2012-10-16 Lucas Forschler Merge 2012-10-10 Filip Pizlo SUSundance: JSArray::sort with an evil compare function allows access into arbitrary memory Reviewed by Geoffrey Garen. This patch correctly omits the removal of the !header check in unshift(). * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncSort): * runtime/JSArray.cpp: (JSC::JSArray::sortNumeric): (JSC::JSArray::sort): (JSC::JSArray::compactForSorting): * runtime/JSArray.h: (JSArray): (JSC::JSArray::hasSparseMap): 2012-10-16 Lucas Forschler Merge r129577 2012-09-25 Filip Pizlo We shouldn't use the optimized versions of shift/unshift if the user is doing crazy things to the array https://bugs.webkit.org/show_bug.cgi?id=97603 Reviewed by Gavin Barraclough. You changed the length behind our backs? No optimizations for you then! * runtime/ArrayPrototype.cpp: (JSC::shift): (JSC::unshift): * runtime/JSArray.cpp: (JSC::JSArray::shiftCount): 2012-08-14 Lucas Forschler Merge r124272. 2012-07-31 Sam Weinig Fix the Windows build. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: 2012-08-14 Lucas Forschler Merge r124268. 2012-07-31 Sam Weinig Stop masking 8 bits off of the visited link hash. We need all the bits! https://bugs.webkit.org/show_bug.cgi?id=92799 Reviewed by Anders Carlsson. * runtime/Identifier.cpp: (JSC::IdentifierCStringTranslator::hash): (JSC::IdentifierLCharFromUCharTranslator::hash): * runtime/Identifier.h: (JSC::IdentifierCharBufferTranslator::hash): Update for new function names. 2012-08-10 Lucas Forschler Windows build fix after merging radar 12050720. Add missing symbols. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: 2012-08-10 Lucas Forschler Windows build fix after merging radar 12050720. Part 2 - removing symbols. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: 2012-08-10 Lucas Forschler Windows Build fix after merging radar 12050720. * runtime/JSLock.cpp: (JSC::JSLock::DropAllLocks::DropAllLocks): 2012-08-06 Lucas Forschler Merge patch for 2012-07-24 Filip Pizlo DFG method checks should keep the receiver of the property access alive until all checks complete. Reviewed by Gavin Barraclough. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): 2012-08-02 Lucas Forschler Merge 121307 2012-06-26 Filip Pizlo DFG PutByValAlias is too aggressive https://bugs.webkit.org/show_bug.cgi?id=90026 Reviewed by Gavin Barraclough. For CSE on normal arrays, we now treat PutByVal as impure. This does not appear to affect performance by much. For CSE on typed arrays, we fix PutByValAlias by making GetByVal speculate that the access is within bounds. This also has the effect of making our out-of-bounds handling consistent with WebCore. * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::performNodeCSE): * dfg/DFGGraph.h: (JSC::DFG::Graph::byValIsPure): (JSC::DFG::Graph::clobbersWorld): * dfg/DFGNodeType.h: (DFG): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray): (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray): 2012-07-30 Lucas Forschler Merge 121391 2012-06-27 Filip Pizlo Javascript SHA-512 gives wrong hash on second and subsequent runs unless Web Inspector Javascript Debugging is on https://bugs.webkit.org/show_bug.cgi?id=90053 Reviewed by Mark Hahnenberg. The problem is that the code was assuming that the recovery should be Undefined if the source of the SetLocal was !shouldGenerate(). But that's wrong, since the DFG optimizer may skip around a UInt32ToNumber node (hence making it !shouldGenerate()) and keep the source of that node alive. In that case we should base the recovery on the source of the UInt32ToNumber. The logic for this was already in place but the fast check for !shouldGenerate() broke it. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor): 2012-06-06 Mark Rowe Merge r118995. 2012-05-30 Oliver Hunt Really provide error information with the inspector disabled https://bugs.webkit.org/show_bug.cgi?id=87910 Reviewed by Filip Pizlo. Don't bother checking for anything other than pre-existing error info. In the absence of complete line number information you'll only get the line a function starts on, but at least it's something. * interpreter/Interpreter.cpp: (JSC::Interpreter::throwException): 2012-06-06 Mark Rowe Merge r118992. 2012-05-30 Filip Pizlo LLInt broken on x86-32 with JIT turned off https://bugs.webkit.org/show_bug.cgi?id=87906 Reviewed by Geoffrey Garen. Fixed the code to not clobber registers that contain important things, like the call frame. * llint/LowLevelInterpreter32_64.asm: 2012-05-31 Ojan Vafai add back the ability to disable flexbox https://bugs.webkit.org/show_bug.cgi?id=87147 Reviewed by Tony Chang. * Configurations/FeatureDefines.xcconfig: 2012-05-31 Tim Horton Disable CSS3 flexbox Reviewed by John Sullivan. * Configurations/FeatureDefines.xcconfig: 2012-05-31 Tim Horton Add feature defines for web-facing parts of CSS Regions and Exclusions https://bugs.webkit.org/show_bug.cgi?id=87442 Reviewed by Dan Bernstein. * Configurations/FeatureDefines.xcconfig: 2012-05-30 Lucas Forschler Merge 118956 2012-05-30 Oliver Hunt DFG does not correctly handle exceptions caught in the LLInt https://bugs.webkit.org/show_bug.cgi?id=87885 Reviewed by Filip Pizlo. Make the DFG use genericThrow, rather than reimplementing a small portion of it. Also make the LLInt slow paths validate that their PC is correct. * dfg/DFGOperations.cpp: * llint/LLIntSlowPaths.cpp: (LLInt): 2012-05-30 Lucas Forschler Merge 118810 2012-05-29 Mark Hahnenberg CopiedSpace::doneCopying could start another collection https://bugs.webkit.org/show_bug.cgi?id=86538 Reviewed by Geoffrey Garen. It's possible that if we don't have anything at the head of to-space after a collection and the BlockAllocator doesn't have any fresh blocks to give us right now we could start another collection while still in the middle of the first collection when we call CopiedSpace::addNewBlock(). One way to resolve this would be to have Heap::shouldCollect() check that m_operationInProgress is NoOperation. This would prevent the path in getFreshBlock() that starts the collection if we're already in the middle of one. I could not come up with a test case to reproduce this crash on ToT. * heap/Heap.h: (JSC::Heap::shouldCollect): We shouldn't collect if we're already in the middle of a collection, i.e. the current operation should be NoOperation. 2012-05-30 Lucas Forschler Merge 2012-05-23 Lucas Forschler Merge 117860 2012-05-21 Michael Saboff Cleanup of Calls to operationStrCat and operationNewArray and Use Constructor after r117729 https://bugs.webkit.org/show_bug.cgi?id=87027 Reviewed by Oliver Hunt. Change calls to operationStrCat and operationNewArray to provide the pointer to the EncodedJSValue* data buffer instead of the ScratchBuffer that contains it. Added a ScratchBuffer::create() function. This is a clean-up to r117729. * dfg/DFGOperations.cpp: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * runtime/JSGlobalData.h: (JSC::ScratchBuffer::create): (JSC::ScratchBuffer::dataBuffer): (JSC::JSGlobalData::scratchBufferForSize): 2012-05-23 Lucas Forschler Merge 117729 2012-05-20 Michael Saboff JSGlobalData ScratchBuffers Are Not Visited During Garbage Collection https://bugs.webkit.org/show_bug.cgi?id=86553 Reviewed by Gavin Barraclough. Scratch buffers can contain the only reference to live objects. Therefore visit scratch buffer contents as conservative roots. Changed the scratch buffers to be a struct with an "active" length and the actual buffer. The users of the scratch buffer emit code where needed to set and clear the active length as appropriate. During marking, the active count is used for conservative marking. * dfg/DFGAssemblyHelpers.h: (JSC::DFG::AssemblyHelpers::debugCall): * dfg/DFGOSRExitCompiler32_64.cpp: (JSC::DFG::OSRExitCompiler::compileExit): * dfg/DFGOSRExitCompiler64.cpp: (JSC::DFG::OSRExitCompiler::compileExit): * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGThunks.cpp: (JSC::DFG::osrExitGenerationThunkGenerator): * heap/Heap.cpp: (JSC::Heap::markRoots): * runtime/JSGlobalData.cpp: (JSC::JSGlobalData::gatherConservativeRoots): * runtime/JSGlobalData.h: (JSC::ScratchBuffer::ScratchBuffer): (ScratchBuffer): (JSC::ScratchBuffer::allocationSize): (JSC::ScratchBuffer::setActiveLength): (JSC::ScratchBuffer::activeLength): (JSC::ScratchBuffer::activeLengthPtr): (JSC::ScratchBuffer::dataBuffer): (JSGlobalData): (JSC::JSGlobalData::scratchBufferForSize): 2012-05-21 Lucas Forschler Merge 117523 2012-05-17 Filip Pizlo Setting array index -1 and looping over array causes bad behavior https://bugs.webkit.org/show_bug.cgi?id=86733 Reviewed by Oliver Hunt. * dfg/DFGOperations.cpp: 2012-05-21 Lucas Forschler Merge 117193 2012-05-15 Oliver Hunt Make error information available even if all we have is line number information. https://bugs.webkit.org/show_bug.cgi?id=86547 Reviewed by Filip Pizlo. We don't need expression information to generate useful line, file, and stack information, so only require that we have line number info available. * interpreter/Interpreter.cpp: (JSC::Interpreter::throwException): * runtime/Executable.h: (JSC): 2012-05-21 Lucas Forschler Merge 117201 2012-05-15 Mark Hahnenberg Block freeing thread should not free blocks when we are actively requesting them https://bugs.webkit.org/show_bug.cgi?id=86519 Reviewed by Geoff Garen. * heap/BlockAllocator.h: (JSC::BlockAllocator::allocate): Reordering the setting of the flag so its done while we hold the lock to ensure proper locking. 2012-05-21 Lucas Forschler Merge 117183 2012-05-15 Mark Hahnenberg Block freeing thread should not free blocks when we are actively requesting them https://bugs.webkit.org/show_bug.cgi?id=86519 Reviewed by Geoffrey Garen. The block freeing thread shoots us in the foot if it decides to run while we're actively requesting blocks and returning them. This situation can arise when there is a lot of copying collection going on in steady state. We allocate a large swath of pages to copy into, then we return all the newly free old pages to the BlockAllocator. In this state, if the block freeing thread wakes up in between collections (which is more likely than it waking up during a collection) and frees half of these pages, they will be needed almost immediately during the next collection, causing a storm of VM allocations which we know are going to be very slow. What we'd like is for when things have quieted down the block freeing thread can then return memory to the OS. Usually this will be when a page has fully loaded and has a low allocation rate. In this situation, our opportunistic collections will only be running at least every few seconds, thus the extra time spent doing VM allocations won't matter nearly as much as, say, while a page is loading. * heap/BlockAllocator.cpp: (JSC::BlockAllocator::BlockAllocator): Initialize our new field. (JSC::BlockAllocator::blockFreeingThreadMain): We check if we've seen any block requests recently. If so, reset our flag and go back to sleep. We also don't bother with locking here. If we miss out on an update, we'll see it when we wake up again. * heap/BlockAllocator.h: Add new field to track whether or not we've received recent block requests. (BlockAllocator): (JSC::BlockAllocator::allocate): If we receive a request for a block, set our field that tracks that to true. We don't bother locking since we assume that writing to a bool is atomic. 2012-05-15 Lucas Forschler Merge 116785 2012-05-11 Sam Weinig Fix crash seen when running with libgmalloc https://bugs.webkit.org/show_bug.cgi?id=86232 Reviewed by Gavin Barraclough. * heap/MarkStack.cpp: (JSC::MarkStackThreadSharedData::markingThreadMain): Don't delete the SlotVisitor before the ParallelModeEnabler has had a chance to run its destructor. 2012-05-15 Sam Weinig ENABLE_IFRAME_SEAMLESS should be turned off on the branch Reviewed by Andy Estes. * Configurations/FeatureDefines.xcconfig: Disable ENABLE_IFRAME_SEAMLESS. 2012-05-15 Lucas Forschler Merge 116925 2012-05-13 Filip Pizlo DFG performs incorrect constant folding on double-to-uint32 conversion in Uint32Array PutByVal https://bugs.webkit.org/show_bug.cgi?id=86330 Reviewed by Darin Adler. static_cast(d) is wrong, since JS semantics require us to use toInt32(d). In particular, C++ casts on typical hardware (like x86 and similar) will return 0x80000000 for double values that are out of range of the int32 domain (i.e. less than -2^31 or greater than or equal to 2^31). But JS semantics call for wrap-around; for example the double value 4294967297 ought to become the int32 value 1, not 0x80000000. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray): 2012-05-15 Lucas Forschler Merge 116809 2012-05-11 Geoffrey Garen Clarified JSGlobalData (JavaScript VM) lifetime https://bugs.webkit.org/show_bug.cgi?id=85142 Reviewed by Alexey Proskuryakov. (Follow-up fix.) * API/JSContextRef.cpp: (JSGlobalContextCreate): Restored some code I removed because I misread an #ifdef. (We don't need to test BUILDING_ON_LEOPARD, but we still need the linked-on test, because apps might have been linked on older OS's.) 2012-05-15 Lucas Forschler Merge 116813 2012-05-11 Filip Pizlo JIT memory allocator is not returning memory to the OS on Darwin https://bugs.webkit.org/show_bug.cgi?id=86047 Reviewed by Geoff Garen. * jit/ExecutableAllocatorFixedVMPool.cpp: (JSC::FixedVMPoolExecutableAllocator::notifyPageIsFree): 2012-05-15 Lucas Forschler Merge 116593 2012-05-09 Filip Pizlo JIT memory allocator is not returning memory to the OS on Darwin https://bugs.webkit.org/show_bug.cgi?id=86047 Reviewed by Geoff Garen. Work around the problem by using a different madvise() flag, but only for the JIT memory allocator. Also put in ASSERTs that the call is actually working. * jit/ExecutableAllocatorFixedVMPool.cpp: (JSC::FixedVMPoolExecutableAllocator::notifyNeedPage): (JSC::FixedVMPoolExecutableAllocator::notifyPageIsFree): 2012-05-15 Lucas Forschler Merge 116565 2012-05-09 Mark Hahnenberg CopiedSpace does not add pinned blocks back to the to-space filter https://bugs.webkit.org/show_bug.cgi?id=86011 Reviewed by Geoffrey Garen. After a collection has finished, we go through the blocks in from-space and move any of them that are pinned into to-space. At the beginning of collection, we reset the to-space block filter that is used during conservative scanning and add back the blocks that are filled during the collection. However, we neglect to add back those blocks that are moved from from-space to to-space, which can cause the conservative scan to think that some pinned items are not actually in CopiedSpace. * heap/CopiedSpace.cpp: (JSC::CopiedSpace::doneCopying): Add the pinned blocks back to the to-space filter. Also added a comment and assert for future readers that indicates that it's okay that we don't also add the block to the to-space block set since it was never removed. 