<feed xmlns='http://www.w3.org/2005/Atom'>
<title>delta/qt5/qtwebkit.git/Source/JavaScriptCore/runtime, branch old/5.1</title>
<subtitle>code.qt.io: qt/qtwebkit.git</subtitle>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/qt5/qtwebkit.git/'/>
<entry>
<title>JSObject::getOwnNonIndexPropertyNames calculates numCacheableSlots incorrectly (2/2)</title>
<updated>2013-07-01T14:22:37+00:00</updated>
<author>
<name>Mark Hahnenberg</name>
<email>mhahnenberg@apple.com</email>
</author>
<published>2013-07-01T13:46:30+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/qt5/qtwebkit.git/commit/?id=86a59036393fb081f094325518205e6c6067b05e'/>
<id>86a59036393fb081f094325518205e6c6067b05e</id>
<content type='text'>
https://bugs.webkit.org/show_bug.cgi?id=114235

Reviewed by Filip Pizlo.

If the object doesn't have any properties but the prototype does, we'll assume those prototype properties are
accessible in the base object's backing store, which is bad.

Source/JavaScriptCore:

* runtime/JSObject.cpp:
(JSC::JSObject::getPropertyNames):
(JSC::JSObject::getOwnNonIndexPropertyNames):
* runtime/PropertyNameArray.h:
(JSC::PropertyNameArray::PropertyNameArray):
(JSC::PropertyNameArray::setNumCacheableSlotsForObject):
(JSC::PropertyNameArray::setBaseObject):
(PropertyNameArray):

Change-Id: If61b609438fa1d62364bac556af635413198d8ad
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@148142 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte &lt;jocelyn.turcotte@digia.com&gt;
</content>
</entry>
<entry>
<title>JSObject::getOwnNonIndexPropertyNames calculates numCacheableSlots incorrectly</title>
<updated>2013-07-01T14:22:33+00:00</updated>
<author>
<name>Mark Hahnenberg</name>
<email>mhahnenberg@apple.com</email>
</author>
<published>2013-06-19T09:43:53+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/qt5/qtwebkit.git/commit/?id=55e3e0bb1d8b1487df36219869ef5bd302b8640c'/>
<id>55e3e0bb1d8b1487df36219869ef5bd302b8640c</id>
<content type='text'>
https://bugs.webkit.org/show_bug.cgi?id=114235

Reviewed by Geoffrey Garen.

Due to the way that numCacheableSlots is currently calculated, checking an object's prototype for enumerable
properties causes us not to cache any properties at all. We should only cache properties on the object itself
since we currently don't take advantage of any sort of name caching for properties in the prototype chain.
This fix undoes a ~2% SunSpider regression caused by http://trac.webkit.org/changeset/147570.

* runtime/JSObject.cpp:
(JSC::JSObject::getOwnNonIndexPropertyNames):

Change-Id: I5853ab567cd0a8cd20aeac1372ec64fc4f25df1a
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@148036 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte &lt;jocelyn.turcotte@digia.com&gt;
</content>
</entry>
<entry>
<title>get_by_pname can become confused when iterating over objects with static properties</title>
<updated>2013-07-01T14:22:27+00:00</updated>
<author>
<name>Mark Hahnenberg</name>
<email>mhahnenberg@apple.com</email>
</author>
<published>2013-06-19T09:43:08+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/qt5/qtwebkit.git/commit/?id=ad2752807b14cf3602367b56494870a4801ba5da'/>
<id>ad2752807b14cf3602367b56494870a4801ba5da</id>
<content type='text'>
https://bugs.webkit.org/show_bug.cgi?id=113831

Reviewed by Geoffrey Garen.

get_by_pname doesn't take static properties into account when using a JSPropertyNameIterator to directly
access an object's backing store. One way to fix this is to not cache any properties when iterating over
objects with static properties. This patch fixes the bug that was originally reported on swisscom.ch.

Source/JavaScriptCore:

* runtime/JSObject.cpp:
(JSC::JSObject::getOwnNonIndexPropertyNames):
* runtime/JSPropertyNameIterator.cpp:
(JSC::JSPropertyNameIterator::create):
* runtime/PropertyNameArray.h:
(JSC::PropertyNameArray::PropertyNameArray):
(JSC::PropertyNameArray::numCacheableSlots):
(JSC::PropertyNameArray::setNumCacheableSlots):
(PropertyNameArray):

Change-Id: I7ae9c48eea3c5300c4825a10a660b0e2210c8862
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@147570 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte &lt;jocelyn.turcotte@digia.com&gt;
</content>
</entry>
<entry>
<title>MIPS DFG implementation.</title>
<updated>2013-05-23T11:38:58+00:00</updated>
<author>
<name>Balazs Kilvady</name>
<email>kilvadyb@homejinni.com</email>
</author>
<published>2013-02-18T19:25:23+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/qt5/qtwebkit.git/commit/?id=fee41053a81024e15303ebf68e6a9a029374ce92'/>
<id>fee41053a81024e15303ebf68e6a9a029374ce92</id>
<content type='text'>
https://bugs.webkit.org/show_bug.cgi?id=101328

Patch by Balazs Kilvady &lt;kilvadyb@homejinni.com&gt; on 2013-02-18
Reviewed by Oliver Hunt.

