Remove two now-incorrect assertions after r168256.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-05-05  Andreas Kling  <akling@apple.com>

        Remove two now-incorrect assertions after r168256.

        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeSlowCase8):
        (JSC::JSRopeString::resolveRopeSlowCase):

2014-05-04  Andreas Kling  <akling@apple.com>

        Optimize JSRopeString for resolving directly to AtomicString.
        <https://webkit.org/b/132548>

        If we know that the JSRopeString we are resolving is going to be used
        as an AtomicString, we can try to avoid creating a new string.

        We do this by first resolving the rope into a stack buffer, and using
        that buffer as a key into the AtomicString table. If there is already
        an AtomicString with the same characters, we reuse that instead of
        constructing a new StringImpl.

        JSString gains these two public functions:

        - AtomicString toAtomicString()

            Returns an AtomicString, tries to avoid allocating a new string
            if possible.

        - AtomicStringImpl* toExistingAtomicString()

            Returns a non-null AtomicStringImpl* if one already exists in the
            AtomicString table. If none is found, the rope is left unresolved.

        Reviewed by Filip Pizlo.

        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeInternal8):
        (JSC::JSRopeString::resolveRopeInternal16):
        (JSC::JSRopeString::resolveRopeToAtomicString):
        (JSC::JSRopeString::clearFibers):
        (JSC::JSRopeString::resolveRopeToExistingAtomicString):
        (JSC::JSRopeString::resolveRope):
        (JSC::JSRopeString::outOfMemory):
        * runtime/JSString.h:
        (JSC::JSString::toAtomicString):
        (JSC::JSString::toExistingAtomicString):

2014-05-04  Andreas Kling  <akling@apple.com>

        Unreviewed, rolling out r168254.

        Very crashy on debug JSC tests.

        Reverted changeset:

        "jsSubstring() should be lazy"
        https://bugs.webkit.org/show_bug.cgi?id=132556
        http://trac.webkit.org/changeset/168254

2014-05-04  Filip Pizlo  <fpizlo@apple.com>

        jsSubstring() should be lazy
        https://bugs.webkit.org/show_bug.cgi?id=132556

        Reviewed by Andreas Kling.

        jsSubstring() is now lazy by using a special rope that is a substring instead of a
        concatenation. To make this patch super simple, we require that a substring's base is
        never a rope. Hence, when resolving a rope, we either go down a non-recursive substring
        path, or we go down a concatenation path which may see exactly one level of substrings in
        its fibers.

        This is up to a 50% speed-up on microbenchmarks and a 10% speed-up on Octane/regexp.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::specializedSweep):
        * runtime/JSString.cpp:
        (JSC::JSRopeString::visitFibers):
        (JSC::JSRopeString::resolveRope):
        (JSC::JSRopeString::resolveRopeSlowCase8):
        (JSC::JSRopeString::resolveRopeSlowCase):
        (JSC::JSRopeString::outOfMemory):
        * runtime/JSString.h:
        (JSC::JSRopeString::finishCreation):
        (JSC::JSRopeString::append):
        (JSC::JSRopeString::create):
        (JSC::JSRopeString::offsetOfFibers):
        (JSC::JSRopeString::fiber):
        (JSC::JSRopeString::substringBase):
        (JSC::JSRopeString::substringOffset):
        (JSC::JSRopeString::substringSentinel):
        (JSC::JSRopeString::isSubstring):
        (JSC::jsSubstring):
        * runtime/RegExpMatchesArray.cpp:
        (JSC::RegExpMatchesArray::reifyAllProperties):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncSubstring):
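
As an added illustration of the two entries above ("Optimize JSRopeString for resolving directly to AtomicString" and "jsSubstring() should be lazy"), here is a toy C++ model; it is not JavaScriptCore's code, and Impl, AtomicTable, Rope and the g_implsCreated counter are invented stand-ins for StringImpl, the AtomicString table and JSRopeString. The two check functions at the end build a rope whose content is already atomic and one whose content is not.

```cpp
#include <memory>
#include <string>
#include <unordered_map>
#include <utility>
#include <vector>

// Stand-in for StringImpl; allocations are counted to show when one was avoided.
using Impl = std::shared_ptr<const std::string>;
static int g_implsCreated = 0;
static Impl makeImpl(std::string chars) {
    ++g_implsCreated;
    return std::make_shared<const std::string>(std::move(chars));
}

// Stand-in for the AtomicString table: one canonical Impl per content.
class AtomicTable {
public:
    Impl findExisting(const std::string& chars) const {
        auto it = m_table.find(chars);
        return it == m_table.end() ? Impl() : it->second;
    }
    Impl add(Impl impl) { return m_table.emplace(*impl, impl).first->second; }
private:
    std::unordered_map<std::string, Impl> m_table;
};

// Toy JSRopeString. Exactly one of: resolved (impl set), a substring of a
// resolved base (base set), or a concatenation (fibers).
struct Rope {
    using Ptr = std::shared_ptr<Rope>;
    Impl impl;
    std::vector<Ptr> fibers;
    Ptr base;
    size_t offset = 0, length = 0;

    static Ptr flat(std::string s) {
        auto r = std::make_shared<Rope>();
        r->impl = makeImpl(std::move(s));
        r->length = r->impl->size();
        return r;
    }
    static Ptr concat(std::vector<Ptr> fs) {
        auto r = std::make_shared<Rope>();
        for (const auto& f : fs) r->length += f->length;
        r->fibers = std::move(fs);
        return r;
    }
    // jsSubstring(): lazy. A substring's base is never a rope, so an unresolved
    // base is flattened first.
    static Ptr substring(Ptr b, size_t off, size_t len) {
        b->resolve();
        auto r = std::make_shared<Rope>();
        r->base = std::move(b); r->offset = off; r->length = len;
        return r;
    }
    bool isRope() const { return !impl; }

    // resolveRope(): flatten into a new Impl and drop the fibers/base.
    Impl resolve() { if (!impl) adopt(makeImpl(flatten())); return impl; }
    // toExistingAtomicString(): flatten into a temporary buffer and use it as the
    // key. On a hit, adopt the table's Impl (no allocation); on a miss, return
    // null and stay an unresolved rope.
    Impl toExistingAtomicString(const AtomicTable& table) {
        Impl existing = table.findExisting(impl ? *impl : flatten());
        if (existing) adopt(existing);
        return existing;
    }
    // toAtomicString(): as above, but on a miss resolve once and register it.
    Impl toAtomicString(AtomicTable& table) {
        if (Impl existing = toExistingAtomicString(table)) return existing;
        return table.add(resolve());
    }

private:
    void adopt(Impl i) { impl = std::move(i); fibers.clear(); base = nullptr; }
    std::string flatten() const { std::string out; out.reserve(length); appendTo(out); return out; }
    // Substring: copy a slice of the flat base. Concatenation: walk the fibers.
    void appendTo(std::string& out) const {
        if (impl) out += *impl;
        else if (base) out.append(*base->impl, offset, length);
        else for (const auto& f : fibers) f->appendTo(out);
    }
};

// Constructed scenarios (not from the page); expected values are in the checks.
// "Core" is already atomic: returns {buffers allocated, rope adopted the table's Impl}.
std::pair<int, bool> existingAtomicHit() {
    AtomicTable table;
    Impl canonical = table.add(makeImpl("Core"));
    Rope::Ptr b = Rope::flat("JavaScriptCore");
    Rope::Ptr rope = Rope::concat({ Rope::substring(b, 10, 2), Rope::substring(b, 12, 2) });
    int before = g_implsCreated;
    Impl got = rope->toExistingAtomicString(table);
    return { g_implsCreated - before, got == canonical && rope->impl == canonical };
}
// Miss: returns {still a rope after toExistingAtomicString, buffers toAtomicString allocated}.
std::pair<bool, int> missThenCreate() {
    AtomicTable table;
    Rope::Ptr rope = Rope::concat({ Rope::flat("DFG"), Rope::flat("JIT") });
    bool stillRope = !rope->toExistingAtomicString(table) && rope->isRope();
    int before = g_implsCreated;
    rope->toAtomicString(table);
    return { stillRope, g_implsCreated - before };
}
```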

2014-05-02  Michael Saboff  <msaboff@apple.com>

        "arm64 function not 4-byte aligned" warnings when building JSC
        https://bugs.webkit.org/show_bug.cgi?id=132495

        Reviewed by Geoffrey Garen.

        Added ".align 4" for both ARM Thumb2 and ARM 64 to silence the linker.

        * llint/LowLevelInterpreter.cpp:

2014-05-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix cloop build after r168178

        * bytecode/CodeBlock.cpp:

2014-05-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add a DFG function whitelist
        https://bugs.webkit.org/show_bug.cgi?id=132437

        Reviewed by Geoffrey Garen.

        Often times when debugging, using bytecode ranges isn't enough to narrow down to the
        particular DFG block that's causing issues. This patch adds the ability to whitelist
        specific functions specified in a file to enable further filtering without having to recompile.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::isSupported):
        (JSC::DFG::mightInlineFunctionForCall):
        (JSC::DFG::mightInlineFunctionForClosureCall):
        (JSC::DFG::mightInlineFunctionForConstruct):
        * dfg/DFGFunctionWhitelist.cpp: Added.
        (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
        (JSC::DFG::FunctionWhitelist::FunctionWhitelist):
        (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
        (JSC::DFG::FunctionWhitelist::contains):
        * dfg/DFGFunctionWhitelist.h: Added.
        * runtime/Options.cpp:
        (JSC::parse):
        (JSC::Options::dumpOption):
        * runtime/Options.h:

2014-05-02  Filip Pizlo  <fpizlo@apple.com>

        DFGAbstractInterpreter should not claim Int52 arithmetic creates Int52s
        https://bugs.webkit.org/show_bug.cgi?id=132446

        Reviewed by Mark Hahnenberg.

        Basically any arithmetic operation can turn an Int52 into an Int32 or vice-versa, and
        our modeling of Int52Rep nodes is such that they can have either Int32 or Int52 type
        to indicate a bound on the value. This is useful for knowing, for example, that
        Int52Rep(Int32:) returns a value that cannot be outside the Int32 range. Also,
        ValueRep(Int52Rep:) uses this to determine whether it may return a double or an int.
        But this means that all arithmetic operations must be careful to note that they may
        turn Int32 inputs into an Int52 output or vice-versa, as these new tests show.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        * tests/stress/int52-ai-add-then-filter-int32.js: Added.
        (foo):
        * tests/stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js: Added.
        (foo):
        * tests/stress/int52-ai-mul-then-filter-int32-directly.js: Added.
        (foo):
        * tests/stress/int52-ai-mul-then-filter-int32.js: Added.
        (foo):
        * tests/stress/int52-ai-neg-then-filter-int32.js: Added.
        (foo):
        * tests/stress/int52-ai-sub-then-filter-int32.js: Added.
        (foo):

2014-05-01  Geoffrey Garen  <ggaren@apple.com>

        JavaScriptCore fails to build with some versions of clang
        https://bugs.webkit.org/show_bug.cgi?id=132436

        Reviewed by Anders Carlsson.

        * runtime/ArgumentsIteratorConstructor.cpp: Since we call
        putDirectWithoutTransition, and it calls putWillGrowOutOfLineStorage,
        and both are marked inline, it's valid for the compiler to decide
        to inline both and emit neither in the binary. Therefore, we need
        both inline definitions to be available in the translation unit at
        compile time, or we'll try to link against a function that doesn't exist.

2014-05-01  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r167964.
        https://bugs.webkit.org/show_bug.cgi?id=132431

        Memory improvements should not regress memory usage (Requested
        by olliej on #webkit).

        Reverted changeset:

        "Don't hold on to parameter BindingNodes forever"
        https://bugs.webkit.org/show_bug.cgi?id=132360
        http://trac.webkit.org/changeset/167964

2014-05-01  Filip Pizlo  <fpizlo@apple.com>

        Fix trivial debug-only race-that-crashes in CallLinkStatus and explain why the remaining races are totally awesome
        https://bugs.webkit.org/show_bug.cgi?id=132427

        Reviewed by Mark Hahnenberg.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):

2014-04-30  Simon Fraser  <simon.fraser@apple.com>

        Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO
        https://bugs.webkit.org/show_bug.cgi?id=132396

        Reviewed by Eric Carlson.

        Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO and related code.

        * Configurations/FeatureDefines.xcconfig:

2014-04-30  Filip Pizlo  <fpizlo@apple.com>

        Argument flush formats should not be presumed to be JSValue since 'this' is weird
        https://bugs.webkit.org/show_bug.cgi?id=132404

        Reviewed by Michael Saboff.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Don't assume that arguments are flushed as JSValue. Use the logic for locals instead.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): SetArgument "changes" the format because before this we wouldn't know we had arguments.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Ditto.
        * dfg/DFGValueSource.cpp:
        (JSC::DFG::ValueSource::dumpInContext): Make this easier to dump.
        * dfg/DFGValueSource.h:
        (JSC::DFG::ValueSource::operator!): Make this easier to dump because Operands<T> uses T::operator!().
        * ftl/FTLOSREntry.cpp:
        (JSC::FTL::prepareOSREntry): This had a useful assertion for everything except 'this'.
        * tests/stress/strict-to-this-int.js: Added.
        (foo):
        (Number.prototype.valueOf):
        (test):

2014-04-29  Oliver Hunt  <oliver@apple.com>

        Don't hold on to parameterBindingNodes forever
        https://bugs.webkit.org/show_bug.cgi?id=132360

        Reviewed by Geoffrey Garen.

        Don't keep the parameter nodes anymore. Instead we store the
        original parameter string and reparse whenever we actually
        need them. Because we only actually need them for compilation
        this only results in a single extra parse.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::visitChildren):
        (JSC::UnlinkedFunctionExecutable::finishCreation):
        (JSC::UnlinkedFunctionExecutable::paramString):
        (JSC::UnlinkedFunctionExecutable::parameters):
        (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::create):
        (JSC::UnlinkedFunctionExecutable::parameterCount):
        (JSC::UnlinkedFunctionExecutable::parameters): Deleted.
        (JSC::UnlinkedFunctionExecutable::finishCreation): Deleted.
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::ASTBuilder):
        (JSC::ASTBuilder::setFunctionBodyParameters):
        * parser/Nodes.h:
        (JSC::FunctionBodyNode::parametersStartOffset):
        (JSC::FunctionBodyNode::parametersEndOffset):
        (JSC::FunctionBodyNode::setParameterLocation):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::parseParameters):
        * parser/Parser.h:
        (JSC::parse):
        * parser/SourceCode.h:
        (JSC::SourceCode::subExpression):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::setFunctionBodyParameters):

2014-04-29  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSProxies should be cacheable
        https://bugs.webkit.org/show_bug.cgi?id=132351

        Reviewed by Geoffrey Garen.

        Whenever we encounter a proxy in an inline cache we should try to cache on the
        proxy's target instead of giving up.

        This patch adds support for a simple "recursive" inline cache if the base object
        we're accessing is a pure forwarding proxy. JSGlobalObject and its subclasses
        are the only ones to benefit from this right now.

        This is performance neutral on the benchmarks we track. Currently we won't
        cache on JSDOMWindow due to HasImpureGetOwnPropertySlot, but this issue will be fixed soon.

        * jit/Repatch.cpp:
        (JSC::generateByIdStub):
        (JSC::tryBuildGetByIDList):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionCreateProxy):
        * runtime/IntendedStructureChain.cpp:
        (JSC::IntendedStructureChain::isNormalized):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::isProxy):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::finishCreation):
        * runtime/JSProxy.h:
        (JSC::JSProxy::createStructure):
        (JSC::JSProxy::targetOffset):
        * runtime/JSType.h:
        * runtime/Operations.h:
        (JSC::isPrototypeChainNormalized):
        * runtime/Structure.h:
        (JSC::Structure::isProxy):
        * tests/stress/proxy-inline-cache.js: Added.
        (cacheOnTarget.getX):
        (cacheOnTarget):
        (cacheOnPrototypeOfTarget.getX):
        (cacheOnPrototypeOfTarget):
        (dontCacheOnProxyInPrototypeChain.getX):
        (dontCacheOnProxyInPrototypeChain):
        (dontCacheOnTargetOfProxyInPrototypeChainOfTarget.getX):
        (dontCacheOnTargetOfProxyInPrototypeChainOfTarget):

2014-04-29  Filip Pizlo  <fpizlo@apple.com>

        Use LLVM as a backend for the fourth-tier DFG JIT (a.k.a. the FTL JIT)
        https://bugs.webkit.org/show_bug.cgi?id=112840

        Rubber stamped by Geoffrey Garen.

        * Configurations/FeatureDefines.xcconfig:

2014-04-29  Geoffrey Garen  <ggaren@apple.com>

        String.prototype.trim removes U+200B from strings.
        https://bugs.webkit.org/show_bug.cgi?id=130184

        Reviewed by Michael Saboff.

        * runtime/StringPrototype.cpp:
        (JSC::trimString):
        (JSC::isTrimWhitespace): Deleted.

2014-04-29  Mark Lam  <mark.lam@apple.com>

        Zombifying sweep should ignore retired blocks.
        <https://webkit.org/b/132344>

        Reviewed by Mark Hahnenberg.

        By definition, retired blocks do not have "dead" objects, or at least
        none that we know of yet until the next marking phase has been run
        over it.  So, we should not be sweeping them (even for zombie mode).

        * heap/Heap.cpp:
        (JSC::Heap::zombifyDeadObjects):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::zombifySweep):
        * heap/MarkedSpace.h:
        (JSC::ZombifySweep::operator()):

2014-04-29  Mark Lam  <mark.lam@apple.com>

        Fix bit rot in zombie mode heap code.
        <https://webkit.org/b/132342>

        Reviewed by Mark Hahnenberg.

        Need to enter a DelayedReleaseScope before doing a sweep.

        * heap/Heap.cpp:
        (JSC::Heap::zombifyDeadObjects):

2014-04-29  Tomas Popela  <tpopela@redhat.com>

        LLINT loadisFromInstruction doesn't need special case for big endians
        https://bugs.webkit.org/show_bug.cgi?id=132330

        Reviewed by Mark Lam.

        The change introduced in r167076 was wrong. We should not apply the offset
        adjustment on loadisFromInstruction usage as the instruction
        (UnlinkedInstruction) is declared as a union (i.e. with the int32_t
        operand variable). The offset of the other union members will be the
        same as the offset of the first one, that is 0. The behavior here is the
        same on little and big endian architectures. Thus we don't need a
        special case for big endians.

        * llint/LowLevelInterpreter.asm:

2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        Simplify tryCacheGetById
        https://bugs.webkit.org/show_bug.cgi?id=132314

        Reviewed by Oliver Hunt and Filip Pizlo.

        This is neutral across all benchmarks we track, although it looks like a wee 0.5% progression on sunspider.

        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID): If we fail to cache on self, we just repatch to call tryBuildGetByIDList next time.

2014-04-28  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r153142) ASSERT from CodeBlock::dumpBytecode dumping String Switch Jump Tables
        https://bugs.webkit.org/show_bug.cgi?id=132315

        Reviewed by Mark Hahnenberg.

        Used the StringImpl version of utf8() instead of creating a String first.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):

2014-04-28  Filip Pizlo  <fpizlo@apple.com>

        The LLInt is awesome and it should get more of the action.

        Rubber stamped by Geoffrey Garen.

        5% speed-up on JSBench and no meaningful regressions.  Should be a PLT/DYE speed-up also.

        * runtime/Options.h:

2014-04-27  Filip Pizlo  <fpizlo@apple.com>

        GC should be able to remove things from the DFG worklist and cancel on-going compilations if it knows that the compilation would already be invalidated
        https://bugs.webkit.org/show_bug.cgi?id=132166

        Reviewed by Oliver Hunt and Mark Hahnenberg.

        The GC can aid type inference by removing structures that are dead and jettisoning
        code that relies on those structures. This can dramatically accelerate type inference
        for some tricky programs.

        Unfortunately, we previously pinned any structures that enqueued compilations depended
        on. This means that if you're on a machine that only runs a single compilation thread
        and where compilations are relatively slow, you have a high chance of large numbers of
        structures being pinned during any GC since the compilation queue is likely to be full
        of random stuff.

        This comprehensively fixes this issue by allowing the GC to remove compilation plans
        if the things they depend on are dead, and to even cancel safepointed compilations.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
        (JSC::CodeBlock::isKnownToBeLiveDuringGC):
        (JSC::CodeBlock::finalizeUnconditionally):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan): Deleted.
        * dfg/DFGDesiredIdentifiers.cpp:
        (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
        * dfg/DFGDesiredIdentifiers.h:
        * dfg/DFGDesiredWatchpoints.h:
        * dfg/DFGDesiredWeakReferences.cpp:
        (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
        * dfg/DFGDesiredWeakReferences.h:
        * dfg/DFGGraphSafepoint.cpp:
        (JSC::DFG::GraphSafepoint::GraphSafepoint):
        * dfg/DFGGraphSafepoint.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::notifyCompiling):
        (JSC::DFG::Plan::notifyCompiled):
        (JSC::DFG::Plan::notifyReady):
        (JSC::DFG::Plan::checkLivenessAndVisitChildren):
        (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
        (JSC::DFG::Plan::cancel):
        (JSC::DFG::Plan::visitChildren): Deleted.
        * dfg/DFGPlan.h:
        * dfg/DFGSafepoint.cpp:
        (JSC::DFG::Safepoint::Result::~Result):
        (JSC::DFG::Safepoint::Result::didGetCancelled):
        (JSC::DFG::Safepoint::Safepoint):
        (JSC::DFG::Safepoint::~Safepoint):
        (JSC::DFG::Safepoint::checkLivenessAndVisitChildren):
        (JSC::DFG::Safepoint::isKnownToBeLiveDuringGC):
        (JSC::DFG::Safepoint::cancel):
        (JSC::DFG::Safepoint::visitChildren): Deleted.
        * dfg/DFGSafepoint.h:
        (JSC::DFG::Safepoint::Result::Result):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::compilationState):
        (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
        (JSC::DFG::Worklist::removeAllReadyPlansForVM):
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::visitWeakReferences):
        (JSC::DFG::Worklist::removeDeadPlans):
        (JSC::DFG::Worklist::runThread):
        (JSC::DFG::Worklist::visitChildren): Deleted.
        * dfg/DFGWorklist.h:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLCompile.h:
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::visitCompilerWorklistWeakReferences):
        (JSC::Heap::removeDeadCompilerWorklistEntries):
        (JSC::Heap::visitWeakHandles):
        (JSC::Heap::collect):
        (JSC::Heap::visitCompilerWorklists): Deleted.
        * heap/Heap.h:

2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        Deleting properties poisons objects
        https://bugs.webkit.org/show_bug.cgi?id=131551

        Reviewed by Oliver Hunt.

        This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.

        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::create):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::hasDeletedOffset):
        (JSC::PropertyTable::hadDeletedOffset): If we ever had deleted properties we can no longer cache offsets when
        iterating properties because we're required to iterate properties in insertion order.
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
        (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of
        Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache
        delete transitions, but we allow transitioning from them.
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::addPropertyWithoutTransition):
        (JSC::Structure::removePropertyWithoutTransition):
        (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
        (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::setEnumerationCache):
        (JSC::Structure::hadDeletedOffsets):
        (JSC::Structure::propertyTable):
        (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
        * tests/stress/for-in-after-delete.js: Added.
        (foo):

2014-04-25  Andreas Kling  <akling@apple.com>

        Inline (C++) GetByVal with numeric indices more aggressively.
        <https://webkit.org/b/132218>

        We were already inlining the string indexed GetByVal path pretty well,
        while the path for numeric indices got neglected. No more!

        ~9.5% improvement on Dromaeo/dom-traverse.html on my MBP:

            Before: 199.50 runs/s
             After: 218.58 runs/s

        Reviewed by Phil Pizlo.

        * dfg/DFGOperations.cpp:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::get):

            ALWAYS_INLINE all the things.

        * runtime/JSObject.h:
        (JSC::JSObject::getPropertySlot):

            Avoid fetching the Structure more than once. We have the same
            optimization in the string-indexed code path.

2014-04-25  Oliver Hunt  <oliver@apple.com>

        Need earlier cell test
        https://bugs.webkit.org/show_bug.cgi?id=132211

        Reviewed by Mark Lam.

        Move cell test to before the function call repatch
        location, as the repatch logic for 32bit assumes that the
        caller will already have performed a cell check.

        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):

2014-04-25  Andreas Kling  <akling@apple.com>

        Un-fast-allocate JSGlobalObjectRareData because Windows doesn't build and I'm not in the mood.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::JSGlobalObjectRareData::JSGlobalObjectRareData):
        (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData): Deleted.

2014-04-25  Andreas Kling  <akling@apple.com>

        Windows build fix attempt.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData):

2014-04-25  Mark Lam  <mark.lam@apple.com>

        Refactor debugging code to use BreakpointActions instead of Vector<ScriptBreakpointAction>.
        <https://webkit.org/b/132201>

        Reviewed by Joseph Pecoraro.

        BreakpointActions is Vector<ScriptBreakpointAction>.  Let's just consistently use
        BreakpointActions everywhere.

        * inspector/ScriptBreakpoint.h:
        (Inspector::ScriptBreakpoint::ScriptBreakpoint):
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::setBreakpoint):
        (Inspector::ScriptDebugServer::getActionsForBreakpoint):
        * inspector/ScriptDebugServer.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::InspectorDebuggerAgent::setBreakpoint):
        (Inspector::InspectorDebuggerAgent::removeBreakpoint):
        * inspector/agents/InspectorDebuggerAgent.h:

2014-04-24  Filip Pizlo  <fpizlo@apple.com>

        DFG worklist scanning should not treat the key as a separate entity
        https://bugs.webkit.org/show_bug.cgi?id=132167

        Reviewed by Mark Hahnenberg.

        This simplifies the interface to the GC and will enable more optimizations.

        * dfg/DFGCompilationKey.cpp:
        (JSC::DFG::CompilationKey::visitChildren): Deleted.
        * dfg/DFGCompilationKey.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::visitChildren):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::visitChildren):

2014-04-25  Oliver Hunt  <oliver@apple.com>

        Remove unused parameter from codeblock linking function
        https://bugs.webkit.org/show_bug.cgi?id=132199

        Reviewed by Anders Carlsson.

        No change in behaviour. This is just a small change to make it
        slightly easier to reason about what the offsets in UnlinkedFunctionExecutable
        actually mean.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::link):
        * bytecode/UnlinkedCodeBlock.h:
        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::initializeGlobalProperties):

2014-04-25  Andreas Kling  <akling@apple.com>

        Mark some things with WTF_MAKE_FAST_ALLOCATED.
        <https://webkit.org/b/132198>

        Use FastMalloc for more things.

        Reviewed by Anders Carlsson.

        * builtins/BuiltinExecutables.h:
        * heap/GCThreadSharedData.h:
        * inspector/JSConsoleClient.h:
        * inspector/agents/InspectorAgent.h:
        * runtime/CodeCache.h:
        * runtime/JSGlobalObject.h:
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):
        (JSC::HashTable::deleteTable):
        * runtime/WeakGCMap.h:

2014-04-25  Antoine Quint  <graouts@webkit.org>

        Implement Array.prototype.find()
        https://bugs.webkit.org/show_bug.cgi?id=130966

        Reviewed by Oliver Hunt.

        Implement Array.prototype.find() and Array.prototype.findIndex() as proposed in the Harmony spec.

        * builtins/Array.prototype.js:
        (find):
        (findIndex):
        * runtime/ArrayPrototype.cpp:

2014-04-24  Brady Eidson  <beidson@apple.com>

        Rename "IMAGE_CONTROLS" feature to "SERVICE_CONTROLS"
        https://bugs.webkit.org/show_bug.cgi?id=132155

        Reviewed by Tim Horton.

        * Configurations/FeatureDefines.xcconfig:

2014-04-24  Michael Saboff  <msaboff@apple.com>

        REGRESSION: Apparent hang of PCE.js Mac OS System 7.0.1 on ARM64 devices
        https://bugs.webkit.org/show_bug.cgi?id=132147

        Reviewed by Mark Lam.

        Fixed or64(), eor32() and eor64() to use "src" register when we have a valid logicalImm.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::or64):
        (JSC::MacroAssemblerARM64::xor32):
        (JSC::MacroAssemblerARM64::xor64):
        * tests/stress/regress-132147.js: Added test.

2014-04-24  Mark Lam  <mark.lam@apple.com>

        Make slowPathAllocsBetweenGCs a runtime option.
        <https://webkit.org/b/132137>

        Reviewed by Mark Hahnenberg.

        This will make it easier to more casually run tests with this configuration
        as well as to reproduce issues (instead of requiring a code mod and rebuild).
        We will now take --slowPathAllocsBetweenGCs=N where N is the number of
        slow path allocations before we trigger a collection.

        The option defaults to 0, which is reserved to mean that we will not trigger
        any collections there.

        * heap/Heap.h:
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::doTestCollectionsIfNeeded):
        (JSC::MarkedAllocator::allocateSlowCase):
        * heap/MarkedAllocator.h:
        * runtime/Options.h:

2014-04-23  Mark Lam  <mark.lam@apple.com>

        The GC should only resume compiler threads that it suspended in the same GC pass.
        <https://webkit.org/b/132088>

        Reviewed by Mark Hahnenberg.

766         Previously, this scenario could occur:
767         1. Thread 1 starts a GC and tries to suspend DFG worklist threads.  However,
768            no worklists were created yet at that time.
769         2. Thread 2 starts to compile some functions and creates a DFG worklist, and
770            acquires the worklist thread's lock.
771         3. Thread 1's GC completes and tries to resume the suspended DFG worklist threads.
772            This time, it sees the worklist created by Thread 2 and ends up unlocking
773            the worklist thread's lock that is supposedly held by Thread 2.
774         Thereafter, chaos ensues.
775
776         The fix is to cache the worklists that were actually suspended by each GC pass,
777         and only resume those when the GC is done.
778
779         This issue was discovered by enabling COLLECT_ON_EVERY_ALLOCATION and running
780         the fast/workers layout tests.
781
782         * heap/Heap.cpp:
783         (JSC::Heap::visitCompilerWorklists):
784         (JSC::Heap::deleteAllCompiledCode):
785         (JSC::Heap::suspendCompilerThreads):
786         (JSC::Heap::resumeCompilerThreads):
787         * heap/Heap.h:
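
The race above, replayed in a small model (added illustration, not WebKit's code): the lock is an owner tag rather than a real mutex so the buggy path can run safely, and `Worklist`, `WorklistRegistry`, `BuggyHeap` and `FixedHeap` are stand-ins for the JSC types. The fixed heap remembers which worklists the current GC pass suspended and resumes only those.

```cpp
#include <memory>
#include <vector>

// A DFG compilation worklist with the lock the GC takes to suspend it. The lock
// is modelled as an owner tag so the buggy path can be shown without actually
// unlocking a mutex from the wrong thread.
struct Worklist {
    enum class Owner { None, GC, Compiler };
    Owner lockOwner = Owner::None;
};

// Worklists are created lazily by compiler threads (step 2 of the scenario).
struct WorklistRegistry {
    std::vector<std::shared_ptr<Worklist>> all;

    std::shared_ptr<Worklist> create()
    {
        auto worklist = std::make_shared<Worklist>();
        all.push_back(worklist);
        return worklist;
    }
};

// Buggy heap: resume re-walks the registry, so it also releases locks on
// worklists that did not exist when this GC pass suspended the threads.
struct BuggyHeap {
    void suspendCompilerThreads(WorklistRegistry& registry)
    {
        for (auto& worklist : registry.all)
            worklist->lockOwner = Worklist::Owner::GC;
    }

    void resumeCompilerThreads(WorklistRegistry& registry)
    {
        for (auto& worklist : registry.all)
            worklist->lockOwner = Worklist::Owner::None; // clobbers a lock held by Thread 2
    }
};

// Fixed heap: remember exactly which worklists this pass suspended and resume
// only those.
struct FixedHeap {
    std::vector<std::shared_ptr<Worklist>> suspendedThisPass;

    void suspendCompilerThreads(WorklistRegistry& registry)
    {
        suspendedThisPass.clear();
        for (auto& worklist : registry.all) {
            worklist->lockOwner = Worklist::Owner::GC;
            suspendedThisPass.push_back(worklist);
        }
    }

    void resumeCompilerThreads(WorklistRegistry&)
    {
        for (auto& worklist : suspendedThisPass)
            worklist->lockOwner = Worklist::Owner::None;
        suspendedThisPass.clear();
    }
};

// Replays steps 1-3 from the entry and reports whether Thread 2 still holds
// its lock after the GC finished.
template <typename Heap>
bool compilerLockSurvivesGC()
{
    WorklistRegistry registry;
    Heap heap;
    heap.suspendCompilerThreads(registry);            // 1: no worklists exist yet
    auto worklist = registry.create();                // 2: Thread 2 creates one...
    worklist->lockOwner = Worklist::Owner::Compiler;  //    ...and takes its lock
    heap.resumeCompilerThreads(registry);             // 3: GC finishes
    return worklist->lockOwner == Worklist::Owner::Compiler;
}

// Sanity check for the fix: a worklist that did exist when the GC started is
// still suspended and then resumed as before.
template <typename Heap>
bool existingWorklistIsSuspendedAndResumed()
{
    WorklistRegistry registry;
    Heap heap;
    auto worklist = registry.create();
    heap.suspendCompilerThreads(registry);
    bool suspended = worklist->lockOwner == Worklist::Owner::GC;
    heap.resumeCompilerThreads(registry);
    return suspended && worklist->lockOwner == Worklist::Owner::None;
}
```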
788
789 2014-04-23  Mark Hahnenberg  <mhahnenberg@apple.com>
790
791         Arguments::copyBackingStore needs to update m_registers in tandem with m_registerArray
792         https://bugs.webkit.org/show_bug.cgi?id=132079
793
794         Reviewed by Michael Saboff.
795
796         Since we're moving the register backing store, we don't want to leave a dangling pointer into a random CopiedBlock.
797
798         Also added a test that previously triggered this bug.
799
800         * runtime/Arguments.cpp:
801         (JSC::Arguments::copyBackingStore): D'oh!
802         * tests/stress/arguments-copy-register-array-backing-store.js: Added.
803         (foo):
804         (bar):
805
806 2014-04-23  Mark Rowe  <mrowe@apple.com>
807
808         [Mac] REGRESSION (r164823): Building JavaScriptCore creates files under /tmp/JavaScriptCore.dst
809         <https://webkit.org/b/132053>
810
811         Reviewed by Dan Bernstein.
812
813         * JavaScriptCore.xcodeproj/project.pbxproj: Don't try to create a symlink at /usr/local/bin/jsc inside
814         the DSTROOT unless we're building to the deployment location. Also remove the unnecessary -x argument
815         from /bin/sh since that generates unnecessary output.
816
817 2014-04-22  Mark Lam  <mark.lam@apple.com>
818
819         DFG::Worklist should acquire the m_lock before iterating DFG plans.
820         <https://webkit.org/b/132032>
821
822         Reviewed by Filip Pizlo.
823
824         Currently, there's a rightToRun mechanism that ensures that no compilation
825         threads are running when the GC is iterating through the DFG worklists.
826         However, this does not prevent a Worker thread from doing a DFG compilation
827         and modifying the plans in the worklists thereby invalidating the plan
828         iterator that the GC is using.  This patch fixes the issue by acquiring
829         the worklist m_lock before iterating the worklist plans.
830
831         This issue was uncovered by running the fast/workers layout tests with
832         COLLECT_ON_EVERY_ALLOCATION enabled.
833
834         * dfg/DFGWorklist.cpp:
835         (JSC::DFG::Worklist::isActiveForVM):
836         (JSC::DFG::Worklist::visitChildren):
837
838 2014-04-22  Brent Fulgham  <bfulgham@apple.com>
839
840         [Win] Support Python 2.7 in Cygwin
841         https://bugs.webkit.org/show_bug.cgi?id=132023
842
843         Reviewed by Michael Saboff.
844
845         * DerivedSources.make: Use a conditional variable to define
846         the path to Python/Perl.
847
848 2014-04-22  Filip Pizlo  <fpizlo@apple.com>
849
850         Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS
851         https://bugs.webkit.org/show_bug.cgi?id=130867
852         <rdar://problem/16432456> 
853
854         Reviewed by Mark Hahnenberg.
855
856         * Configurations/Base.xcconfig:
857         * Configurations/LLVMForJSC.xcconfig:
858
859 2014-04-22  Alex Christensen  <achristensen@webkit.org>
860
861         [Win] Unreviewed build fix after my r167666.
862
863         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
864         Added ../../../ again to include headers in Source/JavaScriptCore.
865
866 2014-04-22  Alex Christensen  <achristensen@webkit.org>
867
868         Removed old stdbool and inttypes headers.
869         https://bugs.webkit.org/show_bug.cgi?id=131966
870
871         Reviewed by Brent Fulgham.
872
873         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
874         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
875         Removed references to os-win32 directory.
876         * os-win32: Removed.
877         * os-win32/inttypes.h: Removed.
878         * os-win32/stdbool.h: Removed.
879
880 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
881
882         DFG::clobberize() should honestly admit that profiler and debugger nodes are effectful
883         https://bugs.webkit.org/show_bug.cgi?id=131971
884         <rdar://problem/16676511>
885
886         Reviewed by Mark Lam.
887
888         * dfg/DFGClobberize.h:
889         (JSC::DFG::clobberize):
890
891 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
892
893         Switch statements that skip the baseline JIT should work
894         https://bugs.webkit.org/show_bug.cgi?id=131965
895
896         Reviewed by Mark Hahnenberg.
897
898         * bytecode/JumpTable.h:
899         (JSC::SimpleJumpTable::ensureCTITable):
900         * dfg/DFGSpeculativeJIT.cpp:
901         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
902         * jit/JITOpcodes.cpp:
903         (JSC::JIT::emit_op_switch_imm):
904         (JSC::JIT::emit_op_switch_char):
905         * jit/JITOpcodes32_64.cpp:
906         (JSC::JIT::emit_op_switch_imm):
907         (JSC::JIT::emit_op_switch_char):
908         * tests/stress/inline-llint-with-switch.js: Added.
909         (foo):
910         (bar):
911         (test):
912
913 2014-04-21  Mark Hahnenberg  <mhahnenberg@apple.com>
914
915         Arguments objects shouldn't need a destructor
916         https://bugs.webkit.org/show_bug.cgi?id=131899
917
918         Reviewed by Oliver Hunt.
919
920         This patch rids Arguments objects of their destructors. It does this by 
921         switching their backing stores to use CopiedSpace rather than malloc memory.
922
923         * dfg/DFGSpeculativeJIT.cpp:
924         (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Fix the code emitted for inline
925         Arguments allocation so that it only emits an extra write for strict mode code rather
926         than unconditionally.
927         * heap/CopyToken.h: New CopyTokens for the two different types of Arguments backing stores.
928         * runtime/Arguments.cpp:
929         (JSC::Arguments::visitChildren): We need to tell the collector to copy the back stores now.
930         (JSC::Arguments::copyBackingStore): Do the actual copying of the backing stores.
931         (JSC::Arguments::deletePropertyByIndex): Update all the accesses to SlowArgumentData and m_registerArray.
932         (JSC::Arguments::deleteProperty):
933         (JSC::Arguments::defineOwnProperty):
934         (JSC::Arguments::allocateRegisterArray):
935         (JSC::Arguments::tearOff):
936         (JSC::Arguments::destroy): Deleted. We don't need the destructor any more.
937         * runtime/Arguments.h:
938         (JSC::Arguments::registerArraySizeInBytes):
939         (JSC::Arguments::SlowArgumentData::SlowArgumentData): Switch SlowArgumentData to being allocated
940         in CopiedSpace. Now the SlowArgumentData and its backing store are a single contiguous CopiedSpace
941         allocation.
942         (JSC::Arguments::SlowArgumentData::slowArguments):
943         (JSC::Arguments::SlowArgumentData::bytecodeToMachineCaptureOffset):
944         (JSC::Arguments::SlowArgumentData::setBytecodeToMachineCaptureOffset):
945         (JSC::Arguments::SlowArgumentData::sizeForNumArguments):
946         (JSC::Arguments::Arguments):
947         (JSC::Arguments::allocateSlowArguments):
948         (JSC::Arguments::tryDeleteArgument):
949         (JSC::Arguments::isDeletedArgument):
950         (JSC::Arguments::isArgument):
951         (JSC::Arguments::argument):
952         (JSC::Arguments::finishCreation):
953         * runtime/SymbolTable.h:
954
955 2014-04-21  Eric Carlson  <eric.carlson@apple.com>
956
957         [Mac] implement WebKitDataCue
958         https://bugs.webkit.org/show_bug.cgi?id=131799
959
960         Reviewed by Dean Jackson.
961
962         * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.
963
964 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
965
966         Unreviewed test gardening, run the repeat-out-of-bounds tests again.
967
968         * tests/stress/float32-repeat-out-of-bounds.js:
969         * tests/stress/int8-repeat-out-of-bounds.js:
970
971 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
972
973         OSR exit should know about Int52 and Double constants
974         https://bugs.webkit.org/show_bug.cgi?id=131945
975
976         Reviewed by Oliver Hunt.
977         
978         The DFG OSR exit machinery's ignorance would lead to some constants becoming
979         jsUndefined() after OSR exit.
980         
981         The FTL OSR exit machinery's ignorance just meant that we would sometimes use a
982         stackmap constant rather than baking the constant into the OSRExit data structure.
983         So, not a big deal, but worth fixing.
984         
985         Also added some helpful hacks to jsc.cpp for testing such OSR exit pathologies.
986
987         * dfg/DFGByteCodeParser.cpp:
988         (JSC::DFG::ByteCodeParser::handleIntrinsic):
989         * dfg/DFGMinifiedNode.h:
990         (JSC::DFG::belongsInMinifiedGraph):
991         (JSC::DFG::MinifiedNode::hasConstantNumber):
992         * ftl/FTLLowerDFGToLLVM.cpp:
993         (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
994         * jsc.cpp:
995         (GlobalObject::finishCreation):
996         (functionOtherFalse):
997         (functionUndefined):
998         * runtime/Intrinsic.h:
999         * tests/stress/fold-to-double-constant-then-exit.js: Added.
1000         (foo):
1001         * tests/stress/fold-to-int52-constant-then-exit.js: Added.
1002         (foo):
1003
1004 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
1005
1006         Provide feedback when we encounter an unrecognized node in the FTL backend.
1007
1008         Rubber stamped by Alexey Proskuryakov.
1009
1010         * ftl/FTLLowerDFGToLLVM.cpp:
1011         (JSC::FTL::LowerDFGToLLVM::compileNode):
1012
1013 2014-04-21  Andreas Kling  <akling@apple.com>
1014
1015         Move the JSString cache from DOMWrapperWorld to VM.
1016         <https://webkit.org/b/131940>
1017
1018         Reviewed by Geoff Garen.
1019
1020         * runtime/VM.h:
1021
1022 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
1023
1024         Take block execution count estimates into account when voting double
1025         https://bugs.webkit.org/show_bug.cgi?id=131906
1026
1027         Reviewed by Geoffrey Garen.
1028         
1029         This was a drama in three acts.
1030         
1031         Act I: Slurp in BasicBlock::executionCount and use it as a weight when counting the
1032             number of uses of a variable that want double or non-double. Easy as pie. This
1033             gave me a huge speed-up on FloatMM and a huge slow-down on basically everything
1034             else.
1035         
1036         Act II: Realize that there were some programs where our previous double voting was
1037             just on the edge of disaster and making it more precise tipped it over. In
1038             particular, if you had an integer variable that would infrequently be used in a
1039             computation that resulted in a variable that was frequently used as an array index,
1040             the outer infrequentness would be the thing we'd use in the vote. So, an array
1041             index would become double. We fix this by reviving global backwards propagation
1042             and introducing the concept of ReallyWantsInt, which is used just for array
1043             indices. Any variable transitively flagged as ReallyWantsInt will never be forced
1044             double. We need that flag to be separate from UsedAsInt, since UsedAsInt needs to
1045             be set in bitops for RageConversion but using it for double forcing is too much.
1046             Basically, it's cheaper to have to convert a double to an int for a bitop than it
1047             is to convert a double to an int for an array index; also a variable being used as
1048             an array index is a much stronger hint that it ought to be an int. This recovered
1049             performance on everything except programs that used FTL OSR entry.
1050         
1051         Act III: Realize that OSR entrypoint creation creates blocks that have NaN execution
1052             count, which then completely pollutes the weighting - essentially all votes go
1053             NaN. Fix this with some surgical defenses. Basically, any client of execution
1054             counts should allow for them to be NaN and shouldn't completely fall off a cliff
1055             when it happens.
1056         
1057         This is awesome. 75% speed-up on FloatMM. 11% speed-up on audio-dft. This leads to
1058         7% speed-up on AsmBench and 2% speed-up on Kraken.
1059
1060         * CMakeLists.txt:
1061         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1062         * JavaScriptCore.xcodeproj/project.pbxproj:
1063         * dfg/DFGBackwardsPropagationPhase.cpp:
1064         (JSC::DFG::BackwardsPropagationPhase::run):
1065         (JSC::DFG::BackwardsPropagationPhase::propagate):
1066         * dfg/DFGGraph.cpp:
1067         (JSC::DFG::Graph::dumpBlockHeader):
1068         * dfg/DFGGraph.h:
1069         (JSC::DFG::Graph::voteNode):
1070         (JSC::DFG::Graph::voteChildren):
1071         * dfg/DFGNodeFlags.cpp:
1072         (JSC::DFG::dumpNodeFlags):
1073         * dfg/DFGNodeFlags.h:
1074         * dfg/DFGOSREntrypointCreationPhase.cpp:
1075         (JSC::DFG::OSREntrypointCreationPhase::run):
1076         * dfg/DFGPlan.cpp:
1077         (JSC::DFG::Plan::compileInThreadImpl):
1078         * dfg/DFGPredictionPropagationPhase.cpp:
1079         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
1080         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
1081         * dfg/DFGVariableAccessData.cpp: Added.
1082         (JSC::DFG::VariableAccessData::VariableAccessData):
1083         (JSC::DFG::VariableAccessData::mergeIsCaptured):
1084         (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox):
1085         (JSC::DFG::VariableAccessData::predict):
1086         (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction):
1087         (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
1088         (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
1089         (JSC::DFG::VariableAccessData::mergeDoubleFormatState):
1090         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
1091         (JSC::DFG::VariableAccessData::flushFormat):
1092         * dfg/DFGVariableAccessData.h:
1093         (JSC::DFG::VariableAccessData::vote):
1094         (JSC::DFG::VariableAccessData::VariableAccessData): Deleted.
1095         (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
1096         (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox): Deleted.
1097         (JSC::DFG::VariableAccessData::predict): Deleted.
1098         (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction): Deleted.
1099         (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote): Deleted.
1100         (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat): Deleted.
1101         (JSC::DFG::VariableAccessData::mergeDoubleFormatState): Deleted.
1102         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat): Deleted.
1103         (JSC::DFG::VariableAccessData::flushFormat): Deleted.
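
The three acts above in a reduced model (added illustration, not WebKit's code): execution-count-weighted voting, `ReallyWantsInt` propagated backwards from array indices, and a NaN-tolerant weight. `Use`, `Variable` and the helper names are this example's own; the fallback of treating a NaN count as weight 1 is an assumption, not WebKit's exact defense.

```cpp
#include <cmath>
#include <vector>

// One use of a variable, weighted by the execution count of its block (Act I).
// Blocks made by OSR entrypoint creation can carry a NaN count (Act III).
struct Use {
    bool wantsDouble;
    double blockExecutionCount;
};

struct VariableAccessData {
    double doubleVotes = 0;
    double nonDoubleVotes = 0;

    void vote(bool wantsDouble, double weight) {
        (wantsDouble ? doubleVotes : nonDoubleVotes) += weight;
    }

    // Any NaN on either side makes the comparison false, so one NaN weight
    // silently decides the whole vote.
    bool shouldUseDoubleFormatAccordingToVote() const {
        return doubleVotes > nonDoubleVotes;
    }
};

struct Variable {
    VariableAccessData vad;
    bool usedAsArrayIndex = false;
    bool reallyWantsInt = false;
    std::vector<Variable*> feeds; // variables whose values flow into this one
};

// Defended weighting: a NaN execution count falls back to a neutral weight of 1.
// The fallback value is this example's choice, not taken from WebKit.
double defendedWeight(double executionCount) {
    return std::isnan(executionCount) ? 1.0 : executionCount;
}

// Tally the uses; the naive variant feeds NaN weights straight into the votes.
void tally(Variable& v, const std::vector<Use>& uses, bool defended) {
    for (const Use& u : uses) {
        double weight = defended ? defendedWeight(u.blockExecutionCount) : u.blockExecutionCount;
        v.vad.vote(u.wantsDouble, weight);
    }
}

// Act II: flag array-index variables ReallyWantsInt and propagate the flag
// backwards to everything that feeds them.
static void flagReallyWantsInt(Variable& v) {
    if (v.reallyWantsInt)
        return;
    v.reallyWantsInt = true;
    for (Variable* source : v.feeds)
        flagReallyWantsInt(*source);
}

void runBackwardsPropagation(const std::vector<Variable*>& all) {
    for (Variable* v : all)
        if (v->usedAsArrayIndex)
            flagReallyWantsInt(*v);
}

// A variable transitively flagged ReallyWantsInt is never forced double.
bool shouldUseDoubleFormat(const Variable& v) {
    return !v.reallyWantsInt && v.vad.shouldUseDoubleFormatAccordingToVote();
}

// Constructed Act III sample: a hot block (1000 runs) wants a double, a cold
// block (1 run) does not, and an OSR-entrypoint block with a NaN count also
// wants a double. Naive: NaN > 1 is false, so the variable stays non-double.
// Defended: 1001 double votes against 1, so it goes double.
bool verdictWithNaNBlock(bool defended) {
    Variable v;
    tally(v, { { true, 1000.0 }, { false, 1.0 }, { true, NAN } }, defended);
    return shouldUseDoubleFormat(v);
}

// Constructed Act II sample: k feeds the array index idx. By votes alone k goes
// double; with backwards propagation ReallyWantsInt keeps it an int.
bool indexSourceGoesDouble(bool withBackwardsPropagation) {
    Variable k, idx;
    idx.usedAsArrayIndex = true;
    idx.feeds.push_back(&k);
    tally(k, { { true, 1000.0 }, { false, 1.0 } }, true);
    std::vector<Variable*> all = { &k, &idx };
    if (withBackwardsPropagation)
        runBackwardsPropagation(all);
    return shouldUseDoubleFormat(k);
}
```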
1104
1105 2014-04-21  Michael Saboff  <msaboff@apple.com>
1106
1107         REGRESSION(r167591): ARM64 and ARM traditional builds broken
1108         https://bugs.webkit.org/show_bug.cgi?id=131935
1109
1110         Reviewed by Mark Hahnenberg.
1111
1112         Added store8(TrustedImm32, MacroAssembler::Address) to the ARM traditional and ARM64
1113         macro assemblers.  Added a new test for the original patch.
1114
1115         * assembler/MacroAssemblerARM.h:
1116         (JSC::MacroAssemblerARM::store8):
1117         * assembler/MacroAssemblerARM64.h:
1118         (JSC::MacroAssemblerARM64::store8):
1119         * tests/stress/dfg-create-arguments-inline-alloc.js: New test.
1120
1121 2014-04-21  Mark Hahnenberg  <mhahnenberg@apple.com>
1122
1123         Inline allocate Arguments objects in the DFG
1124         https://bugs.webkit.org/show_bug.cgi?id=131897
1125
1126         Reviewed by Geoffrey Garen.
1127
1128         Many libraries/frameworks depend on the arguments object for overloaded API entry points. 
1129         This is the first step to making Arguments fast(er). We'll duplicate the logic in Arguments::create 
1130         for now and take the slow path for complicated cases like slow arguments, tearing off for strict mode, etc.
1131
1132         * dfg/DFGSpeculativeJIT.cpp:
1133         (JSC::DFG::SpeculativeJIT::emitAllocateArguments):
1134         * dfg/DFGSpeculativeJIT.h:
1135         (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
1136         * dfg/DFGSpeculativeJIT32_64.cpp:
1137         (JSC::DFG::SpeculativeJIT::compile):
1138         * dfg/DFGSpeculativeJIT64.cpp:
1139         (JSC::DFG::SpeculativeJIT::compile):
1140         * runtime/Arguments.h:
1141         (JSC::Arguments::offsetOfActivation):
1142         (JSC::Arguments::offsetOfOverrodeLength):
1143         (JSC::Arguments::offsetOfIsStrictMode):
1144         (JSC::Arguments::offsetOfRegisterArray):
1145         (JSC::Arguments::offsetOfCallee):
1146         (JSC::Arguments::allocationSize):
1147
1148 2014-04-20  Andreas Kling  <akling@apple.com>
1149
1150         Speed up jsStringWithCache() through WeakGCMap inlining.
1151         <https://webkit.org/b/131923>
1152
1153         Always inline WeakGCMap::add() but move the slow garbage collecting
1154         path out-of-line.
1155
1156         Reviewed by Darin Adler.
1157
1158         * runtime/WeakGCMap.h:
1159         (JSC::WeakGCMap::add):
1160         (JSC::WeakGCMap::gcMap):
1161
1162 2014-04-20  László Langó  <llango.u-szeged@partner.samsung.com>
1163
1164         JavaScriptCore: ARM build fix after r167094.
1165         https://bugs.webkit.org/show_bug.cgi?id=131612
1166
1167         Reviewed by Michael Saboff.
1168
1169         After r167094 there are many build errors on ARM like these:
1170
1171             /tmp/ccgtHRno.s:370: Error: invalid constant (425a) after fixup
1172             /tmp/ccgtHRno.s:374: Error: invalid constant (426e) after fixup
1173             /tmp/ccgtHRno.s:378: Error: invalid constant (4282) after fixup
1174             /tmp/ccgtHRno.s:382: Error: invalid constant (4296) after fixup
1175
1176         The problem is caused by wrongly generated assembly like:
1177             "\tmov r2, (" LOCAL_LABEL_STRING(llint_op_strcat) " - " LOCAL_LABEL_STRING(relativePCBase) ")\n" // /home/webkit/WebKit/Source/JavaScriptCore/llint/LowLevelInterpreter.asm:741
1178
1179         `mov` can only move an 8-bit immediate, but not every constant fits into 8 bits. Clang converts
1180         the mov to a single movw or a movw and a movt, depending on the immediate, but binutils doesn't.
1181         Add a new ARM-specific offline assembler instruction (`mvlbl`) for the following llint_entry
1182         use case: `move rn, (label1-label2)`, which is translated to movw and movt.
1183
1184         * llint/LowLevelInterpreter.asm:
1185         * offlineasm/arm.rb:
1186         * offlineasm/instructions.rb:
1187
1188 2014-04-20  Csaba Osztrogonác  <ossy@webkit.org>
1189
1190         [ARM] Unreviewed build fix after r167336.
1191
1192         * assembler/MacroAssemblerARM.h:
1193         (JSC::MacroAssemblerARM::branchAdd32):
1194
1195 2014-04-20  Commit Queue  <commit-queue@webkit.org>
1196
1197         Unreviewed, rolling out r167501.
1198         https://bugs.webkit.org/show_bug.cgi?id=131913
1199
1200         It broke DYEBench (Requested by mhahnenberg on #webkit).
1201
1202         Reverted changeset:
1203
1204         "Deleting properties poisons objects"
1205         https://bugs.webkit.org/show_bug.cgi?id=131551
1206         http://trac.webkit.org/changeset/167501
1207
1208 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
1209
1210         It should be OK to store new fields into objects that have no prototypes
1211         https://bugs.webkit.org/show_bug.cgi?id=131905
1212
1213         Reviewed by Mark Hahnenberg.
1214
1215         * dfg/DFGByteCodeParser.cpp:
1216         (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
1217         * tests/stress/put-by-id-transition-null-prototype.js: Added.
1218         (foo):
1219
1220 2014-04-19  Benjamin Poulain  <bpoulain@apple.com>
1221
1222         Make the CSS JIT compile for ARM64
1223         https://bugs.webkit.org/show_bug.cgi?id=131834
1224
1225         Reviewed by Gavin Barraclough.
1226
1227         Extend the ARM64 MacroAssembler to support the code generation required by
1228         the CSS JIT.
1229
1230         * assembler/MacroAssembler.h:
1231         * assembler/MacroAssemblerARM64.h:
1232         (JSC::MacroAssemblerARM64::addPtrNoFlags):
1233         (JSC::MacroAssemblerARM64::or32):
1234         (JSC::MacroAssemblerARM64::branchPtr):
1235         (JSC::MacroAssemblerARM64::test32):
1236         (JSC::MacroAssemblerARM64::branch):
1237         * assembler/MacroAssemblerX86Common.h:
1238         (JSC::MacroAssemblerX86Common::test32):
1239
1240 2014-04-19  Andreas Kling  <akling@apple.com>
1241
1242         Two little shortcuts to the JSType.
1243         <https://webkit.org/b/131896>
1244
1245         Tweak two sites that take the long road through JSCell::structure()->typeInfo()
1246         to look at data that's already in JSCell::type().
1247
1248         Reviewed by Darin Adler.
1249
1250         * runtime/NameInstance.h:
1251         (JSC::isName):
1252         * runtime/NumberPrototype.cpp:
1253         (JSC::toThisNumber):
1254
1255 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
1256
1257         Make it easier to check if an integer sum would overflow
1258         https://bugs.webkit.org/show_bug.cgi?id=131900
1259
1260         Reviewed by Darin Adler.
1261
1262         * dfg/DFGOperations.cpp:
1263         * runtime/Operations.h:
1264         (JSC::jsString):
1265
1266 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
1267
1268         Address some feedback on https://bugs.webkit.org/show_bug.cgi?id=130684.
1269
1270         * dfg/DFGOperations.cpp:
1271         * runtime/JSString.h:
1272         (JSC::JSRopeString::RopeBuilder::append):
1273
1274 2014-04-18  Mark Lam  <mark.lam@apple.com>
1275
1276         REGRESSION(r164205): WebKit crash @StructureIDTable::get.
1277         <https://webkit.org/b/130539>
1278
1279         Reviewed by Geoffrey Garen.
1280
1281         prepareOSREntry() prepares for OSR entry by first copying the local var
1282         values from the baseline frame to a scratch buffer, which is then used
1283         to fill in the locals in their new position in the DFG frame.  Unfortunately,
1284         prepareOSREntry() was using the DFG frame's frameRegisterCount as the frame
1285         size of the baseline frame.  As a result, some values of locals in the
1286         baseline frame were not saved off, and the DFG frame may get initialized
1287         with random content that happened to be in the uninitialized (and possibly
1288         unallocated) portions of the scratch buffer.
1289
1290         The fix is to use OSREntryData::m_expectedValues.numberOfLocals() as the
1291         number of locals in the baseline frame that we want to copy to the scratch
1292         buffer.
1293
1294         Note: osrEntryThunkGenerator() is expecting the DFG frameRegisterCount
1295         at offset 0 in the scratch buffer.  So, we continue to write that value
1296         there, not the baseline frame size.
1297
1298         * dfg/DFGOSREntry.cpp:
1299         (JSC::DFG::prepareOSREntry):
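
The sizing bug above, modelled in a few lines (added illustration, not WebKit's code): values are plain integers, `kGarbage` stands for whatever a never-written scratch slot would really contain, and `BaselineFrame`, `DFGFrame` and the two `prepareOSREntry*` variants are this example's names. The buggy variant saves `frameRegisterCount` locals; the fixed one saves `numberOfLocals` locals while still writing `frameRegisterCount` at offset 0 for the entry thunk.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

// JS values are modelled as integers. kGarbage stands for whatever a real,
// never-written scratch slot happens to contain.
using Value = int64_t;
constexpr Value kGarbage = 0x0BAD;

struct BaselineFrame {
    std::vector<Value> locals; // numberOfLocals == locals.size()
};

struct DFGFrame {
    size_t frameRegisterCount = 0;
    std::vector<Value> locals;
};

// Scratch buffer layout assumed by the entry thunk: slot 0 holds the DFG
// frameRegisterCount, slots 1.. hold the saved baseline locals.
static std::vector<Value> newScratchBuffer(size_t numberOfLocals)
{
    return std::vector<Value>(1 + numberOfLocals, kGarbage);
}

// Buggy variant: the DFG frame's register count is used as the number of
// baseline locals to save. When it is smaller than numberOfLocals, the
// remaining slots keep their garbage. (The std::min is only a guard for this
// demo so it cannot read past the baseline frame.)
std::vector<Value> prepareOSREntryBuggy(const BaselineFrame& baseline, size_t frameRegisterCount)
{
    std::vector<Value> scratch = newScratchBuffer(baseline.locals.size());
    scratch[0] = static_cast<Value>(frameRegisterCount);
    size_t toCopy = std::min(frameRegisterCount, baseline.locals.size());
    std::copy_n(baseline.locals.begin(), toCopy, scratch.begin() + 1);
    return scratch;
}

// Fixed variant: copy numberOfLocals locals, but still write the DFG
// frameRegisterCount at offset 0, as the thunk expects.
std::vector<Value> prepareOSREntryFixed(const BaselineFrame& baseline, size_t frameRegisterCount)
{
    std::vector<Value> scratch = newScratchBuffer(baseline.locals.size());
    scratch[0] = static_cast<Value>(frameRegisterCount);
    std::copy(baseline.locals.begin(), baseline.locals.end(), scratch.begin() + 1);
    return scratch;
}

// The entry thunk side: rebuild the DFG frame's locals from the scratch buffer.
DFGFrame fillDFGFrame(const std::vector<Value>& scratch, size_t numberOfLocals)
{
    DFGFrame frame;
    frame.frameRegisterCount = static_cast<size_t>(scratch.at(0));
    frame.locals.assign(scratch.begin() + 1, scratch.begin() + 1 + numberOfLocals);
    return frame;
}

using PrepareFn = std::vector<Value> (*)(const BaselineFrame&, size_t);

// Runs one OSR entry with a baseline frame of numberOfLocals distinct values
// and reports how many DFG locals ended up holding garbage.
size_t garbageLocalsAfterEntry(PrepareFn prepare, size_t numberOfLocals, size_t frameRegisterCount)
{
    BaselineFrame baseline;
    for (size_t i = 0; i < numberOfLocals; ++i)
        baseline.locals.push_back(static_cast<Value>(100 + i));
    DFGFrame dfg = fillDFGFrame(prepare(baseline, frameRegisterCount), numberOfLocals);
    return static_cast<size_t>(std::count(dfg.locals.begin(), dfg.locals.end(), kGarbage));
}

// Offset 0 must carry the DFG frameRegisterCount in both variants.
size_t frameRegisterCountAtOffsetZero(PrepareFn prepare, size_t numberOfLocals, size_t frameRegisterCount)
{
    BaselineFrame baseline;
    baseline.locals.assign(numberOfLocals, 1);
    return static_cast<size_t>(prepare(baseline, frameRegisterCount).at(0));
}
```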
1300
1301 2014-04-18  Timothy Hatcher  <timothy@apple.com>
1302
1303         Web Inspector: Move InspectorProfilerAgent to JavaScriptCore
1304         https://bugs.webkit.org/show_bug.cgi?id=131673
1305
1306         Passes existing profiler and inspector tests.
1307
1308         Reviewed by Joseph Pecoraro.
1309
1310         * CMakeLists.txt:
1311         * DerivedSources.make:
1312         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1313         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1314         * JavaScriptCore.xcodeproj/project.pbxproj:
1315         * inspector/JSConsoleClient.cpp:
1316         (Inspector::JSConsoleClient::JSConsoleClient):
1317         (Inspector::JSConsoleClient::profile):
1318         (Inspector::JSConsoleClient::profileEnd):
1319         (Inspector::JSConsoleClient::count): Deleted.
1320         * inspector/JSConsoleClient.h:
1321         * inspector/JSGlobalObjectInspectorController.cpp:
1322         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1323         * inspector/agents/InspectorProfilerAgent.cpp: Added.
1324         (Inspector::InspectorProfilerAgent::InspectorProfilerAgent):
1325         (Inspector::InspectorProfilerAgent::~InspectorProfilerAgent):
1326         (Inspector::InspectorProfilerAgent::addProfile):
1327         (Inspector::InspectorProfilerAgent::createProfileHeader):
1328         (Inspector::InspectorProfilerAgent::enable):
1329         (Inspector::InspectorProfilerAgent::disable):
1330         (Inspector::InspectorProfilerAgent::getUserInitiatedProfileName):
1331         (Inspector::InspectorProfilerAgent::getProfileHeaders):
1332         (Inspector::buildInspectorObject):
1333         (Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
1334         (Inspector::InspectorProfilerAgent::getCPUProfile):
1335         (Inspector::InspectorProfilerAgent::removeProfile):
1336         (Inspector::InspectorProfilerAgent::reset):
1337         (Inspector::InspectorProfilerAgent::didCreateFrontendAndBackend):
1338         (Inspector::InspectorProfilerAgent::willDestroyFrontendAndBackend):
1339         (Inspector::InspectorProfilerAgent::start):
1340         (Inspector::InspectorProfilerAgent::stop):
1341         (Inspector::InspectorProfilerAgent::setRecordingProfile):
1342         (Inspector::InspectorProfilerAgent::startProfiling):
1343         (Inspector::InspectorProfilerAgent::stopProfiling):
1344         * inspector/agents/InspectorProfilerAgent.h: Added.
1345         * inspector/agents/JSGlobalObjectProfilerAgent.cpp: Copied from Source/WebCore/inspector/ScriptProfile.idl.
1346         (Inspector::JSGlobalObjectProfilerAgent::JSGlobalObjectProfilerAgent):
1347         (Inspector::JSGlobalObjectProfilerAgent::profilingGlobalExecState):
1348         * inspector/agents/JSGlobalObjectProfilerAgent.h: Copied from Source/WebCore/inspector/ScriptProfile.idl.
1349         * inspector/protocol/Profiler.json: Renamed from Source/WebCore/inspector/protocol/Profiler.json.
1350         * profiler/Profile.h:
1351         * runtime/ConsoleClient.h:
1352
1353 2014-04-18  Commit Queue  <commit-queue@webkit.org>
1354
1355         Unreviewed, rolling out r167527.
1356         https://bugs.webkit.org/show_bug.cgi?id=131883
1357
1358         Broke 32-bit build (Requested by ap on #webkit).
1359
1360         Reverted changeset:
1361
1362         "[Mac] implement WebKitDataCue"
1363         https://bugs.webkit.org/show_bug.cgi?id=131799
1364         http://trac.webkit.org/changeset/167527
1365
1366 2014-04-18  Eric Carlson  <eric.carlson@apple.com>
1367
1368         [Mac] implement WebKitDataCue
1369         https://bugs.webkit.org/show_bug.cgi?id=131799
1370
1371         Reviewed by Dean Jackson.
1372
1373         * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.
1374
1375 2014-04-18  Filip Pizlo  <fpizlo@apple.com>
1376
1377         Actually address Mark's review feedback.
1378
1379         * dfg/DFGOSRExitCompilerCommon.cpp:
1380         (JSC::DFG::handleExitCounts):
1381
1382 2014-04-18  Filip Pizlo  <fpizlo@apple.com>
1383
1384         Options::maximumExecutionCountsBetweenCheckpoints() should be higher for DFG->FTL tier-up but the same for other tier-ups
1385         https://bugs.webkit.org/show_bug.cgi?id=131850
1386
1387         Reviewed by Mark Hahnenberg.
1388         
1389         Templatize ExecutionCounter to allow for two different styles of calculating the
1390         checkpoint threshold.
1391         
1392         Appears to be a slight speed-up on DYEBench.
1393
1394         * bytecode/CodeBlock.h:
1395         (JSC::CodeBlock::llintExecuteCounter):
1396         (JSC::CodeBlock::offsetOfJITExecuteCounter):
1397         (JSC::CodeBlock::offsetOfJITExecutionActiveThreshold):
1398         (JSC::CodeBlock::offsetOfJITExecutionTotalCount):
1399         (JSC::CodeBlock::jitExecuteCounter):
1400         * bytecode/ExecutionCounter.cpp:
1401         (JSC::ExecutionCounter<countingVariant>::ExecutionCounter):
1402         (JSC::ExecutionCounter<countingVariant>::forceSlowPathConcurrently):
1403         (JSC::ExecutionCounter<countingVariant>::checkIfThresholdCrossedAndSet):
1404         (JSC::ExecutionCounter<countingVariant>::setNewThreshold):
1405         (JSC::ExecutionCounter<countingVariant>::deferIndefinitely):
1406         (JSC::applyMemoryUsageHeuristics):
1407         (JSC::applyMemoryUsageHeuristicsAndConvertToInt):
1408         (JSC::ExecutionCounter<countingVariant>::hasCrossedThreshold):
1409         (JSC::ExecutionCounter<countingVariant>::setThreshold):
1410         (JSC::ExecutionCounter<countingVariant>::reset):
1411         (JSC::ExecutionCounter<countingVariant>::dump):
1412         (JSC::ExecutionCounter::ExecutionCounter): Deleted.
1413         (JSC::ExecutionCounter::forceSlowPathConcurrently): Deleted.
1414         (JSC::ExecutionCounter::checkIfThresholdCrossedAndSet): Deleted.
1415         (JSC::ExecutionCounter::setNewThreshold): Deleted.
1416         (JSC::ExecutionCounter::deferIndefinitely): Deleted.
1417         (JSC::ExecutionCounter::applyMemoryUsageHeuristics): Deleted.
1418         (JSC::ExecutionCounter::applyMemoryUsageHeuristicsAndConvertToInt): Deleted.
1419         (JSC::ExecutionCounter::hasCrossedThreshold): Deleted.
1420         (JSC::ExecutionCounter::setThreshold): Deleted.
1421         (JSC::ExecutionCounter::reset): Deleted.
1422         (JSC::ExecutionCounter::dump): Deleted.
1423         * bytecode/ExecutionCounter.h:
1424         (JSC::formattedTotalExecutionCount):
1425         (JSC::ExecutionCounter::maximumExecutionCountsBetweenCheckpoints):
1426         (JSC::ExecutionCounter::clippedThreshold):
1427         (JSC::ExecutionCounter::formattedTotalCount): Deleted.
1428         * dfg/DFGJITCode.h:
1429         * dfg/DFGOSRExitCompilerCommon.cpp:
1430         (JSC::DFG::handleExitCounts):
1431         * llint/LowLevelInterpreter.asm:
1432         * runtime/Options.h:
1433
1434 2014-04-17  Mark Hahnenberg  <mhahnenberg@apple.com>
1435
1436         Deleting properties poisons objects
1437         https://bugs.webkit.org/show_bug.cgi?id=131551
1438
1439         Reviewed by Geoffrey Garen.
1440
1441         This is a ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.
1442
1443         * runtime/Structure.cpp:
1444         (JSC::Structure::Structure):
1445         (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
1446         (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of 
1447         Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache 
1448         delete transitions, but we allow transitioning from them.
1449         (JSC::Structure::changePrototypeTransition):
1450         (JSC::Structure::despecifyFunctionTransition):
1451         (JSC::Structure::attributeChangeTransition):
1452         (JSC::Structure::toDictionaryTransition):
1453         (JSC::Structure::preventExtensionsTransition):
1454         (JSC::Structure::addPropertyWithoutTransition):
1455         (JSC::Structure::removePropertyWithoutTransition):
1456         (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
1457         (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
1458         * runtime/Structure.h:
1459         * runtime/StructureInlines.h:
1460         (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
1461
1462 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
1463
1464         InlineCallFrameSet should be refcounted
1465         https://bugs.webkit.org/show_bug.cgi?id=131829
1466
1467         Reviewed by Geoffrey Garen.
1468         
1469         And DFG::Plan should hold a ref to it. Previously it was owned by Graph until it
1470         became owned by JITCode. Except that if we're "failing" to compile, JITCode may die.
1471         Even as it dies, the GC may still want to scan the DFG::Plan, which leads to scanning
1472         the DesiredWriteBarriers, which leads to scanning the InlineCallFrameSet.
1473         
1474         So, just make the darn thing refcounted.
1475
1476         * bytecode/InlineCallFrameSet.h:
1477         * dfg/DFGArgumentsSimplificationPhase.cpp:
1478         (JSC::DFG::ArgumentsSimplificationPhase::run):
1479         * dfg/DFGByteCodeParser.cpp:
1480         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1481         * dfg/DFGCommonData.h:
1482         * dfg/DFGGraph.cpp:
1483         (JSC::DFG::Graph::Graph):
1484         (JSC::DFG::Graph::requiredRegisterCountForExit):
1485         * dfg/DFGGraph.h:
1486         * dfg/DFGJITCompiler.cpp:
1487         (JSC::DFG::JITCompiler::link):
1488         * dfg/DFGPlan.cpp:
1489         (JSC::DFG::Plan::Plan):
1490         * dfg/DFGPlan.h:
1491         * dfg/DFGStackLayoutPhase.cpp:
1492         (JSC::DFG::StackLayoutPhase::run):
1493         * ftl/FTLFail.cpp:
1494         (JSC::FTL::fail):
1495         * ftl/FTLLink.cpp:
1496         (JSC::FTL::link):
1497
1498 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
1499
1500         FTL::fail() should manage memory "correctly"
1501         https://bugs.webkit.org/show_bug.cgi?id=131823
1502         <rdar://problem/16384297>
1503
1504         Reviewed by Oliver Hunt.
1505
1506         * ftl/FTLFail.cpp:
1507         (JSC::FTL::fail):
1508
1509 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
1510
1511         Prediction propagator should correctly model Int52s flowing through arguments
1512         https://bugs.webkit.org/show_bug.cgi?id=131822
1513         <rdar://problem/16641408>
1514
1515         Reviewed by Oliver Hunt.
1516
1517         * dfg/DFGPredictionPropagationPhase.cpp:
1518         (JSC::DFG::PredictionPropagationPhase::propagate):
1519         * tests/stress/int52-argument.js: Added.
1520         (foo):
1521         * tests/stress/int52-variable.js: Added.
1522         (foo):
1523
1524 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
1525
1526         REGRESSION: ASSERT(!typeInfo().hasImpureGetOwnPropertySlot() || typeInfo().newImpurePropertyFiresWatchpoints()) on jquery tests
1527         https://bugs.webkit.org/show_bug.cgi?id=131798
1528
1529         Reviewed by Alexey Proskuryakov.
1530         
1531         Some day, we will fix https://bugs.webkit.org/show_bug.cgi?id=131810 and some version
1532         of this assertion can return. For now, it's not clear that the assertion is guarding
1533         any truly undesirable behavior - so it should just go away and be replaced with a
1534         FIXME.
1535
1536         * bytecode/GetByIdStatus.cpp:
1537         (JSC::GetByIdStatus::computeForStubInfo):
1538         * runtime/Structure.h:
1539         (JSC::Structure::takesSlowPathInDFGForImpureProperty):
1540
1541 2014-04-17  David Kilzer  <ddkilzer@apple.com>
1542
1543         Blind attempt to fix Windows build after r166837
1544         <http://webkit.org/b/131246>
1545
1546         Hoping to fix this build error:
1547
1548             warning MSB8027: Two or more files with the name of GCLogging.cpp will produce outputs to the same location. This can lead to an incorrect build result.  The files involved are ..\heap\GCLogging.cpp, ..\heap\GCLogging.cpp.
1549
1550         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Fix copy-paste
1551         boo-boo by changing the GCLogging.cpp ClCompile entry to a
1552         GCLogging.h ClInclude entry.
1553
1554 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
1555
1556         AI for GetLocal should match the DFG backend, and in this case, the best way to do that is to get rid of the "exit if empty prediction" thing since it's a vestige of a time long gone
1557         https://bugs.webkit.org/show_bug.cgi?id=131764
1558
1559         Reviewed by Geoffrey Garen.
1560         
1561         The attached test case can be made to not crash by deleting old code. It used to be
1562         the case that the DFG needed empty prediction guards, for shady reasons. We fixed that
1563         long ago. At this point, these guards just make life difficult. So get rid of them.
1564
1565         * dfg/DFGAbstractInterpreterInlines.h:
1566         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1567         * dfg/DFGSpeculativeJIT32_64.cpp:
1568         (JSC::DFG::SpeculativeJIT::compile):
1569         * dfg/DFGSpeculativeJIT64.cpp:
1570         (JSC::DFG::SpeculativeJIT::compile):
1571         * tests/stress/bug-131764.js: Added.
1572         (test1):
1573         (test2):
1574
1575 2014-04-17  Darin Adler  <darin@apple.com>
1576
1577         Add separate flag for IndexedDatabase in workers since the current implementation is not threadsafe
1578         https://bugs.webkit.org/show_bug.cgi?id=131785
1579         rdar://problem/16003108
1580
1581         Reviewed by Brady Eidson.
1582
1583         * Configurations/FeatureDefines.xcconfig: Added INDEXED_DATABASE_IN_WORKERS.
1584
1585 2014-04-16  Alexey Proskuryakov  <ap@apple.com>
1586
1587         Build fix after http://trac.webkit.org/changeset/167416 (Sink NaN sanitization)
1588
1589         * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::speculate):
1590
1591 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
1592
1593         Extra error reporting for invalid value conversions
1594         https://bugs.webkit.org/show_bug.cgi?id=131786
1595
1596         Rubber stamped by Ryosuke Niwa.
1597
1598         * dfg/DFGFixupPhase.cpp:
1599         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
1600
1601 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
1602
1603         Sink NaN sanitization to uses and remove it when it's unnecessary
1604         https://bugs.webkit.org/show_bug.cgi?id=131419
1605
1606         Reviewed by Oliver Hunt.
1607         
1608         This moves NaN purification to stores that could see an impure NaN.
1609         
1610         5% speed-up on AsmBench, 50% speed-up on AsmBench/n-body. It is a regression on FloatMM
1611         though, because of the other bug that causes that benchmark to box doubles in a loop.
1612
1613         * bytecode/SpeculatedType.h:
1614         (JSC::isInt32SpeculationForArithmetic):
1615         (JSC::isMachineIntSpeculationForArithmetic):
1616         (JSC::isDoubleSpeculation):
1617         (JSC::isDoubleSpeculationForArithmetic):
1618         * dfg/DFGAbstractInterpreterInlines.h:
1619         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1620         * dfg/DFGAbstractValue.cpp:
1621         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
1622         * dfg/DFGFixupPhase.cpp:
1623         (JSC::DFG::FixupPhase::fixupNode):
1624         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
1625         * dfg/DFGInPlaceAbstractState.cpp:
1626         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
1627         * dfg/DFGPredictionPropagationPhase.cpp:
1628         (JSC::DFG::PredictionPropagationPhase::propagate):
1629         * dfg/DFGSpeculativeJIT.cpp:
1630         (JSC::DFG::SpeculativeJIT::compileValueRep):
1631         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
1632         * dfg/DFGUseKind.h:
1633         (JSC::DFG::typeFilterFor):
1634         * ftl/FTLLowerDFGToLLVM.cpp:
1635         (JSC::FTL::LowerDFGToLLVM::compileValueRep):
1636         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
1637         * runtime/PureNaN.h:
1638         * tests/stress/float32-array-nan-inlined.js: Added.
1639         (foo):
1640         (test):
1641         * tests/stress/float32-array-nan.js: Added.
1642         (foo):
1643         (test):
1644         * tests/stress/float64-array-nan-inlined.js: Added.
1645         (foo):
1646         (isBigEndian):
1647         (test):
1648         * tests/stress/float64-array-nan.js: Added.
1649         (foo):
1650         (isBigEndian):
1651         (test):
1652
1653 2014-04-16  Brent Fulgham  <bfulgham@apple.com>
1654
1655         [Win] Unreviewed Windows gardening. Restrict our new 'isinf' check
1656         to 32-bit builds, and revise the comment to explain what we are
1657         doing.
1658
1659         * runtime/JSCJSValueInlines.h:
1660         (JSC::JSValue::isMachineInt): Provide motivation for the new
1661         'isinf' check for our 32-bit code path.
1662
1663 2014-04-16  Juergen Ributzka  <juergen@apple.com>
1664
1665         Allocate the data section on the heap again for FTL on ARM64
1666         https://bugs.webkit.org/show_bug.cgi?id=130156
1667
1668         Reviewed by Geoffrey Garen and Filip Pizlo.
1669
1670         * ftl/FTLCompile.cpp:
1671         (JSC::FTL::mmAllocateDataSection):
1672         * ftl/FTLDataSection.cpp:
1673         (JSC::FTL::DataSection::DataSection):
1674         (JSC::FTL::DataSection::~DataSection):
1675         * ftl/FTLDataSection.h:
1676
1677 2014-04-16  Mark Lam  <mark.lam@apple.com>
1678
1679         Crash in CodeBlock::setOptimizationThresholdBasedOnCompilationResult() when the debugger activates.
1680         <https://webkit.org/b/131747>
1681
1682         Reviewed by Filip Pizlo.
1683
1684         When the debugger is about to activate (e.g. enter stepping mode), it first
1685         waits for all DFG compilations to complete.  However, when the DFG completes,
1686         if compilation is successful, it will install a new DFG codeBlock.  The
1687         CodeBlock installation process is required to register codeBlocks with the
1688         debugger.  Debugger::registerCodeBlock() will eventually call
1689         CodeBlock::setSteppingMode() which may jettison the DFG codeBlock that we're
1690         trying to install.  Thereafter, chaos ensues.
1691
1692         This jettisoning only happens because the debugger currently sets its
1693         m_steppingMode flag before waiting for compilation to complete.  The fix is
1694         simply to set that flag only after compilation is complete.
1695
1696         * debugger/Debugger.cpp:
1697         (JSC::Debugger::setSteppingMode):
1698         (JSC::Debugger::registerCodeBlock):
1699
1700 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
1701
1702         Discern between NaNs that would be safe to tag and NaNs that need some purification before tagging
1703         https://bugs.webkit.org/show_bug.cgi?id=131420
1704
1705         Reviewed by Oliver Hunt.
1706         
1707         Rationalizes our handling of NaNs. We now have the notion of pureNaN(), or PNaN, which
1708         replaces QNaN and represents a "safe" NaN for our tagging purposes. NaN purification now
1709         goes through the purifyNaN() API.
1710         
1711         SpeculatedType and its clients can now distinguish between a PureNaN and an ImpureNaN.
1712         
1713         Prediction propagator is made slightly more cautious when dealing with NaNs. It doesn't
1714         have to be too cautious since most prediction-based logic only cares about whether or not
1715         a value could be an integer.
1716         
1717         AI is made much more cautious when dealing with NaNs. We don't yet introduce ImpureNaN
1718         anywhere in the compiler, but when we do, we ought to be able to trust AI to propagate it
1719         soundly and precisely.
1720         
1721         No performance change because this just unblocks
1722         https://bugs.webkit.org/show_bug.cgi?id=131419.
1723
1724         * API/JSValueRef.cpp:
1725         (JSValueMakeNumber):
1726         (JSValueToNumber):
1727         * JavaScriptCore.xcodeproj/project.pbxproj:
1728         * bytecode/SpeculatedType.cpp:
1729         (JSC::dumpSpeculation):
1730         (JSC::speculationFromValue):
1731         (JSC::typeOfDoubleSum):
1732         (JSC::typeOfDoubleDifference):
1733         (JSC::typeOfDoubleProduct):
1734         (JSC::polluteDouble):
1735         (JSC::typeOfDoubleQuotient):
1736         (JSC::typeOfDoubleMinMax):
1737         (JSC::typeOfDoubleNegation):
1738         (JSC::typeOfDoubleAbs):
1739         (JSC::typeOfDoubleFRound):
1740         (JSC::typeOfDoubleBinaryOp):
1741         (JSC::typeOfDoubleUnaryOp):
1742         * bytecode/SpeculatedType.h:
1743         * dfg/DFGAbstractInterpreterInlines.h:
1744         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1745         * dfg/DFGByteCodeParser.cpp:
1746         (JSC::DFG::ByteCodeParser::handleInlining):
1747         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1748         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
1749         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
1750         * dfg/DFGInPlaceAbstractState.cpp:
1751         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
1752         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
1753         (JSC::DFG::createPreHeader):
1754         * dfg/DFGNode.h:
1755         (JSC::DFG::BranchTarget::BranchTarget):
1756         * dfg/DFGOSREntrypointCreationPhase.cpp:
1757         (JSC::DFG::OSREntrypointCreationPhase::run):
1758         * dfg/DFGOSRExitCompiler32_64.cpp:
1759         (JSC::DFG::OSRExitCompiler::compileExit):
1760         * dfg/DFGOSRExitCompiler64.cpp:
1761         (JSC::DFG::OSRExitCompiler::compileExit):
1762         * dfg/DFGPredictionPropagationPhase.cpp:
1763         (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
1764         (JSC::DFG::PredictionPropagationPhase::propagate):
1765         * dfg/DFGSpeculativeJIT.cpp:
1766         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
1767         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1768         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
1769         * dfg/DFGSpeculativeJIT32_64.cpp:
1770         (JSC::DFG::SpeculativeJIT::compile):
1771         * dfg/DFGSpeculativeJIT64.cpp:
1772         (JSC::DFG::SpeculativeJIT::compile):
1773         * dfg/DFGVariableAccessData.h:
1774         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
1775         * ftl/FTLLowerDFGToLLVM.cpp:
1776         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
1777         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
1778         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
1779         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
1780         (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
1781         (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
1782         (JSC::FTL::LowerDFGToLLVM::allocateJSArray):
1783         * ftl/FTLValueFormat.cpp:
1784         (JSC::FTL::reboxAccordingToFormat):
1785         * jit/AssemblyHelpers.cpp:
1786         (JSC::AssemblyHelpers::purifyNaN):
1787         (JSC::AssemblyHelpers::sanitizeDouble): Deleted.
1788         * jit/AssemblyHelpers.h:
1789         * jit/JITPropertyAccess.cpp:
1790         (JSC::JIT::emitFloatTypedArrayGetByVal):
1791         * runtime/DateConstructor.cpp:
1792         (JSC::constructDate):
1793         * runtime/DateInstanceCache.h:
1794         (JSC::DateInstanceData::DateInstanceData):
1795         (JSC::DateInstanceCache::reset):
1796         * runtime/ExceptionHelpers.cpp:
1797         (JSC::TerminatedExecutionError::defaultValue):
1798         * runtime/JSArray.cpp:
1799         (JSC::JSArray::setLength):
1800         (JSC::JSArray::pop):
1801         (JSC::JSArray::shiftCountWithAnyIndexingType):
1802         (JSC::JSArray::sortVector):
1803         (JSC::JSArray::compactForSorting):
1804         * runtime/JSArray.h:
1805         (JSC::JSArray::create):
1806         (JSC::JSArray::tryCreateUninitialized):
1807         * runtime/JSCJSValue.cpp:
1808         (JSC::JSValue::toNumberSlowCase):
1809         * runtime/JSCJSValue.h:
1810         * runtime/JSCJSValueInlines.h:
1811         (JSC::jsNaN):
1812         (JSC::JSValue::JSValue):
1813         (JSC::JSValue::getPrimitiveNumber):
1814         * runtime/JSGlobalObjectFunctions.cpp:
1815         (JSC::parseInt):
1816         (JSC::jsStrDecimalLiteral):
1817         (JSC::toDouble):
1818         (JSC::jsToNumber):
1819         (JSC::parseFloat):
1820         * runtime/JSObject.cpp:
1821         (JSC::JSObject::createInitialDouble):
1822         (JSC::JSObject::convertUndecidedToDouble):
1823         (JSC::JSObject::convertInt32ToDouble):
1824         (JSC::JSObject::deletePropertyByIndex):
1825         (JSC::JSObject::ensureLengthSlow):
1826         * runtime/MathObject.cpp:
1827         (JSC::mathProtoFuncMax):
1828         (JSC::mathProtoFuncMin):
1829         * runtime/PureNaN.h: Added.
1830         (JSC::pureNaN):
1831         (JSC::isImpureNaN):
1832         (JSC::purifyNaN):
1833         * runtime/TypedArrayAdaptors.h:
1834         (JSC::FloatTypedArrayAdaptor::toJSValue):
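The entry above ("Discern between NaNs that would be safe to tag...") and the earlier "Sink NaN sanitization" entry name pureNaN(), isImpureNaN() and purifyNaN() but do not spell out what makes a NaN impure or why a boxed-value encoding cannot tolerate one. The block below is an added example written for this page, not JavaScriptCore's PureNaN.h or its JSValue encoding: the boxing scheme (a pointer tag of 0xfff8 in the top 16 bits), the namespace `nan_example` and the helper names `bitsOf`, `doubleFromBits`, `wouldBeMisreadAsPointer` and `widenFloat32` are assumptions chosen for illustration.

```cpp
// Added example (not JavaScriptCore code): canonical ("pure") NaN handling
// and why a NaN with stray payload bits is dangerous in a NaN-boxing scheme.
#include <cmath>
#include <cstdint>
#include <cstring>

namespace nan_example {

// Canonical quiet NaN: exponent all ones, quiet bit set, sign and payload clear.
constexpr uint64_t kPureNaNBits = 0x7ff8000000000000ull;

// Illustrative boxing scheme, an assumption for this example and not JSC's
// actual encoding: a 64-bit slot is a pointer when its top 16 bits are 0xfff8,
// otherwise it is a double. Any double whose bits carry that tag would be
// dereferenced as a pointer, so such bit patterns must never be stored.
constexpr uint64_t kPointerTagMask = 0xffff000000000000ull;
constexpr uint64_t kPointerTag     = 0xfff8000000000000ull;

inline uint64_t bitsOf(double d) {
    uint64_t bits;
    std::memcpy(&bits, &d, sizeof bits);
    return bits;
}

inline double doubleFromBits(uint64_t bits) {
    double d;
    std::memcpy(&d, &bits, sizeof d);
    return d;
}

// The one NaN the runtime agrees to store.
double pureNaN() { return doubleFromBits(kPureNaNBits); }

// A NaN is impure when its bit pattern is anything other than the canonical
// one: sign bit set, payload bits set, or a signalling NaN. Hardware
// arithmetic, float32-to-float64 widening of a typed-array element and
// bit-level construction can all produce these.
bool isImpureNaN(double d) { return std::isnan(d) && bitsOf(d) != kPureNaNBits; }

// Collapse every NaN to the canonical one; other values pass through unchanged
// (including -0.0, whose bits are preserved).
double purifyNaN(double d) { return std::isnan(d) ? pureNaN() : d; }

// Would this raw double be misread as a boxed pointer under the scheme above?
bool wouldBeMisreadAsPointer(double d) {
    return (bitsOf(d) & kPointerTagMask) == kPointerTag;
}

// Models the typed-array read path: a float32 with an arbitrary NaN payload is
// widened to double. The result is NaN, but its payload is whatever the
// conversion preserved, so it must be purified before being boxed.
double widenFloat32(uint32_t float32Bits) {
    float f;
    std::memcpy(&f, &float32Bits, sizeof f);
    return static_cast<double>(f);
}

} // namespace nan_example
```

The typed-array path is the one the float32-array-nan and float64-array-nan tests listed in the entries exercise: a NaN read from a Float32Array or Float64Array arrives in the engine with bits the engine did not choose, and purifying at the store that could see such a value is what keeps the tag space reserved for pointers clean.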
1835
1836 2014-04-16  Juergen Ributzka  <juergen@apple.com>
1837
1838         Enable system library calls in FTL for ARM64
1839         https://bugs.webkit.org/show_bug.cgi?id=130154
1840
1841         Reviewed by Geoffrey Garen and Filip Pizlo.
1842
1843         * ftl/FTLIntrinsicRepository.h:
1844         * ftl/FTLOutput.h:
1845         (JSC::FTL::Output::doubleRem):
1846         (JSC::FTL::Output::doubleSin):
1847         (JSC::FTL::Output::doubleCos):
1848
1849 2014-04-16  peavo@outlook.com  <peavo@outlook.com>
1850
1851         Fix JSC Debug Regressions on Windows
1852         https://bugs.webkit.org/show_bug.cgi?id=131182
1853
1854         Reviewed by Brent Fulgham.
1855
1856         The cast static_cast<int64_t>(number) in JSValue::isMachineInt() can generate a floating point error,
1857         and set the st floating point register tags, if the value of the number parameter is infinite.
1858         If the st floating point register tags are not cleared, this can cause strange floating point behavior later on.
1859         This can be avoided by checking for infinity first.
1860
1861         * runtime/JSCJSValueInlines.h:
1862         (JSC::JSValue::isMachineInt): Avoid floating point error by checking for infinity first.
1863         * runtime/Options.cpp:
1864         (JSC::recomputeDependentOptions): Re-enable jit for Windows.
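The entry above and the earlier Windows gardening entry that restricts the 'isinf' check to 32-bit builds concern the same hazard: converting an infinite (or NaN) double to int64_t before checking it. In C++ that conversion is undefined when the truncated value does not fit the destination type, so the finiteness check has to come first. The block below is an added example, not JSC's JSValue::isMachineInt; the Int52 range bounds (taken from the Int52 notion used elsewhere on this page), the namespace `machine_int_example` and the function names are assumptions for illustration.

```cpp
// Added example (not JavaScriptCore code): an Int52 classifier for doubles
// that checks for NaN and infinity before casting.
#include <cmath>
#include <cstdint>

namespace machine_int_example {

// Assumption: the "machine int" range is the 52-bit signed range that the
// Int52 entries on this page refer to, i.e. [-2^51, 2^51 - 1].
constexpr int kInt52Bits = 52;
constexpr int64_t kInt52Max = (static_cast<int64_t>(1) << (kInt52Bits - 1)) - 1;
constexpr int64_t kInt52Min = -(static_cast<int64_t>(1) << (kInt52Bits - 1));

// Form described in the entry, kept only for contrast: the cast happens
// before any finiteness check. For +/-inf or NaN the conversion to int64_t is
// undefined behaviour in C++; on x87 hardware it raises the invalid-operation
// exception and yields the "integer indefinite" value. Only ever call this
// with finite input.
bool isMachineIntCastFirst(double number) {
    int64_t asInt64 = static_cast<int64_t>(number);
    if (static_cast<double>(asInt64) != number)
        return false;
    if (!asInt64 && std::signbit(number))
        return false;
    return asInt64 >= kInt52Min && asInt64 <= kInt52Max;
}

// Hardened form: rule out NaN and infinity, then rule out anything outside
// the representable window, and only then cast. Every remaining conversion
// is well defined.
bool isMachineInt(double number) {
    if (std::isnan(number) || std::isinf(number))
        return false;
    // 2^51 and -2^51 are exactly representable doubles, so these comparisons
    // are exact and anything that passes them fits in int64_t.
    if (number >= static_cast<double>(kInt52Max) + 1.0)
        return false;
    if (number < static_cast<double>(kInt52Min))
        return false;
    int64_t asInt64 = static_cast<int64_t>(number);
    if (static_cast<double>(asInt64) != number)   // rejects fractional values
        return false;
    if (!asInt64 && std::signbit(number))          // -0 is not an integer value
        return false;
    return true;
}

} // namespace machine_int_example
```

The range comparisons are done in the double domain on purpose: once a value is known to be finite and below 2^51 in magnitude, the cast cannot overflow, so the round-trip comparison that follows only has to detect a fractional part.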
1865
1866 2014-04-16  Oliver Hunt  <oliver@apple.com>
1867
1868         Simple ES6 feature: Array.prototype.fill
1869         https://bugs.webkit.org/show_bug.cgi?id=131703
1870
1871         Reviewed by David Hyatt.
1872
1873         Add support for Array.prototype.fill
1874
1875         * builtins/Array.prototype.js:
1876         (fill):
1877         * runtime/ArrayPrototype.cpp:
1878
1879 2014-04-16  Mark Hahnenberg  <mhahnenberg@apple.com>
1880
1881         [WebKit] Cleanup the build from uninitialized variable in JavaScriptCore
1882         https://bugs.webkit.org/show_bug.cgi?id=131728
1883
1884         Reviewed by Darin Adler.
1885
1886         * runtime/JSObject.cpp:
1887         (JSC::JSObject::genericConvertDoubleToContiguous): Add a RELEASE_ASSERT on the 
1888         path we expect to never take. Also shut up confused compilers about uninitialized things.
1889
1890 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
1891
1892         Unreviewed, ARMv7 build fix after r167336.
1893
1894         * assembler/MacroAssemblerARMv7.h:
1895         (JSC::MacroAssemblerARMv7::branchAdd32):
1896
1897 2014-04-16  Gabor Rapcsanyi  <rgabor@webkit.org>
1898
1899         Unreviewed, ARM64 build fix after r167336.
1900
1901         * assembler/MacroAssemblerARM64.h:
1902         (JSC::MacroAssemblerARM64::branchAdd32): Add missing function.
1903
1904 2014-04-15  Filip Pizlo  <fpizlo@apple.com>
1905
1906         Unreviewed, add the obvious thing that marks MakeRope as exiting since it can exit.
1907
1908         * dfg/DFGAbstractInterpreterInlines.h:
1909         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1910
1911 2014-04-15  Filip Pizlo  <fpizlo@apple.com>
1912
1913         compileMakeRope does not emit necessary bounds checks
1914         https://bugs.webkit.org/show_bug.cgi?id=130684
1915         <rdar://problem/16398388>
1916
1917         Reviewed by Oliver Hunt.
1918         
1919         Add string length bounds checks in a bunch of places. We should never allow a string
1920         to have a length greater than 2^31-1 because it's not clear that the language has
1921         semantics for it and because there is code that assumes that this cannot happen.
1922         
1923         Also add a bunch of tests to that effect to cover the various ways in which this was
1924         previously allowed to happen.
1925
1926         * dfg/DFGOperations.cpp:
1927         * dfg/DFGSpeculativeJIT.cpp:
1928         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1929         * ftl/FTLLowerDFGToLLVM.cpp:
1930         (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
1931         * runtime/JSString.cpp:
1932         (JSC::JSRopeString::RopeBuilder::expand):
1933         * runtime/JSString.h:
1934         (JSC::JSString::create):
1935         (JSC::JSRopeString::RopeBuilder::append):
1936         (JSC::JSRopeString::RopeBuilder::release):
1937         (JSC::JSRopeString::append):
1938         * runtime/Operations.h:
1939         (JSC::jsString):
1940         (JSC::jsStringFromRegisterArray):
1941         (JSC::jsStringFromArguments):
1942         * runtime/StringPrototype.cpp:
1943         (JSC::stringProtoFuncIndexOf):
1944         (JSC::stringProtoFuncSlice):
1945         (JSC::stringProtoFuncSubstring):
1946         (JSC::stringProtoFuncToLowerCase):
1947         * tests/stress/make-large-string-jit-strcat.js: Added.
1948         (foo):
1949         * tests/stress/make-large-string-jit.js: Added.
1950         (foo):
1951         * tests/stress/make-large-string-strcat.js: Added.
1952         * tests/stress/make-large-string.js: Added.
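The entry above adds length bounds checks so that no string can exceed 2^31-1. As an added example (not JavaScriptCore's RopeBuilder or jsString), the block below shows the arithmetic such a check has to get right: the sum of two 32-bit lengths can wrap, so the comparison must be done in a wider type, and a builder that hits the limit must not hand back a partial result. The namespace `rope_example`, the class and function names and the builder's poisoning behaviour are assumptions for illustration.

```cpp
// Added example (not JavaScriptCore code): length bookkeeping for string
// concatenation that enforces the 2^31-1 limit the entry describes.
#include <cstdint>
#include <limits>
#include <string>
#include <vector>

namespace rope_example {

// Assumed limit, taken from the entry: a string may never exceed 2^31-1 units.
constexpr uint32_t kMaxStringLength =
    static_cast<uint32_t>(std::numeric_limits<int32_t>::max());

// Unchecked form, shown for contrast: adding two 32-bit lengths wraps modulo
// 2^32, so two huge inputs can pass the comparison with a tiny "sum".
bool lengthsFitUnchecked(uint32_t a, uint32_t b) {
    uint32_t sum = a + b;
    return sum <= kMaxStringLength;
}

// Hardened form: do the addition in 64 bits so it cannot wrap, then compare.
bool lengthsFit(uint32_t a, uint32_t b) {
    return static_cast<uint64_t>(a) + b <= kMaxStringLength;
}

// Minimal stand-in for a rope builder: it records fibers and their total
// length, and refuses any append that would cross the limit. Once an append
// has been refused the builder is poisoned, mirroring an out-of-memory path
// that must not return a half-built rope.
class RopeBuilder {
public:
    bool append(const std::string& fiber) {
        if (failed_)
            return false;
        if (fiber.size() > kMaxStringLength
            || !lengthsFit(length_, static_cast<uint32_t>(fiber.size()))) {
            failed_ = true;
            fibers_.clear();
            return false;
        }
        fibers_.push_back(fiber);
        length_ += static_cast<uint32_t>(fiber.size());
        return true;
    }
    bool failed() const { return failed_; }
    uint32_t length() const { return length_; }
    std::size_t fiberCount() const { return fibers_.size(); }

private:
    std::vector<std::string> fibers_;
    uint32_t length_ = 0;
    bool failed_ = false;
};

// Models repeated self-concatenation (s = s + s) on lengths alone, without
// allocating: returns the first step at which the length would exceed the
// limit, or -1 if it stays within bounds for all `steps` doublings.
int firstOverflowingDoubling(uint32_t startLength, int steps) {
    uint64_t length = startLength;
    for (int step = 1; step <= steps; ++step) {
        length *= 2;
        if (length > kMaxStringLength)
            return step;
    }
    return -1;
}

// Self-check used by the test: two small appends succeed, total length 4.
bool builderAcceptsSmallAppends() {
    RopeBuilder builder;
    return builder.append("ab") && builder.append("cd")
        && builder.length() == 4 && builder.fiberCount() == 2 && !builder.failed();
}

} // namespace rope_example
```

firstOverflowingDoubling(1, 40) returns 31: starting from a single unit, the 31st doubling is the first whose length, 2^31, exceeds the limit, which is why the check must run on every concatenation rather than only at final allocation.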
1953
1954 2014-04-15  Julien Brianceau  <jbriance@cisco.com>
1955
1956         Remove invalid sh4 specific code in JITInlines header.
1957         https://bugs.webkit.org/show_bug.cgi?id=131692
1958
1959         Reviewed by Geoffrey Garen.
1960
1961         * jit/JITInlines.h:
1962         (JSC::JIT::callOperation): Prototype is not F_JITOperation_EJJZ
1963         anymore since r160244, so the sh4 specific code is invalid now
1964         and has to be removed.
1965
1966 2014-04-15  Mark Hahnenberg  <mhahnenberg@apple.com>
1967
1968         Fix precedence issue in JSCell::setRemembered
1969
1970         Rubber stamped by Filip Pizlo.
1971
1972         * runtime/JSCell.h:
1973         (JSC::JSCell::setRemembered):
1974
1975 2014-04-15  Mark Hahnenberg  <mhahnenberg@apple.com>
1976
1977         Objective-C API external object graphs don't handle generational collection properly
1978         https://bugs.webkit.org/show_bug.cgi?id=131634
1979
1980         Reviewed by Geoffrey Garen.
1981
1982         If the set of Objective-C objects transitively reachable through an object changes, we 
1983         need to update the set of opaque roots accordingly. If we don't, the next EdenCollection 
1984         won't rescan the external object graph, which would lead us to consider a newly allocated 
1985         JSManagedValue to be dead.
1986
1987         * API/JSBase.cpp:
1988         (JSSynchronousEdenCollectForDebugging):
1989         * API/JSVirtualMachine.mm:
1990         (-[JSVirtualMachine initWithContextGroupRef:]):
1991         (-[JSVirtualMachine dealloc]):
1992         (-[JSVirtualMachine isOldExternalObject:]):
1993         (-[JSVirtualMachine addExternalRememberedObject:]):
1994         (-[JSVirtualMachine addManagedReference:withOwner:]):
1995         (-[JSVirtualMachine removeManagedReference:withOwner:]):
1996         (-[JSVirtualMachine externalRememberedSet]):
1997         (scanExternalObjectGraph):
1998         (scanExternalRememberedSet):
1999         * API/JSVirtualMachineInternal.h:
2000         * API/tests/testapi.mm:
2001         * heap/Heap.cpp:
2002         (JSC::Heap::markRoots):
2003         * heap/Heap.h:
2004         (JSC::Heap::slotVisitor):
2005         * heap/SlotVisitor.h:
2006         * heap/SlotVisitorInlines.h:
2007         (JSC::SlotVisitor::containsOpaqueRoot):
2008         (JSC::SlotVisitor::containsOpaqueRootTriState):
2009
2010 2014-04-15  Filip Pizlo  <fpizlo@apple.com>
2011
2012         DFG IR should keep the data flow of doubles and int52's separate from the data flow of JSValue's
2013         https://bugs.webkit.org/show_bug.cgi?id=131423
2014
2015         Reviewed by Geoffrey Garen.
2016         
2017         This introduces more static typing into DFG IR. Previously we just had the notion of
2018         JSValues and Storage. This was weird because doubles weren't always convertible to
2019         JSValues, and Int52s weren't always convertible to either doubles or JSValues. We would
2020         sort of insert explicit conversion nodes just for the places where we knew that an
2021         implicit conversion wouldn't have been possible -- but there was no hard and fast rule so
2022         we'd get bugs from forgetting to do the right conversion.
2023         
2024         This patch introduces a hard and fast rule: doubles can never be implicitly converted to
2025         anything but doubles, and likewise Int52's can never be implicitly converted. Conversion
2026         nodes are used for all of the conversions. Int52Rep, DoubleRep, and ValueRep are the
2027         conversions. They are like Identity but return the same value using a different
2028         representation. Likewise, constants may now be represented using either JSConstant,
2029         Int52Constant, or DoubleConstant. UseKinds have been adjusted accordingly, as well.
2030         Int52RepUse and DoubleRepUse are node uses that mean "the node must be of Int52 (or
2031         Double) type". They don't imply checks. There is also DoubleRepRealUse, which means that
2032         we speculate DoubleReal and expect Double representation.
2033         
2034         In addition to simplifying a bunch of rules in the IR and making the IR more verifiable,
2035         this also makes it easier to introduce optimizations in the future. It's now possible for
2036         AI to model when/how conversions take place. For example if doing a conversion results in
2037         NaN sanitization, then AI can model this and can allow us to sink sanitizations. That's
2038         what https://bugs.webkit.org/show_bug.cgi?id=131419 will be all about.
2039         
2040         This was a big change, so I had to do some interesting things, like finally get rid of
2041         the DFG's weird variadic template macro hacks and use real C++11 variadic templates. Also
2042         the ByteCodeParser no longer emits Identity nodes since that was always pointless.
2043         
2044         No performance change because this mostly just rationalizes preexisting behavior.
2045
2046         * JavaScriptCore.xcodeproj/project.pbxproj:
2047         * assembler/MacroAssemblerX86.h:
2048         * bytecode/CodeBlock.cpp:
2049         * bytecode/CodeBlock.h:
2050         * dfg/DFGAbstractInterpreter.h:
2051         (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
2052         (JSC::DFG::AbstractInterpreter::setConstant):
2053         * dfg/DFGAbstractInterpreterInlines.h:
2054         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2055         * dfg/DFGAbstractValue.cpp:
2056         (JSC::DFG::AbstractValue::set):
2057         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
2058         (JSC::DFG::AbstractValue::checkConsistency):
2059         * dfg/DFGAbstractValue.h:
2060         * dfg/DFGBackwardsPropagationPhase.cpp:
2061         (JSC::DFG::BackwardsPropagationPhase::propagate):
2062         * dfg/DFGBasicBlock.h:
2063         * dfg/DFGBasicBlockInlines.h:
2064         (JSC::DFG::BasicBlock::appendNode):
2065         (JSC::DFG::BasicBlock::appendNonTerminal):
2066         * dfg/DFGByteCodeParser.cpp:
2067         (JSC::DFG::ByteCodeParser::parseBlock):
2068         * dfg/DFGCSEPhase.cpp:
2069         (JSC::DFG::CSEPhase::constantCSE):
2070         (JSC::DFG::CSEPhase::performNodeCSE):
2071         (JSC::DFG::CSEPhase::int32ToDoubleCSE): Deleted.
2072         * dfg/DFGCapabilities.h:
2073         * dfg/DFGClobberize.h:
2074         (JSC::DFG::clobberize):
2075         * dfg/DFGConstantFoldingPhase.cpp:
2076         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2077         * dfg/DFGDCEPhase.cpp:
2078         (JSC::DFG::DCEPhase::fixupBlock):
2079         * dfg/DFGEdge.h:
2080         (JSC::DFG::Edge::willNotHaveCheck):
2081         * dfg/DFGFixupPhase.cpp:
2082         (JSC::DFG::FixupPhase::run):
2083         (JSC::DFG::FixupPhase::fixupNode):
2084         (JSC::DFG::FixupPhase::fixupGetAndSetLocalsInBlock):
2085         (JSC::DFG::FixupPhase::observeUseKindOnNode):
2086         (JSC::DFG::FixupPhase::fixIntEdge):
2087         (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
2088         (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
2089         (JSC::DFG::FixupPhase::tryToRelaxRepresentation):
2090         (JSC::DFG::FixupPhase::fixEdgeRepresentation):
2091         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2092         (JSC::DFG::FixupPhase::addRequiredPhantom):
2093         (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
2094         (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
2095         (JSC::DFG::FixupPhase::fixupSetLocalsInBlock): Deleted.
2096         * dfg/DFGFlushFormat.h:
2097         (JSC::DFG::resultFor):
2098         (JSC::DFG::useKindFor):
2099         * dfg/DFGGraph.cpp:
2100         (JSC::DFG::Graph::dump):
2101         * dfg/DFGGraph.h:
2102         (JSC::DFG::Graph::addNode):
2103         * dfg/DFGInPlaceAbstractState.cpp:
2104         (JSC::DFG::InPlaceAbstractState::initialize):
2105         * dfg/DFGInsertionSet.h:
2106         (JSC::DFG::InsertionSet::insertNode):
2107         (JSC::DFG::InsertionSet::insertConstant):
2108         (JSC::DFG::InsertionSet::insertConstantForUse):
2109         * dfg/DFGIntegerCheckCombiningPhase.cpp:
2110         (JSC::DFG::IntegerCheckCombiningPhase::insertAdd):
2111         (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd):
2112         * dfg/DFGNode.cpp:
2113         (JSC::DFG::Node::convertToIdentity):
2114         (WTF::printInternal):
2115         * dfg/DFGNode.h:
2116         (JSC::DFG::Node::Node):
2117         (JSC::DFG::Node::setResult):
2118         (JSC::DFG::Node::result):
2119         (JSC::DFG::Node::isConstant):
2120         (JSC::DFG::Node::hasConstant):
2121         (JSC::DFG::Node::convertToConstant):
2122         (JSC::DFG::Node::valueOfJSConstant):
2123         (JSC::DFG::Node::hasResult):
2124         (JSC::DFG::Node::hasInt32Result):
2125         (JSC::DFG::Node::hasInt52Result):
2126         (JSC::DFG::Node::hasNumberResult):
2127         (JSC::DFG::Node::hasDoubleResult):
2128         (JSC::DFG::Node::hasJSResult):
2129         (JSC::DFG::Node::hasBooleanResult):
2130         (JSC::DFG::Node::hasStorageResult):
2131         (JSC::DFG::Node::defaultUseKind):
2132         (JSC::DFG::Node::defaultEdge):
2133         (JSC::DFG::Node::convertToIdentity): Deleted.
2134         * dfg/DFGNodeFlags.cpp:
2135         (JSC::DFG::dumpNodeFlags):
2136         * dfg/DFGNodeFlags.h:
2137         (JSC::DFG::canonicalResultRepresentation):
2138         * dfg/DFGNodeType.h:
2139         * dfg/DFGOSRExitCompiler32_64.cpp:
2140         (JSC::DFG::OSRExitCompiler::compileExit):
2141         * dfg/DFGOSRExitCompiler64.cpp:
2142         (JSC::DFG::OSRExitCompiler::compileExit):
2143         * dfg/DFGPredictionPropagationPhase.cpp:
2144         (JSC::DFG::PredictionPropagationPhase::propagate):
2145         * dfg/DFGResurrectionForValidationPhase.cpp:
2146         (JSC::DFG::ResurrectionForValidationPhase::run):
2147         * dfg/DFGSSAConversionPhase.cpp:
2148         (JSC::DFG::SSAConversionPhase::run):
2149         * dfg/DFGSafeToExecute.h:
2150         (JSC::DFG::SafeToExecuteEdge::operator()):
2151         (JSC::DFG::safeToExecute):
2152         * dfg/DFGSpeculativeJIT.cpp:
2153         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
2154         (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
2155         (JSC::DFG::SpeculativeJIT::silentFill):
2156         (JSC::DFG::JSValueRegsTemporary::JSValueRegsTemporary):
2157         (JSC::DFG::JSValueRegsTemporary::~JSValueRegsTemporary):
2158         (JSC::DFG::JSValueRegsTemporary::regs):
2159         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
2160         (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
2161         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
2162         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2163         (JSC::DFG::SpeculativeJIT::compileValueRep):
2164         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
2165         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
2166         (JSC::DFG::SpeculativeJIT::compileAdd):
2167         (JSC::DFG::SpeculativeJIT::compileArithSub):
2168         (JSC::DFG::SpeculativeJIT::compileArithNegate):
2169         (JSC::DFG::SpeculativeJIT::compileArithMul):
2170         (JSC::DFG::SpeculativeJIT::compileArithDiv):
2171         (JSC::DFG::SpeculativeJIT::compileArithMod):
2172         (JSC::DFG::SpeculativeJIT::compare):
2173         (JSC::DFG::SpeculativeJIT::compileStrictEq):
2174         (JSC::DFG::SpeculativeJIT::speculateNumber):
2175         (JSC::DFG::SpeculativeJIT::speculateDoubleReal):
2176         (JSC::DFG::SpeculativeJIT::speculate):
2177         (JSC::DFG::SpeculativeJIT::compileInt32ToDouble): Deleted.
2178         (JSC::DFG::SpeculativeJIT::speculateMachineInt): Deleted.
2179         (JSC::DFG::SpeculativeJIT::speculateRealNumber): Deleted.
2180         * dfg/DFGSpeculativeJIT.h:
2181         (JSC::DFG::SpeculativeJIT::allocate):
2182         (JSC::DFG::SpeculativeJIT::use):
2183         (JSC::DFG::SpeculativeJIT::boxDouble):
2184         (JSC::DFG::SpeculativeJIT::spill):
2185         (JSC::DFG::SpeculativeJIT::jsValueResult):
2186         (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand):
2187         (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand):
2188         (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand):
2189         (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
2190         * dfg/DFGSpeculativeJIT32_64.cpp:
2191         (JSC::DFG::SpeculativeJIT::fillJSValue):
2192         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2193         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2194         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2195         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2196         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2197         (JSC::DFG::SpeculativeJIT::emitBranch):
2198         (JSC::DFG::SpeculativeJIT::compile):
2199         (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
2200         * dfg/DFGSpeculativeJIT64.cpp:
2201         (JSC::DFG::SpeculativeJIT::fillJSValue):
2202         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2203         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
2204         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2205         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2206         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2207         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2208         (JSC::DFG::SpeculativeJIT::emitBranch):
2209         (JSC::DFG::SpeculativeJIT::compile):
2210         (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
2211         * dfg/DFGStrengthReductionPhase.cpp:
2212         (JSC::DFG::StrengthReductionPhase::handleNode):
2213         * dfg/DFGUseKind.cpp:
2214         (WTF::printInternal):
2215         * dfg/DFGUseKind.h:
2216         (JSC::DFG::typeFilterFor):
2217         (JSC::DFG::shouldNotHaveTypeCheck):
2218         (JSC::DFG::mayHaveTypeCheck):
2219         (JSC::DFG::isNumerical):
2220         (JSC::DFG::isDouble):
2221         (JSC::DFG::isCell):
2222         (JSC::DFG::usesStructure):
2223         (JSC::DFG::useKindForResult):
2224         * dfg/DFGValidate.cpp:
2225         (JSC::DFG::Validate::validate):
2226         * dfg/DFGVariadicFunction.h: Removed.
2227         * ftl/FTLCapabilities.cpp:
2228         (JSC::FTL::canCompile):
2229         * ftl/FTLLowerDFGToLLVM.cpp:
2230         (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
2231         (JSC::FTL::LowerDFGToLLVM::compileNode):
2232         (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
2233         (JSC::FTL::LowerDFGToLLVM::compilePhi):
2234         (JSC::FTL::LowerDFGToLLVM::compileDoubleConstant):
2235         (JSC::FTL::LowerDFGToLLVM::compileInt52Constant):
2236         (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant):
2237         (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
2238         (JSC::FTL::LowerDFGToLLVM::compileValueRep):
2239         (JSC::FTL::LowerDFGToLLVM::compileInt52Rep):
2240         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
2241         (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
2242         (JSC::FTL::LowerDFGToLLVM::compileArithMul):
2243         (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
2244         (JSC::FTL::LowerDFGToLLVM::compileArithMod):
2245         (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
2246         (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
2247         (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
2248         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2249         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
2250         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
2251         (JSC::FTL::LowerDFGToLLVM::compare):
2252         (JSC::FTL::LowerDFGToLLVM::boolify):
2253         (JSC::FTL::LowerDFGToLLVM::lowInt52):
2254         (JSC::FTL::LowerDFGToLLVM::lowStrictInt52):
2255         (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52):
2256         (JSC::FTL::LowerDFGToLLVM::lowDouble):
2257         (JSC::FTL::LowerDFGToLLVM::lowJSValue):
2258         (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble):
2259         (JSC::FTL::LowerDFGToLLVM::jsValueToDouble):
2260         (JSC::FTL::LowerDFGToLLVM::speculate):
2261         (JSC::FTL::LowerDFGToLLVM::speculateNumber):
2262         (JSC::FTL::LowerDFGToLLVM::speculateDoubleReal):
2263         (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue): Deleted.
2264         (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble): Deleted.
2265         (JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue): Deleted.
2266         (JSC::FTL::LowerDFGToLLVM::speculateRealNumber): Deleted.
2267         (JSC::FTL::LowerDFGToLLVM::speculateMachineInt): Deleted.
2268         * ftl/FTLValueFormat.cpp:
2269         (JSC::FTL::reboxAccordingToFormat):
2270         * jit/AssemblyHelpers.cpp:
2271         (JSC::AssemblyHelpers::sanitizeDouble):
2272         * jit/AssemblyHelpers.h:
2273         (JSC::AssemblyHelpers::boxDouble):
2274
2275 2014-04-15  Commit Queue  <commit-queue@webkit.org>
2276
2277         Unreviewed, rolling out r167199 and r167251.
2278         https://bugs.webkit.org/show_bug.cgi?id=131678
2279
2280         Caused a DYEBench regression and does not seem to improve perf
2281         on relevant websites (Requested by rniwa on #webkit).
2282
2283         Reverted changesets:
2284
2285         "Rewrite Function.bind as a builtin"
2286         https://bugs.webkit.org/show_bug.cgi?id=131083
2287         http://trac.webkit.org/changeset/167199
2288
2289         "Update test result"
2290         http://trac.webkit.org/changeset/167251
2291
2292 2014-04-14  Commit Queue  <commit-queue@webkit.org>
2293
2294         Unreviewed, rolling out r167272.
2295         https://bugs.webkit.org/show_bug.cgi?id=131666
2296
2297         Broke multiple tests (Requested by ap on #webkit).
2298
2299         Reverted changeset:
2300
2301         "Function.bind itself is too slow"
2302         https://bugs.webkit.org/show_bug.cgi?id=131636
2303         http://trac.webkit.org/changeset/167272
2304
2305 2014-04-14  Geoffrey Garen  <ggaren@apple.com>
2306
2307         ASSERT when firing low memory warning
2308         https://bugs.webkit.org/show_bug.cgi?id=131659
2309
2310         Reviewed by Mark Hahnenberg.
2311
2312         * heap/Heap.cpp:
2313         (JSC::Heap::deleteAllCompiledCode): Allow deleteAllCompiledCode to be
2314         called when no GC is happening because that is what we do when a low
2315         memory warning fires, and it is harmless.
2316
2317 2014-04-14  Mark Hahnenberg  <mhahnenberg@apple.com>
2318
2319         emit_op_put_by_id should not emit a write barrier that filters on value
2320         https://bugs.webkit.org/show_bug.cgi?id=131654
2321
2322         Reviewed by Filip Pizlo.
2323
2324         The 32-bit implementation does this, and it can cause crashes if we later repatch the 
2325         code to allocate and store new Butterflies.
2326
2327         * jit/JITPropertyAccess.cpp:
2328         (JSC::JIT::emitWriteBarrier): We also weren't verifying that the base was a cell on 
2329         32-bit if we were passed ShouldFilterBase. I also took the liberty of sinking the tag 
2330         load down into the if statement so that we don't do it if we're not filtering on the value.
2331         * jit/JITPropertyAccess32_64.cpp:
2332         (JSC::JIT::emit_op_put_by_id):
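
        The failure mode described in this entry, as an added illustration that is not JSC code (the Cell, Butterfly, Heap and barrier below are simplified stand-ins, and the transition scenario is constructed): an eden collection re-scans an old cell only if a write barrier placed it in the remembered set. If the barrier is skipped because the value being stored is an int rather than a cell, the young Butterfly that the repatched transition just stored into the old base is never marked, is freed, and the base is left pointing at dead memory.

```cpp
#include <algorithm>
#include <memory>
#include <set>
#include <vector>

// Toy generational heap (added illustration, not JSC code). Old cells keep their
// mark bits between eden collections, so an old cell is re-scanned only if a
// write barrier put it in the remembered set.
struct Cell {
    bool old = false, remembered = false, marked = false;
    virtual ~Cell() = default;
    virtual void visitChildren(std::vector<Cell*>&) {}
};

struct Butterfly : Cell { int slots[4] = {0, 0, 0, 0}; };

struct Object : Cell {
    Butterfly* butterfly = nullptr;
    void visitChildren(std::vector<Cell*>& out) override { if (butterfly) out.push_back(butterfly); }
};

class Heap {
public:
    template <typename T> T* allocate() {
        young_.push_back(std::make_unique<T>());
        return static_cast<T*>(young_.back().get());
    }
    // Full collection in which everything survives: all young cells become old.
    void promoteAll() {
        for (auto& c : young_) { c->old = true; old_.push_back(std::move(c)); }
        young_.clear();
    }
    void remember(Cell* c) {
        if (c->old && !c->remembered) { c->remembered = true; rememberedSet_.push_back(c); }
    }
    // Eden collection: mark young cells reachable from the roots and from
    // remembered old cells, free the rest, then reset the remembered set.
    void edenCollect(std::vector<Cell*> work) {
        work.insert(work.end(), rememberedSet_.begin(), rememberedSet_.end());
        std::set<Cell*> scannedOld;
        while (!work.empty()) {
            Cell* c = work.back();
            work.pop_back();
            if (c->old) {
                if (!c->remembered || !scannedOld.insert(c).second) continue;
            } else {
                if (c->marked) continue;
                c->marked = true;
            }
            c->visitChildren(work);
        }
        young_.erase(std::remove_if(young_.begin(), young_.end(),
            [](const std::unique_ptr<Cell>& c) { return !c->marked; }), young_.end());
        for (auto& c : young_) c->marked = false;
        for (Cell* c : rememberedSet_) c->remembered = false;
        rememberedSet_.clear();
    }
    // Address-only liveness check; never dereferences p.
    bool isLive(const Cell* p) const {
        auto same = [p](const std::unique_ptr<Cell>& c) { return c.get() == p; };
        return std::any_of(young_.begin(), young_.end(), same)
            || std::any_of(old_.begin(), old_.end(), same);
    }
private:
    std::vector<std::unique_ptr<Cell>> young_, old_;
    std::vector<Cell*> rememberedSet_;
};

enum class BarrierKind { FilterOnValue, FilterOnBase };

// The buggy shape skips the barrier whenever the stored value is not a cell,
// even though the base itself just gained a pointer to a young Butterfly.
void writeBarrier(Heap& heap, Object* base, bool valueIsCell, BarrierKind kind) {
    if (kind == BarrierKind::FilterOnValue && !valueIsCell)
        return;
    heap.remember(base);
}

// put_by_id whose inline cache was repatched to a transition that allocates a
// new Butterfly, stores it into the base, then stores an int into a slot.
void putByIdReallocatingTransition(Heap& heap, Object* base, int number, BarrierKind kind) {
    Butterfly* fresh = heap.allocate<Butterfly>();
    for (int i = 0; base->butterfly && i < 4; ++i)  // copy the existing slots over
        fresh->slots[i] = base->butterfly->slots[i];
    base->butterfly = fresh;  // old -> young edge that only the barrier can protect
    fresh->slots[0] = number;
    writeBarrier(heap, base, /* valueIsCell */ false, kind);
}

// Whether the base's new Butterfly survives the next eden collection.
bool butterflySurvives(BarrierKind kind) {
    Heap heap;
    Object* obj = heap.allocate<Butterfly>() ? heap.allocate<Object>() : nullptr;
    obj->butterfly = heap.allocate<Butterfly>();
    heap.promoteAll();  // obj and its first Butterfly are now old
    putByIdReallocatingTransition(heap, obj, 42, kind);
    heap.edenCollect({obj});
    return heap.isLive(obj->butterfly);
}
```

With the base-filtered barrier the old object is remembered and its new Butterfly is marked; with the value-filtered barrier the object is skipped during marking (it is old and not remembered), the Butterfly is swept, and `obj->butterfly` dangles, which is the crash the entry describes.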
2333
2334 2014-04-14  Oliver Hunt  <oliver@apple.com>
2335
2336         Function.bind itself is too slow
2337         https://bugs.webkit.org/show_bug.cgi?id=131636
2338
2339         Reviewed by Geoffrey Garen.
2340
2341         Rather than forcing creation of an activation, we now store
2342         bound function properties directly on the returned closure.
2343         This is necessary to deal with code that creates many function
2344         bindings, but does not call them very often.
2345
2346         This is a 60% speed up in the included js/regress test.
2347
2348         * builtins/BuiltinExecutables.cpp:
2349         (JSC::BuiltinExecutables::createBuiltinExecutable):
2350         * builtins/Function.prototype.js:
2351         (bind.bindingFunction):
2352         (bind.else.switch.case.1.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
2353         (bind.else.switch.case.1.bindingFunction):
2354         (bind.else.switch.case.2.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
2355         (bind.else.switch.case.2.bindingFunction):
2356         (bind.else.switch.case.3.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
2357         (bind.else.switch.case.3.bindingFunction):
2358         (bind.else.switch.bindingFunction):
2359         (bind):
2360         (bind.else.switch.case.1.bindingFunction.oversizedCall): Deleted.
2361         (bind.else.switch.case.2.bindingFunction.oversizedCall): Deleted.
2362         (bind.else.switch.case.3.bindingFunction.oversizedCall): Deleted.
2363         * runtime/CommonIdentifiers.h:
2364
2365 2014-04-14  Julien Brianceau  <jbriance@cisco.com>
2366
2367         [sh4] Allow use of SubImmediates in LLINT.
2368         https://bugs.webkit.org/show_bug.cgi?id=131608
2369
2370         Reviewed by Mark Lam.
2371
2372         Allow use of SubImmediates with const pool so the sh4 architecture can
2373         share the arm path for the setEntryAddress macro. It reduces
2374         architecture-specific code and leads to more optimal generated code for sh4.
2375
2376         * llint/LowLevelInterpreter.asm:
2377         * offlineasm/sh4.rb:
2378
2379 2014-04-14  Andreas Kling  <akling@apple.com>
2380
2381         Array.prototype.concat should allocate output storage only once.
2382         <https://webkit.org/b/131609>
2383
2384         Do a first pass across 'this' and any arguments to compute the
2385         final size of the resulting array from Array.prototype.concat.
2386         This avoids having to grow the output incrementally as we go.
2387
2388         This also includes two other micro-optimizations:
2389
2390         - Mark getProperty() with ALWAYS_INLINE.
2391
2392         - Use JSArray::length() instead of taking the generic property
2393           lookup path when we know an argument is an Array.
2394
2395         My MBP says ~3% progression on Dromaeo/jslib-traverse-jquery.
2396
2397         Reviewed by Oliver & Darin.
2398
2399         * runtime/ArrayPrototype.cpp:
2400         (JSC::getProperty):
2401         (JSC::arrayProtoFuncConcat):
2402
2403 2014-04-14  Commit Queue  <commit-queue@webkit.org>
2404
2405         Unreviewed, rolling out r167249.
2406         https://bugs.webkit.org/show_bug.cgi?id=131621
2407
2408         broke 3 tests on cloop (Requested by kling on #webkit).
2409
2410         Reverted changeset:
2411
2412         "Array.prototype.concat should allocate output storage only
2413         once."
2414         https://bugs.webkit.org/show_bug.cgi?id=131609
2415         http://trac.webkit.org/changeset/167249
2416
2417 2014-04-14  Alex Christensen  <achristensen@webkit.org>
2418
2419         Fixed potential integer truncation.
2420         https://bugs.webkit.org/show_bug.cgi?id=131615
2421
2422         Reviewed by Darin Adler.
2423
2424         * assembler/X86Assembler.h:
2425         (JSC::X86Assembler::fillNops):
2426         Truncate the size_t to an unsigned after it is limited to 15 instead of before.
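
        The ordering that line describes, as an added example (not WebKit's X86Assembler; the function names, the fill loop and largeSize() are this example's own, and the large size is constructed to expose the bug): narrowing a size_t to unsigned before the clamp silently drops the high bits, so a remaining size of 2^32 + 3 produces a 3-byte chunk followed by a 0-byte chunk, and a fill loop built on it stops making progress. Clamping first guarantees the value is within 0..15 before it is narrowed.

```cpp
#include <algorithm>
#include <climits>
#include <cstddef>
#include <cstdint>
#include <vector>

// x86 instructions are at most 15 bytes, so a NOP filler emits chunks of at most 15.
static const unsigned kMaxNopLength = 15;

// Order before the fix: narrow size_t to unsigned first, then clamp. On a
// 64-bit target the high 32 bits are dropped before the clamp ever sees them.
unsigned nopChunkTruncateThenClamp(size_t remaining)
{
    unsigned narrowed = static_cast<unsigned>(remaining);
    return std::min(narrowed, kMaxNopLength);
}

// Order after the fix: clamp in size_t, then narrow. The narrowed value is at most 15.
unsigned nopChunkClampThenTruncate(size_t remaining)
{
    return static_cast<unsigned>(std::min<size_t>(remaining, kMaxNopLength));
}

// A fill loop shaped like an assembler's fillNops. Returns the number of bytes
// emitted (equal to size on success), or 0 if a zero-length chunk would leave
// the loop unable to make progress, which is the symptom of truncating too early.
size_t fillNops(size_t size, unsigned (*chunk)(size_t), size_t maxChunks = 1u << 20)
{
    std::vector<uint8_t> buffer;
    for (size_t chunks = 0; size; ++chunks) {
        unsigned n = chunk(size);
        if (n == 0 || n > size || chunks == maxChunks)
            return 0;
        // Single-byte NOPs here; a real assembler picks multi-byte encodings.
        buffer.insert(buffer.end(), static_cast<size_t>(n), static_cast<uint8_t>(0x90));
        size -= n;
    }
    return buffer.size();
}

// A constructed size whose low 32 bits are 3 (2^32 + 3 on LP64/LLP64).
size_t largeSize()
{
    static_assert(sizeof(size_t) > sizeof(unsigned), "example assumes a 64-bit size_t");
    return static_cast<size_t>(UINT_MAX) + 4;
}
```

For sizes below 2^32 both orderings agree, which is why the bug is easy to miss in tests; the difference only shows once the size_t carries bits above the unsigned range.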
2427
2428 2014-04-14  Andreas Kling  <akling@apple.com>
2429
2430         Array.prototype.concat should allocate output storage only once.
2431         <https://webkit.org/b/131609>
2432
2433         Do a first pass across 'this' and any arguments to compute the
2434         final size of the resulting array from Array.prototype.concat.
2435         This avoids having to grow the output incrementally as we go.
2436
2437         This also includes two other micro-optimizations:
2438
2439         - Mark getProperty() with ALWAYS_INLINE.
2440
2441         - Use JSArray::length() instead of taking the generic property
2442           lookup path when we know an argument is an Array.
2443
2444         My MBP says ~3% progression on Dromaeo/jslib-traverse-jquery.
2445
2446         Reviewed by Darin Adler.
2447
2448         * runtime/ArrayPrototype.cpp:
2449         (JSC::getProperty):
2450         (JSC::arrayProtoFuncConcat):
2451
2452 2014-04-14  Benjamin Poulain  <benjamin@webkit.org>
2453
2454         [JSC] Improve the call site of string comparison in some hot path
2455         https://bugs.webkit.org/show_bug.cgi?id=131605
2456
2457         Reviewed by Darin Adler.
2458
2459         When resolved, the String of a JSString is never null. It can be empty but not null.
2460         The null value is reserved for ropes but those would be resolved when getting the value.
2461
2462         Consequently, we should use the equal() operation that does not handle null values.
2463         Using the StringImpl directly is already common in StringPrototype but it was not used here for some reason.
2464
2465         * jit/JITOperations.cpp:
2466         * runtime/JSCJSValueInlines.h:
2467         (JSC::JSValue::equalSlowCaseInline):
2468         (JSC::JSValue::strictEqualSlowCaseInline):
2469         (JSC::JSValue::pureStrictEqual):
2470
2471 2014-04-08  Oliver Hunt  <oliver@apple.com>
2472
2473         Rewrite Function.bind as a builtin
2474         https://bugs.webkit.org/show_bug.cgi?id=131083
2475
2476         Reviewed by Geoffrey Garen.
2477
2478         This change removes the existing function.bind implementation
2479         entirely so JSBoundFunction is no more.
2480
2481         Instead we just return a regular JS closure with a few
2482         private properties hanging off it that allow us to perform
2483         the necessary bound function fakery.  While most of this is
2484         simple, a couple of key changes:
2485
2486         - The parser and lexer now directly track whether they're
2487           parsing code for call or construct and convert the private
2488           name @IsConstructor into TRUETOK or FALSETOK as appropriate.
2489           This automatically gives us the ability to vary behaviour
2490           from within the builtin. It also leaves a lot of headroom
2491           for trivial future improvements.
2492         - The instanceof operator now uses the prototypeForHasInstance
2493           private name, and we have a helper function to ensure that
2494           all objects that need to can update their magical 'prototype'
2495           property pair correctly.
2496
2497         * API/JSScriptRef.cpp:
2498         (parseScript):
2499         * JavaScriptCore.xcodeproj/project.pbxproj:
2500         * builtins/BuiltinExecutables.cpp:
2501         (JSC::BuiltinExecutables::createBuiltinExecutable):
2502         * builtins/Function.prototype.js:
2503         (bind.bindingFunction):
2504         (bind.else.bindingFunction):
2505         (bind):
2506         * bytecode/UnlinkedCodeBlock.cpp:
2507         (JSC::generateFunctionCodeBlock):
2508         * bytecompiler/NodesCodegen.cpp:
2509         (JSC::InstanceOfNode::emitBytecode):
2510         * interpreter/Interpreter.cpp:
2511         * parser/Lexer.cpp:
2512         (JSC::Lexer<T>::Lexer):
2513         (JSC::Lexer<LChar>::parseIdentifier):
2514         (JSC::Lexer<UChar>::parseIdentifier):
2515         * parser/Lexer.h:
2516         * parser/Parser.cpp:
2517         (JSC::Parser<LexerType>::Parser):
2518         (JSC::Parser<LexerType>::parseInner):
2519         * parser/Parser.h:
2520         (JSC::parse):
2521         * parser/ParserModes.h:
2522         * runtime/CodeCache.cpp:
2523         (JSC::CodeCache::getGlobalCodeBlock):
2524         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
2525         * runtime/CommonIdentifiers.h:
2526         * runtime/Completion.cpp:
2527         (JSC::checkSyntax):
2528         * runtime/Executable.cpp:
2529         (JSC::ProgramExecutable::checkSyntax):
2530         * runtime/FunctionPrototype.cpp:
2531         (JSC::FunctionPrototype::addFunctionProperties):
2532         (JSC::functionProtoFuncBind): Deleted.
2533         * runtime/JSBoundFunction.cpp: Removed.
2534         * runtime/JSBoundFunction.h: Removed.
2535         * runtime/JSFunction.cpp:
2536         (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
2537         (JSC::RetrieveCallerFunctionFunctor::operator()):
2538         (JSC::retrieveCallerFunction):
2539         (JSC::JSFunction::getOwnPropertySlot):
2540         (JSC::JSFunction::defineOwnProperty):
2541         * runtime/JSGlobalObject.cpp:
2542         (JSC::JSGlobalObject::reset):
2543         * runtime/JSGlobalObjectFunctions.cpp:
2544         (JSC::globalFuncSetTypeErrorAccessor):
2545         * runtime/JSGlobalObjectFunctions.h:
2546         * runtime/JSObject.h:
2547         (JSC::JSObject::inlineGetOwnPropertySlot):
2548
2549 2014-04-12  Filip Pizlo  <fpizlo@apple.com>
2550
2551         Math.fround() should be an intrinsic
2552         https://bugs.webkit.org/show_bug.cgi?id=131583
2553
2554         Reviewed by Geoffrey Garen.
2555         
2556         Makes programs that use Math.fround() run up to 6x faster.
2557
2558         * dfg/DFGAbstractInterpreterInlines.h:
2559         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2560         * dfg/DFGByteCodeParser.cpp:
2561         (JSC::DFG::ByteCodeParser::handleIntrinsic):
2562         * dfg/DFGCSEPhase.cpp:
2563         (JSC::DFG::CSEPhase::performNodeCSE):
2564         * dfg/DFGClobberize.h:
2565         (JSC::DFG::clobberize):
2566         * dfg/DFGFixupPhase.cpp:
2567         (JSC::DFG::FixupPhase::fixupNode):
2568         * dfg/DFGNodeType.h:
2569         * dfg/DFGPredictionPropagationPhase.cpp:
2570         (JSC::DFG::PredictionPropagationPhase::propagate):
2571         * dfg/DFGSafeToExecute.h:
2572         (JSC::DFG::safeToExecute):
2573         * dfg/DFGSpeculativeJIT32_64.cpp:
2574         (JSC::DFG::SpeculativeJIT::compile):
2575         * dfg/DFGSpeculativeJIT64.cpp:
2576         (JSC::DFG::SpeculativeJIT::compile):
2577         * ftl/FTLCapabilities.cpp:
2578         (JSC::FTL::canCompile):
2579         * ftl/FTLLowerDFGToLLVM.cpp:
2580         (JSC::FTL::LowerDFGToLLVM::compileNode):
2581         (JSC::FTL::LowerDFGToLLVM::compileArithFRound):
2582         * runtime/Intrinsic.h:
2583         * runtime/MathObject.cpp:
2584         (JSC::MathObject::finishCreation):
2585
2586 2014-04-12  Filip Pizlo  <fpizlo@apple.com>
2587
2588         FTL should use stackmap register liveness
2589         https://bugs.webkit.org/show_bug.cgi?id=130791
2590
2591         Reviewed by Geoffrey Garen.
2592         
2593         Enable the stackmap register liveness support by fixing the two last bugs:
2594         
2595         - If everything is dead after the patchpoint - a good possibility for a put_by_id -
2596           then we shouldn't crash due to a null scratch buffer.
2597         
2598         - Always consider callee-saves as if they were live. More precisely, we should
2599           consider those callee-saves that are not saved by the enclosing function to be live.
2600           For now we do the much simpler thing and consider callee-saves to be always live
2601           since it has minimal impact on the scratch register allocator. It will know not to
2602           preserve those for calls, anyway.
2603         
2604         I tried writing a test for the null scratch buffer thing, but failed. I will land the
2605         test anyway since it seems useful.
2606
2607         * ftl/FTLCompile.cpp:
2608         (JSC::FTL::usedRegistersFor):
2609         * jit/ScratchRegisterAllocator.cpp:
2610         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
2611         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
2612         * runtime/Options.h:
2613         * tests/stress/repeated-put-by-id-reallocating-transition.js: Added.
2614         (foo):
2615
2616 2014-04-11  Filip Pizlo  <fpizlo@apple.com>
2617
2618         DFG::FixupPhase should insert conversion nodes after the rest of fixup so that we know how the types settled
2619         https://bugs.webkit.org/show_bug.cgi?id=131424
2620
2621         Reviewed by Geoffrey Garen.
2622         
2623         This defers type conversion injection until we've decided on types. This makes the
2624         process of deciding types a bit more flexible - for example we can naturally fixpoint
2625         and change our minds. Only when things are settled do we actually insert conversions.
2626         
2627         This is a necessary prerequisite for keeping double, int52, and JSValue data flow
2628         separate. A SetLocal/GetLocal will appear to be JSValue until we fixpoint and realize
2629         that there are typed uses. If we were eagerly inserting type conversions then we would
2630         first insert a to/from-JSValue conversion in some cases only to then replace it by
2631         the other conversions. It's probably trivial to remove those redundant conversions later
2632         but I think it's better if we don't insert them to begin with.
2633
2634         * bytecode/CodeOrigin.h:
2635         (JSC::CodeOrigin::operator!):
2636         * dfg/DFGFixupPhase.cpp:
2637         (JSC::DFG::FixupPhase::run):
2638         (JSC::DFG::FixupPhase::fixupBlock):
2639         (JSC::DFG::FixupPhase::fixupNode):
2640         (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
2641         (JSC::DFG::FixupPhase::fixEdge):
2642         (JSC::DFG::FixupPhase::fixIntEdge):
2643         (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
2644         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2645         (JSC::DFG::FixupPhase::addRequiredPhantom):
2646         (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
2647         (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
2648         (JSC::DFG::FixupPhase::observeUntypedEdge): Deleted.
2649         (JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock): Deleted.
2650         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode): Deleted.
2651
2652 2014-04-11  Brian J. Burg  <burg@cs.washington.edu>
2653
2654         Web Replay: code generator should consider enclosing class when computing duplicate type names
2655         https://bugs.webkit.org/show_bug.cgi?id=131554
2656
2657         Reviewed by Timothy Hatcher.
2658
2659         We need to prepend an enum's enclosing class, if any, so that multiple enums with the same name
2660         can coexist without triggering a "duplicate types" error. Now, such enums must be referenced
2661         by the enclosing class and enum name.
2662
2663         Added tests for the new syntax, and rebaselined one test to reflect a previous patch's change.
2664
2665         * replay/scripts/CodeGeneratorReplayInputs.py:
2666         (Type.type_name): Prepend the enclosing class name.
2667         (Type.type_name.is):
2668         * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Added.
2669         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Added.
2670         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Added.
2671         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Rebaseline.
2672         * replay/scripts/tests/fail-on-duplicate-enum-type.json: Added.
2673         * replay/scripts/tests/generate-enums-with-same-base-name.json: Added.
2674
2675 2014-04-11  Gavin Barraclough  <baraclough@apple.com>
2676
2677         Rollout - Rewrite Function.bind as a builtin
2678         https://bugs.webkit.org/show_bug.cgi?id=131083
2679
2680         Unreviewed.
2681
2682         Rolling out r167020 while investigating a performance regression.
2683
2684         * API/JSObjectRef.cpp:
2685         (JSObjectMakeConstructor):
2686         * API/JSScriptRef.cpp:
2687         (parseScript):
2688         * CMakeLists.txt:
2689         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2690         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2691         * JavaScriptCore.xcodeproj/project.pbxproj:
2692         * builtins/BuiltinExecutables.cpp:
2693         (JSC::BuiltinExecutables::createBuiltinExecutable):
2694         * builtins/Function.prototype.js:
2695         (apply):
2696         (bind.bindingFunction): Deleted.
2697         (bind.else.bindingFunction): Deleted.
2698         (bind): Deleted.
2699         * bytecode/UnlinkedCodeBlock.cpp:
2700         (JSC::generateFunctionCodeBlock):
2701         * bytecompiler/NodesCodegen.cpp:
2702         (JSC::InstanceOfNode::emitBytecode):
2703         * interpreter/Interpreter.cpp:
2704         * parser/Lexer.cpp:
2705         (JSC::Lexer<T>::Lexer):
2706         (JSC::Lexer<LChar>::parseIdentifier):
2707         (JSC::Lexer<UChar>::parseIdentifier):
2708         * parser/Lexer.h:
2709         * parser/Parser.cpp:
2710         (JSC::Parser<LexerType>::Parser):
2711         (JSC::Parser<LexerType>::parseInner):
2712         * parser/Parser.h:
2713         (JSC::parse):
2714         * parser/ParserModes.h:
2715         * runtime/ArgumentsIteratorConstructor.cpp:
2716         (JSC::ArgumentsIteratorConstructor::finishCreation):
2717         * runtime/ArrayConstructor.cpp:
2718         (JSC::ArrayConstructor::finishCreation):
2719         * runtime/BooleanConstructor.cpp:
2720         (JSC::BooleanConstructor::finishCreation):
2721         * runtime/CodeCache.cpp:
2722         (JSC::CodeCache::getGlobalCodeBlock):
2723         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
2724         * runtime/CommonIdentifiers.h:
2725         * runtime/Completion.cpp:
2726         (JSC::checkSyntax):
2727         * runtime/DateConstructor.cpp:
2728         (JSC::DateConstructor::finishCreation):
2729         * runtime/ErrorConstructor.cpp:
2730         (JSC::ErrorConstructor::finishCreation):
2731         * runtime/Executable.cpp:
2732         (JSC::ProgramExecutable::checkSyntax):
2733         * runtime/FunctionConstructor.cpp:
2734         (JSC::FunctionConstructor::finishCreation):
2735         * runtime/FunctionPrototype.cpp:
2736         (JSC::FunctionPrototype::addFunctionProperties):
2737         (JSC::functionProtoFuncBind):
2738         * runtime/JSArrayBufferConstructor.cpp:
2739         (JSC::JSArrayBufferConstructor::finishCreation):
2740         * runtime/JSBoundFunction.cpp: Added.
2741         (JSC::boundFunctionCall):
2742         (JSC::boundFunctionConstruct):
2743         (JSC::JSBoundFunction::create):
2744         (JSC::JSBoundFunction::destroy):
2745         (JSC::JSBoundFunction::customHasInstance):
2746         (JSC::JSBoundFunction::JSBoundFunction):
2747         (JSC::JSBoundFunction::finishCreation):
2748         (JSC::JSBoundFunction::visitChildren):
2749         * runtime/JSBoundFunction.h: Added.
2750         (JSC::JSBoundFunction::targetFunction):
2751         (JSC::JSBoundFunction::boundThis):
2752         (JSC::JSBoundFunction::boundArgs):
2753         (JSC::JSBoundFunction::createStructure):
2754         * runtime/JSFunction.cpp:
2755         (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
2756         (JSC::RetrieveCallerFunctionFunctor::operator()):
2757         (JSC::retrieveCallerFunction):
2758         (JSC::JSFunction::getOwnPropertySlot):
2759         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2760         (JSC::JSFunction::put):
2761         (JSC::JSFunction::defineOwnProperty):
2762         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2763         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
2764         * runtime/JSGlobalObject.cpp:
2765         (JSC::JSGlobalObject::reset):
2766         * runtime/JSGlobalObjectFunctions.cpp:
2767         (JSC::globalFuncSetTypeErrorAccessor): Deleted.
2768         * runtime/JSGlobalObjectFunctions.h:
2769         * runtime/JSObject.cpp:
2770         (JSC::JSObject::putDirectPrototypeProperty): Deleted.
2771         (JSC::JSObject::putDirectPrototypePropertyWithoutTransitions): Deleted.
2772         * runtime/JSObject.h:
2773         * runtime/JSPromiseConstructor.cpp:
2774         (JSC::JSPromiseConstructor::finishCreation):
2775         * runtime/MapConstructor.cpp:
2776         (JSC::MapConstructor::finishCreation):
2777         * runtime/MapIteratorConstructor.cpp:
2778         (JSC::MapIteratorConstructor::finishCreation):
2779         * runtime/NameConstructor.cpp:
2780         (JSC::NameConstructor::finishCreation):
2781         * runtime/NativeErrorConstructor.cpp:
2782         (JSC::NativeErrorConstructor::finishCreation):
2783         * runtime/NumberConstructor.cpp:
2784         (JSC::NumberConstructor::finishCreation):
2785         * runtime/ObjectConstructor.cpp:
2786         (JSC::ObjectConstructor::finishCreation):
2787         * runtime/RegExpConstructor.cpp:
2788         (JSC::RegExpConstructor::finishCreation):
2789         * runtime/SetConstructor.cpp:
2790         (JSC::SetConstructor::finishCreation):
2791         * runtime/SetIteratorConstructor.cpp:
2792         (JSC::SetIteratorConstructor::finishCreation):
2793         * runtime/StringConstructor.cpp:
2794         (JSC::StringConstructor::finishCreation):
2795         * runtime/WeakMapConstructor.cpp:
2796         (JSC::WeakMapConstructor::finishCreation):
2797
2798 2014-04-11  David Kilzer  <ddkilzer@apple.com>
2799
2800         [ASan] Build broke because libCompileRuntimeToLLVMIR.a links to libclang_rt.asan_osx_dynamic.dylib
2801         <http://webkit.org/b/131556>
2802         <rdar://problem/16591856>
2803
2804         Reviewed by Brent Fulgham.
2805
2806         * Configurations/CompileRuntimeToLLVMIR.xcconfig: Clear
2807         OTHER_LDFLAGS so the ASan build does not try to link to
2808         libclang_rt.asan_osx_dynamic.dylib.
2809
2810 2014-04-11  Mark Lam  <mark.lam@apple.com>
2811
2812         JSMainThreadExecState::call() should clear exceptions before returning.
2813         <https://webkit.org/b/131530>
2814
2815         Reviewed by Geoffrey Garen.
2816
2817         Added a version of JSC::call() that returns any uncaught exception instead
2818         of leaving it pending in the VM.
2819
2820         As part of this change, I updated various parts of the code base to use the
2821         new API as needed.
2822
2823         * bindings/ScriptFunctionCall.cpp:
2824         (Deprecated::ScriptFunctionCall::call):
2825         - ScriptFunctionCall::call() is only used by the inspector to inject scripts.
2826           The injected scripts will include Inspector scripts that should catch
2827           and handle any exceptions that were thrown.  We should not be seeing any
2828           exceptions returned from this call.  However, we do have checks for
2829           exceptions in case there are bugs in the Inspector scripts which allowed
2830           the exception to leak through.  Hence, it is proper to clear the exception
2831           here, and only record the fact that an exception was seen (if present).
2832
2833         * bindings/ScriptFunctionCall.h:
2834         * inspector/InspectorEnvironment.h:
2835         * runtime/CallData.cpp:
2836         (JSC::call):
2837         * runtime/CallData.h:
2838
2839 2014-04-11  Oliver Hunt  <oliver@apple.com>
2840
2841         Add BuiltinLog function to make debugging builtins easier
2842         https://bugs.webkit.org/show_bug.cgi?id=131550
2843
2844         Reviewed by Andreas Kling.
2845
2846         Add a logging function that builtins can use for debugging.
2847
2848         * runtime/CommonIdentifiers.h:
2849         * runtime/JSGlobalObject.cpp:
2850         (JSC::JSGlobalObject::reset):
2851         * runtime/JSGlobalObjectFunctions.cpp:
2852         (JSC::globalFuncBuiltinLog):
2853         * runtime/JSGlobalObjectFunctions.h:
2854
2855 2014-04-11  Julien Brianceau  <jbriance@cisco.com>
2856
2857         Fix LLInt for sh4 architecture (broken since C stack merge).
2858         https://bugs.webkit.org/show_bug.cgi?id=131532
2859
2860         Reviewed by Mark Lam.
2861
2862         This patch fixes build and also implements sh4 parts for initPCRelative and
2863         setEntryAddress macros introduced in http://trac.webkit.org/changeset/167094.
2864
2865         * llint/LowLevelInterpreter.asm:
2866         * llint/LowLevelInterpreter32_64.asm:
2867         * offlineasm/instructions.rb:
2868         * offlineasm/sh4.rb:
2869
2870 2014-04-10  Michael Saboff  <msaboff@apple.com>
2871
2872         Crash beneath DFG JIT code @ video.disney.com
2873         https://bugs.webkit.org/show_bug.cgi?id=131447
2874
2875         Reviewed by Geoffrey Garen.
2876
2877         The 32-bit path of speculateMisc() uses an 'is not int32' check followed by
2878         'tag not less than Undefined' check.  The first check was incorrectly elided if we
2879         knew that the value *was* an int32, when it should have been elided if we already
2880         knew that the value *was not* an int32.
2881
2882         * dfg/DFGSpeculativeJIT.cpp:
2883         (JSC::DFG::SpeculativeJIT::speculateMisc):
2884         * tests/stress/test-spec-misc.js: Added test.
2885         (getX):
2886         (foo):
2887         (bar):
2888
2889 2014-04-08  Filip Pizlo  <fpizlo@apple.com>
2890
2891         Make room for additional types in SpeculatedType.h
2892         https://bugs.webkit.org/show_bug.cgi?id=131422
2893
2894         Reviewed by Sam Weinig.
2895         
2896         This'll make it easier to add DoubleHeavyNaN and DoubleEmptyNaN.
2897
2898         * bytecode/SpeculatedType.h:
2899
2900 2014-04-10  Alex Christensen  <achristensen@webkit.org>
2901
2902         Compile fix for Win64.
2903         https://bugs.webkit.org/show_bug.cgi?id=131508
2904
2905         Reviewed by Geoffrey Garen.
2906
2907         * assembler/X86Assembler.h:
2908         (JSC::X86Assembler::fillNops):
2909         Added unsigned template parameter to distinguish between size_t and unsigned long.
2910
2911 2014-04-10  Michael Saboff  <msaboff@apple.com>
2912
2913         LLInt interpreter code should be generated as part of one function
2914         https://bugs.webkit.org/show_bug.cgi?id=131205
2915
2916         Reviewed by Mark Lam.
2917
2918         Changed the generation of llint opcodes so that they are all part of the same
2919         global function, llint_entry.  That function is used to fill in an entry point
2920         table that includes each of the opcodes and helpers.
2921
2922         * CMakeLists.txt:
2923         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
2924         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
2925         * JavaScriptCore.xcodeproj/project.pbxproj:
2926         Added appropriate use of new -I option to offline assembler and offset
2927         generator scripts.
2928
2929         * llint/LowLevelInterpreter.asm:
2930         * llint/LowLevelInterpreter.cpp:
2931         * llint/LowLevelInterpreter.h:
2932         * offlineasm/arm.rb:
2933         * offlineasm/arm64.rb:
2934         * offlineasm/asm.rb:
2935         * offlineasm/ast.rb:
2936         * offlineasm/backends.rb:
2937         * offlineasm/cloop.rb:
2938         * offlineasm/generate_offset_extractor.rb:
2939         * offlineasm/instructions.rb:
2940         * offlineasm/parser.rb:
2941         * offlineasm/registers.rb:
2942         * offlineasm/self_hash.rb:
2943         * offlineasm/settings.rb:
2944         * offlineasm/transform.rb:
2945         * offlineasm/x86.rb:
2946         Added a new "global" keyword to the offline assembler that denotes a label that
2947         should be exported.  Added opcode and operand support to get the absolute
2948         address of a local label using position independent calculations.  Updated the
2949         offline assembler to handle included files, both when generating the checksum
2950         as well as including files from other than the local directory via a newly
2951         added -I option.  The offline assembler now automatically determines external
2952         functions by keeping track of referenced functions that are defined within the
2953         assembly source.  This is used both for choosing the correct macro for external
2954         references as well as generating the needed EXTERN directives for masm.
2955         Updated the generation of the masm only .sym file to be written once at the end
2956         of the offline assembler.
2957
2958         * assembler/MacroAssemblerCodeRef.h:
2959         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
2960         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
2961         * bytecode/CodeBlock.cpp:
2962         (JSC::CodeBlock::dumpBytecode):
2963         (JSC::CodeBlock::CodeBlock):
2964         * bytecode/GetByIdStatus.cpp:
2965         (JSC::GetByIdStatus::computeFromLLInt):
2966         * bytecode/Opcode.h:
2967         (JSC::padOpcodeName):
2968         * bytecode/PutByIdStatus.cpp:
2969         (JSC::PutByIdStatus::computeFromLLInt):
2970         * jit/JIT.cpp:
2971         (JSC::JIT::privateCompileMainPass):
2972         * jit/JITStubs.h:
2973         * llint/LLIntCLoop.cpp:
2974         (JSC::LLInt::initialize):
2975         * llint/LLIntData.h:
2976         (JSC::LLInt::getCodeFunctionPtr):
2977         (JSC::LLInt::getOpcode): Deleted.
2978         (JSC::LLInt::getCodePtr): Deleted.
2979         * llint/LLIntOpcode.h:
2980         * llint/LLIntSlowPaths.cpp:
2981         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2982         * llint/LLIntThunks.cpp:
2983         (JSC::LLInt::functionForCallEntryThunkGenerator):
2984         (JSC::LLInt::functionForConstructEntryThunkGenerator):
2985         (JSC::LLInt::functionForCallArityCheckThunkGenerator):
2986         (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
2987         (JSC::LLInt::evalEntryThunkGenerator):
2988         (JSC::LLInt::programEntryThunkGenerator):
2989         * llint/LLIntThunks.h:
2990         Changed references to llint helpers to go through the entry point table populated
2991         by llint_entry.  Added helpers to OpcodeID enum for all builds.
2992
2993         * bytecode/BytecodeList.json:
2994         * generate-bytecode-files:
2995         * llint/LLIntCLoop.cpp:
2996         (JSC::LLInt::CLoop::initialize):
2997         Reordered sections to match the order that the functions are added to the entry point
2998         table.  Added new "asmPrefix" property for symbols that have one name but are generated
2999         with a prefix, e.g. op_enter -> llint_op_enter.  Eliminated the "emitDefineID" property
3000         as we are using enums for all bytecode references.  Changed the C Loop only
3001         llint_c_loop_init to llint_entry.
3002
3003 2014-04-10  Matthew Mirman  <mmirman@apple.com>
3004
3005         WIP for inlining C++.  Added a build target to produce LLVM IR.
3006         https://bugs.webkit.org/show_bug.cgi?id=130523
3007
3008         Reviewed by Mark Rowe.
3009
3010         * JavaScriptCore.xcodeproj/project.pbxproj:
3011         * build-symbol-table-index.py: Added.
3012         * build-symbol-table-index.sh: Added.
3013         * Configurations/CompileRuntimeToLLVMIR.xcconfig: Added.
3014         * copy-llvm-ir-to-derived-sources.sh: Added.
3015
3016 2014-04-10  Brian J. Burg  <burg@cs.washington.edu>
3017
3018         Web Replay: memoize plugin data for navigator.mimeTypes and navigator.plugins
3019         https://bugs.webkit.org/show_bug.cgi?id=131341
3020
3021         Reviewed by Timothy Hatcher.
3022
3023         Add support for encoding/decoding unsigned long with EncodedValue.
3024         It is a distinct type from uint32_t and uint64_t.
3025
3026         * replay/EncodedValue.cpp:
3027         (JSC::EncodedValue::convertTo<unsigned long>):
3028         * replay/EncodedValue.h:
3029
3030 2014-04-10  Mark Lam  <mark.lam@apple.com>
3031
3032         LLINT loadisFromInstruction should handle the big endian case.
3033         <https://webkit.org/b/131495>
3034
3035         Reviewed by Mark Hahnenberg.
3036
3037         The LLINT loadisFromInstruction macro aims to load the least significant
3038         32-bit word from the 64-bit bytecode instruction stream and sign extend
3039         it.  For big endian machines, the current implementation would load the
3040         wrong 32-bit word.
3041
3042         Without this fix, the JSC tests will crash on big endian machines.
3043         Thanks to Tomas Popela for diagnosing this issue.
3044
3045         * llint/LowLevelInterpreter.asm:
3046
3047 2014-04-09  Mark Lam  <mark.lam@apple.com>
3048
3049         Temporarily disable the JIT for the Windows port.
3050         <https://webkit.org/b/131470>
3051
3052         Reviewed by Brent Fulgham.
3053
3054         This is a temporary stopgap measure to green the Windows bots until
3055         we have a fix for https://webkit.org/b/131182.
3056
3057         * runtime/Options.cpp:
3058         (JSC::recomputeDependentOptions):
3059
3060 2014-04-09  Juergen Ributzka  <juergen@apple.com>
3061
3062         [FTL] Emit multibyte NOPs on X86-64
3063         https://bugs.webkit.org/show_bug.cgi?id=131394
3064
3065         Reviewed by Michael Saboff.
3066
3067         * assembler/X86Assembler.h:
3068         (JSC::X86Assembler::fillNops):
3069
3070 2014-04-09  Julien Brianceau  <jbriance@cisco.com>
3071
3072         Get rid of JITOperationWrappers.h header file.
3073         https://bugs.webkit.org/show_bug.cgi?id=131450
3074
3075         Reviewed by Michael Saboff.
3076
3077         JITOperationWrappers header file contains architecture specific code that is
3078         not needed anymore, so get rid of it.
3079
3080         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3081         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3082         * JavaScriptCore.xcodeproj/project.pbxproj:
3083         * dfg/DFGOperations.cpp:
3084         * jit/JITOperationWrappers.h: Removed.
3085         * jit/JITOperations.cpp:
3086
3087 2014-04-09  Mark Lam  <mark.lam@apple.com>
3088
3089         Ensure that LLINT accessing of the ProtoCallFrame is big endian friendly.
3090         <https://webkit.org/b/131449>
3091
3092         Reviewed by Mark Hahnenberg.
3093
3094         Change ProtoCallFrame::paddedArgCount to be of type uint32_t.  The argCount
3095         that it pads is of type int anyway.  It doesn't need to be 64 bit.  This
3096         also makes it work with the LLINT which is loading it with a loadi
3097         instruction.
3098
3099         We should add the PayLoadOffset to ProtoCallFrame::argCountAndCodeOriginValue
3100         when loading the argCount.
3101
3102         The paddedArgCount issue was causing failures when running the JSC tests on a
3103         64-bit big endian machine.  In this case, the paddedArgCount in the
3104         ProtoCallFrame has the value 2.  However, because the paddedArgCount was stored
3105         as a 64-bit size_t and the LLINT was loading only the low address 32-bits of
3106         that field, the LLINT got a value of 0 instead of the expected 2.  With this
3107         patch, we now have a matching store and load of a 32-bit value, and endianness
3108         no longer comes into play.
3109
3110         As for ProtoCallFrame::argCountAndCodeOriginValue, the argCount is stored in
3111         the payload field of the Register.  In the definition of EncodedValueDescriptor,
3112         we already ensure that the payload is in the least significant 32-bits for
3113         little endian machines, and in the most significant 32-bits for big endian
3114         machines.  This means that there is no endianness bug when loading this value
3115         using loadi.  However, adding the PayLoadOffset clarifies the intent of the
3116         code to load the payload part of the Register value.
3117
3118         * interpreter/ProtoCallFrame.h:
3119         (JSC::ProtoCallFrame::setPaddedArgCount):
3120         * llint/LowLevelInterpreter32_64.asm:
3121         * llint/LowLevelInterpreter64.asm:
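
The width and byte-order mismatch described in this entry and in the loadisFromInstruction entry above (<https://webkit.org/b/131495>), as an added example that is not JavaScriptCore code: it lays out a 64-bit field the way a little-endian and a big-endian host store it, performs the 32-bit load at the field's lowest address that the LLINT was doing, and compares that with a load of the least significant word plus the sign extension loadis provides. The names storeU64, decodeU32, lowAddressLoadOf, leastSignificantLoadOf and loadisOf are hypothetical, and the value 2 is the constructed paddedArgCount from the entry.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not JavaScriptCore code. Models the 64-bit-field/32-bit-load
   mismatch from the two LLINT big-endian entries: the byte layout of a 64-bit
   field on each kind of host, the 32-bit load at the field's lowest address
   that is only correct on little-endian hosts, the load of the least
   significant word that is correct on both, and loadis-style sign extension.
   All names here are hypothetical. */

/* Lay out a 64-bit value as a host of the given byte order stores it. */
static void storeU64(unsigned char out[8], uint64_t value, int littleEndian)
{
    for (int i = 0; i < 8; i++) {
        int shift = littleEndian ? i * 8 : (7 - i) * 8;
        out[i] = (unsigned char)(value >> shift);
    }
}

/* Decode the 4 bytes at p as that host's native 32-bit load would. */
static uint32_t decodeU32(const unsigned char* p, int littleEndian)
{
    uint32_t word = 0;
    for (int i = 0; i < 4; i++) {
        int shift = littleEndian ? i * 8 : (3 - i) * 8;
        word |= (uint32_t)p[i] << shift;
    }
    return word;
}

/* The pre-fix pattern: paddedArgCount stored as a 64-bit size_t and read by a
   32-bit loadi at the field's lowest address. On a big-endian host that reads
   the most significant half, so a stored 2 comes back as 0. */
static uint32_t lowAddressLoadOf(uint64_t stored, int littleEndian)
{
    unsigned char field[8];
    storeU64(field, stored, littleEndian);
    return decodeU32(field, littleEndian);
}

/* Endianness-aware load: the least significant word sits at offset 0 on a
   little-endian host and at offset 4 on a big-endian host. Matching the store
   and load widths (the uint32_t fix) removes the offset question entirely. */
static uint32_t leastSignificantLoadOf(uint64_t stored, int littleEndian)
{
    unsigned char field[8];
    storeU64(field, stored, littleEndian);
    return decodeU32(field + (littleEndian ? 0 : 4), littleEndian);
}

/* loadis semantics: the least significant 32 bits, sign extended to 64 bits. */
static int64_t loadisOf(uint64_t instructionWord, int littleEndian)
{
    uint32_t word = leastSignificantLoadOf(instructionWord, littleEndian);
    /* Sign extend without relying on an implementation-defined narrowing cast. */
    if (word & 0x80000000u)
        return (int64_t)word - ((int64_t)1 << 32);
    return (int64_t)word;
}

int main(void)
{
    /* Constructed value: paddedArgCount == 2, as in the entry. */
    printf("lowAddressLoadOf(2): LE=%u BE=%u\n",
           (unsigned)lowAddressLoadOf(2, 1), (unsigned)lowAddressLoadOf(2, 0));
    printf("leastSignificantLoadOf(2): LE=%u BE=%u\n",
           (unsigned)leastSignificantLoadOf(2, 1), (unsigned)leastSignificantLoadOf(2, 0));
    /* A negative 32-bit operand: 0xFFFFFFFF in the low word reads back as -1. */
    printf("loadisOf(0xFFFFFFFF): LE=%lld BE=%lld\n",
           (long long)loadisOf(0xFFFFFFFFu, 1), (long long)loadisOf(0xFFFFFFFFu, 0));
    return 0;
}
```

The second argument selects the simulated host byte order, so the big-endian failure (a stored 2 read back as 0) can be reproduced on a little-endian machine; the check a practitioner wants is that every store and load of a field agree on width and on which half of a wider word they address.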
3122
3123 2014-04-08  Oliver Hunt  <oliver@apple.com>
3124
3125         Rewrite Function.bind as a builtin
3126         https://bugs.webkit.org/show_bug.cgi?id=131083
3127
3128         Reviewed by Geoffrey Garen.
3129
3130         This change removes the existing function.bind implementation
3131         entirely so JSBoundFunction is no more.
3132
3133         Instead we just return a regular JS closure with a few
3134         private properties hanging off it that allow us to perform
3135         the necessary bound function fakery.  While most of this is
3136         simple, a couple of key changes:
3137
3138         - The parser and lexer now directly track whether they're
3139           parsing code for call or construct and convert the private
3140           name @IsConstructor into TRUETOK or FALSETOK as appropriate.
3141           This automatically gives us the ability to vary behaviour
3142           from within the builtin. It also leaves a lot of headroom
3143           for trivial future improvements.
3144         - The instanceof operator now uses the prototypeForHasInstance
3145           private name, and we have a helper function to ensure that
3146           all objects that need to can update their magical 'prototype'
3147           property pair correctly.
3148
3149         * API/JSScriptRef.cpp:
3150         (parseScript):
3151         * JavaScriptCore.xcodeproj/project.pbxproj:
3152         * builtins/BuiltinExecutables.cpp:
3153         (JSC::BuiltinExecutables::createBuiltinExecutable):
3154         * builtins/Function.prototype.js:
3155         (bind.bindingFunction):
3156         (bind.else.bindingFunction):
3157         (bind):
3158         * bytecode/UnlinkedCodeBlock.cpp:
3159         (JSC::generateFunctionCodeBlock):
3160         * bytecompiler/NodesCodegen.cpp:
3161         (JSC::InstanceOfNode::emitBytecode):
3162         * interpreter/Interpreter.cpp:
3163         * parser/Lexer.cpp:
3164         (JSC::Lexer<T>::Lexer):
3165         (JSC::Lexer<LChar>::parseIdentifier):
3166         (JSC::Lexer<UChar>::parseIdentifier):
3167         * parser/Lexer.h:
3168         * parser/Parser.cpp:
3169         (JSC::Parser<LexerType>::Parser):
3170         (JSC::Parser<LexerType>::parseInner):
3171         * parser/Parser.h:
3172         (JSC::parse):
3173         * parser/ParserModes.h:
3174         * runtime/CodeCache.cpp:
3175         (JSC::CodeCache::getGlobalCodeBlock):
3176         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
3177         * runtime/CommonIdentifiers.h:
3178         * runtime/Completion.cpp:
3179         (JSC::checkSyntax):
3180         * runtime/Executable.cpp:
3181         (JSC::ProgramExecutable::checkSyntax):
3182         * runtime/FunctionPrototype.cpp:
3183         (JSC::FunctionPrototype::addFunctionProperties):
3184         (JSC::functionProtoFuncBind): Deleted.
3185         * runtime/JSBoundFunction.cpp: Removed.
3186         * runtime/JSBoundFunction.h: Removed.
3187         * runtime/JSFunction.cpp:
3188         (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
3189         (JSC::RetrieveCallerFunctionFunctor::operator()):
3190         (JSC::retrieveCallerFunction):
3191         (JSC::JSFunction::getOwnPropertySlot):
3192         (JSC::JSFunction::defineOwnProperty):
3193         * runtime/JSGlobalObject.cpp:
3194         (JSC::JSGlobalObject::reset):
3195         * runtime/JSGlobalObjectFunctions.cpp:
3196         (JSC::globalFuncSetTypeErrorAccessor):
3197         * runtime/JSGlobalObjectFunctions.h:
3198         * runtime/JSObject.h:
3199         (JSC::JSObject::inlineGetOwnPropertySlot):
3200
3201 2014-04-08  Jon Lee  <jonlee@apple.com>
3202
3203         Turn MSE on by default
3204         https://bugs.webkit.org/show_bug.cgi?id=131313
3205         <rdar://problem/16525223>
3206
3207         Reviewed by Jer Noble.
3208
3209         * Configurations/FeatureDefines.xcconfig:
3210
3211 2014-04-08  Joseph Pecoraro  <pecoraro@apple.com>
3212
3213         Web Inspector: Prevent deadlocks receiving WIRPermissionDenied message
3214         https://bugs.webkit.org/show_bug.cgi?id=131406
3215
3216         Reviewed by Timothy Hatcher.
3217
3218         * inspector/remote/RemoteInspector.h:
3219         * inspector/remote/RemoteInspector.mm:
3220         (Inspector::RemoteInspector::stop):
3221         (Inspector::RemoteInspector::stopInternal):
3222         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
3223         Provide a way to stop externally and a path to stop when in
3224         the middle of handling a message already with the locked mutex.
3225
3226         * inspector/remote/RemoteInspectorXPCConnection.h:
3227         * inspector/remote/RemoteInspectorXPCConnection.mm:
3228         (Inspector::RemoteInspectorXPCConnection::close):
3229         (Inspector::RemoteInspectorXPCConnection::closeFromMessage):
3230         Provide a way to close externally and a path to close when in
3231         the middle of handling a message already with a mutex.
3232
3233 2014-04-08  Joseph Pecoraro  <pecoraro@apple.com>
3234
3235         Web Inspector: Address stale FIXMEs concerning console in JSContext inspection
3236         https://bugs.webkit.org/show_bug.cgi?id=131398
3237
3238         Reviewed by Timothy Hatcher.
3239
3240         * inspector/InjectedScriptSource.js:
3241         The console object can be deleted from a page or JSContext,
3242         so keep code that expects that it could have been deleted
3243         to be resilient in those cases.
3244
3245         * inspector/JSGlobalObjectScriptDebugServer.h:
3246         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
3247         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
3248         Change the FIXMEs to NOTEs that explain why these functions
3249         have empty implementations for JSContext inspection.
3250
3251 2014-04-08  Filip Pizlo  <fpizlo@apple.com>
3252
3253         Unreviewed, fix a goofy assertion to fix debug.
3254
3255         * bytecode/PolymorphicPutByIdList.h:
3256         (JSC::PutByIdAccess::isSetter):
3257         (JSC::PutByIdAccess::oldStructure):
3258         (JSC::PutByIdAccess::chain):
3259         (JSC::PutByIdAccess::stubRoutine):
3260         (JSC::PutByIdAccess::customSetter):
3261
3262 2014-04-08  Filip Pizlo  <fpizlo@apple.com>
3263
3264         Fail silently if the LLVM dylib isn't found
3265         https://bugs.webkit.org/show_bug.cgi?id=131385
3266
3267         Reviewed by Mark Hahnenberg.
3268
3269         * dfg/DFGPlan.cpp:
3270         (JSC::DFG::Plan::compileInThreadImpl):
3271         * llvm/InitializeLLVM.cpp:
3272         (JSC::initializeLLVM):
3273         * llvm/InitializeLLVM.h:
3274         * llvm/InitializeLLVMPOSIX.cpp:
3275         (JSC::initializeLLVMPOSIX):
3276
3277 2014-04-07  Filip Pizlo  <fpizlo@apple.com>
3278
3279         Repatch should support setters and plant calls to them directly
3280         https://bugs.webkit.org/show_bug.cgi?id=130750
3281
3282         Reviewed by Geoffrey Garen.
3283         
3284         All of the infrastructure was in place so this just enables setter optimization.
3285         
3286         This is a 12x speed-up on setter microbenchmarks. This is a 1% speed-up on Octane.
3287
3288         * bytecode/PolymorphicPutByIdList.cpp:
3289         (JSC::PutByIdAccess::visitWeak):
3290         * bytecode/PolymorphicPutByIdList.h:
3291         (JSC::PutByIdAccess::setter):
3292         (JSC::PutByIdAccess::customSetter): Deleted.
3293         * bytecode/PutByIdStatus.cpp:
3294         (JSC::PutByIdStatus::computeForStubInfo):
3295         * jit/Repatch.cpp:
3296         (JSC::toString):
3297         (JSC::kindFor):
3298         (JSC::customFor):
3299         (JSC::generateByIdStub):
3300         (JSC::tryCachePutByID):
3301         (JSC::tryBuildPutByIdList):
3302         * runtime/JSObject.cpp:
3303         (JSC::JSObject::put):
3304         * runtime/Lookup.h:
3305         (JSC::putEntry):
3306         * runtime/PutPropertySlot.h:
3307         (JSC::PutPropertySlot::setCacheableSetter):
3308         (JSC::PutPropertySlot::isCacheableSetter):
3309         (JSC::PutPropertySlot::isCacheableCustom):
3310         (JSC::PutPropertySlot::setCacheableCustomProperty): Deleted.
3311         (JSC::PutPropertySlot::isCacheableCustomProperty): Deleted.
3312         * tests/stress/setter.js: Added.
3313         (foo):
3314
3315 2014-04-07  Filip Pizlo  <fpizlo@apple.com>
3316
3317         Setters are just getters that take an extra argument and don't return a value
3318         https://bugs.webkit.org/show_bug.cgi?id=131336
3319
3320         Reviewed by Geoffrey Garen.
3321         
3322         Other than that, they're totally the same thing.
3323         
3324         This isn't as dumb as it sounds.
3325
3326         Most of the work in calling an accessor has to do with emitting the necessary checks for
3327         figuring out whether we're calling the accessor we expected, followed by the boilerplate
3328         needed for setting up a call inside of a stub. It makes sense for the code to be totally
3329         common.
3330
3331         * jit/AssemblyHelpers.h:
3332         (JSC::AssemblyHelpers::storeValue):
3333         (JSC::AssemblyHelpers::moveTrustedValue):
3334         * jit/CCallHelpers.h:
3335         (JSC::CCallHelpers::setupResults):
3336         * jit/Repatch.cpp:
3337         (JSC::kindFor):
3338         (JSC::customFor):
3339         (JSC::generateByIdStub):
3340         (JSC::tryCacheGetByID):
3341         (JSC::tryBuildGetByIDList):
3342         (JSC::tryCachePutByID):
3343         (JSC::tryBuildPutByIdList):
3344         (JSC::generateGetByIdStub): Deleted.
3345         (JSC::emitCustomSetterStub): Deleted.
3346         * runtime/JSCJSValue.h:
3347         (JSC::JSValue::asValue):
3348         * runtime/PutPropertySlot.h:
3349         (JSC::PutPropertySlot::cachedOffset):
3350
3351 2014-04-07  Joseph Pecoraro  <pecoraro@apple.com>
3352
3353         Web Inspector: Hang in debuggable application after receiving WIRPermissionDenied
3354         https://bugs.webkit.org/show_bug.cgi?id=131321
3355
3356         Reviewed by Mark Rowe.
3357
3358         * inspector/remote/RemoteInspector.mm:
3359         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
3360         Avoid attempting to take the same lock twice. Move the received message
3361         lock grab after the WIRPermissionDenied branch, which takes the lock
3362         inside RemoteInspector::stop.
3363
3364 2014-04-07  Filip Pizlo  <fpizlo@apple.com>
3365
3366         Make it possible to disable some of the FTL's more interesting features
3367         https://bugs.webkit.org/show_bug.cgi?id=131312
3368
3369         Reviewed by Mark Hahnenberg.
3370
3371         * dfg/DFGByteCodeParser.cpp:
3372         (JSC::DFG::ByteCodeParser::handleGetById):
3373         (JSC::DFG::ByteCodeParser::handlePutById):
3374         (JSC::DFG::ByteCodeParser::parse):
3375         * runtime/Options.h:
3376
3377 2014-04-04  Mark Lam  <mark.lam@apple.com>
3378
3379         Date object needs to check for ES5 15.9.1.14 TimeClip limit.
3380         <https://webkit.org/b/131248>
3381
3382         Reviewed by Mark Hahnenberg.
3383
3384         The current Date object code does not adequately check for the ES5
3385         15.9.1.14 TimeClip limit.  As a result, some calculations can underflow
3386         / overflow and produce unexpected results.
3387
3388         For example, we were getting an assertion failure in
3389         WTF::equivalentYearForDST() due to int underflows in this function, which
3390         in turn were due to an int overflow in WTF::msToYear().
3391
3392         This patch adds the needed checks, and adds some assertions to ensure
3393         that the used values are sane.
3394
3395         The changes have no noticeable impact on benchmark results.
3396
3397         * runtime/DateConstructor.cpp:
3398         (JSC::callDate):