Unreviewed. Removing the remaining Automake cruft.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-03-26  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed. Removing the remaining Automake cruft.

        * GNUmakefile.list.am: Removed.

2014-03-25  Filip Pizlo  <fpizlo@apple.com>

        Arguments simplification phase should be fine with marking the arguments local itself as an arguments alias
        https://bugs.webkit.org/show_bug.cgi?id=130764
        <rdar://problem/16304788>

        Reviewed by Sam Weinig.

        Being an arguments alias just means that your OSR exit recovery should attempt arguments
        creation. This is true of arguments locals. We had special cases that tried to make it not
        true of arguments locals. The only consequence of those special cases was to cause crashes
        in case of arguments that are also captured variables (i.e. we have SlowArguments). This
        change just removes those special cases.

        This change means that the FTL will now see SetLocals with a FlushedArguments format.
        Previously you wouldn't see them because previously only non-captured variables would be
        arguments aliases, and non-captured variables get completely SSAified - i.e. no SetLocals
        left. Adding handling for FlushedArguments is a benign and simple change since its
        behavior is identical to FlushedJSValue for that code's purposes.

        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
        * tests/stress/captured-arguments-variable.js: Added.
        (foo):
        (noInline):

2014-03-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add HeapInlines
        https://bugs.webkit.org/show_bug.cgi?id=130759

        Reviewed by Filip Pizlo.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.cpp:
        (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor):
        (JSC::MarkedBlockSnapshotFunctor::operator()):
        * heap/Heap.h: Also reindented while we're here.
        (JSC::Heap::writeBarrierBuffer):
        (JSC::Heap::vm):
        (JSC::Heap::objectSpace):
        (JSC::Heap::machineThreads):
        (JSC::Heap::operationInProgress):
        (JSC::Heap::allocatorForObjectWithoutDestructor):
        (JSC::Heap::allocatorForObjectWithNormalDestructor):
        (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor):
        (JSC::Heap::storageAllocator):
        (JSC::Heap::notifyIsSafeToCollect):
        (JSC::Heap::isSafeToCollect):
        (JSC::Heap::handleSet):
        (JSC::Heap::handleStack):
        (JSC::Heap::lastFullGCLength):
        (JSC::Heap::lastEdenGCLength):
        (JSC::Heap::increaseLastFullGCLength):
        (JSC::Heap::sizeBeforeLastEdenCollection):
        (JSC::Heap::sizeAfterLastEdenCollection):
        (JSC::Heap::sizeBeforeLastFullCollection):
        (JSC::Heap::sizeAfterLastFullCollection):
        (JSC::Heap::jitStubRoutines):
        (JSC::Heap::isDeferred):
        (JSC::Heap::structureIDTable):
        (JSC::Heap::removeCodeBlock):
        * heap/HeapInlines.h: Added.
        (JSC::Heap::shouldCollect):
        (JSC::Heap::isBusy):
        (JSC::Heap::isCollecting):
        (JSC::Heap::heap):
        (JSC::Heap::isLive):
        (JSC::Heap::isInRememberedSet):
        (JSC::Heap::isMarked):
        (JSC::Heap::testAndSetMarked):
        (JSC::Heap::setMarked):
        (JSC::Heap::isWriteBarrierEnabled):
        (JSC::Heap::writeBarrier):
        (JSC::Heap::reportExtraMemoryCost):
        (JSC::Heap::forEachProtectedCell):
        (JSC::Heap::forEachCodeBlock):
        (JSC::Heap::allocateWithNormalDestructor):
        (JSC::Heap::allocateWithImmortalStructureDestructor):
        (JSC::Heap::allocateWithoutDestructor):
        (JSC::Heap::tryAllocateStorage):
        (JSC::Heap::tryReallocateStorage):
        (JSC::Heap::ascribeOwner):
        (JSC::Heap::blockAllocator):
        (JSC::Heap::releaseSoon):
        (JSC::Heap::incrementDeferralDepth):
        (JSC::Heap::decrementDeferralDepth):
        (JSC::Heap::collectIfNecessaryOrDefer):
        (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
        (JSC::Heap::markListSet):
        * runtime/JSCInlines.h:

2014-03-25  Filip Pizlo  <fpizlo@apple.com>

        DFG::ByteCodeParser::SetMode should distinguish between setting immediately without a flush and setting immediately with a flush
        https://bugs.webkit.org/show_bug.cgi?id=130760

        Reviewed by Mark Hahnenberg.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::setArgument):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * tests/stress/assign-argument-in-inlined-call.js: Added.
        (f1):
        (getF2Arguments):
        (f2):
        (f3):
        * tests/stress/assign-captured-argument-in-inlined-call.js: Added.
        (f1):
        (f2):
        (f3):

2014-03-25  Filip Pizlo  <fpizlo@apple.com>

        Fix 32-bit getter call alignment.

        Reviewed by Mark Hahnenberg.

        * jit/Repatch.cpp:
        (JSC::generateGetByIdStub):

2014-03-25  Filip Pizlo  <fpizlo@apple.com>

        Repatch should plant calls to getters directly rather than through a C helper
        https://bugs.webkit.org/show_bug.cgi?id=129589

        Reviewed by Mark Hahnenberg.

        As the title says. All of the superstructure for this was already in place, so now it
        was just a matter of actually emitting the call.

        8x speed-up for getter microbenchmarks.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PolymorphicGetByIdList.h:
        (JSC::GetByIdAccess::doesCalls):
        * jit/AccessorCallJITStubRoutine.cpp: Added.
        (JSC::AccessorCallJITStubRoutine::AccessorCallJITStubRoutine):
        (JSC::AccessorCallJITStubRoutine::~AccessorCallJITStubRoutine):
        (JSC::AccessorCallJITStubRoutine::visitWeak):
        * jit/AccessorCallJITStubRoutine.h: Added.
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::storeCell):
        * jit/GCAwareJITStubRoutine.h:
        * jit/Repatch.cpp:
        (JSC::generateGetByIdStub):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::offsetOfGetter):
        (JSC::GetterSetter::offsetOfSetter):

2014-03-25  Michael Saboff  <msaboff@apple.com>

        Unreviewed, rolling out r166126.

        Rollout r166126 in preparation to roll out prerequisite r166070

        Reverted changeset:

        "toThis() on a JSWorkerGlobalScope should return a JSProxy and
        not undefined"
        https://bugs.webkit.org/show_bug.cgi?id=130554
        http://trac.webkit.org/changeset/166126

2014-03-25  Oliver Hunt  <oliver@apple.com>

        AST incorrectly conflates readable and writable locations
        https://bugs.webkit.org/show_bug.cgi?id=130734

        Reviewed by Filip Pizlo.

        We need to distinguish between "locations" that are valid for reading
        and writing, vs those that may only be written.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitBytecode):
        (JSC::ForOfNode::emitBytecode):
        * parser/Nodes.h:
        (JSC::ExpressionNode::isAssignmentLocation):

2014-03-24  Oliver Hunt  <oliver@apple.com>

        ASSERTION FAILED in Parser: dst != localReg
        https://bugs.webkit.org/show_bug.cgi?id=130710

        Reviewed by Filip Pizlo.

        Just make sure we don't try to write to a captured constant,
        following the change to track captured variables separately.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::PostfixNode::emitResolve):
        (JSC::PrefixNode::emitResolve):

2014-03-25  Martin Robinson  <mrobinson@igalia.com>

        [GTK] Remove the autotools build
        https://bugs.webkit.org/show_bug.cgi?id=130717

        Reviewed by Anders Carlsson.

        * GNUmakefile.am: Removed.
        * config.h: Remove references to the autotools configure file.

2014-03-24  Filip Pizlo  <fpizlo@apple.com>

        More scaffolding for a stub routine to have a stub recursively embedded inside it
        https://bugs.webkit.org/show_bug.cgi?id=130770

        Reviewed by Oliver Hunt.

        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::unlink): VM& argument is superfluous.
        (JSC::CallLinkInfo::visitWeak): Factor this out, it used to be in CodeBlock::finalizeUnconditionally().
        * bytecode/CallLinkInfo.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally): Factor out some functionality into CallLinkInfo::visitWeak(), and make sure we pass RepatchBuffer& in more places.
        (JSC::CodeBlock::unlinkCalls):
        (JSC::CodeBlock::unlinkIncomingCalls):
        * bytecode/PolymorphicGetByIdList.cpp: Pass RepatchBuffer& through and call JITStubRoutine::visitWeak().
        (JSC::GetByIdAccess::visitWeak):
        (JSC::PolymorphicGetByIdList::visitWeak):
        * bytecode/PolymorphicGetByIdList.h:
        * bytecode/PolymorphicPutByIdList.cpp: Pass RepatchBuffer& through and call JITStubRoutine::visitWeak().
        (JSC::PutByIdAccess::visitWeak):
        (JSC::PolymorphicPutByIdList::visitWeak):
        * bytecode/PolymorphicPutByIdList.h:
        * bytecode/StructureStubInfo.cpp: Pass RepatchBuffer& through.
        (JSC::StructureStubInfo::visitWeakReferences):
        * bytecode/StructureStubInfo.h:
        * jit/ClosureCallStubRoutine.cpp: isClosureCall is unused.
        (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
        * jit/GCAwareJITStubRoutine.cpp:
        (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
        (JSC::createJITStubRoutine):
        * jit/GCAwareJITStubRoutine.h: Make it easier to construct one of these.
        (JSC::GCAwareJITStubRoutine::isClosureCall): Deleted.
        * jit/JITStubRoutine.cpp:
        (JSC::JITStubRoutine::visitWeak): This will allow future JITStubRoutine subclasses to have stubs recursively embedded inside them.
        * jit/JITStubRoutine.h:
        * jit/Repatch.cpp:
        (JSC::generateGetByIdStub): Fix a possible GC bug where we weren't making the stub routine GC aware.
        (JSC::emitCustomSetterStub): Clean up some code.

2014-03-24  Geoffrey Garen  <ggaren@apple.com>

        Safari crashes in JavaScriptCore: JSC::JSObject::growOutOfLineStorage
        when WebKit is compiled with fcatch-undefined-behavior
        https://bugs.webkit.org/show_bug.cgi?id=130652

        Reviewed by Mark Hahnenberg.

        Use a static member function because the butterfly we pass in might be
        NULL, and passing NULL to a member function is undefined behavior.

        Stylistically, I think this new way reads a little more clearly, since it
        matches createOrGrowArrayRight, and it helps to convey that m_butterfly
        might not exist yet.

        * runtime/Butterfly.h:
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::createOrGrowPropertyStorage): Renamed from growPropertyStorage
        because we might create. Split out the create path to avoid using NULL
        in a member function expression.

        Removed some unused versions of this function.

        * runtime/JSObject.cpp:
        (JSC::JSObject::growOutOfLineStorage): Updated for interface change.
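
The static-member pattern the entry above describes, as an added C++ example that is not WebKit's code: a lazily allocated property store whose owner still holds a null pointer on first use. Calling a non-static member function on that null pointer is undefined behaviour even when the function never reads `*this` (which is exactly what a UB sanitizer reports), so the create-or-grow decision lives in a static function that takes the possibly-null pointer as an ordinary argument. `PropertyStorage`, `createOrGrow` and `Owner` are hypothetical stand-ins for Butterfly, createOrGrowPropertyStorage and an object's m_butterfly, not JSC's API.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Hypothetical out-of-line property store (stand-in for Butterfly).
struct PropertyStorage {
    size_t capacity;   // number of slots
    uint64_t* slots;   // heap array, zero-initialised on creation

    // Allocate a fresh store with every slot set to 0.
    static PropertyStorage* create(size_t capacity) {
        PropertyStorage* s = new PropertyStorage;
        s->capacity = capacity;
        s->slots = new uint64_t[capacity]();
        return s;
    }

    // Grow an existing store, preserving its slots.
    // Precondition: this != nullptr; only createOrGrow() below may call it,
    // and it only does so after the null check, so `this` is always valid.
    PropertyStorage* grow(size_t newCapacity) {
        uint64_t* bigger = new uint64_t[newCapacity]();
        std::memcpy(bigger, slots, capacity * sizeof(uint64_t));
        delete[] slots;
        slots = bigger;
        capacity = newCapacity;
        return this;
    }

    // Static entry point: legal to call with old == nullptr because the null
    // pointer is a plain argument, never the object expression of a member call.
    static PropertyStorage* createOrGrow(PropertyStorage* old, size_t newCapacity) {
        if (!old)
            return create(newCapacity);
        return old->grow(newCapacity);
    }

    static void destroy(PropertyStorage* s) {
        if (!s)
            return;
        delete[] s->slots;
        delete s;
    }
};

// Owner whose storage may not exist yet (stand-in for an object's m_butterfly).
struct Owner {
    PropertyStorage* m_storage = nullptr;

    void put(size_t index, uint64_t value) {
        if (!m_storage || index >= m_storage->capacity) {
            size_t want = index + 1;
            size_t cap = m_storage ? m_storage->capacity * 2 : 4;
            if (cap < want)
                cap = want;
            m_storage = PropertyStorage::createOrGrow(m_storage, cap); // null-safe
        }
        m_storage->slots[index] = value;
    }

    uint64_t get(size_t index) const {
        if (!m_storage || index >= m_storage->capacity)
            return 0;
        return m_storage->slots[index];
    }

    ~Owner() { PropertyStorage::destroy(m_storage); }
};

// Forces the create path (first put) and the grow path (index past capacity),
// then returns 10 + 20 + 0 = 30 if both paths preserved the data.
uint64_t demoLazyGrowth() {
    Owner o;
    o.put(0, 10);  // m_storage is null here: create
    o.put(7, 20);  // index 7 >= capacity 4: grow, slot 0 must survive
    return o.get(0) + o.get(7) + o.get(3);
}

// Create from null, then grow; returns the final capacity, or 0 if data was lost.
size_t demoCreateThenGrowCapacity() {
    PropertyStorage* s = PropertyStorage::createOrGrow(nullptr, 3); // null -> create
    s->slots[2] = 99;
    s = PropertyStorage::createOrGrow(s, 5);                         // non-null -> grow
    size_t cap = (s->slots[2] == 99) ? s->capacity : 0;
    PropertyStorage::destroy(s);
    return cap;
}
```

The point of the split is that a null check inside a member function comes too late: the call expression `old->grow(n)` is already undefined when `old` is null, and an optimizer is entitled to assume it never is.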

2014-03-24  Oliver Hunt  <oliver@apple.com>

        Strict mode destructuring assignment crashes the parser.
        https://bugs.webkit.org/show_bug.cgi?id=130538

        Reviewed by Michael Saboff.

        The SyntaxChecker mode always returns 1 for success, except
        for a small subset of functions where we needed exact information.
        This ends up just being a poor design decision as it means
        the parser can get confused between a function returning 1, and
        the Resolve constant which was also 1. So we now use a unique
        type for every creation method.

        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createSourceElements):
        (JSC::SyntaxChecker::createFunctionBody):
        (JSC::SyntaxChecker::createArguments):
        (JSC::SyntaxChecker::createSpreadExpression):
        (JSC::SyntaxChecker::createArgumentsList):
        (JSC::SyntaxChecker::createPropertyList):
        (JSC::SyntaxChecker::createElementList):
        (JSC::SyntaxChecker::createFormalParameterList):
        (JSC::SyntaxChecker::createClause):
        (JSC::SyntaxChecker::createClauseList):
        (JSC::SyntaxChecker::createFuncDeclStatement):
        (JSC::SyntaxChecker::createBlockStatement):
        (JSC::SyntaxChecker::createExprStatement):
        (JSC::SyntaxChecker::createIfStatement):
        (JSC::SyntaxChecker::createForLoop):
        (JSC::SyntaxChecker::createForInLoop):
        (JSC::SyntaxChecker::createForOfLoop):
        (JSC::SyntaxChecker::createEmptyStatement):
        (JSC::SyntaxChecker::createVarStatement):
        (JSC::SyntaxChecker::createReturnStatement):
        (JSC::SyntaxChecker::createBreakStatement):
        (JSC::SyntaxChecker::createContinueStatement):
        (JSC::SyntaxChecker::createTryStatement):
        (JSC::SyntaxChecker::createSwitchStatement):
        (JSC::SyntaxChecker::createWhileStatement):
        (JSC::SyntaxChecker::createWithStatement):
        (JSC::SyntaxChecker::createDoWhileStatement):
        (JSC::SyntaxChecker::createLabelStatement):
        (JSC::SyntaxChecker::createThrowStatement):
        (JSC::SyntaxChecker::createDebugger):
        (JSC::SyntaxChecker::createConstStatement):
        (JSC::SyntaxChecker::appendConstDecl):
        (JSC::SyntaxChecker::combineCommaNodes):
        (JSC::SyntaxChecker::operatorStackPop):

2014-03-24  Brent Fulgham  <bfulgham@apple.com>

        Activate WebVTT Tests Once Merging is Complete
        https://bugs.webkit.org/show_bug.cgi?id=130420

        Reviewed by Eric Carlson.

        * Configurations/FeatureDefines.xcconfig: Turn on ENABLE(WEBVTT_REGIONS)

2014-03-24  Andreas Kling  <akling@apple.com>

        Stop pulling in all the macro assemblers from VM.h
        <https://webkit.org/b/130691>

        Remove #include of "GPRInfo.h". This breaks WebCore's dependency
        on macro assemblers headers and removes 8 includes from every
        .cpp file in the JS bindings.

        Reviewed by Geoff Garen.

        * runtime/VM.h:

2014-03-24  Gavin Barraclough  <barraclough@apple.com>

        Add support for thread QoS
        https://bugs.webkit.org/show_bug.cgi?id=130688

        Reviewed by Andreas Kling.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::blockFreeingThreadStartFunc):
            - block freeing is a utility activity.

2014-03-24  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix CLOOP build.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
        (JSC::CodeBlock::resetStubDuringGCInternal): Deleted.
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::callLinkInfosEnd): Deleted.

2014-03-24  Gabor Rapcsanyi  <rgabor@webkit.org>

        [ARM64] GNU assembler doesn't work with LLInt arm64 backend.
        https://bugs.webkit.org/show_bug.cgi?id=130453

        Reviewed by Filip Pizlo.

        Change fp and lr to x29 and x30. Add both operand kinds to emitARM64()
        at sxtw and uxtw instructions.

        * offlineasm/arm64.rb:

2014-03-23  Hyowon Kim  <hw1008.kim@samsung.com>

        Move all EFL typedefs into EflTypedefs.h.
        https://bugs.webkit.org/show_bug.cgi?id=130511

        Reviewed by Gyuyoung Kim.

        * heap/HeapTimer.h: Remove EFL typedefs.

2014-03-23  Filip Pizlo  <fpizlo@apple.com>

        Gotta grow the locals vectors if we are about to do SetLocals beyond the bytecode's numCalleeRegisters
        https://bugs.webkit.org/show_bug.cgi?id=130650
        <rdar://problem/16122966>

        Reviewed by Michael Saboff.

        Previously, it was only in the case of inlining that we would do SetLocals beyond the
        previously established numLocals limit. But then we added generalized op_call_varargs
        handling, which results in us emitting SetLocals that didn't previously exist in the
        bytecode.

        This factors out the inliner's ensureLocals loop and calls it from op_call_varargs.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ensureLocals):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub): Make this do alignment correctly.
        * runtime/Options.h:
        * tests/stress/call-varargs-from-inlined-code.js: Added.
        * tests/stress/call-varargs-from-inlined-code-with-odd-number-of-arguments.js: Added.

2014-03-22  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, adjust sizes for ARM64.

        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfCall):

2014-03-22  Filip Pizlo  <fpizlo@apple.com>

        Protect the silent spiller/filler's desire to fill Int32Constants by making sure that we don't mark something as having an Int32 register format if it's a non-Int32 constant
        https://bugs.webkit.org/show_bug.cgi?id=130649
        <rdar://problem/16399949>

        Reviewed by Andreas Kling.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        * tests/stress/fuzz-bug-16399949.js: Added.
        (tryItOut.f):
        (tryItOut):

2014-03-22  Filip Pizlo  <fpizlo@apple.com>

        Call linking slow paths should be passed a CallLinkInfo* directly so that you can create a call IC without adding it to any CodeBlocks
        https://bugs.webkit.org/show_bug.cgi?id=130644

        Reviewed by Andreas Kling.

        This is conceptually a really simple change but it involves the following:

        - The inline part of the call IC stuffs a pointer to the CallLinkInfo into regT2.

        - CodeBlock uses a Bag of CallLinkInfos instead of a Vector.

        - Remove the significance of a CallLinkInfo's index. This means that DFG::JITCode no
          longer has a vector of slow path counts that shadows the CallLinkInfo vector.

        - Make CallLinkInfo have its own slowPathCount, which counts actual slow path executions
          and not all relinking.

        This makes planting JS->JS calls inside other inline caches or stubs a lot easier, since
        the CallLinkInfo and the call IC slow paths no longer rely on the call being associated
        with an op_call/op_construct instruction and a machine code return PC within such an
        instruction.

        * bytecode/CallLinkInfo.h:
        (JSC::getCallLinkInfoCodeOrigin):
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        (JSC::CallLinkStatus::computeDFGStatuses):
        * bytecode/CallLinkStatus.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::getCallLinkInfoMap):
        (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
        (JSC::CodeBlock::addCallLinkInfo):
        (JSC::CodeBlock::unlinkCalls):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::stubInfoBegin):
        (JSC::CodeBlock::stubInfoEnd):
        (JSC::CodeBlock::callLinkInfosBegin):
        (JSC::CodeBlock::callLinkInfosEnd):
        (JSC::CodeBlock::byValInfo):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGJITCode.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addJSCall):
        (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfCall):
        * ftl/FTLJSCall.cpp:
        (JSC::FTL::JSCall::JSCall):
        (JSC::FTL::JSCall::emit):
        (JSC::FTL::JSCall::link):
        * ftl/FTLJSCall.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        (JSC::operationLinkFor):
        (JSC::operationVirtualFor):
        (JSC::operationLinkClosureCallFor):
        * jit/Repatch.cpp:
        (JSC::linkClosureCall):
        * jit/ThunkGenerators.cpp:
        (JSC::slowPathFor):
        (JSC::virtualForThunkGenerator):
        * tests/stress/eval-that-is-not-eval.js: Added.

2014-03-22  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix misspelled test name.

        * tests/stress/constand-folding-osr-exit.js: Removed.
        * tests/stress/constant-folding-osr-exit.js: Copied from Source/JavaScriptCore/tests/stress/constand-folding-osr-exit.js.

2014-03-22  Andreas Kling  <akling@apple.com>

        CREATE_DOM_WRAPPER doesn't need the ExecState.
        <https://webkit.org/b/130648>

        Add a fast path from JSGlobalObject to the VM so we don't have
        to dance via the Heap.

        Reviewed by Darin Adler.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::vm):

2014-03-22  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix FTL build.

        * ftl/FTLJITFinalizer.cpp:

2014-03-22  Michael Saboff  <msaboff@apple.com>

        toThis() on a JSWorkerGlobalScope should return a JSProxy and not undefined
        https://bugs.webkit.org/show_bug.cgi?id=130554

        Reviewed by Geoffrey Garen.

        Fixed toThis() on WorkerGlobalScope to return a JSProxy instead of the JSGlobalObject.
        Did some cleanup as well.  Moved the setting of the thisObject in a JSGlobalObject to
        happen in finishCreation() so that it will also happen for other derived classes including
        JSWorkerGlobalScopeBase.

        * API/JSContextRef.cpp:
        (JSGlobalContextCreateInGroup):
        * jsc.cpp:
        (GlobalObject::create):
        * API/tests/testapi.c:
        (globalObject_initialize): Eliminated ASSERT that the global object we are creating matches
        the result from JSContextGetGlobalObject() as that will return the proxy.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init): Removed thisValue parameter and the call to setGlobalThis() since
        we now call setGlobalThis in finishCreation().
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::finishCreation):
        (JSC::JSGlobalObject::setGlobalThis): Made this a private method.

2014-03-22  Andreas Kling  <akling@apple.com>

        Fix debug build.

        * bytecode/CodeBlock.cpp:
        * runtime/Executable.cpp:

2014-03-22  Andreas Kling  <akling@apple.com>

        Cut down on JSC profiler includes in WebCore & co.
        <https://webkit.org/b/130637>

        Most of WebKit was pulling in JSC's profiler headers via VM.h.

        Reviewed by Darin Adler.

        * dfg/DFGDisassembler.cpp:
        * dfg/DFGDisassembler.h:
        * dfg/DFGJITFinalizer.cpp:
        * jsc.cpp:
        * runtime/VM.cpp:
        * runtime/VM.h:

2014-03-22  Landry Breuil  <landry@openbsd.org>

        Use pthread_stackseg_np() to find the stack bounds on OpenBSD.
        https://bugs.webkit.org/show_bug.cgi?id=129965

        Reviewed by Anders Carlsson.

2014-03-21  Mark Lam  <mark.lam@apple.com>

        Crash when BytecodeGenerator::emitJump calls Label::bind on null pointer.
        <https://webkit.org/b/124508>

        Reviewed by Oliver Hunt.

        The issue is that BreakNode::emitBytecode() is holding onto a LabelScope
        pointer from the BytecodeGenerator's m_localScopes vector, and then it
        calls emitPopScopes().  emitPopScopes() may do finally clause handling
        which will require the m_localScopes to be cloned so that it can change
        the local scopes for the finally block, and then restore it after
        handling the finally clause.  These modifications of the m_localScopes
        vector will result in the LabelScope pointer in BreakNode::emitBytecode()
        becoming stale, thereby causing the crash.

        The same issue applies to the ContinueNode as well.

        The fix is to use the existing LabelScopePtr abstraction instead of raw
        LabelScope pointers.  The LabelScopePtr is resilient to the underlying
        vector re-allocating its backing store.

        I also changed the LabelScopePtr constructor that takes a LabelScopeStore
        to expect a reference to the owner store instead of a pointer because the
        owner store should never be a null pointer.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::newLabelScope):
        (JSC::BytecodeGenerator::breakTarget):
        (JSC::BytecodeGenerator::continueTarget):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/LabelScope.h:
        (JSC::LabelScopePtr::LabelScopePtr):
        (JSC::LabelScopePtr::operator bool):
        (JSC::LabelScopePtr::null):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ContinueNode::trivialTarget):
        (JSC::ContinueNode::emitBytecode):
        (JSC::BreakNode::trivialTarget):
        (JSC::BreakNode::emitBytecode):
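
An added C++ illustration, not WebKit's code, of the hazard and the fix the entry above describes: a raw pointer into a `std::vector` goes stale once a nested operation appends to that vector and it reallocates, while a handle that stores the owning vector plus an index (in the spirit of LabelScopePtr) re-resolves on every access and stays valid. The handle takes the owner by reference for the reason the entry gives, an owner store is never null. `Scope`, `ScopeHandle` and `pushTemporaryScopes` are assumed names standing in for LabelScope, LabelScopePtr and the finally-clause handling in emitPopScopes().

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical stand-in for LabelScope.
struct Scope {
    std::string name;
    int depth;
};

// Index-based handle: holds the owning vector by reference (an owner must
// never be null) plus an index, and looks the element up on each access,
// so it survives the vector moving its backing store.
class ScopeHandle {
public:
    ScopeHandle(std::vector<Scope>& store, size_t index)
        : m_store(store), m_index(index) {}
    Scope& operator*() const { return m_store[m_index]; }
    Scope* operator->() const { return &m_store[m_index]; }
    size_t index() const { return m_index; }
private:
    std::vector<Scope>& m_store;
    size_t m_index;
};

// Stand-in for the finally-clause path: it appends temporary scopes to the
// store, which may force a reallocation and invalidate every raw pointer
// and iterator into it.
void pushTemporaryScopes(std::vector<Scope>& store, size_t count) {
    for (size_t i = 0; i < count; ++i)
        store.push_back({"finally", static_cast<int>(store.size())});
}

// Fixed pattern: the break target is held as a handle, so reading it after
// the store has grown yields the right element.
std::string readThroughHandle() {
    std::vector<Scope> store;
    store.reserve(1);               // tiny capacity so the growth below reallocates
    store.push_back({"loop", 0});
    ScopeHandle target(store, 0);   // like BreakNode keeping a LabelScopePtr
    pushTemporaryScopes(store, 8);  // backing store moves
    return target->name;            // still "loop": index re-resolved on access
}

// Buggy pattern, instrumented rather than dereferenced: the address is
// recorded while the raw pointer is still valid, then compared with where
// the element lives after the growth. Dereferencing `raw` after the push
// would be the use-after-free the entry fixes.
bool rawPointerWentStale() {
    std::vector<Scope> store;
    store.reserve(1);
    store.push_back({"loop", 0});
    Scope* raw = &store[0];
    const uintptr_t before = reinterpret_cast<uintptr_t>(raw); // taken while valid
    pushTemporaryScopes(store, 8);
    const uintptr_t after = reinterpret_cast<uintptr_t>(&store[0]);
    return before != after; // true: the element moved, so `raw` no longer points at it
}
```

The same rule applies to iterators and references obtained from the vector: anything that names the old buffer must be re-derived from the index after a call that can append to the store.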

2014-03-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        6% SunSpider commandline regression due to r165940
        https://bugs.webkit.org/show_bug.cgi?id=130617

        Reviewed by Michael Saboff.

        In GCActivityCallback::didAllocate, lastGCLength() returns 0 if we've never collected
        before. Some of the benchmarks are never running a single EdenCollection, which causes
        them to repeatedly call scheduleTimer with a newDelay of 0. This defeats our timer
        slop heuristic, causing us to invoke CFRunLoopTimerSetNextFireDate a couple orders of
        magnitude more than we normally would.

        The fix is to seed the last GC lengths in Heap with a non-zero length so that our heuristic works.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):

2014-03-21  Filip Pizlo  <fpizlo@apple.com>

        Constants folded by DFG::ByteCodeParser should not be dead.
        https://bugs.webkit.org/show_bug.cgi?id=130576

        Reviewed by Mark Hahnenberg.

        This fixes bugs in the ByteCodeParser's constant folder by removing that constant folder. This
        reduces the number of folders in JSC from fourish to just threeish (parser, DFG AI, and one
        or more folders in LLVM). Doing so has no performance impact since the other constant folders
        already subsume this one.

        Also added a test case for the specific bug that instigated this.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getJSConstantForValue):
        (JSC::DFG::ByteCodeParser::getJSConstant):
        (JSC::DFG::ByteCodeParser::inferredConstant):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        * dfg/DFGNodeFlags.h:
        * tests/stress/constand-folding-osr-exit.js: Added.
        (foo):
        (test):
        (.var):

2014-03-21  Mark Lam  <mark.lam@apple.com>

        StackLayoutPhase should find the union'ed calleeVariable before accessing its machineLocal.
        <https://webkit.org/b/130566>

        Reviewed by Filip Pizlo.

        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):

2014-03-20  Filip Pizlo  <fpizlo@apple.com>

        FTL should correctly compile GetByVal on Uint32Array that claims to return non-int32 values
        https://bugs.webkit.org/show_bug.cgi?id=130562
        <rdar://problem/16382842>

        Reviewed by Geoffrey Garen.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        * tests/stress/uint32array-unsigned-load.js: Added.
        (foo):

2014-03-20  Brian Burg  <bburg@apple.com>

        Web Inspector: add frontend controller and models for replay sessions
        https://bugs.webkit.org/show_bug.cgi?id=130145

        Reviewed by Joseph Pecoraro.

        * inspector/scripts/CodeGeneratorInspector.py: Add the conditional Replay domain.

2014-03-20  Filip Pizlo  <fpizlo@apple.com>

        FTL ValueToInt32 mishandles the constant case, and by the way, there is a constant case that the FTL sees
        https://bugs.webkit.org/show_bug.cgi?id=130546
        <rdar://problem/16383308>

        Reviewed by Mark Hahnenberg.

        Make AI do a better job of folding this.

        Also made the FTL backend be more tolerant of data representations. In this case it
        didn't know that "constant" was a valid representation. There is a finite set of
        possible representations, but broadly, we don't write code that presumes anything
        about the representation of an input; that's what methods like lowJSValue() are for.
        ValueToInt32 was previously not relying on those methods at all because it had some
        hacks. Now, those hacks are just a fast-path optimization but ultimately we fall down
        to lowJSValue().

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
        (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
        * tests/stress/value-to-int32-undefined-constant.js: Added.
        (foo):
        * tests/stress/value-to-int32-undefined.js: Added.
        (foo):

2014-03-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add some assertions back
        https://bugs.webkit.org/show_bug.cgi?id=130531
779
780         Reviewed by Geoffrey Garen.
781
782         We removed a useful set of assertions for verifying that MarkedBlocks were 
783         in the state that we expected them to be in after clearing marks in the Heap. 
784         We should add these back to catch bugs earlier.
785
786         * heap/MarkedBlock.h:
787         * heap/MarkedSpace.cpp:
788         (JSC::VerifyMarkedOrRetired::operator()):
789         (JSC::MarkedSpace::clearMarks):
790
791 2014-03-20  Filip Pizlo  <fpizlo@apple.com>
792
793         Implement stackmap header version check and support new stackmap formats
794         https://bugs.webkit.org/show_bug.cgi?id=130535
795         <rdar://problem/16164284>
796
797         Reviewed by Geoffrey Garen.
798         
799         Add the notion of versioning so that LLVMers can happily implement new stackmap formats
800         without worrying about WebKit getting version-locked to LLVM. In the future, we will have
801         to implement parsing for a new LLVM stackmap format before it lands in LLVM, or we'll have
802         to have a "max usable LLVM revision" limit. But, thanks to versioning, we'll always be
803         happy to move backward in time to older versions of LLVM.
804
805         * ftl/FTLStackMaps.cpp:
806         (JSC::FTL::readObject):
807         (JSC::FTL::StackMaps::Constant::parse):
808         (JSC::FTL::StackMaps::StackSize::parse):
809         (JSC::FTL::StackMaps::Location::parse):
810         (JSC::FTL::StackMaps::Record::parse):
811         (JSC::FTL::StackMaps::parse):
812         (JSC::FTL::StackMaps::dump):
813         (JSC::FTL::StackMaps::dumpMultiline):
814         * ftl/FTLStackMaps.h:
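
        The versioning idea described in this entry, as an added example that is neither WebKit's nor LLVM's code: the table layout below (a version byte, a stack size, and from v1 on a record count) is a constructed, hypothetical format chosen only to show the pattern, not LLVM's real stackmap layout. The version byte selects the parser, a version the reader does not know is refused rather than misparsed, and every read is bounds-checked so a truncated blob fails cleanly instead of reading past its end. `Reader`, `Table`, `parseTable` and `parsesAs` are names invented for this example.

```cpp
// Added example, not WebKit or LLVM code. Hypothetical versioned table format,
// parsed with bounds-checked reads and an explicit unsupported-version path.
#include <cstddef>
#include <cstdint>
#include <vector>

// Cursor over an immutable byte buffer. Each read returns false on failure rather
// than reading out of bounds, in the spirit of a readObject()-style helper.
class Reader {
public:
    Reader(const uint8_t* data, size_t size) : m_data(data), m_size(size), m_offset(0) {}

    bool readU8(uint8_t& out)
    {
        if (m_size - m_offset < 1)
            return false;
        out = m_data[m_offset++];
        return true;
    }

    bool readU32(uint32_t& out) // little-endian
    {
        if (m_size - m_offset < 4)
            return false;
        const uint8_t* p = m_data + m_offset;
        out = uint32_t(p[0]) | (uint32_t(p[1]) << 8) | (uint32_t(p[2]) << 16) | (uint32_t(p[3]) << 24);
        m_offset += 4;
        return true;
    }

private:
    const uint8_t* m_data;
    size_t m_size;
    size_t m_offset;
};

struct Table {
    uint8_t version = 0;
    uint32_t stackSize = 0;
    uint32_t numRecords = 0; // only present from v1 on; stays 0 for v0 blobs
};

enum class ParseStatus { Ok, Truncated, UnsupportedVersion };

// Hypothetical layout (constructed for this example):
//   v0: u8 version, u32 stackSize
//   v1: u8 version, u32 stackSize, u32 numRecords
// Anything newer is refused: this reader cannot know what later fields mean.
ParseStatus parseTable(const uint8_t* blob, size_t size, Table& out)
{
    Reader r(blob, size);
    out = Table{};
    if (!r.readU8(out.version))
        return ParseStatus::Truncated;
    switch (out.version) {
    case 0:
        if (!r.readU32(out.stackSize))
            return ParseStatus::Truncated;
        return ParseStatus::Ok;
    case 1:
        if (!r.readU32(out.stackSize) || !r.readU32(out.numRecords))
            return ParseStatus::Truncated;
        return ParseStatus::Ok;
    default:
        return ParseStatus::UnsupportedVersion;
    }
}

// Checks a blob against an expected status and, when parsing succeeds, the
// expected field values.
bool parsesAs(const std::vector<uint8_t>& blob, ParseStatus status, uint32_t stackSize, uint32_t numRecords)
{
    Table t;
    ParseStatus s = parseTable(blob.data(), blob.size(), t);
    if (s != status)
        return false;
    return s != ParseStatus::Ok || (t.stackSize == stackSize && t.numRecords == numRecords);
}

// Constructed sample blobs (not real stackmap data).
const std::vector<uint8_t> kV0Blob = { 0x00, 0x40, 0x00, 0x00, 0x00 };                         // v0, stackSize 64
const std::vector<uint8_t> kV1Blob = { 0x01, 0x80, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00 }; // v1, stackSize 128, 3 records
const std::vector<uint8_t> kV1Short = { 0x01, 0x80, 0x00, 0x00, 0x00, 0x03 };                  // v1 cut off mid-field
const std::vector<uint8_t> kFutureBlob = { 0x07, 0x00, 0x00, 0x00, 0x00 };                     // version this reader does not know

int main()
{
    // Exit status 0 only if the well-formed v1 blob parses as expected.
    return parsesAs(kV1Blob, ParseStatus::Ok, 128, 3) ? 0 : 1;
}
```

        The point that carries over to any binary format consumed from another component: the version check runs before any version-specific field is interpreted, and the reader never trusts the blob's length implicitly, so moving backward to an older producer keeps working while an unknown newer format is rejected up front.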
815
816 2014-03-20  Filip Pizlo  <fpizlo@apple.com>
817
818         Crash beneath operationTearOffActivation running this JS compression demo
819         https://bugs.webkit.org/show_bug.cgi?id=130295
820         <rdar://problem/16332337>
821
822         Reviewed by Oliver Hunt.
823         
824         Make sure that we flush things as if we were at a terminal, if we are at a block with
825         no forward edges. This fixes infinitely loopy code with captured variables.
826
827         Make sure that the CFG simplifier adds explicit flushes whenever it jettisons a block.
828         
829         Make it so that NodeIsFlushed is a thing. Previously only SSA used it and it computed
830         it by itself. Now it's an artifact of CPS rethreading.
831         
832         Add a bunch of tests. All of them previously either crashed or returned bad output due
833         to memory corruption.
834
835         * bytecode/CodeBlock.cpp:
836         (JSC::CodeBlock::isCaptured):
837         * dfg/DFGByteCodeParser.cpp:
838         (JSC::DFG::ByteCodeParser::flushForTerminal):
839         (JSC::DFG::ByteCodeParser::flushForReturn):
840         (JSC::DFG::ByteCodeParser::flushIfTerminal):
841         (JSC::DFG::ByteCodeParser::branchData):
842         (JSC::DFG::ByteCodeParser::parseBlock):
843         * dfg/DFGCFGSimplificationPhase.cpp:
844         (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
845         * dfg/DFGCPSRethreadingPhase.cpp:
846         (JSC::DFG::CPSRethreadingPhase::run):
847         (JSC::DFG::CPSRethreadingPhase::computeIsFlushed):
848         (JSC::DFG::CPSRethreadingPhase::addFlushedLocalOp):
849         (JSC::DFG::CPSRethreadingPhase::addFlushedLocalEdge):
850         * dfg/DFGCSEPhase.cpp:
851         (JSC::DFG::CSEPhase::performNodeCSE):
852         * dfg/DFGGraph.cpp:
853         (JSC::DFG::Graph::clearFlagsOnAllNodes):
854         * dfg/DFGGraph.h:
855         * dfg/DFGNode.h:
856         * dfg/DFGNodeFlags.cpp:
857         (JSC::DFG::dumpNodeFlags):
858         * dfg/DFGNodeFlags.h:
859         * dfg/DFGSSAConversionPhase.cpp:
860         (JSC::DFG::SSAConversionPhase::run):
861         * tests/stress/activation-test-loop.js: Added.
862         (Inner.this.doStuff):
863         (Inner):
864         (foo.inner.isDone):
865         (foo):
866         * tests/stress/inferred-infinite-loop-that-uses-captured-variables.js: Added.
867         (bar):
868         (foo):
869         (noInline):
870         * tests/stress/infinite-loop-that-uses-captured-variables-before-throwing.js: Added.
871         (bar):
872         (foo):
873         (noInline):
874         * tests/stress/infinite-loop-that-uses-captured-variables-but-they-do-not-escape.js: Added.
875         (bar):
876         (foo):
877         (noInline):
878         * tests/stress/infinite-loop-that-uses-captured-variables-with-osr-entry.js: Added.
879         (bar):
880         (foo):
881         (noInline):
882         * tests/stress/infinite-loop-that-uses-captured-variables.js: Added.
883         (bar):
884         (foo):
885         (noInline):
886         * tests/stress/tricky-indirectly-inferred-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
887         (bar):
888         (fuzz):
889         (foo.f):
890         (foo):
891         * tests/stress/tricky-inferred-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
892         (bar):
893         (foo.f):
894         (foo):
895         * tests/stress/tricky-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
896         (bar):
897         (foo.f):
898         (foo):
899         * tests/stress/tricky-infinite-loop-that-uses-captured-variables.js: Added.
900         (bar):
901         (foo):
902         (noInline):
903
904 2014-03-20  Oliver Hunt  <oliver@apple.com>
905
906         Incorrect behavior when mutating a typed array during set.
907         https://bugs.webkit.org/show_bug.cgi?id=130428
908
909         Reviewed by Geoffrey Garen.
910
911         This fixes a null dereference that occurs if a typed array
912         is mutated during the set() operation. The patch gets rid
913         of the "Quickly" version of setIndex that is assigning
914         JSValues of unknown type, as the numeric conversion can trigger
915         side effects that lead to neutering, and so we deref null.
916
917         * runtime/JSGenericTypedArrayView.h:
918         (JSC::JSGenericTypedArrayView::setIndex):
919         * runtime/JSGenericTypedArrayViewInlines.h:
920         (JSC::JSGenericTypedArrayView<Adaptor>::set):
921         (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
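
        As an added illustration of the ordering problem this entry describes (example code, not JavaScriptCore's own), a toy C++ model of a typed-array set(): converting a source element to a number can run script, and that script may neuter the very buffer being written into. The model keeps the safe ordering the entry arrives at, convert everything first and only then re-validate and write, so no storage pointer is ever held across a conversion. `ToyTypedArray`, `Element`, `safeSet` and the neutering element are constructed for this example.

```cpp
// Added example, not JavaScriptCore code. Toy model of set() on a typed array
// whose backing store can be neutered by a side effect of element conversion.
#include <cstddef>
#include <functional>
#include <memory>
#include <vector>

// Stand-in for a typed array whose backing store can be neutered (detached).
struct ToyTypedArray {
    std::unique_ptr<std::vector<double>> storage;
    explicit ToyTypedArray(size_t n) : storage(new std::vector<double>(n, 0.0)) {}
    void neuter() { storage.reset(); }              // models ArrayBuffer neutering
    bool isNeutered() const { return !storage; }
    size_t length() const { return storage ? storage->size() : 0; }
};

// A source element whose conversion "runs script": it receives the target so the
// side effect can touch it, much as valueOf() could in the engine.
using Element = std::function<double(ToyTypedArray&)>;

enum class SetResult { Ok, Neutered, RangeError };

// Hardened set(): all conversions happen before any write, so every side effect
// has already run when the target is re-validated. The removed fast path would
// have written through storage obtained before the conversion and hit null here.
SetResult safeSet(ToyTypedArray& target, const std::vector<Element>& source, size_t offset)
{
    std::vector<double> converted;
    converted.reserve(source.size());
    for (const Element& e : source)
        converted.push_back(e(target));         // may run "script" that neuters target

    if (target.isNeutered())
        return SetResult::Neutered;
    if (offset > target.length() || converted.size() > target.length() - offset)
        return SetResult::RangeError;           // bounds checked against the current length

    std::vector<double>& data = *target.storage;
    for (size_t i = 0; i < converted.size(); ++i)
        data[offset + i] = converted[i];
    return SetResult::Ok;
}

// Constructed element kinds.
Element plain(double v) { return [v](ToyTypedArray&) { return v; }; }
Element neuteringElement(double v) { return [v](ToyTypedArray& t) { t.neuter(); return v; }; }

// Benign source: values land in the target at the requested offset.
bool benignCopyWorks()
{
    ToyTypedArray target(4);
    SetResult r = safeSet(target, { plain(1), plain(2), plain(3) }, 1);
    return r == SetResult::Ok && (*target.storage)[0] == 0 && (*target.storage)[1] == 1 && (*target.storage)[3] == 3;
}

// Hostile source: the second element neuters the target during conversion, so
// set() must report that instead of touching the freed store.
bool hostileSourceIsRejected()
{
    ToyTypedArray target(4);
    SetResult r = safeSet(target, { plain(1), neuteringElement(2), plain(3) }, 0);
    return r == SetResult::Neutered && target.isNeutered();
}

// Oversized source: the length check happens after conversion, so a side effect
// cannot invalidate it.
bool oversizedSourceIsRejected()
{
    ToyTypedArray target(2);
    return safeSet(target, { plain(1), plain(2), plain(3) }, 0) == SetResult::RangeError;
}

int main()
{
    return (benignCopyWorks() && hostileSourceIsRejected() && oversizedSourceIsRejected()) ? 0 : 1;
}
```

        The shape generalises beyond typed arrays: whenever a copy loop calls back into untrusted code per element, either perform all callbacks before taking any reference to the destination, or re-fetch and re-validate the destination after every callback.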
922
923 2014-03-20  Gavin Barraclough  <barraclough@apple.com>
924
925         Remove IdentifierTable typedef, isIdentifier()
926         https://bugs.webkit.org/show_bug.cgi?id=130533
927
928         Rubber stamped by Geoff Garen.
929
930         Code should use AtomicStringTable, isAtomic() directly.
931
932         * API/JSClassRef.cpp:
933         (OpaqueJSClass::~OpaqueJSClass):
934         (OpaqueJSClassContextData::OpaqueJSClassContextData):
935         (OpaqueJSClass::className):
936         * API/JSClassRef.h:
937         * bytecode/SpeculatedType.cpp:
938         (JSC::speculationFromCell):
939         * bytecompiler/BytecodeGenerator.cpp:
940         (JSC::BytecodeGenerator::BytecodeGenerator):
941         * dfg/DFGSpeculativeJIT.cpp:
942         (JSC::DFG::SpeculativeJIT::compileIn):
943         (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
944         * ftl/FTLLowerDFGToLLVM.cpp:
945         (JSC::FTL::LowerDFGToLLVM::speculateStringIdent):
946         * heap/Heap.cpp:
947         (JSC::Heap::collect):
948         * interpreter/CallFrame.h:
949         (JSC::ExecState::atomicStringTable):
950         * parser/ASTBuilder.h:
951         (JSC::ASTBuilder::addVar):
952         * parser/Parser.cpp:
953         (JSC::Parser<LexerType>::createBindingPattern):
954         * runtime/Completion.cpp:
955         (JSC::checkSyntax):
956         (JSC::evaluate):
957         * runtime/Identifier.cpp:
958         (JSC::Identifier::checkCurrentAtomicStringTable):
959         * runtime/Identifier.h:
960         (JSC::Identifier::Identifier):
961         * runtime/IdentifierInlines.h:
962         (JSC::Identifier::add):
963         * runtime/JSCJSValue.cpp:
964         (JSC::JSValue::dumpInContext):
965         * runtime/JSLock.cpp:
966         (JSC::JSLock::didAcquireLock):
967         (JSC::JSLock::willReleaseLock):
968         (JSC::JSLock::DropAllLocks::DropAllLocks):
969         (JSC::JSLock::DropAllLocks::~DropAllLocks):
970         * runtime/JSLock.h:
971         * runtime/PropertyMapHashTable.h:
972         (JSC::PropertyTable::find):
973         (JSC::PropertyTable::get):
974         (JSC::PropertyTable::findWithString):
975         * runtime/PropertyName.h:
976         (JSC::PropertyName::PropertyName):
977         * runtime/PropertyNameArray.cpp:
978         (JSC::PropertyNameArray::add):
979         * runtime/VM.cpp:
980         (JSC::VM::VM):
981         (JSC::VM::~VM):
982         * runtime/VM.h:
983         (JSC::VM::atomicStringTable):
984
985 2014-03-20  Gavin Barraclough  <barraclough@apple.com>
986
987         Merge AtomicString, Identifier
988         https://bugs.webkit.org/show_bug.cgi?id=128624
989
990         Reviewed by Geoff Garen.
991
992         WTF::StringImpl currently supports two uniquing mechanisms - AtomicString and
993         Identifier - that is one too many.
994
995         Remove Identifier in favour of AtomicString. Identifier had two interesting
996         mechanisms that we preserve.
997
998         (1) JSC API VMs each get their own string table, switch the string table on
999             API entry/exit.
1000         (2) JSC caches a pointer to the string table on the VM to avoid a thread
1001             specific access. Adds a new AtomicString::add method to support this.
1002
1003         * API/JSAPIWrapperObject.mm:
1004             - updated includes.
1005         * JavaScriptCore.xcodeproj/project.pbxproj:
1006             - added IdentifierInlines.h.
1007         * inspector/JSInjectedScriptHostPrototype.cpp:
1008         * inspector/JSJavaScriptCallFramePrototype.cpp:
1009             - updated includes.
1010         * interpreter/CallFrame.h:
1011         (JSC::ExecState::atomicStringTable):
1012             - added, used via AtomicString::add to avoid thread-specific access.
1013         * runtime/ConsolePrototype.cpp:
1014             - updated includes.
1015         * runtime/Identifier.cpp:
1016         (JSC::Identifier::add):
1017         (JSC::Identifier::add8):
1018             - vm->smallStrings.singleCharacterStringRep now returns Atomic strings, use AtomicString::add.
1019         * runtime/Identifier.h:
1020         (JSC::Identifier::Identifier):
1021             - added ASSERTS.
1022         (JSC::Identifier::add):
1023             - vm->smallStrings.singleCharacterStringRep now returns Atomic strings, use AtomicString::add.
1024         * runtime/IdentifierInlines.h: Added.
1025         (JSC::Identifier::add):
1026             - moved from Identifier.h, use AtomicString::add.
1027         * runtime/JSCInlines.h:
1028             - added IdentifierInlines.h.
1029         * runtime/JSLock.h:
1030             - removed IdentifierTable.
1031         * runtime/PropertyNameArray.cpp:
1032             - updated includes.
1033         * runtime/SmallStrings.cpp:
1034         (JSC::SmallStringsStorage::SmallStringsStorage):
1035             - ensure all single character strings are Atomic.
1036         * runtime/VM.cpp:
1037         (JSC::VM::VM):
1038             - instantiate CommonIdentifiers with the correct AtomicStringTable set on thread data.
1039         * runtime/VM.h:
1040         (JSC::VM::atomicStringTable):
1041             - added, used via AtomicString::add to avoid thread-specific access.
1042
1043 2014-03-20  Gabor Rapcsanyi  <rgabor@webkit.org>
1044
1045         [ARM64] Fix assembler build issues and add cacheFlush support for Linux
1046         https://bugs.webkit.org/show_bug.cgi?id=130502
1047
1048         Reviewed by Michael Saboff.
1049
1050         Add limits.h for INT_MIN in ARM64Assembler(). Delete shouldBlindForSpecificArch(uintptr_t)
1051         because on ARM64 uint64_t and uintptr_t are the same with GCC and Clang as well.
1052         Add cacheFlush support for Linux.
1053
1054         * assembler/ARM64Assembler.h:
1055         (JSC::ARM64Assembler::linuxPageFlush):
1056         (JSC::ARM64Assembler::cacheFlush):
1057         * assembler/MacroAssemblerARM64.h:
1058         (JSC::MacroAssemblerARM64::shouldBlindForSpecificArch):
1059
1060 2014-03-19  Gavin Barraclough  <barraclough@apple.com>
1061
1062         https://bugs.webkit.org/show_bug.cgi?id=130494
1063         EmptyUnique strings are Identifiers/Atomic
1064
1065         Reviewed by Geoff Garen.
1066
1067         EmptyUnique strings should set the Identifier/Atomic flag.
1068
1069         This fixes an unreproducible bug we believe exists in Identifier handling.
1070         Expected behaviour is that while Identifiers may reference EmptyUniques
1071         (StringImpls allocated as UIDs for PrivateNames), these are not created
1072         through the main Identifier constructor, the Identifier flag is not set
1073         on PrivateNames, and we should never lookup EmptyUnique strings in the
1074         IdentifierTable.
1075
1076         Unfortunately that was happening. Some tables used to implement property
1077         access in the JIT hold StringImpl*s, and turn these back into Identifiers
1078         using the identifier constructor. Since the code generator will now plant
1079         by-id (cachable) accesses to PrivateNames we can end up passing an
1080         EmptyUnique to Identifier::add, potentially leading to PrivateNames being
1081         uniqued together (though hard to prove, since the hash codes are random).
1082
1083         * runtime/PropertyName.h:
1084         (JSC::PropertyName::PropertyName):
1085         (JSC::PropertyName::uid):
1086         (JSC::PropertyName::publicName):
1087         (JSC::PropertyName::asIndex):
1088             - PropertyName assumed that PrivateNames are not Identifiers - instead check isEmptyUnique().
1089         * runtime/Structure.cpp:
1090         (JSC::Structure::getPropertyNamesFromStructure):
1091             - Structure assumed that PrivateNames are not Identifiers - instead check isEmptyUnique().
1092
1093 2014-03-19  Filip Pizlo  <fpizlo@apple.com>
1094
1095         Unreviewed, revert the DFGCommon.h change in r165938. It was not intentional.
1096
1097         * dfg/DFGCommon.h:
1098
1099 2014-03-19  Mark Hahnenberg  <mhahnenberg@apple.com>
1100
1101         GC timer should intelligently choose between EdenCollections and FullCollections
1102         https://bugs.webkit.org/show_bug.cgi?id=128261
1103
1104         Reviewed by Geoffrey Garen.
1105
1106         Most of the GCs while browsing the web are due to the GC timer. Currently the GC timer 
1107         always does FullCollections. To reduce the impact of the GC timer on the system this patch
1108         changes Heap so that it has two timers, one for each type of collection. The FullCollection
1109         timer is notified at the end of EdenCollections how much the Heap has grown since the last 
1110         FullCollection and when somebody notifies the Heap of abandoned memory (which usually wouldn't 
1111         be detected by an EdenCollection).
1112
1113         * CMakeLists.txt:
1114         * GNUmakefile.list.am:
1115         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1116         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1117         * JavaScriptCore.xcodeproj/project.pbxproj:
1118         * heap/EdenGCActivityCallback.cpp: Added.
1119         (JSC::EdenGCActivityCallback::EdenGCActivityCallback):
1120         (JSC::EdenGCActivityCallback::doCollection):
1121         (JSC::EdenGCActivityCallback::lastGCLength):
1122         (JSC::EdenGCActivityCallback::deathRate):
1123         (JSC::EdenGCActivityCallback::gcTimeSlice):
1124         * heap/EdenGCActivityCallback.h: Added.
1125         (JSC::GCActivityCallback::createEdenTimer):
1126         * heap/FullGCActivityCallback.cpp: Added.
1127         (JSC::FullGCActivityCallback::FullGCActivityCallback):
1128         (JSC::FullGCActivityCallback::doCollection):
1129         (JSC::FullGCActivityCallback::lastGCLength):
1130         (JSC::FullGCActivityCallback::deathRate):
1131         (JSC::FullGCActivityCallback::gcTimeSlice):
1132         * heap/FullGCActivityCallback.h: Added.
1133         (JSC::GCActivityCallback::createFullTimer):
1134         * heap/GCActivityCallback.cpp:
1135         (JSC::GCActivityCallback::GCActivityCallback):
1136         (JSC::GCActivityCallback::doWork):
1137         (JSC::GCActivityCallback::scheduleTimer):
1138         (JSC::GCActivityCallback::cancelTimer):
1139         (JSC::GCActivityCallback::didAllocate):
1140         (JSC::GCActivityCallback::willCollect):
1141         (JSC::GCActivityCallback::cancel):
1142         * heap/GCActivityCallback.h:
1143         * heap/Heap.cpp:
1144         (JSC::Heap::Heap):
1145         (JSC::Heap::reportAbandonedObjectGraph):
1146         (JSC::Heap::didAbandon):
1147         (JSC::Heap::collectAllGarbage):
1148         (JSC::Heap::collect):
1149         (JSC::Heap::willStartCollection):
1150         (JSC::Heap::updateAllocationLimits):
1151         (JSC::Heap::didFinishCollection):
1152         (JSC::Heap::setFullActivityCallback):
1153         (JSC::Heap::setEdenActivityCallback):
1154         (JSC::Heap::fullActivityCallback):
1155         (JSC::Heap::edenActivityCallback):
1156         (JSC::Heap::setGarbageCollectionTimerEnabled):
1157         (JSC::Heap::didAllocate):
1158         (JSC::Heap::shouldDoFullCollection):
1159         * heap/Heap.h:
1160         (JSC::Heap::lastFullGCLength):
1161         (JSC::Heap::lastEdenGCLength):
1162         (JSC::Heap::increaseLastFullGCLength):
1163         (JSC::Heap::sizeBeforeLastEdenCollection):
1164         (JSC::Heap::sizeAfterLastEdenCollection):
1165         (JSC::Heap::sizeBeforeLastFullCollection):
1166         (JSC::Heap::sizeAfterLastFullCollection):
1167         * heap/HeapOperation.h:
1168         * heap/HeapStatistics.cpp:
1169         (JSC::HeapStatistics::showObjectStatistics):
1170         * heap/HeapTimer.cpp:
1171         (JSC::HeapTimer::timerDidFire):
1172         * jsc.cpp:
1173         (functionFullGC):
1174         (functionEdenGC):
1175         * runtime/Options.h:
1176
1177 2014-03-19  Commit Queue  <commit-queue@webkit.org>
1178
1179         Unreviewed, rolling out r165926.
1180         https://bugs.webkit.org/show_bug.cgi?id=130488
1181
1182         broke the iOS build (Requested by estes on #webkit).
1183
1184         Reverted changeset:
1185
1186         "GC timer should intelligently choose between EdenCollections
1187         and FullCollections"
1188         https://bugs.webkit.org/show_bug.cgi?id=128261
1189         http://trac.webkit.org/changeset/165926
1190
1191 2014-03-13  Mark Hahnenberg  <mhahnenberg@apple.com>
1192
1193         GC timer should intelligently choose between EdenCollections and FullCollections
1194         https://bugs.webkit.org/show_bug.cgi?id=128261
1195
1196         Reviewed by Geoffrey Garen.
1197
1198         Most of the GCs while browsing the web are due to the GC timer. Currently the GC timer 
1199         always does FullCollections. To reduce the impact of the GC timer on the system this patch
1200         changes Heap so that it has two timers, one for each type of collection. The FullCollection
1201         timer is notified at the end of EdenCollections how much the Heap has grown since the last 
1202         FullCollection and when somebody notifies the Heap of abandoned memory (which wouldn't be 
1203         detected by an EdenCollection).
1204
1205         * heap/GCActivityCallback.cpp:
1206         (JSC::GCActivityCallback::GCActivityCallback):
1207         (JSC::GCActivityCallback::doWork):
1208         (JSC::FullGCActivityCallback::FullGCActivityCallback):
1209         (JSC::FullGCActivityCallback::doCollection):
1210         (JSC::EdenGCActivityCallback::EdenGCActivityCallback):
1211         (JSC::EdenGCActivityCallback::doCollection):
1212         (JSC::GCActivityCallback::scheduleTimer):
1213         (JSC::GCActivityCallback::cancelTimer):
1214         (JSC::GCActivityCallback::didAllocate):
1215         (JSC::GCActivityCallback::willCollect):
1216         (JSC::GCActivityCallback::cancel):
1217         * heap/GCActivityCallback.h:
1218         (JSC::GCActivityCallback::GCActivityCallback):
1219         (JSC::GCActivityCallback::createFullTimer):
1220         (JSC::GCActivityCallback::createEdenTimer):
1221         * heap/Heap.cpp:
1222         (JSC::Heap::Heap):
1223         (JSC::Heap::didAbandon):
1224         (JSC::Heap::willStartCollection):
1225         (JSC::Heap::updateAllocationLimits):
1226         (JSC::Heap::setFullActivityCallback):
1227         (JSC::Heap::setEdenActivityCallback):
1228         (JSC::Heap::fullActivityCallback):
1229         (JSC::Heap::edenActivityCallback):
1230         (JSC::Heap::setGarbageCollectionTimerEnabled):
1231         (JSC::Heap::didAllocate):
1232         * heap/Heap.h:
1233         * heap/HeapTimer.cpp:
1234         (JSC::HeapTimer::timerDidFire):
1235
1236 2014-03-19  Filip Pizlo  <fpizlo@apple.com>
1237
1238         REGRESSION(r165459): It broke 109 jsc stress test on ARM Thumb2 and Mac 32 bit
1239         https://bugs.webkit.org/show_bug.cgi?id=130134
1240
1241         Reviewed by Mark Hahnenberg.
1242
1243         * dfg/DFGFixupPhase.cpp:
1244         (JSC::DFG::FixupPhase::fixupNode): Can't do some optimizations if you don't have a lot of registers.
1245         * dfg/DFGSpeculativeJIT32_64.cpp:
1246         (JSC::DFG::SpeculativeJIT::cachedGetById): Move stuff around before going into the IC code to ensure that we give the IC code the invariants it needs. This only happens in case of GetByIdFlush, where we are forced into using weird combinations of registers because the results have to be in t0/t1.
1247         (JSC::DFG::SpeculativeJIT::compile): For a normal GetById, the register allocator should just do the right thing so nobody has to move anything around.
1248         * jit/JITInlineCacheGenerator.cpp:
1249         (JSC::JITGetByIdGenerator::JITGetByIdGenerator): Assert the things we want.
1250         * jit/JITInlineCacheGenerator.h:
1251         * jit/Repatch.cpp:
1252         (JSC::generateGetByIdStub): Remove a previous incomplete hack to try to work around the DFG's problem.
1253
1254 2014-03-19  Mark Hahnenberg  <mhahnenberg@apple.com>
1255
1256         Normalize some of the older JSC options
1257         https://bugs.webkit.org/show_bug.cgi?id=128753
1258
1259         Reviewed by Michael Saboff.
1260
1261         * runtime/Options.cpp:
1262         (JSC::Options::initialize):
1263
1264 2014-03-12  Mark Lam  <mark.lam@apple.com>
1265
1266         Update type of local vars to match the type of String length.
1267         <https://webkit.org/b/130077>
1268
1269         Reviewed by Geoffrey Garen.
1270
1271         * runtime/JSStringJoiner.cpp:
1272         (JSC::JSStringJoiner::join):
1273
1274 2014-03-18  Filip Pizlo  <fpizlo@apple.com>
1275
1276         Get rid of Flush in SSA
1277         https://bugs.webkit.org/show_bug.cgi?id=130440
1278
1279         Reviewed by Sam Weinig.
1280         
1281         This is basically a red patch. We used to use backwards flow for determining what was
1282         flushed, until it became clear that this doesn't make sense. Now the Flush nodes don't
1283         accomplish anything. Keeping them around in SSA can only make things hard.
1284
1285         * CMakeLists.txt:
1286         * GNUmakefile.list.am:
1287         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1288         * JavaScriptCore.xcodeproj/project.pbxproj:
1289         * dfg/DFGBasicBlock.cpp:
1290         (JSC::DFG::BasicBlock::SSAData::SSAData):
1291         * dfg/DFGBasicBlock.h:
1292         * dfg/DFGFlushLivenessAnalysisPhase.cpp: Removed.
1293         * dfg/DFGFlushLivenessAnalysisPhase.h: Removed.
1294         * dfg/DFGGraph.cpp:
1295         (JSC::DFG::Graph::dump):
1296         * dfg/DFGPlan.cpp:
1297         (JSC::DFG::Plan::compileInThreadImpl):
1298         * dfg/DFGSSAConversionPhase.cpp:
1299         (JSC::DFG::SSAConversionPhase::run):
1300         * ftl/FTLLowerDFGToLLVM.cpp:
1301         (JSC::FTL::LowerDFGToLLVM::compileNode):
1302
1303 2014-03-18  Filip Pizlo  <fpizlo@apple.com>
1304
1305         Unreviewed, fix iOS production build.
1306
1307         * JavaScriptCore.xcodeproj/project.pbxproj:
1308
1309 2014-03-18  Michael Saboff  <msaboff@apple.com>
1310
1311         Update RegExp Tracing code
1312         https://bugs.webkit.org/show_bug.cgi?id=130381
1313
1314         Reviewed by Andreas Kling.
1315
1316         Updated the regular expression tracing code for 8/16 bit JIT as
1317         well as match only entry points.  Also added average string length
1318         metric.
1319
1320         * runtime/RegExp.cpp:
1321         (JSC::RegExp::RegExp):
1322         (JSC::RegExp::match):
1323         (JSC::RegExp::printTraceData):
1324         * runtime/RegExp.h:
1325         * runtime/VM.cpp:
1326         (JSC::VM::addRegExpToTrace):
1327         (JSC::VM::dumpRegExpTrace):
1328         * runtime/VM.h:
1329         * yarr/YarrJIT.h:
1330         (JSC::Yarr::YarrCodeBlock::get8BitMatchOnlyAddr):
1331         (JSC::Yarr::YarrCodeBlock::get16BitMatchOnlyAddr):
1332         (JSC::Yarr::YarrCodeBlock::get8BitMatchAddr):
1333         (JSC::Yarr::YarrCodeBlock::get16BitMatchAddr):
1334
1335 2014-03-17  Filip Pizlo  <fpizlo@apple.com>
1336
1337         Add CompareStrictEq(StringIdent:, NotStringVar:) and CompareStrictEq(String:, Untyped:)
1338         https://bugs.webkit.org/show_bug.cgi?id=130300
1339
1340         Reviewed by Mark Hahnenberg.
1341         
1342         We can quickly strictly compare StringIdent's to NotStringVar's and String's to Untyped's.
1343         This makes the DFG aware of this.
1344         
1345         Also adds StringIdent-to-StringIdent and StringIdent-to-NotStringVar strict comparisons to
1346         the FTL. Also adds StringIdent-to-StringIdent non-strict comparisons to the FTL.
1347         
1348         This also gives the DFG some abstractions for checking something is a cell or is other.
1349         This made this patch easier to write and also simplified a bunch of other stuff.
1350         
1351         1% speed-up on Octane.
1352
1353         * assembler/AbstractMacroAssembler.h:
1354         (JSC::AbstractMacroAssembler::JumpList::JumpList):
1355         * bytecode/SpeculatedType.h:
1356         (JSC::isNotStringVarSpeculation):
1357         * dfg/DFGFixupPhase.cpp:
1358         (JSC::DFG::FixupPhase::fixupNode):
1359         * dfg/DFGNode.h:
1360         (JSC::DFG::Node::childFor):
1361         (JSC::DFG::Node::shouldSpeculateNotStringVar):
1362         * dfg/DFGSafeToExecute.h:
1363         (JSC::DFG::SafeToExecuteEdge::operator()):
1364         * dfg/DFGSpeculativeJIT.cpp:
1365         (JSC::DFG::SpeculativeJIT::compileIn):
1366         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1367         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
1368         (JSC::DFG::SpeculativeJIT::compileInstanceOf):
1369         (JSC::DFG::SpeculativeJIT::compileStrictEq):
1370         (JSC::DFG::SpeculativeJIT::compileBooleanCompare):
1371         (JSC::DFG::SpeculativeJIT::compileStringEquality):
1372         (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality):
1373         (JSC::DFG::SpeculativeJIT::compileStringIdentEquality):
1374         (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality):
1375         (JSC::DFG::SpeculativeJIT::compileStringZeroLength):
1376         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
1377         (JSC::DFG::SpeculativeJIT::speculateString):
1378         (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
1379         (JSC::DFG::SpeculativeJIT::speculateNotStringVar):
1380         (JSC::DFG::SpeculativeJIT::speculateNotCell):
1381         (JSC::DFG::SpeculativeJIT::speculateOther):
1382         (JSC::DFG::SpeculativeJIT::speculate):
1383         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
1384         (JSC::DFG::SpeculativeJIT::emitSwitchString):
1385         * dfg/DFGSpeculativeJIT.h:
1386         (JSC::DFG::SpeculativeJIT::blessedBooleanResult):
1387         (JSC::DFG::SpeculativeJIT::unblessedBooleanResult):
1388         (JSC::DFG::SpeculativeJIT::booleanResult):
1389         * dfg/DFGSpeculativeJIT32_64.cpp:
1390         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
1391         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
1392         (JSC::DFG::SpeculativeJIT::emitCall):
1393         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1394         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1395         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1396         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1397         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1398         (JSC::DFG::SpeculativeJIT::compile):
1399         (JSC::DFG::branchIsCell):
1400         (JSC::DFG::branchNotCell):
1401         (JSC::DFG::SpeculativeJIT::branchIsOther):
1402         (JSC::DFG::SpeculativeJIT::branchNotOther):
1403         (JSC::DFG::SpeculativeJIT::moveTrueTo):
1404         (JSC::DFG::SpeculativeJIT::moveFalseTo):
1405         (JSC::DFG::SpeculativeJIT::blessBoolean):
1406         * dfg/DFGSpeculativeJIT64.cpp:
1407         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
1408         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
1409         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1410         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1411         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1412         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1413         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1414         (JSC::DFG::SpeculativeJIT::compile):
1415         (JSC::DFG::SpeculativeJIT::writeBarrier):
1416         (JSC::DFG::SpeculativeJIT::branchIsCell):
1417         (JSC::DFG::SpeculativeJIT::branchNotCell):
1418         (JSC::DFG::SpeculativeJIT::branchIsOther):
1419         (JSC::DFG::SpeculativeJIT::branchNotOther):
1420         (JSC::DFG::SpeculativeJIT::moveTrueTo):
1421         (JSC::DFG::SpeculativeJIT::moveFalseTo):
1422         (JSC::DFG::SpeculativeJIT::blessBoolean):
1423         * dfg/DFGUseKind.cpp:
1424         (WTF::printInternal):
1425         * dfg/DFGUseKind.h:
1426         (JSC::DFG::typeFilterFor):
1427         * ftl/FTLCapabilities.cpp:
1428         (JSC::FTL::canCompile):
1429         * ftl/FTLLowerDFGToLLVM.cpp:
1430         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
1431         (JSC::FTL::LowerDFGToLLVM::lowString):
1432         (JSC::FTL::LowerDFGToLLVM::lowStringIdent):
1433         (JSC::FTL::LowerDFGToLLVM::speculate):
1434         (JSC::FTL::LowerDFGToLLVM::speculateString):
1435         (JSC::FTL::LowerDFGToLLVM::speculateStringIdent):
1436         (JSC::FTL::LowerDFGToLLVM::speculateNotStringVar):
1437         * runtime/JSCJSValue.h:
1438         * tests/stress/string-ident-to-not-string-var-equality.js: Added.
1439         (foo):
1440         (bar):
1441         (test):
1442
1443 2014-03-18  Joseph Pecoraro  <pecoraro@apple.com>
1444
1445         Add Copyright to framework.sb
1446         https://bugs.webkit.org/show_bug.cgi?id=130413
1447
1448         Reviewed by Timothy Hatcher.
1449
1450         Other sb files got the copyright. Follow suit.
1451
1452         * framework.sb:
1453
1454 2014-03-18  Matthew Mirman  <mmirman@apple.com>
1455
1456         Removed extra parens from if statement in a preprocessor define.
1457         https://bugs.webkit.org/show_bug.cgi?id=130408
1458
1459         Reviewed by Filip Pizlo.
1460
1461         * parser/Parser.cpp:
1462
1463 2014-03-18  Filip Pizlo  <fpizlo@apple.com>
1464
1465         More FTL enabling.
1466
1467         Rubber stamped by Dan Bernstein and Mark Hahnenberg.
1468
1469         * Configurations/FeatureDefines.xcconfig:
1470         * ftl/FTLCompile.cpp:
1471         (JSC::FTL::compile):
1472
1473 2014-03-17  Michael Saboff  <msaboff@apple.com>
1474
1475         V8 regexp spends most of its time in operationGetById
1476         https://bugs.webkit.org/show_bug.cgi?id=130380
1477
1478         Reviewed by Filip Pizlo.
1479
1480         Added String.length case to tryCacheGetByID that will only help the BaseLine JIT.
1481         When V8 regexp is run from the command line, this nets a 2% performance improvement.
1482         When the test is run for a longer amount of time, there is much less benefit as the
1483         DFG will emit the appropriate code for String.length.  This does remove
        operationGetById as the hottest function when run from the command line.
1485
1486         * jit/Repatch.cpp:
1487         (JSC::tryCacheGetByID):
1488
1489 2014-03-17  Andreas Kling  <akling@apple.com>
1490
1491         Add one-deep cache to opaque roots hashset.
1492         <https://webkit.org/b/130357>
1493
1494         The vast majority of WebCore JS wrappers will have their Document*
1495         as the root(). This change adds a simple optimization where we cache
1496         the last lookup and avoid going to the hashset for repeated queries.
1497
1498         Looks like 0.4% progression on DYEB on my MBP.
1499
1500         Reviewed by Mark Hahnenberg.
1501
1502         * JavaScriptCore.xcodeproj/project.pbxproj:
1503         * heap/OpaqueRootSet.h: Added.
1504         (JSC::OpaqueRootSet::OpaqueRootSet):
1505         (JSC::OpaqueRootSet::contains):
1506         (JSC::OpaqueRootSet::isEmpty):
1507         (JSC::OpaqueRootSet::clear):
1508         (JSC::OpaqueRootSet::add):
1509         (JSC::OpaqueRootSet::size):
1510         (JSC::OpaqueRootSet::begin):
1511         (JSC::OpaqueRootSet::end):
1512         * heap/SlotVisitor.h:
1513
1514 2014-03-17  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>
1515
1516         Implement Math.hypot
1517         https://bugs.webkit.org/show_bug.cgi?id=129486
1518
1519         Reviewed by Darin Adler.
1520
1521         * runtime/MathObject.cpp:
1522         (JSC::MathObject::finishCreation):
1523         (JSC::mathProtoFuncHypot):
1524
1525 2014-03-17  Zsolt Borbely  <borbezs@inf.u-szeged.hu>
1526
1527         Fix the !ENABLE(PROMISES) build
1528         https://bugs.webkit.org/show_bug.cgi?id=130328
1529
1530         Reviewed by Darin Adler.
1531
1532         Add missing ENABLE(PROMISES) guards.
1533
1534         * runtime/JSGlobalObject.cpp:
1535         (JSC::JSGlobalObject::reset):
1536         (JSC::JSGlobalObject::visitChildren):
1537         * runtime/JSGlobalObject.h:
1538         * runtime/JSPromiseDeferred.cpp:
1539         * runtime/JSPromiseDeferred.h:
1540         * runtime/JSPromiseReaction.cpp:
1541         * runtime/JSPromiseReaction.h:
1542         * runtime/VM.cpp:
1543         (JSC::VM::VM):
1544         * runtime/VM.h:
1545
1546 2014-03-16  Andreas Kling  <akling@apple.com>
1547
1548         REGRESSION(r165703): JSC tests crashing in StringImpl::destroy().
1549         <https://webkit.org/b/130304>
1550
1551         Reviewed by Anders Carlsson.
1552
1553         Unreviewed, restoring the old behavior of OpaqueJSString::identifier()
1554         that doesn't put a potentially unwanted string into the Identifier table.
1555
1556         * API/OpaqueJSString.cpp:
1557         (OpaqueJSString::identifier):
1558
1559 2014-03-16  Brian Burg  <bburg@apple.com>
1560
1561         Web Inspector: generated backend commands should reflect build system ENABLE settings
1562         https://bugs.webkit.org/show_bug.cgi?id=130111
1563
1564         Reviewed by Timothy Hatcher.
1565
1566         * CMakeLists.txt:
1567
1568         Combine only the Inspector domains listed in INSPECTOR_DOMAINS,
1569         instead of globbing any .json file.
1570
1571         * DerivedSources.make:
1572
1573         Force the combined inspector protocol file to be regenerated if
1574         the content or list of domains itself changes.
1575
1576 2014-03-16  Brian Burg  <bburg@apple.com>
1577
1578         Web Inspector: vended backend commands file should be generated as part of the build
1579         https://bugs.webkit.org/show_bug.cgi?id=130110
1580
1581         Reviewed by Timothy Hatcher.
1582
1583         * JavaScriptCore.xcodeproj/project.pbxproj: Copy InspectorJSBackendCommands.js to the
1584         private headers directory.
1585
1586 2014-03-16  Darin Adler  <darin@apple.com>
1587
1588         Remove all uses of deprecatedCharacters from JavaScriptCore
1589         https://bugs.webkit.org/show_bug.cgi?id=130304
1590
1591         Reviewed by Anders Carlsson.
1592
1593         * API/JSValueRef.cpp:
1594         (JSValueMakeFromJSONString): Use characters16 in the 16-bit code path.
1595         * API/OpaqueJSString.cpp:
        (OpaqueJSString::~OpaqueJSString): Use characters16 in the 16-bit code path.
1597         (OpaqueJSString::identifier): Get rid of custom Identifier constructor, and
        just use the standard one that takes a String.
1599         (OpaqueJSString::characters): Use getCharactersWithUpconvert instead of a
1600         hand-written alternative.
1601
1602         * bindings/ScriptValue.cpp:
1603         (Deprecated::jsToInspectorValue): Create InspectorString from String directly
1604         instead of involving a character pointer. Use the String from Identifier
1605         directly instead of making a new String.
1606
1607         * inspector/ContentSearchUtilities.cpp:
1608         (Inspector::ContentSearchUtilities::createSearchRegexSource): Use StringBuilder
1609         instead of building a String a character at a time. This is still a very slow
1610         way to do this. Also use strchr to search for a character instead of building
1611         a String every time just to use find on it.
1612
1613         * inspector/InspectorValues.cpp:
1614         (Inspector::doubleQuoteString): Remove unnecessary trip through a
1615         character pointer. This is still a really slow way to do this.
1616         (Inspector::InspectorValue::parseJSON): Use StringView::upconvertedCharacters
1617         instead of String::deprecatedCharacters. Still slow to always upconvert.
1618
1619         * runtime/DateConstructor.cpp: Removed unneeded include.
1620         * runtime/DatePrototype.cpp: Ditto.
1621
1622         * runtime/Identifier.h: Removed deprecatedCharacters function.
1623
1624         * runtime/JSGlobalObjectFunctions.cpp:
1625         (JSC::encode): Added a type cast to avoid ambiguity with the two character-
1626         appending functions from JSStringBuilder. Removed unneeded code duplicating
1627         what JSStringBuilder already does in its character append function.
1628         (JSC::decode): Deleted code that creates a JSStringBuilder that is never used.
1629         (JSC::parseIntOverflow): Changed lengths to unsigned. Made only the overload that
1630         is used outside this file have external linkage. Added a new overload that takes
1631         a StringView.
1632         (JSC::parseInt): Use StringView::substring to call parseIntOverflow.
1633         (JSC::globalFuncEscape): Use JSBuilder::append in a more efficient way for a
1634         single character.
1635
1636         * runtime/JSGlobalObjectFunctions.h: Removed unused overloads of parseIntOverflow.
1637
1638         * runtime/JSStringBuilder.h: Marked this "lightly deprecated".
1639         (JSC::JSStringBuilder::append): Overloaded for better speed with 8-bit characters.
1640         Made one overload private. Fixed a performance bug where we would reserve capacity
1641         in the 8-bit buffer but then append to the 16-bit buffer.
1642
1643         * runtime/ObjectPrototype.cpp: Removed unneeded include.
1644
1645         * runtime/StringPrototype.cpp:
1646         (JSC::stringProtoFuncFontsize): Use StringView::getCharactersWithUpconvert.
1647         (JSC::stringProtoFuncLink): Ditto.
1648
1649 2014-03-15  Filip Pizlo  <fpizlo@apple.com>
1650
1651         FTL ArrayifyToStructure shouldn't fail every time that it actually arrayifies
1652         https://bugs.webkit.org/show_bug.cgi?id=130296
1653
1654         Reviewed by Andreas Kling.
1655         
1656         During the 32-bit structure ID work, the second load of the structure was removed.
1657         That's wrong. The whole point of loading the structure ID again is that the structure
1658         ID would have been changed by the arrayification call, and we're verifying that the
1659         arrayification succeeded in changing the structure. If we check the old structure - as
1660         the code was doing after the 32-bit structure ID work - then this check is guaranteed
1661         to fail, causing a significant performance regression.
1662         
1663         It's actually amazing that the regression wasn't bigger. The reason is that if FTL
1664         code pathologically exits but the equivalent DFG code doesn't, then the exponential
1665         backoff almost perfectly guarantees that we just end up in the DFG. For this code, at
1666         the time at least, the DFG wasn't much slower so this didn't cause too much pain.
1667
1668         * ftl/FTLLowerDFGToLLVM.cpp:
1669         (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
1670
1671 2014-03-15  Filip Pizlo  <fpizlo@apple.com>
1672
1673         FTL should support CheckHasInstance/InstanceOf
1674         https://bugs.webkit.org/show_bug.cgi?id=130285
1675
1676         Reviewed by Sam Weinig.
1677         
1678         Fairly straightforward; I also discovered an inaccurate FIXME in the process.
1679
1680         * dfg/DFGFixupPhase.cpp:
1681         (JSC::DFG::FixupPhase::fixupNode):
1682         * ftl/FTLAbstractHeapRepository.h:
1683         * ftl/FTLCapabilities.cpp:
1684         (JSC::FTL::canCompile):
1685         * ftl/FTLLowerDFGToLLVM.cpp:
1686         (JSC::FTL::LowerDFGToLLVM::compileNode):
1687         (JSC::FTL::LowerDFGToLLVM::compileCheckHasInstance):
1688         (JSC::FTL::LowerDFGToLLVM::compileInstanceOf):
1689         * ftl/FTLOutput.h:
1690         (JSC::FTL::Output::phi):
1691         * tests/stress/instanceof.js: Added.
1692         * tests/stress/instanceof-not-cell.js: Added.
1693
1694 2014-03-15  Michael Saboff  <msaboff@apple.com>
1695
1696         It should be possible to adjust DFG and FTL compiler thread priorities
1697         https://bugs.webkit.org/show_bug.cgi?id=130288
1698
1699         Reviewed by Filip Pizlo.
1700
        Added ability to change thread priorities relative to their current priority.
        Created options to adjust the priority of the DFG and FTL compilation work thread
        pools.  For two-core systems, there might be three runnable threads, the main thread,
1704         the DFG compilation thread and the FTL compilation thread.  With the same priority,
1705         the scheduler is free to schedule whatever thread it wants.  By lowering the
1706         compilation threads, the main thread can run.  Further tests may suggest better values
1707         for the new options, priorityDeltaOfDFGCompilerThreads and priorityDeltaOfFTLCompilerThreads.
1708
1709         For a two-core device, this change has a net positive improvement of 1-3% across
1710         SunSpider, Octane, Kraken and AsmBench.
1711
1712         * dfg/DFGWorklist.cpp:
1713         (JSC::DFG::Worklist::finishCreation):
1714         (JSC::DFG::Worklist::create):
1715         (JSC::DFG::ensureGlobalDFGWorklist):
1716         (JSC::DFG::ensureGlobalFTLWorklist):
1717         * dfg/DFGWorklist.h:
1718         * runtime/Options.cpp:
1719         (JSC::computePriorityDeltaOfWorkerThreads):
1720         * runtime/Options.h:
1721
1722 2014-03-15  David Kilzer  <ddkilzer@apple.com>
1723
1724         [iOS] Define SYSTEM_VERSION_PREFIX consistently
1725         <http://webkit.org/b/130293>
1726         <rdar://problem/15926359>
1727
1728         Reviewed by Dan Bernstein.
1729
1730         * Configurations/Version.xcconfig:
1731         (SYSTEM_VERSION_PREFIX_iphoneos): Sync with
1732         Source/WebKit/mac/Version.xcconfig.
1733
1734 2014-03-15  David Kilzer  <ddkilzer@apple.com>
1735
1736         Fix build: using integer absolute value function 'abs' when argument is of floating point type
1737         <http://webkit.org/b/130286>
1738
1739         Reviewed by Filip Pizlo.
1740
1741         Fixes the following build failure using trunk clang:
1742
1743             JavaScriptCore/assembler/MacroAssembler.h:992:17: error: using integer absolute value function 'abs' when argument is of floating point type [-Werror,-Wabsolute-value]
1744                     value = abs(value);
1745                             ^
1746             JavaScriptCore/assembler/MacroAssembler.h:992:17: note: use function 'fabs' instead
1747                     value = abs(value);
1748                             ^~~
1749                             fabs
1750
1751         * assembler/MacroAssembler.h:
1752         (JSC::MacroAssembler::shouldBlindDouble): Switch from abs() to
1753         fabs().
1754
1755 2014-03-14  Oliver Hunt  <oliver@apple.com>
1756
        Reinstate initialiser syntax in for-in loops
1758         https://bugs.webkit.org/show_bug.cgi?id=130269
1759
1760         Reviewed by Michael Saboff.
1761
1762         Disallowing the initialiser broke some sites so this patch re-allows
1763         the syntax.  We still disallow the syntax in 'of' and pattern based
1764         enumeration.
1765
1766         * parser/ASTBuilder.h:
1767         (JSC::ASTBuilder::isBindingNode):
1768         * parser/Parser.cpp:
1769         (JSC::Parser<LexerType>::parseVarDeclarationList):
1770         (JSC::Parser<LexerType>::parseForStatement):
1771         * parser/SyntaxChecker.h:
1772         (JSC::SyntaxChecker::operatorStackPop):
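
        An added example, not WebKit code, that probes the rule above in whatever engine runs it
        (written against Node.js): each candidate loop head is compiled with new Function, which
        yields a sloppy-mode function, the only mode in which the legacy for (var x = init in obj)
        form is permitted (ECMAScript Annex B). The var-with-initialiser form is expected to parse;
        the for-of and destructuring-pattern forms are expected to be rejected.

```javascript
// Added example, not WebKit code: which for-in / for-of heads does the engine
// accept? Each source is compiled with `new Function`, i.e. in sloppy mode,
// where the legacy `for (var x = init in obj)` form is allowed (Annex B.3.6).

function parses(source) {
  try {
    new Function(source);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e; // anything else is a bug in this probe, not a parse result
  }
}

function forInInitialiserMatrix() {
  return {
    varInitInForIn:      parses("for (var i = 0 in {}) {}"),     // true: legacy form re-allowed
    plainForIn:          parses("for (var i in {}) {}"),         // true
    plainForOf:          parses("for (var i of []) {}"),         // true
    varInitInForOf:      parses("for (var i = 0 of []) {}"),     // false: no initialiser in for-of
    arrayPatternInForIn: parses("for (var [a] = 0 in {}) {}"),   // false: pattern-based enumeration
    objPatternInForIn:   parses("for (var {a} = 0 in {}) {}"),   // false
    letInitInForIn:      parses("for (let i = 0 in {}) {}"),     // false: only `var` gets the legacy form
  };
}

// When the legacy form is accepted, the initialiser runs once, before the
// first key is enumerated, and its value is then overwritten by the keys.
// The loop is compiled with `new Function` so this file itself may be strict.
function forInInitialiserRuns() {
  const body =
    'var log = [];' +
    'for (var k = log.push("init") in { a: 1, b: 2 }) log.push(k);' +
    'return log;';
  return new Function(body)(); // ["init", "a", "b"]
}

console.log(forInInitialiserMatrix(), forInInitialiserRuns());
```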
1773
1774 2014-03-14  Mark Lam  <mark.lam@apple.com>
1775
1776         Accessing __lookupGetter__ and __lookupSetter__ should not crash the VM when undefined.
1777         <https://webkit.org/b/130279>
1778
1779         Reviewed by Filip Pizlo.
1780
        If neither the getter nor the setter is defined, accessing __lookupGetter__
1782         and __lookupSetter__ will return undefined as expected.  However, if the
1783         getter is defined but the setter is not, accessing __lookupSetter__ will
1784         crash the VM.  Similarly, accessing __lookupGetter__ when only the setter
1785         is defined will crash the VM.
1786
        The reason is that objectProtoFuncLookupGetter() and
1788         objectProtoFuncLookupSetter() did not check if the getter and setter
1789         value is non-null before returning it as an EncodedJSValue.  The fix is
1790         to add the appropriate null checks.
1791
1792         * runtime/ObjectPrototype.cpp:
1793         (JSC::objectProtoFuncLookupGetter):
1794         (JSC::objectProtoFuncLookupSetter):
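
        The cases described above, written out as an added example that is not WebKit or
        JavaScriptCore code: it defines accessors with only a getter or only a setter, then checks
        that __lookupGetter__ and __lookupSetter__ return undefined for the missing half (on an
        engine with this fix) instead of crashing, and that lookups that reach the accessor through
        the prototype chain behave the same way.

```javascript
// Added example, not JavaScriptCore code: exercises __lookupGetter__ /
// __lookupSetter__ on objects where only one half of an accessor exists.
// On an engine with the fix described above each missing half yields
// undefined; an engine with the bug would crash on the lookups marked (!).

function probeAccessorLookups() {
  const getterOnly = {};
  Object.defineProperty(getterOnly, "x", { get() { return 1; }, configurable: true });

  const setterOnly = {};
  Object.defineProperty(setterOnly, "y", { set(v) { this._y = v; }, configurable: true });

  const plain = { z: 3 };                      // data property: no accessor at all
  const inherited = Object.create(getterOnly); // accessor reached through the prototype chain

  const getter = getterOnly.__lookupGetter__("x");
  const setter = setterOnly.__lookupSetter__("y");
  setter.call(setterOnly, 42);

  return {
    getterOnlyGetter: typeof getter,                            // "function"
    getterOnlySetter: typeof getterOnly.__lookupSetter__("x"),  // "undefined" (!)
    setterOnlyGetter: typeof setterOnly.__lookupGetter__("y"),  // "undefined" (!)
    setterOnlySetter: typeof setter,                            // "function"
    plainGetter: typeof plain.__lookupGetter__("z"),            // "undefined"
    plainSetter: typeof plain.__lookupSetter__("z"),            // "undefined"
    inheritedGetter: typeof inherited.__lookupGetter__("x"),    // "function"
    inheritedSetter: typeof inherited.__lookupSetter__("x"),    // "undefined" (!)
    getterResult: getter.call(getterOnly),                      // 1
    setterEffect: setterOnly._y,                                // 42
  };
}

console.log(probeAccessorLookups());
```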
1795
1796 2014-03-14  Mark Rowe  <mrowe@apple.com>
1797
1798         Fix the production build.
1799
1800         Don't rely on USE_INTERNAL_SDK being set for the Production configuration since UseInternalSDK.xcconfig won't
1801         be at the expected relative path when working from installed source.
1802
1803         * Configurations/Base.xcconfig:
1804
1805 2014-03-14  Maciej Stachowiak  <mjs@apple.com>
1806
1807         Replace "Apple Computer, Inc." with "Apple Inc." in copyright headers
1808         https://bugs.webkit.org/show_bug.cgi?id=130276
1809         <rdar://problem/16266927>
1810
1811         Reviewed by Simon Fraser.
1812
1813         * API/APICast.h:
1814         * API/JSBase.cpp:
1815         * API/JSBase.h:
1816         * API/JSBasePrivate.h:
1817         * API/JSCallbackConstructor.cpp:
1818         * API/JSCallbackConstructor.h:
1819         * API/JSCallbackFunction.cpp:
1820         * API/JSCallbackFunction.h:
1821         * API/JSCallbackObject.cpp:
1822         * API/JSCallbackObject.h:
1823         * API/JSCallbackObjectFunctions.h:
1824         * API/JSClassRef.cpp:
1825         * API/JSClassRef.h:
1826         * API/JSContextRef.cpp:
1827         * API/JSContextRef.h:
1828         * API/JSContextRefPrivate.h:
1829         * API/JSObjectRef.cpp:
1830         * API/JSObjectRef.h:
1831         * API/JSProfilerPrivate.cpp:
1832         * API/JSProfilerPrivate.h:
1833         * API/JSRetainPtr.h:
1834         * API/JSStringRef.cpp:
1835         * API/JSStringRef.h:
1836         * API/JSStringRefBSTR.cpp:
1837         * API/JSStringRefBSTR.h:
1838         * API/JSStringRefCF.cpp:
1839         * API/JSStringRefCF.h:
1840         * API/JSValueRef.cpp:
1841         * API/JSValueRef.h:
1842         * API/JavaScript.h:
1843         * API/JavaScriptCore.h:
1844         * API/OpaqueJSString.cpp:
1845         * API/OpaqueJSString.h:
1846         * API/tests/JSNode.c:
1847         * API/tests/JSNode.h:
1848         * API/tests/JSNodeList.c:
1849         * API/tests/JSNodeList.h:
1850         * API/tests/Node.c:
1851         * API/tests/Node.h:
1852         * API/tests/NodeList.c:
1853         * API/tests/NodeList.h:
1854         * API/tests/minidom.c:
1855         * API/tests/minidom.js:
1856         * API/tests/testapi.c:
1857         * API/tests/testapi.js:
1858         * DerivedSources.make:
1859         * bindings/ScriptValue.cpp:
1860         * bytecode/CodeBlock.cpp:
1861         * bytecode/CodeBlock.h:
1862         * bytecode/EvalCodeCache.h:
1863         * bytecode/Instruction.h:
1864         * bytecode/JumpTable.cpp:
1865         * bytecode/JumpTable.h:
1866         * bytecode/Opcode.cpp:
1867         * bytecode/Opcode.h:
1868         * bytecode/SamplingTool.cpp:
1869         * bytecode/SamplingTool.h:
1870         * bytecode/SpeculatedType.cpp:
1871         * bytecode/SpeculatedType.h:
1872         * bytecode/ValueProfile.h:
1873         * bytecompiler/BytecodeGenerator.cpp:
1874         * bytecompiler/BytecodeGenerator.h:
1875         * bytecompiler/Label.h:
1876         * bytecompiler/LabelScope.h:
1877         * bytecompiler/RegisterID.h:
1878         * debugger/DebuggerCallFrame.cpp:
1879         * debugger/DebuggerCallFrame.h:
1880         * dfg/DFGDesiredStructureChains.cpp:
1881         * dfg/DFGDesiredStructureChains.h:
1882         * heap/GCActivityCallback.cpp:
1883         * heap/GCActivityCallback.h:
1884         * inspector/ConsoleMessage.cpp:
1885         * inspector/ConsoleMessage.h:
1886         * inspector/IdentifiersFactory.cpp:
1887         * inspector/IdentifiersFactory.h:
1888         * inspector/InjectedScriptManager.cpp:
1889         * inspector/InjectedScriptManager.h:
1890         * inspector/InjectedScriptSource.js:
1891         * inspector/ScriptBreakpoint.h:
1892         * inspector/ScriptDebugListener.h:
1893         * inspector/ScriptDebugServer.cpp:
1894         * inspector/ScriptDebugServer.h:
1895         * inspector/agents/InspectorAgent.cpp:
1896         * inspector/agents/InspectorAgent.h:
1897         * inspector/agents/InspectorDebuggerAgent.cpp:
1898         * inspector/agents/InspectorDebuggerAgent.h:
1899         * interpreter/Interpreter.cpp:
1900         * interpreter/Interpreter.h:
1901         * interpreter/JSStack.cpp:
1902         * interpreter/JSStack.h:
1903         * interpreter/Register.h:
1904         * jit/CompactJITCodeMap.h:
1905         * jit/JITStubs.cpp:
1906         * jit/JITStubs.h:
1907         * jit/JITStubsARM.h:
1908         * jit/JITStubsARMv7.h:
1909         * jit/JITStubsX86.h:
1910         * jit/JITStubsX86_64.h:
1911         * os-win32/stdbool.h:
1912         * parser/SourceCode.h:
1913         * parser/SourceProvider.h:
1914         * profiler/LegacyProfiler.cpp:
1915         * profiler/LegacyProfiler.h:
1916         * profiler/ProfileNode.cpp:
1917         * profiler/ProfileNode.h:
1918         * runtime/ArrayBufferView.cpp:
1919         * runtime/ArrayBufferView.h:
1920         * runtime/BatchedTransitionOptimizer.h:
1921         * runtime/CallData.h:
1922         * runtime/ConstructData.h:
1923         * runtime/DumpContext.cpp:
1924         * runtime/DumpContext.h:
1925         * runtime/ExceptionHelpers.cpp:
1926         * runtime/ExceptionHelpers.h:
1927         * runtime/InitializeThreading.cpp:
1928         * runtime/InitializeThreading.h:
1929         * runtime/IntegralTypedArrayBase.h:
1930         * runtime/IntendedStructureChain.cpp:
1931         * runtime/IntendedStructureChain.h:
1932         * runtime/JSActivation.cpp:
1933         * runtime/JSActivation.h:
1934         * runtime/JSExportMacros.h:
1935         * runtime/JSGlobalObject.cpp:
1936         * runtime/JSNotAnObject.cpp:
1937         * runtime/JSNotAnObject.h:
1938         * runtime/JSPropertyNameIterator.cpp:
1939         * runtime/JSPropertyNameIterator.h:
1940         * runtime/JSSegmentedVariableObject.cpp:
1941         * runtime/JSSegmentedVariableObject.h:
1942         * runtime/JSSymbolTableObject.cpp:
1943         * runtime/JSSymbolTableObject.h:
1944         * runtime/JSTypeInfo.h:
1945         * runtime/JSVariableObject.cpp:
1946         * runtime/JSVariableObject.h:
1947         * runtime/PropertyTable.cpp:
1948         * runtime/PutPropertySlot.h:
1949         * runtime/SamplingCounter.cpp:
1950         * runtime/SamplingCounter.h:
1951         * runtime/Structure.cpp:
1952         * runtime/Structure.h:
1953         * runtime/StructureChain.cpp:
1954         * runtime/StructureChain.h:
1955         * runtime/StructureInlines.h:
1956         * runtime/StructureTransitionTable.h:
1957         * runtime/SymbolTable.cpp:
1958         * runtime/SymbolTable.h:
1959         * runtime/TypedArrayBase.h:
1960         * runtime/TypedArrayType.cpp:
1961         * runtime/TypedArrayType.h:
1962         * runtime/VM.cpp:
1963         * runtime/VM.h:
1964         * yarr/RegularExpression.cpp:
1965         * yarr/RegularExpression.h:
1966
1967 2014-03-14  Filip Pizlo  <fpizlo@apple.com>
1968
1969         Final FTL iOS build magic
1970         https://bugs.webkit.org/show_bug.cgi?id=130281
1971
1972         Reviewed by Michael Saboff.
1973
1974         * Configurations/Base.xcconfig: For now our LLVM headers are in /usr/local/LLVMForJavaScriptCore/include, which is the same as OS X.
        * Configurations/LLVMForJSC.xcconfig: We need to be more careful about how we specify library paths if we want to get the prioritization right. Also we need protobuf because things. :-/
1976
1977 2014-03-14  Joseph Pecoraro  <pecoraro@apple.com>
1978
1979         Web Inspector: Gracefully handle nil name -[JSContext setName:]
1980         https://bugs.webkit.org/show_bug.cgi?id=130262
1981
1982         Reviewed by Mark Hahnenberg.
1983
1984         * API/JSContext.mm:
1985         (-[JSContext setName:]):
1986         Gracefully handle nil input.
1987
1988         * API/tests/testapi.c:
1989         (globalContextNameTest):
1990         * API/tests/testapi.mm:
1991         Test for nil / NULL names in the ObjC and C APIs.
1992
1993 2014-03-11  Oliver Hunt  <oliver@apple.com>
1994
1995         Improve dom error messages
1996         https://bugs.webkit.org/show_bug.cgi?id=130103
1997
1998         Reviewed by Andreas Kling.
1999
2000         Add new helper function.
2001
2002         * runtime/Error.h:
2003         (JSC::throwVMTypeError):
2004
2005 2014-03-14  László Langó  <llango.u-szeged@partner.samsung.com>
2006
2007         Remove unused method declaration.
2008         https://bugs.webkit.org/show_bug.cgi?id=130238
2009
2010         Reviewed by Filip Pizlo.
2011
2012         The implementation of CallFrame::dumpCaller was removed in
2013         http://trac.webkit.org/changeset/153183, but the declaration of it was not.
2014
2015         * interpreter/CallFrame.h:
2016         Remove CallFrame::dumpCaller() method declaration.
2017
2018 2014-03-12  Sergio Villar Senin  <svillar@igalia.com>
2019
2020         Rename DEFINE_STATIC_LOCAL to DEPRECATED_DEFINE_STATIC_LOCAL
2021         https://bugs.webkit.org/show_bug.cgi?id=129612
2022
2023         Reviewed by Darin Adler.
2024
2025         For new code use static NeverDestroyed<T> instead.
2026
2027         * API/JSAPIWrapperObject.mm:
2028         (jsAPIWrapperObjectHandleOwner):
2029         * API/JSManagedValue.mm:
2030         (managedValueHandleOwner):
2031         * inspector/agents/InspectorDebuggerAgent.cpp:
2032         (Inspector::objectGroupForBreakpointAction):
2033         * inspector/scripts/CodeGeneratorInspectorStrings.py:
2034         * interpreter/JSStack.cpp:
2035         (JSC::stackStatisticsMutex):
2036         * jit/ExecutableAllocator.cpp:
2037         (JSC::DemandExecutableAllocator::allocators):
2038
2039 2014-03-12  Gavin Barraclough  <barraclough@apple.com>
2040
2041         Reduce memory use for static property maps
2042         https://bugs.webkit.org/show_bug.cgi?id=129986
2043
2044         Reviewed by Andreas Kling.
2045
2046         Static property tables are currently duplicated on first use from read-only memory into dirty memory
2047         in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse
2048         (we use a custom hash table without a rehash) a lot of memory may be wasted.
2049
2050         First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps
        from string hashes to indices into a densely packed array of values. Compute the index table at
2052         compile time as a part of the derived sources step, such that this may be read-only data.
2053
2054         Second, don't copy all data from the HashTableValue array into a HashEntry objects. Instead refer
2055         directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the
2056         keys, which are Identifiers.
2057
2058         * create_hash_table:
2059             - emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep).
2060         * parser/Lexer.cpp:
2061         (JSC::Lexer<LChar>::parseIdentifier):
2062         (JSC::Lexer<UChar>::parseIdentifier):
2063         (JSC::Lexer<T>::parseIdentifierSlowCase):
2064             - HashEntry -> HashTableValue.
2065         * parser/Lexer.h:
2066         (JSC::Keywords::getKeyword):
2067             - HashEntry -> HashTableValue.
2068         * runtime/ClassInfo.h:
2069             - removed HashEntry.
2070         * runtime/JSObject.cpp:
2071         (JSC::getClassPropertyNames):
2072             - use HashTable::ConstIterator.
2073         (JSC::JSObject::put):
2074         (JSC::JSObject::deleteProperty):
2075         (JSC::JSObject::findPropertyHashEntry):
2076             - HashEntry -> HashTableValue.
2077         (JSC::JSObject::reifyStaticFunctionsForDelete):
2078             - changed HashTable::ConstIterator interface.
2079         * runtime/JSObject.h:
2080             - HashEntry -> HashTableValue.
2081         * runtime/Lookup.cpp:
2082         (JSC::HashTable::createTable):
2083             - table -> keys, keys array is now densely packed.
2084         (JSC::HashTable::deleteTable):
2085             - table -> keys.
2086         (JSC::setUpStaticFunctionSlot):
2087             - HashEntry -> HashTableValue.
2088         * runtime/Lookup.h:
2089         (JSC::HashTableValue::builtinGenerator):
2090         (JSC::HashTableValue::function):
2091         (JSC::HashTableValue::functionLength):
2092         (JSC::HashTableValue::propertyGetter):
2093         (JSC::HashTableValue::propertyPutter):
2094         (JSC::HashTableValue::lexerValue):
2095             - added accessor methods from HashEntry.
2096         (JSC::HashTable::copy):
2097             - fields changed.
2098         (JSC::HashTable::initializeIfNeeded):
2099             - table -> keys.
2100         (JSC::HashTable::entry):
2101             - HashEntry -> HashTableValue.
2102         (JSC::HashTable::ConstIterator::ConstIterator):
2103             - iterate packed value array, so no need to skipInvalidKeys().
2104         (JSC::HashTable::ConstIterator::value):
2105         (JSC::HashTable::ConstIterator::key):
2106         (JSC::HashTable::ConstIterator::operator->):
2107             - accessors now get HashTableValue/StringImpl* separately.
2108         (JSC::HashTable::ConstIterator::operator++):
2109             - iterate packed value array, so no need to skipInvalidKeys().
2110         (JSC::HashTable::end):
2111             - end is now size of dense not sparse array.
2112         (JSC::getStaticPropertySlot):
2113         (JSC::getStaticFunctionSlot):
2114         (JSC::getStaticValueSlot):
2115         (JSC::putEntry):
2116         (JSC::lookupPut):
2117             - HashEntry -> HashTableValue.
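
        The table layout described above, as an added example that is not WebKit code (WebKit's own
        generator is the create_hash_table script, and its string hash and sizing rules differ from
        the stand-ins used here): values stay in a densely packed array in source order, and a
        separate index, computable ahead of time and therefore placeable in read-only data, maps
        hash buckets to positions in that array, with collisions chained through a second small
        integer array. The sample entries are constructed for illustration.

```javascript
// Added example, not WebKit code: a static property table built the way the
// entry above describes. The 32-bit FNV-1a hash below is a stand-in for
// WebKit's string hasher; the sample entries are constructed for illustration.

function hashKey(key) {
  let h = 0x811c9dc5;
  for (let i = 0; i < key.length; i++) {
    h ^= key.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// entries: [{ key, value }] in source order. Returns the densely packed value
// array plus two small integer arrays that form the precomputed index: one
// bucket head per hash slot and one chain link per value. Both index arrays
// depend only on the keys, so a generator can emit them as read-only data.
function buildStaticTable(entries) {
  let size = 1;
  while (size < entries.length * 2) size <<= 1; // power of two, load factor <= 0.5
  const mask = size - 1;
  const bucket = new Int32Array(size).fill(-1);         // hash slot -> first value index
  const next = new Int32Array(entries.length).fill(-1); // value index -> next in chain
  const values = entries.map(e => ({ key: e.key, value: e.value }));
  values.forEach((v, i) => {
    const b = hashKey(v.key) & mask;
    if (bucket[b] === -1) { bucket[b] = i; return; }
    let j = bucket[b];
    while (next[j] !== -1) j = next[j];
    next[j] = i;
  });
  return { values, bucket, next, mask };
}

function lookupStatic(table, key) {
  for (let j = table.bucket[hashKey(key) & table.mask]; j !== -1; j = table.next[j]) {
    if (table.values[j].key === key) return table.values[j].value;
  }
  return undefined;
}

// What a derived-sources step would emit: the index as constant data, so the
// only per-process runtime state left is the Identifier keys.
function emitIndexSource(name, table) {
  return (
    `static const int ${name}Bucket[${table.bucket.length}] = { ${Array.from(table.bucket).join(", ")} };\n` +
    `static const int ${name}Next[${table.next.length}] = { ${Array.from(table.next).join(", ")} };\n`
  );
}

// Constructed sample: function names with their arities, as a Math-like object
// might declare them.
const SAMPLE_ENTRIES = [
  { key: "abs", value: 1 }, { key: "atan2", value: 2 }, { key: "ceil", value: 1 },
  { key: "floor", value: 1 }, { key: "hypot", value: 2 }, { key: "max", value: 2 },
  { key: "min", value: 2 }, { key: "pow", value: 2 }, { key: "sqrt", value: 1 },
];
const SAMPLE_TABLE = buildStaticTable(SAMPLE_ENTRIES);

console.log(emitIndexSource("math", SAMPLE_TABLE));
```

        The index arrays hold small integers rather than full entries, which is where the memory saving
        comes from: only the keys need to be materialised per process, and the bucket and chain arrays
        can live in the read-only data segment.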
2118
2119 2014-03-13  Filip Pizlo  <fpizlo@apple.com>
2120
2121         Unreviewed, fix Mac no-FTL build.
2122
2123         * llvm/library/LLVMExports.cpp:
2124         (initializeAndGetJSCLLVMAPI):
2125
2126 2014-03-13  Juergen Ributzka  <juergen@apple.com>
2127
2128         Only export initializeAndGetJSCLLVMAPI from libllvmForJSC.dylib
2129         https://bugs.webkit.org/show_bug.cgi?id=130224
2130
2131         Reviewed by Filip Pizlo.
2132
2133         This limits the exported symbols to only initializeAndGetJSCLLVMAPI from
2134         the LLVM dylib. This allows the dylib to be safely used with other LLVM
2135         dylibs on the same system. It also reduces the dynamic linking overhead
        and reduces the size by 6MB, because the linker can now dead strip
2137         many unused functions.
2138
2139         * Configurations/LLVMForJSC.xcconfig:
2140
2141 2014-03-13  Andreas Kling  <akling@apple.com>
2142
2143         VM::discardAllCode() should clear the RegExp cache.
2144         <https://webkit.org/b/130144>
2145
2146         Reviewed by Michael Saboff.
2147
2148         * runtime/VM.cpp:
2149         (JSC::VM::discardAllCode):
2150
2151 2014-03-13  Andreas Kling  <akling@apple.com>
2152
2153         Revert "Short-circuit JSGlobalObjectInspectorController when not inspecting."
2154         <https://webkit.org/b/129995>
2155
2156         This code path is not taken anymore on DYEB, and I can't explain why
2157         it was showing up in my profiles. Backing it out per JoePeck's suggestion.
2158
2159         * inspector/JSGlobalObjectInspectorController.cpp:
2160         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
2161
2162 2014-03-13  Filip Pizlo  <fpizlo@apple.com>
2163
2164         FTL should support IsBlah
2165         https://bugs.webkit.org/show_bug.cgi?id=130202
2166
2167         Reviewed by Geoffrey Garen.
2168
2169         * ftl/FTLCapabilities.cpp:
2170         (JSC::FTL::canCompile):
2171         * ftl/FTLIntrinsicRepository.h:
2172         * ftl/FTLLowerDFGToLLVM.cpp:
2173         (JSC::FTL::LowerDFGToLLVM::compileNode):
2174         (JSC::FTL::LowerDFGToLLVM::compileIsUndefined):
2175         (JSC::FTL::LowerDFGToLLVM::compileIsBoolean):
2176         (JSC::FTL::LowerDFGToLLVM::compileIsNumber):
2177         (JSC::FTL::LowerDFGToLLVM::compileIsString):
2178         (JSC::FTL::LowerDFGToLLVM::compileIsObject):
2179         (JSC::FTL::LowerDFGToLLVM::compileIsFunction):
2180         (JSC::FTL::LowerDFGToLLVM::compileStoreBarrier):
2181         (JSC::FTL::LowerDFGToLLVM::compileStoreBarrierWithNullCheck):
2182         (JSC::FTL::LowerDFGToLLVM::isNotCellOrMisc):
2183         (JSC::FTL::LowerDFGToLLVM::isNumber):
2184         (JSC::FTL::LowerDFGToLLVM::isNotNumber):
2185         (JSC::FTL::LowerDFGToLLVM::isBoolean):
2186         * ftl/FTLOSRExitCompiler.cpp:
2187         * tests/stress/is-undefined-exit-on-masquerader.js: Added.
2188         (bar):
2189         (foo):
2190         (test):
2191         * tests/stress/is-undefined-jettison-on-masquerader.js: Added.
2192         (foo):
2193         (test):
2194         * tests/stress/is-undefined-masquerader.js: Added.
2195         (foo):
2196         (test):
2197
2198 2014-03-13  Mark Lam  <mark.lam@apple.com>
2199
2200         JS benchmarks crash with a bus error on 32-bit x86.
2201         <https://webkit.org/b/130203>
2202
2203         Reviewed by Geoffrey Garen.
2204
2205         The issue is that generateGetByIdStub() can potentially use the same register
2206         for the JSValue base register and the target tag register.  After loading the
2207         tag value into the target tag register, the JSValue base address is lost.
2208         The code then proceeds to load the payload value using the base register, and
2209         this results in a crash.
2210
2211         The fix is to check if the base register is the same as the target tag register.
2212         If so, we should make a copy of the base register first before loading the tag
2213         value, and use the copy to load the payload value instead.
2214
2215         * jit/Repatch.cpp:
2216         (JSC::generateGetByIdStub):
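
The register-aliasing failure described in the entry above, as an added model in C++. This is not the JSC code from jit/Repatch.cpp: the toy machine, its eight registers and 64-byte memory, the tag/payload offsets, the tag constant 0xFFFFFFFA and the address 16 are all constructed assumptions for the example. A load outside the toy memory records a fault, standing in for the bus error the entry reports.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Model of the 32-bit JSValue layout: a payload word and a tag word side by
// side in memory. The offsets and the tag constant below are assumptions for
// this model, not JSC's JSValue32_64 definitions.
constexpr uint32_t kPayloadOffset = 0;
constexpr uint32_t kTagOffset = 4;
constexpr uint32_t kSampleTag = 0xFFFFFFFAu;
constexpr uint32_t kSamplePayload = 0x2Au;
constexpr uint32_t kValueAddress = 16;

// Toy machine: eight general-purpose registers and 64 bytes of memory. A load
// outside the memory records a fault, standing in for the bus error.
struct Machine {
    uint32_t gpr[8] = {};
    uint8_t memory[64] = {};
    bool faulted = false;

    uint32_t load32(uint32_t address)
    {
        if (address > sizeof(memory) - 4) {
            faulted = true;
            return 0;
        }
        uint32_t v;
        std::memcpy(&v, memory + address, sizeof v);
        return v;
    }
    void store32(uint32_t address, uint32_t v) { std::memcpy(memory + address, &v, sizeof v); }
};

// Stub as before the fix: load the tag through baseReg, then the payload
// through baseReg again. If the register allocator handed out the same
// register for baseReg and tagReg, the first load overwrote the base address.
void emitGetByIdBuggy(Machine& m, int baseReg, int tagReg, int payloadReg)
{
    m.gpr[tagReg] = m.load32(m.gpr[baseReg] + kTagOffset);
    m.gpr[payloadReg] = m.load32(m.gpr[baseReg] + kPayloadOffset);
}

// Stub as after the fix: when baseReg aliases tagReg, copy the base into a
// scratch register before the tag load and load the payload through the copy.
void emitGetByIdFixed(Machine& m, int baseReg, int tagReg, int payloadReg, int scratchReg)
{
    int payloadBase = baseReg;
    if (baseReg == tagReg) {
        m.gpr[scratchReg] = m.gpr[baseReg];
        payloadBase = scratchReg;
    }
    m.gpr[tagReg] = m.load32(m.gpr[baseReg] + kTagOffset);
    m.gpr[payloadReg] = m.load32(m.gpr[payloadBase] + kPayloadOffset);
}

// Runs one scenario on a fresh machine holding a constructed value at
// kValueAddress, with baseReg pointing at it. Returns true only if both words
// came back intact and nothing faulted.
bool stubLoadsCorrectly(bool useFix, int baseReg, int tagReg)
{
    Machine m;
    m.store32(kValueAddress + kTagOffset, kSampleTag);
    m.store32(kValueAddress + kPayloadOffset, kSamplePayload);
    m.gpr[baseReg] = kValueAddress;
    const int payloadReg = 2, scratchReg = 3; // distinct from base and tag in every scenario
    if (useFix)
        emitGetByIdFixed(m, baseReg, tagReg, payloadReg, scratchReg);
    else
        emitGetByIdBuggy(m, baseReg, tagReg, payloadReg);
    return !m.faulted && m.gpr[tagReg] == kSampleTag && m.gpr[payloadReg] == kSamplePayload;
}
```

With distinct registers the buggy sequence works, which is why the defect only surfaces for allocations where the base and tag land in the same register; with baseReg == tagReg the second load dereferences the tag bits as an address and faults, and the fixed sequence recovers the payload through the scratch copy.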
2217
2218 2014-03-12  Filip Pizlo  <fpizlo@apple.com>
2219
2220         WebKit shouldn't crash on uniprocessor machines
2221         https://bugs.webkit.org/show_bug.cgi?id=130176
2222
2223         Reviewed by Michael Saboff.
2224         
2225         Previously the math for computing the number of JIT compiler threads would come up with
2226         zero threads on uniprocessor machines, and then the Worklist code would assert.
2227
2228         * runtime/Options.cpp:
2229         (JSC::computeNumberOfWorkerThreads):
2230         * runtime/Options.h:
2231
2232 2014-03-13  Radu Stavila  <stavila@adobe.com>
2233
2234         WebKit not building on Xcode 5.1 due to garbage collection no longer being supported
2235         https://bugs.webkit.org/show_bug.cgi?id=130087
2236
2237         Reviewed by Mark Rowe.
2238
2239         Disable garbage collection on macosx when not using internal SDK.
2240
2241         * Configurations/Base.xcconfig:
2242
2243 2014-03-10  Darin Adler  <darin@apple.com>
2244
2245         Avoid copy-prone idiom "for (auto item : collection)"
2246         https://bugs.webkit.org/show_bug.cgi?id=129990
2247
2248         Reviewed by Geoffrey Garen.
2249
2250         * heap/CodeBlockSet.h:
2251         (JSC::CodeBlockSet::iterate): Use auto& to be sure we don't copy by accident.
2252         * inspector/ScriptDebugServer.cpp:
2253         (Inspector::ScriptDebugServer::dispatchBreakpointActionLog): Use auto* to
2254         make explicit that we are iterating through pointers.
2255         (Inspector::ScriptDebugServer::dispatchBreakpointActionSound): Ditto.
2256         (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe): Ditto.
2257         * inspector/agents/InspectorDebuggerAgent.cpp:
2258         (Inspector::InspectorDebuggerAgent::removeBreakpoint): Use auto&, and also
2259         get rid of an unneeded local variable.
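
The copy-prone idiom the entry above removes, as an added example in C++ that counts what each loop form actually does. This is not code from the WebKit files listed; the Tracked element type and the counter it carries are constructed for the example, and the three loops stand in for the CodeBlockSet, ScriptDebugServer and InspectorDebuggerAgent sites without reproducing them.

```cpp
#include <cstddef>
#include <vector>

// Constructed element type that counts copy constructions. It stands in for
// a class with non-trivial copy semantics; it is not a WebKit type.
struct Tracked {
    static std::size_t copies;
    int id;
    explicit Tracked(int i) : id(i) {}
    Tracked(const Tracked& other) : id(other.id) { ++copies; }
};
std::size_t Tracked::copies = 0;

static std::vector<Tracked> makeItems(std::size_t n)
{
    std::vector<Tracked> items;
    items.reserve(n); // no reallocation, so building the vector performs no copies
    for (std::size_t i = 0; i < n; ++i)
        items.emplace_back(static_cast<int>(i));
    return items;
}

// The idiom the change removes: `auto` deduces Tracked by value, so each
// iteration copy-constructs a temporary. Returns the number of copies made.
std::size_t copiesWithByValueLoop(std::size_t n)
{
    std::vector<Tracked> items = makeItems(n);
    Tracked::copies = 0;
    long sum = 0;
    for (auto item : items)
        sum += item.id;
    (void)sum;
    return Tracked::copies;
}

// The replacement: `auto&` binds a reference to each element, so no copies.
std::size_t copiesWithReferenceLoop(std::size_t n)
{
    std::vector<Tracked> items = makeItems(n);
    Tracked::copies = 0;
    long sum = 0;
    for (auto& item : items)
        sum += item.id;
    (void)sum;
    return Tracked::copies;
}

// For containers of pointers, `auto*` makes explicit that only the pointer is
// copied, and fails to compile if the element type is not a pointer.
std::size_t copiesWithPointerLoop(std::size_t n)
{
    std::vector<Tracked> items = makeItems(n);
    std::vector<Tracked*> pointers;
    for (auto& item : items)
        pointers.push_back(&item);
    Tracked::copies = 0;
    long sum = 0;
    for (auto* item : pointers)
        sum += item->id;
    (void)sum;
    return Tracked::copies;
}
```

The by-value loop copies once per element; the `auto&` and `auto*` forms copy nothing, which is the behaviour the entry wants to make impossible to get wrong by accident.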
2260
2261 2014-03-13  Brian Burg  <bburg@apple.com>
2262
2263         Web Inspector: Remove unused callId parameter from evaluateInWebInspector
2264         https://bugs.webkit.org/show_bug.cgi?id=129744
2265
2266         Reviewed by Timothy Hatcher.
2267
2268         * inspector/agents/InspectorAgent.cpp:
2269         (Inspector::InspectorAgent::enable):
2270         (Inspector::InspectorAgent::evaluateForTestInFrontend):
2271         * inspector/agents/InspectorAgent.h:
2272         * inspector/protocol/InspectorDomain.json:
2273
2274 2014-03-11  Filip Pizlo  <fpizlo@apple.com>
2275
2276         ASSERTION FAILED: node->op() == Phi || node->op() == SetArgument
2277         https://bugs.webkit.org/show_bug.cgi?id=130069
2278
2279         Reviewed by Geoffrey Garen.
2280         
2281         This was a great assertion, and it represents our strictest interpretation of the rules of
2282         our intermediate representation. However, fixing DCE to actually preserve the relevant
2283         property would be hard, and it wouldn't have an observable effect right now because nobody
2284         actually uses the property of CPS that this assertion is checking for.
2285         
2286         In particular, we do always require, and rely on, the fact that non-captured variables
2287         have variablesAtTail refer to the last interesting use of the variable: a SetLocal if the
2288         block assigns to the variable, a GetLocal if it only reads from it, and a Flush,
2289         PhantomLocal, or Phi otherwise. We do preserve this property successfully and DCE was not
2290         broken in this regard. But, in the strictest sense, CPS also means that for captured
2291         variables, variablesAtTail also continues to point to the last relevant use of the
2292         variable. In particular, if there are multiple GetLocals, then it should point to the last
2293         one. This is hard for DCE to preserve. Also, nobody relies on variablesAtTail for captured
2294         variables, except to check the VariableAccessData; but in that case, we don't really need
2295         the *last* relevant use of the variable - any node that mentions the same variable will do
2296         just fine.
2297         
2298         So, this change loosens the assertion and adds a detailed FIXME describing what we would
2299         have to do if we wanted to preserve the more strict property.
2300         
2301         This also makes changes to various debug printing paths so that validation doesn't crash
2302         during graph dump. This also adds tests for the interesting cases of DCE failing to
2303         preserve CPS in the strictest sense. This also attempts to win the record for longest test
2304         name.
2305
2306         * bytecode/CodeBlock.cpp:
2307         (JSC::CodeBlock::hashAsStringIfPossible):
2308         (JSC::CodeBlock::dumpAssumingJITType):
2309         * bytecode/CodeBlock.h:
2310         * bytecode/CodeOrigin.cpp:
2311         (JSC::InlineCallFrame::hashAsStringIfPossible):
2312         (JSC::InlineCallFrame::dumpBriefFunctionInformation):
2313         * bytecode/CodeOrigin.h:
2314         * dfg/DFGCPSRethreadingPhase.cpp:
2315         (JSC::DFG::CPSRethreadingPhase::run):
2316         * dfg/DFGDCEPhase.cpp:
2317         (JSC::DFG::DCEPhase::cleanVariables):
2318         * dfg/DFGInPlaceAbstractState.cpp:
2319         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
2320         * runtime/FunctionExecutableDump.cpp:
2321         (JSC::FunctionExecutableDump::dump):
2322         * tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store-in-function-with-multiple-basic-blocks.js: Added.
2323         (foo):
2324         * tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store.js: Added.
2325         (foo):
2326
2327 2014-03-12  Brian Burg  <bburg@apple.com>
2328
2329         Web Replay: add infrastructure for memoizing nondeterministic DOM APIs
2330         https://bugs.webkit.org/show_bug.cgi?id=129445
2331
2332         Reviewed by Timothy Hatcher.
2333
2334         There was a bug in the replay inputs code generator that would include
2335         headers for definitions of enum classes, even though they can be safely
2336         forward-declared.
2337
2338         * replay/scripts/CodeGeneratorReplayInputs.py:
2339         (Generator.generate_includes): Only include for copy constructor if the
2340         type is a heavy scalar (i.e., String, URL), not a normal scalar
2341         (i.e., int, double, enum classes).
2342
2343         (Generator.generate_type_forward_declarations): Forward-declare scalars
2344         that are enums or enum classes.
2345
2346 2014-03-12  Joseph Pecoraro  <pecoraro@apple.com>
2347
2348         Web Inspector: Disable REMOTE_INSPECTOR in earlier OS X releases
2349         https://bugs.webkit.org/show_bug.cgi?id=130118
2350
2351         Reviewed by Timothy Hatcher.
2352
2353         * Configurations/FeatureDefines.xcconfig:
2354
2355 2014-03-12  Joseph Pecoraro  <pecoraro@apple.com>
2356
2357         Web Inspector: Hang in Remote Inspection triggering breakpoint from console
2358         https://bugs.webkit.org/show_bug.cgi?id=130032
2359
2360         Reviewed by Timothy Hatcher.
2361
2362         * inspector/EventLoop.h:
2363         * inspector/EventLoop.cpp:
2364         (Inspector::EventLoop::remoteInspectorRunLoopMode):
2365         (Inspector::EventLoop::cycle):
2366         Expose the run loop mode name so it can be used if needed by others.
2367
2368         * inspector/remote/RemoteInspectorDebuggableConnection.h:
2369         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
2370         (Inspector::RemoteInspectorBlock::RemoteInspectorBlock):
2371         (Inspector::RemoteInspectorBlock::~RemoteInspectorBlock):
2372         (Inspector::RemoteInspectorBlock::operator=):
2373         (Inspector::RemoteInspectorBlock::operator()):
2374         (Inspector::RemoteInspectorQueueTask):
2375         Instead of a dispatch_queue, have our own static Vector of debugger tasks.
2376
2377         (Inspector::RemoteInspectorHandleRunSource):
2378         (Inspector::RemoteInspectorInitializeQueue):
2379         Initialize the static queue and run loop source. When the run loop source
2380         fires, it will exhaust the queue of debugger messages.
2381
2382         (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
2383         (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
2384         When we get a debuggable connection add a run loop source for inspector commands.
2385
2386         (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
2387         (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
2388         Enqueue blocks on our Vector instead of our dispatch_queue.
2389
2390 2014-03-12  Commit Queue  <commit-queue@webkit.org>
2391
2392         Unreviewed, rolling out r165482.
2393         https://bugs.webkit.org/show_bug.cgi?id=130157
2394
2395         Broke the windows build; "error C2466: cannot allocate an
2396         array of constant size 0" (Requested by jernoble on #webkit).
2397
2398         Reverted changeset:
2399
2400         "Reduce memory use for static property maps"
2401         https://bugs.webkit.org/show_bug.cgi?id=129986
2402         http://trac.webkit.org/changeset/165482
2403
2404 2014-03-12  Mark Hahnenberg  <mhahnenberg@apple.com>
2405
2406         Remove HandleSet::m_nextToFinalize
2407         https://bugs.webkit.org/show_bug.cgi?id=130109
2408
2409         Reviewed by Mark Lam.
2410
2411         This is a remnant of when HandleSet contained things that needed to be finalized. 
2412
2413         * heap/HandleSet.cpp:
2414         (JSC::HandleSet::HandleSet):
2415         (JSC::HandleSet::writeBarrier):
2416         * heap/HandleSet.h:
2417         (JSC::HandleSet::allocate):
2418         (JSC::HandleSet::deallocate):
2419
2420 2014-03-12  Mark Hahnenberg  <mhahnenberg@apple.com>
2421
2422         Layout Test fast/workers/worker-gc.html is failing
2423         https://bugs.webkit.org/show_bug.cgi?id=130135
2424
2425         Reviewed by Geoffrey Garen.
2426
2427         When removing MarkedBlocks, we always expect them to be in the MarkedAllocator's 
2428         main list of blocks, i.e. not in the retired list. When shutting down the VM this
2429         wasn't always the case, which was causing ASSERTs to fire. We should rearrange things
2430         so that allocators are notified with lastChanceToFinalize. This will give them 
2431         the chance to move their retired blocks back into the main list before removing them all.
2432
2433         * heap/MarkedAllocator.cpp:
2434         (JSC::LastChanceToFinalize::operator()):
2435         (JSC::MarkedAllocator::lastChanceToFinalize):
2436         * heap/MarkedAllocator.h:
2437         * heap/MarkedSpace.cpp:
2438         (JSC::LastChanceToFinalize::operator()):
2439         (JSC::MarkedSpace::lastChanceToFinalize):
2440
2441 2014-03-12  Gavin Barraclough  <barraclough@apple.com>
2442
2443         Reduce memory use for static property maps
2444         https://bugs.webkit.org/show_bug.cgi?id=129986
2445
2446         Reviewed by Andreas Kling.
2447
2448         Static property tables are currently duplicated on first use from read-only memory into dirty memory
2449         in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse
2450         (we use a custom hash table without a rehash) a lot of memory may be wasted.
2451
2452         First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps
2453         from string hashes to indices into a densely packed array of values. Compute the index table at
2454         compile time as a part of the derived sources step, such that this may be read-only data.
2455
2456         Second, don't copy all data from the HashTableValue array into HashEntry objects. Instead refer
2457         directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the
2458         keys, which are Identifiers.
2459
2460         * create_hash_table:
2461             - emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep).
2462         * parser/Lexer.cpp:
2463         (JSC::Lexer<LChar>::parseIdentifier):
2464         (JSC::Lexer<UChar>::parseIdentifier):
2465         (JSC::Lexer<T>::parseIdentifierSlowCase):
2466             - HashEntry -> HashTableValue.
2467         * parser/Lexer.h:
2468         (JSC::Keywords::getKeyword):
2469             - HashEntry -> HashTableValue.
2470         * runtime/ClassInfo.h:
2471             - removed HashEntry.
2472         * runtime/JSObject.cpp:
2473         (JSC::getClassPropertyNames):
2474             - use HashTable::ConstIterator.
2475         (JSC::JSObject::put):
2476         (JSC::JSObject::deleteProperty):
2477         (JSC::JSObject::findPropertyHashEntry):
2478             - HashEntry -> HashTableValue.
2479         (JSC::JSObject::reifyStaticFunctionsForDelete):
2480             - changed HashTable::ConstIterator interface.
2481         * runtime/JSObject.h:
2482             - HashEntry -> HashTableValue.
2483         * runtime/Lookup.cpp:
2484         (JSC::HashTable::createTable):
2485             - table -> keys, keys array is now densely packed.
2486         (JSC::HashTable::deleteTable):
2487             - table -> keys.
2488         (JSC::setUpStaticFunctionSlot):
2489             - HashEntry -> HashTableValue.
2490         * runtime/Lookup.h:
2491         (JSC::HashTableValue::builtinGenerator):
2492         (JSC::HashTableValue::function):
2493         (JSC::HashTableValue::functionLength):
2494         (JSC::HashTableValue::propertyGetter):
2495         (JSC::HashTableValue::propertyPutter):
2496         (JSC::HashTableValue::lexerValue):
2497             - added accessor methods from HashEntry.
2498         (JSC::HashTable::copy):
2499             - fields changed.
2500         (JSC::HashTable::initializeIfNeeded):
2501             - table -> keys.
2502         (JSC::HashTable::entry):
2503             - HashEntry -> HashTableValue.
2504         (JSC::HashTable::ConstIterator::ConstIterator):
2505             - iterate packed value array, so no need to skipInvalidKeys().
2506         (JSC::HashTable::ConstIterator::value):
2507         (JSC::HashTable::ConstIterator::key):
2508         (JSC::HashTable::ConstIterator::operator->):
2509             - accessors now get HashTableValue/StringImpl* separately.
2510         (JSC::HashTable::ConstIterator::operator++):
2511             - iterate packed value array, so no need to skipInvalidKeys().
2512         (JSC::HashTable::end):
2513             - end is now size of dense not sparse array.
2514         (JSC::getStaticPropertySlot):
2515         (JSC::getStaticFunctionSlot):
2516         (JSC::getStaticValueSlot):
2517         (JSC::putEntry):
2518         (JSC::lookupPut):
2519             - HashEntry -> HashTableValue.
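
The index-table scheme the entry above describes (a sparse index computed ahead of time that maps string hashes to positions in a densely packed value array, so that the index and the values can be read-only data and only the keys need per-process writable memory), as an added worked example in C++. It is not the output of create_hash_table nor JSC's HashTable code: the FNV-1a hash, the IndexEntry layout, the sample key list and the int payloads are constructed assumptions for the example; hashSize must be a power of two.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// One static property in the dense value array. In JSC a HashTableValue
// carries attributes plus a getter/putter or native function pointer; here an
// int payload stands in for that. Sample data is constructed for the example.
struct TableValue {
    const char* key;
    int payload;
};

// One slot of the sparse index: the position of the entry in the dense value
// array (-1 if the slot is empty) and the next slot in the collision chain
// (-1 at the end of the chain).
struct IndexEntry {
    int value;
    int next;
};

struct StaticIndex {
    unsigned hashSize;               // power of two; the hash is masked to it
    std::vector<IndexEntry> entries; // hashSize primary slots, then overflow slots
};

// Assumed string hash for the example (FNV-1a). JSC's generated tables use the
// hash WTF already computes for StringImpl, so no rehash happens at lookup.
uint32_t hashKey(const char* s)
{
    uint32_t h = 2166136261u;
    for (; *s; ++s) {
        h ^= static_cast<uint8_t>(*s);
        h *= 16777619u;
    }
    return h;
}

// The build-time step (create_hash_table does this for the derived sources;
// a plain function here): compute the sparse index for a dense value array.
// Nothing in the result depends on runtime state, so it can be emitted as
// read-only data. Only the index is sparse; the values stay densely packed.
StaticIndex buildIndex(const std::vector<TableValue>& values, unsigned hashSize)
{
    StaticIndex index{hashSize, std::vector<IndexEntry>(hashSize + values.size(), IndexEntry{-1, -1})};
    unsigned nextOverflow = hashSize;
    for (std::size_t i = 0; i < values.size(); ++i) {
        unsigned slot = hashKey(values[i].key) & (hashSize - 1);
        if (index.entries[slot].value == -1) {
            index.entries[slot].value = static_cast<int>(i);
            continue;
        }
        while (index.entries[slot].next != -1) // walk to the end of the chain
            slot = static_cast<unsigned>(index.entries[slot].next);
        index.entries[nextOverflow] = IndexEntry{static_cast<int>(i), -1};
        index.entries[slot].next = static_cast<int>(nextOverflow++);
    }
    index.entries.resize(nextOverflow);
    return index;
}

// Runtime lookup: hash, mask, follow the chain, compare keys. Returns the
// position in the dense value array, or -1 if the key is not present.
int lookup(const StaticIndex& index, const std::vector<TableValue>& values, const char* key)
{
    const IndexEntry* entry = &index.entries[hashKey(key) & (index.hashSize - 1)];
    if (entry->value == -1)
        return -1;
    for (;;) {
        if (std::strcmp(values[static_cast<std::size_t>(entry->value)].key, key) == 0)
            return entry->value;
        if (entry->next == -1)
            return -1;
        entry = &index.entries[static_cast<std::size_t>(entry->next)];
    }
}

// Constructed sample table in the dense order it would have in the generated source.
const std::vector<TableValue>& sampleValues()
{
    static const std::vector<TableValue> values = {
        {"length", 0}, {"push", 1}, {"pop", 2}, {"slice", 3}, {"splice", 4}, {"indexOf", 5}};
    return values;
}

// Builds the index with the given primary slot count and resolves one key.
// A hashSize smaller than the key count forces collision chains to be used.
int lookupPayload(const char* key, unsigned hashSize)
{
    StaticIndex index = buildIndex(sampleValues(), hashSize);
    int position = lookup(index, sampleValues(), key);
    return position < 0 ? -1 : sampleValues()[static_cast<std::size_t>(position)].payload;
}
```

In the project the equivalent of buildIndex runs at derived-sources time and its output is compiled in, so the per-process writable state shrinks to the key array the entry mentions; calling lookupPayload with hashSize 4 for six keys exercises the overflow chains that the generated table also relies on.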
2520
2521 2014-03-11  Filip Pizlo  <fpizlo@apple.com>
2522
2523         It should be possible to build WebKit with FTL on iOS
2524         https://bugs.webkit.org/show_bug.cgi?id=130116
2525
2526         Reviewed by Dan Bernstein.
2527
2528         * Configurations/Base.xcconfig:
2529
2530 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
2531
2532         GetById list caching should use something object-oriented rather than PolymorphicAccessStructureList
2533         https://bugs.webkit.org/show_bug.cgi?id=129778
2534
2535         Reviewed by Geoffrey Garen.
2536         
2537         Also deduplicate the GetById getter call caching. Also add some small tests for
2538         get stubs.
2539         
2540         This change reduces the amount of code involved in GetById access caching and it
2541         creates data structures that can serve as an elegant scaffold for introducing other
2542         kinds of caches or improving current caching styles. It will definitely make getter
2543         performance improvements easier to implement.
2544
2545         * CMakeLists.txt:
2546         * GNUmakefile.list.am:
2547         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2548         * JavaScriptCore.xcodeproj/project.pbxproj:
2549         * bytecode/CodeBlock.cpp:
2550         (JSC::CodeBlock::printGetByIdCacheStatus):
2551         * bytecode/GetByIdStatus.cpp:
2552         (JSC::GetByIdStatus::computeForStubInfo):
2553         * bytecode/PolymorphicGetByIdList.cpp: Added.
2554         (JSC::GetByIdAccess::GetByIdAccess):
2555         (JSC::GetByIdAccess::~GetByIdAccess):
2556         (JSC::GetByIdAccess::fromStructureStubInfo):
2557         (JSC::GetByIdAccess::visitWeak):
2558         (JSC::PolymorphicGetByIdList::PolymorphicGetByIdList):
2559         (JSC::PolymorphicGetByIdList::from):
2560         (JSC::PolymorphicGetByIdList::~PolymorphicGetByIdList):
2561         (JSC::PolymorphicGetByIdList::currentSlowPathTarget):
2562         (JSC::PolymorphicGetByIdList::addAccess):
2563         (JSC::PolymorphicGetByIdList::isFull):
2564         (JSC::PolymorphicGetByIdList::isAlmostFull):
2565         (JSC::PolymorphicGetByIdList::didSelfPatching):
2566         (JSC::PolymorphicGetByIdList::visitWeak):
2567         * bytecode/PolymorphicGetByIdList.h: Added.
2568         (JSC::GetByIdAccess::GetByIdAccess):
2569         (JSC::GetByIdAccess::isSet):
2570         (JSC::GetByIdAccess::operator!):
2571         (JSC::GetByIdAccess::type):
2572         (JSC::GetByIdAccess::structure):
2573         (JSC::GetByIdAccess::chain):
2574         (JSC::GetByIdAccess::chainCount):
2575         (JSC::GetByIdAccess::stubRoutine):
2576         (JSC::GetByIdAccess::doesCalls):
2577         (JSC::PolymorphicGetByIdList::isEmpty):
2578         (JSC::PolymorphicGetByIdList::size):
2579         (JSC::PolymorphicGetByIdList::at):
2580         (JSC::PolymorphicGetByIdList::operator[]):
2581         * bytecode/StructureStubInfo.cpp:
2582         (JSC::StructureStubInfo::deref):
2583         (JSC::StructureStubInfo::visitWeakReferences):
2584         * bytecode/StructureStubInfo.h:
2585         (JSC::isGetByIdAccess):
2586         (JSC::StructureStubInfo::initGetByIdList):
2587         * jit/Repatch.cpp:
2588         (JSC::generateGetByIdStub):
2589         (JSC::tryCacheGetByID):
2590         (JSC::patchJumpToGetByIdStub):
2591         (JSC::tryBuildGetByIDList):
2592         (JSC::tryBuildPutByIdList):
2593         * tests/stress/getter.js: Added.
2594         (foo):
2595         (.o):
2596         * tests/stress/polymorphic-prototype-accesses.js: Added.
2597         (Foo):
2598         (Bar):
2599         (foo):
2600         * tests/stress/prototype-getter.js: Added.
2601         (Foo):
2602         (foo):
2603         * tests/stress/simple-prototype-accesses.js: Added.
2604         (Foo):
2605         (foo):
2606
2607 2014-03-11  Mark Hahnenberg  <mhahnenberg@apple.com>
2608
2609         MarkedBlocks that are "full enough" shouldn't be swept after EdenCollections
2610         https://bugs.webkit.org/show_bug.cgi?id=129920
2611
2612         Reviewed by Geoffrey Garen.
2613
2614         This patch introduces the notion of "retiring" MarkedBlocks. We retire a MarkedBlock
2615         when the amount of free space in a MarkedBlock drops below a certain threshold.
2616         Retired blocks are not considered for sweeping.
2617
2618         This is profitable because it reduces churn during sweeping. To build a free list, 
2619         we have to scan through each cell in a block. After a collection, all objects that 
2620         are live in the block will remain live until the next FullCollection, at which time
2621         we un-retire all previously retired blocks. Thus, a small number of objects in a block
2622         that die during each EdenCollection could cause us to do a disproportionate amount of 
2623         sweeping for how much free memory we get back.
2624
2625         This patch looks like a consistent ~2% progression on boyer and is neutral everywhere else.
2626
2627         * heap/Heap.h:
2628         (JSC::Heap::didRetireBlockWithFreeListSize):
2629         * heap/MarkedAllocator.cpp:
2630         (JSC::MarkedAllocator::tryAllocateHelper):
2631         (JSC::MarkedAllocator::removeBlock):
2632         (JSC::MarkedAllocator::reset):
2633         * heap/MarkedAllocator.h:
2634         (JSC::MarkedAllocator::MarkedAllocator):
2635         (JSC::MarkedAllocator::forEachBlock):
2636         * heap/MarkedBlock.cpp:
2637         (JSC::MarkedBlock::sweepHelper):
2638         (JSC::MarkedBlock::clearMarksWithCollectionType):
2639         (JSC::MarkedBlock::didRetireBlock):
2640         * heap/MarkedBlock.h:
2641         (JSC::MarkedBlock::willRemoveBlock):
2642         (JSC::MarkedBlock::isLive):
2643         * heap/MarkedSpace.cpp:
2644         (JSC::MarkedSpace::clearNewlyAllocated):
2645         (JSC::MarkedSpace::clearMarks):
2646         * runtime/Options.h:
2647
2648 2014-03-11  Andreas Kling  <akling@apple.com>
2649
2650         Streamline PropertyTable for lookup-only access.
2651         <https://webkit.org/b/130060>
2652
2653         The PropertyTable lookup algorithm was written to support both read
2654         and write access. This wasn't actually needed in most places.
2655
2656         This change adds a PropertyTable::get() that just returns the value
2657         type (instead of an insertion iterator.) It also adds an early return
2658         for empty tables.
2659
2660         Finally, up the minimum table capacity from 8 to 16. It was lowered
2661         to 8 in order to save memory, but that was before PropertyTables were
2662         GC allocated. Nowadays we don't have nearly as many tables, since all
2663         the unpinned transitions die off.
2664
2665         Reviewed by Darin Adler.
2666
2667         * runtime/PropertyMapHashTable.h:
2668         (JSC::PropertyTable::get):
2669         * runtime/Structure.cpp:
2670         (JSC::Structure::despecifyDictionaryFunction):
2671         (JSC::Structure::attributeChangeTransition):
2672         (JSC::Structure::get):
2673         (JSC::Structure::despecifyFunction):
2674         * runtime/StructureInlines.h:
2675         (JSC::Structure::get):
2676
2677 2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>
2678
2679         REGRESSION(r165407): DoYouEvenBench crashes in DRT
2680         https://bugs.webkit.org/show_bug.cgi?id=130066
2681
2682         Reviewed by Geoffrey Garen.
2683
2684         The baseline JIT does a conditional store barrier for the put_by_id, but we need 
2685         an unconditional store barrier so that we cover the butterfly case as well in emitPutTransitionStub.
2686
2687         * jit/JIT.h:
2688         * jit/JITPropertyAccess.cpp:
2689         (JSC::JIT::emit_op_put_by_id):
2690         (JSC::JIT::emitWriteBarrier):
2691
2692 2014-03-10  Mark Lam  <mark.lam@apple.com>
2693
2694         Resurrect bit-rotted JIT::probe() mechanism.
2695         <https://webkit.org/b/130067>
2696
2697         Reviewed by Geoffrey Garen.
2698
2699         * jit/JITStubs.cpp:
2700         - Added the needed #include <wtf/InlineASM.h>.
2701
2702 2014-03-10  Joseph Pecoraro  <pecoraro@apple.com>
2703
2704         Fix typo in EXCLUDED_SOURCE_FILE_NAMES_iphoneos.
2705
2706         Rubber-stamped by Dan Bernstein.
2707
2708         * Configurations/JavaScriptCore.xcconfig:
2709
2710 2014-03-10  Mark Lam  <mark.lam@apple.com>
2711
2712         r165414 broke the 32-bit x86 tests: ASSERTION FAILED: result != InvalidIndex @ GPRInfo.h:330.
2713         <https://webkit.org/b/130065>
2714
2715         Reviewed by Michael Saboff.
2716
2717         There is code in ScratchRegisterAllocator.cpp that is relying on GPRInfo::toIndex()
2718         being able to return InvalidIndex.  Hence, the assertion is invalid.  Ditto for
2719         FPRInfo::toIndex().
2720
2721         The fix is to remove the "result != InvalidIndex" assertions.
2722
2723         * jit/FPRInfo.h:
2724         (JSC::FPRInfo::toIndex):
2725         * jit/GPRInfo.h:
2726         (JSC::GPRInfo::toIndex):
2727
2728 2014-03-10  Mark Lam  <mark.lam@apple.com>
2729
2730         Crash on a stack overflow on 32-bit x86 in http/tests/websocket/tests/hybi/workers/no-onmessage-in-sync-op.html.
2731         <https://webkit.org/b/129955>
2732
2733         Reviewed by Geoffrey Garen.
2734
2735         The 32-bit x86 version of getHostCallReturnValue() was leaking 16 bytes
2736         of stack memory every time it was called.  This is now fixed.
2737
2738         * jit/JITOperations.cpp:
2739
2740 2014-03-10  Joseph Pecoraro  <pecoraro@apple.com>
2741
2742         Better JSContext API for named evaluations (other than //# sourceURL)
2743         https://bugs.webkit.org/show_bug.cgi?id=129911
2744
2745         Reviewed by Geoffrey Garen.
2746
2747         * API/JSBase.h:
2748         * API/JSContext.h:
2749         * API/JSContext.mm:
2750         (-[JSContext evaluateScript:]):
2751         (-[JSContext evaluateScript:withSourceURL:]):
2752         Add new evaluateScript:withSourceURL:.
2753
2754         * API/tests/testapi.c:
2755         (main):
2756         * API/tests/testapi.mm:
2757         (testObjectiveCAPI):
2758         Add tests for sourceURL in evaluate APIs. It should
2759         affect the exception objects.
2760
2761 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
2762
2763         Repatch should save and restore all used registers - not just temp ones - when making a call
2764         https://bugs.webkit.org/show_bug.cgi?id=130041
2765
2766         Reviewed by Geoffrey Garen and Mark Hahnenberg.
2767         
2768         The save/restore code was written back when the only client was the DFG, which only uses a
2769         subset of hardware registers: the "temp" registers in our lingo. But the FTL may use many
2770         other registers, especially on ARM64. The fact that Repatch doesn't know to save those can
2771         lead to data corruption on ARM64. 
2772
2773         * jit/RegisterSet.cpp:
2774         (JSC::RegisterSet::calleeSaveRegisters):
2775         (JSC::RegisterSet::numberOfSetGPRs):
2776         (JSC::RegisterSet::numberOfSetFPRs):
2777         * jit/RegisterSet.h:
2778         * jit/Repatch.cpp:
2779         (JSC::storeToWriteBarrierBuffer):
2780         (JSC::emitPutTransitionStub):
2781         * jit/ScratchRegisterAllocator.cpp:
2782         (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
2783         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
2784         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
2785         (JSC::ScratchRegisterAllocator::usedRegistersForCall):
2786         (JSC::ScratchRegisterAllocator::desiredScratchBufferSizeForCall):
2787         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
2788         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
2789         * jit/ScratchRegisterAllocator.h:
2790
2791 2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>
2792
2793         Remove ConditionalStore barrier
2794         https://bugs.webkit.org/show_bug.cgi?id=130040
2795
2796         Reviewed by Geoffrey Garen.
2797
2798         ConditionalStoreBarrier was created when barriers were much more expensive. Now that 
2799         they're cheap(er), we can get rid of them. This also allows us to get rid of the write 
2800         barrier logic in emitPutTransitionStub because we always will have executed a write barrier 
2801         on the base object in the case where we are allocating and storing a new Butterfly into it. 
2802         Previously, a ConditionalStoreBarrier might or might not have barrier-ed the base object, 
2803         so we'd have to emit a write barrier in the transition case.
2804
2805         This is performance neutral on the benchmarks we track.
2806
2807         * dfg/DFGAbstractInterpreterInlines.h:
2808         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2809         * dfg/DFGClobberize.h:
2810         (JSC::DFG::clobberize):
2811         * dfg/DFGConstantFoldingPhase.cpp:
2812         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2813         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2814         * dfg/DFGFixupPhase.cpp:
2815         (JSC::DFG::FixupPhase::fixupNode):
2816         (JSC::DFG::FixupPhase::insertStoreBarrier):
2817         * dfg/DFGNode.h:
2818         (JSC::DFG::Node::isStoreBarrier):
2819         * dfg/DFGNodeType.h:
2820         * dfg/DFGPredictionPropagationPhase.cpp:
2821         (JSC::DFG::PredictionPropagationPhase::propagate):
2822         * dfg/DFGSafeToExecute.h:
2823         (JSC::DFG::safeToExecute):
2824         * dfg/DFGSpeculativeJIT.cpp:
2825         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
2826         * dfg/DFGSpeculativeJIT32_64.cpp:
2827         (JSC::DFG::SpeculativeJIT::compile):
2828         * dfg/DFGSpeculativeJIT64.cpp:
2829         (JSC::DFG::SpeculativeJIT::compile):
2830         * ftl/FTLCapabilities.cpp:
2831         (JSC::FTL::canCompile):
2832         * ftl/FTLLowerDFGToLLVM.cpp:
2833         (JSC::FTL::LowerDFGToLLVM::compileNode):
2834         * jit/Repatch.cpp:
2835         (JSC::emitPutTransitionStub):
2836
2837 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
2838
2839         DFG and FTL should know that comparing anything to Misc is cheap and easy
2840         https://bugs.webkit.org/show_bug.cgi?id=130001
2841
2842         Reviewed by Geoffrey Garen.
2843         
2844         - Expand CompareStrictEq(Misc:, Misc:) to work for cases where either side of the
2845           comparison is just Untyped:.
2846         
2847         - This obviates the need for CompareStrictEqConstant, so remove it.
2848         
2849         - FTL had a thing called "Nully" which is really "Other". Rename it and add
2850           OtherUse.
2851         
2852         9% speed-up on box2d.
2853
2854         * dfg/DFGAbstractInterpreterInlines.h:
2855         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2856         * dfg/DFGByteCodeParser.cpp:
2857         (JSC::DFG::ByteCodeParser::parseBlock):
2858         * dfg/DFGClobberize.h:
2859         (JSC::DFG::clobberize):
2860         * dfg/DFGFixupPhase.cpp:
2861         (JSC::DFG::FixupPhase::fixupNode):
2862         * dfg/DFGNode.h:
2863         (JSC::DFG::Node::isBinaryUseKind):
2864         (JSC::DFG::Node::shouldSpeculateOther):
2865         * dfg/DFGNodeType.h:
2866         * dfg/DFGPredictionPropagationPhase.cpp:
2867         (JSC::DFG::PredictionPropagationPhase::propagate):
2868         * dfg/DFGSafeToExecute.h:
2869         (JSC::DFG::safeToExecute):
2870         * dfg/DFGSpeculativeJIT.cpp:
2871         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
2872         (JSC::DFG::SpeculativeJIT::compare):
2873         (JSC::DFG::SpeculativeJIT::compileStrictEq):
2874         * dfg/DFGSpeculativeJIT.h:
2875         * dfg/DFGSpeculativeJIT32_64.cpp:
2876         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
2877         (JSC::DFG::SpeculativeJIT::compile):
2878         * dfg/DFGSpeculativeJIT64.cpp:
2879         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
2880         (JSC::DFG::SpeculativeJIT::compile):
2881         * ftl/FTLCapabilities.cpp:
2882         (JSC::FTL::canCompile):
2883         * ftl/FTLLowerDFGToLLVM.cpp:
2884         (JSC::FTL::LowerDFGToLLVM::compileNode):
2885         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
2886         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
2887         (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
2888         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
2889         (JSC::FTL::LowerDFGToLLVM::isNotOther):
2890         (JSC::FTL::LowerDFGToLLVM::isOther):
2891         (JSC::FTL::LowerDFGToLLVM::speculate):
2892         (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
2893         (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
2894         (JSC::FTL::LowerDFGToLLVM::speculateOther):
2895         (JSC::FTL::LowerDFGToLLVM::speculateMisc):
2896         * tests/stress/compare-strict-eq-integer-to-misc.js: Added.
2897
2898 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
2899
2900         Unreviewed, remove unintended change.
2901
2902         * dfg/DFGDriver.cpp:
2903         (JSC::DFG::compileImpl):
2904
2905 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
2906
2907         jsc commandline shouldn't have a "console" because that confuses some tests into thinking
2908         that they're running in the browser.
2909
2910         Rubber stamped by Mark Hahnenberg.
2911
2912         * jsc.cpp:
2913         (GlobalObject::finishCreation):
2914
2915 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
2916
2917         Out-line ScratchRegisterAllocator
2918
2919         Rubber stamped by Mark Hahnenberg.
2920
2921         * CMakeLists.txt:
2922         * GNUmakefile.list.am:
2923         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2924         * JavaScriptCore.xcodeproj/project.pbxproj:
2925         * dfg/DFGDriver.cpp:
2926         (JSC::DFG::compileImpl):
2927         * jit/ScratchRegisterAllocator.cpp: Added.
2928         (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
2929         (JSC::ScratchRegisterAllocator::~ScratchRegisterAllocator):
2930         (JSC::ScratchRegisterAllocator::lock):
2931         (JSC::ScratchRegisterAllocator::allocateScratch):
2932         (JSC::ScratchRegisterAllocator::allocateScratchGPR):
2933         (JSC::ScratchRegisterAllocator::allocateScratchFPR):
2934         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
2935         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
2936         (JSC::ScratchRegisterAllocator::desiredScratchBufferSize):
2937         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
2938         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
2939         * jit/ScratchRegisterAllocator.h:
2940
2941 2014-03-10  Brent Fulgham  <bfulgham@apple.com>
2942
2943         [Win] Pass environment to Pre-Build, Pre-link, and Post-Build Stages.
2944         https://bugs.webkit.org/show_bug.cgi?id=130023
2945
2946         Reviewed by Dean Jackson.
2947
2948         * JavaScriptCore.vcxproj/JavaScriptCore.proj: Avoid trailing backslashes in
2949         path names to avoid accidental escaping of later string substitutions.
2950
2951 2014-03-10  Andreas Kling  <akling@apple.com>
2952
2953         [X86_64] Smaller code for testb_i8r when register is accumulator.
2954         <https://webkit.org/b/130026>
2955
2956         Generate the shorthand version of "test al, imm" when possible.
2957
2958         Reviewed by Michael Saboff.
2959
2960         * assembler/X86Assembler.h:
2961         (JSC::X86Assembler::testb_i8r):
2962
2963 2014-03-10  Andreas Kling  <akling@apple.com>
2964
2965         [X86_64] Smaller code for sub_ir when register is accumulator.
2966         <https://webkit.org/b/130025>
2967
2968         Generate the shorthand version of "sub eax, imm" when possible.
2969
2970         Reviewed by Michael Saboff.
2971
2972         * assembler/X86Assembler.h:
2973         (JSC::X86Assembler::subl_ir):
2974         (JSC::X86Assembler::subq_ir):
2975
2976 2014-03-10  Andreas Kling  <akling@apple.com>
2977
2978         [X86_64] Smaller code for add_ir when register is accumulator.
2979         <https://webkit.org/b/130024>
2980
2981         Generate the shorthand version of "add eax, imm" when possible.
2982
2983         Reviewed by Michael Saboff.
2984
2985         * assembler/X86Assembler.h:
2986         (JSC::X86Assembler::addl_ir):
2987         (JSC::X86Assembler::addq_ir):
2988
2989 2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>
2990
2991         writeBarrier in emitPutReplaceStub is unnecessary
2992         https://bugs.webkit.org/show_bug.cgi?id=130030
2993
2994         Reviewed by Filip Pizlo.
2995
2996         We already emit write barriers for each put-by-id when they're first compiled, so it's 
2997         redundant to emit a write barrier as part of the repatched code.
2998
2999         * jit/Repatch.cpp:
3000         (JSC::emitPutReplaceStub):
3001
3002 2014-03-10  Andreas Kling  <akling@apple.com>
3003
3004         [X86_64] Smaller code for xor_ir when register is accumulator.
3005         <https://webkit.org/b/130008>
3006
3007         Generate the shorthand version of "xor eax, imm" when possible.
3008
3009         Reviewed by Benjamin Poulain.
3010
3011         * assembler/X86Assembler.h:
3012         (JSC::X86Assembler::xorl_ir):
3013         (JSC::X86Assembler::xorq_ir):
3014
3015 2014-03-10  Andreas Kling  <akling@apple.com>
3016
3017         [X86_64] Smaller code for or_ir when register is accumulator.
3018         <https://webkit.org/b/130007>
3019
3020         Generate the shorthand version of "or eax, imm" when possible.
3021
3022         Reviewed by Benjamin Poulain.
3023
3024         * assembler/X86Assembler.h:
3025         (JSC::X86Assembler::orl_ir):
3026         (JSC::X86Assembler::orq_ir):
3027
3028 2014-03-10  Andreas Kling  <akling@apple.com>
3029
3030         [X86_64] Smaller code for test_ir when register is accumulator.
3031         <https://webkit.org/b/130006>
3032
3033         Generate the shorthand version of "test eax, imm" when possible.
3034
3035         Reviewed by Benjamin Poulain.
3036
3037         * assembler/X86Assembler.h:
3038         (JSC::X86Assembler::testl_i32r):
3039         (JSC::X86Assembler::testq_i32r):
3040
3041 2014-03-10  Andreas Kling  <akling@apple.com>
3042
3043         [X86_64] Smaller code for cmp_ir when register is accumulator.
3044         <https://webkit.org/b/130005>
3045
3046         Generate the shorthand version of "cmp eax, imm" when possible.
3047
3048         Reviewed by Benjamin Poulain.
3049
3050         * assembler/X86Assembler.h:
3051         (JSC::X86Assembler::cmpl_ir):
3052         (JSC::X86Assembler::cmpq_ir):
3053
3054 2014-03-10  Andreas Kling  <akling@apple.com>
3055
3056         [X86_64] Smaller code for store64(imm, address) when imm fits in 32 bits.
3057         <https://webkit.org/b/130002>
3058
3059         Generate this:
3060
3061             mov [address], imm32
3062
3063         Instead of this:
3064
3065             mov scratchRegister, imm32
3066             mov [address], scratchRegister
3067
3068         For store64(imm, address) where the 64-bit immediate can be passed as
3069         a sign-extended 32-bit value.
3070
3071         Reviewed by Benjamin Poulain.
3072
3073         * assembler/MacroAssemblerX86_64.h:
3074         (CAN_SIGN_EXTEND_32_64):
3075         (JSC::MacroAssemblerX86_64::store64):
3076
3077 2014-03-10  Andreas Kling  <akling@apple.com>
3078
3079         [X86_64] Smaller code for xchg_rr when one register is accumulator.
3080         <https://webkit.org/b/130004>
3081
3082         Generate the 1-byte version of "xchg eax, reg" when possible.
3083
3084         Reviewed by Benjamin Poulain.
3085
3086         * assembler/X86Assembler.h:
3087         (JSC::X86Assembler::xchgl_rr):
3088         (JSC::X86Assembler::xchgq_rr):
3089
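        The accumulator short forms in the entries above (add/or/sub/xor/cmp with eax,
        the one-byte xchg eax, reg, and store64 of an immediate that survives
        sign-extension from 32 bits) are worth checking byte by byte: a misencoded
        instruction in a JIT is a memory-safety bug, not a build error. The following
        is an added example, not WebKit's X86Assembler code. It is a small standalone
        encoder that emits both the short and the general forms so the opcode bytes and
        byte counts can be compared against the Intel SDM tables. The register and
        AluOp enums and the function names are this example's own. The sign-extended
        imm8 form (83 /digit ib) is tried first because it is shorter still, and the
        test instruction (A9 id versus F7 /0 id) follows the same accumulator rule and
        is not shown separately.

```cpp
// Added example, not WebKit's X86Assembler: emits the x86-64 encodings the entries
// above switch to, beside the general forms, so the byte savings can be checked
// against the Intel SDM opcode tables (operand order is Intel syntax).
#include <cstdint>
#include <vector>

using Bytes = std::vector<uint8_t>;

// ModRM/REX register numbers: eax..edi = 0..7, r8..r15 = 8..15.
enum Reg : uint8_t { EAX = 0, ECX, EDX, EBX, ESP, EBP, ESI, EDI, R8, R9, R10, R11, R12, R13, R14, R15 };
// Group-1 ALU ops share one encoding scheme; the value is the ModRM.reg "/digit".
enum AluOp { ADD = 0, OR = 1, SUB = 5, XOR = 6, CMP = 7 };

static void emitImm(Bytes& out, uint64_t imm, int bytes) {
    for (int i = 0; i < bytes; ++i)
        out.push_back(static_cast<uint8_t>(imm >> (8 * i)));
}

// Emit a REX prefix only when some bit is set; a bare 0x40 would waste a byte.
static void emitRex(Bytes& out, bool w, Reg reg, Reg rm) {
    uint8_t rex = (w ? 0x48 : 0x40) | (reg >= R8 ? 0x04 : 0) | (rm >= R8 ? 0x01 : 0);
    if (rex != 0x40) out.push_back(rex);
}

// op reg, imm  (w=true selects the 64-bit form; the CPU sign-extends imm32).
// Preference: sign-extended imm8 form, then accumulator short form, then 81 /digit id.
static Bytes aluImm(AluOp op, Reg dst, int32_t imm, bool w) {
    Bytes out;
    emitRex(out, w, EAX, dst);
    if (imm >= -128 && imm <= 127) {             // 83 /digit ib
        out.push_back(0x83);
        out.push_back(0xC0 | (op << 3) | (dst & 7));
        emitImm(out, static_cast<uint8_t>(imm), 1);
    } else if (dst == EAX) {                     // 05/0D/2D/35/3D id: no ModRM byte
        out.push_back(static_cast<uint8_t>((op << 3) | 0x05));
        emitImm(out, static_cast<uint32_t>(imm), 4);
    } else {                                     // 81 /digit id
        out.push_back(0x81);
        out.push_back(0xC0 | (op << 3) | (dst & 7));
        emitImm(out, static_cast<uint32_t>(imm), 4);
    }
    return out;
}

// xchg eax, reg has a one-byte form 90+rd; any other pair needs 87 /r.
// Caveat: xchg eax, eax encodes as 0x90 (NOP) and does not zero-extend into rax.
static Bytes xchgRR(Reg a, Reg b, bool w) {
    Bytes out;
    if (a == EAX || b == EAX) {
        Reg other = (a == EAX) ? b : a;
        emitRex(out, w, EAX, other);
        out.push_back(0x90 + (other & 7));
    } else {
        emitRex(out, w, a, b);
        out.push_back(0x87);
        out.push_back(0xC0 | ((a & 7) << 3) | (b & 7));
    }
    return out;
}

// ModRM (plus the SIB byte or disp8 the encoding forces) for a [base] operand.
static void emitMemBase(Bytes& out, uint8_t regField, Reg base) {
    uint8_t rm = base & 7;
    if (rm == 4) {                // rsp/r12: rm=100 means "SIB follows"
        out.push_back((regField << 3) | 4);
        out.push_back(0x24);
    } else if (rm == 5) {         // rbp/r13: mod=00 rm=101 would mean RIP-relative
        out.push_back(0x40 | (regField << 3) | 5);
        out.push_back(0x00);
    } else {
        out.push_back((regField << 3) | rm);
    }
}

// mov qword [base], imm: one REX.W C7 /0 id when imm survives sign-extension from
// 32 bits; otherwise mov scratch, imm64 (REX.W B8+rd io) then mov [base], scratch.
static Bytes store64Imm(int64_t imm, Reg base, Reg scratch) {
    Bytes out;
    if (imm == static_cast<int64_t>(static_cast<int32_t>(imm))) {
        emitRex(out, true, EAX, base);
        out.push_back(0xC7);
        emitMemBase(out, 0, base);
        emitImm(out, static_cast<uint32_t>(imm), 4);
        return out;
    }
    emitRex(out, true, EAX, scratch);
    out.push_back(0xB8 + (scratch & 7));
    emitImm(out, static_cast<uint64_t>(imm), 8);
    emitRex(out, true, scratch, base);
    out.push_back(0x89);
    emitMemBase(out, scratch & 7, base);
    return out;
}
```

        With this, add eax, 0x1000 is five bytes (05 id) against six for add ecx,
        0x1000 (81 C1 id); xchg eax, ebx is the single byte 93 against 87 CB; and the
        store64 of an imm32-representable value is seven bytes where the
        load-then-store sequence is thirteen. The rsp/r12 and rbp/r13 cases in
        emitMemBase are the usual traps when hand-rolling such encoders.
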
3090 2014-03-09  Filip Pizlo  <fpizlo@apple.com>
3091
3092         GPRInfo::toIndex should return InvalidIndex for non-temp registers on ARM64
3093         https://bugs.webkit.org/show_bug.cgi?id=129998
3094
3095         Reviewed by Geoffrey Garen.
3096         
3097         Not only is that the established contract, but this is used to signal to
3098         ScratchRegisterAllocator that the register doesn't need locking since it isn't a register
3099         that this allocator would use. In the FTL, we may have an inline cache where LLVM had used
3100         some non-temp register (i.e. a register that JSC itself wouldn't have used). This is totally
3101         fine but previously it would have led to either an assertion failure, or data corruption, in
3102         the ScratchRegisterAllocator.
3103
3104         * jit/GPRInfo.h:
3105         (JSC::GPRInfo::toIndex):
3106
3107 2014-03-09  Filip Pizlo  <fpizlo@apple.com>
3108
3109         FTL fails the new equals-masquerader strictEqualConstant test
3110         https://bugs.webkit.org/show_bug.cgi?id=129996
3111
3112         Reviewed by Mark Lam.
3113         
3114         It turns out that the FTL was trying to do the masquerading stuff for ===null. But
3115         that's wrong since none of the other engines do it. The DFG even had an ancient
3116         FIXME about doing it - but that doesn't make sense since the LLInt and baseline JIT
3117         don't do it and JSValue::strictEqual() doesn't do it.
3118         
3119         Remove the FIXME and remove the extra checks in the FTL.
3120         
3121         This is a glorious patch: nothing but red and it fixes a test failure.
3122
3123         * dfg/DFGSpeculativeJIT.cpp:
3124         (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
3125         * ftl/FTLLowerDFGToLLVM.cpp:
3126         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
3127
3128 2014-03-09  Andreas Kling  <akling@apple.com>
3129
3130         Short-circuit JSGlobalObjectInspectorController when not inspecting.
3131         <https://webkit.org/b/129995>
3132
3133         Add an early return in reportAPIException() when the console agent
3134         is disabled. This avoids expensive symbolication during exceptions
3135         if there's nobody expecting the fancy backtrace anyway.
3136
3137         ~2% progression on DYEB on my MBP.
3138
3139         Reviewed by Geoff Garen.
3140
3141         * inspector/JSGlobalObjectInspectorController.cpp:
3142         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
3143
3144 2014-03-09  Andreas Kling  <akling@apple.com>
3145
3146         Inline the trivial parts of GC deferral.
3147         <https://webkit.org/b/129984>
3148
3149         Made most of the functions called by the DeferGC RAII object inline
3150         to avoid function call overhead.
3151
3152         Looks like ~1% progression on DYEB.
3153
3154         Reviewed by Geoffrey Garen.
3155
3156         * heap/Heap.cpp:
3157         * heap/Heap.h:
3158         (JSC::Heap::incrementDeferralDepth):
3159         (JSC::Heap::decrementDeferralDepth):
3160         (JSC::Heap::collectIfNecessaryOrDefer):
3161         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
3162
3163 2014-03-08  Mark Lam  <mark.lam@apple.com>
3164
3165         32-bit x86 handleUncaughtException returns to wrong location after a stack overflow.
3166         <https://webkit.org/b/129969>
3167
3168         Reviewed by Geoffrey Garen.
3169
3170         The 32-bit version of handleUncaughtException was missing the handling of an
3171         edge case for stack overflows where the current frame may already be the
3172         sentinel frame.  This edge case was handled in the 64-bit version.  The fix
3173         is to bring the 32-bit version up to parity.
3174
3175         * jit/JIT.cpp:
3176         (JSC::JIT::privateCompile):
3177         * llint/LowLevelInterpreter32_64.asm:
3178
3179 2014-03-07  Mark Lam  <mark.lam@apple.com>
3180
3181         Fix bugs in 32-bit Structure implementation.
3182         <https://webkit.org/b/129947>
3183
3184         Reviewed by Mark Hahnenberg.
3185
3186         Added the loading of the Structure (from the JSCell) before use that was
3187         missing in a few places.  Also added more test cases to equals-masquerader.js.
3188
3189         * dfg/DFGSpeculativeJIT32_64.cpp:
3190         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
3191         (JSC::DFG::SpeculativeJIT::compile):
3192         * dfg/DFGSpeculativeJIT64.cpp:
3193         (JSC::DFG::SpeculativeJIT::compile):
3194         * llint/LowLevelInterpreter32_64.asm:
3195         * tests/stress/equals-masquerader.js:
3196         (equalsNull):
3197         (notEqualsNull):
3198         (strictEqualsNull):
3199         (strictNotEqualsNull):
3200         (equalsUndefined):
3201         (notEqualsUndefined):
3202         (strictEqualsUndefined):
3203         (strictNotEqualsUndefined):
3204         (isFalsey):
3205         (test):
3206
3207 2014-03-07  Andrew Trick  <atrick@apple.com>
3208
3209         Temporarily disable repeat-out-of-bounds stress tests pending fix for 129953.
3210         https://bugs.webkit.org/show_bug.cgi?id=129954
3211
3212         Reviewed by Filip Pizlo.
3213
3214         * tests/stress/float32-repeat-out-of-bounds.js:
3215         * tests/stress/int8-repeat-out-of-bounds.js:
3216
3217 2014-03-07  Michael Saboff  <msaboff@apple.com>
3218
3219         .cfi directives in LowLevelInterpreter.cpp are providing no benefit
3220         https://bugs.webkit.org/show_bug.cgi?id=129945
3221
3222         Reviewed by Mark Lam.
3223
3224         Removed .cfi directive.  Verified that stack traces didn't regress in crash reporter
3225         or in lldb.
3226
3227         * llint/LowLevelInterpreter.cpp:
3228
3229 2014-03-07  Oliver Hunt  <oliver@apple.com>
3230
3231         Continue hangs when performing for-of over arguments
3232         https://bugs.webkit.org/show_bug.cgi?id=129915
3233
3234         Reviewed by Geoffrey Garen.
3235
3236         Put the continue label in the right place
3237
3238         * bytecompiler/BytecodeGenerator.cpp:
3239         (JSC::BytecodeGenerator::emitEnumeration):
3240
3241 2014-03-07  peavo@outlook.com  <peavo@outlook.com>
3242
3243         [Win64] Compile error after r165128.
3244         https://bugs.webkit.org/show_bug.cgi?id=129807
3245
3246         Reviewed by Mark Lam.
3247
3248         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: 
3249         Check platform environment variable to determine if an assembler file should be generated.
3250
3251 2014-03-07  Michael Saboff  <msaboff@apple.com>
3252
3253         Clarify how we deal with "special" registers
3254         https://bugs.webkit.org/show_bug.cgi?id=129806
3255
3256         Already reviewed change being relanded.
3257
3258         Relanding change set r165196 as it wasn't responsible for the breakage reported in
3259         https://bugs.webkit.org/show_bug.cgi?id=129822.  That appears to be a build or
3260         configuration issue.
3261
3262         Reviewed by Michael Saboff.
3263
3264         * assembler/ARM64Assembler.h:
3265         (JSC::ARM64Assembler::lastRegister):
3266         * assembler/MacroAssembler.h:
3267         (JSC::MacroAssembler::nextRegister):
3268         * ftl/FTLLocation.cpp:
3269         (JSC::FTL::Location::restoreInto):
3270         * ftl/FTLSaveRestore.cpp:
3271         (JSC::FTL::saveAllRegisters):
3272         (JSC::FTL::restoreAllRegisters):
3273         * ftl/FTLSlowPathCall.cpp:
3274         * jit/RegisterSet.cpp:
3275         (JSC::RegisterSet::reservedHardwareRegisters):
3276         (JSC::RegisterSet::runtimeRegisters):
3277         (JSC::RegisterSet::specialRegisters):
3278         (JSC::RegisterSet::calleeSaveRegisters):
3279         * jit/RegisterSet.h:
3280
3281 2014-03-07  Mark Hahnenberg  <mhahnenberg@apple.com>
3282
3283         Move GCActivityCallback to heap
3284         https://bugs.webkit.org/show_bug.cgi?id=129457
3285
3286         Reviewed by Geoffrey Garen.
3287
3288         All the other GC timer related stuff is there already.
3289
3290         * CMakeLists.txt:
3291         * GNUmakefile.list.am:
3292         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3293         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3294         * JavaScriptCore.xcodeproj/project.pbxproj:
3295         * heap/GCActivityCallback.cpp: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.cpp.
3296         * heap/GCActivityCallback.h: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.h.
3297         * runtime/GCActivityCallback.cpp: Removed.
3298         * runtime/GCActivityCallback.h: Removed.
3299
3300 2014-03-07  Andrew Trick  <atrick@apple.com>
3301
3302         Correct a comment typo from:
3303         FLT should call fmod directly on platforms where LLVM cannot relocate the libcall
3304         https://bugs.webkit.org/show_bug.cgi?id=129865
3305
3306         Reviewed by Mark Lam.
3307
3308         * ftl/FTLOutput.h:
3309         (JSC::FTL::Output::doubleRem):
3310
3311 2014-03-07  Mark Hahnenberg  <mhahnenberg@apple.com>
3312
3313         Use OwnPtr in StructureIDTable
3314         https://bugs.webkit.org/show_bug.cgi?id=129828
3315
3316         Reviewed by Geoffrey Garen.
3317
3318         This reduces the amount of boilerplate and fixes a memory leak.
3319
3320         * runtime/StructureIDTable.cpp:
3321         (JSC::StructureIDTable::StructureIDTable):
3322         (JSC::StructureIDTable::resize):
3323         (JSC::StructureIDTable::flushOldTables):
3324         (JSC::StructureIDTable::allocateID):
3325         (JSC::StructureIDTable::deallocateID):
3326         * runtime/StructureIDTable.h:
3327         (JSC::StructureIDTable::table):
3328         (JSC::StructureIDTable::get):
3329
3330 2014-03-07  Andrew Trick  <atrick@apple.com>
3331
3332         FLT should call fmod directly on platforms where LLVM cannot relocate the libcall
3333         https://bugs.webkit.org/show_bug.cgi?id=129865
3334
3335         Reviewed by Filip Pizlo.
3336
3337         * ftl/FTLIntrinsicRepository.h:
3338         * ftl/FTLOutput.h:
3339         (JSC::FTL::Output::doubleRem):
3340
3341 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
3342
3343         If the FTL is build-time enabled then it should be run-time enabled.
3344
3345         Rubber stamped by Geoffrey Garen.
3346
3347         * runtime/Options.cpp:
3348         (JSC::recomputeDependentOptions):
3349         * runtime/Options.h:
3350
3351 2014-03-06  Joseph Pecoraro  <pecoraro@apple.com>
3352
3353         [OS X] Web Inspector: Allow Apps using JavaScriptCore to access "com.apple.webinspector" mach port
3354         https://bugs.webkit.org/show_bug.cgi?id=129852
3355
3356         Reviewed by Geoffrey Garen.
3357
3358         * framework.sb: Added.
3359         Sandbox extension to allow access to "com.apple.webinspector".
3360
3361         * JavaScriptCore.xcodeproj/project.pbxproj:
3362         Add a Copy Resources build phase and include framework.sb.
3363
3364         * Configurations/JavaScriptCore.xcconfig:
3365         Do not copy framework.sb on iOS.
3366
3367 2014-03-06  Mark Hahnenberg  <mhahnenberg@apple.com>
3368
3369         JSGlobalContextRelease incorrectly handles saving/restoring IdentifierTable
3370         https://bugs.webkit.org/show_bug.cgi?id=129858
3371
3372         Reviewed by Mark Lam.
3373
3374         It was correct (but really ugly) prior to the combining of APIEntryShim and JSLock, 
3375         but now it ends up overwriting the IdentifierTable that JSLock just restored.
3376
3377         * API/JSContextRef.cpp:
3378         (JSGlobalContextRelease):
3379
3380 2014-03-06  Oliver Hunt  <oliver@apple.com>
3381
3382         Fix FTL build.
3383
3384         * dfg/DFGConstantFoldingPhase.cpp:
3385         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3386
3387 2014-03-06  Brent Fulgham  <bfulgham@apple.com>
3388
3389         Unreviewed build fix after r165128.
3390
3391         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: The SEH flag was not getting set when
3392         performing 'Production' and 'DebugSuffix' type builds.
3393
3394 2014-03-06  Julien Brianceau  <jbriance@cisco.com>
3395
3396         Unreviewed, fix style in my previous commit.
3397         https://bugs.webkit.org/show_bug.cgi?id=129833
3398
3399         * runtime/JSConsole.cpp:
3400
3401 2014-03-06  Julien Brianceau  <jbriance@cisco.com>
3402
3403         Build fix: add missing include in JSConsole.cpp.
3404         https://bugs.webkit.org/show_bug.cgi?id=129833
3405
3406         Reviewed by Oliver Hunt.
3407
3408         * runtime/JSConsole.cpp:
3409
3410 2014-03-06  Oliver Hunt  <oliver@apple.com>
3411
3412         Fix ARMv7
3413
3414         * jit/CCallHelpers.h:
3415         (JSC::CCallHelpers::setupArgumentsWithExecState):
3416
3417 2014-03-06  Commit Queue  <commit-queue@webkit.org>
3418
3419         Unreviewed, rolling out r165196.
3420         http://trac.webkit.org/changeset/165196
3421         https://bugs.webkit.org/show_bug.cgi?id=129822
3422
3423         broke arm64 on hardware (Requested by bfulgham on #webkit).