DFG implementation for MIPS.

Source/JavaScriptCore:

* assembler/MIPSAssembler.h:
(JSC::MIPSAssembler::MIPSAssembler):
(JSC::MIPSAssembler::sllv):
(JSC::MIPSAssembler::movd):
(MIPSAssembler):
(JSC::MIPSAssembler::negd):
(JSC::MIPSAssembler::labelForWatchpoint):
(JSC::MIPSAssembler::label):
(JSC::MIPSAssembler::vmov):
(JSC::MIPSAssembler::linkDirectJump):
(JSC::MIPSAssembler::maxJumpReplacementSize):
(JSC::MIPSAssembler::revertJumpToMove):
(JSC::MIPSAssembler::replaceWithJump):
* assembler/MacroAssembler.h:
(MacroAssembler):
(JSC::MacroAssembler::poke):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::add32):
(MacroAssemblerMIPS):
(JSC::MacroAssemblerMIPS::and32):
(JSC::MacroAssemblerMIPS::lshift32):
(JSC::MacroAssemblerMIPS::mul32):
(JSC::MacroAssemblerMIPS::or32):
(JSC::MacroAssemblerMIPS::rshift32):
(JSC::MacroAssemblerMIPS::urshift32):
(JSC::MacroAssemblerMIPS::sub32):
(JSC::MacroAssemblerMIPS::xor32):
(JSC::MacroAssemblerMIPS::store32):
(JSC::MacroAssemblerMIPS::jump):
(JSC::MacroAssemblerMIPS::branchAdd32):
(JSC::MacroAssemblerMIPS::branchMul32):
(JSC::MacroAssemblerMIPS::branchSub32):
(JSC::MacroAssemblerMIPS::branchNeg32):
(JSC::MacroAssemblerMIPS::call):
(JSC::MacroAssemblerMIPS::loadDouble):
(JSC::MacroAssemblerMIPS::moveDouble):
(JSC::MacroAssemblerMIPS::swapDouble):
(JSC::MacroAssemblerMIPS::subDouble):
(JSC::MacroAssemblerMIPS::mulDouble):
(JSC::MacroAssemblerMIPS::divDouble):
(JSC::MacroAssemblerMIPS::negateDouble):
(JSC::MacroAssemblerMIPS::branchEqual):
(JSC::MacroAssemblerMIPS::branchNotEqual):
(JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
(JSC::MacroAssemblerMIPS::branchTruncateDoubleToUint32):
(JSC::MacroAssemblerMIPS::truncateDoubleToInt32):
(JSC::MacroAssemblerMIPS::truncateDoubleToUint32):
(JSC::MacroAssemblerMIPS::branchDoubleNonZero):
(JSC::MacroAssemblerMIPS::branchDoubleZeroOrNaN):
(JSC::MacroAssemblerMIPS::invert):
(JSC::MacroAssemblerMIPS::replaceWithJump):
(JSC::MacroAssemblerMIPS::maxJumpReplacementSize):
* dfg/DFGAssemblyHelpers.h:
(AssemblyHelpers):
(JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
(JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
(JSC::DFG::AssemblyHelpers::debugCall):
* dfg/DFGCCallHelpers.h:
(CCallHelpers):
(JSC::DFG::CCallHelpers::setupArguments):
(JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
* dfg/DFGFPRInfo.h:
(DFG):
(FPRInfo):
(JSC::DFG::FPRInfo::toRegister):
(JSC::DFG::FPRInfo::toIndex):
(JSC::DFG::FPRInfo::debugName):
* dfg/DFGGPRInfo.h:
(DFG):
(GPRInfo):
(JSC::DFG::GPRInfo::toRegister):
(JSC::DFG::GPRInfo::toIndex):
(JSC::DFG::GPRInfo::debugName):
* dfg/DFGSpeculativeJIT.h:
(SpeculativeJIT):
* jit/JSInterfaceJIT.h:
(JSInterfaceJIT):
* runtime/JSGlobalData.h:
(JSC::ScratchBuffer::allocationSize):
(ScratchBuffer):

Source/WTF:

* wtf/Platform.h:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@143247 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Conflicts:
	Source/JavaScriptCore/ChangeLog
	Source/JavaScriptCore/assembler/MacroAssemblerMIPS.h
	Source/JavaScriptCore/dfg/DFGAssemblyHelpers.h
	Source/WTF/ChangeLog

Change-Id: Ibc6c2a2b1d5c70d351ede37c6c111b66b4cf7fef
Reviewed-by: Allan Sandfeld Jensen &lt;allan.jensen@digia.com&gt;
Reviewed-by: Jocelyn Turcotte &lt;jocelyn.turcotte@digia.com&gt;
</content>
</entry>
<entry>
<title>Add more assertions to the property storage use in arrays</title>
<updated>2013-04-16T17:58:28+00:00</updated>
<author>
<name>Oliver Hunt</name>
<email>oliver@apple.com</email>
</author>
<published>2013-04-16T09:58:22+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/qt5/qtwebkit.git/commit/?id=9e5eaab34ec9fe2a0e0ba169c939a23bef8df900'/>
<id>9e5eaab34ec9fe2a0e0ba169c939a23bef8df900</id>
<content type='text'>
https://bugs.webkit.org/show_bug.cgi?id=107728

Reviewed by Filip Pizlo.

Add a bunch of assertions to array and object butterfly
usage.  This should make debugging somewhat easier.

I also converted a couple of assertions to release asserts
as they were so low cost it seemed a sensible thing to do.

* runtime/JSArray.cpp:
(JSC::JSArray::sortVector):
(JSC::JSArray::compactForSorting):
* runtime/JSObject.h:
(JSC::JSObject::getHolyIndexQuickly):

Change-Id: Ie6164b837e7671b87c003de3e29fd33ef05f4362
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@141029 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte &lt;jocelyn.turcotte@digia.com&gt;
</content>
</entry>
<entry>
<title>Fix the build with GCC 4.8 https://bugs.webkit.org/show_bug.cgi?id=113147</title>
<updated>2013-04-05T13:25:32+00:00</updated>
<author>
<name>Andras Becsi</name>
<email>andras.becsi@digia.com</email>
</author>
<published>2013-04-04T17:14:29+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/qt5/qtwebkit.git/commit/?id=d6ffb6e0ba2941ff69c9b8eaf6ccf383c5d03063'/>
<id>d6ffb6e0ba2941ff69c9b8eaf6ccf383c5d03063</id>
<content type='text'>
Reviewed by Allan Sandfeld Jensen.

Source/JavaScriptCore:

Initialize JSObject* exception to suppress warnings that make
the build fail because of -Werror=maybe-uninitialized.

* runtime/Executable.cpp:
(JSC::FunctionExecutable::compileForCallInternal):
(JSC::FunctionExecutable::compileForConstructInternal):

Source/WTF:

Disable diagnostic warning -Wunused-local-typedefs for GCC 4.8
since dummy typedefs are commonly used in the codebase.

* wtf/Compiler.h:

Change-Id: I084a47068324c6b9ddd7f4274f7c5a2d10904627
Reviewed-by: Allan Sandfeld Jensen &lt;allan.jensen@digia.com&gt;
Reviewed-by: Jocelyn Turcotte &lt;jocelyn.turcotte@digia.com&gt;
</content>
</entry>
<entry>
<title>r134080 causes heap problem on linux systems where PAGESIZE != 4096</title>
<updated>2013-04-04T12:56:09+00:00</updated>
<author>
<name>Balazs Kilvady</name>
<email>kilvadyb@homejinni.com</email>
</author>
<published>2013-04-04T11:51:09+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/qt5/qtwebkit.git/commit/?id=6ab46a19bac261f42b664c62f8c2477b294b86ea'/>
<id>6ab46a19bac261f42b664c62f8c2477b294b86ea</id>
<content type='text'>
https://bugs.webkit.org/show_bug.cgi?id=102828

Patch by Balazs Kilvady &lt;kilvadyb@homejinni.com&gt; on 2013-01-18
Reviewed by Mark Hahnenberg.

Make MarkStackSegment::blockSize as the capacity of segments of a MarkStackArray.

* JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
* heap/MarkStack.cpp:
(JSC):
(JSC::MarkStackArray::MarkStackArray):
(JSC::MarkStackArray::expand):
(JSC::MarkStackArray::donateSomeCellsTo):
(JSC::MarkStackArray::stealSomeCellsFrom):
* heap/MarkStack.h:
(JSC::MarkStackSegment::data):
(CapacityFromSize):
(MarkStackArray):
* heap/MarkStackInlines.h:
(JSC::MarkStackArray::setTopForFullSegment):
(JSC::MarkStackArray::append):
(JSC::MarkStackArray::isEmpty):
(JSC::MarkStackArray::size):
* runtime/Options.h:
(JSC):