2012-05-15 Lucas Forschler Merge 116484 2012-05-08 Mark Hahnenberg Heap should not continually allocate new pages in steady state https://bugs.webkit.org/show_bug.cgi?id=85936 Reviewed by Geoff Garen. Currently, in steady state (i.e. a constant amount of live GC memory with a constant rate of allocation) assuming we've just finished a collection with X live blocks in CopiedSpace, we increase our working set by X blocks in CopiedSpace with each collection we perform. This is due to the fact that we allocate until we run out of free blocks to use in the Heap before we consider whether we should run a collection. In the longer term, this issue will be mostly resolved by implementing quick release for the CopiedSpace. In the shorter term, we should change our policy to check whether we should allocate before trying to use a free block from the Heap. We can change our policy to something more appropriate once we have implemented quick release. This change should also have the convenient side effect of reducing the variance in GC-heavy tests (e.g. v8-splay) due to fact that we are doing less VM allocation during copying collection. Overall, this patch is performance neutral across the benchmarks we track. * heap/CopiedSpace.cpp: (JSC::CopiedSpace::getFreshBlock): Shuffle the request from the BlockAllocator around so that we only do it if the block request must succeed i.e. after we've already checked whether we should do a collection. * heap/MarkedAllocator.cpp: (JSC::MarkedAllocator::allocateSlowCase): Ditto. (JSC::MarkedAllocator::allocateBlock): We no longer have a failure mode in this function because by the time we've called it, we've already checked whether we should run a collection so there's no point in returning null. * heap/MarkedAllocator.h: Removing old arguments from function declaration. (MarkedAllocator): 2012-05-15 Lucas Forschler Merge 116372 2012-05-07 Oliver Hunt Rolling out r110287 RS=Filip Pizlo r110287 was meant to be refactoring only, but changed behavior enough to break some websites, including qq.com. 2012-05-15 Lucas Forschler Merge 116363 2012-05-07 Oliver Hunt Fix release build. * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): 2012-05-15 Lucas Forschler Merge 116361 2012-05-07 Oliver Hunt LLInt doesn't check for Ropes when performing a character switch https://bugs.webkit.org/show_bug.cgi?id=85837 Reviewed by Filip Pizlo. Make LLint check if the scrutinee of a char switch is a rope, and if so fall back to a slow case. * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): (LLInt): * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: 2012-05-15 Lucas Forschler Merge 116367 2012-05-07 Andy Estes ENABLE_IFRAME_SEAMLESS should be part of FEATURE_DEFINES. * Configurations/FeatureDefines.xcconfig: 2012-05-15 Lucas Forschler Merge 116356 2012-05-07 Eric Seidel Add ENABLE_IFRAME_SEAMLESS so Apple can turn off SEAMLESS if needed https://bugs.webkit.org/show_bug.cgi?id=85822 Reviewed by Adam Barth. * Configurations/FeatureDefines.xcconfig: 2012-05-04 Filip Pizlo DFG should not Flush GetLocal's https://bugs.webkit.org/show_bug.cgi?id=85663 Reviewed by Oliver Hunt. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::flushArgument): (JSC::DFG::ByteCodeParser::handleCall): 2012-05-04 Allan Sandfeld Jensen Doesn't build with ENABLE_JIT=0 https://bugs.webkit.org/show_bug.cgi?id=85042 Reviewed by Gavin Barraclough. * bytecode/Operands.h: 2012-05-03 Oliver Hunt Regression(r114702): Clobbering the caller frame register before we've stored it. https://bugs.webkit.org/show_bug.cgi?id=85564 Reviewed by Filip Pizlo. Don't use t0 as a temporary, when we're about to use the value in t0. * llint/LowLevelInterpreter32_64.asm: 2012-05-03 Mark Hahnenberg Removing remainder of accidental printfs. * heap/Heap.cpp: (JSC::Heap::collect): 2012-05-03 Andy Estes If you add printf()s to your garbage collector, the layout tests are gonna have a bad time. * runtime/GCActivityCallbackCF.cpp: (JSC::DefaultGCActivityCallbackPlatformData::timerDidFire): 2012-05-03 Mark Hahnenberg Heap::reportAbandonedObjectGraph should not hasten an allocation-triggered collection https://bugs.webkit.org/show_bug.cgi?id=85543 Reviewed by Filip Pizlo. Currently reportAbandonedObjectGraph causes the Heap to think it is closer to its allocation limit for the current cycle, thus hastening an allocation-triggered collection. In reality, it should just affect the opportunistic GC timer. We should track the bytes we think have been abandoned and the bytes that have been allocated separately. * heap/Heap.cpp: Added a new field m_abandonedBytes to Heap to keep track of how much we think we've abandoned. (JSC::Heap::Heap): (JSC::Heap::reportAbandonedObjectGraph): (JSC): (JSC::Heap::didAbandon): Added this function for reportAbandonedObjectGraph to call rather than didAllocate. Works the same as didAllocate, but modifies bytes abandoned rather than bytes allocated. Also notifies the timer, summing the two values together. (JSC::Heap::collect): (JSC::Heap::didAllocate): Now adds the bytes allocated and bytes abandoned when reporting to GCActivityCallback. * heap/Heap.h: (Heap): 2012-05-02 Eric Seidel Sort ENABLE_ defines in FeatureDefines.xcconfig files to make them easier to compare with one another (and easier to autogenerate) https://bugs.webkit.org/show_bug.cgi?id=85433 Reviewed by Adam Barth. I have a script which can autogenerate these xcconfig files as well as the vsprops files (and soon the Chromium, cmake, gnumake and qmake) feature lists from a central feature list file. In preparation for posting such a tool, I'm re-sorting these xcconfig files to be alphabetically ordered (currently they're close, but not quite). There is also at least one inconsistency between these files (CSS_LEGACY_PREFIXES) which I will fix in a second pass. I will also sort the FEATURE_DEFINES = line in a follow-up patch. * Configurations/FeatureDefines.xcconfig: 2012-05-02 Hojong Han ARM_TRADITIONAL build fix https://bugs.webkit.org/show_bug.cgi?id=85358 Reviewed by Gavin Barraclough. * assembler/MacroAssemblerARM.h: (JSC::MacroAssemblerARM::lshift32): (MacroAssemblerARM): (JSC::MacroAssemblerARM::or32): (JSC::MacroAssemblerARM::urshift32): (JSC::MacroAssemblerARM::xor32): (JSC::MacroAssemblerARM::branchSub32): 2012-05-02 Mark Hahnenberg Opportunistic GC should give up if the Heap is paged out https://bugs.webkit.org/show_bug.cgi?id=85411 Reviewed by Filip Pizlo. Opportunistic GC is punishing us severely in limited memory situations because its assumptions about how much time a collection will take are way out of whack when the Heap has been paged out by the OS. We should add a simple detection function to the Heap that detects if its is paged out. It will do this by iterating each block of both the MarkedSpace and CopiedSpace. If that operation takes longer than a fixed amount of time (e.g. 100ms), the function returns true. This function will only be run prior to an opportunistic collection (i.e. it will not run during our normal allocation-triggered collections). In my tests, steady state was drastically improved in high memory pressure situations (i.e. the browser was still usable, significant reduction in SPODs). Occasionally, a normal GC would be triggered due to pages doing things in the background, which would cause a significant pause. As we close pages we now cause normal collections rather than full collections, which prevents us from collecting all of the dead memory immediately. One nice way to deal with this issue might be to do incremental sweeping. * heap/CopiedSpace.cpp: (JSC::isBlockListPagedOut): Helper function to reduce code duplication when iterating over to-space, from-space, and the oversize blocks. (JSC): (JSC::CopiedSpace::isPagedOut): Tries to determine whether or not CopiedSpace is paged out by iterating all of the blocks. * heap/CopiedSpace.h: (CopiedSpace): * heap/Heap.cpp: (JSC::Heap::isPagedOut): Tries to determine whether the Heap is paged out by asking the MarkedSpace and CopiedSpace if they are paged out. (JSC): * heap/Heap.h: (Heap): (JSC::Heap::increaseLastGCLength): Added this so that the GC timer can linearly back off each time it determines that the Heap is paged out. * heap/MarkedAllocator.cpp: (JSC::MarkedAllocator::isPagedOut): Tries to determine if this particular MarkedAllocator's list of blocks are paged out. (JSC): * heap/MarkedAllocator.h: (MarkedAllocator): * heap/MarkedSpace.cpp: (JSC::MarkedSpace::isPagedOut): For each MarkedAllocator, check to see if they're paged out. * heap/MarkedSpace.h: (MarkedSpace): * runtime/GCActivityCallback.cpp: (JSC::DefaultGCActivityCallback::cancel): (JSC): * runtime/GCActivityCallback.h: (JSC::GCActivityCallback::cancel): (DefaultGCActivityCallback): * runtime/GCActivityCallbackCF.cpp: Added a constant of 100ms for the timeout in determining whether the Heap is paged out or not. (JSC): (JSC::DefaultGCActivityCallbackPlatformData::timerDidFire): Added the check to see if we should attempt a collection based on whether or not we can iterate the blocks of the Heap in 100ms. If we can't, we cancel the timer and tell the Heap we just wasted 100ms more trying to do a collection. This gives us a nice linear backoff so we're not constantly re-trying in steady state paged-out-ness. (JSC::DefaultGCActivityCallback::cancel): Added this function which, while currently doing exactly the same thing as willCollect, is more obvious as to what it's doing when we call it in timerDidFire. 2012-05-02 Yong Li Fix GCC X86 build error https://bugs.webkit.org/show_bug.cgi?id=85379 Reviewed by Rob Buis. Always explicitly claim ".text" to make sure functions defined with inline assembly will be created in the correct section. * dfg/DFGOperations.cpp: (JSC): 2012-05-02 Oliver Hunt Unreviewed, rolling out r115388. http://trac.webkit.org/changeset/115388 https://bugs.webkit.org/show_bug.cgi?id=85011 This caused many weird performance problems, and needs to be landed in pieces. * dfg/DFGOperations.cpp: * heap/Heap.cpp: (JSC::Heap::getConservativeRegisterRoots): (JSC::Heap::markRoots): * interpreter/CallFrame.cpp: (JSC::CallFrame::dumpCaller): (JSC): * interpreter/CallFrame.h: (JSC::ExecState::init): (ExecState): * interpreter/Interpreter.cpp: (JSC::Interpreter::execute): (JSC::Interpreter::executeCall): (JSC::Interpreter::executeConstruct): (JSC::Interpreter::prepareForRepeatCall): (JSC::Interpreter::privateExecute): * interpreter/Interpreter.h: (JSC::Interpreter::execute): * interpreter/RegisterFile.cpp: (JSC::RegisterFile::growSlowCase): (JSC::RegisterFile::gatherConservativeRoots): * interpreter/RegisterFile.h: (JSC::RegisterFile::end): (JSC::RegisterFile::size): (JSC::RegisterFile::addressOfEnd): (RegisterFile): (JSC::RegisterFile::RegisterFile): (JSC::RegisterFile::shrink): (JSC::RegisterFile::grow): * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): (JSC::jitCompileFor): (JSC::lazyLinkFor): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): (JSC::LLInt::handleHostCall): * llint/LowLevelInterpreter.asm: * runtime/CommonSlowPaths.h: (JSC::CommonSlowPaths::arityCheckFor): 2012-05-01 Oliver Hunt Physijs demo crashes due to DFG not updating topCallFrame correctly. https://bugs.webkit.org/show_bug.cgi?id=85311 Reviewed by Filip Pizlo. A few of the dfg operations failed to correctly set the topCallFrame, and so everything goes wrong. This patch corrects the effected operations, and makes debug builds poison topCallFrame before calling a dfg operation. * dfg/DFGOperations.cpp: (JSC::DFG::putByVal): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::callOperation): (SpeculativeJIT): (JSC::DFG::SpeculativeJIT::prepareForExternalCall): (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck): (JSC::DFG::SpeculativeJIT::appendCallSetResult): 2012-04-30 Gavin Barraclough Should be able to use YARR JIT without the JS language JIT https://bugs.webkit.org/show_bug.cgi?id=85252 Reviewed by Geoff Garen. Need to split canUseRegExpJIT out of canUseJIT. * runtime/JSGlobalData.cpp: (JSC): (JSC::useJIT): (JSC::JSGlobalData::JSGlobalData): - replace m_canUseJIT with m_canUseAssembler * runtime/JSGlobalData.h: (JSGlobalData): (JSC::JSGlobalData::canUseRegExpJIT): - Added canUseRegExpJIT, distinct from canUseJIT. * runtime/RegExp.cpp: (JSC::RegExp::compile): (JSC::RegExp::compileMatchOnly): - Call canUseRegExpJIT instead of canUseJIT. 2012-04-30 Gavin Barraclough Should be able to build YARR JIT without the JS language JIT https://bugs.webkit.org/show_bug.cgi?id=85242 Reviewed by Michael Saboff. Some build macros are wrong. * assembler/RepatchBuffer.h: * jit/ExecutableAllocator.h: (JSC): * jit/JITExceptions.cpp: * runtime/InitializeThreading.cpp: (JSC::initializeThreadingOnce): 2012-04-26 Gavin Barraclough Arguments object resets attributes on redefinition of a parameter https://bugs.webkit.org/show_bug.cgi?id=84994 Rubber stamped by Oliver Hunt. There is a bug that we always re-add the original property before redefinition, doing so in a way that will reset the attributes without checking configurability. * runtime/Arguments.cpp: (JSC::Arguments::defineOwnProperty): - Only instantiate the property once - do not re-add if it has already been added, or if it has been deleted. 2012-04-30 Ryosuke Niwa Remove an erroneous assertion after r115655. * runtime/NumberPrototype.cpp: (JSC::toUStringWithRadix): 2012-04-30 Myles Maxfield End of Interpreter::tryCacheGetByID can trigger the garbage collector https://bugs.webkit.org/show_bug.cgi?id=84927 Reviewed by Oliver Hunt. * interpreter/Interpreter.cpp: (JSC::Interpreter::tryCacheGetByID): 2012-04-30 Benjamin Poulain jsSingleCharacterString and jsSingleCharacterSubstring are not inlined https://bugs.webkit.org/show_bug.cgi?id=85147 Reviewed by Darin Adler. The functions jsSingleCharacterString() and jsSingleCharacterSubstring() were not inlined by the compiler. This annihilate the gains of using SmallStrings. On stringProtoFuncCharAt(), this patch improves the performance by 11%. * runtime/JSString.h: (JSC::jsSingleCharacterString): (JSC::jsSingleCharacterSubstring): 2012-04-30 Benjamin Poulain Add fast patch for radix == 10 on numberProtoFuncToString https://bugs.webkit.org/show_bug.cgi?id=85120 Reviewed by Darin Adler. When radix, we use to turn the doubleValue into a JSValue just to convert it to a String. The problem is that was using the slow path for conversion and for the toString() operation. This patch shortcuts the creation of a JSValue and uses NumericStrings directly. The conversion is split between Integer and Double to ensure the fastest conversion for the common case of integer arguments. Converting number with radix 10 becomes 5% faster. Due to the simpler conversion of number to string for integer, converting integers that do not fall in the two previous optimizations get 32% faster. * runtime/NumberPrototype.cpp: (JSC::extractRadixFromArgs): (JSC::integerValueToString): (JSC::numberProtoFuncToString): 2012-04-30 Carlos Garcia Campos Unreviewed. Fix make distcheck. * GNUmakefile.list.am: Add missing header. 