Support inline caching of RegExpMatchesArray.length
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-05-23  Andreas Kling  <akling@apple.com>

        Support inline caching of RegExpMatchesArray.length
        <https://webkit.org/b/133234>

        Give RegExpMatchesArray.length the same treatment as JSArray in
        repatch so we don't have to go out of line on every access.

        ~13% speed-up on Octane/regexp.

        Reviewed by Geoffrey Garen.

        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        * runtime/RegExpMatchesArray.h:
        (JSC::isRegExpMatchesArray):

2014-05-22  Mark Lam  <mark.lam@apple.com>

        REGRESSION(r154797): Debugger crashes when stepping over an uncaught exception.
        <https://webkit.org/b/133182>

        Reviewed by Oliver Hunt.

        Before r154797, we used to clear the VM exception before calling into the
        debugger.  After r154797, we don't.  This patch will restore this clearing
        of the exception before calling into the debugger.

        Also added assertions after returning from calls into the debugger to
        ensure that the debugger did not introduce any exceptions.

        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        (JSC::Interpreter::unwind):
        (JSC::Interpreter::debug):
        - Fixed the assertion here.  Interpreter::debug() should never be called
          with a pending exception.  Debugger callbacks for exceptions should be
          handled by Interpreter::unwind() and Interpreter::unwindCallFrame().

2014-05-21  Filip Pizlo  <fpizlo@apple.com>

        Store barrier elision should run after DCE in both the DFG path and the FTL path
        https://bugs.webkit.org/show_bug.cgi?id=129718

        Rubber stamped by Mark Hahnenberg.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):

2014-05-21  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>

        [EFL] Add include path of compact_unwind_encoding.h if FTL JIT is enabled
        https://bugs.webkit.org/show_bug.cgi?id=132907

        Reviewed by Gyuyoung Kim.

        * CMakeLists.txt:

2014-05-16  Martin Robinson  <mrobinson@igalia.com>

        [CMake] Improve handling of LIB_INSTALL_DIR, EXEC_INSTALL_DIR, and LIBEXEC_INSTALL_DIR
        https://bugs.webkit.org/show_bug.cgi?id=132819

        Reviewed by Carlos Garcia Campos.

        * javascriptcoregtk.pc.in: Instead of using the special pkg-config variables,
        use the common CMake ones directly.

2014-05-21  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/169159.

        This was a unilateral change and wasn't properly reviewed.

        * tests/mozilla/mozilla-tests.yaml:

2014-05-21  Antoine Quint  <graouts@webkit.org>

        Array.prototype.find and findIndex should skip holes
        https://bugs.webkit.org/show_bug.cgi?id=132658

        Reviewed by Geoffrey Garen.

        Skip holes in the array when iterating such that the callback isn't called.

        * builtins/Array.prototype.js:
        (find):
        (findIndex):

2014-05-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        REGRESSION(r169092 and r169102): Skip failing JSC tests on ARM64 properly
        https://bugs.webkit.org/show_bug.cgi?id=133149

        Reviewed by Csaba Osztrogonác.

        * tests/mozilla/mozilla-tests.yaml:

2014-05-20  Geoffrey Garen  <ggaren@apple.com>

        Rolled out <http://trac.webkit.org/changeset/166184>
        https://bugs.webkit.org/show_bug.cgi?id=133144

        Reviewed by Gavin Barraclough.

        It caused a performance regression.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::blockFreeingThreadStartFunc):

2014-05-20  Filip Pizlo  <fpizlo@apple.com>

        DFG prediction propagation should agree with fixup phase over the return type of GetByVal
        https://bugs.webkit.org/show_bug.cgi?id=133134

        Reviewed by Mark Hahnenberg.

        Make prediction propagator use ArrayMode refinement to decide the return type.

        Also introduce a heap prediction intrinsic that allows us to test weird corner cases
        like this. The only way we'll see a mismatch like this in the real world is probably
        through a gnarly race condition.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::setHeapPrediction):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionFalse1):
        (functionFalse2):
        (functionUndefined1):
        (functionUndefined2):
        (functionFalse): Deleted.
        (functionOtherFalse): Deleted.
        (functionUndefined): Deleted.
        * runtime/Intrinsic.h:
        * tests/stress/get-by-val-double-predicted-int.js: Added.
        (foo):

2014-05-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Watchdog timer should be lazily allocated
        https://bugs.webkit.org/show_bug.cgi?id=133135

        Reviewed by Geoffrey Garen.

        We incur a noticeable amount of overhead on some benchmarks due to checking if the Watchdog ever fired.
        There is no reason to do this checking if we never activated the Watchdog, which can only be done through
        JSContextGroupSetExecutionTimeLimit or JSContextGroupClearExecutionTimeLimit.

        By allocating the Watchdog lazily on the VM we can avoid all of the associated overhead when we don't use
        these two API functions (which is true of most clients).

        * API/JSContextRef.cpp:
        (JSContextGroupSetExecutionTimeLimit):
        (JSContextGroupClearExecutionTimeLimit):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_loop_hint):
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/VM.h:
        * runtime/Watchdog.cpp:
        (JSC::Watchdog::Scope::Scope): Deleted.
        (JSC::Watchdog::Scope::~Scope): Deleted.
        * runtime/Watchdog.h:
        (JSC::Watchdog::Scope::Scope):
        (JSC::Watchdog::Scope::~Scope):

2014-05-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSArray::shiftCountWith* could be more efficient
        https://bugs.webkit.org/show_bug.cgi?id=133011

        Reviewed by Geoffrey Garen.

        Our current implementations of shiftCountWithAnyIndexingType and shiftCountWithArrayStorage
        are scared of the presence of any holes in the array. We can mitigate this somewhat by enabling
        them to correctly handle holes, thus avoiding the slowest of slow paths in most cases.

        * runtime/ArrayStorage.h:
        (JSC::ArrayStorage::indexingHeader):
        (JSC::ArrayStorage::length):
        (JSC::ArrayStorage::hasHoles):
        * runtime/IndexingHeader.h:
        (JSC::IndexingHeader::publicLength):
        (JSC::IndexingHeader::from):
        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        * runtime/JSArray.h:
        (JSC::JSArray::shiftCountForShift):
        (JSC::JSArray::shiftCountForSplice):
        (JSC::JSArray::shiftCount):
        * runtime/Structure.cpp:
        (JSC::Structure::holesRequireSpecialBehavior):
        * runtime/Structure.h:

2014-05-19  Filip Pizlo  <fpizlo@apple.com>

        Test gardening: skip some failing tests on not-X86.

        * tests/mozilla/mozilla-tests.yaml:

2014-05-19  Mark Lam  <mark.lam@apple.com>

        operationOptimize() should defer the GC for a while.
        <https://webkit.org/b/133103>

        Reviewed by Filip Pizlo.

        Currently, operationOptimize() only defers the GC until its end.  As a result,
        a GC may be triggered just before we return from operationOptimize(), and it may
        jettison the optimized codeBlock that we're planning to OSR enter into when we
        return from this function.  This is because the OSR entry on-ramp code hasn't
        been executed yet, and hence, there is not yet a reference to this new codeBlock
        from the stack, and there won't be until we've had a chance to return out of
        operationOptimize() to run the OSR entry on-ramp code.

        This issue is now fixed by using DeferGCForAWhile instead of DeferGC.  This
        ensures that the GC will be deferred until after the OSR entry on-ramp can be
        executed.

        * jit/JITOperations.cpp:

2014-05-19  Filip Pizlo  <fpizlo@apple.com>

        Take care of some ARM64 test failures
        https://bugs.webkit.org/show_bug.cgi?id=133090

        Reviewed by Geoffrey Garen.

        Constant blinding on ARM64 cannot use the scratch register.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::convertInt32ToDouble):
        (JSC::MacroAssembler::branchPtr):
        (JSC::MacroAssembler::storePtr):
        (JSC::MacroAssembler::store64):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::scratchRegisterForBlinding):

2014-05-19  Tanay C  <tanay.c@samsung.com>

        Removing some check-webkit-style warnings from ./dfg
        https://bugs.webkit.org/show_bug.cgi?id=132854

        Reviewed by Darin Adler.

        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAbstractValue.h:
        * dfg/DFGBlockInsertionSet.h:
        * dfg/DFGCommonData.h:
        * dfg/DFGDominators.h:
        * dfg/DFGGraph.h:
        * dfg/DFGInPlaceAbstractState.h:
        * dfg/DFGPredictionPropagationPhase.h:

2014-05-18  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, remove bogus comment. We already made the FTL use our calling convention.
        That was a long time ago.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileReturn):

2014-05-18  Rik Cabanier  <cabanier@adobe.com>

        support for navigator.hardwareConcurrency
        https://bugs.webkit.org/show_bug.cgi?id=132588

        Reviewed by Filip Pizlo.

        * Configurations/FeatureDefines.xcconfig:

2014-05-16  Michael Saboff  <msaboff@apple.com>

        Crash in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed() due to WTF::CrashOnOverflow::overflowed + 9
        https://bugs.webkit.org/show_bug.cgi?id=133009

        Reviewed by Oliver Hunt.

        If we determine that any alternative requires a minimum match size greater than
        INT_MAX, we handle the match in the interpreter.

        Check to see if the pattern has unsigned lengths before invoking YARR JIT.
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):

        * tests/stress/large-regexp.js: New test added.

        Set m_containsUnsignedLengthPattern flag if any alternative's minimum length
        doesn't fit in an int.
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):

        Clear new m_containsUnsignedLengthPattern flag.
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPattern::YarrPattern):
        * yarr/YarrPattern.h:
        (JSC::Yarr::YarrPattern::reset):
        (JSC::Yarr::YarrPattern::containsUnsignedLengthPattern):

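Added illustration for the entry above (editorial example, not YARR's code): the minimum-match-length computation is run over a simplified pattern tree with explicit overflow detection, so that a pattern whose minimum length does not fit in an int is flagged and routed to the interpreter instead of crashing in checked arithmetic. The tree type Node and the functions computeMinLength, containsUnsignedLengthPattern and shouldUseYarrJIT are assumptions made for this example; the sample patterns are constructed by hand rather than parsed.

```cpp
#include <climits>
#include <cstdint>
#include <utility>
#include <vector>

// Hypothetical pattern tree (not YARR's representation). A Node is either a
// literal run (alternatives empty, literalLength characters) or a group whose
// body is a disjunction of alternatives; either kind is repeated at least
// minRepeat times (the lower bound of its quantifier).
struct Node {
    unsigned minRepeat = 1;                        // {n,...} lower bound; 0 for '*' or '?'
    unsigned literalLength = 0;                    // used only when alternatives is empty
    std::vector<std::vector<Node>> alternatives;   // group body, one sequence per '|' branch
};

struct MinLengthResult {
    uint64_t minLength;   // saturated at UINT64_MAX if arithmetic overflowed
    bool overflowed;      // true if any intermediate sum or product overflowed uint64_t
};

// Saturating helpers: record overflow instead of crashing on it.
static uint64_t addSat(uint64_t a, uint64_t b, bool& overflowed) {
    if (a > UINT64_MAX - b) { overflowed = true; return UINT64_MAX; }
    return a + b;
}
static uint64_t mulSat(uint64_t a, uint64_t b, bool& overflowed) {
    if (a != 0 && b > UINT64_MAX / a) { overflowed = true; return UINT64_MAX; }
    return a * b;
}

// Minimum length of a node: literal length, or the minimum over alternatives of
// the sum of their terms, multiplied by the quantifier's lower bound.
static uint64_t minLengthOf(const Node& node, bool& overflowed) {
    uint64_t base;
    if (node.alternatives.empty()) {
        base = node.literalLength;
    } else {
        base = UINT64_MAX;
        for (const auto& alternative : node.alternatives) {
            uint64_t sum = 0;
            for (const Node& term : alternative)
                sum = addSat(sum, minLengthOf(term, overflowed), overflowed);
            if (sum < base) base = sum;
        }
    }
    return mulSat(base, node.minRepeat, overflowed);
}

MinLengthResult computeMinLength(const Node& pattern) {
    bool overflowed = false;
    uint64_t length = minLengthOf(pattern, overflowed);
    return { length, overflowed };
}

// The gate the entry describes: a minimum length that does not fit in an int
// (or overflowed on the way) means the JIT must not be used for this pattern.
bool containsUnsignedLengthPattern(const Node& pattern) {
    MinLengthResult r = computeMinLength(pattern);
    return r.overflowed || r.minLength > static_cast<uint64_t>(INT_MAX);
}
bool shouldUseYarrJIT(const Node& pattern) { return !containsUnsignedLengthPattern(pattern); }

// Builders for constructed sample patterns.
Node literal(unsigned length, unsigned minRepeat = 1) {
    Node n; n.literalLength = length; n.minRepeat = minRepeat; return n;
}
Node group(std::vector<std::vector<Node>> alternatives, unsigned minRepeat = 1) {
    Node n; n.alternatives = std::move(alternatives); n.minRepeat = minRepeat; return n;
}

// /(abc|de{2}){5}/ : min(3, 1 + 2) * 5 = 15, fits in an int, JIT is fine.
Node smallPattern() { return group({ { literal(3) }, { literal(1), literal(1, 2) } }, 5); }
// /(a{70000}){70000}/ : 4,900,000,000 > INT_MAX, must go to the interpreter.
Node hugePattern() { return group({ { literal(1, 70000) } }, 70000); }
// /((((a{65536}){65536}){65536}){65536})/ : 2^64 overflows even uint64_t; flagged, not crashed.
Node overflowingPattern() {
    Node n = literal(1, 65536);
    for (int i = 0; i < 3; ++i) n = group({ { n } }, 65536);
    return n;
}
```

The design choice worth noting is that the arithmetic never traps: a pattern is a remote-controlled input, so the length computation saturates and reports, and the decision of whether the JIT may run is made from that report.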
2014-05-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSDOMWindow should not claim HasImpureGetOwnPropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=132918

        Reviewed by Geoffrey Garen.

        * jit/Repatch.cpp:
        (JSC::tryRepatchIn): We forgot to check for watchpoints when repatching "in".

2014-05-15  Alex Christensen  <achristensen@webkit.org>

        Add pointer lock to features without enabling it.
        https://bugs.webkit.org/show_bug.cgi?id=132961

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:
        Added ENABLE_POINTER_LOCK to list of features.

2014-05-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        Inline caching for proxies clobbers baseGPR too early
        https://bugs.webkit.org/show_bug.cgi?id=132916

        Reviewed by Filip Pizlo.

        We clobber baseGPR prior to the Structure checks, so if any of the checks fail then the slow path
        gets the target of the proxy rather than the proxy itself. We need to delay the clobbering of baseGPR
        until we know the inline cache is going to succeed.

        * jit/Repatch.cpp:
        (JSC::generateByIdStub):

2014-05-14  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed build fix.

        * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: This solution
        was missing commands to build LLInt portions of JSC.
        * llint/LLIntData.cpp: 64-bit build fix.

2014-05-14  Martin Hodovan  <mhodovan.u-szeged@partner.samsung.com>

        ARM Traditional buildfix after r168776.
        https://bugs.webkit.org/show_bug.cgi?id=132903

        Reviewed by Darin Adler.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::abortWithReason): Added.

2014-05-14  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>

        Remove CSS_STICKY_POSITION guards
        https://bugs.webkit.org/show_bug.cgi?id=132676

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2014-05-13  Filip Pizlo  <fpizlo@apple.com>

        JIT breakpoints should be more informative
        https://bugs.webkit.org/show_bug.cgi?id=132882

        Reviewed by Oliver Hunt.

        Introduce the notion of an AbortReason, which is a nice enumeration of coded assertion
        failure names. This means that all you need to figure out why the JIT SIGTRAP'd is to look
        at that platform's abort reason register (r11 on X86-64 for example).

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbortReason.h: Added.
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::abortWithReason):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::abortWithReason):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::abortWithReason):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::abortWithReason):
        * dfg/DFGSlowPathGenerator.h:
        (JSC::DFG::SlowPathGenerator::generate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::bail):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrEntryThunkGenerator):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::jitAssertIsInt32):
        (JSC::AssemblyHelpers::jitAssertIsJSInt32):
        (JSC::AssemblyHelpers::jitAssertIsJSNumber):
        (JSC::AssemblyHelpers::jitAssertIsJSDouble):
        (JSC::AssemblyHelpers::jitAssertIsCell):
        (JSC::AssemblyHelpers::jitAssertTagsInPlace):
        (JSC::AssemblyHelpers::jitAssertHasValidCallFrame):
        (JSC::AssemblyHelpers::jitAssertIsNull):
        (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::checkStackPointerAlignment):
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): Deleted.
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitSlow_op_div):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::compileGetDirectOffset):
        (JSC::JIT::addStructureTransitionCheck): Deleted.
        (JSC::JIT::testPrototype): Deleted.
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::compileGetDirectOffset):
        * jit/RegisterPreservationWrapperGenerator.cpp:
        (JSC::generateRegisterRestoration):
        * jit/Repatch.cpp:
        (JSC::addStructureTransitionCheck):
        (JSC::linkClosureCall):
        * jit/ThunkGenerators.cpp:
        (JSC::emitPointerValidation):
        (JSC::nativeForGenerator):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generate):

2014-05-13  peavo@outlook.com  <peavo@outlook.com>

        [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
        https://bugs.webkit.org/show_bug.cgi?id=132772

        Reviewed by Geoffrey Garen.

        Using the MSVC compiler, an instance of an enum type with value zero, is compatible with void* (see bug 132683 for a code example).
        This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
        This patch tries to prevent these types of crashes by using a type with explicit constructors instead of void*.
        The void* parameter in the loadDouble and storeDouble methods is replaced with TrustedImmPtr.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::loadDouble):
        (JSC::MacroAssemblerARM::storeDouble):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::loadDouble):
        (JSC::MacroAssemblerARM64::storeDouble):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::loadDouble):
        (JSC::MacroAssemblerARMv7::storeDouble):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::loadDouble):
        (JSC::MacroAssemblerMIPS::storeDouble):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::loadDouble):
        (JSC::MacroAssemblerSH4::storeDouble):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::storeDouble):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::absDouble):
        (JSC::MacroAssemblerX86Common::negateDouble):
        (JSC::MacroAssemblerX86Common::loadDouble):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::compileClampDoubleToByte):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::purifyNaN):
        * jit/JITInlines.h:
        (JSC::JIT::emitLoadDouble):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        * jit/ThunkGenerators.cpp:
        (JSC::floorThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::powThunkGenerator):

2014-05-12  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r168642.
        https://bugs.webkit.org/show_bug.cgi?id=132839

        Broke ARM build (Requested by jpfau on #webkit).

        Reverted changeset:

        "[Win] Enum type with value zero is compatible with void*,
        potential cause of crashes."
        https://bugs.webkit.org/show_bug.cgi?id=132772
        http://trac.webkit.org/changeset/168642

2014-05-12  peavo@outlook.com  <peavo@outlook.com>

        [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
        https://bugs.webkit.org/show_bug.cgi?id=132772

        Reviewed by Geoffrey Garen.

        Using the MSVC compiler, an instance of an enum type with value zero, is compatible with void* (see bug 132683 for a code example).
        This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
        This patch tries to prevent these types of crashes by using a type with explicit constructors instead of void*.
        The void* parameter in the loadDouble and storeDouble methods is replaced with TrustedImmPtr.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::loadDouble):
        (JSC::MacroAssemblerARM::storeDouble):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::loadDouble):
        (JSC::MacroAssemblerARM64::storeDouble):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::loadDouble):
        (JSC::MacroAssemblerARMv7::storeDouble):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::loadDouble):
        (JSC::MacroAssemblerMIPS::storeDouble):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::loadDouble):
        (JSC::MacroAssemblerSH4::storeDouble):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::storeDouble):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::absDouble):
        (JSC::MacroAssemblerX86Common::negateDouble):
        (JSC::MacroAssemblerX86Common::loadDouble):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::compileClampDoubleToByte):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::purifyNaN):
        * jit/JITInlines.h:
        (JSC::JIT::emitLoadDouble):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        * jit/ThunkGenerators.cpp:
        (JSC::floorThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::powThunkGenerator):

2014-05-12  Andreas Kling  <akling@apple.com>

        0.4% of PLT3 in JSCell::structure() below JSObject::visitChildren().
        <https://webkit.org/b/132828>
        <rdar://problem/16886285>

        Reviewed by Michael Saboff.

        * runtime/JSObject.cpp:
        (JSC::JSObject::visitButterfly):
        (JSC::JSObject::visitChildren):

            Use JSCell::structure(VM&) to reduce the number of hoops we jump
            through to find Structures during marking.

2014-05-12  László Langó  <llango.u-szeged@partner.samsung.com>

        [cmake] Add missing FTL source files to the build system.

        Reviewed by Csaba Osztrogonác.

        * CMakeLists.txt:

2014-05-09  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Allow Remote Inspector to entitlement check UIProcess through WebProcess
        https://bugs.webkit.org/show_bug.cgi?id=132409

        Reviewed by Timothy Hatcher.

        Proxy applications are applications which hold WebViews for other
        applications. The WebProcess (Web Content Service) is a proxy application.
        For legacy reasons we were supporting a scenario where proxy applications
        could potentially host WebViews for more than one other application. That
        was never the case for WebProcess and it is now a scenario we don't need
        to worry about supporting.

        With this change, a proxy application more naturally only holds WebViews
        for a single parent / host application. The proxy process can set the
        parent pid / audit_token data on the RemoteInspector singleton, and
        that data will be sent on to webinspectord later on to be validated.
        In the WebProcess<->UIProcess relationship that information is known
        and set immediately. In the Legacy iOS case that information is set
        soon after, but not immediately known at the point the WebView is created.

        This allows us to simplify the RemoteInspectorDebuggable interface.
        We no longer need a pid per-Debuggable.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::setParentProcessInformation):
        (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
        (Inspector::RemoteInspector::listingForDebuggable):
        (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
        Handle new proxy application setup message, and provide an API
        for a proxy application to set the parent process information.

        * inspector/remote/RemoteInspectorConstants.h:
        New setup and response message for proxy applications to pass
        their parent / host application information to webinspectord.

        * inspector/remote/RemoteInspectorDebuggable.cpp:
        (Inspector::RemoteInspectorDebuggable::info):
        * inspector/remote/RemoteInspectorDebuggable.h:
        (Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo):
        (Inspector::RemoteInspectorDebuggableInfo::hasParentProcess): Deleted.
        pid per debuggable is no longer needed.

2014-05-09  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSDOMWindow should disable property caching after a certain point
        https://bugs.webkit.org/show_bug.cgi?id=132751

        Reviewed by Filip Pizlo.

        This is part of removing HasImpureGetOwnPropertySlot from JSDOMWindow. After the lookup in the static
        hash table for JSDOMWindow fails we want to disable property caching even if the code that follows thinks
        that it has provided a cacheable value.

        * runtime/PropertySlot.h:
        (JSC::PropertySlot::PropertySlot):
        (JSC::PropertySlot::isCacheable):
        (JSC::PropertySlot::disableCaching):

2014-05-09  Andreas Kling  <akling@apple.com>

        8.8% spent in Object.prototype.hasOwnProperty() on sbperftest.
        <https://webkit.org/b/132749>

        Leverage the fast-resolve-to-AtomicString optimization for JSRopeString
        in Object.prototype.* by using JSString::toIdentifier() in the cases where
        we are converting JSString -> String -> Identifier.

        This brings time spent in hasOwnProperty() from 8.8% to 1.3% on
        "The Great HTML5 Gaming Performance Test: 2014 edition"
        <http://www.scirra.com/demos/c2/sbperftest/>

        Reviewed by Oliver Hunt.

        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncHasOwnProperty):
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):

2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSDOMWindow should have a WatchpointSet to fire on window close
        https://bugs.webkit.org/show_bug.cgi?id=132721

        Reviewed by Filip Pizlo.

        This patch allows us to reset the inline caches that assumed they could skip
        the first part of JSDOMWindow::getOwnPropertySlot that checks if the window has
        been closed. This is part of getting rid of HasImpureGetOwnPropertySlot on JSDOMWindow.

        PropertySlot now accepts a WatchpointSet which the inline cache code can look for
        to see if it should create a new Watchpoint for that particular inline cache site.

        * bytecode/Watchpoint.h:
        * jit/Repatch.cpp:
        (JSC::generateByIdStub):
        (JSC::tryBuildGetByIDList):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::PropertySlot):
        (JSC::PropertySlot::watchpointSet):
        (JSC::PropertySlot::setWatchpointSet):

2014-05-09  Tanay C  <tanay.c@samsung.com>

        Fix build warning (uninitialized variable) in DFGFixupPhase.cpp
        https://bugs.webkit.org/show_bug.cgi?id=132331

        Reviewed by Darin Adler.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):

2014-05-09  peavo@outlook.com  <peavo@outlook.com>

        [Win] Crash when enabling DFG JIT.
        https://bugs.webkit.org/show_bug.cgi?id=132683

        Reviewed by Geoffrey Garen.

        On Windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0),
        results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
        where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
        This causes the register to be written to address 0, hence the crash.

        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit): Ditto.

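Added illustration serving both the crash described in the bug 132683 entry above and the TrustedImmPtr fix described in the two bug 132772 entries earlier on this page (editorial example, not JSC's assembler): register IDs stay enumerations, and an absolute address can only reach the store routine through a wrapper with an explicit constructor, so a register whose enumerator value is zero has no pointer-typed parameter left to convert into. The names RegisterID, FPRegisterID, ToyAssembler, StoreRecord and the helper functions are assumptions made for this example; only the TrustedImmPtr idea comes from the entries.

```cpp
#include <cstdint>
#include <type_traits>

// Hypothetical register enumerations; eax plays the role of regT0, whose value is 0.
enum RegisterID { eax = 0, ecx = 1, edx = 2 };
enum FPRegisterID { xmm0 = 0, xmm1 = 1 };

// Wrapper modelled on the idea of TrustedImmPtr: an explicit constructor means
// no integer, literal 0 or enumerator can implicitly become an address.
struct TrustedImmPtr {
    explicit TrustedImmPtr(const void* p) : value(p) {}
    const void* value;
};

// What a call would emit: a register-indirect store or an absolute-address store.
struct StoreRecord {
    enum Kind { RegisterIndirect, AbsoluteAddress } kind;
    uintptr_t operand;   // register number or raw address
};

class ToyAssembler {
public:
    // storeDouble(src, [base]): the address is held in a general-purpose register.
    StoreRecord storeDouble(FPRegisterID src, RegisterID base) {
        (void)src;
        return { StoreRecord::RegisterIndirect, static_cast<uintptr_t>(base) };
    }
    // storeDouble(src, address): reachable only with an explicit TrustedImmPtr.
    // The former `const void* address` overload is gone, so an enumerator with
    // value zero has nothing to silently convert into (the MSVC behaviour the
    // entries describe).
    StoreRecord storeDouble(FPRegisterID src, TrustedImmPtr address) {
        (void)src;
        return { StoreRecord::AbsoluteAddress, reinterpret_cast<uintptr_t>(address.value) };
    }
};

// Compile-time evidence of the property, independent of compiler extensions:
// neither a register nor an int converts implicitly to the address wrapper.
static_assert(!std::is_convertible<RegisterID, TrustedImmPtr>::value, "register must not convert to an address");
static_assert(!std::is_convertible<int, TrustedImmPtr>::value, "integer must not convert to an address");

constexpr bool registersCannotBecomeAddresses() {
    return !std::is_convertible<RegisterID, TrustedImmPtr>::value;
}

// The call shape from the crash report: register 0 as the address operand.
// With the wrapper in place it resolves to the register overload, operand 0 = eax,
// not a store to address 0.
StoreRecord storeViaRegisterZero() {
    ToyAssembler masm;
    return masm.storeDouble(xmm0, eax);
}

// The absolute-address path now requires the caller to say so explicitly.
StoreRecord storeViaAddress(const void* slot) {
    ToyAssembler masm;
    return masm.storeDouble(xmm0, TrustedImmPtr(slot));
}

// Checks that an explicit address is recorded as an absolute store of that exact address.
bool addressRoundTrips() {
    double slot = 0.0;
    StoreRecord r = storeViaAddress(&slot);
    return r.kind == StoreRecord::AbsoluteAddress
        && r.operand == reinterpret_cast<uintptr_t>(&slot);
}
```

The point of the wrapper is not the extra type itself but the removal of the `const void*` parameter: once no overload accepts a raw pointer, a zero-valued enumerator cannot be mistaken for a null address on any compiler, and the static_asserts make that guarantee checkable in the build rather than discovered as a write to address 0 at runtime.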
732 2014-05-09  Martin Hodovan <mhodovan.u-szeged@partner.samsung.com>
733
734         REGRESSION(r167094): JSC crashes on ARM Traditional
735         https://bugs.webkit.org/show_bug.cgi?id=132738
736
737         Reviewed by Zoltan Herczeg.
738
739         PC is two instructions ahead of the current instruction
740         on ARM Traditional, so the distance is 8 bytes not 2.
741
742         * llint/LowLevelInterpreter.asm:
743
744 2014-05-09  Alberto Garcia  <berto@igalia.com>
745
746         jsmin.py license header confusing, mentions non-free license
747         https://bugs.webkit.org/show_bug.cgi?id=123665
748
749         Reviewed by Darin Adler.
750
751         Pull the most recent version from upstream, which has a clear
752         license.
753
754         * inspector/scripts/jsmin.py:
755
756 2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>
757
758         Base case for get-by-id inline cache doesn't check for HasImpureGetOwnPropertySlot
759         https://bugs.webkit.org/show_bug.cgi?id=132695
760
761         Reviewed by Filip Pizlo.
762
763         We check in the case where we're accessing something other than the base object (e.g. the prototype),
764         but we fail to do so for the base object.
765
766         * jit/Repatch.cpp:
767         (JSC::tryCacheGetByID):
768         (JSC::tryBuildGetByIDList):
769         * jsc.cpp: Added some infrastructure to support this test. We don't currently trigger this bug anywhere in WebKit
770         because all of the values that are returned that could be impure are set to uncacheable anyways.
771         (WTF::ImpureGetter::ImpureGetter):
772         (WTF::ImpureGetter::createStructure):
773         (WTF::ImpureGetter::create):
774         (WTF::ImpureGetter::finishCreation):
775         (WTF::ImpureGetter::getOwnPropertySlot):
776         (WTF::ImpureGetter::visitChildren):
777         (WTF::ImpureGetter::setDelegate):
778         (GlobalObject::finishCreation):
779         (functionCreateImpureGetter):
780         (functionSetImpureGetterDelegate):
781         * tests/stress/impure-get-own-property-slot-inline-cache.js: Added.
782         (foo):
783
784 2014-05-08  Filip Pizlo  <fpizlo@apple.com>
785
786         deleteAllCompiledCode() shouldn't use the suspension worklist
787         https://bugs.webkit.org/show_bug.cgi?id=132708
788
789         Reviewed by Mark Hahnenberg.
790
791         * bytecode/CodeBlock.cpp:
792         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
793         * dfg/DFGPlan.cpp:
794         (JSC::DFG::Plan::isStillValid):
795         * heap/Heap.cpp:
796         (JSC::Heap::deleteAllCompiledCode):
797
798 2014-05-08  Filip Pizlo  <fpizlo@apple.com>
799
800         SSA conversion should delete PhantomLocals for captured variables
801         https://bugs.webkit.org/show_bug.cgi?id=132693
802
803         Reviewed by Mark Hahnenberg.
804
805         * dfg/DFGCommon.cpp:
806         (JSC::DFG::startCrashing): Parallel JIT and a JIT bug mean that we may dump IR in parallel. This is the workaround. This patch uses it in all of the places where we dump IR and crash.
807         * dfg/DFGCommon.h:
808         * dfg/DFGFixupPhase.cpp:
809         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): Use the workaround.
810         * dfg/DFGLivenessAnalysisPhase.cpp:
811         (JSC::DFG::LivenessAnalysisPhase::run): Use the workaround.
812         * dfg/DFGSSAConversionPhase.cpp:
813         (JSC::DFG::SSAConversionPhase::run): Fix the bug - it's true that PhantomLocal for captured variables doesn't need anything done to it, but it's wrong that we didn't delete it outright.
814         * dfg/DFGValidate.cpp: Use the workaround.
815         * tests/stress/phantom-local-captured-but-not-flushed-to-ssa.js: Added.
816         (foo):
817         (bar):
818
819 2014-05-07  Commit Queue  <commit-queue@webkit.org>
820
821         Unreviewed, rolling out r168451.
822         https://bugs.webkit.org/show_bug.cgi?id=132670
823
824         Not a speed-up, just do what other compilers do. (Requested by
825         kling on #webkit).
826
827         Reverted changeset:
828
829         "[X86] Emit BT instruction for single-bit tests."
830         https://bugs.webkit.org/show_bug.cgi?id=132650
831         http://trac.webkit.org/changeset/168451
832
833 2014-05-07  Filip Pizlo  <fpizlo@apple.com>
834
835         Make Executable::clearCode() actually clear all of the entrypoints, and
836         clean up some other FTL-related calling convention stuff.
837         <rdar://problem/16720172>
838
839         Rubber stamped by Mark Hahnenberg.
840
841         * dfg/DFGOperations.cpp:
842         * dfg/DFGOperations.h:
843         * dfg/DFGWorklist.cpp:
844         (JSC::DFG::Worklist::Worklist):
845         (JSC::DFG::Worklist::finishCreation):
846         (JSC::DFG::Worklist::create):
847         (JSC::DFG::ensureGlobalDFGWorklist):
848         (JSC::DFG::ensureGlobalFTLWorklist):
849         * dfg/DFGWorklist.h:
850         * heap/CodeBlockSet.cpp:
851         (JSC::CodeBlockSet::dump):
852         * heap/CodeBlockSet.h:
853         * runtime/Executable.cpp:
854         (JSC::ExecutableBase::clearCode):
855
856 2014-05-07  Andreas Kling  <akling@apple.com>
857
858         [X86] Emit BT instruction for single-bit tests.
859         <https://webkit.org/b/132650>
860
861         Implement test-bit-and-branch slightly more efficiently by using
862         BT + JC/JNC instead of TEST + JZ/JNZ when we're only testing for
863         a single bit.
864
865         Reviewed by Michael Saboff.
866
867         * assembler/MacroAssemblerX86Common.h:
868         (JSC::MacroAssemblerX86Common::singleBitIndex):
869         (JSC::MacroAssemblerX86Common::branchTest32):
870         * assembler/X86Assembler.h:
871         (JSC::X86Assembler::bt_i8r):
872         (JSC::X86Assembler::bt_i8m):
873
874 2014-05-07  Mark Lam  <mark.lam@apple.com>
875
876         REGRESSION(r166678): Dromaeo/cssquery-dojo.html crashes regularly.
877         <https://webkit.org/b/131356>
878
879         Reviewed by Geoffrey Garen.
880
881         The issue is that GC needs to be made aware of writes to m_inferredValue
882         in the VariableWatchpointSet, but was not.  As a result, if a JSCell*
883         is written to a VariableWatchpointSet m_inferredValue, and that JSCell
884         does not survive an eden GC shortly after, we will end up with a stale
885         JSCell pointer left in the m_inferredValue.
886
887         This issue can be detected more easily by running Dromaeo/cssquery-dojo.html
888         using DumpRenderTree with the VM heap in zombie mode.
889
890         The fix is to change VariableWatchpointSet m_inferredValue to type
891         WriteBarrier<Unknown> and ensure that VariableWatchpointSet::notifyWrite()
892         is executed by all the execution engines so that the WriteBarrier semantics
893         are honored.
894
895         We still check if the value to be written is the same as the one in the
896         inferredValue.  We'll by-pass calling the slow path notifyWrite() if the
897         values are the same.
898
899         * JavaScriptCore.xcodeproj/project.pbxproj:
900         * bytecode/CodeBlock.cpp:
901         (JSC::CodeBlock::CodeBlock):
902         - need to pass the symbolTable to prepareToWatch() because it will be needed
903           for instantiating the VariableWatchpointSet in prepareToWatch().
904
905         * bytecode/VariableWatchpointSet.h:
906         (JSC::VariableWatchpointSet::VariableWatchpointSet):
907         - VariableWatchpointSet now tracks its owner symbol table for its m_inferredValue
908           write barrier, and yes, m_inferredValue is now of type WriteBarrier<Unknown>.
909         (JSC::VariableWatchpointSet::inferredValue):
910         (JSC::VariableWatchpointSet::invalidate):
911         (JSC::VariableWatchpointSet::finalizeUnconditionally):
912         (JSC::VariableWatchpointSet::addressOfInferredValue):
913         (JSC::VariableWatchpointSet::notifyWrite): Deleted.
914         * bytecode/VariableWatchpointSetInlines.h: Added.
915         (JSC::VariableWatchpointSet::notifyWrite):
916
917         * dfg/DFGByteCodeParser.cpp:
918         (JSC::DFG::ByteCodeParser::cellConstant):
919         - Added an assert in case we try to make constants of zombified JSCells again.
920
921         * dfg/DFGOperations.cpp:
922         * dfg/DFGOperations.h:
923         * dfg/DFGSpeculativeJIT.h:
924         (JSC::DFG::SpeculativeJIT::callOperation):
925         * dfg/DFGSpeculativeJIT32_64.cpp:
926         (JSC::DFG::SpeculativeJIT::compile):
927         * dfg/DFGSpeculativeJIT64.cpp:
928         (JSC::DFG::SpeculativeJIT::compile):
929         - We now let the slow path handle the cases when the VariableWatchpointSet is
930           in state ClearWatchpoint and IsWatched, and the slow path will ensure that
931           we handle the needed write barrier semantics correctly.
932           We will by-pass the slow path if the value being written is the same as the
933           inferred value.
934
935         * ftl/FTLIntrinsicRepository.h:
936         * ftl/FTLLowerDFGToLLVM.cpp:
937         (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
938         - Let the slow path handle the cases when the VariableWatchpointSet is
939           in state ClearWatchpoint and IsWatched.
940           We will by-pass the slow path if the value being written is the same as the
941           inferred value.
942
943         * heap/Heap.cpp:
944         (JSC::Zombify::operator()):
945         - Use a different value for the zombified bits (to distinguish it from 0xbbadbeef
946           which is used everywhere else).
947         * heap/Heap.h:
948         (JSC::Heap::isZombified):
949         - Provide a convenience test function to check if JSCells are zombified.  This is
950           currently only used in an assertion in the DFG bytecode parser, but the intent
951           is that we'll apply this test in other strategic places later to help with early
952           detection of usage of GC'ed objects when we run in zombie mode.
953
954         * jit/JITOpcodes.cpp:
955         (JSC::JIT::emitSlow_op_captured_mov):
956         * jit/JITOperations.h:
957         * jit/JITPropertyAccess.cpp:
958         (JSC::JIT::emitNotifyWrite):
959         * jit/JITPropertyAccess32_64.cpp:
960         (JSC::JIT::emitNotifyWrite):
961         (JSC::JIT::emitSlow_op_put_to_scope):
962         - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
963           is in state ClearWatchpoint and IsWatched.
964           We will by-pass the slow path if the value being written is the same as the
965           inferred value.
966
967         * llint/LowLevelInterpreter32_64.asm:
968         * llint/LowLevelInterpreter64.asm:
969         - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
970           is in state ClearWatchpoint and IsWatched.
971           We will by-pass the slow path if the value being written is the same as the
972           inferred value.
973
974         * runtime/CommonSlowPaths.cpp:
975
976         * runtime/JSCJSValue.h: Fixed some typos in the comments.
977         * runtime/JSGlobalObject.cpp:
978         (JSC::JSGlobalObject::addGlobalVar):
979         (JSC::JSGlobalObject::addFunction):
980         * runtime/JSSymbolTableObject.h:
981         (JSC::symbolTablePut):
982         (JSC::symbolTablePutWithAttributes):
983         * runtime/SymbolTable.cpp:
984         (JSC::SymbolTableEntry::prepareToWatch):
985         (JSC::SymbolTableEntry::notifyWriteSlow):
986         * runtime/SymbolTable.h:
987         (JSC::SymbolTableEntry::notifyWrite):
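
The stale-pointer scenario in the entry above (a JSCell* written into m_inferredValue without the GC hearing about it, then freed by an eden GC) is easiest to see with a toy collector. This is an added illustration, not WebKit code: the names Cell, InferredValueOwner, Heap and its remembered set are this example's own constructions, standing in for the JSCell, the SymbolTable-owned VariableWatchpointSet, and the eden collection respectively. It shows the unbarriered store leaving a zombified cell behind, the barriered store keeping the cell alive, and the fast path that skips the slow-path barrier when the value being written is unchanged.

```cpp
#include <cstddef>
#include <memory>
#include <set>
#include <vector>

// Constructed toy heap (not JSC's Heap): cells live in an eden region; an eden
// collection keeps only cells reachable from roots or from the remembered set.
struct Cell {
    int id = 0;
    bool marked = false;
    bool zombified = false; // instead of freeing, poison the cell (like a zombie-mode heap)
};

// Stands in for the owner of m_inferredValue (the SymbolTable in the entry above).
// The slot is not itself an eden cell, so only a barrier can tell the GC about it.
struct InferredValueOwner {
    Cell* inferredValue = nullptr;
};

struct Heap {
    std::vector<std::unique_ptr<Cell>> eden;
    std::set<InferredValueOwner*> rememberedSet; // owners whose slots may point into eden
    int barrierCalls = 0;

    Cell* allocate(int id) {
        eden.push_back(std::unique_ptr<Cell>(new Cell));
        eden.back()->id = id;
        return eden.back().get();
    }

    // Write barrier: remember the owner so its slot is scanned by the next eden GC.
    void writeBarrier(InferredValueOwner* owner) {
        ++barrierCalls;
        rememberedSet.insert(owner);
    }

    // The defect described above: a raw store the collector never hears about.
    static void storeWithoutBarrier(InferredValueOwner* owner, Cell* value) {
        owner->inferredValue = value;
    }

    // The fixed store: fast path when the value is unchanged (nothing new to record),
    // otherwise write and take the slow path that runs the barrier.
    void storeWithBarrier(InferredValueOwner* owner, Cell* value) {
        if (owner->inferredValue == value)
            return;
        owner->inferredValue = value;
        writeBarrier(owner);
    }

    // Eden GC: mark from explicit roots and from remembered slots, poison the rest.
    void collectEden(const std::vector<Cell*>& roots) {
        for (auto& c : eden)
            c->marked = false;
        for (Cell* r : roots)
            if (r) r->marked = true;
        for (InferredValueOwner* o : rememberedSet)
            if (o->inferredValue) o->inferredValue->marked = true;
        rememberedSet.clear(); // entries are consumed; a real GC would promote survivors
        for (auto& c : eden)
            if (!c->marked) c->zombified = true;
    }

    static bool isZombified(const Cell* c) { return c && c->zombified; }
};

// Store a fresh eden cell into the slot, then run an eden GC with no other references.
// Returns true if the slot still points at a live cell afterwards.
bool inferredValueSurvivesEdenGC(bool useBarrier) {
    Heap heap;
    InferredValueOwner owner;
    Cell* cell = heap.allocate(1);
    if (useBarrier)
        heap.storeWithBarrier(&owner, cell);
    else
        Heap::storeWithoutBarrier(&owner, cell);
    heap.collectEden({});
    return !Heap::isZombified(owner.inferredValue);
}

// The fast path: writing the same value again must not take the slow path.
int barrierCallsForRepeatedStore() {
    Heap heap;
    InferredValueOwner owner;
    Cell* cell = heap.allocate(2);
    heap.storeWithBarrier(&owner, cell);
    heap.storeWithBarrier(&owner, cell);
    heap.storeWithBarrier(&owner, cell);
    return heap.barrierCalls;
}

int main() {
    bool ok = inferredValueSurvivesEdenGC(true) && !inferredValueSurvivesEdenGC(false)
        && barrierCallsForRepeatedStore() == 1;
    return ok ? 0 : 1;
}
```

The unbarriered path is the use-after-free shape the zombie-mode heap mentioned above is meant to catch early: the slot is never scanned, the cell is collected, and the next reader of the slot dereferences freed memory.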
988
989 2014-05-06  Michael Saboff  <msaboff@apple.com>
990
991         Unreviewed build fix for C-LOOP after r168396.
992
993         * runtime/TestRunnerUtils.cpp:
994         (JSC::optimizeNextInvocation): Wrapped actual call inside #if ENABLE(JIT)
995
996 2014-05-06  Michael Saboff  <msaboff@apple.com>
997
998         Add test for deleteAllCompiledCode
999         https://bugs.webkit.org/show_bug.cgi?id=132632
1000
1001         Reviewed by Phil Pizlo.
1002
1003         Added two new hooks to jsc, one to call Heap::deleteAllCompiledCode() and
1004         the other to call CodeBlock::optimizeNextInvocation().  Used these two hooks
1005         to write a test that will queue up loads of DFG compiles and then call
1006         Heap::deleteAllCompiledCode() to make sure that it can handle compiled
1007         code as well as code being compiled.
1008
1009         * jsc.cpp:
1010         (GlobalObject::finishCreation):
1011         (functionDeleteAllCompiledCode):
1012         (functionOptimizeNextInvocation):
1013         * runtime/TestRunnerUtils.cpp:
1014         (JSC::optimizeNextInvocation):
1015         * runtime/TestRunnerUtils.h:
1016         * tests/stress/deleteAllCompiledCode.js: Added.
1017         (functionList):
1018         (runTest):
1019
1020 2014-05-06  Andreas Kling  <akling@apple.com>
1021
1022         JSString::toAtomicString() should return AtomicString.
1023         <https://webkit.org/b/132627>
1024
1025         Remove premature optimization where I was trying to avoid refcount
1026         churn when returning an already atomicized String.
1027
1028         Instead of using reinterpret_cast to mangle the String member into
1029         a const AtomicString& return value, just return AtomicString.
1030
1031         Reviewed by Geoff Garen.
1032
1033         * runtime/JSString.h:
1034         (JSC::JSString::toAtomicString):
1035
1036 2014-05-06  Mark Hahnenberg  <mhahnenberg@apple.com>
1037
1038         Roll out r167889
1039
1040         Rubber stamped by Geoff Garen.
1041
1042         It broke some websites.
1043
1044         * runtime/JSPropertyNameIterator.cpp:
1045         (JSC::JSPropertyNameIterator::create):
1046         * runtime/PropertyMapHashTable.h:
1047         (JSC::PropertyTable::hasDeletedOffset):
1048         (JSC::PropertyTable::hadDeletedOffset): Deleted.
1049         * runtime/Structure.cpp:
1050         (JSC::Structure::Structure):
1051         (JSC::Structure::materializePropertyMap):
1052         (JSC::Structure::removePropertyTransition):
1053         (JSC::Structure::changePrototypeTransition):
1054         (JSC::Structure::despecifyFunctionTransition):
1055         (JSC::Structure::attributeChangeTransition):
1056         (JSC::Structure::toDictionaryTransition):
1057         (JSC::Structure::preventExtensionsTransition):
1058         (JSC::Structure::addPropertyWithoutTransition):
1059         (JSC::Structure::removePropertyWithoutTransition):
1060         (JSC::Structure::pin):
1061         (JSC::Structure::pinAndPreventTransitions): Deleted.
1062         * runtime/Structure.h:
1063         * runtime/StructureInlines.h:
1064         (JSC::Structure::setEnumerationCache):
1065         (JSC::Structure::propertyTable):
1066         (JSC::Structure::checkOffsetConsistency):
1067         (JSC::Structure::hadDeletedOffsets): Deleted.
1068         * tests/stress/for-in-after-delete.js:
1069         (foo): Deleted.
1070
1071 2014-05-05  Andreas Kling  <akling@apple.com>
1072
1073         Fix debug build.
1074
1075         * runtime/JSCellInlines.h:
1076         (JSC::JSCell::fastGetOwnProperty):
1077
1078 2014-05-05  Andreas Kling  <akling@apple.com>
1079
1080         Optimize GetByVal when subscript is a rope string.
1081         <https://webkit.org/b/132590>
1082
1083         Use JSString::toIdentifier() in the various GetByVal implementations
1084         to try and avoid allocating extra strings.
1085
1086         Added canUseFastGetOwnProperty() and wrap calls to fastGetOwnProperty()
1087         in that, to avoid calling JSString::value() which always resolves ropes
1088         into new strings and de-optimizes subsequent toIdentifier() calls.
1089
1090         My iMac says ~9% progression on Dromaeo/dom-attr.html.
1091
1092         Reviewed by Phil Pizlo.
1093
1094         * dfg/DFGOperations.cpp:
1095         * jit/JITOperations.cpp:
1096         (JSC::getByVal):
1097         * llint/LLIntSlowPaths.cpp:
1098         (JSC::LLInt::getByVal):
1099         * runtime/JSCell.h:
1100         * runtime/JSCellInlines.h:
1101         (JSC::JSCell::fastGetOwnProperty):
1102         (JSC::JSCell::canUseFastGetOwnProperty):
1103
1104 2014-05-05  Andreas Kling  <akling@apple.com>
1105
1106         REGRESSION (r168256): ASSERTION FAILED: (buffer + m_length) == position loading vanityfair.com article.
1107         <https://webkit.org/b/168256>
1108         <rdar://problem/16816316>
1109
1110         Make resolveRopeSlowCase8() behave like its 16-bit counterpart and not
1111         clear the fibers. The caller takes care of this.
1112
1113         Test: fast/dom/getElementById-with-rope-string-arg.html
1114
1115         Reviewed by Geoffrey Garen.
1116
1117         * runtime/JSString.cpp:
1118         (JSC::JSRopeString::resolveRopeSlowCase8):
1119
1120 2014-05-05  Michael Saboff  <msaboff@apple.com>
1121
1122         REGRESSION: RELEASE_ASSERT in CodeBlock::baselineVersion @ cnn.com
1123         https://bugs.webkit.org/show_bug.cgi?id=132581
1124
1125         Reviewed by Filip Pizlo.
1126
1127         * dfg/DFGPlan.cpp:
1128         (JSC::DFG::Plan::isStillValid): Check that the alternative codeBlock we
1129         started compiling for is still the same at the end of compilation.
1130         Also did some minor restructuring.
1131
1132 2014-05-05  Andreas Kling  <akling@apple.com>
1133
1134         Optimize PutByVal when subscript is a rope string.
1135         <https://webkit.org/b/132572>
1136
1137         Add a JSString::toIdentifier() that is smarter when the JSString is
1138         really a rope string. Use this in baseline & DFG's PutByVal to avoid
1139         allocating new StringImpls that we immediately deduplicate anyway.
1140
1141         Reviewed by Antti Koivisto.
1142
1143         * dfg/DFGOperations.cpp:
1144         (JSC::DFG::operationPutByValInternal):
1145         * jit/JITOperations.cpp:
1146         * runtime/JSString.h:
1147         (JSC::JSString::toIdentifier):
1148
1149 2014-05-05  Andreas Kling  <akling@apple.com>
1150
1151         Remove two now-incorrect assertions after r168256.
1152
1153         * runtime/JSString.cpp:
1154         (JSC::JSRopeString::resolveRopeSlowCase8):
1155         (JSC::JSRopeString::resolveRopeSlowCase):
1156
1157 2014-05-04  Andreas Kling  <akling@apple.com>
1158
1159         Optimize JSRopeString for resolving directly to AtomicString.
1160         <https://webkit.org/b/132548>
1161
1162         If we know that the JSRopeString we are resolving is going to be used
1163         as an AtomicString, we can try to avoid creating a new string.
1164
1165         We do this by first resolving the rope into a stack buffer, and using
1166         that buffer as a key into the AtomicString table. If there is already
1167         an AtomicString with the same characters, we reuse that instead of
1168         constructing a new StringImpl.
1169
1170         JSString gains these two public functions:
1171
1172         - AtomicString toAtomicString()
1173
1174             Returns an AtomicString, tries to avoid allocating a new string
1175             if possible.
1176
1177         - AtomicStringImpl* toExistingAtomicString()
1178
1179             Returns a non-null AtomicStringImpl* if one already exists in the
1180             AtomicString table. If none is found, the rope is left unresolved.
1181
1182         Reviewed by Filip Pizlo.
1183
1184         * runtime/JSString.cpp:
1185         (JSC::JSRopeString::resolveRopeInternal8):
1186         (JSC::JSRopeString::resolveRopeInternal16):
1187         (JSC::JSRopeString::resolveRopeToAtomicString):
1188         (JSC::JSRopeString::clearFibers):
1189         (JSC::JSRopeString::resolveRopeToExistingAtomicString):
1190         (JSC::JSRopeString::resolveRope):
1191         (JSC::JSRopeString::outOfMemory):
1192         * runtime/JSString.h:
1193         (JSC::JSString::toAtomicString):
1194         (JSC::JSString::toExistingAtomicString):
1195
1196 2014-05-04  Andreas Kling  <akling@apple.com>
1197
1198         Unreviewed, rolling out r168254.
1199
1200         Very crashy on debug JSC tests.
1201
1202         Reverted changeset:
1203
1204         "jsSubstring() should be lazy"
1205         https://bugs.webkit.org/show_bug.cgi?id=132556
1206         http://trac.webkit.org/changeset/168254
1207
1208 2014-05-04  Filip Pizlo  <fpizlo@apple.com>
1209
1210         jsSubstring() should be lazy
1211         https://bugs.webkit.org/show_bug.cgi?id=132556
1212
1213         Reviewed by Andreas Kling.
1214
1215         jsSubstring() is now lazy by using a special rope that is a substring instead of a
1216         concatenation. To make this patch super simple, we require that a substring's base is
1217         never a rope. Hence, when resolving a rope, we either go down a non-recursive substring
1218         path, or we go down a concatenation path which may see exactly one level of substrings in
1219         its fibers.
1220
1221         This is up to a 50% speed-up on microbenchmarks and a 10% speed-up on Octane/regexp.
1222
1223         * heap/MarkedBlock.cpp:
1224         (JSC::MarkedBlock::specializedSweep):
1225         * runtime/JSString.cpp:
1226         (JSC::JSRopeString::visitFibers):
1227         (JSC::JSRopeString::resolveRope):
1228         (JSC::JSRopeString::resolveRopeSlowCase8):
1229         (JSC::JSRopeString::resolveRopeSlowCase):
1230         (JSC::JSRopeString::outOfMemory):
1231         * runtime/JSString.h:
1232         (JSC::JSRopeString::finishCreation):
1233         (JSC::JSRopeString::append):
1234         (JSC::JSRopeString::create):
1235         (JSC::JSRopeString::offsetOfFibers):
1236         (JSC::JSRopeString::fiber):
1237         (JSC::JSRopeString::substringBase):
1238         (JSC::JSRopeString::substringOffset):
1239         (JSC::JSRopeString::substringSentinel):
1240         (JSC::JSRopeString::isSubstring):
1241         (JSC::jsSubstring):
1242         * runtime/RegExpMatchesArray.cpp:
1243         (JSC::RegExpMatchesArray::reifyAllProperties):
1244         * runtime/StringPrototype.cpp:
1245         (JSC::stringProtoFuncSubstring):
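
Two of the entries above describe rope behaviour that is easier to follow in code: the lazy jsSubstring() rope whose base is never itself a rope (this entry), and resolving a rope into a scratch buffer to find an already-existing atom without allocating a new string (the 2014-05-04 "resolving directly to AtomicString" entry). This is an added, self-contained model and not JSRopeString or AtomicString from WebKit: Rope, makeFlat/makeConcat/makeSubstring, resolve and AtomTable are this example's own names, and g_charsCopied is instrumentation added only to show that creating a substring copies nothing.

```cpp
#include <cstddef>
#include <memory>
#include <set>
#include <string>
#include <vector>

// Constructed rope (not JSC's JSRopeString). Invariant from the jsSubstring entry:
// a Substring node's base is always a Flat node, so resolving a substring never recurses,
// and a Concat's fibers may be Flat, Concat, or (at most one level of) Substring.
struct Rope {
    enum Kind { Flat, Concat, Substring };
    Kind kind = Flat;
    std::string flat;                                // Flat: the characters
    std::vector<std::shared_ptr<const Rope>> fibers; // Concat: pieces
    std::shared_ptr<const Rope> base;                // Substring: a Flat node
    size_t offset = 0, length = 0;                   // Substring: window into base->flat
};
using RopePtr = std::shared_ptr<const Rope>;

static size_t g_charsCopied = 0; // instrumentation: characters copied while resolving

size_t lengthOf(const Rope& r) {
    if (r.kind == Rope::Flat) return r.flat.size();
    if (r.kind == Rope::Substring) return r.length;
    size_t n = 0;
    for (const RopePtr& f : r.fibers) n += lengthOf(*f);
    return n;
}

static void appendTo(std::string& out, const Rope& r) {
    switch (r.kind) {
    case Rope::Flat: out.append(r.flat); g_charsCopied += r.flat.size(); break;
    case Rope::Substring: out.append(r.base->flat, r.offset, r.length); g_charsCopied += r.length; break;
    case Rope::Concat: for (const RopePtr& f : r.fibers) appendTo(out, *f); break;
    }
}

// Resolve to a flat string. The Substring case copies one window and never recurses;
// the Concat case walks its fibers, which may include substrings but never nested ones.
std::string resolve(const Rope& r) {
    std::string out;
    out.reserve(lengthOf(r));
    appendTo(out, r);
    return out;
}

RopePtr makeFlat(std::string s) {
    auto r = std::make_shared<Rope>();
    r->kind = Rope::Flat; r->flat = std::move(s);
    return r;
}
RopePtr makeConcat(RopePtr a, RopePtr b) {
    auto r = std::make_shared<Rope>();
    r->kind = Rope::Concat; r->fibers = { std::move(a), std::move(b) };
    return r;
}
// Lazy substring: O(1) and copies nothing. A rope base is flattened first so the invariant holds.
RopePtr makeSubstring(const RopePtr& base, size_t offset, size_t length) {
    RopePtr flatBase = base->kind == Rope::Flat ? base : makeFlat(resolve(*base));
    auto r = std::make_shared<Rope>();
    r->kind = Rope::Substring; r->base = flatBase; r->offset = offset; r->length = length;
    return r;
}

// Atom table in the spirit of toExistingAtomicString(): resolve into a scratch buffer,
// look the characters up, and only intern (allocate a table entry) on a miss.
struct AtomTable {
    std::set<std::string> atoms;
    size_t allocations = 0;
    const std::string* toExistingAtom(const Rope& r) {
        std::string scratch = resolve(r);
        auto it = atoms.find(scratch);
        return it == atoms.end() ? nullptr : &*it;
    }
    const std::string& toAtom(const Rope& r) {
        std::string scratch = resolve(r);
        auto it = atoms.find(scratch);
        if (it == atoms.end()) { ++allocations; it = atoms.insert(std::move(scratch)).first; }
        return *it;
    }
};

std::string resolvedExample() {
    RopePtr r = makeConcat(makeConcat(makeFlat("hello"), makeFlat(", ")), makeFlat("world"));
    return resolve(*r);
}
size_t charsCopiedCreatingSubstring() {
    g_charsCopied = 0;
    RopePtr sub = makeSubstring(makeFlat("hello, world"), 7, 5);
    return sub->kind == Rope::Substring ? g_charsCopied : size_t(-1); // 0: the substring is lazy
}
bool substringInvariantHolds() {
    RopePtr sub = makeSubstring(makeConcat(makeFlat("abc"), makeFlat("def")), 2, 3); // base flattened once
    RopePtr mixed = makeConcat(sub, makeFlat("!"));                                  // substring as a fiber
    return sub->base->kind == Rope::Flat && resolve(*sub) == "cde" && resolve(*mixed) == "cde!";
}
size_t atomAllocationsForSameCharacters() {
    AtomTable table;
    RopePtr a = makeConcat(makeFlat("id"), makeFlat("_1"));
    RopePtr b = makeSubstring(makeFlat("xid_1x"), 1, 4); // same characters, different rope shape
    table.toAtom(*a); table.toAtom(*a); table.toAtom(*b);
    return table.allocations; // 1: later lookups reuse the existing atom
}
bool missingAtomNotAllocated() {
    AtomTable table;
    return table.toExistingAtom(*makeFlat("absent")) == nullptr && table.allocations == 0;
}
```

The scratch buffer here is a heap std::string rather than the stack buffer the entry describes; the property being shown is that the atom table itself gains no entry when the characters already exist, and that a substring rope defers all copying until it is resolved.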
1246
1247 2014-05-02  Michael Saboff  <msaboff@apple.com>
1248
1249         "arm64 function not 4-byte aligned" warnings when building JSC
1250         https://bugs.webkit.org/show_bug.cgi?id=132495
1251
1252         Reviewed by Geoffrey Garen.
1253
1254         Added ".align 4" for both ARM Thumb2 and ARM 64 to silence the linker.
1255
1256         * llint/LowLevelInterpreter.cpp:
1257
1258 2014-05-02  Mark Hahnenberg  <mhahnenberg@apple.com>
1259
1260         Fix cloop build after r168178
1261
1262         * bytecode/CodeBlock.cpp:
1263
1264 2014-05-01  Mark Hahnenberg  <mhahnenberg@apple.com>
1265
1266         Add a DFG function whitelist
1267         https://bugs.webkit.org/show_bug.cgi?id=132437
1268
1269         Reviewed by Geoffrey Garen.
1270
1271         Oftentimes when debugging, using bytecode ranges isn't enough to narrow down to the
1272         particular DFG block that's causing issues. This patch adds the ability to whitelist
1273         specific functions specified in a file to enable further filtering without having to recompile.
1274
1275         * CMakeLists.txt:
1276         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1277         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1278         * JavaScriptCore.xcodeproj/project.pbxproj:
1279         * dfg/DFGCapabilities.cpp:
1280         (JSC::DFG::isSupported):
1281         (JSC::DFG::mightInlineFunctionForCall):
1282         (JSC::DFG::mightInlineFunctionForClosureCall):
1283         (JSC::DFG::mightInlineFunctionForConstruct):
1284         * dfg/DFGFunctionWhitelist.cpp: Added.
1285         (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
1286         (JSC::DFG::FunctionWhitelist::FunctionWhitelist):
1287         (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
1288         (JSC::DFG::FunctionWhitelist::contains):
1289         * dfg/DFGFunctionWhitelist.h: Added.
1290         * runtime/Options.cpp:
1291         (JSC::parse):
1292         (JSC::Options::dumpOption):
1293         * runtime/Options.h:
1294
1295 2014-05-02  Filip Pizlo  <fpizlo@apple.com>
1296
1297         DFGAbstractInterpreter should not claim Int52 arithmetic creates Int52s
1298         https://bugs.webkit.org/show_bug.cgi?id=132446
1299
1300         Reviewed by Mark Hahnenberg.
1301
1302         Basically any arithmetic operation can turn an Int52 into an Int32 or vice-versa, and
1303         our modeling of Int52Rep nodes is such that they can have either Int32 or Int52 type
1304         to indicate a bound on the value. This is useful for knowing, for example, that
1305         Int52Rep(Int32:) returns a value that cannot be outside the Int32 range. Also,
1306         ValueRep(Int52Rep:) uses this to determine whether it may return a double or an int.
1307         But this means that all arithmetic operations must be careful to note that they may
1308         turn Int32 inputs into an Int52 output or vice-versa, as these new tests show.
1309
1310         * dfg/DFGAbstractInterpreterInlines.h:
1311         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1312         * dfg/DFGByteCodeParser.cpp:
1313         (JSC::DFG::ByteCodeParser::makeSafe):
1314         * tests/stress/int52-ai-add-then-filter-int32.js: Added.
1315         (foo):
1316         * tests/stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js: Added.
1317         (foo):
1318         * tests/stress/int52-ai-mul-then-filter-int32-directly.js: Added.
1319         (foo):
1320         * tests/stress/int52-ai-mul-then-filter-int32.js: Added.
1321         (foo):
1322         * tests/stress/int52-ai-neg-then-filter-int32.js: Added.
1323         (foo):
1324         * tests/stress/int52-ai-sub-then-filter-int32.js: Added.
1325         (foo):
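
The point of the entry above, that arithmetic can move a value between the Int32 and Int52 ranges in either direction so an abstract interpreter must not assume an Int52 operation yields an Int52, can be checked with a small interval domain. This is an added example and not DFGAbstractInterpreter: Interval, possibleTypes, the TypeBits flags and the intervalAdd/Sub/Neg/Mul helpers are this example's own constructions, and int52OnlyRange() is a constructed operand with no Int32 values in it. Each demo function mirrors one of the new test names (add, sub, neg and mul followed by an Int32 filter) and returns the set of representations the result can need.

```cpp
#include <algorithm>
#include <cstdint>

// Constructed interval domain (not JSC's AbstractValue). Bounds are exact int64
// for add/sub/neg; mul uses long double so corner products beyond 2^63 cannot overflow.
constexpr int64_t kInt32Min = -(int64_t(1) << 31);
constexpr int64_t kInt32Max = (int64_t(1) << 31) - 1;
constexpr int64_t kInt52Min = -(int64_t(1) << 51);
constexpr int64_t kInt52Max = (int64_t(1) << 51) - 1;

struct Interval { int64_t lo, hi; }; // closed range of integer values a node may produce

enum TypeBits : unsigned {
    Int32Bit      = 1, // some values fit a 32-bit int
    Int52OnlyBit  = 2, // some values need Int52 (outside Int32, inside Int52)
    OutOfInt52Bit = 4  // some values do not fit Int52 at all (need a double)
};

// The widening the entry above calls for: report every representation the interval can reach.
unsigned possibleTypes(Interval v) {
    unsigned bits = 0;
    if (v.hi >= kInt32Min && v.lo <= kInt32Max) bits |= Int32Bit;
    if ((v.lo < kInt32Min && v.hi >= kInt52Min) || (v.hi > kInt32Max && v.lo <= kInt52Max)) bits |= Int52OnlyBit;
    if (v.lo < kInt52Min || v.hi > kInt52Max) bits |= OutOfInt52Bit;
    return bits;
}

// The over-narrow rule being fixed: "an Int52 operation yields an Int52", whatever the bounds.
unsigned naiveInt52ResultTypes(Interval) { return Int52OnlyBit; }

Interval intervalAdd(Interval a, Interval b) { return { a.lo + b.lo, a.hi + b.hi }; }
Interval intervalSub(Interval a, Interval b) { return { a.lo - b.hi, a.hi - b.lo }; }
Interval intervalNeg(Interval a) { return { -a.hi, -a.lo }; }

static int64_t saturate(long double x) {
    const long double limit = 9.0e18L; // inside int64, far beyond the Int52 range
    if (x > limit) x = limit;
    if (x < -limit) x = -limit;
    return static_cast<int64_t>(x);
}

Interval intervalMul(Interval a, Interval b) {
    long double p[4] = { (long double)a.lo * b.lo, (long double)a.lo * b.hi,
                         (long double)a.hi * b.lo, (long double)a.hi * b.hi };
    long double lo = *std::min_element(p, p + 4), hi = *std::max_element(p, p + 4);
    return { saturate(lo), saturate(hi) };
}

Interval int32Range() { return { kInt32Min, kInt32Max }; }
Interval int52OnlyRange() { return { int64_t(1) << 40, int64_t(1) << 41 }; } // constructed: no Int32 values

// Add of two Int32 inputs: the output may need Int52, so an Int32 filter after it stays reachable.
unsigned typesOfInt32PlusInt32() { return possibleTypes(intervalAdd(int32Range(), int32Range())); }
// Sub of two Int52-only inputs can land back in Int32 (x - x == 0 is in range).
unsigned typesOfInt52MinusInt52() { return possibleTypes(intervalSub(int52OnlyRange(), int52OnlyRange())); }
// Neg of an Int52-only value: negating 2^31 gives exactly Int32Min, a pure Int32.
unsigned typesOfNegInt52() { return possibleTypes(intervalNeg({ kInt32Max + 1, kInt32Max + 1 })); }
// Mul of two Int32 inputs: 2^31 * 2^31 exceeds Int52, so a double result is possible too.
unsigned typesOfInt32TimesInt32() { return possibleTypes(intervalMul(int32Range(), int32Range())); }

int main() {
    // The naive rule drops Int32Bit in the Int52 - Int52 case; the interval rule keeps it.
    bool ok = (typesOfInt52MinusInt52() & Int32Bit) && !(naiveInt52ResultTypes(int52OnlyRange()) & Int32Bit);
    return ok ? 0 : 1;
}
```

A result type that is too narrow is not a performance detail: a later Int32 filter that the interpreter believes is unreachable is exactly the kind of dropped check that lets a JIT operate on a value in the wrong representation.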
1326
1327 2014-05-01  Geoffrey Garen  <ggaren@apple.com>
1328
1329         JavaScriptCore fails to build with some versions of clang
1330         https://bugs.webkit.org/show_bug.cgi?id=132436
1331
1332         Reviewed by Anders Carlsson.
1333
1334         * runtime/ArgumentsIteratorConstructor.cpp: Since we call
1335         putDirectWithoutTransition, and it calls putWillGrowOutOfLineStorage,
1336         and both are marked inline, it's valid for the compiler to decide
1337         to inline both and emit neither in the binary. Therefore, we need
1338         both inline definitions to be available in the translation unit at
1339         compile time, or we'll try to link against a function that doesn't exist.
1340
1341 2014-05-01  Commit Queue  <commit-queue@webkit.org>
1342
1343         Unreviewed, rolling out r167964.
1344         https://bugs.webkit.org/show_bug.cgi?id=132431
1345
1346         Memory improvements should not regress memory usage (Requested
1347         by olliej on #webkit).
1348
1349         Reverted changeset:
1350
1351         "Don't hold on to parameter BindingNodes forever"
1352         https://bugs.webkit.org/show_bug.cgi?id=132360
1353         http://trac.webkit.org/changeset/167964
1354
1355 2014-05-01  Filip Pizlo  <fpizlo@apple.com>
1356
1357         Fix trivial debug-only race-that-crashes in CallLinkStatus and explain why the remaining races are totally awesome
1358         https://bugs.webkit.org/show_bug.cgi?id=132427
1359
1360         Reviewed by Mark Hahnenberg.
1361
1362         * bytecode/CallLinkStatus.cpp:
1363         (JSC::CallLinkStatus::computeFor):
1364
1365 2014-04-30  Simon Fraser  <simon.fraser@apple.com>
1366
1367         Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO
1368         https://bugs.webkit.org/show_bug.cgi?id=132396
1369
1370         Reviewed by Eric Carlson.
1371
1372         Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO and related code.
1373
1374         * Configurations/FeatureDefines.xcconfig:
1375
1376 2014-04-30  Filip Pizlo  <fpizlo@apple.com>
1377
1378         Argument flush formats should not be presumed to be JSValue since 'this' is weird
1379         https://bugs.webkit.org/show_bug.cgi?id=132404
1380
1381         Reviewed by Michael Saboff.
1382
1383         * dfg/DFGSpeculativeJIT.cpp:
1384         (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Don't assume that arguments are flushed as JSValue. Use the logic for locals instead.
1385         * dfg/DFGSpeculativeJIT32_64.cpp:
1386         (JSC::DFG::SpeculativeJIT::compile): SetArgument "changes" the format because before this we wouldn't know we had arguments.
1387         * dfg/DFGSpeculativeJIT64.cpp:
1388         (JSC::DFG::SpeculativeJIT::compile): Ditto.
1389         * dfg/DFGValueSource.cpp:
1390         (JSC::DFG::ValueSource::dumpInContext): Make this easier to dump.
1391         * dfg/DFGValueSource.h:
1392         (JSC::DFG::ValueSource::operator!): Make this easier to dump because Operands<T> uses T::operator!().
1393         * ftl/FTLOSREntry.cpp:
1394         (JSC::FTL::prepareOSREntry): This had a useful assertion for everything except 'this'.
1395         * tests/stress/strict-to-this-int.js: Added.
1396         (foo):
1397         (Number.prototype.valueOf):
1398         (test):
1399
1400 2014-04-29  Oliver Hunt  <oliver@apple.com>
1401
1402         Don't hold on to parameterBindingNodes forever
1403         https://bugs.webkit.org/show_bug.cgi?id=132360
1404
1405         Reviewed by Geoffrey Garen.
1406
1407         Don't keep the parameter nodes anymore. Instead we store the
1408         original parameter string and reparse whenever we actually
1409         need them. Because we only actually need them for compilation
1410         this only results in a single extra parse.
1411
1412         * bytecode/UnlinkedCodeBlock.cpp:
1413         (JSC::generateFunctionCodeBlock):
1414         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1415         (JSC::UnlinkedFunctionExecutable::visitChildren):
1416         (JSC::UnlinkedFunctionExecutable::finishCreation):
1417         (JSC::UnlinkedFunctionExecutable::paramString):
1418         (JSC::UnlinkedFunctionExecutable::parameters):
1419         (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
1420         * bytecode/UnlinkedCodeBlock.h:
1421         (JSC::UnlinkedFunctionExecutable::create):
1422         (JSC::UnlinkedFunctionExecutable::parameterCount):
1423         (JSC::UnlinkedFunctionExecutable::parameters): Deleted.
1424         (JSC::UnlinkedFunctionExecutable::finishCreation): Deleted.
1425         * parser/ASTBuilder.h:
1426         (JSC::ASTBuilder::ASTBuilder):
1427         (JSC::ASTBuilder::setFunctionBodyParameters):
1428         * parser/Nodes.h:
1429         (JSC::FunctionBodyNode::parametersStartOffset):
1430         (JSC::FunctionBodyNode::parametersEndOffset):
1431         (JSC::FunctionBodyNode::setParameterLocation):
1432         * parser/Parser.cpp:
1433         (JSC::Parser<LexerType>::parseFunctionInfo):
1434         (JSC::parseParameters):
1435         * parser/Parser.h:
1436         (JSC::parse):
1437         * parser/SourceCode.h:
1438         (JSC::SourceCode::subExpression):
1439         * parser/SyntaxChecker.h:
1440         (JSC::SyntaxChecker::setFunctionBodyParameters):
1441
1442 2014-04-29  Mark Hahnenberg  <mhahnenberg@apple.com>
1443
1444         JSProxies should be cacheable
1445         https://bugs.webkit.org/show_bug.cgi?id=132351
1446
1447         Reviewed by Geoffrey Garen.
1448
1449         Whenever we encounter a proxy in an inline cache we should try to cache on the
1450         proxy's target instead of giving up.
1451
1452         This patch adds support for a simple "recursive" inline cache if the base object
1453         we're accessing is a pure forwarding proxy. JSGlobalObject and its subclasses
1454         are the only ones to benefit from this right now.
1455
1456         This is performance neutral on the benchmarks we track. Currently we won't
1457         cache on JSDOMWindow due to HasImpureGetOwnPropertySlot, but this issue will be fixed soon.
1458
1459         * jit/Repatch.cpp:
1460         (JSC::generateByIdStub):
1461         (JSC::tryBuildGetByIDList):
1462         (JSC::tryCachePutByID):
1463         (JSC::tryBuildPutByIdList):
1464         * jsc.cpp:
1465         (GlobalObject::finishCreation):
1466         (functionCreateProxy):
1467         * runtime/IntendedStructureChain.cpp:
1468         (JSC::IntendedStructureChain::isNormalized):
1469         * runtime/JSCellInlines.h:
1470         (JSC::JSCell::isProxy):
1471         * runtime/JSGlobalObject.h:
1472         (JSC::JSGlobalObject::finishCreation):
1473         * runtime/JSProxy.h:
1474         (JSC::JSProxy::createStructure):
1475         (JSC::JSProxy::targetOffset):
1476         * runtime/JSType.h:
1477         * runtime/Operations.h:
1478         (JSC::isPrototypeChainNormalized):
1479         * runtime/Structure.h:
1480         (JSC::Structure::isProxy):
1481         * tests/stress/proxy-inline-cache.js: Added.
1482         (cacheOnTarget.getX):
1483         (cacheOnTarget):
1484         (cacheOnPrototypeOfTarget.getX):
1485         (cacheOnPrototypeOfTarget):
1486         (dontCacheOnProxyInPrototypeChain.getX):
1487         (dontCacheOnProxyInPrototypeChain):
1488         (dontCacheOnTargetOfProxyInPrototypeChainOfTarget.getX):
1489         (dontCacheOnTargetOfProxyInPrototypeChainOfTarget):
1490
1491 2014-04-29  Filip Pizlo  <fpizlo@apple.com>
1492
1493         Use LLVM as a backend for the fourth-tier DFG JIT (a.k.a. the FTL JIT)
1494         https://bugs.webkit.org/show_bug.cgi?id=112840
1495
1496         Rubber stamped by Geoffrey Garen.
1497
1498         * Configurations/FeatureDefines.xcconfig:
1499
1500 2014-04-29  Geoffrey Garen  <ggaren@apple.com>
1501
1502         String.prototype.trim removes U+200B from strings.
1503         https://bugs.webkit.org/show_bug.cgi?id=130184
1504
1505         Reviewed by Michael Saboff.
1506
1507         * runtime/StringPrototype.cpp:
1508         (JSC::trimString):
1509         (JSC::isTrimWhitespace): Deleted.
1510
1511 2014-04-29  Mark Lam  <mark.lam@apple.com>
1512
1513         Zombifying sweep should ignore retired blocks.
1514         <https://webkit.org/b/132344>
1515
1516         Reviewed by Mark Hahnenberg.
1517
1518         By definition, retired blocks do not have "dead" objects, or at least
1519         none that we know of yet until the next marking phase has been run
1520         over them.  So, we should not be sweeping them (even for zombie mode).
1521
1522         * heap/Heap.cpp:
1523         (JSC::Heap::zombifyDeadObjects):
1524         * heap/MarkedSpace.cpp:
1525         (JSC::MarkedSpace::zombifySweep):
1526         * heap/MarkedSpace.h:
1527         (JSC::ZombifySweep::operator()):
1528
1529 2014-04-29  Mark Lam  <mark.lam@apple.com>
1530
1531         Fix bit rot in zombie mode heap code.
1532         <https://webkit.org/b/132342>
1533
1534         Reviewed by Mark Hahnenberg.
1535
1536         Need to enter a DelayedReleaseScope before doing a sweep.
1537
1538         * heap/Heap.cpp:
1539         (JSC::Heap::zombifyDeadObjects):
1540
1541 2014-04-29  Tomas Popela  <tpopela@redhat.com>
1542
1543         LLINT loadisFromInstruction doesn't need special case for big endians
1544         https://bugs.webkit.org/show_bug.cgi?id=132330
1545
1546         Reviewed by Mark Lam.
1547
1548         The change introduced in r167076 was wrong. We should not apply the offset
1549         adjustment on loadisFromInstruction usage as the instruction
1550         (UnlinkedInstruction) is declared as a union (i.e. with the int32_t
1551         operand variable). The offset of the other union members will be the
1552         same as the offset of the first one, that is 0. The behavior here is the
1553         same on little and big endian architectures. Thus we don't need
1554         a special case for big endians.
1555
1556         * llint/LowLevelInterpreter.asm:
1557
1558 2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>
1559
1560         Simplify tryCacheGetById
1561         https://bugs.webkit.org/show_bug.cgi?id=132314
1562
1563         Reviewed by Oliver Hunt and Filip Pizlo.
1564
1565         This is neutral across all benchmarks we track, although it looks like a wee 0.5% progression on sunspider.
1566
1567         * jit/Repatch.cpp:
1568         (JSC::tryCacheGetByID): If we fail to cache on self, we just repatch to call tryBuildGetByIDList next time.
1569
1570 2014-04-28  Michael Saboff  <msaboff@apple.com>
1571
1572         REGRESSION(r153142) ASSERT from CodeBlock::dumpBytecode dumping String Switch Jump Tables
1573         https://bugs.webkit.org/show_bug.cgi?id=132315
1574
1575         Reviewed by Mark Hahnenberg.
1576
1577         Used the StringImpl version of utf8() instead of creating a String first.
1578
1579         * bytecode/CodeBlock.cpp:
1580         (JSC::CodeBlock::dumpBytecode):
1581
1582 2014-04-28  Filip Pizlo  <fpizlo@apple.com>
1583
1584         The LLInt is awesome and it should get more of the action.
1585
1586         Rubber stamped by Geoffrey Garen.
1587         
1588         5% speed-up on JSBench and no meaningful regressions.  Should be a PLT/DYE speed-up also.
1589
1590         * runtime/Options.h:
1591
1592 2014-04-27  Filip Pizlo  <fpizlo@apple.com>
1593
1594         GC should be able to remove things from the DFG worklist and cancel on-going compilations if it knows that the compilation would already be invalidated
1595         https://bugs.webkit.org/show_bug.cgi?id=132166
1596
1597         Reviewed by Oliver Hunt and Mark Hahnenberg.
1598         
1599         The GC can aid type inference by removing structures that are dead and jettisoning
1600         code that relies on those structures. This can dramatically accelerate type inference
1601         for some tricky programs.
1602         
1603         Unfortunately, we previously pinned any structures that enqueued compilations depended
1604         on. This means that if you're on a machine that only runs a single compilation thread
1605         and where compilations are relatively slow, you have a high chance of large numbers of
1606         structures being pinned during any GC since the compilation queue is likely to be full
1607         of random stuff.
1608         
1609         This comprehensively fixes this issue by allowing the GC to remove compilation plans
1610         if the things they depend on are dead, and to even cancel safepointed compilations.
1611         
1612         * bytecode/CodeBlock.cpp:
1613         (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
1614         (JSC::CodeBlock::isKnownToBeLiveDuringGC):
1615         (JSC::CodeBlock::finalizeUnconditionally):
1616         * bytecode/CodeBlock.h:
1617         (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan): Deleted.
1618         * dfg/DFGDesiredIdentifiers.cpp:
1619         (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
1620         * dfg/DFGDesiredIdentifiers.h:
1621         * dfg/DFGDesiredWatchpoints.h:
1622         * dfg/DFGDesiredWeakReferences.cpp:
1623         (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
1624         * dfg/DFGDesiredWeakReferences.h:
1625         * dfg/DFGGraphSafepoint.cpp:
1626         (JSC::DFG::GraphSafepoint::GraphSafepoint):
1627         * dfg/DFGGraphSafepoint.h:
1628         * dfg/DFGPlan.cpp:
1629         (JSC::DFG::Plan::Plan):
1630         (JSC::DFG::Plan::compileInThread):
1631         (JSC::DFG::Plan::compileInThreadImpl):
1632         (JSC::DFG::Plan::notifyCompiling):
1633         (JSC::DFG::Plan::notifyCompiled):
1634         (JSC::DFG::Plan::notifyReady):
1635         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
1636         (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
1637         (JSC::DFG::Plan::cancel):
1638         (JSC::DFG::Plan::visitChildren): Deleted.
1639         * dfg/DFGPlan.h:
1640         * dfg/DFGSafepoint.cpp:
1641         (JSC::DFG::Safepoint::Result::~Result):
1642         (JSC::DFG::Safepoint::Result::didGetCancelled):
1643         (JSC::DFG::Safepoint::Safepoint):
1644         (JSC::DFG::Safepoint::~Safepoint):
1645         (JSC::DFG::Safepoint::checkLivenessAndVisitChildren):
1646         (JSC::DFG::Safepoint::isKnownToBeLiveDuringGC):
1647         (JSC::DFG::Safepoint::cancel):
1648         (JSC::DFG::Safepoint::visitChildren): Deleted.
1649         * dfg/DFGSafepoint.h:
1650         (JSC::DFG::Safepoint::Result::Result):
1651         * dfg/DFGWorklist.cpp:
1652         (JSC::DFG::Worklist::compilationState):
1653         (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
1654         (JSC::DFG::Worklist::removeAllReadyPlansForVM):
1655         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
1656         (JSC::DFG::Worklist::visitWeakReferences):
1657         (JSC::DFG::Worklist::removeDeadPlans):
1658         (JSC::DFG::Worklist::runThread):
1659         (JSC::DFG::Worklist::visitChildren): Deleted.
1660         * dfg/DFGWorklist.h:
1661         * ftl/FTLCompile.cpp:
1662         (JSC::FTL::compile):
1663         * ftl/FTLCompile.h:
1664         * heap/CodeBlockSet.cpp:
1665         (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
1666         * heap/Heap.cpp:
1667         (JSC::Heap::markRoots):
1668         (JSC::Heap::visitCompilerWorklistWeakReferences):
1669         (JSC::Heap::removeDeadCompilerWorklistEntries):
1670         (JSC::Heap::visitWeakHandles):
1671         (JSC::Heap::collect):
1672         (JSC::Heap::visitCompilerWorklists): Deleted.
1673         * heap/Heap.h:
1674
1675 2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>
1676
1677         Deleting properties poisons objects
1678         https://bugs.webkit.org/show_bug.cgi?id=131551
1679
1680         Reviewed by Oliver Hunt.
1681
1682         This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.
1683
1684         * runtime/JSPropertyNameIterator.cpp:
1685         (JSC::JSPropertyNameIterator::create):
1686         * runtime/PropertyMapHashTable.h:
1687         (JSC::PropertyTable::hasDeletedOffset):
1688         (JSC::PropertyTable::hadDeletedOffset): If we ever had deleted properties we can no longer cache offsets when 
1689         iterating properties because we're required to iterate properties in insertion order.
1690         * runtime/Structure.cpp:
1691         (JSC::Structure::Structure):
1692         (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
1693         (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of 
1694         Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache 
1695         delete transitions, but we allow transitioning from them.
1696         (JSC::Structure::changePrototypeTransition):
1697         (JSC::Structure::despecifyFunctionTransition):
1698         (JSC::Structure::attributeChangeTransition):
1699         (JSC::Structure::toDictionaryTransition):
1700         (JSC::Structure::preventExtensionsTransition):
1701         (JSC::Structure::addPropertyWithoutTransition):
1702         (JSC::Structure::removePropertyWithoutTransition):
1703         (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
1704         (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
1705         * runtime/Structure.h:
1706         * runtime/StructureInlines.h:
1707         (JSC::Structure::setEnumerationCache):
1708         (JSC::Structure::hadDeletedOffsets):
1709         (JSC::Structure::propertyTable):
1710         (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
1711         * tests/stress/for-in-after-delete.js: Added.
1712         (foo):
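
Added example (a constructed model, not JSC's PropertyTable or the for-in-after-delete.js test): a property table that hands out slot offsets, re-uses the offset of a deleted property for the next insertion, and records whether any delete ever happened. It shows why enumeration order cannot be derived from cached offsets once an offset has been re-used, which is the reason the entry above gives for hadDeletedOffset().

```javascript
"use strict";

// Constructed model of a property table. Names are mapped to storage
// offsets; deleted offsets go on a free list and are reused by the next
// insertion, exactly the situation in which offset order and insertion
// order diverge.
class PropertyTable {
  constructor() {
    this.entries = new Map(); // name -> offset; Map keeps insertion order
    this.freeOffsets = [];    // offsets released by remove(), reused first
    this.nextOffset = 0;
    this.hadDeletedOffset = false; // analogue of the entry's hadDeletedOffset()
  }

  add(name) {
    if (this.entries.has(name)) return this.entries.get(name);
    const offset = this.freeOffsets.length ? this.freeOffsets.pop()
                                           : this.nextOffset++;
    this.entries.set(name, offset);
    return offset;
  }

  remove(name) {
    const offset = this.entries.get(name);
    if (offset === undefined) return false;
    this.entries.delete(name);
    this.freeOffsets.push(offset);
    this.hadDeletedOffset = true; // sticky: a reuse may happen later
    return true;
  }

  // The order the language requires for for-in / Object.keys: insertion order.
  namesInInsertionOrder() {
    return [...this.entries.keys()];
  }

  // What an enumeration cache keyed on offsets would produce: ascending offset.
  namesInOffsetOrder() {
    return [...this.entries.entries()]
      .sort((a, b) => a[1] - b[1])
      .map(([name]) => name);
  }

  // Offset-ordered enumeration is only safe while no offset was ever reused.
  canCacheEnumerationByOffset() {
    return !this.hadDeletedOffset;
  }
}

// Worked run: add a, b, c; delete b; add d. d re-uses b's old offset (1),
// so offset order puts d before c while insertion order puts it last.
function demo() {
  const table = new PropertyTable();
  for (const name of ["a", "b", "c"]) table.add(name);
  table.remove("b");
  table.add("d");
  return {
    insertion: table.namesInInsertionOrder(),       // ["a", "c", "d"]
    byOffset: table.namesInOffsetOrder(),           // ["a", "d", "c"]
    cacheable: table.canCacheEnumerationByOffset(), // false
  };
}

// Same shape as the real engine behaviour the stress test checks.
const plain = { a: 1, b: 2, c: 3 };
delete plain.b;
plain.d = 4;
console.log(demo(), Object.keys(plain)); // keys: ["a", "c", "d"]
```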
1713
1714 2014-04-25  Andreas Kling  <akling@apple.com>
1715
1716         Inline (C++) GetByVal with numeric indices more aggressively.
1717         <https://webkit.org/b/132218>
1718
1719         We were already inlining the string indexed GetByVal path pretty well,
1720         while the path for numeric indices got neglected. No more!
1721
1722         ~9.5% improvement on Dromaeo/dom-traverse.html on my MBP:
1723
1724             Before: 199.50 runs/s
1725              After: 218.58 runs/s
1726
1727         Reviewed by Phil Pizlo.
1728
1729         * dfg/DFGOperations.cpp:
1730         * runtime/JSCJSValueInlines.h:
1731         (JSC::JSValue::get):
1732
1733             ALWAYS_INLINE all the things.
1734
1735         * runtime/JSObject.h:
1736         (JSC::JSObject::getPropertySlot):
1737
1738             Avoid fetching the Structure more than once. We have the same
1739             optimization in the string-indexed code path.
1740
1741 2014-04-25  Oliver Hunt  <oliver@apple.com>
1742
1743         Need earlier cell test
1744         https://bugs.webkit.org/show_bug.cgi?id=132211
1745
1746         Reviewed by Mark Lam.
1747
1748         Move cell test to before the function call repatch
1749         location, as the repatch logic for 32bit assumes that the
1750         caller will already have performed a cell check.
1751
1752         * jit/JITCall32_64.cpp:
1753         (JSC::JIT::compileOpCall):
1754
1755 2014-04-25  Andreas Kling  <akling@apple.com>
1756
1757         Un-fast-allocate JSGlobalObjectRareData because Windows doesn't build and I'm not in the mood.
1758
1759         * runtime/JSGlobalObject.h:
1760         (JSC::JSGlobalObject::JSGlobalObjectRareData::JSGlobalObjectRareData):
1761         (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData): Deleted.
1762
1763 2014-04-25  Andreas Kling  <akling@apple.com>
1764
1765         Windows build fix attempt.
1766
1767         * runtime/JSGlobalObject.h:
1768         (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData):
1769
1770 2014-04-25  Mark Lam  <mark.lam@apple.com>
1771
1772         Refactor debugging code to use BreakpointActions instead of Vector<ScriptBreakpointAction>.
1773         <https://webkit.org/b/132201>
1774
1775         Reviewed by Joseph Pecoraro.
1776
1777         BreakpointActions is Vector<ScriptBreakpointAction>.  Let's just consistently use
1778         BreakpointActions everywhere.
1779
1780         * inspector/ScriptBreakpoint.h:
1781         (Inspector::ScriptBreakpoint::ScriptBreakpoint):
1782         * inspector/ScriptDebugServer.cpp:
1783         (Inspector::ScriptDebugServer::setBreakpoint):
1784         (Inspector::ScriptDebugServer::getActionsForBreakpoint):
1785         * inspector/ScriptDebugServer.h:
1786         * inspector/agents/InspectorDebuggerAgent.cpp:
1787         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
1788         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1789         (Inspector::InspectorDebuggerAgent::setBreakpoint):
1790         (Inspector::InspectorDebuggerAgent::removeBreakpoint):
1791         * inspector/agents/InspectorDebuggerAgent.h:
1792
1793 2014-04-24  Filip Pizlo  <fpizlo@apple.com>
1794
1795         DFG worklist scanning should not treat the key as a separate entity
1796         https://bugs.webkit.org/show_bug.cgi?id=132167
1797
1798         Reviewed by Mark Hahnenberg.
1799         
1800         This simplifies the interface to the GC and will enable more optimizations.
1801
1802         * dfg/DFGCompilationKey.cpp:
1803         (JSC::DFG::CompilationKey::visitChildren): Deleted.
1804         * dfg/DFGCompilationKey.h:
1805         * dfg/DFGPlan.cpp:
1806         (JSC::DFG::Plan::visitChildren):
1807         * dfg/DFGWorklist.cpp:
1808         (JSC::DFG::Worklist::visitChildren):
1809
1810 2014-04-25  Oliver Hunt  <oliver@apple.com>
1811
1812         Remove unused parameter from codeblock linking function
1813         https://bugs.webkit.org/show_bug.cgi?id=132199
1814
1815         Reviewed by Anders Carlsson.
1816
1817         No change in behaviour. This is just a small change to make it
1818         slightly easier to reason about what the offsets in UnlinkedFunctionExecutable
1819         actually mean.
1820
1821         * bytecode/UnlinkedCodeBlock.cpp:
1822         (JSC::UnlinkedFunctionExecutable::link):
1823         * bytecode/UnlinkedCodeBlock.h:
1824         * runtime/Executable.cpp:
1825         (JSC::ProgramExecutable::initializeGlobalProperties):
1826
1827 2014-04-25  Andreas Kling  <akling@apple.com>
1828
1829         Mark some things with WTF_MAKE_FAST_ALLOCATED.
1830         <https://webkit.org/b/132198>
1831
1832         Use FastMalloc for more things.
1833
1834         Reviewed by Anders Carlsson.
1835
1836         * builtins/BuiltinExecutables.h:
1837         * heap/GCThreadSharedData.h:
1838         * inspector/JSConsoleClient.h:
1839         * inspector/agents/InspectorAgent.h:
1840         * runtime/CodeCache.h:
1841         * runtime/JSGlobalObject.h:
1842         * runtime/Lookup.cpp:
1843         (JSC::HashTable::createTable):
1844         (JSC::HashTable::deleteTable):
1845         * runtime/WeakGCMap.h:
1846
1847 2014-04-25  Antoine Quint  <graouts@webkit.org>
1848
1849         Implement Array.prototype.find()
1850         https://bugs.webkit.org/show_bug.cgi?id=130966
1851
1852         Reviewed by Oliver Hunt.
1853
1854         Implement Array.prototype.find() and Array.prototype.findIndex() as proposed in the Harmony spec.
1855
1856         * builtins/Array.prototype.js:
1857         (find):
1858         (findIndex):
1859         * runtime/ArrayPrototype.cpp:
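
Added example, not the builtins/Array.prototype.js code this entry adds: a spec-style implementation of Array.prototype.find() and findIndex() per the Harmony draft, showing the detail that distinguishes them from forEach/indexOf, namely that every index from 0 to length - 1 is visited, holes included, and that the predicate receives thisArg. toLength, findIndexImpl, arrayFind and arrayFindIndex are names chosen here.

```javascript
"use strict";

// ToLength as in the ES6 draft: NaN and negatives clamp to 0, large values
// clamp to 2^53 - 1. Generic array-likes rely on this, not on Array.length.
function toLength(value) {
  const len = Math.trunc(Number(value));
  if (Number.isNaN(len) || len <= 0) return 0;
  return Math.min(len, Number.MAX_SAFE_INTEGER);
}

// Shared loop for both builtins. Unlike forEach/indexOf there is no
// HasProperty check, so holes in sparse arrays are visited as undefined.
function findIndexImpl(thisValue, predicate, thisArg) {
  if (thisValue == null)
    throw new TypeError("Array.prototype.find called on null or undefined");
  const object = Object(thisValue);
  const length = toLength(object.length);
  if (typeof predicate !== "function")
    throw new TypeError("predicate is not a function");
  for (let index = 0; index < length; index++) {
    const element = object[index];
    if (predicate.call(thisArg, element, index, object))
      return index;
  }
  return -1;
}

// find: the first element for which the predicate is truthy, else undefined.
function arrayFind(array, predicate, thisArg) {
  const index = findIndexImpl(array, predicate, thisArg);
  return index === -1 ? undefined : Object(array)[index];
}

// findIndex: the index of that element, else -1.
function arrayFindIndex(array, predicate, thisArg) {
  return findIndexImpl(array, predicate, thisArg);
}

// Constructed inputs showing the hole-visiting behaviour and array-likes.
console.log(arrayFind([5, 12, 8, 130], x => x > 10));          // 12
console.log(arrayFindIndex([, 1], x => x === undefined));       // 0 (hole visited)
console.log([, 1].indexOf(undefined));                          // -1 (indexOf skips holes)
console.log(arrayFind({ length: 2, 0: "x", 1: "y" }, v => v === "y")); // "y"
```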
1860
1861 2014-04-24  Brady Eidson  <beidson@apple.com>
1862
1863         Rename "IMAGE_CONTROLS" feature to "SERVICE_CONTROLS"
1864         https://bugs.webkit.org/show_bug.cgi?id=132155
1865
1866         Reviewed by Tim Horton.
1867
1868         * Configurations/FeatureDefines.xcconfig:
1869
1870 2014-04-24  Michael Saboff  <msaboff@apple.com>
1871
1872         REGRESSION: Apparent hang of PCE.js Mac OS System 7.0.1 on ARM64 devices
1873         https://bugs.webkit.org/show_bug.cgi?id=132147
1874
1875         Reviewed by Mark Lam.
1876
1877         Fixed or64(), eor32() and eor64() to use "src" register when we have a valid logicalImm.
1878
1879         * assembler/MacroAssemblerARM64.h:
1880         (JSC::MacroAssemblerARM64::or64):
1881         (JSC::MacroAssemblerARM64::xor32):
1882         (JSC::MacroAssemblerARM64::xor64):
1883         * tests/stress/regress-132147.js: Added test.
1884
1885 2014-04-24  Mark Lam  <mark.lam@apple.com>
1886
1887         Make slowPathAllocsBetweenGCs a runtime option.
1888         <https://webkit.org/b/132137>
1889
1890         Reviewed by Mark Hahnenberg.
1891
1892         This will make it easier to more casually run tests with this configuration
1893         as well as to reproduce issues (instead of requiring a code mod and rebuild).
1894         We will now take --slowPathAllocsBetweenGCs=N where N is the number of
1895         slow path allocations before we trigger a collection.
1896
1897         The option defaults to 0, which is reserved to mean that we will not trigger
1898         any collections there.
1899
1900         * heap/Heap.h:
1901         * heap/MarkedAllocator.cpp:
1902         (JSC::MarkedAllocator::doTestCollectionsIfNeeded):
1903         (JSC::MarkedAllocator::allocateSlowCase):
1904         * heap/MarkedAllocator.h:
1905         * runtime/Options.h:
1906
1907 2014-04-23  Mark Lam  <mark.lam@apple.com>
1908
1909         The GC should only resume compiler threads that it suspended in the same GC pass.
1910         <https://webkit.org/b/132088>
1911
1912         Reviewed by Mark Hahnenberg.
1913
1914         Previously, this scenario could occur:
1915         1. Thread 1 starts a GC and tries to suspend DFG worklist threads.  However,
1916            no worklists were created yet at that time.
1917         2. Thread 2 starts to compile some functions and creates a DFG worklist, and
1918            acquires the worklist thread's lock.
1919         3. Thread 1's GC completes and tries to resume suspended DFG worklist thread.
1920            This time, it sees the worklist created by Thread 2 and ends up unlocking
1921            the worklist thread's lock that is supposedly held by Thread 2.
1922         Thereafter, chaos ensues.
1923
1924         The fix is to cache the worklists that were actually suspended by each GC pass,
1925         and only resume those when the GC is done.
1926
1927         This issue was discovered by enabling COLLECT_ON_EVERY_ALLOCATION and running
1928         the fast/workers layout tests.
1929
1930         * heap/Heap.cpp:
1931         (JSC::Heap::visitCompilerWorklists):
1932         (JSC::Heap::deleteAllCompiledCode):
1933         (JSC::Heap::suspendCompilerThreads):
1934         (JSC::Heap::resumeCompilerThreads):
1935         * heap/Heap.h:
1936
1937 2014-04-23  Mark Hahnenberg  <mhahnenberg@apple.com>
1938
1939         Arguments::copyBackingStore needs to update m_registers in tandem with m_registerArray
1940         https://bugs.webkit.org/show_bug.cgi?id=132079
1941
1942         Reviewed by Michael Saboff.
1943
1944         Since we're moving the register backing store, we don't want to leave a dangling pointer into a random CopiedBlock.
1945
1946         Also added a test that previously triggered this bug.
1947
1948         * runtime/Arguments.cpp:
1949         (JSC::Arguments::copyBackingStore): D'oh!
1950         * tests/stress/arguments-copy-register-array-backing-store.js: Added.
1951         (foo):
1952         (bar):
1953
1954 2014-04-23  Mark Rowe  <mrowe@apple.com>
1955
1956         [Mac] REGRESSION (r164823): Building JavaScriptCore creates files under /tmp/JavaScriptCore.dst
1957         <https://webkit.org/b/132053>
1958
1959         Reviewed by Dan Bernstein.
1960
1961         * JavaScriptCore.xcodeproj/project.pbxproj: Don't try to create a symlink at /usr/local/bin/jsc inside
1962         the DSTROOT unless we're building to the deployment location. Also remove the unnecessary -x argument
1963         from /bin/sh since that generates unnecessary output.
1964
1965 2014-04-22  Mark Lam  <mark.lam@apple.com>
1966
1967         DFG::Worklist should acquire the m_lock before iterating DFG plans.
1968         <https://webkit.org/b/132032>
1969
1970         Reviewed by Filip Pizlo.
1971
1972         Currently, there's a rightToRun mechanism that ensures that no compilation
1973         threads are running when the GC is iterating through the DFG worklists.
1974         However, this does not prevent a Worker thread from doing a DFG compilation
1975         and modifying the plans in the worklists thereby invalidating the plan
1976         iterator that the GC is using.  This patch fixes the issue by acquiring
1977         the worklist m_lock before iterating the worklist plans.
1978
1979         This issue was uncovered by running the fast/workers layout tests with
1980         COLLECT_ON_EVERY_ALLOCATION enabled.
1981
1982         * dfg/DFGWorklist.cpp:
1983         (JSC::DFG::Worklist::isActiveForVM):
1984         (JSC::DFG::Worklist::visitChildren):
1985
1986 2014-04-22  Brent Fulgham  <bfulgham@apple.com>
1987
1988         [Win] Support Python 2.7 in Cygwin
1989         https://bugs.webkit.org/show_bug.cgi?id=132023
1990
1991         Reviewed by Michael Saboff.
1992
1993         * DerivedSources.make: Use a conditional variable to define
1994         the path to Python/Perl.
1995
1996 2014-04-22  Filip Pizlo  <fpizlo@apple.com>
1997
1998         Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS
1999         https://bugs.webkit.org/show_bug.cgi?id=130867
2000         <rdar://problem/16432456> 
2001
2002         Reviewed by Mark Hahnenberg.
2003
2004         * Configurations/Base.xcconfig:
2005         * Configurations/LLVMForJSC.xcconfig:
2006
2007 2014-04-22  Alex Christensen  <achristensen@webkit.org>
2008
2009         [Win] Unreviewed build fix after my r167666.
2010
2011         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
2012         Added ../../../ again to include headers in Source/JavaScriptCore.
2013
2014 2014-04-22  Alex Christensen  <achristensen@webkit.org>
2015
2016         Removed old stdbool and inttypes headers.
2017         https://bugs.webkit.org/show_bug.cgi?id=131966
2018
2019         Reviewed by Brent Fulgham.
2020
2021         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
2022         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
2023         Removed references to os-win32 directory.
2024         * os-win32: Removed.
2025         * os-win32/inttypes.h: Removed.
2026         * os-win32/stdbool.h: Removed.
2027
2028 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
2029
2030         DFG::clobberize() should honestly admit that profiler and debugger nodes are effectful
2031         https://bugs.webkit.org/show_bug.cgi?id=131971
2032         <rdar://problem/16676511>
2033
2034         Reviewed by Mark Lam.
2035
2036         * dfg/DFGClobberize.h:
2037         (JSC::DFG::clobberize):
2038
2039 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
2040
2041         Switch statements that skip the baseline JIT should work
2042         https://bugs.webkit.org/show_bug.cgi?id=131965
2043
2044         Reviewed by Mark Hahnenberg.
2045
2046         * bytecode/JumpTable.h:
2047         (JSC::SimpleJumpTable::ensureCTITable):
2048         * dfg/DFGSpeculativeJIT.cpp:
2049         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2050         * jit/JITOpcodes.cpp:
2051         (JSC::JIT::emit_op_switch_imm):
2052         (JSC::JIT::emit_op_switch_char):
2053         * jit/JITOpcodes32_64.cpp:
2054         (JSC::JIT::emit_op_switch_imm):
2055         (JSC::JIT::emit_op_switch_char):
2056         * tests/stress/inline-llint-with-switch.js: Added.
2057         (foo):
2058         (bar):
2059         (test):
2060
2061 2014-04-21  Mark Hahnenberg  <mhahnenberg@apple.com>
2062
2063         Arguments objects shouldn't need a destructor
2064         https://bugs.webkit.org/show_bug.cgi?id=131899
2065
2066         Reviewed by Oliver Hunt.
2067
2068         This patch rids Arguments objects of their destructors. It does this by 
2069         switching their backing stores to use CopiedSpace rather than malloc memory.
2070
2071         * dfg/DFGSpeculativeJIT.cpp:
2072         (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Fix the code emitted for inline
2073         Arguments allocation so that it only emits an extra write for strict mode code rather
2074         than unconditionally.
2075         * heap/CopyToken.h: New CopyTokens for the two different types of Arguments backing stores.
2076         * runtime/Arguments.cpp:
2077         (JSC::Arguments::visitChildren): We need to tell the collector to copy the backing stores now.
2078         (JSC::Arguments::copyBackingStore): Do the actual copying of the backing stores.
2079         (JSC::Arguments::deletePropertyByIndex): Update all the accesses to SlowArgumentData and m_registerArray.
2080         (JSC::Arguments::deleteProperty):
2081         (JSC::Arguments::defineOwnProperty):
2082         (JSC::Arguments::allocateRegisterArray):
2083         (JSC::Arguments::tearOff):
2084         (JSC::Arguments::destroy): Deleted. We don't need the destructor any more.
2085         * runtime/Arguments.h:
2086         (JSC::Arguments::registerArraySizeInBytes):
2087         (JSC::Arguments::SlowArgumentData::SlowArgumentData): Switch SlowArgumentData to being allocated
2088         in CopiedSpace. Now the SlowArgumentData and its backing store are a single contiguous CopiedSpace
2089         allocation.
2090         (JSC::Arguments::SlowArgumentData::slowArguments):
2091         (JSC::Arguments::SlowArgumentData::bytecodeToMachineCaptureOffset):
2092         (JSC::Arguments::SlowArgumentData::setBytecodeToMachineCaptureOffset):
2093         (JSC::Arguments::SlowArgumentData::sizeForNumArguments):
2094         (JSC::Arguments::Arguments):
2095         (JSC::Arguments::allocateSlowArguments):
2096         (JSC::Arguments::tryDeleteArgument):
2097         (JSC::Arguments::isDeletedArgument):
2098         (JSC::Arguments::isArgument):
2099         (JSC::Arguments::argument):
2100         (JSC::Arguments::finishCreation):
2101         * runtime/SymbolTable.h:
2102
2103 2014-04-21  Eric Carlson  <eric.carlson@apple.com>
2104
2105         [Mac] implement WebKitDataCue
2106         https://bugs.webkit.org/show_bug.cgi?id=131799
2107
2108         Reviewed by Dean Jackson.
2109
2110         * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.
2111
2112 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
2113
2114         Unreviewed test gardening, run the repeat-out-of-bounds tests again.
2115
2116         * tests/stress/float32-repeat-out-of-bounds.js:
2117         * tests/stress/int8-repeat-out-of-bounds.js:
2118
2119 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
2120
2121         OSR exit should know about Int52 and Double constants
2122         https://bugs.webkit.org/show_bug.cgi?id=131945
2123
2124         Reviewed by Oliver Hunt.
2125         
2126         The DFG OSR exit machinery's ignorance would lead to some constants becoming
2127         jsUndefined() after OSR exit.
2128         
2129         The FTL OSR exit machinery's ignorance just meant that we would sometimes use a
2130         stackmap constant rather than baking the constant into the OSRExit data structure.
2131         So, not a big deal, but worth fixing.
2132         
2133         Also added some helpful hacks to jsc.cpp for testing such OSR exit pathologies.
2134
2135         * dfg/DFGByteCodeParser.cpp:
2136         (JSC::DFG::ByteCodeParser::handleIntrinsic):
2137         * dfg/DFGMinifiedNode.h:
2138         (JSC::DFG::belongsInMinifiedGraph):
2139         (JSC::DFG::MinifiedNode::hasConstantNumber):
2140         * ftl/FTLLowerDFGToLLVM.cpp:
2141         (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
2142         * jsc.cpp:
2143         (GlobalObject::finishCreation):
2144         (functionOtherFalse):
2145         (functionUndefined):
2146         * runtime/Intrinsic.h:
2147         * tests/stress/fold-to-double-constant-then-exit.js: Added.
2148         (foo):
2149         * tests/stress/fold-to-int52-constant-then-exit.js: Added.
2150         (foo):
2151
2152 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
2153
2154         Provide feedback when we encounter an unrecognized node in the FTL backend.
2155
2156         Rubber stamped by Alexey Proskuryakov.
2157
2158         * ftl/FTLLowerDFGToLLVM.cpp:
2159         (JSC::FTL::LowerDFGToLLVM::compileNode):
2160
2161 2014-04-21  Andreas Kling  <akling@apple.com>
2162
2163         Move the JSString cache from DOMWrapperWorld to VM.
2164         <https://webkit.org/b/131940>
2165
2166         Reviewed by Geoff Garen.
2167
2168         * runtime/VM.h:
2169
2170 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
2171
2172         Take block execution count estimates into account when voting double
2173         https://bugs.webkit.org/show_bug.cgi?id=131906
2174
2175         Reviewed by Geoffrey Garen.
2176         
2177         This was a drama in three acts.
2178         
2179         Act I: Slurp in BasicBlock::executionCount and use it as a weight when counting the
2180             number of uses of a variable that want double or non-double. Easy as pie. This
2181             gave me a huge speed-up on FloatMM and a huge slow-down on basically everything
2182             else.
2183         
2184         Act II: Realize that there were some programs where our previous double voting was
2185             just on the edge of disaster and making it more precise tipped it over. In
2186             particular, if you had an integer variable that would infrequently be used in a
2187             computation that resulted in a variable that was frequently used as an array index,
2188             the outer infrequentness would be the thing we'd use in the vote. So, an array
2189             index would become double. We fix this by reviving global backwards propagation
2190             and introducing the concept of ReallyWantsInt, which is used just for array
2191             indices. Any variable transitively flagged as ReallyWantsInt will never be forced
2192             double. We need that flag to be separate from UsedAsInt, since UsedAsInt needs to
2193             be set in bitops for RageConversion but using it for double forcing is too much.
2194             Basically, it's cheaper to have to convert a double to an int for a bitop than it
2195             is to convert a double to an int for an array index; also a variable being used as
2196             an array index is a much stronger hint that it ought to be an int. This recovered
2197             performance on everything except programs that used FTL OSR entry.
2198         
2199         Act III: Realize that OSR entrypoint creation creates blocks that have NaN execution
2200             count, which then completely pollutes the weighting - essentially all votes go
2201             NaN. Fix this with some surgical defenses. Basically, any client of execution
2202             counts should allow for them to be NaN and shouldn't completely fall off a cliff
2203             when it happens.
2204         
2205         This is awesome. 75% speed-up on FloatMM. 11% speed-up on audio-dft. This leads to
2206         7% speed-up on AsmBench and 2% speed-up on Kraken.
2207
2208         * CMakeLists.txt:
2209         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2210         * JavaScriptCore.xcodeproj/project.pbxproj:
2211         * dfg/DFGBackwardsPropagationPhase.cpp:
2212         (JSC::DFG::BackwardsPropagationPhase::run):
2213         (JSC::DFG::BackwardsPropagationPhase::propagate):
2214         * dfg/DFGGraph.cpp:
2215         (JSC::DFG::Graph::dumpBlockHeader):
2216         * dfg/DFGGraph.h:
2217         (JSC::DFG::Graph::voteNode):
2218         (JSC::DFG::Graph::voteChildren):
2219         * dfg/DFGNodeFlags.cpp:
2220         (JSC::DFG::dumpNodeFlags):
2221         * dfg/DFGNodeFlags.h:
2222         * dfg/DFGOSREntrypointCreationPhase.cpp:
2223         (JSC::DFG::OSREntrypointCreationPhase::run):
2224         * dfg/DFGPlan.cpp:
2225         (JSC::DFG::Plan::compileInThreadImpl):
2226         * dfg/DFGPredictionPropagationPhase.cpp:
2227         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
2228         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
2229         * dfg/DFGVariableAccessData.cpp: Added.
2230         (JSC::DFG::VariableAccessData::VariableAccessData):
2231         (JSC::DFG::VariableAccessData::mergeIsCaptured):
2232         (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox):
2233         (JSC::DFG::VariableAccessData::predict):
2234         (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction):
2235         (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
2236         (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
2237         (JSC::DFG::VariableAccessData::mergeDoubleFormatState):
2238         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
2239         (JSC::DFG::VariableAccessData::flushFormat):
2240         * dfg/DFGVariableAccessData.h:
2241         (JSC::DFG::VariableAccessData::vote):
2242         (JSC::DFG::VariableAccessData::VariableAccessData): Deleted.
2243         (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
2244         (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox): Deleted.
2245         (JSC::DFG::VariableAccessData::predict): Deleted.
2246         (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction): Deleted.
2247         (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote): Deleted.
2248         (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat): Deleted.
2249         (JSC::DFG::VariableAccessData::mergeDoubleFormatState): Deleted.
2250         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat): Deleted.
2251         (JSC::DFG::VariableAccessData::flushFormat): Deleted.
2252
2253 2014-04-21  Michael Saboff  <msaboff@apple.com>
2254
2255         REGRESSION(r167591): ARM64 and ARM traditional builds broken
2256         https://bugs.webkit.org/show_bug.cgi?id=131935
2257
2258         Reviewed by Mark Hahnenberg.
2259
2260         Added store8(TrustedImm32, MacroAssembler::Address) to the ARM traditional and ARM64
2261         macro assemblers.  Added a new test for the original patch.
2262
2263         * assembler/MacroAssemblerARM.h:
2264         (JSC::MacroAssemblerARM::store8):
2265         * assembler/MacroAssemblerARM64.h:
2266         (JSC::MacroAssemblerARM64::store8):
2267         * tests/stress/dfg-create-arguments-inline-alloc.js: New test.
2268
2269 2014-04-21  Mark Hahnenberg  <mhahnenberg@apple.com>
2270
2271         Inline allocate Arguments objects in the DFG
2272         https://bugs.webkit.org/show_bug.cgi?id=131897
2273
2274         Reviewed by Geoffrey Garen.
2275
2276         Many libraries/frameworks depend on the arguments object for overloaded API entry points. 
2277         This is the first step to making Arguments fast(er). We'll duplicate the logic in Arguments::create 
2278         for now and take the slow path for complicated cases like slow arguments, tearing off for strict mode, etc.
2279
2280         * dfg/DFGSpeculativeJIT.cpp:
2281         (JSC::DFG::SpeculativeJIT::emitAllocateArguments):
2282         * dfg/DFGSpeculativeJIT.h:
2283         (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
2284         * dfg/DFGSpeculativeJIT32_64.cpp:
2285         (JSC::DFG::SpeculativeJIT::compile):
2286         * dfg/DFGSpeculativeJIT64.cpp:
2287         (JSC::DFG::SpeculativeJIT::compile):
2288         * runtime/Arguments.h:
2289         (JSC::Arguments::offsetOfActivation):
2290         (JSC::Arguments::offsetOfOverrodeLength):
2291         (JSC::Arguments::offsetOfIsStrictMode):
2292         (JSC::Arguments::offsetOfRegisterArray):
2293         (JSC::Arguments::offsetOfCallee):
2294         (JSC::Arguments::allocationSize):
2295
2296 2014-04-20  Andreas Kling  <akling@apple.com>
2297
2298         Speed up jsStringWithCache() through WeakGCMap inlining.
2299         <https://webkit.org/b/131923>
2300
2301         Always inline WeakGCMap::add() but move the slow garbage collecting
2302         path out-of-line.
2303
2304         Reviewed by Darin Adler.
2305
2306         * runtime/WeakGCMap.h:
2307         (JSC::WeakGCMap::add):
2308         (JSC::WeakGCMap::gcMap):
2309
2310 2014-04-20  László Langó  <llango.u-szeged@partner.samsung.com>
2311
2312         JavaScriptCore: ARM build fix after r167094.
2313         https://bugs.webkit.org/show_bug.cgi?id=131612
2314
2315         Reviewed by Michael Saboff.
2316
2317         After r167094 there are many build errors on ARM like these:
2318
2319             /tmp/ccgtHRno.s:370: Error: invalid constant (425a) after fixup
2320             /tmp/ccgtHRno.s:374: Error: invalid constant (426e) after fixup
2321             /tmp/ccgtHRno.s:378: Error: invalid constant (4282) after fixup
2322             /tmp/ccgtHRno.s:382: Error: invalid constant (4296) after fixup
2323
2324         The problem is caused by wrongly generated assembly like:
2325             "\tmov r2, (" LOCAL_LABEL_STRING(llint_op_strcat) " - " LOCAL_LABEL_STRING(relativePCBase) ")\n" // /home/webkit/WebKit/Source/JavaScriptCore/llint/LowLevelInterpreter.asm:741
2326
2327         `mov` can only move an 8-bit immediate, but not every constant fits into 8 bits. Clang converts
2328         the mov to a single movw or a movw and a movt, depending on the immediate, but binutils doesn't.
2329         Add a new ARM-specific offline assembler instruction (`mvlbl`) for the following llint_entry
2330         use case: move rn, (label1-label2), which is translated to movw and movt.
2331
2332         * llint/LowLevelInterpreter.asm:
2333         * offlineasm/arm.rb:
2334         * offlineasm/instructions.rb:
2335
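The entry above mentions ARM's `mov` immediate limit only in passing. What follows is an added illustration, my own code and not part of WebKit or its offlineasm: it checks whether a 32-bit constant fits the ARM (A32) data-processing "modified immediate" form (an 8-bit value rotated right by an even amount), which is why binutils rejected constants such as 0x425a, and shows the movw/movt split that the new `mvlbl` instruction relies on. The function names are my own; the sample constants are the four from the binutils errors quoted above plus two encodable ones for contrast.

```cpp
#include <cstdint>
#include <cstdio>

// Rotate a 32-bit value right by n bits (n reduced mod 32).
uint32_t ror32(uint32_t v, unsigned n) {
    n &= 31;
    return n ? (v >> n) | (v << (32 - n)) : v;
}

// ARM (A32) data-processing instructions such as `mov rd, #imm` take a "modified
// immediate": an 8-bit value rotated right by an even amount in 0..30. Anything
// else must be built with movw/movt (or loaded from a literal pool).
bool isArmModifiedImmediate(uint32_t value) {
    for (unsigned rot = 0; rot < 32; rot += 2) {
        // Rotating left by rot brings the candidate 8-bit window to the bottom.
        uint32_t imm8 = ror32(value, (32 - rot) & 31) & 0xffu;
        if (ror32(imm8, rot) == value)
            return true;
    }
    return false;
}

// movw writes the low 16 bits (zero-extending the register); movt writes the high 16.
struct MovwMovt { uint32_t movw; uint32_t movt; };

MovwMovt splitForMovwMovt(uint32_t value) {
    return { value & 0xffffu, value >> 16 };
}

// A bare movw suffices when the high half is zero.
bool needsMovt(uint32_t value) { return (value >> 16) != 0; }

int main() {
    // Constructed sample set: the four constants from the binutils errors above,
    // plus two values that do fit a rotated 8-bit immediate.
    const uint32_t samples[] = { 0x425a, 0x426e, 0x4282, 0x4296, 0xff, 0xff000000 };
    for (uint32_t v : samples) {
        MovwMovt parts = splitForMovwMovt(v);
        std::printf("0x%08x: mov-encodable=%d movw=0x%04x movt=0x%04x%s\n",
            v, isArmModifiedImmediate(v), parts.movw, parts.movt,
            needsMovt(v) ? "" : " (movt not needed)");
    }
    return 0;
}
```

A label difference such as llint_op_strcat - relativePCBase is only known at fixup time, so the assembler cannot choose a rotation up front; emitting a movw/movt pair works for any 32-bit value, which is what makes the `mvlbl` translation safe regardless of how the label distances come out.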
2336 2014-04-20  Csaba Osztrogonác  <ossy@webkit.org>
2337
2338         [ARM] Unreviewed build fix after r167336.
2339
2340         * assembler/MacroAssemblerARM.h:
2341         (JSC::MacroAssemblerARM::branchAdd32):
2342
2343 2014-04-20  Commit Queue  <commit-queue@webkit.org>
2344
2345         Unreviewed, rolling out r167501.
2346         https://bugs.webkit.org/show_bug.cgi?id=131913
2347
2348         It broke DYEBench (Requested by mhahnenberg on #webkit).
2349
2350         Reverted changeset:
2351
2352         "Deleting properties poisons objects"
2353         https://bugs.webkit.org/show_bug.cgi?id=131551
2354         http://trac.webkit.org/changeset/167501
2355
2356 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
2357
2358         It should be OK to store new fields into objects that have no prototypes
2359         https://bugs.webkit.org/show_bug.cgi?id=131905
2360
2361         Reviewed by Mark Hahnenberg.
2362
2363         * dfg/DFGByteCodeParser.cpp:
2364         (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
2365         * tests/stress/put-by-id-transition-null-prototype.js: Added.
2366         (foo):
2367
2368 2014-04-19  Benjamin Poulain  <bpoulain@apple.com>
2369
2370         Make the CSS JIT compile for ARM64
2371         https://bugs.webkit.org/show_bug.cgi?id=131834
2372
2373         Reviewed by Gavin Barraclough.
2374
2375         Extend the ARM64 MacroAssembler to support the code generation required by
2376         the CSS JIT.
2377
2378         * assembler/MacroAssembler.h:
2379         * assembler/MacroAssemblerARM64.h:
2380         (JSC::MacroAssemblerARM64::addPtrNoFlags):
2381         (JSC::MacroAssemblerARM64::or32):
2382         (JSC::MacroAssemblerARM64::branchPtr):
2383         (JSC::MacroAssemblerARM64::test32):
2384         (JSC::MacroAssemblerARM64::branch):
2385         * assembler/MacroAssemblerX86Common.h:
2386         (JSC::MacroAssemblerX86Common::test32):
2387
2388 2014-04-19  Andreas Kling  <akling@apple.com>
2389
2390         Two little shortcuts to the JSType.
2391         <https://webkit.org/b/131896>
2392
2393         Tweak two sites that take the long road through JSCell::structure()->typeInfo()
2394         to look at data that's already in JSCell::type().
2395
2396         Reviewed by Darin Adler.
2397
2398         * runtime/NameInstance.h:
2399         (JSC::isName):
2400         * runtime/NumberPrototype.cpp:
2401         (JSC::toThisNumber):
2402
2403 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
2404
2405         Make it easier to check if an integer sum would overflow
2406         https://bugs.webkit.org/show_bug.cgi?id=131900
2407
2408         Reviewed by Darin Adler.
2409
2410         * dfg/DFGOperations.cpp:
2411         * runtime/Operations.h:
2412         (JSC::jsString):
2413
2414 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
2415
2416         Address some feedback on https://bugs.webkit.org/show_bug.cgi?id=130684.
2417
2418         * dfg/DFGOperations.cpp:
2419         * runtime/JSString.h:
2420         (JSC::JSRopeString::RopeBuilder::append):
2421
2422 2014-04-18  Mark Lam  <mark.lam@apple.com>
2423
2424         REGRESSION(r164205): WebKit crash @StructureIDTable::get.
2425         <https://webkit.org/b/130539>
2426
2427         Reviewed by Geoffrey Garen.
2428
2429         prepareOSREntry() prepares for OSR entry by first copying the local var
2430         values from the baseline frame to a scratch buffer, which is then used
2431         to fill in the locals in their new position in the DFG frame.  Unfortunately,
2432         prepareOSREntry() was using the DFG frame's frameRegisterCount as the frame
2433         size of the baseline frame.  As a result, some values of locals in the
2434         baseline frame were not saved off, and the DFG frame may get initialized
2435         with random content that happened to be in the uninitialized (and possibly
2436         unallocated) portions of the scratch buffer.
2437
2438         The fix is to use OSREntryData::m_expectedValues.numberOfLocals() as the
2439         number of locals in the baseline frame that we want to copy to the scratch
2440         buffer.
2441
2442         Note: osrEntryThunkGenerator() is expecting the DFG frameRegisterCount
2443         at offset 0 in the scratch buffer.  So, we continue to write that value
2444         there, not the baseline frame size.
2445
2446         * dfg/DFGOSREntry.cpp:
2447         (JSC::DFG::prepareOSREntry):
2448
2449 2014-04-18  Timothy Hatcher  <timothy@apple.com>
2450
2451         Web Inspector: Move InspectorProfilerAgent to JavaScriptCore
2452         https://bugs.webkit.org/show_bug.cgi?id=131673
2453
2454         Passes existing profiler and inspector tests.
2455
2456         Reviewed by Joseph Pecoraro.
2457
2458         * CMakeLists.txt:
2459         * DerivedSources.make:
2460         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2461         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2462         * JavaScriptCore.xcodeproj/project.pbxproj:
2463         * inspector/JSConsoleClient.cpp:
2464         (Inspector::JSConsoleClient::JSConsoleClient):
2465         (Inspector::JSConsoleClient::profile):
2466         (Inspector::JSConsoleClient::profileEnd):
2467         (Inspector::JSConsoleClient::count): Deleted.
2468         * inspector/JSConsoleClient.h:
2469         * inspector/JSGlobalObjectInspectorController.cpp:
2470         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2471         * inspector/agents/InspectorProfilerAgent.cpp: Added.
2472         (Inspector::InspectorProfilerAgent::InspectorProfilerAgent):
2473         (Inspector::InspectorProfilerAgent::~InspectorProfilerAgent):
2474         (Inspector::InspectorProfilerAgent::addProfile):
2475         (Inspector::InspectorProfilerAgent::createProfileHeader):
2476         (Inspector::InspectorProfilerAgent::enable):
2477         (Inspector::InspectorProfilerAgent::disable):
2478         (Inspector::InspectorProfilerAgent::getUserInitiatedProfileName):
2479         (Inspector::InspectorProfilerAgent::getProfileHeaders):
2480         (Inspector::buildInspectorObject):
2481         (Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
2482         (Inspector::InspectorProfilerAgent::getCPUProfile):
2483         (Inspector::InspectorProfilerAgent::removeProfile):
2484         (Inspector::InspectorProfilerAgent::reset):
2485         (Inspector::InspectorProfilerAgent::didCreateFrontendAndBackend):
2486         (Inspector::InspectorProfilerAgent::willDestroyFrontendAndBackend):
2487         (Inspector::InspectorProfilerAgent::start):
2488         (Inspector::InspectorProfilerAgent::stop):
2489         (Inspector::InspectorProfilerAgent::setRecordingProfile):
2490         (Inspector::InspectorProfilerAgent::startProfiling):
2491         (Inspector::InspectorProfilerAgent::stopProfiling):
2492         * inspector/agents/InspectorProfilerAgent.h: Added.
2493         * inspector/agents/JSGlobalObjectProfilerAgent.cpp: Copied from Source/WebCore/inspector/ScriptProfile.idl.
2494         (Inspector::JSGlobalObjectProfilerAgent::JSGlobalObjectProfilerAgent):
2495         (Inspector::JSGlobalObjectProfilerAgent::profilingGlobalExecState):
2496         * inspector/agents/JSGlobalObjectProfilerAgent.h: Copied from Source/WebCore/inspector/ScriptProfile.idl.
2497         * inspector/protocol/Profiler.json: Renamed from Source/WebCore/inspector/protocol/Profiler.json.
2498         * profiler/Profile.h:
2499         * runtime/ConsoleClient.h:
2500
2501 2014-04-18  Commit Queue  <commit-queue@webkit.org>
2502
2503         Unreviewed, rolling out r167527.
2504         https://bugs.webkit.org/show_bug.cgi?id=131883
2505
2506         Broke 32-bit build (Requested by ap on #webkit).
2507
2508         Reverted changeset:
2509
2510         "[Mac] implement WebKitDataCue"
2511         https://bugs.webkit.org/show_bug.cgi?id=131799
2512         http://trac.webkit.org/changeset/167527
2513
2514 2014-04-18  Eric Carlson  <eric.carlson@apple.com>
2515
2516         [Mac] implement WebKitDataCue
2517         https://bugs.webkit.org/show_bug.cgi?id=131799
2518
2519         Reviewed by Dean Jackson.
2520
2521         * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.
2522
2523 2014-04-18  Filip Pizlo  <fpizlo@apple.com>
2524
2525         Actually address Mark's review feedback.
2526
2527         * dfg/DFGOSRExitCompilerCommon.cpp:
2528         (JSC::DFG::handleExitCounts):
2529
2530 2014-04-18  Filip Pizlo  <fpizlo@apple.com>
2531
2532         Options::maximumExecutionCountsBetweenCheckpoints() should be higher for DFG->FTL tier-up but the same for other tier-ups
2533         https://bugs.webkit.org/show_bug.cgi?id=131850
2534
2535         Reviewed by Mark Hahnenberg.
2536         
2537         Templatize ExecutionCounter to allow for two different styles of calculating the
2538         checkpoint threshold.
2539         
2540         Appears to be a slight speed-up on DYEBench.
2541
2542         * bytecode/CodeBlock.h:
2543         (JSC::CodeBlock::llintExecuteCounter):
2544         (JSC::CodeBlock::offsetOfJITExecuteCounter):
2545         (JSC::CodeBlock::offsetOfJITExecutionActiveThreshold):
2546         (JSC::CodeBlock::offsetOfJITExecutionTotalCount):
2547         (JSC::CodeBlock::jitExecuteCounter):
2548         * bytecode/ExecutionCounter.cpp:
2549         (JSC::ExecutionCounter<countingVariant>::ExecutionCounter):
2550         (JSC::ExecutionCounter<countingVariant>::forceSlowPathConcurrently):
2551         (JSC::ExecutionCounter<countingVariant>::checkIfThresholdCrossedAndSet):
2552         (JSC::ExecutionCounter<countingVariant>::setNewThreshold):
2553         (JSC::ExecutionCounter<countingVariant>::deferIndefinitely):
2554         (JSC::applyMemoryUsageHeuristics):
2555         (JSC::applyMemoryUsageHeuristicsAndConvertToInt):
2556         (JSC::ExecutionCounter<countingVariant>::hasCrossedThreshold):
2557         (JSC::ExecutionCounter<countingVariant>::setThreshold):
2558         (JSC::ExecutionCounter<countingVariant>::reset):
2559         (JSC::ExecutionCounter<countingVariant>::dump):
2560         (JSC::ExecutionCounter::ExecutionCounter): Deleted.
2561         (JSC::ExecutionCounter::forceSlowPathConcurrently): Deleted.
2562         (JSC::ExecutionCounter::checkIfThresholdCrossedAndSet): Deleted.
2563         (JSC::ExecutionCounter::setNewThreshold): Deleted.
2564         (JSC::ExecutionCounter::deferIndefinitely): Deleted.
2565         (JSC::ExecutionCounter::applyMemoryUsageHeuristics): Deleted.
2566         (JSC::ExecutionCounter::applyMemoryUsageHeuristicsAndConvertToInt): Deleted.
2567         (JSC::ExecutionCounter::hasCrossedThreshold): Deleted.
2568         (JSC::ExecutionCounter::setThreshold): Deleted.
2569         (JSC::ExecutionCounter::reset): Deleted.
2570         (JSC::ExecutionCounter::dump): Deleted.
2571         * bytecode/ExecutionCounter.h:
2572         (JSC::formattedTotalExecutionCount):
2573         (JSC::ExecutionCounter::maximumExecutionCountsBetweenCheckpoints):
2574         (JSC::ExecutionCounter::clippedThreshold):
2575         (JSC::ExecutionCounter::formattedTotalCount): Deleted.
2576         * dfg/DFGJITCode.h:
2577         * dfg/DFGOSRExitCompilerCommon.cpp:
2578         (JSC::DFG::handleExitCounts):
2579         * llint/LowLevelInterpreter.asm:
2580         * runtime/Options.h:
2581
2582 2014-04-17  Mark Hahnenberg  <mhahnenberg@apple.com>
2583
2584         Deleting properties poisons objects
2585         https://bugs.webkit.org/show_bug.cgi?id=131551
2586
2587         Reviewed by Geoffrey Garen.
2588
2589         This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.
2590
2591         * runtime/Structure.cpp:
2592         (JSC::Structure::Structure):
2593         (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
2594         (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of 
2595         Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache 
2596         delete transitions, but we allow transitioning from them.
2597         (JSC::Structure::changePrototypeTransition):
2598         (JSC::Structure::despecifyFunctionTransition):
2599         (JSC::Structure::attributeChangeTransition):
2600         (JSC::Structure::toDictionaryTransition):
2601         (JSC::Structure::preventExtensionsTransition):
2602         (JSC::Structure::addPropertyWithoutTransition):
2603         (JSC::Structure::removePropertyWithoutTransition):
2604         (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
2605         (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
2606         * runtime/Structure.h:
2607         * runtime/StructureInlines.h:
2608         (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
2609
2610 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
2611
2612         InlineCallFrameSet should be refcounted
2613         https://bugs.webkit.org/show_bug.cgi?id=131829
2614
2615         Reviewed by Geoffrey Garen.
2616         
2617         And DFG::Plan should hold a ref to it. Previously it was owned by Graph until it
2618         became owned by JITCode. Except that if we're "failing" to compile, JITCode may die.
2619         Even as it dies, the GC may still want to scan the DFG::Plan, which leads to scanning
2620         the DesiredWriteBarriers, which leads to scanning the InlineCallFrameSet.
2621         
2622         So, just make the darn thing refcounted.
2623
2624         * bytecode/InlineCallFrameSet.h:
2625         * dfg/DFGArgumentsSimplificationPhase.cpp:
2626         (JSC::DFG::ArgumentsSimplificationPhase::run):
2627         * dfg/DFGByteCodeParser.cpp:
2628         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2629         * dfg/DFGCommonData.h:
2630         * dfg/DFGGraph.cpp:
2631         (JSC::DFG::Graph::Graph):
2632         (JSC::DFG::Graph::requiredRegisterCountForExit):
2633         * dfg/DFGGraph.h:
2634         * dfg/DFGJITCompiler.cpp:
2635         (JSC::DFG::JITCompiler::link):
2636         * dfg/DFGPlan.cpp:
2637         (JSC::DFG::Plan::Plan):
2638         * dfg/DFGPlan.h:
2639         * dfg/DFGStackLayoutPhase.cpp:
2640         (JSC::DFG::StackLayoutPhase::run):
2641         * ftl/FTLFail.cpp:
2642         (JSC::FTL::fail):
2643         * ftl/FTLLink.cpp:
2644         (JSC::FTL::link):
2645
2646 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
2647
2648         FTL::fail() should manage memory "correctly"
2649         https://bugs.webkit.org/show_bug.cgi?id=131823
2650         <rdar://problem/16384297>
2651
2652         Reviewed by Oliver Hunt.
2653
2654         * ftl/FTLFail.cpp:
2655         (JSC::FTL::fail):
2656
2657 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
2658
2659         Prediction propagator should correctly model Int52s flowing through arguments
2660         https://bugs.webkit.org/show_bug.cgi?id=131822
2661         <rdar://problem/16641408>
2662
2663         Reviewed by Oliver Hunt.
2664
2665         * dfg/DFGPredictionPropagationPhase.cpp:
2666         (JSC::DFG::PredictionPropagationPhase::propagate):
2667         * tests/stress/int52-argument.js: Added.
2668         (foo):
2669         * tests/stress/int52-variable.js: Added.
2670         (foo):
2671
2672 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
2673
2674         REGRESSION: ASSERT(!typeInfo().hasImpureGetOwnPropertySlot() || typeInfo().newImpurePropertyFiresWatchpoints()) on jquery tests
2675         https://bugs.webkit.org/show_bug.cgi?id=131798
2676
2677         Reviewed by Alexey Proskuryakov.
2678         
2679         Some day, we will fix https://bugs.webkit.org/show_bug.cgi?id=131810 and some version
2680         of this assertion can return. For now, it's not clear that the assertion is guarding
2681         any truly undesirable behavior - so it should just go away and be replaced with a
2682         FIXME.
2683
2684         * bytecode/GetByIdStatus.cpp:
2685         (JSC::GetByIdStatus::computeForStubInfo):
2686         * runtime/Structure.h:
2687         (JSC::Structure::takesSlowPathInDFGForImpureProperty):
2688
2689 2014-04-17  David Kilzer  <ddkilzer@apple.com>
2690
2691         Blind attempt to fix Windows build after r166837
2692         <http://webkit.org/b/131246>
2693
2694         Hoping to fix this build error:
2695
2696             warning MSB8027: Two or more files with the name of GCLogging.cpp will produce outputs to the same location. This can lead to an incorrect build result.  The files involved are ..\heap\GCLogging.cpp, ..\heap\GCLogging.cpp.
2697
2698         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Fix copy-paste
2699         boo-boo by changing the GCLogging.cpp ClCompile entry to a
2700         GCLogging.h ClInclude entry.
2701
2702 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
2703
2704         AI for GetLocal should match the DFG backend, and in this case, the best way to do that is to get rid of the "exit if empty prediction" thing since it's a vestige of a time long gone
2705         https://bugs.webkit.org/show_bug.cgi?id=131764
2706
2707         Reviewed by Geoffrey Garen.
2708         
2709         The attached test case can be made to not crash by deleting old code. It used to be
2710         the case that the DFG needed empty prediction guards, for shady reasons. We fixed that
2711         long ago. At this point, these guards just make life difficult. So get rid of them.
2712
2713         * dfg/DFGAbstractInterpreterInlines.h:
2714         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2715         * dfg/DFGSpeculativeJIT32_64.cpp:
2716         (JSC::DFG::SpeculativeJIT::compile):
2717         * dfg/DFGSpeculativeJIT64.cpp:
2718         (JSC::DFG::SpeculativeJIT::compile):
2719         * tests/stress/bug-131764.js: Added.
2720         (test1):
2721         (test2):
2722
2723 2014-04-17  Darin Adler  <darin@apple.com>
2724
2725         Add separate flag for IndexedDatabase in workers since the current implementation is not threadsafe
2726         https://bugs.webkit.org/show_bug.cgi?id=131785
2727         rdar://problem/16003108
2728
2729         Reviewed by Brady Eidson.
2730
2731         * Configurations/FeatureDefines.xcconfig: Added INDEXED_DATABASE_IN_WORKERS.
2732
2733 2014-04-16  Alexey Proskuryakov  <ap@apple.com>
2734
2735         Build fix after http://trac.webkit.org/changeset/167416 (Sink NaN sanitization)
2736
2737         * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::speculate):
2738
2739 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
2740
2741         Extra error reporting for invalid value conversions
2742         https://bugs.webkit.org/show_bug.cgi?id=131786
2743
2744         Rubber stamped by Ryosuke Niwa.
2745
2746         * dfg/DFGFixupPhase.cpp:
2747         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2748
2749 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
2750
2751         Sink NaN sanitization to uses and remove it when it's unnecessary
2752         https://bugs.webkit.org/show_bug.cgi?id=131419
2753
2754         Reviewed by Oliver Hunt.
2755         
2756         This moves NaN purification to stores that could see an impure NaN.
2757         
2758         5% speed-up on AsmBench, 50% speed-up on AsmBench/n-body. It is a regression on FloatMM
2759         though, because of the other bug that causes that benchmark to box doubles in a loop.
2760
2761         * bytecode/SpeculatedType.h:
2762         (JSC::isInt32SpeculationForArithmetic):
2763         (JSC::isMachineIntSpeculationForArithmetic):
2764         (JSC::isDoubleSpeculation):
2765         (JSC::isDoubleSpeculationForArithmetic):
2766         * dfg/DFGAbstractInterpreterInlines.h:
2767         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2768         * dfg/DFGAbstractValue.cpp:
2769         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
2770         * dfg/DFGFixupPhase.cpp:
2771         (JSC::DFG::FixupPhase::fixupNode):
2772         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2773         * dfg/DFGInPlaceAbstractState.cpp:
2774         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
2775         * dfg/DFGPredictionPropagationPhase.cpp:
2776         (JSC::DFG::PredictionPropagationPhase::propagate):
2777         * dfg/DFGSpeculativeJIT.cpp:
2778         (JSC::DFG::SpeculativeJIT::compileValueRep):
2779         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
2780         * dfg/DFGUseKind.h:
2781         (JSC::DFG::typeFilterFor):
2782         * ftl/FTLLowerDFGToLLVM.cpp:
2783         (JSC::FTL::LowerDFGToLLVM::compileValueRep):
2784         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2785         * runtime/PureNaN.h:
2786         * tests/stress/float32-array-nan-inlined.js: Added.
2787         (foo):
2788         (test):
2789         * tests/stress/float32-array-nan.js: Added.
2790         (foo):
2791         (test):
2792         * tests/stress/float64-array-nan-inlined.js: Added.
2793         (foo):
2794         (isBigEndian):
2795         (test):
2796         * tests/stress/float64-array-nan.js: Added.
2797         (foo):
2798         (isBigEndian):
2799         (test):
2800
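The entry above and the "Discern between NaNs" entry for bug 131420 below talk about pure and impure NaNs and the purifyNaN() API without showing what goes wrong if purification is skipped. The following is an added example, my own code and not JSC's: the boxing constants describe a simplified NaN-boxing model (doubles offset by 2^48, integer tag 0xFFFF in the top 16 bits, pointers with zero top bits) that I assume for illustration, not JSC's exact layout. It shows that a NaN whose payload bits came from raw memory, such as a Float64Array load, can collide with the integer or pointer tag once boxed, and that canonicalising the NaN first removes the collision.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Canonical ("pure") quiet NaN: positive sign, all-ones exponent, only the quiet bit set.
constexpr uint64_t kPureNaNBits = 0x7ff8000000000000ULL;

// Simplified NaN-boxing model (an assumption for illustration, not JSC's exact layout):
// a boxed double is its raw bits plus 2^48; a boxed value whose top 16 bits are 0xFFFF
// decodes as a tagged integer and one whose top 16 bits are 0x0000 decodes as a pointer.
constexpr uint64_t kDoubleEncodeOffset = 0x0001000000000000ULL;
constexpr uint64_t kTopBitsMask        = 0xFFFF000000000000ULL;

uint64_t bitsOf(double d) { uint64_t b; std::memcpy(&b, &d, sizeof b); return b; }
// Models a load from a Float64Array or any byte buffer: the stored bit pattern,
// payload included, is reproduced exactly.
double fromBits(uint64_t b) { double d; std::memcpy(&d, &b, sizeof d); return d; }

bool isPureNaN(double d)   { return bitsOf(d) == kPureNaNBits; }
bool isImpureNaN(double d) { return std::isnan(d) && !isPureNaN(d); }

// purifyNaN: collapse every NaN to the canonical pattern, leave non-NaNs untouched.
double purifyNaN(double d) { return std::isnan(d) ? fromBits(kPureNaNBits) : d; }

uint64_t boxDouble(double d) { return bitsOf(d) + kDoubleEncodeOffset; }
bool boxedLooksLikeInt(uint64_t boxed)     { return (boxed & kTopBitsMask) == kTopBitsMask; }
bool boxedLooksLikePointer(uint64_t boxed) { return (boxed & kTopBitsMask) == 0; }

// True when boxing d without purification yields a value that no longer decodes as a double.
bool boxingCollides(double d) {
    uint64_t boxed = boxDouble(d);
    return boxedLooksLikeInt(boxed) || boxedLooksLikePointer(boxed);
}

int main() {
    // Constructed NaN payloads as they might arrive from arbitrary bytes in a typed array.
    const uint64_t samples[] = {
        0xFFFE0000DEADBEEFULL,  // boxes to the integer tag range
        0xFFFF0000DEADBEEFULL,  // wraps around on boxing and looks like a pointer
        0x7FF80000000000FFULL,  // impure but harmless payload
        kPureNaNBits,
    };
    for (uint64_t bits : samples) {
        double d = fromBits(bits);
        double p = purifyNaN(d);
        std::printf("%016llx: nan=%d impure=%d collides=%d -> purified %016llx collides=%d\n",
            (unsigned long long)bits, (int)std::isnan(d), (int)isImpureNaN(d),
            (int)boxingCollides(d), (unsigned long long)bitsOf(p), (int)boxingCollides(p));
    }
    return 0;
}
```

The defensive point is the one the entry makes: purification is only needed at the places where an impure NaN can enter (raw loads from typed arrays and similar stores), and once a value is known to carry a pure NaN the check can be elided, which is what the speculation types added here let the compiler track.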
2801 2014-04-16  Brent Fulgham  <bfulgham@apple.com>
2802
2803         [Win] Unreviewed Windows gardening. Restrict our new 'isinf' check
2804         to 32-bit builds, and revise the comment to explain what we are
2805         doing.
2806
2807         * runtime/JSCJSValueInlines.h:
2808         (JSC::JSValue::isMachineInt): Provide motivation for the new
2809         'isinf' check for our 32-bit code path.
2810
2811 2014-04-16  Juergen Ributzka  <juergen@apple.com>
2812
2813         Allocate the data section on the heap again for FTL on ARM64
2814         https://bugs.webkit.org/show_bug.cgi?id=130156
2815
2816         Reviewed by Geoffrey Garen and Filip Pizlo.
2817
2818         * ftl/FTLCompile.cpp:
2819         (JSC::FTL::mmAllocateDataSection):
2820         * ftl/FTLDataSection.cpp:
2821         (JSC::FTL::DataSection::DataSection):
2822         (JSC::FTL::DataSection::~DataSection):
2823         * ftl/FTLDataSection.h:
2824
2825 2014-04-16  Mark Lam  <mark.lam@apple.com>
2826
2827         Crash in CodeBlock::setOptimizationThresholdBasedOnCompilationResult() when the debugger activates.
2828         <https://webkit.org/b/131747>
2829
2830         Reviewed by Filip Pizlo.
2831
2832         When the debugger is about to activate (e.g. enter stepping mode), it first
2833         waits for all DFG compilations to complete.  However, when the DFG completes,
2834         if compilation is successful, it will install a new DFG codeBlock.  The
2835         CodeBlock installation process is required to register codeBlocks with the
2836         debugger.  Debugger::registerCodeBlock() will eventually call
2837         CodeBlock::setSteppingMode() which may jettison the DFG codeBlock that we're
2838         trying to install.  Thereafter, chaos ensues.
2839
2840         This jettisoning only happens because the debugger currently sets its
2841         m_steppingMode flag before waiting for compilation to complete.  The fix is
2842         simply to set that flag only after compilation is complete.
2843
2844         * debugger/Debugger.cpp:
2845         (JSC::Debugger::setSteppingMode):
2846         (JSC::Debugger::registerCodeBlock):
2847
2848 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
2849
2850         Discern between NaNs that would be safe to tag and NaNs that need some purification before tagging
2851         https://bugs.webkit.org/show_bug.cgi?id=131420
2852
2853         Reviewed by Oliver Hunt.
2854         
2855         Rationalizes our handling of NaNs. We now have the notion of pureNaN(), or PNaN, which
2856         replaces QNaN and represents a "safe" NaN for our tagging purposes. NaN purification now
2857         goes through the purifyNaN() API.
2858         
2859         SpeculatedType and its clients can now distinguish between a PureNaN and an ImpureNaN.
2860         
2861         Prediction propagator is made slightly more cautious when dealing with NaNs. It doesn't
2862         have to be too cautious since most prediction-based logic only cares about whether or not
2863         a value could be an integer.
2864         
2865         AI is made much more cautious when dealing with NaNs. We don't yet introduce ImpureNaN
2866         anywhere in the compiler, but when we do, we ought to be able to trust AI to propagate it
2867         soundly and precisely.
2868         
2869         No performance change because this just unblocks
2870         https://bugs.webkit.org/show_bug.cgi?id=131419.
2871
2872         * API/JSValueRef.cpp:
2873         (JSValueMakeNumber):
2874         (JSValueToNumber):
2875         * JavaScriptCore.xcodeproj/project.pbxproj:
2876         * bytecode/SpeculatedType.cpp:
2877         (JSC::dumpSpeculation):
2878         (JSC::speculationFromValue):
2879         (JSC::typeOfDoubleSum):
2880         (JSC::typeOfDoubleDifference):
2881         (JSC::typeOfDoubleProduct):
2882         (JSC::polluteDouble):
2883         (JSC::typeOfDoubleQuotient):
2884         (JSC::typeOfDoubleMinMax):
2885         (JSC::typeOfDoubleNegation):
2886         (JSC::typeOfDoubleAbs):
2887         (JSC::typeOfDoubleFRound):
2888         (JSC::typeOfDoubleBinaryOp):
2889         (JSC::typeOfDoubleUnaryOp):
2890         * bytecode/SpeculatedType.h:
2891         * dfg/DFGAbstractInterpreterInlines.h:
2892         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2893         * dfg/DFGByteCodeParser.cpp:
2894         (JSC::DFG::ByteCodeParser::handleInlining):
2895         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2896         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
2897         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
2898         * dfg/DFGInPlaceAbstractState.cpp:
2899         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
2900         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
2901         (JSC::DFG::createPreHeader):
2902         * dfg/DFGNode.h:
2903         (JSC::DFG::BranchTarget::BranchTarget):
2904         * dfg/DFGOSREntrypointCreationPhase.cpp:
2905         (JSC::DFG::OSREntrypointCreationPhase::run):
2906         * dfg/DFGOSRExitCompiler32_64.cpp:
2907         (JSC::DFG::OSRExitCompiler::compileExit):
2908         * dfg/DFGOSRExitCompiler64.cpp:
2909         (JSC::DFG::OSRExitCompiler::compileExit):
2910         * dfg/DFGPredictionPropagationPhase.cpp:
2911         (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
2912         (JSC::DFG::PredictionPropagationPhase::propagate):
2913         * dfg/DFGSpeculativeJIT.cpp:
2914         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
2915         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
2916         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
2917         * dfg/DFGSpeculativeJIT32_64.cpp:
2918         (JSC::DFG::SpeculativeJIT::compile):
2919         * dfg/DFGSpeculativeJIT64.cpp:
2920         (JSC::DFG::SpeculativeJIT::compile):
2921         * dfg/DFGVariableAccessData.h:
2922         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
2923         * ftl/FTLLowerDFGToLLVM.cpp:
2924         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2925         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2926         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
2927         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
2928         (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
2929         (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
2930         (JSC::FTL::LowerDFGToLLVM::allocateJSArray):
2931         * ftl/FTLValueFormat.cpp:
2932         (JSC::FTL::reboxAccordingToFormat):
2933         * jit/AssemblyHelpers.cpp:
2934         (JSC::AssemblyHelpers::purifyNaN):
2935         (JSC::AssemblyHelpers::sanitizeDouble): Deleted.
2936         * jit/AssemblyHelpers.h:
2937         * jit/JITPropertyAccess.cpp:
2938         (JSC::JIT::emitFloatTypedArrayGetByVal):
2939         * runtime/DateConstructor.cpp:
2940         (JSC::constructDate):
2941         * runtime/DateInstanceCache.h:
2942         (JSC::DateInstanceData::DateInstanceData):
2943         (JSC::DateInstanceCache::reset):
2944         * runtime/ExceptionHelpers.cpp:
2945         (JSC::TerminatedExecutionError::defaultValue):
2946         * runtime/JSArray.cpp:
2947         (JSC::JSArray::setLength):
2948         (JSC::JSArray::pop):
2949         (JSC::JSArray::shiftCountWithAnyIndexingType):
2950         (JSC::JSArray::sortVector):
2951         (JSC::JSArray::compactForSorting):
2952         * runtime/JSArray.h:
2953         (JSC::JSArray::create):
2954         (JSC::JSArray::tryCreateUninitialized):
2955         * runtime/JSCJSValue.cpp:
2956         (JSC::JSValue::toNumberSlowCase):
2957         * runtime/JSCJSValue.h:
2958         * runtime/JSCJSValueInlines.h:
2959         (JSC::jsNaN):
2960         (JSC::JSValue::JSValue):
2961         (JSC::JSValue::getPrimitiveNumber):
2962         * runtime/JSGlobalObjectFunctions.cpp:
2963         (JSC::parseInt):
2964         (JSC::jsStrDecimalLiteral):
2965         (JSC::toDouble):
2966         (JSC::jsToNumber):
2967         (JSC::parseFloat):
2968         * runtime/JSObject.cpp:
2969         (JSC::JSObject::createInitialDouble):
2970         (JSC::JSObject::convertUndecidedToDouble):
2971         (JSC::JSObject::convertInt32ToDouble):
2972         (JSC::JSObject::deletePropertyByIndex):
2973         (JSC::JSObject::ensureLengthSlow):
2974         * runtime/MathObject.cpp:
2975         (JSC::mathProtoFuncMax):
2976         (JSC::mathProtoFuncMin):
2977         * runtime/PureNaN.h: Added.
2978         (JSC::pureNaN):
2979         (JSC::isImpureNaN):
2980         (JSC::purifyNaN):
2981         * runtime/TypedArrayAdaptors.h:
2982         (JSC::FloatTypedArrayAdaptor::toJSValue):
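
        The tagging hazard this entry guards against, as an added example that is not code from this ChangeLog or from JavaScriptCore: the JSValue encoding constants (2^48 double offset, 0xffff Int32 tag, 0x7ff8000000000000 pure NaN, 0xfffe000000000000 impure threshold) are reproduced from memory of the engine's headers and are assumptions; the sample NaN payload is constructed.

```c
#include <math.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Assumed constants of JavaScriptCore's 64-bit JSValue encoding (from memory of
 * the engine's headers, not from this ChangeLog entry):
 *  - doubles are boxed as their IEEE bits plus 2^48, so a boxed double never has
 *    top 16 bits of 0x0000 (cell pointer) or 0xffff (Int32);
 *  - an Int32 is 0xffff in the top 16 bits followed by the 32-bit payload;
 *  - the canonical "pure" NaN is 0x7ff8000000000000. */
#define DOUBLE_ENCODE_OFFSET  (1ULL << 48)
#define NUMBER_TAG            0xffff000000000000ULL
#define PURE_NAN_BITS         0x7ff8000000000000ULL
/* Any NaN whose raw bits are at or above this value would, once the encode
 * offset is added, carry the 0xffff Int32 tag: those are the impure NaNs. */
#define IMPURE_NAN_THRESHOLD  0xfffe000000000000ULL

static uint64_t double_to_bits(double d) { uint64_t u; memcpy(&u, &d, sizeof u); return u; }
static double bits_to_double(uint64_t u) { double d; memcpy(&d, &u, sizeof d); return d; }

/* The single NaN bit pattern the engine is willing to tag. */
double pure_nan(void) { return bits_to_double(PURE_NAN_BITS); }

/* True for NaNs that must not be tagged as-is (payload would collide with a tag). */
bool is_impure_nan(double d) { return double_to_bits(d) >= IMPURE_NAN_THRESHOLD; }

/* Canonicalise: every NaN becomes pure_nan(); non-NaN values pass through untouched. */
double purify_nan(double d) { return isnan(d) ? pure_nan() : d; }

/* Box a double the way the tagged representation does. Callers must purify first;
 * this helper deliberately does not, so the collision can be observed. */
uint64_t encode_double(double d) { return double_to_bits(d) + DOUBLE_ENCODE_OFFSET; }

/* Would a decoder read this boxed value back as an Int32 rather than a double? */
bool encoded_reads_as_int32(uint64_t boxed) { return (boxed & NUMBER_TAG) == NUMBER_TAG; }

/* Constructed sample: a NaN with an arbitrary payload, the kind a Float64Array view
 * over script-written bytes can yield (sign set, exponent all ones, mantissa 7). */
#define SAMPLE_IMPURE_NAN_BITS 0xfffe000000000007ULL

/* Shows the hazard and the fix: returns true when purification removes the tag
 * collision that boxing the raw NaN would have produced. */
bool purification_prevents_type_confusion(void) {
    double raw = bits_to_double(SAMPLE_IMPURE_NAN_BITS);
    bool raw_collides = encoded_reads_as_int32(encode_double(raw));
    bool pure_collides = encoded_reads_as_int32(encode_double(purify_nan(raw)));
    return isnan(raw) && is_impure_nan(raw) && raw_collides && !pure_collides;
}
```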
2983
2984 2014-04-16  Juergen Ributzka  <juergen@apple.com>
2985
2986         Enable system library calls in FTL for ARM64
2987         https://bugs.webkit.org/show_bug.cgi?id=130154
2988
2989         Reviewed by Geoffrey Garen and Filip Pizlo.
2990
2991         * ftl/FTLIntrinsicRepository.h:
2992         * ftl/FTLOutput.h:
2993         (JSC::FTL::Output::doubleRem):
2994         (JSC::FTL::Output::doubleSin):
2995         (JSC::FTL::Output::doubleCos):
2996
2997 2014-04-16  peavo@outlook.com  <peavo@outlook.com>
2998
2999         Fix JSC Debug Regressions on Windows
3000         https://bugs.webkit.org/show_bug.cgi?id=131182
3001
3002         Reviewed by Brent Fulgham.
3003
3004         The cast static_cast<int64_t>(number) in JSValue::isMachineInt() can generate a floating point error,
3005         and set the st floating point register tags, if the value of the number parameter is infinite.
3006         If the st floating point register tags are not cleared, this can cause strange floating point behavior later on.
3007         This can be avoided by checking for infinity first.
3008
3009         * runtime/JSCJSValueInlines.h:
3010         (JSC::JSValue::isMachineInt): Avoid floating point error by checking for infinity first.
3011         * runtime/Options.cpp:
3012         (JSC::recomputeDependentOptions): Re-enable jit for Windows.
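
        The check order this entry describes, as an added example (not JSC's isMachineInt and not code from this ChangeLog): the 52-bit machine-int range is an assumption taken from memory of the engine, and the example goes further than the entry by also rejecting NaN and values beyond the int64_t range before the cast, since converting either is undefined behaviour in C.

```c
#include <math.h>
#include <stdbool.h>
#include <stdint.h>

/* Assumed: a "machine int" is a 52-bit signed integer, the range JSC's Int52
 * representation can hold (from memory of the engine, not from this entry). */
#define INT52_BITS 52
#define INT52_LIMIT ((int64_t)1 << (INT52_BITS - 1))   /* exclusive upper bound */

/* Largest double below 2^63 is fine to cast; 2^63 itself and beyond are not. */
#define INT64_AS_DOUBLE_LIMIT 9223372036854775808.0

bool is_machine_int(double number) {
    /* Reject infinities (the bug in the entry) and NaN before the cast: converting
     * either to int64_t is undefined behaviour in C, and on x87 the attempted
     * conversion also leaves the FPU status/tag state dirty, which is what made
     * later floating point results unreliable on the Windows debug builds. */
    if (!isfinite(number))
        return false;
    /* The cast is also undefined for |number| >= 2^63; bound the magnitude so the
     * conversion below is always defined (an addition over the entry's check). */
    if (number >= INT64_AS_DOUBLE_LIMIT || number < -INT64_AS_DOUBLE_LIMIT)
        return false;
    int64_t as_int64 = (int64_t)number;
    if ((double)as_int64 != number)        /* fractional part present */
        return false;
    if (as_int64 == 0 && signbit(number))  /* -0 is a double, not an integer */
        return false;
    return as_int64 < INT52_LIMIT && as_int64 >= -INT52_LIMIT;
}
```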
3013
3014 2014-04-16  Oliver Hunt  <oliver@apple.com>
3015
3016         Simple ES6 feature: Array.prototype.fill
3017         https://bugs.webkit.org/show_bug.cgi?id=131703
3018
3019         Reviewed by David Hyatt.
3020
3021         Add support for Array.prototype.fill
3022
3023         * builtins/Array.prototype.js:
3024         (fill):
3025         * runtime/ArrayPrototype.cpp:
3026
3027 2014-04-16  Mark Hahnenberg  <mhahnenberg@apple.com>
3028
3029         [WebKit] Cleanup the build from uninitialized variable in JavaScriptCore
3030         https://bugs.webkit.org/show_bug.cgi?id=131728
3031
3032         Reviewed by Darin Adler.
3033
3034         * runtime/JSObject.cpp:
3035         (JSC::JSObject::genericConvertDoubleToContiguous): Add a RELEASE_ASSERT on the 
3036         path we expect to never take. Also shut up confused compilers about uninitialized things.
3037
3038 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
3039
3040         Unreviewed, ARMv7 build fix after r167336.
3041
3042         * assembler/MacroAssemblerARMv7.h:
3043         (JSC::MacroAssemblerARMv7::branchAdd32):
3044
3045 2014-04-16  Gabor Rapcsanyi  <rgabor@webkit.org>
3046
3047         Unreviewed, ARM64 build fix after r167336.
3048
3049         * assembler/MacroAssemblerARM64.h:
3050         (JSC::MacroAssemblerARM64::branchAdd32): Add missing function.
3051
3052 2014-04-15  Filip Pizlo  <fpizlo@apple.com>
3053
3054         Unreviewed, add the obvious thing that marks MakeRope as exiting since it can exit.
3055
3056         * dfg/DFGAbstractInterpreterInlines.h:
3057         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3058
3059 2014-04-15  Filip Pizlo  <fpizlo@apple.com>
3060
3061         compileMakeRope does not emit necessary bounds checks
3062         https://bugs.webkit.org/show_bug.cgi?id=130684
3063         <rdar://problem/16398388>
3064
3065         Reviewed by Oliver Hunt.
3066         
3067         Add string length bounds checks in a bunch of places. We should never allow a string
3068         to have a length greater than 2^31-1 because it's not clear that the language has
3069         semantics for it and because there is code that assumes that this cannot happen.
3070         
3071         Also add a bunch of tests to that effect to cover the various ways in which this was
3072         previously allowed to happen.
3073
3074         * dfg/DFGOperations.cpp:
3075         * dfg/DFGSpeculativeJIT.cpp:
3076         (JSC::DFG::SpeculativeJIT::compileMakeRope):
3077         * ftl/FTLLowerDFGToLLVM.cpp:
3078         (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
3079         * runtime/JSString.cpp:
3080         (JSC::JSRopeString::RopeBuilder::expand):
3081         * runtime/JSString.h:
3082         (JSC::JSString::create):
3083         (JSC::JSRopeString::RopeBuilder::append):
3084         (JSC::JSRopeString::RopeBuilder::release):
3085         (JSC::JSRopeString::append):
3086         * runtime/Operations.h:
3087         (JSC::jsString):
3088         (JSC::jsStringFromRegisterArray):
3089         (JSC::jsStringFromArguments):
3090         * runtime/StringPrototype.cpp:
3091         (JSC::stringProtoFuncIndexOf):
3092         (JSC::stringProtoFuncSlice):
3093         (JSC::stringProtoFuncSubstring):
3094         (JSC::stringProtoFuncToLowerCase):
3095         * tests/stress/make-large-string-jit-strcat.js: Added.
3096         (foo):
3097         * tests/stress/make-large-string-jit.js: Added.
3098         (foo):
3099         * tests/stress/make-large-string-strcat.js: Added.
3100         * tests/stress/make-large-string.js: Added.
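
        The length bound this entry adds, as an added example (not JSC's RopeBuilder and not code from this ChangeLog): a minimal three-fiber rope builder is constructed for illustration, the 2^31-1 limit is the one stated in the entry, and the unchecked 32-bit accumulation is shown beside the checked append so the wraparound it prevents is visible.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* The entry's rule: no string may have more than 2^31-1 characters. */
#define MAX_STRING_LENGTH 0x7fffffffu

/* Minimal rope builder, constructed for this example (JSC's real one also holds
 * at most three fibers, an assumption here). Only the total length matters. */
typedef struct {
    uint32_t fiber_length[3];
    unsigned fiber_count;
    uint32_t length;
    bool overflowed;   /* set once an append would exceed the limit */
} RopeBuilder;

void rope_init(RopeBuilder *rb) { memset(rb, 0, sizeof *rb); }

/* The pre-fix pattern: the total accumulates in 32 bits with no check, so two
 * 2^31-character fibers wrap to a total of 0, which a later allocation would use. */
uint32_t unchecked_total(uint32_t a, uint32_t b) { return a + b; }

/* The checked append: refuse before the sum is formed, so the length cannot wrap.
 * The subtraction cannot underflow because length never exceeds the limit. */
bool rope_append(RopeBuilder *rb, uint32_t fiber_len) {
    if (rb->overflowed || rb->fiber_count == 3)
        return false;
    if (fiber_len > MAX_STRING_LENGTH - rb->length) {
        rb->overflowed = true;
        return false;
    }
    rb->fiber_length[rb->fiber_count++] = fiber_len;
    rb->length += fiber_len;
    return true;
}

/* Release: a builder that overflowed yields no string (the caller raises an error). */
bool rope_release(const RopeBuilder *rb, uint32_t *out_len) {
    if (rb->overflowed)
        return false;
    *out_len = rb->length;
    return true;
}

/* Walk-through used for verification: fill to exactly the limit, then one more. */
bool length_limit_enforced(void) {
    RopeBuilder rb;
    uint32_t len = 0;
    rope_init(&rb);
    if (!rope_append(&rb, 0x40000000u)) return false;   /* 2^30 */
    if (!rope_append(&rb, 0x3fffffffu)) return false;   /* total now 2^31-1 */
    if (rope_append(&rb, 1))            return false;   /* must be refused */
    if (rope_release(&rb, &len))        return false;   /* poisoned builder */
    return rb.length == MAX_STRING_LENGTH && rb.overflowed;
}
```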
3101
3102 2014-04-15  Julien Brianceau  <jbriance@cisco.com>
3103
3104         Remove invalid sh4 specific code in JITInlines header.
3105         https://bugs.webkit.org/show_bug.cgi?id=131692
3106
3107         Reviewed by Geoffrey Garen.
3108
3109         * jit/JITInlines.h:
3110         (JSC::JIT::callOperation): Prototype is not F_JITOperation_EJJZ
3111         anymore since r160244, so the sh4 specific code is invalid now
3112         and has to be removed.
3113
3114 2014-04-15  Mark Hahnenberg  <mhahnenberg@apple.com>
3115
3116         Fix precedence issue in JSCell::setRemembered
3117
3118         Rubber stamped by Filip Pizlo.
3119
3120         * runtime/JSCell.h:
3121         (JSC::JSCell::setRemembered):
3122
3123 2014-04-15  Mark Hahnenberg  <mhahnenberg@apple.com>
3124
3125         Objective-C API external object graphs don't handle generational collection properly
3126         https://bugs.webkit.org/show_bug.cgi?id=131634
3127
3128         Reviewed by Geoffrey Garen.
3129
3130         If the set of Objective-C objects transitively reachable through an object changes, we 
3131         need to update the set of opaque roots accordingly. If we don't, the next EdenCollection 
3132         won't rescan the external object graph, which would lead us to consider a newly allocated 
3133         JSManagedValue to be dead.
3134
3135         * API/JSBase.cpp:
3136         (JSSynchronousEdenCollectForDebugging):
3137         * API/JSVirtualMachine.mm:
3138         (-[JSVirtualMachine initWithContextGroupRef:]):
3139         (-[JSVirtualMachine dealloc]):
3140         (-[JSVirtualMachine isOldExternalObject:]):
3141         (-[JSVirtualMachine addExternalRememberedObject:]):
3142         (-[JSVirtualMachine addManagedReference:withOwner:]):
3143         (-[JSVirtualMachine removeManagedReference:withOwner:]):
3144         (-[JSVirtualMachine externalRememberedSet]):
3145         (scanExternalObjectGraph):
3146         (scanExternalRememberedSet):
3147         * API/JSVirtualMachineInternal.h:
3148         * API/tests/testapi.mm:
3149         * heap/Heap.cpp:
3150         (JSC::Heap::markRoots):
3151         * heap/Heap.h:
3152         (JSC::Heap::slotVisitor):
3153         * heap/SlotVisitor.h:
3154         * heap/SlotVisitorInlines.h:
3155         (JSC::SlotVisitor::containsOpaqueRoot):
3156         (JSC::SlotVisitor::containsOpaqueRootTriState):
3157
3158 2014-04-15  Filip Pizlo  <fpizlo@apple.com>
3159
3160         DFG IR should keep the data flow of doubles and int52's separate from the data flow of JSValue's
3161         https://bugs.webkit.org/show_bug.cgi?id=131423
3162
3163         Reviewed by Geoffrey Garen.
3164         
3165         This introduces more static typing into DFG IR. Previously we just had the notion of
3166         JSValues and Storage. This was weird because doubles weren't always convertible to
3167         JSValues, and Int52s weren't always convertible to either doubles or JSValues. We would
3168         sort of insert explicit conversion nodes just for the places where we knew that an
3169         implicit conversion wouldn't have been possible -- but there was no hard and fast rule so
3170         we'd get bugs from forgetting to do the right conversion.
3171         
3172         This patch introduces a hard and fast rule: doubles can never be implicitly converted to
3173         anything but doubles, and likewise Int52's can never be implicitly converted. Conversion
3174         nodes are used for all of the conversions. Int52Rep, DoubleRep, and ValueRep are the
3175         conversions. They are like Identity but return the same value using a different
3176         representation. Likewise, constants may now be represented using either JSConstant,
3177         Int52Constant, or DoubleConstant. UseKinds have been adjusted accordingly, as well.
3178         Int52RepUse and DoubleRepUse are node uses that mean "the node must be of Int52 (or
3179         Double) type". They don't imply checks. There is also DoubleRepRealUse, which means that
3180         we speculate DoubleReal and expect Double representation.
3181         
3182         In addition to simplifying a bunch of rules in the IR and making the IR more verifiable,
3183         this also makes it easier to introduce optimizations in the future. It's now possible for
3184         AI to model when/how conversions take place. For example if doing a conversion results in
3185         NaN sanitization, then AI can model this and can allow us to sink sanitizations. That's
3186         what https://bugs.webkit.org/show_bug.cgi?id=131419 will be all about.
3187         
3188         This was a big change, so I had to do some interesting things, like finally get rid of
3189         the DFG's weird variadic template macro hacks and use real C++11 variadic templates. Also
3190         the ByteCodeParser no longer emits Identity nodes since that was always pointless.
3191         
3192         No performance change because this mostly just rationalizes preexisting behavior.
3193
3194         * JavaScriptCore.xcodeproj/project.pbxproj:
3195         * assembler/MacroAssemblerX86.h:
3196         * bytecode/CodeBlock.cpp:
3197         * bytecode/CodeBlock.h:
3198         * dfg/DFGAbstractInterpreter.h:
3199         (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
3200         (JSC::DFG::AbstractInterpreter::setConstant):
3201         * dfg/DFGAbstractInterpreterInlines.h:
3202         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3203         * dfg/DFGAbstractValue.cpp:
3204         (JSC::DFG::AbstractValue::set):
3205         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
3206         (JSC::DFG::AbstractValue::checkConsistency):
3207         * dfg/DFGAbstractValue.h:
3208         * dfg/DFGBackwardsPropagationPhase.cpp:
3209         (JSC::DFG::BackwardsPropagationPhase::propagate):
3210         * dfg/DFGBasicBlock.h:
3211         * dfg/DFGBasicBlockInlines.h:
3212         (JSC::DFG::BasicBlock::appendNode):
3213         (JSC::DFG::BasicBlock::appendNonTerminal):
3214         * dfg/DFGByteCodeParser.cpp:
3215         (JSC::DFG::ByteCodeParser::parseBlock):
3216         * dfg/DFGCSEPhase.cpp:
3217         (JSC::DFG::CSEPhase::constantCSE):
3218         (JSC::DFG::CSEPhase::performNodeCSE):
3219         (JSC::DFG::CSEPhase::int32ToDoubleCSE): Deleted.
3220         * dfg/DFGCapabilities.h:
3221         * dfg/DFGClobberize.h:
3222         (JSC::DFG::clobberize):
3223         * dfg/DFGConstantFoldingPhase.cpp:
3224         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3225         * dfg/DFGDCEPhase.cpp:
3226         (JSC::DFG::DCEPhase::fixupBlock):
3227         * dfg/DFGEdge.h:
3228         (JSC::DFG::Edge::willNotHaveCheck):
3229         * dfg/DFGFixupPhase.cpp:
3230         (JSC::DFG::FixupPhase::run):
3231         (JSC::DFG::FixupPhase::fixupNode):
3232         (JSC::DFG::FixupPhase::fixupGetAndSetLocalsInBlock):
3233         (JSC::DFG::FixupPhase::observeUseKindOnNode):
3234         (JSC::DFG::FixupPhase::fixIntEdge):
3235         (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
3236         (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
3237         (JSC::DFG::FixupPhase::tryToRelaxRepresentation):
3238         (JSC::DFG::FixupPhase::fixEdgeRepresentation):
3239         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
3240         (JSC::DFG::FixupPhase::addRequiredPhantom):
3241         (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
3242         (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
3243         (JSC::DFG::FixupPhase::fixupSetLocalsInBlock): Deleted.
3244         * dfg/DFGFlushFormat.h:
3245         (JSC::DFG::resultFor):
3246         (JSC::DFG::useKindFor):
3247         * dfg/DFGGraph.cpp:
3248         (JSC::DFG::Graph::dump):
3249         * dfg/DFGGraph.h:
3250         (JSC::DFG::Graph::addNode):
3251         * dfg/DFGInPlaceAbstractState.cpp:
3252         (JSC::DFG::InPlaceAbstractState::initialize):
3253         * dfg/DFGInsertionSet.h:
3254         (JSC::DFG::InsertionSet::insertNode):
3255         (JSC::DFG::InsertionSet::insertConstant):
3256         (JSC::DFG::InsertionSet::insertConstantForUse):
3257         * dfg/DFGIntegerCheckCombiningPhase.cpp:
3258         (JSC::DFG::IntegerCheckCombiningPhase::insertAdd):
3259         (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd):
3260         * dfg/DFGNode.cpp:
3261         (JSC::DFG::Node::convertToIdentity):
3262         (WTF::printInternal):
3263         * dfg/DFGNode.h:
3264         (JSC::DFG::Node::Node):
3265         (JSC::DFG::Node::setResult):
3266         (JSC::DFG::Node::result):
3267         (JSC::DFG::Node::isConstant):
3268         (JSC::DFG::Node::hasConstant):
3269         (JSC::DFG::Node::convertToConstant):
3270         (JSC::DFG::Node::valueOfJSConstant):
3271         (JSC::DFG::Node::hasResult):
3272         (JSC::DFG::Node::hasInt32Result):
3273         (JSC::DFG::Node::hasInt52Result):
3274         (JSC::DFG::Node::hasNumberResult):
3275         (JSC::DFG::Node::hasDoubleResult):
3276         (JSC::DFG::Node::hasJSResult):
3277         (JSC::DFG::Node::hasBooleanResult):
3278         (JSC::DFG::Node::hasStorageResult):
3279         (JSC::DFG::Node::defaultUseKind):
3280         (JSC::DFG::Node::defaultEdge):
3281         (JSC::DFG::Node::convertToIdentity): Deleted.
3282         * dfg/DFGNodeFlags.cpp:
3283         (JSC::DFG::dumpNodeFlags):
3284         * dfg/DFGNodeFlags.h:
3285         (JSC::DFG::canonicalResultRepresentation):
3286         * dfg/DFGNodeType.h:
3287         * dfg/DFGOSRExitCompiler32_64.cpp:
3288         (JSC::DFG::OSRExitCompiler::compileExit):
3289         * dfg/DFGOSRExitCompiler64.cpp:
3290         (JSC::DFG::OSRExitCompiler::compileExit):
3291         * dfg/DFGPredictionPropagationPhase.cpp:
3292         (JSC::DFG::PredictionPropagationPhase::propagate):
3293         * dfg/DFGResurrectionForValidationPhase.cpp:
3294         (JSC::DFG::ResurrectionForValidationPhase::run):
3295         * dfg/DFGSSAConversionPhase.cpp:
3296         (JSC::DFG::SSAConversionPhase::run):
3297         * dfg/DFGSafeToExecute.h:
3298         (JSC::DFG::SafeToExecuteEdge::operator()):
3299         (JSC::DFG::safeToExecute):
3300         * dfg/DFGSpeculativeJIT.cpp:
3301         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
3302         (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
3303         (JSC::DFG::SpeculativeJIT::silentFill):
3304         (JSC::DFG::JSValueRegsTemporary::JSValueRegsTemporary):
3305         (JSC::DFG::JSValueRegsTemporary::~JSValueRegsTemporary):
3306         (JSC::DFG::JSValueRegsTemporary::regs):
3307         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
3308         (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
3309         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
3310         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
3311         (JSC::DFG::SpeculativeJIT::compileValueRep):
3312         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
3313         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
3314         (JSC::DFG::SpeculativeJIT::compileAdd):
3315         (JSC::DFG::SpeculativeJIT::compileArithSub):
3316         (JSC::DFG::SpeculativeJIT::compileArithNegate):
3317         (JSC::DFG::SpeculativeJIT::compileArithMul):
3318         (JSC::DFG::SpeculativeJIT::compileArithDiv):
3319         (JSC::DFG::SpeculativeJIT::compileArithMod):
3320         (JSC::DFG::SpeculativeJIT::compare):
3321         (JSC::DFG::SpeculativeJIT::compileStrictEq):
3322         (JSC::DFG::SpeculativeJIT::speculateNumber):
3323         (JSC::DFG::SpeculativeJIT::speculateDoubleReal):
3324         (JSC::DFG::SpeculativeJIT::speculate):
3325         (JSC::DFG::SpeculativeJIT::compileInt32ToDouble): Deleted.
3326         (JSC::DFG::SpeculativeJIT::speculateMachineInt): Deleted.
3327         (JSC::DFG::SpeculativeJIT::speculateRealNumber): Deleted.
3328         * dfg/DFGSpeculativeJIT.h:
3329         (JSC::DFG::SpeculativeJIT::allocate):
3330         (JSC::DFG::SpeculativeJIT::use):
3331         (JSC::DFG::SpeculativeJIT::boxDouble):
3332         (JSC::DFG::SpeculativeJIT::spill):
3333         (JSC::DFG::SpeculativeJIT::jsValueResult):
3334         (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand):
3335         (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand):
3336         (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand):
3337         (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
3338         * dfg/DFGSpeculativeJIT32_64.cpp:
3339         (JSC::DFG::SpeculativeJIT::fillJSValue):
3340         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
3341         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3342         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3343         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3344         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
3345         (JSC::DFG::SpeculativeJIT::emitBranch):
3346         (JSC::DFG::SpeculativeJIT::compile):
3347         (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
3348         * dfg/DFGSpeculativeJIT64.cpp:
3349         (JSC::DFG::SpeculativeJIT::fillJSValue):
3350         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
3351         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
3352         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3353         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3354         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3355         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
3356         (JSC::DFG::SpeculativeJIT::emitBranch):
3357         (JSC::DFG::SpeculativeJIT::compile):
3358         (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
3359         * dfg/DFGStrengthReductionPhase.cpp:
3360         (JSC::DFG::StrengthReductionPhase::handleNode):
3361         * dfg/DFGUseKind.cpp:
3362         (WTF::printInternal):
3363         * dfg/DFGUseKind.h:
3364         (JSC::DFG::typeFilterFor):
3365         (JSC::DFG::shouldNotHaveTypeCheck):
3366         (JSC::DFG::mayHaveTypeCheck):
3367         (JSC::DFG::isNumerical):
3368         (JSC::DFG::isDouble):
3369         (JSC::DFG::isCell):
3370         (JSC::DFG::usesStructure):
3371         (JSC::DFG::useKindForResult):
3372         * dfg/DFGValidate.cpp:
3373         (JSC::DFG::Validate::validate):
3374         * dfg/DFGVariadicFunction.h: Removed.
3375         * ftl/FTLCapabilities.cpp:
3376         (JSC::FTL::canCompile):
3377         * ftl/FTLLowerDFGToLLVM.cpp:
3378         (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
3379         (JSC::FTL::LowerDFGToLLVM::compileNode):
3380         (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
3381         (JSC::FTL::LowerDFGToLLVM::compilePhi):
3382         (JSC::FTL::LowerDFGToLLVM::compileDoubleConstant):
3383         (JSC::FTL::LowerDFGToLLVM::compileInt52Constant):
3384         (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant):
3385         (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
3386         (JSC::FTL::LowerDFGToLLVM::compileValueRep):
3387         (JSC::FTL::LowerDFGToLLVM::compileInt52Rep):
3388         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
3389         (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
3390         (JSC::FTL::LowerDFGToLLVM::compileArithMul):
3391         (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
3392         (JSC::FTL::LowerDFGToLLVM::compileArithMod):
3393         (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
3394         (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
3395         (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
3396         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
3397         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
3398         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
3399         (JSC::FTL::LowerDFGToLLVM::compare):
3400         (JSC::FTL::LowerDFGToLLVM::boolify):
3401         (JSC::FTL::LowerDFGToLLVM::lowInt52):
3402         (JSC::FTL::LowerDFGToLLVM::lowStrictInt52):
3403         (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52):
3404         (JSC::FTL::LowerDFGToLLVM::lowDouble):
3405         (JSC::FTL::LowerDFGToLLVM::lowJSValue):
3406         (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble):
3407         (JSC::FTL::LowerDFGToLLVM::jsValueToDouble):
3408         (JSC::FTL::LowerDFGToLLVM::speculate):
3409         (JSC::FTL::LowerDFGToLLVM::speculateNumber):
3410         (JSC::FTL::LowerDFGToLLVM::speculateDoubleReal):