Fast path for jsStringWithCache() when asked for the same string repeatedly.
WebKit-https.git: Source/JavaScriptCore/ChangeLog
2014-07-04  Andreas Kling  <akling@apple.com>

        Fast path for jsStringWithCache() when asked for the same string repeatedly.
        <https://webkit.org/b/134635>

        Also moved the whole thing from WebCore to JavaScriptCore since it
        makes more sense here, and inline the lightweight checks, leaving only
        the hashmap stuff out of line.

        Reviewed by Darin Adler.

        * runtime/JSString.cpp:
        (JSC::jsStringWithCacheSlowCase):
        * runtime/JSString.h:
        (JSC::jsStringWithCache):
        * runtime/VM.h:

2014-07-03  Daniel Bates  <dabates@apple.com>

        Add WTF::move()
        https://bugs.webkit.org/show_bug.cgi?id=134500

        Rubber-stamped by Anders Carlsson.

        Substitute WTF::move() for std::move().

        * bytecode/CodeBlock.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        * bytecompiler/BytecodeGenerator.cpp:
        * dfg/DFGGraph.cpp:
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGStackLayoutPhase.cpp:
        * dfg/DFGWorklist.cpp:
        * heap/DelayedReleaseScope.h:
        * heap/HeapInlines.h:
        [...]

2014-07-03  Filip Pizlo  <fpizlo@apple.com>

        SSA DCE should process blocks in forward order
        https://bugs.webkit.org/show_bug.cgi?id=134611

        Reviewed by Andreas Kling.

        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::run):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
        * tests/stress/dead-value-with-mov-hint-in-another-block.js: Added.
        (foo):

2014-07-03  Filip Pizlo  <fpizlo@apple.com>

        JSActivation::symbolTablePut() should invalidate variable watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=134602

        Reviewed by Oliver Hunt.

        Usually stores to captured variables cause us to invalidate the variable watchpoint because CodeBlock does so
        during linking - we essentially assume that if it's at all possible for an inner function to store to a
        variable we declare then this variable cannot be a constant. But this misses the dynamic store case, i.e.
        JSActivation::symbolTablePut(). Part of the problem here is that JSActivation duplicates
        JSSymbolTableObject's symbolTablePut() logic, which did have the invalidation. This patch keeps that code
        duplicated, but fixes JSActivation::symbolTablePut() to do the right thing.

        * runtime/JSActivation.cpp:
        (JSC::JSActivation::symbolTablePut):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTablePut):
        * tests/stress/constant-closure-var-with-dynamic-invalidation.js: Added.
        (.):

2014-07-01  Mark Lam  <mark.lam@apple.com>

        Debugger's breakpoint list should not be a Vector.
        <https://webkit.org/b/134514>

        Reviewed by Geoffrey Garen.

        The debugger currently stores breakpoint data as entries in a Vector (see
        BreakpointsInLine).  It also keeps a fast map look up of breakpoint IDs to
        the breakpoint data (see m_breakpointIDToBreakpoint).  Because a Vector can
        compact or reallocate its backing store, this can cause all sorts of havoc.
        The m_breakpointIDToBreakpoint map assumes that the breakpoint data doesn't
        move in memory.

        The fix is to replace the BreakpointsInLine Vector with a BreakpointsList
        doubly linked list.

        * debugger/Breakpoint.h:
        (JSC::Breakpoint::Breakpoint):
        (JSC::BreakpointsList::~BreakpointsList):
        * debugger/Debugger.cpp:
        (JSC::Debugger::setBreakpoint):
        (JSC::Debugger::removeBreakpoint):
        (JSC::Debugger::hasBreakpoint):
        * debugger/Debugger.h:

2014-06-30  Michael Saboff  <msaboff@apple.com>

        Add option to run-jsc-stress-tests to filter out tests that use large heaps
        https://bugs.webkit.org/show_bug.cgi?id=134458

        Reviewed by Filip Pizlo.

        Added test to skip js1_5/Regress/regress-159334.js when testing on a memory limited device.

        * tests/mozilla/mozilla-tests.yaml:

2014-06-30  Daniel Bates  <dabates@apple.com>

        Avoid copying closed variables vector; actually use move semantics

        Rubber-stamped by Oliver Hunt.

        Currently we always copy the closed variables vector passed by Parser::closedVariables()
        to ProgramNode::setClosedVariables() because these member functions return and take a const
        rvalue reference, respectively. Instead, these member functions should take and return a
        non-constant rvalue reference so that we actually move the closed variables vector from the
        Parser object to the Node object.

        * parser/Nodes.cpp:
        (JSC::ProgramNode::setClosedVariables): Remove const qualifier for argument.
        * parser/Nodes.h:
        (JSC::ScopeNode::setClosedVariables): Ditto.
        * parser/Parser.h:
        (JSC::Parser::closedVariables): Remove const qualifier on return type.
        (JSC::parse): Remove extraneous call to std::move(). Calling std::move() is unnecessary here
        because Parser::closedVariables() returns an rvalue reference.

2014-06-30  Joseph Pecoraro  <pecoraro@apple.com>

        JSContext Inspection: Provide a way to use a non-Main RunLoop for Inspector JavaScript Evaluations
        https://bugs.webkit.org/show_bug.cgi?id=134371

        Reviewed by Timothy Hatcher.

        * API/JSContextPrivate.h:
        * API/JSContext.mm:
        (-[JSContext _debuggerRunLoop]):
        (-[JSContext _setDebuggerRunLoop:]):
        Private API for setting the CFRunLoop for a debugger to evaluate in.

        * API/JSContextRefInternal.h: Added.
        * API/JSContextRef.cpp:
        (JSGlobalContextGetDebuggerRunLoop):
        (JSGlobalContextSetDebuggerRunLoop):
        Internal API for setting a CFRunLoop on a JSContextRef.
        Set this on the debuggable.

        * inspector/remote/RemoteInspectorDebuggable.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        (Inspector::RemoteInspectorBlock::RemoteInspectorBlock):
        (Inspector::RemoteInspectorBlock::~RemoteInspectorBlock):
        (Inspector::RemoteInspectorBlock::operator=):
        (Inspector::RemoteInspectorBlock::operator()):
        Moved into the header.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::inspectorDebuggable):
        Let's store the RunLoop on the debuggable instead of this core
        platform-agnostic class, so expose the debuggable.

        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorHandleRunSourceGlobal):
        (Inspector::RemoteInspectorQueueTaskOnGlobalQueue):
        (Inspector::RemoteInspectorInitializeGlobalQueue):
        Rename the global functions for clarity.

        (Inspector::RemoteInspectorHandleRunSourceWithInfo):
        Handler for private run loops.

        (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
        (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
        (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
        (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):
        (Inspector::RemoteInspectorDebuggableConnection::teardownRunLoop):
        (Inspector::RemoteInspectorDebuggableConnection::queueTaskOnPrivateRunLoop):
        Set up, tear down and use private run loop sources if the debuggable needs it.

2014-06-30  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>

        Add missing ENABLE(DFG_JIT) guards
        https://bugs.webkit.org/show_bug.cgi?id=134444

        Reviewed by Darin Adler.

        * dfg/DFGFunctionWhitelist.cpp:
        * dfg/DFGFunctionWhitelist.h:

2014-06-29  Yoav Weiss  <yoav@yoav.ws>

        Add support for HTMLImageElement's sizes attribute
        https://bugs.webkit.org/show_bug.cgi?id=133620

        Reviewed by Dean Jackson.

        Added an ENABLE_PICTURE_SIZES compile flag.

        * Configurations/FeatureDefines.xcconfig:

2014-06-27  Filip Pizlo  <fpizlo@apple.com>

        Don't fold a UInt32ToNumber with DoOverflow to Identity since that would result in an Identity that takes an Int32 and returns a DoubleRep
        https://bugs.webkit.org/show_bug.cgi?id=134412

        Reviewed by Mark Hahnenberg.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::setReplacement):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * tests/stress/uint32-to-number-fold-constant-with-do-overflow.js: Added.
        (foo):
        (bar):
        (baz):

2014-06-27  Peyton Randolph  <prandolph@apple.com>

        Add feature flag for link long-press gesture.
        https://bugs.webkit.org/show_bug.cgi?id=134262

        Reviewed by Enrica Casucci.

        * Configurations/FeatureDefines.xcconfig:
        Add ENABLE_LINK_LONG_PRESS.

2014-06-27  László Langó  <llango.u-szeged@partner.samsung.com>

        [JavaScriptCore] FTL buildfix for EFL platform.
        https://bugs.webkit.org/show_bug.cgi?id=133546

        Reviewed by Darin Adler.

        * ftl/FTLAbstractHeap.cpp:
        (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::forStackmaps):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::opposite):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Constant::dump):
        * llvm/InitializeLLVMPOSIX.cpp:
        (JSC::initializeLLVMPOSIX):

2014-06-26  Benjamin Poulain  <benjamin@webkit.org>

        iOS 8 beta 2 ES6 'Set' clear() broken
        https://bugs.webkit.org/show_bug.cgi?id=134346

        Reviewed by Oliver Hunt.

        The object map was not cleared :(.

        Kudos to Ashley Gullen for tracking this and making a regression test.
        Credit to Oliver for finding the missing code.

        * runtime/MapData.h:
        (JSC::MapData::clear):

2014-06-25  Brent Fulgham  <bfulgham@apple.com>

        [Win] Expose Cache Information to WinLauncher
        https://bugs.webkit.org/show_bug.cgi?id=134318

        Reviewed by Dean Jackson.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing
        MemoryStatistics files to the Windows build.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-06-26  David Kilzer  <ddkilzer@apple.com>

        DFG::FunctionWhitelist::parseFunctionNamesInFile does not close file
        <http://webkit.org/b/134343>
        <rdar://problem/17459487>

        Reviewed by Michael Saboff.

        * dfg/DFGFunctionWhitelist.cpp:
        (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
        Close the file handle, and log an error on failure.

2014-06-25  Dana Burkart  <dburkart@apple.com>

        Add support for 5-tuple versioning.

        Reviewed by David Farler.

        * Configurations/Version.xcconfig:

2014-06-25  Geoffrey Garen  <ggaren@apple.com>

        Build fix.

        Unreviewed.

        * runtime/JSDateMath.cpp:
        (JSC::parseDateFromNullTerminatedCharacters):
        * runtime/VM.cpp:
        (JSC::VM::resetDateCache): Use std::numeric_limits instead of QNaN
        constant since that constant doesn't exist anymore.

2014-06-25  Geoffrey Garen  <ggaren@apple.com>

        Unreviewed, rolling out r166876.

        Caused some ECMA test262 failures

        Reverted changeset:

        "Date object needs to check for ES5 15.9.1.14 TimeClip limit."
        https://bugs.webkit.org/show_bug.cgi?id=131248
        http://trac.webkit.org/changeset/166876

2014-06-25  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed gardening.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Update to
        put various files in proper IDE categories.

2014-06-25  peavo@outlook.com  <peavo@outlook.com>

        [Win64] ASM LLINT is not enabled.
        https://bugs.webkit.org/show_bug.cgi?id=130638

        This patch adds a new LLINT assembler backend for Win64, and implements it.
        It makes adjustments to follow the Win64 ABI spec where it's found to be needed.
        Also, LLINT and JIT are enabled for Win64.

        Reviewed by Mark Lam.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added JITStubsMSVC64.asm.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
        * JavaScriptCore/JavaScriptCore.vcxproj/jsc/jscCommon.props: Increased stack size to avoid stack overflow in tests.
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Generate assembler source file for Win64.
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::call): Follow Win64 ABI spec.
        * jit/JITStubsMSVC64.asm: Added.
        * jit/Repatch.cpp:
        (JSC::emitPutTransitionStub): Compile fix.
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator): Follow Win64 ABI spec.
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions): Ditto.
        * llint/LLIntOfflineAsmConfig.h: Enable new llint backend for Win64.
        * llint/LowLevelInterpreter.asm: Implement new Win64 backend, and follow Win64 ABI spec.
        * llint/LowLevelInterpreter64.asm: Ditto.
        * offlineasm/asm.rb: Compile fix.
        * offlineasm/backends.rb: Add new llint backend for Win64.
        * offlineasm/settings.rb: Compile fix.
        * offlineasm/x86.rb: Implement new llint Win64 backend.

2014-06-25  Laszlo Gombos  <l.gombos@samsung.com>

        Remove build guard for progress element
        https://bugs.webkit.org/show_bug.cgi?id=134292

        Reviewed by Benjamin Poulain.

        * Configurations/FeatureDefines.xcconfig:

2014-06-24  Michael Saboff  <msaboff@apple.com>

        Add support routines to provide descriptive JavaScript backtraces
        https://bugs.webkit.org/show_bug.cgi?id=134278

        Reviewed by Mark Lam.

        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::dump):
        (JSC::CallFrame::describeFrame):
        * interpreter/CallFrame.h:
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpForBacktrace):
        * runtime/JSCJSValue.h:

2014-06-24  Brady Eidson  <beidson@apple.com>

        Enable GAMEPAD in the Mac build, but disabled at runtime.
        https://bugs.webkit.org/show_bug.cgi?id=134255

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig:

        * runtime/JSObject.h: Export JSObject::removeDirect() to allow disabling
          functions at runtime.

2014-06-24  Mark Hahnenberg  <mhahnenberg@apple.com>

        REGRESSION (r169703): Invalid cast in JSC::asGetterSetter / JSC::JSObject::defineOwnNonIndexProperty
        https://bugs.webkit.org/show_bug.cgi?id=134046

        Reviewed by Filip Pizlo.

        * runtime/GetterSetter.h:
        (JSC::asGetterSetter):
        * runtime/JSObject.cpp:
        (JSC::JSObject::defineOwnNonIndexProperty): We need to check for a CustomGetterSetter here as well as
        a normal GetterSetter. If we encounter a CustomGetterSetter, we delete it, create a new normal GetterSetter,
        and insert it like normal. We also need to check for CustomAccessors when checking for unconfigurable properties.

2014-06-24  Brent Fulgham  <bfulgham@apple.com>

        [Win] MSVC mishandles enums in bitfields
        https://bugs.webkit.org/show_bug.cgi?id=134237

        Reviewed by Michael Saboff.

        Replace uses of enum types in bit fields with unsigned to
        avoid losing a bit to hold the sign value. This can result
        in Windows interpreting the value of the field improperly.

        * bytecode/StructureStubInfo.h:
        * parser/Nodes.h:

2014-06-23  Andreas Kling  <akling@apple.com>

        Inline the UnlinkedInstructionStream::Reader logic.
        <https://webkit.org/b/134203>

        This class is only used by CodeBlock to unpack the unlinked instructions,
        and we were spending 0.5% of total time on PLT calling Reader::next().
        Move the logic to the header file and mark it ALWAYS_INLINE.

        Reviewed by Geoffrey Garen.

        * bytecode/UnlinkedInstructionStream.cpp:
        * bytecode/UnlinkedInstructionStream.h:
        (JSC::UnlinkedInstructionStream::Reader::Reader):
        (JSC::UnlinkedInstructionStream::Reader::read8):
        (JSC::UnlinkedInstructionStream::Reader::read32):
        (JSC::UnlinkedInstructionStream::Reader::next):

2014-06-20  Sam Weinig  <sam@webkit.org>

        Remove static tables for bindings that use eager reification
        https://bugs.webkit.org/show_bug.cgi?id=134126

        Reviewed by Oliver Hunt.

        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectCustomAccessor):
        * runtime/Structure.h:
        (JSC::Structure::setHasCustomGetterSetterProperties):
        Change setHasCustomGetterSetterProperties to behave like setHasGetterSetterProperties, and set
        the m_hasReadOnlyOrGetterSetterPropertiesExcludingProto bit if the property is not __proto__.
        Without this, JSObject::put() won't think there are any setters on the prototype chain of an
        object that has no static lookup table and uses eagerly reified custom getter/setter properties.

2014-06-21  Brady Eidson  <beidson@apple.com>

        Gamepad API - Deprecate the existing implementation
        https://bugs.webkit.org/show_bug.cgi?id=134108

        Reviewed by Timothy Hatcher.

        -Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it
        -Move some implementation files into a "deprecated" subdirectory.

        * Configurations/FeatureDefines.xcconfig:

2014-06-21  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r170244.
        https://bugs.webkit.org/show_bug.cgi?id=134157

        GTK/EFL bindings generator works differently, making this
        patch not work there.  Will fix entire patch after a rollout.
        (Requested by bradee-oh on #webkit).

        Reverted changeset:

        "Gamepad API - Deprecate the existing implementation"
        https://bugs.webkit.org/show_bug.cgi?id=134108
        http://trac.webkit.org/changeset/170244

2014-06-21  Brady Eidson  <beidson@apple.com>

        Gamepad API - Deprecate the existing implementation
        https://bugs.webkit.org/show_bug.cgi?id=134108

        Reviewed by Timothy Hatcher.

        -Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it
        -Add the "Deprecated" suffix to some implementation files

        * Configurations/FeatureDefines.xcconfig:

2014-06-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        Removing PAGE_VISIBILITY_API compile guard.
        https://bugs.webkit.org/show_bug.cgi?id=133844

        Reviewed by Gavin Barraclough.

        * Configurations/FeatureDefines.xcconfig:

2014-06-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        ARM traditional buildfix after r169942.
        https://bugs.webkit.org/show_bug.cgi?id=134100

        Reviewed by Zoltan Herczeg.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::abortWithReason): Added.

2014-06-20  Andreas Kling  <akling@apple.com>

        [Cocoa] Release freed up blocks from the JS heap after simulated memory pressure.
        <https://webkit.org/b/134112>

        Reviewed by Mark Hahnenberg.

        * heap/BlockAllocator.h:

2014-06-19  Alex Christensen  <achristensen@webkit.org>

        Unreviewed fix after r170130.

        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj:
        Corrected directory so it can find common.props when opening Visual Studio.

2014-06-19  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        Remove ENABLE(LLINT) and ENABLE(LLINT_C_LOOP) guards
        https://bugs.webkit.org/show_bug.cgi?id=130389

        Reviewed by Mark Lam.

        Removed ENABLE(LLINT) since we always build with it, and changed ENABLE(LLINT_C_LOOP)
        into !ENABLE(JIT) since they are mutually exclusive.

        * CMakeLists.txt:
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
        (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
        * assembler/MaxFrameExtentForSlowPathCall.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFromLLInt):
        * bytecode/CodeBlock.cpp:
        (JSC::dumpStructure):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::unlinkCalls):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::linkIncomingCall):
        (JSC::CodeBlock::frameRegisterCount):
        * bytecode/CodeBlock.h:
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitConstruct):
        * heap/Heap.cpp:
        (JSC::Heap::gatherJSStackRoots):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::initialize):
        (JSC::Interpreter::isOpcode):
        * interpreter/Interpreter.h:
        (JSC::Interpreter::getOpcodeID):
        * interpreter/JSStack.cpp:
        (JSC::JSStack::JSStack):
        (JSC::JSStack::committedByteCount):
        * interpreter/JSStack.h:
        * interpreter/JSStackInlines.h:
        (JSC::JSStack::ensureCapacityFor):
        (JSC::JSStack::topOfFrameFor):
        (JSC::JSStack::setStackLimit):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        * jit/JIT.h:
        (JSC::JIT::compileCTINativeCall):
        * jit/JITExceptions.h:
        * jit/JITThunks.cpp:
        (JSC::JITThunks::ctiNativeCall):
        (JSC::JITThunks::ctiNativeConstruct):
        * llint/LLIntCLoop.cpp:
        * llint/LLIntCLoop.h:
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntData.h:
        (JSC::LLInt::Data::performAssertions): Deleted.
        * llint/LLIntEntrypoint.cpp:
        * llint/LLIntEntrypoint.h:
        * llint/LLIntExceptions.cpp:
        * llint/LLIntExceptions.h:
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntOffsetsExtractor.cpp:
        (JSC::LLIntOffsetsExtractor::dummy):
        * llint/LLIntOpcode.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LLIntThunks.cpp:
        * llint/LLIntThunks.h:
        * llint/LowLevelInterpreter.cpp:
        * llint/LowLevelInterpreter.h:
        * runtime/CommonSlowPaths.cpp:
        * runtime/CommonSlowPaths.h:
        * runtime/ErrorHandlingScope.cpp:
        (JSC::ErrorHandlingScope::ErrorHandlingScope):
        (JSC::ErrorHandlingScope::~ErrorHandlingScope):
        * runtime/Executable.cpp:
        (JSC::setupLLInt):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::sanitizeStackForVM):
        * runtime/VM.h:
        (JSC::VM::canUseJIT): Deleted.

2014-06-18  Alex Christensen  <achristensen@webkit.org>

        Add FTL to Windows build.
        https://bugs.webkit.org/show_bug.cgi?id=134015

        Reviewed by Filip Pizlo.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        Added ftl source files.
        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
        Added ftl and llvm directories to include path.
        * JavaScriptCore.vcxproj/libllvmForJSC: Added.
        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Added.
        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Added.
        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Added.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
        MSVC doesn't like to divide by zero while compiling.  Use std::nan instead.
        * llvm/InitializeLLVMWin.cpp: Added.
        (JSC::initializeLLVMImpl):
        Implemented dynamic loading and linking for Windows.

2014-06-18  Alex Christensen  <achristensen@webkit.org>

        Unreviewed build fix after r170107.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        Use non-template sub for armv7s.

2014-06-18  David Kilzer  <ddkilzer@apple.com>

        -[JSContext setName:] leaks NSString
        <http://webkit.org/b/134038>

        Reviewed by Joseph Pecoraro.

        Fixes the following static analyzer warning:

            JavaScriptCore/API/JSContext.mm:200:73: warning: Potential leak of an object
                JSStringRef nameJS = name ? JSStringCreateWithCFString((CFStringRef)[name copy]) : nullptr;
                                                                                    ^

        * API/JSContext.mm:
        (-[JSContext setName:]): Autorelease the copy of |name|.

2014-06-18  Mark Lam  <mark.lam@apple.com>

        DFGGraph::m_doubleConstantMap will not map 0 values correctly.
        <https://webkit.org/b/133994>

        Reviewed by Geoffrey Garen.

        DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
        because it means two unfortunate things:
        - It will probably break for zero.
        - It will think that -0 is the same as +0 under some circumstances, since
          -0==+0 even though they are distinct values (for example 1/-0 != 1/+0).

        The fix is to use std::unordered_map which does not require special empty
        and deleted values, and to use the raw bits instead of the double value as
        the key.

        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::addressOfDoubleConstant):

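The two problems the entry above names with a double-keyed map (zeros and signed zero) both come from keying on IEEE-754 equality instead of identity; NaN, which never equals itself, is a third member of the same family. The block below is an added example and not DFG code: `DoubleConstantPool` is a constructed stand-in for a JIT's constant pool, parameterised by a key policy so the value-keyed and bit-pattern-keyed variants can be compared side by side. It uses `std::unordered_map`, so the WTF::HashMap empty/deleted sentinel problem the entry mentions does not arise here and is not shown; what it does show is that value keys merge +0.0 with -0.0 and never find a stored NaN, while raw-bit keys (the ChangeLog's fix) keep every distinct bit pattern in its own slot.

```cpp
#include <cmath>
#include <cstdint>
#include <cstring>
#include <unordered_map>
#include <vector>

// Key policy that uses the raw IEEE-754 bit pattern, as the ChangeLog describes.
struct BitwiseKey {
    uint64_t operator()(double value) const {
        uint64_t bits;
        std::memcpy(&bits, &value, sizeof bits);
        return bits;
    }
};

// Key policy that uses the double itself; lookups then use IEEE equality,
// where -0.0 == +0.0 and NaN != NaN, which breaks a deduplicating table.
struct ValueKey {
    double operator()(double value) const { return value; }
};

// Constructed stand-in for a JIT's double-constant pool; not DFG code.
template <typename KeyPolicy>
class DoubleConstantPool {
public:
    // Returns the slot index for `value`, adding a new slot on first sight.
    size_t indexOf(double value) {
        auto key = KeyPolicy()(value);
        auto found = m_index.find(key);
        if (found != m_index.end())
            return found->second;
        size_t slot = m_constants.size();
        m_constants.push_back(value);
        m_index.emplace(key, slot);
        return slot;
    }
    size_t size() const { return m_constants.size(); }
    double at(size_t slot) const { return m_constants[slot]; }

private:
    using Key = decltype(KeyPolicy()(0.0));
    std::vector<double> m_constants;
    std::unordered_map<Key, size_t> m_index;
};

// With value keys, +0.0 and -0.0 collapse into one slot, so whichever was
// inserted first is what every later lookup of either zero returns.
size_t valueKeyedZeroSlots() {
    DoubleConstantPool<ValueKey> pool;
    pool.indexOf(0.0);
    pool.indexOf(-0.0);
    return pool.size();   // 1: the negative zero was silently merged
}

// Bitwise keys keep the two zeros apart; 1/-0.0 is -inf while 1/+0.0 is +inf.
bool bitwiseKeyedZerosDistinct() {
    DoubleConstantPool<BitwiseKey> pool;
    size_t positive = pool.indexOf(0.0);
    size_t negative = pool.indexOf(-0.0);
    return pool.size() == 2
        && std::signbit(pool.at(negative))
        && !std::signbit(pool.at(positive))
        && 1.0 / pool.at(negative) < 0;
}

// With value keys a NaN never compares equal to the stored NaN, so every
// lookup misses and the pool grows on each insert of the same constant.
size_t valueKeyedNaNSlots() {
    DoubleConstantPool<ValueKey> pool;
    double quietNaN = std::nan("");
    pool.indexOf(quietNaN);
    pool.indexOf(quietNaN);
    return pool.size();   // 2: the same constant was stored twice
}

// Bitwise keys compare the payload, so an identical NaN is found again.
size_t bitwiseKeyedNaNSlots() {
    DoubleConstantPool<BitwiseKey> pool;
    double quietNaN = std::nan("");
    pool.indexOf(quietNaN);
    pool.indexOf(quietNaN);
    return pool.size();   // 1
}
```

Keying on the bit pattern is the right choice whenever the table must treat values by identity rather than by numeric equality, which is what a constant pool needs: a JIT that hands back the +0.0 slot for a -0.0 constant changes program semantics (for example the sign of 1/x), and a pool that never deduplicates NaN grows without bound under repeated compilation.
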
2014-06-18  Alex Christensen  <achristensen@webkit.org>

        Remove duplicate code using sdiv.
        https://bugs.webkit.org/show_bug.cgi?id=133764

        Reviewed by Daniel Bates.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::sdiv):
        Make sdiv a template to match arm64.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithDiv):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        Remove duplicate code that was identical except for sdiv not being a template.

2014-06-17  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r170082.
        https://bugs.webkit.org/show_bug.cgi?id=134006

        Breaks build. (Requested by mlam on #webkit).

        Reverted changeset:

        "DFGGraph::m_doubleConstantMap will not map 0 values
        correctly."
        https://bugs.webkit.org/show_bug.cgi?id=133994
        http://trac.webkit.org/changeset/170082

2014-06-17  Mark Lam  <mark.lam@apple.com>

        DFGGraph::m_doubleConstantMap will not map 0 values correctly.
        <https://webkit.org/b/133994>

        Reviewed by Geoffrey Garen.

        DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
        because it means two unfortunate things:
        - It will probably break for zero.
        - It will think that -0 is the same as +0 under some circumstances, since
          -0==+0 even though they are distinct values (for example 1/-0 != 1/+0).

        The fix is to use std::unordered_map which does not require special empty
        and deleted values, and to use the raw bits instead of the double value as
        the key.

        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::addressOfDoubleConstant):

752 2014-06-17  Oliver Hunt  <oliver@apple.com>
753
754         Fix error messages for incorrect hex literals
755         https://bugs.webkit.org/show_bug.cgi?id=133998
756
757         Reviewed by Mark Lam.
758
759         Ensure that the error messages for bogus hex literals actually
760         make sense.
761
762         * parser/Lexer.cpp:
763         (JSC::Lexer<T>::lex):
764         * parser/ParserTokens.h:
765
766 2014-06-17  Matthew Mirman  <mmirman@apple.com>
767
768         Fixes a bug where building JSC sometimes crashes at build-symbol-table-index.py. Also adds licenses.
769         https://bugs.webkit.org/show_bug.cgi?id=133814
770
771         Reviewed by Filip Pizlo.
772         
773         Adds the "shopt -s nullglob" line necessary to prevent the loop in the shell
774         script from using "*.o" as a file when no other files in the directory exist.
775         
776         * build-symbol-table-index.sh: Added license.
777         * copy-llvm-ir-to-derived-sources.sh: Added license and "shopt -s nullglob" line.
778
779 2014-06-16  Sam Weinig  <sam@webkit.org>
780
781         Move forward declaration of bindings static functions into their implementation files
782         https://bugs.webkit.org/show_bug.cgi?id=133943
783
784         Reviewed by Geoffrey Garen.
785
786         * runtime/CommonIdentifiers.h:
787         Add a few identifiers that are needed by the DOM.
788
789 2014-06-16  Mark Lam  <mark.lam@apple.com>
790
791         Parser statementDepth accounting needs to account for when a function body excludes its braces.
792         <https://webkit.org/b/133832>
793
794         Reviewed by Oliver Hunt.
795
796         In some cases (e.g. when a Function object is instantiated from a string), the
797         function body source may not include its braces.  The parser needs to account
798         for this when calculating its statementDepth.
799
800         * bytecode/UnlinkedCodeBlock.cpp:
801         (JSC::generateFunctionCodeBlock):
802         (JSC::UnlinkedFunctionExecutable::codeBlockFor):
803         * bytecode/UnlinkedCodeBlock.h:
804         * parser/Parser.cpp:
805         (JSC::Parser<LexerType>::parseStatement):
806         - Also fixed the error message for declaring nested functions in strict mode
807           to be more accurate.
808         * parser/Parser.h:
809         (JSC::Parser<LexerType>::parse):
810         (JSC::parse):
811         * runtime/Executable.cpp:
812         (JSC::ScriptExecutable::newCodeBlockFor):
813
814 2014-06-16  Juergen Ributzka  <juergen@apple.com>
815
816         Change the order of the alias analysis passes to align with the opt pipeline of LLVM
817         https://bugs.webkit.org/show_bug.cgi?id=133753
818
819         Reviewed by Geoffrey Garen.
820
821         The order in which the alias analysis passes are added also affects the
822         order in which they are utilized. Change the order to align with the
823         one used by LLVM itself. The last alias analysis pass added will be
824         evaluated first. With this change we first perform a basic alias
825         analysis and then use the type-based alias analysis (if required).
826
827         * ftl/FTLCompile.cpp:
828         (JSC::FTL::compile):
829
830 2014-06-16  Juergen Ributzka  <juergen@apple.com>
831
832         Fix the arguments passed to the LLVM dylib
833         https://bugs.webkit.org/show_bug.cgi?id=133757
834
835         Reviewed by Geoffrey Garen.
836
837         The LLVM command line argument parser assumes that the first argument
838         is the program name. We need to add a fake program name, otherwise the
839         first argument will be parsed as program name and ignored.
840
841         * llvm/library/LLVMExports.cpp:
842         (initializeAndGetJSCLLVMAPI):
843
844 2014-06-16  Michael Saboff  <msaboff@apple.com>
845
846         Convert ASSERT in inlineFunctionForCapabilityLevel to early return
847         https://bugs.webkit.org/show_bug.cgi?id=133903
848
849         Reviewed by Mark Hahnenberg.
850
851         Hardened code by converting ASSERT to return CannotCompile.
852
853         * dfg/DFGCapabilities.h:
854         (JSC::DFG::inlineFunctionForCapabilityLevel):
855
856 2014-06-13  Sam Weinig  <sam@webkit.org>
857
858         Store DOM constants directly in the JS object rather than jumping through a custom accessor
859         https://bugs.webkit.org/show_bug.cgi?id=133898
860
861         Reviewed by Oliver Hunt.
862
863         * runtime/Lookup.h:
864         (JSC::HashTableValue::attributes):
865         Switch attributes to be stored as an unsigned rather than an unsigned char, since there is no difference in memory use
866         and it will make adding more flags possible.
867
868         (JSC::HashTableValue::propertyGetter):
869         (JSC::HashTableValue::propertyPutter):
870         Change assertion to use BuiltinOrFunctionOrConstant.
871
872         (JSC::HashTableValue::constantInteger):
873         Added.
874
875         (JSC::getStaticPropertySlot):
876         (JSC::getStaticValueSlot):
877         Use PropertySlot::setValue() for constants during static lookup.
878
879         (JSC::reifyStaticProperties):
880         Put the constant directly on the object when eagerly reifying.
881
882         * runtime/PropertySlot.h:
883         Add ConstantInteger flag and BuiltinOrFunctionOrConstant helper.
884
885 2014-06-14  Michael Saboff  <msaboff@apple.com>
886
887         operationCreateArguments could cause a GC during OSR exit
888         https://bugs.webkit.org/show_bug.cgi?id=133905
889
890         Reviewed by Filip Pizlo.
891
892         Defer GC via new wrapper functions for operationCreateArguments and operationCreateInlinedArguments
893         for use by OSR exit stubs.
894
895         * dfg/DFGOSRExitCompilerCommon.cpp:
896         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor):
897         * dfg/DFGOperations.cpp:
898         * dfg/DFGOperations.h:
899         * jit/JITOperations.cpp:
900         * jit/JITOperations.h:
901
902 2014-06-13  Mark Hahnenberg  <mhahnenberg@apple.com>
903
904         OSR exit should barrier the Executables for all InlineCallFrames, not just those on the stack at the time of exit
905         https://bugs.webkit.org/show_bug.cgi?id=133880
906
907         Reviewed by Filip Pizlo.
908
909         We could have exited due to a value received from an inlined block that's no longer on
910         the stack, so we should just barrier all InlineCallFrames.
911
912         * dfg/DFGOSRExitCompilerCommon.cpp:
913         (JSC::DFG::adjustAndJumpToTarget):
914
915 2014-06-13  Alex Christensen  <achristensen@webkit.org>
916
917         Make css jit compile for armv7.
918         https://bugs.webkit.org/show_bug.cgi?id=133596
919
920         Reviewed by Benjamin Poulain.
921
922         * assembler/MacroAssembler.h:
923         Use branchPtr on ARM_THUMB2.
924         * assembler/MacroAssemblerARMv7.h:
925         (JSC::MacroAssemblerARMv7::addPtrNoFlags):
926         (JSC::MacroAssemblerARMv7::or32):
927         (JSC::MacroAssemblerARMv7::test32):
928         (JSC::MacroAssemblerARMv7::branch):
929         (JSC::MacroAssemblerARMv7::branchPtr):
930         Added macros necessary for css jit.
931
932 2014-06-13  Filip Pizlo  <fpizlo@apple.com>
933
934         Unreviewed, fix ARMv7.
935
936         * assembler/MacroAssemblerARMv7.h:
937         (JSC::MacroAssemblerARMv7::abortWithReason):
938
939 2014-06-12  Filip Pizlo  <fpizlo@apple.com>
940
941         Even better diagnostics from DFG traps
942         https://bugs.webkit.org/show_bug.cgi?id=133836
943
944         Reviewed by Oliver Hunt.
945         
946         We now stuff the DFG::NodeType into a register before bailing. Also made the
947         DFGBailed abort reason a bit more specific. As planned, the new abort reasons use
948         different numbers than any previous abort reasons.
949
950         * assembler/AbortReason.h:
951         * assembler/MacroAssemblerARM64.h:
952         (JSC::MacroAssemblerARM64::abortWithReason):
953         * assembler/MacroAssemblerARMv7.h:
954         (JSC::MacroAssemblerARMv7::abortWithReason):
955         * assembler/MacroAssemblerX86.h:
956         (JSC::MacroAssemblerX86::abortWithReason):
957         * assembler/MacroAssemblerX86_64.h:
958         (JSC::MacroAssemblerX86_64::abortWithReason):
959         * dfg/DFGSpeculativeJIT.cpp:
960         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
961         (JSC::DFG::SpeculativeJIT::bail):
962         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
963         * dfg/DFGSpeculativeJIT.h:
964
965 2014-06-12  Simon Fraser  <simon.fraser@apple.com>
966
967         Fix assertions under JSC::setNeverInline() when running js tests in WebKitTestRunner
968         https://bugs.webkit.org/show_bug.cgi?id=133840
969
970         Reviewed by Filip Pizlo.
971         
972         Fix ASSERT(exec->vm().currentThreadIsHoldingAPILock()); under JSC::setNeverInline()
973         when running DFG tests.
974
975         * API/JSCTestRunnerUtils.cpp:
976         (JSC::numberOfDFGCompiles):
977         (JSC::setNeverInline):
978
979 2014-06-12  Brent Fulgham  <bfulgham@apple.com>
980
981         [Win] Avoid fork bomb during build
982         https://bugs.webkit.org/show_bug.cgi?id=133837
983         <rdar://problem/17296034>
984
985         Reviewed by Tim Horton.
986
987         * JavaScriptCore.vcxproj/build-generated-files.sh: Use a
988         reasonable default value when the 'num-cpus' script is not available.
989
990 2014-06-12  Mark Lam  <mark.lam@apple.com>
991
992         Remove some dead / unused code.
993         <https://webkit.org/b/133828>
994
995         Reviewed by Filip Pizlo.
996
997         * builtins/BuiltinExecutables.cpp:
998         (JSC::BuiltinExecutables::createBuiltinExecutable):
999         * bytecode/UnlinkedCodeBlock.cpp:
1000         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1001         * bytecode/UnlinkedCodeBlock.h:
1002         (JSC::UnlinkedFunctionExecutable::create):
1003         * bytecompiler/BytecodeGenerator.h:
1004         (JSC::BytecodeGenerator::makeFunction):
1005         * parser/Parser.h:
1006         (JSC::DepthManager::DepthManager): Deleted.
1007         (JSC::DepthManager::~DepthManager): Deleted.
1008         * runtime/CodeCache.cpp:
1009         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
1010
1011 2014-06-12  Mark Hahnenberg  <mhahnenberg@apple.com>
1012
1013         Move structureHasRareData out of TypeInfo
1014         https://bugs.webkit.org/show_bug.cgi?id=133800
1015
1016         Reviewed by Andreas Kling.
1017
1018         StructureHasRareData was originally put in TypeInfo to avoid making Structure bigger,
1019         but we have a few spare bits in Structure so it would be nice to remove this hack.
1020
1021         * runtime/JSTypeInfo.h:
1022         (JSC::TypeInfo::newImpurePropertyFiresWatchpoints):
1023         (JSC::TypeInfo::structureHasRareData): Deleted.
1024         * runtime/Structure.cpp:
1025         (JSC::Structure::Structure):
1026         (JSC::Structure::allocateRareData):
1027         (JSC::Structure::cloneRareDataFrom):
1028         * runtime/Structure.h:
1029         (JSC::Structure::previousID):
1030         (JSC::Structure::objectToStringValue):
1031         (JSC::Structure::setObjectToStringValue):
1032         (JSC::Structure::setPreviousID):
1033         (JSC::Structure::clearPreviousID):
1034         (JSC::Structure::previous):
1035         (JSC::Structure::rareData):
1036         * runtime/StructureInlines.h:
1037         (JSC::Structure::setEnumerationCache):
1038         (JSC::Structure::enumerationCache):
1039
1040 2014-06-12  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>
1041
1042         Allow enum guards to be generated from the replay json files
1043         https://bugs.webkit.org/show_bug.cgi?id=133399
1044
1045         Reviewed by Csaba Osztrogonác.
1046
1047         * replay/scripts/CodeGeneratorReplayInputs.py:
1048         (Type.__init__):
1049         (InputsModel.parse_type_with_framework_name):
1050         (Generator.generate_header):
1051         (Generator.generate_implementation):
1052         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Added.
1053         (Test::HandleWheelEvent::HandleWheelEvent):
1054         (Test::HandleWheelEvent::~HandleWheelEvent):
1055         (JSC::InputTraits<Test::HandleWheelEvent>::type):
1056         (JSC::InputTraits<Test::HandleWheelEvent>::encode):
1057         (JSC::InputTraits<Test::HandleWheelEvent>::decode):
1058         (JSC::EncodingTraits<WebCore::PlatformWheelEventPhase>::encodeValue):
1059         (JSC::EncodingTraits<WebCore::PlatformWheelEventPhase>::decodeValue):
1060         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Added.
1061         (JSC::InputTraits<Test::HandleWheelEvent>::queue):
1062         (Test::HandleWheelEvent::platformEvent):
1063         * replay/scripts/tests/generate-enum-with-guard.json: Added.
1064
1065 2014-06-12  Carlos Garcia Campos  <cgarcia@igalia.com>
1066
1067         Unreviewed. Fix GTK+ build after r169823.
1068
1069         Include StructureInlines.h in a few more files to fix linking
1070         issues due to JSC::Structure::get undefined symbol.
1071
1072         * runtime/ArrayIteratorConstructor.cpp:
1073         * runtime/ArrayIteratorPrototype.cpp:
1074         * runtime/JSConsole.cpp:
1075         * runtime/JSMapIterator.cpp:
1076         * runtime/JSSet.cpp:
1077         * runtime/JSSetIterator.cpp:
1078         * runtime/JSWeakMap.cpp:
1079         * runtime/MapIteratorPrototype.cpp:
1080         * runtime/MapPrototype.cpp:
1081         * runtime/SetIteratorPrototype.cpp:
1082         * runtime/SetPrototype.cpp:
1083         * runtime/WeakMapPrototype.cpp:
1084
1085 2014-06-12  Csaba Osztrogonác  <ossy@webkit.org>
1086
1087         [EFL] One more URTBF after r169823 to make ARM64 build happy too.
1088
1089         * runtime/JSMap.cpp:
1090
1091 2014-06-11  Mark Hahnenberg  <mhahnenberg@apple.com>
1092
1093         Inline caching should try to flatten uncacheable dictionaries
1094         https://bugs.webkit.org/show_bug.cgi?id=133683
1095
1096         Reviewed by Geoffrey Garen.
1097
1098         There exists a body of JS code that deletes properties off of objects (especially function/constructor objects),
1099         which puts them into an uncacheable dictionary state. This prevents all future inline caching for these objects.
1100         If properties are deleted out of the object during its initialization, we can enable caching for that object by
1101         attempting to flatten it when we see we're trying to do inline caching with that object. We then record that we
1102         performed this flattening optimization in the object's Structure. If it ever re-enters the uncacheable dictionary
1103         state then we can just give up on caching that object.
1104
1105         In refactoring some of the code in tryCacheGetById and tryBuildGetByIdList to reduce some duplication, I added
1106         the InlineCacheAction enum, a new way to indicate the success or failure of an inline caching attempt. I changed
1107         the other inline caching functions to return this enum rather than the opaque booleans that we were previously
1108         returning.
1109
1110         * jit/Repatch.cpp:
1111         (JSC::actionForCell):
1112         (JSC::tryCacheGetByID):
1113         (JSC::repatchGetByID):
1114         (JSC::tryBuildGetByIDList):
1115         (JSC::buildGetByIDList):
1116         (JSC::tryCachePutByID):
1117         (JSC::repatchPutByID):
1118         (JSC::tryBuildPutByIdList):
1119         (JSC::buildPutByIdList):
1120         (JSC::tryRepatchIn):
1121         (JSC::repatchIn):
1122         * runtime/Structure.cpp:
1123         (JSC::Structure::Structure):
1124         (JSC::Structure::flattenDictionaryStructure):
1125         * runtime/Structure.h:
1126         (JSC::Structure::hasBeenFlattenedBefore):
1127
1128 2014-06-11  Csaba Osztrogonác  <ossy@webkit.org>
1129
1130         [EFL] URTBF after r169823.
1131
1132         * bindings/ScriptValue.cpp: Missing include added.
1133
1134 2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>
1135
1136         Remove an unnecessary asObject(this) call inside JSObject::fastGetOwnPropertySlot.
1137
1138         Rubber-stamped by Andreas Kling.
1139
1140         * runtime/JSObject.h:
1141         (JSC::JSObject::fastGetOwnPropertySlot):
1142
1143 2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>
1144
1145         Turning on DUMP_PROPERTYMAP_STATS causes a build failure
1146         https://bugs.webkit.org/show_bug.cgi?id=133673
1147
1148         Reviewed by Andreas Kling.
1149
1150         Rewrote the property map statistics code because the old code wasn't building,
1151         and it was also mixing numbers for lookups and insertions/removals.
1152
1153         New logging code records the number of calls to PropertyTable::find (finds) and
1154         PropertyTable::get/PropertyTable::findWithString separately so that we can quantify
1155         the number of probing during updates and lookups.
1156
1157         * jsc.cpp:
1158         * runtime/PropertyMapHashTable.h:
1159         (JSC::PropertyTable::find):
1160         (JSC::PropertyTable::get):
1161         (JSC::PropertyTable::findWithString):
1162         (JSC::PropertyTable::add):
1163         (JSC::PropertyTable::remove):
1164         (JSC::PropertyTable::reinsert):
1165         (JSC::PropertyTable::rehash):
1166         * runtime/Structure.cpp:
1167         (JSC::PropertyMapStatisticsExitLogger::PropertyMapStatisticsExitLogger):
1168         (JSC::PropertyMapStatisticsExitLogger::~PropertyMapStatisticsExitLogger):
1169
1170 2014-06-11  Andreas Kling  <akling@apple.com>
1171
1172         Always inline JSValue::get() and Structure::get().
1173         <https://webkit.org/b/133755>
1174
1175         Reviewed by Ryosuke Niwa.
1176
1177         These functions get really hot, so ask the compiler to be more
1178         aggressive about inlining them.
1179
1180         ~28% speed-up on Ryosuke's microbenchmark for accessing nextSibling
1181         through GetByVal.
1182
1183         * runtime/JSArrayIterator.cpp:
1184         * runtime/JSCJSValue.cpp:
1185         * runtime/JSCJSValueInlines.h:
1186         (JSC::JSValue::get):
1187         * runtime/JSPromiseDeferred.cpp:
1188         * runtime/StructureInlines.h:
1189         (JSC::Structure::get):
1190
1191 2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>
1192
1193         Structure::get should instantiate DeferGC only when materializing property map
1194         https://bugs.webkit.org/show_bug.cgi?id=133727
1195
1196         Rubber-stamped by Andreas Kling.
1197
1198         Make materializePropertyMapIfNecessary always inline.
1199
1200         This is ~12% improvement on the microbenchmark attached in the bug.
1201
1202         * runtime/Structure.h:
1203         (JSC::Structure::materializePropertyMapIfNecessary):
1204         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
1205
1206 2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>
1207
1208         Structure::get should instantiate DeferGC only when materializing property map
1209         https://bugs.webkit.org/show_bug.cgi?id=133727
1210
1211         Reviewed by Geoffrey Garen.
1212
1213         DeferGC instances in Structure::get were added in http://trac.webkit.org/r157539 in order to avoid
1214         collecting the property table newly created by materializePropertyMapIfNecessary, since GC can happen
1215         when GCSafeConcurrentJITLocker goes out of scope.
1216
1217         However, always instantiating DeferGC inside Structure::get introduced a new performance bottleneck
1218         in JSObject::getPropertySlot because frequently incrementing and decrementing a counter in vm.m_heap
1219         and running a release assertion inside Heap::incrementDeferralDepth() is expensive.
1220
1221         Work around this by instantiating DeferGC only when we're actually calling materializePropertyMap,
1222         and immediately storing a pointer to the newly created property table in the stack before DeferGC
1223         goes out of scope so that the property table will be marked.
1224
1225         This shows 13-16% improvement on the microbenchmark attached in the bug.
1226
1227         * runtime/JSCJSValue.cpp:
1228         * runtime/JSObject.h:
1229         (JSC::JSObject::fastGetOwnPropertySlot):
1230         * runtime/Structure.h:
1231         (JSC::Structure::materializePropertyMapIfNecessary):
1232         * runtime/StructureInlines.h:
1233         (JSC::Structure::get):
1234
1235 2014-06-11  Andreas Kling  <akling@apple.com>
1236
1237         Some JSValue::get() micro-optimizations.
1238         <https://webkit.org/b/133739>
1239
1240         Tighten some of the property lookup code to improve performance of the
1241         eagerly reified prototype attributes:
1242
1243         - Instead of converting the property name to an integer at every step
1244           in the prototype chain, move that to a separate pass at the end
1245           since it should be a rare case.
1246
1247         - Cache the StructureIDTable in a local instead of fetching it from
1248           the Heap on every step.
1249
1250         - Make fillCustomGetterPropertySlot inline. It was out-of-lined based
1251           on the assumption that clients would mostly be cacheable GetByIds,
1252           and it gets pretty hot (~1%) in GetByVal.
1253
1254         - Pass the Structure directly to fillCustomGetterPropertySlot instead
1255           of refetching it from the StructureIDTable.
1256
1257         Reviewed by Geoff Garen.
1258
1259         * runtime/JSObject.cpp:
1260         (JSC::JSObject::fillCustomGetterPropertySlot): Deleted.
1261         * runtime/JSObject.h:
1262         (JSC::JSObject::inlineGetOwnPropertySlot):
1263         (JSC::JSObject::fillCustomGetterPropertySlot):
1264         (JSC::JSObject::getOwnPropertySlot):
1265         (JSC::JSObject::fastGetOwnPropertySlot):
1266         (JSC::JSObject::getPropertySlot):
1267         (JSC::JSObject::getOwnPropertySlotSlow): Deleted.
1268
1269 2014-06-10  Sam Weinig  <sam@webkit.org>
1270
1271         Don't create a HashTable for JSObjects that use eager reification
1272         https://bugs.webkit.org/show_bug.cgi?id=133705
1273
1274         Reviewed by Geoffrey Garen.
1275
1276         * runtime/Lookup.h:
1277         (JSC::reifyStaticProperties):
1278         Add a version of reifyStaticProperties that takes an array of HashTableValues
1279         rather than a HashTable.
1280
1281 2014-06-10  Filip Pizlo  <fpizlo@apple.com>
1282
1283         Prediction propagator should make sure everyone knows that a variable that is in an argument position where other versions of that variable are not MachineInts cannot possibly be flushed as Int52
1284         https://bugs.webkit.org/show_bug.cgi?id=133698
1285
1286         Reviewed by Geoffrey Garen and Mark Hahnenberg.
1287
1288         * dfg/DFGPredictionPropagationPhase.cpp:
1289         (JSC::DFG::PredictionPropagationPhase::propagate): Use the new utility to figure out if a variable could ever represent an Int52.
1290         * dfg/DFGVariableAccessData.cpp:
1291         (JSC::DFG::VariableAccessData::couldRepresentInt52): Add a new utility to detect early on if a variable could possibly be Int52.
1292         (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
1293         (JSC::DFG::VariableAccessData::flushFormat):
1294         * dfg/DFGVariableAccessData.h:
1295         * tests/stress/int52-inlined-call-argument.js: Added.
1296         (foo):
1297         (bar):
1298
1299 2014-06-10  Mark Lam  <mark.lam@apple.com>
1300
1301         Assertion failure at JSC::Structure::checkOffsetConsistency() const + 234.
1302         <https://webkit.org/b/133356>
1303
1304         Reviewed by Mark Hahnenberg.
1305
1306         The root cause of this issue is that a nonPropertyTransition can transition
1307         a pinned dictionary structure to an unpinned dictionary structure.  The new
1308         structure will get a copy of the property table from the original structure.
1309         However, when a GC occurs, the property table in the new structure will be
1310         cleared because it is unpinned.  This leads to complications in subsequent
1311         derivative structures when flattening occurs, which eventually leads to the
1312         assertion failure in this bug.
1313
1314         The fix is to ensure that the new dictionary structure generated by the
1315         nonPropertyTransition will have a copy of its predecessor's property table
1316         and is pinned.
1317
1318         * runtime/Structure.cpp:
1319         (JSC::Structure::nonPropertyTransition):
1320
1321 2014-06-10  Michael Saboff  <msaboff@apple.com>
1322
1323         In a certain app state, Array.prototype.filter() returns incorrect results
1324         https://bugs.webkit.org/show_bug.cgi?id=133577
1325
1326         Reviewed by Oliver Hunt.
1327
1328         Fixed the LLInt processing of op_put_by_val_direct to have the same hole check as op_put_by_val.
1329
1330         * llint/LowLevelInterpreter32_64.asm:
1331         * llint/LowLevelInterpreter64.asm:
1332
1333 2014-06-09  Mark Hahnenberg  <mhahnenberg@apple.com>
1334
1335         Global HashTables contain references to atomic StringImpls
1336         https://bugs.webkit.org/show_bug.cgi?id=133661
1337
1338         Reviewed by Geoffrey Garen.
1339
1340         This was a long-standing bug revealed by bug 133558. The issue is that the global static HashTables
1341         cache their set of keys as StringImpls that are associated with a particular VM.  This is obviously
1342         incompatible with using multiple VMs on multiple threads (e.g. when using workers). The fix is to
1343         change the "keys" field of the static HashTables to be char** instead of StringImpl**.
1344
1345         * runtime/JSObject.cpp:
1346         (JSC::getClassPropertyNames):
1347         * runtime/Lookup.cpp:
1348         (JSC::HashTable::createTable):
1349         (JSC::HashTable::deleteTable):
1350         * runtime/Lookup.h:
1351         (JSC::HashTable::ConstIterator::key):
1352         (JSC::HashTable::entry):
1353
1354 2014-06-09  Mark Hahnenberg  <mhahnenberg@apple.com>
1355
1356         Build fix after r169703
1357
1358         * JavaScriptCore.xcodeproj/project.pbxproj:
1359
1360 2014-06-05  Mark Hahnenberg  <mhahnenberg@apple.com>
1361
1362         Eagerly reify DOM prototype attributes
1363         https://bugs.webkit.org/show_bug.cgi?id=133558
1364
1365         Reviewed by Oliver Hunt.
1366
1367         This allows us to get rid of a lot of the additional overhead of pushing DOM attributes up into the prototype.
1368         By eagerly reifying the custom getters and setters into the actual JSObject we avoid having to override
1369         getOwnPropertySlot for all of the DOM prototypes, which is a lot of the overhead of doing property lookups on
1370         DOM wrappers.
1371
1372         * CMakeLists.txt:
1373         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1374         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1375         * JavaScriptCore.xcodeproj/project.pbxproj:
1376         * llint/LLIntData.cpp:
1377         (JSC::LLInt::Data::performAssertions):
1378         * llint/LowLevelInterpreter.asm:
1379         * runtime/BatchedTransitionOptimizer.h:
1380         (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
1381         * runtime/CustomGetterSetter.cpp: Added.
1382         (JSC::callCustomSetter):
1383         * runtime/CustomGetterSetter.h: Added.
1384         (JSC::CustomGetterSetter::create):
1385         (JSC::CustomGetterSetter::getter):
1386         (JSC::CustomGetterSetter::setter):
1387         (JSC::CustomGetterSetter::createStructure):
1388         (JSC::CustomGetterSetter::CustomGetterSetter):
1389         * runtime/JSCJSValue.cpp:
1390         (JSC::JSValue::putToPrimitive):
1391         * runtime/JSCJSValue.h:
1392         * runtime/JSCJSValueInlines.h:
1393         (JSC::JSValue::isCustomGetterSetter):
1394         * runtime/JSCell.h:
1395         * runtime/JSCellInlines.h:
1396         (JSC::JSCell::isCustomGetterSetter):
1397         (JSC::JSCell::canUseFastGetOwnProperty):
1398         * runtime/JSFunction.cpp:
1399         (JSC::JSFunction::isHostOrBuiltinFunction): Deleted.
1400         (JSC::JSFunction::isBuiltinFunction): Deleted.
1401         * runtime/JSFunction.h:
1402         * runtime/JSFunctionInlines.h: Inlined some random functions that appeared hot during profiling.
1403         (JSC::JSFunction::isBuiltinFunction):
1404         (JSC::JSFunction::isHostOrBuiltinFunction):
1405         * runtime/JSObject.cpp:
1406         (JSC::JSObject::put):
1407         (JSC::JSObject::putDirectCustomAccessor):
1408         (JSC::JSObject::fillGetterPropertySlot):
1409         (JSC::JSObject::fillCustomGetterPropertySlot):
1410         (JSC::JSObject::getOwnPropertySlotSlow): Deleted.
1411         * runtime/JSObject.h:
1412         (JSC::JSObject::hasCustomGetterSetterProperties):
1413         (JSC::JSObject::convertToDictionary):
1414         (JSC::JSObject::inlineGetOwnPropertySlot):
1415         (JSC::JSObject::getOwnPropertySlotSlow): Inlined because it looked hot during profiling.
1416         (JSC::JSObject::putOwnDataProperty):
1417         (JSC::JSObject::putDirect):
1418         (JSC::JSObject::putDirectWithoutTransition):
1419         * runtime/JSType.h:
1420         * runtime/Lookup.h:
1421         (JSC::reifyStaticProperties):
1422         * runtime/PropertyDescriptor.h:
1423         (JSC::PropertyDescriptor::PropertyDescriptor):
1424         * runtime/Structure.cpp:
1425         (JSC::Structure::Structure):
1426         (JSC::nextOutOfLineStorageCapacity): Deleted.
1427         (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Deleted.
1428         (JSC::Structure::get): Deleted.
1429         * runtime/Structure.h:
1430         (JSC::Structure::hasCustomGetterSetterProperties):
1431         (JSC::Structure::setHasCustomGetterSetterProperties):
1432         * runtime/StructureInlines.h:
1433         (JSC::Structure::get): Inlined due to hotness.
1434         (JSC::nextOutOfLineStorageCapacity): Inlined due to hotness.
1435         (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Inlined due to hotness.
1436         * runtime/VM.cpp:
1437         (JSC::VM::VM):
1438         * runtime/VM.h:
1439         * runtime/WriteBarrier.h:
1440         (JSC::WriteBarrierBase<Unknown>::isCustomGetterSetter):
1441
1442 2014-06-07  Mark Lam  <mark.lam@apple.com>
1443
1444         Structure should initialize its previousID in its constructor.
1445         <https://webkit.org/b/133606>
1446
1447         Reviewed by Mark Hahnenberg.
1448
1449         Currently, the Structure constructor that takes a previous structure will
1450         initialize its previousID to point to the previous structure's previousID.
1451         This is incorrect.  However, the caller of the Structure::create() factory
1452         method (which instantiated the Structure) will later call setPreviousID()
1453         to set the previousID to the correct previous structure.  This makes the
1454         code confusing to read and more error prone in that the structure relies
1455         on client code to fix its invalid previousID.
1456
1457         This patch fixes this by making the Structure constructor initialize
1458         previousID correctly.
1459
1460         * runtime/Structure.cpp:
1461         (JSC::Structure::Structure):
1462         (JSC::Structure::addPropertyTransition):
1463         (JSC::Structure::nonPropertyTransition):
1464         * runtime/Structure.h:
1465         * runtime/StructureInlines.h:
1466         (JSC::Structure::create):
1467
1468 2014-06-06  Andreas Kling  <akling@apple.com>
1469
1470         Indexed getters should return values directly on the PropertySlot.
1471         <https://webkit.org/b/133586>
1472
1473         Remove PropertySlot's custom index mode.
1474
1475         Reviewed by Darin Adler.
1476
1477         * runtime/JSObject.h:
1478         (JSC::PropertySlot::getValue):
1479         * runtime/PropertySlot.h:
1480         (JSC::PropertySlot::setCustomIndex): Deleted.
1481
1482 2014-06-04  Timothy Horton  <timothy_horton@apple.com>
1483
1484         iOS Debug build fix
1485
1486         Rubber-stamped by Filip Pizlo.
1487
1488         * Configurations/LLVMForJSC.xcconfig:
1489         Dead-code strip the llvmForJSC library unconditionally, to work around <rdar://problem/16920916>.
1490
1491 2014-06-04  Oliver Hunt  <oliver@apple.com>
1492
1493         ArrayIterator should not be exposed in Safari 8
1494         https://bugs.webkit.org/show_bug.cgi?id=133494
1495
1496         Reviewed by Michael Saboff.
1497
1498         Separate out types that require constructor objects, and don't
1499         include the iterator types in that list.
1500
1501         * runtime/JSGlobalObject.cpp:
1502         (JSC::JSGlobalObject::reset):
1503         * runtime/JSGlobalObject.h:
1504
1505 2014-06-04  Filip Pizlo  <fpizlo@apple.com>
1506
1507         DFG::Safepoint::begin() should set m_didCallBegin before releasing the rightToRun lock, because otherwise, Safepoint::checkLivenessAndVisitChildren() may assert due to a race
1508         https://bugs.webkit.org/show_bug.cgi?id=133525
1509         <rdar://problem/16790296>
1510
1511         Reviewed by Oliver Hunt.
1512
1513         * dfg/DFGSafepoint.cpp:
1514         (JSC::DFG::Safepoint::begin):
1515
1516 2014-06-03  Filip Pizlo  <fpizlo@apple.com>
1517
1518         LLVM soft-linking should be truly fail-silent
1519         https://bugs.webkit.org/show_bug.cgi?id=133482
1520
1521         Reviewed by Mark Lam.
1522
1523         * llvm/InitializeLLVMPOSIX.cpp:
1524         (JSC::initializeLLVMPOSIX): Missing return statement in the dlsym() returning null case.
1525
1526 2014-06-03  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
1527
1528         REGRESSION(r169092 and r169102): Skip failing JSC tests properly on non-x86 Darwin platforms
1529         https://bugs.webkit.org/show_bug.cgi?id=133149
1530
1531         Reviewed by Csaba Osztrogonác.
1532
1533         * tests/mozilla/mozilla-tests.yaml: Skip js1_5/Regress/regress-159334.js only if the architecture isn't x86 and the host is Darwin.
1534
1535 2014-05-31  Anders Carlsson  <andersca@apple.com>
1536
1537         Add a LazyNeverDestroyed class template and use it
1538         https://bugs.webkit.org/show_bug.cgi?id=133425
1539
1540         Reviewed by Darin Adler.
1541
1542         * dfg/DFGFunctionWhitelist.cpp:
1543         (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
1544         * dfg/DFGFunctionWhitelist.h:
1545
1546 2014-05-28  Filip Pizlo  <fpizlo@apple.com>
1547
1548         DFG::DCEPhase inserts into an insertion set in reverse, causing hilarious basic block corruption if you kill a lot of NewArrays
1549         https://bugs.webkit.org/show_bug.cgi?id=133368
1550
1551         Reviewed by Mark Lam.
1552
1553         * dfg/DFGDCEPhase.cpp:
1554         (JSC::DFG::DCEPhase::fixupBlock): Loop in the right order so that we insert in the right order.
1555         * tests/stress/new-array-dead.js: Added.
1556         (foo):
1557
1558 2014-05-28  Filip Pizlo  <fpizlo@apple.com>
1559
1560         Unreviewed, fix not-x86 32-bit.
1561
1562         * llint/LowLevelInterpreter32_64.asm:
1563
1564 2014-05-27  Filip Pizlo  <fpizlo@apple.com>
1565
1566         Arrayify neglects to inform the clobberizer that it might fire watchpoints
1567         https://bugs.webkit.org/show_bug.cgi?id=133340
1568
1569         Reviewed by Mark Lam.
1570
1571         * dfg/DFGClobberize.h:
1572         (JSC::DFG::clobberize): Be honest.
1573         * llint/LowLevelInterpreter32_64.asm: Profile the object, not its structure.
1574         * tests/stress/arrayify-fires-watchpoint.js: Added.
1575         (foo):
1576         (test):
1577         (makeObjectArray):
1578         * tests/stress/arrayify-structure-bad-test.js: Added.
1579         (foo):
1580         (test):
1581
1582 2014-05-27  Jon Lee  <jonlee@apple.com>
1583
1584         Update ENABLE(MEDIA_SOURCE) on Mac
1585         https://bugs.webkit.org/show_bug.cgi?id=133141
1586
1587         Reviewed by Darin Adler.
1588
1589         * Configurations/FeatureDefines.xcconfig:
1590
1591 2014-05-27  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>
1592
1593         Remove BLOB guards
1594         https://bugs.webkit.org/show_bug.cgi?id=132863
1595
1596         Reviewed by Csaba Osztrogonác.
1597
1598         * Configurations/FeatureDefines.xcconfig:
1599
1600 2014-05-27  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>
1601
1602         Allow building CMake based ports with WEB_REPLAY
1603         https://bugs.webkit.org/show_bug.cgi?id=133154
1604
1605         Reviewed by Csaba Osztrogonác.
1606
1607         * CMakeLists.txt:
1608
1609 2014-05-25  Filip Pizlo  <fpizlo@apple.com>
1610
1611         Latest emscripten life benchmark is 4x slower because the DFG doesn't realize that arithmetic on booleans is a thing
1612         https://bugs.webkit.org/show_bug.cgi?id=133136
1613
1614         Reviewed by Oliver Hunt.
1615         
1616         Some key concepts:
1617
1618         - Except for the prediction propagation and type fixup phases, which are super early in
1619           the pipeline, nobody has to know about the fact that booleans may flow into numerical
1620           operations because there will just be a BooleanToNumber node that will take a value
1621           and, if that value is a boolean, will convert it to the equivalent numerical value. It
1622           will have a BooleanUse mode where it will also speculate that the input is a boolean
1623           but it can also do UntypedUse in which case it will pass through any non-booleans.
1624           This operation is very easy to model in all of the compiler tiers.
1625
1626         - No changes to the baseline JIT. The Baseline JIT will still believe that boolean
1627           inputs require taking the slow path and it will still report that it took slow path
1628           for any such operations.  The DFG will now be smart enough to ignore baseline JIT slow
1629           path profiling on operations that were known to have had boolean inputs.  That's a
1630           little quirky, but it's probably easier than modifying the baseline JIT to track
1631           booleans correctly.
1632         
1633         4.1x speed-up on the emscripten "life" benchmark. Up to 10x speed-up on microbenchmarks.
1634
1635         * bytecode/SpeculatedType.h:
1636         (JSC::isInt32OrBooleanSpeculation):
1637         (JSC::isInt32SpeculationForArithmetic):
1638         (JSC::isInt32OrBooleanSpeculationForArithmetic):
1639         (JSC::isInt32OrBooleanSpeculationExpectingDefined):
1640         (JSC::isInt52Speculation):
1641         (JSC::isMachineIntSpeculation):
1642         (JSC::isFullNumberOrBooleanSpeculation):
1643         (JSC::isFullNumberOrBooleanSpeculationExpectingDefined):
1644         (JSC::isInt32SpeculationExpectingDefined): Deleted.
1645         (JSC::isMachineIntSpeculationExpectingDefined): Deleted.
1646         (JSC::isMachineIntSpeculationForArithmetic): Deleted.
1647         (JSC::isBytecodeNumberSpeculationExpectingDefined): Deleted.
1648         (JSC::isFullNumberSpeculationExpectingDefined): Deleted.
1649         * dfg/DFGAbstractInterpreterInlines.h:
1650         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1651         * dfg/DFGAllocator.h:
1652         (JSC::DFG::Allocator<T>::indexOf):
1653         * dfg/DFGByteCodeParser.cpp:
1654         (JSC::DFG::ByteCodeParser::makeSafe):
1655         (JSC::DFG::ByteCodeParser::makeDivSafe):
1656         (JSC::DFG::ByteCodeParser::handleIntrinsic):
1657         * dfg/DFGCSEPhase.cpp:
1658         (JSC::DFG::CSEPhase::performNodeCSE):
1659         * dfg/DFGClobberize.h:
1660         (JSC::DFG::clobberize):
1661         * dfg/DFGCommon.h:
1662         * dfg/DFGConstantFoldingPhase.cpp:
1663         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1664         * dfg/DFGFixupPhase.cpp:
1665         (JSC::DFG::FixupPhase::fixupNode):
1666         (JSC::DFG::FixupPhase::fixIntConvertingEdge):
1667         (JSC::DFG::FixupPhase::fixIntOrBooleanEdge):
1668         (JSC::DFG::FixupPhase::fixDoubleOrBooleanEdge):
1669         (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
1670         (JSC::DFG::FixupPhase::fixIntEdge): Deleted.
1671         * dfg/DFGGraph.h:
1672         (JSC::DFG::Graph::addSpeculationMode):
1673         (JSC::DFG::Graph::valueAddSpeculationMode):
1674         (JSC::DFG::Graph::arithAddSpeculationMode):
1675         (JSC::DFG::Graph::addShouldSpeculateInt32):
1676         (JSC::DFG::Graph::mulShouldSpeculateInt32):
1677         (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
1678         (JSC::DFG::Graph::negateShouldSpeculateInt32):
1679         (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
1680         (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
1681         (JSC::DFG::Graph::mulImmediateShouldSpeculateInt32): Deleted.
1682         * dfg/DFGNode.h:
1683         (JSC::DFG::Node::sawBooleans):
1684         (JSC::DFG::Node::shouldSpeculateInt32OrBoolean):
1685         (JSC::DFG::Node::shouldSpeculateInt32ForArithmetic):
1686         (JSC::DFG::Node::shouldSpeculateInt32OrBooleanForArithmetic):
1687         (JSC::DFG::Node::shouldSpeculateInt32OrBooleanExpectingDefined):
1688         (JSC::DFG::Node::shouldSpeculateMachineInt):
1689         (JSC::DFG::Node::shouldSpeculateDouble):
1690         (JSC::DFG::Node::shouldSpeculateNumberOrBoolean):
1691         (JSC::DFG::Node::shouldSpeculateNumberOrBooleanExpectingDefined):
1692         (JSC::DFG::Node::shouldSpeculateNumber):
1693         (JSC::DFG::Node::canSpeculateInt32):
1694         (JSC::DFG::Node::canSpeculateInt52):
1695         (JSC::DFG::Node::sourceFor):
1696         (JSC::DFG::Node::shouldSpeculateInt32ExpectingDefined): Deleted.
1697         (JSC::DFG::Node::shouldSpeculateMachineIntForArithmetic): Deleted.
1698         (JSC::DFG::Node::shouldSpeculateMachineIntExpectingDefined): Deleted.
1699         (JSC::DFG::Node::shouldSpeculateDoubleForArithmetic): Deleted.
1700         (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined): Deleted.
1701         * dfg/DFGNodeFlags.cpp:
1702         (JSC::DFG::dumpNodeFlags):
1703         * dfg/DFGNodeFlags.h:
1704         (JSC::DFG::nodeMayOverflow):
1705         (JSC::DFG::nodeMayNegZero):
1706         (JSC::DFG::nodeCanSpeculateInt32):
1707         (JSC::DFG::nodeCanSpeculateInt52):
1708         * dfg/DFGNodeType.h:
1709         * dfg/DFGPredictionPropagationPhase.cpp:
1710         (JSC::DFG::PredictionPropagationPhase::run):
1711         (JSC::DFG::PredictionPropagationPhase::propagateToFixpoint):
1712         (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
1713         (JSC::DFG::PredictionPropagationPhase::propagate):
1714         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
1715         * dfg/DFGSafeToExecute.h:
1716         (JSC::DFG::safeToExecute):
1717         * dfg/DFGSpeculativeJIT.cpp:
1718         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1719         * dfg/DFGSpeculativeJIT32_64.cpp:
1720         (JSC::DFG::SpeculativeJIT::compile):
1721         * dfg/DFGSpeculativeJIT64.cpp:
1722         (JSC::DFG::SpeculativeJIT::compile):
1723         * ftl/FTLCapabilities.cpp:
1724         (JSC::FTL::canCompile):
1725         * ftl/FTLLowerDFGToLLVM.cpp:
1726         (JSC::FTL::LowerDFGToLLVM::compileNode):
1727         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
1728         (JSC::FTL::LowerDFGToLLVM::compileBooleanToNumber):
1729         * runtime/JSCJSValue.h:
1730         * runtime/JSCJSValueInlines.h:
1731         (JSC::JSValue::asInt32ForArithmetic):
1732         * tests/stress/max-boolean-exit.js: Added.
1733         (foo):
1734         (test):
1735         * tests/stress/mul-boolean-exit.js: Added.
1736         (foo):
1737         (test):
1738         * tests/stress/plus-boolean-exit.js: Added.
1739         (foo):
1740         (test):
1741         * tests/stress/plus-boolean-or-double.js: Added.
1742         (foo):
1743         (test):
1744         * tests/stress/plus-boolean-or-int.js: Added.
1745         (foo):
1746         (test):
1747
1748 2014-05-26  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>
1749
1750         Remove dead code from VM.cpp
1751         https://bugs.webkit.org/show_bug.cgi?id=133284
1752
1753         Reviewed by Darin Adler.
1754
1755         This workaround was added in r127505. Since clang is the
1756         only compiler used in this case, this workaround is obsolete.
1757
1758         * runtime/VM.cpp:
1759         (JSC::enableAssembler):
1760
1761 2014-05-26  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
1762
1763         JSC CLoop warning fix
1764         https://bugs.webkit.org/show_bug.cgi?id=133259
1765
1766         Reviewed by Darin Adler.
1767
1768         * llint/LLIntSlowPaths.cpp:
1769         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1770
1771 2014-05-24  Andreas Kling  <akling@apple.com>
1772
1773         Object.prototype.toString() should use cached strings for null/undefined.
1774         <https://webkit.org/b/133261>
1775
1776         Normally, when calling Object.prototype.toString() on a regular object,
1777         we'd cache the result of the stringification on the object's structure,
1778         making repeated calls fast.
1779
1780         For null and undefined, we were not as smart. We'd instead construct a
1781         new string with either "[object Null]" or "[object Undefined]" each time.
1782
1783         This was exposed by Dromaeo's JS library tests, where some prototype.js
1784         subtests generate millions of strings this way.
1785
1786         This patch adds two VM-permanent cached strings to the SmallStrings.
1787         Looks like ~10% speed-up on Dromaeo/jslib-traverse-prototype.html.
1788
1789         Reviewed by Darin Adler.
1790
1791         * runtime/ObjectPrototype.cpp:
1792         (JSC::objectProtoFuncToString):
1793         * runtime/SmallStrings.cpp:
1794         (JSC::SmallStrings::SmallStrings):
1795         (JSC::SmallStrings::initializeCommonStrings):
1796         (JSC::SmallStrings::visitStrongReferences):
1797         * runtime/SmallStrings.h:
1798         (JSC::SmallStrings::nullObjectString):
1799         (JSC::SmallStrings::undefinedObjectString):
1800
1801 2014-05-23  Mark Hahnenberg  <mhahnenberg@apple.com>
1802
1803         Remove operationCallGetter
1804
1805         Rubber stamped by Filip Pizlo.
1806
1807         Nobody calls this function.
1808
1809         * JavaScriptCore.order:
1810         * jit/JITOperations.cpp:
1811         * jit/JITOperations.h:
1812
1813 2014-05-23  Andreas Kling  <akling@apple.com>
1814
1815         Templatize GC's destructor invocation for dtor type.
1816         <https://webkit.org/b/133231>
1817
1818         Get rid of a branch in callDestructor() by templatizing it for
1819         the DestructorType. Removed JSCell::methodTableForDestruction()
1820         since this was the only call site and it was jumping through
1821         a bunch of unnecessary hoops.
1822
1823         Reviewed by Geoffrey Garen.
1824
1825         * heap/MarkedBlock.cpp:
1826         (JSC::MarkedBlock::callDestructor):
1827         (JSC::MarkedBlock::specializedSweep):
1828         * heap/MarkedBlock.h:
1829         * runtime/JSCell.h:
1830         * runtime/JSCellInlines.h:
1831         (JSC::JSCell::methodTableForDestruction): Deleted.
1832
1833 2014-05-23  Andreas Kling  <akling@apple.com>
1834
1835         Support inline caching of RegExpMatchesArray.length
1836         <https://webkit.org/b/133234>
1837
1838         Give RegExpMatchesArray.length the same treatment as JSArray in
1839         repatch so we don't have to go out of line on every access.
1840
1841         ~13% speed-up on Octane/regexp.
1842
1843         Reviewed by Geoffrey Garen.
1844
1845         * jit/Repatch.cpp:
1846         (JSC::tryCacheGetByID):
1847         * runtime/RegExpMatchesArray.h:
1848         (JSC::isRegExpMatchesArray):
1849
1850 2014-05-22  Mark Lam  <mark.lam@apple.com>
1851
1852         REGRESSION(r154797): Debugger crashes when stepping over an uncaught exception.
1853         <https://webkit.org/b/133182>
1854
1855         Reviewed by Oliver Hunt.
1856
1857         Before r154797, we used to clear the VM exception before calling into the
1858         debugger.  After r154797, we don't.  This patch will restore this clearing
1859         of the exception before calling into the debugger.
1860
1861         Also added assertions after returning from calls into the debugger to
1862         ensure that the debugger did not introduce any exceptions.
1863
1864         * interpreter/Interpreter.cpp:
1865         (JSC::unwindCallFrame):
1866         (JSC::Interpreter::unwind):
1867         (JSC::Interpreter::debug):
1868         - Fixed the assertion here.  Interpreter::debug() should never be called
1869           with a pending exception.  Debugger callbacks for exceptions should be
1870           handled by Interpreter::unwind() and Interpreter::unwindCallFrame().
1871
1872 2014-05-21  Filip Pizlo  <fpizlo@apple.com>
1873
1874         Store barrier elision should run after DCE in both the DFG path and the FTL path
1875         https://bugs.webkit.org/show_bug.cgi?id=129718
1876
1877         Rubber stamped by Mark Hahnenberg.
1878
1879         * dfg/DFGPlan.cpp:
1880         (JSC::DFG::Plan::compileInThreadImpl):
1881
1882 2014-05-21  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>
1883
1884         [EFL] Add include path of compact_unwind_encoding.h if FTL JIT is enabled
1885         https://bugs.webkit.org/show_bug.cgi?id=132907
1886
1887         Reviewed by Gyuyoung Kim.
1888
1889         * CMakeLists.txt:
1890
1891 2014-05-16  Martin Robinson  <mrobinson@igalia.com>
1892
1893         [CMake] Improve handling of LIB_INSTALL_DIR, EXEC_INSTALL_DIR, and LIBEXEC_INSTALL_DIR
1894         https://bugs.webkit.org/show_bug.cgi?id=132819
1895
1896         Reviewed by Carlos Garcia Campos.
1897
1898         * javascriptcoregtk.pc.in: Instead of using the special pkg-config variables,
1899         use the common CMake ones directly.
1900
1901 2014-05-21  Filip Pizlo  <fpizlo@apple.com>
1902
1903         Unreviewed, roll out http://trac.webkit.org/changeset/169159.
1904         
1905         This was a unilateral change and wasn't properly reviewed.
1906
1907         * tests/mozilla/mozilla-tests.yaml:
1908
1909 2014-05-21  Antoine Quint  <graouts@webkit.org>
1910
1911         Array.prototype.find and findIndex should skip holes
1912         https://bugs.webkit.org/show_bug.cgi?id=132658
1913
1914         Reviewed by Geoffrey Garen.
1915
1916         Skip holes in the array when iterating such that the callback isn't called for them.
1917
1918         * builtins/Array.prototype.js:
1919         (find):
1920         (findIndex):
1921
1922 2014-05-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
1923
1924         REGRESSION(r169092 and r169102): Skip failing JSC tests on ARM64 properly
1925         https://bugs.webkit.org/show_bug.cgi?id=133149
1926
1927         Reviewed by Csaba Osztrogonác.
1928
1929         * tests/mozilla/mozilla-tests.yaml:
1930
1931 2014-05-20  Geoffrey Garen  <ggaren@apple.com>
1932
1933         Rolled out <http://trac.webkit.org/changeset/166184>
1934         https://bugs.webkit.org/show_bug.cgi?id=133144
1935
1936         Reviewed by Gavin Barraclough.
1937
1938         It caused a performance regression.
1939
1940         * heap/BlockAllocator.cpp:
1941         (JSC::BlockAllocator::blockFreeingThreadStartFunc):
1942
1943 2014-05-20  Filip Pizlo  <fpizlo@apple.com>
1944
1945         DFG prediction propagation should agree with fixup phase over the return type of GetByVal
1946         https://bugs.webkit.org/show_bug.cgi?id=133134
1947
1948         Reviewed by Mark Hahnenberg.
1949         
1950         Make prediction propagator use ArrayMode refinement to decide the return type.
1951         
1952         Also introduce a heap prediction intrinsic that allows us to test weird corner cases
1953         like this. The only way we'll see a mismatch like this in the real world is probably
1954         through a gnarly race condition.
1955
1956         * dfg/DFGByteCodeParser.cpp:
1957         (JSC::DFG::ByteCodeParser::handleIntrinsic):
1958         * dfg/DFGNode.h:
1959         (JSC::DFG::Node::setHeapPrediction):
1960         * dfg/DFGPredictionPropagationPhase.cpp:
1961         (JSC::DFG::PredictionPropagationPhase::propagate):
1962         * jsc.cpp:
1963         (GlobalObject::finishCreation):
1964         (functionFalse1):
1965         (functionFalse2):
1966         (functionUndefined1):
1967         (functionUndefined2):
1968         (functionFalse): Deleted.
1969         (functionOtherFalse): Deleted.
1970         (functionUndefined): Deleted.
1971         * runtime/Intrinsic.h:
1972         * tests/stress/get-by-val-double-predicted-int.js: Added.
1973         (foo):
1974
1975 2014-05-20  Mark Hahnenberg  <mhahnenberg@apple.com>
1976
1977         Watchdog timer should be lazily allocated
1978         https://bugs.webkit.org/show_bug.cgi?id=133135
1979
1980         Reviewed by Geoffrey Garen.
1981
1982         We incur a noticeable amount of overhead on some benchmarks due to checking if the Watchdog ever fired. 
1983         There is no reason to do this checking if we never activated the Watchdog, which can only be done through 
1984         JSContextGroupSetExecutionTimeLimit or JSContextGroupClearExecutionTimeLimit. 
1985
1986         By allocating the Watchdog lazily on the VM we can avoid all of the associated overhead when we don't use 
1987         these two API functions (which is true of most clients).
1988
1989         * API/JSContextRef.cpp:
1990         (JSContextGroupSetExecutionTimeLimit):
1991         (JSContextGroupClearExecutionTimeLimit):
1992         * dfg/DFGByteCodeParser.cpp:
1993         (JSC::DFG::ByteCodeParser::parseBlock):
1994         * dfg/DFGSpeculativeJIT32_64.cpp:
1995         (JSC::DFG::SpeculativeJIT::compile):
1996         * dfg/DFGSpeculativeJIT64.cpp:
1997         (JSC::DFG::SpeculativeJIT::compile):
1998         * interpreter/Interpreter.cpp:
1999         (JSC::Interpreter::execute):
2000         (JSC::Interpreter::executeCall):
2001         (JSC::Interpreter::executeConstruct):
2002         * jit/JITOpcodes.cpp:
2003         (JSC::JIT::emit_op_loop_hint):
2004         (JSC::JIT::emitSlow_op_loop_hint):
2005         * jit/JITOperations.cpp:
2006         * llint/LLIntSlowPaths.cpp:
2007         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2008         * runtime/VM.h:
2009         * runtime/Watchdog.cpp:
2010         (JSC::Watchdog::Scope::Scope): Deleted.
2011         (JSC::Watchdog::Scope::~Scope): Deleted.
2012         * runtime/Watchdog.h:
2013         (JSC::Watchdog::Scope::Scope):
2014         (JSC::Watchdog::Scope::~Scope):
2015
2016 2014-05-19  Mark Hahnenberg  <mhahnenberg@apple.com>
2017
2018         JSArray::shiftCountWith* could be more efficient
2019         https://bugs.webkit.org/show_bug.cgi?id=133011
2020
2021         Reviewed by Geoffrey Garen.
2022
2023         Our current implementations of shiftCountWithAnyIndexingType and shiftCountWithArrayStorage 
2024         are scared of the presence of any holes in the array. We can mitigate this somewhat by enabling 
2025         them to correctly handle holes, thus avoiding the slowest of slow paths in most cases.
2026
2027         * runtime/ArrayStorage.h:
2028         (JSC::ArrayStorage::indexingHeader):
2029         (JSC::ArrayStorage::length):
2030         (JSC::ArrayStorage::hasHoles):
2031         * runtime/IndexingHeader.h:
2032         (JSC::IndexingHeader::publicLength):
2033         (JSC::IndexingHeader::from):
2034         * runtime/JSArray.cpp:
2035         (JSC::JSArray::shiftCountWithArrayStorage):
2036         (JSC::JSArray::shiftCountWithAnyIndexingType):
2037         (JSC::JSArray::unshiftCountWithArrayStorage):
2038         * runtime/JSArray.h:
2039         (JSC::JSArray::shiftCountForShift):
2040         (JSC::JSArray::shiftCountForSplice):
2041         (JSC::JSArray::shiftCount):
2042         * runtime/Structure.cpp:
2043         (JSC::Structure::holesRequireSpecialBehavior):
2044         * runtime/Structure.h:
2045
2046 2014-05-19  Filip Pizlo  <fpizlo@apple.com>
2047
2048         Test gardening: skip some failing tests on not-X86.
2049
2050         * tests/mozilla/mozilla-tests.yaml:
2051
2052 2014-05-19  Mark Lam  <mark.lam@apple.com>
2053
2054         operationOptimize() should defer the GC for a while.
2055         <https://webkit.org/b/133103>
2056
2057         Reviewed by Filip Pizlo.
2058
2059         Currently, operationOptimize() only defers the GC until its end.  As a result,
2060         a GC may be triggered just before we return from operationOptimize(), and it may
2061         jettison the optimize codeBlock that we're planning to OSR enter into when we
2062         return from this function.  This is because the OSR entry on-ramp code hasn't
2063         been executed yet, and hence, there is not yet a reference to this new codeBlock
2064         from the stack, and there won't be until we've had a chance to return out of
2065         operationOptimize() to run the OSR entry on-ramp code.
2066
2067         This issue is now fixed by using DeferGCForAWhile instead of DeferGC.  This
2068         ensures that the GC will be deferred until after the OSR entry on-ramp can be
2069         executed.
2070
2071         * jit/JITOperations.cpp:
2072
2073 2014-05-19  Filip Pizlo  <fpizlo@apple.com>
2074
2075         Take care of some ARM64 test failures
2076         https://bugs.webkit.org/show_bug.cgi?id=133090
2077
2078         Reviewed by Geoffrey Garen.
2079         
2080         Constant blinding on ARM64 cannot use the scratch register.
2081
2082         * assembler/MacroAssembler.h:
2083         (JSC::MacroAssembler::convertInt32ToDouble):
2084         (JSC::MacroAssembler::branchPtr):
2085         (JSC::MacroAssembler::storePtr):
2086         (JSC::MacroAssembler::store64):
2087         * assembler/MacroAssemblerARM64.h:
2088         (JSC::MacroAssemblerARM64::scratchRegisterForBlinding):
2089
2090 2014-05-19  Tanay C  <tanay.c@samsung.com>
2091
2092         Removing some check-webkit-style warnings from ./dfg
2093         https://bugs.webkit.org/show_bug.cgi?id=132854
2094
2095         Reviewed by Darin Adler.
2096
2097         * dfg/DFGAbstractInterpreter.h:
2098         * dfg/DFGAbstractValue.h:
2099         * dfg/DFGBlockInsertionSet.h:
2100         * dfg/DFGCommonData.h:
2101         * dfg/DFGDominators.h:
2102         * dfg/DFGGraph.h:
2103         * dfg/DFGInPlaceAbstractState.h:
2104         * dfg/DFGPredictionPropagationPhase.h:
2105
2106 2014-05-18  Filip Pizlo  <fpizlo@apple.com>
2107
2108         Unreviewed, remove bogus comment. We already made the FTL use our calling convention.
2109         That was a long time ago.
2110
2111         * ftl/FTLLowerDFGToLLVM.cpp:
2112         (JSC::FTL::LowerDFGToLLVM::compileReturn):
2113
2114 2014-05-18  Rik Cabanier  <cabanier@adobe.com>
2115
2116         support for navigator.hardwareConcurrency
2117         https://bugs.webkit.org/show_bug.cgi?id=132588
2118
2119         Reviewed by Filip Pizlo.
2120
2121         * Configurations/FeatureDefines.xcconfig:
2122
2123 2014-05-16  Michael Saboff  <msaboff@apple.com>
2124
2125         Crash in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed() due to WTF::CrashOnOverflow::overflowed + 9
2126         https://bugs.webkit.org/show_bug.cgi?id=133009
2127
2128         Reviewed by Oliver Hunt.
2129
2130         If we determine that any alternative requires a minimum match size greater than
2131         INT_MAX, we handle the match in the interpreter.
2132
2133         Check to see if the pattern has unsigned lengths before invoking YARR JIT.
2134         * runtime/RegExp.cpp:
2135         (JSC::RegExp::compile):
2136         (JSC::RegExp::compileMatchOnly):
2137
2138         * tests/stress/large-regexp.js: New test added.
2139
2140         Set m_containsUnsignedLengthPattern flag if any alternative's minimum length
2141         doesn't fit in an int.
2142         * yarr/YarrPattern.cpp:
2143         (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):
2144
2145         Clear new m_containsUnsignedLengthPattern flag.
2146         * yarr/YarrPattern.cpp:
2147         (JSC::Yarr::YarrPattern::YarrPattern):
2148         * yarr/YarrPattern.h:
2149         (JSC::Yarr::YarrPattern::reset):
2150         (JSC::Yarr::YarrPattern::containsUnsignedLengthPattern):
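
        The check described in this entry, as an added example that is not JSC's YarrPattern code: a
        constructed model of a pattern (alternatives of terms with a quantifier lower bound, atoms of
        width 1, nested groups) whose minimum match length is computed with overflow-checked arithmetic,
        so a pattern whose minimum length does not fit in an int is routed to the interpreter instead of
        the JIT rather than tripping the CrashOnOverflow abort. Term, atom(), group(), computeMinimumSize()
        and chooseBackend() are names chosen here, not JSC's.

```cpp
#include <climits>
#include <cstdio>
#include <utility>
#include <vector>

// Constructed model of a YARR-style disjunction (example code, not JSC's YarrPattern):
// a disjunction is a list of alternatives, each alternative a sequence of terms.
// A term is an atom of fixed width (a character or class, width 1) or a parenthesised
// sub-disjunction; quantityMin is the quantifier lower bound ({n,m} -> n, '*' -> 0, '+' -> 1).
struct Term {
    unsigned atomWidth;                    // width of one repetition when group is empty
    unsigned quantityMin;                  // minimum number of repetitions of this term
    std::vector<std::vector<Term>> group;  // non-empty: nested disjunction, atomWidth ignored
};
using Alternative = std::vector<Term>;
using Disjunction = std::vector<Alternative>;

Term atom(unsigned quantityMin = 1) { return Term{1, quantityMin, {}}; }
Term group(Disjunction alternatives, unsigned quantityMin = 1)
{
    return Term{0, quantityMin, std::move(alternatives)};
}

struct MinimumSize {
    bool fitsInt;    // false: some alternative's minimum length does not fit in an int
    unsigned value;  // minimum over all alternatives, meaningful only when fitsInt
};

// Computes the minimum match length with overflow-checked arithmetic. Every place
// that returns {false, 0} is a point where an unchecked computation would either
// wrap or exceed INT_MAX; the pattern is flagged instead of aborting.
MinimumSize computeMinimumSize(const Disjunction& alternatives)
{
    unsigned best = UINT_MAX;
    for (const Alternative& alternative : alternatives) {
        unsigned minimumSize = 0;
        for (const Term& term : alternative) {
            unsigned width = term.atomWidth;
            if (!term.group.empty()) {
                MinimumSize inner = computeMinimumSize(term.group);
                if (!inner.fitsInt)
                    return {false, 0};
                width = inner.value;
            }
            unsigned repeated = 0;
            if (__builtin_mul_overflow(width, term.quantityMin, &repeated))
                return {false, 0};  // e.g. (?:a{65536}){65536} wraps 32-bit unsigned
            if (__builtin_add_overflow(minimumSize, repeated, &minimumSize))
                return {false, 0};
            if (minimumSize > static_cast<unsigned>(INT_MAX))
                return {false, 0};  // fits in unsigned but not in int
        }
        if (minimumSize < best)
            best = minimumSize;
    }
    return {true, alternatives.empty() ? 0u : best};
}

enum class Backend { JIT, Interpreter };

// Mirrors the decision in the fix: patterns with an unsigned-length alternative
// are compiled by the interpreter, everything else may go to the JIT.
Backend chooseBackend(const Disjunction& pattern)
{
    return computeMinimumSize(pattern).fitsInt ? Backend::JIT : Backend::Interpreter;
}

int main()
{
    // Constructed sample patterns: a{5}|bc and (?:a{65536}){65536}.
    Disjunction small{Alternative{atom(5)}, Alternative{atom(), atom()}};
    Disjunction nested{Alternative{group(Disjunction{Alternative{atom(65536)}}, 65536)}};
    std::printf("a{5}|bc -> %s (min %u)\n",
        chooseBackend(small) == Backend::JIT ? "JIT" : "interpreter",
        computeMinimumSize(small).value);
    std::printf("(?:a{65536}){65536} -> %s\n",
        chooseBackend(nested) == Backend::JIT ? "JIT" : "interpreter");
    return 0;
}
```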
2151
2152 2014-05-15  Mark Hahnenberg  <mhahnenberg@apple.com>
2153
2154         JSDOMWindow should not claim HasImpureGetOwnPropertySlot
2155         https://bugs.webkit.org/show_bug.cgi?id=132918
2156
2157         Reviewed by Geoffrey Garen.
2158
2159         * jit/Repatch.cpp:
2160         (JSC::tryRepatchIn): We forgot to check for watchpoints when repatching "in".
2161
2162 2014-05-15  Alex Christensen  <achristensen@webkit.org>
2163
2164         Add pointer lock to features without enabling it.
2165         https://bugs.webkit.org/show_bug.cgi?id=132961
2166
2167         Reviewed by Sam Weinig.
2168
2169         * Configurations/FeatureDefines.xcconfig:
2170         Added ENABLE_POINTER_LOCK to list of features.
2171
2172 2014-05-14  Mark Hahnenberg  <mhahnenberg@apple.com>
2173
2174         Inline caching for proxies clobbers baseGPR too early
2175         https://bugs.webkit.org/show_bug.cgi?id=132916
2176
2177         Reviewed by Filip Pizlo.
2178
2179         We clobber baseGPR prior to the Structure checks, so if any of the checks fail then the slow path 
2180         gets the target of the proxy rather than the proxy itself. We need to delay the clobbering of baseGPR 
2181         until we know the inline cache is going to succeed.
2182
2183         * jit/Repatch.cpp:
2184         (JSC::generateByIdStub):
2185
2186 2014-05-14  Brent Fulgham  <bfulgham@apple.com>
2187
2188         [Win] Unreviewed build fix.
2189
2190         * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: This solution
2191         was missing commands to build LLInt portions of JSC.
2192         * llint/LLIntData.cpp: 64-bit build fix.
2193
2194 2014-05-14  Martin Hodovan  <mhodovan.u-szeged@partner.samsung.com>
2195
2196         ARM Traditional buildfix after r168776.
2197         https://bugs.webkit.org/show_bug.cgi?id=132903
2198
2199         Reviewed by Darin Adler.
2200
2201         * assembler/MacroAssemblerARM.h:
2202         (JSC::MacroAssemblerARM::abortWithReason): Added.
2203
2204 2014-05-14  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>
2205
2206         Remove CSS_STICKY_POSITION guards
2207         https://bugs.webkit.org/show_bug.cgi?id=132676
2208
2209         Reviewed by Simon Fraser.
2210
2211         * Configurations/FeatureDefines.xcconfig:
2212
2213 2014-05-13  Filip Pizlo  <fpizlo@apple.com>
2214
2215         JIT breakpoints should be more informative
2216         https://bugs.webkit.org/show_bug.cgi?id=132882
2217
2218         Reviewed by Oliver Hunt.
2219         
2220         Introduce the notion of an AbortReason, which is a nice enumeration of coded assertion
2221         failure names. This means that all you need to figure out why the JIT SIGTRAP'd is to look
2222         at that platform's abort reason register (r11 on X86-64 for example).
2223
2224         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2225         * JavaScriptCore.xcodeproj/project.pbxproj:
2226         * assembler/AbortReason.h: Added.
2227         * assembler/AbstractMacroAssembler.h:
2228         * assembler/MacroAssemblerARM64.h:
2229         (JSC::MacroAssemblerARM64::abortWithReason):
2230         * assembler/MacroAssemblerARMv7.h:
2231         (JSC::MacroAssemblerARMv7::abortWithReason):
2232         * assembler/MacroAssemblerX86.h:
2233         (JSC::MacroAssemblerX86::abortWithReason):
2234         * assembler/MacroAssemblerX86_64.h:
2235         (JSC::MacroAssemblerX86_64::abortWithReason):
2236         * dfg/DFGSlowPathGenerator.h:
2237         (JSC::DFG::SlowPathGenerator::generate):
2238         * dfg/DFGSpeculativeJIT.cpp:
2239         (JSC::DFG::SpeculativeJIT::bail):
2240         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2241         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2242         * dfg/DFGSpeculativeJIT.h:
2243         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
2244         * dfg/DFGSpeculativeJIT32_64.cpp:
2245         (JSC::DFG::SpeculativeJIT::compile):
2246         * dfg/DFGSpeculativeJIT64.cpp:
2247         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2248         (JSC::DFG::SpeculativeJIT::compile):
2249         * dfg/DFGThunks.cpp:
2250         (JSC::DFG::osrEntryThunkGenerator):
2251         * jit/AssemblyHelpers.cpp:
2252         (JSC::AssemblyHelpers::jitAssertIsInt32):
2253         (JSC::AssemblyHelpers::jitAssertIsJSInt32):
2254         (JSC::AssemblyHelpers::jitAssertIsJSNumber):
2255         (JSC::AssemblyHelpers::jitAssertIsJSDouble):
2256         (JSC::AssemblyHelpers::jitAssertIsCell):
2257         (JSC::AssemblyHelpers::jitAssertTagsInPlace):
2258         (JSC::AssemblyHelpers::jitAssertHasValidCallFrame):
2259         (JSC::AssemblyHelpers::jitAssertIsNull):
2260         (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
2261         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
2262         * jit/AssemblyHelpers.h:
2263         (JSC::AssemblyHelpers::checkStackPointerAlignment):
2264         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): Deleted.
2265         * jit/JIT.h:
2266         * jit/JITArithmetic.cpp:
2267         (JSC::JIT::emitSlow_op_div):
2268         * jit/JITOpcodes.cpp:
2269         (JSC::JIT::emitSlow_op_loop_hint):
2270         * jit/JITOpcodes32_64.cpp:
2271         (JSC::JIT::privateCompileCTINativeCall):
2272         * jit/JITPropertyAccess.cpp:
2273         (JSC::JIT::emit_op_get_by_val):
2274         (JSC::JIT::compileGetDirectOffset):
2275         (JSC::JIT::addStructureTransitionCheck): Deleted.
2276         (JSC::JIT::testPrototype): Deleted.
2277         * jit/JITPropertyAccess32_64.cpp:
2278         (JSC::JIT::emit_op_get_by_val):
2279         (JSC::JIT::compileGetDirectOffset):
2280         * jit/RegisterPreservationWrapperGenerator.cpp:
2281         (JSC::generateRegisterRestoration):
2282         * jit/Repatch.cpp:
2283         (JSC::addStructureTransitionCheck):
2284         (JSC::linkClosureCall):
2285         * jit/ThunkGenerators.cpp:
2286         (JSC::emitPointerValidation):
2287         (JSC::nativeForGenerator):
2288         * yarr/YarrJIT.cpp:
2289         (JSC::Yarr::YarrGenerator::generate):
2290
2291 2014-05-13  peavo@outlook.com  <peavo@outlook.com>
2292
2293         [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
2294         https://bugs.webkit.org/show_bug.cgi?id=132772
2295
2296         Reviewed by Geoffrey Garen.
2297
2298         Using the MSVC compiler, an instance of an enum type with value zero is compatible with void* (see bug 132683 for a code example).
2299         This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
2300         This patch tries to prevent these types of crashes by using a type with explicit constructors instead of void*.
2301         The void* parameter in the loadDouble and storeDouble methods is replaced with TrustedImmPtr.
2302
2303         * assembler/MacroAssemblerARM.h:
2304         (JSC::MacroAssemblerARM::loadDouble):
2305         (JSC::MacroAssemblerARM::storeDouble):
2306         * assembler/MacroAssemblerARM64.h:
2307         (JSC::MacroAssemblerARM64::loadDouble):
2308         (JSC::MacroAssemblerARM64::storeDouble):
2309         * assembler/MacroAssemblerARMv7.h:
2310         (JSC::MacroAssemblerARMv7::loadDouble):
2311         (JSC::MacroAssemblerARMv7::storeDouble):
2312         * assembler/MacroAssemblerMIPS.h:
2313         (JSC::MacroAssemblerMIPS::loadDouble):
2314         (JSC::MacroAssemblerMIPS::storeDouble):
2315         * assembler/MacroAssemblerSH4.h:
2316         (JSC::MacroAssemblerSH4::loadDouble):
2317         (JSC::MacroAssemblerSH4::storeDouble):
2318         * assembler/MacroAssemblerX86.h:
2319         (JSC::MacroAssemblerX86::storeDouble):
2320         * assembler/MacroAssemblerX86Common.h:
2321         (JSC::MacroAssemblerX86Common::absDouble):
2322         (JSC::MacroAssemblerX86Common::negateDouble):
2323         (JSC::MacroAssemblerX86Common::loadDouble):
2324         * dfg/DFGSpeculativeJIT.cpp:
2325         (JSC::DFG::SpeculativeJIT::silentFill):
2326         (JSC::DFG::compileClampDoubleToByte):
2327         * dfg/DFGSpeculativeJIT32_64.cpp:
2328         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2329         (JSC::DFG::SpeculativeJIT::compile):
2330         * jit/AssemblyHelpers.cpp:
2331         (JSC::AssemblyHelpers::purifyNaN):
2332         * jit/JITInlines.h:
2333         (JSC::JIT::emitLoadDouble):
2334         * jit/JITPropertyAccess.cpp:
2335         (JSC::JIT::emitFloatTypedArrayGetByVal):
2336         * jit/ThunkGenerators.cpp:
2337         (JSC::floorThunkGenerator):
2338         (JSC::roundThunkGenerator):
2339         (JSC::powThunkGenerator):
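
A constructed C++ model of the interface change described in the entry above, added here as an example and not JavaScriptCore's own code: it assumes a simplified Asm type with two storeDouble overloads and a TrustedImmPtr-style wrapper with an explicit constructor, and uses a compile-time probe to show that the hardened overload set no longer accepts anything that is merely pointer-convertible. Because conforming compilers do not treat a zero-valued enumerator as a null pointer constant the way MSVC did, std::nullptr_t stands in for that value in the probe.

```cpp
#include <cstddef>
#include <iostream>
#include <type_traits>
#include <utility>

// Constructed, simplified model of the macro-assembler interface this entry
// changes (example code, not JavaScriptCore's own). Names are illustrative.
enum RegisterID { eax = 0, ecx, edx };      // regT0 maps to eax, i.e. value 0
enum FPRegisterID { xmm0 = 0, xmm1 };

enum class StorePath { Register, Pointer };

namespace before {
// The address form takes a raw const void*. MSVC treated a zero-valued
// enumerator as a null pointer constant, so storeDouble(src, regT0) could
// bind to this overload and emit a store to address 0.
struct Asm {
    StorePath storeDouble(FPRegisterID, RegisterID) { return StorePath::Register; }
    StorePath storeDouble(FPRegisterID, const void*) { return StorePath::Pointer; }
};
}

namespace after {
// Wrapper with an explicit constructor: no implicit conversion reaches it, so
// a caller must spell out TrustedImmPtr(addr) to select the pointer overload.
struct TrustedImmPtr {
    explicit TrustedImmPtr(const void* p) : value(p) {}
    const void* value;
};
struct Asm {
    StorePath storeDouble(FPRegisterID, RegisterID) { return StorePath::Register; }
    StorePath storeDouble(FPRegisterID, TrustedImmPtr) { return StorePath::Pointer; }
};
}

// Compile-time probe: is Assembler::storeDouble(xmm0, Arg) well-formed?
template <class Assembler, class Arg, class = void>
struct AcceptsStore : std::false_type {};
template <class Assembler, class Arg>
struct AcceptsStore<Assembler, Arg,
    decltype(std::declval<Assembler&>().storeDouble(xmm0, std::declval<Arg>()), void())>
    : std::true_type {};

// std::nullptr_t stands in for "a value that merely converts to a pointer",
// which is what a zero-valued enum became under MSVC; conforming compilers do
// not convert the enum itself, so the probe uses nullptr_t to stay portable.
constexpr bool beforeAcceptsPointerConvertible() { return AcceptsStore<before::Asm, std::nullptr_t>::value; }
constexpr bool afterAcceptsPointerConvertible()  { return AcceptsStore<after::Asm,  std::nullptr_t>::value; }
constexpr bool afterAcceptsRegister()            { return AcceptsStore<after::Asm,  RegisterID>::value; }
constexpr bool afterAcceptsTrustedImmPtr()       { return AcceptsStore<after::Asm,  after::TrustedImmPtr>::value; }

// Runtime dispatch through the hardened interface: the register form and the
// deliberately constructed immediate-pointer form cannot be confused.
StorePath storeToRegister(after::Asm& a) { return a.storeDouble(xmm0, eax); }
StorePath storeToAddress(after::Asm& a, const void* addr) {
    return a.storeDouble(xmm0, after::TrustedImmPtr(addr));
}

int main() {
    static_assert(beforeAcceptsPointerConvertible(), "old API silently accepts a pointer-convertible value");
    static_assert(!afterAcceptsPointerConvertible(), "hardened API rejects it at compile time");
    after::Asm a;
    double slot = 0.0;   // constructed stand-in for a real store target
    std::cout << (storeToRegister(a) == StorePath::Register ? "register" : "?") << ' '
              << (storeToAddress(a, &slot) == StorePath::Pointer ? "pointer" : "?") << '\n';
    return 0;
}
```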
2340
2341 2014-05-12  Commit Queue  <commit-queue@webkit.org>
2342
2343         Unreviewed, rolling out r168642.
2344         https://bugs.webkit.org/show_bug.cgi?id=132839
2345
2346         Broke ARM build (Requested by jpfau on #webkit).
2347
2348         Reverted changeset:
2349
2350         "[Win] Enum type with value zero is compatible with void*,
2351         potential cause of crashes."
2352         https://bugs.webkit.org/show_bug.cgi?id=132772
2353         http://trac.webkit.org/changeset/168642
2354
2355 2014-05-12  peavo@outlook.com  <peavo@outlook.com>
2356
2357         [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
2358         https://bugs.webkit.org/show_bug.cgi?id=132772
2359
2360         Reviewed by Geoffrey Garen.
2361
2362         Using the MSVC compiler, an instance of an enum type with value zero is compatible with void* (see bug 132683 for a code example).
2363         This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
2364         This patch tries to prevent these types of crashes by using a type with explicit constructors instead of void*.
2365         The void* parameter in the loadDouble and storeDouble methods is replaced with TrustedImmPtr.
2366
2367         * assembler/MacroAssemblerARM.h:
2368         (JSC::MacroAssemblerARM::loadDouble):
2369         (JSC::MacroAssemblerARM::storeDouble):
2370         * assembler/MacroAssemblerARM64.h:
2371         (JSC::MacroAssemblerARM64::loadDouble):
2372         (JSC::MacroAssemblerARM64::storeDouble):
2373         * assembler/MacroAssemblerARMv7.h:
2374         (JSC::MacroAssemblerARMv7::loadDouble):
2375         (JSC::MacroAssemblerARMv7::storeDouble):
2376         * assembler/MacroAssemblerMIPS.h:
2377         (JSC::MacroAssemblerMIPS::loadDouble):
2378         (JSC::MacroAssemblerMIPS::storeDouble):
2379         * assembler/MacroAssemblerSH4.h:
2380         (JSC::MacroAssemblerSH4::loadDouble):
2381         (JSC::MacroAssemblerSH4::storeDouble):
2382         * assembler/MacroAssemblerX86.h:
2383         (JSC::MacroAssemblerX86::storeDouble):
2384         * assembler/MacroAssemblerX86Common.h:
2385         (JSC::MacroAssemblerX86Common::absDouble):
2386         (JSC::MacroAssemblerX86Common::negateDouble):
2387         (JSC::MacroAssemblerX86Common::loadDouble):
2388         * dfg/DFGSpeculativeJIT.cpp:
2389         (JSC::DFG::SpeculativeJIT::silentFill):
2390         (JSC::DFG::compileClampDoubleToByte):
2391         * dfg/DFGSpeculativeJIT32_64.cpp:
2392         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2393         (JSC::DFG::SpeculativeJIT::compile):
2394         * jit/AssemblyHelpers.cpp:
2395         (JSC::AssemblyHelpers::purifyNaN):
2396         * jit/JITInlines.h:
2397         (JSC::JIT::emitLoadDouble):
2398         * jit/JITPropertyAccess.cpp:
2399         (JSC::JIT::emitFloatTypedArrayGetByVal):
2400         * jit/ThunkGenerators.cpp:
2401         (JSC::floorThunkGenerator):
2402         (JSC::roundThunkGenerator):
2403         (JSC::powThunkGenerator):
2404
2405 2014-05-12  Andreas Kling  <akling@apple.com>
2406
2407         0.4% of PLT3 in JSCell::structure() below JSObject::visitChildren().
2408         <https://webkit.org/b/132828>
2409         <rdar://problem/16886285>
2410
2411         Reviewed by Michael Saboff.
2412
2413         * runtime/JSObject.cpp:
2414         (JSC::JSObject::visitButterfly):
2415         (JSC::JSObject::visitChildren):
2416
2417             Use JSCell::structure(VM&) to reduce the number of hoops we jump
2418             through to find Structures during marking.
2419
2420 2014-05-12  László Langó  <llango.u-szeged@partner.samsung.com>
2421
2422         [cmake] Add missing FTL source files to the build system.
2423
2424         Reviewed by Csaba Osztrogonác.
2425
2426         * CMakeLists.txt:
2427
2428 2014-05-09  Joseph Pecoraro  <pecoraro@apple.com>
2429
2430         Web Inspector: Allow Remote Inspector to entitlement check UIProcess through WebProcess
2431         https://bugs.webkit.org/show_bug.cgi?id=132409
2432
2433         Reviewed by Timothy Hatcher.
2434
2435         Proxy applications are applications which hold WebViews for other
2436         applications. The WebProcess (Web Content Service) is a proxy application.
2437         For legacy reasons we were supporting a scenario where proxy applications
2438         could potentially host WebViews for more than one other application. That
2439         was never the case for WebProcess and it is now a scenario we don't need
2440         to worry about supporting.
2441
2442         With this change, a proxy application more naturally only holds WebViews
2443         for a single parent / host application. The proxy process can set the
2444         parent pid / audit_token data on the RemoteInspector singleton, and
2445         that data will be sent on to webinspectord later on to be validated.
2446         In the WebProcess<->UIProcess relationship that information is known
2447         and set immediately. In the Legacy iOS case that information is set
2448         soon after, but not immediately known at the point the WebView is created.
2449
2450         This allows us to simplify the RemoteInspectorDebuggable interface.
2451         We no longer need a pid per-Debuggable.
2452
2453         * inspector/remote/RemoteInspector.h:
2454         * inspector/remote/RemoteInspector.mm:
2455         (Inspector::RemoteInspector::RemoteInspector):
2456         (Inspector::RemoteInspector::setParentProcessInformation):
2457         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
2458         (Inspector::RemoteInspector::listingForDebuggable):
2459         (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
2460         Handle new proxy application setup message, and provide an API
2461         for a proxy application to set the parent process information.
2462
2463         * inspector/remote/RemoteInspectorConstants.h:
2464         New setup and response message for proxy applications to pass
2465         their parent / host application information to webinspectord.
2466
2467         * inspector/remote/RemoteInspectorDebuggable.cpp:
2468         (Inspector::RemoteInspectorDebuggable::info):
2469         * inspector/remote/RemoteInspectorDebuggable.h:
2470         (Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo):
2471         (Inspector::RemoteInspectorDebuggableInfo::hasParentProcess): Deleted.
2472         pid per debuggable is no longer needed.
2473
2474 2014-05-09  Mark Hahnenberg  <mhahnenberg@apple.com>
2475
2476         JSDOMWindow should disable property caching after a certain point
2477         https://bugs.webkit.org/show_bug.cgi?id=132751
2478
2479         Reviewed by Filip Pizlo.
2480
2481         This is part of removing HasImpureGetOwnPropertySlot from JSDOMWindow. After the lookup in the static 
2482         hash table for JSDOMWindow fails we want to disable property caching even if the code that follows thinks 
2483         that it has provided a cacheable value.
2484
2485         * runtime/PropertySlot.h:
2486         (JSC::PropertySlot::PropertySlot):
2487         (JSC::PropertySlot::isCacheable):
2488         (JSC::PropertySlot::disableCaching):
2489
2490 2014-05-09  Andreas Kling  <akling@apple.com>
2491
2492         8.8% spent in Object.prototype.hasOwnProperty() on sbperftest.
2493         <https://webkit.org/b/132749>
2494
2495         Leverage the fast-resolve-to-AtomicString optimization for JSRopeString
2496         in Object.prototype.* by using JSString::toIdentifier() in the cases where
2497         we are converting JSString -> String -> Identifier.
2498
2499         This brings time spent in hasOwnProperty() from 8.8% to 1.3% on
2500         "The Great HTML5 Gaming Performance Test: 2014 edition"
2501         <http://www.scirra.com/demos/c2/sbperftest/>
2502
2503         Reviewed by Oliver Hunt.
2504
2505         * runtime/ObjectPrototype.cpp:
2506         (JSC::objectProtoFuncHasOwnProperty):
2507         (JSC::objectProtoFuncDefineGetter):
2508         (JSC::objectProtoFuncDefineSetter):
2509         (JSC::objectProtoFuncLookupGetter):
2510         (JSC::objectProtoFuncLookupSetter):
2511
2512 2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>
2513
2514         JSDOMWindow should have a WatchpointSet to fire on window close
2515         https://bugs.webkit.org/show_bug.cgi?id=132721
2516
2517         Reviewed by Filip Pizlo.
2518
2519         This patch allows us to reset the inline caches that assumed they could skip 
2520         the first part of JSDOMWindow::getOwnPropertySlot that checks if the window has 
2521         been closed. This is part of getting rid of HasImpureGetOwnPropertySlot on JSDOMWindow.
2522
2523         PropertySlot now accepts a WatchpointSet which the inline cache code can look for
2524         to see if it should create a new Watchpoint for that particular inline cache site.
2525
2526         * bytecode/Watchpoint.h:
2527         * jit/Repatch.cpp:
2528         (JSC::generateByIdStub):
2529         (JSC::tryBuildGetByIDList):
2530         (JSC::tryCachePutByID):
2531         (JSC::tryBuildPutByIdList):
2532         * runtime/PropertySlot.h:
2533         (JSC::PropertySlot::PropertySlot):
2534         (JSC::PropertySlot::watchpointSet):
2535         (JSC::PropertySlot::setWatchpointSet):
2536
2537 2014-05-09  Tanay C  <tanay.c@samsung.com>
2538
2539         Fix build warning (uninitialized variable) in DFGFixupPhase.cpp 
2540         https://bugs.webkit.org/show_bug.cgi?id=132331
2541
2542         Reviewed by Darin Adler.
2543
2544         * dfg/DFGFixupPhase.cpp:
2545         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2546
2547 2014-05-09  peavo@outlook.com  <peavo@outlook.com>
2548
2549         [Win] Crash when enabling DFG JIT.
2550         https://bugs.webkit.org/show_bug.cgi?id=132683
2551
2552         Reviewed by Geoffrey Garen.
2553
2554         On Windows, using register GPRInfo::regT0 as a parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0)
2555         results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
2556         where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
2557         This causes the register to be written to address 0, hence the crash.
2558
2559         * dfg/DFGOSRExitCompiler32_64.cpp:
2560         (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
2561         * dfg/DFGOSRExitCompiler64.cpp:
2562         (JSC::DFG::OSRExitCompiler::compileExit): Ditto.
2563
2564 2014-05-09  Martin Hodovan  <mhodovan.u-szeged@partner.samsung.com>
2565
2566         REGRESSION(r167094): JSC crashes on ARM Traditional
2567         https://bugs.webkit.org/show_bug.cgi?id=132738
2568
2569         Reviewed by Zoltan Herczeg.
2570
2571         PC is two instructions ahead of the current instruction
2572         on ARM Traditional, so the distance is 8 bytes not 2.
2573
2574         * llint/LowLevelInterpreter.asm:
2575
2576 2014-05-09  Alberto Garcia  <berto@igalia.com>
2577
2578         jsmin.py license header confusing, mentions non-free license
2579         https://bugs.webkit.org/show_bug.cgi?id=123665
2580
2581         Reviewed by Darin Adler.
2582
2583         Pull the most recent version from upstream, which has a clear
2584         license.
2585
2586         * inspector/scripts/jsmin.py:
2587
2588 2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>
2589
2590         Base case for get-by-id inline cache doesn't check for HasImpureGetOwnPropertySlot
2591         https://bugs.webkit.org/show_bug.cgi?id=132695
2592
2593         Reviewed by Filip Pizlo.
2594
2595         We check in the case where we're accessing something other than the base object (e.g. the prototype), 
2596         but we fail to do so for the base object.
2597
2598         * jit/Repatch.cpp:
2599         (JSC::tryCacheGetByID):
2600         (JSC::tryBuildGetByIDList):
2601         * jsc.cpp: Added some infrastructure to support this test. We don't currently trigger this bug anywhere in WebKit
2602         because all of the values that are returned that could be impure are set to uncacheable anyways.
2603         (WTF::ImpureGetter::ImpureGetter):
2604         (WTF::ImpureGetter::createStructure):
2605         (WTF::ImpureGetter::create):
2606         (WTF::ImpureGetter::finishCreation):
2607         (WTF::ImpureGetter::getOwnPropertySlot):
2608         (WTF::ImpureGetter::visitChildren):
2609         (WTF::ImpureGetter::setDelegate):
2610         (GlobalObject::finishCreation):
2611         (functionCreateImpureGetter):
2612         (functionSetImpureGetterDelegate):
2613         * tests/stress/impure-get-own-property-slot-inline-cache.js: Added.
2614         (foo):
2615
2616 2014-05-08  Filip Pizlo  <fpizlo@apple.com>
2617
2618         deleteAllCompiledCode() shouldn't use the suspension worklist
2619         https://bugs.webkit.org/show_bug.cgi?id=132708
2620
2621         Reviewed by Mark Hahnenberg.
2622
2623         * bytecode/CodeBlock.cpp:
2624         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
2625         * dfg/DFGPlan.cpp:
2626         (JSC::DFG::Plan::isStillValid):
2627         * heap/Heap.cpp:
2628         (JSC::Heap::deleteAllCompiledCode):
2629
2630 2014-05-08  Filip Pizlo  <fpizlo@apple.com>
2631
2632         SSA conversion should delete PhantomLocals for captured variables
2633         https://bugs.webkit.org/show_bug.cgi?id=132693
2634
2635         Reviewed by Mark Hahnenberg.
2636
2637         * dfg/DFGCommon.cpp:
2638         (JSC::DFG::startCrashing): Parallel JIT and a JIT bug means that we may dump IR in parallel. This is the workaround. This patch uses it in all of the places where we dump IR and crash.
2639         * dfg/DFGCommon.h:
2640         * dfg/DFGFixupPhase.cpp:
2641         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): Use the workaround.
2642         * dfg/DFGLivenessAnalysisPhase.cpp:
2643         (JSC::DFG::LivenessAnalysisPhase::run): Use the workaround.
2644         * dfg/DFGSSAConversionPhase.cpp:
2645         (JSC::DFG::SSAConversionPhase::run): Fix the bug - it's true that PhantomLocal for captured variables doesn't need anything done to it, but it's wrong that we didn't delete it outright.
2646         * dfg/DFGValidate.cpp: Use the workaround.
2647         * tests/stress/phantom-local-captured-but-not-flushed-to-ssa.js: Added.
2648         (foo):
2649         (bar):
2650
2651 2014-05-07  Commit Queue  <commit-queue@webkit.org>
2652
2653         Unreviewed, rolling out r168451.
2654         https://bugs.webkit.org/show_bug.cgi?id=132670
2655
2656         Not a speed-up, just do what other compilers do. (Requested by
2657         kling on #webkit).
2658
2659         Reverted changeset:
2660
2661         "[X86] Emit BT instruction for single-bit tests."
2662         https://bugs.webkit.org/show_bug.cgi?id=132650
2663         http://trac.webkit.org/changeset/168451
2664
2665 2014-05-07  Filip Pizlo  <fpizlo@apple.com>
2666
2667         Make Executable::clearCode() actually clear all of the entrypoints, and
2668         clean up some other FTL-related calling convention stuff.
2669         <rdar://problem/16720172>
2670
2671         Rubber stamped by Mark Hahnenberg.
2672
2673         * dfg/DFGOperations.cpp:
2674         * dfg/DFGOperations.h:
2675         * dfg/DFGWorklist.cpp:
2676         (JSC::DFG::Worklist::Worklist):
2677         (JSC::DFG::Worklist::finishCreation):
2678         (JSC::DFG::Worklist::create):
2679         (JSC::DFG::ensureGlobalDFGWorklist):
2680         (JSC::DFG::ensureGlobalFTLWorklist):
2681         * dfg/DFGWorklist.h:
2682         * heap/CodeBlockSet.cpp:
2683         (JSC::CodeBlockSet::dump):
2684         * heap/CodeBlockSet.h:
2685         * runtime/Executable.cpp:
2686         (JSC::ExecutableBase::clearCode):
2687
2688 2014-05-07  Andreas Kling  <akling@apple.com>
2689
2690         [X86] Emit BT instruction for single-bit tests.
2691         <https://webkit.org/b/132650>
2692
2693         Implement test-bit-and-branch slightly more efficiently by using
2694         BT + JC/JNC instead of TEST + JZ/JNZ when we're only testing for
2695         a single bit.
2696
2697         Reviewed by Michael Saboff.
2698
2699         * assembler/MacroAssemblerX86Common.h:
2700         (JSC::MacroAssemblerX86Common::singleBitIndex):
2701         (JSC::MacroAssemblerX86Common::branchTest32):
2702         * assembler/X86Assembler.h:
2703         (JSC::X86Assembler::bt_i8r):
2704         (JSC::X86Assembler::bt_i8m):
2705
2706 2014-05-07  Mark Lam  <mark.lam@apple.com>
2707
2708         REGRESSION(r166678): Dromaeo/cssquery-dojo.html crashes regularly.
2709         <https://webkit.org/b/131356>
2710
2711         Reviewed by Geoffrey Garen.
2712
2713         The issue is that GC needs to be made aware of writes to m_inferredValue
2714         in the VariableWatchpointSet, but was not.  As a result, if a JSCell*
2715         is written to a VariableWatchpointSet m_inferredValue, and that JSCell
2716         does not survive an eden GC shortly after, we will end up with a stale
2717         JSCell pointer left in the m_inferredValue.
2718
2719         This issue can be detected more easily by running Dromaeo/cssquery-dojo.html
2720         using DumpRenderTree with the VM heap in zombie mode.
2721
2722         The fix is to change VariableWatchpointSet m_inferredValue to type
2723         WriteBarrier<Unknown> and ensure that VariableWatchpointSet::notifyWrite()
2724         is executed by all the execution engines so that the WriteBarrier semantics
2725         are honored.
2726
2727         We still check if the value to be written is the same as the one in the
2728         inferredValue.  We'll by-pass calling the slow path notifyWrite() if the
2729         values are the same.        
2730
2731         * JavaScriptCore.xcodeproj/project.pbxproj:
2732         * bytecode/CodeBlock.cpp:
2733         (JSC::CodeBlock::CodeBlock):
2734         - need to pass the symbolTable to prepareToWatch() because it will be needed
2735           for instantiating the VariableWatchpointSet in prepareToWatch().
2736
2737         * bytecode/VariableWatchpointSet.h:
2738         (JSC::VariableWatchpointSet::VariableWatchpointSet):
2739         - VariableWatchpointSet now tracks its owner symbol table for its m_inferredValue
2740           write barrier, and yes, m_inferredValue is now of type WriteBarrier<Unknown>.
2741         (JSC::VariableWatchpointSet::inferredValue):
2742         (JSC::VariableWatchpointSet::invalidate):
2743         (JSC::VariableWatchpointSet::finalizeUnconditionally):
2744         (JSC::VariableWatchpointSet::addressOfInferredValue):
2745         (JSC::VariableWatchpointSet::notifyWrite): Deleted.
2746         * bytecode/VariableWatchpointSetInlines.h: Added.
2747         (JSC::VariableWatchpointSet::notifyWrite):
2748
2749         * dfg/DFGByteCodeParser.cpp:
2750         (JSC::DFG::ByteCodeParser::cellConstant):
2751         - Added an assert in case we try to make constants of zombified JSCells again.
2752
2753         * dfg/DFGOperations.cpp:
2754         * dfg/DFGOperations.h:
2755         * dfg/DFGSpeculativeJIT.h:
2756         (JSC::DFG::SpeculativeJIT::callOperation):
2757         * dfg/DFGSpeculativeJIT32_64.cpp:
2758         (JSC::DFG::SpeculativeJIT::compile):
2759         * dfg/DFGSpeculativeJIT64.cpp:
2760         (JSC::DFG::SpeculativeJIT::compile):
2761         - We now let the slow path handle the cases when the VariableWatchpointSet is
2762           in state ClearWatchpoint and IsWatched, and the slow path will ensure that
2763           we handle the needed write barrier semantics correctly.
2764           We will by-pass the slow path if the value being written is the same as the
2765           inferred value.
2766
2767         * ftl/FTLIntrinsicRepository.h:
2768         * ftl/FTLLowerDFGToLLVM.cpp:
2769         (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
2770         - Let the slow path handle the cases when the VariableWatchpointSet is
2771           in state ClearWatchpoint and IsWatched.
2772           We will by-pass the slow path if the value being written is the same as the
2773           inferred value.
2774
2775         * heap/Heap.cpp:
2776         (JSC::Zombify::operator()):
2777         - Use a different value for the zombified bits (to distinguish it from 0xbbadbeef
2778           which is used everywhere else).
2779         * heap/Heap.h:
2780         (JSC::Heap::isZombified):
2781         - Provide a convenience test function to check if JSCells are zombified.  This is
2782           currently only used in an assertion in the DFG bytecode parser, but the intent
2783           is that we'll apply this test in other strategic places later to help with early
2784           detection of usage of GC'ed objects when we run in zombie mode.
2785
2786         * jit/JITOpcodes.cpp:
2787         (JSC::JIT::emitSlow_op_captured_mov):
2788         * jit/JITOperations.h:
2789         * jit/JITPropertyAccess.cpp:
2790         (JSC::JIT::emitNotifyWrite):
2791         * jit/JITPropertyAccess32_64.cpp:
2792         (JSC::JIT::emitNotifyWrite):
2793         (JSC::JIT::emitSlow_op_put_to_scope):
2794         - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
2795           is in state ClearWatchpoint and IsWatched.
2796           We will by-pass the slow path if the value being written is the same as the
2797           inferred value.
2798         
2799         * llint/LowLevelInterpreter32_64.asm:
2800         * llint/LowLevelInterpreter64.asm:
2801         - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
2802           is in state ClearWatchpoint and IsWatched.
2803           We will by-pass the slow path if the value being written is the same as the
2804           inferred value.
2805         
2806         * runtime/CommonSlowPaths.cpp:
2807
2808         * runtime/JSCJSValue.h: Fixed some typos in the comments.
2809         * runtime/JSGlobalObject.cpp:
2810         (JSC::JSGlobalObject::addGlobalVar):
2811         (JSC::JSGlobalObject::addFunction):
2812         * runtime/JSSymbolTableObject.h:
2813         (JSC::symbolTablePut):
2814         (JSC::symbolTablePutWithAttributes):
2815         * runtime/SymbolTable.cpp:
2816         (JSC::SymbolTableEntry::prepareToWatch):
2817         (JSC::SymbolTableEntry::notifyWriteSlow):
2818         * runtime/SymbolTable.h:
2819         (JSC::SymbolTableEntry::notifyWrite):
2820
2821 2014-05-06  Michael Saboff  <msaboff@apple.com>
2822
2823         Unreviewed build fix for C-LOOP after r168396.
2824
2825         * runtime/TestRunnerUtils.cpp:
2826         (JSC::optimizeNextInvocation): Wrapped actual call inside #if ENABLE(JIT)
2827
2828 2014-05-06  Michael Saboff  <msaboff@apple.com>
2829
2830         Add test for deleteAllCompiledCode
2831         https://bugs.webkit.org/show_bug.cgi?id=132632
2832
2833         Reviewed by Phil Pizlo.
2834
2835         Added two new hooks to jsc, one to call Heap::deleteAllCompiledCode() and
2836         the other to call CodeBlock::optimizeNextInvocation().  Used these two hooks
2837         to write a test that will queue up loads of DFG compiles and then call
2838         Heap::deleteAllCompiledCode() to make sure that it can handle compiled
2839         code as well as code being compiled.
2840
2841         * jsc.cpp:
2842         (GlobalObject::finishCreation):
2843         (functionDeleteAllCompiledCode):
2844         (functionOptimizeNextInvocation):
2845         * runtime/TestRunnerUtils.cpp:
2846         (JSC::optimizeNextInvocation):
2847         * runtime/TestRunnerUtils.h:
2848         * tests/stress/deleteAllCompiledCode.js: Added.
2849         (functionList):
2850         (runTest):
2851
2852 2014-05-06  Andreas Kling  <akling@apple.com>
2853
2854         JSString::toAtomicString() should return AtomicString.
2855         <https://webkit.org/b/132627>
2856
2857         Remove premature optimization where I was trying to avoid refcount
2858         churn when returning an already atomicized String.
2859
2860         Instead of using reinterpret_cast to mangle the String member into
2861         a const AtomicString& return value, just return AtomicString.
2862
2863         Reviewed by Geoff Garen.
2864
2865         * runtime/JSString.h:
2866         (JSC::JSString::toAtomicString):
2867
2868 2014-05-06  Mark Hahnenberg  <mhahnenberg@apple.com>
2869
2870         Roll out r167889
2871
2872         Rubber stamped by Geoff Garen.
2873
2874         It broke some websites.
2875
2876         * runtime/JSPropertyNameIterator.cpp:
2877         (JSC::JSPropertyNameIterator::create):
2878         * runtime/PropertyMapHashTable.h:
2879         (JSC::PropertyTable::hasDeletedOffset):
2880         (JSC::PropertyTable::hadDeletedOffset): Deleted.
2881         * runtime/Structure.cpp:
2882         (JSC::Structure::Structure):
2883         (JSC::Structure::materializePropertyMap):
2884         (JSC::Structure::removePropertyTransition):
2885         (JSC::Structure::changePrototypeTransition):
2886         (JSC::Structure::despecifyFunctionTransition):
2887         (JSC::Structure::attributeChangeTransition):
2888         (JSC::Structure::toDictionaryTransition):
2889         (JSC::Structure::preventExtensionsTransition):
2890         (JSC::Structure::addPropertyWithoutTransition):
2891         (JSC::Structure::removePropertyWithoutTransition):
2892         (JSC::Structure::pin):
2893         (JSC::Structure::pinAndPreventTransitions): Deleted.
2894         * runtime/Structure.h:
2895         * runtime/StructureInlines.h:
2896         (JSC::Structure::setEnumerationCache):
2897         (JSC::Structure::propertyTable):
2898         (JSC::Structure::checkOffsetConsistency):
2899         (JSC::Structure::hadDeletedOffsets): Deleted.
2900         * tests/stress/for-in-after-delete.js:
2901         (foo): Deleted.
2902
2903 2014-05-05  Andreas Kling  <akling@apple.com>
2904
2905         Fix debug build.
2906
2907         * runtime/JSCellInlines.h:
2908         (JSC::JSCell::fastGetOwnProperty):
2909
2910 2014-05-05  Andreas Kling  <akling@apple.com>
2911
2912         Optimize GetByVal when subscript is a rope string.
2913         <https://webkit.org/b/132590>
2914
2915         Use JSString::toIdentifier() in the various GetByVal implementations
2916         to try and avoid allocating extra strings.
2917
2918         Added canUseFastGetOwnProperty() and wrap calls to fastGetOwnProperty()
2919         in that, to avoid calling JSString::value() which always resolves ropes
2920         into new strings and de-optimizes subsequent toIdentifier() calls.
2921
2922         My iMac says ~9% progression on Dromaeo/dom-attr.html
2923
2924         Reviewed by Phil Pizlo.
2925
2926         * dfg/DFGOperations.cpp:
2927         * jit/JITOperations.cpp:
2928         (JSC::getByVal):
2929         * llint/LLIntSlowPaths.cpp:
2930         (JSC::LLInt::getByVal):
2931         * runtime/JSCell.h:
2932         * runtime/JSCellInlines.h:
2933         (JSC::JSCell::fastGetOwnProperty):
2934         (JSC::JSCell::canUseFastGetOwnProperty):
2935
2936 2014-05-05  Andreas Kling  <akling@apple.com>
2937
2938         REGRESSION (r168256): ASSERTION FAILED: (buffer + m_length) == position loading vanityfair.com article.
2939         <https://webkit.org/b/168256>
2940         <rdar://problem/16816316>
2941
2942         Make resolveRopeSlowCase8() behave like its 16-bit counterpart and not
2943         clear the fibers. The caller takes care of this.
2944
2945         Test: fast/dom/getElementById-with-rope-string-arg.html
2946
2947         Reviewed by Geoffrey Garen.
2948
2949         * runtime/JSString.cpp:
2950         (JSC::JSRopeString::resolveRopeSlowCase8):
2951
2952 2014-05-05  Michael Saboff  <msaboff@apple.com>
2953
2954         REGRESSION: RELEASE_ASSERT in CodeBlock::baselineVersion @ cnn.com
2955         https://bugs.webkit.org/show_bug.cgi?id=132581
2956
2957         Reviewed by Filip Pizlo.
2958
2959         * dfg/DFGPlan.cpp:
2960         (JSC::DFG::Plan::isStillValid): Check that the alternative codeBlock we
2961         started compiling for is still the same at the end of compilation.
2962         Also did some minor restructuring.
2963
2964 2014-05-05  Andreas Kling  <akling@apple.com>
2965
2966         Optimize PutByVal when subscript is a rope string.
2967         <https://webkit.org/b/132572>
2968
2969         Add a JSString::toIdentifier() that is smarter when the JSString is
2970         really a rope string. Use this in baseline & DFG's PutByVal to avoid
2971         allocating new StringImpls that we immediately deduplicate anyway.
2972
2973         Reviewed by Antti Koivisto.
2974
2975         * dfg/DFGOperations.cpp:
2976         (JSC::DFG::operationPutByValInternal):
2977         * jit/JITOperations.cpp:
2978         * runtime/JSString.h:
2979         (JSC::JSString::toIdentifier):
2980
2981 2014-05-05  Andreas Kling  <akling@apple.com>
2982
2983         Remove two now-incorrect assertions after r168256.
2984
2985         * runtime/JSString.cpp:
2986         (JSC::JSRopeString::resolveRopeSlowCase8):
2987         (JSC::JSRopeString::resolveRopeSlowCase):
2988
2989 2014-05-04  Andreas Kling  <akling@apple.com>
2990
2991         Optimize JSRopeString for resolving directly to AtomicString.
2992         <https://webkit.org/b/132548>
2993
2994         If we know that the JSRopeString we are resolving is going to be used
2995         as an AtomicString, we can try to avoid creating a new string.
2996
2997         We do this by first resolving the rope into a stack buffer, and using
2998         that buffer as a key into the AtomicString table. If there is already
2999         an AtomicString with the same characters, we reuse that instead of
3000         constructing a new StringImpl.
3001
3002         JSString gains these two public functions:
3003
3004         - AtomicString toAtomicString()
3005
3006             Returns an AtomicString, tries to avoid allocating a new string
3007             if possible.
3008
3009         - AtomicStringImpl* toExistingAtomicString()
3010
3011             Returns a non-null AtomicStringImpl* if one already exists in the
3012             AtomicString table. If none is found, the rope is left unresolved.
3013
3014         Reviewed by Filip Pizlo.
3015
3016         * runtime/JSString.cpp:
3017         (JSC::JSRopeString::resolveRopeInternal8):
3018         (JSC::JSRopeString::resolveRopeInternal16):
3019         (JSC::JSRopeString::resolveRopeToAtomicString):
3020         (JSC::JSRopeString::clearFibers):
3021         (JSC::JSRopeString::resolveRopeToExistingAtomicString):
3022         (JSC::JSRopeString::resolveRope):
3023         (JSC::JSRopeString::outOfMemory):
3024         * runtime/JSString.h:
3025         (JSC::JSString::toAtomicString):
3026         (JSC::JSString::toExistingAtomicString):
3027
3028 2014-05-04  Andreas Kling  <akling@apple.com>
3029
3030         Unreviewed, rolling out r168254.
3031
3032         Very crashy on debug JSC tests.
3033
3034         Reverted changeset:
3035
3036         "jsSubstring() should be lazy"
3037         https://bugs.webkit.org/show_bug.cgi?id=132556
3038         http://trac.webkit.org/changeset/168254
3039
3040 2014-05-04  Filip Pizlo  <fpizlo@apple.com>
3041
3042         jsSubstring() should be lazy
3043         https://bugs.webkit.org/show_bug.cgi?id=132556
3044
3045         Reviewed by Andreas Kling.
3046         
3047         jsSubstring() is now lazy by using a special rope that is a substring instead of a
3048         concatenation. To make this patch super simple, we require that a substring's base is
3049         never a rope. Hence, when resolving a rope, we either go down a non-recursive substring
3050         path, or we go down a concatenation path which may see exactly one level of substrings in
3051         its fibers.
3052         
3053         This is up to a 50% speed-up on microbenchmarks and a 10% speed-up on Octane/regexp.
3054
3055         * heap/MarkedBlock.cpp:
3056         (JSC::MarkedBlock::specializedSweep):
3057         * runtime/JSString.cpp:
3058         (JSC::JSRopeString::visitFibers):
3059         (JSC::JSRopeString::resolveRope):
3060         (JSC::JSRopeString::resolveRopeSlowCase8):
3061         (JSC::JSRopeString::resolveRopeSlowCase):
3062         (JSC::JSRopeString::outOfMemory):
3063         * runtime/JSString.h:
3064         (JSC::JSRopeString::finishCreation):
3065         (JSC::JSRopeString::append):
3066         (JSC::JSRopeString::create):
3067         (JSC::JSRopeString::offsetOfFibers):
3068         (JSC::JSRopeString::fiber):
3069         (JSC::JSRopeString::substringBase):
3070         (JSC::JSRopeString::substringOffset):
3071         (JSC::JSRopeString::substringSentinel):
3072         (JSC::JSRopeString::isSubstring):
3073         (JSC::jsSubstring):
3074         * runtime/RegExpMatchesArray.cpp:
3075         (JSC::RegExpMatchesArray::reifyAllProperties):
3076         * runtime/StringPrototype.cpp:
3077         (JSC::stringProtoFuncSubstring):
3078
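An added example, not JavaScriptCore code, of the two entries above: a toy rope that enforces the jsSubstring() invariant (a Substring node's base is always a flat string, never a rope, so resolution is a single copy for a substring and a non-recursive walk for a concatenation whose fibers are flat, concatenations, or one-level substrings), plus a toExistingAtom() sketch of the 2014-05-04 AtomicString entry (resolve into a temporary, probe the atom table, leave the rope alone on a miss). Every name here (Rope, makeSubstring, appendResolved, toExistingAtom, the atom set) is this example's own; a std::string stands in for JSC's stack buffer.

```cpp
// Added example (not JavaScriptCore code): a toy rope with the invariant that
// a Substring node's base is never itself a rope, plus a lookup-without-insert
// probe of an atom table. All names are this example's own.
#include <cstdio>
#include <memory>
#include <string>
#include <unordered_set>
#include <utility>
#include <vector>

struct Rope;
using RopePtr = std::shared_ptr<Rope>;

struct Rope {
    enum Kind { Flat, Concat, Substring };
    Kind kind = Flat;
    std::string flat;                 // Flat: the resolved characters
    RopePtr left, right;              // Concat: two fibers (may themselves be ropes)
    RopePtr base;                     // Substring: always a Flat node, by construction
    size_t offset = 0, length = 0;    // Substring: window into base->flat
};

RopePtr makeFlat(std::string s) {
    auto r = std::make_shared<Rope>();
    r->flat = std::move(s);
    return r;
}

RopePtr makeConcat(RopePtr a, RopePtr b) {
    auto r = std::make_shared<Rope>();
    r->kind = Rope::Concat; r->left = std::move(a); r->right = std::move(b);
    return r;
}

// Append the characters of `r` to `out` using an explicit work list, so deep
// concatenations never recurse. Substring fibers need no descent at all
// because their base is guaranteed Flat.
void appendResolved(const Rope& r, std::string& out) {
    std::vector<const Rope*> work{ &r };
    while (!work.empty()) {
        const Rope* n = work.back(); work.pop_back();
        switch (n->kind) {
        case Rope::Flat:      out.append(n->flat); break;
        case Rope::Substring: out.append(n->base->flat, n->offset, n->length); break;
        case Rope::Concat:    work.push_back(n->right.get()); work.push_back(n->left.get()); break;
        }
    }
}

std::string resolved(const Rope& r) { std::string s; appendResolved(r, s); return s; }

// Resolve in place: the node becomes Flat and drops its fibers or base.
void resolve(Rope& r) {
    if (r.kind == Rope::Flat) return;
    Rope fresh;
    fresh.flat = resolved(r);
    r = std::move(fresh);
}

// jsSubstring() analogue. A rope base is resolved first so the invariant holds;
// the substring itself stays lazy and shares the base's buffer.
RopePtr makeSubstring(RopePtr base, size_t offset, size_t length) {
    if (base->kind != Rope::Flat) resolve(*base);
    auto r = std::make_shared<Rope>();
    r->kind = Rope::Substring; r->base = std::move(base);
    r->offset = offset; r->length = length;
    return r;
}

// toExistingAtomicString() analogue: resolve into a temporary, probe the table,
// and return the interned string if one exists. The rope is left untouched, so
// a miss does not turn it into a new Flat string.
const std::string* toExistingAtom(const Rope& r, const std::unordered_set<std::string>& atoms) {
    std::string probe = resolved(r);
    auto it = atoms.find(probe);
    return it == atoms.end() ? nullptr : &*it;
}

int main() {
    auto cat = makeConcat(makeFlat("hello, "), makeFlat("world"));
    auto sub = makeSubstring(cat, 7, 5);   // cat was a rope: resolved before use as a base
    std::printf("%s (base is flat: %s)\n", resolved(*sub).c_str(), sub->base->kind == Rope::Flat ? "yes" : "no");
    return 0;
}
```

The check that matters for the invariant is the first line of makeSubstring(): any code path that hands a rope to a substring constructor without resolving it first reintroduces the recursion the entry is deliberately avoiding.
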
3079 2014-05-02  Michael Saboff  <msaboff@apple.com>
3080
3081         "arm64 function not 4-byte aligned" warnings when building JSC
3082         https://bugs.webkit.org/show_bug.cgi?id=132495
3083
3084         Reviewed by Geoffrey Garen.
3085
3086         Added ".align 4" for both ARM Thumb2 and ARM 64 to silence the linker.
3087
3088         * llint/LowLevelInterpreter.cpp:
3089
3090 2014-05-02  Mark Hahnenberg  <mhahnenberg@apple.com>
3091
3092         Fix cloop build after r168178
3093
3094         * bytecode/CodeBlock.cpp:
3095
3096 2014-05-01  Mark Hahnenberg  <mhahnenberg@apple.com>
3097
3098         Add a DFG function whitelist
3099         https://bugs.webkit.org/show_bug.cgi?id=132437
3100
3101         Reviewed by Geoffrey Garen.
3102
3103         Oftentimes when debugging, using bytecode ranges isn't enough to narrow down to the
3104         particular DFG block that's causing issues. This patch adds the ability to whitelist
3105         specific functions specified in a file to enable further filtering without having to recompile.
3106
3107         * CMakeLists.txt:
3108         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3109         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3110         * JavaScriptCore.xcodeproj/project.pbxproj:
3111         * dfg/DFGCapabilities.cpp:
3112         (JSC::DFG::isSupported):
3113         (JSC::DFG::mightInlineFunctionForCall):
3114         (JSC::DFG::mightInlineFunctionForClosureCall):
3115         (JSC::DFG::mightInlineFunctionForConstruct):
3116         * dfg/DFGFunctionWhitelist.cpp: Added.
3117         (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
3118         (JSC::DFG::FunctionWhitelist::FunctionWhitelist):
3119         (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
3120         (JSC::DFG::FunctionWhitelist::contains):
3121         * dfg/DFGFunctionWhitelist.h: Added.
3122         * runtime/Options.cpp:
3123         (JSC::parse):
3124         (JSC::Options::dumpOption):
3125         * runtime/Options.h:
3126
3127 2014-05-02  Filip Pizlo  <fpizlo@apple.com>
3128
3129         DFGAbstractInterpreter should not claim Int52 arithmetic creates Int52s
3130         https://bugs.webkit.org/show_bug.cgi?id=132446
3131
3132         Reviewed by Mark Hahnenberg.
3133         
3134         Basically any arithmetic operation can turn an Int52 into an Int32 or vice-versa, and
3135         our modeling of Int52Rep nodes is such that they can have either Int32 or Int52 type
3136         to indicate a bound on the value. This is useful for knowing, for example, that
3137         Int52Rep(Int32:) returns a value that cannot be outside the Int32 range. Also,
3138         ValueRep(Int52Rep:) uses this to determine whether it may return a double or an int.
3139         But this means that all arithmetic operations must be careful to note that they may
3140         turn Int32 inputs into an Int52 output or vice-versa, as these new tests show.
3141
3142         * dfg/DFGAbstractInterpreterInlines.h:
3143         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3144         * dfg/DFGByteCodeParser.cpp:
3145         (JSC::DFG::ByteCodeParser::makeSafe):
3146         * tests/stress/int52-ai-add-then-filter-int32.js: Added.
3147         (foo):
3148         * tests/stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js: Added.
3149         (foo):
3150         * tests/stress/int52-ai-mul-then-filter-int32-directly.js: Added.
3151         (foo):
3152         * tests/stress/int52-ai-mul-then-filter-int32.js: Added.
3153         (foo):
3154         * tests/stress/int52-ai-neg-then-filter-int32.js: Added.
3155         (foo):
3156         * tests/stress/int52-ai-sub-then-filter-int32.js: Added.
3157         (foo):
3158
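An added example, not JavaScriptCore code, of the reasoning in the entry above: a toy interval-based abstract interpreter in which Int32 and Int52 are bounds on a value's range, as in the DFG's Int52Rep modelling. It shows Int32 + Int32 landing in Int52, Int52 - Int52 landing back in Int32, negation of INT32_MIN leaving Int32, and an Int32 filter that must intersect rather than assume. Range, NumberType, classify(), the transfer functions and filterInt32() are this example's own names.

```cpp
// Added example (not JavaScriptCore code): interval abstract interpretation
// showing that every arithmetic op can cross the Int32/Int52 boundary in
// either direction. Names here are this example's own.
#include <algorithm>
#include <cstdint>
#include <cstdio>

// Abstract value: a closed interval of integers.
struct Range { int64_t lo, hi; };

enum class NumberType { Int32, Int52, Overflow };

static const int64_t kInt52Max = (int64_t(1) << 51) - 1;
static const int64_t kInt52Min = -(int64_t(1) << 51);

// Tightest type that covers every value in the range.
NumberType classify(Range r) {
    if (r.lo >= INT32_MIN && r.hi <= INT32_MAX) return NumberType::Int32;
    if (r.lo >= kInt52Min && r.hi <= kInt52Max) return NumberType::Int52;
    return NumberType::Overflow;
}

// Transfer functions. sub can shrink an Int52 back into Int32 range;
// add, mul and neg can push an Int32 out of it.
Range add(Range a, Range b) { return { a.lo + b.lo, a.hi + b.hi }; }
Range sub(Range a, Range b) { return { a.lo - b.hi, a.hi - b.lo }; }
Range neg(Range a)          { return { -a.hi, -a.lo }; }

// Multiply with saturation just outside the Int52 range, so products of two
// Int52 bounds cannot overflow int64_t; classify() only needs "outside".
static int64_t mulSat(int64_t x, int64_t y) {
    long double p = static_cast<long double>(x) * static_cast<long double>(y);
    if (p > static_cast<long double>(kInt52Max)) return kInt52Max + 1;
    if (p < static_cast<long double>(kInt52Min)) return kInt52Min - 1;
    return x * y;
}
Range mul(Range a, Range b) {
    int64_t c[4] = { mulSat(a.lo, b.lo), mulSat(a.lo, b.hi), mulSat(a.hi, b.lo), mulSat(a.hi, b.hi) };
    return { *std::min_element(c, c + 4), *std::max_element(c, c + 4) };
}

// Sound "filter Int32": intersect with the Int32 range. Returns false only when
// no value can pass; anything else must stay a runtime check.
bool filterInt32(Range r, Range& out) {
    out = { std::max<int64_t>(r.lo, INT32_MIN), std::min<int64_t>(r.hi, INT32_MAX) };
    return out.lo <= out.hi;
}

static const char* name(NumberType t) {
    return t == NumberType::Int32 ? "Int32" : t == NumberType::Int52 ? "Int52" : "Overflow";
}

int main() {
    Range a{ INT32_MAX - 1, INT32_MAX }, one{ 1, 1 };
    Range big{ int64_t(1) << 40, (int64_t(1) << 40) + 5 }, base{ int64_t(1) << 40, int64_t(1) << 40 };
    std::printf("Int32 + Int32 -> %s\n", name(classify(add(a, one))));
    std::printf("Int52 - Int52 -> %s\n", name(classify(sub(big, base))));
    std::printf("neg(INT32_MIN) -> %s\n", name(classify(neg(Range{ INT32_MIN, INT32_MIN }))));
    return 0;
}
```

The bug class the entry describes is an analysis that keeps the input type on the output of add/sub/mul/neg; the transfer functions above recompute the bound and reclassify, which is the only way the later Int32 filter stays sound.
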
3159 2014-05-01  Geoffrey Garen  <ggaren@apple.com>
3160
3161         JavaScriptCore fails to build with some versions of clang
3162         https://bugs.webkit.org/show_bug.cgi?id=132436
3163
3164         Reviewed by Anders Carlsson.
3165
3166         * runtime/ArgumentsIteratorConstructor.cpp: Since we call
3167         putDirectWithoutTransition, and it calls putWillGrowOutOfLineStorage,
3168         and both are marked inline, it's valid for the compiler to decide
3169         to inline both and emit neither in the binary. Therefore, we need
3170         both inline definitions to be available in the translation unit at
3171         compile time, or we'll try to link against a function that doesn't exist.
3172
3173 2014-05-01  Commit Queue  <commit-queue@webkit.org>
3174
3175         Unreviewed, rolling out r167964.
3176         https://bugs.webkit.org/show_bug.cgi?id=132431
3177
3178         Memory improvements should not regress memory usage (Requested
3179         by olliej on #webkit).
3180
3181         Reverted changeset:
3182
3183         "Don't hold on to parameter BindingNodes forever"
3184         https://bugs.webkit.org/show_bug.cgi?id=132360
3185         http://trac.webkit.org/changeset/167964
3186
3187 2014-05-01  Filip Pizlo  <fpizlo@apple.com>
3188
3189         Fix trivial debug-only race-that-crashes in CallLinkStatus and explain why the remaining races are totally awesome
3190         https://bugs.webkit.org/show_bug.cgi?id=132427
3191
3192         Reviewed by Mark Hahnenberg.
3193
3194         * bytecode/CallLinkStatus.cpp:
3195         (JSC::CallLinkStatus::computeFor):
3196
3197 2014-04-30  Simon Fraser  <simon.fraser@apple.com>
3198
3199         Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO
3200         https://bugs.webkit.org/show_bug.cgi?id=132396
3201
3202         Reviewed by Eric Carlson.
3203
3204         Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO and related code.
3205
3206         * Configurations/FeatureDefines.xcconfig:
3207
3208 2014-04-30  Filip Pizlo  <fpizlo@apple.com>
3209
3210         Argument flush formats should not be presumed to be JSValue since 'this' is weird
3211         https://bugs.webkit.org/show_bug.cgi?id=132404
3212
3213         Reviewed by Michael Saboff.
3214
3215         * dfg/DFGSpeculativeJIT.cpp:
3216         (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Don't assume that arguments are flushed as JSValue. Use the logic for locals instead.
3217         * dfg/DFGSpeculativeJIT32_64.cpp:
3218         (JSC::DFG::SpeculativeJIT::compile): SetArgument "changes" the format because before this we wouldn't know we had arguments.
3219         * dfg/DFGSpeculativeJIT64.cpp:
3220         (JSC::DFG::SpeculativeJIT::compile): Ditto.
3221         * dfg/DFGValueSource.cpp:
3222         (JSC::DFG::ValueSource::dumpInContext): Make this easier to dump.
3223         * dfg/DFGValueSource.h:
3224         (JSC::DFG::ValueSource::operator!): Make this easier to dump because Operands<T> uses T::operator!().
3225         * ftl/FTLOSREntry.cpp:
3226         (JSC::FTL::prepareOSREntry): This had a useful assertion for everything except 'this'.
3227         * tests/stress/strict-to-this-int.js: Added.
3228         (foo):
3229         (Number.prototype.valueOf):
3230         (test):
3231
3232 2014-04-29  Oliver Hunt  <oliver@apple.com>
3233
3234         Don't hold on to parameterBindingNodes forever
3235         https://bugs.webkit.org/show_bug.cgi?id=132360
3236
3237         Reviewed by Geoffrey Garen.
3238
3239         Don't keep the parameter nodes anymore. Instead we store the
3240         original parameter string and reparse whenever we actually
3241         need them. Because we only actually need them for compilation
3242         this only results in a single extra parse.
3243
3244         * bytecode/UnlinkedCodeBlock.cpp:
3245         (JSC::generateFunctionCodeBlock):
3246         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3247         (JSC::UnlinkedFunctionExecutable::visitChildren):
3248         (JSC::UnlinkedFunctionExecutable::finishCreation):
3249         (JSC::UnlinkedFunctionExecutable::paramString):
3250         (JSC::UnlinkedFunctionExecutable::parameters):
3251         (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
3252         * bytecode/UnlinkedCodeBlock.h:
3253         (JSC::UnlinkedFunctionExecutable::create):
3254         (JSC::UnlinkedFunctionExecutable::parameterCount):
3255         (JSC::UnlinkedFunctionExecutable::parameters): Deleted.
3256         (JSC::UnlinkedFunctionExecutable::finishCreation): Deleted.
3257         * parser/ASTBuilder.h:
3258         (JSC::ASTBuilder::ASTBuilder):
3259         (JSC::ASTBuilder::setFunctionBodyParameters):
3260         * parser/Nodes.h:
3261         (JSC::FunctionBodyNode::parametersStartOffset):
3262         (JSC::FunctionBodyNode::parametersEndOffset):
3263         (JSC::FunctionBodyNode::setParameterLocation):
3264         * parser/Parser.cpp:
3265         (JSC::Parser<LexerType>::parseFunctionInfo):
3266         (JSC::parseParameters):
3267         * parser/Parser.h:
3268         (JSC::parse):
3269         * parser/SourceCode.h:
3270         (JSC::SourceCode::subExpression):
3271         * parser/SyntaxChecker.h:
3272         (JSC::SyntaxChecker::setFunctionBodyParameters):
3273
3274 2014-04-29  Mark Hahnenberg  <mhahnenberg@apple.com>
3275
3276         JSProxies should be cacheable
3277         https://bugs.webkit.org/show_bug.cgi?id=132351
3278
3279         Reviewed by Geoffrey Garen.
3280
3281         Whenever we encounter a proxy in an inline cache we should try to cache on the 
3282         proxy's target instead of giving up.
3283
3284         This patch adds support for a simple "recursive" inline cache if the base object
3285         we're accessing is a pure forwarding proxy. JSGlobalObject and its subclasses 
3286         are the only ones to benefit from this right now.
3287
3288         This is performance neutral on the benchmarks we track. Currently we won't
3289         cache on JSDOMWindow due to HasImpureGetOwnPropertySlot, but this issue will be fixed soon.
3290
3291         * jit/Repatch.cpp:
3292         (JSC::generateByIdStub):
3293         (JSC::tryBuildGetByIDList):
3294         (JSC::tryCachePutByID):
3295         (JSC::tryBuildPutByIdList):
3296         * jsc.cpp:
3297         (GlobalObject::finishCreation):
3298         (functionCreateProxy):
3299         * runtime/IntendedStructureChain.cpp:
3300         (JSC::IntendedStructureChain::isNormalized):
3301         * runtime/JSCellInlines.h:
3302         (JSC::JSCell::isProxy):
3303         * runtime/JSGlobalObject.h:
3304         (JSC::JSGlobalObject::finishCreation):
3305         * runtime/JSProxy.h:
3306         (JSC::JSProxy::createStructure):
3307         (JSC::JSProxy::targetOffset):
3308         * runtime/JSType.h:
3309         * runtime/Operations.h:
3310         (JSC::isPrototypeChainNormalized):
3311         * runtime/Structure.h:
3312         (JSC::Structure::isProxy):
3313         * tests/stress/proxy-inline-cache.js: Added.
3314         (cacheOnTarget.getX):
3315         (cacheOnTarget):
3316         (cacheOnPrototypeOfTarget.getX):
3317         (cacheOnPrototypeOfTarget):
3318         (dontCacheOnProxyInPrototypeChain.getX):
3319         (dontCacheOnProxyInPrototypeChain):
3320         (dontCacheOnTargetOfProxyInPrototypeChainOfTarget.getX):
3321         (dontCacheOnTargetOfProxyInPrototypeChainOfTarget):
3322
3323 2014-04-29  Filip Pizlo  <fpizlo@apple.com>
3324
3325         Use LLVM as a backend for the fourth-tier DFG JIT (a.k.a. the FTL JIT)
3326         https://bugs.webkit.org/show_bug.cgi?id=112840
3327
3328         Rubber stamped by Geoffrey Garen.
3329
3330         * Configurations/FeatureDefines.xcconfig:
3331
3332 2014-04-29  Geoffrey Garen  <ggaren@apple.com>
3333
3334         String.prototype.trim removes U+200B from strings.
3335         https://bugs.webkit.org/show_bug.cgi?id=130184
3336
3337         Reviewed by Michael Saboff.
3338
3339         * runtime/StringPrototype.cpp:
3340         (JSC::trimString):
3341         (JSC::isTrimWhitespace): Deleted.
3342
3343 2014-04-29  Mark Lam  <mark.lam@apple.com>
3344
3345         Zombifying sweep should ignore retired blocks.
3346         <https://webkit.org/b/132344>
3347
3348         Reviewed by Mark Hahnenberg.
3349
3350         By definition, retired blocks do not have "dead" objects, or at least
3351         none that we know of yet until the next marking phase has been run
3352         over them.  So, we should not be sweeping them (even for zombie mode).
3353
3354         * heap/Heap.cpp:
3355         (JSC::Heap::zombifyDeadObjects):
3356         * heap/MarkedSpace.cpp:
3357         (JSC::MarkedSpace::zombifySweep):
3358         * heap/MarkedSpace.h:
3359         (JSC::ZombifySweep::operator()):
3360
3361 2014-04-29  Mark Lam  <mark.lam@apple.com>
3362
3363         Fix bit rot in zombie mode heap code.
3364         <https://webkit.org/b/132342>
3365
3366         Reviewed by Mark Hahnenberg.
3367
3368         Need to enter a DelayedReleaseScope before doing a sweep.
3369
3370         * heap/Heap.cpp:
3371         (JSC::Heap::zombifyDeadObjects):
3372
3373 2014-04-29  Tomas Popela  <tpopela@redhat.com>
3374
3375         LLINT loadisFromInstruction doesn't need special case for big endians
3376         https://bugs.webkit.org/show_bug.cgi?id=132330
3377
3378         Reviewed by Mark Lam.
3379
3380         The change introduced in r167076 was wrong. We should not apply the offset
3381         adjustment on loadisFromInstruction usage as the instruction
3382         (UnlinkedInstruction) is declared as a union (i.e. with the int32_t
3383         operand variable). The offset of the other union members will be the
3384         same as the offset of the first one, that is 0. The behavior here is the
3385         same on little and big endian architectures. Thus we don't need a
3386         special case for big endians.
3387
3388         * llint/LowLevelInterpreter.asm:
3389
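An added example, not WebKit code, of the layout argument in the entry above: every member of a union starts at offset 0, so an int32_t member written as int32_t is read back at offset 0 regardless of endianness, whereas reading the low 32 bits of a 64-bit word is the case where a big-endian adjustment genuinely belongs. The Instruction union is this example's stand-in for JSC's UnlinkedInstruction, and the "bogus adjustment" path is an assumption about the kind of adjustment r167076 applied, not a quotation of it.

```cpp
// Added example (not WebKit code): union member offsets versus the offset of
// the low half of a 64-bit word. Instruction stands in for UnlinkedInstruction;
// the bogus-adjustment path is an assumed reconstruction of the r167076 bug.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

union Instruction {
    int64_t bits;     // a 64-bit first member (opcode / pointer-sized slot)
    int32_t operand;  // the member loadisFromInstruction reads
};

// Offset of the int32_t member inside the union: 0 by the language rules.
size_t operandOffset() { return offsetof(Instruction, operand); }

// Offset of the low 32 bits of an int64_t: 0 on little-endian, 4 on big-endian.
// Detected at run time so the example is self-checking on either host.
size_t low32OffsetOfInt64() {
    int64_t word = 1;
    unsigned char bytes[sizeof word];
    std::memcpy(bytes, &word, sizeof word);
    return bytes[0] == 1 ? 0 : 4;
}

// Correct load: the int32_t at the union's base address, endianness irrelevant.
int32_t loadOperand(const Instruction* insn) {
    int32_t v;
    std::memcpy(&v, reinterpret_cast<const unsigned char*>(insn) + operandOffset(), sizeof v);
    return v;
}

// Wrong load: treats the operand as the low half of the 64-bit member and
// applies the int64 adjustment. On little-endian both offsets are 0, so the
// bug is invisible there; on big-endian this reads the other half of the union.
int32_t loadOperandWithBogusAdjustment(const Instruction* insn) {
    int32_t v;
    std::memcpy(&v, reinterpret_cast<const unsigned char*>(insn) + low32OffsetOfInt64(), sizeof v);
    return v;
}

// True when both loads return the stored operand on this host.
bool loadsAgree(int32_t operand) {
    Instruction insn;
    insn.bits = 0;            // clear all 8 bytes first
    insn.operand = operand;   // then write the 4-byte member at offset 0
    return loadOperand(&insn) == loadOperandWithBogusAdjustment(&insn);
}

int main() {
    std::printf("operand offset: %zu, low32-of-int64 offset: %zu\n",
                operandOffset(), low32OffsetOfInt64());
    std::printf("loads agree on this host: %s\n",
                loadsAgree(-42) ? "yes (little-endian)" : "no (big-endian)");
    return 0;
}
```

The practical check is the first assertion: if operandOffset() is 0, no endian-dependent arithmetic belongs in the load, and any such arithmetic is a latent bug that only a big-endian build will expose.
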
3390 2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>
3391
3392         Simplify tryCacheGetById
3393         https://bugs.webkit.org/show_bug.cgi?id=132314
3394
3395         Reviewed by Oliver Hunt and Filip Pizlo.
3396
3397         This is neutral across all benchmarks we track, although it looks like a wee 0.5% progression on sunspider.
3398
3399         * jit/Repatch.cpp:
3400         (JSC::tryCacheGetByID): If we fail to cache on self, we just repatch to call tryBuildGetByIDList next time.
3401
3402 2014-04-28  Michael Saboff  <msaboff@apple.com>
3403
3404         REGRESSION(r153142) ASSERT from CodeBlock::dumpBytecode dumping String Switch Jump Tables
3405         https://bugs.webkit.org/show_bug.cgi?id=132315
3406
3407         Reviewed by Mark Hahnenberg.
3408
3409         Used the StringImpl version of utf8() instead of creating a String first.
3410
3411         * bytecode/CodeBlock.cpp:
3412         (JSC::CodeBlock::dumpBytecode):
3413
3414 2014-04-28  Filip Pizlo  <fpizlo@apple.com>
3415
3416         The LLInt is awesome and it should get more of the action.
3417
3418         Rubber stamped by Geoffrey Garen.
3419         
3420         5% speed-up on JSBench and no meaningful regressions.  Should be a PLT/DYE speed-up also.
3421
3422         * runtime/Options.h:
3423
3424 2014-04-27  Filip Pizlo  <fpizlo@apple.com>
3425
3426         GC should be able to remove things from the DFG worklist and cancel on-going compilations if it knows that the compilation would already be invalidated
3427         https://bugs.webkit.org/show_bug.cgi?id=132166
3428
3429         Reviewed by Oliver Hunt and Mark Hahnenberg.
3430         
3431         The GC can aid type inference by removing structures that are dead and jettisoning
3432         code that relies on those structures. This can dramatically accelerate type inference
3433         for some tricky programs.
3434         
3435         Unfortunately, we previously pinned any structures that enqueued compilations depended
3436         on. This means that if you're on a machine that only runs a single compilation thread
3437         and where compilations are relatively slow,