2012-04-28 Geoffrey Garen Factored threaded block allocation into a separate object https://bugs.webkit.org/show_bug.cgi?id=85148 Reviewed by Sam Weinig. 99% of this patch just moves duplicated block allocation and deallocation code into a new object named BlockAllocator, with these exceptions: * heap/BlockAllocator.h: Added. (BlockAllocator::BlockAllocator): The order of declarations here now guards us against an unlikely race condition during startup. * heap/BlockAllocator.cpp: JSC::BlockAllocator::blockFreeingThreadMain): Added a FIXME to highlight a lack of clarity we have in our block deallocation routines. 2012-04-28 Sam Weinig Try to fix the Qt build. * heap/Heap.cpp: (JSC::Heap::lastChanceToFinalize): 2012-04-28 Geoffrey Garen Try to fix the Windows build. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: 2012-04-28 Geoffrey Garen Clarified JSGlobalData (JavaScript VM) lifetime https://bugs.webkit.org/show_bug.cgi?id=85142 Reviewed by Anders Carlsson. This was so confusing that I didn't feel like I could reason about memory lifetime in the heap without fixing it. The rules are: (1) JSGlobalData owns the virtual machine and all memory in it. (2) Deleting a JSGlobalData frees the virtual machine and all memory in it. (Caveat emptor: if you delete the virtual machine while you're running JIT code or accessing GC objects, you're gonna have a bad time.) (I opted not to make arbitrary sub-objects keep the virtual machine alive automatically because: (a) doing that right would be complex and slow; (b) in the case of an exiting thread or process, there's no clear way to give the garbage collector a chance to try again later; (c) continuing to run the garbage collector after we've been asked to shut down the virtual machine seems rude; (d) we've never really supported that feature, anyway.) (3) Normal ref-counting will do. No need to call a battery of specialty functions to tear down a JSGlobalData. Its foibles notwithstanding, C++ does in fact know how to execute destructors in order. * API/JSContextRef.cpp: (JSGlobalContextCreate): Removed compatibility shim for older operating systems because it's no longer used. (JSGlobalContextRelease): Now that we can rely on JSGlobalData to "do the right thing", this code is much simpler. We still have one special case to notify the garbage collector if we're removing the last reference to the global object, since this can improve memory behavior. * heap/CopiedSpace.cpp: (JSC::CopiedSpace::freeAllBlocks): * heap/CopiedSpace.h: (CopiedSpace): Renamed "destroy" => "freeAllBlocks" because true destruction-time behaviors should be limited to our C++ destructor. * heap/Heap.cpp: (JSC::Heap::~Heap): (JSC): (JSC::Heap::lastChanceToFinalize): * heap/Heap.h: (Heap): (JSC::Heap::heap): Renamed "destroy" => "lastChanceToFinalize" because true destruction-time behaviors should be limited to our C++ destructor. Reorganized the code, putting code that must run before any objects get torn down into lastChanceToFinalize, and code that just tears down objects into our destructor. * heap/Local.h: (JSC::LocalStack::LocalStack): (JSC::LocalStack::push): (LocalStack): See rule (2). * jsc.cpp: (functionQuit): (main): (printUsageStatement): (parseArguments): (jscmain): * testRegExp.cpp: (main): (printUsageStatement): (parseArguments): (realMain): See rule (3). I removed the feature of ensuring orderly tear-down when calling quit() or running in --help mode because it didn't seem very useful and making it work with Windows structured exception handling and NO_RETURN didn't seem like a fun way to spend a Saturday. * runtime/JSGlobalData.h: * runtime/JSGlobalData.cpp: (JSC::JSGlobalData::JSGlobalData): Moved heap to be the first data member in JSGlobalData to ensure that it's destructed last, so other objects that reference it destruct without crashing. This allowed me to remove clearBuiltinStructures() altogether, and helped guarantee rule (3). (JSC::JSGlobalData::~JSGlobalData): Explicitly call lastChanceToFinalize() at the head of our destructor to ensure that all pending finalizers run while the virtual machine is still in a valid state. Trying to resurrect (re-ref) the virtual machine at this point is not valid, but all other operations are. Changed a null to a 0xbbadbeef to clarify just how bad this beef is. * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): * runtime/JSGlobalObject.h: (JSGlobalObject): (JSC::JSGlobalObject::globalData): See rule (3). 2012-04-27 Geoffrey Garen Try to fix the Windows build. * heap/WeakBlock.h: (WeakBlock): 2012-04-27 Geoffrey Garen Made WeakSet::allocate() static and removed its JSGlobalData argument https://bugs.webkit.org/show_bug.cgi?id=85128 Reviewed by Anders Carlsson. This is a step toward faster finalization. WeakSet::allocate() now deduces which WeakSet to allocate from based on its JSCell* argument. (Currently, there's only one WeakSet, but soon there will be many.) This was a global replace of "globalData.heap.weakSet()->allocate" with "WeakSet::allocate", plus by-hand removal of the JSGlobalData argument. * heap/WeakSetInlines.h: Copied from Source/JavaScriptCore/heap/WeakSet.h. I had to split out WeakSet::allocate() in to a separate header to avoid a cycle. (JSC::WeakSet::allocate): We can mask the pointer we're passed to figure out where to allocate our WeakImpl. (Soon, we'll use this to associate the WeakImpl with the GC block it references.) 2012-04-27 Geoffrey Garen Stop using aligned allocation for WeakBlock https://bugs.webkit.org/show_bug.cgi?id=85124 Reviewed by Anders Carlsson. We don't actually use the alignment for anything. * heap/WeakBlock.cpp: (JSC::WeakBlock::create): (JSC::WeakBlock::WeakBlock): Switched from aligned allocation to regular allocation. * heap/WeakBlock.h: (WeakBlock): Don't use HeapBlock because HeapBlock requires aligned allocation. This change required me to add some declarations that we used to inherit from HeapBlock. (WeakBlock::blockFor): Removed. This function relied on aligned allocation but didn't do anything for us. (WeakBlock::deallocate): Removed. WeakBlock doesn't own any of the deallocation logic, so it shouldn't own the function. * heap/WeakSet.cpp: (JSC::WeakSet::~WeakSet): (JSC::WeakSet::finalizeAll): (JSC::WeakSet::visitLiveWeakImpls): (JSC::WeakSet::visitDeadWeakImpls): (JSC::WeakSet::sweep): (JSC::WeakSet::shrink): (JSC::WeakSet::resetAllocator): (JSC::WeakSet::tryFindAllocator): * heap/WeakSet.h: (WeakSet): Updated declarations to reflect WeakBlock not inheriting from HeapBlock. This allowed me to remove some casts, which was nice. (JSC::WeakSet::deallocate): Directly set the deallocated flag instead of asking WeakBlock to do it for us. We don't need to have a WeakBlock pointer to set the flag, so stop asking for one. 2012-04-27 Kentaro Hara [JSC] Implement a helper method createNotEnoughArgumentsError() https://bugs.webkit.org/show_bug.cgi?id=85102 Reviewed by Geoffrey Garen. In bug 84787, kbr@ requested to avoid hard-coding createTypeError(exec, "Not enough arguments") here and there. This patch implements createNotEnoughArgumentsError(exec) and uses it in JSC bindings. c.f. a corresponding bug for V8 bindings is bug 85097. * runtime/Error.cpp: (JSC::createNotEnoughArgumentsError): (JSC): * runtime/Error.h: (JSC): 2012-04-27 Geoffrey Garen Only allow non-null pointers in the WeakSet https://bugs.webkit.org/show_bug.cgi?id=85119 Reviewed by Darin Adler. This is a step toward more efficient finalization. No clients put non-pointers (JSValues) into Weak and PassWeak. Some clients put null pointers into Weak and PassWeak, but this is more efficient and straight-forward to model with a null in the Weak or PassWeak instead of allocating a WeakImpl just to hold null. * heap/PassWeak.h: (JSC): Removed the Unknown (JSValue) type of weak pointer because it's unused now. (PassWeak): Don't provide a default initializer for our JSCell* argument. This feature was only used in one place, and it was a bug. (JSC::::get): Don't check for a null stored inside our WeakImpl: that's not allowed anymore. (JSC::PassWeak::PassWeak): Handle null as a null WeakImpl instead of allocating a WeakImpl and storing null into it. * heap/Weak.h: (Weak): (JSC::::Weak): Same changes as in PassWeak. * heap/WeakBlock.cpp: (JSC::WeakBlock::visitLiveWeakImpls): (JSC::WeakBlock::visitDeadWeakImpls): Only non-null cells are valid in the WeakSet now, so no need to check for non-cells and null cell pointers. * heap/WeakImpl.h: (JSC::WeakImpl::WeakImpl): Only non-null cells are valid in the WeakSet now, so ASSERT that. 2012-04-27 Gavin Barraclough Math in JavaScript is inaccurate on iOS By defalut IEEE754 denormal support is disabled on iOS; turn it on. Reviewed by Filip Pizlo. * jsc.cpp: (main): - clear the appropriate bit in the fpscr. 2012-04-27 Michael Saboff Memory wasted in JSString for non-rope strings https://bugs.webkit.org/show_bug.cgi?id=84907 Reviewed by Geoffrey Garen. Split JSString into two classes, JSString as a base class that does not include the fibers of a Rope, and a subclass JSRopeString that has the rope functionality. Both classes "share" the same ClassInfo. Added a bool to JSString to indicate that the string was allocated as a JSRopeString to properly handle visiting the fiber children when the rope is resolved and the JSRopeString appears as a JSString. Didn't change the interface of JSString to require any JIT changes. As part of this change, removed "cellSize" from ClassInfo since both classes share the same ClassInfo, but have different sizes. The only use I could find for cellSize was an ASSERT in allocateCell(). This appears to be neutral on performance tests. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Changed JSString::resolveRope to JSRopeString::resolveRope * runtime/ClassInfo.h: (JSC): (ClassInfo): * runtime/JSCell.h: (JSC::allocateCell): * runtime/JSString.cpp: (JSC::JSRopeString::RopeBuilder::expand): (JSC::JSString::visitChildren): (JSC): (JSC::JSRopeString::visitFibers): (JSC::JSRopeString::resolveRope): (JSC::JSRopeString::resolveRopeSlowCase8): (JSC::JSRopeString::resolveRopeSlowCase): (JSC::JSRopeString::outOfMemory): (JSC::JSRopeString::getIndexSlowCase): * runtime/JSString.h: (JSC): (JSString): (JSC::JSString::finishCreation): (JSC::JSString::create): (JSC::JSString::isRope): (JSC::JSString::is8Bit): (JSRopeString): (RopeBuilder): (JSC::JSRopeString::RopeBuilder::RopeBuilder): (JSC::JSRopeString::RopeBuilder::append): (JSC::JSRopeString::RopeBuilder::release): (JSC::JSRopeString::RopeBuilder::length): (JSC::JSRopeString::JSRopeString): (JSC::JSRopeString::finishCreation): (JSC::JSRopeString::createNull): (JSC::JSRopeString::create): (JSC::JSString::value): (JSC::JSString::tryGetValue): (JSC::JSString::getIndex): (JSC::jsStringBuilder): * runtime/Operations.h: (JSC::jsString): (JSC::jsStringFromArguments): 2012-04-27 Oliver Hunt Correct assertion. * interpreter/Interpreter.cpp: (JSC::Interpreter::throwException): 2012-04-27 Oliver Hunt Lazy link phase of baseline jit fails to propagate exception https://bugs.webkit.org/show_bug.cgi?id=85092 Reviewed by Filip Pizlo. Very simple patch, when linking produces an error we need to actually store the exception prior to throwing it. I can't find any other examples of this, but as we're already in the slow path when throwing an exception I've hardened exception throwing against null exceptions. * interpreter/Interpreter.cpp: (JSC::Interpreter::throwException): * jit/JITStubs.cpp: (JSC::lazyLinkFor): 2012-04-27 Benjamin Poulain Generalize the single character optimization of numberProtoFuncToString https://bugs.webkit.org/show_bug.cgi?id=85027 Reviewed by Geoffrey Garen. The function numberProtoFuncToString() has an optimization to use SmallStrings::singleCharacterString() when the radix is 36. This patch generalize the optimization for any radix. Any positive number smaller than its radix can be represented by a single character of radixDigits. This makes numberProtoFuncToString() about twice as fast for this case of single digit conversion. * runtime/NumberPrototype.cpp: (JSC::numberProtoFuncToString): 2012-04-27 Gavin Peters Add new ENABLE_LINK_PRERENDER define to control the Prerendering API https://bugs.webkit.org/show_bug.cgi?id=84871 Reviewed by Adam Barth. Prerendering is currently covered by the ENABLE_LINK_PREFETCH macro, but the new Prerendering API separates it from prefetching. Having separate include guards lets ports enable prefetching, a relatively easy change, without needing to build the infrastructure for prerendering, which is considerably more complicated. * Configurations/FeatureDefines.xcconfig: 2012-04-26 Oliver Hunt Allocating WeakImpl should not trigger GC, as that makes the world very tricksy. https://bugs.webkit.org/show_bug.cgi?id=85020 Reviewed by Gavin Barraclough. Now in the event that we are unable to find an allocator for a new handle, just add a new allocator rather than trying to recover "dead" handles through a GC. Find allocator is now much simpler, and addAllocator directly reports the increased memory usage to the heap without causing any GC to happen immediately. * heap/WeakSet.cpp: (JSC::WeakSet::findAllocator): (JSC::WeakSet::addAllocator): 2012-04-26 Oliver Hunt Remove RegisterFile::end()/m_end https://bugs.webkit.org/show_bug.cgi?id=85011 Reviewed by Gavin Barraclough. Get rid of end() and m_end from RegisterFile. From now on we only care about the end of the committed region when calling code. When re-entering the VM we now plant the new CallFrame immediately after whatever the current topCallFrame is. This required adding a routine to CallFrame to determine exactly what we should be doing (in the absence of an existing CallFrame, we can't reason about the frameExtent() so we check for that). This also now means that the GC only marks the portion of the RegisterFile that is actually in use, and that VM re-entry doesn't exhaust the RegisterFile as rapidly. * dfg/DFGOperations.cpp: * heap/Heap.cpp: (JSC::Heap::getConservativeRegisterRoots): (JSC::Heap::markRoots): * interpreter/CallFrame.h: (JSC::ExecState::init): (JSC::ExecState::startOfReusableRegisterFile): (ExecState): * interpreter/Interpreter.cpp: (JSC::Interpreter::execute): (JSC::Interpreter::executeCall): (JSC::Interpreter::executeConstruct): (JSC::Interpreter::prepareForRepeatCall): (JSC::Interpreter::privateExecute): * interpreter/Interpreter.h: (JSC::Interpreter::execute): * interpreter/RegisterFile.cpp: (JSC::RegisterFile::growSlowCase): (JSC::RegisterFile::gatherConservativeRoots): * interpreter/RegisterFile.h: (JSC::RegisterFile::commitEnd): (JSC::RegisterFile::addressOfEnd): (RegisterFile): (JSC::RegisterFile::RegisterFile): (JSC::RegisterFile::shrink): (JSC::RegisterFile::grow): * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): (JSC::jitCompileFor): (JSC::lazyLinkFor): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): (JSC::LLInt::handleHostCall): * llint/LowLevelInterpreter.asm: * runtime/CommonSlowPaths.h: (JSC::CommonSlowPaths::arityCheckFor): 2012-04-26 Filip Pizlo DFG ARMv7 backend should optimize Float32 arrays https://bugs.webkit.org/show_bug.cgi?id=85000 Reviewed by Gavin Barraclough. * assembler/ARMv7Assembler.h: (ARMv7Assembler): (JSC::ARMv7Assembler::flds): (JSC::ARMv7Assembler::fsts): (JSC::ARMv7Assembler::vcvtds): (JSC::ARMv7Assembler::vcvtsd): * assembler/MacroAssemblerARMv7.h: (JSC::MacroAssemblerARMv7::loadFloat): (MacroAssemblerARMv7): (JSC::MacroAssemblerARMv7::storeFloat): (JSC::MacroAssemblerARMv7::convertFloatToDouble): (JSC::MacroAssemblerARMv7::convertDoubleToFloat): * bytecode/PredictedType.h: (JSC::isActionableFloatMutableArrayPrediction): * dfg/DFGNode.h: (JSC::DFG::Node::shouldSpeculateFloat32Array): 2012-04-25 Benjamin Poulain Add a version of StringImpl::find() without offset https://bugs.webkit.org/show_bug.cgi?id=83968 Reviewed by Sam Weinig. Add support for the new StringImpl::find() to UString. Change stringProtoFuncIndexOf() to specifically take advatage of the feature. This gives a 12% gains on a distribution of strings between 30 and 100 characters. * runtime/StringPrototype.cpp: (JSC::substituteBackreferences): (JSC::stringProtoFuncIndexOf): * runtime/UString.h: (UString): (JSC::UString::find): 2012-04-25 Mark Hahnenberg WebCore shouldn't call collectAllGarbage directly https://bugs.webkit.org/show_bug.cgi?id=84897 Reviewed by Geoffrey Garen. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Exported symbol for reportAbanondedObjectGraph so WebCore can use it. * heap/Heap.h: Ditto. 2012-04-25 Oliver Hunt Biolab disaster crashes on ToT https://bugs.webkit.org/show_bug.cgi?id=84898 Reviewed by Filip Pizlo. Whoops, committed without saving reviewer requested change. * dfg/DFGVirtualRegisterAllocationPhase.cpp: (JSC::DFG::VirtualRegisterAllocationPhase::run): 2012-04-25 Oliver Hunt Biolab disaster crashes on ToT https://bugs.webkit.org/show_bug.cgi?id=84898 Reviewed by Filip Pizlo. I recently added an assertion to the Interpreter to catch incorrect updates of topCallFrame. This caused a bunch of sites (including biolab disaster) to crash as we were not correctly handling callee registers of inlined functions, leading to a mismatch. I could not actually make this trigger directly, although it does trigger already on some of the GTK and QT bots. * dfg/DFGVirtualRegisterAllocationPhase.cpp: (JSC::DFG::VirtualRegisterAllocationPhase::run): 2012-04-25 Kenneth Russell Delete CanvasPixelArray, ByteArray, JSByteArray and JSC code once unreferenced https://bugs.webkit.org/show_bug.cgi?id=83655 Reviewed by Oliver Hunt. * CMakeLists.txt: * GNUmakefile.list.am: * JavaScriptCore.gypi: * JavaScriptCore.order: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: * JavaScriptCore.xcodeproj/project.pbxproj: * Target.pri: * bytecode/PredictedType.cpp: (JSC::predictionToString): (JSC::predictionToAbbreviatedString): (JSC::predictionFromClassInfo): * bytecode/PredictedType.h: (JSC): (JSC::isActionableIntMutableArrayPrediction): * dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::initialize): (JSC::DFG::AbstractState::execute): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::performNodeCSE): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGNode.h: * dfg/DFGNodeType.h: (DFG): * dfg/DFGOperations.cpp: (JSC::DFG::putByVal): * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::checkArgumentTypes): (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::ValueSource::forPrediction): (SpeculativeJIT): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * interpreter/Interpreter.cpp: (JSC::Interpreter::privateExecute): * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): * jit/JITStubs.h: * llint/LLIntSlowPaths.cpp: (JSC::LLInt::getByVal): (JSC::LLInt::LLINT_SLOW_PATH_DECL): * runtime/JSByteArray.cpp: Removed. * runtime/JSByteArray.h: Removed. * runtime/JSGlobalData.cpp: 2012-04-25 Filip Pizlo http://bellard.org/jslinux/ triggers an assertion failure in the DFG JIT https://bugs.webkit.org/show_bug.cgi?id=84815 Reviewed by Gavin Barraclough. * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck): 2012-04-25 Michael Saboff Closure in try {} with catch captures all locals from the enclosing function https://bugs.webkit.org/show_bug.cgi?id=84804 Reviewed by Oliver Hunt. Changed the capturing of local variables from capturing when eval is used, within a "with" or within a "catch" to be just when an eval is used. Renamed the function returning that we should capture from getCapturedVariables() to usesEval(), since that what it noew returns. Needed to fix the "with" code to only range check when the activation has actually been torn off. Added m_isTornOff to JSActivation to track this. * parser/Parser.h: (JSC::Scope::usesEval): (JSC::Scope::getCapturedVariables): * runtime/JSActivation.cpp: (JSC::JSActivation::JSActivation): (JSC::JSActivation::symbolTableGet): (JSC::JSActivation::symbolTablePut): * runtime/JSActivation.h: (JSActivation): (JSC::JSActivation::tearOff): 2012-04-24 Mark Hahnenberg GC Activity Callback timer should be based on how much has been allocated since the last collection https://bugs.webkit.org/show_bug.cgi?id=84763 Reviewed by Geoffrey Garen. The desired behavior for the GC timer is to collect at some point in the future, regardless of how little we've allocated. A secondary goal, which is almost if not as important, is for the timer to collect sooner if there is the potential to collect a greater amount of memory. Conversely, as we allocate more memory we'd like to reduce the delay to the next collection. If we're allocating quickly enough, the timer should be preempted in favor of a normal allocation-triggered collection. If allocation were to slow or stop, we'd like the timer to be able to opportunistically run a collection without us having to allocate to the hard limit set by the Heap. This type of policy can be described in terms of the amount of CPU we are willing to dedicate to reclaim a single MB of memory. For example, we might be willing to dedicate 1% of our CPU to reclaim 1 MB. We base our CPU usage off of the length of the last collection, e.g. if our last collection took 1ms, we would want to wait about 100ms before running another collection to reclaim 1 MB. These constants should be tune-able, e.g. 0.1% CPU = 1 MB vs. 1% CPU = 1 MB vs. 10% CPU = 1 MB. * API/JSBase.cpp: Use the new reportAbandonedObjectGraph. (JSGarbageCollect): * API/JSContextRef.cpp: Ditto. * heap/Heap.cpp: (JSC::Heap::Heap): (JSC::Heap::reportAbandonedObjectGraph): Similar to reportExtraMemoryCost. Clients call this function to notify the Heap that some unknown number of JSC objects might have just been abandoned and are now garbage. The Heap might schedule a new collection timer based on this notification. (JSC): (JSC::Heap::collect): Renamed m_lastFullGCSize to the less confusing m_sizeAfterLastCollect. * heap/Heap.h: (Heap): * heap/MarkedAllocator.h: (JSC::MarkedAllocator::zapFreeList): Fixed a bug in zapFreeList that failed to nullify the current allocator's FreeList once zapping was complete. * runtime/GCActivityCallback.cpp: Removed didAbandonObjectGraph because it was replaced by Heap::reportAbandonedObjectGraph. (JSC): * runtime/GCActivityCallback.h: (JSC::GCActivityCallback::willCollect): (DefaultGCActivityCallback): * runtime/GCActivityCallbackCF.cpp: Refactored the GC timer code so that we now schedule the timer based on how much we have allocated since the last collection up to a certain amount. We use the length of the previous GC to try to keep our total cost of opportunistic timer-triggered collections around 1% of the CPU per MB of garbage we expect to reclaim up to a maximum of 5 MB. (DefaultGCActivityCallbackPlatformData): (JSC): (JSC::DefaultGCActivityCallback::~DefaultGCActivityCallback): (JSC::DefaultGCActivityCallback::commonConstructor): (JSC::scheduleTimer): (JSC::cancelTimer): (JSC::DefaultGCActivityCallback::didAllocate): 2012-04-24 Michael Saboff objectProtoFuncToString creates new string every invocation https://bugs.webkit.org/show_bug.cgi?id=84781 Reviewed by Geoffrey Garen. Cache the results of object toString() in the attached Structure. * runtime/ObjectPrototype.cpp: (JSC::objectProtoFuncToString): * runtime/Structure.cpp: (JSC::Structure::visitChildren): visit new m_hasObjectToStringValue. * runtime/Structure.h: Added new member m_hasObjectToStringValue (JSC): (JSC::Structure::objectToStringValue): (Structure): (JSC::Structure::setObjectToStringValue): 2012-04-24 Thouraya ANDOLSI Reviewed by Oliver Hunt. https://bugs.webkit.org/show_bug.cgi?id=84727. Fix build when ENABLE_JIT_CONSTANT_BLINDING enabled. * assembler/MacroAssemblerSH4.h: (JSC::MacroAssemblerSH4::or32): (JSC::MacroAssemblerSH4::and32): (JSC::MacroAssemblerSH4::lshift32): (JSC::MacroAssemblerSH4::xor32): (JSC::MacroAssemblerSH4::branchSub32): (JSC::MacroAssemblerSH4::urshift32): 2012-04-24 Gavin Barraclough Add explicit patchableBranchPtrWithPatch/patchableJump methods https://bugs.webkit.org/show_bug.cgi?id=84498 Reviewed by Filip Pizlo. Don't rely on inUninterruptedSequence to distinguish which jumps we need to be able to repatch. * assembler/AbstractMacroAssembler.h: (JSC::AbstractMacroAssembler::PatchableJump::PatchableJump): (PatchableJump): (JSC::AbstractMacroAssembler::PatchableJump::operator Jump&): (AbstractMacroAssembler): (JSC::AbstractMacroAssembler::AbstractMacroAssembler): - Added PatchableJump type, removed inUninterruptedSequence. * assembler/LinkBuffer.h: (LinkBuffer): (JSC::LinkBuffer::locationOf): - Only allow the location to be taken of patchable branches * assembler/MacroAssembler.h: (MacroAssembler): (JSC::MacroAssembler::patchableBranchPtrWithPatch): (JSC::MacroAssembler::patchableJump): (JSC::MacroAssembler::shouldBlind): - Added default implementation of patchableBranchPtrWithPatch, patchableJump. * assembler/MacroAssemblerARMv7.h: (JSC::MacroAssemblerARMv7::MacroAssemblerARMv7): (MacroAssemblerARMv7): (JSC::MacroAssemblerARMv7::patchableBranchPtrWithPatch): (JSC::MacroAssemblerARMv7::patchableJump): (JSC::MacroAssemblerARMv7::jump): (JSC::MacroAssemblerARMv7::makeBranch): - Added ARMv7 implementation of patchableBranchPtrWithPatch, patchableJump. * dfg/DFGCorrectableJumpPoint.h: (DFG): (JSC::DFG::CorrectableJumpPoint::switchToLateJump): - Late jumps are PatchableJumps. * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::linkOSRExits): - replace use of inUninterruptedSequence * dfg/DFGJITCompiler.h: (JSC::DFG::PropertyAccessRecord::PropertyAccessRecord): (PropertyAccessRecord): - replace use of inUninterruptedSequence * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::cachedGetById): (JSC::DFG::SpeculativeJIT::cachedPutById): - replace use of inUninterruptedSequence * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::cachedGetById): (JSC::DFG::SpeculativeJIT::cachedPutById): - replace use of inUninterruptedSequence * jit/JIT.h: (PropertyStubCompilationInfo): - replace use of inUninterruptedSequence * jit/JITInlineMethods.h: (JSC::JIT::beginUninterruptedSequence): (JSC::JIT::endUninterruptedSequence): - replace use of inUninterruptedSequence * jit/JITPropertyAccess.cpp: (JSC::JIT::compileGetByIdHotPath): - replace use of inUninterruptedSequence * jit/JITPropertyAccess32_64.cpp: (JSC::JIT::compileGetByIdHotPath): - replace use of inUninterruptedSequence 2012-04-24 Benjamin Poulain Generalize the single character optimization of r114072 https://bugs.webkit.org/show_bug.cgi?id=83961 Reviewed by Eric Seidel. Use the regular String::find(StringImpl*) in all cases now that it has been made faster. * runtime/StringPrototype.cpp: (JSC::replaceUsingStringSearch): 2012-04-24 Filip Pizlo Unreviewed, 32-bit build fix. * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): 2012-04-24 Filip Pizlo DFG performs incorrect DCE on (some?) intrinsics https://bugs.webkit.org/show_bug.cgi?id=84746 Reviewed by Oliver Hunt. * dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::execute): * dfg/DFGByteCodeParser.cpp: (ByteCodeParser): (JSC::DFG::ByteCodeParser::setIntrinsicResult): (JSC::DFG::ByteCodeParser::handleMinMax): (JSC::DFG::ByteCodeParser::handleIntrinsic): * dfg/DFGNodeType.h: (DFG): * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): 2012-04-24 Mark Hahnenberg Failure to allocate ArrayStorage in emit_op_new_array leads to poisonous JSArray https://bugs.webkit.org/show_bug.cgi?id=84648 Reviewed by Geoffrey Garen. When emit_op_new_array successfully allocates a new JSArray but fails to allocate the corresponding ArrayStorage for it, it falls back to the out-of-line stub call to constructArray, which constructs and entirely new JSArray/ArrayStorage pair. This leaves us with a JSArray hanging around on the stack or in a register that did not go through its own constructor, thus giving it uninitialized memory in the two fields that are checked in JSArray::visitChildren. * jit/JITInlineMethods.h: (JSC::JIT::emitAllocateJSArray): We try to allocate the ArrayStorage first, so that if we fail we haven't generated the poisonous JSArray that can cause a GC crash. * jit/JITOpcodes.cpp: (JSC::JIT::emitSlow_op_new_array): 2012-04-23 Filip Pizlo DFG on ARMv7 should not OSR exit on every integer division https://bugs.webkit.org/show_bug.cgi?id=84661 Reviewed by Oliver Hunt. On ARMv7, ArithDiv no longer has to know whether or not to speculate integer (since that was broken with the introduction of Int32ToDouble) nor does it have to know whether or not to convert its result to integer. This is now taken care of for free with the addition of the DoubleAsInt32 node, which represents a double-is-really-int speculation. * dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::execute): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::performNodeCSE): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGNodeType.h: (DFG): * dfg/DFGOSRExit.cpp: (JSC::DFG::OSRExit::OSRExit): (JSC::DFG::OSRExit::considerAddingAsFrequentExitSiteSlow): * dfg/DFGOSRExit.h: (OSRExit): * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor): (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32): (DFG): * dfg/DFGSpeculativeJIT.h: (SpeculativeJIT): (JSC::DFG::SpeculativeJIT::speculationCheck): (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): 2012-04-24 Geoffrey Garen "GlobalHandle" HandleHeap (now WeakSet) allocations grow but do not shrink https://bugs.webkit.org/show_bug.cgi?id=84740 Reviewed by Gavin Barraclough. Shrink! * heap/Heap.cpp: (JSC::Heap::destroy): Be more specific about what's shrinking, since we can also shrink the WeakSet, but we don't do so here. (JSC::Heap::collect): If we're going to shrink the heap, shrink the WeakSet too. Otherwise, its footprint is permanent. * heap/Heap.h: (Heap): Removed shrink() as a public interface, since it's vague about which parts of the heap it affects, and it's really an internal detail. * heap/WeakSet.cpp: (JSC::WeakSet::shrink): Nix any free blocks. We assume that sweep() has already taken place, since that's the convention for shrink() in the heap. * heap/WeakSet.h: (WeakSet): New function! 2012-04-24 Adam Klein Fix includes in StrongInlines.h and ScriptValue.h https://bugs.webkit.org/show_bug.cgi?id=84659 Reviewed by Geoffrey Garen. * heap/StrongInlines.h: Include JSGlobalData.h, since JSGlobalData's definiition is required here. 2012-04-23 Filip Pizlo DFG OSR exit should ensure that all variables have been initialized https://bugs.webkit.org/show_bug.cgi?id=84653 Reviewed by Gavin Barraclough. Initialize all uncaptured dead variables to undefined on OSR exit. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::ValueSource::dump): (JSC::DFG::SpeculativeJIT::compile): (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor): * dfg/DFGSpeculativeJIT.h: 2012-04-23 Oliver Hunt Call instruction for the baseline JIT stores origin info in wrong callframe https://bugs.webkit.org/show_bug.cgi?id=84645 Reviewed by Gavin Barraclough. The baseline JIT was updating the wrong callframe when making a call. If the call failed during dispatch (unable to perform codegen, calling a non-object) we would attempt to use this information, but it would be completely wrong. * jit/JITCall.cpp: (JSC::JIT::compileOpCall): * jit/JITCall32_64.cpp: (JSC::JIT::compileOpCall): 2012-04-23 Filip Pizlo DFG must keep alive values that it will perform speculations on https://bugs.webkit.org/show_bug.cgi?id=84638 Reviewed by Oliver Hunt. * dfg/DFGNodeType.h: (DFG): 2012-04-23 Oliver Hunt Fix non-LLInt builds by temporarily removing an over-enthusiastic assertion * interpreter/Interpreter.cpp: (JSC::Interpreter::executeCall): 2012-04-22 Jon Lee Remove notifications support on Mac Lion. https://bugs.webkit.org/show_bug.cgi?id=84554 Reviewed by Sam Weinig. * Configurations/FeatureDefines.xcconfig: 2012-04-21 Darin Adler Change JavaScript lexer to use 0 instead of -1 for sentinel, eliminating the need to put characters into ints https://bugs.webkit.org/show_bug.cgi?id=84523 Reviewed by Oliver Hunt. Profiles showed that checks against -1 were costly, and I saw they could be eliminated. Streamlined this code to use standard character types and 0 rather than -1. One benefit of this is that there's no widening and narrowing. Another is that there are many cases where we already have the correct behavior for 0, so can eliminate a branch that was used to test for -1 before. Also eliminates typecasts in the code. * parser/Lexer.cpp: (JSC::Lexer::invalidCharacterMessage): Updated use of String::format since m_current is now a character type, not an int. (JSC::Lexer::setCode): Use 0 rather than -1 when past the end. (JSC::Lexer::shift): Ditto. Also spruced up the comment a bit. (JSC::Lexer::atEnd): Added. New function that distinguishes an actual 0 character from the end of the code. This can be used places we used to cheeck for -1. (JSC::Lexer::peek): Updated to use -1 instead of 0. Removed meaningless comment. (JSC::Lexer::parseFourDigitUnicodeHex): Changed to use character types instead of int. (JSC::Lexer::shiftLineTerminator): Removed now-unneeded type casts. Changed local variable that had a data-member-style name. (JSC::Lexer::parseIdentifier): Removed now-unneeded explicit checks for -1, since the isIdentPart function already returns false for the 0 character. Updated types in a couple other places. Used the atEnd function where needed. (JSC::Lexer::parseIdentifierSlowCase): More of the same. (JSC::characterRequiresParseStringSlowCase): Added overloaded helper function for parseString. (JSC::Lexer::parseString): Ditto. (JSC::Lexer::parseStringSlowCase): Ditto. (JSC::Lexer::parseMultilineComment): Ditto. (JSC::Lexer::lex): More of the same. Also changed code to set the startOffset directly in the tokenInfo instead of putting it in a local variable first, saving some memory access. (JSC::Lexer::scanRegExp): Ditto. (JSC::Lexer::skipRegExp): Ditto. * parser/Lexer.h: Changed return type of the peek function and type of m_current from int to the character type. Added atEnd function. (JSC::Lexer::setOffset): Used 0 instead of -1 and removed an overzealous attempt to optimize. (JSC::Lexer::lexExpectIdentifier): Used 0 instead of -1. 2012-04-21 Darin Adler Change JavaScript lexer to use 0 instead of -1 for sentinel, eliminating the need to put characters into ints https://bugs.webkit.org/show_bug.cgi?id=84523 Reviewed by Oliver Hunt. Separate preparation step of copyright dates, renaming, and other small tweaks. * parser/Lexer.cpp: (JSC::Lexer::invalidCharacterMessage): Removed "get" from name to match WebKit naming conventions. (JSC::Lexer::peek): Removed meaningless comment. (JSC::Lexer::parseFourDigitUnicodeHex): Renamed from getUnicodeCharacter to be more precise about what this function does. (JSC::Lexer::shiftLineTerminator): Renamed local variable that had a data-member-style name. (JSC::Lexer::parseStringSlowCase): Updated for new name of parseFourDigitUnicodeHex. (JSC::Lexer::lex): Updated for new name of invalidCharacterMessage. * parser/Lexer.h: Removed an unneeded forward declaration of the RegExp class. Renamed getInvalidCharMessage to invalidCharacterMessage and made it const. Renamed getUnicodeCharacter to parseFourDigitUnicodeHex. 2012-04-20 Filip Pizlo DFG should optimize int8 and int16 arrays on ARMv7 https://bugs.webkit.org/show_bug.cgi?id=84503 Reviewed by Oliver Hunt. * assembler/ARMv7Assembler.h: (ARMv7Assembler): (JSC::ARMv7Assembler::ldrsb): (JSC::ARMv7Assembler::ldrsh): * assembler/MacroAssemblerARMv7.h: (JSC::MacroAssemblerARMv7::load16Signed): (JSC::MacroAssemblerARMv7::load8Signed): * bytecode/PredictedType.h: (JSC::isActionableIntMutableArrayPrediction): * dfg/DFGNode.h: (JSC::DFG::Node::shouldSpeculateInt8Array): (JSC::DFG::Node::shouldSpeculateInt16Array): 2012-04-20 Oliver Hunt Add an ability to find the extent of a callframe https://bugs.webkit.org/show_bug.cgi?id=84513 Reviewed by Filip Pizlo. Add a function to get the extent of a callframe and use that function for a new assertion to make sure the RegisterFile makes sense using that information. * interpreter/CallFrame.cpp: (JSC::CallFrame::frameExtentInternal): (JSC): * interpreter/CallFrame.h: (JSC::ExecState::frameExtent): (ExecState): * interpreter/Interpreter.cpp: (JSC::Interpreter::executeCall): 2012-04-20 Benjamin Poulain Inline the JSArray constructor https://bugs.webkit.org/show_bug.cgi?id=84416 Reviewed by Geoffrey Garen. The constructor is trivial, no reason to jump for it. This makes the creation of array ~5% faster (on non-trivial cases, no empty arrays). * runtime/JSArray.cpp: (JSC): * runtime/JSArray.h: (JSC::JSArray::JSArray): * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: 2012-04-20 Mark Hahnenberg Heap should cancel GC timer at the start of the collection https://bugs.webkit.org/show_bug.cgi?id=84477 Reviewed by Geoffrey Garen. Currently the Heap cancels the GC timer at the conclusion of a collection. We should change this to be at the beginning because something (e.g. a finalizer) could call didAbandonObjectGraph(), which will schedule the timer, but then we'll immediately unschedule the timer at the conclusion of the collection, thus potentially preventing large swaths of memory from being reclaimed in a timely manner. * API/JSBase.cpp: (JSGarbageCollect): Remove outdated fix-me and remove check for whether the Heap is busy or not, since we're just scheduling a timer to run a GC in the future. * heap/Heap.cpp: (JSC::Heap::collect): Rename didCollect to willCollect and move the call to the top of Heap::collect. * runtime/GCActivityCallback.cpp: Renamed didCollect to willCollect. (JSC::DefaultGCActivityCallback::willCollect): * runtime/GCActivityCallback.h: Ditto. (JSC::GCActivityCallback::willCollect): (DefaultGCActivityCallback): * runtime/GCActivityCallbackCF.cpp: Ditto. (JSC::DefaultGCActivityCallback::willCollect): 2012-04-20 Mark Hahnenberg JSGarbageCollect should not call collectAllGarbage() https://bugs.webkit.org/show_bug.cgi?id=84476 Reviewed by Geoffrey Garen. * API/JSBase.cpp: (JSGarbageCollect): Notify the Heap's GCActivityCallback using didAbandonObjectGraph. 2012-04-19 Oliver Hunt Exception stack traces aren't complete when the exception starts in native code https://bugs.webkit.org/show_bug.cgi?id=84073 Reviewed by Filip Pizlo. Refactored building the stack trace to so that we can construct it earlier, and don't rely on any prior work performed in the exception handling machinery. Also updated LLInt and the DFG to completely initialise the callframes of host function calls. Also fixed a few LLInt paths that failed to correctly update the topCallFrame. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: * dfg/DFGJITCompiler.h: * dfg/DFGOperations.cpp: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::emitCall): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::emitCall): * interpreter/Interpreter.cpp: (JSC::eval): (JSC::Interpreter::getStackTrace): (JSC::Interpreter::addStackTraceIfNecessary): (JSC): (JSC::Interpreter::throwException): * interpreter/Interpreter.h: (Interpreter): * jit/JITCall.cpp: (JSC::JIT::compileOpCall): * jit/JITCall32_64.cpp: (JSC::JIT::compileOpCall): * jit/JITOpcodes.cpp: (JSC::JIT::privateCompileCTINativeCall): * jit/JITOpcodes32_64.cpp: (JSC::JIT::privateCompileCTINativeCall): * jsc.cpp: (functionJSCStack): * llint/LLIntExceptions.cpp: (JSC::LLInt::interpreterThrowInCaller): (JSC::LLInt::returnToThrow): (JSC::LLInt::callToThrow): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::handleHostCall): * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: * parser/Parser.h: (JSC::::parse): * runtime/Error.cpp: (JSC::addErrorInfo): (JSC::throwError): * runtime/Error.h: (JSC): 2012-04-19 Mark Hahnenberg We're collecting pathologically due to small allocations https://bugs.webkit.org/show_bug.cgi?id=84404 Reviewed by Geoffrey Garen. No change in performance on run-jsc-benchmarks. * dfg/DFGSpeculativeJIT.h: Replacing m_firstFreeCell with m_freeList. (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject): * heap/CopiedSpace.cpp: Getting rid of any water mark related stuff, since it's no longer useful. (JSC::CopiedSpace::CopiedSpace): (JSC::CopiedSpace::tryAllocateSlowCase): We now only call didAllocate here rather than carrying out a somewhat complicated accounting job for our old water mark throughout CopiedSpace. (JSC::CopiedSpace::tryAllocateOversize): Call the new didAllocate to notify the Heap of newly allocated stuff. (JSC::CopiedSpace::tryReallocateOversize): (JSC::CopiedSpace::doneFillingBlock): (JSC::CopiedSpace::doneCopying): (JSC::CopiedSpace::destroy): * heap/CopiedSpace.h: (CopiedSpace): * heap/CopiedSpaceInlineMethods.h: (JSC::CopiedSpace::startedCopying): * heap/Heap.cpp: Removed water mark related stuff, replaced with new bytesAllocated and bytesAllocatedLimit to track how much memory has been allocated since the last collection. (JSC::Heap::Heap): (JSC::Heap::reportExtraMemoryCostSlowCase): (JSC::Heap::collect): We now set the new limit of bytes that we can allocate before triggering a collection to be the size of the Heap after the previous collection. Thus, we still have our 2x allocation amount. (JSC::Heap::didAllocate): Notifies the GC activity timer of how many bytes have been allocated thus far and then adds the new number of bytes to the current total. (JSC): * heap/Heap.h: Removed water mark related stuff. (JSC::Heap::notifyIsSafeToCollect): (Heap): (JSC::Heap::shouldCollect): (JSC): * heap/MarkedAllocator.cpp: (JSC::MarkedAllocator::tryAllocateHelper): Refactored to use MarkedBlock's new FreeList struct. (JSC::MarkedAllocator::allocateSlowCase): (JSC::MarkedAllocator::addBlock): * heap/MarkedAllocator.h: (MarkedAllocator): (JSC::MarkedAllocator::MarkedAllocator): (JSC::MarkedAllocator::allocate): (JSC::MarkedAllocator::zapFreeList): Refactored to take in a FreeList instead of a FreeCell. * heap/MarkedBlock.cpp: (JSC::MarkedBlock::specializedSweep): (JSC::MarkedBlock::sweep): (JSC::MarkedBlock::sweepHelper): (JSC::MarkedBlock::zapFreeList): * heap/MarkedBlock.h: (FreeList): Added a new struct that keeps track of the current MarkedAllocator's free list including the number of bytes of stuff in the free list so that when the free list is exhausted, the correct amount can be reported to Heap. (MarkedBlock): (JSC::MarkedBlock::FreeList::FreeList): (JSC): * heap/MarkedSpace.cpp: Removing all water mark related stuff. (JSC::MarkedSpace::MarkedSpace): (JSC::MarkedSpace::resetAllocators): * heap/MarkedSpace.h: (MarkedSpace): (JSC): * heap/WeakSet.cpp: (JSC::WeakSet::findAllocator): Refactored to use the didAllocate interface with the Heap. This function still needs work though now that the Heap knows how many bytes have been allocated since the last collection. * jit/JITInlineMethods.h: Refactored to use MarkedBlock's new FreeList struct. (JSC::JIT::emitAllocateBasicJSObject): Ditto. * llint/LowLevelInterpreter.asm: Ditto. * runtime/GCActivityCallback.cpp: (JSC::DefaultGCActivityCallback::didAllocate): * runtime/GCActivityCallback.h: (JSC::GCActivityCallback::didAllocate): Renamed willAllocate to didAllocate to indicate that the allocation that is being reported has already taken place. (DefaultGCActivityCallback): * runtime/GCActivityCallbackCF.cpp: (JSC): (JSC::DefaultGCActivityCallback::didAllocate): Refactored to return early if the amount of allocation since the last collection is not above a threshold (initially arbitrarily chosen to be 128KB). 