1. 16 Sep, 2012 2 commits
  2. 15 Sep, 2012 1 commit
      Structure check hoisting fails to consider the possibility of conflicting checks on the source of the first assignment to the hoisted variable · 6e0a9edd
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96872
      
      Reviewed by Oliver Hunt.
      
      This does a few related things:
              
      - It turns off the use of ForceOSRExit for sure-to-fail CheckStructures, because
        I noticed that this would sometimes happen for a ForwardCheckStructure. The
        problem is that ForceOSRExit exits backwards, not forwards. Since the code that
        led to those ForceOSRExits being inserted was written out of paranoia rather
        than need, I removed it. Specifically, I removed the m_isValid = false code
        for CheckStructure/StructureTransitionWatchpoint in AbstractState.
              
      - If a structure check causes a structure set to go empty, we don't want a
        PutStructure to revive the set. It should instead be smart enough to realize 
        that an empty set implies that the code can't execute. This was the only "bug"
        that the use of m_isValid = false was preventing.
              
      - Finally, the main change: structure check hoisting looks at the source of the
        SetLocals on structure-check-hoistable variables and ensures that the source
        is not checked with a conflicting structure. This is O(n^2) but it does not
        show up at all in performance tests.
              
      The first two parts of this change were auxiliary bugs that were revealed by
      the structure check hoister doing bad things.
      
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::initialize):
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGStructureCheckHoistingPhase.cpp:
      (JSC::DFG::StructureCheckHoistingPhase::run):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128699 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  3. 14 Sep, 2012 8 commits
      All of the things in SparseArrayValueMap should be out-of-line · 9cedb5d0
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96854
      
      Reviewed by Andy Estes.
      
      Those inline methods were buying us nothing.
      
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * runtime/JSArray.cpp:
      * runtime/JSGlobalData.cpp:
      * runtime/JSObject.cpp:
      * runtime/RegExpMatchesArray.cpp:
      * runtime/SparseArrayValueMap.cpp:
      (JSC::SparseArrayValueMap::SparseArrayValueMap):
      (JSC):
      (JSC::SparseArrayValueMap::~SparseArrayValueMap):
      (JSC::SparseArrayValueMap::finishCreation):
      (JSC::SparseArrayValueMap::create):
      (JSC::SparseArrayValueMap::destroy):
      (JSC::SparseArrayValueMap::createStructure):
      (JSC::SparseArrayValueMap::add):
      (JSC::SparseArrayValueMap::putEntry):
      (JSC::SparseArrayValueMap::putDirect):
      (JSC::SparseArrayEntry::get):
      (JSC::SparseArrayEntry::getNonSparseMode):
      (JSC::SparseArrayValueMap::visitChildren):
      * runtime/SparseArrayValueMapInlineMethods.h: Removed.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128680 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      JSC should throw a more descriptive exception when blocking 'eval' via CSP. · 7415e10e
      commit-queue@webkit.org authored
      https://bugs.webkit.org/show_bug.cgi?id=94331
      
      Patch by Mike West <mkwst@chromium.org> on 2012-09-14
      Reviewed by Geoffrey Garen.
      
      Source/JavaScriptCore:
      
      Unless explicitly whitelisted, the 'script-src' Content Security Policy
      directive blocks 'eval' and 'eval'-like constructs such as
      'new Function()'. When 'eval' is encountered in code, an 'EvalError' is
      thrown, but the associated message is poor: "Eval is disabled" doesn't
      give developers enough information about why their code isn't behaving
      as expected.
      
      This patch adds an 'errorMessage' parameter to the JavaScriptCore method
      used to disable 'eval'; ContentSecurityPolicy has the opportunity to
      pass in a more detailed and descriptive error that contains more context
      for the developer.
      
      * runtime/Executable.cpp:
      (JSC::EvalExecutable::compileInternal):
          Drop the hard-coded "Eval is disabled" error message in favor of
          reading the error message off the global object.
      * runtime/FunctionConstructor.cpp:
      (JSC::FunctionConstructor::getCallData):
          Drop the hard-coded "Function constructor is disabled" error message
          in favor of reading the error message off the global object.
      * runtime/JSGlobalObject.h:
      (JSGlobalObject):
      (JSC::JSGlobalObject::evalEnabled):
          Making this accessor method const.
      (JSC::JSGlobalObject::evalDisabledErrorMessage):
          Accessor for the error message set via 'setEvalDisabled'.
      (JSC::JSGlobalObject::setEvalEnabled):
          Adding an 'errorMessage' parameter which is stored on the global
          object, and used when exceptions are thrown.
      
      Source/WebCore:
      
      Unless explicitly whitelisted, the 'script-src' Content Security Policy
      directive blocks 'eval' and 'eval'-like constructs such as
      'new Function()'. When 'eval' is encountered in code, an 'EvalError' is
      thrown, but the associated message is poor: "Eval is disabled" doesn't
      give developers enough information about why their code isn't behaving
      as expected.
      
      This patch adds an 'errorMessage' parameter to the JavaScriptCore method
      used to disable 'eval'; ContentSecurityPolicy has the opportunity to
      pass in a more detailed and descriptive error that contains more context
      for the developer.
      
      The new error message is tested by adjusting existing tests; nothing new
      is required.
      
      * bindings/js/ScriptController.cpp:
      (WebCore::ScriptController::initScript):
          Read the error message off the document's ContentSecurityPolicy.
      (WebCore::ScriptController::disableEval):
      * bindings/js/ScriptController.h:
      (ScriptController):
          Pipe the error message through to JSGlobalObject when disabling eval
      * bindings/js/WorkerScriptController.cpp:
      (WebCore::WorkerScriptController::disableEval):
      * bindings/js/WorkerScriptController.h:
      (WorkerScriptController):
          Pipe the error message through to JSGlobalObject when disabling eval
      * bindings/v8/ScriptController.cpp:
      (WebCore::ScriptController::disableEval):
      * bindings/v8/ScriptController.h:
      (ScriptController):
      * bindings/v8/WorkerScriptController.cpp:
      (WebCore::WorkerScriptController::disableEval):
      * bindings/v8/WorkerScriptController.h:
      (WorkerScriptController):
          Placeholder for V8 piping to be built in webk.it/94332.
      * dom/Document.cpp:
      (WebCore::Document::disableEval):
      * dom/Document.h:
      (Document):
      * dom/ScriptExecutionContext.h:
      (ScriptExecutionContext):
          Pipe the error message through to the ScriptController when
          disabling eval.
      * page/ContentSecurityPolicy.cpp:
      (WebCore::CSPDirectiveList::evalDisabledErrorMessage):
          Accessor for the error message that ought to be displayed to developers
          when 'eval' is used while disabled for a specific directive list.
      (WebCore::CSPDirectiveList::setEvalDisabledErrorMessage):
          Mutator for the error message that ought to be displayed to developers
          when 'eval' is used while disabled for a specific directive list.
      (CSPDirectiveList):
      (WebCore::CSPDirectiveList::create):
          Upon creation of a CSPDirectiveList, set the error message if the
          directive list disables 'eval'.
      (WebCore::ContentSecurityPolicy::didReceiveHeader):
          Pass the error message into ScriptExecutionContext::disableEval.
      (WebCore::ContentSecurityPolicy::evalDisabledErrorMessage):
          Public accessor for the policy's error message; walks the list of
          directive lists and returns the first error message found.
      (WebCore):
      * page/ContentSecurityPolicy.h:
      * workers/WorkerContext.cpp:
      (WebCore::WorkerContext::disableEval):
      * workers/WorkerContext.h:
      (WorkerContext):
          Pipe the error message through to the ScriptController when
          disabling eval.
      
      LayoutTests:
      
      * http/tests/security/contentSecurityPolicy/eval-blocked-expected.txt:
      * http/tests/security/contentSecurityPolicy/eval-blocked-in-about-blank-iframe-expected.txt:
      * http/tests/security/contentSecurityPolicy/function-constructor-blocked-expected.txt:
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128670 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      bbc homepage crashes immediately · c9f16125
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96812
      <rdar://problem/12081386>
      
      Reviewed by Oliver Hunt.
      
      If you use the old storage pointer to write to space you thought was newly allocated,
      you're going to have a bad time.
      
      * runtime/JSArray.cpp:
      (JSC::JSArray::unshiftCount):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128667 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      Remove webkitPostMessage · 79bb5ebb
      abarth@webkit.org authored
      https://bugs.webkit.org/show_bug.cgi?id=96577
      
      Reviewed by Ojan Vafai.
      
      .:
      
      Add ENABLE_LEGACY_VENDOR_PREFIXES flag.
      
      * Source/cmake/WebKitFeatures.cmake:
      * Source/cmakeconfig.h.cmake:
      
      Source/JavaScriptCore:
      
      Add ENABLE_LEGACY_VENDOR_PREFIXES flag.
      
      * Configurations/FeatureDefines.xcconfig:
      
      Source/WebCore:
      
      webkitPostMessage works the same as postMessage. The spec and the
      implementation have been stable for a while. We should no longer be
      exposing this vendor-prefixed API.
      
      This patch places the webkitPostMessage API behind an ENABLE flag.
      We're going to try removing this API in the Chromium port. If we don't
      run into trouble, we'll remove it in all the other ports as well.
      
      This topic has been discussed on webkit-dev in
      http://lists.webkit.org/pipermail/webkit-dev/2012-April/020237.html and
      http://lists.webkit.org/pipermail/webkit-dev/2012-September/022189.html
      
      This patch introduces the ENABLE(LEGACY_VENDOR_PREFIXES) flag. Rather
      than having a flag for each vendor-prefixed API we're experimenting
      with removing, we'll add vendor prefixed APIs to this ENABLE when we
      want to try removing them. If we succeed, we'll just delete the APIs.
      If we fail, we'll remove them from the ENABLE. That way we avoid the
      churn of adding and removing many ENABLE macros.
      
      * Configurations/FeatureDefines.xcconfig:
      * GNUmakefile.am:
      * GNUmakefile.features.am:
      * bindings/js/JSDOMWindowCustom.cpp:
      (WebCore):
      * bindings/js/JSDedicatedWorkerContextCustom.cpp:
      (WebCore):
      * bindings/js/JSMessagePortCustom.cpp:
      (WebCore):
      * bindings/js/JSWorkerCustom.cpp:
      (WebCore):
      * bindings/v8/custom/V8DOMWindowCustom.cpp:
      (WebCore):
      * bindings/v8/custom/V8DedicatedWorkerContextCustom.cpp:
      (WebCore):
      * bindings/v8/custom/V8MessagePortCustom.cpp:
      (WebCore):
      * bindings/v8/custom/V8WorkerCustom.cpp:
      (WebCore):
      * dom/MessagePort.idl:
      * page/DOMWindow.idl:
      * workers/DedicatedWorkerContext.idl:
      * workers/Worker.idl:
      
      Source/WebKit/chromium:
      
      Add ENABLE_LEGACY_VENDOR_PREFIXES flag.
      
      * features.gypi:
      
      Source/WebKit/mac:
      
      Add ENABLE_LEGACY_VENDOR_PREFIXES flag.
      
      * Configurations/FeatureDefines.xcconfig:
      
      Source/WebKit2:
      
      Add ENABLE_LEGACY_VENDOR_PREFIXES flag.
      
      * Configurations/FeatureDefines.xcconfig:
      
      Tools:
      
      Add ENABLE_LEGACY_VENDOR_PREFIXES flag.
      
      * Scripts/webkitperl/FeatureList.pm:
      * qmake/mkspecs/features/features.pri:
      
      LayoutTests:
      
      Update tests to rely only upon the unprefixed API.
      
      * fast/canvas/webgl/script-tests/arraybuffer-transfer-of-control.js:
      (wrapSend):
      (wrapFailSend):
      * fast/dom/Window/post-message-crash.html:
      * fast/dom/Window/window-postmessage-args-expected.txt:
      * fast/dom/Window/window-postmessage-args.html:
      * fast/events/message-port.html:
      * fast/events/resources/message-port-multi.js:
      * fast/workers/resources/worker-call.js:
      * fast/workers/worker-call-expected.txt:
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128658 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      [Qt] Make force_static_libs_as_shared work on Mac OS · 8de23a30
      vestbo@webkit.org authored
      We had to move a few LIBS += around that were in the wrong place,
      and not caught when everything was just linked into the final
      QtWebKit library.
      
      Reviewed by Simon Hausmann.
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128616 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      Fix interpreter build · afc84378
      hausmann@webkit.org authored
      https://bugs.webkit.org/show_bug.cgi?id=96617
      
      Patch by Kevin Funk <kevin.funk@kdab.com> on 2012-09-14
      Reviewed by Simon Hausmann.
      
      Make compile.
      
      * interpreter/Interpreter.cpp:
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128611 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      [BlackBerry] Switching from Slogger to Slogger2 requires changes in CMakeList of webkit in order to include libraries of slog2 · 1799880c
      commit-queue@webkit.org authored
      https://bugs.webkit.org/show_bug.cgi?id=96391
      
      Patch by Parth Patel <parpatel@rim.com> on 2012-09-14
      Reviewed by Yong Li.
      
      Changes in Cmake files of JavaScriptCore of webkit to include slog2 libs in build
      files of webkit in response to switching from Slogger to Slogger2.
      
      * shell/PlatformBlackBerry.cmake:
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128599 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      Remove the Zapped BlockState · 76e50b10
      mhahnenberg@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96708
      
      Reviewed by Geoffrey Garen.
      
      The Zapped block state is rather confusing. It indicates that a block is in one of two different states that we
      can't tell the difference between:
      
      1) I have run all destructors of things that are zapped, and I have not allocated any more objects. This block
         is ready for reclaiming if you so choose.
      2) I have run all the destructors of things that are zapped, but I have allocated more stuff since then, so it
         is not safe to reclaim this block.
      
      This state adds a lot of complexity to our state transition model for MarkedBlocks. We should get rid of it.
      We can replace this state by making sure mark bits represent all of the liveness information we need when running
      our conservative stack scan. Instead of zapping the free list when canonicalizing cell liveness data prior to
      a conservative scan, we can instead mark all objects in the block except for those in the free list. This should
      incur no performance penalty since we're doing it on a very small O(1) number of blocks at the beginning of the collection.
      
      For the time being we still need to use zapping to determine whether we have run an object's destructor or not.
      
      * heap/MarkedAllocator.cpp:
      (JSC::MarkedAllocator::tryAllocateHelper): Renaming stuff.
      * heap/MarkedAllocator.h: Renamed zapFreeList to canonicalizeCellLivenessData to match.
      (MarkedAllocator):
      (JSC::MarkedAllocator::canonicalizeCellLivenessData): Same as old zapFreeList, but just call canonicalize instead.
      * heap/MarkedBlock.cpp:
      (JSC::MarkedBlock::specializedSweep): Remove the check for Zapped block stuff. Also change the block state to Marked
      instead of Zapped if we're not producing a FreeList since that's the only other state that really makes any sense.
      (JSC::MarkedBlock::sweepHelper): Remove Zapped related code.
      (SetAllMarksFunctor): Functor to set all the mark bits in the block since there's not a simple function to call on
      the Bitmap itself.
      (JSC::SetAllMarksFunctor::operator()):
      (JSC):
      (JSC::MarkedBlock::canonicalizeCellLivenessData): Remove all the stuff for Zapped. For FreeListed, set all the mark bits
      and then clear the ones for the objects in the FreeList. This ensures that only the things that were in the FreeList
      are considered to be dead by the conservative scan, just like if we were to have zapped the FreeList like before.
      * heap/MarkedBlock.h:
      (MarkedBlock):
      (JSC::MarkedBlock::clearMarked): Add function to clear individual mark bits, since we need that functionality now.
      (JSC):
      (JSC::MarkedBlock::isLive): Remove code for Zapped stuff. Marked handles all interesting cases now.
      (JSC::MarkedBlock::forEachCell): Add new iterator function that iterates over all cells in the block, regardless of
      whether they're live or dead.
      * heap/MarkedSpace.cpp:
      (JSC::MarkedSpace::canonicalizeCellLivenessData): Change to call the renamed canonicalize function.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128563 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  4. 13 Sep, 2012 8 commits
      Make compile with both OS(WINCE) and PLATFORM(QT) support · 5d3f6453
      commit-queue@webkit.org authored
      https://bugs.webkit.org/show_bug.cgi?id=95536
      
      Patch by Kevin Funk <kevin.funk@kdab.com> on 2012-09-13
      Reviewed by Simon Hausmann.
      
      Source/JavaScriptCore:
      
      Do not link against advapi32 on wince
      
      * jsc.pro:
      
      Source/WebCore:
      
      * WebCore.pri:
      Set defines for the WinCE platform build
      * platform/graphics/BitmapImage.cpp:
      Use default implementation in BitmapImage::reportMemoryUsage() when Qt support available
      * platform/graphics/GraphicsContext.cpp:
      Same as above: use default implementation
      * platform/win/ClipboardUtilitiesWin.cpp:
      Remove unnecessary include
      
      Source/WTF:
      
      Fixes for Windows CE.
      
      * WTF.pri:
      Also include path for mt19937ar.c
      * wtf/unicode/icu/CollatorICU.cpp:
      Fix undeclared strdup() on CE7
      * wtf/Platform.h:
      
      Tools:
      
      Fix wince support in qmake files
      
      * Tools.pro:
      * qmake/mkspecs/features/configure.prf:
      * qmake/mkspecs/features/default_post.prf:
      * qmake/mkspecs/features/features.prf:
      * qmake/mkspecs/features/functions.prf:
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128558 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      Refactored the DFG to make fewer assumptions about variable capture · 81c360ed
      ggaren@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96680
      
      Reviewed by Gavin Barraclough.
      
      A variable capture optimization patch I'm working on broke DFG
      correctness and the arguments simplification optimization phase, so I've
      refactored both to make fewer assumptions about variable capture.
      
      * bytecode/CodeBlock.h:
      (JSC::CodeBlock::isCaptured): This is the new One True Way to find out
      if a variable was captured. This gives us a single point of maintenance
      as we change capture behavior.
      
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::clobberCapturedVars): Don't assume that captured
      variables have any particular location. Instead, ask the One True Function.
      
      * dfg/DFGArgumentsSimplificationPhase.cpp:
      (JSC::DFG::ArgumentsSimplificationPhase::run):
      (JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
      (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize): Mechanical
      changes to separate being captured from being 'arguments'. What used
      to be
              if (captured)
                      if (arguments)
                              x
                      y
      is now
              if (arguments)
                      x
                      y
              else if (captured)
                      y
      
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::getLocal):
      (JSC::DFG::ByteCodeParser::setLocal):
      (JSC::DFG::ByteCodeParser::getArgument):
      (JSC::DFG::ByteCodeParser::setArgument):
      (JSC::DFG::ByteCodeParser::flushDirect):
      (JSC::DFG::ByteCodeParser::parseBlock):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compile): Use the One True Function.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128544 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      Improve the SourceProvider hierarchy · 5ea59781
      benjamin@webkit.org authored
      https://bugs.webkit.org/show_bug.cgi?id=95635
      
      Patch by Benjamin Poulain <bpoulain@apple.com> on 2012-09-13
      Reviewed by Geoffrey Garen.
      
      Source/JavaScriptCore: 
      
      SourceProvider was designed to have subclasses magically handling the data without
      decoding all of it. The virtual methods length() and getRange() were based
      on these assumptions.
      
      In practice, the magic was in our head, there is no implementation that takes
      advantage of that.
      
      SourceProvider is modified to adopt WebCore's ScriptSourceProvider::source() and base
      everything on it.
      The code using SourceProvider is also simplified.
      
      * interpreter/Interpreter.cpp:
      (JSC::appendSourceToError): Keep a reference to the string instead of querying it for
      each time it is used.
      * parser/Lexer.cpp:
      (JSC::::setCode):
      (JSC::::sourceCode):
      * parser/Parser.h:
      (JSC::parse):
      * parser/SourceCode.h:
      (JSC::SourceCode::SourceCode):
      (JSC::SourceCode::subExpression):
      * parser/SourceProvider.h:
      (SourceProvider):
      (JSC::SourceProvider::getRange):
      
      Source/WebCore: 
      
      Get rid of ScriptSourceProvider and StringSourceProvider, they have been made
      useless by JavaScript updates.
      
      On x86_64, this reduces the binary size by 6kb.
      
      * GNUmakefile.list.am:
      * Target.pri:
      * WebCore.gypi:
      * WebCore.vcproj/WebCore.vcproj:
      * WebCore.xcodeproj/project.pbxproj:
      * bindings/js/CachedScriptSourceProvider.h:
      (WebCore::CachedScriptSourceProvider::CachedScriptSourceProvider):
      * bindings/js/ScriptDebugServer.cpp:
      (WebCore::ScriptDebugServer::updateCurrentStatementPosition):
      (WebCore::ScriptDebugServer::dispatchDidParseSource):
      (WebCore::ScriptDebugServer::dispatchFailedToParseSource):
      * bindings/js/ScriptSourceCode.h:
      (WebCore::ScriptSourceCode::ScriptSourceCode):
      (ScriptSourceCode):
      * bindings/js/ScriptSourceProvider.h: Removed.
      * bindings/js/StringSourceProvider.h: Removed.
      * bindings/js/WorkerScriptController.cpp:
      * bindings/objc/WebScriptObject.mm:
      * bridge/NP_jsobject.cpp:
      * bridge/jni/jni_jsobject.mm:
      
      Source/WebKit/mac: 
      
      * Plugins/Hosted/NetscapePluginInstanceProxy.mm: Fix a #include abuse.
      * WebView/WebScriptDebugger.mm:
      (toNSString): We can now use the (faster) implicit conversion
      from String to NSString.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128542 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      DFG: Dead GetButterfly's shouldn't be subject to CSE · 00298b98
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96707
      <rdar://problem/12296311>
      
      Source/JavaScriptCore: 
      
      Reviewed by Oliver Hunt.
              
      There were a number of cases of this that crept into the CSE: it would
      match something even though it was dead.
      
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
      (JSC::DFG::CSEPhase::checkArrayElimination):
      (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
      (JSC::DFG::CSEPhase::getScopeChainLoadElimination):
      (JSC::DFG::CSEPhase::getLocalLoadElimination):
      
      LayoutTests: 
      
      Reviewed by Oliver Hunt.
      
      * fast/js/dfg-dead-redundant-get-array-length-expected.txt: Added.
      * fast/js/dfg-dead-redundant-get-array-length.html: Added.
      * fast/js/jsc-test-list:
      * fast/js/script-tests/dfg-dead-redundant-get-array-length.js: Added.
      (foo):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128541 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      Make global const initialisation explicit in the bytecode · 62f4d0e3
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96711
      
      Reviewed by Gavin Barraclough.
      
      Added op_init_global_const to make initialisation of global const
      fields explicit.  This will help us keep correct semantics in the
      upcoming variable resolution refactoring.
      
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::dump):
      * bytecode/Opcode.h:
      (JSC):
      (JSC::padOpcodeName):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::emitInitGlobalConst):
      (JSC):
      * bytecompiler/BytecodeGenerator.h:
      (BytecodeGenerator):
      * bytecompiler/NodesCodegen.cpp:
      (JSC::ConstDeclNode::emitCodeSingle):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCapabilities.h:
      (JSC::DFG::canCompileOpcode):
      * interpreter/Interpreter.cpp:
      (JSC::Interpreter::privateExecute):
      * jit/JIT.cpp:
      (JSC::JIT::privateCompileMainPass):
      (JSC::JIT::privateCompileSlowCases):
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128534 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      Rename forEachCell to forEachLiveCell · 4930320c
      mhahnenberg@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96685
      
      Reviewed by Oliver Hunt.
      
      forEachCell actually only iterates over live cells. We should rename it to 
      reflect what it actually does. This is also helpful because we want to add a new 
      forEachCell that actually does iterate each and every cell in a MarkedBlock 
      regardless of whether or not it is live.
      
      * debugger/Debugger.cpp:
      (JSC::Debugger::recompileAllJSFunctions):
      * heap/Heap.cpp:
      (JSC::Heap::globalObjectCount):
      (JSC::Heap::objectTypeCounts):
      * heap/MarkedBlock.h:
      (MarkedBlock):
      (JSC::MarkedBlock::forEachLiveCell):
      * heap/MarkedSpace.h:
      (MarkedSpace):
      (JSC::MarkedSpace::forEachLiveCell):
      * runtime/JSGlobalData.cpp:
      (JSC::JSGlobalData::releaseExecutableMemory):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128498 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      [Qt][Win] REGRESSION(r128400): It broke the build · 4ef04bfb
      loislo@chromium.org authored
      https://bugs.webkit.org/show_bug.cgi?id=96617
      
      Patch by Filip Pizlo <fpizlo@apple.com> on 2012-09-13
      Reviewed by Simon Hausmann.
      
      Source/JavaScriptCore:
      
      Changed "JSC::Array" to "JSC::ArrayClass" because it's not used often enough
      for the brevity to be beneficial, and because "Array" causes too much namespace
      pollution.
      
      * runtime/IndexingType.h:
      (JSC):
      * runtime/JSArray.cpp:
      (JSC::JSArray::pop):
      (JSC::JSArray::push):
      (JSC::JSArray::sortNumeric):
      (JSC::JSArray::sort):
      (JSC::JSArray::fillArgList):
      (JSC::JSArray::copyToArguments):
      (JSC::JSArray::compactForSorting):
      * runtime/JSObject.cpp:
      (JSC::JSObject::getOwnPropertySlotByIndex):
      (JSC::JSObject::putByIndex):
      (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
      (JSC::JSObject::deletePropertyByIndex):
      (JSC::JSObject::getOwnPropertyNames):
      (JSC::JSObject::putByIndexBeyondVectorLength):
      (JSC::JSObject::putDirectIndexBeyondVectorLength):
      (JSC::JSObject::getNewVectorLength):
      (JSC::JSObject::getOwnPropertyDescriptor):
      * runtime/JSObject.h:
      (JSC::JSObject::getArrayLength):
      (JSC::JSObject::getVectorLength):
      (JSC::JSObject::canGetIndexQuickly):
      (JSC::JSObject::canSetIndexQuickly):
      (JSC::JSObject::inSparseIndexingMode):
      (JSC::JSObject::ensureArrayStorage):
      
      Source/WebCore:
      
      * bridge/runtime_array.h:
      (JSC::RuntimeArray::createStructure):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128428 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      Testing whether indexing type is ArrayWithArrayStorage should not compare against ArrayWithArrayStorage · 6f88333e
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96611
      
      Reviewed by Gavin Barraclough.
      
      * dfg/DFGRepatch.cpp:
      (JSC::DFG::tryCacheGetByID):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::checkArray):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::privateCompilePatchGetArrayLength):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::privateCompilePatchGetArrayLength):
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128425 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  5. 12 Sep, 2012 5 commits
      JSC should have property butterflies · d8dd0535
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=91933
      
      Reviewed by Geoffrey Garen.
      
      Source/JavaScriptCore: 
      
      This changes the JSC object model. Previously, all objects had fast lookup for
      named properties. Integer indexed properties were only fast if you used a
      JSArray. With this change, all objects have fast indexed properties. This is
      accomplished without any space overhead by using a bidirectional object layout,
      aka butterflies. Each JSObject has a m_butterfly pointer where previously it
      had a m_outOfLineStorage pointer. To the left of the location pointed to by
      m_butterfly, we place all named out-of-line properties. To the right, we place
      all indexed properties along with indexing meta-data. Though, some indexing
      meta-data is placed in the 8-byte word immediately left of the pointed-to
      location; this is in anticipation of the indexing meta-data being small enough
      in the common case that m_butterfly always points to the first indexed
      property.
              
      This is performance neutral, except on tests that use indexed properties on
      plain objects, where the speed-up is in excess of an order of magnitude.
              
      One notable aspect of what this change brings is that it allows indexing
      storage to morph over time. Currently this is only used to allow all non-array
      objects to start out without any indexed storage. But it could be used for
      some kinds of array type inference in the future.
      
      * API/JSCallbackObject.h:
      (JSCallbackObject):
      * API/JSCallbackObjectFunctions.h:
      (JSC::::getOwnPropertySlotByIndex):
      (JSC):
      (JSC::::getOwnNonIndexPropertyNames):
      * API/JSObjectRef.cpp:
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * bytecode/ArrayProfile.h:
      (JSC):
      (JSC::arrayModeFromStructure):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::emitDirectPutById):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGAdjacencyList.h:
      (JSC::DFG::AdjacencyList::AdjacencyList):
      (AdjacencyList):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::fromObserved):
      (JSC::DFG::modeAlreadyChecked):
      (JSC::DFG::modeToString):
      * dfg/DFGArrayMode.h:
      (DFG):
      (JSC::DFG::modeUsesButterfly):
      (JSC::DFG::modeIsJSArray):
      (JSC::DFG::isInBoundsAccess):
      (JSC::DFG::modeSupportsLength):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::handleGetByOffset):
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::addNode):
      (FixupPhase):
      (JSC::DFG::FixupPhase::checkArray):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::byValIsPure):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::Node):
      (Node):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGOperations.cpp:
      (JSC::DFG::putByVal):
      * dfg/DFGOperations.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGRepatch.cpp:
      (JSC::DFG::generateProtoChainAccessStub):
      (JSC::DFG::tryCacheGetByID):
      (JSC::DFG::tryBuildGetByIDList):
      (JSC::DFG::emitPutReplaceStub):
      (JSC::DFG::emitPutTransitionStub):
      (JSC::DFG::tryBuildPutByIdList):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::checkArray):
      (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
      (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
      (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
      (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::cachedGetById):
      (JSC::DFG::SpeculativeJIT::cachedPutById):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::cachedGetById):
      (JSC::DFG::SpeculativeJIT::cachedPutById):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGStructureCheckHoistingPhase.cpp:
      (JSC::DFG::StructureCheckHoistingPhase::run):
      * heap/CopiedSpace.h:
      (CopiedSpace):
      * jit/JIT.h:
      * jit/JITInlineMethods.h:
      (JSC::JIT::emitAllocateBasicJSObject):
      (JSC::JIT::emitAllocateBasicStorage):
      (JSC::JIT::emitAllocateJSArray):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_new_array):
      (JSC::JIT::emitSlow_op_new_array):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emit_op_get_by_val):
      (JSC::JIT::compileGetDirectOffset):
      (JSC::JIT::emit_op_put_by_val):
      (JSC::JIT::compileGetByIdHotPath):
      (JSC::JIT::emit_op_put_by_id):
      (JSC::JIT::compilePutDirectOffset):
      (JSC::JIT::privateCompilePatchGetArrayLength):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emit_op_get_by_val):
      (JSC::JIT::emit_op_put_by_val):
      (JSC::JIT::compileGetByIdHotPath):
      (JSC::JIT::emit_op_put_by_id):
      (JSC::JIT::compilePutDirectOffset):
      (JSC::JIT::compileGetDirectOffset):
      (JSC::JIT::privateCompilePatchGetArrayLength):
      * jit/JITStubs.cpp:
      (JSC::DEFINE_STUB_FUNCTION):
      * jsc.cpp:
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::LLINT_SLOW_PATH_DECL):
      * llint/LowLevelInterpreter.asm:
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * runtime/Arguments.cpp:
      (JSC::Arguments::deletePropertyByIndex):
      (JSC::Arguments::defineOwnProperty):
      * runtime/ArrayConstructor.cpp:
      * runtime/ArrayConventions.h: Added.
      (JSC):
      (JSC::isDenseEnoughForVector):
      (JSC::indexingHeaderForArray):
      (JSC::baseIndexingHeaderForArray):
      * runtime/ArrayPrototype.cpp:
      (JSC::ArrayPrototype::create):
      (JSC):
      (JSC::ArrayPrototype::ArrayPrototype):
      (JSC::arrayProtoFuncToString):
      (JSC::arrayProtoFuncJoin):
      (JSC::arrayProtoFuncSort):
      (JSC::arrayProtoFuncFilter):
      (JSC::arrayProtoFuncMap):
      (JSC::arrayProtoFuncEvery):
      (JSC::arrayProtoFuncForEach):
      (JSC::arrayProtoFuncSome):
      (JSC::arrayProtoFuncReduce):
      (JSC::arrayProtoFuncReduceRight):
      * runtime/ArrayPrototype.h:
      (ArrayPrototype):
      (JSC::ArrayPrototype::createStructure):
      * runtime/ArrayStorage.h: Added.
      (JSC):
      (ArrayStorage):
      (JSC::ArrayStorage::ArrayStorage):
      (JSC::ArrayStorage::from):
      (JSC::ArrayStorage::butterfly):
      (JSC::ArrayStorage::indexingHeader):
      (JSC::ArrayStorage::length):
      (JSC::ArrayStorage::setLength):
      (JSC::ArrayStorage::vectorLength):
      (JSC::ArrayStorage::setVectorLength):
      (JSC::ArrayStorage::copyHeaderFromDuringGC):
      (JSC::ArrayStorage::inSparseMode):
      (JSC::ArrayStorage::lengthOffset):
      (JSC::ArrayStorage::vectorLengthOffset):
      (JSC::ArrayStorage::numValuesInVectorOffset):
      (JSC::ArrayStorage::vectorOffset):
      (JSC::ArrayStorage::indexBiasOffset):
      (JSC::ArrayStorage::sparseMapOffset):
      (JSC::ArrayStorage::sizeFor):
      * runtime/Butterfly.h: Added.
      (JSC):
      (Butterfly):
      (JSC::Butterfly::Butterfly):
      (JSC::Butterfly::totalSize):
      (JSC::Butterfly::fromBase):
      (JSC::Butterfly::offsetOfIndexingHeader):
      (JSC::Butterfly::offsetOfPublicLength):
      (JSC::Butterfly::offsetOfVectorLength):
      (JSC::Butterfly::indexingHeader):
      (JSC::Butterfly::propertyStorage):
      (JSC::Butterfly::indexingPayload):
      (JSC::Butterfly::arrayStorage):
      (JSC::Butterfly::offsetOfPropertyStorage):
      (JSC::Butterfly::indexOfPropertyStorage):
      (JSC::Butterfly::base):
      * runtime/ButterflyInlineMethods.h: Added.
      (JSC):
      (JSC::Butterfly::createUninitialized):
      (JSC::Butterfly::create):
      (JSC::Butterfly::createUninitializedDuringCollection):
      (JSC::Butterfly::base):
      (JSC::Butterfly::growPropertyStorage):
      (JSC::Butterfly::growArrayRight):
      (JSC::Butterfly::resizeArray):
      (JSC::Butterfly::unshift):
      (JSC::Butterfly::shift):
      * runtime/ClassInfo.h:
      (MethodTable):
      (JSC):
      * runtime/IndexingHeader.h: Added.
      (JSC):
      (IndexingHeader):
      (JSC::IndexingHeader::offsetOfIndexingHeader):
      (JSC::IndexingHeader::offsetOfPublicLength):
      (JSC::IndexingHeader::offsetOfVectorLength):
      (JSC::IndexingHeader::IndexingHeader):
      (JSC::IndexingHeader::vectorLength):
      (JSC::IndexingHeader::setVectorLength):
      (JSC::IndexingHeader::publicLength):
      (JSC::IndexingHeader::setPublicLength):
      (JSC::IndexingHeader::from):
      (JSC::IndexingHeader::fromEndOf):
      (JSC::IndexingHeader::propertyStorage):
      (JSC::IndexingHeader::arrayStorage):
      (JSC::IndexingHeader::butterfly):
      * runtime/IndexingHeaderInlineMethods.h: Added.
      (JSC):
      (JSC::IndexingHeader::preCapacity):
      (JSC::IndexingHeader::indexingPayloadSizeInBytes):
      * runtime/IndexingType.h: Added.
      (JSC):
      (JSC::hasIndexingHeader):
      * runtime/JSActivation.cpp:
      (JSC::JSActivation::JSActivation):
      (JSC::JSActivation::visitChildren):
      (JSC::JSActivation::getOwnNonIndexPropertyNames):
      * runtime/JSActivation.h:
      (JSActivation):
      (JSC::JSActivation::tearOff):
      * runtime/JSArray.cpp:
      (JSC):
      (JSC::createArrayButterflyInDictionaryIndexingMode):
      (JSC::JSArray::setLengthWritable):
      (JSC::JSArray::defineOwnProperty):
      (JSC::JSArray::getOwnPropertySlot):
      (JSC::JSArray::getOwnPropertyDescriptor):
      (JSC::JSArray::put):
      (JSC::JSArray::deleteProperty):
      (JSC::JSArray::getOwnNonIndexPropertyNames):
      (JSC::JSArray::unshiftCountSlowCase):
      (JSC::JSArray::setLength):
      (JSC::JSArray::pop):
      (JSC::JSArray::push):
      (JSC::JSArray::shiftCount):
      (JSC::JSArray::unshiftCount):
      (JSC::JSArray::sortNumeric):
      (JSC::JSArray::sort):
      (JSC::JSArray::fillArgList):
      (JSC::JSArray::copyToArguments):
      (JSC::JSArray::compactForSorting):
      * runtime/JSArray.h:
      (JSC):
      (JSArray):
      (JSC::JSArray::JSArray):
      (JSC::JSArray::length):
      (JSC::JSArray::createStructure):
      (JSC::JSArray::isLengthWritable):
      (JSC::createArrayButterfly):
      (JSC::JSArray::create):
      (JSC::JSArray::tryCreateUninitialized):
      * runtime/JSBoundFunction.cpp:
      (JSC::boundFunctionCall):
      (JSC::boundFunctionConstruct):
      (JSC::JSBoundFunction::finishCreation):
      * runtime/JSCell.cpp:
      (JSC::JSCell::getOwnNonIndexPropertyNames):
      (JSC):
      * runtime/JSCell.h:
      (JSCell):
      * runtime/JSFunction.cpp:
      (JSC::JSFunction::getOwnPropertySlot):
      (JSC::JSFunction::getOwnPropertyDescriptor):
      (JSC::JSFunction::getOwnNonIndexPropertyNames):
      (JSC::JSFunction::defineOwnProperty):
      * runtime/JSFunction.h:
      (JSFunction):
      * runtime/JSGlobalData.cpp:
      (JSC::JSGlobalData::JSGlobalData):
      * runtime/JSGlobalData.h:
      (JSGlobalData):
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::reset):
      * runtime/JSONObject.cpp:
      (JSC::Stringifier::Holder::appendNextProperty):
      (JSC::Walker::walk):
      * runtime/JSObject.cpp:
      (JSC):
      (JSC::JSObject::visitButterfly):
      (JSC::JSObject::visitChildren):
      (JSC::JSFinalObject::visitChildren):
      (JSC::JSObject::getOwnPropertySlotByIndex):
      (JSC::JSObject::put):
      (JSC::JSObject::putByIndex):
      (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
      (JSC::JSObject::enterDictionaryIndexingMode):
      (JSC::JSObject::createArrayStorage):
      (JSC::JSObject::createInitialArrayStorage):
      (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
      (JSC::JSObject::putDirectAccessor):
      (JSC::JSObject::deleteProperty):
      (JSC::JSObject::deletePropertyByIndex):
      (JSC::JSObject::getOwnPropertyNames):
      (JSC::JSObject::getOwnNonIndexPropertyNames):
      (JSC::JSObject::preventExtensions):
      (JSC::JSObject::fillGetterPropertySlot):
      (JSC::JSObject::putIndexedDescriptor):
      (JSC::JSObject::defineOwnIndexedProperty):
      (JSC::JSObject::allocateSparseIndexMap):
      (JSC::JSObject::deallocateSparseIndexMap):
      (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
      (JSC::JSObject::putByIndexBeyondVectorLength):
      (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
      (JSC::JSObject::putDirectIndexBeyondVectorLength):
      (JSC::JSObject::getNewVectorLength):
      (JSC::JSObject::increaseVectorLength):
      (JSC::JSObject::checkIndexingConsistency):
      (JSC::JSObject::growOutOfLineStorage):
      (JSC::JSObject::getOwnPropertyDescriptor):
      (JSC::putDescriptor):
      (JSC::JSObject::putDirectMayBeIndex):
      (JSC::JSObject::defineOwnNonIndexProperty):
      (JSC::JSObject::defineOwnProperty):
      (JSC::JSObject::getOwnPropertySlotSlow):
      * runtime/JSObject.h:
      (JSC::JSObject::getArrayLength):
      (JSObject):
      (JSC::JSObject::getVectorLength):
      (JSC::JSObject::putDirectIndex):
      (JSC::JSObject::canGetIndexQuickly):
      (JSC::JSObject::getIndexQuickly):
      (JSC::JSObject::canSetIndexQuickly):
      (JSC::JSObject::setIndexQuickly):
      (JSC::JSObject::initializeIndex):
      (JSC::JSObject::completeInitialization):
      (JSC::JSObject::inSparseIndexingMode):
      (JSC::JSObject::butterfly):
      (JSC::JSObject::outOfLineStorage):
      (JSC::JSObject::offsetForLocation):
      (JSC::JSObject::indexingShouldBeSparse):
      (JSC::JSObject::butterflyOffset):
      (JSC::JSObject::butterflyAddress):
      (JSC::JSObject::arrayStorage):
      (JSC::JSObject::arrayStorageOrZero):
      (JSC::JSObject::ensureArrayStorage):
      (JSC::JSObject::checkIndexingConsistency):
      (JSC::JSNonFinalObject::JSNonFinalObject):
      (JSC):
      (JSC::JSObject::setButterfly):
      (JSC::JSObject::setButterflyWithoutChangingStructure):
      (JSC::JSObject::JSObject):
      (JSC::JSObject::inlineGetOwnPropertySlot):
      (JSC::JSObject::putDirectInternal):
      (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
      (JSC::JSObject::putDirectWithoutTransition):
      (JSC::offsetInButterfly):
      (JSC::offsetRelativeToPatchedStorage):
      (JSC::indexRelativeToBase):
      (JSC::offsetRelativeToBase):
      * runtime/JSPropertyNameIterator.cpp:
      (JSC::JSPropertyNameIterator::create):
      * runtime/JSSymbolTableObject.cpp:
      (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
      * runtime/JSSymbolTableObject.h:
      (JSSymbolTableObject):
      * runtime/JSTypeInfo.h:
      (JSC):
      (JSC::TypeInfo::interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero):
      (JSC::TypeInfo::overridesGetPropertyNames):
      * runtime/LiteralParser.cpp:
      (JSC::::parse):
      * runtime/ObjectConstructor.cpp:
      * runtime/ObjectPrototype.cpp:
      (JSC::ObjectPrototype::ObjectPrototype):
      (JSC):
      * runtime/ObjectPrototype.h:
      (ObjectPrototype):
      * runtime/PropertyOffset.h:
      (JSC::offsetInOutOfLineStorage):
      * runtime/PropertyStorage.h: Added.
      (JSC):
      * runtime/PutDirectIndexMode.h: Added.
      (JSC):
      * runtime/RegExpMatchesArray.cpp:
      (JSC::RegExpMatchesArray::RegExpMatchesArray):
      (JSC):
      (JSC::RegExpMatchesArray::create):
      (JSC::RegExpMatchesArray::finishCreation):
      * runtime/RegExpMatchesArray.h:
      (RegExpMatchesArray):
      (JSC::RegExpMatchesArray::createStructure):
      * runtime/RegExpObject.cpp:
      (JSC::RegExpObject::getOwnNonIndexPropertyNames):
      * runtime/RegExpObject.h:
      (RegExpObject):
      * runtime/Reject.h: Added.
      (JSC):
      (JSC::reject):
      * runtime/SparseArrayValueMap.cpp: Added.
      (JSC):
      * runtime/SparseArrayValueMap.h: Added.
      (JSC):
      (SparseArrayEntry):
      (JSC::SparseArrayEntry::SparseArrayEntry):
      (SparseArrayValueMap):
      (JSC::SparseArrayValueMap::sparseMode):
      (JSC::SparseArrayValueMap::setSparseMode):
      (JSC::SparseArrayValueMap::lengthIsReadOnly):
      (JSC::SparseArrayValueMap::setLengthIsReadOnly):
      (JSC::SparseArrayValueMap::find):
      (JSC::SparseArrayValueMap::remove):
      (JSC::SparseArrayValueMap::notFound):
      (JSC::SparseArrayValueMap::isEmpty):
      (JSC::SparseArrayValueMap::contains):
      (JSC::SparseArrayValueMap::size):
      (JSC::SparseArrayValueMap::begin):
      (JSC::SparseArrayValueMap::end):
      * runtime/SparseArrayValueMapInlineMethods.h: Added.
      (JSC):
      (JSC::SparseArrayValueMap::SparseArrayValueMap):
      (JSC::SparseArrayValueMap::~SparseArrayValueMap):
      (JSC::SparseArrayValueMap::finishCreation):
      (JSC::SparseArrayValueMap::create):
      (JSC::SparseArrayValueMap::destroy):
      (JSC::SparseArrayValueMap::createStructure):
      (JSC::SparseArrayValueMap::add):
      (JSC::SparseArrayValueMap::putEntry):
      (JSC::SparseArrayValueMap::putDirect):
      (JSC::SparseArrayEntry::get):
      (JSC::SparseArrayEntry::getNonSparseMode):
      (JSC::SparseArrayValueMap::visitChildren):
      * runtime/StorageBarrier.h: Removed.
      * runtime/StringObject.cpp:
      (JSC::StringObject::putByIndex):
      (JSC):
      (JSC::StringObject::deletePropertyByIndex):
      * runtime/StringObject.h:
      (StringObject):
      * runtime/StringPrototype.cpp:
      * runtime/Structure.cpp:
      (JSC::Structure::Structure):
      (JSC::Structure::materializePropertyMap):
      (JSC::Structure::nonPropertyTransition):
      (JSC):
      * runtime/Structure.h:
      (Structure):
      (JSC::Structure::indexingType):
      (JSC::Structure::indexingTypeIncludingHistory):
      (JSC::Structure::indexingTypeOffset):
      (JSC::Structure::create):
      * runtime/StructureTransitionTable.h:
      (JSC):
      (JSC::toAttributes):
      (JSC::newIndexingType):
      (JSC::StructureTransitionTable::Hash::hash):
      * tests/mozilla/js1_6/Array/regress-304828.js:
      
      Source/WebCore: 
      
      Teach the DOM that to intercept get/put on indexed properties, you now have
      to override getOwnPropertySlotByIndex and putByIndex.
      
      No new tests because no new behavior. One test was rebased because indexed
      property iteration order now matches other engines (indexed properties always
      come first).
      
      * bindings/js/ArrayValue.cpp:
      (WebCore::ArrayValue::get):
      * bindings/js/JSBlobCustom.cpp:
      (WebCore::JSBlobConstructor::constructJSBlob):
      * bindings/js/JSCanvasRenderingContext2DCustom.cpp:
      (WebCore::JSCanvasRenderingContext2D::setWebkitLineDash):
      * bindings/js/JSDOMStringListCustom.cpp:
      (WebCore::toDOMStringList):
      * bindings/js/JSDOMStringMapCustom.cpp:
      (WebCore::JSDOMStringMap::deletePropertyByIndex):
      (WebCore):
      * bindings/js/JSDOMWindowCustom.cpp:
      (WebCore::JSDOMWindow::getOwnPropertySlot):
      (WebCore::JSDOMWindow::getOwnPropertySlotByIndex):
      (WebCore):
      (WebCore::JSDOMWindow::putByIndex):
      (WebCore::JSDOMWindow::deletePropertyByIndex):
      * bindings/js/JSDOMWindowShell.cpp:
      (WebCore::JSDOMWindowShell::getOwnPropertySlotByIndex):
      (WebCore):
      (WebCore::JSDOMWindowShell::putByIndex):
      (WebCore::JSDOMWindowShell::deletePropertyByIndex):
      * bindings/js/JSDOMWindowShell.h:
      (JSDOMWindowShell):
      * bindings/js/JSHistoryCustom.cpp:
      (WebCore::JSHistory::deletePropertyByIndex):
      (WebCore):
      * bindings/js/JSInspectorFrontendHostCustom.cpp:
      (WebCore::populateContextMenuItems):
      * bindings/js/JSLocationCustom.cpp:
      (WebCore::JSLocation::deletePropertyByIndex):
      (WebCore):
      * bindings/js/JSStorageCustom.cpp:
      (WebCore::JSStorage::deletePropertyByIndex):
      (WebCore):
      * bindings/js/JSWebSocketCustom.cpp:
      (WebCore::JSWebSocketConstructor::constructJSWebSocket):
      * bindings/js/ScriptValue.cpp:
      (WebCore::jsToInspectorValue):
      * bindings/js/SerializedScriptValue.cpp:
      (WebCore::CloneSerializer::serialize):
      * bindings/scripts/CodeGeneratorJS.pm:
      (GenerateHeader):
      (GenerateImplementation):
      * bridge/runtime_array.cpp:
      (JSC::RuntimeArray::RuntimeArray):
      * bridge/runtime_array.h:
      (JSC::RuntimeArray::createStructure):
      (RuntimeArray):
      
      LayoutTests: 
      
      Modify the JSON test to indicate that iterating over properties now returns
      indexed properties first. This is a behavior change that makes us more
      compliant with other implementations.
              
      Also check in new expected file for the edge cases of indexed property access
      with prototype accessors. This changeset introduces a known regression in that
      department, which is tracked here: https://bugs.webkit.org/show_bug.cgi?id=96596
      
      * fast/js/resources/JSON-stringify.js:
      * platform/mac/fast/js/primitive-property-access-edge-cases-expected.txt: Added.
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128400 268f45cc-cd09-0410-ab3c-d52691b4dbfc
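The commit message above describes the butterfly as a single pointer with named out-of-line properties growing to its left, indexed properties to its right, and an 8-byte indexing header (public length and vector length) in the word immediately left of the pointed-to location. The following C model, an added example rather than JSC's own code, makes that layout concrete: it allocates one block, places `base` so that property slots sit at negative offsets and indexed slots at positive ones, refuses indexed writes at or beyond `vectorLength` (where JSC would take the `putByIndexBeyondVectorLength` slow path instead), and shows that a `growArrayRight`-style reallocation moves `base` while preserving the left-hand side. All type and function names here (`Butterfly`, `IndexingHeader`, `butterfly_grow_right`, ...) are hypothetical simplifications; real JSC headers carry more state and use `JSValue` cells, not raw words.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified model of the butterfly layout described in the commit
 * message (added example, not JSC code). Every slot is one 64-bit word.
 *
 * low addresses                                                  high addresses
 * [prop[cap-1]] ... [prop[0]] [IndexingHeader] [idx 0] ... [idx vectorLength-1]
 *                                              ^ base (the object's m_butterfly)
 */
typedef uint64_t JSValueWord;

typedef struct {
    uint32_t publicLength; /* JS-visible "length": one past the highest index written */
    uint32_t vectorLength; /* slots actually allocated to the right of base */
} IndexingHeader;          /* exactly the 8-byte word immediately left of base */

typedef struct {
    uint8_t *allocation;     /* start of the block, kept for realloc()/free() */
    JSValueWord *base;       /* m_butterfly: address of indexed slot 0 */
    size_t propertyCapacity; /* named out-of-line slots to the left of the header */
} Butterfly;

static size_t left_bytes(size_t propertyCapacity)
{
    return propertyCapacity * sizeof(JSValueWord) + sizeof(IndexingHeader);
}

static IndexingHeader *header_of(const Butterfly *b)
{
    return (IndexingHeader *)b->base - 1;
}

static Butterfly butterfly_create(size_t propertyCapacity, uint32_t vectorLength)
{
    Butterfly b = { NULL, NULL, propertyCapacity };
    size_t left = left_bytes(propertyCapacity);
    b.allocation = calloc(1, left + (size_t)vectorLength * sizeof(JSValueWord));
    if (!b.allocation)
        return b; /* base stays NULL; callers must check */
    b.base = (JSValueWord *)(b.allocation + left);
    header_of(&b)->publicLength = 0;
    header_of(&b)->vectorLength = vectorLength;
    return b;
}

/* Named property i lives at a negative offset: property 0 is nearest the header. */
static JSValueWord *butterfly_property_slot(const Butterfly *b, size_t i)
{
    JSValueWord *propertyEnd = (JSValueWord *)header_of(b);
    return propertyEnd - 1 - i;
}

/* Indexed put: never write at or beyond vectorLength; that is the slow path's job. */
static int butterfly_set_index(Butterfly *b, uint32_t index, JSValueWord value)
{
    IndexingHeader *h = header_of(b);
    if (index >= h->vectorLength)
        return 0;
    b->base[index] = value;
    if (index >= h->publicLength)
        h->publicLength = index + 1;
    return 1;
}

static int butterfly_get_index(const Butterfly *b, uint32_t index, JSValueWord *out)
{
    if (index >= header_of(b)->publicLength)
        return 0;
    *out = b->base[index];
    return 1;
}

/* growArrayRight: the block is reallocated, so base moves; the property side and
 * the header keep their contents and the new indexed slots start zeroed. */
static int butterfly_grow_right(Butterfly *b, uint32_t newVectorLength)
{
    size_t left = left_bytes(b->propertyCapacity);
    size_t oldRight = (size_t)header_of(b)->vectorLength * sizeof(JSValueWord);
    size_t newRight = (size_t)newVectorLength * sizeof(JSValueWord);
    if (newRight <= oldRight)
        return 0;
    uint8_t *block = realloc(b->allocation, left + newRight);
    if (!block)
        return 0;
    memset(block + left + oldRight, 0, newRight - oldRight);
    b->allocation = block;
    b->base = (JSValueWord *)(block + left); /* any old base value is now stale */
    header_of(b)->vectorLength = newVectorLength;
    return 1;
}

static void butterfly_destroy(Butterfly *b)
{
    free(b->allocation);
    b->allocation = NULL;
    b->base = NULL;
}
```

The point worth keeping in mind from the model is that one pointer is the object's handle to both property regions, so any code that caches `base` across a growth (or trusts `vectorLength` without checking it against the index) is reasoning about memory that may no longer be there.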
    • Refactor Opcodes to distinguish between core and extension opcodes. · 0206200c
      commit-queue@webkit.org authored
      https://bugs.webkit.org/show_bug.cgi?id=96466.
      
      Patch by Mark Lam <mark.lam@apple.com> on 2012-09-12
      Reviewed by Filip Pizlo.
      
      * bytecode/Opcode.h:
      (JSC): Added FOR_EACH_CORE_OPCODE_ID() macro.
      * llint/LowLevelInterpreter.h:
      (JSC): Auto-generate llint opcode aliases using the
          FOR_EACH_CORE_OPCODE_ID() macro.
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128369 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    • 2012-09-11 Geoffrey Garen <ggaren@apple.com> · 51bbe0a2
      ggaren@apple.com authored
              Second step to fixing the Windows build: Add new symbols.
      
              * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128268 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    • 2012-09-11 Geoffrey Garen <ggaren@apple.com> · c5397949
      ggaren@apple.com authored
              First step to fixing the Windows build: Remove old symbols.
      
              * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128266 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    • Don't allocate a backing store just for a function's name · 0030e138
      ggaren@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96468
      
      Reviewed by Oliver Hunt.
      
      Treat function.name like function.length etc., and use a custom getter.
      This saves space in closures.
      
      * debugger/DebuggerCallFrame.cpp:
      (JSC::DebuggerCallFrame::functionName):
      * debugger/DebuggerCallFrame.h:
      (DebuggerCallFrame): Updated for interface change.
      
      * runtime/Executable.h:
      (JSC::JSFunction::JSFunction): Do a little inlining.
      
      * runtime/JSFunction.cpp:
      (JSC::JSFunction::finishCreation): Gone now. That's the point of the patch.
      
      (JSC::JSFunction::name):
      (JSC::JSFunction::displayName):
      (JSC::JSFunction::nameGetter):
      (JSC::JSFunction::getOwnPropertySlot):
      (JSC::JSFunction::getOwnPropertyDescriptor):
      (JSC::JSFunction::getOwnPropertyNames):
      (JSC::JSFunction::put):
      (JSC::JSFunction::deleteProperty):
      (JSC::JSFunction::defineOwnProperty): Added custom accessors for .name
      just like .length and others.
      
      * runtime/JSFunction.h:
      (JSC::JSFunction::create):
      (JSFunction): Updated for interface changes.
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128265 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  6. 11 Sep, 2012 10 commits
    • IncrementalSweeper should not sweep/free Zapped blocks · 86f589c0
      mhahnenberg@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96464
      
      Reviewed by Filip Pizlo.
      
      This is not beneficial in terms of performance because there isn't any way a block can emerge
      in the Zapped state from a call to Heap::collect() unless we run an eager sweep on it, in which
      case we've already run all the destructors we possibly can. This also causes bugs since we don't
      take zapped-ness into account when determining whether or not a block is empty to free it. The
      incremental sweeper can then accidentally free blocks that it thinks are empty but are in fact
      zapped with still-live objects in them.
      
      * heap/MarkedBlock.h:
      (JSC::MarkedBlock::needsSweeping): It is only valid to sweep a block if it is in the Marked state.
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128262 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    • JSActivation should inline allocate its registers, and eliminate · 06a8bb6e
      ggaren@apple.com authored
      'arguments' registers in the common case
      https://bugs.webkit.org/show_bug.cgi?id=96427
      
      Reviewed by Filip Pizlo.
      
      This cuts the size class for simple closures down to 64 bytes.
      
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::BytecodeGenerator): Set the usesNonStrictEval
      flag, which is new. Use a more specific test for whether a function
      uses 'arguments', so we can avoid allocating, initializing, and tearing
      off those registers in the common case. Distinguish between capturing
      arguments and not, so we can avoid allocating space for arguments in
      the torn-off object.
      
      We can make this even more general in the future, with some bytecode
      generator refactoring.
      
      (JSC::BytecodeGenerator::resolve): Updated for new interface.
      
      * bytecompiler/BytecodeGenerator.h:
      (BytecodeGenerator):
      (JSC::BytecodeGenerator::symbolTable): Updated some types.
      
      * heap/Heap.cpp:
      (JSC::Heap::isValidAllocation): Allow large allocations, now that they
      are both supported and used.
      
      * heap/Heap.h:
      (Heap): Added a new form of allocateCell that specifies the full size
      of the allocation, to allow for extra space on the end.
      
      * interpreter/CallFrame.h:
      (JSC::ExecState::argumentOffset):
      (JSC::ExecState::argumentOffsetIncludingThis):
      * interpreter/Interpreter.cpp:
      (JSC::Interpreter::unwindCallFrame): Refactored this code to be more
      specific about tearing off 'arguments' vs activations. This is something
      I forgot in my last patch, and it is required now that we can have
      activations without 'arguments' registers.
      
      * runtime/Arguments.h:
      (JSC::Arguments::setRegisters): No need for setRegisters anymore because
      the activation object's storage doesn't change.
      
      * runtime/JSActivation.cpp:
      (JSC::JSActivation::JSActivation): Initialize our storage manually because
      it's not declared to the C++ compiler.
      
      (JSC::JSActivation::visitChildren): No copyAndAppend because our storage
      is not out-of-line anymore.
      
      (JSC::JSActivation::symbolTableGet):
      (JSC::JSActivation::symbolTablePut):
      (JSC::JSActivation::getOwnPropertyNames):
      (JSC::JSActivation::symbolTablePutWithAttributes):
      (JSC::JSActivation::getOwnPropertySlot):
      (JSC::JSActivation::getOwnPropertyDescriptor):
      (JSC::JSActivation::argumentsGetter): Refactored isTornOff() testing to
      avoid using a data member and to avoid hard-coding any offset assumptions.
      
      * runtime/JSActivation.h:
      (JSC):
      (JSActivation):
      (JSC::JSActivation::create):
      (JSC::JSActivation::isDynamicScope):
      (JSC::JSActivation::captureStart):
      (JSC::JSActivation::storageSize):
      (JSC::JSActivation::storageSizeInBytes):
      (JSC::JSActivation::registerOffset):
      (JSC::JSActivation::tearOff):
      (JSC::JSActivation::isTornOff):
      (JSC::JSActivation::storage):
      (JSC::JSActivation::allocationSize):
      (JSC::JSActivation::isValid): New helper functions for doing the math
      on our inline storage. Note that in the "AllOfTheThings" tear-off case,
      the number of things is not known at compile time, so we store the
      number in the argument count register. We can't just copy the raw contents
      of the register because we need a value that is safe for precise marking,
      and the value in the register file has an invalid tag.
      
      * runtime/JSCell.h:
      (JSC::allocateCell): New function for allocating with extra storage
      on the end.
      
      * runtime/JSSymbolTableObject.h:
      (JSC::JSSymbolTableObject::JSSymbolTableObject):
      (JSC::JSSymbolTableObject::finishCreation):
      * runtime/JSVariableObject.h:
      (JSC::JSVariableObject::JSVariableObject):
      (JSVariableObject): Make it easier for subclasses to use their symbol
      tables during construction, by passing the table as a constructor argument.
      
      * runtime/SymbolTable.h:
      (JSC::SharedSymbolTable::usesNonStrictEval):
      (JSC::SharedSymbolTable::setUsesNonStrictEval):
      (SharedSymbolTable):
      (JSC::SharedSymbolTable::captureMode):
      (JSC::SharedSymbolTable::setCaptureMode):
      (JSC::SharedSymbolTable::captureStart):
      (JSC::SharedSymbolTable::setCaptureStart):
      (JSC::SharedSymbolTable::captureEnd):
      (JSC::SharedSymbolTable::setCaptureEnd):
      (JSC::SharedSymbolTable::parameterCountIncludingThis):
      (JSC::SharedSymbolTable::setParameterCountIncludingThis):
      (JSC::SharedSymbolTable::SharedSymbolTable): Added data members to more
      precisely describe what kind of capture is in play, and to avoid having
      data members in the activation. We expect N activations per symbol table,
      so this can be a big savings in heavy closure usage.
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128260 268f45cc-cd09-0410-ab3c-d52691b4dbfc
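The message above describes moving an activation's registers from out-of-line storage to space allocated inline at the end of the cell, with the size computed from the symbol table (`captureStart`, `captureEnd`, `allocationSize`) and a new `allocateCell` form that takes the full size. The C snippet below is an added example, not JSC code, that shows the same shape with a flexible array member: the allocation size is computed with an overflow check, the captured registers are copied out of the frame at tear-off, and every read is bounds-checked against the capture window rather than trusting the caller's register index. The names (`Activation`, `activation_allocation_size`, `activation_get`, ...) are hypothetical, and the "frame" is just an array of words constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not JSC code: a cell whose variable-length register storage is
 * allocated inline at the end of the object, as the JSActivation change does. */
typedef uint64_t Register;

typedef struct {
    uint32_t captureStart; /* first captured register index (from the symbol table) */
    uint32_t captureCount; /* number of inline registers that follow the header */
    Register storage[];    /* C99 flexible array member: the inline registers */
} Activation;

/* Mirrors an allocationSize() helper: header plus captureCount registers.
 * Returns 0 if the multiplication would wrap, so callers never under-allocate. */
static size_t activation_allocation_size(uint32_t captureCount)
{
    if (captureCount > (SIZE_MAX - sizeof(Activation)) / sizeof(Register))
        return 0;
    return sizeof(Activation) + (size_t)captureCount * sizeof(Register);
}

/* tearOff: copy registers [captureStart, captureStart + captureCount) out of a
 * frame that is about to go away. frameSize is the number of valid registers. */
static Activation *activation_create(uint32_t captureStart, uint32_t captureCount,
                                     const Register *frame, size_t frameSize)
{
    size_t size = activation_allocation_size(captureCount);
    if (!size || captureStart > frameSize || captureCount > frameSize - captureStart)
        return NULL;
    Activation *a = malloc(size);
    if (!a)
        return NULL;
    a->captureStart = captureStart;
    a->captureCount = captureCount;
    /* The storage is not visible to the C compiler as a named field per register,
     * so initialize it by hand, as the commit message notes for JSActivation. */
    memcpy(a->storage, frame + captureStart, (size_t)captureCount * sizeof(Register));
    return a;
}

/* Read by absolute register index, as a symbolTableGet would; fails outside
 * the captured window instead of indexing past the inline storage. */
static int activation_get(const Activation *a, uint32_t registerIndex, Register *out)
{
    if (registerIndex < a->captureStart || registerIndex - a->captureStart >= a->captureCount)
        return 0;
    *out = a->storage[registerIndex - a->captureStart];
    return 1;
}
```

Keeping the capture window in the symbol table rather than in each activation is what the commit trades on; in this model the equivalent is that `captureStart`/`captureCount` are the only metadata, and every access is validated against them.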
    • Fix build break with LLINT on 32bit machine after r128219 · 22896bd5
      ryuan.choi@samsung.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96461
      
      Unreviewed build fix.
      
      * llint/LowLevelInterpreter32_64.asm: Fixed typo.
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128259 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    • Build fixed for http://trac.webkit.org/changeset/128243 · 1fd84272
      msaboff@apple.com authored
      Rubber stamped by Stephanie Lewis.
      
      Added missing include file needed by 96422.
      
      * icu/unicode/unorm2.h: Added.
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128250 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    • Build fixed for http://trac.webkit.org/changeset/128243 · b0ed152f
      msaboff@apple.com authored
      Rubber stamped by Stephanie Lewis.
      
      Added missing include file needed by 96422.
      
      * icu/unicode/ptypes.h: Added.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128246 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      b0ed152f
    • msaboff@apple.com's avatar
      Update ICU header files to more recent version · ac39e697
      msaboff@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96422
      
      Reviewed by Geoff Garen.
      
      Updated ICU header files to 4.6.1.  Modifications made as part of the merge are:
      platform.h - Changed ifndef / define / endif for U_HAVE_UINT8_T, U_HAVE_UINT16_T, U_HAVE_UINT32_T,
          U_HAVE_UINT64_T, U_IS_BIG_ENDIAN and U_ENABLE_TRACING to match the existing platform.h
      putil.h (line 132) - Changed defined(U_WINDOWS) to defined(WIN32) || defined(OS2) to match existing putil.h
      ustring.h (line 945) - Wrapped macro argument cs with { (const UChar *)cs } to match existing ustring.h
      utypes.h (line 545) - Changed defined(U_WINDOWS) to defined(WIN32) to match existing utypes.h
      
      Source/JavaScriptCore: 
      
      * icu/unicode/localpointer.h: Added.
      * icu/unicode/parseerr.h:
      * icu/unicode/platform.h:
      * icu/unicode/putil.h:
      * icu/unicode/uchar.h:
      * icu/unicode/ucnv.h:
      * icu/unicode/ucnv_err.h:
      * icu/unicode/ucol.h:
      * icu/unicode/uconfig.h:
      * icu/unicode/uenum.h:
      * icu/unicode/uiter.h:
      * icu/unicode/uloc.h:
      * icu/unicode/umachine.h:
      * icu/unicode/unorm.h:
      * icu/unicode/urename.h:
      * icu/unicode/uscript.h:
      * icu/unicode/uset.h:
      * icu/unicode/ustring.h:
      * icu/unicode/utf.h:
      * icu/unicode/utf16.h:
      * icu/unicode/utf8.h:
      * icu/unicode/utypes.h:
      * icu/unicode/uvernum.h: Added.
      * icu/unicode/uversion.h:
      
      Source/WebCore: 
      
      Updated include files without any function change so no new tests.
      
      * icu/unicode/localpointer.h: Added.
      * icu/unicode/parseerr.h:
      * icu/unicode/platform.h:
      * icu/unicode/putil.h:
      * icu/unicode/ubrk.h:
      * icu/unicode/uchar.h:
      * icu/unicode/ucnv.h:
      * icu/unicode/ucnv_err.h:
      * icu/unicode/ucol.h:
      * icu/unicode/ucoleitr.h:
      * icu/unicode/uconfig.h:
      * icu/unicode/ucsdet.h:
      * icu/unicode/uenum.h:
      * icu/unicode/uidna.h:
      * icu/unicode/uiter.h:
      * icu/unicode/uloc.h:
      * icu/unicode/umachine.h:
      * icu/unicode/unorm.h:
      * icu/unicode/urename.h:
      * icu/unicode/uscript.h:
      * icu/unicode/usearch.h:
      * icu/unicode/uset.h:
      * icu/unicode/ushape.h:
      * icu/unicode/ustring.h:
      * icu/unicode/utext.h: Added.
      * icu/unicode/utf.h:
      * icu/unicode/utf16.h:
      * icu/unicode/utf8.h:
      * icu/unicode/utypes.h:
      * icu/unicode/uvernum.h: Added.
      * icu/unicode/uversion.h:
      
      Source/WebKit/mac: 
      
      * icu/unicode/localpointer.h: Added.
      * icu/unicode/parseerr.h:
      * icu/unicode/platform.h:
      * icu/unicode/putil.h:
      * icu/unicode/uchar.h:
      * icu/unicode/uconfig.h:
      * icu/unicode/uidna.h:
      * icu/unicode/uiter.h:
      * icu/unicode/umachine.h:
      * icu/unicode/unorm.h:
      * icu/unicode/urename.h:
      * icu/unicode/uscript.h:
      * icu/unicode/ustring.h:
      * icu/unicode/utf.h:
      * icu/unicode/utf16.h:
      * icu/unicode/utf8.h:
      * icu/unicode/utypes.h:
      * icu/unicode/uvernum.h: Added.
      * icu/unicode/uversion.h:
      
      Source/WTF: 
      
      * icu/unicode/localpointer.h: Added.
      * icu/unicode/parseerr.h:
      * icu/unicode/platform.h:
      * icu/unicode/putil.h:
      * icu/unicode/uchar.h:
      * icu/unicode/ucnv.h:
      * icu/unicode/ucnv_err.h:
      * icu/unicode/ucol.h:
      * icu/unicode/uconfig.h:
      * icu/unicode/uenum.h:
      * icu/unicode/uiter.h:
      * icu/unicode/uloc.h:
      * icu/unicode/umachine.h:
      * icu/unicode/unorm.h:
      * icu/unicode/urename.h:
      * icu/unicode/uscript.h:
      * icu/unicode/uset.h:
      * icu/unicode/ustring.h:
      * icu/unicode/utf.h:
      * icu/unicode/utf16.h:
      * icu/unicode/utf8.h:
      * icu/unicode/utypes.h:
      * icu/unicode/uvernum.h: Added.
      * icu/unicode/uversion.h:
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128243 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      ac39e697
    • mlilek@apple.com's avatar
      OS X port should compile with newer versions of clang · 431ac37c
      mlilek@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96434
      
      Source/JavaScriptCore: 
      
      m_identIsVarDecl is unused - remove it.
      
      Reviewed by Anders Carlsson.
      
      * parser/NodeConstructors.h:
      (JSC::ForInNode::ForInNode):
      * parser/Nodes.h:
      (ForInNode):
      
      Source/WebCore: 
      
      Reviewed by Anders Carlsson.
      
      Guard m_hasTouchEventHandler behind ENABLE(TOUCH_EVENTS).
      * html/HTMLInputElement.cpp:
      (WebCore::HTMLInputElement::HTMLInputElement):
      * html/HTMLInputElement.h:
      (HTMLInputElement):
      
      Fix uninitialized variable.
      * platform/graphics/cg/GraphicsContextCG.cpp:
      (WebCore::createLinearSRGBColorSpace):
      
      Source/WebKit/mac: 
      
      m_isTerminated is unused in the Hosted flavor of NetscapePluginStream.
      
      Reviewed by Anders Carlsson.
      
      * Plugins/Hosted/HostedNetscapePluginStream.h:
      (HostedNetscapePluginStream):
      * Plugins/Hosted/HostedNetscapePluginStream.mm:
      (WebKit::HostedNetscapePluginStream::HostedNetscapePluginStream):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128234 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      431ac37c
    • fpizlo@apple.com's avatar
      LLInt should optimize and profile array length accesses · 4cafdbd1
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96417
      
      Reviewed by Oliver Hunt.
      
      This fixes the following hole in our array profiling strategy, where the array
      is large (more than 1000 elements):
              
      for (var i = 0; i < array.length; ++i) ...
              
      The peeled use of array.length (in the array prologue) will execute only once
      before DFG optimization kicks in from the loop's OSR point. Since it executed
      only once, it executed in the LLInt. And prior to this patch, the LLInt did
      not profile array.length accesses - so the DFG will assume, based on the lack
      of profiling, that the access is in fact not an access to the JSArray length
      property. That could then impede our ability to hoist the array structure
      check, and may make us pessimistic in other ways as well, since the generic
      GetById used for the array length access will be viewed as a side-effecting
      operation.
      
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::printGetByIdCacheStatus):
      (JSC::CodeBlock::finalizeUnconditionally):
      * bytecode/GetByIdStatus.cpp:
      (JSC::GetByIdStatus::computeFromLLInt):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCapabilities.h:
      (JSC::DFG::canCompileOpcode):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * jit/JIT.cpp:
      (JSC::JIT::privateCompileMainPass):
      (JSC::JIT::privateCompileSlowCases):
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::LLINT_SLOW_PATH_DECL):
      * llint/LowLevelInterpreter.asm:
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128219 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      4cafdbd1
    • rakuco@webkit.org's avatar
      [EFL] Rewrite the EFL-related Find modules · 72080605
      rakuco@webkit.org authored
      https://bugs.webkit.org/show_bug.cgi?id=95237
      
      Reviewed by Kenneth Rohde Christiansen.
      
      .:
      
      FindEFL.cmake had several problems which caused unnecessary trouble
      when building the EFL port under some setups:
      
      o It looked for some modules (such as ecore) more than once for no
      reason, which led to people adding libraries and include paths in
      different ways across the build system.
      
      o It depended on pkg-config being present for the searches to
      succeed.
      
      o It obtained the library definitions from pkg-config, so
      ${FOO_LIBRARIES} would be set to something like "foo;bar" which
      expanded to "-lfoo -lbar" to the linker. If a wrong -L<path> was
      passed before that, the wrong library installation would end up
      being picked up.
      
      o Due to the problem above, we also needed to set the LINK_FLAGS
      property for each target with the value of ${FOO_LDFLAGS}, which was
      also obtained from pkg-config and sort of compensated the fact that
      the libraries did not use absolute paths and added the required -L
      paths. This also included dependencies for these libraries, so we
      ended up including libraries indirectly, which is bad.
      
      We have now replaced that file with a set of Find-modules which are
      much more granular, each of them responsible for looking for a
      single library and its components and setting library and include
      locations the right way (with FIND_PATH() and FIND_LIBRARY()), so
      that all the problems above are fixed.
      
      * Source/cmake/EFLHelpers.cmake: Added.
      * Source/cmake/FindEDBus.cmake: Added.
      * Source/cmake/FindEFL.cmake: Removed.
      * Source/cmake/FindEcore.cmake: Added.
      * Source/cmake/FindEdje.cmake: Added.
      * Source/cmake/FindEeze.cmake: Added.
      * Source/cmake/FindEfreet.cmake: Added.
      * Source/cmake/FindEina.cmake: Added.
      * Source/cmake/FindEvas.cmake: Added.
      * Source/cmake/OptionsEfl.cmake:
      
      Source/JavaScriptCore:
      
      * CMakeLists.txt: Stop setting the LINK_FLAGS property.
      * PlatformEfl.cmake: Ditto.
      * shell/PlatformEfl.cmake: Ditto.
      
      Source/WebCore:
      
      * CMakeLists.txt: Stop setting the LINK_FLAGS property now that no
      port sets WebCore_LINK_FLAGS.
      * PlatformEfl.cmake: Add libraries and include directories for
      each Enlightenment Foundation Library used by the port.
      
      Source/WebKit:
      
      * PlatformEfl.cmake: Stop setting the LINK_FLAGS property and add
      libraries and include directories for each Enlightenment
      Foundation Library used by the port.
      
      Source/WebKit2:
      
      * CMakeLists.txt: Stop setting the LINK_FLAGS property.
      * PlatformEfl.cmake: Add libraries and include directories for
      each Enlightenment Foundation Library used by the port.
      
      Source/WTF:
      
      * CMakeLists.txt: Stop setting the LINK_FLAGS property.
      * PlatformEfl.cmake: Add libraries and include directories for
      each Enlightenment Foundation Library used by the port.
      
      Tools:
      
      * DumpRenderTree/efl/CMakeLists.txt: Stop setting the LINK_FLAGS
      property and include all the Enlightenment Foundation Libraries
      required by the target.
      * EWebLauncher/CMakeLists.txt: Ditto.
      * MiniBrowser/efl/CMakeLists.txt: Ditto.
      * TestWebKitAPI/PlatformEfl.cmake: Add missing include directories
      now that they are not added implicitly.
      * WebKitTestRunner/CMakeLists.txt: Stop setting the LINK_FLAGS
      property.
      * WebKitTestRunner/PlatformEfl.cmake: Stop setting the LINK_FLAGS
      property and include all the Enlightenment Foundation Libraries
      required by the target.
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128191 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      72080605
    • rakuco@webkit.org's avatar
      [EFL] Unreviewed build fix after r128065. · 10e70b09
      rakuco@webkit.org authored
      * CMakeLists.txt: Link against WTF for FastMalloc symbols, which
      are needed when building with SYSTEM_MALLOC off.
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128172 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      10e70b09
  7. 10 Sep, 2012 6 commits
    • mhahnenberg@apple.com's avatar
      Remove m_classInfo from JSCell · bd52e3e5
      mhahnenberg@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96311
      
      Reviewed by Oliver Hunt.
      
      Now that no one is using the ClassInfo in JSCell, we can remove it for the greater good. This is a 1.5% win on v8v7 and
      a 1.7% win on kraken, and is an overall performance progression.
      
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject): Had to rearrange the order of when we take things off the free list
      and when we store the Structure in the object because we would clobber the free list otherwise. This made it not okay for
      the structure argument and the scratch register to alias one another. Also removed the store of the ClassInfo pointer in the
      object. Yay!
      (SpeculativeJIT):
      * dfg/DFGSpeculativeJIT32_64.cpp: Since it's no longer okay for the scratch register and structure register to alias
      one another as stated above, had to add an extra temporary for passing the Structure.
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp: Ditto.
      (JSC::DFG::SpeculativeJIT::compile):
      * jit/JITInlineMethods.h:
      (JSC::JIT::emitAllocateBasicJSObject): Similar changes to DFG's inline allocation except that it removed the object from
      the free list first, so no changes were necessary there.
      * llint/LowLevelInterpreter.asm: Change the constants for amount of inline storage to match PropertyOffset.h and remove
      the store of the ClassInfo pointer during inline allocation.
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * runtime/JSCell.h: Remove the m_classInfo field and associated methods.
      (JSCell):
      * runtime/JSObject.h:
      (JSObject):
      * runtime/PropertyOffset.h: Expand the number of inline storage properties to take up the extra space that we're freeing
      with the removal of the ClassInfo pointer.
      (JSC):
      * runtime/Structure.h:
      (JSC):
      (JSC::JSCell::JSCell):
      (JSC::JSCell::finishCreation):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128146 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      bd52e3e5
    • ggaren@apple.com's avatar
      Added large allocation support to MarkedSpace · 6159e5f9
      ggaren@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96214
      
      Originally reviewed by Oliver Hunt, then I added a design revision
      suggested by Phil Pizlo.
      
      I expanded the imprecise size classes to cover up to 32KB, then added
      an mmap-based allocator for everything bigger. There's a lot of tuning
      we could do in these size classes, but currently they're almost
      completely unused, so I haven't done any tuning.
      
      Subtle point: the large allocator is a degenerate case of our free list
      logic. Its list only ever contains zero or one items.
      
      * heap/Heap.h:
      (JSC::Heap::allocateStructure): Pipe in size information.
      
      * heap/MarkedAllocator.cpp:
      (JSC::MarkedAllocator::tryAllocateHelper): Handle the case where we
      find a free item in the sweep list but the item isn't big enough. This
      can happen in the large allocator because it mixes sizes.
      
      (JSC::MarkedAllocator::tryAllocate):
      (JSC::MarkedAllocator::allocateSlowCase): More piping.
      
      (JSC::MarkedAllocator::allocateBlock): Handle the oversize case.
      
      (JSC::MarkedAllocator::addBlock): I moved the call to didAddBlock here
      because it made more sense.
      
      * heap/MarkedAllocator.h:
      (MarkedAllocator):
      (JSC::MarkedAllocator::allocate):
      * heap/MarkedSpace.cpp:
      (JSC::MarkedSpace::MarkedSpace):
      (JSC::MarkedSpace::resetAllocators):
      (JSC::MarkedSpace::canonicalizeCellLivenessData):
      (JSC::MarkedSpace::isPagedOut):
      (JSC::MarkedSpace::freeBlock):
      * heap/MarkedSpace.h:
      (MarkedSpace):
      (JSC::MarkedSpace::allocatorFor):
      (JSC::MarkedSpace::destructorAllocatorFor):
      (JSC::MarkedSpace::allocateWithoutDestructor):
      (JSC::MarkedSpace::allocateWithDestructor):
      (JSC::MarkedSpace::allocateStructure):
      (JSC::MarkedSpace::forEachBlock):
      * runtime/Structure.h:
      (JSC::Structure): More piping.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128141 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      6159e5f9
    • ggaren@apple.com's avatar
      Try to fix the Windows (32-bit) build. · 3dd01f57
      ggaren@apple.com authored
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_tear_off_arguments):
      * jit/JITOpcodes32_64.cpp:
      (JSC::JIT::emit_op_tear_off_arguments): Get operands 1 and 2, not 1 and 1. :(
      
      Also took this opportunity to rename to indicate that these values are
      not destinations anymore.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128122 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      3dd01f57
    • ggaren@apple.com's avatar
      DFG misses arguments tear-off for function.arguments if 'arguments' is used · 84a6102f
      ggaren@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96227
      
      Reviewed by Gavin Barraclough.
      
      Source/JavaScriptCore: 
      
      We've decided not to allow function.arguments to alias the local
      'arguments' object, or a local var or function named 'arguments'.
      Aliasing complicates the implementation (cf, this bug) and can produce
      surprising behavior for web programmers.
      
      Eliminating the aliasing has the side-effect of fixing this bug.
      
      The compatibility story: function.arguments is deprecated, was never
      specified, and throws an exception in strict mode, so we expect it to
      disappear over time. Firefox does not alias to 'arguments'; Chrome
      does, but not if you use eval or with; IE does; Safari did.
      
      * dfg/DFGByteCodeParser.cpp: Noticed a little cleanup while verifying
      this code. Use the CodeBlock method for better encapsulation.
      
      * interpreter/Interpreter.cpp:
      (JSC::Interpreter::retrieveArgumentsFromVMCode): Behavior change: don't
      alias.
      
      * tests/mozilla/js1_4/Functions/function-001.js:
      (TestFunction_4): Updated test expectations for changed behavior.
      
      LayoutTests: 
      
      New test, and updated expectations.
       
      * fast/js/script-tests/function-dot-arguments.js:
      * fast/js/function-dot-arguments-expected.txt: Updated for new behavior.
      
      * fast/js/dfg-tear-off-function-dot-arguments.html:
      * fast/js/script-tests/dfg-tear-off-function-dot-arguments.js: Added. New test for bug cited here.
      
      * fast/js/function-dot-arguments-identity-expected.txt:
      * fast/js/function-dot-arguments-identity.html: Added. New test for new behavior.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128111 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      84a6102f
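The aliasing question r128111 settles can be probed from script. The block below is an added example, not WebKit or JavaScriptCore code: it reports whether the running engine hands back the same object for the local 'arguments' and the legacy fn.arguments property, and checks the two behaviours that hold in every engine (both views agree on the actual call arguments, and strict-mode functions refuse the property). The sloppy-mode probes are built with the Function constructor so they stay sloppy even if this file is loaded as a strict ES module; that construction is this example's choice, not something the commit describes.

```javascript
// Added example (not WebKit/JSC code). Probes the legacy, non-standard
// fn.arguments property whose aliasing behaviour the commit message changes.

// Sloppy-mode probe built via the Function constructor: Function bodies are
// sloppy unless they opt in, so fn.arguments stays readable even when this
// file is loaded as a strict ES module. fn.arguments is reached through
// arguments.callee, which is the function itself in sloppy mode.
var sloppyProbe = new Function('a', 'b', [
  'var local = arguments;',                  // the real arguments object
  'var legacy = arguments.callee.arguments;', // legacy fn.arguments view',
  'return {',
  // Engine-dependent: pre-r128111 Safari returned the same object here,
  // Firefox (and JSC after the change) a distinct one. Reported, not asserted.
  '  sameObject: local === legacy,',
  // Engine-independent: both views describe the same call.
  '  legacyLength: legacy.length,',
  '  legacyFirst: legacy[0],',
  '  legacySecond: legacy[1],',
  '  localLength: local.length',
  '};'
].join('\n'));

// Runs the probe with constructed sample arguments and returns its report.
function probeFunctionDotArguments() {
  return sloppyProbe('x', 'y');
}

// Once the call has returned there is no active frame behind the property,
// so a sloppy function's .arguments reads as null.
function legacyArgumentsAfterReturn() {
  var f = new Function('return 1;');
  f();
  return f.arguments;
}

// Strict-mode functions must not expose .arguments at all (ES5); reading it
// throws a TypeError. This is the "throws an exception in strict mode" the
// commit message relies on.
function strictFunctionArgumentsThrows() {
  function g() { 'use strict'; return g.arguments; }
  try {
    g();
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Stand-alone usage: print the engine's answers.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(probeFunctionDotArguments());
  console.log('after return:', legacyArgumentsAfterReturn());
  console.log('strict throws:', strictFunctionArgumentsThrows());
}
```

Only `sameObject` varies between engines; it is the observable the commit removes from JSC. The other fields are what any engine that still ships the legacy property must report.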
    • fpizlo@apple.com's avatar
      offlineasm has some impossible to implement, and unused, instructions · 5e605883
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96310
      
      Reviewed by Mark Hahnenberg.
      
      * offlineasm/armv7.rb:
      * offlineasm/instructions.rb:
      * offlineasm/x86.rb:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128100 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      5e605883
    • ggaren@apple.com's avatar
      Refactored op_tear_off* to support activations that don't allocate space for 'arguments' · 63a291eb
      ggaren@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96231
      
      Reviewed by Gavin Barraclough.
      
      This is a step toward smaller activations.
      
      As a side-effect, this patch eliminates a load and branch from the hot path
      of activation tear-off by moving it to the cold path of arguments tear-off. Our
      optimizing assumptions are that activations are common and that reifying the
      arguments object is less common.
      
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::dump):
      * bytecode/Opcode.h:
      (JSC::padOpcodeName): Updated for new opcode lengths.
      
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::BytecodeGenerator):
      (JSC::BytecodeGenerator::addConstantValue): Added support for JSValue()
      in the bytecode, which we use when we have 'arguments' but no activation.
      
      (JSC::BytecodeGenerator::emitReturn): Always emit tear_off_arguments
      if we've allocated the arguments registers. This allows tear_off_activation
      not to worry about the arguments object anymore.
      
      Also, pass the activation and arguments values directly to these opcodes
      instead of requiring the opcodes to infer the values through special
      registers. This gives us more flexibility to move or eliminate registers.
      
      * dfg/DFGArgumentsSimplificationPhase.cpp:
      (JSC::DFG::ArgumentsSimplificationPhase::run):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGNode.h:
      (Node): Updated for new opcode lengths.
      
      * dfg/DFGOperations.cpp: Activation tear-off doesn't worry about the
      arguments object anymore. If 'arguments' is in use and reified, it's
      responsible for aliasing back to the activation object in tear_off_arguments.
      
      * dfg/DFGOperations.h:
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      (SpeculativeJIT):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile): Don't pass the arguments object to
      activation tear-off; do pass the activation object to arguments tear-off.
      
      * interpreter/Interpreter.cpp:
      (JSC::Interpreter::privateExecute): Ditto.
      
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_tear_off_activation):
      (JSC::JIT::emit_op_tear_off_arguments):
      * jit/JITOpcodes32_64.cpp:
      (JSC::JIT::emit_op_tear_off_activation):
      (JSC::JIT::emit_op_tear_off_arguments):
      * jit/JITStubs.cpp:
      (JSC::DEFINE_STUB_FUNCTION):
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::LLINT_SLOW_PATH_DECL):
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm: Same change in a few more execution engines.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128096 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      63a291eb