144b76790585800666fd72155fa03e3eff386788
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2014-03-25  Filip Pizlo  <fpizlo@apple.com>
2
3         Arguments simplification phase should be fine with marking the arguments local itself as an arguments alias
4         https://bugs.webkit.org/show_bug.cgi?id=130764
5         <rdar://problem/16304788>
6
7         Reviewed by Sam Weinig.
8         
9         Being an arguments alias just means that your OSR exit recovery should attempt arguments
10         creation. This is true of arguments locals. We had special cases that tried to make it not
11         true of arguments locals. The only consequence of those special cases was to cause crashes
12         in case of arguments that are also captured variables (i.e. we have SlowArguments). This
13         change just removes those special cases.
14         
15         This change means that the FTL will now see SetLocals with a FlushedArguments format.
16         Previously you wouldn't see them because previously only non-captured variable would be
17         Previously you wouldn't see them because previously only non-captured variables would be
18         left. Adding handling for FlushedArguments is a benign and simple change since its
19         behavior is identical to FlushedJSValue for that code's purposes.
20
21         * dfg/DFGArgumentsSimplificationPhase.cpp:
22         (JSC::DFG::ArgumentsSimplificationPhase::run):
23         * ftl/FTLLowerDFGToLLVM.cpp:
24         (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
25         * tests/stress/captured-arguments-variable.js: Added.
26         (foo):
27         (noInline):
28
29 2014-03-25  Mark Hahnenberg  <mhahnenberg@apple.com>
30
31         Add HeapInlines
32         https://bugs.webkit.org/show_bug.cgi?id=130759
33
34         Reviewed by Filip Pizlo.
35
36         * GNUmakefile.list.am:
37         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
38         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
39         * JavaScriptCore.xcodeproj/project.pbxproj:
40         * heap/Heap.cpp:
41         (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor):
42         (JSC::MarkedBlockSnapshotFunctor::operator()):
43         * heap/Heap.h: Also reindented while we're here.
44         (JSC::Heap::writeBarrierBuffer):
45         (JSC::Heap::vm):
46         (JSC::Heap::objectSpace):
47         (JSC::Heap::machineThreads):
48         (JSC::Heap::operationInProgress):
49         (JSC::Heap::allocatorForObjectWithoutDestructor):
50         (JSC::Heap::allocatorForObjectWithNormalDestructor):
51         (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor):
52         (JSC::Heap::storageAllocator):
53         (JSC::Heap::notifyIsSafeToCollect):
54         (JSC::Heap::isSafeToCollect):
55         (JSC::Heap::handleSet):
56         (JSC::Heap::handleStack):
57         (JSC::Heap::lastFullGCLength):
58         (JSC::Heap::lastEdenGCLength):
59         (JSC::Heap::increaseLastFullGCLength):
60         (JSC::Heap::sizeBeforeLastEdenCollection):
61         (JSC::Heap::sizeAfterLastEdenCollection):
62         (JSC::Heap::sizeBeforeLastFullCollection):
63         (JSC::Heap::sizeAfterLastFullCollection):
64         (JSC::Heap::jitStubRoutines):
65         (JSC::Heap::isDeferred):
66         (JSC::Heap::structureIDTable):
67         (JSC::Heap::removeCodeBlock):
68         * heap/HeapInlines.h: Added.
69         (JSC::Heap::shouldCollect):
70         (JSC::Heap::isBusy):
71         (JSC::Heap::isCollecting):
72         (JSC::Heap::heap):
73         (JSC::Heap::isLive):
74         (JSC::Heap::isInRememberedSet):
75         (JSC::Heap::isMarked):
76         (JSC::Heap::testAndSetMarked):
77         (JSC::Heap::setMarked):
78         (JSC::Heap::isWriteBarrierEnabled):
79         (JSC::Heap::writeBarrier):
80         (JSC::Heap::reportExtraMemoryCost):
81         (JSC::Heap::forEachProtectedCell):
82         (JSC::Heap::forEachCodeBlock):
83         (JSC::Heap::allocateWithNormalDestructor):
84         (JSC::Heap::allocateWithImmortalStructureDestructor):
85         (JSC::Heap::allocateWithoutDestructor):
86         (JSC::Heap::tryAllocateStorage):
87         (JSC::Heap::tryReallocateStorage):
88         (JSC::Heap::ascribeOwner):
89         (JSC::Heap::blockAllocator):
90         (JSC::Heap::releaseSoon):
91         (JSC::Heap::incrementDeferralDepth):
92         (JSC::Heap::decrementDeferralDepth):
93         (JSC::Heap::collectIfNecessaryOrDefer):
94         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
95         (JSC::Heap::markListSet):
96         * runtime/JSCInlines.h:
97
98 2014-03-25  Filip Pizlo  <fpizlo@apple.com>
99
100         DFG::ByteCodeParser::SetMode should distinguish between setting immediately without a flush and setting immediately with a flush
101         https://bugs.webkit.org/show_bug.cgi?id=130760
102
103         Reviewed by Mark Hahnenberg.
104
105         * dfg/DFGByteCodeParser.cpp:
106         (JSC::DFG::ByteCodeParser::setLocal):
107         (JSC::DFG::ByteCodeParser::setArgument):
108         (JSC::DFG::ByteCodeParser::handleInlining):
109         (JSC::DFG::ByteCodeParser::parseBlock):
110         * tests/stress/assign-argument-in-inlined-call.js: Added.
111         (f1):
112         (getF2Arguments):
113         (f2):
114         (f3):
115         * tests/stress/assign-captured-argument-in-inlined-call.js: Added.
116         (f1):
117         (f2):
118         (f3):
119
120 2014-03-25  Filip Pizlo  <fpizlo@apple.com>
121
122         Fix 32-bit getter call alignment.
123
124         Reviewed by Mark Hahnenberg.
125
126         * jit/Repatch.cpp:
127         (JSC::generateGetByIdStub):
128
129 2014-03-25  Filip Pizlo  <fpizlo@apple.com>
130
131         Repatch should plant calls to getters directly rather than through a C helper
132         https://bugs.webkit.org/show_bug.cgi?id=129589
133
134         Reviewed by Mark Hahnenberg.
135         
136         As the title says. All of the superstructure for this was already in place, so now it
137         was just a matter of actually emitting the call.
138         
139         8x speed-up for getter microbenchmarks. 
140
141         * CMakeLists.txt:
142         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
143         * JavaScriptCore.xcodeproj/project.pbxproj:
144         * bytecode/PolymorphicGetByIdList.h:
145         (JSC::GetByIdAccess::doesCalls):
146         * jit/AccessorCallJITStubRoutine.cpp: Added.
147         (JSC::AccessorCallJITStubRoutine::AccessorCallJITStubRoutine):
148         (JSC::AccessorCallJITStubRoutine::~AccessorCallJITStubRoutine):
149         (JSC::AccessorCallJITStubRoutine::visitWeak):
150         * jit/AccessorCallJITStubRoutine.h: Added.
151         * jit/AssemblyHelpers.h:
152         (JSC::AssemblyHelpers::storeCell):
153         * jit/GCAwareJITStubRoutine.h:
154         * jit/Repatch.cpp:
155         (JSC::generateGetByIdStub):
156         * runtime/GetterSetter.h:
157         (JSC::GetterSetter::offsetOfGetter):
158         (JSC::GetterSetter::offsetOfSetter):
159
160 2014-03-25  Michael Saboff  <msaboff@apple.com>
161
162         Unreviewed, rolling out r166126.
163
164         Rollout r166126 in preparation to roll out prerequisite r166070
165
166         Reverted changeset:
167
168         "toThis() on a JSWorkerGlobalScope should return a JSProxy and
169         not undefined"
170         https://bugs.webkit.org/show_bug.cgi?id=130554
171         http://trac.webkit.org/changeset/166126
172
173 2014-03-25  Oliver Hunt  <oliver@apple.com>
174
175         AST incorrectly conflates readable and writable locations
176         https://bugs.webkit.org/show_bug.cgi?id=130734
177
178         Reviewed by Filip Pizlo.
179
180         We need to distinguish between "locations" that are valid for reading
181         and writing, vs those that may only be written.
182
183         * bytecompiler/NodesCodegen.cpp:
184         (JSC::ForInNode::emitBytecode):
185         (JSC::ForOfNode::emitBytecode):
186         * parser/Nodes.h:
187         (JSC::ExpressionNode::isAssignmentLocation):
188
189 2014-03-24  Oliver Hunt  <oliver@apple.com>
190
191         ASSERTION FAILED in Parser: dst != localReg
192         https://bugs.webkit.org/show_bug.cgi?id=130710
193
194         Reviewed by Filip Pizlo.
195
196         Just make sure we don't try to write to a captured constant,
197         following the change to track captured variables separately.
198
199         * bytecompiler/NodesCodegen.cpp:
200         (JSC::PostfixNode::emitResolve):
201         (JSC::PrefixNode::emitResolve):
202
203 2014-03-25  Martin Robinson  <mrobinson@igalia.com>
204
205         [GTK] Remove the autotools build
206         https://bugs.webkit.org/show_bug.cgi?id=130717
207
208         Reviewed by Anders Carlsson.
209
210         * GNUmakefile.am: Removed.
211         * config.h: Remove references to the autotools configure file.
212
213 2014-03-24  Filip Pizlo  <fpizlo@apple.com>
214
215         More scaffolding for a stub routine to have a stub recursively embedded inside it
216         https://bugs.webkit.org/show_bug.cgi?id=130770
217
218         Reviewed by Oliver Hunt.
219
220         * bytecode/CallLinkInfo.cpp:
221         (JSC::CallLinkInfo::unlink): VM& argument is superfluous.
222         (JSC::CallLinkInfo::visitWeak): Factor this out, it used to be in CodeBlock::finalizeUnconditionally().
223         * bytecode/CallLinkInfo.h:
224         * bytecode/CodeBlock.cpp:
225         (JSC::CodeBlock::finalizeUnconditionally): Factor out some functionality into CallLinkInfo::visitWeak(), and make sure we pass RepatchBuffer& in more places.
226         (JSC::CodeBlock::unlinkCalls):
227         (JSC::CodeBlock::unlinkIncomingCalls):
228         * bytecode/PolymorphicGetByIdList.cpp: Pass RepatchBuffer& through and call JITStubRoutine::visitWeak().
229         (JSC::GetByIdAccess::visitWeak):
230         (JSC::PolymorphicGetByIdList::visitWeak):
231         * bytecode/PolymorphicGetByIdList.h:
232         * bytecode/PolymorphicPutByIdList.cpp: Pass RepatchBuffer& through and call JITStubRoutine::visitWeak().
233         (JSC::PutByIdAccess::visitWeak):
234         (JSC::PolymorphicPutByIdList::visitWeak):
235         * bytecode/PolymorphicPutByIdList.h:
236         * bytecode/StructureStubInfo.cpp: Pass RepatchBuffer& through.
237         (JSC::StructureStubInfo::visitWeakReferences):
238         * bytecode/StructureStubInfo.h:
239         * jit/ClosureCallStubRoutine.cpp: isClosureCall is unused.
240         (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
241         * jit/GCAwareJITStubRoutine.cpp:
242         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
243         (JSC::createJITStubRoutine):
244         * jit/GCAwareJITStubRoutine.h: Make it easier to construct one of these.
245         (JSC::GCAwareJITStubRoutine::isClosureCall): Deleted.
246         * jit/JITStubRoutine.cpp:
247         (JSC::JITStubRoutine::visitWeak): This will allow future JITStubRoutine subclasses to have stubs recursively embedded inside them.
248         * jit/JITStubRoutine.h:
249         * jit/Repatch.cpp:
250         (JSC::generateGetByIdStub): Fix a possible GC bug where we weren't making the stub routine GC aware.
251         (JSC::emitCustomSetterStub): Clean up some code.
252
253 2014-03-24  Geoffrey Garen  <ggaren@apple.com>
254
255         Safari crashes in JavaScriptCore: JSC::JSObject::growOutOfLineStorage
256         when WebKit is compiled with fcatch-undefined-behavior
257         https://bugs.webkit.org/show_bug.cgi?id=130652
258
259         Reviewed by Mark Hahnenberg.
260
261         Use a static member function because the butterfly we pass in might be
262         NULL, and passing NULL to a member function is undefined behavior.
263
264         Stylistically, I think this new way reads a little more clearly, since it
265         matches createOrGrowArrayRight, and it helps to convey that m_butterfly
266         might not exist yet.
267
268         * runtime/Butterfly.h:
269         * runtime/ButterflyInlines.h:
270         (JSC::Butterfly::createOrGrowPropertyStorage): Renamed from growPropertyStorage
271         because we might create. Split out the create path to avoid using NULL
272         in a member function expression.
273
274         Removed some unused versions of this function.
275
276         * runtime/JSObject.cpp:
277         (JSC::JSObject::growOutOfLineStorage): Updated for interface change.
278
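The entry above turns on the rule that a member function must never be invoked through a null pointer, even when its body would only branch on `this`. The following is an added illustration, not WebKit code: `PropertyStorage`, `Object`, `growInPlace`, `createOrGrow` and `growTwice` are hypothetical names standing in for the butterfly storage the entry describes. It shows the non-static shape that forces callers into undefined behaviour when the storage does not exist yet, beside the static shape where "not created yet" is an ordinary argument value.

```cpp
#include <cstddef>
#include <vector>

// Hypothetical stand-in for out-of-line property storage (not JSC's Butterfly).
struct PropertyStorage {
    std::vector<long> slots;

    // Non-static form: the problematic shape. A caller whose storage pointer is
    // still null would have to write `storage->growInPlace(n)`, which is
    // undefined behaviour even if the body checked `this` for null; UBSan-style
    // checking reports the call itself.
    void growInPlace(size_t newSize) { slots.resize(newSize, 0); }

    // Static form: the old storage is a plain argument, so the create path for
    // a null `old` is ordinary, well-defined code.
    static PropertyStorage* createOrGrow(PropertyStorage* old, size_t newSize) {
        if (!old)
            return new PropertyStorage{std::vector<long>(newSize, 0)};
        old->growInPlace(newSize);
        return old;
    }
};

// Hypothetical owner whose storage may not have been created yet.
struct Object {
    PropertyStorage* m_storage = nullptr;
    ~Object() { delete m_storage; }

    // Safe to call whether or not m_storage is still null.
    void growOutOfLineStorage(size_t newSize) {
        m_storage = PropertyStorage::createOrGrow(m_storage, newSize);
    }
    size_t storageSize() const { return m_storage ? m_storage->slots.size() : 0; }
};

// Exercises the create path followed by the grow path. Returns the final
// storage size if the slot written before growing survived, otherwise 0.
size_t growTwice(long marker) {
    Object o;
    o.growOutOfLineStorage(4);    // create path: m_storage was null
    o.m_storage->slots[2] = marker;
    o.growOutOfLineStorage(8);    // grow path: existing contents preserved
    return o.m_storage->slots[2] == marker ? o.storageSize() : 0;
}
```

Building the static version with `-fsanitize=undefined` stays silent on the first call; the equivalent `m_storage->growInPlace(4)` on a null `m_storage` is exactly the report the entry's title refers to.
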
279 2014-03-24  Oliver Hunt  <oliver@apple.com>
280
281         Strict mode destructuring assignment crashes the parser.
282         https://bugs.webkit.org/show_bug.cgi?id=130538
283
284         Reviewed by Michael Saboff.
285
286         The SyntaxChecker mode always returns 1 for success, except
287         for a small subset of functions where we needed exact information.
288         This ends up just being a poor design decision as it means
289         the parser can get confused between a function returning 1, and
290         the Resolve constant which was also 1. So we now use a unique
291         type for every creation method.
292
293         * parser/SyntaxChecker.h:
294         (JSC::SyntaxChecker::createSourceElements):
295         (JSC::SyntaxChecker::createFunctionBody):
296         (JSC::SyntaxChecker::createArguments):
297         (JSC::SyntaxChecker::createSpreadExpression):
298         (JSC::SyntaxChecker::createArgumentsList):
299         (JSC::SyntaxChecker::createPropertyList):
300         (JSC::SyntaxChecker::createElementList):
301         (JSC::SyntaxChecker::createFormalParameterList):
302         (JSC::SyntaxChecker::createClause):
303         (JSC::SyntaxChecker::createClauseList):
304         (JSC::SyntaxChecker::createFuncDeclStatement):
305         (JSC::SyntaxChecker::createBlockStatement):
306         (JSC::SyntaxChecker::createExprStatement):
307         (JSC::SyntaxChecker::createIfStatement):
308         (JSC::SyntaxChecker::createForLoop):
309         (JSC::SyntaxChecker::createForInLoop):
310         (JSC::SyntaxChecker::createForOfLoop):
311         (JSC::SyntaxChecker::createEmptyStatement):
312         (JSC::SyntaxChecker::createVarStatement):
313         (JSC::SyntaxChecker::createReturnStatement):
314         (JSC::SyntaxChecker::createBreakStatement):
315         (JSC::SyntaxChecker::createContinueStatement):
316         (JSC::SyntaxChecker::createTryStatement):
317         (JSC::SyntaxChecker::createSwitchStatement):
318         (JSC::SyntaxChecker::createWhileStatement):
319         (JSC::SyntaxChecker::createWithStatement):
320         (JSC::SyntaxChecker::createDoWhileStatement):
321         (JSC::SyntaxChecker::createLabelStatement):
322         (JSC::SyntaxChecker::createThrowStatement):
323         (JSC::SyntaxChecker::createDebugger):
324         (JSC::SyntaxChecker::createConstStatement):
325         (JSC::SyntaxChecker::appendConstDecl):
326         (JSC::SyntaxChecker::combineCommaNodes):
327         (JSC::SyntaxChecker::operatorStackPop):
328
329 2014-03-24  Brent Fulgham  <bfulgham@apple.com>
330
331         Activate WebVTT Tests Once Merging is Complete
332         https://bugs.webkit.org/show_bug.cgi?id=130420
333
334         Reviewed by Eric Carlson.
335
336         * Configurations/FeatureDefines.xcconfig: Turn on ENABLE(WEBVTT_REGIONS)
337
338 2014-03-24  Andreas Kling  <akling@apple.com>
339
340         Stop pulling in all the macro assemblers from VM.h
341         <https://webkit.org/b/130691>
342
343         Remove #include of "GPRInfo.h". This breaks WebCore's dependency
344         on macro assemblers headers and removes 8 includes from every
345         .cpp file in the JS bindings.
346
347         Reviewed by Geoff Garen.
348
349         * runtime/VM.h:
350
351 2014-03-24  Gavin Barraclough  <barraclough@apple.com>
352
353         Add support for thread QoS
354         https://bugs.webkit.org/show_bug.cgi?id=130688
355
356         Reviewed by Andreas Kling.
357
358         * heap/BlockAllocator.cpp:
359         (JSC::BlockAllocator::blockFreeingThreadStartFunc):
360             - block freeing is a utility activity.
361
362 2014-03-24  Filip Pizlo  <fpizlo@apple.com>
363
364         Unreviewed, fix CLOOP build.
365
366         * bytecode/CallLinkStatus.cpp:
367         (JSC::CallLinkStatus::computeFor):
368         * bytecode/CodeBlock.cpp:
369         (JSC::CodeBlock::printCallOp):
370         (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
371         (JSC::CodeBlock::resetStubDuringGCInternal): Deleted.
372         * bytecode/CodeBlock.h:
373         (JSC::CodeBlock::callLinkInfosEnd): Deleted.
374
375 2014-03-24  Gabor Rapcsanyi  <rgabor@webkit.org>
376
377         [ARM64] GNU assembler doesn't work with LLInt arm64 backend.
378         https://bugs.webkit.org/show_bug.cgi?id=130453
379         
380         Reviewed by Filip Pizlo.
381
382         Change fp and lr to x29 and x30. Add both operand kinds to emitARM64()
383         at sxtw and uxtw instructions.
384
385         * offlineasm/arm64.rb:
386
387 2014-03-23  Hyowon Kim  <hw1008.kim@samsung.com>
388
389         Move all EFL typedefs into EflTypedefs.h.
390         https://bugs.webkit.org/show_bug.cgi?id=130511
391
392         Reviewed by Gyuyoung Kim.
393
394         * heap/HeapTimer.h: Remove EFL typedefs.
395
396 2014-03-23  Filip Pizlo  <fpizlo@apple.com>
397
398         Gotta grow the locals vectors if we are about to do SetLocals beyond the bytecode's numCalleeRegisters
399         https://bugs.webkit.org/show_bug.cgi?id=130650
400         <rdar://problem/16122966>
401
402         Reviewed by Michael Saboff.
403         
404         Previously, it was only in the case of inlining that we would do SetLocal's beyond the
405         previously established numLocals limit. But then we added generalized op_call_varargs
406         handling, which results in us emitting SetLocals that didn't previously exist in the
407         bytecode.
408         
409         This factors out the inliner's ensureLocals loop and calls it from op_call_varargs.
410
411         * dfg/DFGByteCodeParser.cpp:
412         (JSC::DFG::ByteCodeParser::ensureLocals):
413         (JSC::DFG::ByteCodeParser::handleInlining):
414         (JSC::DFG::ByteCodeParser::parseBlock):
415         (JSC::DFG::ByteCodeParser::parse):
416         * ftl/FTLOSRExitCompiler.cpp:
417         (JSC::FTL::compileStub): Make this do alignment correctly.
418         * runtime/Options.h:
419         * tests/stress/call-varargs-from-inlined-code.js: Added.
420         * tests/stress/call-varargs-from-inlined-code-with-odd-number-of-arguments.js: Added.
421
422 2014-03-22  Filip Pizlo  <fpizlo@apple.com>
423
424         Unreviewed, adjust sizes for ARM64.
425
426         * ftl/FTLInlineCacheSize.cpp:
427         (JSC::FTL::sizeOfCall):
428
429 2014-03-22  Filip Pizlo  <fpizlo@apple.com>
430
431         Protect the silent spiller/filler's desire to fill Int32Constants by making sure that we don't mark something as having an Int32 register format if it's a non-Int32 constant
432         https://bugs.webkit.org/show_bug.cgi?id=130649
433         <rdar://problem/16399949>
434
435         Reviewed by Andreas Kling.
436
437         * dfg/DFGSpeculativeJIT32_64.cpp:
438         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
439         * dfg/DFGSpeculativeJIT64.cpp:
440         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
441         * tests/stress/fuzz-bug-16399949.js: Added.
442         (tryItOut.f):
443         (tryItOut):
444
445 2014-03-22  Filip Pizlo  <fpizlo@apple.com>
446
447         Call linking slow paths should be passed a CallLinkInfo* directly so that you can create a call IC without adding it to any CodeBlocks
448         https://bugs.webkit.org/show_bug.cgi?id=130644
449
450         Reviewed by Andreas Kling.
451         
452         This is conceptually a really simple change but it involves the following:
453         
454         - The inline part of the call IC stuffs a pointer to the CallLinkInfo into regT2.
455         
456         - CodeBlock uses a Bag of CallLinkInfos instead of a Vector.
457         
458         - Remove the significance of a CallLinkInfo's index. This means that DFG::JITCode no
459           longer has a vector of slow path counts that shadows the CallLinkInfo vector.
460         
461         - Make CallLinkInfo have its own slowPathCount, which counts actual slow path executions
462           and not all relinking.
463         
464         This makes planting JS->JS calls inside other inline caches or stubs a lot easier, since
465         the CallLinkInfo and the call IC slow paths no longer rely on the call being associated
466         with an op_call/op_construct instruction and a machine code return PC within such an
467         instruction.
468
469         * bytecode/CallLinkInfo.h:
470         (JSC::getCallLinkInfoCodeOrigin):
471         * bytecode/CallLinkStatus.cpp:
472         (JSC::CallLinkStatus::computeFor):
473         (JSC::CallLinkStatus::computeDFGStatuses):
474         * bytecode/CallLinkStatus.h:
475         * bytecode/CodeBlock.cpp:
476         (JSC::CodeBlock::printCallOp):
477         (JSC::CodeBlock::dumpBytecode):
478         (JSC::CodeBlock::finalizeUnconditionally):
479         (JSC::CodeBlock::getCallLinkInfoMap):
480         (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
481         (JSC::CodeBlock::addCallLinkInfo):
482         (JSC::CodeBlock::unlinkCalls):
483         * bytecode/CodeBlock.h:
484         (JSC::CodeBlock::stubInfoBegin):
485         (JSC::CodeBlock::stubInfoEnd):
486         (JSC::CodeBlock::callLinkInfosBegin):
487         (JSC::CodeBlock::callLinkInfosEnd):
488         (JSC::CodeBlock::byValInfo):
489         * dfg/DFGByteCodeParser.cpp:
490         (JSC::DFG::ByteCodeParser::handleCall):
491         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
492         * dfg/DFGJITCode.h:
493         * dfg/DFGJITCompiler.cpp:
494         (JSC::DFG::JITCompiler::link):
495         * dfg/DFGJITCompiler.h:
496         (JSC::DFG::JITCompiler::addJSCall):
497         (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
498         * dfg/DFGOSRExitCompilerCommon.cpp:
499         (JSC::DFG::reifyInlinedCallFrames):
500         * dfg/DFGSpeculativeJIT.cpp:
501         (JSC::DFG::SpeculativeJIT::compile):
502         * dfg/DFGSpeculativeJIT.h:
503         * dfg/DFGSpeculativeJIT32_64.cpp:
504         (JSC::DFG::SpeculativeJIT::emitCall):
505         * dfg/DFGSpeculativeJIT64.cpp:
506         (JSC::DFG::SpeculativeJIT::emitCall):
507         * ftl/FTLCompile.cpp:
508         (JSC::FTL::fixFunctionBasedOnStackMaps):
509         * ftl/FTLInlineCacheSize.cpp:
510         (JSC::FTL::sizeOfCall):
511         * ftl/FTLJSCall.cpp:
512         (JSC::FTL::JSCall::JSCall):
513         (JSC::FTL::JSCall::emit):
514         (JSC::FTL::JSCall::link):
515         * ftl/FTLJSCall.h:
516         * jit/JIT.cpp:
517         (JSC::JIT::privateCompileMainPass):
518         (JSC::JIT::privateCompileSlowCases):
519         (JSC::JIT::privateCompile):
520         * jit/JIT.h:
521         * jit/JITCall.cpp:
522         (JSC::JIT::compileOpCall):
523         (JSC::JIT::compileOpCallSlowCase):
524         * jit/JITCall32_64.cpp:
525         (JSC::JIT::compileOpCall):
526         (JSC::JIT::compileOpCallSlowCase):
527         * jit/JITOperations.cpp:
528         * jit/JITOperations.h:
529         (JSC::operationLinkFor):
530         (JSC::operationVirtualFor):
531         (JSC::operationLinkClosureCallFor):
532         * jit/Repatch.cpp:
533         (JSC::linkClosureCall):
534         * jit/ThunkGenerators.cpp:
535         (JSC::slowPathFor):
536         (JSC::virtualForThunkGenerator):
537         * tests/stress/eval-that-is-not-eval.js: Added.
538
539 2014-03-22  Filip Pizlo  <fpizlo@apple.com>
540
541         Unreviewed, fix misspelled test name.
542
543         * tests/stress/constand-folding-osr-exit.js: Removed.
544         * tests/stress/constant-folding-osr-exit.js: Copied from Source/JavaScriptCore/tests/stress/constand-folding-osr-exit.js.
545
546 2014-03-22  Andreas Kling  <akling@apple.com>
547
548         CREATE_DOM_WRAPPER doesn't need the ExecState.
549         <https://webkit.org/b/130648>
550
551         Add a fast path from JSGlobalObject to the VM so we don't have
552         to dance via the Heap.
553
554         Reviewed by Darin Adler.
555
556         * runtime/JSGlobalObject.cpp:
557         (JSC::JSGlobalObject::JSGlobalObject):
558         * runtime/JSGlobalObject.h:
559         (JSC::JSGlobalObject::vm):
560
561 2014-03-22  Filip Pizlo  <fpizlo@apple.com>
562
563         Unreviewed, fix FTL build.
564
565         * ftl/FTLJITFinalizer.cpp:
566
567 2014-03-22  Michael Saboff  <msaboff@apple.com>
568
569         toThis() on a JSWorkerGlobalScope should return a JSProxy and not undefined
570         https://bugs.webkit.org/show_bug.cgi?id=130554
571
572         Reviewed by Geoffrey Garen.
573
574         Fixed toThis() on WorkerGlobalScope to return a JSProxy instead of the JSGlobalObject.
575         Did some cleanup as well.  Moved the setting of the thisObject in a JSGlobalObject to
576         happen in finishCreation() so that it will also happen for other derived classes including
577         JSWorkerGlobalScopeBase.
578
579         * API/JSContextRef.cpp:
580         (JSGlobalContextCreateInGroup):
581         * jsc.cpp:
582         (GlobalObject::create):
583         * API/tests/testapi.c:
584         (globalObject_initialize): Eliminated ASSERT that the global object we are creating matches
585         the result from JSContextGetGlobalObject() as that will return the proxy.       
586         * runtime/JSGlobalObject.cpp:
587         (JSC::JSGlobalObject::init): Removed thisValue parameter and the call to setGlobalThis() since
588         we now call setGlobalThis in finishCreation().
589         * runtime/JSGlobalObject.h:
590         (JSC::JSGlobalObject::finishCreation):
591         (JSC::JSGlobalObject::setGlobalThis): Made this a private method.
592
593 2014-03-22  Andreas Kling  <akling@apple.com>
594
595         Fix debug build.
596
597         * bytecode/CodeBlock.cpp:
598         * runtime/Executable.cpp:
599
600 2014-03-22  Andreas Kling  <akling@apple.com>
601
602         Cut down on JSC profiler includes in WebCore & co.
603         <https://webkit.org/b/130637>
604
605         Most of WebKit was pulling in JSC's profiler headers via VM.h.
606
607         Reviewed by Darin Adler.
608
609         * dfg/DFGDisassembler.cpp:
610         * dfg/DFGDisassembler.h:
611         * dfg/DFGJITFinalizer.cpp:
612         * jsc.cpp:
613         * runtime/VM.cpp:
614         * runtime/VM.h:
615
616 2014-03-22  Landry Breuil <landry@openbsd.org>
617
618         Use pthread_stackseg_np() to find the stack bounds on OpenBSD.
619         https://bugs.webkit.org/show_bug.cgi?id=129965
620
621         Reviewed by Anders Carlsson.
622
623 2014-03-21  Mark Lam  <mark.lam@apple.com>
624
625         Crash when BytecodeGenerator::emitJump calls Label::bind on null pointer.
626         <https://webkit.org/b/124508>
627
628         Reviewed by Oliver Hunt.
629
630         The issue is that BreakNode::emitBytecode() is holding onto a LabelScope
631         pointer from the BytecodeGenerator's m_localScopes vector, and then it
632         calls emitPopScopes().  emitPopScopes() may do finally clause handling
633         which will require the m_localScopes to be cloned so that it can change
634         the local scopes for the finally block, and then restore it after
635         handling the finally clause.  These modifications of the m_localScopes
636         vector will result in the LabelScope pointer in BreakNode::emitBytecode()
637         becoming stale, thereby causing the crash.
638
639         The same issue applies to the ContinueNode as well.
640
641         The fix is to use the existing LabelScopePtr abstraction instead of raw
642         LabelScope pointers.  The LabelScopePtr is resilient to the underlying
643         vector re-allocating its backing store.
644
645         I also changed the LabelScopePtr constructor that takes a LabelScopeStore
646         to expect a reference to the owner store instead of a pointer because the
647         owner store should never be a null pointer.
648
649         * bytecompiler/BytecodeGenerator.cpp:
650         (JSC::BytecodeGenerator::newLabelScope):
651         (JSC::BytecodeGenerator::breakTarget):
652         (JSC::BytecodeGenerator::continueTarget):
653         * bytecompiler/BytecodeGenerator.h:
654         * bytecompiler/LabelScope.h:
655         (JSC::LabelScopePtr::LabelScopePtr):
656         (JSC::LabelScopePtr::operator bool):
657         (JSC::LabelScopePtr::null):
658         * bytecompiler/NodesCodegen.cpp:
659         (JSC::ContinueNode::trivialTarget):
660         (JSC::ContinueNode::emitBytecode):
661         (JSC::BreakNode::trivialTarget):
662         (JSC::BreakNode::emitBytecode):
663
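The crash in the entry above is the classic stale-pointer-into-a-vector bug: a raw pointer to an element is kept across an operation that appends to the vector, the backing store is reallocated, and the pointer now refers to freed memory. The entry's fix is an index-based handle that re-resolves through the owning store on every access and takes that store by reference. The following is an added illustration, not WebKit code: `LabelScope`, `LabelScopeStore`, `LabelScopePtr`, `Outcome` and `holdAcrossGrowth` are hypothetical names modelled on the entry's description, and the growth loop stands in for the cloning that `emitPopScopes()` performed.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

struct LabelScope {
    std::string name;
    int depth;
};

// Hypothetical store that owns scopes in a growable vector.
struct LabelScopeStore {
    std::vector<LabelScope> scopes;
    size_t push(const std::string& name, int depth) {
        scopes.push_back({name, depth});
        return scopes.size() - 1;
    }
};

// Index-based handle: re-resolves through the store on each access, so it
// stays valid when the vector reallocates. The constructor takes a reference
// because the owning store is never null.
class LabelScopePtr {
public:
    LabelScopePtr(LabelScopeStore& store, size_t index) : m_store(&store), m_index(index) {}
    LabelScope& operator*() const { return m_store->scopes[m_index]; }
    LabelScope* operator->() const { return &m_store->scopes[m_index]; }
private:
    LabelScopeStore* m_store;
    size_t m_index;
};

struct Outcome {
    bool handleValid;   // the index handle still sees the original element
    bool bufferMoved;   // the vector's backing store was reallocated
};

// Holds a scope, then grows the store (as emitPopScopes() did while handling
// finally clauses), and reports what each pattern observes afterwards.
Outcome holdAcrossGrowth(size_t growBy) {
    LabelScopeStore store;
    store.scopes.reserve(1);                     // make the first append reallocate
    size_t idx = store.push("outer", 1);

    LabelScope* raw = &store.scopes[idx];        // the dangerous pattern (never dereferenced below)
    LabelScopePtr handle(store, idx);            // the resilient pattern

    // Record the buffer address as an integer before growth; comparing the
    // pointer itself after the buffer is freed would be questionable.
    std::uintptr_t before = reinterpret_cast<std::uintptr_t>(store.scopes.data());
    for (size_t i = 0; i < growBy; ++i)
        store.push("inner", 2);
    std::uintptr_t after = reinterpret_cast<std::uintptr_t>(store.scopes.data());

    (void)raw; // after reallocation `raw` points into freed memory: a use-after-free if touched
    bool valid = handle->name == "outer" && handle->depth == 1;
    return { valid, before != after };
}
```

Under AddressSanitizer the raw-pointer variant is reported as a heap-use-after-free at the first dereference following growth; the handle variant is clean because it never caches an element address.
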
664 2014-03-21  Mark Hahnenberg  <mhahnenberg@apple.com>
665
666         6% SunSpider commandline regression due to r165940
667         https://bugs.webkit.org/show_bug.cgi?id=130617
668
669         Reviewed by Michael Saboff.
670
671         In GCActivityCallback::didAllocate, lastGCLength() returns 0 if we've never collected 
672         before. Some of the benchmarks are never running a single EdenCollection, which causes 
673         them to repeatedly call scheduleTimer with a newDelay of 0. This defeats our timer 
674         slop heuristic, causing us to invoke CFRunLoopTimerSetNextFireDate a couple orders of 
675         magnitude more than we normally would.
676
677         The fix is to seed the last GC lengths in Heap with a non-zero length so that our heuristic works.
678
679         * heap/Heap.cpp:
680         (JSC::Heap::Heap):
681
682 2014-03-21  Filip Pizlo  <fpizlo@apple.com>
683
684         Constants folded by DFG::ByteCodeParser should not be dead.
685         https://bugs.webkit.org/show_bug.cgi?id=130576
686
687         Reviewed by Mark Hahnenberg.
688         
689         This fixes bugs in the ByteCodeParser's constant folder by removing that constant folder. This
690         reduces the number of folders in JSC from fourish to just threeish (parser, DFG AI, and one
691         or more folders in LLVM). Doing so has no performance impact since the other constant folders
692         already subsume this one.
693         
694         Also added a test case for the specific bug that instigated this.
695
696         * dfg/DFGByteCodeParser.cpp:
697         (JSC::DFG::ByteCodeParser::getJSConstantForValue):
698         (JSC::DFG::ByteCodeParser::getJSConstant):
699         (JSC::DFG::ByteCodeParser::inferredConstant):
700         (JSC::DFG::ByteCodeParser::handleIntrinsic):
701         (JSC::DFG::ByteCodeParser::parseBlock):
702         * dfg/DFGNode.h:
703         * dfg/DFGNodeFlags.h:
704         * tests/stress/constand-folding-osr-exit.js: Added.
705         (foo):
706         (test):
707         (.var):
708
709 2014-03-21  Mark Lam  <mark.lam@apple.com>
710
711         StackLayoutPhase should find the union'ed calleeVariable before accessing its machineLocal.
712         <https://webkit.org/b/130566>
713
714         Reviewed by Filip Pizlo.
715
716         * dfg/DFGStackLayoutPhase.cpp:
717         (JSC::DFG::StackLayoutPhase::run):
718
719 2014-03-20  Filip Pizlo  <fpizlo@apple.com>
720
721         FTL should correctly compile GetByVal on Uint32Array that claims to return non-int32 values
722         https://bugs.webkit.org/show_bug.cgi?id=130562
723         <rdar://problem/16382842>
724
725         Reviewed by Geoffrey Garen.
726
727         * ftl/FTLLowerDFGToLLVM.cpp:
728         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
729         * tests/stress/uint32array-unsigned-load.js: Added.
730         (foo):
731
732 2014-03-20  Brian Burg  <bburg@apple.com>
733
734         Web Inspector: add frontend controller and models for replay sessions
735         https://bugs.webkit.org/show_bug.cgi?id=130145
736
737         Reviewed by Joseph Pecoraro.
738
739         * inspector/scripts/CodeGeneratorInspector.py: Add the conditional Replay domain.
740
741 2014-03-20  Filip Pizlo  <fpizlo@apple.com>
742
743         FTL ValueToInt32 mishandles the constant case, and by the way, there is a constant case that the FTL sees
744         https://bugs.webkit.org/show_bug.cgi?id=130546
745         <rdar://problem/16383308>
746
747         Reviewed by Mark Hahnenberg.
748         
749         Make AI do a better job of folding this.
750         
751         Also made the FTL backend be more tolerant of data representations. In this case it
752         didn't know that "constant" was a valid representation. There is a finite set of
753         possible representations, but broadly, we don't write code that presumes anything
754         about the representation of an input; that's what methods like lowJSValue() are for.
755         ValueToInt32 was previously not relying on those methods at all because it had some
756         hacks. Now, those hacks are just a fast-path optimization but ultimately we fall down
757         to lowJSValue().
758
759         * dfg/DFGAbstractInterpreterInlines.h:
760         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
761         * ftl/FTLLowerDFGToLLVM.cpp:
762         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
763         (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
764         * tests/stress/value-to-int32-undefined-constant.js: Added.
765         (foo):
766         * tests/stress/value-to-int32-undefined.js: Added.
767         (foo):
768
769 2014-03-20  Mark Hahnenberg  <mhahnenberg@apple.com>
770
771         Add some assertions back
772         https://bugs.webkit.org/show_bug.cgi?id=130531
773
774         Reviewed by Geoffrey Garen.
775
776         We removed a useful set of assertions for verifying that MarkedBlocks were 
777         in the state that we expected them to be in after clearing marks in the Heap. 
778         We should add these back to catch bugs earlier.
779
780         * heap/MarkedBlock.h:
781         * heap/MarkedSpace.cpp:
782         (JSC::VerifyMarkedOrRetired::operator()):
783         (JSC::MarkedSpace::clearMarks):
784
785 2014-03-20  Filip Pizlo  <fpizlo@apple.com>
786
787         Implement stackmap header version check and support new stackmap formats
788         https://bugs.webkit.org/show_bug.cgi?id=130535
789         <rdar://problem/16164284>
790
791         Reviewed by Geoffrey Garen.
792         
793         Add the notion of versioning so that LLVMers can happily implement new stackmap formats
794         without worrying about WebKit getting version-locked to LLVM. In the future, we will have
795         to implement parsing for a new LLVM stackmap format before it lands in LLVM, or we'll have
796         to have a "max usable LLVM revision" limit. But, thanks to versioning, we'll always be
797         happy to move backward in time to older versions of LLVM.
798
799         * ftl/FTLStackMaps.cpp:
800         (JSC::FTL::readObject):
801         (JSC::FTL::StackMaps::Constant::parse):
802         (JSC::FTL::StackMaps::StackSize::parse):
803         (JSC::FTL::StackMaps::Location::parse):
804         (JSC::FTL::StackMaps::Record::parse):
805         (JSC::FTL::StackMaps::parse):
806         (JSC::FTL::StackMaps::dump):
807         (JSC::FTL::StackMaps::dumpMultiline):
808         * ftl/FTLStackMaps.h:
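        An added example of the header version gate this entry describes, written in Python rather than taken from WebKit's FTLStackMaps.cpp; it assumes the LLVM stackmap version 1 layout (4-byte header, then function stack sizes, large constants and records with locations and live-outs) as LLVM documented it at the time, and every sample value below is constructed.

```python
# Added example, not WebKit code: parse an LLVM stackmap section and refuse
# versions we do not understand rather than silently misreading a newer layout.
# Layout assumed here is LLVM stackmap format version 1 (current in early 2014).
import struct

SUPPORTED_VERSIONS = {1}

# Location kinds as listed in the LLVM stackmap documentation (assumed).
LOCATION_KINDS = {1: "Register", 2: "Direct", 3: "Indirect",
                  4: "Constant", 5: "ConstantIndex"}


class StackMapError(ValueError):
    """Raised for unsupported versions, bad fields or truncated input."""


class Reader:
    """Little-endian cursor over a bytes object with bounds checking."""

    def __init__(self, data):
        self.data = data
        self.pos = 0

    def read(self, fmt):
        size = struct.calcsize("<" + fmt)
        if self.pos + size > len(self.data):
            raise StackMapError("truncated stackmap at offset %d" % self.pos)
        values = struct.unpack_from("<" + fmt, self.data, self.pos)
        self.pos += size
        return values if len(values) > 1 else values[0]

    def align(self, n):
        self.pos = (self.pos + n - 1) // n * n


def parse_stackmaps(data):
    r = Reader(data)
    version, reserved8, reserved16 = r.read("BBH")
    # The point of the header: check the version before trusting the layout.
    if version not in SUPPORTED_VERSIONS:
        raise StackMapError("unsupported stackmap version %d" % version)
    if reserved8 or reserved16:
        raise StackMapError("non-zero reserved header fields")
    num_functions, num_constants, num_records = r.read("III")
    functions = [dict(zip(("address", "stack_size"), r.read("QQ")))
                 for _ in range(num_functions)]
    constants = [r.read("Q") for _ in range(num_constants)]
    records = []
    for _ in range(num_records):
        patchpoint_id, instruction_offset, _flags, num_locations = r.read("QIHH")
        locations = []
        for _ in range(num_locations):
            kind, _lflags, dwarf_reg, offset = r.read("BBHi")
            if kind not in LOCATION_KINDS:
                raise StackMapError("unknown location kind %d" % kind)
            locations.append({"kind": LOCATION_KINDS[kind],
                              "dwarf_reg": dwarf_reg, "offset": offset})
        _pad, num_live_outs = r.read("HH")
        live_outs = []
        for _ in range(num_live_outs):
            dwarf_reg, _res, size = r.read("HBB")
            live_outs.append({"dwarf_reg": dwarf_reg, "size": size})
        r.align(8)  # each record is padded to an 8-byte boundary
        records.append({"patchpoint_id": patchpoint_id,
                        "instruction_offset": instruction_offset,
                        "locations": locations, "live_outs": live_outs})
    return {"version": version, "functions": functions,
            "constants": constants, "records": records}


def build_sample_v1():
    """Constructed sample: one function, one large constant, one record."""
    blob = struct.pack("<BBH", 1, 0, 0)            # version 1 header
    blob += struct.pack("<III", 1, 1, 1)           # counts
    blob += struct.pack("<QQ", 0x1000, 48)         # function addr / stack size
    blob += struct.pack("<Q", 0xDEADBEEFCAFEBABE)  # one large constant
    blob += struct.pack("<QIHH", 7, 0x20, 0, 2)    # patchpoint 7, 2 locations
    blob += struct.pack("<BBHi", 1, 0, 5, 0)       # Register, dwarf reg 5
    blob += struct.pack("<BBHi", 3, 0, 7, -16)     # Indirect [reg 7 - 16]
    blob += struct.pack("<HH", 0, 1)               # one live-out
    blob += struct.pack("<HBB", 3, 0, 8)           # dwarf reg 3, 8 bytes
    while len(blob) % 8:
        blob += b"\0"
    return blob


if __name__ == "__main__":
    print(parse_stackmaps(build_sample_v1()))
```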
809
810 2014-03-20  Filip Pizlo  <fpizlo@apple.com>
811
812         Crash beneath operationTearOffActivation running this JS compression demo
813         https://bugs.webkit.org/show_bug.cgi?id=130295
814         <rdar://problem/16332337>
815
816         Reviewed by Oliver Hunt.
817         
818         Make sure that we flush things as if we were at a terminal, if we are at a block with
819         no forward edges. This fixes infinitely loopy code with captured variables.
820
821         Make sure that the CFG simplifier adds explicit flushes whenever it jettisons a block.
822         
823         Make it so that NodeIsFlushed is a thing. Previously only SSA used it and it computed
824         it by itself. Now it's an artifact of CPS rethreading.
825         
826         Add a bunch of tests. All of them previously either crashed or returned bad output due
827         to memory corruption.
828
829         * bytecode/CodeBlock.cpp:
830         (JSC::CodeBlock::isCaptured):
831         * dfg/DFGByteCodeParser.cpp:
832         (JSC::DFG::ByteCodeParser::flushForTerminal):
833         (JSC::DFG::ByteCodeParser::flushForReturn):
834         (JSC::DFG::ByteCodeParser::flushIfTerminal):
835         (JSC::DFG::ByteCodeParser::branchData):
836         (JSC::DFG::ByteCodeParser::parseBlock):
837         * dfg/DFGCFGSimplificationPhase.cpp:
838         (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
839         * dfg/DFGCPSRethreadingPhase.cpp:
840         (JSC::DFG::CPSRethreadingPhase::run):
841         (JSC::DFG::CPSRethreadingPhase::computeIsFlushed):
842         (JSC::DFG::CPSRethreadingPhase::addFlushedLocalOp):
843         (JSC::DFG::CPSRethreadingPhase::addFlushedLocalEdge):
844         * dfg/DFGCSEPhase.cpp:
845         (JSC::DFG::CSEPhase::performNodeCSE):
846         * dfg/DFGGraph.cpp:
847         (JSC::DFG::Graph::clearFlagsOnAllNodes):
848         * dfg/DFGGraph.h:
849         * dfg/DFGNode.h:
850         * dfg/DFGNodeFlags.cpp:
851         (JSC::DFG::dumpNodeFlags):
852         * dfg/DFGNodeFlags.h:
853         * dfg/DFGSSAConversionPhase.cpp:
854         (JSC::DFG::SSAConversionPhase::run):
855         * tests/stress/activation-test-loop.js: Added.
856         (Inner.this.doStuff):
857         (Inner):
858         (foo.inner.isDone):
859         (foo):
860         * tests/stress/inferred-infinite-loop-that-uses-captured-variables.js: Added.
861         (bar):
862         (foo):
863         (noInline):
864         * tests/stress/infinite-loop-that-uses-captured-variables-before-throwing.js: Added.
865         (bar):
866         (foo):
867         (noInline):
868         * tests/stress/infinite-loop-that-uses-captured-variables-but-they-do-not-escape.js: Added.
869         (bar):
870         (foo):
871         (noInline):
872         * tests/stress/infinite-loop-that-uses-captured-variables-with-osr-entry.js: Added.
873         (bar):
874         (foo):
875         (noInline):
876         * tests/stress/infinite-loop-that-uses-captured-variables.js: Added.
877         (bar):
878         (foo):
879         (noInline):
880         * tests/stress/tricky-indirectly-inferred-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
881         (bar):
882         (fuzz):
883         (foo.f):
884         (foo):
885         * tests/stress/tricky-inferred-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
886         (bar):
887         (foo.f):
888         (foo):
889         * tests/stress/tricky-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
890         (bar):
891         (foo.f):
892         (foo):
893         * tests/stress/tricky-infinite-loop-that-uses-captured-variables.js: Added.
894         (bar):
895         (foo):
896         (noInline):
897
898 2014-03-20  Oliver Hunt  <oliver@apple.com>
899
900         Incorrect behavior when mutating a typed array during set.
901         https://bugs.webkit.org/show_bug.cgi?id=130428
902
903         Reviewed by Geoffrey Garen.
904
905         This fixes a null dereference that occurs if a typed array
906         is mutated during the set() operation. The patch gets rid
907         of the "Quickly" version of setIndex that is assigning
908         JSValues of unknown type, as the numeric conversion can trigger
909         side effects that lead to neutering, and so we deref null.
910
911         * runtime/JSGenericTypedArrayView.h:
912         (JSC::JSGenericTypedArrayView::setIndex):
913         * runtime/JSGenericTypedArrayViewInlines.h:
914         (JSC::JSGenericTypedArrayView<Adaptor>::set):
915         (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
916
917 2014-03-20  Gavin Barraclough  <barraclough@apple.com>
918
919         Remove IdentifierTable typedef, isIdentifier()
920         https://bugs.webkit.org/show_bug.cgi?id=130533
921
922         Rubber stamped by Geoff Garen.
923
924         Code should use AtomicStringTable, isAtomic() directly.
925
926         * API/JSClassRef.cpp:
927         (OpaqueJSClass::~OpaqueJSClass):
928         (OpaqueJSClassContextData::OpaqueJSClassContextData):
929         (OpaqueJSClass::className):
930         * API/JSClassRef.h:
931         * bytecode/SpeculatedType.cpp:
932         (JSC::speculationFromCell):
933         * bytecompiler/BytecodeGenerator.cpp:
934         (JSC::BytecodeGenerator::BytecodeGenerator):
935         * dfg/DFGSpeculativeJIT.cpp:
936         (JSC::DFG::SpeculativeJIT::compileIn):
937         (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
938         * ftl/FTLLowerDFGToLLVM.cpp:
939         (JSC::FTL::LowerDFGToLLVM::speculateStringIdent):
940         * heap/Heap.cpp:
941         (JSC::Heap::collect):
942         * interpreter/CallFrame.h:
943         (JSC::ExecState::atomicStringTable):
944         * parser/ASTBuilder.h:
945         (JSC::ASTBuilder::addVar):
946         * parser/Parser.cpp:
947         (JSC::Parser<LexerType>::createBindingPattern):
948         * runtime/Completion.cpp:
949         (JSC::checkSyntax):
950         (JSC::evaluate):
951         * runtime/Identifier.cpp:
952         (JSC::Identifier::checkCurrentAtomicStringTable):
953         * runtime/Identifier.h:
954         (JSC::Identifier::Identifier):
955         * runtime/IdentifierInlines.h:
956         (JSC::Identifier::add):
957         * runtime/JSCJSValue.cpp:
958         (JSC::JSValue::dumpInContext):
959         * runtime/JSLock.cpp:
960         (JSC::JSLock::didAcquireLock):
961         (JSC::JSLock::willReleaseLock):
962         (JSC::JSLock::DropAllLocks::DropAllLocks):
963         (JSC::JSLock::DropAllLocks::~DropAllLocks):
964         * runtime/JSLock.h:
965         * runtime/PropertyMapHashTable.h:
966         (JSC::PropertyTable::find):
967         (JSC::PropertyTable::get):
968         (JSC::PropertyTable::findWithString):
969         * runtime/PropertyName.h:
970         (JSC::PropertyName::PropertyName):
971         * runtime/PropertyNameArray.cpp:
972         (JSC::PropertyNameArray::add):
973         * runtime/VM.cpp:
974         (JSC::VM::VM):
975         (JSC::VM::~VM):
976         * runtime/VM.h:
977         (JSC::VM::atomicStringTable):
978
979 2014-03-20  Gavin Barraclough  <barraclough@apple.com>
980
981         Merge AtomicString, Identifier
982         https://bugs.webkit.org/show_bug.cgi?id=128624
983
984         Reviewed by Geoff Garen.
985
986         WTF::StringImpl currently supports two uniquing mechanisms - AtomicString and
987         Identifier - that is one too many.
988
989         Remove Identifier in favour of AtomicString. Identifier had two interesting
990         mechanisms that we preserve.
991
992         (1) JSC API VMs each get their own string table, switch the string table on
993             API entry/exit.
994         (2) JSC caches a pointer to the string table on the VM to avoid a thread
995             specific access. Adds a new AtomicString::add method to support this.
996
997         * API/JSAPIWrapperObject.mm:
998             - updated includes.
999         * JavaScriptCore.xcodeproj/project.pbxproj:
1000             - added IdentifierInlines.h.
1001         * inspector/JSInjectedScriptHostPrototype.cpp:
1002         * inspector/JSJavaScriptCallFramePrototype.cpp:
1003             - updated includes.
1004         * interpreter/CallFrame.h:
1005         (JSC::ExecState::atomicStringTable):
1006             - added, used via AtomicString::add to avoid thread-specific access.
1007         * runtime/ConsolePrototype.cpp:
1008             - updated includes.
1009         * runtime/Identifier.cpp:
1010         (JSC::Identifier::add):
1011         (JSC::Identifier::add8):
1012             - vm->smallStrings.singleCharacterStringRep now returns Atomic strings, use AtomicString::add.
1013         * runtime/Identifier.h:
1014         (JSC::Identifier::Identifier):
1015             - added ASSERTS.
1016         (JSC::Identifier::add):
1017             - vm->smallStrings.singleCharacterStringRep now returns Atomic strings, use AtomicString::add.
1018         * runtime/IdentifierInlines.h: Added.
1019         (JSC::Identifier::add):
1020             - moved from Identifier.h, use AtomicString::add.
1021         * runtime/JSCInlines.h:
1022             - added IdentifierInlines.h.
1023         * runtime/JSLock.h:
1024             - removed IdentifierTable.
1025         * runtime/PropertyNameArray.cpp:
1026             - updated includes.
1027         * runtime/SmallStrings.cpp:
1028         (JSC::SmallStringsStorage::SmallStringsStorage):
1029             - ensure all single character strings are Atomic.
1030         * runtime/VM.cpp:
1031         (JSC::VM::VM):
1032             - instantiate CommonIdentifiers with the correct AtomicStringTable set on thread data.
1033         * runtime/VM.h:
1034         (JSC::VM::atomicStringTable):
1035             - added, used via AtomicString::add to avoid thread-specific access.
1036
1037 2014-03-20  Gabor Rapcsanyi  <rgabor@webkit.org>
1038
1039         [ARM64] Fix assembler build issues and add cacheFlush support for Linux
1040         https://bugs.webkit.org/show_bug.cgi?id=130502
1041
1042         Reviewed by Michael Saboff.
1043
1044         Add limits.h for INT_MIN in ARM64Assembler(). Delete shouldBlindForSpecificArch(uintptr_t)
1045         because on ARM64 uint64_t and uintptr_t are the same with GCC and Clang as well.
1046         Add cacheFlush support for Linux.
1047
1048         * assembler/ARM64Assembler.h:
1049         (JSC::ARM64Assembler::linuxPageFlush):
1050         (JSC::ARM64Assembler::cacheFlush):
1051         * assembler/MacroAssemblerARM64.h:
1052         (JSC::MacroAssemblerARM64::shouldBlindForSpecificArch):
1053
1054 2014-03-19  Gavin Barraclough  <barraclough@apple.com>
1055
1056         https://bugs.webkit.org/show_bug.cgi?id=130494
1057         EmptyUnique strings are Identifiers/Atomic
1058
1059         Reviewed by Geoff Garen.
1060
1061         EmptyUnique strings should set the Identifier/Atomic flag.
1062
1063         This fixes an unreproducible bug we believe exists in Identifier handling.
1064         Expected behaviour is that while Identifiers may reference EmptyUniques
1065         (StringImpls allocated as UIDs for PrivateNames), these are not created
1066         through the main Identifier constructor, the Identifier flag is not set
1067         on PrivateNames, and we should never look up EmptyUnique strings in the
1068         IdentifierTable.
1069
1070         Unfortunately that was happening. Some tables used to implement property
1071         access in the JIT hold StringImpl*s, and turn these back into Identifiers
1072         using the Identifier constructor. Since the code generator will now plant
1073         by-id (cacheable) accesses to PrivateNames we can end up passing an
1074         EmptyUnique to Identifier::add, potentially leading to PrivateNames being
1075         uniqued together (though hard to prove, since the hash codes are random).
1076
1077         * runtime/PropertyName.h:
1078         (JSC::PropertyName::PropertyName):
1079         (JSC::PropertyName::uid):
1080         (JSC::PropertyName::publicName):
1081         (JSC::PropertyName::asIndex):
1082             - PropertyName assumed that PrivateNames are not Identifiers - instead check isEmptyUnique().
1083         * runtime/Structure.cpp:
1084         (JSC::Structure::getPropertyNamesFromStructure):
1085             - Structure assumed that PrivateNames are not Identifiers - instead check isEmptyUnique().
1086
1087 2014-03-19  Filip Pizlo  <fpizlo@apple.com>
1088
1089         Unreviewed, revert the DFGCommon.h change in r165938. It was not intentional.
1090
1091         * dfg/DFGCommon.h:
1092
1093 2014-03-19  Mark Hahnenberg  <mhahnenberg@apple.com>
1094
1095         GC timer should intelligently choose between EdenCollections and FullCollections
1096         https://bugs.webkit.org/show_bug.cgi?id=128261
1097
1098         Reviewed by Geoffrey Garen.
1099
1100         Most of the GCs while browsing the web are due to the GC timer. Currently the GC timer 
1101         always does FullCollections. To reduce the impact of the GC timer on the system this patch
1102         changes Heap so that it has two timers, one for each type of collection. The FullCollection
1103         timer is notified at the end of EdenCollections how much the Heap has grown since the last 
1104         FullCollection and when somebody notifies the Heap of abandoned memory (which usually wouldn't 
1105         be detected by an EdenCollection).
1106
1107         * CMakeLists.txt:
1108         * GNUmakefile.list.am:
1109         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1110         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1111         * JavaScriptCore.xcodeproj/project.pbxproj:
1112         * heap/EdenGCActivityCallback.cpp: Added.
1113         (JSC::EdenGCActivityCallback::EdenGCActivityCallback):
1114         (JSC::EdenGCActivityCallback::doCollection):
1115         (JSC::EdenGCActivityCallback::lastGCLength):
1116         (JSC::EdenGCActivityCallback::deathRate):
1117         (JSC::EdenGCActivityCallback::gcTimeSlice):
1118         * heap/EdenGCActivityCallback.h: Added.
1119         (JSC::GCActivityCallback::createEdenTimer):
1120         * heap/FullGCActivityCallback.cpp: Added.
1121         (JSC::FullGCActivityCallback::FullGCActivityCallback):
1122         (JSC::FullGCActivityCallback::doCollection):
1123         (JSC::FullGCActivityCallback::lastGCLength):
1124         (JSC::FullGCActivityCallback::deathRate):
1125         (JSC::FullGCActivityCallback::gcTimeSlice):
1126         * heap/FullGCActivityCallback.h: Added.
1127         (JSC::GCActivityCallback::createFullTimer):
1128         * heap/GCActivityCallback.cpp:
1129         (JSC::GCActivityCallback::GCActivityCallback):
1130         (JSC::GCActivityCallback::doWork):
1131         (JSC::GCActivityCallback::scheduleTimer):
1132         (JSC::GCActivityCallback::cancelTimer):
1133         (JSC::GCActivityCallback::didAllocate):
1134         (JSC::GCActivityCallback::willCollect):
1135         (JSC::GCActivityCallback::cancel):
1136         * heap/GCActivityCallback.h:
1137         * heap/Heap.cpp:
1138         (JSC::Heap::Heap):
1139         (JSC::Heap::reportAbandonedObjectGraph):
1140         (JSC::Heap::didAbandon):
1141         (JSC::Heap::collectAllGarbage):
1142         (JSC::Heap::collect):
1143         (JSC::Heap::willStartCollection):
1144         (JSC::Heap::updateAllocationLimits):
1145         (JSC::Heap::didFinishCollection):
1146         (JSC::Heap::setFullActivityCallback):
1147         (JSC::Heap::setEdenActivityCallback):
1148         (JSC::Heap::fullActivityCallback):
1149         (JSC::Heap::edenActivityCallback):
1150         (JSC::Heap::setGarbageCollectionTimerEnabled):
1151         (JSC::Heap::didAllocate):
1152         (JSC::Heap::shouldDoFullCollection):
1153         * heap/Heap.h:
1154         (JSC::Heap::lastFullGCLength):
1155         (JSC::Heap::lastEdenGCLength):
1156         (JSC::Heap::increaseLastFullGCLength):
1157         (JSC::Heap::sizeBeforeLastEdenCollection):
1158         (JSC::Heap::sizeAfterLastEdenCollection):
1159         (JSC::Heap::sizeBeforeLastFullCollection):
1160         (JSC::Heap::sizeAfterLastFullCollection):
1161         * heap/HeapOperation.h:
1162         * heap/HeapStatistics.cpp:
1163         (JSC::HeapStatistics::showObjectStatistics):
1164         * heap/HeapTimer.cpp:
1165         (JSC::HeapTimer::timerDidFire):
1166         * jsc.cpp:
1167         (functionFullGC):
1168         (functionEdenGC):
1169         * runtime/Options.h:
1170
1171 2014-03-19  Commit Queue  <commit-queue@webkit.org>
1172
1173         Unreviewed, rolling out r165926.
1174         https://bugs.webkit.org/show_bug.cgi?id=130488
1175
1176         broke the iOS build (Requested by estes on #webkit).
1177
1178         Reverted changeset:
1179
1180         "GC timer should intelligently choose between EdenCollections
1181         and FullCollections"
1182         https://bugs.webkit.org/show_bug.cgi?id=128261
1183         http://trac.webkit.org/changeset/165926
1184
1185 2014-03-13  Mark Hahnenberg  <mhahnenberg@apple.com>
1186
1187         GC timer should intelligently choose between EdenCollections and FullCollections
1188         https://bugs.webkit.org/show_bug.cgi?id=128261
1189
1190         Reviewed by Geoffrey Garen.
1191
1192         Most of the GCs while browsing the web are due to the GC timer. Currently the GC timer 
1193         always does FullCollections. To reduce the impact of the GC timer on the system this patch
1194         changes Heap so that it has two timers, one for each type of collection. The FullCollection
1195         timer is notified at the end of EdenCollections how much the Heap has grown since the last 
1196         FullCollection and when somebody notifies the Heap of abandoned memory (which wouldn't be 
1197         detected by an EdenCollection).
1198
1199         * heap/GCActivityCallback.cpp:
1200         (JSC::GCActivityCallback::GCActivityCallback):
1201         (JSC::GCActivityCallback::doWork):
1202         (JSC::FullGCActivityCallback::FullGCActivityCallback):
1203         (JSC::FullGCActivityCallback::doCollection):
1204         (JSC::EdenGCActivityCallback::EdenGCActivityCallback):
1205         (JSC::EdenGCActivityCallback::doCollection):
1206         (JSC::GCActivityCallback::scheduleTimer):
1207         (JSC::GCActivityCallback::cancelTimer):
1208         (JSC::GCActivityCallback::didAllocate):
1209         (JSC::GCActivityCallback::willCollect):
1210         (JSC::GCActivityCallback::cancel):
1211         * heap/GCActivityCallback.h:
1212         (JSC::GCActivityCallback::GCActivityCallback):
1213         (JSC::GCActivityCallback::createFullTimer):
1214         (JSC::GCActivityCallback::createEdenTimer):
1215         * heap/Heap.cpp:
1216         (JSC::Heap::Heap):
1217         (JSC::Heap::didAbandon):
1218         (JSC::Heap::willStartCollection):
1219         (JSC::Heap::updateAllocationLimits):
1220         (JSC::Heap::setFullActivityCallback):
1221         (JSC::Heap::setEdenActivityCallback):
1222         (JSC::Heap::fullActivityCallback):
1223         (JSC::Heap::edenActivityCallback):
1224         (JSC::Heap::setGarbageCollectionTimerEnabled):
1225         (JSC::Heap::didAllocate):
1226         * heap/Heap.h:
1227         * heap/HeapTimer.cpp:
1228         (JSC::HeapTimer::timerDidFire):
1229
1230 2014-03-19  Filip Pizlo  <fpizlo@apple.com>
1231
1232         REGRESSION(r165459): It broke 109 jsc stress test on ARM Thumb2 and Mac 32 bit
1233         https://bugs.webkit.org/show_bug.cgi?id=130134
1234
1235         Reviewed by Mark Hahnenberg.
1236
1237         * dfg/DFGFixupPhase.cpp:
1238         (JSC::DFG::FixupPhase::fixupNode): Can't do some optimizations if you don't have a lot of registers.
1239         * dfg/DFGSpeculativeJIT32_64.cpp:
1240         (JSC::DFG::SpeculativeJIT::cachedGetById): Move stuff around before going into the IC code to ensure that we give the IC code the invariants it needs. This only happens in case of GetByIdFlush, where we are forced into using weird combinations of registers because the results have to be in t0/t1.
1241         (JSC::DFG::SpeculativeJIT::compile): For a normal GetById, the register allocator should just do the right thing so nobody has to move anything around.
1242         * jit/JITInlineCacheGenerator.cpp:
1243         (JSC::JITGetByIdGenerator::JITGetByIdGenerator): Assert the things we want.
1244         * jit/JITInlineCacheGenerator.h:
1245         * jit/Repatch.cpp:
1246         (JSC::generateGetByIdStub): Remove a previous incomplete hack to try to work around the DFG's problem.
1247
1248 2014-03-19  Mark Hahnenberg  <mhahnenberg@apple.com>
1249
1250         Normalize some of the older JSC options
1251         https://bugs.webkit.org/show_bug.cgi?id=128753
1252
1253         Reviewed by Michael Saboff.
1254
1255         * runtime/Options.cpp:
1256         (JSC::Options::initialize):
1257
1258 2014-03-12  Mark Lam  <mark.lam@apple.com>
1259
1260         Update type of local vars to match the type of String length.
1261         <https://webkit.org/b/130077>
1262
1263         Reviewed by Geoffrey Garen.
1264
1265         * runtime/JSStringJoiner.cpp:
1266         (JSC::JSStringJoiner::join):
1267
1268 2014-03-18  Filip Pizlo  <fpizlo@apple.com>
1269
1270         Get rid of Flush in SSA
1271         https://bugs.webkit.org/show_bug.cgi?id=130440
1272
1273         Reviewed by Sam Weinig.
1274         
1275         This is basically a red patch. We used to use backwards flow for determining what was
1276         flushed, until it became clear that this doesn't make sense. Now the Flush nodes don't
1277         accomplish anything. Keeping them around in SSA can only make things hard.
1278
1279         * CMakeLists.txt:
1280         * GNUmakefile.list.am:
1281         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1282         * JavaScriptCore.xcodeproj/project.pbxproj:
1283         * dfg/DFGBasicBlock.cpp:
1284         (JSC::DFG::BasicBlock::SSAData::SSAData):
1285         * dfg/DFGBasicBlock.h:
1286         * dfg/DFGFlushLivenessAnalysisPhase.cpp: Removed.
1287         * dfg/DFGFlushLivenessAnalysisPhase.h: Removed.
1288         * dfg/DFGGraph.cpp:
1289         (JSC::DFG::Graph::dump):
1290         * dfg/DFGPlan.cpp:
1291         (JSC::DFG::Plan::compileInThreadImpl):
1292         * dfg/DFGSSAConversionPhase.cpp:
1293         (JSC::DFG::SSAConversionPhase::run):
1294         * ftl/FTLLowerDFGToLLVM.cpp:
1295         (JSC::FTL::LowerDFGToLLVM::compileNode):
1296
1297 2014-03-18  Filip Pizlo  <fpizlo@apple.com>
1298
1299         Unreviewed, fix iOS production build.
1300
1301         * JavaScriptCore.xcodeproj/project.pbxproj:
1302
1303 2014-03-18  Michael Saboff  <msaboff@apple.com>
1304
1305         Update RegExp Tracing code
1306         https://bugs.webkit.org/show_bug.cgi?id=130381
1307
1308         Reviewed by Andreas Kling.
1309
1310         Updated the regular expression tracing code for 8/16 bit JIT as
1311         well as match only entry points.  Also added average string length
1312         metric.
1313
1314         * runtime/RegExp.cpp:
1315         (JSC::RegExp::RegExp):
1316         (JSC::RegExp::match):
1317         (JSC::RegExp::printTraceData):
1318         * runtime/RegExp.h:
1319         * runtime/VM.cpp:
1320         (JSC::VM::addRegExpToTrace):
1321         (JSC::VM::dumpRegExpTrace):
1322         * runtime/VM.h:
1323         * yarr/YarrJIT.h:
1324         (JSC::Yarr::YarrCodeBlock::get8BitMatchOnlyAddr):
1325         (JSC::Yarr::YarrCodeBlock::get16BitMatchOnlyAddr):
1326         (JSC::Yarr::YarrCodeBlock::get8BitMatchAddr):
1327         (JSC::Yarr::YarrCodeBlock::get16BitMatchAddr):
1328
1329 2014-03-17  Filip Pizlo  <fpizlo@apple.com>
1330
1331         Add CompareStrictEq(StringIdent:, NotStringVar:) and CompareStrictEq(String:, Untyped:)
1332         https://bugs.webkit.org/show_bug.cgi?id=130300
1333
1334         Reviewed by Mark Hahnenberg.
1335         
1336         We can quickly strictly compare StringIdent's to NotStringVar's and String's to Untyped's.
1337         This makes the DFG aware of this.
1338         
1339         Also adds StringIdent-to-StringIdent and StringIdent-to-NotStringVar strict comparisons to
1340         the FTL. Also adds StringIdent-to-StringIdent non-strict comparisons to the FTL.
1341         
1342         This also gives the DFG some abstractions for checking something is a cell or is other.
1343         This made this patch easier to write and also simplified a bunch of other stuff.
1344         
1345         1% speed-up on Octane.
1346
1347         * assembler/AbstractMacroAssembler.h:
1348         (JSC::AbstractMacroAssembler::JumpList::JumpList):
1349         * bytecode/SpeculatedType.h:
1350         (JSC::isNotStringVarSpeculation):
1351         * dfg/DFGFixupPhase.cpp:
1352         (JSC::DFG::FixupPhase::fixupNode):
1353         * dfg/DFGNode.h:
1354         (JSC::DFG::Node::childFor):
1355         (JSC::DFG::Node::shouldSpeculateNotStringVar):
1356         * dfg/DFGSafeToExecute.h:
1357         (JSC::DFG::SafeToExecuteEdge::operator()):
1358         * dfg/DFGSpeculativeJIT.cpp:
1359         (JSC::DFG::SpeculativeJIT::compileIn):
1360         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1361         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
1362         (JSC::DFG::SpeculativeJIT::compileInstanceOf):
1363         (JSC::DFG::SpeculativeJIT::compileStrictEq):
1364         (JSC::DFG::SpeculativeJIT::compileBooleanCompare):
1365         (JSC::DFG::SpeculativeJIT::compileStringEquality):
1366         (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality):
1367         (JSC::DFG::SpeculativeJIT::compileStringIdentEquality):
1368         (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality):
1369         (JSC::DFG::SpeculativeJIT::compileStringZeroLength):
1370         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
1371         (JSC::DFG::SpeculativeJIT::speculateString):
1372         (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
1373         (JSC::DFG::SpeculativeJIT::speculateNotStringVar):
1374         (JSC::DFG::SpeculativeJIT::speculateNotCell):
1375         (JSC::DFG::SpeculativeJIT::speculateOther):
1376         (JSC::DFG::SpeculativeJIT::speculate):
1377         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
1378         (JSC::DFG::SpeculativeJIT::emitSwitchString):
1379         * dfg/DFGSpeculativeJIT.h:
1380         (JSC::DFG::SpeculativeJIT::blessedBooleanResult):
1381         (JSC::DFG::SpeculativeJIT::unblessedBooleanResult):
1382         (JSC::DFG::SpeculativeJIT::booleanResult):
1383         * dfg/DFGSpeculativeJIT32_64.cpp:
1384         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
1385         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
1386         (JSC::DFG::SpeculativeJIT::emitCall):
1387         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1388         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1389         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1390         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1391         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1392         (JSC::DFG::SpeculativeJIT::compile):
1393         (JSC::DFG::branchIsCell):
1394         (JSC::DFG::branchNotCell):
1395         (JSC::DFG::SpeculativeJIT::branchIsOther):
1396         (JSC::DFG::SpeculativeJIT::branchNotOther):
1397         (JSC::DFG::SpeculativeJIT::moveTrueTo):
1398         (JSC::DFG::SpeculativeJIT::moveFalseTo):
1399         (JSC::DFG::SpeculativeJIT::blessBoolean):
1400         * dfg/DFGSpeculativeJIT64.cpp:
1401         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
1402         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
1403         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1404         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1405         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1406         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1407         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1408         (JSC::DFG::SpeculativeJIT::compile):
1409         (JSC::DFG::SpeculativeJIT::writeBarrier):
1410         (JSC::DFG::SpeculativeJIT::branchIsCell):
1411         (JSC::DFG::SpeculativeJIT::branchNotCell):
1412         (JSC::DFG::SpeculativeJIT::branchIsOther):
1413         (JSC::DFG::SpeculativeJIT::branchNotOther):
1414         (JSC::DFG::SpeculativeJIT::moveTrueTo):
1415         (JSC::DFG::SpeculativeJIT::moveFalseTo):
1416         (JSC::DFG::SpeculativeJIT::blessBoolean):
1417         * dfg/DFGUseKind.cpp:
1418         (WTF::printInternal):
1419         * dfg/DFGUseKind.h:
1420         (JSC::DFG::typeFilterFor):
1421         * ftl/FTLCapabilities.cpp:
1422         (JSC::FTL::canCompile):
1423         * ftl/FTLLowerDFGToLLVM.cpp:
1424         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
1425         (JSC::FTL::LowerDFGToLLVM::lowString):
1426         (JSC::FTL::LowerDFGToLLVM::lowStringIdent):
1427         (JSC::FTL::LowerDFGToLLVM::speculate):
1428         (JSC::FTL::LowerDFGToLLVM::speculateString):
1429         (JSC::FTL::LowerDFGToLLVM::speculateStringIdent):
1430         (JSC::FTL::LowerDFGToLLVM::speculateNotStringVar):
1431         * runtime/JSCJSValue.h:
1432         * tests/stress/string-ident-to-not-string-var-equality.js: Added.
1433         (foo):
1434         (bar):
1435         (test):
1436
1437 2014-03-18  Joseph Pecoraro  <pecoraro@apple.com>
1438
1439         Add Copyright to framework.sb
1440         https://bugs.webkit.org/show_bug.cgi?id=130413
1441
1442         Reviewed by Timothy Hatcher.
1443
1444         Other sb files got the copyright. Follow suit.
1445
1446         * framework.sb:
1447
1448 2014-03-18  Matthew Mirman  <mmirman@apple.com>
1449
1450         Removed extra parens from if statement in a preprocessor define.
1451         https://bugs.webkit.org/show_bug.cgi?id=130408
1452
1453         Reviewed by Filip Pizlo.
1454
1455         * parser/Parser.cpp:
1456
1457 2014-03-18  Filip Pizlo  <fpizlo@apple.com>
1458
1459         More FTL enabling.
1460
1461         Rubber stamped by Dan Bernstein and Mark Hahnenberg.
1462
1463         * Configurations/FeatureDefines.xcconfig:
1464         * ftl/FTLCompile.cpp:
1465         (JSC::FTL::compile):
1466
1467 2014-03-17  Michael Saboff  <msaboff@apple.com>
1468
1469         V8 regexp spends most of its time in operationGetById
1470         https://bugs.webkit.org/show_bug.cgi?id=130380
1471
1472         Reviewed by Filip Pizlo.
1473
1474         Added String.length case to tryCacheGetByID that will only help the BaseLine JIT.
1475         When V8 regexp is run from the command line, this nets a 2% performance improvement.
1476         When the test is run for a longer amount of time, there is much less benefit as the
1477         DFG will emit the appropriate code for String.length.  This does remove
1478         operationGetById as the hottest function when run from the command line.
1479
1480         * jit/Repatch.cpp:
1481         (JSC::tryCacheGetByID):
1482
1483 2014-03-17  Andreas Kling  <akling@apple.com>
1484
1485         Add one-deep cache to opaque roots hashset.
1486         <https://webkit.org/b/130357>
1487
1488         The vast majority of WebCore JS wrappers will have their Document*
1489         as the root(). This change adds a simple optimization where we cache
1490         the last lookup and avoid going to the hashset for repeated queries.
1491
1492         Looks like 0.4% progression on DYEB on my MBP.
1493
1494         Reviewed by Mark Hahnenberg.
1495
1496         * JavaScriptCore.xcodeproj/project.pbxproj:
1497         * heap/OpaqueRootSet.h: Added.
1498         (JSC::OpaqueRootSet::OpaqueRootSet):
1499         (JSC::OpaqueRootSet::contains):
1500         (JSC::OpaqueRootSet::isEmpty):
1501         (JSC::OpaqueRootSet::clear):
1502         (JSC::OpaqueRootSet::add):
1503         (JSC::OpaqueRootSet::size):
1504         (JSC::OpaqueRootSet::begin):
1505         (JSC::OpaqueRootSet::end):
1506         * heap/SlotVisitor.h:
1507
1508 2014-03-17  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>
1509
1510         Implement Math.hypot
1511         https://bugs.webkit.org/show_bug.cgi?id=129486
1512
1513         Reviewed by Darin Adler.
1514
1515         * runtime/MathObject.cpp:
1516         (JSC::MathObject::finishCreation):
1517         (JSC::mathProtoFuncHypot):
1518
1519 2014-03-17  Zsolt Borbely  <borbezs@inf.u-szeged.hu>
1520
1521         Fix the !ENABLE(PROMISES) build
1522         https://bugs.webkit.org/show_bug.cgi?id=130328
1523
1524         Reviewed by Darin Adler.
1525
1526         Add missing ENABLE(PROMISES) guards.
1527
1528         * runtime/JSGlobalObject.cpp:
1529         (JSC::JSGlobalObject::reset):
1530         (JSC::JSGlobalObject::visitChildren):
1531         * runtime/JSGlobalObject.h:
1532         * runtime/JSPromiseDeferred.cpp:
1533         * runtime/JSPromiseDeferred.h:
1534         * runtime/JSPromiseReaction.cpp:
1535         * runtime/JSPromiseReaction.h:
1536         * runtime/VM.cpp:
1537         (JSC::VM::VM):
1538         * runtime/VM.h:
1539
1540 2014-03-16  Andreas Kling  <akling@apple.com>
1541
1542         REGRESSION(r165703): JSC tests crashing in StringImpl::destroy().
1543         <https://webkit.org/b/130304>
1544
1545         Reviewed by Anders Carlsson.
1546
1547         Unreviewed, restoring the old behavior of OpaqueJSString::identifier()
1548         that doesn't put a potentially unwanted string into the Identifier table.
1549
1550         * API/OpaqueJSString.cpp:
1551         (OpaqueJSString::identifier):
1552
1553 2014-03-16  Brian Burg  <bburg@apple.com>
1554
1555         Web Inspector: generated backend commands should reflect build system ENABLE settings
1556         https://bugs.webkit.org/show_bug.cgi?id=130111
1557
1558         Reviewed by Timothy Hatcher.
1559
1560         * CMakeLists.txt:
1561
1562         Combine only the Inspector domains listed in INSPECTOR_DOMAINS,
1563         instead of globbing any .json file.
1564
1565         * DerivedSources.make:
1566
1567         Force the combined inspector protocol file to be regenerated if
1568         the content or list of domains itself changes.
1569
1570 2014-03-16  Brian Burg  <bburg@apple.com>
1571
1572         Web Inspector: vended backend commands file should be generated as part of the build
1573         https://bugs.webkit.org/show_bug.cgi?id=130110
1574
1575         Reviewed by Timothy Hatcher.
1576
1577         * JavaScriptCore.xcodeproj/project.pbxproj: Copy InspectorJSBackendCommands.js to the
1578         private headers directory.
1579
1580 2014-03-16  Darin Adler  <darin@apple.com>
1581
1582         Remove all uses of deprecatedCharacters from JavaScriptCore
1583         https://bugs.webkit.org/show_bug.cgi?id=130304
1584
1585         Reviewed by Anders Carlsson.
1586
1587         * API/JSValueRef.cpp:
1588         (JSValueMakeFromJSONString): Use characters16 in the 16-bit code path.
1589         * API/OpaqueJSString.cpp:
1590         (OpaqueJSString::~OpaqueJSString): Use characters16 in the 16-bit code path.
1591         (OpaqueJSString::identifier): Get rid of custom Identifier constructor, and
1592         just use the standard one that takes a String.
1593         (OpaqueJSString::characters): Use getCharactersWithUpconvert instead of a
1594         hand-written alternative.
1595
1596         * bindings/ScriptValue.cpp:
1597         (Deprecated::jsToInspectorValue): Create InspectorString from String directly
1598         instead of involving a character pointer. Use the String from Identifier
1599         directly instead of making a new String.
1600
1601         * inspector/ContentSearchUtilities.cpp:
1602         (Inspector::ContentSearchUtilities::createSearchRegexSource): Use StringBuilder
1603         instead of building a String a character at a time. This is still a very slow
1604         way to do this. Also use strchr to search for a character instead of building
1605         a String every time just to use find on it.
1606
1607         * inspector/InspectorValues.cpp:
1608         (Inspector::doubleQuoteString): Remove unnecessary trip through a
1609         character pointer. This is still a really slow way to do this.
1610         (Inspector::InspectorValue::parseJSON): Use StringView::upconvertedCharacters
1611         instead of String::deprecatedCharacters. Still slow to always upconvert.
1612
1613         * runtime/DateConstructor.cpp: Removed unneeded include.
1614         * runtime/DatePrototype.cpp: Ditto.
1615
1616         * runtime/Identifier.h: Removed deprecatedCharacters function.
1617
1618         * runtime/JSGlobalObjectFunctions.cpp:
1619         (JSC::encode): Added a type cast to avoid ambiguity with the two character-
1620         appending functions from JSStringBuilder. Removed unneeded code duplicating
1621         what JSStringBuilder already does in its character append function.
1622         (JSC::decode): Deleted code that creates a JSStringBuilder that is never used.
1623         (JSC::parseIntOverflow): Changed lengths to unsigned. Made only the overload that
1624         is used outside this file have external linkage. Added a new overload that takes
1625         a StringView.
1626         (JSC::parseInt): Use StringView::substring to call parseIntOverflow.
1627         (JSC::globalFuncEscape): Use JSBuilder::append in a more efficient way for a
1628         single character.
1629
1630         * runtime/JSGlobalObjectFunctions.h: Removed unused overloads of parseIntOverflow.
1631
1632         * runtime/JSStringBuilder.h: Marked this "lightly deprecated".
1633         (JSC::JSStringBuilder::append): Overloaded for better speed with 8-bit characters.
1634         Made one overload private. Fixed a performance bug where we would reserve capacity
1635         in the 8-bit buffer but then append to the 16-bit buffer.
1636
1637         * runtime/ObjectPrototype.cpp: Removed unneeded include.
1638
1639         * runtime/StringPrototype.cpp:
1640         (JSC::stringProtoFuncFontsize): Use StringView::getCharactersWithUpconvert.
1641         (JSC::stringProtoFuncLink): Ditto.
1642
1643 2014-03-15  Filip Pizlo  <fpizlo@apple.com>
1644
1645         FTL ArrayifyToStructure shouldn't fail every time that it actually arrayifies
1646         https://bugs.webkit.org/show_bug.cgi?id=130296
1647
1648         Reviewed by Andreas Kling.
1649         
1650         During the 32-bit structure ID work, the second load of the structure was removed.
1651         That's wrong. The whole point of loading the structure ID again is that the structure
1652         ID would have been changed by the arrayification call, and we're verifying that the
1653         arrayification succeeded in changing the structure. If we check the old structure - as
1654         the code was doing after the 32-bit structure ID work - then this check is guaranteed
1655         to fail, causing a significant performance regression.
1656         
1657         It's actually amazing that the regression wasn't bigger. The reason is that if FTL
1658         code pathologically exits but the equivalent DFG code doesn't, then the exponential
1659         backoff almost perfectly guarantees that we just end up in the DFG. For this code, at
1660         the time at least, the DFG wasn't much slower so this didn't cause too much pain.
1661
1662         * ftl/FTLLowerDFGToLLVM.cpp:
1663         (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
1664
1665 2014-03-15  Filip Pizlo  <fpizlo@apple.com>
1666
1667         FTL should support CheckHasInstance/InstanceOf
1668         https://bugs.webkit.org/show_bug.cgi?id=130285
1669
1670         Reviewed by Sam Weinig.
1671         
1672         Fairly straightforward; I also discovered an inaccurate FIXME in the process.
1673
1674         * dfg/DFGFixupPhase.cpp:
1675         (JSC::DFG::FixupPhase::fixupNode):
1676         * ftl/FTLAbstractHeapRepository.h:
1677         * ftl/FTLCapabilities.cpp:
1678         (JSC::FTL::canCompile):
1679         * ftl/FTLLowerDFGToLLVM.cpp:
1680         (JSC::FTL::LowerDFGToLLVM::compileNode):
1681         (JSC::FTL::LowerDFGToLLVM::compileCheckHasInstance):
1682         (JSC::FTL::LowerDFGToLLVM::compileInstanceOf):
1683         * ftl/FTLOutput.h:
1684         (JSC::FTL::Output::phi):
1685         * tests/stress/instanceof.js: Added.
1686         * tests/stress/instanceof-not-cell.js: Added.
1687
1688 2014-03-15  Michael Saboff  <msaboff@apple.com>
1689
1690         It should be possible to adjust DFG and FTL compiler thread priorities
1691         https://bugs.webkit.org/show_bug.cgi?id=130288
1692
1693         Reviewed by Filip Pizlo.
1694
1695         Added ability to change thread priorities relative to its current priority.
1696         Created options to adjust the priority of the DFG and FTL compilation work thread
1697         pools.  For two core systems, there might be three runnable threads, the main thread,
1698         the DFG compilation thread and the FTL compilation thread.  With the same priority,
1699         the scheduler is free to schedule whatever thread it wants.  By lowering the
1700         compilation threads, the main thread can run.  Further tests may suggest better values
1701         for the new options, priorityDeltaOfDFGCompilerThreads and priorityDeltaOfFTLCompilerThreads.
1702
1703         For a two-core device, this change has a net positive improvement of 1-3% across
1704         SunSpider, Octane, Kraken and AsmBench.
1705
1706         * dfg/DFGWorklist.cpp:
1707         (JSC::DFG::Worklist::finishCreation):
1708         (JSC::DFG::Worklist::create):
1709         (JSC::DFG::ensureGlobalDFGWorklist):
1710         (JSC::DFG::ensureGlobalFTLWorklist):
1711         * dfg/DFGWorklist.h:
1712         * runtime/Options.cpp:
1713         (JSC::computePriorityDeltaOfWorkerThreads):
1714         * runtime/Options.h:
1715
1716 2014-03-15  David Kilzer  <ddkilzer@apple.com>
1717
1718         [iOS] Define SYSTEM_VERSION_PREFIX consistently
1719         <http://webkit.org/b/130293>
1720         <rdar://problem/15926359>
1721
1722         Reviewed by Dan Bernstein.
1723
1724         * Configurations/Version.xcconfig:
1725         (SYSTEM_VERSION_PREFIX_iphoneos): Sync with
1726         Source/WebKit/mac/Version.xcconfig.
1727
1728 2014-03-15  David Kilzer  <ddkilzer@apple.com>
1729
1730         Fix build: using integer absolute value function 'abs' when argument is of floating point type
1731         <http://webkit.org/b/130286>
1732
1733         Reviewed by Filip Pizlo.
1734
1735         Fixes the following build failure using trunk clang:
1736
1737             JavaScriptCore/assembler/MacroAssembler.h:992:17: error: using integer absolute value function 'abs' when argument is of floating point type [-Werror,-Wabsolute-value]
1738                     value = abs(value);
1739                             ^
1740             JavaScriptCore/assembler/MacroAssembler.h:992:17: note: use function 'fabs' instead
1741                     value = abs(value);
1742                             ^~~
1743                             fabs
1744
1745         * assembler/MacroAssembler.h:
1746         (JSC::MacroAssembler::shouldBlindDouble): Switch from abs() to
1747         fabs().
1748
1749 2014-03-14  Oliver Hunt  <oliver@apple.com>
1750
1751         Reinstate initialiser syntax in for-in loops
1752         https://bugs.webkit.org/show_bug.cgi?id=130269
1753
1754         Reviewed by Michael Saboff.
1755
1756         Disallowing the initialiser broke some sites so this patch re-allows
1757         the syntax.  We still disallow the syntax in 'of' and pattern based
1758         enumeration.
1759
1760         * parser/ASTBuilder.h:
1761         (JSC::ASTBuilder::isBindingNode):
1762         * parser/Parser.cpp:
1763         (JSC::Parser<LexerType>::parseVarDeclarationList):
1764         (JSC::Parser<LexerType>::parseForStatement):
1765         * parser/SyntaxChecker.h:
1766         (JSC::SyntaxChecker::operatorStackPop):
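
The three loop-head forms this entry separates, as an added example that is not part of the ChangeLog or of the JSC parser: it probes a JavaScript parser with each head and reports which ones it accepts. The `let` case is an extra beyond the entry; the case names and helper functions are this example's own.

```javascript
// Added example, not code from the WebKit ChangeLog or from JavaScriptCore.
// `new Function` parses the source without running it; Function-constructor
// bodies are sloppy-mode code, which is where the legacy for-in initialiser
// (ECMAScript Annex B) is permitted. A SyntaxError means "rejected".
function parsesAsSloppyFunctionBody(source) {
  try {
    new Function(source);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e; // anything else is a bug in this example, not a parse verdict
  }
}

// Loop heads under test (names are this example's own); bodies are empty so
// only the head decides the outcome.
const CASES = {
  forInVarInit:       "for (var i = 0 in {}) {}",     // legacy form the entry re-allows
  forInVarNoInit:     "for (var i in {}) {}",         // baseline
  forInPatternNoInit: "for (var [a] in {}) {}",       // pattern without initialiser is fine
  forOfVarInit:       "for (var i = 0 of []) {}",     // 'of' never allows an initialiser
  forInPatternInit:   "for (var [a] = [] in {}) {}",  // pattern-based enumeration never does
  forInLetInit:       "for (let i = 0 in {}) {}",     // extra: let/const never do either
};

// Returns { caseName: accepted(boolean) } for the engine running this file.
function classifyLoopHeads(cases = CASES) {
  const result = {};
  for (const [name, src] of Object.entries(cases)) {
    result[name] = parsesAsSloppyFunctionBody(src);
  }
  return result;
}

console.log(classifyLoopHeads());
```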
1767
1768 2014-03-14  Mark Lam  <mark.lam@apple.com>
1769
1770         Accessing __lookupGetter__ and __lookupSetter__ should not crash the VM when undefined.
1771         <https://webkit.org/b/130279>
1772
1773         Reviewed by Filip Pizlo.
1774
1775         If neither the getter nor setter are defined, accessing __lookupGetter__
1776         and __lookupSetter__ will return undefined as expected.  However, if the
1777         getter is defined but the setter is not, accessing __lookupSetter__ will
1778         crash the VM.  Similarly, accessing __lookupGetter__ when only the setter
1779         is defined will crash the VM.
1780
1781         The reason is because objectProtoFuncLookupGetter() and
1782         objectProtoFuncLookupSetter() did not check if the getter and setter
1783         value is non-null before returning it as an EncodedJSValue.  The fix is
1784         to add the appropriate null checks.
1785
1786         * runtime/ObjectPrototype.cpp:
1787         (JSC::objectProtoFuncLookupGetter):
1788         (JSC::objectProtoFuncLookupSetter):
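
The regression check implied by this entry, as an added example that is not part of the ChangeLog or of JavaScriptCore: for every combination of getter-only, setter-only, both and neither (as a data property or a missing one), `__lookupGetter__` and `__lookupSetter__` must return the defined accessor or `undefined`, never fail, both on the object itself and through the prototype chain. Helper and case names are this example's own.

```javascript
// Added example, not code from the WebKit ChangeLog or from JavaScriptCore.
const sharedGetter = function () { return 1; };
const sharedSetter = function (v) { void v; };

// Returns both lookups for one object; a correct engine returns a function or
// undefined from each call and never throws.
function lookupAccessors(obj, key) {
  return { getter: obj.__lookupGetter__(key), setter: obj.__lookupSetter__(key) };
}

// Builds every accessor combination and records what the lookups return, for
// the defining object ("own") and for an object inheriting from it ("inherited").
function accessorLookupMatrix() {
  const cases = {
    missing:    null,                                 // no such property at all
    data:       { value: 1, writable: true },         // plain data property, no accessors
    getterOnly: { get: sharedGetter },                // __lookupSetter__ used to crash here
    setterOnly: { set: sharedSetter },                // __lookupGetter__ used to crash here
    both:       { get: sharedGetter, set: sharedSetter },
  };
  const results = {};
  for (const [name, desc] of Object.entries(cases)) {
    const own = {};
    if (desc) Object.defineProperty(own, "prop", { ...desc, configurable: true });
    const inherited = Object.create(own); // lookup walks the prototype chain
    results[`${name}:own`] = lookupAccessors(own, "prop");
    results[`${name}:inherited`] = lookupAccessors(inherited, "prop");
  }
  return results;
}

console.log(accessorLookupMatrix());
```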
1789
1790 2014-03-14  Mark Rowe  <mrowe@apple.com>
1791
1792         Fix the production build.
1793
1794         Don't rely on USE_INTERNAL_SDK being set for the Production configuration since UseInternalSDK.xcconfig won't
1795         be at the expected relative path when working from installed source.
1796
1797         * Configurations/Base.xcconfig:
1798
1799 2014-03-14  Maciej Stachowiak  <mjs@apple.com>
1800
1801         Replace "Apple Computer, Inc." with "Apple Inc." in copyright headers
1802         https://bugs.webkit.org/show_bug.cgi?id=130276
1803         <rdar://problem/16266927>
1804
1805         Reviewed by Simon Fraser.
1806
1807         * API/APICast.h:
1808         * API/JSBase.cpp:
1809         * API/JSBase.h:
1810         * API/JSBasePrivate.h:
1811         * API/JSCallbackConstructor.cpp:
1812         * API/JSCallbackConstructor.h:
1813         * API/JSCallbackFunction.cpp:
1814         * API/JSCallbackFunction.h:
1815         * API/JSCallbackObject.cpp:
1816         * API/JSCallbackObject.h:
1817         * API/JSCallbackObjectFunctions.h:
1818         * API/JSClassRef.cpp:
1819         * API/JSClassRef.h:
1820         * API/JSContextRef.cpp:
1821         * API/JSContextRef.h:
1822         * API/JSContextRefPrivate.h:
1823         * API/JSObjectRef.cpp:
1824         * API/JSObjectRef.h:
1825         * API/JSProfilerPrivate.cpp:
1826         * API/JSProfilerPrivate.h:
1827         * API/JSRetainPtr.h:
1828         * API/JSStringRef.cpp:
1829         * API/JSStringRef.h:
1830         * API/JSStringRefBSTR.cpp:
1831         * API/JSStringRefBSTR.h:
1832         * API/JSStringRefCF.cpp:
1833         * API/JSStringRefCF.h:
1834         * API/JSValueRef.cpp:
1835         * API/JSValueRef.h:
1836         * API/JavaScript.h:
1837         * API/JavaScriptCore.h:
1838         * API/OpaqueJSString.cpp:
1839         * API/OpaqueJSString.h:
1840         * API/tests/JSNode.c:
1841         * API/tests/JSNode.h:
1842         * API/tests/JSNodeList.c:
1843         * API/tests/JSNodeList.h:
1844         * API/tests/Node.c:
1845         * API/tests/Node.h:
1846         * API/tests/NodeList.c:
1847         * API/tests/NodeList.h:
1848         * API/tests/minidom.c:
1849         * API/tests/minidom.js:
1850         * API/tests/testapi.c:
1851         * API/tests/testapi.js:
1852         * DerivedSources.make:
1853         * bindings/ScriptValue.cpp:
1854         * bytecode/CodeBlock.cpp:
1855         * bytecode/CodeBlock.h:
1856         * bytecode/EvalCodeCache.h:
1857         * bytecode/Instruction.h:
1858         * bytecode/JumpTable.cpp:
1859         * bytecode/JumpTable.h:
1860         * bytecode/Opcode.cpp:
1861         * bytecode/Opcode.h:
1862         * bytecode/SamplingTool.cpp:
1863         * bytecode/SamplingTool.h:
1864         * bytecode/SpeculatedType.cpp:
1865         * bytecode/SpeculatedType.h:
1866         * bytecode/ValueProfile.h:
1867         * bytecompiler/BytecodeGenerator.cpp:
1868         * bytecompiler/BytecodeGenerator.h:
1869         * bytecompiler/Label.h:
1870         * bytecompiler/LabelScope.h:
1871         * bytecompiler/RegisterID.h:
1872         * debugger/DebuggerCallFrame.cpp:
1873         * debugger/DebuggerCallFrame.h:
1874         * dfg/DFGDesiredStructureChains.cpp:
1875         * dfg/DFGDesiredStructureChains.h:
1876         * heap/GCActivityCallback.cpp:
1877         * heap/GCActivityCallback.h:
1878         * inspector/ConsoleMessage.cpp:
1879         * inspector/ConsoleMessage.h:
1880         * inspector/IdentifiersFactory.cpp:
1881         * inspector/IdentifiersFactory.h:
1882         * inspector/InjectedScriptManager.cpp:
1883         * inspector/InjectedScriptManager.h:
1884         * inspector/InjectedScriptSource.js:
1885         * inspector/ScriptBreakpoint.h:
1886         * inspector/ScriptDebugListener.h:
1887         * inspector/ScriptDebugServer.cpp:
1888         * inspector/ScriptDebugServer.h:
1889         * inspector/agents/InspectorAgent.cpp:
1890         * inspector/agents/InspectorAgent.h:
1891         * inspector/agents/InspectorDebuggerAgent.cpp:
1892         * inspector/agents/InspectorDebuggerAgent.h:
1893         * interpreter/Interpreter.cpp:
1894         * interpreter/Interpreter.h:
1895         * interpreter/JSStack.cpp:
1896         * interpreter/JSStack.h:
1897         * interpreter/Register.h:
1898         * jit/CompactJITCodeMap.h:
1899         * jit/JITStubs.cpp:
1900         * jit/JITStubs.h:
1901         * jit/JITStubsARM.h:
1902         * jit/JITStubsARMv7.h:
1903         * jit/JITStubsX86.h:
1904         * jit/JITStubsX86_64.h:
1905         * os-win32/stdbool.h:
1906         * parser/SourceCode.h:
1907         * parser/SourceProvider.h:
1908         * profiler/LegacyProfiler.cpp:
1909         * profiler/LegacyProfiler.h:
1910         * profiler/ProfileNode.cpp:
1911         * profiler/ProfileNode.h:
1912         * runtime/ArrayBufferView.cpp:
1913         * runtime/ArrayBufferView.h:
1914         * runtime/BatchedTransitionOptimizer.h:
1915         * runtime/CallData.h:
1916         * runtime/ConstructData.h:
1917         * runtime/DumpContext.cpp:
1918         * runtime/DumpContext.h:
1919         * runtime/ExceptionHelpers.cpp:
1920         * runtime/ExceptionHelpers.h:
1921         * runtime/InitializeThreading.cpp:
1922         * runtime/InitializeThreading.h:
1923         * runtime/IntegralTypedArrayBase.h:
1924         * runtime/IntendedStructureChain.cpp:
1925         * runtime/IntendedStructureChain.h:
1926         * runtime/JSActivation.cpp:
1927         * runtime/JSActivation.h:
1928         * runtime/JSExportMacros.h:
1929         * runtime/JSGlobalObject.cpp:
1930         * runtime/JSNotAnObject.cpp:
1931         * runtime/JSNotAnObject.h:
1932         * runtime/JSPropertyNameIterator.cpp:
1933         * runtime/JSPropertyNameIterator.h:
1934         * runtime/JSSegmentedVariableObject.cpp:
1935         * runtime/JSSegmentedVariableObject.h:
1936         * runtime/JSSymbolTableObject.cpp:
1937         * runtime/JSSymbolTableObject.h:
1938         * runtime/JSTypeInfo.h:
1939         * runtime/JSVariableObject.cpp:
1940         * runtime/JSVariableObject.h:
1941         * runtime/PropertyTable.cpp:
1942         * runtime/PutPropertySlot.h:
1943         * runtime/SamplingCounter.cpp:
1944         * runtime/SamplingCounter.h:
1945         * runtime/Structure.cpp:
1946         * runtime/Structure.h:
1947         * runtime/StructureChain.cpp:
1948         * runtime/StructureChain.h:
1949         * runtime/StructureInlines.h:
1950         * runtime/StructureTransitionTable.h:
1951         * runtime/SymbolTable.cpp:
1952         * runtime/SymbolTable.h:
1953         * runtime/TypedArrayBase.h:
1954         * runtime/TypedArrayType.cpp:
1955         * runtime/TypedArrayType.h:
1956         * runtime/VM.cpp:
1957         * runtime/VM.h:
1958         * yarr/RegularExpression.cpp:
1959         * yarr/RegularExpression.h:
1960
1961 2014-03-14  Filip Pizlo  <fpizlo@apple.com>
1962
1963         Final FTL iOS build magic
1964         https://bugs.webkit.org/show_bug.cgi?id=130281
1965
1966         Reviewed by Michael Saboff.
1967
1968         * Configurations/Base.xcconfig: For now our LLVM headers are in /usr/local/LLVMForJavaScriptCore/include, which is the same as OS X.
1969         * Configurations/LLVMForJSC.xcconfig: We need to be more careful about how we specify library paths if we want to get the prioritization right. Also we need protobuf because things. :-/
1970
1971 2014-03-14  Joseph Pecoraro  <pecoraro@apple.com>
1972
1973         Web Inspector: Gracefully handle nil name -[JSContext setName:]
1974         https://bugs.webkit.org/show_bug.cgi?id=130262
1975
1976         Reviewed by Mark Hahnenberg.
1977
1978         * API/JSContext.mm:
1979         (-[JSContext setName:]):
1980         Gracefully handle nil input.
1981
1982         * API/tests/testapi.c:
1983         (globalContextNameTest):
1984         * API/tests/testapi.mm:
1985         Test for nil / NULL names in the ObjC and C APIs.
1986
1987 2014-03-11  Oliver Hunt  <oliver@apple.com>
1988
1989         Improve dom error messages
1990         https://bugs.webkit.org/show_bug.cgi?id=130103
1991
1992         Reviewed by Andreas Kling.
1993
1994         Add new helper function.
1995
1996         * runtime/Error.h:
1997         (JSC::throwVMTypeError):
1998
1999 2014-03-14  László Langó  <llango.u-szeged@partner.samsung.com>
2000
2001         Remove unused method declaration.
2002         https://bugs.webkit.org/show_bug.cgi?id=130238
2003
2004         Reviewed by Filip Pizlo.
2005
2006         The implementation of CallFrame::dumpCaller was removed in
2007         http://trac.webkit.org/changeset/153183, but the declaration of it was not.
2008
2009         * interpreter/CallFrame.h:
2010         Remove CallFrame::dumpCaller() method declaration.
2011
2012 2014-03-12  Sergio Villar Senin  <svillar@igalia.com>
2013
2014         Rename DEFINE_STATIC_LOCAL to DEPRECATED_DEFINE_STATIC_LOCAL
2015         https://bugs.webkit.org/show_bug.cgi?id=129612
2016
2017         Reviewed by Darin Adler.
2018
2019         For new code use static NeverDestroyed<T> instead.
2020
2021         * API/JSAPIWrapperObject.mm:
2022         (jsAPIWrapperObjectHandleOwner):
2023         * API/JSManagedValue.mm:
2024         (managedValueHandleOwner):
2025         * inspector/agents/InspectorDebuggerAgent.cpp:
2026         (Inspector::objectGroupForBreakpointAction):
2027         * inspector/scripts/CodeGeneratorInspectorStrings.py:
2028         * interpreter/JSStack.cpp:
2029         (JSC::stackStatisticsMutex):
2030         * jit/ExecutableAllocator.cpp:
2031         (JSC::DemandExecutableAllocator::allocators):
2032
2033 2014-03-12  Gavin Barraclough  <barraclough@apple.com>
2034
2035         Reduce memory use for static property maps
2036         https://bugs.webkit.org/show_bug.cgi?id=129986
2037
2038         Reviewed by Andreas Kling.
2039
2040         Static property tables are currently duplicated on first use from read-only memory into dirty memory
2041         in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse
2042         (we use a custom hash table without a rehash) a lot of memory may be wasted.
2043
2044         First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps
2045         from string hashes to indices into a densely packed array of values. Compute the index table at
2046         compile time as a part of the derived sources step, such that this may be read-only data.
2047
2048         Second, don't copy all data from the HashTableValue array into a HashEntry objects. Instead refer
2049         directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the
2050         keys, which are Identifiers.
2051
2052         * create_hash_table:
2053             - emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep).
2054         * parser/Lexer.cpp:
2055         (JSC::Lexer<LChar>::parseIdentifier):
2056         (JSC::Lexer<UChar>::parseIdentifier):
2057         (JSC::Lexer<T>::parseIdentifierSlowCase):
2058             - HashEntry -> HashTableValue.
2059         * parser/Lexer.h:
2060         (JSC::Keywords::getKeyword):
2061             - HashEntry -> HashTableValue.
2062         * runtime/ClassInfo.h:
2063             - removed HashEntry.
2064         * runtime/JSObject.cpp:
2065         (JSC::getClassPropertyNames):
2066             - use HashTable::ConstIterator.
2067         (JSC::JSObject::put):
2068         (JSC::JSObject::deleteProperty):
2069         (JSC::JSObject::findPropertyHashEntry):
2070             - HashEntry -> HashTableValue.
2071         (JSC::JSObject::reifyStaticFunctionsForDelete):
2072             - changed HashTable::ConstIterator interface.
2073         * runtime/JSObject.h:
2074             - HashEntry -> HashTableValue.
2075         * runtime/Lookup.cpp:
2076         (JSC::HashTable::createTable):
2077             - table -> keys, keys array is now densely packed.
2078         (JSC::HashTable::deleteTable):
2079             - table -> keys.
2080         (JSC::setUpStaticFunctionSlot):
2081             - HashEntry -> HashTableValue.
2082         * runtime/Lookup.h:
2083         (JSC::HashTableValue::builtinGenerator):
2084         (JSC::HashTableValue::function):
2085         (JSC::HashTableValue::functionLength):
2086         (JSC::HashTableValue::propertyGetter):
2087         (JSC::HashTableValue::propertyPutter):
2088         (JSC::HashTableValue::lexerValue):
2089             - added accessor methods from HashEntry.
2090         (JSC::HashTable::copy):
2091             - fields changed.
2092         (JSC::HashTable::initializeIfNeeded):
2093             - table -> keys.
2094         (JSC::HashTable::entry):
2095             - HashEntry -> HashTableValue.
2096         (JSC::HashTable::ConstIterator::ConstIterator):
2097             - iterate packed value array, so no need to skipInvalidKeys().
2098         (JSC::HashTable::ConstIterator::value):
2099         (JSC::HashTable::ConstIterator::key):
2100         (JSC::HashTable::ConstIterator::operator->):
2101             - accessors now get HashTableValue/StringImpl* separately.
2102         (JSC::HashTable::ConstIterator::operator++):
2103             - iterate packed value array, so no need to skipInvalidKeys().
2104         (JSC::HashTable::end):
2105             - end is now size of dense not sparse array.
2106         (JSC::getStaticPropertySlot):
2107         (JSC::getStaticFunctionSlot):
2108         (JSC::getStaticValueSlot):
2109         (JSC::putEntry):
2110         (JSC::lookupPut):
2111             - HashEntry -> HashTableValue.
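
The table layout this entry describes, as an added example that is not WebKit's code or its create_hash_table script: a sparse index built once "at compile time", whose slots hold an index into a densely packed value array plus a chain link, so that the sparse part can stay read-only and only the dense keys and values are touched at lookup time. The string hash (FNV-1a), the power-of-two sizing rule and all helper names are assumptions of this example; JSC uses its own hasher, sizing and Identifier keys.

```javascript
// Added example, not code from the WebKit ChangeLog or from JavaScriptCore.
// FNV-1a 32-bit string hash; an assumption of this example, JSC uses its own.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h = Math.imul(h ^ str.charCodeAt(i), 0x01000193);
  }
  return h >>> 0;
}

// "Compile time": keys and values stay dense, in declaration order; the sparse
// index maps hash buckets to dense indices. index[i] = { value, next }, where
// value is a dense index or -1 (empty) and next is another index slot or -1.
// Chain slots are appended after the primary buckets, so only collisions grow
// the table and the walk from a bucket follows `next` links.
function buildStaticTable(entries, hash = fnv1a32) {
  const keys = entries.map((e) => e.name);
  const values = entries.map((e) => e.value);
  let compactSize = 1; // smallest power of two keeping load factor <= 0.5
  while (compactSize < entries.length * 2) compactSize <<= 1;
  const mask = compactSize - 1;
  const index = Array.from({ length: compactSize }, () => ({ value: -1, next: -1 }));
  entries.forEach((e, denseIdx) => {
    let slot = hash(e.name) & mask;
    if (index[slot].value === -1) {
      index[slot].value = denseIdx;
      return;
    }
    while (index[slot].next !== -1) slot = index[slot].next; // end of chain
    index[slot].next = index.length;
    index.push({ value: denseIdx, next: -1 });
  });
  return { keys, values, index, mask, hash };
}

// "Run time": hash, probe the primary bucket, follow the chain comparing keys.
function lookupStatic(table, name) {
  let slot = table.hash(name) & table.mask;
  if (table.index[slot].value === -1) return undefined;
  while (slot !== -1) {
    const { value, next } = table.index[slot];
    if (table.keys[value] === name) return table.values[value];
    slot = next;
  }
  return undefined;
}

// The depth the generator has to keep an eye on: longest chain from any bucket.
function longestChain(table) {
  let longest = 0;
  for (let b = 0; b <= table.mask; b++) {
    let len = 0;
    for (let s = b; s !== -1 && table.index[s].value !== -1; s = table.index[s].next) len++;
    longest = Math.max(longest, len);
  }
  return longest;
}

// Constructed sample modelled on a Math-like static property table.
const SAMPLE_ENTRIES = ["abs", "ceil", "floor", "hypot", "max", "min", "sqrt"]
  .map((name) => ({ name, value: `impl:${name}` }));

const sampleTable = buildStaticTable(SAMPLE_ENTRIES);
console.log(lookupStatic(sampleTable, "hypot"), "longest chain:", longestChain(sampleTable));
```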
2112
2113 2014-03-13  Filip Pizlo  <fpizlo@apple.com>
2114
2115         Unreviewed, fix Mac no-FTL build.
2116
2117         * llvm/library/LLVMExports.cpp:
2118         (initializeAndGetJSCLLVMAPI):
2119
2120 2014-03-13  Juergen Ributzka  <juergen@apple.com>
2121
2122         Only export initializeAndGetJSCLLVMAPI from libllvmForJSC.dylib
2123         https://bugs.webkit.org/show_bug.cgi?id=130224
2124
2125         Reviewed by Filip Pizlo.
2126
2127         This limits the exported symbols to only initializeAndGetJSCLLVMAPI from
2128         the LLVM dylib. This allows the dylib to be safely used with other LLVM
2129         dylibs on the same system. It also reduces the dynamic linking overhead
2130         and also reduces the size by 6MB, because the linker can now dead strip
2131         many unused functions.
2132
2133         * Configurations/LLVMForJSC.xcconfig:
2134
2135 2014-03-13  Andreas Kling  <akling@apple.com>
2136
2137         VM::discardAllCode() should clear the RegExp cache.
2138         <https://webkit.org/b/130144>
2139
2140         Reviewed by Michael Saboff.
2141
2142         * runtime/VM.cpp:
2143         (JSC::VM::discardAllCode):
2144
2145 2014-03-13  Andreas Kling  <akling@apple.com>
2146
2147         Revert "Short-circuit JSGlobalObjectInspectorController when not inspecting."
2148         <https://webkit.org/b/129995>
2149
2150         This code path is not taken anymore on DYEB, and I can't explain why
2151         it was showing up in my profiles. Backing it out per JoePeck's suggestion.
2152
2153         * inspector/JSGlobalObjectInspectorController.cpp:
2154         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
2155
2156 2014-03-13  Filip Pizlo  <fpizlo@apple.com>
2157
2158         FTL should support IsBlah
2159         https://bugs.webkit.org/show_bug.cgi?id=130202
2160
2161         Reviewed by Geoffrey Garen.
2162
2163         * ftl/FTLCapabilities.cpp:
2164         (JSC::FTL::canCompile):
2165         * ftl/FTLIntrinsicRepository.h:
2166         * ftl/FTLLowerDFGToLLVM.cpp:
2167         (JSC::FTL::LowerDFGToLLVM::compileNode):
2168         (JSC::FTL::LowerDFGToLLVM::compileIsUndefined):
2169         (JSC::FTL::LowerDFGToLLVM::compileIsBoolean):
2170         (JSC::FTL::LowerDFGToLLVM::compileIsNumber):
2171         (JSC::FTL::LowerDFGToLLVM::compileIsString):
2172         (JSC::FTL::LowerDFGToLLVM::compileIsObject):
2173         (JSC::FTL::LowerDFGToLLVM::compileIsFunction):
2174         (JSC::FTL::LowerDFGToLLVM::compileStoreBarrier):
2175         (JSC::FTL::LowerDFGToLLVM::compileStoreBarrierWithNullCheck):
2176         (JSC::FTL::LowerDFGToLLVM::isNotCellOrMisc):
2177         (JSC::FTL::LowerDFGToLLVM::isNumber):
2178         (JSC::FTL::LowerDFGToLLVM::isNotNumber):
2179         (JSC::FTL::LowerDFGToLLVM::isBoolean):
2180         * ftl/FTLOSRExitCompiler.cpp:
2181         * tests/stress/is-undefined-exit-on-masquerader.js: Added.
2182         (bar):
2183         (foo):
2184         (test):
2185         * tests/stress/is-undefined-jettison-on-masquerader.js: Added.
2186         (foo):
2187         (test):
2188         * tests/stress/is-undefined-masquerader.js: Added.
2189         (foo):
2190         (test):
2191
2192 2014-03-13  Mark Lam  <mark.lam@apple.com>
2193
2194         JS benchmarks crash with a bus error on 32-bit x86.
2195         <https://webkit.org/b/130203>
2196
2197         Reviewed by Geoffrey Garen.
2198
2199         The issue is that generateGetByIdStub() can potentially use the same register
2200         for the JSValue base register and the target tag register.  After loading the
2201         tag value into the target tag register, the JSValue base address is lost.
2202         The code then proceeds to load the payload value using the base register, and
2203         this results in a crash.
2204
2205         The fix is to check if the base register is the same as the target tag register.
        If so, we should make a copy of the base register first before loading the tag
2207         value, and use the copy to load the payload value instead.
2208
2209         * jit/Repatch.cpp:
2210         (JSC::generateGetByIdStub):
2211
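The register-aliasing hazard that entry describes, modelled as an added example (this is not the code of jit/Repatch.cpp): a two-word JSValue load emitted once without the check and once with the copy-to-scratch fix, then run through a tiny register/memory model so the difference is observable. Register names, the 4-byte tag offset, the fault sentinel and the sample addresses are all constructed for the example.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <vector>

// Constructed model of a 32-bit JSValue load inside a GetById stub: the value
// is two words, payload at offset 0 and tag at offset 4 (example layout).
// Registers are small integers.
enum Reg { R0, R1, R2, R3, NumRegs };

struct Instr {
    enum Kind { Move, Load } kind;
    Reg dst;
    Reg src;     // Move: source register; Load: base register
    int offset;  // Load only
};

// Pre-fix ordering: load the tag first, then the payload through |base|.
// When |base| and |tag| are the same register, the tag load overwrites the
// base address before the payload load uses it.
std::vector<Instr> emitLoadJSValueUnchecked(Reg base, Reg tag, Reg payload)
{
    return {
        { Instr::Load, tag, base, 4 },
        { Instr::Load, payload, base, 0 },
    };
}

// Fixed ordering: if |base| aliases |tag|, copy the base to a scratch register
// first and load the payload through the copy. Non-aliased callers pay nothing.
std::vector<Instr> emitLoadJSValue(Reg base, Reg tag, Reg payload, Reg scratch)
{
    std::vector<Instr> code;
    Reg payloadBase = base;
    if (base == tag) {
        code.push_back({ Instr::Move, scratch, base, 0 });
        payloadBase = scratch;
    }
    code.push_back({ Instr::Load, tag, base, 4 });
    code.push_back({ Instr::Load, payload, payloadBase, 0 });
    return code;
}

// Executes a sequence against a register file and a word-addressed memory.
// A load from an unmapped address sets |faulted| and yields a sentinel; on
// real hardware that is the bus error the entry reports.
struct Machine {
    uint32_t regs[NumRegs] = {};
    std::map<uint32_t, uint32_t> memory;
    bool faulted = false;

    void run(const std::vector<Instr>& code)
    {
        for (const Instr& i : code) {
            if (i.kind == Instr::Move) {
                regs[i.dst] = regs[i.src];
                continue;
            }
            uint32_t addr = regs[i.src] + i.offset;
            auto it = memory.find(addr);
            if (it == memory.end()) {
                faulted = true;
                regs[i.dst] = 0xDEADBEEFu;
                continue;
            }
            regs[i.dst] = it->second;
        }
    }
};

struct Result {
    uint32_t tag;
    uint32_t payload;
    bool faulted;
};

// Runs the load with base and tag both in R0 (the aliased case), payload in R1,
// R2 as scratch, over a constructed JSValue at 0x1000.
Result runAliased(bool useFix)
{
    Machine m;
    const uint32_t valueAddr = 0x1000;
    m.memory[valueAddr + 0] = 42;          // payload word
    m.memory[valueAddr + 4] = 0xFFFFFFFAu; // constructed tag word
    m.regs[R0] = valueAddr;
    std::vector<Instr> code = useFix
        ? emitLoadJSValue(R0, R0, R1, R2)
        : emitLoadJSValueUnchecked(R0, R0, R1);
    m.run(code);
    return { m.regs[R0], m.regs[R1], m.faulted };
}

int main()
{
    Result before = runAliased(false);
    Result after = runAliased(true);
    std::printf("unchecked: faulted=%d payload=0x%x\n", before.faulted, before.payload);
    std::printf("fixed:     faulted=%d payload=%u tag=0x%x\n", after.faulted, after.payload, after.tag);
    return after.faulted ? 1 : 0;
}
```

The check costs one extra move only when the allocator happened to hand out the same register twice; the model shows the unchecked sequence dereferencing the tag word as an address, which is exactly the lost-base-address failure the entry describes.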
2212 2014-03-12  Filip Pizlo  <fpizlo@apple.com>
2213
2214         WebKit shouldn't crash on uniprocessor machines
2215         https://bugs.webkit.org/show_bug.cgi?id=130176
2216
2217         Reviewed by Michael Saboff.
2218         
2219         Previously the math for computing the number of JIT compiler threads would come up with
2220         zero threads on uniprocessor machines, and then the Worklist code would assert.
2221
2222         * runtime/Options.cpp:
2223         (JSC::computeNumberOfWorkerThreads):
2224         * runtime/Options.h:
2225
2226 2014-03-13  Radu Stavila  <stavila@adobe.com>
2227
2228         Webkit not building on XCode 5.1 due to garbage collection no longer being supported
2229         https://bugs.webkit.org/show_bug.cgi?id=130087
2230
2231         Reviewed by Mark Rowe.
2232
2233         Disable garbage collection on macosx when not using internal SDK.
2234
2235         * Configurations/Base.xcconfig:
2236
2237 2014-03-10  Darin Adler  <darin@apple.com>
2238
2239         Avoid copy-prone idiom "for (auto item : collection)"
2240         https://bugs.webkit.org/show_bug.cgi?id=129990
2241
2242         Reviewed by Geoffrey Garen.
2243
2244         * heap/CodeBlockSet.h:
2245         (JSC::CodeBlockSet::iterate): Use auto& to be sure we don't copy by accident.
2246         * inspector/ScriptDebugServer.cpp:
2247         (Inspector::ScriptDebugServer::dispatchBreakpointActionLog): Use auto* to
2248         make explicit that we are iterating through pointers.
2249         (Inspector::ScriptDebugServer::dispatchBreakpointActionSound): Ditto.
2250         (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe): Ditto.
2251         * inspector/agents/InspectorDebuggerAgent.cpp:
2252         (Inspector::InspectorDebuggerAgent::removeBreakpoint): Use auto&, and also
2253         get rid of an unneeded local variable.
2254
2255 2014-03-13  Brian Burg  <bburg@apple.com>
2256
2257         Web Inspector: Remove unused callId parameter from evaluateInWebInspector
2258         https://bugs.webkit.org/show_bug.cgi?id=129744
2259
2260         Reviewed by Timothy Hatcher.
2261
2262         * inspector/agents/InspectorAgent.cpp:
2263         (Inspector::InspectorAgent::enable):
2264         (Inspector::InspectorAgent::evaluateForTestInFrontend):
2265         * inspector/agents/InspectorAgent.h:
2266         * inspector/protocol/InspectorDomain.json:
2267
2268 2014-03-11  Filip Pizlo  <fpizlo@apple.com>
2269
2270         ASSERTION FAILED: node->op() == Phi || node->op() == SetArgument
2271         https://bugs.webkit.org/show_bug.cgi?id=130069
2272
2273         Reviewed by Geoffrey Garen.
2274         
2275         This was a great assertion, and it represents our strictest interpretation of the rules of
2276         our intermediate representation. However, fixing DCE to actually preserve the relevant
2277         property would be hard, and it wouldn't have an observable effect right now because nobody
        actually uses the property of CPS that this assertion is checking for.
2279         
2280         In particular, we do always require, and rely on, the fact that non-captured variables
2281         have variablesAtTail refer to the last interesting use of the variable: a SetLocal if the
2282         block assigns to the variable, a GetLocal if it only reads from it, and a Flush,
2283         PhantomLocal, or Phi otherwise. We do preserve this property successfully and DCE was not
2284         broken in this regard. But, in the strictest sense, CPS also means that for captured
2285         variables, variablesAtTail also continues to point to the last relevant use of the
2286         variable. In particular, if there are multiple GetLocals, then it should point to the last
2287         one. This is hard for DCE to preserve. Also, nobody relies on variablesAtTail for captured
2288         variables, except to check the VariableAccessData; but in that case, we don't really need
2289         the *last* relevant use of the variable - any node that mentions the same variable will do
2290         just fine.
2291         
2292         So, this change loosens the assertion and adds a detailed FIXME describing what we would
2293         have to do if we wanted to preserve the more strict property.
2294         
2295         This also makes changes to various debug printing paths so that validation doesn't crash
2296         during graph dump. This also adds tests for the interesting cases of DCE failing to
2297         preserve CPS in the strictest sense. This also attempts to win the record for longest test
2298         name.
2299
2300         * bytecode/CodeBlock.cpp:
2301         (JSC::CodeBlock::hashAsStringIfPossible):
2302         (JSC::CodeBlock::dumpAssumingJITType):
2303         * bytecode/CodeBlock.h:
2304         * bytecode/CodeOrigin.cpp:
2305         (JSC::InlineCallFrame::hashAsStringIfPossible):
2306         (JSC::InlineCallFrame::dumpBriefFunctionInformation):
2307         * bytecode/CodeOrigin.h:
2308         * dfg/DFGCPSRethreadingPhase.cpp:
2309         (JSC::DFG::CPSRethreadingPhase::run):
2310         * dfg/DFGDCEPhase.cpp:
2311         (JSC::DFG::DCEPhase::cleanVariables):
2312         * dfg/DFGInPlaceAbstractState.cpp:
2313         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
2314         * runtime/FunctionExecutableDump.cpp:
2315         (JSC::FunctionExecutableDump::dump):
2316         * tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store-in-function-with-multiple-basic-blocks.js: Added.
2317         (foo):
2318         * tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store.js: Added.
2319         (foo):
2320
2321 2014-03-12  Brian Burg  <bburg@apple.com>
2322
2323         Web Replay: add infrastructure for memoizing nondeterministic DOM APIs
2324         https://bugs.webkit.org/show_bug.cgi?id=129445
2325
2326         Reviewed by Timothy Hatcher.
2327
2328         There was a bug in the replay inputs code generator that would include
2329         headers for definitions of enum classes, even though they can be safely
2330         forward-declared.
2331
2332         * replay/scripts/CodeGeneratorReplayInputs.py:
2333         (Generator.generate_includes): Only include for copy constructor if the
2334         type is a heavy scalar (i.e., String, URL), not a normal scalar
2335         (i.e., int, double, enum classes).
2336
2337         (Generator.generate_type_forward_declarations): Forward-declare scalars
2338         that are enums or enum classes.
2339
2340 2014-03-12  Joseph Pecoraro  <pecoraro@apple.com>
2341
2342         Web Inspector: Disable REMOTE_INSPECTOR in earlier OS X releases
2343         https://bugs.webkit.org/show_bug.cgi?id=130118
2344
2345         Reviewed by Timothy Hatcher.
2346
2347         * Configurations/FeatureDefines.xcconfig:
2348
2349 2014-03-12  Joseph Pecoraro  <pecoraro@apple.com>
2350
2351         Web Inspector: Hang in Remote Inspection triggering breakpoint from console
2352         https://bugs.webkit.org/show_bug.cgi?id=130032
2353
2354         Reviewed by Timothy Hatcher.
2355
2356         * inspector/EventLoop.h:
2357         * inspector/EventLoop.cpp:
2358         (Inspector::EventLoop::remoteInspectorRunLoopMode):
2359         (Inspector::EventLoop::cycle):
2360         Expose the run loop mode name so it can be used if needed by others.
2361
2362         * inspector/remote/RemoteInspectorDebuggableConnection.h:
2363         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
2364         (Inspector::RemoteInspectorBlock::RemoteInspectorBlock):
2365         (Inspector::RemoteInspectorBlock::~RemoteInspectorBlock):
2366         (Inspector::RemoteInspectorBlock::operator=):
2367         (Inspector::RemoteInspectorBlock::operator()):
2368         (Inspector::RemoteInspectorQueueTask):
2369         Instead of a dispatch_queue, have our own static Vector of debugger tasks.
2370
2371         (Inspector::RemoteInspectorHandleRunSource):
2372         (Inspector::RemoteInspectorInitializeQueue):
2373         Initialize the static queue and run loop source. When the run loop source
2374         fires, it will exhaust the queue of debugger messages.
2375
2376         (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
2377         (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
2378         When we get a debuggable connection add a run loop source for inspector commands.
2379
2380         (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
2381         (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
2382         Enqueue blocks on our Vector instead of our dispatch_queue.
2383
2384 2014-03-12  Commit Queue  <commit-queue@webkit.org>
2385
2386         Unreviewed, rolling out r165482.
2387         https://bugs.webkit.org/show_bug.cgi?id=130157
2388
2389         Broke the windows build; "error C2466: cannot allocate an
2390         array of constant size 0" (Requested by jernoble on #webkit).
2391
2392         Reverted changeset:
2393
2394         "Reduce memory use for static property maps"
2395         https://bugs.webkit.org/show_bug.cgi?id=129986
2396         http://trac.webkit.org/changeset/165482
2397
2398 2014-03-12  Mark Hahnenberg  <mhahnenberg@apple.com>
2399
2400         Remove HandleSet::m_nextToFinalize
2401         https://bugs.webkit.org/show_bug.cgi?id=130109
2402
2403         Reviewed by Mark Lam.
2404
2405         This is a remnant of when HandleSet contained things that needed to be finalized. 
2406
2407         * heap/HandleSet.cpp:
2408         (JSC::HandleSet::HandleSet):
2409         (JSC::HandleSet::writeBarrier):
2410         * heap/HandleSet.h:
2411         (JSC::HandleSet::allocate):
2412         (JSC::HandleSet::deallocate):
2413
2414 2014-03-12  Mark Hahnenberg  <mhahnenberg@apple.com>
2415
2416         Layout Test fast/workers/worker-gc.html is failing
2417         https://bugs.webkit.org/show_bug.cgi?id=130135
2418
2419         Reviewed by Geoffrey Garen.
2420
2421         When removing MarkedBlocks, we always expect them to be in the MarkedAllocator's 
2422         main list of blocks, i.e. not in the retired list. When shutting down the VM this
2423         wasn't always the case which was causing ASSERTs to fire. We should rearrange things 
2424         so that allocators are notified with lastChanceToFinalize. This will give them 
2425         the chance to move their retired blocks back into the main list before removing them all.
2426
2427         * heap/MarkedAllocator.cpp:
2428         (JSC::LastChanceToFinalize::operator()):
2429         (JSC::MarkedAllocator::lastChanceToFinalize):
2430         * heap/MarkedAllocator.h:
2431         * heap/MarkedSpace.cpp:
2432         (JSC::LastChanceToFinalize::operator()):
2433         (JSC::MarkedSpace::lastChanceToFinalize):
2434
2435 2014-03-12  Gavin Barraclough  <barraclough@apple.com>
2436
2437         Reduce memory use for static property maps
2438         https://bugs.webkit.org/show_bug.cgi?id=129986
2439
2440         Reviewed by Andreas Kling.
2441
2442         Static property tables are currently duplicated on first use from read-only memory into dirty memory
2443         in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse
2444         (we use a custom hash table without a rehash) a lot of memory may be wasted.
2445
2446         First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps
        from string hashes to indices into a densely packed array of values. Compute the index table at
2448         compile time as a part of the derived sources step, such that this may be read-only data.
2449
        Second, don't copy all data from the HashTableValue array into HashEntry objects. Instead, refer
2451         directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the
2452         keys, which are Identifiers.
2453
2454         * create_hash_table:
2455             - emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep).
2456         * parser/Lexer.cpp:
2457         (JSC::Lexer<LChar>::parseIdentifier):
2458         (JSC::Lexer<UChar>::parseIdentifier):
2459         (JSC::Lexer<T>::parseIdentifierSlowCase):
2460             - HashEntry -> HashTableValue.
2461         * parser/Lexer.h:
2462         (JSC::Keywords::getKeyword):
2463             - HashEntry -> HashTableValue.
2464         * runtime/ClassInfo.h:
2465             - removed HashEntry.
2466         * runtime/JSObject.cpp:
2467         (JSC::getClassPropertyNames):
2468             - use HashTable::ConstIterator.
2469         (JSC::JSObject::put):
2470         (JSC::JSObject::deleteProperty):
2471         (JSC::JSObject::findPropertyHashEntry):
2472             - HashEntry -> HashTableValue.
2473         (JSC::JSObject::reifyStaticFunctionsForDelete):
2474             - changed HashTable::ConstIterator interface.
2475         * runtime/JSObject.h:
2476             - HashEntry -> HashTableValue.
2477         * runtime/Lookup.cpp:
2478         (JSC::HashTable::createTable):
2479             - table -> keys, keys array is now densely packed.
2480         (JSC::HashTable::deleteTable):
2481             - table -> keys.
2482         (JSC::setUpStaticFunctionSlot):
2483             - HashEntry -> HashTableValue.
2484         * runtime/Lookup.h:
2485         (JSC::HashTableValue::builtinGenerator):
2486         (JSC::HashTableValue::function):
2487         (JSC::HashTableValue::functionLength):
2488         (JSC::HashTableValue::propertyGetter):
2489         (JSC::HashTableValue::propertyPutter):
2490         (JSC::HashTableValue::lexerValue):
2491             - added accessor methods from HashEntry.
2492         (JSC::HashTable::copy):
2493             - fields changed.
2494         (JSC::HashTable::initializeIfNeeded):
2495             - table -> keys.
2496         (JSC::HashTable::entry):
2497             - HashEntry -> HashTableValue.
2498         (JSC::HashTable::ConstIterator::ConstIterator):
2499             - iterate packed value array, so no need to skipInvalidKeys().
2500         (JSC::HashTable::ConstIterator::value):
2501         (JSC::HashTable::ConstIterator::key):
2502         (JSC::HashTable::ConstIterator::operator->):
2503             - accessors now get HashTableValue/StringImpl* separately.
2504         (JSC::HashTable::ConstIterator::operator++):
2505             - iterate packed value array, so no need to skipInvalidKeys().
2506         (JSC::HashTable::end):
2507             - end is now size of dense not sparse array.
2508         (JSC::getStaticPropertySlot):
2509         (JSC::getStaticFunctionSlot):
2510         (JSC::getStaticValueSlot):
2511         (JSC::putEntry):
2512         (JSC::lookupPut):
2513             - HashEntry -> HashTableValue.
2514
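As an added illustration of the index-table scheme the entry above describes (example code, not JavaScriptCore's Lookup.h or the output of create_hash_table): a sparse index of hash slots, chained on collision, that points into a densely packed value array which can stay read-only, with a lookup that walks the chain. The FNV-1a hash, the StaticValue/IndexEntry/StaticTable names and the sample keys are constructed for the example; the 48-byte per-slot figure for the old layout is the one the entry gives, and the memory comparison is a model, not a measurement.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// One static property. A real HashTableValue carries a function pointer,
// attribute bits and an argument count; an int stands in for those here.
struct StaticValue {
    const char* key;
    int value;
};

// Densely packed value array: one entry per property, no holes, so it can
// live in read-only data. Keys and values are constructed for the example.
static const StaticValue kValues[] = {
    { "length", 1 }, { "push", 2 }, { "pop", 3 }, { "slice", 4 },
    { "splice", 5 }, { "indexOf", 6 }, { "join", 7 },
};
static const int kValueCount = static_cast<int>(sizeof(kValues) / sizeof(kValues[0]));

// FNV-1a; a stand-in for the string hash JSC actually uses.
inline uint32_t hashKey(const char* s)
{
    uint32_t h = 2166136261u;
    for (; *s; ++s) {
        h ^= static_cast<unsigned char>(*s);
        h *= 16777619u;
    }
    return h;
}

// One slot of the sparse index: which packed value it refers to (-1 if empty)
// and the slot that continues the chain on a collision (-1 if none).
struct IndexEntry {
    int valueIndex;
    int next;
};

class StaticTable {
public:
    // compactSize must be a power of two. In the real scheme create_hash_table
    // emits this index as a constant array at build time; computing it at
    // construction keeps the example self-contained.
    StaticTable(const StaticValue* values, int count, int compactSize)
        : m_values(values), m_count(count), m_mask(compactSize - 1),
          m_index(compactSize, IndexEntry{ -1, -1 })
    {
        for (int i = 0; i < count; ++i) {
            int slot = static_cast<int>(hashKey(values[i].key) & m_mask);
            if (m_index[slot].valueIndex == -1) {
                m_index[slot].valueIndex = i;
                continue;
            }
            // Collision: walk to the chain's end, append an overflow slot
            // beyond the compact region and link it in.
            while (m_index[slot].next != -1)
                slot = m_index[slot].next;
            m_index[slot].next = static_cast<int>(m_index.size());
            m_index.push_back(IndexEntry{ i, -1 });
        }
    }

    // Follow the chain from the key's home slot; nullptr when absent.
    const StaticValue* find(const char* key) const
    {
        int slot = static_cast<int>(hashKey(key) & m_mask);
        for (;;) {
            int v = m_index[slot].valueIndex;
            if (v == -1)
                return nullptr;
            if (!std::strcmp(m_values[v].key, key))
                return &m_values[v];
            if (m_index[slot].next == -1)
                return nullptr;
            slot = m_index[slot].next;
        }
    }

    int indexSlots() const { return static_cast<int>(m_index.size()); }

    // Model of per-process dirty memory. Old scheme: every sparse slot held a
    // full 48-byte HashEntry copied out of read-only data on first use.
    size_t oldDirtyBytes() const { return static_cast<size_t>(m_mask + 1) * 48; }
    // New scheme: only the keys (one Identifier pointer per packed value) are
    // created at runtime; the index and the values stay read-only.
    size_t newDirtyBytes() const { return static_cast<size_t>(m_count) * sizeof(void*); }

private:
    const StaticValue* m_values;
    int m_count;
    uint32_t m_mask;
    std::vector<IndexEntry> m_index;
};

// Shared table over the sample values, 16 compact slots.
const StaticTable& arrayTable()
{
    static const StaticTable table(kValues, kValueCount, 16);
    return table;
}

// Value stored under |key|, or -1 when it is not a static property.
int lookupValue(const char* key)
{
    const StaticValue* v = arrayTable().find(key);
    return v ? v->value : -1;
}

// Every packed value must be reachable, and find() must hand back a pointer
// into the packed array rather than a copy.
bool allKeysResolve()
{
    for (int i = 0; i < kValueCount; ++i) {
        if (arrayTable().find(kValues[i].key) != &kValues[i])
            return false;
    }
    return true;
}

int main()
{
    std::printf("push -> %d, missing -> %d\n", lookupValue("push"), lookupValue("missing"));
    std::printf("old dirty bytes: %zu, new dirty bytes: %zu\n",
                arrayTable().oldDirtyBytes(), arrayTable().newDirtyBytes());
    return allKeysResolve() ? 0 : 1;
}
```

Constructing the table with a compact size smaller than the key count forces overflow slots, which is the chaining path the build-time generator already had to reason about to keep chains short.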
2515 2014-03-11  Filip Pizlo  <fpizlo@apple.com>
2516
2517         It should be possible to build WebKit with FTL on iOS
2518         https://bugs.webkit.org/show_bug.cgi?id=130116
2519
2520         Reviewed by Dan Bernstein.
2521
2522         * Configurations/Base.xcconfig:
2523
2524 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
2525
2526         GetById list caching should use something object-oriented rather than PolymorphicAccessStructureList
2527         https://bugs.webkit.org/show_bug.cgi?id=129778
2528
2529         Reviewed by Geoffrey Garen.
2530         
2531         Also deduplicate the GetById getter call caching. Also add some small tests for
2532         get stubs.
2533         
2534         This change reduces the amount of code involved in GetById access caching and it
2535         creates data structures that can serve as an elegant scaffold for introducing other
2536         kinds of caches or improving current caching styles. It will definitely make getter
2537         performance improvements easier to implement.
2538
2539         * CMakeLists.txt:
2540         * GNUmakefile.list.am:
2541         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2542         * JavaScriptCore.xcodeproj/project.pbxproj:
2543         * bytecode/CodeBlock.cpp:
2544         (JSC::CodeBlock::printGetByIdCacheStatus):
2545         * bytecode/GetByIdStatus.cpp:
2546         (JSC::GetByIdStatus::computeForStubInfo):
2547         * bytecode/PolymorphicGetByIdList.cpp: Added.
2548         (JSC::GetByIdAccess::GetByIdAccess):
2549         (JSC::GetByIdAccess::~GetByIdAccess):
2550         (JSC::GetByIdAccess::fromStructureStubInfo):
2551         (JSC::GetByIdAccess::visitWeak):
2552         (JSC::PolymorphicGetByIdList::PolymorphicGetByIdList):
2553         (JSC::PolymorphicGetByIdList::from):
2554         (JSC::PolymorphicGetByIdList::~PolymorphicGetByIdList):
2555         (JSC::PolymorphicGetByIdList::currentSlowPathTarget):
2556         (JSC::PolymorphicGetByIdList::addAccess):
2557         (JSC::PolymorphicGetByIdList::isFull):
2558         (JSC::PolymorphicGetByIdList::isAlmostFull):
2559         (JSC::PolymorphicGetByIdList::didSelfPatching):
2560         (JSC::PolymorphicGetByIdList::visitWeak):
2561         * bytecode/PolymorphicGetByIdList.h: Added.
2562         (JSC::GetByIdAccess::GetByIdAccess):
2563         (JSC::GetByIdAccess::isSet):
2564         (JSC::GetByIdAccess::operator!):
2565         (JSC::GetByIdAccess::type):
2566         (JSC::GetByIdAccess::structure):
2567         (JSC::GetByIdAccess::chain):
2568         (JSC::GetByIdAccess::chainCount):
2569         (JSC::GetByIdAccess::stubRoutine):
2570         (JSC::GetByIdAccess::doesCalls):
2571         (JSC::PolymorphicGetByIdList::isEmpty):
2572         (JSC::PolymorphicGetByIdList::size):
2573         (JSC::PolymorphicGetByIdList::at):
2574         (JSC::PolymorphicGetByIdList::operator[]):
2575         * bytecode/StructureStubInfo.cpp:
2576         (JSC::StructureStubInfo::deref):
2577         (JSC::StructureStubInfo::visitWeakReferences):
2578         * bytecode/StructureStubInfo.h:
2579         (JSC::isGetByIdAccess):
2580         (JSC::StructureStubInfo::initGetByIdList):
2581         * jit/Repatch.cpp:
2582         (JSC::generateGetByIdStub):
2583         (JSC::tryCacheGetByID):
2584         (JSC::patchJumpToGetByIdStub):
2585         (JSC::tryBuildGetByIDList):
2586         (JSC::tryBuildPutByIdList):
2587         * tests/stress/getter.js: Added.
2588         (foo):
2589         (.o):
2590         * tests/stress/polymorphic-prototype-accesses.js: Added.
2591         (Foo):
2592         (Bar):
2593         (foo):
2594         * tests/stress/prototype-getter.js: Added.
2595         (Foo):
2596         (foo):
2597         * tests/stress/simple-prototype-accesses.js: Added.
2598         (Foo):
2599         (foo):
2600
2601 2014-03-11  Mark Hahnenberg  <mhahnenberg@apple.com>
2602
2603         MarkedBlocks that are "full enough" shouldn't be swept after EdenCollections
2604         https://bugs.webkit.org/show_bug.cgi?id=129920
2605
2606         Reviewed by Geoffrey Garen.
2607
2608         This patch introduces the notion of "retiring" MarkedBlocks. We retire a MarkedBlock
2609         when the amount of free space in a MarkedBlock drops below a certain threshold.
2610         Retired blocks are not considered for sweeping.
2611
2612         This is profitable because it reduces churn during sweeping. To build a free list, 
2613         we have to scan through each cell in a block. After a collection, all objects that 
2614         are live in the block will remain live until the next FullCollection, at which time
2615         we un-retire all previously retired blocks. Thus, a small number of objects in a block
        that die during each EdenCollection could cause us to do a disproportionate amount of 
2617         sweeping for how much free memory we get back.
2618
2619         This patch looks like a consistent ~2% progression on boyer and is neutral everywhere else.
2620
2621         * heap/Heap.h:
2622         (JSC::Heap::didRetireBlockWithFreeListSize):
2623         * heap/MarkedAllocator.cpp:
2624         (JSC::MarkedAllocator::tryAllocateHelper):
2625         (JSC::MarkedAllocator::removeBlock):
2626         (JSC::MarkedAllocator::reset):
2627         * heap/MarkedAllocator.h:
2628         (JSC::MarkedAllocator::MarkedAllocator):
2629         (JSC::MarkedAllocator::forEachBlock):
2630         * heap/MarkedBlock.cpp:
2631         (JSC::MarkedBlock::sweepHelper):
2632         (JSC::MarkedBlock::clearMarksWithCollectionType):
2633         (JSC::MarkedBlock::didRetireBlock):
2634         * heap/MarkedBlock.h:
2635         (JSC::MarkedBlock::willRemoveBlock):
2636         (JSC::MarkedBlock::isLive):
2637         * heap/MarkedSpace.cpp:
2638         (JSC::MarkedSpace::clearNewlyAllocated):
2639         (JSC::MarkedSpace::clearMarks):
2640         * runtime/Options.h:
2641
2642 2014-03-11  Andreas Kling  <akling@apple.com>
2643
2644         Streamline PropertyTable for lookup-only access.
2645         <https://webkit.org/b/130060>
2646
2647         The PropertyTable lookup algorithm was written to support both read
2648         and write access. This wasn't actually needed in most places.
2649
2650         This change adds a PropertyTable::get() that just returns the value
2651         type (instead of an insertion iterator.) It also adds an early return
2652         for empty tables.
2653
2654         Finally, up the minimum table capacity from 8 to 16. It was lowered
2655         to 8 in order to save memory, but that was before PropertyTables were
2656         GC allocated. Nowadays we don't have nearly as many tables, since all
2657         the unpinned transitions die off.
2658
2659         Reviewed by Darin Adler.
2660
2661         * runtime/PropertyMapHashTable.h:
2662         (JSC::PropertyTable::get):
2663         * runtime/Structure.cpp:
2664         (JSC::Structure::despecifyDictionaryFunction):
2665         (JSC::Structure::attributeChangeTransition):
2666         (JSC::Structure::get):
2667         (JSC::Structure::despecifyFunction):
2668         * runtime/StructureInlines.h:
2669         (JSC::Structure::get):
2670
2671 2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>
2672
2673         REGRESSION(r165407): DoYouEvenBench crashes in DRT
2674         https://bugs.webkit.org/show_bug.cgi?id=130066
2675
2676         Reviewed by Geoffrey Garen.
2677
2678         The baseline JIT does a conditional store barrier for the put_by_id, but we need 
2679         an unconditional store barrier so that we cover the butterfly case as well in emitPutTransitionStub.
2680
2681         * jit/JIT.h:
2682         * jit/JITPropertyAccess.cpp:
2683         (JSC::JIT::emit_op_put_by_id):
2684         (JSC::JIT::emitWriteBarrier):
2685
2686 2014-03-10  Mark Lam  <mark.lam@apple.com>
2687
2688         Resurrect bit-rotted JIT::probe() mechanism.
2689         <https://webkit.org/b/130067>
2690
2691         Reviewed by Geoffrey Garen.
2692
2693         * jit/JITStubs.cpp:
2694         - Added the needed #include <wtf/InlineASM.h>.
2695
2696 2014-03-10  Joseph Pecoraro  <pecoraro@apple.com>
2697
2698         Fix typo in EXCLUDED_SOURCE_FILE_NAMES_iphoneos.
2699
2700         Rubber-stamped by Dan Bernstein.
2701
2702         * Configurations/JavaScriptCore.xcconfig:
2703
2704 2014-03-10  Mark Lam  <mark.lam@apple.com>
2705
2706         r165414 broke the 32-bit x86 tests: ASSERTION FAILED: result != InvalidIndex @ GPRInfo.h:330.
2707         <https://webkit.org/b/130065>
2708
2709         Reviewed by Michael Saboff.
2710
2711         There is code in ScratchRegisterAllocator.cpp that is relying on GPRInfo::toIndex()
2712         being able to return InvalidIndex.  Hence, the assertion is invalid.  Ditto for
2713         FPRInfo::toIndex().
2714
2715         The fix is to remove the "result != InvalidIndex" assertions.
2716
2717         * jit/FPRInfo.h:
2718         (JSC::FPRInfo::toIndex):
2719         * jit/GPRInfo.h:
2720         (JSC::GPRInfo::toIndex):
2721
2722 2014-03-10  Mark Lam  <mark.lam@apple.com>
2723
2724         Crash on a stack overflow on 32-bit x86 in http/tests/websocket/tests/hybi/workers/no-onmessage-in-sync-op.html.
2725         <https://webkit.org/b/129955>
2726
2727         Reviewed by Geoffrey Garen.
2728
        The 32-bit x86 version of getHostCallReturnValue() was leaking 16 bytes of
2730         stack memory every time it was called.  This is now fixed.
2731
2732         * jit/JITOperations.cpp:
2733
2734 2014-03-10  Joseph Pecoraro  <pecoraro@apple.com>
2735
2736         Better JSContext API for named evaluations (other than //# sourceURL)
2737         https://bugs.webkit.org/show_bug.cgi?id=129911
2738
2739         Reviewed by Geoffrey Garen.
2740
2741         * API/JSBase.h:
2742         * API/JSContext.h:
2743         * API/JSContext.mm:
2744         (-[JSContext evaluateScript:]):
2745         (-[JSContext evaluateScript:withSourceURL:]):
2746         Add new evaluateScript:withSourceURL:.
2747
2748         * API/tests/testapi.c:
2749         (main):
2750         * API/tests/testapi.mm:
2751         (testObjectiveCAPI):
2752         Add tests for sourceURL in evaluate APIs. It should
2753         affect the exception objects.
2754
2755 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
2756
2757         Repatch should save and restore all used registers - not just temp ones - when making a call
2758         https://bugs.webkit.org/show_bug.cgi?id=130041
2759
2760         Reviewed by Geoffrey Garen and Mark Hahnenberg.
2761         
2762         The save/restore code was written back when the only client was the DFG, which only uses a
2763         subset of hardware registers: the "temp" registers in our lingo. But the FTL may use many
2764         other registers, especially on ARM64. The fact that Repatch doesn't know to save those can
2765         lead to data corruption on ARM64. 
2766
2767         * jit/RegisterSet.cpp:
2768         (JSC::RegisterSet::calleeSaveRegisters):
2769         (JSC::RegisterSet::numberOfSetGPRs):
2770         (JSC::RegisterSet::numberOfSetFPRs):
2771         * jit/RegisterSet.h:
2772         * jit/Repatch.cpp:
2773         (JSC::storeToWriteBarrierBuffer):
2774         (JSC::emitPutTransitionStub):
2775         * jit/ScratchRegisterAllocator.cpp:
2776         (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
2777         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
2778         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
2779         (JSC::ScratchRegisterAllocator::usedRegistersForCall):
2780         (JSC::ScratchRegisterAllocator::desiredScratchBufferSizeForCall):
2781         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
2782         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
2783         * jit/ScratchRegisterAllocator.h:
2784
2785 2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>
2786
2787         Remove ConditionalStore barrier
2788         https://bugs.webkit.org/show_bug.cgi?id=130040
2789
2790         Reviewed by Geoffrey Garen.
2791
2792         ConditionalStoreBarrier was created when barriers were much more expensive. Now that 
2793         they're cheap(er), we can get rid of them. This also allows us to get rid of the write 
2794         barrier logic in emitPutTransitionStub because we always will have executed a write barrier 
2795         on the base object in the case where we are allocating and storing a new Butterfly into it. 
2796         Previously, a ConditionalStoreBarrier might or might not have barrier-ed the base object, 
2797         so we'd have to emit a write barrier in the transition case.
2798
2799         This is performance neutral on the benchmarks we track.
2800
2801         * dfg/DFGAbstractInterpreterInlines.h:
2802         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2803         * dfg/DFGClobberize.h:
2804         (JSC::DFG::clobberize):
2805         * dfg/DFGConstantFoldingPhase.cpp:
2806         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2807         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2808         * dfg/DFGFixupPhase.cpp:
2809         (JSC::DFG::FixupPhase::fixupNode):
2810         (JSC::DFG::FixupPhase::insertStoreBarrier):
2811         * dfg/DFGNode.h:
2812         (JSC::DFG::Node::isStoreBarrier):
2813         * dfg/DFGNodeType.h:
2814         * dfg/DFGPredictionPropagationPhase.cpp:
2815         (JSC::DFG::PredictionPropagationPhase::propagate):
2816         * dfg/DFGSafeToExecute.h:
2817         (JSC::DFG::safeToExecute):
2818         * dfg/DFGSpeculativeJIT.cpp:
2819         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
2820         * dfg/DFGSpeculativeJIT32_64.cpp:
2821         (JSC::DFG::SpeculativeJIT::compile):
2822         * dfg/DFGSpeculativeJIT64.cpp:
2823         (JSC::DFG::SpeculativeJIT::compile):
2824         * ftl/FTLCapabilities.cpp:
2825         (JSC::FTL::canCompile):
2826         * ftl/FTLLowerDFGToLLVM.cpp:
2827         (JSC::FTL::LowerDFGToLLVM::compileNode):
2828         * jit/Repatch.cpp:
2829         (JSC::emitPutTransitionStub):
2830
2831 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
2832
2833         DFG and FTL should know that comparing anything to Misc is cheap and easy
2834         https://bugs.webkit.org/show_bug.cgi?id=130001
2835
2836         Reviewed by Geoffrey Garen.
2837         
2838         - Expand CompareStrictEq(Misc:, Misc:) to work for cases where either side of the
2839           comparison is just Untyped:.
2840         
2841         - This obviates the need for CompareStrictEqConstant, so remove it.
2842         
2843         - FTL had a thing called "Nully" which is really "Other". Rename it and add
2844           OtherUse.
2845         
2846         9% speed-up on box2d.
2847
2848         * dfg/DFGAbstractInterpreterInlines.h:
2849         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2850         * dfg/DFGByteCodeParser.cpp:
2851         (JSC::DFG::ByteCodeParser::parseBlock):
2852         * dfg/DFGClobberize.h:
2853         (JSC::DFG::clobberize):
2854         * dfg/DFGFixupPhase.cpp:
2855         (JSC::DFG::FixupPhase::fixupNode):
2856         * dfg/DFGNode.h:
2857         (JSC::DFG::Node::isBinaryUseKind):
2858         (JSC::DFG::Node::shouldSpeculateOther):
2859         * dfg/DFGNodeType.h:
2860         * dfg/DFGPredictionPropagationPhase.cpp:
2861         (JSC::DFG::PredictionPropagationPhase::propagate):
2862         * dfg/DFGSafeToExecute.h:
2863         (JSC::DFG::safeToExecute):
2864         * dfg/DFGSpeculativeJIT.cpp:
2865         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
2866         (JSC::DFG::SpeculativeJIT::compare):
2867         (JSC::DFG::SpeculativeJIT::compileStrictEq):
2868         * dfg/DFGSpeculativeJIT.h:
2869         * dfg/DFGSpeculativeJIT32_64.cpp:
2870         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
2871         (JSC::DFG::SpeculativeJIT::compile):
2872         * dfg/DFGSpeculativeJIT64.cpp:
2873         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
2874         (JSC::DFG::SpeculativeJIT::compile):
2875         * ftl/FTLCapabilities.cpp:
2876         (JSC::FTL::canCompile):
2877         * ftl/FTLLowerDFGToLLVM.cpp:
2878         (JSC::FTL::LowerDFGToLLVM::compileNode):
2879         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
2880         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
2881         (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
2882         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
2883         (JSC::FTL::LowerDFGToLLVM::isNotOther):
2884         (JSC::FTL::LowerDFGToLLVM::isOther):
2885         (JSC::FTL::LowerDFGToLLVM::speculate):
2886         (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
2887         (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
2888         (JSC::FTL::LowerDFGToLLVM::speculateOther):
2889         (JSC::FTL::LowerDFGToLLVM::speculateMisc):
2890         * tests/stress/compare-strict-eq-integer-to-misc.js: Added.
2891
2892 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
2893
2894         Unreviewed, remove unintended change.
2895
2896         * dfg/DFGDriver.cpp:
2897         (JSC::DFG::compileImpl):
2898
2899 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
2900
2901         jsc commandline shouldn't have a "console" because that confuses some tests into thinking
2902         that they're running in the browser.
2903
2904         Rubber stamped by Mark Hahnenberg.
2905
2906         * jsc.cpp:
2907         (GlobalObject::finishCreation):
2908
2909 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
2910
2911         Out-line ScratchRegisterAllocator
2912
2913         Rubber stamped by Mark Hahnenberg.
2914
2915         * CMakeLists.txt:
2916         * GNUmakefile.list.am:
2917         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2918         * JavaScriptCore.xcodeproj/project.pbxproj:
2919         * dfg/DFGDriver.cpp:
2920         (JSC::DFG::compileImpl):
2921         * jit/ScratchRegisterAllocator.cpp: Added.
2922         (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
2923         (JSC::ScratchRegisterAllocator::~ScratchRegisterAllocator):
2924         (JSC::ScratchRegisterAllocator::lock):
2925         (JSC::ScratchRegisterAllocator::allocateScratch):
2926         (JSC::ScratchRegisterAllocator::allocateScratchGPR):
2927         (JSC::ScratchRegisterAllocator::allocateScratchFPR):
2928         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
2929         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
2930         (JSC::ScratchRegisterAllocator::desiredScratchBufferSize):
2931         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
2932         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
2933         * jit/ScratchRegisterAllocator.h:
2934
2935 2014-03-10  Brent Fulgham  <bfulgham@apple.com>
2936
2937         [Win] Pass environment to Pre-Build, Pre-link, and Post-Build Stages.
2938         https://bugs.webkit.org/show_bug.cgi?id=130023
2939
2940         Reviewed by Dean Jackson.
2941
2942         * JavaScriptCore.vcxproj/JavaScriptCore.proj: Avoid trailing backslashes in
2943         path names to avoid accidental escaping of later string substitutions.
2944
2945 2014-03-10  Andreas Kling  <akling@apple.com>
2946
2947         [X86_64] Smaller code for testb_i8r when register is accumulator.
2948         <https://webkit.org/b/130026>
2949
2950         Generate the shorthand version of "test al, imm" when possible.
2951
2952         Reviewed by Michael Saboff.
2953
2954         * assembler/X86Assembler.h:
2955         (JSC::X86Assembler::testb_i8r):
2956
2957 2014-03-10  Andreas Kling  <akling@apple.com>
2958
2959         [X86_64] Smaller code for sub_ir when register is accumulator.
2960         <https://webkit.org/b/130025>
2961
2962         Generate the shorthand version of "sub eax, imm" when possible.
2963
2964         Reviewed by Michael Saboff.
2965
2966         * assembler/X86Assembler.h:
2967         (JSC::X86Assembler::subl_ir):
2968         (JSC::X86Assembler::subq_ir):
2969
2970 2014-03-10  Andreas Kling  <akling@apple.com>
2971
2972         [X86_64] Smaller code for add_ir when register is accumulator.
2973         <https://webkit.org/b/130024>
2974
2975         Generate the shorthand version of "add eax, imm" when possible.
2976
2977         Reviewed by Michael Saboff.
2978
2979         * assembler/X86Assembler.h:
2980         (JSC::X86Assembler::addl_ir):
2981         (JSC::X86Assembler::addq_ir):
2982
2983 2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>
2984
2985         writeBarrier in emitPutReplaceStub is unnecessary
2986         https://bugs.webkit.org/show_bug.cgi?id=130030
2987
2988         Reviewed by Filip Pizlo.
2989
2990         We already emit write barriers for each put-by-id when they're first compiled, so it's 
2991         redundant to emit a write barrier as part of the repatched code.
2992
2993         * jit/Repatch.cpp:
2994         (JSC::emitPutReplaceStub):
2995
2996 2014-03-10  Andreas Kling  <akling@apple.com>
2997
2998         [X86_64] Smaller code for xor_ir when register is accumulator.
2999         <https://webkit.org/b/130008>
3000
3001         Generate the shorthand version of "xor eax, imm" when possible.
3002
3003         Reviewed by Benjamin Poulain.
3004
3005         * assembler/X86Assembler.h:
3006         (JSC::X86Assembler::xorl_ir):
3007         (JSC::X86Assembler::xorq_ir):
3008
3009 2014-03-10  Andreas Kling  <akling@apple.com>
3010
3011         [X86_64] Smaller code for or_ir when register is accumulator.
3012         <https://webkit.org/b/130007>
3013
3014         Generate the shorthand version of "or eax, imm" when possible.
3015
3016         Reviewed by Benjamin Poulain.
3017
3018         * assembler/X86Assembler.h:
3019         (JSC::X86Assembler::orl_ir):
3020         (JSC::X86Assembler::orq_ir):
3021
3022 2014-03-10  Andreas Kling  <akling@apple.com>
3023
3024         [X86_64] Smaller code for test_ir when register is accumulator.
3025         <https://webkit.org/b/130006>
3026
3027         Generate the shorthand version of "test eax, imm" when possible.
3028
3029         Reviewed by Benjamin Poulain.
3030
3031         * assembler/X86Assembler.h:
3032         (JSC::X86Assembler::testl_i32r):
3033         (JSC::X86Assembler::testq_i32r):
3034
3035 2014-03-10  Andreas Kling  <akling@apple.com>
3036
3037         [X86_64] Smaller code for cmp_ir when register is accumulator.
3038         <https://webkit.org/b/130005>
3039
3040         Generate the shorthand version of "cmp eax, imm" when possible.
3041
3042         Reviewed by Benjamin Poulain.
3043
3044         * assembler/X86Assembler.h:
3045         (JSC::X86Assembler::cmpl_ir):
3046         (JSC::X86Assembler::cmpq_ir):
3047
3048 2014-03-10  Andreas Kling  <akling@apple.com>
3049
3050         [X86_64] Smaller code for store64(imm, address) when imm fits in 32 bits.
3051         <https://webkit.org/b/130002>
3052
3053         Generate this:
3054
3055             mov [address], imm32
3056
3057         Instead of this:
3058
3059             mov scratchRegister, imm32
3060             mov [address], scratchRegister
3061
3062         For store64(imm, address) where the 64-bit immediate can be passed as
3063         a sign-extended 32-bit value.
3064
3065         Reviewed by Benjamin Poulain.
3066
3067         * assembler/MacroAssemblerX86_64.h:
3068         (CAN_SIGN_EXTEND_32_64):
3069         (JSC::MacroAssemblerX86_64::store64):
3070
3071 2014-03-10  Andreas Kling  <akling@apple.com>
3072
3073         [X86_64] Smaller code for xchg_rr when one register is accumulator.
3074         <https://webkit.org/b/130004>
3075
3076         Generate the 1-byte version of "xchg eax, reg" when possible.
3077
3078         Reviewed by Benjamin Poulain.
3079
3080         * assembler/X86Assembler.h:
3081         (JSC::X86Assembler::xchgl_rr):
3082         (JSC::X86Assembler::xchgq_rr):
3083
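        The accumulator short forms and the store64 sign-extension test described in the
        X86_64 entries above, as an added worked example that is not WebKit's X86Assembler.h
        code; the emitter, the Reg/AluOp enums and the encode* helper names are illustrative:

```cpp
// Added example, not WebKit's X86Assembler: a minimal x86-64 byte emitter that
// applies the rule from the entries above, i.e. emit the one-byte accumulator
// short form when the destination is eax/rax and the generic form otherwise.
// Opcodes follow the Intel SDM; register numbers are the hardware encodings.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <vector>

enum Reg : uint8_t { eax = 0, ecx, edx, ebx, esp, ebp, esi, edi };

// ModRM /digit of the 0x81 group-1 opcode; the accumulator short opcode is digit*8+5.
enum class AluOp : uint8_t { Add = 0, Or = 1, Sub = 5, Xor = 6, Cmp = 7 };

// CAN_SIGN_EXTEND_32_64 as used by store64: the value survives a round trip
// through int32_t, so "REX.W C7 /0 id" can store it without a scratch register.
inline bool canSignExtend32To64(int64_t v)
{
    return v == static_cast<int64_t>(static_cast<int32_t>(v));
}

struct Emitter {
    std::vector<uint8_t> bytes;

    void put(uint8_t b) { bytes.push_back(b); }
    void putImm32(int32_t imm)
    {
        for (int i = 0; i < 4; ++i)
            put(static_cast<uint8_t>(imm >> (8 * i)));
    }
    // ModRM with mod=11: register-direct operand.
    void putModRmReg(uint8_t reg, Reg rm) { put(0xC0 | (reg << 3) | rm); }
    // ModRM for [base] with mod=00. rsp needs a SIB byte and rbp has no mod=00
    // form (that slot is RIP-relative), so those two use a SIB / zero disp8.
    void putModRmMem(uint8_t reg, Reg base)
    {
        if (base == esp) { put(0x04 | (reg << 3)); put(0x24); }
        else if (base == ebp) { put(0x45 | (reg << 3)); put(0x00); }
        else put((reg << 3) | base);
    }

    // add/or/sub/xor/cmp r32, imm32 (REX.W prefix for the 64-bit variants).
    void aluImm32(AluOp op, Reg dst, int32_t imm, bool is64 = false)
    {
        if (is64) put(0x48);
        uint8_t digit = static_cast<uint8_t>(op);
        if (dst == eax)
            put(static_cast<uint8_t>(digit * 8 + 5)); // 05 / 0D / 2D / 35 / 3D
        else { put(0x81); putModRmReg(digit, dst); }
        putImm32(imm);
    }
    // test r32, imm32: A9 id for eax, F7 /0 id otherwise.
    void testImm32(Reg dst, int32_t imm, bool is64 = false)
    {
        if (is64) put(0x48);
        if (dst == eax) put(0xA9);
        else { put(0xF7); putModRmReg(0, dst); }
        putImm32(imm);
    }
    // test r8, imm8 (low-byte registers only): A8 ib for al, F6 /0 ib otherwise.
    void testImm8(Reg dst, uint8_t imm)
    {
        if (dst == eax) put(0xA8);
        else { put(0xF6); putModRmReg(0, dst); }
        put(imm);
    }
    // xchg r32, r32: one-byte 90+r when either side is eax, 87 /r otherwise.
    void xchg(Reg a, Reg b)
    {
        if (a == eax || b == eax) put(static_cast<uint8_t>(0x90 + (a == eax ? b : a)));
        else { put(0x87); putModRmReg(a, b); }
    }
    // store64(imm, [base]): REX.W C7 /0 id when the immediate sign-extends, else
    // movabs scratch, imm64 (48 B8+r iq) followed by mov [base], scratch (48 89 /r).
    void store64Imm(int64_t imm, Reg base, Reg scratch)
    {
        if (canSignExtend32To64(imm)) {
            put(0x48); put(0xC7); putModRmMem(0, base);
            putImm32(static_cast<int32_t>(imm));
            return;
        }
        put(0x48); put(static_cast<uint8_t>(0xB8 + scratch));
        for (int i = 0; i < 8; ++i)
            put(static_cast<uint8_t>(imm >> (8 * i)));
        put(0x48); put(0x89); putModRmMem(scratch, base);
    }
};

// Wrappers returning the encoding of one instruction, so the forms can be compared.
inline std::vector<uint8_t> encodeAluImm32(AluOp op, Reg dst, int32_t imm, bool is64 = false)
{ Emitter e; e.aluImm32(op, dst, imm, is64); return e.bytes; }
inline std::vector<uint8_t> encodeTestImm32(Reg dst, int32_t imm)
{ Emitter e; e.testImm32(dst, imm); return e.bytes; }
inline std::vector<uint8_t> encodeTestImm8(Reg dst, uint8_t imm)
{ Emitter e; e.testImm8(dst, imm); return e.bytes; }
inline std::vector<uint8_t> encodeXchg(Reg a, Reg b)
{ Emitter e; e.xchg(a, b); return e.bytes; }
inline std::vector<uint8_t> encodeStore64Imm(int64_t imm, Reg base, Reg scratch)
{ Emitter e; e.store64Imm(imm, base, scratch); return e.bytes; }

int main()
{
    // Same "xor reg, imm32": 5 bytes for the accumulator, 6 for any other register.
    for (const auto& enc : { encodeAluImm32(AluOp::Xor, eax, 0x1234), encodeAluImm32(AluOp::Xor, ecx, 0x1234) }) {
        for (uint8_t b : enc) std::printf("%02X ", b);
        std::printf("(%zu bytes)\n", enc.size());
    }
    return 0;
}
```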
3084 2014-03-09  Filip Pizlo  <fpizlo@apple.com>
3085
3086         GPRInfo::toIndex should return InvalidIndex for non-temp registers on ARM64
3087         https://bugs.webkit.org/show_bug.cgi?id=129998
3088
3089         Reviewed by Geoffrey Garen.
3090         
3091         Not only is that the established contract, but this is used to signal to
3092         ScratchRegisterAllocator that the register doesn't need locking since it isn't a register
3093         that this allocator would use. In the FTL, we may have an inline cache where LLVM had used
3094         some non-temp register (i.e. a register that JSC itself wouldn't have used). This is totally
3095         fine but previously it would have led to either an assertion failure, or data corruption, in
3096         the ScratchRegisterAllocator.
3097
3098         * jit/GPRInfo.h:
3099         (JSC::GPRInfo::toIndex):
3100
3101 2014-03-09  Filip Pizlo  <fpizlo@apple.com>
3102
3103         FTL fails the new equals-masquerader strictEqualConstant test
3104         https://bugs.webkit.org/show_bug.cgi?id=129996
3105
3106         Reviewed by Mark Lam.
3107         
3108         It turns out that the FTL was trying to do the masquerading stuff for ===null. But
3109         that's wrong since none of the other engines do it. The DFG even had an ancient
3110         FIXME about doing it - but that doesn't make sense since the LLInt and baseline JIT
3111         don't do it and JSValue::strictEqual() doesn't do it.
3112         
3113         Remove the FIXME and remove the extra checks in the FTL.
3114         
3115         This is a glorious patch: nothing but red and it fixes a test failure.
3116
3117         * dfg/DFGSpeculativeJIT.cpp:
3118         (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
3119         * ftl/FTLLowerDFGToLLVM.cpp:
3120         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
3121
3122 2014-03-09  Andreas Kling  <akling@apple.com>
3123
3124         Short-circuit JSGlobalObjectInspectorController when not inspecting.
3125         <https://webkit.org/b/129995>
3126
3127         Add an early return in reportAPIException() when the console agent
3128         is disabled. This avoids expensive symbolication during exceptions
3129         if there's nobody expecting the fancy backtrace anyway.
3130
3131         ~2% progression on DYEB on my MBP.
3132
3133         Reviewed by Geoff Garen.
3134
3135         * inspector/JSGlobalObjectInspectorController.cpp:
3136         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
3137
3138 2014-03-09  Andreas Kling  <akling@apple.com>
3139
3140         Inline the trivial parts of GC deferral.
3141         <https://webkit.org/b/129984>
3142
3143         Made most of the functions called by the DeferGC RAII object inline
3144         to avoid function call overhead.
3145
3146         Looks like ~1% progression on DYEB.
3147
3148         Reviewed by Geoffrey Garen.
3149
3150         * heap/Heap.cpp:
3151         * heap/Heap.h:
3152         (JSC::Heap::incrementDeferralDepth):
3153         (JSC::Heap::decrementDeferralDepth):
3154         (JSC::Heap::collectIfNecessaryOrDefer):
3155         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
3156
3157 2014-03-08  Mark Lam  <mark.lam@apple.com>
3158
3159         32-bit x86 handleUncaughtException returns to wrong location after a stack overflow.
3160         <https://webkit.org/b/129969>
3161
3162         Reviewed by Geoffrey Garen.
3163
3164         The 32-bit version of handleUncaughtException was missing the handling of an
3165         edge case for stack overflows where the current frame may already be the
3166         sentinel frame.  This edge case was handled in the 64-bit version.  The fix
3167         is to bring the 32-bit version up to parity.
3168
3169         * jit/JIT.cpp:
3170         (JSC::JIT::privateCompile):
3171         * llint/LowLevelInterpreter32_64.asm:
3172
3173 2014-03-07  Mark Lam  <mark.lam@apple.com>
3174
3175         Fix bugs in 32-bit Structure implementation.
3176         <https://webkit.org/b/129947>
3177
3178         Reviewed by Mark Hahnenberg.
3179
3180         Added the loading of the Structure (from the JSCell) before use that was
3181         missing in a few places.  Also added more test cases to equals-masquerader.js.
3182
3183         * dfg/DFGSpeculativeJIT32_64.cpp:
3184         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
3185         (JSC::DFG::SpeculativeJIT::compile):
3186         * dfg/DFGSpeculativeJIT64.cpp:
3187         (JSC::DFG::SpeculativeJIT::compile):
3188         * llint/LowLevelInterpreter32_64.asm:
3189         * tests/stress/equals-masquerader.js:
3190         (equalsNull):
3191         (notEqualsNull):
3192         (strictEqualsNull):
3193         (strictNotEqualsNull):
3194         (equalsUndefined):
3195         (notEqualsUndefined):
3196         (strictEqualsUndefined):
3197         (strictNotEqualsUndefined):
3198         (isFalsey):
3199         (test):
3200
3201 2014-03-07  Andrew Trick  <atrick@apple.com>
3202
3203         Temporarily disable repeat-out-of-bounds stress tests pending fix for 129953.
3204         https://bugs.webkit.org/show_bug.cgi?id=129954
3205
3206         Reviewed by Filip Pizlo.
3207
3208         * tests/stress/float32-repeat-out-of-bounds.js:
3209         * tests/stress/int8-repeat-out-of-bounds.js:
3210
3211 2014-03-07  Michael Saboff  <msaboff@apple.com>
3212
3213         .cfi directives in LowLevelInterpreter.cpp are providing no benefit
3214         https://bugs.webkit.org/show_bug.cgi?id=129945
3215
3216         Reviewed by Mark Lam.
3217
3218         Removed .cfi directive.  Verified that stack traces didn't regress in crash reporter
3219         or in lldb.
3220
3221         * llint/LowLevelInterpreter.cpp:
3222
3223 2014-03-07  Oliver Hunt  <oliver@apple.com>
3224
3225         Continue hangs when performing for-of over arguments
3226         https://bugs.webkit.org/show_bug.cgi?id=129915
3227
3228         Reviewed by Geoffrey Garen.
3229
3230         Put the continue label in the right place
3231
3232         * bytecompiler/BytecodeGenerator.cpp:
3233         (JSC::BytecodeGenerator::emitEnumeration):
3234
3235 2014-03-07  peavo@outlook.com  <peavo@outlook.com>
3236
3237         [Win64] Compile error after r165128.
3238         https://bugs.webkit.org/show_bug.cgi?id=129807
3239
3240         Reviewed by Mark Lam.
3241
3242         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: 
3243         Check platform environment variable to determine if an assembler file should be generated.
3244
3245 2014-03-07  Michael Saboff  <msaboff@apple.com>
3246
3247         Clarify how we deal with "special" registers
3248         https://bugs.webkit.org/show_bug.cgi?id=129806
3249
3250         Already reviewed change being relanded.
3251
3252         Relanding change set r165196 as it wasn't responsible for the breakage reported in
3253         https://bugs.webkit.org/show_bug.cgi?id=129822.  That appears to be a build or
3254         configuration issue.
3255
3256         Reviewed by Michael Saboff.
3257
3258         * assembler/ARM64Assembler.h:
3259         (JSC::ARM64Assembler::lastRegister):
3260         * assembler/MacroAssembler.h:
3261         (JSC::MacroAssembler::nextRegister):
3262         * ftl/FTLLocation.cpp:
3263         (JSC::FTL::Location::restoreInto):
3264         * ftl/FTLSaveRestore.cpp:
3265         (JSC::FTL::saveAllRegisters):
3266         (JSC::FTL::restoreAllRegisters):
3267         * ftl/FTLSlowPathCall.cpp:
3268         * jit/RegisterSet.cpp:
3269         (JSC::RegisterSet::reservedHardwareRegisters):
3270         (JSC::RegisterSet::runtimeRegisters):
3271         (JSC::RegisterSet::specialRegisters):
3272         (JSC::RegisterSet::calleeSaveRegisters):
3273         * jit/RegisterSet.h:
3274
3275 2014-03-07  Mark Hahnenberg  <mhahnenberg@apple.com>
3276
3277         Move GCActivityCallback to heap
3278         https://bugs.webkit.org/show_bug.cgi?id=129457
3279
3280         Reviewed by Geoffrey Garen.
3281
3282         All the other GC timer related stuff is there already.
3283
3284         * CMakeLists.txt:
3285         * GNUmakefile.list.am:
3286         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3287         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3288         * JavaScriptCore.xcodeproj/project.pbxproj:
3289         * heap/GCActivityCallback.cpp: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.cpp.
3290         * heap/GCActivityCallback.h: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.h.
3291         * runtime/GCActivityCallback.cpp: Removed.
3292         * runtime/GCActivityCallback.h: Removed.
3293
3294 2014-03-07  Andrew Trick  <atrick@apple.com>
3295
3296         Correct a comment typo from:
3297         FLT should call fmod directly on platforms where LLVM cannot relocate the libcall
3298         https://bugs.webkit.org/show_bug.cgi?id=129865
3299
3300         Reviewed by Mark Lam.
3301
3302         * ftl/FTLOutput.h:
3303         (JSC::FTL::Output::doubleRem):
3304
3305 2014-03-07  Mark Hahnenberg  <mhahnenberg@apple.com>
3306
3307         Use OwnPtr in StructureIDTable
3308         https://bugs.webkit.org/show_bug.cgi?id=129828
3309
3310         Reviewed by Geoffrey Garen.
3311
3312         This reduces the amount of boilerplate and fixes a memory leak.
3313
3314         * runtime/StructureIDTable.cpp:
3315         (JSC::StructureIDTable::StructureIDTable):
3316         (JSC::StructureIDTable::resize):
3317         (JSC::StructureIDTable::flushOldTables):
3318         (JSC::StructureIDTable::allocateID):
3319         (JSC::StructureIDTable::deallocateID):
3320         * runtime/StructureIDTable.h:
3321         (JSC::StructureIDTable::table):
3322         (JSC::StructureIDTable::get):
3323
3324 2014-03-07  Andrew Trick  <atrick@apple.com>
3325
3326         FLT should call fmod directly on platforms where LLVM cannot relocate the libcall
3327         https://bugs.webkit.org/show_bug.cgi?id=129865
3328
3329         Reviewed by Filip Pizlo.
3330
3331         * ftl/FTLIntrinsicRepository.h:
3332         * ftl/FTLOutput.h:
3333         (JSC::FTL::Output::doubleRem):
3334
3335 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
3336
3337         If the FTL is build-time enabled then it should be run-time enabled.
3338
3339         Rubber stamped by Geoffrey Garen.
3340
3341         * runtime/Options.cpp:
3342         (JSC::recomputeDependentOptions):
3343         * runtime/Options.h:
3344
3345 2014-03-06  Joseph Pecoraro  <pecoraro@apple.com>
3346
3347         [OS X] Web Inspector: Allow Apps using JavaScriptCore to access "com.apple.webinspector" mach port
3348         https://bugs.webkit.org/show_bug.cgi?id=129852
3349
3350         Reviewed by Geoffrey Garen.
3351
3352         * framework.sb: Added.
3353         Sandbox extension to allow access to "com.apple.webinspector".
3354
3355         * JavaScriptCore.xcodeproj/project.pbxproj:
3356         Add a Copy Resources build phase and include framework.sb.
3357
3358         * Configurations/JavaScriptCore.xcconfig:
3359         Do not copy framework.sb on iOS.
3360
3361 2014-03-06  Mark Hahnenberg  <mhahnenberg@apple.com>
3362
3363         JSGlobalContextRelease incorrectly handles saving/restoring IdentifierTable
3364         https://bugs.webkit.org/show_bug.cgi?id=129858
3365
3366         Reviewed by Mark Lam.
3367
3368         It was correct (but really ugly) prior to the combining of APIEntryShim and JSLock, 
3369         but now it ends up overwriting the IdentifierTable that JSLock just restored.
3370
3371         * API/JSContextRef.cpp:
3372         (JSGlobalContextRelease):
3373
3374 2014-03-06  Oliver Hunt  <oliver@apple.com>
3375
3376         Fix FTL build.
3377
3378         * dfg/DFGConstantFoldingPhase.cpp:
3379         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3380
3381 2014-03-06  Brent Fulgham  <bfulgham@apple.com>
3382
3383         Unreviewed build fix after r165128.
3384
3385         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: The SEH flag was not getting set when
3386         performing 'Production' and 'DebugSuffix' type builds.
3387
3388 2014-03-06  Julien Brianceau  <jbriance@cisco.com>
3389
3390         Unreviewed, fix style in my previous commit.
3391         https://bugs.webkit.org/show_bug.cgi?id=129833
3392
3393         * runtime/JSConsole.cpp:
3394
3395 2014-03-06  Julien Brianceau  <jbriance@cisco.com>
3396
3397         Build fix: add missing include in JSConsole.cpp.
3398         https://bugs.webkit.org/show_bug.cgi?id=129833
3399
3400         Reviewed by Oliver Hunt.
3401
3402         * runtime/JSConsole.cpp:
3403
3404 2014-03-06  Oliver Hunt  <oliver@apple.com>
3405
3406         Fix ARMv7
3407
3408         * jit/CCallHelpers.h:
3409         (JSC::CCallHelpers::setupArgumentsWithExecState):
3410
3411 2014-03-06  Commit Queue  <commit-queue@webkit.org>
3412
3413         Unreviewed, rolling out r165196.
3414         http://trac.webkit.org/changeset/165196
3415         https://bugs.webkit.org/show_bug.cgi?id=129822
3416
3417         broke arm64 on hardware (Requested by bfulgham on #webkit).
3418
3419         * assembler/ARM64Assembler.h:
3420         (JSC::ARM64Assembler::lastRegister):
3421         * assembler/MacroAssembler.h:
3422         (JSC::MacroAssembler::isStackRelated):
3423         (JSC::MacroAssembler::firstRealRegister):
3424         (JSC::MacroAssembler::nextRegister):
3425         (JSC::MacroAssembler::secondRealRegister):
3426         * ftl/FTLLocation.cpp:
3427         (JSC::FTL::Location::restoreInto):
3428         * ftl/FTLSaveRestore.cpp:
3429         (JSC::FTL::saveAllRegisters):
3430         (JSC::FTL::restoreAllRegisters):
3431         * ftl/FTLSlowPathCall.cpp:
3432         * jit/RegisterSet.cpp:
3433         (JSC::RegisterSet::specialRegisters):
3434         (JSC::RegisterSet::calleeSaveRegisters):
3435         * jit/RegisterSet.h:
3436
3437 2014-03-06  Mark Lam  <mark.lam@apple.com>
3438
3439         REGRESSION(r165205): broke the CLOOP build (Requested by smfr on #webkit).
3440         <https://webkit.org/b/129813>
3441
3442         Reviewed by Michael Saboff.
3443
3444         Fixed broken C loop LLINT build.
3445
3446         * llint/LowLevelInterpreter.cpp:
3447         (JSC::CLoop::execute):
3448         * offlineasm/cloop.rb:
3449
3450 2014-03-03  Oliver Hunt  <oliver@apple.com>
3451
3452         Support caching of custom setters
3453         https://bugs.webkit.org/show_bug.cgi?id=129519
3454
3455         Reviewed by Filip Pizlo.
3456
3457         This patch adds caching of assignment to properties that
3458         are backed by C functions. This provides most of the leg
3459         work required to start supporting setters, and resolves
3460         the remaining regressions from moving DOM properties up
3461         the prototype chain.
3462
3463         * JavaScriptCore.xcodeproj/project.pbxproj:
3464         * bytecode/PolymorphicPutByIdList.cpp:
3465         (JSC::PutByIdAccess::visitWeak):
3466         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
3467         (JSC::PolymorphicPutByIdList::from):
3468         * bytecode/PolymorphicPutByIdList.h:
3469         (JSC::PutByIdAccess::transition):
3470         (JSC::PutByIdAccess::replace):
3471         (JSC::PutByIdAccess::customSetter):
3472         (JSC::PutByIdAccess::isCustom):
3473         (JSC::PutByIdAccess::oldStructure):
3474         (JSC::PutByIdAccess::chain):
3475         (JSC::PutByIdAccess::stubRoutine):
3476         * bytecode/PutByIdStatus.cpp:
3477         (JSC::PutByIdStatus::computeForStubInfo):
3478         (JSC::PutByIdStatus::computeFor):
3479         (JSC::PutByIdStatus::dump):
3480         * bytecode/PutByIdStatus.h:
3481         (JSC::PutByIdStatus::PutByIdStatus):
3482         (JSC::PutByIdStatus::takesSlowPath):
3483         (JSC::PutByIdStatus::makesCalls):
3484         * bytecode/StructureStubInfo.h:
3485         * dfg/DFGAbstractInterpreterInlines.h:
3486         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3487         * dfg/DFGByteCodeParser.cpp:
3488         (JSC::DFG::ByteCodeParser::emitPutById):
3489         (JSC::DFG::ByteCodeParser::handlePutById):
3490         * dfg/DFGClobberize.h:
3491         (JSC::DFG::clobberize):
3492         * dfg/DFGCommon.h:
3493         * dfg/DFGConstantFoldingPhase.cpp:
3494         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3495         * dfg/DFGFixupPhase.cpp:
3496         (JSC::DFG::FixupPhase::fixupNode):
3497         * dfg/DFGNode.h:
3498         (JSC::DFG::Node::hasIdentifier):
3499         * dfg/DFGNodeType.h:
3500         * dfg/DFGPredictionPropagationPhase.cpp:
3501         (JSC::DFG::PredictionPropagationPhase::propagate):
3502         * dfg/DFGSafeToExecute.h:
3503         (JSC::DFG::safeToExecute):
3504         * dfg/DFGSpeculativeJIT.cpp:
3505         (JSC::DFG::SpeculativeJIT::compileIn):
3506         * dfg/DFGSpeculativeJIT.h:
3507         * dfg/DFGSpeculativeJIT32_64.cpp:
3508         (JSC::DFG::SpeculativeJIT::cachedGetById):
3509         (JSC::DFG::SpeculativeJIT::cachedPutById):
3510         (JSC::DFG::SpeculativeJIT::compile):
3511         * dfg/DFGSpeculativeJIT64.cpp:
3512         (JSC::DFG::SpeculativeJIT::cachedGetById):
3513         (JSC::DFG::SpeculativeJIT::cachedPutById):
3514         (JSC::DFG::SpeculativeJIT::compile):
3515         * jit/CCallHelpers.h:
3516         (JSC::CCallHelpers::setupArgumentsWithExecState):
3517         * jit/JITInlineCacheGenerator.cpp:
3518         (JSC::JITByIdGenerator::JITByIdGenerator):
3519         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
3520         * jit/JITInlineCacheGenerator.h:
3521         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
3522         * jit/JITOperations.cpp:
3523         * jit/JITOperations.h:
3524         * jit/JITPropertyAccess.cpp:
3525         (JSC::JIT::emit_op_get_by_id):
3526         (JSC::JIT::emit_op_put_by_id):
3527         * jit/JITPropertyAccess32_64.cpp:
3528         (JSC::JIT::emit_op_get_by_id):
3529         (JSC::JIT::emit_op_put_by_id):
3530         * jit/Repatch.cpp:
3531         (JSC::tryCacheGetByID):
3532         (JSC::tryBuildGetByIDList):
3533         (JSC::emitCustomSetterStub):
3534         (JSC::tryCachePutByID):
3535         (JSC::tryBuildPutByIdList):
3536         * jit/SpillRegistersMode.h: Added.
3537         * llint/LLIntSlowPaths.cpp:
3538         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3539         * runtime/Lookup.h:
3540         (JSC::putEntry):
3541         * runtime/PutPropertySlot.h:
3542         (JSC::PutPropertySlot::setCacheableCustomProperty):
3543         (JSC::PutPropertySlot::customSetter):
3544         (JSC::PutPropertySlot::isCacheablePut):
3545         (JSC::PutPropertySlot::isCacheableCustomProperty):
3546         (JSC::PutPropertySlot::cachedOffset):
3547
3548 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
3549
3550         FTL arity fixup should work on ARM64
3551         https://bugs.webkit.org/show_bug.cgi?id=129810
3552
3553         Reviewed by Michael Saboff.
3554         
3555         - Using regT5 to pass the thunk return address to arityFixup is shady since that's a
3556           callee-save.
3557         
3558         - The FTL path was assuming X86 conventions for where SP points at the top of the prologue.
3559         
3560         This makes some more tests pass.
3561
3562         * dfg/DFGJITCompiler.cpp:
3563         (JSC::DFG::JITCompiler::compileFunction):
3564         * ftl/FTLLink.cpp:
3565         (JSC::FTL::link):
3566         * jit/AssemblyHelpers.h:
3567         (JSC::AssemblyHelpers::prologueStackPointerDelta):
3568         * jit/JIT.cpp:
3569         (JSC::JIT::privateCompile):
3570         * jit/ThunkGenerators.cpp:
3571         (JSC::arityFixup):
3572         * llint/LowLevelInterpreter64.asm:
3573         * offlineasm/arm64.rb:
3574         * offlineasm/x86.rb: In addition to the t7 change, make t6 agree with GPRInfo.h.
3575
3576 2014-03-06  Mark Hahnenberg  <mhahnenberg@apple.com>
3577
3578         Fix write barriers in Repatch.cpp for !ENABLE(DFG_JIT) platforms after r165128
3579         https://bugs.webkit.org/show_bug.cgi?id=129760
3580
3581         Reviewed by Geoffrey Garen.
3582
3583         r165128 disabled the write barrier fast path for inline caches on !ENABLE(DFG_JIT) platforms. 
3584         The fix is to refactor the write barrier code into AssemblyHelpers and use that everywhere.
3585
3586         * dfg/DFGSpeculativeJIT.cpp:
3587         (JSC::DFG::SpeculativeJIT::writeBarrier):
3588         * dfg/DFGSpeculativeJIT.h:
3589         * dfg/DFGSpeculativeJIT32_64.cpp:
3590         (JSC::DFG::SpeculativeJIT::writeBarrier):
3591         * dfg/DFGSpeculativeJIT64.cpp:
3592         (JSC::DFG::SpeculativeJIT::writeBarrier):
3593         * jit/AssemblyHelpers.h:
3594         (JSC::AssemblyHelpers::checkMarkByte):
3595         * jit/JIT.h:
3596         * jit/JITPropertyAccess.cpp:
3597         * jit/Repatch.cpp:
3598         (JSC::writeBarrier):
3599
3600 2014-03-06  Joseph Pecoraro  <pecoraro@apple.com>
3601
3602         Web Inspector: Expose the console object in JSContexts to interact with Web Inspector
3603         https://bugs.webkit.org/show_bug.cgi?id=127944
3604
3605         Reviewed by Geoffrey Garen.
3606
3607         Always expose the Console object in JSContexts, just like we
3608         do for web pages. The default behavior will route to an
3609         attached JSContext inspector. This can be overridden by
3610         setting the ConsoleClient on the JSGlobalObject, which WebCore
3611         does to get slightly different behavior.
3612
3613         * CMakeLists.txt:
3614         * GNUmakefile.list.am:
3615         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3616         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3617         * JavaScriptCore.xcodeproj/project.pbxproj:
3618         Update build systems.
3619
3620         * API/tests/testapi.js:
3621         * API/tests/testapi.mm:
3622         Test that "console" exists in C and ObjC contexts.
3623
3624         * runtime/ConsoleClient.cpp: Added.
3625         (JSC::ConsoleClient::printURLAndPosition):
3626         (JSC::ConsoleClient::printMessagePrefix):
3627         (JSC::ConsoleClient::printConsoleMessage):
3628         (JSC::ConsoleClient::printConsoleMessageWithArguments):
3629         (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
3630         (JSC::ConsoleClient::logWithLevel):
3631         (JSC::ConsoleClient::clear):
3632         (JSC::ConsoleClient::dir):
3633         (JSC::ConsoleClient::dirXML):
3634         (JSC::ConsoleClient::table):
3635         (JSC::ConsoleClient::trace):
3636         (JSC::ConsoleClient::assertCondition):
3637         (JSC::ConsoleClient::group):
3638         (JSC::ConsoleClient::groupCollapsed):
3639         (JSC::ConsoleClient::groupEnd):
3640         * runtime/ConsoleClient.h: Added.
3641         (JSC::ConsoleClient::~ConsoleClient):
3642         New private interface for handling the console object's methods.
3643         A lot of the methods funnel through messageWithTypeAndLevel.
3644
3645         * runtime/ConsoleTypes.h: Renamed from Source/JavaScriptCore/inspector/ConsoleTypes.h.
3646         Moved to JSC namespace.
3647
3648         * runtime/JSGlobalObject.cpp:
3649         (JSC::JSGlobalObject::JSGlobalObject):
3650         (JSC::JSGlobalObject::init):
3651         (JSC::JSGlobalObject::reset):
3652         (JSC::JSGlobalObject::visitChildren):
3653         Create the "console" object when initializing the environment.
3654         Also set the default console client to be the JS context inspector.
3655
3656         * runtime/JSGlobalObject.h:
3657         (JSC::JSGlobalObject::setConsoleClient):
3658         (JSC::JSGlobalObject::consoleClient):
3659         Ability to change the console client, so WebCore can set a custom client.
3660
3661         * runtime/ConsolePrototype.cpp: Added.
3662         (JSC::ConsolePrototype::finishCreation):
3663         (JSC::valueToStringWithUndefinedOrNullCheck):
3664         (JSC::consoleLogWithLevel):
3665         (JSC::consoleProtoFuncDebug):
3666         (JSC::consoleProtoFuncError):
3667         (JSC::consoleProtoFuncLog):
3668         (JSC::consoleProtoFuncWarn):
3669         (JSC::consoleProtoFuncClear):
3670         (JSC::consoleProtoFuncDir):
3671         (JSC::consoleProtoFuncDirXML):
3672         (JSC::consoleProtoFuncTable):
3673         (JSC::consoleProtoFuncTrace):
3674         (JSC::consoleProtoFuncAssert):
3675         (JSC::consoleProtoFuncCount):
3676         (JSC::consoleProtoFuncProfile):
3677         (JSC::consoleProtoFuncProfileEnd):
3678         (JSC::consoleProtoFuncTime):
3679         (JSC::consoleProtoFuncTimeEnd):
3680         (JSC::consoleProtoFuncTimeStamp):
3681         (JSC::consoleProtoFuncGroup):
3682         (JSC::consoleProtoFuncGroupCollapsed):
3683         (JSC::consoleProtoFuncGroupEnd):
3684         * runtime/ConsolePrototype.h: Added.
3685         (JSC::ConsolePrototype::create):
3686         (JSC::ConsolePrototype::createStructure):
3687         (JSC::ConsolePrototype::ConsolePrototype):
3688         Define the console object interface. Parse out required / expected
3689         arguments and throw exceptions when methods are misused.
3690
3691         * runtime/JSConsole.cpp: Added.
3692         * runtime/JSConsole.h: Added.
3693         (JSC::JSConsole::createStructure):
3694         (JSC::JSConsole::create):
3695         (JSC::JSConsole::JSConsole):
3696         Empty "console" object. Everything is in the prototype.
3697
3698         * inspector/JSConsoleClient.cpp: Added.
3699         (Inspector::JSConsoleClient::JSGlobalObjectConsole):
3700         (Inspector::JSConsoleClient::count):
3701         (Inspector::JSConsoleClient::profile):
3702         (Inspector::JSConsoleClient::profileEnd):
3703         (Inspector::JSConsoleClient::time):
3704         (Inspector::JSConsoleClient::timeEnd):
3705         (Inspector::JSConsoleClient::timeStamp):
3706         (Inspector::JSConsoleClient::warnUnimplemented):
3707         (Inspector::JSConsoleClient::internalAddMessage):
3708         * inspector/JSConsoleClient.h: Added.
3709         * inspector/JSGlobalObjectInspectorController.cpp:
3710         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3711         (Inspector::JSGlobalObjectInspectorController::consoleClient):
3712         * inspector/JSGlobalObjectInspectorController.h:
3713         Default JSContext ConsoleClient implementation. Handle nearly
3714         everything except profile/profileEnd and timeStamp.
3715
3716 2014-03-06  Andreas Kling  <akling@apple.com>
3717
3718         Drop unlinked function code on memory pressure.
3719         <https://webkit.org/b/129789>
3720
3721         Make VM::discardAllCode() also drop UnlinkedFunctionCodeBlocks that
3722         are not currently being compiled.
3723
3724         4.5 MB progression on Membuster.
3725
3726         Reviewed by Geoffrey Garen.
3727
3728         * heap/Heap.cpp:
3729         (JSC::Heap::deleteAllUnlinkedFunctionCode):
3730         * heap/Heap.h:
3731         * runtime/VM.cpp:
3732         (JSC::VM::discardAllCode):
3733
3734 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
3735
3736         Clarify how we deal with "special" registers
3737         https://bugs.webkit.org/show_bug.cgi?id=129806
3738
3739         Reviewed by Michael Saboff.
3740         
3741         Previously we had two different places that defined what "stack" registers are, a thing
3742         called "specialRegisters" that had unclear meaning, and a really weird "firstRealRegister"/
3743         "secondRealRegister"/"nextRegister" idiom in MacroAssembler that appeared to only be used by
3744         one place and had a baked-in notion of what it meant for a register to be "real" or not.
3745         
3746         It's not cool to use words like "real" and "special" to describe registers, especially if you
3747         fail to qualify what that means. This originally made sense on X86 - "real" registers were
3748         the ones that weren't "stack related" (so "real" was the opposite of "stack"). But on ARM64,
3749         you also have to worry about the LR register, which we'd want to say is "not real" but it's
3750         also not a "stack" register. This got super confusing.
3751         
3752         So, this patch removes any mention of "real" registers, consolidates the knowledge of what is
3753         a "stack" register, and uses the word special only in places where it's clearly defined and
3754         where no better word comes to mind.
3755         
3756         This cleans up the code and fixes what seems like it was probably a harmless ARM64 bug: the
3757         Reg and RegisterSet data structures would sometimes think that FP was Q0. Somehow this
3758         magically didn't break anything because you never need to save/restore either FP or Q0, but
3759         it was still super weird.
3760
3761         * assembler/ARM64Assembler.h:
3762         (JSC::ARM64Assembler::lastRegister):
3763         * assembler/MacroAssembler.h:
3764         (JSC::MacroAssembler::nextRegister):
3765         * ftl/FTLLocation.cpp:
3766         (JSC::FTL::Location::restoreInto):
3767         * ftl/FTLSaveRestore.cpp:
3768         (JSC::FTL::saveAllRegisters):
3769         (JSC::FTL::restoreAllRegisters):
3770         * ftl/FTLSlowPathCall.cpp:
3771         * jit/RegisterSet.cpp:
3772         (JSC::RegisterSet::reservedHardwareRegisters):
3773         (JSC::RegisterSet::runtimeRegisters):
3774         (JSC::RegisterSet::specialRegisters):
3775         (JSC::RegisterSet::calleeSaveRegisters):
3776         * jit/RegisterSet.h:
3777
3778 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
3779
3780         Unreviewed, fix build.
3781
3782         * disassembler/ARM64Disassembler.cpp:
3783
3784 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
3785
3786         Use the LLVM disassembler on ARM64 if we are enabling the FTL
3787         https://bugs.webkit.org/show_bug.cgi?id=129785
3788
3789         Reviewed by Geoffrey Garen.
3790         
3791         Our disassembler can't handle some of the code sequences that LLVM emits. LLVM's disassembler
3792         is strictly more capable at this point. Use it if it's available.
3793
3794         * disassembler/ARM64Disassembler.cpp:
3795         (JSC::tryToDisassemble):
3796
3797 2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>
3798
3799         Web Inspector: Reduce RWI message frequency
3800         https://bugs.webkit.org/show_bug.cgi?id=129767
3801
3802         Reviewed by Timothy Hatcher.
3803
3804         This used to be 0.2s and changed by accident to 0.02s.
3805
3806         * inspector/remote/RemoteInspector.mm:
3807         (Inspector::RemoteInspector::pushListingSoon):
3808
3809 2014-03-05  Commit Queue  <commit-queue@webkit.org>
3810
3811         Unreviewed, rolling out r165141, r165157, and r165158.
3812         http://trac.webkit.org/changeset/165141
3813         http://trac.webkit.org/changeset/165157
3814         http://trac.webkit.org/changeset/165158
3815         https://bugs.webkit.org/show_bug.cgi?id=129772
3816
3817         "broke ftl" (Requested by olliej_ on #webkit).
3818
3819         * JavaScriptCore.xcodeproj/project.pbxproj:
3820         * bytecode/PolymorphicPutByIdList.cpp:
3821         (JSC::PutByIdAccess::visitWeak):
3822         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
3823         (JSC::PolymorphicPutByIdList::from):
3824         * bytecode/PolymorphicPutByIdList.h:
3825         (JSC::PutByIdAccess::transition):
3826         (JSC::PutByIdAccess::replace):
3827         (JSC::PutByIdAccess::oldStructure):
3828         (JSC::PutByIdAccess::chain):
3829         (JSC::PutByIdAccess::stubRoutine):
3830         * bytecode/PutByIdStatus.cpp:
3831         (JSC::PutByIdStatus::computeForStubInfo):
3832         (JSC::PutByIdStatus::computeFor):
3833         (JSC::PutByIdStatus::dump):
3834         * bytecode/PutByIdStatus.h:
3835         (JSC::PutByIdStatus::PutByIdStatus):
3836         (JSC::PutByIdStatus::takesSlowPath):
3837         * bytecode/StructureStubInfo.h:
3838         * dfg/DFGAbstractInterpreterInlines.h:
3839         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3840         * dfg/DFGByteCodeParser.cpp:
3841         (JSC::DFG::ByteCodeParser::emitPutById):
3842         (JSC::DFG::ByteCodeParser::handlePutById):
3843         * dfg/DFGClobberize.h:
3844         (JSC::DFG::clobberize):
3845         * dfg/DFGCommon.h:
3846         * dfg/DFGConstantFoldingPhase.cpp:
3847         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3848         * dfg/DFGFixupPhase.cpp:
3849         (JSC::DFG::FixupPhase::fixupNode):
3850         * dfg/DFGNode.h:
3851         (JSC::DFG::Node::hasIdentifier):
3852         * dfg/DFGNodeType.h:
3853         * dfg/DFGPredictionPropagationPhase.cpp:
3854         (JSC::DFG::PredictionPropagationPhase::propagate):
3855         * dfg/DFGSafeToExecute.h:
3856         (JSC::DFG::safeToExecute):
3857         * dfg/DFGSpeculativeJIT.cpp:
3858         (JSC::DFG::SpeculativeJIT::compileIn):
3859         * dfg/DFGSpeculativeJIT.h:
3860         * dfg/DFGSpeculativeJIT32_64.cpp:
3861         (JSC::DFG::SpeculativeJIT::cachedGetById):
3862         (JSC::DFG::SpeculativeJIT::cachedPutById):
3863         (JSC::DFG::SpeculativeJIT::compile):
3864         * dfg/DFGSpeculativeJIT64.cpp:
3865         (JSC::DFG::SpeculativeJIT::cachedGetById):
3866         (JSC::DFG::SpeculativeJIT::cachedPutById):
3867         (JSC::DFG::SpeculativeJIT::compile):
3868         * ftl/FTLCompile.cpp:
3869         (JSC::FTL::fixFunctionBasedOnStackMaps):
3870         * jit/CCallHelpers.h:
3871         (JSC::CCallHelpers::setupArgumentsWithExecState):
3872         * jit/JITInlineCacheGenerator.cpp:
3873         (JSC::JITByIdGenerator::JITByIdGenerator):
3874         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
3875         * jit/JITInlineCacheGenerator.h:
3876         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
3877         * jit/JITOperations.cpp:
3878         * jit/JITOperations.h:
3879         * jit/JITPropertyAccess.cpp:
3880         (JSC::JIT::emit_op_get_by_id):
3881         (JSC::JIT::emit_op_put_by_id):
3882         * jit/JITPropertyAccess32_64.cpp:
3883         (JSC::JIT::emit_op_get_by_id):
3884         (JSC::JIT::emit_op_put_by_id):
3885         * jit/Repatch.cpp:
3886         (JSC::tryCacheGetByID):
3887         (JSC::tryBuildGetByIDList):
3888         (JSC::tryCachePutByID):
3889         (JSC::tryBuildPutByIdList):
3890         * jit/SpillRegistersMode.h: Removed.
3891         * llint/LLIntSlowPaths.cpp:
3892         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3893         * runtime/Lookup.h:
3894         (JSC::putEntry):
3895         * runtime/PutPropertySlot.h:
3896         (JSC::PutPropertySlot::isCacheable):
3897         (JSC::PutPropertySlot::cachedOffset):
3898
3899 2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>
3900
3901         Web Inspector: Prevent possible deadlock in view indication
3902         https://bugs.webkit.org/show_bug.cgi?id=129766
3903
3904         Reviewed by Geoffrey Garen.
3905
3906         * inspector/remote/RemoteInspector.mm:
3907         (Inspector::RemoteInspector::receivedIndicateMessage):
3908
3909 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
3910
3911         JSObject::fastGetOwnPropertySlot does a slow check for OverridesGetOwnPropertySlot
3912         https://bugs.webkit.org/show_bug.cgi?id=129754
3913
3914         Reviewed by Geoffrey Garen.
3915
3916         InlineTypeFlags are stored in JSCell, so we can just load those instead of going through the TypeInfo.
3917
3918         * runtime/JSCell.h:
3919         (JSC::JSCell::inlineTypeFlags):
3920         * runtime/JSObject.h:
3921         (JSC::JSObject::fastGetOwnPropertySlot):
3922         * runtime/JSTypeInfo.h:
3923         (JSC::TypeInfo::TypeInfo):
3924         (JSC::TypeInfo::overridesGetOwnPropertySlot):
3925
3926 2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>
3927
3928         Web Inspector: ASSERTION FAILED: m_javaScriptBreakpoints.isEmpty()
3929         https://bugs.webkit.org/show_bug.cgi?id=129763
3930
3931         Reviewed by Geoffrey Garen.
3932
3933         Clear the list of all breakpoints, including unresolved breakpoints.
3934
3935         * inspector/agents/InspectorDebuggerAgent.cpp:
3936         (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
3937
3938 2014-03-05  Mark Lam  <mark.lam@apple.com>
3939
3940         llint_slow_path_check_has_instance() should not adjust PC before accessing operands.
3941         <https://webkit.org/b/129768>
3942
3943         Reviewed by Mark Hahnenberg.
3944
3945         When evaluating "a instanceof b" where b is an object that ImplementsHasInstance
3946         and OverridesHasInstance (e.g. a bound function), the LLINT will take the slow
3947         path llint_slow_path_check_has_instance(), and execute a code path that does the
3948         following:
3949         1. Adjusts the byte code PC to the jump target PC.
3950         2. For the purpose of storing the result, get the result registerIndex from the
3951            1st operand using the PC as if the PC is still pointing to op_check_has_instance
3952            bytecode.
3953
3954         The result is that whatever value resides after where the jump target PC is will
3955         be used as a result register value.  Depending on what that value is, the result
3956         can be:
3957         1. the code coincidentally works correctly
3958         2. memory corruption
3959         3. crashes
3960
3961         The fix is to only adjust the byte code PC after we have stored the result.
3962         
3963         * llint/LLIntSlowPaths.cpp:
3964         (llint_slow_path_check_has_instance):
3965
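        The operand-ordering bug described in the entry above, shown on a constructed
        toy bytecode (added illustration, not JavaScriptCore's own code or encoding):
        the buggy slow path advances the PC to the jump target first and then reads
        the destination operand through the moved PC, so the store lands in whatever
        register index happens to sit at the target; the fixed path reads the operand
        and stores the result before adjusting the PC.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy encoding (assumption, not JSC's real bytecode):
 *   op_check_has_instance dst, value, base, hasInstanceValue, jumpOffset
 * Operands are read relative to pc, as an interpreter slow path would. */
enum { OP_CHECK_HAS_INSTANCE = 7, NUM_REGISTERS = 8 };

typedef struct {
    int64_t registers[NUM_REGISTERS];
    const int32_t *pc;      /* current instruction pointer */
} Frame;

/* Constructed program: check_has_instance writes r2 and jumps +6 to the
 * next instruction, whose operand slot [1] happens to hold 7. */
static const int32_t kBytecode[] = {
    OP_CHECK_HAS_INSTANCE, 2, 3, 4, 5, 6,
    99, 7, 0, 0, 0, 0                       /* stand-in "next instruction" at the target */
};

/* Fresh frame over the constructed bytecode with all registers zeroed. */
static Frame make_frame(void)
{
    Frame f;
    memset(&f, 0, sizeof f);
    f.pc = kBytecode;
    return f;
}

/* Buggy ordering (pre-fix behaviour): PC moves to the jump target, then the
 * "dst" operand is read as if PC still pointed at op_check_has_instance.
 * Returns the register index actually written. */
static int check_has_instance_buggy(Frame *frame, int64_t result)
{
    const int32_t *pc = frame->pc;
    pc += pc[5];                        /* 1. adjust PC to the jump target */
    int32_t dst = pc[1];                /* 2. read dst through the moved PC: wrong slot */
    if (dst < 0 || dst >= NUM_REGISTERS)
        return -1;                      /* bound check only so the toy cannot corrupt memory */
    frame->registers[dst] = result;     /* stores into r7, not r2 */
    frame->pc = pc;
    return dst;
}

/* Fixed ordering: read the operand and store the result first, then jump. */
static int check_has_instance_fixed(Frame *frame, int64_t result)
{
    const int32_t *pc = frame->pc;
    int32_t dst = pc[1];                /* operand read while PC is still on the op */
    frame->registers[dst] = result;
    frame->pc = pc + pc[5];             /* only now adjust the PC */
    return dst;
}

int main(void)
{
    Frame buggy = make_frame(), fixed = make_frame();
    printf("buggy wrote r%d, fixed wrote r%d\n",
           check_has_instance_buggy(&buggy, 1), check_has_instance_fixed(&fixed, 1));
    return 0;
}
```
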
3966 2014-03-05  Ryosuke Niwa  <rniwa@webkit.org>
3967
3968         Another build fix attempt after r165141.
3969
3970         * ftl/FTLCompile.cpp:
3971         (JSC::FTL::fixFunctionBasedOnStackMaps):
3972
3973 2014-03-05  Ryosuke Niwa  <rniwa@webkit.org>
3974
3975         FTL build fix attempt after r165141.
3976
3977         * ftl/FTLCompile.cpp:
3978         (JSC::FTL::fixFunctionBasedOnStackMaps):
3979
3980 2014-03-05  Gavin Barraclough  <barraclough@apple.com>
3981
3982         https://bugs.webkit.org/show_bug.cgi?id=128625
3983         Add fast mapping from StringImpl to JSString
3984
3985         Unreviewed roll-out.
3986
3987         Reverting r164347, r165054, r165066 - not clear the performance tradeoff was right.
3988
3989         * runtime/JSString.cpp:
3990         * runtime/JSString.h:
3991         * runtime/VM.cpp:
3992         (JSC::VM::createLeaked):
3993         * runtime/VM.h:
3994
3995 2014-03-03  Oliver Hunt  <oliver@apple.com>
3996
3997         Support caching of custom setters
3998         https://bugs.webkit.org/show_bug.cgi?id=129519
3999
4000         Reviewed by Filip Pizlo.
4001
4002         This patch adds caching of assignment to properties that
4003         are backed by C functions. This provides most of the leg
4004         work required to start supporting setters, and resolves