[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-05-09  Andreas Kling  <akling@apple.com>

        8.8% spent in Object.prototype.hasOwnProperty() on sbperftest.
        <https://webkit.org/b/132749>

        Leverage the fast-resolve-to-AtomicString optimization for JSRopeString
        in Object.prototype.* by using JSString::toIdentifier() in the cases where
        we are converting JSString -> String -> Identifier.

        This brings time spent in hasOwnProperty() from 8.8% to 1.3% on
        "The Great HTML5 Gaming Performance Test: 2014 edition"
        <http://www.scirra.com/demos/c2/sbperftest/>

        Reviewed by Oliver Hunt.

        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncHasOwnProperty):
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):

2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSDOMWindow should have a WatchpointSet to fire on window close
        https://bugs.webkit.org/show_bug.cgi?id=132721

        Reviewed by Filip Pizlo.

        This patch allows us to reset the inline caches that assumed they could skip
        the first part of JSDOMWindow::getOwnPropertySlot that checks if the window has
        been closed. This is part of getting rid of HasImpureGetOwnPropertySlot on JSDOMWindow.

        PropertySlot now accepts a WatchpointSet which the inline cache code can look for
        to see if it should create a new Watchpoint for that particular inline cache site.

        * bytecode/Watchpoint.h:
        * jit/Repatch.cpp:
        (JSC::generateByIdStub):
        (JSC::tryBuildGetByIDList):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::PropertySlot):
        (JSC::PropertySlot::watchpointSet):
        (JSC::PropertySlot::setWatchpointSet):

2014-05-09  Tanay C  <tanay.c@samsung.com>

        Fix build warning (uninitialized variable) in DFGFixupPhase.cpp
        https://bugs.webkit.org/show_bug.cgi?id=132331

        Reviewed by Darin Adler.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):

2014-05-09  peavo@outlook.com  <peavo@outlook.com>

        [Win] Crash when enabling DFG JIT.
        https://bugs.webkit.org/show_bug.cgi?id=132683

        Reviewed by Geoffrey Garen.

        On Windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0),
        results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
        where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
        This causes the register to be written to address 0, hence the crash.

        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit): Ditto.

2014-05-09  Martin Hodovan <mhodovan.u-szeged@partner.samsung.com>

        REGRESSION(r167094): JSC crashes on ARM Traditional
        https://bugs.webkit.org/show_bug.cgi?id=132738

        Reviewed by Zoltan Herczeg.

        PC is two instructions ahead of the current instruction
        on ARM Traditional, so the distance is 8 bytes not 2.

        * llint/LowLevelInterpreter.asm:

2014-05-09  Alberto Garcia  <berto@igalia.com>

        jsmin.py license header confusing, mentions non-free license
        https://bugs.webkit.org/show_bug.cgi?id=123665

        Reviewed by Darin Adler.

        Pull the most recent version from upstream, which has a clear
        license.

        * inspector/scripts/jsmin.py:

2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        Base case for get-by-id inline cache doesn't check for HasImpureGetOwnPropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=132695

        Reviewed by Filip Pizlo.

        We check in the case where we're accessing something other than the base object (e.g. the prototype),
        but we fail to do so for the base object.

        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        * jsc.cpp: Added some infrastructure to support this test. We don't currently trigger this bug anywhere in WebKit
        because all of the values that are returned that could be impure are set to uncacheable anyways.
        (WTF::ImpureGetter::ImpureGetter):
        (WTF::ImpureGetter::createStructure):
        (WTF::ImpureGetter::create):
        (WTF::ImpureGetter::finishCreation):
        (WTF::ImpureGetter::getOwnPropertySlot):
        (WTF::ImpureGetter::visitChildren):
        (WTF::ImpureGetter::setDelegate):
        (GlobalObject::finishCreation):
        (functionCreateImpureGetter):
        (functionSetImpureGetterDelegate):
        * tests/stress/impure-get-own-property-slot-inline-cache.js: Added.
        (foo):

2014-05-08  Filip Pizlo  <fpizlo@apple.com>

        deleteAllCompiledCode() shouldn't use the suspension worklist
        https://bugs.webkit.org/show_bug.cgi?id=132708

        Reviewed by Mark Hahnenberg.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::isStillValid):
        * heap/Heap.cpp:
        (JSC::Heap::deleteAllCompiledCode):

2014-05-08  Filip Pizlo  <fpizlo@apple.com>

        SSA conversion should delete PhantomLocals for captured variables
        https://bugs.webkit.org/show_bug.cgi?id=132693

        Reviewed by Mark Hahnenberg.

        * dfg/DFGCommon.cpp:
        (JSC::DFG::startCrashing): Parallel JIT and a JIT bug means that we may dump IR in parallel. This is the workaround. This patch uses it in all of the places where we dump IR and crash.
        * dfg/DFGCommon.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): Use the workaround.
        * dfg/DFGLivenessAnalysisPhase.cpp:
        (JSC::DFG::LivenessAnalysisPhase::run): Use the workaround.
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run): Fix the bug - it's true that PhantomLocal for captured variables doesn't need anything done to it, but it's wrong that we didn't delete it outright.
        * dfg/DFGValidate.cpp: Use the workaround.
        * tests/stress/phantom-local-captured-but-not-flushed-to-ssa.js: Added.
        (foo):
        (bar):

2014-05-07  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r168451.
        https://bugs.webkit.org/show_bug.cgi?id=132670

        Not a speed-up, just do what other compilers do. (Requested by
        kling on #webkit).

        Reverted changeset:

        "[X86] Emit BT instruction for single-bit tests."
        https://bugs.webkit.org/show_bug.cgi?id=132650
        http://trac.webkit.org/changeset/168451

2014-05-07  Filip Pizlo  <fpizlo@apple.com>

        Make Executable::clearCode() actually clear all of the entrypoints, and
        clean up some other FTL-related calling convention stuff.
        <rdar://problem/16720172>

        Rubber stamped by Mark Hahnenberg.

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::Worklist):
        (JSC::DFG::Worklist::finishCreation):
        (JSC::DFG::Worklist::create):
        (JSC::DFG::ensureGlobalDFGWorklist):
        (JSC::DFG::ensureGlobalFTLWorklist):
        * dfg/DFGWorklist.h:
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::dump):
        * heap/CodeBlockSet.h:
        * runtime/Executable.cpp:
        (JSC::ExecutableBase::clearCode):

2014-05-07  Andreas Kling  <akling@apple.com>

        [X86] Emit BT instruction for single-bit tests.
        <https://webkit.org/b/132650>

        Implement test-bit-and-branch slightly more efficiently by using
        BT + JC/JNC instead of TEST + JZ/JNZ when we're only testing for
        a single bit.

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::singleBitIndex):
        (JSC::MacroAssemblerX86Common::branchTest32):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::bt_i8r):
        (JSC::X86Assembler::bt_i8m):

2014-05-07  Mark Lam  <mark.lam@apple.com>

        REGRESSION(r166678): Dromaeo/cssquery-dojo.html crashes regularly.
        <https://webkit.org/b/131356>

        Reviewed by Geoffrey Garen.

        The issue is that GC needs to be made aware of writes to m_inferredValue
        in the VariableWatchpointSet, but was not.  As a result, if a JSCell*
        is written to a VariableWatchpointSet m_inferredValue, and that JSCell
        does not survive an eden GC shortly after, we will end up with a stale
        JSCell pointer left in the m_inferredValue.

        This issue can be detected more easily by running Dromaeo/cssquery-dojo.html
        using DumpRenderTree with the VM heap in zombie mode.

        The fix is to change VariableWatchpointSet m_inferredValue to type
        WriteBarrier<Unknown> and ensure that VariableWatchpointSet::notifyWrite()
        is executed by all the execution engines so that the WriteBarrier semantics
        are honored.

        We still check if the value to be written is the same as the one in the
        inferredValue.  We'll bypass calling the slow path notifyWrite() if the
        values are the same.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        - need to pass the symbolTable to prepareToWatch() because it will be needed
          for instantiating the VariableWatchpointSet in prepareToWatch().

        * bytecode/VariableWatchpointSet.h:
        (JSC::VariableWatchpointSet::VariableWatchpointSet):
        - VariableWatchpointSet now tracks its owner symbol table for its m_inferredValue
          write barrier, and yes, m_inferredValue is now of type WriteBarrier<Unknown>.
        (JSC::VariableWatchpointSet::inferredValue):
        (JSC::VariableWatchpointSet::invalidate):
        (JSC::VariableWatchpointSet::finalizeUnconditionally):
        (JSC::VariableWatchpointSet::addressOfInferredValue):
        (JSC::VariableWatchpointSet::notifyWrite): Deleted.
        * bytecode/VariableWatchpointSetInlines.h: Added.
        (JSC::VariableWatchpointSet::notifyWrite):

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::cellConstant):
        - Added an assert in case we try to make constants of zombified JSCells again.

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        - We now let the slow path handle the cases when the VariableWatchpointSet is
          in state ClearWatchpoint and IsWatched, and the slow path will ensure that
          we handle the needed write barrier semantics correctly.
          We will bypass the slow path if the value being written is the same as the
          inferred value.

        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
        - Let the slow path handle the cases when the VariableWatchpointSet is
          in state ClearWatchpoint and IsWatched.
          We will bypass the slow path if the value being written is the same as the
          inferred value.

        * heap/Heap.cpp:
        (JSC::Zombify::operator()):
        - Use a different value for the zombified bits (to distinguish it from 0xbbadbeef
          which is used everywhere else).
        * heap/Heap.h:
        (JSC::Heap::isZombified):
        - Provide a convenience test function to check if JSCells are zombified.  This is
          currently only used in an assertion in the DFG bytecode parser, but the intent
          is that we'll apply this test in other strategic places later to help with early
          detection of usage of GC'ed objects when we run in zombie mode.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_captured_mov):
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitNotifyWrite):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitNotifyWrite):
        (JSC::JIT::emitSlow_op_put_to_scope):
        - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
          is in state ClearWatchpoint and IsWatched.
          We will bypass the slow path if the value being written is the same as the
          inferred value.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
          is in state ClearWatchpoint and IsWatched.
          We will bypass the slow path if the value being written is the same as the
          inferred value.

        * runtime/CommonSlowPaths.cpp:

        * runtime/JSCJSValue.h: Fixed some typos in the comments.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::addGlobalVar):
        (JSC::JSGlobalObject::addFunction):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTablePut):
        (JSC::symbolTablePutWithAttributes):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTableEntry::prepareToWatch):
        (JSC::SymbolTableEntry::notifyWriteSlow):
        * runtime/SymbolTable.h:
        (JSC::SymbolTableEntry::notifyWrite):
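
The failure mode described in the entry above (a cell pointer stored into a slot the collector was never told about, left dangling after an eden GC) is easiest to see on a toy model. The following is an added illustration, not JavaScriptCore code: a miniature generational heap with a remembered set, where `Cell`, `MiniHeap`, `kZombieBits` and the poison-instead-of-free "zombie mode" are all invented for this example. It contrasts an unbarriered store with a barriered one that also keeps the "same value, skip the slow path" shortcut from the entry.

```cpp
// Added illustration, not JavaScriptCore code: a miniature generational heap
// showing why every slot that can hold a cell pointer needs a write barrier.
// Cell, MiniHeap and kZombieBits are names and values invented for this example.
#include <cstdint>
#include <cstdio>
#include <memory>
#include <set>
#include <vector>

const uint32_t kZombieBits = 0xdeadc0de; // constructed poison pattern for swept cells

struct Cell {
    uint32_t payload = 0;   // live data, replaced by kZombieBits when swept
    bool isYoung = true;    // allocated since the last eden collection
    bool marked = false;
    Cell* slot = nullptr;   // one outgoing reference, like an inferred-value slot
    bool isZombified() const { return payload == kZombieBits; }
};

class MiniHeap {
public:
    Cell* allocate(uint32_t payload) {
        cells.emplace_back(new Cell());
        cells.back()->payload = payload;
        return cells.back().get();
    }
    void addRoot(Cell* c) { roots.push_back(c); }

    // Unbarriered store: the collector never hears about this old->young edge.
    static void storeWithoutBarrier(Cell* owner, Cell* value) { owner->slot = value; }

    // Barriered store. Rewriting the same value needs no barrier (the fast
    // path); otherwise an old owner that now points at a young cell is put in
    // the remembered set so the next eden collection scans it.
    void storeWithBarrier(Cell* owner, Cell* value) {
        if (owner->slot == value)
            return;
        owner->slot = value;
        if (!owner->isYoung && value && value->isYoung)
            remembered.insert(owner);
    }

    // Eden collection: only young cells can be reclaimed. Old cells are assumed
    // to reference only old cells unless the remembered set says otherwise, so
    // their slots are not scanned. Unreached young cells are poisoned rather
    // than freed ("zombie mode"), which makes a later stale use detectable.
    void collectEden() {
        for (auto& c : cells)
            c->marked = false;
        for (Cell* r : roots)
            mark(r);
        for (Cell* r : remembered)
            mark(r);
        remembered.clear();
        for (auto& c : cells) {
            if (c->isYoung && !c->marked)
                c->payload = kZombieBits;
            c->isYoung = false; // survivors are promoted to the old generation
        }
    }

private:
    void mark(Cell* c) {
        while (c && !c->marked) {
            c->marked = true;
            // Generational shortcut: an old cell outside the remembered set is not scanned.
            if (!c->isYoung && !remembered.count(c))
                return;
            c = c->slot;
        }
    }
    std::vector<std::unique_ptr<Cell>> cells;
    std::vector<Cell*> roots;
    std::set<Cell*> remembered;
};

struct BarrierDemo {
    bool staleWithoutBarrier; // old cell's slot points at a poisoned young cell
    bool liveWithBarrier;     // with the barrier the young cell survived
};

BarrierDemo demonstrateWriteBarrier() {
    BarrierDemo result{};
    {
        MiniHeap heap;
        Cell* holder = heap.allocate(1);
        heap.addRoot(holder);
        heap.collectEden();                  // holder is now an old cell
        Cell* young = heap.allocate(42);
        MiniHeap::storeWithoutBarrier(holder, young);
        heap.collectEden();                  // holder's slot was never scanned
        result.staleWithoutBarrier = holder->slot->isZombified();
    }
    {
        MiniHeap heap;
        Cell* holder = heap.allocate(1);
        heap.addRoot(holder);
        heap.collectEden();
        Cell* young = heap.allocate(42);
        heap.storeWithBarrier(holder, young); // holder lands in the remembered set
        heap.collectEden();
        result.liveWithBarrier = !holder->slot->isZombified() && holder->slot->payload == 42;
    }
    return result;
}

int main() {
    BarrierDemo d = demonstrateWriteBarrier();
    std::printf("stale without barrier: %d, live with barrier: %d\n",
                d.staleWithoutBarrier, d.liveWithBarrier);
    return 0;
}
```

The poisoned payload is what a zombie-mode heap check would catch; on a real heap that frees the memory instead, the same stale pointer is a use-after-free, which is why the fix routes every engine's write through notifyWrite() rather than trusting the fast path alone.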

2014-05-06  Michael Saboff  <msaboff@apple.com>

        Unreviewed build fix for C-LOOP after r168396.

        * runtime/TestRunnerUtils.cpp:
        (JSC::optimizeNextInvocation): Wrapped actual call inside #if ENABLE(JIT)

2014-05-06  Michael Saboff  <msaboff@apple.com>

        Add test for deleteAllCompiledCode
        https://bugs.webkit.org/show_bug.cgi?id=132632

        Reviewed by Phil Pizlo.

        Added two new hooks to jsc, one to call Heap::deleteAllCompiledCode() and
        the other to call CodeBlock::optimizeNextInvocation().  Used these two hooks
        to write a test that will queue up loads of DFG compiles and then call
        Heap::deleteAllCompiledCode() to make sure that it can handle compiled
        code as well as code being compiled.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionDeleteAllCompiledCode):
        (functionOptimizeNextInvocation):
        * runtime/TestRunnerUtils.cpp:
        (JSC::optimizeNextInvocation):
        * runtime/TestRunnerUtils.h:
        * tests/stress/deleteAllCompiledCode.js: Added.
        (functionList):
        (runTest):

2014-05-06  Andreas Kling  <akling@apple.com>

        JSString::toAtomicString() should return AtomicString.
        <https://webkit.org/b/132627>

        Remove premature optimization where I was trying to avoid refcount
        churn when returning an already atomicized String.

        Instead of using reinterpret_cast to mangle the String member into
        a const AtomicString& return value, just return AtomicString.

        Reviewed by Geoff Garen.

        * runtime/JSString.h:
        (JSC::JSString::toAtomicString):

2014-05-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        Roll out r167889

        Rubber stamped by Geoff Garen.

        It broke some websites.

        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::create):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::hasDeletedOffset):
        (JSC::PropertyTable::hadDeletedOffset): Deleted.
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::removePropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::addPropertyWithoutTransition):
        (JSC::Structure::removePropertyWithoutTransition):
        (JSC::Structure::pin):
        (JSC::Structure::pinAndPreventTransitions): Deleted.
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::setEnumerationCache):
        (JSC::Structure::propertyTable):
        (JSC::Structure::checkOffsetConsistency):
        (JSC::Structure::hadDeletedOffsets): Deleted.
        * tests/stress/for-in-after-delete.js:
        (foo): Deleted.

2014-05-05  Andreas Kling  <akling@apple.com>

        Fix debug build.

        * runtime/JSCellInlines.h:
        (JSC::JSCell::fastGetOwnProperty):

2014-05-05  Andreas Kling  <akling@apple.com>

        Optimize GetByVal when subscript is a rope string.
        <https://webkit.org/b/132590>

        Use JSString::toIdentifier() in the various GetByVal implementations
        to try and avoid allocating extra strings.

        Added canUseFastGetOwnProperty() and wrap calls to fastGetOwnProperty()
        in that, to avoid calling JSString::value() which always resolves ropes
        into new strings and de-optimizes subsequent toIdentifier() calls.

        My iMac says ~9% progression on Dromaeo/dom-attr.html

        Reviewed by Phil Pizlo.

        * dfg/DFGOperations.cpp:
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::fastGetOwnProperty):
        (JSC::JSCell::canUseFastGetOwnProperty):

2014-05-05  Andreas Kling  <akling@apple.com>

        REGRESSION (r168256): ASSERTION FAILED: (buffer + m_length) == position loading vanityfair.com article.
        <https://webkit.org/b/168256>
        <rdar://problem/16816316>

        Make resolveRopeSlowCase8() behave like its 16-bit counterpart and not
        clear the fibers. The caller takes care of this.

        Test: fast/dom/getElementById-with-rope-string-arg.html

        Reviewed by Geoffrey Garen.

        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeSlowCase8):

2014-05-05  Michael Saboff  <msaboff@apple.com>

        REGRESSION: RELEASE_ASSERT in CodeBlock::baselineVersion @ cnn.com
        https://bugs.webkit.org/show_bug.cgi?id=132581

        Reviewed by Filip Pizlo.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::isStillValid): Check that the alternative codeBlock we
        started compiling for is still the same at the end of compilation.
        Also did some minor restructuring.

2014-05-05  Andreas Kling  <akling@apple.com>

        Optimize PutByVal when subscript is a rope string.
        <https://webkit.org/b/132572>

        Add a JSString::toIdentifier() that is smarter when the JSString is
        really a rope string. Use this in baseline & DFG's PutByVal to avoid
        allocating new StringImpls that we immediately deduplicate anyway.

        Reviewed by Antti Koivisto.

        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * jit/JITOperations.cpp:
        * runtime/JSString.h:
        (JSC::JSString::toIdentifier):

2014-05-05  Andreas Kling  <akling@apple.com>

        Remove two now-incorrect assertions after r168256.

        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeSlowCase8):
        (JSC::JSRopeString::resolveRopeSlowCase):

2014-05-04  Andreas Kling  <akling@apple.com>

        Optimize JSRopeString for resolving directly to AtomicString.
        <https://webkit.org/b/132548>

        If we know that the JSRopeString we are resolving is going to be used
        as an AtomicString, we can try to avoid creating a new string.

        We do this by first resolving the rope into a stack buffer, and using
        that buffer as a key into the AtomicString table. If there is already
        an AtomicString with the same characters, we reuse that instead of
        constructing a new StringImpl.

        JSString gains these two public functions:

        - AtomicString toAtomicString()

            Returns an AtomicString, tries to avoid allocating a new string
            if possible.

        - AtomicStringImpl* toExistingAtomicString()

            Returns a non-null AtomicStringImpl* if one already exists in the
            AtomicString table. If none is found, the rope is left unresolved.

        Reviewed by Filip Pizlo.

        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeInternal8):
        (JSC::JSRopeString::resolveRopeInternal16):
        (JSC::JSRopeString::resolveRopeToAtomicString):
        (JSC::JSRopeString::clearFibers):
        (JSC::JSRopeString::resolveRopeToExistingAtomicString):
        (JSC::JSRopeString::resolveRope):
        (JSC::JSRopeString::outOfMemory):
        * runtime/JSString.h:
        (JSC::JSString::toAtomicString):
        (JSC::JSString::toExistingAtomicString):
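
The two-step technique this entry describes (flatten the rope into a stack buffer, then use that buffer as a key into the atom table, allocating a new string only on a miss) is shown below as an added illustration. It is not WebKit code: `AtomTable`, `Rope`, `flattenInto` and the list-backed table are invented for this example, and the table uses a linear scan where the real AtomicString table hashes. The two entry points mirror the pair the entry introduces, `toAtomicString()` (interns on a miss and resolves the rope) and `toExistingAtomicString()` (probe only; the rope stays unresolved on a miss).

```cpp
// Added illustration, not WebKit code: a toy rope string that resolves straight
// into an interning table, reusing an equal entry when one already exists.
// AtomTable, Rope and their members are names invented for this example.
#include <cstddef>
#include <cstdio>
#include <list>
#include <string>
#include <vector>

// Stands in for the AtomicString table. A std::list keeps element addresses
// stable, so a pointer to an atom stays valid as more atoms are added.
// Lookup is a linear scan here; the real table is hashed.
struct AtomTable {
    std::list<std::string> entries;

    // Probe only: returns the existing atom or nullptr, never inserts.
    const std::string* findExisting(const char* chars, size_t length) const {
        for (const std::string& atom : entries) {
            if (atom.size() == length && atom.compare(0, length, chars, length) == 0)
                return &atom;
        }
        return nullptr;
    }

    // Returns the interned atom, copying the characters only on a miss.
    const std::string* intern(const char* chars, size_t length) {
        if (const std::string* hit = findExisting(chars, length))
            return hit;
        entries.emplace_back(chars, length);
        return &entries.back();
    }
};

// A rope is either a flat leaf or a concatenation of fibers whose characters
// have not been copied together yet.
struct Rope {
    std::string flat;                 // characters, valid when fibers is empty
    std::vector<const Rope*> fibers;  // non-empty while still unresolved
    size_t length = 0;

    static Rope leaf(std::string chars) {
        Rope r;
        r.length = chars.size();
        r.flat = std::move(chars);
        return r;
    }
    // Both operands must outlive the result; the rope stores only pointers.
    static Rope concat(const Rope& a, const Rope& b) {
        Rope r;
        r.length = a.length + b.length;
        r.fibers = { &a, &b };
        return r;
    }
    bool isRope() const { return !fibers.empty(); }

    // Writes the characters into a caller-supplied buffer without allocating.
    void writeTo(char* dst) const {
        if (!isRope()) {
            flat.copy(dst, flat.size());
            return;
        }
        for (const Rope* f : fibers) {
            f->writeTo(dst);
            dst += f->length;
        }
    }

    // Flattens into the stack buffer when the rope fits, else into `spill`.
    // Returns the start of the characters; `length` is their count.
    const char* flattenInto(char* stackBuffer, size_t stackSize, std::vector<char>& spill) const {
        char* buffer = stackBuffer;
        if (length > stackSize) {
            spill.resize(length);
            buffer = spill.data();
        }
        writeTo(buffer);
        return buffer;
    }

    // Probe the table with the flattened characters. On a miss nothing is
    // allocated or interned and the rope is left unresolved.
    const std::string* toExistingAtomicString(const AtomTable& table) const {
        char stackBuffer[128];
        std::vector<char> spill;
        const char* chars = flattenInto(stackBuffer, sizeof(stackBuffer), spill);
        return table.findExisting(chars, length);
    }

    // Resolve to an atom, reusing an existing one if possible, then record the
    // flat characters so the fibers can be dropped.
    const std::string* toAtomicString(AtomTable& table) {
        char stackBuffer[128];
        std::vector<char> spill;
        const char* chars = flattenInto(stackBuffer, sizeof(stackBuffer), spill);
        const std::string* atom = table.intern(chars, length);
        flat = *atom;
        fibers.clear();
        return atom;
    }
};

struct RopeDemo {
    bool probeHitExisting;   // concatenated rope matched the pre-interned atom
    bool ropeLeftUnresolved; // a probe does not resolve the rope
    bool probeMissIsNull;    // no atom yet for the other spelling
    bool internReusedAtom;   // toAtomicString handed back the same pointer
    size_t atomsInTable;     // entries after interning both ropes
};

RopeDemo demo() {
    AtomTable table;
    const std::string* preinterned = table.intern("getElementById", 14); // constructed sample
    Rope head = Rope::leaf("getElement");
    Rope tailId = Rope::leaf("ById");
    Rope tailName = Rope::leaf("ByName");
    Rope hit = Rope::concat(head, tailId);
    Rope miss = Rope::concat(head, tailName);

    RopeDemo r{};
    r.probeHitExisting = hit.toExistingAtomicString(table) == preinterned;
    r.ropeLeftUnresolved = hit.isRope();
    r.probeMissIsNull = miss.toExistingAtomicString(table) == nullptr;
    r.internReusedAtom = hit.toAtomicString(table) == preinterned && !hit.isRope();
    miss.toAtomicString(table);            // first time seen: a new atom is created
    r.atomsInTable = table.entries.size(); // 2
    return r;
}

int main() {
    RopeDemo r = demo();
    std::printf("hit=%d unresolved=%d miss=%d reused=%d atoms=%zu\n",
                r.probeHitExisting, r.ropeLeftUnresolved, r.probeMissIsNull,
                r.internReusedAtom, r.atomsInTable);
    return 0;
}
```

The probe-only variant matters for lookups such as property access: a name that was never interned cannot name an existing property, so a miss can answer "not found" without ever creating a string, while the rope keeps its fibers for a later caller that does need them.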

2014-05-04  Andreas Kling  <akling@apple.com>

        Unreviewed, rolling out r168254.

        Very crashy on debug JSC tests.

        Reverted changeset:

        "jsSubstring() should be lazy"
        https://bugs.webkit.org/show_bug.cgi?id=132556
        http://trac.webkit.org/changeset/168254

2014-05-04  Filip Pizlo  <fpizlo@apple.com>

        jsSubstring() should be lazy
        https://bugs.webkit.org/show_bug.cgi?id=132556

        Reviewed by Andreas Kling.

        jsSubstring() is now lazy by using a special rope that is a substring instead of a
        concatenation. To make this patch super simple, we require that a substring's base is
        never a rope. Hence, when resolving a rope, we either go down a non-recursive substring
        path, or we go down a concatenation path which may see exactly one level of substrings in
        its fibers.

        This is up to a 50% speed-up on microbenchmarks and a 10% speed-up on Octane/regexp.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::specializedSweep):
        * runtime/JSString.cpp:
        (JSC::JSRopeString::visitFibers):
        (JSC::JSRopeString::resolveRope):
        (JSC::JSRopeString::resolveRopeSlowCase8):
        (JSC::JSRopeString::resolveRopeSlowCase):
        (JSC::JSRopeString::outOfMemory):
        * runtime/JSString.h:
        (JSC::JSRopeString::finishCreation):
        (JSC::JSRopeString::append):
        (JSC::JSRopeString::create):
        (JSC::JSRopeString::offsetOfFibers):
        (JSC::JSRopeString::fiber):
        (JSC::JSRopeString::substringBase):
        (JSC::JSRopeString::substringOffset):
        (JSC::JSRopeString::substringSentinel):
        (JSC::JSRopeString::isSubstring):
        (JSC::jsSubstring):
        * runtime/RegExpMatchesArray.cpp:
        (JSC::RegExpMatchesArray::reifyAllProperties):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncSubstring):

2014-05-02  Michael Saboff  <msaboff@apple.com>

        "arm64 function not 4-byte aligned" warnings when building JSC
        https://bugs.webkit.org/show_bug.cgi?id=132495

        Reviewed by Geoffrey Garen.

        Added ".align 4" for both ARM Thumb2 and ARM 64 to silence the linker.

        * llint/LowLevelInterpreter.cpp:

2014-05-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix cloop build after r168178

        * bytecode/CodeBlock.cpp:

2014-05-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add a DFG function whitelist
        https://bugs.webkit.org/show_bug.cgi?id=132437

        Reviewed by Geoffrey Garen.

        Oftentimes when debugging, using bytecode ranges isn't enough to narrow down to the
        particular DFG block that's causing issues. This patch adds the ability to whitelist
        specific functions specified in a file to enable further filtering without having to recompile.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::isSupported):
        (JSC::DFG::mightInlineFunctionForCall):
        (JSC::DFG::mightInlineFunctionForClosureCall):
        (JSC::DFG::mightInlineFunctionForConstruct):
        * dfg/DFGFunctionWhitelist.cpp: Added.
        (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
        (JSC::DFG::FunctionWhitelist::FunctionWhitelist):
        (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
        (JSC::DFG::FunctionWhitelist::contains):
        * dfg/DFGFunctionWhitelist.h: Added.
        * runtime/Options.cpp:
        (JSC::parse):
        (JSC::Options::dumpOption):
        * runtime/Options.h:

2014-05-02  Filip Pizlo  <fpizlo@apple.com>

        DFGAbstractInterpreter should not claim Int52 arithmetic creates Int52s
        https://bugs.webkit.org/show_bug.cgi?id=132446

        Reviewed by Mark Hahnenberg.

        Basically any arithmetic operation can turn an Int52 into an Int32 or vice-versa, and
        our modeling of Int52Rep nodes is such that they can have either Int32 or Int52 type
        to indicate a bound on the value. This is useful for knowing, for example, that
        Int52Rep(Int32:) returns a value that cannot be outside the Int32 range. Also,
        ValueRep(Int52Rep:) uses this to determine whether it may return a double or an int.
        But this means that all arithmetic operations must be careful to note that they may
        turn Int32 inputs into an Int52 output or vice-versa, as these new tests show.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        * tests/stress/int52-ai-add-then-filter-int32.js: Added.
        (foo):
        * tests/stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js: Added.
        (foo):
        * tests/stress/int52-ai-mul-then-filter-int32-directly.js: Added.
        (foo):
        * tests/stress/int52-ai-mul-then-filter-int32.js: Added.
        (foo):
        * tests/stress/int52-ai-neg-then-filter-int32.js: Added.
        (foo):
        * tests/stress/int52-ai-sub-then-filter-int32.js: Added.
        (foo):

2014-05-01  Geoffrey Garen  <ggaren@apple.com>

        JavaScriptCore fails to build with some versions of clang
        https://bugs.webkit.org/show_bug.cgi?id=132436

        Reviewed by Anders Carlsson.

        * runtime/ArgumentsIteratorConstructor.cpp: Since we call
        putDirectWithoutTransition, and it calls putWillGrowOutOfLineStorage,
        and both are marked inline, it's valid for the compiler to decide
        to inline both and emit neither in the binary. Therefore, we need
        both inline definitions to be available in the translation unit at
        compile time, or we'll try to link against a function that doesn't exist.

2014-05-01  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r167964.
        https://bugs.webkit.org/show_bug.cgi?id=132431

        Memory improvements should not regress memory usage (Requested
        by olliej on #webkit).

        Reverted changeset:

        "Don't hold on to parameter BindingNodes forever"
        https://bugs.webkit.org/show_bug.cgi?id=132360
        http://trac.webkit.org/changeset/167964

2014-05-01  Filip Pizlo  <fpizlo@apple.com>

        Fix trivial debug-only race-that-crashes in CallLinkStatus and explain why the remaining races are totally awesome
        https://bugs.webkit.org/show_bug.cgi?id=132427

        Reviewed by Mark Hahnenberg.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):

2014-04-30  Simon Fraser  <simon.fraser@apple.com>

        Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO
        https://bugs.webkit.org/show_bug.cgi?id=132396

        Reviewed by Eric Carlson.

        Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO and related code.

        * Configurations/FeatureDefines.xcconfig:

2014-04-30  Filip Pizlo  <fpizlo@apple.com>

        Argument flush formats should not be presumed to be JSValue since 'this' is weird
        https://bugs.webkit.org/show_bug.cgi?id=132404

        Reviewed by Michael Saboff.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Don't assume that arguments are flushed as JSValue. Use the logic for locals instead.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): SetArgument "changes" the format because before this we wouldn't know we had arguments.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Ditto.
        * dfg/DFGValueSource.cpp:
        (JSC::DFG::ValueSource::dumpInContext): Make this easier to dump.
        * dfg/DFGValueSource.h:
        (JSC::DFG::ValueSource::operator!): Make this easier to dump because Operands<T> uses T::operator!().
        * ftl/FTLOSREntry.cpp:
        (JSC::FTL::prepareOSREntry): This had a useful assertion for everything except 'this'.
        * tests/stress/strict-to-this-int.js: Added.
        (foo):
        (Number.prototype.valueOf):
        (test):

2014-04-29  Oliver Hunt  <oliver@apple.com>

        Don't hold on to parameterBindingNodes forever
        https://bugs.webkit.org/show_bug.cgi?id=132360

        Reviewed by Geoffrey Garen.

        Don't keep the parameter nodes anymore. Instead we store the
        original parameter string and reparse whenever we actually
        need them. Because we only actually need them for compilation
        this only results in a single extra parse.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::visitChildren):
        (JSC::UnlinkedFunctionExecutable::finishCreation):
        (JSC::UnlinkedFunctionExecutable::paramString):
        (JSC::UnlinkedFunctionExecutable::parameters):
        (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::create):
        (JSC::UnlinkedFunctionExecutable::parameterCount):
        (JSC::UnlinkedFunctionExecutable::parameters): Deleted.
        (JSC::UnlinkedFunctionExecutable::finishCreation): Deleted.
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::ASTBuilder):
        (JSC::ASTBuilder::setFunctionBodyParameters):
        * parser/Nodes.h:
        (JSC::FunctionBodyNode::parametersStartOffset):
        (JSC::FunctionBodyNode::parametersEndOffset):
        (JSC::FunctionBodyNode::setParameterLocation):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::parseParameters):
776         (JSC::Parser<LexerType>::parseFunctionInfo):
777         (JSC::parseParameters):
778         * parser/Parser.h:
779         (JSC::parse):
780         * parser/SourceCode.h:
781         (JSC::SourceCode::subExpression):
782         * parser/SyntaxChecker.h:
783         (JSC::SyntaxChecker::setFunctionBodyParameters):
784
785 2014-04-29  Mark Hahnenberg  <mhahnenberg@apple.com>
786
787         JSProxies should be cacheable
788         https://bugs.webkit.org/show_bug.cgi?id=132351
789
790         Reviewed by Geoffrey Garen.
791
792         Whenever we encounter a proxy in an inline cache we should try to cache on the 
793         proxy's target instead of giving up.
794
795         This patch adds support for a simple "recursive" inline cache if the base object
796         we're accessing is a pure forwarding proxy. JSGlobalObject and its subclasses 
797         are the only ones to benefit from this right now.
798
799         This is performance neutral on the benchmarks we track. Currently we won't
800         cache on JSDOMWindow due to HasImpureGetOwnPropertySlot, but this issue will be fixed soon.
801
802         * jit/Repatch.cpp:
803         (JSC::generateByIdStub):
804         (JSC::tryBuildGetByIDList):
805         (JSC::tryCachePutByID):
806         (JSC::tryBuildPutByIdList):
807         * jsc.cpp:
808         (GlobalObject::finishCreation):
809         (functionCreateProxy):
810         * runtime/IntendedStructureChain.cpp:
811         (JSC::IntendedStructureChain::isNormalized):
812         * runtime/JSCellInlines.h:
813         (JSC::JSCell::isProxy):
814         * runtime/JSGlobalObject.h:
815         (JSC::JSGlobalObject::finishCreation):
816         * runtime/JSProxy.h:
817         (JSC::JSProxy::createStructure):
818         (JSC::JSProxy::targetOffset):
819         * runtime/JSType.h:
820         * runtime/Operations.h:
821         (JSC::isPrototypeChainNormalized):
822         * runtime/Structure.h:
823         (JSC::Structure::isProxy):
824         * tests/stress/proxy-inline-cache.js: Added.
825         (cacheOnTarget.getX):
826         (cacheOnTarget):
827         (cacheOnPrototypeOfTarget.getX):
828         (cacheOnPrototypeOfTarget):
829         (dontCacheOnProxyInPrototypeChain.getX):
830         (dontCacheOnProxyInPrototypeChain):
831         (dontCacheOnTargetOfProxyInPrototypeChainOfTarget.getX):
832         (dontCacheOnTargetOfProxyInPrototypeChainOfTarget):
833
834 2014-04-29  Filip Pizlo  <fpizlo@apple.com>
835
836         Use LLVM as a backend for the fourth-tier DFG JIT (a.k.a. the FTL JIT)
837         https://bugs.webkit.org/show_bug.cgi?id=112840
838
839         Rubber stamped by Geoffrey Garen.
840
841         * Configurations/FeatureDefines.xcconfig:
842
843 2014-04-29  Geoffrey Garen  <ggaren@apple.com>
844
845         String.prototype.trim removes U+200B from strings.
846         https://bugs.webkit.org/show_bug.cgi?id=130184
847
848         Reviewed by Michael Saboff.
849
850         * runtime/StringPrototype.cpp:
851         (JSC::trimString):
852         (JSC::isTrimWhitespace): Deleted.
853
854 2014-04-29  Mark Lam  <mark.lam@apple.com>
855
856         Zombifying sweep should ignore retired blocks.
857         <https://webkit.org/b/132344>
858
859         Reviewed by Mark Hahnenberg.
860
861         By definition, retired blocks do not have "dead" objects, or at least
862         none that we know of yet until the next marking phase has been run
863         over it.  So, we should not be sweeping them (even for zombie mode).
864
865         * heap/Heap.cpp:
866         (JSC::Heap::zombifyDeadObjects):
867         * heap/MarkedSpace.cpp:
868         (JSC::MarkedSpace::zombifySweep):
869         * heap/MarkedSpace.h:
870         (JSC::ZombifySweep::operator()):
871
872 2014-04-29  Mark Lam  <mark.lam@apple.com>
873
874         Fix bit rot in zombie mode heap code.
875         <https://webkit.org/b/132342>
876
877         Reviewed by Mark Hahnenberg.
878
879         Need to enter a DelayedReleaseScope before doing a sweep.
880
881         * heap/Heap.cpp:
882         (JSC::Heap::zombifyDeadObjects):
883
884 2014-04-29  Tomas Popela  <tpopela@redhat.com>
885
886         LLINT loadisFromInstruction doesn't need special case for big endians
887         https://bugs.webkit.org/show_bug.cgi?id=132330
888
889         Reviewed by Mark Lam.
890
891         The change introduced in r167076 was wrong. We should not apply the offset
892         adjustment on loadisFromInstruction usage as the instruction
893         (UnlinkedInstruction) is declared as a union (i.e. with the int32_t
894         operand variable). The offset of the other union members will be the
895         same as the offset of the first one, that is 0. The behavior here is the
896         same on little and big endian architectures. Thus we don't need a
897         special case for big endians.
898
899         * llint/LowLevelInterpreter.asm:
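
The union-offset reasoning in the entry above, as an added illustration that is not JavaScriptCore's code: `InstructionSlot` is a constructed stand-in for an instruction word, not the real `UnlinkedInstruction`. It contrasts the one place where an endianness adjustment genuinely matters (addressing the low 32 bits of a 64-bit integer by byte offset) with a union member, whose offset is 0 on every architecture.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Constructed model of a bytecode instruction slot (not JSC's UnlinkedInstruction):
// one machine word that holds either an opcode pointer or a 32-bit operand.
union InstructionSlot {
    const void* opcode;
    int32_t operand;
    uint32_t unsignedOperand;
};

// Every union member starts at the beginning of the union, on any architecture.
bool unionMembersShareOffsetZero() {
    return offsetof(InstructionSlot, opcode) == 0
        && offsetof(InstructionSlot, operand) == 0
        && offsetof(InstructionSlot, unsignedOperand) == 0;
}

// Runtime endianness probe: looks at the first byte of a known 32-bit pattern.
bool isBigEndian() {
    uint32_t probe = 0x01020304u;
    unsigned char first;
    std::memcpy(&first, &probe, 1);
    return first == 0x01;
}

// The case where an adjustment IS needed: picking the low 32 bits out of a
// 64-bit integer by byte address. The low half lives at byte offset 0 on
// little-endian machines and at byte offset 4 on big-endian ones.
size_t lowHalfByteOffset() {
    uint64_t value = 0x00000000ffffffffULL;
    unsigned char bytes[sizeof value];
    std::memcpy(bytes, &value, sizeof value);
    return bytes[0] == 0xff ? 0 : 4;
}

// Storing through the int32_t member and loading through the same member reads
// exactly the bytes that were written; no per-endianness offset is involved.
int32_t roundTripOperand(int32_t v) {
    InstructionSlot slot;
    std::memset(&slot, 0, sizeof slot);
    slot.operand = v;
    return slot.operand;
}
```

`lowHalfByteOffset()` is the situation r167076 apparently had in mind; the union case is what the LLInt actually has, which is why the adjustment was dropped again.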
900
901 2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>
902
903         Simplify tryCacheGetById
904         https://bugs.webkit.org/show_bug.cgi?id=132314
905
906         Reviewed by Oliver Hunt and Filip Pizlo.
907
908         This is neutral across all benchmarks we track, although it looks like a wee 0.5% progression on sunspider.
909
910         * jit/Repatch.cpp:
911         (JSC::tryCacheGetByID): If we fail to cache on self, we just repatch to call tryBuildGetByIDList next time.
912
913 2014-04-28  Michael Saboff  <msaboff@apple.com>
914
915         REGRESSION(r153142) ASSERT from CodeBlock::dumpBytecode dumping String Switch Jump Tables
916         https://bugs.webkit.org/show_bug.cgi?id=132315
917
918         Reviewed by Mark Hahnenberg.
919
920         Used the StringImpl version of utf8() instead of creating a String first.
921
922         * bytecode/CodeBlock.cpp:
923         (JSC::CodeBlock::dumpBytecode):
924
925 2014-04-28  Filip Pizlo  <fpizlo@apple.com>
926
927         The LLInt is awesome and it should get more of the action.
928
929         Rubber stamped by Geoffrey Garen.
930         
931         5% speed-up on JSBench and no meaningful regressions.  Should be a PLT/DYE speed-up also.
932
933         * runtime/Options.h:
934
935 2014-04-27  Filip Pizlo  <fpizlo@apple.com>
936
937         GC should be able to remove things from the DFG worklist and cancel on-going compilations if it knows that the compilation would already be invalidated
938         https://bugs.webkit.org/show_bug.cgi?id=132166
939
940         Reviewed by Oliver Hunt and Mark Hahnenberg.
941         
942         The GC can aid type inference by removing structures that are dead and jettisoning
943         code that relies on those structures. This can dramatically accelerate type inference
944         for some tricky programs.
945         
946         Unfortunately, we previously pinned any structures that enqueued compilations depended
947         on. This means that if you're on a machine that only runs a single compilation thread
948         and where compilations are relatively slow, you have a high chance of large numbers of
949         structures being pinned during any GC since the compilation queue is likely to be full
950         of random stuff.
951         
952         This comprehensively fixes this issue by allowing the GC to remove compilation plans
953         if the things they depend on are dead, and to even cancel safepointed compilations.
954         
955         * bytecode/CodeBlock.cpp:
956         (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
957         (JSC::CodeBlock::isKnownToBeLiveDuringGC):
958         (JSC::CodeBlock::finalizeUnconditionally):
959         * bytecode/CodeBlock.h:
960         (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan): Deleted.
961         * dfg/DFGDesiredIdentifiers.cpp:
962         (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
963         * dfg/DFGDesiredIdentifiers.h:
964         * dfg/DFGDesiredWatchpoints.h:
965         * dfg/DFGDesiredWeakReferences.cpp:
966         (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
967         * dfg/DFGDesiredWeakReferences.h:
968         * dfg/DFGGraphSafepoint.cpp:
969         (JSC::DFG::GraphSafepoint::GraphSafepoint):
970         * dfg/DFGGraphSafepoint.h:
971         * dfg/DFGPlan.cpp:
972         (JSC::DFG::Plan::Plan):
973         (JSC::DFG::Plan::compileInThread):
974         (JSC::DFG::Plan::compileInThreadImpl):
975         (JSC::DFG::Plan::notifyCompiling):
976         (JSC::DFG::Plan::notifyCompiled):
977         (JSC::DFG::Plan::notifyReady):
978         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
979         (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
980         (JSC::DFG::Plan::cancel):
981         (JSC::DFG::Plan::visitChildren): Deleted.
982         * dfg/DFGPlan.h:
983         * dfg/DFGSafepoint.cpp:
984         (JSC::DFG::Safepoint::Result::~Result):
985         (JSC::DFG::Safepoint::Result::didGetCancelled):
986         (JSC::DFG::Safepoint::Safepoint):
987         (JSC::DFG::Safepoint::~Safepoint):
988         (JSC::DFG::Safepoint::checkLivenessAndVisitChildren):
989         (JSC::DFG::Safepoint::isKnownToBeLiveDuringGC):
990         (JSC::DFG::Safepoint::cancel):
991         (JSC::DFG::Safepoint::visitChildren): Deleted.
992         * dfg/DFGSafepoint.h:
993         (JSC::DFG::Safepoint::Result::Result):
994         * dfg/DFGWorklist.cpp:
995         (JSC::DFG::Worklist::compilationState):
996         (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
997         (JSC::DFG::Worklist::removeAllReadyPlansForVM):
998         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
999         (JSC::DFG::Worklist::visitWeakReferences):
1000         (JSC::DFG::Worklist::removeDeadPlans):
1001         (JSC::DFG::Worklist::runThread):
1002         (JSC::DFG::Worklist::visitChildren): Deleted.
1003         * dfg/DFGWorklist.h:
1004         * ftl/FTLCompile.cpp:
1005         (JSC::FTL::compile):
1006         * ftl/FTLCompile.h:
1007         * heap/CodeBlockSet.cpp:
1008         (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
1009         * heap/Heap.cpp:
1010         (JSC::Heap::markRoots):
1011         (JSC::Heap::visitCompilerWorklistWeakReferences):
1012         (JSC::Heap::removeDeadCompilerWorklistEntries):
1013         (JSC::Heap::visitWeakHandles):
1014         (JSC::Heap::collect):
1015         (JSC::Heap::visitCompilerWorklists): Deleted.
1016         * heap/Heap.h:
1017
1018 2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>
1019
1020         Deleting properties poisons objects
1021         https://bugs.webkit.org/show_bug.cgi?id=131551
1022
1023         Reviewed by Oliver Hunt.
1024
1025         This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.
1026
1027         * runtime/JSPropertyNameIterator.cpp:
1028         (JSC::JSPropertyNameIterator::create):
1029         * runtime/PropertyMapHashTable.h:
1030         (JSC::PropertyTable::hasDeletedOffset):
1031         (JSC::PropertyTable::hadDeletedOffset): If we ever had deleted properties we can no longer cache offsets when 
1032         iterating properties because we're required to iterate properties in insertion order.
1033         * runtime/Structure.cpp:
1034         (JSC::Structure::Structure):
1035         (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
1036         (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of 
1037         Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache 
1038         delete transitions, but we allow transitioning from them.
1039         (JSC::Structure::changePrototypeTransition):
1040         (JSC::Structure::despecifyFunctionTransition):
1041         (JSC::Structure::attributeChangeTransition):
1042         (JSC::Structure::toDictionaryTransition):
1043         (JSC::Structure::preventExtensionsTransition):
1044         (JSC::Structure::addPropertyWithoutTransition):
1045         (JSC::Structure::removePropertyWithoutTransition):
1046         (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
1047         (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
1048         * runtime/Structure.h:
1049         * runtime/StructureInlines.h:
1050         (JSC::Structure::setEnumerationCache):
1051         (JSC::Structure::hadDeletedOffsets):
1052         (JSC::Structure::propertyTable):
1053         (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
1054         * tests/stress/for-in-after-delete.js: Added.
1055         (foo):
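
A constructed model of the idea in the entry above, added here and not JavaScriptCore's own PropertyTable or Structure code: live properties are kept in insertion order (what for-in must report), deleted storage offsets go on a free list and are handed out again on the next add, and a `hadDeletedOffset` flag records that offset order can no longer be trusted as enumeration order. The delete budget `maxCacheableDeletes = 5` and the names used here are assumptions modelled on the description, not the real implementation.

```cpp
#include <algorithm>
#include <string>
#include <vector>

// Constructed model (not JSC's PropertyTable) of a property table that keeps
// insertion order for enumeration but reuses storage offsets freed by deletes.
class PropertyTableModel {
    struct Entry { std::string key; unsigned offset; };

public:
    // Assumed budget: deletes a transition path may accumulate before the
    // structure falls back to an uncacheable dictionary.
    static constexpr unsigned maxCacheableDeletes = 5;

    // Adds `key` and returns its storage offset, reusing a freed slot first.
    unsigned add(const std::string& key) {
        unsigned offset;
        if (!m_deletedOffsets.empty()) {
            offset = m_deletedOffsets.back();
            m_deletedOffsets.pop_back();
        } else {
            offset = m_nextOffset++;
        }
        m_entries.push_back({key, offset});
        return offset;
    }

    // Removes `key`; its offset becomes reusable. Returns false if absent.
    bool remove(const std::string& key) {
        for (size_t i = 0; i < m_entries.size(); ++i) {
            if (m_entries[i].key == key) {
                m_deletedOffsets.push_back(m_entries[i].offset);
                m_entries.erase(m_entries.begin() + static_cast<long>(i));
                m_hadDeletedOffset = true;
                ++m_deleteCount;
                return true;
            }
        }
        return false;
    }

    // Once any offset has been freed, enumeration may no longer assume that
    // ascending offset order equals insertion order.
    bool hadDeletedOffset() const { return m_hadDeletedOffset; }

    bool shouldBecomeUncacheableDictionary() const {
        return m_deleteCount > maxCacheableDeletes;
    }

    // Keys in the order a for-in loop must report them.
    std::vector<std::string> keysInInsertionOrder() const {
        std::vector<std::string> keys;
        for (const Entry& e : m_entries)
            keys.push_back(e.key);
        return keys;
    }

    // Keys sorted by storage offset: what an offset-based enumeration cache
    // would yield. Equals insertion order only while no slot has been reused.
    std::vector<std::string> keysInOffsetOrder() const {
        std::vector<Entry> sorted = m_entries;
        std::sort(sorted.begin(), sorted.end(),
                  [](const Entry& a, const Entry& b) { return a.offset < b.offset; });
        std::vector<std::string> keys;
        for (const Entry& e : sorted)
            keys.push_back(e.key);
        return keys;
    }

    bool offsetOrderMatchesInsertionOrder() const {
        return keysInOffsetOrder() == keysInInsertionOrder();
    }

private:
    std::vector<Entry> m_entries;            // live properties, insertion order
    std::vector<unsigned> m_deletedOffsets;  // free list of reusable slots
    unsigned m_nextOffset = 0;
    unsigned m_deleteCount = 0;
    bool m_hadDeletedOffset = false;
};

// Scenario: delete a middle property, then add another. The new property reuses
// the freed offset, so offset order (a, d, c) disagrees with insertion order
// (a, c, d); an offset-keyed enumeration cache would now report the wrong order.
bool offsetReuseBreaksOffsetOrder() {
    PropertyTableModel table;
    table.add("a");
    table.add("b");
    table.add("c");
    table.remove("b");
    unsigned reused = table.add("d");
    return reused == 1 && table.hadDeletedOffset() && !table.offsetOrderMatchesInsertionOrder();
}
```

The model makes the two halves of the entry concrete: reuse of deleted offsets is what keeps the object out of dictionary mode, and `hadDeletedOffset()` is the bit that tells the enumeration path it must walk insertion order rather than cached offsets.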
1056
1057 2014-04-25  Andreas Kling  <akling@apple.com>
1058
1059         Inline (C++) GetByVal with numeric indices more aggressively.
1060         <https://webkit.org/b/132218>
1061
1062         We were already inlining the string indexed GetByVal path pretty well,
1063         while the path for numeric indices got neglected. No more!
1064
1065         ~9.5% improvement on Dromaeo/dom-traverse.html on my MBP:
1066
1067             Before: 199.50 runs/s
1068              After: 218.58 runs/s
1069
1070         Reviewed by Phil Pizlo.
1071
1072         * dfg/DFGOperations.cpp:
1073         * runtime/JSCJSValueInlines.h:
1074         (JSC::JSValue::get):
1075
1076             ALWAYS_INLINE all the things.
1077
1078         * runtime/JSObject.h:
1079         (JSC::JSObject::getPropertySlot):
1080
1081             Avoid fetching the Structure more than once. We have the same
1082             optimization in the string-indexed code path.
1083
1084 2014-04-25  Oliver Hunt  <oliver@apple.com>
1085
1086         Need earlier cell test
1087         https://bugs.webkit.org/show_bug.cgi?id=132211
1088
1089         Reviewed by Mark Lam.
1090
1091         Move cell test to before the function call repatch
1092         location, as the repatch logic for 32bit assumes that the
1093         caller will already have performed a cell check.
1094
1095         * jit/JITCall32_64.cpp:
1096         (JSC::JIT::compileOpCall):
1097
1098 2014-04-25  Andreas Kling  <akling@apple.com>
1099
1100         Un-fast-allocate JSGlobalObjectRareData because Windows doesn't build and I'm not in the mood.
1101
1102         * runtime/JSGlobalObject.h:
1103         (JSC::JSGlobalObject::JSGlobalObjectRareData::JSGlobalObjectRareData):
1104         (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData): Deleted.
1105
1106 2014-04-25  Andreas Kling  <akling@apple.com>
1107
1108         Windows build fix attempt.
1109
1110         * runtime/JSGlobalObject.h:
1111         (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData):
1112
1113 2014-04-25  Mark Lam  <mark.lam@apple.com>
1114
1115         Refactor debugging code to use BreakpointActions instead of Vector<ScriptBreakpointAction>.
1116         <https://webkit.org/b/132201>
1117
1118         Reviewed by Joseph Pecoraro.
1119
1120         BreakpointActions is Vector<ScriptBreakpointAction>.  Let's just consistently use
1121         BreakpointActions everywhere.
1122
1123         * inspector/ScriptBreakpoint.h:
1124         (Inspector::ScriptBreakpoint::ScriptBreakpoint):
1125         * inspector/ScriptDebugServer.cpp:
1126         (Inspector::ScriptDebugServer::setBreakpoint):
1127         (Inspector::ScriptDebugServer::getActionsForBreakpoint):
1128         * inspector/ScriptDebugServer.h:
1129         * inspector/agents/InspectorDebuggerAgent.cpp:
1130         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
1131         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1132         (Inspector::InspectorDebuggerAgent::setBreakpoint):
1133         (Inspector::InspectorDebuggerAgent::removeBreakpoint):
1134         * inspector/agents/InspectorDebuggerAgent.h:
1135
1136 2014-04-24  Filip Pizlo  <fpizlo@apple.com>
1137
1138         DFG worklist scanning should not treat the key as a separate entity
1139         https://bugs.webkit.org/show_bug.cgi?id=132167
1140
1141         Reviewed by Mark Hahnenberg.
1142         
1143         This simplifies the interface to the GC and will enable more optimizations.
1144
1145         * dfg/DFGCompilationKey.cpp:
1146         (JSC::DFG::CompilationKey::visitChildren): Deleted.
1147         * dfg/DFGCompilationKey.h:
1148         * dfg/DFGPlan.cpp:
1149         (JSC::DFG::Plan::visitChildren):
1150         * dfg/DFGWorklist.cpp:
1151         (JSC::DFG::Worklist::visitChildren):
1152
1153 2014-04-25  Oliver Hunt  <oliver@apple.com>
1154
1155         Remove unused parameter from codeblock linking function
1156         https://bugs.webkit.org/show_bug.cgi?id=132199
1157
1158         Reviewed by Anders Carlsson.
1159
1160         No change in behaviour. This is just a small change to make it
1161         slightly easier to reason about what the offsets in UnlinkedFunctionExecutable
1162         actually mean.
1163
1164         * bytecode/UnlinkedCodeBlock.cpp:
1165         (JSC::UnlinkedFunctionExecutable::link):
1166         * bytecode/UnlinkedCodeBlock.h:
1167         * runtime/Executable.cpp:
1168         (JSC::ProgramExecutable::initializeGlobalProperties):
1169
1170 2014-04-25  Andreas Kling  <akling@apple.com>
1171
1172         Mark some things with WTF_MAKE_FAST_ALLOCATED.
1173         <https://webkit.org/b/132198>
1174
1175         Use FastMalloc for more things.
1176
1177         Reviewed by Anders Carlsson.
1178
1179         * builtins/BuiltinExecutables.h:
1180         * heap/GCThreadSharedData.h:
1181         * inspector/JSConsoleClient.h:
1182         * inspector/agents/InspectorAgent.h:
1183         * runtime/CodeCache.h:
1184         * runtime/JSGlobalObject.h:
1185         * runtime/Lookup.cpp:
1186         (JSC::HashTable::createTable):
1187         (JSC::HashTable::deleteTable):
1188         * runtime/WeakGCMap.h:
1189
1190 2014-04-25  Antoine Quint  <graouts@webkit.org>
1191
1192         Implement Array.prototype.find()
1193         https://bugs.webkit.org/show_bug.cgi?id=130966
1194
1195         Reviewed by Oliver Hunt.
1196
1197         Implement Array.prototype.find() and Array.prototype.findIndex() as proposed in the Harmony spec.
1198
1199         * builtins/Array.prototype.js:
1200         (find):
1201         (findIndex):
1202         * runtime/ArrayPrototype.cpp:
1203
1204 2014-04-24  Brady Eidson  <beidson@apple.com>
1205
1206         Rename "IMAGE_CONTROLS" feature to "SERVICE_CONTROLS"
1207         https://bugs.webkit.org/show_bug.cgi?id=132155
1208
1209         Reviewed by Tim Horton.
1210
1211         * Configurations/FeatureDefines.xcconfig:
1212
1213 2014-04-24  Michael Saboff  <msaboff@apple.com>
1214
1215         REGRESSION: Apparent hang of PCE.js Mac OS System 7.0.1 on ARM64 devices
1216         https://bugs.webkit.org/show_bug.cgi?id=132147
1217
1218         Reviewed by Mark Lam.
1219
1220         Fixed or64(), eor32( ) and eor64() to use "src" register when we have a valid logicalImm.
1221
1222         * assembler/MacroAssemblerARM64.h:
1223         (JSC::MacroAssemblerARM64::or64):
1224         (JSC::MacroAssemblerARM64::xor32):
1225         (JSC::MacroAssemblerARM64::xor64):
1226         * tests/stress/regress-132147.js: Added test.
1227
1228 2014-04-24  Mark Lam  <mark.lam@apple.com>
1229
1230         Make slowPathAllocsBetweenGCs a runtime option.
1231         <https://webkit.org/b/132137>
1232
1233         Reviewed by Mark Hahnenberg.
1234
1235         This will make it easier to more casually run tests with this configuration
1236         as well as to reproduce issues (instead of requiring a code mod and rebuild).
1237         We will now take --slowPathAllocsBetweenGCs=N where N is the number of
1238         slow path allocations before we trigger a collection.
1239
1240         The option defaults to 0, which is reserved to mean that we will not trigger
1241         any collections there.
1242
1243         * heap/Heap.h:
1244         * heap/MarkedAllocator.cpp:
1245         (JSC::MarkedAllocator::doTestCollectionsIfNeeded):
1246         (JSC::MarkedAllocator::allocateSlowCase):
1247         * heap/MarkedAllocator.h:
1248         * runtime/Options.h:
1249
1250 2014-04-23  Mark Lam  <mark.lam@apple.com>
1251
1252         The GC should only resume compiler threads that it suspended in the same GC pass.
1253         <https://webkit.org/b/132088>
1254
1255         Reviewed by Mark Hahnenberg.
1256
1257         Previously, this scenario could occur:
1258         1. Thread 1 starts a GC and tries to suspend DFG worklist threads.  However,
1259            no worklists were created yet at that time.
1260         2. Thread 2 starts to compile some functions and creates a DFG worklist, and
1261            acquires the worklist thread's lock.
1262         3. Thread 1's GC completes and tries to resume suspended DFG worklist thread.
1263            This time, it sees the worklist created by Thread 2 and ends up unlocking
1264            the worklist thread's lock that is supposedly held by Thread 2.
1265         Thereafter, chaos ensues.
1266
1267         The fix is to cache the worklists that were actually suspended by each GC pass,
1268         and only resume those when the GC is done.
1269
1270         This issue was discovered by enabling COLLECT_ON_EVERY_ALLOCATION and running
1271         the fast/workers layout tests.
1272
1273         * heap/Heap.cpp:
1274         (JSC::Heap::visitCompilerWorklists):
1275         (JSC::Heap::deleteAllCompiledCode):
1276         (JSC::Heap::suspendCompilerThreads):
1277         (JSC::Heap::resumeCompilerThreads):
1278         * heap/Heap.h:
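
The interleaving and the fix from the entry above, replayed as an added single-threaded model; this is not JavaScriptCore's Heap or Worklist code. The lock type, `OwnedLock`, is constructed so that releasing a lock one does not hold is reported and counted instead of being the undefined behaviour it would be on a real mutex; `GcPass` carries both the old resume strategy (re-scan the registry) and the fixed one (resume only what this pass cached during suspension) so the difference is visible in the result.

```cpp
#include <memory>
#include <vector>

// Constructed lock that records its owner. A release by a non-owner is refused
// and reported; on a real pthread mutex it would silently corrupt the lock.
enum class Owner { None, Gc, Compiler };

struct OwnedLock {
    Owner owner = Owner::None;

    bool acquire(Owner who) {
        if (owner != Owner::None)
            return false;
        owner = who;
        return true;
    }

    // Returns false, leaving the lock untouched, when `who` is not the owner.
    bool release(Owner who) {
        if (owner != who)
            return false;
        owner = Owner::None;
        return true;
    }
};

// Stand-in for a DFG worklist: the compiler thread holds `lock` while it runs.
struct Worklist {
    OwnedLock lock;
};

// Worklists are created lazily by whichever thread first needs one, which is
// what opens the window described in the entry.
struct WorklistRegistry {
    std::vector<std::unique_ptr<Worklist>> worklists;

    Worklist& create() {
        worklists.push_back(std::make_unique<Worklist>());
        return *worklists.back();
    }
};

// One GC pass, with both resume strategies side by side.
class GcPass {
public:
    explicit GcPass(WorklistRegistry& registry) : m_registry(registry) {}

    // Suspend every worklist that exists right now and remember which ones.
    size_t suspendCompilerThreads() {
        for (auto& w : m_registry.worklists)
            if (w->lock.acquire(Owner::Gc))
                m_suspended.push_back(w.get());
        return m_suspended.size();
    }

    // Pre-fix behaviour: re-scan the registry and release everything in it.
    // Returns how many releases targeted a lock this pass never acquired.
    size_t resumeAllRegisteredWorklists() {
        size_t bad = 0;
        for (auto& w : m_registry.worklists)
            if (!w->lock.release(Owner::Gc))
                ++bad;
        m_suspended.clear();
        return bad;
    }

    // Fixed behaviour: release only the locks cached during suspension.
    size_t resumeSuspendedWorklists() {
        size_t bad = 0;
        for (Worklist* w : m_suspended)
            if (!w->lock.release(Owner::Gc))
                ++bad;
        m_suspended.clear();
        return bad;
    }

private:
    WorklistRegistry& m_registry;
    std::vector<Worklist*> m_suspended;  // what this pass actually locked
};

struct Outcome {
    size_t badUnlocks;       // release attempts on a lock the GC did not hold
    bool compilerStillOwns;  // thread 2's lock intact after the GC pass
};

// Replays the three-step interleaving from the entry on a single thread.
Outcome runScenario(bool useFix) {
    WorklistRegistry registry;
    GcPass gc(registry);

    gc.suspendCompilerThreads();          // 1. GC starts; no worklists exist yet.
    Worklist& late = registry.create();   // 2. Thread 2 creates a worklist and
    late.lock.acquire(Owner::Compiler);   //    takes its lock to compile.
    size_t bad = useFix ? gc.resumeSuspendedWorklists()       // 3. GC completes.
                        : gc.resumeAllRegisteredWorklists();

    return Outcome{bad, late.lock.owner == Owner::Compiler};
}
```

With the old strategy the pass tries to release a lock it never took; with the fix the suspended set is empty, so the late worklist's lock is never touched. The same pattern (record exactly what you acquired, release exactly that) is what `suspendCompilerThreads`/`resumeCompilerThreads` in the entry's Heap.cpp changes implement.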
1279
1280 2014-04-23  Mark Hahnenberg  <mhahnenberg@apple.com>
1281
1282         Arguments::copyBackingStore needs to update m_registers in tandem with m_registerArray
1283         https://bugs.webkit.org/show_bug.cgi?id=132079
1284
1285         Reviewed by Michael Saboff.
1286
1287         Since we're moving the register backing store, we don't want to leave a dangling pointer into a random CopiedBlock.
1288
1289         Also added a test that previously triggered this bug.
1290
1291         * runtime/Arguments.cpp:
1292         (JSC::Arguments::copyBackingStore): D'oh!
1293         * tests/stress/arguments-copy-register-array-backing-store.js: Added.
1294         (foo):
1295         (bar):
1296
1297 2014-04-23  Mark Rowe  <mrowe@apple.com>
1298
1299         [Mac] REGRESSION (r164823): Building JavaScriptCore creates files under /tmp/JavaScriptCore.dst
1300         <https://webkit.org/b/132053>
1301
1302         Reviewed by Dan Bernstein.
1303
1304         * JavaScriptCore.xcodeproj/project.pbxproj: Don't try to create a symlink at /usr/local/bin/jsc inside
1305         the DSTROOT unless we're building to the deployment location. Also remove the unnecessary -x argument
1306         from /bin/sh since that generates unnecessary output.
1307
1308 2014-04-22  Mark Lam  <mark.lam@apple.com>
1309
1310         DFG::Worklist should acquire the m_lock before iterating DFG plans.
1311         <https://webkit.org/b/132032>
1312
1313         Reviewed by Filip Pizlo.
1314
1315         Currently, there's a rightToRun mechanism that ensures that no compilation
1316         threads are running when the GC is iterating through the DFG worklists.
1317         However, this does not prevent a Worker thread from doing a DFG compilation
1318         and modifying the plans in the worklists thereby invalidating the plan
1319         iterator that the GC is using.  This patch fixes the issue by acquiring
1320         the worklist m_lock before iterating the worklist plans.
1321
1322         This issue was uncovered by running the fast/workers layout tests with
1323         COLLECT_ON_EVERY_ALLOCATION enabled.
1324
1325         * dfg/DFGWorklist.cpp:
1326         (JSC::DFG::Worklist::isActiveForVM):
1327         (JSC::DFG::Worklist::visitChildren):
1328
1329 2014-04-22  Brent Fulgham  <bfulgham@apple.com>
1330
1331         [Win] Support Python 2.7 in Cygwin
1332         https://bugs.webkit.org/show_bug.cgi?id=132023
1333
1334         Reviewed by Michael Saboff.
1335
1336         * DerivedSources.make: Use a conditional variable to define
1337         the path to Python/Perl.
1338
1339 2014-04-22  Filip Pizlo  <fpizlo@apple.com>
1340
1341         Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS
1342         https://bugs.webkit.org/show_bug.cgi?id=130867
1343         <rdar://problem/16432456> 
1344
1345         Reviewed by Mark Hahnenberg.
1346
1347         * Configurations/Base.xcconfig:
1348         * Configurations/LLVMForJSC.xcconfig:
1349
1350 2014-04-22  Alex Christensen  <achristensen@webkit.org>
1351
1352         [Win] Unreviewed build fix after my r167666.
1353
1354         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
1355         Added ../../../ again to include headers in Source/JavaScriptCore.
1356
1357 2014-04-22  Alex Christensen  <achristensen@webkit.org>
1358
1359         Removed old stdbool and inttypes headers.
1360         https://bugs.webkit.org/show_bug.cgi?id=131966
1361
1362         Reviewed by Brent Fulgham.
1363
1364         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
1365         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
1366         Removed references to os-win32 directory.
1367         * os-win32: Removed.
1368         * os-win32/inttypes.h: Removed.
1369         * os-win32/stdbool.h: Removed.
1370
1371 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
1372
1373         DFG::clobberize() should honestly admit that profiler and debugger nodes are effectful
1374         https://bugs.webkit.org/show_bug.cgi?id=131971
1375         <rdar://problem/16676511>
1376
1377         Reviewed by Mark Lam.
1378
1379         * dfg/DFGClobberize.h:
1380         (JSC::DFG::clobberize):
1381
1382 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
1383
1384         Switch statements that skip the baseline JIT should work
1385         https://bugs.webkit.org/show_bug.cgi?id=131965
1386
1387         Reviewed by Mark Hahnenberg.
1388
1389         * bytecode/JumpTable.h:
1390         (JSC::SimpleJumpTable::ensureCTITable):
1391         * dfg/DFGSpeculativeJIT.cpp:
1392         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1393         * jit/JITOpcodes.cpp:
1394         (JSC::JIT::emit_op_switch_imm):
1395         (JSC::JIT::emit_op_switch_char):
1396         * jit/JITOpcodes32_64.cpp:
1397         (JSC::JIT::emit_op_switch_imm):
1398         (JSC::JIT::emit_op_switch_char):
1399         * tests/stress/inline-llint-with-switch.js: Added.
1400         (foo):
1401         (bar):
1402         (test):
1403
1404 2014-04-21  Mark Hahnenberg  <mhahnenberg@apple.com>
1405
1406         Arguments objects shouldn't need a destructor
1407         https://bugs.webkit.org/show_bug.cgi?id=131899
1408
1409         Reviewed by Oliver Hunt.
1410
1411         This patch rids Arguments objects of their destructors. It does this by 
1412         switching their backing stores to use CopiedSpace rather than malloc memory.
1413
1414         * dfg/DFGSpeculativeJIT.cpp:
1415         (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Fix the code emitted for inline
1416         Arguments allocation so that it only emits an extra write for strict mode code rather
1417         than unconditionally.
1418         * heap/CopyToken.h: New CopyTokens for the two different types of Arguments backing stores.
1419         * runtime/Arguments.cpp:
1420         (JSC::Arguments::visitChildren): We need to tell the collector to copy the back stores now.
1421         (JSC::Arguments::copyBackingStore): Do the actual copying of the backing stores.
1422         (JSC::Arguments::deletePropertyByIndex): Update all the accesses to SlowArgumentData and m_registerArray.
1423         (JSC::Arguments::deleteProperty):
1424         (JSC::Arguments::defineOwnProperty):
1425         (JSC::Arguments::allocateRegisterArray):
1426         (JSC::Arguments::tearOff):
1427         (JSC::Arguments::destroy): Deleted. We don't need the destructor any more.
1428         * runtime/Arguments.h:
1429         (JSC::Arguments::registerArraySizeInBytes):
1430         (JSC::Arguments::SlowArgumentData::SlowArgumentData): Switch SlowArgumentData to being allocated
1431         in CopiedSpace. Now the SlowArgumentData and its backing store are a single contiguous CopiedSpace
1432         allocation.
1433         (JSC::Arguments::SlowArgumentData::slowArguments):
1434         (JSC::Arguments::SlowArgumentData::bytecodeToMachineCaptureOffset):
1435         (JSC::Arguments::SlowArgumentData::setBytecodeToMachineCaptureOffset):
1436         (JSC::Arguments::SlowArgumentData::sizeForNumArguments):
1437         (JSC::Arguments::Arguments):
1438         (JSC::Arguments::allocateSlowArguments):
1439         (JSC::Arguments::tryDeleteArgument):
1440         (JSC::Arguments::isDeletedArgument):
1441         (JSC::Arguments::isArgument):
1442         (JSC::Arguments::argument):
1443         (JSC::Arguments::finishCreation):
1444         * runtime/SymbolTable.h:
1445
1446 2014-04-21  Eric Carlson  <eric.carlson@apple.com>
1447
1448         [Mac] implement WebKitDataCue
1449         https://bugs.webkit.org/show_bug.cgi?id=131799
1450
1451         Reviewed by Dean Jackson.
1452
1453         * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.
1454
1455 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
1456
1457         Unreviewed test gardening, run the repeat-out-of-bounds tests again.
1458
1459         * tests/stress/float32-repeat-out-of-bounds.js:
1460         * tests/stress/int8-repeat-out-of-bounds.js:
1461
1462 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
1463
1464         OSR exit should know about Int52 and Double constants
1465         https://bugs.webkit.org/show_bug.cgi?id=131945
1466
1467         Reviewed by Oliver Hunt.
1468         
1469         The DFG OSR exit machinery's ignorance would lead to some constants becoming
1470         jsUndefined() after OSR exit.
1471         
1472         The FTL OSR exit machinery's ignorance just meant that we would sometimes use a
1473         stackmap constant rather than baking the constant into the OSRExit data structure.
1474         So, not a big deal, but worth fixing.
1475         
1476         Also added some helpful hacks to jsc.cpp for testing such OSR exit pathologies.
1477
1478         * dfg/DFGByteCodeParser.cpp:
1479         (JSC::DFG::ByteCodeParser::handleIntrinsic):
1480         * dfg/DFGMinifiedNode.h:
1481         (JSC::DFG::belongsInMinifiedGraph):
1482         (JSC::DFG::MinifiedNode::hasConstantNumber):
1483         * ftl/FTLLowerDFGToLLVM.cpp:
1484         (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
1485         * jsc.cpp:
1486         (GlobalObject::finishCreation):
1487         (functionOtherFalse):
1488         (functionUndefined):
1489         * runtime/Intrinsic.h:
1490         * tests/stress/fold-to-double-constant-then-exit.js: Added.
1491         (foo):
1492         * tests/stress/fold-to-int52-constant-then-exit.js: Added.
1493         (foo):
1494
1495 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
1496
1497         Provide feedback when we encounter an unrecognized node in the FTL backend.
1498
1499         Rubber stamped by Alexey Proskuryakov.
1500
1501         * ftl/FTLLowerDFGToLLVM.cpp:
1502         (JSC::FTL::LowerDFGToLLVM::compileNode):
1503
1504 2014-04-21  Andreas Kling  <akling@apple.com>
1505
1506         Move the JSString cache from DOMWrapperWorld to VM.
1507         <https://webkit.org/b/131940>
1508
1509         Reviewed by Geoff Garen.
1510
1511         * runtime/VM.h:
1512
1513 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
1514
1515         Take block execution count estimates into account when voting double
1516         https://bugs.webkit.org/show_bug.cgi?id=131906
1517
1518         Reviewed by Geoffrey Garen.
1519         
1520         This was a drama in three acts.
1521         
1522         Act I: Slurp in BasicBlock::executionCount and use it as a weight when counting the
1523             number of uses of a variable that want double or non-double. Easy as pie. This
1524             gave me a huge speed-up on FloatMM and a huge slow-down on basically everything
1525             else.
1526         
1527         Act II: Realize that there were some programs where our previous double voting was
1528             just on the edge of disaster and making it more precise tipped it over. In
1529             particular, if you had an integer variable that would infrequently be used in a
1530             computation that resulted in a variable that was frequently used as an array index,
1531             the outer infrequentness would be the thing we'd use in the vote. So, an array
1532             index would become double. We fix this by reviving global backwards propagation
1533             and introducing the concept of ReallyWantsInt, which is used just for array
1534             indices. Any variable transitively flagged as ReallyWantsInt will never be forced
1535             double. We need that flag to be separate from UsedAsInt, since UsedAsInt needs to
1536             be set in bitops for RageConversion but using it for double forcing is too much.
1537             Basically, it's cheaper to have to convert a double to an int for a bitop than it
1538             is to convert a double to an int for an array index; also a variable being used as
1539             an array index is a much stronger hint that it ought to be an int. This recovered
1540             performance on everything except programs that used FTL OSR entry.
1541         
1542         Act III: Realize that OSR entrypoint creation creates blocks that have NaN execution
1543             count, which then completely pollutes the weighting - essentially all votes go
1544             NaN. Fix this with some surgical defenses. Basically, any client of execution
1545             counts should allow for them to be NaN and shouldn't completely fall off a cliff
1546             when it happens.
1547         
1548         This is awesome. 75% speed-up on FloatMM. 11% speed-up on audio-dft. This leads to
1549         7% speed-up on AsmBench and 2% speed-up on Kraken.
1550
1551         * CMakeLists.txt:
1552         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1553         * JavaScriptCore.xcodeproj/project.pbxproj:
1554         * dfg/DFGBackwardsPropagationPhase.cpp:
1555         (JSC::DFG::BackwardsPropagationPhase::run):
1556         (JSC::DFG::BackwardsPropagationPhase::propagate):
1557         * dfg/DFGGraph.cpp:
1558         (JSC::DFG::Graph::dumpBlockHeader):
1559         * dfg/DFGGraph.h:
1560         (JSC::DFG::Graph::voteNode):
1561         (JSC::DFG::Graph::voteChildren):
1562         * dfg/DFGNodeFlags.cpp:
1563         (JSC::DFG::dumpNodeFlags):
1564         * dfg/DFGNodeFlags.h:
1565         * dfg/DFGOSREntrypointCreationPhase.cpp:
1566         (JSC::DFG::OSREntrypointCreationPhase::run):
1567         * dfg/DFGPlan.cpp:
1568         (JSC::DFG::Plan::compileInThreadImpl):
1569         * dfg/DFGPredictionPropagationPhase.cpp:
1570         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
1571         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
1572         * dfg/DFGVariableAccessData.cpp: Added.
1573         (JSC::DFG::VariableAccessData::VariableAccessData):
1574         (JSC::DFG::VariableAccessData::mergeIsCaptured):
1575         (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox):
1576         (JSC::DFG::VariableAccessData::predict):
1577         (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction):
1578         (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
1579         (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
1580         (JSC::DFG::VariableAccessData::mergeDoubleFormatState):
1581         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
1582         (JSC::DFG::VariableAccessData::flushFormat):
1583         * dfg/DFGVariableAccessData.h:
1584         (JSC::DFG::VariableAccessData::vote):
1585         (JSC::DFG::VariableAccessData::VariableAccessData): Deleted.
1586         (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
1587         (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox): Deleted.
1588         (JSC::DFG::VariableAccessData::predict): Deleted.
1589         (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction): Deleted.
1590         (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote): Deleted.
1591         (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat): Deleted.
1592         (JSC::DFG::VariableAccessData::mergeDoubleFormatState): Deleted.
1593         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat): Deleted.
1594         (JSC::DFG::VariableAccessData::flushFormat): Deleted.
1595
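        As an added illustration of the three acts above (a constructed model, not JSC's DFG code; the enum and struct names, the tie-break rule and the choice to clamp a NaN execution count to a neutral weight of 1 are assumptions):

```cpp
#include <cmath>
#include <limits>
#include <vector>

// Constructed model of the weighted double-format vote described in the entry.
// Names and exact rules are assumptions, not JSC's implementation.
enum class Vote { Double, Value };

// One use of a variable: the format the use wants, and the estimated execution
// count of the basic block that contains the use.
struct Use {
    Vote vote;
    double blockExecutionCount;
};

struct VotingPolicy {
    bool weightByExecutionCount; // Act I: weight each vote by its block's count
    bool guardNaNCounts;         // Act III: tolerate NaN counts from OSR entry blocks
};

struct VariableVotes {
    double doubleWeight = 0;
    double valueWeight = 0;
    // Act II: set transitively for array indices; never forced double.
    bool reallyWantsInt = false;
};

// Blocks created by OSR entrypoint creation carry a NaN execution count. Once a
// NaN is added to a tally, every later comparison on it is false, so the guard
// clamps it to a neutral weight (assumed to be 1).
double voteWeight(double blockExecutionCount, const VotingPolicy& policy) {
    if (!policy.weightByExecutionCount)
        return 1;
    if (policy.guardNaNCounts && std::isnan(blockExecutionCount))
        return 1;
    return blockExecutionCount;
}

void tallyVotes(VariableVotes& votes, const std::vector<Use>& uses, const VotingPolicy& policy) {
    for (const Use& use : uses) {
        double weight = voteWeight(use.blockExecutionCount, policy);
        if (use.vote == Vote::Double)
            votes.doubleWeight += weight;
        else
            votes.valueWeight += weight;
    }
}

// The ReallyWantsInt override wins regardless of the weighted tally; otherwise
// double format needs strictly more weight than value format.
bool shouldUseDoubleFormat(const VariableVotes& votes) {
    if (votes.reallyWantsInt)
        return false;
    return votes.doubleWeight > votes.valueWeight;
}

bool decideDoubleFormat(const std::vector<Use>& uses, bool reallyWantsInt, VotingPolicy policy) {
    VariableVotes votes;
    votes.reallyWantsInt = reallyWantsInt;
    tallyVotes(votes, uses, policy);
    return shouldUseDoubleFormat(votes);
}
```

        With a single hot double use against three cold value uses, the unweighted vote picks value format and the weighted vote picks double; an unguarded NaN count turns the whole tally into NaN, which reads as "not double".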
1596 2014-04-21  Michael Saboff  <msaboff@apple.com>
1597
1598         REGRESSION(r167591): ARM64 and ARM traditional builds broken
1599         https://bugs.webkit.org/show_bug.cgi?id=131935
1600
1601         Reviewed by Mark Hahnenberg.
1602
1603         Added store8(TrustedImm32, MacroAssembler::Address) to the ARM traditional and ARM64
1604         macro assemblers.  Added a new test for the original patch.
1605
1606         * assembler/MacroAssemblerARM.h:
1607         (JSC::MacroAssemblerARM::store8):
1608         * assembler/MacroAssemblerARM64.h:
1609         (JSC::MacroAssemblerARM64::store8):
1610         * tests/stress/dfg-create-arguments-inline-alloc.js: New test.
1611
1612 2014-04-21  Mark Hahnenberg  <mhahnenberg@apple.com>
1613
1614         Inline allocate Arguments objects in the DFG
1615         https://bugs.webkit.org/show_bug.cgi?id=131897
1616
1617         Reviewed by Geoffrey Garen.
1618
1619         Many libraries/frameworks depend on the arguments object for overloaded API entry points. 
1620         This is the first step to making Arguments fast(er). We'll duplicate the logic in Arguments::create 
1621         for now and take the slow path for complicated cases like slow arguments, tearing off for strict mode, etc.
1622
1623         * dfg/DFGSpeculativeJIT.cpp:
1624         (JSC::DFG::SpeculativeJIT::emitAllocateArguments):
1625         * dfg/DFGSpeculativeJIT.h:
1626         (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
1627         * dfg/DFGSpeculativeJIT32_64.cpp:
1628         (JSC::DFG::SpeculativeJIT::compile):
1629         * dfg/DFGSpeculativeJIT64.cpp:
1630         (JSC::DFG::SpeculativeJIT::compile):
1631         * runtime/Arguments.h:
1632         (JSC::Arguments::offsetOfActivation):
1633         (JSC::Arguments::offsetOfOverrodeLength):
1634         (JSC::Arguments::offsetOfIsStrictMode):
1635         (JSC::Arguments::offsetOfRegisterArray):
1636         (JSC::Arguments::offsetOfCallee):
1637         (JSC::Arguments::allocationSize):
1638
1639 2014-04-20  Andreas Kling  <akling@apple.com>
1640
1641         Speed up jsStringWithCache() through WeakGCMap inlining.
1642         <https://webkit.org/b/131923>
1643
1644         Always inline WeakGCMap::add() but move the slow garbage collecting
1645         path out-of-line.
1646
1647         Reviewed by Darin Adler.
1648
1649         * runtime/WeakGCMap.h:
1650         (JSC::WeakGCMap::add):
1651         (JSC::WeakGCMap::gcMap):
1652
1653 2014-04-20  László Langó  <llango.u-szeged@partner.samsung.com>
1654
1655         JavaScriptCore: ARM build fix after r167094.
1656         https://bugs.webkit.org/show_bug.cgi?id=131612
1657
1658         Reviewed by Michael Saboff.
1659
1660         After r167094 there are many build errors on ARM like these:
1661
1662             /tmp/ccgtHRno.s:370: Error: invalid constant (425a) after fixup
1663             /tmp/ccgtHRno.s:374: Error: invalid constant (426e) after fixup
1664             /tmp/ccgtHRno.s:378: Error: invalid constant (4282) after fixup
1665             /tmp/ccgtHRno.s:382: Error: invalid constant (4296) after fixup
1666
1667         The problem is caused by wrongly generated assembly like:
1668             "\tmov r2, (" LOCAL_LABEL_STRING(llint_op_strcat) " - " LOCAL_LABEL_STRING(relativePCBase) ")\n" // /home/webkit/WebKit/Source/JavaScriptCore/llint/LowLevelInterpreter.asm:741
1669
1670         `mov` can only move an 8-bit immediate, but not every constant fits into 8 bits. Clang converts
1671         the mov to a single movw or a movw and a movt, depending on the immediate, but binutils doesn't.
1672         Add a new ARM-specific offline assembler instruction (`mvlbl`) for the following llint_entry
1673         use case: move rn, (label1-label2), which is translated to movw and movt.
1674
1675         * llint/LowLevelInterpreter.asm:
1676         * offlineasm/arm.rb:
1677         * offlineasm/instructions.rb:
1678
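        As an added example of why binutils rejected those constants and why a movw/movt pair does not have the problem (my own code, not WebKit's offlineasm; it assumes the ARM traditional build uses the A32 data-processing immediate form, an 8-bit value rotated right by an even amount, and the constants 0x425a, 0x426e, 0x4282 and 0x4296 are the ones from the errors above):

```cpp
#include <cstdint>

// Result of trying to encode a constant as an A32 data-processing immediate:
// an 8-bit value rotated right by an even amount in [0, 30].
struct ArmImmediate {
    bool encodable;
    uint8_t imm8;
    unsigned rotation; // right-rotation applied to imm8 to rebuild the value
};

static uint32_t rotateLeft32(uint32_t value, unsigned amount) {
    amount &= 31;
    if (!amount)
        return value;
    return (value << amount) | (value >> (32 - amount));
}

// Tries the 16 legal rotations. Rotating the value left by `rot` undoes the
// right rotation the encoding would apply, so the result must fit in 8 bits.
// The constants from the build errors span 14 bits and never fit, which is
// what binutils reports as "invalid constant ... after fixup".
ArmImmediate encodeArmImmediate(uint32_t value) {
    for (unsigned rot = 0; rot < 32; rot += 2) {
        uint32_t unrotated = rotateLeft32(value, rot);
        if (unrotated <= 0xFF)
            return ArmImmediate{true, static_cast<uint8_t>(unrotated), rot};
    }
    return ArmImmediate{false, 0, 0};
}

// The pair `mvlbl` expands to: movw writes the low 16 bits and zero-extends,
// movt writes the high 16 bits. Any 32-bit constant can be built this way, so
// the encodability question above does not arise.
struct MovwMovt {
    uint16_t movw;
    uint16_t movt;
};

MovwMovt splitForMovwMovt(uint32_t value) {
    return MovwMovt{static_cast<uint16_t>(value & 0xFFFF), static_cast<uint16_t>(value >> 16)};
}

// Reassembles the register contents the pair produces, for checking.
uint32_t materialise(const MovwMovt& pair) {
    return (static_cast<uint32_t>(pair.movt) << 16) | pair.movw;
}
```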
1679 2014-04-20  Csaba Osztrogonác  <ossy@webkit.org>
1680
1681         [ARM] Unreviewed build fix after r167336.
1682
1683         * assembler/MacroAssemblerARM.h:
1684         (JSC::MacroAssemblerARM::branchAdd32):
1685
1686 2014-04-20  Commit Queue  <commit-queue@webkit.org>
1687
1688         Unreviewed, rolling out r167501.
1689         https://bugs.webkit.org/show_bug.cgi?id=131913
1690
1691         It broke DYEBench (Requested by mhahnenberg on #webkit).
1692
1693         Reverted changeset:
1694
1695         "Deleting properties poisons objects"
1696         https://bugs.webkit.org/show_bug.cgi?id=131551
1697         http://trac.webkit.org/changeset/167501
1698
1699 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
1700
1701         It should be OK to store new fields into objects that have no prototypes
1702         https://bugs.webkit.org/show_bug.cgi?id=131905
1703
1704         Reviewed by Mark Hahnenberg.
1705
1706         * dfg/DFGByteCodeParser.cpp:
1707         (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
1708         * tests/stress/put-by-id-transition-null-prototype.js: Added.
1709         (foo):
1710
1711 2014-04-19  Benjamin Poulain  <bpoulain@apple.com>
1712
1713         Make the CSS JIT compile for ARM64
1714         https://bugs.webkit.org/show_bug.cgi?id=131834
1715
1716         Reviewed by Gavin Barraclough.
1717
1718         Extend the ARM64 MacroAssembler to support the code generation required by
1719         the CSS JIT.
1720
1721         * assembler/MacroAssembler.h:
1722         * assembler/MacroAssemblerARM64.h:
1723         (JSC::MacroAssemblerARM64::addPtrNoFlags):
1724         (JSC::MacroAssemblerARM64::or32):
1725         (JSC::MacroAssemblerARM64::branchPtr):
1726         (JSC::MacroAssemblerARM64::test32):
1727         (JSC::MacroAssemblerARM64::branch):
1728         * assembler/MacroAssemblerX86Common.h:
1729         (JSC::MacroAssemblerX86Common::test32):
1730
1731 2014-04-19  Andreas Kling  <akling@apple.com>
1732
1733         Two little shortcuts to the JSType.
1734         <https://webkit.org/b/131896>
1735
1736         Tweak two sites that take the long road through JSCell::structure()->typeInfo()
1737         to look at data that's already in JSCell::type().
1738
1739         Reviewed by Darin Adler.
1740
1741         * runtime/NameInstance.h:
1742         (JSC::isName):
1743         * runtime/NumberPrototype.cpp:
1744         (JSC::toThisNumber):
1745
1746 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
1747
1748         Make it easier to check if an integer sum would overflow
1749         https://bugs.webkit.org/show_bug.cgi?id=131900
1750
1751         Reviewed by Darin Adler.
1752
1753         * dfg/DFGOperations.cpp:
1754         * runtime/Operations.h:
1755         (JSC::jsString):
1756
1757 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
1758
1759         Address some feedback on https://bugs.webkit.org/show_bug.cgi?id=130684.
1760
1761         * dfg/DFGOperations.cpp:
1762         * runtime/JSString.h:
1763         (JSC::JSRopeString::RopeBuilder::append):
1764
1765 2014-04-18  Mark Lam  <mark.lam@apple.com>
1766
1767         REGRESSION(r164205): WebKit crash @StructureIDTable::get.
1768         <https://webkit.org/b/130539>
1769
1770         Reviewed by Geoffrey Garen.
1771
1772         prepareOSREntry() prepares for OSR entry by first copying the local var
1773         values from the baseline frame to a scratch buffer, which is then used
1774         to fill in the locals in their new position in the DFG frame.  Unfortunately,
1775         prepareOSREntry() was using the DFG frame's frameRegisterCount as the frame
1776         size of the baseline frame.  As a result, some values of locals in the
1777         baseline frame were not saved off, and the DFG frame may get initialized
1778         with random content that happened to be in the uninitialized (and possibly
1779         unallocated) portions of the scratch buffer.
1780
1781         The fix is to use OSREntryData::m_expectedValues.numberOfLocals() as the
1782         number of locals in the baseline frame that we want to copy to the scratch
1783         buffer.
1784
1785         Note: osrEntryThunkGenerator() is expecting the DFG frameRegisterCount
1786         at offset 0 in the scratch buffer.  So, we continue to write that value
1787         there, not the baseline frame size.
1788
1789         * dfg/DFGOSREntry.cpp:
1790         (JSC::DFG::prepareOSREntry):
1791
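        As an added model of the size mismatch this entry describes (constructed code, not JSC's prepareOSREntry(); the frame and entry-data structs, the uint64_t stand-in for a JSValue and the kUnwritten marker are assumptions, and the buffer is deliberately sized to numberOfLocals so the slots the buggy copy skips are observable rather than an out-of-bounds read):

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed model of the scratch-buffer copy in prepareOSREntry(). A JSValue
// is modelled as a uint64_t; kUnwritten marks a slot the copy never touched and
// stands in for whatever stale memory the real buffer happened to contain.
using EncodedJSValue = uint64_t;
constexpr EncodedJSValue kUnwritten = 0xBADBADBADBADBADBull;

struct BaselineFrame {
    std::vector<EncodedJSValue> locals;
};

struct OSREntryData {
    size_t numberOfLocals;        // m_expectedValues.numberOfLocals()
    size_t dfgFrameRegisterCount; // frame size of the DFG code being entered
};

// Copies `localsToCopy` locals into the scratch buffer. Slot 0 keeps carrying
// the DFG frameRegisterCount, which osrEntryThunkGenerator() reads at offset 0,
// so the copied locals start at slot 1.
std::vector<EncodedJSValue> buildScratchBuffer(const BaselineFrame& frame,
                                               const OSREntryData& entry,
                                               size_t localsToCopy) {
    std::vector<EncodedJSValue> scratch(1 + entry.numberOfLocals, kUnwritten);
    scratch[0] = entry.dfgFrameRegisterCount;
    for (size_t i = 0; i < localsToCopy && i < frame.locals.size(); ++i)
        scratch[1 + i] = frame.locals[i];
    return scratch;
}

// Regression: the DFG frameRegisterCount is used as the baseline frame size,
// so baseline locals beyond it are never saved off.
std::vector<EncodedJSValue> prepareOSREntryBuggy(const BaselineFrame& frame, const OSREntryData& entry) {
    return buildScratchBuffer(frame, entry, entry.dfgFrameRegisterCount);
}

// Fix: copy exactly the number of locals the entry data expects.
std::vector<EncodedJSValue> prepareOSREntryFixed(const BaselineFrame& frame, const OSREntryData& entry) {
    return buildScratchBuffer(frame, entry, entry.numberOfLocals);
}

// The DFG frame is filled from numberOfLocals scratch slots. Counts how many of
// those the copy left unwritten, i.e. how many DFG locals would be initialised
// from stale buffer content.
size_t countUnwrittenLocals(const std::vector<EncodedJSValue>& scratch, const OSREntryData& entry) {
    size_t unwritten = 0;
    for (size_t i = 0; i < entry.numberOfLocals; ++i) {
        if (scratch[1 + i] == kUnwritten)
            ++unwritten;
    }
    return unwritten;
}
```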
1792 2014-04-18  Timothy Hatcher  <timothy@apple.com>
1793
1794         Web Inspector: Move InspectorProfilerAgent to JavaScriptCore
1795         https://bugs.webkit.org/show_bug.cgi?id=131673
1796
1797         Passes existing profiler and inspector tests.
1798
1799         Reviewed by Joseph Pecoraro.
1800
1801         * CMakeLists.txt:
1802         * DerivedSources.make:
1803         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1804         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1805         * JavaScriptCore.xcodeproj/project.pbxproj:
1806         * inspector/JSConsoleClient.cpp:
1807         (Inspector::JSConsoleClient::JSConsoleClient):
1808         (Inspector::JSConsoleClient::profile):
1809         (Inspector::JSConsoleClient::profileEnd):
1810         (Inspector::JSConsoleClient::count): Deleted.
1811         * inspector/JSConsoleClient.h:
1812         * inspector/JSGlobalObjectInspectorController.cpp:
1813         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1814         * inspector/agents/InspectorProfilerAgent.cpp: Added.
1815         (Inspector::InspectorProfilerAgent::InspectorProfilerAgent):
1816         (Inspector::InspectorProfilerAgent::~InspectorProfilerAgent):
1817         (Inspector::InspectorProfilerAgent::addProfile):
1818         (Inspector::InspectorProfilerAgent::createProfileHeader):
1819         (Inspector::InspectorProfilerAgent::enable):
1820         (Inspector::InspectorProfilerAgent::disable):
1821         (Inspector::InspectorProfilerAgent::getUserInitiatedProfileName):
1822         (Inspector::InspectorProfilerAgent::getProfileHeaders):
1823         (Inspector::buildInspectorObject):
1824         (Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
1825         (Inspector::InspectorProfilerAgent::getCPUProfile):
1826         (Inspector::InspectorProfilerAgent::removeProfile):
1827         (Inspector::InspectorProfilerAgent::reset):
1828         (Inspector::InspectorProfilerAgent::didCreateFrontendAndBackend):
1829         (Inspector::InspectorProfilerAgent::willDestroyFrontendAndBackend):
1830         (Inspector::InspectorProfilerAgent::start):
1831         (Inspector::InspectorProfilerAgent::stop):
1832         (Inspector::InspectorProfilerAgent::setRecordingProfile):
1833         (Inspector::InspectorProfilerAgent::startProfiling):
1834         (Inspector::InspectorProfilerAgent::stopProfiling):
1835         * inspector/agents/InspectorProfilerAgent.h: Added.
1836         * inspector/agents/JSGlobalObjectProfilerAgent.cpp: Copied from Source/WebCore/inspector/ScriptProfile.idl.
1837         (Inspector::JSGlobalObjectProfilerAgent::JSGlobalObjectProfilerAgent):
1838         (Inspector::JSGlobalObjectProfilerAgent::profilingGlobalExecState):
1839         * inspector/agents/JSGlobalObjectProfilerAgent.h: Copied from Source/WebCore/inspector/ScriptProfile.idl.
1840         * inspector/protocol/Profiler.json: Renamed from Source/WebCore/inspector/protocol/Profiler.json.
1841         * profiler/Profile.h:
1842         * runtime/ConsoleClient.h:
1843
1844 2014-04-18  Commit Queue  <commit-queue@webkit.org>
1845
1846         Unreviewed, rolling out r167527.
1847         https://bugs.webkit.org/show_bug.cgi?id=131883
1848
1849         Broke 32-bit build (Requested by ap on #webkit).
1850
1851         Reverted changeset:
1852
1853         "[Mac] implement WebKitDataCue"
1854         https://bugs.webkit.org/show_bug.cgi?id=131799
1855         http://trac.webkit.org/changeset/167527
1856
1857 2014-04-18  Eric Carlson  <eric.carlson@apple.com>
1858
1859         [Mac] implement WebKitDataCue
1860         https://bugs.webkit.org/show_bug.cgi?id=131799
1861
1862         Reviewed by Dean Jackson.
1863
1864         * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.
1865
1866 2014-04-18  Filip Pizlo  <fpizlo@apple.com>
1867
1868         Actually address Mark's review feedback.
1869
1870         * dfg/DFGOSRExitCompilerCommon.cpp:
1871         (JSC::DFG::handleExitCounts):
1872
1873 2014-04-18  Filip Pizlo  <fpizlo@apple.com>
1874
1875         Options::maximumExecutionCountsBetweenCheckpoints() should be higher for DFG->FTL tier-up but the same for other tier-ups
1876         https://bugs.webkit.org/show_bug.cgi?id=131850
1877
1878         Reviewed by Mark Hahnenberg.
1879         
1880         Templatize ExecutionCounter to allow for two different styles of calculating the
1881         checkpoint threshold.
1882         
1883         Appears to be a slight speed-up on DYEBench.
1884
1885         * bytecode/CodeBlock.h:
1886         (JSC::CodeBlock::llintExecuteCounter):
1887         (JSC::CodeBlock::offsetOfJITExecuteCounter):
1888         (JSC::CodeBlock::offsetOfJITExecutionActiveThreshold):
1889         (JSC::CodeBlock::offsetOfJITExecutionTotalCount):
1890         (JSC::CodeBlock::jitExecuteCounter):
1891         * bytecode/ExecutionCounter.cpp:
1892         (JSC::ExecutionCounter<countingVariant>::ExecutionCounter):
1893         (JSC::ExecutionCounter<countingVariant>::forceSlowPathConcurrently):
1894         (JSC::ExecutionCounter<countingVariant>::checkIfThresholdCrossedAndSet):
1895         (JSC::ExecutionCounter<countingVariant>::setNewThreshold):
1896         (JSC::ExecutionCounter<countingVariant>::deferIndefinitely):
1897         (JSC::applyMemoryUsageHeuristics):
1898         (JSC::applyMemoryUsageHeuristicsAndConvertToInt):
1899         (JSC::ExecutionCounter<countingVariant>::hasCrossedThreshold):
1900         (JSC::ExecutionCounter<countingVariant>::setThreshold):
1901         (JSC::ExecutionCounter<countingVariant>::reset):
1902         (JSC::ExecutionCounter<countingVariant>::dump):
1903         (JSC::ExecutionCounter::ExecutionCounter): Deleted.
1904         (JSC::ExecutionCounter::forceSlowPathConcurrently): Deleted.
1905         (JSC::ExecutionCounter::checkIfThresholdCrossedAndSet): Deleted.
1906         (JSC::ExecutionCounter::setNewThreshold): Deleted.
1907         (JSC::ExecutionCounter::deferIndefinitely): Deleted.
1908         (JSC::ExecutionCounter::applyMemoryUsageHeuristics): Deleted.
1909         (JSC::ExecutionCounter::applyMemoryUsageHeuristicsAndConvertToInt): Deleted.
1910         (JSC::ExecutionCounter::hasCrossedThreshold): Deleted.
1911         (JSC::ExecutionCounter::setThreshold): Deleted.
1912         (JSC::ExecutionCounter::reset): Deleted.
1913         (JSC::ExecutionCounter::dump): Deleted.
1914         * bytecode/ExecutionCounter.h:
1915         (JSC::formattedTotalExecutionCount):
1916         (JSC::ExecutionCounter::maximumExecutionCountsBetweenCheckpoints):
1917         (JSC::ExecutionCounter::clippedThreshold):
1918         (JSC::ExecutionCounter::formattedTotalCount): Deleted.
1919         * dfg/DFGJITCode.h:
1920         * dfg/DFGOSRExitCompilerCommon.cpp:
1921         (JSC::DFG::handleExitCounts):
1922         * llint/LowLevelInterpreter.asm:
1923         * runtime/Options.h:
1924
1925 2014-04-17  Mark Hahnenberg  <mhahnenberg@apple.com>
1926
1927         Deleting properties poisons objects
1928         https://bugs.webkit.org/show_bug.cgi?id=131551
1929
1930         Reviewed by Geoffrey Garen.
1931
1932         This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.
1933
1934         * runtime/Structure.cpp:
1935         (JSC::Structure::Structure):
1936         (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
1937         (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of 
1938         Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache 
1939         delete transitions, but we allow transitioning from them.
1940         (JSC::Structure::changePrototypeTransition):
1941         (JSC::Structure::despecifyFunctionTransition):
1942         (JSC::Structure::attributeChangeTransition):
1943         (JSC::Structure::toDictionaryTransition):
1944         (JSC::Structure::preventExtensionsTransition):
1945         (JSC::Structure::addPropertyWithoutTransition):
1946         (JSC::Structure::removePropertyWithoutTransition):
1947         (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
1948         (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
1949         * runtime/Structure.h:
1950         * runtime/StructureInlines.h:
1951         (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
1952
1953 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
1954
1955         InlineCallFrameSet should be refcounted
1956         https://bugs.webkit.org/show_bug.cgi?id=131829
1957
1958         Reviewed by Geoffrey Garen.
1959         
1960         And DFG::Plan should hold a ref to it. Previously it was owned by Graph until it
1961         became owned by JITCode. Except that if we're "failing" to compile, JITCode may die.
1962         Even as it dies, the GC may still want to scan the DFG::Plan, which leads to scanning
1963         the DesiredWriteBarriers, which leads to scanning the InlineCallFrameSet.
1964         
1965         So, just make the darn thing refcounted.
1966
1967         * bytecode/InlineCallFrameSet.h:
1968         * dfg/DFGArgumentsSimplificationPhase.cpp:
1969         (JSC::DFG::ArgumentsSimplificationPhase::run):
1970         * dfg/DFGByteCodeParser.cpp:
1971         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1972         * dfg/DFGCommonData.h:
1973         * dfg/DFGGraph.cpp:
1974         (JSC::DFG::Graph::Graph):
1975         (JSC::DFG::Graph::requiredRegisterCountForExit):
1976         * dfg/DFGGraph.h:
1977         * dfg/DFGJITCompiler.cpp:
1978         (JSC::DFG::JITCompiler::link):
1979         * dfg/DFGPlan.cpp:
1980         (JSC::DFG::Plan::Plan):
1981         * dfg/DFGPlan.h:
1982         * dfg/DFGStackLayoutPhase.cpp:
1983         (JSC::DFG::StackLayoutPhase::run):
1984         * ftl/FTLFail.cpp:
1985         (JSC::FTL::fail):
1986         * ftl/FTLLink.cpp:
1987         (JSC::FTL::link):
1988
1989 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
1990
1991         FTL::fail() should manage memory "correctly"
1992         https://bugs.webkit.org/show_bug.cgi?id=131823
1993         <rdar://problem/16384297>
1994
1995         Reviewed by Oliver Hunt.
1996
1997         * ftl/FTLFail.cpp:
1998         (JSC::FTL::fail):
1999
2000 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
2001
2002         Prediction propagator should correctly model Int52s flowing through arguments
2003         https://bugs.webkit.org/show_bug.cgi?id=131822
2004         <rdar://problem/16641408>
2005
2006         Reviewed by Oliver Hunt.
2007
2008         * dfg/DFGPredictionPropagationPhase.cpp:
2009         (JSC::DFG::PredictionPropagationPhase::propagate):
2010         * tests/stress/int52-argument.js: Added.
2011         (foo):
2012         * tests/stress/int52-variable.js: Added.
2013         (foo):
2014
2015 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
2016
2017         REGRESSION: ASSERT(!typeInfo().hasImpureGetOwnPropertySlot() || typeInfo().newImpurePropertyFiresWatchpoints()) on jquery tests
2018         https://bugs.webkit.org/show_bug.cgi?id=131798
2019
2020         Reviewed by Alexey Proskuryakov.
2021         
2022         Some day, we will fix https://bugs.webkit.org/show_bug.cgi?id=131810 and some version
2023         of this assertion can return. For now, it's not clear that the assertion is guarding
2024         any truly undesirable behavior - so it should just go away and be replaced with a
2025         FIXME.
2026
2027         * bytecode/GetByIdStatus.cpp:
2028         (JSC::GetByIdStatus::computeForStubInfo):
2029         * runtime/Structure.h:
2030         (JSC::Structure::takesSlowPathInDFGForImpureProperty):
2031
2032 2014-04-17  David Kilzer  <ddkilzer@apple.com>
2033
2034         Blind attempt to fix Windows build after r166837
2035         <http://webkit.org/b/131246>
2036
2037         Hoping to fix this build error:
2038
2039             warning MSB8027: Two or more files with the name of GCLogging.cpp will produce outputs to the same location. This can lead to an incorrect build result.  The files involved are ..\heap\GCLogging.cpp, ..\heap\GCLogging.cpp.
2040
2041         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Fix copy-paste
2042         boo-boo by changing the GCLogging.cpp ClCompile entry to a
2043         GCLogging.h ClInclude entry.
2044
2045 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
2046
2047         AI for GetLocal should match the DFG backend, and in this case, the best way to do that is to get rid of the "exit if empty prediction" thing since it's a vestige of a time long gone
2048         https://bugs.webkit.org/show_bug.cgi?id=131764
2049
2050         Reviewed by Geoffrey Garen.
2051         
2052         The attached test case can be made to not crash by deleting old code. It used to be
2053         the case that the DFG needed empty prediction guards, for shady reasons. We fixed that
2054         long ago. At this point, these guards just make life difficult. So get rid of them.
2055
2056         * dfg/DFGAbstractInterpreterInlines.h:
2057         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2058         * dfg/DFGSpeculativeJIT32_64.cpp:
2059         (JSC::DFG::SpeculativeJIT::compile):
2060         * dfg/DFGSpeculativeJIT64.cpp:
2061         (JSC::DFG::SpeculativeJIT::compile):
2062         * tests/stress/bug-131764.js: Added.
2063         (test1):
2064         (test2):
2065
2066 2014-04-17  Darin Adler  <darin@apple.com>
2067
2068         Add separate flag for IndexedDatabase in workers since the current implementation is not threadsafe
2069         https://bugs.webkit.org/show_bug.cgi?id=131785
2070         rdar://problem/16003108
2071
2072         Reviewed by Brady Eidson.
2073
2074         * Configurations/FeatureDefines.xcconfig: Added INDEXED_DATABASE_IN_WORKERS.
2075
2076 2014-04-16  Alexey Proskuryakov  <ap@apple.com>
2077
2078         Build fix after http://trac.webkit.org/changeset/167416 (Sink NaN sanitization)
2079
2080         * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::speculate):
2081
2082 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
2083
2084         Extra error reporting for invalid value conversions
2085         https://bugs.webkit.org/show_bug.cgi?id=131786
2086
2087         Rubber stamped by Ryosuke Niwa.
2088
2089         * dfg/DFGFixupPhase.cpp:
2090         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2091
2092 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
2093
2094         Sink NaN sanitization to uses and remove it when it's unnecessary
2095         https://bugs.webkit.org/show_bug.cgi?id=131419
2096
2097         Reviewed by Oliver Hunt.
2098         
2099         This moves NaN purification to stores that could see an impure NaN.
2100         
2101         5% speed-up on AsmBench, 50% speed-up on AsmBench/n-body. It is a regression on FloatMM
2102         though, because of the other bug that causes that benchmark to box doubles in a loop.
2103
2104         * bytecode/SpeculatedType.h:
2105         (JSC::isInt32SpeculationForArithmetic):
2106         (JSC::isMachineIntSpeculationForArithmetic):
2107         (JSC::isDoubleSpeculation):
2108         (JSC::isDoubleSpeculationForArithmetic):
2109         * dfg/DFGAbstractInterpreterInlines.h:
2110         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2111         * dfg/DFGAbstractValue.cpp:
2112         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
2113         * dfg/DFGFixupPhase.cpp:
2114         (JSC::DFG::FixupPhase::fixupNode):
2115         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2116         * dfg/DFGInPlaceAbstractState.cpp:
2117         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
2118         * dfg/DFGPredictionPropagationPhase.cpp:
2119         (JSC::DFG::PredictionPropagationPhase::propagate):
2120         * dfg/DFGSpeculativeJIT.cpp:
2121         (JSC::DFG::SpeculativeJIT::compileValueRep):
2122         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
2123         * dfg/DFGUseKind.h:
2124         (JSC::DFG::typeFilterFor):
2125         * ftl/FTLLowerDFGToLLVM.cpp:
2126         (JSC::FTL::LowerDFGToLLVM::compileValueRep):
2127         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2128         * runtime/PureNaN.h:
2129         * tests/stress/float32-array-nan-inlined.js: Added.
2130         (foo):
2131         (test):
2132         * tests/stress/float32-array-nan.js: Added.
2133         (foo):
2134         (test):
2135         * tests/stress/float64-array-nan-inlined.js: Added.
2136         (foo):
2137         (isBigEndian):
2138         (test):
2139         * tests/stress/float64-array-nan.js: Added.
2140         (foo):
2141         (isBigEndian):
2142         (test):
2143
2144 2014-04-16  Brent Fulgham  <bfulgham@apple.com>
2145
2146         [Win] Unreviewed Windows gardening. Restrict our new 'isinf' check
2147         to 32-bit builds, and revise the comment to explain what we are
2148         doing.
2149
2150         * runtime/JSCJSValueInlines.h:
2151         (JSC::JSValue::isMachineInt): Provide motivation for the new
2152         'isinf' check for our 32-bit code path.
2153
2154 2014-04-16  Juergen Ributzka  <juergen@apple.com>
2155
2156         Allocate the data section on the heap again for FTL on ARM64
2157         https://bugs.webkit.org/show_bug.cgi?id=130156
2158
2159         Reviewed by Geoffrey Garen and Filip Pizlo.
2160
2161         * ftl/FTLCompile.cpp:
2162         (JSC::FTL::mmAllocateDataSection):
2163         * ftl/FTLDataSection.cpp:
2164         (JSC::FTL::DataSection::DataSection):
2165         (JSC::FTL::DataSection::~DataSection):
2166         * ftl/FTLDataSection.h:
2167
2168 2014-04-16  Mark Lam  <mark.lam@apple.com>
2169
2170         Crash in CodeBlock::setOptimizationThresholdBasedOnCompilationResult() when the debugger activates.
2171         <https://webkit.org/b/131747>
2172
2173         Reviewed by Filip Pizlo.
2174
2175         When the debugger is about to activate (e.g. enter stepping mode), it first
2176         waits for all DFG compilations to complete.  However, when the DFG completes,
2177         if compilation is successful, it will install a new DFG codeBlock.  The
2178         CodeBlock installation process is required to register codeBlocks with the
2179         debugger.  Debugger::registerCodeBlock() will eventually call
2180         CodeBlock::setSteppingMode() which may jettison the DFG codeBlock that we're
2181         trying to install.  Thereafter, chaos ensues.
2182
2183         This jettisoning only happens because the debugger currently sets its
2184         m_steppingMode flag before waiting for compilation to complete.  The fix is
2185         simply to set that flag only after compilation is complete.
2186
2187         * debugger/Debugger.cpp:
2188         (JSC::Debugger::setSteppingMode):
2189         (JSC::Debugger::registerCodeBlock):
2190
2191 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
2192
2193         Discern between NaNs that would be safe to tag and NaNs that need some purification before tagging
2194         https://bugs.webkit.org/show_bug.cgi?id=131420
2195
2196         Reviewed by Oliver Hunt.
2197         
2198         Rationalizes our handling of NaNs. We now have the notion of pureNaN(), or PNaN, which
2199         replaces QNaN and represents a "safe" NaN for our tagging purposes. NaN purification now
2200         goes through the purifyNaN() API.
2201         
2202         SpeculatedType and its clients can now distinguish between a PureNaN and an ImpureNaN.
2203         
2204         Prediction propagator is made slightly more cautious when dealing with NaNs. It doesn't
2205         have to be too cautious since most prediction-based logic only cares about whether or not
2206         a value could be an integer.
2207         
2208         AI is made much more cautious when dealing with NaNs. We don't yet introduce ImpureNaN
2209         anywhere in the compiler, but when we do, we ought to be able to trust AI to propagate it
2210         soundly and precisely.
2211         
2212         No performance change because this just unblocks
2213         https://bugs.webkit.org/show_bug.cgi?id=131419.
2214
2215         * API/JSValueRef.cpp:
2216         (JSValueMakeNumber):
2217         (JSValueToNumber):
2218         * JavaScriptCore.xcodeproj/project.pbxproj:
2219         * bytecode/SpeculatedType.cpp:
2220         (JSC::dumpSpeculation):
2221         (JSC::speculationFromValue):
2222         (JSC::typeOfDoubleSum):
2223         (JSC::typeOfDoubleDifference):
2224         (JSC::typeOfDoubleProduct):
2225         (JSC::polluteDouble):
2226         (JSC::typeOfDoubleQuotient):
2227         (JSC::typeOfDoubleMinMax):
2228         (JSC::typeOfDoubleNegation):
2229         (JSC::typeOfDoubleAbs):
2230         (JSC::typeOfDoubleFRound):
2231         (JSC::typeOfDoubleBinaryOp):
2232         (JSC::typeOfDoubleUnaryOp):
2233         * bytecode/SpeculatedType.h:
2234         * dfg/DFGAbstractInterpreterInlines.h:
2235         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2236         * dfg/DFGByteCodeParser.cpp:
2237         (JSC::DFG::ByteCodeParser::handleInlining):
2238         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2239         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
2240         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
2241         * dfg/DFGInPlaceAbstractState.cpp:
2242         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
2243         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
2244         (JSC::DFG::createPreHeader):
2245         * dfg/DFGNode.h:
2246         (JSC::DFG::BranchTarget::BranchTarget):
2247         * dfg/DFGOSREntrypointCreationPhase.cpp:
2248         (JSC::DFG::OSREntrypointCreationPhase::run):
2249         * dfg/DFGOSRExitCompiler32_64.cpp:
2250         (JSC::DFG::OSRExitCompiler::compileExit):
2251         * dfg/DFGOSRExitCompiler64.cpp:
2252         (JSC::DFG::OSRExitCompiler::compileExit):
2253         * dfg/DFGPredictionPropagationPhase.cpp:
2254         (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
2255         (JSC::DFG::PredictionPropagationPhase::propagate):
2256         * dfg/DFGSpeculativeJIT.cpp:
2257         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
2258         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
2259         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
2260         * dfg/DFGSpeculativeJIT32_64.cpp:
2261         (JSC::DFG::SpeculativeJIT::compile):
2262         * dfg/DFGSpeculativeJIT64.cpp:
2263         (JSC::DFG::SpeculativeJIT::compile):
2264         * dfg/DFGVariableAccessData.h:
2265         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
2266         * ftl/FTLLowerDFGToLLVM.cpp:
2267         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2268         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2269         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
2270         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
2271         (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
2272         (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
2273         (JSC::FTL::LowerDFGToLLVM::allocateJSArray):
2274         * ftl/FTLValueFormat.cpp:
2275         (JSC::FTL::reboxAccordingToFormat):
2276         * jit/AssemblyHelpers.cpp:
2277         (JSC::AssemblyHelpers::purifyNaN):
2278         (JSC::AssemblyHelpers::sanitizeDouble): Deleted.
2279         * jit/AssemblyHelpers.h:
2280         * jit/JITPropertyAccess.cpp:
2281         (JSC::JIT::emitFloatTypedArrayGetByVal):
2282         * runtime/DateConstructor.cpp:
2283         (JSC::constructDate):
2284         * runtime/DateInstanceCache.h:
2285         (JSC::DateInstanceData::DateInstanceData):
2286         (JSC::DateInstanceCache::reset):
2287         * runtime/ExceptionHelpers.cpp:
2288         (JSC::TerminatedExecutionError::defaultValue):
2289         * runtime/JSArray.cpp:
2290         (JSC::JSArray::setLength):
2291         (JSC::JSArray::pop):
2292         (JSC::JSArray::shiftCountWithAnyIndexingType):
2293         (JSC::JSArray::sortVector):
2294         (JSC::JSArray::compactForSorting):
2295         * runtime/JSArray.h:
2296         (JSC::JSArray::create):
2297         (JSC::JSArray::tryCreateUninitialized):
2298         * runtime/JSCJSValue.cpp:
2299         (JSC::JSValue::toNumberSlowCase):
2300         * runtime/JSCJSValue.h:
2301         * runtime/JSCJSValueInlines.h:
2302         (JSC::jsNaN):
2303         (JSC::JSValue::JSValue):
2304         (JSC::JSValue::getPrimitiveNumber):
2305         * runtime/JSGlobalObjectFunctions.cpp:
2306         (JSC::parseInt):
2307         (JSC::jsStrDecimalLiteral):
2308         (JSC::toDouble):
2309         (JSC::jsToNumber):
2310         (JSC::parseFloat):
2311         * runtime/JSObject.cpp:
2312         (JSC::JSObject::createInitialDouble):
2313         (JSC::JSObject::convertUndecidedToDouble):
2314         (JSC::JSObject::convertInt32ToDouble):
2315         (JSC::JSObject::deletePropertyByIndex):
2316         (JSC::JSObject::ensureLengthSlow):
2317         * runtime/MathObject.cpp:
2318         (JSC::mathProtoFuncMax):
2319         (JSC::mathProtoFuncMin):
2320         * runtime/PureNaN.h: Added.
2321         (JSC::pureNaN):
2322         (JSC::isImpureNaN):
2323         (JSC::purifyNaN):
2324         * runtime/TypedArrayAdaptors.h:
2325         (JSC::FloatTypedArrayAdaptor::toJSValue):
2326
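Why an "impure" NaN matters to a NaN-boxing value representation, as an added illustration that is not code from the entry above or from JavaScriptCore: the model below assumes a 64-bit encoding in which a cell pointer has its top 16 bits clear, an int32 has them all set, and a double is stored as its IEEE-754 bits plus 2^48. The names pure_nan, is_impure_nan, purify_nan, classify, box_double, box_double_unchecked and float64_array_get, the tag constants and the sample bit pattern 0xffff000041414141 are all constructed for this example. A NaN whose bits are at or above 0xfffe000000000000 survives the +2^48 step with its tag bits wrapped, so unchecked boxing turns attacker-chosen low bits into what the decoder takes for a cell pointer or an int32; purifying to the canonical NaN before tagging closes that, and a Float64Array read is exactly the kind of store where such bits arrive.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed 64-bit NaN-boxing layout (modelled on the kind of scheme JSC uses
 * on 64-bit, but this file is an illustration, not JSC code): the top 16 bits
 * of a boxed value are 0x0000 for a cell pointer, 0xffff for an int32, and
 * anything else for a double, which is stored as its IEEE-754 bits plus 2^48. */
#define DOUBLE_ENCODE_OFFSET (UINT64_C(1) << 48)
#define NUMBER_TAG           (UINT64_C(0xffff) << 48)
#define PURE_NAN_BITS        UINT64_C(0x7ff8000000000000)

enum box_kind { BOX_DOUBLE, BOX_INT32, BOX_CELL };

static uint64_t double_bits(double d) { uint64_t u; memcpy(&u, &d, sizeof u); return u; }
static double bits_double(uint64_t u) { double d; memcpy(&d, &u, sizeof d); return d; }

/* The one NaN the runtime is willing to tag. */
static double pure_nan(void) { return bits_double(PURE_NAN_BITS); }

/* A NaN is "impure" when bits + 2^48 would carry into the tag bits. Every bit
 * pattern >= 0xfffe000000000000 has the sign bit set, an all-ones exponent and
 * a non-zero mantissa, so all of them are NaNs, and all of them are unsafe. */
static bool is_impure_nan(double d) {
    return double_bits(d) >= NUMBER_TAG - DOUBLE_ENCODE_OFFSET;
}

/* Canonicalise every NaN, impure or not, to the pure one. */
static double purify_nan(double d) { return d != d ? pure_nan() : d; }

/* Decode the way a runtime would: only the top 16 bits are consulted. */
static enum box_kind classify(uint64_t boxed) {
    if ((boxed & NUMBER_TAG) == NUMBER_TAG) return BOX_INT32;
    if (boxed & NUMBER_TAG) return BOX_DOUBLE;
    return BOX_CELL;
}

/* Unsafe boxing: trusts that the double is not an impure NaN. */
static uint64_t box_double_unchecked(double d) {
    return double_bits(d) + DOUBLE_ENCODE_OFFSET;   /* unsigned wrap on purpose */
}

/* Safe boxing: purify first, so every NaN lands on the same in-range pattern. */
static uint64_t box_double(double d) {
    return box_double_unchecked(purify_nan(d));
}

/* Models a Float64Array element read: the bytes come straight from a buffer
 * the script controls, so any bit pattern, including an impure NaN, can
 * arrive here. The store into a boxed value is where purification must happen. */
static double float64_array_get(const uint8_t *buffer, size_t index) {
    double d;
    memcpy(&d, buffer + index * sizeof d, sizeof d);
    return d;
}

int main(void) {
    /* Constructed sample: a one-element Float64Array whose bytes spell an
     * impure NaN with attacker-chosen low bits (0xffff000041414141). */
    uint8_t buffer[sizeof(double)];
    uint64_t raw = UINT64_C(0xffff000041414141);
    memcpy(buffer, &raw, sizeof buffer);

    double d = float64_array_get(buffer, 0);
    uint64_t unchecked = box_double_unchecked(d);
    uint64_t purified = box_double(d);
    printf("impure=%d unchecked=%#llx (kind %d) purified=%#llx (kind %d)\n",
           is_impure_nan(d),
           (unsigned long long)unchecked, (int)classify(unchecked),
           (unsigned long long)purified, (int)classify(purified));
    return 0;
}
```

The unchecked path boxes the sample to 0x41414141, which the decoder reports as a cell pointer; the purified path boxes it to the canonical NaN plus the offset, which stays a double. NaNs produced by ordinary arithmetic fall below the 0xfffe threshold and are safe to tag as they are, which is why only the stores that can see crafted bits, such as typed-array reads, need the purification step.
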
2327 2014-04-16  Juergen Ributzka  <juergen@apple.com>
2328
2329         Enable system library calls in FTL for ARM64
2330         https://bugs.webkit.org/show_bug.cgi?id=130154
2331
2332         Reviewed by Geoffrey Garen and Filip Pizlo.
2333
2334         * ftl/FTLIntrinsicRepository.h:
2335         * ftl/FTLOutput.h:
2336         (JSC::FTL::Output::doubleRem):
2337         (JSC::FTL::Output::doubleSin):
2338         (JSC::FTL::Output::doubleCos):
2339
2340 2014-04-16  peavo@outlook.com  <peavo@outlook.com>
2341
2342         Fix JSC Debug Regressions on Windows
2343         https://bugs.webkit.org/show_bug.cgi?id=131182
2344
2345         Reviewed by Brent Fulgham.
2346
2347         The cast static_cast<int64_t>(number) in JSValue::isMachineInt() can generate a floating point error,
2348         and set the st floating point register tags, if the value of the number parameter is infinite.
2349         If the st floating point register tags are not cleared, this can cause strange floating point behavior later on.
2350         This can be avoided by checking for infinity first.
2351
2352         * runtime/JSCJSValueInlines.h:
2353         (JSC::JSValue::isMachineInt): Avoid floating point error by checking for infinity first.
2354         * runtime/Options.cpp:
2355         (JSC::recomputeDependentOptions): Re-enable jit for Windows.
2356
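The conversion hazard the entry above describes, as an added C example that is neither the entry's patch nor JavaScriptCore's JSValue::isMachineInt: converting a double that is outside the target integer type's range is undefined behaviour in C and C++, and infinity always is outside it, so the infinity check has to run before the cast rather than after. The signed 52-bit range (-2^51 to 2^51-1) is an assumption made here for illustration, and the function names is_machine_int and is_machine_int_cast_first are constructed; the cast-first variant is kept only for contrast and is never fed an infinity.

```c
#include <math.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed range for a "machine int": a signed 52-bit integer, so the
 * representable values are -2^51 .. 2^51-1. The bound is an assumption for
 * this illustration; the order of the checks is the point. */
#define MACHINE_INT_LIMIT ((double)(INT64_C(1) << 51))

/* Reject NaN and infinity, then reject out-of-range finite values, and only
 * then cast: every cast below is on a value that fits in int64_t, so the
 * conversion is defined on every target, 32-bit x87 included. */
static bool is_machine_int(double number) {
    if (isnan(number) || isinf(number))
        return false;
    if (number >= MACHINE_INT_LIMIT || number < -MACHINE_INT_LIMIT)
        return false;
    int64_t as_int = (int64_t)number;   /* in range, so defined */
    if ((double)as_int != number)
        return false;                   /* has a fractional part */
    if (as_int == 0 && signbit(number))
        return false;                   /* -0 is a double, not an int */
    return true;
}

/* The ordering the entry above warns about: cast first, check afterwards.
 * Undefined behaviour for infinity or anything beyond int64 range, so the
 * result on those inputs is whatever the hardware happens to do. Shown for
 * contrast only; do not use. */
static bool is_machine_int_cast_first(double number) {
    int64_t as_int = (int64_t)number;
    if ((double)as_int != number)
        return false;
    if (as_int == 0 && signbit(number))
        return false;
    return as_int < (INT64_C(1) << 51) && as_int >= -(INT64_C(1) << 51);
}

int main(void) {
    /* Constructed samples, all finite and within int64 range so that even the
     * cast-first variant stays on defined behaviour here. */
    const double samples[] = { 0.0, -0.0, 1.5, 4096.0,
                               MACHINE_INT_LIMIT - 1.0, MACHINE_INT_LIMIT };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%.17g: safe=%d cast-first=%d\n", samples[i],
               is_machine_int(samples[i]), is_machine_int_cast_first(samples[i]));
    /* Infinity is deliberately only given to the safe version. */
    printf("inf: safe=%d\n", is_machine_int(INFINITY));
    return 0;
}
```

On the finite samples both versions agree; the difference is that the safe version has a defined answer for infinity and NaN, where the cast-first version has none, which is why a mismatch between platforms (here, the 32-bit Windows build) is the usual first symptom of this class of bug.
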
2357 2014-04-16  Oliver Hunt  <oliver@apple.com>
2358
2359         Simple ES6 feature: Array.prototype.fill
2360         https://bugs.webkit.org/show_bug.cgi?id=131703
2361
2362         Reviewed by David Hyatt.
2363
2364         Add support for Array.prototype.fill
2365
2366         * builtins/Array.prototype.js:
2367         (fill):
2368         * runtime/ArrayPrototype.cpp:
2369
2370 2014-04-16  Mark Hahnenberg  <mhahnenberg@apple.com>
2371
2372         [WebKit] Cleanup the build from uninitialized variable in JavaScriptCore
2373         https://bugs.webkit.org/show_bug.cgi?id=131728
2374
2375         Reviewed by Darin Adler.
2376
2377         * runtime/JSObject.cpp:
2378         (JSC::JSObject::genericConvertDoubleToContiguous): Add a RELEASE_ASSERT on the 
2379         path we expect to never take. Also shut up confused compilers about uninitialized things.
2380
2381 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
2382
2383         Unreviewed, ARMv7 build fix after r167336.
2384
2385         * assembler/MacroAssemblerARMv7.h:
2386         (JSC::MacroAssemblerARMv7::branchAdd32):
2387
2388 2014-04-16  Gabor Rapcsanyi  <rgabor@webkit.org>
2389
2390         Unreviewed, ARM64 buildfix after r167336.
2391
2392         * assembler/MacroAssemblerARM64.h:
2393         (JSC::MacroAssemblerARM64::branchAdd32): Add missing function.
2394
2395 2014-04-15  Filip Pizlo  <fpizlo@apple.com>
2396
2397         Unreviewed, add the obvious thing that marks MakeRope as exiting since it can exit.
2398
2399         * dfg/DFGAbstractInterpreterInlines.h:
2400         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2401
2402 2014-04-15  Filip Pizlo  <fpizlo@apple.com>
2403
2404         compileMakeRope does not emit necessary bounds checks
2405         https://bugs.webkit.org/show_bug.cgi?id=130684
2406         <rdar://problem/16398388>
2407
2408         Reviewed by Oliver Hunt.
2409         
2410         Add string length bounds checks in a bunch of places. We should never allow a string
2411         to have a length greater than 2^31-1 because it's not clear that the language has
2412         semantics for it and because there is code that assumes that this cannot happen.
2413         
2414         Also add a bunch of tests to that effect to cover the various ways in which this was
2415         previously allowed to happen.
2416
2417         * dfg/DFGOperations.cpp:
2418         * dfg/DFGSpeculativeJIT.cpp:
2419         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2420         * ftl/FTLLowerDFGToLLVM.cpp:
2421         (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
2422         * runtime/JSString.cpp:
2423         (JSC::JSRopeString::RopeBuilder::expand):
2424         * runtime/JSString.h:
2425         (JSC::JSString::create):
2426         (JSC::JSRopeString::RopeBuilder::append):
2427         (JSC::JSRopeString::RopeBuilder::release):
2428         (JSC::JSRopeString::append):
2429         * runtime/Operations.h:
2430         (JSC::jsString):
2431         (JSC::jsStringFromRegisterArray):
2432         (JSC::jsStringFromArguments):
2433         * runtime/StringPrototype.cpp:
2434         (JSC::stringProtoFuncIndexOf):
2435         (JSC::stringProtoFuncSlice):
2436         (JSC::stringProtoFuncSubstring):
2437         (JSC::stringProtoFuncToLowerCase):
2438         * tests/stress/make-large-string-jit-strcat.js: Added.
2439         (foo):
2440         * tests/stress/make-large-string-jit.js: Added.
2441         (foo):
2442         * tests/stress/make-large-string-strcat.js: Added.
2443         * tests/stress/make-large-string.js: Added.
2444
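The length hazard the entry above fixes, in an added C model that is not JavaScriptCore code: the names rope, rope_build, rope_append_unchecked, rope_append_checked, length_is_valid, flatten_overflows and double_repeatedly are constructed for this example, and the only fact taken from the entry is the 2^31-1 limit. The model tracks what a rope node records as its length next to what its fibers really add up to. The unchecked append sums in 32 bits and wraps, so a later flatten that sizes its buffer from the recorded length and then copies every fiber writes past the end; one doubling earlier the recorded length is already 2^31, which violates the invariant the rest of the engine assumes. The checked append compares against the remaining headroom so that the check itself cannot overflow, and the s = s + s loop is the shape of the make-large-string tests listed above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* JS string lengths are limited to 2^31-1 in this model, the limit the
 * ChangeLog entry above names. */
#define MAX_STRING_LENGTH ((uint32_t)INT32_MAX)

/* A rope node records the combined length of its fibers. The hazard is a rope
 * whose recorded length no longer matches the fibers below it, because the
 * sum was taken without a bound. true_length is bookkeeping for the model so
 * the mismatch can be observed; a real rope has no such field. */
struct rope {
    uint32_t recorded_length;   /* what the runtime trusts */
    uint64_t true_length;       /* what the fibers really add up to */
};

/* Unchecked append: 32-bit sum that wraps silently. Illustration of the bug
 * class, not the code the entry fixed. */
static struct rope rope_append_unchecked(struct rope a, struct rope b) {
    struct rope r = { a.recorded_length + b.recorded_length,
                      a.true_length + b.true_length };
    return r;
}

/* Checked append: refuses to build a rope longer than 2^31-1. b is compared
 * against the remaining headroom, so the test itself cannot overflow. */
static bool rope_append_checked(struct rope a, struct rope b, struct rope *out) {
    if (a.recorded_length > MAX_STRING_LENGTH
        || b.recorded_length > MAX_STRING_LENGTH - a.recorded_length)
        return false;                    /* caller raises a RangeError */
    out->recorded_length = a.recorded_length + b.recorded_length;
    out->true_length = a.true_length + b.true_length;
    return true;
}

/* The invariant the rest of the engine assumes. */
static bool length_is_valid(struct rope r) {
    return r.recorded_length <= MAX_STRING_LENGTH;
}

/* Models what a flatten does: allocate recorded_length units, then copy
 * true_length units of fiber data. True means that copy is a heap overflow. */
static bool flatten_overflows(struct rope r) {
    return r.true_length > r.recorded_length;
}

struct rope_build {
    int rounds_done;    /* how many appends succeeded before a rejection */
    struct rope rope;   /* the rope reached at that point */
};

/* s = s + s repeated `rounds` times, the shape of the make-large-string tests. */
static struct rope_build double_repeatedly(uint32_t start, int rounds, bool checked) {
    struct rope_build b = { 0, { start, start } };
    for (; b.rounds_done < rounds; b.rounds_done++) {
        struct rope next;
        if (checked) {
            if (!rope_append_checked(b.rope, b.rope, &next))
                break;
        } else {
            next = rope_append_unchecked(b.rope, b.rope);
        }
        b.rope = next;
    }
    return b;
}

int main(void) {
    /* Constructed input: a 1 MiB string doubled twelve times. */
    struct rope_build safe = double_repeatedly(UINT32_C(1) << 20, 12, true);
    struct rope_build unsafe = double_repeatedly(UINT32_C(1) << 20, 12, false);
    printf("checked:   %d rounds, recorded=%u valid=%d overflow=%d\n",
           safe.rounds_done, safe.rope.recorded_length,
           length_is_valid(safe.rope), flatten_overflows(safe.rope));
    printf("unchecked: %d rounds, recorded=%u true=%llu valid=%d overflow=%d\n",
           unsafe.rounds_done, unsafe.rope.recorded_length,
           (unsigned long long)unsafe.rope.true_length,
           length_is_valid(unsafe.rope), flatten_overflows(unsafe.rope));
    return 0;
}
```

The checked build stops after ten doublings at a length of 2^30, since the eleventh would produce 2^31. The unchecked build completes all twelve: after eleven the recorded length is 2^31 and the invariant is already broken, and after twelve it has wrapped to zero while the fibers hold 2^32 units, so a flatten sized from the recorded length overflows.
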
2445 2014-04-15  Julien Brianceau  <jbriance@cisco.com>
2446
2447         Remove invalid sh4 specific code in JITInlines header.
2448         https://bugs.webkit.org/show_bug.cgi?id=131692
2449
2450         Reviewed by Geoffrey Garen.
2451
2452         * jit/JITInlines.h:
2453         (JSC::JIT::callOperation): Prototype is not F_JITOperation_EJJZ
2454         anymore since r160244, so the sh4 specific code is invalid now
2455         and has to be removed.
2456
2457 2014-04-15  Mark Hahnenberg  <mhahnenberg@apple.com>
2458
2459         Fix precedence issue in JSCell::setRemembered
2460
2461         Rubber stamped by Filip Pizlo.
2462
2463         * runtime/JSCell.h:
2464         (JSC::JSCell::setRemembered):
2465
2466 2014-04-15  Mark Hahnenberg  <mhahnenberg@apple.com>
2467
2468         Objective-C API external object graphs don't handle generational collection properly
2469         https://bugs.webkit.org/show_bug.cgi?id=131634
2470
2471         Reviewed by Geoffrey Garen.
2472
2473         If the set of Objective-C objects transitively reachable through an object changes, we 
2474         need to update the set of opaque roots accordingly. If we don't, the next EdenCollection 
2475         won't rescan the external object graph, which would lead us to consider a newly allocated 
2476         JSManagedValue to be dead.
2477
2478         * API/JSBase.cpp:
2479         (JSSynchronousEdenCollectForDebugging):
2480         * API/JSVirtualMachine.mm:
2481         (-[JSVirtualMachine initWithContextGroupRef:]):
2482         (-[JSVirtualMachine dealloc]):
2483         (-[JSVirtualMachine isOldExternalObject:]):
2484         (-[JSVirtualMachine addExternalRememberedObject:]):
2485         (-[JSVirtualMachine addManagedReference:withOwner:]):
2486         (-[JSVirtualMachine removeManagedReference:withOwner:]):
2487         (-[JSVirtualMachine externalRememberedSet]):
2488         (scanExternalObjectGraph):
2489         (scanExternalRememberedSet):
2490         * API/JSVirtualMachineInternal.h:
2491         * API/tests/testapi.mm:
2492         * heap/Heap.cpp:
2493         (JSC::Heap::markRoots):
2494         * heap/Heap.h:
2495         (JSC::Heap::slotVisitor):
2496         * heap/SlotVisitor.h:
2497         * heap/SlotVisitorInlines.h:
2498         (JSC::SlotVisitor::containsOpaqueRoot):
2499         (JSC::SlotVisitor::containsOpaqueRootTriState):
2500
2501 2014-04-15  Filip Pizlo  <fpizlo@apple.com>
2502
2503         DFG IR should keep the data flow of doubles and int52's separate from the data flow of JSValue's
2504         https://bugs.webkit.org/show_bug.cgi?id=131423
2505
2506         Reviewed by Geoffrey Garen.
2507         
2508         This introduces more static typing into DFG IR. Previously we just had the notion of
2509         JSValues and Storage. This was weird because doubles weren't always convertible to
2510         JSValues, and Int52s weren't always convertible to either doubles or JSValues. We would
2511         sort of insert explicit conversion nodes just for the places where we knew that an
2512         implicit conversion wouldn't have been possible -- but there was no hard and fast rule so
2513         we'd get bugs from forgetting to do the right conversion.
2514         
2515         This patch introduces a hard and fast rule: doubles can never be implicitly converted to
2516         anything but doubles, and likewise Int52's can never be implicitly converted. Conversion
2517         nodes are used for all of the conversions. Int52Rep, DoubleRep, and ValueRep are the
2518         conversions. They are like Identity but return the same value using a different
2519         representation. Likewise, constants may now be represented using either JSConstant,
2520         Int52Constant, or DoubleConstant. UseKinds have been adjusted accordingly, as well.
2521         Int52RepUse and DoubleRepUse are node uses that mean "the node must be of Int52 (or
2522         Double) type". They don't imply checks. There is also DoubleRepRealUse, which means that
2523         we speculate DoubleReal and expect Double representation.
2524         
2525         In addition to simplifying a bunch of rules in the IR and making the IR more verifiable,
2526         this also makes it easier to introduce optimizations in the future. It's now possible for
2527         AI to model when/how conversions take place. For example if doing a conversion results in
2528         NaN sanitization, then AI can model this and can allow us to sink sanitizations. That's
2529         what https://bugs.webkit.org/show_bug.cgi?id=131419 will be all about.
2530         
2531         This was a big change, so I had to do some interesting things, like finally get rid of
2532         the DFG's weird variadic template macro hacks and use real C++11 variadic templates. Also
2533         the ByteCodeParser no longer emits Identity nodes since that was always pointless.
2534         
2535         No performance change because this mostly just rationalizes preexisting behavior.
2536
2537         * JavaScriptCore.xcodeproj/project.pbxproj:
2538         * assembler/MacroAssemblerX86.h:
2539         * bytecode/CodeBlock.cpp:
2540         * bytecode/CodeBlock.h:
2541         * dfg/DFGAbstractInterpreter.h:
2542         (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
2543         (JSC::DFG::AbstractInterpreter::setConstant):
2544         * dfg/DFGAbstractInterpreterInlines.h:
2545         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2546         * dfg/DFGAbstractValue.cpp:
2547         (JSC::DFG::AbstractValue::set):
2548         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
2549         (JSC::DFG::AbstractValue::checkConsistency):
2550         * dfg/DFGAbstractValue.h:
2551         * dfg/DFGBackwardsPropagationPhase.cpp:
2552         (JSC::DFG::BackwardsPropagationPhase::propagate):
2553         * dfg/DFGBasicBlock.h:
2554         * dfg/DFGBasicBlockInlines.h:
2555         (JSC::DFG::BasicBlock::appendNode):
2556         (JSC::DFG::BasicBlock::appendNonTerminal):
2557         * dfg/DFGByteCodeParser.cpp:
2558         (JSC::DFG::ByteCodeParser::parseBlock):
2559         * dfg/DFGCSEPhase.cpp:
2560         (JSC::DFG::CSEPhase::constantCSE):
2561         (JSC::DFG::CSEPhase::performNodeCSE):
2562         (JSC::DFG::CSEPhase::int32ToDoubleCSE): Deleted.
2563         * dfg/DFGCapabilities.h:
2564         * dfg/DFGClobberize.h:
2565         (JSC::DFG::clobberize):
2566         * dfg/DFGConstantFoldingPhase.cpp:
2567         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2568         * dfg/DFGDCEPhase.cpp:
2569         (JSC::DFG::DCEPhase::fixupBlock):
2570         * dfg/DFGEdge.h:
2571         (JSC::DFG::Edge::willNotHaveCheck):
2572         * dfg/DFGFixupPhase.cpp:
2573         (JSC::DFG::FixupPhase::run):
2574         (JSC::DFG::FixupPhase::fixupNode):
2575         (JSC::DFG::FixupPhase::fixupGetAndSetLocalsInBlock):
2576         (JSC::DFG::FixupPhase::observeUseKindOnNode):
2577         (JSC::DFG::FixupPhase::fixIntEdge):
2578         (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
2579         (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
2580         (JSC::DFG::FixupPhase::tryToRelaxRepresentation):
2581         (JSC::DFG::FixupPhase::fixEdgeRepresentation):
2582         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2583         (JSC::DFG::FixupPhase::addRequiredPhantom):
2584         (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
2585         (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
2586         (JSC::DFG::FixupPhase::fixupSetLocalsInBlock): Deleted.
2587         * dfg/DFGFlushFormat.h:
2588         (JSC::DFG::resultFor):
2589         (JSC::DFG::useKindFor):
2590         * dfg/DFGGraph.cpp:
2591         (JSC::DFG::Graph::dump):
2592         * dfg/DFGGraph.h:
2593         (JSC::DFG::Graph::addNode):
2594         * dfg/DFGInPlaceAbstractState.cpp:
2595         (JSC::DFG::InPlaceAbstractState::initialize):
2596         * dfg/DFGInsertionSet.h:
2597         (JSC::DFG::InsertionSet::insertNode):
2598         (JSC::DFG::InsertionSet::insertConstant):
2599         (JSC::DFG::InsertionSet::insertConstantForUse):
2600         * dfg/DFGIntegerCheckCombiningPhase.cpp:
2601         (JSC::DFG::IntegerCheckCombiningPhase::insertAdd):
2602         (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd):
2603         * dfg/DFGNode.cpp:
2604         (JSC::DFG::Node::convertToIdentity):
2605         (WTF::printInternal):
2606         * dfg/DFGNode.h:
2607         (JSC::DFG::Node::Node):
2608         (JSC::DFG::Node::setResult):
2609         (JSC::DFG::Node::result):
2610         (JSC::DFG::Node::isConstant):
2611         (JSC::DFG::Node::hasConstant):
2612         (JSC::DFG::Node::convertToConstant):
2613         (JSC::DFG::Node::valueOfJSConstant):
2614         (JSC::DFG::Node::hasResult):
2615         (JSC::DFG::Node::hasInt32Result):
2616         (JSC::DFG::Node::hasInt52Result):
2617         (JSC::DFG::Node::hasNumberResult):
2618         (JSC::DFG::Node::hasDoubleResult):
2619         (JSC::DFG::Node::hasJSResult):
2620         (JSC::DFG::Node::hasBooleanResult):
2621         (JSC::DFG::Node::hasStorageResult):
2622         (JSC::DFG::Node::defaultUseKind):
2623         (JSC::DFG::Node::defaultEdge):
2624         (JSC::DFG::Node::convertToIdentity): Deleted.
2625         * dfg/DFGNodeFlags.cpp:
2626         (JSC::DFG::dumpNodeFlags):
2627         * dfg/DFGNodeFlags.h:
2628         (JSC::DFG::canonicalResultRepresentation):
2629         * dfg/DFGNodeType.h:
2630         * dfg/DFGOSRExitCompiler32_64.cpp:
2631         (JSC::DFG::OSRExitCompiler::compileExit):
2632         * dfg/DFGOSRExitCompiler64.cpp:
2633         (JSC::DFG::OSRExitCompiler::compileExit):
2634         * dfg/DFGPredictionPropagationPhase.cpp:
2635         (JSC::DFG::PredictionPropagationPhase::propagate):
2636         * dfg/DFGResurrectionForValidationPhase.cpp:
2637         (JSC::DFG::ResurrectionForValidationPhase::run):
2638         * dfg/DFGSSAConversionPhase.cpp:
2639         (JSC::DFG::SSAConversionPhase::run):
2640         * dfg/DFGSafeToExecute.h:
2641         (JSC::DFG::SafeToExecuteEdge::operator()):
2642         (JSC::DFG::safeToExecute):
2643         * dfg/DFGSpeculativeJIT.cpp:
2644         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
2645         (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
2646         (JSC::DFG::SpeculativeJIT::silentFill):
2647         (JSC::DFG::JSValueRegsTemporary::JSValueRegsTemporary):
2648         (JSC::DFG::JSValueRegsTemporary::~JSValueRegsTemporary):
2649         (JSC::DFG::JSValueRegsTemporary::regs):
2650         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
2651         (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
2652         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
2653         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2654         (JSC::DFG::SpeculativeJIT::compileValueRep):
2655         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
2656         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
2657         (JSC::DFG::SpeculativeJIT::compileAdd):
2658         (JSC::DFG::SpeculativeJIT::compileArithSub):
2659         (JSC::DFG::SpeculativeJIT::compileArithNegate):
2660         (JSC::DFG::SpeculativeJIT::compileArithMul):
2661         (JSC::DFG::SpeculativeJIT::compileArithDiv):
2662         (JSC::DFG::SpeculativeJIT::compileArithMod):
2663         (JSC::DFG::SpeculativeJIT::compare):
2664         (JSC::DFG::SpeculativeJIT::compileStrictEq):
2665         (JSC::DFG::SpeculativeJIT::speculateNumber):
2666         (JSC::DFG::SpeculativeJIT::speculateDoubleReal):
2667         (JSC::DFG::SpeculativeJIT::speculate):
2668         (JSC::DFG::SpeculativeJIT::compileInt32ToDouble): Deleted.
2669         (JSC::DFG::SpeculativeJIT::speculateMachineInt): Deleted.
2670         (JSC::DFG::SpeculativeJIT::speculateRealNumber): Deleted.
2671         * dfg/DFGSpeculativeJIT.h:
2672         (JSC::DFG::SpeculativeJIT::allocate):
2673         (JSC::DFG::SpeculativeJIT::use):
2674         (JSC::DFG::SpeculativeJIT::boxDouble):
2675         (JSC::DFG::SpeculativeJIT::spill):
2676         (JSC::DFG::SpeculativeJIT::jsValueResult):
2677         (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand):
2678         (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand):
2679         (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand):
2680         (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
2681         * dfg/DFGSpeculativeJIT32_64.cpp:
2682         (JSC::DFG::SpeculativeJIT::fillJSValue):
2683         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2684         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2685         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2686         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2687         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2688         (JSC::DFG::SpeculativeJIT::emitBranch):
2689         (JSC::DFG::SpeculativeJIT::compile):
2690         (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
2691         * dfg/DFGSpeculativeJIT64.cpp:
2692         (JSC::DFG::SpeculativeJIT::fillJSValue):
2693         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2694         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
2695         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2696         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2697         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2698         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2699         (JSC::DFG::SpeculativeJIT::emitBranch):
2700         (JSC::DFG::SpeculativeJIT::compile):
2701         (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
2702         * dfg/DFGStrengthReductionPhase.cpp:
2703         (JSC::DFG::StrengthReductionPhase::handleNode):
2704         * dfg/DFGUseKind.cpp:
2705         (WTF::printInternal):
2706         * dfg/DFGUseKind.h:
2707         (JSC::DFG::typeFilterFor):
2708         (JSC::DFG::shouldNotHaveTypeCheck):
2709         (JSC::DFG::mayHaveTypeCheck):
2710         (JSC::DFG::isNumerical):
2711         (JSC::DFG::isDouble):
2712         (JSC::DFG::isCell):
2713         (JSC::DFG::usesStructure):
2714         (JSC::DFG::useKindForResult):
2715         * dfg/DFGValidate.cpp:
2716         (JSC::DFG::Validate::validate):
2717         * dfg/DFGVariadicFunction.h: Removed.
2718         * ftl/FTLCapabilities.cpp:
2719         (JSC::FTL::canCompile):
2720         * ftl/FTLLowerDFGToLLVM.cpp:
2721         (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
2722         (JSC::FTL::LowerDFGToLLVM::compileNode):
2723         (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
2724         (JSC::FTL::LowerDFGToLLVM::compilePhi):
2725         (JSC::FTL::LowerDFGToLLVM::compileDoubleConstant):
2726         (JSC::FTL::LowerDFGToLLVM::compileInt52Constant):
2727         (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant):
2728         (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
2729         (JSC::FTL::LowerDFGToLLVM::compileValueRep):
2730         (JSC::FTL::LowerDFGToLLVM::compileInt52Rep):
2731         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
2732         (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
2733         (JSC::FTL::LowerDFGToLLVM::compileArithMul):
2734         (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
2735         (JSC::FTL::LowerDFGToLLVM::compileArithMod):
2736         (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
2737         (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
2738         (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
2739         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2740         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
2741         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
2742         (JSC::FTL::LowerDFGToLLVM::compare):
2743         (JSC::FTL::LowerDFGToLLVM::boolify):
2744         (JSC::FTL::LowerDFGToLLVM::lowInt52):
2745         (JSC::FTL::LowerDFGToLLVM::lowStrictInt52):
2746         (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52):
2747         (JSC::FTL::LowerDFGToLLVM::lowDouble):
2748         (JSC::FTL::LowerDFGToLLVM::lowJSValue):
2749         (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble):
2750         (JSC::FTL::LowerDFGToLLVM::jsValueToDouble):
2751         (JSC::FTL::LowerDFGToLLVM::speculate):
2752         (JSC::FTL::LowerDFGToLLVM::speculateNumber):
2753         (JSC::FTL::LowerDFGToLLVM::speculateDoubleReal):
2754         (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue): Deleted.
2755         (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble): Deleted.
2756         (JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue): Deleted.
2757         (JSC::FTL::LowerDFGToLLVM::speculateRealNumber): Deleted.
2758         (JSC::FTL::LowerDFGToLLVM::speculateMachineInt): Deleted.
2759         * ftl/FTLValueFormat.cpp:
2760         (JSC::FTL::reboxAccordingToFormat):
2761         * jit/AssemblyHelpers.cpp:
2762         (JSC::AssemblyHelpers::sanitizeDouble):
2763         * jit/AssemblyHelpers.h:
2764         (JSC::AssemblyHelpers::boxDouble):
2765
2766 2014-04-15  Commit Queue  <commit-queue@webkit.org>
2767
2768         Unreviewed, rolling out r167199 and r167251.
2769         https://bugs.webkit.org/show_bug.cgi?id=131678
2770
2771         Caused a DYEBench regression and does not seem to improve perf
2772         on relevant websites (Requested by rniwa on #webkit).
2773
2774         Reverted changesets:
2775
2776         "Rewrite Function.bind as a builtin"
2777         https://bugs.webkit.org/show_bug.cgi?id=131083
2778         http://trac.webkit.org/changeset/167199
2779
2780         "Update test result"
2781         http://trac.webkit.org/changeset/167251
2782
2783 2014-04-14  Commit Queue  <commit-queue@webkit.org>
2784
2785         Unreviewed, rolling out r167272.
2786         https://bugs.webkit.org/show_bug.cgi?id=131666
2787
2788         Broke multiple tests (Requested by ap on #webkit).
2789
2790         Reverted changeset:
2791
2792         "Function.bind itself is too slow"
2793         https://bugs.webkit.org/show_bug.cgi?id=131636
2794         http://trac.webkit.org/changeset/167272
2795
2796 2014-04-14  Geoffrey Garen  <ggaren@apple.com>
2797
2798         ASSERT when firing low memory warning
2799         https://bugs.webkit.org/show_bug.cgi?id=131659
2800
2801         Reviewed by Mark Hahnenberg.
2802
2803         * heap/Heap.cpp:
2804         (JSC::Heap::deleteAllCompiledCode): Allow deleteAllCompiledCode to be
2805         called when no GC is happening because that is what we do when a low
2806         memory warning fires, and it is harmless.
2807
2808 2014-04-14  Mark Hahnenberg  <mhahnenberg@apple.com>
2809
2810         emit_op_put_by_id should not emit a write barrier that filters on value
2811         https://bugs.webkit.org/show_bug.cgi?id=131654
2812
2813         Reviewed by Filip Pizlo.
2814
2815         The 32-bit implementation does this, and it can cause crashes if we later repatch the 
2816         code to allocate and store new Butterflies.
2817
2818         * jit/JITPropertyAccess.cpp:
2819         (JSC::JIT::emitWriteBarrier): We also weren't verifying that the base was a cell on 
2820         32-bit if we were passed ShouldFilterBase. I also took the liberty of sinking the tag 
2821         load down into the if statement so that we don't do it if we're not filtering on the value.
2822         * jit/JITPropertyAccess32_64.cpp:
2823         (JSC::JIT::emit_op_put_by_id):
2824
2825 2014-04-14  Oliver Hunt  <oliver@apple.com>
2826
2827         Function.bind itself is too slow
2828         https://bugs.webkit.org/show_bug.cgi?id=131636
2829
2830         Reviewed by Geoffrey Garen.
2831
2832         Rather than forcing creation of an activation, we now store
2833         bound function properties directly on the returned closure.
2834         This is necessary to deal with code that creates many function
2835         bindings, but does not call them very often.
2836
2837         This is a 60% speed up in the included js/regress test.
2838
2839         * builtins/BuiltinExecutables.cpp:
2840         (JSC::BuiltinExecutables::createBuiltinExecutable):
2841         * builtins/Function.prototype.js:
2842         (bind.bindingFunction):
2843         (bind.else.switch.case.1.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
2844         (bind.else.switch.case.1.bindingFunction):
2845         (bind.else.switch.case.2.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
2846         (bind.else.switch.case.2.bindingFunction):
2847         (bind.else.switch.case.3.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
2848         (bind.else.switch.case.3.bindingFunction):
2849         (bind.else.switch.bindingFunction):
2850         (bind):
2851         (bind.else.switch.case.1.bindingFunction.oversizedCall): Deleted.
2852         (bind.else.switch.case.2.bindingFunction.oversizedCall): Deleted.
2853         (bind.else.switch.case.3.bindingFunction.oversizedCall): Deleted.
2854         * runtime/CommonIdentifiers.h:
2855
2856 2014-04-14  Julien Brianceau  <jbriance@cisco.com>
2857
2858         [sh4] Allow use of SubImmediates in LLINT.
2859         https://bugs.webkit.org/show_bug.cgi?id=131608
2860
2861         Reviewed by Mark Lam.
2862
2863         Allow use of SubImmediates with const pool so the sh4 architecture can
2864         share the arm path for the setEntryAddress macro. It reduces architecture-
2865         specific code and leads to more optimal generated code for sh4.
2866
2867         * llint/LowLevelInterpreter.asm:
2868         * offlineasm/sh4.rb:
2869
2870 2014-04-14  Andreas Kling  <akling@apple.com>
2871
2872         Array.prototype.concat should allocate output storage only once.
2873         <https://webkit.org/b/131609>
2874
2875         Do a first pass across 'this' and any arguments to compute the
2876         final size of the resulting array from Array.prototype.concat.
2877         This avoids having to grow the output incrementally as we go.
2878
2879         This also includes two other micro-optimizations:
2880
2881         - Mark getProperty() with ALWAYS_INLINE.
2882
2883         - Use JSArray::length() instead of taking the generic property
2884           lookup path when we know an argument is an Array.
2885
2886         My MBP says ~3% progression on Dromaeo/jslib-traverse-jquery.
2887
2888         Reviewed by Oliver & Darin.
2889
2890         * runtime/ArrayPrototype.cpp:
2891         (JSC::getProperty):
2892         (JSC::arrayProtoFuncConcat):
2893
2894 2014-04-14  Commit Queue  <commit-queue@webkit.org>
2895
2896         Unreviewed, rolling out r167249.
2897         https://bugs.webkit.org/show_bug.cgi?id=131621
2898
2899         broke 3 tests on cloop (Requested by kling on #webkit).
2900
2901         Reverted changeset:
2902
2903         "Array.prototype.concat should allocate output storage only
2904         once."
2905         https://bugs.webkit.org/show_bug.cgi?id=131609
2906         http://trac.webkit.org/changeset/167249
2907
2908 2014-04-14  Alex Christensen  <achristensen@webkit.org>
2909
2910         Fixed potential integer truncation.
2911         https://bugs.webkit.org/show_bug.cgi?id=131615
2912
2913         Reviewed by Darin Adler.
2914
2915         * assembler/X86Assembler.h:
2916         (JSC::X86Assembler::fillNops):
2917         Truncate the size_t to an unsigned after it is limited to 15 instead of before.
2918
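        Added illustration (not JavaScriptCore code, and not the X86Assembler::fillNops
        change itself) of the narrowing-order bug class the entry above fixes: narrowing a
        wide byte count to a smaller unsigned type before clamping it to the maximum chunk
        size can turn a large count into a tiny or zero chunk, which in a chunked emitter
        means no progress. The narrow type is simulated as 8 bits via masking so the effect
        shows on small numbers; the 15-byte chunk limit is the one the entry names, and the
        helper names are hypothetical.

```javascript
// Constructed example: narrow-then-clamp (buggy order) beside clamp-then-narrow
// (fixed order), driven through a chunk planner that detects lack of progress.
// Hypothetical helpers; not JavaScriptCore's X86Assembler::fillNops.
const MAX_CHUNK = 15;      // longest chunk a single step may emit (from the entry)
const NARROW_MASK = 0xff;  // simulated narrow unsigned type: 8 bits instead of 32

// Simulates converting a wide count to the narrow unsigned type (high bits lost).
function narrow(n) {
  return n & NARROW_MASK;
}

// Buggy order: narrow first, clamp afterwards. A count that is a multiple of
// 256 narrows to 0, so the chunk size becomes 0 and the emitter makes no progress.
function chunkNarrowThenClamp(remaining) {
  return Math.min(narrow(remaining), MAX_CHUNK);
}

// Fixed order: clamp first, so the value being narrowed is always in [1, 15]
// and the conversion cannot lose anything.
function chunkClampThenNarrow(remaining) {
  return narrow(Math.min(remaining, MAX_CHUNK));
}

// Plans the sequence of chunk sizes needed to cover `total` bytes using the
// given chunk-size policy. Returns null if a step would make no progress,
// which in a real emitter would be an infinite loop or a bogus chunk.
function planChunks(total, chunkFn) {
  const plan = [];
  let remaining = total;
  while (remaining > 0) {
    const size = chunkFn(remaining);
    if (size <= 0 || size > remaining) return null; // stuck or over-emitting
    plan.push(size);
    remaining -= size;
  }
  return plan;
}

// Usage: 256 bytes is 17 chunks of 15 plus one chunk of 1 with the fixed order,
// but the buggy order narrows 256 to 0 and gets stuck on the first step.
planChunks(256, chunkClampThenNarrow); // [15, 15, ..., 15, 1]
planChunks(256, chunkNarrowThenClamp); // null
```

        The general point is that any narrowing conversion must happen after the value has
        been bounded to the narrow type's range, not before.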
2919 2014-04-14  Andreas Kling  <akling@apple.com>
2920
2921         Array.prototype.concat should allocate output storage only once.
2922         <https://webkit.org/b/131609>
2923
2924         Do a first pass across 'this' and any arguments to compute the
2925         final size of the resulting array from Array.prototype.concat.
2926         This avoids having to grow the output incrementally as we go.
2927
2928         This also includes two other micro-optimizations:
2929
2930         - Mark getProperty() with ALWAYS_INLINE.
2931
2932         - Use JSArray::length() instead of taking the generic property
2933           lookup path when we know an argument is an Array.
2934
2935         My MBP says ~3% progression on Dromaeo/jslib-traverse-jquery.
2936
2937         Reviewed by Darin Adler.
2938
2939         * runtime/ArrayPrototype.cpp:
2940         (JSC::getProperty):
2941         (JSC::arrayProtoFuncConcat):
2942
2943 2014-04-14  Benjamin Poulain  <benjamin@webkit.org>
2944
2945         [JSC] Improve the call site of string comparison in some hot path
2946         https://bugs.webkit.org/show_bug.cgi?id=131605
2947
2948         Reviewed by Darin Adler.
2949
2950         When resolved, the String of a JSString is never null. It can be empty but not null.
2951         The null value is reserved for ropes but those would be resolved when getting the value.
2952
2953         Consequently, we should use the equal() operation that does not handle null values.
2954         Using the StringImpl directly is already common in StringPrototype but it was not used here for some reason.
2955
2956         * jit/JITOperations.cpp:
2957         * runtime/JSCJSValueInlines.h:
2958         (JSC::JSValue::equalSlowCaseInline):
2959         (JSC::JSValue::strictEqualSlowCaseInline):
2960         (JSC::JSValue::pureStrictEqual):
2961
2962 2014-04-08  Oliver Hunt  <oliver@apple.com>
2963
2964         Rewrite Function.bind as a builtin
2965         https://bugs.webkit.org/show_bug.cgi?id=131083
2966
2967         Reviewed by Geoffrey Garen.
2968
2969         This change removes the existing function.bind implementation
2970         entirely so JSBoundFunction is no more.
2971
2972         Instead we just return a regular JS closure with a few
2973         private properties hanging off it that allow us to perform
2974         the necessary bound function fakery.  While most of this is
2975         simple, a couple of key changes:
2976
2977         - The parser and lexer now directly track whether they're
2978           parsing code for call or construct and convert the private
2979           name @IsConstructor into TRUETOK or FALSETOK as appropriate.
2980           This automatically gives us the ability to vary behaviour
2981           from within the builtin. It also leaves a lot of headroom
2982           for trivial future improvements.
2983         - The instanceof operator now uses the prototypeForHasInstance
2984           private name, and we have a helper function to ensure that
2985           all objects that need to can update their magical 'prototype'
2986           property pair correctly.
2987
2988         * API/JSScriptRef.cpp:
2989         (parseScript):
2990         * JavaScriptCore.xcodeproj/project.pbxproj:
2991         * builtins/BuiltinExecutables.cpp:
2992         (JSC::BuiltinExecutables::createBuiltinExecutable):
2993         * builtins/Function.prototype.js:
2994         (bind.bindingFunction):
2995         (bind.else.bindingFunction):
2996         (bind):
2997         * bytecode/UnlinkedCodeBlock.cpp:
2998         (JSC::generateFunctionCodeBlock):
2999         * bytecompiler/NodesCodegen.cpp:
3000         (JSC::InstanceOfNode::emitBytecode):
3001         * interpreter/Interpreter.cpp:
3002         * parser/Lexer.cpp:
3003         (JSC::Lexer<T>::Lexer):
3004         (JSC::Lexer<LChar>::parseIdentifier):
3005         (JSC::Lexer<UChar>::parseIdentifier):
3006         * parser/Lexer.h:
3007         * parser/Parser.cpp:
3008         (JSC::Parser<LexerType>::Parser):
3009         (JSC::Parser<LexerType>::parseInner):
3010         * parser/Parser.h:
3011         (JSC::parse):
3012         * parser/ParserModes.h:
3013         * runtime/CodeCache.cpp:
3014         (JSC::CodeCache::getGlobalCodeBlock):
3015         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
3016         * runtime/CommonIdentifiers.h:
3017         * runtime/Completion.cpp:
3018         (JSC::checkSyntax):
3019         * runtime/Executable.cpp:
3020         (JSC::ProgramExecutable::checkSyntax):
3021         * runtime/FunctionPrototype.cpp:
3022         (JSC::FunctionPrototype::addFunctionProperties):
3023         (JSC::functionProtoFuncBind): Deleted.
3024         * runtime/JSBoundFunction.cpp: Removed.
3025         * runtime/JSBoundFunction.h: Removed.
3026         * runtime/JSFunction.cpp:
3027         (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
3028         (JSC::RetrieveCallerFunctionFunctor::operator()):
3029         (JSC::retrieveCallerFunction):
3030         (JSC::JSFunction::getOwnPropertySlot):
3031         (JSC::JSFunction::defineOwnProperty):
3032         * runtime/JSGlobalObject.cpp:
3033         (JSC::JSGlobalObject::reset):
3034         * runtime/JSGlobalObjectFunctions.cpp:
3035         (JSC::globalFuncSetTypeErrorAccessor):
3036         * runtime/JSGlobalObjectFunctions.h:
3037         * runtime/JSObject.h:
3038         (JSC::JSObject::inlineGetOwnPropertySlot):
3039
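        Added illustration (not JavaScriptCore code, and not the builtins/Function.prototype.js
        implementation the entry above describes) of the bound-function semantics a closure-based
        bind has to reproduce: the closure carries the target, the bound `this` and the bound
        arguments as captured state, distinguishes a plain call from a construct (the role the
        entry gives to the @IsConstructor private name) and makes `instanceof` consult the
        target's prototype. The helper name `makeBound` and the sample constructor are assumptions.

```javascript
// Constructed example: a bound function built as a regular closure.
// Hypothetical helper; not the engine's builtin.
function makeBound(target, boundThis, ...boundArgs) {
  if (typeof target !== "function") {
    throw new TypeError("makeBound: target is not callable");
  }
  const bound = function (...callArgs) {
    const args = boundArgs.concat(callArgs);
    // Construct path: `new bound(...)` must construct the target and ignore
    // boundThis. new.target is how the closure learns it was invoked with `new`.
    if (new.target !== undefined) {
      const newTarget = new.target === bound ? target : new.target;
      return Reflect.construct(target, args, newTarget);
    }
    // Call path: run the target with the bound receiver.
    return Reflect.apply(target, boundThis, args);
  };
  // `x instanceof bound` must behave like `x instanceof target`.
  Object.defineProperty(bound, Symbol.hasInstance, {
    value: (value) => value instanceof target,
  });
  // Remaining arity and a descriptive name, as bound functions expose.
  Object.defineProperty(bound, "length", {
    value: Math.max(0, target.length - boundArgs.length),
  });
  Object.defineProperty(bound, "name", { value: "bound " + target.name });
  return bound;
}

// Sample constructor (constructed for this example).
function Point(x, y) {
  this.x = x;
  this.y = y;
}
Point.prototype.sum = function () {
  return this.x + this.y;
};

// Exercises both paths and returns the observations as plain values.
function demo() {
  const boundPoint = makeBound(Point, { ignored: true }, 1);
  const p = new boundPoint(2); // construct path: boundThis is ignored

  const receiver = {};
  const addTo = makeBound(function (a, b) { this.total = a + b; return this; }, receiver, 10);
  addTo(5); // call path: runs with boundThis as `this`

  return {
    constructed: p instanceof Point && p instanceof boundPoint && p.sum() === 3,
    called: receiver.total === 15,
    arity: boundPoint.length,
  };
}
```

        Usage: `demo()` returns `{ constructed: true, called: true, arity: 1 }`. The construct
        branch is the part that is easy to get wrong in a closure-based bind: without it, `new`
        on the bound function would create an object whose prototype chain comes from the
        closure rather than from the target.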
3040 2014-04-12  Filip Pizlo  <fpizlo@apple.com>
3041
3042         Math.fround() should be an intrinsic
3043         https://bugs.webkit.org/show_bug.cgi?id=131583
3044
3045         Reviewed by Geoffrey Garen.
3046         
3047         Makes programs that use Math.fround() run up to 6x faster.
3048
3049         * dfg/DFGAbstractInterpreterInlines.h:
3050         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3051         * dfg/DFGByteCodeParser.cpp:
3052         (JSC::DFG::ByteCodeParser::handleIntrinsic):
3053         * dfg/DFGCSEPhase.cpp:
3054         (JSC::DFG::CSEPhase::performNodeCSE):
3055         * dfg/DFGClobberize.h:
3056         (JSC::DFG::clobberize):
3057         * dfg/DFGFixupPhase.cpp:
3058         (JSC::DFG::FixupPhase::fixupNode):
3059         * dfg/DFGNodeType.h:
3060         * dfg/DFGPredictionPropagationPhase.cpp:
3061         (JSC::DFG::PredictionPropagationPhase::propagate):
3062         * dfg/DFGSafeToExecute.h:
3063         (JSC::DFG::safeToExecute):
3064         * dfg/DFGSpeculativeJIT32_64.cpp:
3065         (JSC::DFG::SpeculativeJIT::compile):
3066         * dfg/DFGSpeculativeJIT64.cpp:
3067         (JSC::DFG::SpeculativeJIT::compile):
3068         * ftl/FTLCapabilities.cpp:
3069         (JSC::FTL::canCompile):
3070         * ftl/FTLLowerDFGToLLVM.cpp:
3071         (JSC::FTL::LowerDFGToLLVM::compileNode):
3072         (JSC::FTL::LowerDFGToLLVM::compileArithFRound):
3073         * runtime/Intrinsic.h:
3074         * runtime/MathObject.cpp:
3075         (JSC::MathObject::finishCreation):
3076
3077 2014-04-12  Filip Pizlo  <fpizlo@apple.com>
3078
3079         FTL should use stackmap register liveness
3080         https://bugs.webkit.org/show_bug.cgi?id=130791
3081
3082         Reviewed by Geoffrey Garen.
3083         
3084         Enable the stackmap register liveness support by fixing the two last bugs:
3085         
3086         - If everything is dead after the patchpoint - a good possibility for a put_by_id -
3087           then we shouldn't crash due to a null scratch buffer.
3088         
3089         - Always consider callee-saves as if they were live. More precisely, we should
3090           consider those callee-saves that are not saved by the enclosing function to be live.
3091           For now we do the much simpler thing and consider callee-saves to be always live
3092           since it has minimal impact on the scratch register allocator. It will know not to
3093           preserve those for calls, anyway.
3094         
3095         I tried writing a test for the null scratch buffer thing, but failed. I will land the
3096         test anyway since it seems useful.
3097
3098         * ftl/FTLCompile.cpp:
3099         (JSC::FTL::usedRegistersFor):
3100         * jit/ScratchRegisterAllocator.cpp:
3101         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
3102         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
3103         * runtime/Options.h:
3104         * tests/stress/repeated-put-by-id-reallocating-transition.js: Added.
3105         (foo):
3106
3107 2014-04-11  Filip Pizlo  <fpizlo@apple.com>
3108
3109         DFG::FixupPhase should insert conversion nodes after the rest of fixup so that we know how the types settled
3110         https://bugs.webkit.org/show_bug.cgi?id=131424
3111
3112         Reviewed by Geoffrey Garen.
3113         
3114         This defers type conversion injection until we've decided on types. This makes the
3115         process of deciding types a bit more flexible - for example we can naturally fixpoint
3116         and change our minds. Only when things are settled do we actually insert conversions.
3117         
3118         This is a necessary prerequisite for keeping double, int52, and JSValue data flow
3119         separate. A SetLocal/GetLocal will appear to be JSValue until we fixpoint and realize
3120         that there are typed uses. If we were eagerly inserting type conversions then we would
3121         first insert a to/from-JSValue conversion in some cases only to then replace it by
3122         the other conversions. It's probably trivial to remove those redundant conversions later
3123         but I think it's better if we don't insert them to begin with.
3124
3125         * bytecode/CodeOrigin.h:
3126         (JSC::CodeOrigin::operator!):
3127         * dfg/DFGFixupPhase.cpp:
3128         (JSC::DFG::FixupPhase::run):
3129         (JSC::DFG::FixupPhase::fixupBlock):
3130         (JSC::DFG::FixupPhase::fixupNode):
3131         (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
3132         (JSC::DFG::FixupPhase::fixEdge):
3133         (JSC::DFG::FixupPhase::fixIntEdge):
3134         (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
3135         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
3136         (JSC::DFG::FixupPhase::addRequiredPhantom):
3137         (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
3138         (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
3139         (JSC::DFG::FixupPhase::observeUntypedEdge): Deleted.
3140         (JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock): Deleted.
3141         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode): Deleted.
3142
3143 2014-04-11  Brian J. Burg  <burg@cs.washington.edu>
3144
3145         Web Replay: code generator should consider enclosing class when computing duplicate type names
3146         https://bugs.webkit.org/show_bug.cgi?id=131554
3147
3148         Reviewed by Timothy Hatcher.
3149
3150         We need to prepend an enum's enclosing class, if any, so that multiple enums with the same name
3151         can coexist without triggering a "duplicate types" error. Now, such enums must be referenced
3152         by the enclosing class and enum name.
3153
3154         Added tests for the new syntax, and rebaselined one test to reflect a previous patch's change.
3155
3156         * replay/scripts/CodeGeneratorReplayInputs.py:
3157         (Type.type_name): Prepend the enclosing class name.
3158         (Type.type_name.is):
3159         * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Added.
3160         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Added.
3161         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Added.
3162         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Rebaseline.
3163         * replay/scripts/tests/fail-on-duplicate-enum-type.json: Added.
3164         * replay/scripts/tests/generate-enums-with-same-base-name.json: Added.
3165
3166 2014-04-11  Gavin Barraclough  <baraclough@apple.com>
3167
3168         Rollout - Rewrite Function.bind as a builtin
3169         https://bugs.webkit.org/show_bug.cgi?id=131083
3170
3171         Unreviewed.
3172
3173         Rolling out r167020 while investigating a performance regression.
3174
3175         * API/JSObjectRef.cpp:
3176         (JSObjectMakeConstructor):
3177         * API/JSScriptRef.cpp:
3178         (parseScript):
3179         * CMakeLists.txt:
3180         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3181         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3182         * JavaScriptCore.xcodeproj/project.pbxproj:
3183         * builtins/BuiltinExecutables.cpp:
3184         (JSC::BuiltinExecutables::createBuiltinExecutable):
3185         * builtins/Function.prototype.js:
3186         (apply):
3187         (bind.bindingFunction): Deleted.
3188         (bind.else.bindingFunction): Deleted.
3189         (bind): Deleted.
3190         * bytecode/UnlinkedCodeBlock.cpp:
3191         (JSC::generateFunctionCodeBlock):
3192         * bytecompiler/NodesCodegen.cpp:
3193         (JSC::InstanceOfNode::emitBytecode):
3194         * interpreter/Interpreter.cpp:
3195         * parser/Lexer.cpp:
3196         (JSC::Lexer<T>::Lexer):
3197         (JSC::Lexer<LChar>::parseIdentifier):
3198         (JSC::Lexer<UChar>::parseIdentifier):
3199         * parser/Lexer.h:
3200         * parser/Parser.cpp:
3201         (JSC::Parser<LexerType>::Parser):
3202         (JSC::Parser<LexerType>::parseInner):
3203         * parser/Parser.h:
3204         (JSC::parse):
3205         * parser/ParserModes.h:
3206         * runtime/ArgumentsIteratorConstructor.cpp:
3207         (JSC::ArgumentsIteratorConstructor::finishCreation):
3208         * runtime/ArrayConstructor.cpp:
3209         (JSC::ArrayConstructor::finishCreation):
3210         * runtime/BooleanConstructor.cpp:
3211         (JSC::BooleanConstructor::finishCreation):
3212         * runtime/CodeCache.cpp:
3213         (JSC::CodeCache::getGlobalCodeBlock):
3214         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
3215         * runtime/CommonIdentifiers.h:
3216         * runtime/Completion.cpp:
3217         (JSC::checkSyntax):
3218         * runtime/DateConstructor.cpp:
3219         (JSC::DateConstructor::finishCreation):
3220         * runtime/ErrorConstructor.cpp:
3221         (JSC::ErrorConstructor::finishCreation):
3222         * runtime/Executable.cpp:
3223         (JSC::ProgramExecutable::checkSyntax):
3224         * runtime/FunctionConstructor.cpp:
3225         (JSC::FunctionConstructor::finishCreation):
3226         * runtime/FunctionPrototype.cpp:
3227         (JSC::FunctionPrototype::addFunctionProperties):
3228         (JSC::functionProtoFuncBind):
3229         * runtime/JSArrayBufferConstructor.cpp:
3230         (JSC::JSArrayBufferConstructor::finishCreation):
3231         * runtime/JSBoundFunction.cpp: Added.
3232         (JSC::boundFunctionCall):
3233         (JSC::boundFunctionConstruct):
3234         (JSC::JSBoundFunction::create):
3235         (JSC::JSBoundFunction::destroy):
3236         (JSC::JSBoundFunction::customHasInstance):
3237         (JSC::JSBoundFunction::JSBoundFunction):
3238         (JSC::JSBoundFunction::finishCreation):
3239         (JSC::JSBoundFunction::visitChildren):
3240         * runtime/JSBoundFunction.h: Added.
3241         (JSC::JSBoundFunction::targetFunction):
3242         (JSC::JSBoundFunction::boundThis):
3243         (JSC::JSBoundFunction::boundArgs):
3244         (JSC::JSBoundFunction::createStructure):
3245         * runtime/JSFunction.cpp:
3246         (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
3247         (JSC::RetrieveCallerFunctionFunctor::operator()):
3248         (JSC::retrieveCallerFunction):
3249         (JSC::JSFunction::getOwnPropertySlot):
3250         (JSC::JSFunction::getOwnNonIndexPropertyNames):
3251         (JSC::JSFunction::put):
3252         (JSC::JSFunction::defineOwnProperty):
3253         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
3254         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
3255         * runtime/JSGlobalObject.cpp:
3256         (JSC::JSGlobalObject::reset):
3257         * runtime/JSGlobalObjectFunctions.cpp:
3258         (JSC::globalFuncSetTypeErrorAccessor): Deleted.
3259         * runtime/JSGlobalObjectFunctions.h:
3260         * runtime/JSObject.cpp:
3261         (JSC::JSObject::putDirectPrototypeProperty): Deleted.
3262         (JSC::JSObject::putDirectPrototypePropertyWithoutTransitions): Deleted.
3263         * runtime/JSObject.h:
3264         * runtime/JSPromiseConstructor.cpp:
3265         (JSC::JSPromiseConstructor::finishCreation):
3266         * runtime/MapConstructor.cpp:
3267         (JSC::MapConstructor::finishCreation):
3268         * runtime/MapIteratorConstructor.cpp:
3269         (JSC::MapIteratorConstructor::finishCreation):
3270         * runtime/NameConstructor.cpp:
3271         (JSC::NameConstructor::finishCreation):
3272         * runtime/NativeErrorConstructor.cpp:
3273         (JSC::NativeErrorConstructor::finishCreation):
3274         * runtime/NumberConstructor.cpp:
3275         (JSC::NumberConstructor::finishCreation):
3276         * runtime/ObjectConstructor.cpp:
3277         (JSC::ObjectConstructor::finishCreation):
3278         * runtime/RegExpConstructor.cpp:
3279         (JSC::RegExpConstructor::finishCreation):
3280         * runtime/SetConstructor.cpp:
3281         (JSC::SetConstructor::finishCreation):
3282         * runtime/SetIteratorConstructor.cpp:
3283         (JSC::SetIteratorConstructor::finishCreation):
3284         * runtime/StringConstructor.cpp:
3285         (JSC::StringConstructor::finishCreation):
3286         * runtime/WeakMapConstructor.cpp:
3287         (JSC::WeakMapConstructor::finishCreation):
3288
3289 2014-04-11  David Kilzer  <ddkilzer@apple.com>
3290
3291         [ASan] Build broke because libCompileRuntimeToLLVMIR.a links to libclang_rt.asan_osx_dynamic.dylib
3292         <http://webkit.org/b/131556>
3293         <rdar://problem/16591856>
3294
3295         Reviewed by Brent Fulgham.
3296
3297         * Configurations/CompileRuntimeToLLVMIR.xcconfig: Clear
3298         OTHER_LDFLAGS so the ASan build does not try to link to
3299         libclang_rt.asan_osx_dynamic.dylib.
3300
3301 2014-04-11  Mark Lam  <mark.lam@apple.com>
3302
3303         JSMainThreadExecState::call() should clear exceptions before returning.
3304         <https://webkit.org/b/131530>
3305
3306         Reviewed by Geoffrey Garen.
3307
3308         Added a version of JSC::call() that returns any uncaught exception instead
3309         of leaving it pending in the VM.
3310
3311         As part of this change, I updated various parts of the code base to use the
3312         new API as needed.
3313
3314         * bindings/ScriptFunctionCall.cpp:
3315         (Deprecated::ScriptFunctionCall::call):
3316         - ScriptFunctionCall::call() is only used by the inspector to inject scripts.
3317           The injected scripts will include Inspector scripts that should catch
3318           and handle any exceptions that were thrown.  We should not be seeing any
3319           exceptions returned from this call.  However, we do have checks for
3320           exceptions in case there are bugs in the Inspector scripts which allowed
3321           the exception to leak through.  Hence, it is proper to clear the exception
3322           here, and only record the fact that an exception was seen (if present).
3323
3324         * bindings/ScriptFunctionCall.h:
3325         * inspector/InspectorEnvironment.h:
3326         * runtime/CallData.cpp:
3327         (JSC::call):
3328         * runtime/CallData.h:
3329
3330 2014-04-11  Oliver Hunt  <oliver@apple.com>
3331
3332         Add BuiltinLog function to make debugging builtins easier
3333         https://bugs.webkit.org/show_bug.cgi?id=131550
3334
3335         Reviewed by Andreas Kling.
3336
3337         Add a logging function that builtins can use for debugging.
3338
3339         * runtime/CommonIdentifiers.h:
3340         * runtime/JSGlobalObject.cpp:
3341         (JSC::JSGlobalObject::reset):
3342         * runtime/JSGlobalObjectFunctions.cpp:
3343         (JSC::globalFuncBuiltinLog):
3344         * runtime/JSGlobalObjectFunctions.h:
3345
3346 2014-04-11  Julien Brianceau  <jbriance@cisco.com>
3347
3348         Fix LLInt for sh4 architecture (broken since C stack merge).
3349         https://bugs.webkit.org/show_bug.cgi?id=131532
3350
3351         Reviewed by Mark Lam.
3352
3353         This patch fixes the build and also implements sh4 parts for initPCRelative and
3354         setEntryAddress macros introduced in http://trac.webkit.org/changeset/167094.
3355
3356         * llint/LowLevelInterpreter.asm:
3357         * llint/LowLevelInterpreter32_64.asm:
3358         * offlineasm/instructions.rb:
3359         * offlineasm/sh4.rb:
3360
3361 2014-04-10  Michael Saboff  <msaboff@apple.com>
3362
3363         Crash beneath DFG JIT code @ video.disney.com
3364         https://bugs.webkit.org/show_bug.cgi?id=131447
3365
3366         Reviewed by Geoffrey Garen.
3367
3368         The 32-bit path of speculateMisc() uses an 'is not int32' check followed by
3369         'tag not less than Undefined' check.  The first check was incorrectly elided if we
3370         knew that the value *was* an int32, when it should have been elided if we already
3371         knew that the value *was not* an int32.
3372
3373         * dfg/DFGSpeculativeJIT.cpp:
3374         (JSC::DFG::SpeculativeJIT::speculateMisc):
3375         * tests/stress/test-spec-misc.js: Added test.
3376         (getX):
3377         (foo):
3378         (bar):
3379
3380 2014-04-08  Filip Pizlo  <fpizlo@apple.com>
3381
3382         Make room for additional types in SpeculatedType.h
3383         https://bugs.webkit.org/show_bug.cgi?id=131422
3384
3385         Reviewed by Sam Weinig.
3386         
3387         This'll make it easier to add DoubleHeavyNaN and DoubleEmptyNaN.
3388
3389         * bytecode/SpeculatedType.h:
3390
3391 2014-04-10  Alex Christensen  <achristensen@webkit.org>
3392
3393         Compile fix for Win64.
3394         https://bugs.webkit.org/show_bug.cgi?id=131508
3395
3396         Reviewed by Geoffrey Garen.
3397
3398         * assembler/X86Assembler.h:
3399         (JSC::X86Assembler::fillNops):
3400         Added unsigned template parameter to distinguish between size_t and unsigned long.
3401
3402 2014-04-10  Michael Saboff  <msaboff@apple.com>
3403