2012-04-19 Filip Pizlo MacroAssemblerARMv7::branchTruncateDoubleToUint32 should obey the overflow signal https://bugs.webkit.org/show_bug.cgi?id=84401 Reviewed by Gavin Barraclough. * assembler/MacroAssemblerARMv7.h: (JSC::MacroAssemblerARMv7::branchTruncateDoubleToUint32): 2012-04-19 Don Olmstead KeywordLookupGenerator.py should take an output file as an argument https://bugs.webkit.org/show_bug.cgi?id=84292 Reviewed by Eric Seidel. Extended KeywordLookupGenerator to accept an additional argument specifying an output file. If this argument is found stdout is redirected to a file for the duration of the script. * KeywordLookupGenerator.py: 2012-04-19 Filip Pizlo It should be possible to perform debugCall on ARMv7 https://bugs.webkit.org/show_bug.cgi?id=84381 Reviewed by Oliver Hunt. debugCall() was clobbering the argument to the call it was making, leading to a corrupt ExecState*. This change fixes that issue by using a scratch register that does not clobber arguments, and it also introduces more assertions that we have a valid call frame. * dfg/DFGAssemblyHelpers.cpp: (DFG): (JSC::DFG::AssemblyHelpers::jitAssertHasValidCallFrame): * dfg/DFGAssemblyHelpers.h: (JSC::DFG::AssemblyHelpers::selectScratchGPR): (AssemblyHelpers): (JSC::DFG::AssemblyHelpers::debugCall): (JSC::DFG::AssemblyHelpers::jitAssertHasValidCallFrame): * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::linkOSRExits): * dfg/DFGOSRExitCompiler.cpp: * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::selectScratchGPR): 2012-04-19 Filip Pizlo LLInt no-JIT fallback native call trampoline's exception handler incorrectly assumes that the PB/PC has been preserved https://bugs.webkit.org/show_bug.cgi?id=84367 Reviewed by Oliver Hunt. * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: 2012-04-19 Filip Pizlo It should be possible to load from Float64 arrays on ARMv7 without crashing https://bugs.webkit.org/show_bug.cgi?id=84361 Reviewed by Oliver Hunt. * assembler/MacroAssemblerARMv7.h: (JSC::MacroAssemblerARMv7::loadDouble): (JSC::MacroAssemblerARMv7::storeDouble): 2012-04-19 Dominik Röttsches [CMake] Build fix after r114575 https://bugs.webkit.org/show_bug.cgi?id=84322 Reviewed by Simon Hausmann. Build fix, adding WTF when linking jsc shell. * shell/CMakeLists.txt: 2012-04-18 Filip Pizlo JSC testing should have complete coverage over typed array types https://bugs.webkit.org/show_bug.cgi?id=84302 Reviewed by Geoff Garen. Added Uint8ClampedArray to the set of typed arrays that are supported by jsc command-line. * JSCTypedArrayStubs.h: (JSC): * jsc.cpp: (GlobalObject::finishCreation): 2012-04-18 Filip Pizlo jsc command line should support typed arrays by default https://bugs.webkit.org/show_bug.cgi?id=84298 Rubber stamped by Gavin Barraclough. * JSCTypedArrayStubs.h: (JSC): * jsc.cpp: (GlobalObject::finishCreation): 2012-04-18 Filip Pizlo JSVALUE32_64 should be able to perform division on ARM without crashing, and variables forced double should not be scrambled when performing OSR entry https://bugs.webkit.org/show_bug.cgi?id=84272 Reviewed by Geoff Garen. * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGOSREntry.cpp: (JSC::DFG::prepareOSREntry): 2012-04-18 Don Olmstead JavaScriptCore.gypi not current https://bugs.webkit.org/show_bug.cgi?id=84224 Reviewed by Eric Seidel. Updated JavaScriptCore.gypi to contain the latest sources. Removed os-win32 as it wasn't used. Also removed references to ICU files in the gypi file as ICU is most likely specified by the port itself. Private and public header files were determined by looking at copy-files.cmd within Apple's Visual Studio directory. * JavaScriptCore.gypi: 2012-04-18 Benjamin Poulain Remove m_subclassData from JSArray, move the attribute to subclass as needed https://bugs.webkit.org/show_bug.cgi?id=84249 Reviewed by Geoffrey Garen. JSArray's m_subclassData is only used by WebCore's RuntimeArray. This patch moves the attribute to RuntimeArray to avoid allocating memory for the pointer in the common case. This gives ~1% improvement in JSArray creation microbenchmark thanks to fewer allocations of CopiedSpace. * jit/JITInlineMethods.h: (JSC::JIT::emitAllocateJSArray): * runtime/JSArray.cpp: (JSC::JSArray::JSArray): * runtime/JSArray.h: 2012-04-18 Benjamin Poulain replaceUsingStringSearch: delay the creation of the replace string until needed https://bugs.webkit.org/show_bug.cgi?id=83841 Reviewed by Geoffrey Garen. We do not need to obtain the replaceValue until we have a match. By moving the intialization of replaceValue when needed, we save a few instructions when there is no match. * runtime/StringPrototype.cpp: (JSC::replaceUsingRegExpSearch): (JSC::replaceUsingStringSearch): (JSC::stringProtoFuncReplace): 2012-04-18 Mark Hahnenberg GC activity timer should be tied to allocation, not collection https://bugs.webkit.org/show_bug.cgi?id=83919 Reviewed by Geoffrey Garen. * API/JSContextRef.cpp: Used the new didAbandonObjectGraph callback to indicate that now that we've released a global object, we're abandoning a potentially large number of objects that JSC might want to collect. * heap/CopiedSpace.cpp: (JSC::CopiedSpace::tryAllocateSlowCase): Added the call to timer's willAllocate function to indicate that we've hit a slow path and are allocating now, so schedule the timer. * heap/Heap.cpp: (JSC::Heap::Heap): (JSC::Heap::collectAllGarbage): Removed the call to discardAllCompiledCode because it was causing us to throw away too much code during our benchmarks (especially vp8, which is very large and thus has large amounts of compiled code). (JSC::Heap::collect): Added the new call to didCollect at the conclusion of a collection so that we can cancel the timer if we no longer need to run a collection. Also added a check at the beginning of a collection to see if we should throw away our compiled code. Currently this is set to happen about once every minute. * heap/Heap.h: Added field to keep track of the last time we threw away our compiled code. * heap/MarkedAllocator.cpp: (JSC::MarkedAllocator::allocateSlowCase): Added call to willAllocate on the allocation slow path, just like in CopiedSpace. * runtime/GCActivityCallback.cpp: Added default stubs for non-CF platforms. (JSC::DefaultGCActivityCallback::willAllocate): (JSC): (JSC::DefaultGCActivityCallback::didCollect): (JSC::DefaultGCActivityCallback::didAbandonObjectGraph): * runtime/GCActivityCallback.h: Added new functions to make JSC's GC timer less arcane. This includes replacing the operator () with willAllocate() and adding an explicit didCollect() to cancel the timer after a collection occurs rather than relying on the way the timer is invoked to cancel itself. Also added a callback for when somebody else (e.g. WebCore or the JSC API) to notify JSC that they have just abandoned an entire graph of objects and that JSC might want to clean them up. (JSC::GCActivityCallback::~GCActivityCallback): (JSC::GCActivityCallback::willAllocate): (JSC::GCActivityCallback::didCollect): (JSC::GCActivityCallback::didAbandonObjectGraph): (JSC::GCActivityCallback::synchronize): (DefaultGCActivityCallback): * runtime/GCActivityCallbackCF.cpp: Re-wired all the run loop stuff to implement the aforementioned functions. We added a flag to check whether the timer was active because the call to CFRunLoopTimerSetNextFireDate actually turned out to be quite expensive (although Instruments couldn't tell us this). (DefaultGCActivityCallbackPlatformData): (JSC): (JSC::DefaultGCActivityCallbackPlatformData::timerDidFire): (JSC::DefaultGCActivityCallback::commonConstructor): (JSC::scheduleTimer): (JSC::cancelTimer): (JSC::DefaultGCActivityCallback::willAllocate): (JSC::DefaultGCActivityCallback::didCollect): (JSC::DefaultGCActivityCallback::didAbandonObjectGraph): 2012-04-17 Filip Pizlo DFG should not attempt to get rare case counts for op_mod on ARM https://bugs.webkit.org/show_bug.cgi?id=84218 Reviewed by Geoff Garen. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::makeSafe): * dfg/DFGCommon.h: (JSC::DFG::isX86): (DFG): 2012-04-17 Myles Maxfield BumpPointerAllocator assumes page size is less than MINIMUM_BUMP_POOL_SIZE https://bugs.webkit.org/show_bug.cgi?id=80912 Reviewed by Hajime Morita. * wtf/BumpPointerAllocator.h: (WTF::BumpPointerPool::create): 2012-04-17 Filip Pizlo Attempt to fix Windows build. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: 2012-04-17 Filip Pizlo It should be possible to create an inheritorID for the global this object without crashing https://bugs.webkit.org/show_bug.cgi?id=84200 Reviewed by Oliver Hunt. * runtime/JSGlobalThis.cpp: (JSC::JSGlobalThis::setUnwrappedObject): * runtime/JSGlobalThis.h: (JSC::JSGlobalThis::unwrappedObject): (JSGlobalThis): * runtime/JSObject.cpp: (JSC::JSObject::createInheritorID): * runtime/JSObject.h: (JSObject): (JSC::JSObject::resetInheritorID): 2012-04-17 Filip Pizlo DFG and LLInt should not clobber the frame pointer on ARMv7 https://bugs.webkit.org/show_bug.cgi?id=84185 Reviewed by Gavin Barraclough. Changed LLInt to use a different register. Changed DFG to use one fewer registers. We should revisit this and switch the DFG to use a different register instead of r7, but we can do that in a subsequent step since the performance effect is tiny. * dfg/DFGGPRInfo.h: (GPRInfo): (JSC::DFG::GPRInfo::toRegister): (JSC::DFG::GPRInfo::toIndex): * offlineasm/armv7.rb: 2012-04-17 Filip Pizlo use after free in JSC::DFG::Node::op / JSC::DFG::ByteCodeParser::flushArgument https://bugs.webkit.org/show_bug.cgi?id=83942 Reviewed by Gavin Barraclough. Don't use references to the graph after resizing the graph. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::flushArgument): 2012-04-16 Gavin Barraclough Array.prototype.toString should be generic https://bugs.webkit.org/show_bug.cgi?id=81588 Reviewed by Sam Weinig. * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncToString): - check for join function, use fast case if base object is array & join is present & default. * runtime/CommonIdentifiers.h: - added 'join'. 2012-04-16 Carlos Garcia Campos Unreviewed. Fix make distcheck issues. * GNUmakefile.list.am: Add missing files. 2012-04-16 Sheriff Bot Unreviewed, rolling out r114309. http://trac.webkit.org/changeset/114309 https://bugs.webkit.org/show_bug.cgi?id=84097 it broke everything (Requested by olliej on #webkit). * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: * bytecode/CodeBlock.h: * dfg/DFGOperations.cpp: * interpreter/Interpreter.cpp: (JSC::Interpreter::getStackTrace): (JSC::Interpreter::throwException): * interpreter/Interpreter.h: (Interpreter): * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): * jsc.cpp: (functionJSCStack): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::handleHostCall): * parser/Parser.h: (JSC::::parse): * runtime/Error.cpp: (JSC::addErrorInfo): (JSC::throwError): * runtime/Error.h: (JSC): 2012-04-16 Oliver Hunt Exception stack traces aren't complete when the exception starts in native code https://bugs.webkit.org/show_bug.cgi?id=84073 Reviewed by Gavin Barraclough. Refactored building the stack trace to so that we can construct it earlier, and don't rely on any prior work performed in the exception handling machinery. Also updated LLInt and the DFG to completely initialise the callframes of host function calls. * bytecode/CodeBlock.h: (JSC::CodeBlock::codeOriginIndexForReturn): (CodeBlock): * dfg/DFGOperations.cpp: * interpreter/Interpreter.cpp: (JSC::Interpreter::getStackTrace): (JSC::Interpreter::addStackTraceIfNecessary): (JSC): (JSC::Interpreter::throwException): * interpreter/Interpreter.h: (Interpreter): * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): * jsc.cpp: (functionJSCStack): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::handleHostCall): * parser/Parser.h: (JSC::::parse): * runtime/Error.cpp: (JSC::addErrorInfo): (JSC::throwError): * runtime/Error.h: (JSC): 2012-04-16 Oliver Hunt Fix COMMANDLINE_TYPEDARRAYS build https://bugs.webkit.org/show_bug.cgi?id=84051 Reviewed by Gavin Barraclough. Update for new putByIndex API and wtf changes. * JSCTypedArrayStubs.h: (JSC): 2012-04-16 Mark Hahnenberg GC in the middle of JSObject::allocatePropertyStorage can cause badness https://bugs.webkit.org/show_bug.cgi?id=83839 Reviewed by Geoffrey Garen. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: * jit/JITStubs.cpp: Making changes to use the new return value of growPropertyStorage. (JSC::DEFINE_STUB_FUNCTION): * runtime/JSObject.cpp: (JSC::JSObject::growPropertyStorage): Renamed to more accurately reflect that we're growing our already-existing PropertyStorage. * runtime/JSObject.h: (JSObject): (JSC::JSObject::setPropertyStorage): "Atomically" sets the new property storage and the new structure so that we can be sure a GC never occurs when our Structure info is out of sync with our PropertyStorage. (JSC): (JSC::JSObject::putDirectInternal): Moved the check to see if we should allocate more backing store before the actual property insertion into the structure. (JSC::JSObject::putDirectWithoutTransition): Ditto. (JSC::JSObject::transitionTo): Ditto. * runtime/Structure.cpp: (JSC::Structure::suggestedNewPropertyStorageSize): Added to keep the resize policy for property backing stores contained within the Structure class. (JSC): * runtime/Structure.h: (JSC::Structure::shouldGrowPropertyStorage): Lets clients know if another insertion into the Structure would require resizing the property backing store so that they can preallocate the required storage. (Structure): 2012-04-13 Sheriff Bot Unreviewed, rolling out r114185. http://trac.webkit.org/changeset/114185 https://bugs.webkit.org/show_bug.cgi?id=83967 Broke a bunch of JavaScript related tests (Requested by andersca on #webkit). * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncToString): (JSC::arrayProtoFuncToLocaleString): * runtime/CommonIdentifiers.h: * tests/mozilla/ecma/Array/15.4.4.2.js: (getTestCases): 2012-04-13 Gavin Barraclough Don't rely on fixed offsets to patch calls https://bugs.webkit.org/show_bug.cgi?id=83966 Rubber stamped by Oliver Hunt. These aren't being used anywhere! * jit/JIT.h: * jit/JITCall.cpp: (JSC::JIT::compileOpCall): * jit/JITCall32_64.cpp: (JSC::JIT::compileOpCall): 2012-04-13 Hojong Han Array.prototype.toString and Array.prototype.toLocaleString should be generic https://bugs.webkit.org/show_bug.cgi?id=81588 Reviewed by Gavin Barraclough. * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncToString): (JSC::arrayProtoFuncToLocaleString): * runtime/CommonIdentifiers.h: * tests/mozilla/ecma/Array/15.4.4.2.js: (getTestCases.array.item.new.TestCase): (getTestCases): 2012-04-13 Gavin Barraclough Don't rely on fixed offsets to patch method checks https://bugs.webkit.org/show_bug.cgi?id=83958 Reviewed by Oliver Hunt. * bytecode/StructureStubInfo.h: - Add fields for the method check info. * jit/JIT.cpp: (JSC::PropertyStubCompilationInfo::copyToStubInfo): - Store the offsets on the stub info, instead of asserting. * jit/JIT.h: - Delete all the method check related offsets. * jit/JITPropertyAccess.cpp: (JSC::JIT::patchMethodCallProto): - Use the offset from the stubInfo. * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): - Pass the stubInfo to patchMethodCallProto. 