[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-03-10  Filip Pizlo  <fpizlo@apple.com>

        GetById list caching should use something object-oriented rather than PolymorphicAccessStructureList
        https://bugs.webkit.org/show_bug.cgi?id=129778

        Reviewed by Geoffrey Garen.

        Also deduplicate the GetById getter call caching. Also add some small tests for
        get stubs.

        This change reduces the amount of code involved in GetById access caching and it
        creates data structures that can serve as an elegant scaffold for introducing other
        kinds of caches or improving current caching styles. It will definitely make getter
        performance improvements easier to implement.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdCacheStatus):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfo):
        * bytecode/PolymorphicGetByIdList.cpp: Added.
        (JSC::GetByIdAccess::GetByIdAccess):
        (JSC::GetByIdAccess::~GetByIdAccess):
        (JSC::GetByIdAccess::fromStructureStubInfo):
        (JSC::GetByIdAccess::visitWeak):
        (JSC::PolymorphicGetByIdList::PolymorphicGetByIdList):
        (JSC::PolymorphicGetByIdList::from):
        (JSC::PolymorphicGetByIdList::~PolymorphicGetByIdList):
        (JSC::PolymorphicGetByIdList::currentSlowPathTarget):
        (JSC::PolymorphicGetByIdList::addAccess):
        (JSC::PolymorphicGetByIdList::isFull):
        (JSC::PolymorphicGetByIdList::isAlmostFull):
        (JSC::PolymorphicGetByIdList::didSelfPatching):
        (JSC::PolymorphicGetByIdList::visitWeak):
        * bytecode/PolymorphicGetByIdList.h: Added.
        (JSC::GetByIdAccess::GetByIdAccess):
        (JSC::GetByIdAccess::isSet):
        (JSC::GetByIdAccess::operator!):
        (JSC::GetByIdAccess::type):
        (JSC::GetByIdAccess::structure):
        (JSC::GetByIdAccess::chain):
        (JSC::GetByIdAccess::chainCount):
        (JSC::GetByIdAccess::stubRoutine):
        (JSC::GetByIdAccess::doesCalls):
        (JSC::PolymorphicGetByIdList::isEmpty):
        (JSC::PolymorphicGetByIdList::size):
        (JSC::PolymorphicGetByIdList::at):
        (JSC::PolymorphicGetByIdList::operator[]):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::deref):
        (JSC::StructureStubInfo::visitWeakReferences):
        * bytecode/StructureStubInfo.h:
        (JSC::isGetByIdAccess):
        (JSC::StructureStubInfo::initGetByIdList):
        * jit/Repatch.cpp:
        (JSC::generateGetByIdStub):
        (JSC::tryCacheGetByID):
        (JSC::patchJumpToGetByIdStub):
        (JSC::tryBuildGetByIDList):
        (JSC::tryBuildPutByIdList):
        * tests/stress/getter.js: Added.
        (foo):
        (.o):
        * tests/stress/polymorphic-prototype-accesses.js: Added.
        (Foo):
        (Bar):
        (foo):
        * tests/stress/prototype-getter.js: Added.
        (Foo):
        (foo):
        * tests/stress/simple-prototype-accesses.js: Added.
        (Foo):
        (foo):

2014-03-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        MarkedBlocks that are "full enough" shouldn't be swept after EdenCollections
        https://bugs.webkit.org/show_bug.cgi?id=129920

        Reviewed by Geoffrey Garen.

        This patch introduces the notion of "retiring" MarkedBlocks. We retire a MarkedBlock
        when the amount of free space in a MarkedBlock drops below a certain threshold.
        Retired blocks are not considered for sweeping.

        This is profitable because it reduces churn during sweeping. To build a free list,
        we have to scan through each cell in a block. After a collection, all objects that
        are live in the block will remain live until the next FullCollection, at which time
        we un-retire all previously retired blocks. Thus, a small number of objects in a block
        that die during each EdenCollection could cause us to do a disproportionate amount of
        sweeping for how much free memory we get back.

        This patch looks like a consistent ~2% progression on boyer and is neutral everywhere else.

        * heap/Heap.h:
        (JSC::Heap::didRetireBlockWithFreeListSize):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::tryAllocateHelper):
        (JSC::MarkedAllocator::removeBlock):
        (JSC::MarkedAllocator::reset):
        * heap/MarkedAllocator.h:
        (JSC::MarkedAllocator::MarkedAllocator):
        (JSC::MarkedAllocator::forEachBlock):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::sweepHelper):
        (JSC::MarkedBlock::clearMarksWithCollectionType):
        (JSC::MarkedBlock::didRetireBlock):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::willRemoveBlock):
        (JSC::MarkedBlock::isLive):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::clearNewlyAllocated):
        (JSC::MarkedSpace::clearMarks):
        * runtime/Options.h:

2014-03-11  Andreas Kling  <akling@apple.com>

        Streamline PropertyTable for lookup-only access.
        <https://webkit.org/b/130060>

        The PropertyTable lookup algorithm was written to support both read
        and write access. This wasn't actually needed in most places.

        This change adds a PropertyTable::get() that just returns the value
        type (instead of an insertion iterator.) It also adds an early return
        for empty tables.

        Finally, up the minimum table capacity from 8 to 16. It was lowered
        to 8 in order to save memory, but that was before PropertyTables were
        GC allocated. Nowadays we don't have nearly as many tables, since all
        the unpinned transitions die off.

        Reviewed by Darin Adler.

        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::get):
        * runtime/Structure.cpp:
        (JSC::Structure::despecifyDictionaryFunction):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::get):
        (JSC::Structure::despecifyFunction):
        * runtime/StructureInlines.h:
        (JSC::Structure::get):

2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        REGRESSION(r165407): DoYouEvenBench crashes in DRT
        https://bugs.webkit.org/show_bug.cgi?id=130066

        Reviewed by Geoffrey Garen.

        The baseline JIT does a conditional store barrier for the put_by_id, but we need
        an unconditional store barrier so that we cover the butterfly case as well in emitPutTransitionStub.

        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitWriteBarrier):

2014-03-10  Mark Lam  <mark.lam@apple.com>

        Resurrect bit-rotted JIT::probe() mechanism.
        <https://webkit.org/b/130067>

        Reviewed by Geoffrey Garen.

        * jit/JITStubs.cpp:
        - Added the needed #include <wtf/InlineASM.h>.

2014-03-10  Joseph Pecoraro  <pecoraro@apple.com>

        Fix typo in EXCLUDED_SOURCE_FILE_NAMES_iphoneos.

        Rubber-stamped by Dan Bernstein.

        * Configurations/JavaScriptCore.xcconfig:

2014-03-10  Mark Lam  <mark.lam@apple.com>

        r165414 broke the 32-bit x86 tests: ASSERTION FAILED: result != InvalidIndex @ GPRInfo.h:330.
        <https://webkit.org/b/130065>

        Reviewed by Michael Saboff.

        There is code in ScratchRegisterAllocator.cpp that is relying on GPRInfo::toIndex()
        being able to return InvalidIndex.  Hence, the assertion is invalid.  Ditto for
        FPRInfo::toIndex().

        The fix is to remove the "result != InvalidIndex" assertions.

        * jit/FPRInfo.h:
        (JSC::FPRInfo::toIndex):
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toIndex):

2014-03-10  Mark Lam  <mark.lam@apple.com>

        Crash on a stack overflow on 32-bit x86 in http/tests/websocket/tests/hybi/workers/no-onmessage-in-sync-op.html.
        <https://webkit.org/b/129955>

        Reviewed by Geoffrey Garen.

        The 32-bit x86 version of getHostCallReturnValue() was leaking 16 bytes
        stack memory every time it was called.  This is now fixed.

        * jit/JITOperations.cpp:

2014-03-10  Joseph Pecoraro  <pecoraro@apple.com>

        Better JSContext API for named evaluations (other than //# sourceURL)
        https://bugs.webkit.org/show_bug.cgi?id=129911

        Reviewed by Geoffrey Garen.

        * API/JSBase.h:
        * API/JSContext.h:
        * API/JSContext.mm:
        (-[JSContext evaluateScript:]):
        (-[JSContext evaluateScript:withSourceURL:]):
        Add new evaluateScript:withSourceURL:.

        * API/tests/testapi.c:
        (main):
        * API/tests/testapi.mm:
        (testObjectiveCAPI):
        Add tests for sourceURL in evaluate APIs. It should
        affect the exception objects.

2014-03-10  Filip Pizlo  <fpizlo@apple.com>

        Repatch should save and restore all used registers - not just temp ones - when making a call
        https://bugs.webkit.org/show_bug.cgi?id=130041

        Reviewed by Geoffrey Garen and Mark Hahnenberg.

        The save/restore code was written back when the only client was the DFG, which only uses a
        subset of hardware registers: the "temp" registers in our lingo. But the FTL may use many
        other registers, especially on ARM64. The fact that Repatch doesn't know to save those can
        lead to data corruption on ARM64.

        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::calleeSaveRegisters):
        (JSC::RegisterSet::numberOfSetGPRs):
        (JSC::RegisterSet::numberOfSetFPRs):
        * jit/RegisterSet.h:
        * jit/Repatch.cpp:
        (JSC::storeToWriteBarrierBuffer):
        (JSC::emitPutTransitionStub):
        * jit/ScratchRegisterAllocator.cpp:
        (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
        (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
        (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
        (JSC::ScratchRegisterAllocator::usedRegistersForCall):
        (JSC::ScratchRegisterAllocator::desiredScratchBufferSizeForCall):
        (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
        (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
        * jit/ScratchRegisterAllocator.h:

2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove ConditionalStore barrier
        https://bugs.webkit.org/show_bug.cgi?id=130040

        Reviewed by Geoffrey Garen.

        ConditionalStoreBarrier was created when barriers were much more expensive. Now that
        they're cheap(er), we can get rid of them. This also allows us to get rid of the write
        barrier logic in emitPutTransitionStub because we always will have executed a write barrier
        on the base object in the case where we are allocating and storing a new Butterfly into it.
        Previously, a ConditionalStoreBarrier might or might not have barrier-ed the base object,
        so we'd have to emit a write barrier in the transition case.

        This is performance neutral on the benchmarks we track.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::insertStoreBarrier):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isStoreBarrier):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        * jit/Repatch.cpp:
        (JSC::emitPutTransitionStub):

2014-03-10  Filip Pizlo  <fpizlo@apple.com>

        DFG and FTL should know that comparing anything to Misc is cheap and easy
        https://bugs.webkit.org/show_bug.cgi?id=130001

        Reviewed by Geoffrey Garen.

        - Expand CompareStrictEq(Misc:, Misc:) to work for cases where either side of the
          comparison is just Untyped:.

        - This obviates the need for CompareStrictEqConstant, so remove it.

        - FTL had a thing called "Nully" which is really "Other". Rename it and add
          OtherUse.

        9% speed-up on box2d.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isBinaryUseKind):
        (JSC::DFG::Node::shouldSpeculateOther):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::isNotOther):
        (JSC::FTL::LowerDFGToLLVM::isOther):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
        (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
        (JSC::FTL::LowerDFGToLLVM::speculateOther):
        (JSC::FTL::LowerDFGToLLVM::speculateMisc):
        * tests/stress/compare-strict-eq-integer-to-misc.js: Added.

2014-03-10  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, remove unintended change.

        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):

2014-03-10  Filip Pizlo  <fpizlo@apple.com>

        jsc commandline shouldn't have a "console" because that confuses some tests into thinking
        that they're running in the browser.

        Rubber stamped by Mark Hahnenberg.

        * jsc.cpp:
        (GlobalObject::finishCreation):

2014-03-10  Filip Pizlo  <fpizlo@apple.com>

        Out-line ScratchRegisterAllocator

        Rubber stamped by Mark Hahnenberg.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * jit/ScratchRegisterAllocator.cpp: Added.
        (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
        (JSC::ScratchRegisterAllocator::~ScratchRegisterAllocator):
        (JSC::ScratchRegisterAllocator::lock):
        (JSC::ScratchRegisterAllocator::allocateScratch):
        (JSC::ScratchRegisterAllocator::allocateScratchGPR):
        (JSC::ScratchRegisterAllocator::allocateScratchFPR):
        (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
        (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
        (JSC::ScratchRegisterAllocator::desiredScratchBufferSize):
        (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
        (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
        * jit/ScratchRegisterAllocator.h:

2014-03-10  Brent Fulgham  <bfulgham@apple.com>

        [Win] Pass environment to Pre-Build, Pre-link, and Post-Build Stages.
        https://bugs.webkit.org/show_bug.cgi?id=130023

        Reviewed by Dean Jackson.

        * JavaScriptCore.vcxproj/JavaScriptCore.proj: Avoid trailing backslashes in
        path names to avoid accidental escaping of later string substitutions.

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for testb_i8r when register is accumulator.
        <https://webkit.org/b/130026>

        Generate the shorthand version of "test al, imm" when possible.

        Reviewed by Michael Saboff.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::testb_i8r):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for sub_ir when register is accumulator.
        <https://webkit.org/b/130025>

        Generate the shorthand version of "sub eax, imm" when possible.

        Reviewed by Michael Saboff.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::subl_ir):
        (JSC::X86Assembler::subq_ir):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for add_ir when register is accumulator.
        <https://webkit.org/b/130024>

        Generate the shorthand version of "add eax, imm" when possible.

        Reviewed by Michael Saboff.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::addl_ir):
        (JSC::X86Assembler::addq_ir):

2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        writeBarrier in emitPutReplaceStub is unnecessary
        https://bugs.webkit.org/show_bug.cgi?id=130030

        Reviewed by Filip Pizlo.

        We already emit write barriers for each put-by-id when they're first compiled, so it's
        redundant to emit a write barrier as part of the repatched code.

        * jit/Repatch.cpp:
        (JSC::emitPutReplaceStub):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for xor_ir when register is accumulator.
        <https://webkit.org/b/130008>

        Generate the shorthand version of "xor eax, imm" when possible.

        Reviewed by Benjamin Poulain.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::xorl_ir):
        (JSC::X86Assembler::xorq_ir):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for or_ir when register is accumulator.
        <https://webkit.org/b/130007>

        Generate the shorthand version of "or eax, imm" when possible.

        Reviewed by Benjamin Poulain.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::orl_ir):
        (JSC::X86Assembler::orq_ir):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for test_ir when register is accumulator.
        <https://webkit.org/b/130006>

        Generate the shorthand version of "test eax, imm" when possible.

        Reviewed by Benjamin Poulain.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::testl_i32r):
        (JSC::X86Assembler::testq_i32r):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for cmp_ir when register is accumulator.
        <https://webkit.org/b/130005>

        Generate the shorthand version of "cmp eax, imm" when possible.

        Reviewed by Benjamin Poulain.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::cmpl_ir):
        (JSC::X86Assembler::cmpq_ir):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for store64(imm, address) when imm fits in 32 bits.
        <https://webkit.org/b/130002>

        Generate this:

            mov [address], imm32

        Instead of this:

            mov scratchRegister, imm32
            mov [address], scratchRegister

        For store64(imm, address) where the 64-bit immediate can be passed as
        a sign-extended 32-bit value.

        Reviewed by Benjamin Poulain.

        * assembler/MacroAssemblerX86_64.h:
        (CAN_SIGN_EXTEND_32_64):
        (JSC::MacroAssemblerX86_64::store64):

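The store64(imm, address) decision from the entry above, as an added worked example that is not JavaScriptCore code. It assumes, for brevity, that the address operand is [rbx] and the scratch register is rax; the byte encodings are the standard Intel ones (REX.W C7 /0 id, REX.W B8+r io, REX.W 89 /r). The boundary cases show why the "fits in 32 bits" test must be signed: 0x80000000 fits in 32 unsigned bits but would be sign-extended to 0xFFFFFFFF80000000 by the CPU, so it must take the long form.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not JavaScriptCore code. Assumptions: destination is
 * qword [rbx], scratch register is rax. */

/* Same predicate as JSC's CAN_SIGN_EXTEND_32_64: the immediate lies in
 * [INT32_MIN, INT32_MAX], so a 32-bit immediate that the CPU sign-extends
 * reproduces it exactly. */
static int can_sign_extend_32_64(int64_t value)
{
    return value >= INT32_MIN && value <= INT32_MAX;
}

static size_t put_le32(uint8_t *out, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        out[i] = (uint8_t)(v >> (8 * i));
    return 4;
}

static size_t put_le64(uint8_t *out, uint64_t v)
{
    for (int i = 0; i < 8; i++)
        out[i] = (uint8_t)(v >> (8 * i));
    return 8;
}

/* Encodes "store imm into qword [rbx]" and returns the byte count:
 * 7 bytes for the short form, 13 for the move-through-scratch fallback. */
size_t encode_store64_imm(uint8_t *out, int64_t imm)
{
    size_t n = 0;
    if (can_sign_extend_32_64(imm)) {
        /* 48 C7 03 id : mov qword [rbx], imm32 (imm32 is sign-extended) */
        out[n++] = 0x48; out[n++] = 0xC7; out[n++] = 0x03;
        n += put_le32(out + n, (uint32_t)imm);
    } else {
        /* 48 B8 io : movabs rax, imm64 (scratch register) */
        out[n++] = 0x48; out[n++] = 0xB8;
        n += put_le64(out + n, (uint64_t)imm);
        /* 48 89 03 : mov qword [rbx], rax */
        out[n++] = 0x48; out[n++] = 0x89; out[n++] = 0x03;
    }
    return n;
}

/* Encodes imm and compares the result with an expected byte sequence. */
int store64_imm_encodes_to(int64_t imm, const uint8_t *expected, size_t len)
{
    uint8_t buf[16];
    size_t n = encode_store64_imm(buf, imm);
    return n == len && memcmp(buf, expected, len) == 0;
}

/* Worked boundary cases; returns 1 when every encoding matches. */
int store64_imm_selfcheck(void)
{
    static const uint8_t minus_one[] = { 0x48, 0xC7, 0x03, 0xFF, 0xFF, 0xFF, 0xFF };
    static const uint8_t int32_max[] = { 0x48, 0xC7, 0x03, 0xFF, 0xFF, 0xFF, 0x7F };
    static const uint8_t int32_min[] = { 0x48, 0xC7, 0x03, 0x00, 0x00, 0x00, 0x80 };
    /* 2^31 does not sign-extend: movabs rax, 0x80000000 ; mov [rbx], rax */
    static const uint8_t two_pow_31[] = { 0x48, 0xB8, 0x00, 0x00, 0x00, 0x80,
                                          0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0x03 };
    return store64_imm_encodes_to(-1, minus_one, sizeof minus_one)
        && store64_imm_encodes_to(INT32_MAX, int32_max, sizeof int32_max)
        && store64_imm_encodes_to(INT32_MIN, int32_min, sizeof int32_min)
        && store64_imm_encodes_to((int64_t)1 << 31, two_pow_31, sizeof two_pow_31);
}

int main(void)
{
    const int64_t samples[] = { -1, INT32_MAX, INT32_MIN, (int64_t)1 << 31, -((int64_t)1 << 40) };
    for (size_t s = 0; s < sizeof samples / sizeof samples[0]; s++) {
        uint8_t buf[16];
        size_t n = encode_store64_imm(buf, samples[s]);
        printf("%20lld -> %zu bytes:", (long long)samples[s], n);
        for (size_t i = 0; i < n; i++)
            printf(" %02X", buf[i]);
        printf("\n");
    }
    return store64_imm_selfcheck() ? 0 : 1;
}
```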

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for xchg_rr when one register is accumulator.
        <https://webkit.org/b/130004>

        Generate the 1-byte version of "xchg eax, reg" when possible.

        Reviewed by Benjamin Poulain.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::xchgl_rr):
        (JSC::X86Assembler::xchgq_rr):
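The accumulator short forms behind the add_ir, sub_ir, or_ir, xor_ir, cmp_ir and test_ir entries above, as an added worked example that is not JavaScriptCore code. When the destination is eax, x86 provides a one-byte opcode with no ModRM byte, so the instruction is one byte shorter (two when a REX.B prefix would otherwise be needed). The encoder below covers the 32-bit forms for registers 0..15; the encodings are the standard Intel ones, and the even shorter imm8 form (83 /digit ib) is a separate optimization not modelled here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not JavaScriptCore code. */

/* Values are the /digit used with opcode 81 (op r/m32, imm32). The matching
 * accumulator opcode is (digit << 3) | 0x05: add 05, or 0D, sub 2D, xor 35,
 * cmp 3D. TEST is not in the 81 group: it is F7 /0 with the short form A9. */
enum alu_op { ALU_ADD = 0, ALU_OR = 1, ALU_SUB = 5, ALU_XOR = 6, ALU_CMP = 7,
              ALU_TEST = 16 };

enum { X86_EAX = 0, X86_ECX = 1, X86_EDX = 2, X86_R9D = 9 };

static size_t put_le32(uint8_t *out, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        out[i] = (uint8_t)(v >> (8 * i));
    return 4;
}

/* Encodes "op reg32, imm32" for reg in 0..15 and returns the byte count. */
size_t encode_alu_imm32(uint8_t *out, enum alu_op op, unsigned reg, int32_t imm)
{
    size_t n = 0;
    if (reg == X86_EAX) {
        /* Accumulator short form: opcode only, the register is implicit. */
        out[n++] = (op == ALU_TEST) ? 0xA9 : (uint8_t)((op << 3) | 0x05);
    } else {
        if (reg >= 8)
            out[n++] = 0x41;            /* REX.B selects r8d..r15d */
        out[n++] = (op == ALU_TEST) ? 0xF7 : 0x81;
        unsigned digit = (op == ALU_TEST) ? 0 : (unsigned)op;
        /* ModRM with mod=11 (register direct), reg field = /digit, rm = reg */
        out[n++] = (uint8_t)(0xC0 | (digit << 3) | (reg & 7));
    }
    n += put_le32(out + n, (uint32_t)imm);
    return n;
}

/* Encoded length only: 5 for eax, 6 for ecx..edi, 7 for r8d..r15d. */
size_t alu_imm32_length(enum alu_op op, unsigned reg)
{
    uint8_t buf[8];
    return encode_alu_imm32(buf, op, reg, 0);
}

int alu_imm32_encodes_to(enum alu_op op, unsigned reg, int32_t imm,
                         const uint8_t *expected, size_t len)
{
    uint8_t buf[8];
    size_t n = encode_alu_imm32(buf, op, reg, imm);
    return n == len && memcmp(buf, expected, len) == 0;
}

/* Worked cases; returns 1 when every encoding matches the Intel manual. */
int alu_imm32_selfcheck(void)
{
    static const uint8_t add_eax[]  = { 0x05, 0x78, 0x56, 0x34, 0x12 };
    static const uint8_t add_ecx[]  = { 0x81, 0xC1, 0x78, 0x56, 0x34, 0x12 };
    static const uint8_t sub_r9d[]  = { 0x41, 0x81, 0xE9, 0x01, 0x00, 0x00, 0x00 };
    static const uint8_t cmp_eax[]  = { 0x3D, 0xFF, 0xFF, 0xFF, 0xFF };
    static const uint8_t test_eax[] = { 0xA9, 0x80, 0x00, 0x00, 0x00 };
    static const uint8_t test_edx[] = { 0xF7, 0xC2, 0x80, 0x00, 0x00, 0x00 };
    return alu_imm32_encodes_to(ALU_ADD, X86_EAX, 0x12345678, add_eax, sizeof add_eax)
        && alu_imm32_encodes_to(ALU_ADD, X86_ECX, 0x12345678, add_ecx, sizeof add_ecx)
        && alu_imm32_encodes_to(ALU_SUB, X86_R9D, 1, sub_r9d, sizeof sub_r9d)
        && alu_imm32_encodes_to(ALU_CMP, X86_EAX, -1, cmp_eax, sizeof cmp_eax)
        && alu_imm32_encodes_to(ALU_TEST, X86_EAX, 0x80, test_eax, sizeof test_eax)
        && alu_imm32_encodes_to(ALU_TEST, X86_EDX, 0x80, test_edx, sizeof test_edx);
}

int main(void)
{
    const enum alu_op ops[] = { ALU_ADD, ALU_OR, ALU_SUB, ALU_XOR, ALU_CMP, ALU_TEST };
    const unsigned regs[] = { X86_EAX, X86_ECX, X86_R9D };
    for (size_t o = 0; o < sizeof ops / sizeof ops[0]; o++) {
        for (size_t r = 0; r < sizeof regs / sizeof regs[0]; r++) {
            uint8_t buf[8];
            size_t n = encode_alu_imm32(buf, ops[o], regs[r], 0x12345678);
            printf("op=%2d reg=%2u -> %zu bytes:", (int)ops[o], regs[r], n);
            for (size_t i = 0; i < n; i++)
                printf(" %02X", buf[i]);
            printf("\n");
        }
    }
    return alu_imm32_selfcheck() ? 0 : 1;
}
```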

2014-03-09  Filip Pizlo  <fpizlo@apple.com>

        GPRInfo::toIndex should return InvalidIndex for non-temp registers on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=129998

        Reviewed by Geoffrey Garen.

        Not only is that the established contract, but this is used to signal to
        ScratchRegisterAllocator that the register doesn't need locking since it isn't a register
        that this allocator would use. In the FTL, we may have an inline cache where LLVM had used
        some non-temp register (i.e. a register that JSC itself wouldn't have used). This is totally
        fine but previously it would have led to either an assertion failure, or data corruption, in
        the ScratchRegisterAllocator.

        * jit/GPRInfo.h:
        (JSC::GPRInfo::toIndex):

2014-03-09  Filip Pizlo  <fpizlo@apple.com>

        FTL fails the new equals-masquerader strictEqualConstant test
        https://bugs.webkit.org/show_bug.cgi?id=129996

        Reviewed by Mark Lam.

        It turns out that the FTL was trying to do the masquerading stuff for ===null. But
        that's wrong since none of the other engines do it. The DFG even had an ancient
        FIXME about doing it - but that doesn't make sense since the LLInt and baseline JIT
        don't do it and JSValue::strictEqual() doesn't do it.

        Remove the FIXME and remove the extra checks in the FTL.

        This is a glorious patch: nothing but red and it fixes a test failure.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):

2014-03-09  Andreas Kling  <akling@apple.com>

        Short-circuit JSGlobalObjectInspectorController when not inspecting.
        <https://webkit.org/b/129995>

        Add an early return in reportAPIException() when the console agent
        is disabled. This avoids expensive symbolication during exceptions
        if there's nobody expecting the fancy backtrace anyway.

        ~2% progression on DYEB on my MBP.

        Reviewed by Geoff Garen.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):

2014-03-09  Andreas Kling  <akling@apple.com>

        Inline the trivial parts of GC deferral.
        <https://webkit.org/b/129984>

        Made most of the functions called by the DeferGC RAII object inline
        to avoid function call overhead.

        Looks like ~1% progression on DYEB.

        Reviewed by Geoffrey Garen.

        * heap/Heap.cpp:
        * heap/Heap.h:
        (JSC::Heap::incrementDeferralDepth):
        (JSC::Heap::decrementDeferralDepth):
        (JSC::Heap::collectIfNecessaryOrDefer):
        (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):

2014-03-08  Mark Lam  <mark.lam@apple.com>

        32-bit x86 handleUncaughtException returns to wrong location after a stack overflow.
        <https://webkit.org/b/129969>

        Reviewed by Geoffrey Garen.

        The 32-bit version of handleUncaughtException was missing the handling of an
        edge case for stack overflows where the current frame may already be the
        sentinel frame.  This edge case was handled in the 64-bit version.  The fix
        is to bring the 32-bit version up to parity.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * llint/LowLevelInterpreter32_64.asm:

2014-03-07  Mark Lam  <mark.lam@apple.com>

        Fix bugs in 32-bit Structure implementation.
        <https://webkit.org/b/129947>

        Reviewed by Mark Hahnenberg.

        Added the loading of the Structure (from the JSCell) before use that was
        missing in a few places.  Also added more test cases to equals-masquerader.js.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * llint/LowLevelInterpreter32_64.asm:
        * tests/stress/equals-masquerader.js:
        (equalsNull):
        (notEqualsNull):
        (strictEqualsNull):
        (strictNotEqualsNull):
        (equalsUndefined):
        (notEqualsUndefined):
        (strictEqualsUndefined):
        (strictNotEqualsUndefined):
        (isFalsey):
        (test):

2014-03-07  Andrew Trick  <atrick@apple.com>

        Temporarily disable repeat-out-of-bounds stress tests pending fix for 129953.
        https://bugs.webkit.org/show_bug.cgi?id=129954

        Reviewed by Filip Pizlo.

        * tests/stress/float32-repeat-out-of-bounds.js:
        * tests/stress/int8-repeat-out-of-bounds.js:

2014-03-07  Michael Saboff  <msaboff@apple.com>

        .cfi directives in LowLevelInterpreter.cpp are providing no benefit
        https://bugs.webkit.org/show_bug.cgi?id=129945

        Reviewed by Mark Lam.

        Removed .cfi directive.  Verified that stack traces didn't regress in crash reporter
        or in lldb.

        * llint/LowLevelInterpreter.cpp:

2014-03-07  Oliver Hunt  <oliver@apple.com>

        Continue hangs when performing for-of over arguments
        https://bugs.webkit.org/show_bug.cgi?id=129915

        Reviewed by Geoffrey Garen.

        Put the continue label in the right place

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEnumeration):

2014-03-07  peavo@outlook.com  <peavo@outlook.com>

        [Win64] Compile error after r165128.
        https://bugs.webkit.org/show_bug.cgi?id=129807

        Reviewed by Mark Lam.

        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
        Check platform environment variable to determine if an assembler file should be generated.

2014-03-07  Michael Saboff  <msaboff@apple.com>

        Clarify how we deal with "special" registers
        https://bugs.webkit.org/show_bug.cgi?id=129806

        Already reviewed change being relanded.

        Relanding change set r165196 as it wasn't responsible for the breakage reported in
        https://bugs.webkit.org/show_bug.cgi?id=129822.  That appears to be a build or
        configuration issue.

        Reviewed by Michael Saboff.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::lastRegister):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::nextRegister):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::restoreInto):
        * ftl/FTLSaveRestore.cpp:
        (JSC::FTL::saveAllRegisters):
        (JSC::FTL::restoreAllRegisters):
        * ftl/FTLSlowPathCall.cpp:
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::reservedHardwareRegisters):
        (JSC::RegisterSet::runtimeRegisters):
        (JSC::RegisterSet::specialRegisters):
        (JSC::RegisterSet::calleeSaveRegisters):
        * jit/RegisterSet.h:

2014-03-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        Move GCActivityCallback to heap
        https://bugs.webkit.org/show_bug.cgi?id=129457

        Reviewed by Geoffrey Garen.

        All the other GC timer related stuff is there already.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/GCActivityCallback.cpp: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.cpp.
        * heap/GCActivityCallback.h: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.h.
        * runtime/GCActivityCallback.cpp: Removed.
        * runtime/GCActivityCallback.h: Removed.

2014-03-07  Andrew Trick  <atrick@apple.com>

        Correct a comment typo from:
        FLT should call fmod directly on platforms where LLVM cannot relocate the libcall
        https://bugs.webkit.org/show_bug.cgi?id=129865

        Reviewed by Mark Lam.

        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleRem):

2014-03-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        Use OwnPtr in StructureIDTable
        https://bugs.webkit.org/show_bug.cgi?id=129828

        Reviewed by Geoffrey Garen.

        This reduces the amount of boilerplate and fixes a memory leak.

        * runtime/StructureIDTable.cpp:
        (JSC::StructureIDTable::StructureIDTable):
        (JSC::StructureIDTable::resize):
        (JSC::StructureIDTable::flushOldTables):
        (JSC::StructureIDTable::allocateID):
        (JSC::StructureIDTable::deallocateID):
        * runtime/StructureIDTable.h:
        (JSC::StructureIDTable::table):
        (JSC::StructureIDTable::get):

2014-03-07  Andrew Trick  <atrick@apple.com>

        FLT should call fmod directly on platforms where LLVM cannot relocate the libcall
        https://bugs.webkit.org/show_bug.cgi?id=129865

        Reviewed by Filip Pizlo.

        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleRem):

2014-03-06  Filip Pizlo  <fpizlo@apple.com>

        If the FTL is build-time enabled then it should be run-time enabled.

        Rubber stamped by Geoffrey Garen.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2014-03-06  Joseph Pecoraro  <pecoraro@apple.com>

        [OS X] Web Inspector: Allow Apps using JavaScriptCore to access "com.apple.webinspector" mach port
        https://bugs.webkit.org/show_bug.cgi?id=129852

        Reviewed by Geoffrey Garen.

        * framework.sb: Added.
        Sandbox extension to allow access to "com.apple.webinspector".

        * JavaScriptCore.xcodeproj/project.pbxproj:
833         Add a Copy Resources build phase and include framework.sb.
834
835         * Configurations/JavaScriptCore.xcconfig:
836         Do not copy framework.sb on iOS.
837
838 2014-03-06  Mark Hahnenberg  <mhahnenberg@apple.com>
839
840         JSGlobalContextRelease incorrectly handles saving/restoring IdentifierTable
841         https://bugs.webkit.org/show_bug.cgi?id=129858
842
843         Reviewed by Mark Lam.
844
845         It was correct (but really ugly) prior to the combining of APIEntryShim and JSLock, 
846         but now it ends up overwriting the IdentifierTable that JSLock just restored.
847
848         * API/JSContextRef.cpp:
849         (JSGlobalContextRelease):
850
851 2014-03-06  Oliver Hunt  <oliver@apple.com>
852
853         Fix FTL build.
854
855         * dfg/DFGConstantFoldingPhase.cpp:
856         (JSC::DFG::ConstantFoldingPhase::foldConstants):
857
858 2014-03-06  Brent Fulgham  <bfulgham@apple.com>
859
860         Unreviewed build fix after r165128.
861
862         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: The SEH flag was not getting set when
863         performing 'Production' and 'DebugSuffix' type builds.
864
865 2014-03-06  Julien Brianceau  <jbriance@cisco.com>
866
867         Unreviewed, fix style in my previous commit.
868         https://bugs.webkit.org/show_bug.cgi?id=129833
869
870         * runtime/JSConsole.cpp:
871
872 2014-03-06  Julien Brianceau  <jbriance@cisco.com>
873
874         Build fix: add missing include in JSConsole.cpp.
875         https://bugs.webkit.org/show_bug.cgi?id=129833
876
877         Reviewed by Oliver Hunt.
878
879         * runtime/JSConsole.cpp:
880
881 2014-03-06  Oliver Hunt  <oliver@apple.com>
882
883         Fix ARMv7
884
885         * jit/CCallHelpers.h:
886         (JSC::CCallHelpers::setupArgumentsWithExecState):
887
888 2014-03-06  Commit Queue  <commit-queue@webkit.org>
889
890         Unreviewed, rolling out r165196.
891         http://trac.webkit.org/changeset/165196
892         https://bugs.webkit.org/show_bug.cgi?id=129822
893
894         broke arm64 on hardware (Requested by bfulgham on #webkit).
895
896         * assembler/ARM64Assembler.h:
897         (JSC::ARM64Assembler::lastRegister):
898         * assembler/MacroAssembler.h:
899         (JSC::MacroAssembler::isStackRelated):
900         (JSC::MacroAssembler::firstRealRegister):
901         (JSC::MacroAssembler::nextRegister):
902         (JSC::MacroAssembler::secondRealRegister):
903         * ftl/FTLLocation.cpp:
904         (JSC::FTL::Location::restoreInto):
905         * ftl/FTLSaveRestore.cpp:
906         (JSC::FTL::saveAllRegisters):
907         (JSC::FTL::restoreAllRegisters):
908         * ftl/FTLSlowPathCall.cpp:
909         * jit/RegisterSet.cpp:
910         (JSC::RegisterSet::specialRegisters):
911         (JSC::RegisterSet::calleeSaveRegisters):
912         * jit/RegisterSet.h:
913
914 2014-03-06  Mark Lam  <mark.lam@apple.com>
915
916         REGRESSION(r165205): broke the CLOOP build (Requested by smfr on #webkit).
917         <https://webkit.org/b/129813>
918
919         Reviewed by Michael Saboff.
920
921         Fixed broken C loop LLINT build.
922
923         * llint/LowLevelInterpreter.cpp:
924         (JSC::CLoop::execute):
925         * offlineasm/cloop.rb:
926
927 2014-03-03  Oliver Hunt  <oliver@apple.com>
928
929         Support caching of custom setters
930         https://bugs.webkit.org/show_bug.cgi?id=129519
931
932         Reviewed by Filip Pizlo.
933
934         This patch adds caching of assignment to properties that
935         are backed by C functions. This provides most of the leg
936         work required to start supporting setters, and resolves
937         the remaining regressions from moving DOM properties up
938         the prototype chain.
939
940         * JavaScriptCore.xcodeproj/project.pbxproj:
941         * bytecode/PolymorphicPutByIdList.cpp:
942         (JSC::PutByIdAccess::visitWeak):
943         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
944         (JSC::PolymorphicPutByIdList::from):
945         * bytecode/PolymorphicPutByIdList.h:
946         (JSC::PutByIdAccess::transition):
947         (JSC::PutByIdAccess::replace):
948         (JSC::PutByIdAccess::customSetter):
949         (JSC::PutByIdAccess::isCustom):
950         (JSC::PutByIdAccess::oldStructure):
951         (JSC::PutByIdAccess::chain):
952         (JSC::PutByIdAccess::stubRoutine):
953         * bytecode/PutByIdStatus.cpp:
954         (JSC::PutByIdStatus::computeForStubInfo):
955         (JSC::PutByIdStatus::computeFor):
956         (JSC::PutByIdStatus::dump):
957         * bytecode/PutByIdStatus.h:
958         (JSC::PutByIdStatus::PutByIdStatus):
959         (JSC::PutByIdStatus::takesSlowPath):
960         (JSC::PutByIdStatus::makesCalls):
961         * bytecode/StructureStubInfo.h:
962         * dfg/DFGAbstractInterpreterInlines.h:
963         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
964         * dfg/DFGByteCodeParser.cpp:
965         (JSC::DFG::ByteCodeParser::emitPutById):
966         (JSC::DFG::ByteCodeParser::handlePutById):
967         * dfg/DFGClobberize.h:
968         (JSC::DFG::clobberize):
969         * dfg/DFGCommon.h:
970         * dfg/DFGConstantFoldingPhase.cpp:
971         (JSC::DFG::ConstantFoldingPhase::foldConstants):
972         * dfg/DFGFixupPhase.cpp:
973         (JSC::DFG::FixupPhase::fixupNode):
974         * dfg/DFGNode.h:
975         (JSC::DFG::Node::hasIdentifier):
976         * dfg/DFGNodeType.h:
977         * dfg/DFGPredictionPropagationPhase.cpp:
978         (JSC::DFG::PredictionPropagationPhase::propagate):
979         * dfg/DFGSafeToExecute.h:
980         (JSC::DFG::safeToExecute):
981         * dfg/DFGSpeculativeJIT.cpp:
982         (JSC::DFG::SpeculativeJIT::compileIn):
983         * dfg/DFGSpeculativeJIT.h:
984         * dfg/DFGSpeculativeJIT32_64.cpp:
985         (JSC::DFG::SpeculativeJIT::cachedGetById):
986         (JSC::DFG::SpeculativeJIT::cachedPutById):
987         (JSC::DFG::SpeculativeJIT::compile):
988         * dfg/DFGSpeculativeJIT64.cpp:
989         (JSC::DFG::SpeculativeJIT::cachedGetById):
990         (JSC::DFG::SpeculativeJIT::cachedPutById):
991         (JSC::DFG::SpeculativeJIT::compile):
992         * jit/CCallHelpers.h:
993         (JSC::CCallHelpers::setupArgumentsWithExecState):
994         * jit/JITInlineCacheGenerator.cpp:
995         (JSC::JITByIdGenerator::JITByIdGenerator):
996         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
997         * jit/JITInlineCacheGenerator.h:
998         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
999         * jit/JITOperations.cpp:
1000         * jit/JITOperations.h:
1001         * jit/JITPropertyAccess.cpp:
1002         (JSC::JIT::emit_op_get_by_id):
1003         (JSC::JIT::emit_op_put_by_id):
1004         * jit/JITPropertyAccess32_64.cpp:
1005         (JSC::JIT::emit_op_get_by_id):
1006         (JSC::JIT::emit_op_put_by_id):
1007         * jit/Repatch.cpp:
1008         (JSC::tryCacheGetByID):
1009         (JSC::tryBuildGetByIDList):
1010         (JSC::emitCustomSetterStub):
1011         (JSC::tryCachePutByID):
1012         (JSC::tryBuildPutByIdList):
1013         * jit/SpillRegistersMode.h: Added.
1014         * llint/LLIntSlowPaths.cpp:
1015         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1016         * runtime/Lookup.h:
1017         (JSC::putEntry):
1018         * runtime/PutPropertySlot.h:
1019         (JSC::PutPropertySlot::setCacheableCustomProperty):
1020         (JSC::PutPropertySlot::customSetter):
1021         (JSC::PutPropertySlot::isCacheablePut):
1022         (JSC::PutPropertySlot::isCacheableCustomProperty):
1023         (JSC::PutPropertySlot::cachedOffset):
1024
1025 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
1026
1027         FTL arity fixup should work on ARM64
1028         https://bugs.webkit.org/show_bug.cgi?id=129810
1029
1030         Reviewed by Michael Saboff.
1031         
1032         - Using regT5 to pass the thunk return address to arityFixup is shady since that's a
1033           callee-save.
1034         
1035         - The FTL path was assuming X86 conventions for where SP points at the top of the prologue.
1036         
1037         This makes some more tests pass.
1038
1039         * dfg/DFGJITCompiler.cpp:
1040         (JSC::DFG::JITCompiler::compileFunction):
1041         * ftl/FTLLink.cpp:
1042         (JSC::FTL::link):
1043         * jit/AssemblyHelpers.h:
1044         (JSC::AssemblyHelpers::prologueStackPointerDelta):
1045         * jit/JIT.cpp:
1046         (JSC::JIT::privateCompile):
1047         * jit/ThunkGenerators.cpp:
1048         (JSC::arityFixup):
1049         * llint/LowLevelInterpreter64.asm:
1050         * offlineasm/arm64.rb:
1051         * offlineasm/x86.rb: In addition to the t7 change, make t6 agree with GPRInfo.h.
1052
1053 2014-03-06  Mark Hahnenberg  <mhahnenberg@apple.com>
1054
1055         Fix write barriers in Repatch.cpp for !ENABLE(DFG_JIT) platforms after r165128
1056         https://bugs.webkit.org/show_bug.cgi?id=129760
1057
1058         Reviewed by Geoffrey Garen.
1059
1060         r165128 disabled the write barrier fast path for inline caches on !ENABLE(DFG_JIT) platforms. 
1061         The fix is to refactor the write barrier code into AssemblyHelpers and use that everywhere.
1062
1063         * dfg/DFGSpeculativeJIT.cpp:
1064         (JSC::DFG::SpeculativeJIT::writeBarrier):
1065         * dfg/DFGSpeculativeJIT.h:
1066         * dfg/DFGSpeculativeJIT32_64.cpp:
1067         (JSC::DFG::SpeculativeJIT::writeBarrier):
1068         * dfg/DFGSpeculativeJIT64.cpp:
1069         (JSC::DFG::SpeculativeJIT::writeBarrier):
1070         * jit/AssemblyHelpers.h:
1071         (JSC::AssemblyHelpers::checkMarkByte):
1072         * jit/JIT.h:
1073         * jit/JITPropertyAccess.cpp:
1074         * jit/Repatch.cpp:
1075         (JSC::writeBarrier):
1076
1077 2014-03-06  Joseph Pecoraro  <pecoraro@apple.com>
1078
1079         Web Inspector: Expose the console object in JSContexts to interact with Web Inspector
1080         https://bugs.webkit.org/show_bug.cgi?id=127944
1081
1082         Reviewed by Geoffrey Garen.
1083
1084         Always expose the Console object in JSContexts, just like we
1085         do for web pages. The default behavior will route to an
1086         attached JSContext inspector. This can be overridden by
1087         setting the ConsoleClient on the JSGlobalObject, which WebCore
1088         does to get slightly different behavior.
1089
1090         * CMakeLists.txt:
1091         * GNUmakefile.list.am:
1092         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1093         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1094         * JavaScriptCore.xcodeproj/project.pbxproj:
1095         Update build systems.
1096
1097         * API/tests/testapi.js:
1098         * API/tests/testapi.mm:
1099         Test that "console" exists in C and ObjC contexts.
1100
1101         * runtime/ConsoleClient.cpp: Added.
1102         (JSC::ConsoleClient::printURLAndPosition):
1103         (JSC::ConsoleClient::printMessagePrefix):
1104         (JSC::ConsoleClient::printConsoleMessage):
1105         (JSC::ConsoleClient::printConsoleMessageWithArguments):
1106         (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
1107         (JSC::ConsoleClient::logWithLevel):
1108         (JSC::ConsoleClient::clear):
1109         (JSC::ConsoleClient::dir):
1110         (JSC::ConsoleClient::dirXML):
1111         (JSC::ConsoleClient::table):
1112         (JSC::ConsoleClient::trace):
1113         (JSC::ConsoleClient::assertCondition):
1114         (JSC::ConsoleClient::group):
1115         (JSC::ConsoleClient::groupCollapsed):
1116         (JSC::ConsoleClient::groupEnd):
1117         * runtime/ConsoleClient.h: Added.
1118         (JSC::ConsoleClient::~ConsoleClient):
1119         New private interface for handling the console object's methods.
1120         A lot of the methods funnel through messageWithTypeAndLevel.
1121
1122         * runtime/ConsoleTypes.h: Renamed from Source/JavaScriptCore/inspector/ConsoleTypes.h.
1123         Moved to JSC namespace.
1124
1125         * runtime/JSGlobalObject.cpp:
1126         (JSC::JSGlobalObject::JSGlobalObject):
1127         (JSC::JSGlobalObject::init):
1128         (JSC::JSGlobalObject::reset):
1129         (JSC::JSGlobalObject::visitChildren):
1130         Create the "console" object when initializing the environment.
1131         Also set the default console client to be the JS context inspector.
1132
1133         * runtime/JSGlobalObject.h:
1134         (JSC::JSGlobalObject::setConsoleClient):
1135         (JSC::JSGlobalObject::consoleClient):
1136         Ability to change the console client, so WebCore can set a custom client.
1137
1138         * runtime/ConsolePrototype.cpp: Added.
1139         (JSC::ConsolePrototype::finishCreation):
1140         (JSC::valueToStringWithUndefinedOrNullCheck):
1141         (JSC::consoleLogWithLevel):
1142         (JSC::consoleProtoFuncDebug):
1143         (JSC::consoleProtoFuncError):
1144         (JSC::consoleProtoFuncLog):
1145         (JSC::consoleProtoFuncWarn):
1146         (JSC::consoleProtoFuncClear):
1147         (JSC::consoleProtoFuncDir):
1148         (JSC::consoleProtoFuncDirXML):
1149         (JSC::consoleProtoFuncTable):
1150         (JSC::consoleProtoFuncTrace):
1151         (JSC::consoleProtoFuncAssert):
1152         (JSC::consoleProtoFuncCount):
1153         (JSC::consoleProtoFuncProfile):
1154         (JSC::consoleProtoFuncProfileEnd):
1155         (JSC::consoleProtoFuncTime):
1156         (JSC::consoleProtoFuncTimeEnd):
1157         (JSC::consoleProtoFuncTimeStamp):
1158         (JSC::consoleProtoFuncGroup):
1159         (JSC::consoleProtoFuncGroupCollapsed):
1160         (JSC::consoleProtoFuncGroupEnd):
1161         * runtime/ConsolePrototype.h: Added.
1162         (JSC::ConsolePrototype::create):
1163         (JSC::ConsolePrototype::createStructure):
1164         (JSC::ConsolePrototype::ConsolePrototype):
1165         Define the console object interface. Parse out required / expected
1166         arguments and throw exceptions when methods are misused.
1167
1168         * runtime/JSConsole.cpp: Added.
1169         * runtime/JSConsole.h: Added.
1170         (JSC::JSConsole::createStructure):
1171         (JSC::JSConsole::create):
1172         (JSC::JSConsole::JSConsole):
1173         Empty "console" object. Everything is in the prototype.
1174
1175         * inspector/JSConsoleClient.cpp: Added.
1176         (Inspector::JSConsoleClient::JSGlobalObjectConsole):
1177         (Inspector::JSConsoleClient::count):
1178         (Inspector::JSConsoleClient::profile):
1179         (Inspector::JSConsoleClient::profileEnd):
1180         (Inspector::JSConsoleClient::time):
1181         (Inspector::JSConsoleClient::timeEnd):
1182         (Inspector::JSConsoleClient::timeStamp):
1183         (Inspector::JSConsoleClient::warnUnimplemented):
1184         (Inspector::JSConsoleClient::internalAddMessage):
1185         * inspector/JSConsoleClient.h: Added.
1186         * inspector/JSGlobalObjectInspectorController.cpp:
1187         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1188         (Inspector::JSGlobalObjectInspectorController::consoleClient):
1189         * inspector/JSGlobalObjectInspectorController.h:
1190         Default JSContext ConsoleClient implementation. Handle nearly
1191         everything except profile/profileEnd and timeStamp.
1192
1193 2014-03-06  Andreas Kling  <akling@apple.com>
1194
1195         Drop unlinked function code on memory pressure.
1196         <https://webkit.org/b/129789>
1197
1198         Make VM::discardAllCode() also drop UnlinkedFunctionCodeBlocks that
1199         are not currently being compiled.
1200
1201         4.5 MB progression on Membuster.
1202
1203         Reviewed by Geoffrey Garen.
1204
1205         * heap/Heap.cpp:
1206         (JSC::Heap::deleteAllUnlinkedFunctionCode):
1207         * heap/Heap.h:
1208         * runtime/VM.cpp:
1209         (JSC::VM::discardAllCode):
1210
1211 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
1212
1213         Clarify how we deal with "special" registers
1214         https://bugs.webkit.org/show_bug.cgi?id=129806
1215
1216         Reviewed by Michael Saboff.
1217         
1218         Previously we had two different places that defined what "stack" registers are, a thing
1219         called "specialRegisters" that had unclear meaning, and a really weird "firstRealRegister"/
1220         "secondRealRegister"/"nextRegister" idiom in MacroAssembler that appeared to only be used by
1221         one place and had a baked-in notion of what it meant for a register to be "real" or not.
1222         
1223         It's not cool to use words like "real" and "special" to describe registers, especially if you
1224         fail to qualify what that means. This originally made sense on X86 - "real" registers were
1225         the ones that weren't "stack related" (so "real" was the opposite of "stack"). But on ARM64,
1226         you also have to worry about the LR register, which we'd want to say is "not real" but it's
1227         also not a "stack" register. This got super confusing.
1228         
1229         So, this patch removes any mention of "real" registers, consolidates the knowledge of what is
1230         a "stack" register, and uses the word special only in places where it's clearly defined and
1231         where no better word comes to mind.
1232         
1233         This cleans up the code and fixes what seems like it was probably a harmless ARM64 bug: the
1234         Reg and RegisterSet data structures would sometimes think that FP was Q0. Somehow this
1235         magically didn't break anything because you never need to save/restore either FP or Q0, but
1236         it was still super weird.
1237
1238         * assembler/ARM64Assembler.h:
1239         (JSC::ARM64Assembler::lastRegister):
1240         * assembler/MacroAssembler.h:
1241         (JSC::MacroAssembler::nextRegister):
1242         * ftl/FTLLocation.cpp:
1243         (JSC::FTL::Location::restoreInto):
1244         * ftl/FTLSaveRestore.cpp:
1245         (JSC::FTL::saveAllRegisters):
1246         (JSC::FTL::restoreAllRegisters):
1247         * ftl/FTLSlowPathCall.cpp:
1248         * jit/RegisterSet.cpp:
1249         (JSC::RegisterSet::reservedHardwareRegisters):
1250         (JSC::RegisterSet::runtimeRegisters):
1251         (JSC::RegisterSet::specialRegisters):
1252         (JSC::RegisterSet::calleeSaveRegisters):
1253         * jit/RegisterSet.h:
1254
1255 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
1256
1257         Unreviewed, fix build.
1258
1259         * disassembler/ARM64Disassembler.cpp:
1260
1261 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
1262
1263         Use the LLVM disassembler on ARM64 if we are enabling the FTL
1264         https://bugs.webkit.org/show_bug.cgi?id=129785
1265
1266         Reviewed by Geoffrey Garen.
1267         
1268         Our disassembler can't handle some of the code sequences that LLVM emits. LLVM's disassembler
1269         is strictly more capable at this point. Use it if it's available.
1270
1271         * disassembler/ARM64Disassembler.cpp:
1272         (JSC::tryToDisassemble):
1273
1274 2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>
1275
1276         Web Inspector: Reduce RWI message frequency
1277         https://bugs.webkit.org/show_bug.cgi?id=129767
1278
1279         Reviewed by Timothy Hatcher.
1280
1281         This used to be 0.2s and changed by accident to 0.02s.
1282
1283         * inspector/remote/RemoteInspector.mm:
1284         (Inspector::RemoteInspector::pushListingSoon):
1285
1286 2014-03-05  Commit Queue  <commit-queue@webkit.org>
1287
1288         Unreviewed, rolling out r165141, r165157, and r165158.
1289         http://trac.webkit.org/changeset/165141
1290         http://trac.webkit.org/changeset/165157
1291         http://trac.webkit.org/changeset/165158
1292         https://bugs.webkit.org/show_bug.cgi?id=129772
1293
1294         "broke ftl" (Requested by olliej_ on #webkit).
1295
1296         * JavaScriptCore.xcodeproj/project.pbxproj:
1297         * bytecode/PolymorphicPutByIdList.cpp:
1298         (JSC::PutByIdAccess::visitWeak):
1299         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
1300         (JSC::PolymorphicPutByIdList::from):
1301         * bytecode/PolymorphicPutByIdList.h:
1302         (JSC::PutByIdAccess::transition):
1303         (JSC::PutByIdAccess::replace):
1304         (JSC::PutByIdAccess::oldStructure):
1305         (JSC::PutByIdAccess::chain):
1306         (JSC::PutByIdAccess::stubRoutine):
1307         * bytecode/PutByIdStatus.cpp:
1308         (JSC::PutByIdStatus::computeForStubInfo):
1309         (JSC::PutByIdStatus::computeFor):
1310         (JSC::PutByIdStatus::dump):
1311         * bytecode/PutByIdStatus.h:
1312         (JSC::PutByIdStatus::PutByIdStatus):
1313         (JSC::PutByIdStatus::takesSlowPath):
1314         * bytecode/StructureStubInfo.h:
1315         * dfg/DFGAbstractInterpreterInlines.h:
1316         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1317         * dfg/DFGByteCodeParser.cpp:
1318         (JSC::DFG::ByteCodeParser::emitPutById):
1319         (JSC::DFG::ByteCodeParser::handlePutById):
1320         * dfg/DFGClobberize.h:
1321         (JSC::DFG::clobberize):
1322         * dfg/DFGCommon.h:
1323         * dfg/DFGConstantFoldingPhase.cpp:
1324         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1325         * dfg/DFGFixupPhase.cpp:
1326         (JSC::DFG::FixupPhase::fixupNode):
1327         * dfg/DFGNode.h:
1328         (JSC::DFG::Node::hasIdentifier):
1329         * dfg/DFGNodeType.h:
1330         * dfg/DFGPredictionPropagationPhase.cpp:
1331         (JSC::DFG::PredictionPropagationPhase::propagate):
1332         * dfg/DFGSafeToExecute.h:
1333         (JSC::DFG::safeToExecute):
1334         * dfg/DFGSpeculativeJIT.cpp:
1335         (JSC::DFG::SpeculativeJIT::compileIn):
1336         * dfg/DFGSpeculativeJIT.h:
1337         * dfg/DFGSpeculativeJIT32_64.cpp:
1338         (JSC::DFG::SpeculativeJIT::cachedGetById):
1339         (JSC::DFG::SpeculativeJIT::cachedPutById):
1340         (JSC::DFG::SpeculativeJIT::compile):
1341         * dfg/DFGSpeculativeJIT64.cpp:
1342         (JSC::DFG::SpeculativeJIT::cachedGetById):
1343         (JSC::DFG::SpeculativeJIT::cachedPutById):
1344         (JSC::DFG::SpeculativeJIT::compile):
1345         * ftl/FTLCompile.cpp:
1346         (JSC::FTL::fixFunctionBasedOnStackMaps):
1347         * jit/CCallHelpers.h:
1348         (JSC::CCallHelpers::setupArgumentsWithExecState):
1349         * jit/JITInlineCacheGenerator.cpp:
1350         (JSC::JITByIdGenerator::JITByIdGenerator):
1351         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1352         * jit/JITInlineCacheGenerator.h:
1353         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1354         * jit/JITOperations.cpp:
1355         * jit/JITOperations.h:
1356         * jit/JITPropertyAccess.cpp:
1357         (JSC::JIT::emit_op_get_by_id):
1358         (JSC::JIT::emit_op_put_by_id):
1359         * jit/JITPropertyAccess32_64.cpp:
1360         (JSC::JIT::emit_op_get_by_id):
1361         (JSC::JIT::emit_op_put_by_id):
1362         * jit/Repatch.cpp:
1363         (JSC::tryCacheGetByID):
1364         (JSC::tryBuildGetByIDList):
1365         (JSC::tryCachePutByID):
1366         (JSC::tryBuildPutByIdList):
1367         * jit/SpillRegistersMode.h: Removed.
1368         * llint/LLIntSlowPaths.cpp:
1369         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1370         * runtime/Lookup.h:
1371         (JSC::putEntry):
1372         * runtime/PutPropertySlot.h:
1373         (JSC::PutPropertySlot::isCacheable):
1374         (JSC::PutPropertySlot::cachedOffset):
1375
1376 2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>
1377
1378         Web Inspector: Prevent possible deadlock in view indication
1379         https://bugs.webkit.org/show_bug.cgi?id=129766
1380
1381         Reviewed by Geoffrey Garen.
1382
1383         * inspector/remote/RemoteInspector.mm:
1384         (Inspector::RemoteInspector::receivedIndicateMessage):
1385
1386 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
1387
1388         JSObject::fastGetOwnPropertySlot does a slow check for OverridesGetOwnPropertySlot
1389         https://bugs.webkit.org/show_bug.cgi?id=129754
1390
1391         Reviewed by Geoffrey Garen.
1392
1393         InlineTypeFlags are stored in JSCell, so we can just load those instead of going through the TypeInfo.
1394
1395         * runtime/JSCell.h:
1396         (JSC::JSCell::inlineTypeFlags):
1397         * runtime/JSObject.h:
1398         (JSC::JSObject::fastGetOwnPropertySlot):
1399         * runtime/JSTypeInfo.h:
1400         (JSC::TypeInfo::TypeInfo):
1401         (JSC::TypeInfo::overridesGetOwnPropertySlot):
1402
1403 2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>
1404
1405         Web Inspector: ASSERTION FAILED: m_javaScriptBreakpoints.isEmpty()
1406         https://bugs.webkit.org/show_bug.cgi?id=129763
1407
1408         Reviewed by Geoffrey Garen.
1409
1410         Clear the list of all breakpoints, including unresolved breakpoints.
1411
1412         * inspector/agents/InspectorDebuggerAgent.cpp:
1413         (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
1414
1415 2014-03-05  Mark Lam  <mark.lam@apple.com>
1416
1417         llint_slow_path_check_has_instance() should not adjust PC before accessing operands.
1418         <https://webkit.org/b/129768>
1419
1420         Reviewed by Mark Hahnenberg.
1421
1422         When evaluating "a instanceof b" where b is an object that ImplementsHasInstance
1423         and OverridesHasInstance (e.g. a bound function), the LLINT will take the slow
1424         path llint_slow_path_check_has_instance(), and execute a code path that does the
1425         following:
1426         1. Adjusts the byte code PC to the jump target PC.
1427         2. For the purpose of storing the result, get the result registerIndex from the
1428            1st operand using the PC as if the PC is still pointing to op_check_has_instance
1429            bytecode.
1430
1431         The result is that whatever value resides after where the jump target PC is will
1432         be used as a result register value.  Depending on what that value is, the result
1433         can be:
1434         1. the code coincidently works correctly
1435         2. memory corruption
1436         3. crashes
1437
1438         The fix is to only adjust the byte code PC after we have stored the result.
1439         
1440         * llint/LLIntSlowPaths.cpp:
1441         (llint_slow_path_check_has_instance):
1442
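The PC-ordering bug this entry describes, as an added illustration in a constructed toy bytecode interpreter (not JSC's code): the buggy slow path advances pc to the jump target before reading the dst operand, so the result is stored through whatever integer happens to follow the target, while the fixed version stores first and jumps afterwards. The opcode names, operand layout, register count and program below are assumptions made for the example; the bounds check in store_register is what turns the out-of-range write into a reported status instead of the memory corruption an unchecked VM would suffer.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy bytecode (NOT JSC's): each instruction is a run of ints, opcode first.
 * check_has_instance mirrors the operand shape the entry talks about:
 *   opcode, dst, value, constructor, jump offset (in ints, relative to the instruction). */
enum { OP_CHECK_HAS_INSTANCE = 1, OP_MOV = 2, OP_END = 3 };

#define NUM_REGISTERS 8

typedef enum { STORE_OK = 0, STORE_OUT_OF_BOUNDS = 1 } StoreStatus;

typedef struct {
    int registers[NUM_REGISTERS];
    const int *pc;
} VM;

/* Constructed program: the slow path at index 0 jumps +8 to OP_END; the 42 after END
 * stands in for "whatever value resides after where the jump target PC is". */
static const int program[] = {
    OP_CHECK_HAS_INSTANCE, 0, 1, 2, 8,   /* index 0..4: dst=r0, value=r1, constructor=r2, jump +8 */
    OP_MOV, 3, 1,                        /* index 5..7: skipped when the jump is taken */
    OP_END, 42,                          /* index 8..9 */
};

/* Stand-in for the overridden hasInstance check; deterministic and irrelevant to the bug. */
static int slow_has_instance(int value, int constructor) {
    return value == constructor;
}

/* Bounds-checked register store. An unchecked VM would write out of bounds here,
 * which is the "memory corruption / crashes" outcome the entry describes. */
static StoreStatus store_register(VM *vm, int index, int value) {
    if (index < 0 || index >= NUM_REGISTERS)
        return STORE_OUT_OF_BOUNDS;
    vm->registers[index] = value;
    return STORE_OK;
}

/* Buggy ordering: adjust pc to the jump target, then read the dst operand as if pc
 * still pointed at check_has_instance. dst is now read from program[9] == 42. */
static StoreStatus buggy_check_has_instance(VM *vm) {
    int result = slow_has_instance(vm->registers[vm->pc[2]], vm->registers[vm->pc[3]]);
    vm->pc += vm->pc[4];
    return store_register(vm, vm->pc[1], result);
}

/* Fixed ordering: store the result through the real dst operand first, then jump. */
static StoreStatus fixed_check_has_instance(VM *vm) {
    int result = slow_has_instance(vm->registers[vm->pc[2]], vm->registers[vm->pc[3]]);
    StoreStatus status = store_register(vm, vm->pc[1], result);
    vm->pc += vm->pc[4];
    return status;
}

/* Resets the VM, sets r1 == r2 so hasInstance yields 1, and runs one slow path. */
static StoreStatus run_slow_path(VM *vm, int use_fix) {
    memset(vm, 0, sizeof *vm);
    vm->registers[1] = 7;
    vm->registers[2] = 7;
    vm->pc = program;
    return use_fix ? fixed_check_has_instance(vm) : buggy_check_has_instance(vm);
}

int main(void) {
    VM vm;
    StoreStatus s = run_slow_path(&vm, 0);
    printf("buggy: status=%d r0=%d pc=%ld\n", s, vm.registers[0], (long)(vm.pc - program));
    s = run_slow_path(&vm, 1);
    printf("fixed: status=%d r0=%d pc=%ld\n", s, vm.registers[0], (long)(vm.pc - program));
    return 0;
}
```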
1443 2014-03-05  Ryosuke Niwa  <rniwa@webkit.org>
1444
1445         Another build fix attempt after r165141.
1446
1447         * ftl/FTLCompile.cpp:
1448         (JSC::FTL::fixFunctionBasedOnStackMaps):
1449
1450 2014-03-05  Ryosuke Niwa  <rniwa@webkit.org>
1451
1452         FTL build fix attempt after r165141.
1453
1454         * ftl/FTLCompile.cpp:
1455         (JSC::FTL::fixFunctionBasedOnStackMaps):
1456
1457 2014-03-05  Gavin Barraclough  <barraclough@apple.com>
1458
1459         https://bugs.webkit.org/show_bug.cgi?id=128625
1460         Add fast mapping from StringImpl to JSString
1461
1462         Unreviewed roll-out.
1463
1464         Reverting r164347, r165054, r165066 - not clear the performance tradeoff was right.
1465
1466         * runtime/JSString.cpp:
1467         * runtime/JSString.h:
1468         * runtime/VM.cpp:
1469         (JSC::VM::createLeaked):
1470         * runtime/VM.h:
1471
1472 2014-03-03  Oliver Hunt  <oliver@apple.com>
1473
1474         Support caching of custom setters
1475         https://bugs.webkit.org/show_bug.cgi?id=129519
1476
1477         Reviewed by Filip Pizlo.
1478
1479         This patch adds caching of assignment to properties that
1480         are backed by C functions. This provides most of the leg
1481         work required to start supporting setters, and resolves
1482         the remaining regressions from moving DOM properties up
1483         the prototype chain.
1484
1485         * JavaScriptCore.xcodeproj/project.pbxproj:
1486         * bytecode/PolymorphicPutByIdList.cpp:
1487         (JSC::PutByIdAccess::visitWeak):
1488         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
1489         (JSC::PolymorphicPutByIdList::from):
1490         * bytecode/PolymorphicPutByIdList.h:
1491         (JSC::PutByIdAccess::transition):
1492         (JSC::PutByIdAccess::replace):
1493         (JSC::PutByIdAccess::customSetter):
1494         (JSC::PutByIdAccess::isCustom):
1495         (JSC::PutByIdAccess::oldStructure):
1496         (JSC::PutByIdAccess::chain):
1497         (JSC::PutByIdAccess::stubRoutine):
1498         * bytecode/PutByIdStatus.cpp:
1499         (JSC::PutByIdStatus::computeForStubInfo):
1500         (JSC::PutByIdStatus::computeFor):
1501         (JSC::PutByIdStatus::dump):
1502         * bytecode/PutByIdStatus.h:
1503         (JSC::PutByIdStatus::PutByIdStatus):
1504         (JSC::PutByIdStatus::takesSlowPath):
1505         (JSC::PutByIdStatus::makesCalls):
1506         * bytecode/StructureStubInfo.h:
1507         * dfg/DFGAbstractInterpreterInlines.h:
1508         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1509         * dfg/DFGByteCodeParser.cpp:
1510         (JSC::DFG::ByteCodeParser::emitPutById):
1511         (JSC::DFG::ByteCodeParser::handlePutById):
1512         * dfg/DFGClobberize.h:
1513         (JSC::DFG::clobberize):
1514         * dfg/DFGCommon.h:
1515         * dfg/DFGConstantFoldingPhase.cpp:
1516         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1517         * dfg/DFGFixupPhase.cpp:
1518         (JSC::DFG::FixupPhase::fixupNode):
1519         * dfg/DFGNode.h:
1520         (JSC::DFG::Node::hasIdentifier):
1521         * dfg/DFGNodeType.h:
1522         * dfg/DFGPredictionPropagationPhase.cpp:
1523         (JSC::DFG::PredictionPropagationPhase::propagate):
1524         * dfg/DFGSafeToExecute.h:
1525         (JSC::DFG::safeToExecute):
1526         * dfg/DFGSpeculativeJIT.cpp:
1527         (JSC::DFG::SpeculativeJIT::compileIn):
1528         * dfg/DFGSpeculativeJIT.h:
1529         * dfg/DFGSpeculativeJIT32_64.cpp:
1530         (JSC::DFG::SpeculativeJIT::cachedGetById):
1531         (JSC::DFG::SpeculativeJIT::cachedPutById):
1532         (JSC::DFG::SpeculativeJIT::compile):
1533         * dfg/DFGSpeculativeJIT64.cpp:
1534         (JSC::DFG::SpeculativeJIT::cachedGetById):
1535         (JSC::DFG::SpeculativeJIT::cachedPutById):
1536         (JSC::DFG::SpeculativeJIT::compile):
1537         * jit/CCallHelpers.h:
1538         (JSC::CCallHelpers::setupArgumentsWithExecState):
1539         * jit/JITInlineCacheGenerator.cpp:
1540         (JSC::JITByIdGenerator::JITByIdGenerator):
1541         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1542         * jit/JITInlineCacheGenerator.h:
1543         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1544         * jit/JITOperations.cpp:
1545         * jit/JITOperations.h:
1546         * jit/JITPropertyAccess.cpp:
1547         (JSC::JIT::emit_op_get_by_id):
1548         (JSC::JIT::emit_op_put_by_id):
1549         * jit/JITPropertyAccess32_64.cpp:
1550         (JSC::JIT::emit_op_get_by_id):
1551         (JSC::JIT::emit_op_put_by_id):
1552         * jit/Repatch.cpp:
1553         (JSC::tryCacheGetByID):
1554         (JSC::tryBuildGetByIDList):
1555         (JSC::emitCustomSetterStub):
1556         (JSC::tryCachePutByID):
1557         (JSC::tryBuildPutByIdList):
1558         * jit/SpillRegistersMode.h: Added.
1559         * llint/LLIntSlowPaths.cpp:
1560         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1561         * runtime/Lookup.h:
1562         (JSC::putEntry):
1563         * runtime/PutPropertySlot.h:
1564         (JSC::PutPropertySlot::setCacheableCustomProperty):
1565         (JSC::PutPropertySlot::customSetter):
1566         (JSC::PutPropertySlot::isCacheablePut):
1567         (JSC::PutPropertySlot::isCacheableCustomProperty):
1568         (JSC::PutPropertySlot::cachedOffset):
1569
1570 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
1571
1572         JSCell::m_gcData should encode its information differently
1573         https://bugs.webkit.org/show_bug.cgi?id=129741
1574
1575         Reviewed by Geoffrey Garen.
1576
1577         We want to keep track of three GC states for an object:
1578
1579         1. Not marked (which implies not in the remembered set)
1580         2. Marked but not in the remembered set
1581         3. Marked and in the remembered set
1582         
1583         Currently we only indicate marked vs. not marked in JSCell::m_gcData. During a write 
1584         barrier, we only want to take the slow path if the object being stored to is in state #2. 
1585         We'd like to make the test for state #2 as fast as possible, which means making it a 
1586         compare against 0.
1587
1588         * dfg/DFGOSRExitCompilerCommon.cpp:
1589         (JSC::DFG::osrWriteBarrier):
1590         * dfg/DFGSpeculativeJIT.cpp:
1591         (JSC::DFG::SpeculativeJIT::checkMarkByte):
1592         (JSC::DFG::SpeculativeJIT::writeBarrier):
1593         * dfg/DFGSpeculativeJIT.h:
1594         * dfg/DFGSpeculativeJIT32_64.cpp:
1595         (JSC::DFG::SpeculativeJIT::writeBarrier):
1596         * dfg/DFGSpeculativeJIT64.cpp:
1597         (JSC::DFG::SpeculativeJIT::writeBarrier):
1598         * ftl/FTLLowerDFGToLLVM.cpp:
1599         (JSC::FTL::LowerDFGToLLVM::allocateCell):
1600         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
1601         * heap/Heap.cpp:
1602         (JSC::Heap::clearRememberedSet):
1603         (JSC::Heap::addToRememberedSet):
1604         * jit/AssemblyHelpers.h:
1605         (JSC::AssemblyHelpers::checkMarkByte):
1606         * jit/JIT.h:
1607         * jit/JITPropertyAccess.cpp:
1608         (JSC::JIT::checkMarkByte):
1609         (JSC::JIT::emitWriteBarrier):
1610         * jit/Repatch.cpp:
1611         (JSC::writeBarrier):
1612         * llint/LowLevelInterpreter.asm:
1613         * llint/LowLevelInterpreter32_64.asm:
1614         * llint/LowLevelInterpreter64.asm:
1615         * runtime/JSCell.h:
1616         (JSC::JSCell::mark):
1617         (JSC::JSCell::remember):
1618         (JSC::JSCell::forget):
1619         (JSC::JSCell::isMarked):
1620         (JSC::JSCell::isRemembered):
1621         * runtime/JSCellInlines.h:
1622         (JSC::JSCell::JSCell):
1623         * runtime/StructureIDBlob.h:
1624         (JSC::StructureIDBlob::StructureIDBlob):
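
        Added illustration, not JSC's code: a minimal model of the three-state encoding and
        the write barrier built on it. The entry fixes only one thing, that state #2 encodes
        as 0, so the values assumed here for the other two states, and the Cell and Heap
        types, are this example's own. The barrier is a memory-safety invariant: an old
        object that gains a pointer to a young object without being remembered would hold a
        dangling reference after the next eden collection.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Three GC states per cell. The ChangeLog only requires that state #2
// ("marked but not in the remembered set") encode as 0, so that the write
// barrier's fast-path test is a compare against zero. The values for the
// other two states are this example's assumption.
enum GCData : uint8_t {
    MarkedNotRemembered = 0,  // state #2: old object, barrier must record it
    NotMarked = 1,            // state #1: young object (implies not remembered)
    MarkedAndRemembered = 2,  // state #3: old object already in the remembered set
};

struct Cell {
    uint8_t gcData = NotMarked;     // fresh allocations start unmarked
    std::vector<Cell*> fields;      // outgoing references, stored through the barrier

    bool isMarked() const { return gcData != NotMarked; }
    bool isRemembered() const { return gcData == MarkedAndRemembered; }
    void mark() { if (gcData == NotMarked) gcData = MarkedNotRemembered; }
    void remember() { gcData = MarkedAndRemembered; }
    void forget() { gcData = MarkedNotRemembered; }
};

struct Heap {
    std::vector<Cell*> rememberedSet;
    unsigned slowPathCount = 0;

    // Slow path: reached only for cells in state #2.
    void addToRememberedSet(Cell* cell) {
        ++slowPathCount;
        cell->remember();
        rememberedSet.push_back(cell);
    }

    // After an eden collection the remembered set is emptied: every member
    // returns to state #2, so the next store into it re-enters the slow path.
    void clearRememberedSet() {
        for (Cell* cell : rememberedSet)
            cell->forget();
        rememberedSet.clear();
    }

    // Store with a generational write barrier. Fast path: one byte compared against 0.
    void storeField(Cell* owner, size_t index, Cell* value) {
        owner->fields[index] = value;
        if (owner->gcData == 0)   // only state #2 takes the slow path
            addToRememberedSet(owner);
    }
};

// Checks the state machine: #1 -> mark -> #2 -> remember -> #3 -> forget -> #2.
bool stateTransitionsHold() {
    Cell c;
    if (c.isMarked() || c.isRemembered()) return false;                    // state #1
    c.mark();
    if (c.gcData != 0 || !c.isMarked() || c.isRemembered()) return false;  // state #2
    c.remember();
    if (!c.isMarked() || !c.isRemembered()) return false;                  // state #3
    c.forget();
    return c.gcData == 0;                                                  // back to #2
}

// Scenario: returns how many times the barrier slow path ran.
unsigned runBarrierScenario() {
    Heap heap;
    Cell owner;
    owner.fields.resize(1);
    Cell young;

    heap.storeField(&owner, 0, &young);  // owner is young itself: fast path
    owner.mark();                        // owner survives a collection: state #2
    heap.storeField(&owner, 0, &young);  // old -> young edge: slow path, state #3
    heap.storeField(&owner, 0, &young);  // already remembered: fast path
    heap.clearRememberedSet();           // eden collection finished: back to state #2
    heap.storeField(&owner, 0, &young);  // slow path again
    return heap.slowPathCount;
}
```

        The fast path is the single owner->gcData == 0 compare; runBarrierScenario() returns 2
        because only the two stores into an old, not-yet-remembered owner reach
        addToRememberedSet().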
1625
1626 2014-03-05  Filip Pizlo  <fpizlo@apple.com>
1627
1628         More FTL ARM fixes
1629         https://bugs.webkit.org/show_bug.cgi?id=129755
1630
1631         Reviewed by Geoffrey Garen.
1632         
1633         - Be more defensive about inline caches that have degenerate chains.
1634         
1635         - Temporarily switch to allocating all MCJIT memory in the executable pool on non-x86
1636           platforms. The bug tracking the real fix is: https://bugs.webkit.org/show_bug.cgi?id=129756
1637         
1638         - Don't even emit intrinsic declarations on non-x86 platforms.
1639         
1640         - More debug printing support.
1641         
1642         - Don't use vmCall() in the prologue. This should have crashed on all platforms all the time
1643           but somehow it gets lucky on x86.
1644
1645         * bytecode/GetByIdStatus.cpp:
1646         (JSC::GetByIdStatus::appendVariant):
1647         (JSC::GetByIdStatus::computeForChain):
1648         (JSC::GetByIdStatus::computeForStubInfo):
1649         * bytecode/GetByIdStatus.h:
1650         * bytecode/PutByIdStatus.cpp:
1651         (JSC::PutByIdStatus::appendVariant):
1652         (JSC::PutByIdStatus::computeForStubInfo):
1653         * bytecode/PutByIdStatus.h:
1654         * bytecode/StructureSet.h:
1655         (JSC::StructureSet::overlaps):
1656         * ftl/FTLCompile.cpp:
1657         (JSC::FTL::mmAllocateDataSection):
1658         * ftl/FTLDataSection.cpp:
1659         (JSC::FTL::DataSection::DataSection):
1660         (JSC::FTL::DataSection::~DataSection):
1661         * ftl/FTLDataSection.h:
1662         * ftl/FTLLowerDFGToLLVM.cpp:
1663         (JSC::FTL::LowerDFGToLLVM::lower):
1664         * ftl/FTLOutput.h:
1665         (JSC::FTL::Output::doubleSin):
1666         (JSC::FTL::Output::doubleCos):
1667         * runtime/JSCJSValue.cpp:
1668         (JSC::JSValue::dumpInContext):
1669         * runtime/JSCell.h:
1670         (JSC::JSCell::structureID):
1671
1672 2014-03-05  peavo@outlook.com  <peavo@outlook.com>
1673
1674         [Win32][LLINT] Crash when running JSC stress tests.
1675         https://bugs.webkit.org/show_bug.cgi?id=129429
1676
1677         On Windows the reserved stack space consists of committed memory, a guard page, and uncommitted memory,
1678         where the guard page is a barrier between committed and uncommitted memory.
1679         When data from the guard page is read or written, the guard page is moved, and memory is committed.
1680         This is how the system grows the stack.
1681         When using the C stack on Windows we need to precommit the needed stack space.
1682         Otherwise we might crash later if we access uncommitted stack memory.
1683         This can happen if we allocate stack space larger than the page guard size (4K).
1684         The system does not get the chance to move the guard page, and commit more memory,
1685         and we crash if uncommitted memory is accessed.
1686         The MSVC compiler fixes this by inserting a call to the _chkstk() function,
1687         when needed, see http://support.microsoft.com/kb/100775.
1688
1689         Reviewed by Geoffrey Garen.
1690
1691         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Enable LLINT.
1692         * jit/Repatch.cpp:
1693         (JSC::writeBarrier): Compile fix when DFG_JIT is not enabled.
1694         * offlineasm/x86.rb: Compile fix, and small simplification.
1695         * runtime/VM.cpp:
1696         (JSC::preCommitStackMemory): Added function to precommit stack memory.
1697         (JSC::VM::updateStackLimit): Call function to precommit stack memory when stack limit is updated.
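
        Added illustration, not JSC's or Microsoft's code: the probe pattern the entry
        describes, touching one byte per page from the top of a region down to its limit so
        that each access hits the guard page in turn instead of skipping past it. A 64 KiB
        local array stands in for the reserved stack region, its bottom plays the part of the
        limit that VM::updateStackLimit() would supply, and the 4 KiB page size is assumed. On
        Linux the kernel grows the stack on any fault within the rlimit, so this models the
        probe rather than reproducing the Windows crash.

```cpp
#include <cstddef>

// Touch one byte in every page from `top` down to `limit` (top-down, the
// direction the stack grows), so each access lands on the current guard page
// in order and the OS commits it before anything below is used. This is the
// idea behind MSVC's _chkstk probe and JSC's preCommitStackMemory(); reading a
// byte and writing it back leaves the contents unchanged. Precondition:
// top >= limit. Returns the number of pages touched.
size_t precommitStackRange(volatile char* top, volatile char* limit, size_t pageSize)
{
    size_t pagesTouched = 0;
    for (volatile char* p = top; ; p -= pageSize) {
        char ch = *p;
        *p = ch;
        ++pagesTouched;
        if (static_cast<size_t>(p - limit) < pageSize)
            break;   // the next stride would step below the limit
    }
    return pagesTouched;
}

// Stand-in for a reserved stack region: a 64 KiB local array whose bottom plays
// the role of the stack limit. Probes the top `bytes` of it with an assumed
// 4 KiB page size and returns the number of pages touched (0 if out of range).
size_t demoPrecommit(size_t bytes)
{
    constexpr size_t kPageSize = 4096;
    volatile char frame[16 * kPageSize] = {};
    if (bytes == 0 || bytes > sizeof(frame))
        return 0;
    return precommitStackRange(frame + (bytes - 1), frame, kPageSize);
}
```

        The stride must not exceed the guard page size: a frame larger than one page that is
        touched only at its lowest address is exactly the access the entry describes, landing
        in uncommitted memory below the guard page.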
1698
1699 2014-03-05  Michael Saboff  <msaboff@apple.com>
1700
1701         JSDataViewPrototype::getData() and setData() crash on platforms that don't allow unaligned accesses
1702         https://bugs.webkit.org/show_bug.cgi?id=129746
1703
1704         Reviewed by Filip Pizlo.
1705
1706         Changed to use a union to manually assemble or disassemble the various types
1707         from / to the corresponding bytes.  All memory access is now done using
1708         byte accesses.
1709
1710         * runtime/JSDataViewPrototype.cpp:
1711         (JSC::getData):
1712         (JSC::setData):
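
        Added illustration, not JSC's getData()/setData(): a byte-at-a-time DataView read and
        write that never performs a load or store wider than a byte on the underlying buffer,
        with the union doing the assembly in aligned storage and an overflow-safe bounds check
        in front of it. The sample buffer is constructed for the example (the big-endian
        encoding of 1.0), and the template signatures are this example's own.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>

// Overflow-safe bounds check: byteOffset + accessSize <= bufferLength without
// ever computing the sum, so an offset near SIZE_MAX cannot wrap into range.
inline bool inBounds(size_t bufferLength, size_t byteOffset, size_t accessSize)
{
    return byteOffset <= bufferLength && accessSize <= bufferLength - byteOffset;
}

inline bool hostIsLittleEndian()
{
    const union { uint16_t word; uint8_t bytes[2]; } probe = { 0x0102 };
    return probe.bytes[0] == 0x02;
}

// Read a T at an arbitrary (possibly unaligned) byte offset. Only byte loads
// touch the buffer; the union reassembles the value in properly aligned storage.
template<typename T>
T getData(const uint8_t* buffer, size_t bufferLength, size_t byteOffset, bool littleEndian)
{
    if (!inBounds(bufferLength, byteOffset, sizeof(T)))
        throw std::out_of_range("DataView read out of bounds");
    union { T value; uint8_t bytes[sizeof(T)]; } u;
    const bool swap = littleEndian != hostIsLittleEndian();
    for (size_t i = 0; i < sizeof(T); ++i)
        u.bytes[swap ? sizeof(T) - 1 - i : i] = buffer[byteOffset + i];
    return u.value;
}

// Write a T at an arbitrary byte offset, again with byte stores only.
template<typename T>
void setData(uint8_t* buffer, size_t bufferLength, size_t byteOffset, T value, bool littleEndian)
{
    if (!inBounds(bufferLength, byteOffset, sizeof(T)))
        throw std::out_of_range("DataView write out of bounds");
    union { T value; uint8_t bytes[sizeof(T)]; } u;
    u.value = value;
    const bool swap = littleEndian != hostIsLittleEndian();
    for (size_t i = 0; i < sizeof(T); ++i)
        buffer[byteOffset + i] = u.bytes[swap ? sizeof(T) - 1 - i : i];
}

// Constructed sample: the big-endian IEEE-754 encoding of 1.0.
const uint8_t kSampleBytes[8] = { 0x3F, 0xF0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };

// Write then read back at byte offset 1, which is misaligned for every T wider
// than one byte; on a strict-alignment CPU a direct *(T*) access here would trap.
template<typename T>
bool roundTrip(T value, bool littleEndian)
{
    uint8_t scratch[sizeof(T) + 1] = {};
    setData<T>(scratch, sizeof scratch, 1, value, littleEndian);
    return getData<T>(scratch, sizeof scratch, 1, littleEndian) == value;
}
```

        The bounds check compares against bufferLength - byteOffset rather than computing
        byteOffset + sizeof(T), so a hostile offset near SIZE_MAX cannot wrap around into
        range; roundTrip() deliberately uses offset 1 so every multi-byte type is misaligned.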
1713
1714 2014-03-05  Filip Pizlo  <fpizlo@apple.com>
1715
1716         FTL loadStructure always generates invalid IR
1717         https://bugs.webkit.org/show_bug.cgi?id=129747
1718
1719         Reviewed by Mark Hahnenberg.
1720
1721         As the comment at the top of FTL::Output states, the FTL doesn't use LLVM's notion
1722         of pointers. LLVM's notion of pointers tries to model C, in the sense that you have
1723         to have a pointer to a type, and you can only load things of that type from that
1724         pointer. Pointer arithmetic is basically not possible except through the bizarre
1725         getelementptr operator. This doesn't fit with how the JS object model works since
1726         the JS object model doesn't consist of nice and tidy C types placed in C arrays.
1727         Also, it would be impossible to use getelementptr and LLVM pointers for accessing
1728         any of JSC's C or C++ objects unless we went through the exercise of redeclaring
1729         all of our fundamental data structures in LLVM IR as LLVM types. Clang could do
1730         this for us, but that would require that to use the FTL, JSC itself would have to
1731         be compiled with clang. Worse, it would have to be compiled with a clang that uses
1732         a version of LLVM that is compatible with the one against which the FTL is linked.
1733         Yuck!
1734
1735         The solution is to NEVER use LLVM pointers. This has always been the case in the
1736         FTL. But it causes some confusion.
1737         
1738         Not using LLVM pointers means that if the FTL has a "pointer", it's actually a
1739         pointer-wide integer (m_out.intPtr in FTL-speak). The act of "loading" and
1740         "storing" from or to a pointer involves first bitcasting the intPtr to a real LLVM
1741         pointer that has the type that we want. The load and store operations over pointers
1742         are called Output::load* and Output::store*, where * is one of "8", "16", "32",
1743         "64", "Ptr", "Float", or "Double".
1744         
1745         There is unavoidable confusion here. It would be bizarre for the FTL to call its
1746         "pointer-wide integers" anything other than "pointers", since they are, in all
1747         respects that we care about, simply pointers. But they are *not* LLVM pointers and
1748         they never will be that.
1749         
1750         There is one exception to this "no pointers" rule. The FTL does use actual LLVM
1751         pointers for refering to LLVM alloca's - i.e. local variables. To try to reduce
1752         confusion, we call these "references". So an "FTL reference" is actually an "LLVM
1753         pointer", while an "FTL pointer" is actually an "LLVM integer". FTL references have
1754         methods for access called Output::get and Output::set. These lower to LLVM load
1755         and store, since FTL references are just LLVM pointers.
1756         
1757         This confusion appears to have led to incorrect code in loadStructure().
1758         loadStructure() was using get() and set() to access FTL pointers. But those methods
1759         don't work on FTL pointers and never will, since they are for FTL references.
1760         
1761         The worst part of this is that it was previously impossible to have test coverage
1762         for the relevant path (MasqueradesAsUndefined) without writing a DRT test. This
1763         patch fixes this by introducing a Masquerader object to jsc.cpp.
1764         
1765         * ftl/FTLAbstractHeapRepository.h: Add an abstract heap for the structure table.
1766         * ftl/FTLLowerDFGToLLVM.cpp:
1767         (JSC::FTL::LowerDFGToLLVM::loadStructure): This was wrong.
1768         * ftl/FTLOutput.h: Add a comment to dissuade people from using get() and set().
1769         * jsc.cpp: Give us the power to test for MasqueradesAsUndefined.
1770         (WTF::Masquerader::Masquerader):
1771         (WTF::Masquerader::create):
1772         (WTF::Masquerader::createStructure):
1773         (GlobalObject::finishCreation):
1774         (functionMakeMasquerader):
1775         * tests/stress/equals-masquerader.js: Added.
1776         (foo):
1777         (test):
1778
1779 2014-03-05  Anders Carlsson  <andersca@apple.com>
1780
1781         Tweak after r165109 to avoid extra copies
1782         https://bugs.webkit.org/show_bug.cgi?id=129745
1783
1784         Reviewed by Geoffrey Garen.
1785
1786         * heap/Heap.cpp:
1787         (JSC::Heap::visitProtectedObjects):
1788         (JSC::Heap::visitTempSortVectors):
1789         (JSC::Heap::clearRememberedSet):
1790         * heap/Heap.h:
1791         (JSC::Heap::forEachProtectedCell):
1792
1793 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
1794
1795         DFGStoreBarrierElisionPhase should use GCState directly instead of m_gcClobberSet when calling writesOverlap()
1796         https://bugs.webkit.org/show_bug.cgi?id=129717
1797
1798         Reviewed by Filip Pizlo.
1799
1800         * dfg/DFGStoreBarrierElisionPhase.cpp:
1801         (JSC::DFG::StoreBarrierElisionPhase::StoreBarrierElisionPhase):
1802         (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC):
1803
1804 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
1805
1806         Use range-based loops where possible in Heap methods
1807         https://bugs.webkit.org/show_bug.cgi?id=129513
1808
1809         Reviewed by Mark Lam.
1810
1811         Replace old school iterator based loops with the new range-based loop hotness
1812         for a better tomorrow.
1813
1814         * heap/CodeBlockSet.cpp:
1815         (JSC::CodeBlockSet::~CodeBlockSet):
1816         (JSC::CodeBlockSet::clearMarks):
1817         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
1818         (JSC::CodeBlockSet::traceMarked):
1819         * heap/Heap.cpp:
1820         (JSC::Heap::visitProtectedObjects):
1821         (JSC::Heap::visitTempSortVectors):
1822         (JSC::Heap::clearRememberedSet):
1823         * heap/Heap.h:
1824         (JSC::Heap::forEachProtectedCell):
1825
1826 2014-03-04  Filip Pizlo  <fpizlo@apple.com>
1827
1828         DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
1829         https://bugs.webkit.org/show_bug.cgi?id=129563
1830
1831         Reviewed by Geoffrey Garen.
1832         
1833         Rolling this back in after fixing an assertion failure. speculateMisc() should have
1834         said DFG_TYPE_CHECK instead of typeCheck.
1835         
1836         This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
1837         when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
1838         user of this was EarleyBoyer, and in that benchmark what it was really doing was
1839         comparing undefined, null, and booleans to each other.
1840         
1841         This also adds support for miscellaneous things that I needed to make my various test
1842         cases work. This includes comparison over booleans and the various Throw-related node
1843         types.
1844         
1845         This also improves constant folding of CompareStrictEq and CompareEq.
1846         
1847         Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
1848         based on profiling, which caused some downstream badness. We don't actually support
1849         compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
1850         emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
1851         shouldn't factor out the bounds check since the access is not InBounds but then the
1852         backend would ignore the flag and assume that the bounds check was already emitted.
1853         This showed up on an existing test but I added a test for this explicitly to have more
1854         certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
1855         that we'll have a bounds check anyway.
1856         
1857         This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
1858         general progressions across the board. No speed-up yet on EarleyBoyer, since there is
1859         still a lot more coverage work to be done there.
1860
1861         * bytecode/SpeculatedType.cpp:
1862         (JSC::speculationToAbbreviatedString):
1863         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
1864         (JSC::valuesCouldBeEqual):
1865         * bytecode/SpeculatedType.h:
1866         (JSC::isMiscSpeculation):
1867         * dfg/DFGAbstractInterpreterInlines.h:
1868         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1869         * dfg/DFGArrayMode.cpp:
1870         (JSC::DFG::ArrayMode::refine):
1871         * dfg/DFGArrayMode.h:
1872         * dfg/DFGFixupPhase.cpp:
1873         (JSC::DFG::FixupPhase::fixupNode):
1874         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
1875         * dfg/DFGNode.h:
1876         (JSC::DFG::Node::shouldSpeculateMisc):
1877         * dfg/DFGSafeToExecute.h:
1878         (JSC::DFG::SafeToExecuteEdge::operator()):
1879         * dfg/DFGSpeculativeJIT.cpp:
1880         (JSC::DFG::SpeculativeJIT::compileStrictEq):
1881         (JSC::DFG::SpeculativeJIT::speculateMisc):
1882         (JSC::DFG::SpeculativeJIT::speculate):
1883         * dfg/DFGSpeculativeJIT.h:
1884         * dfg/DFGSpeculativeJIT32_64.cpp:
1885         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
1886         * dfg/DFGSpeculativeJIT64.cpp:
1887         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
1888         * dfg/DFGUseKind.cpp:
1889         (WTF::printInternal):
1890         * dfg/DFGUseKind.h:
1891         (JSC::DFG::typeFilterFor):
1892         * ftl/FTLCapabilities.cpp:
1893         (JSC::FTL::canCompile):
1894         * ftl/FTLLowerDFGToLLVM.cpp:
1895         (JSC::FTL::LowerDFGToLLVM::compileNode):
1896         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
1897         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
1898         (JSC::FTL::LowerDFGToLLVM::compileThrow):
1899         (JSC::FTL::LowerDFGToLLVM::isNotMisc):
1900         (JSC::FTL::LowerDFGToLLVM::isMisc):
1901         (JSC::FTL::LowerDFGToLLVM::speculate):
1902         (JSC::FTL::LowerDFGToLLVM::speculateMisc):
1903         * tests/stress/float32-array-out-of-bounds.js: Added.
1904         * tests/stress/weird-equality-folding-cases.js: Added.
1905
1906 2014-03-04  Commit Queue  <commit-queue@webkit.org>
1907
1908         Unreviewed, rolling out r165085.
1909         http://trac.webkit.org/changeset/165085
1910         https://bugs.webkit.org/show_bug.cgi?id=129729
1911
1912         Broke imported/w3c/html-templates/template-element/template-content.html
1913         (Requested by ap on #webkit).
1914
1915         * bytecode/SpeculatedType.cpp:
1916         (JSC::speculationToAbbreviatedString):
1917         * bytecode/SpeculatedType.h:
1918         * dfg/DFGAbstractInterpreterInlines.h:
1919         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1920         * dfg/DFGArrayMode.cpp:
1921         (JSC::DFG::ArrayMode::refine):
1922         * dfg/DFGArrayMode.h:
1923         * dfg/DFGFixupPhase.cpp:
1924         (JSC::DFG::FixupPhase::fixupNode):
1925         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
1926         * dfg/DFGNode.h:
1927         (JSC::DFG::Node::shouldSpeculateBoolean):
1928         * dfg/DFGSafeToExecute.h:
1929         (JSC::DFG::SafeToExecuteEdge::operator()):
1930         * dfg/DFGSpeculativeJIT.cpp:
1931         (JSC::DFG::SpeculativeJIT::compileStrictEq):
1932         (JSC::DFG::SpeculativeJIT::speculate):
1933         * dfg/DFGSpeculativeJIT.h:
1934         * dfg/DFGSpeculativeJIT32_64.cpp:
1935         * dfg/DFGSpeculativeJIT64.cpp:
1936         * dfg/DFGUseKind.cpp:
1937         (WTF::printInternal):
1938         * dfg/DFGUseKind.h:
1939         (JSC::DFG::typeFilterFor):
1940         * ftl/FTLCapabilities.cpp:
1941         (JSC::FTL::canCompile):
1942         * ftl/FTLLowerDFGToLLVM.cpp:
1943         (JSC::FTL::LowerDFGToLLVM::compileNode):
1944         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
1945         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
1946         (JSC::FTL::LowerDFGToLLVM::speculate):
1947         * tests/stress/float32-array-out-of-bounds.js: Removed.
1948         * tests/stress/weird-equality-folding-cases.js: Removed.
1949
1950 2014-03-04  Brian Burg  <bburg@apple.com>
1951
1952         Inspector does not restore breakpoints after a page reload
1953         https://bugs.webkit.org/show_bug.cgi?id=129655
1954
1955         Reviewed by Joseph Pecoraro.
1956
1957         Fix a regression introduced by r162096 that erroneously removed
1958         the inspector backend's mapping of files to breakpoints whenever the
1959         global object was cleared.
1960
1961         The inspector's breakpoint mappings should only be cleared when the
1962         debugger agent is disabled or destroyed. We should only clear the
1963         debugger's breakpoint state when the global object is cleared.
1964
1965         To make it clearer what state is being cleared, the two cases have
1966         been split into separate methods.
1967
1968         * inspector/agents/InspectorDebuggerAgent.cpp:
1969         (Inspector::InspectorDebuggerAgent::disable):
1970         (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
1971         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
1972         (Inspector::InspectorDebuggerAgent::didClearGlobalObject):
1973         * inspector/agents/InspectorDebuggerAgent.h:
1974
1975 2014-03-04  Andreas Kling  <akling@apple.com>
1976
1977         Streamline JSValue::get().
1978         <https://webkit.org/b/129720>
1979
1980         Fetch each Structure and VM only once when walking the prototype chain
1981         in JSObject::getPropertySlot(), then pass it along to the functions
1982         we call from there, so they don't have to re-fetch it.
1983
1984         Reviewed by Geoff Garen.
1985
1986         * runtime/JSObject.h:
1987         (JSC::JSObject::inlineGetOwnPropertySlot):
1988         (JSC::JSObject::fastGetOwnPropertySlot):
1989         (JSC::JSObject::getPropertySlot):
1990
1991 2014-03-01  Filip Pizlo  <fpizlo@apple.com>
1992
1993         DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
1994         https://bugs.webkit.org/show_bug.cgi?id=129563
1995
1996         Reviewed by Geoffrey Garen.
1997         
1998         This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
1999         when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
2000         user of this was EarleyBoyer, and in that benchmark what it was really doing was
2001         comparing undefined, null, and booleans to each other.
2002         
2003         This also adds support for miscellaneous things that I needed to make my various test
2004         cases work. This includes comparison over booleans and the various Throw-related node
2005         types.
2006         
2007         This also improves constant folding of CompareStrictEq and CompareEq.
2008         
2009         Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
2010         based on profiling, which caused some downstream badness. We don't actually support
2011         compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
2012         emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
2013         shouldn't factor out the bounds check since the access is not InBounds but then the
2014         backend would ignore the flag and assume that the bounds check was already emitted.
2015         This showed up on an existing test but I added a test for this explicitly to have more
2016         certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
2017         that we'll have a bounds check anyway.
2018         
2019         This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
2020         general progressions across the board. No speed-up yet on EarleyBoyer, since there is
2021         still a lot more coverage work to be done there.
2022
2023         * bytecode/SpeculatedType.cpp:
2024         (JSC::speculationToAbbreviatedString):
2025         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
2026         (JSC::valuesCouldBeEqual):
2027         * bytecode/SpeculatedType.h:
2028         (JSC::isMiscSpeculation):
2029         * dfg/DFGAbstractInterpreterInlines.h:
2030         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2031         * dfg/DFGFixupPhase.cpp:
2032         (JSC::DFG::FixupPhase::fixupNode):
2033         * dfg/DFGNode.h:
2034         (JSC::DFG::Node::shouldSpeculateMisc):
2035         * dfg/DFGSafeToExecute.h:
2036         (JSC::DFG::SafeToExecuteEdge::operator()):
2037         * dfg/DFGSpeculativeJIT.cpp:
2038         (JSC::DFG::SpeculativeJIT::compileStrictEq):
2039         (JSC::DFG::SpeculativeJIT::speculateMisc):
2040         (JSC::DFG::SpeculativeJIT::speculate):
2041         * dfg/DFGSpeculativeJIT.h:
2042         * dfg/DFGSpeculativeJIT32_64.cpp:
2043         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
2044         * dfg/DFGSpeculativeJIT64.cpp:
2045         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
2046         * dfg/DFGUseKind.cpp:
2047         (WTF::printInternal):
2048         * dfg/DFGUseKind.h:
2049         (JSC::DFG::typeFilterFor):
2050         * ftl/FTLCapabilities.cpp:
2051         (JSC::FTL::canCompile):
2052         * ftl/FTLLowerDFGToLLVM.cpp:
2053         (JSC::FTL::LowerDFGToLLVM::compileNode):
2054         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
2055         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
2056         (JSC::FTL::LowerDFGToLLVM::compileThrow):
2057         (JSC::FTL::LowerDFGToLLVM::isNotMisc):
2058         (JSC::FTL::LowerDFGToLLVM::isMisc):
2059         (JSC::FTL::LowerDFGToLLVM::speculate):
2060         (JSC::FTL::LowerDFGToLLVM::speculateMisc):
2061         * tests/stress/float32-array-out-of-bounds.js: Added.
2062         * tests/stress/weird-equality-folding-cases.js: Added.
2063
2064 2014-03-04  Andreas Kling  <akling@apple.com>
2065
2066         Spam static branch prediction hints on JS bindings.
2067         <https://webkit.org/b/129703>
2068
2069         Add LIKELY hint to jsDynamicCast since it's always used in a context
2070         where we expect it to succeed and takes an error path when it doesn't.
2071
2072         Reviewed by Geoff Garen.
2073
2074         * runtime/JSCell.h:
2075         (JSC::jsDynamicCast):
2076
2077 2014-03-04  Andreas Kling  <akling@apple.com>
2078
2079         Get to Structures more efficiently in JSCell::methodTable().
2080         <https://webkit.org/b/129702>
2081
2082         In JSCell::methodTable(), get the VM once and pass that along to
2083         structure(VM&) instead of using the heavier structure().
2084
2085         In JSCell::methodTable(VM&), replace calls to structure() with
2086         calls to structure(VM&).
2087
2088         Reviewed by Mark Hahnenberg.
2089
2090         * runtime/JSCellInlines.h:
2091         (JSC::JSCell::methodTable):
2092
2093 2014-03-04  Joseph Pecoraro  <pecoraro@apple.com>
2094
2095         Web Inspector: Listen for the XPC_ERROR_CONNECTION_INVALID event to deref
2096         https://bugs.webkit.org/show_bug.cgi?id=129697
2097
2098         Reviewed by Timothy Hatcher.
2099
2100         * inspector/remote/RemoteInspectorXPCConnection.mm:
2101         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
2102         (Inspector::RemoteInspectorXPCConnection::handleEvent):
2103
2104 2014-03-04  Mark Hahnenberg  <mhahnenberg@apple.com>
2105
2106         Merge API shims and JSLock
2107         https://bugs.webkit.org/show_bug.cgi?id=129650
2108
2109         Reviewed by Mark Lam.
2110
2111         JSLock is now taking on all of APIEntryShim's responsibilities since there is never a reason 
2112         to take just the JSLock. Ditto for DropAllLocks and APICallbackShim.
2113
2114         * API/APICallbackFunction.h:
2115         (JSC::APICallbackFunction::call):
2116         (JSC::APICallbackFunction::construct):
2117         * API/APIShims.h: Removed.
2118         * API/JSBase.cpp:
2119         (JSEvaluateScript):
2120         (JSCheckScriptSyntax):
2121         (JSGarbageCollect):
2122         (JSReportExtraMemoryCost):
2123         (JSSynchronousGarbageCollectForDebugging):
2124         * API/JSCallbackConstructor.cpp:
2125         * API/JSCallbackFunction.cpp:
2126         * API/JSCallbackObjectFunctions.h:
2127         (JSC::JSCallbackObject<Parent>::init):
2128         (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
2129         (JSC::JSCallbackObject<Parent>::put):
2130         (JSC::JSCallbackObject<Parent>::putByIndex):
2131         (JSC::JSCallbackObject<Parent>::deleteProperty):
2132         (JSC::JSCallbackObject<Parent>::construct):
2133         (JSC::JSCallbackObject<Parent>::customHasInstance):
2134         (JSC::JSCallbackObject<Parent>::call):
2135         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
2136         (JSC::JSCallbackObject<Parent>::getStaticValue):
2137         (JSC::JSCallbackObject<Parent>::callbackGetter):
2138         * API/JSContext.mm:
2139         (-[JSContext setException:]):
2140         (-[JSContext wrapperForObjCObject:]):
2141         (-[JSContext wrapperForJSObject:]):
2142         * API/JSContextRef.cpp:
2143         (JSContextGroupRelease):
2144         (JSContextGroupSetExecutionTimeLimit):
2145         (JSContextGroupClearExecutionTimeLimit):
2146         (JSGlobalContextCreateInGroup):
2147         (JSGlobalContextRetain):
2148         (JSGlobalContextRelease):
2149         (JSContextGetGlobalObject):
2150         (JSContextGetGlobalContext):
2151         (JSGlobalContextCopyName):
2152         (JSGlobalContextSetName):
2153         * API/JSManagedValue.mm:
2154         (-[JSManagedValue value]):
2155         * API/JSObjectRef.cpp:
2156         (JSObjectMake):
2157         (JSObjectMakeFunctionWithCallback):
2158         (JSObjectMakeConstructor):
2159         (JSObjectMakeFunction):
2160         (JSObjectMakeArray):
2161         (JSObjectMakeDate):
2162         (JSObjectMakeError):
2163         (JSObjectMakeRegExp):
2164         (JSObjectGetPrototype):
2165         (JSObjectSetPrototype):
2166         (JSObjectHasProperty):
2167         (JSObjectGetProperty):
2168         (JSObjectSetProperty):
2169         (JSObjectGetPropertyAtIndex):
2170         (JSObjectSetPropertyAtIndex):
2171         (JSObjectDeleteProperty):
2172         (JSObjectGetPrivateProperty):
2173         (JSObjectSetPrivateProperty):
2174         (JSObjectDeletePrivateProperty):
2175         (JSObjectIsFunction):
2176         (JSObjectCallAsFunction):
2177         (JSObjectCallAsConstructor):
2178         (JSObjectCopyPropertyNames):
2179         (JSPropertyNameArrayRelease):
2180         (JSPropertyNameAccumulatorAddName):
2181         * API/JSScriptRef.cpp:
2182         * API/JSValue.mm:
2183         (isDate):
2184         (isArray):
2185         (containerValueToObject):
2186         (valueToArray):
2187         (valueToDictionary):
2188         (objectToValue):
2189         * API/JSValueRef.cpp:
2190         (JSValueGetType):
2191         (JSValueIsUndefined):
2192         (JSValueIsNull):
2193         (JSValueIsBoolean):
2194         (JSValueIsNumber):
2195         (JSValueIsString):
2196         (JSValueIsObject):
2197         (JSValueIsObjectOfClass):
2198         (JSValueIsEqual):
2199         (JSValueIsStrictEqual):
2200         (JSValueIsInstanceOfConstructor):
2201         (JSValueMakeUndefined):
2202         (JSValueMakeNull):
2203         (JSValueMakeBoolean):
2204         (JSValueMakeNumber):
2205         (JSValueMakeString):
2206         (JSValueMakeFromJSONString):
2207         (JSValueCreateJSONString):
2208         (JSValueToBoolean):
2209         (JSValueToNumber):
2210         (JSValueToStringCopy):
2211         (JSValueToObject):
2212         (JSValueProtect):
2213         (JSValueUnprotect):
2214         * API/JSVirtualMachine.mm:
2215         (-[JSVirtualMachine addManagedReference:withOwner:]):
2216         (-[JSVirtualMachine removeManagedReference:withOwner:]):
2217         * API/JSWeakObjectMapRefPrivate.cpp:
2218         * API/JSWrapperMap.mm:
2219         (constructorHasInstance):
2220         (makeWrapper):
2221         (tryUnwrapObjcObject):
2222         * API/ObjCCallbackFunction.mm:
2223         (JSC::objCCallbackFunctionCallAsFunction):
2224         (JSC::objCCallbackFunctionCallAsConstructor):
2225         (objCCallbackFunctionForInvocation):
2226         * CMakeLists.txt:
2227         * ForwardingHeaders/JavaScriptCore/APIShims.h: Removed.
2228         * GNUmakefile.list.am:
2229         * JavaScriptCore.xcodeproj/project.pbxproj:
2230         * dfg/DFGWorklist.cpp:
2231         * heap/DelayedReleaseScope.h:
2232         (JSC::DelayedReleaseScope::~DelayedReleaseScope):
2233         * heap/HeapTimer.cpp:
2234         (JSC::HeapTimer::timerDidFire):
2235         (JSC::HeapTimer::timerEvent):
2236         * heap/IncrementalSweeper.cpp:
2237         * inspector/InjectedScriptModule.cpp:
2238         (Inspector::InjectedScriptModule::ensureInjected):
2239         * jsc.cpp:
2240         (jscmain):
2241         * runtime/GCActivityCallback.cpp:
2242         (JSC::DefaultGCActivityCallback::doWork):
2243         * runtime/JSGlobalObjectDebuggable.cpp:
2244         (JSC::JSGlobalObjectDebuggable::connect):
2245         (JSC::JSGlobalObjectDebuggable::disconnect):
2246         (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
2247         * runtime/JSLock.cpp:
2248         (JSC::JSLock::lock):
2249         (JSC::JSLock::didAcquireLock):
2250         (JSC::JSLock::unlock):
2251         (JSC::JSLock::willReleaseLock):
2252         (JSC::JSLock::DropAllLocks::DropAllLocks):
2253         (JSC::JSLock::DropAllLocks::~DropAllLocks):
2254         * runtime/JSLock.h:
2255         * testRegExp.cpp:
2256         (realMain):
2257
2258 2014-03-04  Commit Queue  <commit-queue@webkit.org>
2259
2260         Unreviewed, rolling out r164812.
2261         http://trac.webkit.org/changeset/164812
2262         https://bugs.webkit.org/show_bug.cgi?id=129699
2263
2264         it made things run slower (Requested by pizlo on #webkit).
2265
2266         * interpreter/Interpreter.cpp:
2267         (JSC::Interpreter::execute):
2268         * jsc.cpp:
2269         (GlobalObject::finishCreation):
2270         * runtime/BatchedTransitionOptimizer.h:
2271         (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
2272         (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
2273
2274 2014-03-02  Filip Pizlo  <fpizlo@apple.com>
2275
2276         GetMyArgumentByVal in FTL
2277         https://bugs.webkit.org/show_bug.cgi?id=128850
2278
2279         Reviewed by Oliver Hunt.
2280         
2281         This would have been easy if the OSR exit compiler's arity checks hadn't been wrong.
2282         They checked arity by doing "exec->argumentCount == codeBlock->numParameters", which
2283         caused it to think that the arity check had failed if the caller had passed more
2284         arguments than needed. This would cause the call frame copying to sort of go into
2285         reverse (because the amount-by-which-we-failed-arity would have opposite sign,
2286         throwing off a bunch of math) and the stack would end up being corrupted.
2287         
2288         The bug was revealed by two existing tests although as far as I could tell, neither
2289         test was intending to cover this case directly. So, I added a new test.
2290
2291         * ftl/FTLCapabilities.cpp:
2292         (JSC::FTL::canCompile):
2293         * ftl/FTLLowerDFGToLLVM.cpp:
2294         (JSC::FTL::LowerDFGToLLVM::compileNode):
2295         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
2296         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
2297         (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated):
2298         (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated):
2299         * ftl/FTLOSRExitCompiler.cpp:
2300         (JSC::FTL::compileStub):
2301         * ftl/FTLState.h:
2302         * tests/stress/exit-from-ftl-when-caller-passed-extra-args-then-use-function-dot-arguments.js: Added.
2303         * tests/stress/ftl-get-my-argument-by-val-inlined-and-not-inlined.js: Added.
2304         * tests/stress/ftl-get-my-argument-by-val-inlined.js: Added.
2305         * tests/stress/ftl-get-my-argument-by-val.js: Added.
2306
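Added example, not code from the WebKit tree: it exercises the situation the entry above describes, a callee declared with fewer parameters than the caller passes, which then reads the extra arguments through `arguments`. Under jsc the hot loop is meant to tier the function up so an OSR exit can happen while the frame holds extra arguments; under any engine it only checks the semantics. The driver name, the iteration count and the string-typed exit trigger are assumptions of this example, not taken from the stress tests listed above.

```javascript
// Added example (not WebKit code). Declared arity is 1; callers pass anywhere
// from 0 to 4 arguments, and the body reads all of them via `arguments`.
function sumAllArguments(first) {
    "use strict";
    var total = 0;
    for (var i = 0; i < arguments.length; i++)
        total += arguments[i];
    // The named parameter must agree with arguments[0] whenever it exists;
    // a corrupted frame copy on exit would show up here or in `total`.
    if (arguments.length > 0 && first !== arguments[0])
        throw new Error("parameter and arguments[0] disagree");
    return total;
}

// Hypothetical warm-up driver: alternate exact-arity and extra-argument calls
// so both frame shapes are seen by every tier, then force a deoptimization by
// passing strings, where a numeric speculation on `first` no longer holds.
function runArityStress(iterations) {
    var acc = 0;
    for (var i = 0; i < iterations; i++) {
        acc += sumAllArguments(i);             // exact arity
        acc += sumAllArguments(i, 1, 2, 3);    // caller passes 3 extra args
    }
    var exitResult = sumAllArguments("a", "b"); // string concatenation path
    return { acc: acc, exitResult: exitResult };
}
```

With 1000 iterations `acc` is 1005000 (each iteration adds i and i + 6) and the string call returns "0ab", so a wrong frame copy would be visible as a wrong sum or as the parameter check throwing.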
2307 2014-03-04  Zan Dobersek  <zdobersek@igalia.com>
2308
2309         [GTK] Build the Udis86 disassembler
2310         https://bugs.webkit.org/show_bug.cgi?id=129679
2311
2312         Reviewed by Michael Saboff.
2313
2314         * GNUmakefile.am: Generate the Udis86-related derived sources. Distribute the required files.
2315         * GNUmakefile.list.am: Add the Udis86 disassembler files to the build.
2316
2317 2014-03-04  Andreas Kling  <akling@apple.com>
2318
2319         Fix too-narrow assertion I added in r165054.
2320
2321         It's okay for a 1-character string to come in here. This will happen
2322         if the VM small string optimization doesn't apply (ch > 0xFF).
2323
2324         * runtime/JSString.h:
2325         (JSC::jsStringWithWeakOwner):
2326
2327 2014-03-04  Andreas Kling  <akling@apple.com>
2328
2329         Micro-optimize Strings in JS bindings.
2330         <https://webkit.org/b/129673>
2331
2332         Make jsStringWithWeakOwner() take a StringImpl& instead of a String.
2333         This avoids branches in length() and operator[].
2334
2335         Also call JSString::create() directly instead of jsString() and just
2336         assert that the string length is >1. This way we don't duplicate the
2337         optimizations for empty and single-character strings.
2338
2339         Reviewed by Ryosuke Niwa.
2340
2341         * runtime/JSString.h:
2342         (JSC::jsStringWithWeakOwner):
2343
2344 2014-03-04  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
2345
2346         Implement Number.prototype.clz()
2347         https://bugs.webkit.org/show_bug.cgi?id=129479
2348
2349         Reviewed by Oliver Hunt.
2350
2351         Implemented Number.prototype.clz() as specified in the ES6 standard.
2352
2353         * runtime/NumberPrototype.cpp:
2354         (JSC::numberProtoFuncClz):
2355
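Added example, not WebKit code: the semantics of the 32-bit count-leading-zeros operation the ES6 drafts specified for Number.prototype.clz (the final ES2015 standard ships the same operation as Math.clz32). The receiver goes through ToUint32 first, so NaN, Infinity and 2^32 all become 0 and yield 32, fractions truncate, and negative numbers wrap. The function names are this example's own.

```javascript
// Added example (not WebKit code).
// ToUint32: Number(), then >>> 0 truncates and wraps modulo 2^32.
function toUint32(value) {
    return Number(value) >>> 0;
}

// Reference form: scan from the top bit down until the first set bit.
function clz32Reference(value) {
    var n = toUint32(value);
    if (n === 0)
        return 32;
    var count = 0;
    for (var bit = 31; bit >= 0; bit--) {
        // `&` operates on int32, so 1 << 31 is negative, but the bit test is exact.
        if (n & (1 << bit))
            break;
        count++;
    }
    return count;
}

// Binary-search form: five shift-and-test steps instead of up to 32 iterations.
function clz32Fast(value) {
    var n = toUint32(value);
    if (n === 0)
        return 32;
    var count = 0;
    if ((n >>> 16) === 0) { count += 16; n <<= 16; }
    if ((n >>> 24) === 0) { count += 8;  n <<= 8; }
    if ((n >>> 28) === 0) { count += 4;  n <<= 4; }
    if ((n >>> 30) === 0) { count += 2;  n <<= 2; }
    if ((n >>> 31) === 0) { count += 1; }
    return count;
}

// Cross-checks both forms against each other and, where the engine has it,
// against the built-in Math.clz32; true only if all agree on every input.
function clzAgrees(values) {
    return values.every(function (v) {
        var ref = clz32Reference(v);
        var fast = clz32Fast(v);
        var builtin = typeof Math.clz32 === "function" ? Math.clz32(v) : ref;
        return ref === fast && ref === builtin;
    });
}
```

The interesting inputs are the ones where ToUint32 does the work: -1 maps to 0xFFFFFFFF and yields 0, 2^32 maps to 0 and yields 32, and 1e10 wraps to 0x540BE400 and yields 1.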
2356 2014-03-03  Joseph Pecoraro  <pecoraro@apple.com>
2357
2358         Web Inspector: Avoid too early deref caused by RemoteInspectorXPCConnection::close
2359         https://bugs.webkit.org/show_bug.cgi?id=129631
2360
2361         Reviewed by Timothy Hatcher.
2362
2363         Avoid deref() too early if a client calls close(). The xpc_connection_close
2364         will cause another XPC_ERROR event to come in from the queue, deref then.
2365         Likewise, protect multithreaded access to m_client. If a client calls
2366         close() we want to immediately clear the pointer to prevent calls to it.
2367
2368         Overall the multi-threading aspects of RemoteInspectorXPCConnection are
2369         growing too complicated for probably little benefit. We may want to
2370         clean this up later.
2371
2372         * inspector/remote/RemoteInspector.mm:
2373         (Inspector::RemoteInspector::xpcConnectionFailed):
2374         * inspector/remote/RemoteInspectorXPCConnection.h:
2375         * inspector/remote/RemoteInspectorXPCConnection.mm:
2376         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
2377         (Inspector::RemoteInspectorXPCConnection::close):
2378         (Inspector::RemoteInspectorXPCConnection::closeOnQueue):
2379         (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
2380         (Inspector::RemoteInspectorXPCConnection::handleEvent):
2381         (Inspector::RemoteInspectorXPCConnection::sendMessage):
2382
2383 2014-03-03  Michael Saboff  <msaboff@apple.com>
2384
2385         AbstractMacroAssembler::CachedTempRegister should start out invalid
2386         https://bugs.webkit.org/show_bug.cgi?id=129657
2387
2388         Reviewed by Filip Pizlo.
2389
2390         * assembler/AbstractMacroAssembler.h:
2391         (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
2392         - Invalidate all cached registers in constructor as we don't know the
2393           contents of any register at the entry to the code we are going to
2394           generate.
2395
2396 2014-03-03  Andreas Kling  <akling@apple.com>
2397
2398         StructureOrOffset should be fastmalloced.
2399         <https://webkit.org/b/129640>
2400
2401         Reviewed by Geoffrey Garen.
2402
2403         * runtime/StructureIDTable.h:
2404
2405 2014-03-03  Michael Saboff  <msaboff@apple.com>
2406
2407         Crash in JIT code while watching a video @ storyboard.tumblr.com
2408         https://bugs.webkit.org/show_bug.cgi?id=129635
2409
2410         Reviewed by Filip Pizlo.
2411
2412         Clear m_set before we set bits in the TempRegisterSet(const RegisterSet& other)
2413         constructor.
2414
2415         * jit/TempRegisterSet.cpp:
2416         (JSC::TempRegisterSet::TempRegisterSet): Clear map before setting it.
2417         * jit/TempRegisterSet.h:
2418         (JSC::TempRegisterSet::TempRegisterSet): Use new clearAll() helper.
2419         (JSC::TempRegisterSet::clearAll): New private helper.
2420
2421 2014-03-03  Benjamin Poulain  <benjamin@webkit.org>
2422
2423         [x86] Improve code generation of byte test
2424         https://bugs.webkit.org/show_bug.cgi?id=129597
2425
2426         Reviewed by Geoffrey Garen.
2427
2428         When possible, test the 8 bit register to itself instead of comparing it
2429         to a literal.
2430
2431         * assembler/MacroAssemblerX86Common.h:
2432         (JSC::MacroAssemblerX86Common::test32):
2433
2434 2014-03-03  Mark Lam  <mark.lam@apple.com>
2435
2436         Web Inspector: debugger statements do not break.
2437         <https://webkit.org/b/129524>
2438
2439         Reviewed by Geoff Garen.
2440
2441         Since we no longer call op_debug hooks unless there is a debugger request
2442         made on the CodeBlock, the op_debug for the debugger statement never gets
2443         serviced.
2444
2445         With this fix, we check in the CodeBlock constructor if any debugger
2446         statements are present.  If so, we set a m_hasDebuggerStatement flag that
2447         causes the CodeBlock to show as having debugger requests.  Hence,
2448         breaking at debugger statements is now restored.
2449
2450         * bytecode/CodeBlock.cpp:
2451         (JSC::CodeBlock::CodeBlock):
2452         * bytecode/CodeBlock.h:
2453         (JSC::CodeBlock::hasDebuggerRequests):
2454         (JSC::CodeBlock::clearDebuggerRequests):
2455
2456 2014-03-03  Mark Lam  <mark.lam@apple.com>
2457
2458         ASSERTION FAILED: m_numBreakpoints >= numBreakpoints when deleting breakpoints.
2459         <https://webkit.org/b/129393>
2460
2461         Reviewed by Geoffrey Garen.
2462
2463         The issue manifests because the debugger will iterate all CodeBlocks in
2464         the heap when setting / clearing breakpoints, but it is possible for a
2465         CodeBlock to have been instantiated but not yet registered with the
2466         debugger.  This can happen because of the following:
2467
2468         1. DFG worklist compilation is still in progress, and the target
2469            codeBlock is not ready for installation in its executable yet.
2470
2471         2. DFG compilation failed and we have a codeBlock that will never be
2472            installed in its executable, and the codeBlock has not been cleaned
2473            up by the GC yet.
2474
2475         The code for installing the codeBlock in its executable is the same code
2476         that registers it with the debugger.  Hence, these codeBlocks are not
2477         registered with the debugger, and any pending breakpoints that would map
2478         to that CodeBlock are as yet unset or will never be set.  As such, an
2479         attempt to remove a breakpoint in that CodeBlock will fail that assertion.
2480
2481         To fix this, we do the following:
2482
2483         1. We'll eagerly clean up any zombie CodeBlocks due to failed DFG / FTL
2484            compilation.  This is achieved by providing a
2485            DeferredCompilationCallback::compilationDidComplete() that does this
2486            clean up, and have all sub classes call it at the end of their
2487            compilationDidComplete() methods.
2488
2489         2. Before the debugger or profiler iterates CodeBlocks in the heap, they
2490            will wait for all compilations to complete before proceeding.  This
2491            ensures that:
2492            1. any zombie CodeBlocks would have been cleaned up, and won't be
2493               seen by the debugger or profiler.
2494            2. all CodeBlocks that the debugger and profiler needs to operate on
2495               will be "ready" for whatever needs to be done to them e.g.
2496               jettison'ing of DFG codeBlocks.
2497
2498         * bytecode/DeferredCompilationCallback.cpp:
2499         (JSC::DeferredCompilationCallback::compilationDidComplete):
2500         * bytecode/DeferredCompilationCallback.h:
2501         - Provide default implementation method to clean up zombie CodeBlocks.
2502
2503         * debugger/Debugger.cpp:
2504         (JSC::Debugger::forEachCodeBlock):
2505         - Utility function to iterate CodeBlocks.  It ensures that all compilations
2506           are complete before proceeding.
2507         (JSC::Debugger::setSteppingMode):
2508         (JSC::Debugger::toggleBreakpoint):
2509         (JSC::Debugger::recompileAllJSFunctions):
2510         (JSC::Debugger::clearBreakpoints):
2511         (JSC::Debugger::clearDebuggerRequests):
2512         - Use the utility iterator function.
2513
2514         * debugger/Debugger.h:
2515         * dfg/DFGOperations.cpp:
2516         - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.
2517
2518         * dfg/DFGPlan.cpp:
2519         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
2520         - Remove unneeded code (that was not the best solution anyway) for ensuring
2521           that we don't generate new DFG codeBlocks after enabling the debugger or
2522           profiler.  Now that we wait for compilations to complete before proceeding
2523           with debugger and profiler work, this scenario will never happen.
2524
2525         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
2526         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
2527         - Call the super class method to clean up zombie codeBlocks.
2528
2529         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
2530         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
2531         - Call the super class method to clean up zombie codeBlocks.
2532
2533         * heap/CodeBlockSet.cpp:
2534         (JSC::CodeBlockSet::remove):
2535         * heap/CodeBlockSet.h:
2536         * heap/Heap.h:
2537         (JSC::Heap::removeCodeBlock):
2538         - New method to remove a codeBlock from the codeBlock set.
2539
2540         * jit/JITOperations.cpp:
2541         - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.
2542
2543         * jit/JITToDFGDeferredCompilationCallback.cpp:
2544         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
2545         - Call the super class method to clean up zombie codeBlocks.
2546
2547         * runtime/VM.cpp:
2548         (JSC::VM::waitForCompilationsToComplete):
2549         - Renamed from prepareToDiscardCode() to be clearer about what it does.
2550
2551         (JSC::VM::discardAllCode):
2552         (JSC::VM::releaseExecutableMemory):
2553         (JSC::VM::setEnabledProfiler):
2554         - Wait for compilation to complete before enabling the profiler.
2555
2556         * runtime/VM.h:
2557
2558 2014-03-03  Brian Burg  <bburg@apple.com>
2559
2560         Another unreviewed build fix attempt for Windows after r164986.
2561
2562         We never told Visual Studio to copy over the web replay code generator scripts
2563         and the generated headers for JavaScriptCore replay inputs as if they were
2564         private headers.
2565
2566         * JavaScriptCore.vcxproj/copy-files.cmd:
2567
2568 2014-03-03  Brian Burg  <bburg@apple.com>
2569
2570         Web Replay: upstream input storage, capture/replay machinery, and inspector domain
2571         https://bugs.webkit.org/show_bug.cgi?id=128782
2572
2573         Reviewed by Timothy Hatcher.
2574
2575         Alter the replay inputs code generator so that it knows when it is necessary to
2576         include headers for HEAVY_SCALAR types such as WTF::String and WebCore::URL.
2577
2578         * JavaScriptCore.xcodeproj/project.pbxproj:
2579         * replay/scripts/CodeGeneratorReplayInputs.py:
2580         (Framework.fromString):
2581         (Frameworks): Add WTF as an allowed framework for code generation.
2582         (Generator.generate_includes): Include headers for HEAVY_SCALAR types in the header file.
2583         (Generator.generate_includes.declaration):
2584         (Generator.generate_includes.or):
2585         (Generator.generate_type_forward_declarations): Skip HEAVY_SCALAR types.
2586
2587 2014-03-02  Filip Pizlo  <fpizlo@apple.com>
2588
2589         PolymorphicPutByIdList should have a simpler construction API with basically a single entrypoint
2590         https://bugs.webkit.org/show_bug.cgi?id=129591
2591
2592         Reviewed by Michael Saboff.
2593
2594         * bytecode/PolymorphicPutByIdList.cpp:
2595         (JSC::PutByIdAccess::fromStructureStubInfo): This function can figure out the slow path target for itself.
2596         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList): This constructor should be private, only from() should call it.
2597         (JSC::PolymorphicPutByIdList::from):
2598         * bytecode/PolymorphicPutByIdList.h:
2599         (JSC::PutByIdAccess::stubRoutine):
2600         * jit/Repatch.cpp:
2601         (JSC::tryBuildPutByIdList): Don't pass the slow path target since it can be derived from the stubInfo.
2602
2603 2014-03-02  Filip Pizlo  <fpizlo@apple.com>
2604
2605         Debugging improvements from my gbemu investigation session
2606         https://bugs.webkit.org/show_bug.cgi?id=129599
2607
2608         Reviewed by Mark Lam.
2609         
2610         Various improvements from when I was investigating bug 129411.
2611
2612         * bytecode/CodeBlock.cpp:
2613         (JSC::CodeBlock::optimizationThresholdScalingFactor): Make the dataLog() statement print the actual multiplier.
2614         * jsc.cpp:
2615         (GlobalObject::finishCreation):
2616         (functionDescribe): Make describe() return a string rather than printing the string.
2617         (functionDescribeArray): Like describe(), but prints details about arrays.
2618
2619 2014-02-25  Andreas Kling  <akling@apple.com>
2620
2621         JSDOMWindow::commonVM() should return a reference.
2622         <https://webkit.org/b/129293>
2623
2624         Added a DropAllLocks constructor that takes VM& without null checks.
2625
2626         Reviewed by Geoff Garen.
2627
2628 2014-03-02  Mark Lam  <mark.lam@apple.com>
2629
2630         CodeBlock::hasDebuggerRequests() should return a bool instead of an int.
2631         <https://webkit.org/b/129584>
2632
2633         Reviewed by Darin Adler.
2634
2635         * bytecode/CodeBlock.h:
2636         (JSC::CodeBlock::hasDebuggerRequests):
2637
2638 2014-03-02  Mark Lam  <mark.lam@apple.com>
2639
2640         Clean up use of Options::enableConcurrentJIT().
2641         <https://webkit.org/b/129582>
2642
2643         Reviewed by Filip Pizlo.
2644
2645         DFG Driver was conditionally checking Options::enableConcurrentJIT()
2646         only if ENABLE(CONCURRENT_JIT).  Otherwise, it bypasses it with a local
2647         enableConcurrentJIT set to false.
2648
2649         Instead we should configure Options::enableConcurrentJIT() to be false
2650         in Options.cpp if !ENABLE(CONCURRENT_JIT), and DFG Driver should always
2651         check Options::enableConcurrentJIT().  This makes the code read a little
2652         cleaner.
2653
2654         * dfg/DFGDriver.cpp:
2655         (JSC::DFG::compileImpl):
2656         * runtime/Options.cpp:
2657         (JSC::recomputeDependentOptions):
2658
2659 2014-03-01  Filip Pizlo  <fpizlo@apple.com>
2660
2661         This shouldn't have been a layout test since it runs only under jsc. Moving it to JSC
2662         stress tests.
2663
2664         * tests/stress/generational-opaque-roots.js: Copied from LayoutTests/js/script-tests/generational-opaque-roots.js.
2665
2666 2014-03-01  Andreas Kling  <akling@apple.com>
2667
2668         JSCell::fastGetOwnProperty() should get the Structure more efficiently.
2669         <https://webkit.org/b/129560>
2670
2671         Now that structure() is nontrivial and we have a faster structure(VM&),
2672         make use of that in fastGetOwnProperty() since we already have VM.
2673
2674         Reviewed by Sam Weinig.
2675
2676         * runtime/JSCellInlines.h:
2677         (JSC::JSCell::fastGetOwnProperty):
2678
2679 2014-03-01  Andreas Kling  <akling@apple.com>
2680
2681         Avoid going through ExecState for VM when we already have it (in some places.)
2682         <https://webkit.org/b/129554>
2683
2684         Tweak some places that jump through unnecessary hoops to get the VM.
2685         There are many more like this.
2686
2687         Reviewed by Sam Weinig.
2688
2689         * runtime/JSObject.cpp:
2690         (JSC::JSObject::putByIndexBeyondVectorLength):
2691         (JSC::JSObject::putDirectIndexBeyondVectorLength):
2692         * runtime/ObjectPrototype.cpp:
2693         (JSC::objectProtoFuncToString):
2694
2695 2014-02-28  Filip Pizlo  <fpizlo@apple.com>
2696
2697         FTL should support PhantomArguments
2698         https://bugs.webkit.org/show_bug.cgi?id=113986
2699
2700         Reviewed by Oliver Hunt.
2701         
2702         Adding PhantomArguments to the FTL mostly means wiring the recovery of the Arguments
2703         object into the FTL's OSR exit compiler.
2704         
2705         This isn't a speed-up yet, since there is still more to be done to fully support
2706         all of the arguments craziness that our varargs benchmarks do.
2707
2708         * dfg/DFGOSRExitCompiler32_64.cpp:
2709         (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
2710         * dfg/DFGOSRExitCompiler64.cpp:
2711         (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
2712         * dfg/DFGOSRExitCompilerCommon.cpp:
2713         (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator):
2714         (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator):
2715         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): this is the common place for the recovery code
2716         * dfg/DFGOSRExitCompilerCommon.h:
2717         * ftl/FTLCapabilities.cpp:
2718         (JSC::FTL::canCompile):
2719         * ftl/FTLExitValue.cpp:
2720         (JSC::FTL::ExitValue::dumpInContext):
2721         * ftl/FTLExitValue.h:
2722         (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated):
2723         (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated):
2724         (JSC::FTL::ExitValue::valueFormat):
2725         * ftl/FTLLowerDFGToLLVM.cpp:
2726         (JSC::FTL::LowerDFGToLLVM::compileNode):
2727         (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments):
2728         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
2729         (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
2730         * ftl/FTLOSRExitCompiler.cpp:
2731         (JSC::FTL::compileStub): Call into the ArgumentsRecoveryGenerator
2732         * tests/stress/slightly-more-difficult-to-fold-reflective-arguments-access.js: Added.
2733         * tests/stress/trivially-foldable-reflective-arguments-access.js: Added.
2734
2735 2014-02-28  Filip Pizlo  <fpizlo@apple.com>
2736
2737         Unreviewed, uncomment some code. It wasn't meant to be commented in the first place.
2738
2739         * dfg/DFGCSEPhase.cpp:
2740         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
2741
2742 2014-02-28  Andreas Kling  <akling@apple.com>
2743
2744         JSObject::findPropertyHashEntry() should take VM instead of ExecState.
2745         <https://webkit.org/b/129529>
2746
2747         Callers already have VM in a local, and findPropertyHashEntry() only
2748         uses the VM, no need to go all the way through ExecState.
2749
2750         Reviewed by Geoffrey Garen.
2751
2752         * runtime/JSObject.cpp:
2753         (JSC::JSObject::put):
2754         (JSC::JSObject::deleteProperty):
2755         (JSC::JSObject::findPropertyHashEntry):
2756         * runtime/JSObject.h:
2757
2758 2014-02-28  Joseph Pecoraro  <pecoraro@apple.com>
2759
2760         Deadlock remotely inspecting iOS Simulator
2761         https://bugs.webkit.org/show_bug.cgi?id=129511
2762
2763         Reviewed by Timothy Hatcher.
2764
2765         Avoid synchronous setup. Do it asynchronously, and let
2766         the RemoteInspector singleton know later if it failed.
2767
2768         * inspector/remote/RemoteInspector.h:
2769         * inspector/remote/RemoteInspector.mm:
2770         (Inspector::RemoteInspector::setupFailed):
2771         * inspector/remote/RemoteInspectorDebuggableConnection.h:
2772         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
2773         (Inspector::RemoteInspectorDebuggableConnection::setup):
2774
2775 2014-02-28  Oliver Hunt  <oliver@apple.com>
2776
2777         REGRESSION(r164835): It broke 10 JSC stress tests on 32 bit platforms
2778         https://bugs.webkit.org/show_bug.cgi?id=129488
2779
2780         Reviewed by Mark Lam.
2781
2782         Whoops, modify the right register.
2783
2784         * jit/JITCall32_64.cpp:
2785         (JSC::JIT::compileLoadVarargs):
2786
2787 2014-02-28  Filip Pizlo  <fpizlo@apple.com>
2788
2789         FTL should be able to call sin/cos directly on platforms where the intrinsic is busted
2790         https://bugs.webkit.org/show_bug.cgi?id=129503
2791
2792         Reviewed by Mark Lam.
2793
2794         * ftl/FTLIntrinsicRepository.h:
2795         * ftl/FTLOutput.h:
2796         (JSC::FTL::Output::doubleSin):
2797         (JSC::FTL::Output::doubleCos):
2798         (JSC::FTL::Output::intrinsicOrOperation):
2799
2800 2014-02-28  Mark Hahnenberg  <mhahnenberg@apple.com>
2801
2802         Fix !ENABLE(GGC) builds
2803
2804         * heap/Heap.cpp:
2805         (JSC::Heap::markRoots):
2806         (JSC::Heap::gatherJSStackRoots): Also fix one of the names of the GC phases.
2807
2808 2014-02-27  Mark Hahnenberg  <mhahnenberg@apple.com>
2809
2810         Clean up Heap::collect and Heap::markRoots
2811         https://bugs.webkit.org/show_bug.cgi?id=129464
2812
2813         Reviewed by Geoffrey Garen.
2814
2815         These functions have built up a lot of cruft recently. 
2816         We should do a bit of cleanup to make them easier to grok.
2817
2818         * heap/Heap.cpp:
2819         (JSC::Heap::finalizeUnconditionalFinalizers):
2820         (JSC::Heap::gatherStackRoots):
2821         (JSC::Heap::gatherJSStackRoots):
2822         (JSC::Heap::gatherScratchBufferRoots):
2823         (JSC::Heap::clearLivenessData):
2824         (JSC::Heap::visitSmallStrings):
2825         (JSC::Heap::visitConservativeRoots):
2826         (JSC::Heap::visitCompilerWorklists):
2827         (JSC::Heap::markProtectedObjects):
2828         (JSC::Heap::markTempSortVectors):
2829         (JSC::Heap::markArgumentBuffers):
2830         (JSC::Heap::visitException):
2831         (JSC::Heap::visitStrongHandles):
2832         (JSC::Heap::visitHandleStack):
2833         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
2834         (JSC::Heap::converge):
2835         (JSC::Heap::visitWeakHandles):
2836         (JSC::Heap::clearRememberedSet):
2837         (JSC::Heap::updateObjectCounts):
2838         (JSC::Heap::resetVisitors):
2839         (JSC::Heap::markRoots):
2840         (JSC::Heap::copyBackingStores):
2841         (JSC::Heap::deleteUnmarkedCompiledCode):
2842         (JSC::Heap::collect):
2843         (JSC::Heap::collectIfNecessaryOrDefer):
2844         (JSC::Heap::suspendCompilerThreads):
2845         (JSC::Heap::willStartCollection):
2846         (JSC::Heap::deleteOldCode):
2847         (JSC::Heap::flushOldStructureIDTables):
2848         (JSC::Heap::flushWriteBarrierBuffer):
2849         (JSC::Heap::stopAllocation):
2850         (JSC::Heap::reapWeakHandles):
2851         (JSC::Heap::sweepArrayBuffers):
2852         (JSC::Heap::snapshotMarkedSpace):
2853         (JSC::Heap::deleteSourceProviderCaches):
2854         (JSC::Heap::notifyIncrementalSweeper):
2855         (JSC::Heap::rememberCurrentlyExecutingCodeBlocks):
2856         (JSC::Heap::resetAllocators):
2857         (JSC::Heap::updateAllocationLimits):
2858         (JSC::Heap::didFinishCollection):
2859         (JSC::Heap::resumeCompilerThreads):
2860         * heap/Heap.h:
2861
2862 2014-02-27  Ryosuke Niwa  <rniwa@webkit.org>
2863
2864         indexOf and lastIndexOf shouldn't resolve ropes when needle is longer than haystack
2865         https://bugs.webkit.org/show_bug.cgi?id=129466
2866
2867         Reviewed by Michael Saboff.
2868
2869         Refactored the code to avoid calling JSString::value when needle is longer than haystack.
2870
2871         * runtime/StringPrototype.cpp:
2872         (JSC::stringProtoFuncIndexOf):
2873         (JSC::stringProtoFuncLastIndexOf):
2874
2875 2014-02-27  Timothy Hatcher  <timothy@apple.com>
2876
2877         Improve how ContentSearchUtilities::lineEndings works by supporting the three common line endings.
2878
2879         https://bugs.webkit.org/show_bug.cgi?id=129458
2880
2881         Reviewed by Joseph Pecoraro.
2882
2883         * inspector/ContentSearchUtilities.cpp:
2884         (Inspector::ContentSearchUtilities::textPositionFromOffset): Remove assumption about line ending length.
2885         (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Remove assumption about
2886         line ending type and don't try to strip the line ending. Use size_t.
2887         (Inspector::ContentSearchUtilities::lineEndings): Use findNextLineStart to find the lines.
2888         This will include the line ending in the lines, but that is okay.
2889         (Inspector::ContentSearchUtilities::buildObjectForSearchMatch): Use size_t.
2890         (Inspector::ContentSearchUtilities::searchInTextByLines): Modernize.
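
        An added example, not WebKit's Inspector code, of the line-splitting approach this entry
        describes: findNextLineStart, lineEndings and textPositionFromOffset are hypothetical
        reconstructions in JavaScript that accept LF, CRLF and lone CR, keep each terminator attached
        to its line, and compute positions without assuming a fixed terminator length.

```javascript
// Added example (not WebKit code). Function names mirror the ChangeLog entry's
// description but are hypothetical reconstructions, not the Inspector's API.

// Return the offset just past the next line terminator at or after `start`,
// or text.length if no terminator follows. A "\r\n" pair is one terminator,
// so it is never split into a CR line followed by an empty LF line.
function findNextLineStart(text, start) {
  for (let i = start; i < text.length; i++) {
    const ch = text[i];
    if (ch === "\n") return i + 1;
    if (ch === "\r") return text[i + 1] === "\n" ? i + 2 : i + 1;
  }
  return text.length;
}

// Split `text` into lines, each keeping its own terminator. Empty input yields
// one empty line; a trailing terminator does not create an extra empty line.
function lineEndings(text) {
  const lines = [];
  let start = 0;
  do {
    const next = findNextLineStart(text, start);
    lines.push(text.slice(start, next));
    start = next;
  } while (start < text.length);
  return lines;
}

// Map a character offset to a zero-based {line, column}. Because every line
// carries its own terminator, line lengths are exact and no terminator-length
// constant is needed. Offsets past the end clamp to the end of the last line.
function textPositionFromOffset(offset, lines) {
  let lineStart = 0;
  for (let line = 0; line < lines.length; line++) {
    const lineEnd = lineStart + lines[line].length;
    if (offset < lineEnd || line === lines.length - 1) {
      return { line, column: Math.min(offset, lineEnd) - lineStart };
    }
    lineStart = lineEnd;
  }
  return { line: 0, column: 0 }; // only reached for an empty `lines` array
}

// Constructed sample mixing all three terminators: "a" CRLF, "b" CR, "c" LF, "d".
const SAMPLE_TEXT = "a\r\nb\rc\nd";
```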
2891
2892 2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>
2893
2894         [Mac] Warning: Multiple build commands for output file GCSegmentedArray and InspectorAgent
2895         https://bugs.webkit.org/show_bug.cgi?id=129446
2896
2897         Reviewed by Timothy Hatcher.
2898
2899         Remove duplicate header entries in Copy Header build phase.
2900
2901         * JavaScriptCore.xcodeproj/project.pbxproj:
2902
2903 2014-02-27  Oliver Hunt  <oliver@apple.com>
2904
2905         Whoops, include all of last patch.
2906
2907         * jit/JITCall32_64.cpp:
2908         (JSC::JIT::compileLoadVarargs):
2909
2910 2014-02-27  Oliver Hunt  <oliver@apple.com>
2911
2912         Slow cases for function.apply and function.call should not require vm re-entry
2913         https://bugs.webkit.org/show_bug.cgi?id=129454
2914
2915         Reviewed by Geoffrey Garen.
2916
2917         Implement call and apply using builtins. Happily the use
2918         of @call and @apply doesn't perform function equality checks
2919         and just plants direct var_args calls. This did expose a few
2920         codegen issues, but they're all covered by existing tests
2921         once call and apply are implemented in JS.
2922
2923         * JavaScriptCore.xcodeproj/project.pbxproj:
2924         * builtins/Function.prototype.js: Added.
2925         (call):
2926         (apply):
2927         * bytecompiler/NodesCodegen.cpp:
2928         (JSC::CallFunctionCallDotNode::emitBytecode):
2929         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2930         * dfg/DFGCapabilities.cpp:
2931         (JSC::DFG::capabilityLevel):
2932         * interpreter/Interpreter.cpp:
2933         (JSC::sizeFrameForVarargs):
2934         (JSC::loadVarargs):
2935         * interpreter/Interpreter.h:
2936         * jit/JITCall.cpp:
2937         (JSC::JIT::compileLoadVarargs):
2938         * parser/ASTBuilder.h:
2939         (JSC::ASTBuilder::makeFunctionCallNode):
2940         * parser/Lexer.cpp:
2941         (JSC::isSafeBuiltinIdentifier):
2942         * runtime/CommonIdentifiers.h:
2943         * runtime/FunctionPrototype.cpp:
2944         (JSC::FunctionPrototype::addFunctionProperties):
2945         * runtime/JSObject.cpp:
2946         (JSC::JSObject::putDirectBuiltinFunction):
2947         (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
2948         * runtime/JSObject.h:
2949
2950 2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>
2951
2952         Web Inspector: Better name for RemoteInspectorDebuggableConnection dispatch queue
2953         https://bugs.webkit.org/show_bug.cgi?id=129443
2954
2955         Reviewed by Timothy Hatcher.
2956
2957         This queue is specific to the JSContext debuggable connections,
2958         there is no XPC involved. Give it a better name.
2959
2960         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
2961         (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
2962
2963 2014-02-27  David Kilzer  <ddkilzer@apple.com>
2964
2965         Remove jsc symlink if it already exists
2966
2967         This is a follow-up fix for:
2968
2969         Create symlink to /usr/local/bin/jsc during installation
2970         <http://webkit.org/b/129399>
2971         <rdar://problem/16168734>
2972
2973         * JavaScriptCore.xcodeproj/project.pbxproj:
2974         (Create /usr/local/bin/jsc symlink): If a jsc symlink already
2975         exists where we're about to create the symlink, remove the old
2976         one first.
2977
2978 2014-02-27  Michael Saboff  <msaboff@apple.com>
2979
2980         Unreviewed build fix for Mac tools after r164814
2981
2982         * Configurations/ToolExecutable.xcconfig:
2983         - Added JavaScriptCore.framework/PrivateHeaders to ToolExecutable include path.
2984         * JavaScriptCore.xcodeproj/project.pbxproj:
2985         - Changed productName to testRegExp for testRegExp target.
2986
2987 2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>
2988
2989         Web Inspector: JSContext inspection should report exceptions in the console
2990         https://bugs.webkit.org/show_bug.cgi?id=128776
2991
2992         Reviewed by Timothy Hatcher.
2993
2994         When JavaScript API functions have an exception, let the inspector
2995         know so it can log the JavaScript and Native backtrace that caused
2996         the exception.
2997
2998         Include some clean up of ConsoleMessage and ScriptCallStack construction.
2999
3000         * API/JSBase.cpp:
3001         (JSEvaluateScript):
3002         (JSCheckScriptSyntax):
3003         * API/JSObjectRef.cpp:
3004         (JSObjectMakeFunction):
3005         (JSObjectMakeArray):
3006         (JSObjectMakeDate):
3007         (JSObjectMakeError):
3008         (JSObjectMakeRegExp):
3009         (JSObjectGetProperty):
3010         (JSObjectSetProperty):
3011         (JSObjectGetPropertyAtIndex):
3012         (JSObjectSetPropertyAtIndex):
3013         (JSObjectDeleteProperty):
3014         (JSObjectCallAsFunction):
3015         (JSObjectCallAsConstructor):
3016         * API/JSValue.mm:
3017         (reportExceptionToInspector):
3018         (valueToArray):
3019         (valueToDictionary):
3020         * API/JSValueRef.cpp:
3021         (JSValueIsEqual):
3022         (JSValueIsInstanceOfConstructor):
3023         (JSValueCreateJSONString):
3024         (JSValueToNumber):
3025         (JSValueToStringCopy):
3026         (JSValueToObject):
3027         When seeing an exception, let the inspector know there was an exception.
3028
3029         * inspector/JSGlobalObjectInspectorController.h:
3030         * inspector/JSGlobalObjectInspectorController.cpp:
3031         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3032         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
3033         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
3034         Log API exceptions by also grabbing the native backtrace.
3035
3036         * inspector/ScriptCallStack.h:
3037         * inspector/ScriptCallStack.cpp:
3038         (Inspector::ScriptCallStack::firstNonNativeCallFrame):
3039         (Inspector::ScriptCallStack::append):
3040         Minor extensions to ScriptCallStack to make it easier to work with.
3041
3042         * inspector/ConsoleMessage.cpp:
3043         (Inspector::ConsoleMessage::ConsoleMessage):
3044         (Inspector::ConsoleMessage::autogenerateMetadata):
3045         Provide better default information if the first call frame was native.
3046
3047         * inspector/ScriptCallStackFactory.cpp:
3048         (Inspector::createScriptCallStack):
3049         (Inspector::extractSourceInformationFromException):
3050         (Inspector::createScriptCallStackFromException):
3051         Perform the handling here of inserting a fake call frame for exceptions
3052         if there was no call stack (e.g. a SyntaxError) or if the first call
3053         frame had no information.
3054
3055         * inspector/ConsoleMessage.cpp:
3056         (Inspector::ConsoleMessage::ConsoleMessage):
3057         (Inspector::ConsoleMessage::autogenerateMetadata):
3058         * inspector/ConsoleMessage.h:
3059         * inspector/ScriptCallStackFactory.cpp:
3060         (Inspector::createScriptCallStack):
3061         (Inspector::createScriptCallStackForConsole):
3062         * inspector/ScriptCallStackFactory.h:
3063         * inspector/agents/InspectorConsoleAgent.cpp:
3064         (Inspector::InspectorConsoleAgent::enable):
3065         (Inspector::InspectorConsoleAgent::addMessageToConsole):
3066         (Inspector::InspectorConsoleAgent::count):
3067         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
3068         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
3069         ConsoleMessage cleanup.
3070
3071 2014-02-27  David Kilzer  <ddkilzer@apple.com>
3072
3073         Create symlink to /usr/local/bin/jsc during installation
3074         <http://webkit.org/b/129399>
3075         <rdar://problem/16168734>
3076
3077         Reviewed by Dan Bernstein.
3078
3079         * JavaScriptCore.xcodeproj/project.pbxproj:
3080         - Add "Create /usr/local/bin/jsc symlink" build phase script to
3081           create the symlink during installation.
3082
3083 2014-02-27  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>
3084
3085         Math.{max, min}() must not return after first NaN value
3086         https://bugs.webkit.org/show_bug.cgi?id=104147
3087
3088         Reviewed by Oliver Hunt.
3089
3090         According to the spec, ToNumber is going to be called on each argument
3091         even if a `NaN` value was already found.
3092
3093         * runtime/MathObject.cpp:
3094         (JSC::mathProtoFuncMax):
3095         (JSC::mathProtoFuncMin):
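
        An added example, not WebKit code, illustrating the spec rule this entry implements: a
        reference max/min that coerces every argument before comparing, plus a probe that reports
        whether an engine still calls valueOf on arguments after a NaN. The names specMax, specMin
        and probeCoercions are hypothetical.

```javascript
// Added example (not WebKit code). ECMAScript requires Math.max and Math.min
// to apply ToNumber to every argument, even after a NaN has been seen, so an
// argument's valueOf side effects are never skipped.

// Reference Math.max: coerce every argument first, then compute.
function specMax(...args) {
  const numbers = args.map(Number); // ToNumber on all arguments, in order
  let result = -Infinity;
  for (const n of numbers) {
    if (Number.isNaN(n)) return NaN; // NaN wins, but only after all coercions
    // +0 is treated as larger than -0, so max(-0, +0) is +0.
    if (n > result || (n === 0 && Object.is(result, -0))) result = n;
  }
  return result;
}

// Reference Math.min, mirroring specMax with the comparison reversed.
function specMin(...args) {
  const numbers = args.map(Number);
  let result = Infinity;
  for (const n of numbers) {
    if (Number.isNaN(n)) return NaN;
    // -0 is treated as smaller than +0, so min(+0, -0) is -0.
    if (n < result || (n === 0 && result === 0 && Object.is(n, -0))) result = n;
  }
  return result;
}

// Count how many object arguments have valueOf invoked by `fn` (Math.max or
// Math.min) when NaN is the first argument. A conforming engine returns
// `count`; an engine that bails out at the first NaN returns 0.
function probeCoercions(fn, count) {
  let calls = 0;
  const probes = Array.from({ length: count }, () => ({
    valueOf() { calls += 1; return 1; },
  }));
  fn(NaN, ...probes);
  return calls;
}
```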
3096
3097 2014-02-27  Gergo Balogh  <gbalogh.u-szeged@partner.samsung.com>
3098
3099         JSType upper limit (0xff) assertion can be removed.
3100         https://bugs.webkit.org/show_bug.cgi?id=129424
3101
3102         Reviewed by Geoffrey Garen.
3103
3104         * runtime/JSTypeInfo.h:
3105         (JSC::TypeInfo::TypeInfo):
3106
3107 2014-02-26  Michael Saboff  <msaboff@apple.com>
3108
3109         Auto generate bytecode information for bytecode parser and LLInt
3110         https://bugs.webkit.org/show_bug.cgi?id=129181
3111
3112         Reviewed by Mark Lam.
3113
3114         Added new bytecode/BytecodeList.json that contains a list of bytecodes and related
3115         helpers.  It also includes bytecode length and other information used to generate files.
3116         Added a new generator, generate-bytecode-files that generates Bytecodes.h and InitBytecodes.asm
3117         in DerivedSources/JavaScriptCore/.
3118
3119         Added the generation of these files to the "DerivedSource" build step.
3120         Slightly changed the build order, since the Bytecodes.h file is needed by
3121         JSCLLIntOffsetsExtractor.  Moved the offline assembly to a separate step since it needs
3122         to be run after JSCLLIntOffsetsExtractor.
3123
3124         Made related changes to OPCODE macros and their use.
3125
3126         Added JavaScriptCore.framework/PrivateHeaders to header file search path for building
3127         jsc to resolve Mac build issue.
3128
3129         * CMakeLists.txt:
3130         * Configurations/JSC.xcconfig:
3131         * DerivedSources.make:
3132         * GNUmakefile.am:
3133         * GNUmakefile.list.am:
3134         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3135         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3136         * JavaScriptCore.vcxproj/copy-files.cmd:
3137         * JavaScriptCore.xcodeproj/project.pbxproj:
3138         * bytecode/Opcode.h:
3139         (JSC::padOpcodeName):
3140         * llint/LLIntCLoop.cpp:
3141         (JSC::LLInt::CLoop::initialize):
3142         * llint/LLIntCLoop.h:
3143         * llint/LLIntData.cpp:
3144         (JSC::LLInt::initialize):
3145         * llint/LLIntOpcode.h:
3146         * llint/LowLevelInterpreter.asm:
3147
3148 2014-02-27  Julien Brianceau  <jbriance@cisco.com>
3149
3150         Fix 32-bit V_JITOperation_EJ callOperation introduced in r162652.
3151         https://bugs.webkit.org/show_bug.cgi?id=129420
3152
3153         Reviewed by Geoffrey Garen.
3154
3155         * dfg/DFGSpeculativeJIT.h:
3156         (JSC::DFG::SpeculativeJIT::callOperation): Payload and tag are swapped.
3157         Also, EABI_32BIT_DUMMY_ARG is missing for arm EABI and mips.
3158
3159 2014-02-27  Filip Pizlo  <fpizlo@apple.com>
3160
3161         Octane/closure thrashes between flattening dictionaries during global object initialization in a global eval
3162         https://bugs.webkit.org/show_bug.cgi?id=129435
3163
3164         Reviewed by Oliver Hunt.
3165         
3166         This is a 5-10% speed-up on Octane/closure.
3167
3168         * interpreter/Interpreter.cpp:
3169         (JSC::Interpreter::execute):
3170         * jsc.cpp:
3171         (GlobalObject::finishCreation):
3172         (functionClearCodeCache):
3173         * runtime/BatchedTransitionOptimizer.h:
3174         (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
3175         (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
3176
3177 2014-02-27  Alexey Proskuryakov  <ap@apple.com>
3178
3179         Added svn:ignore to two directories, so that .pyc files don't show up as unversioned.
3180
3181         * inspector/scripts: Added property svn:ignore.
3182         * replay/scripts: Added property svn:ignore.
3183
3184 2014-02-27  Gabor Rapcsanyi  <rgabor@webkit.org>
3185
3186         r164764 broke the ARM build
3187         https://bugs.webkit.org/show_bug.cgi?id=129415
3188
3189         Reviewed by Zoltan Herczeg.
3190
3191         * assembler/MacroAssemblerARM.h:
3192         (JSC::MacroAssemblerARM::moveWithPatch): Change reinterpret_cast to static_cast.
3193         (JSC::MacroAssemblerARM::canJumpReplacePatchableBranch32WithPatch): Add missing function.
3194         (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress): Add missing function.
3195         (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch): Add missing function.
3196
3197 2014-02-27  Mark Hahnenberg  <mhahnenberg@apple.com>
3198
3199         r164764 broke the ARM build
3200         https://bugs.webkit.org/show_bug.cgi?id=129415
3201
3202         Reviewed by Geoffrey Garen.
3203
3204         * assembler/MacroAssemblerARM.h:
3205         (JSC::MacroAssemblerARM::moveWithPatch):
3206
3207 2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>
3208
3209         r164764 broke the ARM build
3210         https://bugs.webkit.org/show_bug.cgi?id=129415
3211
3212         Reviewed by Geoffrey Garen.
3213
3214         * assembler/MacroAssemblerARM.h:
3215         (JSC::MacroAssemblerARM::branch32WithPatch): Missing this function.
3216
3217 2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>
3218
3219         EFL build fix
3220
3221         * dfg/DFGSpeculativeJIT32_64.cpp: Remove unused variables.
3222         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
3223         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
3224
3225 2014-02-25  Mark Hahnenberg  <mhahnenberg@apple.com>
3226
3227         Make JSCells have 32-bit Structure pointers
3228         https://bugs.webkit.org/show_bug.cgi?id=123195
3229
3230         Reviewed by Filip Pizlo.
3231
3232         This patch changes JSCells such that they no longer have a full 64-bit Structure
3233         pointer in their header. Instead they now have a 32-bit index into
3234         a per-VM table of Structure pointers. 32-bit platforms still use normal Structure
3235         pointers.
3236
3237         This change frees up an additional 32 bits of information in our object headers.
3238         We then use this extra space to store the indexing type of the object, the JSType
3239         of the object, some various type flags, and garbage collection data (e.g. mark bit).
3240         Because this inline type information is now faster to read, it pays for the slowdown 
3241         incurred by having to perform an extra indirection through the StructureIDTable.
3242
3243         This patch also threads a reference to the current VM through more of the C++ runtime
3244         to offset the cost of having to look up the VM to get the actual Structure pointer.
3245
3246         * API/JSContext.mm:
3247         (-[JSContext setException:]):
3248         (-[JSContext wrapperForObjCObject:]):
3249         (-[JSContext wrapperForJSObject:]):
3250         * API/JSContextRef.cpp:
3251         (JSContextGroupRelease):
3252         (JSGlobalContextRelease):
3253         * API/JSObjectRef.cpp:
3254         (JSObjectIsFunction):
3255         (JSObjectCopyPropertyNames):
3256         * API/JSValue.mm:
3257         (containerValueToObject):
3258         * API/JSWrapperMap.mm:
3259         (tryUnwrapObjcObject):
3260         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3261         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3262         * JavaScriptCore.xcodeproj/project.pbxproj:
3263         * assembler/AbstractMacroAssembler.h:
3264         * assembler/MacroAssembler.h:
3265         (JSC::MacroAssembler::patchableBranch32WithPatch):
3266         (JSC::MacroAssembler::patchableBranch32):
3267         * assembler/MacroAssemblerARM64.h:
3268         (JSC::MacroAssemblerARM64::branchPtrWithPatch):
3269         (JSC::MacroAssemblerARM64::patchableBranch32WithPatch):
3270         (JSC::MacroAssemblerARM64::canJumpReplacePatchableBranch32WithPatch):
3271         (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
3272         (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
3273         * assembler/MacroAssemblerARMv7.h:
3274         (JSC::MacroAssemblerARMv7::store8):
3275         (JSC::MacroAssemblerARMv7::branch32WithPatch):
3276         (JSC::MacroAssemblerARMv7::patchableBranch32WithPatch):
3277         (JSC::MacroAssemblerARMv7::canJumpReplacePatchableBranch32WithPatch):
3278         (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
3279         (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
3280         * assembler/MacroAssemblerX86.h:
3281         (JSC::MacroAssemblerX86::branch32WithPatch):
3282         (JSC::MacroAssemblerX86::canJumpReplacePatchableBranch32WithPatch):
3283         (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
3284         (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
3285         * assembler/MacroAssemblerX86_64.h:
3286         (JSC::MacroAssemblerX86_64::store32):
3287         (JSC::MacroAssemblerX86_64::moveWithPatch):
3288         (JSC::MacroAssemblerX86_64::branch32WithPatch):
3289         (JSC::MacroAssemblerX86_64::canJumpReplacePatchableBranch32WithPatch):
3290         (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
3291         (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
3292         (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
3293         * assembler/RepatchBuffer.h:
3294         (JSC::RepatchBuffer::startOfPatchableBranch32WithPatchOnAddress):
3295         (JSC::RepatchBuffer::revertJumpReplacementToPatchableBranch32WithPatch):
3296         * assembler/X86Assembler.h:
3297         (JSC::X86Assembler::revertJumpTo_movq_i64r):
3298         (JSC::X86Assembler::revertJumpTo_movl_i32r):
3299         * bytecode/ArrayProfile.cpp:
3300         (JSC::ArrayProfile::computeUpdatedPrediction):
3301         * bytecode/ArrayProfile.h:
3302         (JSC::ArrayProfile::ArrayProfile):
3303         (JSC::ArrayProfile::addressOfLastSeenStructureID):
3304         (JSC::ArrayProfile::observeStructure):
3305         * bytecode/CodeBlock.h:
3306         (JSC::CodeBlock::heap):
3307         * bytecode/UnlinkedCodeBlock.h:
3308         * debugger/Debugger.h:
3309         * dfg/DFGAbstractHeap.h:
3310         * dfg/DFGArrayifySlowPathGenerator.h:
3311         * dfg/DFGClobberize.h:
3312         (JSC::DFG::clobberize):
3313         * dfg/DFGJITCompiler.h:
3314         (JSC::DFG::JITCompiler::branchWeakStructure):
3315         (JSC::DFG::JITCompiler::branchStructurePtr):
3316         * dfg/DFGOSRExitCompiler32_64.cpp:
3317         (JSC::DFG::OSRExitCompiler::compileExit):
3318         * dfg/DFGOSRExitCompiler64.cpp:
3319         (JSC::DFG::OSRExitCompiler::compileExit):
3320         * dfg/DFGOSRExitCompilerCommon.cpp:
3321         (JSC::DFG::osrWriteBarrier):
3322         (JSC::DFG::adjustAndJumpToTarget):
3323         * dfg/DFGOperations.cpp:
3324         (JSC::DFG::putByVal):
3325         * dfg/DFGSpeculativeJIT.cpp:
3326         (JSC::DFG::SpeculativeJIT::checkArray):
3327         (JSC::DFG::SpeculativeJIT::arrayify):
3328         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
3329         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
3330         (JSC::DFG::SpeculativeJIT::compileInstanceOf):
3331         (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
3332         (JSC::DFG::SpeculativeJIT::speculateObject):
3333         (JSC::DFG::SpeculativeJIT::speculateFinalObject):
3334         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
3335         (JSC::DFG::SpeculativeJIT::speculateString):
3336         (JSC::DFG::SpeculativeJIT::speculateStringObject):
3337         (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
3338         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
3339         (JSC::DFG::SpeculativeJIT::emitSwitchString):
3340         (JSC::DFG::SpeculativeJIT::genericWriteBarrier):
3341         (JSC::DFG::SpeculativeJIT::writeBarrier):
3342         * dfg/DFGSpeculativeJIT.h:
3343         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
3344         (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
3345         * dfg/DFGSpeculativeJIT32_64.cpp:
3346         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
3347         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
3348         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
3349         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
3350         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
3351         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
3352         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
3353         (JSC::DFG::SpeculativeJIT::compile):
3354         (JSC::DFG::SpeculativeJIT::writeBarrier):
3355         * dfg/DFGSpeculativeJIT64.cpp:
3356         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
3357         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
3358         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
3359         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
3360         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
3361         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
3362         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
3363         (JSC::DFG::SpeculativeJIT::compile):
3364         (JSC::DFG::SpeculativeJIT::writeBarrier):
3365         * dfg/DFGWorklist.cpp:
3366         * ftl/FTLAbstractHeapRepository.cpp:
3367         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
3368         * ftl/FTLAbstractHeapRepository.h:
3369         * ftl/FTLLowerDFGToLLVM.cpp:
3370         (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
3371         (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
3372         (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
3373         (JSC::FTL::LowerDFGToLLVM::compileToString):
3374         (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
3375         (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
3376         (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
3377         (JSC::FTL::LowerDFGToLLVM::allocateCell):
3378         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
3379         (JSC::FTL::LowerDFGToLLVM::isObject):
3380         (JSC::FTL::LowerDFGToLLVM::isString):
3381         (JSC::FTL::LowerDFGToLLVM::isArrayType):
3382         (JSC::FTL::LowerDFGToLLVM::hasClassInfo):
3383         (JSC::FTL::LowerDFGToLLVM::isType):
3384         (JSC::FTL::LowerDFGToLLVM::speculateStringOrStringObject):
3385         (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForCell):
3386         (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
3387         (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
3388         (JSC::FTL::LowerDFGToLLVM::loadMarkByte):
3389         (JSC::FTL::LowerDFGToLLVM::loadStructure):
3390         (JSC::FTL::LowerDFGToLLVM::weakStructure):
3391         * ftl/FTLOSRExitCompiler.cpp:
3392         (JSC::FTL::compileStub):
3393         * ftl/FTLOutput.h:
3394         (JSC::FTL::Output::store8):
3395         * heap/GCAssertions.h:
3396         * heap/Heap.cpp:
3397         (JSC::Heap::getConservativeRegisterRoots):
3398         (JSC::Heap::collect):
3399         (JSC::Heap::writeBarrier):
3400         * heap/Heap.h:
3401         (JSC::Heap::structureIDTable):
3402         * heap/MarkedSpace.h:
3403         (JSC::MarkedSpace::forEachBlock):
3404         * heap/SlotVisitorInlines.h:
3405         (JSC::SlotVisitor::internalAppend):
3406         * jit/AssemblyHelpers.h:
3407         (JSC::AssemblyHelpers::branchIfCellNotObject):
3408         (JSC::AssemblyHelpers::genericWriteBarrier):
3409         (JSC::AssemblyHelpers::emitLoadStructure):
3410         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
3411         * jit/JIT.h:
3412         * jit/JITCall.cpp:
3413         (JSC::JIT::compileOpCall):
3414         (JSC::JIT::privateCompileClosureCall):
3415         * jit/JITCall32_64.cpp:
3416         (JSC::JIT::emit_op_ret_object_or_this):
3417         (JSC::JIT::compileOpCall):
3418         (JSC::JIT::privateCompileClosureCall):
3419         * jit/JITInlineCacheGenerator.cpp:
3420         (JSC::JITByIdGenerator::generateFastPathChecks):
3421         * jit/JITInlineCacheGenerator.h:
3422         *