[GTK] [CMake] Ensure that the autotools build and the CMake install the same files
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-01-05  Martin Robinson  <mrobinson@igalia.com>

        [GTK] [CMake] Ensure that the autotools build and the CMake install the same files
        https://bugs.webkit.org/show_bug.cgi?id=116379

        Reviewed by Gustavo Noronha Silva.

        * PlatformGTK.cmake: Install API headers, gir files, and the pkg-config file.

2014-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        Use Compiler macros instead of raw "final" and "override"
        https://bugs.webkit.org/show_bug.cgi?id=126490

        Reviewed by Sam Weinig.

        * runtime/JSPromiseReaction.cpp:

2014-01-04  Martin Robinson  <mrobinson@igalia.com>

        [GTK] [CMake] Improve the way we locate gobject-introspection
        https://bugs.webkit.org/show_bug.cgi?id=126452

        Reviewed by Philippe Normand.

        * PlatformGTK.cmake: Use the new introspection variables.

2014-01-04  Zan Dobersek  <zdobersek@igalia.com>

        Explicitly use the std:: nested name specifier when using std::pair, std::make_pair
        https://bugs.webkit.org/show_bug.cgi?id=126439

        Reviewed by Andreas Kling.

        Instead of relying on std::pair and std::make_pair symbols being present in the current scope
        through the pair and make_pair symbols, the std:: specifier should be used explicitly.

        * bytecode/Opcode.cpp:
        (JSC::compareOpcodePairIndices):
        (JSC::OpcodeStats::~OpcodeStats):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::makeBinaryNode):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseIfStatement):
        * runtime/Structure.cpp:
        (JSC::StructureTransitionTable::contains):
        (JSC::StructureTransitionTable::get):
        (JSC::StructureTransitionTable::add):

2014-01-03  David Farler  <dfarler@apple.com>

        [super dealloc] missing in Source/JavaScriptCore/API/tests/testapi.mm, fails to build with -Werror,-Wobjc-missing-super-calls
        https://bugs.webkit.org/show_bug.cgi?id=126454

        Reviewed by Geoffrey Garen.

        * API/tests/testapi.mm:
        (-[TextXYZ dealloc]):
        add [super dealloc]
        (-[EvilAllocationObject dealloc]):
        add [super dealloc]

2014-01-02  Carlos Garcia Campos  <cgarcia@igalia.com>

        REGRESSION(r160304): [GTK] Disable libtool fast install
        https://bugs.webkit.org/show_bug.cgi?id=126381

        Reviewed by Martin Robinson.

        Remove -no-fast-install ld flag since fast install is now disabled
        globally.

        * GNUmakefile.am:

2014-01-02  Sam Weinig  <sam@webkit.org>

        Update Promises to the https://github.com/domenic/promises-unwrapping spec
        https://bugs.webkit.org/show_bug.cgi?id=120954

        Reviewed by Filip Pizlo.

        Update Promises to the revised spec. Notable changes:
        - JSPromiseResolver is gone.
        - TaskContext has been renamed Microtask and now has a virtual run() function.
        - Instead of using custom InternalFunction subclasses, JSFunctions are used
          with PrivateName properties for internal slots.

        * CMakeLists.txt:
        * DerivedSources.make:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * interpreter/CallFrame.h:
        (JSC::ExecState::promiseConstructorTable):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::CommonIdentifiers):
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        (JSC::JSGlobalObject::queueMicrotask):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::promiseConstructor):
        (JSC::JSGlobalObject::promisePrototype):
        (JSC::JSGlobalObject::promiseStructure):
        * runtime/JSPromise.cpp:
        (JSC::JSPromise::create):
        (JSC::JSPromise::JSPromise):
        (JSC::JSPromise::finishCreation):
        (JSC::JSPromise::visitChildren):
        (JSC::JSPromise::reject):
        (JSC::JSPromise::resolve):
        (JSC::JSPromise::appendResolveReaction):
        (JSC::JSPromise::appendRejectReaction):
        (JSC::triggerPromiseReactions):
        * runtime/JSPromise.h:
        (JSC::JSPromise::status):
        (JSC::JSPromise::result):
        (JSC::JSPromise::constructor):
        * runtime/JSPromiseCallback.cpp: Removed.
        * runtime/JSPromiseCallback.h: Removed.
        * runtime/JSPromiseConstructor.cpp:
        (JSC::constructPromise):
        (JSC::JSPromiseConstructor::getCallData):
        (JSC::JSPromiseConstructorFuncCast):
        (JSC::JSPromiseConstructorFuncResolve):
        (JSC::JSPromiseConstructorFuncReject):
        * runtime/JSPromiseConstructor.h:
        * runtime/JSPromiseDeferred.cpp: Added.
        (JSC::JSPromiseDeferred::create):
        (JSC::JSPromiseDeferred::JSPromiseDeferred):
        (JSC::JSPromiseDeferred::finishCreation):
        (JSC::JSPromiseDeferred::visitChildren):
        (JSC::createJSPromiseDeferredFromConstructor):
        (JSC::updateDeferredFromPotentialThenable):
        * runtime/JSPromiseDeferred.h: Added.
        (JSC::JSPromiseDeferred::createStructure):
        (JSC::JSPromiseDeferred::promise):
        (JSC::JSPromiseDeferred::resolve):
        (JSC::JSPromiseDeferred::reject):
        * runtime/JSPromiseFunctions.cpp: Added.
        (JSC::deferredConstructionFunction):
        (JSC::createDeferredConstructionFunction):
        (JSC::identifyFunction):
        (JSC::createIdentifyFunction):
        (JSC::promiseAllCountdownFunction):
        (JSC::createPromiseAllCountdownFunction):
        (JSC::promiseResolutionHandlerFunction):
        (JSC::createPromiseResolutionHandlerFunction):
        (JSC::rejectPromiseFunction):
        (JSC::createRejectPromiseFunction):
        (JSC::resolvePromiseFunction):
        (JSC::createResolvePromiseFunction):
        (JSC::throwerFunction):
        (JSC::createThrowerFunction):
        * runtime/JSPromiseFunctions.h: Added.
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototypeFuncThen):
        (JSC::JSPromisePrototypeFuncCatch):
        * runtime/JSPromiseReaction.cpp: Added.
        (JSC::createExecutePromiseReactionMicroTask):
        (JSC::ExecutePromiseReactionMicroTask::run):
        (JSC::JSPromiseReaction::create):
        (JSC::JSPromiseReaction::JSPromiseReaction):
        (JSC::JSPromiseReaction::finishCreation):
        (JSC::JSPromiseReaction::visitChildren):
        * runtime/JSPromiseReaction.h: Added.
        (JSC::JSPromiseReaction::createStructure):
        (JSC::JSPromiseReaction::deferred):
        (JSC::JSPromiseReaction::handler):
        * runtime/JSPromiseResolver.cpp: Removed.
        * runtime/JSPromiseResolver.h: Removed.
        * runtime/JSPromiseResolverConstructor.cpp: Removed.
        * runtime/JSPromiseResolverConstructor.h: Removed.
        * runtime/JSPromiseResolverPrototype.cpp: Removed.
        * runtime/JSPromiseResolverPrototype.h: Removed.
        * runtime/Microtask.h: Added.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:

2014-01-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add support for StoreBarrier and friends to the FTL
        https://bugs.webkit.org/show_bug.cgi?id=126040

        Reviewed by Filip Pizlo.

        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileStoreBarrier):
        (JSC::FTL::LowerDFGToLLVM::compileConditionalStoreBarrier):
        (JSC::FTL::LowerDFGToLLVM::compileStoreBarrierWithNullCheck):
        (JSC::FTL::LowerDFGToLLVM::loadMarkByte):
        (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        * heap/Heap.h:
        (JSC::Heap::writeBarrierBuffer):

2014-01-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        Storing new CopiedSpace memory into a JSObject should fire a write barrier
        https://bugs.webkit.org/show_bug.cgi?id=126025

        Reviewed by Filip Pizlo.

        Technically this is creating a pointer between a (potentially) old generation object and a young
        generation chunk of memory, thus there needs to be a barrier.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGOperations.cpp:
        * heap/CopyWriteBarrier.h: Added. This class functions similarly to the WriteBarrier class. It
        acts as a proxy for pointers to CopiedSpace. Assignments to the field cause a write barrier to
        fire for the object that is the owner of the CopiedSpace memory. This is to ensure during nursery
        collections that objects with new backing stores are visited, even if they are old generation objects.
        (JSC::CopyWriteBarrier::CopyWriteBarrier):
        (JSC::CopyWriteBarrier::operator!):
        (JSC::CopyWriteBarrier::operator UnspecifiedBoolType*):
        (JSC::CopyWriteBarrier::get):
        (JSC::CopyWriteBarrier::operator*):
        (JSC::CopyWriteBarrier::operator->):
        (JSC::CopyWriteBarrier::set):
        (JSC::CopyWriteBarrier::setWithoutWriteBarrier):
        (JSC::CopyWriteBarrier::clear):
        * heap/Heap.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::unshiftCountSlowCase):
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        * runtime/JSCell.h:
        (JSC::JSCell::unvalidatedStructure):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
        * runtime/JSObject.cpp:
        (JSC::JSObject::copyButterfly):
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::countElements):
        (JSC::JSObject::increaseVectorLength):
        (JSC::JSObject::ensureLengthSlow):
        * runtime/JSObject.h:
        (JSC::JSObject::butterfly):
        (JSC::JSObject::setStructureAndButterfly):
        (JSC::JSObject::setButterflyWithoutChangingStructure):
        (JSC::JSObject::JSObject):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::putDirectWithoutTransition):
        * runtime/MapData.cpp:
        (JSC::MapData::ensureSpaceForAppend):
        * runtime/Structure.cpp:
        (JSC::Structure::materializePropertyMap):

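The entry above describes a generational-GC invariant: when an old-generation object acquires a pointer to freshly allocated backing storage, the collector must be told, or a nursery collection will never visit the new memory through that owner. The following is an added illustration of that barrier, not JavaScriptCore's CopyWriteBarrier or Heap code. It assumes a two-generation heap modelled by a `Heap` struct with a remembered set, a `Generation` enum, a `Backing` type standing in for CopiedSpace memory, and the hypothetical helpers `growBackingStore` and `backingStoresVisitedByNurseryCollection`; the proxy's `set` / `setWithoutWriteBarrier` split mirrors the method names listed in the entry.

```cpp
// Added example (not JavaScriptCore code): a minimal model of a write barrier
// for out-of-line backing stores. Assumptions: a two-generation heap with a
// remembered set of old objects that must be re-scanned during a nursery
// collection; all type and function names here are illustrative.
#include <cstddef>
#include <set>
#include <vector>

enum class Generation { Young, Old };

// An owner object living in the marked cell heap.
struct CellLike {
    Generation generation = Generation::Young;
};

// A chunk of out-of-line storage (the "CopiedSpace" memory of the entry).
// It is not a cell, so it cannot be marked on its own; only its owner can be.
struct Backing {
    std::vector<int> slots;
};

struct Heap {
    // Old-generation objects that acquired a young pointer since the last
    // nursery collection. The collector treats them as roots.
    std::set<const CellLike*> rememberedSet;

    void writeBarrier(const CellLike* owner) {
        if (owner->generation == Generation::Old)
            rememberedSet.insert(owner);
    }

    bool isRemembered(const CellLike* owner) const {
        return rememberedSet.count(owner) != 0;
    }
};

// Proxy for a pointer to backing storage. Assigning through set() fires the
// barrier on the *owner*, because the pointee has no mark bit of its own.
template <typename T>
class CopyWriteBarrier {
public:
    CopyWriteBarrier() = default;

    void set(Heap& heap, const CellLike* owner, T* value) {
        m_value = value;
        heap.writeBarrier(owner);
    }

    // Only correct when the caller knows no barrier is needed, e.g. the owner
    // is itself young and will be scanned regardless.
    void setWithoutWriteBarrier(T* value) { m_value = value; }

    T* get() const { return m_value; }
    T* operator->() const { return m_value; }
    explicit operator bool() const { return m_value != nullptr; }

private:
    T* m_value = nullptr;
};

struct JSObjectLike : CellLike {
    CopyWriteBarrier<Backing> butterfly;
};

// Replaces an object's backing store, as a vector-length increase would, and
// reports whether the owner ended up in the remembered set.
bool growBackingStore(Heap& heap, JSObjectLike& object, Backing& fresh) {
    object.butterfly.set(heap, &object, &fresh);
    return heap.isRemembered(&object);
}

// Models the visit step of a nursery collection: young objects are always
// scanned; old objects only if the barrier remembered them. A backing store
// missing from the result is exactly the memory a collection would fail to
// keep alive, which is the bug class the barrier prevents.
std::set<const Backing*> backingStoresVisitedByNurseryCollection(
    const Heap& heap, const std::vector<const JSObjectLike*>& allObjects) {
    std::set<const Backing*> visited;
    for (const JSObjectLike* object : allObjects) {
        bool scanned = object->generation == Generation::Young || heap.isRemembered(object);
        if (scanned && object->butterfly)
            visited.insert(object->butterfly.get());
    }
    return visited;
}
```

The design point worth keeping in mind: the barrier is keyed on the generation of the owner, not of the new memory. A young owner needs no barrier because it is scanned anyway; an old owner that stores a young pointer without one becomes invisible to the next nursery collection, and the backing store it now points at can be reclaimed while still in use.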
2013-12-23  Oliver Hunt  <oliver@apple.com>

        Refactor PutPropertySlot to be aware of custom properties
        https://bugs.webkit.org/show_bug.cgi?id=126187

        Reviewed by Antti Koivisto.

        Refactor PutPropertySlot, making the constructor take the thisValue
        used as a target.  This results in a wide range of boilerplate changes
        to pass the new parameter.

        * API/JSObjectRef.cpp:
        (JSObjectSetProperty):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Arguments.cpp:
        (JSC::Arguments::putByIndex):
        * runtime/ArrayPrototype.cpp:
        (JSC::putProperty):
        (JSC::arrayProtoFuncPush):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitiveByIndex):
        * runtime/JSCell.cpp:
        (JSC::JSCell::putByIndex):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::put):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
        * runtime/JSONObject.cpp:
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::putDirectNonIndexAccessor):
        (JSC::JSObject::deleteProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::putDirect):
        * runtime/Lookup.h:
        (JSC::putEntry):
        (JSC::lookupPut):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::PutPropertySlot):
        (JSC::PutPropertySlot::setCustomProperty):
        (JSC::PutPropertySlot::thisValue):
        (JSC::PutPropertySlot::isCacheable):

2014-01-01  Filip Pizlo  <fpizlo@apple.com>

        Rationalize DFG DCE
        https://bugs.webkit.org/show_bug.cgi?id=125523

        Reviewed by Mark Hahnenberg.

        Adds the ability to DCE more things. It's now the case that if a node is completely
        pure, we clear NodeMustGenerate and the node becomes a DCE candidate.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::cleanVariables):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::clobbersWorld):
        * dfg/DFGNodeType.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileAdd):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileValueAdd):

2014-01-02  Benjamin Poulain  <benjamin@webkit.org>

        Attempt to fix the build of WebCore's code generator on CMake based system
        https://bugs.webkit.org/show_bug.cgi?id=126271

        Reviewed by Sam Weinig.

        * CMakeLists.txt:

2013-12-30  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r161157, r161158, r161160, r161161,
        r161163, and r161165.
        http://trac.webkit.org/changeset/161157
        http://trac.webkit.org/changeset/161158
        http://trac.webkit.org/changeset/161160
        http://trac.webkit.org/changeset/161161
        http://trac.webkit.org/changeset/161163
        http://trac.webkit.org/changeset/161165
        https://bugs.webkit.org/show_bug.cgi?id=126332

        Broke WebKit2 on Mountain Lion (Requested by ap on #webkit).

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::~BlockAllocator):
        (JSC::BlockAllocator::waitForRelativeTimeWhileHoldingLock):
        (JSC::BlockAllocator::waitForRelativeTime):
        (JSC::BlockAllocator::blockFreeingThreadMain):
        * heap/BlockAllocator.h:
        (JSC::BlockAllocator::deallocate):

2013-12-30  Anders Carlsson  <andersca@apple.com>

        Fix build.

        * heap/BlockAllocator.h:

2013-12-30  Anders Carlsson  <andersca@apple.com>

        Stop using ThreadCondition in BlockAllocator
        https://bugs.webkit.org/show_bug.cgi?id=126313

        Reviewed by Sam Weinig.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::~BlockAllocator):
        (JSC::BlockAllocator::waitForDuration):
        (JSC::BlockAllocator::blockFreeingThreadMain):
        * heap/BlockAllocator.h:
        (JSC::BlockAllocator::deallocate):

2013-12-30  Anders Carlsson  <andersca@apple.com>

        Stop using ThreadCondition in jsc.cpp
        https://bugs.webkit.org/show_bug.cgi?id=126311

        Reviewed by Sam Weinig.

        * jsc.cpp:
        (timeoutThreadMain):
        (main):

2013-12-30  Anders Carlsson  <andersca@apple.com>

        Replace WTF::ThreadingOnce with std::call_once
        https://bugs.webkit.org/show_bug.cgi?id=126215

        Reviewed by Sam Weinig.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::globalWorklist):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):

2013-12-30  Martin Robinson  <mrobinson@igalia.com>

        [CMake] [GTK] Add support for GObject introspection
        https://bugs.webkit.org/show_bug.cgi?id=126162

        Reviewed by Daniel Bates.

        * PlatformGTK.cmake: Add the GIR targets.

2013-12-28  Filip Pizlo  <fpizlo@apple.com>

        Get rid of DFG forward exiting
        https://bugs.webkit.org/show_bug.cgi?id=125531

        Reviewed by Oliver Hunt.

        This finally gets rid of forward exiting. Forward exiting was always a fragile concept
        since it involved the compiler trying to figure out how to "roll forward" the
        execution from some DFG node to the next bytecode index. It was always easy to find
        counterexamples where it broke, and it has always served as an obstacle to adding
        compiler improvements - the latest being http://webkit.org/b/125523, which tried to
        make DCE work for more things.

        This change finishes the work of removing forward exiting. A lot of forward exiting
        was already removed in some other bugs, but SetLocal still did forward exits. SetLocal
        is in many ways the hardest to remove, since the forward exiting of SetLocal also
        implied that any conversion nodes inserted before the SetLocal would then also be
        marked as forward-exiting. Hence SetLocal's forward-exiting made a bunch of other
        things also forward-exiting, and this was always a source of weirdo bugs.

        SetLocal must be able to exit in case it performs a hoisted type speculation. Nodes
        inserted just before SetLocal must also be able to exit - for example type check
        hoisting may insert a CheckStructure, or fixup phase may insert something like
        Int32ToDouble. But if any of those nodes tried to backward exit, then this could lead
        to the reexecution of a side-effecting operation, for example:

            a: Call(...)
            b: SetLocal(@a, r1)

        For a long time it seemed like SetLocal *had* to exit forward because of this. But
        this change side-steps the problem by changing the ByteCodeParser to always emit a
        kind of "two-phase commit" for stores to local variables. Now when the ByteCodeParser
        wishes to store to a local, it first emits a MovHint and then enqueues a SetLocal.
        The SetLocal isn't actually emitted until the beginning of the next bytecode
        instruction (with the exception of op_enter and op_ret, which emit theirs immediately
        since it's always safe to reexecute those bytecode instructions and since deferring
        SetLocals would be weird there - op_enter has many SetLocals and op_ret is a set
        followed by a jump in case of inlining, so we'd have to emit the SetLocal "after" the
        jump and that would be awkward). This means that the above IR snippet would look
        something like:

            a: Call(..., bc#42)
            b: MovHint(@a, r1, bc#42)
            c: SetLocal(@a, r1, bc#47)

        Where the SetLocal exits "backwards" but appears at the beginning of the next bytecode
        instruction. This means that by the time we get to that SetLocal, the OSR exit
        analysis already knows that r1 is associated with @a, and it means that the SetLocal
        or anything hoisted above it can exit backwards as normal.

        This change also means that the "forward rewiring" can be killed. Previously, we might
        have inserted a conversion node on SetLocal and then the SetLocal died (i.e. turned
        into a MovHint) and the conversion node either died completely or had its lifetime
        truncated to be less than the actual value's bytecode lifetime. This no longer happens
        since conversion nodes are only inserted at SetLocals.

        More precisely, this change introduces two laws that we were basically already
        following anyway:

        1) A MovHint's child should never be changed except if all other uses of that child
           are also replaced. Specifically, this prohibits insertion of conversion nodes at
           MovHints.

        2) Anytime any child is replaced with something else, and all other uses aren't also
           replaced, we must insert a Phantom use of the original child.

        This is a slight compile-time regression but has no effect on code-gen. It unlocks a
        bunch of optimization opportunities so I think it's worth it.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpAssumingJITType):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::instructionCount):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGArrayifySlowPathGenerator.h:
        (JSC::DFG::ArrayifySlowPathGenerator::ArrayifySlowPathGenerator):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::setDirect):
        (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
        (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::eliminate):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::run):
        (JSC::DFG::DCEPhase::fixupBlock):
        (JSC::DFG::DCEPhase::cleanVariables):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixEdge):
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::run):
        (JSC::DFG::LICMPhase::attemptHoist):
        * dfg/DFGMinifiedNode.cpp:
        (JSC::DFG::MinifiedNode::fromNode):
        * dfg/DFGMinifiedNode.h:
        (JSC::DFG::belongsInMinifiedGraph):
        (JSC::DFG::MinifiedNode::constantNumber):
        (JSC::DFG::MinifiedNode::weakConstant):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::hasVariableAccessData):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToPhantom):
        (JSC::DFG::Node::convertToPhantomUnchecked):
        (JSC::DFG::Node::convertToIdentity):
        (JSC::DFG::Node::containsMovHint):
        (JSC::DFG::Node::hasUnlinkedLocal):
        (JSC::DFG::Node::willHaveCodeGenOrOSR):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeFlags.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGOSRExit.cpp:
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitBase.cpp:
        * dfg/DFGOSRExitBase.h:
        (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSite):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
        (JSC::DFG::SpeculativeJIT::typeCheck):
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::needsTypeCheck):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::run):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validateCPS):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetArgument):
        (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
        (JSC::FTL::LowerDFGToLLVM::compileMovHint):
        (JSC::FTL::LowerDFGToLLVM::compileZombieHint):
        (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::typeCheck):
        (JSC::FTL::LowerDFGToLLVM::appendTypeCheck):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        * ftl/FTLOSRExit.cpp:
        * ftl/FTLOSRExit.h:
        * tests/stress/dead-int32-to-double.js: Added.
        (foo):
        * tests/stress/dead-uint32-to-number.js: Added.
        (foo):

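The "two-phase commit" described in the forward-exiting entry above is easiest to see as a tiny emitter. The following is an added illustration, not JavaScriptCore's ByteCodeParser: the node kinds (Call, MovHint, SetLocal), the `DelayedSetLocal` name and the bytecode indices 42 and 47 follow the entry, while the `ToyParser` class, the `Node` layout, the `beginInstruction` / `emitCall` / `setLocal` / `setLocalImmediately` API and the checking helper `noSetLocalInSameInstructionAsCall` are assumptions made for the example. The invariant the check expresses is the one the entry motivates: a SetLocal tagged with the next instruction's index can exit backwards without re-running the side-effecting Call that produced its value.

```cpp
// Added example (not JavaScriptCore code): a toy model of deferring SetLocal
// to the start of the next bytecode instruction. Names and layout are
// illustrative; only the node kinds and indices come from the ChangeLog entry.
#include <cstddef>
#include <vector>

enum class Op { Call, MovHint, SetLocal };

struct Node {
    Op op;
    unsigned valueIndex;    // node index of the stored value (@a), unused for Call
    int local;              // the local being written (r1), or -1 if none
    unsigned bytecodeIndex; // the origin OSR exit would resume at
};

// Mirrors the idea of ByteCodeParser::DelayedSetLocal: remember what to store
// where, and execute it at the start of the next bytecode instruction.
struct DelayedSetLocal {
    unsigned valueIndex;
    int local;
};

class ToyParser {
public:
    // Called at the start of every bytecode instruction. SetLocals queued by
    // the previous instruction are emitted here, so they carry this
    // instruction's index and can exit "backwards" to it.
    void beginInstruction(unsigned bytecodeIndex) {
        m_currentBytecodeIndex = bytecodeIndex;
        for (const DelayedSetLocal& delayed : m_pendingSetLocals)
            emit(Op::SetLocal, delayed.valueIndex, delayed.local);
        m_pendingSetLocals.clear();
    }

    // A side-effecting operation; returns its node index.
    unsigned emitCall() { return emit(Op::Call, 0, -1); }

    // A store to a local: MovHint now, SetLocal at the next instruction.
    void setLocal(unsigned valueIndex, int local) {
        emit(Op::MovHint, valueIndex, local);
        m_pendingSetLocals.push_back({valueIndex, local});
    }

    // The op_enter / op_ret style: store immediately, which is only safe when
    // re-executing the whole instruction after an exit is harmless.
    void setLocalImmediately(unsigned valueIndex, int local) {
        emit(Op::MovHint, valueIndex, local);
        emit(Op::SetLocal, valueIndex, local);
    }

    const std::vector<Node>& graph() const { return m_graph; }

private:
    unsigned emit(Op op, unsigned valueIndex, int local) {
        m_graph.push_back({op, valueIndex, local, m_currentBytecodeIndex});
        return static_cast<unsigned>(m_graph.size() - 1);
    }

    std::vector<Node> m_graph;
    std::vector<DelayedSetLocal> m_pendingSetLocals;
    unsigned m_currentBytecodeIndex = 0;
};

// Builds the snippet from the entry: "a: Call(...)" stored to r1 at bc#42,
// followed by the next instruction at bc#47.
std::vector<Node> buildCallThenStore() {
    ToyParser parser;
    parser.beginInstruction(42);
    unsigned a = parser.emitCall();
    parser.setLocal(a, 1);
    parser.beginInstruction(47);
    return parser.graph();
}

// The same store done immediately, i.e. the shape the change moves away from
// for ordinary instructions.
std::vector<Node> buildCallThenImmediateStore() {
    ToyParser parser;
    parser.beginInstruction(42);
    unsigned a = parser.emitCall();
    parser.setLocalImmediately(a, 1);
    return parser.graph();
}

// True when no SetLocal shares a bytecode index with a Call that precedes it,
// so a backward exit at the SetLocal cannot re-execute that Call.
bool noSetLocalInSameInstructionAsCall(const std::vector<Node>& graph) {
    for (size_t i = 0; i < graph.size(); ++i) {
        if (graph[i].op != Op::SetLocal)
            continue;
        for (size_t j = 0; j < i; ++j) {
            if (graph[j].op == Op::Call && graph[j].bytecodeIndex == graph[i].bytecodeIndex)
                return false;
        }
    }
    return true;
}
```

Running `buildCallThenStore()` yields exactly the three-node shape quoted in the entry (Call at bc#42, MovHint at bc#42, SetLocal at bc#47), and the check passes; the immediate variant puts the SetLocal at bc#42 alongside the Call, which is the configuration that forced forward exiting in the first place.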
2013-12-25  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r161033 and r161074.
        http://trac.webkit.org/changeset/161033
        http://trac.webkit.org/changeset/161074
        https://bugs.webkit.org/show_bug.cgi?id=126240

        Oliver says that a rollout would be better (Requested by ap on
        #webkit).

        * API/JSObjectRef.cpp:
        (JSObjectSetProperty):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Arguments.cpp:
        (JSC::Arguments::putByIndex):
        * runtime/ArrayPrototype.cpp:
        (JSC::putProperty):
        (JSC::arrayProtoFuncPush):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitiveByIndex):
        * runtime/JSCell.cpp:
        (JSC::JSCell::putByIndex):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::put):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
        * runtime/JSONObject.cpp:
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::putDirectNonIndexAccessor):
        (JSC::JSObject::deleteProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::putDirect):
        * runtime/Lookup.h:
        (JSC::putEntry):
        (JSC::lookupPut):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::PutPropertySlot):
        (JSC::PutPropertySlot::setNewProperty):
        (JSC::PutPropertySlot::isCacheable):

2013-12-25  Filip Pizlo  <fpizlo@apple.com>

        DFG PhantomArguments shouldn't rely on a dead Phi graph
        https://bugs.webkit.org/show_bug.cgi?id=126218

        Reviewed by Oliver Hunt.

        This change dramatically rationalizes our handling of PhantomArguments (i.e.
        speculative elision of arguments object allocation).

        It's now the case that if we decide that we can elide arguments allocation, we just
        turn the arguments-creating node into a PhantomArguments and mark all locals that
        it's stored to as being arguments aliases. Being an arguments alias and being a
        PhantomArguments means basically the same thing: in DFG execution you have the empty
        value, on OSR exit an arguments object is allocated in your place, and all operations
        that use the value now just refer directly to the actual arguments in the call frame
        header (or the arguments we know that we passed to the call, in case of inlining).

        This means that we no longer have arguments simplification creating a dead Phi graph
        that then has to be interpreted by the OSR exit logic. That sort of never made any
        sense.

        This means that PhantomArguments now has a clear story in SSA: basically SSA just
        gets rid of the "locals" but everything else is the same.

        Finally, this means that we can more easily get rid of forward exiting. As I was
        working on the code to get rid of forward exiting, I realized that I'd have to
        carefully preserve the special meanings of MovHint and SetLocal in the case of
        PhantomArguments. It was really bizarre: even the semantics of MovHint were tied to
        our specific treatment of PhantomArguments. After this change this is no longer the
        case.

        One of the really cool things about this change is that arguments reification now
        just becomes a special kind of FlushFormat. This further unifies things: it means
        that a MovHint(PhantomArguments) and a SetLocal(PhantomArguments) both have the same
        meaning, since both of them dictate that the way we recover the local on exit is by
        reifying arguments. Previously, the SetLocal(PhantomArguments) case needed some
        special handling to accomplish this.

        A downside of this approach is that we will now emit code to store the empty value
        into aliased arguments variables, and we will even emit code to load that empty value
        as well. As far as I can tell this doesn't cost anything, since PhantomArguments are
        most profitable in cases where it allows us to simplify control flow and kill the
        arguments locals entirely. Of course, this isn't an issue in SSA form since SSA form
        also eliminates the locals.

        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        (JSC::DFG::ArgumentsSimplificationPhase::detypeArgumentsReferencingPhantomChild):
        * dfg/DFGFlushFormat.cpp:
        (WTF::printInternal):
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::resultFor):
        (JSC::DFG::useKindFor):
        (JSC::DFG::dataFormatFor):
        * dfg/DFGSpeculativeJIT.cpp:
726         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
727         * dfg/DFGSpeculativeJIT32_64.cpp:
728         (JSC::DFG::SpeculativeJIT::compile):
729         * dfg/DFGSpeculativeJIT64.cpp:
730         (JSC::DFG::SpeculativeJIT::compile):
731         * dfg/DFGValueSource.h:
732         (JSC::DFG::ValueSource::ValueSource):
733         (JSC::DFG::ValueSource::forFlushFormat):
734         * dfg/DFGVariableAccessData.h:
735         (JSC::DFG::VariableAccessData::flushFormat):
736         * ftl/FTLLowerDFGToLLVM.cpp:
737         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
738
739 2013-12-23  Oliver Hunt  <oliver@apple.com>
740
741         Refactor PutPropertySlot to be aware of custom properties
742         https://bugs.webkit.org/show_bug.cgi?id=126187
743
744         Reviewed by msaboff.
745
746         Refactor PutPropertySlot, making the constructor take the thisValue
747         used as a target.  This results in a wide range of boilerplate changes
748         to pass the new parameter.
749
750         * API/JSObjectRef.cpp:
751         (JSObjectSetProperty):
752         * dfg/DFGOperations.cpp:
753         (JSC::DFG::operationPutByValInternal):
754         * interpreter/Interpreter.cpp:
755         (JSC::Interpreter::execute):
756         * jit/JITOperations.cpp:
757         * llint/LLIntSlowPaths.cpp:
758         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
759         * runtime/Arguments.cpp:
760         (JSC::Arguments::putByIndex):
761         * runtime/ArrayPrototype.cpp:
762         (JSC::putProperty):
763         (JSC::arrayProtoFuncPush):
764         * runtime/JSCJSValue.cpp:
765         (JSC::JSValue::putToPrimitiveByIndex):
766         * runtime/JSCell.cpp:
767         (JSC::JSCell::putByIndex):
768         * runtime/JSFunction.cpp:
769         (JSC::JSFunction::put):
770         * runtime/JSGenericTypedArrayViewInlines.h:
771         (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
772         * runtime/JSONObject.cpp:
773         (JSC::Walker::walk):
774         * runtime/JSObject.cpp:
775         (JSC::JSObject::putByIndex):
776         (JSC::JSObject::putDirectNonIndexAccessor):
777         (JSC::JSObject::deleteProperty):
778         * runtime/JSObject.h:
779         (JSC::JSObject::putDirect):
780         * runtime/Lookup.h:
781         (JSC::putEntry):
782         (JSC::lookupPut):
783         * runtime/PutPropertySlot.h:
784         (JSC::PutPropertySlot::PutPropertySlot):
785         (JSC::PutPropertySlot::setCustomProperty):
786         (JSC::PutPropertySlot::thisValue):
787         (JSC::PutPropertySlot::isCacheable):
788
789 2013-12-23  Benjamin Poulain  <benjamin@webkit.org>
790
791         Add class matching to the Selector Code Generator
792         https://bugs.webkit.org/show_bug.cgi?id=126176
793
794         Reviewed by Antti Koivisto and Oliver Hunt.
795
796         Add test and branch based on BaseIndex addressing for x86_64.
797         Fast loops are needed to compete with clang on tight loops.
798
799         * assembler/MacroAssembler.h:
800         * assembler/MacroAssemblerX86_64.h:
801         (JSC::MacroAssemblerX86_64::branch64):
802         (JSC::MacroAssemblerX86_64::branchPtr):
803         * assembler/X86Assembler.h:
804         (JSC::X86Assembler::cmpq_rm):
805
806 2013-12-23  Oliver Hunt  <oliver@apple.com>
807
808         Update custom setter implementations to perform type checks
809         https://bugs.webkit.org/show_bug.cgi?id=126171
810
811         Reviewed by Daniel Bates.
812
813         Modify the setter function signature to take encoded values
814         as we're changing the setter usage everywhere anyway.
815
816         * runtime/Lookup.h:
817         (JSC::putEntry):
818
819 2013-12-23  Lucas Forschler  <lforschler@apple.com>
820
821         <rdar://problem/15682948> Update copyright strings
822         
823         Reviewed by Dan Bernstein.
824
825         * Info.plist:
826         * JavaScriptCore.vcxproj/JavaScriptCore.resources/Info.plist:
827
828 2013-12-23  Zan Dobersek  <zdobersek@igalia.com>
829
830         [GTK] Clean up compiler optimizations flags for libWTF, libJSC
831         https://bugs.webkit.org/show_bug.cgi?id=126157
832
833         Reviewed by Gustavo Noronha Silva.
834
835         * GNUmakefile.am: Remove the -fstrict-aliasing and -O3 compiler flags for libWTF.la. -O3 gets
836         overridden by -O2 that's listed in CXXFLAGS (or -O0 in case of debug builds) and -fstrict-aliasing
837         is enabled when -O2 is used (and shouldn't be enabled in debug builds anyway).
838
839 2013-12-22  Martin Robinson  <mrobinson@igalia.com>
840
841         [CMake] Fix typo from r160812
842         https://bugs.webkit.org/show_bug.cgi?id=126145
843
844         Reviewed by Gustavo Noronha Silva.
845
846         * CMakeLists.txt: Fix typo when detecting the type of library.
847
848 2013-12-22  Martin Robinson  <mrobinson@igalia.com>
849
850         [GTK][CMake] libtool-compatible soversion calculation
851         https://bugs.webkit.org/show_bug.cgi?id=125511
852
853         Reviewed by Gustavo Noronha Silva.
854
855         * CMakeLists.txt: Use the POPULATE_LIBRARY_VERSION macro and the
856         library-specific version information.
857
858 2013-12-23  Gustavo Noronha Silva  <gns@gnome.org>
859
860         [GTK] [CMake] Generate pkg-config files
861         https://bugs.webkit.org/show_bug.cgi?id=125685
862
863         Reviewed by Martin Robinson.
864
865         * PlatformGTK.cmake: Added. Generate javascriptcoregtk-3.0.pc.
866
867 2013-12-22  Benjamin Poulain  <benjamin@webkit.org>
868
869         Create a skeleton for CSS Selector code generation
870         https://bugs.webkit.org/show_bug.cgi?id=126044
871
872         Reviewed by Antti Koivisto and Gavin Barraclough.
873
874         * assembler/LinkBuffer.h:
875         Add a new owner UID for code compiled for CSS.
876         Export the symbols needed to link code from WebCore.
877
878 2013-12-19  Mark Hahnenberg  <mhahnenberg@apple.com>
879
880         Clean up DFG write barriers
881         https://bugs.webkit.org/show_bug.cgi?id=126047
882
883         Reviewed by Filip Pizlo.
884
885         * dfg/DFGSpeculativeJIT.cpp:
886         (JSC::DFG::SpeculativeJIT::storeToWriteBarrierBuffer): Use the register allocator to 
887         determine which registers need saving instead of saving every single one of them.
888         (JSC::DFG::SpeculativeJIT::osrWriteBarrier): We don't need to save live register state 
889         because the write barriers during OSR execute when there are no live registers. Also we  
890         don't need to use pushes to pad the stack pointer for pokes on x86; we can just use an add.
891         (JSC::DFG::SpeculativeJIT::writeBarrier):
892         * dfg/DFGSpeculativeJIT.h:
893         * jit/Repatch.cpp:
894         (JSC::emitPutReplaceStub):
895         (JSC::emitPutTransitionStub):
896         * runtime/VM.h: Get rid of writeBarrierRegisterBuffer since it's no longer used.
897
898 2013-12-20  Balazs Kilvady  <kilvadyb@homejinni.com>
899
900         [MIPS] Missing MacroAssemblerMIPS::branchTest8(ResultCondition, BaseIndex, TrustedImm32)
901         https://bugs.webkit.org/show_bug.cgi?id=126062
902
903         Reviewed by Mark Hahnenberg.
904
905         * assembler/MacroAssemblerMIPS.h:
906         (JSC::MacroAssemblerMIPS::branchTest8):
907
908 2013-12-20  Julien Brianceau  <jbriance@cisco.com>
909
910         [sh4] Add missing implementation in MacroAssembler to fix build.
911         https://bugs.webkit.org/show_bug.cgi?id=126063
912
913         Reviewed by Mark Hahnenberg.
914
915         * assembler/MacroAssemblerSH4.h:
916         (JSC::MacroAssemblerSH4::branchTest8):
917
918 2013-12-20  Julien Brianceau  <jbriance@cisco.com>
919
920         [arm] Add missing implementation in MacroAssembler to fix CPU(ARM_TRADITIONAL) build.
921         https://bugs.webkit.org/show_bug.cgi?id=126064
922
923         Reviewed by Mark Hahnenberg.
924
925         * assembler/MacroAssemblerARM.h:
926         (JSC::MacroAssemblerARM::branchTest8):
927
928 2013-12-19  Joseph Pecoraro  <pecoraro@apple.com>
929
930         Web Inspector: Add InspectorFrontendHost.debuggableType to let the frontend know its backend is JavaScript or Web
931         https://bugs.webkit.org/show_bug.cgi?id=126016
932
933         Reviewed by Timothy Hatcher.
934
935         * inspector/remote/RemoteInspector.mm:
936         (Inspector::RemoteInspector::listingForDebuggable):
937         * inspector/remote/RemoteInspectorConstants.h:
938         Include a debuggable type identifier in the debuggable listing,
939         so the remote frontend can know if it is debugging a Web Page
940         or JS Context.
941
942 2013-12-19  Benjamin Poulain  <benjamin@webkit.org>
943
944         Add a utility class to simplify generating function calls
945         https://bugs.webkit.org/show_bug.cgi?id=125972
946
947         Reviewed by Geoffrey Garen.
948
949         Split branchTest32 in two functions: test32AndSetFlags and branchOnFlags.
950         This is done to allow code where the flags are set, multiple operations that
951         do not modify the flags occur, then the flags are used.
952
953         This is used for function calls to test the return value while discarding the
954         return register.
955
956         * assembler/MacroAssemblerX86Common.h:
957         (JSC::MacroAssemblerX86Common::test32AndSetFlags):
958         (JSC::MacroAssemblerX86Common::branchOnFlags):
959         (JSC::MacroAssemblerX86Common::branchTest32):
960
961 2013-12-19  Mark Hahnenberg  <mhahnenberg@apple.com>
962
963         Put write barriers in the right places in the baseline JIT
964         https://bugs.webkit.org/show_bug.cgi?id=125975
965
966         Reviewed by Filip Pizlo.
967
968         * jit/JIT.cpp:
969         (JSC::JIT::privateCompileSlowCases):
970         * jit/JIT.h:
971         * jit/JITInlines.h:
972         (JSC::JIT::callOperation):
973         (JSC::JIT::emitArrayProfilingSite):
974         * jit/JITOpcodes.cpp:
975         (JSC::JIT::emit_op_enter):
976         (JSC::JIT::emitSlow_op_enter):
977         * jit/JITOpcodes32_64.cpp:
978         (JSC::JIT::emit_op_enter):
979         (JSC::JIT::emitSlow_op_enter):
980         * jit/JITPropertyAccess.cpp:
981         (JSC::JIT::emit_op_put_by_val):
982         (JSC::JIT::emitGenericContiguousPutByVal):
983         (JSC::JIT::emitArrayStoragePutByVal):
984         (JSC::JIT::emit_op_put_by_id):
985         (JSC::JIT::emitPutGlobalProperty):
986         (JSC::JIT::emitPutGlobalVar):
987         (JSC::JIT::emitPutClosureVar):
988         (JSC::JIT::emit_op_init_global_const):
989         (JSC::JIT::checkMarkWord):
990         (JSC::JIT::emitWriteBarrier):
991         (JSC::JIT::privateCompilePutByVal):
992         * jit/JITPropertyAccess32_64.cpp:
993         (JSC::JIT::emitGenericContiguousPutByVal):
994         (JSC::JIT::emitArrayStoragePutByVal):
995         (JSC::JIT::emit_op_put_by_id):
996         (JSC::JIT::emitSlow_op_put_by_id):
997         (JSC::JIT::emitPutGlobalProperty):
998         (JSC::JIT::emitPutGlobalVar):
999         (JSC::JIT::emitPutClosureVar):
1000         (JSC::JIT::emit_op_init_global_const):
1001         * jit/Repatch.cpp:
1002         (JSC::emitPutReplaceStub):
1003         (JSC::emitPutTransitionStub):
1004         (JSC::repatchPutByID):
1005         * runtime/CommonSlowPaths.cpp:
1006         (JSC::SLOW_PATH_DECL):
1007         * runtime/CommonSlowPaths.h:
1008
1009 2013-12-19  Brent Fulgham  <bfulgham@apple.com>
1010
1011         Implement ArrayBuffer.isView
1012         https://bugs.webkit.org/show_bug.cgi?id=126004
1013
1014         Reviewed by Filip Pizlo.
1015
1016         Test coverage in webgl/1.0.2/resources/webgl_test_files/conformance/typedarrays/array-unit-tests.html
1017
1018         * runtime/JSArrayBufferConstructor.cpp:
1019         (JSC::JSArrayBufferConstructor::finishCreation): Add 'isView' to object constructor.
1020         (JSC::arrayBufferFuncIsView): New method.
1021
1022 2013-12-19  Mark Lam  <mark.lam@apple.com>
1023
1024         Fix broken C loop LLINT build.
1025         https://bugs.webkit.org/show_bug.cgi?id=126024.
1026
1027         Reviewed by Oliver Hunt.
1028
1029         * runtime/VM.h:
1030
1031 2013-12-18  Mark Hahnenberg  <mhahnenberg@apple.com>
1032
1033         DelayedReleaseScope is in the wrong place
1034         https://bugs.webkit.org/show_bug.cgi?id=125876
1035
1036         Reviewed by Geoffrey Garen.
1037
1038         The DelayedReleaseScope needs to be around the free list sweeping in MarkedAllocator::tryAllocateHelper. 
1039         This location gives us a good safe point between getting ready to allocate (i.e. identifying a non-empty 
1040         free list) and doing the actual allocation (popping the free list).
1041
1042         * heap/MarkedAllocator.cpp:
1043         (JSC::MarkedAllocator::tryAllocateHelper):
1044         (JSC::MarkedAllocator::allocateSlowCase):
1045         (JSC::MarkedAllocator::addBlock):
1046         * runtime/JSCellInlines.h:
1047         (JSC::allocateCell):
1048
1049 2013-12-18  Gustavo Noronha Silva  <gns@gnome.org>
1050
1051         [GTK][CMake] make libjavascriptcoregtk a public shared library again
1052         https://bugs.webkit.org/show_bug.cgi?id=125512
1053
1054         Reviewed by Martin Robinson.
1055
1056         * CMakeLists.txt: use target type instead of SHARED_CORE to decide whether
1057         JavaScriptCore is a shared library, since it's always shared for GTK+ regardless
1058         of SHARED_CORE.
1059
1060 2013-12-18  Benjamin Poulain  <benjamin@webkit.org>
1061
1062         Add a simple stack abstraction for x86_64
1063         https://bugs.webkit.org/show_bug.cgi?id=125908
1064
1065         Reviewed by Geoffrey Garen.
1066
1067         * assembler/MacroAssemblerX86_64.h:
1068         (JSC::MacroAssemblerX86_64::addPtrNoFlags):
1069         Add an explicit abstraction for the "lea" instruction. This is needed
1070         by the experimental JIT to have add and subtract without changing the flags.
1071
1072         This is useful for function calls to test the return value, restore the registers,
1073         then branch on the flags from the return value.
1074
1075 2013-12-18  Mark Hahnenberg  <mhahnenberg@apple.com>
1076
1077         DFG should have a separate StoreBarrier node
1078         https://bugs.webkit.org/show_bug.cgi?id=125530
1079
1080         Reviewed by Filip Pizlo.
1081
1082         This is in preparation for GenGC. We use a separate StoreBarrier node instead of making them implicitly 
1083         part of other nodes so that it's easier to run analyses on them, e.g. for the StoreBarrierElisionPhase. 
1084         They are inserted during the fixup phase. Initially they do not generate any code.
1085
1086         * CMakeLists.txt:
1087         * GNUmakefile.list.am:
1088         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1089         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1090         * JavaScriptCore.xcodeproj/project.pbxproj:
1091         * dfg/DFGAbstractHeap.h:
1092         * dfg/DFGAbstractInterpreter.h:
1093         (JSC::DFG::AbstractInterpreter::isKnownNotCell):
1094         * dfg/DFGAbstractInterpreterInlines.h:
1095         (JSC::DFG::::executeEffects):
1096         * dfg/DFGClobberize.h:
1097         (JSC::DFG::clobberizeForAllocation):
1098         (JSC::DFG::clobberize):
1099         * dfg/DFGConstantFoldingPhase.cpp:
1100         (JSC::DFG::ConstantFoldingPhase::foldConstants): Whenever we insert new nodes that require StoreBarriers,
1101         we have to add those new StoreBarriers too. It's important to note that AllocatePropertyStorage and 
1102         ReallocatePropertyStorage nodes require their StoreBarriers to come after them since they allocate first,
1103         which could cause a GC, and then store the resulting buffer into their JSCell, which requires the barrier.
1104         If we ever require that write barriers occur before stores, we'll have to split these nodes into 
1105         AllocatePropertyStorage + StoreBarrier + PutPropertyStorage.
1106         * dfg/DFGFixupPhase.cpp:
1107         (JSC::DFG::FixupPhase::fixupNode):
1108         (JSC::DFG::FixupPhase::insertStoreBarrier):
1109         * dfg/DFGNode.h:
1110         (JSC::DFG::Node::isStoreBarrier):
1111         * dfg/DFGNodeType.h:
1112         * dfg/DFGOSRExitCompiler32_64.cpp:
1113         (JSC::DFG::OSRExitCompiler::compileExit):
1114         * dfg/DFGOSRExitCompiler64.cpp:
1115         (JSC::DFG::OSRExitCompiler::compileExit):
1116         * dfg/DFGPlan.cpp:
1117         (JSC::DFG::Plan::compileInThreadImpl):
1118         * dfg/DFGPredictionPropagationPhase.cpp:
1119         (JSC::DFG::PredictionPropagationPhase::propagate):
1120         * dfg/DFGSafeToExecute.h:
1121         (JSC::DFG::safeToExecute):
1122         * dfg/DFGSpeculativeJIT.cpp:
1123         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1124         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1125         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
1126         (JSC::DFG::SpeculativeJIT::genericWriteBarrier): The fast path write barrier check. It loads the 
1127         byte that contains the mark bit of the object. 
1128         (JSC::DFG::SpeculativeJIT::storeToWriteBarrierBuffer): If the fast path check fails we try to store the 
1129         cell in the WriteBarrierBuffer so as to avoid frequently flushing all registers in order to make a C call.
1130         (JSC::DFG::SpeculativeJIT::writeBarrier):
1131         (JSC::DFG::SpeculativeJIT::osrWriteBarrier): More barebones version of the write barrier to be executed 
1132         during an OSR exit into baseline code. We must do this so that the baseline JIT object and array profiles 
1133         are properly cleared during GC.
1134         * dfg/DFGSpeculativeJIT.h:
1135         (JSC::DFG::SpeculativeJIT::callOperation):
1136         * dfg/DFGSpeculativeJIT32_64.cpp:
1137         (JSC::DFG::SpeculativeJIT::cachedPutById):
1138         (JSC::DFG::SpeculativeJIT::compileBaseValueStoreBarrier):
1139         (JSC::DFG::SpeculativeJIT::compile):
1140         (JSC::DFG::SpeculativeJIT::writeBarrier):
1141         * dfg/DFGSpeculativeJIT64.cpp:
1142         (JSC::DFG::SpeculativeJIT::cachedPutById):
1143         (JSC::DFG::SpeculativeJIT::compileBaseValueStoreBarrier):
1144         (JSC::DFG::SpeculativeJIT::compile):
1145         (JSC::DFG::SpeculativeJIT::writeBarrier):
1146         * dfg/DFGStoreBarrierElisionPhase.cpp: Added. New DFG phase that does block-local elision of redundant
1147         StoreBarriers. Every time a StoreBarrier on a particular object is executed, a bit is set indicating that 
1148         that object doesn't need any more StoreBarriers. 
1149         (JSC::DFG::StoreBarrierElisionPhase::StoreBarrierElisionPhase):
1150         (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC): Nodes that could cause a GC reset the bits for all of the 
1151         objects known in the current block. 
1152         (JSC::DFG::StoreBarrierElisionPhase::allocatesFreshObject): A node that creates a new object automatically 
1153         sets the bit for that object since if a GC occurred as the result of that object's allocation then that 
1154         object would not need a barrier since it would be guaranteed to be a young generation object until the 
1155         next GC point.
1156         (JSC::DFG::StoreBarrierElisionPhase::noticeFreshObject):
1157         (JSC::DFG::StoreBarrierElisionPhase::getBaseOfStore):
1158         (JSC::DFG::StoreBarrierElisionPhase::shouldBeElided):
1159         (JSC::DFG::StoreBarrierElisionPhase::elideBarrier):
1160         (JSC::DFG::StoreBarrierElisionPhase::handleNode):
1161         (JSC::DFG::StoreBarrierElisionPhase::handleBlock):
1162         (JSC::DFG::StoreBarrierElisionPhase::run):
1163         (JSC::DFG::performStoreBarrierElision):
1164         * dfg/DFGStoreBarrierElisionPhase.h: Added.
1165         * heap/Heap.cpp:
1166         (JSC::Heap::Heap):
1167         (JSC::Heap::flushWriteBarrierBuffer):
1168         * heap/Heap.h:
1169         (JSC::Heap::writeBarrier):
1170         * heap/MarkedBlock.h:
1171         (JSC::MarkedBlock::offsetOfMarks):
1172         * heap/WriteBarrierBuffer.cpp: Added. The WriteBarrierBuffer buffers a set of JSCells that are awaiting 
1173         a pending WriteBarrier. This buffer is used by the DFG to avoid the overhead of calling out to C repeatedly
1174         to invoke a write barrier on a single JSCell. Instead the DFG has inline code to fill the WriteBarrier buffer
1175         until it's full, and then to call out to C to flush it. The WriteBarrierBuffer will also be flushed prior to 
1176         each EdenCollection.
1177         (JSC::WriteBarrierBuffer::WriteBarrierBuffer):
1178         (JSC::WriteBarrierBuffer::~WriteBarrierBuffer):
1179         (JSC::WriteBarrierBuffer::flush):
1180         (JSC::WriteBarrierBuffer::reset):
1181         (JSC::WriteBarrierBuffer::add):
1182         * heap/WriteBarrierBuffer.h: Added.
1183         (JSC::WriteBarrierBuffer::currentIndexOffset):
1184         (JSC::WriteBarrierBuffer::capacityOffset):
1185         (JSC::WriteBarrierBuffer::bufferOffset):
1186         * jit/JITOperations.cpp:
1187         * jit/JITOperations.h:
1188         * runtime/VM.h:
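
        The elision rules described above (set a bit for an object after a barrier on it or after its fresh
        allocation, clear every bit at a node that may cause a GC), as an added worked example that is not
        WebKit's code: a block-local pass over a toy IR in C++. The opcode set, the node layout and the
        choice of which nodes may GC (NewObject and Call) are assumptions made for this example.

```cpp
// Added illustration, not WebKit code: block-local store barrier elision over a
// toy IR, following the three rules the entry above describes. Opcode names,
// node layout and which nodes may GC are assumptions made for this example.
#include <cstddef>
#include <iostream>
#include <set>
#include <vector>

namespace barrier_elision {

enum class Op {
    NewObject,    // allocates a fresh object (assumed to be a GC point itself)
    StoreBarrier, // barrier on the object in child0
    PutByOffset,  // store into child0; does not allocate, so cannot GC
    Call          // assumed to be able to allocate, hence a GC point
};

struct Node {
    Op op;
    int id;     // the object this node produces (NewObject), or -1
    int child0; // the base object of a StoreBarrier/PutByOffset, or -1
    bool elided;
};

struct Block {
    std::vector<Node> nodes;
};

// Analogue of StoreBarrierElisionPhase::couldCauseGC.
bool couldCauseGC(const Node& node)
{
    return node.op == Op::NewObject || node.op == Op::Call;
}

// Analogue of StoreBarrierElisionPhase::allocatesFreshObject.
bool allocatesFreshObject(const Node& node)
{
    return node.op == Op::NewObject;
}

// Walks one block and marks redundant StoreBarriers as elided.
// Returns the number of barriers elided.
size_t elideStoreBarriers(Block& block)
{
    // Objects known, at this point in the block, to need no further barrier.
    std::set<int> barrierDone;
    size_t elided = 0;
    for (size_t i = 0; i < block.nodes.size(); ++i) {
        Node& node = block.nodes[i];
        // A possible GC invalidates everything we knew about every object.
        if (couldCauseGC(node))
            barrierDone.clear();
        // A fresh object stays young until the next GC point, even if its own
        // allocation triggered a collection, so it needs no barrier yet.
        if (allocatesFreshObject(node))
            barrierDone.insert(node.id);
        if (node.op == Op::StoreBarrier) {
            if (barrierDone.count(node.child0)) {
                node.elided = true; // a barrier on this object already ran
                ++elided;
            } else {
                barrierDone.insert(node.child0);
            }
        }
    }
    return elided;
}

// Constructed sample block: object 1 is fresh, object 2 comes from outside.
Block exampleBlock()
{
    Block block;
    Node nodes[] = {
        { Op::NewObject,     1, -1, false }, // 0
        { Op::StoreBarrier, -1,  1, false }, // 1: elided, object 1 is fresh
        { Op::PutByOffset,  -1,  1, false }, // 2
        { Op::StoreBarrier, -1,  1, false }, // 3: elided, still no GC point
        { Op::Call,         -1, -1, false }, // 4: GC point, forget everything
        { Op::StoreBarrier, -1,  1, false }, // 5: kept
        { Op::StoreBarrier, -1,  1, false }, // 6: elided
        { Op::StoreBarrier, -1,  2, false }, // 7: kept, first barrier on object 2
        { Op::StoreBarrier, -1,  2, false }  // 8: elided
    };
    block.nodes.assign(nodes, nodes + sizeof(nodes) / sizeof(nodes[0]));
    return block;
}

} // namespace barrier_elision

int main()
{
    barrier_elision::Block block = barrier_elision::exampleBlock();
    std::cout << "elided " << barrier_elision::elideStoreBarriers(block) << " of 6 barriers\n";
    return 0;
}
```

        The pass is deliberately block-local: nothing learned in one block carries into its successors,
        which is why the set starts empty for each call. Treating NewObject as both a GC point and a fresh
        allocation, in that order, is what lets the barrier immediately after an allocation go away.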
1189
1190 2013-12-18  Carlos Garcia Campos  <cgarcia@igalia.com>
1191
1192         Unreviewed. Fix make distcheck.
1193
1194         * GNUmakefile.am:
1195
1196 2013-12-17  Julien Brianceau  <jbriance@cisco.com>
1197
1198         Fix armv7 and sh4 builds.
1199         https://bugs.webkit.org/show_bug.cgi?id=125848
1200
1201         Reviewed by Csaba Osztrogonác.
1202
1203         * assembler/ARMv7Assembler.h: Include limits.h for INT_MIN.
1204         * assembler/SH4Assembler.h: Include limits.h for INT_MIN.
1205
1206 2013-12-16  Oliver Hunt  <oliver@apple.com>
1207
1208         Avoid indirect function calls for custom getters
1209         https://bugs.webkit.org/show_bug.cgi?id=125821
1210
1211         Reviewed by Mark Hahnenberg.
1212
1213         Rather than invoking a helper function to perform an indirect call
1214         through a function pointer, just have the JIT call the function directly.
1215
1216         Unfortunately this only works in JSVALUE64 at the moment as there
1217         is not an obvious way to pass two EncodedJSValues uniformly over
1218         the various affected JITs.
1219
1220         * jit/CCallHelpers.h:
1221         (JSC::CCallHelpers::setupArguments):
1222         * jit/Repatch.cpp:
1223         (JSC::generateProtoChainAccessStub):
1224         (JSC::tryBuildGetByIDList):
1225
1226 2013-12-16  Joseph Pecoraro  <pecoraro@apple.com>
1227
1228         Fix some whitespace issues in inspector code
1229         https://bugs.webkit.org/show_bug.cgi?id=125814
1230
1231         Reviewed by Darin Adler.
1232
1233         * inspector/protocol/Debugger.json:
1234         * inspector/protocol/Runtime.json:
1235         * inspector/scripts/CodeGeneratorInspector.py:
1236         (Generator.process_command):
1237
1238 2013-12-16  Mark Hahnenberg  <mhahnenberg@apple.com>
1239
1240         Add some missing functions to MacroAssembler
1241         https://bugs.webkit.org/show_bug.cgi?id=125809
1242
1243         Reviewed by Oliver Hunt.
1244
1245         * assembler/AbstractMacroAssembler.h:
1246         * assembler/AssemblerBuffer.h:
1247         * assembler/LinkBuffer.cpp:
1248         * assembler/MacroAssembler.h:
1249         (JSC::MacroAssembler::storePtr):
1250         (JSC::MacroAssembler::andPtr):
1251         * assembler/MacroAssemblerARM64.h:
1252         (JSC::MacroAssemblerARM64::and64):
1253         (JSC::MacroAssemblerARM64::branchTest8):
1254         * assembler/MacroAssemblerARMv7.h:
1255         (JSC::MacroAssemblerARMv7::branchTest8):
1256         * assembler/X86Assembler.h:
1257
1258 2013-12-16  Brent Fulgham  <bfulgham@apple.com>
1259
1260         [Win] Remove dead code after conversion to VS2013
1261         https://bugs.webkit.org/show_bug.cgi?id=125795
1262
1263         Reviewed by Darin Adler.
1264
1265         * API/tests/testapi.c: Remove local nan implementation
1266
1267 2013-12-16  Oliver Hunt  <oliver@apple.com>
1268
1269         Cache getters and custom accessors on the prototype chain
1270         https://bugs.webkit.org/show_bug.cgi?id=125602
1271
1272         Reviewed by Michael Saboff.
1273
1274         Support caching of custom getters and accessors on the prototype chain.
1275         This is relatively trivial and just requires a little work compared to
1276         the direct access mode as we're under more register pressure.
1277
1278         * bytecode/StructureStubInfo.h:
1279         Removed the unused initGetByIdProto as it was confusing to still have it present.
1280         * jit/Repatch.cpp:
1281         (JSC::generateProtoChainAccessStub):
1282         (JSC::tryCacheGetByID):
1283         (JSC::tryBuildGetByIDList):
1284
1285 2013-12-16  Mark Lam  <mark.lam@apple.com>
1286
1287         Change slow path result to take a void* instead of a ExecState*.
1288         https://bugs.webkit.org/show_bug.cgi?id=125802.
1289
1290         Reviewed by Filip Pizlo.
1291
1292         This is in preparation for C Stack OSR entry work that is coming soon.
1293         In the OSR entry case, we'll be returning a topOfFrame pointer value
1294         instead of the ExecState*.
1295
1296         * offlineasm/cloop.rb:
1297         * runtime/CommonSlowPaths.h:
1298         (JSC::encodeResult):
1299         (JSC::decodeResult):
1300
1301 2013-12-16  Alex Christensen  <achristensen@webkit.org>
1302
1303         Fixed Win64 build on VS2013.
1304         https://bugs.webkit.org/show_bug.cgi?id=125753
1305
1306         Reviewed by Brent Fulgham.
1307
1308         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1309         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj:
1310         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
1311         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
1312         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
1313         * JavaScriptCore.vcxproj/jsc/jsc.vcxproj:
1314         * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj:
1315         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
1316         Added correct PlatformToolset for 64-bit builds.
1317
1318 2013-12-16  Peter Szanka  <h868064@stud.u-szeged.hu>
1319
1320         Delete RVCT related code parts.
1321         https://bugs.webkit.org/show_bug.cgi?id=125626
1322
1323         Reviewed by Darin Adler.
1324
1325         * assembler/ARMAssembler.cpp:
1326         * assembler/ARMAssembler.h:
1327         (JSC::ARMAssembler::cacheFlush):
1328         * assembler/MacroAssemblerARM.cpp:
1329         (JSC::isVFPPresent):
1330         * jit/JITStubsARM.h:
1331         * jit/JITStubsARMv7.h:
1332
1333 2013-12-15  Ryosuke Niwa  <rniwa@webkit.org>
1334
1335         REGRESSION: 2x regression on Dromaeo DOM query tests
1336         https://bugs.webkit.org/show_bug.cgi?id=125377
1337
1338         Reviewed by Filip Pizlo.
1339
1340         The bug was caused by JSC not JIT'ing property access on "document" due to its type info having
1341         the HasImpureGetOwnPropertySlot flag.
1342
1343         Fixed the bug by adding a new type info flag, NewImpurePropertyFiresWatchpoints, which allows the baseline
1344         JIT to generate byte code for accessing properties on an object with named properties (a.k.a.
1345         custom name getter) in the DOM. When a new named property appears on the object, the VM is notified via
1346         VM::addImpureProperty and fires the StructureStubClearingWatchpoint added during the repatch.
1347
1348         * bytecode/GetByIdStatus.cpp:
1349         (JSC::GetByIdStatus::computeFromLLInt): Take the slow path if we have any object with impure
1350         properties in the prototype chain.
1351         (JSC::GetByIdStatus::computeForChain): Ditto.
1352
1353         * jit/Repatch.cpp:
1354         (JSC::repatchByIdSelfAccess): Throw away the byte code when a new impure property is added on any
1355         object in the prototype chain via StructureStubClearingWatchpoint.
1356         (JSC::generateProtoChainAccessStub): Ditto.
1357         (JSC::tryCacheGetByID):
1358         (JSC::tryBuildGetByIDList):
1359         (JSC::tryRepatchIn): Ditto.
1360
1361         * runtime/JSTypeInfo.h: Added NewImpurePropertyFiresWatchpoints.
1362         (JSC::TypeInfo::newImpurePropertyFiresWatchpoints): Added.
1363
1364         * runtime/Operations.h:
1365         (JSC::normalizePrototypeChainForChainAccess): Don't exit early if the VM will be notified of new
1366         impure property even if the object had impure properties.
1367
1368         * runtime/Structure.h:
1369         (JSC::Structure::takesSlowPathInDFGForImpureProperty): Added. Wraps hasImpureGetOwnPropertySlot and
1370         asserts that newImpurePropertyFiresWatchpoints is true whenever hasImpureGetOwnPropertySlot is true.
1371
1372         * runtime/VM.cpp:
1373         (JSC::VM::registerWatchpointForImpureProperty): Added.
1374         (JSC::VM::addImpureProperty): Added. HTMLDocument calls it to notify JSC of a new impure property.
1375
1376         * runtime/VM.h:
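
        The watchpoint scheme above, as an added example that is not WebKit's code: a toy get-by-id cache
        in C++ that stays valid on an object with impure named properties until an impure property with the
        cached name is added, at which point the VM fires the stub's watchpoint and the next access takes
        the slow path. The class names (VM, DocumentLike, GetByIdStub), the int-valued properties and the
        rule that named items shadow ordinary properties are assumptions made for this example.

```cpp
// Added illustration, not WebKit code: the watchpoint scheme described in the
// entry above, reduced to a toy. A get-by-id cache on an object with impure
// named properties stays valid until an impure property with the cached name
// appears. Class and member names are assumptions made for this example.
#include <iostream>
#include <map>
#include <string>
#include <vector>

namespace impure_cache {

// Analogue of StructureStubClearingWatchpoint: once fired, the stub is stale.
struct Watchpoint {
    bool fired;
    Watchpoint() : fired(false) { }
};

class VM {
public:
    // Analogue of VM::registerWatchpointForImpureProperty.
    void registerWatchpointForImpureProperty(const std::string& name, Watchpoint* wp)
    {
        m_watchpoints[name].push_back(wp);
    }
    // Analogue of VM::addImpureProperty: fires every stub cached for `name`.
    void addImpureProperty(const std::string& name)
    {
        std::map<std::string, std::vector<Watchpoint*> >::iterator it = m_watchpoints.find(name);
        if (it == m_watchpoints.end())
            return;
        for (size_t i = 0; i < it->second.size(); ++i)
            it->second[i]->fired = true;
        m_watchpoints.erase(it);
    }
private:
    std::map<std::string, std::vector<Watchpoint*> > m_watchpoints;
};

// An object with an impure getOwnPropertySlot: named items (like form names on
// an HTMLDocument) shadow ordinary properties and can appear at any time.
class DocumentLike {
public:
    explicit DocumentLike(VM& vm) : m_vm(vm) { }
    VM& vm() { return m_vm; }
    void putOrdinary(const std::string& name, int value) { m_ordinary[name] = value; }
    void addNamedItem(const std::string& name, int value)
    {
        m_namedItems[name] = value;
        m_vm.addImpureProperty(name); // what the document does on a new named item
    }
    // Uncached lookup: named items win over ordinary properties; -1 if absent.
    int slowGet(const std::string& name) const
    {
        std::map<std::string, int>::const_iterator it = m_namedItems.find(name);
        if (it != m_namedItems.end())
            return it->second;
        it = m_ordinary.find(name);
        return it == m_ordinary.end() ? -1 : it->second;
    }
private:
    VM& m_vm;
    std::map<std::string, int> m_ordinary;
    std::map<std::string, int> m_namedItems;
};

// A get-by-id inline cache for one property name on one object.
class GetByIdStub {
public:
    explicit GetByIdStub(const std::string& name)
        : m_name(name), m_cachedValue(0), m_valid(false), m_slowPathHits(0) { }
    int get(DocumentLike& object)
    {
        if (m_valid && !m_watchpoint.fired)
            return m_cachedValue; // fast path: nothing impure appeared for this name
        ++m_slowPathHits;         // repatch: look up, then arm a fresh watchpoint
        m_cachedValue = object.slowGet(m_name);
        m_watchpoint = Watchpoint();
        object.vm().registerWatchpointForImpureProperty(m_name, &m_watchpoint);
        m_valid = true;
        return m_cachedValue;
    }
    unsigned slowPathHits() const { return m_slowPathHits; }
private:
    std::string m_name;
    int m_cachedValue;
    Watchpoint m_watchpoint;
    bool m_valid;
    unsigned m_slowPathHits;
};

} // namespace impure_cache

int main()
{
    impure_cache::VM vm;
    impure_cache::DocumentLike document(vm);
    document.putOrdinary("title", 1);
    impure_cache::GetByIdStub stub("title");
    stub.get(document);
    document.addNamedItem("login", 7);  // unrelated name: the cache survives
    document.addNamedItem("title", 42); // shadows "title": the watchpoint fires
    std::cout << stub.get(document) << " after " << stub.slowPathHits() << " slow paths\n";
    return 0;
}
```

        The point of keying the watchpoints by property name is visible in the two addNamedItem calls:
        a new named item with an unrelated name leaves the cache intact, while one that shadows the cached
        name forces exactly one extra slow path before the stub is rebuilt.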
1377
1378 2013-12-15  Andy Estes  <aestes@apple.com>
1379
1380         [iOS] Upstream changes to FeatureDefines.xcconfig
1381         https://bugs.webkit.org/show_bug.cgi?id=125742
1382
1383         Reviewed by Dan Bernstein.
1384
1385         * Configurations/FeatureDefines.xcconfig:
1386
1387 2013-12-14  Filip Pizlo  <fpizlo@apple.com>
1388
1389         FTL should *really* know when things are flushed
1390         https://bugs.webkit.org/show_bug.cgi?id=125747
1391
1392         Reviewed by Sam Weinig.
1393         
1394         Fix more codegen badness. This makes V8v7's crypto am3() function run faster in the FTL
1395         than in DFG. This means that even if we just compile those functions in V8v7 that don't
1396         make calls, the FTL gives us a 2% speed-up over the DFG. That's pretty good considering
1397         that we have still more optimizations to fix and we can make calls work.
1398
1399         * dfg/DFGSSAConversionPhase.cpp:
1400         (JSC::DFG::SSAConversionPhase::run):
1401         * ftl/FTLCompile.cpp:
1402         (JSC::FTL::fixFunctionBasedOnStackMaps):
1403
1404 2013-12-14  Andy Estes  <aestes@apple.com>
1405
1406         Unify FeatureDefines.xcconfig
1407         https://bugs.webkit.org/show_bug.cgi?id=125741
1408
1409         Rubber-stamped by Dan Bernstein.
1410
1411         * Configurations/FeatureDefines.xcconfig: Enable ENABLE_MEDIA_SOURCE.
1412
1413 2013-12-14  Mark Rowe  <mrowe@apple.com>
1414
1415         Build fix after r160557.
1416
1417         r160557 added the first generated header to JavaScriptCore that needs to be installed into
1418         the framework wrapper. Sadly JavaScriptCore's Derived Sources target was not set to generate
1419         headers when invoked as part of the installhdrs action. This resulted in the build failing
1420         due to Xcode being unable to find the header file to install. The fix for this is to configure
1421         the Derived Sources target to use JavaScriptCore.xcconfig, which sets INSTALLHDRS_SCRIPT_PHASE
1422         to YES and allows Xcode to generate derived sources during the installhdrs action.
1423
1424         Enabling INSTALLHDRS_SCRIPT_PHASE required tweaking the Generate Derived Sources script build
1425         phase to skip running code related to offlineasm that depends on JSCLLIntOffsetExtractor
1426         having been compiled, which isn't the case at installhdrs time.
1427
1428         * JavaScriptCore.xcodeproj/project.pbxproj:
1429
1430 2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>
1431
1432         Some Set and Map prototype functions have incorrect function lengths
1433         https://bugs.webkit.org/show_bug.cgi?id=125732
1434
1435         Reviewed by Oliver Hunt.
1436
1437         * runtime/MapPrototype.cpp:
1438         (JSC::MapPrototype::finishCreation):
1439         * runtime/SetPrototype.cpp:
1440         (JSC::SetPrototype::finishCreation):
1441
1442 2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>
1443
1444         Web Inspector: Move Inspector and Debugger protocol domains into JavaScriptCore
1445         https://bugs.webkit.org/show_bug.cgi?id=125707
1446
1447         Reviewed by Timothy Hatcher.
1448
1449         * CMakeLists.txt:
1450         * DerivedSources.make:
1451         * GNUmakefile.am:
1452         * inspector/protocol/Debugger.json: Renamed from Source/WebCore/inspector/protocol/Debugger.json.
1453         * inspector/protocol/GenericTypes.json: Added.
1454         * inspector/protocol/InspectorDomain.json: Renamed from Source/WebCore/inspector/protocol/InspectorDomain.json.
1455         Add new files to inspector generation.
1456
1457         * inspector/scripts/CodeGeneratorInspector.py:
1458         (Generator.go):
1459         Only build TypeBuilder output if the domain only has types. Avoid
1460         backend/frontend dispatchers and backend commands.
1461
1462         (TypeBindings.create_type_declaration_.EnumBinding.get_setter_value_expression_pattern):
1463         (format_setter_value_expression):
1464         (Generator.process_command):
1465         (Generator.generate_send_method):
1466         * inspector/scripts/CodeGeneratorInspectorStrings.py:
1467         Export and name the get{JS,Web}EnumConstant function.
1468
1469 2013-12-11  Filip Pizlo  <fpizlo@apple.com>
1470
1471         Get rid of forward exit on UInt32ToNumber by adding an op_unsigned bytecode instruction
1472         https://bugs.webkit.org/show_bug.cgi?id=125553
1473
1474         Reviewed by Oliver Hunt.
1475         
1476         UInt32ToNumber was a super complicated node because it had to do a speculation, but it
1477         would do it after we already had computed the urshift. It couldn't just jump back to the
1478         beginning of the urshift because the inputs to the urshift weren't necessarily live
1479         anymore. We couldn't jump forward to the beginning of the next instruction because the
1480         result of the urshift was not yet unsigned-converted.
1481         
1482         For a while we solved this by forward-exiting in UInt32ToNumber. But that's really
1483         gross and I want to get rid of all forward exits. They cause a lot of bugs.
1484         
1485         We could also have turned UInt32ToNumber to a backwards exit by forcing the inputs to
1486         the urshift to be live. I figure that this might be a bit too extreme.
1487         
1488         So, I just created a new place that we can exit to: I split op_urshift into op_urshift
1489         followed by op_unsigned. op_unsigned is an "unsigned cast" along the lines of what
1490         UInt32ToNumber does. This allows me to get rid of all of the nastiness in the DFG for
1491         forward exiting in UInt32ToNumber.
1492         
1493         This patch enables massive code carnage in the DFG and FTL, and brings us closer to
1494         eliminating one of the DFG's most confusing concepts. On the flipside, it does make the
1495         bytecode slightly more complex (one new instruction). This is a profitable trade. We
1496         want the DFG and FTL to trend towards simplicity, since they are both currently too
1497         complicated.
1498
1499         * bytecode/BytecodeUseDef.h:
1500         (JSC::computeUsesForBytecodeOffset):
1501         (JSC::computeDefsForBytecodeOffset):
1502         * bytecode/CodeBlock.cpp:
1503         (JSC::CodeBlock::dumpBytecode):
1504         * bytecode/Opcode.h:
1505         (JSC::padOpcodeName):
1506         * bytecode/ValueRecovery.cpp:
1507         (JSC::ValueRecovery::dumpInContext):
1508         * bytecode/ValueRecovery.h:
1509         (JSC::ValueRecovery::gpr):
1510         * bytecompiler/NodesCodegen.cpp:
1511         (JSC::BinaryOpNode::emitBytecode):
1512         (JSC::emitReadModifyAssignment):
1513         * dfg/DFGByteCodeParser.cpp:
1514         (JSC::DFG::ByteCodeParser::toInt32):
1515         (JSC::DFG::ByteCodeParser::parseBlock):
1516         * dfg/DFGClobberize.h:
1517         (JSC::DFG::clobberize):
1518         * dfg/DFGNodeType.h:
1519         * dfg/DFGOSRExitCompiler32_64.cpp:
1520         (JSC::DFG::OSRExitCompiler::compileExit):
1521         * dfg/DFGOSRExitCompiler64.cpp:
1522         (JSC::DFG::OSRExitCompiler::compileExit):
1523         * dfg/DFGSpeculativeJIT.cpp:
1524         (JSC::DFG::SpeculativeJIT::compileMovHint):
1525         (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
1526         * dfg/DFGSpeculativeJIT.h:
1527         * dfg/DFGSpeculativeJIT32_64.cpp:
1528         * dfg/DFGSpeculativeJIT64.cpp:
1529         * dfg/DFGStrengthReductionPhase.cpp:
1530         (JSC::DFG::StrengthReductionPhase::handleNode):
1531         (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild):
1532         (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild1):
1533         (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild2):
1534         * ftl/FTLFormattedValue.h:
1535         (JSC::FTL::int32Value):
1536         * ftl/FTLLowerDFGToLLVM.cpp:
1537         (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):
1538         * ftl/FTLValueFormat.cpp:
1539         (JSC::FTL::reboxAccordingToFormat):
1540         (WTF::printInternal):
1541         * ftl/FTLValueFormat.h:
1542         * jit/JIT.cpp:
1543         (JSC::JIT::privateCompileMainPass):
1544         (JSC::JIT::privateCompileSlowCases):
1545         * jit/JIT.h:
1546         * jit/JITArithmetic.cpp:
1547         (JSC::JIT::emit_op_urshift):
1548         (JSC::JIT::emitSlow_op_urshift):
1549         (JSC::JIT::emit_op_unsigned):
1550         (JSC::JIT::emitSlow_op_unsigned):
1551         * jit/JITArithmetic32_64.cpp:
1552         (JSC::JIT::emitRightShift):
1553         (JSC::JIT::emitRightShiftSlowCase):
1554         (JSC::JIT::emit_op_unsigned):
1555         (JSC::JIT::emitSlow_op_unsigned):
1556         * llint/LowLevelInterpreter32_64.asm:
1557         * llint/LowLevelInterpreter64.asm:
1558         * runtime/CommonSlowPaths.cpp:
1559         (JSC::SLOW_PATH_DECL):
1560         * runtime/CommonSlowPaths.h:
1561
1562 2013-12-13  Mark Hahnenberg  <mhahnenberg@apple.com>
1563
1564         LLInt should not conditionally branch to labels outside of its function
1565         https://bugs.webkit.org/show_bug.cgi?id=125713
1566
1567         Reviewed by Geoffrey Garen.
1568
1569         Conditional branches are insufficient for jumping to out-of-function labels.
1570         The fix is to use an unconditional jmp to the label combined with a conditional branch around the jmp.
1571
1572         * llint/LowLevelInterpreter32_64.asm:
1573         * llint/LowLevelInterpreter64.asm:
1574
1575 2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>
1576
1577         [GTK] Remove Warnings in building about duplicate INSPECTOR variables
1578         https://bugs.webkit.org/show_bug.cgi?id=125710
1579
1580         Reviewed by Tim Horton.
1581
1582         * GNUmakefile.am:
1583
1584 2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>
1585
1586         Cleanup CodeGeneratorInspectorStrings a bit
1587         https://bugs.webkit.org/show_bug.cgi?id=125705
1588
1589         Reviewed by Timothy Hatcher.
1590
1591         * inspector/scripts/CodeGeneratorInspectorStrings.py:
1592         Use ${foo} variable syntax and add an ASCIILiteral.
1593
1594 2013-12-13  Brent Fulgham  <bfulgham@apple.com>
1595
1596         [Win] Unreviewed build fix after r160563
1597
1598         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: Missed the Debug
1599         target in my last patch.
1600
1601 2013-12-13  Brent Fulgham  <bfulgham@apple.com>
1602
1603         [Win] Unreviewed build fix after r160548
1604
1605         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: Specify
1606         that we are using the vs12_xp target for Makefile-based projects.
1607         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj: Ditto.
1608         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: Ditto.
1609
1610 2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>
1611
1612         Make inspector folder groups smarter in JavaScriptCore.xcodeproj
1613         https://bugs.webkit.org/show_bug.cgi?id=125663
1614
1615         Reviewed by Darin Adler.
1616
1617         * JavaScriptCore.xcodeproj/project.pbxproj:
1618
1619 2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>
1620
1621         Web Inspector: Add Inspector Code Generation to JavaScriptCore for Runtime Domain
1622         https://bugs.webkit.org/show_bug.cgi?id=125595
1623
1624         Reviewed by Timothy Hatcher.
1625
1626           - Move CodeGeneration scripts from WebCore into JavaScriptCore/inspector/scripts
1627           - For ports that build WebKit frameworks separately, export the scripts as PrivateHeaders
1628           - Update CodeGeneratorInspector.py in a few ways:
1629             - output dynamic filenames, so JavaScriptCore generates InspectorJSFoo.* and WebCore generates InspectorWebFoo.*
1630             - take in more than one protocol JSON file. The first contains domains to generate, the others are dependencies
1631               that are generated elsewhere that we can depend on for Types.
1632           - Add DerivedSources build step to generate the Inspector Interfaces
1633
1634         * CMakeLists.txt:
1635         * DerivedSources.make:
1636         * GNUmakefile.am:
1637         * GNUmakefile.list.am:
1638         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1639         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1640         * JavaScriptCore.vcxproj/copy-files.cmd:
1641         * JavaScriptCore.xcodeproj/project.pbxproj:
1642         Add scripts and code generation.
1643
1644         * inspector/protocol/Runtime.json: Renamed from Source/WebCore/inspector/protocol/Runtime.json.
1645         Move protocol file into JavaScriptCore so its types will be generated in JavaScriptCore.
1646
1647         * inspector/scripts/CodeGeneratorInspector.py: Renamed from Source/WebCore/inspector/CodeGeneratorInspector.py.
1648         Updates to the script as listed above.
1649
1650         * inspector/scripts/CodeGeneratorInspectorStrings.py: Renamed from Source/WebCore/inspector/CodeGeneratorInspectorStrings.py.
1651         * inspector/scripts/generate-combined-inspector-json.py: Renamed from Source/WebCore/inspector/Scripts/generate-combined-inspector-json.py.
1652         Moved from WebCore into JavaScriptCore for code generation.
1653
1654 2013-12-13  Peter Szanka  <h868064@stud.u-szeged.hu>
1655
1656         Delete INTEL C compiler related code parts.
1657         https://bugs.webkit.org/show_bug.cgi?id=125625
1658
1659         Reviewed by Darin Adler.
1660
1661         * jsc.cpp:
1662         * testRegExp.cpp:
1663
1664 2013-12-13  Brent Fulgham  <bfulgham@apple.com>
1665
1666         [Win] Switch WebKit solution to Visual Studio 2013
1667         https://bugs.webkit.org/show_bug.cgi?id=125192
1668
1669         Reviewed by Anders Carlsson.
1670
1671         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Update for VS2013
1672         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
1673         Ditto
1674         * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Ditto
1675         * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: Ditto
1676         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Ditto
1677
1678 2013-12-12  Joseph Pecoraro  <pecoraro@apple.com>
1679
1680         Add a few more ASCIILiterals
1681         https://bugs.webkit.org/show_bug.cgi?id=125662
1682
1683         Reviewed by Darin Adler.
1684
1685         * inspector/InspectorBackendDispatcher.cpp:
1686         (Inspector::InspectorBackendDispatcher::dispatch):
1687
1688 2013-12-12  Joseph Pecoraro  <pecoraro@apple.com>
1689
1690         Test new JSContext name APIs
1691         https://bugs.webkit.org/show_bug.cgi?id=125607
1692
1693         Reviewed by Darin Adler.
1694
1695         * API/JSContext.h:
1696         * API/JSContextRef.h:
1697         Fix whitespace issues.
1698
1699         * API/tests/testapi.c:
1700         (globalContextNameTest):
1701         (main):
1702         * API/tests/testapi.mm:
1703         Add tests for JSContext set/get name APIs.
1704
1705 2013-12-11  Filip Pizlo  <fpizlo@apple.com>
1706
1707         ARM64: Hang running pdfjs test, suspect DFG generated code for "in"
1708         https://bugs.webkit.org/show_bug.cgi?id=124727
1709         <rdar://problem/15566923>
1710
1711         Reviewed by Michael Saboff.
1712         
1713         Get rid of In's hackish use of StructureStubInfo. Previously it was using hotPathBegin,
1714         and it was the only IC that used that field, which was wasteful. Moreover, it used it
1715         to store two separate locations: the label for patching the jump and the label right
1716         after the jump. The code was relying on those two being the same label, which is true
1717         on X86 and some other platforms, but it isn't true on ARM64.
1718         
1719         This gets rid of hotPathBegin and makes In express those two locations as offsets from
1720         the callReturnLocation, which is analogous to what the other ICs do.
1721         
1722         This fixes a bug where any successful In patching would result in a trivially infinite
1723         loop - and hence a hang - on ARM64.
1724
1725         * bytecode/StructureStubInfo.h:
1726         * dfg/DFGJITCompiler.cpp:
1727         (JSC::DFG::JITCompiler::link):
1728         * dfg/DFGJITCompiler.h:
1729         (JSC::DFG::InRecord::InRecord):
1730         * dfg/DFGSpeculativeJIT.cpp:
1731         (JSC::DFG::SpeculativeJIT::compileIn):
1732         * jit/JITInlineCacheGenerator.cpp:
1733         (JSC::JITByIdGenerator::finalize):
1734         * jit/Repatch.cpp:
1735         (JSC::replaceWithJump):
1736         (JSC::patchJumpToGetByIdStub):
1737         (JSC::tryCachePutByID):
1738         (JSC::tryBuildPutByIdList):
1739         (JSC::tryRepatchIn):
1740         (JSC::resetGetByID):
1741         (JSC::resetPutByID):
1742         (JSC::resetIn):
1743
1744 2013-12-11  Joseph Pecoraro  <pecoraro@apple.com>
1745
1746         Web Inspector: Push More Inspector Required Classes Down into JavaScriptCore
1747         https://bugs.webkit.org/show_bug.cgi?id=125324
1748
1749         Reviewed by Timothy Hatcher.
1750
1751         * CMakeLists.txt:
1752         * GNUmakefile.am:
1753         * GNUmakefile.list.am:
1754         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1755         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1756         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
1757         * JavaScriptCore.vcxproj/copy-files.cmd:
1758         * JavaScriptCore.xcodeproj/project.pbxproj:
1759         * bindings/ScriptFunctionCall.cpp: Renamed from Source/WebCore/bindings/js/ScriptFunctionCall.cpp.
1760         * bindings/ScriptFunctionCall.h: Renamed from Source/WebCore/bindings/js/ScriptFunctionCall.h.
1761         * bindings/ScriptObject.cpp: Copied from Source/WebCore/inspector/WorkerConsoleAgent.cpp.
1762         * bindings/ScriptObject.h: Renamed from Source/WebCore/inspector/InspectorBaseAgent.h.
1763         * bindings/ScriptValue.cpp: Renamed from Source/WebCore/bindings/js/ScriptValue.cpp.
1764         * bindings/ScriptValue.h: Renamed from Source/WebCore/bindings/js/ScriptValue.h.
1765         * inspector/InspectorAgentBase.h: Copied from Source/WebCore/inspector/InspectorAgentRegistry.h.
1766         * inspector/InspectorAgentRegistry.cpp: Renamed from Source/WebCore/inspector/InspectorAgentRegistry.cpp.
1767         * inspector/InspectorBackendDispatcher.h: Renamed from Source/WebCore/inspector/InspectorBackendDispatcher.h.
1768         (Inspector::InspectorSupplementalBackendDispatcher::InspectorSupplementalBackendDispatcher):
1769         (Inspector::InspectorSupplementalBackendDispatcher::~InspectorSupplementalBackendDispatcher):
1770         * inspector/InspectorValues.cpp: Renamed from Source/WebCore/inspector/InspectorValues.cpp.
1771         * inspector/InspectorValues.h: Renamed from Source/WebCore/inspector/InspectorValues.h.
1772
1773 2013-12-11  Laszlo Vidacs  <lac@inf.u-szeged.hu>
1774
1775         Store SHA1 hash in std::array
1776         https://bugs.webkit.org/show_bug.cgi?id=125446
1777
1778         Reviewed by Darin Adler.
1779
1780         Change Vector to std::array and use typedef.
1781
1782         * bytecode/CodeBlockHash.cpp:
1783         (JSC::CodeBlockHash::CodeBlockHash):
1784
1785 2013-12-11  Mark Rowe  <mrowe@apple.com>
1786
1787         <https://webkit.org/b/125141> Modernize the JavaScriptCore API headers
1788         <rdar://problem/15540121>
1789
1790         This consists of three main changes:
1791         1) Converting the return type of initializer methods to instancetype.
1792         2) Declaring properties rather than getters and setters.
1793         3) Tagging C API methods with information about their memory management semantics.
1794
1795         Changing the declarations from getters and setters to properties also required
1796         updating the headerdoc in a number of places.
1797
1798         Reviewed by Anders Carlsson.
1799
1800         * API/JSContext.h:
1801         * API/JSContext.mm:
1802         * API/JSManagedValue.h:
1803         * API/JSManagedValue.mm:
1804         * API/JSStringRefCF.h:
1805         * API/JSValue.h:
1806         * API/JSVirtualMachine.h:
1807         * API/JSVirtualMachine.mm:
1808
1809 2013-12-11  Mark Rowe  <mrowe@apple.com>
1810
1811         <https://webkit.org/b/125559> Move JavaScriptCore off the legacy WebKit availability macros
1812
1813         The legacy WebKit availability macros are verbose, confusing, and provide no benefit over
1814         using the system availability macros directly. The original vision was that they'd serve
1815         a cross-platform purpose but that never came to be.
1816
1817         Map from WebKit version to OS X version based on the mapping in WebKitAvailability.h.
1818         All iOS versions are specified as 7.0 as that is when the JavaScriptCore C API was made
1819         public.
1820
1821         Part of <rdar://problem/15512304>.
1822
1823         Reviewed by Anders Carlsson.
1824
1825         * API/JSBasePrivate.h:
1826         * API/JSContextRef.h:
1827         * API/JSContextRefPrivate.h:
1828         * API/JSObjectRef.h:
1829         * API/JSValueRef.h:
1830
1831 2013-12-10  Filip Pizlo  <fpizlo@apple.com>
1832
1833         Get rid of forward exit on DoubleAsInt32
1834         https://bugs.webkit.org/show_bug.cgi?id=125552
1835
1836         Reviewed by Oliver Hunt.
1837         
1838         The forward exit was just there so that we wouldn't have to keep the inputs alive up to
1839         the DoubleAsInt32. That's dumb. Forward exits are a complicated piece of machinery and
1840         we shouldn't have it just for a bit of liveness micro-optimization.
1841         
1842         Also add a bunch of machinery to test this case on X86.
1843
1844         * assembler/AbstractMacroAssembler.h:
1845         (JSC::optimizeForARMv7s):
1846         (JSC::optimizeForARM64):
1847         (JSC::optimizeForX86):
1848         * dfg/DFGFixupPhase.cpp:
1849         (JSC::DFG::FixupPhase::fixupNode):
1850         * dfg/DFGNodeType.h:
1851         * dfg/DFGSpeculativeJIT.cpp:
1852         (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
1853         * runtime/Options.h:
1854         * tests/stress/double-as-int32.js: Added.
1855         (foo):
1856         (test):
1857
1858 2013-12-10  Filip Pizlo  <fpizlo@apple.com>
1859
1860         Simplify CSE's treatment of NodeRelevantToOSR
1861         https://bugs.webkit.org/show_bug.cgi?id=125538
1862
1863         Reviewed by Oliver Hunt.
1864         
1865         Make the NodeRelevantToOSR thing obvious: if there is any MovHint on a node then the
1866         node is relevant to OSR.
1867
1868         * dfg/DFGCSEPhase.cpp:
1869         (JSC::DFG::CSEPhase::run):
1870         (JSC::DFG::CSEPhase::performNodeCSE):
1871         (JSC::DFG::CSEPhase::performBlockCSE):
1872
1873 2013-12-10  Filip Pizlo  <fpizlo@apple.com>
1874
1875         Get rid of forward exit in GetByVal on Uint32Array
1876         https://bugs.webkit.org/show_bug.cgi?id=125543
1877
1878         Reviewed by Oliver Hunt.
1879
1880         * dfg/DFGSpeculativeJIT.cpp:
1881         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
1882         * ftl/FTLLowerDFGToLLVM.cpp:
1883         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
1884
1885 2013-12-10  Balazs Kilvady  <kilvadyb@homejinni.com>
1886
1887         [MIPS] Redundant instructions in code generated from offlineasm.
1888         https://bugs.webkit.org/show_bug.cgi?id=125528
1889
1890         Reviewed by Michael Saboff.
1891
1892         Optimize lowering of offlineasm BaseIndex Addresses.
1893
1894         * offlineasm/mips.rb:
1895
1896 2013-12-10  Oliver Hunt  <oliver@apple.com>
1897
1898         Reduce the mass templatizing of the JS parser
1899         https://bugs.webkit.org/show_bug.cgi?id=125535
1900
1901         Reviewed by Michael Saboff.
1902
1903         The various caches we have now have removed the need for many of
1904         the template vs. regular parameters.  This patch converts those
1905         template parameters to regular parameters and updates the call
1906         sites.  This reduces the code size of the parser by around 15%.
1907
1908         * parser/ASTBuilder.h:
1909         (JSC::ASTBuilder::createGetterOrSetterProperty):
1910         (JSC::ASTBuilder::createProperty):
1911         * parser/Parser.cpp:
1912         (JSC::::parseInner):
1913         (JSC::::parseSourceElements):
1914         (JSC::::parseVarDeclarationList):
1915         (JSC::::createBindingPattern):
1916         (JSC::::tryParseDeconstructionPatternExpression):
1917         (JSC::::parseDeconstructionPattern):
1918         (JSC::::parseSwitchClauses):
1919         (JSC::::parseSwitchDefaultClause):
1920         (JSC::::parseBlockStatement):
1921         (JSC::::parseFormalParameters):
1922         (JSC::::parseFunctionInfo):
1923         (JSC::::parseFunctionDeclaration):
1924         (JSC::::parseProperty):
1925         (JSC::::parseObjectLiteral):
1926         (JSC::::parseStrictObjectLiteral):
1927         (JSC::::parseMemberExpression):
1928         * parser/Parser.h:
1929         * parser/SyntaxChecker.h:
1930         (JSC::SyntaxChecker::createProperty):
1931         (JSC::SyntaxChecker::createGetterOrSetterProperty):
1932
1933 2013-12-10  Mark Hahnenberg  <mhahnenberg@apple.com>
1934
1935         ASSERT !heap.vm()->isInitializingObject() when finishing DFG compilation at beginning of GC
1936         https://bugs.webkit.org/show_bug.cgi?id=125472
1937
1938         Reviewed by Geoff Garen.
1939
1940         This patch makes it look like it's okay to allocate so that the DFG plan finalization stuff 
1941         can do what it needs to do. We already expected that we might do allocation during plan 
1942         finalization and we increased the deferral depth to handle this, but we need to fix this other 
1943         ASSERT stuff too.
1944
1945         * GNUmakefile.list.am:
1946         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1947         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1948         * JavaScriptCore.xcodeproj/project.pbxproj:
1949         * heap/Heap.cpp:
1950         (JSC::Heap::collect):
1951         * heap/Heap.h:
1952         * heap/RecursiveAllocationScope.h: Added.
1953         (JSC::RecursiveAllocationScope::RecursiveAllocationScope):
1954         (JSC::RecursiveAllocationScope::~RecursiveAllocationScope):
1955         * runtime/VM.h:
1956
1957 2013-12-09  Filip Pizlo  <fpizlo@apple.com>
1958
1959         Impose and enforce some basic rules of sanity for where Phi functions are allowed to occur and where their (optional) corresponding MovHints can be
1960         https://bugs.webkit.org/show_bug.cgi?id=125480
1961
1962         Reviewed by Geoffrey Garen.
1963         
1964         Previously, if you wanted to insert some speculation right after where a value was
1965         produced, you'd get super confused if that value was produced by a Phi node.  You can't
1966         necessarily insert speculations after a Phi node because Phi nodes appear in this
1967         special sequence of Phis and MovHints that establish the OSR exit state for a block.
1968         So, you'd probably want to search for the next place where it's safe to insert things.
1969         We already do this "search for beginning of next bytecode instruction" search by
1970         looking at the next node that has a different CodeOrigin.  But this would be hard for a
1971         Phi because those Phis and MovHints have basically random CodeOrigins and they can all
1972         have different CodeOrigins.
1973
1974         This change imposes some sanity for this situation:
1975
1976         - Phis must have unset CodeOrigins.
1977
1978         - In each basic block, all nodes that have unset CodeOrigins must come before all nodes
1979           that have set CodeOrigins.
1980
1981         This all ends up working out just great because prior to this change we didn't have a 
1982         use for unset CodeOrigins.  I think it's appropriate to make "unset CodeOrigin" mean
1983         that we're in the prologue of a basic block.
1984
1985         It's interesting what this means for block merging, which we don't yet do in SSA.
1986         Consider merging the edge A->B.  One possibility is that the block merger is now
1987         required to clean up Phi/Upsilons, and reascribe the MovHints to have the CodeOrigin of
1988         A's block terminal.  But an answer that might be better is that the originless
1989         nodes at the top of B are just given the origin of the terminal and we keep the
1990         Phis.  That would require changing the above rules.  We'll see how it goes, and what we
1991         end up picking...
1992
1993         Overall, this special-things-at-the-top rule is analogous to what other SSA-based
1994         compilers do.  For example, LLVM has rules mandating that Phis appear at the top of a
1995         block.
1996
1997         * bytecode/CodeOrigin.cpp:
1998         (JSC::CodeOrigin::dump):
1999         * dfg/DFGOSRExitBase.h:
2000         (JSC::DFG::OSRExitBase::OSRExitBase):
2001         * dfg/DFGSSAConversionPhase.cpp:
2002         (JSC::DFG::SSAConversionPhase::run):
2003         * dfg/DFGValidate.cpp:
2004         (JSC::DFG::Validate::validate):
2005         (JSC::DFG::Validate::validateSSA):
2006
2007 2013-12-08  Filip Pizlo  <fpizlo@apple.com>
2008
2009         Reveal array bounds checks in DFG IR
2010         https://bugs.webkit.org/show_bug.cgi?id=125253
2011
2012         Reviewed by Oliver Hunt and Mark Hahnenberg.
2013         
2014         In SSA mode, this reveals array bounds checks and the load of array length in DFG IR,
2015         making this a candidate for LICM.
2016
2017         This also fixes a long-standing performance bug where the JSObject slow paths would
2018         always create contiguous storage, rather than type-specialized storage, when doing a
2019         "storage creating" storage, like:
2020         
2021             var o = {};
2022             o[0] = 42;
2023
2024         * CMakeLists.txt:
2025         * GNUmakefile.list.am:
2026         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2027         * JavaScriptCore.xcodeproj/project.pbxproj:
2028         * bytecode/ExitKind.cpp:
2029         (JSC::exitKindToString):
2030         (JSC::exitKindIsCountable):
2031         * bytecode/ExitKind.h:
2032         * dfg/DFGAbstractInterpreterInlines.h:
2033         (JSC::DFG::::executeEffects):
2034         * dfg/DFGArrayMode.cpp:
2035         (JSC::DFG::permitsBoundsCheckLowering):
2036         (JSC::DFG::ArrayMode::permitsBoundsCheckLowering):
2037         * dfg/DFGArrayMode.h:
2038         (JSC::DFG::ArrayMode::lengthNeedsStorage):
2039         * dfg/DFGClobberize.h:
2040         (JSC::DFG::clobberize):
2041         * dfg/DFGConstantFoldingPhase.cpp:
2042         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2043         * dfg/DFGFixupPhase.cpp:
2044         (JSC::DFG::FixupPhase::fixupNode):
2045         * dfg/DFGNodeType.h:
2046         * dfg/DFGPlan.cpp:
2047         (JSC::DFG::Plan::compileInThreadImpl):
2048         * dfg/DFGPredictionPropagationPhase.cpp:
2049         (JSC::DFG::PredictionPropagationPhase::propagate):
2050         * dfg/DFGSSALoweringPhase.cpp: Added.
2051         (JSC::DFG::SSALoweringPhase::SSALoweringPhase):
2052         (JSC::DFG::SSALoweringPhase::run):
2053         (JSC::DFG::SSALoweringPhase::handleNode):
2054         (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
2055         (JSC::DFG::performSSALowering):
2056         * dfg/DFGSSALoweringPhase.h: Added.
2057         * dfg/DFGSafeToExecute.h:
2058         (JSC::DFG::safeToExecute):
2059         * dfg/DFGSpeculativeJIT.cpp:
2060         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
2061         * dfg/DFGSpeculativeJIT32_64.cpp:
2062         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
2063         (JSC::DFG::SpeculativeJIT::compile):
2064         * dfg/DFGSpeculativeJIT64.cpp:
2065         (JSC::DFG::SpeculativeJIT::compile):
2066         * ftl/FTLCapabilities.cpp:
2067         (JSC::FTL::canCompile):
2068         * ftl/FTLLowerDFGToLLVM.cpp:
2069         (JSC::FTL::LowerDFGToLLVM::compileNode):
2070         (JSC::FTL::LowerDFGToLLVM::compileCheckInBounds):
2071         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2072         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2073         (JSC::FTL::LowerDFGToLLVM::contiguousPutByValOutOfBounds):
2074         * runtime/JSObject.cpp:
2075         (JSC::JSObject::convertUndecidedForValue):
2076         (JSC::JSObject::createInitialForValueAndSet):
2077         (JSC::JSObject::putByIndexBeyondVectorLength):
2078         (JSC::JSObject::putDirectIndexBeyondVectorLength):
2079         * runtime/JSObject.h:
2080         * tests/stress/float32array-out-of-bounds.js: Added.
2081         (make):
2082         (foo):
2083         (test):
2084         * tests/stress/int32-object-out-of-bounds.js: Added.
2085         (make):
2086         (foo):
2087         (test):
2088         * tests/stress/int32-out-of-bounds.js: Added.
2089         (foo):
2090         (test):
2091
2092 2013-12-09  Sam Weinig  <sam@webkit.org>
2093
2094         Replace use of WTF::FixedArray with std::array
2095         https://bugs.webkit.org/show_bug.cgi?id=125475
2096
2097         Reviewed by Anders Carlsson.
2098
2099         * bytecode/CodeBlockHash.cpp:
2100         (JSC::CodeBlockHash::dump):
2101         * bytecode/Opcode.cpp:
2102         (JSC::OpcodeStats::~OpcodeStats):
2103         * dfg/DFGCSEPhase.cpp:
2104         * ftl/FTLAbstractHeap.h:
2105         * heap/MarkedSpace.h:
2106         * parser/ParserArena.h:
2107         * runtime/CodeCache.h:
2108         * runtime/DateInstanceCache.h:
2109         * runtime/JSGlobalObject.cpp:
2110         (JSC::JSGlobalObject::reset):
2111         * runtime/JSGlobalObject.h:
2112         * runtime/JSString.h:
2113         * runtime/LiteralParser.h:
2114         * runtime/NumericStrings.h:
2115         * runtime/RegExpCache.h:
2116         * runtime/SmallStrings.h:
2117
2118 2013-12-09  Joseph Pecoraro  <pecoraro@apple.com>
2119
2120         Remove miscellaneous unnecessary build statements
2121         https://bugs.webkit.org/show_bug.cgi?id=125466
2122
2123         Reviewed by Darin Adler.
2124
2125         * DerivedSources.make:
2126         * JavaScriptCore.vcxproj/build-generated-files.sh:
2127         * JavaScriptCore.xcodeproj/project.pbxproj:
2128         * make-generated-sources.sh:
2129
2130 2013-12-08  Filip Pizlo  <fpizlo@apple.com>
2131
2132         CSE should work in SSA
2133         https://bugs.webkit.org/show_bug.cgi?id=125430
2134
2135         Reviewed by Oliver Hunt and Mark Hahnenberg.
2136
2137         * dfg/DFGCSEPhase.cpp:
2138         (JSC::DFG::CSEPhase::run):
2139         (JSC::DFG::CSEPhase::performNodeCSE):
2140         * dfg/DFGPlan.cpp:
2141         (JSC::DFG::Plan::compileInThreadImpl):
2142
2143 2013-12-09  Joseph Pecoraro  <pecoraro@apple.com>
2144
2145         Remove docs/make-bytecode-docs.pl
2146         https://bugs.webkit.org/show_bug.cgi?id=125462
2147
2148         This script is very old and no longer outputs useful data since the
2149         op code definitions have moved from Interpreter.cpp.
2150
2151         Reviewed by Darin Adler.
2152
2153         * DerivedSources.make:
2154         * docs/make-bytecode-docs.pl: Removed.
2155
2156 2013-12-09  Julien Brianceau  <jbriance@cisco.com>
2157
2158         Fix sh4 LLINT build.
2159         https://bugs.webkit.org/show_bug.cgi?id=125454
2160
2161         Reviewed by Michael Saboff.
2162
2163         In LLINT, sh4 backend implementation didn't handle properly conditional jumps using
2164         a LabelReference instance. This patch fixes it through sh4LowerMisplacedLabels phase.
2165         Also, to avoid the need of a 4th temporary gpr, this phase is triggered later in
2166         getModifiedListSH4.
2167
2168         * offlineasm/sh4.rb:
2169
2170 2013-12-08  Filip Pizlo  <fpizlo@apple.com>
2171
2172         Add the notion of ConstantStoragePointer to DFG IR
2173         https://bugs.webkit.org/show_bug.cgi?id=125395
2174
2175         Reviewed by Oliver Hunt.
2176         
2177         This pushes more typed array folding into StrengthReductionPhase, and enables CSE on
2178         storage pointers. Previously, you might have separate nodes for the same storage
2179         pointer and this would cause some bad register pressure in the DFG. Note that this
2180         was really a theoretical problem and not, to my knowledge a practical one - so this
2181         patch is basically just a clean-up.
2182
2183         * dfg/DFGAbstractInterpreterInlines.h:
2184         (JSC::DFG::::executeEffects):
2185         * dfg/DFGCSEPhase.cpp:
2186         (JSC::DFG::CSEPhase::constantStoragePointerCSE):
2187         (JSC::DFG::CSEPhase::performNodeCSE):
2188         * dfg/DFGClobberize.h:
2189         (JSC::DFG::clobberize):
2190         * dfg/DFGFixupPhase.cpp:
2191         (JSC::DFG::FixupPhase::fixupNode):
2192         * dfg/DFGGraph.cpp:
2193         (JSC::DFG::Graph::dump):
2194         * dfg/DFGNode.h:
2195         (JSC::DFG::Node::convertToConstantStoragePointer):
2196         (JSC::DFG::Node::hasStoragePointer):
2197         (JSC::DFG::Node::storagePointer):
2198         * dfg/DFGNodeType.h:
2199         * dfg/DFGPredictionPropagationPhase.cpp:
2200         (JSC::DFG::PredictionPropagationPhase::propagate):
2201         * dfg/DFGSafeToExecute.h:
2202         (JSC::DFG::safeToExecute):
2203         * dfg/DFGSpeculativeJIT.cpp:
2204         (JSC::DFG::SpeculativeJIT::compileConstantStoragePointer):
2205         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
2206         * dfg/DFGSpeculativeJIT.h:
2207         * dfg/DFGSpeculativeJIT32_64.cpp:
2208         (JSC::DFG::SpeculativeJIT::compile):
2209         * dfg/DFGSpeculativeJIT64.cpp:
2210         (JSC::DFG::SpeculativeJIT::compile):
2211         * dfg/DFGStrengthReductionPhase.cpp:
2212         (JSC::DFG::StrengthReductionPhase::handleNode):
2213         (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant):
2214         (JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray):
2215         * dfg/DFGWatchpointCollectionPhase.cpp:
2216         (JSC::DFG::WatchpointCollectionPhase::handle):
2217         * ftl/FTLLowerDFGToLLVM.cpp:
2218         (JSC::FTL::LowerDFGToLLVM::compileNode):
2219         (JSC::FTL::LowerDFGToLLVM::compileConstantStoragePointer):
2220         (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
2221
2222 2013-12-08  Filip Pizlo  <fpizlo@apple.com>
2223
2224         FTL should support UntypedUse versions of Compare nodes
2225         https://bugs.webkit.org/show_bug.cgi?id=125426
2226
2227         Reviewed by Oliver Hunt.
2228         
2229         This adds UntypedUse versions of all comparisons except CompareStrictEq, which is
2230         sufficiently different that I thought I'd do it in another patch.
2231         
2232         This also extends our ability to abstract over comparison kind and removes a bunch of
2233         copy-paste code.
2234
2235         * dfg/DFGSpeculativeJIT64.cpp:
2236         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
2237         * ftl/FTLCapabilities.cpp:
2238         (JSC::FTL::canCompile):
2239         * ftl/FTLIntrinsicRepository.h:
2240         * ftl/FTLLowerDFGToLLVM.cpp:
2241         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
2242         (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
2243         (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
2244         (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
2245         (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
2246         (JSC::FTL::LowerDFGToLLVM::compare):
2247         (JSC::FTL::LowerDFGToLLVM::nonSpeculativeCompare):
2248         * ftl/FTLOutput.h:
2249         (JSC::FTL::Output::icmp):
2250         (JSC::FTL::Output::equal):
2251         (JSC::FTL::Output::notEqual):
2252         (JSC::FTL::Output::above):
2253         (JSC::FTL::Output::aboveOrEqual):
2254         (JSC::FTL::Output::below):
2255         (JSC::FTL::Output::belowOrEqual):
2256         (JSC::FTL::Output::greaterThan):
2257         (JSC::FTL::Output::greaterThanOrEqual):
2258         (JSC::FTL::Output::lessThan):
2259         (JSC::FTL::Output::lessThanOrEqual):
2260         (JSC::FTL::Output::fcmp):
2261         (JSC::FTL::Output::doubleEqual):
2262         (JSC::FTL::Output::doubleNotEqualOrUnordered):
2263         (JSC::FTL::Output::doubleLessThan):
2264         (JSC::FTL::Output::doubleLessThanOrEqual):
2265         (JSC::FTL::Output::doubleGreaterThan):
2266         (JSC::FTL::Output::doubleGreaterThanOrEqual):
2267         (JSC::FTL::Output::doubleEqualOrUnordered):
2268         (JSC::FTL::Output::doubleNotEqual):
2269         (JSC::FTL::Output::doubleLessThanOrUnordered):
2270         (JSC::FTL::Output::doubleLessThanOrEqualOrUnordered):
2271         (JSC::FTL::Output::doubleGreaterThanOrUnordered):
2272         (JSC::FTL::Output::doubleGreaterThanOrEqualOrUnordered):
2273         * tests/stress/untyped-equality.js: Added.
2274         (foo):
2275         * tests/stress/untyped-less-than.js: Added.
2276         (foo):
2277
2278 2013-12-07  Filip Pizlo  <fpizlo@apple.com>
2279
2280         Fold typedArray.length if typedArray is constant
2281         https://bugs.webkit.org/show_bug.cgi?id=125252
2282
2283         Reviewed by Sam Weinig.
2284         
2285         This was meant to be easy. The problem is that there was no good place for putting
2286         the folding of typedArray.length to a constant. You can't quite do it in the
2287         bytecode parser because at that point you don't yet know if typedArray is really
2288         a typed array. You can't do it as part of constant folding because the folder
2289         assumes that it can opportunistically forward-flow a constant value without changing
2290         the IR; this doesn't work since we need to first change the IR to register a
2291         desired watchpoint and only after that can we introduce that constant. We could have
2292         done it in Fixup but that would have been awkward since Fixup's code for turning a
2293         GetById of "length" into GetArrayLength is already somewhat complex. We could have
2294         done it in CSE but CSE is already fairly gnarly and will probably get rewritten.
2295         
2296         So I introduced a new phase, called StrengthReduction. This phase should have any
2297         transformations that don't require CFA or CSE and that it would be weird to put into
2298         those other phases.
2299         
2300         I also took the opportunity to refactor some of the other folding code.
2301         
2302         This also adds a test, but the test couldn't quite be a LayoutTests/js/regress so I
2303         introduced the notion of JavaScriptCore/tests/stress.
2304         
2305         The goal of this patch isn't really to improve performance or anything like that.
2306         It adds an optimization for completeness, and in doing so it unlocks a bunch of new
2307         possibilities. The one that I'm most excited about is revealing array length checks
2308         in DFG IR, which will allow for array bounds check hoisting and elimination.
2309
2310         * CMakeLists.txt:
2311         * GNUmakefile.list.am:
2312         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2313         * JavaScriptCore.xcodeproj/project.pbxproj:
2314         * dfg/DFGAbstractInterpreterInlines.h:
2315         (JSC::DFG::::executeEffects):
2316         * dfg/DFGClobberize.h:
2317         (JSC::DFG::clobberize):
2318         * dfg/DFGFixupPhase.cpp:
2319         (JSC::DFG::FixupPhase::fixupNode):
2320         * dfg/DFGGraph.cpp:
2321         (JSC::DFG::Graph::tryGetFoldableView):
2322         (JSC::DFG::Graph::tryGetFoldableViewForChild1):
2323         * dfg/DFGGraph.h:
2324         * dfg/DFGNode.h:
2325         (JSC::DFG::Node::hasTypedArray):
2326         (JSC::DFG::Node::typedArray):
2327         * dfg/DFGNodeType.h:
2328         * dfg/DFGPlan.cpp:
2329         (JSC::DFG::Plan::compileInThreadImpl):
2330         * dfg/DFGPredictionPropagationPhase.cpp:
2331         (JSC::DFG::PredictionPropagationPhase::propagate):
2332         * dfg/DFGSafeToExecute.h:
2333         (JSC::DFG::safeToExecute):
2334         * dfg/DFGSpeculativeJIT.cpp:
2335         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
2336         (JSC::DFG::SpeculativeJIT::compileConstantIndexedPropertyStorage):
2337         * dfg/DFGSpeculativeJIT32_64.cpp:
2338         (JSC::DFG::SpeculativeJIT::compile):
2339         * dfg/DFGSpeculativeJIT64.cpp:
2340         (JSC::DFG::SpeculativeJIT::compile):
2341         * dfg/DFGStrengthReductionPhase.cpp: Added.
2342         (JSC::DFG::StrengthReductionPhase::StrengthReductionPhase):
2343         (JSC::DFG::StrengthReductionPhase::run):
2344         (JSC::DFG::StrengthReductionPhase::handleNode):
2345         (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant):
2346         (JSC::DFG::performStrengthReduction):
2347         * dfg/DFGStrengthReductionPhase.h: Added.
2348         * dfg/DFGWatchpointCollectionPhase.cpp:
2349         (JSC::DFG::WatchpointCollectionPhase::handle):
2350         * ftl/FTLCapabilities.cpp:
2351         (JSC::FTL::canCompile):
2352         * ftl/FTLLowerDFGToLLVM.cpp:
2353         (JSC::FTL::LowerDFGToLLVM::compileNode):
2354         (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
2355         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2356         (JSC::FTL::LowerDFGToLLVM::typedArrayLength):
2357         * jsc.cpp:
2358         (GlobalObject::finishCreation):
2359         (functionTransferArrayBuffer):
2360         * runtime/ArrayBufferView.h:
2361         * tests/stress: Added.
2362         * tests/stress/fold-typed-array-properties.js: Added.
2363         (foo):
2364
2365 2013-12-07  peavo@outlook.com  <peavo@outlook.com>
2366
2367         [Win][64-bit] Hitting breakpoint assembler instruction in callToJavaScript.
2368         https://bugs.webkit.org/show_bug.cgi?id=125382
2369
2370         Reviewed by Michael Saboff.
2371
2372         The WinCairo results from run-javascriptcore-tests are the same as the WinCairo 32-bits results, when removing these breakpoints.
2373
2374         * jit/JITStubsMSVC64.asm: Remove breakpoint instructions.
2375
2376 2013-12-06  Filip Pizlo  <fpizlo@apple.com>
2377
2378         FTL should support all of Branch/LogicalNot
2379         https://bugs.webkit.org/show_bug.cgi?id=125370
2380
2381         Reviewed by Mark Hahnenberg.
2382
2383         * ftl/FTLCapabilities.cpp:
2384         (JSC::FTL::canCompile):
2385         * ftl/FTLIntrinsicRepository.h:
2386         * ftl/FTLLowerDFGToLLVM.cpp:
2387         (JSC::FTL::LowerDFGToLLVM::boolify):
2388
2389 2013-12-06  Roger Fong <roger_fong@apple.com> and Brent Fulgham  <bfulgham@apple.com>
2390
2391         [Win] Support compiling with VS2013
2392         https://bugs.webkit.org/show_bug.cgi?id=125353
2393
2394         Reviewed by Anders Carlsson.
2395
2396         * API/tests/testapi.c: Use C99 defines if available.
2397         * jit/JITOperations.cpp: Don't attempt to define C linkage when
2398         returning a C++ object.
2399
2400 2013-12-06  Filip Pizlo  <fpizlo@apple.com>
2401
2402         FTL should support generic ByVal accesses
2403         https://bugs.webkit.org/show_bug.cgi?id=125368
2404
2405         Reviewed by Mark Hahnenberg.
2406
2407         * dfg/DFGGraph.h:
2408         (JSC::DFG::Graph::isStrictModeFor):
2409         (JSC::DFG::Graph::ecmaModeFor):
2410         * ftl/FTLCapabilities.cpp:
2411         (JSC::FTL::canCompile):
2412         * ftl/FTLIntrinsicRepository.h:
2413         * ftl/FTLLowerDFGToLLVM.cpp:
2414         (JSC::FTL::LowerDFGToLLVM::compileNode):
2415         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2416         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2417
2418 2013-12-06  Filip Pizlo  <fpizlo@apple.com>
2419
2420         FTL should support hole/OOB array accesses
2421         https://bugs.webkit.org/show_bug.cgi?id=118077
2422
2423         Reviewed by Oliver Hunt and Mark Hahnenberg.
2424
2425         * ftl/FTLCapabilities.cpp:
2426         (JSC::FTL::canCompile):
2427         * ftl/FTLIntrinsicRepository.h:
2428         * ftl/FTLLowerDFGToLLVM.cpp:
2429         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2430         (JSC::FTL::LowerDFGToLLVM::baseIndex):
2431
2432 2013-12-06  Michael Saboff  <msaboff@apple.com>
2433
2434         Split sizing of VarArgs frames from loading arguments for the frame
2435         https://bugs.webkit.org/show_bug.cgi?id=125331
2436
2437         Reviewed by Filip Pizlo.
2438
2439         Split loadVarargs into sizeAndAllocFrameForVarargs() and loadVarargs() in
2440         preparation for moving onto the C stack.  sizeAndAllocFrameForVarargs() will
2441         compute the size of the callee frame and allocate it, while loadVarargs()
2442         actually loads the argument values.
2443
2444         As part of moving onto the C stack, sizeAndAllocFrameForVarargs() will be
2445         changed to a function that just computes the size.  The caller will use that
2446         size to allocate the new frame on the stack before calling loadVarargs() and
2447         actually making the call.
2448
2449         * interpreter/Interpreter.cpp:
2450         (JSC::sizeAndAllocFrameForVarargs):
2451         (JSC::loadVarargs):
2452         * interpreter/Interpreter.h:
2453         * jit/JIT.h:
2454         * jit/JITCall.cpp:
2455         (JSC::JIT::compileLoadVarargs):
2456         * jit/JITCall32_64.cpp:
2457         (JSC::JIT::compileLoadVarargs):
2458         * jit/JITInlines.h:
2459         (JSC::JIT::callOperation):
2460         * jit/JITOperations.cpp:
2461         * jit/JITOperations.h:
2462         * llint/LLIntSlowPaths.cpp:
2463         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2464         * llint/LLIntSlowPaths.h:
2465         * llint/LowLevelInterpreter.asm:
2466         * llint/LowLevelInterpreter32_64.asm:
2467         * llint/LowLevelInterpreter64.asm:
2468         * runtime/VM.h:
2469
2470 2013-12-06  Filip Pizlo  <fpizlo@apple.com>
2471
2472         FTL should support all of ValueToInt32
2473         https://bugs.webkit.org/show_bug.cgi?id=125283
2474
2475         Reviewed by Mark Hahnenberg.
2476
2477         * ftl/FTLCapabilities.cpp:
2478         (JSC::FTL::canCompile):
2479         * ftl/FTLLowerDFGToLLVM.cpp:
2480         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
2481         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2482         (JSC::FTL::LowerDFGToLLVM::lowCell):
2483         (JSC::FTL::LowerDFGToLLVM::isCell):
2484
2485 2013-12-06  Filip Pizlo  <fpizlo@apple.com>
2486
2487         FTL shouldn't have a doubleToUInt32 path
2488         https://bugs.webkit.org/show_bug.cgi?id=125360
2489
2490         Reviewed by Mark Hahnenberg.
2491         
2492         This code existed because I incorrectly thought it was necessary. It's now basically
2493         dead.
2494
2495         * ftl/FTLLowerDFGToLLVM.cpp:
2496         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2497
2498 2013-12-06  Laszlo Vidacs  <lac@inf.u-szeged.hu>
2499
2500         Define SHA1 hash size in SHA1.h and use it at various places.
2501         https://bugs.webkit.org/show_bug.cgi?id=125345
2502
2503         Reviewed by Darin Adler.
2504
2505         Use SHA1::hashSize instead of local variables.
2506
2507         * bytecode/CodeBlockHash.cpp:
2508         (JSC::CodeBlockHash::CodeBlockHash): use SHA1::hashSize
2509
2510 2013-12-05  Michael Saboff  <msaboff@apple.com>
2511
2512         REGRESSION(r160213): Crash in js/dom/JSON-parse.html
2513         https://bugs.webkit.org/show_bug.cgi?id=125335
2514
2515         Reviewed by Mark Lam.
2516
2517         Changed _llint_op_catch to materialize the VM via the scope chain instead of 
2518         the CodeBlock.  CallFrames always have a scope chain, but may have a null CodeBlock.
2519
2520         * llint/LowLevelInterpreter32_64.asm:
2521         (_llint_op_catch):
2522         * llint/LowLevelInterpreter64.asm:
2523         (_llint_op_catch):
2524
2525 2013-12-05  Michael Saboff  <msaboff@apple.com>
2526
2527         JSC: Simplify interface between throw and catch handler
2528         https://bugs.webkit.org/show_bug.cgi?id=125328
2529
2530         Reviewed by Geoffrey Garen.
2531
2532         Simplified the throw - catch interface.  The throw side is only responsible for
2533         jumping to the appropriate op_catch handler or returnFromJavaScript for uncaught
2534         exceptions.  The handler uses the exception values like VM.callFrameForThrow
2535         as appropriate and no longer relies on the throw side putting anything in
2536         registers.
2537
2538         * jit/CCallHelpers.h:
2539         (JSC::CCallHelpers::jumpToExceptionHandler):
2540         * jit/JITOpcodes.cpp:
2541         (JSC::JIT::emit_op_catch):
2542         * jit/JITOpcodes32_64.cpp:
2543         (JSC::JIT::emit_op_catch):
2544         * llint/LowLevelInterpreter32_64.asm:
2545         (_llint_op_catch):
2546         (_llint_throw_from_slow_path_trampoline):
2547         * llint/LowLevelInterpreter64.asm:
2548         (_llint_op_catch):
2549         (_llint_throw_from_slow_path_trampoline):
2550
2551 2013-12-04  Oliver Hunt  <oliver@apple.com>
2552
2553         Refactor static getter function prototype to include thisValue in addition to the base object
2554         https://bugs.webkit.org/show_bug.cgi?id=124461
2555
2556         Reviewed by Geoffrey Garen.
2557
2558         Add thisValue parameter to static getter prototype, and switch
2559         from JSValue to EncodedJSValue for parameters and return value.
2560
2561         Currently none of the static getters use the thisValue, but
2562         separating out the refactoring will prevent future changes
2563         from getting lost in the noise of refactoring.  This means
2564         that this patch does not result in any change in behaviour.
2565
2566         * API/JSCallbackObject.h:
2567         * API/JSCallbackObjectFunctions.h:
2568         (JSC::::asCallbackObject):
2569         (JSC::::staticFunctionGetter):
2570         (JSC::::callbackGetter):
2571         * jit/JITOperations.cpp:
2572         * runtime/JSActivation.cpp:
2573         (JSC::JSActivation::argumentsGetter):
2574         * runtime/JSActivation.h:
2575         * runtime/JSFunction.cpp:
2576         (JSC::JSFunction::argumentsGetter):
2577         (JSC::JSFunction::callerGetter):
2578         (JSC::JSFunction::lengthGetter):
2579         (JSC::JSFunction::nameGetter):
2580         * runtime/JSFunction.h:
2581         * runtime/JSObject.h:
2582         (JSC::PropertySlot::getValue):
2583         * runtime/NumberConstructor.cpp:
2584         (JSC::numberConstructorNaNValue):
2585         (JSC::numberConstructorNegInfinity):
2586         (JSC::numberConstructorPosInfinity):
2587         (JSC::numberConstructorMaxValue):
2588         (JSC::numberConstructorMinValue):
2589         * runtime/PropertySlot.h:
2590         * runtime/RegExpConstructor.cpp:
2591         (JSC::asRegExpConstructor):
2592         (JSC::regExpConstructorDollar1):
2593         (JSC::regExpConstructorDollar2):
2594         (JSC::regExpConstructorDollar3):
2595         (JSC::regExpConstructorDollar4):
2596         (JSC::regExpConstructorDollar5):
2597         (JSC::regExpConstructorDollar6):
2598         (JSC::regExpConstructorDollar7):
2599         (JSC::regExpConstructorDollar8):
2600         (JSC::regExpConstructorDollar9):
2601         (JSC::regExpConstructorInput):
2602         (JSC::regExpConstructorMultiline):
2603         (JSC::regExpConstructorLastMatch):
2604         (JSC::regExpConstructorLastParen):
2605         (JSC::regExpConstructorLeftContext):
2606         (JSC::regExpConstructorRightContext):
2607         * runtime/RegExpObject.cpp:
2608         (JSC::asRegExpObject):
2609         (JSC::regExpObjectGlobal):
2610         (JSC::regExpObjectIgnoreCase):
2611         (JSC::regExpObjectMultiline):
2612         (JSC::regExpObjectSource):
2613
2614 2013-12-04  Filip Pizlo  <fpizlo@apple.com>
2615
2616         FTL should use cvttsd2si directly for double-to-int32 conversions
2617         https://bugs.webkit.org/show_bug.cgi?id=125275
2618
2619         Reviewed by Michael Saboff.
2620         
2621         Wow. This was an ordeal. Using cvttsd2si was actually easy, but I learned, and
2622         sometimes even fixed, some interesting things:
2623         
2624         - The llvm.x86.sse2.cvttsd2si intrinsic can actually result in LLVM emitting a
2625           vcvttsd2si. I guess the intrinsic doesn't actually imply the instruction.
2626         
2627         - That whole thing about branchTruncateDoubleToUint32? Yeah we don't need that. It's
2628           better to use branchTruncateDoubleToInt32 instead. It has the right semantics for
2629           all of its callers (err, its one-and-only caller), and it's more likely to take
2630           fast path. This patch kills branchTruncateDoubleToUint32.
2631         
2632         - "a[i] = v; v = a[i]". Does this change v? OK, assume that 'a[i]' is a pure-ish
2633           operation - like an array access with 'i' being an integer index and we're not
2634           having a bad time. Now does this change v? CSE assumes that it doesn't. That's
2635           wrong. If 'a' is a typed array - the most sensible and pure kind of array - then
2636           this can be a truncating cast. For example 'v' could be a double and 'a' could be
2637           an integer array.
2638         
2639         - "v1 = a[i]; v2 = a[i]". Is v1 === v2 assuming that 'a[i]' is pure-ish? The answer
2640           is no. You could have a different arrayMode in each access. I know this sounds
2641           weird, but with concurrent JIT that might happen.
2642         
2643         This patch adds tests for all of this stuff, except for the first issue (it's weird
2644         but probably doesn't matter) and the last issue (it's too much of a freakshow).
2645
2646         * assembler/MacroAssemblerARM64.h:
2647         * assembler/MacroAssemblerARMv7.h:
2648         * assembler/MacroAssemblerX86Common.h:
2649         * dfg/DFGCSEPhase.cpp:
2650         (JSC::DFG::CSEPhase::getByValLoadElimination):
2651         (JSC::DFG::CSEPhase::performNodeCSE):
2652         * dfg/DFGSpeculativeJIT.cpp:
2653         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
2654         * ftl/FTLAbbreviations.h:
2655         (JSC::FTL::vectorType):
2656         (JSC::FTL::getUndef):
2657         (JSC::FTL::buildInsertElement):
2658         * ftl/FTLIntrinsicRepository.h:
2659         * ftl/FTLLowerDFGToLLVM.cpp:
2660         (JSC::FTL::LowerDFGToLLVM::doubleToInt32):
2661         (JSC::FTL::LowerDFGToLLVM::doubleToUInt32):
2662         (JSC::FTL::LowerDFGToLLVM::sensibleDoubleToInt32):
2663         * ftl/FTLOutput.h:
2664         (JSC::FTL::Output::insertElement):
2665         (JSC::FTL::Output::hasSensibleDoubleToInt):
2666         (JSC::FTL::Output::sensibleDoubleToInt):
2667
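The "a[i] = v; v = a[i]" point in the entry above, shown as an added JavaScript example. This is not code from the WebKit ChangeLog or from JavaScriptCore; the helper names (storeThenLoad, forwardingIsSound, unsoundForwardingCases) are mine. It enumerates the cases in which a load-after-store CSE that forwards the stored value would miscompile: integer typed arrays apply a truncating or wrapping conversion, Float32Array rounds to single precision, and an out-of-bounds typed-array store is silently dropped so the reload yields undefined. A plain Array (with no prototype setters, i.e. "not having a bad time") is the sound case for comparison.

```javascript
// Added example, not JavaScriptCore's own code. Demonstrates why "a[i] = v; v = a[i]"
// can change v for typed arrays, so a compiler must not forward the stored value
// to the reload (the DFG CSE assumption the entry above corrects).

// Store `value` at `index`, then reload it. A naive load-after-store CSE would
// assume the reload equals `value` and delete the load entirely.
function storeThenLoad(array, index, value) {
  array[index] = value;
  return array[index];
}

// True only when forwarding the stored value to the reload would have been correct.
// Object.is is used so that NaN compares equal to NaN and -0 differs from +0.
function forwardingIsSound(array, index, value) {
  return Object.is(storeThenLoad(array, index, value), value);
}

// Constructed cases where the reload differs from the stored value. Each result
// records the value that was stored and what the reload actually produced.
function unsoundForwardingCases() {
  const cases = [
    // Integer typed arrays apply ToInt32 / ToUint8 conversion: a truncating cast.
    ["Int32Array truncates the fraction", new Int32Array(4), 0, 1.5],
    ["Uint8Array wraps modulo 256", new Uint8Array(4), 0, 300],
    ["Uint8ClampedArray clamps to 255", new Uint8ClampedArray(4), 0, 300],
    ["Int32Array turns NaN into 0", new Int32Array(4), 0, NaN],
    // Float32Array rounds the stored double to single precision.
    ["Float32Array rounds to float", new Float32Array(4), 0, 0.1],
    // An out-of-bounds typed-array store is dropped; the reload is undefined.
    ["typed array OOB store is dropped", new Int32Array(4), 100, 5],
  ];
  return cases
    .filter(([, array, index, value]) => !forwardingIsSound(array, index, value))
    .map(([label, array, index, value]) => ({
      label,
      stored: value,
      loaded: storeThenLoad(array, index, value),
    }));
}

// Stand-alone usage: print the cases a naive CSE would get wrong.
for (const c of unsoundForwardingCases()) {
  console.log(`${c.label}: stored ${c.stored}, reloaded ${c.loaded}`);
}
```

Note that the sound cases are the ones the entry calls "pure-ish": a plain Array with an integer index and no setters on Array.prototype, or a typed-array store of a value that is already representable in the element type. The check here is per-store; the entry's second point (two reads of a[i] with different arrayModes under concurrent JIT) cannot be observed from JavaScript and is not modelled.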
2668 2013-12-05  Commit Queue  <commit-queue@webkit.org>
2669
2670         Unreviewed, rolling out r160133.
2671         http://trac.webkit.org/changeset/160133
2672         https://bugs.webkit.org/show_bug.cgi?id=125325
2673
2674         broke bindings tests on all the bots (Requested by thorton on
2675         #webkit).
2676
2677         * API/JSCallbackObject.h:
2678         * API/JSCallbackObjectFunctions.h:
2679         (JSC::::staticFunctionGetter):
2680         (JSC::::callbackGetter):
2681         * jit/JITOperations.cpp:
2682         * runtime/JSActivation.cpp:
2683         (JSC::JSActivation::argumentsGetter):
2684         * runtime/JSActivation.h:
2685         * runtime/JSFunction.cpp:
2686         (JSC::JSFunction::argumentsGetter):
2687         (JSC::JSFunction::callerGetter):
2688         (JSC::JSFunction::lengthGetter):
2689         (JSC::JSFunction::nameGetter):
2690         * runtime/JSFunction.h:
2691         * runtime/JSObject.h:
2692         (JSC::PropertySlot::getValue):
2693         * runtime/NumberConstructor.cpp:
2694         (JSC::numberConstructorNaNValue):
2695         (JSC::numberConstructorNegInfinity):
2696         (JSC::numberConstructorPosInfinity):
2697         (JSC::numberConstructorMaxValue):
2698         (JSC::numberConstructorMinValue):
2699         * runtime/PropertySlot.h:
2700         * runtime/RegExpConstructor.cpp:
2701         (JSC::regExpConstructorDollar1):
2702         (JSC::regExpConstructorDollar2):
2703         (JSC::regExpConstructorDollar3):
2704         (JSC::regExpConstructorDollar4):
2705         (JSC::regExpConstructorDollar5):
2706         (JSC::regExpConstructorDollar6):
2707         (JSC::regExpConstructorDollar7):
2708         (JSC::regExpConstructorDollar8):
2709         (JSC::regExpConstructorDollar9):
2710         (JSC::regExpConstructorInput):
2711         (JSC::regExpConstructorMultiline):
2712         (JSC::regExpConstructorLastMatch):
2713         (JSC::regExpConstructorLastParen):
2714         (JSC::regExpConstructorLeftContext):
2715         (JSC::regExpConstructorRightContext):
2716         * runtime/RegExpObject.cpp:
2717         (JSC::regExpObjectGlobal):
2718         (JSC::regExpObjectIgnoreCase):
2719         (JSC::regExpObjectMultiline):
2720         (JSC::regExpObjectSource):
2721
2722 2013-12-05  Mark Lam  <mark.lam@apple.com>
2723
2724         Make the C Loop LLINT work with callToJavaScript.
2725         https://bugs.webkit.org/show_bug.cgi?id=125294
2726
2727         Reviewed by Michael Saboff.
2728
2729         1. Changed the C Loop LLINT to dispatch to an Executable via its JITCode
2730            instance which is consistent with how the ASM LLINT works.
2731         2. Changed CLoop::execute() to take an Opcode instead of an OpcodeID.
2732            This makes it play nice with the use of JITCode for dispatching.
2733         3. Introduce a callToJavaScript and callToNativeFunction for the C Loop
2734            LLINT. These will call JSStack::pushFrame() and popFrame() to setup
2735            and teardown the CallFrame.
2736         4. Also introduced a C Loop returnFromJavaScript which is just a
2737            replacement for ctiOpThrowNotCaught which had the same function.
2738         5. Remove a lot of #if ENABLE(LLINT_C_LOOP) code now that the dispatch
2739            mechanism is consistent.
2740
2741         This patch has been tested with both configurations of COMPUTED_GOTOs
2742         on and off.
2743
2744         * interpreter/CachedCall.h:
2745         (JSC::CachedCall::CachedCall):
2746         (JSC::CachedCall::call):
2747         (JSC::CachedCall::setArgument):
2748         * interpreter/CallFrameClosure.h:
2749         (JSC::CallFrameClosure::setThis):
2750         (JSC::CallFrameClosure::setArgument):
2751         (JSC::CallFrameClosure::resetCallFrame):
2752         * interpreter/Interpreter.cpp:
2753         (JSC::Interpreter::execute):
2754         (JSC::Interpreter::executeCall):
2755         (JSC::Interpreter::executeConstruct):
2756         (JSC::Interpreter::prepareForRepeatCall):
2757         * interpreter/Interpreter.h:
2758         * interpreter/JSStack.h:
2759         * interpreter/JSStackInlines.h:
2760         (JSC::JSStack::pushFrame):
2761         * interpreter/ProtoCallFrame.h:
2762         (JSC::ProtoCallFrame::scope):
2763         (JSC::ProtoCallFrame::callee):
2764         (JSC::ProtoCallFrame::thisValue):
2765         (JSC::ProtoCallFrame::argument):
2766         (JSC::ProtoCallFrame::setArgument):
2767         * jit/JITCode.cpp:
2768         (JSC::JITCode::execute):
2769         * jit/JITCode.h:
2770         * jit/JITExceptions.cpp:
2771         (JSC::genericUnwind):
2772         * llint/LLIntCLoop.cpp:
2773         (JSC::LLInt::CLoop::initialize):
2774         * llint/LLIntCLoop.h:
2775         * llint/LLIntEntrypoint.cpp:
2776         (JSC::LLInt::setFunctionEntrypoint):
2777         (JSC::LLInt::setEvalEntrypoint):
2778         (JSC::LLInt::setProgramEntrypoint):
2779         - Inverted the check for vm.canUseJIT(). This allows the JIT case to be
2780           #if'd out nicely when building the C Loop LLINT.
2781         * llint/LLIntOpcode.h:
2782         * llint/LLIntThunks.cpp:
2783         (JSC::doCallToJavaScript):
2784         (JSC::executeJS):
2785         (JSC::callToJavaScript):
2786         (JSC::executeNative):
2787         (JSC::callToNativeFunction):
2788         * llint/LLIntThunks.h:
2789         * llint/LowLevelInterpreter.cpp:
2790         (JSC::CLoop::execute):
2791         * runtime/Executable.h:
2792         (JSC::ExecutableBase::offsetOfNumParametersFor):
2793         (JSC::ExecutableBase::hostCodeEntryFor):
2794         (JSC::ExecutableBase::jsCodeEntryFor):
2795         (JSC::ExecutableBase::jsCodeWithArityCheckEntryFor):
2796         (JSC::NativeExecutable::create):
2797         (JSC::NativeExecutable::finishCreation):
2798         (JSC::ProgramExecutable::generatedJITCode):
2799         * runtime/JSArray.cpp:
2800         (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key):
2801         * runtime/StringPrototype.cpp:
2802         (JSC::replaceUsingRegExpSearch):
2803         * runtime/VM.cpp:
2804         (JSC::VM::getHostFunction):
2805
2806 2013-12-05  Laszlo Vidacs  <lac@inf.u-szeged.hu>
2807
2808         Fix JavaScriptCore build if cloop is enabled after r160094
2809         https://bugs.webkit.org/show_bug.cgi?id=125292
2810
2811         Reviewed by Michael Saboff.
2812
2813         Move ProtoCallFrame outside the JIT guard.
2814
2815         * jit/JITCode.h:
2816
2817 2013-12-04  Filip Pizlo  <fpizlo@apple.com>
2818
2819         Fold constant typed arrays
2820         https://bugs.webkit.org/show_bug.cgi?id=125205
2821
2822         Reviewed by Oliver Hunt and Mark Hahnenberg.
2823         
2824         If by some other mechanism we have a typed array access on a compile-time constant
2825         typed array pointer, then fold:
2826         
2827         - Array bounds checks. Specifically, fold the load of length.
2828         
2829         - Loading the vector.
2830         
2831         This needs to install a watchpoint on the array itself because of the possibility of
2832         neutering. Neutering is ridiculous. We do this without bloating the size of
2833         ArrayBuffer or JSArrayBufferView in the common case (i.e. the case where you
2834         allocated an array that didn't end up becoming a compile-time constant). To install
2835         the watchpoint, we slowDownAndWasteMemory and then create an incoming reference to
2836         the ArrayBuffer, where that incoming reference is from a watchpoint object. The
2837         ArrayBuffer already knows about such incoming references and can fire the
2838         watchpoints that way.
2839         
2840         * CMakeLists.txt:
2841         * GNUmakefile.list.am:
2842         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2843         * JavaScriptCore.xcodeproj/project.pbxproj:
2844         * dfg/DFGDesiredWatchpoints.cpp:
2845         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
2846         (JSC::DFG::DesiredWatchpoints::addLazily):
2847         * dfg/DFGDesiredWatchpoints.h:
2848         (JSC::DFG::GenericSetAdaptor::add):
2849         (JSC::DFG::GenericSetAdaptor::hasBeenInvalidated):
2850         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::hasBeenInvalidated):
2851         (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
2852         (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
2853         (JSC::DFG::GenericDesiredWatchpoints::isStillValid):
2854         (JSC::DFG::GenericDesiredWatchpoints::shouldAssumeMixedState):
2855         (JSC::DFG::DesiredWatchpoints::isStillValid):
2856         (JSC::DFG::DesiredWatchpoints::shouldAssumeMixedState):
2857         (JSC::DFG::DesiredWatchpoints::isValidOrMixed):
2858         * dfg/DFGGraph.cpp:
2859         (JSC::DFG::Graph::tryGetFoldableView):
2860         * dfg/DFGGraph.h:
2861         * dfg/DFGSpeculativeJIT.cpp:
2862         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
2863         (JSC::DFG::SpeculativeJIT::emitTypedArrayBoundsCheck):
2864         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
2865         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
2866         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
2867         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
2868         (JSC::DFG::SpeculativeJIT::compileConstantIndexedPropertyStorage):
2869         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
2870         * dfg/DFGSpeculativeJIT.h:
2871         * dfg/DFGWatchpointCollectionPhase.cpp:
2872         (JSC::DFG::WatchpointCollectionPhase::handle):
2873         (JSC::DFG::WatchpointCollectionPhase::addLazily):
2874         * ftl/FTLLowerDFGToLLVM.cpp:
2875         (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
2876         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2877         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2878         (JSC::FTL::LowerDFGToLLVM::typedArrayLength):
2879         * runtime/ArrayBuffer.cpp:
2880         (JSC::ArrayBuffer::transfer):
2881         * runtime/ArrayBufferNeuteringWatchpoint.cpp: Added.
2882         (JSC::ArrayBufferNeuteringWatchpoint::ArrayBufferNeuteringWatchpoint):
2883         (JSC::ArrayBufferNeuteringWatchpoint::~ArrayBufferNeuteringWatchpoint):
2884         (JSC::ArrayBufferNeuteringWatchpoint::finishCreation):
2885         (JSC::ArrayBufferNeuteringWatchpoint::destroy):
2886         (JSC::ArrayBufferNeuteringWatchpoint::create):
2887         (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
2888         * runtime/ArrayBufferNeuteringWatchpoint.h: Added.
2889         (JSC::ArrayBufferNeuteringWatchpoint::set):
2890         * runtime/VM.cpp:
2891         (JSC::VM::VM):
2892         * runtime/VM.h:
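
        As an added illustration (not part of this ChangeLog or JavaScriptCore's own code), the
        observable contract that the neutering watchpoint above exists to protect: once a typed
        array's backing ArrayBuffer is neutered, a hot reader must see length 0 and undefined
        reads rather than any folded length or vector pointer. The helper names are invented here;
        the example assumes a runtime with a global structuredClone that supports transfer lists.

```javascript
// Added example, not WebKit code: a closure-captured typed array that an
// optimizing tier may treat as a compile-time constant, read in a hot loop,
// then neutered (detached) by transferring its ArrayBuffer.

function buildReader(size) {
  // Constructed input: a fresh buffer filled with 0..size-1, captured by the
  // closure so the engine may specialize on the view.
  const buffer = new ArrayBuffer(size);
  const view = new Uint8Array(buffer);
  for (let i = 0; i < size; i++) view[i] = i;

  // In-bounds read that the optimizing tiers are expected to specialize.
  function readAt(index) {
    return view[index];
  }
  return { buffer, view, readAt };
}

function warmUp(readAt, size, rounds) {
  // Drive the reader hard enough that a JIT would consider it hot.
  let sum = 0;
  for (let r = 0; r < rounds; r++)
    for (let i = 0; i < size; i++) sum += readAt(i);
  return sum;
}

function neuter(buffer) {
  // structuredClone with a transfer list detaches the source ArrayBuffer in
  // place; this is the "neutering" the ChangeLog entry refers to.
  structuredClone(buffer, { transfer: [buffer] });
  return buffer.byteLength; // 0 once detached
}

function demonstrate() {
  const size = 64;
  const { buffer, view, readAt } = buildReader(size);
  const before = warmUp(readAt, size, 1000); // 1000 * (0 + ... + 63)
  const byteLengthAfter = neuter(buffer);
  const lengthAfter = view.length;          // views over a detached buffer report 0
  const readAfter = readAt(0);              // must be undefined, never stale memory
  return { before, byteLengthAfter, lengthAfter, readAfter };
}
```

        Any engine that kept using a folded length or vector after neutering would return stale
        memory here instead of undefined, which is exactly the invalidation the watchpoint forces.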
2893
2894 2013-12-04  Commit Queue  <commit-queue@webkit.org>
2895
2896         Unreviewed, rolling out r160116.
2897         http://trac.webkit.org/changeset/160116
2898         https://bugs.webkit.org/show_bug.cgi?id=125264
2899
2900         Change doesn't work as intended. See bug comments for details.
2901         (Requested by bfulgham on #webkit).
2902
2903         * runtime/InitializeThreading.cpp:
2904         (JSC::initializeThreading):
2905
2906 2013-12-04  Oliver Hunt  <oliver@apple.com>
2907
2908         Refactor static getter function prototype to include thisValue in addition to the base object
2909         https://bugs.webkit.org/show_bug.cgi?id=124461
2910
2911         Reviewed by Geoffrey Garen.
2912
2913         Add thisValue parameter to static getter prototype, and switch
2914         from JSValue to EncodedJSValue for parameters and return value.
2915
2916         Currently none of the static getters use the thisValue, but
2917         separating out the refactoring will prevent future changes
2918         from getting lost in the noise of refactoring.  This means
2919         that this patch does not result in any change in behaviour.
2920
2921         * API/JSCallbackObject.h:
2922         * API/JSCallbackObjectFunctions.h:
2923         (JSC::::asCallbackObject):
2924         (JSC::::staticFunctionGetter):
2925         (JSC::::callbackGetter):
2926         * jit/JITOperations.cpp:
2927         * runtime/JSActivation.cpp:
2928         (JSC::JSActivation::argumentsGetter):
2929         * runtime/JSActivation.h:
2930         * runtime/JSFunction.cpp:
2931         (JSC::JSFunction::argumentsGetter):
2932         (JSC::JSFunction::callerGetter):
2933         (JSC::JSFunction::lengthGetter):
2934         (JSC::JSFunction::nameGetter):
2935         * runtime/JSFunction.h:
2936         * runtime/JSObject.h:
2937         (JSC::PropertySlot::getValue):
2938         * runtime/NumberConstructor.cpp:
2939         (JSC::numberConstructorNaNValue):
2940         (JSC::numberConstructorNegInfinity):
2941         (JSC::numberConstructorPosInfinity):
2942         (JSC::numberConstructorMaxValue):
2943         (JSC::numberConstructorMinValue):
2944         * runtime/PropertySlot.h:
2945         * runtime/RegExpConstructor.cpp:
2946         (JSC::asRegExpConstructor):
2947         (JSC::regExpConstructorDollar1):
2948         (JSC::regExpConstructorDollar2):
2949         (JSC::regExpConstructorDollar3):
2950         (JSC::regExpConstructorDollar4):
2951         (JSC::regExpConstructorDollar5):
2952         (JSC::regExpConstructorDollar6):
2953         (JSC::regExpConstructorDollar7):
2954         (JSC::regExpConstructorDollar8):
2955         (JSC::regExpConstructorDollar9):
2956         (JSC::regExpConstructorInput):
2957         (JSC::regExpConstructorMultiline):
2958         (JSC::regExpConstructorLastMatch):
2959         (JSC::regExpConstructorLastParen):
2960         (JSC::regExpConstructorLeftContext):
2961         (JSC::regExpConstructorRightContext):
2962         * runtime/RegExpObject.cpp:
2963         (JSC::asRegExpObject):
2964         (JSC::regExpObjectGlobal):
2965         (JSC::regExpObjectIgnoreCase):
2966         (JSC::regExpObjectMultiline):
2967         (JSC::regExpObjectSource):
2968
2969 2013-12-04  Daniel Bates  <dabates@apple.com>
2970
2971         [iOS] Enable Objective-C ARC when building JSC tools for iOS simulator
2972         https://bugs.webkit.org/show_bug.cgi?id=125170
2973
2974         Reviewed by Geoffrey Garen.
2975
2976         * API/tests/testapi.mm:
2977         * Configurations/ToolExecutable.xcconfig:
2978
2979 2013-12-04  peavo@outlook.com  <peavo@outlook.com>
2980
2981         Use ThreadingOnce class to encapsulate pthread_once functionality.
2982         https://bugs.webkit.org/show_bug.cgi?id=125228
2983
2984         Reviewed by Brent Fulgham.
2985
2986         * runtime/InitializeThreading.cpp:
2987         (JSC::initializeThreading):
2988
2989 2013-12-04  Mark Lam  <mark.lam@apple.com>
2990
2991         Remove unneeded semicolons.
2992         https://bugs.webkit.org/show_bug.cgi?id=125083.
2993
2994         Rubber-stamped by Filip Pizlo.
2995
2996         * debugger/Debugger.h:
2997         (JSC::Debugger::detach):
2998         (JSC::Debugger::sourceParsed):
2999         (JSC::Debugger::exception):
3000         (JSC::Debugger::atStatement):
3001         (JSC::Debugger::callEvent):
3002         (JSC::Debugger::returnEvent):
3003         (JSC::Debugger::willExecuteProgram):
3004         (JSC::Debugger::didExecuteProgram):
3005         (JSC::Debugger::didReachBreakpoint):
3006
3007 2013-12-04  Andy Estes  <aestes@apple.com>
3008
3009         [iOS] Build projects with $(ARCHS_STANDARD_32_64_BIT)
3010         https://bugs.webkit.org/show_bug.cgi?id=125236
3011
3012         Reviewed by Sam Weinig.
3013
3014         $(ARCHS_STANDARD_32_64_BIT) is what we want for both device and simulator builds.
3015
3016         * Configurations/DebugRelease.xcconfig:
3017
3018 2013-12-03  Filip Pizlo  <fpizlo@apple.com>
3019
3020         Infer constant closure variables
3021         https://bugs.webkit.org/show_bug.cgi?id=124630
3022
3023         Reviewed by Geoffrey Garen.
3024         
3025         Captured variables that are assigned once (not counting op_enter's Undefined
3026         initialization) and that are contained within a function that has thus far only been
3027         entered once are now constant folded. It's pretty awesome.
3028         
3029         This involves a watchpoint on the assignment to variables and a watchpoint on entry
3030         into the function. The former is reused from global variable constant inference and the
3031         latter is reused from one-time closure inference.
3032
3033         * GNUmakefile.list.am:
3034         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3035         * JavaScriptCore.xcodeproj/project.pbxproj:
3036         * bytecode/CodeBlock.cpp:
3037         (JSC::CodeBlock::dumpBytecode):
3038         (JSC::CodeBlock::CodeBlock):
3039         * bytecode/Instruction.h:
3040         (JSC::Instruction::Instruction):
3041         * bytecode/Opcode.h:
3042         (JSC::padOpcodeName):
3043         * bytecode/UnlinkedCodeBlock.h:
3044         (JSC::UnlinkedInstruction::UnlinkedInstruction):
3045         * bytecode/VariableWatchpointSet.h:
3046         (JSC::VariableWatchpointSet::invalidate):
3047         * bytecode/Watchpoint.h:
3048         (JSC::WatchpointSet::invalidate):
3049         * bytecompiler/BytecodeGenerator.cpp:
3050         (JSC::BytecodeGenerator::addVar):
3051         (JSC::BytecodeGenerator::BytecodeGenerator):
3052         (JSC::BytecodeGenerator::emitInitLazyRegister):
3053         (JSC::BytecodeGenerator::emitMove):
3054         (JSC::BytecodeGenerator::emitNewFunctionInternal):
3055         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
3056         * bytecompiler/BytecodeGenerator.h:
3057         (JSC::BytecodeGenerator::addVar):
3058         (JSC::BytecodeGenerator::watchableVariable):
3059         * dfg/DFGByteCodeParser.cpp:
3060         (JSC::DFG::ByteCodeParser::getLocal):
3061         (JSC::DFG::ByteCodeParser::inferredConstant):
3062         (JSC::DFG::ByteCodeParser::parseBlock):
3063         (JSC::DFG::ByteCodeParser::parse):
3064         * dfg/DFGGraph.cpp:
3065         (JSC::DFG::Graph::tryGetActivation):
3066         (JSC::DFG::Graph::tryGetRegisters):
3067         * dfg/DFGGraph.h:
3068         * jit/JIT.cpp:
3069         (JSC::JIT::privateCompileMainPass):
3070         (JSC::JIT::privateCompileSlowCases):
3071         * jit/JIT.h:
3072         * jit/JITOpcodes.cpp:
3073         (JSC::JIT::emit_op_mov):
3074         (JSC::JIT::emit_op_captured_mov):
3075         (JSC::JIT::emit_op_new_captured_func):
3076         (JSC::JIT::emitSlow_op_captured_mov):
3077         * jit/JITOpcodes32_64.cpp:
3078         (JSC::JIT::emit_op_mov):
3079         (JSC::JIT::emit_op_captured_mov):
3080         * llint/LowLevelInterpreter32_64.asm:
3081         * llint/LowLevelInterpreter64.asm:
3082         * runtime/CommonSlowPaths.cpp:
3083         (JSC::SLOW_PATH_DECL):
3084         * runtime/CommonSlowPaths.h:
3085         * runtime/ConstantMode.h: Added.
3086         * runtime/JSGlobalObject.h:
3087         * runtime/JSScope.cpp:
3088         (JSC::abstractAccess):
3089         * runtime/SymbolTable.cpp:
3090         (JSC::SymbolTableEntry::prepareToWatch):
3091
3092 2013-12-04  Brent Fulgham  <bfulgham@apple.com>
3093
3094         [Win] Unreviewed project file gardening.
3095
3096         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Remove deleted files from project.
3097         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Put files in proper directory
3098         folders to match the directory structure of the source code.
3099
3100 2013-12-04  Joseph Pecoraro  <pecoraro@apple.com>
3101
3102         Unreviewed Windows Build Fix attempt after r160099.
3103
3104         * JavaScriptCore.vcxproj/copy-files.cmd:
3105
3106 2013-12-04  Julien Brianceau  <jbriance@cisco.com>
3107
3108         REGRESSION (r160094): Fix lots of crashes for sh4 architecture.
3109         https://bugs.webkit.org/show_bug.cgi?id=125227
3110
3111         Reviewed by Michael Saboff.
3112
3113         * llint/LowLevelInterpreter32_64.asm: Do not use t4 and t5 as they match a0 and a1.
3114         * offlineasm/registers.rb: Add t7, t8 and t9 in register list for sh4 port.
3115         * offlineasm/sh4.rb: Rearrange RegisterID list and add the missing ones.
3116
3117 2013-12-03  Joseph Pecoraro  <pecoraro@apple.com>
3118
3119         Web Inspector: Push Remote Inspector debugging connection management into JavaScriptCore
3120         https://bugs.webkit.org/show_bug.cgi?id=124613
3121
3122         Reviewed by Timothy Hatcher.
3123
3124         Move the ENABLE(REMOTE_INSPECTOR) remote debugger connection management
3125         into JavaScriptCore (originally from WebKit/mac). Include enhancements:
3126
3127           * allow for different types of remote debuggable targets,
3128             eventually at least a JSContext, WebView, WKView.
3129           * allow debuggables to be registered and debugged on any thread. Unlike
3130             WebViews, JSContexts may be run entirely off of the main thread.
3131           * move the remote connection (XPC connection) itself off of the main thread,
3132             it doesn't need to be on the main thread.
3133
3134         Make JSContext @class and JavaScriptCore::JSContextRef
3135         "JavaScript" Remote Debuggables.
3136
3137         * inspector/remote/RemoteInspectorDebuggable.h: Added.
3138         * inspector/remote/RemoteInspectorDebuggable.cpp: Added.
3139         (Inspector::RemoteInspectorDebuggable::RemoteInspectorDebuggable):
3140         (Inspector::RemoteInspectorDebuggable::~RemoteInspectorDebuggable):
3141         (Inspector::RemoteInspectorDebuggable::init):
3142         (Inspector::RemoteInspectorDebuggable::update):
3143         (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
3144         (Inspector::RemoteInspectorDebuggable::info):
3145         RemoteInspectorDebuggable defines a debuggable target. As long as
3146         something creates a debuggable and is set to allow remote inspection
3147         it will be listed in remote debuggers. For the different types of
3148         debuggables (JavaScript and Web) there is different basic information
3149         that may be listed.
3150
3151         * inspector/InspectorFrontendChannel.h: Added.
3152         (Inspector::InspectorFrontendChannel::~InspectorFrontendChannel):
3153         The only thing a debuggable needs for remote debugging is an
3154         InspectorFrontendChannel, a way to send messages to a remote frontend.
3155         This class provides that method, and is vended to the
3156         RemoteInspectorDebuggable when a remote connection is set up.
3157
3158         * inspector/remote/RemoteInspector.h: Added.
3159         * inspector/remote/RemoteInspector.mm: Added.
3160         Singleton, created at the latest when the first Debuggable is created.
3161         This class manages the list of debuggables and any connection to a
3162         remote debugger proxy (XPC service "com.apple.webinspector").
3163
3164         (Inspector::dispatchAsyncOnQueueSafeForAnyDebuggable):
3165         (Inspector::RemoteInspector::shared):
3166         (Inspector::RemoteInspector::RemoteInspector):
3167         (Inspector::RemoteInspector::nextAvailableIdentifier):
3168         (Inspector::RemoteInspector::registerDebuggable):
3169         (Inspector::RemoteInspector::unregisterDebuggable):
3170         (Inspector::RemoteInspector::updateDebuggable):
3171         Debuggable management. When debuggables are added, removed, or updated
3172         we stash a copy of the debuggable information and push an update to
3173         debuggers. Stashing a copy of the information in the RemoteInspector
3174         is a thread safe way to avoid walking over all debuggables to gather
3175         the information when it is needed.
3176
3177         (Inspector::RemoteInspector::start):
3178         (Inspector::RemoteInspector::stop):
3179         Runtime API to enable / disable the feature.
3180
3181         (Inspector::RemoteInspector::listingForDebuggable):
3182         (Inspector::RemoteInspector::pushListingNow):
3183         (Inspector::RemoteInspector::pushListingSoon):
3184         Pushing a listing to remote debuggers.
3185
3186         (Inspector::RemoteInspector::sendMessageToRemoteFrontend):
3187         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
3188         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
3189         (Inspector::RemoteInspector::xpcConnectionFailed):
3190         (Inspector::RemoteInspector::xpcConnectionUnhandledMessage):
3191         XPC setup, send, and receive handling.
3192
3193         (Inspector::RemoteInspector::updateHasActiveDebugSession):
3194         Applications being debugged may want to know when a debug
3195         session is active. This provides that notification.
3196
3197         (Inspector::RemoteInspector::receivedSetupMessage):
3198         (Inspector::RemoteInspector::receivedDataMessage):
3199         (Inspector::RemoteInspector::receivedDidCloseMessage):
3200         (Inspector::RemoteInspector::receivedGetListingMessage):
3201         (Inspector::RemoteInspector::receivedIndicateMessage):
3202         (Inspector::RemoteInspector::receivedConnectionDiedMessage):
3203         Dispatching incoming remote debugging protocol messages.
3204         These are wrapping above the inspector protocol messages.
3205
3206         * inspector/remote/RemoteInspectorConstants.h: Added.
3207         Protocol messages and dictionary keys inside the messages.
3208
3209         (Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo):
3210         * inspector/remote/RemoteInspectorDebuggableConnection.h: Added.
3211         * inspector/remote/RemoteInspectorDebuggableConnection.mm: Added.
3212         This is a connection between the RemoteInspector singleton and a RemoteInspectorDebuggable.
3213
3214         (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
3215         (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
3216         Allow for dispatching messages on JavaScript debuggables on a dispatch_queue
3217         instead of the main queue.
3218
3219         (Inspector::RemoteInspectorDebuggableConnection::destination):
3220         (Inspector::RemoteInspectorDebuggableConnection::connectionIdentifier):
3221         Needed in the remote debugging protocol to identify the remote debugger.
3222
3223         (Inspector::RemoteInspectorDebuggableConnection::dispatchSyncOnDebuggable):
3224         (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
3225         (Inspector::RemoteInspectorDebuggableConnection::setup):
3226         (Inspector::RemoteInspectorDebuggableConnection::closeFromDebuggable):
3227         (Inspector::RemoteInspectorDebuggableConnection::close):
3228         (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
3229         (Inspector::RemoteInspectorDebuggableConnection::sendMessageToFrontend):
3230         The connection is a thin channel between the two sides that can be closed
3231         from either side, so there is some logic around multi-threaded access.
3232
3233         * inspector/remote/RemoteInspectorXPCConnection.h: Added.
3234         (Inspector::RemoteInspectorXPCConnection::Client::~Client):
3235         * inspector/remote/RemoteInspectorXPCConnection.mm: Added.
3236         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
3237         (Inspector::RemoteInspectorXPCConnection::~RemoteInspectorXPCConnection):
3238         (Inspector::RemoteInspectorXPCConnection::close):
3239         (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
3240         (Inspector::RemoteInspectorXPCConnection::handleEvent):
3241         (Inspector::RemoteInspectorXPCConnection::sendMessage):
3242         This is a connection between the RemoteInspector singleton and an XPC service
3243         named "com.apple.webinspector". This handles serialization of the dictionary
3244         messages to and from the service. The receiving is done on a non-main queue.
3245
3246         * API/JSContext.h:
3247         * API/JSContext.mm:
3248         (-[JSContext name]):
3249         (-[JSContext setName:]):
3250         ObjC API to enable/disable JSContext remote inspection and give a name.
3251
3252         * API/JSContextRef.h:
3253         * API/JSContextRef.cpp:
3254         (JSGlobalContextGetName):
3255         (JSGlobalContextSetName):
3256         C API to give a JSContext a name.
3257
3258         * runtime/JSGlobalObject.cpp:
3259         (JSC::JSGlobalObject::setName):
3260         * runtime/JSGlobalObject.h:
3261         (JSC::JSGlobalObject::name):
3262         Shared handling of the APIs above.
3263
3264         * runtime/JSGlobalObjectDebuggable.cpp: Added.
3265         (JSC::JSGlobalObjectDebuggable::JSGlobalObjectDebuggable):
3266         (JSC::JSGlobalObjectDebuggable::name):
3267         (JSC::JSGlobalObjectDebuggable::connect):
3268         (JSC::JSGlobalObjectDebuggable::disconnect):
3269         (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
3270         * runtime/JSGlobalObjectDebuggable.h: Added.
3271         Stub for the actual remote debugging implementation. We will push
3272         down the appropriate WebCore/inspector pieces suitable for debugging
3273         just a JavaScript context.
3274
3275         * CMakeLists.txt:
3276         * JavaScriptCore.xcodeproj/project.pbxproj:
3277         * GNUmakefile.am:
3278         * GNUmakefile.list.am:
3279         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3280         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3281         Update build files.
3282
3283 2013-12-04  Michael Saboff  <msaboff@apple.com>
3284
3285         Move the setting up of callee's callFrame from pushFrame to callToJavaScript thunk
3286         https://bugs.webkit.org/show_bug.cgi?id=123999
3287
3288         Reviewed by Filip Pizlo.
3289
3290         Changed LLInt and/or JIT enabled ports to allocate the stack frame in the
3291         callToJavaScript stub.  Added an additional stub, callToNativeFunction that
3292         allocates a stack frame in a similar way for calling native entry points
3293         that take a single ExecState* argument.  These stubs are implemented
3294         using common macros in LowLevelInterpreter{32_64,64}.asm.  There are also
3295         Windows X86 and X86-64 versions in the corresponding JitStubsXX.h.
3296         The stubs allocate and create a sentinel frame, then create the callee's
3297         frame, populating the header and arguments from the passed in ProtoCallFrame*.
3298         It is assumed that the caller of either stub does a check for enough stack space
3299         via JSStack::entryCheck().
3300
3301         For ports using the C-Loop interpreter, the prior method for allocating stack
3302         frame and invoking functions is used, namely with JSStack::pushFrame() and
3303         ::popFrame().
3304
3305         Made spelling changes "sentinal" -> "sentinel".
3306
3307         * CMakeLists.txt:
3308         * GNUmakefile.list.am:
3309         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3310         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3311         * JavaScriptCore.xcodeproj/project.pbxproj:
3312         * interpreter/CachedCall.h:
3313         (JSC::CachedCall::CachedCall):
3314         (JSC::CachedCall::setThis):
3315         (JSC::CachedCall::setArgument):
3316         * interpreter/CallFrameClosure.h:
3317         (JSC::CallFrameClosure::resetCallFrame):
3318         * interpreter/Interpreter.cpp:
3319         (JSC::Interpreter::execute):
3320         (JSC::Interpreter::executeCall):
3321         (JSC::Interpreter::executeConstruct):
3322         (JSC::Interpreter::prepareForRepeatCall):
3323         * interpreter/Interpreter.h:
3324         * interpreter/JSStack.h:
3325         * interpreter/JSStackInlines.h:
3326         (JSC::JSStack::entryCheck):
3327         (JSC::JSStack::pushFrame):
3328         (JSC::JSStack::popFrame):
3329         * interpreter/ProtoCallFrame.cpp: Added.
3330         (JSC::ProtoCallFrame::init):
3331         * interpreter/ProtoCallFrame.h: Added.
3332         (JSC::ProtoCallFrame::codeBlock):
3333         (JSC::ProtoCallFrame::setCodeBlock):
3334         (JSC::ProtoCallFrame::setScope):
3335         (JSC::ProtoCallFrame::setCallee):
3336         (JSC::ProtoCallFrame::argumentCountIncludingThis):
3337         (JSC::ProtoCallFrame::argumentCount):
3338         (JSC::ProtoCallFrame::setArgumentCountIncludingThis):
3339         (JSC::ProtoCallFrame::setPaddedArgsCount):
3340         (JSC::ProtoCallFrame::clearCurrentVPC):
3341         (JSC::ProtoCallFrame::setThisValue):
3342         (JSC::ProtoCallFrame::setArgument):
3343         * jit/JITCode.cpp:
3344         (JSC::JITCode::execute):
3345         * jit/JITCode.h:
3346         * jit/JITOperations.cpp:
3347         * jit/JITStubs.h:
3348         * jit/JITStubsMSVC64.asm:
3349         * jit/JITStubsX86.h:
3350         * llint/LLIntOffsetsExtractor.cpp:
3351         * llint/LLIntThunks.h:
3352         * llint/LowLevelInterpreter.asm:
3353         * llint/LowLevelInterpreter32_64.asm:
3354         * llint/LowLevelInterpreter64.asm:
3355         * runtime/ArgList.h:
3356         (JSC::ArgList::data):
3357         * runtime/JSArray.cpp:
3358         (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key):
3359         * runtime/StringPrototype.cpp:
3360         (JSC::replaceUsingRegExpSearch):
3361
3362 2013-12-04  László Langó  <lango@inf.u-szeged.hu>
3363
3364         Remove stdio.h from JSC files.
3365         https://bugs.webkit.org/show_bug.cgi?id=125220
3366
3367         Reviewed by Michael Saboff.
3368
3369         * interpreter/VMInspector.cpp:
3370         * jit/JITArithmetic.cpp:
3371         * jit/JITArithmetic32_64.cpp:
3372         * jit/JITCall.cpp:
3373         * jit/JITCall32_64.cpp:
3374         * jit/JITPropertyAccess.cpp:
3375         * jit/JITPropertyAccess32_64.cpp:
3376         * runtime/Completion.cpp:
3377         * runtime/IndexingType.cpp:
3378         * runtime/Lookup.h:
3379         * runtime/Operations.cpp:
3380         * runtime/Options.cpp:
3381         * runtime/RegExp.cpp:
3382
3383 2013-12-04  László Langó  <lango@inf.u-szeged.hu>
3384
3385         Avoid adding a zero offset in BaseIndex.