Clarify SyntaxErrors around yield and unskip tests
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog-2014-02-20
2014-02-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        CopiedBlock::pin can call into fastFree while forbidden
        https://bugs.webkit.org/show_bug.cgi?id=128654

        Reviewed by Oliver Hunt.

        A FullCollection that skips copying doesn't clear the CopyWorkList of all the surviving
        CopiedBlocks because we currently only call didSurviveGC() at the beginning of FullCollections.

        EdenCollections always do copying, therefore they always clear all CopyWorkLists.

        The fix is to call didSurviveGC() for all surviving CopiedBlocks at the end of FullCollections
        as well as at the beginning.

        * heap/CopiedBlock.h:
        (JSC::CopiedBlock::didSurviveGC):
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::doneCopying):

2014-02-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add a JSC option to disable EdenCollections
        https://bugs.webkit.org/show_bug.cgi?id=128849

        Reviewed by Mark Lam.

        This will help quickly identify whether or not GenGC is responsible for a
        particular crash by prematurely collecting a live object.

        * heap/Heap.cpp:
        (JSC::Heap::collect):
        (JSC::Heap::shouldDoFullCollection):
        * heap/Heap.h:
        * runtime/Options.h:

2014-02-20  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r164417): ASSERTION FAILED: isBranch() in X86 32 bit build
        https://bugs.webkit.org/show_bug.cgi?id=129118

        Reviewed by Filip Pizlo.

        Changed 32 bit version of SpeculativeJIT::compile handling of Jump nodes to match
        what is in the 64 bit build.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2014-02-20  Zan Dobersek  <zdobersek@igalia.com>

        [Automake] Collect the JavaScript files required for JSC builtins through a wildcard
        https://bugs.webkit.org/show_bug.cgi?id=129115

        Reviewed by Oliver Hunt.

        * GNUmakefile.list.am: Simplify adding new JavaScriptCore builtins by using a wildcard
        to gather all the JavaScript files instead of listing each file explicitly.

2014-02-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Replace uses of deprecated POSIX index() with strchr() in ObjcRuntimeExtras.h
        https://bugs.webkit.org/show_bug.cgi?id=128610

        Reviewed by Anders Carlsson.

        index() is deprecated in favor of strchr() so we should use the latter.

        * API/JSWrapperMap.mm:
        (selectorToPropertyName):
        * API/ObjcRuntimeExtras.h:
        (parseObjCType):

2014-02-19  Filip Pizlo  <fpizlo@apple.com>

        FTL should not emit stack overflow checks in leaf functions
        https://bugs.webkit.org/show_bug.cgi?id=129085

        Reviewed by Michael Saboff.

        Minuscule (0.5%) speed-up on V8v7.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::didOverflowStack):

2014-02-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Dynamically generated JSExport protocols added to a class results in a crash
        https://bugs.webkit.org/show_bug.cgi?id=129108

        Reviewed by Oliver Hunt.

        We're not getting any information from the runtime about the types of the methods on
        these protocols because they didn't exist at compile time. We should handle this gracefully.

        * API/ObjCCallbackFunction.mm:
        (objCCallbackFunctionForInvocation):
        * API/tests/JSExportTests.mm:
        (+[JSExportTests exportDynamicallyGeneratedProtocolTest]):
        (runJSExportTests):

2014-02-20  Gabor Rapcsanyi  <rgabor@webkit.org>

        ASSERTION FAILED: isUInt16() on ARMv7 after r113253.
        https://bugs.webkit.org/show_bug.cgi?id=129101

        Reviewed by Michael Saboff.

        If the immediate value type is encoded then we shouldn't reach this assert.
        Check the immediate type to avoid assertion in alignment check.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::add):

2014-02-20  Csaba Osztrogonác  <ossy@webkit.org>

        Get rid of redundant Platform.h includes
        https://bugs.webkit.org/show_bug.cgi?id=128817

        Reviewed by Brent Fulgham.

        * API/tests/JSNode.c:
        * API/tests/JSNodeList.c:
        * API/tests/minidom.c:
        * API/tests/testapi.c:
        * assembler/MacroAssembler.h:
        * bytecode/ByValInfo.h:
        * bytecode/CallLinkInfo.h:
        * bytecode/CallReturnOffsetToBytecodeOffset.h:
        * bytecode/CodeType.h:
        * bytecode/HandlerInfo.h:
        * bytecode/MethodOfGettingAValueProfile.h:
        * bytecode/PolymorphicAccessStructureList.h:
        * bytecode/PolymorphicPutByIdList.h:
        * bytecode/StructureStubClearingWatchpoint.h:
        * bytecode/StructureStubInfo.h:
        * bytecode/ValueRecovery.h:
        * bytecode/VirtualRegister.h:
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        * dfg/DFGAbstractValue.h:
        * dfg/DFGAdjacencyList.h:
        * dfg/DFGAllocator.h:
        * dfg/DFGAnalysis.h:
        * dfg/DFGArgumentsSimplificationPhase.h:
        * dfg/DFGArrayMode.h:
        * dfg/DFGArrayifySlowPathGenerator.h:
        * dfg/DFGAtTailAbstractState.h:
        * dfg/DFGBackwardsPropagationPhase.h:
        * dfg/DFGBinarySwitch.h:
        * dfg/DFGBlockInsertionSet.h:
        * dfg/DFGBranchDirection.h:
        * dfg/DFGCFAPhase.h:
        * dfg/DFGCFGSimplificationPhase.h:
        * dfg/DFGCPSRethreadingPhase.h:
        * dfg/DFGCSEPhase.h:
        * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
        * dfg/DFGCapabilities.h:
        * dfg/DFGClobberSet.h:
        * dfg/DFGClobberize.h:
        * dfg/DFGCommon.h:
        * dfg/DFGCommonData.h:
        * dfg/DFGConstantFoldingPhase.h:
        * dfg/DFGCriticalEdgeBreakingPhase.h:
        * dfg/DFGDCEPhase.h:
        * dfg/DFGDesiredIdentifiers.h:
        * dfg/DFGDesiredStructureChains.h:
        * dfg/DFGDesiredWatchpoints.h:
        * dfg/DFGDisassembler.h:
        * dfg/DFGDominators.h:
        * dfg/DFGDriver.h:
        * dfg/DFGEdge.h:
        * dfg/DFGEdgeDominates.h:
        * dfg/DFGEdgeUsesStructure.h:
        * dfg/DFGFailedFinalizer.h:
        * dfg/DFGFiltrationResult.h:
        * dfg/DFGFinalizer.h:
        * dfg/DFGFixupPhase.h:
        * dfg/DFGFlushFormat.h:
        * dfg/DFGFlushLivenessAnalysisPhase.h:
        * dfg/DFGFlushedAt.h:
        * dfg/DFGGraph.h:
        * dfg/DFGInPlaceAbstractState.h:
        * dfg/DFGInsertionSet.h:
        * dfg/DFGInvalidationPointInjectionPhase.h:
        * dfg/DFGJITCode.h:
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGLICMPhase.h:
        * dfg/DFGLazyJSValue.h:
        * dfg/DFGLivenessAnalysisPhase.h:
        * dfg/DFGLongLivedState.h:
        * dfg/DFGLoopPreHeaderCreationPhase.h:
        * dfg/DFGMinifiedGraph.h:
        * dfg/DFGMinifiedID.h:
        * dfg/DFGMinifiedNode.h:
        * dfg/DFGNaturalLoops.h:
        * dfg/DFGNode.h:
        * dfg/DFGNodeAllocator.h:
        * dfg/DFGNodeFlags.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.h:
        * dfg/DFGOSREntrypointCreationPhase.h:
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitBase.h:
        * dfg/DFGOSRExitCompilationInfo.h:
        * dfg/DFGOSRExitCompiler.h:
        * dfg/DFGOSRExitCompilerCommon.h:
        * dfg/DFGOSRExitJumpPlaceholder.h:
        * dfg/DFGPhase.h:
        * dfg/DFGPlan.h:
        * dfg/DFGPredictionInjectionPhase.h:
        * dfg/DFGPredictionPropagationPhase.h:
        * dfg/DFGResurrectionForValidationPhase.h:
        * dfg/DFGSSAConversionPhase.h:
        * dfg/DFGSafeToExecute.h:
        * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
        * dfg/DFGSilentRegisterSavePlan.h:
        * dfg/DFGSlowPathGenerator.h:
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGStackLayoutPhase.h:
        * dfg/DFGStructureAbstractValue.h:
        * dfg/DFGThunks.h:
        * dfg/DFGTierUpCheckInjectionPhase.h:
        * dfg/DFGToFTLDeferredCompilationCallback.h:
        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h:
        * dfg/DFGTypeCheckHoistingPhase.h:
        * dfg/DFGUnificationPhase.h:
        * dfg/DFGUseKind.h:
        * dfg/DFGValidate.h:
        * dfg/DFGValueRecoveryOverride.h:
        * dfg/DFGValueSource.h:
        * dfg/DFGVariableAccessData.h:
        * dfg/DFGVariableAccessDataDump.h:
        * dfg/DFGVariableEvent.h:
        * dfg/DFGVariableEventStream.h:
        * dfg/DFGVirtualRegisterAllocationPhase.h:
        * dfg/DFGWatchpointCollectionPhase.h:
        * dfg/DFGWorklist.h:
        * disassembler/Disassembler.h:
        * ftl/FTLAbbreviatedTypes.h:
        * ftl/FTLAbbreviations.h:
        * ftl/FTLAbstractHeap.h:
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.h:
        * ftl/FTLCommonValues.h:
        * ftl/FTLCompile.h:
        * ftl/FTLExitArgument.h:
        * ftl/FTLExitArgumentForOperand.h:
        * ftl/FTLExitArgumentList.h:
        * ftl/FTLExitThunkGenerator.h:
        * ftl/FTLExitValue.h:
        * ftl/FTLFail.h:
        * ftl/FTLForOSREntryJITCode.h:
        * ftl/FTLFormattedValue.h:
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLJITCode.h:
        * ftl/FTLJITFinalizer.h:
        * ftl/FTLLink.h:
        * ftl/FTLLocation.h:
        * ftl/FTLLowerDFGToLLVM.h:
        * ftl/FTLLoweredNodeValue.h:
        * ftl/FTLOSREntry.h:
        * ftl/FTLOSRExit.h:
        * ftl/FTLOSRExitCompilationInfo.h:
        * ftl/FTLOSRExitCompiler.h:
        * ftl/FTLOutput.h:
        * ftl/FTLSaveRestore.h:
        * ftl/FTLStackMaps.h:
        * ftl/FTLState.h:
        * ftl/FTLSwitchCase.h:
        * ftl/FTLThunks.h:
        * ftl/FTLTypedPointer.h:
        * ftl/FTLValueFormat.h:
        * ftl/FTLValueFromBlock.h:
        * heap/JITStubRoutineSet.h:
        * interpreter/AbstractPC.h:
        * jit/AssemblyHelpers.h:
        * jit/CCallHelpers.h:
        * jit/ClosureCallStubRoutine.h:
        * jit/GCAwareJITStubRoutine.h:
        * jit/HostCallReturnValue.h:
        * jit/JITDisassembler.h:
        * jit/JITStubRoutine.h:
        * jit/JITThunks.h:
        * jit/JITToDFGDeferredCompilationCallback.h:
        * jit/RegisterSet.h:
        * jit/Repatch.h:
        * jit/ScratchRegisterAllocator.h:
        * jit/TempRegisterSet.h:
        * jit/ThunkGenerator.h:
        * llint/LLIntData.h:
        * llint/LLIntEntrypoint.h:
        * llint/LLIntExceptions.h:
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntOpcode.h:
        * llint/LLIntSlowPaths.h:
        * llint/LLIntThunks.h:
        * llint/LowLevelInterpreter.h:
        * llvm/InitializeLLVM.h:
        * llvm/InitializeLLVMPOSIX.h:
        * llvm/LLVMAPI.h:
        * os-win32/inttypes.h:
        * runtime/ArrayStorage.h:
        * runtime/Butterfly.h:
        * runtime/CommonSlowPaths.h:
        * runtime/CommonSlowPathsExceptions.h:
        * runtime/IndexingHeader.h:
        * runtime/JSExportMacros.h:
        * runtime/PropertyOffset.h:
        * runtime/SparseArrayValueMap.h:

2014-02-19  Filip Pizlo  <fpizlo@apple.com>

        DFG should have a way of carrying and preserving conditional branch weights
        https://bugs.webkit.org/show_bug.cgi?id=129083

        Reviewed by Michael Saboff.

        Branch and Switch now have branch counts/weights for each target. This is encapsulated
        behind DFG::BranchTarget. We carry this data all the way to the FTL, and the DFG
        backend ignores it.

        We don't set this data yet; that's for https://bugs.webkit.org/show_bug.cgi?id=129055.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::branchData):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::linkBlock):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGNode.cpp:
        (JSC::DFG::BranchTarget::dump):
        * dfg/DFGNode.h:
        (JSC::DFG::BranchTarget::BranchTarget):
        (JSC::DFG::BranchTarget::setBytecodeIndex):
        (JSC::DFG::BranchTarget::bytecodeIndex):
        (JSC::DFG::BranchData::withBytecodeIndices):
        (JSC::DFG::BranchData::takenBytecodeIndex):
        (JSC::DFG::BranchData::notTakenBytecodeIndex):
        (JSC::DFG::BranchData::forCondition):
        (JSC::DFG::SwitchCase::SwitchCase):
        (JSC::DFG::SwitchCase::withBytecodeIndex):
        (JSC::DFG::SwitchData::SwitchData):
        (JSC::DFG::Node::targetBytecodeOffsetDuringParsing):
        (JSC::DFG::Node::targetBlock):
        (JSC::DFG::Node::branchData):
        (JSC::DFG::Node::successor):
        (JSC::DFG::Node::successorForCondition):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBooleanBranch):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleInt32Branch):
        (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
        (JSC::DFG::SpeculativeJIT::compileRegExpExec):
        (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
        (JSC::DFG::SpeculativeJIT::emitSwitchImm):
        (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
        (JSC::DFG::SpeculativeJIT::emitSwitchChar):
        (JSC::DFG::SpeculativeJIT::emitBinarySwitchStringRecurse):
        (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
        (JSC::DFG::SpeculativeJIT::emitSwitchString):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleInt52Branch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileJump):
        (JSC::FTL::LowerDFGToLLVM::compileBranch):
        (JSC::FTL::LowerDFGToLLVM::compileSwitch):
        (JSC::FTL::LowerDFGToLLVM::buildSwitch):

2014-02-19  ChangSeok Oh  <changseok.oh@collabora.com>

        Unreviewed build fix after r164396

        * GNUmakefile.list.am: Added Promises.prototype.js properly

2014-02-19  Geoffrey Garen  <ggaren@apple.com>

        Crash after -[JSContext evaluateScript:] when initializing JSContext with JSVirtualMachine
        https://bugs.webkit.org/show_bug.cgi?id=129070

        Reviewed by Mark Hahnenberg.

        Clear our exception explicitly before throwing away the VM because our
        exception references VM memory.

        * API/JSContext.mm:
        (-[JSContext dealloc]):
        * API/tests/testapi.mm:
        (testObjectiveCAPI):

2014-02-19  Brent Fulgham  <bfulgham@apple.com>

        Unreviewed build fix after r164391

        * runtime/Arguments.h: Make SlowArgumentData public so template libraries can
        access its methods.

2014-02-19  Mark Lam  <mark.lam@apple.com>

        Need to align sp before calling operationLoadVarargs on 32-bit platforms.
        <https://webkit.org/b/129056>

        Reviewed by Michael Saboff.

        In JIT::compileLoadVarargs(), we'll call operationSizeFrameForVarargs()
        to compute the amount of stack space we need for the varargs, adjust the
        stack pointer to make room for those varargs, and then call
        operationLoadVarargs() to fill in the varargs. Currently, the stack
        pointer adjustment takes care of allocating space for the varargs, but
        does not align the stack pointer for the call to operationLoadVarargs().
        The fix is to align the stack pointer there.

        Note: The stack pointer adjustment is based on the new CallFrame pointer
        value returned by operationSizeFrameForVarargs(). On 64-bit platforms,
        both the stack pointer and call frame pointer are similarly aligned
        (i.e. low nibbles are 0). Hence, no additional adjustment is needed.
        Only the 32-bit code needs the fix.

        Note: The LLINT also works this way, i.e. it aligns the stack pointer before
        calling llint_slow_path_call_varargs().

        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):

2014-02-19  Sam Weinig  <sam@webkit.org>

        [JS] Convert Promise.prototype.catch to be a built-in
        https://bugs.webkit.org/show_bug.cgi?id=129052

        Reviewed by Geoffrey Garen.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/Promise.prototype.js: Added.
        (catch): Add JS based implementation of Promise.prototype.catch.

        * runtime/JSPromisePrototype.cpp:
        Remove the C++ implementation of Promise.prototype.catch.

2014-02-19  Filip Pizlo  <fpizlo@apple.com>

        FTL should allow LLVM to allocate data sections with alignment > 8
        https://bugs.webkit.org/show_bug.cgi?id=129066

        Reviewed by Geoffrey Garen.

        We were previously using the native allocator's alignment guarantees (which we presumed
        to be 8 bytes), and further hinting our desires by using the LSectionWord type (which
        was 8 bytes). This breaks now that LLVM will sometimes ask for 16 byte alignment on
        some sections.

        This changes our data section allocation strategy to use the new FTL::DataSection,
        which can handle arbitrary 2^k alignment.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        (JSC::FTL::dumpDataSection):
        (JSC::FTL::compile):
        * ftl/FTLDataSection.cpp: Added.
        (JSC::FTL::DataSection::DataSection):
        (JSC::FTL::DataSection::~DataSection):
        * ftl/FTLDataSection.h: Added.
        (JSC::FTL::DataSection::base):
        (JSC::FTL::DataSection::size):
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::addDataSection):
        * ftl/FTLJITCode.h:
        (JSC::FTL::JITCode::dataSections):
        * ftl/FTLState.h:

2014-02-19  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix comment.

        * ftl/FTLWeight.h:
        (JSC::FTL::Weight::scaleToTotal):

2014-02-19  Anders Carlsson  <andersca@apple.com>

        Add WTF_MAKE_FAST_ALLOCATED to more classes
        https://bugs.webkit.org/show_bug.cgi?id=129064

        Reviewed by Andreas Kling.

        * dfg/DFGSpeculativeJIT.h:
        * heap/CopyWorkList.h:
        * heap/Region.h:
        * runtime/Arguments.h:
        * runtime/SymbolTable.h:
        * runtime/WriteBarrier.h:

2014-02-19  Michael Saboff  <msaboff@apple.com>

        Unreviewed build fix after r164374

        * llint/LLIntOfflineAsmConfig.h: Added #define OFFLINE_ASM_X86_WIN 0
        for ENABLE(LLINT_C_LOOP).

2014-02-19  Filip Pizlo  <fpizlo@apple.com>

        FTL should be able to convey branch weights to LLVM
        https://bugs.webkit.org/show_bug.cgi?id=129054

        Reviewed by Michael Saboff.

        This introduces a really nice way to convey branch weights to LLVM. The basic class
        is Weight, which just wraps a float; NaN is used when you are not sure. You can
        pass this alongside a LBasicBlock to branching instructions like condbr and switch.
        But for simplicity, you can just pass a WeightedTarget, which is a tuple of the
        two. And for even greater simplicity, you can create WeightedTargets from
        LBasicBlocks by doing:

            usually(b)   => WeightedTarget(b, Weight(1))
            rarely(b)    => WeightedTarget(b, Weight(0))
            unsure(b)    => WeightedTarget(b, Weight()) or WeightedTarget(b, Weight(NaN))

        This allows for constructs like:

            m_out.branch(isCell(value), usually(isCellCase), rarely(slowCase));

        This was intended to be perf-neutral for now, but it did end up creating a ~1%
        speed-up on V8v7 and Octane2.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * ftl/FTLAbbreviations.h:
        (JSC::FTL::mdNode):
        * ftl/FTLCommonValues.cpp:
        (JSC::FTL::CommonValues::CommonValues):
        * ftl/FTLCommonValues.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
        (JSC::FTL::LowerDFGToLLVM::compileStoreBarrierWithNullCheck):
        (JSC::FTL::LowerDFGToLLVM::compileToThis):
        (JSC::FTL::LowerDFGToLLVM::compileArithMul):
        (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
        (JSC::FTL::LowerDFGToLLVM::compileArithMod):
        (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
        (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
        (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
        (JSC::FTL::LowerDFGToLLVM::compileGetById):
        (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::compileGetTypedArrayByteOffset):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
        (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
        (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
        (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
        (JSC::FTL::LowerDFGToLLVM::compileToString):
        (JSC::FTL::LowerDFGToLLVM::compileToPrimitive):
        (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
        (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt):
        (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
        (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
        (JSC::FTL::LowerDFGToLLVM::compileBranch):
        (JSC::FTL::LowerDFGToLLVM::compileSwitch):
        (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
        (JSC::FTL::LowerDFGToLLVM::nonSpeculativeCompare):
        (JSC::FTL::LowerDFGToLLVM::allocateCell):
        (JSC::FTL::LowerDFGToLLVM::allocateBasicStorageAndGetEnd):
        (JSC::FTL::LowerDFGToLLVM::boolify):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::contiguousPutByValOutOfBounds):
        (JSC::FTL::LowerDFGToLLVM::buildSwitch):
        (JSC::FTL::LowerDFGToLLVM::doubleToInt32):
        (JSC::FTL::LowerDFGToLLVM::sensibleDoubleToInt32):
        (JSC::FTL::LowerDFGToLLVM::lowDouble):
        (JSC::FTL::LowerDFGToLLVM::strictInt52ToJSValue):
        (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
        (JSC::FTL::LowerDFGToLLVM::speculateStringOrStringObject):
        (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
        (JSC::FTL::LowerDFGToLLVM::callCheck):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        * ftl/FTLOutput.cpp:
        (JSC::FTL::Output::initialize):
        (JSC::FTL::Output::appendTo):
        (JSC::FTL::Output::newBlock):
        (JSC::FTL::Output::sensibleDoubleToInt):
        (JSC::FTL::Output::load):
        (JSC::FTL::Output::store):
        (JSC::FTL::Output::baseIndex):
        (JSC::FTL::Output::branch):
        (JSC::FTL::Output::crashNonTerminal):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::branch):
        (JSC::FTL::Output::switchInstruction):
        * ftl/FTLSwitchCase.h:
        (JSC::FTL::SwitchCase::SwitchCase):
        (JSC::FTL::SwitchCase::weight):
        * ftl/FTLWeight.h: Added.
        (JSC::FTL::Weight::Weight):
        (JSC::FTL::Weight::isSet):
        (JSC::FTL::Weight::operator!):
        (JSC::FTL::Weight::value):
        (JSC::FTL::Weight::scaleToTotal):
        * ftl/FTLWeightedTarget.h: Added.
        (JSC::FTL::WeightedTarget::WeightedTarget):
        (JSC::FTL::WeightedTarget::target):
        (JSC::FTL::WeightedTarget::weight):
        (JSC::FTL::usually):
        (JSC::FTL::rarely):
        (JSC::FTL::unsure):

2014-02-19  peavo@outlook.com  <peavo@outlook.com>

        [Win][LLINT] Incorrect stack alignment.
        https://bugs.webkit.org/show_bug.cgi?id=129045

        Reviewed by Michael Saboff.

        LLINT expects the stack to be 16 byte aligned, but with MSVC it is not.
        To align the stack, a new backend, X86_WIN, is created.

        * llint/LLIntOfflineAsmConfig.h: Use X86_WIN backend on Windows.
        * llint/LowLevelInterpreter.asm: Align stack to 16 byte boundaries. Otherwise, use the same implementation for X86_WIN as for X86.
        * llint/LowLevelInterpreter32_64.asm: Adjust stack offset to retrieve function parameters now that the stack is aligned.
        * offlineasm/backends.rb: Added X86_WIN backend.
        * offlineasm/x86.rb: Fix crash caused by incorrect assembly code for double types.

2014-02-19  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        ASSERTION FAILED: (year >= 1970 && yearday >= 0) || (year < 1970 && yearday < 0) in WTF::dateToDaysFrom1970
        https://bugs.webkit.org/show_bug.cgi?id=128740

        Very large numbers could cause an overflow which resulted in the assertion failing in WTF::dateToDaysFrom1970.
        DateConstructor will now check if the number fits into an Int32 before casting.

        Reviewed by Geoffrey Garen.

        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        (JSC::dateUTC):

2014-02-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        Dedicated worker crash caused by global DFG worklists + GC
        https://bugs.webkit.org/show_bug.cgi?id=128537

        Reviewed by Filip Pizlo.

        The process-global DFG worklists were causing objects to participate in the garbage collections of VMs
        other than the one they were allocated in. This started manifesting in the worker tests because they're
        one of the few WebKit tests that do multithreaded JS.

        The fix is to filter out Plans from other VMs during collection.

        * dfg/DFGSafepoint.cpp:
        (JSC::DFG::Safepoint::vm):
        * dfg/DFGSafepoint.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::isActiveForVM):
        (JSC::DFG::Worklist::suspendAllThreads):
        (JSC::DFG::Worklist::resumeAllThreads):
        (JSC::DFG::Worklist::visitChildren):
        * dfg/DFGWorklist.h:
        * heap/Heap.cpp:
        (JSC::Heap::deleteAllCompiledCode):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::copyLater):

2014-02-19  Brady Eidson  <beidson@apple.com>

        Add FeatureDefines for image controls
        https://bugs.webkit.org/show_bug.cgi?id=129022

        Reviewed by Jer Noble.

        * Configurations/FeatureDefines.xcconfig:

2014-02-19  Dan Bernstein  <mitz@apple.com>

        Simplify PLATFORM(MAC) && !PLATFORM(IOS) and similar expressions
        https://bugs.webkit.org/show_bug.cgi?id=129029

        Reviewed by Mark Rowe.

        * API/JSValueRef.cpp:
        (JSValueUnprotect):
        * jit/ExecutableAllocatorFixedVMPool.cpp:

2014-02-18  Filip Pizlo  <fpizlo@apple.com>

        Correctly install libllvmForJSC.dylib in production builds
        https://bugs.webkit.org/show_bug.cgi?id=129023

        Reviewed by Mark Rowe.

        In non-production builds, we copy it as before. In production builds, we use the install
        path.

        Also roll http://trac.webkit.org/changeset/164348 back in.

        * Configurations/Base.xcconfig:
        * Configurations/LLVMForJSC.xcconfig:
        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-02-18  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/164348 because it broke some
        builds.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-02-18  Filip Pizlo  <fpizlo@apple.com>

        Don't call LLVMInitializeNativeTarget() because it can be all messed up if you cross-compile LLVM
        https://bugs.webkit.org/show_bug.cgi?id=129020

        Reviewed by Dan Bernstein.

        LLVMInitializeNativeTarget() is this super special inline function in llvm-c/Target.h that
        depends on some #define's that come from some really weird magic in autoconf/configure.ac.
        That magic fails miserably for cross-compiles. So, we need to manually initialize the things
        that InitializeNativeTarget initializes.

        * llvm/library/LLVMExports.cpp:
        (initializeAndGetJSCLLVMAPI):

2014-02-18  Filip Pizlo  <fpizlo@apple.com>

        The shell scripts in the Xcode build system should tell you when they failed
        https://bugs.webkit.org/show_bug.cgi?id=129018

        Reviewed by Mark Rowe.

        * JavaScriptCore.xcodeproj/project.pbxproj:

755 2014-02-17  Gavin Barraclough  <barraclough@apple.com>
756
757         Add fast mapping from StringImpl to JSString
758         https://bugs.webkit.org/show_bug.cgi?id=128625
759
760         Reviewed by Geoff Garen & Andreas Kling.
761
762         * runtime/JSString.cpp:
763         (JSC::JSString::WeakOwner::finalize):
764             - once the JSString weakly owned by a StringImpl becomes unreachable, remove the WeakImpl.
765         * runtime/JSString.h:
766         (JSC::jsStringWithWeakOwner):
767             - creates a JSString wrapping a StringImpl, and weakly caches the JSString on the StringImpl.
768         * runtime/VM.cpp:
769         (JSC::VM::VM):
770             - initialize jsStringWeakOwner.
771         (JSC::VM::createLeakedForMainThread):
772             - initialize jsStringWeakOwner - the main thread gets to use the weak pointer
773               on StringImpl to cache a JSString wrapper.
774         * runtime/VM.h:
775             - renamed createLeaked -> createLeakedForMainThread to make it clear this
776               should only be used to create the main thread VM.
777
778 2014-02-18  Oliver Hunt  <oliver@apple.com>
779
780         Prevent builtin js named with C++ reserved words from breaking the build
781         https://bugs.webkit.org/show_bug.cgi?id=129017
782
783         Reviewed by Sam Weinig.
784
785         Simple change to a couple of macros to make sure we don't create functions
786         named using reserved words.
787
788         * builtins/BuiltinExecutables.cpp:
789         * builtins/BuiltinNames.h:
790
791 2014-02-18  Filip Pizlo  <fpizlo@apple.com>
792
793         FTL should build on ARM64
794         https://bugs.webkit.org/show_bug.cgi?id=129010
795
796         Reviewed by Sam Weinig.
797         
798         * disassembler/X86Disassembler.cpp: Just because we have the LLVM disassembler doesn't mean we're on X86.
799         * ftl/FTLLocation.cpp: DWARF parsing for ARM64 is super easy.
800         (JSC::FTL::Location::isGPR):
801         (JSC::FTL::Location::gpr):
802         (JSC::FTL::Location::isFPR):
803         (JSC::FTL::Location::fpr):
804         (JSC::FTL::Location::restoreInto): This function wasn't even X86-specific to begin with so move it out of the #if stuff.
805         * ftl/FTLUnwindInfo.cpp: They're called q not d.
806         (JSC::FTL::UnwindInfo::parse):
807         * jit/GPRInfo.h:
808         (JSC::GPRInfo::toArgumentRegister): Add this method; we already had it on X86.
809
810 2014-02-18  Filip Pizlo  <fpizlo@apple.com>
811
812         FTL unwind parsing should handle ARM64
813         https://bugs.webkit.org/show_bug.cgi?id=128984
814
815         Reviewed by Oliver Hunt.
816         
817         This makes unwind parsing handle ARM64 and it makes all clients of unwind info capable of
818         dealing with that architecture.
819         
820         The big difference is that ARM64 has callee-save double registers. This is conceptually easy
821         to handle, but our code for dealing with callee-saves spoke of "GPRReg". We've been in this
822         situation before: code that needs to deal with either a GPRReg or a FPRReg. In the past we'd
823         hacked around the problem, but this time I decided to do a full frontal assault. This patch
824         adds a Reg class, which is a box for either GPRReg or FPRReg along with tools for iterating
825         over all possible registers. Then, I threaded this through SaveRestore, RegisterSet,
826         RegisterAtOffset, and UnwindInfo. With the help of Reg, it was easy to refactor the code to
827         handle FPRs in addition to GPRs.
828
829         * CMakeLists.txt:
830         * GNUmakefile.list.am:
831         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
832         * JavaScriptCore.xcodeproj/project.pbxproj:
833         * ftl/FTLOSRExitCompiler.cpp:
834         (JSC::FTL::compileStub):
835         * ftl/FTLRegisterAtOffset.cpp:
836         (JSC::FTL::RegisterAtOffset::dump):
837         * ftl/FTLRegisterAtOffset.h:
838         (JSC::FTL::RegisterAtOffset::RegisterAtOffset):
839         (JSC::FTL::RegisterAtOffset::operator!):
840         (JSC::FTL::RegisterAtOffset::reg):
841         (JSC::FTL::RegisterAtOffset::operator==):
842         (JSC::FTL::RegisterAtOffset::operator<):
843         (JSC::FTL::RegisterAtOffset::getReg):
844         * ftl/FTLSaveRestore.cpp:
845         (JSC::FTL::offsetOfReg):
846         * ftl/FTLSaveRestore.h:
847         * ftl/FTLUnwindInfo.cpp:
848         (JSC::FTL::UnwindInfo::parse):
849         (JSC::FTL::UnwindInfo::find):
850         (JSC::FTL::UnwindInfo::indexOf):
851         * ftl/FTLUnwindInfo.h:
852         * jit/Reg.cpp: Added.
853         (JSC::Reg::dump):
854         * jit/Reg.h: Added.
855         (JSC::Reg::Reg):
856         (JSC::Reg::fromIndex):
857         (JSC::Reg::first):
858         (JSC::Reg::last):
859         (JSC::Reg::next):
860         (JSC::Reg::index):
861         (JSC::Reg::isSet):
862         (JSC::Reg::operator!):
863         (JSC::Reg::isGPR):
864         (JSC::Reg::isFPR):
865         (JSC::Reg::gpr):
866         (JSC::Reg::fpr):
867         (JSC::Reg::operator==):
868         (JSC::Reg::operator!=):
869         (JSC::Reg::operator<):
870         (JSC::Reg::operator>):
871         (JSC::Reg::operator<=):
872         (JSC::Reg::operator>=):
873         (JSC::Reg::hash):
874         (JSC::Reg::invalid):
875         * jit/RegisterSet.h:
876         (JSC::RegisterSet::set):
877         (JSC::RegisterSet::clear):
878         (JSC::RegisterSet::get):
879
880 2014-02-17  Filip Pizlo  <fpizlo@apple.com>
881
882         More ARM FTL glue
883         https://bugs.webkit.org/show_bug.cgi?id=128948
884
885         Reviewed by Sam Weinig.
886
887         * Configurations/Base.xcconfig: Allow for an header search directory for LLVM's generated files.
888         * Configurations/LLVMForJSC.xcconfig: Link the right things for ARM.
889         * assembler/ARM64Assembler.h: Build fix.
890         (JSC::ARM64Assembler::fillNops):
891         * disassembler/LLVMDisassembler.cpp: Use the right target triples.
892         (JSC::tryToDisassembleWithLLVM):
893         * ftl/FTLCompile.cpp:
894         (JSC::FTL::fixFunctionBasedOnStackMaps): Build fix.
895         * jit/GPRInfo.h: Build fix.
896         * llvm/library/LLVMExports.cpp: Link the right things.
897         (initializeAndGetJSCLLVMAPI):
898
899 2014-02-17  Anders Carlsson  <andersca@apple.com>
900
901         Remove ENABLE_GLOBAL_FASTMALLOC_NEW
902         https://bugs.webkit.org/show_bug.cgi?id=127067
903
904         Reviewed by Geoffrey Garen.
905
906         * parser/Nodes.h:
907
908 2014-02-17  Sergio Correia  <sergio.correia@openbossa.org>
909
910         Replace uses of PassOwnPtr/OwnPtr with std::unique_ptr in WebCore/inspector
911         https://bugs.webkit.org/show_bug.cgi?id=128681
912
913         Reviewed by Timothy Hatcher.
914
915         Another step towards getting rid of PassOwnPtr/OwnPtr, now targeting
916         WebCore/inspector/*. Besides files in there, a few other files in
917         JavaScriptCore/inspector, WebKit/, WebKit2/WebProcess/WebCoreSupport/
918         and WebCore/testing were touched.
919
920
921         * inspector/ContentSearchUtilities.cpp:
922         * inspector/ContentSearchUtilities.h:
923         * inspector/agents/InspectorConsoleAgent.cpp:
924         * inspector/agents/InspectorConsoleAgent.h:
925
926 2014-02-17  Filip Pizlo  <fpizlo@apple.com>
927
928         FTL should support ToPrimitive and the DFG should fold it correctly
929         https://bugs.webkit.org/show_bug.cgi?id=128892
930
931         Reviewed by Geoffrey Garen.
932
933         * dfg/DFGAbstractInterpreterInlines.h:
934         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
935         * dfg/DFGConstantFoldingPhase.cpp:
936         (JSC::DFG::ConstantFoldingPhase::foldConstants):
937         * dfg/DFGSpeculativeJIT64.cpp:
938         (JSC::DFG::SpeculativeJIT::compile):
939         * ftl/FTLCapabilities.cpp:
940         (JSC::FTL::canCompile):
941         * ftl/FTLLowerDFGToLLVM.cpp:
942         (JSC::FTL::LowerDFGToLLVM::compileNode):
943         (JSC::FTL::LowerDFGToLLVM::compileToPrimitive):
944         * tests/stress/fold-to-primitive-in-cfa.js: Added.
945         (foo):
946         (.result.foo):
947         * tests/stress/fold-to-primitive-to-identity-in-cfa.js: Added.
948         (foo):
949         (.result.foo):
950
951 2014-02-17  Filip Pizlo  <fpizlo@apple.com>
952
953         Register preservation wrapper should know about the possibility of callee-saved FPRs
954         https://bugs.webkit.org/show_bug.cgi?id=128923
955
956         Reviewed by Mark Hahnenberg.
957
958         * jit/RegisterPreservationWrapperGenerator.cpp:
959         (JSC::generateRegisterPreservationWrapper):
960         (JSC::generateRegisterRestoration):
961         * jit/RegisterSet.cpp:
962
963 2014-02-17  Filip Pizlo  <fpizlo@apple.com>
964
965         lr is a special register on ARM64
966         https://bugs.webkit.org/show_bug.cgi?id=128922
967
968         Reviewed by Mark Hahnenberg.
969
970         * jit/RegisterSet.cpp:
971         (JSC::RegisterSet::specialRegisters):
972
973 2014-02-17  Filip Pizlo  <fpizlo@apple.com>
974
975         Fix RegisterSet::calleeSaveRegisters() by making it correct on ARM64
976         https://bugs.webkit.org/show_bug.cgi?id=128921
977
978         Reviewed by Mark Hahnenberg.
979
980         * jit/RegisterSet.cpp:
981         (JSC::RegisterSet::calleeSaveRegisters):
982
983 2014-02-17  Filip Pizlo  <fpizlo@apple.com>
984
985         RegisterSet::calleeSaveRegisters() should know about ARM64
986         https://bugs.webkit.org/show_bug.cgi?id=128918
987
988         Reviewed by Mark Hahnenberg.
989
990         * jit/RegisterSet.cpp:
991         (JSC::RegisterSet::calleeSaveRegisters):
992
993 2014-02-17  Csaba Osztrogonác  <ossy@webkit.org>
994
995         Move back primary header includes next to config.h
996         https://bugs.webkit.org/show_bug.cgi?id=128912
997
998         Reviewed by Alexey Proskuryakov.
999
1000         * dfg/DFGAbstractHeap.cpp:
1001         * dfg/DFGAbstractValue.cpp:
1002         * dfg/DFGArgumentsSimplificationPhase.cpp:
1003         * dfg/DFGArithMode.cpp:
1004         * dfg/DFGArrayMode.cpp:
1005         * dfg/DFGAtTailAbstractState.cpp:
1006         * dfg/DFGAvailability.cpp:
1007         * dfg/DFGBackwardsPropagationPhase.cpp:
1008         * dfg/DFGBasicBlock.cpp:
1009         * dfg/DFGBinarySwitch.cpp:
1010         * dfg/DFGBlockInsertionSet.cpp:
1011         * dfg/DFGByteCodeParser.cpp:
1012         * dfg/DFGCFAPhase.cpp:
1013         * dfg/DFGCFGSimplificationPhase.cpp:
1014         * dfg/DFGCPSRethreadingPhase.cpp:
1015         * dfg/DFGCSEPhase.cpp:
1016         * dfg/DFGCapabilities.cpp:
1017         * dfg/DFGClobberSet.cpp:
1018         * dfg/DFGClobberize.cpp:
1019         * dfg/DFGCommon.cpp:
1020         * dfg/DFGCommonData.cpp:
1021         * dfg/DFGCompilationKey.cpp:
1022         * dfg/DFGCompilationMode.cpp:
1023         * dfg/DFGConstantFoldingPhase.cpp:
1024         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
1025         * dfg/DFGDCEPhase.cpp:
1026         * dfg/DFGDesiredIdentifiers.cpp:
1027         * dfg/DFGDesiredStructureChains.cpp:
1028         * dfg/DFGDesiredTransitions.cpp:
1029         * dfg/DFGDesiredWatchpoints.cpp:
1030         * dfg/DFGDesiredWeakReferences.cpp:
1031         * dfg/DFGDesiredWriteBarriers.cpp:
1032         * dfg/DFGDisassembler.cpp:
1033         * dfg/DFGDominators.cpp:
1034         * dfg/DFGEdge.cpp:
1035         * dfg/DFGFailedFinalizer.cpp:
1036         * dfg/DFGFinalizer.cpp:
1037         * dfg/DFGFixupPhase.cpp:
1038         * dfg/DFGFlushFormat.cpp:
1039         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
1040         * dfg/DFGFlushedAt.cpp:
1041         * dfg/DFGGraph.cpp:
1042         * dfg/DFGGraphSafepoint.cpp:
1043         * dfg/DFGInPlaceAbstractState.cpp:
1044         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1045         * dfg/DFGInvalidationPointInjectionPhase.cpp:
1046         * dfg/DFGJITCode.cpp:
1047         * dfg/DFGJITCompiler.cpp:
1048         * dfg/DFGJITFinalizer.cpp:
1049         * dfg/DFGJumpReplacement.cpp:
1050         * dfg/DFGLICMPhase.cpp:
1051         * dfg/DFGLazyJSValue.cpp:
1052         * dfg/DFGLivenessAnalysisPhase.cpp:
1053         * dfg/DFGLongLivedState.cpp:
1054         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
1055         * dfg/DFGMinifiedNode.cpp:
1056         * dfg/DFGNaturalLoops.cpp:
1057         * dfg/DFGNode.cpp:
1058         * dfg/DFGNodeFlags.cpp:
1059         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
1060         * dfg/DFGOSREntry.cpp:
1061         * dfg/DFGOSREntrypointCreationPhase.cpp:
1062         * dfg/DFGOSRExit.cpp:
1063         * dfg/DFGOSRExitBase.cpp:
1064         * dfg/DFGOSRExitCompiler.cpp:
1065         * dfg/DFGOSRExitCompiler32_64.cpp:
1066         * dfg/DFGOSRExitCompiler64.cpp:
1067         * dfg/DFGOSRExitCompilerCommon.cpp:
1068         * dfg/DFGOSRExitJumpPlaceholder.cpp:
1069         * dfg/DFGOSRExitPreparation.cpp:
1070         * dfg/DFGPhase.cpp:
1071         * dfg/DFGPlan.cpp:
1072         * dfg/DFGPredictionInjectionPhase.cpp:
1073         * dfg/DFGPredictionPropagationPhase.cpp:
1074         * dfg/DFGResurrectionForValidationPhase.cpp:
1075         * dfg/DFGSSAConversionPhase.cpp:
1076         * dfg/DFGSSALoweringPhase.cpp:
1077         * dfg/DFGSafepoint.cpp:
1078         * dfg/DFGSpeculativeJIT.cpp:
1079         * dfg/DFGSpeculativeJIT32_64.cpp:
1080         * dfg/DFGSpeculativeJIT64.cpp:
1081         * dfg/DFGStackLayoutPhase.cpp:
1082         * dfg/DFGStoreBarrierElisionPhase.cpp:
1083         * dfg/DFGStrengthReductionPhase.cpp:
1084         * dfg/DFGThreadData.cpp:
1085         * dfg/DFGThunks.cpp:
1086         * dfg/DFGTierUpCheckInjectionPhase.cpp:
1087         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
1088         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
1089         * dfg/DFGTypeCheckHoistingPhase.cpp:
1090         * dfg/DFGUnificationPhase.cpp:
1091         * dfg/DFGUseKind.cpp:
1092         * dfg/DFGValidate.cpp:
1093         * dfg/DFGValueSource.cpp:
1094         * dfg/DFGVariableAccessDataDump.cpp:
1095         * dfg/DFGVariableEvent.cpp:
1096         * dfg/DFGVariableEventStream.cpp:
1097         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
1098         * dfg/DFGWatchpointCollectionPhase.cpp:
1099         * dfg/DFGWorklist.cpp:
1100         * heap/JITStubRoutineSet.cpp:
1101         * jit/GCAwareJITStubRoutine.cpp:
1102         * jit/JIT.cpp:
1103         * jit/JITDisassembler.cpp:
1104         * jit/JITOperations.cpp:
1105         * jit/JITStubRoutine.cpp:
1106         * jit/JITStubs.cpp:
1107         * jit/TempRegisterSet.cpp:
1108
1109 2014-02-16  Filip Pizlo  <fpizlo@apple.com>
1110
1111         FTL OSR exit shouldn't make X86-specific assumptions
1112         https://bugs.webkit.org/show_bug.cgi?id=128890
1113
1114         Reviewed by Mark Hahnenberg.
1115
1116         Mostly this is about not using push/pop, but instead using the more abstract pushToSave() and popToRestore() while reflecting on the stack alignment.
1117
1118         * assembler/MacroAssembler.h:
1119         (JSC::MacroAssembler::pushToSaveImmediateWithoutTouchingRegisters):
1120         (JSC::MacroAssembler::pushToSaveByteOffset):
1121         * assembler/MacroAssemblerARM64.h:
1122         (JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):
1123         (JSC::MacroAssemblerARM64::pushToSaveByteOffset):
1124         * ftl/FTLExitThunkGenerator.cpp:
1125         (JSC::FTL::ExitThunkGenerator::emitThunk):
1126         * ftl/FTLOSRExitCompiler.cpp:
1127         (JSC::FTL::compileStub):
1128         * ftl/FTLThunks.cpp:
1129         (JSC::FTL::osrExitGenerationThunkGenerator):
1130
1131 2014-02-17  Filip Pizlo  <fpizlo@apple.com>
1132
1133         Unreviewed, make this test pass without DFG. It was assuming that you always have DFG
1134         and that it would always tier-up to the DFG - both wrong assumptions.
1135
1136         * tests/stress/tricky-array-bounds-checks.js:
1137         (foo):
1138
1139 2014-02-17  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
1140
1141         Fix the CLoop build after r163760
1142         https://bugs.webkit.org/show_bug.cgi?id=128900
1143
1144         Reviewed by Csaba Osztrogonác.
1145
1146         * llint/LLIntThunks.cpp:
1147
1148 2014-02-17  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
1149
1150         CLoop buildfix after r164207
1151         https://bugs.webkit.org/show_bug.cgi?id=128899
1152
1153         Reviewed by Csaba Osztrogonác.
1154
1155         * dfg/DFGCommon.h:
1156         (JSC::DFG::shouldShowDisassembly):
1157
1158 2014-02-16  Filip Pizlo  <fpizlo@apple.com>
1159
1160         Unreviewed, 32-bit build fix.
1161
1162         * assembler/MacroAssembler.h:
1163         (JSC::MacroAssembler::lshiftPtr):
1164
1165 2014-02-15  Filip Pizlo  <fpizlo@apple.com>
1166
1167         FTL should inline polymorphic heap accesses
1168         https://bugs.webkit.org/show_bug.cgi?id=128795
1169
1170         Reviewed by Oliver Hunt.
1171         
1172         We now inline GetByIds that we know are pure but polymorphic. They manifest in DFG IR
1173         as MultiGetByOffset, and in LLVM IR as a switch with a basic block for each kind of
1174         read.
1175         
1176         2% speed-up on Octane mostly due to an 18% speed-up on deltablue.
1177
1178         * CMakeLists.txt:
1179         * GNUmakefile.list.am:
1180         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1181         * JavaScriptCore.xcodeproj/project.pbxproj:
1182         * bytecode/CodeBlock.cpp:
1183         (JSC::CodeBlock::dumpBytecode):
1184         * bytecode/ExitingJITType.cpp: Added.
1185         (WTF::printInternal):
1186         * bytecode/ExitingJITType.h:
1187         * bytecode/GetByIdStatus.cpp:
1188         (JSC::GetByIdStatus::computeFromLLInt):
1189         (JSC::GetByIdStatus::computeForChain):
1190         (JSC::GetByIdStatus::computeForStubInfo):
1191         (JSC::GetByIdStatus::computeFor):
1192         (JSC::GetByIdStatus::dump):
1193         * bytecode/GetByIdStatus.h:
1194         (JSC::GetByIdStatus::GetByIdStatus):
1195         (JSC::GetByIdStatus::numVariants):
1196         (JSC::GetByIdStatus::variants):
1197         (JSC::GetByIdStatus::at):
1198         (JSC::GetByIdStatus::operator[]):
1199         * bytecode/GetByIdVariant.cpp: Added.
1200         (JSC::GetByIdVariant::dump):
1201         (JSC::GetByIdVariant::dumpInContext):
1202         * bytecode/GetByIdVariant.h: Added.
1203         (JSC::GetByIdVariant::GetByIdVariant):
1204         (JSC::GetByIdVariant::isSet):
1205         (JSC::GetByIdVariant::operator!):
1206         (JSC::GetByIdVariant::structureSet):
1207         (JSC::GetByIdVariant::chain):
1208         (JSC::GetByIdVariant::specificValue):
1209         (JSC::GetByIdVariant::offset):
1210         * dfg/DFGAbstractInterpreterInlines.h:
1211         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1212         * dfg/DFGByteCodeParser.cpp:
1213         (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
1214         (JSC::DFG::ByteCodeParser::handleGetById):
1215         (JSC::DFG::ByteCodeParser::parseBlock):
1216         * dfg/DFGCSEPhase.cpp:
1217         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
1218         (JSC::DFG::CSEPhase::performNodeCSE):
1219         * dfg/DFGClobberize.h:
1220         (JSC::DFG::clobberize):
1221         * dfg/DFGCommon.h:
1222         (JSC::DFG::verboseCompilationEnabled):
1223         (JSC::DFG::logCompilationChanges):
1224         (JSC::DFG::shouldShowDisassembly):
1225         * dfg/DFGConstantFoldingPhase.cpp:
1226         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1227         (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
1228         * dfg/DFGDriver.cpp:
1229         (JSC::DFG::compileImpl):
1230         * dfg/DFGFixupPhase.cpp:
1231         (JSC::DFG::FixupPhase::fixupNode):
1232         * dfg/DFGGraph.cpp:
1233         (JSC::DFG::Graph::dump):
1234         * dfg/DFGGraph.h:
1235         (JSC::DFG::Graph::convertToConstant):
1236         * dfg/DFGNode.h:
1237         (JSC::DFG::Node::convertToGetByOffset):
1238         (JSC::DFG::Node::hasHeapPrediction):
1239         (JSC::DFG::Node::hasMultiGetByOffsetData):
1240         (JSC::DFG::Node::multiGetByOffsetData):
1241         * dfg/DFGNodeType.h:
1242         * dfg/DFGPhase.h:
1243         (JSC::DFG::Phase::graph):
1244         (JSC::DFG::runAndLog):
1245         * dfg/DFGPlan.cpp:
1246         (JSC::DFG::dumpAndVerifyGraph):
1247         (JSC::DFG::Plan::compileInThread):
1248         (JSC::DFG::Plan::compileInThreadImpl):
1249         * dfg/DFGPredictionPropagationPhase.cpp:
1250         (JSC::DFG::PredictionPropagationPhase::propagate):
1251         * dfg/DFGSafeToExecute.h:
1252         (JSC::DFG::safeToExecute):
1253         * dfg/DFGSpeculativeJIT32_64.cpp:
1254         (JSC::DFG::SpeculativeJIT::compile):
1255         * dfg/DFGSpeculativeJIT64.cpp:
1256         (JSC::DFG::SpeculativeJIT::compile):
1257         * dfg/DFGTypeCheckHoistingPhase.cpp:
1258         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
1259         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
1260         * ftl/FTLCapabilities.cpp:
1261         (JSC::FTL::canCompile):
1262         * ftl/FTLCompile.cpp:
1263         (JSC::FTL::fixFunctionBasedOnStackMaps):
1264         (JSC::FTL::compile):
1265         * ftl/FTLLowerDFGToLLVM.cpp:
1266         (JSC::FTL::LowerDFGToLLVM::compileNode):
1267         (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
1268         * ftl/FTLState.h:
1269         (JSC::FTL::verboseCompilationEnabled):
1270         (JSC::FTL::showDisassembly):
1271         * jsc.cpp:
1272         (GlobalObject::finishCreation):
1273         (functionEffectful42):
1274         * runtime/IntendedStructureChain.cpp:
1275         (JSC::IntendedStructureChain::dump):
1276         (JSC::IntendedStructureChain::dumpInContext):
1277         * runtime/IntendedStructureChain.h:
1278         * runtime/Options.cpp:
1279         (JSC::recomputeDependentOptions):
1280         * runtime/Options.h:
1281         * tests/stress/fold-multi-get-by-offset-to-get-by-offset-with-watchpoint.js: Added.
1282         (foo):
1283         (bar):
1284         * tests/stress/fold-multi-get-by-offset-to-get-by-offset.js: Added.
1285         (foo):
1286         (bar):
1287         * tests/stress/multi-get-by-offset-proto-and-self.js: Added.
1288         (foo):
1289         (Foo):
1290
1291 2014-02-16  Filip Pizlo  <fpizlo@apple.com>
1292
1293         DFG::prepareOSREntry should be nice to the stack
1294         https://bugs.webkit.org/show_bug.cgi?id=128883
1295
1296         Reviewed by Oliver Hunt.
1297         
1298         Previously OSR entry had some FIXME's and some really badly commented-out code for
1299         clearing stack entries to help GC. It also did some permutations on a stack frame
1300         above us, in such a way that it wasn't obvious that we wouldn't clobber our own
1301         stack frame. This function also crashed in ASan.
1302         
1303         It just seems like there was too much badness to the whole idea of prepareOSREntry
1304         directly editing the stack. So, I changed it to create a stack frame in a scratch
1305         buffer on the side and then have some assembly code just copy it into place. This
1306         works fine, fixes a FIXME, possibly fixes some stack clobbering, and might help us
1307         make more progress with ASan.
1308
1309         * dfg/DFGOSREntry.cpp:
1310         (JSC::DFG::prepareOSREntry):
1311         * dfg/DFGOSREntry.h:
1312         * dfg/DFGThunks.cpp:
1313         (JSC::DFG::osrEntryThunkGenerator):
1314         * dfg/DFGThunks.h:
1315         * jit/JITOpcodes.cpp:
1316         (JSC::JIT::emitSlow_op_loop_hint):
1317         * jit/JITOperations.cpp:
1318
1319 2014-02-15  Filip Pizlo  <fpizlo@apple.com>
1320
1321         Vector with inline capacity should work with non-PODs
1322         https://bugs.webkit.org/show_bug.cgi?id=128864
1323
1324         Reviewed by Michael Saboff.
1325         
1326         Deques no longer have inline capacity because it was broken, and we didn't need it
1327         here anyway.
1328
1329         * dfg/DFGWorklist.h:
1330
1331 2014-02-15  Filip Pizlo  <fpizlo@apple.com>
1332
1333         Unreviewed, roll out r164166.
1334
1335         This broke three unique tests:
1336
1337         ** The following JSC stress test failures have been introduced:
1338             regress/script-tests/variadic-closure-call.js.default-ftl
1339             regress/script-tests/variadic-closure-call.js.ftl-no-cjit-validate
1340             regress/script-tests/variadic-closure-call.js.ftl-no-cjit-osr-validation
1341             regress/script-tests/variadic-closure-call.js.ftl-eager
1342             regress/script-tests/variadic-closure-call.js.ftl-eager-no-cjit
1343             regress/script-tests/variadic-closure-call.js.ftl-eager-no-cjit-osr-validation
1344             jsc-layout-tests.yaml/js/script-tests/unmatching-argument-count.js.layout-ftl-eager-no-cjit
1345             regress/script-tests/direct-arguments-getbyval.js.ftl-eager-no-cjit
1346             regress/script-tests/direct-arguments-getbyval.js.ftl-eager-no-cjit-osr-validation
1347
1348         * bytecode/PolymorphicAccessStructureList.h:
1349         * ftl/FTLCapabilities.cpp:
1350         (JSC::FTL::canCompile):
1351         * ftl/FTLLowerDFGToLLVM.cpp:
1352         (JSC::FTL::LowerDFGToLLVM::compileNode):
1353         * tests/stress/ftl-getbyval-arguments.js:
1354
1355 2014-02-15  Matthew Mirman  <mmirman@apple.com>
1356
1357         Added GetMyArgumentByVal to FTL
1358         https://bugs.webkit.org/show_bug.cgi?id=128850
1359
1360         Reviewed by Filip Pizlo.
1361
1362         * ftl/FTLCapabilities.cpp:
1363         (JSC::FTL::canCompile):
1364         * ftl/FTLLowerDFGToLLVM.cpp:
1365         (JSC::FTL::LowerDFGToLLVM::compileNode):
1366         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
1367         * tests/stress/ftl-getbyval-arguments.js: Added.
1368         (foo):
1369
1370 2014-02-15  peavo@outlook.com  <peavo@outlook.com>
1371
1372         [Win] LLINT is not working.
1373         https://bugs.webkit.org/show_bug.cgi?id=128115
1374
1375         Reviewed by Mark Lam.
1376
1377         This patch will generate assembly code with Intel syntax, which can be processed by the Microsoft assembler (MASM).
1378         By creating an asm file instead of a header file with inline assembly, we can support 64-bit.
1379         Only 32-bit compilation has been tested, not 64-bit.
1380         The aim of this patch is to get LLINT up and running on Windows.
1381
1382         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added new files, and generated asm file.
1383         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
1384         * LLIntAssembly/build-LLIntAssembly.sh: Generate dummy asm file in case we're using C backend.
1385         * bytecode/CallLinkStatus.cpp:
1386         (JSC::CallLinkStatus::computeFor): Compile fix when DFG is disabled.
1387         * bytecode/GetByIdStatus.cpp:
1388         (JSC::GetByIdStatus::computeFor): Ditto.
1389         * bytecode/GetByIdStatus.h: Ditto.
1390         * bytecode/PutByIdStatus.cpp:
1391         (JSC::PutByIdStatus::computeFor): Ditto.
1392         * bytecode/PutByIdStatus.h: Ditto.
1393         * llint/LLIntData.cpp:
1394         (JSC::LLInt::initialize): Compile fix.
1395         * llint/LLIntSlowPaths.h: Added llint_crash function.
1396         * llint/LLIntSlowPaths.cpp: Ditto.        
1397         * llint/LowLevelInterpreter.cpp: Disable code for Windows.
1398         * llint/LowLevelInterpreter.asm: Remove instruction which generates incorrect assembly code on Windows (MOV 0xbbadbeef, register), call llint_crash instead.
1399         Make local labels visible to MASM on Windows.
1400         * llint/LowLevelInterpreter32_64.asm: Make local labels visible to MASM on Windows.
1401         * offlineasm/asm.rb: Generate asm file with Intel assembly syntax.
1402         * offlineasm/settings.rb: Ditto.
1403         * offlineasm/x86.rb: Ditto.
1404
1405 2014-02-14  Joseph Pecoraro  <pecoraro@apple.com>
1406
1407         Web Inspector: CRASH when debugger closes while paused and remote inspecting a JSContext
1408         https://bugs.webkit.org/show_bug.cgi?id=127757
1409
1410         Reviewed by Timothy Hatcher.
1411
1412         The problem was that the lifetime of the InspectorController and all agents
1413         was tied to the remote inspector session. So, if a remote inspector was
1414         disconnected while in the nested run loop, everything would get torn
1415         down and when execution continued out of the nested runloop we would be
1416         back in the original call stack of destroyed objects.
1417
1418         This patch changes the lifetime of the InspectorController and agents to
1419         the JSGlobalObject. This way the agents are always alive, just the
1420         frontend and backend channels are destroyed and recreated each remote
1421         inspector session. This matches the agent lifetime for WebCore agents.
1422         We can also later take advantage of the agents being alive before
1423         and between inspector debug sessions to stash exception messages to
1424         pass on to a debugger if a debugger is connected later.
1425
1426         * inspector/JSGlobalObjectInspectorController.h:
1427         * inspector/JSGlobalObjectInspectorController.cpp:
1428         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1429         Cleaner initialization of agents. Easier to follow.
1430
1431         (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
1432         Move InjectedScript disconnection only once the global object is destroyed.
1433         This way if a developer has attached once and included an injected script,
1434         we will keep it around with any state it might want to remember until
1435         the global object is destroyed.
1436
1437         (Inspector::JSGlobalObjectInspectorController::globalObjectDestroyed):
1438         Disconnect agents and injected scripts when the global object is destroyed.
1439
1440         * inspector/InjectedScriptManager.cpp:
1441         (Inspector::InjectedScriptManager::disconnect):
1442         Now that the injected script manager is reused between remote
1443         inspector sessions, don't clear the pointer on disconnect calls.
1444         We now only call this once when the global object is getting
1445         destroyed anyways so it doesn't matter. But if we wanted to call
1446         disconnect multiple times, e.g. once per session, we could.
1447
1448         * inspector/ScriptDebugServer.cpp:
1449         (Inspector::ScriptDebugServer::dispatchFunctionToListeners):
1450         If the only listener was removed during the nested runloop, then when
1451         we dispatch an event after the nested runloop the listener list will
1452         be empty. Instead of asserting, just pass by an empty list.
1453
1454         * runtime/JSGlobalObject.h:
1455         (JSC::JSGlobalObject::inspectorController):
1456         Tie the inspector controller lifetime to the JSGlobalObject.
1457
1458         * runtime/JSGlobalObject.cpp:
1459         (JSC::JSGlobalObject::~JSGlobalObject):
1460         (JSC::JSGlobalObject::init):
1461         Create the inspector controller, and eagerly signal teardown
1462         in destruction.
1463
1464         * runtime/JSGlobalObjectDebuggable.h:
1465         * runtime/JSGlobalObjectDebuggable.cpp:
1466         (JSC::JSGlobalObjectDebuggable::connect):
1467         (JSC::JSGlobalObjectDebuggable::disconnect):
1468         (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
1469         Simplify by using the inspector controller on JSGlobalObject.
1470
1471 2014-02-14  Mark Hahnenberg  <mhahnenberg@apple.com>
1472
1473         -[JSManagedValue value] needs to be protected by the API lock
1474         https://bugs.webkit.org/show_bug.cgi?id=128857
1475
1476         Reviewed by Mark Lam.
1477
1478         * API/APICast.h:
1479         (toRef): Added an ASSERT so that we can detect these sorts of errors earlier. On 32-bit, toRef
1480         can allocate objects so we need to be holding the lock.
1481         * API/APIShims.h: Removed outdated comments.
1482         * API/JSManagedValue.mm: Added RefPtr<JSLock> to JSManagedValue.
1483         (-[JSManagedValue initWithValue:]): Initialize the m_lock field.
1484         (-[JSManagedValue value]): Lock the JSLock, check the VM*, return nil if invalid, take the APIEntryShim otherwise.
1485         * runtime/JSLock.cpp: Bug fix in JSLock. We were assuming that the VM was always non-null in JSLock::lock.
1486         (JSC::JSLock::lock):
1487
1488 2014-02-14  Oliver Hunt  <oliver@apple.com>
1489
1490         Implement a few more Array prototype functions in JS
1491         https://bugs.webkit.org/show_bug.cgi?id=128788
1492
1493         Reviewed by Gavin Barraclough.
1494
1495         Remove a pile of awful C++, and rewrite in simple JS.
1496
1497         Needed to make a few other changes to get fully builtins
1498         behavior to more accurately match a host function's.
1499
1500         * builtins/Array.prototype.js:
1501         (every):
1502         (forEach):
1503         (filter):
1504         (map):
1505         (some):
1506         * builtins/BuiltinExecutables.cpp:
1507         (JSC::BuiltinExecutables::BuiltinExecutables):
1508         (JSC::BuiltinExecutables::createBuiltinExecutable):
1509         * bytecompiler/BytecodeGenerator.cpp:
1510         (JSC::BytecodeGenerator::BytecodeGenerator):
1511         (JSC::BytecodeGenerator::emitPutByVal):
1512         * bytecompiler/BytecodeGenerator.h:
1513         (JSC::BytecodeGenerator::emitExpressionInfo):
1514         * interpreter/Interpreter.cpp:
1515         (JSC::GetStackTraceFunctor::operator()):
1516         * parser/Nodes.h:
1517         (JSC::FunctionBodyNode::overrideName):
1518         * profiler/LegacyProfiler.cpp:
1519         (JSC::createCallIdentifierFromFunctionImp):
1520         * runtime/ArrayPrototype.cpp:
1521         * runtime/JSFunction.cpp:
1522         (JSC::JSFunction::deleteProperty):
1523         * runtime/JSFunction.h:
1524
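Added example, not the project's builtins/Array.prototype.js: the five methods named in the entry above, written as plain ES5-style functions that take the receiver explicitly. The intrinsics they depend on are captured once at definition time, which is the role the engine's @-prefixed private names play inside its JS builtins, so a page that later replaces Object, TypeError or Reflect.apply cannot change what the builtins do. Every name in the block (toObject, lengthOf, visitPresent, the $-prefixed captures) is this example's own.

```javascript
// Added example, not JavaScriptCore's builtins/Array.prototype.js: ES5-style
// implementations of every, forEach, filter, map and some as plain functions
// taking the receiver explicitly. Intrinsics are captured once at definition
// time, so later tampering with globals cannot alter these functions.
"use strict";

const $Object = Object;
const $TypeError = TypeError;
const $Array = Array;
const $Number = Number;
const $apply = Reflect.apply;
const $floor = Math.floor;
const $min = Math.min;
const MAX_SAFE_LENGTH = 2 ** 53 - 1;

// ToObject: null/undefined receivers are a TypeError, primitives are boxed.
function toObject(value, who) {
  if (value === null || value === undefined)
    throw new $TypeError(who + " called on null or undefined");
  return $Object(value);
}

// ToLength: NaN, negative and -0 become 0; fractions are truncated.
function lengthOf(obj) {
  const n = $Number(obj.length);
  return n > 0 ? $min($floor(n), MAX_SAFE_LENGTH) : 0;
}

function requireCallable(fn, who) {
  if (typeof fn !== "function")
    throw new $TypeError(who + ": callback is not a function");
}

// Shared loop: length is read once up front and holes are skipped, as the
// spec algorithms require. Returning false from `visit` stops the loop early.
function visitPresent(obj, len, visit) {
  for (let i = 0; i < len; i++) {
    if (!(i in obj)) continue;
    if (visit(obj[i], i) === false) return false;
  }
  return true;
}

function every(receiver, callback, thisArg) {
  const o = toObject(receiver, "Array.prototype.every");
  requireCallable(callback, "Array.prototype.every");
  const len = lengthOf(o);
  return visitPresent(o, len, (v, i) => !!$apply(callback, thisArg, [v, i, o]));
}

function some(receiver, callback, thisArg) {
  const o = toObject(receiver, "Array.prototype.some");
  requireCallable(callback, "Array.prototype.some");
  const len = lengthOf(o);
  // Stopping early means a truthy result was found.
  return !visitPresent(o, len, (v, i) => !$apply(callback, thisArg, [v, i, o]));
}

function forEach(receiver, callback, thisArg) {
  const o = toObject(receiver, "Array.prototype.forEach");
  requireCallable(callback, "Array.prototype.forEach");
  const len = lengthOf(o);
  visitPresent(o, len, (v, i) => { $apply(callback, thisArg, [v, i, o]); });
}

function map(receiver, callback, thisArg) {
  const o = toObject(receiver, "Array.prototype.map");
  requireCallable(callback, "Array.prototype.map");
  const len = lengthOf(o);
  const result = new $Array(len);   // holes in the input stay holes in the output
  visitPresent(o, len, (v, i) => { result[i] = $apply(callback, thisArg, [v, i, o]); });
  return result;
}

function filter(receiver, callback, thisArg) {
  const o = toObject(receiver, "Array.prototype.filter");
  requireCallable(callback, "Array.prototype.filter");
  const len = lengthOf(o);
  const result = [];
  let k = 0;
  visitPresent(o, len, (v, i) => { if ($apply(callback, thisArg, [v, i, o])) result[k++] = v; });
  return result;
}
```

The design choice worth noticing is that nothing in the bodies reaches for a global at call time: the callback is invoked through the captured Reflect.apply rather than callback.call, and filter writes by index instead of calling push, so neither Function.prototype nor Array.prototype can be used to redirect a builtin.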
1525 2014-02-14  Mark Hahnenberg  <mhahnenberg@apple.com>
1526
1527         ASSERT(isValidAllocation(bytes)) when ObjC API creates custom errors
1528         https://bugs.webkit.org/show_bug.cgi?id=128840
1529
1530         Reviewed by Joseph Pecoraro.
1531
1532         We need to add APIEntryShims around places where we allocate errors in JSC.
1533         Also converted some of the createTypeError call sites to use ASCIILiteral.
1534
1535         * API/JSValue.mm:
1536         (valueToArray):
1537         (valueToDictionary):
1538         * API/ObjCCallbackFunction.mm:
1539         (JSC::objCCallbackFunctionCallAsConstructor):
1540         (JSC::ObjCCallbackFunctionImpl::call):
1541         * API/tests/testapi.mm:
1542
1543 2014-02-14  Mark Hahnenberg  <mhahnenberg@apple.com>
1544
1545         Baseline JIT should have a fast path to bypass the write barrier on op_enter
1546         https://bugs.webkit.org/show_bug.cgi?id=128832
1547
1548         Reviewed by Filip Pizlo.
1549
1550         * jit/JIT.h: Removed some random commented out functions.
1551         * jit/JITOpcodes.cpp:
1552         (JSC::JIT::emit_op_enter):
1553         * jit/JITPropertyAccess.cpp:
1554         (JSC::JIT::emitWriteBarrier):
1555
1556 2014-02-14  Filip Pizlo  <fpizlo@apple.com>
1557
1558         Don't optimize variadic closure calls
1559         https://bugs.webkit.org/show_bug.cgi?id=128835
1560
1561         Reviewed by Gavin Barraclough.
1562         
1563         Re-add the check that had been in JITStubs.cpp, back in the day. This code came
1564         from the DFG and the DFG didn't need these checks.
1565
1566         * jit/JITOperations.cpp:
1567
1568 2014-02-14  David Kilzer  <ddkilzer@apple.com>
1569
1570         [ASan] Disable JSStack::sanitizeStack() to avoid false-positive stack-buffer-overflow errors
1571         <http://webkit.org/b/128819>
1572
1573         Reviewed by Filip Pizlo.
1574
1575         * interpreter/JSStack.cpp:
1576         (JSC::JSStack::sanitizeStack): When building with the clang
1577         address sanitizer, don't sanitize the stack since it will
1578         trigger false-positive stack-buffer-overflow errors.  Disabling
1579         this only results in a performance penalty, not a correctness
1580         penalty.
1581
1582 2014-02-14  Andres Gomez  <agomez@igalia.com>
1583
1584         Cleaning the JSStaticScopeObject files left behind after renaming their objects to JSNameScope
1585         https://bugs.webkit.org/show_bug.cgi?id=127595
1586
1587         Reviewed by Mario Sanchez Prada.
1588
1589         JSStaticScopeObject was renamed to JSNameScope and removed long
1590         ago but the files were left behind empty and the CMake compilation
1591         in need of its existence. Now, we are definitely getting rid of
1592         them.
1593
1594         * CMakeLists.txt:
1595         * runtime/JSStaticScopeObject.cpp: Removed.
1596         * runtime/JSStaticScopeObject.h: Removed.
1597
1598 2014-02-13  Filip Pizlo  <fpizlo@apple.com>
1599
1600         Kill some of the last vestiges of the C++ interpreter's PICs
1601         https://bugs.webkit.org/show_bug.cgi?id=128796
1602
1603         Reviewed by Michael Saboff.
1604
1605         * bytecode/BytecodeUseDef.h:
1606         (JSC::computeUsesForBytecodeOffset):
1607         (JSC::computeDefsForBytecodeOffset):
1608         * bytecode/CodeBlock.cpp:
1609         (JSC::CodeBlock::printGetByIdOp):
1610         (JSC::CodeBlock::printGetByIdCacheStatus):
1611         (JSC::CodeBlock::dumpBytecode):
1612         (JSC::CodeBlock::CodeBlock):
1613         * bytecode/GetByIdStatus.cpp:
1614         (JSC::GetByIdStatus::computeForStubInfo):
1615         * bytecode/Opcode.h:
1616         (JSC::padOpcodeName):
1617         * bytecode/PolymorphicAccessStructureList.h:
1618         (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::PolymorphicStubInfo):
1619         (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set):
1620         (JSC::PolymorphicAccessStructureList::PolymorphicAccessStructureList):
1621         (JSC::PolymorphicAccessStructureList::visitWeak):
1622         * bytecode/StructureStubInfo.cpp:
1623         (JSC::StructureStubInfo::deref):
1624         (JSC::StructureStubInfo::visitWeakReferences):
1625         * bytecode/StructureStubInfo.h:
1626         (JSC::isGetByIdAccess):
1627         * jit/JIT.cpp:
1628         (JSC::JIT::privateCompileMainPass):
1629         * jit/Repatch.cpp:
1630         (JSC::getPolymorphicStructureList):
1631         (JSC::tryBuildGetByIDList):
1632         * llint/LowLevelInterpreter.asm:
1633
1634 2014-02-13  Mark Lam  <mark.lam@apple.com>
1635
1636         The JSContainerConvertor and ObjcContainerConvertor need to protect JSValueRefs. Part 2.
1637         <https://webkit.org/b/128764>
1638
1639         Reviewed by Mark Hahnenberg.
1640
1641         toJS() is the wrong cast function to use. We need to use toJSForGC() instead.
1642         Also we need to acquire the JSLock to prevent concurrent accesses to the
1643         Strong handle list.
1644
1645         * API/JSValue.mm:
1646         (JSContainerConvertor::add):
1647         (containerValueToObject):
1648         (ObjcContainerConvertor::add):
1649         (objectToValue):
1650
1651 2014-02-13  Mark Hahnenberg  <mhahnenberg@apple.com>
1652
1653         JSManagedValue::dealloc modifies NSMapTable while iterating it
1654         https://bugs.webkit.org/show_bug.cgi?id=128713
1655
1656         Reviewed by Geoffrey Garen.
1657
1658         Having to write a test for this revealed a bug in how addManagedReference:withOwner:
1659         actually notifies JSManagedValues of new owners.
1660
1661         * API/JSManagedValue.mm:
1662         (-[JSManagedValue dealloc]):
1663         * API/JSVirtualMachine.mm:
1664         (-[JSVirtualMachine addManagedReference:withOwner:]):
1665         (-[JSVirtualMachine removeManagedReference:withOwner:]):
1666         * API/tests/testapi.mm:
1667         (testObjectiveCAPI):
1668
1669 2014-02-13  Filip Pizlo  <fpizlo@apple.com>
1670
1671         Unreviewed, fix build.
1672
1673         * ftl/FTLLowerDFGToLLVM.cpp:
1674         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
1675
1676 2014-02-13  Ryosuke Niwa  <rniwa@webkit.org>
1677
1678         Speculative Release build fix after r164077.
1679
1680         * API/JSValue.mm:
1681
1682 2014-02-13  Mark Lam  <mark.lam@apple.com>
1683
1684         The JSContainerConvertor and ObjcContainerConvertor need to protect JSValueRefs.
1685         <https://webkit.org/b/128764>
1686
1687         Reviewed by Mark Hahnenberg.
1688
1689         Added a vector of Strong<Unknown> references in the 2 containers, and append
1690         the newly created JSValues to those vectors. This will keep all those JS objects
1691         alive for the duration of the conversion.
1692
1693         * API/JSValue.mm:
1694         (JSContainerConvertor::add):
1695         (ObjcContainerConvertor::add):
1696
1697 2014-02-13  Matthew Mirman  <mmirman@apple.com>
1698
1699         Added GetMyArgumentsLength to FTL
1700         https://bugs.webkit.org/show_bug.cgi?id=128758
1701
1702         Reviewed by Filip Pizlo.
1703
1704         * ftl/FTLCapabilities.cpp:
1705         (JSC::FTL::canCompile):
1706         * ftl/FTLLowerDFGToLLVM.cpp:
1707         (JSC::FTL::LowerDFGToLLVM::compileNode):
1708         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
1709         * tests/stress/ftl-getmyargumentslength.js: Added.
1710         (foo):
1711
1712 2014-02-13  Filip Pizlo  <fpizlo@apple.com>
1713
1714         Unreviewed, roll out http://trac.webkit.org/changeset/164066.
1715         
1716         It broke tests and it was just plain wrong.
1717
1718         * bytecode/GetByIdStatus.cpp:
1719         (JSC::GetByIdStatus::computeFromLLInt):
1720         (JSC::GetByIdStatus::computeForStubInfo):
1721         * runtime/Structure.h:
1722         (JSC::Structure::takesSlowPathInDFGForImpureProperty):
1723
1724 2014-02-13  Ryuan Choi  <ryuan.choi@samsung.com>
1725
1726         Unreviewed build fix.
1727
1728         Fixed typo.
1729
1730         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1731         (JSC::DFG::IntegerCheckCombiningPhase::run):
1732
1733 2014-02-13  Michael Saboff  <msaboff@apple.com>
1734
1735         Change FTL stack check to use VM's stackLimit
1736         https://bugs.webkit.org/show_bug.cgi?id=128561
1737
1738         Reviewed by Filip Pizlo.
1739
1740         Changes FTL function entry to check the call frame register against the FTL
1741         specific stack limit (VM::m_ftlStackLimit) and throw an exception if the
1742         stack limit has been exceeded.  Updated the exception handling code to have
1743         a second entry that will unroll the current frame to the caller, since that
1744         is where the exception should be processed.
1745
1746         * ftl/FTLCompile.cpp:
1747         (JSC::FTL::fixFunctionBasedOnStackMaps):
1748         * ftl/FTLIntrinsicRepository.h:
1749         * ftl/FTLLowerDFGToLLVM.cpp:
1750         (JSC::FTL::LowerDFGToLLVM::lower):
1751         * ftl/FTLState.h:
1752         * runtime/VM.h:
1753         (JSC::VM::addressOfFTLStackLimit):
1754
1755 2014-02-13  Filip Pizlo  <fpizlo@apple.com>
1756
1757         GetByIdStatus shouldn't call takesSlowPathInDFGForImpureProperty() for self accesses, and calling that method should never assert about anything
1758         https://bugs.webkit.org/show_bug.cgi?id=128772
1759
1760         Reviewed by Mark Hahnenberg.
1761
1762         * bytecode/GetByIdStatus.cpp:
1763         (JSC::GetByIdStatus::computeFromLLInt):
1764         (JSC::GetByIdStatus::computeForStubInfo):
1765         * runtime/Structure.h:
1766         (JSC::Structure::takesSlowPathInDFGForImpureProperty):
1767
1768 2014-02-13  Mark Hahnenberg  <mhahnenberg@apple.com>
1769
1770         Add some RELEASE_ASSERTs to catch JSLock bugs earlier
1771         https://bugs.webkit.org/show_bug.cgi?id=128762
1772
1773         Reviewed by Mark Lam.
1774
1775         * interpreter/Interpreter.cpp:
1776         (JSC::Interpreter::execute):
1777         * runtime/JSLock.cpp:
1778         (JSC::JSLock::DropAllLocks::DropAllLocks):
1779
1780 2014-02-12  Filip Pizlo  <fpizlo@apple.com>
1781
1782         Hoist and combine array bounds checks
1783         https://bugs.webkit.org/show_bug.cgi?id=125433
1784
1785         Reviewed by Mark Hahnenberg.
1786         
1787         This adds a phase for reasoning about overflow checks and array bounds checks. It's
1788         block-local, and removes both overflow checks and bounds checks in one go.
1789         
1790         This also improves reasoning about commutative operations, and CSE between
1791         CheckOverflow and Unchecked arithmetic.
1792         
1793         This strangely uncovered a DFG backend bug where we were trying to extract an int32
1794         from a constant even when that constant was just simply a number. I fixed that bug.
1795
1796         * CMakeLists.txt:
1797         * GNUmakefile.list.am:
1798         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1799         * JavaScriptCore.xcodeproj/project.pbxproj:
1800         * dfg/DFGAbstractInterpreterInlines.h:
1801         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1802         * dfg/DFGAbstractValue.cpp:
1803         (JSC::DFG::AbstractValue::set):
1804         * dfg/DFGArgumentsSimplificationPhase.cpp:
1805         (JSC::DFG::ArgumentsSimplificationPhase::run):
1806         * dfg/DFGArithMode.h:
1807         (JSC::DFG::subsumes):
1808         * dfg/DFGByteCodeParser.cpp:
1809         (JSC::DFG::ByteCodeParser::handleIntrinsic):
1810         * dfg/DFGCSEPhase.cpp:
1811         (JSC::DFG::CSEPhase::pureCSE):
1812         (JSC::DFG::CSEPhase::int32ToDoubleCSE):
1813         (JSC::DFG::CSEPhase::performNodeCSE):
1814         * dfg/DFGClobberize.h:
1815         (JSC::DFG::clobberize):
1816         * dfg/DFGEdge.cpp:
1817         (JSC::DFG::Edge::dump):
1818         * dfg/DFGEdge.h:
1819         (JSC::DFG::Edge::sanitized):
1820         (JSC::DFG::Edge::hash):
1821         * dfg/DFGFixupPhase.cpp:
1822         (JSC::DFG::FixupPhase::fixupNode):
1823         * dfg/DFGGraph.h:
1824         (JSC::DFG::Graph::valueOfInt32Constant):
1825         * dfg/DFGInsertionSet.h:
1826         (JSC::DFG::InsertionSet::insertConstant):
1827         * dfg/DFGIntegerCheckCombiningPhase.cpp: Added.
1828         (JSC::DFG::IntegerCheckCombiningPhase::IntegerCheckCombiningPhase):
1829         (JSC::DFG::IntegerCheckCombiningPhase::run):
1830         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
1831         (JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend):
1832         (JSC::DFG::IntegerCheckCombiningPhase::isValid):
1833         (JSC::DFG::IntegerCheckCombiningPhase::insertAdd):
1834         (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd):
1835         (JSC::DFG::performIntegerCheckCombining):
1836         * dfg/DFGIntegerCheckCombiningPhase.h: Added.
1837         * dfg/DFGNode.h:
1838         (JSC::DFG::Node::willHaveCodeGenOrOSR):
1839         * dfg/DFGNodeType.h:
1840         * dfg/DFGPlan.cpp:
1841         (JSC::DFG::Plan::compileInThreadImpl):
1842         * dfg/DFGPredictionPropagationPhase.cpp:
1843         (JSC::DFG::PredictionPropagationPhase::propagate):
1844         * dfg/DFGSafeToExecute.h:
1845         (JSC::DFG::safeToExecute):
1846         * dfg/DFGSpeculativeJIT.cpp:
1847         (JSC::DFG::SpeculativeJIT::compileAdd):
1848         * dfg/DFGSpeculativeJIT32_64.cpp:
1849         (JSC::DFG::SpeculativeJIT::compile):
1850         * dfg/DFGSpeculativeJIT64.cpp:
1851         (JSC::DFG::SpeculativeJIT::compile):
1852         * dfg/DFGStrengthReductionPhase.cpp:
1853         (JSC::DFG::StrengthReductionPhase::handleNode):
1854         (JSC::DFG::StrengthReductionPhase::handleCommutativity):
1855         * dfg/DFGTypeCheckHoistingPhase.cpp:
1856         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
1857         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
1858         * ftl/FTLCapabilities.cpp:
1859         (JSC::FTL::canCompile):
1860         * ftl/FTLLowerDFGToLLVM.cpp:
1861         (JSC::FTL::LowerDFGToLLVM::compileNode):
1862         * jsc.cpp:
1863         (GlobalObject::finishCreation):
1864         (functionFalse):
1865         * runtime/Identifier.h:
1866         * runtime/Intrinsic.h:
1867         * runtime/JSObject.h:
1868         * tests/stress/get-by-id-untyped.js: Added.
1869         (foo):
1870         * tests/stress/inverted-additive-subsumption.js: Added.
1871         (foo):
1872         * tests/stress/redundant-add-overflow-checks.js: Added.
1873         (foo):
1874         * tests/stress/redundant-array-bounds-checks-addition-skip-first.js: Added.
1875         (foo):
1876         (arraycmp):
1877         * tests/stress/redundant-array-bounds-checks-addition.js: Added.
1878         (foo):
1879         (arraycmp):
1880         * tests/stress/redundant-array-bounds-checks-unchecked-addition.js: Added.
1881         (foo):
1882         (arraycmp):
1883         * tests/stress/redundant-array-bounds-checks.js: Added.
1884         (foo):
1885         (arraycmp):
1886         * tests/stress/tricky-array-bounds-checks.js: Added.
1887         (foo):
1888         (arraycmp):
1889
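Added example, not the project's DFGIntegerCheckCombiningPhase: a block-local model of the check combining the entry above describes. Each access in one basic block is written as (array, index variable, constant addend); accesses sharing an array and index variable are folded into one range check on the smallest and largest addend, with checked int32 adds standing in for the overflow checks the JIT must keep. The names Access, combine, runChecked, runNaive and agreesOnRange are this example's, and the equivalence check at the end is the property a practitioner would want to see hold before trusting such an optimization.

```javascript
// Added example, not JavaScriptCore's DFGIntegerCheckCombiningPhase: a
// block-local model of combining bounds checks. Accesses that share an array
// and index variable are replaced by one range check:
//   index + minAddend >= 0   and   index + maxAddend < array.length
// guarded by overflow checks on the two extreme adds (int32 in the JIT).
"use strict";

const INT32_MAX = 0x7fffffff;
const INT32_MIN = -0x80000000;

// Checked int32 add: models an ArithAdd with CheckOverflow that must bail
// out (OSR exit in the real engine) when the result does not fit in int32.
function mustAdd(a, b) {
  const r = a + b;
  if (r > INT32_MAX || r < INT32_MIN) throw new RangeError("int32 overflow");
  return r;
}

// Group accesses by (array, index variable) and record the addend range.
function combine(accesses) {
  const groups = new Map();
  for (const { array, index, addend } of accesses) {
    const key = array + ":" + index;
    const g = groups.get(key);
    if (!g) {
      groups.set(key, { array, index, minAddend: addend, maxAddend: addend, count: 1 });
    } else {
      g.minAddend = Math.min(g.minAddend, addend);
      g.maxAddend = Math.max(g.maxAddend, addend);
      g.count++;
    }
  }
  return [...groups.values()];
}

// Number of bounds checks before and after combining.
function checkCount(accesses) {
  return { before: accesses.length, after: combine(accesses).length };
}

// Combined form: `env` maps index variable names to int32 values, `arrays`
// maps array names to arrays. Returns the loaded values or throws.
function runChecked(accesses, env, arrays) {
  for (const g of combine(accesses)) {
    const i = env[g.index];
    const arr = arrays[g.array];
    // Every other (index + addend) lies between these two extremes, so it is
    // overflow-free and in bounds whenever both extremes are.
    const lo = mustAdd(i, g.minAddend);
    const hi = mustAdd(i, g.maxAddend);
    if (lo < 0 || hi >= arr.length) throw new RangeError("index out of bounds");
  }
  return accesses.map(({ array, index, addend }) => arrays[array][env[index] + addend]);
}

// Naive form: one overflow check and one bounds check per access.
function runNaive(accesses, env, arrays) {
  return accesses.map(({ array, index, addend }) => {
    const k = mustAdd(env[index], addend);
    const arr = arrays[array];
    if (k < 0 || k >= arr.length) throw new RangeError("index out of bounds");
    return arr[k];
  });
}

// Property check over a range of index values: the combined checks must
// accept exactly the executions the naive checks accept and load the same
// values; any disagreement would mean the optimization changed behaviour.
function agreesOnRange(accesses, arrays, indexName, from, to) {
  for (let i = from; i <= to; i++) {
    const env = { [indexName]: i };
    let naive, combined;
    try { naive = runNaive(accesses, env, arrays); } catch (e) { naive = e.constructor.name; }
    try { combined = runChecked(accesses, env, arrays); } catch (e) { combined = e.constructor.name; }
    if (JSON.stringify(naive) !== JSON.stringify(combined)) return false;
  }
  return true;
}
```

The model only combines within one block and only across a shared index variable, which is also why the entry calls the real phase block-local; the overflow guard is what keeps a combined check sound near INT32_MAX, where `i + 2` can wrap while `i` itself is a perfectly valid index.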
1890 2014-02-13  Filip Pizlo  <fpizlo@apple.com>
1891
1892         FTL should be OK with __compact_unwind in a data section
1893         https://bugs.webkit.org/show_bug.cgi?id=128756
1894
1895         Reviewed by Mark Hahnenberg.
1896
1897         * ftl/FTLCompile.cpp:
1898         (JSC::FTL::mmAllocateCodeSection):
1899         (JSC::FTL::mmAllocateDataSection):
1900
1901 2014-02-13  Michael Saboff  <msaboff@apple.com>
1902
1903         CStack Branch: VM::currentReturnThunkPC appears to be unused and should be removed
1904         https://bugs.webkit.org/show_bug.cgi?id=127205
1905
1906         Reviewed by Geoffrey Garen.
1907
1908         Removed unused references to VM::currentReturnThunkPC.
1909
1910         * jit/ThunkGenerators.cpp:
1911         (JSC::arityFixup):
1912         * runtime/VM.h:
1913
1914 2014-02-13  Tamas Gergely  <tgergely.u-szeged@partner.samsung.com>
1915
1916         Code cleanup: remove gcc<4.7 guards.
1917         https://bugs.webkit.org/show_bug.cgi?id=128729
1918
1919         Reviewed by Anders Carlsson.
1920
1921         Remove GCC_VERSION_AT_LEAST guards when it checks for pre-4.7 versions,
1922         as WK does not compile with earlier gcc versions.
1923
1924         * assembler/MIPSAssembler.h:
1925         (JSC::MIPSAssembler::cacheFlush):
1926         * interpreter/StackVisitor.cpp:
1927         (JSC::printif):
1928
1929 2014-02-12  Mark Lam  <mark.lam@apple.com>
1930
1931         No need to save reservedZoneSize when dropping the JSLock.
1932         <https://webkit.org/b/128719>
1933
1934         Reviewed by Geoffrey Garen.
1935
1936         The reservedZoneSize does not change due to the VM being run on a different
1937         thread. Hence, there is no need to save and restore its value. Instead of
1938         calling updateReservedZoneSize() to update the stack limit, we now call
1939         setStackPointerAtVMEntry() to do the job. setStackPointerAtVMEntry()
1940         will update the stackPointerAtVMEntry and delegate to updateStackLimit() to
1941         update the stack limit based on the new stackPointerAtVMEntry.
1942
1943         * runtime/ErrorHandlingScope.cpp:
1944         (JSC::ErrorHandlingScope::ErrorHandlingScope):
1945         (JSC::ErrorHandlingScope::~ErrorHandlingScope):
1946         - Previously, we initialized stackPointerAtVMEntry in VMEntryScope. This
1947           means that the stackPointerAtVMEntry may not be initialized when we
1948           instantiate the ErrorHandlingScope. And so, we needed to initialize the
1949           stackPointerAtVMEntry in the ErrorHandlingScope constructor if it's not
1950           already initialized.
1951
1952           Now that we initialize the stackPointerAtVMEntry when we lock the VM JSLock,
1953           we are guaranteed that it will be initialized by the time we instantiate
1954           the ErrorHandlingScope. Hence, we can change the ErrorHandlingScope code
1955           to just assert that the stackPointerAtVMEntry is initialized instead.
1956
1957         * runtime/InitializeThreading.cpp:
1958         (JSC::initializeThreading):
1959         - We no longer need to save the reservedZoneSize. Remove the related code.
1960
1961         * runtime/JSLock.cpp:
1962         (JSC::JSLock::lock):
1963         - When we grab the JSLock mutex for the first time, there is no reason why
1964           the stackPointerAtVMEntry should be initialized. By definition, grabbing
1965           the lock for the first time equates to entering the VM for the first time.
1966           Hence, we can just assert that stackPointerAtVMEntry is uninitialized,
1967           and initialize it unconditionally.
1968
1969           The only exception to this is if we're locking to regrab the JSLock in
1970           grabAllLocks(), but grabAllLocks() will take care of restoring the
1971           stackPointerAtVMEntry in that case after lock() returns. stackPointerAtVMEntry
1972           should still be 0 when we've just locked the JSLock. So, the above assertion
1973           always holds true.
1974
1975           Note: VM::setStackPointerAtVMEntry() will take care of calling
1976           VM::updateStackLimit() based on the new stackPointerAtVMEntry.
1977
1978         - There is no need to save the reservedZoneSize. The reservedZoneSize is
1979           set to Options::reservedZoneSize() when the VM is initialized. Thereafter,
1980           the ErrorHandlingScope will change it to Options::errorModeReservedZoneSize()
1981           when we're handling an error, and it will restore it afterwards. There is
1982           no other reason we should be changing the reservedZoneSize. Hence, we can
1983           remove the unnecessary code to save it here.
1984
1985         (JSC::JSLock::unlock):
1986         - Similarly, when the lockCount reaches 0 in unlock(), it is synonymous with
1987           exiting the VM. Hence, we should just clear the stackPointerAtVMEntry and
1988           update the stackLimit. Exiting the VM should have no effect on the VM
1989           reservedZoneSize. Hence, we can remove the unnecessary code to "restore" it.
1990
1991         (JSC::JSLock::dropAllLocks):
1992         - When dropping locks, we do not need to save the reservedZoneSize because
1993           the reservedZoneSize should remain the same regardless of which thread
1994           we are executing JS on. Hence, we can remove the unnecessary code to save
1995           the reservedZoneSize here.
1996
1997         (JSC::JSLock::grabAllLocks):
1998         - When re-grabbing locks, restoring the stackPointerAtVMEntry via
1999           VM::setStackPointerAtVMEntry() will take care of updating the stack limit.
2000           As explained above, there's no need to save the reservedZoneSize. Hence,
2001           there's no need to "restore" it here.
2002
2003         * runtime/VM.cpp:
2004         (JSC::VM::VM):
2005         (JSC::VM::setStackPointerAtVMEntry):
2006         - Sets the stackPointerAtVMEntry and delegates to updateStackLimit() to update
2007           the stack limit based on the new stackPointerAtVMEntry.
2008         (JSC::VM::updateStackLimit):
2009         * runtime/VM.h:
2010         (JSC::VM::stackPointerAtVMEntry):
2011         - Renamed stackPointerAtVMEntry to m_stackPointerAtVMEntry and made it private.
2012           Added a stackPointerAtVMEntry() function to read the value.
2013
2014 2014-02-12  Mark Hahnenberg  <mhahnenberg@apple.com>
2015
2016         DelayedReleaseScope in MarkedAllocator::tryAllocateHelper is wrong
2017         https://bugs.webkit.org/show_bug.cgi?id=128641
2018
2019         Reviewed by Michael Saboff.
2020
2021         We were improperly handling the case where the DelayedReleaseScope 
2022         in tryAllocateHelper would cause us to drop the API lock, allowing 
2023         another thread to sneak in and allocate a new block after we had already 
2024         concluded that there were no more blocks to allocate out of.
2025
2026         The fix is to call tryAllocateHelper in a loop until we know for sure 
2027         that this did not happen.
2028
2029         There was also a race condition with the DelayedReleaseScope in addBlock.
2030         We would add the block to the MarkedBlock's list, sweep it, and then return,
2031         causing us to drop the API lock momentarily. Another thread could then 
2032         grab the lock, and allocate out of the new block to the point where the 
2033         free list was empty. Then we would return to the original thread, who thinks 
2034         it's impossible to not allocate successfully at this point. 
2035         Instead we should just let tryAllocate do all the hard work with correctly 
2036         sweeping and getting a valid result.
2037
2038         There was another race condition in didFinishIterating. We would call resumeAllocating,
2039         which would create a DelayedReleaseScope. The DelayedReleaseScope would then release 
2040         API lock before we set m_isIterating back to false, which would potentially confuse 
2041         other threads.
2042
2043         * heap/MarkedAllocator.cpp:
2044         (JSC::MarkedAllocator::tryAllocateHelper):
2045         (JSC::MarkedAllocator::tryPopFreeList):
2046         (JSC::MarkedAllocator::tryAllocate):
2047         (JSC::MarkedAllocator::addBlock):
2048         * heap/MarkedAllocator.h:
2049
2050 2014-02-12  Brian Burg  <bburg@apple.com>
2051
2052         Web Replay: capture and replay nondeterminism of Date.now() and Math.random()
2053         https://bugs.webkit.org/show_bug.cgi?id=128633
2054
2055         Reviewed by Filip Pizlo.
2056
2057         Upstream the only two sources of script-visible nondeterminism in JavaScriptCore.
2058
2059         The random seed for WeakRandom is memoized when the owning JSGlobalObject is
2060         constructed. It is deterministically initialized during replay before any
2061         scripts execute with the global object.
2062
2063         The implementations of `Date.now()` and `new Date()` eventually obtain the
2064         current time from jsCurrentTime(). When capturing, we save return values of
2065         jsCurrentTime() into the recording. When replaying, we use memoized values from
2066         the recording instead of obtaining values from the platform-specific currentTime()
2067         implementation. No other code calls jsCurrentTime().
2068
2069         * DerivedSources.make: Add rules to make JSReplayInputs.h from JSInputs.json.
2070         * JavaScriptCore.xcodeproj/project.pbxproj:
2071         * replay/JSInputs.json: Added. Includes specifications for replay inputs
2072         "GetCurrentTime" and "SetRandomSeed". Tests will be added for both input
2073         cases once sufficient replay machinery has been added.
2074
2075         * replay/NondeterministicInput.h: NondeterministicInput should not have
2076         been marked 'final'.
2077
2078         * runtime/DateConstructor.cpp:
2079         (JSC::deterministicCurrentTime): Added. Load or store the current time depending
2080         on what kind of InputCursor is attached to the JSGlobalObject.
2081
2082         (JSC::constructDate): Use deterministicCurrentTime().
2083         (JSC::dateNow): Use deterministicCurrentTime().
2084         * runtime/JSGlobalObject.cpp:
2085         (JSC::JSGlobalObject::setInputCursor): When setting a non-empty input cursor,
2086         immediately store or load the "SetRandomSeed" input and initialize WeakRandom's
2087         random seed with it. The input cursor (and thus random seed) must be set before
2088         any scripts are evaluated with this JSGlobalObject.
2089
2090         * runtime/WeakRandom.h:
2091         (JSC::WeakRandom::WeakRandom): Add JSGlobalObject as a friend class.
2092         (JSC::WeakRandom::initializeSeed): Extract the seed initialization into a
2093         separate method so it can be called outside of the JSGlobalObject constructor.
2094
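Added example, not the project's replay code: a capture/replay model of the two inputs the entry above names, "SetRandomSeed" and "GetCurrentTime". An input cursor is either capturing (it stores platform values into a recording) or replaying (it loads them back in order); the seed is fetched through the cursor before any script runs, and every time query goes through it where jsCurrentTime() would be called. The seeded generator is a constructed stand-in for WeakRandom, not the engine's algorithm, and CapturingCursor, ReplayingCursor, GlobalScope and captureAndReplay are this example's names.

```javascript
// Added example, not JavaScriptCore's replay machinery: capture and replay
// of the script-visible nondeterminism in Date.now() and Math.random().
"use strict";

// Seeded generator standing in for WeakRandom (constructed for the example,
// not the engine's algorithm): 32-bit xorshift.
function makeSeededRandom(seed) {
  let state = (seed >>> 0) || 1;
  return function random() {
    state ^= state << 13; state >>>= 0;
    state ^= state >>> 17;
    state ^= state << 5; state >>>= 0;
    return state / 0x100000000;  // [0, 1)
  };
}

class CapturingCursor {
  constructor(platform) { this.platform = platform; this.recording = []; }
  // Obtain a fresh value from the platform and append it to the recording.
  load(type) {
    const value = this.platform[type]();
    this.recording.push({ type, value });
    return value;
  }
}

class ReplayingCursor {
  constructor(recording) { this.recording = recording; this.position = 0; }
  // Return the next memoized value; a type mismatch means capture and replay
  // diverged, which is reported rather than silently papered over.
  load(type) {
    const input = this.recording[this.position++];
    if (!input || input.type !== type) throw new Error("replay diverged at " + type);
    return input.value;
  }
}

// Global-object-like scope: the random seed is loaded through the cursor
// during construction, before any script can run, and every time query
// goes through the cursor where jsCurrentTime() would otherwise be used.
class GlobalScope {
  constructor(cursor) {
    this.cursor = cursor;
    this.random = makeSeededRandom(cursor.load("SetRandomSeed"));
  }
  now() { return this.cursor.load("GetCurrentTime"); }
}

// A script whose output depends on timestamps and random draws.
function runScript(scope) {
  const out = [];
  for (let k = 0; k < 3; k++) out.push([scope.now(), Math.floor(scope.random() * 1000)]);
  return out;
}

// Capture one run against the (constructed) platform, then replay it twice
// without touching the platform at all.
function captureAndReplay(platform) {
  const capture = new CapturingCursor(platform);
  const original = runScript(new GlobalScope(capture));
  const replay1 = runScript(new GlobalScope(new ReplayingCursor(capture.recording)));
  const replay2 = runScript(new GlobalScope(new ReplayingCursor(capture.recording)));
  return { original, replay1, replay2, recording: capture.recording };
}
```

The recording contains one seed entry followed by one entry per time query, which is the whole of what the script could observe; the replaying cursor checks each entry's type so that a script path that asks for inputs in a different order fails loudly instead of reading the wrong memoized value.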
2095 2014-02-12  Joseph Pecoraro  <pecoraro@apple.com>
2096
2097         Web Inspector: Cleanup JavaScriptCore/inspector
2098         https://bugs.webkit.org/show_bug.cgi?id=128662
2099
2100         Reviewed by Timothy Hatcher.
2101
2102         Now that the code has settled, do a cleanup pass.
2103
2104         * inspector/ContentSearchUtilities.cpp:
2105         * inspector/InspectorValues.cpp:
2106         (Inspector::InspectorValue::asObject):
2107         (Inspector::InspectorValue::asArray):
2108         (Inspector::InspectorValue::parseJSON):
2109         (Inspector::InspectorObjectBase::getObject):
2110         (Inspector::InspectorObjectBase::getArray):
2111         (Inspector::InspectorObjectBase::get):
2112         * inspector/ScriptCallStackFactory.cpp:
2113         * inspector/ScriptDebugServer.cpp:
2114         * inspector/agents/JSGlobalObjectConsoleAgent.h:
2115
2116 2014-02-12  Ryosuke Niwa  <rniwa@webkit.org>
2117
2118         Windows build fix attempt after r163960.
2119
2120         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2121         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2122
2123 2014-02-12  Michael Saboff  <msaboff@apple.com>
2124
2125         Adjust VM::stackLimit based on the size of the largest FTL stack produced
2126         https://bugs.webkit.org/show_bug.cgi?id=128562
2127
2128         Reviewed by Mark Lam.
2129
2130         Added VM::m_largestFTLStackSize to track the largest stack size of an FTL compiled
2131         function. Added VM::m_ftlStackLimit for FTL functions stack limit.  Renamed
2132         VM::updateStackLimitWithReservedZoneSize to VM::updateReservedZoneSize.  Renamed
2133         VM::setStackLimit to VM::updateStackLimit and changed it to do the updating of the
2134         stack limits, including taking into account m_largestFTLStackSize.
2135
2136         * ftl/FTLJITFinalizer.cpp:
2137         (JSC::FTL::JITFinalizer::finalizeFunction):
2138         * runtime/ErrorHandlingScope.cpp:
2139         (JSC::ErrorHandlingScope::ErrorHandlingScope):
2140         (JSC::ErrorHandlingScope::~ErrorHandlingScope):
2141         * runtime/JSLock.cpp:
2142         (JSC::JSLock::lock):
2143         (JSC::JSLock::unlock):
2144         (JSC::JSLock::grabAllLocks):
2145         * runtime/VM.cpp:
2146         (JSC::VM::VM):
2147         (JSC::VM::updateReservedZoneSize):
2148         (JSC::VM::updateStackLimit):
2149         (JSC::VM::updateFTLLargestStackSize):
2150         * runtime/VM.h:
2151
2152 2014-02-11  Oliver Hunt  <oliver@apple.com>
2153
2154         Make it possible to implement JS builtins in JS
2155         https://bugs.webkit.org/show_bug.cgi?id=127887
2156
2157         Reviewed by Michael Saboff.
2158
2159         This patch makes it possible to write builtin functions in JS.
2160         The bindings, generators, and definitions are all created automatically
2161         based on js files in the builtins/ directory.  This patch includes one
2162         such case: Array.prototype.js with an implementation of every().
2163
2164         There's a lot of refactoring to make it possible for CommonIdentifiers
2165         to include the output of the generated files (DerivedSources/JSCBuiltins.{h,cpp})
2166         without breaking the offset extractor. The result of this refactoring
2167         is that CommonIdentifiers, and a few other miscellaneous headers now
2168         need to be included directly as they were formerly captured through other
2169         paths.
2170
2171         In addition this adds a flag to the Lookup table's hashentry to indicate
2172         that a static function is actually backed by JS. There is then a lot of
2173         logic to thread the special nature of the function to where it matters.
2174         This allows toString(), .caller, etc. to mimic the behaviour of a host
2175         function.
2176
2177         Notes on writing builtins:
2178          - Each function is compiled independently of the others, and those
2179            implementations cannot currently capture all global properties (as
2180            that could be potentially unsafe). If a function does capture a
2181            global we will deliberately crash.
2182          - For those "global" properties that we do want access to, we use
2183            the @ prefix, e.g. Object(this) becomes @Object(this). The @ identifiers
2184            are private names, and behave just like regular properties, only
2185            without the risk of adulteration. Again, in the @Object case, we
2186            explicitly duplicate the ObjectConstructor reference on the GlobalObject
2187            so that we have guaranteed access to the original version of the
2188            constructor.
2189          - call, apply, eval, and Function are all rejected identifiers, again
2190            to prevent anything from accidentally using an adulterated object.
2191            Instead @call and @apply are available, and happily they completely
2192            drop the neq_ptr instruction as they're defined as always being the
2193            original call/apply functions.
2194
2195         These restrictions are just intended to make it harder to accidentally
2196         make changes that are incorrect (for instance calling whatever has been
2197         assigned to global.Object, instead of the original constructor function).
2198         However, making a mistake like this should result in a purely semantic
2199         error as fundamentally these functions are treated as though they were
2200         regular JS code in the host global, and have no more privileges than
2201         any other JS.
2202
2203         The initial proof of concept is Array.prototype.every; this shows a 65%
2204         performance improvement, and that improvement is significantly hurt by
2205         our poor optimisation of op_in.
2206
2207         As this is such a limited function, we have not yet exported all symbols
2208         that we could possibly need, but as we implement more, the likelihood
2209         of encountering missing features will reduce.
2210
2211
2212         * API/JSCallbackObjectFunctions.h:
2213         (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
2214         (JSC::JSCallbackObject<Parent>::put):
2215         (JSC::JSCallbackObject<Parent>::deleteProperty):
2216         (JSC::JSCallbackObject<Parent>::getStaticValue):
2217         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
2218         (JSC::JSCallbackObject<Parent>::callbackGetter):
2219         * CMakeLists.txt:
2220         * DerivedSources.make:
2221         * GNUmakefile.am:
2222         * GNUmakefile.list.am:
2223         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2224         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2225         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
2226         * JavaScriptCore.vcxproj/copy-files.cmd:
2227         * JavaScriptCore.xcodeproj/project.pbxproj:
2228         * builtins/Array.prototype.js:
2229         (every):
2230         * builtins/BuiltinExecutables.cpp: Added.
2231         (JSC::BuiltinExecutables::BuiltinExecutables):
2232         (JSC::BuiltinExecutables::createBuiltinExecutable):
2233         * builtins/BuiltinExecutables.h:
2234         (JSC::BuiltinExecutables::create):
2235         * builtins/BuiltinNames.h: Added.
2236         (JSC::BuiltinNames::BuiltinNames):
2237         (JSC::BuiltinNames::getPrivateName):
2238         (JSC::BuiltinNames::getPublicName):
2239         * bytecode/CodeBlock.cpp:
2240         (JSC::CodeBlock::CodeBlock):
2241         * bytecode/UnlinkedCodeBlock.cpp:
2242         (JSC::generateFunctionCodeBlock):
2243         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2244         (JSC::UnlinkedFunctionExecutable::codeBlockFor):
2245         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2246         * bytecode/UnlinkedCodeBlock.h:
2247         (JSC::ExecutableInfo::ExecutableInfo):
2248         (JSC::UnlinkedFunctionExecutable::create):
2249         (JSC::UnlinkedFunctionExecutable::toStrictness):
2250         (JSC::UnlinkedFunctionExecutable::isBuiltinFunction):
2251         (JSC::UnlinkedCodeBlock::isBuiltinFunction):
2252         * bytecompiler/BytecodeGenerator.cpp:
2253         (JSC::BytecodeGenerator::BytecodeGenerator):
2254         * bytecompiler/BytecodeGenerator.h:
2255         (JSC::BytecodeGenerator::isBuiltinFunction):
2256         (JSC::BytecodeGenerator::makeFunction):
2257         * bytecompiler/NodesCodegen.cpp:
2258         (JSC::CallFunctionCallDotNode::emitBytecode):
2259         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2260         * create_hash_table:
2261         * generate-js-builtins: Added.
2262         (getCopyright):
2263         (getFunctions):
2264         (generateCode):
2265         (mangleName):
2266         (FunctionExecutable):
2267         (Identifier):
2268         (JSGlobalObject):
2269         (SourceCode):
2270         (UnlinkedFunctionExecutable):
2271         (VM):
2272         * interpreter/CachedCall.h:
2273         (JSC::CachedCall::CachedCall):
2274         * parser/ASTBuilder.h:
2275         (JSC::ASTBuilder::makeFunctionCallNode):
2276         * parser/Lexer.cpp:
2277         (JSC::Lexer<T>::Lexer):
2278         (JSC::isSafeBuiltinIdentifier):
2279         (JSC::Lexer<LChar>::parseIdentifier):
2280         (JSC::Lexer<UChar>::parseIdentifier):
2281         (JSC::Lexer<T>::lex):
2282         * parser/Lexer.h:
2283         (JSC::isSafeIdentifier):
2284         (JSC::Lexer<T>::lexExpectIdentifier):
2285         * parser/Nodes.cpp:
2286         (JSC::ProgramNode::setClosedVariables):
2287         * parser/Nodes.h:
2288         (JSC::ScopeNode::capturedVariables):
2289         (JSC::ScopeNode::setClosedVariables):
2290         (JSC::ProgramNode::closedVariables):
2291         * parser/Parser.cpp:
2292         (JSC::Parser<LexerType>::Parser):
2293         (JSC::Parser<LexerType>::parseInner):
2294         (JSC::Parser<LexerType>::didFinishParsing):
2295         (JSC::Parser<LexerType>::printUnexpectedTokenText):
2296         * parser/Parser.h:
2297         (JSC::Scope::getUsedVariables):
2298         (JSC::Parser::closedVariables):
2299         (JSC::parse):
2300         * parser/ParserModes.h:
2301         * parser/ParserTokens.h:
2302         * runtime/ArrayPrototype.cpp:
2303         * runtime/CodeCache.cpp:
2304         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
2305         * runtime/CommonIdentifiers.cpp:
2306         (JSC::CommonIdentifiers::CommonIdentifiers):
2307         (JSC::CommonIdentifiers::~CommonIdentifiers):
2308         (JSC::CommonIdentifiers::getPrivateName):
2309         (JSC::CommonIdentifiers::getPublicName):
2310         * runtime/CommonIdentifiers.h:
2311         (JSC::CommonIdentifiers::builtinNames):
2312         * runtime/ExceptionHelpers.cpp:
2313         (JSC::createUndefinedVariableError):
2314         * runtime/Executable.h:
2315         (JSC::EvalExecutable::executableInfo):
2316         (JSC::ProgramExecutable::executableInfo):
2317         (JSC::FunctionExecutable::isBuiltinFunction):
2318         * runtime/FunctionPrototype.cpp:
2319         (JSC::functionProtoFuncToString):
2320         * runtime/JSActivation.cpp:
2321         (JSC::JSActivation::symbolTableGet):
2322         (JSC::JSActivation::symbolTablePut):
2323         (JSC::JSActivation::symbolTablePutWithAttributes):
2324         * runtime/JSFunction.cpp:
2325         (JSC::JSFunction::createBuiltinFunction):
2326         (JSC::JSFunction::calculatedDisplayName):
2327         (JSC::JSFunction::sourceCode):
2328         (JSC::JSFunction::isHostOrBuiltinFunction):
2329         (JSC::JSFunction::isBuiltinFunction):
2330         (JSC::JSFunction::callerGetter):
2331         (JSC::JSFunction::getOwnPropertySlot):
2332         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2333         (JSC::JSFunction::put):
2334         (JSC::JSFunction::defineOwnProperty):
2335         * runtime/JSFunction.h:
2336         * runtime/JSFunctionInlines.h:
2337         (JSC::JSFunction::nativeFunction):
2338         (JSC::JSFunction::nativeConstructor):
2339         (JSC::isHostFunction):
2340         * runtime/JSGlobalObject.cpp:
2341         (JSC::JSGlobalObject::reset):
2342         (JSC::JSGlobalObject::visitChildren):
2343         * runtime/JSGlobalObject.h:
2344         (JSC::JSGlobalObject::objectConstructor):
2345         (JSC::JSGlobalObject::symbolTableHasProperty):
2346         * runtime/JSObject.cpp:
2347         (JSC::getClassPropertyNames):
2348         (JSC::JSObject::reifyStaticFunctionsForDelete):
2349         (JSC::JSObject::putDirectBuiltinFunction):
2350         * runtime/JSObject.h:
2351         * runtime/JSSymbolTableObject.cpp:
2352         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
2353         * runtime/JSSymbolTableObject.h:
2354         (JSC::symbolTableGet):
2355         (JSC::symbolTablePut):
2356         (JSC::symbolTablePutWithAttributes):
2357         * runtime/Lookup.cpp:
2358         (JSC::setUpStaticFunctionSlot):
2359         * runtime/Lookup.h:
2360         (JSC::HashEntry::builtinGenerator):
2361         (JSC::HashEntry::propertyGetter):
2362         (JSC::HashEntry::propertyPutter):
2363         (JSC::HashTable::entry):
2364         (JSC::getStaticPropertySlot):
2365         (JSC::getStaticValueSlot):
2366         (JSC::putEntry):
2367         * runtime/NativeErrorConstructor.cpp:
2368         (JSC::NativeErrorConstructor::finishCreation):
2369         * runtime/NativeErrorConstructor.h:
2370         * runtime/PropertySlot.h:
2371         * runtime/VM.cpp:
2372         (JSC::VM::VM):
2373         * runtime/VM.h:
2374         (JSC::VM::builtinExecutables):
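
Added illustration, not JavaScriptCore code: the entry above explains that a builtin written in JS must reach Object, call and apply through the @-prefixed private names rather than through whatever the page has assigned to the globals. The script below simulates that mechanism in plain JavaScript by capturing the original Object and Function.prototype.call once, before any other script runs (stand-ins for @Object and @call), and then runs an every() written both ways, once resolving the globals at call time and once using only the captured originals, before and after page script reassigns those globals. The names atObject, atCall, everyNaive, everySafe, withTamperedGlobals and demonstrate are the example's own, and the input array is constructed for the demonstration.

```javascript
"use strict";

// Added example (not JavaScriptCore code): why JS-implemented builtins must not
// resolve Object or .call through the global object. JSC's @Object and @call
// private names hand the builtin the ORIGINAL values; here that is simulated by
// capturing them once, "at engine start-up", before any page script runs.

// Stand-ins for @Object and @call. atCall is the uncurried
// Function.prototype.call: atCall(f, thisArg, ...args) invokes f through the
// original call even after Function.prototype.call has been replaced.
const atObject = Object;
const atCall = Function.prototype.call.bind(Function.prototype.call);

// Mistaken builtin: resolves Object and callback.call at call time, so it uses
// whatever page script has assigned to them. Written against `this`, like the
// real Array.prototype.every.
function everyNaive(callback, thisArg) {
    const O = Object(this);
    const len = O.length >>> 0;
    for (let i = 0; i < len; i++) {
        if (i in O && !callback.call(thisArg, O[i], i, O))
            return false;
    }
    return true;
}

// Builtin written the way the @ identifiers force: only captured originals.
function everySafe(callback, thisArg) {
    const O = atObject(this);
    const len = O.length >>> 0;
    for (let i = 0; i < len; i++) {
        if (i in O && !atCall(callback, thisArg, O[i], i, O))
            return false;
    }
    return true;
}

const isEven = (x) => x % 2 === 0;

// Runs fn with the given [holder, propertyName, replacement] triples applied,
// restoring the original properties afterwards even if fn throws.
function withTamperedGlobals(replacements, fn) {
    const saved = [];
    for (const [holder, name, value] of replacements) {
        saved.push([holder, name, holder[name]]);
        holder[name] = value;
    }
    try {
        return fn();
    } finally {
        for (const [holder, name, value] of saved)
            holder[name] = value;
    }
}

// Both builtins on the same constructed input; the correct answer is false.
function runBoth() {
    const odds = [1, 3, 5];
    return {
        naive: atCall(everyNaive, odds, isEven),
        safe: atCall(everySafe, odds, isEven),
    };
}

// Three scenarios: globals untouched, global Object replaced by a function that
// returns an empty-looking object, and Function.prototype.call replaced by one
// that always reports true. Ordinary page script can do either.
function demonstrate() {
    return {
        untouched: runBoth(),
        objectReplaced: withTamperedGlobals(
            [[globalThis, "Object", function FakeObject() { return { length: 0 }; }]],
            runBoth),
        callReplaced: withTamperedGlobals(
            [[Function.prototype, "call", function fakeCall() { return true; }]],
            runBoth),
    };
}

console.log(JSON.stringify(demonstrate(), null, 2));
```

Run with node. In the untouched scenario both implementations return false; after either global is replaced, everyNaive returns true (it sees an empty object, or a callback that always "succeeds") while everySafe still returns false. That difference is the property the @ identifiers give a JSC builtin by construction, and it is also why the lexer rejects call, apply, eval and Function inside builtin source: a lookup that can be redirected by page script has no place in code that is supposed to behave like a host function.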
2375
2376 2014-02-11  Brent Fulgham  <bfulgham@apple.com>
2377
2378         Remove some unintended copies in ranged for loops
2379         https://bugs.webkit.org/show_bug.cgi?id=128644
2380
2381         Reviewed by Anders Carlsson.
2382
2383         * inspector/InjectedScriptHost.cpp:
2384         (Inspector::InjectedScriptHost::clearAllWrappers): Avoid creating/destroying
2385         a std::pair<> and pointer each loop iteration.
2386         * parser/Parser.cpp:
2387         (JSC::Parser<LexerType>::Parser): Avoid copying object containing a string
2388         each loop iteration.
2389
2390 2014-02-11  Ryosuke Niwa  <rniwa@webkit.org>
2391
2392         Debug build fix after r163946.
2393
2394         * dfg/DFGByteCodeParser.cpp:
2395         (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
2396
2397 2014-02-11  Filip Pizlo  <fpizlo@apple.com>
2398
2399         Inserting a node with a codeOrigin "like" another node should copy both the codeOrigin and codeOriginForExitTarget
2400         https://bugs.webkit.org/show_bug.cgi?id=128635
2401
2402         Reviewed by Michael Saboff.
2403         
2404         Originally nodes just had a codeOrigin. But then we started doing code motion, and we
2405         needed to separate the codeOrigin that designated where to exit from the codeOrigin
2406         that designated everything else. The "everything else" is actually pretty important:
2407         it includes profiling, exception handling, and the actual semantics of the node. For
2408         example some nodes use the origin's global object in some way.
2409         
2410         This all sort of worked except for one quirk: the facilities for creating nodes all
2411         assumed that there really was only one origin. LICM would work around this by setting
2412         the codeOriginForExitTarget manually. But, that means that:
2413         
2414         - If we did hoist a node twice, then the second time around, we would forget the node's
2415           original exit target.
2416         
2417         - If we did an insertNode() to insert a node before a hoisted node, the inserted node
2418           would have the wrong exit target.
2419         
2420         Most of the time, if we copy the code origin, we actually want to copy both origins.
2421         So, this patch introduces the notion of a NodeOrigin which has two CodeOrigins: a
2422         forExit code origin that says where to exit, and a semantic code origin for everything
2423         else.
2424         
2425         This also (annoyingly?) means that we are always more explicit about which code origin
2426         we refer to. That means that a lot of "node->codeOrigin" expressions had to change to
2427         "node->origin.semantic". This was partly a ploy on my part to ensure that this
2428         refactoring was complete: to get the code to compile I really had to audit all uses of
2429         CodeOrigin. If, in the future, we find that "node->origin.semantic" is too cumbersome
2430         then we can reintroduce the Node::codeOrigin field. For now I kinda like it though.
2431
2432         * GNUmakefile.list.am:
2433         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2434         * JavaScriptCore.xcodeproj/project.pbxproj:
2435         * dfg/DFGAbstractInterpreterInlines.h:
2436         (JSC::DFG::AbstractInterpreter<AbstractStateType>::booleanResult):
2437         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2438         * dfg/DFGArgumentsSimplificationPhase.cpp:
2439         (JSC::DFG::ArgumentsSimplificationPhase::run):
2440         (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
2441         (JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
2442         (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
2443         * dfg/DFGArrayMode.cpp:
2444         (JSC::DFG::ArrayMode::originalArrayStructure):
2445         (JSC::DFG::ArrayMode::alreadyChecked):
2446         * dfg/DFGByteCodeParser.cpp:
2447         (JSC::DFG::ByteCodeParser::addToGraph):
2448         * dfg/DFGCFGSimplificationPhase.cpp:
2449         (JSC::DFG::CFGSimplificationPhase::run):
2450         (JSC::DFG::CFGSimplificationPhase::convertToJump):
2451         (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
2452         (JSC::DFG::CFGSimplificationPhase::jettisonBlock):
2453         (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
2454         * dfg/DFGCPSRethreadingPhase.cpp:
2455         (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
2456         (JSC::DFG::CPSRethreadingPhase::addPhi):
2457         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
2458         (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
2459         (JSC::DFG::CPSRethreadingPhase::propagatePhis):
2460         * dfg/DFGCSEPhase.cpp:
2461         (JSC::DFG::CSEPhase::setLocalStoreElimination):
2462         * dfg/DFGClobberize.h:
2463         (JSC::DFG::clobberize):
2464         * dfg/DFGCommonData.cpp:
2465         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
2466         * dfg/DFGConstantFoldingPhase.cpp:
2467         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2468         (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
2469         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
2470         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
2471         * dfg/DFGDCEPhase.cpp:
2472         (JSC::DFG::DCEPhase::fixupBlock):
2473         * dfg/DFGDisassembler.cpp:
2474         (JSC::DFG::Disassembler::createDumpList):
2475         * dfg/DFGFixupPhase.cpp:
2476         (JSC::DFG::FixupPhase::fixupNode):
2477         (JSC::DFG::FixupPhase::createToString):
2478         (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
2479         (JSC::DFG::FixupPhase::convertStringAddUse):
2480         (JSC::DFG::FixupPhase::fixupToPrimitive):
2481         (JSC::DFG::FixupPhase::fixupToString):
2482         (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
2483         (JSC::DFG::FixupPhase::checkArray):
2484         (JSC::DFG::FixupPhase::blessArrayOperation):
2485         (JSC::DFG::FixupPhase::fixEdge):
2486         (JSC::DFG::FixupPhase::insertStoreBarrier):
2487         (JSC::DFG::FixupPhase::fixIntEdge):
2488         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
2489         (JSC::DFG::FixupPhase::truncateConstantToInt32):
2490         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
2491         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
2492         (JSC::DFG::FixupPhase::convertToGetArrayLength):
2493         (JSC::DFG::FixupPhase::prependGetArrayLength):
2494         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
2495         (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
2496         * dfg/DFGGraph.cpp:
2497         (JSC::DFG::Graph::dumpCodeOrigin):
2498         (JSC::DFG::Graph::amountOfNodeWhiteSpace):
2499         (JSC::DFG::Graph::dump):
2500         (JSC::DFG::Graph::dumpBlockHeader):
2501         * dfg/DFGGraph.h:
2502         (JSC::DFG::Graph::hasExitSite):
2503         (JSC::DFG::Graph::valueProfileFor):
2504         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2505         * dfg/DFGInvalidationPointInjectionPhase.cpp:
2506         (JSC::DFG::InvalidationPointInjectionPhase::handle):
2507         (JSC::DFG::InvalidationPointInjectionPhase::insertInvalidationCheck):
2508         * dfg/DFGLICMPhase.cpp:
2509         (JSC::DFG::LICMPhase::attemptHoist):
2510         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
2511         (JSC::DFG::createPreHeader):
2512         * dfg/DFGNode.h:
2513         (JSC::DFG::Node::Node):
2514         (JSC::DFG::Node::isStronglyProvedConstantIn):
2515         * dfg/DFGNodeOrigin.h: Added.
2516         (JSC::DFG::NodeOrigin::NodeOrigin):
2517         (JSC::DFG::NodeOrigin::isSet):
2518         * dfg/DFGOSREntrypointCreationPhase.cpp:
2519         (JSC::DFG::OSREntrypointCreationPhase::run):
2520         * dfg/DFGResurrectionForValidationPhase.cpp:
2521         (JSC::DFG::ResurrectionForValidationPhase::run):
2522         * dfg/DFGSSAConversionPhase.cpp:
2523         (JSC::DFG::SSAConversionPhase::run):
2524         * dfg/DFGSSALoweringPhase.cpp:
2525         (JSC::DFG::SSALoweringPhase::handleNode):
2526         (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
2527         * dfg/DFGSpeculativeJIT.cpp:
2528         (JSC::DFG::SpeculativeJIT::compileIn):
2529         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2530         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
2531         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
2532         * dfg/DFGSpeculativeJIT.h:
2533         (JSC::DFG::SpeculativeJIT::masqueradesAsUndefinedWatchpointIsStillValid):
2534         (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck):
2535         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
2536         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
2537         (JSC::DFG::SpeculativeJIT::appendCall):
2538         (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
2539         * dfg/DFGSpeculativeJIT32_64.cpp:
2540         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
2541         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
2542         (JSC::DFG::SpeculativeJIT::emitCall):
2543         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2544         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2545         (JSC::DFG::SpeculativeJIT::compile):
2546         * dfg/DFGSpeculativeJIT64.cpp:
2547         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
2548         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
2549         (JSC::DFG::SpeculativeJIT::emitCall):
2550         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2551         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2552         (JSC::DFG::SpeculativeJIT::compile):
2553         * dfg/DFGStrengthReductionPhase.cpp:
2554         (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild):
2555         (JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray):
2556         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2557         (JSC::DFG::TierUpCheckInjectionPhase::run):
2558         * dfg/DFGTypeCheckHoistingPhase.cpp:
2559         (JSC::DFG::TypeCheckHoistingPhase::run):
2560         * dfg/DFGValidate.cpp:
2561         (JSC::DFG::Validate::validateSSA):
2562         * dfg/DFGWatchpointCollectionPhase.cpp:
2563         (JSC::DFG::WatchpointCollectionPhase::handle):
2564         (JSC::DFG::WatchpointCollectionPhase::handleEdge):
2565         (JSC::DFG::WatchpointCollectionPhase::handleMasqueradesAsUndefined):
2566         (JSC::DFG::WatchpointCollectionPhase::globalObject):
2567         * ftl/FTLJSCall.cpp:
2568         (JSC::FTL::JSCall::link):
2569         * ftl/FTLLink.cpp:
2570         (JSC::FTL::link):
2571         * ftl/FTLLowerDFGToLLVM.cpp:
2572         (JSC::FTL::LowerDFGToLLVM::compileNode):
2573         (JSC::FTL::LowerDFGToLLVM::compileToThis):
2574         (JSC::FTL::LowerDFGToLLVM::compilePutById):
2575         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2576         (JSC::FTL::LowerDFGToLLVM::compileNewArray):
2577         (JSC::FTL::LowerDFGToLLVM::compileNewArrayBuffer):
2578         (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
2579         (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
2580         (JSC::FTL::LowerDFGToLLVM::compileGetMyScope):
2581         (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated):
2582         (JSC::FTL::LowerDFGToLLVM::getById):
2583         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
2584         (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructure):
2585         (JSC::FTL::LowerDFGToLLVM::masqueradesAsUndefinedWatchpointIsStillValid):
2586         (JSC::FTL::LowerDFGToLLVM::callPreflight):
2587
2588 2014-02-11  Filip Pizlo  <fpizlo@apple.com>
2589
2590         Fix assertions and incorrect codegen for CompareEq(ObjectOrOther:, Object:)
2591         https://bugs.webkit.org/show_bug.cgi?id=128648
2592
2593         Reviewed by Mark Lam.
2594         
2595         I did CompareEq(Object:, ObjectOrOther:) correctly but the flipped version wrong.
2596         That's what I get for running tests in release mode. It's hard to write a test for
2597         the incorrect codegen; that's kind of why the assertions are there.
2598
2599         * ftl/FTLLowerDFGToLLVM.cpp:
2600         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
2601
2602 2014-02-11  Filip Pizlo  <fpizlo@apple.com>
2603
2604         Unreviewed, trivial change to silence FTL assertions
2605
2606         Normally, lowJSValue() should only be used for UntypedUse. Here we are using it
2607         on ObjectOrOtherUse because we execute the speculation ourselves. The way you're
2608         supposed to do this is by passing ManualOperandSpeculation to tell lowJSValue() not
2609         to assert.
2610
2611         * ftl/FTLLowerDFGToLLVM.cpp:
2612         (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
2613
2614 2014-02-11  Filip Pizlo  <fpizlo@apple.com>
2615
2616         Use LLVM's dead store elimination
2617         https://bugs.webkit.org/show_bug.cgi?id=128638
2618
2619         Reviewed by Mark Hahnenberg.
2620         
2621         DFG's store elimination was being run too soon for comfort on the FTL path. It's
2622         really only sound when run after all other optimizations. Remove it from the FTL
2623         path.
2624         
2625         Enable LLVM store elimination. It's both easier to reason about and more
2626         comprehensive.
2627
2628         * dfg/DFGPlan.cpp:
2629         (JSC::DFG::Plan::compileInThreadImpl):
2630         * ftl/FTLCompile.cpp:
2631         (JSC::FTL::compile):
2632
2633 2014-02-11  Brian Burg  <bburg@apple.com>
2634
2635         Web Replay: upstream replay input code generator and EncodedValue class
2636         https://bugs.webkit.org/show_bug.cgi?id=128215
2637
2638         Reviewed by Joseph Pecoraro.
2639
2640         Add the replay inputs code generator. Most features of the input generator are
2641         exercised by included generator regression tests, which produce useful but
2642         non-compilable test replay inputs.
2643
2644         Add EncodedValue, the main replay input serialization class that encodes and
2645         decodes inputs and their data between C++ types and the JSON-based replay recording
2646         format. EncodedValue uses EncodingTraits specializations for type-specific encoding.
2647         Relative to other WebKit marshalling mechanisms, EncodedValue is key/value based.
2648         EncodedValue uses InspectorValue subclasses as its backing data structure.
2649
2650         Add some missing numerical conversions to InspectorValue.
2651
2652         * JavaScriptCore.xcodeproj/project.pbxproj:
2653         * inspector/InspectorValues.cpp:
2654         (Inspector::InspectorValue::asNumber):
2655         (Inspector::InspectorBasicValue::asNumber):
2656         * inspector/InspectorValues.h:
2657         * replay/EncodedValue.cpp: Added.
2658         (JSC::EncodedValue::asObject):
2659         (JSC::EncodedValue::asArray):
2660         (JSC::ScalarEncodingTraits<bool>::encodeValue):
2661         (JSC::ScalarEncodingTraits<double>::encodeValue):
2662         (JSC::ScalarEncodingTraits<float>::encodeValue):
2663         (JSC::ScalarEncodingTraits<int32_t>::encodeValue):
2664         (JSC::ScalarEncodingTraits<int64_t>::encodeValue):
2665         (JSC::ScalarEncodingTraits<uint32_t>::encodeValue):
2666         (JSC::ScalarEncodingTraits<uint64_t>::encodeValue):
2667         (JSC::long>::encodeValue):
2668         (JSC::EncodedValue::convertTo<bool>):
2669         (JSC::EncodedValue::convertTo<double>):
2670         (JSC::EncodedValue::convertTo<float>):
2671         (JSC::EncodedValue::convertTo<int32_t>):
2672         (JSC::EncodedValue::convertTo<int64_t>):
2673         (JSC::EncodedValue::convertTo<uint32_t>):
2674         (JSC::EncodedValue::convertTo<uint64_t>):
2675         (JSC::long>):
2676         (JSC::EncodedValue::convertTo<String>):
2677         (JSC::EncodedValue::put<EncodedValue>):
2678         (JSC::EncodedValue::append<EncodedValue>):
2679         (JSC::EncodedValue::get<EncodedValue>):
2680         * replay/EncodedValue.h: Added.
2681         (JSC::EncodedValue::EncodedValue):
2682         (JSC::EncodedValue::createObject):
2683         (JSC::EncodedValue::createArray):
2684         (JSC::EncodedValue::createString):
2685         (JSC::EncodedValue::~EncodedValue):
2686         (JSC::ScalarEncodingTraits::decodeValue):
2687         (JSC::EncodingTraits<String>::encodeValue):
2688         (JSC::EncodedValue::put):
2689         (JSC::EncodedValue::append):
2690         (JSC::EncodedValue::get):
2691         * replay/scripts/CodeGeneratorReplayInputs.py: Added.
2692         (ParseException):
2693         (TypecheckException):
2694         (Framework):
2695         (Framework.__init__):
2696         (Framework.setting):
2697         (Framework.fromString):
2698         (Frameworks):
2699         (InputQueue):
2700         (InputQueue.__init__):
2701         (InputQueue.setting):
2702         (InputQueue.fromString):
2703         (InputQueues):
2704         (Input):
2705         (Input.__init__):
2706         (Input.setting):
2707         (InputMember):
2708         (InputMember.__init__):
2709         (InputMember.has_flag):
2710         (TypeMode):
2711         (TypeMode.__init__):
2712         (TypeMode.fromString):
2713         (TypeModes):
2714         (Type):
2715         (Type.__init__):
2716         (Type.__eq__):
2717         (Type.__hash__):
2718         (Type.has_flag):
2719         (Type.is_struct):
2720         (Type.is_enum):
2721         (Type.is_enum_class):
2722         (Type.declaration_kind):
2723         (Type.qualified_prefix):
2724         (Type.qualified_prefix.is):
2725         (Type.type_name):
2726         (Type.storage_type):
2727         (Type.borrow_type):
2728         (Type.argument_type):
2729         (check_properties):
2730         (VectorType):
2731         (VectorType.__init__):
2732         (VectorType.has_flag):
2733         (VectorType.is_struct):
2734         (VectorType.is_enum):
2735         (VectorType.is_enum_class):
2736         (VectorType.qualified_prefix):
2737         (VectorType.type_name):
2738         (VectorType.argument_type):
2739         (InputsModel):
2740         (InputsModel.__init__):
2741         (InputsModel.enum_types):
2742         (InputsModel.get_type_for_member):
2743         (InputsModel.parse_toplevel):
2744         (InputsModel.parse_type_with_framework_name):
2745         (InputsModel.parse_input):
2746         (InputsModel.typecheck):
2747         (InputsModel.typecheck_type):
2748         (InputsModel.typecheck_input):
2749         (InputsModel.typecheck_input_member):
2750         (IncrementalFileWriter):
2751         (IncrementalFileWriter.__init__):
2752         (IncrementalFileWriter.write):
2753         (IncrementalFileWriter.close):
2754         (lcfirst):
2755         (wrap_with_guard):
2756         (Generator):
2757         (Generator.__init__):
2758         (Generator.setting):
2759         (Generator.output_filename):
2760         (Generator.write_output_files):
2761         (Generator.generate_header):
2762         (Generator.generate_implementation):
2763         (Generator.generate_license):
2764         (Generator.generate_includes):
2765         (Generator.generate_includes.declaration):
2766         (Generator.generate_includes.declaration.is):
2767         (Generator.generate_type_forward_declarations):
2768         (Generator.generate_type_forward_declarations.is):
2769         (Generator.generate_class_declaration):
2770         (Generator.generate_input_constructor_declaration):
2771         (Generator.generate_input_destructor_declaration):
2772         (Generator.generate_input_member_getter):
2773         (Generator.generate_input_member_declaration):
2774         (Generator.generate_input_member_tuples):
2775         (Generator.qualified_input_name):
2776         (Generator.generate_input_trait_declaration):
2777         (Generator.generate_enum_trait_declaration):
2778         (Generator.generate_for_each_macro):
2779         (Generator.generate_class_implementation):
2780         (Generator.generate_enum_trait_implementation):
2781         (Generator.generate_enum_trait_implementation.is):
2782         (Generator.generate_input_trait_implementation):
2783         (Generator.generate_input_encode_implementation):
2784         (Generator.generate_input_decode_implementation):
2785         (Generator.generate_constructor_initializer_list):
2786         (Generator.generate_constructor_formals_list):
2787         (Generator.generate_member_borrow_expression):
2788         (Generator.generate_member_move_expression):
2789         (Generator.generate_constructor_arguments_list):
2790         (generate_from_specification):
2791         * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Added.
2792         (Templates):
2793         * replay/scripts/tests/expected/JSInputs.json-TestReplayInputs.cpp: Added.
2794         * replay/scripts/tests/expected/JSInputs.json-TestReplayInputs.h: Added.
2795         * replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error: Added.
2796         * replay/scripts/tests/expected/fail-on-duplicate-input-names.json-error: Added.
2797         * replay/scripts/tests/expected/fail-on-duplicate-type-names.json-error: Added.
2798         * replay/scripts/tests/expected/fail-on-enum-type-missing-values.json-error: Added.
2799         * replay/scripts/tests/expected/fail-on-missing-input-member-name.json-error: Added.
2800         * replay/scripts/tests/expected/fail-on-missing-input-name.json-error: Added.
2801         * replay/scripts/tests/expected/fail-on-missing-input-queue.json-error: Added.
2802         * replay/scripts/tests/expected/fail-on-missing-type-mode.json-error: Added.
2803         * replay/scripts/tests/expected/fail-on-missing-type-name.json-error: Added.
2804         * replay/scripts/tests/expected/fail-on-no-inputs.json-error: Added.
2805         * replay/scripts/tests/expected/fail-on-no-types.json-error: Added.
2806         * replay/scripts/tests/expected/fail-on-unknown-input-queue.json-error: Added.
2807         * replay/scripts/tests/expected/fail-on-unknown-member-type.json-error: Added.
2808         * replay/scripts/tests/expected/fail-on-unknown-type-mode.json-error: Added.
2809         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp: Added.
2810         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h: Added.
2811         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp: Added.
2812         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h: Added.
2813         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-error: Added.
2814         * replay/scripts/tests/expected/generate-event-loop-shape-types.json-error: Added.
2815         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp: Added.
2816         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h: Added.
2817         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp: Added.
2818         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Added.
2819         * replay/scripts/tests/expected/generate-inputs-with-flags.json-error: Added.
2820         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp: Added.
2821         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h: Added.
2822         * replay/scripts/tests/fail-on-c-style-enum-no-storage.json: Added.
2823         * replay/scripts/tests/fail-on-duplicate-input-names.json: Added.
2824         * replay/scripts/tests/fail-on-duplicate-type-names.json: Added.
2825         * replay/scripts/tests/fail-on-enum-type-missing-values.json: Added.
2826         * replay/scripts/tests/fail-on-missing-input-member-name.json: Added.
2827         * replay/scripts/tests/fail-on-missing-input-name.json: Added.
2828         * replay/scripts/tests/fail-on-missing-input-queue.json: Added.
2829         * replay/scripts/tests/fail-on-missing-type-mode.json: Added.
2830         * replay/scripts/tests/fail-on-missing-type-name.json: Added.
2831         * replay/scripts/tests/fail-on-no-inputs.json: Added.
2832         * replay/scripts/tests/fail-on-no-types.json: Added.
2833         * replay/scripts/tests/fail-on-unknown-input-queue.json: Added.
2834         * replay/scripts/tests/fail-on-unknown-member-type.json: Added.
2835         * replay/scripts/tests/fail-on-unknown-type-mode.json: Added.
2836         * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json: Added.
2837         * replay/scripts/tests/generate-enum-encoding-helpers.json: Added.
2838         * replay/scripts/tests/generate-event-loop-shape-types.json: Added.
2839         * replay/scripts/tests/generate-input-with-guard.json: Added.
2840         * replay/scripts/tests/generate-input-with-vector-members.json: Added.
2841         * replay/scripts/tests/generate-inputs-with-flags.json: Added.
2842         * replay/scripts/tests/generate-memoized-type-modes.json: Added.
2843
2844 2014-02-11  Joseph Pecoraro  <pecoraro@apple.com>
2845
2846         Add Availability Macros to new JSC APIs
2847         https://bugs.webkit.org/show_bug.cgi?id=128615
2848
2849         Reviewed by Mark Rowe.
2850
2851         * API/JSContext.h:
2852         * API/JSContextRef.h:
2853
2854 2014-02-11  Filip Pizlo  <fpizlo@apple.com>
2855
2856         FTL should support CompareEq(ObjectOrOther:, Object:)
2857         https://bugs.webkit.org/show_bug.cgi?id=127752
2858
2859         Reviewed by Oliver Hunt.
2860         
2861         Also introduce some helpers for reasoning about nullness and truthiness.
2862
2863         * ftl/FTLCapabilities.cpp:
2864         (JSC::FTL::canCompile):
2865         * ftl/FTLLowerDFGToLLVM.cpp:
2866         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
2867         (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
2868         (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
2869         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
2870         (JSC::FTL::LowerDFGToLLVM::isNotNully):
2871         (JSC::FTL::LowerDFGToLLVM::isNully):
2872         (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
2873         * tests/stress/compare-eq-object-or-other-to-object.js: Added.
2874         (foo):
2875         (test):
2876         * tests/stress/compare-eq-object-to-object-or-other.js: Added.
2877         (foo):
2878         (test):
2879
2880 2014-02-11  Mark Hahnenberg  <mhahnenberg@apple.com>
2881
2882         32-bit LLInt writeBarrierOnGlobalObject is wrong
2883         https://bugs.webkit.org/show_bug.cgi?id=128556
2884
2885         Reviewed by Geoffrey Garen.
2886
2887         * llint/LowLevelInterpreter32_64.asm:
2888         * llint/LowLevelInterpreter64.asm: Also fixed the value check on 64-bit.
2889
2890 2014-02-11  Gabor Rapcsanyi  <rgabor@webkit.org>
2891
2892         LLInt typo error after r139004.
2893         https://bugs.webkit.org/show_bug.cgi?id=128592
2894
2895         Reviewed by Michael Saboff.
2896
2897         * offlineasm/arm.rb: change immediate to register in the condition
2898
2899 2014-02-10  Filip Pizlo  <fpizlo@apple.com>
2900
2901         LICM should gracefully handle unprofiled code
2902         https://bugs.webkit.org/show_bug.cgi?id=127848
2903
2904         Reviewed by Mark Hahnenberg.
2905
2906         * dfg/DFGLICMPhase.cpp:
2907         (JSC::DFG::LICMPhase::run):
2908
2909 2014-02-11  Mark Hahnenberg  <mhahnenberg@apple.com>
2910
2911         Obj-C API: JSExport doesn't work for methods that contain protocols in their type signature
2912         https://bugs.webkit.org/show_bug.cgi?id=128540
2913
2914         Reviewed by Oliver Hunt.
2915
2916         The bug is in parseObjCType in ObjcRuntimeExtras.h. When we see an '@' in the 
2917         type signature of a method, we assume that what follows the '@' is a class name, 
2918         so we call objc_getClass, and if that returns nil then we give up on the method 
2919         and don't export it.
2920
2921         This assumption doesn't work in the case of id<Protocol> because it's the name 
2922         of the protocol that follows the '@', not the name of a class. We should have 
2923         another fallback case for protocol names.
2924
2925         There's another case that also doesn't work, and that's the case of a named class 
2926         with a specified protocol in a method signature (e.g. NSObject<MyProtocol>). 
2927         There the substring of the type signature that represents the class is "NSObject<MyProtocol>", 
2928         which will also cause objc_getClass to return nil.
2929
2930         * API/ObjcRuntimeExtras.h:
2931         (parseObjCType):
2932         * API/tests/DateTests.mm: Also fixed an issue I noticed where we don't use an autorelease pool
2933         for the DateTests.
2934         * API/tests/JSExportTests.h: Added.
2935         * API/tests/JSExportTests.mm: Added.
2936         (-[TruthTeller returnTrue]):
2937         (-[ExportMethodWithIdProtocol methodWithIdProtocol:]):
2938         (-[ExportMethodWithClassProtocol methodWithClassProtocol:]):
2939         (+[JSExportTests exportInstanceMethodWithIdProtocolTest]):
2940         (+[JSExportTests exportInstanceMethodWithClassProtocolTest]):
2941         (runJSExportTests):
2942         * API/tests/testapi.mm:
2943         * JavaScriptCore.xcodeproj/project.pbxproj:
2944
2945 2014-02-10  Michael Saboff  <msaboff@apple.com>
2946
2947         Re-enable ARM Thumb2 disassembler
2948         https://bugs.webkit.org/show_bug.cgi?id=128577
2949
2950         Reviewed by Filip Pizlo.
2951
2952         Changed signature of tryToDisassemble() to match updates.
2953         Fixed typo in disassembler.
2954
2955         * disassembler/ARMv7/ARMv7DOpcode.cpp:
2956         * disassembler/ARMv7Disassembler.cpp:
2957         (JSC::tryToDisassemble):
2958
2959 2014-02-10  Mark Lam  <mark.lam@apple.com>
2960
2961         Removing limitation on JSLock's lockDropDepth.
2962         <https://webkit.org/b/128570>
2963
2964         Reviewed by Geoffrey Garen.
2965
2966         Now that we've switched to using the C stack, we no longer need to limit
2967         the JSLock::lockDropDepth to 2.
2968
2969         For C loop builds which still use the separate JSStack, the JSLock will
2970         enforce ordering for re-grabbing the lock after dropping it. Re-grabbing
2971         must occur in the reverse order of the dropping of the locks.
2972
2973         Ordering is achieved by JSLock::dropAllLocks() stashing away the
2974         JSLock::m_lockDropDepth in its DropAllLocks instance's m_dropDepth
2975         before unlocking the lock. Subsequently, JSLock::grabAllLocks() will
2976         ensure that JSLock::m_lockDropDepth equals its DropAllLocks instance's
2977         m_dropDepth before allowing the lock to be re-grabbed. Otherwise, it
2978         will yield execution and retry again later.
2979
2980         Note: because JSLock::m_lockDropDepth is protected by the JSLock's
2981         mutex, grabAllLocks() will optimistically lock the JSLock before doing
2982         the check on m_lockDropDepth. If the check fails, it will unlock the
2983         JSLock, yield, and then relock it again later before retrying the check.
2984         This ensures that m_lockDropDepth remains under the protection of the
2985         JSLock's mutex.
2986
2987         * runtime/JSLock.cpp:
2988         (JSC::JSLock::dropAllLocks):
2989         (JSC::JSLock::grabAllLocks):
2990         (JSC::JSLock::DropAllLocks::DropAllLocks):
2991         (JSC::JSLock::DropAllLocks::~DropAllLocks):
2992         * runtime/JSLock.h:
2993         (JSC::JSLock::DropAllLocks::setDropDepth):
2994         (JSC::JSLock::DropAllLocks::dropDepth):
2995
2996 2014-02-10  Filip Pizlo  <fpizlo@apple.com>
2997
2998         FTL should support ToThis
2999         https://bugs.webkit.org/show_bug.cgi?id=127751
3000
3001         Reviewed by Oliver Hunt.
3002
3003         * ftl/FTLCapabilities.cpp:
3004         (JSC::FTL::canCompile):
3005         * ftl/FTLIntrinsicRepository.h:
3006         * ftl/FTLLowerDFGToLLVM.cpp:
3007         (JSC::FTL::LowerDFGToLLVM::compileNode):
3008         (JSC::FTL::LowerDFGToLLVM::compileToThis):
3009         * tests/stress/to-this-polymorphic.js: Added.
3010         (foo):
3011
3012 2014-02-10  Filip Pizlo  <fpizlo@apple.com>
3013
3014         Rename Operations.h to JSCInlines.h
3015         https://bugs.webkit.org/show_bug.cgi?id=128543
3016
3017         Rubber stamped by Geoffrey Garen.
3018         
3019         Well, what this actually does is it splits Operations.h into a real Operations.h that
3020         actually contains "operations", and JSCInlines.h, which serves the role of being an
3021         inlines umbrella.
3022         
3023         * API/JSBase.cpp:
3024         * API/JSCTestRunnerUtils.cpp:
3025         * API/JSCallbackConstructor.cpp:
3026         * API/JSCallbackFunction.cpp:
3027         * API/JSCallbackObject.cpp:
3028         * API/JSClassRef.cpp:
3029         * API/JSContext.mm:
3030         * API/JSContextRef.cpp:
3031         * API/JSManagedValue.mm:
3032         * API/JSObjectRef.cpp:
3033         * API/JSScriptRef.cpp:
3034         * API/JSValue.mm:
3035         * API/JSValueRef.cpp:
3036         * API/JSWeakObjectMapRefPrivate.cpp:
3037         * API/JSWrapperMap.mm:
3038         * GNUmakefile.list.am:
3039         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3040         * JavaScriptCore.xcodeproj/project.pbxproj:
3041         * assembler/LinkBuffer.cpp:
3042         * bindings/ScriptFunctionCall.cpp:
3043         * bindings/ScriptObject.cpp:
3044         * bytecode/ArrayAllocationProfile.cpp:
3045         * bytecode/ArrayProfile.cpp:
3046         * bytecode/BytecodeBasicBlock.cpp:
3047         * bytecode/CallLinkInfo.cpp:
3048         * bytecode/CallLinkStatus.cpp:
3049         * bytecode/CodeBlock.cpp:
3050         * bytecode/CodeBlockJettisoningWatchpoint.cpp:
3051         * bytecode/CodeOrigin.cpp:
3052         * bytecode/ExecutionCounter.cpp:
3053         * bytecode/GetByIdStatus.cpp:
3054         * bytecode/LazyOperandValueProfile.cpp:
3055         * bytecode/MethodOfGettingAValueProfile.cpp:
3056         * bytecode/PreciseJumpTargets.cpp:
3057         * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
3058         * bytecode/PutByIdStatus.cpp:
3059         * bytecode/SamplingTool.cpp:
3060         * bytecode/SpecialPointer.cpp:
3061         * bytecode/SpeculatedType.cpp:
3062         * bytecode/StructureStubClearingWatchpoint.cpp:
3063         * bytecode/UnlinkedCodeBlock.cpp:
3064         * bytecode/ValueRecovery.cpp:
3065         * bytecompiler/BytecodeGenerator.cpp:
3066         * bytecompiler/NodesCodegen.cpp:
3067         * debugger/Debugger.cpp:
3068         * debugger/DebuggerActivation.cpp:
3069         * debugger/DebuggerCallFrame.cpp:
3070         * dfg/DFGAbstractHeap.cpp:
3071         * dfg/DFGAbstractValue.cpp:
3072         * dfg/DFGArgumentsSimplificationPhase.cpp:
3073         * dfg/DFGArithMode.cpp:
3074         * dfg/DFGArrayMode.cpp:
3075         * dfg/DFGAtTailAbstractState.cpp:
3076         * dfg/DFGAvailability.cpp:
3077         * dfg/DFGBackwardsPropagationPhase.cpp:
3078         * dfg/DFGBasicBlock.cpp:
3079         * dfg/DFGBinarySwitch.cpp:
3080         * dfg/DFGBlockInsertionSet.cpp:
3081         * dfg/DFGByteCodeParser.cpp:
3082         * dfg/DFGCFAPhase.cpp:
3083         * dfg/DFGCFGSimplificationPhase.cpp:
3084         * dfg/DFGCPSRethreadingPhase.cpp:
3085         * dfg/DFGCSEPhase.cpp:
3086         * dfg/DFGCapabilities.cpp:
3087         * dfg/DFGClobberSet.cpp:
3088         * dfg/DFGClobberize.cpp:
3089         * dfg/DFGCommon.cpp:
3090         * dfg/DFGCommonData.cpp:
3091         * dfg/DFGCompilationKey.cpp:
3092         * dfg/DFGCompilationMode.cpp:
3093         * dfg/DFGConstantFoldingPhase.cpp:
3094         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
3095         * dfg/DFGDCEPhase.cpp:
3096         * dfg/DFGDesiredIdentifiers.cpp:
3097         * dfg/DFGDesiredStructureChains.cpp:
3098         * dfg/DFGDesiredTransitions.cpp:
3099         * dfg/DFGDesiredWatchpoints.cpp:
3100         * dfg/DFGDesiredWeakReferences.cpp:
3101         * dfg/DFGDesiredWriteBarriers.cpp:
3102         * dfg/DFGDisassembler.cpp:
3103         * dfg/DFGDominators.cpp:
3104         * dfg/DFGDriver.cpp:
3105         * dfg/DFGEdge.cpp:
3106         * dfg/DFGFailedFinalizer.cpp:
3107         * dfg/DFGFinalizer.cpp:
3108         * dfg/DFGFixupPhase.cpp:
3109         * dfg/DFGFlushFormat.cpp:
3110         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
3111         * dfg/DFGFlushedAt.cpp:
3112         * dfg/DFGGraph.cpp:
3113         * dfg/DFGGraphSafepoint.cpp:
3114         * dfg/DFGInPlaceAbstractState.cpp:
3115         * dfg/DFGInvalidationPointInjectionPhase.cpp:
3116         * dfg/DFGJITCode.cpp:
3117         * dfg/DFGJITCompiler.cpp:
3118         * dfg/DFGJITFinalizer.cpp:
3119         * dfg/DFGJumpReplacement.cpp:
3120         * dfg/DFGLICMPhase.cpp:
3121         * dfg/DFGLazyJSValue.cpp:
3122         * dfg/DFGLivenessAnalysisPhase.cpp:
3123         * dfg/DFGLongLivedState.cpp:
3124         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
3125         * dfg/DFGMinifiedNode.cpp:
3126         * dfg/DFGNaturalLoops.cpp:
3127         * dfg/DFGNode.cpp:
3128         * dfg/DFGNodeFlags.cpp:
3129         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
3130         * dfg/DFGOSREntry.cpp:
3131         * dfg/DFGOSREntrypointCreationPhase.cpp:
3132         * dfg/DFGOSRExit.cpp:
3133         * dfg/DFGOSRExitBase.cpp:
3134         * dfg/DFGOSRExitCompiler.cpp:
3135         * dfg/DFGOSRExitCompiler32_64.cpp:
3136         * dfg/DFGOSRExitCompiler64.cpp:
3137         * dfg/DFGOSRExitCompilerCommon.cpp:
3138         * dfg/DFGOSRExitJumpPlaceholder.cpp:
3139         * dfg/DFGOSRExitPreparation.cpp:
3140         * dfg/DFGOperations.cpp:
3141         * dfg/DFGPhase.cpp:
3142         * dfg/DFGPlan.cpp:
3143         * dfg/DFGPredictionInjectionPhase.cpp:
3144         * dfg/DFGPredictionPropagationPhase.cpp:
3145         * dfg/DFGResurrectionForValidationPhase.cpp:
3146         * dfg/DFGSSAConversionPhase.cpp:
3147         * dfg/DFGSSALoweringPhase.cpp:
3148         * dfg/DFGSafepoint.cpp:
3149         * dfg/DFGSpeculativeJIT.cpp:
3150         * dfg/DFGSpeculativeJIT32_64.cpp:
3151         * dfg/DFGSpeculativeJIT64.cpp:
3152         * dfg/DFGStackLayoutPhase.cpp:
3153         * dfg/DFGStoreBarrierElisionPhase.cpp:
3154         * dfg/DFGStrengthReductionPhase.cpp:
3155         * dfg/DFGThreadData.cpp:
3156         * dfg/DFGThunks.cpp:
3157         * dfg/DFGTierUpCheckInjectionPhase.cpp:
3158         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
3159         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
3160         * dfg/DFGTypeCheckHoistingPhase.cpp:
3161         * dfg/DFGUnificationPhase.cpp:
3162         * dfg/DFGUseKind.cpp:
3163         * dfg/DFGValidate.cpp:
3164         * dfg/DFGValueSource.cpp:
3165         * dfg/DFGVariableAccessDataDump.cpp:
3166         * dfg/DFGVariableEvent.cpp:
3167         * dfg/DFGVariableEventStream.cpp:
3168         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
3169         * dfg/DFGWatchpointCollectionPhase.cpp:
3170         * dfg/DFGWorklist.cpp:
3171         * ftl/FTLAbstractHeap.cpp:
3172         * ftl/FTLAbstractHeapRepository.cpp:
3173         * ftl/FTLExitValue.cpp:
3174         * ftl/FTLLink.cpp:
3175         * ftl/FTLLowerDFGToLLVM.cpp:
3176         * ftl/FTLOSREntry.cpp:
3177         * ftl/FTLOSRExit.cpp:
3178         * ftl/FTLOSRExitCompiler.cpp:
3179         * ftl/FTLSlowPathCall.cpp:
3180         * heap/BlockAllocator.cpp:
3181         * heap/CodeBlockSet.cpp:
3182         * heap/ConservativeRoots.cpp:
3183         * heap/CopiedSpace.cpp:
3184         * heap/CopyVisitor.cpp:
3185         * heap/DeferGC.cpp:
3186         * heap/GCThread.cpp:
3187         * heap/GCThreadSharedData.cpp:
3188         * heap/HandleSet.cpp:
3189         * heap/HandleStack.cpp:
3190         * heap/Heap.cpp:
3191         * heap/HeapStatistics.cpp:
3192         * heap/HeapTimer.cpp:
3193         * heap/IncrementalSweeper.cpp:
3194         * heap/JITStubRoutineSet.cpp:
3195         * heap/MachineStackMarker.cpp:
3196         * heap/MarkStack.cpp:
3197         * heap/MarkedAllocator.cpp:
3198         * heap/MarkedBlock.cpp:
3199         * heap/MarkedSpace.cpp:
3200         * heap/SlotVisitor.cpp:
3201         * heap/SuperRegion.cpp:
3202         * heap/Weak.cpp:
3203         * heap/WeakBlock.cpp:
3204         * heap/WeakHandleOwner.cpp:
3205         * heap/WeakSet.cpp:
3206         * heap/WriteBarrierBuffer.cpp:
3207         * heap/WriteBarrierSupport.cpp:
3208         * inspector/InjectedScript.cpp:
3209         * inspector/InjectedScriptBase.cpp:
3210         * inspector/JSGlobalObjectScriptDebugServer.cpp:
3211         * inspector/JSInjectedScriptHost.cpp:
3212         * inspector/ScriptArguments.cpp:
3213         * inspector/ScriptCallStackFactory.cpp:
3214         * interpreter/AbstractPC.cpp:
3215         * interpreter/CallFrame.cpp:
3216         * interpreter/Interpreter.cpp:
3217         * interpreter/JSStack.cpp:
3218         * interpreter/ProtoCallFrame.cpp:
3219         * interpreter/StackVisitor.cpp:
3220         * interpreter/VMInspector.cpp:
3221         * jit/ArityCheckFailReturnThunks.cpp:
3222         * jit/AssemblyHelpers.cpp:
3223         * jit/ClosureCallStubRoutine.cpp:
3224         * jit/ExecutableAllocator.cpp:
3225         * jit/ExecutableAllocatorFixedVMPool.cpp:
3226         * jit/GCAwareJITStubRoutine.cpp:
3227         * jit/HostCallReturnValue.cpp:
3228         * jit/JIT.cpp:
3229         * jit/JITArithmetic.cpp:
3230         * jit/JITArithmetic32_64.cpp:
3231         * jit/JITCall.cpp:
3232         * jit/JITCall32_64.cpp:
3233         * jit/JITCode.cpp:
3234         * jit/JITDisassembler.cpp:
3235         * jit/JITExceptions.cpp:
3236         * jit/JITInlineCacheGenerator.cpp:
3237         * jit/JITInlines.h:
3238         * jit/JITOperations.cpp:
3239         * jit/JITOperationsMSVC64.cpp:
3240         * jit/JITStubRoutine.cpp:
3241         * jit/JITStubs.cpp:
3242         * jit/JITThunks.cpp:
3243         * jit/JITToDFGDeferredCompilationCallback.cpp:
3244         * jit/RegisterPreservationWrapperGenerator.cpp:
3245         * jit/RegisterSet.cpp:
3246         * jit/Repatch.cpp:
3247         * jit/TempRegisterSet.cpp:
3248         * jit/ThunkGenerators.cpp:
3249         * jsc.cpp:
3250         * llint/LLIntExceptions.cpp:
3251         * llint/LLIntSlowPaths.cpp:
3252         * llint/LowLevelInterpreter.cpp:
3253         * parser/Lexer.cpp:
3254         * parser/Nodes.cpp:
3255         * parser/Parser.cpp:
3256         * parser/ParserArena.cpp:
3257         * parser/SourceCode.cpp:
3258         * parser/SourceProvider.cpp:
3259         * parser/SourceProviderCache.cpp:
3260         * profiler/LegacyProfiler.cpp:
3261         * profiler/ProfileGenerator.cpp:
3262         * profiler/ProfilerBytecode.cpp:
3263         * profiler/ProfilerBytecodeSequence.cpp:
3264         * profiler/ProfilerBytecodes.cpp:
3265         * profiler/ProfilerCompilation.cpp:
3266         * profiler/ProfilerCompiledBytecode.cpp:
3267         * profiler/ProfilerDatabase.cpp:
3268         * profiler/ProfilerOSRExit.cpp:
3269         * profiler/ProfilerOSRExitSite.cpp:
3270         * profiler/ProfilerOrigin.cpp:
3271         * profiler/ProfilerOriginStack.cpp:
3272         * profiler/ProfilerProfiledBytecodes.cpp: