FTL arity fixup should work on ARM64
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
2
3         FTL arity fixup should work on ARM64
4         https://bugs.webkit.org/show_bug.cgi?id=129810
5
6         Reviewed by Michael Saboff.
7         
8         - Using regT5 to pass the thunk return address to arityFixup is shady since that's a
9           callee-save.
10         
11         - The FTL path was assuming X86 conventions for where SP points at the top of the prologue.
12         
13         This makes some more tests pass.
14
15         * dfg/DFGJITCompiler.cpp:
16         (JSC::DFG::JITCompiler::compileFunction):
17         * ftl/FTLLink.cpp:
18         (JSC::FTL::link):
19         * jit/AssemblyHelpers.h:
20         (JSC::AssemblyHelpers::prologueStackPointerDelta):
21         * jit/JIT.cpp:
22         (JSC::JIT::privateCompile):
23         * jit/ThunkGenerators.cpp:
24         (JSC::arityFixup):
25         * llint/LowLevelInterpreter64.asm:
26         * offlineasm/arm64.rb:
27         * offlineasm/x86.rb: In addition to the t7 change, make t6 agree with GPRInfo.h.
28
29 2014-03-06  Mark Hahnenberg  <mhahnenberg@apple.com>
30
31         Fix write barriers in Repatch.cpp for !ENABLE(DFG_JIT) platforms after r165128
32         https://bugs.webkit.org/show_bug.cgi?id=129760
33
34         Reviewed by Geoffrey Garen.
35
36         r165128 disabled the write barrier fast path for inline caches on !ENABLE(DFG_JIT) platforms.
37         The fix is to refactor the write barrier code into AssemblyHelpers and use that everywhere.
38
39         * dfg/DFGSpeculativeJIT.cpp:
40         (JSC::DFG::SpeculativeJIT::writeBarrier):
41         * dfg/DFGSpeculativeJIT.h:
42         * dfg/DFGSpeculativeJIT32_64.cpp:
43         (JSC::DFG::SpeculativeJIT::writeBarrier):
44         * dfg/DFGSpeculativeJIT64.cpp:
45         (JSC::DFG::SpeculativeJIT::writeBarrier):
46         * jit/AssemblyHelpers.h:
47         (JSC::AssemblyHelpers::checkMarkByte):
48         * jit/JIT.h:
49         * jit/JITPropertyAccess.cpp:
50         * jit/Repatch.cpp:
51         (JSC::writeBarrier):
52
53 2014-03-06  Joseph Pecoraro  <pecoraro@apple.com>
54
55         Web Inspector: Expose the console object in JSContexts to interact with Web Inspector
56         https://bugs.webkit.org/show_bug.cgi?id=127944
57
58         Reviewed by Geoffrey Garen.
59
60         Always expose the Console object in JSContexts, just like we
61         do for web pages. The default behavior will route to an
62         attached JSContext inspector. This can be overridden by
63         setting the ConsoleClient on the JSGlobalObject, which WebCore
64         does to get slightly different behavior.
65
66         * CMakeLists.txt:
67         * GNUmakefile.list.am:
68         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
69         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
70         * JavaScriptCore.xcodeproj/project.pbxproj:
71         Update build systems.
72
73         * API/tests/testapi.js:
74         * API/tests/testapi.mm:
75         Test that "console" exists in C and ObjC contexts.
76
77         * runtime/ConsoleClient.cpp: Added.
78         (JSC::ConsoleClient::printURLAndPosition):
79         (JSC::ConsoleClient::printMessagePrefix):
80         (JSC::ConsoleClient::printConsoleMessage):
81         (JSC::ConsoleClient::printConsoleMessageWithArguments):
82         (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
83         (JSC::ConsoleClient::logWithLevel):
84         (JSC::ConsoleClient::clear):
85         (JSC::ConsoleClient::dir):
86         (JSC::ConsoleClient::dirXML):
87         (JSC::ConsoleClient::table):
88         (JSC::ConsoleClient::trace):
89         (JSC::ConsoleClient::assertCondition):
90         (JSC::ConsoleClient::group):
91         (JSC::ConsoleClient::groupCollapsed):
92         (JSC::ConsoleClient::groupEnd):
93         * runtime/ConsoleClient.h: Added.
94         (JSC::ConsoleClient::~ConsoleClient):
95         New private interface for handling the console object's methods.
96         A lot of the methods funnel through messageWithTypeAndLevel.
97
98         * runtime/ConsoleTypes.h: Renamed from Source/JavaScriptCore/inspector/ConsoleTypes.h.
99         Moved to JSC namespace.
100
101         * runtime/JSGlobalObject.cpp:
102         (JSC::JSGlobalObject::JSGlobalObject):
103         (JSC::JSGlobalObject::init):
104         (JSC::JSGlobalObject::reset):
105         (JSC::JSGlobalObject::visitChildren):
106         Create the "console" object when initializing the environment.
107         Also set the default console client to be the JS context inspector.
108
109         * runtime/JSGlobalObject.h:
110         (JSC::JSGlobalObject::setConsoleClient):
111         (JSC::JSGlobalObject::consoleClient):
112         Ability to change the console client, so WebCore can set a custom client.
113
114         * runtime/ConsolePrototype.cpp: Added.
115         (JSC::ConsolePrototype::finishCreation):
116         (JSC::valueToStringWithUndefinedOrNullCheck):
117         (JSC::consoleLogWithLevel):
118         (JSC::consoleProtoFuncDebug):
119         (JSC::consoleProtoFuncError):
120         (JSC::consoleProtoFuncLog):
121         (JSC::consoleProtoFuncWarn):
122         (JSC::consoleProtoFuncClear):
123         (JSC::consoleProtoFuncDir):
124         (JSC::consoleProtoFuncDirXML):
125         (JSC::consoleProtoFuncTable):
126         (JSC::consoleProtoFuncTrace):
127         (JSC::consoleProtoFuncAssert):
128         (JSC::consoleProtoFuncCount):
129         (JSC::consoleProtoFuncProfile):
130         (JSC::consoleProtoFuncProfileEnd):
131         (JSC::consoleProtoFuncTime):
132         (JSC::consoleProtoFuncTimeEnd):
133         (JSC::consoleProtoFuncTimeStamp):
134         (JSC::consoleProtoFuncGroup):
135         (JSC::consoleProtoFuncGroupCollapsed):
136         (JSC::consoleProtoFuncGroupEnd):
137         * runtime/ConsolePrototype.h: Added.
138         (JSC::ConsolePrototype::create):
139         (JSC::ConsolePrototype::createStructure):
140         (JSC::ConsolePrototype::ConsolePrototype):
141         Define the console object interface. Parse out required / expected
142         arguments and throw exceptions when methods are misused.
143
144         * runtime/JSConsole.cpp: Added.
145         * runtime/JSConsole.h: Added.
146         (JSC::JSConsole::createStructure):
147         (JSC::JSConsole::create):
148         (JSC::JSConsole::JSConsole):
149         Empty "console" object. Everything is in the prototype.
150
151         * inspector/JSConsoleClient.cpp: Added.
152         (Inspector::JSConsoleClient::JSGlobalObjectConsole):
153         (Inspector::JSConsoleClient::count):
154         (Inspector::JSConsoleClient::profile):
155         (Inspector::JSConsoleClient::profileEnd):
156         (Inspector::JSConsoleClient::time):
157         (Inspector::JSConsoleClient::timeEnd):
158         (Inspector::JSConsoleClient::timeStamp):
159         (Inspector::JSConsoleClient::warnUnimplemented):
160         (Inspector::JSConsoleClient::internalAddMessage):
161         * inspector/JSConsoleClient.h: Added.
162         * inspector/JSGlobalObjectInspectorController.cpp:
163         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
164         (Inspector::JSGlobalObjectInspectorController::consoleClient):
165         * inspector/JSGlobalObjectInspectorController.h:
166         Default JSContext ConsoleClient implementation. Handle nearly
167         everything except profile/profileEnd and timeStamp.
168
169 2014-03-06  Andreas Kling  <akling@apple.com>
170
171         Drop unlinked function code on memory pressure.
172         <https://webkit.org/b/129789>
173
174         Make VM::discardAllCode() also drop UnlinkedFunctionCodeBlocks that
175         are not currently being compiled.
176
177         4.5 MB progression on Membuster.
178
179         Reviewed by Geoffrey Garen.
180
181         * heap/Heap.cpp:
182         (JSC::Heap::deleteAllUnlinkedFunctionCode):
183         * heap/Heap.h:
184         * runtime/VM.cpp:
185         (JSC::VM::discardAllCode):
186
187 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
188
189         Clarify how we deal with "special" registers
190         https://bugs.webkit.org/show_bug.cgi?id=129806
191
192         Reviewed by Michael Saboff.
193         
194         Previously we had two different places that defined what "stack" registers are, a thing
195         called "specialRegisters" that had unclear meaning, and a really weird "firstRealRegister"/
196         "secondRealRegister"/"nextRegister" idiom in MacroAssembler that appeared to only be used by
197         one place and had a baked-in notion of what it meant for a register to be "real" or not.
198         
199         It's not cool to use words like "real" and "special" to describe registers, especially if you
200         fail to qualify what that means. This originally made sense on X86 - "real" registers were
201         the ones that weren't "stack related" (so "real" was the opposite of "stack"). But on ARM64,
202         you also have to worry about the LR register, which we'd want to say is "not real" but it's
203         also not a "stack" register. This got super confusing.
204         
205         So, this patch removes any mention of "real" registers, consolidates the knowledge of what is
206         a "stack" register, and uses the word special only in places where it's clearly defined and
207         where no better word comes to mind.
208         
209         This cleans up the code and fixes what seems like it was probably a harmless ARM64 bug: the
210         Reg and RegisterSet data structures would sometimes think that FP was Q0. Somehow this
211         magically didn't break anything because you never need to save/restore either FP or Q0, but
212         it was still super weird.
213
214         * assembler/ARM64Assembler.h:
215         (JSC::ARM64Assembler::lastRegister):
216         * assembler/MacroAssembler.h:
217         (JSC::MacroAssembler::nextRegister):
218         * ftl/FTLLocation.cpp:
219         (JSC::FTL::Location::restoreInto):
220         * ftl/FTLSaveRestore.cpp:
221         (JSC::FTL::saveAllRegisters):
222         (JSC::FTL::restoreAllRegisters):
223         * ftl/FTLSlowPathCall.cpp:
224         * jit/RegisterSet.cpp:
225         (JSC::RegisterSet::reservedHardwareRegisters):
226         (JSC::RegisterSet::runtimeRegisters):
227         (JSC::RegisterSet::specialRegisters):
228         (JSC::RegisterSet::calleeSaveRegisters):
229         * jit/RegisterSet.h:
230
231 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
232
233         Unreviewed, fix build.
234
235         * disassembler/ARM64Disassembler.cpp:
236
237 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
238
239         Use the LLVM disassembler on ARM64 if we are enabling the FTL
240         https://bugs.webkit.org/show_bug.cgi?id=129785
241
242         Reviewed by Geoffrey Garen.
243         
244         Our disassembler can't handle some of the code sequences that LLVM emits. LLVM's disassembler
245         is strictly more capable at this point. Use it if it's available.
246
247         * disassembler/ARM64Disassembler.cpp:
248         (JSC::tryToDisassemble):
249
250 2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>
251
252         Web Inspector: Reduce RWI message frequency
253         https://bugs.webkit.org/show_bug.cgi?id=129767
254
255         Reviewed by Timothy Hatcher.
256
257         This used to be 0.2s and changed by accident to 0.02s.
258
259         * inspector/remote/RemoteInspector.mm:
260         (Inspector::RemoteInspector::pushListingSoon):
261
262 2014-03-05  Commit Queue  <commit-queue@webkit.org>
263
264         Unreviewed, rolling out r165141, r165157, and r165158.
265         http://trac.webkit.org/changeset/165141
266         http://trac.webkit.org/changeset/165157
267         http://trac.webkit.org/changeset/165158
268         https://bugs.webkit.org/show_bug.cgi?id=129772
269
270         "broke ftl" (Requested by olliej_ on #webkit).
271
272         * JavaScriptCore.xcodeproj/project.pbxproj:
273         * bytecode/PolymorphicPutByIdList.cpp:
274         (JSC::PutByIdAccess::visitWeak):
275         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
276         (JSC::PolymorphicPutByIdList::from):
277         * bytecode/PolymorphicPutByIdList.h:
278         (JSC::PutByIdAccess::transition):
279         (JSC::PutByIdAccess::replace):
280         (JSC::PutByIdAccess::oldStructure):
281         (JSC::PutByIdAccess::chain):
282         (JSC::PutByIdAccess::stubRoutine):
283         * bytecode/PutByIdStatus.cpp:
284         (JSC::PutByIdStatus::computeForStubInfo):
285         (JSC::PutByIdStatus::computeFor):
286         (JSC::PutByIdStatus::dump):
287         * bytecode/PutByIdStatus.h:
288         (JSC::PutByIdStatus::PutByIdStatus):
289         (JSC::PutByIdStatus::takesSlowPath):
290         * bytecode/StructureStubInfo.h:
291         * dfg/DFGAbstractInterpreterInlines.h:
292         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
293         * dfg/DFGByteCodeParser.cpp:
294         (JSC::DFG::ByteCodeParser::emitPutById):
295         (JSC::DFG::ByteCodeParser::handlePutById):
296         * dfg/DFGClobberize.h:
297         (JSC::DFG::clobberize):
298         * dfg/DFGCommon.h:
299         * dfg/DFGConstantFoldingPhase.cpp:
300         (JSC::DFG::ConstantFoldingPhase::foldConstants):
301         * dfg/DFGFixupPhase.cpp:
302         (JSC::DFG::FixupPhase::fixupNode):
303         * dfg/DFGNode.h:
304         (JSC::DFG::Node::hasIdentifier):
305         * dfg/DFGNodeType.h:
306         * dfg/DFGPredictionPropagationPhase.cpp:
307         (JSC::DFG::PredictionPropagationPhase::propagate):
308         * dfg/DFGSafeToExecute.h:
309         (JSC::DFG::safeToExecute):
310         * dfg/DFGSpeculativeJIT.cpp:
311         (JSC::DFG::SpeculativeJIT::compileIn):
312         * dfg/DFGSpeculativeJIT.h:
313         * dfg/DFGSpeculativeJIT32_64.cpp:
314         (JSC::DFG::SpeculativeJIT::cachedGetById):
315         (JSC::DFG::SpeculativeJIT::cachedPutById):
316         (JSC::DFG::SpeculativeJIT::compile):
317         * dfg/DFGSpeculativeJIT64.cpp:
318         (JSC::DFG::SpeculativeJIT::cachedGetById):
319         (JSC::DFG::SpeculativeJIT::cachedPutById):
320         (JSC::DFG::SpeculativeJIT::compile):
321         * ftl/FTLCompile.cpp:
322         (JSC::FTL::fixFunctionBasedOnStackMaps):
323         * jit/CCallHelpers.h:
324         (JSC::CCallHelpers::setupArgumentsWithExecState):
325         * jit/JITInlineCacheGenerator.cpp:
326         (JSC::JITByIdGenerator::JITByIdGenerator):
327         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
328         * jit/JITInlineCacheGenerator.h:
329         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
330         * jit/JITOperations.cpp:
331         * jit/JITOperations.h:
332         * jit/JITPropertyAccess.cpp:
333         (JSC::JIT::emit_op_get_by_id):
334         (JSC::JIT::emit_op_put_by_id):
335         * jit/JITPropertyAccess32_64.cpp:
336         (JSC::JIT::emit_op_get_by_id):
337         (JSC::JIT::emit_op_put_by_id):
338         * jit/Repatch.cpp:
339         (JSC::tryCacheGetByID):
340         (JSC::tryBuildGetByIDList):
341         (JSC::tryCachePutByID):
342         (JSC::tryBuildPutByIdList):
343         * jit/SpillRegistersMode.h: Removed.
344         * llint/LLIntSlowPaths.cpp:
345         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
346         * runtime/Lookup.h:
347         (JSC::putEntry):
348         * runtime/PutPropertySlot.h:
349         (JSC::PutPropertySlot::isCacheable):
350         (JSC::PutPropertySlot::cachedOffset):
351
352 2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>
353
354         Web Inspector: Prevent possible deadlock in view indication
355         https://bugs.webkit.org/show_bug.cgi?id=129766
356
357         Reviewed by Geoffrey Garen.
358
359         * inspector/remote/RemoteInspector.mm:
360         (Inspector::RemoteInspector::receivedIndicateMessage):
361
362 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
363
364         JSObject::fastGetOwnPropertySlot does a slow check for OverridesGetOwnPropertySlot
365         https://bugs.webkit.org/show_bug.cgi?id=129754
366
367         Reviewed by Geoffrey Garen.
368
369         InlineTypeFlags are stored in JSCell, so we can just load those instead of going through the TypeInfo.
370
371         * runtime/JSCell.h:
372         (JSC::JSCell::inlineTypeFlags):
373         * runtime/JSObject.h:
374         (JSC::JSObject::fastGetOwnPropertySlot):
375         * runtime/JSTypeInfo.h:
376         (JSC::TypeInfo::TypeInfo):
377         (JSC::TypeInfo::overridesGetOwnPropertySlot):
378
379 2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>
380
381         Web Inspector: ASSERTION FAILED: m_javaScriptBreakpoints.isEmpty()
382         https://bugs.webkit.org/show_bug.cgi?id=129763
383
384         Reviewed by Geoffrey Garen.
385
386         Clear the list of all breakpoints, including unresolved breakpoints.
387
388         * inspector/agents/InspectorDebuggerAgent.cpp:
389         (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
390
391 2014-03-05  Mark Lam  <mark.lam@apple.com>
392
393         llint_slow_path_check_has_instance() should not adjust PC before accessing operands.
394         <https://webkit.org/b/129768>
395
396         Reviewed by Mark Hahnenberg.
397
398         When evaluating "a instanceof b" where b is an object that ImplementsHasInstance
399         and OverridesHasInstance (e.g. a bound function), the LLINT will take the slow
400         path llint_slow_path_check_has_instance(), and execute a code path that does the
401         following:
402         1. Adjusts the byte code PC to the jump target PC.
403         2. For the purpose of storing the result, get the result registerIndex from the
404            1st operand using the PC as if the PC is still pointing to op_check_has_instance
405            bytecode.
406
407         The result is that whatever value resides after where the jump target PC is will
408         be used as a result register value.  Depending on what that value is, the result
409         can be:
410         1. the code coincidentally works correctly
411         2. memory corruption
412         3. crashes
413
414         The fix is to only adjust the byte code PC after we have stored the result.
415         
416         * llint/LLIntSlowPaths.cpp:
417         (llint_slow_path_check_has_instance):
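
Added illustration, not part of this ChangeLog or of JSC's sources: a minimal C++ model of the slow path above, showing why reading operand 1 after the PC has already been moved to the jump target picks up whatever word happens to sit there. The instruction layout, opcode numbers and register file are constructed for this example.

```cpp
#include <cstddef>
#include <vector>

// Constructed model of the op_check_has_instance slow path described above.
// The operand layout (dst, value, hasInstanceValue, jumpOffset), the opcode
// numbers and the register file are assumptions for this example, not JSC's
// actual bytecode encoding.
enum Opcode { op_check_has_instance = 1, op_mov = 2, op_ret = 3 };

struct Interpreter {
    std::vector<int> code;   // flattened bytecode stream
    std::vector<int> regs;   // virtual register file of the current frame
    std::size_t pc = 0;      // index of the instruction being executed

    int operand(std::size_t n) const { return code[pc + n]; }

    // Models the store into the result register. A register index that lies
    // outside the frame is the "memory corruption / crash" outcome from the
    // entry; here it is reported instead of performed.
    bool store(int reg, int value) {
        if (reg < 0 || static_cast<std::size_t>(reg) >= regs.size())
            return false;
        regs[static_cast<std::size_t>(reg)] = value;
        return true;
    }
};

// Before the fix: pc is moved to the jump target first, so operand 1 is then
// read relative to the target instruction instead of op_check_has_instance.
bool slowPathBeforeFix(Interpreter& in, int result) {
    in.pc += static_cast<std::size_t>(in.operand(4));   // 1. jump
    return in.store(in.operand(1), result);              // 2. wrong operand
}

// After the fix: the result is stored using the current pc, then pc moves.
bool slowPathAfterFix(Interpreter& in, int result) {
    bool ok = in.store(in.operand(1), result);           // 1. store result
    in.pc += static_cast<std::size_t>(in.operand(4));    // 2. jump
    return ok;
}

struct Outcome {
    bool stored;      // whether the write landed in a valid register
    int dstValue;     // contents of the intended result register (r2)
    std::size_t pc;   // pc after the slow path returns
};

// Runs one slow-path call over a constructed stream whose jump target is an
// op_mov whose first operand word is 7, outside the 4-register frame.
Outcome runCheckHasInstance(bool fixed) {
    Interpreter in;
    in.code = {
        op_check_has_instance, 2, 0, 1, 5,  // index 0: dst=r2, value=r0, proto=r1, jump +5
        op_mov, 7, 0,                       // index 5: jump target; word after opcode is 7
        op_ret,
    };
    in.regs.assign(4, 0);
    bool stored = fixed ? slowPathAfterFix(in, 1) : slowPathBeforeFix(in, 1);
    return { stored, in.regs[2], in.pc };
}
```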
418
419 2014-03-05  Ryosuke Niwa  <rniwa@webkit.org>
420
421         Another build fix attempt after r165141.
422
423         * ftl/FTLCompile.cpp:
424         (JSC::FTL::fixFunctionBasedOnStackMaps):
425
426 2014-03-05  Ryosuke Niwa  <rniwa@webkit.org>
427
428         FTL build fix attempt after r165141.
429
430         * ftl/FTLCompile.cpp:
431         (JSC::FTL::fixFunctionBasedOnStackMaps):
432
433 2014-03-05  Gavin Barraclough  <barraclough@apple.com>
434
435         https://bugs.webkit.org/show_bug.cgi?id=128625
436         Add fast mapping from StringImpl to JSString
437
438         Unreviewed roll-out.
439
440         Reverting r164347, r165054, r165066 - not clear the performance tradeoff was right.
441
442         * runtime/JSString.cpp:
443         * runtime/JSString.h:
444         * runtime/VM.cpp:
445         (JSC::VM::createLeaked):
446         * runtime/VM.h:
447
448 2014-03-03  Oliver Hunt  <oliver@apple.com>
449
450         Support caching of custom setters
451         https://bugs.webkit.org/show_bug.cgi?id=129519
452
453         Reviewed by Filip Pizlo.
454
455         This patch adds caching of assignment to properties that
456         are backed by C functions. This provides most of the leg
457         work required to start supporting setters, and resolves
458         the remaining regressions from moving DOM properties up
459         the prototype chain.
460
461         * JavaScriptCore.xcodeproj/project.pbxproj:
462         * bytecode/PolymorphicPutByIdList.cpp:
463         (JSC::PutByIdAccess::visitWeak):
464         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
465         (JSC::PolymorphicPutByIdList::from):
466         * bytecode/PolymorphicPutByIdList.h:
467         (JSC::PutByIdAccess::transition):
468         (JSC::PutByIdAccess::replace):
469         (JSC::PutByIdAccess::customSetter):
470         (JSC::PutByIdAccess::isCustom):
471         (JSC::PutByIdAccess::oldStructure):
472         (JSC::PutByIdAccess::chain):
473         (JSC::PutByIdAccess::stubRoutine):
474         * bytecode/PutByIdStatus.cpp:
475         (JSC::PutByIdStatus::computeForStubInfo):
476         (JSC::PutByIdStatus::computeFor):
477         (JSC::PutByIdStatus::dump):
478         * bytecode/PutByIdStatus.h:
479         (JSC::PutByIdStatus::PutByIdStatus):
480         (JSC::PutByIdStatus::takesSlowPath):
481         (JSC::PutByIdStatus::makesCalls):
482         * bytecode/StructureStubInfo.h:
483         * dfg/DFGAbstractInterpreterInlines.h:
484         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
485         * dfg/DFGByteCodeParser.cpp:
486         (JSC::DFG::ByteCodeParser::emitPutById):
487         (JSC::DFG::ByteCodeParser::handlePutById):
488         * dfg/DFGClobberize.h:
489         (JSC::DFG::clobberize):
490         * dfg/DFGCommon.h:
491         * dfg/DFGConstantFoldingPhase.cpp:
492         (JSC::DFG::ConstantFoldingPhase::foldConstants):
493         * dfg/DFGFixupPhase.cpp:
494         (JSC::DFG::FixupPhase::fixupNode):
495         * dfg/DFGNode.h:
496         (JSC::DFG::Node::hasIdentifier):
497         * dfg/DFGNodeType.h:
498         * dfg/DFGPredictionPropagationPhase.cpp:
499         (JSC::DFG::PredictionPropagationPhase::propagate):
500         * dfg/DFGSafeToExecute.h:
501         (JSC::DFG::safeToExecute):
502         * dfg/DFGSpeculativeJIT.cpp:
503         (JSC::DFG::SpeculativeJIT::compileIn):
504         * dfg/DFGSpeculativeJIT.h:
505         * dfg/DFGSpeculativeJIT32_64.cpp:
506         (JSC::DFG::SpeculativeJIT::cachedGetById):
507         (JSC::DFG::SpeculativeJIT::cachedPutById):
508         (JSC::DFG::SpeculativeJIT::compile):
509         * dfg/DFGSpeculativeJIT64.cpp:
510         (JSC::DFG::SpeculativeJIT::cachedGetById):
511         (JSC::DFG::SpeculativeJIT::cachedPutById):
512         (JSC::DFG::SpeculativeJIT::compile):
513         * jit/CCallHelpers.h:
514         (JSC::CCallHelpers::setupArgumentsWithExecState):
515         * jit/JITInlineCacheGenerator.cpp:
516         (JSC::JITByIdGenerator::JITByIdGenerator):
517         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
518         * jit/JITInlineCacheGenerator.h:
519         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
520         * jit/JITOperations.cpp:
521         * jit/JITOperations.h:
522         * jit/JITPropertyAccess.cpp:
523         (JSC::JIT::emit_op_get_by_id):
524         (JSC::JIT::emit_op_put_by_id):
525         * jit/JITPropertyAccess32_64.cpp:
526         (JSC::JIT::emit_op_get_by_id):
527         (JSC::JIT::emit_op_put_by_id):
528         * jit/Repatch.cpp:
529         (JSC::tryCacheGetByID):
530         (JSC::tryBuildGetByIDList):
531         (JSC::emitCustomSetterStub):
532         (JSC::tryCachePutByID):
533         (JSC::tryBuildPutByIdList):
534         * jit/SpillRegistersMode.h: Added.
535         * llint/LLIntSlowPaths.cpp:
536         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
537         * runtime/Lookup.h:
538         (JSC::putEntry):
539         * runtime/PutPropertySlot.h:
540         (JSC::PutPropertySlot::setCacheableCustomProperty):
541         (JSC::PutPropertySlot::customSetter):
542         (JSC::PutPropertySlot::isCacheablePut):
543         (JSC::PutPropertySlot::isCacheableCustomProperty):
544         (JSC::PutPropertySlot::cachedOffset):
545
546 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
547
548         JSCell::m_gcData should encode its information differently
549         https://bugs.webkit.org/show_bug.cgi?id=129741
550
551         Reviewed by Geoffrey Garen.
552
553         We want to keep track of three GC states for an object:
554
555         1. Not marked (which implies not in the remembered set)
556         2. Marked but not in the remembered set
557         3. Marked and in the remembered set
558         
559         Currently we only indicate marked vs. not marked in JSCell::m_gcData. During a write 
560         barrier, we only want to take the slow path if the object being stored to is in state #2. 
561         We'd like to make the test for state #2 as fast as possible, which means making it a 
562         compare against 0.
563
564         * dfg/DFGOSRExitCompilerCommon.cpp:
565         (JSC::DFG::osrWriteBarrier):
566         * dfg/DFGSpeculativeJIT.cpp:
567         (JSC::DFG::SpeculativeJIT::checkMarkByte):
568         (JSC::DFG::SpeculativeJIT::writeBarrier):
569         * dfg/DFGSpeculativeJIT.h:
570         * dfg/DFGSpeculativeJIT32_64.cpp:
571         (JSC::DFG::SpeculativeJIT::writeBarrier):
572         * dfg/DFGSpeculativeJIT64.cpp:
573         (JSC::DFG::SpeculativeJIT::writeBarrier):
574         * ftl/FTLLowerDFGToLLVM.cpp:
575         (JSC::FTL::LowerDFGToLLVM::allocateCell):
576         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
577         * heap/Heap.cpp:
578         (JSC::Heap::clearRememberedSet):
579         (JSC::Heap::addToRememberedSet):
580         * jit/AssemblyHelpers.h:
581         (JSC::AssemblyHelpers::checkMarkByte):
582         * jit/JIT.h:
583         * jit/JITPropertyAccess.cpp:
584         (JSC::JIT::checkMarkByte):
585         (JSC::JIT::emitWriteBarrier):
586         * jit/Repatch.cpp:
587         (JSC::writeBarrier):
588         * llint/LowLevelInterpreter.asm:
589         * llint/LowLevelInterpreter32_64.asm:
590         * llint/LowLevelInterpreter64.asm:
591         * runtime/JSCell.h:
592         (JSC::JSCell::mark):
593         (JSC::JSCell::remember):
594         (JSC::JSCell::forget):
595         (JSC::JSCell::isMarked):
596         (JSC::JSCell::isRemembered):
597         * runtime/JSCellInlines.h:
598         (JSC::JSCell::JSCell):
599         * runtime/StructureIDBlob.h:
600         (JSC::StructureIDBlob::StructureIDBlob):
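
Added illustration, not part of this ChangeLog or of JSC's sources: a C++ model of the three-state encoding above, with the barrier's fast-path test reduced to a compare of the gc byte against zero. The numeric values of the states and the helper names are assumptions for this example.

```cpp
#include <cstdint>
#include <vector>

// Constructed model of the three GC states described above. The numeric
// encoding is an assumption for this example: state #2 (marked, not in the
// remembered set) is given the value 0 so that the barrier's fast-path test
// is a single compare of the byte against zero.
enum GCState : std::uint8_t {
    Marked = 0,               // #2: marked but not in the remembered set
    NotMarked = 1,            // #1: not marked, hence not remembered either
    MarkedAndRemembered = 2,  // #3: marked and already in the remembered set
};

struct Cell {
    std::uint8_t gcData = NotMarked;   // one byte, like JSCell::m_gcData

    void mark() { gcData = Marked; }
    void remember() { gcData = MarkedAndRemembered; }
    void forget() { gcData = Marked; }     // remembered set was cleared
    bool isMarked() const { return gcData != NotMarked; }
    bool isRemembered() const { return gcData == MarkedAndRemembered; }
};

struct Heap {
    std::vector<Cell*> rememberedSet;
    int slowPathCalls = 0;

    void addToRememberedSet(Cell* cell) {
        cell->remember();
        rememberedSet.push_back(cell);
    }
    void clearRememberedSet() {
        for (Cell* cell : rememberedSet)
            cell->forget();
        rememberedSet.clear();
    }
};

// The inline test emitted before a heap store: with the encoding above it is
// "take the slow path if the gc byte is zero", nothing more.
inline bool barrierNeedsSlowPath(const Cell* target) {
    return target->gcData == 0;
}

inline void writeBarrier(Heap& heap, Cell* target) {
    if (!barrierNeedsSlowPath(target))
        return;                            // fast path: states #1 and #3
    heap.slowPathCalls++;                  // slow path: state #2 only
    heap.addToRememberedSet(target);
}

// Walks one object through the states and returns how many times the slow
// path was taken: once on the first store after marking, once on the first
// store after the remembered set is cleared.
int countSlowPaths() {
    Heap heap;
    Cell object;                           // freshly allocated: NotMarked
    writeBarrier(heap, &object);           // fast path
    object.mark();                         // survived a collection
    writeBarrier(heap, &object);           // slow path, now remembered
    writeBarrier(heap, &object);           // fast path
    heap.clearRememberedSet();             // back to Marked
    writeBarrier(heap, &object);           // slow path again
    return heap.slowPathCalls;
}
```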
601
602 2014-03-05  Filip Pizlo  <fpizlo@apple.com>
603
604         More FTL ARM fixes
605         https://bugs.webkit.org/show_bug.cgi?id=129755
606
607         Reviewed by Geoffrey Garen.
608         
609         - Be more defensive about inline caches that have degenerate chains.
610         
611         - Temporarily switch to allocating all MCJIT memory in the executable pool on non-x86
612           platforms. The bug tracking the real fix is: https://bugs.webkit.org/show_bug.cgi?id=129756
613         
614         - Don't even emit intrinsic declarations on non-x86 platforms.
615         
616         - More debug printing support.
617         
618         - Don't use vmCall() in the prologue. This should have crashed on all platforms all the time
619           but somehow it gets lucky on x86.
620
621         * bytecode/GetByIdStatus.cpp:
622         (JSC::GetByIdStatus::appendVariant):
623         (JSC::GetByIdStatus::computeForChain):
624         (JSC::GetByIdStatus::computeForStubInfo):
625         * bytecode/GetByIdStatus.h:
626         * bytecode/PutByIdStatus.cpp:
627         (JSC::PutByIdStatus::appendVariant):
628         (JSC::PutByIdStatus::computeForStubInfo):
629         * bytecode/PutByIdStatus.h:
630         * bytecode/StructureSet.h:
631         (JSC::StructureSet::overlaps):
632         * ftl/FTLCompile.cpp:
633         (JSC::FTL::mmAllocateDataSection):
634         * ftl/FTLDataSection.cpp:
635         (JSC::FTL::DataSection::DataSection):
636         (JSC::FTL::DataSection::~DataSection):
637         * ftl/FTLDataSection.h:
638         * ftl/FTLLowerDFGToLLVM.cpp:
639         (JSC::FTL::LowerDFGToLLVM::lower):
640         * ftl/FTLOutput.h:
641         (JSC::FTL::Output::doubleSin):
642         (JSC::FTL::Output::doubleCos):
643         * runtime/JSCJSValue.cpp:
644         (JSC::JSValue::dumpInContext):
645         * runtime/JSCell.h:
646         (JSC::JSCell::structureID):
647
648 2014-03-05  peavo@outlook.com  <peavo@outlook.com>
649
650         [Win32][LLINT] Crash when running JSC stress tests.
651         https://bugs.webkit.org/show_bug.cgi?id=129429
652
653         On Windows the reserved stack space consists of committed memory, a guard page, and uncommitted memory,
654         where the guard page is a barrier between committed and uncommitted memory.
655         When data from the guard page is read or written, the guard page is moved, and memory is committed.
656         This is how the system grows the stack.
657         When using the C stack on Windows we need to precommit the needed stack space.
658         Otherwise we might crash later if we access uncommitted stack memory.
659         This can happen if we allocate stack space larger than the page guard size (4K).
660         The system does not get the chance to move the guard page, and commit more memory,
661         and we crash if uncommitted memory is accessed.
662         The MSVC compiler fixes this by inserting a call to the _chkstk() function,
663         when needed, see http://support.microsoft.com/kb/100775.
664
665         Reviewed by Geoffrey Garen.
666
667         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Enable LLINT.
668         * jit/Repatch.cpp:
669         (JSC::writeBarrier): Compile fix when DFG_JIT is not enabled.
670         * offlineasm/x86.rb: Compile fix, and small simplification.
671         * runtime/VM.cpp:
672         (JSC::preCommitStackMemory): Added function to precommit stack memory.
673         (JSC::VM::updateStackLimit): Call function to precommit stack memory when stack limit is updated.
674
675 2014-03-05  Michael Saboff  <msaboff@apple.com>
676
677         JSDataViewPrototype::getData() and setData() crash on platforms that don't allow unaligned accesses
678         https://bugs.webkit.org/show_bug.cgi?id=129746
679
680         Reviewed by Filip Pizlo.
681
682         Changed to use a union to manually assemble or disassemble the various types
683         from / to the corresponding bytes.  All memory access is now done using
684         byte accesses.
685
686         * runtime/JSDataViewPrototype.cpp:
687         (JSC::getData):
688         (JSC::setData):
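
Added illustration, not part of this ChangeLog or of JSC's sources: C++ getData/setData templates that assemble and disassemble a value through a union of T and its bytes, so that every access to the backing buffer is a single-byte load or store and the buffer's alignment no longer matters. The buffer type, the bounds check and the endianness parameter are assumptions for this example, which goes slightly beyond the entry by also showing the out-of-range rejection.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Constructed model of the byte-wise getData/setData described above. The
// union-based assembly mirrors what the entry says; the buffer type, the
// bounds-check policy and the function shapes are assumptions for this example.
struct DataView {
    std::vector<std::uint8_t> buffer;   // backing store, no alignment guarantee
};

// Overlays a value of type T with its constituent bytes so a value can be
// assembled or disassembled without ever issuing a load or store wider than
// one byte at the (possibly unaligned) buffer offset.
template <typename T>
union ByteOverlay {
    T value;
    std::uint8_t bytes[sizeof(T)];
};

inline bool hostIsLittleEndian() {
    ByteOverlay<std::uint16_t> probe;
    probe.value = 1;
    return probe.bytes[0] == 1;
}

// Rejects accesses whose last byte falls past the end of the buffer. The
// subtraction form cannot overflow for large byteOffset values.
inline void checkBounds(const DataView& view, std::size_t byteOffset, std::size_t width) {
    if (byteOffset > view.buffer.size() || width > view.buffer.size() - byteOffset)
        throw std::out_of_range("DataView access past end of buffer");
}

template <typename T>
T getData(const DataView& view, std::size_t byteOffset, bool littleEndian) {
    checkBounds(view, byteOffset, sizeof(T));
    const bool reverse = littleEndian != hostIsLittleEndian();
    ByteOverlay<T> out;
    for (std::size_t i = 0; i < sizeof(T); ++i) {
        std::size_t dst = reverse ? sizeof(T) - 1 - i : i;
        out.bytes[dst] = view.buffer[byteOffset + i];   // one-byte access only
    }
    return out.value;
}

template <typename T>
void setData(DataView& view, std::size_t byteOffset, T value, bool littleEndian) {
    checkBounds(view, byteOffset, sizeof(T));
    const bool reverse = littleEndian != hostIsLittleEndian();
    ByteOverlay<T> in;
    in.value = value;
    for (std::size_t i = 0; i < sizeof(T); ++i) {
        std::size_t src = reverse ? sizeof(T) - 1 - i : i;
        view.buffer[byteOffset + i] = in.bytes[src];     // one-byte access only
    }
}

// Returns true if a read of T at byteOffset is rejected by the bounds check.
template <typename T>
bool accessIsRejected(const DataView& view, std::size_t byteOffset) {
    try {
        (void)getData<T>(view, byteOffset, true);
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}
```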
689
690 2014-03-05  Filip Pizlo  <fpizlo@apple.com>
691
692         FTL loadStructure always generates invalid IR
693         https://bugs.webkit.org/show_bug.cgi?id=129747
694
695         Reviewed by Mark Hahnenberg.
696
697         As the comment at the top of FTL::Output states, the FTL doesn't use LLVM's notion
698         of pointers. LLVM's notion of pointers tries to model C, in the sense that you have
699         to have a pointer to a type, and you can only load things of that type from that
700         pointer. Pointer arithmetic is basically not possible except through the bizarre
701         getelementptr operator. This doesn't fit with how the JS object model works since
702         the JS object model doesn't consist of nice and tidy C types placed in C arrays.
703         Also, it would be impossible to use getelementptr and LLVM pointers for accessing
704         any of JSC's C or C++ objects unless we went through the exercise of redeclaring
705         all of our fundamental data structures in LLVM IR as LLVM types. Clang could do
706         this for us, but that would require that to use the FTL, JSC itself would have to
707         be compiled with clang. Worse, it would have to be compiled with a clang that uses
708         a version of LLVM that is compatible with the one against which the FTL is linked.
709         Yuck!
710
711         The solution is to NEVER use LLVM pointers. This has always been the case in the
712         FTL. But it causes some confusion.
713         
714         Not using LLVM pointers means that if the FTL has a "pointer", it's actually a
715         pointer-wide integer (m_out.intPtr in FTL-speak). The act of "loading" and
716         "storing" from or to a pointer involves first bitcasting the intPtr to a real LLVM
717         pointer that has the type that we want. The load and store operations over pointers
718         are called Output::load* and Output::store*, where * is one of "8", "16", "32",
719         "64", "Ptr", "Float", or "Double".
720         
721         There is unavoidable confusion here. It would be bizarre for the FTL to call its
722         "pointer-wide integers" anything other than "pointers", since they are, in all
723         respects that we care about, simply pointers. But they are *not* LLVM pointers and
724         they never will be that.
725         
726         There is one exception to this "no pointers" rule. The FTL does use actual LLVM
727         pointers for referring to LLVM alloca's - i.e. local variables. To try to reduce
728         confusion, we call these "references". So an "FTL reference" is actually an "LLVM
729         pointer", while an "FTL pointer" is actually an "LLVM integer". FTL references have
730         methods for access called Output::get and Output::set. These lower to LLVM load
731         and store, since FTL references are just LLVM pointers.
732         
733         This confusion appears to have led to incorrect code in loadStructure().
734         loadStructure() was using get() and set() to access FTL pointers. But those methods
735         don't work on FTL pointers and never will, since they are for FTL references.
736         
737         The worst part of this is that it was previously impossible to have test coverage
738         for the relevant path (MasqueradesAsUndefined) without writing a DRT test. This
739         patch fixes this by introducing a Masquerader object to jsc.cpp.
740         
741         * ftl/FTLAbstractHeapRepository.h: Add an abstract heap for the structure table.
742         * ftl/FTLLowerDFGToLLVM.cpp:
743         (JSC::FTL::LowerDFGToLLVM::loadStructure): This was wrong.
744         * ftl/FTLOutput.h: Add a comment to dissuade people from using get() and set().
745         * jsc.cpp: Give us the power to test for MasqueradesAsUndefined.
746         (WTF::Masquerader::Masquerader):
747         (WTF::Masquerader::create):
748         (WTF::Masquerader::createStructure):
749         (GlobalObject::finishCreation):
750         (functionMakeMasquerader):
751         * tests/stress/equals-masquerader.js: Added.
752         (foo):
753         (test):
754
755 2014-03-05  Anders Carlsson  <andersca@apple.com>
756
757         Tweak after r165109 to avoid extra copies
758         https://bugs.webkit.org/show_bug.cgi?id=129745
759
760         Reviewed by Geoffrey Garen.
761
762         * heap/Heap.cpp:
763         (JSC::Heap::visitProtectedObjects):
764         (JSC::Heap::visitTempSortVectors):
765         (JSC::Heap::clearRememberedSet):
766         * heap/Heap.h:
767         (JSC::Heap::forEachProtectedCell):
768
769 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
770
771         DFGStoreBarrierElisionPhase should use GCState directly instead of m_gcClobberSet when calling writesOverlap()
772         https://bugs.webkit.org/show_bug.cgi?id=129717
773
774         Reviewed by Filip Pizlo.
775
776         * dfg/DFGStoreBarrierElisionPhase.cpp:
777         (JSC::DFG::StoreBarrierElisionPhase::StoreBarrierElisionPhase):
778         (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC):
779
780 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
781
782         Use range-based loops where possible in Heap methods
783         https://bugs.webkit.org/show_bug.cgi?id=129513
784
785         Reviewed by Mark Lam.
786
787         Replace old school iterator based loops with the new range-based loop hotness
788         for a better tomorrow.
789
790         * heap/CodeBlockSet.cpp:
791         (JSC::CodeBlockSet::~CodeBlockSet):
792         (JSC::CodeBlockSet::clearMarks):
793         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
794         (JSC::CodeBlockSet::traceMarked):
795         * heap/Heap.cpp:
796         (JSC::Heap::visitProtectedObjects):
797         (JSC::Heap::visitTempSortVectors):
798         (JSC::Heap::clearRememberedSet):
799         * heap/Heap.h:
800         (JSC::Heap::forEachProtectedCell):
801
802 2014-03-04  Filip Pizlo  <fpizlo@apple.com>
803
804         DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
805         https://bugs.webkit.org/show_bug.cgi?id=129563
806
807         Reviewed by Geoffrey Garen.
808         
809         Rolling this back in after fixing an assertion failure. speculateMisc() should have
810         said DFG_TYPE_CHECK instead of typeCheck.
811         
812         This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
813         when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
814         user of this was EarleyBoyer, and in that benchmark what it was really doing was
815         comparing undefined, null, and booleans to each other.
816         
817         This also adds support for miscellaneous things that I needed to make my various test
818         cases work. This includes comparison over booleans and the various Throw-related node
819         types.
820         
821         This also improves constant folding of CompareStrictEq and CompareEq.
822         
823         Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
824         based on profiling, which caused some downstream badness. We don't actually support
825         compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
826         emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
827         shouldn't factor out the bounds check since the access is not InBounds but then the
828         backend would ignore the flag and assume that the bounds check was already emitted.
829         This showed up on an existing test but I added a test for this explicitly to have more
830         certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
831         that we'll have a bounds check anyway.
832         
833         This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
834         general progressions across the board. No speed-up yet on EarleyBoyer, since there is
835         still a lot more coverage work to be done there.
836
837         * bytecode/SpeculatedType.cpp:
838         (JSC::speculationToAbbreviatedString):
839         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
840         (JSC::valuesCouldBeEqual):
841         * bytecode/SpeculatedType.h:
842         (JSC::isMiscSpeculation):
843         * dfg/DFGAbstractInterpreterInlines.h:
844         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
845         * dfg/DFGArrayMode.cpp:
846         (JSC::DFG::ArrayMode::refine):
847         * dfg/DFGArrayMode.h:
848         * dfg/DFGFixupPhase.cpp:
849         (JSC::DFG::FixupPhase::fixupNode):
850         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
851         * dfg/DFGNode.h:
852         (JSC::DFG::Node::shouldSpeculateMisc):
853         * dfg/DFGSafeToExecute.h:
854         (JSC::DFG::SafeToExecuteEdge::operator()):
855         * dfg/DFGSpeculativeJIT.cpp:
856         (JSC::DFG::SpeculativeJIT::compileStrictEq):
857         (JSC::DFG::SpeculativeJIT::speculateMisc):
858         (JSC::DFG::SpeculativeJIT::speculate):
859         * dfg/DFGSpeculativeJIT.h:
860         * dfg/DFGSpeculativeJIT32_64.cpp:
861         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
862         * dfg/DFGSpeculativeJIT64.cpp:
863         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
864         * dfg/DFGUseKind.cpp:
865         (WTF::printInternal):
866         * dfg/DFGUseKind.h:
867         (JSC::DFG::typeFilterFor):
868         * ftl/FTLCapabilities.cpp:
869         (JSC::FTL::canCompile):
870         * ftl/FTLLowerDFGToLLVM.cpp:
871         (JSC::FTL::LowerDFGToLLVM::compileNode):
872         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
873         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
874         (JSC::FTL::LowerDFGToLLVM::compileThrow):
875         (JSC::FTL::LowerDFGToLLVM::isNotMisc):
876         (JSC::FTL::LowerDFGToLLVM::isMisc):
877         (JSC::FTL::LowerDFGToLLVM::speculate):
878         (JSC::FTL::LowerDFGToLLVM::speculateMisc):
879         * tests/stress/float32-array-out-of-bounds.js: Added.
880         * tests/stress/weird-equality-folding-cases.js: Added.
881
882 2014-03-04  Commit Queue  <commit-queue@webkit.org>
883
884         Unreviewed, rolling out r165085.
885         http://trac.webkit.org/changeset/165085
886         https://bugs.webkit.org/show_bug.cgi?id=129729
887
888         Broke imported/w3c/html-templates/template-element/template-
889         content.html (Requested by ap on #webkit).
890
891         * bytecode/SpeculatedType.cpp:
892         (JSC::speculationToAbbreviatedString):
893         * bytecode/SpeculatedType.h:
894         * dfg/DFGAbstractInterpreterInlines.h:
895         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
896         * dfg/DFGArrayMode.cpp:
897         (JSC::DFG::ArrayMode::refine):
898         * dfg/DFGArrayMode.h:
899         * dfg/DFGFixupPhase.cpp:
900         (JSC::DFG::FixupPhase::fixupNode):
901         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
902         * dfg/DFGNode.h:
903         (JSC::DFG::Node::shouldSpeculateBoolean):
904         * dfg/DFGSafeToExecute.h:
905         (JSC::DFG::SafeToExecuteEdge::operator()):
906         * dfg/DFGSpeculativeJIT.cpp:
907         (JSC::DFG::SpeculativeJIT::compileStrictEq):
908         (JSC::DFG::SpeculativeJIT::speculate):
909         * dfg/DFGSpeculativeJIT.h:
910         * dfg/DFGSpeculativeJIT32_64.cpp:
911         * dfg/DFGSpeculativeJIT64.cpp:
912         * dfg/DFGUseKind.cpp:
913         (WTF::printInternal):
914         * dfg/DFGUseKind.h:
915         (JSC::DFG::typeFilterFor):
916         * ftl/FTLCapabilities.cpp:
917         (JSC::FTL::canCompile):
918         * ftl/FTLLowerDFGToLLVM.cpp:
919         (JSC::FTL::LowerDFGToLLVM::compileNode):
920         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
921         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
922         (JSC::FTL::LowerDFGToLLVM::speculate):
923         * tests/stress/float32-array-out-of-bounds.js: Removed.
924         * tests/stress/weird-equality-folding-cases.js: Removed.
925
926 2014-03-04  Brian Burg  <bburg@apple.com>
927
928         Inspector does not restore breakpoints after a page reload
929         https://bugs.webkit.org/show_bug.cgi?id=129655
930
931         Reviewed by Joseph Pecoraro.
932
933         Fix a regression introduced by r162096 that erroneously removed
934         the inspector backend's mapping of files to breakpoints whenever the
935         global object was cleared.
936
937         The inspector's breakpoint mappings should only be cleared when the
938         debugger agent is disabled or destroyed. We should only clear the
939         debugger's breakpoint state when the global object is cleared.
940
941         To make it clearer what state is being cleared, the two cases have
942         been split into separate methods.
943
944         * inspector/agents/InspectorDebuggerAgent.cpp:
945         (Inspector::InspectorDebuggerAgent::disable):
946         (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
947         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
948         (Inspector::InspectorDebuggerAgent::didClearGlobalObject):
949         * inspector/agents/InspectorDebuggerAgent.h:
950
951 2014-03-04  Andreas Kling  <akling@apple.com>
952
953         Streamline JSValue::get().
954         <https://webkit.org/b/129720>
955
956         Fetch each Structure and VM only once when walking the prototype chain
957         in JSObject::getPropertySlot(), then pass it along to the functions
958         we call from there, so they don't have to re-fetch it.
959
960         Reviewed by Geoff Garen.
961
962         * runtime/JSObject.h:
963         (JSC::JSObject::inlineGetOwnPropertySlot):
964         (JSC::JSObject::fastGetOwnPropertySlot):
965         (JSC::JSObject::getPropertySlot):
966
967 2014-03-01  Filip Pizlo  <fpizlo@apple.com>
968
969         DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
970         https://bugs.webkit.org/show_bug.cgi?id=129563
971
972         Reviewed by Geoffrey Garen.
973         
974         This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
975         when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
976         user of this was EarleyBoyer, and in that benchmark what it was really doing was
977         comparing undefined, null, and booleans to each other.
978         
979         This also adds support for miscellaneous things that I needed to make my various test
980         cases work. This includes comparison over booleans and the various Throw-related node
981         types.
982         
983         This also improves constant folding of CompareStrictEq and CompareEq.
984         
985         Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
986         based on profiling, which caused some downstream badness. We don't actually support
987         compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
988         emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
989         shouldn't factor out the bounds check since the access is not InBounds but then the
990         backend would ignore the flag and assume that the bounds check was already emitted.
991         This showed up on an existing test but I added a test for this explicitly to have more
992         certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
993         that we'll have a bounds check anyway.
994         
995         This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
996         general progressions across the board. No speed-up yet on EarleyBoyer, since there is
997         still a lot more coverage work to be done there.
998
999         * bytecode/SpeculatedType.cpp:
1000         (JSC::speculationToAbbreviatedString):
1001         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
1002         (JSC::valuesCouldBeEqual):
1003         * bytecode/SpeculatedType.h:
1004         (JSC::isMiscSpeculation):
1005         * dfg/DFGAbstractInterpreterInlines.h:
1006         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1007         * dfg/DFGFixupPhase.cpp:
1008         (JSC::DFG::FixupPhase::fixupNode):
1009         * dfg/DFGNode.h:
1010         (JSC::DFG::Node::shouldSpeculateMisc):
1011         * dfg/DFGSafeToExecute.h:
1012         (JSC::DFG::SafeToExecuteEdge::operator()):
1013         * dfg/DFGSpeculativeJIT.cpp:
1014         (JSC::DFG::SpeculativeJIT::compileStrictEq):
1015         (JSC::DFG::SpeculativeJIT::speculateMisc):
1016         (JSC::DFG::SpeculativeJIT::speculate):
1017         * dfg/DFGSpeculativeJIT.h:
1018         * dfg/DFGSpeculativeJIT32_64.cpp:
1019         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
1020         * dfg/DFGSpeculativeJIT64.cpp:
1021         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
1022         * dfg/DFGUseKind.cpp:
1023         (WTF::printInternal):
1024         * dfg/DFGUseKind.h:
1025         (JSC::DFG::typeFilterFor):
1026         * ftl/FTLCapabilities.cpp:
1027         (JSC::FTL::canCompile):
1028         * ftl/FTLLowerDFGToLLVM.cpp:
1029         (JSC::FTL::LowerDFGToLLVM::compileNode):
1030         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
1031         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
1032         (JSC::FTL::LowerDFGToLLVM::compileThrow):
1033         (JSC::FTL::LowerDFGToLLVM::isNotMisc):
1034         (JSC::FTL::LowerDFGToLLVM::isMisc):
1035         (JSC::FTL::LowerDFGToLLVM::speculate):
1036         (JSC::FTL::LowerDFGToLLVM::speculateMisc):
1037         * tests/stress/float32-array-out-of-bounds.js: Added.
1038         * tests/stress/weird-equality-folding-cases.js: Added.
1039
1040 2014-03-04  Andreas Kling  <akling@apple.com>
1041
1042         Spam static branch prediction hints on JS bindings.
1043         <https://webkit.org/b/129703>
1044
1045         Add LIKELY hint to jsDynamicCast since it's always used in a context
1046         where we expect it to succeed and takes an error path when it doesn't.
1047
1048         Reviewed by Geoff Garen.
1049
1050         * runtime/JSCell.h:
1051         (JSC::jsDynamicCast):
1052
1053 2014-03-04  Andreas Kling  <akling@apple.com>
1054
1055         Get to Structures more efficiently in JSCell::methodTable().
1056         <https://webkit.org/b/129702>
1057
1058         In JSCell::methodTable(), get the VM once and pass that along to
1059         structure(VM&) instead of using the heavier structure().
1060
1061         In JSCell::methodTable(VM&), replace calls to structure() with
1062         calls to structure(VM&).
1063
1064         Reviewed by Mark Hahnenberg.
1065
1066         * runtime/JSCellInlines.h:
1067         (JSC::JSCell::methodTable):
1068
1069 2014-03-04  Joseph Pecoraro  <pecoraro@apple.com>
1070
1071         Web Inspector: Listen for the XPC_ERROR_CONNECTION_INVALID event to deref
1072         https://bugs.webkit.org/show_bug.cgi?id=129697
1073
1074         Reviewed by Timothy Hatcher.
1075
1076         * inspector/remote/RemoteInspectorXPCConnection.mm:
1077         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
1078         (Inspector::RemoteInspectorXPCConnection::handleEvent):
1079
1080 2014-03-04  Mark Hahnenberg  <mhahnenberg@apple.com>
1081
1082         Merge API shims and JSLock
1083         https://bugs.webkit.org/show_bug.cgi?id=129650
1084
1085         Reviewed by Mark Lam.
1086
1087         JSLock is now taking on all of APIEntryShim's responsibilities since there is never a reason 
1088         to take just the JSLock. Ditto for DropAllLocks and APICallbackShim.
1089
1090         * API/APICallbackFunction.h:
1091         (JSC::APICallbackFunction::call):
1092         (JSC::APICallbackFunction::construct):
1093         * API/APIShims.h: Removed.
1094         * API/JSBase.cpp:
1095         (JSEvaluateScript):
1096         (JSCheckScriptSyntax):
1097         (JSGarbageCollect):
1098         (JSReportExtraMemoryCost):
1099         (JSSynchronousGarbageCollectForDebugging):
1100         * API/JSCallbackConstructor.cpp:
1101         * API/JSCallbackFunction.cpp:
1102         * API/JSCallbackObjectFunctions.h:
1103         (JSC::JSCallbackObject<Parent>::init):
1104         (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
1105         (JSC::JSCallbackObject<Parent>::put):
1106         (JSC::JSCallbackObject<Parent>::putByIndex):
1107         (JSC::JSCallbackObject<Parent>::deleteProperty):
1108         (JSC::JSCallbackObject<Parent>::construct):
1109         (JSC::JSCallbackObject<Parent>::customHasInstance):
1110         (JSC::JSCallbackObject<Parent>::call):
1111         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
1112         (JSC::JSCallbackObject<Parent>::getStaticValue):
1113         (JSC::JSCallbackObject<Parent>::callbackGetter):
1114         * API/JSContext.mm:
1115         (-[JSContext setException:]):
1116         (-[JSContext wrapperForObjCObject:]):
1117         (-[JSContext wrapperForJSObject:]):
1118         * API/JSContextRef.cpp:
1119         (JSContextGroupRelease):
1120         (JSContextGroupSetExecutionTimeLimit):
1121         (JSContextGroupClearExecutionTimeLimit):
1122         (JSGlobalContextCreateInGroup):
1123         (JSGlobalContextRetain):
1124         (JSGlobalContextRelease):
1125         (JSContextGetGlobalObject):
1126         (JSContextGetGlobalContext):
1127         (JSGlobalContextCopyName):
1128         (JSGlobalContextSetName):
1129         * API/JSManagedValue.mm:
1130         (-[JSManagedValue value]):
1131         * API/JSObjectRef.cpp:
1132         (JSObjectMake):
1133         (JSObjectMakeFunctionWithCallback):
1134         (JSObjectMakeConstructor):
1135         (JSObjectMakeFunction):
1136         (JSObjectMakeArray):
1137         (JSObjectMakeDate):
1138         (JSObjectMakeError):
1139         (JSObjectMakeRegExp):
1140         (JSObjectGetPrototype):
1141         (JSObjectSetPrototype):
1142         (JSObjectHasProperty):
1143         (JSObjectGetProperty):
1144         (JSObjectSetProperty):
1145         (JSObjectGetPropertyAtIndex):
1146         (JSObjectSetPropertyAtIndex):
1147         (JSObjectDeleteProperty):
1148         (JSObjectGetPrivateProperty):
1149         (JSObjectSetPrivateProperty):
1150         (JSObjectDeletePrivateProperty):
1151         (JSObjectIsFunction):
1152         (JSObjectCallAsFunction):
1153         (JSObjectCallAsConstructor):
1154         (JSObjectCopyPropertyNames):
1155         (JSPropertyNameArrayRelease):
1156         (JSPropertyNameAccumulatorAddName):
1157         * API/JSScriptRef.cpp:
1158         * API/JSValue.mm:
1159         (isDate):
1160         (isArray):
1161         (containerValueToObject):
1162         (valueToArray):
1163         (valueToDictionary):
1164         (objectToValue):
1165         * API/JSValueRef.cpp:
1166         (JSValueGetType):
1167         (JSValueIsUndefined):
1168         (JSValueIsNull):
1169         (JSValueIsBoolean):
1170         (JSValueIsNumber):
1171         (JSValueIsString):
1172         (JSValueIsObject):
1173         (JSValueIsObjectOfClass):
1174         (JSValueIsEqual):
1175         (JSValueIsStrictEqual):
1176         (JSValueIsInstanceOfConstructor):
1177         (JSValueMakeUndefined):
1178         (JSValueMakeNull):
1179         (JSValueMakeBoolean):
1180         (JSValueMakeNumber):
1181         (JSValueMakeString):
1182         (JSValueMakeFromJSONString):
1183         (JSValueCreateJSONString):
1184         (JSValueToBoolean):
1185         (JSValueToNumber):
1186         (JSValueToStringCopy):
1187         (JSValueToObject):
1188         (JSValueProtect):
1189         (JSValueUnprotect):
1190         * API/JSVirtualMachine.mm:
1191         (-[JSVirtualMachine addManagedReference:withOwner:]):
1192         (-[JSVirtualMachine removeManagedReference:withOwner:]):
1193         * API/JSWeakObjectMapRefPrivate.cpp:
1194         * API/JSWrapperMap.mm:
1195         (constructorHasInstance):
1196         (makeWrapper):
1197         (tryUnwrapObjcObject):
1198         * API/ObjCCallbackFunction.mm:
1199         (JSC::objCCallbackFunctionCallAsFunction):
1200         (JSC::objCCallbackFunctionCallAsConstructor):
1201         (objCCallbackFunctionForInvocation):
1202         * CMakeLists.txt:
1203         * ForwardingHeaders/JavaScriptCore/APIShims.h: Removed.
1204         * GNUmakefile.list.am:
1205         * JavaScriptCore.xcodeproj/project.pbxproj:
1206         * dfg/DFGWorklist.cpp:
1207         * heap/DelayedReleaseScope.h:
1208         (JSC::DelayedReleaseScope::~DelayedReleaseScope):
1209         * heap/HeapTimer.cpp:
1210         (JSC::HeapTimer::timerDidFire):
1211         (JSC::HeapTimer::timerEvent):
1212         * heap/IncrementalSweeper.cpp:
1213         * inspector/InjectedScriptModule.cpp:
1214         (Inspector::InjectedScriptModule::ensureInjected):
1215         * jsc.cpp:
1216         (jscmain):
1217         * runtime/GCActivityCallback.cpp:
1218         (JSC::DefaultGCActivityCallback::doWork):
1219         * runtime/JSGlobalObjectDebuggable.cpp:
1220         (JSC::JSGlobalObjectDebuggable::connect):
1221         (JSC::JSGlobalObjectDebuggable::disconnect):
1222         (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
1223         * runtime/JSLock.cpp:
1224         (JSC::JSLock::lock):
1225         (JSC::JSLock::didAcquireLock):
1226         (JSC::JSLock::unlock):
1227         (JSC::JSLock::willReleaseLock):
1228         (JSC::JSLock::DropAllLocks::DropAllLocks):
1229         (JSC::JSLock::DropAllLocks::~DropAllLocks):
1230         * runtime/JSLock.h:
1231         * testRegExp.cpp:
1232         (realMain):
1233
1234 2014-03-04  Commit Queue  <commit-queue@webkit.org>
1235
1236         Unreviewed, rolling out r164812.
1237         http://trac.webkit.org/changeset/164812
1238         https://bugs.webkit.org/show_bug.cgi?id=129699
1239
1240         it made things run slower (Requested by pizlo on #webkit).
1241
1242         * interpreter/Interpreter.cpp:
1243         (JSC::Interpreter::execute):
1244         * jsc.cpp:
1245         (GlobalObject::finishCreation):
1246         * runtime/BatchedTransitionOptimizer.h:
1247         (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
1248         (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
1249
1250 2014-03-02  Filip Pizlo  <fpizlo@apple.com>
1251
1252         GetMyArgumentByVal in FTL
1253         https://bugs.webkit.org/show_bug.cgi?id=128850
1254
1255         Reviewed by Oliver Hunt.
1256         
1257         This would have been easy if the OSR exit compiler's arity checks hadn't been wrong.
1258         They checked arity by doing "exec->argumentCount == codeBlock->numParameters", which
1259         caused it to think that the arity check had failed if the caller had passed more
1260         arguments than needed. This would cause the call frame copying to sort of go into
1261         reverse (because the amount-by-which-we-failed-arity would have opposite sign,
1262         throwing off a bunch of math) and the stack would end up being corrupted.
1263         
1264         The bug was revealed by two existing tests although as far as I could tell, neither
1265         test was intending to cover this case directly. So, I added a new test.
1266
1267         * ftl/FTLCapabilities.cpp:
1268         (JSC::FTL::canCompile):
1269         * ftl/FTLLowerDFGToLLVM.cpp:
1270         (JSC::FTL::LowerDFGToLLVM::compileNode):
1271         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
1272         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
1273         (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated):
1274         (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated):
1275         * ftl/FTLOSRExitCompiler.cpp:
1276         (JSC::FTL::compileStub):
1277         * ftl/FTLState.h:
1278         * tests/stress/exit-from-ftl-when-caller-passed-extra-args-then-use-function-dot-arguments.js: Added.
1279         * tests/stress/ftl-get-my-argument-by-val-inlined-and-not-inlined.js: Added.
1280         * tests/stress/ftl-get-my-argument-by-val-inlined.js: Added.
1281         * tests/stress/ftl-get-my-argument-by-val.js: Added.
1282
1283 2014-03-04  Zan Dobersek  <zdobersek@igalia.com>
1284
1285         [GTK] Build the Udis86 disassembler
1286         https://bugs.webkit.org/show_bug.cgi?id=129679
1287
1288         Reviewed by Michael Saboff.
1289
1290         * GNUmakefile.am: Generate the Udis86-related derived sources. Distribute the required files.
1291         * GNUmakefile.list.am: Add the Udis86 disassembler files to the build.
1292
1293 2014-03-04  Andreas Kling  <akling@apple.com>
1294
1295         Fix too-narrow assertion I added in r165054.
1296
1297         It's okay for a 1-character string to come in here. This will happen
1298         if the VM small string optimization doesn't apply (ch > 0xFF).
1299
1300         * runtime/JSString.h:
1301         (JSC::jsStringWithWeakOwner):
1302
1303 2014-03-04  Andreas Kling  <akling@apple.com>
1304
1305         Micro-optimize Strings in JS bindings.
1306         <https://webkit.org/b/129673>
1307
1308         Make jsStringWithWeakOwner() take a StringImpl& instead of a String.
1309         This avoids branches in length() and operator[].
1310
1311         Also call JSString::create() directly instead of jsString() and just
1312         assert that the string length is >1. This way we don't duplicate the
1313         optimizations for empty and single-character strings.
1314
1315         Reviewed by Ryosuke Niwa.
1316
1317         * runtime/JSString.h:
1318         (JSC::jsStringWithWeakOwner):
1319
1320 2014-03-04  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
1321
1322         Implement Number.prototype.clz()
1323         https://bugs.webkit.org/show_bug.cgi?id=129479
1324
1325         Reviewed by Oliver Hunt.
1326
1327         Implemented Number.prototype.clz() as specified in the ES6 standard.
1328
1329         * runtime/NumberPrototype.cpp:
1330         (JSC::numberProtoFuncClz):
1331
1332 2014-03-03  Joseph Pecoraro  <pecoraro@apple.com>
1333
1334         Web Inspector: Avoid too early deref caused by RemoteInspectorXPCConnection::close
1335         https://bugs.webkit.org/show_bug.cgi?id=129631
1336
1337         Reviewed by Timothy Hatcher.
1338
1339         Avoid deref() too early if a client calls close(). The xpc_connection_close
1340         will cause another XPC_ERROR event to come in from the queue, deref then.
1341         Likewise, protect multithreaded access to m_client. If a client calls
1342         close() we want to immediately clear the pointer to prevent calls to it.
1343
1344         Overall the multi-threading aspects of RemoteInspectorXPCConnection are
1345         growing too complicated for probably little benefit. We may want to
1346         clean this up later.
1347
1348         * inspector/remote/RemoteInspector.mm:
1349         (Inspector::RemoteInspector::xpcConnectionFailed):
1350         * inspector/remote/RemoteInspectorXPCConnection.h:
1351         * inspector/remote/RemoteInspectorXPCConnection.mm:
1352         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
1353         (Inspector::RemoteInspectorXPCConnection::close):
1354         (Inspector::RemoteInspectorXPCConnection::closeOnQueue):
1355         (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
1356         (Inspector::RemoteInspectorXPCConnection::handleEvent):
1357         (Inspector::RemoteInspectorXPCConnection::sendMessage):
1358
1359 2014-03-03  Michael Saboff  <msaboff@apple.com>
1360
1361         AbstractMacroAssembler::CachedTempRegister should start out invalid
1362         https://bugs.webkit.org/show_bug.cgi?id=129657
1363
1364         Reviewed by Filip Pizlo.
1365
1366         * assembler/AbstractMacroAssembler.h:
1367         (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
1368         - Invalidate all cached registers in constructor as we don't know the
1369           contents of any register at the entry to the code we are going to
1370           generate.
1371
1372 2014-03-03  Andreas Kling  <akling@apple.com>
1373
1374         StructureOrOffset should be fastmalloced.
1375         <https://webkit.org/b/129640>
1376
1377         Reviewed by Geoffrey Garen.
1378
1379         * runtime/StructureIDTable.h:
1380
1381 2014-03-03  Michael Saboff  <msaboff@apple.com>
1382
1383         Crash in JIT code while watching a video @ storyboard.tumblr.com
1384         https://bugs.webkit.org/show_bug.cgi?id=129635
1385
1386         Reviewed by Filip Pizlo.
1387
1388         Clear m_set before we set bits in the TempRegisterSet(const RegisterSet& other)
1389         constructor.
1390
1391         * jit/TempRegisterSet.cpp:
1392         (JSC::TempRegisterSet::TempRegisterSet): Clear map before setting it.
1393         * jit/TempRegisterSet.h:
1394         (JSC::TempRegisterSet::TempRegisterSet): Use new clearAll() helper.
1395         (JSC::TempRegisterSet::clearAll): New private helper.
1396
1397 2014-03-03  Benjamin Poulain  <benjamin@webkit.org>
1398
1399         [x86] Improve code generation of byte test
1400         https://bugs.webkit.org/show_bug.cgi?id=129597
1401
1402         Reviewed by Geoffrey Garen.
1403
1404         When possible, test the 8 bit register to itself instead of comparing it
1405         to a literal.
1406
1407         * assembler/MacroAssemblerX86Common.h:
1408         (JSC::MacroAssemblerX86Common::test32):
1409
1410 2014-03-03  Mark Lam  <mark.lam@apple.com>
1411
1412         Web Inspector: debugger statements do not break.
1413         <https://webkit.org/b/129524>
1414
1415         Reviewed by Geoff Garen.
1416
1417         Since we no longer call op_debug hooks unless there is a debugger request
1418         made on the CodeBlock, the op_debug for the debugger statement never gets
1419         serviced.
1420
1421         With this fix, we check in the CodeBlock constructor if any debugger
1422         statements are present.  If so, we set a m_hasDebuggerStatement flag that
1423         causes the CodeBlock to show as having debugger requests.  Hence,
1424         breaking at debugger statements is now restored.
1425
1426         * bytecode/CodeBlock.cpp:
1427         (JSC::CodeBlock::CodeBlock):
1428         * bytecode/CodeBlock.h:
1429         (JSC::CodeBlock::hasDebuggerRequests):
1430         (JSC::CodeBlock::clearDebuggerRequests):
1431
1432 2014-03-03  Mark Lam  <mark.lam@apple.com>
1433
1434         ASSERTION FAILED: m_numBreakpoints >= numBreakpoints when deleting breakpoints.
1435         <https://webkit.org/b/129393>
1436
1437         Reviewed by Geoffrey Garen.
1438
1439         The issue manifests because the debugger will iterate all CodeBlocks in
1440         the heap when setting / clearing breakpoints, but it is possible for a
1441         CodeBlock to have been instantiated but not yet registered with the
1442         debugger.  This can happen because of the following:
1443
1444         1. DFG worklist compilation is still in progress, and the target
1445            codeBlock is not ready for installation in its executable yet.
1446
1447         2. DFG compilation failed and we have a codeBlock that will never be
1448            installed in its executable, and the codeBlock has not been cleaned
1449            up by the GC yet.
1450
1451         The code for installing the codeBlock in its executable is the same code
1452         that registers it with the debugger.  Hence, these codeBlocks are not
1453         registered with the debugger, and any pending breakpoints that would map
1454         to that CodeBlock are as yet unset or will never be set.  As such, an
1455         attempt to remove a breakpoint in that CodeBlock will fail that assertion.
1456
1457         To fix this, we do the following:
1458
1459         1. We'll eagerly clean up any zombie CodeBlocks due to failed DFG / FTL
1460            compilation.  This is achieved by providing a
1461            DeferredCompilationCallback::compilationDidComplete() that does this
1462            clean up, and have all sub classes call it at the end of their
1463            compilationDidComplete() methods.
1464
1465         2. Before the debugger or profiler iterates CodeBlocks in the heap, they
1466            will wait for all compilations to complete before proceeding.  This
1467            ensures that:
1468            1. any zombie CodeBlocks would have been cleaned up, and won't be
1469               seen by the debugger or profiler.
1470            2. all CodeBlocks that the debugger and profiler needs to operate on
1471               will be "ready" for whatever needs to be done to them e.g.
1472               jettisoning of DFG codeBlocks.
1473
1474         * bytecode/DeferredCompilationCallback.cpp:
1475         (JSC::DeferredCompilationCallback::compilationDidComplete):
1476         * bytecode/DeferredCompilationCallback.h:
1477         - Provide default implementation method to clean up zombie CodeBlocks.
1478
1479         * debugger/Debugger.cpp:
1480         (JSC::Debugger::forEachCodeBlock):
1481         - Utility function to iterate CodeBlocks.  It ensures that all compilations
1482           are complete before proceeding.
1483         (JSC::Debugger::setSteppingMode):
1484         (JSC::Debugger::toggleBreakpoint):
1485         (JSC::Debugger::recompileAllJSFunctions):
1486         (JSC::Debugger::clearBreakpoints):
1487         (JSC::Debugger::clearDebuggerRequests):
1488         - Use the utility iterator function.
1489
1490         * debugger/Debugger.h:
1491         * dfg/DFGOperations.cpp:
1492         - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.
1493
1494         * dfg/DFGPlan.cpp:
1495         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
1496         - Remove unneeded code (that was not the best solution anyway) for ensuring
1497           that we don't generate new DFG codeBlocks after enabling the debugger or
1498           profiler.  Now that we wait for compilations to complete before proceeding
1499           with debugger and profiler work, this scenario will never happen.
1500
1501         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
1502         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
1503         - Call the super class method to clean up zombie codeBlocks.
1504
1505         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
1506         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
1507         - Call the super class method to clean up zombie codeBlocks.
1508
1509         * heap/CodeBlockSet.cpp:
1510         (JSC::CodeBlockSet::remove):
1511         * heap/CodeBlockSet.h:
1512         * heap/Heap.h:
1513         (JSC::Heap::removeCodeBlock):
1514         - New method to remove a codeBlock from the codeBlock set.
1515
1516         * jit/JITOperations.cpp:
1517         - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.
1518
1519         * jit/JITToDFGDeferredCompilationCallback.cpp:
1520         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
1521         - Call the super class method to clean up zombie codeBlocks.
1522
1523         * runtime/VM.cpp:
1524         (JSC::VM::waitForCompilationsToComplete):
1525         - Renamed from prepareToDiscardCode() to be clearer about what it does.
1526
1527         (JSC::VM::discardAllCode):
1528         (JSC::VM::releaseExecutableMemory):
1529         (JSC::VM::setEnabledProfiler):
1530         - Wait for compilation to complete before enabling the profiler.
1531
1532         * runtime/VM.h:
1533
1534 2014-03-03  Brian Burg  <bburg@apple.com>
1535
1536         Another unreviewed build fix attempt for Windows after r164986.
1537
1538         We never told Visual Studio to copy over the web replay code generator scripts
1539         and the generated headers for JavaScriptCore replay inputs as if they were
1540         private headers.
1541
1542         * JavaScriptCore.vcxproj/copy-files.cmd:
1543
1544 2014-03-03  Brian Burg  <bburg@apple.com>
1545
1546         Web Replay: upstream input storage, capture/replay machinery, and inspector domain
1547         https://bugs.webkit.org/show_bug.cgi?id=128782
1548
1549         Reviewed by Timothy Hatcher.
1550
1551         Alter the replay inputs code generator so that it knows when it is necessary to
1552         include headers for HEAVY_SCALAR types such as WTF::String and WebCore::URL.
1553
1554         * JavaScriptCore.xcodeproj/project.pbxproj:
1555         * replay/scripts/CodeGeneratorReplayInputs.py:
1556         (Framework.fromString):
1557         (Frameworks): Add WTF as an allowed framework for code generation.
1558         (Generator.generate_includes): Include headers for HEAVY_SCALAR types in the header file.
1559         (Generator.generate_includes.declaration):
1560         (Generator.generate_includes.or):
1561         (Generator.generate_type_forward_declarations): Skip HEAVY_SCALAR types.
1562
1563 2014-03-02  Filip Pizlo  <fpizlo@apple.com>
1564
1565         PolymorphicPutByIdList should have a simpler construction API with basically a single entrypoint
1566         https://bugs.webkit.org/show_bug.cgi?id=129591
1567
1568         Reviewed by Michael Saboff.
1569
1570         * bytecode/PolymorphicPutByIdList.cpp:
1571         (JSC::PutByIdAccess::fromStructureStubInfo): This function can figure out the slow path target for itself.
1572         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList): This constructor should be private, only from() should call it.
1573         (JSC::PolymorphicPutByIdList::from):
1574         * bytecode/PolymorphicPutByIdList.h:
1575         (JSC::PutByIdAccess::stubRoutine):
1576         * jit/Repatch.cpp:
1577         (JSC::tryBuildPutByIdList): Don't pass the slow path target since it can be derived from the stubInfo.
1578
1579 2014-03-02  Filip Pizlo  <fpizlo@apple.com>
1580
1581         Debugging improvements from my gbemu investigation session
1582         https://bugs.webkit.org/show_bug.cgi?id=129599
1583
1584         Reviewed by Mark Lam.
1585         
1586         Various improvements from when I was investigating bug 129411.
1587
1588         * bytecode/CodeBlock.cpp:
1589         (JSC::CodeBlock::optimizationThresholdScalingFactor): Make the dataLog() statement print the actual multiplier.
1590         * jsc.cpp:
1591         (GlobalObject::finishCreation):
1592         (functionDescribe): Make describe() return a string rather than printing the string.
1593         (functionDescribeArray): Like describe(), but prints details about arrays.
1594
1595 2014-02-25  Andreas Kling  <akling@apple.com>
1596
1597         JSDOMWindow::commonVM() should return a reference.
1598         <https://webkit.org/b/129293>
1599
1600         Added a DropAllLocks constructor that takes VM& without null checks.
1601
1602         Reviewed by Geoff Garen.
1603
1604 2014-03-02  Mark Lam  <mark.lam@apple.com>
1605
1606         CodeBlock::hasDebuggerRequests() should return a bool instead of an int.
1607         <https://webkit.org/b/129584>
1608
1609         Reviewed by Darin Adler.
1610
1611         * bytecode/CodeBlock.h:
1612         (JSC::CodeBlock::hasDebuggerRequests):
1613
1614 2014-03-02  Mark Lam  <mark.lam@apple.com>
1615
1616         Clean up use of Options::enableConcurrentJIT().
1617         <https://webkit.org/b/129582>
1618
1619         Reviewed by Filip Pizlo.
1620
1621         DFG Driver was conditionally checking Options::enableConcurrentJIT()
1622         only if ENABLE(CONCURRENT_JIT).  Otherwise, it bypasses it with a local
1623         enableConcurrentJIT set to false.
1624
1625         Instead we should configure Options::enableConcurrentJIT() to be false
1626         in Options.cpp if !ENABLE(CONCURRENT_JIT), and DFG Driver should always
1627         check Options::enableConcurrentJIT().  This makes the code read a little
1628         cleaner.
1629
1630         * dfg/DFGDriver.cpp:
1631         (JSC::DFG::compileImpl):
1632         * runtime/Options.cpp:
1633         (JSC::recomputeDependentOptions):
1634
1635 2014-03-01  Filip Pizlo  <fpizlo@apple.com>
1636
1637         This shouldn't have been a layout test since it runs only under jsc. Moving it to JSC
1638         stress tests.
1639
1640         * tests/stress/generational-opaque-roots.js: Copied from LayoutTests/js/script-tests/generational-opaque-roots.js.
1641
1642 2014-03-01  Andreas Kling  <akling@apple.com>
1643
1644         JSCell::fastGetOwnProperty() should get the Structure more efficiently.
1645         <https://webkit.org/b/129560>
1646
1647         Now that structure() is nontrivial and we have a faster structure(VM&),
1648         make use of that in fastGetOwnProperty() since we already have VM.
1649
1650         Reviewed by Sam Weinig.
1651
1652         * runtime/JSCellInlines.h:
1653         (JSC::JSCell::fastGetOwnProperty):
1654
1655 2014-03-01  Andreas Kling  <akling@apple.com>
1656
1657         Avoid going through ExecState for VM when we already have it (in some places.)
1658         <https://webkit.org/b/129554>
1659
1660         Tweak some places that jump through unnecessary hoops to get the VM.
1661         There are many more like this.
1662
1663         Reviewed by Sam Weinig.
1664
1665         * runtime/JSObject.cpp:
1666         (JSC::JSObject::putByIndexBeyondVectorLength):
1667         (JSC::JSObject::putDirectIndexBeyondVectorLength):
1668         * runtime/ObjectPrototype.cpp:
1669         (JSC::objectProtoFuncToString):
1670
1671 2014-02-28  Filip Pizlo  <fpizlo@apple.com>
1672
1673         FTL should support PhantomArguments
1674         https://bugs.webkit.org/show_bug.cgi?id=113986
1675
1676         Reviewed by Oliver Hunt.
1677         
1678         Adding PhantomArguments to the FTL mostly means wiring the recovery of the Arguments
1679         object into the FTL's OSR exit compiler.
1680         
1681         This isn't a speed-up yet, since there is still more to be done to fully support
1682         all of the arguments craziness that our varargs benchmarks do.
1683
1684         * dfg/DFGOSRExitCompiler32_64.cpp:
1685         (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
1686         * dfg/DFGOSRExitCompiler64.cpp:
1687         (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
1688         * dfg/DFGOSRExitCompilerCommon.cpp:
1689         (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator):
1690         (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator):
1691         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): this is the common place for the recovery code
1692         * dfg/DFGOSRExitCompilerCommon.h:
1693         * ftl/FTLCapabilities.cpp:
1694         (JSC::FTL::canCompile):
1695         * ftl/FTLExitValue.cpp:
1696         (JSC::FTL::ExitValue::dumpInContext):
1697         * ftl/FTLExitValue.h:
1698         (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated):
1699         (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated):
1700         (JSC::FTL::ExitValue::valueFormat):
1701         * ftl/FTLLowerDFGToLLVM.cpp:
1702         (JSC::FTL::LowerDFGToLLVM::compileNode):
1703         (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments):
1704         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
1705         (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
1706         * ftl/FTLOSRExitCompiler.cpp:
1707         (JSC::FTL::compileStub): Call into the ArgumentsRecoveryGenerator
1708         * tests/stress/slightly-more-difficult-to-fold-reflective-arguments-access.js: Added.
1709         * tests/stress/trivially-foldable-reflective-arguments-access.js: Added.
1710
1711 2014-02-28  Filip Pizlo  <fpizlo@apple.com>
1712
1713         Unreviewed, uncomment some code. It wasn't meant to be commented in the first place.
1714
1715         * dfg/DFGCSEPhase.cpp:
1716         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
1717
1718 2014-02-28  Andreas Kling  <akling@apple.com>
1719
1720         JSObject::findPropertyHashEntry() should take VM instead of ExecState.
1721         <https://webkit.org/b/129529>
1722
1723         Callers already have VM in a local, and findPropertyHashEntry() only
1724         uses the VM, no need to go all the way through ExecState.
1725
1726         Reviewed by Geoffrey Garen.
1727
1728         * runtime/JSObject.cpp:
1729         (JSC::JSObject::put):
1730         (JSC::JSObject::deleteProperty):
1731         (JSC::JSObject::findPropertyHashEntry):
1732         * runtime/JSObject.h:
1733
1734 2014-02-28  Joseph Pecoraro  <pecoraro@apple.com>
1735
1736         Deadlock remotely inspecting iOS Simulator
1737         https://bugs.webkit.org/show_bug.cgi?id=129511
1738
1739         Reviewed by Timothy Hatcher.
1740
1741         Avoid synchronous setup. Do it asynchronously, and let
1742         the RemoteInspector singleton know later if it failed.
1743
1744         * inspector/remote/RemoteInspector.h:
1745         * inspector/remote/RemoteInspector.mm:
1746         (Inspector::RemoteInspector::setupFailed):
1747         * inspector/remote/RemoteInspectorDebuggableConnection.h:
1748         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
1749         (Inspector::RemoteInspectorDebuggableConnection::setup):
1750
1751 2014-02-28  Oliver Hunt  <oliver@apple.com>
1752
1753         REGRESSION(r164835): It broke 10 JSC stress test on 32 bit platforms
1754         https://bugs.webkit.org/show_bug.cgi?id=129488
1755
1756         Reviewed by Mark Lam.
1757
1758         Whoops, modify the right register.
1759
1760         * jit/JITCall32_64.cpp:
1761         (JSC::JIT::compileLoadVarargs):
1762
1763 2014-02-28  Filip Pizlo  <fpizlo@apple.com>
1764
1765         FTL should be able to call sin/cos directly on platforms where the intrinsic is busted
1766         https://bugs.webkit.org/show_bug.cgi?id=129503
1767
1768         Reviewed by Mark Lam.
1769
1770         * ftl/FTLIntrinsicRepository.h:
1771         * ftl/FTLOutput.h:
1772         (JSC::FTL::Output::doubleSin):
1773         (JSC::FTL::Output::doubleCos):
1774         (JSC::FTL::Output::intrinsicOrOperation):
1775
1776 2014-02-28  Mark Hahnenberg  <mhahnenberg@apple.com>
1777
1778         Fix !ENABLE(GGC) builds
1779
1780         * heap/Heap.cpp:
1781         (JSC::Heap::markRoots):
1782         (JSC::Heap::gatherJSStackRoots): Also fix one of the names of the GC phases.
1783
1784 2014-02-27  Mark Hahnenberg  <mhahnenberg@apple.com>
1785
1786         Clean up Heap::collect and Heap::markRoots
1787         https://bugs.webkit.org/show_bug.cgi?id=129464
1788
1789         Reviewed by Geoffrey Garen.
1790
1791         These functions have built up a lot of cruft recently. 
1792         We should do a bit of cleanup to make them easier to grok.
1793
1794         * heap/Heap.cpp:
1795         (JSC::Heap::finalizeUnconditionalFinalizers):
1796         (JSC::Heap::gatherStackRoots):
1797         (JSC::Heap::gatherJSStackRoots):
1798         (JSC::Heap::gatherScratchBufferRoots):
1799         (JSC::Heap::clearLivenessData):
1800         (JSC::Heap::visitSmallStrings):
1801         (JSC::Heap::visitConservativeRoots):
1802         (JSC::Heap::visitCompilerWorklists):
1803         (JSC::Heap::markProtectedObjects):
1804         (JSC::Heap::markTempSortVectors):
1805         (JSC::Heap::markArgumentBuffers):
1806         (JSC::Heap::visitException):
1807         (JSC::Heap::visitStrongHandles):
1808         (JSC::Heap::visitHandleStack):
1809         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
1810         (JSC::Heap::converge):
1811         (JSC::Heap::visitWeakHandles):
1812         (JSC::Heap::clearRememberedSet):
1813         (JSC::Heap::updateObjectCounts):
1814         (JSC::Heap::resetVisitors):
1815         (JSC::Heap::markRoots):
1816         (JSC::Heap::copyBackingStores):
1817         (JSC::Heap::deleteUnmarkedCompiledCode):
1818         (JSC::Heap::collect):
1819         (JSC::Heap::collectIfNecessaryOrDefer):
1820         (JSC::Heap::suspendCompilerThreads):
1821         (JSC::Heap::willStartCollection):
1822         (JSC::Heap::deleteOldCode):
1823         (JSC::Heap::flushOldStructureIDTables):
1824         (JSC::Heap::flushWriteBarrierBuffer):
1825         (JSC::Heap::stopAllocation):
1826         (JSC::Heap::reapWeakHandles):
1827         (JSC::Heap::sweepArrayBuffers):
1828         (JSC::Heap::snapshotMarkedSpace):
1829         (JSC::Heap::deleteSourceProviderCaches):
1830         (JSC::Heap::notifyIncrementalSweeper):
1831         (JSC::Heap::rememberCurrentlyExecutingCodeBlocks):
1832         (JSC::Heap::resetAllocators):
1833         (JSC::Heap::updateAllocationLimits):
1834         (JSC::Heap::didFinishCollection):
1835         (JSC::Heap::resumeCompilerThreads):
1836         * heap/Heap.h:
1837
1838 2014-02-27  Ryosuke Niwa  <rniwa@webkit.org>
1839
1840         indexOf and lastIndexOf shouldn't resolve ropes when needle is longer than haystack
1841         https://bugs.webkit.org/show_bug.cgi?id=129466
1842
1843         Reviewed by Michael Saboff.
1844
1845         Refactored the code to avoid calling JSString::value when needle is longer than haystack.
1846
1847         * runtime/StringPrototype.cpp:
1848         (JSC::stringProtoFuncIndexOf):
1849         (JSC::stringProtoFuncLastIndexOf):
1850
1851 2014-02-27  Timothy Hatcher  <timothy@apple.com>
1852
1853         Improve how ContentSearchUtilities::lineEndings works by supporting the three common line endings.
1854
1855         https://bugs.webkit.org/show_bug.cgi?id=129458
1856
1857         Reviewed by Joseph Pecoraro.
1858
1859         * inspector/ContentSearchUtilities.cpp:
1860         (Inspector::ContentSearchUtilities::textPositionFromOffset): Remove assumption about line ending length.
1861         (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Remove assumption about
1862         line ending type and don't try to strip the line ending. Use size_t.
1863         (Inspector::ContentSearchUtilities::lineEndings): Use findNextLineStart to find the lines.
1864         This will include the line ending in the lines, but that is okay.
1865         (Inspector::ContentSearchUtilities::buildObjectForSearchMatch): Use size_t.
1866         (Inspector::ContentSearchUtilities::searchInTextByLines): Modernize.
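
The line-splitting behaviour this entry describes, as an added JavaScript example that is not WebKit's ContentSearchUtilities code: "\n", "\r\n" and a bare "\r" each end a line, every line keeps its own terminator, and an offset is mapped back to a (line, column) pair without assuming a fixed terminator length. The function names findNextLineStart, lineEndings and textPositionFromOffset mirror the ones named above but are this example's own; SAMPLE is a constructed input.

```javascript
'use strict';

// Added example, not WebKit code. Demonstrates the three-terminator line
// splitting described in the ChangeLog entry above.

// Index just past the next line terminator at or after `from`, or
// text.length if no terminator remains. "\r\n" is one two-character
// terminator; a lone "\r" or "\n" is a one-character terminator.
function findNextLineStart(text, from) {
  for (let i = from; i < text.length; i++) {
    if (text[i] === '\n') return i + 1;
    if (text[i] === '\r') return text[i + 1] === '\n' ? i + 2 : i + 1;
  }
  return text.length;
}

// Splits text into lines, each including its terminator (if it has one),
// so that line lengths add up to the original offsets.
function lineEndings(text) {
  const lines = [];
  let start = 0;
  while (start < text.length) {
    const next = findNextLineStart(text, start);
    lines.push(text.slice(start, next));
    start = next;
  }
  return lines;
}

// Maps a character offset to a zero-based {line, column} by walking the
// line lengths; a "\r\n" line is two characters longer than a "\n" line,
// so no terminator length is assumed. Offsets at or past the end of the
// text map to the start of the line that would follow the last one.
function textPositionFromOffset(offset, lines) {
  let lineStart = 0;
  for (let line = 0; line < lines.length; line++) {
    const lineEnd = lineStart + lines[line].length;
    if (offset < lineEnd) return { line, column: offset - lineStart };
    lineStart = lineEnd;
  }
  return { line: lines.length, column: 0 };
}

// Constructed sample mixing all three terminators (not from the page).
const SAMPLE = 'alpha\r\nbeta\ngamma\rdelta';
```

With SAMPLE, lineEndings() yields four lines and the offset of "delta" (18) maps to line 3, column 0; a splitter that assumed every terminator is one character would place it on the wrong column.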
1867
1868 2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>
1869
1870         [Mac] Warning: Multiple build commands for output file GCSegmentedArray and InspectorAgent
1871         https://bugs.webkit.org/show_bug.cgi?id=129446
1872
1873         Reviewed by Timothy Hatcher.
1874
1875         Remove duplicate header entries in Copy Header build phase.
1876
1877         * JavaScriptCore.xcodeproj/project.pbxproj:
1878
1879 2014-02-27  Oliver Hunt  <oliver@apple.com>
1880
1881         Whoops, include all of last patch.
1882
1883         * jit/JITCall32_64.cpp:
1884         (JSC::JIT::compileLoadVarargs):
1885
1886 2014-02-27  Oliver Hunt  <oliver@apple.com>
1887
1888         Slow cases for function.apply and function.call should not require vm re-entry
1889         https://bugs.webkit.org/show_bug.cgi?id=129454
1890
1891         Reviewed by Geoffrey Garen.
1892
1893         Implement call and apply using builtins. Happily the use
1894         of @call and @apply doesn't perform function equality checks
1895         and just plant direct var_args calls. This did expose a few
1896         codegen issues, but they're all covered by existing tests
1897         once call and apply are implemented in JS.
1898
1899         * JavaScriptCore.xcodeproj/project.pbxproj:
1900         * builtins/Function.prototype.js: Added.
1901         (call):
1902         (apply):
1903         * bytecompiler/NodesCodegen.cpp:
1904         (JSC::CallFunctionCallDotNode::emitBytecode):
1905         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1906         * dfg/DFGCapabilities.cpp:
1907         (JSC::DFG::capabilityLevel):
1908         * interpreter/Interpreter.cpp:
1909         (JSC::sizeFrameForVarargs):
1910         (JSC::loadVarargs):
1911         * interpreter/Interpreter.h:
1912         * jit/JITCall.cpp:
1913         (JSC::JIT::compileLoadVarargs):
1914         * parser/ASTBuilder.h:
1915         (JSC::ASTBuilder::makeFunctionCallNode):
1916         * parser/Lexer.cpp:
1917         (JSC::isSafeBuiltinIdentifier):
1918         * runtime/CommonIdentifiers.h:
1919         * runtime/FunctionPrototype.cpp:
1920         (JSC::FunctionPrototype::addFunctionProperties):
1921         * runtime/JSObject.cpp:
1922         (JSC::JSObject::putDirectBuiltinFunction):
1923         (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
1924         * runtime/JSObject.h:
1925
1926 2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>
1927
1928         Web Inspector: Better name for RemoteInspectorDebuggableConnection dispatch queue
1929         https://bugs.webkit.org/show_bug.cgi?id=129443
1930
1931         Reviewed by Timothy Hatcher.
1932
1933         This queue is specific to the JSContext debuggable connections,
1934         there is no XPC involved. Give it a better name.
1935
1936         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
1937         (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
1938
1939 2014-02-27  David Kilzer  <ddkilzer@apple.com>
1940
1941         Remove jsc symlink if it already exists
1942
1943         This is a follow-up fix for:
1944
1945         Create symlink to /usr/local/bin/jsc during installation
1946         <http://webkit.org/b/129399>
1947         <rdar://problem/16168734>
1948
1949         * JavaScriptCore.xcodeproj/project.pbxproj:
1950         (Create /usr/local/bin/jsc symlink): If a jsc symlink already
1951         exists where we're about to create the symlink, remove the old
1952         one first.
1953
1954 2014-02-27  Michael Saboff  <msaboff@apple.com>
1955
1956         Unreviewed build fix for Mac tools after r164814
1957
1958         * Configurations/ToolExecutable.xcconfig:
1959         - Added JavaScriptCore.framework/PrivateHeaders to ToolExecutable include path.
1960         * JavaScriptCore.xcodeproj/project.pbxproj:
1961         - Changed productName to testRegExp for testRegExp target.
1962
1963 2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>
1964
1965         Web Inspector: JSContext inspection should report exceptions in the console
1966         https://bugs.webkit.org/show_bug.cgi?id=128776
1967
1968         Reviewed by Timothy Hatcher.
1969
1970         When JavaScript API functions have an exception, let the inspector
1971         know so it can log the JavaScript and Native backtrace that caused
1972         the exception.
1973
1974         Include some clean up of ConsoleMessage and ScriptCallStack construction.
1975
1976         * API/JSBase.cpp:
1977         (JSEvaluateScript):
1978         (JSCheckScriptSyntax):
1979         * API/JSObjectRef.cpp:
1980         (JSObjectMakeFunction):
1981         (JSObjectMakeArray):
1982         (JSObjectMakeDate):
1983         (JSObjectMakeError):
1984         (JSObjectMakeRegExp):
1985         (JSObjectGetProperty):
1986         (JSObjectSetProperty):
1987         (JSObjectGetPropertyAtIndex):
1988         (JSObjectSetPropertyAtIndex):
1989         (JSObjectDeleteProperty):
1990         (JSObjectCallAsFunction):
1991         (JSObjectCallAsConstructor):
1992         * API/JSValue.mm:
1993         (reportExceptionToInspector):
1994         (valueToArray):
1995         (valueToDictionary):
1996         * API/JSValueRef.cpp:
1997         (JSValueIsEqual):
1998         (JSValueIsInstanceOfConstructor):
1999         (JSValueCreateJSONString):
2000         (JSValueToNumber):
2001         (JSValueToStringCopy):
2002         (JSValueToObject):
2003         When seeing an exception, let the inspector know there was an exception.
2004
2005         * inspector/JSGlobalObjectInspectorController.h:
2006         * inspector/JSGlobalObjectInspectorController.cpp:
2007         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2008         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
2009         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
2010         Log API exceptions by also grabbing the native backtrace.
2011
2012         * inspector/ScriptCallStack.h:
2013         * inspector/ScriptCallStack.cpp:
2014         (Inspector::ScriptCallStack::firstNonNativeCallFrame):
2015         (Inspector::ScriptCallStack::append):
2016         Minor extensions to ScriptCallStack to make it easier to work with.
2017
2018         * inspector/ConsoleMessage.cpp:
2019         (Inspector::ConsoleMessage::ConsoleMessage):
2020         (Inspector::ConsoleMessage::autogenerateMetadata):
2021         Provide better default information if the first call frame was native.
2022
2023         * inspector/ScriptCallStackFactory.cpp:
2024         (Inspector::createScriptCallStack):
2025         (Inspector::extractSourceInformationFromException):
2026         (Inspector::createScriptCallStackFromException):
2027         Perform the handling here of inserting a fake call frame for exceptions
2028         if there was no call stack (e.g. a SyntaxError) or if the first call
2029         frame had no information.
2030
2031         * inspector/ConsoleMessage.cpp:
2032         (Inspector::ConsoleMessage::ConsoleMessage):
2033         (Inspector::ConsoleMessage::autogenerateMetadata):
2034         * inspector/ConsoleMessage.h:
2035         * inspector/ScriptCallStackFactory.cpp:
2036         (Inspector::createScriptCallStack):
2037         (Inspector::createScriptCallStackForConsole):
2038         * inspector/ScriptCallStackFactory.h:
2039         * inspector/agents/InspectorConsoleAgent.cpp:
2040         (Inspector::InspectorConsoleAgent::enable):
2041         (Inspector::InspectorConsoleAgent::addMessageToConsole):
2042         (Inspector::InspectorConsoleAgent::count):
2043         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2044         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
2045         ConsoleMessage cleanup.
2046
2047 2014-02-27  David Kilzer  <ddkilzer@apple.com>
2048
2049         Create symlink to /usr/local/bin/jsc during installation
2050         <http://webkit.org/b/129399>
2051         <rdar://problem/16168734>
2052
2053         Reviewed by Dan Bernstein.
2054
2055         * JavaScriptCore.xcodeproj/project.pbxproj:
2056         - Add "Create /usr/local/bin/jsc symlink" build phase script to
2057           create the symlink during installation.
2058
2059 2014-02-27  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>
2060
2061         Math.{max, min}() must not return after first NaN value
2062         https://bugs.webkit.org/show_bug.cgi?id=104147
2063
2064         Reviewed by Oliver Hunt.
2065
2066         According to the spec, ToNumber is going to be called on each argument
2067         even if a `NaN` value was already found.
2068
2069         * runtime/MathObject.cpp:
2070         (JSC::mathProtoFuncMax):
2071         (JSC::mathProtoFuncMin):
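
The coercion rule this entry restores, as an added JavaScript example (not JavaScriptCore or WebKit code): Math.max and Math.min must apply ToNumber to every argument in order, so a valueOf() side effect placed after a NaN argument still fires, and a valueOf() that throws is still reached. The helpers tracedArgs, coercionOrder, earlyExitMax and specMax are names assumed for this example; earlyExitMax is a reconstruction of the pre-fix shape the entry describes, not JSC's actual implementation.

```javascript
'use strict';

// Added example, not JavaScriptCore code. Shows why returning at the first
// NaN is observable: ToNumber on later arguments (and their side effects)
// would be skipped.

// Argument objects whose valueOf() records the coercion order in `log`.
// (Constructed fixture for this example.)
function tracedArgs(values) {
  const log = [];
  const args = values.map((v, i) => ({ valueOf() { log.push(i); return v; } }));
  return { args, log };
}

// Calls `fn` with traced arguments and reports the result plus which
// argument indices were actually coerced.
function coercionOrder(fn, values) {
  const { args, log } = tracedArgs(values);
  return { result: fn(...args), log };
}

// Pre-fix shape described in the entry (hypothetical reconstruction):
// bail out at the first NaN, leaving later arguments uncoerced.
function earlyExitMax(...args) {
  let result = -Infinity;
  for (const a of args) {
    const n = Number(a);
    if (Number.isNaN(n)) return NaN; // remaining valueOf() calls never happen
    if (n > result) result = n;
  }
  return result;
}

// Spec-shaped version: coerce every argument first, then compute.
function specMax(...args) {
  const nums = args.map(Number);           // ToNumber on each argument, in order
  if (nums.some(Number.isNaN)) return NaN; // only after all coercions ran
  let result = -Infinity;
  for (const n of nums) {
    // +0 is considered larger than -0, as the spec requires for Math.max.
    if (n > result || (n === 0 && result === 0 && Object.is(result, -0))) result = n;
  }
  return result;
}
```

With [1, NaN, 2], coercionOrder(Math.max, ...) and coercionOrder(specMax, ...) both log [0, 1, 2], while earlyExitMax logs only [0, 1]; a throwing valueOf() after a NaN propagates from Math.max but is silently skipped by the early-exit version.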
2072
2073 2014-02-27  Gergo Balogh  <gbalogh.u-szeged@partner.samsung.com>
2074
2075         JSType upper limit (0xff) assertion can be removed.
2076         https://bugs.webkit.org/show_bug.cgi?id=129424
2077
2078         Reviewed by Geoffrey Garen.
2079
2080         * runtime/JSTypeInfo.h:
2081         (JSC::TypeInfo::TypeInfo):
2082
2083 2014-02-26  Michael Saboff  <msaboff@apple.com>
2084
2085         Auto generate bytecode information for bytecode parser and LLInt
2086         https://bugs.webkit.org/show_bug.cgi?id=129181
2087
2088         Reviewed by Mark Lam.
2089
2090         Added new bytecode/BytecodeList.json that contains a list of bytecodes and related
2091         helpers.  It also includes bytecode length and other information used to generate files.
2092         Added a new generator, generate-bytecode-files that generates Bytecodes.h and InitBytecodes.asm
2093         in DerivedSources/JavaScriptCore/.
2094
2095         Added the generation of these files to the "DerivedSource" build step.
2096         Slightly changed the build order, since the Bytecodes.h file is needed by
2097         JSCLLIntOffsetsExtractor.  Moved the offline assembly to a separate step since it needs
2098         to be run after JSCLLIntOffsetsExtractor.
2099
2100         Made related changes to OPCODE macros and their use.
2101
2102         Added JavaScriptCore.framework/PrivateHeaders to header file search path for building
2103         jsc to resolve Mac build issue.
2104
2105         * CMakeLists.txt:
2106         * Configurations/JSC.xcconfig:
2107         * DerivedSources.make:
2108         * GNUmakefile.am:
2109         * GNUmakefile.list.am:
2110         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2111         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2112         * JavaScriptCore.vcxproj/copy-files.cmd:
2113         * JavaScriptCore.xcodeproj/project.pbxproj:
2114         * bytecode/Opcode.h:
2115         (JSC::padOpcodeName):
2116         * llint/LLIntCLoop.cpp:
2117         (JSC::LLInt::CLoop::initialize):
2118         * llint/LLIntCLoop.h:
2119         * llint/LLIntData.cpp:
2120         (JSC::LLInt::initialize):
2121         * llint/LLIntOpcode.h:
2122         * llint/LowLevelInterpreter.asm:
2123
2124 2014-02-27  Julien Brianceau  <jbriance@cisco.com>
2125
2126         Fix 32-bit V_JITOperation_EJ callOperation introduced in r162652.
2127         https://bugs.webkit.org/show_bug.cgi?id=129420
2128
2129         Reviewed by Geoffrey Garen.
2130
2131         * dfg/DFGSpeculativeJIT.h:
2132         (JSC::DFG::SpeculativeJIT::callOperation): Payload and tag are swapped.
2133         Also, EABI_32BIT_DUMMY_ARG is missing for arm EABI and mips.
2134
2135 2014-02-27  Filip Pizlo  <fpizlo@apple.com>
2136
2137         Octane/closure thrashes between flattening dictionaries during global object initialization in a global eval
2138         https://bugs.webkit.org/show_bug.cgi?id=129435
2139
2140         Reviewed by Oliver Hunt.
2141         
2142         This is a 5-10% speed-up on Octane/closure.
2143
2144         * interpreter/Interpreter.cpp:
2145         (JSC::Interpreter::execute):
2146         * jsc.cpp:
2147         (GlobalObject::finishCreation):
2148         (functionClearCodeCache):
2149         * runtime/BatchedTransitionOptimizer.h:
2150         (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
2151         (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
2152
2153 2014-02-27  Alexey Proskuryakov  <ap@apple.com>
2154
2155         Added svn:ignore to two directories, so that .pyc files don't show up as unversioned.
2156
2157         * inspector/scripts: Added property svn:ignore.
2158         * replay/scripts: Added property svn:ignore.
2159
2160 2014-02-27  Gabor Rapcsanyi  <rgabor@webkit.org>
2161
2162         r164764 broke the ARM build
2163         https://bugs.webkit.org/show_bug.cgi?id=129415
2164
2165         Reviewed by Zoltan Herczeg.
2166
2167         * assembler/MacroAssemblerARM.h:
2168         (JSC::MacroAssemblerARM::moveWithPatch): Change reinterpret_cast to static_cast.
2169         (JSC::MacroAssemblerARM::canJumpReplacePatchableBranch32WithPatch): Add missing function.
2170         (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress): Add missing function.
2171         (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch): Add missing function.
2172
2173 2014-02-27  Mark Hahnenberg  <mhahnenberg@apple.com>
2174
2175         r164764 broke the ARM build
2176         https://bugs.webkit.org/show_bug.cgi?id=129415
2177
2178         Reviewed by Geoffrey Garen.
2179
2180         * assembler/MacroAssemblerARM.h:
2181         (JSC::MacroAssemblerARM::moveWithPatch):
2182
2183 2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>
2184
2185         r164764 broke the ARM build
2186         https://bugs.webkit.org/show_bug.cgi?id=129415
2187
2188         Reviewed by Geoffrey Garen.
2189
2190         * assembler/MacroAssemblerARM.h:
2191         (JSC::MacroAssemblerARM::branch32WithPatch): Missing this function.
2192
2193 2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>
2194
2195         EFL build fix
2196
2197         * dfg/DFGSpeculativeJIT32_64.cpp: Remove unused variables.
2198         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
2199         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
2200
2201 2014-02-25  Mark Hahnenberg  <mhahnenberg@apple.com>
2202
2203         Make JSCells have 32-bit Structure pointers
2204         https://bugs.webkit.org/show_bug.cgi?id=123195
2205
2206         Reviewed by Filip Pizlo.
2207
2208         This patch changes JSCells such that they no longer have a full 64-bit Structure
2209         pointer in their header. Instead they now have a 32-bit index into
2210         a per-VM table of Structure pointers. 32-bit platforms still use normal Structure
2211         pointers.
2212
2213         This change frees up an additional 32 bits of information in our object headers.
2214         We then use this extra space to store the indexing type of the object, the JSType
2215         of the object, some various type flags, and garbage collection data (e.g. mark bit).
2216         Because this inline type information is now faster to read, it pays for the slowdown 
2217         incurred by having to perform an extra indirection through the StructureIDTable.
2218
2219         This patch also threads a reference to the current VM through more of the C++ runtime
2220         to offset the cost of having to look up the VM to get the actual Structure pointer.
2221
2222         * API/JSContext.mm:
2223         (-[JSContext setException:]):
2224         (-[JSContext wrapperForObjCObject:]):
2225         (-[JSContext wrapperForJSObject:]):
2226         * API/JSContextRef.cpp:
2227         (JSContextGroupRelease):
2228         (JSGlobalContextRelease):
2229         * API/JSObjectRef.cpp:
2230         (JSObjectIsFunction):
2231         (JSObjectCopyPropertyNames):
2232         * API/JSValue.mm:
2233         (containerValueToObject):
2234         * API/JSWrapperMap.mm:
2235         (tryUnwrapObjcObject):
2236         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2237         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2238         * JavaScriptCore.xcodeproj/project.pbxproj:
2239         * assembler/AbstractMacroAssembler.h:
2240         * assembler/MacroAssembler.h:
2241         (JSC::MacroAssembler::patchableBranch32WithPatch):
2242         (JSC::MacroAssembler::patchableBranch32):
2243         * assembler/MacroAssemblerARM64.h:
2244         (JSC::MacroAssemblerARM64::branchPtrWithPatch):
2245         (JSC::MacroAssemblerARM64::patchableBranch32WithPatch):
2246         (JSC::MacroAssemblerARM64::canJumpReplacePatchableBranch32WithPatch):
2247         (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
2248         (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
2249         * assembler/MacroAssemblerARMv7.h:
2250         (JSC::MacroAssemblerARMv7::store8):
2251         (JSC::MacroAssemblerARMv7::branch32WithPatch):
2252         (JSC::MacroAssemblerARMv7::patchableBranch32WithPatch):
2253         (JSC::MacroAssemblerARMv7::canJumpReplacePatchableBranch32WithPatch):
2254         (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
2255         (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
2256         * assembler/MacroAssemblerX86.h:
2257         (JSC::MacroAssemblerX86::branch32WithPatch):
2258         (JSC::MacroAssemblerX86::canJumpReplacePatchableBranch32WithPatch):
2259         (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
2260         (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
2261         * assembler/MacroAssemblerX86_64.h:
2262         (JSC::MacroAssemblerX86_64::store32):
2263         (JSC::MacroAssemblerX86_64::moveWithPatch):
2264         (JSC::MacroAssemblerX86_64::branch32WithPatch):
2265         (JSC::MacroAssemblerX86_64::canJumpReplacePatchableBranch32WithPatch):
2266         (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
2267         (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
2268         (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
2269         * assembler/RepatchBuffer.h:
2270         (JSC::RepatchBuffer::startOfPatchableBranch32WithPatchOnAddress):
2271         (JSC::RepatchBuffer::revertJumpReplacementToPatchableBranch32WithPatch):
2272         * assembler/X86Assembler.h:
2273         (JSC::X86Assembler::revertJumpTo_movq_i64r):
2274         (JSC::X86Assembler::revertJumpTo_movl_i32r):
2275         * bytecode/ArrayProfile.cpp:
2276         (JSC::ArrayProfile::computeUpdatedPrediction):
2277         * bytecode/ArrayProfile.h:
2278         (JSC::ArrayProfile::ArrayProfile):
2279         (JSC::ArrayProfile::addressOfLastSeenStructureID):
2280         (JSC::ArrayProfile::observeStructure):
2281         * bytecode/CodeBlock.h:
2282         (JSC::CodeBlock::heap):
2283         * bytecode/UnlinkedCodeBlock.h:
2284         * debugger/Debugger.h:
2285         * dfg/DFGAbstractHeap.h:
2286         * dfg/DFGArrayifySlowPathGenerator.h:
2287         * dfg/DFGClobberize.h:
2288         (JSC::DFG::clobberize):
2289         * dfg/DFGJITCompiler.h:
2290         (JSC::DFG::JITCompiler::branchWeakStructure):
2291         (JSC::DFG::JITCompiler::branchStructurePtr):
2292         * dfg/DFGOSRExitCompiler32_64.cpp:
2293         (JSC::DFG::OSRExitCompiler::compileExit):
2294         * dfg/DFGOSRExitCompiler64.cpp:
2295         (JSC::DFG::OSRExitCompiler::compileExit):
2296         * dfg/DFGOSRExitCompilerCommon.cpp:
2297         (JSC::DFG::osrWriteBarrier):
2298         (JSC::DFG::adjustAndJumpToTarget):
2299         * dfg/DFGOperations.cpp:
2300         (JSC::DFG::putByVal):
2301         * dfg/DFGSpeculativeJIT.cpp:
2302         (JSC::DFG::SpeculativeJIT::checkArray):
2303         (JSC::DFG::SpeculativeJIT::arrayify):
2304         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
2305         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
2306         (JSC::DFG::SpeculativeJIT::compileInstanceOf):
2307         (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
2308         (JSC::DFG::SpeculativeJIT::speculateObject):
2309         (JSC::DFG::SpeculativeJIT::speculateFinalObject):
2310         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
2311         (JSC::DFG::SpeculativeJIT::speculateString):
2312         (JSC::DFG::SpeculativeJIT::speculateStringObject):
2313         (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
2314         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
2315         (JSC::DFG::SpeculativeJIT::emitSwitchString):
2316         (JSC::DFG::SpeculativeJIT::genericWriteBarrier):
2317         (JSC::DFG::SpeculativeJIT::writeBarrier):
2318         * dfg/DFGSpeculativeJIT.h:
2319         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
2320         (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
2321         * dfg/DFGSpeculativeJIT32_64.cpp:
2322         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
2323         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
2324         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
2325         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
2326         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
2327         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2328         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2329         (JSC::DFG::SpeculativeJIT::compile):
2330         (JSC::DFG::SpeculativeJIT::writeBarrier):
2331         * dfg/DFGSpeculativeJIT64.cpp:
2332         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
2333         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
2334         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
2335         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
2336         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
2337         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2338         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2339         (JSC::DFG::SpeculativeJIT::compile):
2340         (JSC::DFG::SpeculativeJIT::writeBarrier):
2341         * dfg/DFGWorklist.cpp:
2342         * ftl/FTLAbstractHeapRepository.cpp:
2343         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
2344         * ftl/FTLAbstractHeapRepository.h:
2345         * ftl/FTLLowerDFGToLLVM.cpp:
2346         (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
2347         (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
2348         (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
2349         (JSC::FTL::LowerDFGToLLVM::compileToString):
2350         (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
2351         (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
2352         (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
2353         (JSC::FTL::LowerDFGToLLVM::allocateCell):
2354         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
2355         (JSC::FTL::LowerDFGToLLVM::isObject):
2356         (JSC::FTL::LowerDFGToLLVM::isString):
2357         (JSC::FTL::LowerDFGToLLVM::isArrayType):
2358         (JSC::FTL::LowerDFGToLLVM::hasClassInfo):
2359         (JSC::FTL::LowerDFGToLLVM::isType):
2360         (JSC::FTL::LowerDFGToLLVM::speculateStringOrStringObject):
2361         (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForCell):
2362         (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
2363         (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
2364         (JSC::FTL::LowerDFGToLLVM::loadMarkByte):
2365         (JSC::FTL::LowerDFGToLLVM::loadStructure):
2366         (JSC::FTL::LowerDFGToLLVM::weakStructure):
2367         * ftl/FTLOSRExitCompiler.cpp:
2368         (JSC::FTL::compileStub):
2369         * ftl/FTLOutput.h:
2370         (JSC::FTL::Output::store8):
2371         * heap/GCAssertions.h:
2372         * heap/Heap.cpp:
2373         (JSC::Heap::getConservativeRegisterRoots):
2374         (JSC::Heap::collect):
2375         (JSC::Heap::writeBarrier):
2376         * heap/Heap.h:
2377         (JSC::Heap::structureIDTable):
2378         * heap/MarkedSpace.h:
2379         (JSC::MarkedSpace::forEachBlock):
2380         * heap/SlotVisitorInlines.h:
2381         (JSC::SlotVisitor::internalAppend):
2382         * jit/AssemblyHelpers.h:
2383         (JSC::AssemblyHelpers::branchIfCellNotObject):
2384         (JSC::AssemblyHelpers::genericWriteBarrier):
2385         (JSC::AssemblyHelpers::emitLoadStructure):
2386         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
2387         * jit/JIT.h:
2388         * jit/JITCall.cpp:
2389         (JSC::JIT::compileOpCall):
2390         (JSC::JIT::privateCompileClosureCall):
2391         * jit/JITCall32_64.cpp:
2392         (JSC::JIT::emit_op_ret_object_or_this):
2393         (JSC::JIT::compileOpCall):
2394         (JSC::JIT::privateCompileClosureCall):
2395         * jit/JITInlineCacheGenerator.cpp:
2396         (JSC::JITByIdGenerator::generateFastPathChecks):
2397         * jit/JITInlineCacheGenerator.h:
2398         * jit/JITInlines.h:
2399         (JSC::JIT::emitLoadCharacterString):
2400         (JSC::JIT::checkStructure):
2401         (JSC::JIT::emitJumpIfCellNotObject):
2402         (JSC::JIT::emitAllocateJSObject):
2403         (JSC::JIT::emitArrayProfilingSiteWithCell):
2404         (JSC::JIT::emitArrayProfilingSiteForBytecodeIndexWithCell):
2405         (JSC::JIT::branchStructure):
2406         (JSC::branchStructure):
2407         * jit/JITOpcodes.cpp:
2408         (JSC::JIT::emit_op_check_has_instance):
2409         (JSC::JIT::emit_op_instanceof):
2410         (JSC::JIT::emit_op_is_undefined):
2411         (JSC::JIT::emit_op_is_string):
2412         (JSC::JIT::emit_op_ret_object_or_this):
2413         (JSC::JIT::emit_op_to_primitive):
2414         (JSC::JIT::emit_op_jeq_null):
2415         (JSC::JIT::emit_op_jneq_null):
2416         (JSC::JIT::emit_op_get_pnames):
2417         (JSC::JIT::emit_op_next_pname):
2418         (JSC::JIT::emit_op_eq_null):
2419         (JSC::JIT::emit_op_neq_null):
2420         (JSC::JIT::emit_op_to_this):
2421         (JSC::JIT::emitSlow_op_to_this):
2422         * jit/JITOpcodes32_64.cpp:
2423         (JSC::JIT::emit_op_check_has_instance):
2424         (JSC::JIT::emit_op_instanceof):
2425         (JSC::JIT::emit_op_is_undefined):
2426         (JSC::JIT::emit_op_is_string):
2427         (JSC::JIT::emit_op_to_primitive):
2428         (JSC::JIT::emit_op_jeq_null):
2429         (JSC::JIT::emit_op_jneq_null):
2430         (JSC::JIT::emitSlow_op_eq):
2431         (JSC::JIT::emitSlow_op_neq):
2432         (JSC::JIT::compileOpStrictEq):
2433         (JSC::JIT::emit_op_eq_null):
2434         (JSC::JIT::emit_op_neq_null):
2435         (JSC::JIT::emit_op_get_pnames):
2436         (JSC::JIT::emit_op_next_pname):
2437         (JSC::JIT::emit_op_to_this):
2438         * jit/JITOperations.cpp:
2439         * jit/JITPropertyAccess.cpp:
2440         (JSC::JIT::stringGetByValStubGenerator):
2441         (JSC::JIT::emit_op_get_by_val):
2442         (JSC::JIT::emitSlow_op_get_by_val):
2443         (JSC::JIT::emit_op_get_by_pname):
2444         (JSC::JIT::emit_op_put_by_val):
2445         (JSC::JIT::emit_op_get_by_id):
2446         (JSC::JIT::emitLoadWithStructureCheck):
2447         (JSC::JIT::emitSlow_op_get_from_scope):
2448         (JSC::JIT::emitSlow_op_put_to_scope):
2449         (JSC::JIT::checkMarkWord):
2450         (JSC::JIT::emitWriteBarrier):
2451         (JSC::JIT::addStructureTransitionCheck):
2452         (JSC::JIT::emitIntTypedArrayGetByVal):
2453         (JSC::JIT::emitFloatTypedArrayGetByVal):
2454         (JSC::JIT::emitIntTypedArrayPutByVal):
2455         (JSC::JIT::emitFloatTypedArrayPutByVal):
2456         * jit/JITPropertyAccess32_64.cpp:
2457         (JSC::JIT::stringGetByValStubGenerator):
2458         (JSC::JIT::emit_op_get_by_val):
2459         (JSC::JIT::emitSlow_op_get_by_val):
2460         (JSC::JIT::emit_op_put_by_val):
2461         (JSC::JIT::emit_op_get_by_id):
2462         (JSC::JIT::emit_op_get_by_pname):
2463         (JSC::JIT::emitLoadWithStructureCheck):
2464         * jit/JSInterfaceJIT.h:
2465         (JSC::JSInterfaceJIT::emitJumpIfNotType):
2466         * jit/Repatch.cpp:
2467         (JSC::repatchByIdSelfAccess):
2468         (JSC::addStructureTransitionCheck):
2469         (JSC::replaceWithJump):
2470         (JSC::generateProtoChainAccessStub):
2471         (JSC::tryCacheGetByID):
2472         (JSC::tryBuildGetByIDList):
2473         (JSC::writeBarrier):
2474         (JSC::emitPutReplaceStub):
2475         (JSC::emitPutTransitionStub):
2476         (JSC::tryBuildPutByIdList):
2477         (JSC::tryRepatchIn):
2478         (JSC::linkClosureCall):
2479         (JSC::resetGetByID):
2480         (JSC::resetPutByID):
2481         * jit/SpecializedThunkJIT.h:
2482         (JSC::SpecializedThunkJIT::loadJSStringArgument):
2483         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
2484         * jit/ThunkGenerators.cpp:
2485         (JSC::virtualForThunkGenerator):
2486         (JSC::arrayIteratorNextThunkGenerator):
2487         * jit/UnusedPointer.h:
2488         * llint/LowLevelInterpreter.asm:
2489         * llint/LowLevelInterpreter32_64.asm:
2490         * llint/LowLevelInterpreter64.asm:
2491         * runtime/Arguments.cpp:
2492         (JSC::Arguments::createStrictModeCallerIfNecessary):
2493         (JSC::Arguments::createStrictModeCalleeIfNecessary):
2494         * runtime/Arguments.h:
2495         (JSC::Arguments::createStructure):
2496         * runtime/ArrayPrototype.cpp:
2497         (JSC::shift):
2498         (JSC::unshift):
2499         (JSC::arrayProtoFuncToString):
2500         (JSC::arrayProtoFuncPop):
2501         (JSC::arrayProtoFuncReverse):
2502         (JSC::performSlowSort):
2503         (JSC::arrayProtoFuncSort):
2504         (JSC::arrayProtoFuncSplice):
2505         (JSC::arrayProtoFuncUnShift):
2506         * runtime/CommonSlowPaths.cpp:
2507         (JSC::SLOW_PATH_DECL):
2508         * runtime/Executable.h:
2509         (JSC::ExecutableBase::isFunctionExecutable):
2510         (JSC::ExecutableBase::clearCodeVirtual):
2511         (JSC::ScriptExecutable::unlinkCalls):
2512         * runtime/GetterSetter.cpp:
2513         (JSC::callGetter):
2514         (JSC::callSetter):
2515         * runtime/InitializeThreading.cpp:
2516         * runtime/JSArray.cpp:
2517         (JSC::JSArray::unshiftCountSlowCase):
2518         (JSC::JSArray::setLength):
2519         (JSC::JSArray::pop):
2520         (JSC::JSArray::push):
2521         (JSC::JSArray::shiftCountWithArrayStorage):
2522         (JSC::JSArray::shiftCountWithAnyIndexingType):
2523         (JSC::JSArray::unshiftCountWithArrayStorage):
2524         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2525         (JSC::JSArray::sortNumericVector):
2526         (JSC::JSArray::sortNumeric):
2527         (JSC::JSArray::sortCompactedVector):
2528         (JSC::JSArray::sort):
2529         (JSC::JSArray::sortVector):
2530         (JSC::JSArray::fillArgList):
2531         (JSC::JSArray::copyToArguments):
2532         (JSC::JSArray::compactForSorting):
2533         * runtime/JSCJSValueInlines.h:
2534         (JSC::JSValue::toThis):
2535         (JSC::JSValue::put):
2536         (JSC::JSValue::putByIndex):
2537         (JSC::JSValue::equalSlowCaseInline):
2538         * runtime/JSCell.cpp:
2539         (JSC::JSCell::put):
2540         (JSC::JSCell::putByIndex):
2541         (JSC::JSCell::deleteProperty):
2542         (JSC::JSCell::deletePropertyByIndex):
2543         * runtime/JSCell.h:
2544         (JSC::JSCell::clearStructure):
2545         (JSC::JSCell::mark):
2546         (JSC::JSCell::isMarked):
2547         (JSC::JSCell::structureIDOffset):
2548         (JSC::JSCell::typeInfoFlagsOffset):
2549         (JSC::JSCell::typeInfoTypeOffset):
2550         (JSC::JSCell::indexingTypeOffset):
2551         (JSC::JSCell::gcDataOffset):
2552         * runtime/JSCellInlines.h:
2553         (JSC::JSCell::JSCell):
2554         (JSC::JSCell::finishCreation):
2555         (JSC::JSCell::type):
2556         (JSC::JSCell::indexingType):
2557         (JSC::JSCell::structure):
2558         (JSC::JSCell::visitChildren):
2559         (JSC::JSCell::isObject):
2560         (JSC::JSCell::isString):
2561         (JSC::JSCell::isGetterSetter):
2562         (JSC::JSCell::isProxy):
2563         (JSC::JSCell::isAPIValueWrapper):
2564         (JSC::JSCell::setStructure):
2565         (JSC::JSCell::methodTable):
2566         (JSC::Heap::writeBarrier):
2567         * runtime/JSDataView.cpp:
2568         (JSC::JSDataView::createStructure):
2569         * runtime/JSDestructibleObject.h:
2570         (JSC::JSCell::classInfo):
2571         * runtime/JSFunction.cpp:
2572         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2573         (JSC::JSFunction::put):
2574         (JSC::JSFunction::defineOwnProperty):
2575         * runtime/JSGenericTypedArrayView.h:
2576         (JSC::JSGenericTypedArrayView::createStructure):
2577         * runtime/JSObject.cpp:
2578         (JSC::getCallableObjectSlow):
2579         (JSC::JSObject::copyButterfly):
2580         (JSC::JSObject::visitButterfly):
2581         (JSC::JSFinalObject::visitChildren):
2582         (JSC::JSObject::getOwnPropertySlotByIndex):
2583         (JSC::JSObject::put):
2584         (JSC::JSObject::putByIndex):
2585         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
2586         (JSC::JSObject::enterDictionaryIndexingMode):
2587         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
2588         (JSC::JSObject::createInitialIndexedStorage):
2589         (JSC::JSObject::createInitialUndecided):
2590         (JSC::JSObject::createInitialInt32):
2591         (JSC::JSObject::createInitialDouble):
2592         (JSC::JSObject::createInitialContiguous):
2593         (JSC::JSObject::createArrayStorage):
2594         (JSC::JSObject::convertUndecidedToInt32):
2595         (JSC::JSObject::convertUndecidedToDouble):
2596         (JSC::JSObject::convertUndecidedToContiguous):
2597         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
2598         (JSC::JSObject::convertUndecidedToArrayStorage):
2599         (JSC::JSObject::convertInt32ToDouble):
2600         (JSC::JSObject::convertInt32ToContiguous):
2601         (JSC::JSObject::convertInt32ToArrayStorage):
2602         (JSC::JSObject::genericConvertDoubleToContiguous):
2603         (JSC::JSObject::convertDoubleToArrayStorage):
2604         (JSC::JSObject::convertContiguousToArrayStorage):
2605         (JSC::JSObject::ensureInt32Slow):
2606         (JSC::JSObject::ensureDoubleSlow):
2607         (JSC::JSObject::ensureContiguousSlow):
2608         (JSC::JSObject::ensureArrayStorageSlow):
2609         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
2610         (JSC::JSObject::switchToSlowPutArrayStorage):
2611         (JSC::JSObject::setPrototype):
2612         (JSC::JSObject::setPrototypeWithCycleCheck):
2613         (JSC::JSObject::putDirectNonIndexAccessor):
2614         (JSC::JSObject::deleteProperty):
2615         (JSC::JSObject::hasOwnProperty):
2616         (JSC::JSObject::deletePropertyByIndex):
2617         (JSC::JSObject::getPrimitiveNumber):
2618         (JSC::JSObject::hasInstance):
2619         (JSC::JSObject::getPropertySpecificValue):
2620         (JSC::JSObject::getPropertyNames):
2621         (JSC::JSObject::getOwnPropertyNames):
2622         (JSC::JSObject::getOwnNonIndexPropertyNames):
2623         (JSC::JSObject::seal):
2624         (JSC::JSObject::freeze):
2625         (JSC::JSObject::preventExtensions):
2626         (JSC::JSObject::reifyStaticFunctionsForDelete):
2627         (JSC::JSObject::removeDirect):
2628         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2629         (JSC::JSObject::putByIndexBeyondVectorLength):
2630         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
2631         (JSC::JSObject::putDirectIndexBeyondVectorLength):
2632         (JSC::JSObject::getNewVectorLength):
2633         (JSC::JSObject::countElements):
2634         (JSC::JSObject::increaseVectorLength):
2635         (JSC::JSObject::ensureLengthSlow):
2636         (JSC::JSObject::growOutOfLineStorage):
2637         (JSC::JSObject::getOwnPropertyDescriptor):
2638         (JSC::putDescriptor):
2639         (JSC::JSObject::defineOwnNonIndexProperty):
2640         * runtime/JSObject.h:
2641         (JSC::getJSFunction):
2642         (JSC::JSObject::getArrayLength):
2643         (JSC::JSObject::getVectorLength):
2644         (JSC::JSObject::putByIndexInline):
2645         (JSC::JSObject::canGetIndexQuickly):
2646         (JSC::JSObject::getIndexQuickly):
2647         (JSC::JSObject::tryGetIndexQuickly):
2648         (JSC::JSObject::getDirectIndex):
2649         (JSC::JSObject::canSetIndexQuickly):
2650         (JSC::JSObject::canSetIndexQuicklyForPutDirect):
2651         (JSC::JSObject::setIndexQuickly):
2652         (JSC::JSObject::initializeIndex):
2653         (JSC::JSObject::hasSparseMap):
2654         (JSC::JSObject::inSparseIndexingMode):
2655         (JSC::JSObject::getDirect):
2656         (JSC::JSObject::getDirectOffset):
2657         (JSC::JSObject::isSealed):
2658         (JSC::JSObject::isFrozen):
2659         (JSC::JSObject::flattenDictionaryObject):
2660         (JSC::JSObject::ensureInt32):
2661         (JSC::JSObject::ensureDouble):
2662         (JSC::JSObject::ensureContiguous):
2663         (JSC::JSObject::rageEnsureContiguous):
2664         (JSC::JSObject::ensureArrayStorage):
2665         (JSC::JSObject::arrayStorage):
2666         (JSC::JSObject::arrayStorageOrNull):
2667         (JSC::JSObject::ensureLength):
2668         (JSC::JSObject::currentIndexingData):
2669         (JSC::JSObject::getHolyIndexQuickly):
2670         (JSC::JSObject::currentRelevantLength):
2671         (JSC::JSObject::isGlobalObject):
2672         (JSC::JSObject::isVariableObject):
2673         (JSC::JSObject::isStaticScopeObject):
2674         (JSC::JSObject::isNameScopeObject):
2675         (JSC::JSObject::isActivationObject):
2676         (JSC::JSObject::isErrorInstance):
2677         (JSC::JSObject::inlineGetOwnPropertySlot):
2678         (JSC::JSObject::fastGetOwnPropertySlot):
2679         (JSC::JSObject::getPropertySlot):
2680         (JSC::JSObject::putDirectInternal):
2681         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
2682         * runtime/JSPropertyNameIterator.h:
2683         (JSC::JSPropertyNameIterator::createStructure):
2684         * runtime/JSProxy.cpp:
2685         (JSC::JSProxy::getOwnPropertySlot):
2686         (JSC::JSProxy::getOwnPropertySlotByIndex):
2687         (JSC::JSProxy::put):
2688         (JSC::JSProxy::putByIndex):
2689         (JSC::JSProxy::defineOwnProperty):
2690         (JSC::JSProxy::deleteProperty):
2691         (JSC::JSProxy::deletePropertyByIndex):
2692         (JSC::JSProxy::getPropertyNames):
2693         (JSC::JSProxy::getOwnPropertyNames):
2694         * runtime/JSScope.cpp:
2695         (JSC::JSScope::objectAtScope):
2696         * runtime/JSString.h:
2697         (JSC::JSString::createStructure):
2698         (JSC::isJSString):
2699         * runtime/JSType.h:
2700         * runtime/JSTypeInfo.h:
2701         (JSC::TypeInfo::TypeInfo):
2702         (JSC::TypeInfo::isObject):
2703         (JSC::TypeInfo::structureIsImmortal):
2704         (JSC::TypeInfo::zeroedGCDataOffset):
2705         (JSC::TypeInfo::inlineTypeFlags):
2706         * runtime/MapData.h:
2707         * runtime/ObjectConstructor.cpp:
2708         (JSC::objectConstructorGetOwnPropertyNames):
2709         (JSC::objectConstructorKeys):
2710         (JSC::objectConstructorDefineProperty):
2711         (JSC::defineProperties):
2712         (JSC::objectConstructorSeal):
2713         (JSC::objectConstructorFreeze):
2714         (JSC::objectConstructorIsSealed):
2715         (JSC::objectConstructorIsFrozen):
2716         * runtime/ObjectPrototype.cpp:
2717         (JSC::objectProtoFuncDefineGetter):
2718         (JSC::objectProtoFuncDefineSetter):
2719         (JSC::objectProtoFuncToString):
2720         * runtime/Operations.cpp:
2721         (JSC::jsTypeStringForValue):
2722         (JSC::jsIsObjectType):
2723         * runtime/Operations.h:
2724         (JSC::normalizePrototypeChainForChainAccess):
2725         (JSC::normalizePrototypeChain):
2726         * runtime/PropertyMapHashTable.h:
2727         (JSC::PropertyTable::createStructure):
2728         * runtime/RegExp.h:
2729         (JSC::RegExp::createStructure):
2730         * runtime/SparseArrayValueMap.h:
2731         * runtime/Structure.cpp:
2732         (JSC::Structure::Structure):
2733         (JSC::Structure::~Structure):
2734         (JSC::Structure::prototypeChainMayInterceptStoreTo):
2735         * runtime/Structure.h:
2736         (JSC::Structure::id):
2737         (JSC::Structure::idBlob):
2738         (JSC::Structure::objectInitializationFields):
2739         (JSC::Structure::structureIDOffset):
2740         * runtime/StructureChain.h:
2741         (JSC::StructureChain::createStructure):
2742         * runtime/StructureIDTable.cpp: Added.
2743         (JSC::StructureIDTable::StructureIDTable):
2744         (JSC::StructureIDTable::~StructureIDTable):
2745         (JSC::StructureIDTable::resize):
2746         (JSC::StructureIDTable::flushOldTables):
2747         (JSC::StructureIDTable::allocateID):
2748         (JSC::StructureIDTable::deallocateID):
2749         * runtime/StructureIDTable.h: Added.
2750         (JSC::StructureIDTable::base):
2751         (JSC::StructureIDTable::get):
2752         * runtime/SymbolTable.h:
2753         * runtime/TypedArrayType.cpp:
2754         (JSC::typeForTypedArrayType):
2755         * runtime/TypedArrayType.h:
2756         * runtime/WeakMapData.h:
2757
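Added example, not JSC's code: a simplified model of what the entry above describes, a per-VM table that maps a 32-bit StructureID to a Structure pointer, and a cell header that packs the indexing type, JSType, type flags and GC data into the 32 bits the index frees up. The names StructureIDTable, allocateID, deallocateID, flushOldTables, base and idBlob follow the entry's file list; the Structure stand-in, the header layout, the initial capacity and the free-list policy are this example's assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Hypothetical stand-in for JSC::Structure: only the bytes the header caches.
struct Structure {
    uint8_t indexingType;
    uint8_t jsType;
    uint8_t typeFlags;
};

typedef uint32_t StructureID;

// Simplified per-VM table. Slot 0 is reserved so that a zeroed header never
// resolves to a live Structure. Old tables are retained across a resize.
class StructureIDTable {
public:
    StructureIDTable()
        : m_capacity(4)
        , m_table(new Structure*[m_capacity]())
        , m_size(1)
    { }

    ~StructureIDTable()
    {
        delete[] m_table;
        flushOldTables();
    }

    Structure** base() const { return m_table; } // what compiled code would cache
    size_t capacity() const { return m_capacity; }
    size_t oldTableCount() const { return m_oldTables.size(); }
    Structure* get(StructureID id) const { return m_table[id]; }

    StructureID allocateID(Structure* structure)
    {
        StructureID id;
        if (!m_freeList.empty()) {
            id = m_freeList.back(); // reuse a freed slot first
            m_freeList.pop_back();
        } else {
            if (m_size == m_capacity)
                resize(m_capacity * 2);
            id = m_size++;
        }
        m_table[id] = structure;
        return id;
    }

    // Clearing the slot means a stale ID left in a cell resolves to null
    // rather than to a Structure that has since been freed.
    void deallocateID(StructureID id)
    {
        m_table[id] = 0;
        m_freeList.push_back(id);
    }

    // Old tables stay allocated until no reader can still hold a base()
    // pointer obtained before the resize; the caller decides when that is.
    void flushOldTables()
    {
        for (size_t i = 0; i < m_oldTables.size(); ++i)
            delete[] m_oldTables[i];
        m_oldTables.clear();
    }

private:
    void resize(size_t newCapacity)
    {
        Structure** newTable = new Structure*[newCapacity]();
        std::memcpy(newTable, m_table, m_capacity * sizeof(Structure*));
        m_oldTables.push_back(m_table);
        m_table = newTable;
        m_capacity = newCapacity;
    }

    size_t m_capacity;
    Structure** m_table;
    StructureID m_size;
    std::vector<StructureID> m_freeList;
    std::vector<Structure**> m_oldTables;
};

// Type checks and the mark bit read these bytes from the cell itself; only
// code that needs the Structure goes through the table.
struct CellHeader {
    uint32_t structureID;
    uint8_t indexingType;
    uint8_t jsType;
    uint8_t typeFlags;
    uint8_t gcData;
};

// Analogue of Structure::idBlob(): one 64-bit word that initialises the whole
// header in a single store. The byte order here is this example's choice.
inline uint64_t idBlob(StructureID id, const Structure& s)
{
    return uint64_t(id)
        | (uint64_t(s.indexingType) << 32)
        | (uint64_t(s.jsType) << 40)
        | (uint64_t(s.typeFlags) << 48); // gcData byte starts out zero
}

inline CellHeader decodeHeader(uint64_t blob)
{
    CellHeader h;
    h.structureID = uint32_t(blob);
    h.indexingType = uint8_t(blob >> 32);
    h.jsType = uint8_t(blob >> 40);
    h.typeFlags = uint8_t(blob >> 48);
    h.gcData = uint8_t(blob >> 56);
    return h;
}
```

Two invariants carry the safety of this layout: no live cell may hold an ID whose slot has been reused (here a freed slot is nulled so a stale ID fails loudly instead of aliasing another Structure), and a cached base() pointer must not outlive the table it points at (here old tables are kept until flushOldTables()). Both are the collector's responsibility, not the table's.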
2758 2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>
2759
2760         Unconditional logging in compileFTLOSRExit
2761         https://bugs.webkit.org/show_bug.cgi?id=129407
2762
2763         Reviewed by Michael Saboff.
2764
2765         This was causing tests to fail with the FTL enabled.
2766
2767         * ftl/FTLOSRExitCompiler.cpp:
2768         (JSC::FTL::compileFTLOSRExit):
2769
2770 2014-02-26  Oliver Hunt  <oliver@apple.com>
2771
2772         Remove unused access types
2773         https://bugs.webkit.org/show_bug.cgi?id=129385
2774
2775         Reviewed by Filip Pizlo.
2776
2777         Remove unused cruft.
2778
2779         * bytecode/CodeBlock.cpp:
2780         (JSC::CodeBlock::printGetByIdCacheStatus):
2781         * bytecode/StructureStubInfo.cpp:
2782         (JSC::StructureStubInfo::deref):
2783         * bytecode/StructureStubInfo.h:
2784         (JSC::isGetByIdAccess):
2785         (JSC::isPutByIdAccess):
2786
2787 2014-02-26  Oliver Hunt  <oliver@apple.com>
2788
2789         Function.prototype.apply has a bad time with the spread operator
2790         https://bugs.webkit.org/show_bug.cgi?id=129381
2791
2792         Reviewed by Mark Hahnenberg.
2793
2794         Make sure our apply logic handles the spread operator correctly.
2795         To do this we simply emit the enumeration logic that we'd normally
2796         use for other enumerations, but only store the first two results
2797         to registers.  Then perform a varargs call.
2798
2799         * bytecompiler/NodesCodegen.cpp:
2800         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2801
2802 2014-02-26  Mark Lam  <mark.lam@apple.com>
2803
2804         Compilation policy management belongs in operationOptimize(), not the DFG Driver.
2805         <https://webkit.org/b/129355>
2806
2807         Reviewed by Filip Pizlo.
2808
2809         By compilation policy, I mean the rules for determining whether to
2810         compile, when to compile, when to attempt compilation again, etc.  The
2811         few of these policy decisions that were previously being made in the
2812         DFG driver are now moved to operationOptimize() where we keep the rest
2813         of the policy logic.  Decisions that are based on the capabilities
2814         supported by the DFG are moved to DFG capabilityLevel().
2815
2816         I've run the following benchmarks:
2817         1. the collection of jsc benchmarks on the jsc executable vs. its
2818            baseline.
2819         2. Octane 2.0 in browser without the WebInspector.
2820         3. Octane 2.0 in browser with the WebInspector open and a breakpoint
2821            set somewhere where it won't break.
2822
2823         In all of these, the results came out to be a wash as expected.
2824
2825         * dfg/DFGCapabilities.cpp:
2826         (JSC::DFG::isSupported):
2827         (JSC::DFG::mightCompileEval):
2828         (JSC::DFG::mightCompileProgram):
2829         (JSC::DFG::mightCompileFunctionForCall):
2830         (JSC::DFG::mightCompileFunctionForConstruct):
2831         (JSC::DFG::mightInlineFunctionForCall):
2832         (JSC::DFG::mightInlineFunctionForClosureCall):
2833         (JSC::DFG::mightInlineFunctionForConstruct):
2834         * dfg/DFGCapabilities.h:
2835         * dfg/DFGDriver.cpp:
2836         (JSC::DFG::compileImpl):
2837         * jit/JITOperations.cpp:
2838
2839 2014-02-26  Mark Lam  <mark.lam@apple.com>
2840
2841         ASSERTION FAILED: m_heap->vm()->currentThreadIsHoldingAPILock() in inspector-protocol/*.
2842         <https://webkit.org/b/129364>
2843
2844         Reviewed by Alexey Proskuryakov.
2845
2846         InjectedScriptModule::ensureInjected() needs an APIEntryShim.
2847
2848         * inspector/InjectedScriptModule.cpp:
2849         (Inspector::InjectedScriptModule::ensureInjected):
2850         - Added the needed but missing APIEntryShim. 
2851
2852 2014-02-25  Mark Lam  <mark.lam@apple.com>
2853
2854         Web Inspector: CRASH when evaluating in console of JSContext RWI with disabled breakpoints.
2855         <https://webkit.org/b/128766>
2856
2857         Reviewed by Geoffrey Garen.
2858
2859         Make the JSLock::grabAllLocks() work the same way as for the C loop LLINT.
2860         The reasoning is that we don't know of any clients that need unordered
2861         re-entry into the VM from different threads. So, we're enforcing ordered
2862         re-entry i.e. we must re-grab locks in the reverse order of dropping locks.
2863
2864         The crash in this bug happened because we were allowing unordered re-entry,
2865         and the following type of scenario occurred:
2866
2867         1. Thread T1 locks the VM, and enters the VM to execute some JS code.
2868         2. On entry, T1 detects that VM::m_entryScope is null i.e. this is the
2869            first time it entered the VM.
2870            T1 sets VM::m_entryScope to T1's entryScope.
2871         3. T1 drops all locks.
2872
2873         4. Thread T2 locks the VM, and enters the VM to execute some JS code.
2874            On entry, T2 sees that VM::m_entryScope is NOT null, and therefore
2875            does not set the entryScope.
2876         5. T2 drops all locks.
2877
2878         6. T1 re-grabs locks.
2879         7. T1 returns all the way out of JS code. On exit from the outer most
2880            JS function, T1 clears VM::m_entryScope (because T1 was the one who
2881            set it).
2882         8. T1 unlocks the VM.
2883
2884         9. T2 re-grabs locks.
2885         10. T2 proceeds to execute some code and expects VM::m_entryScope to be
2886             NOT null, but it turns out to be null. Assertion failures and
2887             crashes ensue.
2888
2889         With ordered re-entry, at step 6, T1 will loop and yield until T2 exits
2890         the VM. Hence, the issue will no longer manifest.
2891
2892         * runtime/JSLock.cpp:
2893         (JSC::JSLock::dropAllLocks):
2894         (JSC::JSLock::grabAllLocks):
2895         * runtime/JSLock.h:
2896         (JSC::JSLock::DropAllLocks::dropDepth):
2897
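        Added illustration (not WebKit code, and not part of this ChangeLog entry): a deterministic
        model of the ordered re-entry rule described in the entry above. It replays the ten-step
        T1/T2 interleaving once with unordered re-entry, which lets T1 clear the entry scope while
        T2 is still inside the VM, and once with ordered re-entry, which refuses T1's re-grab until
        T2 has exited. The VMModel type, its drop-depth bookkeeping, the thread ids and the
        tryGrabAllLocks() name are assumptions made for this example; the real JSLock loops and
        yields where this model simply returns false.

```cpp
// Added illustration, not WebKit code: a deterministic model of the
// "ordered re-entry" rule for JSLock::dropAllLocks()/grabAllLocks().
// VMModel, the drop-depth bookkeeping and the thread ids are assumptions
// made for this example; the real lock spins/yields where this returns false.
#include <cstddef>
#include <cstdio>
#include <initializer_list>

struct VMModel {
    bool locked = false;
    std::size_t lockDropDepth = 0;   // outstanding dropAllLocks() calls
    int entryScopeOwner = -1;        // stands in for VM::m_entryScope; -1 means null
    bool orderedReentry;

    explicit VMModel(bool ordered) : orderedReentry(ordered) {}

    // Thread tid takes the lock and enters the VM; the first entrant sets the entry scope.
    void enter(int tid) {
        locked = true;
        if (entryScopeOwner == -1)
            entryScopeOwner = tid;
    }

    // Drop the lock; the returned depth is the ticket presented when re-grabbing.
    std::size_t dropAllLocks() {
        std::size_t depth = lockDropDepth++;
        locked = false;
        return depth;
    }

    // Re-grab. With ordered re-entry only the most recent dropper may proceed,
    // so drops and grabs nest like a stack (reverse order of dropping).
    bool tryGrabAllLocks(std::size_t depth) {
        if (locked)
            return false;
        if (orderedReentry && depth + 1 != lockDropDepth)
            return false;
        --lockDropDepth;
        locked = true;
        return true;
    }

    // Leave the outermost JS frame; only the thread that set the entry scope clears it.
    void exit(int tid) {
        if (entryScopeOwner == tid)
            entryScopeOwner = -1;
        locked = false;
    }

    bool entryScopeIsNull() const { return entryScopeOwner == -1; }
};

struct ScenarioResult {
    bool t1ReGrabbedBeforeT2Exited;  // true only when unordered re-entry is allowed
    bool t2SawNullEntryScope;        // the bug: entry scope cleared underneath T2
    bool t2ReGrabbed;
    bool t1ReGrabbedAfterT2Exited;   // ordered case: T1 proceeds once T2 is out
};

// Replays steps 1-10 from the entry above under the chosen re-entry policy.
ScenarioResult runScenario(bool orderedReentry) {
    VMModel vm(orderedReentry);
    const int T1 = 1, T2 = 2;
    ScenarioResult r{};

    vm.enter(T1);                                   // 1-2: T1 sets the entry scope
    std::size_t t1Depth = vm.dropAllLocks();        // 3
    vm.enter(T2);                                   // 4: entry scope already set
    std::size_t t2Depth = vm.dropAllLocks();        // 5
    r.t1ReGrabbedBeforeT2Exited = vm.tryGrabAllLocks(t1Depth); // 6
    if (r.t1ReGrabbedBeforeT2Exited)
        vm.exit(T1);                                // 7-8: T1 clears the scope and unlocks
    r.t2ReGrabbed = vm.tryGrabAllLocks(t2Depth);    // 9
    r.t2SawNullEntryScope = vm.entryScopeIsNull();  // 10
    vm.exit(T2);
    if (!r.t1ReGrabbedBeforeT2Exited) {
        r.t1ReGrabbedAfterT2Exited = vm.tryGrabAllLocks(t1Depth); // T1 was yielding until now
        vm.exit(T1);
    }
    return r;
}

int main() {
    for (bool ordered : {false, true}) {
        ScenarioResult r = runScenario(ordered);
        std::printf("%s re-entry: T1 re-grabbed early=%d, T2 saw null entry scope=%d\n",
                    ordered ? "ordered" : "unordered",
                    r.t1ReGrabbedBeforeT2Exited, r.t2SawNullEntryScope);
    }
    return 0;
}
```

        The drop depth is the only state the policy needs: a re-grab is admitted only when its
        ticket matches the most recent outstanding drop, which is exactly the "reverse order of
        dropping locks" rule the entry describes.
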
2898 2014-02-25  Mark Lam  <mark.lam@apple.com>
2899
2900         Need to initialize VM stack data even when the VM is on an exclusive thread.
2901         <https://webkit.org/b/129265>
2902
2903         Not reviewed.
2904
2905         Relanding r164627 now that <https://webkit.org/b/129341> is fixed.
2906
2907         * API/APIShims.h:
2908         (JSC::APIEntryShim::APIEntryShim):
2909         (JSC::APICallbackShim::shouldDropAllLocks):
2910         * heap/MachineStackMarker.cpp:
2911         (JSC::MachineThreads::addCurrentThread):
2912         * runtime/JSLock.cpp:
2913         (JSC::JSLockHolder::JSLockHolder):
2914         (JSC::JSLockHolder::init):
2915         (JSC::JSLockHolder::~JSLockHolder):
2916         (JSC::JSLock::JSLock):
2917         (JSC::JSLock::setExclusiveThread):
2918         (JSC::JSLock::lock):
2919         (JSC::JSLock::unlock):
2920         (JSC::JSLock::currentThreadIsHoldingLock):
2921         (JSC::JSLock::dropAllLocks):
2922         (JSC::JSLock::grabAllLocks):
2923         * runtime/JSLock.h:
2924         (JSC::JSLock::hasExclusiveThread):
2925         (JSC::JSLock::exclusiveThread):
2926         * runtime/VM.cpp:
2927         (JSC::VM::VM):
2928         * runtime/VM.h:
2929         (JSC::VM::hasExclusiveThread):
2930         (JSC::VM::exclusiveThread):
2931         (JSC::VM::setExclusiveThread):
2932         (JSC::VM::currentThreadIsHoldingAPILock):
2933
2934 2014-02-25  Filip Pizlo  <fpizlo@apple.com>
2935
2936         Inline caching in the FTL on ARM64 should "work"
2937         https://bugs.webkit.org/show_bug.cgi?id=129334
2938
2939         Reviewed by Mark Hahnenberg.
2940         
2941         Gets us to the point where simple tests that use inline caching are passing.
2942
2943         * assembler/LinkBuffer.cpp:
2944         (JSC::LinkBuffer::copyCompactAndLinkCode):
2945         (JSC::LinkBuffer::shrink):
2946         * ftl/FTLInlineCacheSize.cpp:
2947         (JSC::FTL::sizeOfGetById):
2948         (JSC::FTL::sizeOfPutById):
2949         (JSC::FTL::sizeOfCall):
2950         * ftl/FTLOSRExitCompiler.cpp:
2951         (JSC::FTL::compileFTLOSRExit):
2952         * ftl/FTLThunks.cpp:
2953         (JSC::FTL::osrExitGenerationThunkGenerator):
2954         * jit/GPRInfo.h:
2955         * offlineasm/arm64.rb:
2956
2957 2014-02-25  Commit Queue  <commit-queue@webkit.org>
2958
2959         Unreviewed, rolling out r164627.
2960         http://trac.webkit.org/changeset/164627
2961         https://bugs.webkit.org/show_bug.cgi?id=129325
2962
2963         Broke SubtleCrypto tests (Requested by ap on #webkit).
2964
2965         * API/APIShims.h:
2966         (JSC::APIEntryShim::APIEntryShim):
2967         (JSC::APICallbackShim::shouldDropAllLocks):
2968         * heap/MachineStackMarker.cpp:
2969         (JSC::MachineThreads::addCurrentThread):
2970         * runtime/JSLock.cpp:
2971         (JSC::JSLockHolder::JSLockHolder):
2972         (JSC::JSLockHolder::init):
2973         (JSC::JSLockHolder::~JSLockHolder):
2974         (JSC::JSLock::JSLock):
2975         (JSC::JSLock::lock):
2976         (JSC::JSLock::unlock):
2977         (JSC::JSLock::currentThreadIsHoldingLock):
2978         (JSC::JSLock::dropAllLocks):
2979         (JSC::JSLock::grabAllLocks):
2980         * runtime/JSLock.h:
2981         * runtime/VM.cpp:
2982         (JSC::VM::VM):
2983         * runtime/VM.h:
2984         (JSC::VM::currentThreadIsHoldingAPILock):
2985
2986 2014-02-25  Filip Pizlo  <fpizlo@apple.com>
2987
2988         ARM64 rshift64 should be an arithmetic shift
2989         https://bugs.webkit.org/show_bug.cgi?id=129323
2990
2991         Reviewed by Mark Hahnenberg.
2992
2993         * assembler/MacroAssemblerARM64.h:
2994         (JSC::MacroAssemblerARM64::rshift64):
2995
2996 2014-02-25  Sergio Villar Senin  <svillar@igalia.com>
2997
2998         [CSS Grid Layout] Add ENABLE flag
2999         https://bugs.webkit.org/show_bug.cgi?id=129153
3000
3001         Reviewed by Simon Fraser.
3002
3003         * Configurations/FeatureDefines.xcconfig: added ENABLE_CSS_GRID_LAYOUT feature flag.
3004
3005 2014-02-25  Michael Saboff  <msaboff@apple.com>
3006
3007         JIT Engines use the wrong stack limit for stack checks
3008         https://bugs.webkit.org/show_bug.cgi?id=129314
3009
3010         Reviewed by Filip Pizlo.
3011
3012         Change the Baseline and DFG code to use VM::m_stackLimit for stack limit checks.
3013
3014         * dfg/DFGJITCompiler.cpp:
3015         (JSC::DFG::JITCompiler::compileFunction):
3016         * jit/JIT.cpp:
3017         (JSC::JIT::privateCompile):
3018         * jit/JITCall.cpp:
3019         (JSC::JIT::compileLoadVarargs):
3020         * jit/JITCall32_64.cpp:
3021         (JSC::JIT::compileLoadVarargs):
3022         * runtime/VM.h:
3023         (JSC::VM::addressOfStackLimit):
3024
3025 2014-02-25  Filip Pizlo  <fpizlo@apple.com>
3026
3027         Unreviewed, roll out http://trac.webkit.org/changeset/164493.
3028         
3029         It causes crashes, apparently because it's removing too many barriers. I will investigate
3030         later.
3031
3032         * bytecode/SpeculatedType.cpp:
3033         (JSC::speculationToAbbreviatedString):
3034         * bytecode/SpeculatedType.h:
3035         * dfg/DFGFixupPhase.cpp:
3036         (JSC::DFG::FixupPhase::fixupNode):
3037         (JSC::DFG::FixupPhase::insertStoreBarrier):
3038         * dfg/DFGNode.h:
3039         * ftl/FTLCapabilities.cpp:
3040         (JSC::FTL::canCompile):
3041         * ftl/FTLLowerDFGToLLVM.cpp:
3042         (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
3043         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
3044         (JSC::FTL::LowerDFGToLLVM::isNotNully):
3045         (JSC::FTL::LowerDFGToLLVM::isNully):
3046         (JSC::FTL::LowerDFGToLLVM::speculate):
3047         (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
3048         (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
3049
3050 2014-02-24  Oliver Hunt  <oliver@apple.com>
3051
3052         Fix build.
3053
3054         * jit/CCallHelpers.h:
3055         (JSC::CCallHelpers::setupArgumentsWithExecState):
3056
3057 2014-02-24  Oliver Hunt  <oliver@apple.com>
3058
3059         Spread operator has a bad time when applied to call function
3060         https://bugs.webkit.org/show_bug.cgi?id=128853
3061
3062         Reviewed by Geoffrey Garen.
3063
3064         Follow on from the previous patch that added an extra slot to
3065         op_call_varargs (and _call, _call_eval, _construct).  We now
3066         use the slot as an offset to in effect act as a 'slice' on
3067         the spread subject.  This allows us to automatically retain
3068         all our existing argument and array optimisations.  Most of
3069         this patch is simply threading the offset around.
3070
3071         * bytecode/CodeBlock.cpp:
3072         (JSC::CodeBlock::dumpBytecode):
3073         * bytecompiler/BytecodeGenerator.cpp:
3074         (JSC::BytecodeGenerator::emitCall):
3075         (JSC::BytecodeGenerator::emitCallVarargs):
3076         * bytecompiler/BytecodeGenerator.h:
3077         * bytecompiler/NodesCodegen.cpp:
3078         (JSC::getArgumentByVal):
3079         (JSC::CallFunctionCallDotNode::emitBytecode):
3080         (JSC::ApplyFunctionCallDotNode::emitBytecode):
3081         * interpreter/Interpreter.cpp:
3082         (JSC::sizeFrameForVarargs):
3083         (JSC::loadVarargs):
3084         * interpreter/Interpreter.h:
3085         * jit/CCallHelpers.h:
3086         (JSC::CCallHelpers::setupArgumentsWithExecState):
3087         * jit/JIT.h:
3088         * jit/JITCall.cpp:
3089         (JSC::JIT::compileLoadVarargs):
3090         * jit/JITInlines.h:
3091         (JSC::JIT::callOperation):
3092         * jit/JITOperations.cpp:
3093         * jit/JITOperations.h:
3094         * llint/LLIntSlowPaths.cpp:
3095         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3096         * runtime/Arguments.cpp:
3097         (JSC::Arguments::copyToArguments):
3098         * runtime/Arguments.h:
3099         * runtime/JSArray.cpp:
3100         (JSC::JSArray::copyToArguments):
3101         * runtime/JSArray.h:
3102
3103 2014-02-24  Mark Lam  <mark.lam@apple.com>
3104
3105         Need to initialize VM stack data even when the VM is on an exclusive thread.
3106         <https://webkit.org/b/129265>
3107
3108         Reviewed by Geoffrey Garen.
3109
3110         We check VM::exclusiveThread as an optimization to forego the need to do
3111         JSLock locking. However, we recently started piggybacking on JSLock's
3112         lock() and unlock() to initialize VM stack data (stackPointerAtVMEntry
3113         and lastStackTop) to appropriate values for the current thread. This is
3114         needed because we may be acquiring the lock to enter the VM on a different
3115         thread.
3116
3117         As a result, we ended up not initializing the VM stack data when
3118         VM::exclusiveThread causes us to bypass the locking activity. Even though
3119         the VM::exclusiveThread will not have to deal with the VM being entered
3120         on a different thread, it still needs to initialize the VM stack data.
3121         The VM relies on that data being initialized properly once it has been
3122         entered.
3123
3124         With this fix, we push the check for exclusiveThread down into the JSLock,
3125         and handle the bypassing of unneeded locking activity there while still
3126         executing the necessary VM stack data initialization.
3127
3128         * API/APIShims.h:
3129         (JSC::APIEntryShim::APIEntryShim):
3130         (JSC::APICallbackShim::shouldDropAllLocks):
3131         * heap/MachineStackMarker.cpp:
3132         (JSC::MachineThreads::addCurrentThread):
3133         * runtime/JSLock.cpp:
3134         (JSC::JSLockHolder::JSLockHolder):
3135         (JSC::JSLockHolder::init):
3136         (JSC::JSLockHolder::~JSLockHolder):
3137         (JSC::JSLock::JSLock):
3138         (JSC::JSLock::setExclusiveThread):
3139         (JSC::JSLock::lock):
3140         (JSLock::unlock):
3141         (JSLock::currentThreadIsHoldingLock):
3142         (JSLock::dropAllLocks):
3143         (JSLock::grabAllLocks):
3144         * runtime/JSLock.h:
3145         (JSC::JSLock::exclusiveThread):
3146         * runtime/VM.cpp:
3147         (JSC::VM::VM):
3148         * runtime/VM.h:
3149         (JSC::VM::exclusiveThread):
3150         (JSC::VM::setExclusiveThread):
3151         (JSC::VM::currentThreadIsHoldingAPILock):
3152
3153 2014-02-24  Filip Pizlo  <fpizlo@apple.com>
3154
3155         FTL should do polymorphic PutById inlining
3156         https://bugs.webkit.org/show_bug.cgi?id=129210
3157
3158         Reviewed by Mark Hahnenberg and Oliver Hunt.
3159         
3160         This makes PutByIdStatus inform us about polymorphic cases by returning an array of
3161         PutByIdVariants. The DFG now has a node called MultiPutByOffset that indicates a
3162         selection of multiple inlined PutByIdVariants.
3163         
3164         MultiPutByOffset is almost identical to MultiGetByOffset, which we added in
3165         http://trac.webkit.org/changeset/164207.
3166         
3167         This also does some FTL refactoring to make MultiPutByOffset share code with some nodes
3168         that generate similar code.
3169         
3170         1% speed-up on V8v7 due to splay improving by 6.8%. Splay does the thing where it
3171         sometimes swaps field insertion order, creating fake polymorphism.
3172
3173         * CMakeLists.txt:
3174         * GNUmakefile.list.am:
3175         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3176         * JavaScriptCore.xcodeproj/project.pbxproj:
3177         * bytecode/PutByIdStatus.cpp:
3178         (JSC::PutByIdStatus::computeFromLLInt):
3179         (JSC::PutByIdStatus::computeFor):
3180         (JSC::PutByIdStatus::computeForStubInfo):
3181         (JSC::PutByIdStatus::dump):
3182         * bytecode/PutByIdStatus.h:
3183         (JSC::PutByIdStatus::PutByIdStatus):
3184         (JSC::PutByIdStatus::isSimple):
3185         (JSC::PutByIdStatus::numVariants):
3186         (JSC::PutByIdStatus::variants):
3187         (JSC::PutByIdStatus::at):
3188         (JSC::PutByIdStatus::operator[]):
3189         * bytecode/PutByIdVariant.cpp: Added.
3190         (JSC::PutByIdVariant::dump):
3191         (JSC::PutByIdVariant::dumpInContext):
3192         * bytecode/PutByIdVariant.h: Added.
3193         (JSC::PutByIdVariant::PutByIdVariant):
3194         (JSC::PutByIdVariant::replace):
3195         (JSC::PutByIdVariant::transition):
3196         (JSC::PutByIdVariant::kind):
3197         (JSC::PutByIdVariant::isSet):
3198         (JSC::PutByIdVariant::operator!):
3199         (JSC::PutByIdVariant::structure):
3200         (JSC::PutByIdVariant::oldStructure):
3201         (JSC::PutByIdVariant::newStructure):
3202         (JSC::PutByIdVariant::structureChain):
3203         (JSC::PutByIdVariant::offset):
3204         * dfg/DFGAbstractInterpreterInlines.h:
3205         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3206         * dfg/DFGByteCodeParser.cpp:
3207         (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
3208         (JSC::DFG::ByteCodeParser::handleGetById):
3209         (JSC::DFG::ByteCodeParser::emitPutById):
3210         (JSC::DFG::ByteCodeParser::handlePutById):
3211         (JSC::DFG::ByteCodeParser::parseBlock):
3212         * dfg/DFGCSEPhase.cpp:
3213         (JSC::DFG::CSEPhase::checkStructureElimination):
3214         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
3215         (JSC::DFG::CSEPhase::putStructureStoreElimination):
3216         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
3217         (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
3218         * dfg/DFGClobberize.h:
3219         (JSC::DFG::clobberize):
3220         * dfg/DFGConstantFoldingPhase.cpp:
3221         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3222         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
3223         * dfg/DFGFixupPhase.cpp:
3224         (JSC::DFG::FixupPhase::fixupNode):
3225         * dfg/DFGGraph.cpp:
3226         (JSC::DFG::Graph::dump):
3227         * dfg/DFGGraph.h:
3228         * dfg/DFGNode.cpp:
3229         (JSC::DFG::MultiPutByOffsetData::writesStructures):
3230         (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
3231         * dfg/DFGNode.h:
3232         (JSC::DFG::Node::convertToPutByOffset):
3233         (JSC::DFG::Node::hasMultiPutByOffsetData):
3234         (JSC::DFG::Node::multiPutByOffsetData):
3235         * dfg/DFGNodeType.h:
3236         * dfg/DFGPredictionPropagationPhase.cpp:
3237         (JSC::DFG::PredictionPropagationPhase::propagate):
3238         * dfg/DFGSafeToExecute.h:
3239         (JSC::DFG::safeToExecute):
3240         * dfg/DFGSpeculativeJIT32_64.cpp:
3241         (JSC::DFG::SpeculativeJIT::compile):
3242         * dfg/DFGSpeculativeJIT64.cpp:
3243         (JSC::DFG::SpeculativeJIT::compile):
3244         * dfg/DFGTypeCheckHoistingPhase.cpp:
3245         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
3246         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
3247         * ftl/FTLCapabilities.cpp:
3248         (JSC::FTL::canCompile):
3249         * ftl/FTLLowerDFGToLLVM.cpp:
3250         (JSC::FTL::LowerDFGToLLVM::compileNode):
3251         (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
3252         (JSC::FTL::LowerDFGToLLVM::compileAllocatePropertyStorage):
3253         (JSC::FTL::LowerDFGToLLVM::compileReallocatePropertyStorage):
3254         (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
3255         (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
3256         (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
3257         (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
3258         (JSC::FTL::LowerDFGToLLVM::loadProperty):
3259         (JSC::FTL::LowerDFGToLLVM::storeProperty):
3260         (JSC::FTL::LowerDFGToLLVM::addressOfProperty):
3261         (JSC::FTL::LowerDFGToLLVM::storageForTransition):
3262         (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorage):
3263         (JSC::FTL::LowerDFGToLLVM::reallocatePropertyStorage):
3264         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
3265         * tests/stress/fold-multi-put-by-offset-to-put-by-offset.js: Added.
3266         * tests/stress/multi-put-by-offset-reallocation-butterfly-cse.js: Added.
3267         * tests/stress/multi-put-by-offset-reallocation-cases.js: Added.
3268
3269 2014-02-24  peavo@outlook.com  <peavo@outlook.com>
3270
3271         JSC regressions after r164494
3272         https://bugs.webkit.org/show_bug.cgi?id=129272
3273
3274         Reviewed by Mark Lam.
3275
3276         * offlineasm/x86.rb: Only avoid reverse opcode (fdivr) for Windows.
3277
3278 2014-02-24  Tamas Gergely  <tgergely.u-szeged@partner.samsung.com>
3279
3280         Code cleanup: remove leftover ENABLE(WORKERS) macros and support.
3281         https://bugs.webkit.org/show_bug.cgi?id=129255
3282
3283         Reviewed by Csaba Osztrogonác.
3284
3285         ENABLE_WORKERS macro was removed in r159679.
3286         Support is now also removed from xcconfig files.
3287
3288         * Configurations/FeatureDefines.xcconfig:
3289
3290 2014-02-24  David Kilzer  <ddkilzer@apple.com>
3291
3292         Remove redundant setting in FeatureDefines.xcconfig
3293
3294         * Configurations/FeatureDefines.xcconfig:
3295
3296 2014-02-23  Sam Weinig  <sam@webkit.org>
3297
3298         Update FeatureDefines.xcconfig
3299
3300         Rubber-stamped by Anders Carlsson.
3301
3302         * Configurations/FeatureDefines.xcconfig:
3303
3304 2014-02-23  Dean Jackson  <dino@apple.com>
3305
3306         Sort the project file with sort-Xcode-project-file.
3307
3308         Rubber-stamped by Sam Weinig.
3309
3310         * JavaScriptCore.xcodeproj/project.pbxproj:
3311
3312 2014-02-23  Sam Weinig  <sam@webkit.org>
3313
3314         Move telephone number detection behind its own ENABLE macro
3315         https://bugs.webkit.org/show_bug.cgi?id=129236
3316
3317         Reviewed by Dean Jackson.
3318
3319         * Configurations/FeatureDefines.xcconfig:
3320         Add ENABLE_TELEPHONE_NUMBER_DETECTION.
3321
3322 2014-02-22  Filip Pizlo  <fpizlo@apple.com>
3323
3324         Refine DFG+FTL inlining and compilation limits
3325         https://bugs.webkit.org/show_bug.cgi?id=129212
3326
3327         Reviewed by Mark Hahnenberg.
3328         
3329         Allow larger functions to be DFG-compiled. Institute a limit on FTL compilation,
3330         and set that limit quite high. Institute a limit on inlining-into. The idea here is
3331         that large functions tend to be autogenerated, and code generators like emscripten
3332         appear to leave few inlining opportunities anyway. Also, we don't want the code
3333         size explosion that we would risk if we allowed compilation of a large function and
3334         then inlined a ton of stuff into it.
3335         
3336         This is a 0.5% speed-up on Octane v2 and almost eliminates the typescript
3337         regression. This is a 9% speed-up on AsmBench.
3338
3339         * bytecode/CodeBlock.cpp:
3340         (JSC::CodeBlock::noticeIncomingCall):
3341         * dfg/DFGByteCodeParser.cpp:
3342         (JSC::DFG::ByteCodeParser::handleInlining):
3343         * dfg/DFGCapabilities.h:
3344         (JSC::DFG::isSmallEnoughToInlineCodeInto):
3345         * ftl/FTLCapabilities.cpp:
3346         (JSC::FTL::canCompile):
3347         * ftl/FTLState.h:
3348         (JSC::FTL::shouldShowDisassembly):
3349         * runtime/Options.h:
3350
3351 2014-02-22  Dan Bernstein  <mitz@apple.com>
3352
3353         REGRESSION (r164507): Crash beneath JSGlobalObjectInspectorController::reportAPIException at facebook.com, twitter.com, youtube.com
3354         https://bugs.webkit.org/show_bug.cgi?id=129227
3355
3356         Reviewed by Eric Carlson.
3357
3358         Reverted r164507.
3359
3360         * API/JSBase.cpp:
3361         (JSEvaluateScript):
3362         (JSCheckScriptSyntax):
3363         * API/JSObjectRef.cpp:
3364         (JSObjectMakeFunction):
3365         (JSObjectMakeArray):
3366         (JSObjectMakeDate):
3367         (JSObjectMakeError):
3368         (JSObjectMakeRegExp):
3369         (JSObjectGetProperty):
3370         (JSObjectSetProperty):
3371         (JSObjectGetPropertyAtIndex):
3372         (JSObjectSetPropertyAtIndex):
3373         (JSObjectDeleteProperty):
3374         (JSObjectCallAsFunction):
3375         (JSObjectCallAsConstructor):
3376         * API/JSValue.mm:
3377         (valueToArray):
3378         (valueToDictionary):
3379         * API/JSValueRef.cpp:
3380         (JSValueIsEqual):
3381         (JSValueIsInstanceOfConstructor):
3382         (JSValueCreateJSONString):
3383         (JSValueToNumber):
3384         (JSValueToStringCopy):
3385         (JSValueToObject):
3386         * inspector/ConsoleMessage.cpp:
3387         (Inspector::ConsoleMessage::ConsoleMessage):
3388         (Inspector::ConsoleMessage::autogenerateMetadata):
3389         * inspector/ConsoleMessage.h:
3390         * inspector/JSGlobalObjectInspectorController.cpp:
3391         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3392         * inspector/JSGlobalObjectInspectorController.h:
3393         * inspector/ScriptCallStack.cpp:
3394         * inspector/ScriptCallStack.h:
3395         * inspector/ScriptCallStackFactory.cpp:
3396         (Inspector::createScriptCallStack):
3397         (Inspector::createScriptCallStackForConsole):
3398         (Inspector::createScriptCallStackFromException):
3399         * inspector/ScriptCallStackFactory.h:
3400         * inspector/agents/InspectorConsoleAgent.cpp:
3401         (Inspector::InspectorConsoleAgent::enable):
3402         (Inspector::InspectorConsoleAgent::addMessageToConsole):
3403         (Inspector::InspectorConsoleAgent::count):
3404         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
3405         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):