2012-04-13 Gavin Barraclough Don't rely on fixed offsets to patch get_by_id/put_by_id https://bugs.webkit.org/show_bug.cgi?id=83924 Reviewed by Oliver Hunt. Store offsets in the structure stub info, as we do for the DFG JIT. * assembler/AbstractMacroAssembler.h: (JSC::AbstractMacroAssembler::differenceBetween): - this method can be static (now used from PropertyStubCompilationInfo::copyToStubInfo, will be removed soon!) * bytecode/StructureStubInfo.h: - added new fields for baseline JIT offsets. * jit/JIT.cpp: (JSC::PropertyStubCompilationInfo::copyToStubInfo): - moved out from JIT::privateCompile. (JSC::JIT::privateCompile): - moved out code to PropertyStubCompilationInfo::copyToStubInfo. * jit/JIT.h: (PropertyStubCompilationInfo): - added helper functions to initializae PropertyStubCompilationInfo, state to store more offset info. - removed many offsets. * jit/JITPropertyAccess.cpp: (JSC::JIT::emit_op_method_check): (JSC::JIT::compileGetByIdHotPath): (JSC::JIT::compileGetByIdSlowCase): (JSC::JIT::emit_op_put_by_id): (JSC::JIT::emitSlow_op_put_by_id): (JSC::JIT::patchGetByIdSelf): (JSC::JIT::patchPutByIdReplace): (JSC::JIT::privateCompilePatchGetArrayLength): (JSC::JIT::privateCompileGetByIdProto): (JSC::JIT::privateCompileGetByIdSelfList): (JSC::JIT::privateCompileGetByIdProtoList): (JSC::JIT::privateCompileGetByIdChainList): (JSC::JIT::privateCompileGetByIdChain): (JSC::JIT::resetPatchGetById): (JSC::JIT::resetPatchPutById): - changed code generation to use new interface to store info on PropertyStubCompilationInfo. - changed repatch functions to read offsets from the structure stub info. * jit/JITPropertyAccess32_64.cpp: (JSC::JIT::emit_op_method_check): (JSC::JIT::compileGetByIdHotPath): (JSC::JIT::compileGetByIdSlowCase): (JSC::JIT::emit_op_put_by_id): (JSC::JIT::emitSlow_op_put_by_id): (JSC::JIT::patchGetByIdSelf): (JSC::JIT::patchPutByIdReplace): (JSC::JIT::privateCompilePatchGetArrayLength): (JSC::JIT::privateCompileGetByIdProto): (JSC::JIT::privateCompileGetByIdSelfList): (JSC::JIT::privateCompileGetByIdProtoList): (JSC::JIT::privateCompileGetByIdChainList): (JSC::JIT::privateCompileGetByIdChain): (JSC::JIT::resetPatchGetById): (JSC::JIT::resetPatchPutById): - changed code generation to use new interface to store info on PropertyStubCompilationInfo. - changed repatch functions to read offsets from the structure stub info. 2012-04-13 Rob Buis Fix some compiler warnings (miscellaneous) https://bugs.webkit.org/show_bug.cgi?id=80790 Reviewed by Antonio Gomes. Fix signed/unsigned comparison warning. * parser/Lexer.cpp: (JSC::::record16): 2012-04-12 Benjamin Poulain Improve replaceUsingStringSearch() for case of a single character searchValue https://bugs.webkit.org/show_bug.cgi?id=83738 Reviewed by Geoffrey Garen. This patch improves replaceUsingStringSearch() with the following: -Add a special case for single character search, taking advantage of the faster WTF::find(). -Inline replaceUsingStringSearch(). -Use StringImpl::create() instead of UString::substringSharingImpl() since we know we are in the bounds by definition. This gives less than 1% improvement for the multicharacter replace. The single character search show about 9% improvement. * runtime/StringPrototype.cpp: (JSC::replaceUsingStringSearch): 2012-04-12 Michael Saboff StructureStubInfo::reset() causes leaks of PolymorphicAccessStructureList and ExecutableMemoryHandle objects https://bugs.webkit.org/show_bug.cgi?id=83823 Reviewed by Gavin Barraclough. Put the clearing of the accessType to after the call to deref() so that deref() can use the accessType to delete referenced objects as needed. * bytecode/StructureStubInfo.h: (JSC::StructureStubInfo::reset): 2012-04-12 Balazs Kelemen [Qt] Fix WebKit1 build with V8 https://bugs.webkit.org/show_bug.cgi?id=83322 Reviewed by Adam Barth. * yarr/yarr.pri: 2012-04-12 Gavin Barraclough https://bugs.webkit.org/show_bug.cgi?id=83821 Move dfg repatching properties of structure stub info into a union Reviewed by Oliver Hunt. We want to be able to have similar properties for the baseline JIT, some restructuring to prepare for this. * bytecode/StructureStubInfo.h: (StructureStubInfo): * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::link): * dfg/DFGRepatch.cpp: (JSC::DFG::dfgRepatchByIdSelfAccess): (JSC::DFG::linkRestoreScratch): (JSC::DFG::generateProtoChainAccessStub): (JSC::DFG::tryCacheGetByID): (JSC::DFG::tryBuildGetByIDList): (JSC::DFG::tryBuildGetByIDProtoList): (JSC::DFG::emitPutReplaceStub): (JSC::DFG::emitPutTransitionStub): (JSC::DFG::tryCachePutByID): (JSC::DFG::tryBuildPutByIdList): (JSC::DFG::dfgResetGetByID): (JSC::DFG::dfgResetPutByID): 2012-04-12 Gavin Barraclough Delete a bunch of unused, copy & pasted values in JIT.h https://bugs.webkit.org/show_bug.cgi?id=83822 Reviewed by Oliver Hunt. The only architecture we support the JSVALUE64 JIT on is x86-64, all the patch offsets for other architectures are just nonsense. * jit/JIT.h: (JIT): 2012-04-12 Csaba Osztrogonác [Qt][ARM] Buildfix after r113934. Reviewed by Zoltan Herczeg. * assembler/MacroAssemblerARM.h: (JSC::MacroAssemblerARM::compare8): (MacroAssemblerARM): 2012-04-11 Filip Pizlo It is incorrect to short-circuit Branch(LogicalNot(@a)) if boolean speculations on @a may fail https://bugs.webkit.org/show_bug.cgi?id=83744 Reviewed by Andy Estes. This does the conservative thing: it only short-circuits Branch(LogicalNot(@a)) if @a is a node that is statically known to return boolean results. * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): 2012-04-11 Michael Saboff Invalid Union Reference in StructureStubInfo.{cpp.h} https://bugs.webkit.org/show_bug.cgi?id=83735 Reviewed by Filip Pizlo. Changed the references to u.getByIdProtoList and u.getByIdSelfList to be consistent. * bytecode/StructureStubInfo.cpp: (JSC::StructureStubInfo::visitWeakReferences): * bytecode/StructureStubInfo.h: (JSC::StructureStubInfo::initGetByIdSelfList): 2012-04-11 Filip Pizlo Unreviewed attempting to make Qt's eccentric hardware work. * assembler/MacroAssemblerARM.h: (JSC::MacroAssemblerARM::compare8): (MacroAssemblerARM): * assembler/MacroAssemblerMIPS.h: (JSC::MacroAssemblerMIPS::compare8): (MacroAssemblerMIPS): * assembler/MacroAssemblerSH4.h: (JSC::MacroAssemblerSH4::compare8): (MacroAssemblerSH4): 2012-04-11 Filip Pizlo op_is_foo should be optimized https://bugs.webkit.org/show_bug.cgi?id=83666 Reviewed by Gavin Barraclough. This implements inlining of op_is_undefined, op_is_string, op_is_number, and op_is_boolean in LLInt and the baseline JIT. op_is_object and op_is_function are not inlined because they are quite a bit more complex. This also implements all of the op_is_foo opcodes in the DFG, but it does not do any type profiling based optimizations, yet. * assembler/MacroAssemblerARMv7.h: (JSC::MacroAssemblerARMv7::compare8): (MacroAssemblerARMv7): * assembler/MacroAssemblerX86Common.h: (JSC::MacroAssemblerX86Common::compare8): (MacroAssemblerX86Common): * assembler/MacroAssemblerX86_64.h: (MacroAssemblerX86_64): (JSC::MacroAssemblerX86_64::testPtr): * dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::execute): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGCCallHelpers.h: (JSC::DFG::CCallHelpers::setupArguments): (CCallHelpers): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::performNodeCSE): * dfg/DFGCapabilities.h: (JSC::DFG::canCompileOpcode): * dfg/DFGNodeType.h: (DFG): * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::callOperation): (JSC::DFG::SpeculativeJIT::appendCallSetResult): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * jit/JIT.cpp: (JSC::JIT::privateCompileMainPass): * jit/JIT.h: (JIT): * jit/JITOpcodes.cpp: (JSC::JIT::emit_op_is_undefined): (JSC): (JSC::JIT::emit_op_is_boolean): (JSC::JIT::emit_op_is_number): (JSC::JIT::emit_op_is_string): * jit/JITOpcodes32_64.cpp: (JSC::JIT::emit_op_is_undefined): (JSC): (JSC::JIT::emit_op_is_boolean): (JSC::JIT::emit_op_is_number): (JSC::JIT::emit_op_is_string): * jit/JITStubs.cpp: (JSC): * llint/LLIntSlowPaths.cpp: (LLInt): * llint/LLIntSlowPaths.h: (LLInt): * llint/LowLevelInterpreter.asm: * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: * offlineasm/armv7.rb: * offlineasm/instructions.rb: * offlineasm/x86.rb: 2012-04-11 Filip Pizlo If you use an IntegerOperand and want to return it with integerResult, you need to zero extend to get rid of the box https://bugs.webkit.org/show_bug.cgi?id=83734 Reviewed by Oliver Hunt. * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::fillInteger): (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32): 2012-04-11 Filip Pizlo SpeculativeJIT::fillStorage() should work with all the states that a cell may be in https://bugs.webkit.org/show_bug.cgi?id=83722 Reviewed by Gavin Barraclough. It's now possible to do StorageOperand on a cell, in the case that the storage is inline. But this means that fillStorage() must be able to handle all of the states that a cell might be in. Previously it didn't. With this change, it now does handle all of the states, and moreover, it does so by preserving the DataFormat of cells and performing all of the cell speculations that should be performed if you're using a cell as storage. But if you use this on something that is known to be storage already then it behaves as it did before. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::fillStorage): 2012-04-11 Filip Pizlo Global variable predictions should not be coalesced unnecessarily https://bugs.webkit.org/show_bug.cgi?id=83678 Reviewed by Geoff Garen. Removed the PredictionTracker and everyone who used it. Converted GetGlobalVar to have a heapPrediction like a civilized DFG opcode ought to. No performance effect. * GNUmakefile.list.am: * JavaScriptCore.xcodeproj/project.pbxproj: * bytecode/CodeBlock.h: * bytecode/PredictionTracker.h: Removed. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGGenerationInfo.h: * dfg/DFGGraph.cpp: (JSC::DFG::Graph::dump): * dfg/DFGGraph.h: (Graph): * dfg/DFGNode.h: (JSC::DFG::Node::hasHeapPrediction): * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): 2012-04-11 Benjamin Poulain Optimize String.split() for 1 character separator https://bugs.webkit.org/show_bug.cgi?id=83546 Reviewed by Gavin Barraclough. This patch adds a serie of optimizations to make stringProtoFuncSplit() faster in the common case where the separator is a single character. The two main gains are: -Use of the find() function with a single character instead of doing a full string matching. -Use of WTF::find() instead of UString::find() to avoid branching on is8Bit() and have a simpler inline function. The code is also changed to avoid making unnecessary allocations by converting the 8bit string to 16bits. This makes String.split() faster by about 13% in that particular case. * runtime/StringPrototype.cpp: (JSC): (JSC::splitStringByOneCharacterImpl): (JSC::stringProtoFuncSplit): 2012-04-10 Carlos Garcia Campos Unreviewed. Fix make distcheck issues. * GNUmakefile.list.am: Ad missing files. 2012-04-10 Mark Rowe Attempt to fix the Windows build. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: 2012-04-10 Patrick Gansterer Cleanup wtf/Platform.h and config.h files https://bugs.webkit.org/show_bug.cgi?id=83431 Reviewed by Eric Seidel. The ENABLE() and USE() macros take care about the case when the flag isn't defined. So there is no need to define anything with 0. Also move duplicated code from the config.h files to Platform.h and merge a few preprocessor commands to make the file more readable. * config.h: 2012-04-10 Filip Pizlo DFG should flush SetLocals to arguments https://bugs.webkit.org/show_bug.cgi?id=83554 Reviewed by Gavin Barraclough. This is necessary to match baseline JIT argument capture behavior. But to make this work right we need to have a story for arguments into which we store values of different formats. This patch introduces the notion of an ArgumentPosition - i.e. an argument in a particular inline call frame - and forces unification of all data pertinent to selecting the argument's data format. Also fixed an amusing bug in the handling of OSR on SetLocals if there was any insertion/deletion of nodes in the basic block. This is benign for now but won't be eventually since the DFG is getting smarter. So better fix it now. Also fixed an amusing bug in the handling of OSR on SetLocals if they are immediately followed by a Flush. I think this bug might have always been there but now it'll happen more commonly, and it's covered by the run-javascriptcore-tests. * JavaScriptCore.xcodeproj/project.pbxproj: * dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::execute): * dfg/DFGArgumentPosition.h: Added. (DFG): (ArgumentPosition): (JSC::DFG::ArgumentPosition::ArgumentPosition): (JSC::DFG::ArgumentPosition::addVariable): (JSC::DFG::ArgumentPosition::mergeArgumentAwareness): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::setLocal): (JSC::DFG::ByteCodeParser::setArgument): (InlineStackEntry): (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): * dfg/DFGDoubleFormatState.h: Added. (DFG): (JSC::DFG::mergeDoubleFormatStates): (JSC::DFG::mergeDoubleFormatState): (JSC::DFG::doubleFormatStateToString): * dfg/DFGGraph.h: (Graph): * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGVariableAccessData.h: (JSC::DFG::VariableAccessData::VariableAccessData): (JSC::DFG::VariableAccessData::predict): (JSC::DFG::VariableAccessData::argumentAwarePrediction): (VariableAccessData): (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction): (JSC::DFG::VariableAccessData::doubleFormatState): (JSC::DFG::VariableAccessData::shouldUseDoubleFormat): (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat): (JSC::DFG::VariableAccessData::mergeDoubleFormatState): (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat): 2012-04-10 Adam Klein Remove unused NonNullPassRefPtr from WTF https://bugs.webkit.org/show_bug.cgi?id=82389 Reviewed by Kentaro Hara. * JavaScriptCore.order: Remove nonexistent symbols referencing NonNullPassRefPtr. 2012-04-10 Darin Adler Remove unused data member from Lexer class https://bugs.webkit.org/show_bug.cgi?id=83429 Reviewed by Kentaro Hara. I noticed that m_delimited was "write-only", so I deleted it. * parser/Lexer.cpp: (JSC::Lexer::setCode): Removed code to set m_delimited. (JSC::Lexer::parseIdentifier): Ditto. (JSC::Lexer::parseIdentifierSlowCase): Ditto. (JSC::Lexer::lex): Ditto. * parser/Lexer.h: Deleted m_delimited. 2012-04-10 Patrick Gansterer [CMake] Enable USE_FOLDERS property https://bugs.webkit.org/show_bug.cgi?id=83571 Reviewed by Daniel Bates. Setting the FOLDER property on targets gives more structure to the generated Visual Studio solutions. This does not affect other CMake generators. * CMakeLists.txt: * shell/CMakeLists.txt: 2012-04-10 Filip Pizlo It should be possible to see why a code block was not compiled by the DFG https://bugs.webkit.org/show_bug.cgi?id=83553 Reviewed by Geoff Garen. If DFG_ENABLE(DEBUG_VERBOSE) and a code block is rejected, then print the opcode that caused the rejection. * dfg/DFGCapabilities.cpp: (JSC::DFG::debugFail): (DFG): (JSC::DFG::canHandleOpcodes): 2012-04-09 Gavin Barraclough If a callback constructor returns a C++ null, throw a type error. https://bugs.webkit.org/show_bug.cgi?id=83537 Rubber Stamped by Geoff Garen. * API/JSCallbackConstructor.cpp: (JSC::constructJSCallback): - If a callback constructor returns a C++ null, throw a type error. * API/tests/testapi.c: (Base_returnHardNull): * API/tests/testapi.js: - Add a test case for callback constructors that return a C++ null. 2012-04-09 Gavin Barraclough If a callback function returns a C++ null, convert to undefined. https://bugs.webkit.org/show_bug.cgi?id=83534 Reviewed by Geoff Garen. * API/JSCallbackFunction.cpp: - If a callback function returns a C++ null, convert to undefined. (JSC::JSCallbackFunction::call): * API/tests/testapi.c: (Base_returnHardNull): * API/tests/testapi.js: - Add a test case for callback functions that return a C++ null. 2012-04-09 Filip Pizlo Classic interpreter's GC hooks shouldn't attempt to scan instructions for code blocks that are currently being generated https://bugs.webkit.org/show_bug.cgi?id=83531 Reviewed by Gavin Barraclough. