2f5779f3eecb96d72d7f20e689d9a4e26d317571
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-03-23  Hyowon Kim  <hw1008.kim@samsung.com>

        Move all EFL typedefs into EflTypedefs.h.
        https://bugs.webkit.org/show_bug.cgi?id=130511

        Reviewed by Gyuyoung Kim

        * heap/HeapTimer.h: Remove EFL typedefs.

2014-03-23  Filip Pizlo  <fpizlo@apple.com>

        Gotta grow the locals vectors if we are about to do SetLocals beyond the bytecode's numCalleeRegisters
        https://bugs.webkit.org/show_bug.cgi?id=130650
        <rdar://problem/16122966>

        Reviewed by Michael Saboff.

        Previously, it was only in the case of inlining that we would do SetLocal's beyond the
        previously established numLocals limit. But then we added generalized op_call_varargs
        handling, which results in us emitting SetLocals that didn't previously exist in the
        bytecode.

        This factors out the inliner's ensureLocals loop and calls it from op_call_varargs.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ensureLocals):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub): Make this do alignment correctly.
        * runtime/Options.h:
        * tests/stress/call-varargs-from-inlined-code.js: Added.
        * tests/stress/call-varargs-from-inlined-code-with-odd-number-of-arguments.js: Added.

2014-03-22  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, adjust sizes for ARM64.

        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfCall):

2014-03-22  Filip Pizlo  <fpizlo@apple.com>

        Protect the silent spiller/filler's desire to fill Int32Constants by making sure that we don't mark something as having an Int32 register format if it's a non-Int32 constant
        https://bugs.webkit.org/show_bug.cgi?id=130649
        <rdar://problem/16399949>

        Reviewed by Andreas Kling.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        * tests/stress/fuzz-bug-16399949.js: Added.
        (tryItOut.f):
        (tryItOut):

2014-03-22  Filip Pizlo  <fpizlo@apple.com>

        Call linking slow paths should be passed a CallLinkInfo* directly so that you can create a call IC without adding it to any CodeBlocks
        https://bugs.webkit.org/show_bug.cgi?id=130644

        Reviewed by Andreas Kling.

        This is conceptually a really simple change but it involves the following:

        - The inline part of the call IC stuffs a pointer to the CallLinkInfo into regT2.

        - CodeBlock uses a Bag of CallLinkInfos instead of a Vector.

        - Remove the significance of a CallLinkInfo's index. This means that DFG::JITCode no
          longer has a vector of slow path counts that shadows the CallLinkInfo vector.

        - Make CallLinkInfo have its own slowPathCount, which counts actual slow path executions
          and not all relinking.

        This makes planting JS->JS calls inside other inline caches or stubs a lot easier, since
        the CallLinkInfo and the call IC slow paths no longer rely on the call being associated
        with an op_call/op_construct instruction and a machine code return PC within such an
        instruction.

        * bytecode/CallLinkInfo.h:
        (JSC::getCallLinkInfoCodeOrigin):
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        (JSC::CallLinkStatus::computeDFGStatuses):
        * bytecode/CallLinkStatus.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::getCallLinkInfoMap):
        (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
        (JSC::CodeBlock::addCallLinkInfo):
        (JSC::CodeBlock::unlinkCalls):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::stubInfoBegin):
        (JSC::CodeBlock::stubInfoEnd):
        (JSC::CodeBlock::callLinkInfosBegin):
        (JSC::CodeBlock::callLinkInfosEnd):
        (JSC::CodeBlock::byValInfo):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGJITCode.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addJSCall):
        (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfCall):
        * ftl/FTLJSCall.cpp:
        (JSC::FTL::JSCall::JSCall):
        (JSC::FTL::JSCall::emit):
        (JSC::FTL::JSCall::link):
        * ftl/FTLJSCall.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        (JSC::operationLinkFor):
        (JSC::operationVirtualFor):
        (JSC::operationLinkClosureCallFor):
        * jit/Repatch.cpp:
        (JSC::linkClosureCall):
        * jit/ThunkGenerators.cpp:
        (JSC::slowPathFor):
        (JSC::virtualForThunkGenerator):
        * tests/stress/eval-that-is-not-eval.js: Added.

2014-03-22  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix misspelled test name.

        * tests/stress/constand-folding-osr-exit.js: Removed.
        * tests/stress/constant-folding-osr-exit.js: Copied from Source/JavaScriptCore/tests/stress/constand-folding-osr-exit.js.

2014-03-22  Andreas Kling  <akling@apple.com>

        CREATE_DOM_WRAPPER doesn't need the ExecState.
        <https://webkit.org/b/130648>

        Add a fast path from JSGlobalObject to the VM so we don't have
        to dance via the Heap.

        Reviewed by Darin Adler.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::vm):

2014-03-22  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix FTL build.

        * ftl/FTLJITFinalizer.cpp:

2014-03-22  Michael Saboff  <msaboff@apple.com>

        toThis() on a JSWorkerGlobalScope should return a JSProxy and not undefined
        https://bugs.webkit.org/show_bug.cgi?id=130554

        Reviewed by Geoffrey Garen.

        Fixed toThis() on WorkerGlobalScope to return a JSProxy instead of the JSGlobalObject.
        Did some cleanup as well.  Moved the setting of the thisObject in a JSGlobalObject to
        happen in finishCreation() so that it will also happen for other derived classes including
        JSWorkerGlobalScopeBase.

        * API/JSContextRef.cpp:
        (JSGlobalContextCreateInGroup):
        * jsc.cpp:
        (GlobalObject::create):
        * API/tests/testapi.c:
        (globalObject_initialize): Eliminated ASSERT that the global object we are creating matches
        the result from JSContextGetGlobalObject() as that will return the proxy.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init): Removed thisValue parameter and the call to setGlobalThis() since
        we now call setGlobalThis in finishCreation().
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::finishCreation):
        (JSC::JSGlobalObject::setGlobalThis): Made this a private method.

2014-03-22  Andreas Kling  <akling@apple.com>

        Fix debug build.

        * bytecode/CodeBlock.cpp:
        * runtime/Executable.cpp:

2014-03-22  Andreas Kling  <akling@apple.com>

        Cut down on JSC profiler includes in WebCore & co.
        <https://webkit.org/b/130637>

        Most of WebKit was pulling in JSC's profiler headers via VM.h.

        Reviewed by Darin Adler.

        * dfg/DFGDisassembler.cpp:
        * dfg/DFGDisassembler.h:
        * dfg/DFGJITFinalizer.cpp:
        * jsc.cpp:
        * runtime/VM.cpp:
        * runtime/VM.h:

2014-03-22  Landry Breuil <landry@openbsd.org>

        Use pthread_stackseg_np() to find the stack bounds on OpenBSD.
        https://bugs.webkit.org/show_bug.cgi?id=129965

        Reviewed by Anders Carlsson.

2014-03-21  Mark Lam  <mark.lam@apple.com>

        Crash when BytecodeGenerator::emitJump calls Label::bind on null pointer.
        <https://webkit.org/b/124508>

        Reviewed by Oliver Hunt.

        The issue is that BreakNode::emitBytecode() is holding onto a LabelScope
        pointer from the BytecodeGenerator's m_localScopes vector, and then it
        calls emitPopScopes().  emitPopScopes() may do finally clause handling
        which will require the m_localScopes to be cloned so that it can change
        the local scopes for the finally block, and then restore it after
        handling the finally clause.  These modifications of the m_localScopes
        vector will result in the LabelScope pointer in BreakNode::emitBytecode()
        becoming stale, thereby causing the crash.

        The same issue applies to the ContinueNode as well.

        The fix is to use the existing LabelScopePtr abstraction instead of raw
        LabelScope pointers.  The LabelScopePtr is resilient to the underlying
        vector re-allocating its backing store.

        I also changed the LabelScopePtr constructor that takes a LabelScopeStore
        to expect a reference to the owner store instead of a pointer because the
        owner store should never be a null pointer.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::newLabelScope):
        (JSC::BytecodeGenerator::breakTarget):
        (JSC::BytecodeGenerator::continueTarget):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/LabelScope.h:
        (JSC::LabelScopePtr::LabelScopePtr):
        (JSC::LabelScopePtr::operator bool):
        (JSC::LabelScopePtr::null):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ContinueNode::trivialTarget):
        (JSC::ContinueNode::emitBytecode):
        (JSC::BreakNode::trivialTarget):
        (JSC::BreakNode::emitBytecode):
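
A stand-alone illustration of the stale-pointer pattern the entry above describes, added here as an example; it is not WebKit's code, and LabelScope, ScopeHandle and growScopes are constructed stand-ins for the generator's types. It shows a raw pointer into a std::vector becoming dangling once the vector reallocates, and an index-based handle (the idea behind LabelScopePtr, re-implemented in simplified form) surviving the same growth:

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed stand-in for the bytecode generator's scope record.
struct LabelScope {
    int depth;
};

// Index-based handle: it re-resolves through the owning store on every
// access, so it stays valid when the store reallocates. (Simplified
// re-implementation of the LabelScopePtr idea, not JSC's class.)
class ScopeHandle {
public:
    ScopeHandle(std::vector<LabelScope>& store, size_t index)
        : m_store(&store), m_index(index) {}
    LabelScope& get() const { return (*m_store)[m_index]; }
private:
    std::vector<LabelScope>* m_store;   // owner store, never null by construction
    size_t m_index;
};

// Stands in for the finally-clause handling that grows/clones the scope
// vector while a caller still holds something pointing into it.
static void growScopes(std::vector<LabelScope>& scopes, size_t extra) {
    for (size_t i = 0; i < extra; ++i)
        scopes.push_back(LabelScope{ static_cast<int>(scopes.size()) });
}

// Bug pattern: returns true when the address taken before growth no longer
// matches the element's address afterwards. Only the saved integer address
// is compared; the stale pointer itself is never dereferenced.
bool rawPointerWentStale() {
    std::vector<LabelScope> scopes;
    scopes.reserve(1);
    scopes.push_back(LabelScope{0});
    auto before = reinterpret_cast<std::uintptr_t>(&scopes[0]);
    growScopes(scopes, 1);   // capacity 1 -> one forced reallocation
    return before != reinterpret_cast<std::uintptr_t>(&scopes[0]);
}

// Fixed pattern: the same scenario through the handle reads the right record.
int handleDepthAfterGrowth() {
    std::vector<LabelScope> scopes;
    scopes.reserve(1);
    scopes.push_back(LabelScope{7});
    ScopeHandle handle(scopes, 0);
    growScopes(scopes, 64);
    return handle.get().depth;
}
```

rawPointerWentStale() returns true and handleDepthAfterGrowth() returns 7; the handle costs one extra indirection per access, which is the price of not caching an address whose lifetime the caller does not control.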

2014-03-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        6% SunSpider commandline regression due to r165940
        https://bugs.webkit.org/show_bug.cgi?id=130617

        Reviewed by Michael Saboff.

        In GCActivityCallback::didAllocate, lastGCLength() returns 0 if we've never collected
        before. Some of the benchmarks are never running a single EdenCollection, which causes
        them to repeatedly call scheduleTimer with a newDelay of 0. This defeats our timer
        slop heuristic, causing us to invoke CFRunLoopTimerSetNextFireDate a couple orders of
        magnitude more than we normally would.

        The fix is to seed the last GC lengths in Heap with a non-zero length so that our heuristic works.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):

2014-03-21  Filip Pizlo  <fpizlo@apple.com>

        Constants folded by DFG::ByteCodeParser should not be dead.
        https://bugs.webkit.org/show_bug.cgi?id=130576

        Reviewed by Mark Hahnenberg.

        This fixes bugs in the ByteCodeParser's constant folder by removing that constant folder. This
        reduces the number of folders in JSC from fourish to just threeish (parser, DFG AI, and one
        or more folders in LLVM). Doing so has no performance impact since the other constant folders
        already subsume this one.

        Also added a test case for the specific bug that instigated this.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getJSConstantForValue):
        (JSC::DFG::ByteCodeParser::getJSConstant):
        (JSC::DFG::ByteCodeParser::inferredConstant):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        * dfg/DFGNodeFlags.h:
        * tests/stress/constand-folding-osr-exit.js: Added.
        (foo):
        (test):
        (.var):

2014-03-21  Mark Lam  <mark.lam@apple.com>

        StackLayoutPhase should find the union'ed calleeVariable before accessing its machineLocal.
        <https://webkit.org/b/130566>

        Reviewed by Filip Pizlo.

        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):

2014-03-20  Filip Pizlo  <fpizlo@apple.com>

        FTL should correctly compile GetByVal on Uint32Array that claims to return non-int32 values
        https://bugs.webkit.org/show_bug.cgi?id=130562
        <rdar://problem/16382842>

        Reviewed by Geoffrey Garen.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        * tests/stress/uint32array-unsigned-load.js: Added.
        (foo):

2014-03-20  Brian Burg  <bburg@apple.com>

        Web Inspector: add frontend controller and models for replay sessions
        https://bugs.webkit.org/show_bug.cgi?id=130145

        Reviewed by Joseph Pecoraro.

        * inspector/scripts/CodeGeneratorInspector.py: Add the conditional Replay domain.

2014-03-20  Filip Pizlo  <fpizlo@apple.com>

        FTL ValueToInt32 mishandles the constant case, and by the way, there is a constant case that the FTL sees
        https://bugs.webkit.org/show_bug.cgi?id=130546
        <rdar://problem/16383308>

        Reviewed by Mark Hahnenberg.

        Make AI do a better job of folding this.

        Also made the FTL backend be more tolerant of data representations. In this case it
        didn't know that "constant" was a valid representation. There is a finite set of
        possible representations, but broadly, we don't write code that presumes anything
        about the representation of an input; that's what methods like lowJSValue() are for.
        ValueToInt32 was previously not relying on those methods at all because it had some
        hacks. Now, those hacks are just a fast-path optimization but ultimately we fall down
        to lowJSValue().

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
        (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
        * tests/stress/value-to-int32-undefined-constant.js: Added.
        (foo):
        * tests/stress/value-to-int32-undefined.js: Added.
        (foo):

2014-03-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add some assertions back
        https://bugs.webkit.org/show_bug.cgi?id=130531

        Reviewed by Geoffrey Garen.

        We removed a useful set of assertions for verifying that MarkedBlocks were
        in the state that we expected them to be in after clearing marks in the Heap.
        We should add these back to catch bugs earlier.

        * heap/MarkedBlock.h:
        * heap/MarkedSpace.cpp:
        (JSC::VerifyMarkedOrRetired::operator()):
        (JSC::MarkedSpace::clearMarks):

2014-03-20  Filip Pizlo  <fpizlo@apple.com>

        Implement stackmap header version check and support new stackmap formats
        https://bugs.webkit.org/show_bug.cgi?id=130535
        <rdar://problem/16164284>

        Reviewed by Geoffrey Garen.

        Add the notion of versioning so that LLVMers can happily implement new stackmap formats
        without worrying about WebKit getting version-locked to LLVM. In the future, we will have
        to implement parsing for a new LLVM stackmap format before it lands in LLVM, or we'll have
        to have a "max usable LLVM revision" limit. But, thanks to versioning, we'll always be
        happy to move backward in time to older versions of LLVM.

        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::readObject):
        (JSC::FTL::StackMaps::Constant::parse):
        (JSC::FTL::StackMaps::StackSize::parse):
        (JSC::FTL::StackMaps::Location::parse):
        (JSC::FTL::StackMaps::Record::parse):
        (JSC::FTL::StackMaps::parse):
        (JSC::FTL::StackMaps::dump):
        (JSC::FTL::StackMaps::dumpMultiline):
        * ftl/FTLStackMaps.h:
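
An added example, not WebKit's FTLStackMaps parser, of the version-check discipline the entry above describes, on a constructed toy header layout (the field list in the comment is an assumption for this example, not LLVM's real stackmap format): the version byte is read before anything version-specific, unknown versions are refused rather than guessed at, and every field read is bounds-checked against the buffer:

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed toy layout for this example (not the real LLVM stackmap format):
//   v1: u8 version, u8 reserved, u16 reserved, u32 numFunctions, u32 numConstants, u32 numRecords
//   v2: as v1, with a u32 flags word inserted after the reserved u16
struct Header {
    uint8_t version = 0;
    uint32_t flags = 0;          // only present from v2 on
    uint32_t numFunctions = 0;
    uint32_t numConstants = 0;
    uint32_t numRecords = 0;
};

enum class ParseStatus { Ok, Truncated, UnsupportedVersion };

// Bounds-checked little-endian reader: a read that would run past the end
// of the buffer fails instead of reading out of bounds.
class Reader {
public:
    explicit Reader(const std::vector<uint8_t>& bytes) : m_bytes(bytes) {}
    bool readU8(uint8_t& out) {
        if (m_bytes.size() - m_offset < 1) return false;
        out = m_bytes[m_offset++];
        return true;
    }
    bool readU16(uint16_t& out) {
        uint32_t v;
        if (!readLE(2, v)) return false;
        out = static_cast<uint16_t>(v);
        return true;
    }
    bool readU32(uint32_t& out) { return readLE(4, out); }
private:
    bool readLE(size_t width, uint32_t& out) {
        if (m_bytes.size() - m_offset < width) return false;   // m_offset <= size() always
        out = 0;
        for (size_t i = 0; i < width; ++i)
            out |= static_cast<uint32_t>(m_bytes[m_offset + i]) << (8 * i);
        m_offset += width;
        return true;
    }
    const std::vector<uint8_t>& m_bytes;
    size_t m_offset = 0;
};

ParseStatus parseHeader(const std::vector<uint8_t>& bytes, Header& header) {
    Reader r(bytes);
    uint8_t reserved8;
    uint16_t reserved16;
    if (!r.readU8(header.version) || !r.readU8(reserved8) || !r.readU16(reserved16))
        return ParseStatus::Truncated;
    // Pick the layout from the version before touching any version-specific field.
    switch (header.version) {
    case 1:
        break;
    case 2:
        if (!r.readU32(header.flags)) return ParseStatus::Truncated;
        break;
    default:
        return ParseStatus::UnsupportedVersion;   // newer or unknown: refuse, don't guess
    }
    if (!r.readU32(header.numFunctions) || !r.readU32(header.numConstants) || !r.readU32(header.numRecords))
        return ParseStatus::Truncated;
    return ParseStatus::Ok;
}

// Helpers to build constructed sample input.
static std::vector<uint8_t> le32(uint32_t v) {
    return { uint8_t(v), uint8_t(v >> 8), uint8_t(v >> 16), uint8_t(v >> 24) };
}
static void append(std::vector<uint8_t>& dst, const std::vector<uint8_t>& src) {
    dst.insert(dst.end(), src.begin(), src.end());
}

// Constructed v2 header: flags = 1, 3 functions, 5 constants, 9 records.
std::vector<uint8_t> sampleV2() {
    std::vector<uint8_t> b = { 2, 0, 0, 0 };   // version 2 plus reserved bytes
    append(b, le32(1));
    append(b, le32(3));
    append(b, le32(5));
    append(b, le32(9));
    return b;
}

// Convenience wrappers for exercising the parser on a byte buffer.
ParseStatus statusOf(const std::vector<uint8_t>& bytes) { Header h; return parseHeader(bytes, h); }
uint32_t recordsOf(const std::vector<uint8_t>& bytes) { Header h; parseHeader(bytes, h); return h.numRecords; }
```

Feeding sampleV2() through parseHeader() yields Ok with numRecords 9; a buffer whose first byte is an unknown version yields UnsupportedVersion before any further field is interpreted, and a v2 buffer cut off inside the flags word yields Truncated rather than an out-of-bounds read.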

2014-03-20  Filip Pizlo  <fpizlo@apple.com>

        Crash beneath operationTearOffActivation running this JS compression demo
        https://bugs.webkit.org/show_bug.cgi?id=130295
        <rdar://problem/16332337>

        Reviewed by Oliver Hunt.

        Make sure that we flush things as if we were at a terminal, if we are at a block with
        no forward edges. This fixes infinitely loopy code with captured variables.

        Make sure that the CFG simplifier adds explicit flushes whenever it jettisons a block.

        Make it so that NodeIsFlushed is a thing. Previously only SSA used it and it computed
        it by itself. Now it's an artifact of CPS rethreading.

        Add a bunch of tests. All of them previously either crashed or returned bad output due
        to memory corruption.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::isCaptured):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::flushForTerminal):
        (JSC::DFG::ByteCodeParser::flushForReturn):
        (JSC::DFG::ByteCodeParser::flushIfTerminal):
        (JSC::DFG::ByteCodeParser::branchData):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::run):
        (JSC::DFG::CPSRethreadingPhase::computeIsFlushed):
        (JSC::DFG::CPSRethreadingPhase::addFlushedLocalOp):
        (JSC::DFG::CPSRethreadingPhase::addFlushedLocalEdge):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::clearFlagsOnAllNodes):
        * dfg/DFGGraph.h:
        * dfg/DFGNode.h:
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeFlags.h:
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * tests/stress/activation-test-loop.js: Added.
        (Inner.this.doStuff):
        (Inner):
        (foo.inner.isDone):
        (foo):
        * tests/stress/inferred-infinite-loop-that-uses-captured-variables.js: Added.
        (bar):
        (foo):
        (noInline):
        * tests/stress/infinite-loop-that-uses-captured-variables-before-throwing.js: Added.
        (bar):
        (foo):
        (noInline):
        * tests/stress/infinite-loop-that-uses-captured-variables-but-they-do-not-escape.js: Added.
        (bar):
        (foo):
        (noInline):
        * tests/stress/infinite-loop-that-uses-captured-variables-with-osr-entry.js: Added.
        (bar):
        (foo):
        (noInline):
        * tests/stress/infinite-loop-that-uses-captured-variables.js: Added.
        (bar):
        (foo):
        (noInline):
        * tests/stress/tricky-indirectly-inferred-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
        (bar):
        (fuzz):
        (foo.f):
        (foo):
        * tests/stress/tricky-inferred-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
        (bar):
        (foo.f):
        (foo):
        * tests/stress/tricky-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
        (bar):
        (foo.f):
        (foo):
        * tests/stress/tricky-infinite-loop-that-uses-captured-variables.js: Added.
        (bar):
        (foo):
        (noInline):

2014-03-20  Oliver Hunt  <oliver@apple.com>

        Incorrect behavior when mutating a typed array during set.
        https://bugs.webkit.org/show_bug.cgi?id=130428

        Reviewed by Geoffrey Garen.

        This fixes a null dereference that occurs if a typed array
        is mutated during the set() operation. The patch gets rid
        of the "Quickly" version of setIndex that is assigning
        JSValues of unknown type, as the numeric conversion can trigger
        side effects that lead to neutering, and so we deref null.

        * runtime/JSGenericTypedArrayView.h:
        (JSC::JSGenericTypedArrayView::setIndex):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::set):
        (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
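
An added example, not JSC's JSGenericTypedArrayView, of the re-validation the fix above calls for; View, Value and the neutering callback are constructed stand-ins. The hardened setter converts each value (a conversion that may detach the view) and only then re-fetches the backing store and length before writing; the bug pattern is shown by checking, rather than using, a pointer that was cached before the conversions ran:

```cpp
#include <cstddef>
#include <cstdint>
#include <functional>
#include <vector>

// Constructed stand-in for a typed array view whose backing store can be
// detached ("neutered") while a set() is in progress.
struct View {
    std::vector<int32_t> storage;
    bool neutered = false;
    int32_t* data() { return neutered ? nullptr : storage.data(); }
    size_t length() const { return neutered ? 0 : storage.size(); }
    void neuter() { neutered = true; storage.clear(); }
};

// A "value of unknown type": converting it to a number may run arbitrary
// script, modelled here as a callback that receives the view.
struct Value {
    int32_t number;
    std::function<void(View&)> sideEffect;   // may neuter the view
    int32_t toNumber(View& view) const {
        if (sideEffect) sideEffect(view);
        return number;
    }
};

// Hardened setIndex loop: convert first, then re-validate the view before
// touching its storage. Returns how many elements were written.
size_t setIndexSafely(View& view, const std::vector<Value>& values) {
    size_t written = 0;
    for (size_t i = 0; i < values.size(); ++i) {
        int32_t n = values[i].toNumber(view);   // may detach the view
        int32_t* data = view.data();            // re-fetch after the side effects
        if (!data || i >= view.length())
            break;                              // detached or shrunk: stop, don't deref
        data[i] = n;
        ++written;
    }
    return written;
}

// Constructed input: the third value neuters the view during its conversion.
static std::vector<Value> sampleValues() {
    return {
        { 10, nullptr },
        { 20, nullptr },
        { 30, [](View& v) { v.neuter(); } },
        { 40, nullptr },
        { 50, nullptr },
    };
}

// Safe path on the sample: two elements land before the view is detached.
size_t demoWritesBeforeNeuter() {
    View view{ std::vector<int32_t>(5, 0) };
    return setIndexSafely(view, sampleValues());
}

// Bug pattern, shown without the crash: the pointer the old "Quickly" path
// cached before the conversions is compared with the view afterwards
// instead of being written through. true means it no longer described the view.
bool demoCachedPointerInvalidated() {
    View view{ std::vector<int32_t>(5, 0) };
    int32_t* cached = view.data();
    for (const Value& v : sampleValues())
        (void)v.toNumber(view);                 // one conversion neuters the view
    return view.data() != cached;
}
```

demoWritesBeforeNeuter() returns 2 and demoCachedPointerInvalidated() returns true: any pointer or length obtained before a user-observable conversion has to be treated as stale once that conversion returns.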

2014-03-20  Gavin Barraclough  <barraclough@apple.com>

        Remove IdentifierTable typedef, isIdentifier()
        https://bugs.webkit.org/show_bug.cgi?id=130533

        Rubber stamped by Geoff Garen.

        Code should use AtomicStringTable, isAtomic() directly.

        * API/JSClassRef.cpp:
        (OpaqueJSClass::~OpaqueJSClass):
        (OpaqueJSClassContextData::OpaqueJSClassContextData):
        (OpaqueJSClass::className):
        * API/JSClassRef.h:
        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromCell):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::speculateStringIdent):
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * interpreter/CallFrame.h:
        (JSC::ExecState::atomicStringTable):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::addVar):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::createBindingPattern):
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        (JSC::evaluate):
        * runtime/Identifier.cpp:
        (JSC::Identifier::checkCurrentAtomicStringTable):
        * runtime/Identifier.h:
        (JSC::Identifier::Identifier):
        * runtime/IdentifierInlines.h:
        (JSC::Identifier::add):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContext):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        (JSC::JSLock::willReleaseLock):
        (JSC::JSLock::DropAllLocks::DropAllLocks):
        (JSC::JSLock::DropAllLocks::~DropAllLocks):
        * runtime/JSLock.h:
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::find):
        (JSC::PropertyTable::get):
        (JSC::PropertyTable::findWithString):
        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):
        * runtime/PropertyNameArray.cpp:
        (JSC::PropertyNameArray::add):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:
        (JSC::VM::atomicStringTable):

2014-03-20  Gavin Barraclough  <barraclough@apple.com>

        Merge AtomicString, Identifier
        https://bugs.webkit.org/show_bug.cgi?id=128624

        Reviewed by Geoff Garen.

        WTF::StringImpl currently supports two uniquing mechanisms - AtomicString and
        Identifier - that is one too many.

        Remove Identifier in favour of AtomicString. Identifier had two interesting
        mechanisms that we preserve.

        (1) JSC API VMs each get their own string table, switch the string table on
            API entry/exit.
        (2) JSC caches a pointer to the string table on the VM to avoid a thread
            specific access. Adds a new AtomicString::add method to support this.

        * API/JSAPIWrapperObject.mm:
            - updated includes.
        * JavaScriptCore.xcodeproj/project.pbxproj:
            - added IdentifierInlines.h.
        * inspector/JSInjectedScriptHostPrototype.cpp:
        * inspector/JSJavaScriptCallFramePrototype.cpp:
            - updated includes.
        * interpreter/CallFrame.h:
        (JSC::ExecState::atomicStringTable):
            - added, used via AtomicString::add to avoid thread-specific access.
        * runtime/ConsolePrototype.cpp:
            - updated includes.
        * runtime/Identifier.cpp:
        (JSC::Identifier::add):
        (JSC::Identifier::add8):
            - vm->smallStrings.singleCharacterStringRep now returns Atomic strings, use AtomicString::add.
        * runtime/Identifier.h:
        (JSC::Identifier::Identifier):
            - added ASSERTS.
        (JSC::Identifier::add):
            - vm->smallStrings.singleCharacterStringRep now returns Atomic strings, use AtomicString::add.
        * runtime/IdentifierInlines.h: Added.
        (JSC::Identifier::add):
            - moved from Identifier.h, use AtomicString::add.
        * runtime/JSCInlines.h:
            - added IdentifierInlines.h.
        * runtime/JSLock.h:
            - removed IdentifierTable.
        * runtime/PropertyNameArray.cpp:
            - updated includes.
        * runtime/SmallStrings.cpp:
        (JSC::SmallStringsStorage::SmallStringsStorage):
            - ensure all single character strings are Atomic.
        * runtime/VM.cpp:
        (JSC::VM::VM):
            - instantiate CommonIdentifiers with the correct AtomicStringTable set on thread data.
        * runtime/VM.h:
        (JSC::VM::atomicStringTable):
            - added, used via AtomicString::add to avoid thread-specific access.

2014-03-20  Gabor Rapcsanyi  <rgabor@webkit.org>

        [ARM64] Fix assembler build issues and add cacheFlush support for Linux
        https://bugs.webkit.org/show_bug.cgi?id=130502

        Reviewed by Michael Saboff.

        Add limits.h for INT_MIN in ARM64Assembler(). Delete shouldBlindForSpecificArch(uintptr_t)
        because on ARM64 uint64_t and uintptr_t are the same with GCC and Clang as well.
        Add cacheFlush support for Linux.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::linuxPageFlush):
        (JSC::ARM64Assembler::cacheFlush):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::shouldBlindForSpecificArch):

2014-03-19  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=130494
        EmptyUnique strings are Identifiers/Atomic

        Reviewed by Geoff Garen.

        EmptyUnique strings should set the Identifier/Atomic flag.

        This fixes an unreproducible bug we believe exists in Identifier handling.
        Expected behaviour is that while Identifiers may reference EmptyUniques
        (StringImpls allocated as UIDs for PrivateNames), these are not created
        through the main Identifier constructor, the Identifier flag is not set
        on PrivateNames, and we should never lookup EmptyUnique strings in the
        IdentifierTable.

        Unfortunately that was happening. Some tables used to implement property
        access in the JIT hold StringImpl*s, and turn these back into Identifiers
        using the identifier constructor. Since the code generator will now plant
        by-id (cachable) accesses to PrivateNames we can end up passing an
        EmptyUnique to Identifier::add, potentially leading to PrivateNames being
        uniqued together (though hard to prove, since the hash codes are random).

        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):
        (JSC::PropertyName::uid):
        (JSC::PropertyName::publicName):
        (JSC::PropertyName::asIndex):
            - PropertyName assumed that PrivateNames are not Identifiers - instead check isEmptyUnique().
        * runtime/Structure.cpp:
        (JSC::Structure::getPropertyNamesFromStructure):
            - Structure assumed that PrivateNames are not Identifiers - instead check isEmptyUnique().

2014-03-19  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, revert the DFGCommon.h change in r165938. It was not intentional.

        * dfg/DFGCommon.h:

2014-03-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        GC timer should intelligently choose between EdenCollections and FullCollections
        https://bugs.webkit.org/show_bug.cgi?id=128261

        Reviewed by Geoffrey Garen.

        Most of the GCs while browsing the web are due to the GC timer. Currently the GC timer
        always does FullCollections. To reduce the impact of the GC timer on the system this patch
        changes Heap so that it has two timers, one for each type of collection. The FullCollection
        timer is notified at the end of EdenCollections how much the Heap has grown since the last
        FullCollection and when somebody notifies the Heap of abandoned memory (which usually wouldn't
        be detected by an EdenCollection).

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/EdenGCActivityCallback.cpp: Added.
        (JSC::EdenGCActivityCallback::EdenGCActivityCallback):
        (JSC::EdenGCActivityCallback::doCollection):
        (JSC::EdenGCActivityCallback::lastGCLength):
        (JSC::EdenGCActivityCallback::deathRate):
        (JSC::EdenGCActivityCallback::gcTimeSlice):
        * heap/EdenGCActivityCallback.h: Added.
        (JSC::GCActivityCallback::createEdenTimer):
        * heap/FullGCActivityCallback.cpp: Added.
        (JSC::FullGCActivityCallback::FullGCActivityCallback):
        (JSC::FullGCActivityCallback::doCollection):
        (JSC::FullGCActivityCallback::lastGCLength):
        (JSC::FullGCActivityCallback::deathRate):
        (JSC::FullGCActivityCallback::gcTimeSlice):
        * heap/FullGCActivityCallback.h: Added.
        (JSC::GCActivityCallback::createFullTimer):
        * heap/GCActivityCallback.cpp:
        (JSC::GCActivityCallback::GCActivityCallback):
        (JSC::GCActivityCallback::doWork):
        (JSC::GCActivityCallback::scheduleTimer):
        (JSC::GCActivityCallback::cancelTimer):
        (JSC::GCActivityCallback::didAllocate):
        (JSC::GCActivityCallback::willCollect):
        (JSC::GCActivityCallback::cancel):
        * heap/GCActivityCallback.h:
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::reportAbandonedObjectGraph):
        (JSC::Heap::didAbandon):
        (JSC::Heap::collectAllGarbage):
        (JSC::Heap::collect):
        (JSC::Heap::willStartCollection):
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::didFinishCollection):
        (JSC::Heap::setFullActivityCallback):
761         (JSC::Heap::setEdenActivityCallback):
762         (JSC::Heap::fullActivityCallback):
763         (JSC::Heap::edenActivityCallback):
764         (JSC::Heap::setGarbageCollectionTimerEnabled):
765         (JSC::Heap::didAllocate):
766         (JSC::Heap::shouldDoFullCollection):
767         * heap/Heap.h:
768         (JSC::Heap::lastFullGCLength):
769         (JSC::Heap::lastEdenGCLength):
770         (JSC::Heap::increaseLastFullGCLength):
771         (JSC::Heap::sizeBeforeLastEdenCollection):
772         (JSC::Heap::sizeAfterLastEdenCollection):
773         (JSC::Heap::sizeBeforeLastFullCollection):
774         (JSC::Heap::sizeAfterLastFullCollection):
775         * heap/HeapOperation.h:
776         * heap/HeapStatistics.cpp:
777         (JSC::HeapStatistics::showObjectStatistics):
778         * heap/HeapTimer.cpp:
779         (JSC::HeapTimer::timerDidFire):
780         * jsc.cpp:
781         (functionFullGC):
782         (functionEdenGC):
783         * runtime/Options.h:
784
785 2014-03-19  Commit Queue  <commit-queue@webkit.org>
786
787         Unreviewed, rolling out r165926.
788         https://bugs.webkit.org/show_bug.cgi?id=130488
789
790         broke the iOS build (Requested by estes on #webkit).
791
792         Reverted changeset:
793
794         "GC timer should intelligently choose between EdenCollections
795         and FullCollections"
796         https://bugs.webkit.org/show_bug.cgi?id=128261
797         http://trac.webkit.org/changeset/165926
798
799 2014-03-13  Mark Hahnenberg  <mhahnenberg@apple.com>
800
801         GC timer should intelligently choose between EdenCollections and FullCollections
802         https://bugs.webkit.org/show_bug.cgi?id=128261
803
804         Reviewed by Geoffrey Garen.
805
806         Most of the GCs while browsing the web are due to the GC timer. Currently the GC timer 
807         always does FullCollections. To reduce the impact of the GC timer on the system this patch
808         changes Heap so that it has two timers, one for each type of collection. The FullCollection
809         timer is notified at the end of EdenCollections how much the Heap has grown since the last 
810         FullCollection and when somebody notifies the Heap of abandoned memory (which wouldn't be 
811         detected by an EdenCollection).
812
813         * heap/GCActivityCallback.cpp:
814         (JSC::GCActivityCallback::GCActivityCallback):
815         (JSC::GCActivityCallback::doWork):
816         (JSC::FullGCActivityCallback::FullGCActivityCallback):
817         (JSC::FullGCActivityCallback::doCollection):
818         (JSC::EdenGCActivityCallback::EdenGCActivityCallback):
819         (JSC::EdenGCActivityCallback::doCollection):
820         (JSC::GCActivityCallback::scheduleTimer):
821         (JSC::GCActivityCallback::cancelTimer):
822         (JSC::GCActivityCallback::didAllocate):
823         (JSC::GCActivityCallback::willCollect):
824         (JSC::GCActivityCallback::cancel):
825         * heap/GCActivityCallback.h:
826         (JSC::GCActivityCallback::GCActivityCallback):
827         (JSC::GCActivityCallback::createFullTimer):
828         (JSC::GCActivityCallback::createEdenTimer):
829         * heap/Heap.cpp:
830         (JSC::Heap::Heap):
831         (JSC::Heap::didAbandon):
832         (JSC::Heap::willStartCollection):
833         (JSC::Heap::updateAllocationLimits):
834         (JSC::Heap::setFullActivityCallback):
835         (JSC::Heap::setEdenActivityCallback):
836         (JSC::Heap::fullActivityCallback):
837         (JSC::Heap::edenActivityCallback):
838         (JSC::Heap::setGarbageCollectionTimerEnabled):
839         (JSC::Heap::didAllocate):
840         * heap/Heap.h:
841         * heap/HeapTimer.cpp:
842         (JSC::HeapTimer::timerDidFire):
843
844 2014-03-19  Filip Pizlo  <fpizlo@apple.com>
845
846         REGRESSION(r165459): It broke 109 jsc stress test on ARM Thumb2 and Mac 32 bit
847         https://bugs.webkit.org/show_bug.cgi?id=130134
848
849         Reviewed by Mark Hahnenberg.
850
851         * dfg/DFGFixupPhase.cpp:
852         (JSC::DFG::FixupPhase::fixupNode): Can't do some optimizations if you don't have a lot of registers.
853         * dfg/DFGSpeculativeJIT32_64.cpp:
854         (JSC::DFG::SpeculativeJIT::cachedGetById): Move stuff around before going into the IC code to ensure that we give the IC code the invariants it needs. This only happens in case of GetByIdFlush, where we are forced into using weird combinations of registers because the results have to be in t0/t1.
855         (JSC::DFG::SpeculativeJIT::compile): For a normal GetById, the register allocator should just do the right thing so nobody has to move anything around.
856         * jit/JITInlineCacheGenerator.cpp:
857         (JSC::JITGetByIdGenerator::JITGetByIdGenerator): Assert the things we want.
858         * jit/JITInlineCacheGenerator.h:
859         * jit/Repatch.cpp:
860         (JSC::generateGetByIdStub): Remove a previous incomplete hack to try to work around the DFG's problem.
861
862 2014-03-19  Mark Hahnenberg  <mhahnenberg@apple.com>
863
864         Normalize some of the older JSC options
865         https://bugs.webkit.org/show_bug.cgi?id=128753
866
867         Reviewed by Michael Saboff.
868
869         * runtime/Options.cpp:
870         (JSC::Options::initialize):
871
872 2014-03-12  Mark Lam  <mark.lam@apple.com>
873
874         Update type of local vars to match the type of String length.
875         <https://webkit.org/b/130077>
876
877         Reviewed by Geoffrey Garen.
878
879         * runtime/JSStringJoiner.cpp:
880         (JSC::JSStringJoiner::join):
881
882 2014-03-18  Filip Pizlo  <fpizlo@apple.com>
883
884         Get rid of Flush in SSA
885         https://bugs.webkit.org/show_bug.cgi?id=130440
886
887         Reviewed by Sam Weinig.
888         
889         This is basically a red patch. We used to use backwards flow for determining what was
890         flushed, until it became clear that this doesn't make sense. Now the Flush nodes don't
891         accomplish anything. Keeping them around in SSA can only make things hard.
892
893         * CMakeLists.txt:
894         * GNUmakefile.list.am:
895         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
896         * JavaScriptCore.xcodeproj/project.pbxproj:
897         * dfg/DFGBasicBlock.cpp:
898         (JSC::DFG::BasicBlock::SSAData::SSAData):
899         * dfg/DFGBasicBlock.h:
900         * dfg/DFGFlushLivenessAnalysisPhase.cpp: Removed.
901         * dfg/DFGFlushLivenessAnalysisPhase.h: Removed.
902         * dfg/DFGGraph.cpp:
903         (JSC::DFG::Graph::dump):
904         * dfg/DFGPlan.cpp:
905         (JSC::DFG::Plan::compileInThreadImpl):
906         * dfg/DFGSSAConversionPhase.cpp:
907         (JSC::DFG::SSAConversionPhase::run):
908         * ftl/FTLLowerDFGToLLVM.cpp:
909         (JSC::FTL::LowerDFGToLLVM::compileNode):
910
911 2014-03-18  Filip Pizlo  <fpizlo@apple.com>
912
913         Unreviewed, fix iOS production build.
914
915         * JavaScriptCore.xcodeproj/project.pbxproj:
916
917 2014-03-18  Michael Saboff  <msaboff@apple.com>
918
919         Update RegExp Tracing code
920         https://bugs.webkit.org/show_bug.cgi?id=130381
921
922         Reviewed by Andreas Kling.
923
924         Updated the regular expression tracing code for 8/16 bit JIT as
925         well as match only entry points.  Also added average string length
926         metric.
927
928         * runtime/RegExp.cpp:
929         (JSC::RegExp::RegExp):
930         (JSC::RegExp::match):
931         (JSC::RegExp::printTraceData):
932         * runtime/RegExp.h:
933         * runtime/VM.cpp:
934         (JSC::VM::addRegExpToTrace):
935         (JSC::VM::dumpRegExpTrace):
936         * runtime/VM.h:
937         * yarr/YarrJIT.h:
938         (JSC::Yarr::YarrCodeBlock::get8BitMatchOnlyAddr):
939         (JSC::Yarr::YarrCodeBlock::get16BitMatchOnlyAddr):
940         (JSC::Yarr::YarrCodeBlock::get8BitMatchAddr):
941         (JSC::Yarr::YarrCodeBlock::get16BitMatchAddr):
942
943 2014-03-17  Filip Pizlo  <fpizlo@apple.com>
944
945         Add CompareStrictEq(StringIdent:, NotStringVar:) and CompareStrictEq(String:, Untyped:)
946         https://bugs.webkit.org/show_bug.cgi?id=130300
947
948         Reviewed by Mark Hahnenberg.
949         
950         We can quickly strictly compare StringIdent's to NotStringVar's and String's to Untyped's.
951         This makes the DFG aware of this.
952         
953         Also adds StringIdent-to-StringIdent and StringIdent-to-NotStringVar strict comparisons to
954         the FTL. Also adds StringIdent-to-StringIdent non-strict comparisons to the FTL.
955         
956         This also gives the DFG some abstractions for checking something is a cell or is other.
957         This made this patch easier to write and also simplified a bunch of other stuff.
958         
959         1% speed-up on Octane.
960
961         * assembler/AbstractMacroAssembler.h:
962         (JSC::AbstractMacroAssembler::JumpList::JumpList):
963         * bytecode/SpeculatedType.h:
964         (JSC::isNotStringVarSpeculation):
965         * dfg/DFGFixupPhase.cpp:
966         (JSC::DFG::FixupPhase::fixupNode):
967         * dfg/DFGNode.h:
968         (JSC::DFG::Node::childFor):
969         (JSC::DFG::Node::shouldSpeculateNotStringVar):
970         * dfg/DFGSafeToExecute.h:
971         (JSC::DFG::SafeToExecuteEdge::operator()):
972         * dfg/DFGSpeculativeJIT.cpp:
973         (JSC::DFG::SpeculativeJIT::compileIn):
974         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
975         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
976         (JSC::DFG::SpeculativeJIT::compileInstanceOf):
977         (JSC::DFG::SpeculativeJIT::compileStrictEq):
978         (JSC::DFG::SpeculativeJIT::compileBooleanCompare):
979         (JSC::DFG::SpeculativeJIT::compileStringEquality):
980         (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality):
981         (JSC::DFG::SpeculativeJIT::compileStringIdentEquality):
982         (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality):
983         (JSC::DFG::SpeculativeJIT::compileStringZeroLength):
984         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
985         (JSC::DFG::SpeculativeJIT::speculateString):
986         (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
987         (JSC::DFG::SpeculativeJIT::speculateNotStringVar):
988         (JSC::DFG::SpeculativeJIT::speculateNotCell):
989         (JSC::DFG::SpeculativeJIT::speculateOther):
990         (JSC::DFG::SpeculativeJIT::speculate):
991         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
992         (JSC::DFG::SpeculativeJIT::emitSwitchString):
993         * dfg/DFGSpeculativeJIT.h:
994         (JSC::DFG::SpeculativeJIT::blessedBooleanResult):
995         (JSC::DFG::SpeculativeJIT::unblessedBooleanResult):
996         (JSC::DFG::SpeculativeJIT::booleanResult):
997         * dfg/DFGSpeculativeJIT32_64.cpp:
998         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
999         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
1000         (JSC::DFG::SpeculativeJIT::emitCall):
1001         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1002         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1003         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1004         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1005         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1006         (JSC::DFG::SpeculativeJIT::compile):
1007         (JSC::DFG::branchIsCell):
1008         (JSC::DFG::branchNotCell):
1009         (JSC::DFG::SpeculativeJIT::branchIsOther):
1010         (JSC::DFG::SpeculativeJIT::branchNotOther):
1011         (JSC::DFG::SpeculativeJIT::moveTrueTo):
1012         (JSC::DFG::SpeculativeJIT::moveFalseTo):
1013         (JSC::DFG::SpeculativeJIT::blessBoolean):
1014         * dfg/DFGSpeculativeJIT64.cpp:
1015         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
1016         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
1017         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1018         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1019         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1020         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1021         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1022         (JSC::DFG::SpeculativeJIT::compile):
1023         (JSC::DFG::SpeculativeJIT::writeBarrier):
1024         (JSC::DFG::SpeculativeJIT::branchIsCell):
1025         (JSC::DFG::SpeculativeJIT::branchNotCell):
1026         (JSC::DFG::SpeculativeJIT::branchIsOther):
1027         (JSC::DFG::SpeculativeJIT::branchNotOther):
1028         (JSC::DFG::SpeculativeJIT::moveTrueTo):
1029         (JSC::DFG::SpeculativeJIT::moveFalseTo):
1030         (JSC::DFG::SpeculativeJIT::blessBoolean):
1031         * dfg/DFGUseKind.cpp:
1032         (WTF::printInternal):
1033         * dfg/DFGUseKind.h:
1034         (JSC::DFG::typeFilterFor):
1035         * ftl/FTLCapabilities.cpp:
1036         (JSC::FTL::canCompile):
1037         * ftl/FTLLowerDFGToLLVM.cpp:
1038         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
1039         (JSC::FTL::LowerDFGToLLVM::lowString):
1040         (JSC::FTL::LowerDFGToLLVM::lowStringIdent):
1041         (JSC::FTL::LowerDFGToLLVM::speculate):
1042         (JSC::FTL::LowerDFGToLLVM::speculateString):
1043         (JSC::FTL::LowerDFGToLLVM::speculateStringIdent):
1044         (JSC::FTL::LowerDFGToLLVM::speculateNotStringVar):
1045         * runtime/JSCJSValue.h:
1046         * tests/stress/string-ident-to-not-string-var-equality.js: Added.
1047         (foo):
1048         (bar):
1049         (test):
1050
1051 2014-03-18  Joseph Pecoraro  <pecoraro@apple.com>
1052
1053         Add Copyright to framework.sb
1054         https://bugs.webkit.org/show_bug.cgi?id=130413
1055
1056         Reviewed by Timothy Hatcher.
1057
1058         Other sb files got the copyright. Follow suit.
1059
1060         * framework.sb:
1061
1062 2014-03-18  Matthew Mirman  <mmirman@apple.com>
1063
1064         Removed extra parens from if statement in a preprocessor define.
1065         https://bugs.webkit.org/show_bug.cgi?id=130408
1066
1067         Reviewed by Filip Pizlo.
1068
1069         * parser/Parser.cpp:
1070
1071 2014-03-18  Filip Pizlo  <fpizlo@apple.com>
1072
1073         More FTL enabling.
1074
1075         Rubber stamped by Dan Bernstein and Mark Hahnenberg.
1076
1077         * Configurations/FeatureDefines.xcconfig:
1078         * ftl/FTLCompile.cpp:
1079         (JSC::FTL::compile):
1080
1081 2014-03-17  Michael Saboff  <msaboff@apple.com>
1082
1083         V8 regexp spends most of its time in operationGetById
1084         https://bugs.webkit.org/show_bug.cgi?id=130380
1085
1086         Reviewed by Filip Pizlo.
1087
1088         Added String.length case to tryCacheGetByID that will only help the BaseLine JIT.
1089         When V8 regexp is run from the command line, this nets a 2% performance improvement.
1090         When the test is run for a longer amount of time, there is much less benefit as the
1091         DFG will emit the appropriate code for String.length.  This does remove
1092         operationGetById as the hottest function when run from the command line.
1093
1094         * jit/Repatch.cpp:
1095         (JSC::tryCacheGetByID):
1096
1097 2014-03-17  Andreas Kling  <akling@apple.com>
1098
1099         Add one-deep cache to opaque roots hashset.
1100         <https://webkit.org/b/130357>
1101
1102         The vast majority of WebCore JS wrappers will have their Document*
1103         as the root(). This change adds a simple optimization where we cache
1104         the last lookup and avoid going to the hashset for repeated queries.
1105
1106         Looks like 0.4% progression on DYEB on my MBP.
1107
1108         Reviewed by Mark Hahnenberg.
1109
1110         * JavaScriptCore.xcodeproj/project.pbxproj:
1111         * heap/OpaqueRootSet.h: Added.
1112         (JSC::OpaqueRootSet::OpaqueRootSet):
1113         (JSC::OpaqueRootSet::contains):
1114         (JSC::OpaqueRootSet::isEmpty):
1115         (JSC::OpaqueRootSet::clear):
1116         (JSC::OpaqueRootSet::add):
1117         (JSC::OpaqueRootSet::size):
1118         (JSC::OpaqueRootSet::begin):
1119         (JSC::OpaqueRootSet::end):
1120         * heap/SlotVisitor.h:
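
The one-deep lookup cache described in this entry, as an added illustration in C++ that is not WebKit's own OpaqueRootSet (the class, its members and the constructed workload below are assumptions for the example):

```cpp
// Added example, not JavaScriptCore code: a hash set of opaque root pointers
// with a one-entry cache in front of it. Most queries in the motivating
// workload ask about the same root (a Document*), so repeated lookups are
// answered from the cache without hashing.
#include <cstddef>
#include <unordered_set>

class CachedRootSet {
public:
    // Returns true if `root` is in the set. A repeat of the previous query is
    // answered from the cache; anything else goes to the hash set.
    bool contains(const void* root) const
    {
        if (m_cacheValid && root == m_lastQuery)
            return m_lastResult;
        ++m_hashLookups;
        m_lastQuery = root;
        m_lastResult = m_roots.find(root) != m_roots.end();
        m_cacheValid = true;
        return m_lastResult;
    }

    // Every mutation must keep the cache coherent with the set. A stale
    // negative answer would make a live root look dead, which for a GC means
    // freeing something that is still reachable.
    void add(const void* root)
    {
        m_roots.insert(root);
        if (m_cacheValid && root == m_lastQuery)
            m_lastResult = true;
    }

    void clear()
    {
        m_roots.clear();
        m_cacheValid = false;
    }

    bool isEmpty() const { return m_roots.empty(); }
    std::size_t size() const { return m_roots.size(); }

    // Instrumentation for the example: how many queries reached the hash set.
    std::size_t hashLookups() const { return m_hashLookups; }

private:
    std::unordered_set<const void*> m_roots;
    mutable const void* m_lastQuery { nullptr };
    mutable bool m_lastResult { false };
    mutable bool m_cacheValid { false };
    mutable std::size_t m_hashLookups { 0 };
};

struct Demo {
    bool allContained;        // every query for the shared root returned true
    std::size_t hashLookups;  // how many of them actually hashed
};

// Constructed workload: `queries` wrappers all rooted at one Document-like
// object, plus a single query for an unrelated root.
Demo queryRepeatedRoot(std::size_t queries)
{
    int documentLike = 0;  // stands in for the Document* shared by the wrappers
    int otherRoot = 0;     // a root that was never added
    CachedRootSet set;
    set.add(&documentLike);

    bool all = true;
    for (std::size_t i = 0; i < queries; ++i)
        all = all && set.contains(&documentLike);

    // Only the first shared-root query and the unrelated query hit the set.
    return { all && !set.contains(&otherRoot), set.hashLookups() };
}

// Shows the coherence rule: a cached negative must flip after add(), and
// clear() must drop the cached positive.
bool cacheStaysCoherent()
{
    int root = 0;
    CachedRootSet set;
    bool before = set.contains(&root);   // false, now cached as a negative
    set.add(&root);                      // updates the cached entry
    bool after = set.contains(&root);    // true, without a second hash lookup
    set.clear();
    bool afterClear = set.contains(&root);
    return !before && after && !afterClear && set.hashLookups() == 2;
}
```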
1121
1122 2014-03-17  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>
1123
1124         Implement Math.hypot
1125         https://bugs.webkit.org/show_bug.cgi?id=129486
1126
1127         Reviewed by Darin Adler.
1128
1129         * runtime/MathObject.cpp:
1130         (JSC::MathObject::finishCreation):
1131         (JSC::mathProtoFuncHypot):
1132
1133 2014-03-17  Zsolt Borbely  <borbezs@inf.u-szeged.hu>
1134
1135         Fix the !ENABLE(PROMISES) build
1136         https://bugs.webkit.org/show_bug.cgi?id=130328
1137
1138         Reviewed by Darin Adler.
1139
1140         Add missing ENABLE(PROMISES) guards.
1141
1142         * runtime/JSGlobalObject.cpp:
1143         (JSC::JSGlobalObject::reset):
1144         (JSC::JSGlobalObject::visitChildren):
1145         * runtime/JSGlobalObject.h:
1146         * runtime/JSPromiseDeferred.cpp:
1147         * runtime/JSPromiseDeferred.h:
1148         * runtime/JSPromiseReaction.cpp:
1149         * runtime/JSPromiseReaction.h:
1150         * runtime/VM.cpp:
1151         (JSC::VM::VM):
1152         * runtime/VM.h:
1153
1154 2014-03-16  Andreas Kling  <akling@apple.com>
1155
1156         REGRESSION(r165703): JSC tests crashing in StringImpl::destroy().
1157         <https://webkit.org/b/130304>
1158
1159         Reviewed by Anders Carlsson.
1160
1161         Unreviewed, restoring the old behavior of OpaqueJSString::identifier()
1162         that doesn't put a potentially unwanted string into the Identifier table.
1163
1164         * API/OpaqueJSString.cpp:
1165         (OpaqueJSString::identifier):
1166
1167 2014-03-16  Brian Burg  <bburg@apple.com>
1168
1169         Web Inspector: generated backend commands should reflect build system ENABLE settings
1170         https://bugs.webkit.org/show_bug.cgi?id=130111
1171
1172         Reviewed by Timothy Hatcher.
1173
1174         * CMakeLists.txt:
1175
1176         Combine only the Inspector domains listed in INSPECTOR_DOMAINS,
1177         instead of globbing any .json file.
1178
1179         * DerivedSources.make:
1180
1181         Force the combined inspector protocol file to be regenerated if
1182         the content or list of domains itself changes.
1183
1184 2014-03-16  Brian Burg  <bburg@apple.com>
1185
1186         Web Inspector: vended backend commands file should be generated as part of the build
1187         https://bugs.webkit.org/show_bug.cgi?id=130110
1188
1189         Reviewed by Timothy Hatcher.
1190
1191         * JavaScriptCore.xcodeproj/project.pbxproj: Copy InspectorJSBackendCommands.js to the
1192         private headers directory.
1193
1194 2014-03-16  Darin Adler  <darin@apple.com>
1195
1196         Remove all uses of deprecatedCharacters from JavaScriptCore
1197         https://bugs.webkit.org/show_bug.cgi?id=130304
1198
1199         Reviewed by Anders Carlsson.
1200
1201         * API/JSValueRef.cpp:
1202         (JSValueMakeFromJSONString): Use characters16 in the 16-bit code path.
1203         * API/OpaqueJSString.cpp:
1204         (OpaqueJSString::~OpaqueJSString): Use characters16 in the 16-bit code path.
1205         (OpaqueJSString::identifier): Get rid of custom Identifier constructor, and
1206         just use the standard one that takes a String.
1207         (OpaqueJSString::characters): Use getCharactersWithUpconvert instead of a
1208         hand-written alternative.
1209
1210         * bindings/ScriptValue.cpp:
1211         (Deprecated::jsToInspectorValue): Create InspectorString from String directly
1212         instead of involving a character pointer. Use the String from Identifier
1213         directly instead of making a new String.
1214
1215         * inspector/ContentSearchUtilities.cpp:
1216         (Inspector::ContentSearchUtilities::createSearchRegexSource): Use StringBuilder
1217         instead of building a String a character at a time. This is still a very slow
1218         way to do this. Also use strchr to search for a character instead of building
1219         a String every time just to use find on it.
1220
1221         * inspector/InspectorValues.cpp:
1222         (Inspector::doubleQuoteString): Remove unnecessary trip through a
1223         character pointer. This is still a really slow way to do this.
1224         (Inspector::InspectorValue::parseJSON): Use StringView::upconvertedCharacters
1225         instead of String::deprecatedCharacters. Still slow to always upconvert.
1226
1227         * runtime/DateConstructor.cpp: Removed unneeded include.
1228         * runtime/DatePrototype.cpp: Ditto.
1229
1230         * runtime/Identifier.h: Removed deprecatedCharacters function.
1231
1232         * runtime/JSGlobalObjectFunctions.cpp:
1233         (JSC::encode): Added a type cast to avoid ambiguity with the two character-
1234         appending functions from JSStringBuilder. Removed unneeded code duplicating
1235         what JSStringBuilder already does in its character append function.
1236         (JSC::decode): Deleted code that creates a JSStringBuilder that is never used.
1237         (JSC::parseIntOverflow): Changed lengths to unsigned. Made only the overload that
1238         is used outside this file have external linkage. Added a new overload that takes
1239         a StringView.
1240         (JSC::parseInt): Use StringView::substring to call parseIntOverflow.
1241         (JSC::globalFuncEscape): Use JSBuilder::append in a more efficient way for a
1242         single character.
1243
1244         * runtime/JSGlobalObjectFunctions.h: Removed unused overloads of parseIntOverflow.
1245
1246         * runtime/JSStringBuilder.h: Marked this "lightly deprecated".
1247         (JSC::JSStringBuilder::append): Overloaded for better speed with 8-bit characters.
1248         Made one overload private. Fixed a performance bug where we would reserve capacity
1249         in the 8-bit buffer but then append to the 16-bit buffer.
1250
1251         * runtime/ObjectPrototype.cpp: Removed unneeded include.
1252
1253         * runtime/StringPrototype.cpp:
1254         (JSC::stringProtoFuncFontsize): Use StringView::getCharactersWithUpconvert.
1255         (JSC::stringProtoFuncLink): Ditto.
1256
1257 2014-03-15  Filip Pizlo  <fpizlo@apple.com>
1258
1259         FTL ArrayifyToStructure shouldn't fail every time that it actually arrayifies
1260         https://bugs.webkit.org/show_bug.cgi?id=130296
1261
1262         Reviewed by Andreas Kling.
1263         
1264         During the 32-bit structure ID work, the second load of the structure was removed.
1265         That's wrong. The whole point of loading the structure ID again is that the structure
1266         ID would have been changed by the arrayification call, and we're verifying that the
1267         arrayification succeeded in changing the structure. If we check the old structure - as
1268         the code was doing after the 32-bit structure ID work - then this check is guaranteed
1269         to fail, causing a significant performance regression.
1270         
1271         It's actually amazing that the regression wasn't bigger. The reason is that if FTL
1272         code pathologically exits but the equivalent DFG code doesn't, then the exponential
1273         backoff almost perfectly guarantees that we just end up in the DFG. For this code, at
1274         the time at least, the DFG wasn't much slower so this didn't cause too much pain.
1275
1276         * ftl/FTLLowerDFGToLLVM.cpp:
1277         (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
1278
1279 2014-03-15  Filip Pizlo  <fpizlo@apple.com>
1280
1281         FTL should support CheckHasInstance/InstanceOf
1282         https://bugs.webkit.org/show_bug.cgi?id=130285
1283
1284         Reviewed by Sam Weinig.
1285         
1286         Fairly straightforward; I also discovered an inaccurate FIXME in the process.
1287
1288         * dfg/DFGFixupPhase.cpp:
1289         (JSC::DFG::FixupPhase::fixupNode):
1290         * ftl/FTLAbstractHeapRepository.h:
1291         * ftl/FTLCapabilities.cpp:
1292         (JSC::FTL::canCompile):
1293         * ftl/FTLLowerDFGToLLVM.cpp:
1294         (JSC::FTL::LowerDFGToLLVM::compileNode):
1295         (JSC::FTL::LowerDFGToLLVM::compileCheckHasInstance):
1296         (JSC::FTL::LowerDFGToLLVM::compileInstanceOf):
1297         * ftl/FTLOutput.h:
1298         (JSC::FTL::Output::phi):
1299         * tests/stress/instanceof.js: Added.
1300         * tests/stress/instanceof-not-cell.js: Added.
1301
1302 2014-03-15  Michael Saboff  <msaboff@apple.com>
1303
1304         It should be possible to adjust DFG and FTL compiler thread priorities
1305         https://bugs.webkit.org/show_bug.cgi?id=130288
1306
1307         Reviewed by Filip Pizlo.
1308
1309         Added ability to change thread priorities relative to its current priority.
1310         Created options to adjust the priority of the DFG and FTL compilation work thread
1311         pools.  For two core systems, there might be three runnable threads, the main thread,
1312         the DFG compilation thread and the FTL compilation thread.  With the same priority,
1313         the scheduler is free to schedule whatever thread it wants.  By lowering the
1314         compilation threads, the main thread can run.  Further tests may suggest better values
1315         for the new options, priorityDeltaOfDFGCompilerThreads and priorityDeltaOfFTLCompilerThreads.
1316
1317         For a two-core device, this change has a net positive improvement of 1-3% across
1318         SunSpider, Octane, Kraken and AsmBench.
1319
1320         * dfg/DFGWorklist.cpp:
1321         (JSC::DFG::Worklist::finishCreation):
1322         (JSC::DFG::Worklist::create):
1323         (JSC::DFG::ensureGlobalDFGWorklist):
1324         (JSC::DFG::ensureGlobalFTLWorklist):
1325         * dfg/DFGWorklist.h:
1326         * runtime/Options.cpp:
1327         (JSC::computePriorityDeltaOfWorkerThreads):
1328         * runtime/Options.h:
1329
1330 2014-03-15  David Kilzer  <ddkilzer@apple.com>
1331
1332         [iOS] Define SYSTEM_VERSION_PREFIX consistently
1333         <http://webkit.org/b/130293>
1334         <rdar://problem/15926359>
1335
1336         Reviewed by Dan Bernstein.
1337
1338         * Configurations/Version.xcconfig:
1339         (SYSTEM_VERSION_PREFIX_iphoneos): Sync with
1340         Source/WebKit/mac/Version.xcconfig.
1341
1342 2014-03-15  David Kilzer  <ddkilzer@apple.com>
1343
1344         Fix build: using integer absolute value function 'abs' when argument is of floating point type
1345         <http://webkit.org/b/130286>
1346
1347         Reviewed by Filip Pizlo.
1348
1349         Fixes the following build failure using trunk clang:
1350
1351             JavaScriptCore/assembler/MacroAssembler.h:992:17: error: using integer absolute value function 'abs' when argument is of floating point type [-Werror,-Wabsolute-value]
1352                     value = abs(value);
1353                             ^
1354             JavaScriptCore/assembler/MacroAssembler.h:992:17: note: use function 'fabs' instead
1355                     value = abs(value);
1356                             ^~~
1357                             fabs
1358
1359         * assembler/MacroAssembler.h:
1360         (JSC::MacroAssembler::shouldBlindDouble): Switch from abs() to
1361         fabs().
1362
1363 2014-03-14  Oliver Hunt  <oliver@apple.com>
1364
1365         Reinstate initialiser syntax in for-in loops
1366         https://bugs.webkit.org/show_bug.cgi?id=130269
1367
1368         Reviewed by Michael Saboff.
1369
1370         Disallowing the initialiser broke some sites so this patch re-allows
1371         the syntax.  We still disallow the syntax in 'of' and pattern based
1372         enumeration.
1373
1374         * parser/ASTBuilder.h:
1375         (JSC::ASTBuilder::isBindingNode):
1376         * parser/Parser.cpp:
1377         (JSC::Parser<LexerType>::parseVarDeclarationList):
1378         (JSC::Parser<LexerType>::parseForStatement):
1379         * parser/SyntaxChecker.h:
1380         (JSC::SyntaxChecker::operatorStackPop):
1381
1382 2014-03-14  Mark Lam  <mark.lam@apple.com>
1383
1384         Accessing __lookupGetter__ and __lookupSetter__ should not crash the VM when undefined.
1385         <https://webkit.org/b/130279>
1386
1387         Reviewed by Filip Pizlo.
1388
1389         If neither the getter nor setter are defined, accessing __lookupGetter__
1390         and __lookupSetter__ will return undefined as expected.  However, if the
1391         getter is defined but the setter is not, accessing __lookupSetter__ will
1392         crash the VM.  Similarly, accessing __lookupGetter__ when only the setter
1393         is defined will crash the VM.
1394
1395         The reason is that objectProtoFuncLookupGetter() and
1396         objectProtoFuncLookupSetter() did not check if the getter and setter
1397         value is non-null before returning it as an EncodedJSValue.  The fix is
1398         to add the appropriate null checks.
1399
1400         * runtime/ObjectPrototype.cpp:
1401         (JSC::objectProtoFuncLookupGetter):
1402         (JSC::objectProtoFuncLookupSetter):
1403
1404 2014-03-14  Mark Rowe  <mrowe@apple.com>
1405
1406         Fix the production build.
1407
1408         Don't rely on USE_INTERNAL_SDK being set for the Production configuration since UseInternalSDK.xcconfig won't
1409         be at the expected relative path when working from installed source.
1410
1411         * Configurations/Base.xcconfig:
1412
1413 2014-03-14  Maciej Stachowiak  <mjs@apple.com>
1414
1415         Replace "Apple Computer, Inc." with "Apple Inc." in copyright headers
1416         https://bugs.webkit.org/show_bug.cgi?id=130276
1417         <rdar://problem/16266927>
1418
1419         Reviewed by Simon Fraser.
1420
1421         * API/APICast.h:
1422         * API/JSBase.cpp:
1423         * API/JSBase.h:
1424         * API/JSBasePrivate.h:
1425         * API/JSCallbackConstructor.cpp:
1426         * API/JSCallbackConstructor.h:
1427         * API/JSCallbackFunction.cpp:
1428         * API/JSCallbackFunction.h:
1429         * API/JSCallbackObject.cpp:
1430         * API/JSCallbackObject.h:
1431         * API/JSCallbackObjectFunctions.h:
1432         * API/JSClassRef.cpp:
1433         * API/JSClassRef.h:
1434         * API/JSContextRef.cpp:
1435         * API/JSContextRef.h:
1436         * API/JSContextRefPrivate.h:
1437         * API/JSObjectRef.cpp:
1438         * API/JSObjectRef.h:
1439         * API/JSProfilerPrivate.cpp:
1440         * API/JSProfilerPrivate.h:
1441         * API/JSRetainPtr.h:
1442         * API/JSStringRef.cpp:
1443         * API/JSStringRef.h:
1444         * API/JSStringRefBSTR.cpp:
1445         * API/JSStringRefBSTR.h:
1446         * API/JSStringRefCF.cpp:
1447         * API/JSStringRefCF.h:
1448         * API/JSValueRef.cpp:
1449         * API/JSValueRef.h:
1450         * API/JavaScript.h:
1451         * API/JavaScriptCore.h:
1452         * API/OpaqueJSString.cpp:
1453         * API/OpaqueJSString.h:
1454         * API/tests/JSNode.c:
1455         * API/tests/JSNode.h:
1456         * API/tests/JSNodeList.c:
1457         * API/tests/JSNodeList.h:
1458         * API/tests/Node.c:
1459         * API/tests/Node.h:
1460         * API/tests/NodeList.c:
1461         * API/tests/NodeList.h:
1462         * API/tests/minidom.c:
1463         * API/tests/minidom.js:
1464         * API/tests/testapi.c:
1465         * API/tests/testapi.js:
1466         * DerivedSources.make:
1467         * bindings/ScriptValue.cpp:
1468         * bytecode/CodeBlock.cpp:
1469         * bytecode/CodeBlock.h:
1470         * bytecode/EvalCodeCache.h:
1471         * bytecode/Instruction.h:
1472         * bytecode/JumpTable.cpp:
1473         * bytecode/JumpTable.h:
1474         * bytecode/Opcode.cpp:
1475         * bytecode/Opcode.h:
1476         * bytecode/SamplingTool.cpp:
1477         * bytecode/SamplingTool.h:
1478         * bytecode/SpeculatedType.cpp:
1479         * bytecode/SpeculatedType.h:
1480         * bytecode/ValueProfile.h:
1481         * bytecompiler/BytecodeGenerator.cpp:
1482         * bytecompiler/BytecodeGenerator.h:
1483         * bytecompiler/Label.h:
1484         * bytecompiler/LabelScope.h:
1485         * bytecompiler/RegisterID.h:
1486         * debugger/DebuggerCallFrame.cpp:
1487         * debugger/DebuggerCallFrame.h:
1488         * dfg/DFGDesiredStructureChains.cpp:
1489         * dfg/DFGDesiredStructureChains.h:
1490         * heap/GCActivityCallback.cpp:
1491         * heap/GCActivityCallback.h:
1492         * inspector/ConsoleMessage.cpp:
1493         * inspector/ConsoleMessage.h:
1494         * inspector/IdentifiersFactory.cpp:
1495         * inspector/IdentifiersFactory.h:
1496         * inspector/InjectedScriptManager.cpp:
1497         * inspector/InjectedScriptManager.h:
1498         * inspector/InjectedScriptSource.js:
1499         * inspector/ScriptBreakpoint.h:
1500         * inspector/ScriptDebugListener.h:
1501         * inspector/ScriptDebugServer.cpp:
1502         * inspector/ScriptDebugServer.h:
1503         * inspector/agents/InspectorAgent.cpp:
1504         * inspector/agents/InspectorAgent.h:
1505         * inspector/agents/InspectorDebuggerAgent.cpp:
1506         * inspector/agents/InspectorDebuggerAgent.h:
1507         * interpreter/Interpreter.cpp:
1508         * interpreter/Interpreter.h:
1509         * interpreter/JSStack.cpp:
1510         * interpreter/JSStack.h:
1511         * interpreter/Register.h:
1512         * jit/CompactJITCodeMap.h:
1513         * jit/JITStubs.cpp:
1514         * jit/JITStubs.h:
1515         * jit/JITStubsARM.h:
1516         * jit/JITStubsARMv7.h:
1517         * jit/JITStubsX86.h:
1518         * jit/JITStubsX86_64.h:
1519         * os-win32/stdbool.h:
1520         * parser/SourceCode.h:
1521         * parser/SourceProvider.h:
1522         * profiler/LegacyProfiler.cpp:
1523         * profiler/LegacyProfiler.h:
1524         * profiler/ProfileNode.cpp:
1525         * profiler/ProfileNode.h:
1526         * runtime/ArrayBufferView.cpp:
1527         * runtime/ArrayBufferView.h:
1528         * runtime/BatchedTransitionOptimizer.h:
1529         * runtime/CallData.h:
1530         * runtime/ConstructData.h:
1531         * runtime/DumpContext.cpp:
1532         * runtime/DumpContext.h:
1533         * runtime/ExceptionHelpers.cpp:
1534         * runtime/ExceptionHelpers.h:
1535         * runtime/InitializeThreading.cpp:
1536         * runtime/InitializeThreading.h:
1537         * runtime/IntegralTypedArrayBase.h:
1538         * runtime/IntendedStructureChain.cpp:
1539         * runtime/IntendedStructureChain.h:
1540         * runtime/JSActivation.cpp:
1541         * runtime/JSActivation.h:
1542         * runtime/JSExportMacros.h:
1543         * runtime/JSGlobalObject.cpp:
1544         * runtime/JSNotAnObject.cpp:
1545         * runtime/JSNotAnObject.h:
1546         * runtime/JSPropertyNameIterator.cpp:
1547         * runtime/JSPropertyNameIterator.h:
1548         * runtime/JSSegmentedVariableObject.cpp:
1549         * runtime/JSSegmentedVariableObject.h:
1550         * runtime/JSSymbolTableObject.cpp:
1551         * runtime/JSSymbolTableObject.h:
1552         * runtime/JSTypeInfo.h:
1553         * runtime/JSVariableObject.cpp:
1554         * runtime/JSVariableObject.h:
1555         * runtime/PropertyTable.cpp:
1556         * runtime/PutPropertySlot.h:
1557         * runtime/SamplingCounter.cpp:
1558         * runtime/SamplingCounter.h:
1559         * runtime/Structure.cpp:
1560         * runtime/Structure.h:
1561         * runtime/StructureChain.cpp:
1562         * runtime/StructureChain.h:
1563         * runtime/StructureInlines.h:
1564         * runtime/StructureTransitionTable.h:
1565         * runtime/SymbolTable.cpp:
1566         * runtime/SymbolTable.h:
1567         * runtime/TypedArrayBase.h:
1568         * runtime/TypedArrayType.cpp:
1569         * runtime/TypedArrayType.h:
1570         * runtime/VM.cpp:
1571         * runtime/VM.h:
1572         * yarr/RegularExpression.cpp:
1573         * yarr/RegularExpression.h:
1574
1575 2014-03-14  Filip Pizlo  <fpizlo@apple.com>
1576
1577         Final FTL iOS build magic
1578         https://bugs.webkit.org/show_bug.cgi?id=130281
1579
1580         Reviewed by Michael Saboff.
1581
1582         * Configurations/Base.xcconfig: For now our LLVM headers are in /usr/local/LLVMForJavaScriptCore/include, which is the same as OS X.
1583         * Configurations/LLVMForJSC.xcconfig: We need to be more careful about how we specify library paths if we want to get the prioritization right. Also we need protobuf because things. :-/
1584
1585 2014-03-14  Joseph Pecoraro  <pecoraro@apple.com>
1586
1587         Web Inspector: Gracefully handle nil name -[JSContext setName:]
1588         https://bugs.webkit.org/show_bug.cgi?id=130262
1589
1590         Reviewed by Mark Hahnenberg.
1591
1592         * API/JSContext.mm:
1593         (-[JSContext setName:]):
1594         Gracefully handle nil input.
1595
1596         * API/tests/testapi.c:
1597         (globalContextNameTest):
1598         * API/tests/testapi.mm:
1599         Test for nil / NULL names in the ObjC and C APIs.
1600
1601 2014-03-11  Oliver Hunt  <oliver@apple.com>
1602
1603         Improve DOM error messages
1604         https://bugs.webkit.org/show_bug.cgi?id=130103
1605
1606         Reviewed by Andreas Kling.
1607
1608         Add new helper function.
1609
1610         * runtime/Error.h:
1611         (JSC::throwVMTypeError):
1612
1613 2014-03-14  László Langó  <llango.u-szeged@partner.samsung.com>
1614
1615         Remove unused method declaration.
1616         https://bugs.webkit.org/show_bug.cgi?id=130238
1617
1618         Reviewed by Filip Pizlo.
1619
1620         The implementation of CallFrame::dumpCaller was removed in
1621         http://trac.webkit.org/changeset/153183, but the declaration of it was not.
1622
1623         * interpreter/CallFrame.h:
1624         Remove CallFrame::dumpCaller() method declaration.
1625
1626 2014-03-12  Sergio Villar Senin  <svillar@igalia.com>
1627
1628         Rename DEFINE_STATIC_LOCAL to DEPRECATED_DEFINE_STATIC_LOCAL
1629         https://bugs.webkit.org/show_bug.cgi?id=129612
1630
1631         Reviewed by Darin Adler.
1632
1633         For new code use static NeverDestroyed<T> instead.
1634
1635         * API/JSAPIWrapperObject.mm:
1636         (jsAPIWrapperObjectHandleOwner):
1637         * API/JSManagedValue.mm:
1638         (managedValueHandleOwner):
1639         * inspector/agents/InspectorDebuggerAgent.cpp:
1640         (Inspector::objectGroupForBreakpointAction):
1641         * inspector/scripts/CodeGeneratorInspectorStrings.py:
1642         * interpreter/JSStack.cpp:
1643         (JSC::stackStatisticsMutex):
1644         * jit/ExecutableAllocator.cpp:
1645         (JSC::DemandExecutableAllocator::allocators):
1646
1647 2014-03-12  Gavin Barraclough  <barraclough@apple.com>
1648
1649         Reduce memory use for static property maps
1650         https://bugs.webkit.org/show_bug.cgi?id=129986
1651
1652         Reviewed by Andreas Kling.
1653
1654         Static property tables are currently duplicated on first use from read-only memory into dirty memory
1655         in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse
1656         (we use a custom hash table without a rehash) a lot of memory may be wasted.
1657
1658         First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps
1659         from string hashes to indices into a densely packed array of values. Compute the index table at
1660         compile time as a part of the derived sources step, such that this may be read-only data.
1661
1662         Second, don't copy all data from the HashTableValue array into HashEntry objects. Instead refer
1663         directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the
1664         keys, which are Identifiers.
1665
1666         * create_hash_table:
1667             - emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep).
1668         * parser/Lexer.cpp:
1669         (JSC::Lexer<LChar>::parseIdentifier):
1670         (JSC::Lexer<UChar>::parseIdentifier):
1671         (JSC::Lexer<T>::parseIdentifierSlowCase):
1672             - HashEntry -> HashTableValue.
1673         * parser/Lexer.h:
1674         (JSC::Keywords::getKeyword):
1675             - HashEntry -> HashTableValue.
1676         * runtime/ClassInfo.h:
1677             - removed HashEntry.
1678         * runtime/JSObject.cpp:
1679         (JSC::getClassPropertyNames):
1680             - use HashTable::ConstIterator.
1681         (JSC::JSObject::put):
1682         (JSC::JSObject::deleteProperty):
1683         (JSC::JSObject::findPropertyHashEntry):
1684             - HashEntry -> HashTableValue.
1685         (JSC::JSObject::reifyStaticFunctionsForDelete):
1686             - changed HashTable::ConstIterator interface.
1687         * runtime/JSObject.h:
1688             - HashEntry -> HashTableValue.
1689         * runtime/Lookup.cpp:
1690         (JSC::HashTable::createTable):
1691             - table -> keys, keys array is now densely packed.
1692         (JSC::HashTable::deleteTable):
1693             - table -> keys.
1694         (JSC::setUpStaticFunctionSlot):
1695             - HashEntry -> HashTableValue.
1696         * runtime/Lookup.h:
1697         (JSC::HashTableValue::builtinGenerator):
1698         (JSC::HashTableValue::function):
1699         (JSC::HashTableValue::functionLength):
1700         (JSC::HashTableValue::propertyGetter):
1701         (JSC::HashTableValue::propertyPutter):
1702         (JSC::HashTableValue::lexerValue):
1703             - added accessor methods from HashEntry.
1704         (JSC::HashTable::copy):
1705             - fields changed.
1706         (JSC::HashTable::initializeIfNeeded):
1707             - table -> keys.
1708         (JSC::HashTable::entry):
1709             - HashEntry -> HashTableValue.
1710         (JSC::HashTable::ConstIterator::ConstIterator):
1711             - iterate packed value array, so no need to skipInvalidKeys().
1712         (JSC::HashTable::ConstIterator::value):
1713         (JSC::HashTable::ConstIterator::key):
1714         (JSC::HashTable::ConstIterator::operator->):
1715             - accessors now get HashTableValue/StringImpl* separately.
1716         (JSC::HashTable::ConstIterator::operator++):
1717             - iterate packed value array, so no need to skipInvalidKeys().
1718         (JSC::HashTable::end):
1719             - end is now size of dense not sparse array.
1720         (JSC::getStaticPropertySlot):
1721         (JSC::getStaticFunctionSlot):
1722         (JSC::getStaticValueSlot):
1723         (JSC::putEntry):
1724         (JSC::lookupPut):
1725             - HashEntry -> HashTableValue.
1726
1727 2014-03-13  Filip Pizlo  <fpizlo@apple.com>
1728
1729         Unreviewed, fix Mac no-FTL build.
1730
1731         * llvm/library/LLVMExports.cpp:
1732         (initializeAndGetJSCLLVMAPI):
1733
1734 2014-03-13  Juergen Ributzka  <juergen@apple.com>
1735
1736         Only export initializeAndGetJSCLLVMAPI from libllvmForJSC.dylib
1737         https://bugs.webkit.org/show_bug.cgi?id=130224
1738
1739         Reviewed by Filip Pizlo.
1740
1741         This limits the exported symbols to only initializeAndGetJSCLLVMAPI from
1742         the LLVM dylib. This allows the dylib to be safely used with other LLVM
1743         dylibs on the same system. It also reduces the dynamic linking overhead
1744         and also reduces the size by 6MB, because the linker can now dead strip
1745         many unused functions.
1746
1747         * Configurations/LLVMForJSC.xcconfig:
1748
1749 2014-03-13  Andreas Kling  <akling@apple.com>
1750
1751         VM::discardAllCode() should clear the RegExp cache.
1752         <https://webkit.org/b/130144>
1753
1754         Reviewed by Michael Saboff.
1755
1756         * runtime/VM.cpp:
1757         (JSC::VM::discardAllCode):
1758
1759 2014-03-13  Andreas Kling  <akling@apple.com>
1760
1761         Revert "Short-circuit JSGlobalObjectInspectorController when not inspecting."
1762         <https://webkit.org/b/129995>
1763
1764         This code path is not taken anymore on DYEB, and I can't explain why
1765         it was showing up in my profiles. Backing it out per JoePeck's suggestion.
1766
1767         * inspector/JSGlobalObjectInspectorController.cpp:
1768         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
1769
1770 2014-03-13  Filip Pizlo  <fpizlo@apple.com>
1771
1772         FTL should support IsBlah
1773         https://bugs.webkit.org/show_bug.cgi?id=130202
1774
1775         Reviewed by Geoffrey Garen.
1776
1777         * ftl/FTLCapabilities.cpp:
1778         (JSC::FTL::canCompile):
1779         * ftl/FTLIntrinsicRepository.h:
1780         * ftl/FTLLowerDFGToLLVM.cpp:
1781         (JSC::FTL::LowerDFGToLLVM::compileNode):
1782         (JSC::FTL::LowerDFGToLLVM::compileIsUndefined):
1783         (JSC::FTL::LowerDFGToLLVM::compileIsBoolean):
1784         (JSC::FTL::LowerDFGToLLVM::compileIsNumber):
1785         (JSC::FTL::LowerDFGToLLVM::compileIsString):
1786         (JSC::FTL::LowerDFGToLLVM::compileIsObject):
1787         (JSC::FTL::LowerDFGToLLVM::compileIsFunction):
1788         (JSC::FTL::LowerDFGToLLVM::compileStoreBarrier):
1789         (JSC::FTL::LowerDFGToLLVM::compileStoreBarrierWithNullCheck):
1790         (JSC::FTL::LowerDFGToLLVM::isNotCellOrMisc):
1791         (JSC::FTL::LowerDFGToLLVM::isNumber):
1792         (JSC::FTL::LowerDFGToLLVM::isNotNumber):
1793         (JSC::FTL::LowerDFGToLLVM::isBoolean):
1794         * ftl/FTLOSRExitCompiler.cpp:
1795         * tests/stress/is-undefined-exit-on-masquerader.js: Added.
1796         (bar):
1797         (foo):
1798         (test):
1799         * tests/stress/is-undefined-jettison-on-masquerader.js: Added.
1800         (foo):
1801         (test):
1802         * tests/stress/is-undefined-masquerader.js: Added.
1803         (foo):
1804         (test):
1805
1806 2014-03-13  Mark Lam  <mark.lam@apple.com>
1807
1808         JS benchmarks crash with a bus error on 32-bit x86.
1809         <https://webkit.org/b/130203>
1810
1811         Reviewed by Geoffrey Garen.
1812
1813         The issue is that generateGetByIdStub() can potentially use the same register
1814         for the JSValue base register and the target tag register.  After loading the
1815         tag value into the target tag register, the JSValue base address is lost.
1816         The code then proceeds to load the payload value using the base register, and
1817         this results in a crash.
1818
1819         The fix is to check if the base register is the same as the target tag register.
1820         If so, we should make a copy of the base register first before loading the tag
1821         value, and use the copy to load the payload value instead.
1822
1823         * jit/Repatch.cpp:
1824         (JSC::generateGetByIdStub):
1825
1826 2014-03-12  Filip Pizlo  <fpizlo@apple.com>
1827
1828         WebKit shouldn't crash on uniprocessor machines
1829         https://bugs.webkit.org/show_bug.cgi?id=130176
1830
1831         Reviewed by Michael Saboff.
1832         
1833         Previously the math for computing the number of JIT compiler threads would come up with
1834         zero threads on uniprocessor machines, and then the Worklist code would assert.
1835
1836         * runtime/Options.cpp:
1837         (JSC::computeNumberOfWorkerThreads):
1838         * runtime/Options.h:
1839
1840 2014-03-13  Radu Stavila  <stavila@adobe.com>
1841
1842         WebKit not building on Xcode 5.1 due to garbage collection no longer being supported
1843         https://bugs.webkit.org/show_bug.cgi?id=130087
1844
1845         Reviewed by Mark Rowe.
1846
1847         Disable garbage collection on macosx when not using internal SDK.
1848
1849         * Configurations/Base.xcconfig:
1850
1851 2014-03-10  Darin Adler  <darin@apple.com>
1852
1853         Avoid copy-prone idiom "for (auto item : collection)"
1854         https://bugs.webkit.org/show_bug.cgi?id=129990
1855
1856         Reviewed by Geoffrey Garen.
1857
1858         * heap/CodeBlockSet.h:
1859         (JSC::CodeBlockSet::iterate): Use auto& to be sure we don't copy by accident.
1860         * inspector/ScriptDebugServer.cpp:
1861         (Inspector::ScriptDebugServer::dispatchBreakpointActionLog): Use auto* to
1862         make explicit that we are iterating through pointers.
1863         (Inspector::ScriptDebugServer::dispatchBreakpointActionSound): Ditto.
1864         (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe): Ditto.
1865         * inspector/agents/InspectorDebuggerAgent.cpp:
1866         (Inspector::InspectorDebuggerAgent::removeBreakpoint): Use auto&, and also
1867         get rid of an unneeded local variable.
1868
1869 2014-03-13  Brian Burg  <bburg@apple.com>
1870
1871         Web Inspector: Remove unused callId parameter from evaluateInWebInspector
1872         https://bugs.webkit.org/show_bug.cgi?id=129744
1873
1874         Reviewed by Timothy Hatcher.
1875
1876         * inspector/agents/InspectorAgent.cpp:
1877         (Inspector::InspectorAgent::enable):
1878         (Inspector::InspectorAgent::evaluateForTestInFrontend):
1879         * inspector/agents/InspectorAgent.h:
1880         * inspector/protocol/InspectorDomain.json:
1881
1882 2014-03-11  Filip Pizlo  <fpizlo@apple.com>
1883
1884         ASSERTION FAILED: node->op() == Phi || node->op() == SetArgument
1885         https://bugs.webkit.org/show_bug.cgi?id=130069
1886
1887         Reviewed by Geoffrey Garen.
1888         
1889         This was a great assertion, and it represents our strictest interpretation of the rules of
1890         our intermediate representation. However, fixing DCE to actually preserve the relevant
1891         property would be hard, and it wouldn't have an observable effect right now because nobody
1892         actually uses the property of CPS that this assertion is checking for.
1893         
1894         In particular, we do always require, and rely on, the fact that non-captured variables
1895         have variablesAtTail refer to the last interesting use of the variable: a SetLocal if the
1896         block assigns to the variable, a GetLocal if it only reads from it, and a Flush,
1897         PhantomLocal, or Phi otherwise. We do preserve this property successfully and DCE was not
1898         broken in this regard. But, in the strictest sense, CPS also means that for captured
1899         variables, variablesAtTail also continues to point to the last relevant use of the
1900         variable. In particular, if there are multiple GetLocals, then it should point to the last
1901         one. This is hard for DCE to preserve. Also, nobody relies on variablesAtTail for captured
1902         variables, except to check the VariableAccessData; but in that case, we don't really need
1903         the *last* relevant use of the variable - any node that mentions the same variable will do
1904         just fine.
1905         
1906         So, this change loosens the assertion and adds a detailed FIXME describing what we would
1907         have to do if we wanted to preserve the more strict property.
1908         
1909         This also makes changes to various debug printing paths so that validation doesn't crash
1910         during graph dump. This also adds tests for the interesting cases of DCE failing to
1911         preserve CPS in the strictest sense. This also attempts to win the record for longest test
1912         name.
1913
1914         * bytecode/CodeBlock.cpp:
1915         (JSC::CodeBlock::hashAsStringIfPossible):
1916         (JSC::CodeBlock::dumpAssumingJITType):
1917         * bytecode/CodeBlock.h:
1918         * bytecode/CodeOrigin.cpp:
1919         (JSC::InlineCallFrame::hashAsStringIfPossible):
1920         (JSC::InlineCallFrame::dumpBriefFunctionInformation):
1921         * bytecode/CodeOrigin.h:
1922         * dfg/DFGCPSRethreadingPhase.cpp:
1923         (JSC::DFG::CPSRethreadingPhase::run):
1924         * dfg/DFGDCEPhase.cpp:
1925         (JSC::DFG::DCEPhase::cleanVariables):
1926         * dfg/DFGInPlaceAbstractState.cpp:
1927         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
1928         * runtime/FunctionExecutableDump.cpp:
1929         (JSC::FunctionExecutableDump::dump):
1930         * tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store-in-function-with-multiple-basic-blocks.js: Added.
1931         (foo):
1932         * tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store.js: Added.
1933         (foo):
1934
1935 2014-03-12  Brian Burg  <bburg@apple.com>
1936
1937         Web Replay: add infrastructure for memoizing nondeterministic DOM APIs
1938         https://bugs.webkit.org/show_bug.cgi?id=129445
1939
1940         Reviewed by Timothy Hatcher.
1941
1942         There was a bug in the replay inputs code generator that would include
1943         headers for definitions of enum classes, even though they can be safely
1944         forward-declared.
1945
1946         * replay/scripts/CodeGeneratorReplayInputs.py:
1947         (Generator.generate_includes): Only include for copy constructor if the
1948         type is a heavy scalar (i.e., String, URL), not a normal scalar
1949         (i.e., int, double, enum classes).
1950
1951         (Generator.generate_type_forward_declarations): Forward-declare scalars
1952         that are enums or enum classes.
1953
1954 2014-03-12  Joseph Pecoraro  <pecoraro@apple.com>
1955
1956         Web Inspector: Disable REMOTE_INSPECTOR in earlier OS X releases
1957         https://bugs.webkit.org/show_bug.cgi?id=130118
1958
1959         Reviewed by Timothy Hatcher.
1960
1961         * Configurations/FeatureDefines.xcconfig:
1962
1963 2014-03-12  Joseph Pecoraro  <pecoraro@apple.com>
1964
1965         Web Inspector: Hang in Remote Inspection triggering breakpoint from console
1966         https://bugs.webkit.org/show_bug.cgi?id=130032
1967
1968         Reviewed by Timothy Hatcher.
1969
1970         * inspector/EventLoop.h:
1971         * inspector/EventLoop.cpp:
1972         (Inspector::EventLoop::remoteInspectorRunLoopMode):
1973         (Inspector::EventLoop::cycle):
1974         Expose the run loop mode name so it can be used if needed by others.
1975
1976         * inspector/remote/RemoteInspectorDebuggableConnection.h:
1977         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
1978         (Inspector::RemoteInspectorBlock::RemoteInspectorBlock):
1979         (Inspector::RemoteInspectorBlock::~RemoteInspectorBlock):
1980         (Inspector::RemoteInspectorBlock::operator=):
1981         (Inspector::RemoteInspectorBlock::operator()):
1982         (Inspector::RemoteInspectorQueueTask):
1983         Instead of a dispatch_queue, have our own static Vector of debugger tasks.
1984
1985         (Inspector::RemoteInspectorHandleRunSource):
1986         (Inspector::RemoteInspectorInitializeQueue):
1987         Initialize the static queue and run loop source. When the run loop source
1988         fires, it will exhaust the queue of debugger messages.
1989
1990         (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
1991         (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
1992         When we get a debuggable connection add a run loop source for inspector commands.
1993
1994         (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
1995         (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
1996         Enqueue blocks on our Vector instead of our dispatch_queue.
1997
1998 2014-03-12  Commit Queue  <commit-queue@webkit.org>
1999
2000         Unreviewed, rolling out r165482.
2001         https://bugs.webkit.org/show_bug.cgi?id=130157
2002
2003         Broke the Windows build; "error C2466: cannot allocate an
2004         array of constant size 0" (Requested by jernoble on #webkit).
2005
2006         Reverted changeset:
2007
2008         "Reduce memory use for static property maps"
2009         https://bugs.webkit.org/show_bug.cgi?id=129986
2010         http://trac.webkit.org/changeset/165482
2011
2012 2014-03-12  Mark Hahnenberg  <mhahnenberg@apple.com>
2013
2014         Remove HandleSet::m_nextToFinalize
2015         https://bugs.webkit.org/show_bug.cgi?id=130109
2016
2017         Reviewed by Mark Lam.
2018
2019         This is a remnant of when HandleSet contained things that needed to be finalized. 
2020
2021         * heap/HandleSet.cpp:
2022         (JSC::HandleSet::HandleSet):
2023         (JSC::HandleSet::writeBarrier):
2024         * heap/HandleSet.h:
2025         (JSC::HandleSet::allocate):
2026         (JSC::HandleSet::deallocate):
2027
2028 2014-03-12  Mark Hahnenberg  <mhahnenberg@apple.com>
2029
2030         Layout Test fast/workers/worker-gc.html is failing
2031         https://bugs.webkit.org/show_bug.cgi?id=130135
2032
2033         Reviewed by Geoffrey Garen.
2034
2035         When removing MarkedBlocks, we always expect them to be in the MarkedAllocator's 
2036         main list of blocks, i.e. not in the retired list. When shutting down the VM this
2037         wasn't always the case which was causing ASSERTs to fire. We should rearrange things 
2038         so that allocators are notified with lastChanceToFinalize. This will give them 
2039         the chance to move their retired blocks back into the main list before removing them all.
2040
2041         * heap/MarkedAllocator.cpp:
2042         (JSC::LastChanceToFinalize::operator()):
2043         (JSC::MarkedAllocator::lastChanceToFinalize):
2044         * heap/MarkedAllocator.h:
2045         * heap/MarkedSpace.cpp:
2046         (JSC::LastChanceToFinalize::operator()):
2047         (JSC::MarkedSpace::lastChanceToFinalize):
2048
2049 2014-03-12  Gavin Barraclough  <barraclough@apple.com>
2050
2051         Reduce memory use for static property maps
2052         https://bugs.webkit.org/show_bug.cgi?id=129986
2053
2054         Reviewed by Andreas Kling.
2055
2056         Static property tables are currently duplicated on first use from read-only memory into dirty memory
2057         in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse
2058         (we use a custom hash table without a rehash) a lot of memory may be wasted.
2059
2060         First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps
2061         from string hashes to indices into a densely packed array of values. Compute the index table at
2062         compile time as a part of the derived sources step, such that this may be read-only data.
2063
2064         Second, don't copy all data from the HashTableValue array into HashEntry objects. Instead refer
2065         directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the
2066         keys, which are Identifiers.
2067
2068         * create_hash_table:
2069             - emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep).
2070         * parser/Lexer.cpp:
2071         (JSC::Lexer<LChar>::parseIdentifier):
2072         (JSC::Lexer<UChar>::parseIdentifier):
2073         (JSC::Lexer<T>::parseIdentifierSlowCase):
2074             - HashEntry -> HashTableValue.
2075         * parser/Lexer.h:
2076         (JSC::Keywords::getKeyword):
2077             - HashEntry -> HashTableValue.
2078         * runtime/ClassInfo.h:
2079             - removed HashEntry.
2080         * runtime/JSObject.cpp:
2081         (JSC::getClassPropertyNames):
2082             - use HashTable::ConstIterator.
2083         (JSC::JSObject::put):
2084         (JSC::JSObject::deleteProperty):
2085         (JSC::JSObject::findPropertyHashEntry):
2086             - HashEntry -> HashTableValue.
2087         (JSC::JSObject::reifyStaticFunctionsForDelete):
2088             - changed HashTable::ConstIterator interface.
2089         * runtime/JSObject.h:
2090             - HashEntry -> HashTableValue.
2091         * runtime/Lookup.cpp:
2092         (JSC::HashTable::createTable):
2093             - table -> keys, keys array is now densely packed.
2094         (JSC::HashTable::deleteTable):
2095             - table -> keys.
2096         (JSC::setUpStaticFunctionSlot):
2097             - HashEntry -> HashTableValue.
2098         * runtime/Lookup.h:
2099         (JSC::HashTableValue::builtinGenerator):
2100         (JSC::HashTableValue::function):
2101         (JSC::HashTableValue::functionLength):
2102         (JSC::HashTableValue::propertyGetter):
2103         (JSC::HashTableValue::propertyPutter):
2104         (JSC::HashTableValue::lexerValue):
2105             - added accessor methods from HashEntry.
2106         (JSC::HashTable::copy):
2107             - fields changed.
2108         (JSC::HashTable::initializeIfNeeded):
2109             - table -> keys.
2110         (JSC::HashTable::entry):
2111             - HashEntry -> HashTableValue.
2112         (JSC::HashTable::ConstIterator::ConstIterator):
2113             - iterate packed value array, so no need to skipInvalidKeys().
2114         (JSC::HashTable::ConstIterator::value):
2115         (JSC::HashTable::ConstIterator::key):
2116         (JSC::HashTable::ConstIterator::operator->):
2117             - accessors now get HashTableValue/StringImpl* separately.
2118         (JSC::HashTable::ConstIterator::operator++):
2119             - iterate packed value array, so no need to skipInvalidKeys().
2120         (JSC::HashTable::end):
2121             - end is now size of dense not sparse array.
2122         (JSC::getStaticPropertySlot):
2123         (JSC::getStaticFunctionSlot):
2124         (JSC::getStaticValueSlot):
2125         (JSC::putEntry):
2126         (JSC::lookupPut):
2127             - HashEntry -> HashTableValue.
2128
2129 2014-03-11  Filip Pizlo  <fpizlo@apple.com>
2130
2131         It should be possible to build WebKit with FTL on iOS
2132         https://bugs.webkit.org/show_bug.cgi?id=130116
2133
2134         Reviewed by Dan Bernstein.
2135
2136         * Configurations/Base.xcconfig:
2137
2138 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
2139
2140         GetById list caching should use something object-oriented rather than PolymorphicAccessStructureList
2141         https://bugs.webkit.org/show_bug.cgi?id=129778
2142
2143         Reviewed by Geoffrey Garen.
2144         
2145         Also deduplicate the GetById getter call caching. Also add some small tests for
2146         get stubs.
2147         
2148         This change reduces the amount of code involved in GetById access caching and it
2149         creates data structures that can serve as an elegant scaffold for introducing other
2150         kinds of caches or improving current caching styles. It will definitely make getter
2151         performance improvements easier to implement.
2152
2153         * CMakeLists.txt:
2154         * GNUmakefile.list.am:
2155         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2156         * JavaScriptCore.xcodeproj/project.pbxproj:
2157         * bytecode/CodeBlock.cpp:
2158         (JSC::CodeBlock::printGetByIdCacheStatus):
2159         * bytecode/GetByIdStatus.cpp:
2160         (JSC::GetByIdStatus::computeForStubInfo):
2161         * bytecode/PolymorphicGetByIdList.cpp: Added.
2162         (JSC::GetByIdAccess::GetByIdAccess):
2163         (JSC::GetByIdAccess::~GetByIdAccess):
2164         (JSC::GetByIdAccess::fromStructureStubInfo):
2165         (JSC::GetByIdAccess::visitWeak):
2166         (JSC::PolymorphicGetByIdList::PolymorphicGetByIdList):
2167         (JSC::PolymorphicGetByIdList::from):
2168         (JSC::PolymorphicGetByIdList::~PolymorphicGetByIdList):
2169         (JSC::PolymorphicGetByIdList::currentSlowPathTarget):
2170         (JSC::PolymorphicGetByIdList::addAccess):
2171         (JSC::PolymorphicGetByIdList::isFull):
2172         (JSC::PolymorphicGetByIdList::isAlmostFull):
2173         (JSC::PolymorphicGetByIdList::didSelfPatching):
2174         (JSC::PolymorphicGetByIdList::visitWeak):
2175         * bytecode/PolymorphicGetByIdList.h: Added.
2176         (JSC::GetByIdAccess::GetByIdAccess):
2177         (JSC::GetByIdAccess::isSet):
2178         (JSC::GetByIdAccess::operator!):
2179         (JSC::GetByIdAccess::type):
2180         (JSC::GetByIdAccess::structure):
2181         (JSC::GetByIdAccess::chain):
2182         (JSC::GetByIdAccess::chainCount):
2183         (JSC::GetByIdAccess::stubRoutine):
2184         (JSC::GetByIdAccess::doesCalls):
2185         (JSC::PolymorphicGetByIdList::isEmpty):
2186         (JSC::PolymorphicGetByIdList::size):
2187         (JSC::PolymorphicGetByIdList::at):
2188         (JSC::PolymorphicGetByIdList::operator[]):
2189         * bytecode/StructureStubInfo.cpp:
2190         (JSC::StructureStubInfo::deref):
2191         (JSC::StructureStubInfo::visitWeakReferences):
2192         * bytecode/StructureStubInfo.h:
2193         (JSC::isGetByIdAccess):
2194         (JSC::StructureStubInfo::initGetByIdList):
2195         * jit/Repatch.cpp:
2196         (JSC::generateGetByIdStub):
2197         (JSC::tryCacheGetByID):
2198         (JSC::patchJumpToGetByIdStub):
2199         (JSC::tryBuildGetByIDList):
2200         (JSC::tryBuildPutByIdList):
2201         * tests/stress/getter.js: Added.
2202         (foo):
2203         (.o):
2204         * tests/stress/polymorphic-prototype-accesses.js: Added.
2205         (Foo):
2206         (Bar):
2207         (foo):
2208         * tests/stress/prototype-getter.js: Added.
2209         (Foo):
2210         (foo):
2211         * tests/stress/simple-prototype-accesses.js: Added.
2212         (Foo):
2213         (foo):
2214
2215 2014-03-11  Mark Hahnenberg  <mhahnenberg@apple.com>
2216
2217         MarkedBlocks that are "full enough" shouldn't be swept after EdenCollections
2218         https://bugs.webkit.org/show_bug.cgi?id=129920
2219
2220         Reviewed by Geoffrey Garen.
2221
2222         This patch introduces the notion of "retiring" MarkedBlocks. We retire a MarkedBlock
2223         when the amount of free space in a MarkedBlock drops below a certain threshold.
2224         Retired blocks are not considered for sweeping.
2225
2226         This is profitable because it reduces churn during sweeping. To build a free list, 
2227         we have to scan through each cell in a block. After a collection, all objects that 
2228         are live in the block will remain live until the next FullCollection, at which time
2229         we un-retire all previously retired blocks. Thus, a small number of objects in a block
2230         that die during each EdenCollection could cause us to do a disproportionate amount of 
2231         sweeping for how much free memory we get back.
2232
2233         This patch looks like a consistent ~2% progression on boyer and is neutral everywhere else.
2234
2235         * heap/Heap.h:
2236         (JSC::Heap::didRetireBlockWithFreeListSize):
2237         * heap/MarkedAllocator.cpp:
2238         (JSC::MarkedAllocator::tryAllocateHelper):
2239         (JSC::MarkedAllocator::removeBlock):
2240         (JSC::MarkedAllocator::reset):
2241         * heap/MarkedAllocator.h:
2242         (JSC::MarkedAllocator::MarkedAllocator):
2243         (JSC::MarkedAllocator::forEachBlock):
2244         * heap/MarkedBlock.cpp:
2245         (JSC::MarkedBlock::sweepHelper):
2246         (JSC::MarkedBlock::clearMarksWithCollectionType):
2247         (JSC::MarkedBlock::didRetireBlock):
2248         * heap/MarkedBlock.h:
2249         (JSC::MarkedBlock::willRemoveBlock):
2250         (JSC::MarkedBlock::isLive):
2251         * heap/MarkedSpace.cpp:
2252         (JSC::MarkedSpace::clearNewlyAllocated):
2253         (JSC::MarkedSpace::clearMarks):
2254         * runtime/Options.h:
2255
2256 2014-03-11  Andreas Kling  <akling@apple.com>
2257
2258         Streamline PropertyTable for lookup-only access.
2259         <https://webkit.org/b/130060>
2260
2261         The PropertyTable lookup algorithm was written to support both read
2262         and write access. This wasn't actually needed in most places.
2263
2264         This change adds a PropertyTable::get() that just returns the value
2265         type (instead of an insertion iterator.) It also adds an early return
2266         for empty tables.
2267
2268         Finally, up the minimum table capacity from 8 to 16. It was lowered
2269         to 8 in order to save memory, but that was before PropertyTables were
2270         GC allocated. Nowadays we don't have nearly as many tables, since all
2271         the unpinned transitions die off.
2272
2273         Reviewed by Darin Adler.
2274
2275         * runtime/PropertyMapHashTable.h:
2276         (JSC::PropertyTable::get):
2277         * runtime/Structure.cpp:
2278         (JSC::Structure::despecifyDictionaryFunction):
2279         (JSC::Structure::attributeChangeTransition):
2280         (JSC::Structure::get):
2281         (JSC::Structure::despecifyFunction):
2282         * runtime/StructureInlines.h:
2283         (JSC::Structure::get):
2284
2285 2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>
2286
2287         REGRESSION(r165407): DoYouEvenBench crashes in DRT
2288         https://bugs.webkit.org/show_bug.cgi?id=130066
2289
2290         Reviewed by Geoffrey Garen.
2291
2292         The baseline JIT does a conditional store barrier for the put_by_id, but we need 
2293         an unconditional store barrier so that we cover the butterfly case as well in emitPutTransitionStub.
2294
2295         * jit/JIT.h:
2296         * jit/JITPropertyAccess.cpp:
2297         (JSC::JIT::emit_op_put_by_id):
2298         (JSC::JIT::emitWriteBarrier):
2299
2300 2014-03-10  Mark Lam  <mark.lam@apple.com>
2301
2302         Resurrect bit-rotted JIT::probe() mechanism.
2303         <https://webkit.org/b/130067>
2304
2305         Reviewed by Geoffrey Garen.
2306
2307         * jit/JITStubs.cpp:
2308         - Added the needed #include <wtf/InlineASM.h>.
2309
2310 2014-03-10  Joseph Pecoraro  <pecoraro@apple.com>
2311
2312         Fix typo in EXCLUDED_SOURCE_FILE_NAMES_iphoneos.
2313
2314         Rubber-stamped by Dan Bernstein.
2315
2316         * Configurations/JavaScriptCore.xcconfig:
2317
2318 2014-03-10  Mark Lam  <mark.lam@apple.com>
2319
2320         r165414 broke the 32-bit x86 tests: ASSERTION FAILED: result != InvalidIndex @ GPRInfo.h:330.
2321         <https://webkit.org/b/130065>
2322
2323         Reviewed by Michael Saboff.
2324
2325         There is code in ScratchRegisterAllocator.cpp that is relying on GPRInfo::toIndex()
2326         being able to return InvalidIndex.  Hence, the assertion is invalid.  Ditto for
2327         FPRInfo::toIndex().
2328
2329         The fix is to remove the "result != InvalidIndex" assertions.
2330
2331         * jit/FPRInfo.h:
2332         (JSC::FPRInfo::toIndex):
2333         * jit/GPRInfo.h:
2334         (JSC::GPRInfo::toIndex):
2335
2336 2014-03-10  Mark Lam  <mark.lam@apple.com>
2337
2338         Crash on a stack overflow on 32-bit x86 in http/tests/websocket/tests/hybi/workers/no-onmessage-in-sync-op.html.
2339         <https://webkit.org/b/129955>
2340
2341         Reviewed by Geoffrey Garen.
2342
2343         The 32-bit x86 version of getHostCallReturnValue() was leaking 16 bytes
2344         stack memory every time it was called.  This is now fixed.
2345
2346         * jit/JITOperations.cpp:
2347
2348 2014-03-10  Joseph Pecoraro  <pecoraro@apple.com>
2349
2350         Better JSContext API for named evaluations (other than //# sourceURL)
2351         https://bugs.webkit.org/show_bug.cgi?id=129911
2352
2353         Reviewed by Geoffrey Garen.
2354
2355         * API/JSBase.h:
2356         * API/JSContext.h:
2357         * API/JSContext.mm:
2358         (-[JSContext evaluateScript:]):
2359         (-[JSContext evaluateScript:withSourceURL:]):
2360         Add new evaluateScript:withSourceURL:.
2361
2362         * API/tests/testapi.c:
2363         (main):
2364         * API/tests/testapi.mm:
2365         (testObjectiveCAPI):
2366         Add tests for sourceURL in evaluate APIs. It should
2367         affect the exception objects.
2368
2369 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
2370
2371         Repatch should save and restore all used registers - not just temp ones - when making a call
2372         https://bugs.webkit.org/show_bug.cgi?id=130041
2373
2374         Reviewed by Geoffrey Garen and Mark Hahnenberg.
2375         
2376         The save/restore code was written back when the only client was the DFG, which only uses a
2377         subset of hardware registers: the "temp" registers in our lingo. But the FTL may use many
2378         other registers, especially on ARM64. The fact that Repatch doesn't know to save those can
2379         lead to data corruption on ARM64. 
2380
2381         * jit/RegisterSet.cpp:
2382         (JSC::RegisterSet::calleeSaveRegisters):
2383         (JSC::RegisterSet::numberOfSetGPRs):
2384         (JSC::RegisterSet::numberOfSetFPRs):
2385         * jit/RegisterSet.h:
2386         * jit/Repatch.cpp:
2387         (JSC::storeToWriteBarrierBuffer):
2388         (JSC::emitPutTransitionStub):
2389         * jit/ScratchRegisterAllocator.cpp:
2390         (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
2391         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
2392         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
2393         (JSC::ScratchRegisterAllocator::usedRegistersForCall):
2394         (JSC::ScratchRegisterAllocator::desiredScratchBufferSizeForCall):
2395         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
2396         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
2397         * jit/ScratchRegisterAllocator.h:
2398
2399 2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>
2400
2401         Remove ConditionalStore barrier
2402         https://bugs.webkit.org/show_bug.cgi?id=130040
2403
2404         Reviewed by Geoffrey Garen.
2405
2406         ConditionalStoreBarrier was created when barriers were much more expensive. Now that 
2407         they're cheap(er), we can get rid of them. This also allows us to get rid of the write 
2408         barrier logic in emitPutTransitionStub because we always will have executed a write barrier 
2409         on the base object in the case where we are allocating and storing a new Butterfly into it. 
2410         Previously, a ConditionalStoreBarrier might or might not have barrier-ed the base object, 
2411         so we'd have to emit a write barrier in the transition case.
2412
2413         This is performance neutral on the benchmarks we track.
2414
2415         * dfg/DFGAbstractInterpreterInlines.h:
2416         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2417         * dfg/DFGClobberize.h:
2418         (JSC::DFG::clobberize):
2419         * dfg/DFGConstantFoldingPhase.cpp:
2420         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2421         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2422         * dfg/DFGFixupPhase.cpp:
2423         (JSC::DFG::FixupPhase::fixupNode):
2424         (JSC::DFG::FixupPhase::insertStoreBarrier):
2425         * dfg/DFGNode.h:
2426         (JSC::DFG::Node::isStoreBarrier):
2427         * dfg/DFGNodeType.h:
2428         * dfg/DFGPredictionPropagationPhase.cpp:
2429         (JSC::DFG::PredictionPropagationPhase::propagate):
2430         * dfg/DFGSafeToExecute.h:
2431         (JSC::DFG::safeToExecute):
2432         * dfg/DFGSpeculativeJIT.cpp:
2433         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
2434         * dfg/DFGSpeculativeJIT32_64.cpp:
2435         (JSC::DFG::SpeculativeJIT::compile):
2436         * dfg/DFGSpeculativeJIT64.cpp:
2437         (JSC::DFG::SpeculativeJIT::compile):
2438         * ftl/FTLCapabilities.cpp:
2439         (JSC::FTL::canCompile):
2440         * ftl/FTLLowerDFGToLLVM.cpp:
2441         (JSC::FTL::LowerDFGToLLVM::compileNode):
2442         * jit/Repatch.cpp:
2443         (JSC::emitPutTransitionStub):
2444
2445 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
2446
2447         DFG and FTL should know that comparing anything to Misc is cheap and easy
2448         https://bugs.webkit.org/show_bug.cgi?id=130001
2449
2450         Reviewed by Geoffrey Garen.
2451         
2452         - Expand CompareStrictEq(Misc:, Misc:) to work for cases where either side of the
2453           comparison is just Untyped:.
2454         
2455         - This obviates the need for CompareStrictEqConstant, so remove it.
2456         
2457         - FTL had a thing called "Nully" which is really "Other". Rename it and add
2458           OtherUse.
2459         
2460         9% speed-up on box2d.
2461
2462         * dfg/DFGAbstractInterpreterInlines.h:
2463         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2464         * dfg/DFGByteCodeParser.cpp:
2465         (JSC::DFG::ByteCodeParser::parseBlock):
2466         * dfg/DFGClobberize.h:
2467         (JSC::DFG::clobberize):
2468         * dfg/DFGFixupPhase.cpp:
2469         (JSC::DFG::FixupPhase::fixupNode):
2470         * dfg/DFGNode.h:
2471         (JSC::DFG::Node::isBinaryUseKind):
2472         (JSC::DFG::Node::shouldSpeculateOther):
2473         * dfg/DFGNodeType.h:
2474         * dfg/DFGPredictionPropagationPhase.cpp:
2475         (JSC::DFG::PredictionPropagationPhase::propagate):
2476         * dfg/DFGSafeToExecute.h:
2477         (JSC::DFG::safeToExecute):
2478         * dfg/DFGSpeculativeJIT.cpp:
2479         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
2480         (JSC::DFG::SpeculativeJIT::compare):
2481         (JSC::DFG::SpeculativeJIT::compileStrictEq):
2482         * dfg/DFGSpeculativeJIT.h:
2483         * dfg/DFGSpeculativeJIT32_64.cpp:
2484         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
2485         (JSC::DFG::SpeculativeJIT::compile):
2486         * dfg/DFGSpeculativeJIT64.cpp:
2487         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
2488         (JSC::DFG::SpeculativeJIT::compile):
2489         * ftl/FTLCapabilities.cpp:
2490         (JSC::FTL::canCompile):
2491         * ftl/FTLLowerDFGToLLVM.cpp:
2492         (JSC::FTL::LowerDFGToLLVM::compileNode):
2493         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
2494         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
2495         (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
2496         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
2497         (JSC::FTL::LowerDFGToLLVM::isNotOther):
2498         (JSC::FTL::LowerDFGToLLVM::isOther):
2499         (JSC::FTL::LowerDFGToLLVM::speculate):
2500         (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
2501         (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
2502         (JSC::FTL::LowerDFGToLLVM::speculateOther):
2503         (JSC::FTL::LowerDFGToLLVM::speculateMisc):
2504         * tests/stress/compare-strict-eq-integer-to-misc.js: Added.
2505
2506 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
2507
2508         Unreviewed, remove unintended change.
2509
2510         * dfg/DFGDriver.cpp:
2511         (JSC::DFG::compileImpl):
2512
2513 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
2514
2515         jsc commandline shouldn't have a "console" because that confuses some tests into thinking
2516         that they're running in the browser.
2517
2518         Rubber stamped by Mark Hahnenberg.
2519
2520         * jsc.cpp:
2521         (GlobalObject::finishCreation):
2522
2523 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
2524
2525         Out-line ScratchRegisterAllocator
2526
2527         Rubber stamped by Mark Hahnenberg.
2528
2529         * CMakeLists.txt:
2530         * GNUmakefile.list.am:
2531         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2532         * JavaScriptCore.xcodeproj/project.pbxproj:
2533         * dfg/DFGDriver.cpp:
2534         (JSC::DFG::compileImpl):
2535         * jit/ScratchRegisterAllocator.cpp: Added.
2536         (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
2537         (JSC::ScratchRegisterAllocator::~ScratchRegisterAllocator):
2538         (JSC::ScratchRegisterAllocator::lock):
2539         (JSC::ScratchRegisterAllocator::allocateScratch):
2540         (JSC::ScratchRegisterAllocator::allocateScratchGPR):
2541         (JSC::ScratchRegisterAllocator::allocateScratchFPR):
2542         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
2543         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
2544         (JSC::ScratchRegisterAllocator::desiredScratchBufferSize):
2545         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
2546         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
2547         * jit/ScratchRegisterAllocator.h:
2548
2549 2014-03-10  Brent Fulgham  <bfulgham@apple.com>
2550
2551         [Win] Pass environment to Pre-Build, Pre-link, and Post-Build Stages.
2552         https://bugs.webkit.org/show_bug.cgi?id=130023
2553
2554         Reviewed by Dean Jackson.
2555
2556         * JavaScriptCore.vcxproj/JavaScriptCore.proj: Avoid trailing backslashes in
2557         path names to avoid accidental escaping of later string substitutions.
2558
2559 2014-03-10  Andreas Kling  <akling@apple.com>
2560
2561         [X86_64] Smaller code for testb_i8r when register is accumulator.
2562         <https://webkit.org/b/130026>
2563
2564         Generate the shorthand version of "test al, imm" when possible.
2565
2566         Reviewed by Michael Saboff.
2567
2568         * assembler/X86Assembler.h:
2569         (JSC::X86Assembler::testb_i8r):
2570
2571 2014-03-10  Andreas Kling  <akling@apple.com>
2572
2573         [X86_64] Smaller code for sub_ir when register is accumulator.
2574         <https://webkit.org/b/130025>
2575
2576         Generate the shorthand version of "sub eax, imm" when possible.
2577
2578         Reviewed by Michael Saboff.
2579
2580         * assembler/X86Assembler.h:
2581         (JSC::X86Assembler::subl_ir):
2582         (JSC::X86Assembler::subq_ir):
2583
2584 2014-03-10  Andreas Kling  <akling@apple.com>
2585
2586         [X86_64] Smaller code for add_ir when register is accumulator.
2587         <https://webkit.org/b/130024>
2588
2589         Generate the shorthand version of "add eax, imm" when possible.
2590
2591         Reviewed by Michael Saboff.
2592
2593         * assembler/X86Assembler.h:
2594         (JSC::X86Assembler::addl_ir):
2595         (JSC::X86Assembler::addq_ir):
2596
2597 2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>
2598
2599         writeBarrier in emitPutReplaceStub is unnecessary
2600         https://bugs.webkit.org/show_bug.cgi?id=130030
2601
2602         Reviewed by Filip Pizlo.
2603
2604         We already emit write barriers for each put-by-id when they're first compiled, so it's 
2605         redundant to emit a write barrier as part of the repatched code.
2606
2607         * jit/Repatch.cpp:
2608         (JSC::emitPutReplaceStub):
2609
2610 2014-03-10  Andreas Kling  <akling@apple.com>
2611
2612         [X86_64] Smaller code for xor_ir when register is accumulator.
2613         <https://webkit.org/b/130008>
2614
2615         Generate the shorthand version of "xor eax, imm" when possible.
2616
2617         Reviewed by Benjamin Poulain.
2618
2619         * assembler/X86Assembler.h:
2620         (JSC::X86Assembler::xorl_ir):
2621         (JSC::X86Assembler::xorq_ir):
2622
2623 2014-03-10  Andreas Kling  <akling@apple.com>
2624
2625         [X86_64] Smaller code for or_ir when register is accumulator.
2626         <https://webkit.org/b/130007>
2627
2628         Generate the shorthand version of "or eax, imm" when possible.
2629
2630         Reviewed by Benjamin Poulain.
2631
2632         * assembler/X86Assembler.h:
2633         (JSC::X86Assembler::orl_ir):
2634         (JSC::X86Assembler::orq_ir):
2635
2636 2014-03-10  Andreas Kling  <akling@apple.com>
2637
2638         [X86_64] Smaller code for test_ir when register is accumulator.
2639         <https://webkit.org/b/130006>
2640
2641         Generate the shorthand version of "test eax, imm" when possible.
2642
2643         Reviewed by Benjamin Poulain.
2644
2645         * assembler/X86Assembler.h:
2646         (JSC::X86Assembler::testl_i32r):
2647         (JSC::X86Assembler::testq_i32r):
2648
2649 2014-03-10  Andreas Kling  <akling@apple.com>
2650
2651         [X86_64] Smaller code for cmp_ir when register is accumulator.
2652         <https://webkit.org/b/130005>
2653
2654         Generate the shorthand version of "cmp eax, imm" when possible.
2655
2656         Reviewed by Benjamin Poulain.
2657
2658         * assembler/X86Assembler.h:
2659         (JSC::X86Assembler::cmpl_ir):
2660         (JSC::X86Assembler::cmpq_ir):
2661
2662 2014-03-10  Andreas Kling  <akling@apple.com>
2663
2664         [X86_64] Smaller code for store64(imm, address) when imm fits in 32 bits.
2665         <https://webkit.org/b/130002>
2666
2667         Generate this:
2668
2669             mov [address], imm32
2670
2671         Instead of this:
2672
2673             mov scratchRegister, imm32
2674             mov [address], scratchRegister
2675
2676         For store64(imm, address) where the 64-bit immediate can be passed as
2677         a sign-extended 32-bit value.
2678
2679         Reviewed by Benjamin Poulain.
2680
2681         * assembler/MacroAssemblerX86_64.h:
2682         (CAN_SIGN_EXTEND_32_64):
2683         (JSC::MacroAssemblerX86_64::store64):
2684
2685 2014-03-10  Andreas Kling  <akling@apple.com>
2686
2687         [X86_64] Smaller code for xchg_rr when one register is accumulator.
2688         <https://webkit.org/b/130004>
2689
2690         Generate the 1-byte version of "xchg eax, reg" when possible.
2691
2692         Reviewed by Benjamin Poulain.
2693
2694         * assembler/X86Assembler.h:
2695         (JSC::X86Assembler::xchgl_rr):
2696         (JSC::X86Assembler::xchgq_rr):
2697
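        The encoding choices described in the X86_64 entries above (the accumulator short forms for add/sub/cmp/or/xor/test, the one-byte xchg, and store64 with a sign-extendable 32-bit immediate), as an added example in C that is not JavaScriptCore's X86Assembler code. It is a small encoder that picks the shortest legal encoding the way those entries describe, and it also takes the 0x83 sign-extended-byte form that x86 offers for the group-1 ALU ops, which is not mentioned in the entries. The register numbering, the restriction to the eight legacy registers (r8-r15 would need REX.B/REX.R) and to a non-rsp base for the store (rsp needs a SIB byte) are assumptions of this example; returned lengths are what an inline-cache patcher has to get right, which is why every encoder returns the byte count.

```c
#include <stddef.h>
#include <stdint.h>

/* ModRM register numbers of the eight legacy GPRs (assumption: r8-r15 left out). */
enum { EAX = 0, ECX = 1, EDX = 2, EBX = 3, ESP = 4, EBP = 5, ESI = 6, EDI = 7 };

/* ModRM.reg "/digit" selectors of the group-1 ALU ops (opcodes 0x81 and 0x83). */
enum { OP_ADD = 0, OP_OR = 1, OP_AND = 4, OP_SUB = 5, OP_XOR = 6, OP_CMP = 7 };

#define REX_W 0x48  /* 64-bit operand-size prefix */

int fits_int8(int32_t v)  { return v == (int32_t)(int8_t)v; }
int fits_int32(int64_t v) { return v == (int64_t)(int32_t)v; }  /* the CAN_SIGN_EXTEND_32_64 test */

static size_t put_le32(uint8_t *out, uint32_t v) {
    for (int i = 0; i < 4; i++) out[i] = (uint8_t)(v >> (8 * i));
    return 4;
}
static size_t put_le64(uint8_t *out, uint64_t v) {
    for (int i = 0; i < 8; i++) out[i] = (uint8_t)(v >> (8 * i));
    return 8;
}

/* "op reg, imm" for add/or/and/sub/xor/cmp, shortest encoding first:
   0x83 /digit ib when imm is a sign-extended byte (3 bytes),
   accumulator form (0x05 + 8*digit) id when reg is eax/rax (5 bytes),
   generic 0x81 /digit id otherwise (6 bytes). is64 prepends REX.W.
   Returns the number of bytes written. */
size_t encode_alu_ir(uint8_t *out, int op, int32_t imm, int reg, int is64) {
    size_t n = 0;
    if (is64) out[n++] = REX_W;
    if (fits_int8(imm)) {
        out[n++] = 0x83;
        out[n++] = (uint8_t)(0xC0 | (op << 3) | reg);   /* mod=11, reg=/digit, rm=reg */
        out[n++] = (uint8_t)imm;
        return n;
    }
    if (reg == EAX)
        out[n++] = (uint8_t)(0x05 + 8 * op);            /* add=05 or=0D and=25 sub=2D xor=35 cmp=3D */
    else {
        out[n++] = 0x81;
        out[n++] = (uint8_t)(0xC0 | (op << 3) | reg);
    }
    n += put_le32(out + n, (uint32_t)imm);
    return n;
}

/* "test reg, imm32": A9 id for the accumulator, else F7 /0 id. */
size_t encode_test_ir(uint8_t *out, int32_t imm, int reg, int is64) {
    size_t n = 0;
    if (is64) out[n++] = REX_W;
    if (reg == EAX) out[n++] = 0xA9;
    else { out[n++] = 0xF7; out[n++] = (uint8_t)(0xC0 | reg); }
    n += put_le32(out + n, (uint32_t)imm);
    return n;
}

/* "xchg r32, r32": the one-byte 0x90+r form when either side is eax, else 87 /r. */
size_t encode_xchg_rr(uint8_t *out, int src, int dst) {
    if (src == EAX) { out[0] = (uint8_t)(0x90 + dst); return 1; }
    if (dst == EAX) { out[0] = (uint8_t)(0x90 + src); return 1; }
    out[0] = 0x87;
    out[1] = (uint8_t)(0xC0 | (src << 3) | dst);
    return 2;
}

/* store64(imm, [base + disp32]): REX.W C7 /0 disp32 imm32 (11 bytes) when the
   immediate survives sign extension from 32 bits; otherwise load it into a scratch
   register with REX.W B8+r imm64 and store that with REX.W 89 /r (17 bytes).
   Assumption: base is not esp, which would need a SIB byte. */
size_t encode_store64_imm(uint8_t *out, int64_t imm, int base, int32_t disp, int scratch) {
    size_t n = 0;
    if (fits_int32(imm)) {
        out[n++] = REX_W; out[n++] = 0xC7;
        out[n++] = (uint8_t)(0x80 | base);                 /* mod=10 (disp32), reg=/0, rm=base */
        n += put_le32(out + n, (uint32_t)disp);
        n += put_le32(out + n, (uint32_t)(int32_t)imm);
        return n;
    }
    out[n++] = REX_W; out[n++] = (uint8_t)(0xB8 + scratch);
    n += put_le64(out + n, (uint64_t)imm);
    out[n++] = REX_W; out[n++] = 0x89;
    out[n++] = (uint8_t)(0x80 | (scratch << 3) | base);  /* mod=10, reg=scratch, rm=base */
    n += put_le32(out + n, (uint32_t)disp);
    return n;
}
```

        The design point worth keeping from the entries is that the choice is made at encode time from operands alone, so the caller never has to know which form was chosen; the returned length is the only thing later code (patching, alignment, size estimates) depends on.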
2698 2014-03-09  Filip Pizlo  <fpizlo@apple.com>
2699
2700         GPRInfo::toIndex should return InvalidIndex for non-temp registers on ARM64
2701         https://bugs.webkit.org/show_bug.cgi?id=129998
2702
2703         Reviewed by Geoffrey Garen.
2704         
2705         Not only is that the established contract, but this is used to signal to
2706         ScratchRegisterAllocator that the register doesn't need locking since it isn't a register
2707         that this allocator would use. In the FTL, we may have an inline cache where LLVM had used
2708         some non-temp register (i.e. a register that JSC itself wouldn't have used). This is totally
2709         fine but previously it would have led to either an assertion failure, or data corruption, in
2710         the ScratchRegisterAllocator.
2711
2712         * jit/GPRInfo.h:
2713         (JSC::GPRInfo::toIndex):
2714
2715 2014-03-09  Filip Pizlo  <fpizlo@apple.com>
2716
2717         FTL fails the new equals-masquerader strictEqualConstant test
2718         https://bugs.webkit.org/show_bug.cgi?id=129996
2719
2720         Reviewed by Mark Lam.
2721         
2722         It turns out that the FTL was trying to do the masquerading stuff for ===null. But
2723         that's wrong since none of the other engines do it. The DFG even had an ancient
2724         FIXME about doing it - but that doesn't make sense since the LLInt and baseline JIT
2725         don't do it and JSValue::strictEqual() doesn't do it.
2726         
2727         Remove the FIXME and remove the extra checks in the FTL.
2728         
2729         This is a glorious patch: nothing but red and it fixes a test failure.
2730
2731         * dfg/DFGSpeculativeJIT.cpp:
2732         (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
2733         * ftl/FTLLowerDFGToLLVM.cpp:
2734         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
2735
2736 2014-03-09  Andreas Kling  <akling@apple.com>
2737
2738         Short-circuit JSGlobalObjectInspectorController when not inspecting.
2739         <https://webkit.org/b/129995>
2740
2741         Add an early return in reportAPIException() when the console agent
2742         is disabled. This avoids expensive symbolication during exceptions
2743         if there's nobody expecting the fancy backtrace anyway.
2744
2745         ~2% progression on DYEB on my MBP.
2746
2747         Reviewed by Geoff Garen.
2748
2749         * inspector/JSGlobalObjectInspectorController.cpp:
2750         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
2751
2752 2014-03-09  Andreas Kling  <akling@apple.com>
2753
2754         Inline the trivial parts of GC deferral.
2755         <https://webkit.org/b/129984>
2756
2757         Made most of the functions called by the DeferGC RAII object inline
2758         to avoid function call overhead.
2759
2760         Looks like ~1% progression on DYEB.
2761
2762         Reviewed by Geoffrey Garen.
2763
2764         * heap/Heap.cpp:
2765         * heap/Heap.h:
2766         (JSC::Heap::incrementDeferralDepth):
2767         (JSC::Heap::decrementDeferralDepth):
2768         (JSC::Heap::collectIfNecessaryOrDefer):
2769         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
2770
2771 2014-03-08  Mark Lam  <mark.lam@apple.com>
2772
2773         32-bit x86 handleUncaughtException returns to wrong location after a stack overflow.
2774         <https://webkit.org/b/129969>
2775
2776         Reviewed by Geoffrey Garen.
2777
2778         The 32-bit version of handleUncaughtException was missing the handling of an
2779         edge case for stack overflows where the current frame may already be the
2780         sentinel frame.  This edge case was handled in the 64-bit version.  The fix
2781         is to bring the 32-bit version up to parity.
2782
2783         * jit/JIT.cpp:
2784         (JSC::JIT::privateCompile):
2785         * llint/LowLevelInterpreter32_64.asm:
2786
2787 2014-03-07  Mark Lam  <mark.lam@apple.com>
2788
2789         Fix bugs in 32-bit Structure implementation.
2790         <https://webkit.org/b/129947>
2791
2792         Reviewed by Mark Hahnenberg.
2793
2794         Added the loading of the Structure (from the JSCell) before use that was
2795         missing in a few places.  Also added more test cases to equals-masquerader.js.
2796
2797         * dfg/DFGSpeculativeJIT32_64.cpp:
2798         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
2799         (JSC::DFG::SpeculativeJIT::compile):
2800         * dfg/DFGSpeculativeJIT64.cpp:
2801         (JSC::DFG::SpeculativeJIT::compile):
2802         * llint/LowLevelInterpreter32_64.asm:
2803         * tests/stress/equals-masquerader.js:
2804         (equalsNull):
2805         (notEqualsNull):
2806         (strictEqualsNull):
2807         (strictNotEqualsNull):
2808         (equalsUndefined):
2809         (notEqualsUndefined):
2810         (strictEqualsUndefined):
2811         (strictNotEqualsUndefined):
2812         (isFalsey):
2813         (test):
2814
2815 2014-03-07  Andrew Trick  <atrick@apple.com>
2816
2817         Temporarily disable repeat-out-of-bounds stress tests pending fix for 129953.
2818         https://bugs.webkit.org/show_bug.cgi?id=129954
2819
2820         Reviewed by Filip Pizlo.
2821
2822         * tests/stress/float32-repeat-out-of-bounds.js:
2823         * tests/stress/int8-repeat-out-of-bounds.js:
2824
2825 2014-03-07  Michael Saboff  <msaboff@apple.com>
2826
2827         .cfi directives in LowLevelInterpreter.cpp are providing no benefit
2828         https://bugs.webkit.org/show_bug.cgi?id=129945
2829
2830         Reviewed by Mark Lam.
2831
2832         Removed .cfi directive.  Verified that stack traces didn't regress in crash reporter
2833         or in lldb.
2834
2835         * llint/LowLevelInterpreter.cpp:
2836
2837 2014-03-07  Oliver Hunt  <oliver@apple.com>
2838
2839         Continue hangs when performing for-of over arguments
2840         https://bugs.webkit.org/show_bug.cgi?id=129915
2841
2842         Reviewed by Geoffrey Garen.
2843
2844         Put the continue label in the right place
2845
2846         * bytecompiler/BytecodeGenerator.cpp:
2847         (JSC::BytecodeGenerator::emitEnumeration):
2848
2849 2014-03-07  peavo@outlook.com  <peavo@outlook.com>
2850
2851         [Win64] Compile error after r165128.
2852         https://bugs.webkit.org/show_bug.cgi?id=129807
2853
2854         Reviewed by Mark Lam.
2855
2856         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: 
2857         Check platform environment variable to determine if an assembler file should be generated.
2858
2859 2014-03-07  Michael Saboff  <msaboff@apple.com>
2860
2861         Clarify how we deal with "special" registers
2862         https://bugs.webkit.org/show_bug.cgi?id=129806
2863
2864         Already reviewed change being relanded.
2865
2866         Relanding change set r165196 as it wasn't responsible for the breakage reported in
2867         https://bugs.webkit.org/show_bug.cgi?id=129822.  That appears to be a build or
2868         configuration issue.
2869 
2870         Reviewed by Michael Saboff.
2871 
2872         * assembler/ARM64Assembler.h:
2873         (JSC::ARM64Assembler::lastRegister):
2874         * assembler/MacroAssembler.h:
2875         (JSC::MacroAssembler::nextRegister):
2876         * ftl/FTLLocation.cpp:
2877         (JSC::FTL::Location::restoreInto):
2878         * ftl/FTLSaveRestore.cpp:
2879         (JSC::FTL::saveAllRegisters):
2880         (JSC::FTL::restoreAllRegisters):
2881         * ftl/FTLSlowPathCall.cpp:
2882         * jit/RegisterSet.cpp:
2883         (JSC::RegisterSet::reservedHardwareRegisters):
2884         (JSC::RegisterSet::runtimeRegisters):
2885         (JSC::RegisterSet::specialRegisters):
2886         (JSC::RegisterSet::calleeSaveRegisters):
2887         * jit/RegisterSet.h:
2888
2889 2014-03-07  Mark Hahnenberg  <mhahnenberg@apple.com>
2890
2891         Move GCActivityCallback to heap
2892         https://bugs.webkit.org/show_bug.cgi?id=129457
2893
2894         Reviewed by Geoffrey Garen.
2895
2896         All the other GC timer related stuff is there already.
2897
2898         * CMakeLists.txt:
2899         * GNUmakefile.list.am:
2900         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2901         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2902         * JavaScriptCore.xcodeproj/project.pbxproj:
2903         * heap/GCActivityCallback.cpp: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.cpp.
2904         * heap/GCActivityCallback.h: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.h.
2905         * runtime/GCActivityCallback.cpp: Removed.
2906         * runtime/GCActivityCallback.h: Removed.
2907
2908 2014-03-07  Andrew Trick  <atrick@apple.com>
2909
2910         Correct a comment typo from:
2911         FTL should call fmod directly on platforms where LLVM cannot relocate the libcall
2912         https://bugs.webkit.org/show_bug.cgi?id=129865
2913
2914         Reviewed by Mark Lam.
2915
2916         * ftl/FTLOutput.h:
2917         (JSC::FTL::Output::doubleRem):
2918
2919 2014-03-07  Mark Hahnenberg  <mhahnenberg@apple.com>
2920
2921         Use OwnPtr in StructureIDTable
2922         https://bugs.webkit.org/show_bug.cgi?id=129828
2923
2924         Reviewed by Geoffrey Garen.
2925
2926         This reduces the amount of boilerplate and fixes a memory leak.
2927
2928         * runtime/StructureIDTable.cpp:
2929         (JSC::StructureIDTable::StructureIDTable):
2930         (JSC::StructureIDTable::resize):
2931         (JSC::StructureIDTable::flushOldTables):
2932         (JSC::StructureIDTable::allocateID):
2933         (JSC::StructureIDTable::deallocateID):
2934         * runtime/StructureIDTable.h:
2935         (JSC::StructureIDTable::table):
2936         (JSC::StructureIDTable::get):
2937
2938 2014-03-07  Andrew Trick  <atrick@apple.com>
2939
2940         FTL should call fmod directly on platforms where LLVM cannot relocate the libcall
2941         https://bugs.webkit.org/show_bug.cgi?id=129865
2942
2943         Reviewed by Filip Pizlo.
2944
2945         * ftl/FTLIntrinsicRepository.h:
2946         * ftl/FTLOutput.h:
2947         (JSC::FTL::Output::doubleRem):
2948
2949 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
2950
2951         If the FTL is build-time enabled then it should be run-time enabled.
2952
2953         Rubber stamped by Geoffrey Garen.
2954
2955         * runtime/Options.cpp:
2956         (JSC::recomputeDependentOptions):
2957         * runtime/Options.h:
2958
2959 2014-03-06  Joseph Pecoraro  <pecoraro@apple.com>
2960
2961         [OS X] Web Inspector: Allow Apps using JavaScriptCore to access "com.apple.webinspector" mach port
2962         https://bugs.webkit.org/show_bug.cgi?id=129852
2963
2964         Reviewed by Geoffrey Garen.
2965
2966         * framework.sb: Added.
2967         Sandbox extension to allow access to "com.apple.webinspector".
2968
2969         * JavaScriptCore.xcodeproj/project.pbxproj:
2970         Add a Copy Resources build phase and include framework.sb.
2971
2972         * Configurations/JavaScriptCore.xcconfig:
2973         Do not copy framework.sb on iOS.
2974
2975 2014-03-06  Mark Hahnenberg  <mhahnenberg@apple.com>
2976
2977         JSGlobalContextRelease incorrectly handles saving/restoring IdentifierTable
2978         https://bugs.webkit.org/show_bug.cgi?id=129858
2979
2980         Reviewed by Mark Lam.
2981
2982         It was correct (but really ugly) prior to the combining of APIEntryShim and JSLock, 
2983         but now it ends up overwriting the IdentifierTable that JSLock just restored.
2984
2985         * API/JSContextRef.cpp:
2986         (JSGlobalContextRelease):
2987
2988 2014-03-06  Oliver Hunt  <oliver@apple.com>
2989
2990         Fix FTL build.
2991
2992         * dfg/DFGConstantFoldingPhase.cpp:
2993         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2994
2995 2014-03-06  Brent Fulgham  <bfulgham@apple.com>
2996
2997         Unreviewed build fix after r165128.
2998
2999         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: The SEH flag was not getting set when
3000         performing 'Production' and 'DebugSuffix' type builds.
3001
3002 2014-03-06  Julien Brianceau  <jbriance@cisco.com>
3003
3004         Unreviewed, fix style in my previous commit.
3005         https://bugs.webkit.org/show_bug.cgi?id=129833
3006
3007         * runtime/JSConsole.cpp:
3008
3009 2014-03-06  Julien Brianceau  <jbriance@cisco.com>
3010
3011         Build fix: add missing include in JSConsole.cpp.
3012         https://bugs.webkit.org/show_bug.cgi?id=129833
3013
3014         Reviewed by Oliver Hunt.
3015
3016         * runtime/JSConsole.cpp:
3017
3018 2014-03-06  Oliver Hunt  <oliver@apple.com>
3019
3020         Fix ARMv7
3021
3022         * jit/CCallHelpers.h:
3023         (JSC::CCallHelpers::setupArgumentsWithExecState):
3024
3025 2014-03-06  Commit Queue  <commit-queue@webkit.org>
3026
3027         Unreviewed, rolling out r165196.
3028         http://trac.webkit.org/changeset/165196
3029         https://bugs.webkit.org/show_bug.cgi?id=129822
3030
3031         broke arm64 on hardware (Requested by bfulgham on #webkit).
3032
3033         * assembler/ARM64Assembler.h:
3034         (JSC::ARM64Assembler::lastRegister):
3035         * assembler/MacroAssembler.h:
3036         (JSC::MacroAssembler::isStackRelated):
3037         (JSC::MacroAssembler::firstRealRegister):
3038         (JSC::MacroAssembler::nextRegister):
3039         (JSC::MacroAssembler::secondRealRegister):
3040         * ftl/FTLLocation.cpp:
3041         (JSC::FTL::Location::restoreInto):
3042         * ftl/FTLSaveRestore.cpp:
3043         (JSC::FTL::saveAllRegisters):
3044         (JSC::FTL::restoreAllRegisters):
3045         * ftl/FTLSlowPathCall.cpp:
3046         * jit/RegisterSet.cpp:
3047         (JSC::RegisterSet::specialRegisters):
3048         (JSC::RegisterSet::calleeSaveRegisters):
3049         * jit/RegisterSet.h:
3050
3051 2014-03-06  Mark Lam  <mark.lam@apple.com>
3052
3053         REGRESSION(r165205): broke the CLOOP build (Requested by smfr on #webkit).
3054         <https://webkit.org/b/129813>
3055
3056         Reviewed by Michael Saboff.
3057
3058         Fixed broken C loop LLINT build.
3059
3060         * llint/LowLevelInterpreter.cpp:
3061         (JSC::CLoop::execute):
3062         * offlineasm/cloop.rb:
3063
3064 2014-03-03  Oliver Hunt  <oliver@apple.com>
3065
3066         Support caching of custom setters
3067         https://bugs.webkit.org/show_bug.cgi?id=129519
3068
3069         Reviewed by Filip Pizlo.
3070
3071         This patch adds caching of assignment to properties that
3072         are backed by C functions. This provides most of the leg
3073         work required to start supporting setters, and resolves
3074         the remaining regressions from moving DOM properties up
3075         the prototype chain.
3076
3077         * JavaScriptCore.xcodeproj/project.pbxproj:
3078         * bytecode/PolymorphicPutByIdList.cpp:
3079         (JSC::PutByIdAccess::visitWeak):
3080         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
3081         (JSC::PolymorphicPutByIdList::from):
3082         * bytecode/PolymorphicPutByIdList.h:
3083         (JSC::PutByIdAccess::transition):
3084         (JSC::PutByIdAccess::replace):
3085         (JSC::PutByIdAccess::customSetter):
3086         (JSC::PutByIdAccess::isCustom):
3087         (JSC::PutByIdAccess::oldStructure):
3088         (JSC::PutByIdAccess::chain):
3089         (JSC::PutByIdAccess::stubRoutine):
3090         * bytecode/PutByIdStatus.cpp:
3091         (JSC::PutByIdStatus::computeForStubInfo):
3092         (JSC::PutByIdStatus::computeFor):
3093         (JSC::PutByIdStatus::dump):
3094         * bytecode/PutByIdStatus.h:
3095         (JSC::PutByIdStatus::PutByIdStatus):
3096         (JSC::PutByIdStatus::takesSlowPath):
3097         (JSC::PutByIdStatus::makesCalls):
3098         * bytecode/StructureStubInfo.h:
3099         * dfg/DFGAbstractInterpreterInlines.h:
3100         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3101         * dfg/DFGByteCodeParser.cpp:
3102         (JSC::DFG::ByteCodeParser::emitPutById):
3103         (JSC::DFG::ByteCodeParser::handlePutById):
3104         * dfg/DFGClobberize.h:
3105         (JSC::DFG::clobberize):
3106         * dfg/DFGCommon.h:
3107         * dfg/DFGConstantFoldingPhase.cpp:
3108         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3109         * dfg/DFGFixupPhase.cpp:
3110         (JSC::DFG::FixupPhase::fixupNode):
3111         * dfg/DFGNode.h:
3112         (JSC::DFG::Node::hasIdentifier):
3113         * dfg/DFGNodeType.h:
3114         * dfg/DFGPredictionPropagationPhase.cpp:
3115         (JSC::DFG::PredictionPropagationPhase::propagate):
3116         * dfg/DFGSafeToExecute.h:
3117         (JSC::DFG::safeToExecute):
3118         * dfg/DFGSpeculativeJIT.cpp:
3119         (JSC::DFG::SpeculativeJIT::compileIn):
3120         * dfg/DFGSpeculativeJIT.h:
3121         * dfg/DFGSpeculativeJIT32_64.cpp:
3122         (JSC::DFG::SpeculativeJIT::cachedGetById):
3123         (JSC::DFG::SpeculativeJIT::cachedPutById):
3124         (JSC::DFG::SpeculativeJIT::compile):
3125         * dfg/DFGSpeculativeJIT64.cpp:
3126         (JSC::DFG::SpeculativeJIT::cachedGetById):
3127         (JSC::DFG::SpeculativeJIT::cachedPutById):
3128         (JSC::DFG::SpeculativeJIT::compile):
3129         * jit/CCallHelpers.h:
3130         (JSC::CCallHelpers::setupArgumentsWithExecState):
3131         * jit/JITInlineCacheGenerator.cpp:
3132         (JSC::JITByIdGenerator::JITByIdGenerator):
3133         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
3134         * jit/JITInlineCacheGenerator.h:
3135         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
3136         * jit/JITOperations.cpp:
3137         * jit/JITOperations.h:
3138         * jit/JITPropertyAccess.cpp:
3139         (JSC::JIT::emit_op_get_by_id):
3140         (JSC::JIT::emit_op_put_by_id):
3141         * jit/JITPropertyAccess32_64.cpp:
3142         (JSC::JIT::emit_op_get_by_id):
3143         (JSC::JIT::emit_op_put_by_id):
3144         * jit/Repatch.cpp:
3145         (JSC::tryCacheGetByID):
3146         (JSC::tryBuildGetByIDList):
3147         (JSC::emitCustomSetterStub):
3148         (JSC::tryCachePutByID):
3149         (JSC::tryBuildPutByIdList):
3150         * jit/SpillRegistersMode.h: Added.
3151         * llint/LLIntSlowPaths.cpp:
3152         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3153         * runtime/Lookup.h:
3154         (JSC::putEntry):
3155         * runtime/PutPropertySlot.h:
3156         (JSC::PutPropertySlot::setCacheableCustomProperty):
3157         (JSC::PutPropertySlot::customSetter):
3158         (JSC::PutPropertySlot::isCacheablePut):
3159         (JSC::PutPropertySlot::isCacheableCustomProperty):
3160         (JSC::PutPropertySlot::cachedOffset):
3161
3162 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
3163
3164         FTL arity fixup should work on ARM64
3165         https://bugs.webkit.org/show_bug.cgi?id=129810
3166
3167         Reviewed by Michael Saboff.
3168         
3169         - Using regT5 to pass the thunk return address to arityFixup is shady since that's a
3170           callee-save.
3171         
3172         - The FTL path was assuming X86 conventions for where SP points at the top of the prologue.
3173         
3174         This makes some more tests pass.
3175
3176         * dfg/DFGJITCompiler.cpp:
3177         (JSC::DFG::JITCompiler::compileFunction):
3178         * ftl/FTLLink.cpp:
3179         (JSC::FTL::link):
3180         * jit/AssemblyHelpers.h:
3181         (JSC::AssemblyHelpers::prologueStackPointerDelta):
3182         * jit/JIT.cpp:
3183         (JSC::JIT::privateCompile):
3184         * jit/ThunkGenerators.cpp:
3185         (JSC::arityFixup):
3186         * llint/LowLevelInterpreter64.asm:
3187         * offlineasm/arm64.rb:
3188         * offlineasm/x86.rb: In addition to the t7 change, make t6 agree with GPRInfo.h.
3189
3190 2014-03-06  Mark Hahnenberg  <mhahnenberg@apple.com>
3191
3192         Fix write barriers in Repatch.cpp for !ENABLE(DFG_JIT) platforms after r165128
3193         https://bugs.webkit.org/show_bug.cgi?id=129760
3194
3195         Reviewed by Geoffrey Garen.
3196
3197         r165128 disabled the write barrier fast path for inline caches on !ENABLE(DFG_JIT) platforms. 
3198         The fix is to refactor the write barrier code into AssemblyHelpers and use that everywhere.
3199
3200         * dfg/DFGSpeculativeJIT.cpp:
3201         (JSC::DFG::SpeculativeJIT::writeBarrier):
3202         * dfg/DFGSpeculativeJIT.h:
3203         * dfg/DFGSpeculativeJIT32_64.cpp:
3204         (JSC::DFG::SpeculativeJIT::writeBarrier):
3205         * dfg/DFGSpeculativeJIT64.cpp:
3206         (JSC::DFG::SpeculativeJIT::writeBarrier):
3207         * jit/AssemblyHelpers.h:
3208         (JSC::AssemblyHelpers::checkMarkByte):
3209         * jit/JIT.h:
3210         * jit/JITPropertyAccess.cpp:
3211         * jit/Repatch.cpp:
3212         (JSC::writeBarrier):
3213
3214 2014-03-06  Joseph Pecoraro  <pecoraro@apple.com>
3215
3216         Web Inspector: Expose the console object in JSContexts to interact with Web Inspector
3217         https://bugs.webkit.org/show_bug.cgi?id=127944
3218
3219         Reviewed by Geoffrey Garen.
3220
3221         Always expose the Console object in JSContexts, just like we
3222         do for web pages. The default behavior will route to an
3223         attached JSContext inspector. This can be overridden by
3224         setting the ConsoleClient on the JSGlobalObject, which WebCore
3225         does to get slightly different behavior.
3226
3227         * CMakeLists.txt:
3228         * GNUmakefile.list.am:
3229         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3230         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3231         * JavaScriptCore.xcodeproj/project.pbxproj:
3232         Update build systems.
3233
3234         * API/tests/testapi.js:
3235         * API/tests/testapi.mm:
3236         Test that "console" exists in C and ObjC contexts.
3237
3238         * runtime/ConsoleClient.cpp: Added.
3239         (JSC::ConsoleClient::printURLAndPosition):
3240         (JSC::ConsoleClient::printMessagePrefix):
3241         (JSC::ConsoleClient::printConsoleMessage):
3242         (JSC::ConsoleClient::printConsoleMessageWithArguments):
3243         (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
3244         (JSC::ConsoleClient::logWithLevel):
3245         (JSC::ConsoleClient::clear):
3246         (JSC::ConsoleClient::dir):
3247         (JSC::ConsoleClient::dirXML):
3248         (JSC::ConsoleClient::table):
3249         (JSC::ConsoleClient::trace):
3250         (JSC::ConsoleClient::assertCondition):
3251         (JSC::ConsoleClient::group):
3252         (JSC::ConsoleClient::groupCollapsed):
3253         (JSC::ConsoleClient::groupEnd):
3254         * runtime/ConsoleClient.h: Added.
3255         (JSC::ConsoleClient::~ConsoleClient):
3256         New private interface for handling the console object's methods.
3257         A lot of the methods funnel through messageWithTypeAndLevel.
3258
3259         * runtime/ConsoleTypes.h: Renamed from Source/JavaScriptCore/inspector/ConsoleTypes.h.
3260         Moved to JSC namespace.
3261
3262         * runtime/JSGlobalObject.cpp:
3263         (JSC::JSGlobalObject::JSGlobalObject):
3264         (JSC::JSGlobalObject::init):
3265         (JSC::JSGlobalObject::reset):
3266         (JSC::JSGlobalObject::visitChildren):
3267         Create the "console" object when initializing the environment.
3268         Also set the default console client to be the JS context inspector.
3269
3270         * runtime/JSGlobalObject.h:
3271         (JSC::JSGlobalObject::setConsoleClient):
3272         (JSC::JSGlobalObject::consoleClient):
3273         Ability to change the console client, so WebCore can set a custom client.
3274
3275         * runtime/ConsolePrototype.cpp: Added.
3276         (JSC::ConsolePrototype::finishCreation):
3277         (JSC::valueToStringWithUndefinedOrNullCheck):
3278         (JSC::consoleLogWithLevel):
3279         (JSC::consoleProtoFuncDebug):
3280         (JSC::consoleProtoFuncError):
3281         (JSC::consoleProtoFuncLog):
3282         (JSC::consoleProtoFuncWarn):
3283         (JSC::consoleProtoFuncClear):
3284         (JSC::consoleProtoFuncDir):
3285         (JSC::consoleProtoFuncDirXML):
3286         (JSC::consoleProtoFuncTable):
3287         (JSC::consoleProtoFuncTrace):
3288         (JSC::consoleProtoFuncAssert):
3289         (JSC::consoleProtoFuncCount):
3290         (JSC::consoleProtoFuncProfile):
3291         (JSC::consoleProtoFuncProfileEnd):
3292         (JSC::consoleProtoFuncTime):
3293         (JSC::consoleProtoFuncTimeEnd):
3294         (JSC::consoleProtoFuncTimeStamp):
3295         (JSC::consoleProtoFuncGroup):
3296         (JSC::consoleProtoFuncGroupCollapsed):
3297         (JSC::consoleProtoFuncGroupEnd):
3298         * runtime/ConsolePrototype.h: Added.
3299         (JSC::ConsolePrototype::create):
3300         (JSC::ConsolePrototype::createStructure):
3301         (JSC::ConsolePrototype::ConsolePrototype):
3302         Define the console object interface. Parse out required / expected
3303         arguments and throw exceptions when methods are misused.
3304
3305         * runtime/JSConsole.cpp: Added.
3306         * runtime/JSConsole.h: Added.
3307         (JSC::JSConsole::createStructure):
3308         (JSC::JSConsole::create):
3309         (JSC::JSConsole::JSConsole):
3310         Empty "console" object. Everything is in the prototype.
3311
3312         * inspector/JSConsoleClient.cpp: Added.
3313         (Inspector::JSConsoleClient::JSGlobalObjectConsole):
3314         (Inspector::JSConsoleClient::count):
3315         (Inspector::JSConsoleClient::profile):
3316         (Inspector::JSConsoleClient::profileEnd):
3317         (Inspector::JSConsoleClient::time):
3318         (Inspector::JSConsoleClient::timeEnd):
3319         (Inspector::JSConsoleClient::timeStamp):
3320         (Inspector::JSConsoleClient::warnUnimplemented):
3321         (Inspector::JSConsoleClient::internalAddMessage):
3322         * inspector/JSConsoleClient.h: Added.
3323         * inspector/JSGlobalObjectInspectorController.cpp:
3324         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3325         (Inspector::JSGlobalObjectInspectorController::consoleClient):
3326         * inspector/JSGlobalObjectInspectorController.h:
3327         Default JSContext ConsoleClient implementation. Handle nearly
3328         everything except profile/profileEnd and timeStamp.
3329
3330 2014-03-06  Andreas Kling  <akling@apple.com>
3331
3332         Drop unlinked function code on memory pressure.
3333         <https://webkit.org/b/129789>
3334
3335         Make VM::discardAllCode() also drop UnlinkedFunctionCodeBlocks that
3336         are not currently being compiled.
3337
3338         4.5 MB progression on Membuster.
3339
3340         Reviewed by Geoffrey Garen.
3341
3342         * heap/Heap.cpp:
3343         (JSC::Heap::deleteAllUnlinkedFunctionCode):
3344         * heap/Heap.h:
3345         * runtime/VM.cpp:
3346         (JSC::VM::discardAllCode):
3347
3348 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
3349
3350         Clarify how we deal with "special" registers
3351         https://bugs.webkit.org/show_bug.cgi?id=129806
3352
3353         Reviewed by Michael Saboff.
3354         
3355         Previously we had two different places that defined what "stack" registers are, a thing
3356         called "specialRegisters" that had unclear meaning, and a really weird "firstRealRegister"/
3357         "secondRealRegister"/"nextRegister" idiom in MacroAssembler that appeared to only be used by
3358         one place and had a baked-in notion of what it meant for a register to be "real" or not.
3359         
3360         It's not cool to use words like "real" and "special" to describe registers, especially if you
3361         fail to qualify what that means. This originally made sense on X86 - "real" registers were
3362         the ones that weren't "stack related" (so "real" was the opposite of "stack"). But on ARM64,
3363         you also have to worry about the LR register, which we'd want to say is "not real" but it's
3364         also not a "stack" register. This got super confusing.
3365         
3366         So, this patch removes any mention of "real" registers, consolidates the knowledge of what is
3367         a "stack" register, and uses the word special only in places where it's clearly defined and
3368         where no better word comes to mind.
3369         
3370         This cleans up the code and fixes what seems like it was probably a harmless ARM64 bug: the
3371         Reg and RegisterSet data structures would sometimes think that FP was Q0. Somehow this
3372         magically didn't break anything because you never need to save/restore either FP or Q0, but
3373         it was still super weird.
3374
3375         * assembler/ARM64Assembler.h:
3376         (JSC::ARM64Assembler::lastRegister):
3377         * assembler/MacroAssembler.h:
3378         (JSC::MacroAssembler::nextRegister):
3379         * ftl/FTLLocation.cpp:
3380         (JSC::FTL::Location::restoreInto):
3381         * ftl/FTLSaveRestore.cpp:
3382         (JSC::FTL::saveAllRegisters):
3383         (JSC::FTL::restoreAllRegisters):
3384         * ftl/FTLSlowPathCall.cpp:
3385         * jit/RegisterSet.cpp:
3386         (JSC::RegisterSet::reservedHardwareRegisters):
3387         (JSC::RegisterSet::runtimeRegisters):
3388         (JSC::RegisterSet::specialRegisters):
3389         (JSC::RegisterSet::calleeSaveRegisters):
3390         * jit/RegisterSet.h:
3391
3392 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
3393
3394         Unreviewed, fix build.
3395
3396         * disassembler/ARM64Disassembler.cpp:
3397
3398 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
3399
3400         Use the LLVM disassembler on ARM64 if we are enabling the FTL
3401         https://bugs.webkit.org/show_bug.cgi?id=129785
3402
3403         Reviewed by Geoffrey Garen.
3404         
3405         Our disassembler can't handle some of the code sequences that LLVM emits. LLVM's disassembler
3406         is strictly more capable at this point. Use it if it's available.
3407
3408         * disassembler/ARM64Disassembler.cpp:
3409         (JSC::tryToDisassemble):
3410
3411 2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>
3412
3413         Web Inspector: Reduce RWI message frequency
3414         https://bugs.webkit.org/show_bug.cgi?id=129767
3415
3416         Reviewed by Timothy Hatcher.
3417
3418         This used to be 0.2s and changed by accident to 0.02s.
3419
3420         * inspector/remote/RemoteInspector.mm:
3421         (Inspector::RemoteInspector::pushListingSoon):
3422
3423 2014-03-05  Commit Queue  <commit-queue@webkit.org>
3424
3425         Unreviewed, rolling out r165141, r165157, and r165158.
3426         http://trac.webkit.org/changeset/165141
3427         http://trac.webkit.org/changeset/165157
3428         http://trac.webkit.org/changeset/165158
3429         https://bugs.webkit.org/show_bug.cgi?id=129772
3430
3431         "broke ftl" (Requested by olliej_ on #webkit).
3432
3433         * JavaScriptCore.xcodeproj/project.pbxproj:
3434         * bytecode/PolymorphicPutByIdList.cpp:
3435         (JSC::PutByIdAccess::visitWeak):
3436         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
3437         (JSC::PolymorphicPutByIdList::from):
3438         * bytecode/PolymorphicPutByIdList.h:
3439         (JSC::PutByIdAccess::transition):
3440         (JSC::PutByIdAccess::replace):
3441         (JSC::PutByIdAccess::oldStructure):
3442         (JSC::PutByIdAccess::chain):
3443         (JSC::PutByIdAccess::stubRoutine):
3444         * bytecode/PutByIdStatus.cpp:
3445         (JSC::PutByIdStatus::computeForStubInfo):
3446         (JSC::PutByIdStatus::computeFor):
3447         (JSC::PutByIdStatus::dump):
3448         * bytecode/PutByIdStatus.h:
3449         (JSC::PutByIdStatus::PutByIdStatus):
3450         (JSC::PutByIdStatus::takesSlowPath):
3451         * bytecode/StructureStubInfo.h:
3452         * dfg/DFGAbstractInterpreterInlines.h:
3453         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3454         * dfg/DFGByteCodeParser.cpp:
3455         (JSC::DFG::ByteCodeParser::emitPutById):
3456         (JSC::DFG::ByteCodeParser::handlePutById):
3457         * dfg/DFGClobberize.h:
3458         (JSC::DFG::clobberize):
3459         * dfg/DFGCommon.h:
3460         * dfg/DFGConstantFoldingPhase.cpp:
3461         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3462         * dfg/DFGFixupPhase.cpp:
3463         (JSC::DFG::FixupPhase::fixupNode):
3464         * dfg/DFGNode.h:
3465         (JSC::DFG::Node::hasIdentifier):
3466         * dfg/DFGNodeType.h:
3467         * dfg/DFGPredictionPropagationPhase.cpp:
3468         (JSC::DFG::PredictionPropagationPhase::propagate):
3469         * dfg/DFGSafeToExecute.h:
3470         (JSC::DFG::safeToExecute):
3471         * dfg/DFGSpeculativeJIT.cpp:
3472         (JSC::DFG::SpeculativeJIT::compileIn):
3473         * dfg/DFGSpeculativeJIT.h:
3474         * dfg/DFGSpeculativeJIT32_64.cpp:
3475         (JSC::DFG::SpeculativeJIT::cachedGetById):
3476         (JSC::DFG::SpeculativeJIT::cachedPutById):
3477         (JSC::DFG::SpeculativeJIT::compile):
3478         * dfg/DFGSpeculativeJIT64.cpp:
3479         (JSC::DFG::SpeculativeJIT::cachedGetById):
3480         (JSC::DFG::SpeculativeJIT::cachedPutById):
3481         (JSC::DFG::SpeculativeJIT::compile):
3482         * ftl/FTLCompile.cpp:
3483         (JSC::FTL::fixFunctionBasedOnStackMaps):
3484         * jit/CCallHelpers.h:
3485         (JSC::CCallHelpers::setupArgumentsWithExecState):
3486         * jit/JITInlineCacheGenerator.cpp:
3487         (JSC::JITByIdGenerator::JITByIdGenerator):
3488         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
3489         * jit/JITInlineCacheGenerator.h:
3490         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
3491         * jit/JITOperations.cpp:
3492         * jit/JITOperations.h:
3493         * jit/JITPropertyAccess.cpp:
3494         (JSC::JIT::emit_op_get_by_id):
3495         (JSC::JIT::emit_op_put_by_id):
3496         * jit/JITPropertyAccess32_64.cpp:
3497         (JSC::JIT::emit_op_get_by_id):
3498         (JSC::JIT::emit_op_put_by_id):
3499         * jit/Repatch.cpp:
3500         (JSC::tryCacheGetByID):
3501         (JSC::tryBuildGetByIDList):
3502         (JSC::tryCachePutByID):
3503         (JSC::tryBuildPutByIdList):
3504         * jit/SpillRegistersMode.h: Removed.
3505         * llint/LLIntSlowPaths.cpp:
3506         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3507         * runtime/Lookup.h:
3508         (JSC::putEntry):
3509         * runtime/PutPropertySlot.h:
3510         (JSC::PutPropertySlot::isCacheable):
3511         (JSC::PutPropertySlot::cachedOffset):
3512
3513 2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>
3514
3515         Web Inspector: Prevent possible deadlock in view indication
3516         https://bugs.webkit.org/show_bug.cgi?id=129766
3517
3518         Reviewed by Geoffrey Garen.
3519
3520         * inspector/remote/RemoteInspector.mm:
3521         (Inspector::RemoteInspector::receivedIndicateMessage):
3522
3523 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
3524
3525         JSObject::fastGetOwnPropertySlot does a slow check for OverridesGetOwnPropertySlot
3526         https://bugs.webkit.org/show_bug.cgi?id=129754
3527
3528         Reviewed by Geoffrey Garen.
3529
3530         InlineTypeFlags are stored in JSCell, so we can just load those instead of going through the TypeInfo.
3531
3532         * runtime/JSCell.h:
3533         (JSC::JSCell::inlineTypeFlags):
3534         * runtime/JSObject.h:
3535         (JSC::JSObject::fastGetOwnPropertySlot):
3536         * runtime/JSTypeInfo.h:
3537         (JSC::TypeInfo::TypeInfo):
3538         (JSC::TypeInfo::overridesGetOwnPropertySlot):
3539
3540 2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>
3541
3542         Web Inspector: ASSERTION FAILED: m_javaScriptBreakpoints.isEmpty()
3543         https://bugs.webkit.org/show_bug.cgi?id=129763
3544
3545         Reviewed by Geoffrey Garen.
3546
3547         Clear the list of all breakpoints, including unresolved breakpoints.
3548
3549         * inspector/agents/InspectorDebuggerAgent.cpp:
3550         (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
3551
3552 2014-03-05  Mark Lam  <mark.lam@apple.com>
3553
3554         llint_slow_path_check_has_instance() should not adjust PC before accessing operands.
3555         <https://webkit.org/b/129768>
3556
3557         Reviewed by Mark Hahnenberg.
3558
3559         When evaluating "a instanceof b" where b is an object that ImplementsHasInstance
3560         and OverridesHasInstance (e.g. a bound function), the LLINT will take the slow
3561         path llint_slow_path_check_has_instance(), and execute a code path that does the
3562         following:
3563         1. Adjusts the byte code PC to the jump target PC.
3564         2. For the purpose of storing the result, get the result registerIndex from the
3565            1st operand using the PC as if the PC is still pointing to op_check_has_instance
3566            bytecode.
3567
3568         The result is that whatever value resides after where the jump target PC is will
3569         be used as a result register value.  Depending on what that value is, the result
3570         can be:
3571         1. the code coincidentally works correctly
3572         2. memory corruption
3573         3. crashes
3574
3575         The fix is to only adjust the byte code PC after we have stored the result.
3576         
3577         * llint/LLIntSlowPaths.cpp:
3578         (llint_slow_path_check_has_instance):
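
         The ordering bug described in this entry, as an added toy model in C (not JSC's code or bytecode layout): the buggy slow path moves the PC to the jump target before reading the destination operand, so an unrelated word at the target is treated as a register index; the fixed version stores the result first. Opcode values, the six-word encoding and the register file are constructed for the example.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy model of the LLInt situation above; it is not JSC's real
   bytecode layout.  An op_check_has_instance instruction is encoded as six
   words: opcode, dst, value, base, hasInstanceValue, target (a relative jump
   offset in words).  "registers" stands in for the VM's register file. */
#define NUM_REGISTERS 8
enum { OP_CHECK_HAS_INSTANCE = 1, OP_RET = 2 };

typedef struct {
    const int32_t* pc;              /* current bytecode position */
    int64_t registers[NUM_REGISTERS];
} ExecState;

/* Order of operations from before the fix: the PC is moved to the jump
   target first, and the result register index is then read as if the PC
   still pointed at op_check_has_instance.  The toy bounds-checks the index
   and returns -1 instead of writing out of range. */
static int buggy_slow_path(ExecState* exec, int64_t result)
{
    const int32_t* pc = exec->pc;
    pc += pc[5];                    /* 1. adjust PC to the jump target */
    int dst = pc[1];                /* 2. "operand 1", now read at the target */
    if (dst < 0 || dst >= NUM_REGISTERS)
        return -1;                  /* the real code would corrupt memory here */
    exec->registers[dst] = result;
    exec->pc = pc;
    return dst;
}

/* Fixed order: read the operand and store the result, then move the PC. */
static int fixed_slow_path(ExecState* exec, int64_t result)
{
    const int32_t* pc = exec->pc;
    int dst = pc[1];
    assert(dst >= 0 && dst < NUM_REGISTERS);
    exec->registers[dst] = result;
    exec->pc = pc + pc[5];
    return dst;
}

/* Constructed bytecode: check_has_instance writing into register 3 and
   jumping 6 words forward to a ret whose operand happens to be 4096.  With
   the buggy order, 4096 is interpreted as the destination register. */
static const int32_t kBytecode[] = {
    OP_CHECK_HAS_INSTANCE, 3, 1, 2, 4, 6,
    OP_RET, 4096,
};

/* Returns the register index the buggy path tried to write (-1: rejected). */
static int run_buggy(void)
{
    ExecState exec = { kBytecode, { 0 } };
    return buggy_slow_path(&exec, 1);
}

/* Returns the register index the fixed path wrote. */
static int run_fixed(void)
{
    ExecState exec = { kBytecode, { 0 } };
    return fixed_slow_path(&exec, 1);
}

/* 1 if the fixed path stored the result in register 3 and left the PC on
   the ret at the jump target, 0 otherwise. */
static int run_fixed_ok(void)
{
    ExecState exec = { kBytecode, { 0 } };
    fixed_slow_path(&exec, 1);
    return exec.registers[3] == 1 && exec.pc == kBytecode + 6
        && *exec.pc == OP_RET;
}

int main(void)
{
    printf("buggy order: dst=%d\n", run_buggy());
    printf("fixed order: dst=%d ok=%d\n", run_fixed(), run_fixed_ok());
    return 0;
}
```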
3579
2014-03-05  Ryosuke Niwa  <rniwa@webkit.org>

        Another build fix attempt after r165141.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):

2014-03-05  Ryosuke Niwa  <rniwa@webkit.org>

        FTL build fix attempt after r165141.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):

2014-03-05  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=128625
        Add fast mapping from StringImpl to JSString

        Unreviewed roll-out.

        Reverting r164347, r165054, r165066 - not clear the performance tradeoff was right.

        * runtime/JSString.cpp:
        * runtime/JSString.h:
        * runtime/VM.cpp:
        (JSC::VM::createLeaked):
        * runtime/VM.h:

2014-03-03  Oliver Hunt  <oliver@apple.com>

        Support caching of custom setters
        https://bugs.webkit.org/show_bug.cgi?id=129519

        Reviewed by Filip Pizlo.

        This patch adds caching of assignment to properties that
        are backed by C functions. This provides most of the leg
        work required to start supporting setters, and resolves
        the remaining regressions from moving DOM properties up
        the prototype chain.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PolymorphicPutByIdList.cpp:
        (JSC::PutByIdAccess::visitWeak):
        (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
        (JSC::PolymorphicPutByIdList::from):
        * bytecode/PolymorphicPutByIdList.h:
        (JSC::PutByIdAccess::transition):
        (JSC::PutByIdAccess::replace):
        (JSC::PutByIdAccess::customSetter):
        (JSC::PutByIdAccess::isCustom):
        (JSC::PutByIdAccess::oldStructure):
        (JSC::PutByIdAccess::chain):
        (JSC::PutByIdAccess::stubRoutine):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeForStubInfo):
        (JSC::PutByIdStatus::computeFor):
        (JSC::PutByIdStatus::dump):
        * bytecode/PutByIdStatus.h:
        (JSC::PutByIdStatus::PutByIdStatus):
        (JSC::PutByIdStatus::takesSlowPath):
        (JSC::PutByIdStatus::makesCalls):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::emitPutById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::emitCustomSetterStub):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        * jit/SpillRegistersMode.h: Added.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Lookup.h:
        (JSC::putEntry):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::setCacheableCustomProperty):
        (JSC::PutPropertySlot::customSetter):
        (JSC::PutPropertySlot::isCacheablePut):
        (JSC::PutPropertySlot::isCacheableCustomProperty):
        (JSC::PutPropertySlot::cachedOffset):

2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSCell::m_gcData should encode its information differently
        https://bugs.webkit.org/show_bug.cgi?id=129741

        Reviewed by Geoffrey Garen.

        We want to keep track of three GC states for an object:

        1. Not marked (which implies not in the remembered set)
        2. Marked but not in the remembered set
        3. Marked and in the remembered set

        Currently we only indicate marked vs. not marked in JSCell::m_gcData. During a write
        barrier, we only want to take the slow path if the object being stored to is in state #2.
        We'd like to make the test for state #2 as fast as possible, which means making it a
        compare against 0.

        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::osrWriteBarrier):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkMarkByte):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::allocateCell):
        (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
        * heap/Heap.cpp:
        (JSC::Heap::clearRememberedSet):
        (JSC::Heap::addToRememberedSet):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::checkMarkByte):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::checkMarkByte):
        (JSC::JIT::emitWriteBarrier):
        * jit/Repatch.cpp:
        (JSC::writeBarrier):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSCell.h:
        (JSC::JSCell::mark):
        (JSC::JSCell::remember):
        (JSC::JSCell::forget):
        (JSC::JSCell::isMarked):
        (JSC::JSCell::isRemembered):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::JSCell):
        * runtime/StructureIDBlob.h:
        (JSC::StructureIDBlob::StructureIDBlob):

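        The three-state encoding motivated in the entry above, as an added C example. It is not
        JSC's actual m_gcData layout: the enum values, the Cell and RememberedSet types and the
        function names are constructed here. The point it shows is that putting state #2 at 0
        turns the write barrier's fast-path test into a single compare against zero.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed encoding for this example (not JSC's actual m_gcData layout).
 * The state the barrier must detect, "marked but not remembered", is 0 so
 * the fast path is a single compare against zero. */
enum GCState {
    MarkedNotRemembered = 0,   /* state #2 */
    NotMarked = 1,             /* state #1 */
    MarkedAndRemembered = 2    /* state #3 */
};

typedef struct {
    uint8_t gcData;
} Cell;

void cellInit(Cell* cell)      { cell->gcData = NotMarked; }
void cellMark(Cell* cell)      { cell->gcData = MarkedNotRemembered; }
void cellRemember(Cell* cell)  { cell->gcData = MarkedAndRemembered; }
void cellForget(Cell* cell)    { cell->gcData = MarkedNotRemembered; } /* remembered set cleared */
bool cellIsMarked(const Cell* cell)     { return cell->gcData != NotMarked; }
bool cellIsRemembered(const Cell* cell) { return cell->gcData == MarkedAndRemembered; }

/* Toy remembered set: a fixed array of cell pointers. */
#define MAX_REMEMBERED 16
typedef struct {
    Cell* cells[MAX_REMEMBERED];
    size_t count;
} RememberedSet;

/* The write barrier run when storing into `target`. Returns true when the
 * slow path (adding the cell to the remembered set) ran. */
bool writeBarrier(RememberedSet* set, Cell* target)
{
    if (target->gcData != 0)           /* states #1 and #3 need nothing */
        return false;
    if (set->count < MAX_REMEMBERED)   /* slow path: remember the cell */
        set->cells[set->count++] = target;
    cellRemember(target);
    return true;
}

/* After a collection the remembered set is drained and its cells return to
 * state #2. Returns the number of cells forgotten. */
size_t clearRememberedSet(RememberedSet* set)
{
    size_t n = set->count;
    for (size_t i = 0; i < n; ++i)
        cellForget(set->cells[i]);
    set->count = 0;
    return n;
}

/* Walks one cell through the states and counts slow-path barrier hits. */
int barrierSlowPathHits(void)
{
    RememberedSet set = { { 0 }, 0 };
    Cell cell;
    int hits = 0;
    cellInit(&cell);
    hits += writeBarrier(&set, &cell);   /* unmarked: no slow path */
    cellMark(&cell);
    hits += writeBarrier(&set, &cell);   /* marked, not remembered: slow path */
    hits += writeBarrier(&set, &cell);   /* already remembered: fast path */
    clearRememberedSet(&set);
    hits += writeBarrier(&set, &cell);   /* forgotten: slow path again */
    return hits;
}

int main(void)
{
    printf("slow-path barrier hits: %d\n", barrierSlowPathHits());
    return 0;
}
```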
2014-03-05  Filip Pizlo  <fpizlo@apple.com>

        More FTL ARM fixes
        https://bugs.webkit.org/show_bug.cgi?id=129755

        Reviewed by Geoffrey Garen.

        - Be more defensive about inline caches that have degenerate chains.

        - Temporarily switch to allocating all MCJIT memory in the executable pool on non-x86
          platforms. The bug tracking the real fix is: https://bugs.webkit.org/show_bug.cgi?id=129756

        - Don't even emit intrinsic declarations on non-x86 platforms.

        - More debug printing support.

        - Don't use vmCall() in the prologue. This should have crashed on all platforms all the time
          but somehow it gets lucky on x86.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::appendVariant):
        (JSC::GetByIdStatus::computeForChain):
        (JSC::GetByIdStatus::computeForStubInfo):
        * bytecode/GetByIdStatus.h:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::appendVariant):
        (JSC::PutByIdStatus::computeForStubInfo):
        * bytecode/PutByIdStatus.h:
        * bytecode/StructureSet.h:
        (JSC::StructureSet::overlaps):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLDataSection.cpp:
        (JSC::FTL::DataSection::DataSection):
        (JSC::FTL::DataSection::~DataSection):
        * ftl/FTLDataSection.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleSin):
        (JSC::FTL::Output::doubleCos):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContext):
        * runtime/JSCell.h:
        (JSC::JSCell::structureID):

2014-03-05  peavo@outlook.com  <peavo@outlook.com>

        [Win32][LLINT] Crash when running JSC stress tests.
        https://bugs.webkit.org/show_bug.cgi?id=129429

        On Windows the reserved stack space consists of committed memory, a guard page, and uncommitted memory,
        where the guard page is a barrier between committed and uncommitted memory.
        When data from the guard page is read or written, the guard page is moved, and memory is committed.
        This is how the system grows the stack.
        When using the C stack on Windows we need to precommit the needed stack space.
        Otherwise we might crash later if we access uncommitted stack memory.
        This can happen if we allocate stack space larger than the page guard size (4K).
        The system does not get the chance to move the guard page, and commit more memory,
        and we crash if uncommitted memory is accessed.
        The MSVC compiler fixes this by inserting a call to the _chkstk() function,
        when needed, see http://support.microsoft.com/kb/100775.

        Reviewed by Geoffrey Garen.

        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Enable LLINT.
        * jit/Repatch.cpp:
        (JSC::writeBarrier): Compile fix when DFG_JIT is not enabled.
        * offlineasm/x86.rb: Compile fix, and small simplification.
        * runtime/VM.cpp:
        (JSC::preCommitStackMemory): Added function to precommit stack memory.
        (JSC::VM::updateStackLimit): Call function to precommit stack memory when stack limit is updated.

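        The "touch every page, top down" pattern that the entry above attributes to _chkstk(),
        as an added portable C example. It is not JSC's preCommitStackMemory: PAGE_SIZE is the
        4K figure quoted in the entry, STACK_PROBE_BYTES is an arbitrary region size chosen here,
        and both function names are constructed. On Linux the same walk is harmless, which is why
        it can run anywhere; the Windows guard-page behaviour is what makes the order matter.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed example (not JSC's preCommitStackMemory): the "probe every
 * page" pattern the entry attributes to _chkstk(). PAGE_SIZE is the 4K
 * figure quoted above; STACK_PROBE_BYTES is an arbitrary region size. */
#define PAGE_SIZE 4096u
#define STACK_PROBE_BYTES (16u * PAGE_SIZE)

/* Touch one byte in every page between top (exclusive) and limit
 * (inclusive), walking downward so a guard page is hit one page at a time
 * and the OS can commit memory as it goes. Skipping a page would touch
 * uncommitted memory below the guard page, which is the crash the entry
 * describes. Returns the number of pages touched. */
static size_t preCommitStackRange(volatile unsigned char* top, volatile unsigned char* limit)
{
    size_t pages = 0;
    volatile unsigned char* p = top;
    while ((size_t)(p - limit) >= PAGE_SIZE) {
        p -= PAGE_SIZE;
        *p = 0;       /* volatile: the store must not be optimised away */
        ++pages;
    }
    if (p != limit) { /* partial trailing page */
        *limit = 0;
        ++pages;
    }
    return pages;
}

/* Reserves a region on the C stack and pre-commits it; returns pages probed. */
size_t probeStackPages(void)
{
    volatile unsigned char region[STACK_PROBE_BYTES];
    return preCommitStackRange(region + STACK_PROBE_BYTES, region);
}

int main(void)
{
    printf("probed %zu stack pages\n", probeStackPages());
    return 0;
}
```

        A real implementation walks from the current stack pointer down to the new stack limit
        rather than over a local array; the array here just gives the walk a region to run on.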
2014-03-05  Michael Saboff  <msaboff@apple.com>

        JSDataViewPrototype::getData() and setData() crash on platforms that don't allow unaligned accesses
        https://bugs.webkit.org/show_bug.cgi?id=129746

        Reviewed by Filip Pizlo.

        Changed to use a union to manually assemble or disassemble the various types
        from / to the corresponding bytes.  All memory access is now done using
        byte accesses.

        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):

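        The union-of-bytes technique from the entry above, as an added C example for the
        32-bit case. It is not the JSDataViewPrototype code: Word32, the dataViewGet/Set
        functions, the sample* helpers and the kSample buffer are all constructed here. The
        buffer is read and written one byte at a time, so an odd byteOffset is safe on
        platforms that fault on unaligned loads, and the DataView littleEndian flag is
        honoured by reversing the byte order only when it differs from the host's.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example (not the JSDataViewPrototype code): DataView-style
 * getUint32/setUint32 that never dereference the buffer wider than a byte. */
typedef union {
    uint32_t value;
    uint8_t bytes[4];
} Word32;

static bool hostIsLittleEndian(void)
{
    Word32 probe;
    probe.value = 1;
    return probe.bytes[0] == 1;
}

/* Reads a uint32 at byteOffset; littleEndian follows the DataView flag.
 * Returns false (and leaves *out untouched) if the access is out of range. */
bool dataViewGetUint32(const uint8_t* buffer, size_t length, size_t byteOffset,
                       bool littleEndian, uint32_t* out)
{
    if (byteOffset > length || length - byteOffset < sizeof(uint32_t))
        return false;
    Word32 word;
    bool swap = littleEndian != hostIsLittleEndian();
    for (size_t i = 0; i < sizeof word.bytes; ++i)
        word.bytes[swap ? 3 - i : i] = buffer[byteOffset + i];   /* byte copies only */
    *out = word.value;
    return true;
}

/* Writes a uint32 at byteOffset with the requested byte order. */
bool dataViewSetUint32(uint8_t* buffer, size_t length, size_t byteOffset,
                       bool littleEndian, uint32_t value)
{
    if (byteOffset > length || length - byteOffset < sizeof(uint32_t))
        return false;
    Word32 word;
    word.value = value;
    bool swap = littleEndian != hostIsLittleEndian();
    for (size_t i = 0; i < sizeof word.bytes; ++i)
        buffer[byteOffset + i] = word.bytes[swap ? 3 - i : i];
    return true;
}

/* Constructed 6-byte buffer; offset 1 is deliberately unaligned. */
static const uint8_t kSample[6] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };

uint32_t sampleReadBigEndian(void)
{
    uint32_t v = 0;
    dataViewGetUint32(kSample, sizeof kSample, 1, false, &v);
    return v;   /* 0x11223344 */
}

uint32_t sampleReadLittleEndian(void)
{
    uint32_t v = 0;
    dataViewGetUint32(kSample, sizeof kSample, 1, true, &v);
    return v;   /* 0x44332211 */
}

/* Offset 3 leaves only three bytes: the bounds check must reject it. */
bool sampleReadOutOfRange(void)
{
    uint32_t v = 0;
    return dataViewGetUint32(kSample, sizeof kSample, 3, false, &v);
}

/* Writes then reads back at an odd offset in a scratch copy. */
uint32_t sampleRoundTrip(void)
{
    uint8_t scratch[6] = { 0 };
    uint32_t v = 0;
    dataViewSetUint32(scratch, sizeof scratch, 1, true, 0xAABBCCDDu);
    dataViewGetUint32(scratch, sizeof scratch, 1, true, &v);
    return v;
}

int main(void)
{
    printf("big 0x%08x little 0x%08x roundtrip 0x%08x\n",
           sampleReadBigEndian(), sampleReadLittleEndian(), sampleRoundTrip());
    return 0;
}
```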
2014-03-05  Filip Pizlo  <fpizlo@apple.com>

        FTL loadStructure always generates invalid IR
        https://bugs.webkit.org/show_bug.cgi?id=129747

        Reviewed by Mark Hahnenberg.

        As the comment at the top of FTL::Output states, the FTL doesn't use LLVM's notion
        of pointers. LLVM's notion of pointers tries to model C, in the sense that you have
        to have a pointer to a type, and you can only load things of that type from that
        pointer. Pointer arithmetic is basically not possible except through the bizarre
        getelementptr operator. This doesn't fit with how the JS object model works since
        the JS object model doesn't consist of nice and tidy C types placed in C arrays.
        Also, it would be impossible to use getelementptr and LLVM pointers for accessing
        any of JSC's C or C++ objects unless we went through the exercise of redeclaring
        all of our fundamental data structures in LLVM IR as LLVM types. Clang could do
        this for us, but that would require that to use the FTL, JSC itself would have to
        be compiled with clang. Worse, it would have to be compiled with a clang that uses
        a version of LLVM that is compatible with the one against which the FTL is linked.
        Yuck!

        The solution is to NEVER use LLVM pointers. This has always been the case in the
        FTL. But it causes some confusion.

        Not using LLVM pointers means that if the FTL has a "pointer", it's actually a
        pointer-wide integer (m_out.intPtr in FTL-speak). The act of "loading" and
        "storing" from or to a pointer involves first bitcasting the intPtr to a real LLVM
        pointer that has the type that we want. The load and store operations over pointers
        are called Output::load* and Output::store*, where * is one of "8", "16", "32",
        "64", "Ptr", "Float", or "Double".

        There is unavoidable confusion here. It would be bizarre for the FTL to call its
        "pointer-wide integers" anything other than "pointers", since they are, in all
        respects that we care about, simply pointers. But they are *not* LLVM pointers and
        they never will be that.

        There is one exception to this "no pointers" rule. The FTL does use actual LLVM
        pointers for referring to LLVM alloca's - i.e. local variables. To try to reduce
        confusion, we call these "references". So an "FTL reference" is actually an "LLVM
        pointer", while an "FTL pointer" is actually an "LLVM integer". FTL references have
        methods for access called Output::get and Output::set. These lower to LLVM load
        and store, since FTL references are just LLVM pointers.

        This confusion appears to have led to incorrect code in loadStructure().
        loadStructure() was using get() and set() to access FTL pointers. But those methods
        don't work on FTL pointers and never will, since they are for FTL references.

        The worst part of this is that it was previously impossible to have test coverage
        for the relevant path (MasqueradesAsUndefined) without writing a DRT test. This
        patch fixes this by introducing a Masquerader object to jsc.cpp.

        * ftl/FTLAbstractHeapRepository.h: Add an abstract heap for the structure table.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::loadStructure): This was wrong.
        * ftl/FTLOutput.h: Add a comment to dissuade people from using get() and set().
        * jsc.cpp: Give us the power to test for MasqueradesAsUndefined.
        (WTF::Masquerader::Masquerader):
        (WTF::Masquerader::create):
        (WTF::Masquerader::createStructure):
        (GlobalObject::finishCreation):
        (functionMakeMasquerader):
        * tests/stress/equals-masquerader.js: Added.
        (foo):
        (test):

2014-03-05  Anders Carlsson  <andersca@apple.com>

        Tweak after r165109 to avoid extra copies
        https://bugs.webkit.org/show_bug.cgi?id=129745

        Reviewed by Geoffrey Garen.

        * heap/Heap.cpp:
        (JSC::Heap::visitProtectedObjects):
        (JSC::Heap::visitTempSortVectors):
        (JSC::Heap::clearRememberedSet):
        * heap/Heap.h:
        (JSC::Heap::forEachProtectedCell):

2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        DFGStoreBarrierElisionPhase should use GCState directly instead of m_gcClobberSet when calling writesOverlap()
        https://bugs.webkit.org/show_bug.cgi?id=129717

        Reviewed by Filip Pizlo.

        * dfg/DFGStoreBarrierElisionPhase.cpp:
        (JSC::DFG::StoreBarrierElisionPhase::StoreBarrierElisionPhase):
        (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC):

2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        Use range-based loops where possible in Heap methods
        https://bugs.webkit.org/show_bug.cgi?id=129513

        Reviewed by Mark Lam.

        Replace old school iterator based loops with the new range-based loop hotness
        for a better tomorrow.

        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::~CodeBlockSet):
        (JSC::CodeBlockSet::clearMarks):
        (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
        (JSC::CodeBlockSet::traceMarked):
        * heap/Heap.cpp:
        (JSC::Heap::visitProtectedObjects):
        (JSC::Heap::visitTempSortVectors):
        (JSC::Heap::clearRememberedSet):
        * heap/Heap.h:
        (JSC::Heap::forEachProtectedCell):

2014-03-04  Filip Pizlo  <fpizlo@apple.com>

        DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
        https://bugs.webkit.org/show_bug.cgi?id=129563

        Reviewed by Geoffrey Garen.

        Rolling this back in after fixing an assertion failure. speculateMisc() should have
        said DFG_TYPE_CHECK instead of typeCheck.

        This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
        when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
        user of this was EarleyBoyer, and in that benchmark what it was really doing was
        comparing undefined, null, and booleans to each other.

        This also adds support for miscellaneous things that I needed to make my various test
        cases work. This includes comparison over booleans and the various Throw-related node
        types.

        This also improves constant folding of CompareStrictEq and CompareEq.

        Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
        based on profiling, which caused some