32596b88fec20a9666eeec026ee50e3ff77c778a
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2014-03-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        MarkedBlocks that are "full enough" shouldn't be swept after EdenCollections
        https://bugs.webkit.org/show_bug.cgi?id=129920

        Reviewed by Geoffrey Garen.

        This patch introduces the notion of "retiring" MarkedBlocks. We retire a MarkedBlock
        when the amount of free space in a MarkedBlock drops below a certain threshold.
        Retired blocks are not considered for sweeping.

        This is profitable because it reduces churn during sweeping. To build a free list,
        we have to scan through each cell in a block. After a collection, all objects that
        are live in the block will remain live until the next FullCollection, at which time
        we un-retire all previously retired blocks. Thus, a small number of objects in a block
        that die during each EdenCollection could cause us to do a disproportionate amount of
        sweeping for how much free memory we get back.

        This patch looks like a consistent ~2% progression on boyer and is neutral everywhere else.

        * heap/Heap.h:
        (JSC::Heap::didRetireBlockWithFreeListSize):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::tryAllocateHelper):
        (JSC::MarkedAllocator::removeBlock):
        (JSC::MarkedAllocator::reset):
        * heap/MarkedAllocator.h:
        (JSC::MarkedAllocator::MarkedAllocator):
        (JSC::MarkedAllocator::forEachBlock):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::sweepHelper):
        (JSC::MarkedBlock::clearMarksWithCollectionType):
        (JSC::MarkedBlock::didRetireBlock):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::willRemoveBlock):
        (JSC::MarkedBlock::isLive):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::clearNewlyAllocated):
        (JSC::MarkedSpace::clearMarks):
        * runtime/Options.h:

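An added model of the retiring policy the entry above describes (written for this page, not JavaScriptCore's heap code): a block whose free space after a sweep falls below a threshold is skipped by eden sweeps and un-retired by the next full collection, and the model counts how many cells each policy scans to recover the same memory. The block count, cell count, threshold and the "one object per block dies per cycle" workload are assumptions of the example.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Model of one MarkedBlock: every cell is free, or holds an object that is
// either marked (reached by the last collection) or unmarked (dead, not yet swept).
struct Block {
    std::vector<bool> allocated;
    std::vector<bool> marked;
    bool retired = false;

    explicit Block(size_t cells) : allocated(cells, true), marked(cells, true) { }

    size_t freeCells() const {
        size_t n = 0;
        for (bool a : allocated) n += !a;
        return n;
    }

    // The mutator lets one live object die: its cell stays allocated but is no
    // longer marked, so only a sweep of this block can turn it into free space.
    void killOneObject() {
        for (size_t i = 0; i < allocated.size(); ++i) {
            if (allocated[i] && marked[i]) { marked[i] = false; return; }
        }
    }
};

struct SweepStats {
    size_t cellsScanned = 0;   // work spent building free lists
    size_t cellsFreed = 0;     // memory actually recovered
};

// A MarkedSpace with the retiring policy as a switch. minFreeCells is an assumed
// threshold for this model, not the name or value of JSC's option.
struct Space {
    std::vector<Block> blocks;
    size_t minFreeCells;
    bool retiring;

    Space(size_t blockCount, size_t cellsPerBlock, size_t minFree, bool retire)
        : blocks(blockCount, Block(cellsPerBlock)), minFreeCells(minFree), retiring(retire) { }

    // Sweeping scans every cell of a block to build its free list. A block whose free
    // space ends up below the threshold is retired and skipped by later eden sweeps.
    void sweepBlock(Block& b, SweepStats& s) {
        for (size_t i = 0; i < b.allocated.size(); ++i) {
            ++s.cellsScanned;
            if (b.allocated[i] && !b.marked[i]) { b.allocated[i] = false; ++s.cellsFreed; }
        }
        if (retiring && b.freeCells() < minFreeCells)
            b.retired = true;
    }

    SweepStats edenCollection() {
        SweepStats s;
        for (Block& b : blocks) {
            b.killOneObject();
            if (!b.retired) sweepBlock(b, s);
        }
        return s;
    }

    // A full collection un-retires every block before sweeping, so nothing stays unswept forever.
    SweepStats fullCollection() {
        SweepStats s;
        for (Block& b : blocks) {
            b.retired = false;
            b.killOneObject();
            sweepBlock(b, s);
        }
        return s;
    }
};

// Workload from the ChangeLog's argument: a single object per block dies before each
// eden collection, then a full collection runs. Returns total scanning and freeing done.
SweepStats runScenario(bool retiring, size_t edenCycles = 3) {
    Space space(4, 64, 8, retiring);   // 4 blocks of 64 cells; retire below 8 free cells (assumed)
    SweepStats total;
    for (size_t i = 0; i < edenCycles; ++i) {
        SweepStats s = space.edenCollection();
        total.cellsScanned += s.cellsScanned;
        total.cellsFreed += s.cellsFreed;
    }
    SweepStats s = space.fullCollection();
    total.cellsScanned += s.cellsScanned;
    total.cellsFreed += s.cellsFreed;
    return total;
}

int main() {
    for (bool retiring : { false, true }) {
        SweepStats s = runScenario(retiring);
        std::printf("retiring=%d scanned=%zu freed=%zu\n", retiring, s.cellsScanned, s.cellsFreed);
    }
    return 0;
}
```

Both policies recover the same 16 cells, but the retiring policy scans half as many cells because blocks that gave back almost nothing are left alone until the full collection.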
2014-03-11  Andreas Kling  <akling@apple.com>

        Streamline PropertyTable for lookup-only access.
        <https://webkit.org/b/130060>

        The PropertyTable lookup algorithm was written to support both read
        and write access. This wasn't actually needed in most places.

        This change adds a PropertyTable::get() that just returns the value
        type (instead of an insertion iterator.) It also adds an early return
        for empty tables.

        Finally, up the minimum table capacity from 8 to 16. It was lowered
        to 8 in order to save memory, but that was before PropertyTables were
        GC allocated. Nowadays we don't have nearly as many tables, since all
        the unpinned transitions die off.

        Reviewed by Darin Adler.

        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::get):
        * runtime/Structure.cpp:
        (JSC::Structure::despecifyDictionaryFunction):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::get):
        (JSC::Structure::despecifyFunction):
        * runtime/StructureInlines.h:
        (JSC::Structure::get):

2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        REGRESSION(r165407): DoYouEvenBench crashes in DRT
        https://bugs.webkit.org/show_bug.cgi?id=130066

        Reviewed by Geoffrey Garen.

        The baseline JIT does a conditional store barrier for the put_by_id, but we need
        an unconditional store barrier so that we cover the butterfly case as well in emitPutTransitionStub.

        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitWriteBarrier):

2014-03-10  Mark Lam  <mark.lam@apple.com>

        Resurrect bit-rotted JIT::probe() mechanism.
        <https://webkit.org/b/130067>

        Reviewed by Geoffrey Garen.

        * jit/JITStubs.cpp:
        - Added the needed #include <wtf/InlineASM.h>.

2014-03-10  Joseph Pecoraro  <pecoraro@apple.com>

        Fix typo in EXCLUDED_SOURCE_FILE_NAMES_iphoneos.

        Rubber-stamped by Dan Bernstein.

        * Configurations/JavaScriptCore.xcconfig:

2014-03-10  Mark Lam  <mark.lam@apple.com>

        r165414 broke the 32-bit x86 tests: ASSERTION FAILED: result != InvalidIndex @ GPRInfo.h:330.
        <https://webkit.org/b/130065>

        Reviewed by Michael Saboff.

        There is code in ScratchRegisterAllocator.cpp that is relying on GPRInfo::toIndex()
        being able to return InvalidIndex.  Hence, the assertion is invalid.  Ditto for
        FPRInfo::toIndex().

        The fix is to remove the "result != InvalidIndex" assertions.

        * jit/FPRInfo.h:
        (JSC::FPRInfo::toIndex):
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toIndex):

2014-03-10  Mark Lam  <mark.lam@apple.com>

        Crash on a stack overflow on 32-bit x86 in http/tests/websocket/tests/hybi/workers/no-onmessage-in-sync-op.html.
        <https://webkit.org/b/129955>

        Reviewed by Geoffrey Garen.

        The 32-bit x86 version of getHostCallReturnValue() was leaking 16 bytes
        stack memory every time it was called.  This is now fixed.

        * jit/JITOperations.cpp:

2014-03-10  Joseph Pecoraro  <pecoraro@apple.com>

        Better JSContext API for named evaluations (other than //# sourceURL)
        https://bugs.webkit.org/show_bug.cgi?id=129911

        Reviewed by Geoffrey Garen.

        * API/JSBase.h:
        * API/JSContext.h:
        * API/JSContext.mm:
        (-[JSContext evaluateScript:]):
        (-[JSContext evaluateScript:withSourceURL:]):
        Add new evaluateScript:withSourceURL:.

        * API/tests/testapi.c:
        (main):
        * API/tests/testapi.mm:
        (testObjectiveCAPI):
        Add tests for sourceURL in evaluate APIs. It should
        affect the exception objects.

2014-03-10  Filip Pizlo  <fpizlo@apple.com>

        Repatch should save and restore all used registers - not just temp ones - when making a call
        https://bugs.webkit.org/show_bug.cgi?id=130041

        Reviewed by Geoffrey Garen and Mark Hahnenberg.

        The save/restore code was written back when the only client was the DFG, which only uses a
        subset of hardware registers: the "temp" registers in our lingo. But the FTL may use many
        other registers, especially on ARM64. The fact that Repatch doesn't know to save those can
        lead to data corruption on ARM64.

        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::calleeSaveRegisters):
        (JSC::RegisterSet::numberOfSetGPRs):
        (JSC::RegisterSet::numberOfSetFPRs):
        * jit/RegisterSet.h:
        * jit/Repatch.cpp:
        (JSC::storeToWriteBarrierBuffer):
        (JSC::emitPutTransitionStub):
        * jit/ScratchRegisterAllocator.cpp:
        (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
        (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
        (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
        (JSC::ScratchRegisterAllocator::usedRegistersForCall):
        (JSC::ScratchRegisterAllocator::desiredScratchBufferSizeForCall):
        (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
        (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
        * jit/ScratchRegisterAllocator.h:

2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove ConditionalStore barrier
        https://bugs.webkit.org/show_bug.cgi?id=130040

        Reviewed by Geoffrey Garen.

        ConditionalStoreBarrier was created when barriers were much more expensive. Now that
        they're cheap(er), we can get rid of them. This also allows us to get rid of the write
        barrier logic in emitPutTransitionStub because we always will have executed a write barrier
        on the base object in the case where we are allocating and storing a new Butterfly into it.
        Previously, a ConditionalStoreBarrier might or might not have barrier-ed the base object,
        so we'd have to emit a write barrier in the transition case.

        This is performance neutral on the benchmarks we track.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::insertStoreBarrier):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isStoreBarrier):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        * jit/Repatch.cpp:
        (JSC::emitPutTransitionStub):

2014-03-10  Filip Pizlo  <fpizlo@apple.com>

        DFG and FTL should know that comparing anything to Misc is cheap and easy
        https://bugs.webkit.org/show_bug.cgi?id=130001

        Reviewed by Geoffrey Garen.

        - Expand CompareStrictEq(Misc:, Misc:) to work for cases where either side of the
          comparison is just Untyped:.

        - This obviates the need for CompareStrictEqConstant, so remove it.

        - FTL had a thing called "Nully" which is really "Other". Rename it and add
          OtherUse.

        9% speed-up on box2d.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isBinaryUseKind):
        (JSC::DFG::Node::shouldSpeculateOther):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::isNotOther):
        (JSC::FTL::LowerDFGToLLVM::isOther):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
        (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
        (JSC::FTL::LowerDFGToLLVM::speculateOther):
        (JSC::FTL::LowerDFGToLLVM::speculateMisc):
        * tests/stress/compare-strict-eq-integer-to-misc.js: Added.

2014-03-10  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, remove unintended change.

        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):

2014-03-10  Filip Pizlo  <fpizlo@apple.com>

        jsc commandline shouldn't have a "console" because that confuses some tests into thinking
        that they're running in the browser.

        Rubber stamped by Mark Hahnenberg.

        * jsc.cpp:
        (GlobalObject::finishCreation):

2014-03-10  Filip Pizlo  <fpizlo@apple.com>

        Out-line ScratchRegisterAllocator

        Rubber stamped by Mark Hahnenberg.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * jit/ScratchRegisterAllocator.cpp: Added.
        (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
        (JSC::ScratchRegisterAllocator::~ScratchRegisterAllocator):
        (JSC::ScratchRegisterAllocator::lock):
        (JSC::ScratchRegisterAllocator::allocateScratch):
        (JSC::ScratchRegisterAllocator::allocateScratchGPR):
        (JSC::ScratchRegisterAllocator::allocateScratchFPR):
        (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
        (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
        (JSC::ScratchRegisterAllocator::desiredScratchBufferSize):
        (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
        (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
        * jit/ScratchRegisterAllocator.h:

2014-03-10  Brent Fulgham  <bfulgham@apple.com>

        [Win] Pass environment to Pre-Build, Pre-link, and Post-Build Stages.
        https://bugs.webkit.org/show_bug.cgi?id=130023

        Reviewed by Dean Jackson.

        * JavaScriptCore.vcxproj/JavaScriptCore.proj: Avoid trailing backslashes in
        path names to avoid accidental escaping of later string substitutions.

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for testb_i8r when register is accumulator.
        <https://webkit.org/b/130026>

        Generate the shorthand version of "test al, imm" when possible.

        Reviewed by Michael Saboff.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::testb_i8r):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for sub_ir when register is accumulator.
        <https://webkit.org/b/130025>

        Generate the shorthand version of "sub eax, imm" when possible.

        Reviewed by Michael Saboff.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::subl_ir):
        (JSC::X86Assembler::subq_ir):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for add_ir when register is accumulator.
        <https://webkit.org/b/130024>

        Generate the shorthand version of "add eax, imm" when possible.

        Reviewed by Michael Saboff.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::addl_ir):
        (JSC::X86Assembler::addq_ir):

2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        writeBarrier in emitPutReplaceStub is unnecessary
        https://bugs.webkit.org/show_bug.cgi?id=130030

        Reviewed by Filip Pizlo.

        We already emit write barriers for each put-by-id when they're first compiled, so it's
        redundant to emit a write barrier as part of the repatched code.

        * jit/Repatch.cpp:
        (JSC::emitPutReplaceStub):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for xor_ir when register is accumulator.
        <https://webkit.org/b/130008>

        Generate the shorthand version of "xor eax, imm" when possible.

        Reviewed by Benjamin Poulain.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::xorl_ir):
        (JSC::X86Assembler::xorq_ir):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for or_ir when register is accumulator.
        <https://webkit.org/b/130007>

        Generate the shorthand version of "or eax, imm" when possible.

        Reviewed by Benjamin Poulain.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::orl_ir):
        (JSC::X86Assembler::orq_ir):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for test_ir when register is accumulator.
        <https://webkit.org/b/130006>

        Generate the shorthand version of "test eax, imm" when possible.

        Reviewed by Benjamin Poulain.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::testl_i32r):
        (JSC::X86Assembler::testq_i32r):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for cmp_ir when register is accumulator.
        <https://webkit.org/b/130005>

        Generate the shorthand version of "cmp eax, imm" when possible.

        Reviewed by Benjamin Poulain.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::cmpl_ir):
        (JSC::X86Assembler::cmpq_ir):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for store64(imm, address) when imm fits in 32 bits.
        <https://webkit.org/b/130002>

        Generate this:

            mov [address], imm32

        Instead of this:

            mov scratchRegister, imm32
            mov [address], scratchRegister

        For store64(imm, address) where the 64-bit immediate can be passed as
        a sign-extended 32-bit value.

        Reviewed by Benjamin Poulain.

        * assembler/MacroAssemblerX86_64.h:
        (CAN_SIGN_EXTEND_32_64):
        (JSC::MacroAssemblerX86_64::store64):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for xchg_rr when one register is accumulator.
        <https://webkit.org/b/130004>

        Generate the 1-byte version of "xchg eax, reg" when possible.

        Reviewed by Benjamin Poulain.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::xchgl_rr):
        (JSC::X86Assembler::xchgq_rr):

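An added example, not WebKit's X86Assembler: a stand-alone encoder that applies the accumulator shorthand the entries above describe for add, or, sub, xor, cmp, test and xchg, so the byte-level saving of each short form can be checked against a known encoding. It covers the 32-bit register forms only (the 8-bit testb, the REX-prefixed 64-bit and r8..r15 variants and store64 are left out), keeps the 83 /digit ib form for byte-sized immediates as the real assembler does, and uses register and operation names of its own.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

using Bytes = std::vector<uint8_t>;

// 32-bit general-purpose registers in x86 encoding order (the value goes in ModRM.rm).
enum Reg32 : uint8_t { eax = 0, ecx = 1, edx = 2, ebx = 3, esp = 4, ebp = 5, esi = 6, edi = 7 };

// Group-1 ALU operations, named by the /digit they use in the 81 and 83 opcode groups.
enum class Alu : uint8_t { Add = 0, Or = 1, Sub = 5, Xor = 6, Cmp = 7 };

static bool canSignExtend8To32(int32_t v) { return v == static_cast<int8_t>(v); }

static void appendImm32(Bytes& out, int32_t imm)
{
    uint32_t u = static_cast<uint32_t>(imm);
    for (int i = 0; i < 4; ++i)
        out.push_back(static_cast<uint8_t>(u >> (8 * i)));   // little-endian immediate
}

// Encode "op reg, imm" choosing the shortest legal form:
//   imm fits in a sign-extended byte   -> 83 /digit ib   (3 bytes, any register)
//   reg is eax and imm needs 32 bits   -> opcode id      (5 bytes: 05 add, 0D or, 2D sub, 35 xor, 3D cmp)
//   otherwise                          -> 81 /digit id   (6 bytes)
Bytes encodeAluImm(Alu op, Reg32 reg, int32_t imm)
{
    Bytes out;
    uint8_t digit = static_cast<uint8_t>(op);
    uint8_t modrm = 0xC0 | (digit << 3) | reg;   // mod=11 register-direct, reg=/digit, rm=reg
    if (canSignExtend8To32(imm)) {
        out = { 0x83, modrm, static_cast<uint8_t>(imm & 0xFF) };
        return out;
    }
    if (reg == eax)
        out.push_back(static_cast<uint8_t>((digit << 3) | 0x05));   // accumulator short form
    else
        out = { 0x81, modrm };
    appendImm32(out, imm);
    return out;
}

// "test reg, imm32": F7 /0 id in general, A9 id when reg is eax. There is no
// sign-extended imm8 form of test, so the accumulator form is the only saving available.
Bytes encodeTestImm(Reg32 reg, int32_t imm)
{
    Bytes out;
    if (reg == eax)
        out = { 0xA9 };
    else
        out = { 0xF7, static_cast<uint8_t>(0xC0 | reg) };
    appendImm32(out, imm);
    return out;
}

// "xchg a, b": the one-byte 90+r form when either side is eax, otherwise 87 /r (2 bytes).
Bytes encodeXchg(Reg32 a, Reg32 b)
{
    if (a == eax) return { static_cast<uint8_t>(0x90 | b) };
    if (b == eax) return { static_cast<uint8_t>(0x90 | a) };
    return { 0x87, static_cast<uint8_t>(0xC0 | (a << 3) | b) };
}

int main()
{
    // Same operation on the accumulator and on another register: 5 bytes versus 6.
    for (Reg32 reg : { eax, ecx }) {
        for (uint8_t byte : encodeAluImm(Alu::Add, reg, 0x12345678))
            std::printf("%02X ", byte);
        std::printf("\n");
    }
    return 0;
}
```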
484 2014-03-09  Filip Pizlo  <fpizlo@apple.com>
485
486         GPRInfo::toIndex should return InvalidIndex for non-temp registers on ARM64
487         https://bugs.webkit.org/show_bug.cgi?id=129998
488
489         Reviewed by Geoffrey Garen.
490         
491         Not only is that the established contract, but this is used to signal to
492         ScratchRegisterAllocator that the register doesn't need locking since it isn't a register
493         that this allocator would use. In the FTL, we may have an inline cache where LLVM had used
494         some non-temp register (i.e. a register that JSC itself wouldn't have used). This is totally
495         fine but previously it would have led to either an assertion failure, or data corruption, in
496         the ScratchRegisterAllocator.
497
498         * jit/GPRInfo.h:
499         (JSC::GPRInfo::toIndex):
500
501 2014-03-09  Filip Pizlo  <fpizlo@apple.com>
502
503         FTL fails the new equals-masquerader strictEqualConstant test
504         https://bugs.webkit.org/show_bug.cgi?id=129996
505
506         Reviewed by Mark Lam.
507         
508         It turns out that the FTL was trying to do the masquerading stuff for ===null. But
509         that's wrong since none of the other engines do it. The DFG even had an ancient
510         FIXME about doing it - but that doesn't make sense since the LLInt and baseline JIT
511         don't do it and JSValue::strictEqual() doesn't do it.
512         
513         Remove the FIXME and remove the extra checks in the FTL.
514         
515         This is a glorious patch: nothing but red and it fixes a test failure.
516
517         * dfg/DFGSpeculativeJIT.cpp:
518         (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
519         * ftl/FTLLowerDFGToLLVM.cpp:
520         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
521
522 2014-03-09  Andreas Kling  <akling@apple.com>
523
524         Short-circuit JSGlobalObjectInspectorController when not inspecting.
525         <https://webkit.org/b/129995>
526
527         Add an early return in reportAPIException() when the console agent
528         is disabled. This avoids expensive symbolication during exceptions
529         if there's nobody expecting the fancy backtrace anyway.
530
531         ~2% progression on DYEB on my MBP.
532
533         Reviewed by Geoff Garen.
534
535         * inspector/JSGlobalObjectInspectorController.cpp:
536         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
537
538 2014-03-09  Andreas Kling  <akling@apple.com>
539
540         Inline the trivial parts of GC deferral.
541         <https://webkit.org/b/129984>
542
543         Made most of the functions called by the DeferGC RAII object inline
544         to avoid function call overhead.
545
546         Looks like ~1% progression on DYEB.
547
548         Reviewed by Geoffrey Garen.
549
550         * heap/Heap.cpp:
551         * heap/Heap.h:
552         (JSC::Heap::incrementDeferralDepth):
553         (JSC::Heap::decrementDeferralDepth):
554         (JSC::Heap::collectIfNecessaryOrDefer):
555         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
556
557 2014-03-08  Mark Lam  <mark.lam@apple.com>
558
559         32-bit x86 handleUncaughtException returns to wrong location after a stack overflow.
560         <https://webkit.org/b/129969>
561
562         Reviewed by Geoffrey Garen.
563
564         The 32-bit version of handleUncaughtException was missing the handling of an
565         edge case for stack overflows where the current frame may already be the
566         sentinel frame.  This edge case was handled in the 64-bit version.  The fix
567         is to bring the 32-bit version up to parity.
568
569         * jit/JIT.cpp:
570         (JSC::JIT::privateCompile):
571         * llint/LowLevelInterpreter32_64.asm:
572
573 2014-03-07  Mark Lam  <mark.lam@apple.com>
574
575         Fix bugs in 32-bit Structure implementation.
576         <https://webkit.org/b/129947>
577
578         Reviewed by Mark Hahnenberg.
579
580         Added the loading of the Structure (from the JSCell) before use that was
581         missing in a few places.  Also added more test cases to equals-masquerader.js.
582
583         * dfg/DFGSpeculativeJIT32_64.cpp:
584         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
585         (JSC::DFG::SpeculativeJIT::compile):
586         * dfg/DFGSpeculativeJIT64.cpp:
587         (JSC::DFG::SpeculativeJIT::compile):
588         * llint/LowLevelInterpreter32_64.asm:
589         * tests/stress/equals-masquerader.js:
590         (equalsNull):
591         (notEqualsNull):
592         (strictEqualsNull):
593         (strictNotEqualsNull):
594         (equalsUndefined):
595         (notEqualsUndefined):
596         (strictEqualsUndefined):
597         (strictNotEqualsUndefined):
598         (isFalsey):
599         (test):
600
601 2014-03-07  Andrew Trick  <atrick@apple.com>
602
603         Temporarily disable repeat-out-of-bounds stress tests pending fix for 129953.
604         https://bugs.webkit.org/show_bug.cgi?id=129954
605
606         Reviewed by Filip Pizlo.
607
608         * tests/stress/float32-repeat-out-of-bounds.js:
609         * tests/stress/int8-repeat-out-of-bounds.js:
610
611 2014-03-07  Michael Saboff  <msaboff@apple.com>
612
613         .cfi directives in LowLevelInterpreter.cpp are providing no benefit
614         https://bugs.webkit.org/show_bug.cgi?id=129945
615
616         Reviewed by Mark Lam.
617
618         Removed .cfi directive.  Verified that stack traces didn't regress in crash reporter
619         or in lldb.
620
621         * llint/LowLevelInterpreter.cpp:
622
623 2014-03-07  Oliver Hunt  <oliver@apple.com>
624
625         Continue hangs when performing for-of over arguments
626         https://bugs.webkit.org/show_bug.cgi?id=129915
627
628         Reviewed by Geoffrey Garen.
629
630         Put the continue label in the right place
631
632         * bytecompiler/BytecodeGenerator.cpp:
633         (JSC::BytecodeGenerator::emitEnumeration):
634
635 2014-03-07  peavo@outlook.com  <peavo@outlook.com>
636
637         [Win64] Compile error after r165128.
638         https://bugs.webkit.org/show_bug.cgi?id=129807
639
640         Reviewed by Mark Lam.
641
642         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: 
643         Check platform environment variable to determine if an assembler file should be generated.
644
645 2014-03-07  Michael Saboff  <msaboff@apple.com>
646
647         Clarify how we deal with "special" registers
648         https://bugs.webkit.org/show_bug.cgi?id=129806
649
650         Already reviewed change being relanded.
651
652         Relanding change set r165196 as it wasn't responsible for the breakage reported in
653         https://bugs.webkit.org/show_bug.cgi?id=129822.  That appears to be a build or
654
655         Reviewed by Michael Saboff.
656         configuration issue.
657
658         * assembler/ARM64Assembler.h:
659         (JSC::ARM64Assembler::lastRegister):
660         * assembler/MacroAssembler.h:
661         (JSC::MacroAssembler::nextRegister):
662         * ftl/FTLLocation.cpp:
663         (JSC::FTL::Location::restoreInto):
664         * ftl/FTLSaveRestore.cpp:
665         (JSC::FTL::saveAllRegisters):
666         (JSC::FTL::restoreAllRegisters):
667         * ftl/FTLSlowPathCall.cpp:
668         * jit/RegisterSet.cpp:
669         (JSC::RegisterSet::reservedHardwareRegisters):
670         (JSC::RegisterSet::runtimeRegisters):
671         (JSC::RegisterSet::specialRegisters):
672         (JSC::RegisterSet::calleeSaveRegisters):
673         * jit/RegisterSet.h:
674
675 2014-03-07  Mark Hahnenberg  <mhahnenberg@apple.com>
676
677         Move GCActivityCallback to heap
678         https://bugs.webkit.org/show_bug.cgi?id=129457
679
680         Reviewed by Geoffrey Garen.
681
682         All the other GC timer related stuff is there already.
683
684         * CMakeLists.txt:
685         * GNUmakefile.list.am:
686         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
687         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
688         * JavaScriptCore.xcodeproj/project.pbxproj:
689         * heap/GCActivityCallback.cpp: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.cpp.
690         * heap/GCActivityCallback.h: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.h.
691         * runtime/GCActivityCallback.cpp: Removed.
692         * runtime/GCActivityCallback.h: Removed.
693
694 2014-03-07  Andrew Trick  <atrick@apple.com>
695
696         Correct a comment typo from:
697         FLT should call fmod directly on platforms where LLVM cannot relocate the libcall
698         https://bugs.webkit.org/show_bug.cgi?id=129865
699
700         Reviewed by Mark Lam.
701
702         * ftl/FTLOutput.h:
703         (JSC::FTL::Output::doubleRem):
704
705 2014-03-07  Mark Hahnenberg  <mhahnenberg@apple.com>
706
707         Use OwnPtr in StructureIDTable
708         https://bugs.webkit.org/show_bug.cgi?id=129828
709
710         Reviewed by Geoffrey Garen.
711
712         This reduces the amount of boilerplate and fixes a memory leak.
713
714         * runtime/StructureIDTable.cpp:
715         (JSC::StructureIDTable::StructureIDTable):
716         (JSC::StructureIDTable::resize):
717         (JSC::StructureIDTable::flushOldTables):
718         (JSC::StructureIDTable::allocateID):
719         (JSC::StructureIDTable::deallocateID):
720         * runtime/StructureIDTable.h:
721         (JSC::StructureIDTable::table):
722         (JSC::StructureIDTable::get):
723
724 2014-03-07  Andrew Trick  <atrick@apple.com>
725
726         FLT should call fmod directly on platforms where LLVM cannot relocate the libcall
727         https://bugs.webkit.org/show_bug.cgi?id=129865
728
729         Reviewed by Filip Pizlo.
730
731         * ftl/FTLIntrinsicRepository.h:
732         * ftl/FTLOutput.h:
733         (JSC::FTL::Output::doubleRem):
734
735 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
736
737         If the FTL is build-time enabled then it should be run-time enabled.
738
739         Rubber stamped by Geoffrey Garen.
740
741         * runtime/Options.cpp:
742         (JSC::recomputeDependentOptions):
743         * runtime/Options.h:
744
745 2014-03-06  Joseph Pecoraro  <pecoraro@apple.com>
746
747         [OS X] Web Inspector: Allow Apps using JavaScriptCore to access "com.apple.webinspector" mach port
748         https://bugs.webkit.org/show_bug.cgi?id=129852
749
750         Reviewed by Geoffrey Garen.
751
752         * framework.sb: Added.
753         Sandbox extension to allow access to "com.apple.webinspector".
754
755         * JavaScriptCore.xcodeproj/project.pbxproj:
756         Add a Copy Resources build phase and include framework.sb.
757
758         * Configurations/JavaScriptCore.xcconfig:
759         Do not copy framework.sb on iOS.
760
761 2014-03-06  Mark Hahnenberg  <mhahnenberg@apple.com>
762
763         JSGlobalContextRelease incorrectly handles saving/restoring IdentifierTable
764         https://bugs.webkit.org/show_bug.cgi?id=129858
765
766         Reviewed by Mark Lam.
767
768         It was correct (but really ugly) prior to the combining of APIEntryShim and JSLock, 
769         but now it ends up overwriting the IdentifierTable that JSLock just restored.
770
771         * API/JSContextRef.cpp:
772         (JSGlobalContextRelease):
773
774 2014-03-06  Oliver Hunt  <oliver@apple.com>
775
776         Fix FTL build.
777
778         * dfg/DFGConstantFoldingPhase.cpp:
779         (JSC::DFG::ConstantFoldingPhase::foldConstants):
780
781 2014-03-06  Brent Fulgham  <bfulgham@apple.com>
782
783         Unreviewed build fix after r165128.
784
785         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: The SEH flag was not getting set when
786         performing 'Production' and 'DebugSuffix' type builds.
787
788 2014-03-06  Julien Brianceau  <jbriance@cisco.com>
789
790         Unreviewed, fix style in my previous commit.
791         https://bugs.webkit.org/show_bug.cgi?id=129833
792
793         * runtime/JSConsole.cpp:
794
795 2014-03-06  Julien Brianceau  <jbriance@cisco.com>
796
797         Build fix: add missing include in JSConsole.cpp.
798         https://bugs.webkit.org/show_bug.cgi?id=129833
799
800         Reviewed by Oliver Hunt.
801
802         * runtime/JSConsole.cpp:
803
804 2014-03-06  Oliver Hunt  <oliver@apple.com>
805
806         Fix ARMv7
807
808         * jit/CCallHelpers.h:
809         (JSC::CCallHelpers::setupArgumentsWithExecState):
810
811 2014-03-06  Commit Queue  <commit-queue@webkit.org>
812
813         Unreviewed, rolling out r165196.
814         http://trac.webkit.org/changeset/165196
815         https://bugs.webkit.org/show_bug.cgi?id=129822
816
817         broke arm64 on hardware (Requested by bfulgham on #webkit).
818
819         * assembler/ARM64Assembler.h:
820         (JSC::ARM64Assembler::lastRegister):
821         * assembler/MacroAssembler.h:
822         (JSC::MacroAssembler::isStackRelated):
823         (JSC::MacroAssembler::firstRealRegister):
824         (JSC::MacroAssembler::nextRegister):
825         (JSC::MacroAssembler::secondRealRegister):
826         * ftl/FTLLocation.cpp:
827         (JSC::FTL::Location::restoreInto):
828         * ftl/FTLSaveRestore.cpp:
829         (JSC::FTL::saveAllRegisters):
830         (JSC::FTL::restoreAllRegisters):
831         * ftl/FTLSlowPathCall.cpp:
832         * jit/RegisterSet.cpp:
833         (JSC::RegisterSet::specialRegisters):
834         (JSC::RegisterSet::calleeSaveRegisters):
835         * jit/RegisterSet.h:
836
837 2014-03-06  Mark Lam  <mark.lam@apple.com>
838
839         REGRESSION(r165205): broke the CLOOP build (Requested by smfr on #webkit).
840         <https://webkit.org/b/129813>
841
842         Reviewed by Michael Saboff.
843
844         Fixed broken C loop LLINT build.
845
846         * llint/LowLevelInterpreter.cpp:
847         (JSC::CLoop::execute):
848         * offlineasm/cloop.rb:
849
850 2014-03-03  Oliver Hunt  <oliver@apple.com>
851
852         Support caching of custom setters
853         https://bugs.webkit.org/show_bug.cgi?id=129519
854
855         Reviewed by Filip Pizlo.
856
857         This patch adds caching of assignment to properties that
858         are backed by C functions. This provides most of the leg
859         work required to start supporting setters, and resolves
860         the remaining regressions from moving DOM properties up
861         the prototype chain.
862
863         * JavaScriptCore.xcodeproj/project.pbxproj:
864         * bytecode/PolymorphicPutByIdList.cpp:
865         (JSC::PutByIdAccess::visitWeak):
866         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
867         (JSC::PolymorphicPutByIdList::from):
868         * bytecode/PolymorphicPutByIdList.h:
869         (JSC::PutByIdAccess::transition):
870         (JSC::PutByIdAccess::replace):
871         (JSC::PutByIdAccess::customSetter):
872         (JSC::PutByIdAccess::isCustom):
873         (JSC::PutByIdAccess::oldStructure):
874         (JSC::PutByIdAccess::chain):
875         (JSC::PutByIdAccess::stubRoutine):
876         * bytecode/PutByIdStatus.cpp:
877         (JSC::PutByIdStatus::computeForStubInfo):
878         (JSC::PutByIdStatus::computeFor):
879         (JSC::PutByIdStatus::dump):
880         * bytecode/PutByIdStatus.h:
881         (JSC::PutByIdStatus::PutByIdStatus):
882         (JSC::PutByIdStatus::takesSlowPath):
883         (JSC::PutByIdStatus::makesCalls):
884         * bytecode/StructureStubInfo.h:
885         * dfg/DFGAbstractInterpreterInlines.h:
886         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
887         * dfg/DFGByteCodeParser.cpp:
888         (JSC::DFG::ByteCodeParser::emitPutById):
889         (JSC::DFG::ByteCodeParser::handlePutById):
890         * dfg/DFGClobberize.h:
891         (JSC::DFG::clobberize):
892         * dfg/DFGCommon.h:
893         * dfg/DFGConstantFoldingPhase.cpp:
894         (JSC::DFG::ConstantFoldingPhase::foldConstants):
895         * dfg/DFGFixupPhase.cpp:
896         (JSC::DFG::FixupPhase::fixupNode):
897         * dfg/DFGNode.h:
898         (JSC::DFG::Node::hasIdentifier):
899         * dfg/DFGNodeType.h:
900         * dfg/DFGPredictionPropagationPhase.cpp:
901         (JSC::DFG::PredictionPropagationPhase::propagate):
902         * dfg/DFGSafeToExecute.h:
903         (JSC::DFG::safeToExecute):
904         * dfg/DFGSpeculativeJIT.cpp:
905         (JSC::DFG::SpeculativeJIT::compileIn):
906         * dfg/DFGSpeculativeJIT.h:
907         * dfg/DFGSpeculativeJIT32_64.cpp:
908         (JSC::DFG::SpeculativeJIT::cachedGetById):
909         (JSC::DFG::SpeculativeJIT::cachedPutById):
910         (JSC::DFG::SpeculativeJIT::compile):
911         * dfg/DFGSpeculativeJIT64.cpp:
912         (JSC::DFG::SpeculativeJIT::cachedGetById):
913         (JSC::DFG::SpeculativeJIT::cachedPutById):
914         (JSC::DFG::SpeculativeJIT::compile):
915         * jit/CCallHelpers.h:
916         (JSC::CCallHelpers::setupArgumentsWithExecState):
917         * jit/JITInlineCacheGenerator.cpp:
918         (JSC::JITByIdGenerator::JITByIdGenerator):
919         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
920         * jit/JITInlineCacheGenerator.h:
921         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
922         * jit/JITOperations.cpp:
923         * jit/JITOperations.h:
924         * jit/JITPropertyAccess.cpp:
925         (JSC::JIT::emit_op_get_by_id):
926         (JSC::JIT::emit_op_put_by_id):
927         * jit/JITPropertyAccess32_64.cpp:
928         (JSC::JIT::emit_op_get_by_id):
929         (JSC::JIT::emit_op_put_by_id):
930         * jit/Repatch.cpp:
931         (JSC::tryCacheGetByID):
932         (JSC::tryBuildGetByIDList):
933         (JSC::emitCustomSetterStub):
934         (JSC::tryCachePutByID):
935         (JSC::tryBuildPutByIdList):
936         * jit/SpillRegistersMode.h: Added.
937         * llint/LLIntSlowPaths.cpp:
938         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
939         * runtime/Lookup.h:
940         (JSC::putEntry):
941         * runtime/PutPropertySlot.h:
942         (JSC::PutPropertySlot::setCacheableCustomProperty):
943         (JSC::PutPropertySlot::customSetter):
944         (JSC::PutPropertySlot::isCacheablePut):
945         (JSC::PutPropertySlot::isCacheableCustomProperty):
946         (JSC::PutPropertySlot::cachedOffset):
947
948 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
949
950         FTL arity fixup should work on ARM64
951         https://bugs.webkit.org/show_bug.cgi?id=129810
952
953         Reviewed by Michael Saboff.
954         
955         - Using regT5 to pass the thunk return address to arityFixup is shady since that's a
956           callee-save.
957         
958         - The FTL path was assuming X86 conventions for where SP points at the top of the prologue.
959         
960         This makes some more tests pass.
961
962         * dfg/DFGJITCompiler.cpp:
963         (JSC::DFG::JITCompiler::compileFunction):
964         * ftl/FTLLink.cpp:
965         (JSC::FTL::link):
966         * jit/AssemblyHelpers.h:
967         (JSC::AssemblyHelpers::prologueStackPointerDelta):
968         * jit/JIT.cpp:
969         (JSC::JIT::privateCompile):
970         * jit/ThunkGenerators.cpp:
971         (JSC::arityFixup):
972         * llint/LowLevelInterpreter64.asm:
973         * offlineasm/arm64.rb:
974         * offlineasm/x86.rb: In addition to the t7 change, make t6 agree with GPRInfo.h.
975
976 2014-03-06  Mark Hahnenberg  <mhahnenberg@apple.com>
977
978         Fix write barriers in Repatch.cpp for !ENABLE(DFG_JIT) platforms after r165128
979         https://bugs.webkit.org/show_bug.cgi?id=129760
980
981         Reviewed by Geoffrey Garen.
982
983         r165128 disabled the write barrier fast path for inline caches on !ENABLE(DFG_JIT) platforms. 
984         The fix is to refactor the write barrier code into AssemblyHelpers and use that everywhere.
985
986         * dfg/DFGSpeculativeJIT.cpp:
987         (JSC::DFG::SpeculativeJIT::writeBarrier):
988         * dfg/DFGSpeculativeJIT.h:
989         * dfg/DFGSpeculativeJIT32_64.cpp:
990         (JSC::DFG::SpeculativeJIT::writeBarrier):
991         * dfg/DFGSpeculativeJIT64.cpp:
992         (JSC::DFG::SpeculativeJIT::writeBarrier):
993         * jit/AssemblyHelpers.h:
994         (JSC::AssemblyHelpers::checkMarkByte):
995         * jit/JIT.h:
996         * jit/JITPropertyAccess.cpp:
997         * jit/Repatch.cpp:
998         (JSC::writeBarrier):
999
1000 2014-03-06  Joseph Pecoraro  <pecoraro@apple.com>
1001
1002         Web Inspector: Expose the console object in JSContexts to interact with Web Inspector
1003         https://bugs.webkit.org/show_bug.cgi?id=127944
1004
1005         Reviewed by Geoffrey Garen.
1006
1007         Always expose the Console object in JSContexts, just like we
1008         do for web pages. The default behavior will route to an
1009         attached JSContext inspector. This can be overridden by
1010         setting the ConsoleClient on the JSGlobalObject, which WebCore
1011         does to get slightly different behavior.
1012
1013         * CMakeLists.txt:
1014         * GNUmakefile.list.am:
1015         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1016         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1017         * JavaScriptCore.xcodeproj/project.pbxproj:
1018         Update build systems.
1019
1020         * API/tests/testapi.js:
1021         * API/tests/testapi.mm:
1022         Test that "console" exists in C and ObjC contexts.
1023
1024         * runtime/ConsoleClient.cpp: Added.
1025         (JSC::ConsoleClient::printURLAndPosition):
1026         (JSC::ConsoleClient::printMessagePrefix):
1027         (JSC::ConsoleClient::printConsoleMessage):
1028         (JSC::ConsoleClient::printConsoleMessageWithArguments):
1029         (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
1030         (JSC::ConsoleClient::logWithLevel):
1031         (JSC::ConsoleClient::clear):
1032         (JSC::ConsoleClient::dir):
1033         (JSC::ConsoleClient::dirXML):
1034         (JSC::ConsoleClient::table):
1035         (JSC::ConsoleClient::trace):
1036         (JSC::ConsoleClient::assertCondition):
1037         (JSC::ConsoleClient::group):
1038         (JSC::ConsoleClient::groupCollapsed):
1039         (JSC::ConsoleClient::groupEnd):
1040         * runtime/ConsoleClient.h: Added.
1041         (JSC::ConsoleClient::~ConsoleClient):
1042         New private interface for handling the console object's methods.
1043         A lot of the methods funnel through messageWithTypeAndLevel.
1044
1045         * runtime/ConsoleTypes.h: Renamed from Source/JavaScriptCore/inspector/ConsoleTypes.h.
1046         Moved to JSC namespace.
1047
1048         * runtime/JSGlobalObject.cpp:
1049         (JSC::JSGlobalObject::JSGlobalObject):
1050         (JSC::JSGlobalObject::init):
1051         (JSC::JSGlobalObject::reset):
1052         (JSC::JSGlobalObject::visitChildren):
1053         Create the "console" object when initializing the environment.
1054         Also set the default console client to be the JS context inspector.
1055
1056         * runtime/JSGlobalObject.h:
1057         (JSC::JSGlobalObject::setConsoleClient):
1058         (JSC::JSGlobalObject::consoleClient):
1059         Ability to change the console client, so WebCore can set a custom client.
1060
1061         * runtime/ConsolePrototype.cpp: Added.
1062         (JSC::ConsolePrototype::finishCreation):
1063         (JSC::valueToStringWithUndefinedOrNullCheck):
1064         (JSC::consoleLogWithLevel):
1065         (JSC::consoleProtoFuncDebug):
1066         (JSC::consoleProtoFuncError):
1067         (JSC::consoleProtoFuncLog):
1068         (JSC::consoleProtoFuncWarn):
1069         (JSC::consoleProtoFuncClear):
1070         (JSC::consoleProtoFuncDir):
1071         (JSC::consoleProtoFuncDirXML):
1072         (JSC::consoleProtoFuncTable):
1073         (JSC::consoleProtoFuncTrace):
1074         (JSC::consoleProtoFuncAssert):
1075         (JSC::consoleProtoFuncCount):
1076         (JSC::consoleProtoFuncProfile):
1077         (JSC::consoleProtoFuncProfileEnd):
1078         (JSC::consoleProtoFuncTime):
1079         (JSC::consoleProtoFuncTimeEnd):
1080         (JSC::consoleProtoFuncTimeStamp):
1081         (JSC::consoleProtoFuncGroup):
1082         (JSC::consoleProtoFuncGroupCollapsed):
1083         (JSC::consoleProtoFuncGroupEnd):
1084         * runtime/ConsolePrototype.h: Added.
1085         (JSC::ConsolePrototype::create):
1086         (JSC::ConsolePrototype::createStructure):
1087         (JSC::ConsolePrototype::ConsolePrototype):
1088         Define the console object interface. Parse out required / expected
1089         arguments and throw exceptions when methods are misused.
1090
1091         * runtime/JSConsole.cpp: Added.
1092         * runtime/JSConsole.h: Added.
1093         (JSC::JSConsole::createStructure):
1094         (JSC::JSConsole::create):
1095         (JSC::JSConsole::JSConsole):
1096         Empty "console" object. Everything is in the prototype.
1097
1098         * inspector/JSConsoleClient.cpp: Added.
1099         (Inspector::JSConsoleClient::JSGlobalObjectConsole):
1100         (Inspector::JSConsoleClient::count):
1101         (Inspector::JSConsoleClient::profile):
1102         (Inspector::JSConsoleClient::profileEnd):
1103         (Inspector::JSConsoleClient::time):
1104         (Inspector::JSConsoleClient::timeEnd):
1105         (Inspector::JSConsoleClient::timeStamp):
1106         (Inspector::JSConsoleClient::warnUnimplemented):
1107         (Inspector::JSConsoleClient::internalAddMessage):
1108         * inspector/JSConsoleClient.h: Added.
1109         * inspector/JSGlobalObjectInspectorController.cpp:
1110         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1111         (Inspector::JSGlobalObjectInspectorController::consoleClient):
1112         * inspector/JSGlobalObjectInspectorController.h:
1113         Default JSContext ConsoleClient implementation. Handle nearly
1114         everything except profile/profileEnd and timeStamp.
1115
1116 2014-03-06  Andreas Kling  <akling@apple.com>
1117
1118         Drop unlinked function code on memory pressure.
1119         <https://webkit.org/b/129789>
1120
1121         Make VM::discardAllCode() also drop UnlinkedFunctionCodeBlocks that
1122         are not currently being compiled.
1123
1124         4.5 MB progression on Membuster.
1125
1126         Reviewed by Geoffrey Garen.
1127
1128         * heap/Heap.cpp:
1129         (JSC::Heap::deleteAllUnlinkedFunctionCode):
1130         * heap/Heap.h:
1131         * runtime/VM.cpp:
1132         (JSC::VM::discardAllCode):
1133
1134 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
1135
1136         Clarify how we deal with "special" registers
1137         https://bugs.webkit.org/show_bug.cgi?id=129806
1138
1139         Reviewed by Michael Saboff.
1140         
1141         Previously we had two different places that defined what "stack" registers are, a thing
1142         called "specialRegisters" that had unclear meaning, and a really weird "firstRealRegister"/
1143         "secondRealRegister"/"nextRegister" idiom in MacroAssembler that appeared to only be used by
1144         one place and had a baked-in notion of what it meant for a register to be "real" or not.
1145         
1146         It's not cool to use words like "real" and "special" to describe registers, especially if you
1147         fail to qualify what that means. This originally made sense on X86 - "real" registers were
1148         the ones that weren't "stack related" (so "real" was the opposite of "stack"). But on ARM64,
1149         you also have to worry about the LR register, which we'd want to say is "not real" but it's
1150         also not a "stack" register. This got super confusing.
1151         
1152         So, this patch removes any mention of "real" registers, consolidates the knowledge of what is
1153         a "stack" register, and uses the word special only in places where it's clearly defined and
1154         where no better word comes to mind.
1155         
1156         This cleans up the code and fixes what seems like it was probably a harmless ARM64 bug: the
1157         Reg and RegisterSet data structures would sometimes think that FP was Q0. Somehow this
1158         magically didn't break anything because you never need to save/restore either FP or Q0, but
1159         it was still super weird.
1160
1161         * assembler/ARM64Assembler.h:
1162         (JSC::ARM64Assembler::lastRegister):
1163         * assembler/MacroAssembler.h:
1164         (JSC::MacroAssembler::nextRegister):
1165         * ftl/FTLLocation.cpp:
1166         (JSC::FTL::Location::restoreInto):
1167         * ftl/FTLSaveRestore.cpp:
1168         (JSC::FTL::saveAllRegisters):
1169         (JSC::FTL::restoreAllRegisters):
1170         * ftl/FTLSlowPathCall.cpp:
1171         * jit/RegisterSet.cpp:
1172         (JSC::RegisterSet::reservedHardwareRegisters):
1173         (JSC::RegisterSet::runtimeRegisters):
1174         (JSC::RegisterSet::specialRegisters):
1175         (JSC::RegisterSet::calleeSaveRegisters):
1176         * jit/RegisterSet.h:
1177
1178 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
1179
1180         Unreviewed, fix build.
1181
1182         * disassembler/ARM64Disassembler.cpp:
1183
1184 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
1185
1186         Use the LLVM disassembler on ARM64 if we are enabling the FTL
1187         https://bugs.webkit.org/show_bug.cgi?id=129785
1188
1189         Reviewed by Geoffrey Garen.
1190         
1191         Our disassembler can't handle some of the code sequences that LLVM emits. LLVM's disassembler
1192         is strictly more capable at this point. Use it if it's available.
1193
1194         * disassembler/ARM64Disassembler.cpp:
1195         (JSC::tryToDisassemble):
1196
1197 2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>
1198
1199         Web Inspector: Reduce RWI message frequency
1200         https://bugs.webkit.org/show_bug.cgi?id=129767
1201
1202         Reviewed by Timothy Hatcher.
1203
1204         This used to be 0.2s and changed by accident to 0.02s.
1205
1206         * inspector/remote/RemoteInspector.mm:
1207         (Inspector::RemoteInspector::pushListingSoon):
1208
1209 2014-03-05  Commit Queue  <commit-queue@webkit.org>
1210
1211         Unreviewed, rolling out r165141, r165157, and r165158.
1212         http://trac.webkit.org/changeset/165141
1213         http://trac.webkit.org/changeset/165157
1214         http://trac.webkit.org/changeset/165158
1215         https://bugs.webkit.org/show_bug.cgi?id=129772
1216
1217         "broke ftl" (Requested by olliej_ on #webkit).
1218
1219         * JavaScriptCore.xcodeproj/project.pbxproj:
1220         * bytecode/PolymorphicPutByIdList.cpp:
1221         (JSC::PutByIdAccess::visitWeak):
1222         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
1223         (JSC::PolymorphicPutByIdList::from):
1224         * bytecode/PolymorphicPutByIdList.h:
1225         (JSC::PutByIdAccess::transition):
1226         (JSC::PutByIdAccess::replace):
1227         (JSC::PutByIdAccess::oldStructure):
1228         (JSC::PutByIdAccess::chain):
1229         (JSC::PutByIdAccess::stubRoutine):
1230         * bytecode/PutByIdStatus.cpp:
1231         (JSC::PutByIdStatus::computeForStubInfo):
1232         (JSC::PutByIdStatus::computeFor):
1233         (JSC::PutByIdStatus::dump):
1234         * bytecode/PutByIdStatus.h:
1235         (JSC::PutByIdStatus::PutByIdStatus):
1236         (JSC::PutByIdStatus::takesSlowPath):
1237         * bytecode/StructureStubInfo.h:
1238         * dfg/DFGAbstractInterpreterInlines.h:
1239         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1240         * dfg/DFGByteCodeParser.cpp:
1241         (JSC::DFG::ByteCodeParser::emitPutById):
1242         (JSC::DFG::ByteCodeParser::handlePutById):
1243         * dfg/DFGClobberize.h:
1244         (JSC::DFG::clobberize):
1245         * dfg/DFGCommon.h:
1246         * dfg/DFGConstantFoldingPhase.cpp:
1247         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1248         * dfg/DFGFixupPhase.cpp:
1249         (JSC::DFG::FixupPhase::fixupNode):
1250         * dfg/DFGNode.h:
1251         (JSC::DFG::Node::hasIdentifier):
1252         * dfg/DFGNodeType.h:
1253         * dfg/DFGPredictionPropagationPhase.cpp:
1254         (JSC::DFG::PredictionPropagationPhase::propagate):
1255         * dfg/DFGSafeToExecute.h:
1256         (JSC::DFG::safeToExecute):
1257         * dfg/DFGSpeculativeJIT.cpp:
1258         (JSC::DFG::SpeculativeJIT::compileIn):
1259         * dfg/DFGSpeculativeJIT.h:
1260         * dfg/DFGSpeculativeJIT32_64.cpp:
1261         (JSC::DFG::SpeculativeJIT::cachedGetById):
1262         (JSC::DFG::SpeculativeJIT::cachedPutById):
1263         (JSC::DFG::SpeculativeJIT::compile):
1264         * dfg/DFGSpeculativeJIT64.cpp:
1265         (JSC::DFG::SpeculativeJIT::cachedGetById):
1266         (JSC::DFG::SpeculativeJIT::cachedPutById):
1267         (JSC::DFG::SpeculativeJIT::compile):
1268         * ftl/FTLCompile.cpp:
1269         (JSC::FTL::fixFunctionBasedOnStackMaps):
1270         * jit/CCallHelpers.h:
1271         (JSC::CCallHelpers::setupArgumentsWithExecState):
1272         * jit/JITInlineCacheGenerator.cpp:
1273         (JSC::JITByIdGenerator::JITByIdGenerator):
1274         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1275         * jit/JITInlineCacheGenerator.h:
1276         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1277         * jit/JITOperations.cpp:
1278         * jit/JITOperations.h:
1279         * jit/JITPropertyAccess.cpp:
1280         (JSC::JIT::emit_op_get_by_id):
1281         (JSC::JIT::emit_op_put_by_id):
1282         * jit/JITPropertyAccess32_64.cpp:
1283         (JSC::JIT::emit_op_get_by_id):
1284         (JSC::JIT::emit_op_put_by_id):
1285         * jit/Repatch.cpp:
1286         (JSC::tryCacheGetByID):
1287         (JSC::tryBuildGetByIDList):
1288         (JSC::tryCachePutByID):
1289         (JSC::tryBuildPutByIdList):
1290         * jit/SpillRegistersMode.h: Removed.
1291         * llint/LLIntSlowPaths.cpp:
1292         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1293         * runtime/Lookup.h:
1294         (JSC::putEntry):
1295         * runtime/PutPropertySlot.h:
1296         (JSC::PutPropertySlot::isCacheable):
1297         (JSC::PutPropertySlot::cachedOffset):
1298
1299 2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>
1300
1301         Web Inspector: Prevent possible deadlock in view indication
1302         https://bugs.webkit.org/show_bug.cgi?id=129766
1303
1304         Reviewed by Geoffrey Garen.
1305
1306         * inspector/remote/RemoteInspector.mm:
1307         (Inspector::RemoteInspector::receivedIndicateMessage):
1308
1309 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
1310
1311         JSObject::fastGetOwnPropertySlot does a slow check for OverridesGetOwnPropertySlot
1312         https://bugs.webkit.org/show_bug.cgi?id=129754
1313
1314         Reviewed by Geoffrey Garen.
1315
1316         InlineTypeFlags are stored in JSCell, so we can just load those instead of going through the TypeInfo.
1317
1318         * runtime/JSCell.h:
1319         (JSC::JSCell::inlineTypeFlags):
1320         * runtime/JSObject.h:
1321         (JSC::JSObject::fastGetOwnPropertySlot):
1322         * runtime/JSTypeInfo.h:
1323         (JSC::TypeInfo::TypeInfo):
1324         (JSC::TypeInfo::overridesGetOwnPropertySlot):
1325
1326 2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>
1327
1328         Web Inspector: ASSERTION FAILED: m_javaScriptBreakpoints.isEmpty()
1329         https://bugs.webkit.org/show_bug.cgi?id=129763
1330
1331         Reviewed by Geoffrey Garen.
1332
1333         Clear the list of all breakpoints, including unresolved breakpoints.
1334
1335         * inspector/agents/InspectorDebuggerAgent.cpp:
1336         (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
1337
1338 2014-03-05  Mark Lam  <mark.lam@apple.com>
1339
1340         llint_slow_path_check_has_instance() should not adjust PC before accessing operands.
1341         <https://webkit.org/b/129768>
1342
1343         Reviewed by Mark Hahnenberg.
1344
1345         When evaluating "a instanceof b" where b is an object that ImplementsHasInstance
1346         and OverridesHasInstance (e.g. a bound function), the LLINT will take the slow
1347         path llint_slow_path_check_has_instance(), and execute a code path that does the
1348         following:
1349         1. Adjusts the byte code PC to the jump target PC.
1350         2. For the purpose of storing the result, get the result registerIndex from the
1351            1st operand using the PC as if the PC is still pointing to op_check_has_instance
1352            bytecode.
1353
1354         The result is that whatever value resides after where the jump target PC is will
1355         be used as a result register value.  Depending on what that value is, the result
1356         can be:
1357         1. the code coincidentally works correctly
1358         2. memory corruption
1359         3. crashes
1360
1361         The fix is to only adjust the byte code PC after we have stored the result.
1362         
1363         * llint/LLIntSlowPaths.cpp:
1364         (llint_slow_path_check_has_instance):
1365
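The operand-ordering bug in llint_slow_path_check_has_instance described in the entry above, modelled as an added example (this is not JavaScriptCore's own LLInt code). The instruction layout, register frame and bytecode program are constructed for the illustration, and storeResult bounds-checks its index so the buggy path reports the wild write rather than performing it.

```cpp
// Simplified model of the bug described above (added illustration; not
// JavaScriptCore's own LLInt code). Instruction layout, register model and
// bytecode program are constructed for this page.
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical word layout (one int32 per word):
//   op_check_has_instance dst value baseVal targetOffset   (5 words)
//   op_instanceof         dst value proto                  (4 words)
//   op_jmp                relativeOffset                   (2 words)
//   op_end                                                 (1 word)
enum Opcode : int32_t { op_end = 0, op_check_has_instance = 1, op_instanceof = 2, op_jmp = 3 };

struct Frame {
    std::vector<int32_t> registers;  // virtual registers; values are plain ints here
};

struct SlowPathOutcome {
    size_t resumePc;   // where the interpreter continues after the slow path
    int32_t dstRead;   // the register index the slow path used for its result
    bool wildWrite;    // true if that index lies outside the frame (memory corruption in real code)
};

// Store guarded by a bounds check so the demo stays memory-safe; a real
// interpreter would simply write through the bogus index.
static bool storeResult(Frame& frame, int32_t regIndex, int32_t value) {
    if (regIndex < 0 || static_cast<size_t>(regIndex) >= frame.registers.size())
        return false;
    frame.registers[static_cast<size_t>(regIndex)] = value;
    return true;
}

// Buggy ordering: move pc to the jump target first, then read "dst" as if pc
// still pointed at op_check_has_instance. The word actually read is whatever
// follows the target instruction's opcode.
SlowPathOutcome buggySlowPath(const std::vector<int32_t>& code, size_t pc, Frame& frame, int32_t result) {
    pc += static_cast<size_t>(code[pc + 4]);   // step 1: adjust PC to the jump target
    int32_t dst = code[pc + 1];                 // step 2: "dst" read through the moved PC
    bool ok = storeResult(frame, dst, result);
    return { pc, dst, !ok };
}

// Fixed ordering: read operands while pc is still on op_check_has_instance,
// store the result, and only then adjust pc.
SlowPathOutcome fixedSlowPath(const std::vector<int32_t>& code, size_t pc, Frame& frame, int32_t result) {
    int32_t dst = code[pc + 1];
    bool ok = storeResult(frame, dst, result);
    pc += static_cast<size_t>(code[pc + 4]);
    return { pc, dst, !ok };
}

// Constructed bytecode for "r1 = r2 instanceof r3":
//   0: op_check_has_instance r1 r2 r3 +9   -> slow path handled it: jump to 9
//   5: op_instanceof         r1 r2 r3
//   9: op_jmp                +4096         -> the word after the target opcode is 4096
//  11: op_end
static const std::vector<int32_t> kProgram = {
    op_check_has_instance, 1, 2, 3, 9,
    op_instanceof, 1, 2, 3,
    op_jmp, 4096,
    op_end,
};

struct Comparison {
    SlowPathOutcome buggy;
    SlowPathOutcome fixed;
    int32_t fixedR1;  // value the fixed path left in r1
};

// Runs both variants on identical 8-register frames and returns the outcomes.
Comparison compareSlowPaths() {
    Frame buggyFrame{ std::vector<int32_t>(8, 0) };
    Frame fixedFrame{ std::vector<int32_t>(8, 0) };
    const int32_t kTrue = 1;  // result of the instanceof check
    SlowPathOutcome b = buggySlowPath(kProgram, 0, buggyFrame, kTrue);
    SlowPathOutcome f = fixedSlowPath(kProgram, 0, fixedFrame, kTrue);
    return { b, f, fixedFrame.registers[1] };
}
```

Both variants resume at the same target; only the fixed one writes the result into r1, while the buggy one tries to use 4096 as a register index.
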
1366 2014-03-05  Ryosuke Niwa  <rniwa@webkit.org>
1367
1368         Another build fix attempt after r165141.
1369
1370         * ftl/FTLCompile.cpp:
1371         (JSC::FTL::fixFunctionBasedOnStackMaps):
1372
1373 2014-03-05  Ryosuke Niwa  <rniwa@webkit.org>
1374
1375         FTL build fix attempt after r165141.
1376
1377         * ftl/FTLCompile.cpp:
1378         (JSC::FTL::fixFunctionBasedOnStackMaps):
1379
1380 2014-03-05  Gavin Barraclough  <barraclough@apple.com>
1381
1382         https://bugs.webkit.org/show_bug.cgi?id=128625
1383         Add fast mapping from StringImpl to JSString
1384
1385         Unreviewed roll-out.
1386
1387         Reverting r164347, r165054, r165066 - not clear the performance tradeoff was right.
1388
1389         * runtime/JSString.cpp:
1390         * runtime/JSString.h:
1391         * runtime/VM.cpp:
1392         (JSC::VM::createLeaked):
1393         * runtime/VM.h:
1394
1395 2014-03-03  Oliver Hunt  <oliver@apple.com>
1396
1397         Support caching of custom setters
1398         https://bugs.webkit.org/show_bug.cgi?id=129519
1399
1400         Reviewed by Filip Pizlo.
1401
1402         This patch adds caching of assignment to properties that
1403         are backed by C functions. This provides most of the leg
1404         work required to start supporting setters, and resolves
1405         the remaining regressions from moving DOM properties up
1406         the prototype chain.
1407
1408         * JavaScriptCore.xcodeproj/project.pbxproj:
1409         * bytecode/PolymorphicPutByIdList.cpp:
1410         (JSC::PutByIdAccess::visitWeak):
1411         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
1412         (JSC::PolymorphicPutByIdList::from):
1413         * bytecode/PolymorphicPutByIdList.h:
1414         (JSC::PutByIdAccess::transition):
1415         (JSC::PutByIdAccess::replace):
1416         (JSC::PutByIdAccess::customSetter):
1417         (JSC::PutByIdAccess::isCustom):
1418         (JSC::PutByIdAccess::oldStructure):
1419         (JSC::PutByIdAccess::chain):
1420         (JSC::PutByIdAccess::stubRoutine):
1421         * bytecode/PutByIdStatus.cpp:
1422         (JSC::PutByIdStatus::computeForStubInfo):
1423         (JSC::PutByIdStatus::computeFor):
1424         (JSC::PutByIdStatus::dump):
1425         * bytecode/PutByIdStatus.h:
1426         (JSC::PutByIdStatus::PutByIdStatus):
1427         (JSC::PutByIdStatus::takesSlowPath):
1428         (JSC::PutByIdStatus::makesCalls):
1429         * bytecode/StructureStubInfo.h:
1430         * dfg/DFGAbstractInterpreterInlines.h:
1431         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1432         * dfg/DFGByteCodeParser.cpp:
1433         (JSC::DFG::ByteCodeParser::emitPutById):
1434         (JSC::DFG::ByteCodeParser::handlePutById):
1435         * dfg/DFGClobberize.h:
1436         (JSC::DFG::clobberize):
1437         * dfg/DFGCommon.h:
1438         * dfg/DFGConstantFoldingPhase.cpp:
1439         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1440         * dfg/DFGFixupPhase.cpp:
1441         (JSC::DFG::FixupPhase::fixupNode):
1442         * dfg/DFGNode.h:
1443         (JSC::DFG::Node::hasIdentifier):
1444         * dfg/DFGNodeType.h:
1445         * dfg/DFGPredictionPropagationPhase.cpp:
1446         (JSC::DFG::PredictionPropagationPhase::propagate):
1447         * dfg/DFGSafeToExecute.h:
1448         (JSC::DFG::safeToExecute):
1449         * dfg/DFGSpeculativeJIT.cpp:
1450         (JSC::DFG::SpeculativeJIT::compileIn):
1451         * dfg/DFGSpeculativeJIT.h:
1452         * dfg/DFGSpeculativeJIT32_64.cpp:
1453         (JSC::DFG::SpeculativeJIT::cachedGetById):
1454         (JSC::DFG::SpeculativeJIT::cachedPutById):
1455         (JSC::DFG::SpeculativeJIT::compile):
1456         * dfg/DFGSpeculativeJIT64.cpp:
1457         (JSC::DFG::SpeculativeJIT::cachedGetById):
1458         (JSC::DFG::SpeculativeJIT::cachedPutById):
1459         (JSC::DFG::SpeculativeJIT::compile):
1460         * jit/CCallHelpers.h:
1461         (JSC::CCallHelpers::setupArgumentsWithExecState):
1462         * jit/JITInlineCacheGenerator.cpp:
1463         (JSC::JITByIdGenerator::JITByIdGenerator):
1464         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1465         * jit/JITInlineCacheGenerator.h:
1466         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1467         * jit/JITOperations.cpp:
1468         * jit/JITOperations.h:
1469         * jit/JITPropertyAccess.cpp:
1470         (JSC::JIT::emit_op_get_by_id):
1471         (JSC::JIT::emit_op_put_by_id):
1472         * jit/JITPropertyAccess32_64.cpp:
1473         (JSC::JIT::emit_op_get_by_id):
1474         (JSC::JIT::emit_op_put_by_id):
1475         * jit/Repatch.cpp:
1476         (JSC::tryCacheGetByID):
1477         (JSC::tryBuildGetByIDList):
1478         (JSC::emitCustomSetterStub):
1479         (JSC::tryCachePutByID):
1480         (JSC::tryBuildPutByIdList):
1481         * jit/SpillRegistersMode.h: Added.
1482         * llint/LLIntSlowPaths.cpp:
1483         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1484         * runtime/Lookup.h:
1485         (JSC::putEntry):
1486         * runtime/PutPropertySlot.h:
1487         (JSC::PutPropertySlot::setCacheableCustomProperty):
1488         (JSC::PutPropertySlot::customSetter):
1489         (JSC::PutPropertySlot::isCacheablePut):
1490         (JSC::PutPropertySlot::isCacheableCustomProperty):
1491         (JSC::PutPropertySlot::cachedOffset):
1492
1493 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
1494
1495         JSCell::m_gcData should encode its information differently
1496         https://bugs.webkit.org/show_bug.cgi?id=129741
1497
1498         Reviewed by Geoffrey Garen.
1499
1500         We want to keep track of three GC states for an object:
1501
1502         1. Not marked (which implies not in the remembered set)
1503         2. Marked but not in the remembered set
1504         3. Marked and in the remembered set
1505         
1506         Currently we only indicate marked vs. not marked in JSCell::m_gcData. During a write 
1507         barrier, we only want to take the slow path if the object being stored to is in state #2. 
1508         We'd like to make the test for state #2 as fast as possible, which means making it a 
1509         compare against 0.
1510
1511         * dfg/DFGOSRExitCompilerCommon.cpp:
1512         (JSC::DFG::osrWriteBarrier):
1513         * dfg/DFGSpeculativeJIT.cpp:
1514         (JSC::DFG::SpeculativeJIT::checkMarkByte):
1515         (JSC::DFG::SpeculativeJIT::writeBarrier):
1516         * dfg/DFGSpeculativeJIT.h:
1517         * dfg/DFGSpeculativeJIT32_64.cpp:
1518         (JSC::DFG::SpeculativeJIT::writeBarrier):
1519         * dfg/DFGSpeculativeJIT64.cpp:
1520         (JSC::DFG::SpeculativeJIT::writeBarrier):
1521         * ftl/FTLLowerDFGToLLVM.cpp:
1522         (JSC::FTL::LowerDFGToLLVM::allocateCell):
1523         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
1524         * heap/Heap.cpp:
1525         (JSC::Heap::clearRememberedSet):
1526         (JSC::Heap::addToRememberedSet):
1527         * jit/AssemblyHelpers.h:
1528         (JSC::AssemblyHelpers::checkMarkByte):
1529         * jit/JIT.h:
1530         * jit/JITPropertyAccess.cpp:
1531         (JSC::JIT::checkMarkByte):
1532         (JSC::JIT::emitWriteBarrier):
1533         * jit/Repatch.cpp:
1534         (JSC::writeBarrier):
1535         * llint/LowLevelInterpreter.asm:
1536         * llint/LowLevelInterpreter32_64.asm:
1537         * llint/LowLevelInterpreter64.asm:
1538         * runtime/JSCell.h:
1539         (JSC::JSCell::mark):
1540         (JSC::JSCell::remember):
1541         (JSC::JSCell::forget):
1542         (JSC::JSCell::isMarked):
1543         (JSC::JSCell::isRemembered):
1544         * runtime/JSCellInlines.h:
1545         (JSC::JSCell::JSCell):
1546         * runtime/StructureIDBlob.h:
1547         (JSC::StructureIDBlob::StructureIDBlob):
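
        Added example (not JSC's code) for the three-state encoding the entry above describes: state #2,
        "marked but not in the remembered set", is the only one in which a store must take the barrier
        slow path, so giving it the value 0 lets the JIT's fast path be one byte load and a compare
        against zero. The concrete numbers, the Cell/Heap types and the function names are this
        example's assumptions.

```cpp
#include <cstdint>
#include <vector>

// Added example, not JSC's own code. Encoding chosen so that state #2 is 0; the numeric
// values are this example's assumption, not necessarily the ones JSC picked.
namespace GCState {
    constexpr uint8_t Marked = 0;               // state #2: marked, not remembered
    constexpr uint8_t NotMarked = 1;            // state #1: not marked (so not remembered)
    constexpr uint8_t MarkedAndRemembered = 2;  // state #3: marked and remembered
}

struct Cell {
    uint8_t gcData = GCState::NotMarked;
    bool isMarked() const { return gcData != GCState::NotMarked; }
    bool isRemembered() const { return gcData == GCState::MarkedAndRemembered; }
    void mark() { gcData = GCState::Marked; }
    void remember() { gcData = GCState::MarkedAndRemembered; }
    void forget() { gcData = GCState::Marked; }       // leaves the cell marked
    void clearMark() { gcData = GCState::NotMarked; }
};

struct Heap {
    std::vector<Cell*> rememberedSet;
    // Slow path: an old (marked) object now points at something young; remember it so the
    // next young-generation collection rescans it.
    void addToRememberedSet(Cell* cell) {
        cell->remember();
        rememberedSet.push_back(cell);
    }
    // After a collection the set is drained; members go back to plain "marked".
    void clearRememberedSet() {
        for (Cell* cell : rememberedSet)
            cell->forget();
        rememberedSet.clear();
    }
};

// The barrier as the JIT would emit it: the fast path is a single compare against 0.
// Returns true when the slow path ran, so the model can be checked.
bool writeBarrier(Heap& heap, Cell* owner) {
    if (owner->gcData != 0)      // not marked, or already remembered: nothing to do
        return false;
    heap.addToRememberedSet(owner);
    return true;
}

// How many of `stores` barriers on one cell starting in `initialState` take the slow path.
int slowPathsFor(uint8_t initialState, int stores) {
    Heap heap;
    Cell cell;
    cell.gcData = initialState;
    int count = 0;
    for (int i = 0; i < stores; ++i)
        count += writeBarrier(heap, &cell) ? 1 : 0;
    return count;
}

// Remember a cell, clear the set, and report whether the cell is back in state #2 only.
bool clearingSetRestoresMarkedState() {
    Heap heap;
    Cell cell;
    cell.mark();
    writeBarrier(heap, &cell);
    bool remembered = cell.isRemembered() && heap.rememberedSet.size() == 1;
    heap.clearRememberedSet();
    return remembered && cell.isMarked() && !cell.isRemembered() && heap.rememberedSet.empty();
}
```

        A cell that is not marked never needs remembering (a collection will visit it anyway), and a
        cell already in the set is recorded once; only the first store into a marked, unremembered
        cell pays for the slow path.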
1548
1549 2014-03-05  Filip Pizlo  <fpizlo@apple.com>
1550
1551         More FTL ARM fixes
1552         https://bugs.webkit.org/show_bug.cgi?id=129755
1553
1554         Reviewed by Geoffrey Garen.
1555         
1556         - Be more defensive about inline caches that have degenerate chains.
1557         
1558         - Temporarily switch to allocating all MCJIT memory in the executable pool on non-x86
1559           platforms. The bug tracking the real fix is: https://bugs.webkit.org/show_bug.cgi?id=129756
1560         
1561         - Don't even emit intrinsic declarations on non-x86 platforms.
1562         
1563         - More debug printing support.
1564         
1565         - Don't use vmCall() in the prologue. This should have crashed on all platforms all the time
1566           but somehow it gets lucky on x86.
1567
1568         * bytecode/GetByIdStatus.cpp:
1569         (JSC::GetByIdStatus::appendVariant):
1570         (JSC::GetByIdStatus::computeForChain):
1571         (JSC::GetByIdStatus::computeForStubInfo):
1572         * bytecode/GetByIdStatus.h:
1573         * bytecode/PutByIdStatus.cpp:
1574         (JSC::PutByIdStatus::appendVariant):
1575         (JSC::PutByIdStatus::computeForStubInfo):
1576         * bytecode/PutByIdStatus.h:
1577         * bytecode/StructureSet.h:
1578         (JSC::StructureSet::overlaps):
1579         * ftl/FTLCompile.cpp:
1580         (JSC::FTL::mmAllocateDataSection):
1581         * ftl/FTLDataSection.cpp:
1582         (JSC::FTL::DataSection::DataSection):
1583         (JSC::FTL::DataSection::~DataSection):
1584         * ftl/FTLDataSection.h:
1585         * ftl/FTLLowerDFGToLLVM.cpp:
1586         (JSC::FTL::LowerDFGToLLVM::lower):
1587         * ftl/FTLOutput.h:
1588         (JSC::FTL::Output::doubleSin):
1589         (JSC::FTL::Output::doubleCos):
1590         * runtime/JSCJSValue.cpp:
1591         (JSC::JSValue::dumpInContext):
1592         * runtime/JSCell.h:
1593         (JSC::JSCell::structureID):
1594
1595 2014-03-05  peavo@outlook.com  <peavo@outlook.com>
1596
1597         [Win32][LLINT] Crash when running JSC stress tests.
1598         https://bugs.webkit.org/show_bug.cgi?id=129429
1599
1600         On Windows the reserved stack space consists of committed memory, a guard page, and uncommitted memory,
1601         where the guard page is a barrier between committed and uncommitted memory.
1602         When data from the guard page is read or written, the guard page is moved, and memory is committed.
1603         This is how the system grows the stack.
1604         When using the C stack on Windows we need to precommit the needed stack space.
1605         Otherwise we might crash later if we access uncommitted stack memory.
1606         This can happen if we allocate stack space larger than the page guard size (4K).
1607         The system does not get the chance to move the guard page, and commit more memory,
1608         and we crash if uncommitted memory is accessed.
1609         The MSVC compiler fixes this by inserting a call to the _chkstk() function,
1610         when needed, see http://support.microsoft.com/kb/100775.
1611
1612         Reviewed by Geoffrey Garen.
1613
1614         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Enable LLINT.
1615         * jit/Repatch.cpp:
1616         (JSC::writeBarrier): Compile fix when DFG_JIT is not enabled.
1617         * offlineasm/x86.rb: Compile fix, and small simplification.
1618         * runtime/VM.cpp:
1619         (JSC::preCommitStackMemory): Added function to precommit stack memory.
1620         (JSC::VM::updateStackLimit): Call function to precommit stack memory when stack limit is updated.
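
        Added example (not the WebKit function) of the page-by-page precommit the entry above describes.
        The real code walks from the current stack pointer down to the VM's stack limit; so that it runs
        on any OS, this example walks an ordinary heap buffer standing in for the reserved stack region
        (constructed here) and records each page it touched. Function names and the buffer layout are
        this example's assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added example, not WebKit's preCommitStackMemory. Touching one byte per page, walking
// downward, means the guard page is moved one page at a time and the system commits
// each page before a large frame could reach past the guard.
constexpr size_t kPageSize = 4096;   // the 4K page guard size the entry quotes

// Touch one byte in every page between `top` (higher address, exclusive) and `limit`
// (lower address, inclusive). The read-then-write through a volatile pointer keeps the
// compiler from eliding the access. Returns the touched addresses so the walk can be checked.
std::vector<uintptr_t> preCommitStackMemory(char* top, char* limit) {
    std::vector<uintptr_t> touched;
    const uintptr_t low = reinterpret_cast<uintptr_t>(limit);
    uintptr_t addr = reinterpret_cast<uintptr_t>(top) - 1;
    while (reinterpret_cast<uintptr_t>(top) > low && addr >= low) {
        volatile char* p = reinterpret_cast<volatile char*>(addr);
        char ch = *p;
        *p = ch;
        touched.push_back(addr);
        if (addr - low < kPageSize)   // last page reached; stepping again would underflow
            break;
        addr -= kPageSize;
    }
    return touched;
}

// Largest distance between consecutive touches; must not exceed one page, or a guard
// page could be skipped.
uintptr_t maxGap(const std::vector<uintptr_t>& touched) {
    uintptr_t gap = 0;
    for (size_t i = 1; i < touched.size(); ++i)
        if (touched[i - 1] - touched[i] > gap)
            gap = touched[i - 1] - touched[i];
    return gap;
}

// Simulated reserved stack of `reservedPages` pages; the "current stack pointer" is at the
// top and the new stack limit sits `neededPages` pages below it.
std::vector<uintptr_t> simulatePreCommit(size_t reservedPages, size_t neededPages) {
    std::vector<char> region(reservedPages * kPageSize);
    char* top = region.data() + region.size();
    char* limit = top - neededPages * kPageSize;
    return preCommitStackMemory(top, limit);
}
```

        Stepping by exactly one page from any starting address lands in every page once, which is the
        property the guard-page mechanism needs; a stride larger than the page size is what lets a deep
        frame jump over the guard page and fault on uncommitted memory.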
1621
1622 2014-03-05  Michael Saboff  <msaboff@apple.com>
1623
1624         JSDataViewPrototype::getData() and setData() crash on platforms that don't allow unaligned accesses
1625         https://bugs.webkit.org/show_bug.cgi?id=129746
1626
1627         Reviewed by Filip Pizlo.
1628
1629         Changed to use a union to manually assemble or disassemble the various types
1630         from / to the corresponding bytes.  All memory access is now done using
1631         byte accesses.
1632
1633         * runtime/JSDataViewPrototype.cpp:
1634         (JSC::getData):
1635         (JSC::setData):
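
        Added example (not JSC's JSDataViewPrototype code) of the technique the entry above describes:
        instead of dereferencing a T* at an arbitrary byte offset, which traps on strict-alignment CPUs
        and is undefined behaviour in C++ regardless, the value is assembled or disassembled through a
        union of T and a byte array, one byte at a time, in the requested endianness. The buffer
        representation, bounds handling and function names are this example's assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Added example, not JSC's code. All memory access to the backing buffer is byte-wide.
static bool hostIsLittleEndian() {
    const uint16_t probe = 1;
    uint8_t first;
    std::memcpy(&first, &probe, 1);
    return first == 1;
}

template<typename T>
union Bytes { T value; uint8_t bytes[sizeof(T)]; };

// Read a T starting at byte `offset`. Returns false when the read would run past the end
// (the situation DataView reports as a RangeError) instead of reading out of bounds.
template<typename T>
bool getData(const std::vector<uint8_t>& buffer, size_t offset, bool littleEndian, T& out) {
    if (offset > buffer.size() || buffer.size() - offset < sizeof(T))
        return false;
    Bytes<T> u;
    const bool swap = littleEndian != hostIsLittleEndian();
    for (size_t i = 0; i < sizeof(T); ++i)
        u.bytes[swap ? sizeof(T) - 1 - i : i] = buffer[offset + i];
    out = u.value;
    return true;
}

// Write a T at byte `offset`, with the same bounds rule.
template<typename T>
bool setData(std::vector<uint8_t>& buffer, size_t offset, bool littleEndian, T value) {
    if (offset > buffer.size() || buffer.size() - offset < sizeof(T))
        return false;
    Bytes<T> u;
    u.value = value;
    const bool swap = littleEndian != hostIsLittleEndian();
    for (size_t i = 0; i < sizeof(T); ++i)
        buffer[offset + i] = u.bytes[swap ? sizeof(T) - 1 - i : i];
    return true;
}

// Constructed sample buffer; the 32-bit read at offset 1 is deliberately misaligned.
static const std::vector<uint8_t> kSample = {0xAA, 0x78, 0x56, 0x34, 0x12, 0xBB};

uint32_t sampleReadLE() {
    uint32_t v = 0;
    getData<uint32_t>(kSample, 1, true, v);
    return v;
}

uint32_t sampleReadBE() {
    uint32_t v = 0;
    getData<uint32_t>(kSample, 1, false, v);
    return v;
}

// Store a double at an odd offset and read it back with the same byte order.
bool sampleRoundTripDouble() {
    std::vector<uint8_t> buf(11, 0);
    if (!setData<double>(buf, 3, false, 3.5))
        return false;
    double d = 0;
    return getData<double>(buf, 3, false, d) && d == 3.5;
}

// A 4-byte read at offset 1 of a 4-byte buffer must be refused, not performed.
bool sampleOutOfRangeRefused() {
    std::vector<uint8_t> buf(4, 0);
    uint32_t v = 0;
    return !getData<uint32_t>(buf, 1, true, v);
}
```

        std::memcpy into a local T is the standard-blessed equivalent of the union and compiles to the
        same byte moves; the union form is kept here because it is the one the entry names.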
1636
1637 2014-03-05  Filip Pizlo  <fpizlo@apple.com>
1638
1639         FTL loadStructure always generates invalid IR
1640         https://bugs.webkit.org/show_bug.cgi?id=129747
1641
1642         Reviewed by Mark Hahnenberg.
1643
1644         As the comment at the top of FTL::Output states, the FTL doesn't use LLVM's notion
1645         of pointers. LLVM's notion of pointers tries to model C, in the sense that you have
1646         to have a pointer to a type, and you can only load things of that type from that
1647         pointer. Pointer arithmetic is basically not possible except through the bizarre
1648         getelementptr operator. This doesn't fit with how the JS object model works since
1649         the JS object model doesn't consist of nice and tidy C types placed in C arrays.
1650         Also, it would be impossible to use getelementptr and LLVM pointers for accessing
1651         any of JSC's C or C++ objects unless we went through the exercise of redeclaring
1652         all of our fundamental data structures in LLVM IR as LLVM types. Clang could do
1653         this for us, but that would require that to use the FTL, JSC itself would have to
1654         be compiled with clang. Worse, it would have to be compiled with a clang that uses
1655         a version of LLVM that is compatible with the one against which the FTL is linked.
1656         Yuck!
1657
1658         The solution is to NEVER use LLVM pointers. This has always been the case in the
1659         FTL. But it causes some confusion.
1660         
1661         Not using LLVM pointers means that if the FTL has a "pointer", it's actually a
1662         pointer-wide integer (m_out.intPtr in FTL-speak). The act of "loading" and
1663         "storing" from or to a pointer involves first bitcasting the intPtr to a real LLVM
1664         pointer that has the type that we want. The load and store operations over pointers
1665         are called Output::load* and Output::store*, where * is one of "8", "16", "32",
1666         "64", "Ptr", "Float", or "Double".
1667         
1668         There is unavoidable confusion here. It would be bizarre for the FTL to call its
1669         "pointer-wide integers" anything other than "pointers", since they are, in all
1670         respects that we care about, simply pointers. But they are *not* LLVM pointers and
1671         they never will be that.
1672         
1673         There is one exception to this "no pointers" rule. The FTL does use actual LLVM
1674         pointers for referring to LLVM alloca's - i.e. local variables. To try to reduce
1675         confusion, we call these "references". So an "FTL reference" is actually an "LLVM
1676         pointer", while an "FTL pointer" is actually an "LLVM integer". FTL references have
1677         methods for access called Output::get and Output::set. These lower to LLVM load
1678         and store, since FTL references are just LLVM pointers.
1679         
1680         This confusion appears to have led to incorrect code in loadStructure().
1681         loadStructure() was using get() and set() to access FTL pointers. But those methods
1682         don't work on FTL pointers and never will, since they are for FTL references.
1683         
1684         The worst part of this is that it was previously impossible to have test coverage
1685         for the relevant path (MasqueradesAsUndefined) without writing a DRT test. This
1686         patch fixes this by introducing a Masquerader object to jsc.cpp.
1687         
1688         * ftl/FTLAbstractHeapRepository.h: Add an abstract heap for the structure table.
1689         * ftl/FTLLowerDFGToLLVM.cpp:
1690         (JSC::FTL::LowerDFGToLLVM::loadStructure): This was wrong.
1691         * ftl/FTLOutput.h: Add a comment to dissuade people from using get() and set().
1692         * jsc.cpp: Give us the power to test for MasqueradesAsUndefined.
1693         (WTF::Masquerader::Masquerader):
1694         (WTF::Masquerader::create):
1695         (WTF::Masquerader::createStructure):
1696         (GlobalObject::finishCreation):
1697         (functionMakeMasquerader):
1698         * tests/stress/equals-masquerader.js: Added.
1699         (foo):
1700         (test):
1701
1702 2014-03-05  Anders Carlsson  <andersca@apple.com>
1703
1704         Tweak after r165109 to avoid extra copies
1705         https://bugs.webkit.org/show_bug.cgi?id=129745
1706
1707         Reviewed by Geoffrey Garen.
1708
1709         * heap/Heap.cpp:
1710         (JSC::Heap::visitProtectedObjects):
1711         (JSC::Heap::visitTempSortVectors):
1712         (JSC::Heap::clearRememberedSet):
1713         * heap/Heap.h:
1714         (JSC::Heap::forEachProtectedCell):
1715
1716 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
1717
1718         DFGStoreBarrierElisionPhase should use GCState directly instead of m_gcClobberSet when calling writesOverlap()
1719         https://bugs.webkit.org/show_bug.cgi?id=129717
1720
1721         Reviewed by Filip Pizlo.
1722
1723         * dfg/DFGStoreBarrierElisionPhase.cpp:
1724         (JSC::DFG::StoreBarrierElisionPhase::StoreBarrierElisionPhase):
1725         (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC):
1726
1727 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
1728
1729         Use range-based loops where possible in Heap methods
1730         https://bugs.webkit.org/show_bug.cgi?id=129513
1731
1732         Reviewed by Mark Lam.
1733
1734         Replace old school iterator based loops with the new range-based loop hotness
1735         for a better tomorrow.
1736
1737         * heap/CodeBlockSet.cpp:
1738         (JSC::CodeBlockSet::~CodeBlockSet):
1739         (JSC::CodeBlockSet::clearMarks):
1740         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
1741         (JSC::CodeBlockSet::traceMarked):
1742         * heap/Heap.cpp:
1743         (JSC::Heap::visitProtectedObjects):
1744         (JSC::Heap::visitTempSortVectors):
1745         (JSC::Heap::clearRememberedSet):
1746         * heap/Heap.h:
1747         (JSC::Heap::forEachProtectedCell):
1748
1749 2014-03-04  Filip Pizlo  <fpizlo@apple.com>
1750
1751         DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
1752         https://bugs.webkit.org/show_bug.cgi?id=129563
1753
1754         Reviewed by Geoffrey Garen.
1755         
1756         Rolling this back in after fixing an assertion failure. speculateMisc() should have
1757         said DFG_TYPE_CHECK instead of typeCheck.
1758         
1759         This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
1760         when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
1761         user of this was EarleyBoyer, and in that benchmark what it was really doing was
1762         comparing undefined, null, and booleans to each other.
1763         
1764         This also adds support for miscellaneous things that I needed to make my various test
1765         cases work. This includes comparison over booleans and the various Throw-related node
1766         types.
1767         
1768         This also improves constant folding of CompareStrictEq and CompareEq.
1769         
1770         Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
1771         based on profiling, which caused some downstream badness. We don't actually support
1772         compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
1773         emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
1774         shouldn't factor out the bounds check since the access is not InBounds but then the
1775         backend would ignore the flag and assume that the bounds check was already emitted.
1776         This showed up on an existing test but I added a test for this explicitly to have more
1777         certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
1778         that we'll have a bounds check anyway.
1779         
1780         This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
1781         general progressions across the board. No speed-up yet on EarleyBoyer, since there is
1782         still a lot more coverage work to be done there.
1783
1784         * bytecode/SpeculatedType.cpp:
1785         (JSC::speculationToAbbreviatedString):
1786         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
1787         (JSC::valuesCouldBeEqual):
1788         * bytecode/SpeculatedType.h:
1789         (JSC::isMiscSpeculation):
1790         * dfg/DFGAbstractInterpreterInlines.h:
1791         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1792         * dfg/DFGArrayMode.cpp:
1793         (JSC::DFG::ArrayMode::refine):
1794         * dfg/DFGArrayMode.h:
1795         * dfg/DFGFixupPhase.cpp:
1796         (JSC::DFG::FixupPhase::fixupNode):
1797         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
1798         * dfg/DFGNode.h:
1799         (JSC::DFG::Node::shouldSpeculateMisc):
1800         * dfg/DFGSafeToExecute.h:
1801         (JSC::DFG::SafeToExecuteEdge::operator()):
1802         * dfg/DFGSpeculativeJIT.cpp:
1803         (JSC::DFG::SpeculativeJIT::compileStrictEq):
1804         (JSC::DFG::SpeculativeJIT::speculateMisc):
1805         (JSC::DFG::SpeculativeJIT::speculate):
1806         * dfg/DFGSpeculativeJIT.h:
1807         * dfg/DFGSpeculativeJIT32_64.cpp:
1808         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
1809         * dfg/DFGSpeculativeJIT64.cpp:
1810         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
1811         * dfg/DFGUseKind.cpp:
1812         (WTF::printInternal):
1813         * dfg/DFGUseKind.h:
1814         (JSC::DFG::typeFilterFor):
1815         * ftl/FTLCapabilities.cpp:
1816         (JSC::FTL::canCompile):
1817         * ftl/FTLLowerDFGToLLVM.cpp:
1818         (JSC::FTL::LowerDFGToLLVM::compileNode):
1819         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
1820         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
1821         (JSC::FTL::LowerDFGToLLVM::compileThrow):
1822         (JSC::FTL::LowerDFGToLLVM::isNotMisc):
1823         (JSC::FTL::LowerDFGToLLVM::isMisc):
1824         (JSC::FTL::LowerDFGToLLVM::speculate):
1825         (JSC::FTL::LowerDFGToLLVM::speculateMisc):
1826         * tests/stress/float32-array-out-of-bounds.js: Added.
1827         * tests/stress/weird-equality-folding-cases.js: Added.
1828
1829 2014-03-04  Commit Queue  <commit-queue@webkit.org>
1830
1831         Unreviewed, rolling out r165085.
1832         http://trac.webkit.org/changeset/165085
1833         https://bugs.webkit.org/show_bug.cgi?id=129729
1834
1835         Broke imported/w3c/html-templates/template-element/template-content.html
1836         (Requested by ap on #webkit).
1837
1838         * bytecode/SpeculatedType.cpp:
1839         (JSC::speculationToAbbreviatedString):
1840         * bytecode/SpeculatedType.h:
1841         * dfg/DFGAbstractInterpreterInlines.h:
1842         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1843         * dfg/DFGArrayMode.cpp:
1844         (JSC::DFG::ArrayMode::refine):
1845         * dfg/DFGArrayMode.h:
1846         * dfg/DFGFixupPhase.cpp:
1847         (JSC::DFG::FixupPhase::fixupNode):
1848         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
1849         * dfg/DFGNode.h:
1850         (JSC::DFG::Node::shouldSpeculateBoolean):
1851         * dfg/DFGSafeToExecute.h:
1852         (JSC::DFG::SafeToExecuteEdge::operator()):
1853         * dfg/DFGSpeculativeJIT.cpp:
1854         (JSC::DFG::SpeculativeJIT::compileStrictEq):
1855         (JSC::DFG::SpeculativeJIT::speculate):
1856         * dfg/DFGSpeculativeJIT.h:
1857         * dfg/DFGSpeculativeJIT32_64.cpp:
1858         * dfg/DFGSpeculativeJIT64.cpp:
1859         * dfg/DFGUseKind.cpp:
1860         (WTF::printInternal):
1861         * dfg/DFGUseKind.h:
1862         (JSC::DFG::typeFilterFor):
1863         * ftl/FTLCapabilities.cpp:
1864         (JSC::FTL::canCompile):
1865         * ftl/FTLLowerDFGToLLVM.cpp:
1866         (JSC::FTL::LowerDFGToLLVM::compileNode):
1867         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
1868         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
1869         (JSC::FTL::LowerDFGToLLVM::speculate):
1870         * tests/stress/float32-array-out-of-bounds.js: Removed.
1871         * tests/stress/weird-equality-folding-cases.js: Removed.
1872
1873 2014-03-04  Brian Burg  <bburg@apple.com>
1874
1875         Inspector does not restore breakpoints after a page reload
1876         https://bugs.webkit.org/show_bug.cgi?id=129655
1877
1878         Reviewed by Joseph Pecoraro.
1879
1880         Fix a regression introduced by r162096 that erroneously removed
1881         the inspector backend's mapping of files to breakpoints whenever the
1882         global object was cleared.
1883
1884         The inspector's breakpoint mappings should only be cleared when the
1885         debugger agent is disabled or destroyed. We should only clear the
1886         debugger's breakpoint state when the global object is cleared.
1887
1888         To make it clearer what state is being cleared, the two cases have
1889         been split into separate methods.
1890
1891         * inspector/agents/InspectorDebuggerAgent.cpp:
1892         (Inspector::InspectorDebuggerAgent::disable):
1893         (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
1894         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
1895         (Inspector::InspectorDebuggerAgent::didClearGlobalObject):
1896         * inspector/agents/InspectorDebuggerAgent.h:
1897
1898 2014-03-04  Andreas Kling  <akling@apple.com>
1899
1900         Streamline JSValue::get().
1901         <https://webkit.org/b/129720>
1902
1903         Fetch each Structure and VM only once when walking the prototype chain
1904         in JSObject::getPropertySlot(), then pass it along to the functions
1905         we call from there, so they don't have to re-fetch it.
1906
1907         Reviewed by Geoff Garen.
1908
1909         * runtime/JSObject.h:
1910         (JSC::JSObject::inlineGetOwnPropertySlot):
1911         (JSC::JSObject::fastGetOwnPropertySlot):
1912         (JSC::JSObject::getPropertySlot):
1913
1914 2014-03-01  Filip Pizlo  <fpizlo@apple.com>
1915
1916         DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
1917         https://bugs.webkit.org/show_bug.cgi?id=129563
1918
1919         Reviewed by Geoffrey Garen.
1920         
1921         This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
1922         when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
1923         user of this was EarleyBoyer, and in that benchmark what it was really doing was
1924         comparing undefined, null, and booleans to each other.
1925         
1926         This also adds support for miscellaneous things that I needed to make my various test
1927         cases work. This includes comparison over booleans and the various Throw-related node
1928         types.
1929         
1930         This also improves constant folding of CompareStrictEq and CompareEq.
1931         
1932         Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
1933         based on profiling, which caused some downstream badness. We don't actually support
1934         compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
1935         emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
1936         shouldn't factor out the bounds check since the access is not InBounds but then the
1937         backend would ignore the flag and assume that the bounds check was already emitted.
1938         This showed up on an existing test but I added a test for this explicitly to have more
1939         certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
1940         that we'll have a bounds check anyway.
1941         
1942         This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
1943         general progressions across the board. No speed-up yet on EarleyBoyer, since there is
1944         still a lot more coverage work to be done there.
1945
1946         * bytecode/SpeculatedType.cpp:
1947         (JSC::speculationToAbbreviatedString):
1948         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
1949         (JSC::valuesCouldBeEqual):
1950         * bytecode/SpeculatedType.h:
1951         (JSC::isMiscSpeculation):
1952         * dfg/DFGAbstractInterpreterInlines.h:
1953         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1954         * dfg/DFGFixupPhase.cpp:
1955         (JSC::DFG::FixupPhase::fixupNode):
1956         * dfg/DFGNode.h:
1957         (JSC::DFG::Node::shouldSpeculateMisc):
1958         * dfg/DFGSafeToExecute.h:
1959         (JSC::DFG::SafeToExecuteEdge::operator()):
1960         * dfg/DFGSpeculativeJIT.cpp:
1961         (JSC::DFG::SpeculativeJIT::compileStrictEq):
1962         (JSC::DFG::SpeculativeJIT::speculateMisc):
1963         (JSC::DFG::SpeculativeJIT::speculate):
1964         * dfg/DFGSpeculativeJIT.h:
1965         * dfg/DFGSpeculativeJIT32_64.cpp:
1966         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
1967         * dfg/DFGSpeculativeJIT64.cpp:
1968         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
1969         * dfg/DFGUseKind.cpp:
1970         (WTF::printInternal):
1971         * dfg/DFGUseKind.h:
1972         (JSC::DFG::typeFilterFor):
1973         * ftl/FTLCapabilities.cpp:
1974         (JSC::FTL::canCompile):
1975         * ftl/FTLLowerDFGToLLVM.cpp:
1976         (JSC::FTL::LowerDFGToLLVM::compileNode):
1977         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
1978         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
1979         (JSC::FTL::LowerDFGToLLVM::compileThrow):
1980         (JSC::FTL::LowerDFGToLLVM::isNotMisc):
1981         (JSC::FTL::LowerDFGToLLVM::isMisc):
1982         (JSC::FTL::LowerDFGToLLVM::speculate):
1983         (JSC::FTL::LowerDFGToLLVM::speculateMisc):
1984         * tests/stress/float32-array-out-of-bounds.js: Added.
1985         * tests/stress/weird-equality-folding-cases.js: Added.
1986
1987 2014-03-04  Andreas Kling  <akling@apple.com>
1988
1989         Spam static branch prediction hints on JS bindings.
1990         <https://webkit.org/b/129703>
1991
1992         Add LIKELY hint to jsDynamicCast since it's always used in a context
1993         where we expect it to succeed and takes an error path when it doesn't.
1994
1995         Reviewed by Geoff Garen.
1996
1997         * runtime/JSCell.h:
1998         (JSC::jsDynamicCast):
1999
2000 2014-03-04  Andreas Kling  <akling@apple.com>
2001
2002         Get to Structures more efficiently in JSCell::methodTable().
2003         <https://webkit.org/b/129702>
2004
2005         In JSCell::methodTable(), get the VM once and pass that along to
2006         structure(VM&) instead of using the heavier structure().
2007
2008         In JSCell::methodTable(VM&), replace calls to structure() with
2009         calls to structure(VM&).
2010
2011         Reviewed by Mark Hahnenberg.
2012
2013         * runtime/JSCellInlines.h:
2014         (JSC::JSCell::methodTable):
2015
2016 2014-03-04  Joseph Pecoraro  <pecoraro@apple.com>
2017
2018         Web Inspector: Listen for the XPC_ERROR_CONNECTION_INVALID event to deref
2019         https://bugs.webkit.org/show_bug.cgi?id=129697
2020
2021         Reviewed by Timothy Hatcher.
2022
2023         * inspector/remote/RemoteInspectorXPCConnection.mm:
2024         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
2025         (Inspector::RemoteInspectorXPCConnection::handleEvent):
2026
2027 2014-03-04  Mark Hahnenberg  <mhahnenberg@apple.com>
2028
2029         Merge API shims and JSLock
2030         https://bugs.webkit.org/show_bug.cgi?id=129650
2031
2032         Reviewed by Mark Lam.
2033
2034         JSLock is now taking on all of APIEntryShim's responsibilities since there is never a reason 
2035         to take just the JSLock. Ditto for DropAllLocks and APICallbackShim.
2036
2037         * API/APICallbackFunction.h:
2038         (JSC::APICallbackFunction::call):
2039         (JSC::APICallbackFunction::construct):
2040         * API/APIShims.h: Removed.
2041         * API/JSBase.cpp:
2042         (JSEvaluateScript):
2043         (JSCheckScriptSyntax):
2044         (JSGarbageCollect):
2045         (JSReportExtraMemoryCost):
2046         (JSSynchronousGarbageCollectForDebugging):
2047         * API/JSCallbackConstructor.cpp:
2048         * API/JSCallbackFunction.cpp:
2049         * API/JSCallbackObjectFunctions.h:
2050         (JSC::JSCallbackObject<Parent>::init):
2051         (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
2052         (JSC::JSCallbackObject<Parent>::put):
2053         (JSC::JSCallbackObject<Parent>::putByIndex):
2054         (JSC::JSCallbackObject<Parent>::deleteProperty):
2055         (JSC::JSCallbackObject<Parent>::construct):
2056         (JSC::JSCallbackObject<Parent>::customHasInstance):
2057         (JSC::JSCallbackObject<Parent>::call):
2058         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
2059         (JSC::JSCallbackObject<Parent>::getStaticValue):
2060         (JSC::JSCallbackObject<Parent>::callbackGetter):
2061         * API/JSContext.mm:
2062         (-[JSContext setException:]):
2063         (-[JSContext wrapperForObjCObject:]):
2064         (-[JSContext wrapperForJSObject:]):
2065         * API/JSContextRef.cpp:
2066         (JSContextGroupRelease):
2067         (JSContextGroupSetExecutionTimeLimit):
2068         (JSContextGroupClearExecutionTimeLimit):
2069         (JSGlobalContextCreateInGroup):
2070         (JSGlobalContextRetain):
2071         (JSGlobalContextRelease):
2072         (JSContextGetGlobalObject):
2073         (JSContextGetGlobalContext):
2074         (JSGlobalContextCopyName):
2075         (JSGlobalContextSetName):
2076         * API/JSManagedValue.mm:
2077         (-[JSManagedValue value]):
2078         * API/JSObjectRef.cpp:
2079         (JSObjectMake):
2080         (JSObjectMakeFunctionWithCallback):
2081         (JSObjectMakeConstructor):
2082         (JSObjectMakeFunction):
2083         (JSObjectMakeArray):
2084         (JSObjectMakeDate):
2085         (JSObjectMakeError):
2086         (JSObjectMakeRegExp):
2087         (JSObjectGetPrototype):
2088         (JSObjectSetPrototype):
2089         (JSObjectHasProperty):
2090         (JSObjectGetProperty):
2091         (JSObjectSetProperty):
2092         (JSObjectGetPropertyAtIndex):
2093         (JSObjectSetPropertyAtIndex):
2094         (JSObjectDeleteProperty):
2095         (JSObjectGetPrivateProperty):
2096         (JSObjectSetPrivateProperty):
2097         (JSObjectDeletePrivateProperty):
2098         (JSObjectIsFunction):
2099         (JSObjectCallAsFunction):
2100         (JSObjectCallAsConstructor):
2101         (JSObjectCopyPropertyNames):
2102         (JSPropertyNameArrayRelease):
2103         (JSPropertyNameAccumulatorAddName):
2104         * API/JSScriptRef.cpp:
2105         * API/JSValue.mm:
2106         (isDate):
2107         (isArray):
2108         (containerValueToObject):
2109         (valueToArray):
2110         (valueToDictionary):
2111         (objectToValue):
2112         * API/JSValueRef.cpp:
2113         (JSValueGetType):
2114         (JSValueIsUndefined):
2115         (JSValueIsNull):
2116         (JSValueIsBoolean):
2117         (JSValueIsNumber):
2118         (JSValueIsString):
2119         (JSValueIsObject):
2120         (JSValueIsObjectOfClass):
2121         (JSValueIsEqual):
2122         (JSValueIsStrictEqual):
2123         (JSValueIsInstanceOfConstructor):
2124         (JSValueMakeUndefined):
2125         (JSValueMakeNull):
2126         (JSValueMakeBoolean):
2127         (JSValueMakeNumber):
2128         (JSValueMakeString):
2129         (JSValueMakeFromJSONString):
2130         (JSValueCreateJSONString):
2131         (JSValueToBoolean):
2132         (JSValueToNumber):
2133         (JSValueToStringCopy):
2134         (JSValueToObject):
2135         (JSValueProtect):
2136         (JSValueUnprotect):
2137         * API/JSVirtualMachine.mm:
2138         (-[JSVirtualMachine addManagedReference:withOwner:]):
2139         (-[JSVirtualMachine removeManagedReference:withOwner:]):
2140         * API/JSWeakObjectMapRefPrivate.cpp:
2141         * API/JSWrapperMap.mm:
2142         (constructorHasInstance):
2143         (makeWrapper):
2144         (tryUnwrapObjcObject):
2145         * API/ObjCCallbackFunction.mm:
2146         (JSC::objCCallbackFunctionCallAsFunction):
2147         (JSC::objCCallbackFunctionCallAsConstructor):
2148         (objCCallbackFunctionForInvocation):
2149         * CMakeLists.txt:
2150         * ForwardingHeaders/JavaScriptCore/APIShims.h: Removed.
2151         * GNUmakefile.list.am:
2152         * JavaScriptCore.xcodeproj/project.pbxproj:
2153         * dfg/DFGWorklist.cpp:
2154         * heap/DelayedReleaseScope.h:
2155         (JSC::DelayedReleaseScope::~DelayedReleaseScope):
2156         * heap/HeapTimer.cpp:
2157         (JSC::HeapTimer::timerDidFire):
2158         (JSC::HeapTimer::timerEvent):
2159         * heap/IncrementalSweeper.cpp:
2160         * inspector/InjectedScriptModule.cpp:
2161         (Inspector::InjectedScriptModule::ensureInjected):
2162         * jsc.cpp:
2163         (jscmain):
2164         * runtime/GCActivityCallback.cpp:
2165         (JSC::DefaultGCActivityCallback::doWork):
2166         * runtime/JSGlobalObjectDebuggable.cpp:
2167         (JSC::JSGlobalObjectDebuggable::connect):
2168         (JSC::JSGlobalObjectDebuggable::disconnect):
2169         (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
2170         * runtime/JSLock.cpp:
2171         (JSC::JSLock::lock):
2172         (JSC::JSLock::didAcquireLock):
2173         (JSC::JSLock::unlock):
2174         (JSC::JSLock::willReleaseLock):
2175         (JSC::JSLock::DropAllLocks::DropAllLocks):
2176         (JSC::JSLock::DropAllLocks::~DropAllLocks):
2177         * runtime/JSLock.h:
2178         * testRegExp.cpp:
2179         (realMain):
2180
2181 2014-03-04  Commit Queue  <commit-queue@webkit.org>
2182
2183         Unreviewed, rolling out r164812.
2184         http://trac.webkit.org/changeset/164812
2185         https://bugs.webkit.org/show_bug.cgi?id=129699
2186
2187         it made things run slower (Requested by pizlo on #webkit).
2188
2189         * interpreter/Interpreter.cpp:
2190         (JSC::Interpreter::execute):
2191         * jsc.cpp:
2192         (GlobalObject::finishCreation):
2193         * runtime/BatchedTransitionOptimizer.h:
2194         (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
2195         (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
2196
2197 2014-03-02  Filip Pizlo  <fpizlo@apple.com>
2198
2199         GetMyArgumentByVal in FTL
2200         https://bugs.webkit.org/show_bug.cgi?id=128850
2201
2202         Reviewed by Oliver Hunt.
2203         
2204         This would have been easy if the OSR exit compiler's arity checks hadn't been wrong.
2205         They checked arity by doing "exec->argumentCount == codeBlock->numParameters", which
2206         caused it to think that the arity check had failed if the caller had passed more
2207         arguments than needed. This would cause the call frame copying to sort of go into
2208         reverse (because the amount-by-which-we-failed-arity would have opposite sign,
2209         throwing off a bunch of math) and the stack would end up being corrupted.
2210         
2211         The bug was revealed by two existing tests although as far as I could tell, neither
2212         test was intending to cover this case directly. So, I added a new test.
2213
2214         * ftl/FTLCapabilities.cpp:
2215         (JSC::FTL::canCompile):
2216         * ftl/FTLLowerDFGToLLVM.cpp:
2217         (JSC::FTL::LowerDFGToLLVM::compileNode):
2218         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
2219         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
2220         (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated):
2221         (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated):
2222         * ftl/FTLOSRExitCompiler.cpp:
2223         (JSC::FTL::compileStub):
2224         * ftl/FTLState.h:
2225         * tests/stress/exit-from-ftl-when-caller-passed-extra-args-then-use-function-dot-arguments.js: Added.
2226         * tests/stress/ftl-get-my-argument-by-val-inlined-and-not-inlined.js: Added.
2227         * tests/stress/ftl-get-my-argument-by-val-inlined.js: Added.
2228         * tests/stress/ftl-get-my-argument-by-val.js: Added.
2229
2230 2014-03-04  Zan Dobersek  <zdobersek@igalia.com>
2231
2232         [GTK] Build the Udis86 disassembler
2233         https://bugs.webkit.org/show_bug.cgi?id=129679
2234
2235         Reviewed by Michael Saboff.
2236
2237         * GNUmakefile.am: Generate the Udis86-related derived sources. Distribute the required files.
2238         * GNUmakefile.list.am: Add the Udis86 disassembler files to the build.
2239
2240 2014-03-04  Andreas Kling  <akling@apple.com>
2241
2242         Fix too-narrow assertion I added in r165054.
2243
2244         It's okay for a 1-character string to come in here. This will happen
2245         if the VM small string optimization doesn't apply (ch > 0xFF).
2246
2247         * runtime/JSString.h:
2248         (JSC::jsStringWithWeakOwner):
2249
2250 2014-03-04  Andreas Kling  <akling@apple.com>
2251
2252         Micro-optimize Strings in JS bindings.
2253         <https://webkit.org/b/129673>
2254
2255         Make jsStringWithWeakOwner() take a StringImpl& instead of a String.
2256         This avoids branches in length() and operator[].
2257
2258         Also call JSString::create() directly instead of jsString() and just
2259         assert that the string length is >1. This way we don't duplicate the
2260         optimizations for empty and single-character strings.
2261
2262         Reviewed by Ryosuke Niwa.
2263
2264         * runtime/JSString.h:
2265         (JSC::jsStringWithWeakOwner):
2266
2267 2014-03-04  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
2268
2269         Implement Number.prototype.clz()
2270         https://bugs.webkit.org/show_bug.cgi?id=129479
2271
2272         Reviewed by Oliver Hunt.
2273
2274         Implemented Number.prototype.clz() as specified in the ES6 standard.
2275
2276         * runtime/NumberPrototype.cpp:
2277         (JSC::numberProtoFuncClz):
2278
2279 2014-03-03  Joseph Pecoraro  <pecoraro@apple.com>
2280
2281         Web Inspector: Avoid too early deref caused by RemoteInspectorXPCConnection::close
2282         https://bugs.webkit.org/show_bug.cgi?id=129631
2283
2284         Reviewed by Timothy Hatcher.
2285
2286         Avoid deref() too early if a client calls close(). The xpc_connection_close
2287         will cause another XPC_ERROR event to come in from the queue, deref then.
2288         Likewise, protect multithreaded access to m_client. If a client calls
2289         close() we want to immediately clear the pointer to prevent calls to it.
2290
2291         Overall the multi-threading aspects of RemoteInspectorXPCConnection are
2292         growing too complicated for probably little benefit. We may want to
2293         clean this up later.
2294
2295         * inspector/remote/RemoteInspector.mm:
2296         (Inspector::RemoteInspector::xpcConnectionFailed):
2297         * inspector/remote/RemoteInspectorXPCConnection.h:
2298         * inspector/remote/RemoteInspectorXPCConnection.mm:
2299         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
2300         (Inspector::RemoteInspectorXPCConnection::close):
2301         (Inspector::RemoteInspectorXPCConnection::closeOnQueue):
2302         (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
2303         (Inspector::RemoteInspectorXPCConnection::handleEvent):
2304         (Inspector::RemoteInspectorXPCConnection::sendMessage):
2305
2306 2014-03-03  Michael Saboff  <msaboff@apple.com>
2307
2308         AbstractMacroAssembler::CachedTempRegister should start out invalid
2309         https://bugs.webkit.org/show_bug.cgi?id=129657
2310
2311         Reviewed by Filip Pizlo.
2312
2313         * assembler/AbstractMacroAssembler.h:
2314         (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
2315         - Invalidate all cached registers in constructor as we don't know the
2316           contents of any register at the entry to the code we are going to
2317           generate.
2318
2319 2014-03-03  Andreas Kling  <akling@apple.com>
2320
2321         StructureOrOffset should be fastmalloced.
2322         <https://webkit.org/b/129640>
2323
2324         Reviewed by Geoffrey Garen.
2325
2326         * runtime/StructureIDTable.h:
2327
2328 2014-03-03  Michael Saboff  <msaboff@apple.com>
2329
2330         Crash in JIT code while watching a video @ storyboard.tumblr.com
2331         https://bugs.webkit.org/show_bug.cgi?id=129635
2332
2333         Reviewed by Filip Pizlo.
2334
2335         Clear m_set before we set bits in the TempRegisterSet(const RegisterSet& other)
2336         constructor.
2337
2338         * jit/TempRegisterSet.cpp:
2339         (JSC::TempRegisterSet::TempRegisterSet): Clear map before setting it.
2340         * jit/TempRegisterSet.h:
2341         (JSC::TempRegisterSet::TempRegisterSet): Use new clearAll() helper.
2342         (JSC::TempRegisterSet::clearAll): New private helper.
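
        The uninitialized-bitset bug described in this entry, as an added example that is not
        JavaScriptCore's code: a constructed register-set model with the "before" constructor
        (no clear) beside the "after" one (clearAll() first), each placed over storage
        pre-filled with 0xFF so the stale bits are visible deterministically. The type names,
        sizes and helper bodies are assumptions, not JSC's TempRegisterSet.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <new>

// Constructed model of the bug class; not JSC's TempRegisterSet/RegisterSet.
constexpr int kNumRegisters = 16;
constexpr int kSetBytes = (kNumRegisters + 7) / 8;

struct RegisterSet {
    bool present[kNumRegisters];
};

// "Before": the converting constructor ORs bits into m_set without clearing
// it first, so whatever the stack held before becomes phantom registers.
struct BuggyTempRegisterSet {
    uint8_t m_set[kSetBytes];
    explicit BuggyTempRegisterSet(const RegisterSet& other) {
        for (int i = 0; i < kNumRegisters; ++i)
            if (other.present[i])
                m_set[i / 8] |= uint8_t(1u << (i % 8));
    }
    bool get(int i) const { return (m_set[i / 8] >> (i % 8)) & 1; }
};

// "After": clearAll() runs before any bit is set (helper name taken from the
// entry, its body assumed).
struct FixedTempRegisterSet {
    uint8_t m_set[kSetBytes];
    explicit FixedTempRegisterSet(const RegisterSet& other) {
        clearAll();
        for (int i = 0; i < kNumRegisters; ++i)
            if (other.present[i])
                m_set[i / 8] |= uint8_t(1u << (i % 8));
    }
    bool get(int i) const { return (m_set[i / 8] >> (i % 8)) & 1; }
private:
    void clearAll() { std::memset(m_set, 0, sizeof(m_set)); }
};

// Builds a Set on top of storage pre-filled with 0xFF, so the uninitialized
// read is deterministic (on a real stack the garbage varies from call to call).
// Returns how many registers the set reports as present.
template <typename Set>
static int registersReportedOnDirtyStack(const RegisterSet& src) {
    alignas(Set) unsigned char storage[sizeof(Set)];
    std::memset(storage, 0xFF, sizeof(storage));
    Set* set = new (storage) Set(src);  // no member init: keeps the 0xFF bytes
    int count = 0;
    for (int i = 0; i < kNumRegisters; ++i)
        count += set->get(i) ? 1 : 0;
    set->~Set();
    return count;
}

// Constructed input: exactly two registers are in the source set.
static RegisterSet sampleRegisterSet() {
    RegisterSet rs = {};
    rs.present[0] = true;
    rs.present[5] = true;
    return rs;
}

int buggyRegisterCount() {
    return registersReportedOnDirtyStack<BuggyTempRegisterSet>(sampleRegisterSet());
}

int fixedRegisterCount() {
    return registersReportedOnDirtyStack<FixedTempRegisterSet>(sampleRegisterSet());
}

int main() {
    // Buggy variant reports all 16 registers (stale 0xFF bytes); fixed reports 2.
    std::printf("buggy: %d registers, fixed: %d registers\n",
                buggyRegisterCount(), fixedRegisterCount());
    return 0;
}
```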
2343
2344 2014-03-03  Benjamin Poulain  <benjamin@webkit.org>
2345
2346         [x86] Improve code generation of byte test
2347         https://bugs.webkit.org/show_bug.cgi?id=129597
2348
2349         Reviewed by Geoffrey Garen.
2350
2351         When possible, test the 8 bit register to itself instead of comparing it
2352         to a literal.
2353
2354         * assembler/MacroAssemblerX86Common.h:
2355         (JSC::MacroAssemblerX86Common::test32):
2356
2357 2014-03-03  Mark Lam  <mark.lam@apple.com>
2358
2359         Web Inspector: debugger statements do not break.
2360         <https://webkit.org/b/129524>
2361
2362         Reviewed by Geoff Garen.
2363
2364         Since we no longer call op_debug hooks unless there is a debugger request
2365         made on the CodeBlock, the op_debug for the debugger statement never gets
2366         serviced.
2367
2368         With this fix, we check in the CodeBlock constructor if any debugger
2369         statements are present.  If so, we set a m_hasDebuggerStatement flag that
2370         causes the CodeBlock to show as having debugger requests.  Hence,
2371         breaking at debugger statements is now restored.
2372
2373         * bytecode/CodeBlock.cpp:
2374         (JSC::CodeBlock::CodeBlock):
2375         * bytecode/CodeBlock.h:
2376         (JSC::CodeBlock::hasDebuggerRequests):
2377         (JSC::CodeBlock::clearDebuggerRequests):
2378
2379 2014-03-03  Mark Lam  <mark.lam@apple.com>
2380
2381         ASSERTION FAILED: m_numBreakpoints >= numBreakpoints when deleting breakpoints.
2382         <https://webkit.org/b/129393>
2383
2384         Reviewed by Geoffrey Garen.
2385
2386         The issue manifests because the debugger will iterate all CodeBlocks in
2387         the heap when setting / clearing breakpoints, but it is possible for a
2388         CodeBlock to have been instantiated but not yet registered with the
2389         debugger.  This can happen because of the following:
2390
2391         1. DFG worklist compilation is still in progress, and the target
2392            codeBlock is not ready for installation in its executable yet.
2393
2394         2. DFG compilation failed and we have a codeBlock that will never be
2395            installed in its executable, and the codeBlock has not been cleaned
2396            up by the GC yet.
2397
2398         The code for installing the codeBlock in its executable is the same code
2399         that registers it with the debugger.  Hence, these codeBlocks are not
2400         registered with the debugger, and any pending breakpoints that would map
2401         to that CodeBlock are as yet unset or will never be set.  As such, an
2402         attempt to remove a breakpoint in that CodeBlock will fail that assertion.
2403
2404         To fix this, we do the following:
2405
2406         1. We'll eagerly clean up any zombie CodeBlocks due to failed DFG / FTL
2407            compilation.  This is achieved by providing a
2408            DeferredCompilationCallback::compilationDidComplete() that does this
2409            clean up, and have all sub classes call it at the end of their
2410            compilationDidComplete() methods.
2411
2412         2. Before the debugger or profiler iterates CodeBlocks in the heap, they
2413            will wait for all compilations to complete before proceeding.  This
2414            ensures that:
2415            1. any zombie CodeBlocks would have been cleaned up, and won't be
2416               seen by the debugger or profiler.
2417            2. all CodeBlocks that the debugger and profiler needs to operate on
2418               will be "ready" for whatever needs to be done to them e.g.
2419               jettisoning of DFG codeBlocks.
2420
2421         * bytecode/DeferredCompilationCallback.cpp:
2422         (JSC::DeferredCompilationCallback::compilationDidComplete):
2423         * bytecode/DeferredCompilationCallback.h:
2424         - Provide default implementation method to clean up zombie CodeBlocks.
2425
2426         * debugger/Debugger.cpp:
2427         (JSC::Debugger::forEachCodeBlock):
2428         - Utility function to iterate CodeBlocks.  It ensures that all compilations
2429           are complete before proceeding.
2430         (JSC::Debugger::setSteppingMode):
2431         (JSC::Debugger::toggleBreakpoint):
2432         (JSC::Debugger::recompileAllJSFunctions):
2433         (JSC::Debugger::clearBreakpoints):
2434         (JSC::Debugger::clearDebuggerRequests):
2435         - Use the utility iterator function.
2436
2437         * debugger/Debugger.h:
2438         * dfg/DFGOperations.cpp:
2439         - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.
2440
2441         * dfg/DFGPlan.cpp:
2442         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
2443         - Remove unneeded code (that was not the best solution anyway) for ensuring
2444           that we don't generate new DFG codeBlocks after enabling the debugger or
2445           profiler.  Now that we wait for compilations to complete before proceeding
2446           with debugger and profiler work, this scenario will never happen.
2447
2448         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
2449         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
2450         - Call the super class method to clean up zombie codeBlocks.
2451
2452         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
2453         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
2454         - Call the super class method to clean up zombie codeBlocks.
2455
2456         * heap/CodeBlockSet.cpp:
2457         (JSC::CodeBlockSet::remove):
2458         * heap/CodeBlockSet.h:
2459         * heap/Heap.h:
2460         (JSC::Heap::removeCodeBlock):
2461         - New method to remove a codeBlock from the codeBlock set.
2462
2463         * jit/JITOperations.cpp:
2464         - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.
2465
2466         * jit/JITToDFGDeferredCompilationCallback.cpp:
2467         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
2468         - Call the super class method to clean up zombie codeBlocks.
2469
2470         * runtime/VM.cpp:
2471         (JSC::VM::waitForCompilationsToComplete):
2472         - Renamed from prepareToDiscardCode() to be clearer about what it does.
2473
2474         (JSC::VM::discardAllCode):
2475         (JSC::VM::releaseExecutableMemory):
2476         (JSC::VM::setEnabledProfiler):
2477         - Wait for compilation to complete before enabling the profiler.
2478
2479         * runtime/VM.h:
2480
2481 2014-03-03  Brian Burg  <bburg@apple.com>
2482
2483         Another unreviewed build fix attempt for Windows after r164986.
2484
2485         We never told Visual Studio to copy over the web replay code generator scripts
2486         and the generated headers for JavaScriptCore replay inputs as if they were
2487         private headers.
2488
2489         * JavaScriptCore.vcxproj/copy-files.cmd:
2490
2491 2014-03-03  Brian Burg  <bburg@apple.com>
2492
2493         Web Replay: upstream input storage, capture/replay machinery, and inspector domain
2494         https://bugs.webkit.org/show_bug.cgi?id=128782
2495
2496         Reviewed by Timothy Hatcher.
2497
2498         Alter the replay inputs code generator so that it knows when it is necessary to
2499         include headers for HEAVY_SCALAR types such as WTF::String and WebCore::URL.
2500
2501         * JavaScriptCore.xcodeproj/project.pbxproj:
2502         * replay/scripts/CodeGeneratorReplayInputs.py:
2503         (Framework.fromString):
2504         (Frameworks): Add WTF as an allowed framework for code generation.
2505         (Generator.generate_includes): Include headers for HEAVY_SCALAR types in the header file.
2506         (Generator.generate_includes.declaration):
2507         (Generator.generate_includes.or):
2508         (Generator.generate_type_forward_declarations): Skip HEAVY_SCALAR types.
2509
2510 2014-03-02  Filip Pizlo  <fpizlo@apple.com>
2511
2512         PolymorphicPutByIdList should have a simpler construction API with basically a single entrypoint
2513         https://bugs.webkit.org/show_bug.cgi?id=129591
2514
2515         Reviewed by Michael Saboff.
2516
2517         * bytecode/PolymorphicPutByIdList.cpp:
2518         (JSC::PutByIdAccess::fromStructureStubInfo): This function can figure out the slow path target for itself.
2519         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList): This constructor should be private, only from() should call it.
2520         (JSC::PolymorphicPutByIdList::from):
2521         * bytecode/PolymorphicPutByIdList.h:
2522         (JSC::PutByIdAccess::stubRoutine):
2523         * jit/Repatch.cpp:
2524         (JSC::tryBuildPutByIdList): Don't pass the slow path target since it can be derived from the stubInfo.
2525
2526 2014-03-02  Filip Pizlo  <fpizlo@apple.com>
2527
2528         Debugging improvements from my gbemu investigation session
2529         https://bugs.webkit.org/show_bug.cgi?id=129599
2530
2531         Reviewed by Mark Lam.
2532         
2533         Various improvements from when I was investigating bug 129411.
2534
2535         * bytecode/CodeBlock.cpp:
2536         (JSC::CodeBlock::optimizationThresholdScalingFactor): Make the dataLog() statement print the actual multiplier.
2537         * jsc.cpp:
2538         (GlobalObject::finishCreation):
2539         (functionDescribe): Make describe() return a string rather than printing the string.
2540         (functionDescribeArray): Like describe(), but prints details about arrays.
2541
2542 2014-02-25  Andreas Kling  <akling@apple.com>
2543
2544         JSDOMWindow::commonVM() should return a reference.
2545         <https://webkit.org/b/129293>
2546
2547         Added a DropAllLocks constructor that takes VM& without null checks.
2548
2549         Reviewed by Geoff Garen.
2550
2551 2014-03-02  Mark Lam  <mark.lam@apple.com>
2552
2553         CodeBlock::hasDebuggerRequests() should return a bool instead of an int.
2554         <https://webkit.org/b/129584>
2555
2556         Reviewed by Darin Adler.
2557
2558         * bytecode/CodeBlock.h:
2559         (JSC::CodeBlock::hasDebuggerRequests):
2560
2561 2014-03-02  Mark Lam  <mark.lam@apple.com>
2562
2563         Clean up use of Options::enableConcurrentJIT().
2564         <https://webkit.org/b/129582>
2565
2566         Reviewed by Filip Pizlo.
2567
2568         DFG Driver was conditionally checking Options::enableConcurrentJIT()
2569         only if ENABLE(CONCURRENT_JIT).  Otherwise, it bypasses it with a local
2570         enableConcurrentJIT set to false.
2571
2572         Instead we should configure Options::enableConcurrentJIT() to be false
2573         in Options.cpp if !ENABLE(CONCURRENT_JIT), and DFG Driver should always
2574         check Options::enableConcurrentJIT().  This makes the code read a little
2575         cleaner.
2576
2577         * dfg/DFGDriver.cpp:
2578         (JSC::DFG::compileImpl):
2579         * runtime/Options.cpp:
2580         (JSC::recomputeDependentOptions):
2581
2582 2014-03-01  Filip Pizlo  <fpizlo@apple.com>
2583
2584         This shouldn't have been a layout test since it runs only under jsc. Moving it to JSC
2585         stress tests.
2586
2587         * tests/stress/generational-opaque-roots.js: Copied from LayoutTests/js/script-tests/generational-opaque-roots.js.
2588
2589 2014-03-01  Andreas Kling  <akling@apple.com>
2590
2591         JSCell::fastGetOwnProperty() should get the Structure more efficiently.
2592         <https://webkit.org/b/129560>
2593
2594         Now that structure() is nontrivial and we have a faster structure(VM&),
2595         make use of that in fastGetOwnProperty() since we already have VM.
2596
2597         Reviewed by Sam Weinig.
2598
2599         * runtime/JSCellInlines.h:
2600         (JSC::JSCell::fastGetOwnProperty):
2601
2602 2014-03-01  Andreas Kling  <akling@apple.com>
2603
2604         Avoid going through ExecState for VM when we already have it (in some places.)
2605         <https://webkit.org/b/129554>
2606
2607         Tweak some places that jump through unnecessary hoops to get the VM.
2608         There are many more like this.
2609
2610         Reviewed by Sam Weinig.
2611
2612         * runtime/JSObject.cpp:
2613         (JSC::JSObject::putByIndexBeyondVectorLength):
2614         (JSC::JSObject::putDirectIndexBeyondVectorLength):
2615         * runtime/ObjectPrototype.cpp:
2616         (JSC::objectProtoFuncToString):
2617
2618 2014-02-28  Filip Pizlo  <fpizlo@apple.com>
2619
2620         FTL should support PhantomArguments
2621         https://bugs.webkit.org/show_bug.cgi?id=113986
2622
2623         Reviewed by Oliver Hunt.
2624         
2625         Adding PhantomArguments to the FTL mostly means wiring the recovery of the Arguments
2626         object into the FTL's OSR exit compiler.
2627         
2628         This isn't a speed-up yet, since there is still more to be done to fully support
2629         all of the arguments craziness that our varargs benchmarks do.
2630
2631         * dfg/DFGOSRExitCompiler32_64.cpp:
2632         (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
2633         * dfg/DFGOSRExitCompiler64.cpp:
2634         (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
2635         * dfg/DFGOSRExitCompilerCommon.cpp:
2636         (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator):
2637         (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator):
2638         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): this is the common place for the recovery code
2639         * dfg/DFGOSRExitCompilerCommon.h:
2640         * ftl/FTLCapabilities.cpp:
2641         (JSC::FTL::canCompile):
2642         * ftl/FTLExitValue.cpp:
2643         (JSC::FTL::ExitValue::dumpInContext):
2644         * ftl/FTLExitValue.h:
2645         (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated):
2646         (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated):
2647         (JSC::FTL::ExitValue::valueFormat):
2648         * ftl/FTLLowerDFGToLLVM.cpp:
2649         (JSC::FTL::LowerDFGToLLVM::compileNode):
2650         (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments):
2651         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
2652         (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
2653         * ftl/FTLOSRExitCompiler.cpp:
2654         (JSC::FTL::compileStub): Call into the ArgumentsRecoveryGenerator
2655         * tests/stress/slightly-more-difficult-to-fold-reflective-arguments-access.js: Added.
2656         * tests/stress/trivially-foldable-reflective-arguments-access.js: Added.
2657
2658 2014-02-28  Filip Pizlo  <fpizlo@apple.com>
2659
2660         Unreviewed, uncomment some code. It wasn't meant to be commented in the first place.
2661
2662         * dfg/DFGCSEPhase.cpp:
2663         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
2664
2665 2014-02-28  Andreas Kling  <akling@apple.com>
2666
2667         JSObject::findPropertyHashEntry() should take VM instead of ExecState.
2668         <https://webkit.org/b/129529>
2669
2670         Callers already have VM in a local, and findPropertyHashEntry() only
2671         uses the VM, no need to go all the way through ExecState.
2672
2673         Reviewed by Geoffrey Garen.
2674
2675         * runtime/JSObject.cpp:
2676         (JSC::JSObject::put):
2677         (JSC::JSObject::deleteProperty):
2678         (JSC::JSObject::findPropertyHashEntry):
2679         * runtime/JSObject.h:
2680
2681 2014-02-28  Joseph Pecoraro  <pecoraro@apple.com>
2682
2683         Deadlock remotely inspecting iOS Simulator
2684         https://bugs.webkit.org/show_bug.cgi?id=129511
2685
2686         Reviewed by Timothy Hatcher.
2687
2688         Avoid synchronous setup. Do it asynchronously, and let
2689         the RemoteInspector singleton know later if it failed.
2690
2691         * inspector/remote/RemoteInspector.h:
2692         * inspector/remote/RemoteInspector.mm:
2693         (Inspector::RemoteInspector::setupFailed):
2694         * inspector/remote/RemoteInspectorDebuggableConnection.h:
2695         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
2696         (Inspector::RemoteInspectorDebuggableConnection::setup):
2697
2698 2014-02-28  Oliver Hunt  <oliver@apple.com>
2699
2700         REGRESSION(r164835): It broke 10 JSC stress test on 32 bit platforms
2701         https://bugs.webkit.org/show_bug.cgi?id=129488
2702
2703         Reviewed by Mark Lam.
2704
2705         Whoops, modify the right register.
2706
2707         * jit/JITCall32_64.cpp:
2708         (JSC::JIT::compileLoadVarargs):
2709
2710 2014-02-28  Filip Pizlo  <fpizlo@apple.com>
2711
2712         FTL should be able to call sin/cos directly on platforms where the intrinsic is busted
2713         https://bugs.webkit.org/show_bug.cgi?id=129503
2714
2715         Reviewed by Mark Lam.
2716
2717         * ftl/FTLIntrinsicRepository.h:
2718         * ftl/FTLOutput.h:
2719         (JSC::FTL::Output::doubleSin):
2720         (JSC::FTL::Output::doubleCos):
2721         (JSC::FTL::Output::intrinsicOrOperation):
2722
2723 2014-02-28  Mark Hahnenberg  <mhahnenberg@apple.com>
2724
2725         Fix !ENABLE(GGC) builds
2726
2727         * heap/Heap.cpp:
2728         (JSC::Heap::markRoots):
2729         (JSC::Heap::gatherJSStackRoots): Also fix one of the names of the GC phases.
2730
2731 2014-02-27  Mark Hahnenberg  <mhahnenberg@apple.com>
2732
2733         Clean up Heap::collect and Heap::markRoots
2734         https://bugs.webkit.org/show_bug.cgi?id=129464
2735
2736         Reviewed by Geoffrey Garen.
2737
2738         These functions have built up a lot of cruft recently. 
2739         We should do a bit of cleanup to make them easier to grok.
2740
2741         * heap/Heap.cpp:
2742         (JSC::Heap::finalizeUnconditionalFinalizers):
2743         (JSC::Heap::gatherStackRoots):
2744         (JSC::Heap::gatherJSStackRoots):
2745         (JSC::Heap::gatherScratchBufferRoots):
2746         (JSC::Heap::clearLivenessData):
2747         (JSC::Heap::visitSmallStrings):
2748         (JSC::Heap::visitConservativeRoots):
2749         (JSC::Heap::visitCompilerWorklists):
2750         (JSC::Heap::markProtectedObjects):
2751         (JSC::Heap::markTempSortVectors):
2752         (JSC::Heap::markArgumentBuffers):
2753         (JSC::Heap::visitException):
2754         (JSC::Heap::visitStrongHandles):
2755         (JSC::Heap::visitHandleStack):
2756         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
2757         (JSC::Heap::converge):
2758         (JSC::Heap::visitWeakHandles):
2759         (JSC::Heap::clearRememberedSet):
2760         (JSC::Heap::updateObjectCounts):
2761         (JSC::Heap::resetVisitors):
2762         (JSC::Heap::markRoots):
2763         (JSC::Heap::copyBackingStores):
2764         (JSC::Heap::deleteUnmarkedCompiledCode):
2765         (JSC::Heap::collect):
2766         (JSC::Heap::collectIfNecessaryOrDefer):
2767         (JSC::Heap::suspendCompilerThreads):
2768         (JSC::Heap::willStartCollection):
2769         (JSC::Heap::deleteOldCode):
2770         (JSC::Heap::flushOldStructureIDTables):
2771         (JSC::Heap::flushWriteBarrierBuffer):
2772         (JSC::Heap::stopAllocation):
2773         (JSC::Heap::reapWeakHandles):
2774         (JSC::Heap::sweepArrayBuffers):
2775         (JSC::Heap::snapshotMarkedSpace):
2776         (JSC::Heap::deleteSourceProviderCaches):
2777         (JSC::Heap::notifyIncrementalSweeper):
2778         (JSC::Heap::rememberCurrentlyExecutingCodeBlocks):
2779         (JSC::Heap::resetAllocators):
2780         (JSC::Heap::updateAllocationLimits):
2781         (JSC::Heap::didFinishCollection):
2782         (JSC::Heap::resumeCompilerThreads):
2783         * heap/Heap.h:
2784
2785 2014-02-27  Ryosuke Niwa  <rniwa@webkit.org>
2786
2787         indexOf and lastIndexOf shouldn't resolve ropes when needle is longer than haystack
2788         https://bugs.webkit.org/show_bug.cgi?id=129466
2789
2790         Reviewed by Michael Saboff.
2791
2792         Refactored the code to avoid calling JSString::value when needle is longer than haystack.
2793
2794         * runtime/StringPrototype.cpp:
2795         (JSC::stringProtoFuncIndexOf):
2796         (JSC::stringProtoFuncLastIndexOf):
2797
2798 2014-02-27  Timothy Hatcher  <timothy@apple.com>
2799
2800         Improve how ContentSearchUtilities::lineEndings works by supporting the three common line endings.
2801
2802         https://bugs.webkit.org/show_bug.cgi?id=129458
2803
2804         Reviewed by Joseph Pecoraro.
2805
2806         * inspector/ContentSearchUtilities.cpp:
2807         (Inspector::ContentSearchUtilities::textPositionFromOffset): Remove assumption about line ending length.
2808         (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Remove assumption about
2809         line ending type and don't try to strip the line ending. Use size_t.
2810         (Inspector::ContentSearchUtilities::lineEndings): Use findNextLineStart to find the lines.
2811         This will include the line ending in the lines, but that is okay.
2812         (Inspector::ContentSearchUtilities::buildObjectForSearchMatch): Use size_t.
2813         (Inspector::ContentSearchUtilities::searchInTextByLines): Modernize.
2814
2815 2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>
2816
2817         [Mac] Warning: Multiple build commands for output file GCSegmentedArray and InspectorAgent
2818         https://bugs.webkit.org/show_bug.cgi?id=129446
2819
2820         Reviewed by Timothy Hatcher.
2821
2822         Remove duplicate header entries in Copy Header build phase.
2823
2824         * JavaScriptCore.xcodeproj/project.pbxproj:
2825
2826 2014-02-27  Oliver Hunt  <oliver@apple.com>
2827
2828         Whoops, include all of last patch.
2829
2830         * jit/JITCall32_64.cpp:
2831         (JSC::JIT::compileLoadVarargs):
2832
2833 2014-02-27  Oliver Hunt  <oliver@apple.com>
2834
2835         Slow cases for function.apply and function.call should not require vm re-entry
2836         https://bugs.webkit.org/show_bug.cgi?id=129454
2837
2838         Reviewed by Geoffrey Garen.
2839
2840         Implement call and apply using builtins. Happily the use
2841         of @call and @apply doesn't perform function equality checks
2842         and just plant direct var_args calls. This did expose a few
2843         codegen issues, but they're all covered by existing tests
2844         once call and apply are implemented in JS.
2845
2846         * JavaScriptCore.xcodeproj/project.pbxproj:
2847         * builtins/Function.prototype.js: Added.
2848         (call):
2849         (apply):
2850         * bytecompiler/NodesCodegen.cpp:
2851         (JSC::CallFunctionCallDotNode::emitBytecode):
2852         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2853         * dfg/DFGCapabilities.cpp:
2854         (JSC::DFG::capabilityLevel):
2855         * interpreter/Interpreter.cpp:
2856         (JSC::sizeFrameForVarargs):
2857         (JSC::loadVarargs):
2858         * interpreter/Interpreter.h:
2859         * jit/JITCall.cpp:
2860         (JSC::JIT::compileLoadVarargs):
2861         * parser/ASTBuilder.h:
2862         (JSC::ASTBuilder::makeFunctionCallNode):
2863         * parser/Lexer.cpp:
2864         (JSC::isSafeBuiltinIdentifier):
2865         * runtime/CommonIdentifiers.h:
2866         * runtime/FunctionPrototype.cpp:
2867         (JSC::FunctionPrototype::addFunctionProperties):
2868         * runtime/JSObject.cpp:
2869         (JSC::JSObject::putDirectBuiltinFunction):
2870         (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
2871         * runtime/JSObject.h:
2872
2873 2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>
2874
2875         Web Inspector: Better name for RemoteInspectorDebuggableConnection dispatch queue
2876         https://bugs.webkit.org/show_bug.cgi?id=129443
2877
2878         Reviewed by Timothy Hatcher.
2879
2880         This queue is specific to the JSContext debuggable connections,
2881         there is no XPC involved. Give it a better name.
2882
2883         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
2884         (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
2885
2886 2014-02-27  David Kilzer  <ddkilzer@apple.com>
2887
2888         Remove jsc symlink if it already exists
2889
2890         This is a follow-up fix for:
2891
2892         Create symlink to /usr/local/bin/jsc during installation
2893         <http://webkit.org/b/129399>
2894         <rdar://problem/16168734>
2895
2896         * JavaScriptCore.xcodeproj/project.pbxproj:
2897         (Create /usr/local/bin/jsc symlink): If a jsc symlink already
2898         exists where we're about to create the symlink, remove the old
2899         one first.
2900
2901 2014-02-27  Michael Saboff  <msaboff@apple.com>
2902
2903         Unreviewed build fix for Mac tools after r164814
2904
2905         * Configurations/ToolExecutable.xcconfig:
2906         - Added JavaScriptCore.framework/PrivateHeaders to ToolExecutable include path.
2907         * JavaScriptCore.xcodeproj/project.pbxproj:
2908         - Changed productName to testRegExp for testRegExp target.
2909
2910 2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>
2911
2912         Web Inspector: JSContext inspection should report exceptions in the console
2913         https://bugs.webkit.org/show_bug.cgi?id=128776
2914
2915         Reviewed by Timothy Hatcher.
2916
2917         When JavaScript API functions have an exception, let the inspector
2918         know so it can log the JavaScript and Native backtrace that caused
2919         the exception.
2920
2921         Include some clean up of ConsoleMessage and ScriptCallStack construction.
2922
2923         * API/JSBase.cpp:
2924         (JSEvaluateScript):
2925         (JSCheckScriptSyntax):
2926         * API/JSObjectRef.cpp:
2927         (JSObjectMakeFunction):
2928         (JSObjectMakeArray):
2929         (JSObjectMakeDate):
2930         (JSObjectMakeError):
2931         (JSObjectMakeRegExp):
2932         (JSObjectGetProperty):
2933         (JSObjectSetProperty):
2934         (JSObjectGetPropertyAtIndex):
2935         (JSObjectSetPropertyAtIndex):
2936         (JSObjectDeleteProperty):
2937         (JSObjectCallAsFunction):
2938         (JSObjectCallAsConstructor):
2939         * API/JSValue.mm:
2940         (reportExceptionToInspector):
2941         (valueToArray):
2942         (valueToDictionary):
2943         * API/JSValueRef.cpp:
2944         (JSValueIsEqual):
2945         (JSValueIsInstanceOfConstructor):
2946         (JSValueCreateJSONString):
2947         (JSValueToNumber):
2948         (JSValueToStringCopy):
2949         (JSValueToObject):
2950         When seeing an exception, let the inspector know there was an exception.
2951
2952         * inspector/JSGlobalObjectInspectorController.h:
2953         * inspector/JSGlobalObjectInspectorController.cpp:
2954         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2955         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
2956         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
2957         Log API exceptions by also grabbing the native backtrace.
2958
2959         * inspector/ScriptCallStack.h:
2960         * inspector/ScriptCallStack.cpp:
2961         (Inspector::ScriptCallStack::firstNonNativeCallFrame):
2962         (Inspector::ScriptCallStack::append):
2963         Minor extensions to ScriptCallStack to make it easier to work with.
2964
2965         * inspector/ConsoleMessage.cpp:
2966         (Inspector::ConsoleMessage::ConsoleMessage):
2967         (Inspector::ConsoleMessage::autogenerateMetadata):
2968         Provide better default information if the first call frame was native.
2969
2970         * inspector/ScriptCallStackFactory.cpp:
2971         (Inspector::createScriptCallStack):
2972         (Inspector::extractSourceInformationFromException):
2973         (Inspector::createScriptCallStackFromException):
2974         Perform the handling here of inserting a fake call frame for exceptions
2975         if there was no call stack (e.g. a SyntaxError) or if the first call
2976         frame had no information.
2977
2978         * inspector/ConsoleMessage.cpp:
2979         (Inspector::ConsoleMessage::ConsoleMessage):
2980         (Inspector::ConsoleMessage::autogenerateMetadata):
2981         * inspector/ConsoleMessage.h:
2982         * inspector/ScriptCallStackFactory.cpp:
2983         (Inspector::createScriptCallStack):
2984         (Inspector::createScriptCallStackForConsole):
2985         * inspector/ScriptCallStackFactory.h:
2986         * inspector/agents/InspectorConsoleAgent.cpp:
2987         (Inspector::InspectorConsoleAgent::enable):
2988         (Inspector::InspectorConsoleAgent::addMessageToConsole):
2989         (Inspector::InspectorConsoleAgent::count):
2990         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2991         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
2992         ConsoleMessage cleanup.
2993
2994 2014-02-27  David Kilzer  <ddkilzer@apple.com>
2995
2996         Create symlink to /usr/local/bin/jsc during installation
2997         <http://webkit.org/b/129399>
2998         <rdar://problem/16168734>
2999
3000         Reviewed by Dan Bernstein.
3001
3002         * JavaScriptCore.xcodeproj/project.pbxproj:
3003         - Add "Create /usr/local/bin/jsc symlink" build phase script to
3004           create the symlink during installation.
3005
3006 2014-02-27  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>
3007
3008         Math.{max, min}() must not return after first NaN value
3009         https://bugs.webkit.org/show_bug.cgi?id=104147
3010
3011         Reviewed by Oliver Hunt.
3012
3013         According to the spec, ToNumber is going to be called on each argument
3014         even if a `NaN` value was already found.
3015
3016         * runtime/MathObject.cpp:
3017         (JSC::mathProtoFuncMax):
3018         (JSC::mathProtoFuncMin):
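
        The spec behaviour this entry fixes, as an added example that is not part of the ChangeLog and not JSC code: every argument of Math.max/Math.min is passed through ToNumber, so a valueOf() after the first NaN still runs (and a throwing one still throws). The probe objects and their names are constructed for the example.

```javascript
// Added example (not JSC code): observe that Math.max/Math.min apply
// ToNumber to every argument, even after a NaN has already been seen.

// A constructed object whose valueOf() records each coercion in `log`.
function makeProbe(log, name, value) {
  return { valueOf() { log.push(name); return value; } };
}

// Returns the coercion order plus the results for max and min.
// A spec-conforming engine coerces a, b and c for each call, so the log
// holds all three names twice and both results are NaN.
function probeMathMaxMin() {
  const log = [];
  const a = makeProbe(log, "a", 1);
  const b = makeProbe(log, "b", NaN);   // first NaN is seen here
  const c = makeProbe(log, "c", 3);     // must still be coerced after it
  const max = Math.max(a, b, c);
  const min = Math.min(a, b, c);
  return { log, max, min };
}

// Because every argument is coerced, a throwing valueOf() placed after
// the NaN must propagate rather than being skipped by an early return.
function laterArgumentStillCoerced() {
  const log = [];
  const thrower = {
    valueOf() { log.push("thrower"); throw new Error("coerced"); },
  };
  try {
    Math.max(NaN, thrower);
    return { threw: false, log };
  } catch (e) {
    return { threw: true, message: e.message, log };
  }
}
```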
3019
3020 2014-02-27  Gergo Balogh  <gbalogh.u-szeged@partner.samsung.com>
3021
3022         JSType upper limit (0xff) assertion can be removed.
3023         https://bugs.webkit.org/show_bug.cgi?id=129424
3024
3025         Reviewed by Geoffrey Garen.
3026
3027         * runtime/JSTypeInfo.h:
3028         (JSC::TypeInfo::TypeInfo):
3029
3030 2014-02-26  Michael Saboff  <msaboff@apple.com>
3031
3032         Auto generate bytecode information for bytecode parser and LLInt
3033         https://bugs.webkit.org/show_bug.cgi?id=129181
3034
3035         Reviewed by Mark Lam.
3036
3037         Added new bytecode/BytecodeList.json that contains a list of bytecodes and related
3038         helpers.  It also includes bytecode length and other information used to generate files.
3039         Added a new generator, generate-bytecode-files that generates Bytecodes.h and InitBytecodes.asm
3040         in DerivedSources/JavaScriptCore/.
3041
3042         Added the generation of these files to the "DerivedSource" build step.
3043         Slightly changed the build order, since the Bytecodes.h file is needed by
3044         JSCLLIntOffsetsExtractor.  Moved the offline assembly to a separate step since it needs
3045         to be run after JSCLLIntOffsetsExtractor.
3046
3047         Made related changes to OPCODE macros and their use.
3048
3049         Added JavaScriptCore.framework/PrivateHeaders to header file search path for building
3050         jsc to resolve Mac build issue.
3051
3052         * CMakeLists.txt:
3053         * Configurations/JSC.xcconfig:
3054         * DerivedSources.make:
3055         * GNUmakefile.am:
3056         * GNUmakefile.list.am:
3057         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3058         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3059         * JavaScriptCore.vcxproj/copy-files.cmd:
3060         * JavaScriptCore.xcodeproj/project.pbxproj:
3061         * bytecode/Opcode.h:
3062         (JSC::padOpcodeName):
3063         * llint/LLIntCLoop.cpp:
3064         (JSC::LLInt::CLoop::initialize):
3065         * llint/LLIntCLoop.h:
3066         * llint/LLIntData.cpp:
3067         (JSC::LLInt::initialize):
3068         * llint/LLIntOpcode.h:
3069         * llint/LowLevelInterpreter.asm:
3070
3071 2014-02-27  Julien Brianceau  <jbriance@cisco.com>
3072
3073         Fix 32-bit V_JITOperation_EJ callOperation introduced in r162652.
3074         https://bugs.webkit.org/show_bug.cgi?id=129420
3075
3076         Reviewed by Geoffrey Garen.
3077
3078         * dfg/DFGSpeculativeJIT.h:
3079         (JSC::DFG::SpeculativeJIT::callOperation): Payload and tag are swapped.
3080         Also, EABI_32BIT_DUMMY_ARG is missing for arm EABI and mips.
3081
3082 2014-02-27  Filip Pizlo  <fpizlo@apple.com>
3083
3084         Octane/closure thrashes between flattening dictionaries during global object initialization in a global eval
3085         https://bugs.webkit.org/show_bug.cgi?id=129435
3086
3087         Reviewed by Oliver Hunt.
3088         
3089         This is a 5-10% speed-up on Octane/closure.
3090
3091         * interpreter/Interpreter.cpp:
3092         (JSC::Interpreter::execute):
3093         * jsc.cpp:
3094         (GlobalObject::finishCreation):
3095         (functionClearCodeCache):
3096         * runtime/BatchedTransitionOptimizer.h:
3097         (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
3098         (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
3099
3100 2014-02-27  Alexey Proskuryakov  <ap@apple.com>
3101
3102         Added svn:ignore to two directories, so that .pyc files don't show up as unversioned.
3103
3104         * inspector/scripts: Added property svn:ignore.
3105         * replay/scripts: Added property svn:ignore.
3106
3107 2014-02-27  Gabor Rapcsanyi  <rgabor@webkit.org>
3108
3109         r164764 broke the ARM build
3110         https://bugs.webkit.org/show_bug.cgi?id=129415
3111
3112         Reviewed by Zoltan Herczeg.
3113
3114         * assembler/MacroAssemblerARM.h:
3115         (JSC::MacroAssemblerARM::moveWithPatch): Change reinterpret_cast to static_cast.
3116         (JSC::MacroAssemblerARM::canJumpReplacePatchableBranch32WithPatch): Add missing function.
3117         (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress): Add missing function.
3118         (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch): Add missing function.
3119
3120 2014-02-27  Mark Hahnenberg  <mhahnenberg@apple.com>
3121
3122         r164764 broke the ARM build
3123         https://bugs.webkit.org/show_bug.cgi?id=129415
3124
3125         Reviewed by Geoffrey Garen.
3126
3127         * assembler/MacroAssemblerARM.h:
3128         (JSC::MacroAssemblerARM::moveWithPatch):
3129
3130 2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>
3131
3132         r164764 broke the ARM build
3133         https://bugs.webkit.org/show_bug.cgi?id=129415
3134
3135         Reviewed by Geoffrey Garen.
3136
3137         * assembler/MacroAssemblerARM.h:
3138         (JSC::MacroAssemblerARM::branch32WithPatch): Missing this function.
3139
3140 2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>
3141
3142         EFL build fix
3143
3144         * dfg/DFGSpeculativeJIT32_64.cpp: Remove unused variables.
3145         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
3146         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
3147
3148 2014-02-25  Mark Hahnenberg  <mhahnenberg@apple.com>
3149
3150         Make JSCells have 32-bit Structure pointers
3151         https://bugs.webkit.org/show_bug.cgi?id=123195
3152
3153         Reviewed by Filip Pizlo.
3154
3155         This patch changes JSCells such that they no longer have a full 64-bit Structure
3156         pointer in their header. Instead they now have a 32-bit index into
3157         a per-VM table of Structure pointers. 32-bit platforms still use normal Structure
3158         pointers.
3159
3160         This change frees up an additional 32 bits of information in our object headers.
3161         We then use this extra space to store the indexing type of the object, the JSType
3162         of the object, some various type flags, and garbage collection data (e.g. mark bit).
3163         Because this inline type information is now faster to read, it pays for the slowdown 
3164         incurred by having to perform an extra indirection through the StructureIDTable.
3165
3166         This patch also threads a reference to the current VM through more of the C++ runtime
3167         to offset the cost of having to look up the VM to get the actual Structure pointer.
3168
3169         * API/JSContext.mm:
3170         (-[JSContext setException:]):
3171         (-[JSContext wrapperForObjCObject:]):
3172         (-[JSContext wrapperForJSObject:]):
3173         * API/JSContextRef.cpp:
3174         (JSContextGroupRelease):
3175         (JSGlobalContextRelease):
3176         * API/JSObjectRef.cpp:
3177         (JSObjectIsFunction):
3178         (JSObjectCopyPropertyNames):
3179         * API/JSValue.mm:
3180         (containerValueToObject):
3181         * API/JSWrapperMap.mm:
3182         (tryUnwrapObjcObject):
3183         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3184         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3185         * JavaScriptCore.xcodeproj/project.pbxproj:
3186         * assembler/AbstractMacroAssembler.h:
3187         * assembler/MacroAssembler.h:
3188         (JSC::MacroAssembler::patchableBranch32WithPatch):
3189         (JSC::MacroAssembler::patchableBranch32):
3190         * assembler/MacroAssemblerARM64.h:
3191         (JSC::MacroAssemblerARM64::branchPtrWithPatch):
3192         (JSC::MacroAssemblerARM64::patchableBranch32WithPatch):
3193         (JSC::MacroAssemblerARM64::canJumpReplacePatchableBranch32WithPatch):
3194         (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
3195         (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
3196         * assembler/MacroAssemblerARMv7.h:
3197         (JSC::MacroAssemblerARMv7::store8):
3198         (JSC::MacroAssemblerARMv7::branch32WithPatch):
3199         (JSC::MacroAssemblerARMv7::patchableBranch32WithPatch):
3200         (JSC::MacroAssemblerARMv7::canJumpReplacePatchableBranch32WithPatch):
3201         (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
3202         (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
3203         * assembler/MacroAssemblerX86.h:
3204         (JSC::MacroAssemblerX86::branch32WithPatch):
3205         (JSC::MacroAssemblerX86::canJumpReplacePatchableBranch32WithPatch):
3206         (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
3207         (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
3208         * assembler/MacroAssemblerX86_64.h:
3209         (JSC::MacroAssemblerX86_64::store32):
3210         (JSC::MacroAssemblerX86_64::moveWithPatch):
3211         (JSC::MacroAssemblerX86_64::branch32WithPatch):
3212         (JSC::MacroAssemblerX86_64::canJumpReplacePatchableBranch32WithPatch):
3213         (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
3214         (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
3215         (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
3216         * assembler/RepatchBuffer.h:
3217         (JSC::RepatchBuffer::startOfPatchableBranch32WithPatchOnAddress):
3218         (JSC::RepatchBuffer::revertJumpReplacementToPatchableBranch32WithPatch):
3219         * assembler/X86Assembler.h:
3220         (JSC::X86Assembler::revertJumpTo_movq_i64r):
3221         (JSC::X86Assembler::revertJumpTo_movl_i32r):
3222         * bytecode/ArrayProfile.cpp:
3223         (JSC::ArrayProfile::computeUpdatedPrediction):
3224         * bytecode/ArrayProfile.h:
3225         (JSC::ArrayProfile::ArrayProfile):
3226         (JSC::ArrayProfile::addressOfLastSeenStructureID):
3227         (JSC::ArrayProfile::observeStructure):
3228         * bytecode/CodeBlock.h:
3229         (JSC::CodeBlock::heap):
3230         * bytecode/UnlinkedCodeBlock.h:
3231         * debugger/Debugger.h:
3232         * dfg/DFGAbstractHeap.h:
3233         * dfg/DFGArrayifySlowPathGenerator.h:
3234         * dfg/DFGClobberize.h:
3235         (JSC::DFG::clobberize):
3236         * dfg/DFGJITCompiler.h:
3237         (JSC::DFG::JITCompiler::branchWeakStructure):
3238         (JSC::DFG::JITCompiler::branchStructurePtr):
3239         * dfg/DFGOSRExitCompiler32_64.cpp:
3240         (JSC::DFG::OSRExitCompiler::compileExit):
3241         * dfg/DFGOSRExitCompiler64.cpp:
3242         (JSC::DFG::OSRExitCompiler::compileExit):
3243         * dfg/DFGOSRExitCompilerCommon.cpp:
3244         (JSC::DFG::osrWriteBarrier):
3245         (JSC::DFG::adjustAndJumpToTarget):
3246         * dfg/DFGOperations.cpp:
3247         (JSC::DFG::putByVal):
3248         * dfg/DFGSpeculativeJIT.cpp:
3249         (JSC::DFG::SpeculativeJIT::checkArray):
3250         (JSC::DFG::SpeculativeJIT::arrayify):
3251         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
3252         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
3253         (JSC::DFG::SpeculativeJIT::compileInstanceOf):
3254         (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
3255         (JSC::DFG::SpeculativeJIT::speculateObject):
3256         (JSC::DFG::SpeculativeJIT::speculateFinalObject):
3257         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
3258         (JSC::DFG::SpeculativeJIT::speculateString):
3259         (JSC::DFG::SpeculativeJIT::speculateStringObject):
3260         (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
3261         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
3262         (JSC::DFG::SpeculativeJIT::emitSwitchString):
3263         (JSC::DFG::SpeculativeJIT::genericWriteBarrier):
3264         (JSC::DFG::SpeculativeJIT::writeBarrier):
3265         * dfg/DFGSpeculativeJIT.h:
3266         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
3267         (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
3268         * dfg/DFGSpeculativeJIT32_64.cpp:
3269         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
3270         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
3271         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
3272         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
3273         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
3274         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
3275         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
3276         (JSC::DFG::SpeculativeJIT::compile):
3277         (JSC::DFG::SpeculativeJIT::writeBarrier):
3278         * dfg/DFGSpeculativeJIT64.cpp:
3279         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
3280         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
3281         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
3282         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
3283         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
3284         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
3285         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
3286         (JSC::DFG::SpeculativeJIT::compile):
3287         (JSC::DFG::SpeculativeJIT::writeBarrier):
3288         * dfg/DFGWorklist.cpp:
3289         * ftl/FTLAbstractHeapRepository.cpp:
3290         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
3291         * ftl/FTLAbstractHeapRepository.h:
3292         * ftl/FTLLowerDFGToLLVM.cpp:
3293         (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
3294         (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
3295         (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
3296         (JSC::FTL::LowerDFGToLLVM::compileToString):
3297         (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
3298         (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
3299         (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
3300         (JSC::FTL::LowerDFGToLLVM::allocateCell):
3301         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
3302         (JSC::FTL::LowerDFGToLLVM::isObject):
3303         (JSC::FTL::LowerDFGToLLVM::isString):
3304         (JSC::FTL::LowerDFGToLLVM::isArrayType):
3305         (JSC::FTL::LowerDFGToLLVM::hasClassInfo):
3306         (JSC::FTL::LowerDFGToLLVM::isType):
3307         (JSC::FTL::LowerDFGToLLVM::speculateStringOrStringObject):
3308         (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForCell):
3309         (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
3310         (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
3311         (JSC::FTL::LowerDFGToLLVM::loadMarkByte):
3312         (JSC::FTL::LowerDFGToLLVM::loadStructure):
3313         (JSC::FTL::LowerDFGToLLVM::weakStructure):
3314         * ftl/FTLOSRExitCompiler.cpp:
3315         (JSC::FTL::compileStub):
3316         * ftl/FTLOutput.h:
3317         (JSC::FTL::Output::store8):
3318         * heap/GCAssertions.h:
3319         * heap/Heap.cpp:
3320         (JSC::Heap::getConservativeRegisterRoots):
3321         (JSC::Heap::collect):
3322         (JSC::Heap::writeBarrier):
3323         * heap/Heap.h:
3324         (JSC::Heap::structureIDTable):
3325         * heap/MarkedSpace.h:
3326         (JSC::MarkedSpace::forEachBlock):
3327         * heap/SlotVisitorInlines.h:
3328         (JSC::SlotVisitor::internalAppend):
3329         * jit/AssemblyHelpers.h:
3330         (JSC::AssemblyHelpers::branchIfCellNotObject):
3331         (JSC::AssemblyHelpers::genericWriteBarrier):
3332         (JSC::AssemblyHelpers::emitLoadStructure):
3333         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
3334         * jit/JIT.h:
3335         * jit/JITCall.cpp:
3336         (JSC::JIT::compileOpCall):
3337         (JSC::JIT::privateCompileClosureCall):
3338         * jit/JITCall32_64.cpp:
3339         (JSC::JIT::emit_op_ret_object_or_this):
3340         (JSC::JIT::compileOpCall):
3341         (JSC::JIT::privateCompileClosureCall):
3342         * jit/JITInlineCacheGenerator.cpp:
3343         (JSC::JITByIdGenerator::generateFastPathChecks):
3344         * jit/JITInlineCacheGenerator.h:
3345         * jit/JITInlines.h:
3346         (JSC::JIT::emitLoadCharacterString):
3347         (JSC::JIT::checkStructure):
3348         (JSC::JIT::emitJumpIfCellNotObject):
3349         (JSC::JIT::emitAllocateJSObject):
3350         (JSC::JIT::emitArrayProfilingSiteWithCell):
3351         (JSC::JIT::emitArrayProfilingSiteForBytecodeIndexWithCell):
3352         (JSC::JIT::branchStructure):
3353         (JSC::branchStructure):
3354         * jit/JITOpcodes.cpp:
3355         (JSC::JIT::emit_op_check_has_instance):
3356         (JSC::JIT::emit_op_instanceof):
3357         (JSC::JIT::emit_op_is_undefined):
3358         (JSC::JIT::emit_op_is_string):
3359         (JSC::JIT::emit_op_ret_object_or_this):
3360         (JSC::JIT::emit_op_to_primitive):
3361         (JSC::JIT::emit_op_jeq_null):
3362         (JSC::JIT::emit_op_jneq_null):
3363         (JSC::JIT::emit_op_get_pnames):
3364         (JSC::JIT::emit_op_next_pname):
3365         (JSC::JIT::emit_op_eq_null):
3366         (JSC::JIT::emit_op_neq_null):
3367         (JSC::JIT::emit_op_to_this):
3368         (JSC::JIT::emitSlow_op_to_this):
3369         * jit/JITOpcodes32_64.cpp:
3370         (JSC::JIT::emit_op_check_has_instance):
3371         (JSC::JIT::emit_op_instanceof):
3372         (JSC::JIT::emit_op_is_undefined):
3373         (JSC::JIT::emit_op_is_string):
3374         (JSC::JIT::emit_op_to_primitive):
3375         (JSC::JIT::emit_op_jeq_null):
3376         (JSC::JIT::emit_op_jneq_null):
3377         (JSC::JIT::emitSlow_op_eq):
3378         (JSC::JIT::emitSlow_op_neq):
3379         (JSC::JIT::compileOpStrictEq):
3380         (JSC::JIT::emit_op_eq_null):
3381         (JSC::JIT::emit_op_neq_null):
3382         (JSC::JIT::emit_op_get_pnames):
3383         (JSC::JIT::emit_op_next_pname):
3384         (JSC::JIT::emit_op_to_this):
3385         * jit/JITOperations.cpp:
3386         * jit/JITPropertyAccess.cpp:
3387         (JSC::JIT::stringGetByValStubGenerator):
3388         (JSC::JIT::emit_op_get_by_val):
3389         (JSC::JIT::emitSlow_op_get_by_val):
3390         (JSC::JIT::emit_op_get_by_pname):
3391         (JSC::JIT::emit_op_put_by_val):
3392         (JSC::JIT::emit_op_get_by_id):
3393         (JSC::JIT::emitLoadWithStructureCheck):
3394         (JSC::JIT::emitSlow_op_get_from_scope):
3395         (JSC::JIT::emitSlow_op_put_to_scope):
3396         (JSC::JIT::checkMarkWord):
3397         (JSC::JIT::emitWriteBarrier):
3398         (JSC::JIT::addStructureTransitionCheck):
3399         (JSC::JIT::emitIntTypedArrayGetByVal):
3400         (JSC::JIT::emitFloatTypedArrayGetByVal):
3401         (JSC::JIT::emitIntTypedArrayPutByVal):
3402         (JSC::JIT::emitFloatTypedArrayPutByVal):
3403         * jit/JITPropertyAccess32_64.cpp:
3404         (JSC::JIT::stringGetByValStubGenerator):
3405         (JSC::JIT::emit_op_get_by_val):
3406         (JSC::JIT::emitSlow_op_get_by_val):
3407         (JSC::JIT::emit_op_put_by_val):
3408         (JSC::JIT::emit_op_get_by_id):
3409         (JSC::JIT::emit_op_get_by_pname):
3410         (JSC::JIT::emitLoadWithStructureCheck):
3411         * jit/JSInterfaceJIT.h:
3412         (JSC::JSInterfaceJIT::emitJumpIfNotType):
3413         * jit/Repatch.cpp:
3414         (JSC::repatchByIdSelfAccess):
3415         (JSC::addStructureTransitionCheck):
3416         (JSC::replaceWithJump):
3417         (JSC::generateProtoChainAccessStub):
3418         (JSC::tryCacheGetByID):
3419         (JSC::tryBuildGetByIDList):
3420         (JSC::writeBarrier):
3421         (JSC::emitPutReplaceStub):
3422         (JSC::emitPutTransitionStub):
3423         (JSC::tryBuildPutByIdList):
3424         (JSC::tryRepatchIn):
3425         (JSC::linkClosureCall):
3426         (JSC::resetGetByID):
3427         (JSC::resetPutByID):
3428         * jit/SpecializedThunkJIT.h:
3429         (JSC::SpecializedThunkJIT::loadJSStringArgument):
3430         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
3431         * jit/ThunkGenerators.cpp:
3432         (JSC::virtualForThunkGenerator):
3433         (JSC::arrayIteratorNextThunkGenerator):
3434         * jit/UnusedPointer.h:
3435         * llint/LowLevelInterpreter.asm:
3436         * llint/LowLevelInterpreter32_64.asm:
3437         * llint/LowLevelInterpreter64.asm:
3438         * runtime/Arguments.cpp:
3439         (JSC::Arguments::createStrictModeCallerIfNecessary):
3440         (JSC::Arguments::createStrictModeCalleeIfNecessary):
3441         * runtime/Arguments.h:
3442         (JSC::Arguments::createStructure):
3443         * runtime/ArrayPrototype.cpp:
3444         (JSC::shift):
3445         (JSC::unshift):
3446         (JSC::arrayProtoFuncToString):
3447         (JSC::arrayProtoFuncPop):
3448         (JSC::arrayProtoFuncReverse):
3449         (JSC::performSlowSort):
3450         (JSC::arrayProtoFuncSort):
3451         (JSC::arrayProtoFuncSplice):
3452         (JSC::arrayProtoFuncUnShift):
3453         * runtime/CommonSlowPaths.cpp:
3454         (JSC::SLOW_PATH_DECL):
3455         * runtime/Executable.h:
3456         (JSC::ExecutableBase::isFunctionExecutable):
3457         (JSC::ExecutableBase::clearCodeVirtual):
3458         (JSC::ScriptExecutable::unlinkCalls):
3459         * runtime/GetterSetter.cpp:
3460         (JSC::callGetter):
3461         (JSC::callSetter):
3462         * runtime/InitializeThreading.cpp:
3463         * runtime/JSArray.cpp:
3464         (JSC::JSArray::unshiftCountSlowCase):
3465         (JSC::JSArray::setLength):
3466         (JSC::JSArray::pop):
3467         (JSC::JSArray::push):
3468         (JSC::JSArray::shiftCountWithArrayStorage):
3469         (JSC::JSArray::shiftCountWithAnyIndexingType):
3470         (JSC::JSArray::unshiftCountWithArrayStorage):
3471         (JSC::JSArray::unshiftCountWithAnyIndexingType):
3472         (JSC::JSArray::sortNumericVector):
3473         (JSC::JSArray::sortNumeric):
3474         (JSC::JSArray::sortCompactedVector):
3475         (JSC::JSArray::sort):
3476         (JSC::JSArray::sortVector):
3477         (JSC::JSArray::fillArgList):
3478         (JSC::JSArray::copyToArguments):
3479         (JSC::JSArray::compactForSorting):
3480         * runtime/JSCJSValueInlines.h:
3481         (JSC::JSValue::toThis):
3482         (JSC::JSValue::put):
3483         (JSC::JSValue::putByIndex):
3484         (JSC::JSValue::equalSlowCaseInline):
3485         * runtime/JSCell.cpp:
3486         (JSC::JSCell::put):
3487         (JSC::JSCell::putByIndex):
3488         (JSC::JSCell::deleteProperty):
3489         (JSC::JSCell::deletePropertyByIndex):
3490         * runtime/JSCell.h:
3491         (JSC::JSCell::clearStructure):
3492         (JSC::JSCell::mark):
3493         (JSC::JSCell::isMarked):
3494         (JSC::JSCell::structureIDOffset):
3495         (JSC::JSCell::typeInfoFlagsOffset):
3496         (JSC::JSCell::typeInfoTypeOffset):
3497         (JSC::JSCell::indexingTypeOffset):
3498         (JSC::JSCell::gcDataOffset):
3499         * runtime/JSCellInlines.h:
3500         (JSC::JSCell::JSCell):
3501         (JSC::JSCell::finishCreation):
3502         (JSC::JSCell::type):
3503         (JSC::JSCell::indexingType):
3504         (JSC::JSCell::structure):
3505         (JSC::JSCell::visitChildren):
3506         (JSC::JSCell::isObject):
3507         (JSC::JSCell::isString):
3508         (JSC::JSCell::isGetterSetter):
3509         (JSC::JSCell::isProxy):
3510         (JSC::JSCell::isAPIValueWrapper):
3511         (JSC::JSCell::setStructure):
3512         (JSC::JSCell::methodTable):
3513         (JSC::Heap::writeBarrier):
3514         * runtime/JSDataView.cpp:
3515         (JSC::JSDataView::createStructure):
3516         * runtime/JSDestructibleObject.h:
3517         (JSC::JSCell::classInfo):
3518         * runtime/JSFunction.cpp:
3519         (JSC::JSFunction::getOwnNonIndexPropertyNames):
3520         (JSC::JSFunction::put):
3521         (JSC::JSFunction::defineOwnProperty):
3522         * runtime/JSGenericTypedArrayView.h:
3523         (JSC::JSGenericTypedArrayView::createStructure):
3524         * runtime/JSObject.cpp:
3525         (JSC::getCallableObjectSlow):
3526         (JSC::JSObject::copyButterfly):
3527         (JSC::JSObject::visitButterfly):
3528         (JSC::JSFinalObject::visitChildren):
3529         (JSC::JSObject::getOwnPropertySlotByIndex):
3530         (JSC::JSObject::put):
3531         (JSC::JSObject::putByIndex):
3532         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
3533         (JSC::JSObject::enterDictionaryIndexingMode):
3534         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
3535         (JSC::JSObject::createInitialIndexedStorage):
3536         (JSC::JSObject::createInitialUndecided):
3537         (JSC::JSObject::createInitialInt32):
3538         (JSC::JSObject::createInitialDouble):
3539         (JSC::JSObject::createInitialContiguous):
3540         (JSC::JSObject::createArrayStorage):
3541         (JSC::JSObject::convertUndecidedToInt32):
3542         (JSC::JSObject::convertUndecidedToDouble):
3543         (JSC::JSObject::convertUndecidedToContiguous):
3544         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
3545         (JSC::JSObject::convertUndecidedToArrayStorage):
3546         (JSC::JSObject::convertInt32ToDouble):
3547         (JSC::JSObject::convertInt32ToContiguous):
3548         (JSC::JSObject::convertInt32ToArrayStorage):
3549         (JSC::JSObject::genericConvertDoubleToContiguous):
3550         (JSC::JSObject::convertDoubleToArrayStorage):
3551         (JSC::JSObject::convertContiguousToArrayStorage):
3552         (JSC::JSObject::ensureInt32Slow):
3553         (JSC::JSObject::ensureDoubleSlow):
3554         (JSC::JSObject::ensureContiguousSlow):
3555         (JSC::JSObject::ensureArrayStorageSlow):
3556         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
3557         (JSC::JSObject::switchToSlowPutArrayStorage):
3558         (JSC::JSObject::setPrototype):
3559         (JSC::JSObject::setPrototypeWithCycleCheck):
3560         (JSC::JSObject::putDirectNonIndexAccessor):
3561         (JSC::JSObject::deleteProperty):
3562         (JSC::JSObject::hasOwnProperty):
3563         (JSC::JSObject::deletePropertyByIndex):
3564         (JSC::JSObject::getPrimitiveNumber):
3565         (JSC::JSObject::hasInstance):
3566         (JSC::JSObject::getPropertySpecificValue):
3567         (JSC::JSObject::getPropertyNames):
3568         (JSC::JSObject::getOwnPropertyNames):
3569         (JSC::JSObject::getOwnNonIndexPropertyNames):
3570         (JSC::JSObject::seal):
3571         (JSC::JSObject::freeze):
3572         (JSC::JSObject::preventExtensions):
3573         (JSC::JSObject::reifyStaticFunctionsForDelete):
3574         (JSC::JSObject::removeDirect):
3575         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
3576         (JSC::JSObject::putByIndexBeyondVectorLength):
3577         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
3578         (JSC::JSObject::putDirectIndexBeyondVectorLength):
3579         (JSC::JSObject::getNewVectorLength):
3580         (JSC::JSObject::countElements):
3581         (JSC::JSObject::increaseVectorLength):
3582         (JSC::JSObject::ensureLengthSlow):
3583         (JSC::JSObject::growOutOfLineStorage):
3584         (JSC::JSObject::getOwnPropertyDescriptor):
3585         (JSC::putDescriptor):
3586         (JSC::JSObject::defineOwnNonIndexProperty):
3587         * runtime/JSObject.h:
3588         (JSC::getJSFunction):
3589         (JSC::JSObject::getArrayLength):
3590         (JSC::JSObject::getVectorLength):
3591         (JSC::JSObject::putByIndexInline):
3592         (JSC::JSObject::canGetIndexQuickly):
3593         (JSC::JSObject::getIndexQuickly):
3594         (JSC::JSObject::tryGetIndexQuickly):
3595         (JSC::JSObject::getDirectIndex):
3596         (JSC::JSObject::canSetIndexQuickly):
3597         (JSC::JSObject::canSetIndexQuicklyForPutDirect):
3598         (JSC::JSObject::setIndexQuickly):
3599         (JSC::JSObject::initializeIndex):
3600         (JSC::JSObject::hasSparseMap):
3601         (JSC::JSObject::inSparseIndexingMode):
3602         (JSC::JSObject::getDirect):
3603         (JSC::JSObject::getDirectOffset):
3604         (JSC::JSObject::isSealed):
3605         (JSC::JSObject::isFrozen):
3606         (JSC::JSObject::flattenDictionaryObject):
3607         (JSC::JSObject::ensureInt32):
3608         (JSC::JSObject::ensureDouble):
3609         (JSC::JSObject::ensureContiguous):
3610         (JSC::JSObject::rageEnsureContiguous):
3611         (JSC::JSObject::ensureArrayStorage):
3612         (JSC::JSObject::arrayStorage):
3613         (JSC::JSObject::arrayStorageOrNull):
3614         (JSC::JSObject::ensureLength):
3615         (JSC::JSObject::currentIndexingData):
3616         (JSC::JSObject::getHolyIndexQuickly):
3617         (JSC::JSObject::currentRelevantLength):
3618         (JSC::JSObject::isGlobalObject):
3619         (JSC::JSObject::isVariableObject):
3620         (JSC::JSObject::isStaticScopeObject):
3621         (JSC::JSObject::isNameScopeObject):
3622         (JSC::JSObject::isActivationObject):
3623         (JSC::JSObject::isErrorInstance):
3624         (JSC::JSObject::inlineGetOwnPropertySlot):
3625         (JSC::JSObject::fastGetOwnPropertySlot):
3626         (JSC::JSObject::getPropertySlot):
3627         (JSC::JSObject::putDirectInternal):
3628         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
3629         * runtime/JSPropertyNameIterator.h:
3630         (JSC::JSPropertyNameIterator::createStructure):
3631         * runtime/JSProxy.cpp:
3632         (JSC::JSProxy::getOwnPropertySlot):
3633         (JSC::JSProxy::getOwnPropertySlotByIndex):
3634         (JSC::JSProxy::put):
3635         (JSC::JSProxy::putByIndex):
3636         (JSC::JSProxy::defineOwnProperty):
3637         (JSC::JSProxy::deleteProperty):
3638         (JSC::JSProxy::deletePropertyByIndex):
3639         (JSC::JSProxy::getPropertyNames):
3640         (JSC::JSProxy::getOwnPropertyNames):
3641         * runtime/JSScope.cpp:
3642         (JSC::JSScope::objectAtScope):
3643         * runtime/JSString.h:
3644         (JSC::JSString::createStructure):
3645         (JSC::isJSString):
3646         * runtime/JSType.h:
3647         * runtime/JSTypeInfo.h:
3648         (JSC::TypeInfo::TypeInfo):
3649         (JSC::TypeInfo::isObject):
3650         (JSC::TypeInfo::structureIsImmortal):
3651         (JSC::TypeInfo::zeroedGCDataOffset):
3652         (JSC::TypeInfo::inlineTypeFlags):
3653         * runtime/MapData.h:
3654         * runtime/ObjectConstructor.cpp:
3655         (JSC::objectConstructorGetOwnPropertyNames):
3656         (JSC::objectConstructorKeys):
3657         (JSC::objectConstructorDefineProperty):
3658         (JSC::defineProperties):
3659         (JSC::objectConstructorSeal):
3660         (JSC::objectConstructorFreeze):
3661         (JSC::objectConstructorIsSealed):
3662         (JSC::objectConstructorIsFrozen):
3663         * runtime/ObjectPrototype.cpp:
3664         (JSC::objectProtoFuncDefineGetter):
3665         (JSC::objectProtoFuncDefineSetter):
3666         (JSC::objectProtoFuncToString):
3667         * runtime/Operations.cpp:
3668         (JSC::jsTypeStringForValue):
3669         (JSC::jsIsObjectType):
3670         * runtime/Operations.h:
3671         (JSC::normalizePrototypeChainForChainAccess):
3672         (JSC::normalizePrototypeChain):
3673         * runtime/PropertyMapHashTable.h:
3674         (JSC::PropertyTable::createStructure):
3675         * runtime/RegExp.h:
3676         (JSC::RegExp::createStructure):
3677         * runtime/SparseArrayValueMap.h:
3678         * runtime/Structure.cpp:
3679         (JSC::Structure::Structure):
3680         (JSC::Structure::~Structure):
3681         (JSC::Structure::prototypeChainMayInterceptStoreTo):
3682         * runtime/Structure.h:
3683         (JSC::Structure::id):
3684         (JSC::Structure::idBlob):
3685         (JSC::Structure::objectInitializationFields):
3686         (JSC::Structure::structureIDOffset):
3687         * runtime/StructureChain.h:
3688         (JSC::StructureChain::createStructure):
3689         * runtime/StructureIDTable.cpp: Added.
3690         (JSC::StructureIDTable::StructureIDTable):
3691         (JSC::StructureIDTable::~StructureIDTable):
3692         (JSC::StructureIDTable::resize):
3693         (JSC::StructureIDTable::flushOldTables):
3694         (JSC::StructureIDTable::allocateID):
3695         (JSC::StructureIDTable::deallocateID):
3696         * runtime/StructureIDTable.h: Added.
3697         (JSC::StructureIDTable::base):
3698         (JSC::StructureIDTable::get):
3699         * runtime/SymbolTable.h:
3700         * runtime/TypedArrayType.cpp:
3701         (JSC::typeForTypedArrayType):
3702         * runtime/TypedArrayType.h:
3703         * runtime/WeakMapData.h:
3704
3705 2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>
3706
3707         Unconditional logging in compileFTLOSRExit
3708         https://bugs.webkit.org/show_bug.cgi?id=129407
3709
3710         Reviewed by Michael Saboff.
3711
3712         This was causing tests to fail with the FTL enabled.
3713
3714         * ftl/FTLOSRExitCompiler.cpp:
3715         (JSC::FTL::compileFTLOSRExit):
3716
3717 2014-02-26  Oliver Hunt  <oliver@apple.com>
3718
3719         Remove unused access types
3720         https://bugs.webkit.org/show_bug.cgi?id=129385
3721
3722         Reviewed by Filip Pizlo.
3723
3724         Remove unused cruft.
3725
3726         * bytecode/CodeBlock.cpp:
3727         (JSC::CodeBlock::printGetByIdCacheStatus):
3728         * bytecode/StructureStubInfo.cpp:
3729         (JSC::StructureStubInfo::deref):
3730         * bytecode/StructureStubInfo.h:
3731         (JSC::isGetByIdAccess):
3732         (JSC::isPutByIdAccess):
3733
3734 2014-02-26  Oliver Hunt  <oliver@apple.com>
3735
3736         Function.prototype.apply has a bad time with the spread operator
3737         https://bugs.webkit.org/show_bug.cgi?id=129381
3738
3739         Reviewed by Mark Hahnenberg.
3740
3741         Make sure our apply logic handles the spread operator correctly.
3742         To do this we simply emit the enumeration logic that we'd normally
3743         use for other enumerations, but only store the first two results
3744         to registers.  Then perform a varargs call.
3745
3746         * bytecompiler/NodesCodegen.cpp:
3747         (JSC::ApplyFunctionCallDotNode::emitBytecode):
3748
3749 2014-02-26  Mark Lam  <mark.lam@apple.com>
3750
3751         Compilation policy management belongs in operationOptimize(), not the DFG Driver.
3752         <https://webkit.org/b/129355>
3753
3754         Reviewed by Filip Pizlo.
3755
3756         By compilation policy, I mean the rules for determining whether to
3757         compile, when to compile, when to attempt compilation again, etc.  The
3758         few of these policy decisions that were previously being made in the
3759         DFG driver are now moved to operationOptimize() where we keep the rest
3760         of the policy logic.  Decisions that are based on the capabilities
3761         supported by the DFG are moved to DFG capabilityLevel().
3762
3763         I've run the following benchmarks:
3764         1. the collection of jsc benchmarks on the jsc executable vs. its
3765            baseline.
3766         2. Octane 2.0 in browser without the WebInspector.
3767         3. Octane 2.0 in browser with the WebInspector open and a breakpoint
3768            set somewhere where it won't break.
3769
3770         In all of these, the results came out to be a wash as expected.
3771
3772         * dfg/DFGCapabilities.cpp:
3773         (JSC::DFG::isSupported):
3774         (JSC::DFG::mightCompileEval):
3775         (JSC::DFG::mightCompileProgram):
3776         (JSC::DFG::mightCompileFunctionForCall):
3777         (JSC::DFG::mightCompileFunctionForConstruct):
3778         (JSC::DFG::mightInlineFunctionForCall):
3779         (JSC::DFG::mightInlineFunctionForClosureCall):
3780         (JSC::DFG::mightInlineFunctionForConstruct):
3781         * dfg/DFGCapabilities.h:
3782         * dfg/DFGDriver.cpp:
3783         (JSC::DFG::compileImpl):
3784         * jit/JITOperations.cpp:
3785
3786 2014-02-26  Mark Lam  <mark.lam@apple.com>
3787
3788         ASSERTION FAILED: m_heap->vm()->currentThreadIsHoldingAPILock() in inspector-protocol/*.
3789         <https://webkit.org/b/129364>
3790
3791         Reviewed by Alexey Proskuryakov.
3792
3793         InjectedScriptModule::ensureInjected() needs an APIEntryShim.
3794
3795         * inspector/InjectedScriptModule.cpp:
3796         (Inspector::InjectedScriptModule::ensureInjected):
3797         - Added the needed but missing APIEntryShim. 
3798
3799 2014-02-25  Mark Lam  <mark.lam@apple.com>
3800
3801         Web Inspector: CRASH when evaluating in console of JSContext RWI with disabled breakpoints.
3802         <https://webkit.org/b/128766>
3803
3804         Reviewed by Geoffrey Garen.
3805
3806         Make the JSLock::grabAllLocks() work the same way as for the C loop LLINT.
3807         The reasoning is that we don't know of any clients that need unordered
3808         re-entry into the VM from different threads. So, we're enforcing ordered
3809         re-entry, i.e. we must re-grab locks in the reverse order of dropping locks.
3810
3811         The crash in this bug happened because we were allowing unordered re-entry,
3812         and the following type of scenario occurred:
3813
3814         1. Thread T1 locks the VM, and enters the VM to execute some JS code.
3815         On entry, T1 detects that VM::m_entryScope is null, i.e. this is the
3816            first time it entered the VM.
3817            T1 sets VM::m_entryScope to T1's entryScope.
3818         3. T1 drops all locks.
3819
3820         4. Thread T2 locks the VM, and enters the VM to execute some JS code.
3821            On entry, T2 sees that VM::m_entryScope is NOT null, and therefore
3822            does not set the entryScope.
3823         5. T2 drops all locks.
3824
3825         6. T1 re-grabs locks.
3826         7. T1 returns all the way out of JS code. On exit from the outermost
3827            JS function, T1 clears VM::m_entryScope (because T1 was the one who
3828            set it).
3829         8. T1 unlocks the VM.
3830
3831         9. T2 re-grabs locks.
3832         10. T2 proceeds to execute some code and expects VM::m_entryScope to be
3833             NOT null, but it turns out to be null. Assertion failures and
3834             crashes ensue.
3835
3836         With ordered re-entry, at step 6, T1 will loop and yield until T2 exits
3837         the VM. Hence, the issue will no longer manifest.
3838
3839         * runtime/JSLock.cpp:
3840         (JSC::JSLock::dropAllLocks):
3841         (JSC::JSLock::grabAllLocks):
3842         * runtime/JSLock.h:
3843         (JSC::JSLock::DropAllLocks::dropDepth):
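
        The ordered re-entry rule described in this entry, replayed as a small model. This is an added illustration, not JavaScriptCore's JSLock code; the names VMLock, ThreadState and t2SeesEntryScope are the model's own, and the explicit schedule stands in for real threads.

```cpp
// Cooperative model of the drop/re-grab ordering described above: an added illustration,
// not JavaScriptCore's JSLock. Threads are replaced by an explicit schedule so the
// ten-step interleaving can be replayed deterministically with and without the fix.
#include <cassert>
#include <cstdio>

struct VMLock {
    unsigned lockDropDepth = 0;  // number of DropAllLocks currently outstanding
    int entryScopeOwner = 0;     // stands in for VM::m_entryScope; 0 means null
    bool orderedReentry = true;  // false reproduces the pre-fix (unordered) behaviour
};

struct ThreadState {
    explicit ThreadState(int i) : id(i) {}
    int id;
    unsigned dropDepth = 0;      // what DropAllLocks::dropDepth() records for this thread
    bool ownsEntryScope = false;
};

// Steps 1-2 and 4: only the first thread to enter the VM sets the entry scope.
void enterVM(VMLock& vm, ThreadState& t) {
    if (vm.entryScopeOwner == 0) { vm.entryScopeOwner = t.id; t.ownsEntryScope = true; }
}

// Steps 3 and 5: dropping all locks records the depth this thread must see again.
void dropAllLocks(VMLock& vm, ThreadState& t) {
    t.dropDepth = ++vm.lockDropDepth;
}

// Steps 6 and 9: with ordered re-entry a thread may proceed only once every drop made
// after its own has been undone (the real code unlocks, yields and retries until then).
bool tryGrabAllLocks(VMLock& vm, ThreadState& t) {
    if (vm.orderedReentry && t.dropDepth != vm.lockDropDepth)
        return false;
    --vm.lockDropDepth;
    return true;
}

// Steps 7-8: leaving the outermost JS frame clears the entry scope if this thread set it.
void exitVM(VMLock& vm, ThreadState& t) {
    if (t.ownsEntryScope) { vm.entryScopeOwner = 0; t.ownsEntryScope = false; }
}

// Replays the scenario and returns whether T2 still sees a non-null entry scope at
// step 10, the invariant that the failing assertion relies on.
bool t2SeesEntryScope(bool orderedReentry) {
    VMLock vm;
    vm.orderedReentry = orderedReentry;
    ThreadState t1(1), t2(2);
    enterVM(vm, t1); dropAllLocks(vm, t1);    // steps 1-3: T1 sets the entry scope
    enterVM(vm, t2); dropAllLocks(vm, t2);    // steps 4-5: T2 leaves it alone
    bool t1Resumed = tryGrabAllLocks(vm, t1); // step 6: succeeds only when unordered
    if (t1Resumed)
        exitVM(vm, t1);                       // steps 7-8: entry scope is cleared early
    bool result = tryGrabAllLocks(vm, t2) && vm.entryScopeOwner != 0;  // steps 9-10
    exitVM(vm, t2);                           // T2 never owned the scope
    if (!t1Resumed)
        assert(tryGrabAllLocks(vm, t1));      // T1 proceeds once T2 has unwound
    return result;
}
int main() {
    printf("ordered: %d, unordered: %d\n", t2SeesEntryScope(true), t2SeesEntryScope(false));
}
```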
3844
3845 2014-02-25  Mark Lam  <mark.lam@apple.com>
3846
3847         Need to initialize VM stack data even when the VM is on an exclusive thread.
3848         <https://webkit.org/b/129265>
3849
3850         Not reviewed.
3851
3852         Relanding r164627 now that <https://webkit.org/b/129341> is fixed.
3853
3854         * API/APIShims.h:
3855         (JSC::APIEntryShim::APIEntryShim):
3856         (JSC::APICallbackShim::shouldDropAllLocks):
3857         * heap/MachineStackMarker.cpp:
3858         (JSC::MachineThreads::addCurrentThread):
3859         * runtime/JSLock.cpp:
3860         (JSC::JSLockHolder::JSLockHolder):
3861         (JSC::JSLockHolder::init):
3862         (JSC::JSLockHolder::~JSLockHolder):
3863         (JSC::JSLock::JSLock):
3864         (JSC::JSLock::setExclusiveThread):
3865         (JSC::JSLock::lock):
3866         (JSC::JSLock::unlock):
3867         (JSC::JSLock::currentThreadIsHoldingLock):
3868         (JSC::JSLock::dropAllLocks):
3869         (JSC::JSLock::grabAllLocks):
3870         * runtime/JSLock.h:
3871         (JSC::JSLock::hasExclusiveThread):
3872         (JSC::JSLock::exclusiveThread):
3873         * runtime/VM.cpp:
3874         (JSC::VM::VM):
3875         * runtime/VM.h:
3876         (JSC::VM::hasExclusiveThread):
3877         (JSC::VM::exclusiveThread):
3878         (JSC::VM::setExclusiveThread):
3879         (JSC::VM::currentThreadIsHoldingAPILock):
3880
3881 2014-02-25  Filip Pizlo  <fpizlo@apple.com>
3882
3883         Inline caching in the FTL on ARM64 should "work"
3884         https://bugs.webkit.org/show_bug.cgi?id=129334
3885
3886         Reviewed by Mark Hahnenberg.
3887         
3888         Gets us to the point where simple tests that use inline caching are passing.
3889
3890         * assembler/LinkBuffer.cpp:
3891         (JSC::LinkBuffer::copyCompactAndLinkCode):
3892         (JSC::LinkBuffer::shrink):
3893         * ftl/FTLInlineCacheSize.cpp:
3894         (JSC::FTL::sizeOfGetById):
3895         (JSC::FTL::sizeOfPutById):
3896         (JSC::FTL::sizeOfCall):
3897         * ftl/FTLOSRExitCompiler.cpp:
3898         (JSC::FTL::compileFTLOSRExit):
3899         * ftl/FTLThunks.cpp:
3900         (JSC::FTL::osrExitGenerationThunkGenerator):
3901         * jit/GPRInfo.h:
3902         * offlineasm/arm64.rb:
3903
3904 2014-02-25  Commit Queue  <commit-queue@webkit.org>
3905
3906         Unreviewed, rolling out r164627.
3907         http://trac.webkit.org/changeset/164627
3908         https://bugs.webkit.org/show_bug.cgi?id=129325
3909
3910         Broke SubtleCrypto tests (Requested by ap on #webkit).
3911
3912         * API/APIShims.h:
3913         (JSC::APIEntryShim::APIEntryShim):
3914         (JSC::APICallbackShim::shouldDropAllLocks):
3915         * heap/MachineStackMarker.cpp:
3916         (JSC::MachineThreads::addCurrentThread):
3917         * runtime/JSLock.cpp:
3918         (JSC::JSLockHolder::JSLockHolder):
3919         (JSC::JSLockHolder::init):
3920         (JSC::JSLockHolder::~JSLockHolder):
3921         (JSC::JSLock::JSLock):
3922         (JSC::JSLock::lock):
3923         (JSC::JSLock::unlock):
3924         (JSC::JSLock::currentThreadIsHoldingLock):
3925         (JSC::JSLock::dropAllLocks):
3926         (JSC::JSLock::grabAllLocks):
3927         * runtime/JSLock.h:
3928         * runtime/VM.cpp:
3929         (JSC::VM::VM):
3930         * runtime/VM.h:
3931         (JSC::VM::currentThreadIsHoldingAPILock):
3932
3933 2014-02-25  Filip Pizlo  <fpizlo@apple.com>
3934
3935         ARM64 rshift64 should be an arithmetic shift
3936         https://bugs.webkit.org/show_bug.cgi?id=129323
3937
3938         Reviewed by Mark Hahnenberg.
3939
3940         * assembler/MacroAssemblerARM64.h:
3941         (JSC::MacroAssemblerARM64::rshift64):
3942
3943 2014-02-25  Sergio Villar Senin  <svillar@igalia.com>
3944
3945         [CSS Grid Layout] Add ENABLE flag
3946         https://bugs.webkit.org/show_bug.cgi?id=129153
3947
3948         Reviewed by Simon Fraser.
3949
3950         * Configurations/FeatureDefines.xcconfig: added ENABLE_CSS_GRID_LAYOUT feature flag.
3951
3952 2014-02-25  Michael Saboff  <msaboff@apple.com>
3953
3954         JIT Engines use the wrong stack limit for stack checks
3955         https://bugs.webkit.org/show_bug.cgi?id=129314
3956
3957         Reviewed by Filip Pizlo.
3958
3959         Change the Baseline and DFG code to use VM::m_stackLimit for stack limit checks.
3960
3961         * dfg/DFGJITCompiler.cpp:
3962         (JSC::DFG::JITCompiler::compileFunction):
3963         * jit/JIT.cpp:
3964         (JSC::JIT::privateCompile):
3965         * jit/JITCall.cpp:
3966         (JSC::JIT::compileLoadVarargs):
3967         * jit/JITCall32_64.cpp:
3968         (JSC::JIT::compileLoadVarargs):
3969         * runtime/VM.h:
3970         (JSC::VM::addressOfStackLimit):
3971
3972 2014-02-25  Filip Pizlo  <fpizlo@apple.com>
3973
3974         Unreviewed, roll out http://trac.webkit.org/changeset/164493.
3975         
3976         It causes crashes, apparently because it's removing too many barriers. I will investigate
3977         later.
3978
3979         * bytecode/SpeculatedType.cpp:
3980         (JSC::speculationToAbbreviatedString):
3981         * bytecode/SpeculatedType.h:
3982         * dfg/DFGFixupPhase.cpp:
3983         (JSC::DFG::FixupPhase::fixupNode):
3984         (JSC::DFG::FixupPhase::insertStoreBarrier):
3985         * dfg/DFGNode.h:
3986         * ftl/FTLCapabilities.cpp:
3987         (JSC::FTL::canCompile):
3988         * ftl/FTLLowerDFGToLLVM.cpp:
3989         (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
3990         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
3991         (JSC::FTL::LowerDFGToLLVM::isNotNully):
3992         (JSC::FTL::LowerDFGToLLVM::isNully):
3993         (JSC::FTL::LowerDFGToLLVM::speculate):
3994         (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
3995         (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
3996
3997 2014-02-24  Oliver Hunt  <oliver@apple.com>
3998
3999         Fix build.
4000
4001         * jit/CCallHelpers.h:
4002         (JSC::CCallHelpers::setupArgumentsWithExecState):
4003
4004 2014-02-24  Oliver Hunt  <oliver@apple.com>
4005
4006         Spread operator has a bad time when applied to call function
4007         https://bugs.webkit.org/show_bug.cgi?id=128853
4008
4009         Reviewed by Geoffrey Garen.
4010