4671b508124cc5196d7d5a41cf700acbc09d65cf
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-05-22  Mark Lam  <mark.lam@apple.com>

        REGRESSION(r154797): Debugger crashes when stepping over an uncaught exception.
        <https://webkit.org/b/133182>

        Reviewed by Oliver Hunt.

        Before r154797, we used to clear the VM exception before calling into the
        debugger.  After r154797, we don't.  This patch will restore this clearing
        of the exception before calling into the debugger.

        Also added assertions after returning from calls into the debugger to
        ensure that the debugger did not introduce any exceptions.

        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        (JSC::Interpreter::unwind):
        (JSC::Interpreter::debug):
        - Fixed the assertion here.  Interpreter::debug() should never be called
          with a pending exception.  Debugger callbacks for exceptions should be
          handled by Interpreter::unwind() and Interpreter::unwindCallFrame().

2014-05-21  Filip Pizlo  <fpizlo@apple.com>

        Store barrier elision should run after DCE in both the DFG path and the FTL path
        https://bugs.webkit.org/show_bug.cgi?id=129718

        Rubber stamped by Mark Hahnenberg.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):

2014-05-21  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>

        [EFL] Add include path of compact_unwind_encoding.h if FTL JIT is enabled
        https://bugs.webkit.org/show_bug.cgi?id=132907

        Reviewed by Gyuyoung Kim.

        * CMakeLists.txt:

2014-05-16  Martin Robinson  <mrobinson@igalia.com>

        [CMake] Improve handling of LIB_INSTALL_DIR, EXEC_INSTALL_DIR, and LIBEXEC_INSTALL_DIR
        https://bugs.webkit.org/show_bug.cgi?id=132819

        Reviewed by Carlos Garcia Campos.

        * javascriptcoregtk.pc.in: Instead of using the special pkg-config variables,
        use the common CMake ones directly.

2014-05-21  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/169159.

        This was a unilateral change and wasn't properly reviewed.

        * tests/mozilla/mozilla-tests.yaml:

2014-05-21  Antoine Quint  <graouts@webkit.org>

        Array.prototype.find and findIndex should skip holes
        https://bugs.webkit.org/show_bug.cgi?id=132658

        Reviewed by Geoffrey Garen.

        Skip holes in the array when iterating such that callback isn't called.

        * builtins/Array.prototype.js:
        (find):
        (findIndex):

2014-05-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        REGRESSION(r169092 and r169102): Skip failing JSC tests on ARM64 properly
        https://bugs.webkit.org/show_bug.cgi?id=133149

        Reviewed by Csaba Osztrogonác.

        * tests/mozilla/mozilla-tests.yaml:

2014-05-20  Geoffrey Garen  <ggaren@apple.com>

        Rolled out <http://trac.webkit.org/changeset/166184>
        https://bugs.webkit.org/show_bug.cgi?id=133144

        Reviewed by Gavin Barraclough.

        It caused a performance regression.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::blockFreeingThreadStartFunc):

2014-05-20  Filip Pizlo  <fpizlo@apple.com>

        DFG prediction propagation should agree with fixup phase over the return type of GetByVal
        https://bugs.webkit.org/show_bug.cgi?id=133134

        Reviewed by Mark Hahnenberg.

        Make prediction propagator use ArrayMode refinement to decide the return type.

        Also introduce a heap prediction intrinsic that allows us to test weird corner cases
        like this. The only way we'll see a mismatch like this in the real world is probably
        through a gnarly race condition.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::setHeapPrediction):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionFalse1):
        (functionFalse2):
        (functionUndefined1):
        (functionUndefined2):
        (functionFalse): Deleted.
        (functionOtherFalse): Deleted.
        (functionUndefined): Deleted.
        * runtime/Intrinsic.h:
        * tests/stress/get-by-val-double-predicted-int.js: Added.
        (foo):

2014-05-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Watchdog timer should be lazily allocated
        https://bugs.webkit.org/show_bug.cgi?id=133135

        Reviewed by Geoffrey Garen.

        We incur a noticeable amount of overhead on some benchmarks due to checking if the Watchdog ever fired.
        There is no reason to do this checking if we never activated the Watchdog, which can only be done through
        JSContextGroupSetExecutionTimeLimit or JSContextGroupClearExecutionTimeLimit.

        By allocating the Watchdog lazily on the VM we can avoid all of the associated overhead when we don't use
        these two API functions (which is true of most clients).

        * API/JSContextRef.cpp:
        (JSContextGroupSetExecutionTimeLimit):
        (JSContextGroupClearExecutionTimeLimit):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_loop_hint):
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/VM.h:
        * runtime/Watchdog.cpp:
        (JSC::Watchdog::Scope::Scope): Deleted.
        (JSC::Watchdog::Scope::~Scope): Deleted.
        * runtime/Watchdog.h:
        (JSC::Watchdog::Scope::Scope):
        (JSC::Watchdog::Scope::~Scope):

2014-05-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSArray::shiftCountWith* could be more efficient
        https://bugs.webkit.org/show_bug.cgi?id=133011

        Reviewed by Geoffrey Garen.

        Our current implementations of shiftCountWithAnyIndexingType and shiftCountWithArrayStorage
        are scared of the presence of any holes in the array. We can mitigate this somewhat by enabling
        them to correctly handle holes, thus avoiding the slowest of slow paths in most cases.

        * runtime/ArrayStorage.h:
        (JSC::ArrayStorage::indexingHeader):
        (JSC::ArrayStorage::length):
        (JSC::ArrayStorage::hasHoles):
        * runtime/IndexingHeader.h:
        (JSC::IndexingHeader::publicLength):
        (JSC::IndexingHeader::from):
        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        * runtime/JSArray.h:
        (JSC::JSArray::shiftCountForShift):
        (JSC::JSArray::shiftCountForSplice):
        (JSC::JSArray::shiftCount):
        * runtime/Structure.cpp:
        (JSC::Structure::holesRequireSpecialBehavior):
        * runtime/Structure.h:

2014-05-19  Filip Pizlo  <fpizlo@apple.com>

        Test gardening: skip some failing tests on not-X86.

        * tests/mozilla/mozilla-tests.yaml:

2014-05-19  Mark Lam  <mark.lam@apple.com>

        operationOptimize() should defer the GC for a while.
        <https://webkit.org/b/133103>

        Reviewed by Filip Pizlo.

        Currently, operationOptimize() only defers the GC until its end.  As a result,
        a GC may be triggered just before we return from operationOptimize(), and it may
        jettison the optimize codeBlock that we're planning to OSR enter into when we
        return from this function.  This is because the OSR entry on-ramp code hasn't
        been executed yet, and hence, there is not yet a reference to this new codeBlock
        from the stack, and there won't be until we've had a chance to return out of
        operationOptimize() to run the OSR entry on-ramp code.

        This issue is now fixed by using DeferGCForAWhile instead of DeferGC.  This
        ensures that the GC will be deferred until after the OSR entry on-ramp can be
        executed.

        * jit/JITOperations.cpp:

2014-05-19  Filip Pizlo  <fpizlo@apple.com>

        Take care of some ARM64 test failures
        https://bugs.webkit.org/show_bug.cgi?id=133090

        Reviewed by Geoffrey Garen.

        Constant blinding on ARM64 cannot use the scratch register.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::convertInt32ToDouble):
        (JSC::MacroAssembler::branchPtr):
        (JSC::MacroAssembler::storePtr):
        (JSC::MacroAssembler::store64):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::scratchRegisterForBlinding):

2014-05-19  Tanay C  <tanay.c@samsung.com>

        Removing some check-webkit-style warnings from ./dfg
        https://bugs.webkit.org/show_bug.cgi?id=132854

        Reviewed by Darin Adler.

        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAbstractValue.h:
        * dfg/DFGBlockInsertionSet.h:
        * dfg/DFGCommonData.h:
        * dfg/DFGDominators.h:
        * dfg/DFGGraph.h:
        * dfg/DFGInPlaceAbstractState.h:
        * dfg/DFGPredictionPropagationPhase.h:

2014-05-18  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, remove bogus comment. We already made the FTL use our calling convention.
        That was a long time ago.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileReturn):

2014-05-18  Rik Cabanier  <cabanier@adobe.com>

        support for navigator.hardwareConcurrency
        https://bugs.webkit.org/show_bug.cgi?id=132588

        Reviewed by Filip Pizlo.

        * Configurations/FeatureDefines.xcconfig:

2014-05-16  Michael Saboff  <msaboff@apple.com>

        Crash in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed() due to WTF::CrashOnOverflow::overflowed + 9
        https://bugs.webkit.org/show_bug.cgi?id=133009

        Reviewed by Oliver Hunt.

        If we determine that any alternative requires a minimum match size greater than
        INT_MAX, we handle the match in the interpreter.

        Check to see if the pattern has unsigned lengths before invoking YARR JIT.
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):

        * tests/stress/large-regexp.js: New test added.

        Set m_containsUnsignedLengthPattern flag if any alternative's minimum length
        doesn't fit in an int.
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):

        Clear new m_containsUnsignedLengthPattern flag.
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPattern::YarrPattern):
        * yarr/YarrPattern.h:
        (JSC::Yarr::YarrPattern::reset):
        (JSC::Yarr::YarrPattern::containsUnsignedLengthPattern):

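As an added illustration of the fallback the 2014-05-16 entry above describes (this is not WebKit's code), the C++ below models an overflow-checked minimum-match-length computation over a disjunction of alternatives: any alternative whose minimum length does not fit in an int sets a flag, and a pattern with that flag set is routed to the interpreter rather than the JIT. `Term`, `Alternative`, `Pattern`, `alternativeMinimumLength`, `computeMinimumLengths`, `Backend` and `chooseBackend` are constructed for this example; only the flag name echoes `m_containsUnsignedLengthPattern`. The sample patterns in the comments are constructed too.

```cpp
#include <climits>
#include <vector>

// Constructed toy model (not WebKit code). Only the flag name echoes the
// entry's m_containsUnsignedLengthPattern; everything else is invented here.

// One term of an alternative: its minimum repeat count and the minimum width
// of one repetition, e.g. a{1000,} -> {1000, 1}; (?:ab){2} -> {2, 2}.
struct Term {
    unsigned minRepeat;
    unsigned minWidth;
};

// One alternative of a disjunction: a sequence of terms.
struct Alternative {
    std::vector<Term> terms;
};

struct MinLengthResult {
    bool fitsInInt;   // false: the minimum match length is not representable as an int
    int minLength;    // valid only when fitsInInt is true
};

// Sum of minRepeat * minWidth over the terms, giving up as soon as an
// intermediate value exceeds INT_MAX. Each product of two 32-bit values fits
// in 64 bits, and every accepted addend is <= INT_MAX, so the running total
// cannot wrap before it is checked.
MinLengthResult alternativeMinimumLength(const Alternative& alt) {
    const unsigned long long limit = INT_MAX;
    unsigned long long total = 0;
    for (const Term& t : alt.terms) {
        unsigned long long width = static_cast<unsigned long long>(t.minRepeat) * t.minWidth;
        if (width > limit)
            return {false, 0};
        total += width;
        if (total > limit)
            return {false, 0};
    }
    return {true, static_cast<int>(total)};
}

struct Pattern {
    std::vector<Alternative> alternatives;
    bool containsUnsignedLengthPattern = false;   // set when any alternative overflows
    int minimumLength = 0;                         // smallest representable alternative minimum
};

// Visit every alternative; flag the pattern if any minimum length is not
// representable, and keep the smallest one that is (0 if none is).
void computeMinimumLengths(Pattern& p) {
    p.containsUnsignedLengthPattern = false;
    bool haveRepresentable = false;
    int best = INT_MAX;
    for (const Alternative& alt : p.alternatives) {
        MinLengthResult r = alternativeMinimumLength(alt);
        if (!r.fitsInInt) {
            p.containsUnsignedLengthPattern = true;
            continue;
        }
        haveRepresentable = true;
        if (r.minLength < best)
            best = r.minLength;
    }
    p.minimumLength = haveRepresentable ? best : 0;
}

enum class Backend { JIT, Interpreter };

// The decision the entry describes for RegExp::compile(): a pattern with an
// unrepresentable minimum length is matched by the interpreter, not the JIT.
Backend chooseBackend(const Pattern& p) {
    return p.containsUnsignedLengthPattern ? Backend::Interpreter : Backend::JIT;
}
```

The check is deliberately performed on each intermediate value rather than on the final sum: once a single term's width is already past the limit, continuing to add would only risk wrapping the 64-bit accumulator on a long alternative.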
2014-05-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSDOMWindow should not claim HasImpureGetOwnPropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=132918

        Reviewed by Geoffrey Garen.

        * jit/Repatch.cpp:
        (JSC::tryRepatchIn): We forgot to check for watchpoints when repatching "in".

2014-05-15  Alex Christensen  <achristensen@webkit.org>

        Add pointer lock to features without enabling it.
        https://bugs.webkit.org/show_bug.cgi?id=132961

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:
        Added ENABLE_POINTER_LOCK to list of features.

2014-05-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        Inline caching for proxies clobbers baseGPR too early
        https://bugs.webkit.org/show_bug.cgi?id=132916

        Reviewed by Filip Pizlo.

        We clobber baseGPR prior to the Structure checks, so if any of the checks fail then the slow path
        gets the target of the proxy rather than the proxy itself. We need to delay the clobbering of baseGPR
        until we know the inline cache is going to succeed.

        * jit/Repatch.cpp:
        (JSC::generateByIdStub):

2014-05-14  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed build fix.

        * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: This solution
        was missing commands to build LLInt portions of JSC.
        * llint/LLIntData.cpp: 64-bit build fix.

2014-05-14  Martin Hodovan  <mhodovan.u-szeged@partner.samsung.com>

        ARM Traditional buildfix after r168776.
        https://bugs.webkit.org/show_bug.cgi?id=132903

        Reviewed by Darin Adler.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::abortWithReason): Added.

2014-05-14  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>

        Remove CSS_STICKY_POSITION guards
        https://bugs.webkit.org/show_bug.cgi?id=132676

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2014-05-13  Filip Pizlo  <fpizlo@apple.com>

        JIT breakpoints should be more informative
        https://bugs.webkit.org/show_bug.cgi?id=132882

        Reviewed by Oliver Hunt.

        Introduce the notion of an AbortReason, which is a nice enumeration of coded assertion
        failure names. This means that all you need to figure out why the JIT SIGTRAP'd is to look
        at that platform's abort reason register (r11 on X86-64 for example).

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbortReason.h: Added.
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::abortWithReason):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::abortWithReason):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::abortWithReason):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::abortWithReason):
        * dfg/DFGSlowPathGenerator.h:
        (JSC::DFG::SlowPathGenerator::generate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::bail):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrEntryThunkGenerator):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::jitAssertIsInt32):
        (JSC::AssemblyHelpers::jitAssertIsJSInt32):
        (JSC::AssemblyHelpers::jitAssertIsJSNumber):
        (JSC::AssemblyHelpers::jitAssertIsJSDouble):
        (JSC::AssemblyHelpers::jitAssertIsCell):
        (JSC::AssemblyHelpers::jitAssertTagsInPlace):
        (JSC::AssemblyHelpers::jitAssertHasValidCallFrame):
        (JSC::AssemblyHelpers::jitAssertIsNull):
        (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::checkStackPointerAlignment):
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): Deleted.
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitSlow_op_div):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::compileGetDirectOffset):
        (JSC::JIT::addStructureTransitionCheck): Deleted.
        (JSC::JIT::testPrototype): Deleted.
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::compileGetDirectOffset):
        * jit/RegisterPreservationWrapperGenerator.cpp:
        (JSC::generateRegisterRestoration):
        * jit/Repatch.cpp:
        (JSC::addStructureTransitionCheck):
        (JSC::linkClosureCall):
        * jit/ThunkGenerators.cpp:
        (JSC::emitPointerValidation):
        (JSC::nativeForGenerator):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generate):

2014-05-13  peavo@outlook.com  <peavo@outlook.com>

        [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
        https://bugs.webkit.org/show_bug.cgi?id=132772

        Reviewed by Geoffrey Garen.

        Using the MSVC compiler, an instance of an enum type with value zero is compatible with void* (see bug 132683 for a code example).
        This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
        This patch tries to prevent these types of crashes by using a type with explicit constructors instead of void*.
        The void* parameter in the loadDouble and storeDouble methods is replaced with TrustedImmPtr.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::loadDouble):
        (JSC::MacroAssemblerARM::storeDouble):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::loadDouble):
        (JSC::MacroAssemblerARM64::storeDouble):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::loadDouble):
        (JSC::MacroAssemblerARMv7::storeDouble):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::loadDouble):
        (JSC::MacroAssemblerMIPS::storeDouble):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::loadDouble):
        (JSC::MacroAssemblerSH4::storeDouble):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::storeDouble):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::absDouble):
        (JSC::MacroAssemblerX86Common::negateDouble):
        (JSC::MacroAssemblerX86Common::loadDouble):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::compileClampDoubleToByte):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::purifyNaN):
        * jit/JITInlines.h:
        (JSC::JIT::emitLoadDouble):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        * jit/ThunkGenerators.cpp:
        (JSC::floorThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::powThunkGenerator):

2014-05-12  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r168642.
        https://bugs.webkit.org/show_bug.cgi?id=132839

        Broke ARM build (Requested by jpfau on #webkit).

        Reverted changeset:

        "[Win] Enum type with value zero is compatible with void*,
        potential cause of crashes."
        https://bugs.webkit.org/show_bug.cgi?id=132772
        http://trac.webkit.org/changeset/168642

2014-05-12  peavo@outlook.com  <peavo@outlook.com>

        [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
        https://bugs.webkit.org/show_bug.cgi?id=132772

        Reviewed by Geoffrey Garen.

        Using the MSVC compiler, an instance of an enum type with value zero is compatible with void* (see bug 132683 for a code example).
        This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
        This patch tries to prevent these types of crashes by using a type with explicit constructors instead of void*.
        The void* parameter in the loadDouble and storeDouble methods is replaced with TrustedImmPtr.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::loadDouble):
        (JSC::MacroAssemblerARM::storeDouble):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::loadDouble):
        (JSC::MacroAssemblerARM64::storeDouble):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::loadDouble):
        (JSC::MacroAssemblerARMv7::storeDouble):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::loadDouble):
        (JSC::MacroAssemblerMIPS::storeDouble):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::loadDouble):
        (JSC::MacroAssemblerSH4::storeDouble):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::storeDouble):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::absDouble):
        (JSC::MacroAssemblerX86Common::negateDouble):
        (JSC::MacroAssemblerX86Common::loadDouble):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::compileClampDoubleToByte):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::purifyNaN):
        * jit/JITInlines.h:
        (JSC::JIT::emitLoadDouble):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        * jit/ThunkGenerators.cpp:
        (JSC::floorThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::powThunkGenerator):

2014-05-12  Andreas Kling  <akling@apple.com>

        0.4% of PLT3 in JSCell::structure() below JSObject::visitChildren().
        <https://webkit.org/b/132828>
        <rdar://problem/16886285>

        Reviewed by Michael Saboff.

        * runtime/JSObject.cpp:
        (JSC::JSObject::visitButterfly):
        (JSC::JSObject::visitChildren):

            Use JSCell::structure(VM&) to reduce the number of hoops we jump
            through to find Structures during marking.

2014-05-12  László Langó  <llango.u-szeged@partner.samsung.com>

        [cmake] Add missing FTL source files to the build system.

        Reviewed by Csaba Osztrogonác.

        * CMakeLists.txt:

2014-05-09  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Allow Remote Inspector to entitlement check UIProcess through WebProcess
        https://bugs.webkit.org/show_bug.cgi?id=132409

        Reviewed by Timothy Hatcher.

        Proxy applications are applications which hold WebViews for other
        applications. The WebProcess (Web Content Service) is a proxy application.
        For legacy reasons we were supporting a scenario where proxy applications
        could potentially host WebViews for more than one other application. That
        was never the case for WebProcess and it is now a scenario we don't need
        to worry about supporting.

        With this change, a proxy application more naturally only holds WebViews
        for a single parent / host application. The proxy process can set the
        parent pid / audit_token data on the RemoteInspector singleton, and
        that data will be sent on to webinspectord later on to be validated.
        In the WebProcess<->UIProcess relationship that information is known
        and set immediately. In the Legacy iOS case that information is set
        soon after, but not immediately known at the point the WebView is created.

        This allows us to simplify the RemoteInspectorDebuggable interface.
        We no longer need a pid per-Debuggable.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::setParentProcessInformation):
        (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
        (Inspector::RemoteInspector::listingForDebuggable):
        (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
        Handle new proxy application setup message, and provide an API
        for a proxy application to set the parent process information.

        * inspector/remote/RemoteInspectorConstants.h:
        New setup and response message for proxy applications to pass
        their parent / host application information to webinspectord.

        * inspector/remote/RemoteInspectorDebuggable.cpp:
        (Inspector::RemoteInspectorDebuggable::info):
        * inspector/remote/RemoteInspectorDebuggable.h:
        (Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo):
        (Inspector::RemoteInspectorDebuggableInfo::hasParentProcess): Deleted.
        pid per debuggable is no longer needed.

2014-05-09  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSDOMWindow should disable property caching after a certain point
        https://bugs.webkit.org/show_bug.cgi?id=132751

        Reviewed by Filip Pizlo.

        This is part of removing HasImpureGetOwnPropertySlot from JSDOMWindow. After the lookup in the static
        hash table for JSDOMWindow fails we want to disable property caching even if the code that follows thinks
        that it has provided a cacheable value.

        * runtime/PropertySlot.h:
        (JSC::PropertySlot::PropertySlot):
        (JSC::PropertySlot::isCacheable):
        (JSC::PropertySlot::disableCaching):

2014-05-09  Andreas Kling  <akling@apple.com>

        8.8% spent in Object.prototype.hasOwnProperty() on sbperftest.
        <https://webkit.org/b/132749>

        Leverage the fast-resolve-to-AtomicString optimization for JSRopeString
        in Object.prototype.* by using JSString::toIdentifier() in the cases where
        we are converting JSString -> String -> Identifier.

        This brings time spent in hasOwnProperty() from 8.8% to 1.3% on
        "The Great HTML5 Gaming Performance Test: 2014 edition"
        <http://www.scirra.com/demos/c2/sbperftest/>

        Reviewed by Oliver Hunt.

        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncHasOwnProperty):
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):

2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSDOMWindow should have a WatchpointSet to fire on window close
        https://bugs.webkit.org/show_bug.cgi?id=132721

        Reviewed by Filip Pizlo.

        This patch allows us to reset the inline caches that assumed they could skip
        the first part of JSDOMWindow::getOwnPropertySlot that checks if the window has
        been closed. This is part of getting rid of HasImpureGetOwnPropertySlot on JSDOMWindow.

        PropertySlot now accepts a WatchpointSet which the inline cache code can look for
        to see if it should create a new Watchpoint for that particular inline cache site.

        * bytecode/Watchpoint.h:
        * jit/Repatch.cpp:
        (JSC::generateByIdStub):
        (JSC::tryBuildGetByIDList):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::PropertySlot):
        (JSC::PropertySlot::watchpointSet):
        (JSC::PropertySlot::setWatchpointSet):

2014-05-09  Tanay C  <tanay.c@samsung.com>

        Fix build warning (uninitialized variable) in DFGFixupPhase.cpp
        https://bugs.webkit.org/show_bug.cgi?id=132331

        Reviewed by Darin Adler.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):

2014-05-09  peavo@outlook.com  <peavo@outlook.com>

        [Win] Crash when enabling DFG JIT.
        https://bugs.webkit.org/show_bug.cgi?id=132683

        Reviewed by Geoffrey Garen.

        On Windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0),
        results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
        where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
        This causes the register to be written to address 0, hence the crash.

        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit): Ditto.

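The three entries for bug 132683 and bug 132772 (the 2014-05-09 crash description just above, and the identical 2014-05-12 and 2014-05-13 entries for the TrustedImmPtr change) describe one hardening pattern: replace a raw `const void*` address parameter with a wrapper type whose constructor is `explicit`, so that an enumerator whose value happens to be zero can no longer be accepted as a null pointer argument. The C++ below is an added illustration of that pattern and is not WebKit's code: `RegisterID`, `Op`, `ToyAssembler`, `DemoResult` and `runDemo` are constructed for this example, and only the names `TrustedImmPtr` and `storeDouble` echo the entries.

```cpp
#include <type_traits>
#include <vector>

// Constructed toy model (not WebKit code). The names TrustedImmPtr and
// storeDouble echo the ChangeLog entries; everything else is invented here.

enum RegisterID { eax = 0, ecx = 1, edx = 2 };   // regT0-style: the first register is zero

// Strong address operand. The explicit constructor is the fix: a caller has to
// write TrustedImmPtr(ptr), so an enumerator with value zero can no longer be
// picked up as a null pointer constant by a `const void*` parameter.
struct TrustedImmPtr {
    explicit TrustedImmPtr(const void* p) : value(p) {}
    const void* value;
};

// Holds on every compiler, independent of how it treats enum zero -> pointer:
// RegisterID does not implicitly convert to the wrapper.
static_assert(!std::is_convertible<RegisterID, TrustedImmPtr>::value,
              "RegisterID must not silently become an address operand");

// Record of one emitted "instruction" so the chosen overload is observable.
struct Op {
    bool absolute;   // true: store to an absolute address; false: register-relative
    int reg;         // base register for register-relative stores, -1 otherwise
    double value;
};

struct ToyAssembler {
    std::vector<Op> ops;

    // Register-relative form: the enumerator is a register number, nothing else.
    void storeDouble(double v, RegisterID base) {
        ops.push_back({false, static_cast<int>(base), v});
    }

    // Absolute form. Before the fix this parameter was `const void* address`;
    // the 2014-05-09 entry (bug 132683) describes an MSVC build resolving
    // storeDouble(..., GPRInfo::regT0) to it and writing through address 0.
    void storeDouble(double v, TrustedImmPtr address) {
        *static_cast<double*>(const_cast<void*>(address.value)) = v;
        ops.push_back({true, -1, v});
    }
};

struct DemoResult {
    double slot;          // what the absolute store wrote
    std::vector<Op> ops;  // what was emitted, in order
};

// Exercise both overloads on constructed input.
DemoResult runDemo() {
    double slot = 0.0;
    ToyAssembler masm;
    masm.storeDouble(1.5, eax);                   // register overload: eax is 0, but it is a register
    masm.storeDouble(2.5, TrustedImmPtr(&slot));  // absolute overload has to be spelled out
    return {slot, masm.ops};
}
```

The `static_assert` is the part worth keeping in real code: it documents the invariant the wrapper exists for and fails the build, rather than crashing at run time, if someone later adds an implicit constructor.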
2014-05-09  Martin Hodovan  <mhodovan.u-szeged@partner.samsung.com>

        REGRESSION(r167094): JSC crashes on ARM Traditional
        https://bugs.webkit.org/show_bug.cgi?id=132738

        Reviewed by Zoltan Herczeg.

        PC is two instructions ahead of the current instruction
        on ARM Traditional, so the distance is 8 bytes not 2.

        * llint/LowLevelInterpreter.asm:

2014-05-09  Alberto Garcia  <berto@igalia.com>

        jsmin.py license header confusing, mentions non-free license
        https://bugs.webkit.org/show_bug.cgi?id=123665

        Reviewed by Darin Adler.

        Pull the most recent version from upstream, which has a clear
        license.

        * inspector/scripts/jsmin.py:

2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        Base case for get-by-id inline cache doesn't check for HasImpureGetOwnPropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=132695

        Reviewed by Filip Pizlo.

        We check in the case where we're accessing something other than the base object (e.g. the prototype),
        but we fail to do so for the base object.

        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        * jsc.cpp: Added some infrastructure to support this test. We don't currently trigger this bug anywhere in WebKit
        because all of the values that are returned that could be impure are set to uncacheable anyways.
        (WTF::ImpureGetter::ImpureGetter):
        (WTF::ImpureGetter::createStructure):
        (WTF::ImpureGetter::create):
        (WTF::ImpureGetter::finishCreation):
        (WTF::ImpureGetter::getOwnPropertySlot):
        (WTF::ImpureGetter::visitChildren):
        (WTF::ImpureGetter::setDelegate):
        (GlobalObject::finishCreation):
        (functionCreateImpureGetter):
        (functionSetImpureGetterDelegate):
        * tests/stress/impure-get-own-property-slot-inline-cache.js: Added.
        (foo):

2014-05-08  Filip Pizlo  <fpizlo@apple.com>

        deleteAllCompiledCode() shouldn't use the suspension worklist
        https://bugs.webkit.org/show_bug.cgi?id=132708

        Reviewed by Mark Hahnenberg.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::isStillValid):
        * heap/Heap.cpp:
        (JSC::Heap::deleteAllCompiledCode):

2014-05-08  Filip Pizlo  <fpizlo@apple.com>

        SSA conversion should delete PhantomLocals for captured variables
784         https://bugs.webkit.org/show_bug.cgi?id=132693
785
786         Reviewed by Mark Hahnenberg.
787
788         * dfg/DFGCommon.cpp:
789         (JSC::DFG::startCrashing): Parallel JIT and a JIT bug means that we man dump IR in parallel. This is the workaround. This patch uses it in all of the places where we dump IR and crash.
790         * dfg/DFGCommon.h:
791         * dfg/DFGFixupPhase.cpp:
792         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): Use the workaround.
793         * dfg/DFGLivenessAnalysisPhase.cpp:
794         (JSC::DFG::LivenessAnalysisPhase::run): Use the workaround.
795         * dfg/DFGSSAConversionPhase.cpp:
796         (JSC::DFG::SSAConversionPhase::run): Fix the bug - it's true that PhantomLocal for captured variables doesn't need anything done to it, but it's wrong that we didn't delete it outright.
797         * dfg/DFGValidate.cpp: Use the workaround.
798         * tests/stress/phantom-local-captured-but-not-flushed-to-ssa.js: Added.
799         (foo):
800         (bar):
801
802 2014-05-07  Commit Queue  <commit-queue@webkit.org>
803
804         Unreviewed, rolling out r168451.
805         https://bugs.webkit.org/show_bug.cgi?id=132670
806
807         Not a speed-up, just do what other compilers do. (Requested by
808         kling on #webkit).
809
810         Reverted changeset:
811
812         "[X86] Emit BT instruction for single-bit tests."
813         https://bugs.webkit.org/show_bug.cgi?id=132650
814         http://trac.webkit.org/changeset/168451
815
816 2014-05-07  Filip Pizlo  <fpizlo@apple.com>
817
818         Make Executable::clearCode() actually clear all of the entrypoints, and
819         clean up some other FTL-related calling convention stuff.
820         <rdar://problem/16720172>
821
822         Rubber stamped by Mark Hahnenberg.
823
824         * dfg/DFGOperations.cpp:
825         * dfg/DFGOperations.h:
826         * dfg/DFGWorklist.cpp:
827         (JSC::DFG::Worklist::Worklist):
828         (JSC::DFG::Worklist::finishCreation):
829         (JSC::DFG::Worklist::create):
830         (JSC::DFG::ensureGlobalDFGWorklist):
831         (JSC::DFG::ensureGlobalFTLWorklist):
832         * dfg/DFGWorklist.h:
833         * heap/CodeBlockSet.cpp:
834         (JSC::CodeBlockSet::dump):
835         * heap/CodeBlockSet.h:
836         * runtime/Executable.cpp:
837         (JSC::ExecutableBase::clearCode):
838
839 2014-05-07  Andreas Kling  <akling@apple.com>
840
841         [X86] Emit BT instruction for single-bit tests.
842         <https://webkit.org/b/132650>
843
844         Implement test-bit-and-branch slightly more efficiently by using
845         BT + JC/JNC instead of TEST + JZ/JNZ when we're only testing for
846         a single bit.
847
848         Reviewed by Michael Saboff.
849
850         * assembler/MacroAssemblerX86Common.h:
851         (JSC::MacroAssemblerX86Common::singleBitIndex):
852         (JSC::MacroAssemblerX86Common::branchTest32):
853         * assembler/X86Assembler.h:
854         (JSC::X86Assembler::bt_i8r):
855         (JSC::X86Assembler::bt_i8m):
856
857 2014-05-07  Mark Lam  <mark.lam@apple.com>
858
859         REGRESSION(r166678): Dromaeo/cssquery-dojo.html crashes regularly.
860         <https://webkit.org/b/131356>
861
862         Reviewed by Geoffrey Garen.
863
864         The issue is that GC needs to be made aware of writes to m_inferredValue
865         in the VariableWatchpointSet, but was not.  As a result, if a JSCell*
866         is written to a VariableWatchpointSet m_inferredValue, and that JSCell
867         does not survive an eden GC shortly after, we will end up with a stale
868         JSCell pointer left in the m_inferredValue.
869
870         This issue can be detected more easily by running Dromaeo/cssquery-dojo.html
871         using DumpRenderTree with the VM heap in zombie mode.
872
873         The fix is to change VariableWatchpointSet m_inferredValue to type
874         WriteBarrier<Unknown> and ensure that VariableWatchpointSet::notifyWrite()
875         is executed by all the execution engines so that the WriteBarrier semantics
876         are honored.
877
878         We still check if the value to be written is the same as the one in the
879         inferredValue.  We'll by-pass calling the slow path notifyWrite() if the
880         values are the same.        
881
882         * JavaScriptCore.xcodeproj/project.pbxproj:
883         * bytecode/CodeBlock.cpp:
884         (JSC::CodeBlock::CodeBlock):
885         - need to pass the symbolTable to prepareToWatch() because it will be needed
886           for instantiating the VariableWatchpointSet in prepareToWatch().
887
888         * bytecode/VariableWatchpointSet.h:
889         (JSC::VariableWatchpointSet::VariableWatchpointSet):
890         - VariableWatchpointSet now tracks its owner symbol table for its m_inferredValue
891           write barrier, and yes, m_inferredValue is now of type WriteBarrier<Unknown>.
892         (JSC::VariableWatchpointSet::inferredValue):
893         (JSC::VariableWatchpointSet::invalidate):
894         (JSC::VariableWatchpointSet::finalizeUnconditionally):
895         (JSC::VariableWatchpointSet::addressOfInferredValue):
896         (JSC::VariableWatchpointSet::notifyWrite): Deleted.
897         * bytecode/VariableWatchpointSetInlines.h: Added.
898         (JSC::VariableWatchpointSet::notifyWrite):
899
900         * dfg/DFGByteCodeParser.cpp:
901         (JSC::DFG::ByteCodeParser::cellConstant):
902         - Added an assert in case we try to make constants of zombified JSCells again.
903
904         * dfg/DFGOperations.cpp:
905         * dfg/DFGOperations.h:
906         * dfg/DFGSpeculativeJIT.h:
907         (JSC::DFG::SpeculativeJIT::callOperation):
908         * dfg/DFGSpeculativeJIT32_64.cpp:
909         (JSC::DFG::SpeculativeJIT::compile):
910         * dfg/DFGSpeculativeJIT64.cpp:
911         (JSC::DFG::SpeculativeJIT::compile):
912         - We now let the slow path handle the cases when the VariableWatchpointSet is
913           in state ClearWatchpoint and IsWatched, and the slow path will ensure that
914           we handle the needed write barrier semantics correctly.
915           We will by-pass the slow path if the value being written is the same as the
916           inferred value.
917
918         * ftl/FTLIntrinsicRepository.h:
919         * ftl/FTLLowerDFGToLLVM.cpp:
920         (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
921         - Let the slow path handle the cases when the VariableWatchpointSet is
922           in state ClearWatchpoint and IsWatched.
923           We will by-pass the slow path if the value being written is the same as the
924           inferred value.
925
926         * heap/Heap.cpp:
927         (JSC::Zombify::operator()):
928         - Use a different value for the zombified bits (to distinguish it from 0xbbadbeef
929           which is used everywhere else).
930         * heap/Heap.h:
931         (JSC::Heap::isZombified):
932         - Provide a convenience test function to check if JSCells are zombified.  This is
933           currently only used in an assertion in the DFG bytecode parser, but the intent
934           it that we'll apply this test in other strategic places later to help with early
935           detection of usage of GC'ed objects when we run in zombie mode.
936
937         * jit/JITOpcodes.cpp:
938         (JSC::JIT::emitSlow_op_captured_mov):
939         * jit/JITOperations.h:
940         * jit/JITPropertyAccess.cpp:
941         (JSC::JIT::emitNotifyWrite):
942         * jit/JITPropertyAccess32_64.cpp:
943         (JSC::JIT::emitNotifyWrite):
944         (JSC::JIT::emitSlow_op_put_to_scope):
945         - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
946           is in state ClearWatchpoint and IsWatched.
947           We will by-pass the slow path if the value being written is the same as the
948           inferred value.
949         
950         * llint/LowLevelInterpreter32_64.asm:
951         * llint/LowLevelInterpreter64.asm:
952         - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
953           is in state ClearWatchpoint and IsWatched.
954           We will by-pass the slow path if the value being written is the same as the
955           inferred value.
956         
957         * runtime/CommonSlowPaths.cpp:
958
959         * runtime/JSCJSValue.h: Fixed some typos in the comments.
960         * runtime/JSGlobalObject.cpp:
961         (JSC::JSGlobalObject::addGlobalVar):
962         (JSC::JSGlobalObject::addFunction):
963         * runtime/JSSymbolTableObject.h:
964         (JSC::symbolTablePut):
965         (JSC::symbolTablePutWithAttributes):
966         * runtime/SymbolTable.cpp:
967         (JSC::SymbolTableEntry::prepareToWatch):
968         (JSC::SymbolTableEntry::notifyWriteSlow):
969         * runtime/SymbolTable.h:
970         (JSC::SymbolTableEntry::notifyWrite):
971
972 2014-05-06  Michael Saboff  <msaboff@apple.com>
973
974         Unreviewd build fix for C-LOOP after r168396.
975
976         * runtime/TestRunnerUtils.cpp:
977         (JSC::optimizeNextInvocation): Wrapped actual call inside #if ENABLE(JIT)
978
979 2014-05-06  Michael Saboff  <msaboff@apple.com>
980
981         Add test for deleteAllCompiledCode
982         https://bugs.webkit.org/show_bug.cgi?id=132632
983
984         Reviewed by Phil Pizlo.
985
986         Added two new hooks to jsc, one to call Heap::deleteAllCompiledCode() and
987         the other to call CodeBlock::optimizeNextInvocation().  Used these two hooks
988         to write a test that will queue up loads of DFG compiles and then call
989         Heap::deleteAllCompiledCode() to make sure that it can handle compiled
990         code as well as code being compiled.
991
992         * jsc.cpp:
993         (GlobalObject::finishCreation):
994         (functionDeleteAllCompiledCode):
995         (functionOptimizeNextInvocation):
996         * runtime/TestRunnerUtils.cpp:
997         (JSC::optimizeNextInvocation):
998         * runtime/TestRunnerUtils.h:
999         * tests/stress/deleteAllCompiledCode.js: Added.
1000         (functionList):
1001         (runTest):
1002
1003 2014-05-06  Andreas Kling  <akling@apple.com>
1004
1005         JSString::toAtomicString() should return AtomicString.
1006         <https://webkit.org/b/132627>
1007
1008         Remove premature optimization where I was trying to avoid refcount
1009         churn when returning an already atomicized String.
1010
1011         Instead of using reinterpret_cast to mangle the String member into
1012         a const AtomicString& return value, just return AtomicString.
1013
1014         Reviewed by Geoff Garen.
1015
1016         * runtime/JSString.h:
1017         (JSC::JSString::toAtomicString):
1018
1019 2014-05-06  Mark Hahnenberg  <mhahnenberg@apple.com>
1020
1021         Roll out r167889
1022
1023         Rubber stamped by Geoff Garen.
1024
1025         It broke some websites.
1026
1027         * runtime/JSPropertyNameIterator.cpp:
1028         (JSC::JSPropertyNameIterator::create):
1029         * runtime/PropertyMapHashTable.h:
1030         (JSC::PropertyTable::hasDeletedOffset):
1031         (JSC::PropertyTable::hadDeletedOffset): Deleted.
1032         * runtime/Structure.cpp:
1033         (JSC::Structure::Structure):
1034         (JSC::Structure::materializePropertyMap):
1035         (JSC::Structure::removePropertyTransition):
1036         (JSC::Structure::changePrototypeTransition):
1037         (JSC::Structure::despecifyFunctionTransition):
1038         (JSC::Structure::attributeChangeTransition):
1039         (JSC::Structure::toDictionaryTransition):
1040         (JSC::Structure::preventExtensionsTransition):
1041         (JSC::Structure::addPropertyWithoutTransition):
1042         (JSC::Structure::removePropertyWithoutTransition):
1043         (JSC::Structure::pin):
1044         (JSC::Structure::pinAndPreventTransitions): Deleted.
1045         * runtime/Structure.h:
1046         * runtime/StructureInlines.h:
1047         (JSC::Structure::setEnumerationCache):
1048         (JSC::Structure::propertyTable):
1049         (JSC::Structure::checkOffsetConsistency):
1050         (JSC::Structure::hadDeletedOffsets): Deleted.
1051         * tests/stress/for-in-after-delete.js:
1052         (foo): Deleted.
1053
1054 2014-05-05  Andreas Kling  <akling@apple.com>
1055
1056         Fix debug build.
1057
1058         * runtime/JSCellInlines.h:
1059         (JSC::JSCell::fastGetOwnProperty):
1060
1061 2014-05-05  Andreas Kling  <akling@apple.com>
1062
1063         Optimize GetByVal when subscript is a rope string.
1064         <https://webkit.org/b/132590>
1065
1066         Use JSString::toIdentifier() in the various GetByVal implementations
1067         to try and avoid allocating extra strings.
1068
1069         Added canUseFastGetOwnProperty() and wrap calls to fastGetOwnProperty()
1070         in that, to avoid calling JSString::value() which always resolves ropes
1071         into new strings and de-optimizes subsequent toIdentifier() calls.
1072
1073         My iMac says ~9% progression on Dromaeo/dom-attr.html
1074
1075         Reviewed by Phil Pizlo.
1076
1077         * dfg/DFGOperations.cpp:
1078         * jit/JITOperations.cpp:
1079         (JSC::getByVal):
1080         * llint/LLIntSlowPaths.cpp:
1081         (JSC::LLInt::getByVal):
1082         * runtime/JSCell.h:
1083         * runtime/JSCellInlines.h:
1084         (JSC::JSCell::fastGetOwnProperty):
1085         (JSC::JSCell::canUseFastGetOwnProperty):
1086
1087 2014-05-05  Andreas Kling  <akling@apple.com>
1088
1089         REGRESSION (r168256): ASSERTION FAILED: (buffer + m_length) == position loading vanityfair.com article.
1090         <https://webkit.org/b/168256>
1091         <rdar://problem/16816316>
1092
1093         Make resolveRopeSlowCase8() behave like its 16-bit counterpart and not
1094         clear the fibers. The caller takes care of this.
1095
1096         Test: fast/dom/getElementById-with-rope-string-arg.html
1097
1098         Reviewed by Geoffrey Garen.
1099
1100         * runtime/JSString.cpp:
1101         (JSC::JSRopeString::resolveRopeSlowCase8):
1102
1103 2014-05-05  Michael Saboff  <msaboff@apple.com>
1104
1105         REGRESSION: RELEASE_ASSERT in CodeBlock::baselineVersion @ cnn.com
1106         https://bugs.webkit.org/show_bug.cgi?id=132581
1107
1108         Reviewed by Filip Pizlo.
1109
1110         * dfg/DFGPlan.cpp:
1111         (JSC::DFG::Plan::isStillValid): Check that the alternative codeBlock we
1112         started compiling for is still the same at the end of compilation.
1113         Also did some minor restructuring.
1114
1115 2014-05-05  Andreas Kling  <akling@apple.com>
1116
1117         Optimize PutByVal when subscript is a rope string.
1118         <https://webkit.org/b/132572>
1119
1120         Add a JSString::toIdentifier() that is smarter when the JSString is
1121         really a rope string. Use this in baseline & DFG's PutByVal to avoid
1122         allocating new StringImpls that we immediately deduplicate anyway.
1123
1124         Reviewed by Antti Koivisto.
1125
1126         * dfg/DFGOperations.cpp:
1127         (JSC::DFG::operationPutByValInternal):
1128         * jit/JITOperations.cpp:
1129         * runtime/JSString.h:
1130         (JSC::JSString::toIdentifier):
1131
1132 2014-05-05  Andreas Kling  <akling@apple.com>
1133
1134         Remove two now-incorrect assertions after r168256.
1135
1136         * runtime/JSString.cpp:
1137         (JSC::JSRopeString::resolveRopeSlowCase8):
1138         (JSC::JSRopeString::resolveRopeSlowCase):
1139
1140 2014-05-04  Andreas Kling  <akling@apple.com>
1141
1142         Optimize JSRopeString for resolving directly to AtomicString.
1143         <https://webkit.org/b/132548>
1144
1145         If we know that the JSRopeString we are resolving is going to be used
1146         as an AtomicString, we can try to avoid creating a new string.
1147
1148         We do this by first resolving the rope into a stack buffer, and using
1149         that buffer as a key into the AtomicString table. If there is already
1150         an AtomicString with the same characters, we reuse that instead of
1151         constructing a new StringImpl.
1152
1153         JSString gains these two public functions:
1154
1155         - AtomicString toAtomicString()
1156
1157             Returns an AtomicString, tries to avoid allocating a new string
1158             if possible.
1159
1160         - AtomicStringImpl* toExistingAtomicString()
1161
1162             Returns a non-null AtomicStringImpl* if one already exists in the
1163             AtomicString table. If none is found, the rope is left unresolved.
1164
1165         Reviewed by Filip Pizlo.
1166
1167         * runtime/JSString.cpp:
1168         (JSC::JSRopeString::resolveRopeInternal8):
1169         (JSC::JSRopeString::resolveRopeInternal16):
1170         (JSC::JSRopeString::resolveRopeToAtomicString):
1171         (JSC::JSRopeString::clearFibers):
1172         (JSC::JSRopeString::resolveRopeToExistingAtomicString):
1173         (JSC::JSRopeString::resolveRope):
1174         (JSC::JSRopeString::outOfMemory):
1175         * runtime/JSString.h:
1176         (JSC::JSString::toAtomicString):
1177         (JSC::JSString::toExistingAtomicString):
1178
1179 2014-05-04  Andreas Kling  <akling@apple.com>
1180
1181         Unreviewed, rolling out r168254.
1182
1183         Very crashy on debug JSC tests.
1184
1185         Reverted changeset:
1186
1187         "jsSubstring() should be lazy"
1188         https://bugs.webkit.org/show_bug.cgi?id=132556
1189         http://trac.webkit.org/changeset/168254
1190
1191 2014-05-04  Filip Pizlo  <fpizlo@apple.com>
1192
1193         jsSubstring() should be lazy
1194         https://bugs.webkit.org/show_bug.cgi?id=132556
1195
1196         Reviewed by Andreas Kling.
1197         
1198         jsSubstring() is now lazy by using a special rope that is a substring instead of a
1199         concatenation. To make this patch super simple, we require that a substring's base is
1200         never a rope. Hence, when resolving a rope, we either go down a non-recursive substring
1201         path, or we go down a concatenation path which may see exactly one level of substrings in
1202         its fibers.
1203         
1204         This is up to a 50% speed-up on microbenchmarks and a 10% speed-up on Octane/regexp.
1205
1206         * heap/MarkedBlock.cpp:
1207         (JSC::MarkedBlock::specializedSweep):
1208         * runtime/JSString.cpp:
1209         (JSC::JSRopeString::visitFibers):
1210         (JSC::JSRopeString::resolveRope):
1211         (JSC::JSRopeString::resolveRopeSlowCase8):
1212         (JSC::JSRopeString::resolveRopeSlowCase):
1213         (JSC::JSRopeString::outOfMemory):
1214         * runtime/JSString.h:
1215         (JSC::JSRopeString::finishCreation):
1216         (JSC::JSRopeString::append):
1217         (JSC::JSRopeString::create):
1218         (JSC::JSRopeString::offsetOfFibers):
1219         (JSC::JSRopeString::fiber):
1220         (JSC::JSRopeString::substringBase):
1221         (JSC::JSRopeString::substringOffset):
1222         (JSC::JSRopeString::substringSentinel):
1223         (JSC::JSRopeString::isSubstring):
1224         (JSC::jsSubstring):
1225         * runtime/RegExpMatchesArray.cpp:
1226         (JSC::RegExpMatchesArray::reifyAllProperties):
1227         * runtime/StringPrototype.cpp:
1228         (JSC::stringProtoFuncSubstring):
1229
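The lazy-substring rope design described in the jsSubstring() entry above, as an added illustration that is not part of this ChangeLog or of JSC's JSRopeString: the node layout and the names `LazyString`, `makeFlat`, `resolve`, `concat`, `jsSubstring`, `value` and the `g_materialisations` copy counter are invented for this example. It enforces the entry's invariant (a substring's base is never a rope) and lets the caller observe that no characters are copied until a rope is resolved.

```cpp
#include <algorithm>
#include <cassert>
#include <memory>
#include <string>
#include <vector>

// Toy rope: a node is Flat (resolved characters), a Substring of a Flat base,
// or a Concat of fibers. Because a substring's base is always Flat, resolving a
// substring never recurses; resolving a concatenation may see substrings among
// its fibers, but only one level deep. (Illustration only, not JSC code.)
struct LazyString {
    enum Kind { Flat, Substring, Concat } kind = Flat;
    std::string flat;                                   // Flat only
    std::shared_ptr<LazyString> base;                   // Substring only; always Flat
    size_t offset = 0, length = 0;                      // Substring only
    std::vector<std::shared_ptr<LazyString>> fibers;    // Concat only
};

// Counts how many times characters were actually copied, so callers can check laziness.
static int g_materialisations = 0;

std::shared_ptr<LazyString> makeFlat(std::string s) {
    auto node = std::make_shared<LazyString>();
    node->flat = std::move(s);
    return node;
}

// Resolve in place: afterwards the node is Flat and its base/fibers are released
// (the analogue of clearing the fibers after resolution).
void resolve(LazyString& node) {
    if (node.kind == LazyString::Flat)
        return;
    std::string out;
    if (node.kind == LazyString::Substring) {
        assert(node.base->kind == LazyString::Flat);  // invariant: the base is never a rope
        out = node.base->flat.substr(node.offset, node.length);
        node.base.reset();
    } else {
        for (auto& fiber : node.fibers) {
            resolve(*fiber);  // fiber is Flat, a one-level Substring, or a nested Concat
            out += fiber->flat;
        }
        node.fibers.clear();
    }
    ++g_materialisations;
    node.flat = std::move(out);
    node.kind = LazyString::Flat;
}

// Concatenation is lazy too: the fibers are kept as-is, substrings included.
std::shared_ptr<LazyString> concat(std::shared_ptr<LazyString> a, std::shared_ptr<LazyString> b) {
    auto node = std::make_shared<LazyString>();
    node->kind = LazyString::Concat;
    node->fibers = {std::move(a), std::move(b)};
    return node;
}

// Lazy substring: no characters are copied now. If the base is itself a rope it is
// resolved first, which is what keeps the substring path non-recursive.
// Out-of-range offset/length are clamped to the base rather than read past it.
std::shared_ptr<LazyString> jsSubstring(std::shared_ptr<LazyString> base, size_t offset, size_t length) {
    resolve(*base);
    offset = std::min(offset, base->flat.size());
    length = std::min(length, base->flat.size() - offset);
    auto node = std::make_shared<LazyString>();
    node->kind = LazyString::Substring;
    node->base = std::move(base);
    node->offset = offset;
    node->length = length;
    return node;
}

// Materialise (if needed) and return the characters.
const std::string& value(LazyString& node) {
    resolve(node);
    return node.flat;
}
```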
2014-05-02  Michael Saboff  <msaboff@apple.com>

        "arm64 function not 4-byte aligned" warnings when building JSC
        https://bugs.webkit.org/show_bug.cgi?id=132495

        Reviewed by Geoffrey Garen.

        Added ".align 4" for both ARM Thumb2 and ARM 64 to silence the linker.

        * llint/LowLevelInterpreter.cpp:

2014-05-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix cloop build after r168178

        * bytecode/CodeBlock.cpp:

2014-05-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add a DFG function whitelist
        https://bugs.webkit.org/show_bug.cgi?id=132437

        Reviewed by Geoffrey Garen.

        Oftentimes when debugging, using bytecode ranges isn't enough to narrow down to the
        particular DFG block that's causing issues. This patch adds the ability to whitelist
        specific functions specified in a file to enable further filtering without having to recompile.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::isSupported):
        (JSC::DFG::mightInlineFunctionForCall):
        (JSC::DFG::mightInlineFunctionForClosureCall):
        (JSC::DFG::mightInlineFunctionForConstruct):
        * dfg/DFGFunctionWhitelist.cpp: Added.
        (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
        (JSC::DFG::FunctionWhitelist::FunctionWhitelist):
        (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
        (JSC::DFG::FunctionWhitelist::contains):
        * dfg/DFGFunctionWhitelist.h: Added.
        * runtime/Options.cpp:
        (JSC::parse):
        (JSC::Options::dumpOption):
        * runtime/Options.h:

2014-05-02  Filip Pizlo  <fpizlo@apple.com>

        DFGAbstractInterpreter should not claim Int52 arithmetic creates Int52s
        https://bugs.webkit.org/show_bug.cgi?id=132446

        Reviewed by Mark Hahnenberg.

        Basically any arithmetic operation can turn an Int52 into an Int32 or vice-versa, and
        our modeling of Int52Rep nodes is such that they can have either Int32 or Int52 type
        to indicate a bound on the value. This is useful for knowing, for example, that
        Int52Rep(Int32:) returns a value that cannot be outside the Int32 range. Also,
        ValueRep(Int52Rep:) uses this to determine whether it may return a double or an int.
        But this means that all arithmetic operations must be careful to note that they may
        turn Int32 inputs into an Int52 output or vice-versa, as these new tests show.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        * tests/stress/int52-ai-add-then-filter-int32.js: Added.
        (foo):
        * tests/stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js: Added.
        (foo):
        * tests/stress/int52-ai-mul-then-filter-int32-directly.js: Added.
        (foo):
        * tests/stress/int52-ai-mul-then-filter-int32.js: Added.
        (foo):
        * tests/stress/int52-ai-neg-then-filter-int32.js: Added.
        (foo):
        * tests/stress/int52-ai-sub-then-filter-int32.js: Added.
        (foo):

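The bound reasoning in the Int52 entry above, as an added illustration that is not part of this ChangeLog or of the DFG's abstract interpreter: `Bound`, `Range`, `boundOf` and the range arithmetic are a stand-in invented for this example. It derives each result's Int32/Int52/Double bound from the result's possible value range rather than from its inputs, so Int32 inputs can yield an Int52 result and Int52 inputs can yield an Int32 result, which is the property the entry's tests check. Range arithmetic uses `__int128` (GCC/Clang) so that products of 52-bit values do not overflow while being classified.

```cpp
#include <algorithm>
#include <cstdint>

// Representation bound an abstract value is known to satisfy (illustration only).
enum class Bound { Int32, Int52, Double };

// Inclusive range of values a node may produce; hypothetical stand-in for a DFG value range.
struct Range { int64_t lo; int64_t hi; };

constexpr int64_t kInt32Min = INT32_MIN;
constexpr int64_t kInt32Max = INT32_MAX;
constexpr int64_t kInt52Min = -(int64_t(1) << 51);
constexpr int64_t kInt52Max = (int64_t(1) << 51) - 1;

// The bound follows from the range alone: a result that fits in 32 bits is
// Int32, one that fits in 52 bits is Int52, anything wider may be a Double.
Bound boundOf(Range r) {
    if (r.lo >= kInt32Min && r.hi <= kInt32Max)
        return Bound::Int32;
    if (r.lo >= kInt52Min && r.hi <= kInt52Max)
        return Bound::Int52;
    return Bound::Double;
}

// Saturate a wide intermediate into int64; anything this large is Double anyway.
static int64_t clampToInt64(__int128 v) {
    if (v < INT64_MIN) return INT64_MIN;
    if (v > INT64_MAX) return INT64_MAX;
    return int64_t(v);
}

// Interval arithmetic; each operation computes the widest possible result range.
Range add(Range a, Range b) {
    return { clampToInt64(__int128(a.lo) + b.lo), clampToInt64(__int128(a.hi) + b.hi) };
}

Range sub(Range a, Range b) {
    return { clampToInt64(__int128(a.lo) - b.hi), clampToInt64(__int128(a.hi) - b.lo) };
}

Range neg(Range a) {
    return { clampToInt64(-__int128(a.hi)), clampToInt64(-__int128(a.lo)) };
}

Range mul(Range a, Range b) {
    __int128 c[4] = { __int128(a.lo) * b.lo, __int128(a.lo) * b.hi,
                      __int128(a.hi) * b.lo, __int128(a.hi) * b.hi };
    return { clampToInt64(*std::min_element(c, c + 4)),
             clampToInt64(*std::max_element(c, c + 4)) };
}

// Ranges used by the checks below (constructed sample values).
constexpr Range kAnyInt32 = { kInt32Min, kInt32Max };
constexpr Range kNearTwoTo40 = { int64_t(1) << 40, (int64_t(1) << 40) + 5 };
```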
1310 2014-05-01  Geoffrey Garen  <ggaren@apple.com>
1311
1312         JavaScriptCore fails to build with some versions of clang
1313         https://bugs.webkit.org/show_bug.cgi?id=132436
1314
1315         Reviewed by Anders Carlsson.
1316
1317         * runtime/ArgumentsIteratorConstructor.cpp: Since we call
1318         putDirectWithoutTransition, and it calls putWillGrowOutOfLineStorage,
1319         and both are marked inline, it's valid for the compiler to decide
1320         to inline both and emit neither in the binary. Therefore, we need
1321         both inline definitions to be available in the translation unit at
1322         compile time, or we'll try to link against a function that doesn't exist.
1323
1324 2014-05-01  Commit Queue  <commit-queue@webkit.org>
1325
1326         Unreviewed, rolling out r167964.
1327         https://bugs.webkit.org/show_bug.cgi?id=132431
1328
1329         Memory improvements should not regress memory usage (Requested
1330         by olliej on #webkit).
1331
1332         Reverted changeset:
1333
1334         "Don't hold on to parameter BindingNodes forever"
1335         https://bugs.webkit.org/show_bug.cgi?id=132360
1336         http://trac.webkit.org/changeset/167964
1337
1338 2014-05-01  Filip Pizlo  <fpizlo@apple.com>
1339
1340         Fix trivial debug-only race-that-crashes in CallLinkStatus and explain why the remaining races are totally awesome
1341         https://bugs.webkit.org/show_bug.cgi?id=132427
1342
1343         Reviewed by Mark Hahnenberg.
1344
1345         * bytecode/CallLinkStatus.cpp:
1346         (JSC::CallLinkStatus::computeFor):
1347
1348 2014-04-30  Simon Fraser  <simon.fraser@apple.com>
1349
1350         Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO
1351         https://bugs.webkit.org/show_bug.cgi?id=132396
1352
1353         Reviewed by Eric Carlson.
1354
1355         Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO and related code.
1356
1357         * Configurations/FeatureDefines.xcconfig:
1358
1359 2014-04-30  Filip Pizlo  <fpizlo@apple.com>
1360
1361         Argument flush formats should not be presumed to be JSValue since 'this' is weird
1362         https://bugs.webkit.org/show_bug.cgi?id=132404
1363
1364         Reviewed by Michael Saboff.
1365
1366         * dfg/DFGSpeculativeJIT.cpp:
1367         (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Don't assume that arguments are flushed as JSValue. Use the logic for locals instead.
1368         * dfg/DFGSpeculativeJIT32_64.cpp:
1369         (JSC::DFG::SpeculativeJIT::compile): SetArgument "changes" the format because before this we wouldn't know we had arguments.
1370         * dfg/DFGSpeculativeJIT64.cpp:
1371         (JSC::DFG::SpeculativeJIT::compile): Ditto.
1372         * dfg/DFGValueSource.cpp:
1373         (JSC::DFG::ValueSource::dumpInContext): Make this easier to dump.
1374         * dfg/DFGValueSource.h:
1375         (JSC::DFG::ValueSource::operator!): Make this easier to dump because Operands<T> uses T::operator!().
1376         * ftl/FTLOSREntry.cpp:
1377         (JSC::FTL::prepareOSREntry): This had a useful assertion for everything except 'this'.
1378         * tests/stress/strict-to-this-int.js: Added.
1379         (foo):
1380         (Number.prototype.valueOf):
1381         (test):
1382
1383 2014-04-29  Oliver Hunt  <oliver@apple.com>
1384
1385         Don't hold on to parameterBindingNodes forever
1386         https://bugs.webkit.org/show_bug.cgi?id=132360
1387
1388         Reviewed by Geoffrey Garen.
1389
1390         Don't keep the parameter nodes anymore. Instead we store the
1391         original parameter string and reparse whenever we actually
1392         need them. Because we only actually need them for compilation
1393         this only results in a single extra parse.
1394
1395         * bytecode/UnlinkedCodeBlock.cpp:
1396         (JSC::generateFunctionCodeBlock):
1397         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1398         (JSC::UnlinkedFunctionExecutable::visitChildren):
1399         (JSC::UnlinkedFunctionExecutable::finishCreation):
1400         (JSC::UnlinkedFunctionExecutable::paramString):
1401         (JSC::UnlinkedFunctionExecutable::parameters):
1402         (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
1403         * bytecode/UnlinkedCodeBlock.h:
1404         (JSC::UnlinkedFunctionExecutable::create):
1405         (JSC::UnlinkedFunctionExecutable::parameterCount):
1406         (JSC::UnlinkedFunctionExecutable::parameters): Deleted.
1407         (JSC::UnlinkedFunctionExecutable::finishCreation): Deleted.
1408         * parser/ASTBuilder.h:
1409         (JSC::ASTBuilder::ASTBuilder):
1410         (JSC::ASTBuilder::setFunctionBodyParameters):
1411         * parser/Nodes.h:
1412         (JSC::FunctionBodyNode::parametersStartOffset):
1413         (JSC::FunctionBodyNode::parametersEndOffset):
1414         (JSC::FunctionBodyNode::setParameterLocation):
1415         * parser/Parser.cpp:
1416         (JSC::Parser<LexerType>::parseFunctionInfo):
1417         (JSC::parseParameters):
1418         * parser/Parser.h:
1419         (JSC::parse):
1420         * parser/SourceCode.h:
1421         (JSC::SourceCode::subExpression):
1422         * parser/SyntaxChecker.h:
1423         (JSC::SyntaxChecker::setFunctionBodyParameters):
1424
1425 2014-04-29  Mark Hahnenberg  <mhahnenberg@apple.com>
1426
1427         JSProxies should be cacheable
1428         https://bugs.webkit.org/show_bug.cgi?id=132351
1429
1430         Reviewed by Geoffrey Garen.
1431
1432         Whenever we encounter a proxy in an inline cache we should try to cache on the 
1433         proxy's target instead of giving up.
1434
1435         This patch adds support for a simple "recursive" inline cache if the base object
1436         we're accessing is a pure forwarding proxy. JSGlobalObject and its subclasses 
1437         are the only ones to benefit from this right now.
1438
1439         This is performance neutral on the benchmarks we track. Currently we won't
1440         cache on JSDOMWindow due to HasImpureGetOwnPropertySlot, but this issue will be fixed soon.
1441
1442         * jit/Repatch.cpp:
1443         (JSC::generateByIdStub):
1444         (JSC::tryBuildGetByIDList):
1445         (JSC::tryCachePutByID):
1446         (JSC::tryBuildPutByIdList):
1447         * jsc.cpp:
1448         (GlobalObject::finishCreation):
1449         (functionCreateProxy):
1450         * runtime/IntendedStructureChain.cpp:
1451         (JSC::IntendedStructureChain::isNormalized):
1452         * runtime/JSCellInlines.h:
1453         (JSC::JSCell::isProxy):
1454         * runtime/JSGlobalObject.h:
1455         (JSC::JSGlobalObject::finishCreation):
1456         * runtime/JSProxy.h:
1457         (JSC::JSProxy::createStructure):
1458         (JSC::JSProxy::targetOffset):
1459         * runtime/JSType.h:
1460         * runtime/Operations.h:
1461         (JSC::isPrototypeChainNormalized):
1462         * runtime/Structure.h:
1463         (JSC::Structure::isProxy):
1464         * tests/stress/proxy-inline-cache.js: Added.
1465         (cacheOnTarget.getX):
1466         (cacheOnTarget):
1467         (cacheOnPrototypeOfTarget.getX):
1468         (cacheOnPrototypeOfTarget):
1469         (dontCacheOnProxyInPrototypeChain.getX):
1470         (dontCacheOnProxyInPrototypeChain):
1471         (dontCacheOnTargetOfProxyInPrototypeChainOfTarget.getX):
1472         (dontCacheOnTargetOfProxyInPrototypeChainOfTarget):
1473
1474 2014-04-29  Filip Pizlo  <fpizlo@apple.com>
1475
1476         Use LLVM as a backend for the fourth-tier DFG JIT (a.k.a. the FTL JIT)
1477         https://bugs.webkit.org/show_bug.cgi?id=112840
1478
1479         Rubber stamped by Geoffrey Garen.
1480
1481         * Configurations/FeatureDefines.xcconfig:
1482
1483 2014-04-29  Geoffrey Garen  <ggaren@apple.com>
1484
1485         String.prototype.trim removes U+200B from strings.
1486         https://bugs.webkit.org/show_bug.cgi?id=130184
1487
1488         Reviewed by Michael Saboff.
1489
1490         * runtime/StringPrototype.cpp:
1491         (JSC::trimString):
1492         (JSC::isTrimWhitespace): Deleted.
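
        Added example (editor's code, not JSC's StringPrototype.cpp): a trim over UTF-16
        code units whose whitespace set follows the ES5 WhiteSpace and LineTerminator
        productions, so U+200B ZERO WIDTH SPACE (general category Cf, not Zs) survives
        trimming. isTrimWhitespace and trimString echo the names in the file list above
        but are this example's own; the Zs members are assumed as of Unicode 6.3, with
        U+180E omitted because that version reclassified it to Cf.

```cpp
#include <string>

// Editor's example, not JSC code. Whitespace set per ES5 7.2 (WhiteSpace) and
// 7.3 (LineTerminator); the "Zs" members are assumed as of Unicode 6.3, which
// reclassified U+180E to Cf, so it is left out. U+200B is Cf, not Zs, so it is
// intentionally absent: a spec-conformant trim must leave it in place.
inline bool isTrimWhitespace(char16_t c)
{
    switch (c) {
    case 0x0009: case 0x000B: case 0x000C: case 0x0020: // TAB, VT, FF, SP
    case 0x00A0: case 0xFEFF:                           // NBSP, BOM
    case 0x000A: case 0x000D: case 0x2028: case 0x2029: // LineTerminators
    case 0x1680: case 0x202F: case 0x205F: case 0x3000: // Zs singletons
        return true;
    default:
        return c >= 0x2000 && c <= 0x200A;              // Zs range EN QUAD..HAIR SPACE
    }
}

// Trims whichever ends are requested, working on UTF-16 code units as JSC strings
// do. Every member of the set is a BMP code point, so no surrogate handling is needed.
inline std::u16string trimString(const std::u16string& s, bool left = true, bool right = true)
{
    size_t begin = 0, end = s.size();
    if (left)
        while (begin < end && isTrimWhitespace(s[begin]))
            ++begin;
    if (right)
        while (end > begin && isTrimWhitespace(s[end - 1]))
            --end;
    return s.substr(begin, end - begin);
}

// Reports whether a trimmed value still starts or ends with a zero-width space,
// which trim() is required to keep (useful when validating user-chosen identifiers).
inline bool hasEdgeZeroWidthSpace(const std::u16string& s)
{
    return !s.empty() && (s.front() == 0x200B || s.back() == 0x200B);
}
```

        A zero-width space that survives trim() is invisible in most UIs, which is why a
        check like hasEdgeZeroWidthSpace belongs on identifiers a user is allowed to pick.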
1493
1494 2014-04-29  Mark Lam  <mark.lam@apple.com>
1495
1496         Zombifying sweep should ignore retired blocks.
1497         <https://webkit.org/b/132344>
1498
1499         Reviewed by Mark Hahnenberg.
1500
1501         By definition, retired blocks do not have "dead" objects, or at least
1502         none that we know of yet until the next marking phase has been run
1503         over it.  So, we should not be sweeping them (even for zombie mode).
1504
1505         * heap/Heap.cpp:
1506         (JSC::Heap::zombifyDeadObjects):
1507         * heap/MarkedSpace.cpp:
1508         (JSC::MarkedSpace::zombifySweep):
1509         * heap/MarkedSpace.h:
1510         (JSC::ZombifySweep::operator()):
1511
1512 2014-04-29  Mark Lam  <mark.lam@apple.com>
1513
1514         Fix bit rot in zombie mode heap code.
1515         <https://webkit.org/b/132342>
1516
1517         Reviewed by Mark Hahnenberg.
1518
1519         Need to enter a DelayedReleaseScope before doing a sweep.
1520
1521         * heap/Heap.cpp:
1522         (JSC::Heap::zombifyDeadObjects):
1523
1524 2014-04-29  Tomas Popela  <tpopela@redhat.com>
1525
1526         LLINT loadisFromInstruction doesn't need special case for big endians
1527         https://bugs.webkit.org/show_bug.cgi?id=132330
1528
1529         Reviewed by Mark Lam.
1530
1531         The change introduced in r167076 was wrong. We should not apply the offset
1532         adjustment on loadisFromInstruction usage as the instruction
1533         (UnlinkedInstruction) is declared as a union (i.e. with the int32_t
1534         operand variable). The offset of the other union members will be the
1535         same as the offset of the first one, that is 0. The behavior here is the
1536         same on little and big endian architectures. Thus we don't need a
1537         special case for big endians.
1538
1539         * llint/LowLevelInterpreter.asm:
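
        Added example (editor's code, not the LLInt's): why a union member needs no
        endianness adjustment while a narrower view of a wider integer does.
        InstructionSlot, loadisFromSlot, roundTripOperand and readLow32OfWide are this
        example's own names, modelled on the entry, not JSC's.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Editor's example, not JSC code. A union shaped like the entry describes: a 32-bit
// operand overlaying pointer-sized members. Every member begins at the union's own
// address on every architecture, so its offset is 0 regardless of byte order.
union InstructionSlot {
    int32_t operand;
    intptr_t pointerValue;
    uint64_t wide;
};

static_assert(offsetof(InstructionSlot, operand) == 0, "union members all start at offset 0");

// A loadis-style load: read the int32 at the member's offset. That offset is 0 on
// little- and big-endian hosts alike, so no special case is needed.
inline int32_t loadisFromSlot(const InstructionSlot& slot)
{
    int32_t value;
    std::memcpy(&value, reinterpret_cast<const unsigned char*>(&slot) + offsetof(InstructionSlot, operand), sizeof value);
    return value;
}

// Poisons the whole slot, stores an operand through the union, reads it back via the
// byte-offset load above. The poison must not leak into the result on any host.
inline int32_t roundTripOperand(int32_t value)
{
    InstructionSlot slot;
    slot.wide = 0xFFFFFFFFFFFFFFFFull;
    slot.operand = value;
    return loadisFromSlot(slot);
}

// Contrast: picking the LOW 32 bits out of a 64-bit word by byte address DOES depend
// on endianness (offset 0 on little-endian, 4 on big-endian). This is the kind of
// adjustment that is wrong to apply to a union member.
inline size_t low32ByteOffsetInWord()
{
    const uint64_t probe = 1;
    unsigned char bytes[sizeof probe];
    std::memcpy(bytes, &probe, sizeof probe);
    return bytes[0] == 1 ? 0 : sizeof(uint64_t) - sizeof(uint32_t);
}

inline uint32_t readLow32OfWide(uint64_t word)
{
    uint32_t low;
    std::memcpy(&low, reinterpret_cast<const unsigned char*>(&word) + low32ByteOffsetInWord(), sizeof low);
    return low;
}
```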
1540
1541 2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>
1542
1543         Simplify tryCacheGetById
1544         https://bugs.webkit.org/show_bug.cgi?id=132314
1545
1546         Reviewed by Oliver Hunt and Filip Pizlo.
1547
1548         This is neutral across all benchmarks we track, although it looks like a wee 0.5% progression on sunspider.
1549
1550         * jit/Repatch.cpp:
1551         (JSC::tryCacheGetByID): If we fail to cache on self, we just repatch to call tryBuildGetByIDList next time.
1552
1553 2014-04-28  Michael Saboff  <msaboff@apple.com>
1554
1555         REGRESSION(r153142) ASSERT from CodeBlock::dumpBytecode dumping String Switch Jump Tables
1556         https://bugs.webkit.org/show_bug.cgi?id=132315
1557
1558         Reviewed by Mark Hahnenberg.
1559
1560         Used the StringImpl version of utf8() instead of creating a String first.
1561
1562         * bytecode/CodeBlock.cpp:
1563         (JSC::CodeBlock::dumpBytecode):
1564
1565 2014-04-28  Filip Pizlo  <fpizlo@apple.com>
1566
1567         The LLInt is awesome and it should get more of the action.
1568
1569         Rubber stamped by Geoffrey Garen.
1570         
1571         5% speed-up on JSBench and no meaningful regressions.  Should be a PLT/DYE speed-up also.
1572
1573         * runtime/Options.h:
1574
1575 2014-04-27  Filip Pizlo  <fpizlo@apple.com>
1576
1577         GC should be able to remove things from the DFG worklist and cancel on-going compilations if it knows that the compilation would already be invalidated
1578         https://bugs.webkit.org/show_bug.cgi?id=132166
1579
1580         Reviewed by Oliver Hunt and Mark Hahnenberg.
1581         
1582         The GC can aid type inference by removing structures that are dead and jettisoning
1583         code that relies on those structures. This can dramatically accelerate type inference
1584         for some tricky programs.
1585         
1586         Unfortunately, we previously pinned any structures that enqueued compilations depended
1587         on. This means that if you're on a machine that only runs a single compilation thread
1588         and where compilations are relatively slow, you have a high chance of large numbers of
1589         structures being pinned during any GC since the compilation queue is likely to be full
1590         of random stuff.
1591         
1592         This comprehensively fixes this issue by allowing the GC to remove compilation plans
1593         if the things they depend on are dead, and to even cancel safepointed compilations.
1594         
1595         * bytecode/CodeBlock.cpp:
1596         (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
1597         (JSC::CodeBlock::isKnownToBeLiveDuringGC):
1598         (JSC::CodeBlock::finalizeUnconditionally):
1599         * bytecode/CodeBlock.h:
1600         (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan): Deleted.
1601         * dfg/DFGDesiredIdentifiers.cpp:
1602         (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
1603         * dfg/DFGDesiredIdentifiers.h:
1604         * dfg/DFGDesiredWatchpoints.h:
1605         * dfg/DFGDesiredWeakReferences.cpp:
1606         (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
1607         * dfg/DFGDesiredWeakReferences.h:
1608         * dfg/DFGGraphSafepoint.cpp:
1609         (JSC::DFG::GraphSafepoint::GraphSafepoint):
1610         * dfg/DFGGraphSafepoint.h:
1611         * dfg/DFGPlan.cpp:
1612         (JSC::DFG::Plan::Plan):
1613         (JSC::DFG::Plan::compileInThread):
1614         (JSC::DFG::Plan::compileInThreadImpl):
1615         (JSC::DFG::Plan::notifyCompiling):
1616         (JSC::DFG::Plan::notifyCompiled):
1617         (JSC::DFG::Plan::notifyReady):
1618         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
1619         (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
1620         (JSC::DFG::Plan::cancel):
1621         (JSC::DFG::Plan::visitChildren): Deleted.
1622         * dfg/DFGPlan.h:
1623         * dfg/DFGSafepoint.cpp:
1624         (JSC::DFG::Safepoint::Result::~Result):
1625         (JSC::DFG::Safepoint::Result::didGetCancelled):
1626         (JSC::DFG::Safepoint::Safepoint):
1627         (JSC::DFG::Safepoint::~Safepoint):
1628         (JSC::DFG::Safepoint::checkLivenessAndVisitChildren):
1629         (JSC::DFG::Safepoint::isKnownToBeLiveDuringGC):
1630         (JSC::DFG::Safepoint::cancel):
1631         (JSC::DFG::Safepoint::visitChildren): Deleted.
1632         * dfg/DFGSafepoint.h:
1633         (JSC::DFG::Safepoint::Result::Result):
1634         * dfg/DFGWorklist.cpp:
1635         (JSC::DFG::Worklist::compilationState):
1636         (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
1637         (JSC::DFG::Worklist::removeAllReadyPlansForVM):
1638         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
1639         (JSC::DFG::Worklist::visitWeakReferences):
1640         (JSC::DFG::Worklist::removeDeadPlans):
1641         (JSC::DFG::Worklist::runThread):
1642         (JSC::DFG::Worklist::visitChildren): Deleted.
1643         * dfg/DFGWorklist.h:
1644         * ftl/FTLCompile.cpp:
1645         (JSC::FTL::compile):
1646         * ftl/FTLCompile.h:
1647         * heap/CodeBlockSet.cpp:
1648         (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
1649         * heap/Heap.cpp:
1650         (JSC::Heap::markRoots):
1651         (JSC::Heap::visitCompilerWorklistWeakReferences):
1652         (JSC::Heap::removeDeadCompilerWorklistEntries):
1653         (JSC::Heap::visitWeakHandles):
1654         (JSC::Heap::collect):
1655         (JSC::Heap::visitCompilerWorklists): Deleted.
1656         * heap/Heap.h:
1657
1658 2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>
1659
1660         Deleting properties poisons objects
1661         https://bugs.webkit.org/show_bug.cgi?id=131551
1662
1663         Reviewed by Oliver Hunt.
1664
1665         This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.
1666
1667         * runtime/JSPropertyNameIterator.cpp:
1668         (JSC::JSPropertyNameIterator::create):
1669         * runtime/PropertyMapHashTable.h:
1670         (JSC::PropertyTable::hasDeletedOffset):
1671         (JSC::PropertyTable::hadDeletedOffset): If we ever had deleted properties we can no longer cache offsets when 
1672         iterating properties because we're required to iterate properties in insertion order.
1673         * runtime/Structure.cpp:
1674         (JSC::Structure::Structure):
1675         (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
1676         (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of 
1677         Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache 
1678         delete transitions, but we allow transitioning from them.
1679         (JSC::Structure::changePrototypeTransition):
1680         (JSC::Structure::despecifyFunctionTransition):
1681         (JSC::Structure::attributeChangeTransition):
1682         (JSC::Structure::toDictionaryTransition):
1683         (JSC::Structure::preventExtensionsTransition):
1684         (JSC::Structure::addPropertyWithoutTransition):
1685         (JSC::Structure::removePropertyWithoutTransition):
1686         (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
1687         (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
1688         * runtime/Structure.h:
1689         * runtime/StructureInlines.h:
1690         (JSC::Structure::setEnumerationCache):
1691         (JSC::Structure::hadDeletedOffsets):
1692         (JSC::Structure::propertyTable):
1693         (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
1694         * tests/stress/for-in-after-delete.js: Added.
1695         (foo):
1696
1697 2014-04-25  Andreas Kling  <akling@apple.com>
1698
1699         Inline (C++) GetByVal with numeric indices more aggressively.
1700         <https://webkit.org/b/132218>
1701
1702         We were already inlining the string indexed GetByVal path pretty well,
1703         while the path for numeric indices got neglected. No more!
1704
1705         ~9.5% improvement on Dromaeo/dom-traverse.html on my MBP:
1706
1707             Before: 199.50 runs/s
1708              After: 218.58 runs/s
1709
1710         Reviewed by Phil Pizlo.
1711
1712         * dfg/DFGOperations.cpp:
1713         * runtime/JSCJSValueInlines.h:
1714         (JSC::JSValue::get):
1715
1716             ALWAYS_INLINE all the things.
1717
1718         * runtime/JSObject.h:
1719         (JSC::JSObject::getPropertySlot):
1720
1721             Avoid fetching the Structure more than once. We have the same
1722             optimization in the string-indexed code path.
1723
1724 2014-04-25  Oliver Hunt  <oliver@apple.com>
1725
1726         Need earlier cell test
1727         https://bugs.webkit.org/show_bug.cgi?id=132211
1728
1729         Reviewed by Mark Lam.
1730
1731         Move cell test to before the function call repatch
1732         location, as the repatch logic for 32bit assumes that the
1733         caller will already have performed a cell check.
1734
1735         * jit/JITCall32_64.cpp:
1736         (JSC::JIT::compileOpCall):
1737
1738 2014-04-25  Andreas Kling  <akling@apple.com>
1739
1740         Un-fast-allocate JSGlobalObjectRareData because Windows doesn't build and I'm not in the mood.
1741
1742         * runtime/JSGlobalObject.h:
1743         (JSC::JSGlobalObject::JSGlobalObjectRareData::JSGlobalObjectRareData):
1744         (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData): Deleted.
1745
1746 2014-04-25  Andreas Kling  <akling@apple.com>
1747
1748         Windows build fix attempt.
1749
1750         * runtime/JSGlobalObject.h:
1751         (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData):
1752
1753 2014-04-25  Mark Lam  <mark.lam@apple.com>
1754
1755         Refactor debugging code to use BreakpointActions instead of Vector<ScriptBreakpointAction>.
1756         <https://webkit.org/b/132201>
1757
1758         Reviewed by Joseph Pecoraro.
1759
1760         BreakpointActions is Vector<ScriptBreakpointAction>.  Let's just consistently use
1761         BreakpointActions everywhere.
1762
1763         * inspector/ScriptBreakpoint.h:
1764         (Inspector::ScriptBreakpoint::ScriptBreakpoint):
1765         * inspector/ScriptDebugServer.cpp:
1766         (Inspector::ScriptDebugServer::setBreakpoint):
1767         (Inspector::ScriptDebugServer::getActionsForBreakpoint):
1768         * inspector/ScriptDebugServer.h:
1769         * inspector/agents/InspectorDebuggerAgent.cpp:
1770         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
1771         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1772         (Inspector::InspectorDebuggerAgent::setBreakpoint):
1773         (Inspector::InspectorDebuggerAgent::removeBreakpoint):
1774         * inspector/agents/InspectorDebuggerAgent.h:
1775
1776 2014-04-24  Filip Pizlo  <fpizlo@apple.com>
1777
1778         DFG worklist scanning should not treat the key as a separate entity
1779         https://bugs.webkit.org/show_bug.cgi?id=132167
1780
1781         Reviewed by Mark Hahnenberg.
1782         
1783         This simplifies the interface to the GC and will enable more optimizations.
1784
1785         * dfg/DFGCompilationKey.cpp:
1786         (JSC::DFG::CompilationKey::visitChildren): Deleted.
1787         * dfg/DFGCompilationKey.h:
1788         * dfg/DFGPlan.cpp:
1789         (JSC::DFG::Plan::visitChildren):
1790         * dfg/DFGWorklist.cpp:
1791         (JSC::DFG::Worklist::visitChildren):
1792
1793 2014-04-25  Oliver Hunt  <oliver@apple.com>
1794
1795         Remove unused parameter from codeblock linking function
1796         https://bugs.webkit.org/show_bug.cgi?id=132199
1797
1798         Reviewed by Anders Carlsson.
1799
1800         No change in behaviour. This is just a small change to make it
1801         slightly easier to reason about what the offsets in UnlinkedFunctionExecutable
1802         actually mean.
1803
1804         * bytecode/UnlinkedCodeBlock.cpp:
1805         (JSC::UnlinkedFunctionExecutable::link):
1806         * bytecode/UnlinkedCodeBlock.h:
1807         * runtime/Executable.cpp:
1808         (JSC::ProgramExecutable::initializeGlobalProperties):
1809
1810 2014-04-25  Andreas Kling  <akling@apple.com>
1811
1812         Mark some things with WTF_MAKE_FAST_ALLOCATED.
1813         <https://webkit.org/b/132198>
1814
1815         Use FastMalloc for more things.
1816
1817         Reviewed by Anders Carlsson.
1818
1819         * builtins/BuiltinExecutables.h:
1820         * heap/GCThreadSharedData.h:
1821         * inspector/JSConsoleClient.h:
1822         * inspector/agents/InspectorAgent.h:
1823         * runtime/CodeCache.h:
1824         * runtime/JSGlobalObject.h:
1825         * runtime/Lookup.cpp:
1826         (JSC::HashTable::createTable):
1827         (JSC::HashTable::deleteTable):
1828         * runtime/WeakGCMap.h:
1829
1830 2014-04-25  Antoine Quint  <graouts@webkit.org>
1831
1832         Implement Array.prototype.find()
1833         https://bugs.webkit.org/show_bug.cgi?id=130966
1834
1835         Reviewed by Oliver Hunt.
1836
1837         Implement Array.prototype.find() and Array.prototype.findIndex() as proposed in the Harmony spec.
1838
1839         * builtins/Array.prototype.js:
1840         (find):
1841         (findIndex):
1842         * runtime/ArrayPrototype.cpp:
1843
1844 2014-04-24  Brady Eidson  <beidson@apple.com>
1845
1846         Rename "IMAGE_CONTROLS" feature to "SERVICE_CONTROLS"
1847         https://bugs.webkit.org/show_bug.cgi?id=132155
1848
1849         Reviewed by Tim Horton.
1850
1851         * Configurations/FeatureDefines.xcconfig:
1852
1853 2014-04-24  Michael Saboff  <msaboff@apple.com>
1854
1855         REGRESSION: Apparent hang of PCE.js Mac OS System 7.0.1 on ARM64 devices
1856         https://bugs.webkit.org/show_bug.cgi?id=132147
1857
1858         Reviewed by Mark Lam.
1859
1860         Fixed or64(), eor32() and eor64() to use the "src" register when we have a valid logicalImm.
1861
1862         * assembler/MacroAssemblerARM64.h:
1863         (JSC::MacroAssemblerARM64::or64):
1864         (JSC::MacroAssemblerARM64::xor32):
1865         (JSC::MacroAssemblerARM64::xor64):
1866         * tests/stress/regress-132147.js: Added test.
1867
1868 2014-04-24  Mark Lam  <mark.lam@apple.com>
1869
1870         Make slowPathAllocsBetweenGCs a runtime option.
1871         <https://webkit.org/b/132137>
1872
1873         Reviewed by Mark Hahnenberg.
1874
1875         This will make it easier to more casually run tests with this configuration
1876         as well as to reproduce issues (instead of requiring a code mod and rebuild).
1877         We will now take --slowPathAllocsBetweenGCs=N where N is the number of
1878         slow path allocations before we trigger a collection.
1879
1880         The option defaults to 0, which is reserved to mean that we will not trigger
1881         any collections there.
1882
1883         * heap/Heap.h:
1884         * heap/MarkedAllocator.cpp:
1885         (JSC::MarkedAllocator::doTestCollectionsIfNeeded):
1886         (JSC::MarkedAllocator::allocateSlowCase):
1887         * heap/MarkedAllocator.h:
1888         * runtime/Options.h:
1889
1890 2014-04-23  Mark Lam  <mark.lam@apple.com>
1891
1892         The GC should only resume compiler threads that it suspended in the same GC pass.
1893         <https://webkit.org/b/132088>
1894
1895         Reviewed by Mark Hahnenberg.
1896
1897         Previously, this scenario could occur:
1898         1. Thread 1 starts a GC and tries to suspend DFG worklist threads.  However,
1899            no worklists were created yet at that time.
1900         2. Thread 2 starts to compile some functions and creates a DFG worklist, and
1901            acquires the worklist thread's lock.
1902         3. Thread 1's GC completes and tries to resume suspended DFG worklist threads.
1903            This time, it sees the worklist created by Thread 2 and ends up unlocking
1904            the worklist thread's lock that is supposedly held by Thread 2.
1905         Thereafter, chaos ensues.
1906
1907         The fix is to cache the worklists that were actually suspended by each GC pass,
1908         and only resume those when the GC is done.
1909
1910         This issue was discovered by enabling COLLECT_ON_EVERY_ALLOCATION and running
1911         the fast/workers layout tests.
1912
1913         * heap/Heap.cpp:
1914         (JSC::Heap::visitCompilerWorklists):
1915         (JSC::Heap::deleteAllCompiledCode):
1916         (JSC::Heap::suspendCompilerThreads):
1917         (JSC::Heap::resumeCompilerThreads):
1918         * heap/Heap.h:
1919
1920 2014-04-23  Mark Hahnenberg  <mhahnenberg@apple.com>
1921
1922         Arguments::copyBackingStore needs to update m_registers in tandem with m_registerArray
1923         https://bugs.webkit.org/show_bug.cgi?id=132079
1924
1925         Reviewed by Michael Saboff.
1926
1927         Since we're moving the register backing store, we don't want to leave a dangling pointer into a random CopiedBlock.
1928
1929         Also added a test that previously triggered this bug.
1930
1931         * runtime/Arguments.cpp:
1932         (JSC::Arguments::copyBackingStore): D'oh!
1933         * tests/stress/arguments-copy-register-array-backing-store.js: Added.
1934         (foo):
1935         (bar):
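
        Added example (editor's code, not JSC's Arguments): the relocation pattern the
        entry describes, where an object holds both an owning pointer to a movable
        backing store and an alias pointer that may point into it. CopiedBlock,
        ArgumentsLike, tearOff and relocateAndPoison are this example's own names; the
        sample call frame is constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Editor's example, not JSC code. A block of copyable storage with bump allocation;
// capacity is fixed up front so pointers into it stay valid until the block is reused.
struct CopiedBlock {
    std::vector<int64_t> cells;
    size_t used = 0;
    explicit CopiedBlock(size_t capacity) : cells(capacity) { }
    int64_t* allocate(size_t n) { int64_t* p = cells.data() + used; used += n; return p; }
    // Stand-in for the collector handing the old block to someone else.
    void poison() { std::memset(cells.data(), 0xAB, cells.size() * sizeof(int64_t)); }
};

struct ArgumentsLike {
    int64_t* m_registers = nullptr;     // where reads go: the call frame, or m_registerArray after tearOff
    int64_t* m_registerArray = nullptr; // owned copy living in some CopiedBlock
    size_t m_numArguments = 0;

    // tearOff(): copy the frame's arguments into our own array and read from it from now on.
    void tearOff(CopiedBlock& block, const int64_t* frame, size_t n)
    {
        m_numArguments = n;
        m_registerArray = block.allocate(n);
        std::memcpy(m_registerArray, frame, n * sizeof(int64_t));
        m_registers = m_registerArray;
    }

    // copyBackingStore(): the collector moves m_registerArray into a new block. Updating
    // only m_registerArray (the bug) leaves m_registers dangling into the old block.
    void copyBackingStore(CopiedBlock& to)
    {
        if (!m_registerArray)
            return;
        const bool registersAliasArray = (m_registers == m_registerArray);
        int64_t* fresh = to.allocate(m_numArguments);
        std::memcpy(fresh, m_registerArray, m_numArguments * sizeof(int64_t));
        m_registerArray = fresh;
        if (registersAliasArray)
            m_registers = fresh; // the fix: keep the alias in step with the move
    }

    int64_t argument(size_t i) const { return m_registers[i]; }
};

// Tears off a constructed three-slot frame, relocates once, then poisons the old block
// the way reuse would. Returns the value read back through m_registers: with the alias
// fix it is still the original; without it the read would hit poisoned memory.
inline int64_t relocateAndPoison(size_t index)
{
    const int64_t frame[3] = { 10, 20, 30 };
    CopiedBlock from(8), to(8);
    ArgumentsLike args;
    args.tearOff(from, frame, 3);
    args.copyBackingStore(to);
    from.poison();
    return args.argument(index);
}

inline bool aliasTracksArrayAfterCopy()
{
    const int64_t frame[2] = { 1, 2 };
    CopiedBlock from(4), to(4);
    ArgumentsLike args;
    args.tearOff(from, frame, 2);
    args.copyBackingStore(to);
    return args.m_registers == args.m_registerArray && args.m_registerArray == to.cells.data();
}
```

        The property to check in any object that lives with a moving collector is the one
        the fix encodes: every pointer that can alias the moved store is rewritten in the
        same copy step, or a later read goes through memory the collector may hand out again.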
1936
1937 2014-04-23  Mark Rowe  <mrowe@apple.com>
1938
1939         [Mac] REGRESSION (r164823): Building JavaScriptCore creates files under /tmp/JavaScriptCore.dst
1940         <https://webkit.org/b/132053>
1941
1942         Reviewed by Dan Bernstein.
1943
1944         * JavaScriptCore.xcodeproj/project.pbxproj: Don't try to create a symlink at /usr/local/bin/jsc inside
1945         the DSTROOT unless we're building to the deployment location. Also remove the unnecessary -x argument
1946         from /bin/sh since that generates unnecessary output.
1947
1948 2014-04-22  Mark Lam  <mark.lam@apple.com>
1949
1950         DFG::Worklist should acquire the m_lock before iterating DFG plans.
1951         <https://webkit.org/b/132032>
1952
1953         Reviewed by Filip Pizlo.
1954
1955         Currently, there's a rightToRun mechanism that ensures that no compilation
1956         threads are running when the GC is iterating through the DFG worklists.
1957         However, this does not prevent a Worker thread from doing a DFG compilation
1958         and modifying the plans in the worklists thereby invalidating the plan
1959         iterator that the GC is using.  This patch fixes the issue by acquiring
1960         the worklist m_lock before iterating the worklist plans.
1961
1962         This issue was uncovered by running the fast/workers layout tests with
1963         COLLECT_ON_EVERY_ALLOCATION enabled.
1964
1965         * dfg/DFGWorklist.cpp:
1966         (JSC::DFG::Worklist::isActiveForVM):
1967         (JSC::DFG::Worklist::visitChildren):
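
        Added example (editor's code, not JSC's) for this entry and the 2014-04-23 entry
        above on resuming only the compiler threads that were suspended: a cut-down
        Worklist/Heap model that takes m_lock while iterating plans and records which
        worklists a GC pass parked. Worklist, WorklistRegistry, Heap and runScenario are
        this example's own simplifications; the thread interleaving is the three steps
        the 2014-04-23 entry lists, ordered with a condition variable.

```cpp
#include <condition_variable>
#include <deque>
#include <memory>
#include <mutex>
#include <thread>
#include <vector>

// Editor's example, not JSC code: a cut-down model of DFG::Worklist and JSC::Heap that
// replays the interleaving from the 2014-04-23 entry and applies both fixes.
struct Worklist {
    std::mutex m_lock;        // guards m_plans; every enqueue takes it (2014-04-22 fix)
    std::deque<int> m_plans;  // plan ids
    std::mutex m_rightToRun;  // the GC locks this to park the worklist's compiler thread

    void enqueue(int planId) {
        std::lock_guard<std::mutex> guard(m_lock);
        m_plans.push_back(planId);
    }
    // GC-side iteration. Holding m_rightToRun only keeps this worklist's own compiler
    // thread parked; a Worker thread on another VM may still enqueue() here, so the
    // iteration must hold m_lock or the iterator can be invalidated underneath it.
    template <typename Visitor> size_t visitPlans(Visitor&& visit) {
        std::lock_guard<std::mutex> guard(m_lock);
        for (int plan : m_plans) visit(plan);
        return m_plans.size();
    }
};

// Worklists are created lazily by whichever thread first needs one.
struct WorklistRegistry {
    std::mutex m_lock;
    std::vector<std::shared_ptr<Worklist>> m_worklists;

    std::shared_ptr<Worklist> create() {
        auto worklist = std::make_shared<Worklist>();
        std::lock_guard<std::mutex> guard(m_lock);
        m_worklists.push_back(worklist);
        return worklist;
    }
    std::vector<std::shared_ptr<Worklist>> snapshot() {
        std::lock_guard<std::mutex> guard(m_lock);
        return m_worklists;
    }
};

struct Heap {
    WorklistRegistry& m_registry;
    // The 2014-04-23 fix: remember exactly which worklists this GC pass parked, instead
    // of re-walking the registry at resume time and unlocking whatever exists by then.
    std::vector<std::shared_ptr<Worklist>> m_suspendedWorklists;

    explicit Heap(WorklistRegistry& registry) : m_registry(registry) { }

    void suspendCompilerThreads() {
        for (auto& worklist : m_registry.snapshot()) {
            worklist->m_rightToRun.lock();
            m_suspendedWorklists.push_back(worklist);
        }
    }
    size_t visitCompilerWorklists() {
        size_t seen = 0;
        for (auto& worklist : m_suspendedWorklists) seen += worklist->visitPlans([](int) { });
        return seen;
    }
    void resumeCompilerThreads() {
        for (auto& worklist : m_suspendedWorklists) worklist->m_rightToRun.unlock(); // only our own locks
        m_suspendedWorklists.clear();
    }
};

struct ScenarioResult {
    size_t suspended;           // worklists parked by this GC pass
    size_t plansVisited;        // plans seen while iterating under m_lock
    bool lateWorklistStillHeld; // thread 2's rightToRun was not released by the GC
};

// Replays steps 1-3 from the entry deterministically (a condition variable orders the threads).
inline ScenarioResult runScenario() {
    WorklistRegistry registry;
    auto existing = registry.create();
    existing->enqueue(1);
    existing->enqueue(2);

    Heap heap(registry);
    heap.suspendCompilerThreads();            // step 1: only `existing` is parked

    std::mutex cvLock;
    std::condition_variable cv;
    bool acquired = false, release = false;
    std::shared_ptr<Worklist> late;
    std::thread thread2([&] {                 // step 2: new worklist, lock held by thread 2
        late = registry.create();
        late->m_rightToRun.lock();
        { std::lock_guard<std::mutex> guard(cvLock); acquired = true; }
        cv.notify_all();
        std::unique_lock<std::mutex> guard(cvLock);
        cv.wait(guard, [&] { return release; });
        late->m_rightToRun.unlock();
    });
    { std::unique_lock<std::mutex> guard(cvLock); cv.wait(guard, [&] { return acquired; }); }

    ScenarioResult result;
    result.suspended = heap.m_suspendedWorklists.size();
    result.plansVisited = heap.visitCompilerWorklists();
    heap.resumeCompilerThreads();             // step 3: releases `existing` only
    result.lateWorklistStillHeld = !late->m_rightToRun.try_lock();

    { std::lock_guard<std::mutex> guard(cvLock); release = true; }
    cv.notify_all();
    thread2.join();
    return result;
}
```

        Unlocking a std::mutex another thread owns is undefined behaviour, which is the
        "chaos" the entry refers to; recording the suspended set turns resume into a
        release of exactly the locks this pass acquired, and nothing else.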
1968
1969 2014-04-22  Brent Fulgham  <bfulgham@apple.com>
1970
1971         [Win] Support Python 2.7 in Cygwin
1972         https://bugs.webkit.org/show_bug.cgi?id=132023
1973
1974         Reviewed by Michael Saboff.
1975
1976         * DerivedSources.make: Use a conditional variable to define
1977         the path to Python/Perl.
1978
1979 2014-04-22  Filip Pizlo  <fpizlo@apple.com>
1980
1981         Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS
1982         https://bugs.webkit.org/show_bug.cgi?id=130867
1983         <rdar://problem/16432456> 
1984
1985         Reviewed by Mark Hahnenberg.
1986
1987         * Configurations/Base.xcconfig:
1988         * Configurations/LLVMForJSC.xcconfig:
1989
1990 2014-04-22  Alex Christensen  <achristensen@webkit.org>
1991
1992         [Win] Unreviewed build fix after my r167666.
1993
1994         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
1995         Added ../../../ again to include headers in Source/JavaScriptCore.
1996
1997 2014-04-22  Alex Christensen  <achristensen@webkit.org>
1998
1999         Removed old stdbool and inttypes headers.
2000         https://bugs.webkit.org/show_bug.cgi?id=131966
2001
2002         Reviewed by Brent Fulgham.
2003
2004         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
2005         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
2006         Removed references to os-win32 directory.
2007         * os-win32: Removed.
2008         * os-win32/inttypes.h: Removed.
2009         * os-win32/stdbool.h: Removed.
2010
2011 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
2012
2013         DFG::clobberize() should honestly admit that profiler and debugger nodes are effectful
2014         https://bugs.webkit.org/show_bug.cgi?id=131971
2015         <rdar://problem/16676511>
2016
2017         Reviewed by Mark Lam.
2018
2019         * dfg/DFGClobberize.h:
2020         (JSC::DFG::clobberize):
2021
2022 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
2023
2024         Switch statements that skip the baseline JIT should work
2025         https://bugs.webkit.org/show_bug.cgi?id=131965
2026
2027         Reviewed by Mark Hahnenberg.
2028
2029         * bytecode/JumpTable.h:
2030         (JSC::SimpleJumpTable::ensureCTITable):
2031         * dfg/DFGSpeculativeJIT.cpp:
2032         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2033         * jit/JITOpcodes.cpp:
2034         (JSC::JIT::emit_op_switch_imm):
2035         (JSC::JIT::emit_op_switch_char):
2036         * jit/JITOpcodes32_64.cpp:
2037         (JSC::JIT::emit_op_switch_imm):
2038         (JSC::JIT::emit_op_switch_char):
2039         * tests/stress/inline-llint-with-switch.js: Added.
2040         (foo):
2041         (bar):
2042         (test):
2043
2044 2014-04-21  Mark Hahnenberg  <mhahnenberg@apple.com>
2045
2046         Arguments objects shouldn't need a destructor
2047         https://bugs.webkit.org/show_bug.cgi?id=131899
2048
2049         Reviewed by Oliver Hunt.
2050
2051         This patch rids Arguments objects of their destructors. It does this by 
2052         switching their backing stores to use CopiedSpace rather than malloc memory.
2053
2054         * dfg/DFGSpeculativeJIT.cpp:
2055         (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Fix the code emitted for inline
2056         Arguments allocation so that it only emits an extra write for strict mode code rather
2057         than unconditionally.
2058         * heap/CopyToken.h: New CopyTokens for the two different types of Arguments backing stores.
2059         * runtime/Arguments.cpp:
2060         (JSC::Arguments::visitChildren): We need to tell the collector to copy the backing stores now.
2061         (JSC::Arguments::copyBackingStore): Do the actual copying of the backing stores.
2062         (JSC::Arguments::deletePropertyByIndex): Update all the accesses to SlowArgumentData and m_registerArray.
2063         (JSC::Arguments::deleteProperty):
2064         (JSC::Arguments::defineOwnProperty):
2065         (JSC::Arguments::allocateRegisterArray):
2066         (JSC::Arguments::tearOff):
2067         (JSC::Arguments::destroy): Deleted. We don't need the destructor any more.
2068         * runtime/Arguments.h:
2069         (JSC::Arguments::registerArraySizeInBytes):
2070         (JSC::Arguments::SlowArgumentData::SlowArgumentData): Switch SlowArgumentData to being allocated
2071         in CopiedSpace. Now the SlowArgumentData and its backing store are a single contiguous CopiedSpace
2072         allocation.
2073         (JSC::Arguments::SlowArgumentData::slowArguments):
2074         (JSC::Arguments::SlowArgumentData::bytecodeToMachineCaptureOffset):
2075         (JSC::Arguments::SlowArgumentData::setBytecodeToMachineCaptureOffset):
2076         (JSC::Arguments::SlowArgumentData::sizeForNumArguments):
2077         (JSC::Arguments::Arguments):
2078         (JSC::Arguments::allocateSlowArguments):
2079         (JSC::Arguments::tryDeleteArgument):
2080         (JSC::Arguments::isDeletedArgument):
2081         (JSC::Arguments::isArgument):
2082         (JSC::Arguments::argument):
2083         (JSC::Arguments::finishCreation):
2084         * runtime/SymbolTable.h:
2085
2086 2014-04-21  Eric Carlson  <eric.carlson@apple.com>
2087
2088         [Mac] implement WebKitDataCue
2089         https://bugs.webkit.org/show_bug.cgi?id=131799
2090
2091         Reviewed by Dean Jackson.
2092
2093         * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.
2094
2095 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
2096
2097         Unreviewed test gardening, run the repeat-out-of-bounds tests again.
2098
2099         * tests/stress/float32-repeat-out-of-bounds.js:
2100         * tests/stress/int8-repeat-out-of-bounds.js:
2101
2102 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
2103
2104         OSR exit should know about Int52 and Double constants
2105         https://bugs.webkit.org/show_bug.cgi?id=131945
2106
2107         Reviewed by Oliver Hunt.
2108         
2109         The DFG OSR exit machinery's ignorance would lead to some constants becoming
2110         jsUndefined() after OSR exit.
2111         
2112         The FTL OSR exit machinery's ignorance just meant that we would sometimes use a
2113         stackmap constant rather than baking the constant into the OSRExit data structure.
2114         So, not a big deal, but worth fixing.
2115         
2116         Also added some helpful hacks to jsc.cpp for testing such OSR exit pathologies.
2117
2118         * dfg/DFGByteCodeParser.cpp:
2119         (JSC::DFG::ByteCodeParser::handleIntrinsic):
2120         * dfg/DFGMinifiedNode.h:
2121         (JSC::DFG::belongsInMinifiedGraph):
2122         (JSC::DFG::MinifiedNode::hasConstantNumber):
2123         * ftl/FTLLowerDFGToLLVM.cpp:
2124         (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
2125         * jsc.cpp:
2126         (GlobalObject::finishCreation):
2127         (functionOtherFalse):
2128         (functionUndefined):
2129         * runtime/Intrinsic.h:
2130         * tests/stress/fold-to-double-constant-then-exit.js: Added.
2131         (foo):
2132         * tests/stress/fold-to-int52-constant-then-exit.js: Added.
2133         (foo):
2134
2135 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
2136
2137         Provide feedback when we encounter an unrecognized node in the FTL backend.
2138
2139         Rubber stamped by Alexey Proskuryakov.
2140
2141         * ftl/FTLLowerDFGToLLVM.cpp:
2142         (JSC::FTL::LowerDFGToLLVM::compileNode):
2143
2144 2014-04-21  Andreas Kling  <akling@apple.com>
2145
2146         Move the JSString cache from DOMWrapperWorld to VM.
2147         <https://webkit.org/b/131940>
2148
2149         Reviewed by Geoff Garen.
2150
2151         * runtime/VM.h:
2152
2153 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
2154
2155         Take block execution count estimates into account when voting double
2156         https://bugs.webkit.org/show_bug.cgi?id=131906
2157
2158         Reviewed by Geoffrey Garen.
2159         
2160         This was a drama in three acts.
2161         
2162         Act I: Slurp in BasicBlock::executionCount and use it as a weight when counting the
2163             number of uses of a variable that want double or non-double. Easy as pie. This
2164             gave me a huge speed-up on FloatMM and a huge slow-down on basically everything
2165             else.
2166         
2167         Act II: Realize that there were some programs where our previous double voting was
2168             just on the edge of disaster and making it more precise tipped it over. In
2169             particular, if you had an integer variable that would infrequently be used in a
2170             computation that resulted in a variable that was frequently used as an array index,
2171             the outer infrequentness would be the thing we'd use in the vote. So, an array
2172             index would become double. We fix this by reviving global backwards propagation
2173             and introducing the concept of ReallyWantsInt, which is used just for array
2174             indices. Any variable transitively flagged as ReallyWantsInt will never be forced
2175             double. We need that flag to be separate from UsedAsInt, since UsedAsInt needs to
2176             be set in bitops for RageConversion but using it for double forcing is too much.
2177             Basically, it's cheaper to have to convert a double to an int for a bitop than it
2178             is to convert a double to an int for an array index; also a variable being used as
2179             an array index is a much stronger hint that it ought to be an int. This recovered
2180             performance on everything except programs that used FTL OSR entry.
2181         
2182         Act III: Realize that OSR entrypoint creation creates blocks that have NaN execution
2183             count, which then completely pollutes the weighting - essentially all votes go
2184             NaN. Fix this with some surgical defenses. Basically, any client of execution
2185             counts should allow for them to be NaN and shouldn't completely fall off a cliff
2186             when it happens.
2187         
2188         This is awesome. 75% speed-up on FloatMM. 11% speed-up on audio-dft. This leads to
2189         7% speed-up on AsmBench and 2% speed-up on Kraken.
2190
2191         * CMakeLists.txt:
2192         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2193         * JavaScriptCore.xcodeproj/project.pbxproj:
2194         * dfg/DFGBackwardsPropagationPhase.cpp:
2195         (JSC::DFG::BackwardsPropagationPhase::run):
2196         (JSC::DFG::BackwardsPropagationPhase::propagate):
2197         * dfg/DFGGraph.cpp:
2198         (JSC::DFG::Graph::dumpBlockHeader):
2199         * dfg/DFGGraph.h:
2200         (JSC::DFG::Graph::voteNode):
2201         (JSC::DFG::Graph::voteChildren):
2202         * dfg/DFGNodeFlags.cpp:
2203         (JSC::DFG::dumpNodeFlags):
2204         * dfg/DFGNodeFlags.h:
2205         * dfg/DFGOSREntrypointCreationPhase.cpp:
2206         (JSC::DFG::OSREntrypointCreationPhase::run):
2207         * dfg/DFGPlan.cpp:
2208         (JSC::DFG::Plan::compileInThreadImpl):
2209         * dfg/DFGPredictionPropagationPhase.cpp:
2210         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
2211         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
2212         * dfg/DFGVariableAccessData.cpp: Added.
2213         (JSC::DFG::VariableAccessData::VariableAccessData):
2214         (JSC::DFG::VariableAccessData::mergeIsCaptured):
2215         (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox):
2216         (JSC::DFG::VariableAccessData::predict):
2217         (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction):
2218         (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
2219         (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
2220         (JSC::DFG::VariableAccessData::mergeDoubleFormatState):
2221         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
2222         (JSC::DFG::VariableAccessData::flushFormat):
2223         * dfg/DFGVariableAccessData.h:
2224         (JSC::DFG::VariableAccessData::vote):
2225         (JSC::DFG::VariableAccessData::VariableAccessData): Deleted.
2226         (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
2227         (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox): Deleted.
2228         (JSC::DFG::VariableAccessData::predict): Deleted.
2229         (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction): Deleted.
2230         (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote): Deleted.
2231         (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat): Deleted.
2232         (JSC::DFG::VariableAccessData::mergeDoubleFormatState): Deleted.
2233         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat): Deleted.
2234         (JSC::DFG::VariableAccessData::flushFormat): Deleted.
2235
2236 2014-04-21  Michael Saboff  <msaboff@apple.com>
2237
2238         REGRESSION(r167591): ARM64 and ARM traditional builds broken
2239         https://bugs.webkit.org/show_bug.cgi?id=131935
2240
2241         Reviewed by Mark Hahnenberg.
2242
2243         Added store8(TrustedImm32, MacroAssembler::Address) to the ARM traditional and ARM64
2244         macro assemblers.  Added a new test for the original patch.
2245
2246         * assembler/MacroAssemblerARM.h:
2247         (JSC::MacroAssemblerARM::store8):
2248         * assembler/MacroAssemblerARM64.h:
2249         (JSC::MacroAssemblerARM64::store8):
2250         * tests/stress/dfg-create-arguments-inline-alloc.js: New test.
2251
2252 2014-04-21  Mark Hahnenberg  <mhahnenberg@apple.com>
2253
2254         Inline allocate Arguments objects in the DFG
2255         https://bugs.webkit.org/show_bug.cgi?id=131897
2256
2257         Reviewed by Geoffrey Garen.
2258
2259         Many libraries/frameworks depend on the arguments object for overloaded API entry points. 
2260         This is the first step to making Arguments fast(er). We'll duplicate the logic in Arguments::create 
2261         for now and take the slow path for complicated cases like slow arguments, tearing off for strict mode, etc.
2262
2263         * dfg/DFGSpeculativeJIT.cpp:
2264         (JSC::DFG::SpeculativeJIT::emitAllocateArguments):
2265         * dfg/DFGSpeculativeJIT.h:
2266         (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
2267         * dfg/DFGSpeculativeJIT32_64.cpp:
2268         (JSC::DFG::SpeculativeJIT::compile):
2269         * dfg/DFGSpeculativeJIT64.cpp:
2270         (JSC::DFG::SpeculativeJIT::compile):
2271         * runtime/Arguments.h:
2272         (JSC::Arguments::offsetOfActivation):
2273         (JSC::Arguments::offsetOfOverrodeLength):
2274         (JSC::Arguments::offsetOfIsStrictMode):
2275         (JSC::Arguments::offsetOfRegisterArray):
2276         (JSC::Arguments::offsetOfCallee):
2277         (JSC::Arguments::allocationSize):
2278
2279 2014-04-20  Andreas Kling  <akling@apple.com>
2280
2281         Speed up jsStringWithCache() through WeakGCMap inlining.
2282         <https://webkit.org/b/131923>
2283
2284         Always inline WeakGCMap::add() but move the slow garbage collecting
2285         path out-of-line.
2286
2287         Reviewed by Darin Adler.
2288
2289         * runtime/WeakGCMap.h:
2290         (JSC::WeakGCMap::add):
2291         (JSC::WeakGCMap::gcMap):
2292
2293 2014-04-20  László Langó  <llango.u-szeged@partner.samsung.com>
2294
2295         JavaScriptCore: ARM build fix after r167094.
2296         https://bugs.webkit.org/show_bug.cgi?id=131612
2297
2298         Reviewed by Michael Saboff.
2299
2300         After r167094 there are many build errors on ARM like these:
2301
2302             /tmp/ccgtHRno.s:370: Error: invalid constant (425a) after fixup
2303             /tmp/ccgtHRno.s:374: Error: invalid constant (426e) after fixup
2304             /tmp/ccgtHRno.s:378: Error: invalid constant (4282) after fixup
2305             /tmp/ccgtHRno.s:382: Error: invalid constant (4296) after fixup
2306
2307         Problem is caused by the wrong generated assembly like:
2308             "\tmov r2, (" LOCAL_LABEL_STRING(llint_op_strcat) " - " LOCAL_LABEL_STRING(relativePCBase) ")\n" // /home/webkit/WebKit/Source/JavaScriptCore/llint/LowLevelInterpreter.asm:741
2309
2310         `mov` can only move an 8-bit immediate, but not every constant fits into 8 bits. Clang converts
2311         the mov to a single movw or a movw and a movt, depending on the immediate, but binutils doesn't.
2312         Add a new ARM-specific offline assembler instruction (`mvlbl`) for the following llint_entry
2313         use case: move rn, (label1-label2), which is translated to movw and movt.
2314
2315         * llint/LowLevelInterpreter.asm:
2316         * offlineasm/arm.rb:
2317         * offlineasm/instructions.rb:
2318
2319 2014-04-20  Csaba Osztrogonác  <ossy@webkit.org>
2320
2321         [ARM] Unreviewed build fix after r167336.
2322
2323         * assembler/MacroAssemblerARM.h:
2324         (JSC::MacroAssemblerARM::branchAdd32):
2325
2326 2014-04-20  Commit Queue  <commit-queue@webkit.org>
2327
2328         Unreviewed, rolling out r167501.
2329         https://bugs.webkit.org/show_bug.cgi?id=131913
2330
2331         It broke DYEBench (Requested by mhahnenberg on #webkit).
2332
2333         Reverted changeset:
2334
2335         "Deleting properties poisons objects"
2336         https://bugs.webkit.org/show_bug.cgi?id=131551
2337         http://trac.webkit.org/changeset/167501
2338
2339 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
2340
2341         It should be OK to store new fields into objects that have no prototypes
2342         https://bugs.webkit.org/show_bug.cgi?id=131905
2343
2344         Reviewed by Mark Hahnenberg.
2345
2346         * dfg/DFGByteCodeParser.cpp:
2347         (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
2348         * tests/stress/put-by-id-transition-null-prototype.js: Added.
2349         (foo):
2350
2351 2014-04-19  Benjamin Poulain  <bpoulain@apple.com>
2352
2353         Make the CSS JIT compile for ARM64
2354         https://bugs.webkit.org/show_bug.cgi?id=131834
2355
2356         Reviewed by Gavin Barraclough.
2357
2358         Extend the ARM64 MacroAssembler to support the code generation required by
2359         the CSS JIT.
2360
2361         * assembler/MacroAssembler.h:
2362         * assembler/MacroAssemblerARM64.h:
2363         (JSC::MacroAssemblerARM64::addPtrNoFlags):
2364         (JSC::MacroAssemblerARM64::or32):
2365         (JSC::MacroAssemblerARM64::branchPtr):
2366         (JSC::MacroAssemblerARM64::test32):
2367         (JSC::MacroAssemblerARM64::branch):
2368         * assembler/MacroAssemblerX86Common.h:
2369         (JSC::MacroAssemblerX86Common::test32):
2370
2371 2014-04-19  Andreas Kling  <akling@apple.com>
2372
2373         Two little shortcuts to the JSType.
2374         <https://webkit.org/b/131896>
2375
2376         Tweak two sites that take the long road through JSCell::structure()->typeInfo()
2377         to look at data that's already in JSCell::type().
2378
2379         Reviewed by Darin Adler.
2380
2381         * runtime/NameInstance.h:
2382         (JSC::isName):
2383         * runtime/NumberPrototype.cpp:
2384         (JSC::toThisNumber):
2385
2386 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
2387
2388         Make it easier to check if an integer sum would overflow
2389         https://bugs.webkit.org/show_bug.cgi?id=131900
2390
2391         Reviewed by Darin Adler.
2392
2393         * dfg/DFGOperations.cpp:
2394         * runtime/Operations.h:
2395         (JSC::jsString):
2396
2397 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
2398
2399         Address some feedback on https://bugs.webkit.org/show_bug.cgi?id=130684.
2400
2401         * dfg/DFGOperations.cpp:
2402         * runtime/JSString.h:
2403         (JSC::JSRopeString::RopeBuilder::append):
2404
2405 2014-04-18  Mark Lam  <mark.lam@apple.com>
2406
2407         REGRESSION(r164205): WebKit crash @StructureIDTable::get.
2408         <https://webkit.org/b/130539>
2409
2410         Reviewed by Geoffrey Garen.
2411
2412         prepareOSREntry() prepares for OSR entry by first copying the local var
2413         values from the baseline frame to a scratch buffer, which is then used
2414         to fill in the locals in their new position in the DFG frame.  Unfortunately,
2415         prepareOSREntry() was using the DFG frame's frameRegisterCount as the frame
2416         size of the baseline frame.  As a result, some values of locals in the
2417         baseline frame were not saved off, and the DFG frame may get initialized
2418         with random content that happened to be in the uninitialized (and possibly
2419         unallocated) portions of the scratch buffer.
2420
2421         The fix is to use OSREntryData::m_expectedValues.numberOfLocals() as the
2422         number of locals in the baseline frame that we want to copy to the scratch
2423         buffer.
2424
2425         Note: osrEntryThunkGenerator() is expecting the DFG frameRegisterCount
2426         at offset 0 in the scratch buffer.  So, we continue to write that value
2427         there, not the baseline frame size.
2428
2429         * dfg/DFGOSREntry.cpp:
2430         (JSC::DFG::prepareOSREntry):
2431
2432 2014-04-18  Timothy Hatcher  <timothy@apple.com>
2433
2434         Web Inspector: Move InspectorProfilerAgent to JavaScriptCore
2435         https://bugs.webkit.org/show_bug.cgi?id=131673
2436
2437         Passes existing profiler and inspector tests.
2438
2439         Reviewed by Joseph Pecoraro.
2440
2441         * CMakeLists.txt:
2442         * DerivedSources.make:
2443         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2444         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2445         * JavaScriptCore.xcodeproj/project.pbxproj:
2446         * inspector/JSConsoleClient.cpp:
2447         (Inspector::JSConsoleClient::JSConsoleClient):
2448         (Inspector::JSConsoleClient::profile):
2449         (Inspector::JSConsoleClient::profileEnd):
2450         (Inspector::JSConsoleClient::count): Deleted.
2451         * inspector/JSConsoleClient.h:
2452         * inspector/JSGlobalObjectInspectorController.cpp:
2453         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2454         * inspector/agents/InspectorProfilerAgent.cpp: Added.
2455         (Inspector::InspectorProfilerAgent::InspectorProfilerAgent):
2456         (Inspector::InspectorProfilerAgent::~InspectorProfilerAgent):
2457         (Inspector::InspectorProfilerAgent::addProfile):
2458         (Inspector::InspectorProfilerAgent::createProfileHeader):
2459         (Inspector::InspectorProfilerAgent::enable):
2460         (Inspector::InspectorProfilerAgent::disable):
2461         (Inspector::InspectorProfilerAgent::getUserInitiatedProfileName):
2462         (Inspector::InspectorProfilerAgent::getProfileHeaders):
2463         (Inspector::buildInspectorObject):
2464         (Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
2465         (Inspector::InspectorProfilerAgent::getCPUProfile):
2466         (Inspector::InspectorProfilerAgent::removeProfile):
2467         (Inspector::InspectorProfilerAgent::reset):
2468         (Inspector::InspectorProfilerAgent::didCreateFrontendAndBackend):
2469         (Inspector::InspectorProfilerAgent::willDestroyFrontendAndBackend):
2470         (Inspector::InspectorProfilerAgent::start):
2471         (Inspector::InspectorProfilerAgent::stop):
2472         (Inspector::InspectorProfilerAgent::setRecordingProfile):
2473         (Inspector::InspectorProfilerAgent::startProfiling):
2474         (Inspector::InspectorProfilerAgent::stopProfiling):
2475         * inspector/agents/InspectorProfilerAgent.h: Added.
2476         * inspector/agents/JSGlobalObjectProfilerAgent.cpp: Copied from Source/WebCore/inspector/ScriptProfile.idl.
2477         (Inspector::JSGlobalObjectProfilerAgent::JSGlobalObjectProfilerAgent):
2478         (Inspector::JSGlobalObjectProfilerAgent::profilingGlobalExecState):
2479         * inspector/agents/JSGlobalObjectProfilerAgent.h: Copied from Source/WebCore/inspector/ScriptProfile.idl.
2480         * inspector/protocol/Profiler.json: Renamed from Source/WebCore/inspector/protocol/Profiler.json.
2481         * profiler/Profile.h:
2482         * runtime/ConsoleClient.h:
2483
2484 2014-04-18  Commit Queue  <commit-queue@webkit.org>
2485
2486         Unreviewed, rolling out r167527.
2487         https://bugs.webkit.org/show_bug.cgi?id=131883
2488
2489         Broke 32-bit build (Requested by ap on #webkit).
2490
2491         Reverted changeset:
2492
2493         "[Mac] implement WebKitDataCue"
2494         https://bugs.webkit.org/show_bug.cgi?id=131799
2495         http://trac.webkit.org/changeset/167527
2496
2497 2014-04-18  Eric Carlson  <eric.carlson@apple.com>
2498
2499         [Mac] implement WebKitDataCue
2500         https://bugs.webkit.org/show_bug.cgi?id=131799
2501
2502         Reviewed by Dean Jackson.
2503
2504         * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.
2505
2506 2014-04-18  Filip Pizlo  <fpizlo@apple.com>
2507
2508         Actually address Mark's review feedback.
2509
2510         * dfg/DFGOSRExitCompilerCommon.cpp:
2511         (JSC::DFG::handleExitCounts):
2512
2513 2014-04-18  Filip Pizlo  <fpizlo@apple.com>
2514
2515         Options::maximumExecutionCountsBetweenCheckpoints() should be higher for DFG->FTL tier-up but the same for other tier-ups
2516         https://bugs.webkit.org/show_bug.cgi?id=131850
2517
2518         Reviewed by Mark Hahnenberg.
2519         
2520         Templatize ExecutionCounter to allow for two different styles of calculating the
2521         checkpoint threshold.
2522         
2523         Appears to be a slight speed-up on DYEBench.
2524
2525         * bytecode/CodeBlock.h:
2526         (JSC::CodeBlock::llintExecuteCounter):
2527         (JSC::CodeBlock::offsetOfJITExecuteCounter):
2528         (JSC::CodeBlock::offsetOfJITExecutionActiveThreshold):
2529         (JSC::CodeBlock::offsetOfJITExecutionTotalCount):
2530         (JSC::CodeBlock::jitExecuteCounter):
2531         * bytecode/ExecutionCounter.cpp:
2532         (JSC::ExecutionCounter<countingVariant>::ExecutionCounter):
2533         (JSC::ExecutionCounter<countingVariant>::forceSlowPathConcurrently):
2534         (JSC::ExecutionCounter<countingVariant>::checkIfThresholdCrossedAndSet):
2535         (JSC::ExecutionCounter<countingVariant>::setNewThreshold):
2536         (JSC::ExecutionCounter<countingVariant>::deferIndefinitely):
2537         (JSC::applyMemoryUsageHeuristics):
2538         (JSC::applyMemoryUsageHeuristicsAndConvertToInt):
2539         (JSC::ExecutionCounter<countingVariant>::hasCrossedThreshold):
2540         (JSC::ExecutionCounter<countingVariant>::setThreshold):
2541         (JSC::ExecutionCounter<countingVariant>::reset):
2542         (JSC::ExecutionCounter<countingVariant>::dump):
2543         (JSC::ExecutionCounter::ExecutionCounter): Deleted.
2544         (JSC::ExecutionCounter::forceSlowPathConcurrently): Deleted.
2545         (JSC::ExecutionCounter::checkIfThresholdCrossedAndSet): Deleted.
2546         (JSC::ExecutionCounter::setNewThreshold): Deleted.
2547         (JSC::ExecutionCounter::deferIndefinitely): Deleted.
2548         (JSC::ExecutionCounter::applyMemoryUsageHeuristics): Deleted.
2549         (JSC::ExecutionCounter::applyMemoryUsageHeuristicsAndConvertToInt): Deleted.
2550         (JSC::ExecutionCounter::hasCrossedThreshold): Deleted.
2551         (JSC::ExecutionCounter::setThreshold): Deleted.
2552         (JSC::ExecutionCounter::reset): Deleted.
2553         (JSC::ExecutionCounter::dump): Deleted.
2554         * bytecode/ExecutionCounter.h:
2555         (JSC::formattedTotalExecutionCount):
2556         (JSC::ExecutionCounter::maximumExecutionCountsBetweenCheckpoints):
2557         (JSC::ExecutionCounter::clippedThreshold):
2558         (JSC::ExecutionCounter::formattedTotalCount): Deleted.
2559         * dfg/DFGJITCode.h:
2560         * dfg/DFGOSRExitCompilerCommon.cpp:
2561         (JSC::DFG::handleExitCounts):
2562         * llint/LowLevelInterpreter.asm:
2563         * runtime/Options.h:
2564
2565 2014-04-17  Mark Hahnenberg  <mhahnenberg@apple.com>
2566
2567         Deleting properties poisons objects
2568         https://bugs.webkit.org/show_bug.cgi?id=131551
2569
2570         Reviewed by Geoffrey Garen.
2571
2572         This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.
2573
2574         * runtime/Structure.cpp:
2575         (JSC::Structure::Structure):
2576         (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
2577         (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of 
2578         Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache 
2579         delete transitions, but we allow transitioning from them.
2580         (JSC::Structure::changePrototypeTransition):
2581         (JSC::Structure::despecifyFunctionTransition):
2582         (JSC::Structure::attributeChangeTransition):
2583         (JSC::Structure::toDictionaryTransition):
2584         (JSC::Structure::preventExtensionsTransition):
2585         (JSC::Structure::addPropertyWithoutTransition):
2586         (JSC::Structure::removePropertyWithoutTransition):
2587         (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
2588         (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
2589         * runtime/Structure.h:
2590         * runtime/StructureInlines.h:
2591         (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
2592
2593 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
2594
2595         InlineCallFrameSet should be refcounted
2596         https://bugs.webkit.org/show_bug.cgi?id=131829
2597
2598         Reviewed by Geoffrey Garen.
2599         
2600         And DFG::Plan should hold a ref to it. Previously it was owned by Graph until it
2601         became owned by JITCode. Except that if we're "failing" to compile, JITCode may die.
2602         Even as it dies, the GC may still want to scan the DFG::Plan, which leads to scanning
2603         the DesiredWriteBarriers, which leads to scanning the InlineCallFrameSet.
2604         
2605         So, just make the darn thing refcounted.
2606
2607         * bytecode/InlineCallFrameSet.h:
2608         * dfg/DFGArgumentsSimplificationPhase.cpp:
2609         (JSC::DFG::ArgumentsSimplificationPhase::run):
2610         * dfg/DFGByteCodeParser.cpp:
2611         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2612         * dfg/DFGCommonData.h:
2613         * dfg/DFGGraph.cpp:
2614         (JSC::DFG::Graph::Graph):
2615         (JSC::DFG::Graph::requiredRegisterCountForExit):
2616         * dfg/DFGGraph.h:
2617         * dfg/DFGJITCompiler.cpp:
2618         (JSC::DFG::JITCompiler::link):
2619         * dfg/DFGPlan.cpp:
2620         (JSC::DFG::Plan::Plan):
2621         * dfg/DFGPlan.h:
2622         * dfg/DFGStackLayoutPhase.cpp:
2623         (JSC::DFG::StackLayoutPhase::run):
2624         * ftl/FTLFail.cpp:
2625         (JSC::FTL::fail):
2626         * ftl/FTLLink.cpp:
2627         (JSC::FTL::link):
2628
2629 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
2630
2631         FTL::fail() should manage memory "correctly"
2632         https://bugs.webkit.org/show_bug.cgi?id=131823
2633         <rdar://problem/16384297>
2634
2635         Reviewed by Oliver Hunt.
2636
2637         * ftl/FTLFail.cpp:
2638         (JSC::FTL::fail):
2639
2640 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
2641
2642         Prediction propagator should correctly model Int52s flowing through arguments
2643         https://bugs.webkit.org/show_bug.cgi?id=131822
2644         <rdar://problem/16641408>
2645
2646         Reviewed by Oliver Hunt.
2647
2648         * dfg/DFGPredictionPropagationPhase.cpp:
2649         (JSC::DFG::PredictionPropagationPhase::propagate):
2650         * tests/stress/int52-argument.js: Added.
2651         (foo):
2652         * tests/stress/int52-variable.js: Added.
2653         (foo):
2654
2655 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
2656
2657         REGRESSION: ASSERT(!typeInfo().hasImpureGetOwnPropertySlot() || typeInfo().newImpurePropertyFiresWatchpoints()) on jquery tests
2658         https://bugs.webkit.org/show_bug.cgi?id=131798
2659
2660         Reviewed by Alexey Proskuryakov.
2661         
2662         Some day, we will fix https://bugs.webkit.org/show_bug.cgi?id=131810 and some version
2663         of this assertion can return. For now, it's not clear that the assertion is guarding
2664         any truly undesirable behavior - so it should just go away and be replaced with a
2665         FIXME.
2666
2667         * bytecode/GetByIdStatus.cpp:
2668         (JSC::GetByIdStatus::computeForStubInfo):
2669         * runtime/Structure.h:
2670         (JSC::Structure::takesSlowPathInDFGForImpureProperty):
2671
2672 2014-04-17  David Kilzer  <ddkilzer@apple.com>
2673
2674         Blind attempt to fix Windows build after r166837
2675         <http://webkit.org/b/131246>
2676
2677         Hoping to fix this build error:
2678
2679             warning MSB8027: Two or more files with the name of GCLogging.cpp will produce outputs to the same location. This can lead to an incorrect build result.  The files involved are ..\heap\GCLogging.cpp, ..\heap\GCLogging.cpp.
2680
2681         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Fix copy-paste
2682         boo-boo by changing the GCLogging.cpp ClCompile entry to a
2683         GCLogging.h ClInclude entry.
2684
2685 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
2686
2687         AI for GetLocal should match the DFG backend, and in this case, the best way to do that is to get rid of the "exit if empty prediction" thing since it's a vestige of a time long gone
2688         https://bugs.webkit.org/show_bug.cgi?id=131764
2689
2690         Reviewed by Geoffrey Garen.
2691         
2692         The attached test case can be made to not crash by deleting old code. It used to be
2693         the case that the DFG needed empty prediction guards, for shady reasons. We fixed that
2694         long ago. At this point, these guards just make life difficult. So get rid of them.
2695
2696         * dfg/DFGAbstractInterpreterInlines.h:
2697         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2698         * dfg/DFGSpeculativeJIT32_64.cpp:
2699         (JSC::DFG::SpeculativeJIT::compile):
2700         * dfg/DFGSpeculativeJIT64.cpp:
2701         (JSC::DFG::SpeculativeJIT::compile):
2702         * tests/stress/bug-131764.js: Added.
2703         (test1):
2704         (test2):
2705
2706 2014-04-17  Darin Adler  <darin@apple.com>
2707
2708         Add separate flag for IndexedDatabase in workers since the current implementation is not threadsafe
2709         https://bugs.webkit.org/show_bug.cgi?id=131785
2710         rdar://problem/16003108
2711
2712         Reviewed by Brady Eidson.
2713
2714         * Configurations/FeatureDefines.xcconfig: Added INDEXED_DATABASE_IN_WORKERS.
2715
2716 2014-04-16  Alexey Proskuryakov  <ap@apple.com>
2717
2718         Build fix after http://trac.webkit.org/changeset/167416 (Sink NaN sanitization)
2719
2720         * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::speculate):
2721
2722 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
2723
2724         Extra error reporting for invalid value conversions
2725         https://bugs.webkit.org/show_bug.cgi?id=131786
2726
2727         Rubber stamped by Ryosuke Niwa.
2728
2729         * dfg/DFGFixupPhase.cpp:
2730         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2731
2732 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
2733
2734         Sink NaN sanitization to uses and remove it when it's unnecessary
2735         https://bugs.webkit.org/show_bug.cgi?id=131419
2736
2737         Reviewed by Oliver Hunt.
2738         
2739         This moves NaN purification to stores that could see an impure NaN.
2740         
2741         5% speed-up on AsmBench, 50% speed-up on AsmBench/n-body. It is a regression on FloatMM
2742         though, because of the other bug that causes that benchmark to box doubles in a loop.
2743
2744         * bytecode/SpeculatedType.h:
2745         (JSC::isInt32SpeculationForArithmetic):
2746         (JSC::isMachineIntSpeculationForArithmetic):
2747         (JSC::isDoubleSpeculation):
2748         (JSC::isDoubleSpeculationForArithmetic):
2749         * dfg/DFGAbstractInterpreterInlines.h:
2750         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2751         * dfg/DFGAbstractValue.cpp:
2752         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
2753         * dfg/DFGFixupPhase.cpp:
2754         (JSC::DFG::FixupPhase::fixupNode):
2755         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2756         * dfg/DFGInPlaceAbstractState.cpp:
2757         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
2758         * dfg/DFGPredictionPropagationPhase.cpp:
2759         (JSC::DFG::PredictionPropagationPhase::propagate):
2760         * dfg/DFGSpeculativeJIT.cpp:
2761         (JSC::DFG::SpeculativeJIT::compileValueRep):
2762         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
2763         * dfg/DFGUseKind.h:
2764         (JSC::DFG::typeFilterFor):
2765         * ftl/FTLLowerDFGToLLVM.cpp:
2766         (JSC::FTL::LowerDFGToLLVM::compileValueRep):
2767         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2768         * runtime/PureNaN.h:
2769         * tests/stress/float32-array-nan-inlined.js: Added.
2770         (foo):
2771         (test):
2772         * tests/stress/float32-array-nan.js: Added.
2773         (foo):
2774         (test):
2775         * tests/stress/float64-array-nan-inlined.js: Added.
2776         (foo):
2777         (isBigEndian):
2778         (test):
2779         * tests/stress/float64-array-nan.js: Added.
2780         (foo):
2781         (isBigEndian):
2782         (test):
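
The NaN-tagging hazard behind this entry and the "Discern between NaNs" entry further down (bug 131420), as an added C illustration rather than JavaScriptCore's own code: it models the 64-bit JSValue scheme JSC documents (a double is boxed by adding 2^48 to its bit pattern, with the top 16 bits 0x0000 reserved for pointers and 0xFFFF for int32) and shows why a NaN read from raw memory, such as a typed-array element, must be purified before it is boxed. The function names, the BoxKind enum and the sample bit patterns are this example's own choices.

```c
/* Illustrative NaN-boxing encoder modeled on the 64-bit JSValue scheme that
 * JavaScriptCore documents. Added example, not JSC code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DOUBLE_ENCODE_OFFSET ((uint64_t)1 << 48)   /* added to every boxed double */
#define PURE_NAN_BITS        0x7ff8000000000000ULL /* canonical quiet NaN (the only NaN ever boxed) */

typedef enum { BOX_POINTER, BOX_DOUBLE, BOX_INT32 } BoxKind;

static uint64_t bits_of(double d) { uint64_t b; memcpy(&b, &d, sizeof b); return b; }
static double double_of(uint64_t b) { double d; memcpy(&d, &b, sizeof d); return d; }

/* Collapse every NaN payload to the canonical one; non-NaN values pass through unchanged. */
double purify_nan(double d) { return d != d ? double_of(PURE_NAN_BITS) : d; }

/* A NaN-boxing runtime decides what a 64-bit word *is* purely from its top 16 bits. */
BoxKind classify(uint64_t encoded) {
    uint16_t top = (uint16_t)(encoded >> 48);
    if (top == 0x0000) return BOX_POINTER;  /* bare pointer */
    if (top == 0xffff) return BOX_INT32;    /* tagged int32 */
    return BOX_DOUBLE;                       /* everything else is an offset double */
}

/* Unsafe encoder: boxes whatever bit pattern it is handed. A NaN whose top 16 bits
 * are 0xFFFF wraps around to 0x0000 after the offset and is then read back as a
 * pointer; 0xFFFE becomes 0xFFFF and is read back as an int32. That is a type
 * confusion waiting to happen, which is why JSC purifies NaNs before tagging. */
uint64_t encode_double_raw(double d) { return bits_of(d) + DOUBLE_ENCODE_OFFSET; }

/* Safe encoder: purify first, so the boxed word is always classified as a double. */
uint64_t encode_double_safe(double d) { return encode_double_raw(purify_nan(d)); }

/* True if boxing this raw pattern without purification would be misclassified. */
bool raw_pattern_is_dangerous(uint64_t raw_bits) {
    return classify(raw_bits + DOUBLE_ENCODE_OFFSET) != BOX_DOUBLE;
}

/* Walk all 65536 possible top-16-bit prefixes and count the dangerous ones.
 * Only 0xFFFE and 0xFFFF qualify, so the expected result is 2. */
unsigned count_dangerous_top16(void) {
    unsigned n = 0;
    for (uint32_t top = 0; top <= 0xffff; top++) {
        uint64_t raw = ((uint64_t)top << 48) | 1; /* nonzero payload keeps it a NaN, not -inf */
        if (raw_pattern_is_dangerous(raw)) n++;
    }
    return n;
}

/* Every dangerous prefix is a NaN, which is what makes purification sufficient. */
bool all_dangerous_patterns_are_nan(void) {
    for (uint32_t top = 0; top <= 0xffff; top++) {
        uint64_t raw = ((uint64_t)top << 48) | 1;
        double d = double_of(raw);
        if (raw_pattern_is_dangerous(raw) && !(d != d)) return false;
    }
    return true;
}

int main(void) {
    /* Constructed sample: a NaN payload as it might arrive from a Float64Array element. */
    double from_memory = double_of(0xffffdeadbeef1234ULL);
    static const char *names[] = { "pointer", "double", "int32" };
    printf("raw boxing  -> classified as %s\n", names[classify(encode_double_raw(from_memory))]);
    printf("safe boxing -> classified as %s\n", names[classify(encode_double_safe(from_memory))]);
    printf("dangerous top-16 prefixes: %u\n", count_dangerous_top16());
    return 0;
}
```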
2783
2784 2014-04-16  Brent Fulgham  <bfulgham@apple.com>
2785
2786         [Win] Unreviewed Windows gardening. Restrict our new 'isinf' check
2787         to 32-bit builds, and revise the comment to explain what we are
2788         doing.
2789
2790         * runtime/JSCJSValueInlines.h:
2791         (JSC::JSValue::isMachineInt): Provide motivation for the new
2792         'isinf' check for our 32-bit code path.
2793
2794 2014-04-16  Juergen Ributzka  <juergen@apple.com>
2795
2796         Allocate the data section on the heap again for FTL on ARM64
2797         https://bugs.webkit.org/show_bug.cgi?id=130156
2798
2799         Reviewed by Geoffrey Garen and Filip Pizlo.
2800
2801         * ftl/FTLCompile.cpp:
2802         (JSC::FTL::mmAllocateDataSection):
2803         * ftl/FTLDataSection.cpp:
2804         (JSC::FTL::DataSection::DataSection):
2805         (JSC::FTL::DataSection::~DataSection):
2806         * ftl/FTLDataSection.h:
2807
2808 2014-04-16  Mark Lam  <mark.lam@apple.com>
2809
2810         Crash in CodeBlock::setOptimizationThresholdBasedOnCompilationResult() when the debugger activates.
2811         <https://webkit.org/b/131747>
2812
2813         Reviewed by Filip Pizlo.
2814
2815         When the debugger is about to activate (e.g. enter stepping mode), it first
2816         waits for all DFG compilations to complete.  However, when the DFG completes,
2817         if compilation is successful, it will install a new DFG codeBlock.  The
2818         CodeBlock installation process is required to register codeBlocks with the
2819         debugger.  Debugger::registerCodeBlock() will eventually call
2820         CodeBlock::setSteppingMode() which may jettison the DFG codeBlock that we're
2821         trying to install.  Thereafter, chaos ensues.
2822
2823         This jettisoning only happens because the debugger currently sets its
2824         m_steppingMode flag before waiting for compilation to complete.  The fix is
2825         simply to set that flag only after compilation is complete.
2826
2827         * debugger/Debugger.cpp:
2828         (JSC::Debugger::setSteppingMode):
2829         (JSC::Debugger::registerCodeBlock):
2830
2831 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
2832
2833         Discern between NaNs that would be safe to tag and NaNs that need some purification before tagging
2834         https://bugs.webkit.org/show_bug.cgi?id=131420
2835
2836         Reviewed by Oliver Hunt.
2837         
2838         Rationalizes our handling of NaNs. We now have the notion of pureNaN(), or PNaN, which
2839         replaces QNaN and represents a "safe" NaN for our tagging purposes. NaN purification now
2840         goes through the purifyNaN() API.
2841         
2842         SpeculatedType and its clients can now distinguish between a PureNaN and an ImpureNaN.
2843         
2844         Prediction propagator is made slightly more cautious when dealing with NaNs. It doesn't
2845         have to be too cautious since most prediction-based logic only cares about whether or not
2846         a value could be an integer.
2847         
2848         AI is made much more cautious when dealing with NaNs. We don't yet introduce ImpureNaN
2849         anywhere in the compiler, but when we do, we ought to be able to trust AI to propagate it
2850         soundly and precisely.
2851         
2852         No performance change because this just unblocks
2853         https://bugs.webkit.org/show_bug.cgi?id=131419.
2854
2855         * API/JSValueRef.cpp:
2856         (JSValueMakeNumber):
2857         (JSValueToNumber):
2858         * JavaScriptCore.xcodeproj/project.pbxproj:
2859         * bytecode/SpeculatedType.cpp:
2860         (JSC::dumpSpeculation):
2861         (JSC::speculationFromValue):
2862         (JSC::typeOfDoubleSum):
2863         (JSC::typeOfDoubleDifference):
2864         (JSC::typeOfDoubleProduct):
2865         (JSC::polluteDouble):
2866         (JSC::typeOfDoubleQuotient):
2867         (JSC::typeOfDoubleMinMax):
2868         (JSC::typeOfDoubleNegation):
2869         (JSC::typeOfDoubleAbs):
2870         (JSC::typeOfDoubleFRound):
2871         (JSC::typeOfDoubleBinaryOp):
2872         (JSC::typeOfDoubleUnaryOp):
2873         * bytecode/SpeculatedType.h:
2874         * dfg/DFGAbstractInterpreterInlines.h:
2875         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2876         * dfg/DFGByteCodeParser.cpp:
2877         (JSC::DFG::ByteCodeParser::handleInlining):
2878         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2879         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
2880         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
2881         * dfg/DFGInPlaceAbstractState.cpp:
2882         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
2883         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
2884         (JSC::DFG::createPreHeader):
2885         * dfg/DFGNode.h:
2886         (JSC::DFG::BranchTarget::BranchTarget):
2887         * dfg/DFGOSREntrypointCreationPhase.cpp:
2888         (JSC::DFG::OSREntrypointCreationPhase::run):
2889         * dfg/DFGOSRExitCompiler32_64.cpp:
2890         (JSC::DFG::OSRExitCompiler::compileExit):
2891         * dfg/DFGOSRExitCompiler64.cpp:
2892         (JSC::DFG::OSRExitCompiler::compileExit):
2893         * dfg/DFGPredictionPropagationPhase.cpp:
2894         (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
2895         (JSC::DFG::PredictionPropagationPhase::propagate):
2896         * dfg/DFGSpeculativeJIT.cpp:
2897         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
2898         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
2899         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
2900         * dfg/DFGSpeculativeJIT32_64.cpp:
2901         (JSC::DFG::SpeculativeJIT::compile):
2902         * dfg/DFGSpeculativeJIT64.cpp:
2903         (JSC::DFG::SpeculativeJIT::compile):
2904         * dfg/DFGVariableAccessData.h:
2905         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
2906         * ftl/FTLLowerDFGToLLVM.cpp:
2907         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2908         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2909         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
2910         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
2911         (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
2912         (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
2913         (JSC::FTL::LowerDFGToLLVM::allocateJSArray):
2914         * ftl/FTLValueFormat.cpp:
2915         (JSC::FTL::reboxAccordingToFormat):
2916         * jit/AssemblyHelpers.cpp:
2917         (JSC::AssemblyHelpers::purifyNaN):
2918         (JSC::AssemblyHelpers::sanitizeDouble): Deleted.
2919         * jit/AssemblyHelpers.h:
2920         * jit/JITPropertyAccess.cpp:
2921         (JSC::JIT::emitFloatTypedArrayGetByVal):
2922         * runtime/DateConstructor.cpp:
2923         (JSC::constructDate):
2924         * runtime/DateInstanceCache.h:
2925         (JSC::DateInstanceData::DateInstanceData):
2926         (JSC::DateInstanceCache::reset):
2927         * runtime/ExceptionHelpers.cpp:
2928         (JSC::TerminatedExecutionError::defaultValue):
2929         * runtime/JSArray.cpp:
2930         (JSC::JSArray::setLength):
2931         (JSC::JSArray::pop):
2932         (JSC::JSArray::shiftCountWithAnyIndexingType):
2933         (JSC::JSArray::sortVector):
2934         (JSC::JSArray::compactForSorting):
2935         * runtime/JSArray.h:
2936         (JSC::JSArray::create):
2937         (JSC::JSArray::tryCreateUninitialized):
2938         * runtime/JSCJSValue.cpp:
2939         (JSC::JSValue::toNumberSlowCase):
2940         * runtime/JSCJSValue.h:
2941         * runtime/JSCJSValueInlines.h:
2942         (JSC::jsNaN):
2943         (JSC::JSValue::JSValue):
2944         (JSC::JSValue::getPrimitiveNumber):
2945         * runtime/JSGlobalObjectFunctions.cpp:
2946         (JSC::parseInt):
2947         (JSC::jsStrDecimalLiteral):
2948         (JSC::toDouble):
2949         (JSC::jsToNumber):
2950         (JSC::parseFloat):
2951         * runtime/JSObject.cpp:
2952         (JSC::JSObject::createInitialDouble):
2953         (JSC::JSObject::convertUndecidedToDouble):
2954         (JSC::JSObject::convertInt32ToDouble):
2955         (JSC::JSObject::deletePropertyByIndex):
2956         (JSC::JSObject::ensureLengthSlow):
2957         * runtime/MathObject.cpp:
2958         (JSC::mathProtoFuncMax):
2959         (JSC::mathProtoFuncMin):
2960         * runtime/PureNaN.h: Added.
2961         (JSC::pureNaN):
2962         (JSC::isImpureNaN):
2963         (JSC::purifyNaN):
2964         * runtime/TypedArrayAdaptors.h:
2965         (JSC::FloatTypedArrayAdaptor::toJSValue):
2966
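The entry above describes why only a "pure" NaN is safe to tag: under a 64-bit NaN-boxing scheme the raw bits of a NaN with a high payload can, once the double-encoding offset is applied, collide with the int32 tag or wrap into the pointer range, so a type check downstream would misread a number as a cell. The following is an added example, not code from JavaScriptCore; the layout constants (doubles offset by 2^48, 0xFFFF int32 tag, 0x0000 pointer top bits, 0x7ff8000000000000 as the canonical NaN) and the names pureNaN/isImpureNaN/purifyNaN are this example's own assumptions modelled on the scheme the entry refers to.

```cpp
#include <cstdint>
#include <cstring>
#include <iostream>

// Toy 64-bit NaN-boxing layout (this example's own constants, not copied from JSC):
// encoded doubles are the raw IEEE bits plus 2^48, so a well-formed encoded double has
// top 16 bits in 0x0001..0xFFFE; pointers keep 0x0000 on top; int32s carry 0xFFFF.
constexpr uint64_t kDoubleEncodeOffset = 1ULL << 48;
constexpr uint64_t kTagTypeNumber = 0xffff000000000000ULL;
constexpr uint64_t kPureNaNBits = 0x7ff8000000000000ULL; // canonical positive quiet NaN

uint64_t bitsOf(double d) { uint64_t u; std::memcpy(&u, &d, sizeof u); return u; }
double doubleOf(uint64_t u) { double d; std::memcpy(&d, &u, sizeof d); return d; }

// The one NaN that is safe to tag.
double pureNaN() { return doubleOf(kPureNaNBits); }

// A NaN whose raw bits are >= 0xfffe000000000000 would, once offset, land in the
// int32 tag space or wrap around into the pointer space. Such NaNs need purification.
bool isImpureNaN(double d) { return bitsOf(d) >= 0xfffe000000000000ULL; }

// Collapse every NaN (any sign, any payload) to the canonical one; pass others through.
// NaN is the only value that compares unequal to itself, so d != d detects it.
double purifyNaN(double d) { return d != d ? pureNaN() : d; }

enum class Kind { Pointer, Int32, Double };

// Encode a double without purification, to show what a tag decoder then sees.
uint64_t boxDoubleUnchecked(double d) { return bitsOf(d) + kDoubleEncodeOffset; }

// Encode a double the safe way: purify first.
uint64_t boxDouble(double d) { return boxDoubleUnchecked(purifyNaN(d)); }

// What a decoder concludes from the top 16 bits alone.
Kind classify(uint64_t boxed)
{
    uint64_t top = boxed & kTagTypeNumber;
    if (top == kTagTypeNumber) return Kind::Int32;
    if (top == 0) return Kind::Pointer;
    return Kind::Double;
}

const char* kindName(Kind k)
{
    switch (k) {
    case Kind::Pointer: return "Pointer";
    case Kind::Int32: return "Int32";
    default: return "Double";
    }
}

int main()
{
    // Constructed impure NaNs: negative quiet NaNs with a high payload.
    double nanIntoInt32 = doubleOf(0xfffe000000000001ULL);   // offset -> 0xffff... reads as int32
    double nanIntoPointer = doubleOf(0xffff000000000001ULL); // offset wraps -> 0x0000... reads as pointer
    std::cout << "unchecked 0xfffe..: " << kindName(classify(boxDoubleUnchecked(nanIntoInt32))) << "\n";
    std::cout << "unchecked 0xffff..: " << kindName(classify(boxDoubleUnchecked(nanIntoPointer))) << "\n";
    std::cout << "purified  0xffff..: " << kindName(classify(boxDouble(nanIntoPointer))) << "\n";
    return 0;
}
```

The distinction the entry draws between PureNaN and ImpureNaN is what lets an abstract interpreter prove that a value coming out of an arithmetic node is always boxable without a purification step; the decoder here shows what goes wrong when that proof is skipped.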
2967 2014-04-16  Juergen Ributzka  <juergen@apple.com>
2968
2969         Enable system library calls in FTL for ARM64
2970         https://bugs.webkit.org/show_bug.cgi?id=130154
2971
2972         Reviewed by Geoffrey Garen and Filip Pizlo.
2973
2974         * ftl/FTLIntrinsicRepository.h:
2975         * ftl/FTLOutput.h:
2976         (JSC::FTL::Output::doubleRem):
2977         (JSC::FTL::Output::doubleSin):
2978         (JSC::FTL::Output::doubleCos):
2979
2980 2014-04-16  peavo@outlook.com  <peavo@outlook.com>
2981
2982         Fix JSC Debug Regressions on Windows
2983         https://bugs.webkit.org/show_bug.cgi?id=131182
2984
2985         Reviewed by Brent Fulgham.
2986
2987         The cast static_cast<int64_t>(number) in JSValue::isMachineInt() can generate a floating point error,
2988         and set the st floating point register tags, if the value of the number parameter is infinite.
2989         If the st floating point register tags are not cleared, this can cause strange floating point behavior later on.
2990         This can be avoided by checking for infinity first.
2991
2992         * runtime/JSCJSValueInlines.h:
2993         (JSC::JSValue::isMachineInt): Avoid floating point error by checking for infinity first.
2994         * runtime/Options.cpp:
2995         (JSC::recomputeDependentOptions): Re-enable jit for Windows.
2996
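The entry above fixes an ordering problem: the cast to int64_t must not run on a value the cast is not defined for. Beyond infinity, the same applies to NaN and to finite doubles outside the int64 range. The following is an added example, not JSC's isMachineInt; the function names asMachineInt, isMachineInt and machineIntValue and the exact set of guards are this example's own.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>

// Decide whether a double is a "machine int": a finite integral value that
// round-trips exactly through int64_t. The ordering of the checks matters:
// std::isfinite() runs before the cast, because static_cast<int64_t> of NaN,
// +/-infinity, or any value outside the int64 range is undefined behaviour in C++
// and, on x87 hardware, raises the invalid-operation exception the entry describes.
// Added example with its own signature; not JavaScriptCore's isMachineInt.
bool asMachineInt(double number, int64_t& out)
{
    if (!std::isfinite(number))
        return false;                         // NaN, +inf, -inf: never cast these

    // -2^63 is exactly representable; 2^63 is the first double that does not fit.
    constexpr double kMin = -9223372036854775808.0;
    constexpr double kMax = 9223372036854775808.0;
    if (number < kMin || number >= kMax)
        return false;                         // out of range: the cast would be UB

    int64_t asInt64 = static_cast<int64_t>(number);
    if (static_cast<double>(asInt64) != number)
        return false;                         // a fractional part was dropped

    if (asInt64 == 0 && std::signbit(number))
        return false;                         // -0.0 is a double, not an int

    out = asInt64;
    return true;
}

bool isMachineInt(double number)
{
    int64_t ignored = 0;
    return asMachineInt(number, ignored);
}

// Convenience for tests and callers that accept 0 as the "not an int" marker.
int64_t machineIntValue(double number)
{
    int64_t value = 0;
    return asMachineInt(number, value) ? value : 0;
}
```

The range test is written against 2^63 as a double rather than against std::numeric_limits<int64_t>::max() converted to double, because that conversion rounds up to 2^63 and would let a value equal to it slip through to the cast.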
2997 2014-04-16  Oliver Hunt  <oliver@apple.com>
2998
2999         Simple ES6 feature: Array.prototype.fill
3000         https://bugs.webkit.org/show_bug.cgi?id=131703
3001
3002         Reviewed by David Hyatt.
3003
3004         Add support for Array.prototype.fill
3005
3006         * builtins/Array.prototype.js:
3007         (fill):
3008         * runtime/ArrayPrototype.cpp:
3009
3010 2014-04-16  Mark Hahnenberg  <mhahnenberg@apple.com>
3011
3012         [WebKit] Cleanup the build from uninitialized variable in JavaScriptCore
3013         https://bugs.webkit.org/show_bug.cgi?id=131728
3014
3015         Reviewed by Darin Adler.
3016
3017         * runtime/JSObject.cpp:
3018         (JSC::JSObject::genericConvertDoubleToContiguous): Add a RELEASE_ASSERT on the 
3019         path we expect to never take. Also shut up confused compilers about uninitialized things.
3020
3021 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
3022
3023         Unreviewed, ARMv7 build fix after r167336.
3024
3025         * assembler/MacroAssemblerARMv7.h:
3026         (JSC::MacroAssemblerARMv7::branchAdd32):
3027
3028 2014-04-16  Gabor Rapcsanyi  <rgabor@webkit.org>
3029
3030         Unreviewed, ARM64 build fix after r167336.
3031
3032         * assembler/MacroAssemblerARM64.h:
3033         (JSC::MacroAssemblerARM64::branchAdd32): Add missing function.
3034
3035 2014-04-15  Filip Pizlo  <fpizlo@apple.com>
3036
3037         Unreviewed, add the obvious thing that marks MakeRope as exiting since it can exit.
3038
3039         * dfg/DFGAbstractInterpreterInlines.h:
3040         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3041
3042 2014-04-15  Filip Pizlo  <fpizlo@apple.com>
3043
3044         compileMakeRope does not emit necessary bounds checks
3045         https://bugs.webkit.org/show_bug.cgi?id=130684
3046         <rdar://problem/16398388>
3047
3048         Reviewed by Oliver Hunt.
3049         
3050         Add string length bounds checks in a bunch of places. We should never allow a string
3051         to have a length greater than 2^31-1 because it's not clear that the language has
3052         semantics for it and because there is code that assumes that this cannot happen.
3053         
3054         Also add a bunch of tests to that effect to cover the various ways in which this was
3055         previously allowed to happen.
3056
3057         * dfg/DFGOperations.cpp:
3058         * dfg/DFGSpeculativeJIT.cpp:
3059         (JSC::DFG::SpeculativeJIT::compileMakeRope):
3060         * ftl/FTLLowerDFGToLLVM.cpp:
3061         (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
3062         * runtime/JSString.cpp:
3063         (JSC::JSRopeString::RopeBuilder::expand):
3064         * runtime/JSString.h:
3065         (JSC::JSString::create):
3066         (JSC::JSRopeString::RopeBuilder::append):
3067         (JSC::JSRopeString::RopeBuilder::release):
3068         (JSC::JSRopeString::append):
3069         * runtime/Operations.h:
3070         (JSC::jsString):
3071         (JSC::jsStringFromRegisterArray):
3072         (JSC::jsStringFromArguments):
3073         * runtime/StringPrototype.cpp:
3074         (JSC::stringProtoFuncIndexOf):
3075         (JSC::stringProtoFuncSlice):
3076         (JSC::stringProtoFuncSubstring):
3077         (JSC::stringProtoFuncToLowerCase):
3078         * tests/stress/make-large-string-jit-strcat.js: Added.
3079         (foo):
3080         * tests/stress/make-large-string-jit.js: Added.
3081         (foo):
3082         * tests/stress/make-large-string-strcat.js: Added.
3083         * tests/stress/make-large-string.js: Added.
3084
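The entry above caps string length at 2^31-1 and adds checks wherever a new length is computed from existing ones. The point worth seeing in code is that the check itself must not overflow: summing first and comparing afterwards fails once three or more pieces are involved. The following is an added example, not JSC's RopeBuilder or jsString; the class and function names here (RopeBuilder, checkedConcatenatedLength, uncheckedConcatenatedLength) and the 32-bit length type are this example's own assumptions.

```cpp
#include <cstdint>
#include <vector>

// Maximum string length this example enforces: 2^31-1 characters, as in the entry.
constexpr uint32_t kMaxStringLength = 0x7fffffffu;

// Minimal rope builder (added example, not JavaScriptCore's): it accumulates the
// total length of the pieces it is handed and refuses any piece that would push the
// total past kMaxStringLength. The test compares the remaining headroom with the
// incoming length, so the check cannot overflow even though the total is 32 bits.
class RopeBuilder {
public:
    // Returns false (and leaves the builder unchanged) when the append would overflow.
    bool append(uint32_t pieceLength)
    {
        if (pieceLength > kMaxStringLength - m_length)   // m_length <= kMax, so no underflow
            return false;
        m_length += pieceLength;
        ++m_pieces;
        return true;
    }
    uint32_t length() const { return m_length; }
    uint32_t pieces() const { return m_pieces; }

private:
    uint32_t m_length = 0;
    uint32_t m_pieces = 0;
};

// Length of the concatenation of all pieces, or -1 if it would exceed the limit.
// Models the strcat-style loops the entry adds tests for.
int64_t checkedConcatenatedLength(const std::vector<uint32_t>& pieceLengths)
{
    RopeBuilder builder;
    for (uint32_t len : pieceLengths) {
        if (!builder.append(len))
            return -1;
    }
    return builder.length();
}

// The unchecked version, for contrast: two valid lengths summed in 32 bits do not
// wrap, but three or more can, and the result silently becomes a small number that
// later code would trust when sizing a buffer.
uint32_t uncheckedConcatenatedLength(const std::vector<uint32_t>& pieceLengths)
{
    uint32_t total = 0;
    for (uint32_t len : pieceLengths)
        total += len;   // wraps modulo 2^32
    return total;
}
```

Each individual piece is already bounded by the limit, which is why a sum of exactly two can be checked after the fact in 32 bits; the builder form works for any number of pieces and keeps the invariant that a successful append never leaves the total above the limit.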
3085 2014-04-15  Julien Brianceau  <jbriance@cisco.com>
3086
3087         Remove invalid sh4 specific code in JITInlines header.
3088         https://bugs.webkit.org/show_bug.cgi?id=131692
3089
3090         Reviewed by Geoffrey Garen.
3091
3092         * jit/JITInlines.h:
3093         (JSC::JIT::callOperation): Prototype is not F_JITOperation_EJJZ
3094         anymore since r160244, so the sh4 specific code is invalid now
3095         and has to be removed.
3096
3097 2014-04-15  Mark Hahnenberg  <mhahnenberg@apple.com>
3098
3099         Fix precedence issue in JSCell::setRemembered
3100
3101         Rubber stamped by Filip Pizlo.
3102
3103         * runtime/JSCell.h:
3104         (JSC::JSCell::setRemembered):
3105
3106 2014-04-15  Mark Hahnenberg  <mhahnenberg@apple.com>
3107
3108         Objective-C API external object graphs don't handle generational collection properly
3109         https://bugs.webkit.org/show_bug.cgi?id=131634
3110
3111         Reviewed by Geoffrey Garen.
3112
3113         If the set of Objective-C objects transitively reachable through an object changes, we 
3114         need to update the set of opaque roots accordingly. If we don't, the next EdenCollection 
3115         won't rescan the external object graph, which would lead us to consider a newly allocated 
3116         JSManagedValue to be dead.
3117
3118         * API/JSBase.cpp:
3119         (JSSynchronousEdenCollectForDebugging):
3120         * API/JSVirtualMachine.mm:
3121         (-[JSVirtualMachine initWithContextGroupRef:]):
3122         (-[JSVirtualMachine dealloc]):
3123         (-[JSVirtualMachine isOldExternalObject:]):
3124         (-[JSVirtualMachine addExternalRememberedObject:]):
3125         (-[JSVirtualMachine addManagedReference:withOwner:]):
3126         (-[JSVirtualMachine removeManagedReference:withOwner:]):
3127         (-[JSVirtualMachine externalRememberedSet]):
3128         (scanExternalObjectGraph):
3129         (scanExternalRememberedSet):
3130         * API/JSVirtualMachineInternal.h:
3131         * API/tests/testapi.mm:
3132         * heap/Heap.cpp:
3133         (JSC::Heap::markRoots):
3134         * heap/Heap.h:
3135         (JSC::Heap::slotVisitor):
3136         * heap/SlotVisitor.h:
3137         * heap/SlotVisitorInlines.h:
3138         (JSC::SlotVisitor::containsOpaqueRoot):
3139         (JSC::SlotVisitor::containsOpaqueRootTriState):
3140
3141 2014-04-15  Filip Pizlo  <fpizlo@apple.com>
3142
3143         DFG IR should keep the data flow of doubles and int52's separate from the data flow of JSValue's
3144         https://bugs.webkit.org/show_bug.cgi?id=131423
3145
3146         Reviewed by Geoffrey Garen.
3147         
3148         This introduces more static typing into DFG IR. Previously we just had the notion of
3149         JSValues and Storage. This was weird because doubles weren't always convertible to
3150         JSValues, and Int52s weren't always convertible to either doubles or JSValues. We would
3151         sort of insert explicit conversion nodes just for the places where we knew that an
3152         implicit conversion wouldn't have been possible -- but there was no hard and fast rule so
3153         we'd get bugs from forgetting to do the right conversion.
3154         
3155         This patch introduces a hard and fast rule: doubles can never be implicitly converted to
3156         anything but doubles, and likewise Int52's can never be implicitly converted. Conversion
3157         nodes are used for all of the conversions. Int52Rep, DoubleRep, and ValueRep are the
3158         conversions. They are like Identity but return the same value using a different
3159         representation. Likewise, constants may now be represented using either JSConstant,
3160         Int52Constant, or DoubleConstant. UseKinds have been adjusted accordingly, as well.
3161         Int52RepUse and DoubleRepUse are node uses that mean "the node must be of Int52 (or
3162         Double) type". They don't imply checks. There is also DoubleRepRealUse, which means that
3163         we speculate DoubleReal and expect Double representation.
3164         
3165         In addition to simplifying a bunch of rules in the IR and making the IR more verifiable,
3166         this also makes it easier to introduce optimizations in the future. It's now possible for
3167         AI to model when/how conversions take place. For example if doing a conversion results in
3168         NaN sanitization, then AI can model this and can allow us to sink sanitizations. That's
3169         what https://bugs.webkit.org/show_bug.cgi?id=131419 will be all about.
3170         
3171         This was a big change, so I had to do some interesting things, like finally get rid of
3172         the DFG's weird variadic template macro hacks and use real C++11 variadic templates. Also
3173         the ByteCodeParser no longer emits Identity nodes since that was always pointless.
3174         
3175         No performance change because this mostly just rationalizes preexisting behavior.
3176
3177         * JavaScriptCore.xcodeproj/project.pbxproj:
3178         * assembler/MacroAssemblerX86.h:
3179         * bytecode/CodeBlock.cpp:
3180         * bytecode/CodeBlock.h:
3181         * dfg/DFGAbstractInterpreter.h:
3182         (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
3183         (JSC::DFG::AbstractInterpreter::setConstant):
3184         * dfg/DFGAbstractInterpreterInlines.h:
3185         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3186         * dfg/DFGAbstractValue.cpp:
3187         (JSC::DFG::AbstractValue::set):
3188         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
3189         (JSC::DFG::AbstractValue::checkConsistency):
3190         * dfg/DFGAbstractValue.h:
3191         * dfg/DFGBackwardsPropagationPhase.cpp:
3192         (JSC::DFG::BackwardsPropagationPhase::propagate):
3193         * dfg/DFGBasicBlock.h:
3194         * dfg/DFGBasicBlockInlines.h:
3195         (JSC::DFG::BasicBlock::appendNode):
3196         (JSC::DFG::BasicBlock::appendNonTerminal):
3197         * dfg/DFGByteCodeParser.cpp:
3198         (JSC::DFG::ByteCodeParser::parseBlock):
3199         * dfg/DFGCSEPhase.cpp:
3200         (JSC::DFG::CSEPhase::constantCSE):
3201         (JSC::DFG::CSEPhase::performNodeCSE):
3202         (JSC::DFG::CSEPhase::int32ToDoubleCSE): Deleted.
3203         * dfg/DFGCapabilities.h:
3204         * dfg/DFGClobberize.h:
3205         (JSC::DFG::clobberize):
3206         * dfg/DFGConstantFoldingPhase.cpp:
3207         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3208         * dfg/DFGDCEPhase.cpp:
3209         (JSC::DFG::DCEPhase::fixupBlock):
3210         * dfg/DFGEdge.h:
3211         (JSC::DFG::Edge::willNotHaveCheck):
3212         * dfg/DFGFixupPhase.cpp:
3213         (JSC::DFG::FixupPhase::run):
3214         (JSC::DFG::FixupPhase::fixupNode):
3215         (JSC::DFG::FixupPhase::fixupGetAndSetLocalsInBlock):
3216         (JSC::DFG::FixupPhase::observeUseKindOnNode):
3217         (JSC::DFG::FixupPhase::fixIntEdge):
3218         (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
3219         (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
3220         (JSC::DFG::FixupPhase::tryToRelaxRepresentation):
3221         (JSC::DFG::FixupPhase::fixEdgeRepresentation):
3222         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
3223         (JSC::DFG::FixupPhase::addRequiredPhantom):
3224         (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
3225         (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
3226         (JSC::DFG::FixupPhase::fixupSetLocalsInBlock): Deleted.
3227         * dfg/DFGFlushFormat.h:
3228         (JSC::DFG::resultFor):
3229         (JSC::DFG::useKindFor):
3230         * dfg/DFGGraph.cpp:
3231         (JSC::DFG::Graph::dump):
3232         * dfg/DFGGraph.h:
3233         (JSC::DFG::Graph::addNode):
3234         * dfg/DFGInPlaceAbstractState.cpp:
3235         (JSC::DFG::InPlaceAbstractState::initialize):
3236         * dfg/DFGInsertionSet.h:
3237         (JSC::DFG::InsertionSet::insertNode):
3238         (JSC::DFG::InsertionSet::insertConstant):
3239         (JSC::DFG::InsertionSet::insertConstantForUse):
3240         * dfg/DFGIntegerCheckCombiningPhase.cpp:
3241         (JSC::DFG::IntegerCheckCombiningPhase::insertAdd):
3242         (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd):
3243         * dfg/DFGNode.cpp:
3244         (JSC::DFG::Node::convertToIdentity):
3245         (WTF::printInternal):
3246         * dfg/DFGNode.h:
3247         (JSC::DFG::Node::Node):
3248         (JSC::DFG::Node::setResult):
3249         (JSC::DFG::Node::result):
3250         (JSC::DFG::Node::isConstant):
3251         (JSC::DFG::Node::hasConstant):
3252         (JSC::DFG::Node::convertToConstant):
3253         (JSC::DFG::Node::valueOfJSConstant):
3254         (JSC::DFG::Node::hasResult):
3255         (JSC::DFG::Node::hasInt32Result):
3256         (JSC::DFG::Node::hasInt52Result):
3257         (JSC::DFG::Node::hasNumberResult):
3258         (JSC::DFG::Node::hasDoubleResult):
3259         (JSC::DFG::Node::hasJSResult):
3260         (JSC::DFG::Node::hasBooleanResult):
3261         (JSC::DFG::Node::hasStorageResult):
3262         (JSC::DFG::Node::defaultUseKind):
3263         (JSC::DFG::Node::defaultEdge):
3264         (JSC::DFG::Node::convertToIdentity): Deleted.
3265         * dfg/DFGNodeFlags.cpp:
3266         (JSC::DFG::dumpNodeFlags):
3267         * dfg/DFGNodeFlags.h:
3268         (JSC::DFG::canonicalResultRepresentation):
3269         * dfg/DFGNodeType.h:
3270         * dfg/DFGOSRExitCompiler32_64.cpp:
3271         (JSC::DFG::OSRExitCompiler::compileExit):
3272         * dfg/DFGOSRExitCompiler64.cpp:
3273         (JSC::DFG::OSRExitCompiler::compileExit):
3274         * dfg/DFGPredictionPropagationPhase.cpp:
3275         (JSC::DFG::PredictionPropagationPhase::propagate):
3276         * dfg/DFGResurrectionForValidationPhase.cpp:
3277         (JSC::DFG::ResurrectionForValidationPhase::run):
3278         * dfg/DFGSSAConversionPhase.cpp:
3279         (JSC::DFG::SSAConversionPhase::run):
3280         * dfg/DFGSafeToExecute.h:
3281         (JSC::DFG::SafeToExecuteEdge::operator()):
3282         (JSC::DFG::safeToExecute):
3283         * dfg/DFGSpeculativeJIT.cpp:
3284         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
3285         (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
3286         (JSC::DFG::SpeculativeJIT::silentFill):
3287         (JSC::DFG::JSValueRegsTemporary::JSValueRegsTemporary):
3288         (JSC::DFG::JSValueRegsTemporary::~JSValueRegsTemporary):
3289         (JSC::DFG::JSValueRegsTemporary::regs):
3290         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
3291         (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
3292         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
3293         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
3294         (JSC::DFG::SpeculativeJIT::compileValueRep):
3295         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
3296         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
3297         (JSC::DFG::SpeculativeJIT::compileAdd):
3298         (JSC::DFG::SpeculativeJIT::compileArithSub):
3299         (JSC::DFG::SpeculativeJIT::compileArithNegate):
3300         (JSC::DFG::SpeculativeJIT::compileArithMul):
3301         (JSC::DFG::SpeculativeJIT::compileArithDiv):
3302         (JSC::DFG::SpeculativeJIT::compileArithMod):
3303         (JSC::DFG::SpeculativeJIT::compare):
3304         (JSC::DFG::SpeculativeJIT::compileStrictEq):
3305         (JSC::DFG::SpeculativeJIT::speculateNumber):
3306         (JSC::DFG::SpeculativeJIT::speculateDoubleReal):
3307         (JSC::DFG::SpeculativeJIT::speculate):
3308         (JSC::DFG::SpeculativeJIT::compileInt32ToDouble): Deleted.
3309         (JSC::DFG::SpeculativeJIT::speculateMachineInt): Deleted.
3310         (JSC::DFG::SpeculativeJIT::speculateRealNumber): Deleted.
3311         * dfg/DFGSpeculativeJIT.h:
3312         (JSC::DFG::SpeculativeJIT::allocate):
3313         (JSC::DFG::SpeculativeJIT::use):
3314         (JSC::DFG::SpeculativeJIT::boxDouble):
3315         (JSC::DFG::SpeculativeJIT::spill):
3316         (JSC::DFG::SpeculativeJIT::jsValueResult):
3317         (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand):
3318         (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand):
3319         (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand):
3320         (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
3321         * dfg/DFGSpeculativeJIT32_64.cpp:
3322         (JSC::DFG::SpeculativeJIT::fillJSValue):
3323         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
3324         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3325         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3326         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3327         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
3328         (JSC::DFG::SpeculativeJIT::emitBranch):
3329         (JSC::DFG::SpeculativeJIT::compile):
3330         (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
3331         * dfg/DFGSpeculativeJIT64.cpp:
3332         (JSC::DFG::SpeculativeJIT::fillJSValue):
3333         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
3334         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
3335         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3336         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3337         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3338         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
3339         (JSC::DFG::SpeculativeJIT::emitBranch):
3340         (JSC::DFG::SpeculativeJIT::compile):
3341         (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
3342         * dfg/DFGStrengthReductionPhase.cpp:
3343         (JSC::DFG::StrengthReductionPhase::handleNode):
3344         * dfg/DFGUseKind.cpp:
3345         (WTF::printInternal):
3346         * dfg/DFGUseKind.h:
3347         (JSC::DFG::typeFilterFor):
3348         (JSC::DFG::shouldNotHaveTypeCheck):
3349         (JSC::DFG::mayHaveTypeCheck):
3350         (JSC::DFG::isNumerical):
3351         (JSC::DFG::isDouble):
3352         (JSC::DFG::isCell):
3353         (JSC::DFG::usesStructure):
3354         (JSC::DFG::useKindForResult):
3355         * dfg/DFGValidate.cpp:
3356         (JSC::DFG::Validate::validate):
3357         * dfg/DFGVariadicFunction.h: Removed.
3358         * ftl/FTLCapabilities.cpp:
3359         (JSC::FTL::canCompile):
3360         * ftl/FTLLowerDFGToLLVM.cpp:
3361         (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
3362         (JSC::FTL::LowerDFGToLLVM::compileNode):
3363         (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
3364         (JSC::FTL::LowerDFGToLLVM::compilePhi):
3365         (JSC::FTL::LowerDFGToLLVM::compileDoubleConstant):
3366         (JSC::FTL::LowerDFGToLLVM::compileInt52Constant):
3367         (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant):
3368         (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
3369         (JSC::FTL::LowerDFGToLLVM::compileValueRep):
3370         (JSC::FTL::LowerDFGToLLVM::compileInt52Rep):
3371         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
3372         (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
3373         (JSC::FTL::LowerDFGToLLVM::compileArithMul):
3374         (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
3375         (JSC::FTL::LowerDFGToLLVM::compileArithMod):
3376         (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
3377         (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
3378         (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
3379         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
3380         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
3381         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
3382         (JSC::FTL::LowerDFGToLLVM::compare):
3383         (JSC::FTL::LowerDFGToLLVM::boolify):
3384         (JSC::FTL::LowerDFGToLLVM::lowInt52):
3385         (JSC::FTL::LowerDFGToLLVM::lowStrictInt52):
3386         (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52):
3387         (JSC::FTL::LowerDFGToLLVM::lowDouble):
3388         (JSC::FTL::LowerDFGToLLVM::lowJSValue):
3389         (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble):
3390         (JSC::FTL::LowerDFGToLLVM::jsValueToDouble):
3391         (JSC::FTL::LowerDFGToLLVM::speculate):
3392         (JSC::FTL::LowerDFGToLLVM::speculateNumber):
3393         (JSC::FTL::LowerDFGToLLVM::speculateDoubleReal):
3394         (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue): Deleted.
3395         (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble): Deleted.
3396         (JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue): Deleted.
3397         (JSC::FTL::LowerDFGToLLVM::speculateRealNumber): Deleted.
3398         (JSC::FTL::LowerDFGToLLVM::speculateMachineInt): Deleted.
3399         * ftl/FTLValueFormat.cpp:
3400         (JSC::FTL::reboxAccordingToFormat):
3401         * jit/AssemblyHelpers.cpp:
3402         (JSC::AssemblyHelpers::sanitizeDouble):
3403         * jit/AssemblyHelpers.h:
3404         (JSC::AssemblyHelpers::boxDouble):
3405
3406 2014-04-15  Commit Queue  <commit-queue@webkit.org>
3407
3408         Unreviewed, rolling out r167199 and r167251.
3409         https://bugs.webkit.org/show_bug.cgi?id=131678
3410
3411         Caused a DYEBench regression and does not seem to improve perf
3412         on relevant websites (Requested by rniwa on #webkit).
3413
3414         Reverted changesets:
3415
3416         "Rewrite Function.bind as a builtin"
3417         https://bugs.webkit.org/show_bug.cgi?id=131083
3418         http://trac.webkit.org/changeset/167199
3419
3420         "Update test result"
3421         http://trac.webkit.org/changeset/167251
3422
3423 2014-04-14  Commit Queue  <commit-queue@webkit.org>
3424
3425         Unreviewed, rolling out r167272.
3426         https://bugs.webkit.org/show_bug.cgi?id=131666
3427
3428         Broke multiple tests (Requested by ap on #webkit).
3429
3430         Reverted changeset:
3431
3432         "Function.bind itself is too slow"
3433         https://bugs.webkit.org/show_bug.cgi?id=131636
3434         http://trac.webkit.org/changeset/167272
3435
3436 2014-04-14  Geoffrey Garen  <ggaren@apple.com>
3437
3438         ASSERT when firing low memory warning
3439         https://bugs.webkit.org/show_bug.cgi?id=131659
3440
3441         Reviewed by Mark Hahnenberg.
3442
3443         * heap/Heap.cpp:
3444         (JSC::Heap::deleteAllCompiledCode): Allow deleteAllCompiledCode to be
3445         called when no GC is happening because that is what we do when a low
3446         memory warning fires, and it is harmless.
3447
3448 2014-04-14  Mark Hahnenberg  <mhahnenberg@apple.com>
3449
3450         emit_op_put_by_id should not emit a write barrier that filters on value
3451         https://bugs.webkit.org/show_bug.cgi?id=131654
3452
3453         Reviewed by Filip Pizlo.
3454
3455         The 32-bit implementation does this, and it can cause crashes if we later repatch the 
3456         code to allocate and store new Butterflies.
3457
3458         * jit/JITPropertyAccess.cpp:
3459         (JSC::JIT::emitWriteBarrier): We also weren't verifying that the base was a cell on 
3460         32-bit if we were passed ShouldFilterBase. I also took the liberty of sinking the tag 
3461         load down into the if statement so that we don't do it if we're not filtering on the value.
3462         * jit/JITPropertyAccess32_64.cpp:
3463         (JSC::JIT::emit_op_put_by_id):
3464
3465 2014-04-14  Oliver Hunt  <oliver@apple.com>
3466
3467         Function.bind itself is too slow
3468         https://bugs.webkit.org/show_bug.cgi?id=131636
3469
3470         Reviewed by Geoffrey Garen.
3471
3472         Rather than forcing creation of an activation, we now store
3473         bound function properties directly on the returned closure.
3474         This is necessary to deal with code that creates many function
3475         bindings, but does not call them very often.
3476
3477         This is a 60% speed up in the included js/regress test.
3478
3479         * builtins/BuiltinExecutables.cpp:
3480         (JSC::BuiltinExecutables::createBuiltinExecutable):
3481         * builtins/Function.prototype.js:
3482         (bind.bindingFunction):
3483         (bind.else.switch.case.1.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
3484         (bind.else.switch.case.1.bindingFunction):
3485         (bind.else.switch.case.2.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
3486         (bind.else.switch.case.2.bindingFunction):
3487         (bind.else.switch.case.3.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
3488         (bind.else.switch.case.3.bindingFunction):
3489         (bind.else.switch.bindingFunction):
3490         (bind):
3491         (bind.else.switch.case.1.bindingFunction.oversizedCall): Deleted.
3492         (bind.else.switch.case.2.bindingFunction.oversizedCall): Deleted.
3493         (bind.else.switch.case.3.bindingFunction.oversizedCall): Deleted.
3494         * runtime/CommonIdentifiers.h:
3495
3496 2014-04-14  Julien Brianceau  <jbriance@cisco.com>
3497
3498         [sh4] Allow use of SubImmediates in LLINT.
3499         https://bugs.webkit.org/show_bug.cgi?id=131608
3500
3501         Reviewed by Mark Lam.
3502
3503         Allow use of SubImmediates with const pool so the sh4 architecture can
3504         share the arm path for setEntryAddress macro. It reduces architecture
3505         specific code and leads to more optimal generated code for sh4.
3506
3507         * llint/LowLevelInterpreter.asm:
3508         * offlineasm/sh4.rb:
3509
3510 2014-04-14  Andreas Kling  <akling@apple.com>
3511
3512         Array.prototype.concat should allocate output storage only once.
3513         <https://webkit.org/b/131609>
3514
3515         Do a first pass across 'this' and any arguments to compute the
3516         final size of the resulting array from Array.prototype.concat.
3517         This avoids having to grow the output incrementally as we go.
3518
3519         This also includes two other micro-optimizations:
3520
3521         - Mark getProperty() with ALWAYS_INLINE.
3522
3523         - Use JSArray::length() instead of taking the generic property
3524           lookup path when we know an argument is an Array.
3525
3526         My MBP says ~3% progression on Dromaeo/jslib-traverse-jquery.
3527
3528         Reviewed by Oliver & Darin.
3529
3530         * runtime/ArrayPrototype.cpp:
3531         (JSC::getProperty):
3532         (JSC::arrayProtoFuncConcat):
3533
3534 2014-04-14  Commit Queue  <commit-queue@webkit.org>
3535
3536         Unreviewed, rolling out r167249.
3537         https://bugs.webkit.org/show_bug.cgi?id=131621
3538
3539         broke 3 tests on cloop (Requested by kling on #webkit).
3540
3541         Reverted changeset:
3542
3543         "Array.prototype.concat should allocate output storage only
3544         once."
3545         https://bugs.webkit.org/show_bug.cgi?id=131609
3546         http://trac.webkit.org/changeset/167249
3547
3548 2014-04-14  Alex Christensen  <achristensen@webkit.org>
3549
3550         Fixed potential integer truncation.
3551         https://bugs.webkit.org/show_bug.cgi?id=131615
3552
3553         Reviewed by Darin Adler.
3554
3555         * assembler/X86Assembler.h:
3556         (JSC::X86Assembler::fillNops):
3557         Truncate the size_t to an unsigned after it is limited to 15 instead of before.
3558
3559 2014-04-14  Andreas Kling  <akling@apple.com>
3560
3561         Array.prototype.concat should allocate output storage only once.
3562         <https://webkit.org/b/131609>
3563
3564         Do a first pass across 'this' and any arguments to compute the
3565         final size of the resulting array from Array.prototype.concat.
3566         This avoids having to grow the output incrementally as we go.
3567
3568         This also includes two other micro-optimizations:
3569
3570         - Mark getProperty() with ALWAYS_INLINE.
3571
3572         - Use JSArray::length() instead of taking the generic property
3573           lookup path when we know an argument is an Array.
3574
3575         My MBP says ~3% progression on Dromaeo/jslib-traverse-jquery.
3576
3577         Reviewed by Darin Adler.
3578
3579         * runtime/ArrayPrototype.cpp:
3580         (JSC::getProperty):
3581         (JSC::arrayProtoFuncConcat):
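
Worked example (added here; this is not JavaScriptCore code from either of the r167249 entries above): the two-pass Array.prototype.concat that both entries describe, written in plain JavaScript. The first pass only sizes the result, so the output storage is allocated exactly once; as an added check that goes beyond the entry, the sizing pass also rejects a result longer than the 2^32 - 1 array length limit before anything is allocated. The spreadability test follows the ECMAScript IsConcatSpreadable rule and assumes Symbol.isConcatSpreadable is available (any ES2015 engine); the constant and helper names are this example's own.

```javascript
// Two-pass concat: size first, allocate once, then copy.
// Added example, not JavaScriptCore's arrayProtoFuncConcat.
const MAX_ARRAY_LENGTH = 2 ** 32 - 1; // largest valid Array length

// ECMAScript IsConcatSpreadable: objects opt in/out via the symbol,
// otherwise only real arrays are spread (assumes ES2015 symbols).
function isConcatSpreadable(value) {
  if (value === null || (typeof value !== "object" && typeof value !== "function")) {
    return false;
  }
  const flag = value[Symbol.isConcatSpreadable];
  if (flag !== undefined) return Boolean(flag);
  return Array.isArray(value);
}

// ToLength: a non-numeric or negative length counts as 0, and the value is
// clamped so the total below can never become an inexact huge double.
function lengthOf(value) {
  const n = Math.trunc(Number(value.length));
  if (!(n > 0)) return 0;
  return Math.min(n, Number.MAX_SAFE_INTEGER);
}

function concatOnce(receiver, ...args) {
  const items = [receiver, ...args];

  // Pass 1: compute the final length without touching any output storage.
  // Rejecting an oversized result here means nothing is allocated for it.
  let total = 0;
  for (const item of items) {
    total += isConcatSpreadable(item) ? lengthOf(item) : 1;
    if (total > MAX_ARRAY_LENGTH) {
      throw new RangeError("concat result exceeds the maximum array length");
    }
  }

  // Pass 2: allocate exactly once, then copy. Holes in a source array stay
  // holes in the result, as the specification requires.
  const out = new Array(total);
  let n = 0;
  for (const item of items) {
    if (isConcatSpreadable(item)) {
      const len = lengthOf(item);
      for (let k = 0; k < len; k++, n++) {
        if (k in item) out[n] = item[k];
      }
    } else {
      out[n++] = item;
    }
  }
  return out;
}
```

The sizing pass is also where the engine version gets its cheap path: when an argument is known to be a real Array, its length can be read directly instead of through a generic property lookup, which is the JSArray::length() micro-optimization the entry mentions.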
3582
3583 2014-04-14  Benjamin Poulain  <benjamin@webkit.org>
3584
3585         [JSC] Improve the call site of string comparison in some hot path
3586         https://bugs.webkit.org/show_bug.cgi?id=131605
3587
3588         Reviewed by Darin Adler.
3589
3590         When resolved, the String of a JSString is never null. It can be empty but not null.
3591         The null value is reserved for ropes but those would be resolved when getting the value.
3592
3593         Consequently, we should use the equal() operation that does not handle null values.
3594         Using the StringImpl directly is already common in StringPrototype but it was not used here for some reason.
3595
3596         * jit/JITOperations.cpp:
3597         * runtime/JSCJSValueInlines.h:
3598         (JSC::JSValue::equalSlowCaseInline):
3599         (JSC::JSValue::strictEqualSlowCaseInline):
3600         (JSC::JSValue::pureStrictEqual):
3601
3602 2014-04-08  Oliver Hunt  <oliver@apple.com>
3603
3604         Rewrite Function.bind as a builtin
3605         https://bugs.webkit.org/show_bug.cgi?id=131083
3606
3607         Reviewed by Geoffrey Garen.
3608
3609         This change removes the existing function.bind implementation
3610         entirely so JSBoundFunction is no more.
3611
3612         Instead we just return a regular JS closure with a few
3613         private properties hanging off it that allow us to perform
3614         the necessary bound function fakery.  While most of this is
3615         simple, a couple of key changes:
3616
3617         - The parser and lexer now directly track whether they're
3618           parsing code for call or construct and convert the private
3619           name @IsConstructor into TRUETOK or FALSETOK as appropriate.
3620           This automatically gives us the ability to vary behaviour
3621           from within the builtin. It also leaves a lot of headroom
3622           for trivial future improvements.
3623         - The instanceof operator now uses the prototypeForHasInstance
3624           private name, and we have a helper function to ensure that
3625           all objects that need to can update their magical 'prototype'
3626           property pair correctly.
3627
3628         * API/JSScriptRef.cpp:
3629         (parseScript):
3630         * JavaScriptCore.xcodeproj/project.pbxproj:
3631         * builtins/BuiltinExecutables.cpp:
3632         (JSC::BuiltinExecutables::createBuiltinExecutable):
3633         * builtins/Function.prototype.js:
3634         (bind.bindingFunction):
3635         (bind.else.bindingFunction):
3636         (bind):
3637         * bytecode/UnlinkedCodeBlock.cpp:
3638         (JSC::generateFunctionCodeBlock):
3639         * bytecompiler/NodesCodegen.cpp:
3640         (JSC::InstanceOfNode::emitBytecode):
3641         * interpreter/Interpreter.cpp:
3642         * parser/Lexer.cpp:
3643         (JSC::Lexer<T>::Lexer):
3644         (JSC::Lexer<LChar>::parseIdentifier):
3645         (JSC::Lexer<UChar>::parseIdentifier):
3646         * parser/Lexer.h:
3647         * parser/Parser.cpp:
3648         (JSC::Parser<LexerType>::Parser):
3649         (JSC::Parser<LexerType>::parseInner):
3650         * parser/Parser.h:
3651         (JSC::parse):
3652         * parser/ParserModes.h:
3653         * runtime/CodeCache.cpp:
3654         (JSC::CodeCache::getGlobalCodeBlock):
3655         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
3656         * runtime/CommonIdentifiers.h:
3657         * runtime/Completion.cpp:
3658         (JSC::checkSyntax):
3659         * runtime/Executable.cpp:
3660         (JSC::ProgramExecutable::checkSyntax):
3661         * runtime/FunctionPrototype.cpp:
3662         (JSC::FunctionPrototype::addFunctionProperties):
3663         (JSC::functionProtoFuncBind): Deleted.
3664         * runtime/JSBoundFunction.cpp: Removed.
3665         * runtime/JSBoundFunction.h: Removed.
3666         * runtime/JSFunction.cpp:
3667         (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
3668         (JSC::RetrieveCallerFunctionFunctor::operator()):
3669         (JSC::retrieveCallerFunction):
3670         (JSC::JSFunction::getOwnPropertySlot):
3671         (JSC::JSFunction::defineOwnProperty):
3672         * runtime/JSGlobalObject.cpp:
3673         (JSC::JSGlobalObject::reset):
3674         * runtime/JSGlobalObjectFunctions.cpp:
3675         (JSC::globalFuncSetTypeErrorAccessor):
3676         * runtime/JSGlobalObjectFunctions.h:
3677         * runtime/JSObject.h:
3678         (JSC::JSObject::inlineGetOwnPropertySlot):
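
Worked example (added here; this is not JavaScriptCore's builtins/Function.prototype.js): Function.prototype.bind written in the style the two bind entries above describe (2014-04-08 and 2014-04-14), as an ordinary closure whose bound state is stored as own properties on the returned function object instead of being held in an activation. Assumptions: standard ES2015 features stand in for JSC's private names, so new.target plays the role of @IsConstructor for the call/construct split, Symbol.hasInstance plays the role of prototypeForHasInstance for instanceof, and symbol-keyed properties keep the slots off the public property surface. The function and slot names are this example's own.

```javascript
// Function.prototype.bind as a closure with its state stored on the function.
// Added example, not JavaScriptCore code. Slot keys are symbols so that the
// bound state does not show up as ordinary enumerable properties.
const kTarget = Symbol("boundTarget");
const kThis = Symbol("boundThis");
const kArgs = Symbol("boundArgs");

function bindAsClosure(target, boundThis, ...boundArgs) {
  if (typeof target !== "function") {
    throw new TypeError("Bind must be called on a function");
  }

  // The body reads target/this/args from slots on the function object.
  // Only the reference to the function object itself is closed over;
  // the bound state is not kept in captured variables.
  const bound = function (...callArgs) {
    const fn = bound[kTarget];
    const args = bound[kArgs].concat(callArgs);
    if (new.target) {
      // Construct path (stands in for @IsConstructor being true): boundThis
      // is ignored, and new.target is forwarded so a subclass constructed
      // through the bound function still gets the right prototype.
      return Reflect.construct(fn, args, new.target === bound ? fn : new.target);
    }
    // Call path: apply the target with the bound receiver.
    return Reflect.apply(fn, bound[kThis], args);
  };

  Object.defineProperty(bound, kTarget, { value: target });
  Object.defineProperty(bound, kThis, { value: boundThis });
  Object.defineProperty(bound, kArgs, { value: Object.freeze([...boundArgs]) });

  // instanceof against the bound function consults the target's prototype
  // chain, which is the job prototypeForHasInstance does in the entry.
  Object.defineProperty(bound, Symbol.hasInstance, {
    value: (instance) => instance instanceof target,
  });

  // Observable metadata: remaining arity and a "bound " prefixed name.
  Object.defineProperty(bound, "length", {
    value: Math.max(0, (target.length || 0) - boundArgs.length),
    configurable: true,
  });
  Object.defineProperty(bound, "name", {
    value: "bound " + (target.name || ""),
    configurable: true,
  });
  return bound;
}
```

Because all of the state lives on the returned function object, creating many bindings that are rarely called costs one function object plus three slots each, which is the workload the 2014-04-14 entry is optimizing for.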
3679
3680 2014-04-12  Filip Pizlo  <fpizlo@apple.com>
3681
3682         Math.fround() should be an intrinsic
3683         https://bugs.webkit.org/show_bug.cgi?id=131583
3684
3685         Reviewed by Geoffrey Garen.
3686         
3687         Makes programs that use Math.fround() run up to 6x faster.
3688
3689         * dfg/DFGAbstractInterpreterInlines.h:
3690         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3691         * dfg/DFGByteCodeParser.cpp:
3692         (JSC::DFG::ByteCodeParser::handleIntrinsic):
3693         * dfg/DFGCSEPhase.cpp:
3694         (JSC::DFG::CSEPhase::performNodeCSE):
3695         * dfg/DFGClobberize.h:
3696         (JSC::DFG::clobberize):
3697         * dfg/DFGFixupPhase.cpp:
3698         (JSC::DFG::FixupPhase::fixupNode):
3699         * dfg/DFGNodeType.h:
3700         * dfg/DFGPredictionPropagationPhase.cpp:
3701         (JSC::DFG::PredictionPropagationPhase::propagate):
3702         * dfg/DFGSafeToExecute.h:
3703         (JSC::DFG::safeToExecute):
3704         * dfg/DFGSpeculativeJIT32_64.cpp:
3705         (JSC::DFG::SpeculativeJIT::compile):
3706         * dfg/DFGSpeculativeJIT64.cpp:
3707         (JSC::DFG::SpeculativeJIT::compile):
3708         * ftl/FTLCapabilities.cpp:
3709         (JSC::FTL::canCompile):
3710         * ftl/FTLLowerDFGToLLVM.cpp:
3711         (JSC::FTL::LowerDFGToLLVM::compileNode):
3712         (JSC::FTL::LowerDFGToLLVM::compileArithFRound):
3713         * runtime/Intrinsic.h:
3714         * runtime/MathObject.cpp:
3715         (JSC::MathObject::finishCreation):
3716
3717 2014-04-12  Filip Pizlo  <fpizlo@apple.com>
3718
3719         FTL should use stackmap register liveness
3720         https://bugs.webkit.org/show_bug.cgi?id=130791
3721
3722         Reviewed by Geoffrey Garen.
3723         
3724         Enable the stackmap register liveness support by fixing the two last bugs:
3725         
3726         - If everything is dead after the patchpoint - a good possibility for a put_by_id -
3727           then we shouldn't crash due to a null scratch buffer.
3728         
3729         - Always consider callee-saves as if they were live. More precisely, we should
3730           consider those callee-saves that are not saved by the enclosing function to be live.
3731           For now we do the much simpler thing and consider callee-saves to be always live
3732           since it has minimal impact on the scratch register allocator. It will know not to
3733           preserve those for calls, anyway.
3734         
3735         I tried writing a test for the null scratch buffer thing, but failed. I will land the
3736         test anyway since it seems useful.
3737
3738         * ftl/FTLCompile.cpp:
3739         (JSC::FTL::usedRegistersFor):
3740         * jit/ScratchRegisterAllocator.cpp:
3741         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
3742         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
3743         * runtime/Options.h:
3744         * tests/stress/repeated-put-by-id-reallocating-transition.js: Added.
3745         (foo):
3746
3747 2014-04-11  Filip Pizlo  <fpizlo@apple.com>
3748
3749         DFG::FixupPhase should insert conversion nodes after the rest of fixup so that we know how the types settled
3750         https://bugs.webkit.org/show_bug.cgi?id=131424
3751
3752         Reviewed by Geoffrey Garen.
3753         
3754         This defers type conversion injection until we've decided on types. This makes the
3755         process of deciding types a bit more flexible - for example we can naturally fixpoint
3756         and change our minds. Only when things are settled do we actually insert conversions.
3757         
3758         This is a necessary prerequisite for keeping double, int52, and JSValue data flow
3759         separate. A SetLocal/GetLocal will appear to be JSValue until we fixpoint and realize
3760         that there are typed uses. If we were eagerly inserting type conversions then we would
3761         first insert a to/from-JSValue conversion in some cases only to then replace it by
3762         the other conversions. It's probably trivial to remove those redundant conversions later
3763         but I think it's better if we don't insert them to begin with.
3764
3765         * bytecode/CodeOrigin.h:
3766         (JSC::CodeOrigin::operator!):
3767         * dfg/DFGFixupPhase.cpp:
3768         (JSC::DFG::FixupPhase::run):
3769         (JSC::DFG::FixupPhase::fixupBlock):
3770         (JSC::DFG::FixupPhase::fixupNode):
3771         (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
3772         (JSC::DFG::FixupPhase::fixEdge):
3773         (JSC::DFG::FixupPhase::fixIntEdge):
3774         (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
3775         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
3776         (JSC::DFG::FixupPhase::addRequiredPhantom):
3777         (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
3778         (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
3779         (JSC::DFG::FixupPhase::observeUntypedEdge): Deleted.
3780         (JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock): Deleted.
3781         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode): Deleted.
3782
3783 2014-04-11  Brian J. Burg  <burg@cs.washington.edu>
3784
3785         Web Replay: code generator should consider enclosing class when computing duplicate type names
3786         https://bugs.webkit.org/show_bug.cgi?id=131554
3787
3788         Reviewed by Timothy Hatcher.
3789
3790         We need to prepend an enum's enclosing class, if any, so that multiple enums with the same name
3791         can coexist without triggering a "duplicate types" error. Now, such enums must be referenced
3792         by the enclosing class and enum name.
3793
3794         Added tests for the new syntax, and rebaselined one test to reflect a previous patch's change.
3795
3796         * replay/scripts/CodeGeneratorReplayInputs.py:
3797         (Type.type_name): Prepend the enclosing class name.
3798         (Type.type_name.is):
3799         * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Added.
3800         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Added.
3801         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Added.
3802         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Rebaseline.
3803         * replay/scripts/tests/fail-on-duplicate-enum-type.json: Added.
3804         * replay/scripts/tests/generate-enums-with-same-base-name.json: Added.
3805
3806 2014-04-11  Gavin Barraclough  <baraclough@apple.com>
3807
3808         Rollout - Rewrite Function.bind as a builtin
3809         https://bugs.webkit.org/show_bug.cgi?id=131083
3810
3811         Unreviewed.
3812
3813         Rolling out r167020 while investigating a performance regression.
3814
3815         * API/JSObjectRef.cpp:
3816         (JSObjectMakeConstructor):
3817         * API/JSScriptRef.cpp:
3818         (parseScript):
3819         * CMakeLists.txt:
3820         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3821         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3822         * JavaScriptCore.xcodeproj/project.pbxproj:
3823         * builtins/BuiltinExecutables.cpp:
3824         (JSC::BuiltinExecutables::createBuiltinExecutable):
3825         * builtins/Function.prototype.js:
3826         (apply):
3827         (bind.bindingFunction): Deleted.
3828         (bind.else.bindingFunction): Deleted.
3829         (bind): Deleted.
3830         * bytecode/UnlinkedCodeBlock.cpp:
3831         (JSC::generateFunctionCodeBlock):
3832         * bytecompiler/NodesCodegen.cpp:
3833         (JSC::InstanceOfNode::emitBytecode):
3834         * interpreter/Interpreter.cpp:
3835         * parser/Lexer.cpp:
3836         (JSC::Lexer<T>::Lexer):
3837         (JSC::Lexer<LChar>::parseIdentifier):
3838         (JSC::Lexer<UChar>::parseIdentifier):
3839         * parser/Lexer.h:
3840         * parser/Parser.cpp:
3841         (JSC::Parser<LexerType>::Parser):
3842         (JSC::Parser<LexerType>::parseInner):
3843         * parser/Parser.h:
3844         (JSC::parse):
3845         * parser/ParserModes.h:
3846         * runtime/ArgumentsIteratorConstructor.cpp:
3847         (JSC::ArgumentsIteratorConstructor::finishCreation):
3848         * runtime/ArrayConstructor.cpp:
3849         (JSC::ArrayConstructor::finishCreation):
3850         * runtime/BooleanConstructor.cpp:
3851         (JSC::BooleanConstructor::finishCreation):
3852         * runtime/CodeCache.cpp:
3853         (JSC::CodeCache::getGlobalCodeBlock):
3854         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
3855         * runtime/CommonIdentifiers.h:
3856         * runtime/Completion.cpp:
3857         (JSC::checkSyntax):
3858         * runtime/DateConstructor.cpp:
3859         (JSC::DateConstructor::finishCreation):
3860         * runtime/ErrorConstructor.cpp:
3861         (JSC::ErrorConstructor::finishCreation):
3862         * runtime/Executable.cpp:
3863         (JSC::ProgramExecutable::checkSyntax):
3864         * runtime/FunctionConstructor.cpp:
3865         (JSC::FunctionConstructor::finishCreation):
3866         * runtime/FunctionPrototype.cpp:
3867         (JSC::FunctionPrototype::addFunctionProperties):
3868         (JSC::functionProtoFuncBind):
3869         * runtime/JSArrayBufferConstructor.cpp:
3870         (JSC::JSArrayBufferConstructor::finishCreation):
3871         * runtime/JSBoundFunction.cpp: Added.
3872         (JSC::boundFunctionCall):
3873         (JSC::boundFunctionConstruct):
3874         (JSC::JSBoundFunction::create):
3875         (JSC::JSBoundFunction::destroy):
3876         (JSC::JSBoundFunction::customHasInstance):
3877         (JSC::JSBoundFunction::JSBoundFunction):
3878         (JSC::JSBoundFunction::finishCreation):
3879         (JSC::JSBoundFunction::visitChildren):
3880         * runtime/JSBoundFunction.h: Added.
3881         (JSC::JSBoundFunction::targetFunction):
3882         (JSC::JSBoundFunction::boundThis):
3883         (JSC::JSBoundFunction::boundArgs):
3884         (JSC::JSBoundFunction::createStructure):
3885         * runtime/JSFunction.cpp:
3886         (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
3887         (JSC::RetrieveCallerFunctionFunctor::operator()):
3888         (JSC::retrieveCallerFunction):
3889         (JSC::JSFunction::getOwnPropertySlot):
3890         (JSC::JSFunction::getOwnNonIndexPropertyNames):
3891         (JSC::JSFunction::put):
3892         (JSC::JSFunction::defineOwnProperty):
3893         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
3894         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
3895         * runtime/JSGlobalObject.cpp:
3896         (JSC::JSGlobalObject::reset):
3897         * runtime/JSGlobalObjectFunctions.cpp:
3898         (JSC::globalFuncSetTypeErrorAccessor): Deleted.
3899         * runtime/JSGlobalObjectFunctions.h:
3900         * runtime/JSObject.cpp:
3901         (JSC::JSObject::putDirectPrototypeProperty): Deleted.
3902         (JSC::JSObject::putDirectPrototypePropertyWithoutTransitions): Deleted.
3903         * runtime/JSObject.h:
3904         * runtime/JSPromiseConstructor.cpp:
3905         (JSC::JSPromiseConstructor::finishCreation):
3906         * runtime/MapConstructor.cpp:
3907         (JSC::MapConstructor::finishCreation):
3908         * runtime/MapIteratorConstructor.cpp:
3909         (JSC::MapIteratorConstructor::finishCreation):
3910         * runtime/NameConstructor.cpp:
3911         (JSC::NameConstructor::finishCreation):
3912         * runtime/NativeErrorConstructor.cpp:
3913         (JSC::NativeErrorConstructor::finishCreation):
3914         * runtime/NumberConstructor.cpp:
3915         (JSC::NumberConstructor::finishCreation):
3916         * runtime/ObjectConstructor.cpp:
3917         (JSC::ObjectConstructor::finishCreation):
3918         * runtime/RegExpConstructor.cpp:
3919         (JSC::RegExpConstructor::finishCreation):
3920         * runtime/SetConstructor.cpp:
3921         (JSC::SetConstructor::finishCreation):
3922         * runtime/SetIteratorConstructor.cpp:
3923         (JSC::SetIteratorConstructor::finishCreation):
3924         * runtime/StringConstructor.cpp:
3925         (JSC::StringConstructor::finishCreation):
3926         * runtime/WeakMapConstructor.cpp:
3927         (JSC::WeakMapConstructor::finishCreation):
3928
3929 2014-04-11  David Kilzer  <ddkilzer@apple.com>
3930
3931         [ASan] Build broke because libCompileRuntimeToLLVMIR.a links to libclang_rt.asan_osx_dynamic.dylib
3932         <http://webkit.org/b/131556>
3933         <rdar://problem/16591856>
3934
3935         Reviewed by Brent Fulgham.
3936
3937         * Configurations/CompileRuntimeToLLVMIR.xcconfig: Clear
3938         OTHER_LDFLAGS so the ASan build does not try to link to
3939         libclang_rt.asan_osx_dynamic.dylib.
3940
3941 2014-04-11  Mark Lam  <mark.lam@apple.com>
3942
3943         JSMainThreadExecState::call() should clear exceptions before returning.
3944         <https://webkit.org/b/131530>
3945
3946         Reviewed by Geoffrey Garen.
3947
3948         Added a version of JSC::call() that returns any uncaught exception instead
3949         of leaving it pending in the VM.
3950
3951         As part of this change, I updated various parts of the code base to use the
3952         new API as needed.
3953
3954         * bindings/ScriptFunctionCall.cpp:
3955         (Deprecated::ScriptFunctionCall::call):
3956         - ScriptFunctionCall::call() is only used by the inspector to inject scripts.
3957           The injected scripts will include Inspector scripts that should catch
3958           and handle any exceptions that were thrown.  We should not be seeing any
3959           exceptions returned from this call.  However, we do have checks for
3960           exceptions in case there are bugs in the Inspector scripts which allowed
3961           the exception to leak through.  Hence, it is proper to clear the exception
3962           here, and only record the fact that an exception was seen (if present).
3963
3964         * bindings/ScriptFunctionCall.h:
3965         * inspector/InspectorEnvironment.h:
3966         * runtime/CallData.cpp:
3967         (JSC::call):
3968         * runtime/CallData.h:
3969
3970 2014-04-11  Oliver Hunt  <oliver@apple.com>
3971
3972         Add BuiltinLog function to make debugging builtins easier
3973         https://bugs.webkit.org/show_bug.cgi?id=131550
3974
3975         Reviewed by Andreas Kling.
3976
3977         Add a logging function that builtins can use for debugging.
3978
3979         * runtime/CommonIdentifiers.h:
3980         * runtime/JSGlobalObject.cpp:
3981        &