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::stronglyVisitStrongReferences): 2012-04-09 Filip Pizlo Unreviewed, modernize and clean up uses of ARM assembly mnemonics in inline asm blocks. * dfg/DFGOperations.cpp: (JSC): * offlineasm/armv7.rb: 2012-04-09 Patrick Gansterer Remove HAVE_STDINT_H https://bugs.webkit.org/show_bug.cgi?id=83434 Reviewed by Kentaro Hara. HAVE_STDINT_H is defined with 1 all the time and we us stdint.h without HAVE(STDINT_H) already. * config.h: 2012-04-08 Filip Pizlo DFG should not load the property storage if it is inline. https://bugs.webkit.org/show_bug.cgi?id=83455 Reviewed by Gavin Barraclough. We had previously decided to have all property storage accesses go through the property storage pointer even if they don't "really" have to, because we were thinking this would help GC barriers somehow. Well, we never ended up doing anything with that. Hence, doing these wasted loads of the property storage pointer when the storage is inline is just a waste of CPU cycles. This change makes the DFG's inline property accesses (GetByOffset and PutByOffset) go directly to the inline property storage if the structure(s) tell us that it's OK. This looks like an across-the-board 1% win. * bytecode/StructureSet.h: (JSC): (JSC::StructureSet::allAreUsingInlinePropertyStorage): (StructureSet): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::fillStorage): 2012-04-08 Filip Pizlo Command-line jsc's exception handling should be rationalized https://bugs.webkit.org/show_bug.cgi?id=83437 Reviewed by Dan Bernstein. - If an exception is thrown during run() execution, it is now propagated, so that it will terminate program execution unless it is caught. - If program execution terminates with an exception, the exception is now always printed. - When printing the exception, the backtrace is now also printed if one is available. It will only not be available if you use something akin to my favorite line of code, 'throw "error"', since primitives don't have properties and hence we cannot attach a "stack" property to them. * jsc.cpp: (functionRun): (runWithScripts): 2012-04-04 Filip Pizlo Forced OSR exits should lead to recompilation based on count, not rate https://bugs.webkit.org/show_bug.cgi?id=83247 Reviewed by Geoff Garen. Track which OSR exits happen because of inadequate coverage. Count them separately. If the count reaches a threshold, immediately trigger reoptimization. This is in contrast to the recompilation trigger for all other OSR exits. Normally recomp is triggered when the exit rate exceeds a certain ratio. Looks like a slight V8 speedup (sub 1%). * bytecode/CodeBlock.cpp: (JSC::CodeBlock::CodeBlock): * bytecode/CodeBlock.h: (JSC::CodeBlock::forcedOSRExitCounter): (JSC::CodeBlock::addressOfForcedOSRExitCounter): (JSC::CodeBlock::offsetOfForcedOSRExitCounter): (JSC::CodeBlock::shouldReoptimizeNow): (JSC::CodeBlock::shouldReoptimizeFromLoopNow): (CodeBlock): * bytecode/DFGExitProfile.h: (JSC::DFG::exitKindToString): * dfg/DFGOSRExitCompiler.cpp: (JSC::DFG::OSRExitCompiler::handleExitCounts): (DFG): * dfg/DFGOSRExitCompiler.h: (OSRExitCompiler): * dfg/DFGOSRExitCompiler32_64.cpp: (JSC::DFG::OSRExitCompiler::compileExit): * dfg/DFGOSRExitCompiler64.cpp: (JSC::DFG::OSRExitCompiler::compileExit): * dfg/DFGOperations.cpp: * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * runtime/Options.cpp: (Options): (JSC::Options::initializeOptions): * runtime/Options.h: (Options): 2012-04-06 Benjamin Poulain Do not abuse ArrayStorage's m_length for testing array consistency https://bugs.webkit.org/show_bug.cgi?id=83403 Reviewed by Geoffrey Garen. Array creation from a list of values is a 3 steps process: -JSArray::tryCreateUninitialized() -JSArray::initializeIndex() for each values -JSArray::completeInitialization() Previously, the attribute m_length was not set to the final size JSArray::tryCreateUninitialized() because it was used to test the array consistency JSArray::initializeIndex(). This caused the initialization loop using JSArray::initializeIndex() maintain two counters: -index of the loop -storage->m_length++ This patch fixes this by using the index of the initialization loop for the indinces of JSArray::initializeIndex(). For testing consistency, the variable m_initializationIndex is introduced if CHECK_ARRAY_CONSISTENCY is defined. The patch also fixes minor unrelated build issue when CHECK_ARRAY_CONSISTENCY is defined. This improves the performance of JSArray creation from literals by 8%. * runtime/JSArray.cpp: (JSC::JSArray::tryFinishCreationUninitialized): (JSC::JSArray::checkConsistency): * runtime/JSArray.h: (ArrayStorage): (JSC::JSArray::initializeIndex): (JSC::JSArray::completeInitialization): 2012-04-06 Jon Lee Build fix for Windows bots. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: export missing symbol. 2012-04-06 Geoffrey Garen Renamed WeakHeap => WeakSet HandleHeap => HandleSet Reviewed by Sam Weinig. These sets do have internal allocators, but it's confusing to call them heaps because they're sub-objects of an object called "heap". * heap/HandleHeap.cpp: Removed. * heap/HandleHeap.h: Removed. * heap/HandleSet.cpp: Copied from JavaScriptCore/heap/HandleHeap.cpp. * heap/WeakHeap.cpp: Removed. * heap/WeakHeap.h: Removed. * heap/WeakSet.cpp: Copied from JavaScriptCore/heap/WeakHeap.cpp. * heap/WeakSet.h: Copied from JavaScriptCore/heap/WeakHeap.h. Plus global rename using grep. 2012-04-06 Dan Bernstein HiDPI: Have canvas use a hidpi backing store, but downsample upon access Reviewed by Sam Weinig. * Configurations/FeatureDefines.xcconfig: Added ENABLE_HIGH_DPI_CANVAS. 2012-04-06 Rob Buis Fix cast-align warnings in JSC https://bugs.webkit.org/show_bug.cgi?id=80790 Reviewed by George Staikos. * assembler/ARMv7Assembler.h: (JSC::ARMv7Assembler::computeJumpType): (JSC::ARMv7Assembler::link): * assembler/LinkBuffer.h: (JSC::LinkBuffer::linkCode): * heap/MarkStack.cpp: (JSC::SlotVisitor::copyAndAppend): * runtime/JSArray.cpp: (JSC::JSArray::visitChildren): * wtf/RefCountedArray.h: (WTF::RefCountedArray::Header::payload): 2012-04-06 Darin Adler Streamline strtod and fix some related problems https://bugs.webkit.org/show_bug.cgi?id=82857 Reviewed by Geoffrey Garen. * parser/Lexer.cpp: (JSC::Lexer::lex): Use parseDouble. Since we have already scanned the number and we know it has only correct characters, leading spaces, trailing junk, and trailing spaces are not a possibility. No need to add a trailing null character. * runtime/JSGlobalObjectFunctions.cpp: (JSC::parseInt): Changed overflow based 10 case to use parseDouble. No need to allow trailing junk since the code above already allows only numeric digits in the string. This code path is used only in unusual cases, so it's not optimized for 8-bit strings, but easily could be. (JSC::jsStrDecimalLiteral): Removed the allow trailing junk argument to this function template because all the callers are OK with trailing junk. Use the parseDouble function. No need to copy the data into a byte buffer, because parseDouble handles that. (JSC::toDouble): Got rid of the DisallowTrailingJunk argument to the jsStrDecimalLiteral function template. That's OK because this function already checks for trailing junk and handles it appropriately. The old code path was doing it twice. (JSC::parseFloat): Got rid of the AllowTrailingJunk argument to the jsStrDecimalLiteral function template; the template allows junk unconditionally. * runtime/LiteralParser.cpp: (JSC::::Lexer::lexNumber): Use parseDouble. Since we have already scanned the number and we know it has only correct characters, leading spaces, trailing junk, and trailing spaces are not a possibility. No need to add a trailing null character. No need to copy the data into a byte buffer, because parseDouble handles that. We could optimize the UChar case even more because we know all the characters are ASCII, but not doing that at this time. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Updated. 2012-04-06 Patrick Gansterer Remove JSC dependency from GregorianDateTime https://bugs.webkit.org/show_bug.cgi?id=83290 Reviewed by Geoffrey Garen. This allows us to move it to WTF later. * runtime/DateConstructor.cpp: (JSC::callDate): * runtime/JSDateMath.h: 2012-04-05 Michael Saboff Call Heap::discardAllCompiledCode() in low memory situations https://bugs.webkit.org/show_bug.cgi?id=83335 Reviewed by Geoffrey Garen. Restructured Heap::discardAllCompiledCode() to do the "Is JavaScriptRunning?" check inline so that it can be called directly without this check. * heap/Heap.cpp: (JSC::Heap::discardAllCompiledCode): (JSC::Heap::collectAllGarbage): * heap/Heap.h: Added JS_EXPORT_PRIVATE to discardAllCompiledCode() so it can be called from WebCore. (Heap): * runtime/JSGlobalData.h: Removed unused " void discardAllCompiledCode()" declaration. (JSGlobalData): 2012-04-05 Benjamin Poulain Speed up the conversion from JSValue to String for bulk operations https://bugs.webkit.org/show_bug.cgi?id=83243 Reviewed by Geoffrey Garen. When making operations on primitive types, we loose some time converting values to JSString in order to extract the string. This patch speeds up some basic Array operations by avoiding the creation of intermediary JSString when possible. For the cases where we need to convert a lot of JSValue in a tight loop, an inline conversion is used. * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncToString): (JSC::arrayProtoFuncToLocaleString): (JSC::arrayProtoFuncJoin): (JSC::arrayProtoFuncPush): (JSC::arrayProtoFuncSort): * runtime/CommonIdentifiers.h: * runtime/JSArray.cpp: (JSC::JSArray::sort): * runtime/JSString.h: (JSC::JSValue::toUString): (JSC): (JSC::inlineJSValueNotStringtoUString): (JSC::JSValue::toUStringInline): * runtime/JSValue.cpp: (JSC::JSValue::toUStringSlowCase): (JSC): * runtime/JSValue.h: (JSValue): 2012-04-05 Benjamin Poulain Use QuickSort when sorting primitive values by string representation https://bugs.webkit.org/show_bug.cgi?id=83312 Reviewed by Gavin Barraclough. When the value we are sorting are all primitive values, we do not need to ensure a stable sort as two values with equal string representation are indistinguishable from JavaScript. This gives about 16% performance increase when sorting primitive values. * runtime/JSArray.cpp: (JSC::JSArray::sort): 2012-04-05 Oliver Hunt SIGILL in JavaScriptCore on a Geode processor https://bugs.webkit.org/show_bug.cgi?id=82496 Reviewed by Gavin Barraclough. Don't attempt to use the DFG when SSE2 is not available. * dfg/DFGCapabilities.cpp: (JSC::DFG::canCompileOpcodes): 2012-04-05 Oliver Hunt Fix 32-bit build. * API/APICast.h: (toJS): 2012-04-05 Oliver Hunt Replace static_cast with jsCast when casting JSCell subclasses in JSC https://bugs.webkit.org/show_bug.cgi?id=83307 Reviewed by Gavin Barraclough. Replace all usage of static_cast with jsCast in JavaScriptCore. This results in assertions when unsafe casts are performed, but simply leaves a static_cast in release builds. * API/APICast.h: (toJS): * API/JSCallbackConstructor.cpp: (JSC::constructJSCallback): * API/JSCallbackFunction.cpp: (JSC::JSCallbackFunction::call): * API/JSCallbackObjectFunctions.h: (JSC::::asCallbackObject): (JSC::::finishCreation): (JSC::::construct): (JSC::::call): * API/JSObjectRef.cpp: (JSObjectGetPrivate): (JSObjectSetPrivate): (JSObjectGetPrivateProperty): (JSObjectSetPrivateProperty): (JSObjectDeletePrivateProperty): * API/JSValueRef.cpp: (JSValueIsObjectOfClass): * API/JSWeakObjectMapRefPrivate.cpp: * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::resolve): (JSC::BytecodeGenerator::resolveConstDecl): * debugger/DebuggerActivation.cpp: (JSC::DebuggerActivation::finishCreation): * dfg/DFGOperations.cpp: * interpreter/Interpreter.cpp: (JSC::Interpreter::execute): (JSC::Interpreter::privateExecute): * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): * runtime/Executable.h: (JSC::isHostFunction): * runtime/JSActivation.h: (JSC::asActivation): * runtime/JSArray.cpp: (JSC::JSArray::defineOwnProperty): * runtime/JSArray.h: (JSC::asArray): * runtime/JSBoundFunction.cpp: (JSC::boundFunctionCall): (JSC::boundFunctionConstruct): * runtime/JSByteArray.h: (JSC::asByteArray): * runtime/JSCell.cpp: (JSC::JSCell::toObject): * runtime/JSCell.h: (JSC::jsCast): * runtime/JSGlobalObject.h: (JSC::asGlobalObject): * runtime/JSGlobalObjectFunctions.cpp: (JSC::globalFuncEval): * runtime/JSObject.cpp: (JSC::JSObject::setPrototypeWithCycleCheck): (JSC::JSObject::allowsAccessFrom): (JSC::JSObject::toThisObject): (JSC::JSObject::unwrappedObject): * runtime/JSObject.h: (JSC::asObject): * runtime/JSPropertyNameIterator.h: (JSC::Register::propertyNameIterator): * runtime/JSString.h: (JSC::asString): (JSC::JSValue::toString): * runtime/StringPrototype.cpp: (JSC::stringProtoFuncSubstr): 2012-04-05 Benjamin Poulain Make something faster than JSStringBuilder for joining an array of JSValue https://bugs.webkit.org/show_bug.cgi?id=83180 Reviewed by Geoffrey Garen. This patch add the class JSStringJoiner optimized for join() operations. This class makes stricter constraints than JSStringBuilder in order avoid memory allocations. In the best case, the class allocate memory only twice: -Allocate an array to keep a list of UString to join. -Allocate the final string. We also avoid the conversion from 8bits strings to 16bits strings since they are costly and unlikly to help for subsequent calls. * CMakeLists.txt: * GNUmakefile.list.am: * JavaScriptCore.gypi: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: * JavaScriptCore.xcodeproj/project.pbxproj: * Target.pri: * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncToLocaleString): (JSC::arrayProtoFuncJoin): * runtime/JSStringJoiner.cpp: Added. (JSC): (JSC::appendStringToData): (JSC::joinStrings): (JSC::JSStringJoiner::build): * runtime/JSStringJoiner.h: Added. (JSC): (JSStringJoiner): (JSC::JSStringJoiner::JSStringJoiner): (JSC::JSStringJoiner::append): 2012-04-05 Gavin Barraclough https://bugs.webkit.org/show_bug.cgi?id=77293 [Un]Reserve 'let' Rubber stamped by Oliver Hunt. Revert r106198. This does break the web - e.g. https://bvi.bnc.ca/index/bnc/indexen.html If we're going to reserve let, we're going to have to do so in a more circumspect fashion. * parser/Keywords.table: 2012-04-05 Michael Saboff Rolling out http://trac.webkit.org/changeset/113262. Original code was fine. Rubber-stamped by Oliver Hunt. * assembler/MacroAssembler.h: (JSC::MacroAssembler::additionBlindedConstant): 2012-04-05 Patrick Gansterer [WinCE] Remove unnecessary function decleration https://bugs.webkit.org/show_bug.cgi?id=83155 Reviewed by Kentaro Hara. * runtime/JSDateMath.cpp: 2012-04-04 Patrick Gansterer