1d293f3f529b5f5181ddec4bd0af0a7b2cd4a975
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-07-03  Filip Pizlo  <fpizlo@apple.com>

        SSA DCE should process blocks in forward order
        https://bugs.webkit.org/show_bug.cgi?id=134611

        Reviewed by Andreas Kling.

        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::run):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
        * tests/stress/dead-value-with-mov-hint-in-another-block.js: Added.
        (foo):

2014-07-03  Filip Pizlo  <fpizlo@apple.com>

        JSActivation::symbolTablePut() should invalidate variable watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=134602

        Reviewed by Oliver Hunt.

        Usually stores to captured variables cause us to invalidate the variable watchpoint because CodeBlock does so
        during linking - we essentially assume that if it's at all possible for an inner function to store to a
        variable we declare then this variable cannot be a constant. But this misses the dynamic store case, i.e.
        JSActivation::symbolTablePut(). Part of the problem here is that JSActivation duplicates
        JSSymbolTableObject's symbolTablePut() logic, which did have the invalidation. This patch keeps that code
        duplicated, but fixes JSActivation::symbolTablePut() to do the right thing.

        * runtime/JSActivation.cpp:
        (JSC::JSActivation::symbolTablePut):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTablePut):
        * tests/stress/constant-closure-var-with-dynamic-invalidation.js: Added.
        (.):

2014-07-01  Mark Lam  <mark.lam@apple.com>

        Debugger's breakpoint list should not be a Vector.
        <https://webkit.org/b/134514>

        Reviewed by Geoffrey Garen.

        The debugger currently stores breakpoint data as entries in a Vector (see
        BreakpointsInLine).  It also keeps a fast map lookup of breakpoint IDs to
        the breakpoint data (see m_breakpointIDToBreakpoint).  Because a Vector can
        compact or reallocate its backing store, this can cause all sorts of havoc.
        The m_breakpointIDToBreakpoint map assumes that the breakpoint data doesn't
        move in memory.

        The fix is to replace the BreakpointsInLine Vector with a BreakpointsList
        doubly linked list.

        * debugger/Breakpoint.h:
        (JSC::Breakpoint::Breakpoint):
        (JSC::BreakpointsList::~BreakpointsList):
        * debugger/Debugger.cpp:
        (JSC::Debugger::setBreakpoint):
        (JSC::Debugger::removeBreakpoint):
        (JSC::Debugger::hasBreakpoint):
        * debugger/Debugger.h:

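The hazard described in the entry above (an ID map pointing into a Vector that reallocates), as an added example that is not WebKit's code: Breakpoint, VectorStore and ListStore are hypothetical stand-ins for Breakpoint, BreakpointsInLine/m_breakpointIDToBreakpoint and the BreakpointsList fix; std::list plays the role of the doubly linked list.

```cpp
// Added example, not WebKit code.  It shows why a side map that records where
// each element of a std::vector lives goes stale as soon as the vector grows,
// and how a node-based container keeps element addresses stable.
#include <cstddef>
#include <cstdint>
#include <list>
#include <unordered_map>
#include <vector>

struct Breakpoint {
    unsigned id;
    unsigned line;
};

// Unsafe layout (hypothetical stand-in for BreakpointsInLine): breakpoints live
// inline in a vector, and a map from breakpoint ID records the address each
// one had when it was inserted.  Every push_back that grows the backing store
// moves all elements, so the recorded addresses (the raw pointers that
// m_breakpointIDToBreakpoint would hold) now point at freed memory.
struct VectorStore {
    std::vector<Breakpoint> breakpoints;
    std::unordered_map<unsigned, std::uintptr_t> idToAddress;

    void add(unsigned id, unsigned line) {
        breakpoints.push_back({id, line});
        idToAddress[id] = reinterpret_cast<std::uintptr_t>(&breakpoints.back());
    }

    // Count IDs whose recorded address no longer matches the element's current
    // address.  Only integers are compared, so no stale pointer is dereferenced.
    std::size_t staleEntries() const {
        std::size_t stale = 0;
        for (const Breakpoint& bp : breakpoints) {
            if (idToAddress.at(bp.id) != reinterpret_cast<std::uintptr_t>(&bp))
                ++stale;
        }
        return stale;
    }
};

// Safe layout (stand-in for BreakpointsList): a doubly linked list allocates
// one node per breakpoint, so inserting or removing other breakpoints never
// moves an existing node.  A pointer in the ID map stays valid until that exact
// breakpoint is removed, and removal erases the map entry first.
struct ListStore {
    std::list<Breakpoint> breakpoints;
    std::unordered_map<unsigned, Breakpoint*> idToBreakpoint;

    void add(unsigned id, unsigned line) {
        breakpoints.push_back({id, line});
        idToBreakpoint[id] = &breakpoints.back();
    }

    bool remove(unsigned id) {
        auto it = idToBreakpoint.find(id);
        if (it == idToBreakpoint.end())
            return false;
        Breakpoint* target = it->second;
        idToBreakpoint.erase(it);
        for (auto node = breakpoints.begin(); node != breakpoints.end(); ++node) {
            if (&*node == target) {
                breakpoints.erase(node);  // frees only this node
                return true;
            }
        }
        return false;
    }

    // Every mapped pointer must still address a live node carrying its own ID.
    bool pointersConsistent() const {
        for (const auto& entry : idToBreakpoint) {
            if (entry.second->id != entry.first)
                return false;
        }
        return true;
    }
};

// Insert `count` breakpoints and report how many recorded addresses went stale.
std::size_t staleAfterInserts(std::size_t count) {
    VectorStore store;
    for (std::size_t i = 0; i < count; ++i)
        store.add(static_cast<unsigned>(i), 100 + static_cast<unsigned>(i));
    return store.staleEntries();
}

// Insert `count` breakpoints, remove one from the middle, and check that every
// remaining pointer still resolves to the right node.
bool listStaysConsistent(std::size_t count) {
    ListStore store;
    for (std::size_t i = 0; i < count; ++i)
        store.add(static_cast<unsigned>(i), 100 + static_cast<unsigned>(i));
    store.remove(static_cast<unsigned>(count / 2));
    return store.pointersConsistent() && store.breakpoints.size() == count - 1;
}
```
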
2014-06-30  Michael Saboff  <msaboff@apple.com>

        Add option to run-jsc-stress-tests to filter out tests that use large heaps
        https://bugs.webkit.org/show_bug.cgi?id=134458

        Reviewed by Filip Pizlo.

        Added test to skip js1_5/Regress/regress-159334.js when testing on a memory limited device.

        * tests/mozilla/mozilla-tests.yaml:

2014-06-30  Daniel Bates  <dabates@apple.com>

        Avoid copying closed variables vector; actually use move semantics

        Rubber-stamped by Oliver Hunt.

        Currently we always copy the closed variables vector passed by Parser::closedVariables()
        to ProgramNode::setClosedVariables() because these member functions return and take a const
        rvalue reference, respectively. Instead, these member functions should take and return a
        non-constant rvalue reference so that we actually move the closed variables vector from the
        Parser object to the Node object.

        * parser/Nodes.cpp:
        (JSC::ProgramNode::setClosedVariables): Remove const qualifier for argument.
        * parser/Nodes.h:
        (JSC::ScopeNode::setClosedVariables): Ditto.
        * parser/Parser.h:
        (JSC::Parser::closedVariables): Remove const qualifier on return type.
        (JSC::parse): Remove extraneous call to std::move(). Calling std::move() is unnecessary here
        because Parser::closedVariables() returns an rvalue reference.

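The copy-versus-move point in the entry above, as an added example that is not WebKit's code: Tracked, ConstRvalueParser, ConstRvalueNode, MovingParser and MovingNode are hypothetical stand-ins for the Vector, Parser and ProgramNode types the entry names.

```cpp
// Added example, not WebKit code.  A `const T&&` cannot bind to the `T&&`
// parameter of a move constructor or move assignment operator, so overload
// resolution silently falls back to the copying overload.  Dropping the const
// qualifier on both the getter's return type and the setter's parameter is
// what lets the vector actually move.
#include <string>
#include <utility>
#include <vector>

// A vector-like payload that records whether its last transfer copied or moved.
struct Tracked {
    std::vector<std::string> names;
    bool wasMoved = false;

    Tracked() = default;
    Tracked(const Tracked& other) : names(other.names), wasMoved(false) {}
    Tracked(Tracked&& other) noexcept : names(std::move(other.names)), wasMoved(true) {}
    Tracked& operator=(const Tracked& other) {
        names = other.names;
        wasMoved = false;
        return *this;
    }
    Tracked& operator=(Tracked&& other) noexcept {
        names = std::move(other.names);
        wasMoved = true;
        return *this;
    }
};

// Before the fix: const rvalue references on both sides.
struct ConstRvalueParser {
    Tracked closed;
    const Tracked&& closedVariables() { return std::move(closed); }
};
struct ConstRvalueNode {
    Tracked closed;
    // std::move(vars) yields `const Tracked&&`; only operator=(const Tracked&)
    // can bind to it, so this is a copy despite the std::move.
    void setClosedVariables(const Tracked&& vars) { closed = std::move(vars); }
};

// After the fix: non-const rvalue references, so the move overloads are chosen.
struct MovingParser {
    Tracked closed;
    Tracked&& closedVariables() { return std::move(closed); }
};
struct MovingNode {
    Tracked closed;
    void setClosedVariables(Tracked&& vars) { closed = std::move(vars); }
};

// Returns true only if the payload was moved rather than copied.
bool constRvalueTransferMoves() {
    ConstRvalueParser parser;
    parser.closed.names = {"a", "b"};
    ConstRvalueNode node;
    node.setClosedVariables(parser.closedVariables());
    return node.closed.wasMoved && node.closed.names.size() == 2;
}

bool nonConstRvalueTransferMoves() {
    MovingParser parser;
    parser.closed.names = {"a", "b"};
    MovingNode node;
    // closedVariables() already returns an rvalue reference, so wrapping the
    // call in std::move() would be redundant, as the entry's last point notes.
    node.setClosedVariables(parser.closedVariables());
    return node.closed.wasMoved && node.closed.names.size() == 2;
}
```
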
2014-06-30  Joseph Pecoraro  <pecoraro@apple.com>

        JSContext Inspection: Provide a way to use a non-Main RunLoop for Inspector JavaScript Evaluations
        https://bugs.webkit.org/show_bug.cgi?id=134371

        Reviewed by Timothy Hatcher.

        * API/JSContextPrivate.h:
        * API/JSContext.mm:
        (-[JSContext _debuggerRunLoop]):
        (-[JSContext _setDebuggerRunLoop:]):
        Private API for setting the CFRunLoop for a debugger to evaluate in.

        * API/JSContextRefInternal.h: Added.
        * API/JSContextRef.cpp:
        (JSGlobalContextGetDebuggerRunLoop):
        (JSGlobalContextSetDebuggerRunLoop):
        Internal API for setting a CFRunLoop on a JSContextRef.
        Set this on the debuggable.

        * inspector/remote/RemoteInspectorDebuggable.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        (Inspector::RemoteInspectorBlock::RemoteInspectorBlock):
        (Inspector::RemoteInspectorBlock::~RemoteInspectorBlock):
        (Inspector::RemoteInspectorBlock::operator=):
        (Inspector::RemoteInspectorBlock::operator()):
        Moved into the header.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::inspectorDebuggable):
        Let's store the RunLoop on the debuggable instead of this core
        platform agnostic class, so expose the debuggable.

        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorHandleRunSourceGlobal):
        (Inspector::RemoteInspectorQueueTaskOnGlobalQueue):
        (Inspector::RemoteInspectorInitializeGlobalQueue):
        Rename the global functions for clarity.

        (Inspector::RemoteInspectorHandleRunSourceWithInfo):
        Handler for private run loops.

        (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
        (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
        (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
        (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):
        (Inspector::RemoteInspectorDebuggableConnection::teardownRunLoop):
        (Inspector::RemoteInspectorDebuggableConnection::queueTaskOnPrivateRunLoop):
        Set up, tear down and use private run loop sources if the debuggable needs it.

2014-06-30  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>

        Add missing ENABLE(DFG_JIT) guards
        https://bugs.webkit.org/show_bug.cgi?id=134444

        Reviewed by Darin Adler.

        * dfg/DFGFunctionWhitelist.cpp:
        * dfg/DFGFunctionWhitelist.h:

2014-06-29  Yoav Weiss  <yoav@yoav.ws>

        Add support for HTMLImageElement's sizes attribute
        https://bugs.webkit.org/show_bug.cgi?id=133620

        Reviewed by Dean Jackson.

        Added an ENABLE_PICTURE_SIZES compile flag.

        * Configurations/FeatureDefines.xcconfig:

2014-06-27  Filip Pizlo  <fpizlo@apple.com>

        Don't fold a UInt32ToNumber with DoOverflow to Identity since that would result in an Identity that takes an Int32 and returns a DoubleRep
        https://bugs.webkit.org/show_bug.cgi?id=134412

        Reviewed by Mark Hahnenberg.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::setReplacement):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * tests/stress/uint32-to-number-fold-constant-with-do-overflow.js: Added.
        (foo):
        (bar):
        (baz):

2014-06-27  Peyton Randolph  <prandolph@apple.com>

        Add feature flag for link long-press gesture.
        https://bugs.webkit.org/show_bug.cgi?id=134262

        Reviewed by Enrica Casucci.

        * Configurations/FeatureDefines.xcconfig:
        Add ENABLE_LINK_LONG_PRESS.

2014-06-27  László Langó  <llango.u-szeged@partner.samsung.com>

        [JavaScriptCore] FTL buildfix for EFL platform.
        https://bugs.webkit.org/show_bug.cgi?id=133546

        Reviewed by Darin Adler.

        * ftl/FTLAbstractHeap.cpp:
        (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::forStackmaps):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::opposite):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Constant::dump):
        * llvm/InitializeLLVMPOSIX.cpp:
        (JSC::initializeLLVMPOSIX):

2014-06-26  Benjamin Poulain  <benjamin@webkit.org>

        iOS 8 beta 2 ES6 'Set' clear() broken
        https://bugs.webkit.org/show_bug.cgi?id=134346

        Reviewed by Oliver Hunt.

        The object map was not cleared :(.

        Kudos to Ashley Gullen for tracking this and making a regression test.
        Credit to Oliver for finding the missing code.

        * runtime/MapData.h:
        (JSC::MapData::clear):

2014-06-25  Brent Fulgham  <bfulgham@apple.com>

        [Win] Expose Cache Information to WinLauncher
        https://bugs.webkit.org/show_bug.cgi?id=134318

        Reviewed by Dean Jackson.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing
        MemoryStatistics files to the Windows build.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-06-26  David Kilzer  <ddkilzer@apple.com>

        DFG::FunctionWhitelist::parseFunctionNamesInFile does not close file
        <http://webkit.org/b/134343>
        <rdar://problem/17459487>

        Reviewed by Michael Saboff.

        * dfg/DFGFunctionWhitelist.cpp:
        (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
        Close the file handle, and log an error on failure.

2014-06-25  Dana Burkart  <dburkart@apple.com>

        Add support for 5-tuple versioning.

        Reviewed by David Farler.

        * Configurations/Version.xcconfig:

2014-06-25  Geoffrey Garen  <ggaren@apple.com>

        Build fix.

        Unreviewed.

        * runtime/JSDateMath.cpp:
        (JSC::parseDateFromNullTerminatedCharacters):
        * runtime/VM.cpp:
        (JSC::VM::resetDateCache): Use std::numeric_limits instead of QNaN
        constant since that constant doesn't exist anymore.

2014-06-25  Geoffrey Garen  <ggaren@apple.com>

        Unreviewed, rolling out r166876.

        Caused some ECMA test262 failures

        Reverted changeset:

        "Date object needs to check for ES5 15.9.1.14 TimeClip limit."
        https://bugs.webkit.org/show_bug.cgi?id=131248
        http://trac.webkit.org/changeset/166876

2014-06-25  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed gardening.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Update to
        put various files in proper IDE categories.

2014-06-25  peavo@outlook.com  <peavo@outlook.com>

        [Win64] ASM LLINT is not enabled.
        https://bugs.webkit.org/show_bug.cgi?id=130638

        This patch adds a new LLINT assembler backend for Win64, and implements it.
        It makes adjustments to follow the Win64 ABI spec where it's found to be needed.
        Also, LLINT and JIT are enabled for Win64.

        Reviewed by Mark Lam.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added JITStubsMSVC64.asm.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
        * JavaScriptCore/JavaScriptCore.vcxproj/jsc/jscCommon.props: Increased stack size to avoid stack overflow in tests.
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Generate assembler source file for Win64.
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::call): Follow Win64 ABI spec.
        * jit/JITStubsMSVC64.asm: Added.
        * jit/Repatch.cpp:
        (JSC::emitPutTransitionStub): Compile fix.
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator): Follow Win64 ABI spec.
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions): Ditto.
        * llint/LLIntOfflineAsmConfig.h: Enable new llint backend for Win64.
        * llint/LowLevelInterpreter.asm: Implement new Win64 backend, and follow Win64 ABI spec.
        * llint/LowLevelInterpreter64.asm: Ditto.
        * offlineasm/asm.rb: Compile fix.
        * offlineasm/backends.rb: Add new llint backend for Win64.
        * offlineasm/settings.rb: Compile fix.
        * offlineasm/x86.rb: Implement new llint Win64 backend.

2014-06-25  Laszlo Gombos  <l.gombos@samsung.com>

        Remove build guard for progress element
        https://bugs.webkit.org/show_bug.cgi?id=134292

        Reviewed by Benjamin Poulain.

        * Configurations/FeatureDefines.xcconfig:

2014-06-24  Michael Saboff  <msaboff@apple.com>

        Add support routines to provide descriptive JavaScript backtraces
        https://bugs.webkit.org/show_bug.cgi?id=134278

        Reviewed by Mark Lam.

        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::dump):
        (JSC::CallFrame::describeFrame):
        * interpreter/CallFrame.h:
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpForBacktrace):
        * runtime/JSCJSValue.h:

2014-06-24  Brady Eidson  <beidson@apple.com>

        Enable GAMEPAD in the Mac build, but disabled at runtime.
        https://bugs.webkit.org/show_bug.cgi?id=134255

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig:

        * runtime/JSObject.h: Export JSObject::removeDirect() to allow disabling
          functions at runtime.

2014-06-24  Mark Hahnenberg  <mhahnenberg@apple.com>

        REGRESSION (r169703): Invalid cast in JSC::asGetterSetter / JSC::JSObject::defineOwnNonIndexProperty
        https://bugs.webkit.org/show_bug.cgi?id=134046

        Reviewed by Filip Pizlo.

        * runtime/GetterSetter.h:
        (JSC::asGetterSetter):
        * runtime/JSObject.cpp:
        (JSC::JSObject::defineOwnNonIndexProperty): We need to check for a CustomGetterSetter here as well as
        a normal GetterSetter. If we encounter a CustomGetterSetter, we delete it, create a new normal GetterSetter,
        and insert it like normal. We also need to check for CustomAccessors when checking for unconfigurable properties.

2014-06-24  Brent Fulgham  <bfulgham@apple.com>

        [Win] MSVC mishandles enums in bitfields
        https://bugs.webkit.org/show_bug.cgi?id=134237

        Reviewed by Michael Saboff.

        Replace uses of enum types in bit fields with unsigned to
        avoid losing a bit to hold the sign value. This can result
        in Windows interpreting the value of the field improperly.

        * bytecode/StructureStubInfo.h:
        * parser/Nodes.h:

2014-06-23  Andreas Kling  <akling@apple.com>

        Inline the UnlinkedInstructionStream::Reader logic.
        <https://webkit.org/b/134203>

        This class is only used by CodeBlock to unpack the unlinked instructions,
        and we were spending 0.5% of total time on PLT calling Reader::next().
        Move the logic to the header file and mark it ALWAYS_INLINE.

        Reviewed by Geoffrey Garen.

        * bytecode/UnlinkedInstructionStream.cpp:
        * bytecode/UnlinkedInstructionStream.h:
        (JSC::UnlinkedInstructionStream::Reader::Reader):
        (JSC::UnlinkedInstructionStream::Reader::read8):
        (JSC::UnlinkedInstructionStream::Reader::read32):
        (JSC::UnlinkedInstructionStream::Reader::next):

2014-06-20  Sam Weinig  <sam@webkit.org>

        Remove static tables for bindings that use eager reification
        https://bugs.webkit.org/show_bug.cgi?id=134126

        Reviewed by Oliver Hunt.

        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectCustomAccessor):
        * runtime/Structure.h:
        (JSC::Structure::setHasCustomGetterSetterProperties):
        Change setHasCustomGetterSetterProperties to behave like setHasGetterSetterProperties, and set
        the m_hasReadOnlyOrGetterSetterPropertiesExcludingProto bit if the property is not __proto__.
        Without this, JSObject::put() won't think there are any setters on the prototype chain of an
        object that has no static lookup table and uses eagerly reified custom getter/setter properties.

2014-06-21  Brady Eidson  <beidson@apple.com>

        Gamepad API - Deprecate the existing implementation
        https://bugs.webkit.org/show_bug.cgi?id=134108

        Reviewed by Timothy Hatcher.

        -Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it
        -Move some implementation files into a "deprecated" subdirectory.

        * Configurations/FeatureDefines.xcconfig:

2014-06-21  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r170244.
        https://bugs.webkit.org/show_bug.cgi?id=134157

        GTK/EFL bindings generator works differently, making this
        patch not work there.  Will fix entire patch after a rollout.
        (Requested by bradee-oh on #webkit).

        Reverted changeset:

        "Gamepad API - Deprecate the existing implementation"
        https://bugs.webkit.org/show_bug.cgi?id=134108
        http://trac.webkit.org/changeset/170244

2014-06-21  Brady Eidson  <beidson@apple.com>

        Gamepad API - Deprecate the existing implementation
        https://bugs.webkit.org/show_bug.cgi?id=134108

        Reviewed by Timothy Hatcher.

        -Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it
        -Add the "Deprecated" suffix to some implementation files

        * Configurations/FeatureDefines.xcconfig:

2014-06-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        Removing PAGE_VISIBILITY_API compile guard.
        https://bugs.webkit.org/show_bug.cgi?id=133844

        Reviewed by Gavin Barraclough.

        * Configurations/FeatureDefines.xcconfig:

2014-06-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        ARM traditional buildfix after r169942.
        https://bugs.webkit.org/show_bug.cgi?id=134100

        Reviewed by Zoltan Herczeg.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::abortWithReason): Added.

2014-06-20  Andreas Kling  <akling@apple.com>

        [Cocoa] Release freed up blocks from the JS heap after simulated memory pressure.
        <https://webkit.org/b/134112>

        Reviewed by Mark Hahnenberg.

        * heap/BlockAllocator.h:

2014-06-19  Alex Christensen  <achristensen@webkit.org>

        Unreviewed fix after r170130.

        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj:
        Corrected directory so it can find common.props when opening Visual Studio.

2014-06-19  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        Remove ENABLE(LLINT) and ENABLE(LLINT_C_LOOP) guards
        https://bugs.webkit.org/show_bug.cgi?id=130389

        Reviewed by Mark Lam.

        Removed ENABLE(LLINT) since we always build with it, and changed ENABLE(LLINT_C_LOOP)
        into !ENABLE(JIT) since they are mutually exclusive.

        * CMakeLists.txt:
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
        (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
        * assembler/MaxFrameExtentForSlowPathCall.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFromLLInt):
        * bytecode/CodeBlock.cpp:
        (JSC::dumpStructure):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::unlinkCalls):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::linkIncomingCall):
        (JSC::CodeBlock::frameRegisterCount):
        * bytecode/CodeBlock.h:
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitConstruct):
        * heap/Heap.cpp:
        (JSC::Heap::gatherJSStackRoots):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::initialize):
        (JSC::Interpreter::isOpcode):
        * interpreter/Interpreter.h:
        (JSC::Interpreter::getOpcodeID):
        * interpreter/JSStack.cpp:
        (JSC::JSStack::JSStack):
        (JSC::JSStack::committedByteCount):
        * interpreter/JSStack.h:
        * interpreter/JSStackInlines.h:
        (JSC::JSStack::ensureCapacityFor):
        (JSC::JSStack::topOfFrameFor):
        (JSC::JSStack::setStackLimit):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        * jit/JIT.h:
        (JSC::JIT::compileCTINativeCall):
        * jit/JITExceptions.h:
        * jit/JITThunks.cpp:
        (JSC::JITThunks::ctiNativeCall):
        (JSC::JITThunks::ctiNativeConstruct):
        * llint/LLIntCLoop.cpp:
        * llint/LLIntCLoop.h:
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntData.h:
        (JSC::LLInt::Data::performAssertions): Deleted.
        * llint/LLIntEntrypoint.cpp:
        * llint/LLIntEntrypoint.h:
        * llint/LLIntExceptions.cpp:
        * llint/LLIntExceptions.h:
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntOffsetsExtractor.cpp:
        (JSC::LLIntOffsetsExtractor::dummy):
        * llint/LLIntOpcode.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LLIntThunks.cpp:
        * llint/LLIntThunks.h:
        * llint/LowLevelInterpreter.cpp:
        * llint/LowLevelInterpreter.h:
        * runtime/CommonSlowPaths.cpp:
        * runtime/CommonSlowPaths.h:
        * runtime/ErrorHandlingScope.cpp:
        (JSC::ErrorHandlingScope::ErrorHandlingScope):
        (JSC::ErrorHandlingScope::~ErrorHandlingScope):
        * runtime/Executable.cpp:
        (JSC::setupLLInt):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::sanitizeStackForVM):
        * runtime/VM.h:
        (JSC::VM::canUseJIT): Deleted.

2014-06-18  Alex Christensen  <achristensen@webkit.org>

        Add FTL to Windows build.
        https://bugs.webkit.org/show_bug.cgi?id=134015

        Reviewed by Filip Pizlo.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        Added ftl source files.
        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
        Added ftl and llvm directories to include path.
        * JavaScriptCore.vcxproj/libllvmForJSC: Added.
        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Added.
        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Added.
        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Added.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
        MSVC doesn't like to divide by zero while compiling.  Use std::nan instead.
        * llvm/InitializeLLVMWin.cpp: Added.
        (JSC::initializeLLVMImpl):
        Implemented dynamic loading and linking for Windows.

2014-06-18  Alex Christensen  <achristensen@webkit.org>

        Unreviewed build fix after r170107.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        Use non-template sub for armv7s.

2014-06-18  David Kilzer  <ddkilzer@apple.com>

        -[JSContext setName:] leaks NSString
        <http://webkit.org/b/134038>

        Reviewed by Joseph Pecoraro.

        Fixes the following static analyzer warning:

            JavaScriptCore/API/JSContext.mm:200:73: warning: Potential leak of an object
                JSStringRef nameJS = name ? JSStringCreateWithCFString((CFStringRef)[name copy]) : nullptr;
                                                                                    ^

        * API/JSContext.mm:
        (-[JSContext setName:]): Autorelease the copy of |name|.

2014-06-18  Mark Lam  <mark.lam@apple.com>

        DFGGraph::m_doubleConstantMap will not map 0 values correctly.
        <https://webkit.org/b/133994>

        Reviewed by Geoffrey Garen.

        DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
        because it means two unfortunate things:
        - It will probably break for zero.
        - It will think that -0 is the same as +0 under some circumstances, since
          -0==+0 even though they are distinct values (for example 1/-0 != 1/+0).

        The fix is to use std::unordered_map which does not require special empty
        and deleted values, and to use the raw bits instead of the double value as
        the key.

        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::addressOfDoubleConstant):

2014-06-18  Alex Christensen  <achristensen@webkit.org>

        Remove duplicate code using sdiv.
        https://bugs.webkit.org/show_bug.cgi?id=133764

        Reviewed by Daniel Bates.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::sdiv):
        Make sdiv a template to match arm64.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithDiv):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        Remove duplicate code that was identical except for sdiv not being a template.

2014-06-17  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r170082.
        https://bugs.webkit.org/show_bug.cgi?id=134006

        Breaks build. (Requested by mlam on #webkit).

        Reverted changeset:

        "DFGGraph::m_doubleConstantMap will not map 0 values
        correctly."
        https://bugs.webkit.org/show_bug.cgi?id=133994
        http://trac.webkit.org/changeset/170082

2014-06-17  Mark Lam  <mark.lam@apple.com>

        DFGGraph::m_doubleConstantMap will not map 0 values correctly.
        <https://webkit.org/b/133994>

        Reviewed by Geoffrey Garen.

        DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
        because it means two unfortunate things:
        - It will probably break for zero.
        - It will think that -0 is the same as +0 under some circumstances, since
          -0==+0 even though they are distinct values (for example 1/-0 != 1/+0).

        The fix is to use std::unordered_map which does not require special empty
        and deleted values, and to use the raw bits instead of the double value as
        the key.

        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::addressOfDoubleConstant):

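The two keying strategies described in this entry and in its rolled-out predecessor above (r170082), as an added example that is not WebKit's code: ValueKeyedTable and BitKeyedTable are hypothetical stand-ins for DFGGraph::m_doubleConstantsMap before and after the change, and the constant-pool lookups are modelled with plain std::unordered_map rather than WTF::HashMap.

```cpp
// Added example, not WebKit code.  A constant table keyed on the double's
// value collapses -0 and +0 into one slot (they compare equal) and can never
// find a NaN it already stored (NaN != NaN).  Keying on the raw 64-bit pattern,
// as the fix does, gives every distinct bit pattern its own slot and needs no
// reserved empty/deleted key values.
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <limits>
#include <unordered_map>
#include <vector>

// Reinterpret the double's storage; memcpy avoids strict-aliasing problems.
std::uint64_t bitsOf(double value) {
    std::uint64_t bits;
    std::memcpy(&bits, &value, sizeof bits);
    return bits;
}

// Before the fix: the key is the double itself.  std::hash<double> must hash
// equal values identically and 0.0 == -0.0, so both zeros land in one slot.
struct ValueKeyedTable {
    std::vector<double> constants;
    std::unordered_map<double, std::size_t> index;

    std::size_t constantIndex(double value) {
        auto it = index.find(value);
        if (it != index.end())
            return it->second;
        constants.push_back(value);
        index[value] = constants.size() - 1;
        return constants.size() - 1;
    }
};

// After the fix: the key is the bit pattern.  +0 (0x0000...) and -0 (0x8000...)
// are different keys, and two NaNs with the same payload dedupe correctly.
struct BitKeyedTable {
    std::vector<double> constants;
    std::unordered_map<std::uint64_t, std::size_t> index;

    std::size_t constantIndex(double value) {
        std::uint64_t key = bitsOf(value);
        auto it = index.find(key);
        if (it != index.end())
            return it->second;
        constants.push_back(value);
        index[key] = constants.size() - 1;
        return constants.size() - 1;
    }
};

// True if the table hands back one slot for +0 and -0; code that later
// computes 1/x from that constant would then get the wrong infinity for one.
bool valueKeyedConflatesZeros() {
    ValueKeyedTable table;
    return table.constantIndex(0.0) == table.constantIndex(-0.0);
}

// True if +0 and -0 get distinct slots that still carry the right sign.
bool bitKeyedSeparatesZeros() {
    BitKeyedTable table;
    std::size_t plus = table.constantIndex(0.0);
    std::size_t minus = table.constantIndex(-0.0);
    return plus != minus
        && !std::signbit(table.constants[plus])
        && std::signbit(table.constants[minus]);
}

// A value-keyed lookup never hits for NaN, so the same constant is appended
// again on every request; the bit-keyed lookup finds it the second time.
bool valueKeyedDuplicatesNaN() {
    ValueKeyedTable table;
    double nan = std::numeric_limits<double>::quiet_NaN();
    return table.constantIndex(nan) != table.constantIndex(nan);
}

bool bitKeyedDedupesNaN() {
    BitKeyedTable table;
    double nan = std::numeric_limits<double>::quiet_NaN();
    return table.constantIndex(nan) == table.constantIndex(nan)
        && table.constants.size() == 1;
}
```
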
715 2014-06-17  Oliver Hunt  <oliver@apple.com>
716
717         Fix error messages for incorrect hex literals
718         https://bugs.webkit.org/show_bug.cgi?id=133998
719
720         Reviewed by Mark Lam.
721
722         Ensure that the error messages for bogus hex literals actually
723         make sense.
724
725         * parser/Lexer.cpp:
726         (JSC::Lexer<T>::lex):
727         * parser/ParserTokens.h:
728
729 2014-06-17  Matthew Mirman  <mmirman@apple.com>
730
731         Fixes bug where building JSC sometimes crashes at build-symbol-table-index.py. Also adds licenses. 
732         https://bugs.webkit.org/show_bug.cgi?id=133814
733
734         Reviewed by Filip Pizlo.
735         
736         Adds the "shopt -s nullglob" line necessary to prevent the loop in the shell 
737         script from using "*.o" as a file when no other files in the directory exist. 
738         
739         * build-symbol-table-index.sh: Added license.
740         * copy-llvm-ir-to-derived-sources.sh: Added license and "shopt -s nullglob" line.
741
742 2014-06-16  Sam Weinig  <sam@webkit.org>
743
744         Move forward declaration of bindings static functions into their implementation files
745         https://bugs.webkit.org/show_bug.cgi?id=133943
746
747         Reviewed by Geoffrey Garen.
748
749         * runtime/CommonIdentifiers.h:
750         Add a few identifiers that are needed by the DOM.
751
752 2014-06-16  Mark Lam  <mark.lam@apple.com>
753
754         Parser statementDepth accounting needs to account for when a function body excludes its braces.
755         <https://webkit.org/b/133832>
756
757         Reviewed by Oliver Hunt.
758
759         In some cases (e.g. when a Function object is instantiated from a string), the
760         function body source may not include its braces.  The parser needs to account
761         for this when calculating its statementDepth.
762
763         * bytecode/UnlinkedCodeBlock.cpp:
764         (JSC::generateFunctionCodeBlock):
765         (JSC::UnlinkedFunctionExecutable::codeBlockFor):
766         * bytecode/UnlinkedCodeBlock.h:
767         * parser/Parser.cpp:
768         (JSC::Parser<LexerType>::parseStatement):
769         - Also fixed the error message for declaring nested functions in strict mode
770           to be more accurate.
771         * parser/Parser.h:
772         (JSC::Parser<LexerType>::parse):
773         (JSC::parse):
774         * runtime/Executable.cpp:
775         (JSC::ScriptExecutable::newCodeBlockFor):
776
777 2014-06-16  Juergen Ributzka  <juergen@apple.com>
778
779         Change the order of the alias analysis passes to align with the opt pipeline of LLVM
780         https://bugs.webkit.org/show_bug.cgi?id=133753
781
782         Reviewed by Geoffrey Garen.
783
784         The order in which the alias analysis passes are added also affects the
785         order in which they are utilized. Change the order to align with the
786         one used by LLVM itself. The last alias analysis pass added will be
787         evaluated first. With this change we first perform a basic alias
788         analysis and then use the type-based alias analysis (if required).
789
790         * ftl/FTLCompile.cpp:
791         (JSC::FTL::compile):
792
793 2014-06-16  Juergen Ributzka  <juergen@apple.com>
794
795         Fix the arguments passed to the LLVM dylib
796         https://bugs.webkit.org/show_bug.cgi?id=133757
797
798         Reviewed by Geoffrey Garen.
799
800         The LLVM command line argument parser assumes that the first argument
801         is the program name. We need to add a fake program name, otherwise the
802         first argument will be parsed as program name and ignored.
803
804         * llvm/library/LLVMExports.cpp:
805         (initializeAndGetJSCLLVMAPI):
806
807 2014-06-16  Michael Saboff  <msaboff@apple.com>
808
809         Convert ASSERT in inlineFunctionForCapabilityLevel to early return
810         https://bugs.webkit.org/show_bug.cgi?id=133903
811
812         Reviewed by Mark Hahnenberg.
813
814         Hardened code by converting ASSERT to return CannotCompile.
815
816         * dfg/DFGCapabilities.h:
817         (JSC::DFG::inlineFunctionForCapabilityLevel):
818
819 2014-06-13  Sam Weinig  <sam@webkit.org>
820
821         Store DOM constants directly in the JS object rather than jumping through a custom accessor
822         https://bugs.webkit.org/show_bug.cgi?id=133898
823
824         Reviewed by Oliver Hunt.
825
826         * runtime/Lookup.h:
827         (JSC::HashTableValue::attributes):
828         Switch attributes to be stored as an unsigned rather than an unsigned char, since there is no difference in memory use
829         and it will make adding more flags possible.
830
831         (JSC::HashTableValue::propertyGetter):
832         (JSC::HashTableValue::propertyPutter):
833         Change assertion to use BuiltinOrFunctionOrConstant.
834
835         (JSC::HashTableValue::constantInteger):
836         Added.
837
838         (JSC::getStaticPropertySlot):
839         (JSC::getStaticValueSlot):
840         Use PropertySlot::setValue() for constants during static lookup.
841
842         (JSC::reifyStaticProperties):
843         Put the constant directly on the object when eagerly reifying.
844
845         * runtime/PropertySlot.h:
846         Add ConstantInteger flag and BuiltinOrFunctionOrConstant helper.
847
848 2014-06-14  Michael Saboff  <msaboff@apple.com>
849
850         operationCreateArguments could cause a GC during OSR exit
851         https://bugs.webkit.org/show_bug.cgi?id=133905
852
853         Reviewed by Filip Pizlo.
854
855         Defer GC via new wrapper functions for operationCreateArguments and operationCreateInlinedArguments
856         for use by OSR exit stubs.
857
858         * dfg/DFGOSRExitCompilerCommon.cpp:
859         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor):
860         * dfg/DFGOperations.cpp:
861         * dfg/DFGOperations.h:
862         * jit/JITOperations.cpp:
863         * jit/JITOperations.h:
864
865 2014-06-13  Mark Hahnenberg  <mhahnenberg@apple.com>
866
867         OSR exit should barrier the Executables for all InlineCallFrames, not just those on the stack at the time of exit
868         https://bugs.webkit.org/show_bug.cgi?id=133880
869
870         Reviewed by Filip Pizlo.
871
872         We could have exited due to a value received from an inlined block that's no longer on 
873         the stack, so we should just barrier all InlineCallFrames.
874
875         * dfg/DFGOSRExitCompilerCommon.cpp:
876         (JSC::DFG::adjustAndJumpToTarget):
877
878 2014-06-13  Alex Christensen  <achristensen@webkit.org>
879
880         Make css jit compile for armv7.
881         https://bugs.webkit.org/show_bug.cgi?id=133596
882
883         Reviewed by Benjamin Poulain.
884
885         * assembler/MacroAssembler.h:
886         Use branchPtr on ARM_THUMB2.
887         * assembler/MacroAssemblerARMv7.h:
888         (JSC::MacroAssemblerARMv7::addPtrNoFlags):
889         (JSC::MacroAssemblerARMv7::or32):
890         (JSC::MacroAssemblerARMv7::test32):
891         (JSC::MacroAssemblerARMv7::branch):
892         (JSC::MacroAssemblerARMv7::branchPtr):
893         Added macros necessary for css jit.
894
895 2014-06-13  Filip Pizlo  <fpizlo@apple.com>
896
897         Unreviewed, fix ARMv7.
898
899         * assembler/MacroAssemblerARMv7.h:
900         (JSC::MacroAssemblerARMv7::abortWithReason):
901
902 2014-06-12  Filip Pizlo  <fpizlo@apple.com>
903
904         Even better diagnostics from DFG traps
905         https://bugs.webkit.org/show_bug.cgi?id=133836
906
907         Reviewed by Oliver Hunt.
908         
909         We now stuff the DFG::NodeType into a register before bailing. Also made the
910         DFGBailed abort reason a bit more specific. As planned, the new abort reasons use
911         different numbers than any previous abort reasons.
912
913         * assembler/AbortReason.h:
914         * assembler/MacroAssemblerARM64.h:
915         (JSC::MacroAssemblerARM64::abortWithReason):
916         * assembler/MacroAssemblerARMv7.h:
917         (JSC::MacroAssemblerARMv7::abortWithReason):
918         * assembler/MacroAssemblerX86.h:
919         (JSC::MacroAssemblerX86::abortWithReason):
920         * assembler/MacroAssemblerX86_64.h:
921         (JSC::MacroAssemblerX86_64::abortWithReason):
922         * dfg/DFGSpeculativeJIT.cpp:
923         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
924         (JSC::DFG::SpeculativeJIT::bail):
925         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
926         * dfg/DFGSpeculativeJIT.h:
927
928 2014-06-12  Simon Fraser  <simon.fraser@apple.com>
929
930         Fix assertions under JSC::setNeverInline() when running js tests in WebKitTestRunner
931         https://bugs.webkit.org/show_bug.cgi?id=133840
932
933         Reviewed by Filip Pizlo.
934         
935         Fix ASSERT(exec->vm().currentThreadIsHoldingAPILock()); under JSC::setNeverInline()
936         when running DFG tests.
937
938         * API/JSCTestRunnerUtils.cpp:
939         (JSC::numberOfDFGCompiles):
940         (JSC::setNeverInline):
941
942 2014-06-12  Brent Fulgham  <bfulgham@apple.com>
943
944         [Win] Avoid fork bomb during build
945         https://bugs.webkit.org/show_bug.cgi?id=133837
946         <rdar://problem/17296034>
947
948         Reviewed by Tim Horton.
949
950         * JavaScriptCore.vcxproj/build-generated-files.sh: Use a
951         reasonable default value when the 'num-cpus' script is not available.
952
953 2014-06-12  Mark Lam  <mark.lam@apple.com>
954
955         Remove some dead / unused code.
956         <https://webkit.org/b/133828>
957
958         Reviewed by Filip Pizlo.
959
960         * builtins/BuiltinExecutables.cpp:
961         (JSC::BuiltinExecutables::createBuiltinExecutable):
962         * bytecode/UnlinkedCodeBlock.cpp:
963         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
964         * bytecode/UnlinkedCodeBlock.h:
965         (JSC::UnlinkedFunctionExecutable::create):
966         * bytecompiler/BytecodeGenerator.h:
967         (JSC::BytecodeGenerator::makeFunction):
968         * parser/Parser.h:
969         (JSC::DepthManager::DepthManager): Deleted.
970         (JSC::DepthManager::~DepthManager): Deleted.
971         * runtime/CodeCache.cpp:
972         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
973
974 2014-06-12  Mark Hahnenberg  <mhahnenberg@apple.com>
975
976         Move structureHasRareData out of TypeInfo
977         https://bugs.webkit.org/show_bug.cgi?id=133800
978
979         Reviewed by Andreas Kling.
980
981         StructureHasRareData was originally put in TypeInfo to avoid making Structure bigger, 
982         but we have a few spare bits in Structure so it would be nice to remove this hack.
983
984         * runtime/JSTypeInfo.h:
985         (JSC::TypeInfo::newImpurePropertyFiresWatchpoints):
986         (JSC::TypeInfo::structureHasRareData): Deleted.
987         * runtime/Structure.cpp:
988         (JSC::Structure::Structure):
989         (JSC::Structure::allocateRareData):
990         (JSC::Structure::cloneRareDataFrom):
991         * runtime/Structure.h:
992         (JSC::Structure::previousID):
993         (JSC::Structure::objectToStringValue):
994         (JSC::Structure::setObjectToStringValue):
995         (JSC::Structure::setPreviousID):
996         (JSC::Structure::clearPreviousID):
997         (JSC::Structure::previous):
998         (JSC::Structure::rareData):
999         * runtime/StructureInlines.h:
1000         (JSC::Structure::setEnumerationCache):
1001         (JSC::Structure::enumerationCache):
1002
1003 2014-06-12  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>
1004
1005         Allow enum guards to be generated from the replay json files
1006         https://bugs.webkit.org/show_bug.cgi?id=133399
1007
1008         Reviewed by Csaba Osztrogonác.
1009
1010         * replay/scripts/CodeGeneratorReplayInputs.py:
1011         (Type.__init__):
1012         (InputsModel.parse_type_with_framework_name):
1013         (Generator.generate_header):
1014         (Generator.generate_implementation):
1015         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Added.
1016         (Test::HandleWheelEvent::HandleWheelEvent):
1017         (Test::HandleWheelEvent::~HandleWheelEvent):
1018         (JSC::InputTraits<Test::HandleWheelEvent>::type):
1019         (JSC::InputTraits<Test::HandleWheelEvent>::encode):
1020         (JSC::InputTraits<Test::HandleWheelEvent>::decode):
1021         (JSC::EncodingTraits<WebCore::PlatformWheelEventPhase>::encodeValue):
1022         (JSC::EncodingTraits<WebCore::PlatformWheelEventPhase>::decodeValue):
1023         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Added.
1024         (JSC::InputTraits<Test::HandleWheelEvent>::queue):
1025         (Test::HandleWheelEvent::platformEvent):
1026         * replay/scripts/tests/generate-enum-with-guard.json: Added.
1027
1028 2014-06-12  Carlos Garcia Campos  <cgarcia@igalia.com>
1029
1030         Unreviewed. Fix GTK+ build after r169823.
1031
1032         Include StructureInlines.h in a few more files to fix linking
1033         issues due to JSC::Structure::get undefined symbol.
1034
1035         * runtime/ArrayIteratorConstructor.cpp:
1036         * runtime/ArrayIteratorPrototype.cpp:
1037         * runtime/JSConsole.cpp:
1038         * runtime/JSMapIterator.cpp:
1039         * runtime/JSSet.cpp:
1040         * runtime/JSSetIterator.cpp:
1041         * runtime/JSWeakMap.cpp:
1042         * runtime/MapIteratorPrototype.cpp:
1043         * runtime/MapPrototype.cpp:
1044         * runtime/SetIteratorPrototype.cpp:
1045         * runtime/SetPrototype.cpp:
1046         * runtime/WeakMapPrototype.cpp:
1047
1048 2014-06-12  Csaba Osztrogonác  <ossy@webkit.org>
1049
1050         [EFL] One more URTBF after r169823 to make ARM64 build happy too.
1051
1052         * runtime/JSMap.cpp:
1053
1054 2014-06-11  Mark Hahnenberg  <mhahnenberg@apple.com>
1055
1056         Inline caching should try to flatten uncacheable dictionaries
1057         https://bugs.webkit.org/show_bug.cgi?id=133683
1058
1059         Reviewed by Geoffrey Garen.
1060
1061         There exists a body of JS code that deletes properties off of objects (especially function/constructor objects), 
1062         which puts them into an uncacheable dictionary state. This prevents all future inline caching for these objects. 
1063         If properties are deleted out of the object during its initialization, we can enable caching for that object by 
1064         attempting to flatten it when we see we're trying to do inline caching with that object. We then record that we 
1065         performed this flattening optimization in the object's Structure. If it ever re-enters the uncacheable dictionary 
1066         state then we can just give up on caching that object.
1067
1068         In refactoring some of the code in tryCacheGetById and tryBuildGetByIdList to reduce some duplication, I added
1069         the InlineCacheAction enum, a new way to indicate the success or failure of an inline caching attempt. I changed
1070         the other inline caching functions to return this enum rather than the opaque booleans that we were previously 
1071         returning.
1072
1073         * jit/Repatch.cpp:
1074         (JSC::actionForCell):
1075         (JSC::tryCacheGetByID):
1076         (JSC::repatchGetByID):
1077         (JSC::tryBuildGetByIDList):
1078         (JSC::buildGetByIDList):
1079         (JSC::tryCachePutByID):
1080         (JSC::repatchPutByID):
1081         (JSC::tryBuildPutByIdList):
1082         (JSC::buildPutByIdList):
1083         (JSC::tryRepatchIn):
1084         (JSC::repatchIn):
1085         * runtime/Structure.cpp:
1086         (JSC::Structure::Structure):
1087         (JSC::Structure::flattenDictionaryStructure):
1088         * runtime/Structure.h:
1089         (JSC::Structure::hasBeenFlattenedBefore):
1090
1091 2014-06-11  Csaba Osztrogonác  <ossy@webkit.org>
1092
1093         [EFL] URTBF after r169823.
1094
1095         * bindings/ScriptValue.cpp: Missing include added.
1096
1097 2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>
1098
1099         Remove an unnecessary asObject(this) call inside JSObject::fastGetOwnPropertySlot.
1100
1101         Rubber-stamped by Andreas Kling.
1102
1103         * runtime/JSObject.h:
1104         (JSC::JSObject::fastGetOwnPropertySlot):
1105
1106 2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>
1107
1108         Turning on DUMP_PROPERTYMAP_STATS causes a build failure
1109         https://bugs.webkit.org/show_bug.cgi?id=133673
1110
1111         Reviewed by Andreas Kling.
1112
1113         Rewrote the property map statistics code because the old code wasn't building,
1114         and it was also mixing numbers for lookups and insertions/removals.
1115
1116         New logging code records the number of calls to PropertyTable::find (finds) and
1117         PropertyTable::get/PropertyTable::findWithString separately so that we can quantify
1118         the amount of probing during updates and lookups.
1119
1120         * jsc.cpp:
1121         * runtime/PropertyMapHashTable.h:
1122         (JSC::PropertyTable::find):
1123         (JSC::PropertyTable::get):
1124         (JSC::PropertyTable::findWithString):
1125         (JSC::PropertyTable::add):
1126         (JSC::PropertyTable::remove):
1127         (JSC::PropertyTable::reinsert):
1128         (JSC::PropertyTable::rehash):
1129         * runtime/Structure.cpp:
1130         (JSC::PropertyMapStatisticsExitLogger::PropertyMapStatisticsExitLogger):
1131         (JSC::PropertyMapStatisticsExitLogger::~PropertyMapStatisticsExitLogger):
1132
1133 2014-06-11  Andreas Kling  <akling@apple.com>
1134
1135         Always inline JSValue::get() and Structure::get().
1136         <https://webkit.org/b/133755>
1137
1138         Reviewed by Ryosuke Niwa.
1139
1140         These functions get really hot, so ask the compiler to be more
1141         aggressive about inlining them.
1142
1143         ~28% speed-up on Ryosuke's microbenchmark for accessing nextSibling
1144         through GetByVal.
1145
1146         * runtime/JSArrayIterator.cpp:
1147         * runtime/JSCJSValue.cpp:
1148         * runtime/JSCJSValueInlines.h:
1149         (JSC::JSValue::get):
1150         * runtime/JSPromiseDeferred.cpp:
1151         * runtime/StructureInlines.h:
1152         (JSC::Structure::get):
1153
1154 2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>
1155
1156         Structure::get should instantiate DeferGC only when materializing property map
1157         https://bugs.webkit.org/show_bug.cgi?id=133727
1158
1159         Rubber-stamped by Andreas Kling.
1160
1161         Make materializePropertyMapIfNecessary always inline.
1162
1163         This is ~12% improvement on the microbenchmark attached in the bug.
1164
1165         * runtime/Structure.h:
1166         (JSC::Structure::materializePropertyMapIfNecessary):
1167         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
1168
1169 2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>
1170
1171         Structure::get should instantiate DeferGC only when materializing property map
1172         https://bugs.webkit.org/show_bug.cgi?id=133727
1173
1174         Reviewed by Geoffrey Garen.
1175
1176         DeferGC instances in Structure::get were added in http://trac.webkit.org/r157539 in order to avoid
1177         collecting the property table newly created by materializePropertyMapIfNecessary since GC can happen
1178         when GCSafeConcurrentJITLocker goes out of scope.
1179
1180         However, always instantiating DeferGC inside Structure::get introduced a new performance bottleneck
1181         in JSObject::getPropertySlot because frequently incrementing and decrementing a counter in vm.m_heap
1182         and running a release assertion inside Heap::incrementDeferralDepth() is expensive.
1183
1184         Work around this by instantiating DeferGC only when we're actually calling materializePropertyMap,
1185         and immediately storing a pointer to the newly created property table in the stack before DeferGC
1186         goes out of scope so that the property table will be marked.
1187
1188         This shows 13-16% improvement on the microbenchmark attached in the bug.
1189
1190         * runtime/JSCJSValue.cpp:
1191         * runtime/JSObject.h:
1192         (JSC::JSObject::fastGetOwnPropertySlot):
1193         * runtime/Structure.h:
1194         (JSC::Structure::materializePropertyMapIfNecessary):
1195         * runtime/StructureInlines.h:
1196         (JSC::Structure::get):
1197
1198 2014-06-11  Andreas Kling  <akling@apple.com>
1199
1200         Some JSValue::get() micro-optimizations.
1201         <https://webkit.org/b/133739>
1202
1203         Tighten some of the property lookup code to improve performance of the
1204         eagerly reified prototype attributes:
1205
1206         - Instead of converting the property name to an integer at every step
1207           in the prototype chain, move that to a separate pass at the end
1208           since it should be a rare case.
1209
1210         - Cache the StructureIDTable in a local instead of fetching it from
1211           the Heap on every step.
1212
1213         - Make fillCustomGetterPropertySlot inline. It was out-of-lined based
1214           on the assumption that clients would mostly be cacheable GetByIds,
1215           and it gets pretty hot (~1%) in GetByVal.
1216
1217         - Pass the Structure directly to fillCustomGetterPropertySlot instead
1218           of refetching it from the StructureIDTable.
1219
1220         Reviewed by Geoff Garen.
1221
1222         * runtime/JSObject.cpp:
1223         (JSC::JSObject::fillCustomGetterPropertySlot): Deleted.
1224         * runtime/JSObject.h:
1225         (JSC::JSObject::inlineGetOwnPropertySlot):
1226         (JSC::JSObject::fillCustomGetterPropertySlot):
1227         (JSC::JSObject::getOwnPropertySlot):
1228         (JSC::JSObject::fastGetOwnPropertySlot):
1229         (JSC::JSObject::getPropertySlot):
1230         (JSC::JSObject::getOwnPropertySlotSlow): Deleted.
1231
1232 2014-06-10  Sam Weinig  <sam@webkit.org>
1233
1234         Don't create a HashTable for JSObjects that use eager reification
1235         https://bugs.webkit.org/show_bug.cgi?id=133705
1236
1237         Reviewed by Geoffrey Garen.
1238
1239         * runtime/Lookup.h:
1240         (JSC::reifyStaticProperties):
1241         Add a version of reifyStaticProperties that takes an array of HashTableValues
1242         rather than a HashTable.
1243
1244 2014-06-10  Filip Pizlo  <fpizlo@apple.com>
1245
1246         Prediction propagator should make sure everyone knows that a variable that is in an argument position where other versions of that variable are not MachineInts cannot possibly be flushed as Int52
1247         https://bugs.webkit.org/show_bug.cgi?id=133698
1248
1249         Reviewed by Geoffrey Garen and Mark Hahnenberg.
1250
1251         * dfg/DFGPredictionPropagationPhase.cpp:
1252         (JSC::DFG::PredictionPropagationPhase::propagate): Use the new utility to figure out if a variable could ever represent an Int52.
1253         * dfg/DFGVariableAccessData.cpp:
1254         (JSC::DFG::VariableAccessData::couldRepresentInt52): Add a new utility to detect early on if a variable could possibly be Int52.
1255         (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
1256         (JSC::DFG::VariableAccessData::flushFormat):
1257         * dfg/DFGVariableAccessData.h:
1258         * tests/stress/int52-inlined-call-argument.js: Added.
1259         (foo):
1260         (bar):
1261
1262 2014-06-10  Mark Lam  <mark.lam@apple.com>
1263
1264         Assertion failure at JSC::Structure::checkOffsetConsistency() const + 234.
1265         <https://webkit.org/b/133356>
1266
1267         Reviewed by Mark Hahnenberg.
1268
1269         The root cause of this issue is that a nonPropertyTransition can transition
1270         a pinned dictionary structure to an unpinned dictionary structure.  The new
1271         structure will get a copy of the property table from the original structure.
1272         However, when a GC occurs, the property table in the new structure will be
1273         cleared because it is unpinned.  This leads to complications in subsequent
1274         derivative structures when flattening occurs, which eventually leads to the
1275         assertion failure in this bug.
1276
1277         The fix is to ensure that the new dictionary structure generated by the
1278         nonPropertyTransition will have a copy of its predecessor's property table
1279         and is pinned.
1280
1281         * runtime/Structure.cpp:
1282         (JSC::Structure::nonPropertyTransition):
1283
1284 2014-06-10  Michael Saboff  <msaboff@apple.com>
1285
1286         In a certain app state, Array.prototype.filter() returns incorrect results
1287         https://bugs.webkit.org/show_bug.cgi?id=133577
1288
1289         Reviewed by Oliver Hunt.
1290
1291         Fixed the LLInt processing of op_put_by_val_direct to have the same hole check as op_put_by_val.
1292
1293         * llint/LowLevelInterpreter32_64.asm:
1294         * llint/LowLevelInterpreter64.asm:
1295
1296 2014-06-09  Mark Hahnenberg  <mhahnenberg@apple.com>
1297
1298         Global HashTables contain references to atomic StringImpls
1299         https://bugs.webkit.org/show_bug.cgi?id=133661
1300
1301         Reviewed by Geoffrey Garen.
1302
1303         This was a long-standing bug revealed by bug 133558. The issue is that the global static HashTables 
1304         cache their set of keys as StringImpls that are associated with a particular VM.  This is obviously 
1305         incompatible with using multiple VMs on multiple threads (e.g. when using workers). The fix is to 
1306         change the "keys" field of the static HashTables to be char** instead of StringImpl**.
1307
1308         * runtime/JSObject.cpp:
1309         (JSC::getClassPropertyNames):
1310         * runtime/Lookup.cpp:
1311         (JSC::HashTable::createTable):
1312         (JSC::HashTable::deleteTable):
1313         * runtime/Lookup.h:
1314         (JSC::HashTable::ConstIterator::key):
1315         (JSC::HashTable::entry):
1316
1317 2014-06-09  Mark Hahnenberg  <mhahnenberg@apple.com>
1318
1319         Build fix after r169703
1320
1321         * JavaScriptCore.xcodeproj/project.pbxproj:
1322
1323 2014-06-05  Mark Hahnenberg  <mhahnenberg@apple.com>
1324
1325         Eagerly reify DOM prototype attributes
1326         https://bugs.webkit.org/show_bug.cgi?id=133558
1327
1328         Reviewed by Oliver Hunt.
1329
1330         This allows us to get rid of a lot of the additional overhead of pushing DOM attributes up into the prototype. 
1331         By eagerly reifying the custom getters and setters into the actual JSObject we avoid having to override 
1332         getOwnPropertySlot for all of the DOM prototypes, which is a lot of the overhead of doing property lookups on 
1333         DOM wrappers.
1334
1335         * CMakeLists.txt:
1336         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1337         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1338         * JavaScriptCore.xcodeproj/project.pbxproj:
1339         * llint/LLIntData.cpp:
1340         (JSC::LLInt::Data::performAssertions):
1341         * llint/LowLevelInterpreter.asm:
1342         * runtime/BatchedTransitionOptimizer.h:
1343         (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
1344         * runtime/CustomGetterSetter.cpp: Added.
1345         (JSC::callCustomSetter):
1346         * runtime/CustomGetterSetter.h: Added.
1347         (JSC::CustomGetterSetter::create):
1348         (JSC::CustomGetterSetter::getter):
1349         (JSC::CustomGetterSetter::setter):
1350         (JSC::CustomGetterSetter::createStructure):
1351         (JSC::CustomGetterSetter::CustomGetterSetter):
1352         * runtime/JSCJSValue.cpp:
1353         (JSC::JSValue::putToPrimitive):
1354         * runtime/JSCJSValue.h:
1355         * runtime/JSCJSValueInlines.h:
1356         (JSC::JSValue::isCustomGetterSetter):
1357         * runtime/JSCell.h:
1358         * runtime/JSCellInlines.h:
1359         (JSC::JSCell::isCustomGetterSetter):
1360         (JSC::JSCell::canUseFastGetOwnProperty):
1361         * runtime/JSFunction.cpp:
1362         (JSC::JSFunction::isHostOrBuiltinFunction): Deleted.
1363         (JSC::JSFunction::isBuiltinFunction): Deleted.
1364         * runtime/JSFunction.h:
1365         * runtime/JSFunctionInlines.h: Inlined some random functions that appeared hot during profiling.
1366         (JSC::JSFunction::isBuiltinFunction):
1367         (JSC::JSFunction::isHostOrBuiltinFunction):
1368         * runtime/JSObject.cpp:
1369         (JSC::JSObject::put):
1370         (JSC::JSObject::putDirectCustomAccessor):
1371         (JSC::JSObject::fillGetterPropertySlot):
1372         (JSC::JSObject::fillCustomGetterPropertySlot):
1373         (JSC::JSObject::getOwnPropertySlotSlow): Deleted.
1374         * runtime/JSObject.h:
1375         (JSC::JSObject::hasCustomGetterSetterProperties):
1376         (JSC::JSObject::convertToDictionary):
1377         (JSC::JSObject::inlineGetOwnPropertySlot):
1378         (JSC::JSObject::getOwnPropertySlotSlow): Inlined because it looked hot during profiling.
1379         (JSC::JSObject::putOwnDataProperty):
1380         (JSC::JSObject::putDirect):
1381         (JSC::JSObject::putDirectWithoutTransition):
1382         * runtime/JSType.h:
1383         * runtime/Lookup.h:
1384         (JSC::reifyStaticProperties):
1385         * runtime/PropertyDescriptor.h:
1386         (JSC::PropertyDescriptor::PropertyDescriptor):
1387         * runtime/Structure.cpp:
1388         (JSC::Structure::Structure):
1389         (JSC::nextOutOfLineStorageCapacity): Deleted.
1390         (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Deleted.
1391         (JSC::Structure::get): Deleted.
1392         * runtime/Structure.h:
1393         (JSC::Structure::hasCustomGetterSetterProperties):
1394         (JSC::Structure::setHasCustomGetterSetterProperties):
1395         * runtime/StructureInlines.h:
1396         (JSC::Structure::get): Inlined due to hotness.
1397         (JSC::nextOutOfLineStorageCapacity): Inlined due to hotness.
1398         (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Inlined due to hotness.
1399         * runtime/VM.cpp:
1400         (JSC::VM::VM):
1401         * runtime/VM.h:
1402         * runtime/WriteBarrier.h:
1403         (JSC::WriteBarrierBase<Unknown>::isCustomGetterSetter):
1404
1405 2014-06-07  Mark Lam  <mark.lam@apple.com>
1406
1407         Structure should initialize its previousID in its constructor.
1408         <https://webkit.org/b/133606>
1409
1410         Reviewed by Mark Hahnenberg.
1411
1412         Currently, the Structure constructor that takes a previous structure will
1413         initialize its previousID to point to the previous structure's previousID.
1414         This is incorrect.  However, the caller of the Structure::create() factory
1415         method (which instantiated the Structure) will later call setPreviousID()
1416         to set the previousID to the correct previous structure.  This makes the
1417         code confusing to read and more error prone in that the structure relies
1418         on client code to fix its invalid previousID.
1419
1420         This patch fixes this by making the Structure constructor initialize
1421         previousID correctly.
1422
1423         * runtime/Structure.cpp:
1424         (JSC::Structure::Structure):
1425         (JSC::Structure::addPropertyTransition):
1426         (JSC::Structure::nonPropertyTransition):
1427         * runtime/Structure.h:
1428         * runtime/StructureInlines.h:
1429         (JSC::Structure::create):
1430
1431 2014-06-06  Andreas Kling  <akling@apple.com>
1432
1433         Indexed getters should return values directly on the PropertySlot.
1434         <https://webkit.org/b/133586>
1435
1436         Remove PropertySlot's custom index mode.
1437
1438         Reviewed by Darin Adler.
1439
1440         * runtime/JSObject.h:
1441         (JSC::PropertySlot::getValue):
1442         * runtime/PropertySlot.h:
1443         (JSC::PropertySlot::setCustomIndex): Deleted.
1444
1445 2014-06-04  Timothy Horton  <timothy_horton@apple.com>
1446
1447         iOS Debug build fix
1448
1449         Rubber-stamped by Filip Pizlo.
1450
1451         * Configurations/LLVMForJSC.xcconfig:
1452         Dead-code strip the llvmForJSC library unconditionally, to work around <rdar://problem/16920916>.
1453
1454 2014-06-04  Oliver Hunt  <oliver@apple.com>
1455
1456         ArrayIterator should not be exposed in Safari 8
1457         https://bugs.webkit.org/show_bug.cgi?id=133494
1458
1459         Reviewed by Michael Saboff.
1460
1461         Separate out types that require constructor objects, and don't
1462         include the iterator types in that list.
1463
1464         * runtime/JSGlobalObject.cpp:
1465         (JSC::JSGlobalObject::reset):
1466         * runtime/JSGlobalObject.h:
1467
1468 2014-06-04  Filip Pizlo  <fpizlo@apple.com>
1469
1470         DFG::Safepoint::begin() should set m_didCallBegin before releasing the rightToRun lock, because otherwise, Safepoint::checkLivenessAndVisitChildren() may assert due to a race
1471         https://bugs.webkit.org/show_bug.cgi?id=133525
1472         <rdar://problem/16790296>
1473
1474         Reviewed by Oliver Hunt.
1475
1476         * dfg/DFGSafepoint.cpp:
1477         (JSC::DFG::Safepoint::begin):
1478
1479 2014-06-03  Filip Pizlo  <fpizlo@apple.com>
1480
1481         LLVM soft-linking should be truly fail-silent
1482         https://bugs.webkit.org/show_bug.cgi?id=133482
1483
1484         Reviewed by Mark Lam.
1485
1486         * llvm/InitializeLLVMPOSIX.cpp:
1487         (JSC::initializeLLVMPOSIX): Missing return statement in the dlsym() returning null case.
1488
1489 2014-06-03  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
1490
1491         REGRESSION(r169092 and r169102): Skip failing JSC tests properly on non-x86 Darwin platforms
1492         https://bugs.webkit.org/show_bug.cgi?id=133149
1493
1494         Reviewed by Csaba Osztrogonác.
1495
1496         * tests/mozilla/mozilla-tests.yaml: Skip js1_5/Regress/regress-159334.js only if the architecture isn't x86 and the host is Darwin.
1497
1498 2014-05-31  Anders Carlsson  <andersca@apple.com>
1499
1500         Add a LazyNeverDestroyed class template and use it
1501         https://bugs.webkit.org/show_bug.cgi?id=133425
1502
1503         Reviewed by Darin Adler.
1504
1505         * dfg/DFGFunctionWhitelist.cpp:
1506         (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
1507         * dfg/DFGFunctionWhitelist.h:
1508
1509 2014-05-28  Filip Pizlo  <fpizlo@apple.com>
1510
1511         DFG::DCEPhase inserts into an insertion set in reverse, causing hilarious basic block corruption if you kill a lot of NewArrays
1512         https://bugs.webkit.org/show_bug.cgi?id=133368
1513
1514         Reviewed by Mark Lam.
1515
1516         * dfg/DFGDCEPhase.cpp:
1517         (JSC::DFG::DCEPhase::fixupBlock): Loop in the right order so that we insert in the right order.
1518         * tests/stress/new-array-dead.js: Added.
1519         (foo):
1520
1521 2014-05-28  Filip Pizlo  <fpizlo@apple.com>
1522
1523         Unreviewed, fix not-x86 32-bit.
1524
1525         * llint/LowLevelInterpreter32_64.asm:
1526
1527 2014-05-27  Filip Pizlo  <fpizlo@apple.com>
1528
1529         Arrayify neglects to inform the clobberizer that it might fire watchpoints
1530         https://bugs.webkit.org/show_bug.cgi?id=133340
1531
1532         Reviewed by Mark Lam.
1533
1534         * dfg/DFGClobberize.h:
1535         (JSC::DFG::clobberize): Be honest.
1536         * llint/LowLevelInterpreter32_64.asm: Profile the object, not its structure.
1537         * tests/stress/arrayify-fires-watchpoint.js: Added.
1538         (foo):
1539         (test):
1540         (makeObjectArray):
1541         * tests/stress/arrayify-structure-bad-test.js: Added.
1542         (foo):
1543         (test):
1544
1545 2014-05-27  Jon Lee  <jonlee@apple.com>
1546
1547         Update ENABLE(MEDIA_SOURCE) on Mac
1548         https://bugs.webkit.org/show_bug.cgi?id=133141
1549
1550         Reviewed by Darin Adler.
1551
1552         * Configurations/FeatureDefines.xcconfig:
1553
1554 2014-05-27  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>
1555
1556         Remove BLOB guards
1557         https://bugs.webkit.org/show_bug.cgi?id=132863
1558
1559         Reviewed by Csaba Osztrogonác.
1560
1561         * Configurations/FeatureDefines.xcconfig:
1562
1563 2014-05-27  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>
1564
1565         Allow building CMake based ports with WEB_REPLAY
1566         https://bugs.webkit.org/show_bug.cgi?id=133154
1567
1568         Reviewed by Csaba Osztrogonác.
1569
1570         * CMakeLists.txt:
1571
1572 2014-05-25  Filip Pizlo  <fpizlo@apple.com>
1573
1574         Latest emscripten life benchmark is 4x slower because the DFG doesn't realize that arithmetic on booleans is a thing
1575         https://bugs.webkit.org/show_bug.cgi?id=133136
1576
1577         Reviewed by Oliver Hunt.
1578         
1579         Some key concepts:
1580
1581         - Except for the prediction propagation and type fixup phases, which are super early in
1582           the pipeline, nobody has to know about the fact that booleans may flow into numerical
1583           operations because there will just be a BooleanToNumber node that will take a value
1584           and, if that value is a boolean, will convert it to the equivalent numerical value. It
1585           will have a BooleanUse mode where it will also speculate that the input is a boolean
1586           but it can also do UntypedUse in which case it will pass through any non-booleans.
1587           This operation is very easy to model in all of the compiler tiers.
1588
1589         - No changes to the baseline JIT. The Baseline JIT will still believe that boolean
1590           inputs require taking the slow path and it will still report that it took slow path
1591           inputs require taking the slow path and it will still report that it took the slow path
1592           path profiling on operations that were known to have had boolean inputs.  That's a
1593           little quirky, but it's probably easier than modifying the baseline JIT to track
1594           booleans correctly.
1595         
1596         4.1x speed-up on the emscripten "life" benchmark. Up to 10x speed-up on microbenchmarks.
1597
1598         * bytecode/SpeculatedType.h:
1599         (JSC::isInt32OrBooleanSpeculation):
1600         (JSC::isInt32SpeculationForArithmetic):
1601         (JSC::isInt32OrBooleanSpeculationForArithmetic):
1602         (JSC::isInt32OrBooleanSpeculationExpectingDefined):
1603         (JSC::isInt52Speculation):
1604         (JSC::isMachineIntSpeculation):
1605         (JSC::isFullNumberOrBooleanSpeculation):
1606         (JSC::isFullNumberOrBooleanSpeculationExpectingDefined):
1607         (JSC::isInt32SpeculationExpectingDefined): Deleted.
1608         (JSC::isMachineIntSpeculationExpectingDefined): Deleted.
1609         (JSC::isMachineIntSpeculationForArithmetic): Deleted.
1610         (JSC::isBytecodeNumberSpeculationExpectingDefined): Deleted.
1611         (JSC::isFullNumberSpeculationExpectingDefined): Deleted.
1612         * dfg/DFGAbstractInterpreterInlines.h:
1613         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1614         * dfg/DFGAllocator.h:
1615         (JSC::DFG::Allocator<T>::indexOf):
1616         * dfg/DFGByteCodeParser.cpp:
1617         (JSC::DFG::ByteCodeParser::makeSafe):
1618         (JSC::DFG::ByteCodeParser::makeDivSafe):
1619         (JSC::DFG::ByteCodeParser::handleIntrinsic):
1620         * dfg/DFGCSEPhase.cpp:
1621         (JSC::DFG::CSEPhase::performNodeCSE):
1622         * dfg/DFGClobberize.h:
1623         (JSC::DFG::clobberize):
1624         * dfg/DFGCommon.h:
1625         * dfg/DFGConstantFoldingPhase.cpp:
1626         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1627         * dfg/DFGFixupPhase.cpp:
1628         (JSC::DFG::FixupPhase::fixupNode):
1629         (JSC::DFG::FixupPhase::fixIntConvertingEdge):
1630         (JSC::DFG::FixupPhase::fixIntOrBooleanEdge):
1631         (JSC::DFG::FixupPhase::fixDoubleOrBooleanEdge):
1632         (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
1633         (JSC::DFG::FixupPhase::fixIntEdge): Deleted.
1634         * dfg/DFGGraph.h:
1635         (JSC::DFG::Graph::addSpeculationMode):
1636         (JSC::DFG::Graph::valueAddSpeculationMode):
1637         (JSC::DFG::Graph::arithAddSpeculationMode):
1638         (JSC::DFG::Graph::addShouldSpeculateInt32):
1639         (JSC::DFG::Graph::mulShouldSpeculateInt32):
1640         (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
1641         (JSC::DFG::Graph::negateShouldSpeculateInt32):
1642         (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
1643         (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
1644         (JSC::DFG::Graph::mulImmediateShouldSpeculateInt32): Deleted.
1645         * dfg/DFGNode.h:
1646         (JSC::DFG::Node::sawBooleans):
1647         (JSC::DFG::Node::shouldSpeculateInt32OrBoolean):
1648         (JSC::DFG::Node::shouldSpeculateInt32ForArithmetic):
1649         (JSC::DFG::Node::shouldSpeculateInt32OrBooleanForArithmetic):
1650         (JSC::DFG::Node::shouldSpeculateInt32OrBooleanExpectingDefined):
1651         (JSC::DFG::Node::shouldSpeculateMachineInt):
1652         (JSC::DFG::Node::shouldSpeculateDouble):
1653         (JSC::DFG::Node::shouldSpeculateNumberOrBoolean):
1654         (JSC::DFG::Node::shouldSpeculateNumberOrBooleanExpectingDefined):
1655         (JSC::DFG::Node::shouldSpeculateNumber):
1656         (JSC::DFG::Node::canSpeculateInt32):
1657         (JSC::DFG::Node::canSpeculateInt52):
1658         (JSC::DFG::Node::sourceFor):
1659         (JSC::DFG::Node::shouldSpeculateInt32ExpectingDefined): Deleted.
1660         (JSC::DFG::Node::shouldSpeculateMachineIntForArithmetic): Deleted.
1661         (JSC::DFG::Node::shouldSpeculateMachineIntExpectingDefined): Deleted.
1662         (JSC::DFG::Node::shouldSpeculateDoubleForArithmetic): Deleted.
1663         (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined): Deleted.
1664         * dfg/DFGNodeFlags.cpp:
1665         (JSC::DFG::dumpNodeFlags):
1666         * dfg/DFGNodeFlags.h:
1667         (JSC::DFG::nodeMayOverflow):
1668         (JSC::DFG::nodeMayNegZero):
1669         (JSC::DFG::nodeCanSpeculateInt32):
1670         (JSC::DFG::nodeCanSpeculateInt52):
1671         * dfg/DFGNodeType.h:
1672         * dfg/DFGPredictionPropagationPhase.cpp:
1673         (JSC::DFG::PredictionPropagationPhase::run):
1674         (JSC::DFG::PredictionPropagationPhase::propagateToFixpoint):
1675         (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
1676         (JSC::DFG::PredictionPropagationPhase::propagate):
1677         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
1678         * dfg/DFGSafeToExecute.h:
1679         (JSC::DFG::safeToExecute):
1680         * dfg/DFGSpeculativeJIT.cpp:
1681         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1682         * dfg/DFGSpeculativeJIT32_64.cpp:
1683         (JSC::DFG::SpeculativeJIT::compile):
1684         * dfg/DFGSpeculativeJIT64.cpp:
1685         (JSC::DFG::SpeculativeJIT::compile):
1686         * ftl/FTLCapabilities.cpp:
1687         (JSC::FTL::canCompile):
1688         * ftl/FTLLowerDFGToLLVM.cpp:
1689         (JSC::FTL::LowerDFGToLLVM::compileNode):
1690         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
1691         (JSC::FTL::LowerDFGToLLVM::compileBooleanToNumber):
1692         * runtime/JSCJSValue.h:
1693         * runtime/JSCJSValueInlines.h:
1694         (JSC::JSValue::asInt32ForArithmetic):
1695         * tests/stress/max-boolean-exit.js: Added.
1696         (foo):
1697         (test):
1698         * tests/stress/mul-boolean-exit.js: Added.
1699         (foo):
1700         (test):
1701         * tests/stress/plus-boolean-exit.js: Added.
1702         (foo):
1703         (test):
1704         * tests/stress/plus-boolean-or-double.js: Added.
1705         (foo):
1706         (test):
1707         * tests/stress/plus-boolean-or-int.js: Added.
1708         (foo):
1709         (test):
1710
1711 2014-05-26  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>
1712
1713         Remove dead code from VM.cpp
1714         https://bugs.webkit.org/show_bug.cgi?id=133284
1715
1716         Reviewed by Darin Adler.
1717
1718         This workaround was added in r127505. Since clang is the
1719         only compiler used in this case, this workaround is obsolete.
1720
1721         * runtime/VM.cpp:
1722         (JSC::enableAssembler):
1723
1724 2014-05-26  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
1725
1726         JSC CLoop warning fix
1727         https://bugs.webkit.org/show_bug.cgi?id=133259
1728
1729         Reviewed by Darin Adler.
1730
1731         * llint/LLIntSlowPaths.cpp:
1732         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1733
1734 2014-05-24  Andreas Kling  <akling@apple.com>
1735
1736         Object.prototype.toString() should use cached strings for null/undefined.
1737         <https://webkit.org/b/133261>
1738
1739         Normally, when calling Object.prototype.toString() on a regular object,
1740         we'd cache the result of the stringification on the object's structure,
1741         making repeated calls fast.
1742
1743         For null and undefined, we were not as smart. We'd instead construct a
1744         new string with either "[object Null]" or "[object Undefined]" each time.
1745
1746         This was exposed by Dromaeo's JS library tests, where some prototype.js
1747         subtests generate millions of strings this way.
1748
1749         This patch adds two VM-permanent cached strings to the SmallStrings.
1750         Looks like ~10% speed-up on Dromaeo/jslib-traverse-prototype.html.
1751
1752         Reviewed by Darin Adler.
1753
1754         * runtime/ObjectPrototype.cpp:
1755         (JSC::objectProtoFuncToString):
1756         * runtime/SmallStrings.cpp:
1757         (JSC::SmallStrings::SmallStrings):
1758         (JSC::SmallStrings::initializeCommonStrings):
1759         (JSC::SmallStrings::visitStrongReferences):
1760         * runtime/SmallStrings.h:
1761         (JSC::SmallStrings::nullObjectString):
1762         (JSC::SmallStrings::undefinedObjectString):
1763
1764 2014-05-23  Mark Hahnenberg  <mhahnenberg@apple.com>
1765
1766         Remove operationCallGetter
1767
1768         Rubber stamped by Filip Pizlo.
1769
1770         Nobody calls this function.
1771
1772         * JavaScriptCore.order:
1773         * jit/JITOperations.cpp:
1774         * jit/JITOperations.h:
1775
1776 2014-05-23  Andreas Kling  <akling@apple.com>
1777
1778         Templatize GC's destructor invocation for dtor type.
1779         <https://webkit.org/b/133231>
1780
1781         Get rid of a branch in callDestructor() by templatizing it for
1782         the DestructorType. Removed JSCell::methodTableForDestruction()
1783         since this was the only call site and it was jumping through
1784         a bunch of unnecessary hoops.
1785
1786         Reviewed by Geoffrey Garen.
1787
1788         * heap/MarkedBlock.cpp:
1789         (JSC::MarkedBlock::callDestructor):
1790         (JSC::MarkedBlock::specializedSweep):
1791         * heap/MarkedBlock.h:
1792         * runtime/JSCell.h:
1793         * runtime/JSCellInlines.h:
1794         (JSC::JSCell::methodTableForDestruction): Deleted.
1795
1796 2014-05-23  Andreas Kling  <akling@apple.com>
1797
1798         Support inline caching of RegExpMatchesArray.length
1799         <https://webkit.org/b/133234>
1800
1801         Give RegExpMatchesArray.length the same treatment as JSArray in
1802         repatch so we don't have to go out of line on every access.
1803
1804         ~13% speed-up on Octane/regexp.
1805
1806         Reviewed by Geoffrey Garen.
1807
1808         * jit/Repatch.cpp:
1809         (JSC::tryCacheGetByID):
1810         * runtime/RegExpMatchesArray.h:
1811         (JSC::isRegExpMatchesArray):
1812
1813 2014-05-22  Mark Lam  <mark.lam@apple.com>
1814
1815         REGRESSION(r154797): Debugger crashes when stepping over an uncaught exception.
1816         <https://webkit.org/b/133182>
1817
1818         Reviewed by Oliver Hunt.
1819
1820         Before r154797, we used to clear the VM exception before calling into the
1821         debugger.  After r154797, we don't.  This patch will restore this clearing
1822         of the exception before calling into the debugger.
1823
1824         Also added assertions after returning from calls into the debugger to
1825         ensure that the debugger did not introduce any exceptions.
1826
1827         * interpreter/Interpreter.cpp:
1828         (JSC::unwindCallFrame):
1829         (JSC::Interpreter::unwind):
1830         (JSC::Interpreter::debug):
1831         - Fixed the assertion here.  Interpreter::debug() should never be called
1832           with a pending exception.  Debugger callbacks for exceptions should be
1833           handled by Interpreter::unwind() and Interpreter::unwindCallFrame().
1834
1835 2014-05-21  Filip Pizlo  <fpizlo@apple.com>
1836
1837         Store barrier elision should run after DCE in both the DFG path and the FTL path
1838         https://bugs.webkit.org/show_bug.cgi?id=129718
1839
1840         Rubber stamped by Mark Hahnenberg.
1841
1842         * dfg/DFGPlan.cpp:
1843         (JSC::DFG::Plan::compileInThreadImpl):
1844
1845 2014-05-21  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>
1846
1847         [EFL] Add include path of compact_unwind_encoding.h if FTL JIT is enabled
1848         https://bugs.webkit.org/show_bug.cgi?id=132907
1849
1850         Reviewed by Gyuyoung Kim.
1851
1852         * CMakeLists.txt:
1853
1854 2014-05-16  Martin Robinson  <mrobinson@igalia.com>
1855
1856         [CMake] Improve handling of LIB_INSTALL_DIR, EXEC_INSTALL_DIR, and LIBEXEC_INSTALL_DIR
1857         https://bugs.webkit.org/show_bug.cgi?id=132819
1858
1859         Reviewed by Carlos Garcia Campos.
1860
1861         * javascriptcoregtk.pc.in: Instead of using the special pkg-config variables,
1862         use the common CMake ones directly.
1863
1864 2014-05-21  Filip Pizlo  <fpizlo@apple.com>
1865
1866         Unreviewed, roll out http://trac.webkit.org/changeset/169159.
1867         
1868         This was a unilateral change and wasn't properly reviewed.
1869
1870         * tests/mozilla/mozilla-tests.yaml:
1871
1872 2014-05-21  Antoine Quint  <graouts@webkit.org>
1873
1874         Array.prototype.find and findIndex should skip holes
1875         https://bugs.webkit.org/show_bug.cgi?id=132658
1876
1877         Reviewed by Geoffrey Garen.
1878
1879         Skip holes in the array when iterating such that the callback isn't called.
1880
1881         * builtins/Array.prototype.js:
1882         (find):
1883         (findIndex):
1884
1885 2014-05-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
1886
1887         REGRESSION(r169092 and r169102): Skip failing JSC tests on ARM64 properly
1888         https://bugs.webkit.org/show_bug.cgi?id=133149
1889
1890         Reviewed by Csaba Osztrogonác.
1891
1892         * tests/mozilla/mozilla-tests.yaml:
1893
1894 2014-05-20  Geoffrey Garen  <ggaren@apple.com>
1895
1896         Rolled out <http://trac.webkit.org/changeset/166184>
1897         https://bugs.webkit.org/show_bug.cgi?id=133144
1898
1899         Reviewed by Gavin Barraclough.
1900
1901         It caused a performance regression.
1902
1903         * heap/BlockAllocator.cpp:
1904         (JSC::BlockAllocator::blockFreeingThreadStartFunc):
1905
1906 2014-05-20  Filip Pizlo  <fpizlo@apple.com>
1907
1908         DFG prediction propagation should agree with fixup phase over the return type of GetByVal
1909         https://bugs.webkit.org/show_bug.cgi?id=133134
1910
1911         Reviewed by Mark Hahnenberg.
1912         
1913         Make prediction propagator use ArrayMode refinement to decide the return type.
1914         
1915         Also introduce a heap prediction intrinsic that allows us to test weird corner cases
1916         like this. The only way we'll see a mismatch like this in the real world is probably
1917         through a gnarly race condition.
1918
1919         * dfg/DFGByteCodeParser.cpp:
1920         (JSC::DFG::ByteCodeParser::handleIntrinsic):
1921         * dfg/DFGNode.h:
1922         (JSC::DFG::Node::setHeapPrediction):
1923         * dfg/DFGPredictionPropagationPhase.cpp:
1924         (JSC::DFG::PredictionPropagationPhase::propagate):
1925         * jsc.cpp:
1926         (GlobalObject::finishCreation):
1927         (functionFalse1):
1928         (functionFalse2):
1929         (functionUndefined1):
1930         (functionUndefined2):
1931         (functionFalse): Deleted.
1932         (functionOtherFalse): Deleted.
1933         (functionUndefined): Deleted.
1934         * runtime/Intrinsic.h:
1935         * tests/stress/get-by-val-double-predicted-int.js: Added.
1936         (foo):
1937
1938 2014-05-20  Mark Hahnenberg  <mhahnenberg@apple.com>
1939
1940         Watchdog timer should be lazily allocated
1941         https://bugs.webkit.org/show_bug.cgi?id=133135
1942
1943         Reviewed by Geoffrey Garen.
1944
1945         We incur a noticeable amount of overhead on some benchmarks due to checking if the Watchdog ever fired. 
1946         There is no reason to do this checking if we never activated the Watchdog, which can only be done through 
1947         JSContextGroupSetExecutionTimeLimit or JSContextGroupClearExecutionTimeLimit. 
1948
1949         By allocating the Watchdog lazily on the VM we can avoid all of the associated overhead when we don't use 
1950         these two API functions (which is true of most clients).
1951
1952         * API/JSContextRef.cpp:
1953         (JSContextGroupSetExecutionTimeLimit):
1954         (JSContextGroupClearExecutionTimeLimit):
1955         * dfg/DFGByteCodeParser.cpp:
1956         (JSC::DFG::ByteCodeParser::parseBlock):
1957         * dfg/DFGSpeculativeJIT32_64.cpp:
1958         (JSC::DFG::SpeculativeJIT::compile):
1959         * dfg/DFGSpeculativeJIT64.cpp:
1960         (JSC::DFG::SpeculativeJIT::compile):
1961         * interpreter/Interpreter.cpp:
1962         (JSC::Interpreter::execute):
1963         (JSC::Interpreter::executeCall):
1964         (JSC::Interpreter::executeConstruct):
1965         * jit/JITOpcodes.cpp:
1966         (JSC::JIT::emit_op_loop_hint):
1967         (JSC::JIT::emitSlow_op_loop_hint):
1968         * jit/JITOperations.cpp:
1969         * llint/LLIntSlowPaths.cpp:
1970         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1971         * runtime/VM.h:
1972         * runtime/Watchdog.cpp:
1973         (JSC::Watchdog::Scope::Scope): Deleted.
1974         (JSC::Watchdog::Scope::~Scope): Deleted.
1975         * runtime/Watchdog.h:
1976         (JSC::Watchdog::Scope::Scope):
1977         (JSC::Watchdog::Scope::~Scope):
1978
1979 2014-05-19  Mark Hahnenberg  <mhahnenberg@apple.com>
1980
1981         JSArray::shiftCountWith* could be more efficient
1982         https://bugs.webkit.org/show_bug.cgi?id=133011
1983
1984         Reviewed by Geoffrey Garen.
1985
1986         Our current implementations of shiftCountWithAnyIndexingType and shiftCountWithArrayStorage 
1987         are scared of the presence of any holes in the array. We can mitigate this somewhat by enabling 
1988         them to correctly handle holes, thus avoiding the slowest of slow paths in most cases.
1989
1990         * runtime/ArrayStorage.h:
1991         (JSC::ArrayStorage::indexingHeader):
1992         (JSC::ArrayStorage::length):
1993         (JSC::ArrayStorage::hasHoles):
1994         * runtime/IndexingHeader.h:
1995         (JSC::IndexingHeader::publicLength):
1996         (JSC::IndexingHeader::from):
1997         * runtime/JSArray.cpp:
1998         (JSC::JSArray::shiftCountWithArrayStorage):
1999         (JSC::JSArray::shiftCountWithAnyIndexingType):
2000         (JSC::JSArray::unshiftCountWithArrayStorage):
2001         * runtime/JSArray.h:
2002         (JSC::JSArray::shiftCountForShift):
2003         (JSC::JSArray::shiftCountForSplice):
2004         (JSC::JSArray::shiftCount):
2005         * runtime/Structure.cpp:
2006         (JSC::Structure::holesRequireSpecialBehavior):
2007         * runtime/Structure.h:
2008
2009 2014-05-19  Filip Pizlo  <fpizlo@apple.com>
2010
2011         Test gardening: skip some failing tests on not-X86.
2012
2013         * tests/mozilla/mozilla-tests.yaml:
2014
2015 2014-05-19  Mark Lam  <mark.lam@apple.com>
2016
2017         operationOptimize() should defer the GC for a while.
2018         <https://webkit.org/b/133103>
2019
2020         Reviewed by Filip Pizlo.
2021
2022         Currently, operationOptimize() only defers the GC until its end.  As a result,
2023         a GC may be triggered just before we return from operationOptimize(), and it may
2024         jettison the optimized codeBlock that we're planning to OSR enter into when we
2025         return from this function.  This is because the OSR entry on-ramp code hasn't
2026         been executed yet, and hence, there is not yet a reference to this new codeBlock
2027         from the stack, and there won't be until we've had a chance to return out of
2028         operationOptimize() to run the OSR entry on-ramp code.
2029
2030         This issue is now fixed by using DeferGCForAWhile instead of DeferGC.  This
2031         ensures that the GC will be deferred until after the OSR entry on-ramp can be
2032         executed.
2033
2034         * jit/JITOperations.cpp:
2035
2036 2014-05-19  Filip Pizlo  <fpizlo@apple.com>
2037
2038         Take care of some ARM64 test failures
2039         https://bugs.webkit.org/show_bug.cgi?id=133090
2040
2041         Reviewed by Geoffrey Garen.
2042         
2043         Constant blinding on ARM64 cannot use the scratch register.
2044
2045         * assembler/MacroAssembler.h:
2046         (JSC::MacroAssembler::convertInt32ToDouble):
2047         (JSC::MacroAssembler::branchPtr):
2048         (JSC::MacroAssembler::storePtr):
2049         (JSC::MacroAssembler::store64):
2050         * assembler/MacroAssemblerARM64.h:
2051         (JSC::MacroAssemblerARM64::scratchRegisterForBlinding):
2052
2053 2014-05-19  Tanay C  <tanay.c@samsung.com>
2054
2055         Removing some check-webkit-style warnings from ./dfg
2056         https://bugs.webkit.org/show_bug.cgi?id=132854
2057
2058         Reviewed by Darin Adler.
2059
2060         * dfg/DFGAbstractInterpreter.h:
2061         * dfg/DFGAbstractValue.h:
2062         * dfg/DFGBlockInsertionSet.h:
2063         * dfg/DFGCommonData.h:
2064         * dfg/DFGDominators.h:
2065         * dfg/DFGGraph.h:
2066         * dfg/DFGInPlaceAbstractState.h:
2067         * dfg/DFGPredictionPropagationPhase.h:
2068
2069 2014-05-18  Filip Pizlo  <fpizlo@apple.com>
2070
2071         Unreviewed, remove bogus comment. We already made the FTL use our calling convention.
2072         That was a long time ago.
2073
2074         * ftl/FTLLowerDFGToLLVM.cpp:
2075         (JSC::FTL::LowerDFGToLLVM::compileReturn):
2076
2077 2014-05-18  Rik Cabanier  <cabanier@adobe.com>
2078
2079         support for navigator.hardwareConcurrency
2080         https://bugs.webkit.org/show_bug.cgi?id=132588
2081
2082         Reviewed by Filip Pizlo.
2083
2084         * Configurations/FeatureDefines.xcconfig:
2085
2086 2014-05-16  Michael Saboff  <msaboff@apple.com>
2087
2088         Crash in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed() due to WTF::CrashOnOverflow::overflowed + 9
2089         https://bugs.webkit.org/show_bug.cgi?id=133009
2090
2091         Reviewed by Oliver Hunt.
2092
2093         If we determine that any alternative requires a minimum match size greater than
2094         INT_MAX, we handle the match in the interpreter.
2095
2096         Check to see if the pattern has unsigned lengths before invoking YARR JIT.
2097         * runtime/RegExp.cpp:
2098         (JSC::RegExp::compile):
2099         (JSC::RegExp::compileMatchOnly):
2100
2101         * tests/stress/large-regexp.js: New test added.
2102
2103         Set m_containsUnsignedLengthPattern flag if any alternative's minimum length
2104         doesn't fit in an int.
2105         * yarr/YarrPattern.cpp:
2106         (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):
2107
2108         Clear new m_containsUnsignedLengthPattern flag.
2109         * yarr/YarrPattern.cpp:
2110         (JSC::Yarr::YarrPattern::YarrPattern):
2111         * yarr/YarrPattern.h:
2112         (JSC::Yarr::YarrPattern::reset):
2113         (JSC::Yarr::YarrPattern::containsUnsignedLengthPattern):
2114
2115 2014-05-15  Mark Hahnenberg  <mhahnenberg@apple.com>
2116
2117         JSDOMWindow should not claim HasImpureGetOwnPropertySlot
2118         https://bugs.webkit.org/show_bug.cgi?id=132918
2119
2120         Reviewed by Geoffrey Garen.
2121
2122         * jit/Repatch.cpp:
2123         (JSC::tryRepatchIn): We forgot to check for watchpoints when repatching "in".
2124
2125 2014-05-15  Alex Christensen  <achristensen@webkit.org>
2126
2127         Add pointer lock to features without enabling it.
2128         https://bugs.webkit.org/show_bug.cgi?id=132961
2129
2130         Reviewed by Sam Weinig.
2131
2132         * Configurations/FeatureDefines.xcconfig:
2133         Added ENABLE_POINTER_LOCK to list of features.
2134
2135 2014-05-14  Mark Hahnenberg  <mhahnenberg@apple.com>
2136
2137         Inline caching for proxies clobbers baseGPR too early
2138         https://bugs.webkit.org/show_bug.cgi?id=132916
2139
2140         Reviewed by Filip Pizlo.
2141
2142         We clobber baseGPR prior to the Structure checks, so if any of the checks fail then the slow path 
2143         gets the target of the proxy rather than the proxy itself. We need to delay the clobbering of baseGPR 
2144         until we know the inline cache is going to succeed.
2145
2146         * jit/Repatch.cpp:
2147         (JSC::generateByIdStub):
2148
2149 2014-05-14  Brent Fulgham  <bfulgham@apple.com>
2150
2151         [Win] Unreviewed build fix.
2152
2153         * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: This solution
2154         was missing commands to build LLInt portions of JSC.
2155         * llint/LLIntData.cpp: 64-bit build fix.
2156
2157 2014-05-14  Martin Hodovan  <mhodovan.u-szeged@partner.samsung.com>
2158
2159         ARM Traditional buildfix after r168776.
2160         https://bugs.webkit.org/show_bug.cgi?id=132903
2161
2162         Reviewed by Darin Adler.
2163
2164         * assembler/MacroAssemblerARM.h:
2165         (JSC::MacroAssemblerARM::abortWithReason): Added.
2166
2167 2014-05-14  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>
2168
2169         Remove CSS_STICKY_POSITION guards
2170         https://bugs.webkit.org/show_bug.cgi?id=132676
2171
2172         Reviewed by Simon Fraser.
2173
2174         * Configurations/FeatureDefines.xcconfig:
2175
2176 2014-05-13  Filip Pizlo  <fpizlo@apple.com>
2177
2178         JIT breakpoints should be more informative
2179         https://bugs.webkit.org/show_bug.cgi?id=132882
2180
2181         Reviewed by Oliver Hunt.
2182         
2183         Introduce the notion of an AbortReason, which is a nice enumeration of coded assertion
2184         failure names. This means that all you need to figure out why the JIT SIGTRAP'd is to look
2185         at that platform's abort reason register (r11 on X86-64 for example).
2186
2187         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2188         * JavaScriptCore.xcodeproj/project.pbxproj:
2189         * assembler/AbortReason.h: Added.
2190         * assembler/AbstractMacroAssembler.h:
2191         * assembler/MacroAssemblerARM64.h:
2192         (JSC::MacroAssemblerARM64::abortWithReason):
2193         * assembler/MacroAssemblerARMv7.h:
2194         (JSC::MacroAssemblerARMv7::abortWithReason):
2195         * assembler/MacroAssemblerX86.h:
2196         (JSC::MacroAssemblerX86::abortWithReason):
2197         * assembler/MacroAssemblerX86_64.h:
2198         (JSC::MacroAssemblerX86_64::abortWithReason):
2199         * dfg/DFGSlowPathGenerator.h:
2200         (JSC::DFG::SlowPathGenerator::generate):
2201         * dfg/DFGSpeculativeJIT.cpp:
2202         (JSC::DFG::SpeculativeJIT::bail):
2203         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2204         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2205         * dfg/DFGSpeculativeJIT.h:
2206         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
2207         * dfg/DFGSpeculativeJIT32_64.cpp:
2208         (JSC::DFG::SpeculativeJIT::compile):
2209         * dfg/DFGSpeculativeJIT64.cpp:
2210         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2211         (JSC::DFG::SpeculativeJIT::compile):
2212         * dfg/DFGThunks.cpp:
2213         (JSC::DFG::osrEntryThunkGenerator):
2214         * jit/AssemblyHelpers.cpp:
2215         (JSC::AssemblyHelpers::jitAssertIsInt32):
2216         (JSC::AssemblyHelpers::jitAssertIsJSInt32):
2217         (JSC::AssemblyHelpers::jitAssertIsJSNumber):
2218         (JSC::AssemblyHelpers::jitAssertIsJSDouble):
2219         (JSC::AssemblyHelpers::jitAssertIsCell):
2220         (JSC::AssemblyHelpers::jitAssertTagsInPlace):
2221         (JSC::AssemblyHelpers::jitAssertHasValidCallFrame):
2222         (JSC::AssemblyHelpers::jitAssertIsNull):
2223         (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
2224         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
2225         * jit/AssemblyHelpers.h:
2226         (JSC::AssemblyHelpers::checkStackPointerAlignment):
2227         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): Deleted.
2228         * jit/JIT.h:
2229         * jit/JITArithmetic.cpp:
2230         (JSC::JIT::emitSlow_op_div):
2231         * jit/JITOpcodes.cpp:
2232         (JSC::JIT::emitSlow_op_loop_hint):
2233         * jit/JITOpcodes32_64.cpp:
2234         (JSC::JIT::privateCompileCTINativeCall):
2235         * jit/JITPropertyAccess.cpp:
2236         (JSC::JIT::emit_op_get_by_val):
2237         (JSC::JIT::compileGetDirectOffset):
2238         (JSC::JIT::addStructureTransitionCheck): Deleted.
2239         (JSC::JIT::testPrototype): Deleted.
2240         * jit/JITPropertyAccess32_64.cpp:
2241         (JSC::JIT::emit_op_get_by_val):
2242         (JSC::JIT::compileGetDirectOffset):
2243         * jit/RegisterPreservationWrapperGenerator.cpp:
2244         (JSC::generateRegisterRestoration):
2245         * jit/Repatch.cpp:
2246         (JSC::addStructureTransitionCheck):
2247         (JSC::linkClosureCall):
2248         * jit/ThunkGenerators.cpp:
2249         (JSC::emitPointerValidation):
2250         (JSC::nativeForGenerator):
2251         * yarr/YarrJIT.cpp:
2252         (JSC::Yarr::YarrGenerator::generate):
2253
2254 2014-05-13  peavo@outlook.com  <peavo@outlook.com>
2255
2256         [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
2257         https://bugs.webkit.org/show_bug.cgi?id=132772
2258
2259         Reviewed by Geoffrey Garen.
2260
2261         Using the MSVC compiler, an instance of an enum type with value zero is compatible with void* (see bug 132683 for a code example).
2262         This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
2263         This patch tries to prevent this type of crash by using a type with explicit constructors instead of void*.
2264         The void* parameter in the loadDouble and storeDouble methods is replaced with TrustedImmPtr.
2265
2266         * assembler/MacroAssemblerARM.h:
2267         (JSC::MacroAssemblerARM::loadDouble):
2268         (JSC::MacroAssemblerARM::storeDouble):
2269         * assembler/MacroAssemblerARM64.h:
2270         (JSC::MacroAssemblerARM64::loadDouble):
2271         (JSC::MacroAssemblerARM64::storeDouble):
2272         * assembler/MacroAssemblerARMv7.h:
2273         (JSC::MacroAssemblerARMv7::loadDouble):
2274         (JSC::MacroAssemblerARMv7::storeDouble):
2275         * assembler/MacroAssemblerMIPS.h:
2276         (JSC::MacroAssemblerMIPS::loadDouble):
2277         (JSC::MacroAssemblerMIPS::storeDouble):
2278         * assembler/MacroAssemblerSH4.h:
2279         (JSC::MacroAssemblerSH4::loadDouble):
2280         (JSC::MacroAssemblerSH4::storeDouble):
2281         * assembler/MacroAssemblerX86.h:
2282         (JSC::MacroAssemblerX86::storeDouble):
2283         * assembler/MacroAssemblerX86Common.h:
2284         (JSC::MacroAssemblerX86Common::absDouble):
2285         (JSC::MacroAssemblerX86Common::negateDouble):
2286         (JSC::MacroAssemblerX86Common::loadDouble):
2287         * dfg/DFGSpeculativeJIT.cpp:
2288         (JSC::DFG::SpeculativeJIT::silentFill):
2289         (JSC::DFG::compileClampDoubleToByte):
2290         * dfg/DFGSpeculativeJIT32_64.cpp:
2291         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2292         (JSC::DFG::SpeculativeJIT::compile):
2293         * jit/AssemblyHelpers.cpp:
2294         (JSC::AssemblyHelpers::purifyNaN):
2295         * jit/JITInlines.h:
2296         (JSC::JIT::emitLoadDouble):
2297         * jit/JITPropertyAccess.cpp:
2298         (JSC::JIT::emitFloatTypedArrayGetByVal):
2299         * jit/ThunkGenerators.cpp:
2300         (JSC::floorThunkGenerator):
2301         (JSC::roundThunkGenerator):
2302         (JSC::powThunkGenerator):
2303
2304 2014-05-12  Commit Queue  <commit-queue@webkit.org>
2305
2306         Unreviewed, rolling out r168642.
2307         https://bugs.webkit.org/show_bug.cgi?id=132839
2308
2309         Broke ARM build (Requested by jpfau on #webkit).
2310
2311         Reverted changeset:
2312
2313         "[Win] Enum type with value zero is compatible with void*,
2314         potential cause of crashes."
2315         https://bugs.webkit.org/show_bug.cgi?id=132772
2316         http://trac.webkit.org/changeset/168642
2317
2318 2014-05-12  peavo@outlook.com  <peavo@outlook.com>
2319
2320         [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
2321         https://bugs.webkit.org/show_bug.cgi?id=132772
2322
2323         Reviewed by Geoffrey Garen.
2324
2325         Using the MSVC compiler, an instance of an enum type with value zero is compatible with void* (see bug 132683 for a code example).
2326         This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
2327         This patch tries to prevent this type of crash by using a type with explicit constructors instead of void*.
2328         The void* parameter in the loadDouble and storeDouble methods is replaced with TrustedImmPtr.
2329
2330         * assembler/MacroAssemblerARM.h:
2331         (JSC::MacroAssemblerARM::loadDouble):
2332         (JSC::MacroAssemblerARM::storeDouble):
2333         * assembler/MacroAssemblerARM64.h:
2334         (JSC::MacroAssemblerARM64::loadDouble):
2335         (JSC::MacroAssemblerARM64::storeDouble):
2336         * assembler/MacroAssemblerARMv7.h:
2337         (JSC::MacroAssemblerARMv7::loadDouble):
2338         (JSC::MacroAssemblerARMv7::storeDouble):
2339         * assembler/MacroAssemblerMIPS.h:
2340         (JSC::MacroAssemblerMIPS::loadDouble):
2341         (JSC::MacroAssemblerMIPS::storeDouble):
2342         * assembler/MacroAssemblerSH4.h:
2343         (JSC::MacroAssemblerSH4::loadDouble):
2344         (JSC::MacroAssemblerSH4::storeDouble):
2345         * assembler/MacroAssemblerX86.h:
2346         (JSC::MacroAssemblerX86::storeDouble):
2347         * assembler/MacroAssemblerX86Common.h:
2348         (JSC::MacroAssemblerX86Common::absDouble):
2349         (JSC::MacroAssemblerX86Common::negateDouble):
2350         (JSC::MacroAssemblerX86Common::loadDouble):
2351         * dfg/DFGSpeculativeJIT.cpp:
2352         (JSC::DFG::SpeculativeJIT::silentFill):
2353         (JSC::DFG::compileClampDoubleToByte):
2354         * dfg/DFGSpeculativeJIT32_64.cpp:
2355         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2356         (JSC::DFG::SpeculativeJIT::compile):
2357         * jit/AssemblyHelpers.cpp:
2358         (JSC::AssemblyHelpers::purifyNaN):
2359         * jit/JITInlines.h:
2360         (JSC::JIT::emitLoadDouble):
2361         * jit/JITPropertyAccess.cpp:
2362         (JSC::JIT::emitFloatTypedArrayGetByVal):
2363         * jit/ThunkGenerators.cpp:
2364         (JSC::floorThunkGenerator):
2365         (JSC::roundThunkGenerator):
2366         (JSC::powThunkGenerator):
2367
2368 2014-05-12  Andreas Kling  <akling@apple.com>
2369
2370         0.4% of PLT3 in JSCell::structure() below JSObject::visitChildren().
2371         <https://webkit.org/b/132828>
2372         <rdar://problem/16886285>
2373
2374         Reviewed by Michael Saboff.
2375
2376         * runtime/JSObject.cpp:
2377         (JSC::JSObject::visitButterfly):
2378         (JSC::JSObject::visitChildren):
2379
2380             Use JSCell::structure(VM&) to reduce the number of hoops we jump
2381             through to find Structures during marking.
2382
2383 2014-05-12  László Langó  <llango.u-szeged@partner.samsung.com>
2384
2385         [cmake] Add missing FTL source files to the build system.
2386
2387         Reviewed by Csaba Osztrogonác.
2388
2389         * CMakeLists.txt:
2390
2391 2014-05-09  Joseph Pecoraro  <pecoraro@apple.com>
2392
2393         Web Inspector: Allow Remote Inspector to entitlement check UIProcess through WebProcess
2394         https://bugs.webkit.org/show_bug.cgi?id=132409
2395
2396         Reviewed by Timothy Hatcher.
2397
2398         Proxy applications are applications which hold WebViews for other
2399         applications. The WebProcess (Web Content Service) is a proxy application.
2400         For legacy reasons we were supporting a scenario where proxy applications
2401         could potentially host WebViews for more than one other application. That
2402         was never the case for WebProcess and it is now a scenario we don't need
2403         to worry about supporting.
2404
2405         With this change, a proxy application more naturally only holds WebViews
2406         for a single parent / host application. The proxy process can set the
2407         parent pid / audit_token data on the RemoteInspector singleton, and
2408         that data will be sent on to webinspectord later on to be validated.
2409         In the WebProcess<->UIProcess relationship that information is known
2410         and set immediately. In the Legacy iOS case that information is set
2411         soon after, but not immediately known at the point the WebView is created.
2412
2413         This allows us to simplify the RemoteInspectorDebuggable interface.
2414         We no longer need a pid per-Debuggable.
2415
2416         * inspector/remote/RemoteInspector.h:
2417         * inspector/remote/RemoteInspector.mm:
2418         (Inspector::RemoteInspector::RemoteInspector):
2419         (Inspector::RemoteInspector::setParentProcessInformation):
2420         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
2421         (Inspector::RemoteInspector::listingForDebuggable):
2422         (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
2423         Handle new proxy application setup message, and provide an API
2424         for a proxy application to set the parent process information.
2425
2426         * inspector/remote/RemoteInspectorConstants.h:
2427         New setup and response message for proxy applications to pass
2428         their parent / host application information to webinspectord.
2429
2430         * inspector/remote/RemoteInspectorDebuggable.cpp:
2431         (Inspector::RemoteInspectorDebuggable::info):
2432         * inspector/remote/RemoteInspectorDebuggable.h:
2433         (Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo):
2434         (Inspector::RemoteInspectorDebuggableInfo::hasParentProcess): Deleted.
2435         pid per debuggable is no longer needed.
2436
2437 2014-05-09  Mark Hahnenberg  <mhahnenberg@apple.com>
2438
2439         JSDOMWindow should disable property caching after a certain point
2440         https://bugs.webkit.org/show_bug.cgi?id=132751
2441
2442         Reviewed by Filip Pizlo.
2443
2444         This is part of removing HasImpureGetOwnPropertySlot from JSDOMWindow. After the lookup in the static 
2445         hash table for JSDOMWindow fails we want to disable property caching even if the code that follows thinks 
2446         that it has provided a cacheable value.
2447
2448         * runtime/PropertySlot.h:
2449         (JSC::PropertySlot::PropertySlot):
2450         (JSC::PropertySlot::isCacheable):
2451         (JSC::PropertySlot::disableCaching):
2452
2453 2014-05-09  Andreas Kling  <akling@apple.com>
2454
2455         8.8% spent in Object.prototype.hasOwnProperty() on sbperftest.
2456         <https://webkit.org/b/132749>
2457
2458         Leverage the fast-resolve-to-AtomicString optimization for JSRopeString
2459         in Object.prototype.* by using JSString::toIdentifier() in the cases where
2460         we are converting JSString -> String -> Identifier.
2461
2462         This brings time spent in hasOwnProperty() from 8.8% to 1.3% on
2463         "The Great HTML5 Gaming Performance Test: 2014 edition"
2464         <http://www.scirra.com/demos/c2/sbperftest/>
2465
2466         Reviewed by Oliver Hunt.
2467
2468         * runtime/ObjectPrototype.cpp:
2469         (JSC::objectProtoFuncHasOwnProperty):
2470         (JSC::objectProtoFuncDefineGetter):
2471         (JSC::objectProtoFuncDefineSetter):
2472         (JSC::objectProtoFuncLookupGetter):
2473         (JSC::objectProtoFuncLookupSetter):
2474
2475 2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>
2476
2477         JSDOMWindow should have a WatchpointSet to fire on window close
2478         https://bugs.webkit.org/show_bug.cgi?id=132721
2479
2480         Reviewed by Filip Pizlo.
2481
2482         This patch allows us to reset the inline caches that assumed they could skip 
2483         the first part of JSDOMWindow::getOwnPropertySlot that checks if the window has 
2484         been closed. This is part of getting rid of HasImpureGetOwnPropertySlot on JSDOMWindow.
2485
2486         PropertySlot now accepts a WatchpointSet which the inline cache code can look for
2487         to see if it should create a new Watchpoint for that particular inline cache site.
2488
2489         * bytecode/Watchpoint.h:
2490         * jit/Repatch.cpp:
2491         (JSC::generateByIdStub):
2492         (JSC::tryBuildGetByIDList):
2493         (JSC::tryCachePutByID):
2494         (JSC::tryBuildPutByIdList):
2495         * runtime/PropertySlot.h:
2496         (JSC::PropertySlot::PropertySlot):
2497         (JSC::PropertySlot::watchpointSet):
2498         (JSC::PropertySlot::setWatchpointSet):
2499
2500 2014-05-09  Tanay C  <tanay.c@samsung.com>
2501
2502         Fix build warning (uninitialized variable) in DFGFixupPhase.cpp 
2503         https://bugs.webkit.org/show_bug.cgi?id=132331
2504
2505         Reviewed by Darin Adler.
2506
2507         * dfg/DFGFixupPhase.cpp:
2508         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2509
2510 2014-05-09  peavo@outlook.com  <peavo@outlook.com>
2511
2512         [Win] Crash when enabling DFG JIT.
2513         https://bugs.webkit.org/show_bug.cgi?id=132683
2514
2515         Reviewed by Geoffrey Garen.
2516
2517         On Windows, using register GPRInfo::regT0 as a parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0)
2518         results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
2519         where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
2520         This causes the register to be written to address 0, hence the crash.
2521
2522         * dfg/DFGOSRExitCompiler32_64.cpp:
2523         (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
2524         * dfg/DFGOSRExitCompiler64.cpp:
2525         (JSC::DFG::OSRExitCompiler::compileExit): Ditto.
2526
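The two peavo@outlook.com entries above (bug 132683, the crash, and bug 132772, the TrustedImmPtr fix) describe one overload-resolution hazard: a `const void*` parameter in an overload set accepts anything the compiler considers a null pointer constant, and a standard conversion to that pointer outranks the user-defined conversion into an address wrapper. The program below is an added illustration, not JavaScriptCore code; `UnsafeAssembler`, `SafeAssembler`, `ImplicitAddress`, `Chosen` and the register enums are hypothetical stand-ins for the macro assembler's overload set. GCC and Clang do not treat a zero-valued enumerator as a null pointer constant, so the integer literal `0` plays that role here; the MSVC behaviour is taken from the entries, not reproduced by these compilers.

```cpp
#include <cstdio>
#include <type_traits>

// Hypothetical stand-ins for the macro assembler's register enums. eax is enumerator
// value 0, like GPRInfo::regT0 on Windows in the ChangeLog entries above.
enum RegisterID : int { eax = 0, ecx, edx };
enum FPRegisterID : int { xmm0 = 0, xmm1 };

// Non-explicit constructor: RegisterID -> ImplicitAddress is a user-defined conversion.
struct ImplicitAddress {
    RegisterID base;
    int offset;
    ImplicitAddress(RegisterID b, int o = 0) : base(b), offset(o) {}
};

enum class Chosen { RegisterIndirect, AbsoluteAddress };

// "Before": a const void* overload. Any null pointer constant reaches it through a
// standard conversion, which overload resolution prefers to the user-defined
// conversion into ImplicitAddress. A compiler that treats a zero-valued enumerator as
// a null pointer constant (MSVC, per the entries) therefore emits a store to address 0.
struct UnsafeAssembler {
    static Chosen storeDouble(FPRegisterID, ImplicitAddress) { return Chosen::RegisterIndirect; }
    static Chosen storeDouble(FPRegisterID, const void*)     { return Chosen::AbsoluteAddress; }
};

// "After": the address operand is a distinct type whose only constructor is explicit,
// so no integral zero, enumerator or otherwise, can be converted to it implicitly.
struct TrustedImmPtr {
    const void* value;
    explicit TrustedImmPtr(const void* v) : value(v) {}
};

struct SafeAssembler {
    static Chosen storeDouble(FPRegisterID, ImplicitAddress) { return Chosen::RegisterIndirect; }
    static Chosen storeDouble(FPRegisterID, TrustedImmPtr)   { return Chosen::AbsoluteAddress; }
};

// Compile-time probe: is `Asm::storeDouble(xmm0, 0)` well-formed? The literal 0 is written
// inside the decltype so that it really is a null pointer constant for the probe.
template <typename...> struct VoidT { typedef void type; };

template <typename Asm, typename = void>
struct AcceptsLiteralZero : std::false_type {};

template <typename Asm>
struct AcceptsLiteralZero<Asm, typename VoidT<decltype(Asm::storeDouble(xmm0, 0))>::type>
    : std::true_type {};

bool unsafeAcceptsLiteralZero() { return AcceptsLiteralZero<UnsafeAssembler>::value; }
bool safeAcceptsLiteralZero()   { return AcceptsLiteralZero<SafeAssembler>::value; }

// With the void* overload present, a bare 0 silently becomes "store to absolute address 0".
Chosen unsafeStoreWithZero()     { return UnsafeAssembler::storeDouble(xmm0, 0); }
// GCC/Clang resolve the enumerator to the register form; MSVC (per the entries) did not.
Chosen unsafeStoreWithRegister() { return UnsafeAssembler::storeDouble(xmm0, eax); }
Chosen safeStoreWithRegister()   { return SafeAssembler::storeDouble(xmm0, eax); }
// The only way to request an absolute store now is to say so explicitly.
Chosen safeStoreWithAddress(const void* p) { return SafeAssembler::storeDouble(xmm0, TrustedImmPtr(p)); }

int main() {
    std::printf("void* overload accepts literal 0: %d\n", unsafeAcceptsLiteralZero());
    std::printf("TrustedImmPtr overload accepts literal 0: %d\n", safeAcceptsLiteralZero());
    std::printf("unsafe storeDouble(xmm0, 0) chose absolute address: %d\n",
                unsafeStoreWithZero() == Chosen::AbsoluteAddress);
    return 0;
}
```

The probe is the part worth keeping around: once the wrapper's constructor is explicit, a call site that hands an integral zero to the address overload stops compiling instead of emitting a write to address 0, which is the failure the 132683 entry describes.
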
2527 2014-05-09  Martin Hodovan <mhodovan.u-szeged@partner.samsung.com>
2528
2529         REGRESSION(r167094): JSC crashes on ARM Traditional
2530         https://bugs.webkit.org/show_bug.cgi?id=132738
2531
2532         Reviewed by Zoltan Herczeg.
2533
2534         PC is two instructions ahead of the current instruction
2535         on ARM Traditional, so the distance is 8 bytes not 2.
2536
2537         * llint/LowLevelInterpreter.asm:
2538
2539 2014-05-09  Alberto Garcia  <berto@igalia.com>
2540
2541         jsmin.py license header confusing, mentions non-free license
2542         https://bugs.webkit.org/show_bug.cgi?id=123665
2543
2544         Reviewed by Darin Adler.
2545
2546         Pull the most recent version from upstream, which has a clear
2547         license.
2548
2549         * inspector/scripts/jsmin.py:
2550
2551 2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>
2552
2553         Base case for get-by-id inline cache doesn't check for HasImpureGetOwnPropertySlot
2554         https://bugs.webkit.org/show_bug.cgi?id=132695
2555
2556         Reviewed by Filip Pizlo.
2557
2558         We check in the case where we're accessing something other than the base object (e.g. the prototype), 
2559         but we fail to do so for the base object.
2560
2561         * jit/Repatch.cpp:
2562         (JSC::tryCacheGetByID):
2563         (JSC::tryBuildGetByIDList):
2564         * jsc.cpp: Added some infrastructure to support this test. We don't currently trigger this bug anywhere in WebKit
2565         because all of the values that are returned that could be impure are set to uncacheable anyways.
2566         (WTF::ImpureGetter::ImpureGetter):
2567         (WTF::ImpureGetter::createStructure):
2568         (WTF::ImpureGetter::create):
2569         (WTF::ImpureGetter::finishCreation):
2570         (WTF::ImpureGetter::getOwnPropertySlot):
2571         (WTF::ImpureGetter::visitChildren):
2572         (WTF::ImpureGetter::setDelegate):
2573         (GlobalObject::finishCreation):
2574         (functionCreateImpureGetter):
2575         (functionSetImpureGetterDelegate):
2576         * tests/stress/impure-get-own-property-slot-inline-cache.js: Added.
2577         (foo):
2578
2579 2014-05-08  Filip Pizlo  <fpizlo@apple.com>
2580
2581         deleteAllCompiledCode() shouldn't use the suspension worklist
2582         https://bugs.webkit.org/show_bug.cgi?id=132708
2583
2584         Reviewed by Mark Hahnenberg.
2585
2586         * bytecode/CodeBlock.cpp:
2587         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
2588         * dfg/DFGPlan.cpp:
2589         (JSC::DFG::Plan::isStillValid):
2590         * heap/Heap.cpp:
2591         (JSC::Heap::deleteAllCompiledCode):
2592
2593 2014-05-08  Filip Pizlo  <fpizlo@apple.com>
2594
2595         SSA conversion should delete PhantomLocals for captured variables
2596         https://bugs.webkit.org/show_bug.cgi?id=132693
2597
2598         Reviewed by Mark Hahnenberg.
2599
2600         * dfg/DFGCommon.cpp:
2601         (JSC::DFG::startCrashing): Parallel JIT and a JIT bug means that we may dump IR in parallel. This is the workaround. This patch uses it in all of the places where we dump IR and crash.
2602         * dfg/DFGCommon.h:
2603         * dfg/DFGFixupPhase.cpp:
2604         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): Use the workaround.
2605         * dfg/DFGLivenessAnalysisPhase.cpp:
2606         (JSC::DFG::LivenessAnalysisPhase::run): Use the workaround.
2607         * dfg/DFGSSAConversionPhase.cpp:
2608         (JSC::DFG::SSAConversionPhase::run): Fix the bug - it's true that PhantomLocal for captured variables doesn't need anything done to it, but it's wrong that we didn't delete it outright.
2609         * dfg/DFGValidate.cpp: Use the workaround.
2610         * tests/stress/phantom-local-captured-but-not-flushed-to-ssa.js: Added.
2611         (foo):
2612         (bar):
2613
2614 2014-05-07  Commit Queue  <commit-queue@webkit.org>
2615
2616         Unreviewed, rolling out r168451.
2617         https://bugs.webkit.org/show_bug.cgi?id=132670
2618
2619         Not a speed-up, just do what other compilers do. (Requested by
2620         kling on #webkit).
2621
2622         Reverted changeset:
2623
2624         "[X86] Emit BT instruction for single-bit tests."
2625         https://bugs.webkit.org/show_bug.cgi?id=132650
2626         http://trac.webkit.org/changeset/168451
2627
2628 2014-05-07  Filip Pizlo  <fpizlo@apple.com>
2629
2630         Make Executable::clearCode() actually clear all of the entrypoints, and
2631         clean up some other FTL-related calling convention stuff.
2632         <rdar://problem/16720172>
2633
2634         Rubber stamped by Mark Hahnenberg.
2635
2636         * dfg/DFGOperations.cpp:
2637         * dfg/DFGOperations.h:
2638         * dfg/DFGWorklist.cpp:
2639         (JSC::DFG::Worklist::Worklist):
2640         (JSC::DFG::Worklist::finishCreation):
2641         (JSC::DFG::Worklist::create):
2642         (JSC::DFG::ensureGlobalDFGWorklist):
2643         (JSC::DFG::ensureGlobalFTLWorklist):
2644         * dfg/DFGWorklist.h:
2645         * heap/CodeBlockSet.cpp:
2646         (JSC::CodeBlockSet::dump):
2647         * heap/CodeBlockSet.h:
2648         * runtime/Executable.cpp:
2649         (JSC::ExecutableBase::clearCode):
2650
2651 2014-05-07  Andreas Kling  <akling@apple.com>
2652
2653         [X86] Emit BT instruction for single-bit tests.
2654         <https://webkit.org/b/132650>
2655
2656         Implement test-bit-and-branch slightly more efficiently by using
2657         BT + JC/JNC instead of TEST + JZ/JNZ when we're only testing for
2658         a single bit.
2659
2660         Reviewed by Michael Saboff.
2661
2662         * assembler/MacroAssemblerX86Common.h:
2663         (JSC::MacroAssemblerX86Common::singleBitIndex):
2664         (JSC::MacroAssemblerX86Common::branchTest32):
2665         * assembler/X86Assembler.h:
2666         (JSC::X86Assembler::bt_i8r):
2667         (JSC::X86Assembler::bt_i8m):
2668
2669 2014-05-07  Mark Lam  <mark.lam@apple.com>
2670
2671         REGRESSION(r166678): Dromaeo/cssquery-dojo.html crashes regularly.
2672         <https://webkit.org/b/131356>
2673
2674         Reviewed by Geoffrey Garen.
2675
2676         The issue is that GC needs to be made aware of writes to m_inferredValue
2677         in the VariableWatchpointSet, but was not.  As a result, if a JSCell*
2678         is written to a VariableWatchpointSet m_inferredValue, and that JSCell
2679         does not survive an eden GC shortly after, we will end up with a stale
2680         JSCell pointer left in the m_inferredValue.
2681
2682         This issue can be detected more easily by running Dromaeo/cssquery-dojo.html
2683         using DumpRenderTree with the VM heap in zombie mode.
2684
2685         The fix is to change VariableWatchpointSet m_inferredValue to type
2686         WriteBarrier<Unknown> and ensure that VariableWatchpointSet::notifyWrite()
2687         is executed by all the execution engines so that the WriteBarrier semantics
2688         are honored.
2689
2690         We still check if the value to be written is the same as the one in the
2691         inferredValue.  We'll bypass calling the slow path notifyWrite() if the
2692         values are the same.
2693
2694         * JavaScriptCore.xcodeproj/project.pbxproj:
2695         * bytecode/CodeBlock.cpp:
2696         (JSC::CodeBlock::CodeBlock):
2697         - need to pass the symbolTable to prepareToWatch() because it will be needed
2698           for instantiating the VariableWatchpointSet in prepareToWatch().
2699
2700         * bytecode/VariableWatchpointSet.h:
2701         (JSC::VariableWatchpointSet::VariableWatchpointSet):
2702         - VariableWatchpointSet now tracks its owner symbol table for its m_inferredValue
2703           write barrier, and yes, m_inferredValue is now of type WriteBarrier<Unknown>.
2704         (JSC::VariableWatchpointSet::inferredValue):
2705         (JSC::VariableWatchpointSet::invalidate):
2706         (JSC::VariableWatchpointSet::finalizeUnconditionally):
2707         (JSC::VariableWatchpointSet::addressOfInferredValue):
2708         (JSC::VariableWatchpointSet::notifyWrite): Deleted.
2709         * bytecode/VariableWatchpointSetInlines.h: Added.
2710         (JSC::VariableWatchpointSet::notifyWrite):
2711
2712         * dfg/DFGByteCodeParser.cpp:
2713         (JSC::DFG::ByteCodeParser::cellConstant):
2714         - Added an assert in case we try to make constants of zombified JSCells again.
2715
2716         * dfg/DFGOperations.cpp:
2717         * dfg/DFGOperations.h:
2718         * dfg/DFGSpeculativeJIT.h:
2719         (JSC::DFG::SpeculativeJIT::callOperation):
2720         * dfg/DFGSpeculativeJIT32_64.cpp:
2721         (JSC::DFG::SpeculativeJIT::compile):
2722         * dfg/DFGSpeculativeJIT64.cpp:
2723         (JSC::DFG::SpeculativeJIT::compile):
2724         - We now let the slow path handle the cases when the VariableWatchpointSet is
2725           in state ClearWatchpoint and IsWatched, and the slow path will ensure that
2726           we handle the needed write barrier semantics correctly.
2727           We will bypass the slow path if the value being written is the same as the
2728           inferred value.
2729
2730         * ftl/FTLIntrinsicRepository.h:
2731         * ftl/FTLLowerDFGToLLVM.cpp:
2732         (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
2733         - Let the slow path handle the cases when the VariableWatchpointSet is
2734           in state ClearWatchpoint and IsWatched.
2735           We will bypass the slow path if the value being written is the same as the
2736           inferred value.
2737
2738         * heap/Heap.cpp:
2739         (JSC::Zombify::operator()):
2740         - Use a different value for the zombified bits (to distinguish it from 0xbbadbeef
2741           which is used everywhere else).
2742         * heap/Heap.h:
2743         (JSC::Heap::isZombified):
2744         - Provide a convenience test function to check if JSCells are zombified.  This is
2745           currently only used in an assertion in the DFG bytecode parser, but the intent
2746           is that we'll apply this test in other strategic places later to help with early
2747           detection of usage of GC'ed objects when we run in zombie mode.
2748
2749         * jit/JITOpcodes.cpp:
2750         (JSC::JIT::emitSlow_op_captured_mov):
2751         * jit/JITOperations.h:
2752         * jit/JITPropertyAccess.cpp:
2753         (JSC::JIT::emitNotifyWrite):
2754         * jit/JITPropertyAccess32_64.cpp:
2755         (JSC::JIT::emitNotifyWrite):
2756         (JSC::JIT::emitSlow_op_put_to_scope):
2757         - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
2758           is in state ClearWatchpoint and IsWatched.
2759           We will bypass the slow path if the value being written is the same as the
2760           inferred value.
2761         
2762         * llint/LowLevelInterpreter32_64.asm:
2763         * llint/LowLevelInterpreter64.asm:
2764         - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
2765           is in state ClearWatchpoint and IsWatched.
2766           We will bypass the slow path if the value being written is the same as the
2767           inferred value.
2768         
2769         * runtime/CommonSlowPaths.cpp:
2770
2771         * runtime/JSCJSValue.h: Fixed some typos in the comments.
2772         * runtime/JSGlobalObject.cpp:
2773         (JSC::JSGlobalObject::addGlobalVar):
2774         (JSC::JSGlobalObject::addFunction):
2775         * runtime/JSSymbolTableObject.h:
2776         (JSC::symbolTablePut):
2777         (JSC::symbolTablePutWithAttributes):
2778         * runtime/SymbolTable.cpp:
2779         (JSC::SymbolTableEntry::prepareToWatch):
2780         (JSC::SymbolTableEntry::notifyWriteSlow):
2781         * runtime/SymbolTable.h:
2782         (JSC::SymbolTableEntry::notifyWrite):
2783
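The Mark Lam entry above (bug 131356) is a generational-GC write-barrier bug: a raw pointer stored into m_inferredValue was invisible to the eden collector, so its target could be freed while the VariableWatchpointSet still pointed at it. The toy collector below is an added model, not JavaScriptCore code; `Heap`, `Cell`, `WatchpointSet` and the remembered-slot set are hypothetical simplifications of what the entry describes (a write barrier on the inferred value, a fast path that skips the slow path when the same value is written, and a "zombie" poison on collected cells instead of real freeing). It shows the stale pointer without the barrier and its absence with it.

```cpp
#include <cstdio>
#include <memory>
#include <set>
#include <vector>

// One GC-managed object. `zombified` mirrors the zombie mode the entry mentions: a
// collected cell is poisoned rather than unmapped, so a stale pointer is detectable.
struct Cell {
    bool marked = false;
    bool isOld = false;       // survived an eden collection
    bool zombified = false;
};

struct Heap {
    std::vector<std::unique_ptr<Cell>> cells;
    std::set<Cell**> rememberedSlots;   // slots the write barrier reported since the last eden GC

    Cell* allocate() {
        cells.emplace_back(new Cell);
        return cells.back().get();
    }

    // The write barrier: a slot the collector does not otherwise trace now references a
    // possibly-young cell, so the next eden GC must treat that slot as a root.
    void writeBarrier(Cell** slot) { rememberedSlots.insert(slot); }

    // Eden GC: young cells are poisoned unless reachable from a root or a remembered slot.
    // Old cells are not traced here at all, which is exactly why the barrier is needed.
    void collectEden(const std::vector<Cell*>& roots) {
        for (auto& c : cells) c->marked = false;
        for (Cell* r : roots) if (r) r->marked = true;
        for (Cell** slot : rememberedSlots) if (*slot) (*slot)->marked = true;
        for (auto& c : cells) {
            if (c->isOld) continue;
            if (c->marked) c->isOld = true;
            else c->zombified = true;       // poison instead of free; the pointer stays comparable
        }
        rememberedSlots.clear();
    }
};

enum class WatchpointState { ClearWatchpoint, IsWatched, IsInvalidated };

// Models VariableWatchpointSet: remembers the single value ever stored to a variable
// (the inferred value) and gives up once a second distinct value is seen.
struct WatchpointSet {
    WatchpointState state = WatchpointState::ClearWatchpoint;
    Cell* inferredValue = nullptr;

    // Fast path, as the JITs emit it: an invalidated set or a store of the same value
    // needs no work. Everything else takes the slow path, which also runs the barrier.
    void notifyWrite(Heap& heap, Cell* value, bool useBarrier) {
        if (state == WatchpointState::IsInvalidated || value == inferredValue) return;
        notifyWriteSlow(heap, value, useBarrier);
    }

    void notifyWriteSlow(Heap& heap, Cell* value, bool useBarrier) {
        if (state == WatchpointState::ClearWatchpoint) {
            inferredValue = value;
            state = WatchpointState::IsWatched;
            // The bug: the old code stored the raw pointer and stopped here. The fix routes
            // the store through a write barrier so the collector learns about the slot.
            if (useBarrier) heap.writeBarrier(&inferredValue);
        } else {
            inferredValue = nullptr;        // a second value: the variable is not a constant
            state = WatchpointState::IsInvalidated;
        }
    }
};

// A young cell is stored as the inferred value, then an eden GC runs with no other
// references to it. Returns whether the set now points at a collected (zombified) cell.
bool inferredValueIsStaleAfterEdenGC(bool useBarrier) {
    Heap heap;
    WatchpointSet set;
    set.notifyWrite(heap, heap.allocate(), useBarrier);
    heap.collectEden({});
    return set.inferredValue->zombified;
}

// Writing the same value twice stays on the fast path and keeps the set watched;
// a different second value invalidates it.
WatchpointState stateAfterWrites(bool secondValueDiffers) {
    Heap heap;
    WatchpointSet set;
    Cell* a = heap.allocate();
    Cell* b = secondValueDiffers ? heap.allocate() : a;
    set.notifyWrite(heap, a, true);
    set.notifyWrite(heap, b, true);
    return set.state;
}

int main() {
    std::printf("stale without barrier: %d\n", inferredValueIsStaleAfterEdenGC(false));
    std::printf("stale with barrier:    %d\n", inferredValueIsStaleAfterEdenGC(true));
    return 0;
}
```

The same-value fast path is safe precisely because it never introduces a new pointer: the slot already holds that cell, and the barrier ran when it was first stored. Any store that changes the slot's contents must reach the slow path, which is what the entry's JIT, FTL and LLInt changes enforce.
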
2784 2014-05-06  Michael Saboff  <msaboff@apple.com>
2785
2786         Unreviewed build fix for C-LOOP after r168396.
2787
2788         * runtime/TestRunnerUtils.cpp:
2789         (JSC::optimizeNextInvocation): Wrapped actual call inside #if ENABLE(JIT)
2790
2791 2014-05-06  Michael Saboff  <msaboff@apple.com>
2792
2793         Add test for deleteAllCompiledCode
2794         https://bugs.webkit.org/show_bug.cgi?id=132632
2795
2796         Reviewed by Phil Pizlo.
2797
2798         Added two new hooks to jsc, one to call Heap::deleteAllCompiledCode() and
2799         the other to call CodeBlock::optimizeNextInvocation().  Used these two hooks
2800         to write a test that will queue up loads of DFG compiles and then call
2801         Heap::deleteAllCompiledCode() to make sure that it can handle compiled
2802         code as well as code being compiled.
2803
2804         * jsc.cpp:
2805         (GlobalObject::finishCreation):
2806         (functionDeleteAllCompiledCode):
2807         (functionOptimizeNextInvocation):
2808         * runtime/TestRunnerUtils.cpp:
2809         (JSC::optimizeNextInvocation):
2810         * runtime/TestRunnerUtils.h:
2811         * tests/stress/deleteAllCompiledCode.js: Added.
2812         (functionList):
2813         (runTest):
2814
2815 2014-05-06  Andreas Kling  <akling@apple.com>
2816
2817         JSString::toAtomicString() should return AtomicString.
2818         <https://webkit.org/b/132627>
2819
2820         Remove premature optimization where I was trying to avoid refcount
2821         churn when returning an already atomicized String.
2822
2823         Instead of using reinterpret_cast to mangle the String member into
2824         a const AtomicString& return value, just return AtomicString.
2825
2826         Reviewed by Geoff Garen.
2827
2828         * runtime/JSString.h:
2829         (JSC::JSString::toAtomicString):
2830
2831 2014-05-06  Mark Hahnenberg  <mhahnenberg@apple.com>
2832
2833         Roll out r167889
2834
2835         Rubber stamped by Geoff Garen.
2836
2837         It broke some websites.
2838
2839         * runtime/JSPropertyNameIterator.cpp:
2840         (JSC::JSPropertyNameIterator::create):
2841         * runtime/PropertyMapHashTable.h:
2842         (JSC::PropertyTable::hasDeletedOffset):
2843         (JSC::PropertyTable::hadDeletedOffset): Deleted.
2844         * runtime/Structure.cpp:
2845         (JSC::Structure::Structure):
2846         (JSC::Structure::materializePropertyMap):
2847         (JSC::Structure::removePropertyTransition):
2848         (JSC::Structure::changePrototypeTransition):
2849         (JSC::Structure::despecifyFunctionTransition):
2850         (JSC::Structure::attributeChangeTransition):
2851         (JSC::Structure::toDictionaryTransition):
2852         (JSC::Structure::preventExtensionsTransition):
2853         (JSC::Structure::addPropertyWithoutTransition):
2854         (JSC::Structure::removePropertyWithoutTransition):
2855         (JSC::Structure::pin):
2856         (JSC::Structure::pinAndPreventTransitions): Deleted.
2857         * runtime/Structure.h:
2858         * runtime/StructureInlines.h:
2859         (JSC::Structure::setEnumerationCache):
2860         (JSC::Structure::propertyTable):
2861         (JSC::Structure::checkOffsetConsistency):
2862         (JSC::Structure::hadDeletedOffsets): Deleted.
2863         * tests/stress/for-in-after-delete.js:
2864         (foo): Deleted.
2865
2866 2014-05-05  Andreas Kling  <akling@apple.com>
2867
2868         Fix debug build.
2869
2870         * runtime/JSCellInlines.h:
2871         (JSC::JSCell::fastGetOwnProperty):
2872
2873 2014-05-05  Andreas Kling  <akling@apple.com>
2874
2875         Optimize GetByVal when subscript is a rope string.
2876         <https://webkit.org/b/132590>
2877
2878         Use JSString::toIdentifier() in the various GetByVal implementations
2879         to try and avoid allocating extra strings.
2880
2881         Added canUseFastGetOwnProperty() and wrap calls to fastGetOwnProperty()
2882         in that, to avoid calling JSString::value() which always resolves ropes
2883         into new strings and de-optimizes subsequent toIdentifier() calls.
2884
2885         My iMac says ~9% progression on Dromaeo/dom-attr.html
2886
2887         Reviewed by Phil Pizlo.
2888
2889         * dfg/DFGOperations.cpp:
2890         * jit/JITOperations.cpp:
2891         (JSC::getByVal):
2892         * llint/LLIntSlowPaths.cpp:
2893         (JSC::LLInt::getByVal):
2894         * runtime/JSCell.h:
2895         * runtime/JSCellInlines.h:
2896         (JSC::JSCell::fastGetOwnProperty):
2897         (JSC::JSCell::canUseFastGetOwnProperty):
2898
2899 2014-05-05  Andreas Kling  <akling@apple.com>
2900
2901         REGRESSION (r168256): ASSERTION FAILED: (buffer + m_length) == position loading vanityfair.com article.
2902         <https://webkit.org/b/168256>
2903         <rdar://problem/16816316>
2904
2905         Make resolveRopeSlowCase8() behave like its 16-bit counterpart and not
2906         clear the fibers. The caller takes care of this.
2907
2908         Test: fast/dom/getElementById-with-rope-string-arg.html
2909
2910         Reviewed by Geoffrey Garen.
2911
2912         * runtime/JSString.cpp:
2913         (JSC::JSRopeString::resolveRopeSlowCase8):
2914
2915 2014-05-05  Michael Saboff  <msaboff@apple.com>
2916
2917         REGRESSION: RELEASE_ASSERT in CodeBlock::baselineVersion @ cnn.com
2918         https://bugs.webkit.org/show_bug.cgi?id=132581
2919
2920         Reviewed by Filip Pizlo.
2921
2922         * dfg/DFGPlan.cpp:
2923         (JSC::DFG::Plan::isStillValid): Check that the alternative codeBlock we
2924         started compiling for is still the same at the end of compilation.
2925         Also did some minor restructuring.
2926
2927 2014-05-05  Andreas Kling  <akling@apple.com>
2928
2929         Optimize PutByVal when subscript is a rope string.
2930         <https://webkit.org/b/132572>
2931
2932         Add a JSString::toIdentifier() that is smarter when the JSString is
2933         really a rope string. Use this in baseline & DFG's PutByVal to avoid
2934         allocating new StringImpls that we immediately deduplicate anyway.
2935
2936         Reviewed by Antti Koivisto.
2937
2938         * dfg/DFGOperations.cpp:
2939         (JSC::DFG::operationPutByValInternal):
2940         * jit/JITOperations.cpp:
2941         * runtime/JSString.h:
2942         (JSC::JSString::toIdentifier):
2943
2944 2014-05-05  Andreas Kling  <akling@apple.com>
2945
2946         Remove two now-incorrect assertions after r168256.
2947
2948         * runtime/JSString.cpp:
2949         (JSC::JSRopeString::resolveRopeSlowCase8):
2950         (JSC::JSRopeString::resolveRopeSlowCase):
2951
2952 2014-05-04  Andreas Kling  <akling@apple.com>
2953
2954         Optimize JSRopeString for resolving directly to AtomicString.
2955         <https://webkit.org/b/132548>
2956
2957         If we know that the JSRopeString we are resolving is going to be used
2958         as an AtomicString, we can try to avoid creating a new string.
2959
2960         We do this by first resolving the rope into a stack buffer, and using
2961         that buffer as a key into the AtomicString table. If there is already
2962         an AtomicString with the same characters, we reuse that instead of
2963         constructing a new StringImpl.
2964
2965         JSString gains these two public functions:
2966
2967         - AtomicString toAtomicString()
2968
2969             Returns an AtomicString, tries to avoid allocating a new string
2970             if possible.
2971
2972         - AtomicStringImpl* toExistingAtomicString()
2973
2974             Returns a non-null AtomicStringImpl* if one already exists in the
2975             AtomicString table. If none is found, the rope is left unresolved.
2976
2977         Reviewed by Filip Pizlo.
2978
2979         * runtime/JSString.cpp:
2980         (JSC::JSRopeString::resolveRopeInternal8):
2981         (JSC::JSRopeString::resolveRopeInternal16):
2982         (JSC::JSRopeString::resolveRopeToAtomicString):
2983         (JSC::JSRopeString::clearFibers):
2984         (JSC::JSRopeString::resolveRopeToExistingAtomicString):
2985         (JSC::JSRopeString::resolveRope):
2986         (JSC::JSRopeString::outOfMemory):
2987         * runtime/JSString.h:
2988         (JSC::JSString::toAtomicString):
2989         (JSC::JSString::toExistingAtomicString):
2990
2991 2014-05-04  Andreas Kling  <akling@apple.com>
2992
2993         Unreviewed, rolling out r168254.
2994
2995         Very crashy on debug JSC tests.
2996
2997         Reverted changeset:
2998
2999         "jsSubstring() should be lazy"
3000         https://bugs.webkit.org/show_bug.cgi?id=132556
3001         http://trac.webkit.org/changeset/168254
3002
3003 2014-05-04  Filip Pizlo  <fpizlo@apple.com>
3004
3005         jsSubstring() should be lazy
3006         https://bugs.webkit.org/show_bug.cgi?id=132556
3007
3008         Reviewed by Andreas Kling.
3009         
3010         jsSubstring() is now lazy by using a special rope that is a substring instead of a
3011         concatenation. To make this patch super simple, we require that a substring's base is
3012         never a rope. Hence, when resolving a rope, we either go down a non-recursive substring
3013         path, or we go down a concatenation path which may see exactly one level of substrings in
3014         its fibers.
3015         
3016         This is up to a 50% speed-up on microbenchmarks and a 10% speed-up on Octane/regexp.
3017
3018         * heap/MarkedBlock.cpp:
3019         (JSC::MarkedBlock::specializedSweep):
3020         * runtime/JSString.cpp:
3021         (JSC::JSRopeString::visitFibers):
3022         (JSC::JSRopeString::resolveRope):
3023         (JSC::JSRopeString::resolveRopeSlowCase8):
3024         (JSC::JSRopeString::resolveRopeSlowCase):
3025         (JSC::JSRopeString::outOfMemory):
3026         * runtime/JSString.h:
3027         (JSC::JSRopeString::finishCreation):
3028         (JSC::JSRopeString::append):
3029         (JSC::JSRopeString::create):
3030         (JSC::JSRopeString::offsetOfFibers):
3031         (JSC::JSRopeString::fiber):
3032         (JSC::JSRopeString::substringBase):
3033         (JSC::JSRopeString::substringOffset):
3034         (JSC::JSRopeString::substringSentinel):
3035         (JSC::JSRopeString::isSubstring):
3036         (JSC::jsSubstring):
3037         * runtime/RegExpMatchesArray.cpp:
3038         (JSC::RegExpMatchesArray::reifyAllProperties):
3039         * runtime/StringPrototype.cpp:
3040         (JSC::stringProtoFuncSubstring):
3041
3042 2014-05-02  Michael Saboff  <msaboff@apple.com>
3043
3044         "arm64 function not 4-byte aligned" warnings when building JSC
3045         https://bugs.webkit.org/show_bug.cgi?id=132495
3046
3047         Reviewed by Geoffrey Garen.
3048
3049         Added ".align 4" for both ARM Thumb2 and ARM 64 to silence the linker.
3050
3051         * llint/LowLevelInterpreter.cpp:
3052
3053 2014-05-02  Mark Hahnenberg  <mhahnenberg@apple.com>
3054
3055         Fix cloop build after r168178
3056
3057         * bytecode/CodeBlock.cpp:
3058
3059 2014-05-01  Mark Hahnenberg  <mhahnenberg@apple.com>
3060
3061         Add a DFG function whitelist
3062         https://bugs.webkit.org/show_bug.cgi?id=132437
3063
3064         Reviewed by Geoffrey Garen.
3065
3066         Oftentimes when debugging, using bytecode ranges isn't enough to narrow down to the
3067         particular DFG block that's causing issues. This patch adds the ability to whitelist 
3068         specific functions specified in a file to enable further filtering without having to recompile.
3069
3070         * CMakeLists.txt:
3071         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3072         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3073         * JavaScriptCore.xcodeproj/project.pbxproj:
3074         * dfg/DFGCapabilities.cpp:
3075         (JSC::DFG::isSupported):
3076         (JSC::DFG::mightInlineFunctionForCall):
3077         (JSC::DFG::mightInlineFunctionForClosureCall):
3078         (JSC::DFG::mightInlineFunctionForConstruct):
3079         * dfg/DFGFunctionWhitelist.cpp: Added.
3080         (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
3081         (JSC::DFG::FunctionWhitelist::FunctionWhitelist):
3082         (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
3083         (JSC::DFG::FunctionWhitelist::contains):
3084         * dfg/DFGFunctionWhitelist.h: Added.
3085         * runtime/Options.cpp:
3086         (JSC::parse):
3087         (JSC::Options::dumpOption):
3088         * runtime/Options.h:
3089
3090 2014-05-02  Filip Pizlo  <fpizlo@apple.com>
3091
3092         DFGAbstractInterpreter should not claim Int52 arithmetic creates Int52s
3093         https://bugs.webkit.org/show_bug.cgi?id=132446
3094
3095         Reviewed by Mark Hahnenberg.
3096         
3097         Basically any arithmetic operation can turn an Int52 into an Int32 or vice-versa, and
3098         our modeling of Int52Rep nodes is such that they can have either Int32 or Int52 type
3099         to indicate a bound on the value. This is useful for knowing, for example, that
3100         Int52Rep(Int32:) returns a value that cannot be outside the Int32 range. Also,
3101         ValueRep(Int52Rep:) uses this to determine whether it may return a double or an int.
3102         But this means that all arithmetic operations must be careful to note that they may
3103         turn Int32 inputs into an Int52 output or vice-versa, as these new tests show.
3104
3105         * dfg/DFGAbstractInterpreterInlines.h:
3106         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3107         * dfg/DFGByteCodeParser.cpp:
3108         (JSC::DFG::ByteCodeParser::makeSafe):
3109         * tests/stress/int52-ai-add-then-filter-int32.js: Added.
3110         (foo):
3111         * tests/stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js: Added.
3112         (foo):
3113         * tests/stress/int52-ai-mul-then-filter-int32-directly.js: Added.
3114         (foo):
3115         * tests/stress/int52-ai-mul-then-filter-int32.js: Added.
3116         (foo):
3117         * tests/stress/int52-ai-neg-then-filter-int32.js: Added.
3118         (foo):
3119         * tests/stress/int52-ai-sub-then-filter-int32.js: Added.
3120         (foo):
3121
3122 2014-05-01  Geoffrey Garen  <ggaren@apple.com>
3123
3124         JavaScriptCore fails to build with some versions of clang
3125         https://bugs.webkit.org/show_bug.cgi?id=132436
3126
3127         Reviewed by Anders Carlsson.
3128
3129         * runtime/ArgumentsIteratorConstructor.cpp: Since we call
3130         putDirectWithoutTransition, and it calls putWillGrowOutOfLineStorage,
3131         and both are marked inline, it's valid for the compiler to decide
3132         to inline both and emit neither in the binary. Therefore, we need
3133         both inline definitions to be available in the translation unit at
3134         compile time, or we'll try to link against a function that doesn't exist.
3135
3136 2014-05-01  Commit Queue  <commit-queue@webkit.org>
3137
3138         Unreviewed, rolling out r167964.
3139         https://bugs.webkit.org/show_bug.cgi?id=132431
3140
3141         Memory improvements should not regress memory usage (Requested
3142         by olliej on #webkit).
3143
3144         Reverted changeset:
3145
3146         "Don't hold on to parameter BindingNodes forever"
3147         https://bugs.webkit.org/show_bug.cgi?id=132360
3148         http://trac.webkit.org/changeset/167964
3149
3150 2014-05-01  Filip Pizlo  <fpizlo@apple.com>
3151
3152         Fix trivial debug-only race-that-crashes in CallLinkStatus and explain why the remaining races are totally awesome
3153         https://bugs.webkit.org/show_bug.cgi?id=132427
3154
3155         Reviewed by Mark Hahnenberg.
3156
3157         * bytecode/CallLinkStatus.cpp:
3158         (JSC::CallLinkStatus::computeFor):
3159
3160 2014-04-30  Simon Fraser  <simon.fraser@apple.com>
3161
3162         Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO
3163         https://bugs.webkit.org/show_bug.cgi?id=132396
3164
3165         Reviewed by Eric Carlson.
3166
3167         Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO and related code.
3168
3169         * Configurations/FeatureDefines.xcconfig:
3170
3171 2014-04-30  Filip Pizlo  <fpizlo@apple.com>
3172
3173         Argument flush formats should not be presumed to be JSValue since 'this' is weird
3174         https://bugs.webkit.org/show_bug.cgi?id=132404
3175
3176         Reviewed by Michael Saboff.
3177
3178         * dfg/DFGSpeculativeJIT.cpp:
3179         (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Don't assume that arguments are flushed as JSValue. Use the logic for locals instead.
3180         * dfg/DFGSpeculativeJIT32_64.cpp:
3181         (JSC::DFG::SpeculativeJIT::compile): SetArgument "changes" the format because before this we wouldn't know we had arguments.
3182         * dfg/DFGSpeculativeJIT64.cpp:
3183         (JSC::DFG::SpeculativeJIT::compile): Ditto.
3184         * dfg/DFGValueSource.cpp:
3185         (JSC::DFG::ValueSource::dumpInContext): Make this easier to dump.
3186         * dfg/DFGValueSource.h:
3187         (JSC::DFG::ValueSource::operator!): Make this easier to dump because Operands<T> uses T::operator!().
3188         * ftl/FTLOSREntry.cpp:
3189         (JSC::FTL::prepareOSREntry): This had a useful assertion for everything except 'this'.
3190         * tests/stress/strict-to-this-int.js: Added.
3191         (foo):
3192         (Number.prototype.valueOf):
3193         (test):
3194
3195 2014-04-29  Oliver Hunt  <oliver@apple.com>
3196
3197         Don't hold on to parameterBindingNodes forever
3198         https://bugs.webkit.org/show_bug.cgi?id=132360
3199
3200         Reviewed by Geoffrey Garen.
3201
3202         Don't keep the parameter nodes anymore. Instead we store the
3203         original parameter string and reparse whenever we actually
3204         need them. Because we only actually need them for compilation
3205         this only results in a single extra parse.
3206
3207         * bytecode/UnlinkedCodeBlock.cpp:
3208         (JSC::generateFunctionCodeBlock):
3209         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3210         (JSC::UnlinkedFunctionExecutable::visitChildren):
3211         (JSC::UnlinkedFunctionExecutable::finishCreation):
3212         (JSC::UnlinkedFunctionExecutable::paramString):
3213         (JSC::UnlinkedFunctionExecutable::parameters):
3214         (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
3215         * bytecode/UnlinkedCodeBlock.h:
3216         (JSC::UnlinkedFunctionExecutable::create):
3217         (JSC::UnlinkedFunctionExecutable::parameterCount):
3218         (JSC::UnlinkedFunctionExecutable::parameters): Deleted.
3219         (JSC::UnlinkedFunctionExecutable::finishCreation): Deleted.
3220         * parser/ASTBuilder.h:
3221         (JSC::ASTBuilder::ASTBuilder):
3222         (JSC::ASTBuilder::setFunctionBodyParameters):
3223         * parser/Nodes.h:
3224         (JSC::FunctionBodyNode::parametersStartOffset):
3225         (JSC::FunctionBodyNode::parametersEndOffset):
3226         (JSC::FunctionBodyNode::setParameterLocation):
3227         * parser/Parser.cpp:
3228         (JSC::Parser<LexerType>::parseFunctionInfo):
3229         (JSC::parseParameters):
3230         * parser/Parser.h:
3231         (JSC::parse):
3232         * parser/SourceCode.h:
3233         (JSC::SourceCode::subExpression):
3234         * parser/SyntaxChecker.h:
3235         (JSC::SyntaxChecker::setFunctionBodyParameters):
3236
3237 2014-04-29  Mark Hahnenberg  <mhahnenberg@apple.com>
3238
3239         JSProxies should be cacheable
3240         https://bugs.webkit.org/show_bug.cgi?id=132351
3241
3242         Reviewed by Geoffrey Garen.
3243
3244         Whenever we encounter a proxy in an inline cache we should try to cache on the 
3245         proxy's target instead of giving up.
3246
3247         This patch adds support for a simple "recursive" inline cache if the base object
3248         we're accessing is a pure forwarding proxy. JSGlobalObject and its subclasses 
3249         are the only ones to benefit from this right now.
3250
3251         This is performance neutral on the benchmarks we track. Currently we won't
3252         cache on JSDOMWindow due to HasImpureGetOwnPropertySlot, but this issue will be fixed soon.
3253
3254         * jit/Repatch.cpp:
3255         (JSC::generateByIdStub):
3256         (JSC::tryBuildGetByIDList):
3257         (JSC::tryCachePutByID):
3258         (JSC::tryBuildPutByIdList):
3259         * jsc.cpp:
3260         (GlobalObject::finishCreation):
3261         (functionCreateProxy):
3262         * runtime/IntendedStructureChain.cpp:
3263         (JSC::IntendedStructureChain::isNormalized):
3264         * runtime/JSCellInlines.h:
3265         (JSC::JSCell::isProxy):
3266         * runtime/JSGlobalObject.h:
3267         (JSC::JSGlobalObject::finishCreation):
3268         * runtime/JSProxy.h:
3269         (JSC::JSProxy::createStructure):
3270         (JSC::JSProxy::targetOffset):
3271         * runtime/JSType.h:
3272         * runtime/Operations.h:
3273         (JSC::isPrototypeChainNormalized):
3274         * runtime/Structure.h:
3275         (JSC::Structure::isProxy):
3276         * tests/stress/proxy-inline-cache.js: Added.
3277         (cacheOnTarget.getX):
3278         (cacheOnTarget):
3279         (cacheOnPrototypeOfTarget.getX):
3280         (cacheOnPrototypeOfTarget):
3281         (dontCacheOnProxyInPrototypeChain.getX):
3282         (dontCacheOnProxyInPrototypeChain):
3283         (dontCacheOnTargetOfProxyInPrototypeChainOfTarget.getX):
3284         (dontCacheOnTargetOfProxyInPrototypeChainOfTarget):
3285
3286 2014-04-29  Filip Pizlo  <fpizlo@apple.com>
3287
3288         Use LLVM as a backend for the fourth-tier DFG JIT (a.k.a. the FTL JIT)
3289         https://bugs.webkit.org/show_bug.cgi?id=112840
3290
3291         Rubber stamped by Geoffrey Garen.
3292
3293         * Configurations/FeatureDefines.xcconfig:
3294
3295 2014-04-29  Geoffrey Garen  <ggaren@apple.com>
3296
3297         String.prototype.trim removes U+200B from strings.
3298         https://bugs.webkit.org/show_bug.cgi?id=130184
3299
3300         Reviewed by Michael Saboff.
3301
3302         * runtime/StringPrototype.cpp:
3303         (JSC::trimString):
3304         (JSC::isTrimWhitespace): Deleted.
3305
3306 2014-04-29  Mark Lam  <mark.lam@apple.com>
3307
3308         Zombifying sweep should ignore retired blocks.
3309         <https://webkit.org/b/132344>
3310
3311         Reviewed by Mark Hahnenberg.
3312
3313         By definition, retired blocks do not have "dead" objects, or at least
3314         none that we know of yet until the next marking phase has been run
3315         over them.  So, we should not be sweeping them (even for zombie mode).
3316
3317         * heap/Heap.cpp:
3318         (JSC::Heap::zombifyDeadObjects):
3319         * heap/MarkedSpace.cpp:
3320         (JSC::MarkedSpace::zombifySweep):
3321         * heap/MarkedSpace.h:
3322         (JSC::ZombifySweep::operator()):
3323
3324 2014-04-29  Mark Lam  <mark.lam@apple.com>
3325
3326         Fix bit rot in zombie mode heap code.
3327         <https://webkit.org/b/132342>
3328
3329         Reviewed by Mark Hahnenberg.
3330
3331         Need to enter a DelayedReleaseScope before doing a sweep.
3332
3333         * heap/Heap.cpp:
3334         (JSC::Heap::zombifyDeadObjects):
3335
3336 2014-04-29  Tomas Popela  <tpopela@redhat.com>
3337
3338         LLINT loadisFromInstruction doesn't need special case for big endians
3339         https://bugs.webkit.org/show_bug.cgi?id=132330
3340
3341         Reviewed by Mark Lam.
3342
3343         The change introduced in r167076 was wrong. We should not apply the offset
3344         adjustment on loadisFromInstruction usage as the instruction
3345         (UnlinkedInstruction) is declared as a union (i.e. with the int32_t
3346         operand variable). The offset of the other union members will be the
3347         same as the offset of the first one, that is 0. The behavior here is the
3348         same on little and big endian architectures. Thus we don't need a
3349         special case for big endians.
3350
3351         * llint/LowLevelInterpreter.asm:
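The layout point this entry relies on, as an added C example that is not JSC code: the union below is a constructed stand-in for UnlinkedInstruction (assumed only to be a union with an int32_t member), and the contrast function shows the one case in which an endian-dependent offset adjustment would be needed, a 64-bit integer slot rather than a union.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the UnlinkedInstruction union. Assumption: the real
 * JSC union has other members; only the fact that it is a union (every member
 * starts at byte offset 0) matters for this demonstration. */
typedef union {
    int32_t operand;   /* the signed int operand that loadisFromInstruction reads */
    uintptr_t opcode;  /* a pointer-sized member, e.g. an opcode address */
    void* pointer;
} Instruction;

/* Returns 1 on a big-endian host, 0 on a little-endian host. */
int is_big_endian(void)
{
    uint16_t probe = 1;
    unsigned char first_byte;
    memcpy(&first_byte, &probe, 1);
    return first_byte == 0;
}

/* Byte offset of the int32 member: 0 on every architecture, by the C rules
 * for unions, so the load needs no endian-specific adjustment. */
size_t operand_offset(void)
{
    return offsetof(Instruction, operand);
}

/* Reading the operand through the union: the same code on both endiannesses. */
int32_t load_operand_from_union(const Instruction* instruction)
{
    return instruction->operand;
}

/* Contrast case: if the slot were a 64-bit integer holding a sign-extended
 * int32, the low 32 bits would sit at byte offset 4 on a big-endian host and
 * at byte offset 0 on a little-endian host. Only this layout would justify an
 * offset adjustment of the kind the entry above removes. */
int32_t load_low32_from_int64_slot(const int64_t* slot)
{
    const unsigned char* bytes = (const unsigned char*)slot;
    int32_t value;
    memcpy(&value, bytes + (is_big_endian() ? 4 : 0), sizeof value);
    return value;
}

/* Store v through the union's operand member and read it back. */
int32_t roundtrip_union(int32_t v)
{
    Instruction instruction;
    memset(&instruction, 0, sizeof instruction);
    instruction.operand = v;
    return load_operand_from_union(&instruction);
}

/* Store v sign-extended in a 64-bit slot and read its low 32 bits back. */
int32_t roundtrip_int64_slot(int32_t v)
{
    int64_t slot = v;
    return load_low32_from_int64_slot(&slot);
}
```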
3352
3353 2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>
3354
3355         Simplify tryCacheGetById
3356         https://bugs.webkit.org/show_bug.cgi?id=132314
3357
3358         Reviewed by Oliver Hunt and Filip Pizlo.
3359
3360         This is neutral across all benchmarks we track, although it looks like a wee 0.5% progression on sunspider.
3361
3362         * jit/Repatch.cpp:
3363         (JSC::tryCacheGetByID): If we fail to cache on self, we just repatch to call tryBuildGetByIDList next time.
3364
3365 2014-04-28  Michael Saboff  <msaboff@apple.com>
3366
3367         REGRESSION(r153142) ASSERT from CodeBlock::dumpBytecode dumping String Switch Jump Tables
3368         https://bugs.webkit.org/show_bug.cgi?id=132315
3369
3370         Reviewed by Mark Hahnenberg.
3371
3372         Used the StringImpl version of utf8() instead of creating a String first.
3373
3374         * bytecode/CodeBlock.cpp:
3375         (JSC::CodeBlock::dumpBytecode):
3376
3377 2014-04-28  Filip Pizlo  <fpizlo@apple.com>
3378
3379         The LLInt is awesome and it should get more of the action.
3380
3381         Rubber stamped by Geoffrey Garen.
3382         
3383         5% speed-up on JSBench and no meaningful regressions.  Should be a PLT/DYE speed-up also.
3384
3385         * runtime/Options.h:
3386
3387 2014-04-27  Filip Pizlo  <fpizlo@apple.com>
3388
3389         GC should be able to remove things from the DFG worklist and cancel on-going compilations if it knows that the compilation would already be invalidated
3390         https://bugs.webkit.org/show_bug.cgi?id=132166
3391
3392         Reviewed by Oliver Hunt and Mark Hahnenberg.
3393         
3394         The GC can aid type inference by removing structures that are dead and jettisoning
3395         code that relies on those structures. This can dramatically accelerate type inference
3396         for some tricky programs.
3397         
3398         Unfortunately, we previously pinned any structures that enqueued compilations depended
3399         on. This means that if you're on a machine that only runs a single compilation thread
3400         and where compilations are relatively slow, you have a high chance of large numbers of
3401         structures being pinned during any GC since the compilation queue is likely to be full
3402         of random stuff.
3403         
3404         This comprehensively fixes this issue by allowing the GC to remove compilation plans
3405         if the things they depend on are dead, and to even cancel safepointed compilations.
3406         
3407         * bytecode/CodeBlock.cpp:
3408         (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
3409         (JSC::CodeBlock::isKnownToBeLiveDuringGC):
3410         (JSC::CodeBlock::finalizeUnconditionally):
3411         * bytecode/CodeBlock.h:
3412         (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan): Deleted.
3413         * dfg/DFGDesiredIdentifiers.cpp:
3414         (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
3415         * dfg/DFGDesiredIdentifiers.h:
3416         * dfg/DFGDesiredWatchpoints.h:
3417         * dfg/DFGDesiredWeakReferences.cpp:
3418         (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
3419         * dfg/DFGDesiredWeakReferences.h:
3420         * dfg/DFGGraphSafepoint.cpp:
3421         (JSC::DFG::GraphSafepoint::GraphSafepoint):
3422         * dfg/DFGGraphSafepoint.h:
3423         * dfg/DFGPlan.cpp:
3424         (JSC::DFG::Plan::Plan):
3425         (JSC::DFG::Plan::compileInThread):
3426         (JSC::DFG::Plan::compileInThreadImpl):
3427         (JSC::DFG::Plan::notifyCompiling):
3428         (JSC::DFG::Plan::notifyCompiled):
3429         (JSC::DFG::Plan::notifyReady):
3430         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
3431         (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
3432         (JSC::DFG::Plan::cancel):
3433         (JSC::DFG::Plan::visitChildren): Deleted.
3434         * dfg/DFGPlan.h:
3435         * dfg/DFGSafepoint.cpp:
3436         (JSC::DFG::Safepoint::Result::~Result):
3437         (JSC::DFG::Safepoint::Result::didGetCancelled):
3438         (JSC::DFG::Safepoint::Safepoint):
3439         (JSC::DFG::Safepoint::~Safepoint):
3440         (JSC::DFG::Safepoint::checkLivenessAndVisitChildren):
3441         (JSC::DFG::Safepoint::isKnownToBeLiveDuringGC):
3442         (JSC::DFG::Safepoint::cancel):
3443         (JSC::DFG::Safepoint::visitChildren): Deleted.
3444         * dfg/DFGSafepoint.h:
3445         (JSC::DFG::Safepoint::Result::Result):
3446         * dfg/DFGWorklist.cpp:
3447         (JSC::DFG::Worklist::compilationState):
3448         (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
3449         (JSC::DFG::Worklist::removeAllReadyPlansForVM):
3450         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
3451         (JSC::DFG::Worklist::visitWeakReferences):
3452         (JSC::DFG::Worklist::removeDeadPlans):
3453         (JSC::DFG::Worklist::runThread):
3454         (JSC::DFG::Worklist::visitChildren): Deleted.
3455         * dfg/DFGWorklist.h:
3456         * ftl/FTLCompile.cpp:
3457         (JSC::FTL::compile):
3458         * ftl/FTLCompile.h:
3459         * heap/CodeBlockSet.cpp:
3460         (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
3461         * heap/Heap.cpp:
3462         (JSC::Heap::markRoots):
3463         (JSC::Heap::visitCompilerWorklistWeakReferences):
3464         (JSC::Heap::removeDeadCompilerWorklistEntries):
3465         (JSC::Heap::visitWeakHandles):
3466         (JSC::Heap::collect):
3467         (JSC::Heap::visitCompilerWorklists): Deleted.
3468         * heap/Heap.h:
3469
3470 2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>
3471
3472         Deleting properties poisons objects
3473         https://bugs.webkit.org/show_bug.cgi?id=131551
3474
3475         Reviewed by Oliver Hunt.
3476
3477         This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.
3478
3479         * runtime/JSPropertyNameIterator.cpp:
3480         (JSC::JSPropertyNameIterator::create):
3481         * runtime/PropertyMapHashTable.h:
3482         (JSC::PropertyTable::hasDeletedOffset):
3483         (JSC::PropertyTable::hadDeletedOffset): If we ever had deleted properties we can no longer cache offsets when 
3484         iterating properties because we're required to iterate properties in insertion order.
3485         * runtime/Structure.cpp:
3486         (JSC::Structure::Structure):
3487         (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
3488         (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of 
3489         Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache 
3490         delete transitions, but we allow transitioning from them.
3491         (JSC::Structure::changePrototypeTransition):
3492         (JSC::Structure::despecifyFunctionTransition):
3493         (JSC::Structure::attributeChangeTransition):
3494         (JSC::Structure::toDictionaryTransition):
3495         (JSC::Structure::preventExtensionsTransition):
3496         (JSC::Structure::addPropertyWithoutTransition):
3497         (JSC::Structure::removePropertyWithoutTransition):
3498         (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
3499         (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
3500         * runtime/Structure.h:
3501         * runtime/StructureInlines.h:
3502         (JSC::Structure::setEnumerationCache):
3503         (JSC::Structure::hadDeletedOffsets):
3504         (JSC::Structure::propertyTable):
3505         (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
3506         * tests/stress/for-in-after-delete.js: Added.
3507         (foo):
3508
3509 2014-04-25  Andreas Kling  <akling@apple.com>
3510
3511         Inline (C++) GetByVal with numeric indices more aggressively.
3512         <https://webkit.org/b/132218>
3513
3514         We were already inlining the string indexed GetByVal path pretty well,
3515         while the path for numeric indices got neglected. No more!
3516
3517         ~9.5% improvement on Dromaeo/dom-traverse.html on my MBP:
3518
3519             Before: 199.50 runs/s
3520              After: 218.58 runs/s
3521
3522         Reviewed by Phil Pizlo.
3523
3524         * dfg/DFGOperations.cpp:
3525         * runtime/JSCJSValueInlines.h:
3526         (JSC::JSValue::get):
3527
3528             ALWAYS_INLINE all the things.
3529
3530         * runtime/JSObject.h:
3531         (JSC::JSObject::getPropertySlot):
3532
3533             Avoid fetching the Structure more than once. We have the same
3534             optimization in the string-indexed code path.
3535
3536 2014-04-25  Oliver Hunt  <oliver@apple.com>
3537
3538         Need earlier cell test
3539         https://bugs.webkit.org/show_bug.cgi?id=132211
3540
3541         Reviewed by Mark Lam.
3542
3543         Move cell test to before the function call repatch
3544         location, as the repatch logic for 32bit assumes that the
3545         caller will already have performed a cell check.
3546
3547         * jit/JITCall32_64.cpp:
3548         (JSC::JIT::compileOpCall):
3549
3550 2014-04-25  Andreas Kling  <akling@apple.com>
3551
3552         Un-fast-allocate JSGlobalObjectRareData because Windows doesn't build and I'm not in the mood.
3553
3554         * runtime/JSGlobalObject.h:
3555         (JSC::JSGlobalObject::JSGlobalObjectRareData::JSGlobalObjectRareData):
3556         (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData): Deleted.
3557
3558 2014-04-25  Andreas Kling  <akling@apple.com>
3559
3560         Windows build fix attempt.
3561
3562         * runtime/JSGlobalObject.h:
3563         (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData):
3564
3565 2014-04-25  Mark Lam  <mark.lam@apple.com>
3566
3567         Refactor debugging code to use BreakpointActions instead of Vector<ScriptBreakpointAction>.
3568         <https://webkit.org/b/132201>
3569
3570         Reviewed by Joseph Pecoraro.
3571
3572         BreakpointActions is Vector<ScriptBreakpointAction>.  Let's just consistently use
3573         BreakpointActions everywhere.
3574
3575         * inspector/ScriptBreakpoint.h:
3576         (Inspector::ScriptBreakpoint::ScriptBreakpoint):
3577         * inspector/ScriptDebugServer.cpp:
3578         (Inspector::ScriptDebugServer::setBreakpoint):
3579         (Inspector::ScriptDebugServer::getActionsForBreakpoint):
3580         * inspector/ScriptDebugServer.h:
3581         * inspector/agents/InspectorDebuggerAgent.cpp:
3582         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
3583         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
3584         (Inspector::InspectorDebuggerAgent::setBreakpoint):
3585         (Inspector::InspectorDebuggerAgent::removeBreakpoint):
3586         * inspector/agents/InspectorDebuggerAgent.h:
3587
3588 2014-04-24  Filip Pizlo  <fpizlo@apple.com>
3589
3590         DFG worklist scanning should not treat the key as a separate entity
3591         https://bugs.webkit.org/show_bug.cgi?id=132167
3592
3593         Reviewed by Mark Hahnenberg.
3594         
3595         This simplifies the interface to the GC and will enable more optimizations.
3596
3597         * dfg/DFGCompilationKey.cpp:
3598         (JSC::DFG::CompilationKey::visitChildren): Deleted.
3599         * dfg/DFGCompilationKey.h:
3600         * dfg/DFGPlan.cpp:
3601         (JSC::DFG::Plan::visitChildren):
3602         * dfg/DFGWorklist.cpp:
3603         (JSC::DFG::Worklist::visitChildren):
3604
3605 2014-04-25  Oliver Hunt  <oliver@apple.com>
3606
3607         Remove unused parameter from codeblock linking function
3608         https://bugs.webkit.org/show_bug.cgi?id=132199
3609
3610         Reviewed by Anders Carlsson.
3611
3612         No change in behaviour. This is just a small change to make it
3613         slightly easier to reason about what the offsets in UnlinkedFunctionExecutable
3614         actually mean.
3615
3616         * bytecode/UnlinkedCodeBlock.cpp:
3617         (JSC::UnlinkedFunctionExecutable::link):
3618         * bytecode/UnlinkedCodeBlock.h:
3619         * runtime/Executable.cpp:
3620         (JSC::ProgramExecutable::initializeGlobalProperties):
3621
3622 2014-04-25  Andreas Kling  <akling@apple.com>
3623
3624         Mark some things with WTF_MAKE_FAST_ALLOCATED.
3625         <https://webkit.org/b/132198>
3626
3627         Use FastMalloc for more things.
3628
3629         Reviewed by Anders Carlsson.
3630
3631         * builtins/BuiltinExecutables.h:
3632         * heap/GCThreadSharedData.h:
3633         * inspector/JSConsoleClient.h:
3634         * inspector/agents/InspectorAgent.h:
3635         * runtime/CodeCache.h:
3636         * runtime/JSGlobalObject.h:
3637         * runtime/Lookup.cpp:
3638         (JSC::HashTable::createTable):
3639         (JSC::HashTable::deleteTable):
3640         * runtime/WeakGCMap.h:
3641
3642 2014-04-25  Antoine Quint  <graouts@webkit.org>
3643
3644         Implement Array.prototype.find()
3645         https://bugs.webkit.org/show_bug.cgi?id=130966
3646
3647         Reviewed by Oliver Hunt.
3648
3649         Implement Array.prototype.find() and Array.prototype.findIndex() as proposed in the Harmony spec.
3650
3651         * builtins/Array.prototype.js:
3652         (find):
3653         (findIndex):
3654         * runtime/ArrayPrototype.cpp:
3655
3656 2014-04-24  Brady Eidson  <beidson@apple.com>
3657
3658         Rename "IMAGE_CONTROLS" feature to "SERVICE_CONTROLS"
3659         https://bugs.webkit.org/show_bug.cgi?id=132155
3660
3661         Reviewed by Tim Horton.
3662
3663         * Configurations/FeatureDefines.xcconfig:
3664
3665 2014-04-24  Michael Saboff  <msaboff@apple.com>
3666
3667         REGRESSION: Apparent hang of PCE.js Mac OS System 7.0.1 on ARM64 devices
3668         https://bugs.webkit.org/show_bug.cgi?id=132147
3669
3670         Reviewed by Mark Lam.
3671
3672         Fixed or64(), eor32() and eor64() to use "src" register when we have a valid logicalImm.
3673
3674         * assembler/MacroAssemblerARM64.h:
3675         (JSC::MacroAssemblerARM64::or64):
3676         (JSC::MacroAssemblerARM64::xor32):
3677         (JSC::MacroAssemblerARM64::xor64):
3678         * tests/stress/regress-132147.js: Added test.
3679
3680 2014-04-24  Mark Lam  <mark.lam@apple.com>
3681
3682         Make slowPathAllocsBetweenGCs a runtime option.
3683         <https://webkit.org/b/132137>
3684
3685         Reviewed by Mark Hahnenberg.
3686
3687         This will make it easier to more casually run tests with this configuration
3688         as well as to reproduce issues (instead of requiring a code mod and rebuild).
3689         We will now take --slowPathAllocsBetweenGCs=N where N is the number of
3690         slow path allocations before we trigger a collection.
3691
3692         The option defaults to 0, which is reserved to mean that we will not trigger
3693         any collections there.
3694
3695         * heap/Heap.h:
3696         * heap/MarkedAllocator.cpp:
3697         (JSC::MarkedAllocator::doTestCollectionsIfNeeded):
3698         (JSC::MarkedAllocator::allocateSlowCase):
3699         * heap/MarkedAllocator.h:
3700         * runtime/Options.h:
3701
3702 2014-04-23  Mark Lam  <mark.lam@apple.com>
3703
3704         The GC should only resume compiler threads that it suspended in the same GC pass.
3705         <https://webkit.org/b/132088>
3706
3707         Reviewed by Mark Hahnenberg.
3708
3709         Previously, this scenario could occur:
3710         1. Thread 1 starts a GC and tries to suspend DFG worklist threads.  However,
3711            no worklists were created yet at that time.
3712         2. Thread 2 starts to compile some functions and creates a DFG worklist, and
3713            acquires the worklist thread's lock.
3714         3. Thread 1's GC completes and tries to resume suspended DFG worklist threads.
3715            This time, it sees the worklist created by Thread 2 and ends up unlocking
3716            the worklist thread's lock that is supposedly held by Thread 2.
3717         Thereafter, chaos ensues.
3718
3719         The fix is to cache the worklists that were actually suspended by each GC pass,
3720         and only resume those when the GC is done.
3721
3722         This issue was discovered by enabling COLLECT_ON_EVERY_ALLOCATION and running
3723         the fast/workers layout tests.
3724
3725         * heap/Heap.cpp:
3726         (JSC::Heap::visitCompilerWorklists):
3727         (JSC::Heap::deleteAllCompiledCode):
3728         (JSC::Heap::suspendCompilerThreads):
3729         (JSC::Heap::resumeCompilerThreads):
3730         * heap/Heap.h:
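
        The suspend/resume race above, replayed as an added C++ model that is not JSC code: a worklist lock records its owner (0 unlocked, 1 the GC, 2 a compiling worker), and the GC either re-reads the registry on resume (the pre-fix behaviour) or resumes only the worklists it cached during suspension (the fix). The Registry, GC, Outcome and replayScenario names are constructed for the example.

```cpp
#include <vector>

// Constructed model (not JSC code) of the race in the entry above. A worklist
// lock records its owner: 0 = unlocked, 1 = the GC, 2 = a compiling worker.
struct Worklist {
    unsigned lockOwner = 0;
};

// Every worklist that exists right now; created lazily, so one can appear mid-GC.
using Registry = std::vector<Worklist*>;

struct GC {
    Registry& registry;
    std::vector<Worklist*> suspended;   // the fix: remember what this pass locked
    explicit GC(Registry& r) : registry(r) {}

    // Suspend every worklist that exists when the GC starts.
    void suspendCompilerThreads() {
        suspended.clear();
        for (Worklist* w : registry) {
            w->lockOwner = 1;           // model of acquiring the worklist lock
            suspended.push_back(w);
        }
    }

    // Pre-fix resume: re-reads the registry, so it also "unlocks" a worklist
    // that a worker created and locked after suspension already happened.
    void resumeCompilerThreadsBuggy() {
        for (Worklist* w : registry)
            w->lockOwner = 0;
    }

    // Fixed resume: release only the locks this GC pass actually took.
    void resumeCompilerThreadsFixed() {
        for (Worklist* w : suspended)
            w->lockOwner = 0;
        suspended.clear();
    }
};

struct Outcome {
    unsigned existingOwner;   // worklist that existed before the GC started
    unsigned workerOwner;     // worklist the worker created mid-GC
};

// Replays the three steps from the entry. A correct resume releases the
// pre-existing worklist (owner 0) but leaves the worker's lock alone (owner 2).
Outcome replayScenario(bool useFix) {
    Registry registry;
    Worklist existing;
    registry.push_back(&existing);
    GC gc(registry);
    gc.suspendCompilerThreads();          // 1. GC suspends what exists
    Worklist workerList;                  // 2. worker creates and locks a new one
    workerList.lockOwner = 2;
    registry.push_back(&workerList);
    if (useFix)                           // 3. GC finishes and resumes
        gc.resumeCompilerThreadsFixed();
    else
        gc.resumeCompilerThreadsBuggy();
    return {existing.lockOwner, workerList.lockOwner};
}
```

The buggy path returns the worker's worklist with owner 0, i.e. a lock released by a thread that never held it, which is the "chaos ensues" of the entry.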
3731
3732 2014-04-23  Mark Hahnenberg  <mhahnenberg@apple.com>
3733
3734         Arguments::copyBackingStore needs to update m_registers in tandem with m_registerArray
3735         https://bugs.webkit.org/show_bug.cgi?id=132079
3736
3737         Reviewed by Michael Saboff.
3738
3739         Since we're moving the register backing store, we don't want to leave a dangling pointer into a random CopiedBlock.
3740
3741         Also added a test that previously triggered this bug.
3742
3743         * runtime/Arguments.cpp:
3744         (JSC::Arguments::copyBackingStore): D'oh!
3745         * tests/stress/arguments-copy-register-array-backing-store.js: Added.
3746         (foo):
3747         (bar):
3748
3749 2014-04-23  Mark Rowe  <mrowe@apple.com>
3750
3751         [Mac] REGRESSION (r164823): Building JavaScriptCore creates files under /tmp/JavaScriptCore.dst
3752         <https://webkit.org/b/132053>
3753
3754         Reviewed by Dan Bernstein.
3755
3756         * JavaScriptCore.xcodeproj/project.pbxproj: Don't try to create a symlink at /usr/local/bin/jsc inside
3757         the DSTROOT unless we're building to the deployment location. Also remove the unnecessary -x argument
3758         from /bin/sh since that generates unnecessary output.
3759
3760 2014-04-22  Mark Lam  <mark.lam@apple.com>
3761
3762         DFG::Worklist should acquire the m_lock before iterating DFG plans.
3763         <https://webkit.org/b/132032>
3764
3765         Reviewed by Filip Pizlo.
3766
3767         Currently, there's a rightToRun mechanism that ensures that no compilation
3768         threads are running when the GC is iterating through the DFG worklists.
3769         However, this does not prevent a Worker thread from doing a DFG compilation
3770         and modifying the plans in the worklists thereby invalidating the plan
3771         iterator that the GC is using.  This patch fixes the issue by acquiring
3772         the worklist m_lock before iterating the worklist plans.
3773
3774         This issue was uncovered by running the fast/workers layout tests with
3775         COLLECT_ON_EVERY_ALLOCATION enabled.
3776
3777         * dfg/DFGWorklist.cpp:
3778         (JSC::DFG::Worklist::isActiveForVM):
3779         (JSC::DFG::Worklist::visitChildren):
3780
3781 2014-04-22  Brent Fulgham  <bfulgham@apple.com>
3782
3783         [Win] Support Python 2.7 in Cygwin
3784         https://bugs.webkit.org/show_bug.cgi?id=132023
3785
3786         Reviewed by Michael Saboff.
3787
3788         * DerivedSources.make: Use a conditional variable to define
3789         the path to Python/Perl.
3790
3791 2014-04-22  Filip Pizlo  <fpizlo@apple.com>
3792
3793         Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS
3794         https://bugs.webkit.org/show_bug.cgi?id=130867
3795         <rdar://problem/16432456> 
3796
3797         Reviewed by Mark Hahnenberg.
3798
3799         * Configurations/Base.xcconfig:
3800         * Configurations/LLVMForJSC.xcconfig:
3801
3802 2014-04-22  Alex Christensen  <achristensen@webkit.org>
3803
3804         [Win] Unreviewed build fix after my r167666.
3805
3806         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
3807         Added ../../../ again to include headers in Source/JavaScriptCore.
3808
3809 2014-04-22  Alex Christensen  <achristensen@webkit.org>
3810
3811         Removed old stdbool and inttypes headers.
3812         https://bugs.webkit.org/show_bug.cgi?id=131966
3813
3814         Reviewed by Brent Fulgham.
3815
3816         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
3817         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
3818         Removed references to os-win32 directory.
3819         * os-win32: Removed.
3820         * os-win32/inttypes.h: Removed.
3821         * os-win32/stdbool.h: Removed.
3822
3823 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
3824
3825         DFG::clobberize() should honestly admit that profiler and debugger nodes are effectful
3826         https://bugs.webkit.org/show_bug.cgi?id=131971
3827         <rdar://problem/16676511>
3828
3829         Reviewed by Mark Lam.
3830
3831         * dfg/DFGClobberize.h:
3832         (JSC::DFG::clobberize):
3833
3834 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
3835
3836         Switch statements that skip the baseline JIT should work
3837         https://bugs.webkit.org/show_bug.cgi?id=131965
3838
3839         Reviewed by Mark Hahnenberg.
3840
3841         * bytecode/JumpTable.h:
3842         (JSC::SimpleJumpTable::ensureCTITable):
3843         * dfg/DFGSpeculativeJIT.cpp:
3844         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
3845         * jit/JITOpcodes.cpp:
3846         (JSC::JIT::emit_op_switch_imm):
3847         (JSC::JIT::emit_op_switch_char):
3848         * jit/JITOpcodes32_64.cpp:
3849         (JSC::JIT::emit_op_switch_imm):
3850         (JSC::JIT::emit_op_switch_char):
3851         * tests/stress/inline-llint-with-switch.js: Added.
3852         (foo):
3853         (bar):
3854         (test):
3855
3856 2014-04-21  Mark Hahnenberg  <mhahnenberg@apple.com>
3857
3858         Arguments objects shouldn't need a destructor
3859         https://bugs.webkit.org/show_bug.cgi?id=131899
3860
3861         Reviewed by Oliver Hunt.
3862
3863         This patch rids Arguments objects of their destructors. It does this by 
3864         switching their backing stores to use CopiedSpace rather than malloc memory.
3865
3866         * dfg/DFGSpeculativeJIT.cpp:
3867         (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Fix the code emitted for inline
3868         Arguments allocation so that it only emits an extra write for strict mode code rather
3869         than unconditionally.
3870         * heap/CopyToken.h: New CopyTokens for the two different types of Arguments backing stores.
3871         * runtime/Arguments.cpp:
3872         (JSC::Arguments::visitChildren): We need to tell the collector to copy the backing stores now.
3873         (JSC::Arguments::copyBackingStore): Do the actual copying of the backing stores.
3874         (JSC::Arguments::deletePropertyByIndex): Update all the accesses to SlowArgumentData and m_registerArray.
3875         (JSC::Arguments::deleteProperty):
3876         (JSC::Arguments::defineOwnProperty):
3877         (JSC::Arguments::allocateRegisterArray):
3878         (JSC::Arguments::tearOff):
3879         (JSC::Arguments::destroy): Deleted. We don't need the destructor any more.
3880         * runtime/Arguments.h:
3881         (JSC::Arguments::registerArraySizeInBytes):
3882         (JSC::Arguments::SlowArgumentData::SlowArgumentData): Switch SlowArgumentData to being allocated
3883         in CopiedSpace. Now the SlowArgumentData and its backing store are a single contiguous CopiedSpace
3884         allocation.
3885         (JSC::Arguments::SlowArgumentData::slowArguments):
3886         (JSC::Arguments::SlowArgumentData::bytecodeToMachineCaptureOffset):
3887         (JSC::Arguments::SlowArgumentData::setBytecodeToMachineCaptureOffset):
3888         (JSC::Arguments::SlowArgumentData::sizeForNumArguments):
3889         (JSC::Arguments::Arguments):
3890         (JSC::Arguments::allocateSlowArguments):
3891         (JSC::Arguments::tryDeleteArgument):
3892         (JSC::Arguments::isDeletedArgument):
3893         (JSC::Arguments::isArgument):
3894         (JSC::Arguments::argument):
3895         (JSC::Arguments::finishCreation):
3896         * runtime/SymbolTable.h:
3897
3898 2014-04-21  Eric Carlson  <eric.carlson@apple.com>
3899
3900         [Mac] implement WebKitDataCue
3901         https://bugs.webkit.org/show_bug.cgi?id=131799
3902
3903         Reviewed by Dean Jackson.
3904
3905         * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.
3906
3907 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
3908
3909         Unreviewed test gardening, run the repeat-out-of-bounds tests again.
3910
3911         * tests/stress/float32-repeat-out-of-bounds.js:
3912         * tests/stress/int8-repeat-out-of-bounds.js:
3913
3914 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
3915
3916         OSR exit should know about Int52 and Double constants
3917         https://bugs.webkit.org/show_bug.cgi?id=131945
3918
3919         Reviewed by Oliver Hunt.
3920         
3921         The DFG OSR exit machinery's ignorance would lead to some constants becoming
3922         jsUndefined() after OSR exit.
3923         
3924         The FTL OSR exit machinery's ignorance just meant that we would sometimes use a
3925         stackmap constant rather than baking the constant into the OSRExit data structure.
3926         So, not a big deal, but worth fixing.
3927         
3928         Also added some helpful hacks to jsc.cpp for testing such OSR exit pathologies.
3929
3930         * dfg/DFGByteCodeParser.cpp:
3931         (JSC::DFG::ByteCodeParser::handleIntrinsic):
3932         * dfg/DFGMinifiedNode.h:
3933         (JSC::DFG::belongsInMinifiedGraph):
3934         (JSC::DFG::MinifiedNode::hasConstantNumber):
3935         * ftl/FTLLowerDFGToLLVM.cpp:
3936         (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
3937         * jsc.cpp:
3938         (GlobalObject::finishCreation):
3939         (functionOtherFalse):
3940         (functionUndefined):
3941         * runtime/Intrinsic.h:
3942         * tests/stress/fold-to-double-constant-then-exit.js: Added.
3943         (foo):
3944         * tests/stress/fold-to-int52-constant-then-exit.js: Added.
3945         (foo):
3946
3947 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
3948
3949         Provide feedback when we encounter an unrecognized node in the FTL backend.
3950
3951         Rubber stamped by Alexey Proskuryakov.
3952
3953         * ftl/FTLLowerDFGToLLVM.cpp:
3954         (JSC::FTL::LowerDFGToLLVM::compileNode):
3955
3956 2014-04-21  Andreas Kling  <akling@apple.com>
3957
3958         Move the JSString cache from DOMWrapperWorld to VM.
3959         <https://webkit.org/b/131940>
3960
3961         Reviewed by Geoff Garen.
3962
3963         * runtime/VM.h:
3964
3965 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
3966
3967         Take block execution count estimates into account when voting double
3968         https://bugs.webkit.org/show_bug.cgi?id=131906
3969
3970         Reviewed by Geoffrey Garen.
3971         
3972         This was a drama in three acts.
3973         
3974         Act I: Slurp in BasicBlock::executionCount and use it as a weight when counting the
3975             number of uses of a variable that want double or non-double. Easy as pie. This
3976             gave me a huge speed-up on FloatMM and a huge slow-down on basically everything
3977             else.
3978         
3979         Act II: Realize that there were some programs where our previous double voting was
3980             just on the edge of disaster and making it more precise tipped it over. In
3981             particular, if you had an integer variable that would infrequently be used in a
3982             computation that resulted in a variable that was frequently used as an array index,
3983             the outer infrequentness would be the thing we'd use in the vote. So, an array
3984             index would become double. We fix this by reviving global backwards propagation
3985             and introducing the concept of ReallyWantsInt, which is used just for array
3986             indices. Any variable transitively flagged as ReallyWantsInt will never be forced
3987             double. We need that flag to be separate from UsedAsInt, since UsedAsInt needs to
3988             be set in bitops for RageConversion but using it for double forcing is too much.
3989             Basically, it's cheaper to have to convert a double to an int for a bitop than it
3990             is to convert a double to an int for an array index; also a variable being used as
3991             an array index is a much stronger hint that it ought to be an int. This recovered
3992             performance on everything except programs that used FTL OSR entry.
3993         
3994         Act III: Realize that OSR entrypoint creation creates blocks that have NaN execution
3995             count, which then completely pollutes the weighting - essentially all votes go
3996             NaN. Fix this with some surgical defenses. Basically, any client of execution
3997             counts should allow for them to be NaN and shouldn't completely fall off a cliff
3998             when it happens.
3999         
4000         This is awesome. 75% speed-up on FloatMM. 11% speed-up on audio-dft. This leads to
4001         7% speed-up on AsmBench and 2% speed-up on Kraken.
4002
4003         * CMakeLists.txt:
4004         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
4005         * JavaScriptCore.xcodeproj/project.pbxproj:
4006         * dfg/DFGBackwardsPropagationPhase.cpp:
4007         (JSC::DFG::BackwardsPropagationPhase::run):
4008         (JSC::DFG::BackwardsPropagationPhase::propagate):
4009         * dfg/DFGGraph.cpp:
4010         (JSC::DFG::Graph::dumpBlockHeader):
4011         * dfg/DFGGraph.h:
4012         (JSC::DFG::Graph::voteNode):