Change-Id: I4663100b6b8b054bed03c0c6eb01bb9274a1b264
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@140195 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte &lt;jocelyn.turcotte@digia.com&gt;
</content>
</entry>
<entry>
<title>If array allocation profiling causes a new_array to allocate double arrays, then the holes should end up being correctly initialized</title>
<updated>2013-04-04T12:32:39+00:00</updated>
<author>
<name>Filip Pizlo</name>
<email>fpizlo@apple.com</email>
</author>
<published>2013-04-04T10:19:52+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/qt5/qtwebkit.git/commit/?id=23bde0cf8565bb36b9df638de874ad04607e84d3'/>
<id>23bde0cf8565bb36b9df638de874ad04607e84d3</id>
<content type='text'>
https://bugs.webkit.org/show_bug.cgi?id=106363

Reviewed by Mark Hahnenberg.

Source/JavaScriptCore:

* runtime/JSArray.h:
(JSC::JSArray::tryCreateUninitialized):

LayoutTests:

* fast/js/jsc-test-list:
* fast/js/new-array-double-with-holes-expected.txt: Added.
* fast/js/new-array-double-with-holes.html: Added.
* fast/js/script-tests/new-array-double-with-holes.js: Added.
(foo):

Change-Id: Iad48b7dd0e71bcbe8557fd6f19487fcd9eeed585
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@139094 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte &lt;jocelyn.turcotte@digia.com&gt;
</content>
</entry>
<entry>
<title>Don't assert that flags &lt;= 0x3ff in JSTypeInfo</title>
<updated>2013-03-26T16:49:41+00:00</updated>
<author>
<name>Filip Pizlo</name>
<email>fpizlo@apple.com</email>
</author>
<published>2013-03-21T17:15:00+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/qt5/qtwebkit.git/commit/?id=da77818d99e1312e20f6d19835ce356bbb509579'/>
<id>da77818d99e1312e20f6d19835ce356bbb509579</id>
<content type='text'>
https://bugs.webkit.org/show_bug.cgi?id=104988

Reviewed by Sam Weinig.

This assertion doesn't accomplish anything other than crashes.

* runtime/JSTypeInfo.h:
(JSC::TypeInfo::TypeInfo):

Change-Id: I16848f37dd75c3de061e737097f0a09a01e31626
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@137705 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte &lt;jocelyn.turcotte@digia.com&gt;
</content>
</entry>
<entry>
<title>Named lookups on HTML documents produce inconsistent results in JavaScriptCore bindings</title>
<updated>2013-03-26T16:49:37+00:00</updated>
<author>
<name>Filip Pizlo</name>
<email>fpizlo@apple.com</email>
</author>
<published>2013-03-21T17:13:57+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/qt5/qtwebkit.git/commit/?id=1f8a9f66cf95c3ea5a8819c87157ac00d4b1ef0c'/>
<id>1f8a9f66cf95c3ea5a8819c87157ac00d4b1ef0c</id>
<content type='text'>
https://bugs.webkit.org/show_bug.cgi?id=104623

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

Add the notion of objects that HasImpureGetOwnPropertySlot, and use that to inhibit prototype chain caching
in some cases. This appears to be perf-neutral on benchmarks that we track.

* dfg/DFGRepatch.cpp:
(JSC::DFG::tryCacheGetByID):
(JSC::DFG::tryBuildGetByIDProtoList):
* jit/JITStubs.cpp:
(JSC::JITThunks::tryCacheGetByID):
(JSC::DEFINE_STUB_FUNCTION):
* runtime/JSTypeInfo.h:
(JSC):
(JSC::TypeInfo::hasImpureGetOwnPropertySlot):
* runtime/Operations.h:
(JSC::normalizePrototypeChainForChainAccess):

Source/WebCore:

All DOM objects that have named getters or directly override getOwnPropertySlot are now marked as
HasImpureGetOwnPropertySlot.

Tests: fast/js/prototype-chain-caching-with-impure-get-own-property-slot-traps
        fast/js/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps

* bindings/scripts/CodeGeneratorJS.pm:
(GenerateHeader):

LayoutTests:

* fast/js/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps-expected.txt: Added.
* fast/js/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps.html: Added.
* fast/js/prototype-chain-caching-with-impure-get-own-property-slot-traps-expected.txt: Added.
* fast/js/prototype-chain-caching-with-impure-get-own-property-slot-traps.html: Added.
* fast/js/script-tests/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps.js: Added.
(f):
* fast/js/script-tests/prototype-chain-caching-with-impure-get-own-property-slot-traps.js: Added.
(f):

Change-Id: Ie17e39f2b8139778455e28aca9428698f4dd362f
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@137700 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte &lt;jocelyn.turcotte@digia.com&gt;
</content>
</entry>
</feed>
