0aeb0e9e56ce749d4fbc4ac5ec3e0f9c109c6651
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-01-04  Zan Dobersek  <zdobersek@igalia.com>

        Explicitly use the std:: nested name specifier when using std::pair, std::make_pair
        https://bugs.webkit.org/show_bug.cgi?id=126439

        Reviewed by Andreas Kling.

        Instead of relying on std::pair and std::make_pair symbols being present in the current scope
        through the pair and make_pair symbols, the std:: specifier should be used explicitly.

        * bytecode/Opcode.cpp:
        (JSC::compareOpcodePairIndices):
        (JSC::OpcodeStats::~OpcodeStats):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::makeBinaryNode):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseIfStatement):
        * runtime/Structure.cpp:
        (JSC::StructureTransitionTable::contains):
        (JSC::StructureTransitionTable::get):
        (JSC::StructureTransitionTable::add):

2014-01-03  David Farler  <dfarler@apple.com>

        [super dealloc] missing in Source/JavaScriptCore/API/tests/testapi.mm, fails to build with -Werror,-Wobjc-missing-super-calls
        https://bugs.webkit.org/show_bug.cgi?id=126454

        Reviewed by Geoffrey Garen.

        * API/tests/testapi.mm:
        (-[TextXYZ dealloc]):
        add [super dealloc]
        (-[EvilAllocationObject dealloc]):
        add [super dealloc]

2014-01-02  Carlos Garcia Campos  <cgarcia@igalia.com>

        REGRESSION(r160304): [GTK] Disable libtool fast install
        https://bugs.webkit.org/show_bug.cgi?id=126381

        Reviewed by Martin Robinson.

        Remove -no-fast-install ld flag since fast install is now disabled
        globally.

        * GNUmakefile.am:

2014-01-02  Sam Weinig  <sam@webkit.org>

        Update Promises to the https://github.com/domenic/promises-unwrapping spec
        https://bugs.webkit.org/show_bug.cgi?id=120954

        Reviewed by Filip Pizlo.

        Update Promises to the revised spec. Notable changes:
        - JSPromiseResolver is gone.
        - TaskContext has been renamed Microtask and now has a virtual run() function.
        - Instead of using custom InternalFunction subclasses, JSFunctions are used
          with PrivateName properties for internal slots.

        * CMakeLists.txt:
        * DerivedSources.make:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * interpreter/CallFrame.h:
        (JSC::ExecState::promiseConstructorTable):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::CommonIdentifiers):
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        (JSC::JSGlobalObject::queueMicrotask):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::promiseConstructor):
        (JSC::JSGlobalObject::promisePrototype):
        (JSC::JSGlobalObject::promiseStructure):
        * runtime/JSPromise.cpp:
        (JSC::JSPromise::create):
        (JSC::JSPromise::JSPromise):
        (JSC::JSPromise::finishCreation):
        (JSC::JSPromise::visitChildren):
        (JSC::JSPromise::reject):
        (JSC::JSPromise::resolve):
        (JSC::JSPromise::appendResolveReaction):
        (JSC::JSPromise::appendRejectReaction):
        (JSC::triggerPromiseReactions):
        * runtime/JSPromise.h:
        (JSC::JSPromise::status):
        (JSC::JSPromise::result):
        (JSC::JSPromise::constructor):
        * runtime/JSPromiseCallback.cpp: Removed.
        * runtime/JSPromiseCallback.h: Removed.
        * runtime/JSPromiseConstructor.cpp:
        (JSC::constructPromise):
        (JSC::JSPromiseConstructor::getCallData):
        (JSC::JSPromiseConstructorFuncCast):
        (JSC::JSPromiseConstructorFuncResolve):
        (JSC::JSPromiseConstructorFuncReject):
        * runtime/JSPromiseConstructor.h:
        * runtime/JSPromiseDeferred.cpp: Added.
        (JSC::JSPromiseDeferred::create):
        (JSC::JSPromiseDeferred::JSPromiseDeferred):
        (JSC::JSPromiseDeferred::finishCreation):
        (JSC::JSPromiseDeferred::visitChildren):
        (JSC::createJSPromiseDeferredFromConstructor):
        (JSC::updateDeferredFromPotentialThenable):
        * runtime/JSPromiseDeferred.h: Added.
        (JSC::JSPromiseDeferred::createStructure):
        (JSC::JSPromiseDeferred::promise):
        (JSC::JSPromiseDeferred::resolve):
        (JSC::JSPromiseDeferred::reject):
        * runtime/JSPromiseFunctions.cpp: Added.
        (JSC::deferredConstructionFunction):
        (JSC::createDeferredConstructionFunction):
        (JSC::identifyFunction):
        (JSC::createIdentifyFunction):
        (JSC::promiseAllCountdownFunction):
        (JSC::createPromiseAllCountdownFunction):
        (JSC::promiseResolutionHandlerFunction):
        (JSC::createPromiseResolutionHandlerFunction):
        (JSC::rejectPromiseFunction):
        (JSC::createRejectPromiseFunction):
        (JSC::resolvePromiseFunction):
        (JSC::createResolvePromiseFunction):
        (JSC::throwerFunction):
        (JSC::createThrowerFunction):
        * runtime/JSPromiseFunctions.h: Added.
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototypeFuncThen):
        (JSC::JSPromisePrototypeFuncCatch):
        * runtime/JSPromiseReaction.cpp: Added.
        (JSC::createExecutePromiseReactionMicroTask):
        (JSC::ExecutePromiseReactionMicroTask::run):
        (JSC::JSPromiseReaction::create):
        (JSC::JSPromiseReaction::JSPromiseReaction):
        (JSC::JSPromiseReaction::finishCreation):
        (JSC::JSPromiseReaction::visitChildren):
        * runtime/JSPromiseReaction.h: Added.
        (JSC::JSPromiseReaction::createStructure):
        (JSC::JSPromiseReaction::deferred):
        (JSC::JSPromiseReaction::handler):
        * runtime/JSPromiseResolver.cpp: Removed.
        * runtime/JSPromiseResolver.h: Removed.
        * runtime/JSPromiseResolverConstructor.cpp: Removed.
        * runtime/JSPromiseResolverConstructor.h: Removed.
        * runtime/JSPromiseResolverPrototype.cpp: Removed.
        * runtime/JSPromiseResolverPrototype.h: Removed.
        * runtime/Microtask.h: Added.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:

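The entry above names the pieces of the promises-unwrapping design (a Microtask with a virtual run(), deferreds, reactions, the identity and thrower default handlers, and unwrapping of thenables) without showing how they fit together. The following is an added toy model in C++, written for this page; it is not JSC's code, and the struct names only echo the names in the entry. To stay short it assumes a value is either an integer or a promise (the only thenable it knows), so the `then` lookup that a real engine performs on an arbitrary object is not modelled. What it does show is the point that matters for safety: a thenable is never stored as a result, and its `then` is invoked in its own microtask, after the code that called resolve has returned, so user code reached through `then` cannot run re-entrantly inside the resolver.

```cpp
#include <deque>
#include <functional>
#include <memory>
#include <vector>

struct Promise;
using PromisePtr = std::shared_ptr<Promise>;
// A resolution value: a plain number, or a promise (the only thenable this model knows).
struct Value { int number = 0; PromisePtr thenable; };

struct Microtask { virtual ~Microtask() = default; virtual void run() = 0; };
struct MicrotaskQueue {
    std::deque<std::unique_ptr<Microtask>> tasks;
    void enqueue(std::unique_ptr<Microtask> t) { tasks.push_back(std::move(t)); }
    void drain() {
        while (!tasks.empty()) { auto t = std::move(tasks.front()); tasks.pop_front(); t->run(); }
    }
};

using Handler = std::function<Value(Value)>;               // throws a Value to reject
struct Reaction { PromisePtr deferred; Handler handler; };  // cf. JSPromiseReaction

struct Promise : std::enable_shared_from_this<Promise> {
    enum Status { Pending, Fulfilled, Rejected } status = Pending;
    Value result;
    std::vector<Reaction> resolveReactions, rejectReactions;
    MicrotaskQueue* queue;
    explicit Promise(MicrotaskQueue* q) : queue(q) {}

    void reject(Value reason) {                           // settling is one-shot
        if (status == Pending) { status = Rejected; result = reason; settle(rejectReactions); }
    }
    // Unwrapping: a thenable is adopted in a later microtask, never stored as the result.
    void resolve(Value value) {
        if (status != Pending) return;
        if (!value.thenable) { status = Fulfilled; result = value; settle(resolveReactions); return; }
        struct Adopt : Microtask {
            PromisePtr self, other;
            void run() override {
                other->then([s = self](Value v) { s->resolve(v); return v; },
                            [s = self](Value r) { s->reject(r); return r; });
            }
        };
        auto task = std::make_unique<Adopt>();
        task->self = shared_from_this(); task->other = value.thenable;
        queue->enqueue(std::move(task));
    }
    // Missing handlers default to identity / thrower (cf. identifyFunction, throwerFunction).
    PromisePtr then(Handler onFulfilled = nullptr, Handler onRejected = nullptr) {
        if (!onFulfilled) onFulfilled = [](Value v) { return v; };
        if (!onRejected) onRejected = [](Value r) -> Value { throw r; };
        PromisePtr deferred = std::make_shared<Promise>(queue);   // cf. JSPromiseDeferred
        Reaction onOk{deferred, onFulfilled}, onBad{deferred, onRejected};
        if (status == Pending) { resolveReactions.push_back(onOk); rejectReactions.push_back(onBad); }
        else enqueueReaction(status == Fulfilled ? onOk : onBad);
        return deferred;
    }

private:
    struct ExecuteReaction : Microtask {                  // cf. ExecutePromiseReactionMicroTask
        Reaction reaction; Value argument;
        void run() override {
            try { reaction.deferred->resolve(reaction.handler(argument)); }
            catch (const Value& reason) { reaction.deferred->reject(reason); }
        }
    };
    void enqueueReaction(const Reaction& r) {
        auto t = std::make_unique<ExecuteReaction>();
        t->reaction = r; t->argument = result;
        queue->enqueue(std::move(t));
    }
    void settle(const std::vector<Reaction>& reactions) {
        for (const Reaction& r : reactions) enqueueReaction(r);
        resolveReactions.clear(); rejectReactions.clear();
    }
};

// Resolving `outer` with the pending promise `inner` adopts inner's value, but every step
// is its own microtask, so nothing observable happens until the queue drains.
std::vector<int> unwrappingOrder() {
    MicrotaskQueue queue;
    std::vector<int> order;
    auto inner = std::make_shared<Promise>(&queue);
    auto outer = std::make_shared<Promise>(&queue);
    outer->then([&order](Value v) { order.push_back(v.number); return v; });
    outer->resolve(Value{0, inner});     // thenable: adoption is queued, not performed here
    order.push_back(1);
    inner->resolve(Value{3});
    order.push_back(2);                  // still no reaction has run
    queue.drain();                       // Adopt, inner's reaction, then outer's reaction
    return order;                        // {1, 2, 3}
}

// A rejection falls through then() calls that lack a rejection handler (thrower default)
// until one is present; the fulfilled handler in the middle is never called.
int rejectionPassThrough() {
    MicrotaskQueue queue;
    int seen = 0;
    auto p = std::make_shared<Promise>(&queue);
    p->then()->then([](Value v) { return Value{v.number + 100}; })
     ->then(nullptr, [&seen](Value r) { seen = r.number; return r; });
    p->reject(Value{42});
    queue.drain();
    return seen;                         // 42
}
```

The model keeps the spec's shape rather than its full generality: a real implementation must also guard against a promise resolving with itself and must treat any object with a callable `then` as a thenable, which is where untrusted code gets a foothold and why the adoption step is deferred to a microtask.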
2014-01-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add support for StoreBarrier and friends to the FTL
        https://bugs.webkit.org/show_bug.cgi?id=126040

        Reviewed by Filip Pizlo.

        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileStoreBarrier):
        (JSC::FTL::LowerDFGToLLVM::compileConditionalStoreBarrier):
        (JSC::FTL::LowerDFGToLLVM::compileStoreBarrierWithNullCheck):
        (JSC::FTL::LowerDFGToLLVM::loadMarkByte):
        (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        * heap/Heap.h:
        (JSC::Heap::writeBarrierBuffer):

2014-01-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        Storing new CopiedSpace memory into a JSObject should fire a write barrier
        https://bugs.webkit.org/show_bug.cgi?id=126025

        Reviewed by Filip Pizlo.

        Technically this is creating a pointer between a (potentially) old generation object and a young
        generation chunk of memory, thus there needs to be a barrier.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGOperations.cpp:
        * heap/CopyWriteBarrier.h: Added. This class functions similarly to the WriteBarrier class. It
        acts as a proxy for pointers to CopiedSpace. Assignments to the field cause a write barrier to
        fire for the object that is the owner of the CopiedSpace memory. This is to ensure during nursery
        collections that objects with new backing stores are visited, even if they are old generation objects.
        (JSC::CopyWriteBarrier::CopyWriteBarrier):
        (JSC::CopyWriteBarrier::operator!):
        (JSC::CopyWriteBarrier::operator UnspecifiedBoolType*):
        (JSC::CopyWriteBarrier::get):
        (JSC::CopyWriteBarrier::operator*):
        (JSC::CopyWriteBarrier::operator->):
        (JSC::CopyWriteBarrier::set):
        (JSC::CopyWriteBarrier::setWithoutWriteBarrier):
        (JSC::CopyWriteBarrier::clear):
        * heap/Heap.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::unshiftCountSlowCase):
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        * runtime/JSCell.h:
        (JSC::JSCell::unvalidatedStructure):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
        * runtime/JSObject.cpp:
        (JSC::JSObject::copyButterfly):
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::countElements):
        (JSC::JSObject::increaseVectorLength):
        (JSC::JSObject::ensureLengthSlow):
        * runtime/JSObject.h:
        (JSC::JSObject::butterfly):
        (JSC::JSObject::setStructureAndButterfly):
        (JSC::JSObject::setButterflyWithoutChangingStructure):
        (JSC::JSObject::JSObject):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::putDirectWithoutTransition):
        * runtime/MapData.cpp:
        (JSC::MapData::ensureSpaceForAppend):
        * runtime/Structure.cpp:
        (JSC::Structure::materializePropertyMap):

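Both Mark Hahnenberg entries above (the FTL StoreBarrier lowering, which loads the mark byte and appends to the heap's writeBarrierBuffer, and the CopyWriteBarrier for backing stores) rest on one invariant of a generational collector: a nursery collection does not rescan old objects, so an old object that is made to point at young memory must be recorded, or the young memory is reclaimed while still referenced. The following is an added example written for this page, not JSC code; it is a toy heap whose cells carry a mark byte and a single child pointer standing in for a butterfly or CopiedSpace backing store, and the names `markByte` and `writeBarrierBuffer` are chosen to echo the entries, nothing more. It runs the store once without the barrier and once with it.

```cpp
#include <cstdint>
#include <cstdio>
#include <memory>
#include <unordered_set>
#include <vector>

// Toy cell: a mark byte (0 = young, 1 = old / already marked) and one outgoing pointer.
struct Cell {
    uint8_t markByte = 0;
    bool freed = false;
    Cell* child = nullptr;
};

struct Heap {
    std::vector<std::unique_ptr<Cell>> cells;
    std::vector<Cell*> roots;
    std::vector<Cell*> writeBarrierBuffer;   // old cells that received a pointer to young memory

    Cell* allocate() {
        cells.push_back(std::make_unique<Cell>());
        return cells.back().get();
    }

    // Conditional store barrier: remember the owner only when an old (marked) cell is made
    // to point at young memory. This check is the whole reason the barrier exists.
    void storeWithBarrier(Cell* owner, Cell* value) {
        owner->child = value;
        if (owner->markByte && value && !value->markByte)
            writeBarrierBuffer.push_back(owner);
    }

    // The unsafe store the second entry fixes: the pointer is written, nothing is remembered.
    void storeWithoutBarrier(Cell* owner, Cell* value) { owner->child = value; }

    // Nursery collection. Old cells are treated as already marked: their children are rescanned
    // only if the barrier buffer says the cell was written to since the last collection.
    void collectNursery() {
        std::unordered_set<Cell*> remembered(writeBarrierBuffer.begin(), writeBarrierBuffer.end());
        std::unordered_set<Cell*> visited;
        std::vector<Cell*> worklist(roots);
        worklist.insert(worklist.end(), writeBarrierBuffer.begin(), writeBarrierBuffer.end());
        while (!worklist.empty()) {
            Cell* c = worklist.back();
            worklist.pop_back();
            if (!c || !visited.insert(c).second) continue;
            if (c->markByte && !remembered.count(c)) continue;   // old and unchanged: not rescanned
            if (c->child) worklist.push_back(c->child);
        }
        for (auto& owned : cells) {
            Cell* c = owned.get();
            if (c->markByte) continue;                 // old cells survive every nursery collection
            if (visited.count(c)) c->markByte = 1;     // reached: promoted to the old generation
            else c->freed = true;                      // unreached young cell: reclaimed
        }
        writeBarrierBuffer.clear();
    }
};

// Scenario from the entry: an old object receives a freshly allocated (young) backing store.
// Returns true if that backing store is still alive after the next nursery collection.
bool backingStoreSurvives(bool useBarrier) {
    Heap heap;
    Cell* root = heap.allocate();
    Cell* owner = heap.allocate();
    root->child = owner;                 // both are young here, so no barrier is needed yet
    heap.roots.push_back(root);
    heap.collectNursery();               // root and owner survive and become old

    Cell* backingStore = heap.allocate();   // young memory
    if (useBarrier) heap.storeWithBarrier(owner, backingStore);
    else heap.storeWithoutBarrier(owner, backingStore);

    heap.collectNursery();
    // Without the barrier the collector never rescans `owner`, reclaims the store, and
    // `owner->child` is left dangling: a use-after-free created by the collector itself.
    return !owner->child->freed;
}

int main() {
    std::printf("without barrier: backing store alive = %d\n", backingStoreSurvives(false));
    std::printf("with barrier:    backing store alive = %d\n", backingStoreSurvives(true));
    return 0;
}
```

The toy marks a reclaimed cell instead of returning its memory to an allocator, which is what makes the failure visible as a boolean; in a real heap the same missing barrier shows up as a dangling butterfly pointer that a later read or write dereferences.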
2013-12-23  Oliver Hunt  <oliver@apple.com>

        Refactor PutPropertySlot to be aware of custom properties
        https://bugs.webkit.org/show_bug.cgi?id=126187

        Reviewed by Antti Koivisto.

        Refactor PutPropertySlot, making the constructor take the thisValue
        used as a target.  This results in a wide range of boilerplate changes
        to pass the new parameter.

        * API/JSObjectRef.cpp:
        (JSObjectSetProperty):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Arguments.cpp:
        (JSC::Arguments::putByIndex):
        * runtime/ArrayPrototype.cpp:
        (JSC::putProperty):
        (JSC::arrayProtoFuncPush):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitiveByIndex):
        * runtime/JSCell.cpp:
        (JSC::JSCell::putByIndex):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::put):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
        * runtime/JSONObject.cpp:
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::putDirectNonIndexAccessor):
        (JSC::JSObject::deleteProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::putDirect):
        * runtime/Lookup.h:
        (JSC::putEntry):
        (JSC::lookupPut):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::PutPropertySlot):
        (JSC::PutPropertySlot::setCustomProperty):
        (JSC::PutPropertySlot::thisValue):
        (JSC::PutPropertySlot::isCacheable):

2014-01-01  Filip Pizlo  <fpizlo@apple.com>

        Rationalize DFG DCE
        https://bugs.webkit.org/show_bug.cgi?id=125523

        Reviewed by Mark Hahnenberg.

        Adds the ability to DCE more things. It's now the case that if a node is completely
        pure, we clear NodeMustGenerate and the node becomes a DCE candidate.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::cleanVariables):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::clobbersWorld):
        * dfg/DFGNodeType.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileAdd):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileValueAdd):

2014-01-02  Benjamin Poulain  <benjamin@webkit.org>

        Attempt to fix the build of WebCore's code generator on CMake based system
        https://bugs.webkit.org/show_bug.cgi?id=126271

        Reviewed by Sam Weinig.

        * CMakeLists.txt:

2013-12-30  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r161157, r161158, r161160, r161161,
        r161163, and r161165.
        http://trac.webkit.org/changeset/161157
        http://trac.webkit.org/changeset/161158
        http://trac.webkit.org/changeset/161160
        http://trac.webkit.org/changeset/161161
        http://trac.webkit.org/changeset/161163
        http://trac.webkit.org/changeset/161165
        https://bugs.webkit.org/show_bug.cgi?id=126332

        Broke WebKit2 on Mountain Lion (Requested by ap on #webkit).

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::~BlockAllocator):
        (JSC::BlockAllocator::waitForRelativeTimeWhileHoldingLock):
        (JSC::BlockAllocator::waitForRelativeTime):
        (JSC::BlockAllocator::blockFreeingThreadMain):
        * heap/BlockAllocator.h:
        (JSC::BlockAllocator::deallocate):

2013-12-30  Anders Carlsson  <andersca@apple.com>

        Fix build.

        * heap/BlockAllocator.h:

2013-12-30  Anders Carlsson  <andersca@apple.com>

        Stop using ThreadCondition in BlockAllocator
        https://bugs.webkit.org/show_bug.cgi?id=126313

        Reviewed by Sam Weinig.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::~BlockAllocator):
        (JSC::BlockAllocator::waitForDuration):
        (JSC::BlockAllocator::blockFreeingThreadMain):
        * heap/BlockAllocator.h:
        (JSC::BlockAllocator::deallocate):

2013-12-30  Anders Carlsson  <andersca@apple.com>

        Stop using ThreadCondition in jsc.cpp
        https://bugs.webkit.org/show_bug.cgi?id=126311

        Reviewed by Sam Weinig.

        * jsc.cpp:
        (timeoutThreadMain):
        (main):

2013-12-30  Anders Carlsson  <andersca@apple.com>

        Replace WTF::ThreadingOnce with std::call_once
        https://bugs.webkit.org/show_bug.cgi?id=126215

        Reviewed by Sam Weinig.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::globalWorklist):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):

2013-12-30  Martin Robinson  <mrobinson@igalia.com>

        [CMake] [GTK] Add support for GObject introspection
        https://bugs.webkit.org/show_bug.cgi?id=126162

        Reviewed by Daniel Bates.

        * PlatformGTK.cmake: Add the GIR targets.

2013-12-28  Filip Pizlo  <fpizlo@apple.com>

        Get rid of DFG forward exiting
        https://bugs.webkit.org/show_bug.cgi?id=125531

        Reviewed by Oliver Hunt.

        This finally gets rid of forward exiting. Forward exiting was always a fragile concept
        since it involved the compiler trying to figure out how to "roll forward" the
        execution from some DFG node to the next bytecode index. It was always easy to find
        counterexamples where it broke, and it has always served as an obstacle to adding
        compiler improvements - the latest being http://webkit.org/b/125523, which tried to
        make DCE work for more things.

        This change finishes the work of removing forward exiting. A lot of forward exiting
        was already removed in some other bugs, but SetLocal still did forward exits. SetLocal
        is in many ways the hardest to remove, since the forward exiting of SetLocal also
        implied that any conversion nodes inserted before the SetLocal would then also be
        marked as forward-exiting. Hence SetLocal's forward-exiting made a bunch of other
        things also forward-exiting, and this was always a source of weirdo bugs.

        SetLocal must be able to exit in case it performs a hoisted type speculation. Nodes
        inserted just before SetLocal must also be able to exit - for example type check
        hoisting may insert a CheckStructure, or fixup phase may insert something like
        Int32ToDouble. But if any of those nodes tried to backward exit, then this could lead
        to the reexecution of a side-effecting operation, for example:

            a: Call(...)
            b: SetLocal(@a, r1)

        For a long time it seemed like SetLocal *had* to exit forward because of this. But
        this change side-steps the problem by changing the ByteCodeParser to always emit a
        kind of "two-phase commit" for stores to local variables. Now when the ByteCodeParser
        wishes to store to a local, it first emits a MovHint and then enqueues a SetLocal.
        The SetLocal isn't actually emitted until the beginning of the next bytecode
        instruction (with the exception of op_enter and op_ret, which emit theirs immediately
        since it's always safe to reexecute those bytecode instructions and since deferring
        SetLocals would be weird there - op_enter has many SetLocals and op_ret is a set
        followed by a jump in case of inlining, so we'd have to emit the SetLocal "after" the
        jump and that would be awkward). This means that the above IR snippet would look
        something like:

            a: Call(..., bc#42)
            b: MovHint(@a, r1, bc#42)
            c: SetLocal(@a, r1, bc#47)

        Where the SetLocal exits "backwards" but appears at the beginning of the next bytecode
        instruction. This means that by the time we get to that SetLocal, the OSR exit
        analysis already knows that r1 is associated with @a, and it means that the SetLocal
        or anything hoisted above it can exit backwards as normal.

        This change also means that the "forward rewiring" can be killed. Previously, we might
        have inserted a conversion node on SetLocal and then the SetLocal died (i.e. turned
        into a MovHint) and the conversion node either died completely or had its lifetime
        truncated to be less than the actual value's bytecode lifetime. This no longer happens
        since conversion nodes are only inserted at SetLocals.

        More precisely, this change introduces two laws that we were basically already
        following anyway:

        1) A MovHint's child should never be changed except if all other uses of that child
           are also replaced. Specifically, this prohibits insertion of conversion nodes at
           MovHints.

        2) Anytime any child is replaced with something else, and all other uses aren't also
           replaced, we must insert a Phantom use of the original child.

        This is a slight compile-time regression but has no effect on code-gen. It unlocks a
        bunch of optimization opportunities so I think it's worth it.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpAssumingJITType):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::instructionCount):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGArrayifySlowPathGenerator.h:
        (JSC::DFG::ArrayifySlowPathGenerator::ArrayifySlowPathGenerator):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::setDirect):
        (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
        (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::eliminate):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::run):
        (JSC::DFG::DCEPhase::fixupBlock):
        (JSC::DFG::DCEPhase::cleanVariables):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixEdge):
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::run):
        (JSC::DFG::LICMPhase::attemptHoist):
        * dfg/DFGMinifiedNode.cpp:
        (JSC::DFG::MinifiedNode::fromNode):
        * dfg/DFGMinifiedNode.h:
        (JSC::DFG::belongsInMinifiedGraph):
        (JSC::DFG::MinifiedNode::constantNumber):
        (JSC::DFG::MinifiedNode::weakConstant):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::hasVariableAccessData):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToPhantom):
        (JSC::DFG::Node::convertToPhantomUnchecked):
        (JSC::DFG::Node::convertToIdentity):
        (JSC::DFG::Node::containsMovHint):
        (JSC::DFG::Node::hasUnlinkedLocal):
        (JSC::DFG::Node::willHaveCodeGenOrOSR):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeFlags.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGOSRExit.cpp:
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitBase.cpp:
        * dfg/DFGOSRExitBase.h:
        (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSite):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
        (JSC::DFG::SpeculativeJIT::typeCheck):
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::needsTypeCheck):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::run):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validateCPS):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetArgument):
        (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
        (JSC::FTL::LowerDFGToLLVM::compileMovHint):
        (JSC::FTL::LowerDFGToLLVM::compileZombieHint):
        (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::typeCheck):
        (JSC::FTL::LowerDFGToLLVM::appendTypeCheck):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        * ftl/FTLOSRExit.cpp:
        * ftl/FTLOSRExit.h:
        * tests/stress/dead-int32-to-double.js: Added.
        (foo):
        * tests/stress/dead-uint32-to-number.js: Added.
        (foo):

2013-12-25  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r161033 and r161074.
        http://trac.webkit.org/changeset/161033
        http://trac.webkit.org/changeset/161074
        https://bugs.webkit.org/show_bug.cgi?id=126240

        Oliver says that a rollout would be better (Requested by ap on
        #webkit).

        * API/JSObjectRef.cpp:
        (JSObjectSetProperty):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Arguments.cpp:
        (JSC::Arguments::putByIndex):
        * runtime/ArrayPrototype.cpp:
        (JSC::putProperty):
        (JSC::arrayProtoFuncPush):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitiveByIndex):
        * runtime/JSCell.cpp:
        (JSC::JSCell::putByIndex):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::put):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
        * runtime/JSONObject.cpp:
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::putDirectNonIndexAccessor):
        (JSC::JSObject::deleteProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::putDirect):
        * runtime/Lookup.h:
        (JSC::putEntry):
        (JSC::lookupPut):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::PutPropertySlot):
        (JSC::PutPropertySlot::setNewProperty):
        (JSC::PutPropertySlot::isCacheable):

2013-12-25  Filip Pizlo  <fpizlo@apple.com>

        DFG PhantomArguments shouldn't rely on a dead Phi graph
        https://bugs.webkit.org/show_bug.cgi?id=126218

        Reviewed by Oliver Hunt.

        This change dramatically rationalizes our handling of PhantomArguments (i.e.
        speculative elision of arguments object allocation).

        It's now the case that if we decide that we can elide arguments allocation, we just
        turn the arguments-creating node into a PhantomArguments and mark all locals that
        it's stored to as being arguments aliases. Being an arguments alias and being a
        PhantomArguments means basically the same thing: in DFG execution you have the empty
        value, on OSR exit an arguments object is allocated in your place, and all operations
        that use the value now just refer directly to the actual arguments in the call frame
        header (or the arguments we know that we passed to the call, in case of inlining).

        This means that we no longer have arguments simplification creating a dead Phi graph
        that then has to be interpreted by the OSR exit logic. That sort of never made any
        sense.

        This means that PhantomArguments now has a clear story in SSA: basically SSA just
        gets rid of the "locals" but everything else is the same.

        Finally, this means that we can more easily get rid of forward exiting. As I was
        working on the code to get rid of forward exiting, I realized that I'd have to
        carefully preserve the special meanings of MovHint and SetLocal in the case of
        PhantomArguments. It was really bizarre: even the semantics of MovHint were tied to
        our specific treatment of PhantomArguments. After this change this is no longer the
        case.

        One of the really cool things about this change is that arguments reification now
        just becomes a special kind of FlushFormat. This further unifies things: it means
        that a MovHint(PhantomArguments) and a SetLocal(PhantomArguments) both have the same
        meaning, since both of them dictate that the way we recover the local on exit is by
        reifying arguments. Previously, the SetLocal(PhantomArguments) case needed some
        special handling to accomplish this.

        A downside of this approach is that we will now emit code to store the empty value
        into aliased arguments variables, and we will even emit code to load that empty value
        as well. As far as I can tell this doesn't cost anything, since PhantomArguments are
        most profitable in cases where it allows us to simplify control flow and kill the
        arguments locals entirely. Of course, this isn't an issue in SSA form since SSA form
        also eliminates the locals.

        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        (JSC::DFG::ArgumentsSimplificationPhase::detypeArgumentsReferencingPhantomChild):
        * dfg/DFGFlushFormat.cpp:
        (WTF::printInternal):
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::resultFor):
        (JSC::DFG::useKindFor):
        (JSC::DFG::dataFormatFor):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValueSource.h:
        (JSC::DFG::ValueSource::ValueSource):
        (JSC::DFG::ValueSource::forFlushFormat):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::flushFormat):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):

2013-12-23  Oliver Hunt  <oliver@apple.com>

        Refactor PutPropertySlot to be aware of custom properties
        https://bugs.webkit.org/show_bug.cgi?id=126187

        Reviewed by msaboff.

        Refactor PutPropertySlot, making the constructor take the thisValue
        used as a target.  This results in a wide range of boilerplate changes
721         to pass the new parameter.
722
723         * API/JSObjectRef.cpp:
724         (JSObjectSetProperty):
725         * dfg/DFGOperations.cpp:
726         (JSC::DFG::operationPutByValInternal):
727         * interpreter/Interpreter.cpp:
728         (JSC::Interpreter::execute):
729         * jit/JITOperations.cpp:
730         * llint/LLIntSlowPaths.cpp:
731         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
732         * runtime/Arguments.cpp:
733         (JSC::Arguments::putByIndex):
734         * runtime/ArrayPrototype.cpp:
735         (JSC::putProperty):
736         (JSC::arrayProtoFuncPush):
737         * runtime/JSCJSValue.cpp:
738         (JSC::JSValue::putToPrimitiveByIndex):
739         * runtime/JSCell.cpp:
740         (JSC::JSCell::putByIndex):
741         * runtime/JSFunction.cpp:
742         (JSC::JSFunction::put):
743         * runtime/JSGenericTypedArrayViewInlines.h:
744         (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
745         * runtime/JSONObject.cpp:
746         (JSC::Walker::walk):
747         * runtime/JSObject.cpp:
748         (JSC::JSObject::putByIndex):
749         (JSC::JSObject::putDirectNonIndexAccessor):
750         (JSC::JSObject::deleteProperty):
751         * runtime/JSObject.h:
752         (JSC::JSObject::putDirect):
753         * runtime/Lookup.h:
754         (JSC::putEntry):
755         (JSC::lookupPut):
756         * runtime/PutPropertySlot.h:
757         (JSC::PutPropertySlot::PutPropertySlot):
758         (JSC::PutPropertySlot::setCustomProperty):
759         (JSC::PutPropertySlot::thisValue):
760         (JSC::PutPropertySlot::isCacheable):
761
762 2013-12-23  Benjamin Poulain  <benjamin@webkit.org>
763
764         Add class matching to the Selector Code Generator
765         https://bugs.webkit.org/show_bug.cgi?id=126176
766
767         Reviewed by Antti Koivisto and Oliver Hunt.
768
769         Add test and branch based on BaseIndex addressing for x86_64.
770         Fast loops are needed to compete with clang on tight loops.
771
772         * assembler/MacroAssembler.h:
773         * assembler/MacroAssemblerX86_64.h:
774         (JSC::MacroAssemblerX86_64::branch64):
775         (JSC::MacroAssemblerX86_64::branchPtr):
776         * assembler/X86Assembler.h:
777         (JSC::X86Assembler::cmpq_rm):
778
779 2013-12-23  Oliver Hunt  <oliver@apple.com>
780
781         Update custom setter implementations to perform type checks
782         https://bugs.webkit.org/show_bug.cgi?id=126171
783
784         Reviewed by Daniel Bates.
785
786         Modify the setter function signature to take encoded values
787         as we're changing the setter usage everywhere anyway.
788
789         * runtime/Lookup.h:
790         (JSC::putEntry):
791
792 2013-12-23  Lucas Forschler  <lforschler@apple.com>
793
794         <rdar://problem/15682948> Update copyright strings
795         
796         Reviewed by Dan Bernstein.
797
798         * Info.plist:
799         * JavaScriptCore.vcxproj/JavaScriptCore.resources/Info.plist:
800
801 2013-12-23  Zan Dobersek  <zdobersek@igalia.com>
802
803         [GTK] Clean up compiler optimizations flags for libWTF, libJSC
804         https://bugs.webkit.org/show_bug.cgi?id=126157
805
806         Reviewed by Gustavo Noronha Silva.
807
808         * GNUmakefile.am: Remove the -fstrict-aliasing and -O3 compiler flags for libWTF.la. -O3 gets
809         overridden by -O2 that's listed in CXXFLAGS (or -O0 in case of debug builds) and -fstrict-aliasing
810         is enabled when -O2 is used (and shouldn't be enabled in debug builds anyway).
811
812 2013-12-22  Martin Robinson  <mrobinson@igalia.com>
813
814         [CMake] Fix typo from r160812
815         https://bugs.webkit.org/show_bug.cgi?id=126145
816
817         Reviewed by Gustavo Noronha Silva.
818
819         * CMakeLists.txt: Fix typo when detecting the type of library.
820
821 2013-12-22  Martin Robinson  <mrobinson@igalia.com>
822
823         [GTK][CMake] libtool-compatible soversion calculation
824         https://bugs.webkit.org/show_bug.cgi?id=125511
825
826         Reviewed by Gustavo Noronha Silva.
827
828         * CMakeLists.txt: Use the POPULATE_LIBRARY_VERSION macro and the
829         library-specific version information.
830
831 2013-12-23  Gustavo Noronha Silva  <gns@gnome.org>
832
833         [GTK] [CMake] Generate pkg-config files
834         https://bugs.webkit.org/show_bug.cgi?id=125685
835
836         Reviewed by Martin Robinson.
837
838         * PlatformGTK.cmake: Added. Generate javascriptcoregtk-3.0.pc.
839
840 2013-12-22  Benjamin Poulain  <benjamin@webkit.org>
841
842         Create a skeleton for CSS Selector code generation
843         https://bugs.webkit.org/show_bug.cgi?id=126044
844
845         Reviewed by Antti Koivisto and Gavin Barraclough.
846
847         * assembler/LinkBuffer.h:
848         Add a new owner UID for code compiled for CSS.
849         Export the symbols needed to link code from WebCore.
850
851 2013-12-19  Mark Hahnenberg  <mhahnenberg@apple.com>
852
853         Clean up DFG write barriers
854         https://bugs.webkit.org/show_bug.cgi?id=126047
855
856         Reviewed by Filip Pizlo.
857
858         * dfg/DFGSpeculativeJIT.cpp:
859         (JSC::DFG::SpeculativeJIT::storeToWriteBarrierBuffer): Use the register allocator to 
860         determine which registers need saving instead of saving every single one of them.
861         (JSC::DFG::SpeculativeJIT::osrWriteBarrier): We don't need to save live register state 
862         because the write barriers during OSR execute when there are no live registers. Also we
863         don't need to use pushes to pad the stack pointer for pokes on x86; we can just use an add.
864         (JSC::DFG::SpeculativeJIT::writeBarrier):
865         * dfg/DFGSpeculativeJIT.h:
866         * jit/Repatch.cpp:
867         (JSC::emitPutReplaceStub):
868         (JSC::emitPutTransitionStub):
869         * runtime/VM.h: Get rid of writeBarrierRegisterBuffer since it's no longer used.
870
871 2013-12-20  Balazs Kilvady  <kilvadyb@homejinni.com>
872
873         [MIPS] Missing MacroAssemblerMIPS::branchTest8(ResultCondition, BaseIndex, TrustedImm32)
874         https://bugs.webkit.org/show_bug.cgi?id=126062
875
876         Reviewed by Mark Hahnenberg.
877
878         * assembler/MacroAssemblerMIPS.h:
879         (JSC::MacroAssemblerMIPS::branchTest8):
880
881 2013-12-20  Julien Brianceau  <jbriance@cisco.com>
882
883         [sh4] Add missing implementation in MacroAssembler to fix build.
884         https://bugs.webkit.org/show_bug.cgi?id=126063
885
886         Reviewed by Mark Hahnenberg.
887
888         * assembler/MacroAssemblerSH4.h:
889         (JSC::MacroAssemblerSH4::branchTest8):
890
891 2013-12-20  Julien Brianceau  <jbriance@cisco.com>
892
893         [arm] Add missing implementation in MacroAssembler to fix CPU(ARM_TRADITIONAL) build.
894         https://bugs.webkit.org/show_bug.cgi?id=126064
895
896         Reviewed by Mark Hahnenberg.
897
898         * assembler/MacroAssemblerARM.h:
899         (JSC::MacroAssemblerARM::branchTest8):
900
901 2013-12-19  Joseph Pecoraro  <pecoraro@apple.com>
902
903         Web Inspector: Add InspectorFrontendHost.debuggableType to let the frontend know its backend is JavaScript or Web
904         https://bugs.webkit.org/show_bug.cgi?id=126016
905
906         Reviewed by Timothy Hatcher.
907
908         * inspector/remote/RemoteInspector.mm:
909         (Inspector::RemoteInspector::listingForDebuggable):
910         * inspector/remote/RemoteInspectorConstants.h:
911         Include a debuggable type identifier in the debuggable listing,
912         so the remote frontend can know if it is debugging a Web Page
913         or JS Context.
914
915 2013-12-19  Benjamin Poulain  <benjamin@webkit.org>
916
917         Add a utility class to simplify generating function calls
918         https://bugs.webkit.org/show_bug.cgi?id=125972
919
920         Reviewed by Geoffrey Garen.
921
922         Split branchTest32 in two functions: test32AndSetFlags and branchOnFlags.
923         This is done to allow code where the flags are set, multiple operations that
924         do not modify the flags occur, then the flags are used.
925
926         This is used for function calls to test the return value while discarding the
927         return register.
928
929         * assembler/MacroAssemblerX86Common.h:
930         (JSC::MacroAssemblerX86Common::test32AndSetFlags):
931         (JSC::MacroAssemblerX86Common::branchOnFlags):
932         (JSC::MacroAssemblerX86Common::branchTest32):
933
934 2013-12-19  Mark Hahnenberg  <mhahnenberg@apple.com>
935
936         Put write barriers in the right places in the baseline JIT
937         https://bugs.webkit.org/show_bug.cgi?id=125975
938
939         Reviewed by Filip Pizlo.
940
941         * jit/JIT.cpp:
942         (JSC::JIT::privateCompileSlowCases):
943         * jit/JIT.h:
944         * jit/JITInlines.h:
945         (JSC::JIT::callOperation):
946         (JSC::JIT::emitArrayProfilingSite):
947         * jit/JITOpcodes.cpp:
948         (JSC::JIT::emit_op_enter):
949         (JSC::JIT::emitSlow_op_enter):
950         * jit/JITOpcodes32_64.cpp:
951         (JSC::JIT::emit_op_enter):
952         (JSC::JIT::emitSlow_op_enter):
953         * jit/JITPropertyAccess.cpp:
954         (JSC::JIT::emit_op_put_by_val):
955         (JSC::JIT::emitGenericContiguousPutByVal):
956         (JSC::JIT::emitArrayStoragePutByVal):
957         (JSC::JIT::emit_op_put_by_id):
958         (JSC::JIT::emitPutGlobalProperty):
959         (JSC::JIT::emitPutGlobalVar):
960         (JSC::JIT::emitPutClosureVar):
961         (JSC::JIT::emit_op_init_global_const):
962         (JSC::JIT::checkMarkWord):
963         (JSC::JIT::emitWriteBarrier):
964         (JSC::JIT::privateCompilePutByVal):
965         * jit/JITPropertyAccess32_64.cpp:
966         (JSC::JIT::emitGenericContiguousPutByVal):
967         (JSC::JIT::emitArrayStoragePutByVal):
968         (JSC::JIT::emit_op_put_by_id):
969         (JSC::JIT::emitSlow_op_put_by_id):
970         (JSC::JIT::emitPutGlobalProperty):
971         (JSC::JIT::emitPutGlobalVar):
972         (JSC::JIT::emitPutClosureVar):
973         (JSC::JIT::emit_op_init_global_const):
974         * jit/Repatch.cpp:
975         (JSC::emitPutReplaceStub):
976         (JSC::emitPutTransitionStub):
977         (JSC::repatchPutByID):
978         * runtime/CommonSlowPaths.cpp:
979         (JSC::SLOW_PATH_DECL):
980         * runtime/CommonSlowPaths.h:
981
982 2013-12-19  Brent Fulgham  <bfulgham@apple.com>
983
984         Implement ArrayBuffer.isView
985         https://bugs.webkit.org/show_bug.cgi?id=126004
986
987         Reviewed by Filip Pizlo.
988
989         Test coverage in webgl/1.0.2/resources/webgl_test_files/conformance/typedarrays/array-unit-tests.html
990
991         * runtime/JSArrayBufferConstructor.cpp:
992         (JSC::JSArrayBufferConstructor::finishCreation): Add 'isView' to object constructor.
993         (JSC::arrayBufferFuncIsView): New method.
994
995 2013-12-19  Mark Lam  <mark.lam@apple.com>
996
997         Fix broken C loop LLINT build.
998         https://bugs.webkit.org/show_bug.cgi?id=126024
999
1000         Reviewed by Oliver Hunt.
1001
1002         * runtime/VM.h:
1003
1004 2013-12-18  Mark Hahnenberg  <mhahnenberg@apple.com>
1005
1006         DelayedReleaseScope is in the wrong place
1007         https://bugs.webkit.org/show_bug.cgi?id=125876
1008
1009         Reviewed by Geoffrey Garen.
1010
1011         The DelayedReleaseScope needs to be around the free list sweeping in MarkedAllocator::tryAllocateHelper. 
1012         This location gives us a good safe point between getting ready to allocate (i.e. identifying a non-empty
1013         free list) and doing the actual allocation (popping the free list).
1014
1015         * heap/MarkedAllocator.cpp:
1016         (JSC::MarkedAllocator::tryAllocateHelper):
1017         (JSC::MarkedAllocator::allocateSlowCase):
1018         (JSC::MarkedAllocator::addBlock):
1019         * runtime/JSCellInlines.h:
1020         (JSC::allocateCell):
1021
1022 2013-12-18  Gustavo Noronha Silva  <gns@gnome.org>
1023
1024         [GTK][CMake] make libjavascriptcoregtk a public shared library again
1025         https://bugs.webkit.org/show_bug.cgi?id=125512
1026
1027         Reviewed by Martin Robinson.
1028
1029         * CMakeLists.txt: use target type instead of SHARED_CORE to decide whether
1030         JavaScriptCore is a shared library, since it's always shared for GTK+ regardless
1031         of SHARED_CORE.
1032
1033 2013-12-18  Benjamin Poulain  <benjamin@webkit.org>
1034
1035         Add a simple stack abstraction for x86_64
1036         https://bugs.webkit.org/show_bug.cgi?id=125908
1037
1038         Reviewed by Geoffrey Garen.
1039
1040         * assembler/MacroAssemblerX86_64.h:
1041         (JSC::MacroAssemblerX86_64::addPtrNoFlags):
1042         Add an explicit abstraction for the "lea" instruction. This is needed
1043         by the experimental JIT to have add and subtract without changing the flags.
1044
1045         This is useful for function calls to test the return value, restore the registers,
1046         then branch on the flags from the return value.
1047
1048 2013-12-18  Mark Hahnenberg  <mhahnenberg@apple.com>
1049
1050         DFG should have a separate StoreBarrier node
1051         https://bugs.webkit.org/show_bug.cgi?id=125530
1052
1053         Reviewed by Filip Pizlo.
1054
1055         This is in preparation for GenGC. We use a separate StoreBarrier node instead of making them implicitly 
1056         part of other nodes so that it's easier to run analyses on them, e.g. for the StoreBarrierElisionPhase. 
1057         They are inserted during the fixup phase. Initially they do not generate any code.
1058
1059         * CMakeLists.txt:
1060         * GNUmakefile.list.am:
1061         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1062         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1063         * JavaScriptCore.xcodeproj/project.pbxproj:
1064         * dfg/DFGAbstractHeap.h:
1065         * dfg/DFGAbstractInterpreter.h:
1066         (JSC::DFG::AbstractInterpreter::isKnownNotCell):
1067         * dfg/DFGAbstractInterpreterInlines.h:
1068         (JSC::DFG::::executeEffects):
1069         * dfg/DFGClobberize.h:
1070         (JSC::DFG::clobberizeForAllocation):
1071         (JSC::DFG::clobberize):
1072         * dfg/DFGConstantFoldingPhase.cpp:
1073         (JSC::DFG::ConstantFoldingPhase::foldConstants): Whenever we insert new nodes that require StoreBarriers,
1074         we have to add those new StoreBarriers too. It's important to note that AllocatePropertyStorage and 
1075         ReallocatePropertyStorage nodes require their StoreBarriers to come after them since they allocate first,
1076         which could cause a GC, and then store the resulting buffer into their JSCell, which requires the barrier.
1077         If we ever require that write barriers occur before stores, we'll have to split these nodes into 
1078         AllocatePropertyStorage + StoreBarrier + PutPropertyStorage.
1079         * dfg/DFGFixupPhase.cpp:
1080         (JSC::DFG::FixupPhase::fixupNode):
1081         (JSC::DFG::FixupPhase::insertStoreBarrier):
1082         * dfg/DFGNode.h:
1083         (JSC::DFG::Node::isStoreBarrier):
1084         * dfg/DFGNodeType.h:
1085         * dfg/DFGOSRExitCompiler32_64.cpp:
1086         (JSC::DFG::OSRExitCompiler::compileExit):
1087         * dfg/DFGOSRExitCompiler64.cpp:
1088         (JSC::DFG::OSRExitCompiler::compileExit):
1089         * dfg/DFGPlan.cpp:
1090         (JSC::DFG::Plan::compileInThreadImpl):
1091         * dfg/DFGPredictionPropagationPhase.cpp:
1092         (JSC::DFG::PredictionPropagationPhase::propagate):
1093         * dfg/DFGSafeToExecute.h:
1094         (JSC::DFG::safeToExecute):
1095         * dfg/DFGSpeculativeJIT.cpp:
1096         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1097         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1098         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
1099         (JSC::DFG::SpeculativeJIT::genericWriteBarrier): The fast path write barrier check. It loads the 
1100         byte that contains the mark bit of the object. 
1101         (JSC::DFG::SpeculativeJIT::storeToWriteBarrierBuffer): If the fast path check fails we try to store the 
1102         cell in the WriteBarrierBuffer so as to avoid frequently flushing all registers in order to make a C call.
1103         (JSC::DFG::SpeculativeJIT::writeBarrier):
1104         (JSC::DFG::SpeculativeJIT::osrWriteBarrier): More barebones version of the write barrier to be executed 
1105         during an OSR exit into baseline code. We must do this so that the baseline JIT object and array profiles 
1106         are properly cleared during GC.
1107         * dfg/DFGSpeculativeJIT.h:
1108         (JSC::DFG::SpeculativeJIT::callOperation):
1109         * dfg/DFGSpeculativeJIT32_64.cpp:
1110         (JSC::DFG::SpeculativeJIT::cachedPutById):
1111         (JSC::DFG::SpeculativeJIT::compileBaseValueStoreBarrier):
1112         (JSC::DFG::SpeculativeJIT::compile):
1113         (JSC::DFG::SpeculativeJIT::writeBarrier):
1114         * dfg/DFGSpeculativeJIT64.cpp:
1115         (JSC::DFG::SpeculativeJIT::cachedPutById):
1116         (JSC::DFG::SpeculativeJIT::compileBaseValueStoreBarrier):
1117         (JSC::DFG::SpeculativeJIT::compile):
1118         (JSC::DFG::SpeculativeJIT::writeBarrier):
1119         * dfg/DFGStoreBarrierElisionPhase.cpp: Added. New DFG phase that does block-local elision of redundant
1120         StoreBarriers. Every time a StoreBarrier on a particular object is executed, a bit is set indicating that 
1121         that object doesn't need any more StoreBarriers. 
1122         (JSC::DFG::StoreBarrierElisionPhase::StoreBarrierElisionPhase):
1123         (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC): Nodes that could cause a GC reset the bits for all of the 
1124         objects known in the current block. 
1125         (JSC::DFG::StoreBarrierElisionPhase::allocatesFreshObject): A node that creates a new object automatically 
1126         sets the bit for that object since if a GC occurred as the result of that object's allocation then that 
1127         object would not need a barrier since it would be guaranteed to be a young generation object until the 
1128         next GC point.
1129         (JSC::DFG::StoreBarrierElisionPhase::noticeFreshObject):
1130         (JSC::DFG::StoreBarrierElisionPhase::getBaseOfStore):
1131         (JSC::DFG::StoreBarrierElisionPhase::shouldBeElided):
1132         (JSC::DFG::StoreBarrierElisionPhase::elideBarrier):
1133         (JSC::DFG::StoreBarrierElisionPhase::handleNode):
1134         (JSC::DFG::StoreBarrierElisionPhase::handleBlock):
1135         (JSC::DFG::StoreBarrierElisionPhase::run):
1136         (JSC::DFG::performStoreBarrierElision):
1137         * dfg/DFGStoreBarrierElisionPhase.h: Added.
1138         * heap/Heap.cpp:
1139         (JSC::Heap::Heap):
1140         (JSC::Heap::flushWriteBarrierBuffer):
1141         * heap/Heap.h:
1142         (JSC::Heap::writeBarrier):
1143         * heap/MarkedBlock.h:
1144         (JSC::MarkedBlock::offsetOfMarks):
1145         * heap/WriteBarrierBuffer.cpp: Added. The WriteBarrierBuffer buffers a set of JSCells that are awaiting 
1146         a pending WriteBarrier. This buffer is used by the DFG to avoid the overhead of calling out to C repeatedly
1147         to invoke a write barrier on a single JSCell. Instead the DFG has inline code to fill the WriteBarrier buffer
1148         until it's full, and then to call out to C to flush it. The WriteBarrierBuffer will also be flushed prior to
1149         each EdenCollection.
1150         (JSC::WriteBarrierBuffer::WriteBarrierBuffer):
1151         (JSC::WriteBarrierBuffer::~WriteBarrierBuffer):
1152         (JSC::WriteBarrierBuffer::flush):
1153         (JSC::WriteBarrierBuffer::reset):
1154         (JSC::WriteBarrierBuffer::add):
1155         * heap/WriteBarrierBuffer.h: Added.
1156         (JSC::WriteBarrierBuffer::currentIndexOffset):
1157         (JSC::WriteBarrierBuffer::capacityOffset):
1158         (JSC::WriteBarrierBuffer::bufferOffset):
1159         * jit/JITOperations.cpp:
1160         * jit/JITOperations.h:
1161         * runtime/VM.h:
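
        The block-local StoreBarrier elision and the WriteBarrierBuffer described in the entry above, as an added
        C++ model that is not JSC code: the node kinds, the `Node`/`WriteBarrierBuffer` names and the sample block
        are assumptions made for illustration.

```cpp
// Added example, not JSC code: a model of the block-local StoreBarrier elision and of the
// WriteBarrierBuffer described in the entry above. Node kinds and all names are assumptions.
#include <cstddef>
#include <set>
#include <vector>

enum class Op {
    NewObject,     // allocates a fresh (young) object
    PutById,       // a store whose base object is a barrier candidate
    StoreBarrier,  // explicit barrier node for the preceding store's base
    Call           // may allocate and therefore trigger a GC
};

struct Node {
    Node(Op o, int b) : op(o), base(b) {}
    Op op;
    int base;            // object id (-1 when the node has no base object)
    bool elided = false; // set when the elision phase removes this barrier
};

// Conservative on purpose: a barrier dropped across an unnoticed GC would leave an old-to-young
// pointer the collector never sees, so any node that might collect resets all knowledge.
bool couldCauseGC(const Node& n) { return n.op == Op::NewObject || n.op == Op::Call; }

bool allocatesFreshObject(const Node& n) { return n.op == Op::NewObject; }

// Block-local elision: one executed barrier (or a fresh allocation) covers later stores to the
// same object until the next GC point. Returns how many barriers were elided.
std::size_t elideStoreBarriers(std::vector<Node>& block) {
    std::set<int> barrierFree;  // objects that need no further barrier in this block
    std::size_t elided = 0;
    for (Node& n : block) {
        if (couldCauseGC(n))
            barrierFree.clear();         // every object may have been promoted
        if (allocatesFreshObject(n))
            barrierFree.insert(n.base);  // young until the next GC point
        if (n.op != Op::StoreBarrier)
            continue;
        if (barrierFree.count(n.base)) {
            n.elided = true;
            ++elided;
        } else {
            barrierFree.insert(n.base);  // this barrier covers the rest of the block
        }
    }
    return elided;
}

// Cells whose fast-path mark-bit check failed are collected here and flushed in one call,
// instead of spilling every register for each individual barrier.
class WriteBarrierBuffer {
public:
    explicit WriteBarrierBuffer(std::size_t capacity) : m_capacity(capacity) {}
    // Returns true when adding this cell forced a flush (the out-of-line path).
    bool add(int cell) {
        bool flushed = false;
        if (m_buffer.size() == m_capacity) {
            flush();
            flushed = true;
        }
        m_buffer.push_back(cell);
        return flushed;
    }
    // Models the C call: every buffered cell gets its barrier applied. The same flush runs
    // before each eden collection so nothing pending is missed.
    void flush() {
        for (int cell : m_buffer)
            m_remembered.insert(cell);
        m_buffer.clear();
        ++m_flushCount;
    }
    std::size_t pending() const { return m_buffer.size(); }
    std::size_t flushCount() const { return m_flushCount; }
    bool isRemembered(int cell) const { return m_remembered.count(cell) != 0; }

private:
    std::size_t m_capacity;
    std::vector<int> m_buffer;
    std::set<int> m_remembered;
    std::size_t m_flushCount = 0;
};

// Constructed sample block: object 1 is fresh, object 2 pre-exists, and a Call separates the
// early stores to object 1 from the late one.
std::vector<Node> sampleBlock() {
    return {
        {Op::NewObject, 1},
        {Op::PutById, 1}, {Op::StoreBarrier, 1},  // elided: object 1 is fresh
        {Op::PutById, 1}, {Op::StoreBarrier, 1},  // elided: no GC point since
        {Op::PutById, 2}, {Op::StoreBarrier, 2},  // kept: object 2 is unknown
        {Op::PutById, 2}, {Op::StoreBarrier, 2},  // elided: covered by the barrier above
        {Op::Call, -1},
        {Op::PutById, 1}, {Op::StoreBarrier, 1},  // kept: the call may have promoted object 1
    };
}
```

        Running `elideStoreBarriers` over `sampleBlock()` elides three of the five barriers; a buffer of
        capacity 2 flushes its first two cells on the third `add`.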
1162
1163 2013-12-18  Carlos Garcia Campos  <cgarcia@igalia.com>
1164
1165         Unreviewed. Fix make distcheck.
1166
1167         * GNUmakefile.am:
1168
1169 2013-12-17  Julien Brianceau  <jbriance@cisco.com>
1170
1171         Fix armv7 and sh4 builds.
1172         https://bugs.webkit.org/show_bug.cgi?id=125848
1173
1174         Reviewed by Csaba Osztrogonác.
1175
1176         * assembler/ARMv7Assembler.h: Include limits.h for INT_MIN.
1177         * assembler/SH4Assembler.h: Include limits.h for INT_MIN.
1178
1179 2013-12-16  Oliver Hunt  <oliver@apple.com>
1180
1181         Avoid indirect function calls for custom getters
1182         https://bugs.webkit.org/show_bug.cgi?id=125821
1183
1184         Reviewed by Mark Hahnenberg.
1185
1186         Rather than invoking a helper function to perform an indirect call
1187         through a function pointer, just have the JIT call the function directly.
1188
1189         Unfortunately this only works in JSVALUE64 at the moment as there
1190         is not an obvious way to pass two EncodedJSValues uniformly over
1191         the various affected JITs.
1192
1193         * jit/CCallHelpers.h:
1194         (JSC::CCallHelpers::setupArguments):
1195         * jit/Repatch.cpp:
1196         (JSC::generateProtoChainAccessStub):
1197         (JSC::tryBuildGetByIDList):
1198
1199 2013-12-16  Joseph Pecoraro  <pecoraro@apple.com>
1200
1201         Fix some whitespace issues in inspector code
1202         https://bugs.webkit.org/show_bug.cgi?id=125814
1203
1204         Reviewed by Darin Adler.
1205
1206         * inspector/protocol/Debugger.json:
1207         * inspector/protocol/Runtime.json:
1208         * inspector/scripts/CodeGeneratorInspector.py:
1209         (Generator.process_command):
1210
1211 2013-12-16  Mark Hahnenberg  <mhahnenberg@apple.com>
1212
1213         Add some missing functions to MacroAssembler
1214         https://bugs.webkit.org/show_bug.cgi?id=125809
1215
1216         Reviewed by Oliver Hunt.
1217
1218         * assembler/AbstractMacroAssembler.h:
1219         * assembler/AssemblerBuffer.h:
1220         * assembler/LinkBuffer.cpp:
1221         * assembler/MacroAssembler.h:
1222         (JSC::MacroAssembler::storePtr):
1223         (JSC::MacroAssembler::andPtr):
1224         * assembler/MacroAssemblerARM64.h:
1225         (JSC::MacroAssemblerARM64::and64):
1226         (JSC::MacroAssemblerARM64::branchTest8):
1227         * assembler/MacroAssemblerARMv7.h:
1228         (JSC::MacroAssemblerARMv7::branchTest8):
1229         * assembler/X86Assembler.h:
1230
1231 2013-12-16  Brent Fulgham  <bfulgham@apple.com>
1232
1233         [Win] Remove dead code after conversion to VS2013
1234         https://bugs.webkit.org/show_bug.cgi?id=125795
1235
1236         Reviewed by Darin Adler.
1237
1238         * API/tests/testapi.c: Remove local nan implementation
1239
1240 2013-12-16  Oliver Hunt  <oliver@apple.com>
1241
1242         Cache getters and custom accessors on the prototype chain
1243         https://bugs.webkit.org/show_bug.cgi?id=125602
1244
1245         Reviewed by Michael Saboff.
1246
1247         Support caching of custom getters and accessors on the prototype chain.
1248         This is relatively trivial and just requires a little work compared to
1249         the direct access mode as we're under more register pressure.
1250
1251         * bytecode/StructureStubInfo.h:
1252         Removed the unused initGetByIdProto as it was confusing to still have it present.
1253         * jit/Repatch.cpp:
1254         (JSC::generateProtoChainAccessStub):
1255         (JSC::tryCacheGetByID):
1256         (JSC::tryBuildGetByIDList):
1257
1258 2013-12-16  Mark Lam  <mark.lam@apple.com>
1259
1260         Change slow path result to take a void* instead of a ExecState*.
1261         https://bugs.webkit.org/show_bug.cgi?id=125802
1262
1263         Reviewed by Filip Pizlo.
1264
1265         This is in preparation for C Stack OSR entry work that is coming soon.
1266         In the OSR entry case, we'll be returning a topOfFrame pointer value
1267         instead of the ExecState*.
1268
1269         * offlineasm/cloop.rb:
1270         * runtime/CommonSlowPaths.h:
1271         (JSC::encodeResult):
1272         (JSC::decodeResult):
1273
1274 2013-12-16  Alex Christensen  <achristensen@webkit.org>
1275
1276         Fixed Win64 build on VS2013.
1277         https://bugs.webkit.org/show_bug.cgi?id=125753
1278
1279         Reviewed by Brent Fulgham.
1280
1281         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1282         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj:
1283         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
1284         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
1285         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
1286         * JavaScriptCore.vcxproj/jsc/jsc.vcxproj:
1287         * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj:
1288         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
1289         Added correct PlatformToolset for 64-bit builds.
1290
1291 2013-12-16  Peter Szanka  <h868064@stud.u-szeged.hu>
1292
1293         Delete RVCT related code parts.
1294         https://bugs.webkit.org/show_bug.cgi?id=125626
1295
1296         Reviewed by Darin Adler.
1297
1298         * assembler/ARMAssembler.cpp:
1299         * assembler/ARMAssembler.h:
1300         (JSC::ARMAssembler::cacheFlush):
1301         * assembler/MacroAssemblerARM.cpp:
1302         (JSC::isVFPPresent):
1303         * jit/JITStubsARM.h:
1304         * jit/JITStubsARMv7.h:
1305
1306 2013-12-15  Ryosuke Niwa  <rniwa@webkit.org>
1307
1308         REGRESSION: 2x regression on Dromaeo DOM query tests
1309         https://bugs.webkit.org/show_bug.cgi?id=125377
1310
1311         Reviewed by Filip Pizlo.
1312
1313         The bug was caused by JSC not JIT'ing property access on "document" due to its type info having
1314         HasImpureGetOwnPropertySlot flag.
1315
1316         Fixed the bug by new type info flag NewImpurePropertyFiresWatchpoints, which allows the baseline
1317         JIT to generate byte code for accessing properties on an object with named properties (a.k.a.
1318         custom name getter) in DOM. When a new named property appears on the object, the VM is notified via
1319         VM::addImpureProperty and fires StructureStubClearingWatchpoint added during the repatch.
1320
1321         * bytecode/GetByIdStatus.cpp:
1322         (JSC::GetByIdStatus::computeFromLLInt): Take the slow path if we have any object with impure
1323         properties in the prototype chain.
1324         (JSC::GetByIdStatus::computeForChain): Ditto.
1325
1326         * jit/Repatch.cpp:
1327         (JSC::repatchByIdSelfAccess): Throw away the byte code when a new impure property is added on any
1328         object in the prototype chain via StructureStubClearingWatchpoint.
1329         (JSC::generateProtoChainAccessStub): Ditto.
1330         (JSC::tryCacheGetByID):
1331         (JSC::tryBuildGetByIDList):
1332         (JSC::tryRepatchIn): Ditto.
1333
1334         * runtime/JSTypeInfo.h: Added NewImpurePropertyFiresWatchpoints.
1335         (JSC::TypeInfo::newImpurePropertyFiresWatchpoints): Added.
1336
1337         * runtime/Operations.h:
1338         (JSC::normalizePrototypeChainForChainAccess): Don't exit early if the VM will be notified of new
1339         impure properties, even if the object had impure properties.
1340
1341         * runtime/Structure.h:
1342         (JSC::Structure::takesSlowPathInDFGForImpureProperty): Added. Wraps hasImpureGetOwnPropertySlot and
1343         asserts that newImpurePropertyFiresWatchpoints is true whenever hasImpureGetOwnPropertySlot is true.
1344
1345         * runtime/VM.cpp:
1346         (JSC::VM::registerWatchpointForImpureProperty): Added.
1347         (JSC::VM::addImpureProperty): Added. HTMLDocument calls it to notify JSC of a new impure property.
1348
1349         * runtime/VM.h:
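
        The NewImpurePropertyFiresWatchpoints scheme from the entry above, as an added C++ model that is not
        JSC code: `ObjectKind`, `CacheEntry`, `ImpurePropertyRegistry` and the document-like sample object are
        assumed names standing in for the Structure type info, the get-by-id stub and the VM's watchpoint set.

```cpp
// Added example, not JSC code: a model of the NewImpurePropertyFiresWatchpoints scheme from the
// entry above. ObjectKind, CacheEntry and ImpurePropertyRegistry are assumed names.
#include <cstddef>
#include <map>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Stand-in for a Structure's type info: ordinary own properties plus the two flags the entry uses.
struct ObjectKind {
    std::map<std::string, int> ownProperties;       // name -> slot offset
    bool hasImpureGetOwnPropertySlot = false;       // named getters can shadow lookups
    bool newImpurePropertyFiresWatchpoints = false; // ...and the host promises to tell the VM
};

// One inline-cache stub: the cached slot offset, cleared when its watchpoint fires.
struct CacheEntry {
    explicit CacheEntry(int o) : offset(o) {}
    int offset;
    bool valid = true;
};

// Models VM::registerWatchpointForImpureProperty / VM::addImpureProperty.
class ImpurePropertyRegistry {
public:
    void registerWatchpoint(const std::string& name, std::shared_ptr<CacheEntry> stub) {
        m_watchpoints[name].push_back(std::move(stub));
    }
    // Called by the host when a new named property appears. Returns how many stubs were cleared.
    std::size_t addImpureProperty(const std::string& name) {
        auto it = m_watchpoints.find(name);
        if (it == m_watchpoints.end())
            return 0;
        std::size_t fired = 0;
        for (auto& stub : it->second) {
            if (stub->valid) {
                stub->valid = false;  // the cached offset would now be the wrong answer
                ++fired;
            }
        }
        m_watchpoints.erase(it);
        return fired;
    }

private:
    std::map<std::string, std::vector<std::shared_ptr<CacheEntry>>> m_watchpoints;
};

// The decision the entry describes: an impure object is cacheable only when the host
// guarantees that new impure properties fire watchpoints.
bool canCacheGetById(const ObjectKind& kind) {
    return !kind.hasImpureGetOwnPropertySlot || kind.newImpurePropertyFiresWatchpoints;
}

// Models tryCacheGetByID: returns the stub, or nullptr when the access must stay on the slow path.
std::shared_ptr<CacheEntry> tryCacheGetById(const ObjectKind& kind, const std::string& name,
                                            ImpurePropertyRegistry& vm) {
    if (!canCacheGetById(kind))
        return nullptr;
    auto slot = kind.ownProperties.find(name);
    if (slot == kind.ownProperties.end())
        return nullptr;
    auto stub = std::make_shared<CacheEntry>(slot->second);
    if (kind.hasImpureGetOwnPropertySlot)
        vm.registerWatchpoint(name, stub);  // a later named property of this name clears the stub
    return stub;
}

// Constructed sample: a document-like object (impure, but notifying) and a silent impure one.
ObjectKind documentLike() {
    ObjectKind kind;
    kind.ownProperties = {{"title", 0}, {"body", 1}};
    kind.hasImpureGetOwnPropertySlot = true;
    kind.newImpurePropertyFiresWatchpoints = true;
    return kind;
}

ObjectKind legacyImpure() {  // impure and silent: must never be cached
    ObjectKind kind = documentLike();
    kind.newImpurePropertyFiresWatchpoints = false;
    return kind;
}
```

        A stub cached for `title` on the document-like object survives `addImpureProperty("body")` and is
        cleared by `addImpureProperty("title")`; the silent impure object never gets a stub at all.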
1350
1351 2013-12-15  Andy Estes  <aestes@apple.com>
1352
1353         [iOS] Upstream changes to FeatureDefines.xcconfig
1354         https://bugs.webkit.org/show_bug.cgi?id=125742
1355
1356         Reviewed by Dan Bernstein.
1357
1358         * Configurations/FeatureDefines.xcconfig:
1359
1360 2013-12-14  Filip Pizlo  <fpizlo@apple.com>
1361
1362         FTL should *really* know when things are flushed
1363         https://bugs.webkit.org/show_bug.cgi?id=125747
1364
1365         Reviewed by Sam Weinig.
1366         
1367         Fix more codegen badness. This makes V8v7's crypto am3() function run faster in the FTL
1368         than in DFG. This means that even if we just compile those functions in V8v7 that don't
1369         make calls, the FTL gives us a 2% speed-up over the DFG. That's pretty good considering
1370         that we have still more optimizations to fix and we can make calls work.
1371
1372         * dfg/DFGSSAConversionPhase.cpp:
1373         (JSC::DFG::SSAConversionPhase::run):
1374         * ftl/FTLCompile.cpp:
1375         (JSC::FTL::fixFunctionBasedOnStackMaps):
1376
1377 2013-12-14  Andy Estes  <aestes@apple.com>
1378
1379         Unify FeatureDefines.xcconfig
1380         https://bugs.webkit.org/show_bug.cgi?id=125741
1381
1382         Rubber-stamped by Dan Bernstein.
1383
1384         * Configurations/FeatureDefines.xcconfig: Enable ENABLE_MEDIA_SOURCE.
1385
1386 2013-12-14  Mark Rowe  <mrowe@apple.com>
1387
1388         Build fix after r160557.
1389
1390         r160557 added the first generated header to JavaScriptCore that needs to be installed into
1391         the framework wrapper. Sadly JavaScriptCore's Derived Sources target was not set to generate
1392         headers when invoked as part of the installhdrs action. This resulted in the build failing
1393         due to Xcode being unable to find the header file to install. The fix for this is to configure
1394         the Derived Sources target to use JavaScriptCore.xcconfig, which sets INSTALLHDRS_SCRIPT_PHASE
1395         to YES and allows Xcode to generate derived sources during the installhdrs action.
1396
1397         Enabling INSTALLHDRS_SCRIPT_PHASE required tweaking the Generate Derived Sources script build
1398         phase to skip running code related to offlineasm that depends on JSCLLIntOffsetExtractor
1399         having been compiled, which isn't the case at installhdrs time.
1400
1401         * JavaScriptCore.xcodeproj/project.pbxproj:
1402
1403 2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>
1404
1405         Some Set and Map prototype functions have incorrect function lengths
1406         https://bugs.webkit.org/show_bug.cgi?id=125732
1407
1408         Reviewed by Oliver Hunt.
1409
1410         * runtime/MapPrototype.cpp:
1411         (JSC::MapPrototype::finishCreation):
1412         * runtime/SetPrototype.cpp:
1413         (JSC::SetPrototype::finishCreation):
1414
1415 2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>
1416
1417         Web Inspector: Move Inspector and Debugger protocol domains into JavaScriptCore
1418         https://bugs.webkit.org/show_bug.cgi?id=125707
1419
1420         Reviewed by Timothy Hatcher.
1421
1422         * CMakeLists.txt:
1423         * DerivedSources.make:
1424         * GNUmakefile.am:
1425         * inspector/protocol/Debugger.json: Renamed from Source/WebCore/inspector/protocol/Debugger.json.
1426         * inspector/protocol/GenericTypes.json: Added.
1427         * inspector/protocol/InspectorDomain.json: Renamed from Source/WebCore/inspector/protocol/InspectorDomain.json.
1428         Add new files to inspector generation.
1429
1430         * inspector/scripts/CodeGeneratorInspector.py:
1431         (Generator.go):
1432         Only build TypeBuilder output if the domain only has types. Avoid
1433         backend/frontend dispatchers and backend commands.
1434
1435         (TypeBindings.create_type_declaration_.EnumBinding.get_setter_value_expression_pattern):
1436         (format_setter_value_expression):
1437         (Generator.process_command):
1438         (Generator.generate_send_method):
1439         * inspector/scripts/CodeGeneratorInspectorStrings.py:
1440         Export and name the get{JS,Web}EnumConstant function.
1441
1442 2013-12-11  Filip Pizlo  <fpizlo@apple.com>
1443
1444         Get rid of forward exit on UInt32ToNumber by adding an op_unsigned bytecode instruction
1445         https://bugs.webkit.org/show_bug.cgi?id=125553
1446
1447         Reviewed by Oliver Hunt.
1448         
1449         UInt32ToNumber was a super complicated node because it had to do a speculation, but it
1450         would do it after we already had computed the urshift. It couldn't just jump back to the
1451         beginning of the urshift because the inputs to the urshift weren't necessarily live
1452         anymore. We couldn't jump forward to the beginning of the next instruction because the
1453         result of the urshift was not yet unsigned-converted.
1454         
1455         For a while we solved this by forward-exiting in UInt32ToNumber. But that's really
1456         gross and I want to get rid of all forward exits. They cause a lot of bugs.
1457         
1458         We could also have turned UInt32ToNumber to a backwards exit by forcing the inputs to
1459         the urshift to be live. I figure that this might be a bit too extreme.
1460         
1461         So, I just created a new place that we can exit to: I split op_urshift into op_urshift
1462         followed by op_unsigned. op_unsigned is an "unsigned cast" along the lines of what
1463         UInt32ToNumber does. This allows me to get rid of all of the nastiness in the DFG for
1464         forward exiting in UInt32ToNumber.
1465         
1466         This patch enables massive code carnage in the DFG and FTL, and brings us closer to
1467         eliminating one of the DFG's most confusing concepts. On the flipside, it does make the
1468         bytecode slightly more complex (one new instruction). This is a profitable trade. We
1469         want the DFG and FTL to trend towards simplicity, since they are both currently too
1470         complicated.
1471
1472         * bytecode/BytecodeUseDef.h:
1473         (JSC::computeUsesForBytecodeOffset):
1474         (JSC::computeDefsForBytecodeOffset):
1475         * bytecode/CodeBlock.cpp:
1476         (JSC::CodeBlock::dumpBytecode):
1477         * bytecode/Opcode.h:
1478         (JSC::padOpcodeName):
1479         * bytecode/ValueRecovery.cpp:
1480         (JSC::ValueRecovery::dumpInContext):
1481         * bytecode/ValueRecovery.h:
1482         (JSC::ValueRecovery::gpr):
1483         * bytecompiler/NodesCodegen.cpp:
1484         (JSC::BinaryOpNode::emitBytecode):
1485         (JSC::emitReadModifyAssignment):
1486         * dfg/DFGByteCodeParser.cpp:
1487         (JSC::DFG::ByteCodeParser::toInt32):
1488         (JSC::DFG::ByteCodeParser::parseBlock):
1489         * dfg/DFGClobberize.h:
1490         (JSC::DFG::clobberize):
1491         * dfg/DFGNodeType.h:
1492         * dfg/DFGOSRExitCompiler32_64.cpp:
1493         (JSC::DFG::OSRExitCompiler::compileExit):
1494         * dfg/DFGOSRExitCompiler64.cpp:
1495         (JSC::DFG::OSRExitCompiler::compileExit):
1496         * dfg/DFGSpeculativeJIT.cpp:
1497         (JSC::DFG::SpeculativeJIT::compileMovHint):
1498         (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
1499         * dfg/DFGSpeculativeJIT.h:
1500         * dfg/DFGSpeculativeJIT32_64.cpp:
1501         * dfg/DFGSpeculativeJIT64.cpp:
1502         * dfg/DFGStrengthReductionPhase.cpp:
1503         (JSC::DFG::StrengthReductionPhase::handleNode):
1504         (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild):
1505         (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild1):
1506         (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild2):
1507         * ftl/FTLFormattedValue.h:
1508         (JSC::FTL::int32Value):
1509         * ftl/FTLLowerDFGToLLVM.cpp:
1510         (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):
1511         * ftl/FTLValueFormat.cpp:
1512         (JSC::FTL::reboxAccordingToFormat):
1513         (WTF::printInternal):
1514         * ftl/FTLValueFormat.h:
1515         * jit/JIT.cpp:
1516         (JSC::JIT::privateCompileMainPass):
1517         (JSC::JIT::privateCompileSlowCases):
1518         * jit/JIT.h:
1519         * jit/JITArithmetic.cpp:
1520         (JSC::JIT::emit_op_urshift):
1521         (JSC::JIT::emitSlow_op_urshift):
1522         (JSC::JIT::emit_op_unsigned):
1523         (JSC::JIT::emitSlow_op_unsigned):
1524         * jit/JITArithmetic32_64.cpp:
1525         (JSC::JIT::emitRightShift):
1526         (JSC::JIT::emitRightShiftSlowCase):
1527         (JSC::JIT::emit_op_unsigned):
1528         (JSC::JIT::emitSlow_op_unsigned):
1529         * llint/LowLevelInterpreter32_64.asm:
1530         * llint/LowLevelInterpreter64.asm:
1531         * runtime/CommonSlowPaths.cpp:
1532         (JSC::SLOW_PATH_DECL):
1533         * runtime/CommonSlowPaths.h:
1534
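As an added illustration of the split described in the entry above (this is not JSC code; the function names, the `{value, representation}` result shape and the sample inputs are assumptions made here), the JavaScript model below runs the logical right shift as a raw 32-bit operation and then applies a separate "unsigned cast", which takes the double-producing path exactly when the raw result has its top bit set:

```javascript
// Added illustration (not JSC code): model `>>>` as op_urshift followed by
// op_unsigned, the way the entry above describes the bytecode split.

const TWO_32 = 0x100000000;

// Models op_urshift: the raw 32-bit result of a logical right shift, held as
// a signed int32 register value. Shift counts are masked to 5 bits, as the
// JavaScript operator itself does.
function urshiftInt32(a, b) {
  return (a >>> (b & 31)) | 0;
}

// Models op_unsigned / UInt32ToNumber: reinterpret that int32 as a uint32.
// The fast path speculates the value is non-negative (fits an int32). When
// the top bit is set the speculation fails and the result must be a double.
function unsignedCast(i) {
  if (i >= 0) return { value: i, representation: "int32" };
  return { value: i + TWO_32, representation: "double" };
}

// The two instructions in sequence give the full `a >>> b` semantics.
function urshift(a, b) {
  return unsignedCast(urshiftInt32(a, b));
}

// Constructed sample inputs (assumptions, not from the page) covering the
// fast path, the top-bit-set slow path, and a non-integer operand.
const SAMPLE_INPUTS = [
  [-1, 0], [-1, 1], [0x80000000, 0], [-8, 2], [12345, 3],
  [0, 31], [-2147483648, 31], [2 ** 32 - 1, 0], [1.7, 0],
];

// True when the two-step model agrees with the native operator on every
// sample and every "int32" result really does fit in an int32.
function modelMatchesNative(samples) {
  return samples.every(([a, b]) => {
    const r = urshift(a, b);
    const fits = r.representation !== "int32" || r.value === (r.value | 0);
    return fits && r.value === (a >>> b);
  });
}
```

The point of the split is visible in `unsignedCast`: it is a self-contained exit point that needs only the shift's result, so a failed speculation no longer has to keep the shift's inputs alive or exit forward past the shift.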
1535 2013-12-13  Mark Hahnenberg  <mhahnenberg@apple.com>
1536
1537         LLInt should not conditionally branch to labels outside of its function
1538         https://bugs.webkit.org/show_bug.cgi?id=125713
1539
1540         Reviewed by Geoffrey Garen.
1541
1542         Conditional branches are insufficient for jumping to out-of-function labels.
1543         The fix is to use an unconditional jmp to the label combined with a conditional branch around the jmp.
1544
1545         * llint/LowLevelInterpreter32_64.asm:
1546         * llint/LowLevelInterpreter64.asm:
1547
1548 2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>
1549
1550         [GTK] Remove Warnings in building about duplicate INSPECTOR variables
1551         https://bugs.webkit.org/show_bug.cgi?id=125710
1552
1553         Reviewed by Tim Horton.
1554
1555         * GNUmakefile.am:
1556
1557 2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>
1558
1559         Cleanup CodeGeneratorInspectorStrings a bit
1560         https://bugs.webkit.org/show_bug.cgi?id=125705
1561
1562         Reviewed by Timothy Hatcher.
1563
1564         * inspector/scripts/CodeGeneratorInspectorStrings.py:
1565         Use ${foo} variable syntax and add an ASCIILiteral.
1566
1567 2013-12-13  Brent Fulgham  <bfulgham@apple.com>
1568
1569         [Win] Unreviewed build fix after r160563
1570
1571         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: Missed the Debug
1572         target in my last patch.
1573
1574 2013-12-13  Brent Fulgham  <bfulgham@apple.com>
1575
1576         [Win] Unreviewed build fix after r160548
1577
1578         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: Specify
1579         that we are using the vs12_xp target for Makefile-based projects.
1580         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj: Ditto
1581         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: Ditto.
1582
1583 2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>
1584
1585         Make inspector folder groups smarter in JavaScriptCore.xcodeproj
1586         https://bugs.webkit.org/show_bug.cgi?id=125663
1587
1588         Reviewed by Darin Adler.
1589
1590         * JavaScriptCore.xcodeproj/project.pbxproj:
1591
1592 2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>
1593
1594         Web Inspector: Add Inspector Code Generation to JavaScriptCore for Runtime Domain
1595         https://bugs.webkit.org/show_bug.cgi?id=125595
1596
1597         Reviewed by Timothy Hatcher.
1598
1599           - Move CodeGeneration scripts from WebCore into JavaScriptCore/inspector/scripts
1600           - For ports that build WebKit frameworks separately, export the scripts as PrivateHeaders
1601           - Update CodeGeneratorInspector.py in a few ways:
1602             - output dynamic filenames, so JavaScriptCore generates InspectorJSFoo.* and WebCore generates InspectorWebFoo.*
1603             - take in more than one protocol JSON file. The first contains domains to generate, the others are dependencies
1604               that are generated elsewhere that we can depend on for Types.
1605           - Add DerivedSources build step to generate the Inspector Interfaces
1606
1607         * CMakeLists.txt:
1608         * DerivedSources.make:
1609         * GNUmakefile.am:
1610         * GNUmakefile.list.am:
1611         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1612         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1613         * JavaScriptCore.vcxproj/copy-files.cmd:
1614         * JavaScriptCore.xcodeproj/project.pbxproj:
1615         Add scripts and code generation.
1616
1617         * inspector/protocol/Runtime.json: Renamed from Source/WebCore/inspector/protocol/Runtime.json.
1618         Move protocol file into JavaScriptCore so its types will be generated in JavaScriptCore.
1619
1620         * inspector/scripts/CodeGeneratorInspector.py: Renamed from Source/WebCore/inspector/CodeGeneratorInspector.py.
1621         Updates to the script as listed above.
1622
1623         * inspector/scripts/CodeGeneratorInspectorStrings.py: Renamed from Source/WebCore/inspector/CodeGeneratorInspectorStrings.py.
1624         * inspector/scripts/generate-combined-inspector-json.py: Renamed from Source/WebCore/inspector/Scripts/generate-combined-inspector-json.py.
1625         Moved from WebCore into JavaScriptCore for code generation.
1626
1627 2013-12-13  Peter Szanka  <h868064@stud.u-szeged.hu>
1628
1629         Delete INTEL C compiler related code parts.
1630         https://bugs.webkit.org/show_bug.cgi?id=125625
1631
1632         Reviewed by Darin Adler.
1633
1634         * jsc.cpp:
1635         * testRegExp.cpp:
1636
1637 2013-12-13  Brent Fulgham  <bfulgham@apple.com>
1638
1639         [Win] Switch WebKit solution to Visual Studio 2013
1640         https://bugs.webkit.org/show_bug.cgi?id=125192
1641
1642         Reviewed by Anders Carlsson.
1643
1644         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Update for VS2013
1645         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
1646         Ditto
1647         * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Ditto
1648         * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: Ditto
1649         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Ditto
1650
1651 2013-12-12  Joseph Pecoraro  <pecoraro@apple.com>
1652
1653         Add a few more ASCIILiterals
1654         https://bugs.webkit.org/show_bug.cgi?id=125662
1655
1656         Reviewed by Darin Adler.
1657
1658         * inspector/InspectorBackendDispatcher.cpp:
1659         (Inspector::InspectorBackendDispatcher::dispatch):
1660
1661 2013-12-12  Joseph Pecoraro  <pecoraro@apple.com>
1662
1663         Test new JSContext name APIs
1664         https://bugs.webkit.org/show_bug.cgi?id=125607
1665
1666         Reviewed by Darin Adler.
1667
1668         * API/JSContext.h:
1669         * API/JSContextRef.h:
1670         Fix whitespace issues.
1671
1672         * API/tests/testapi.c:
1673         (globalContextNameTest):
1674         (main):
1675         * API/tests/testapi.mm:
1676         Add tests for JSContext set/get name APIs.
1677
1678 2013-12-11  Filip Pizlo  <fpizlo@apple.com>
1679
1680         ARM64: Hang running pdfjs test, suspect DFG generated code for "in"
1681         https://bugs.webkit.org/show_bug.cgi?id=124727
1682         <rdar://problem/15566923>
1683
1684         Reviewed by Michael Saboff.
1685         
1686         Get rid of In's hackish use of StructureStubInfo. Previously it was using hotPathBegin,
1687         and it was the only IC that used that field, which was wasteful. Moreover, it used it
1688         to store two separate locations: the label for patching the jump and the label right
1689         after the jump. The code was relying on those two being the same label, which is true
1690         on X86 and some other platforms, but it isn't true on ARM64.
1691         
1692         This gets rid of hotPathBegin and makes In express those two locations as offsets from
1693         the callReturnLocation, which is analogous to what the other IC's do.
1694         
1695         This fixes a bug where any successful In patching would result in a trivially infinite
1696         loop - and hence a hang - on ARM64.
1697
1698         * bytecode/StructureStubInfo.h:
1699         * dfg/DFGJITCompiler.cpp:
1700         (JSC::DFG::JITCompiler::link):
1701         * dfg/DFGJITCompiler.h:
1702         (JSC::DFG::InRecord::InRecord):
1703         * dfg/DFGSpeculativeJIT.cpp:
1704         (JSC::DFG::SpeculativeJIT::compileIn):
1705         * jit/JITInlineCacheGenerator.cpp:
1706         (JSC::JITByIdGenerator::finalize):
1707         * jit/Repatch.cpp:
1708         (JSC::replaceWithJump):
1709         (JSC::patchJumpToGetByIdStub):
1710         (JSC::tryCachePutByID):
1711         (JSC::tryBuildPutByIdList):
1712         (JSC::tryRepatchIn):
1713         (JSC::resetGetByID):
1714         (JSC::resetPutByID):
1715         (JSC::resetIn):
1716
1717 2013-12-11  Joseph Pecoraro  <pecoraro@apple.com>
1718
1719         Web Inspector: Push More Inspector Required Classes Down into JavaScriptCore
1720         https://bugs.webkit.org/show_bug.cgi?id=125324
1721
1722         Reviewed by Timothy Hatcher.
1723
1724         * CMakeLists.txt:
1725         * GNUmakefile.am:
1726         * GNUmakefile.list.am:
1727         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1728         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1729         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
1730         * JavaScriptCore.vcxproj/copy-files.cmd:
1731         * JavaScriptCore.xcodeproj/project.pbxproj:
1732         * bindings/ScriptFunctionCall.cpp: Renamed from Source/WebCore/bindings/js/ScriptFunctionCall.cpp.
1733         * bindings/ScriptFunctionCall.h: Renamed from Source/WebCore/bindings/js/ScriptFunctionCall.h.
1734         * bindings/ScriptObject.cpp: Copied from Source/WebCore/inspector/WorkerConsoleAgent.cpp.
1735         * bindings/ScriptObject.h: Renamed from Source/WebCore/inspector/InspectorBaseAgent.h.
1736         * bindings/ScriptValue.cpp: Renamed from Source/WebCore/bindings/js/ScriptValue.cpp.
1737         * bindings/ScriptValue.h: Renamed from Source/WebCore/bindings/js/ScriptValue.h.
1738         * inspector/InspectorAgentBase.h: Copied from Source/WebCore/inspector/InspectorAgentRegistry.h.
1739         * inspector/InspectorAgentRegistry.cpp: Renamed from Source/WebCore/inspector/InspectorAgentRegistry.cpp.
1740         * inspector/InspectorBackendDispatcher.h: Renamed from Source/WebCore/inspector/InspectorBackendDispatcher.h.
1741         (Inspector::InspectorSupplementalBackendDispatcher::InspectorSupplementalBackendDispatcher):
1742         (Inspector::InspectorSupplementalBackendDispatcher::~InspectorSupplementalBackendDispatcher):
1743         * inspector/InspectorValues.cpp: Renamed from Source/WebCore/inspector/InspectorValues.cpp.
1744         * inspector/InspectorValues.h: Renamed from Source/WebCore/inspector/InspectorValues.h.
1745
1746 2013-12-11  Laszlo Vidacs  <lac@inf.u-szeged.hu>
1747
1748         Store SHA1 hash in std::array
1749         https://bugs.webkit.org/show_bug.cgi?id=125446
1750
1751         Reviewed by Darin Adler.
1752
1753         Change Vector to std::array and use typedef.
1754
1755         * bytecode/CodeBlockHash.cpp:
1756         (JSC::CodeBlockHash::CodeBlockHash):
1757
1758 2013-12-11  Mark Rowe  <mrowe@apple.com>
1759
1760         <https://webkit.org/b/125141> Modernize the JavaScriptCore API headers
1761         <rdar://problem/15540121>
1762
1763         This consists of three main changes:
1764         1) Converting the return type of initializer methods to instancetype.
1765         2) Declaring properties rather than getters and setters.
1766         3) Tagging C API methods with information about their memory management semantics.
1767
1768         Changing the declarations from getters and setters to properties also required
1769         updating the headerdoc in a number of places.
1770
1771         Reviewed by Anders Carlsson.
1772
1773         * API/JSContext.h:
1774         * API/JSContext.mm:
1775         * API/JSManagedValue.h:
1776         * API/JSManagedValue.mm:
1777         * API/JSStringRefCF.h:
1778         * API/JSValue.h:
1779         * API/JSVirtualMachine.h:
1780         * API/JSVirtualMachine.mm:
1781
1782 2013-12-11  Mark Rowe  <mrowe@apple.com>
1783
1784         <https://webkit.org/b/125559> Move JavaScriptCore off the legacy WebKit availability macros
1785
1786         The legacy WebKit availability macros are verbose, confusing, and provide no benefit over
1787         using the system availability macros directly. The original vision was that they'd serve
1788         a cross-platform purpose but that never came to be.
1789
1790         Map from WebKit version to OS X version based on the mapping in WebKitAvailability.h.
1791         All iOS versions are specified as 7.0 as that is when the JavaScriptCore C API was made
1792         public.
1793
1794         Part of <rdar://problem/15512304>.
1795
1796         Reviewed by Anders Carlsson.
1797
1798         * API/JSBasePrivate.h:
1799         * API/JSContextRef.h:
1800         * API/JSContextRefPrivate.h:
1801         * API/JSObjectRef.h:
1802         * API/JSValueRef.h:
1803
1804 2013-12-10  Filip Pizlo  <fpizlo@apple.com>
1805
1806         Get rid of forward exit on DoubleAsInt32
1807         https://bugs.webkit.org/show_bug.cgi?id=125552
1808
1809         Reviewed by Oliver Hunt.
1810         
1811         The forward exit was just there so that we wouldn't have to keep the inputs alive up to
1812         the DoubleAsInt32. That's dumb. Forward exits are a complicated piece of machinery and
1813         we shouldn't have it just for a bit of liveness micro-optimization.
1814         
1815         Also add a bunch of machinery to test this case on X86.
1816
1817         * assembler/AbstractMacroAssembler.h:
1818         (JSC::optimizeForARMv7s):
1819         (JSC::optimizeForARM64):
1820         (JSC::optimizeForX86):
1821         * dfg/DFGFixupPhase.cpp:
1822         (JSC::DFG::FixupPhase::fixupNode):
1823         * dfg/DFGNodeType.h:
1824         * dfg/DFGSpeculativeJIT.cpp:
1825         (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
1826         * runtime/Options.h:
1827         * tests/stress/double-as-int32.js: Added.
1828         (foo):
1829         (test):
1830
1831 2013-12-10  Filip Pizlo  <fpizlo@apple.com>
1832
1833         Simplify CSE's treatment of NodeRelevantToOSR
1834         https://bugs.webkit.org/show_bug.cgi?id=125538
1835
1836         Reviewed by Oliver Hunt.
1837         
1838         Make the NodeRelevantToOSR thing obvious: if there is any MovHint on a node then the
1839         node is relevant to OSR.
1840
1841         * dfg/DFGCSEPhase.cpp:
1842         (JSC::DFG::CSEPhase::run):
1843         (JSC::DFG::CSEPhase::performNodeCSE):
1844         (JSC::DFG::CSEPhase::performBlockCSE):
1845
1846 2013-12-10  Filip Pizlo  <fpizlo@apple.com>
1847
1848         Get rid of forward exit in GetByVal on Uint32Array
1849         https://bugs.webkit.org/show_bug.cgi?id=125543
1850
1851         Reviewed by Oliver Hunt.
1852
1853         * dfg/DFGSpeculativeJIT.cpp:
1854         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
1855         * ftl/FTLLowerDFGToLLVM.cpp:
1856         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
1857
1858 2013-12-10  Balazs Kilvady  <kilvadyb@homejinni.com>
1859
1860         [MIPS] Redundant instructions in code generated from offlineasm.
1861         https://bugs.webkit.org/show_bug.cgi?id=125528
1862
1863         Reviewed by Michael Saboff.
1864
1865         Optimize lowering of offlineasm BaseIndex Addresses.
1866
1867         * offlineasm/mips.rb:
1868
1869 2013-12-10  Oliver Hunt  <oliver@apple.com>
1870
1871         Reduce the mass templatizing of the JS parser
1872         https://bugs.webkit.org/show_bug.cgi?id=125535
1873
1874         Reviewed by Michael Saboff.
1875
1876         The various caches we have now have removed the need for many of
1877         the template vs. regular parameters.  This patch converts those
1878         template parameters to regular parameters and updates the call
1879         sites.  This reduces the code size of the parser by around 15%.
1880
1881         * parser/ASTBuilder.h:
1882         (JSC::ASTBuilder::createGetterOrSetterProperty):
1883         (JSC::ASTBuilder::createProperty):
1884         * parser/Parser.cpp:
1885         (JSC::::parseInner):
1886         (JSC::::parseSourceElements):
1887         (JSC::::parseVarDeclarationList):
1888         (JSC::::createBindingPattern):
1889         (JSC::::tryParseDeconstructionPatternExpression):
1890         (JSC::::parseDeconstructionPattern):
1891         (JSC::::parseSwitchClauses):
1892         (JSC::::parseSwitchDefaultClause):
1893         (JSC::::parseBlockStatement):
1894         (JSC::::parseFormalParameters):
1895         (JSC::::parseFunctionInfo):
1896         (JSC::::parseFunctionDeclaration):
1897         (JSC::::parseProperty):
1898         (JSC::::parseObjectLiteral):
1899         (JSC::::parseStrictObjectLiteral):
1900         (JSC::::parseMemberExpression):
1901         * parser/Parser.h:
1902         * parser/SyntaxChecker.h:
1903         (JSC::SyntaxChecker::createProperty):
1904         (JSC::SyntaxChecker::createGetterOrSetterProperty):
1905
1906 2013-12-10  Mark Hahnenberg  <mhahnenberg@apple.com>
1907
1908         ASSERT !heap.vm()->isInitializingObject() when finishing DFG compilation at beginning of GC
1909         https://bugs.webkit.org/show_bug.cgi?id=125472
1910
1911         Reviewed by Geoff Garen.
1912
1913         This patch makes it look like it's okay to allocate so that the DFG plan finalization stuff 
1914         can do what it needs to do. We already expected that we might do allocation during plan 
1915         finalization and we increased the deferral depth to handle this, but we need to fix this other 
1916         ASSERT stuff too.
1917
1918         * GNUmakefile.list.am:
1919         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1920         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1921         * JavaScriptCore.xcodeproj/project.pbxproj:
1922         * heap/Heap.cpp:
1923         (JSC::Heap::collect):
1924         * heap/Heap.h:
1925         * heap/RecursiveAllocationScope.h: Added.
1926         (JSC::RecursiveAllocationScope::RecursiveAllocationScope):
1927         (JSC::RecursiveAllocationScope::~RecursiveAllocationScope):
1928         * runtime/VM.h:
1929
1930 2013-12-09  Filip Pizlo  <fpizlo@apple.com>
1931
1932         Impose and enforce some basic rules of sanity for where Phi functions are allowed to occur and where their (optional) corresponding MovHints can be
1933         https://bugs.webkit.org/show_bug.cgi?id=125480
1934
1935         Reviewed by Geoffrey Garen.
1936         
1937         Previously, if you wanted to insert some speculation right after where a value was
1938         produced, you'd get super confused if that value was produced by a Phi node.  You can't
1939         necessarily insert speculations after a Phi node because Phi nodes appear in this
1940         special sequence of Phis and MovHints that establish the OSR exit state for a block.
1941         So, you'd probably want to search for the next place where it's safe to insert things.
1942         We already do this "search for beginning of next bytecode instruction" search by
1943         looking at the next node that has a different CodeOrigin.  But this would be hard for a
1944         Phi because those Phis and MovHints have basically random CodeOrigins and they can all
1945         have different CodeOrigins.
1946
1947         This change imposes some sanity for this situation:
1948
1949         - Phis must have unset CodeOrigins.
1950
1951         - In each basic block, all nodes that have unset CodeOrigins must come before all nodes
1952           that have set CodeOrigins.
1953
1954         This all ends up working out just great because prior to this change we didn't have a 
1955         use for unset CodeOrigins.  I think it's appropriate to make "unset CodeOrigin" mean
1956         that we're in the prologue of a basic block.
1957
1958         It's interesting what this means for block merging, which we don't yet do in SSA.
1959         Consider merging the edge A->B.  One possibility is that the block merger is now
1960         required to clean up Phi/Upsilons, and reascribe the MovHints to have the CodeOrigin of
1961         the A's block terminal.  But an answer that might be better is that the originless
1962         nodes at the top of the B are just given the origin of the terminal and we keep the
1963         Phis.  That would require changing the above rules.  We'll see how it goes, and what we
1964         end up picking...
1965
1966         Overall, this special-things-at-the-top rule is analogous to what other SSA-based
1967         compilers do.  For example, LLVM has rules mandating that Phis appear at the top of a
1968         block.
1969
1970         * bytecode/CodeOrigin.cpp:
1971         (JSC::CodeOrigin::dump):
1972         * dfg/DFGOSRExitBase.h:
1973         (JSC::DFG::OSRExitBase::OSRExitBase):
1974         * dfg/DFGSSAConversionPhase.cpp:
1975         (JSC::DFG::SSAConversionPhase::run):
1976         * dfg/DFGValidate.cpp:
1977         (JSC::DFG::Validate::validate):
1978         (JSC::DFG::Validate::validateSSA):
1979
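As an added illustration of the two prologue rules stated in the entry above (this is not JSC code; the simplified node shape `{op, origin}` with `null` standing for an unset CodeOrigin, the checker's name and the sample blocks are assumptions made here), the JavaScript checker below reports a Phi that carries a set origin and any unset-origin node that appears after a set-origin node in the same block:

```javascript
// Added illustration (not JSC code): check the block-prologue rules from the
// entry above over a constructed, simplified block representation.
// A node is { op: string, origin: number | null }; null models an unset
// CodeOrigin and marks the node as part of the block's prologue.

function validateBlockPrologue(block) {
  const errors = [];
  let seenSetOrigin = false;
  block.forEach((node, index) => {
    const hasOrigin = node.origin !== null;
    // Rule 1: Phis must have unset CodeOrigins.
    if (node.op === "Phi" && hasOrigin) {
      errors.push(`node ${index}: Phi must have an unset CodeOrigin`);
    }
    // Rule 2: every unset-origin node precedes every set-origin node.
    if (hasOrigin) {
      seenSetOrigin = true;
    } else if (seenSetOrigin) {
      errors.push(`node ${index}: ${node.op} has an unset CodeOrigin but follows a node with a set one`);
    }
  });
  return errors;
}

// Constructed sample blocks (assumptions, not from the page).
// Prologue (Phis and their MovHints, all originless) followed by ordinary nodes.
const goodBlock = [
  { op: "Phi", origin: null },
  { op: "Phi", origin: null },
  { op: "MovHint", origin: null },
  { op: "ArithAdd", origin: 3 },
  { op: "Jump", origin: 3 },
];

// Violates both rules: a Phi with a set origin, and an originless node after
// a node whose origin is set.
const badBlock = [
  { op: "Phi", origin: 0 },
  { op: "ArithAdd", origin: 0 },
  { op: "Phi", origin: null },
];
```

With this ordering in place, "first node whose CodeOrigin is set" is a well-defined insertion point after the prologue, which is what the entry's speculation-insertion search needs.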
1980 2013-12-08  Filip Pizlo  <fpizlo@apple.com>
1981
1982         Reveal array bounds checks in DFG IR
1983         https://bugs.webkit.org/show_bug.cgi?id=125253
1984
1985         Reviewed by Oliver Hunt and Mark Hahnenberg.
1986         
1987         In SSA mode, this reveals array bounds checks and the load of array length in DFG IR,
1988         making this a candidate for LICM.
1989
1990         This also fixes a long-standing performance bug where the JSObject slow paths would
1991         always create contiguous storage, rather than type-specialized storage, when doing a
1992         "storage creating" storage, like:
1993         
1994             var o = {};
1995             o[0] = 42;
1996
1997         * CMakeLists.txt:
1998         * GNUmakefile.list.am:
1999         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2000         * JavaScriptCore.xcodeproj/project.pbxproj:
2001         * bytecode/ExitKind.cpp:
2002         (JSC::exitKindToString):
2003         (JSC::exitKindIsCountable):
2004         * bytecode/ExitKind.h:
2005         * dfg/DFGAbstractInterpreterInlines.h:
2006         (JSC::DFG::::executeEffects):
2007         * dfg/DFGArrayMode.cpp:
2008         (JSC::DFG::permitsBoundsCheckLowering):
2009         (JSC::DFG::ArrayMode::permitsBoundsCheckLowering):
2010         * dfg/DFGArrayMode.h:
2011         (JSC::DFG::ArrayMode::lengthNeedsStorage):
2012         * dfg/DFGClobberize.h:
2013         (JSC::DFG::clobberize):
2014         * dfg/DFGConstantFoldingPhase.cpp:
2015         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2016         * dfg/DFGFixupPhase.cpp:
2017         (JSC::DFG::FixupPhase::fixupNode):
2018         * dfg/DFGNodeType.h:
2019         * dfg/DFGPlan.cpp:
2020         (JSC::DFG::Plan::compileInThreadImpl):
2021         * dfg/DFGPredictionPropagationPhase.cpp:
2022         (JSC::DFG::PredictionPropagationPhase::propagate):
2023         * dfg/DFGSSALoweringPhase.cpp: Added.
2024         (JSC::DFG::SSALoweringPhase::SSALoweringPhase):
2025         (JSC::DFG::SSALoweringPhase::run):
2026         (JSC::DFG::SSALoweringPhase::handleNode):
2027         (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
2028         (JSC::DFG::performSSALowering):
2029         * dfg/DFGSSALoweringPhase.h: Added.
2030         * dfg/DFGSafeToExecute.h:
2031         (JSC::DFG::safeToExecute):
2032         * dfg/DFGSpeculativeJIT.cpp:
2033         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
2034         * dfg/DFGSpeculativeJIT32_64.cpp:
2035         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
2036         (JSC::DFG::SpeculativeJIT::compile):
2037         * dfg/DFGSpeculativeJIT64.cpp:
2038         (JSC::DFG::SpeculativeJIT::compile):
2039         * ftl/FTLCapabilities.cpp:
2040         (JSC::FTL::canCompile):
2041         * ftl/FTLLowerDFGToLLVM.cpp:
2042         (JSC::FTL::LowerDFGToLLVM::compileNode):
2043         (JSC::FTL::LowerDFGToLLVM::compileCheckInBounds):
2044         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2045         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2046         (JSC::FTL::LowerDFGToLLVM::contiguousPutByValOutOfBounds):
2047         * runtime/JSObject.cpp:
2048         (JSC::JSObject::convertUndecidedForValue):
2049         (JSC::JSObject::createInitialForValueAndSet):
2050         (JSC::JSObject::putByIndexBeyondVectorLength):
2051         (JSC::JSObject::putDirectIndexBeyondVectorLength):
2052         * runtime/JSObject.h:
2053         * tests/stress/float32array-out-of-bounds.js: Added.
2054         (make):
2055         (foo):
2056         (test):
2057         * tests/stress/int32-object-out-of-bounds.js: Added.
2058         (make):
2059         (foo):
2060         (test):
2061         * tests/stress/int32-out-of-bounds.js: Added.
2062         (foo):
2063         (test):
2064
2065 2013-12-09  Sam Weinig  <sam@webkit.org>
2066
2067         Replace use of WTF::FixedArray with std::array
2068         https://bugs.webkit.org/show_bug.cgi?id=125475
2069
2070         Reviewed by Anders Carlsson.
2071
2072         * bytecode/CodeBlockHash.cpp:
2073         (JSC::CodeBlockHash::dump):
2074         * bytecode/Opcode.cpp:
2075         (JSC::OpcodeStats::~OpcodeStats):
2076         * dfg/DFGCSEPhase.cpp:
2077         * ftl/FTLAbstractHeap.h:
2078         * heap/MarkedSpace.h:
2079         * parser/ParserArena.h:
2080         * runtime/CodeCache.h:
2081         * runtime/DateInstanceCache.h:
2082         * runtime/JSGlobalObject.cpp:
2083         (JSC::JSGlobalObject::reset):
2084         * runtime/JSGlobalObject.h:
2085         * runtime/JSString.h:
2086         * runtime/LiteralParser.h:
2087         * runtime/NumericStrings.h:
2088         * runtime/RegExpCache.h:
2089         * runtime/SmallStrings.h:
2090
2091 2013-12-09  Joseph Pecoraro  <pecoraro@apple.com>
2092
2093         Remove miscellaneous unnecessary build statements
2094         https://bugs.webkit.org/show_bug.cgi?id=125466
2095
2096         Reviewed by Darin Adler.
2097
2098         * DerivedSources.make:
2099         * JavaScriptCore.vcxproj/build-generated-files.sh:
2100         * JavaScriptCore.xcodeproj/project.pbxproj:
2101         * make-generated-sources.sh:
2102
2103 2013-12-08  Filip Pizlo  <fpizlo@apple.com>
2104
2105         CSE should work in SSA
2106         https://bugs.webkit.org/show_bug.cgi?id=125430
2107
2108         Reviewed by Oliver Hunt and Mark Hahnenberg.
2109
2110         * dfg/DFGCSEPhase.cpp:
2111         (JSC::DFG::CSEPhase::run):
2112         (JSC::DFG::CSEPhase::performNodeCSE):
2113         * dfg/DFGPlan.cpp:
2114         (JSC::DFG::Plan::compileInThreadImpl):
2115
2116 2013-12-09  Joseph Pecoraro  <pecoraro@apple.com>
2117
2118         Remove docs/make-bytecode-docs.pl
2119         https://bugs.webkit.org/show_bug.cgi?id=125462
2120
2121         This script is very old and no longer outputs useful data since the
2122         op code definitions have moved from Interpreter.cpp.
2123
2124         Reviewed by Darin Adler.
2125
2126         * DerivedSources.make:
2127         * docs/make-bytecode-docs.pl: Removed.
2128
2129 2013-12-09  Julien Brianceau  <jbriance@cisco.com>
2130
2131         Fix sh4 LLINT build.
2132         https://bugs.webkit.org/show_bug.cgi?id=125454
2133
2134         Reviewed by Michael Saboff.
2135
2136         In LLINT, sh4 backend implementation didn't handle properly conditional jumps using
2137         a LabelReference instance. This patch fixes it through sh4LowerMisplacedLabels phase.
2138         Also, to avoid the need for a 4th temporary gpr, this phase is triggered later in
2139         getModifiedListSH4.
2140
2141         * offlineasm/sh4.rb:
2142
2143 2013-12-08  Filip Pizlo  <fpizlo@apple.com>
2144
2145         Add the notion of ConstantStoragePointer to DFG IR
2146         https://bugs.webkit.org/show_bug.cgi?id=125395
2147
2148         Reviewed by Oliver Hunt.
2149         
2150         This pushes more typed array folding into StrengthReductionPhase, and enables CSE on
2151         storage pointers. Previously, you might have separate nodes for the same storage
2152         pointer and this would cause some bad register pressure in the DFG. Note that this
2153         was really a theoretical problem and not, to my knowledge, a practical one - so this
2154         patch is basically just a clean-up.
2155
2156         * dfg/DFGAbstractInterpreterInlines.h:
2157         (JSC::DFG::::executeEffects):
2158         * dfg/DFGCSEPhase.cpp:
2159         (JSC::DFG::CSEPhase::constantStoragePointerCSE):
2160         (JSC::DFG::CSEPhase::performNodeCSE):
2161         * dfg/DFGClobberize.h:
2162         (JSC::DFG::clobberize):
2163         * dfg/DFGFixupPhase.cpp:
2164         (JSC::DFG::FixupPhase::fixupNode):
2165         * dfg/DFGGraph.cpp:
2166         (JSC::DFG::Graph::dump):
2167         * dfg/DFGNode.h:
2168         (JSC::DFG::Node::convertToConstantStoragePointer):
2169         (JSC::DFG::Node::hasStoragePointer):
2170         (JSC::DFG::Node::storagePointer):
2171         * dfg/DFGNodeType.h:
2172         * dfg/DFGPredictionPropagationPhase.cpp:
2173         (JSC::DFG::PredictionPropagationPhase::propagate):
2174         * dfg/DFGSafeToExecute.h:
2175         (JSC::DFG::safeToExecute):
2176         * dfg/DFGSpeculativeJIT.cpp:
2177         (JSC::DFG::SpeculativeJIT::compileConstantStoragePointer):
2178         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
2179         * dfg/DFGSpeculativeJIT.h:
2180         * dfg/DFGSpeculativeJIT32_64.cpp:
2181         (JSC::DFG::SpeculativeJIT::compile):
2182         * dfg/DFGSpeculativeJIT64.cpp:
2183         (JSC::DFG::SpeculativeJIT::compile):
2184         * dfg/DFGStrengthReductionPhase.cpp:
2185         (JSC::DFG::StrengthReductionPhase::handleNode):
2186         (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant):
2187         (JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray):
2188         * dfg/DFGWatchpointCollectionPhase.cpp:
2189         (JSC::DFG::WatchpointCollectionPhase::handle):
2190         * ftl/FTLLowerDFGToLLVM.cpp:
2191         (JSC::FTL::LowerDFGToLLVM::compileNode):
2192         (JSC::FTL::LowerDFGToLLVM::compileConstantStoragePointer):
2193         (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
2194
2195 2013-12-08  Filip Pizlo  <fpizlo@apple.com>
2196
2197         FTL should support UntypedUse versions of Compare nodes
2198         https://bugs.webkit.org/show_bug.cgi?id=125426
2199
2200         Reviewed by Oliver Hunt.
2201         
2202         This adds UntypedUse versions of all comparisons except CompareStrictEq, which is
2203         sufficiently different that I thought I'd do it in another patch.
2204         
2205         This also extends our ability to abstract over comparison kind and removes a bunch of
2206         copy-paste code.
2207
2208         * dfg/DFGSpeculativeJIT64.cpp:
2209         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
2210         * ftl/FTLCapabilities.cpp:
2211         (JSC::FTL::canCompile):
2212         * ftl/FTLIntrinsicRepository.h:
2213         * ftl/FTLLowerDFGToLLVM.cpp:
2214         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
2215         (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
2216         (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
2217         (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
2218         (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
2219         (JSC::FTL::LowerDFGToLLVM::compare):
2220         (JSC::FTL::LowerDFGToLLVM::nonSpeculativeCompare):
2221         * ftl/FTLOutput.h:
2222         (JSC::FTL::Output::icmp):
2223         (JSC::FTL::Output::equal):
2224         (JSC::FTL::Output::notEqual):
2225         (JSC::FTL::Output::above):
2226         (JSC::FTL::Output::aboveOrEqual):
2227         (JSC::FTL::Output::below):
2228         (JSC::FTL::Output::belowOrEqual):
2229         (JSC::FTL::Output::greaterThan):
2230         (JSC::FTL::Output::greaterThanOrEqual):
2231         (JSC::FTL::Output::lessThan):
2232         (JSC::FTL::Output::lessThanOrEqual):
2233         (JSC::FTL::Output::fcmp):
2234         (JSC::FTL::Output::doubleEqual):
2235         (JSC::FTL::Output::doubleNotEqualOrUnordered):
2236         (JSC::FTL::Output::doubleLessThan):
2237         (JSC::FTL::Output::doubleLessThanOrEqual):
2238         (JSC::FTL::Output::doubleGreaterThan):
2239         (JSC::FTL::Output::doubleGreaterThanOrEqual):
2240         (JSC::FTL::Output::doubleEqualOrUnordered):
2241         (JSC::FTL::Output::doubleNotEqual):
2242         (JSC::FTL::Output::doubleLessThanOrUnordered):
2243         (JSC::FTL::Output::doubleLessThanOrEqualOrUnordered):
2244         (JSC::FTL::Output::doubleGreaterThanOrUnordered):
2245         (JSC::FTL::Output::doubleGreaterThanOrEqualOrUnordered):
2246         * tests/stress/untyped-equality.js: Added.
2247         (foo):
2248         * tests/stress/untyped-less-than.js: Added.
2249         (foo):
2250
2251 2013-12-07  Filip Pizlo  <fpizlo@apple.com>
2252
2253         Fold typedArray.length if typedArray is constant
2254         https://bugs.webkit.org/show_bug.cgi?id=125252
2255
2256         Reviewed by Sam Weinig.
2257         
2258         This was meant to be easy. The problem is that there was no good place for putting
2259         the folding of typedArray.length to a constant. You can't quite do it in the
2260         bytecode parser because at that point you don't yet know if typedArray is really
2261         a typed array. You can't do it as part of constant folding because the folder
2262         assumes that it can opportunistically forward-flow a constant value without changing
2263         the IR; this doesn't work since we need to first change the IR to register a
2264         desired watchpoint and only after that can we introduce that constant. We could have
2265         done it in Fixup but that would have been awkward since Fixup's code for turning a
2266         GetById of "length" into GetArrayLength is already somewhat complex. We could have
2267         done it in CSE but CSE is already fairly gnarly and will probably get rewritten.
2268         
2269         So I introduced a new phase, called StrengthReduction. This phase should have any
2270         transformations that don't require CFA or CSE and that it would be weird to put into
2271         those other phases.
2272         
2273         I also took the opportunity to refactor some of the other folding code.
2274         
2275         This also adds a test, but the test couldn't quite be a LayoutTests/js/regress so I
2276         introduced the notion of JavaScriptCore/tests/stress.
2277         
2278         The goal of this patch isn't really to improve performance or anything like that.
2279         It adds an optimization for completeness, and in doing so it unlocks a bunch of new
2280         possibilities. The one that I'm most excited about is revealing array length checks
2281         in DFG IR, which will allow for array bounds check hoisting and elimination.
2282
2283         * CMakeLists.txt:
2284         * GNUmakefile.list.am:
2285         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2286         * JavaScriptCore.xcodeproj/project.pbxproj:
2287         * dfg/DFGAbstractInterpreterInlines.h:
2288         (JSC::DFG::::executeEffects):
2289         * dfg/DFGClobberize.h:
2290         (JSC::DFG::clobberize):
2291         * dfg/DFGFixupPhase.cpp:
2292         (JSC::DFG::FixupPhase::fixupNode):
2293         * dfg/DFGGraph.cpp:
2294         (JSC::DFG::Graph::tryGetFoldableView):
2295         (JSC::DFG::Graph::tryGetFoldableViewForChild1):
2296         * dfg/DFGGraph.h:
2297         * dfg/DFGNode.h:
2298         (JSC::DFG::Node::hasTypedArray):
2299         (JSC::DFG::Node::typedArray):
2300         * dfg/DFGNodeType.h:
2301         * dfg/DFGPlan.cpp:
2302         (JSC::DFG::Plan::compileInThreadImpl):
2303         * dfg/DFGPredictionPropagationPhase.cpp:
2304         (JSC::DFG::PredictionPropagationPhase::propagate):
2305         * dfg/DFGSafeToExecute.h:
2306         (JSC::DFG::safeToExecute):
2307         * dfg/DFGSpeculativeJIT.cpp:
2308         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
2309         (JSC::DFG::SpeculativeJIT::compileConstantIndexedPropertyStorage):
2310         * dfg/DFGSpeculativeJIT32_64.cpp:
2311         (JSC::DFG::SpeculativeJIT::compile):
2312         * dfg/DFGSpeculativeJIT64.cpp:
2313         (JSC::DFG::SpeculativeJIT::compile):
2314         * dfg/DFGStrengthReductionPhase.cpp: Added.
2315         (JSC::DFG::StrengthReductionPhase::StrengthReductionPhase):
2316         (JSC::DFG::StrengthReductionPhase::run):
2317         (JSC::DFG::StrengthReductionPhase::handleNode):
2318         (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant):
2319         (JSC::DFG::performStrengthReduction):
2320         * dfg/DFGStrengthReductionPhase.h: Added.
2321         * dfg/DFGWatchpointCollectionPhase.cpp:
2322         (JSC::DFG::WatchpointCollectionPhase::handle):
2323         * ftl/FTLCapabilities.cpp:
2324         (JSC::FTL::canCompile):
2325         * ftl/FTLLowerDFGToLLVM.cpp:
2326         (JSC::FTL::LowerDFGToLLVM::compileNode):
2327         (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
2328         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2329         (JSC::FTL::LowerDFGToLLVM::typedArrayLength):
2330         * jsc.cpp:
2331         (GlobalObject::finishCreation):
2332         (functionTransferArrayBuffer):
2333         * runtime/ArrayBufferView.h:
2334         * tests/stress: Added.
2335         * tests/stress/fold-typed-array-properties.js: Added.
2336         (foo):
2337
2338 2013-12-07  peavo@outlook.com  <peavo@outlook.com>
2339
2340         [Win][64-bit] Hitting breakpoint assembler instruction in callToJavaScript.
2341         https://bugs.webkit.org/show_bug.cgi?id=125382
2342
2343         Reviewed by Michael Saboff.
2344
2345         The WinCairo results from run-javascriptcore-tests are the same as the WinCairo 32-bit results, when removing these breakpoints.
2346
2347         * jit/JITStubsMSVC64.asm: Remove breakpoint instructions.
2348
2349 2013-12-06  Filip Pizlo  <fpizlo@apple.com>
2350
2351         FTL should support all of Branch/LogicalNot
2352         https://bugs.webkit.org/show_bug.cgi?id=125370
2353
2354         Reviewed by Mark Hahnenberg.
2355
2356         * ftl/FTLCapabilities.cpp:
2357         (JSC::FTL::canCompile):
2358         * ftl/FTLIntrinsicRepository.h:
2359         * ftl/FTLLowerDFGToLLVM.cpp:
2360         (JSC::FTL::LowerDFGToLLVM::boolify):
2361
2362 2013-12-06  Roger Fong <roger_fong@apple.com> and Brent Fulgham  <bfulgham@apple.com>
2363
2364         [Win] Support compiling with VS2013
2365         https://bugs.webkit.org/show_bug.cgi?id=125353
2366
2367         Reviewed by Anders Carlsson.
2368
2369         * API/tests/testapi.c: Use C99 defines if available.
2370         * jit/JITOperations.cpp: Don't attempt to define C linkage when
2371         returning a C++ object.
2372
2373 2013-12-06  Filip Pizlo  <fpizlo@apple.com>
2374
2375         FTL should support generic ByVal accesses
2376         https://bugs.webkit.org/show_bug.cgi?id=125368
2377
2378         Reviewed by Mark Hahnenberg.
2379
2380         * dfg/DFGGraph.h:
2381         (JSC::DFG::Graph::isStrictModeFor):
2382         (JSC::DFG::Graph::ecmaModeFor):
2383         * ftl/FTLCapabilities.cpp:
2384         (JSC::FTL::canCompile):
2385         * ftl/FTLIntrinsicRepository.h:
2386         * ftl/FTLLowerDFGToLLVM.cpp:
2387         (JSC::FTL::LowerDFGToLLVM::compileNode):
2388         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2389         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2390
2391 2013-12-06  Filip Pizlo  <fpizlo@apple.com>
2392
2393         FTL should support hole/OOB array accesses
2394         https://bugs.webkit.org/show_bug.cgi?id=118077
2395
2396         Reviewed by Oliver Hunt and Mark Hahnenberg.
2397
2398         * ftl/FTLCapabilities.cpp:
2399         (JSC::FTL::canCompile):
2400         * ftl/FTLIntrinsicRepository.h:
2401         * ftl/FTLLowerDFGToLLVM.cpp:
2402         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2403         (JSC::FTL::LowerDFGToLLVM::baseIndex):
2404
2405 2013-12-06  Michael Saboff  <msaboff@apple.com>
2406
2407         Split sizing of VarArgs frames from loading arguments for the frame
2408         https://bugs.webkit.org/show_bug.cgi?id=125331
2409
2410         Reviewed by Filip Pizlo.
2411
2412         Split loadVarargs into sizeAndAllocFrameForVarargs() and loadVarargs() in
2413         preparation for moving onto the C stack.  sizeAndAllocFrameForVarargs() will
2414         compute the size of the callee frame and allocate it, while loadVarargs()
2415         actually loads the argument values.
2416
2417         As part of moving onto the C stack, sizeAndAllocFrameForVarargs() will be
2418         changed to a function that just computes the size.  The caller will use that
2419         size to allocate the new frame on the stack before calling loadVarargs() and
2420         actually making the call.
2421
2422         * interpreter/Interpreter.cpp:
2423         (JSC::sizeAndAllocFrameForVarargs):
2424         (JSC::loadVarargs):
2425         * interpreter/Interpreter.h:
2426         * jit/JIT.h:
2427         * jit/JITCall.cpp:
2428         (JSC::JIT::compileLoadVarargs):
2429         * jit/JITCall32_64.cpp:
2430         (JSC::JIT::compileLoadVarargs):
2431         * jit/JITInlines.h:
2432         (JSC::JIT::callOperation):
2433         * jit/JITOperations.cpp:
2434         * jit/JITOperations.h:
2435         * llint/LLIntSlowPaths.cpp:
2436         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2437         * llint/LLIntSlowPaths.h:
2438         * llint/LowLevelInterpreter.asm:
2439         * llint/LowLevelInterpreter32_64.asm:
2440         * llint/LowLevelInterpreter64.asm:
2441         * runtime/VM.h:
2442
2443 2013-12-06  Filip Pizlo  <fpizlo@apple.com>
2444
2445         FTL should support all of ValueToInt32
2446         https://bugs.webkit.org/show_bug.cgi?id=125283
2447
2448         Reviewed by Mark Hahnenberg.
2449
2450         * ftl/FTLCapabilities.cpp:
2451         (JSC::FTL::canCompile):
2452         * ftl/FTLLowerDFGToLLVM.cpp:
2453         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
2454         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2455         (JSC::FTL::LowerDFGToLLVM::lowCell):
2456         (JSC::FTL::LowerDFGToLLVM::isCell):
2457
2458 2013-12-06  Filip Pizlo  <fpizlo@apple.com>
2459
2460         FTL shouldn't have a doubleToUInt32 path
2461         https://bugs.webkit.org/show_bug.cgi?id=125360
2462
2463         Reviewed by Mark Hahnenberg.
2464         
2465         This code existed because I incorrectly thought it was necessary. It's now basically
2466         dead.
2467
2468         * ftl/FTLLowerDFGToLLVM.cpp:
2469         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2470
2471 2013-12-06  Laszlo Vidacs  <lac@inf.u-szeged.hu>
2472
2473         Define SHA1 hash size in SHA1.h and use it at various places.
2474         https://bugs.webkit.org/show_bug.cgi?id=125345
2475
2476         Reviewed by Darin Adler.
2477
2478         Use SHA1::hashSize instead of local variables.
2479
2480         * bytecode/CodeBlockHash.cpp:
2481         (JSC::CodeBlockHash::CodeBlockHash): use SHA1::hashSize
2482
2483 2013-12-05  Michael Saboff  <msaboff@apple.com>
2484
2485         REGRESSION(r160213): Crash in js/dom/JSON-parse.html
2486         https://bugs.webkit.org/show_bug.cgi?id=125335
2487
2488         Reviewed by Mark Lam.
2489
2490         Changed _llint_op_catch to materialize the VM via the scope chain instead of 
2491         the CodeBlock.  CallFrames always have a scope chain, but may have a null CodeBlock.
2492
2493         * llint/LowLevelInterpreter32_64.asm:
2494         (_llint_op_catch):
2495         * llint/LowLevelInterpreter64.asm:
2496         (_llint_op_catch):
2497
2498 2013-12-05  Michael Saboff  <msaboff@apple.com>
2499
2500         JSC: Simplify interface between throw and catch handler
2501         https://bugs.webkit.org/show_bug.cgi?id=125328
2502
2503         Reviewed by Geoffrey Garen.
2504
2505         Simplified the throw - catch interface.  The throw side is only responsible for
2506         jumping to the appropriate op_catch handler or returnFromJavaScript for uncaught
2507         exceptions.  The handler uses the exception values like VM.callFrameForThrow
2508         as appropriate and no longer relies on the throw side putting anything in
2509         registers.
2510
2511         * jit/CCallHelpers.h:
2512         (JSC::CCallHelpers::jumpToExceptionHandler):
2513         * jit/JITOpcodes.cpp:
2514         (JSC::JIT::emit_op_catch):
2515         * jit/JITOpcodes32_64.cpp:
2516         (JSC::JIT::emit_op_catch):
2517         * llint/LowLevelInterpreter32_64.asm:
2518         (_llint_op_catch):
2519         (_llint_throw_from_slow_path_trampoline):
2520         * llint/LowLevelInterpreter64.asm:
2521         (_llint_op_catch):
2522         (_llint_throw_from_slow_path_trampoline):
2523
2524 2013-12-04  Oliver Hunt  <oliver@apple.com>
2525
2526         Refactor static getter function prototype to include thisValue in addition to the base object
2527         https://bugs.webkit.org/show_bug.cgi?id=124461
2528
2529         Reviewed by Geoffrey Garen.
2530
2531         Add thisValue parameter to static getter prototype, and switch
2532         from JSValue to EncodedJSValue for parameters and return value.
2533
2534         Currently none of the static getters use the thisValue, but
2535         separating out the refactoring will prevent future changes
2536         from getting lost in the noise of refactoring.  This means
2537         that this patch does not result in any change in behaviour.
2538
2539         * API/JSCallbackObject.h:
2540         * API/JSCallbackObjectFunctions.h:
2541         (JSC::::asCallbackObject):
2542         (JSC::::staticFunctionGetter):
2543         (JSC::::callbackGetter):
2544         * jit/JITOperations.cpp:
2545         * runtime/JSActivation.cpp:
2546         (JSC::JSActivation::argumentsGetter):
2547         * runtime/JSActivation.h:
2548         * runtime/JSFunction.cpp:
2549         (JSC::JSFunction::argumentsGetter):
2550         (JSC::JSFunction::callerGetter):
2551         (JSC::JSFunction::lengthGetter):
2552         (JSC::JSFunction::nameGetter):
2553         * runtime/JSFunction.h:
2554         * runtime/JSObject.h:
2555         (JSC::PropertySlot::getValue):
2556         * runtime/NumberConstructor.cpp:
2557         (JSC::numberConstructorNaNValue):
2558         (JSC::numberConstructorNegInfinity):
2559         (JSC::numberConstructorPosInfinity):
2560         (JSC::numberConstructorMaxValue):
2561         (JSC::numberConstructorMinValue):
2562         * runtime/PropertySlot.h:
2563         * runtime/RegExpConstructor.cpp:
2564         (JSC::asRegExpConstructor):
2565         (JSC::regExpConstructorDollar1):
2566         (JSC::regExpConstructorDollar2):
2567         (JSC::regExpConstructorDollar3):
2568         (JSC::regExpConstructorDollar4):
2569         (JSC::regExpConstructorDollar5):
2570         (JSC::regExpConstructorDollar6):
2571         (JSC::regExpConstructorDollar7):
2572         (JSC::regExpConstructorDollar8):
2573         (JSC::regExpConstructorDollar9):
2574         (JSC::regExpConstructorInput):
2575         (JSC::regExpConstructorMultiline):
2576         (JSC::regExpConstructorLastMatch):
2577         (JSC::regExpConstructorLastParen):
2578         (JSC::regExpConstructorLeftContext):
2579         (JSC::regExpConstructorRightContext):
2580         * runtime/RegExpObject.cpp:
2581         (JSC::asRegExpObject):
2582         (JSC::regExpObjectGlobal):
2583         (JSC::regExpObjectIgnoreCase):
2584         (JSC::regExpObjectMultiline):
2585         (JSC::regExpObjectSource):
2586
2587 2013-12-04  Filip Pizlo  <fpizlo@apple.com>
2588
2589         FTL should use cvttsd2si directly for double-to-int32 conversions
2590         https://bugs.webkit.org/show_bug.cgi?id=125275
2591
2592         Reviewed by Michael Saboff.
2593         
2594         Wow. This was an ordeal. Using cvttsd2si was actually easy, but I learned, and
2595         sometimes even fixed, some interesting things:
2596         
2597         - The llvm.x86.sse2.cvttsd2si intrinsic can actually result in LLVM emitting a
2598           vcvttsd2si. I guess the intrinsic doesn't actually imply the instruction.
2599         
2600         - That whole thing about branchTruncateDoubleToUint32? Yeah we don't need that. It's
2601           better to use branchTruncateDoubleToInt32 instead. It has the right semantics for
2602           all of its callers (err, its one-and-only caller), and it's more likely to take
2603           the fast path. This patch kills branchTruncateDoubleToUint32.
2604         
2605         - "a[i] = v; v = a[i]". Does this change v? OK, assume that 'a[i]' is a pure-ish
2606           operation - like an array access with 'i' being an integer index and we're not
2607           having a bad time. Now does this change v? CSE assumes that it doesn't. That's
2608           wrong. If 'a' is a typed array - the most sensible and pure kind of array - then
2609           this can be a truncating cast. For example 'v' could be a double and 'a' could be
2610           an integer array.
2611         
2612         - "v1 = a[i]; v2 = a[i]". Is v1 === v2 assuming that 'a[i]' is pure-ish? The answer
2613           is no. You could have a different arrayMode in each access. I know this sounds
2614           weird, but with concurrent JIT that might happen.
2615         
2616         This patch adds tests for all of this stuff, except for the first issue (it's weird
2617         but probably doesn't matter) and the last issue (it's too much of a freakshow).
2618
2619         * assembler/MacroAssemblerARM64.h:
2620         * assembler/MacroAssemblerARMv7.h:
2621         * assembler/MacroAssemblerX86Common.h:
2622         * dfg/DFGCSEPhase.cpp:
2623         (JSC::DFG::CSEPhase::getByValLoadElimination):
2624         (JSC::DFG::CSEPhase::performNodeCSE):
2625         * dfg/DFGSpeculativeJIT.cpp:
2626         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
2627         * ftl/FTLAbbreviations.h:
2628         (JSC::FTL::vectorType):
2629         (JSC::FTL::getUndef):
2630         (JSC::FTL::buildInsertElement):
2631         * ftl/FTLIntrinsicRepository.h:
2632         * ftl/FTLLowerDFGToLLVM.cpp:
2633         (JSC::FTL::LowerDFGToLLVM::doubleToInt32):
2634         (JSC::FTL::LowerDFGToLLVM::doubleToUInt32):
2635         (JSC::FTL::LowerDFGToLLVM::sensibleDoubleToInt32):
2636         * ftl/FTLOutput.h:
2637         (JSC::FTL::Output::insertElement):
2638         (JSC::FTL::Output::hasSensibleDoubleToInt):
2639         (JSC::FTL::Output::sensibleDoubleToInt):
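
        An added example, not WebKit's code, of the third point above (the "a[i] = v; v = a[i]" case):
        it stores a value into each standard typed-array kind and reads it back, listing the element
        kinds for which the store is a converting write, i.e. where forwarding v across the store would
        be wrong. The names storeThenLoad, storeIsLossless and lossyKindsFor are chosen for this example.

```javascript
// Added example, not part of WebKit: the "a[i] = v; v = a[i]" case from the
// ChangeLog entry above. A typed-array store is a converting write, so the
// load that follows it need not observe the value that was stored. A CSE pass
// that forwards v across the store without looking at the element type would
// therefore compute the wrong value. The names storeThenLoad, storeIsLossless
// and lossyKindsFor are chosen for this example.

const TYPED_ARRAY_KINDS = [
  Int8Array, Uint8Array, Uint8ClampedArray,
  Int16Array, Uint16Array, Int32Array, Uint32Array,
  Float32Array, Float64Array,
];

// Store `value` into element 0 of a fresh array of the given kind and read it
// back: exactly the "a[i] = v; v = a[i]" sequence.
function storeThenLoad(TypedArrayCtor, value) {
  const a = new TypedArrayCtor(1);
  const i = 0;
  a[i] = value;   // converting store (ToInt32 wrap, clamping, float32 rounding, ...)
  return a[i];    // what the subsequent load observes
}

// True when the store/load pair preserves v. Object.is is used so that
// NaN and -0 are compared correctly.
function storeIsLossless(TypedArrayCtor, value) {
  return Object.is(storeThenLoad(TypedArrayCtor, value), value);
}

// Names of the element kinds for which forwarding v across the store
// would be wrong for this particular value.
function lossyKindsFor(value) {
  return TYPED_ARRAY_KINDS
    .filter((Ctor) => !storeIsLossless(Ctor, value))
    .map((Ctor) => Ctor.name);
}

// Constructed sample values: a non-integer double, an out-of-range integer,
// a negative number and a plain small integer (which every kind preserves).
for (const v of [1.5, 300, -1, 42]) {
  console.log(`v = ${v}: lossy for ${JSON.stringify(lossyKindsFor(v))}`);
  for (const Ctor of TYPED_ARRAY_KINDS) {
    if (!storeIsLossless(Ctor, v))
      console.log(`  ${Ctor.name}: stored ${v}, loaded ${storeThenLoad(Ctor, v)}`);
  }
}
```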
2640
2641 2013-12-05  Commit Queue  <commit-queue@webkit.org>
2642
2643         Unreviewed, rolling out r160133.
2644         http://trac.webkit.org/changeset/160133
2645         https://bugs.webkit.org/show_bug.cgi?id=125325
2646
2647         broke bindings tests on all the bots (Requested by thorton on
2648         #webkit).
2649
2650         * API/JSCallbackObject.h:
2651         * API/JSCallbackObjectFunctions.h:
2652         (JSC::::staticFunctionGetter):
2653         (JSC::::callbackGetter):
2654         * jit/JITOperations.cpp:
2655         * runtime/JSActivation.cpp:
2656         (JSC::JSActivation::argumentsGetter):
2657         * runtime/JSActivation.h:
2658         * runtime/JSFunction.cpp:
2659         (JSC::JSFunction::argumentsGetter):
2660         (JSC::JSFunction::callerGetter):
2661         (JSC::JSFunction::lengthGetter):
2662         (JSC::JSFunction::nameGetter):
2663         * runtime/JSFunction.h:
2664         * runtime/JSObject.h:
2665         (JSC::PropertySlot::getValue):
2666         * runtime/NumberConstructor.cpp:
2667         (JSC::numberConstructorNaNValue):
2668         (JSC::numberConstructorNegInfinity):
2669         (JSC::numberConstructorPosInfinity):
2670         (JSC::numberConstructorMaxValue):
2671         (JSC::numberConstructorMinValue):
2672         * runtime/PropertySlot.h:
2673         * runtime/RegExpConstructor.cpp:
2674         (JSC::regExpConstructorDollar1):
2675         (JSC::regExpConstructorDollar2):
2676         (JSC::regExpConstructorDollar3):
2677         (JSC::regExpConstructorDollar4):
2678         (JSC::regExpConstructorDollar5):
2679         (JSC::regExpConstructorDollar6):
2680         (JSC::regExpConstructorDollar7):
2681         (JSC::regExpConstructorDollar8):
2682         (JSC::regExpConstructorDollar9):
2683         (JSC::regExpConstructorInput):
2684         (JSC::regExpConstructorMultiline):
2685         (JSC::regExpConstructorLastMatch):
2686         (JSC::regExpConstructorLastParen):
2687         (JSC::regExpConstructorLeftContext):
2688         (JSC::regExpConstructorRightContext):
2689         * runtime/RegExpObject.cpp:
2690         (JSC::regExpObjectGlobal):
2691         (JSC::regExpObjectIgnoreCase):
2692         (JSC::regExpObjectMultiline):
2693         (JSC::regExpObjectSource):
2694
2695 2013-12-05  Mark Lam  <mark.lam@apple.com>
2696
2697         Make the C Loop LLINT work with callToJavaScript.
2698         https://bugs.webkit.org/show_bug.cgi?id=125294
2699
2700         Reviewed by Michael Saboff.
2701
2702         1. Changed the C Loop LLINT to dispatch to an Executable via its JITCode
2703            instance which is consistent with how the ASM LLINT works.
2704         2. Changed CLoop::execute() to take an Opcode instead of an OpcodeID.
2705            This makes it play nice with the use of JITCode for dispatching.
2706         3. Introduce a callToJavaScript and callToNativeFunction for the C Loop
2707            LLINT. These will call JSStack::pushFrame() and popFrame() to set up
2708            and teardown the CallFrame.
2709         4. Also introduced a C Loop returnFromJavaScript which is just a
2710            replacement for ctiOpThrowNotCaught which had the same function.
2711         5. Remove a lot of #if ENABLE(LLINT_C_LOOP) code now that the dispatch
2712            mechanism is consistent.
2713
2714         This patch has been tested with both configurations of COMPUTED_GOTOs
2715         on and off.
2716
2717         * interpreter/CachedCall.h:
2718         (JSC::CachedCall::CachedCall):
2719         (JSC::CachedCall::call):
2720         (JSC::CachedCall::setArgument):
2721         * interpreter/CallFrameClosure.h:
2722         (JSC::CallFrameClosure::setThis):
2723         (JSC::CallFrameClosure::setArgument):
2724         (JSC::CallFrameClosure::resetCallFrame):
2725         * interpreter/Interpreter.cpp:
2726         (JSC::Interpreter::execute):
2727         (JSC::Interpreter::executeCall):
2728         (JSC::Interpreter::executeConstruct):
2729         (JSC::Interpreter::prepareForRepeatCall):
2730         * interpreter/Interpreter.h:
2731         * interpreter/JSStack.h:
2732         * interpreter/JSStackInlines.h:
2733         (JSC::JSStack::pushFrame):
2734         * interpreter/ProtoCallFrame.h:
2735         (JSC::ProtoCallFrame::scope):
2736         (JSC::ProtoCallFrame::callee):
2737         (JSC::ProtoCallFrame::thisValue):
2738         (JSC::ProtoCallFrame::argument):
2739         (JSC::ProtoCallFrame::setArgument):
2740         * jit/JITCode.cpp:
2741         (JSC::JITCode::execute):
2742         * jit/JITCode.h:
2743         * jit/JITExceptions.cpp:
2744         (JSC::genericUnwind):
2745         * llint/LLIntCLoop.cpp:
2746         (JSC::LLInt::CLoop::initialize):
2747         * llint/LLIntCLoop.h:
2748         * llint/LLIntEntrypoint.cpp:
2749         (JSC::LLInt::setFunctionEntrypoint):
2750         (JSC::LLInt::setEvalEntrypoint):
2751         (JSC::LLInt::setProgramEntrypoint):
2752         - Inverted the check for vm.canUseJIT(). This allows the JIT case to be
2753           #if'd out nicely when building the C Loop LLINT.
2754         * llint/LLIntOpcode.h:
2755         * llint/LLIntThunks.cpp:
2756         (JSC::doCallToJavaScript):
2757         (JSC::executeJS):
2758         (JSC::callToJavaScript):
2759         (JSC::executeNative):
2760         (JSC::callToNativeFunction):
2761         * llint/LLIntThunks.h:
2762         * llint/LowLevelInterpreter.cpp:
2763         (JSC::CLoop::execute):
2764         * runtime/Executable.h:
2765         (JSC::ExecutableBase::offsetOfNumParametersFor):
2766         (JSC::ExecutableBase::hostCodeEntryFor):
2767         (JSC::ExecutableBase::jsCodeEntryFor):
2768         (JSC::ExecutableBase::jsCodeWithArityCheckEntryFor):
2769         (JSC::NativeExecutable::create):
2770         (JSC::NativeExecutable::finishCreation):
2771         (JSC::ProgramExecutable::generatedJITCode):
2772         * runtime/JSArray.cpp:
2773         (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key):
2774         * runtime/StringPrototype.cpp:
2775         (JSC::replaceUsingRegExpSearch):
2776         * runtime/VM.cpp:
2777         (JSC::VM::getHostFunction):
2778
2779 2013-12-05  Laszlo Vidacs  <lac@inf.u-szeged.hu>
2780
2781         Fix JavaScriptCore build if cloop is enabled after r160094
2782         https://bugs.webkit.org/show_bug.cgi?id=125292
2783
2784         Reviewed by Michael Saboff.
2785
2786         Move ProtoCallFrame outside the JIT guard.
2787
2788         * jit/JITCode.h:
2789
2790 2013-12-04  Filip Pizlo  <fpizlo@apple.com>
2791
2792         Fold constant typed arrays
2793         https://bugs.webkit.org/show_bug.cgi?id=125205
2794
2795         Reviewed by Oliver Hunt and Mark Hahnenberg.
2796         
2797         If by some other mechanism we have a typed array access on a compile-time constant
2798         typed array pointer, then fold:
2799         
2800         - Array bounds checks. Specifically, fold the load of length.
2801         
2802         - Loading the vector.
2803         
2804         This needs to install a watchpoint on the array itself because of the possibility of
2805         neutering. Neutering is ridiculous. We do this without bloating the size of
2806         ArrayBuffer or JSArrayBufferView in the common case (i.e. the case where you
2807         allocated an array that didn't end up becoming a compile-time constant). To install
2808         the watchpoint, we slowDownAndWasteMemory and then create an incoming reference to
2809         the ArrayBuffer, where that incoming reference is from a watchpoint object. The
2810         ArrayBuffer already knows about such incoming references and can fire the
2811         watchpoints that way.
2812         
2813         * CMakeLists.txt:
2814         * GNUmakefile.list.am:
2815         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2816         * JavaScriptCore.xcodeproj/project.pbxproj:
2817         * dfg/DFGDesiredWatchpoints.cpp:
2818         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
2819         (JSC::DFG::DesiredWatchpoints::addLazily):
2820         * dfg/DFGDesiredWatchpoints.h:
2821         (JSC::DFG::GenericSetAdaptor::add):
2822         (JSC::DFG::GenericSetAdaptor::hasBeenInvalidated):
2823         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::hasBeenInvalidated):
2824         (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
2825         (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
2826         (JSC::DFG::GenericDesiredWatchpoints::isStillValid):
2827         (JSC::DFG::GenericDesiredWatchpoints::shouldAssumeMixedState):
2828         (JSC::DFG::DesiredWatchpoints::isStillValid):
2829         (JSC::DFG::DesiredWatchpoints::shouldAssumeMixedState):
2830         (JSC::DFG::DesiredWatchpoints::isValidOrMixed):
2831         * dfg/DFGGraph.cpp:
2832         (JSC::DFG::Graph::tryGetFoldableView):
2833         * dfg/DFGGraph.h:
2834         * dfg/DFGSpeculativeJIT.cpp:
2835         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
2836         (JSC::DFG::SpeculativeJIT::emitTypedArrayBoundsCheck):
2837         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
2838         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
2839         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
2840         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
2841         (JSC::DFG::SpeculativeJIT::compileConstantIndexedPropertyStorage):
2842         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
2843         * dfg/DFGSpeculativeJIT.h:
2844         * dfg/DFGWatchpointCollectionPhase.cpp:
2845         (JSC::DFG::WatchpointCollectionPhase::handle):
2846         (JSC::DFG::WatchpointCollectionPhase::addLazily):
2847         * ftl/FTLLowerDFGToLLVM.cpp:
2848         (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
2849         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2850         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2851         (JSC::FTL::LowerDFGToLLVM::typedArrayLength):
2852         * runtime/ArrayBuffer.cpp:
2853         (JSC::ArrayBuffer::transfer):
2854         * runtime/ArrayBufferNeuteringWatchpoint.cpp: Added.
2855         (JSC::ArrayBufferNeuteringWatchpoint::ArrayBufferNeuteringWatchpoint):
2856         (JSC::ArrayBufferNeuteringWatchpoint::~ArrayBufferNeuteringWatchpoint):
2857         (JSC::ArrayBufferNeuteringWatchpoint::finishCreation):
2858         (JSC::ArrayBufferNeuteringWatchpoint::destroy):
2859         (JSC::ArrayBufferNeuteringWatchpoint::create):
2860         (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
2861         * runtime/ArrayBufferNeuteringWatchpoint.h: Added.
2862         (JSC::ArrayBufferNeuteringWatchpoint::set):
2863         * runtime/VM.cpp:
2864         (JSC::VM::VM):
2865         * runtime/VM.h:
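
        Why the fold above needs a neutering watchpoint, as an added JavaScript example that is not part of the original ChangeLog entry or of JSC: it caches a typed array's length the way a constant fold would, detaches (neuters) the underlying ArrayBuffer by transferring it, and shows that the cached length is now stale while a re-read length is not. The helpers `detach`, `sumWithCachedLength`, `sumRechecked` and `demo` are this example's own names.

```javascript
// Added example, not JSC code: what "neutering" does to a typed array and
// why a JIT that folded the length or the vector pointer must be told
// when it happens (in JSC, via the ArrayBufferNeuteringWatchpoint).

// Detach ("neuter") an ArrayBuffer by transferring its backing store away.
// structuredClone's transfer list does this synchronously; the MessageChannel
// path is a fallback for Node runtimes without structuredClone.
function detach(buffer) {
  if (typeof structuredClone === "function") {
    structuredClone(buffer, { transfer: [buffer] });
  } else {
    const { MessageChannel } = require("worker_threads");
    const { port1, port2 } = new MessageChannel();
    port1.postMessage(buffer, [buffer]);
    port1.close();
    port2.close();
  }
  return buffer.byteLength === 0; // true once the buffer is detached
}

// Mimics a compiled loop whose bounds check was folded to a constant:
// the length is baked in and never re-read from the view.
function sumWithCachedLength(view, cachedLength) {
  let total = 0;
  for (let i = 0; i < cachedLength; i++) {
    // On a detached view every indexed read yields undefined, so the
    // "in-bounds" loads silently poison the result instead of trapping.
    total += view[i];
  }
  return total;
}

// Mimics the un-folded path the watchpoint falls back to: the length is
// reloaded from the view on every call, so a detached view reads as empty.
function sumRechecked(view) {
  let total = 0;
  for (let i = 0; i < view.length; i++) {
    total += view[i];
  }
  return total;
}

// Constructed scenario: fold, then neuter, then observe the difference.
function demo() {
  const buffer = new ArrayBuffer(8);
  const view = new Uint8Array(buffer);
  view.set([1, 2, 3, 4, 5, 6, 7, 8]);

  const foldedLength = view.length;                    // what a fold would bake in
  const before = sumWithCachedLength(view, foldedLength);

  const detached = detach(buffer);                     // the ArrayBuffer::transfer case

  return {
    foldedLength,                                      // 8
    before,                                            // 36
    detached,                                          // true
    lengthAfter: view.length,                          // 0
    staleSum: sumWithCachedLength(view, foldedLength), // NaN: stale fold
    recheckedSum: sumRechecked(view),                  // 0: length reloaded
  };
}

if (typeof require === "function" && require.main === module) {
  console.log(demo());
}
```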
2866
2867 2013-12-04  Commit Queue  <commit-queue@webkit.org>
2868
2869         Unreviewed, rolling out r160116.
2870         http://trac.webkit.org/changeset/160116
2871         https://bugs.webkit.org/show_bug.cgi?id=125264
2872
2873         Change doesn't work as intended. See bug comments for details.
2874         (Requested by bfulgham on #webkit).
2875
2876         * runtime/InitializeThreading.cpp:
2877         (JSC::initializeThreading):
2878
2879 2013-12-04  Oliver Hunt  <oliver@apple.com>
2880
2881         Refactor static getter function prototype to include thisValue in addition to the base object
2882         https://bugs.webkit.org/show_bug.cgi?id=124461
2883
2884         Reviewed by Geoffrey Garen.
2885
2886         Add thisValue parameter to static getter prototype, and switch
2887         from JSValue to EncodedJSValue for parameters and return value.
2888
2889         Currently none of the static getters use the thisValue, but
2890         separating out the refactoring will prevent future changes
2891         from getting lost in the noise of refactoring.  This means
2892         that this patch does not result in any change in behaviour.
2893
2894         * API/JSCallbackObject.h:
2895         * API/JSCallbackObjectFunctions.h:
2896         (JSC::::asCallbackObject):
2897         (JSC::::staticFunctionGetter):
2898         (JSC::::callbackGetter):
2899         * jit/JITOperations.cpp:
2900         * runtime/JSActivation.cpp:
2901         (JSC::JSActivation::argumentsGetter):
2902         * runtime/JSActivation.h:
2903         * runtime/JSFunction.cpp:
2904         (JSC::JSFunction::argumentsGetter):
2905         (JSC::JSFunction::callerGetter):
2906         (JSC::JSFunction::lengthGetter):
2907         (JSC::JSFunction::nameGetter):
2908         * runtime/JSFunction.h:
2909         * runtime/JSObject.h:
2910         (JSC::PropertySlot::getValue):
2911         * runtime/NumberConstructor.cpp:
2912         (JSC::numberConstructorNaNValue):
2913         (JSC::numberConstructorNegInfinity):
2914         (JSC::numberConstructorPosInfinity):
2915         (JSC::numberConstructorMaxValue):
2916         (JSC::numberConstructorMinValue):
2917         * runtime/PropertySlot.h:
2918         * runtime/RegExpConstructor.cpp:
2919         (JSC::asRegExpConstructor):
2920         (JSC::regExpConstructorDollar1):
2921         (JSC::regExpConstructorDollar2):
2922         (JSC::regExpConstructorDollar3):
2923         (JSC::regExpConstructorDollar4):
2924         (JSC::regExpConstructorDollar5):
2925         (JSC::regExpConstructorDollar6):
2926         (JSC::regExpConstructorDollar7):
2927         (JSC::regExpConstructorDollar8):
2928         (JSC::regExpConstructorDollar9):
2929         (JSC::regExpConstructorInput):
2930         (JSC::regExpConstructorMultiline):
2931         (JSC::regExpConstructorLastMatch):
2932         (JSC::regExpConstructorLastParen):
2933         (JSC::regExpConstructorLeftContext):
2934         (JSC::regExpConstructorRightContext):
2935         * runtime/RegExpObject.cpp:
2936         (JSC::asRegExpObject):
2937         (JSC::regExpObjectGlobal):
2938         (JSC::regExpObjectIgnoreCase):
2939         (JSC::regExpObjectMultiline):
2940         (JSC::regExpObjectSource):
2941
2942 2013-12-04  Daniel Bates  <dabates@apple.com>
2943
2944         [iOS] Enable Objective-C ARC when building JSC tools for iOS simulator
2945         https://bugs.webkit.org/show_bug.cgi?id=125170
2946
2947         Reviewed by Geoffrey Garen.
2948
2949         * API/tests/testapi.mm:
2950         * Configurations/ToolExecutable.xcconfig:
2951
2952 2013-12-04  peavo@outlook.com  <peavo@outlook.com>
2953
2954         Use ThreadingOnce class to encapsulate pthread_once functionality.
2955         https://bugs.webkit.org/show_bug.cgi?id=125228
2956
2957         Reviewed by Brent Fulgham.
2958
2959         * runtime/InitializeThreading.cpp:
2960         (JSC::initializeThreading):
2961
2962 2013-12-04  Mark Lam  <mark.lam@apple.com>
2963
2964         Remove unneeded semicolons.
2965         https://bugs.webkit.org/show_bug.cgi?id=125083.
2966
2967         Rubber-stamped by Filip Pizlo.
2968
2969         * debugger/Debugger.h:
2970         (JSC::Debugger::detach):
2971         (JSC::Debugger::sourceParsed):
2972         (JSC::Debugger::exception):
2973         (JSC::Debugger::atStatement):
2974         (JSC::Debugger::callEvent):
2975         (JSC::Debugger::returnEvent):
2976         (JSC::Debugger::willExecuteProgram):
2977         (JSC::Debugger::didExecuteProgram):
2978         (JSC::Debugger::didReachBreakpoint):
2979
2980 2013-12-04  Andy Estes  <aestes@apple.com>
2981
2982         [iOS] Build projects with $(ARCHS_STANDARD_32_64_BIT)
2983         https://bugs.webkit.org/show_bug.cgi?id=125236
2984
2985         Reviewed by Sam Weinig.
2986
2987         $(ARCHS_STANDARD_32_64_BIT) is what we want for both device and simulator builds.
2988
2989         * Configurations/DebugRelease.xcconfig:
2990
2991 2013-12-03  Filip Pizlo  <fpizlo@apple.com>
2992
2993         Infer constant closure variables
2994         https://bugs.webkit.org/show_bug.cgi?id=124630
2995
2996         Reviewed by Geoffrey Garen.
2997         
2998         Captured variables that are assigned once (not counting op_enter's Undefined
2999         initialization) and that are contained within a function that has thus far only been
3000         entered once are now constant folded. It's pretty awesome.
3001         
3002         This involves a watchpoint on the assignment to variables and a watchpoint on entry
3003         into the function. The former is reused from global variable constant inference and the
3004         latter is reused from one-time closure inference.
3005
3006         * GNUmakefile.list.am:
3007         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3008         * JavaScriptCore.xcodeproj/project.pbxproj:
3009         * bytecode/CodeBlock.cpp:
3010         (JSC::CodeBlock::dumpBytecode):
3011         (JSC::CodeBlock::CodeBlock):
3012         * bytecode/Instruction.h:
3013         (JSC::Instruction::Instruction):
3014         * bytecode/Opcode.h:
3015         (JSC::padOpcodeName):
3016         * bytecode/UnlinkedCodeBlock.h:
3017         (JSC::UnlinkedInstruction::UnlinkedInstruction):
3018         * bytecode/VariableWatchpointSet.h:
3019         (JSC::VariableWatchpointSet::invalidate):
3020         * bytecode/Watchpoint.h:
3021         (JSC::WatchpointSet::invalidate):
3022         * bytecompiler/BytecodeGenerator.cpp:
3023         (JSC::BytecodeGenerator::addVar):
3024         (JSC::BytecodeGenerator::BytecodeGenerator):
3025         (JSC::BytecodeGenerator::emitInitLazyRegister):
3026         (JSC::BytecodeGenerator::emitMove):
3027         (JSC::BytecodeGenerator::emitNewFunctionInternal):
3028         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
3029         * bytecompiler/BytecodeGenerator.h:
3030         (JSC::BytecodeGenerator::addVar):
3031         (JSC::BytecodeGenerator::watchableVariable):
3032         * dfg/DFGByteCodeParser.cpp:
3033         (JSC::DFG::ByteCodeParser::getLocal):
3034         (JSC::DFG::ByteCodeParser::inferredConstant):
3035         (JSC::DFG::ByteCodeParser::parseBlock):
3036         (JSC::DFG::ByteCodeParser::parse):
3037         * dfg/DFGGraph.cpp:
3038         (JSC::DFG::Graph::tryGetActivation):
3039         (JSC::DFG::Graph::tryGetRegisters):
3040         * dfg/DFGGraph.h:
3041         * jit/JIT.cpp:
3042         (JSC::JIT::privateCompileMainPass):
3043         (JSC::JIT::privateCompileSlowCases):
3044         * jit/JIT.h:
3045         * jit/JITOpcodes.cpp:
3046         (JSC::JIT::emit_op_mov):
3047         (JSC::JIT::emit_op_captured_mov):
3048         (JSC::JIT::emit_op_new_captured_func):
3049         (JSC::JIT::emitSlow_op_captured_mov):
3050         * jit/JITOpcodes32_64.cpp:
3051         (JSC::JIT::emit_op_mov):
3052         (JSC::JIT::emit_op_captured_mov):
3053         * llint/LowLevelInterpreter32_64.asm:
3054         * llint/LowLevelInterpreter64.asm:
3055         * runtime/CommonSlowPaths.cpp:
3056         (JSC::SLOW_PATH_DECL):
3057         * runtime/CommonSlowPaths.h:
3058         * runtime/ConstantMode.h: Added.
3059         * runtime/JSGlobalObject.h:
3060         * runtime/JSScope.cpp:
3061         (JSC::abstractAccess):
3062         * runtime/SymbolTable.cpp:
3063         (JSC::SymbolTableEntry::prepareToWatch):
3064
3065 2013-12-04  Brent Fulgham  <bfulgham@apple.com>
3066
3067         [Win] Unreviewed project file gardening.
3068
3069         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Remove deleted files from project.
3070         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Put files in proper directory
3071         folders to match the directory structure of the source code.
3072
3073 2013-12-04  Joseph Pecoraro  <pecoraro@apple.com>
3074
3075         Unreviewed Windows Build Fix attempt after r160099.
3076
3077         * JavaScriptCore.vcxproj/copy-files.cmd:
3078
3079 2013-12-04  Julien Brianceau  <jbriance@cisco.com>
3080
3081         REGRESSION (r160094): Fix lots of crashes for sh4 architecture.
3082         https://bugs.webkit.org/show_bug.cgi?id=125227
3083
3084         Reviewed by Michael Saboff.
3085
3086         * llint/LowLevelInterpreter32_64.asm: Do not use t4 and t5 as they match a0 and a1.
3087         * offlineasm/registers.rb: Add t7, t8 and t9 in register list for sh4 port.
3088         * offlineasm/sh4.rb: Rearrange RegisterID list and add the missing ones.
3089
3090 2013-12-03  Joseph Pecoraro  <pecoraro@apple.com>
3091
3092         Web Inspector: Push Remote Inspector debugging connection management into JavaScriptCore
3093         https://bugs.webkit.org/show_bug.cgi?id=124613
3094
3095         Reviewed by Timothy Hatcher.
3096
3097         Move the ENABLE(REMOTE_INSPECTOR) remote debugger connection management
3098         into JavaScriptCore (originally from WebKit/mac). Include enhancements:
3099
3100           * allow for different types of remote debuggable targets,
3101             eventually at least a JSContext, WebView, WKView.
3102           * allow debuggables to be registered and debugged on any thread. Unlike
3103             WebViews, JSContexts may be run entirely off of the main thread.
3104           * move the remote connection (XPC connection) itself off of the main thread,
3105             it doesn't need to be on the main thread.
3106
3107         Make JSContext @class and JavaScriptCore::JSContextRef
3108         "JavaScript" Remote Debuggables.
3109
3110         * inspector/remote/RemoteInspectorDebuggable.h: Added.
3111         * inspector/remote/RemoteInspectorDebuggable.cpp: Added.
3112         (Inspector::RemoteInspectorDebuggable::RemoteInspectorDebuggable):
3113         (Inspector::RemoteInspectorDebuggable::~RemoteInspectorDebuggable):
3114         (Inspector::RemoteInspectorDebuggable::init):
3115         (Inspector::RemoteInspectorDebuggable::update):
3116         (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
3117         (Inspector::RemoteInspectorDebuggable::info):
3118         RemoteInspectorDebuggable defines a debuggable target. As long as
3119         something creates a debuggable and is set to allow remote inspection,
3120         it will be listed in remote debuggers. For the different types of
3121         debuggables (JavaScript and Web) there is different basic information
3122         that may be listed.
3123
3124         * inspector/InspectorFrontendChannel.h: Added.
3125         (Inspector::InspectorFrontendChannel::~InspectorFrontendChannel):
3126         The only thing a debuggable needs for remote debugging is an
3127         InspectorFrontendChannel, a way to send messages to a remote frontend.
3128         This class provides that method, and is vended to the
3129         RemoteInspectorDebuggable when a remote connection is setup.
3130
3131         * inspector/remote/RemoteInspector.h: Added.
3132         * inspector/remote/RemoteInspector.mm: Added.
3133         Singleton, created at least when the first Debuggable is created.
3134         This class manages the list of debuggables and any connection to a
3135         remote debugger proxy (XPC service "com.apple.webinspector").
3136
3137         (Inspector::dispatchAsyncOnQueueSafeForAnyDebuggable):
3138         (Inspector::RemoteInspector::shared):
3139         (Inspector::RemoteInspector::RemoteInspector):
3140         (Inspector::RemoteInspector::nextAvailableIdentifier):
3141         (Inspector::RemoteInspector::registerDebuggable):
3142         (Inspector::RemoteInspector::unregisterDebuggable):
3143         (Inspector::RemoteInspector::updateDebuggable):
3144         Debuggable management. When debuggables are added, removed, or updated
3145         we stash a copy of the debuggable information and push an update to
3146         debuggers. Stashing a copy of the information in the RemoteInspector
3147         is a thread safe way to avoid walking over all debuggables to gather
3148         the information when it is needed.
3149
3150         (Inspector::RemoteInspector::start):
3151         (Inspector::RemoteInspector::stop):
3152         Runtime API to enable / disable the feature.
3153
3154         (Inspector::RemoteInspector::listingForDebuggable):
3155         (Inspector::RemoteInspector::pushListingNow):
3156         (Inspector::RemoteInspector::pushListingSoon):
3157         Pushing a listing to remote debuggers.
3158
3159         (Inspector::RemoteInspector::sendMessageToRemoteFrontend):
3160         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
3161         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
3162         (Inspector::RemoteInspector::xpcConnectionFailed):
3163         (Inspector::RemoteInspector::xpcConnectionUnhandledMessage):
3164         XPC setup, send, and receive handling.
3165
3166         (Inspector::RemoteInspector::updateHasActiveDebugSession):
3167         Applications being debugged may want to know when a debug
3168         session is active. This provides that notification.
3169
3170         (Inspector::RemoteInspector::receivedSetupMessage):
3171         (Inspector::RemoteInspector::receivedDataMessage):
3172         (Inspector::RemoteInspector::receivedDidCloseMessage):
3173         (Inspector::RemoteInspector::receivedGetListingMessage):
3174         (Inspector::RemoteInspector::receivedIndicateMessage):
3175         (Inspector::RemoteInspector::receivedConnectionDiedMessage):
3176         Dispatching incoming remote debugging protocol messages.
3177         These are wrapping above the inspector protocol messages.
3178
3179         * inspector/remote/RemoteInspectorConstants.h: Added.
3180         Protocol messages and dictionary keys inside the messages.
3181
3182         (Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo):
3183         * inspector/remote/RemoteInspectorDebuggableConnection.h: Added.
3184         * inspector/remote/RemoteInspectorDebuggableConnection.mm: Added.
3185         This is a connection between the RemoteInspector singleton and a RemoteInspectorDebuggable.
3186
3187         (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
3188         (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
3189         Allow for dispatching messages on JavaScript debuggables on a dispatch_queue
3190         instead of the main queue.
3191
3192         (Inspector::RemoteInspectorDebuggableConnection::destination):
3193         (Inspector::RemoteInspectorDebuggableConnection::connectionIdentifier):
3194         Needed in the remote debugging protocol to identify the remote debugger.
3195
3196         (Inspector::RemoteInspectorDebuggableConnection::dispatchSyncOnDebuggable):
3197         (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
3198         (Inspector::RemoteInspectorDebuggableConnection::setup):
3199         (Inspector::RemoteInspectorDebuggableConnection::closeFromDebuggable):
3200         (Inspector::RemoteInspectorDebuggableConnection::close):
3201         (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
3202         (Inspector::RemoteInspectorDebuggableConnection::sendMessageToFrontend):
3203         The connection is a thin channel between the two sides that can be closed
3204         from either side, so there is some logic around multi-threaded access.
3205
3206         * inspector/remote/RemoteInspectorXPCConnection.h: Added.
3207         (Inspector::RemoteInspectorXPCConnection::Client::~Client):
3208         * inspector/remote/RemoteInspectorXPCConnection.mm: Added.
3209         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
3210         (Inspector::RemoteInspectorXPCConnection::~RemoteInspectorXPCConnection):
3211         (Inspector::RemoteInspectorXPCConnection::close):
3212         (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
3213         (Inspector::RemoteInspectorXPCConnection::handleEvent):
3214         (Inspector::RemoteInspectorXPCConnection::sendMessage):
3215         This is a connection between the RemoteInspector singleton and an XPC service
3216         named "com.apple.webinspector". This handles serialization of the dictionary
3217         messages to and from the service. The receiving is done on a non-main queue.
3218
3219         * API/JSContext.h:
3220         * API/JSContext.mm:
3221         (-[JSContext name]):
3222         (-[JSContext setName:]):
3223         ObjC API to enable/disable JSContext remote inspection and give a name.
3224
3225         * API/JSContextRef.h:
3226         * API/JSContextRef.cpp:
3227         (JSGlobalContextGetName):
3228         (JSGlobalContextSetName):
3229         C API to give a JSContext a name.
3230
3231         * runtime/JSGlobalObject.cpp:
3232         (JSC::JSGlobalObject::setName):
3233         * runtime/JSGlobalObject.h:
3234         (JSC::JSGlobalObject::name):
3235         Shared handling of the APIs above.
3236
3237         * runtime/JSGlobalObjectDebuggable.cpp: Added.
3238         (JSC::JSGlobalObjectDebuggable::JSGlobalObjectDebuggable):
3239         (JSC::JSGlobalObjectDebuggable::name):
3240         (JSC::JSGlobalObjectDebuggable::connect):
3241         (JSC::JSGlobalObjectDebuggable::disconnect):
3242         (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
3243         * runtime/JSGlobalObjectDebuggable.h: Added.
3244         Stub for the actual remote debugging implementation. We will push
3245         down the appropriate WebCore/inspector pieces suitable for debugging
3246         just a JavaScript context.
3247
3248         * CMakeLists.txt:
3249         * JavaScriptCore.xcodeproj/project.pbxproj:
3250         * GNUmakefile.am:
3251         * GNUmakefile.list.am:
3252         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3253         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3254         Update build files.
3255
3256 2013-12-04  Michael Saboff  <msaboff@apple.com>
3257
3258         Move the setting up of callee's callFrame from pushFrame to callToJavaScript thunk
3259         https://bugs.webkit.org/show_bug.cgi?id=123999
3260
3261         Reviewed by Filip Pizlo.
3262
3263         Changed LLInt and/or JIT enabled ports to allocate the stack frame in the
3264         callToJavaScript stub.  Added an additional stub, callToNativeFunction that
3265         allocates a stack frame in a similar way for calling native entry points
3266         that take a single ExecState* argument.  These stubs are implemented
3267         using common macros in LowLevelInterpreter{32_64,64}.asm.  There are also
3268         Windows X86 and X86-64 versions in the corresponding JitStubsXX.h.
3269         The stubs allocate and create a sentinel frame, then create the callee's
3270         frame, populating the header and arguments from the passed in ProtoCallFrame*.
3271         It is assumed that the caller of either stub does a check for enough stack space
3272         via JSStack::entryCheck().
3273
3274         For ports using the C-Loop interpreter, the prior method for allocating stack
3275         frame and invoking functions is used, namely with JSStack::pushFrame() and
3276         ::popFrame().
3277
3278         Made spelling changes "sentinal" -> "sentinel".
3279
3280         * CMakeLists.txt:
3281         * GNUmakefile.list.am:
3282         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3283         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3284         * JavaScriptCore.xcodeproj/project.pbxproj:
3285         * interpreter/CachedCall.h:
3286         (JSC::CachedCall::CachedCall):
3287         (JSC::CachedCall::setThis):
3288         (JSC::CachedCall::setArgument):
3289         * interpreter/CallFrameClosure.h:
3290         (JSC::CallFrameClosure::resetCallFrame):
3291         * interpreter/Interpreter.cpp:
3292         (JSC::Interpreter::execute):
3293         (JSC::Interpreter::executeCall):
3294         (JSC::Interpreter::executeConstruct):
3295         (JSC::Interpreter::prepareForRepeatCall):
3296         * interpreter/Interpreter.h:
3297         * interpreter/JSStack.h:
3298         * interpreter/JSStackInlines.h:
3299         (JSC::JSStack::entryCheck):
3300         (JSC::JSStack::pushFrame):
3301         (JSC::JSStack::popFrame):
3302         * interpreter/ProtoCallFrame.cpp: Added.
3303         (JSC::ProtoCallFrame::init):
3304         * interpreter/ProtoCallFrame.h: Added.
3305         (JSC::ProtoCallFrame::codeBlock):
3306         (JSC::ProtoCallFrame::setCodeBlock):
3307         (JSC::ProtoCallFrame::setScope):
3308         (JSC::ProtoCallFrame::setCallee):
3309         (JSC::ProtoCallFrame::argumentCountIncludingThis):
3310         (JSC::ProtoCallFrame::argumentCount):
3311         (JSC::ProtoCallFrame::setArgumentCountIncludingThis):
3312         (JSC::ProtoCallFrame::setPaddedArgsCount):
3313         (JSC::ProtoCallFrame::clearCurrentVPC):
3314         (JSC::ProtoCallFrame::setThisValue):
3315         (JSC::ProtoCallFrame::setArgument):
3316         * jit/JITCode.cpp:
3317         (JSC::JITCode::execute):
3318         * jit/JITCode.h:
3319         * jit/JITOperations.cpp:
3320         * jit/JITStubs.h:
3321         * jit/JITStubsMSVC64.asm:
3322         * jit/JITStubsX86.h:
3323         * llint/LLIntOffsetsExtractor.cpp:
3324         * llint/LLIntThunks.h:
3325         * llint/LowLevelInterpreter.asm:
3326         * llint/LowLevelInterpreter32_64.asm:
3327         * llint/LowLevelInterpreter64.asm:
3328         * runtime/ArgList.h:
3329         (JSC::ArgList::data):
3330         * runtime/JSArray.cpp:
3331         (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key):
3332         * runtime/StringPrototype.cpp:
3333         (JSC::replaceUsingRegExpSearch):
3334
3335 2013-12-04  László Langó  <lango@inf.u-szeged.hu>
3336
3337         Remove stdio.h from JSC files.
3338         https://bugs.webkit.org/show_bug.cgi?id=125220
3339
3340         Reviewed by Michael Saboff.
3341
3342         * interpreter/VMInspector.cpp:
3343         * jit/JITArithmetic.cpp:
3344         * jit/JITArithmetic32_64.cpp:
3345         * jit/JITCall.cpp:
3346         * jit/JITCall32_64.cpp:
3347         * jit/JITPropertyAccess.cpp:
3348         * jit/JITPropertyAccess32_64.cpp:
3349         * runtime/Completion.cpp:
3350         * runtime/IndexingType.cpp:
3351         * runtime/Lookup.h:
3352         * runtime/Operations.cpp:
3353         * runtime/Options.cpp:
3354         * runtime/RegExp.cpp:
3355
3356 2013-12-04  László Langó  <lango@inf.u-szeged.hu>
3357
3358         Avoid adding a zero offset in BaseIndex.
3359         https://bugs.webkit.org/show_bug.cgi?id=125215
3360
3361         Reviewed by Michael Saboff.
3362
3363         When using cloop, do not generate offset additions for BaseIndex if the offset is zero.
3364
3365         * offlineasm/cloop.rb:
3366
3367 2013-12-04  Peter Molnar  <pmolnar.u-szeged@partner.samsung.com>
3368
3369         Fix !ENABLE(JAVASCRIPT_DEBUGGER) build.
3370         https://bugs.webkit.org/show_bug.cgi?id=125083
3371
3372         Reviewed by Mark Lam.
3373
3374         * debugger/Debugger.cpp:
3375         * debugger/Debugger.h:
3376         (JSC::Debugger::Debugger):
3377         (JSC::Debugger::needsOpDebugCallbacks):
3378         (JSC::Debugger::needsExceptionCallbacks):
3379         (JSC::Debugger::detach):
3380         (JSC::Debugger::sourceParsed):
3381         (JSC::Debugger::exception):
3382         (JSC::Debugger::atStatement):
3383         (JSC::Debugger::callEvent):
3384         (JSC::Debugger::returnEvent):
3385         (JSC::Debugger::willExecuteProgram):
3386         (JSC::Debugger::didExecuteProgram):
3387         (JSC::Debugger::didReachBreakpoint):
3388         * debugger/DebuggerPrimitives.h:
3389         * jit/JITOpcodes.cpp:
3390         (JSC::JIT::emit_op_debug):
3391         * jit/JITOpcodes32_64.cpp:
3392         (JSC::JIT::emit_op_debug):
3393         * llint/LLIntOfflineAsmConfig.h:
3394         * llint/LowLevelInterpreter.asm:
3395
3396 2013-12-03  Mark Lam  <mark.lam@apple.com>
3397
3398         testapi test crashes on Windows in WTF::Vector<wchar_t,64,WTF::UnsafeVectorOverflow>::size().
3399         https://bugs.webkit.org/show_bug.cgi?id=121972.
3400
3401         Reviewed by Brent Fulgham.
3402
3403         * interpreter/JSStack.cpp:
3404         (JSC::JSStack::~JSStack):
3405         - Reverting the change from r160004 since it's better to fix OSAllocatorWin
3406           to be consistent with OSAllocatorPosix.
3407
3408 2013-12-03  Mark Lam  <mark.lam@apple.com>
3409
3410         Fix LLINT_C_LOOP build for Win64.
3411         https://bugs.webkit.org/show_bug.cgi?id=125186.
3412
3413         Reviewed by Michael Saboff.
3414
3415         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3416         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3417         * jit/JITOperationsMSVC64.cpp: Added.
3418         (JSC::getHostCallReturnValueWithExecState):
3419         - Win64 will build JITStubMSVC64.asm even when !ENABLE(JIT). This results
3420           in a linkage error due to a missing getHostCallReturnValueWithExecState().
3421           So, we add a stub getHostCallReturnValueWithExecState() here to satisfy
3422           that linkage. This function will never be called.
3423           The alternative to providing such a stub is to make the MSVC project
3424           recognize if the JIT is enabled or not, and exclude JITStubMSVC64.asm
3425           if it's not enabled. We don't currently set ENABLE(JIT) via the MSVC
3426           project and the work to do that is too much trouble for what we're trying
3427           to achieve here. So, we're opting for this simpler workaround instead.
3428
3429         * llint/LowLevelInterpreter.asm:
3430         * llint/LowLevelInterpreter.cpp:
3431         (JSC::CLoop::execute):
3432         - Don't build callToJavaScript if we're building the C loop. Otherwise,
3433           the C loop won't build if !ENABLE(COMPUTE_GOTO_OPCODES).
3434
3435 2013-12-03  Michael Saboff  <msaboff@apple.com>
3436
3437         ARM64: Crash in JIT code due to improper reuse of cached memory temp register
3438         https://bugs.webkit.org/show_bug.cgi?id=125181
3439
3440         Reviewed by Geoffrey Garen.
3441
3442         Changed load8() and load() to invalidate the memory temp CachedTempRegister when the
3443         destination of an absolute load is the memory temp register since the source address
3444         is also the memory temp register.  Change branch{8,32,64} of an AbsoluteAddress with
3445         a register to use the dataTempRegister as the destination of the absolute load to
3446         reduce the chance that we need to invalidate the memory temp register cache.
3447         In the process, found and fixed an outright bug in branch8() where we'd load into
3448         the data temp register and then compare and branch on the memory temp register.
3449
3450         * assembler/MacroAssemblerARM64.h:
3451         (JSC::MacroAssemblerARM64::load8):
3452         (JSC::MacroAssemblerARM64::branch32):
3453         (JSC::MacroAssemblerARM64::branch64):
3454         (JSC::MacroAssemblerARM64::branch8):
3455         (JSC::MacroAssemblerARM64::load):
3456
3457 2013-12-03  Michael Saboff  <msaboff@apple.com>
3458
3459         jit/JITArithmetic.cpp doesn't build for non-X86 ports
3460         https://bugs.webkit.org/show_bug.cgi?id=125185
3461
3462         Rubber stamped by Mark Hahnenberg.
3463
3464         Removed unused declarations and related UNUSED_PARAM().
3465
3466         * jit/JITArithmetic.cpp:
3467         (JSC::JIT::emit_op_mod):
3468
3469 2013-12-03  Filip Pizlo  <fpizlo@apple.com>
3470
3471         ObjectAllocationProfile is racy and the DFG should be cool with that
3472         https://bugs.webkit.org/show_bug.cgi?id=125172
3473         <rdar://problem/15233487>
3474
3475         Reviewed by Mark Hahnenberg.
3476         
3477         We would previously sometimes get a null Structure because checking if the profile is non-null and loading
3478         the structure from it were two separate operations.
3479
3480         * dfg/DFGAbstractInterpreterInlines.h:
3481         (JSC::DFG::::executeEffects):
3482         * dfg/DFGAbstractValue.cpp:
3483         (JSC::DFG::AbstractValue::setFuturePossibleStructure):
3484         * dfg/DFGByteCodeParser.cpp:
3485         (JSC::DFG::ByteCodeParser::parseBlock):
3486         * runtime/JSFunction.h:
3487         (JSC::JSFunction::allocationProfile):
3488         (JSC::JSFunction::allocationStructure):
3489
3490 2013-12-03  peavo@outlook.com  <peavo@outlook.com>
3491
3492         testapi test crashes on Windows in WTF::Vector<wchar_t,64,WTF::UnsafeVectorOverflow>::size()
3493         https://bugs.webkit.org/show_bug.cgi?id=121972
3494
3495         Reviewed by Michael Saboff.
3496
3497         The reason for the crash is that the wrong memory block is decommitted.
3498         This can happen if no memory has been committed in the reserved block before the JSStack object is destroyed.
3499         In the JSStack destructor, the pointer to decommit then points to the end of the block (or the start of the next), and the decommit size is zero.
3500         If there is a block just after the block we are trying to decommit, this block will be decommitted, since Windows will decommit the whole block
3501         if the decommit size is zero (see VirtualFree). When somebody tries to read/write to this block later, we crash.
3502
3503         * interpreter/JSStack.cpp:
3504         (JSC::JSStack::~JSStack): Don't decommit memory if nothing has been committed.
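
        The bug described above, as an added C model that is not WebKit code: two adjacent
        reserved blocks, the documented VirtualFree(MEM_DECOMMIT) size-zero behaviour, and the
        unguarded JSStack destructor beside the guarded one. Block layout, page counts, addresses
        and every function name here are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model: two adjacent reserved ranges, page granular. A JSStack
 * reservation grows downward, so its committed pages sit at the END of the
 * range and the destructor decommits [end - committedBytes, end). */
#define PAGE_SIZE 4096u
#define PAGES_PER_BLOCK 8
#define BLOCK_BYTES (PAGES_PER_BLOCK * PAGE_SIZE)
#define STACK 0     /* space[STACK] is the JSStack reservation */
#define NEIGHBOUR 1 /* space[NEIGHBOUR] was reserved immediately after it */

typedef struct {
    uintptr_t base;                  /* first address of the reservation */
    bool committed[PAGES_PER_BLOCK]; /* which pages are currently committed */
} Block;

/* Stack with its last stackCommittedPages pages committed; neighbour fully
 * committed and in use. Addresses are constructed. */
static void space_init(Block space[2], size_t stackCommittedPages)
{
    memset(space, 0, 2 * sizeof *space);
    space[STACK].base = 0x10000000u;
    space[NEIGHBOUR].base = space[STACK].base + BLOCK_BYTES;
    for (int i = 0; i < PAGES_PER_BLOCK; i++) {
        space[STACK].committed[i] = (size_t)(PAGES_PER_BLOCK - i) <= stackCommittedPages;
        space[NEIGHBOUR].committed[i] = true;
    }
}

static Block *block_containing(Block space[2], uintptr_t addr)
{
    for (int i = 0; i < 2; i++)
        if (addr >= space[i].base && addr < space[i].base + BLOCK_BYTES)
            return &space[i];
    return NULL;
}

/* Model of VirtualFree(addr, size, MEM_DECOMMIT) as documented: size 0 decommits
 * the whole region containing addr (a POSIX zero-length decommit is a no-op). */
static void win_decommit(Block space[2], uintptr_t addr, size_t size)
{
    Block *b = block_containing(space, addr);
    if (!b)
        return;
    if (size == 0) {
        memset(b->committed, 0, sizeof b->committed);
        return;
    }
    for (uintptr_t p = addr; p < addr + size; p += PAGE_SIZE)
        if ((b = block_containing(space, p)))
            b->committed[(p - b->base) / PAGE_SIZE] = false;
}

/* Pre-fix destructor: always decommits. With committedBytes == 0 the address is
 * end-of-stack, i.e. space[NEIGHBOUR].base, and size 0 frees the neighbour. */
static void jsstack_destroy_unguarded(Block space[2], size_t committedBytes)
{
    win_decommit(space, space[STACK].base + BLOCK_BYTES - committedBytes, committedBytes);
}

/* Fixed destructor: skip the call entirely when nothing has been committed. */
static void jsstack_destroy_guarded(Block space[2], size_t committedBytes)
{
    if (committedBytes != 0) jsstack_destroy_unguarded(space, committedBytes);
}

/* Destroys a stack with committedPages committed pages and returns how many
 * neighbour pages remain committed (PAGES_PER_BLOCK means it was untouched). */
static int neighbour_pages_after_destroy(bool guarded, size_t committedPages)
{
    Block space[2];
    space_init(space, committedPages);
    (guarded ? jsstack_destroy_guarded : jsstack_destroy_unguarded)(space, committedPages * PAGE_SIZE);
    int n = 0;
    for (int i = 0; i < PAGES_PER_BLOCK; i++) n += space[NEIGHBOUR].committed[i];
    return n;
}
```

        neighbour_pages_after_destroy(false, 0) returns 0 (the neighbour is wiped) while
        neighbour_pages_after_destroy(true, 0) returns PAGES_PER_BLOCK; the later entry in this
        log moves the same guard into OSAllocatorWin so it matches OSAllocatorPosix for every caller.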
3505
3506 2013-12-03  László Langó  <lango@inf.u-szeged.hu>
3507
3508         Guard JIT include.
3509         https://bugs.webkit.org/show_bug.cgi?id=125063
3510
3511         Reviewed by Filip Pizlo.
3512
3513         * llint/LLIntThunks.cpp:
3514
3515 2013-12-03  Julien Brianceau  <jbriance@cisco.com>
3516
3517         Merge mips and arm/sh4 paths in nativeForGenerator and privateCompileCTINativeCall functions.
3518         https://bugs.webkit.org/show_bug.cgi?id=125067
3519
3520         Reviewed by Michael Saboff.
3521
3522         * jit/JITOpcodes32_64.cpp:
3523         (JSC::JIT::privateCompileCTINativeCall):
3524         * jit/ThunkGenerators.cpp:
3525         (JSC::nativeForGenerator):
3526
3527 2013-12-02  Mark Lam  <mark.lam@apple.com>
3528
3529         Build failure when disabling JIT, YARR_JIT, and ASSEMBLER.
3530         https://bugs.webkit.org/show_bug.cgi?id=123809.
3531
3532         Reviewed by Geoffrey Garen.
3533
3534         Also fixed build when disabling the DISASSEMBLER.
3535         Added some needed #if's and some comments.
3536
3537         * assembler/LinkBuffer.cpp:
3538         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
3539         * dfg/DFGDisassembler.cpp:
3540         * dfg/DFGDisassembler.h:
3541         (JSC::DFG::Disassembler::Disassembler):
3542         (JSC::DFG::Disassembler::setStartOfCode):
3543         (JSC::DFG::Disassembler::setForBlockIndex):
3544         (JSC::DFG::Disassembler::setForNode):
3545         (JSC::DFG::Disassembler::setEndOfMainPath):
3546         (JSC::DFG::Disassembler::setEndOfCode):
3547         (JSC::DFG::Disassembler::dump):
3548         (JSC::DFG::Disassembler::reportToProfiler):
3549         * disassembler/Disassembler.cpp:
3550         * disassembler/X86Disassembler.cpp:
3551         * jit/FPRInfo.h:
3552         * jit/GPRInfo.h:
3553         * jit/JITDisassembler.cpp:
3554         * jit/JITDisassembler.h:
3555         (JSC::JITDisassembler::JITDisassembler):
3556         (JSC::JITDisassembler::setStartOfCode):
3557         (JSC::JITDisassembler::setForBytecodeMainPath):
3558         (JSC::JITDisassembler::setForBytecodeSlowPath):
3559         (JSC::JITDisassembler::setEndOfSlowPath):
3560         (JSC::JITDisassembler::setEndOfCode):
3561         (JSC::JITDisassembler::dump):
3562         (JSC::JITDisassembler::reportToProfiler):
3563
3564 2013-12-02  Filip Pizlo  <fpizlo@apple.com>
3565
3566         Baseline JIT calls to CommonSlowPaths shouldn't restore the last result
3567         https://bugs.webkit.org/show_bug.cgi?id=125107
3568
3569         Reviewed by Mark Hahnenberg.
3570
3571         Just killing dead code.
3572
3573         * jit/JITArithmetic.cpp:
3574         (JSC::JIT::emitSlow_op_negate):
3575         (JSC::JIT::emitSlow_op_lshift):
3576         (JSC::JIT::emitSlow_op_rshift):
3577         (JSC::JIT::emitSlow_op_urshift):
3578         (JSC::JIT::emitSlow_op_bitand):
3579         (JSC::JIT::emitSlow_op_inc):
3580         (JSC::JIT::emitSlow_op_dec):
3581         (JSC::JIT::emitSlow_op_mod):
3582         (JSC::JIT::emit_op_mod):
3583         (JSC::JIT::compileBinaryArithOpSlowCase):
3584         (JSC::JIT::emitSlow_op_div):
3585         * jit/JITArithmetic32_64.cpp:
3586         (JSC::JIT::emitSlow_op_negate):
3587         (JSC::JIT::emitSlow_op_lshift):
3588         (JSC::JIT::emitRightShiftSlowCase):
3589         (JSC::JIT::emitSlow_op_bitand):
3590         (JSC::JIT::emitSlow_op_bitor):
3591         (JSC::JIT::emitSlow_op_bitxor):
3592         (JSC::JIT::emitSlow_op_inc):
3593         (JSC::JIT::emitSlow_op_dec):
3594         (JSC::JIT::emitSlow_op_add):
3595         (JSC::JIT::emitSlow_op_sub):
3596         (JSC::JIT::emitSlow_op_mul):
3597         (JSC::JIT::emitSlow_op_div):
3598         * jit/JITOpcodes.cpp:
3599         (JSC::JIT::emit_op_strcat):
3600         (JSC::JIT::emitSlow_op_get_callee):
3601         (JSC::JIT::emitSlow_op_create_this):
3602         (JSC::JIT::emitSlow_op_to_this):
3603         (JSC::JIT::emitSlow_op_to_primitive):
3604         (JSC::JIT::emitSlow_op_not):
3605         (JSC::JIT::emitSlow_op_bitxor):
3606         (JSC::JIT::emitSlow_op_bitor):
3607         (JSC::JIT::emitSlow_op_stricteq):
3608         (JSC::JIT::emitSlow_op_nstricteq):
3609         (JSC::JIT::emitSlow_op_to_number):
3610         * jit/JITOpcodes32_64.cpp:
3611         (JSC::JIT::emitSlow_op_to_primitive):
3612         (JSC::JIT::emitSlow_op_not):
3613         (JSC::JIT::emitSlow_op_stricteq):
3614         (JSC::JIT::emitSlow_op_nstricteq):
3615         (JSC::JIT::emitSlow_op_to_number):
3616         (JSC::JIT::emitSlow_op_get_callee):
3617         (JSC::JIT::emitSlow_op_create_this):
3618         (JSC::JIT::emitSlow_op_to_this):
3619
3620 2013-12-01  Filip Pizlo  <fpizlo@apple.com>
3621
3622         Stores to local captured variables should be intercepted
3623         https://bugs.webkit.org/show_bug.cgi?id=124883
3624
3625         Reviewed by Mark Hahnenberg.
3626         
3627         Previously, in bytecode, you could assign to a captured variable just as you would
3628         assign to any other kind of variable. This complicates closure variable constant
3629         inference because we don't have any place where we can intercept stores to captured
3630         variables in the LLInt.
3631         
3632         This patch institutes a policy that only certain instructions can store to captured
3633         variables. If you interpret those instructions and you are required to notifyWrite()
3634         then you need to check if the relevant variable is captured. Those instructions are
3635         tracked in CodeBlock.cpp's VerifyCapturedDef. The main one is simply op_captured_mov.
3636         In the future, we'll probably modify those instructions to have a pointer directly to
3637         the VariableWatchpointSet; but for now we just introduce the captured instructions as
3638         placeholders.
3639         
3640         In order to validate that the placeholders are inserted correctly, this patch improves
3641         the CodeBlock validation to be able to inspect every def in the bytecode. To do that,
3642         this patch refactors the liveness analysis' use/def calculator to be reusable; it now
3643         takes a functor for each use or def.
3644         
3645         In the process of refactoring the liveness analysis, I noticed that op_enter was
3646         claiming to def all callee registers. That's wrong; it only defs the non-temporary
3647         variables. Making that change revealed preexisting bugs in the liveness analysis, since
3648         now the validator would pick up cases where the bytecode claimed to use a temporary and
3649         the def calculator never noticed the definition (or the converse - where the bytecode
3650         was actually not using a temporary but the liveness analysis thought that it was a
3651         use). This patch fixes a few of those bugs.
3652
3653         * GNUmakefile.list.am:
3654         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3655         * JavaScriptCore.xcodeproj/project.pbxproj:
3656         * bytecode/BytecodeLivenessAnalysis.cpp:
3657         (JSC::stepOverInstruction):
3658         * bytecode/BytecodeUseDef.h: Added.
3659         (JSC::computeUsesForBytecodeOffset):
3660         (JSC::computeDefsForBytecodeOffset):
3661         * bytecode/CodeBlock.cpp:
3662         (JSC::CodeBlock::dumpBytecode):
3663         (JSC::CodeBlock::isCaptured):
3664         (JSC::CodeBlock::validate):
3665         * bytecode/CodeBlock.h:
3666         * bytecode/Opcode.h:
3667         (JSC::padOpcodeName):
3668         * bytecompiler/BytecodeGenerator.cpp:
3669         (JSC::BytecodeGenerator::BytecodeGenerator):
3670         (JSC::BytecodeGenerator::resolveCallee):
3671         (JSC::BytecodeGenerator::emitMove):
3672         (JSC::BytecodeGenerator::isCaptured):
3673         (JSC::BytecodeGenerator::local):
3674         (JSC::BytecodeGenerator::constLocal):
3675         (JSC::BytecodeGenerator::emitNewFunction):
3676         (JSC::BytecodeGenerator::emitLazyNewFunction):
3677         (JSC::BytecodeGenerator::emitNewFunctionInternal):
3678         * bytecompiler/BytecodeGenerator.h:
3679         (JSC::Local::Local):
3680         (JSC::Local::isCaptured):
3681         (JSC::Local::captureMode):
3682         (JSC::BytecodeGenerator::captureMode):
3683         (JSC::BytecodeGenerator::emitNode):
3684         (JSC::BytecodeGenerator::pushOptimisedForIn):
3685         * bytecompiler/NodesCodegen.cpp:
3686         (JSC::PostfixNode::emitResolve):
3687         (JSC::PrefixNode::emitResolve):
3688         (JSC::ReadModifyResolveNode::emitBytecode):
3689         (JSC::AssignResolveNode::emitBytecode):
3690         (JSC::ConstDeclNode::emitCodeSingle):
3691         (JSC::ForInNode::emitBytecode):
3692         * dfg/DFGByteCodeParser.cpp:
3693         (JSC::DFG::ByteCodeParser::parseBlock):
3694         * dfg/DFGCapabilities.cpp:
3695         (JSC::DFG::capabilityLevel):
3696         * jit/JIT.cpp:
3697         (JSC::JIT::privateCompileMainPass):
3698         * llint/LowLevelInterpreter32_64.asm:
3699         * llint/LowLevelInterpreter64.asm:
3700         * runtime/SymbolTable.h:
3701         (JSC::SymbolTable::isCaptured):
3702
3703 2013-12-02  Filip Pizlo  <fpizlo@apple.com>
3704
3705         Instead of watchpointing activation allocation, we should watchpoint entry into functions that have captured variables
3706         https://bugs.webkit.org/show_bug.cgi?id=125052
3707
3708         Reviewed by Mark Hahnenberg.
3709         
3710         This makes us watch function entry rather than activation creation. We only incur the
3711         costs of doing so for functions that have captured variables, and only on the first two
3712         entries into the function. This means that closure variable constant inference will
3713         naturally work even for local uses of the captured variable, like:
3714         
3715             (function(){
3716                 var blah = 42;
3717                 ... // stuff
3718                 function () { ... blah /* we can fold this to 42 */ }
3719                 ... blah // we can also fold this to 42.
3720             })();
3721         
3722         Previously, only the nested use would have been foldable.
3723
3724         * bytecode/BytecodeLivenessAnalysis.cpp:
3725         (JSC::computeUsesForBytecodeOffset):
3726         (JSC::computeDefsForBytecodeOffset):
3727         * bytecode/CodeBlock.cpp:
3728         (JSC::CodeBlock::dumpBytecode):
3729         * bytecode/Opcode.h:
3730         (JSC::padOpcodeName):
3731         * bytecode/Watchpoint.h:
3732         (JSC::WatchpointSet::touch):
3733         (JSC::InlineWatchpointSet::touch):
3734         * bytecompiler/BytecodeGenerator.cpp:
3735         (JSC::BytecodeGenerator::BytecodeGenerator):
3736         * dfg/DFGAbstractInterpreterInlines.h:
3737         (JSC::DFG::::executeEffects):
3738         * dfg/DFGByteCodeParser.cpp:
3739         (JSC::DFG::ByteCodeParser::parseBlock):
3740         * dfg/DFGCapabilities.cpp:
3741         (JSC::DFG::capabilityLevel):
3742         * dfg/DFGClobberize.h:
3743         (JSC::DFG::clobberize):
3744         * dfg/DFGFixupPhase.cpp:
3745         (JSC::DFG::FixupPhase::fixupNode):
3746         * dfg/DFGNode.h:
3747         (JSC::DFG::Node::hasSymbolTable):
3748         * dfg/DFGNodeType.h:
3749         * dfg/DFGPredictionPropagationPhase.cpp:
3750         (JSC::DFG::PredictionPropagationPhase::propagate):
3751         * dfg/DFGSafeToExecute.h:
3752         (JSC::DFG::safeToExecute):
3753         * dfg/DFGSpeculativeJIT32_64.cpp:
3754         (JSC::DFG::SpeculativeJIT::compile):
3755         * dfg/DFGSpeculativeJIT64.cpp:
3756         (JSC::DFG::SpeculativeJIT::compile):
3757         * dfg/DFGWatchpointCollectionPhase.cpp:
3758         (JSC::DFG::WatchpointCollectionPhase::handle):
3759         * ftl/FTLCapabilities.cpp:
3760         (JSC::FTL::canCompile):
3761         * ftl/FTLLowerDFGToLLVM.cpp:
3762         (JSC::FTL::LowerDFGToLLVM::compileNode):
3763         * jit/JIT.cpp:
3764         (JSC::JIT::privateCompileMainPass):
3765         * jit/JIT.h:
3766         * jit/JITOpcodes.cpp:
3767         (JSC::JIT::emit_op_touch_entry):
3768         * llint/LowLevelInterpreter.asm:
3769         * runtime/CommonSlowPaths.cpp:
3770         (JSC::SLOW_PATH_DECL):
3771         * runtime/CommonSlowPaths.h:
3772         * runtime/JSActivation.h:
3773         (JSC::JSActivation::create):
3774         * runtime/SymbolTable.cpp:
3775         (JSC::SymbolTable::SymbolTable):
3776         * runtime/SymbolTable.h:
3777
3778 2013-12-02  Nick Diego Yamane  <nick.yamane@openbossa.org>
3779
3780         [JSC] Get rid of some unused parameters in LLIntSlowPaths.cpp macros
3781         https://bugs.webkit.org/show_bug.cgi?id=125075
3782
3783         Reviewed by Michael Saboff.
3784
3785         * llint/LLIntSlowPaths.cpp:
3786         (JSC::LLInt::handleHostCall): added UNUSED_PARAM(pc).
3787         (JSC::LLInt::setUpCall): Doesn't pass 'pc' to LLINT_CALL macros.
3788         (JSC::LLInt::LLINT_SLOW_PATH_DECL): Ditto.
3789
3790 2013-12-02  László Langó  <lango@inf.u-szeged.hu>
3791
3792         Remove stdio.h from JSC files.
3793         https://bugs.webkit.org/show_bug.cgi?id=125066
3794
3795         Reviewed by Michael Saboff.
3796
3797         Remove stdio.h where it does not need to be included.
3798
3799         * bytecode/CodeBlock.cpp:
3800         * bytecode/StructureSet.h:
3801         * profiler/LegacyProfiler.cpp:
3802         * profiler/Profile.cpp:
3803         * profiler/ProfileNode.cpp:
3804         * yarr/YarrInterpreter.cpp:
3805
3806 2013-12-02  László Langó  <lango@inf.u-szeged.hu>
3807
3808         Unused include files when building without JIT.
3809         https://bugs.webkit.org/show_bug.cgi?id=125062
3810
3811         Reviewed by Michael Saboff.
3812
3813         We should organize the includes, and guard JIT methods
3814         in ValueRecovery.
3815
3816         * bytecode/ValueRecovery.cpp: Guard include files.
3817         * bytecode/ValueRecovery.h: Guard JIT methods.
3818
3819 2013-12-02  Balazs Kilvady  <kilvadyb@homejinni.com>
3820
3821         [MIPS] Small stack frame causes regressions.
3822         https://bugs.webkit.org/show_bug.cgi?id=124945
3823
3824         Reviewed by Michael Saboff.
3825
3826         Fix stack space for LLInt on MIPS.
3827
3828         * llint/LowLevelInterpreter32_64.asm:
3829
3830 2013-12-02  Brian J. Burg  <burg@cs.washington.edu>
3831
3832         jsc: implement a native readFile function
3833         https://bugs.webkit.org/show_bug.cgi?id=125059
3834
3835         Reviewed by Filip Pizlo.
3836
3837         This adds a native readFile() function to jsc, used to slurp
3838         an entire file into a JavaScript string.
3839
3840         * jsc.cpp:
3841         (GlobalObject::finishCreation): Add readFile() to globals.
3842         (functionReadFile): Added.
3843
3844 2013-12-02  László Langó  <lango@inf.u-szeged.hu>
3845
3846         JSC does not build if OPCODE_STATS is enabled.
3847         https://bugs.webkit.org/show_bug.cgi?id=125011
3848
3849         Reviewed by Filip Pizlo.
3850
3851         * bytecode/Opcode.cpp:
3852
3853 2013-11-29  Filip Pizlo  <fpizlo@apple.com>
3854
3855         Finally remove those DFG_ENABLE things
3856         https://bugs.webkit.org/show_bug.cgi?id=125025
3857
3858         Rubber stamped by Sam Weinig.
3859         
3860         This removes a bunch of unused and untested insanity.
3861
3862         * bytecode/CodeBlock.cpp:
3863         (JSC::CodeBlock::tallyFrequentExitSites):
3864         * dfg/DFGArgumentsSimplificationPhase.cpp:
3865         (JSC::DFG::ArgumentsSimplificationPhase::run):
3866         * dfg/DFGByteCodeParser.cpp:
3867         (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
3868         (JSC::DFG::ByteCodeParser::getArrayModeConsideringSlowPath):
3869         (JSC::DFG::ByteCodeParser::makeSafe):
3870         (JSC::DFG::ByteCodeParser::makeDivSafe):
3871         (JSC::DFG::ByteCodeParser::handleCall):
3872         (JSC::DFG::ByteCodeParser::handleInlining):
3873         (JSC::DFG::ByteCodeParser::parseBlock):
3874         (JSC::DFG::ByteCodeParser::linkBlock):
3875         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3876         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3877         (JSC::DFG::ByteCodeParser::parse):
3878         (JSC::DFG::parse):
3879         * dfg/DFGCFGSimplificationPhase.cpp:
3880         (JSC::DFG::CFGSimplificationPhase::run):
3881         (JSC::DFG::CFGSimplificationPhase::convertToJump):
3882         (JSC::DFG::CFGSimplificationPhase::fixJettisonedPredecessors):
3883         * dfg/DFGCSEPhase.cpp:
3884         (JSC::DFG::CSEPhase::endIndexForPureCSE):
3885         (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
3886         (JSC::DFG::CSEPhase::setReplacement):
3887         (JSC::DFG::CSEPhase::eliminate):
3888         (JSC::DFG::CSEPhase::performNodeCSE):
3889         * dfg/DFGCommon.h:
3890         (JSC::DFG::verboseCompilationEnabled):
3891         (JSC::DFG::logCompilationChanges):
3892         (JSC::DFG::shouldDumpGraphAtEachPhase):
3893         * dfg/DFGConstantFoldingPhase.cpp:
3894         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3895         * dfg/DFGFixupPhase.cpp:
3896         (JSC::DFG::FixupPhase::fixupNode):
3897         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
3898         * dfg/DFGInPlaceAbstractState.cpp:
3899         (JSC::DFG::InPlaceAbstractState::initialize):
3900         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
3901         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
3902         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
3903         * dfg/DFGJITCompiler.cpp:
3904         (JSC::DFG::JITCompiler::compileBody):
3905         (JSC::DFG::JITCompiler::link):
3906         * dfg/DFGOSRExitCompiler.cpp:
3907         * dfg/DFGOSRExitCompiler32_64.cpp:
3908         (JSC::DFG::OSRExitCompiler::compileExit):
3909         * dfg/DFGOSRExitCompiler64.cpp:
3910         (JSC::DFG::OSRExitCompiler::compileExit):
3911         * dfg/DFGOSRExitCompilerCommon.cpp:
3912         (JSC::DFG::adjustAndJumpToTarget):
3913         * dfg/DFGPredictionInjectionPhase.cpp:
3914         (JSC::DFG::PredictionInjectionPhase::run):
3915         * dfg/DFGPredictionPropagationPhase.cpp:
3916         (JSC::DFG::PredictionPropagationPhase::run):
3917         (JSC::DFG::PredictionPropagationPhase::propagate):
3918         (JSC::DFG::PredictionPropagationPhase::propagateForward):
3919         (JSC::DFG::PredictionPropagationPhase::propagateBackward):
3920         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
3921         * dfg/DFGScoreBoard.h:
3922         (JSC::DFG::ScoreBoard::use):
3923         * dfg/DFGSlowPathGenerator.h:
3924         (JSC::DFG::SlowPathGenerator::generate):
3925         * dfg/DFGSpeculativeJIT.cpp:
3926         (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
3927         (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
3928         (JSC::DFG::SpeculativeJIT::dump):
3929         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
3930         (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
3931         * dfg/DFGSpeculativeJIT.h:
3932         * dfg/DFGSpeculativeJIT32_64.cpp:
3933         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
3934         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3935         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3936         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3937         (JSC::DFG::SpeculativeJIT::compile):
3938         * dfg/DFGSpeculativeJIT64.cpp:
3939         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
3940         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3941         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3942         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3943         (JSC::DFG::SpeculativeJIT::compile):
3944         * dfg/DFGVariableEventStream.cpp:
3945         (JSC::DFG::VariableEventStream::reconstruct):
3946         * dfg/DFGVariableEventStream.h:
3947         (JSC::DFG::VariableEventStream::appendAndLog):
3948         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
3949         (JSC::DFG::VirtualRegisterAllocationPhase::run):
3950         * jit/JIT.cpp:
3951         (JSC::JIT::privateCompile):
3952
3953 2013-11-29  Filip Pizlo  <fpizlo@apple.com>
3954