Source/JavaScriptCore: [Win] Pass environment to Pre-Build, Pre-link, and Post-Build...
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2014-03-10  Brent Fulgham  <bfulgham@apple.com>
2
3         [Win] Pass environment to Pre-Build, Pre-link, and Post-Build Stages.
4         https://bugs.webkit.org/show_bug.cgi?id=130023
5
6         Reviewed by Dean Jackson.
7
8         * JavaScriptCore.vcxproj/JavaScriptCore.proj: Avoid trailing backslashes in
9         path names to avoid accidental escaping of later string substitutions.
10
11 2014-03-10  Andreas Kling  <akling@apple.com>
12
13         [X86_64] Smaller code for testb_i8r when register is accumulator.
14         <https://webkit.org/b/130026>
15
16         Generate the shorthand version of "test al, imm" when possible.
17
18         Reviewed by Michael Saboff.
19
20         * assembler/X86Assembler.h:
21         (JSC::X86Assembler::testb_i8r):
22
23 2014-03-10  Andreas Kling  <akling@apple.com>
24
25         [X86_64] Smaller code for sub_ir when register is accumulator.
26         <https://webkit.org/b/130025>
27
28         Generate the shorthand version of "sub eax, imm" when possible.
29
30         Reviewed by Michael Saboff.
31
32         * assembler/X86Assembler.h:
33         (JSC::X86Assembler::subl_ir):
34         (JSC::X86Assembler::subq_ir):
35
36 2014-03-10  Andreas Kling  <akling@apple.com>
37
38         [X86_64] Smaller code for add_ir when register is accumulator.
39         <https://webkit.org/b/130024>
40
41         Generate the shorthand version of "add eax, imm" when possible.
42
43         Reviewed by Michael Saboff.
44
45         * assembler/X86Assembler.h:
46         (JSC::X86Assembler::addl_ir):
47         (JSC::X86Assembler::addq_ir):
48
49 2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>
50
51         writeBarrier in emitPutReplaceStub is unnecessary
52         https://bugs.webkit.org/show_bug.cgi?id=130030
53
54         Reviewed by Filip Pizlo.
55
56         We already emit write barriers for each put-by-id when they're first compiled, so it's 
57         redundant to emit a write barrier as part of the repatched code.
58
59         * jit/Repatch.cpp:
60         (JSC::emitPutReplaceStub):
61
62 2014-03-10  Andreas Kling  <akling@apple.com>
63
64         [X86_64] Smaller code for xor_ir when register is accumulator.
65         <https://webkit.org/b/130008>
66
67         Generate the shorthand version of "xor eax, imm" when possible.
68
69         Reviewed by Benjamin Poulain.
70
71         * assembler/X86Assembler.h:
72         (JSC::X86Assembler::xorl_ir):
73         (JSC::X86Assembler::xorq_ir):
74
75 2014-03-10  Andreas Kling  <akling@apple.com>
76
77         [X86_64] Smaller code for or_ir when register is accumulator.
78         <https://webkit.org/b/130007>
79
80         Generate the shorthand version of "or eax, imm" when possible.
81
82         Reviewed by Benjamin Poulain.
83
84         * assembler/X86Assembler.h:
85         (JSC::X86Assembler::orl_ir):
86         (JSC::X86Assembler::orq_ir):
87
88 2014-03-10  Andreas Kling  <akling@apple.com>
89
90         [X86_64] Smaller code for test_ir when register is accumulator.
91         <https://webkit.org/b/130006>
92
93         Generate the shorthand version of "test eax, imm" when possible.
94
95         Reviewed by Benjamin Poulain.
96
97         * assembler/X86Assembler.h:
98         (JSC::X86Assembler::testl_i32r):
99         (JSC::X86Assembler::testq_i32r):
100
101 2014-03-10  Andreas Kling  <akling@apple.com>
102
103         [X86_64] Smaller code for cmp_ir when register is accumulator.
104         <https://webkit.org/b/130005>
105
106         Generate the shorthand version of "cmp eax, imm" when possible.
107
108         Reviewed by Benjamin Poulain.
109
110         * assembler/X86Assembler.h:
111         (JSC::X86Assembler::cmpl_ir):
112         (JSC::X86Assembler::cmpq_ir):
113
114 2014-03-10  Andreas Kling  <akling@apple.com>
115
116         [X86_64] Smaller code for store64(imm, address) when imm fits in 32 bits.
117         <https://webkit.org/b/130002>
118
119         Generate this:
120
121             mov [address], imm32
122
123         Instead of this:
124
125             mov scratchRegister, imm32
126             mov [address], scratchRegister
127
128         For store64(imm, address) where the 64-bit immediate can be passed as
129         a sign-extended 32-bit value.
130
131         Reviewed by Benjamin Poulain.
132
133         * assembler/MacroAssemblerX86_64.h:
134         (CAN_SIGN_EXTEND_32_64):
135         (JSC::MacroAssemblerX86_64::store64):
136
137 2014-03-10  Andreas Kling  <akling@apple.com>
138
139         [X86_64] Smaller code for xchg_rr when one register is accumulator.
140         <https://webkit.org/b/130004>
141
142         Generate the 1-byte version of "xchg eax, reg" when possible.
143
144         Reviewed by Benjamin Poulain.
145
146         * assembler/X86Assembler.h:
147         (JSC::X86Assembler::xchgl_rr):
148         (JSC::X86Assembler::xchgq_rr):
149
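The eight X86Assembler entries above (testb_i8r, sub_ir, add_ir, xor_ir, or_ir, test_ir, cmp_ir and xchg_rr) all rely on the same property of the x86 encoding: when the operand is the accumulator, the instruction has a dedicated short opcode that needs no ModRM byte. The following encoder is an added illustration written for this page, not JavaScriptCore's own code; it emits the 32-bit operand forms only (the 64-bit q-variants add a REX.W prefix, which is not shown), takes its opcode values from the Intel manual, and uses function names of my own choosing. It also includes the sign-extension test behind the store64(imm, address) change, so the reader can see exactly which immediates qualify for the shorter path.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* x86 general-purpose register numbers (the low 3 bits of the encoding). */
enum Reg { EAX = 0, ECX, EDX, EBX, ESP, EBP, ESI, EDI };

/* Group-1 ALU opcode extensions: the /digit in "81 /digit id". */
enum AluOp { ALU_ADD = 0, ALU_OR = 1, ALU_SUB = 5, ALU_XOR = 6, ALU_CMP = 7 };

/* One-byte "op eax, imm32" opcodes, indexed by the same /digit. */
static const uint8_t kAluShortOpcode[8] = {
    [ALU_ADD] = 0x05, [ALU_OR] = 0x0D, [ALU_SUB] = 0x2D, [ALU_XOR] = 0x35, [ALU_CMP] = 0x3D,
};

/* Scratch buffer so callers (and tests) can inspect emitted bytes. */
uint8_t g_scratch[16];

/* ModRM byte for register-direct addressing: mod=11, reg=ext, rm=register. */
static uint8_t modrm_reg_direct(unsigned ext, unsigned rm) {
    return (uint8_t)(0xC0 | ((ext & 7) << 3) | (rm & 7));
}

/* Little-endian 32-bit immediate. Returns bytes written. */
static size_t put_imm32(uint8_t *out, int32_t imm) {
    uint32_t u = (uint32_t)imm;
    for (int i = 0; i < 4; i++) out[i] = (uint8_t)(u >> (8 * i));
    return 4;
}

/* "op r32, imm32" for add/or/sub/xor/cmp: 5 bytes for eax, 6 otherwise. */
size_t emit_alu_ir(uint8_t *out, enum AluOp op, enum Reg reg, int32_t imm) {
    size_t n = 0;
    if (reg == EAX) {
        out[n++] = kAluShortOpcode[op];          /* accumulator short form, no ModRM */
    } else {
        out[n++] = 0x81;
        out[n++] = modrm_reg_direct(op, reg);    /* 81 /digit */
    }
    return n + put_imm32(out + n, imm);
}

/* "test r32, imm32": A9 id for eax, F7 /0 id otherwise. */
size_t emit_testl_i32r(uint8_t *out, enum Reg reg, int32_t imm) {
    size_t n = 0;
    if (reg == EAX) out[n++] = 0xA9;
    else { out[n++] = 0xF7; out[n++] = modrm_reg_direct(0, reg); }
    return n + put_imm32(out + n, imm);
}

/* "test r8, imm8": A8 ib for al, F6 /0 ib otherwise. Without a REX prefix only
 * rm values 0-3 denote al/cl/dl/bl, so only those registers are meaningful here. */
size_t emit_testb_i8r(uint8_t *out, enum Reg reg, uint8_t imm) {
    size_t n = 0;
    if (reg == EAX) out[n++] = 0xA8;
    else { out[n++] = 0xF6; out[n++] = modrm_reg_direct(0, reg); }
    out[n++] = imm;
    return n;
}

/* "xchg r32, r32": single byte 90+rd when either side is eax, else 87 /r. */
size_t emit_xchgl_rr(uint8_t *out, enum Reg a, enum Reg b) {
    if (a == EAX) { out[0] = (uint8_t)(0x90 + b); return 1; }
    if (b == EAX) { out[0] = (uint8_t)(0x90 + a); return 1; }
    out[0] = 0x87;
    out[1] = modrm_reg_direct(a, b);             /* exchange is symmetric */
    return 2;
}

/* The test behind store64(imm, address) choosing "mov [address], imm32":
 * true when the 64-bit value survives a round trip through a sign-extended int32. */
bool can_sign_extend_32_64(int64_t v) {
    return v == (int64_t)(int32_t)v;
}

static void dump(const char *label, const uint8_t *code, size_t n) {
    printf("%-20s", label);
    for (size_t i = 0; i < n; i++) printf(" %02X", code[i]);
    printf("   (%zu bytes)\n", n);
}

int main(void) {
    uint8_t code[16];
    dump("add eax, 0x1234", code, emit_alu_ir(code, ALU_ADD, EAX, 0x1234));
    dump("add ecx, 0x1234", code, emit_alu_ir(code, ALU_ADD, ECX, 0x1234));
    dump("test eax, 1", code, emit_testl_i32r(code, EAX, 1));
    dump("test edx, 1", code, emit_testl_i32r(code, EDX, 1));
    dump("test al, 0x80", code, emit_testb_i8r(code, EAX, 0x80));
    dump("xchg eax, ebx", code, emit_xchgl_rr(code, EAX, EBX));
    dump("xchg ecx, edx", code, emit_xchgl_rr(code, ECX, EDX));
    printf("0x80000000 sign-extends from 32 bits: %s\n",
           can_sign_extend_32_64((int64_t)INT32_MAX + 1) ? "yes" : "no");
    return 0;
}
```

Running it shows the one-byte saving per ALU/test instruction on eax versus any other register, and the one-byte xchg against the two-byte 87 /r form; the sign-extension check shows why 0x80000000 cannot take the short store64 path even though it fits in 32 unsigned bits.
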
150 2014-03-09  Filip Pizlo  <fpizlo@apple.com>
151
152         GPRInfo::toIndex should return InvalidIndex for non-temp registers on ARM64
153         https://bugs.webkit.org/show_bug.cgi?id=129998
154
155         Reviewed by Geoffrey Garen.
156         
157         Not only is that the established contract, but this is used to signal to
158         ScratchRegisterAllocator that the register doesn't need locking since it isn't a register
159         that this allocator would use. In the FTL, we may have an inline cache where LLVM had used
160         some non-temp register (i.e. a register that JSC itself wouldn't have used). This is totally
161         fine but previously it would have led to either an assertion failure, or data corruption, in
162         the ScratchRegisterAllocator.
163
164         * jit/GPRInfo.h:
165         (JSC::GPRInfo::toIndex):
166
167 2014-03-09  Filip Pizlo  <fpizlo@apple.com>
168
169         FTL fails the new equals-masquerader strictEqualConstant test
170         https://bugs.webkit.org/show_bug.cgi?id=129996
171
172         Reviewed by Mark Lam.
173         
174         It turns out that the FTL was trying to do the masquerading stuff for ===null. But
175         that's wrong since none of the other engines do it. The DFG even had an ancient
176         FIXME about doing it - but that doesn't make sense since the LLInt and baseline JIT
177         don't do it and JSValue::strictEqual() doesn't do it.
178         
179         Remove the FIXME and remove the extra checks in the FTL.
180         
181         This is a glorious patch: nothing but red and it fixes a test failure.
182
183         * dfg/DFGSpeculativeJIT.cpp:
184         (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
185         * ftl/FTLLowerDFGToLLVM.cpp:
186         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
187
188 2014-03-09  Andreas Kling  <akling@apple.com>
189
190         Short-circuit JSGlobalObjectInspectorController when not inspecting.
191         <https://webkit.org/b/129995>
192
193         Add an early return in reportAPIException() when the console agent
194         is disabled. This avoids expensive symbolication during exceptions
195         if there's nobody expecting the fancy backtrace anyway.
196
197         ~2% progression on DYEB on my MBP.
198
199         Reviewed by Geoff Garen.
200
201         * inspector/JSGlobalObjectInspectorController.cpp:
202         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
203
204 2014-03-09  Andreas Kling  <akling@apple.com>
205
206         Inline the trivial parts of GC deferral.
207         <https://webkit.org/b/129984>
208
209         Made most of the functions called by the DeferGC RAII object inline
210         to avoid function call overhead.
211
212         Looks like ~1% progression on DYEB.
213
214         Reviewed by Geoffrey Garen.
215
216         * heap/Heap.cpp:
217         * heap/Heap.h:
218         (JSC::Heap::incrementDeferralDepth):
219         (JSC::Heap::decrementDeferralDepth):
220         (JSC::Heap::collectIfNecessaryOrDefer):
221         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
222
223 2014-03-08  Mark Lam  <mark.lam@apple.com>
224
225         32-bit x86 handleUncaughtException returns to wrong location after a stack overflow.
226         <https://webkit.org/b/129969>
227
228         Reviewed by Geoffrey Garen.
229
230         The 32-bit version of handleUncaughtException was missing the handling of an
231         edge case for stack overflows where the current frame may already be the
232         sentinel frame.  This edge case was handled in the 64-bit version.  The fix
233         is to bring the 32-bit version up to parity.
234
235         * jit/JIT.cpp:
236         (JSC::JIT::privateCompile):
237         * llint/LowLevelInterpreter32_64.asm:
238
239 2014-03-07  Mark Lam  <mark.lam@apple.com>
240
241         Fix bugs in 32-bit Structure implementation.
242         <https://webkit.org/b/129947>
243
244         Reviewed by Mark Hahnenberg.
245
246         Added the loading of the Structure (from the JSCell) before use that was
247         missing in a few places.  Also added more test cases to equals-masquerader.js.
248
249         * dfg/DFGSpeculativeJIT32_64.cpp:
250         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
251         (JSC::DFG::SpeculativeJIT::compile):
252         * dfg/DFGSpeculativeJIT64.cpp:
253         (JSC::DFG::SpeculativeJIT::compile):
254         * llint/LowLevelInterpreter32_64.asm:
255         * tests/stress/equals-masquerader.js:
256         (equalsNull):
257         (notEqualsNull):
258         (strictEqualsNull):
259         (strictNotEqualsNull):
260         (equalsUndefined):
261         (notEqualsUndefined):
262         (strictEqualsUndefined):
263         (strictNotEqualsUndefined):
264         (isFalsey):
265         (test):
266
267 2014-03-07  Andrew Trick  <atrick@apple.com>
268
269         Temporarily disable repeat-out-of-bounds stress tests pending fix for 129953.
270         https://bugs.webkit.org/show_bug.cgi?id=129954
271
272         Reviewed by Filip Pizlo.
273
274         * tests/stress/float32-repeat-out-of-bounds.js:
275         * tests/stress/int8-repeat-out-of-bounds.js:
276
277 2014-03-07  Michael Saboff  <msaboff@apple.com>
278
279         .cfi directives in LowLevelInterpreter.cpp are providing no benefit
280         https://bugs.webkit.org/show_bug.cgi?id=129945
281
282         Reviewed by Mark Lam.
283
284         Removed .cfi directive.  Verified that stack traces didn't regress in crash reporter
285         or in lldb.
286
287         * llint/LowLevelInterpreter.cpp:
288
289 2014-03-07  Oliver Hunt  <oliver@apple.com>
290
291         Continue hangs when performing for-of over arguments
292         https://bugs.webkit.org/show_bug.cgi?id=129915
293
294         Reviewed by Geoffrey Garen.
295
296         Put the continue label in the right place.
297
298         * bytecompiler/BytecodeGenerator.cpp:
299         (JSC::BytecodeGenerator::emitEnumeration):
300
301 2014-03-07  peavo@outlook.com  <peavo@outlook.com>
302
303         [Win64] Compile error after r165128.
304         https://bugs.webkit.org/show_bug.cgi?id=129807
305
306         Reviewed by Mark Lam.
307
308         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: 
309         Check platform environment variable to determine if an assembler file should be generated.
310
311 2014-03-07  Michael Saboff  <msaboff@apple.com>
312
313         Clarify how we deal with "special" registers
314         https://bugs.webkit.org/show_bug.cgi?id=129806
315
316         Already reviewed change being relanded.
317
318         Relanding change set r165196 as it wasn't responsible for the breakage reported in
319         https://bugs.webkit.org/show_bug.cgi?id=129822.  That appears to be a build or
320         configuration issue.
321
322         Reviewed by Michael Saboff.
323
324         * assembler/ARM64Assembler.h:
325         (JSC::ARM64Assembler::lastRegister):
326         * assembler/MacroAssembler.h:
327         (JSC::MacroAssembler::nextRegister):
328         * ftl/FTLLocation.cpp:
329         (JSC::FTL::Location::restoreInto):
330         * ftl/FTLSaveRestore.cpp:
331         (JSC::FTL::saveAllRegisters):
332         (JSC::FTL::restoreAllRegisters):
333         * ftl/FTLSlowPathCall.cpp:
334         * jit/RegisterSet.cpp:
335         (JSC::RegisterSet::reservedHardwareRegisters):
336         (JSC::RegisterSet::runtimeRegisters):
337         (JSC::RegisterSet::specialRegisters):
338         (JSC::RegisterSet::calleeSaveRegisters):
339         * jit/RegisterSet.h:
340
341 2014-03-07  Mark Hahnenberg  <mhahnenberg@apple.com>
342
343         Move GCActivityCallback to heap
344         https://bugs.webkit.org/show_bug.cgi?id=129457
345
346         Reviewed by Geoffrey Garen.
347
348         All the other GC timer related stuff is there already.
349
350         * CMakeLists.txt:
351         * GNUmakefile.list.am:
352         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
353         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
354         * JavaScriptCore.xcodeproj/project.pbxproj:
355         * heap/GCActivityCallback.cpp: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.cpp.
356         * heap/GCActivityCallback.h: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.h.
357         * runtime/GCActivityCallback.cpp: Removed.
358         * runtime/GCActivityCallback.h: Removed.
359
360 2014-03-07  Andrew Trick  <atrick@apple.com>
361
362         Correct a comment typo from:
363         FTL should call fmod directly on platforms where LLVM cannot relocate the libcall
364         https://bugs.webkit.org/show_bug.cgi?id=129865
365
366         Reviewed by Mark Lam.
367
368         * ftl/FTLOutput.h:
369         (JSC::FTL::Output::doubleRem):
370
371 2014-03-07  Mark Hahnenberg  <mhahnenberg@apple.com>
372
373         Use OwnPtr in StructureIDTable
374         https://bugs.webkit.org/show_bug.cgi?id=129828
375
376         Reviewed by Geoffrey Garen.
377
378         This reduces the amount of boilerplate and fixes a memory leak.
379
380         * runtime/StructureIDTable.cpp:
381         (JSC::StructureIDTable::StructureIDTable):
382         (JSC::StructureIDTable::resize):
383         (JSC::StructureIDTable::flushOldTables):
384         (JSC::StructureIDTable::allocateID):
385         (JSC::StructureIDTable::deallocateID):
386         * runtime/StructureIDTable.h:
387         (JSC::StructureIDTable::table):
388         (JSC::StructureIDTable::get):
389
390 2014-03-07  Andrew Trick  <atrick@apple.com>
391
392         FTL should call fmod directly on platforms where LLVM cannot relocate the libcall
393         https://bugs.webkit.org/show_bug.cgi?id=129865
394
395         Reviewed by Filip Pizlo.
396
397         * ftl/FTLIntrinsicRepository.h:
398         * ftl/FTLOutput.h:
399         (JSC::FTL::Output::doubleRem):
400
401 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
402
403         If the FTL is build-time enabled then it should be run-time enabled.
404
405         Rubber stamped by Geoffrey Garen.
406
407         * runtime/Options.cpp:
408         (JSC::recomputeDependentOptions):
409         * runtime/Options.h:
410
411 2014-03-06  Joseph Pecoraro  <pecoraro@apple.com>
412
413         [OS X] Web Inspector: Allow Apps using JavaScriptCore to access "com.apple.webinspector" mach port
414         https://bugs.webkit.org/show_bug.cgi?id=129852
415
416         Reviewed by Geoffrey Garen.
417
418         * framework.sb: Added.
419         Sandbox extension to allow access to "com.apple.webinspector".
420
421         * JavaScriptCore.xcodeproj/project.pbxproj:
422         Add a Copy Resources build phase and include framework.sb.
423
424         * Configurations/JavaScriptCore.xcconfig:
425         Do not copy framework.sb on iOS.
426
427 2014-03-06  Mark Hahnenberg  <mhahnenberg@apple.com>
428
429         JSGlobalContextRelease incorrectly handles saving/restoring IdentifierTable
430         https://bugs.webkit.org/show_bug.cgi?id=129858
431
432         Reviewed by Mark Lam.
433
434         It was correct (but really ugly) prior to the combining of APIEntryShim and JSLock, 
435         but now it ends up overwriting the IdentifierTable that JSLock just restored.
436
437         * API/JSContextRef.cpp:
438         (JSGlobalContextRelease):
439
440 2014-03-06  Oliver Hunt  <oliver@apple.com>
441
442         Fix FTL build.
443
444         * dfg/DFGConstantFoldingPhase.cpp:
445         (JSC::DFG::ConstantFoldingPhase::foldConstants):
446
447 2014-03-06  Brent Fulgham  <bfulgham@apple.com>
448
449         Unreviewed build fix after r165128.
450
451         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: The SEH flag was not getting set when
452         performing 'Production' and 'DebugSuffix' type builds.
453
454 2014-03-06  Julien Brianceau  <jbriance@cisco.com>
455
456         Unreviewed, fix style in my previous commit.
457         https://bugs.webkit.org/show_bug.cgi?id=129833
458
459         * runtime/JSConsole.cpp:
460
461 2014-03-06  Julien Brianceau  <jbriance@cisco.com>
462
463         Build fix: add missing include in JSConsole.cpp.
464         https://bugs.webkit.org/show_bug.cgi?id=129833
465
466         Reviewed by Oliver Hunt.
467
468         * runtime/JSConsole.cpp:
469
470 2014-03-06  Oliver Hunt  <oliver@apple.com>
471
472         Fix ARMv7
473
474         * jit/CCallHelpers.h:
475         (JSC::CCallHelpers::setupArgumentsWithExecState):
476
477 2014-03-06  Commit Queue  <commit-queue@webkit.org>
478
479         Unreviewed, rolling out r165196.
480         http://trac.webkit.org/changeset/165196
481         https://bugs.webkit.org/show_bug.cgi?id=129822
482
483         broke arm64 on hardware (Requested by bfulgham on #webkit).
484
485         * assembler/ARM64Assembler.h:
486         (JSC::ARM64Assembler::lastRegister):
487         * assembler/MacroAssembler.h:
488         (JSC::MacroAssembler::isStackRelated):
489         (JSC::MacroAssembler::firstRealRegister):
490         (JSC::MacroAssembler::nextRegister):
491         (JSC::MacroAssembler::secondRealRegister):
492         * ftl/FTLLocation.cpp:
493         (JSC::FTL::Location::restoreInto):
494         * ftl/FTLSaveRestore.cpp:
495         (JSC::FTL::saveAllRegisters):
496         (JSC::FTL::restoreAllRegisters):
497         * ftl/FTLSlowPathCall.cpp:
498         * jit/RegisterSet.cpp:
499         (JSC::RegisterSet::specialRegisters):
500         (JSC::RegisterSet::calleeSaveRegisters):
501         * jit/RegisterSet.h:
502
503 2014-03-06  Mark Lam  <mark.lam@apple.com>
504
505         REGRESSION(r165205): broke the CLOOP build (Requested by smfr on #webkit).
506         <https://webkit.org/b/129813>
507
508         Reviewed by Michael Saboff.
509
510         Fixed broken C loop LLINT build.
511
512         * llint/LowLevelInterpreter.cpp:
513         (JSC::CLoop::execute):
514         * offlineasm/cloop.rb:
515
516 2014-03-03  Oliver Hunt  <oliver@apple.com>
517
518         Support caching of custom setters
519         https://bugs.webkit.org/show_bug.cgi?id=129519
520
521         Reviewed by Filip Pizlo.
522
523         This patch adds caching of assignment to properties that
524         are backed by C functions. This provides most of the leg
525         work required to start supporting setters, and resolves
526         the remaining regressions from moving DOM properties up
527         the prototype chain.
528
529         * JavaScriptCore.xcodeproj/project.pbxproj:
530         * bytecode/PolymorphicPutByIdList.cpp:
531         (JSC::PutByIdAccess::visitWeak):
532         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
533         (JSC::PolymorphicPutByIdList::from):
534         * bytecode/PolymorphicPutByIdList.h:
535         (JSC::PutByIdAccess::transition):
536         (JSC::PutByIdAccess::replace):
537         (JSC::PutByIdAccess::customSetter):
538         (JSC::PutByIdAccess::isCustom):
539         (JSC::PutByIdAccess::oldStructure):
540         (JSC::PutByIdAccess::chain):
541         (JSC::PutByIdAccess::stubRoutine):
542         * bytecode/PutByIdStatus.cpp:
543         (JSC::PutByIdStatus::computeForStubInfo):
544         (JSC::PutByIdStatus::computeFor):
545         (JSC::PutByIdStatus::dump):
546         * bytecode/PutByIdStatus.h:
547         (JSC::PutByIdStatus::PutByIdStatus):
548         (JSC::PutByIdStatus::takesSlowPath):
549         (JSC::PutByIdStatus::makesCalls):
550         * bytecode/StructureStubInfo.h:
551         * dfg/DFGAbstractInterpreterInlines.h:
552         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
553         * dfg/DFGByteCodeParser.cpp:
554         (JSC::DFG::ByteCodeParser::emitPutById):
555         (JSC::DFG::ByteCodeParser::handlePutById):
556         * dfg/DFGClobberize.h:
557         (JSC::DFG::clobberize):
558         * dfg/DFGCommon.h:
559         * dfg/DFGConstantFoldingPhase.cpp:
560         (JSC::DFG::ConstantFoldingPhase::foldConstants):
561         * dfg/DFGFixupPhase.cpp:
562         (JSC::DFG::FixupPhase::fixupNode):
563         * dfg/DFGNode.h:
564         (JSC::DFG::Node::hasIdentifier):
565         * dfg/DFGNodeType.h:
566         * dfg/DFGPredictionPropagationPhase.cpp:
567         (JSC::DFG::PredictionPropagationPhase::propagate):
568         * dfg/DFGSafeToExecute.h:
569         (JSC::DFG::safeToExecute):
570         * dfg/DFGSpeculativeJIT.cpp:
571         (JSC::DFG::SpeculativeJIT::compileIn):
572         * dfg/DFGSpeculativeJIT.h:
573         * dfg/DFGSpeculativeJIT32_64.cpp:
574         (JSC::DFG::SpeculativeJIT::cachedGetById):
575         (JSC::DFG::SpeculativeJIT::cachedPutById):
576         (JSC::DFG::SpeculativeJIT::compile):
577         * dfg/DFGSpeculativeJIT64.cpp:
578         (JSC::DFG::SpeculativeJIT::cachedGetById):
579         (JSC::DFG::SpeculativeJIT::cachedPutById):
580         (JSC::DFG::SpeculativeJIT::compile):
581         * jit/CCallHelpers.h:
582         (JSC::CCallHelpers::setupArgumentsWithExecState):
583         * jit/JITInlineCacheGenerator.cpp:
584         (JSC::JITByIdGenerator::JITByIdGenerator):
585         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
586         * jit/JITInlineCacheGenerator.h:
587         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
588         * jit/JITOperations.cpp:
589         * jit/JITOperations.h:
590         * jit/JITPropertyAccess.cpp:
591         (JSC::JIT::emit_op_get_by_id):
592         (JSC::JIT::emit_op_put_by_id):
593         * jit/JITPropertyAccess32_64.cpp:
594         (JSC::JIT::emit_op_get_by_id):
595         (JSC::JIT::emit_op_put_by_id):
596         * jit/Repatch.cpp:
597         (JSC::tryCacheGetByID):
598         (JSC::tryBuildGetByIDList):
599         (JSC::emitCustomSetterStub):
600         (JSC::tryCachePutByID):
601         (JSC::tryBuildPutByIdList):
602         * jit/SpillRegistersMode.h: Added.
603         * llint/LLIntSlowPaths.cpp:
604         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
605         * runtime/Lookup.h:
606         (JSC::putEntry):
607         * runtime/PutPropertySlot.h:
608         (JSC::PutPropertySlot::setCacheableCustomProperty):
609         (JSC::PutPropertySlot::customSetter):
610         (JSC::PutPropertySlot::isCacheablePut):
611         (JSC::PutPropertySlot::isCacheableCustomProperty):
612         (JSC::PutPropertySlot::cachedOffset):
613
614 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
615
616         FTL arity fixup should work on ARM64
617         https://bugs.webkit.org/show_bug.cgi?id=129810
618
619         Reviewed by Michael Saboff.
620         
621         - Using regT5 to pass the thunk return address to arityFixup is shady since that's a
622           callee-save.
623         
624         - The FTL path was assuming X86 conventions for where SP points at the top of the prologue.
625         
626         This makes some more tests pass.
627
628         * dfg/DFGJITCompiler.cpp:
629         (JSC::DFG::JITCompiler::compileFunction):
630         * ftl/FTLLink.cpp:
631         (JSC::FTL::link):
632         * jit/AssemblyHelpers.h:
633         (JSC::AssemblyHelpers::prologueStackPointerDelta):
634         * jit/JIT.cpp:
635         (JSC::JIT::privateCompile):
636         * jit/ThunkGenerators.cpp:
637         (JSC::arityFixup):
638         * llint/LowLevelInterpreter64.asm:
639         * offlineasm/arm64.rb:
640         * offlineasm/x86.rb: In addition to the t7 change, make t6 agree with GPRInfo.h.
641
642 2014-03-06  Mark Hahnenberg  <mhahnenberg@apple.com>
643
644         Fix write barriers in Repatch.cpp for !ENABLE(DFG_JIT) platforms after r165128
645         https://bugs.webkit.org/show_bug.cgi?id=129760
646
647         Reviewed by Geoffrey Garen.
648
649         r165128 disabled the write barrier fast path for inline caches on !ENABLE(DFG_JIT) platforms. 
650         The fix is to refactor the write barrier code into AssemblyHelpers and use that everywhere.
651
652         * dfg/DFGSpeculativeJIT.cpp:
653         (JSC::DFG::SpeculativeJIT::writeBarrier):
654         * dfg/DFGSpeculativeJIT.h:
655         * dfg/DFGSpeculativeJIT32_64.cpp:
656         (JSC::DFG::SpeculativeJIT::writeBarrier):
657         * dfg/DFGSpeculativeJIT64.cpp:
658         (JSC::DFG::SpeculativeJIT::writeBarrier):
659         * jit/AssemblyHelpers.h:
660         (JSC::AssemblyHelpers::checkMarkByte):
661         * jit/JIT.h:
662         * jit/JITPropertyAccess.cpp:
663         * jit/Repatch.cpp:
664         (JSC::writeBarrier):
665
666 2014-03-06  Joseph Pecoraro  <pecoraro@apple.com>
667
668         Web Inspector: Expose the console object in JSContexts to interact with Web Inspector
669         https://bugs.webkit.org/show_bug.cgi?id=127944
670
671         Reviewed by Geoffrey Garen.
672
673         Always expose the Console object in JSContexts, just like we
674         do for web pages. The default behavior will route to an
675         attached JSContext inspector. This can be overridden by
676         setting the ConsoleClient on the JSGlobalObject, which WebCore
677         does to get slightly different behavior.
678
679         * CMakeLists.txt:
680         * GNUmakefile.list.am:
681         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
682         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
683         * JavaScriptCore.xcodeproj/project.pbxproj:
684         Update build systems.
685
686         * API/tests/testapi.js:
687         * API/tests/testapi.mm:
688         Test that "console" exists in C and ObjC contexts.
689
690         * runtime/ConsoleClient.cpp: Added.
691         (JSC::ConsoleClient::printURLAndPosition):
692         (JSC::ConsoleClient::printMessagePrefix):
693         (JSC::ConsoleClient::printConsoleMessage):
694         (JSC::ConsoleClient::printConsoleMessageWithArguments):
695         (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
696         (JSC::ConsoleClient::logWithLevel):
697         (JSC::ConsoleClient::clear):
698         (JSC::ConsoleClient::dir):
699         (JSC::ConsoleClient::dirXML):
700         (JSC::ConsoleClient::table):
701         (JSC::ConsoleClient::trace):
702         (JSC::ConsoleClient::assertCondition):
703         (JSC::ConsoleClient::group):
704         (JSC::ConsoleClient::groupCollapsed):
705         (JSC::ConsoleClient::groupEnd):
706         * runtime/ConsoleClient.h: Added.
707         (JSC::ConsoleClient::~ConsoleClient):
708         New private interface for handling the console object's methods.
709         A lot of the methods funnel through messageWithTypeAndLevel.
710
711         * runtime/ConsoleTypes.h: Renamed from Source/JavaScriptCore/inspector/ConsoleTypes.h.
712         Moved to JSC namespace.
713
714         * runtime/JSGlobalObject.cpp:
715         (JSC::JSGlobalObject::JSGlobalObject):
716         (JSC::JSGlobalObject::init):
717         (JSC::JSGlobalObject::reset):
718         (JSC::JSGlobalObject::visitChildren):
719         Create the "console" object when initializing the environment.
720         Also set the default console client to be the JS context inspector.
721
722         * runtime/JSGlobalObject.h:
723         (JSC::JSGlobalObject::setConsoleClient):
724         (JSC::JSGlobalObject::consoleClient):
725         Ability to change the console client, so WebCore can set a custom client.
726
727         * runtime/ConsolePrototype.cpp: Added.
728         (JSC::ConsolePrototype::finishCreation):
729         (JSC::valueToStringWithUndefinedOrNullCheck):
730         (JSC::consoleLogWithLevel):
731         (JSC::consoleProtoFuncDebug):
732         (JSC::consoleProtoFuncError):
733         (JSC::consoleProtoFuncLog):
734         (JSC::consoleProtoFuncWarn):
735         (JSC::consoleProtoFuncClear):
736         (JSC::consoleProtoFuncDir):
737         (JSC::consoleProtoFuncDirXML):
738         (JSC::consoleProtoFuncTable):
739         (JSC::consoleProtoFuncTrace):
740         (JSC::consoleProtoFuncAssert):
741         (JSC::consoleProtoFuncCount):
742         (JSC::consoleProtoFuncProfile):
743         (JSC::consoleProtoFuncProfileEnd):
744         (JSC::consoleProtoFuncTime):
745         (JSC::consoleProtoFuncTimeEnd):
746         (JSC::consoleProtoFuncTimeStamp):
747         (JSC::consoleProtoFuncGroup):
748         (JSC::consoleProtoFuncGroupCollapsed):
749         (JSC::consoleProtoFuncGroupEnd):
750         * runtime/ConsolePrototype.h: Added.
751         (JSC::ConsolePrototype::create):
752         (JSC::ConsolePrototype::createStructure):
753         (JSC::ConsolePrototype::ConsolePrototype):
754         Define the console object interface. Parse out required / expected
755         arguments and throw exceptions when methods are misused.
756
757         * runtime/JSConsole.cpp: Added.
758         * runtime/JSConsole.h: Added.
759         (JSC::JSConsole::createStructure):
760         (JSC::JSConsole::create):
761         (JSC::JSConsole::JSConsole):
762         Empty "console" object. Everything is in the prototype.
763
764         * inspector/JSConsoleClient.cpp: Added.
765         (Inspector::JSConsoleClient::JSGlobalObjectConsole):
766         (Inspector::JSConsoleClient::count):
767         (Inspector::JSConsoleClient::profile):
768         (Inspector::JSConsoleClient::profileEnd):
769         (Inspector::JSConsoleClient::time):
770         (Inspector::JSConsoleClient::timeEnd):
771         (Inspector::JSConsoleClient::timeStamp):
772         (Inspector::JSConsoleClient::warnUnimplemented):
773         (Inspector::JSConsoleClient::internalAddMessage):
774         * inspector/JSConsoleClient.h: Added.
775         * inspector/JSGlobalObjectInspectorController.cpp:
776         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
777         (Inspector::JSGlobalObjectInspectorController::consoleClient):
778         * inspector/JSGlobalObjectInspectorController.h:
779         Default JSContext ConsoleClient implementation. Handle nearly
780         everything except profile/profileEnd and timeStamp.
781
782 2014-03-06  Andreas Kling  <akling@apple.com>
783
784         Drop unlinked function code on memory pressure.
785         <https://webkit.org/b/129789>
786
787         Make VM::discardAllCode() also drop UnlinkedFunctionCodeBlocks that
788         are not currently being compiled.
789
790         4.5 MB progression on Membuster.
791
792         Reviewed by Geoffrey Garen.
793
794         * heap/Heap.cpp:
795         (JSC::Heap::deleteAllUnlinkedFunctionCode):
796         * heap/Heap.h:
797         * runtime/VM.cpp:
798         (JSC::VM::discardAllCode):
799
800 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
801
802         Clarify how we deal with "special" registers
803         https://bugs.webkit.org/show_bug.cgi?id=129806
804
805         Reviewed by Michael Saboff.
806         
807         Previously we had two different places that defined what "stack" registers are, a thing
808         called "specialRegisters" that had unclear meaning, and a really weird "firstRealRegister"/
809         "secondRealRegister"/"nextRegister" idiom in MacroAssembler that appeared to only be used by
810         one place and had a baked-in notion of what it meant for a register to be "real" or not.
811         
812         It's not cool to use words like "real" and "special" to describe registers, especially if you
813         fail to qualify what that means. This originally made sense on X86 - "real" registers were
814         the ones that weren't "stack related" (so "real" was the opposite of "stack"). But on ARM64,
815         you also have to worry about the LR register, which we'd want to say is "not real" but it's
816         also not a "stack" register. This got super confusing.
817         
818         So, this patch removes any mention of "real" registers, consolidates the knowledge of what is
819         a "stack" register, and uses the word special only in places where it's clearly defined and
820         where no better word comes to mind.
821         
822         This cleans up the code and fixes what seems like it was probably a harmless ARM64 bug: the
823         Reg and RegisterSet data structures would sometimes think that FP was Q0. Somehow this
824         magically didn't break anything because you never need to save/restore either FP or Q0, but
825         it was still super weird.
826
827         * assembler/ARM64Assembler.h:
828         (JSC::ARM64Assembler::lastRegister):
829         * assembler/MacroAssembler.h:
830         (JSC::MacroAssembler::nextRegister):
831         * ftl/FTLLocation.cpp:
832         (JSC::FTL::Location::restoreInto):
833         * ftl/FTLSaveRestore.cpp:
834         (JSC::FTL::saveAllRegisters):
835         (JSC::FTL::restoreAllRegisters):
836         * ftl/FTLSlowPathCall.cpp:
837         * jit/RegisterSet.cpp:
838         (JSC::RegisterSet::reservedHardwareRegisters):
839         (JSC::RegisterSet::runtimeRegisters):
840         (JSC::RegisterSet::specialRegisters):
841         (JSC::RegisterSet::calleeSaveRegisters):
842         * jit/RegisterSet.h:
843
844 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
845
846         Unreviewed, fix build.
847
848         * disassembler/ARM64Disassembler.cpp:
849
850 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
851
852         Use the LLVM disassembler on ARM64 if we are enabling the FTL
853         https://bugs.webkit.org/show_bug.cgi?id=129785
854
855         Reviewed by Geoffrey Garen.
856         
857         Our disassembler can't handle some of the code sequences that LLVM emits. LLVM's disassembler
858         is strictly more capable at this point. Use it if it's available.
859
860         * disassembler/ARM64Disassembler.cpp:
861         (JSC::tryToDisassemble):
862
863 2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>
864
865         Web Inspector: Reduce RWI message frequency
866         https://bugs.webkit.org/show_bug.cgi?id=129767
867
868         Reviewed by Timothy Hatcher.
869
870         This used to be 0.2s and changed by accident to 0.02s.
871
872         * inspector/remote/RemoteInspector.mm:
873         (Inspector::RemoteInspector::pushListingSoon):
874
875 2014-03-05  Commit Queue  <commit-queue@webkit.org>
876
877         Unreviewed, rolling out r165141, r165157, and r165158.
878         http://trac.webkit.org/changeset/165141
879         http://trac.webkit.org/changeset/165157
880         http://trac.webkit.org/changeset/165158
881         https://bugs.webkit.org/show_bug.cgi?id=129772
882
883         "broke ftl" (Requested by olliej_ on #webkit).
884
885         * JavaScriptCore.xcodeproj/project.pbxproj:
886         * bytecode/PolymorphicPutByIdList.cpp:
887         (JSC::PutByIdAccess::visitWeak):
888         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
889         (JSC::PolymorphicPutByIdList::from):
890         * bytecode/PolymorphicPutByIdList.h:
891         (JSC::PutByIdAccess::transition):
892         (JSC::PutByIdAccess::replace):
893         (JSC::PutByIdAccess::oldStructure):
894         (JSC::PutByIdAccess::chain):
895         (JSC::PutByIdAccess::stubRoutine):
896         * bytecode/PutByIdStatus.cpp:
897         (JSC::PutByIdStatus::computeForStubInfo):
898         (JSC::PutByIdStatus::computeFor):
899         (JSC::PutByIdStatus::dump):
900         * bytecode/PutByIdStatus.h:
901         (JSC::PutByIdStatus::PutByIdStatus):
902         (JSC::PutByIdStatus::takesSlowPath):
903         * bytecode/StructureStubInfo.h:
904         * dfg/DFGAbstractInterpreterInlines.h:
905         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
906         * dfg/DFGByteCodeParser.cpp:
907         (JSC::DFG::ByteCodeParser::emitPutById):
908         (JSC::DFG::ByteCodeParser::handlePutById):
909         * dfg/DFGClobberize.h:
910         (JSC::DFG::clobberize):
911         * dfg/DFGCommon.h:
912         * dfg/DFGConstantFoldingPhase.cpp:
913         (JSC::DFG::ConstantFoldingPhase::foldConstants):
914         * dfg/DFGFixupPhase.cpp:
915         (JSC::DFG::FixupPhase::fixupNode):
916         * dfg/DFGNode.h:
917         (JSC::DFG::Node::hasIdentifier):
918         * dfg/DFGNodeType.h:
919         * dfg/DFGPredictionPropagationPhase.cpp:
920         (JSC::DFG::PredictionPropagationPhase::propagate):
921         * dfg/DFGSafeToExecute.h:
922         (JSC::DFG::safeToExecute):
923         * dfg/DFGSpeculativeJIT.cpp:
924         (JSC::DFG::SpeculativeJIT::compileIn):
925         * dfg/DFGSpeculativeJIT.h:
926         * dfg/DFGSpeculativeJIT32_64.cpp:
927         (JSC::DFG::SpeculativeJIT::cachedGetById):
928         (JSC::DFG::SpeculativeJIT::cachedPutById):
929         (JSC::DFG::SpeculativeJIT::compile):
930         * dfg/DFGSpeculativeJIT64.cpp:
931         (JSC::DFG::SpeculativeJIT::cachedGetById):
932         (JSC::DFG::SpeculativeJIT::cachedPutById):
933         (JSC::DFG::SpeculativeJIT::compile):
934         * ftl/FTLCompile.cpp:
935         (JSC::FTL::fixFunctionBasedOnStackMaps):
936         * jit/CCallHelpers.h:
937         (JSC::CCallHelpers::setupArgumentsWithExecState):
938         * jit/JITInlineCacheGenerator.cpp:
939         (JSC::JITByIdGenerator::JITByIdGenerator):
940         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
941         * jit/JITInlineCacheGenerator.h:
942         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
943         * jit/JITOperations.cpp:
944         * jit/JITOperations.h:
945         * jit/JITPropertyAccess.cpp:
946         (JSC::JIT::emit_op_get_by_id):
947         (JSC::JIT::emit_op_put_by_id):
948         * jit/JITPropertyAccess32_64.cpp:
949         (JSC::JIT::emit_op_get_by_id):
950         (JSC::JIT::emit_op_put_by_id):
951         * jit/Repatch.cpp:
952         (JSC::tryCacheGetByID):
953         (JSC::tryBuildGetByIDList):
954         (JSC::tryCachePutByID):
955         (JSC::tryBuildPutByIdList):
956         * jit/SpillRegistersMode.h: Removed.
957         * llint/LLIntSlowPaths.cpp:
958         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
959         * runtime/Lookup.h:
960         (JSC::putEntry):
961         * runtime/PutPropertySlot.h:
962         (JSC::PutPropertySlot::isCacheable):
963         (JSC::PutPropertySlot::cachedOffset):
964
965 2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>
966
967         Web Inspector: Prevent possible deadlock in view indication
968         https://bugs.webkit.org/show_bug.cgi?id=129766
969
970         Reviewed by Geoffrey Garen.
971
972         * inspector/remote/RemoteInspector.mm:
973         (Inspector::RemoteInspector::receivedIndicateMessage):
974
975 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
976
977         JSObject::fastGetOwnPropertySlot does a slow check for OverridesGetOwnPropertySlot
978         https://bugs.webkit.org/show_bug.cgi?id=129754
979
980         Reviewed by Geoffrey Garen.
981
982         InlineTypeFlags are stored in JSCell, so we can just load those instead of going through the TypeInfo.
983
984         * runtime/JSCell.h:
985         (JSC::JSCell::inlineTypeFlags):
986         * runtime/JSObject.h:
987         (JSC::JSObject::fastGetOwnPropertySlot):
988         * runtime/JSTypeInfo.h:
989         (JSC::TypeInfo::TypeInfo):
990         (JSC::TypeInfo::overridesGetOwnPropertySlot):
991
992 2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>
993
994         Web Inspector: ASSERTION FAILED: m_javaScriptBreakpoints.isEmpty()
995         https://bugs.webkit.org/show_bug.cgi?id=129763
996
997         Reviewed by Geoffrey Garen.
998
999         Clear the list of all breakpoints, including unresolved breakpoints.
1000
1001         * inspector/agents/InspectorDebuggerAgent.cpp:
1002         (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
1003
1004 2014-03-05  Mark Lam  <mark.lam@apple.com>
1005
1006         llint_slow_path_check_has_instance() should not adjust PC before accessing operands.
1007         <https://webkit.org/b/129768>
1008
1009         Reviewed by Mark Hahnenberg.
1010
1011         When evaluating "a instanceof b" where b is an object that ImplementsHasInstance
1012         and OverridesHasInstance (e.g. a bound function), the LLINT will take the slow
1013         path llint_slow_path_check_has_instance(), and execute a code path that does the
1014         following:
1015         1. Adjusts the byte code PC to the jump target PC.
1016         2. For the purpose of storing the result, get the result registerIndex from the
1017            1st operand using the PC as if the PC is still pointing to op_check_has_instance
1018            bytecode.
1019
1020         The result is that whatever value resides after where the jump target PC is will
1021         be used as a result register value.  Depending on what that value is, the result
1022         can be:
1023         1. the code coincidently works correctly
1024         2. memory corruption
1025         3. crashes
1026
1027         The fix is to only adjust the byte code PC after we have stored the result.
1028         
1029         * llint/LLIntSlowPaths.cpp:
1030         (llint_slow_path_check_has_instance):
1031
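        Added example, not JSC's own code: a toy interpreter slow path that reads its
        destination operand after moving the PC, beside the corrected order from the entry.
        The five-word bytecode layout, the register file and the constructed program are
        assumptions made for this illustration; the point is that once the PC has been
        moved, pc[1] is an operand of whatever instruction sits at the jump target.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>

// Assumed toy layout for check_has_instance (not JSC's real encoding):
//   word 0: opcode          word 1: dst register     word 2: value register
//   word 3: constructor reg word 4: jump offset (in words) to the target
enum Opcode : uint32_t { OP_CHECK_HAS_INSTANCE = 1, OP_RET = 2 };

struct Frame {
    std::array<int32_t, 16> registers{};
};

// Buggy order from the entry: the PC is moved to the jump target first, so
// pc[1] is now an operand of the *target* instruction, not our dst.
// Returns the register index that actually received the result.
static uint32_t buggySlowPath(Frame& frame, const uint32_t*& pc, int32_t result)
{
    pc += pc[4];                          // 1. adjust the PC to the jump target
    uint32_t dst = pc[1];                 // 2. read "dst" as if still at check_has_instance
    if (dst < frame.registers.size())     // the real code had no such check: an arbitrary
        frame.registers[dst] = result;    // index here is the memory corruption / crash
    return dst;
}

// Fixed order: store the result through the current instruction's operand,
// and only then move the PC.
static uint32_t fixedSlowPath(Frame& frame, const uint32_t*& pc, int32_t result)
{
    uint32_t dst = pc[1];                 // operands come from the current instruction
    frame.registers[dst] = result;
    pc += pc[4];                          // now it is safe to jump
    return dst;
}

// Constructed program: check_has_instance writing r0 and jumping 5 words
// ahead to a return whose operand word holds targetOperand.
static uint32_t runSlowPath(bool fixed, uint32_t targetOperand)
{
    const uint32_t program[] = {
        OP_CHECK_HAS_INSTANCE, 0, 1, 2, 5,
        OP_RET, targetOperand, 0, 0, 0,
    };
    Frame frame;
    const uint32_t* pc = program;
    return fixed ? fixedSlowPath(frame, pc, 1) : buggySlowPath(frame, pc, 1);
}

int main()
{
    // Buggy path writes r9 (the target's operand); fixed path writes r0.
    return (runSlowPath(false, 9) == 9 && runSlowPath(true, 9) == 0) ? 0 : 1;
}
```

        With a target operand that is not a valid register index at all, the buggy
        path still tries to use it as one; that is the "memory corruption or crash"
        outcome the entry describes.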
1032 2014-03-05  Ryosuke Niwa  <rniwa@webkit.org>
1033
1034         Another build fix attempt after r165141.
1035
1036         * ftl/FTLCompile.cpp:
1037         (JSC::FTL::fixFunctionBasedOnStackMaps):
1038
1039 2014-03-05  Ryosuke Niwa  <rniwa@webkit.org>
1040
1041         FTL build fix attempt after r165141.
1042
1043         * ftl/FTLCompile.cpp:
1044         (JSC::FTL::fixFunctionBasedOnStackMaps):
1045
1046 2014-03-05  Gavin Barraclough  <barraclough@apple.com>
1047
1048         https://bugs.webkit.org/show_bug.cgi?id=128625
1049         Add fast mapping from StringImpl to JSString
1050
1051         Unreviewed roll-out.
1052
1053         Reverting r164347, r165054, r165066 - not clear the performance tradeoff was right.
1054
1055         * runtime/JSString.cpp:
1056         * runtime/JSString.h:
1057         * runtime/VM.cpp:
1058         (JSC::VM::createLeaked):
1059         * runtime/VM.h:
1060
1061 2014-03-03  Oliver Hunt  <oliver@apple.com>
1062
1063         Support caching of custom setters
1064         https://bugs.webkit.org/show_bug.cgi?id=129519
1065
1066         Reviewed by Filip Pizlo.
1067
1068         This patch adds caching of assignment to properties that
1069         are backed by C functions. This provides most of the leg
1070         work required to start supporting setters, and resolves
1071         the remaining regressions from moving DOM properties up
1072         the prototype chain.
1073
1074         * JavaScriptCore.xcodeproj/project.pbxproj:
1075         * bytecode/PolymorphicPutByIdList.cpp:
1076         (JSC::PutByIdAccess::visitWeak):
1077         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
1078         (JSC::PolymorphicPutByIdList::from):
1079         * bytecode/PolymorphicPutByIdList.h:
1080         (JSC::PutByIdAccess::transition):
1081         (JSC::PutByIdAccess::replace):
1082         (JSC::PutByIdAccess::customSetter):
1083         (JSC::PutByIdAccess::isCustom):
1084         (JSC::PutByIdAccess::oldStructure):
1085         (JSC::PutByIdAccess::chain):
1086         (JSC::PutByIdAccess::stubRoutine):
1087         * bytecode/PutByIdStatus.cpp:
1088         (JSC::PutByIdStatus::computeForStubInfo):
1089         (JSC::PutByIdStatus::computeFor):
1090         (JSC::PutByIdStatus::dump):
1091         * bytecode/PutByIdStatus.h:
1092         (JSC::PutByIdStatus::PutByIdStatus):
1093         (JSC::PutByIdStatus::takesSlowPath):
1094         (JSC::PutByIdStatus::makesCalls):
1095         * bytecode/StructureStubInfo.h:
1096         * dfg/DFGAbstractInterpreterInlines.h:
1097         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1098         * dfg/DFGByteCodeParser.cpp:
1099         (JSC::DFG::ByteCodeParser::emitPutById):
1100         (JSC::DFG::ByteCodeParser::handlePutById):
1101         * dfg/DFGClobberize.h:
1102         (JSC::DFG::clobberize):
1103         * dfg/DFGCommon.h:
1104         * dfg/DFGConstantFoldingPhase.cpp:
1105         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1106         * dfg/DFGFixupPhase.cpp:
1107         (JSC::DFG::FixupPhase::fixupNode):
1108         * dfg/DFGNode.h:
1109         (JSC::DFG::Node::hasIdentifier):
1110         * dfg/DFGNodeType.h:
1111         * dfg/DFGPredictionPropagationPhase.cpp:
1112         (JSC::DFG::PredictionPropagationPhase::propagate):
1113         * dfg/DFGSafeToExecute.h:
1114         (JSC::DFG::safeToExecute):
1115         * dfg/DFGSpeculativeJIT.cpp:
1116         (JSC::DFG::SpeculativeJIT::compileIn):
1117         * dfg/DFGSpeculativeJIT.h:
1118         * dfg/DFGSpeculativeJIT32_64.cpp:
1119         (JSC::DFG::SpeculativeJIT::cachedGetById):
1120         (JSC::DFG::SpeculativeJIT::cachedPutById):
1121         (JSC::DFG::SpeculativeJIT::compile):
1122         * dfg/DFGSpeculativeJIT64.cpp:
1123         (JSC::DFG::SpeculativeJIT::cachedGetById):
1124         (JSC::DFG::SpeculativeJIT::cachedPutById):
1125         (JSC::DFG::SpeculativeJIT::compile):
1126         * jit/CCallHelpers.h:
1127         (JSC::CCallHelpers::setupArgumentsWithExecState):
1128         * jit/JITInlineCacheGenerator.cpp:
1129         (JSC::JITByIdGenerator::JITByIdGenerator):
1130         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1131         * jit/JITInlineCacheGenerator.h:
1132         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1133         * jit/JITOperations.cpp:
1134         * jit/JITOperations.h:
1135         * jit/JITPropertyAccess.cpp:
1136         (JSC::JIT::emit_op_get_by_id):
1137         (JSC::JIT::emit_op_put_by_id):
1138         * jit/JITPropertyAccess32_64.cpp:
1139         (JSC::JIT::emit_op_get_by_id):
1140         (JSC::JIT::emit_op_put_by_id):
1141         * jit/Repatch.cpp:
1142         (JSC::tryCacheGetByID):
1143         (JSC::tryBuildGetByIDList):
1144         (JSC::emitCustomSetterStub):
1145         (JSC::tryCachePutByID):
1146         (JSC::tryBuildPutByIdList):
1147         * jit/SpillRegistersMode.h: Added.
1148         * llint/LLIntSlowPaths.cpp:
1149         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1150         * runtime/Lookup.h:
1151         (JSC::putEntry):
1152         * runtime/PutPropertySlot.h:
1153         (JSC::PutPropertySlot::setCacheableCustomProperty):
1154         (JSC::PutPropertySlot::customSetter):
1155         (JSC::PutPropertySlot::isCacheablePut):
1156         (JSC::PutPropertySlot::isCacheableCustomProperty):
1157         (JSC::PutPropertySlot::cachedOffset):
1158
1159 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
1160
1161         JSCell::m_gcData should encode its information differently
1162         https://bugs.webkit.org/show_bug.cgi?id=129741
1163
1164         Reviewed by Geoffrey Garen.
1165
1166         We want to keep track of three GC states for an object:
1167
1168         1. Not marked (which implies not in the remembered set)
1169         2. Marked but not in the remembered set
1170         3. Marked and in the remembered set
1171         
1172         Currently we only indicate marked vs. not marked in JSCell::m_gcData. During a write 
1173         barrier, we only want to take the slow path if the object being stored to is in state #2. 
1174         We'd like to make the test for state #2 as fast as possible, which means making it a 
1175         compare against 0.
1176
1177         * dfg/DFGOSRExitCompilerCommon.cpp:
1178         (JSC::DFG::osrWriteBarrier):
1179         * dfg/DFGSpeculativeJIT.cpp:
1180         (JSC::DFG::SpeculativeJIT::checkMarkByte):
1181         (JSC::DFG::SpeculativeJIT::writeBarrier):
1182         * dfg/DFGSpeculativeJIT.h:
1183         * dfg/DFGSpeculativeJIT32_64.cpp:
1184         (JSC::DFG::SpeculativeJIT::writeBarrier):
1185         * dfg/DFGSpeculativeJIT64.cpp:
1186         (JSC::DFG::SpeculativeJIT::writeBarrier):
1187         * ftl/FTLLowerDFGToLLVM.cpp:
1188         (JSC::FTL::LowerDFGToLLVM::allocateCell):
1189         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
1190         * heap/Heap.cpp:
1191         (JSC::Heap::clearRememberedSet):
1192         (JSC::Heap::addToRememberedSet):
1193         * jit/AssemblyHelpers.h:
1194         (JSC::AssemblyHelpers::checkMarkByte):
1195         * jit/JIT.h:
1196         * jit/JITPropertyAccess.cpp:
1197         (JSC::JIT::checkMarkByte):
1198         (JSC::JIT::emitWriteBarrier):
1199         * jit/Repatch.cpp:
1200         (JSC::writeBarrier):
1201         * llint/LowLevelInterpreter.asm:
1202         * llint/LowLevelInterpreter32_64.asm:
1203         * llint/LowLevelInterpreter64.asm:
1204         * runtime/JSCell.h:
1205         (JSC::JSCell::mark):
1206         (JSC::JSCell::remember):
1207         (JSC::JSCell::forget):
1208         (JSC::JSCell::isMarked):
1209         (JSC::JSCell::isRemembered):
1210         * runtime/JSCellInlines.h:
1211         (JSC::JSCell::JSCell):
1212         * runtime/StructureIDBlob.h:
1213         (JSC::StructureIDBlob::StructureIDBlob):
1214
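        Added example, not JSC's own code: the three GC states on a one-byte field, with
        the write barrier's fast path reduced to a compare against zero as the entry
        asks for. Encoding "marked but not remembered" as 0 is what the entry requires;
        the values chosen for the other two states, and the Cell/Heap types, are
        assumptions made for this illustration.

```cpp
#include <cstdint>
#include <vector>

// State #2 must be 0 so the barrier test is "byte == 0"; the other two
// values are assumed for this example.
enum GCData : uint8_t {
    Marked = 0,              // state 2: marked, not remembered -> barrier slow path
    NotMarked = 1,           // state 1: not marked (so not remembered either)
    MarkedAndRemembered = 2, // state 3: marked and in the remembered set
};

struct Cell {
    uint8_t gcData = NotMarked;
    void mark() { gcData = Marked; }
    void remember() { gcData = MarkedAndRemembered; }
    void forget() { gcData = Marked; }   // leaving the remembered set keeps the mark
    bool isMarked() const { return gcData != NotMarked; }
    bool isRemembered() const { return gcData == MarkedAndRemembered; }
};

struct Heap {
    std::vector<Cell*> rememberedSet;
    int slowPathCalls = 0;

    // Fast path: one byte load and a compare against zero.
    bool needsBarrierSlowPath(const Cell& owner) const { return owner.gcData == 0; }

    // Slow path: record the owner and flip its state so the next store into
    // it takes the fast path.
    void addToRememberedSet(Cell& owner)
    {
        ++slowPathCalls;
        owner.remember();
        rememberedSet.push_back(&owner);
    }

    void writeBarrier(Cell& owner)
    {
        if (needsBarrierSlowPath(owner))
            addToRememberedSet(owner);
    }

    // At the start of a collection the remembered set is drained; the cells
    // go back to state #2 and will hit the slow path again on the next store.
    void clearRememberedSet()
    {
        for (Cell* cell : rememberedSet)
            cell->forget();
        rememberedSet.clear();
    }
};

// Two stores into an old (marked) object: only the first pays for the slow path.
static int slowPathsForTwoStores()
{
    Heap heap;
    Cell owner;
    owner.mark();
    heap.writeBarrier(owner);
    heap.writeBarrier(owner);
    return heap.slowPathCalls;
}

// A freshly allocated (unmarked) object never takes the slow path.
static int slowPathsForNewObject()
{
    Heap heap;
    Cell owner;
    heap.writeBarrier(owner);
    return heap.slowPathCalls;
}

int main()
{
    return (slowPathsForTwoStores() == 1 && slowPathsForNewObject() == 0) ? 0 : 1;
}
```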
1215 2014-03-05  Filip Pizlo  <fpizlo@apple.com>
1216
1217         More FTL ARM fixes
1218         https://bugs.webkit.org/show_bug.cgi?id=129755
1219
1220         Reviewed by Geoffrey Garen.
1221         
1222         - Be more defensive about inline caches that have degenerate chains.
1223         
1224         - Temporarily switch to allocating all MCJIT memory in the executable pool on non-x86
1225           platforms. The bug tracking the real fix is: https://bugs.webkit.org/show_bug.cgi?id=129756
1226         
1227         - Don't even emit intrinsic declarations on non-x86 platforms.
1228         
1229         - More debug printing support.
1230         
1231         - Don't use vmCall() in the prologue. This should have crashed on all platforms all the time
1232           but somehow it gets lucky on x86.
1233
1234         * bytecode/GetByIdStatus.cpp:
1235         (JSC::GetByIdStatus::appendVariant):
1236         (JSC::GetByIdStatus::computeForChain):
1237         (JSC::GetByIdStatus::computeForStubInfo):
1238         * bytecode/GetByIdStatus.h:
1239         * bytecode/PutByIdStatus.cpp:
1240         (JSC::PutByIdStatus::appendVariant):
1241         (JSC::PutByIdStatus::computeForStubInfo):
1242         * bytecode/PutByIdStatus.h:
1243         * bytecode/StructureSet.h:
1244         (JSC::StructureSet::overlaps):
1245         * ftl/FTLCompile.cpp:
1246         (JSC::FTL::mmAllocateDataSection):
1247         * ftl/FTLDataSection.cpp:
1248         (JSC::FTL::DataSection::DataSection):
1249         (JSC::FTL::DataSection::~DataSection):
1250         * ftl/FTLDataSection.h:
1251         * ftl/FTLLowerDFGToLLVM.cpp:
1252         (JSC::FTL::LowerDFGToLLVM::lower):
1253         * ftl/FTLOutput.h:
1254         (JSC::FTL::Output::doubleSin):
1255         (JSC::FTL::Output::doubleCos):
1256         * runtime/JSCJSValue.cpp:
1257         (JSC::JSValue::dumpInContext):
1258         * runtime/JSCell.h:
1259         (JSC::JSCell::structureID):
1260
1261 2014-03-05  peavo@outlook.com  <peavo@outlook.com>
1262
1263         [Win32][LLINT] Crash when running JSC stress tests.
1264         https://bugs.webkit.org/show_bug.cgi?id=129429
1265
1266         On Windows the reserved stack space consists of committed memory, a guard page, and uncommitted memory,
1267         where the guard page is a barrier between committed and uncommitted memory.
1268         When data from the guard page is read or written, the guard page is moved, and memory is committed.
1269         This is how the system grows the stack.
1270         When using the C stack on Windows we need to precommit the needed stack space.
1271         Otherwise we might crash later if we access uncommitted stack memory.
1272         This can happen if we allocate stack space larger than the page guard size (4K).
1273         The system does not get the chance to move the guard page, and commit more memory,
1274         and we crash if uncommitted memory is accessed.
1275         The MSVC compiler fixes this by inserting a call to the _chkstk() function,
1276         when needed, see http://support.microsoft.com/kb/100775.
1277
1278         Reviewed by Geoffrey Garen.
1279
1280         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Enable LLINT.
1281         * jit/Repatch.cpp:
1282         (JSC::writeBarrier): Compile fix when DFG_JIT is not enabled.
1283         * offlineasm/x86.rb: Compile fix, and small simplification.
1284         * runtime/VM.cpp:
1285         (JSC::preCommitStackMemory): Added function to precommit stack memory.
1286         (JSC::VM::updateStackLimit): Call function to precommit stack memory when stack limit is updated.
1287
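        Added example, not JSC's or Windows' own code: a small model of the reserved
        stack described in the entry (committed pages, one guard page, uncommitted pages)
        that shows why a frame larger than the guard page crashes when its far end is
        touched first, and why touching every page in order, as _chkstk and the entry's
        preCommitStackMemory do, grows the stack safely. The page-state machine and
        the 2-of-16-pages layout are assumptions made for this illustration.

```cpp
#include <cstddef>
#include <vector>

// Index 0 is the page the thread is currently using; the stack grows toward
// higher indexes in this model.
enum class Page { Committed, Guard, Reserved };

struct ReservedStack {
    std::vector<Page> pages;
    int faults = 0;

    ReservedStack(size_t committedPages, size_t totalPages)
        : pages(totalPages, Page::Reserved)
    {
        for (size_t i = 0; i < committedPages; ++i)
            pages[i] = Page::Committed;
        pages[committedPages] = Page::Guard;
    }

    // A read or write of one page. Committed: fine. Guard: the system commits
    // it and moves the guard one page further (this is how the stack grows).
    // Reserved: access violation, i.e. the crash in a real process.
    bool touch(size_t page)
    {
        if (page >= pages.size())
            return false;
        switch (pages[page]) {
        case Page::Committed:
            return true;
        case Page::Guard:
            pages[page] = Page::Committed;
            if (page + 1 < pages.size())
                pages[page + 1] = Page::Guard;
            return true;
        case Page::Reserved:
            ++faults;
            return false;
        }
        return false;
    }
};

// A frame framePages deep whose first access lands at its far end, with no
// probing in between (hand-written assembly without _chkstk).
static bool accessFrameEnd(ReservedStack& stack, size_t currentPage, size_t framePages)
{
    return stack.touch(currentPage + framePages);
}

// What _chkstk and preCommitStackMemory do: touch every page in order, so
// each step lands on the guard page and never jumps past it.
static bool preCommitStackMemory(ReservedStack& stack, size_t currentPage, size_t framePages)
{
    for (size_t page = currentPage + 1; page <= currentPage + framePages; ++page) {
        if (!stack.touch(page))
            return false;
    }
    return true;
}

int main()
{
    ReservedStack unprobed(2, 16);                      // pages 0-1 committed, page 2 is the guard
    bool crashed = !accessFrameEnd(unprobed, 1, 3);     // 3-page frame skips the guard: fault
    ReservedStack probed(2, 16);
    bool ok = preCommitStackMemory(probed, 1, 3) && accessFrameEnd(probed, 1, 3);
    return (crashed && ok) ? 0 : 1;
}
```

        A frame of one page is fine without probing, since its far end is the guard
        page itself; the failure needs a frame larger than the guard page, which is
        the 4K condition the entry names.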
1288 2014-03-05  Michael Saboff  <msaboff@apple.com>
1289
1290         JSDataViewPrototype::getData() and setData() crash on platforms that don't allow unaligned accesses
1291         https://bugs.webkit.org/show_bug.cgi?id=129746
1292
1293         Reviewed by Filip Pizlo.
1294
1295         Changed to use a union to manually assemble or disassemble the various types
1296         from / to the corresponding bytes.  All memory access is now done using
1297         byte accesses.
1298
1299         * runtime/JSDataViewPrototype.cpp:
1300         (JSC::getData):
1301         (JSC::setData):
1302
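        Added example, not JSC's own code: DataView-style getData/setData that reach
        any byte offset using only byte loads and stores, reassembling the value
        through a union as the entry describes, with the bounds check a DataView needs.
        The function signatures, the endianness probe and the sample buffers are
        assumptions made for this illustration; the crashing alternative is a single
        T-sized load such as *(const uint32_t*)(buffer + byteOffset), which faults on
        hardware that rejects unaligned access.

```cpp
#include <cstddef>
#include <cstdint>

static bool hostIsLittleEndian()
{
    union { uint16_t value; uint8_t bytes[2]; } probe = { 0x0102 };
    return probe.bytes[0] == 0x02;
}

// DataView bounds rule: byteOffset + size must fit inside the buffer, written
// so that the addition cannot overflow.
static bool inBounds(size_t byteLength, size_t byteOffset, size_t size)
{
    return byteOffset <= byteLength && byteLength - byteOffset >= size;
}

// Read a T at any byte offset. Every memory access on the buffer is a byte
// access; the union turns the bytes back into a T in host order. (A memcpy
// into a T is the strictly conforming alternative; the union mirrors the
// approach the entry describes.)
template <typename T>
static bool getData(const uint8_t* buffer, size_t byteLength, size_t byteOffset, bool littleEndian, T& out)
{
    if (!inBounds(byteLength, byteOffset, sizeof(T)))
        return false;
    union { T value; uint8_t bytes[sizeof(T)]; } u;
    bool swap = littleEndian != hostIsLittleEndian();
    for (size_t i = 0; i < sizeof(T); ++i)
        u.bytes[swap ? sizeof(T) - 1 - i : i] = buffer[byteOffset + i];
    out = u.value;
    return true;
}

// Write a T at any byte offset, again one byte at a time.
template <typename T>
static bool setData(uint8_t* buffer, size_t byteLength, size_t byteOffset, bool littleEndian, T v)
{
    if (!inBounds(byteLength, byteOffset, sizeof(T)))
        return false;
    union { T value; uint8_t bytes[sizeof(T)]; } u;
    u.value = v;
    bool swap = littleEndian != hostIsLittleEndian();
    for (size_t i = 0; i < sizeof(T); ++i)
        buffer[byteOffset + i] = u.bytes[swap ? sizeof(T) - 1 - i : i];
    return true;
}

int main()
{
    // Constructed 9-byte buffer; offset 1 is misaligned for every type wider than a byte.
    const uint8_t buffer[9] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 };
    uint32_t le = 0, be = 0;
    bool ok = getData<uint32_t>(buffer, sizeof(buffer), 1, true, le)
        && getData<uint32_t>(buffer, sizeof(buffer), 1, false, be);
    return (ok && le == 0x04030201u && be == 0x01020304u) ? 0 : 1;
}
```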
1303 2014-03-05  Filip Pizlo  <fpizlo@apple.com>
1304
1305         FTL loadStructure always generates invalid IR
1306         https://bugs.webkit.org/show_bug.cgi?id=129747
1307
1308         Reviewed by Mark Hahnenberg.
1309
1310         As the comment at the top of FTL::Output states, the FTL doesn't use LLVM's notion
1311         of pointers. LLVM's notion of pointers tries to model C, in the sense that you have
1312         to have a pointer to a type, and you can only load things of that type from that
1313         pointer. Pointer arithmetic is basically not possible except through the bizarre
1314         getelementptr operator. This doesn't fit with how the JS object model works since
1315         the JS object model doesn't consist of nice and tidy C types placed in C arrays.
1316         Also, it would be impossible to use getelementptr and LLVM pointers for accessing
1317         any of JSC's C or C++ objects unless we went through the exercise of redeclaring
1318         all of our fundamental data structures in LLVM IR as LLVM types. Clang could do
1319         this for us, but that would require that to use the FTL, JSC itself would have to
1320         be compiled with clang. Worse, it would have to be compiled with a clang that uses
1321         a version of LLVM that is compatible with the one against which the FTL is linked.
1322         Yuck!
1323
1324         The solution is to NEVER use LLVM pointers. This has always been the case in the
1325         FTL. But it causes some confusion.
1326         
1327         Not using LLVM pointers means that if the FTL has a "pointer", it's actually a
1328         pointer-wide integer (m_out.intPtr in FTL-speak). The act of "loading" and
1329         "storing" from or to a pointer involves first bitcasting the intPtr to a real LLVM
1330         pointer that has the type that we want. The load and store operations over pointers
1331         are called Output::load* and Output::store*, where * is one of "8", "16", "32",
        "64", "Ptr", "Float", or "Double".
1333         
1334         There is unavoidable confusion here. It would be bizarre for the FTL to call its
1335         "pointer-wide integers" anything other than "pointers", since they are, in all
1336         respects that we care about, simply pointers. But they are *not* LLVM pointers and
1337         they never will be that.
1338         
1339         There is one exception to this "no pointers" rule. The FTL does use actual LLVM
        pointers for referring to LLVM alloca's - i.e. local variables. To try to reduce
1341         confusion, we call these "references". So an "FTL reference" is actually an "LLVM
1342         pointer", while an "FTL pointer" is actually an "LLVM integer". FTL references have
1343         methods for access called Output::get and Output::set. These lower to LLVM load
1344         and store, since FTL references are just LLVM pointers.
1345         
1346         This confusion appears to have led to incorrect code in loadStructure().
1347         loadStructure() was using get() and set() to access FTL pointers. But those methods
1348         don't work on FTL pointers and never will, since they are for FTL references.
1349         
1350         The worst part of this is that it was previously impossible to have test coverage
1351         for the relevant path (MasqueradesAsUndefined) without writing a DRT test. This
1352         patch fixes this by introducing a Masquerader object to jsc.cpp.
1353         
1354         * ftl/FTLAbstractHeapRepository.h: Add an abstract heap for the structure table.
1355         * ftl/FTLLowerDFGToLLVM.cpp:
1356         (JSC::FTL::LowerDFGToLLVM::loadStructure): This was wrong.
        * ftl/FTLOutput.h: Add a comment to dissuade people from using get() and set().
1358         * jsc.cpp: Give us the power to test for MasqueradesAsUndefined.
1359         (WTF::Masquerader::Masquerader):
1360         (WTF::Masquerader::create):
1361         (WTF::Masquerader::createStructure):
1362         (GlobalObject::finishCreation):
1363         (functionMakeMasquerader):
1364         * tests/stress/equals-masquerader.js: Added.
1365         (foo):
1366         (test):
1367
1368 2014-03-05  Anders Carlsson  <andersca@apple.com>
1369
1370         Tweak after r165109 to avoid extra copies
1371         https://bugs.webkit.org/show_bug.cgi?id=129745
1372
1373         Reviewed by Geoffrey Garen.
1374
1375         * heap/Heap.cpp:
1376         (JSC::Heap::visitProtectedObjects):
1377         (JSC::Heap::visitTempSortVectors):
1378         (JSC::Heap::clearRememberedSet):
1379         * heap/Heap.h:
1380         (JSC::Heap::forEachProtectedCell):
1381
1382 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
1383
        DFGStoreBarrierElisionPhase should use GCState directly instead of m_gcClobberSet when calling writesOverlap()
1385         https://bugs.webkit.org/show_bug.cgi?id=129717
1386
1387         Reviewed by Filip Pizlo.
1388
1389         * dfg/DFGStoreBarrierElisionPhase.cpp:
1390         (JSC::DFG::StoreBarrierElisionPhase::StoreBarrierElisionPhase):
1391         (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC):
1392
1393 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
1394
1395         Use range-based loops where possible in Heap methods
1396         https://bugs.webkit.org/show_bug.cgi?id=129513
1397
1398         Reviewed by Mark Lam.
1399
1400         Replace old school iterator based loops with the new range-based loop hotness
1401         for a better tomorrow.
1402
1403         * heap/CodeBlockSet.cpp:
1404         (JSC::CodeBlockSet::~CodeBlockSet):
1405         (JSC::CodeBlockSet::clearMarks):
1406         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
1407         (JSC::CodeBlockSet::traceMarked):
1408         * heap/Heap.cpp:
1409         (JSC::Heap::visitProtectedObjects):
1410         (JSC::Heap::visitTempSortVectors):
1411         (JSC::Heap::clearRememberedSet):
1412         * heap/Heap.h:
1413         (JSC::Heap::forEachProtectedCell):
1414
1415 2014-03-04  Filip Pizlo  <fpizlo@apple.com>
1416
1417         DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
1418         https://bugs.webkit.org/show_bug.cgi?id=129563
1419
1420         Reviewed by Geoffrey Garen.
1421         
1422         Rolling this back in after fixing an assertion failure. speculateMisc() should have
1423         said DFG_TYPE_CHECK instead of typeCheck.
1424         
1425         This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
1426         when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
1427         user of this was EarleyBoyer, and in that benchmark what it was really doing was
1428         comparing undefined, null, and booleans to each other.
1429         
1430         This also adds support for miscellaneous things that I needed to make my various test
1431         cases work. This includes comparison over booleans and the various Throw-related node
1432         types.
1433         
1434         This also improves constant folding of CompareStrictEq and CompareEq.
1435         
1436         Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
1437         based on profiling, which caused some downstream badness. We don't actually support
1438         compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
1439         emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
1440         shouldn't factor out the bounds check since the access is not InBounds but then the
1441         backend would ignore the flag and assume that the bounds check was already emitted.
1442         This showed up on an existing test but I added a test for this explicitly to have more
1443         certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
1444         that we'll have a bounds check anyway.
1445         
1446         This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
1447         general progressions across the board. No speed-up yet on EarleyBoyer, since there is
1448         still a lot more coverage work to be done there.
1449
1450         * bytecode/SpeculatedType.cpp:
1451         (JSC::speculationToAbbreviatedString):
1452         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
1453         (JSC::valuesCouldBeEqual):
1454         * bytecode/SpeculatedType.h:
1455         (JSC::isMiscSpeculation):
1456         * dfg/DFGAbstractInterpreterInlines.h:
1457         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1458         * dfg/DFGArrayMode.cpp:
1459         (JSC::DFG::ArrayMode::refine):
1460         * dfg/DFGArrayMode.h:
1461         * dfg/DFGFixupPhase.cpp:
1462         (JSC::DFG::FixupPhase::fixupNode):
1463         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
1464         * dfg/DFGNode.h:
1465         (JSC::DFG::Node::shouldSpeculateMisc):
1466         * dfg/DFGSafeToExecute.h:
1467         (JSC::DFG::SafeToExecuteEdge::operator()):
1468         * dfg/DFGSpeculativeJIT.cpp:
1469         (JSC::DFG::SpeculativeJIT::compileStrictEq):
1470         (JSC::DFG::SpeculativeJIT::speculateMisc):
1471         (JSC::DFG::SpeculativeJIT::speculate):
1472         * dfg/DFGSpeculativeJIT.h:
1473         * dfg/DFGSpeculativeJIT32_64.cpp:
1474         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
1475         * dfg/DFGSpeculativeJIT64.cpp:
1476         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
1477         * dfg/DFGUseKind.cpp:
1478         (WTF::printInternal):
1479         * dfg/DFGUseKind.h:
1480         (JSC::DFG::typeFilterFor):
1481         * ftl/FTLCapabilities.cpp:
1482         (JSC::FTL::canCompile):
1483         * ftl/FTLLowerDFGToLLVM.cpp:
1484         (JSC::FTL::LowerDFGToLLVM::compileNode):
1485         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
1486         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
1487         (JSC::FTL::LowerDFGToLLVM::compileThrow):
1488         (JSC::FTL::LowerDFGToLLVM::isNotMisc):
1489         (JSC::FTL::LowerDFGToLLVM::isMisc):
1490         (JSC::FTL::LowerDFGToLLVM::speculate):
1491         (JSC::FTL::LowerDFGToLLVM::speculateMisc):
1492         * tests/stress/float32-array-out-of-bounds.js: Added.
1493         * tests/stress/weird-equality-folding-cases.js: Added.
1494
1495 2014-03-04  Commit Queue  <commit-queue@webkit.org>
1496
1497         Unreviewed, rolling out r165085.
1498         http://trac.webkit.org/changeset/165085
1499         https://bugs.webkit.org/show_bug.cgi?id=129729
1500
1501         Broke imported/w3c/html-templates/template-element/template-
1502         content.html (Requested by ap on #webkit).
1503
1504         * bytecode/SpeculatedType.cpp:
1505         (JSC::speculationToAbbreviatedString):
1506         * bytecode/SpeculatedType.h:
1507         * dfg/DFGAbstractInterpreterInlines.h:
1508         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1509         * dfg/DFGArrayMode.cpp:
1510         (JSC::DFG::ArrayMode::refine):
1511         * dfg/DFGArrayMode.h:
1512         * dfg/DFGFixupPhase.cpp:
1513         (JSC::DFG::FixupPhase::fixupNode):
1514         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
1515         * dfg/DFGNode.h:
1516         (JSC::DFG::Node::shouldSpeculateBoolean):
1517         * dfg/DFGSafeToExecute.h:
1518         (JSC::DFG::SafeToExecuteEdge::operator()):
1519         * dfg/DFGSpeculativeJIT.cpp:
1520         (JSC::DFG::SpeculativeJIT::compileStrictEq):
1521         (JSC::DFG::SpeculativeJIT::speculate):
1522         * dfg/DFGSpeculativeJIT.h:
1523         * dfg/DFGSpeculativeJIT32_64.cpp:
1524         * dfg/DFGSpeculativeJIT64.cpp:
1525         * dfg/DFGUseKind.cpp:
1526         (WTF::printInternal):
1527         * dfg/DFGUseKind.h:
1528         (JSC::DFG::typeFilterFor):
1529         * ftl/FTLCapabilities.cpp:
1530         (JSC::FTL::canCompile):
1531         * ftl/FTLLowerDFGToLLVM.cpp:
1532         (JSC::FTL::LowerDFGToLLVM::compileNode):
1533         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
1534         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
1535         (JSC::FTL::LowerDFGToLLVM::speculate):
1536         * tests/stress/float32-array-out-of-bounds.js: Removed.
1537         * tests/stress/weird-equality-folding-cases.js: Removed.
1538
1539 2014-03-04  Brian Burg  <bburg@apple.com>
1540
1541         Inspector does not restore breakpoints after a page reload
1542         https://bugs.webkit.org/show_bug.cgi?id=129655
1543
1544         Reviewed by Joseph Pecoraro.
1545
1546         Fix a regression introduced by r162096 that erroneously removed
1547         the inspector backend's mapping of files to breakpoints whenever the
1548         global object was cleared.
1549
1550         The inspector's breakpoint mappings should only be cleared when the
1551         debugger agent is disabled or destroyed. We should only clear the
1552         debugger's breakpoint state when the global object is cleared.
1553
1554         To make it clearer what state is being cleared, the two cases have
1555         been split into separate methods.
1556
1557         * inspector/agents/InspectorDebuggerAgent.cpp:
1558         (Inspector::InspectorDebuggerAgent::disable):
1559         (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
1560         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
1561         (Inspector::InspectorDebuggerAgent::didClearGlobalObject):
1562         * inspector/agents/InspectorDebuggerAgent.h:
1563
1564 2014-03-04  Andreas Kling  <akling@apple.com>
1565
1566         Streamline JSValue::get().
1567         <https://webkit.org/b/129720>
1568
1569         Fetch each Structure and VM only once when walking the prototype chain
1570         in JSObject::getPropertySlot(), then pass it along to the functions
1571         we call from there, so they don't have to re-fetch it.
1572
1573         Reviewed by Geoff Garen.
1574
1575         * runtime/JSObject.h:
1576         (JSC::JSObject::inlineGetOwnPropertySlot):
1577         (JSC::JSObject::fastGetOwnPropertySlot):
1578         (JSC::JSObject::getPropertySlot):
1579
1580 2014-03-01  Filip Pizlo  <fpizlo@apple.com>
1581
1582         DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
1583         https://bugs.webkit.org/show_bug.cgi?id=129563
1584
1585         Reviewed by Geoffrey Garen.
1586         
1587         This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
1588         when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
1589         user of this was EarleyBoyer, and in that benchmark what it was really doing was
1590         comparing undefined, null, and booleans to each other.
1591         
1592         This also adds support for miscellaneous things that I needed to make my various test
1593         cases work. This includes comparison over booleans and the various Throw-related node
1594         types.
1595         
1596         This also improves constant folding of CompareStrictEq and CompareEq.
1597         
1598         Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
1599         based on profiling, which caused some downstream badness. We don't actually support
1600         compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
1601         emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
1602         shouldn't factor out the bounds check since the access is not InBounds but then the
1603         backend would ignore the flag and assume that the bounds check was already emitted.
1604         This showed up on an existing test but I added a test for this explicitly to have more
1605         certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
1606         that we'll have a bounds check anyway.
1607         
1608         This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
1609         general progressions across the board. No speed-up yet on EarleyBoyer, since there is
1610         still a lot more coverage work to be done there.
1611
1612         * bytecode/SpeculatedType.cpp:
1613         (JSC::speculationToAbbreviatedString):
1614         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
1615         (JSC::valuesCouldBeEqual):
1616         * bytecode/SpeculatedType.h:
1617         (JSC::isMiscSpeculation):
1618         * dfg/DFGAbstractInterpreterInlines.h:
1619         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1620         * dfg/DFGFixupPhase.cpp:
1621         (JSC::DFG::FixupPhase::fixupNode):
1622         * dfg/DFGNode.h:
1623         (JSC::DFG::Node::shouldSpeculateMisc):
1624         * dfg/DFGSafeToExecute.h:
1625         (JSC::DFG::SafeToExecuteEdge::operator()):
1626         * dfg/DFGSpeculativeJIT.cpp:
1627         (JSC::DFG::SpeculativeJIT::compileStrictEq):
1628         (JSC::DFG::SpeculativeJIT::speculateMisc):
1629         (JSC::DFG::SpeculativeJIT::speculate):
1630         * dfg/DFGSpeculativeJIT.h:
1631         * dfg/DFGSpeculativeJIT32_64.cpp:
1632         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
1633         * dfg/DFGSpeculativeJIT64.cpp:
1634         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
1635         * dfg/DFGUseKind.cpp:
1636         (WTF::printInternal):
1637         * dfg/DFGUseKind.h:
1638         (JSC::DFG::typeFilterFor):
1639         * ftl/FTLCapabilities.cpp:
1640         (JSC::FTL::canCompile):
1641         * ftl/FTLLowerDFGToLLVM.cpp:
1642         (JSC::FTL::LowerDFGToLLVM::compileNode):
1643         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
1644         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
1645         (JSC::FTL::LowerDFGToLLVM::compileThrow):
1646         (JSC::FTL::LowerDFGToLLVM::isNotMisc):
1647         (JSC::FTL::LowerDFGToLLVM::isMisc):
1648         (JSC::FTL::LowerDFGToLLVM::speculate):
1649         (JSC::FTL::LowerDFGToLLVM::speculateMisc):
1650         * tests/stress/float32-array-out-of-bounds.js: Added.
1651         * tests/stress/weird-equality-folding-cases.js: Added.
1652
1653 2014-03-04  Andreas Kling  <akling@apple.com>
1654
1655         Spam static branch prediction hints on JS bindings.
1656         <https://webkit.org/b/129703>
1657
1658         Add LIKELY hint to jsDynamicCast since it's always used in a context
1659         where we expect it to succeed and takes an error path when it doesn't.
1660
1661         Reviewed by Geoff Garen.
1662
1663         * runtime/JSCell.h:
1664         (JSC::jsDynamicCast):
1665
1666 2014-03-04  Andreas Kling  <akling@apple.com>
1667
1668         Get to Structures more efficiently in JSCell::methodTable().
1669         <https://webkit.org/b/129702>
1670
1671         In JSCell::methodTable(), get the VM once and pass that along to
1672         structure(VM&) instead of using the heavier structure().
1673
1674         In JSCell::methodTable(VM&), replace calls to structure() with
1675         calls to structure(VM&).
1676
1677         Reviewed by Mark Hahnenberg.
1678
1679         * runtime/JSCellInlines.h:
1680         (JSC::JSCell::methodTable):
1681
1682 2014-03-04  Joseph Pecoraro  <pecoraro@apple.com>
1683
1684         Web Inspector: Listen for the XPC_ERROR_CONNECTION_INVALID event to deref
1685         https://bugs.webkit.org/show_bug.cgi?id=129697
1686
1687         Reviewed by Timothy Hatcher.
1688
1689         * inspector/remote/RemoteInspectorXPCConnection.mm:
1690         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
1691         (Inspector::RemoteInspectorXPCConnection::handleEvent):
1692
1693 2014-03-04  Mark Hahnenberg  <mhahnenberg@apple.com>
1694
1695         Merge API shims and JSLock
1696         https://bugs.webkit.org/show_bug.cgi?id=129650
1697
1698         Reviewed by Mark Lam.
1699
1700         JSLock is now taking on all of APIEntryShim's responsibilities since there is never a reason 
1701         to take just the JSLock. Ditto for DropAllLocks and APICallbackShim.
1702
1703         * API/APICallbackFunction.h:
1704         (JSC::APICallbackFunction::call):
1705         (JSC::APICallbackFunction::construct):
1706         * API/APIShims.h: Removed.
1707         * API/JSBase.cpp:
1708         (JSEvaluateScript):
1709         (JSCheckScriptSyntax):
1710         (JSGarbageCollect):
1711         (JSReportExtraMemoryCost):
1712         (JSSynchronousGarbageCollectForDebugging):
1713         * API/JSCallbackConstructor.cpp:
1714         * API/JSCallbackFunction.cpp:
1715         * API/JSCallbackObjectFunctions.h:
1716         (JSC::JSCallbackObject<Parent>::init):
1717         (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
1718         (JSC::JSCallbackObject<Parent>::put):
1719         (JSC::JSCallbackObject<Parent>::putByIndex):
1720         (JSC::JSCallbackObject<Parent>::deleteProperty):
1721         (JSC::JSCallbackObject<Parent>::construct):
1722         (JSC::JSCallbackObject<Parent>::customHasInstance):
1723         (JSC::JSCallbackObject<Parent>::call):
1724         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
1725         (JSC::JSCallbackObject<Parent>::getStaticValue):
1726         (JSC::JSCallbackObject<Parent>::callbackGetter):
1727         * API/JSContext.mm:
1728         (-[JSContext setException:]):
1729         (-[JSContext wrapperForObjCObject:]):
1730         (-[JSContext wrapperForJSObject:]):
1731         * API/JSContextRef.cpp:
1732         (JSContextGroupRelease):
1733         (JSContextGroupSetExecutionTimeLimit):
1734         (JSContextGroupClearExecutionTimeLimit):
1735         (JSGlobalContextCreateInGroup):
1736         (JSGlobalContextRetain):
1737         (JSGlobalContextRelease):
1738         (JSContextGetGlobalObject):
1739         (JSContextGetGlobalContext):
1740         (JSGlobalContextCopyName):
1741         (JSGlobalContextSetName):
1742         * API/JSManagedValue.mm:
1743         (-[JSManagedValue value]):
1744         * API/JSObjectRef.cpp:
1745         (JSObjectMake):
1746         (JSObjectMakeFunctionWithCallback):
1747         (JSObjectMakeConstructor):
1748         (JSObjectMakeFunction):
1749         (JSObjectMakeArray):
1750         (JSObjectMakeDate):
1751         (JSObjectMakeError):
1752         (JSObjectMakeRegExp):
1753         (JSObjectGetPrototype):
1754         (JSObjectSetPrototype):
1755         (JSObjectHasProperty):
1756         (JSObjectGetProperty):
1757         (JSObjectSetProperty):
1758         (JSObjectGetPropertyAtIndex):
1759         (JSObjectSetPropertyAtIndex):
1760         (JSObjectDeleteProperty):
1761         (JSObjectGetPrivateProperty):
1762         (JSObjectSetPrivateProperty):
1763         (JSObjectDeletePrivateProperty):
1764         (JSObjectIsFunction):
1765         (JSObjectCallAsFunction):
1766         (JSObjectCallAsConstructor):
1767         (JSObjectCopyPropertyNames):
1768         (JSPropertyNameArrayRelease):
1769         (JSPropertyNameAccumulatorAddName):
1770         * API/JSScriptRef.cpp:
1771         * API/JSValue.mm:
1772         (isDate):
1773         (isArray):
1774         (containerValueToObject):
1775         (valueToArray):
1776         (valueToDictionary):
1777         (objectToValue):
1778         * API/JSValueRef.cpp:
1779         (JSValueGetType):
1780         (JSValueIsUndefined):
1781         (JSValueIsNull):
1782         (JSValueIsBoolean):
1783         (JSValueIsNumber):
1784         (JSValueIsString):
1785         (JSValueIsObject):
1786         (JSValueIsObjectOfClass):
1787         (JSValueIsEqual):
1788         (JSValueIsStrictEqual):
1789         (JSValueIsInstanceOfConstructor):
1790         (JSValueMakeUndefined):
1791         (JSValueMakeNull):
1792         (JSValueMakeBoolean):
1793         (JSValueMakeNumber):
1794         (JSValueMakeString):
1795         (JSValueMakeFromJSONString):
1796         (JSValueCreateJSONString):
1797         (JSValueToBoolean):
1798         (JSValueToNumber):
1799         (JSValueToStringCopy):
1800         (JSValueToObject):
1801         (JSValueProtect):
1802         (JSValueUnprotect):
1803         * API/JSVirtualMachine.mm:
1804         (-[JSVirtualMachine addManagedReference:withOwner:]):
1805         (-[JSVirtualMachine removeManagedReference:withOwner:]):
1806         * API/JSWeakObjectMapRefPrivate.cpp:
1807         * API/JSWrapperMap.mm:
1808         (constructorHasInstance):
1809         (makeWrapper):
1810         (tryUnwrapObjcObject):
1811         * API/ObjCCallbackFunction.mm:
1812         (JSC::objCCallbackFunctionCallAsFunction):
1813         (JSC::objCCallbackFunctionCallAsConstructor):
1814         (objCCallbackFunctionForInvocation):
1815         * CMakeLists.txt:
1816         * ForwardingHeaders/JavaScriptCore/APIShims.h: Removed.
1817         * GNUmakefile.list.am:
1818         * JavaScriptCore.xcodeproj/project.pbxproj:
1819         * dfg/DFGWorklist.cpp:
1820         * heap/DelayedReleaseScope.h:
1821         (JSC::DelayedReleaseScope::~DelayedReleaseScope):
1822         * heap/HeapTimer.cpp:
1823         (JSC::HeapTimer::timerDidFire):
1824         (JSC::HeapTimer::timerEvent):
1825         * heap/IncrementalSweeper.cpp:
1826         * inspector/InjectedScriptModule.cpp:
1827         (Inspector::InjectedScriptModule::ensureInjected):
1828         * jsc.cpp:
1829         (jscmain):
1830         * runtime/GCActivityCallback.cpp:
1831         (JSC::DefaultGCActivityCallback::doWork):
1832         * runtime/JSGlobalObjectDebuggable.cpp:
1833         (JSC::JSGlobalObjectDebuggable::connect):
1834         (JSC::JSGlobalObjectDebuggable::disconnect):
1835         (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
1836         * runtime/JSLock.cpp:
1837         (JSC::JSLock::lock):
1838         (JSC::JSLock::didAcquireLock):
1839         (JSC::JSLock::unlock):
1840         (JSC::JSLock::willReleaseLock):
1841         (JSC::JSLock::DropAllLocks::DropAllLocks):
1842         (JSC::JSLock::DropAllLocks::~DropAllLocks):
1843         * runtime/JSLock.h:
1844         * testRegExp.cpp:
1845         (realMain):
1846
1847 2014-03-04  Commit Queue  <commit-queue@webkit.org>
1848
1849         Unreviewed, rolling out r164812.
1850         http://trac.webkit.org/changeset/164812
1851         https://bugs.webkit.org/show_bug.cgi?id=129699
1852
1853         it made things run slower (Requested by pizlo on #webkit).
1854
1855         * interpreter/Interpreter.cpp:
1856         (JSC::Interpreter::execute):
1857         * jsc.cpp:
1858         (GlobalObject::finishCreation):
1859         * runtime/BatchedTransitionOptimizer.h:
1860         (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
1861         (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
1862
1863 2014-03-02  Filip Pizlo  <fpizlo@apple.com>
1864
1865         GetMyArgumentByVal in FTL
1866         https://bugs.webkit.org/show_bug.cgi?id=128850
1867
1868         Reviewed by Oliver Hunt.
1869         
1870         This would have been easy if the OSR exit compiler's arity checks hadn't been wrong.
1871         They checked arity by doing "exec->argumentCount == codeBlock->numParameters", which
1872         caused it to think that the arity check had failed if the caller had passed more
1873         arguments than needed. This would cause the call frame copying to sort of go into
1874         reverse (because the amount-by-which-we-failed-arity would have opposite sign,
1875         throwing off a bunch of math) and the stack would end up being corrupted.
1876         
1877         The bug was revealed by two existing tests although as far as I could tell, neither
1878         test was intending to cover this case directly. So, I added a new test.
1879
1880         * ftl/FTLCapabilities.cpp:
1881         (JSC::FTL::canCompile):
1882         * ftl/FTLLowerDFGToLLVM.cpp:
1883         (JSC::FTL::LowerDFGToLLVM::compileNode):
1884         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
1885         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
1886         (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated):
1887         (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated):
1888         * ftl/FTLOSRExitCompiler.cpp:
1889         (JSC::FTL::compileStub):
1890         * ftl/FTLState.h:
1891         * tests/stress/exit-from-ftl-when-caller-passed-extra-args-then-use-function-dot-arguments.js: Added.
1892         * tests/stress/ftl-get-my-argument-by-val-inlined-and-not-inlined.js: Added.
1893         * tests/stress/ftl-get-my-argument-by-val-inlined.js: Added.
1894         * tests/stress/ftl-get-my-argument-by-val.js: Added.
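
The sign problem the entry describes, as an added example that is not code from the entry or from JavaScriptCore: a constructed model in which Frame, ArityFixup, rebuildFrame and the two check functions are hypothetical names, contrasting the "==" arity check with the corrected one.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed model (not JavaScriptCore's code) of the arity check an OSR exit
// performs before it rebuilds the callee's frame. Only the check and the padding
// step are modelled; Frame, ArityFixup and the helpers are hypothetical names.
struct Frame {
    std::vector<int64_t> arguments; // arguments as the caller pushed them
};

struct ArityFixup {
    bool failed; // did the callee get fewer arguments than it declares?
    long delta;  // number of slots the fixup must pad; must never be negative
};

// The check the entry describes as wrong: any mismatch counts as a failure, so a
// caller passing extra arguments yields a negative delta.
ArityFixup buggyArityCheck(size_t argumentCount, size_t numParameters)
{
    if (argumentCount == numParameters)
        return { false, 0 };
    return { true, static_cast<long>(numParameters) - static_cast<long>(argumentCount) };
}

// Corrected check: arity fails only when too few arguments were passed, so delta
// is always positive whenever failed is true.
ArityFixup fixedArityCheck(size_t argumentCount, size_t numParameters)
{
    if (argumentCount >= numParameters)
        return { false, 0 };
    return { true, static_cast<long>(numParameters - argumentCount) };
}

constexpr int64_t kUndefined = -1; // tag standing in for JS undefined in this model

enum class RebuildStatus { Ok, WouldCorruptStack };

// Rebuild the frame for the callee: pad missing parameters with undefined. A
// negative delta means the copy would run backwards over the caller's slots; the
// model refuses instead of emulating the corruption.
RebuildStatus rebuildFrame(const Frame& caller, size_t numParameters,
                           ArityFixup (*check)(size_t, size_t), Frame& out)
{
    ArityFixup fix = check(caller.arguments.size(), numParameters);
    out = caller;
    if (!fix.failed)
        return RebuildStatus::Ok;
    if (fix.delta < 0)
        return RebuildStatus::WouldCorruptStack;
    out.arguments.insert(out.arguments.end(), static_cast<size_t>(fix.delta), kUndefined);
    return RebuildStatus::Ok;
}
```

With three arguments passed to a two-parameter callee, the buggy check reports a failed arity check with delta -1, which is exactly the reversed copy the entry blames for the corrupted stack; the fixed check leaves the frame untouched.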
1895
1896 2014-03-04  Zan Dobersek  <zdobersek@igalia.com>
1897
1898         [GTK] Build the Udis86 disassembler
1899         https://bugs.webkit.org/show_bug.cgi?id=129679
1900
1901         Reviewed by Michael Saboff.
1902
1903         * GNUmakefile.am: Generate the Udis86-related derived sources. Distribute the required files.
1904         * GNUmakefile.list.am: Add the Udis86 disassembler files to the build.
1905
1906 2014-03-04  Andreas Kling  <akling@apple.com>
1907
1908         Fix too-narrow assertion I added in r165054.
1909
1910         It's okay for a 1-character string to come in here. This will happen
1911         if the VM small string optimization doesn't apply (ch > 0xFF).
1912
1913         * runtime/JSString.h:
1914         (JSC::jsStringWithWeakOwner):
1915
1916 2014-03-04  Andreas Kling  <akling@apple.com>
1917
1918         Micro-optimize Strings in JS bindings.
1919         <https://webkit.org/b/129673>
1920
1921         Make jsStringWithWeakOwner() take a StringImpl& instead of a String.
1922         This avoids branches in length() and operator[].
1923
1924         Also call JSString::create() directly instead of jsString() and just
1925         assert that the string length is >1. This way we don't duplicate the
1926         optimizations for empty and single-character strings.
1927
1928         Reviewed by Ryosuke Niwa.
1929
1930         * runtime/JSString.h:
1931         (JSC::jsStringWithWeakOwner):
1932
1933 2014-03-04  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
1934
1935         Implement Number.prototype.clz()
1936         https://bugs.webkit.org/show_bug.cgi?id=129479
1937
1938         Reviewed by Oliver Hunt.
1939
1940         Implemented Number.prototype.clz() as specified in the ES6 standard.
1941
1942         * runtime/NumberPrototype.cpp:
1943         (JSC::numberProtoFuncClz):
1944
1945 2014-03-03  Joseph Pecoraro  <pecoraro@apple.com>
1946
1947         Web Inspector: Avoid too early deref caused by RemoteInspectorXPCConnection::close
1948         https://bugs.webkit.org/show_bug.cgi?id=129631
1949
1950         Reviewed by Timothy Hatcher.
1951
1952         Avoid deref() too early if a client calls close(). The xpc_connection_close
1953         will cause another XPC_ERROR event to come in from the queue, deref then.
1954         Likewise, protect multithreaded access to m_client. If a client calls
1955         close() we want to immediately clear the pointer to prevent calls to it.
1956
1957         Overall the multi-threading aspects of RemoteInspectorXPCConnection are
1958         growing too complicated for probably little benefit. We may want to
1959         clean this up later.
1960
1961         * inspector/remote/RemoteInspector.mm:
1962         (Inspector::RemoteInspector::xpcConnectionFailed):
1963         * inspector/remote/RemoteInspectorXPCConnection.h:
1964         * inspector/remote/RemoteInspectorXPCConnection.mm:
1965         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
1966         (Inspector::RemoteInspectorXPCConnection::close):
1967         (Inspector::RemoteInspectorXPCConnection::closeOnQueue):
1968         (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
1969         (Inspector::RemoteInspectorXPCConnection::handleEvent):
1970         (Inspector::RemoteInspectorXPCConnection::sendMessage):
1971
1972 2014-03-03  Michael Saboff  <msaboff@apple.com>
1973
1974         AbstractMacroAssembler::CachedTempRegister should start out invalid
1975         https://bugs.webkit.org/show_bug.cgi?id=129657
1976
1977         Reviewed by Filip Pizlo.
1978
1979         * assembler/AbstractMacroAssembler.h:
1980         (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
1981         - Invalidate all cached registers in constructor as we don't know the
1982           contents of any register at the entry to the code we are going to
1983           generate.
1984
1985 2014-03-03  Andreas Kling  <akling@apple.com>
1986
1987         StructureOrOffset should be fastmalloced.
1988         <https://webkit.org/b/129640>
1989
1990         Reviewed by Geoffrey Garen.
1991
1992         * runtime/StructureIDTable.h:
1993
1994 2014-03-03  Michael Saboff  <msaboff@apple.com>
1995
1996         Crash in JIT code while watching a video @ storyboard.tumblr.com
1997         https://bugs.webkit.org/show_bug.cgi?id=129635
1998
1999         Reviewed by Filip Pizlo.
2000
2001         Clear m_set before we set bits in the TempRegisterSet(const RegisterSet& other)
2002         constructor.
2003
2004         * jit/TempRegisterSet.cpp:
2005         (JSC::TempRegisterSet::TempRegisterSet): Clear map before setting it.
2006         * jit/TempRegisterSet.h:
2007         (JSC::TempRegisterSet::TempRegisterSet): Use new clearAll() helper.
2008         (JSC::TempRegisterSet::clearAll): New private helper.
2009
2010 2014-03-03  Benjamin Poulain  <benjamin@webkit.org>
2011
2012         [x86] Improve code generation of byte test
2013         https://bugs.webkit.org/show_bug.cgi?id=129597
2014
2015         Reviewed by Geoffrey Garen.
2016
2017         When possible, test the 8 bit register to itself instead of comparing it
2018         to a literal.
2019
2020         * assembler/MacroAssemblerX86Common.h:
2021         (JSC::MacroAssemblerX86Common::test32):
2022
2023 2014-03-03  Mark Lam  <mark.lam@apple.com>
2024
2025         Web Inspector: debugger statements do not break.
2026         <https://webkit.org/b/129524>
2027
2028         Reviewed by Geoff Garen.
2029
2030         Since we no longer call op_debug hooks unless there is a debugger request
2031         made on the CodeBlock, the op_debug for the debugger statement never gets
2032         serviced.
2033
2034         With this fix, we check in the CodeBlock constructor if any debugger
2035         statements are present.  If so, we set a m_hasDebuggerStatement flag that
2036         causes the CodeBlock to show as having debugger requests.  Hence,
2037         breaking at debugger statements is now restored.
2038
2039         * bytecode/CodeBlock.cpp:
2040         (JSC::CodeBlock::CodeBlock):
2041         * bytecode/CodeBlock.h:
2042         (JSC::CodeBlock::hasDebuggerRequests):
2043         (JSC::CodeBlock::clearDebuggerRequests):
2044
2045 2014-03-03  Mark Lam  <mark.lam@apple.com>
2046
2047         ASSERTION FAILED: m_numBreakpoints >= numBreakpoints when deleting breakpoints.
2048         <https://webkit.org/b/129393>
2049
2050         Reviewed by Geoffrey Garen.
2051
2052         The issue manifests because the debugger will iterate all CodeBlocks in
2053         the heap when setting / clearing breakpoints, but it is possible for a
2054         CodeBlock to have been instantiated but not yet registered with the
2055         debugger.  This can happen because of the following:
2056
2057         1. DFG worklist compilation is still in progress, and the target
2058            codeBlock is not ready for installation in its executable yet.
2059
2060         2. DFG compilation failed and we have a codeBlock that will never be
2061            installed in its executable, and the codeBlock has not been cleaned
2062            up by the GC yet.
2063
2064         The code for installing the codeBlock in its executable is the same code
2065         that registers it with the debugger.  Hence, these codeBlocks are not
2066         registered with the debugger, and any pending breakpoints that would map
2067         to that CodeBlock are as yet unset or will never be set.  As such, an
2068         attempt to remove a breakpoint in that CodeBlock will fail that assertion.
2069
2070         To fix this, we do the following:
2071
2072         1. We'll eagerly clean up any zombie CodeBlocks due to failed DFG / FTL
2073            compilation.  This is achieved by providing a
2074            DeferredCompilationCallback::compilationDidComplete() that does this
2075         clean up, and have all subclasses call it at the end of their
2076            compilationDidComplete() methods.
2077
2078         2. Before the debugger or profiler iterates CodeBlocks in the heap, they
2079            will wait for all compilations to complete before proceeding.  This
2080            ensures that:
2081            1. any zombie CodeBlocks would have been cleaned up, and won't be
2082               seen by the debugger or profiler.
2083            2. all CodeBlocks that the debugger and profiler needs to operate on
2084               will be "ready" for whatever needs to be done to them e.g.
2085               jettisoning of DFG codeBlocks.
2086
2087         * bytecode/DeferredCompilationCallback.cpp:
2088         (JSC::DeferredCompilationCallback::compilationDidComplete):
2089         * bytecode/DeferredCompilationCallback.h:
2090         - Provide default implementation method to clean up zombie CodeBlocks.
2091
2092         * debugger/Debugger.cpp:
2093         (JSC::Debugger::forEachCodeBlock):
2094         - Utility function to iterate CodeBlocks.  It ensures that all compilations
2095           are complete before proceeding.
2096         (JSC::Debugger::setSteppingMode):
2097         (JSC::Debugger::toggleBreakpoint):
2098         (JSC::Debugger::recompileAllJSFunctions):
2099         (JSC::Debugger::clearBreakpoints):
2100         (JSC::Debugger::clearDebuggerRequests):
2101         - Use the utility iterator function.
2102
2103         * debugger/Debugger.h:
2104         * dfg/DFGOperations.cpp:
2105         - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.
2106
2107         * dfg/DFGPlan.cpp:
2108         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
2109         - Remove unneeded code (that was not the best solution anyway) for ensuring
2110           that we don't generate new DFG codeBlocks after enabling the debugger or
2111           profiler.  Now that we wait for compilations to complete before proceeding
2112           with debugger and profiler work, this scenario will never happen.
2113
2114         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
2115         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
2116         - Call the super class method to clean up zombie codeBlocks.
2117
2118         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
2119         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
2120         - Call the super class method to clean up zombie codeBlocks.
2121
2122         * heap/CodeBlockSet.cpp:
2123         (JSC::CodeBlockSet::remove):
2124         * heap/CodeBlockSet.h:
2125         * heap/Heap.h:
2126         (JSC::Heap::removeCodeBlock):
2127         - New method to remove a codeBlock from the codeBlock set.
2128
2129         * jit/JITOperations.cpp:
2130         - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.
2131
2132         * jit/JITToDFGDeferredCompilationCallback.cpp:
2133         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
2134         - Call the super class method to clean up zombie codeBlocks.
2135
2136         * runtime/VM.cpp:
2137         (JSC::VM::waitForCompilationsToComplete):
2138         - Renamed from prepareToDiscardCode() to be clearer about what it does.
2139
2140         (JSC::VM::discardAllCode):
2141         (JSC::VM::releaseExecutableMemory):
2142         (JSC::VM::setEnabledProfiler):
2143         - Wait for compilation to complete before enabling the profiler.
2144
2145         * runtime/VM.h:
2146
2147 2014-03-03  Brian Burg  <bburg@apple.com>
2148
2149         Another unreviewed build fix attempt for Windows after r164986.
2150
2151         We never told Visual Studio to copy over the web replay code generator scripts
2152         and the generated headers for JavaScriptCore replay inputs as if they were
2153         private headers.
2154
2155         * JavaScriptCore.vcxproj/copy-files.cmd:
2156
2157 2014-03-03  Brian Burg  <bburg@apple.com>
2158
2159         Web Replay: upstream input storage, capture/replay machinery, and inspector domain
2160         https://bugs.webkit.org/show_bug.cgi?id=128782
2161
2162         Reviewed by Timothy Hatcher.
2163
2164         Alter the replay inputs code generator so that it knows when it is necessary
2165         to include headers for HEAVY_SCALAR types such as WTF::String and WebCore::URL.
2166
2167         * JavaScriptCore.xcodeproj/project.pbxproj:
2168         * replay/scripts/CodeGeneratorReplayInputs.py:
2169         (Framework.fromString):
2170         (Frameworks): Add WTF as an allowed framework for code generation.
2171         (Generator.generate_includes): Include headers for HEAVY_SCALAR types in the header file.
2172         (Generator.generate_includes.declaration):
2173         (Generator.generate_includes.or):
2174         (Generator.generate_type_forward_declarations): Skip HEAVY_SCALAR types.
2175
2176 2014-03-02  Filip Pizlo  <fpizlo@apple.com>
2177
2178         PolymorphicPutByIdList should have a simpler construction API with basically a single entrypoint
2179         https://bugs.webkit.org/show_bug.cgi?id=129591
2180
2181         Reviewed by Michael Saboff.
2182
2183         * bytecode/PolymorphicPutByIdList.cpp:
2184         (JSC::PutByIdAccess::fromStructureStubInfo): This function can figure out the slow path target for itself.
2185         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList): This constructor should be private, only from() should call it.
2186         (JSC::PolymorphicPutByIdList::from):
2187         * bytecode/PolymorphicPutByIdList.h:
2188         (JSC::PutByIdAccess::stubRoutine):
2189         * jit/Repatch.cpp:
2190         (JSC::tryBuildPutByIdList): Don't pass the slow path target since it can be derived from the stubInfo.
2191
2192 2014-03-02  Filip Pizlo  <fpizlo@apple.com>
2193
2194         Debugging improvements from my gbemu investigation session
2195         https://bugs.webkit.org/show_bug.cgi?id=129599
2196
2197         Reviewed by Mark Lam.
2198         
2199         Various improvements from when I was investigating bug 129411.
2200
2201         * bytecode/CodeBlock.cpp:
2202         (JSC::CodeBlock::optimizationThresholdScalingFactor): Make the dataLog() statement print the actual multiplier.
2203         * jsc.cpp:
2204         (GlobalObject::finishCreation):
2205         (functionDescribe): Make describe() return a string rather than printing the string.
2206         (functionDescribeArray): Like describe(), but prints details about arrays.
2207
2208 2014-02-25  Andreas Kling  <akling@apple.com>
2209
2210         JSDOMWindow::commonVM() should return a reference.
2211         <https://webkit.org/b/129293>
2212
2213         Added a DropAllLocks constructor that takes VM& without null checks.
2214
2215         Reviewed by Geoff Garen.
2216
2217 2014-03-02  Mark Lam  <mark.lam@apple.com>
2218
2219         CodeBlock::hasDebuggerRequests() should return a bool instead of an int.
2220         <https://webkit.org/b/129584>
2221
2222         Reviewed by Darin Adler.
2223
2224         * bytecode/CodeBlock.h:
2225         (JSC::CodeBlock::hasDebuggerRequests):
2226
2227 2014-03-02  Mark Lam  <mark.lam@apple.com>
2228
2229         Clean up use of Options::enableConcurrentJIT().
2230         <https://webkit.org/b/129582>
2231
2232         Reviewed by Filip Pizlo.
2233
2234         DFG Driver was conditionally checking Options::enableConcurrentJIT()
2235         only if ENABLE(CONCURRENT_JIT).  Otherwise, it bypasses it with a local
2236         enableConcurrentJIT set to false.
2237
2238         Instead we should configure Options::enableConcurrentJIT() to be false
2239         in Options.cpp if !ENABLE(CONCURRENT_JIT), and DFG Driver should always
2240         check Options::enableConcurrentJIT().  This makes the code read a little
2241         cleaner.
2242
2243         * dfg/DFGDriver.cpp:
2244         (JSC::DFG::compileImpl):
2245         * runtime/Options.cpp:
2246         (JSC::recomputeDependentOptions):
2247
2248 2014-03-01  Filip Pizlo  <fpizlo@apple.com>
2249
2250         This shouldn't have been a layout test since it runs only under jsc. Moving it to JSC
2251         stress tests.
2252
2253         * tests/stress/generational-opaque-roots.js: Copied from LayoutTests/js/script-tests/generational-opaque-roots.js.
2254
2255 2014-03-01  Andreas Kling  <akling@apple.com>
2256
2257         JSCell::fastGetOwnProperty() should get the Structure more efficiently.
2258         <https://webkit.org/b/129560>
2259
2260         Now that structure() is nontrivial and we have a faster structure(VM&),
2261         make use of that in fastGetOwnProperty() since we already have VM.
2262
2263         Reviewed by Sam Weinig.
2264
2265         * runtime/JSCellInlines.h:
2266         (JSC::JSCell::fastGetOwnProperty):
2267
2268 2014-03-01  Andreas Kling  <akling@apple.com>
2269
2270         Avoid going through ExecState for VM when we already have it (in some places.)
2271         <https://webkit.org/b/129554>
2272
2273         Tweak some places that jump through unnecessary hoops to get the VM.
2274         There are many more like this.
2275
2276         Reviewed by Sam Weinig.
2277
2278         * runtime/JSObject.cpp:
2279         (JSC::JSObject::putByIndexBeyondVectorLength):
2280         (JSC::JSObject::putDirectIndexBeyondVectorLength):
2281         * runtime/ObjectPrototype.cpp:
2282         (JSC::objectProtoFuncToString):
2283
2284 2014-02-28  Filip Pizlo  <fpizlo@apple.com>
2285
2286         FTL should support PhantomArguments
2287         https://bugs.webkit.org/show_bug.cgi?id=113986
2288
2289         Reviewed by Oliver Hunt.
2290         
2291         Adding PhantomArguments to the FTL mostly means wiring the recovery of the Arguments
2292         object into the FTL's OSR exit compiler.
2293         
2294         This isn't a speed-up yet, since there is still more to be done to fully support
2295         all of the arguments craziness that our varargs benchmarks do.
2296
2297         * dfg/DFGOSRExitCompiler32_64.cpp:
2298         (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
2299         * dfg/DFGOSRExitCompiler64.cpp:
2300         (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
2301         * dfg/DFGOSRExitCompilerCommon.cpp:
2302         (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator):
2303         (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator):
2304         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): this is the common place for the recovery code
2305         * dfg/DFGOSRExitCompilerCommon.h:
2306         * ftl/FTLCapabilities.cpp:
2307         (JSC::FTL::canCompile):
2308         * ftl/FTLExitValue.cpp:
2309         (JSC::FTL::ExitValue::dumpInContext):
2310         * ftl/FTLExitValue.h:
2311         (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated):
2312         (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated):
2313         (JSC::FTL::ExitValue::valueFormat):
2314         * ftl/FTLLowerDFGToLLVM.cpp:
2315         (JSC::FTL::LowerDFGToLLVM::compileNode):
2316         (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments):
2317         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
2318         (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
2319         * ftl/FTLOSRExitCompiler.cpp:
2320         (JSC::FTL::compileStub): Call into the ArgumentsRecoveryGenerator
2321         * tests/stress/slightly-more-difficult-to-fold-reflective-arguments-access.js: Added.
2322         * tests/stress/trivially-foldable-reflective-arguments-access.js: Added.
2323
2324 2014-02-28  Filip Pizlo  <fpizlo@apple.com>
2325
2326         Unreviewed, uncomment some code. It wasn't meant to be commented in the first place.
2327
2328         * dfg/DFGCSEPhase.cpp:
2329         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
2330
2331 2014-02-28  Andreas Kling  <akling@apple.com>
2332
2333         JSObject::findPropertyHashEntry() should take VM instead of ExecState.
2334         <https://webkit.org/b/129529>
2335
2336         Callers already have VM in a local, and findPropertyHashEntry() only
2337         uses the VM, so there is no need to go all the way through ExecState.
2338
2339         Reviewed by Geoffrey Garen.
2340
2341         * runtime/JSObject.cpp:
2342         (JSC::JSObject::put):
2343         (JSC::JSObject::deleteProperty):
2344         (JSC::JSObject::findPropertyHashEntry):
2345         * runtime/JSObject.h:
2346
2347 2014-02-28  Joseph Pecoraro  <pecoraro@apple.com>
2348
2349         Deadlock remotely inspecting iOS Simulator
2350         https://bugs.webkit.org/show_bug.cgi?id=129511
2351
2352         Reviewed by Timothy Hatcher.
2353
2354         Avoid synchronous setup. Do it asynchronously, and let
2355         the RemoteInspector singleton know later if it failed.
2356
2357         * inspector/remote/RemoteInspector.h:
2358         * inspector/remote/RemoteInspector.mm:
2359         (Inspector::RemoteInspector::setupFailed):
2360         * inspector/remote/RemoteInspectorDebuggableConnection.h:
2361         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
2362         (Inspector::RemoteInspectorDebuggableConnection::setup):
2363
2364 2014-02-28  Oliver Hunt  <oliver@apple.com>
2365
2366         REGRESSION(r164835): It broke 10 JSC stress tests on 32 bit platforms
2367         https://bugs.webkit.org/show_bug.cgi?id=129488
2368
2369         Reviewed by Mark Lam.
2370
2371         Whoops, modify the right register.
2372
2373         * jit/JITCall32_64.cpp:
2374         (JSC::JIT::compileLoadVarargs):
2375
2376 2014-02-28  Filip Pizlo  <fpizlo@apple.com>
2377
2378         FTL should be able to call sin/cos directly on platforms where the intrinsic is busted
2379         https://bugs.webkit.org/show_bug.cgi?id=129503
2380
2381         Reviewed by Mark Lam.
2382
2383         * ftl/FTLIntrinsicRepository.h:
2384         * ftl/FTLOutput.h:
2385         (JSC::FTL::Output::doubleSin):
2386         (JSC::FTL::Output::doubleCos):
2387         (JSC::FTL::Output::intrinsicOrOperation):
2388
2389 2014-02-28  Mark Hahnenberg  <mhahnenberg@apple.com>
2390
2391         Fix !ENABLE(GGC) builds
2392
2393         * heap/Heap.cpp:
2394         (JSC::Heap::markRoots):
2395         (JSC::Heap::gatherJSStackRoots): Also fix one of the names of the GC phases.
2396
2397 2014-02-27  Mark Hahnenberg  <mhahnenberg@apple.com>
2398
2399         Clean up Heap::collect and Heap::markRoots
2400         https://bugs.webkit.org/show_bug.cgi?id=129464
2401
2402         Reviewed by Geoffrey Garen.
2403
2404         These functions have built up a lot of cruft recently. 
2405         We should do a bit of cleanup to make them easier to grok.
2406
2407         * heap/Heap.cpp:
2408         (JSC::Heap::finalizeUnconditionalFinalizers):
2409         (JSC::Heap::gatherStackRoots):
2410         (JSC::Heap::gatherJSStackRoots):
2411         (JSC::Heap::gatherScratchBufferRoots):
2412         (JSC::Heap::clearLivenessData):
2413         (JSC::Heap::visitSmallStrings):
2414         (JSC::Heap::visitConservativeRoots):
2415         (JSC::Heap::visitCompilerWorklists):
2416         (JSC::Heap::markProtectedObjects):
2417         (JSC::Heap::markTempSortVectors):
2418         (JSC::Heap::markArgumentBuffers):
2419         (JSC::Heap::visitException):
2420         (JSC::Heap::visitStrongHandles):
2421         (JSC::Heap::visitHandleStack):
2422         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
2423         (JSC::Heap::converge):
2424         (JSC::Heap::visitWeakHandles):
2425         (JSC::Heap::clearRememberedSet):
2426         (JSC::Heap::updateObjectCounts):
2427         (JSC::Heap::resetVisitors):
2428         (JSC::Heap::markRoots):
2429         (JSC::Heap::copyBackingStores):
2430         (JSC::Heap::deleteUnmarkedCompiledCode):
2431         (JSC::Heap::collect):
2432         (JSC::Heap::collectIfNecessaryOrDefer):
2433         (JSC::Heap::suspendCompilerThreads):
2434         (JSC::Heap::willStartCollection):
2435         (JSC::Heap::deleteOldCode):
2436         (JSC::Heap::flushOldStructureIDTables):
2437         (JSC::Heap::flushWriteBarrierBuffer):
2438         (JSC::Heap::stopAllocation):
2439         (JSC::Heap::reapWeakHandles):
2440         (JSC::Heap::sweepArrayBuffers):
2441         (JSC::Heap::snapshotMarkedSpace):
2442         (JSC::Heap::deleteSourceProviderCaches):
2443         (JSC::Heap::notifyIncrementalSweeper):
2444         (JSC::Heap::rememberCurrentlyExecutingCodeBlocks):
2445         (JSC::Heap::resetAllocators):
2446         (JSC::Heap::updateAllocationLimits):
2447         (JSC::Heap::didFinishCollection):
2448         (JSC::Heap::resumeCompilerThreads):
2449         * heap/Heap.h:
2450
2451 2014-02-27  Ryosuke Niwa  <rniwa@webkit.org>
2452
2453         indexOf and lastIndexOf shouldn't resolve ropes when needle is longer than haystack
2454         https://bugs.webkit.org/show_bug.cgi?id=129466
2455
2456         Reviewed by Michael Saboff.
2457
2458         Refactored the code to avoid calling JSString::value when needle is longer than haystack.
2459
2460         * runtime/StringPrototype.cpp:
2461         (JSC::stringProtoFuncIndexOf):
2462         (JSC::stringProtoFuncLastIndexOf):
2463
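The length early-out described in the entry above, as an added C++ example that is not JSC's JSString or StringPrototype code: RopeString is a hypothetical stand-in for a rope whose length is known without flattening, and indexOf/lastIndexOf follow the String.prototype semantics while checking lengths before either rope is resolved. Sample strings are constructed for the demonstration.

```cpp
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <string>
#include <utility>

// Added example, not JSC's JSString. A rope here is a lazily concatenated
// pair of strings: length() is known up front, value() flattens the rope and
// counts how often that expensive step happened.
class RopeString {
public:
    RopeString(std::string left, std::string right)
        : m_left(std::move(left)), m_right(std::move(right)) { }

    std::size_t length() const { return m_left.size() + m_right.size(); }
    unsigned resolveCount() const { return m_resolveCount; }

    const std::string& value()
    {
        if (!m_resolved) {
            m_flat = m_left + m_right;
            m_resolved = true;
            ++m_resolveCount;
        }
        return m_flat;
    }

private:
    std::string m_left;
    std::string m_right;
    std::string m_flat;
    bool m_resolved = false;
    unsigned m_resolveCount = 0;
};

// String.prototype.indexOf semantics: `position` is clamped to [0, length];
// the length comparison runs before either rope is resolved.
long indexOf(RopeString& haystack, RopeString& needle, std::size_t position = 0)
{
    std::size_t haystackLength = haystack.length();
    std::size_t needleLength = needle.length();
    if (needleLength > haystackLength)
        return -1;
    position = std::min(position, haystackLength);
    if (needleLength > haystackLength - position)
        return -1;
    std::size_t found = haystack.value().find(needle.value(), position);
    return found == std::string::npos ? -1 : static_cast<long>(found);
}

// String.prototype.lastIndexOf semantics: the match must start at or before
// `position` (default: end of string); same early-out on length.
long lastIndexOf(RopeString& haystack, RopeString& needle, std::size_t position = std::string::npos)
{
    std::size_t haystackLength = haystack.length();
    if (needle.length() > haystackLength)
        return -1;
    position = std::min(position, haystackLength);
    std::size_t found = haystack.value().rfind(needle.value(), position);
    return found == std::string::npos ? -1 : static_cast<long>(found);
}

struct SearchOutcome {
    long index;
    unsigned haystackResolves;
    unsigned needleResolves;
};

// Needle longer than haystack: the answer is -1 and neither rope is flattened.
SearchOutcome searchWithOversizedNeedle()
{
    RopeString haystack("hay", "stack");             // constructed sample
    RopeString needle("haystack", "-and-then-some"); // constructed sample
    long index = indexOf(haystack, needle);
    lastIndexOf(haystack, needle); // takes the same early-out path
    return { index, haystack.resolveCount(), needle.resolveCount() };
}

// Needle that fits: both ropes are resolved exactly once, then searched.
SearchOutcome searchWithFittingNeedle()
{
    RopeString haystack("hay", "stack"); // constructed sample
    RopeString needle("st", "ack");      // constructed sample
    long index = indexOf(haystack, needle);
    lastIndexOf(haystack, needle); // reuses the already flattened strings
    return { index, haystack.resolveCount(), needle.resolveCount() };
}

int main()
{
    SearchOutcome a = searchWithOversizedNeedle();
    SearchOutcome b = searchWithFittingNeedle();
    std::cout << "oversized: index " << a.index << ", resolves " << a.haystackResolves << "/" << a.needleResolves << "\n";
    std::cout << "fitting:   index " << b.index << ", resolves " << b.haystackResolves << "/" << b.needleResolves << "\n";
    return 0;
}
```

The resolve counters are the point: a needle that cannot fit never triggers the flattening, while a needle that fits costs exactly one flattening per rope regardless of how many searches follow.
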
2464 2014-02-27  Timothy Hatcher  <timothy@apple.com>
2465
2466         Improve how ContentSearchUtilities::lineEndings works by supporting the three common line endings.
2467
2468         https://bugs.webkit.org/show_bug.cgi?id=129458
2469
2470         Reviewed by Joseph Pecoraro.
2471
2472         * inspector/ContentSearchUtilities.cpp:
2473         (Inspector::ContentSearchUtilities::textPositionFromOffset): Remove assumption about line ending length.
2474         (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Remove assumption about
2475         line ending type and don't try to strip the line ending. Use size_t.
2476         (Inspector::ContentSearchUtilities::lineEndings): Use findNextLineStart to find the lines.
2477         This will include the line ending in the lines, but that is okay.
2478         (Inspector::ContentSearchUtilities::buildObjectForSearchMatch): Use size_t.
2479         (Inspector::ContentSearchUtilities::searchInTextByLines): Modernize.
2480
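The line splitting and offset-to-position mapping described in the entry above, as an added C++ example that is not WebKit's ContentSearchUtilities code: findNextLineStart, lineEndings, textPositionFromOffset and searchInTextByLines are hypothetical stand-ins that follow the behaviour the entry describes (all three of "\r\n", "\r" and "\n" are recognised, each line keeps its terminator, and no fixed line-ending length is assumed). The sample text is constructed for the demonstration.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Added example, not WebKit code. Offset just past the line break that ends
// the line starting at `start`, or text.size() if no break follows. "\r\n"
// is consumed as a single break so it is never split into two lines.
std::size_t findNextLineStart(const std::string& text, std::size_t start)
{
    for (std::size_t i = start; i < text.size(); ++i) {
        if (text[i] == '\n')
            return i + 1;
        if (text[i] == '\r')
            return (i + 1 < text.size() && text[i + 1] == '\n') ? i + 2 : i + 1;
    }
    return text.size();
}

// Splits text into lines; each line keeps its own terminator, so the
// terminators' lengths are recoverable from the lines themselves.
std::vector<std::string> lineEndings(const std::string& text)
{
    std::vector<std::string> lines;
    std::size_t start = 0;
    while (start < text.size()) {
        std::size_t next = findNextLineStart(text, start);
        lines.push_back(text.substr(start, next - start));
        start = next;
    }
    return lines;
}

// Maps a character offset to a zero-based (line, column) pair by walking the
// lines' actual lengths instead of assuming a fixed line-ending length.
std::pair<std::size_t, std::size_t> textPositionFromOffset(const std::vector<std::string>& lines, std::size_t offset)
{
    std::size_t lineStart = 0;
    for (std::size_t line = 0; line < lines.size(); ++line) {
        std::size_t lineEnd = lineStart + lines[line].size();
        if (offset < lineEnd)
            return { line, offset - lineStart };
        lineStart = lineEnd;
    }
    return { lines.size(), 0 }; // offset at or beyond the end of the text
}

// Zero-based numbers of the lines containing `needle`. Each line is searched
// with its terminator still attached; a needle cannot straddle a line break.
std::vector<std::size_t> searchInTextByLines(const std::string& text, const std::string& needle)
{
    std::vector<std::size_t> hits;
    if (needle.empty())
        return hits;
    std::vector<std::string> lines = lineEndings(text);
    for (std::size_t i = 0; i < lines.size(); ++i) {
        if (lines[i].find(needle) != std::string::npos)
            hits.push_back(i);
    }
    return hits;
}

int main()
{
    // Constructed sample mixing all three line endings.
    const std::string sample = "first\r\nsecond\rthird\nfourth";
    std::vector<std::string> lines = lineEndings(sample);
    for (std::size_t i = 0; i < lines.size(); ++i)
        std::cout << i << ": " << lines[i].size() << " chars\n";
    std::pair<std::size_t, std::size_t> pos = textPositionFromOffset(lines, sample.find("third"));
    std::cout << "'third' starts at line " << pos.first << ", column " << pos.second << "\n";
    return 0;
}
```

Keeping the terminator inside each line is what makes textPositionFromOffset correct for mixed endings: the column of the "\n" in a "\r\n" pair is still a position inside that line, and the next line starts exactly where the previous one's stored length ends.
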
2481 2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>
2482
2483         [Mac] Warning: Multiple build commands for output file GCSegmentedArray and InspectorAgent
2484         https://bugs.webkit.org/show_bug.cgi?id=129446
2485
2486         Reviewed by Timothy Hatcher.
2487
2488         Remove duplicate header entries in Copy Header build phase.
2489
2490         * JavaScriptCore.xcodeproj/project.pbxproj:
2491
2492 2014-02-27  Oliver Hunt  <oliver@apple.com>
2493
2494         Whoops, include all of last patch.
2495
2496         * jit/JITCall32_64.cpp:
2497         (JSC::JIT::compileLoadVarargs):
2498
2499 2014-02-27  Oliver Hunt  <oliver@apple.com>
2500
2501         Slow cases for function.apply and function.call should not require vm re-entry
2502         https://bugs.webkit.org/show_bug.cgi?id=129454
2503
2504         Reviewed by Geoffrey Garen.
2505
2506         Implement call and apply using builtins. Happily, the use
2507         of @call and @apply doesn't perform function equality checks
2508         and just plants direct var_args calls. This did expose a few
2509         codegen issues, but they're all covered by existing tests
2510         once call and apply are implemented in JS.
2511
2512         * JavaScriptCore.xcodeproj/project.pbxproj:
2513         * builtins/Function.prototype.js: Added.
2514         (call):
2515         (apply):
2516         * bytecompiler/NodesCodegen.cpp:
2517         (JSC::CallFunctionCallDotNode::emitBytecode):
2518         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2519         * dfg/DFGCapabilities.cpp:
2520         (JSC::DFG::capabilityLevel):
2521         * interpreter/Interpreter.cpp:
2522         (JSC::sizeFrameForVarargs):
2523         (JSC::loadVarargs):
2524         * interpreter/Interpreter.h:
2525         * jit/JITCall.cpp:
2526         (JSC::JIT::compileLoadVarargs):
2527         * parser/ASTBuilder.h:
2528         (JSC::ASTBuilder::makeFunctionCallNode):
2529         * parser/Lexer.cpp:
2530         (JSC::isSafeBuiltinIdentifier):
2531         * runtime/CommonIdentifiers.h:
2532         * runtime/FunctionPrototype.cpp:
2533         (JSC::FunctionPrototype::addFunctionProperties):
2534         * runtime/JSObject.cpp:
2535         (JSC::JSObject::putDirectBuiltinFunction):
2536         (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
2537         * runtime/JSObject.h:
2538
2539 2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>
2540
2541         Web Inspector: Better name for RemoteInspectorDebuggableConnection dispatch queue
2542         https://bugs.webkit.org/show_bug.cgi?id=129443
2543
2544         Reviewed by Timothy Hatcher.
2545
2546         This queue is specific to the JSContext debuggable connections,
2547         there is no XPC involved. Give it a better name.
2548
2549         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
2550         (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
2551
2552 2014-02-27  David Kilzer  <ddkilzer@apple.com>
2553
2554         Remove jsc symlink if it already exists
2555
2556         This is a follow-up fix for:
2557
2558         Create symlink to /usr/local/bin/jsc during installation
2559         <http://webkit.org/b/129399>
2560         <rdar://problem/16168734>
2561
2562         * JavaScriptCore.xcodeproj/project.pbxproj:
2563         (Create /usr/local/bin/jsc symlink): If a jsc symlink already
2564         exists where we're about to create the symlink, remove the old
2565         one first.
2566
2567 2014-02-27  Michael Saboff  <msaboff@apple.com>
2568
2569         Unreviewed build fix for Mac tools after r164814
2570
2571         * Configurations/ToolExecutable.xcconfig:
2572         - Added JavaScriptCore.framework/PrivateHeaders to ToolExecutable include path.
2573         * JavaScriptCore.xcodeproj/project.pbxproj:
2574         - Changed productName to testRegExp for testRegExp target.
2575
2576 2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>
2577
2578         Web Inspector: JSContext inspection should report exceptions in the console
2579         https://bugs.webkit.org/show_bug.cgi?id=128776
2580
2581         Reviewed by Timothy Hatcher.
2582
2583         When JavaScript API functions have an exception, let the inspector
2584         know so it can log the JavaScript and Native backtrace that caused
2585         the exception.
2586
2587         Include some clean up of ConsoleMessage and ScriptCallStack construction.
2588
2589         * API/JSBase.cpp:
2590         (JSEvaluateScript):
2591         (JSCheckScriptSyntax):
2592         * API/JSObjectRef.cpp:
2593         (JSObjectMakeFunction):
2594         (JSObjectMakeArray):
2595         (JSObjectMakeDate):
2596         (JSObjectMakeError):
2597         (JSObjectMakeRegExp):
2598         (JSObjectGetProperty):
2599         (JSObjectSetProperty):
2600         (JSObjectGetPropertyAtIndex):
2601         (JSObjectSetPropertyAtIndex):
2602         (JSObjectDeleteProperty):
2603         (JSObjectCallAsFunction):
2604         (JSObjectCallAsConstructor):
2605         * API/JSValue.mm:
2606         (reportExceptionToInspector):
2607         (valueToArray):
2608         (valueToDictionary):
2609         * API/JSValueRef.cpp:
2610         (JSValueIsEqual):
2611         (JSValueIsInstanceOfConstructor):
2612         (JSValueCreateJSONString):
2613         (JSValueToNumber):
2614         (JSValueToStringCopy):
2615         (JSValueToObject):
2616         When seeing an exception, let the inspector know there was an exception.
2617
2618         * inspector/JSGlobalObjectInspectorController.h:
2619         * inspector/JSGlobalObjectInspectorController.cpp:
2620         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2621         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
2622         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
2623         Log API exceptions by also grabbing the native backtrace.
2624
2625         * inspector/ScriptCallStack.h:
2626         * inspector/ScriptCallStack.cpp:
2627         (Inspector::ScriptCallStack::firstNonNativeCallFrame):
2628         (Inspector::ScriptCallStack::append):
2629         Minor extensions to ScriptCallStack to make it easier to work with.
2630
2631         * inspector/ConsoleMessage.cpp:
2632         (Inspector::ConsoleMessage::ConsoleMessage):
2633         (Inspector::ConsoleMessage::autogenerateMetadata):
2634         Provide better default information if the first call frame was native.
2635
2636         * inspector/ScriptCallStackFactory.cpp:
2637         (Inspector::createScriptCallStack):
2638         (Inspector::extractSourceInformationFromException):
2639         (Inspector::createScriptCallStackFromException):
2640         Perform the handling here of inserting a fake call frame for exceptions
2641         if there was no call stack (e.g. a SyntaxError) or if the first call
2642         frame had no information.
2643
2644         * inspector/ConsoleMessage.cpp:
2645         (Inspector::ConsoleMessage::ConsoleMessage):
2646         (Inspector::ConsoleMessage::autogenerateMetadata):
2647         * inspector/ConsoleMessage.h:
2648         * inspector/ScriptCallStackFactory.cpp:
2649         (Inspector::createScriptCallStack):
2650         (Inspector::createScriptCallStackForConsole):
2651         * inspector/ScriptCallStackFactory.h:
2652         * inspector/agents/InspectorConsoleAgent.cpp:
2653         (Inspector::InspectorConsoleAgent::enable):
2654         (Inspector::InspectorConsoleAgent::addMessageToConsole):
2655         (Inspector::InspectorConsoleAgent::count):
2656         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2657         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
2658         ConsoleMessage cleanup.
2659
2660 2014-02-27  David Kilzer  <ddkilzer@apple.com>
2661
2662         Create symlink to /usr/local/bin/jsc during installation
2663         <http://webkit.org/b/129399>
2664         <rdar://problem/16168734>
2665
2666         Reviewed by Dan Bernstein.
2667
2668         * JavaScriptCore.xcodeproj/project.pbxproj:
2669         - Add "Create /usr/local/bin/jsc symlink" build phase script to
2670           create the symlink during installation.
2671
2672 2014-02-27  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>
2673
2674         Math.{max, min}() must not return after first NaN value
2675         https://bugs.webkit.org/show_bug.cgi?id=104147
2676
2677         Reviewed by Oliver Hunt.
2678
2679         According to the spec, ToNumber is going to be called on each argument
2680         even if a `NaN` value was already found.
2681
2682         * runtime/MathObject.cpp:
2683         (JSC::mathProtoFuncMax):
2684         (JSC::mathProtoFuncMin):
2685
2686 2014-02-27  Gergo Balogh  <gbalogh.u-szeged@partner.samsung.com>
2687
2688         JSType upper limit (0xff) assertion can be removed.
2689         https://bugs.webkit.org/show_bug.cgi?id=129424
2690
2691         Reviewed by Geoffrey Garen.
2692
2693         * runtime/JSTypeInfo.h:
2694         (JSC::TypeInfo::TypeInfo):
2695
2696 2014-02-26  Michael Saboff  <msaboff@apple.com>
2697
2698         Auto generate bytecode information for bytecode parser and LLInt
2699         https://bugs.webkit.org/show_bug.cgi?id=129181
2700
2701         Reviewed by Mark Lam.
2702
2703         Added new bytecode/BytecodeList.json that contains a list of bytecodes and related
2704         helpers.  It also includes bytecode length and other information used to generate files.
2705         Added a new generator, generate-bytecode-files that generates Bytecodes.h and InitBytecodes.asm
2706         in DerivedSources/JavaScriptCore/.
2707
2708         Added the generation of these files to the "DerivedSource" build step.
2709         Slightly changed the build order, since the Bytecodes.h file is needed by
2710         JSCLLIntOffsetsExtractor.  Moved the offline assembly to a separate step since it needs
2711         to be run after JSCLLIntOffsetsExtractor.
2712
2713         Made related changes to OPCODE macros and their use.
2714
2715         Added JavaScriptCore.framework/PrivateHeaders to header file search path for building
2716         jsc to resolve Mac build issue.
2717
2718         * CMakeLists.txt:
2719         * Configurations/JSC.xcconfig:
2720         * DerivedSources.make:
2721         * GNUmakefile.am:
2722         * GNUmakefile.list.am:
2723         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2724         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2725         * JavaScriptCore.vcxproj/copy-files.cmd:
2726         * JavaScriptCore.xcodeproj/project.pbxproj:
2727         * bytecode/Opcode.h:
2728         (JSC::padOpcodeName):
2729         * llint/LLIntCLoop.cpp:
2730         (JSC::LLInt::CLoop::initialize):
2731         * llint/LLIntCLoop.h:
2732         * llint/LLIntData.cpp:
2733         (JSC::LLInt::initialize):
2734         * llint/LLIntOpcode.h:
2735         * llint/LowLevelInterpreter.asm:
2736
2737 2014-02-27  Julien Brianceau  <jbriance@cisco.com>
2738
2739         Fix 32-bit V_JITOperation_EJ callOperation introduced in r162652.
2740         https://bugs.webkit.org/show_bug.cgi?id=129420
2741
2742         Reviewed by Geoffrey Garen.
2743
2744         * dfg/DFGSpeculativeJIT.h:
2745         (JSC::DFG::SpeculativeJIT::callOperation): Payload and tag are swapped.
2746         Also, EABI_32BIT_DUMMY_ARG is missing for arm EABI and mips.
2747
2748 2014-02-27  Filip Pizlo  <fpizlo@apple.com>
2749
2750         Octane/closure thrashes between flattening dictionaries during global object initialization in a global eval
2751         https://bugs.webkit.org/show_bug.cgi?id=129435
2752
2753         Reviewed by Oliver Hunt.
2754         
2755         This is a 5-10% speed-up on Octane/closure.
2756
2757         * interpreter/Interpreter.cpp:
2758         (JSC::Interpreter::execute):
2759         * jsc.cpp:
2760         (GlobalObject::finishCreation):
2761         (functionClearCodeCache):
2762         * runtime/BatchedTransitionOptimizer.h:
2763         (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
2764         (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
2765
2766 2014-02-27  Alexey Proskuryakov  <ap@apple.com>
2767
2768         Added svn:ignore to two directories, so that .pyc files don't show up as unversioned.
2769
2770         * inspector/scripts: Added property svn:ignore.
2771         * replay/scripts: Added property svn:ignore.
2772
2773 2014-02-27  Gabor Rapcsanyi  <rgabor@webkit.org>
2774
2775         r164764 broke the ARM build
2776         https://bugs.webkit.org/show_bug.cgi?id=129415
2777
2778         Reviewed by Zoltan Herczeg.
2779
2780         * assembler/MacroAssemblerARM.h:
2781         (JSC::MacroAssemblerARM::moveWithPatch): Change reinterpret_cast to static_cast.
2782         (JSC::MacroAssemblerARM::canJumpReplacePatchableBranch32WithPatch): Add missing function.
2783         (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress): Add missing function.
2784         (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch): Add missing function.
2785
2786 2014-02-27  Mark Hahnenberg  <mhahnenberg@apple.com>
2787
2788         r164764 broke the ARM build
2789         https://bugs.webkit.org/show_bug.cgi?id=129415
2790
2791         Reviewed by Geoffrey Garen.
2792
2793         * assembler/MacroAssemblerARM.h:
2794         (JSC::MacroAssemblerARM::moveWithPatch):
2795
2796 2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>
2797
2798         r164764 broke the ARM build
2799         https://bugs.webkit.org/show_bug.cgi?id=129415
2800
2801         Reviewed by Geoffrey Garen.
2802
2803         * assembler/MacroAssemblerARM.h:
2804         (JSC::MacroAssemblerARM::branch32WithPatch): Missing this function.
2805
2806 2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>
2807
2808         EFL build fix
2809
2810         * dfg/DFGSpeculativeJIT32_64.cpp: Remove unused variables.
2811         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
2812         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
2813
2814 2014-02-25  Mark Hahnenberg  <mhahnenberg@apple.com>
2815
2816         Make JSCells have 32-bit Structure pointers
2817         https://bugs.webkit.org/show_bug.cgi?id=123195
2818
2819         Reviewed by Filip Pizlo.
2820
2821         This patch changes JSCells such that they no longer have a full 64-bit Structure
2822         pointer in their header. Instead they now have a 32-bit index into
2823         a per-VM table of Structure pointers. 32-bit platforms still use normal Structure
2824         pointers.
2825
2826         This change frees up an additional 32 bits of information in our object headers.
2827         We then use this extra space to store the indexing type of the object, the JSType
2828         of the object, some various type flags, and garbage collection data (e.g. mark bit).
2829         Because this inline type information is now faster to read, it pays for the slowdown 
2830         incurred by having to perform an extra indirection through the StructureIDTable.
2831
2832         This patch also threads a reference to the current VM through more of the C++ runtime
2833         to offset the cost of having to look up the VM to get the actual Structure pointer.
2834
2835         * API/JSContext.mm:
2836         (-[JSContext setException:]):
2837         (-[JSContext wrapperForObjCObject:]):
2838         (-[JSContext wrapperForJSObject:]):
2839         * API/JSContextRef.cpp:
2840         (JSContextGroupRelease):
2841         (JSGlobalContextRelease):
2842         * API/JSObjectRef.cpp:
2843         (JSObjectIsFunction):
2844         (JSObjectCopyPropertyNames):
2845         * API/JSValue.mm:
2846         (containerValueToObject):
2847         * API/JSWrapperMap.mm:
2848         (tryUnwrapObjcObject):
2849         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2850         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2851         * JavaScriptCore.xcodeproj/project.pbxproj:
2852         * assembler/AbstractMacroAssembler.h:
2853         * assembler/MacroAssembler.h:
2854         (JSC::MacroAssembler::patchableBranch32WithPatch):
2855         (JSC::MacroAssembler::patchableBranch32):
2856         * assembler/MacroAssemblerARM64.h:
2857         (JSC::MacroAssemblerARM64::branchPtrWithPatch):
2858         (JSC::MacroAssemblerARM64::patchableBranch32WithPatch):
2859         (JSC::MacroAssemblerARM64::canJumpReplacePatchableBranch32WithPatch):
2860         (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
2861         (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
2862         * assembler/MacroAssemblerARMv7.h:
2863         (JSC::MacroAssemblerARMv7::store8):
2864         (JSC::MacroAssemblerARMv7::branch32WithPatch):
2865         (JSC::MacroAssemblerARMv7::patchableBranch32WithPatch):
2866         (JSC::MacroAssemblerARMv7::canJumpReplacePatchableBranch32WithPatch):
2867         (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
2868         (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
2869         * assembler/MacroAssemblerX86.h:
2870         (JSC::MacroAssemblerX86::branch32WithPatch):
2871         (JSC::MacroAssemblerX86::canJumpReplacePatchableBranch32WithPatch):
2872         (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
2873         (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
2874         * assembler/MacroAssemblerX86_64.h:
2875         (JSC::MacroAssemblerX86_64::store32):
2876         (JSC::MacroAssemblerX86_64::moveWithPatch):
2877         (JSC::MacroAssemblerX86_64::branch32WithPatch):
2878         (JSC::MacroAssemblerX86_64::canJumpReplacePatchableBranch32WithPatch):
2879         (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
2880         (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
2881         (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
2882         * assembler/RepatchBuffer.h:
2883         (JSC::RepatchBuffer::startOfPatchableBranch32WithPatchOnAddress):
2884         (JSC::RepatchBuffer::revertJumpReplacementToPatchableBranch32WithPatch):
2885         * assembler/X86Assembler.h:
2886         (JSC::X86Assembler::revertJumpTo_movq_i64r):
2887         (JSC::X86Assembler::revertJumpTo_movl_i32r):
2888         * bytecode/ArrayProfile.cpp:
2889         (JSC::ArrayProfile::computeUpdatedPrediction):
2890         * bytecode/ArrayProfile.h:
2891         (JSC::ArrayProfile::ArrayProfile):
2892         (JSC::ArrayProfile::addressOfLastSeenStructureID):
2893         (JSC::ArrayProfile::observeStructure):
2894         * bytecode/CodeBlock.h:
2895         (JSC::CodeBlock::heap):
2896         * bytecode/UnlinkedCodeBlock.h:
2897         * debugger/Debugger.h:
2898         * dfg/DFGAbstractHeap.h:
2899         * dfg/DFGArrayifySlowPathGenerator.h:
2900         * dfg/DFGClobberize.h:
2901         (JSC::DFG::clobberize):
2902         * dfg/DFGJITCompiler.h:
2903         (JSC::DFG::JITCompiler::branchWeakStructure):
2904         (JSC::DFG::JITCompiler::branchStructurePtr):
2905         * dfg/DFGOSRExitCompiler32_64.cpp:
2906         (JSC::DFG::OSRExitCompiler::compileExit):
2907         * dfg/DFGOSRExitCompiler64.cpp:
2908         (JSC::DFG::OSRExitCompiler::compileExit):
2909         * dfg/DFGOSRExitCompilerCommon.cpp:
2910         (JSC::DFG::osrWriteBarrier):
2911         (JSC::DFG::adjustAndJumpToTarget):
2912         * dfg/DFGOperations.cpp:
2913         (JSC::DFG::putByVal):
2914         * dfg/DFGSpeculativeJIT.cpp:
2915         (JSC::DFG::SpeculativeJIT::checkArray):
2916         (JSC::DFG::SpeculativeJIT::arrayify):
2917         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
2918         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
2919         (JSC::DFG::SpeculativeJIT::compileInstanceOf):
2920         (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
2921         (JSC::DFG::SpeculativeJIT::speculateObject):
2922         (JSC::DFG::SpeculativeJIT::speculateFinalObject):
2923         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
2924         (JSC::DFG::SpeculativeJIT::speculateString):
2925         (JSC::DFG::SpeculativeJIT::speculateStringObject):
2926         (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
2927         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
2928         (JSC::DFG::SpeculativeJIT::emitSwitchString):
2929         (JSC::DFG::SpeculativeJIT::genericWriteBarrier):
2930         (JSC::DFG::SpeculativeJIT::writeBarrier):
2931         * dfg/DFGSpeculativeJIT.h:
2932         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
2933         (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
2934         * dfg/DFGSpeculativeJIT32_64.cpp:
2935         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
2936         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
2937         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
2938         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
2939         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
2940         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2941         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2942         (JSC::DFG::SpeculativeJIT::compile):
2943         (JSC::DFG::SpeculativeJIT::writeBarrier):
2944         * dfg/DFGSpeculativeJIT64.cpp:
2945         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
2946         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
2947         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
2948         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
2949         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
2950         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2951         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2952         (JSC::DFG::SpeculativeJIT::compile):
2953         (JSC::DFG::SpeculativeJIT::writeBarrier):
2954         * dfg/DFGWorklist.cpp:
2955         * ftl/FTLAbstractHeapRepository.cpp:
2956         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
2957         * ftl/FTLAbstractHeapRepository.h:
2958         * ftl/FTLLowerDFGToLLVM.cpp:
2959         (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
2960         (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
2961         (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
2962         (JSC::FTL::LowerDFGToLLVM::compileToString):
2963         (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
2964         (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
2965         (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
2966         (JSC::FTL::LowerDFGToLLVM::allocateCell):
2967         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
2968         (JSC::FTL::LowerDFGToLLVM::isObject):
2969         (JSC::FTL::LowerDFGToLLVM::isString):
2970         (JSC::FTL::LowerDFGToLLVM::isArrayType):
2971         (JSC::FTL::LowerDFGToLLVM::hasClassInfo):
2972         (JSC::FTL::LowerDFGToLLVM::isType):
2973         (JSC::FTL::LowerDFGToLLVM::speculateStringOrStringObject):
2974         (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForCell):
2975         (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
2976         (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
2977         (JSC::FTL::LowerDFGToLLVM::loadMarkByte):
2978         (JSC::FTL::LowerDFGToLLVM::loadStructure):
2979         (JSC::FTL::LowerDFGToLLVM::weakStructure):
2980         * ftl/FTLOSRExitCompiler.cpp:
2981         (JSC::FTL::compileStub):
2982         * ftl/FTLOutput.h:
2983         (JSC::FTL::Output::store8):
2984         * heap/GCAssertions.h:
2985         * heap/Heap.cpp:
2986         (JSC::Heap::getConservativeRegisterRoots):
2987         (JSC::Heap::collect):
2988         (JSC::Heap::writeBarrier):
2989         * heap/Heap.h:
2990         (JSC::Heap::structureIDTable):
2991         * heap/MarkedSpace.h:
2992         (JSC::MarkedSpace::forEachBlock):
2993         * heap/SlotVisitorInlines.h:
2994         (JSC::SlotVisitor::internalAppend):
2995         * jit/AssemblyHelpers.h:
2996         (JSC::AssemblyHelpers::branchIfCellNotObject):
2997         (JSC::AssemblyHelpers::genericWriteBarrier):
2998         (JSC::AssemblyHelpers::emitLoadStructure):
2999         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
3000         * jit/JIT.h:
3001         * jit/JITCall.cpp:
3002         (JSC::JIT::compileOpCall):
3003         (JSC::JIT::privateCompileClosureCall):
3004         * jit/JITCall32_64.cpp:
3005         (JSC::JIT::emit_op_ret_object_or_this):
3006         (JSC::JIT::compileOpCall):
3007         (JSC::JIT::privateCompileClosureCall):
3008         * jit/JITInlineCacheGenerator.cpp:
3009         (JSC::JITByIdGenerator::generateFastPathChecks):
3010         * jit/JITInlineCacheGenerator.h:
3011         * jit/JITInlines.h:
3012         (JSC::JIT::emitLoadCharacterString):
3013         (JSC::JIT::checkStructure):
3014         (JSC::JIT::emitJumpIfCellNotObject):
3015         (JSC::JIT::emitAllocateJSObject):
3016         (JSC::JIT::emitArrayProfilingSiteWithCell):
3017         (JSC::JIT::emitArrayProfilingSiteForBytecodeIndexWithCell):
3018         (JSC::JIT::branchStructure):
3019         (JSC::branchStructure):
3020         * jit/JITOpcodes.cpp:
3021         (JSC::JIT::emit_op_check_has_instance):
3022         (JSC::JIT::emit_op_instanceof):
3023         (JSC::JIT::emit_op_is_undefined):
3024         (JSC::JIT::emit_op_is_string):
3025         (JSC::JIT::emit_op_ret_object_or_this):
3026         (JSC::JIT::emit_op_to_primitive):
3027         (JSC::JIT::emit_op_jeq_null):
3028         (JSC::JIT::emit_op_jneq_null):
3029         (JSC::JIT::emit_op_get_pnames):
3030         (JSC::JIT::emit_op_next_pname):
3031         (JSC::JIT::emit_op_eq_null):
3032         (JSC::JIT::emit_op_neq_null):
3033         (JSC::JIT::emit_op_to_this):
3034         (JSC::JIT::emitSlow_op_to_this):
3035         * jit/JITOpcodes32_64.cpp:
3036         (JSC::JIT::emit_op_check_has_instance):
3037         (JSC::JIT::emit_op_instanceof):
3038         (JSC::JIT::emit_op_is_undefined):
3039         (JSC::JIT::emit_op_is_string):
3040         (JSC::JIT::emit_op_to_primitive):
3041         (JSC::JIT::emit_op_jeq_null):
3042         (JSC::JIT::emit_op_jneq_null):
3043         (JSC::JIT::emitSlow_op_eq):
3044         (JSC::JIT::emitSlow_op_neq):
3045         (JSC::JIT::compileOpStrictEq):
3046         (JSC::JIT::emit_op_eq_null):
3047         (JSC::JIT::emit_op_neq_null):
3048         (JSC::JIT::emit_op_get_pnames):
3049         (JSC::JIT::emit_op_next_pname):
3050         (JSC::JIT::emit_op_to_this):
3051         * jit/JITOperations.cpp:
3052         * jit/JITPropertyAccess.cpp:
3053         (JSC::JIT::stringGetByValStubGenerator):
3054         (JSC::JIT::emit_op_get_by_val):
3055         (JSC::JIT::emitSlow_op_get_by_val):
3056         (JSC::JIT::emit_op_get_by_pname):
3057         (JSC::JIT::emit_op_put_by_val):
3058         (JSC::JIT::emit_op_get_by_id):
3059         (JSC::JIT::emitLoadWithStructureCheck):
3060         (JSC::JIT::emitSlow_op_get_from_scope):
3061         (JSC::JIT::emitSlow_op_put_to_scope):
3062         (JSC::JIT::checkMarkWord):
3063         (JSC::JIT::emitWriteBarrier):
3064         (JSC::JIT::addStructureTransitionCheck):
3065         (JSC::JIT::emitIntTypedArrayGetByVal):
3066         (JSC::JIT::emitFloatTypedArrayGetByVal):
3067         (JSC::JIT::emitIntTypedArrayPutByVal):
3068         (JSC::JIT::emitFloatTypedArrayPutByVal):
3069         * jit/JITPropertyAccess32_64.cpp:
3070         (JSC::JIT::stringGetByValStubGenerator):
3071         (JSC::JIT::emit_op_get_by_val):
3072         (JSC::JIT::emitSlow_op_get_by_val):
3073         (JSC::JIT::emit_op_put_by_val):
3074         (JSC::JIT::emit_op_get_by_id):
3075         (JSC::JIT::emit_op_get_by_pname):
3076         (JSC::JIT::emitLoadWithStructureCheck):
3077         * jit/JSInterfaceJIT.h:
3078         (JSC::JSInterfaceJIT::emitJumpIfNotType):
3079         * jit/Repatch.cpp:
3080         (JSC::repatchByIdSelfAccess):
3081         (JSC::addStructureTransitionCheck):
3082         (JSC::replaceWithJump):
3083         (JSC::generateProtoChainAccessStub):
3084         (JSC::tryCacheGetByID):
3085         (JSC::tryBuildGetByIDList):
3086         (JSC::writeBarrier):
3087         (JSC::emitPutReplaceStub):
3088         (JSC::emitPutTransitionStub):
3089         (JSC::tryBuildPutByIdList):
3090         (JSC::tryRepatchIn):
3091         (JSC::linkClosureCall):
3092         (JSC::resetGetByID):
3093         (JSC::resetPutByID):
3094         * jit/SpecializedThunkJIT.h:
3095         (JSC::SpecializedThunkJIT::loadJSStringArgument):
3096         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
3097         * jit/ThunkGenerators.cpp:
3098         (JSC::virtualForThunkGenerator):
3099         (JSC::arrayIteratorNextThunkGenerator):
3100         * jit/UnusedPointer.h:
3101         * llint/LowLevelInterpreter.asm:
3102         * llint/LowLevelInterpreter32_64.asm:
3103         * llint/LowLevelInterpreter64.asm:
3104         * runtime/Arguments.cpp:
3105         (JSC::Arguments::createStrictModeCallerIfNecessary):
3106         (JSC::Arguments::createStrictModeCalleeIfNecessary):
3107         * runtime/Arguments.h:
3108         (JSC::Arguments::createStructure):
3109         * runtime/ArrayPrototype.cpp:
3110         (JSC::shift):
3111         (JSC::unshift):
3112         (JSC::arrayProtoFuncToString):
3113         (JSC::arrayProtoFuncPop):
3114         (JSC::arrayProtoFuncReverse):
3115         (JSC::performSlowSort):
3116         (JSC::arrayProtoFuncSort):
3117         (JSC::arrayProtoFuncSplice):
3118         (JSC::arrayProtoFuncUnShift):
3119         * runtime/CommonSlowPaths.cpp:
3120         (JSC::SLOW_PATH_DECL):
3121         * runtime/Executable.h:
3122         (JSC::ExecutableBase::isFunctionExecutable):
3123         (JSC::ExecutableBase::clearCodeVirtual):
3124         (JSC::ScriptExecutable::unlinkCalls):
3125         * runtime/GetterSetter.cpp:
3126         (JSC::callGetter):
3127         (JSC::callSetter):
3128         * runtime/InitializeThreading.cpp:
3129         * runtime/JSArray.cpp:
3130         (JSC::JSArray::unshiftCountSlowCase):
3131         (JSC::JSArray::setLength):
3132         (JSC::JSArray::pop):
3133         (JSC::JSArray::push):
3134         (JSC::JSArray::shiftCountWithArrayStorage):
3135         (JSC::JSArray::shiftCountWithAnyIndexingType):
3136         (JSC::JSArray::unshiftCountWithArrayStorage):
3137         (JSC::JSArray::unshiftCountWithAnyIndexingType):
3138         (JSC::JSArray::sortNumericVector):
3139         (JSC::JSArray::sortNumeric):
3140         (JSC::JSArray::sortCompactedVector):
3141         (JSC::JSArray::sort):
3142         (JSC::JSArray::sortVector):
3143         (JSC::JSArray::fillArgList):
3144         (JSC::JSArray::copyToArguments):
3145         (JSC::JSArray::compactForSorting):
3146         * runtime/JSCJSValueInlines.h:
3147         (JSC::JSValue::toThis):
3148         (JSC::JSValue::put):
3149         (JSC::JSValue::putByIndex):
3150         (JSC::JSValue::equalSlowCaseInline):
3151         * runtime/JSCell.cpp:
3152         (JSC::JSCell::put):
3153         (JSC::JSCell::putByIndex):
3154         (JSC::JSCell::deleteProperty):
3155         (JSC::JSCell::deletePropertyByIndex):
3156         * runtime/JSCell.h:
3157         (JSC::JSCell::clearStructure):
3158         (JSC::JSCell::mark):
3159         (JSC::JSCell::isMarked):
3160         (JSC::JSCell::structureIDOffset):
3161         (JSC::JSCell::typeInfoFlagsOffset):
3162         (JSC::JSCell::typeInfoTypeOffset):
3163         (JSC::JSCell::indexingTypeOffset):
3164         (JSC::JSCell::gcDataOffset):
3165         * runtime/JSCellInlines.h:
3166         (JSC::JSCell::JSCell):
3167         (JSC::JSCell::finishCreation):
3168         (JSC::JSCell::type):
3169         (JSC::JSCell::indexingType):
3170         (JSC::JSCell::structure):
3171         (JSC::JSCell::visitChildren):
3172         (JSC::JSCell::isObject):
3173         (JSC::JSCell::isString):
3174         (JSC::JSCell::isGetterSetter):
3175         (JSC::JSCell::isProxy):
3176         (JSC::JSCell::isAPIValueWrapper):
3177         (JSC::JSCell::setStructure):
3178         (JSC::JSCell::methodTable):
3179         (JSC::Heap::writeBarrier):
3180         * runtime/JSDataView.cpp:
3181         (JSC::JSDataView::createStructure):
3182         * runtime/JSDestructibleObject.h:
3183         (JSC::JSCell::classInfo):
3184         * runtime/JSFunction.cpp:
3185         (JSC::JSFunction::getOwnNonIndexPropertyNames):
3186         (JSC::JSFunction::put):
3187         (JSC::JSFunction::defineOwnProperty):
3188         * runtime/JSGenericTypedArrayView.h:
3189         (JSC::JSGenericTypedArrayView::createStructure):
3190         * runtime/JSObject.cpp:
3191         (JSC::getCallableObjectSlow):
3192         (JSC::JSObject::copyButterfly):
3193         (JSC::JSObject::visitButterfly):
3194         (JSC::JSFinalObject::visitChildren):
3195         (JSC::JSObject::getOwnPropertySlotByIndex):
3196         (JSC::JSObject::put):
3197         (JSC::JSObject::putByIndex):
3198         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
3199         (JSC::JSObject::enterDictionaryIndexingMode):
3200         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
3201         (JSC::JSObject::createInitialIndexedStorage):
3202         (JSC::JSObject::createInitialUndecided):
3203         (JSC::JSObject::createInitialInt32):
3204         (JSC::JSObject::createInitialDouble):
3205         (JSC::JSObject::createInitialContiguous):
3206         (JSC::JSObject::createArrayStorage):
3207         (JSC::JSObject::convertUndecidedToInt32):
3208         (JSC::JSObject::convertUndecidedToDouble):
3209         (JSC::JSObject::convertUndecidedToContiguous):
3210         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
3211         (JSC::JSObject::convertUndecidedToArrayStorage):
3212         (JSC::JSObject::convertInt32ToDouble):
3213         (JSC::JSObject::convertInt32ToContiguous):
3214         (JSC::JSObject::convertInt32ToArrayStorage):
3215         (JSC::JSObject::genericConvertDoubleToContiguous):
3216         (JSC::JSObject::convertDoubleToArrayStorage):
3217         (JSC::JSObject::convertContiguousToArrayStorage):
3218         (JSC::JSObject::ensureInt32Slow):
3219         (JSC::JSObject::ensureDoubleSlow):
3220         (JSC::JSObject::ensureContiguousSlow):
3221         (JSC::JSObject::ensureArrayStorageSlow):
3222         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
3223         (JSC::JSObject::switchToSlowPutArrayStorage):
3224         (JSC::JSObject::setPrototype):
3225         (JSC::JSObject::setPrototypeWithCycleCheck):
3226         (JSC::JSObject::putDirectNonIndexAccessor):
3227         (JSC::JSObject::deleteProperty):
3228         (JSC::JSObject::hasOwnProperty):
3229         (JSC::JSObject::deletePropertyByIndex):
3230         (JSC::JSObject::getPrimitiveNumber):
3231         (JSC::JSObject::hasInstance):
3232         (JSC::JSObject::getPropertySpecificValue):
3233         (JSC::JSObject::getPropertyNames):
3234         (JSC::JSObject::getOwnPropertyNames):
3235         (JSC::JSObject::getOwnNonIndexPropertyNames):
3236         (JSC::JSObject::seal):
3237         (JSC::JSObject::freeze):
3238         (JSC::JSObject::preventExtensions):
3239         (JSC::JSObject::reifyStaticFunctionsForDelete):
3240         (JSC::JSObject::removeDirect):
3241         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
3242         (JSC::JSObject::putByIndexBeyondVectorLength):
3243         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
3244         (JSC::JSObject::putDirectIndexBeyondVectorLength):
3245         (JSC::JSObject::getNewVectorLength):
3246         (JSC::JSObject::countElements):
3247         (JSC::JSObject::increaseVectorLength):
3248         (JSC::JSObject::ensureLengthSlow):
3249         (JSC::JSObject::growOutOfLineStorage):
3250         (JSC::JSObject::getOwnPropertyDescriptor):
3251         (JSC::putDescriptor):
3252         (JSC::JSObject::defineOwnNonIndexProperty):
3253         * runtime/JSObject.h:
3254         (JSC::getJSFunction):
3255         (JSC::JSObject::getArrayLength):
3256         (JSC::JSObject::getVectorLength):
3257         (JSC::JSObject::putByIndexInline):
3258         (JSC::JSObject::canGetIndexQuickly):
3259         (JSC::JSObject::getIndexQuickly):
3260         (JSC::JSObject::tryGetIndexQuickly):
3261         (JSC::JSObject::getDirectIndex):
3262         (JSC::JSObject::canSetIndexQuickly):
3263         (JSC::JSObject::canSetIndexQuicklyForPutDirect):
3264         (JSC::JSObject::setIndexQuickly):
3265         (JSC::JSObject::initializeIndex):
3266         (JSC::JSObject::hasSparseMap):
3267         (JSC::JSObject::inSparseIndexingMode):
3268         (JSC::JSObject::getDirect):
3269         (JSC::JSObject::getDirectOffset):
3270         (JSC::JSObject::isSealed):
3271         (JSC::JSObject::isFrozen):
3272         (JSC::JSObject::flattenDictionaryObject):
3273         (JSC::JSObject::ensureInt32):
3274         (JSC::JSObject::ensureDouble):
3275         (JSC::JSObject::ensureContiguous):
3276         (JSC::JSObject::rageEnsureContiguous):
3277         (JSC::JSObject::ensureArrayStorage):
3278         (JSC::JSObject::arrayStorage):
3279         (JSC::JSObject::arrayStorageOrNull):
3280         (JSC::JSObject::ensureLength):
3281         (JSC::JSObject::currentIndexingData):
3282         (JSC::JSObject::getHolyIndexQuickly):
3283         (JSC::JSObject::currentRelevantLength):
3284         (JSC::JSObject::isGlobalObject):
3285         (JSC::JSObject::isVariableObject):
3286         (JSC::JSObject::isStaticScopeObject):
3287         (JSC::JSObject::isNameScopeObject):
3288         (JSC::JSObject::isActivationObject):
3289         (JSC::JSObject::isErrorInstance):
3290         (JSC::JSObject::inlineGetOwnPropertySlot):
3291         (JSC::JSObject::fastGetOwnPropertySlot):
3292         (JSC::JSObject::getPropertySlot):
3293         (JSC::JSObject::putDirectInternal):
3294         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
3295         * runtime/JSPropertyNameIterator.h:
3296         (JSC::JSPropertyNameIterator::createStructure):
3297         * runtime/JSProxy.cpp:
3298         (JSC::JSProxy::getOwnPropertySlot):
3299         (JSC::JSProxy::getOwnPropertySlotByIndex):
3300         (JSC::JSProxy::put):
3301         (JSC::JSProxy::putByIndex):
3302         (JSC::JSProxy::defineOwnProperty):
3303         (JSC::JSProxy::deleteProperty):
3304         (JSC::JSProxy::deletePropertyByIndex):
3305         (JSC::JSProxy::getPropertyNames):
3306         (JSC::JSProxy::getOwnPropertyNames):
3307         * runtime/JSScope.cpp:
3308         (JSC::JSScope::objectAtScope):
3309         * runtime/JSString.h:
3310         (JSC::JSString::createStructure):
3311         (JSC::isJSString):
3312         * runtime/JSType.h:
3313         * runtime/JSTypeInfo.h:
3314         (JSC::TypeInfo::TypeInfo):
3315         (JSC::TypeInfo::isObject):
3316         (JSC::TypeInfo::structureIsImmortal):
3317         (JSC::TypeInfo::zeroedGCDataOffset):
3318         (JSC::TypeInfo::inlineTypeFlags):
3319         * runtime/MapData.h:
3320         * runtime/ObjectConstructor.cpp:
3321         (JSC::objectConstructorGetOwnPropertyNames):
3322         (JSC::objectConstructorKeys):
3323         (JSC::objectConstructorDefineProperty):
3324         (JSC::defineProperties):
3325         (JSC::objectConstructorSeal):
3326         (JSC::objectConstructorFreeze):
3327         (JSC::objectConstructorIsSealed):
3328         (JSC::objectConstructorIsFrozen):
3329         * runtime/ObjectPrototype.cpp:
3330         (JSC::objectProtoFuncDefineGetter):
3331         (JSC::objectProtoFuncDefineSetter):
3332         (JSC::objectProtoFuncToString):
3333         * runtime/Operations.cpp:
3334         (JSC::jsTypeStringForValue):
3335         (JSC::jsIsObjectType):
3336         * runtime/Operations.h:
3337         (JSC::normalizePrototypeChainForChainAccess):
3338         (JSC::normalizePrototypeChain):
3339         * runtime/PropertyMapHashTable.h:
3340         (JSC::PropertyTable::createStructure):
3341         * runtime/RegExp.h:
3342         (JSC::RegExp::createStructure):
3343         * runtime/SparseArrayValueMap.h:
3344         * runtime/Structure.cpp:
3345         (JSC::Structure::Structure):
3346         (JSC::Structure::~Structure):
3347         (JSC::Structure::prototypeChainMayInterceptStoreTo):
3348         * runtime/Structure.h:
3349         (JSC::Structure::id):
3350         (JSC::Structure::idBlob):
3351         (JSC::Structure::objectInitializationFields):
3352         (JSC::Structure::structureIDOffset):
3353         * runtime/StructureChain.h:
3354         (JSC::StructureChain::createStructure):
3355         * runtime/StructureIDTable.cpp: Added.
3356         (JSC::StructureIDTable::StructureIDTable):
3357         (JSC::StructureIDTable::~StructureIDTable):
3358         (JSC::StructureIDTable::resize):
3359         (JSC::StructureIDTable::flushOldTables):
3360         (JSC::StructureIDTable::allocateID):
3361         (JSC::StructureIDTable::deallocateID):
3362         * runtime/StructureIDTable.h: Added.
3363         (JSC::StructureIDTable::base):
3364         (JSC::StructureIDTable::get):
3365         * runtime/SymbolTable.h:
3366         * runtime/TypedArrayType.cpp:
3367         (JSC::typeForTypedArrayType):
3368         * runtime/TypedArrayType.h:
3369         * runtime/WeakMapData.h:
3370
3371 2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>
3372
3373         Unconditional logging in compileFTLOSRExit
3374         https://bugs.webkit.org/show_bug.cgi?id=129407
3375
3376         Reviewed by Michael Saboff.
3377
3378         This was causing tests to fail with the FTL enabled.
3379
3380         * ftl/FTLOSRExitCompiler.cpp:
3381         (JSC::FTL::compileFTLOSRExit):
3382
3383 2014-02-26  Oliver Hunt  <oliver@apple.com>
3384
3385         Remove unused access types
3386         https://bugs.webkit.org/show_bug.cgi?id=129385
3387
3388         Reviewed by Filip Pizlo.
3389
3390         Remove unused cruft.
3391
3392         * bytecode/CodeBlock.cpp:
3393         (JSC::CodeBlock::printGetByIdCacheStatus):
3394         * bytecode/StructureStubInfo.cpp:
3395         (JSC::StructureStubInfo::deref):
3396         * bytecode/StructureStubInfo.h:
3397         (JSC::isGetByIdAccess):
3398         (JSC::isPutByIdAccess):
3399
3400 2014-02-26  Oliver Hunt  <oliver@apple.com>
3401
3402         Function.prototype.apply has a bad time with the spread operator
3403         https://bugs.webkit.org/show_bug.cgi?id=129381
3404
3405         Reviewed by Mark Hahnenberg.
3406
3407         Make sure our apply logic handles the spread operator correctly.
3408         To do this we simply emit the enumeration logic that we'd normally
3409         use for other enumerations, but only store the first two results
3410         to registers.  Then perform a varargs call.
3411
3412         * bytecompiler/NodesCodegen.cpp:
3413         (JSC::ApplyFunctionCallDotNode::emitBytecode):
3414
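The semantics this entry has the bytecompiler preserve, as an added example that is not WebKit code or part of the ChangeLog: when the arguments to Function.prototype.apply are supplied with the spread operator, the spread is enumerated like any other spread (side effects of every element run), but apply only uses the first two results, the |this| value and the argument array. target() and the sample inputs below are constructed for the example; the generator case shows that enumeration runs to completion, and the one-element case shows apply being called with an undefined argument array.

```javascript
// Added example, not code from WebKit: exercises the semantics that
// Function.prototype.apply must preserve when its arguments arrive via
// the spread operator. The spread is enumerated like any other spread,
// but apply only uses the first two results: |this|, then the argument
// array. target() and the sample inputs below are constructed here.

function target(a, b, c) {
  return { self: this, args: [a, b, c], count: arguments.length };
}

// Spread of an array literal: [thisArg, argsArray].
function applyWithSpreadArray() {
  const receiver = { name: "receiver" };
  const spreadSource = [receiver, [1, 2, 3]];
  const result = target.apply(...spreadSource);
  return { receiver, result };
}

// Spread of a lazy iterable. The log records that enumeration runs to
// completion (the third yield's side effect happens) even though apply
// only consumes the first two values.
function applyWithSpreadGenerator() {
  const consumed = [];
  const receiver = { name: "gen-receiver" };
  function* source() {
    consumed.push("this"); yield receiver;
    consumed.push("args"); yield ["x", "y"];
    consumed.push("extra"); yield "ignored by apply";
  }
  const result = target.apply(...source());
  return { receiver, result, consumed };
}

// Spread that yields only one value: apply sees argArray === undefined
// and must call the target with an empty argument list.
function applyWithShortSpread() {
  return target.apply(...[{ name: "lonely" }]);
}

// The reference behaviour: the same call written without spread.
function applyWithoutSpread(receiver, args) {
  return target.apply(receiver, args);
}

// Compare a spread-based call with its non-spread equivalent.
function sameOutcome(spreadResult, receiver, args) {
  const ref = applyWithoutSpread(receiver, args);
  return spreadResult.self === ref.self
    && spreadResult.count === ref.count
    && spreadResult.args.every((v, i) => v === ref.args[i]);
}

if (typeof require !== "undefined" && require.main === module) {
  const { receiver, result } = applyWithSpreadArray();
  console.log("spread array matches plain apply:", sameOutcome(result, receiver, [1, 2, 3]));
  const gen = applyWithSpreadGenerator();
  console.log("generator consumed:", gen.consumed.join(","));
  console.log("short spread argument count:", applyWithShortSpread().count);
}
```

Run with node; each helper returns what the target observed so the spread and non-spread forms can be compared directly.
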
3415 2014-02-26  Mark Lam  <mark.lam@apple.com>
3416
3417         Compilation policy management belongs in operationOptimize(), not the DFG Driver.
3418         <https://webkit.org/b/129355>
3419
3420         Reviewed by Filip Pizlo.
3421
3422         By compilation policy, I mean the rules for determining whether to
3423         compile, when to compile, when to attempt compilation again, etc.  The
3424         few of these policy decisions that were previously being made in the
3425         DFG driver are now moved to operationOptim