Merge r169628 from ftlopt.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-07-22  Filip Pizlo  <fpizlo@apple.com>

        Merge r169628 from ftlopt.

    2014-06-04  Matthew Mirman  <mmirman@apple.com>

            Added system for inlining native functions via the FTL.
            https://bugs.webkit.org/show_bug.cgi?id=131515

            Reviewed by Filip Pizlo.

            Also fixed the build to not compress the bitcode and to
            include all of the relevant runtime. With GCC_GENERATE_DEBUGGING_SYMBOLS = NO,
            the produced bitcode files are a 100th of the size they were before.
            Now we can include all of the relevant runtime files with only a 3mb overhead.
            This is the same overhead as for two compressed files before,
            but done more efficiently (on both ends) and with less code.

            Deciding whether to inline native functions is left up to LLVM.
            The entire module containing the function is linked into the current
            compiled JS so that inlining the native functions shouldn't make them smaller.

            Rather than loading Runtime.symtbl at runtime, FTLState.cpp now generates a file
            InlineRuntimeSymbolTable.h which statically builds the symbol table hash table.

            * JavaScriptCore.xcodeproj/project.pbxproj: Added back runtime files to compile.
            * build-symbol-table-index.py: Changed bitcode suffix.
            Added inclusion of only tested symbols.
            Added output to InlineRuntimeSymbolTable.h.
            * build-symbol-table-index.sh: Changed bitcode suffix.
            * copy-llvm-ir-to-derived-sources.sh: Removed gzip compression.
            * tested-symbols.symlst: Added.
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::handleCall):
            Now sets the knownFunction of the call node if such a function exists
            and emits a check that during runtime the callee is in fact known.
            * dfg/DFGNode.h:
            Added functions to set the known function of a call node.
            (JSC::DFG::Node::canBeKnownFunction): Added.
            (JSC::DFG::Node::hasKnownFunction): Added.
            (JSC::DFG::Node::knownFunction): Added.
            (JSC::DFG::Node::giveKnownFunction): Added.
            * ftl/FTLAbbreviatedTypes.h: Added a typedef for LLVMMemoryBufferRef.
            * ftl/FTLAbbreviations.h: Added some abbreviations.
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::isInlinableSize): Added. Hardcoded threshold to 275.
            (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): Added.
            (JSC::FTL::LowerDFGToLLVM::getFunctionBySymbol): Added.
            (JSC::FTL::LowerDFGToLLVM::possiblyCompileInlineableNativeCall): Added.
            (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
            Added call to possiblyCompileInlineableNativeCall.
            * ftl/FTLOutput.h:
            (JSC::FTL::Output::allocaName): Added. Useful for debugging.
            * ftl/FTLState.cpp:
            (JSC::FTL::State::State): Added an include for InlineRuntimeSymbolTable.h.
            * ftl/FTLState.h: Added symbol table hash table.
            * ftl/FTLCompile.cpp:
            (JSC::FTL::compile): Added inlining and dead function elimination passes.
            * heap/HandleStack.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile.
            * llvm/InitializeLLVMMac.mm: Deleted.
            * llvm/InitializeLLVMMac.cpp: Added.
            * llvm/LLVMAPIFunctions.h: Added macros to include Bitcode parsing and linking functions.
            * llvm/LLVMHeaders.h: Added includes for Bitcode parsing and linking.
            * runtime/BundlePath.h: Added.
            * runtime/BundlePath.mm: Added.
            * runtime/DateInstance.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile.
            * runtime/DateInstance.h: ditto.
            * runtime/DateConversion.h: ditto.
            * runtime/ExceptionHelpers.h: ditto.
            * runtime/JSCJSValue.h: ditto.
            * runtime/JSArray.h: ditto.
            * runtime/JSDateMath.h: ditto.
            * runtime/JSObject.h: ditto.
            * runtime/JSObject.h: ditto.
            * runtime/RegExp.h: ditto.
            * runtime/Structure.h: ditto.
            * runtime/Options.h: Added maximumLLVMInstructionCountForNativeInlining.

2014-07-22  Mark Lam  <mark.lam@apple.com>

        Array.concat() should work on runtime arrays too.
        <https://webkit.org/b/135179>

        Reviewed by Geoffrey Garen.

        * jsc.cpp:
        (WTF::RuntimeArray::create):
        (WTF::RuntimeArray::~RuntimeArray):
        (WTF::RuntimeArray::destroy):
        (WTF::RuntimeArray::getOwnPropertySlot):
        (WTF::RuntimeArray::getOwnPropertySlotByIndex):
        (WTF::RuntimeArray::put):
        (WTF::RuntimeArray::deleteProperty):
        (WTF::RuntimeArray::getLength):
        (WTF::RuntimeArray::createPrototype):
        (WTF::RuntimeArray::createStructure):
        (WTF::RuntimeArray::finishCreation):
        (WTF::RuntimeArray::RuntimeArray):
        (WTF::RuntimeArray::lengthGetter):
        (GlobalObject::finishCreation):
        (functionCreateRuntimeArray):
        - Added support to create a runtime array for testing purposes.
        * runtime/ArrayPrototype.cpp:
        (JSC::getLength):
        - Added fast case for when the array object is a JSArray.
        (JSC::arrayProtoFuncJoin):
        - Added a needed but missing exception check.
        (JSC::arrayProtoFuncConcat):
        - Use getLength() to compute the array length instead of assuming that
          the array is a JSArray instance.
        * tests/stress/regexp-matches-array.js: Added.
        (testArrayConcat):
        * tests/stress/runtime-array.js: Added.
        (testArrayConcat):

2014-07-22  Brent Fulgham  <bfulgham@apple.com>

        Fix Windows (return a value!)

        * jsc.cpp:
        (functionQuit): Satisfy compiler's need for
        a return value.

2014-07-22  Brent Fulgham  <bfulgham@apple.com>

        Fix Windows (sleep -> Sleep)

        * jsc.cpp:
        (WTF::jscExit):

2014-07-22  Filip Pizlo  <fpizlo@apple.com>

        Fix Windows.

        * jsc.cpp:
        (WTF::jscExit):

2014-07-22  Filip Pizlo  <fpizlo@apple.com>

        Fix 32-bit.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2014-07-22  Filip Pizlo  <fpizlo@apple.com>

        Merge r169148, r169185, r169188, r169578, r169582, r169584, r169588, r169753 from ftlopt.

        Note that r169753 is merged out of order because it fixes a bug in r169588.

    2014-06-10  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] Structure::dfgShouldWatchIfPossible() is unsound
            https://bugs.webkit.org/show_bug.cgi?id=133624

            Reviewed by Mark Hahnenberg.

            * runtime/Structure.h:
            (JSC::Structure::dfgShouldWatchIfPossible): Make it sound and add some verbiage.

    2014-06-04  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] AI should be able to track structure sets larger than 1
            https://bugs.webkit.org/show_bug.cgi?id=128073

            Reviewed by Oliver Hunt.

            This makes two major changes to how AI (abstract interpreter) proves that a value has
            some structure:

            - StructureAbstractValue can now track an arbitrary number of structures. A set whose
              size is greater than one means that the value may have any of the structures, and we
              don't know which - but we do know that it cannot be any structure not in the set. The
              structure abstract value can still be TOP, which means the set of all structures. We
              artificially limit the set size to StructureAbstractValue::polymorphismLimit to guard
              memory explosion on pathological programs. This limit is big enough that it wouldn't
              kick in for normal code, since we have other heuristics that limit the number of
              structures that we would allow an inline cache to know about.

            - We eagerly set watchpoints on all watchable structures and then we assume that
              watchable structures are being watched, and that the watchpoint will jettison the code.
              This allows tracking of watchable structures to be far simpler than before. Previously,
              a structure being tracked as "future possible" was predicated on it being watchable but
              we might not actually watch it. This makes algebra over sets of future possible
              structures quite weird. But watching all watchable structures means that we simply say
              that a structure set can be in the following states: unclobbered, which means it's just
              a set of structures and it doesn't matter what is watchable or what isn't because we've
              proven that the value must have one of these structures right now; and clobbered, which
              means that we have a set of structures, plus all possible structures temporarily, with
              invalidation removing the "plus all possible structures". Clobbering a set means that
              if any of its structures are unwatchable, the set just becomes TOP; but if all
              structures in the set are watchable then we just set the clobbered bit to add the "plus
              all possible structures temporarily" thing. This precisely tracks the exact meaning of
              watchability and invalidation points.

            Slight SunSpider slow-down, neutral on Octane, slight AsmBench speed-up. I believe that
            we will ultimately undo the SunSpider slow-down by making further improvements to the set
            representation. I believe that Octane performance will ultimately improve once we remove
            remaining singleton special-cases. The ultimate goal of this is to remove the need to
            try quite so desperately hard to make everything monomorphic as we do currently.

            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/StructureSet.cpp:
            (JSC::StructureSet::clear):
            (JSC::StructureSet::remove):
            (JSC::StructureSet::filter):
            (JSC::StructureSet::copyFromOutOfLine):
            (JSC::StructureSet::StructureSet): Deleted.
            (JSC::StructureSet::operator=): Deleted.
            (JSC::StructureSet::copyFrom): Deleted.
            * bytecode/StructureSet.h:
            (JSC::StructureSet::StructureSet):
            (JSC::StructureSet::operator=):
            (JSC::StructureSet::isEmpty):
            (JSC::StructureSet::genericFilter):
            (JSC::StructureSet::ContainsOutOfLine::ContainsOutOfLine):
            (JSC::StructureSet::ContainsOutOfLine::operator()):
            (JSC::StructureSet::copyFrom):
            (JSC::StructureSet::deleteStructureListIfNecessary):
            (JSC::StructureSet::setEmpty):
            (JSC::StructureSet::getReservedFlag):
            (JSC::StructureSet::setReservedFlag):
            * dfg/DFGAbstractInterpreter.h:
            (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::booleanResult):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberCapturedVars):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::setDidClobber):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::dump):
            * dfg/DFGAbstractValue.cpp:
            (JSC::DFG::AbstractValue::observeTransitions):
            (JSC::DFG::AbstractValue::setMostSpecific):
            (JSC::DFG::AbstractValue::set):
            (JSC::DFG::AbstractValue::filter):
            (JSC::DFG::AbstractValue::shouldBeClear):
            (JSC::DFG::AbstractValue::normalizeClarity):
            (JSC::DFG::AbstractValue::checkConsistency):
            (JSC::DFG::AbstractValue::assertIsWatched):
            (JSC::DFG::AbstractValue::dumpInContext):
            (JSC::DFG::AbstractValue::setFuturePossibleStructure): Deleted.
            * dfg/DFGAbstractValue.h:
            (JSC::DFG::AbstractValue::clear):
            (JSC::DFG::AbstractValue::clobberStructures):
            (JSC::DFG::AbstractValue::clobberStructuresFor):
            (JSC::DFG::AbstractValue::observeInvalidationPoint):
            (JSC::DFG::AbstractValue::observeInvalidationPointFor):
            (JSC::DFG::AbstractValue::observeTransition):
            (JSC::DFG::AbstractValue::TransitionObserver::TransitionObserver):
            (JSC::DFG::AbstractValue::TransitionObserver::operator()):
            (JSC::DFG::AbstractValue::TransitionsObserver::TransitionsObserver):
            (JSC::DFG::AbstractValue::TransitionsObserver::operator()):
            (JSC::DFG::AbstractValue::isHeapTop):
            (JSC::DFG::AbstractValue::setType):
            (JSC::DFG::AbstractValue::operator==):
            (JSC::DFG::AbstractValue::merge):
            (JSC::DFG::AbstractValue::validate):
            (JSC::DFG::AbstractValue::hasClobberableState):
            (JSC::DFG::AbstractValue::assertIsWatched):
            (JSC::DFG::AbstractValue::observeIndexingTypeTransition):
            (JSC::DFG::AbstractValue::makeTop):
            (JSC::DFG::AbstractValue::bestProvenStructure): Deleted.
            * dfg/DFGAllocator.h:
            * dfg/DFGArgumentsSimplificationPhase.cpp:
            (JSC::DFG::ArgumentsSimplificationPhase::run):
            * dfg/DFGArrayMode.cpp:
            (JSC::DFG::ArrayMode::alreadyChecked):
            * dfg/DFGAtTailAbstractState.h:
            (JSC::DFG::AtTailAbstractState::structureClobberState):
            (JSC::DFG::AtTailAbstractState::setStructureClobberState):
            (JSC::DFG::AtTailAbstractState::setFoundConstants):
            (JSC::DFG::AtTailAbstractState::haveStructures): Deleted.
            (JSC::DFG::AtTailAbstractState::setHaveStructures): Deleted.
            * dfg/DFGBasicBlock.cpp:
            (JSC::DFG::BasicBlock::BasicBlock):
            * dfg/DFGBasicBlock.h:
            * dfg/DFGBranchDirection.h:
            (JSC::DFG::branchDirectionToString):
            (WTF::printInternal):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::handlePutById):
            * dfg/DFGCFAPhase.cpp:
            (JSC::DFG::CFAPhase::performBlockCFA):
            * dfg/DFGCSEPhase.cpp:
            (JSC::DFG::CSEPhase::checkStructureElimination):
            (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
            (JSC::DFG::CSEPhase::performNodeCSE):
            * dfg/DFGClobberize.h:
            (JSC::DFG::clobberize):
            * dfg/DFGCommon.cpp:
            (JSC::DFG::startCrashing):
            (JSC::DFG::isCrashing):
            * dfg/DFGCommon.h:
            * dfg/DFGCommonData.cpp:
            (JSC::DFG::CommonData::notifyCompilingStructureTransition):
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
            (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
            (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
            * dfg/DFGDesiredWatchpoints.cpp:
            (JSC::DFG::DesiredWatchpoints::consider):
            (JSC::DFG::DesiredWatchpoints::addLazily): Deleted.
            * dfg/DFGDesiredWatchpoints.h:
            (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
            (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
            (JSC::DFG::GenericDesiredWatchpoints::isWatched):
            (JSC::DFG::DesiredWatchpoints::isWatched):
            (JSC::DFG::WatchpointForGenericWatchpointSet::WatchpointForGenericWatchpointSet): Deleted.
            (JSC::DFG::GenericDesiredWatchpoints::addLazily): Deleted.
            (JSC::DFG::GenericDesiredWatchpoints::isStillValid): Deleted.
            (JSC::DFG::GenericDesiredWatchpoints::shouldAssumeMixedState): Deleted.
            (JSC::DFG::GenericDesiredWatchpoints::isValidOrMixed): Deleted.
            (JSC::DFG::DesiredWatchpoints::isStillValid): Deleted.
            (JSC::DFG::DesiredWatchpoints::shouldAssumeMixedState): Deleted.
            (JSC::DFG::DesiredWatchpoints::isValidOrMixed): Deleted.
            * dfg/DFGDoesGC.cpp:
            (JSC::DFG::doesGC):
            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::fixupNode):
            (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
            (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::~Graph):
            (JSC::DFG::Graph::dump):
            (JSC::DFG::Graph::dumpBlockHeader):
            (JSC::DFG::Graph::tryGetFoldableView):
            (JSC::DFG::Graph::visitChildren):
            (JSC::DFG::Graph::assertIsWatched):
            (JSC::DFG::Graph::handleAssertionFailure):
            * dfg/DFGGraph.h:
            (JSC::DFG::Graph::convertToConstant):
            (JSC::DFG::Graph::masqueradesAsUndefinedWatchpointIsStillValid):
            (JSC::DFG::Graph::addStructureTransitionData): Deleted.
            * dfg/DFGInPlaceAbstractState.cpp:
            (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
            (JSC::DFG::InPlaceAbstractState::initialize):
            (JSC::DFG::InPlaceAbstractState::endBasicBlock):
            (JSC::DFG::InPlaceAbstractState::reset):
            (JSC::DFG::InPlaceAbstractState::merge):
            * dfg/DFGInPlaceAbstractState.h:
            (JSC::DFG::InPlaceAbstractState::structureClobberState):
            (JSC::DFG::InPlaceAbstractState::setStructureClobberState):
            (JSC::DFG::InPlaceAbstractState::setFoundConstants):
            (JSC::DFG::InPlaceAbstractState::haveStructures): Deleted.
            (JSC::DFG::InPlaceAbstractState::setHaveStructures): Deleted.
            * dfg/DFGLivenessAnalysisPhase.cpp:
            (JSC::DFG::LivenessAnalysisPhase::run):
            * dfg/DFGNode.h:
            (JSC::DFG::Node::hasTransition):
            (JSC::DFG::Node::transition):
            (JSC::DFG::Node::hasStructure):
            (JSC::DFG::StructureTransitionData::StructureTransitionData): Deleted.
            (JSC::DFG::Node::convertToStructureTransitionWatchpoint): Deleted.
            (JSC::DFG::Node::hasStructureTransitionData): Deleted.
            (JSC::DFG::Node::structureTransitionData): Deleted.
            * dfg/DFGNodeType.h:
            * dfg/DFGPlan.cpp:
            (JSC::DFG::Plan::compileInThreadImpl):
            * dfg/DFGPredictionPropagationPhase.cpp:
            (JSC::DFG::PredictionPropagationPhase::propagate):
            * dfg/DFGSafeToExecute.h:
            (JSC::DFG::safeToExecute):
            * dfg/DFGSpeculativeJIT.cpp:
            (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
            (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
            * dfg/DFGSpeculativeJIT.h:
            (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
            * dfg/DFGSpeculativeJIT32_64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGSpeculativeJIT64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGStructureAbstractValue.cpp: Added.
            (JSC::DFG::StructureAbstractValue::assertIsWatched):
            (JSC::DFG::StructureAbstractValue::clobber):
            (JSC::DFG::StructureAbstractValue::observeTransition):
            (JSC::DFG::StructureAbstractValue::observeTransitions):
            (JSC::DFG::StructureAbstractValue::add):
            (JSC::DFG::StructureAbstractValue::merge):
            (JSC::DFG::StructureAbstractValue::mergeSlow):
            (JSC::DFG::StructureAbstractValue::mergeNotTop):
            (JSC::DFG::StructureAbstractValue::filter):
            (JSC::DFG::StructureAbstractValue::filterSlow):
            (JSC::DFG::StructureAbstractValue::contains):
            (JSC::DFG::StructureAbstractValue::isSubsetOf):
            (JSC::DFG::StructureAbstractValue::isSupersetOf):
            (JSC::DFG::StructureAbstractValue::overlaps):
            (JSC::DFG::StructureAbstractValue::equalsSlow):
            (JSC::DFG::StructureAbstractValue::dumpInContext):
            (JSC::DFG::StructureAbstractValue::dump):
            * dfg/DFGStructureAbstractValue.h:
            (JSC::DFG::StructureAbstractValue::StructureAbstractValue):
            (JSC::DFG::StructureAbstractValue::operator=):
            (JSC::DFG::StructureAbstractValue::clear):
            (JSC::DFG::StructureAbstractValue::makeTop):
            (JSC::DFG::StructureAbstractValue::assertIsWatched):
            (JSC::DFG::StructureAbstractValue::observeInvalidationPoint):
            (JSC::DFG::StructureAbstractValue::top):
            (JSC::DFG::StructureAbstractValue::isClear):
            (JSC::DFG::StructureAbstractValue::isTop):
            (JSC::DFG::StructureAbstractValue::isNeitherClearNorTop):
            (JSC::DFG::StructureAbstractValue::isClobbered):
            (JSC::DFG::StructureAbstractValue::merge):
            (JSC::DFG::StructureAbstractValue::filter):
            (JSC::DFG::StructureAbstractValue::operator==):
            (JSC::DFG::StructureAbstractValue::size):
            (JSC::DFG::StructureAbstractValue::at):
            (JSC::DFG::StructureAbstractValue::operator[]):
            (JSC::DFG::StructureAbstractValue::onlyStructure):
            (JSC::DFG::StructureAbstractValue::isSupersetOf):
            (JSC::DFG::StructureAbstractValue::makeTopWhenThin):
            (JSC::DFG::StructureAbstractValue::setClobbered):
            (JSC::DFG::StructureAbstractValue::add): Deleted.
            (JSC::DFG::StructureAbstractValue::addAll): Deleted.
            (JSC::DFG::StructureAbstractValue::contains): Deleted.
            (JSC::DFG::StructureAbstractValue::isSubsetOf): Deleted.
            (JSC::DFG::StructureAbstractValue::doesNotContainAnyOtherThan): Deleted.
            (JSC::DFG::StructureAbstractValue::isClearOrTop): Deleted.
            (JSC::DFG::StructureAbstractValue::last): Deleted.
            (JSC::DFG::StructureAbstractValue::speculationFromStructures): Deleted.
            (JSC::DFG::StructureAbstractValue::isValidOffset): Deleted.
            (JSC::DFG::StructureAbstractValue::hasSingleton): Deleted.
            (JSC::DFG::StructureAbstractValue::singleton): Deleted.
            (JSC::DFG::StructureAbstractValue::dumpInContext): Deleted.
            (JSC::DFG::StructureAbstractValue::dump): Deleted.
            (JSC::DFG::StructureAbstractValue::topValue): Deleted.
            * dfg/DFGStructureClobberState.h: Added.
            (JSC::DFG::merge):
            (WTF::printInternal):
            * dfg/DFGTransition.cpp: Added.
            (JSC::DFG::Transition::dumpInContext):
            (JSC::DFG::Transition::dump):
            * dfg/DFGTransition.h: Added.
            (JSC::DFG::Transition::Transition):
            * dfg/DFGTypeCheckHoistingPhase.cpp:
            (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
            (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
            * dfg/DFGWatchableStructureWatchingPhase.cpp: Added.
            (JSC::DFG::WatchableStructureWatchingPhase::WatchableStructureWatchingPhase):
            (JSC::DFG::WatchableStructureWatchingPhase::run):
            (JSC::DFG::WatchableStructureWatchingPhase::tryWatch):
            (JSC::DFG::performWatchableStructureWatching):
            * dfg/DFGWatchableStructureWatchingPhase.h: Added.
            * dfg/DFGWatchpointCollectionPhase.cpp:
            (JSC::DFG::WatchpointCollectionPhase::handle):
            (JSC::DFG::WatchpointCollectionPhase::handleEdge): Deleted.
            * ftl/FTLCapabilities.cpp:
            (JSC::FTL::canCompile):
            * ftl/FTLIntrinsicRepository.h:
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::ftlUnreachable):
            (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
            (JSC::FTL::LowerDFGToLLVM::compileBlock):
            (JSC::FTL::LowerDFGToLLVM::compileNode):
            (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
            (JSC::FTL::LowerDFGToLLVM::compilePhi):
            (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
            (JSC::FTL::LowerDFGToLLVM::compileValueRep):
            (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
            (JSC::FTL::LowerDFGToLLVM::compileGetArgument):
            (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
            (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
            (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
            (JSC::FTL::LowerDFGToLLVM::compileArithMul):
            (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
            (JSC::FTL::LowerDFGToLLVM::compileArithMod):
            (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
            (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
            (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
            (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
            (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
            (JSC::FTL::LowerDFGToLLVM::compileGetById):
            (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
            (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
            (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
            (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
            (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
            (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
            (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
            (JSC::FTL::LowerDFGToLLVM::compileNewArray):
            (JSC::FTL::LowerDFGToLLVM::compileNewArrayBuffer):
            (JSC::FTL::LowerDFGToLLVM::compileAllocatePropertyStorage):
            (JSC::FTL::LowerDFGToLLVM::compileReallocatePropertyStorage):
            (JSC::FTL::LowerDFGToLLVM::compileToString):
            (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
            (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
            (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
            (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
            (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
            (JSC::FTL::LowerDFGToLLVM::compileSwitch):
            (JSC::FTL::LowerDFGToLLVM::compare):
            (JSC::FTL::LowerDFGToLLVM::boolify):
            (JSC::FTL::LowerDFGToLLVM::terminate):
            (JSC::FTL::LowerDFGToLLVM::lowInt32):
            (JSC::FTL::LowerDFGToLLVM::lowInt52):
            (JSC::FTL::LowerDFGToLLVM::opposite):
            (JSC::FTL::LowerDFGToLLVM::lowCell):
            (JSC::FTL::LowerDFGToLLVM::lowBoolean):
            (JSC::FTL::LowerDFGToLLVM::lowDouble):
            (JSC::FTL::LowerDFGToLLVM::lowJSValue):
            (JSC::FTL::LowerDFGToLLVM::speculate):
            (JSC::FTL::LowerDFGToLLVM::isArrayType):
            (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
            (JSC::FTL::LowerDFGToLLVM::callCheck):
            (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
            (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
            (JSC::FTL::LowerDFGToLLVM::setInt52):
            (JSC::FTL::LowerDFGToLLVM::crash):
            (JSC::FTL::LowerDFGToLLVM::compileStructureTransitionWatchpoint): Deleted.
            * ftl/FTLOutput.cpp:
            (JSC::FTL::Output::crashNonTerminal): Deleted.
            * ftl/FTLOutput.h:
            (JSC::FTL::Output::crash): Deleted.
            * jit/JITOperations.h:
            * jsc.cpp:
            (WTF::jscExit):
            (functionQuit):
            (main):
            (printUsageStatement):
            (CommandLine::parseArguments):
            * runtime/Structure.h:
            (JSC::Structure::dfgShouldWatchIfPossible):
            (JSC::Structure::dfgShouldWatch):
            * tests/stress/arrayify-to-structure-contradiction.js: Added.
            (foo):
            * tests/stress/ftl-getmyargumentslength-inline.js: Added.
            (foo):
            * tests/stress/multi-put-by-offset-multiple-transitions.js: Added.
            (foo):
            (Foo):
            * tests/stress/throw-from-ftl-in-loop.js: Added.
            * tests/stress/throw-from-ftl.js: Added.
            (foo):

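The unclobbered / clobbered / TOP states described in the entry above, as an added toy model; this is not JSC's StructureAbstractValue, and the `watchable` flag, the limit of 4 and the scenario values are constructed for illustration:

```cpp
#include <cstddef>
#include <map>

// Constructed toy model of the states the entry describes, not JSC's own
// StructureAbstractValue. A Structure is an id plus a flag saying whether the
// DFG can watch it (install a watchpoint that jettisons the compiled code if
// any object ever transitions away from that structure).
struct Structure { int id; bool watchable; };

class StructureAbstractValue {
public:
    // Constructed cap standing in for StructureAbstractValue::polymorphismLimit.
    static constexpr std::size_t polymorphismLimit = 4;

    bool isTop() const { return m_isTop; }
    bool isClobbered() const { return m_clobbered; }
    std::size_t size() const { return m_set.size(); }
    // TOP and a clobbered set ("plus all structures temporarily") admit everything.
    bool contains(const Structure& s) const { return m_isTop || m_clobbered || m_set.count(s.id) > 0; }

    // The value may also have structure s. Growing past the limit gives up to TOP.
    void add(const Structure& s)
    {
        if (m_isTop) return;
        m_set[s.id] = s.watchable;
        if (m_set.size() > polymorphismLimit) makeTop();
    }

    // Control-flow merge: union of the sets; TOP and the clobbered bit are sticky.
    void merge(const StructureAbstractValue& other)
    {
        if (m_isTop) return;
        if (other.m_isTop) { makeTop(); return; }
        m_clobbered = m_clobbered || other.m_clobbered;
        m_set.insert(other.m_set.begin(), other.m_set.end());
        if (m_set.size() > polymorphismLimit) makeTop();
    }

    // A structure check just proved the value has one of `checked` right now.
    // For TOP or a clobbered set the "all structures" part intersects down to
    // exactly `checked`, so the result is unclobbered and precise again.
    void filter(const std::map<int, bool>& checked)
    {
        if (m_isTop || m_clobbered) {
            m_set = checked;
            m_isTop = m_clobbered = false;
            return;
        }
        for (auto it = m_set.begin(); it != m_set.end();) {
            if (checked.count(it->first)) ++it; else it = m_set.erase(it);
        }
    }

    // A side effect may have transitioned the object. If every structure in the
    // set is watched, a transition away from it would already have jettisoned
    // this code, so the set stays meaningful and only the clobbered bit is set.
    // One unwatchable structure means nothing can be proven: TOP.
    void clobber()
    {
        if (m_isTop) return;
        for (const auto& entry : m_set)
            if (!entry.second) { makeTop(); return; }
        m_clobbered = true;
    }

    // Reaching an invalidation point with this code still valid means no watched
    // structure transitioned, so the "plus all structures" part goes away.
    void observeInvalidationPoint() { m_clobbered = false; }

private:
    void makeTop() { m_isTop = true; m_clobbered = false; m_set.clear(); }
    bool m_isTop = false;
    bool m_clobbered = false;
    std::map<int, bool> m_set; // structure id -> watchable
};

// Walks the cases from the entry: watched structures survive a clobber as a
// clobbered set and are exact again after an invalidation point, while an
// unwatchable member forces TOP until a structure check narrows it again.
bool runScenario()
{
    const Structure watchedA { 1, true }, watchedB { 2, true }, unwatchable { 3, false };
    StructureAbstractValue v;
    v.add(watchedA);
    v.add(watchedB);
    v.clobber(); // every member watched: clobbered, not TOP
    bool ok = v.isClobbered() && !v.isTop() && v.contains(unwatchable);
    v.observeInvalidationPoint(); // back to exactly {A, B}
    ok = ok && !v.isClobbered() && v.size() == 2 && !v.contains(unwatchable);
    StructureAbstractValue w;
    w.add(watchedA);
    w.add(unwatchable);
    w.clobber(); // cannot lean on watchpoints here: TOP
    ok = ok && w.isTop();
    v.merge(w); // TOP absorbs the merge
    v.filter({ { 1, true } }); // a CheckStructure proves {A} again
    return ok && !v.isTop() && v.size() == 1 && v.contains(watchedA) && !v.contains(watchedB);
}
```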
    2014-06-03  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] Unreviewed, roll out r169578. The build system needs some more love.

            * InlineRuntimeSymbolTable.h: Removed.
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * build-symbol-table-index.py:
            * build-symbol-table-index.sh:
            * copy-llvm-ir-to-derived-sources.sh:
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::handleCall):
            * dfg/DFGNode.h:
            (JSC::DFG::Node::canBeKnownFunction): Deleted.
            (JSC::DFG::Node::hasKnownFunction): Deleted.
            (JSC::DFG::Node::knownFunction): Deleted.
            (JSC::DFG::Node::giveKnownFunction): Deleted.
            * ftl/FTLAbbreviatedTypes.h:
            * ftl/FTLCompile.cpp:
            (JSC::FTL::compile):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
            (JSC::FTL::LowerDFGToLLVM::lower):
            (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
            (JSC::FTL::LowerDFGToLLVM::possiblyCompileInlineableNativeCall): Deleted.
            (JSC::FTL::LowerDFGToLLVM::getFunctionBySymbol): Deleted.
            (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): Deleted.
            (JSC::FTL::LowerDFGToLLVM::isInlinableSize): Deleted.
            * ftl/FTLState.cpp:
            (JSC::FTL::State::State):
            * ftl/FTLState.h:
            * heap/HandleStack.h:
            * llvm/InitializeLLVM.h:
            * llvm/InitializeLLVMMac.cpp: Removed.
            * llvm/InitializeLLVMMac.mm: Added.
            (JSC::initializeLLVMImpl):
            * llvm/LLVMAPIFunctions.h:
            * llvm/LLVMHeaders.h:
            * runtime/BundlePath.h: Removed.
            * runtime/BundlePath.mm: Removed.
            * runtime/DateConversion.h:
            * runtime/DateInstance.h:
            * runtime/ExceptionHelpers.h:
            * runtime/JSArray.h:
            * runtime/JSCJSValue.h:
            (JSC::JSValue::toFloat):
            * runtime/JSDateMath.h:
            * runtime/JSObject.h:
            * runtime/JSWrapperObject.h:
            * runtime/Options.h:
            * runtime/RegExp.h:
            * runtime/StringObject.h:
            * runtime/Structure.h:
            * tested-symbols.symlst: Removed.

    2014-06-03  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] FTL native inlining tests take far too long
            https://bugs.webkit.org/show_bug.cgi?id=133498

            Unreviewed test gardening.

            Added a new exceptions test since the other one appears to not work.

            * tests/stress/ftl-library-exception.js:
            * tests/stress/ftl-library-inline-gettimezoneoffset.js: Added.
            (foo):
            * tests/stress/ftl-library-inlining-exceptions-dataview.js: Added.
            (foo):
            * tests/stress/ftl-library-inlining-exceptions.js: Copied from LayoutTests/js/regress/script-tests/ftl-library-inlining-exceptions.js.
            * tests/stress/ftl-library-inlining-loops.js: Copied from LayoutTests/js/regress/script-tests/ftl-library-inlining-loops.js.
            * tests/stress/ftl-library-inlining-random.js:
            * tests/stress/ftl-library-substring.js:

    2014-06-03  Matthew Mirman  <mmirman@apple.com>

            [ftlopt] Added system for inlining native functions via the FTL.
            https://bugs.webkit.org/show_bug.cgi?id=131515

            Reviewed by Filip Pizlo.

            Also fixed the build to not compress the bitcode and to
            include all of the relevant runtime. With GCC_GENERATE_DEBUGGING_SYMBOLS = NO,
            the produced bitcode files are a 100th the size they were before.
            Now we can include all of the relevant runtime files with only a 3mb overhead.
            This is the same overhead as for two compressed files before,
            but done more efficiently (on both ends) and with less code.

            Deciding whether to inline native functions is left up to LLVM.
            The entire module containing the function is linked into the current
            compiled JS so that inlining the native functions shouldn't make them smaller.

            Rather than loading Runtime.symtbl at runtime FTLState.cpp now includes a file
            InlineRuntimeSymbolTable.h which statically builds the symbol table hash table.
            Currently build-symbol-table-index.py updates this file from the
            contents of tested-symbols.symlst when done building as a matter of convenience.
            However, in order to include the new contents of the file in the build
            you'd need to build twice.  This will be fixed in future versions.

            * JavaScriptCore.xcodeproj/project.pbxproj: Added back runtime files to compile.
            * build-symbol-table-index.py: Changed bitcode suffix.
            Added inclusion of only tested symbols.
            Added output to InlineRuntimeSymbolTable.h.
            * build-symbol-table-index.sh: Changed bitcode suffix.
            * copy-llvm-ir-to-derived-sources.sh: Removed gzip compression.
            * tested-symbols.symlst: Added.
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::handleCall):
            Now sets the knownFunction of the call node if such a function exists
            and emits a check that during runtime the callee is in fact known.
            * dfg/DFGNode.h:
            Added functions to set the known function of a call node.
            (JSC::DFG::Node::canBeKnownFunction): Added.
            (JSC::DFG::Node::hasKnownFunction): Added.
            (JSC::DFG::Node::knownFunction): Added.
            (JSC::DFG::Node::giveKnownFunction): Added.
            * ftl/FTLAbbreviatedTypes.h: Added a typedef for LLVMMemoryBufferRef
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::isInlinableSize): Added. Hardcoded threshold to 275.
            (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): Added.
            (JSC::FTL::LowerDFGToLLVM::getFunctionBySymbol): Added.
            (JSC::FTL::LowerDFGToLLVM::possiblyCompileInlineableNativeCall): Added.
            (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
            Added call to possiblyCompileInlineableNativeCall
            * ftl/FTLOutput.h:
            (JSC::FTL::Output::allocaName):  Added. Useful for debugging.
            * ftl/FTLState.cpp:
            (JSC::FTL::State::State): Added an include for InlineRuntimeSymbolTable.h
            * ftl/FTLState.h: Added symbol table hash table.
            * ftl/FTLCompile.cpp:
            (JSC::FTL::compile): Added inlining and dead function elimination passes.
            * heap/HandleStack.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile.
            * InlineRuntimeSymbolTable.h: Added.
            * llvm/InitializeLLVMMac.mm: Deleted.
            * llvm/InitializeLLVMMac.cpp: Added.
            * llvm/LLVMAPIFunctions.h: Added macros to include Bitcode parsing and linking functions.
            * llvm/LLVMHeaders.h: Added includes for Bitcode parsing and linking.
            * runtime/BundlePath.h: Added.
            * runtime/BundlePath.mm: Added.
            * runtime/DateInstance.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile.
            * runtime/DateInstance.h: ditto.
            * runtime/DateConversion.h: ditto.
            * runtime/ExceptionHelpers.h: ditto.
            * runtime/JSCJSValue.h: ditto.
            * runtime/JSArray.h: ditto.
            * runtime/JSDateMath.h: ditto.
            * runtime/JSObject.h: ditto.
            * runtime/JSObject.h: ditto.
            * runtime/RegExp.h: ditto.
            * runtime/Structure.h: ditto.
            * runtime/Options.h:  Added maximumLLVMInstructionCountForNativeInlining.
            * tests/stress/ftl-library-inlining-random.js: Added.
            * tests/stress/ftl-library-substring.js: Added.

    2014-05-21  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] DFG::clobberize should be blind to the effects of GC
            https://bugs.webkit.org/show_bug.cgi?id=133166

            Reviewed by Geoffrey Garen.

            Move the computation of where GCs happen to DFG::doesGC().

            Large (>5x) speed-up on programs that do loop-invariant string concatenations.

            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * dfg/DFGAbstractHeap.h:
            * dfg/DFGClobberize.h:
            (JSC::DFG::clobberize):
            (JSC::DFG::clobberizeForAllocation): Deleted.
            * dfg/DFGDoesGC.cpp: Added.
            (JSC::DFG::doesGC):
            * dfg/DFGDoesGC.h: Added.
            * dfg/DFGStoreBarrierElisionPhase.cpp:
            (JSC::DFG::StoreBarrierElisionPhase::handleNode):
            (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC): Deleted.

    2014-05-16  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] A StructureSet with one element should only require one word and no allocation
            https://bugs.webkit.org/show_bug.cgi?id=133014

            Reviewed by Oliver Hunt.

            This makes it more efficient to use StructureSet in situations where the common case is
            just one structure.

            I also took the opportunity to use the same set terminology we use in BitVector: merge,
            filter, exclude, contains, etc.

            Eventually, this will be used to implement StructureAbstractValue as well.

            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/StructureSet.cpp: Added.
            (JSC::StructureSet::StructureSet):
            (JSC::StructureSet::operator=):
            (JSC::StructureSet::clear):
            (JSC::StructureSet::add):
            (JSC::StructureSet::remove):
            (JSC::StructureSet::contains):
            (JSC::StructureSet::merge):
            (JSC::StructureSet::filter):
            (JSC::StructureSet::exclude):
            (JSC::StructureSet::isSubsetOf):
            (JSC::StructureSet::overlaps):
            (JSC::StructureSet::operator==):
            (JSC::StructureSet::speculationFromStructures):
            (JSC::StructureSet::arrayModesFromStructures):
            (JSC::StructureSet::dumpInContext):
            (JSC::StructureSet::dump):
            (JSC::StructureSet::addOutOfLine):
            (JSC::StructureSet::containsOutOfLine):
            (JSC::StructureSet::copyFrom):
            (JSC::StructureSet::OutOfLineList::create):
            (JSC::StructureSet::OutOfLineList::destroy):
            * bytecode/StructureSet.h:
            (JSC::StructureSet::StructureSet):
            (JSC::StructureSet::~StructureSet):
            (JSC::StructureSet::onlyStructure):
            (JSC::StructureSet::isEmpty):
            (JSC::StructureSet::size):
            (JSC::StructureSet::at):
            (JSC::StructureSet::operator[]):
            (JSC::StructureSet::last):
            (JSC::StructureSet::OutOfLineList::list):
            (JSC::StructureSet::OutOfLineList::OutOfLineList):
            (JSC::StructureSet::deleteStructureListIfNecessary):
            (JSC::StructureSet::isThin):
            (JSC::StructureSet::pointer):
            (JSC::StructureSet::singleStructure):
            (JSC::StructureSet::structureList):
            (JSC::StructureSet::set):
            (JSC::StructureSet::clear): Deleted.
            (JSC::StructureSet::add): Deleted.
            (JSC::StructureSet::addAll): Deleted.
            (JSC::StructureSet::remove): Deleted.
            (JSC::StructureSet::contains): Deleted.
            (JSC::StructureSet::containsOnly): Deleted.
            (JSC::StructureSet::isSubsetOf): Deleted.
            (JSC::StructureSet::overlaps): Deleted.
            (JSC::StructureSet::singletonStructure): Deleted.
            (JSC::StructureSet::speculationFromStructures): Deleted.
            (JSC::StructureSet::arrayModesFromStructures): Deleted.
            (JSC::StructureSet::operator==): Deleted.
            (JSC::StructureSet::dumpInContext): Deleted.
            (JSC::StructureSet::dump): Deleted.
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
            (JSC::DFG::ByteCodeParser::handleGetById):
            (JSC::DFG::ByteCodeParser::parseBlock):
            * dfg/DFGCSEPhase.cpp:
            (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
            * dfg/DFGNode.h:
            (JSC::DFG::Node::convertToStructureTransitionWatchpoint):
            * dfg/DFGTypeCheckHoistingPhase.cpp:
            (JSC::DFG::TypeCheckHoistingPhase::noticeStructureCheck):

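The one-word representation that the StructureSet entry above describes, as an added example that is not JavaScriptCore's own StructureSet code: a pointer set that keeps a single element inline in one machine word, allocates an out-of-line list only when a second element arrives, drops back to the inline form when the list shrinks to one, and uses the BitVector-style merge/filter/exclude vocabulary. The Structure stand-in type, the low-bit tag, std::vector as the out-of-line list, and the SmallPointerSet and smallPointerSetSelfCheck names are assumptions of this example.

```cpp
// Added example (not JavaScriptCore's StructureSet): a pointer set whose
// one-element case is a single word with no heap allocation. Structure is a
// stand-in type; the low pointer bit tags an out-of-line list.
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <vector>

struct alignas(8) Structure { int id; }; // alignment guarantees the low bit is free

class SmallPointerSet {
    using OutOfLineList = std::vector<Structure*>;
    static constexpr uintptr_t fatTag = 1;
    // 0: empty; untagged pointer: exactly one Structure; tagged pointer: OutOfLineList*.
    uintptr_t m_pointer = 0;

    bool isThin() const { return !(m_pointer & fatTag); }
    Structure* single() const { return reinterpret_cast<Structure*>(m_pointer); }
    OutOfLineList* list() const { return reinterpret_cast<OutOfLineList*>(m_pointer & ~fatTag); }
    void copyFrom(const SmallPointerSet& o) {
        m_pointer = o.isThin() ? o.m_pointer
                               : reinterpret_cast<uintptr_t>(new OutOfLineList(*o.list())) | fatTag;
    }

public:
    SmallPointerSet() = default;
    explicit SmallPointerSet(Structure* s) : m_pointer(reinterpret_cast<uintptr_t>(s)) {}
    SmallPointerSet(const SmallPointerSet& o) { copyFrom(o); }
    SmallPointerSet& operator=(const SmallPointerSet& o) {
        if (this != &o) { clear(); copyFrom(o); }
        return *this;
    }
    ~SmallPointerSet() { clear(); }

    void clear() { if (!isThin()) delete list(); m_pointer = 0; }
    bool isEmpty() const { return !m_pointer; }
    bool usesOutOfLineStorage() const { return !isThin(); }
    size_t size() const { return isEmpty() ? 0 : isThin() ? 1 : list()->size(); }
    Structure* at(size_t i) const { return isThin() ? single() : (*list())[i]; }
    // The fast question callers usually ask: is this set exactly one structure?
    Structure* onlyStructure() const { return size() == 1 ? at(0) : nullptr; }

    bool contains(Structure* s) const {
        if (isThin()) return !isEmpty() && single() == s;
        return std::find(list()->begin(), list()->end(), s) != list()->end();
    }
    // Returns true if s was new. Only the 1 -> 2 transition allocates.
    bool add(Structure* s) {
        if (contains(s)) return false;
        if (isEmpty()) m_pointer = reinterpret_cast<uintptr_t>(s);
        else if (isThin()) m_pointer = reinterpret_cast<uintptr_t>(new OutOfLineList{single(), s}) | fatTag;
        else list()->push_back(s);
        return true;
    }
    bool remove(Structure* s) {
        if (!contains(s)) return false;
        if (isThin()) { m_pointer = 0; return true; }
        OutOfLineList* l = list();
        l->erase(std::find(l->begin(), l->end(), s));
        if (l->size() == 1) { // back to the thin form: free the list, keep the survivor inline
            Structure* last = l->front();
            delete l;
            m_pointer = reinterpret_cast<uintptr_t>(last);
        }
        return true;
    }
    // BitVector-style vocabulary: merge = union, filter = intersection, exclude = difference.
    void merge(const SmallPointerSet& o) { for (size_t i = 0; i < o.size(); ++i) add(o.at(i)); }
    void filter(const SmallPointerSet& o) {
        SmallPointerSet kept;
        for (size_t i = 0; i < size(); ++i) if (o.contains(at(i))) kept.add(at(i));
        *this = kept;
    }
    void exclude(const SmallPointerSet& o) { for (size_t i = 0; i < o.size(); ++i) remove(o.at(i)); }
    bool isSubsetOf(const SmallPointerSet& o) const {
        for (size_t i = 0; i < size(); ++i) if (!o.contains(at(i))) return false;
        return true;
    }
    bool overlaps(const SmallPointerSet& o) const {
        for (size_t i = 0; i < size(); ++i) if (o.contains(at(i))) return true;
        return false;
    }
};
static_assert(sizeof(SmallPointerSet) == sizeof(void*), "one word, as the entry promises");

// Walks the set through thin -> out-of-line -> thin; returns true when every expectation holds.
bool smallPointerSetSelfCheck() {
    static Structure a{1}, b{2}, c{3}; // constructed sample structures
    SmallPointerSet s(&a);
    bool ok = s.size() == 1 && s.onlyStructure() == &a && !s.usesOutOfLineStorage();
    ok = ok && s.add(&b) && s.usesOutOfLineStorage() && s.size() == 2 && !s.onlyStructure();
    ok = ok && !s.add(&b);                        // duplicates are ignored
    SmallPointerSet t(&b); t.add(&c);
    ok = ok && s.overlaps(t) && !s.isSubsetOf(t);
    SmallPointerSet u = s; u.merge(t);            // {a, b, c}
    ok = ok && u.size() == 3 && t.isSubsetOf(u);
    u.filter(t);                                  // {b, c}
    ok = ok && u.size() == 2 && !u.contains(&a);
    u.exclude(SmallPointerSet(&c));               // {b}: the list is freed, b is inline again
    ok = ok && u.onlyStructure() == &b && !u.usesOutOfLineStorage();
    return ok;
}

int main() { bool ok = smallPointerSetSelfCheck(); std::puts(ok ? "ok" : "FAILED"); return ok ? 0 : 1; }
```

The self-check deliberately crosses the out-of-line boundary in both directions, since the transition back to one element is where a forgotten delete or a stale tag bit would surface; the static_assert pins the property the entry is after, that the common one-structure case costs one word and no allocation.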
2014-07-22  Ryuan Choi  <ryuan.choi@samsung.com>

        Unreviewed build fix attempt on the EFL port after r171362.

        Build break because of -Werror=return-type

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::makesCalls):

2014-07-22  Joseph Pecoraro  <pecoraro@apple.com>

        JSLock release should only modify the AtomicStringTable if it modified in acquire
        https://bugs.webkit.org/show_bug.cgi?id=135143

        Reviewed by Pratik Solanki.

        * runtime/JSLock.cpp:
        (JSC::JSLock::willDestroyVM):
        (JSC::JSLock::willReleaseLock):
        Only set the AtomicStringTable when there was a VM, to balance JSLock::didAcquireLock.

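The acquire/release balance that the JSLock entry above restores, as an added example that is not JavaScriptCore's JSLock: a scoped lock swaps the thread's current atomic-string table for the VM's on acquire, and on release restores the previous table only if acquire actually swapped it, beside the unbalanced shape that restores unconditionally and so overwrites the thread's table when the lock was taken with no VM. AtomicStringTable, VM, the thread-local currentTable pointer and the BalancedVMLock/UnbalancedVMLock names are stand-ins assumed by this example.

```cpp
// Added example (not JavaScriptCore's JSLock): release must undo only what
// acquire did. The table, VM and thread-local pointer are stand-ins.
#include <cstdio>

struct AtomicStringTable { const char* name; };
struct VM { AtomicStringTable table{"vm"}; };
static thread_local AtomicStringTable* currentTable = nullptr; // table the thread interns into

class BalancedVMLock {
    VM* m_vm;
    AtomicStringTable* m_entryTable = nullptr;
    bool m_swapped = false;
public:
    explicit BalancedVMLock(VM* vm) : m_vm(vm) { didAcquireLock(); }
    ~BalancedVMLock() { willReleaseLock(); }
    void didAcquireLock() {
        if (!m_vm) return;          // no VM: the thread's table is left alone ...
        m_entryTable = currentTable;
        currentTable = &m_vm->table;
        m_swapped = true;
    }
    void willReleaseLock() {
        if (!m_swapped) return;     // ... so release must not touch it either
        currentTable = m_entryTable;
        m_swapped = false;
    }
};

// The unbalanced shape for contrast: release restores unconditionally, so a
// lock taken while no VM exists overwrites whatever table the thread had.
class UnbalancedVMLock {
    VM* m_vm;
    AtomicStringTable* m_entryTable = nullptr;
public:
    explicit UnbalancedVMLock(VM* vm) : m_vm(vm) {
        if (!m_vm) return;
        m_entryTable = currentTable;
        currentTable = &m_vm->table;
    }
    ~UnbalancedVMLock() { currentTable = m_entryTable; } // nullptr in the no-VM case
};

bool balancedLockKeepsTableWithoutVM() {
    AtomicStringTable threadTable{"thread"};
    currentTable = &threadTable;
    { BalancedVMLock lock(nullptr); }
    return currentTable == &threadTable;
}

bool unbalancedLockClobbersTableWithoutVM() {
    AtomicStringTable threadTable{"thread"};
    currentTable = &threadTable;
    { UnbalancedVMLock lock(nullptr); }
    return currentTable == nullptr;   // the thread's table is gone
}

bool balancedLockSwapsAndRestoresWithVM() {
    AtomicStringTable threadTable{"thread"};
    VM vm;
    currentTable = &threadTable;
    bool swappedIn;
    { BalancedVMLock lock(&vm); swappedIn = currentTable == &vm.table; }
    return swappedIn && currentTable == &threadTable;
}

int main() {
    bool ok = balancedLockKeepsTableWithoutVM() && unbalancedLockClobbersTableWithoutVM()
        && balancedLockSwapsAndRestoresWithVM();
    std::puts(ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The flag recorded at acquire time, rather than a re-check of the VM pointer at release time, is the point: the condition that decided whether state was swapped has to be the same condition that decides whether it is restored.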
2014-07-22  Filip Pizlo  <fpizlo@apple.com>

        Fix cloop build.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeExitSiteData):

2014-07-22  Filip Pizlo  <fpizlo@apple.com>

        Merge r168635, r168780, r169005, r169014, and r169143 from ftlopt.

    2014-05-20  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] DFG bytecode parser should turn GetById with nothing but a Getter stub as stuff+handleCall, and handleCall should be allowed to inline if it wants to
            https://bugs.webkit.org/show_bug.cgi?id=133105

            Reviewed by Michael Saboff.

            - GetByIdStatus now knows about getters and can report intelligent things about them.
              As is usually the case with how we do these things, GetByIdStatus knows more about
              getters than the DFG can actually handle: it'll report details about polymorphic
              getter calls even though the DFG won't be able to handle those. This is fine; the DFG
              will see those statuses and bail to a generic slow path.

            - The DFG::ByteCodeParser now knows how to set up and do handleCall() for a getter call.
              This can, and usually does, result in inlining of getters!

            - CodeOrigin and OSR exit know about inlined getter calls. When you OSR out of an
              inlined getter, we set the return PC to a getter return thunk that fixes up the stack.
              We use the usual offset-true-return-PC trick, where OSR exit places the true return PC
              of the getter's caller as a phony argument that only the thunk knows how to find.

            - Removed a bunch of dead monomorphic chain support from StructureStubInfo.

            - A large chunk of this change is dragging GetGetterSetterByOffset, GetGetter, and
              GetSetter through the DFG and FTL. GetGetterSetterByOffset is like GetByOffset except
              that we know that we're returning a GetterSetter cell. GetGetter and GetSetter extract
              the getter, or setter, from the GetterSetter.

            This is a ~2.5x speed-up on the getter microbenchmarks that we already had. So far none
            of the "real" benchmarks exercise getters enough for this to matter. But I noticed that
            some of the variants of the Richards benchmark in other languages - for example
            Wolczko's Java translation of a C++ translation of Deutsch's Smalltalk version - use
            getters and setters extensively. So, I created a getter/setter JavaScript version of
            Richards and put it in regress/script-tests/getter-richards.js. That sees about a 2.4x
            speed-up from this patch, which is very reassuring.

            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::printGetByIdCacheStatus):
            (JSC::CodeBlock::findStubInfo):
            * bytecode/CodeBlock.h:
            * bytecode/CodeOrigin.cpp:
            (WTF::printInternal):
            * bytecode/CodeOrigin.h:
            (JSC::InlineCallFrame::specializationKindFor):
            * bytecode/GetByIdStatus.cpp:
            (JSC::GetByIdStatus::computeFor):
            (JSC::GetByIdStatus::computeForStubInfo):
            (JSC::GetByIdStatus::makesCalls):
            (JSC::GetByIdStatus::computeForChain): Deleted.
            * bytecode/GetByIdStatus.h:
            (JSC::GetByIdStatus::makesCalls): Deleted.
            * bytecode/GetByIdVariant.cpp:
            (JSC::GetByIdVariant::~GetByIdVariant):
            (JSC::GetByIdVariant::GetByIdVariant):
            (JSC::GetByIdVariant::operator=):
            (JSC::GetByIdVariant::dumpInContext):
            * bytecode/GetByIdVariant.h:
            (JSC::GetByIdVariant::GetByIdVariant):
            (JSC::GetByIdVariant::callLinkStatus):
            * bytecode/PolymorphicGetByIdList.cpp:
            (JSC::GetByIdAccess::fromStructureStubInfo):
            (JSC::PolymorphicGetByIdList::from):
            * bytecode/SpeculatedType.h:
            * bytecode/StructureStubInfo.cpp:
            (JSC::StructureStubInfo::deref):
            (JSC::StructureStubInfo::visitWeakReferences):
            * bytecode/StructureStubInfo.h:
            (JSC::isGetByIdAccess):
            (JSC::StructureStubInfo::initGetByIdChain): Deleted.
            * dfg/DFGAbstractHeap.h:
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::addCall):
            (JSC::DFG::ByteCodeParser::handleCall):
            (JSC::DFG::ByteCodeParser::handleInlining):
            (JSC::DFG::ByteCodeParser::handleGetByOffset):
            (JSC::DFG::ByteCodeParser::handleGetById):
            (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
            (JSC::DFG::ByteCodeParser::parse):
            * dfg/DFGCSEPhase.cpp:
            (JSC::DFG::CSEPhase::getGetterSetterByOffsetLoadElimination):
            (JSC::DFG::CSEPhase::getInternalFieldLoadElimination):
            (JSC::DFG::CSEPhase::performNodeCSE):
            (JSC::DFG::CSEPhase::getTypedArrayByteOffsetLoadElimination): Deleted.
            * dfg/DFGClobberize.h:
            (JSC::DFG::clobberize):
            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::fixupNode):
            * dfg/DFGJITCompiler.cpp:
            (JSC::DFG::JITCompiler::linkFunction):
            * dfg/DFGNode.h:
            (JSC::DFG::Node::hasStorageAccessData):
            * dfg/DFGNodeType.h:
            * dfg/DFGOSRExitCompilerCommon.cpp:
            (JSC::DFG::reifyInlinedCallFrames):
            * dfg/DFGPredictionPropagationPhase.cpp:
            (JSC::DFG::PredictionPropagationPhase::propagate):
            * dfg/DFGSafeToExecute.h:
            (JSC::DFG::safeToExecute):
            * dfg/DFGSpeculativeJIT32_64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGSpeculativeJIT64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * ftl/FTLAbstractHeapRepository.cpp:
            * ftl/FTLAbstractHeapRepository.h:
            * ftl/FTLCapabilities.cpp:
            (JSC::FTL::canCompile):
            * ftl/FTLLink.cpp:
            (JSC::FTL::link):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileNode):
            (JSC::FTL::LowerDFGToLLVM::compileGetGetter):
            (JSC::FTL::LowerDFGToLLVM::compileGetSetter):
            * jit/AccessorCallJITStubRoutine.h:
            * jit/JIT.cpp:
            (JSC::JIT::assertStackPointerOffset):
            (JSC::JIT::privateCompile):
            * jit/JIT.h:
            * jit/JITPropertyAccess.cpp:
            (JSC::JIT::emit_op_get_by_id):
            * jit/ThunkGenerators.cpp:
            (JSC::arityFixupGenerator):
            (JSC::baselineGetterReturnThunkGenerator):
            (JSC::baselineSetterReturnThunkGenerator):
            (JSC::arityFixup): Deleted.
            * jit/ThunkGenerators.h:
            * runtime/CommonSlowPaths.cpp:
            (JSC::setupArityCheckData):
            * tests/stress/exit-from-getter.js: Added.
            * tests/stress/poly-chain-getter.js: Added.
            (Cons):
            (foo):
            (test):
            * tests/stress/poly-chain-then-getter.js: Added.
            (Cons1):
            (Cons2):
            (foo):
            (test):
            * tests/stress/poly-getter-combo.js: Added.
            (Cons1):
            (Cons2):
            (foo):
            (test):
            (.test):
            * tests/stress/poly-getter-then-chain.js: Added.
            (Cons1):
            (Cons2):
            (foo):
            (test):
            * tests/stress/poly-getter-then-self.js: Added.
            (foo):
            (test):
            (.test):
            * tests/stress/poly-self-getter.js: Added.
            (foo):
            (test):
            (getter):
            * tests/stress/poly-self-then-getter.js: Added.
            (foo):
            (test):
            * tests/stress/weird-getter-counter.js: Added.
            (foo):
            (test):

    2014-05-17  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] Factor out how CallLinkStatus uses exit site data
            https://bugs.webkit.org/show_bug.cgi?id=133042

            Reviewed by Anders Carlsson.

            This makes it easier to use CallLinkStatus from clients that are calling into after
            already holding some of the relevant locks. This is necessary because we use a "one lock
            at a time" policy for CodeBlock locks: if you hold one then you're not allowed to acquire
            any of the others. So, any code that needs to lock multiple CodeBlock locks needs to sort
            of lock one, do some stuff, release it, then lock another, and then do more stuff. The
            exit site data corresponds to the stuff you do while holding the baseline lock, while the
            CallLinkInfo method corresponds to the stuff you do while holding the CallLinkInfo owner's
            lock.

            * bytecode/CallLinkStatus.cpp:
            (JSC::CallLinkStatus::computeFor):
            (JSC::CallLinkStatus::computeExitSiteData):
            (JSC::CallLinkStatus::computeDFGStatuses):
            * bytecode/CallLinkStatus.h:
            (JSC::CallLinkStatus::ExitSiteData::ExitSiteData):

    2014-05-17  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] InlineCallFrame::isCall should be an enumeration
            https://bugs.webkit.org/show_bug.cgi?id=133034

            Reviewed by Sam Weinig.

            Once we start inlining getters and setters, we'll want InlineCallFrame to be able to tell
            us that the inlined call was a getter call or a setter call. Initially I thought I would
            have a new field called "kind" that would have components NormalCall, GetterCall, and
            SetterCall. But that doesn't make sense, because for GetterCall and SetterCall, isCall
            would have to be true. Hence, it makes more sense to have one enumeration that is Call,
            Construct, GetterCall, or SetterCall. This patch is a first step towards this.

            It's interesting that isClosureCall should probably still be separate, since getter and
            setter inlining could inline closure calls.

            * bytecode/CodeBlock.h:
            (JSC::baselineCodeBlockForInlineCallFrame):
            * bytecode/CodeOrigin.cpp:
            (JSC::InlineCallFrame::dumpInContext):
            (WTF::printInternal):
            * bytecode/CodeOrigin.h:
            (JSC::InlineCallFrame::kindFor):
            (JSC::InlineCallFrame::specializationKindFor):
            (JSC::InlineCallFrame::InlineCallFrame):
            (JSC::InlineCallFrame::specializationKind):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
            * dfg/DFGOSRExitPreparation.cpp:
            (JSC::DFG::prepareCodeOriginForOSRExit):
            * runtime/Arguments.h:
            (JSC::Arguments::finishCreation):

    2014-05-13  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] DFG should not exit due to inadequate profiling coverage when it can trivially fill in the profiling coverage due to variable constant inference and the better prediction modeling of typed array GetByVals
            https://bugs.webkit.org/show_bug.cgi?id=132896

            Reviewed by Geoffrey Garen.

            This is a slight win on SunSpider, but it's meant to ultimately help us on
            embenchen/lua. We already do well on that benchmark but our convergence is slower than
            I'd like.

            * dfg/DFGArrayMode.cpp:
            (JSC::DFG::ArrayMode::refine):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::parseBlock):
            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::fixupNode):
            * dfg/DFGPredictionPropagationPhase.cpp:
            (JSC::DFG::PredictionPropagationPhase::propagate):

    2014-05-08  Filip Pizlo  <fpizlo@apple.com>

            jsSubstring() should be lazy
            https://bugs.webkit.org/show_bug.cgi?id=132556

            Reviewed by Andreas Kling.

            jsSubstring() is now lazy by using a special rope that is a substring instead of a
            concatenation. To make this patch super simple, we require that a substring's base is
            never a rope. Hence, when resolving a rope, we either go down a non-recursive substring
            path, or we go down a concatenation path which may see exactly one level of substrings in
            its fibers.

            This is up to a 50% speed-up on microbenchmarks and a 10% speed-up on Octane/regexp.

            Relanding this with assertion fixes.

            * heap/MarkedBlock.cpp:
            (JSC::MarkedBlock::specializedSweep):
            * runtime/JSString.cpp:
            (JSC::JSRopeString::visitFibers):
            (JSC::JSRopeString::resolveRopeInternal8):
            (JSC::JSRopeString::resolveRopeInternal16):
            (JSC::JSRopeString::clearFibers):
            (JSC::JSRopeString::resolveRope):
            (JSC::JSRopeString::resolveRopeSlowCase8):
            (JSC::JSRopeString::resolveRopeSlowCase):
            * runtime/JSString.h:
            (JSC::JSRopeString::finishCreation):
            (JSC::JSRopeString::append):
            (JSC::JSRopeString::create):
            (JSC::JSRopeString::offsetOfFibers):
            (JSC::JSRopeString::fiber):
            (JSC::JSRopeString::substringBase):
            (JSC::JSRopeString::substringOffset):
            (JSC::JSRopeString::notSubstringSentinel):
            (JSC::JSRopeString::substringSentinel):
            (JSC::JSRopeString::isSubstring):
            (JSC::JSRopeString::setIsSubstring):
            (JSC::jsSubstring):
            * runtime/RegExpMatchesArray.cpp:
            (JSC::RegExpMatchesArray::reifyAllProperties):
            * runtime/StringPrototype.cpp:
            (JSC::stringProtoFuncSubstring):

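The lazy substring rope described in the jsSubstring() entry above, as an added example that is not JavaScriptCore's JSRopeString: a substring node records a base, an offset and a length instead of copying characters, the base is forced flat before the node is created so a substring's base is never a rope, and resolving therefore has a non-recursive substring path and a concatenation path that reads substring fibers directly without recursing into them. The StringNode/StringRef types, the shared_ptr ownership, and the makeFlat, concat, substring, resolve and ropeSelfCheck names are assumptions of this example; it also shows the clamping of out-of-range offsets, which the entry does not describe.

```cpp
// Added example (not JavaScriptCore's JSRopeString): a rope with a lazy
// substring node whose base is always flat. Names are illustrative.
#include <memory>
#include <string>
#include <vector>

struct StringNode;
using StringRef = std::shared_ptr<StringNode>;

struct StringNode {
    enum class Kind { Flat, Concat, Substring };
    Kind kind = Kind::Flat;
    std::string flat;              // Flat: the characters
    std::vector<StringRef> fibers; // Concat: pieces, each flat, concat or substring
    StringRef base;                // Substring: a Flat node, never a rope
    size_t offset = 0;             // Substring: where the view starts in base->flat
    size_t length = 0;             // logical length for every kind
    bool isRope() const { return kind != Kind::Flat; }
    bool isSubstring() const { return kind == Kind::Substring; }
};

StringRef makeFlat(std::string s) {
    auto n = std::make_shared<StringNode>();
    n->length = s.size();
    n->flat = std::move(s);
    return n;
}

StringRef concat(const StringRef& a, const StringRef& b) {
    auto n = std::make_shared<StringNode>();
    n->kind = StringNode::Kind::Concat;
    n->fibers = {a, b};
    n->length = a->length + b->length;
    return n;
}

// Materialises the characters in place, then drops the fibers or base.
const std::string& resolve(const StringRef& s) {
    if (s->kind == StringNode::Kind::Substring) {
        // Non-recursive path: the base is flat by construction.
        s->flat = s->base->flat.substr(s->offset, s->length);
        s->base.reset();
    } else if (s->kind == StringNode::Kind::Concat) {
        std::string out;
        out.reserve(s->length);
        for (const StringRef& f : s->fibers) {
            if (f->isSubstring())
                out.append(f->base->flat, f->offset, f->length); // one level, no recursion
            else
                out += resolve(f); // flat returns at once; nested concats recurse
        }
        s->flat = std::move(out);
        s->fibers.clear();
    }
    s->kind = StringNode::Kind::Flat;
    return s->flat;
}

// Lazy substring: O(1) and shares the base's storage. Out-of-range requests are clamped.
StringRef substring(const StringRef& s, size_t offset, size_t length) {
    if (offset > s->length) offset = s->length;
    if (length > s->length - offset) length = s->length - offset;
    if (offset == 0 && length == s->length) return s;
    if (length == 0) return makeFlat("");
    if (s->isRope()) resolve(s); // invariant: a substring's base is never a rope
    auto n = std::make_shared<StringNode>();
    n->kind = StringNode::Kind::Substring;
    n->base = s;
    n->offset = offset;
    n->length = length;
    return n;
}

// Exercises the invariants on constructed strings; returns true when they all hold.
bool ropeSelfCheck() {
    StringRef base = makeFlat("hello, world");
    StringRef world = substring(base, 7, 5);                 // no copy yet
    bool ok = world->isSubstring() && world->base == base && !base->isRope();
    StringRef rope = concat(makeFlat("ab"), substring(makeFlat("xyz"), 1, 2));
    ok = ok && rope->isRope() && resolve(rope) == "abyz" && !rope->isRope();
    StringRef lazy = concat(world, makeFlat("!"));
    StringRef viaRope = substring(lazy, 1, 4);               // forces lazy to resolve first
    ok = ok && !lazy->isRope() && viaRope->base == lazy && resolve(viaRope) == "orld";
    ok = ok && world->isSubstring() && resolve(world) == "world"; // untouched by lazy's resolve
    ok = ok && substring(base, 50, 3)->length == 0;          // clamped, not out of bounds
    return ok;
}
```

Resolving the concatenation reads the substring fiber's base directly and leaves the substring node itself unresolved, which is the "exactly one level of substrings" the entry refers to; the clamping in substring() is what keeps the later substr() calls inside the base's storage.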
2014-07-21  Sam Weinig  <sam@webkit.org>

        [Cocoa] WKScriptMessageHandlers don't seem to function properly after navigating
        https://bugs.webkit.org/show_bug.cgi?id=135148

        Reviewed by Geoffrey Garen.

        * runtime/CommonIdentifiers.h:
        Add a common identifier for the string "webkit".

2014-07-22  Filip Pizlo  <fpizlo@apple.com>

        ASSERTION FAILED: info.spillFormat() & DataFormatJS in JSC::DFG::SpeculativeJIT::fillSpeculateCell
        https://bugs.webkit.org/show_bug.cgi?id=135155
        <rdar://problem/17763909>

        Reviewed by Oliver Hunt.

        The DFG fillSpeculate code paths all need to be mindful of the fact that they may be stumbling upon a
        contradiction, and that this is OK. In this case, we were speculating cell on an int.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        * tests/stress/regress-135155.js: Added.
        (run.t.length):
        (run):

2014-07-18  Filip Pizlo  <fpizlo@apple.com>

        Extend exception fuzzing to the LLInt
        https://bugs.webkit.org/show_bug.cgi?id=135076

        Reviewed by Oliver Hunt.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jit/JITOperations.cpp:
        (JSC::numberOfExceptionFuzzChecks): Deleted.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setUpCall):
        * runtime/CommonSlowPaths.cpp:
        * runtime/ExceptionFuzz.cpp: Added.
        (JSC::numberOfExceptionFuzzChecks):
        (JSC::doExceptionFuzzing):
        * runtime/ExceptionFuzz.h: Added.
        (JSC::doExceptionFuzzingIfEnabled):

2014-07-21  Mark Lam  <mark.lam@apple.com>

        Refactor ArrayPrototype to use getLength() and putLength() utility functions.
        https://bugs.webkit.org/show_bug.cgi?id=135139.

        Reviewed by Oliver Hunt.

        - Specialize putProperty() to putLength() because it is only used for setting
          the length property.
        - Added a getLength() utility function to get the value of the length property.
        - Use these getLength() and putLength() functions instead of the existing code
          to get and put the length property.  Less code to read, easier to understand.

        * runtime/ArrayPrototype.cpp:
        (JSC::getLength):
        (JSC::putLength):
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::arrayProtoFuncJoin):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSort):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        (JSC::arrayProtoFuncReduce):
        (JSC::arrayProtoFuncReduceRight):
        (JSC::arrayProtoFuncIndexOf):
        (JSC::arrayProtoFuncLastIndexOf):
        (JSC::putProperty): Deleted.

2014-07-21  Diego Pino Garcia  <dpino@igalia.com>

        new Int32Array(new ArrayBuffer(100), 1, 1) shouldn't throw an error that says "RangeError: Byte offset and length out of range of buffer"
        https://bugs.webkit.org/show_bug.cgi?id=125391

        Reviewed by Darin Adler.

        Create own method for verifying byte offset alignment.

        * runtime/ArrayBufferView.h:
        (JSC::ArrayBufferView::verifyByteOffsetAlignment):
        (JSC::ArrayBufferView::verifySubRangeLength):
        (JSC::ArrayBufferView::verifySubRange): Deleted.
        * runtime/GenericTypedArrayViewInlines.h:
        (JSC::GenericTypedArrayView<Adaptor>::create):
        * runtime/JSDataView.cpp:
1220         (JSC::JSDataView::create):
1221         * runtime/JSGenericTypedArrayViewInlines.h:
1222         (JSC::JSGenericTypedArrayView<Adaptor>::create):
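
An added example, not JavaScriptCore's own code, modelling the split validation the entry above describes: the byte offset is checked for alignment first and the sub-range length second, so `new Int32Array(new ArrayBuffer(100), 1, 1)` fails on alignment rather than as "out of range". The function bodies, the `ViewError` type and the alignment message wording are assumptions.

```cpp
// Added example, not JavaScriptCore's own code: models the two-step validation
// the entry above splits out (alignment first, then sub-range length), so that
// new Int32Array(new ArrayBuffer(100), 1, 1) fails on alignment rather than
// being reported as "out of range". Function bodies and names are assumed.
#include <cstddef>
#include <cstdint>

enum class ViewError { None, MisalignedOffset, OutOfRange };

// byteOffset must be a multiple of the element size (same intent as
// ArrayBufferView::verifyByteOffsetAlignment in the entry; body assumed).
inline bool verifyByteOffsetAlignment(size_t byteOffset, size_t elementSize)
{
    return elementSize == 0 || byteOffset % elementSize == 0;
}

// [byteOffset, byteOffset + numElements * elementSize) must fit in byteLength.
// Written with a division so the multiplication cannot overflow size_t.
inline bool verifySubRangeLength(size_t byteLength, size_t byteOffset,
                                 size_t numElements, size_t elementSize)
{
    if (byteOffset > byteLength)
        return false;
    if (elementSize && numElements > (byteLength - byteOffset) / elementSize)
        return false;
    return true;
}

// Validation for a request like new Int32Array(buffer, byteOffset, length);
// elementSize is 4 for Int32Array. Returns which check failed, if any.
ViewError validateView(size_t byteLength, size_t byteOffset,
                       size_t numElements, size_t elementSize)
{
    if (!verifyByteOffsetAlignment(byteOffset, elementSize))
        return ViewError::MisalignedOffset;
    if (!verifySubRangeLength(byteLength, byteOffset, numElements, elementSize))
        return ViewError::OutOfRange;
    return ViewError::None;
}

// Message a runtime could report for each outcome. The "out of range" text is
// the one quoted in the entry; the alignment text is constructed here.
const char* describe(ViewError e)
{
    switch (e) {
    case ViewError::MisalignedOffset:
        return "RangeError: Byte offset is not aligned to the element size";
    case ViewError::OutOfRange:
        return "RangeError: Byte offset and length out of range of buffer";
    default:
        return "ok";
    }
}
```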
1223
1224 2014-07-20  Diego Pino Garcia  <dpino@igalia.com>
1225
1226         ES6: Implement Math.sign()
1227         https://bugs.webkit.org/show_bug.cgi?id=134980
1228
1229         Reviewed by Darin Adler.
1230
1231         * runtime/MathObject.cpp:
1232         (JSC::MathObject::finishCreation):
1233         (JSC::mathProtoFuncSign):
1234
1235 2014-07-18  Filip Pizlo  <fpizlo@apple.com>
1236
1237         Exception fuzzing should work on iOS
1238         https://bugs.webkit.org/show_bug.cgi?id=135070
1239
1240         Reviewed by Mark Hahnenberg.
1241
1242         * tests/exceptionFuzz.yaml:
1243
1244 2014-07-18  Filip Pizlo  <fpizlo@apple.com>
1245
1246         Fix cloop build.
1247
1248         * jsc.cpp:
1249         (jscmain):
1250
1251 2014-07-15  Filip Pizlo  <fpizlo@apple.com>
1252
1253         Need ability to fuzz exception throwing
1254         https://bugs.webkit.org/show_bug.cgi?id=134945
1255         <rdar://problem/17722027>
1256
1257         Reviewed by Sam Weinig.
1258         
1259         Adds the ability to instrument exception checks, and to force some random
1260         exception check to artificially throw an exception. Also adds new tests that
1261         are suitable for testing this. Note that this is closely tied to the Tools
1262         directory changes that are also part of this changeset.
1263         
1264         This also fixes an activation tear-off bug that arises if we ever throw an
1265         exception from operationOptimize, or if due to some other bug it's only due
1266         to the operationOptimize exception check that we realize that there is an
1267         exception to be thrown.
1268
1269         * dfg/DFGJITCompiler.h:
1270         (JSC::DFG::JITCompiler::fastExceptionCheck):
1271         * ftl/FTLIntrinsicRepository.h:
1272         * ftl/FTLLowerDFGToLLVM.cpp:
1273         (JSC::FTL::LowerDFGToLLVM::callCheck):
1274         * interpreter/Interpreter.cpp:
1275         (JSC::unwindCallFrame):
1276         * jit/AssemblyHelpers.cpp:
1277         (JSC::AssemblyHelpers::callExceptionFuzz):
1278         (JSC::AssemblyHelpers::emitExceptionCheck):
1279         * jit/AssemblyHelpers.h:
1280         (JSC::AssemblyHelpers::emitExceptionCheck): Deleted.
1281         * jit/JIT.cpp:
1282         (JSC::JIT::privateCompileMainPass):
1283         * jit/JITOpcodes.cpp:
1284         (JSC::JIT::emit_op_enter):
1285         * jit/JITOperations.cpp:
1286         (JSC::numberOfExceptionFuzzChecks):
1287         * jit/JITOperations.h:
1288         * jsc.cpp:
1289         (jscmain):
1290         * runtime/Options.h:
1291         * runtime/TestRunnerUtils.h:
1292         * tests/exceptionFuzz.yaml: Added.
1293         * tests/exceptionFuzz: Added.
1294         * tests/exceptionFuzz/3d-cube.js: Added.
1295         * tests/exceptionFuzz/date-format-xparb.js: Added.
1296         * tests/exceptionFuzz/earley-boyer.js: Added.
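
An added example, not JavaScriptCore's own code, showing the technique the entry above describes in miniature: every exception-check site is instrumented, a dry run counts the sites, and the program is then re-run once per site with that site forced to throw while an invariant is checked on each run. The `FuzzState`, `Activation` and `runProgram` names, and the program under test, are hypothetical.

```cpp
// Added example, not JavaScriptCore's own code: a small model of the technique
// the entry describes. Every exception-check site calls
// doExceptionFuzzingIfEnabled(); a dry run counts the sites, then the program
// is re-run once per site with that site forced to throw, and an invariant
// (here: the activation was torn off) is checked on each run. All names and the
// program under test are hypothetical.
#include <stdexcept>
#include <string>

struct FuzzState {
    bool enabled = false;
    unsigned target = 0;       // 1-based index of the check that should throw; 0 = never
    unsigned checksSeen = 0;   // number of check sites reached so far
};

struct ArtificialException : std::runtime_error {
    explicit ArtificialException(const std::string& site)
        : std::runtime_error("artificial exception at " + site) {}
};

// Instrumented exception check: counts the site and throws if it is the target.
inline void doExceptionFuzzingIfEnabled(FuzzState& st, const char* site)
{
    if (!st.enabled)
        return;
    ++st.checksSeen;
    if (st.checksSeen == st.target)
        throw ArtificialException(site);
}

struct Activation { bool tornOff = false; };

// Program under test. With tearOffOnUnwind == false it models the kind of bug
// the entry mentions: tear-off happens only on the normal path, so an exception
// injected at the "operationOptimize" check (or any earlier one) leaks the
// activation. Returns whether the activation was torn off by the time we exit.
bool runProgram(FuzzState& st, bool tearOffOnUnwind)
{
    Activation act;
    try {
        doExceptionFuzzingIfEnabled(st, "op_enter");
        doExceptionFuzzingIfEnabled(st, "op_get_by_id");
        doExceptionFuzzingIfEnabled(st, "operationOptimize");
        act.tornOff = true;                   // normal-path tear-off
        doExceptionFuzzingIfEnabled(st, "op_ret");
    } catch (const ArtificialException&) {
        if (tearOffOnUnwind)
            act.tornOff = true;               // unwind-path tear-off (the fix)
    }
    return act.tornOff;
}

struct FuzzReport {
    unsigned checkSites;   // sites reached in the dry run
    unsigned failures;     // forced-throw runs that violated the invariant
};

// Dry run to count check sites, then one run per site with that site throwing.
FuzzReport fuzzExceptionChecks(bool tearOffOnUnwind)
{
    FuzzState dry;
    dry.enabled = true;          // target stays 0, so nothing throws
    runProgram(dry, tearOffOnUnwind);

    FuzzReport report{dry.checksSeen, 0};
    for (unsigned n = 1; n <= report.checkSites; ++n) {
        FuzzState st;
        st.enabled = true;
        st.target = n;
        if (!runProgram(st, tearOffOnUnwind))
            ++report.failures;
    }
    return report;
}
```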
1297
1298 2014-07-17  David Kilzer  <ddkilzer@apple.com>
1299
1300         SECTORDER_FLAGS should be defined in target's xcconfig file, not Base.xcconfig
1301         <http://webkit.org/b/135006>
1302
1303         Reviewed by Darin Adler.
1304
1305         * Configurations/Base.xcconfig: Move SECTORDER_FLAGS to
1306         JavaScriptCore.xcconfig.
1307         * Configurations/CompileRuntimeToLLVMIR.xcconfig: Remove empty
1308         SECTORDER_FLAGS definition.
1309         * Configurations/DebugRelease.xcconfig: Ditto.
1310         * Configurations/JavaScriptCore.xcconfig: Use $(CONFIGURATION)
1311         so SECTORDER_FLAGS is only set on Production builds.
1312
1313 2014-07-17  Juergen Ributzka  <juergen@apple.com>
1314
1315         Disable live-out calculation for stackmap intrinsics.
1316         https://bugs.webkit.org/show_bug.cgi?id=134366
1317
1318         The live-out variables are not required for the stackmaps, because we
1319         don't care about preserving the state when we perform destructive
1320         patching.
1321
1322         Reviewed by Filip Pizlo.
1323
1324         * llvm/library/LLVMExports.cpp:
1325         (initializeAndGetJSCLLVMAPI):
1326
1327 2014-07-17  Joseph Pecoraro  <pecoraro@apple.com>
1328
1329         Follow-up fix to r171195 to prevent ASSERT in fast/profiler/profile-with-no-title.html
1330
1331         Rubber-stamped by Alexey Proskuryakov.
1332
1333         Null / empty titles should be fine. Tests pass in release builds
1334         which allowed empty titles, and it looks like the LegacyProfiler
1335         stopProfiling handles empty titles as expected already.
1336
1337         * profiler/LegacyProfiler.cpp:
1338         (JSC::LegacyProfiler::startProfiling):
1339
1340 2014-07-16  Filip Pizlo  <fpizlo@apple.com>
1341
1342         DFG Flush(SetLocal) store elimination is overzealous for captured variables in the presence of nodes that have no effects but may throw
1343         https://bugs.webkit.org/show_bug.cgi?id=134988
1344         <rdar://problem/17706349>
1345
1346         Reviewed by Oliver Hunt.
1347         
1348         Luckily, we also don't need this optimization to be super powerful: the only place
1349         where it really matters is for getting rid of the redundancy between op_enter and
1350         op_init_lazy_reg, and in that case, there is a small set of possible nodes between the
1351         two things. This change updates the store eliminator to know about only that small,
1352         obviously safe, set of nodes over which we can store-eliminate.
1353         
1354         This shouldn't have any performance impact in the DFG because this optimization kicks
1355         in relatively rarely already. And once we tier up into the FTL, we get a much better
1356         store elimination over LLVM IR, so this really shouldn't matter at all.
1357         
1358         The tricky part of this patch is that there is a close relative of this optimization,
1359         for uncaptured variables that got flushed. This happens for arguments to inlined calls.
1360         I make this work by splitting it into two different store eliminators.
1361         
1362         Note that in the process of crafting the tests, I realized that we were incorrectly
1363         DCEing NewArrayWithSize. That's not cool, since that can throw an exception for
1364         negative array sizes. If we ever did want to DCE this node, we'd need to lower the node
1365         to a check node followed by the actual allocation.
1366
1367         * dfg/DFGCSEPhase.cpp:
1368         (JSC::DFG::CSEPhase::uncapturedSetLocalStoreElimination):
1369         (JSC::DFG::CSEPhase::capturedSetLocalStoreElimination):
1370         (JSC::DFG::CSEPhase::setLocalStoreElimination):
1371         (JSC::DFG::CSEPhase::performNodeCSE):
1372         (JSC::DFG::CSEPhase::SetLocalStoreEliminationResult::SetLocalStoreEliminationResult): Deleted.
1373         * dfg/DFGNodeType.h:
1374         * tests/stress/capture-escape-and-throw.js: Added.
1375         (foo.f):
1376         (foo):
1377         * tests/stress/new-array-with-size-throw-exception-and-tear-off-arguments.js: Added.
1378         (foo):
1379         (bar):
1380
1381 2014-07-15  Benjamin Poulain  <benjamin@webkit.org>
1382
1383         Reduce the overhead of updating the AssemblerBuffer
1384         https://bugs.webkit.org/show_bug.cgi?id=134659
1385
1386         Reviewed by Gavin Barraclough.
1387
1388         In r164548, the linker was changed to allow the LinkBuffer to survive its MacroAssembler.
1389         That feature is useful for JSC to get offsets inside a linked buffer in order to jump directly
1390         there.
1391
1392         On ARM, we use branch compaction and we need to keep the "compaction offset" somewhere to be able
1393         to get the real address of a label. That is done by reusing the memory of AssemblerData.
1394
1395         To share the memory between LinkBuffer and the Assembler, r164548 moved the AssemblerData into
1396         a ref-counted object. Unfortunately, the extra complexity related to the new AssemblerData was enough
1397         to make clang give up a bunch of optimizations.
1398
1399         This patch solves (some of) the problems by making AssemblerBuffer and AssemblerData super low overhead structures.
1400         In particular, the grow() function becomes 8 Thumb instructions, which is easily inlined everywhere it is used.
1401
1402         Instead of sharing ownership between the Assembler and LinkBuffer, LinkBuffer now takes full ownership of
1403         the AssemblerData. I feel this is also safer since LinkBuffer is reusing the AssemblerData in a very
1404         specific way that would make it unusable for the Assembler.
1405
1406         -- Technical details --
1407
1408         From LinkBuffer, we don't want to ever access the Assembler after releasing its buffer (or writing anything
1409         into it really). This was obviously already the case, but that was hard to prove from LinkBuffer::copyCompactAndLinkCode().
1410         To make this easier to work with, I changed all the assembler-specific functions to be static. This way we know
1411         exactly what code accesses the Assembler instance. The code that does access the instance is then moved
1412         to the beginning, before we modify anything.
1413
1414         The function recordLinkOffsets() that was on the MacroAssembler and copied in Assembler was moved directly
1415         to LinkBuffer. This makes the modification of AssemblerData completely explicit, and that code is specific
1416         to LinkBuffer anyway (see LinkBuffer::executableOffsetFor()).
1417
1418         -- Perf impact --
1419
1420         This does not put us exactly at before r164548 due to the missing inline buffer. Still, it is very close.
1421         On ARMv7, this reduces the time spent in Assembler by half. On the CSS JIT, this reduces the compilation
1422         time by ~20%.
1423
1424         I could not measure any difference on x86_64.
1425
1426         * assembler/ARM64Assembler.h:
1427         (JSC::ARM64Assembler::jumpSizeDelta):
1428         (JSC::ARM64Assembler::canCompact):
1429         (JSC::ARM64Assembler::computeJumpType):
1430         (JSC::ARM64Assembler::link):
1431         (JSC::ARM64Assembler::recordLinkOffsets): Deleted.
1432         * assembler/ARMv7Assembler.h:
1433         (JSC::ARMv7Assembler::ifThenElseConditionBit):
1434         (JSC::ARMv7Assembler::ifThenElse):
1435         (JSC::ARMv7Assembler::jumpSizeDelta):
1436         (JSC::ARMv7Assembler::canCompact):
1437         (JSC::ARMv7Assembler::computeJumpType):
1438         (JSC::ARMv7Assembler::link):
1439         (JSC::ARMv7Assembler::linkJumpT1):
1440         (JSC::ARMv7Assembler::linkJumpT3):
1441         (JSC::ARMv7Assembler::linkConditionalJumpT4):
1442         (JSC::ARMv7Assembler::linkConditionalBX):
1443         (JSC::ARMv7Assembler::recordLinkOffsets): Deleted.
1444         * assembler/AssemblerBuffer.h:
1445         (JSC::AssemblerData::AssemblerData):
1446         (JSC::AssemblerData::operator=):
1447         (JSC::AssemblerData::~AssemblerData):
1448         (JSC::AssemblerData::buffer):
1449         (JSC::AssemblerData::capacity):
1450         (JSC::AssemblerData::grow):
1451         (JSC::AssemblerBuffer::AssemblerBuffer):
1452         (JSC::AssemblerBuffer::isAvailable):
1453         (JSC::AssemblerBuffer::data):
1454         (JSC::AssemblerBuffer::releaseAssemblerData):
1455         (JSC::AssemblerBuffer::putIntegral):
1456         (JSC::AssemblerBuffer::putIntegralUnchecked):
1457         (JSC::AssemblerBuffer::append):
1458         (JSC::AssemblerBuffer::grow):
1459         (JSC::AssemblerBuffer::~AssemblerBuffer): Deleted.
1460         (JSC::AssemblerBuffer::storage): Deleted.
1461         * assembler/LinkBuffer.cpp:
1462         (JSC::recordLinkOffsets):
1463         (JSC::LinkBuffer::copyCompactAndLinkCode):
1464         * assembler/LinkBuffer.h:
1465         (JSC::LinkBuffer::LinkBuffer):
1466         (JSC::LinkBuffer::executableOffsetFor):
1467         * assembler/MacroAssemblerARM64.h:
1468         (JSC::MacroAssemblerARM64::canCompact):
1469         (JSC::MacroAssemblerARM64::computeJumpType):
1470         (JSC::MacroAssemblerARM64::jumpSizeDelta):
1471         (JSC::MacroAssemblerARM64::link):
1472         (JSC::MacroAssemblerARM64::recordLinkOffsets): Deleted.
1473         * assembler/MacroAssemblerARMv7.h:
1474         (JSC::MacroAssemblerARMv7::canCompact):
1475         (JSC::MacroAssemblerARMv7::computeJumpType):
1476         (JSC::MacroAssemblerARMv7::jumpSizeDelta):
1477         (JSC::MacroAssemblerARMv7::link):
1478         (JSC::MacroAssemblerARMv7::recordLinkOffsets): Deleted.
1479
1480 2014-07-15  Mark Hahnenberg  <mhahnenberg@apple.com>
1481
1482         Stores to PropertyTable use the Structure as the owner
1483         https://bugs.webkit.org/show_bug.cgi?id=134595
1484
1485         Reviewed by Darin Adler.
1486
1487         Since PropertyTable is the object that does the marking of these references, it should be the owner.
1488
1489         Also removed some unused parameters to other methods that historically used the Structure as the owner.
1490
1491         * runtime/JSPropertyNameIterator.h:
1492         (JSC::StructureRareData::setEnumerationCache):
1493         * runtime/ObjectPrototype.cpp:
1494         (JSC::objectProtoFuncToString):
1495         * runtime/PropertyMapHashTable.h:
1496         (JSC::PropertyTable::copy):
1497         * runtime/PropertyTable.cpp:
1498         (JSC::PropertyTable::clone):
1499         (JSC::PropertyTable::PropertyTable):
1500         * runtime/Structure.cpp:
1501         (JSC::Structure::Structure):
1502         (JSC::Structure::materializePropertyMap):
1503         (JSC::Structure::addPropertyTransition):
1504         (JSC::Structure::changePrototypeTransition):
1505         (JSC::Structure::despecifyFunctionTransition):
1506         (JSC::Structure::attributeChangeTransition):
1507         (JSC::Structure::toDictionaryTransition):
1508         (JSC::Structure::preventExtensionsTransition):
1509         (JSC::Structure::takePropertyTableOrCloneIfPinned):
1510         (JSC::Structure::nonPropertyTransition):
1511         (JSC::Structure::copyPropertyTable):
1512         (JSC::Structure::copyPropertyTableForPinning):
1513         (JSC::Structure::putSpecificValue):
1514         * runtime/Structure.h:
1515         (JSC::Structure::setObjectToStringValue):
1516         (JSC::Structure::setPreviousID):
1517         * runtime/StructureInlines.h:
1518         (JSC::Structure::setEnumerationCache):
1519         * runtime/StructureRareData.h:
1520         * runtime/StructureRareDataInlines.h:
1521         (JSC::StructureRareData::setPreviousID):
1522         (JSC::StructureRareData::setObjectToStringValue):
1523
1524 2014-07-15  Mark Hahnenberg  <mhahnenberg@apple.com>
1525
1526         ScriptExecutable::forEachCodeBlock can dereference null CodeBlocks
1527         https://bugs.webkit.org/show_bug.cgi?id=134928
1528
1529         Reviewed by Andreas Kling.
1530
1531         * bytecode/CodeBlock.h:
1532         (JSC::ScriptExecutable::forEachCodeBlock): Check for null CodeBlocks before calling forEachRelatedCodeBlock.
1533
1534 2014-07-15  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
1535
1536         Buildfix if LLINT_SLOW_PATH_TRACING is enabled
1537         https://bugs.webkit.org/show_bug.cgi?id=133790
1538
1539         Reviewed by Mark Lam.
1540
1541         * llint/LLIntSlowPaths.cpp:
1542         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1543
1544 2014-07-14  Filip Pizlo  <fpizlo@apple.com>
1545
1546         Allow for Int52Rep to see things other than Int32, and make this testable
1547         https://bugs.webkit.org/show_bug.cgi?id=134873
1548         <rdar://problem/17641915>
1549
1550         Reviewed by Geoffrey Garen and Mark Hahnenberg.
1551         
1552         A major premise of our type inference is that prediction propagation can say whatever it
1553         wants and we'll still have valid IR after Fixup. This previously didn't work with Int52s.
1554         We required some kind of agreement between prediction propagation and fixup over which
1555         data flow paths were Int52 and which weren't.
1556         
1557         It turns out that we basically had such an agreement, with the exception of code that was
1558         unreachable due to ForceOSRExit. Then, fixup and prediction propagation would disagree. It
1559         might be nice to fix that bug - but it's only in the case of Int52 that such a thing would
1560         be a bug! Normally, we allow sloppiness in prediction propagation.
1561         
1562         This patch allows us to be sloppy with Int52 prediction propagation by giving Int52Rep the
1563         ability to see inputs other than Int32. This fixes the particular ForceOSRExit bug (see
1564         int52-force-osr-exit-path.js for the reduced test case). To make sure that the newly
1565         empowered Int52Rep is actually correct - in case we end up using it on paths other than
1566         ForceOSRExit - this patch introduces an internal intrinsic called fiatInt52() that forces
1567         us to attempt Int52 conversion on the input. This patch adds a bunch of tests that stress
1568         this intrinsic. This means that we're now stressing Int52Rep more so than ever before!
1569         
1570         Note that it would still be a bug for prediction propagation to ever cause us to create an
1571         Int52Rep node for a non-Int32 input. But, this will now be a performance bug, rather than
1572         a crash bug.
1573
1574         * dfg/DFGAbstractInterpreterInlines.h:
1575         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1576         * dfg/DFGAbstractValue.cpp:
1577         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
1578         * dfg/DFGByteCodeParser.cpp:
1579         (JSC::DFG::ByteCodeParser::handleIntrinsic):
1580         * dfg/DFGClobberize.h:
1581         (JSC::DFG::clobberize):
1582         * dfg/DFGFixupPhase.cpp:
1583         (JSC::DFG::FixupPhase::fixupNode):
1584         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
1585         * dfg/DFGGraph.h:
1586         (JSC::DFG::Graph::isMachineIntConstant):
1587         * dfg/DFGNode.h:
1588         (JSC::DFG::Node::isMachineIntConstant):
1589         * dfg/DFGNodeType.h:
1590         * dfg/DFGOperations.cpp:
1591         * dfg/DFGOperations.h:
1592         * dfg/DFGPredictionPropagationPhase.cpp:
1593         (JSC::DFG::PredictionPropagationPhase::propagate):
1594         * dfg/DFGSafeToExecute.h:
1595         (JSC::DFG::SafeToExecuteEdge::operator()):
1596         (JSC::DFG::safeToExecute):
1597         * dfg/DFGSpeculativeJIT.cpp:
1598         (JSC::DFG::SpeculativeJIT::speculate):
1599         * dfg/DFGSpeculativeJIT.h:
1600         (JSC::DFG::SpeculativeJIT::callOperation):
1601         * dfg/DFGSpeculativeJIT32_64.cpp:
1602         (JSC::DFG::SpeculativeJIT::compile):
1603         * dfg/DFGSpeculativeJIT64.cpp:
1604         (JSC::DFG::SpeculativeJIT::compile):
1605         (JSC::DFG::SpeculativeJIT::convertMachineInt):
1606         (JSC::DFG::SpeculativeJIT::speculateMachineInt):
1607         (JSC::DFG::SpeculativeJIT::speculateDoubleRepMachineInt):
1608         * dfg/DFGStrengthReductionPhase.cpp:
1609         (JSC::DFG::StrengthReductionPhase::handleNode):
1610         * dfg/DFGUseKind.cpp:
1611         (WTF::printInternal):
1612         * dfg/DFGUseKind.h:
1613         (JSC::DFG::typeFilterFor):
1614         (JSC::DFG::isNumerical):
1615         (JSC::DFG::isDouble):
1616         * dfg/DFGValidate.cpp:
1617         (JSC::DFG::Validate::validate):
1618         * ftl/FTLCapabilities.cpp:
1619         (JSC::FTL::canCompile):
1620         * ftl/FTLIntrinsicRepository.h:
1621         * ftl/FTLLowerDFGToLLVM.cpp:
1622         (JSC::FTL::LowerDFGToLLVM::compileInt52Rep):
1623         (JSC::FTL::LowerDFGToLLVM::doubleToInt32):
1624         (JSC::FTL::LowerDFGToLLVM::jsValueToDouble):
1625         (JSC::FTL::LowerDFGToLLVM::jsValueToStrictInt52):
1626         (JSC::FTL::LowerDFGToLLVM::doubleToStrictInt52):
1627         (JSC::FTL::LowerDFGToLLVM::speculate):
1628         (JSC::FTL::LowerDFGToLLVM::speculateMachineInt):
1629         (JSC::FTL::LowerDFGToLLVM::speculateDoubleRepMachineInt):
1630         * jit/JITOperations.h:
1631         * jsc.cpp:
1632         (GlobalObject::finishCreation):
1633         (functionIdentity):
1634         * runtime/Intrinsic.h:
1635         * runtime/JSCJSValue.h:
1636         * runtime/JSCJSValueInlines.h:
1637         (JSC::tryConvertToInt52):
1638         (JSC::isInt52):
1639         (JSC::JSValue::isMachineInt):
1640         * tests/stress/dead-fiat-double-to-int52-then-exit-not-int52.js: Added.
1641         (foo):
1642         * tests/stress/dead-fiat-double-to-int52.js: Added.
1643         (foo):
1644         * tests/stress/dead-fiat-int32-to-int52.js: Added.
1645         (foo):
1646         * tests/stress/dead-fiat-value-to-int52-double-path.js: Added.
1647         (foo):
1648         (bar):
1649         * tests/stress/dead-fiat-value-to-int52-then-exit-not-double.js: Added.
1650         (foo):
1651         (bar):
1652         * tests/stress/dead-fiat-value-to-int52-then-exit-not-int52.js: Added.
1653         (foo):
1654         (bar):
1655         * tests/stress/dead-fiat-value-to-int52.js: Added.
1656         (foo):
1657         (bar):
1658         * tests/stress/fiat-double-to-int52-then-exit-not-int52.js: Added.
1659         (foo):
1660         * tests/stress/fiat-double-to-int52-then-fail-to-fold.js: Added.
1661         (foo):
1662         * tests/stress/fiat-double-to-int52-then-fold.js: Added.
1663         (foo):
1664         * tests/stress/fiat-double-to-int52.js: Added.
1665         (foo):
1666         * tests/stress/fiat-int32-to-int52.js: Added.
1667         (foo):
1668         * tests/stress/fiat-value-to-int52-double-path.js: Added.
1669         (foo):
1670         (bar):
1671         * tests/stress/fiat-value-to-int52-then-exit-not-double.js: Added.
1672         (foo):
1673         (bar):
1674         * tests/stress/fiat-value-to-int52-then-exit-not-int52.js: Added.
1675         (foo):
1676         (bar):
1677         * tests/stress/fiat-value-to-int52-then-fail-to-fold.js: Added.
1678         (foo):
1679         * tests/stress/fiat-value-to-int52-then-fold.js: Added.
1680         (foo):
1681         * tests/stress/fiat-value-to-int52.js: Added.
1682         (foo):
1683         (bar):
1684         * tests/stress/int52-force-osr-exit-path.js: Added.
1685         (foo):
1686
1687 2014-07-14  Mark Hahnenberg  <mhahnenberg@apple.com>
1688
1689         Flattening dictionaries with oversize backing stores can cause crashes
1690         https://bugs.webkit.org/show_bug.cgi?id=134906
1691
1692         Reviewed by Filip Pizlo.
1693
1694         The collector expects any pointers into CopiedSpace passed to copyLater to be within 32 KB
1695         of the CopiedBlock header. This was always the case except for when flattening a dictionary 
1696         caused the size of the Butterfly to decrease. This was equivalent to moving the base of the 
1697         Butterfly to higher addresses. If the object was reduced sufficiently in size, the base 
1698         would no longer be within the first 32 KB of the CopiedBlock and the next collection would 
1699         choke on the Butterfly pointer.
1700
1701         This patch fixes this issue by detecting this situation during flattening and memmove-ing
1702         the Butterfly down to where the old base was.
1703
1704         * runtime/JSObject.cpp:
1705         (JSC::JSObject::shiftButterflyAfterFlattening):
1706         * runtime/JSObject.h:
1707         (JSC::JSObject::butterflyPreCapacity):
1708         (JSC::JSObject::butterflyTotalSize):
1709         * runtime/Structure.cpp:
1710         (JSC::Structure::flattenDictionaryStructure):
1711         * tests/stress/flatten-oversize-dictionary-object.js: Added.
1712         (foo):
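
An added example, not JavaScriptCore's own code, modelling the invariant the entry above describes and the memmove fix: shrinking the property capacity moves the computed start of the butterfly upward, past the 32 KB limit in a constructed oversize case, and shifting the live bytes back down restores it. The butterfly layout, the slot and header sizes, and all names are assumptions; only the 32 KB limit comes from the entry.

```cpp
// Added example, not JavaScriptCore's own code: a model of the invariant the
// entry describes and of the memmove fix. The butterfly layout, sizes and
// names are hypothetical; only the 32 KB limit comes from the entry.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

constexpr size_t kMaxOffsetFromHeader = 32 * 1024; // limit named in the entry
constexpr size_t kSlotSize = sizeof(uint64_t);      // one property or indexed slot
constexpr size_t kIndexingHeaderSize = 8;           // assumed header just below base

// Assumed layout: [pre-capacity][property slots][indexing header][base: indexed bytes].
// Out-of-line property i lives at base - (i + 1) * kSlotSize.
struct Butterfly {
    uint8_t* base;
    size_t preCapacity;
    size_t propertyCapacity;
    size_t indexedBytes;
};

// First byte of the allocation: this is the pointer handed to the copying collector.
inline uint8_t* allocationStart(const Butterfly& b)
{
    return b.base - (b.preCapacity + b.propertyCapacity) * kSlotSize - kIndexingHeaderSize;
}

inline size_t totalSize(const Butterfly& b)
{
    return (b.preCapacity + b.propertyCapacity) * kSlotSize + kIndexingHeaderSize + b.indexedBytes;
}

// The expectation the collector has of any pointer passed to copyLater.
inline bool withinCopyLaterLimit(const uint8_t* blockHeader, const uint8_t* p)
{
    return p >= blockHeader && static_cast<size_t>(p - blockHeader) <= kMaxOffsetFromHeader;
}

// The fix: move the live bytes back down so the allocation starts where it did
// before flattening, and lower base by the same amount. Returns bytes shifted.
size_t shiftButterflyAfterFlattening(Butterfly& b, size_t propertyCapacityBefore)
{
    if (b.propertyCapacity >= propertyCapacityBefore)
        return 0;                                  // nothing was dropped
    size_t delta = (propertyCapacityBefore - b.propertyCapacity) * kSlotSize;
    uint8_t* raisedStart = allocationStart(b);     // start after the shrink
    uint8_t* oldStart = raisedStart - delta;       // start before the shrink
    std::memmove(oldStart, raisedStart, totalSize(b));
    b.base -= delta;
    return delta;
}

struct DemoResult {
    size_t offsetBeforeFix;   // allocation-start offset from the header after the shrink
    size_t offsetAfterFix;    // the same offset once the fix has run
    bool safeBeforeFix;
    bool safeAfterFix;
    bool propertyPreserved;   // property slot 0 still readable relative to base
};

// Constructed scenario: one 64 KB block holding a butterfly with 5000 property
// slots, flattened down to 8. That drops 39936 bytes, enough to push the
// allocation start past the 32 KB limit if the bytes are left in place.
DemoResult runFlattenDemo()
{
    std::vector<uint8_t> block(64 * 1024, 0);
    uint8_t* header = block.data();

    Butterfly b;
    b.preCapacity = 0;
    b.propertyCapacity = 5000;
    b.indexedBytes = 64;
    b.base = header + 16 + b.propertyCapacity * kSlotSize + kIndexingHeaderSize;
    const size_t startOffsetBefore = allocationStart(b) - header;   // 16
    const uint64_t marker = 0x5EC0DEull;             // constructed property value
    std::memcpy(b.base - kSlotSize, &marker, sizeof marker);

    DemoResult r;
    const size_t capacityBefore = b.propertyCapacity;
    b.propertyCapacity = 8;                          // what flattening does on its own
    r.offsetBeforeFix = allocationStart(b) - header;
    r.safeBeforeFix = withinCopyLaterLimit(header, allocationStart(b));

    shiftButterflyAfterFlattening(b, capacityBefore);
    r.offsetAfterFix = allocationStart(b) - header;
    r.safeAfterFix = withinCopyLaterLimit(header, allocationStart(b));

    uint64_t readBack = 0;
    std::memcpy(&readBack, b.base - kSlotSize, sizeof readBack);
    r.propertyPreserved = readBack == marker && r.offsetAfterFix == startOffsetBefore;
    return r;
}
```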
1713
1714 2014-07-14  Benjamin Poulain  <benjamin@webkit.org>
1715
1716         Remove some dead code from FTLJITFinalizer
1717         https://bugs.webkit.org/show_bug.cgi?id=134874
1718
1719         Reviewed by Geoffrey Garen.
1720
1721         Not sure what that code was for...but it does not do anything :)
1722
1723         * ftl/FTLJITFinalizer.cpp:
1724         (JSC::FTL::JITFinalizer::finalizeFunction):
1725         The pointer of the label is computed but never used.
1726
1727         * ftl/FTLJITFinalizer.h:
1728         * ftl/FTLLink.cpp:
1729         (JSC::FTL::link):
1730         The label is never set to anything.
1731
1732 2014-07-14  Bear Travis  <betravis@adobe.com>
1733
1734         [Feature Queries] Enable Feature Queries on Mac
1735         https://bugs.webkit.org/show_bug.cgi?id=134404
1736
1737         Reviewed by Antti Koivisto.
1738
1739         Enable Feature Queries on Mac and resume running the
1740         feature tests.
1741
1742         * Configurations/FeatureDefines.xcconfig: Turn on
1743         ENABLE_CSS3_CONDITIONAL_RULES.
1744
1745 2014-07-11  Joseph Pecoraro  <pecoraro@apple.com>
1746
1747         Web Inspector: Debugger Pause button does not work
1748         https://bugs.webkit.org/show_bug.cgi?id=134785
1749
1750         Reviewed by Timothy Hatcher.
1751
1752         * CMakeLists.txt:
1753         * DerivedSources.make:
1754         Minification strips the sourceURL command. Add it back with minification.
1755
1756 2014-07-11  peavo@outlook.com  <peavo@outlook.com>
1757
1758         [Win] Enable DFG JIT.
1759         https://bugs.webkit.org/show_bug.cgi?id=123615
1760
1761         Reviewed by Mark Lam.
1762
1763         When the return type of a JIT generated function call is larger than 64-bit (e.g. SlowPathReturnType),
1764         the normal call() implementation cannot be used on 64-bit Windows, because the 64-bit Windows ABI is different in this case.
1765         Also, when generating calls with double arguments, we need to make sure the arguments are put in the correct registers,
1766         since the register allocation differs on 64-bit Windows.
1767
1768         * assembler/MacroAssemblerX86_64.h:
1769         (JSC::MacroAssemblerX86_64::callWithSlowPathReturnType): Added method to handle function calls where the return value type size is larger than 64-bit.
1770         * jit/CCallHelpers.h:
1771         (JSC::CCallHelpers::setupArgumentsWithExecState): Move arguments to correct registers when there are floating point arguments.
1772         (JSC::CCallHelpers::setupArgumentsWithExecStateForCallWithSlowPathReturnType): Added method.
1773         * jit/JIT.h:
1774         (JSC::JIT::appendCallWithSlowPathReturnType): Added method.
1775         * jit/JITInlines.h:
1776         (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType): Added method.
1777         (JSC::JIT::callOperation): Call new method.
1778
1779 2014-07-09  Benjamin Poulain  <benjamin@webkit.org>
1780
1781         Use 16-bit instructions for push/pop on ARMv7 when possible
1782         https://bugs.webkit.org/show_bug.cgi?id=134753
1783
1784         Reviewed by Geoffrey Garen.
1785
1786         The patch r170839 mixed the code for push/pop pair and single push/pop.
1787         That part was reverted in r170909.
1788
1789         This patch puts the code back but specialized for single push/pop.
1790
1791         * assembler/ARMv7Assembler.h:
1792         (JSC::ARMv7Assembler::pop):
1793         (JSC::ARMv7Assembler::push):
1794         * assembler/MacroAssemblerARMv7.h:
1795         (JSC::MacroAssemblerARMv7::pop):
1796         (JSC::MacroAssemblerARMv7::push):
1797
1798 2014-07-09  Brent Fulgham  <bfulgham@apple.com>
1799
1800         [Win] Remove uses of 'bash' in build system
1801         https://bugs.webkit.org/show_bug.cgi?id=134782
1802         <rdar://problem/17615533>
1803
1804         Reviewed by Dean Jackson.
1805
1806         Remove uses of 'bash' by replacing Windows-specific bash scripts
1807         with Perl equivalents.
1808
1809         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1810         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj:
1811         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.filters:
1812         * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd:
1813         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1814         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
1815         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh.
1816         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Removed.
1817         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1818         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
1819         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh.
1820         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: Removed.
1821         * JavaScriptCore.vcxproj/build-generated-files.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/build-generated-files.sh.
1822         * JavaScriptCore.vcxproj/build-generated-files.sh: Removed.
1823         * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd:
1824         * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd:
1825         * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd:
1826
1827 2014-07-09  Brent Fulgham  <bfulgham@apple.com>
1828
1829         [Win] Remove use of 'grep' in build steps
1830         https://bugs.webkit.org/show_bug.cgi?id=134770
1831         <rdar://problem/17608783>
1832
1833         Reviewed by Tim Horton.
1834
1835         Replace uses of the grep command in Windows builds with the equivalent
1836         Perl program.
1837
1838         * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd:
1839         * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd:
1840         * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd:
1841         * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd:
1842
1843 2014-07-08  Benjamin Poulain  <benjamin@webkit.org>
1844
1845         Restore the assertion changed with 170839
1846
1847         * assembler/ARMv7Assembler.h:
1848         (JSC::ARMv7Assembler::pop):
1849         (JSC::ARMv7Assembler::push):
1850         Revert the Assembler part of 170839. The assertions do not match both encodings.
1851
1852         I'll add specific version of push and pop instead.
1853
1854 2014-07-08  Jon Honeycutt  <jhoneycutt@apple.com>
1855
1856         RemoteInspector::shared() should not call WTF::initializeMainThread()
1857         <https://bugs.webkit.org/show_bug.cgi?id=134747>
1858         <rdar://problem/17161482>
1859
1860         Reviewed by Joseph Pecoraro.
1861
1862         * inspector/remote/RemoteInspector.mm:
1863         (Inspector::RemoteInspector::shared):
1864         Don't call WTF::initializeMainThread(). WTF threading is initialized by
1865         JSC::initializeThreading().
1866
1867 2014-07-08  Andreas Kling  <akling@apple.com>
1868
1869         VM::lastCachedString should be a Strong, not a Weak.
1870         <https://webkit.org/b/134746>
1871
1872         Using Weak<JSString> for this regressed some of our bindings perf tests
1873         due to Weak having to allocate a new WeakImpl every time the last cached
1874         string changed. Making it a Strong instead should make that problem go away.
1875
1876         Reviewed by Geoffrey Garen.
1877
1878         * runtime/JSString.cpp:
1879         (JSC::jsStringWithCacheSlowCase):
1880         * runtime/VM.h:
1881
1882 2014-07-07  Benjamin Poulain  <bpoulain@apple.com>
1883
1884         Fix the build after r170876
1885
1886         * assembler/LinkBuffer.cpp:
1887         (JSC::LinkBuffer::linkCode):
1888
1889 2014-07-07  Benjamin Poulain  <benjamin@webkit.org>
1890
1891         LinkBuffer should not keep a reference to the MacroAssembler
1892         https://bugs.webkit.org/show_bug.cgi?id=134668
1893
1894         Reviewed by Geoffrey Garen.
1895
1896         In FTL, the LinkBuffer can outlive the MacroAssembler that was used for code generation.
1897         When that happens, the pointer m_assembler points to released memory. That was not causing
1898         issues because the attribute is not used after linking, but that was not particularly
1899         future proof.
1900
1901         This patch refactors LinkBuffer to avoid any lifetime risk. The MacroAssembler is now passed
1902         as a reference, it is used for linking but no reference is ever stored with the LinkBuffer.
1903
1904         While fixing the call sites to use a reference, I also discovered LinkBuffer.h was included
1905         everywhere. I refactored some #include to avoid that.
1906
1907         * assembler/LinkBuffer.cpp:
1908         (JSC::LinkBuffer::copyCompactAndLinkCode):
1909         (JSC::LinkBuffer::linkCode):
1910         * assembler/LinkBuffer.h:
1911         (JSC::LinkBuffer::LinkBuffer):
1912         * bytecode/Watchpoint.cpp:
1913         * dfg/DFGDisassembler.cpp:
1914         * dfg/DFGDisassembler.h:
1915         * dfg/DFGJITCompiler.cpp:
1916         (JSC::DFG::JITCompiler::link):
1917         (JSC::DFG::JITCompiler::linkFunction):
1918         * dfg/DFGOSRExitCompiler.cpp:
1919         * dfg/DFGPlan.cpp:
1920         * dfg/DFGThunks.cpp:
1921         (JSC::DFG::osrExitGenerationThunkGenerator):
1922         (JSC::DFG::osrEntryThunkGenerator):
1923         * ftl/FTLCompile.cpp:
1924         (JSC::FTL::generateICFastPath):
1925         (JSC::FTL::fixFunctionBasedOnStackMaps):
1926         * ftl/FTLJSCall.cpp:
1927         * ftl/FTLJSCall.h:
1928         * ftl/FTLLink.cpp:
1929         (JSC::FTL::link):
1930         * ftl/FTLLowerDFGToLLVM.cpp:
1931         * ftl/FTLOSRExitCompiler.cpp:
1932         (JSC::FTL::compileStub):
1933         * ftl/FTLThunks.cpp:
1934         (JSC::FTL::osrExitGenerationThunkGenerator):
1935         (JSC::FTL::slowPathCallThunkGenerator):
1936         * jit/ArityCheckFailReturnThunks.cpp:
1937         (JSC::ArityCheckFailReturnThunks::returnPCsFor):
1938         * jit/JIT.cpp:
1939         (JSC::JIT::privateCompile):
1940         * jit/JITCall.cpp:
1941         (JSC::JIT::privateCompileClosureCall):
1942         * jit/JITCall32_64.cpp:
1943         (JSC::JIT::privateCompileClosureCall):
1944         * jit/JITDisassembler.cpp:
1945         * jit/JITDisassembler.h:
1946         * jit/JITOpcodes.cpp:
1947         * jit/JITPropertyAccess.cpp:
1948         (JSC::JIT::stringGetByValStubGenerator):
1949         (JSC::JIT::privateCompileGetByVal):
1950         (JSC::JIT::privateCompilePutByVal):
1951         * jit/JITPropertyAccess32_64.cpp:
1952         (JSC::JIT::stringGetByValStubGenerator):
1953         * jit/RegisterPreservationWrapperGenerator.cpp:
1954         (JSC::generateRegisterPreservationWrapper):
1955         (JSC::registerRestorationThunkGenerator):
1956         * jit/Repatch.cpp:
1957         (JSC::generateByIdStub):
1958         (JSC::tryCacheGetByID):
1959         (JSC::emitPutReplaceStub):
1960         (JSC::emitPutTransitionStub):
1961         (JSC::tryRepatchIn):
1962         (JSC::linkClosureCall):
1963         * jit/SpecializedThunkJIT.h:
1964         (JSC::SpecializedThunkJIT::finalize):
1965         * jit/ThunkGenerators.cpp:
1966         (JSC::throwExceptionFromCallSlowPathGenerator):
1967         (JSC::linkForThunkGenerator):
1968         (JSC::linkClosureCallForThunkGenerator):
1969         (JSC::virtualForThunkGenerator):
1970         (JSC::nativeForGenerator):
1971         (JSC::arityFixup):
1972         * llint/LLIntThunks.cpp:
1973         (JSC::LLInt::generateThunkWithJumpTo):
1974         * yarr/YarrJIT.cpp:
1975         (JSC::Yarr::YarrGenerator::compile):
1976
1977 2014-07-07  Andreas Kling  <akling@apple.com>
1978
1979         Fast path for jsStringWithCache() when asked for the same string repeatedly.
1980         <https://webkit.org/b/134635>
1981
1982         Reviewed by Darin Adler.
1983
1984         Follow-up to r170818 addressing a review comment by Geoff Garen.
1985
1986         * runtime/JSString.cpp:
1987         (JSC::jsStringWithCacheSlowCase):
1988
1989 2014-07-07  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>
1990
1991         Add missing ENABLE(FTL_JIT) guards
1992         https://bugs.webkit.org/show_bug.cgi?id=134680
1993
1994         Reviewed by Darin Adler.
1995
1996         * ftl/FTLDWARFDebugLineInfo.cpp:
1997         * ftl/FTLDWARFDebugLineInfo.h:
1998         * ftl/FTLGeneratedFunction.h:
1999
2000 2014-07-07  Zan Dobersek  <zdobersek@igalia.com>
2001
2002         Enable ARMv7 disassembler for the GTK port
2003         https://bugs.webkit.org/show_bug.cgi?id=134676
2004
2005         Reviewed by Benjamin Poulain.
2006
2007         * CMakeLists.txt: Add ARMv7DOpcode.cpp file to the build.
2008         * disassembler/ARMv7/ARMv7DOpcode.cpp: Include the string.h header for strlen().
2009
2010 2014-07-06  Benjamin Poulain  <benjamin@webkit.org>
2011
2012         [ARMv7] Use 16-bit instructions for push/pop when possible
2013         https://bugs.webkit.org/show_bug.cgi?id=134656
2014
2015         Reviewed by Andreas Kling.
2016
2017         * assembler/ARMv7Assembler.h:
2018         (JSC::ARMv7Assembler::pop):
2019         (JSC::ARMv7Assembler::push):
2020         (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp7Imm9):
2021         Add the 16-bit version of push and pop.
2022
2023         * assembler/MacroAssemblerARMv7.h:
2024         (JSC::MacroAssemblerARMv7::pop):
2025         (JSC::MacroAssemblerARMv7::push):
2026         Use the new push/pop instead of a regular load/store.
2027
2028         * disassembler/ARMv7/ARMv7DOpcode.cpp:
2029         (JSC::ARMv7Disassembler::ARMv7DOpcode::appendRegisterList):
2030         * disassembler/ARMv7/ARMv7DOpcode.h:
2031         (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscPushPop::registerMask):
2032         Fix the disassembler for push/pop:
2033         -The register mask was on 7 bits for some reason.
2034         -The code printing the registers was comparing a register ID with a register
2035          mask.
2036
2037 2014-07-06  Yoav Weiss  <yoav@yoav.ws>
2038
2039         Turn on img@sizes compile flag
2040         https://bugs.webkit.org/show_bug.cgi?id=134634
2041
2042         Reviewed by Benjamin Poulain.
2043
2044         * Configurations/FeatureDefines.xcconfig: Moved compile flag to alphabetical order.
2045
2046 2014-07-06  Daewoong Jang  <daewoong.jang@navercorp.com>
2047
2048         Flags value of SourceCodeKey should be unique for each case.
2049         https://bugs.webkit.org/show_bug.cgi?id=134435
2050
2051         Reviewed by Darin Adler.
2052
2053         Different combinations of CodeType and JSParserStrictness could generate the same m_flags value because
2054         the value of CodeType and the value of JSParserStrictness share a bit inside the m_flags member variable.
2055         Shift the value of CodeType one bit farther to the left so those values don't overlap.
2056
2057         * runtime/CodeCache.h:
2058         (JSC::SourceCodeKey::SourceCodeKey):
2059
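The entry above describes a cache-key collision: two bit-packed enums overlapped by one bit, so different (CodeType, JSParserStrictness) pairs produced identical m_flags and a lookup in the code cache could return code compiled under the other mode. The following is an added example, not JSC's own SourceCodeKey code; the enumerator names and values are assumptions chosen so that strictness needs two bits, which is all the ChangeLog implies. It reproduces the aliasing with the old one-bit shift, shows the fixed two-bit shift, and runs a generic injectivity check that any bit-packed cache key should pass.

```cpp
#include <cassert>
#include <set>

// Assumed reconstruction of the two enums feeding m_flags; the real JSC
// enumerators are not listed in the ChangeLog, so treat these as illustrative.
enum CodeType : unsigned { EvalType = 0, ProgramType = 1, FunctionType = 2 };
enum JSParserStrictness : unsigned { JSParseNormal = 0, JSParseBuiltin = 1, JSParseStrict = 2 };

constexpr unsigned kCodeTypeCount = 3;
constexpr unsigned kStrictnessCount = 3;

// Before the fix: CodeType is shifted by one bit, but strictness can occupy
// two bits, so bit 1 is shared and distinct inputs alias.
constexpr unsigned flagsBefore(CodeType codeType, JSParserStrictness strictness)
{
    return (static_cast<unsigned>(codeType) << 1) | static_cast<unsigned>(strictness);
}

// After the fix: CodeType is shifted past every bit strictness can use.
constexpr unsigned flagsAfter(CodeType codeType, JSParserStrictness strictness)
{
    return (static_cast<unsigned>(codeType) << 2) | static_cast<unsigned>(strictness);
}

// A packing function is usable as a cache key only if it is injective over
// the whole input space. Returns how many inputs landed on an already-used key.
template <typename Pack>
unsigned collisionCount(Pack pack)
{
    std::set<unsigned> seen;
    unsigned collisions = 0;
    for (unsigned c = 0; c < kCodeTypeCount; ++c) {
        for (unsigned s = 0; s < kStrictnessCount; ++s) {
            unsigned key = pack(static_cast<CodeType>(c), static_cast<JSParserStrictness>(s));
            if (!seen.insert(key).second)
                ++collisions;
        }
    }
    return collisions;
}

unsigned collisionsBefore() { return collisionCount(flagsBefore); }
unsigned collisionsAfter() { return collisionCount(flagsAfter); }

// One concrete aliasing pair under the old packing: a non-strict program and
// a strict eval share an m_flags value, so a cache hit could return the
// wrong one.
bool oldPackingAliasesProgramAndStrictEval()
{
    return flagsBefore(ProgramType, JSParseNormal) == flagsBefore(EvalType, JSParseStrict);
}
```

The injectivity check is the part worth keeping around: whenever several small enums are folded into one integer key, enumerate every combination once and confirm no two map to the same value, rather than reasoning about the shifts by hand.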
2060 2014-07-04  Andreas Kling  <akling@apple.com>
2061
2062         Fast path for jsStringWithCache() when asked for the same string repeatedly.
2063         <https://webkit.org/b/134635>
2064
2065         Also moved the whole thing from WebCore to JavaScriptCore since it
2066         makes more sense here, and inlined the lightweight checks, leaving only
2067         the hashmap stuff out of line.
2068
2069         Reviewed by Darin Adler.
2070
2071         * runtime/JSString.cpp:
2072         (JSC::jsStringWithCacheSlowCase):
2073         * runtime/JSString.h:
2074         (JSC::jsStringWithCache):
2075         * runtime/VM.h:
2076
2077 2014-07-03  Daniel Bates  <dabates@apple.com>
2078
2079         Add WTF::move()
2080         https://bugs.webkit.org/show_bug.cgi?id=134500
2081
2082         Rubber-stamped by Anders Carlsson.
2083
2084         Substitute WTF::move() for std::move().
2085
2086         * bytecode/CodeBlock.h:
2087         * bytecode/UnlinkedCodeBlock.cpp:
2088         * bytecompiler/BytecodeGenerator.cpp:
2089         * dfg/DFGGraph.cpp:
2090         * dfg/DFGJITCompiler.cpp:
2091         * dfg/DFGStackLayoutPhase.cpp:
2092         * dfg/DFGWorklist.cpp:
2093         * heap/DelayedReleaseScope.h:
2094         * heap/HeapInlines.h:
2095         [...]
2096
2097 2014-07-03  Filip Pizlo  <fpizlo@apple.com>
2098
2099         SSA DCE should process blocks in forward order
2100         https://bugs.webkit.org/show_bug.cgi?id=134611
2101
2102         Reviewed by Andreas Kling.
2103
2104         * dfg/DFGDCEPhase.cpp:
2105         (JSC::DFG::DCEPhase::run):
2106         * ftl/FTLLowerDFGToLLVM.cpp:
2107         (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
2108         * tests/stress/dead-value-with-mov-hint-in-another-block.js: Added.
2109         (foo):
2110
2111 2014-07-03  Filip Pizlo  <fpizlo@apple.com>
2112
2113         JSActivation::symbolTablePut() should invalidate variable watchpoints
2114         https://bugs.webkit.org/show_bug.cgi?id=134602
2115
2116         Reviewed by Oliver Hunt.
2117         
2118         Usually stores to captured variables cause us to invalidate the variable watchpoint because CodeBlock does so
2119         during linking - we essentially assume that if it's at all possible for an inner function to store to a
2120         variable we declare then this variable cannot be a constant. But this misses the dynamic store case, i.e.
2121         JSActivation::symbolTablePut(). Part of the problem here is that JSActivation duplicates
2122         JSSymbolTableObject's symbolTablePut() logic, which did have the invalidation. This patch keeps that code
2123         duplicated, but fixes JSActivation::symbolTablePut() to do the right thing.
2124
2125         * runtime/JSActivation.cpp:
2126         (JSC::JSActivation::symbolTablePut):
2127         * runtime/JSSymbolTableObject.h:
2128         (JSC::symbolTablePut):
2129         * tests/stress/constant-closure-var-with-dynamic-invalidation.js: Added.
2130         (.):
2131
2132 2014-07-01  Mark Lam  <mark.lam@apple.com>
2133
2134         Debugger's breakpoint list should not be a Vector.
2135         <https://webkit.org/b/134514>
2136
2137         Reviewed by Geoffrey Garen.
2138
2139         The debugger currently stores breakpoint data as entries in a Vector (see
2140         BreakpointsInLine).  It also keeps a fast map look up of breakpoint IDs to
2141         the breakpoint data (see m_breakpointIDToBreakpoint).  Because a Vector can
2142         compact or reallocate its backing store, this can cause all sorts of havoc.
2143         The m_breakpointIDToBreakpoint map assumes that the breakpoint data doesn't
2144         move in memory.
2145
2146         The fix is to replace the BreakpointsInLine Vector with a BreakpointsList
2147         doubly linked list.
2148
2149         * debugger/Breakpoint.h:
2150         (JSC::Breakpoint::Breakpoint):
2151         (JSC::BreakpointsList::~BreakpointsList):
2152         * debugger/Debugger.cpp:
2153         (JSC::Debugger::setBreakpoint):
2154         (JSC::Debugger::removeBreakpoint):
2155         (JSC::Debugger::hasBreakpoint):
2156         * debugger/Debugger.h:
2157
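The bug described in the entry above is the classic dangling-pointer-into-a-vector pattern: a side table caches raw pointers to elements of a Vector, and the next push that grows the Vector frees the old backing store, leaving every cached pointer pointing at freed memory. The following is an added example, not JSC's debugger code; the Breakpoint struct and the two container types are assumptions standing in for BreakpointsInLine and BreakpointsList. It measures how often the vector-backed version invalidates its cache and shows the node-based replacement whose elements keep a fixed address until they are individually erased.

```cpp
#include <cassert>
#include <iterator>
#include <list>
#include <unordered_map>
#include <vector>

// Assumed breakpoint record; JSC's real Breakpoint carries more fields.
struct Breakpoint {
    unsigned id;
    unsigned line;
    bool enabled;
};

// The shape of the bug: records live in a vector, and a side table caches raw
// pointers into it. Every reallocation of the backing store leaves every
// cached pointer dangling.
struct VectorBackedBreakpoints {
    std::vector<Breakpoint> records;
    std::unordered_map<unsigned, Breakpoint*> byId;

    void set(unsigned id, unsigned line)
    {
        records.push_back({ id, line, true });
        byId[id] = &records.back(); // stale as soon as records reallocates
    }
};

// Count how many of n insertions moved the backing store (and so invalidated
// byId). Measured through capacity changes, which is well defined; touching
// a stale pointer would not be.
unsigned reallocationsWhileAdding(unsigned n)
{
    VectorBackedBreakpoints debugger;
    unsigned moves = 0;
    for (unsigned i = 0; i < n; ++i) {
        std::size_t before = debugger.records.capacity();
        debugger.set(i, 100 + i);
        if (debugger.records.capacity() != before)
            ++moves;
    }
    return moves;
}

// The fix: a node-based list keeps each record at one address for its whole
// lifetime, so the id table can safely hold iterators (or pointers).
struct ListBackedBreakpoints {
    std::list<Breakpoint> records;
    std::unordered_map<unsigned, std::list<Breakpoint>::iterator> byId;

    void set(unsigned id, unsigned line)
    {
        records.push_back({ id, line, true });
        byId[id] = std::prev(records.end());
    }

    bool remove(unsigned id)
    {
        auto it = byId.find(id);
        if (it == byId.end())
            return false;
        records.erase(it->second); // frees only this node; neighbours stay put
        byId.erase(it);
        return true;
    }

    const Breakpoint* find(unsigned id) const
    {
        auto it = byId.find(id);
        return it == byId.end() ? nullptr : &*it->second;
    }
};

// Cache the address of the first record, insert n more, and check that the
// cached address still names the same live record.
bool listAddressesStayStable(unsigned n)
{
    ListBackedBreakpoints debugger;
    debugger.set(0, 1);
    const Breakpoint* first = debugger.find(0);
    for (unsigned i = 1; i <= n; ++i)
        debugger.set(i, 1 + i);
    return first == debugger.find(0) && first->line == 1;
}

// Erasing from the middle must not disturb lookups of the neighbours.
bool listRemovalKeepsNeighbours()
{
    ListBackedBreakpoints debugger;
    for (unsigned i = 0; i < 5; ++i)
        debugger.set(i, 10 * i);
    const Breakpoint* fourth = debugger.find(3);
    return debugger.remove(2) && !debugger.find(2) && debugger.find(3) == fourth
        && fourth->line == 30 && debugger.records.size() == 4;
}
```

The rule the fix encodes is general: a map from identifiers to element addresses is only sound when the container guarantees address stability (node-based lists and maps do; vectors and deques growing at the front do not), or when the map stores indices and is revalidated on every removal instead.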
2158 2014-06-30  Michael Saboff  <msaboff@apple.com>
2159
2160         Add option to run-jsc-stress-tests to filter out tests that use large heaps
2161         https://bugs.webkit.org/show_bug.cgi?id=134458
2162
2163         Reviewed by Filip Pizlo.
2164
2165         Added test to skip js1_5/Regress/regress-159334.js when testing on a memory limited device.
2166
2167         * tests/mozilla/mozilla-tests.yaml:
2168
2169 2014-06-30  Daniel Bates  <dabates@apple.com>
2170
2171         Avoid copying closed variables vector; actually use move semantics
2172
2173         Rubber-stamped by Oliver Hunt.
2174
2175         Currently we always copy the closed variables vector passed by Parser::closedVariables()
2176         to ProgramNode::setClosedVariables() because these member functions return and take a const
2177         rvalue reference, respectively. Instead, these member functions should take and return a non-
2178         constant rvalue reference so that we actually move the closed variables vector from the Parser
2179         object to the Node object.
2180
2181         * parser/Nodes.cpp:
2182         (JSC::ProgramNode::setClosedVariables): Remove const qualifier for argument.
2183         * parser/Nodes.h:
2184         (JSC::ScopeNode::setClosedVariables): Ditto.
2185         * parser/Parser.h:
2186         (JSC::Parser::closedVariables): Remove const qualifier on return type.
2187         (JSC::parse): Remove extraneous call to std::move(). Calling std::move() is unnecessary here
2188         because Parser::closedVariables() returns an rvalue reference.
2189
2190 2014-06-30  Joseph Pecoraro  <pecoraro@apple.com>
2191
2192         JSContext Inspection: Provide a way to use a non-Main RunLoop for Inspector JavaScript Evaluations
2193         https://bugs.webkit.org/show_bug.cgi?id=134371
2194
2195         Reviewed by Timothy Hatcher.
2196
2197         * API/JSContextPrivate.h:
2198         * API/JSContext.mm:
2199         (-[JSContext _debuggerRunLoop]):
2200         (-[JSContext _setDebuggerRunLoop:]):
2201         Private API for setting the CFRunLoop for a debugger to evaluate in.
2202         
2203         * API/JSContextRefInternal.h: Added.
2204         * API/JSContextRef.cpp:
2205         (JSGlobalContextGetDebuggerRunLoop):
2206         (JSGlobalContextSetDebuggerRunLoop):
2207         Internal API for setting a CFRunLoop on a JSContextRef.
2208         Set this on the debuggable.
2209         
2210         * inspector/remote/RemoteInspectorDebuggable.h:
2211         * inspector/remote/RemoteInspectorDebuggableConnection.h:
2212         (Inspector::RemoteInspectorBlock::RemoteInspectorBlock):
2213         (Inspector::RemoteInspectorBlock::~RemoteInspectorBlock):
2214         (Inspector::RemoteInspectorBlock::operator=):
2215         (Inspector::RemoteInspectorBlock::operator()):
2216         Moved into the header.
2217
2218         * runtime/JSGlobalObject.h:
2219         (JSC::JSGlobalObject::inspectorDebuggable):
2220         Let's store the RunLoop on the debuggable instead of this core
2221         platform agnostic class, so expose the debuggable.
2222
2223         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
2224         (Inspector::RemoteInspectorHandleRunSourceGlobal):
2225         (Inspector::RemoteInspectorQueueTaskOnGlobalQueue):
2226         (Inspector::RemoteInspectorInitializeGlobalQueue):
2227         Rename the global functions for clarity.
2228
2229         (Inspector::RemoteInspectorHandleRunSourceWithInfo):
2230         Handler for private run loops.
2231
2232         (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
2233         (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
2234         (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
2235         (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):
2236         (Inspector::RemoteInspectorDebuggableConnection::teardownRunLoop):
2237         (Inspector::RemoteInspectorDebuggableConnection::queueTaskOnPrivateRunLoop):
2238         Set up and tear down and use private run loop sources if the debuggable needs it.
2239
2240 2014-06-30  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>
2241
2242         Add missing ENABLE(DFG_JIT) guards
2243         https://bugs.webkit.org/show_bug.cgi?id=134444
2244
2245         Reviewed by Darin Adler.
2246
2247         * dfg/DFGFunctionWhitelist.cpp:
2248         * dfg/DFGFunctionWhitelist.h:
2249
2250 2014-06-29  Yoav Weiss  <yoav@yoav.ws>
2251
2252         Add support for HTMLImageElement's sizes attribute
2253         https://bugs.webkit.org/show_bug.cgi?id=133620
2254
2255         Reviewed by Dean Jackson.
2256
2257         Added an ENABLE_PICTURE_SIZES compile flag.
2258
2259         * Configurations/FeatureDefines.xcconfig:
2260
2261 2014-06-27  Filip Pizlo  <fpizlo@apple.com>
2262
2263         Don't fold a UInt32ToNumber with DoOverflow to Identity since that would result in an Identity that takes an Int32 and returns a DoubleRep
2264         https://bugs.webkit.org/show_bug.cgi?id=134412
2265
2266         Reviewed by Mark Hahnenberg.
2267
2268         * dfg/DFGCSEPhase.cpp:
2269         (JSC::DFG::CSEPhase::setReplacement):
2270         * dfg/DFGStrengthReductionPhase.cpp:
2271         (JSC::DFG::StrengthReductionPhase::handleNode):
2272         * dfg/DFGValidate.cpp:
2273         (JSC::DFG::Validate::validate):
2274         * tests/stress/uint32-to-number-fold-constant-with-do-overflow.js: Added.
2275         (foo):
2276         (bar):
2277         (baz):
2278
2279 2014-06-27  Peyton Randolph  <prandolph@apple.com>
2280
2281         Add feature flag for link long-press gesture.
2282         https://bugs.webkit.org/show_bug.cgi?id=134262
2283
2284         Reviewed by Enrica Casucci.
2285
2286         * Configurations/FeatureDefines.xcconfig:
2287         Add ENABLE_LINK_LONG_PRESS.
2288
2289 2014-06-27  László Langó  <llango.u-szeged@partner.samsung.com>
2290
2291         [JavaScriptCore] FTL buildfix for EFL platform.
2292         https://bugs.webkit.org/show_bug.cgi?id=133546
2293
2294         Reviewed by Darin Adler.
2295
2296         * ftl/FTLAbstractHeap.cpp:
2297         (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
2298         * ftl/FTLLocation.cpp:
2299         (JSC::FTL::Location::forStackmaps):
2300         * ftl/FTLLowerDFGToLLVM.cpp:
2301         (JSC::FTL::LowerDFGToLLVM::opposite):
2302         * ftl/FTLOSRExitCompiler.cpp:
2303         (JSC::FTL::compileStub):
2304         * ftl/FTLStackMaps.cpp:
2305         (JSC::FTL::StackMaps::Constant::dump):
2306         * llvm/InitializeLLVMPOSIX.cpp:
2307         (JSC::initializeLLVMPOSIX):
2308
2309 2014-06-26  Benjamin Poulain  <benjamin@webkit.org>
2310
2311         iOS 8 beta 2 ES6 'Set' clear() broken
2312         https://bugs.webkit.org/show_bug.cgi?id=134346
2313
2314         Reviewed by Oliver Hunt.
2315
2316         The object map was not cleared :(.
2317
2318         Kudos to Ashley Gullen for tracking this and making a regression test.
2319         Credit to Oliver for finding the missing code.
2320
2321         * runtime/MapData.h:
2322         (JSC::MapData::clear):
2323
2324 2014-06-25  Brent Fulgham  <bfulgham@apple.com>
2325
2326         [Win] Expose Cache Information to WinLauncher
2327         https://bugs.webkit.org/show_bug.cgi?id=134318
2328
2329         Reviewed by Dean Jackson.
2330
2331         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing
2332         MemoryStatistics files to the Windows build.
2333         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2334
2335 2014-06-26  David Kilzer  <ddkilzer@apple.com>
2336
2337         DFG::FunctionWhitelist::parseFunctionNamesInFile does not close file
2338         <http://webkit.org/b/134343>
2339         <rdar://problem/17459487>
2340
2341         Reviewed by Michael Saboff.
2342
2343         * dfg/DFGFunctionWhitelist.cpp:
2344         (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
2345         Close the file handle, and log an error on failure.
2346
2347 2014-06-25  Dana Burkart  <dburkart@apple.com>
2348
2349         Add support for 5-tuple versioning.
2350
2351         Reviewed by David Farler.
2352
2353         * Configurations/Version.xcconfig:
2354
2355 2014-06-25  Geoffrey Garen  <ggaren@apple.com>
2356
2357         Build fix.
2358
2359         Unreviewed.
2360
2361         * runtime/JSDateMath.cpp:
2362         (JSC::parseDateFromNullTerminatedCharacters):
2363         * runtime/VM.cpp:
2364         (JSC::VM::resetDateCache): Use std::numeric_limits instead of QNaN
2365         constant since that constant doesn't exist anymore.
2366
2367 2014-06-25  Geoffrey Garen  <ggaren@apple.com>
2368
2369         Unreviewed, rolling out r166876.
2370
2371         Caused some ECMA test262 failures
2372
2373         Reverted changeset:
2374
2375         "Date object needs to check for ES5 15.9.1.14 TimeClip limit."
2376         https://bugs.webkit.org/show_bug.cgi?id=131248
2377         http://trac.webkit.org/changeset/166876
2378
2379 2014-06-25  Brent Fulgham  <bfulgham@apple.com>
2380
2381         [Win] Unreviewed gardening.
2382
2383         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Update to
2384         put various files in proper IDE categories.
2385
2386 2014-06-25  peavo@outlook.com  <peavo@outlook.com>
2387
2388         [Win64] ASM LLINT is not enabled.
2389         https://bugs.webkit.org/show_bug.cgi?id=130638
2390
2391         This patch adds a new LLINT assembler backend for Win64, and implements it.
2392         It makes adjustments to follow the Win64 ABI spec. where it's found to be needed.
2393         Also, LLINT and JIT are enabled for Win64.
2394
2395         Reviewed by Mark Lam.
2396
2397         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added JITStubsMSVC64.asm.
2398         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
2399         * JavaScriptCore/JavaScriptCore.vcxproj/jsc/jscCommon.props: Increased stack size to avoid stack overflow in tests.
2400         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Generate assembler source file for Win64.
2401         * assembler/MacroAssemblerX86_64.h: 
2402         (JSC::MacroAssemblerX86_64::call): Follow Win64 ABI spec.
2403         * jit/JITStubsMSVC64.asm: Added.
2404         * jit/Repatch.cpp:
2405         (JSC::emitPutTransitionStub): Compile fix.
2406         * jit/ThunkGenerators.cpp:
2407         (JSC::nativeForGenerator): Follow Win64 ABI spec.
2408         * llint/LLIntData.cpp:
2409         (JSC::LLInt::Data::performAssertions): Ditto.
2410         * llint/LLIntOfflineAsmConfig.h: Enable new llint backend for Win64.
2411         * llint/LowLevelInterpreter.asm: Implement new Win64 backend, and follow Win64 ABI spec.
2412         * llint/LowLevelInterpreter64.asm: Ditto.
2413         * offlineasm/asm.rb: Compile fix.
2414         * offlineasm/backends.rb: Add new llint backend for Win64.
2415         * offlineasm/settings.rb: Compile fix.
2416         * offlineasm/x86.rb: Implement new llint Win64 backend.
2417
2418 2014-06-25  Laszlo Gombos  <l.gombos@samsung.com>
2419
2420         Remove build guard for progress element
2421         https://bugs.webkit.org/show_bug.cgi?id=134292
2422
2423         Reviewed by Benjamin Poulain.
2424
2425         * Configurations/FeatureDefines.xcconfig:
2426
2427 2014-06-24  Michael Saboff  <msaboff@apple.com>
2428
2429         Add support routines to provide descriptive JavaScript backtraces
2430         https://bugs.webkit.org/show_bug.cgi?id=134278
2431
2432         Reviewed by Mark Lam.
2433
2434         * interpreter/CallFrame.cpp:
2435         (JSC::CallFrame::dump):
2436         (JSC::CallFrame::describeFrame):
2437         * interpreter/CallFrame.h:
2438         * runtime/JSCJSValue.cpp:
2439         (JSC::JSValue::dumpForBacktrace):
2440         * runtime/JSCJSValue.h:
2441
2442 2014-06-24  Brady Eidson  <beidson@apple.com>
2443
2444         Enable GAMEPAD in the Mac build, but disabled at runtime.
2445         https://bugs.webkit.org/show_bug.cgi?id=134255
2446
2447         Reviewed by Dean Jackson.
2448
2449         * Configurations/FeatureDefines.xcconfig:
2450
2451         * runtime/JSObject.h: Export JSObject::removeDirect() to allow disabling
2452           functions at runtime.
2453
2454 2014-06-24  Mark Hahnenberg  <mhahnenberg@apple.com>
2455
2456         REGRESSION (r169703): Invalid cast in JSC::asGetterSetter / JSC::JSObject::defineOwnNonIndexProperty
2457         https://bugs.webkit.org/show_bug.cgi?id=134046
2458
2459         Reviewed by Filip Pizlo.
2460
2461         * runtime/GetterSetter.h:
2462         (JSC::asGetterSetter):
2463         * runtime/JSObject.cpp:
2464         (JSC::JSObject::defineOwnNonIndexProperty): We need to check for a CustomGetterSetter here as well as
2465         a normal GetterSetter. If we encounter a CustomGetterSetter, we delete it, create a new normal GetterSetter,
2466         and insert it like normal. We also need to check for CustomAccessors when checking for unconfigurable properties.
2467
2468 2014-06-24  Brent Fulgham  <bfulgham@apple.com>
2469
2470         [Win] MSVC mishandles enums in bitfields
2471         https://bugs.webkit.org/show_bug.cgi?id=134237
2472
2473         Reviewed by Michael Saboff.
2474
2475         Replace uses of enum types in bit fields with unsigned to
2476         avoid losing a bit to hold the sign value. This can result
2477         in Windows interpreting the value of the field improperly.
2478
2479         * bytecode/StructureStubInfo.h:
2480         * parser/Nodes.h:
2481
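The entry above is about a portability trap in packed headers: an unscoped enum used as the type of a bit-field has an implementation-defined underlying type, and MSVC picks a signed int, so an enum with four values stored in a two-bit field loses its top bit to the sign. The following is an added example, not code from StructureStubInfo.h or Nodes.h; the AccessType enum and the struct layouts are assumptions. It shows the field declared both ways and demonstrates the mechanism directly with an explicitly signed two-bit field, which misreads the value 2 on every mainstream compiler, not only MSVC.

```cpp
#include <cassert>

// Assumed four-state enum: it needs exactly two bits in a packed header.
enum AccessType { Load = 0, Store = 1, Call = 2, Unknown = 3 };

// Before: the bit-field's type is the enum itself. Its underlying type is
// implementation defined for an unscoped enum without a fixed base; MSVC
// uses a signed int, so the top of the two bits becomes a sign bit.
struct PackedBefore {
    AccessType accessType : 2;
    unsigned other : 30;
};

// After: an unsigned field holds the enumerator value, and every two-bit
// value round-trips on every compiler.
struct PackedAfter {
    unsigned accessType : 2;
    unsigned other : 30;
};

// The mechanism in isolation: a signed two-bit field can represent -2..1,
// so storing 2 wraps to -2 (GCC, Clang and MSVC all behave this way).
struct SignedTwoBits {
    int value : 2;
};

int storedThroughSignedTwoBitField(int v)
{
    SignedTwoBits s { 0 };
    s.value = v;
    return s.value;
}

unsigned storedThroughUnsignedTwoBitField(unsigned v)
{
    PackedAfter p { 0, 0 };
    p.accessType = v;
    return p.accessType;
}

// Every enumerator must survive the trip through the field and cast back to
// the same enumerator.
bool unsignedFieldRoundTripsAllEnumerators()
{
    for (unsigned v = Load; v <= Unknown; ++v) {
        unsigned stored = storedThroughUnsignedTwoBitField(v);
        if (stored != v || static_cast<AccessType>(stored) != static_cast<AccessType>(v))
            return false;
    }
    return true;
}

// The failure mode the ChangeLog describes: the field is compared against an
// enumerator, and with a signed field holding Call (2) the comparison
// `field == Call` is false even though Call was just stored.
bool signedFieldMisreadsCall()
{
    return storedThroughSignedTwoBitField(Call) != Call;
}
```

Declaring the enum with a fixed underlying type (`enum AccessType : unsigned { ... }`) is the other portable option and keeps the field's type self-documenting; the unsigned-field form in the entry above works on compilers that predate fixed underlying types.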
2482 2014-06-23  Andreas Kling  <akling@apple.com>
2483
2484         Inline the UnlinkedInstructionStream::Reader logic.
2485         <https://webkit.org/b/134203>
2486
2487         This class is only used by CodeBlock to unpack the unlinked instructions,
2488         and we were spending 0.5% of total time on PLT calling Reader::next().
2489         Move the logic to the header file and mark it ALWAYS_INLINE.
2490
2491         Reviewed by Geoffrey Garen.
2492
2493         * bytecode/UnlinkedInstructionStream.cpp:
2494         * bytecode/UnlinkedInstructionStream.h:
2495         (JSC::UnlinkedInstructionStream::Reader::Reader):
2496         (JSC::UnlinkedInstructionStream::Reader::read8):
2497         (JSC::UnlinkedInstructionStream::Reader::read32):
2498         (JSC::UnlinkedInstructionStream::Reader::next):
2499
2500 2014-06-20  Sam Weinig  <sam@webkit.org>
2501
2502         Remove static tables for bindings that use eager reification
2503         https://bugs.webkit.org/show_bug.cgi?id=134126
2504
2505         Reviewed by Oliver Hunt.
2506
2507         * runtime/JSObject.cpp:
2508         (JSC::JSObject::putDirectCustomAccessor):
2509         * runtime/Structure.h:
2510         (JSC::Structure::setHasCustomGetterSetterProperties):
2511         Change setHasCustomGetterSetterProperties to behave like setHasGetterSetterProperties, and set
2512         the m_hasReadOnlyOrGetterSetterPropertiesExcludingProto bit if the property is not __proto__.
2513         Without this, JSObject::put() won't think there are any setters on the prototype chain of an
2514         object that has no static lookup table and uses eagerly reified custom getter/setter properties.
2515
2516 2014-06-21  Brady Eidson  <beidson@apple.com>
2517
2518         Gamepad API - Deprecate the existing implementation
2519         https://bugs.webkit.org/show_bug.cgi?id=134108
2520
2521         Reviewed by Timothy Hatcher.
2522
2523         -Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it
2524         -Move some implementation files into a "deprecated" subdirectory.
2525
2526         * Configurations/FeatureDefines.xcconfig:
2527
2528 2014-06-21  Commit Queue  <commit-queue@webkit.org>
2529
2530         Unreviewed, rolling out r170244.
2531         https://bugs.webkit.org/show_bug.cgi?id=134157
2532
2533         GTK/EFL bindings generator works differently, making this
2534         patch not work there.  Will fix entire patch after a rollout.
2535         (Requested by bradee-oh on #webkit).
2536
2537         Reverted changeset:
2538
2539         "Gamepad API - Deprecate the existing implementation"
2540         https://bugs.webkit.org/show_bug.cgi?id=134108
2541         http://trac.webkit.org/changeset/170244
2542
2543 2014-06-21  Brady Eidson  <beidson@apple.com>
2544
2545         Gamepad API - Deprecate the existing implementation
2546         https://bugs.webkit.org/show_bug.cgi?id=134108
2547
2548         Reviewed by Timothy Hatcher.
2549
2550         -Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it
2551         -Add the "Deprecated" suffix to some implementation files
2552
2553         * Configurations/FeatureDefines.xcconfig:
2554
2555 2014-06-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
2556
2557         Removing PAGE_VISIBILITY_API compile guard.
2558         https://bugs.webkit.org/show_bug.cgi?id=133844
2559
2560         Reviewed by Gavin Barraclough.
2561
2562         * Configurations/FeatureDefines.xcconfig:
2563
2564 2014-06-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
2565
2566         ARM traditional buildfix after r169942.
2567         https://bugs.webkit.org/show_bug.cgi?id=134100
2568
2569         Reviewed by Zoltan Herczeg.
2570
2571         * assembler/MacroAssemblerARM.h:
2572         (JSC::MacroAssemblerARM::abortWithReason): Added.
2573
2574 2014-06-20  Andreas Kling  <akling@apple.com>
2575
2576         [Cocoa] Release freed up blocks from the JS heap after simulated memory pressure.
2577         <https://webkit.org/b/134112>
2578
2579         Reviewed by Mark Hahnenberg.
2580
2581         * heap/BlockAllocator.h:
2582
2583 2014-06-19  Alex Christensen  <achristensen@webkit.org>
2584
2585         Unreviewed fix after r170130.
2586
2587         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj:
2588         Corrected directory so it can find common.props when opening Visual Studio.
2589
2590 2014-06-19  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
2591
2592         Remove ENABLE(LLINT) and ENABLE(LLINT_C_LOOP) guards
2593         https://bugs.webkit.org/show_bug.cgi?id=130389
2594
2595         Reviewed by Mark Lam.
2596
2597         Removed ENABLE(LLINT) since we always build with it, and changed ENABLE(LLINT_C_LOOP)
2598         into !ENABLE(JIT) since they are mutually exclusive.
2599
2600         * CMakeLists.txt:
2601         * assembler/MacroAssemblerCodeRef.h:
2602         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
2603         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
2604         * assembler/MaxFrameExtentForSlowPathCall.h:
2605         * bytecode/CallLinkStatus.cpp:
2606         (JSC::CallLinkStatus::computeFromLLInt):
2607         * bytecode/CodeBlock.cpp:
2608         (JSC::dumpStructure):
2609         (JSC::CodeBlock::printGetByIdCacheStatus):
2610         (JSC::CodeBlock::printCallOp):
2611         (JSC::CodeBlock::CodeBlock):
2612         (JSC::CodeBlock::~CodeBlock):
2613         (JSC::CodeBlock::propagateTransitions):
2614         (JSC::CodeBlock::finalizeUnconditionally):
2615         (JSC::CodeBlock::unlinkCalls):
2616         (JSC::CodeBlock::unlinkIncomingCalls):
2617         (JSC::CodeBlock::linkIncomingCall):
2618         (JSC::CodeBlock::frameRegisterCount):
2619         * bytecode/CodeBlock.h:
2620         * bytecode/GetByIdStatus.cpp:
2621         (JSC::GetByIdStatus::computeFromLLInt):
2622         * bytecode/Opcode.h:
2623         (JSC::padOpcodeName):
2624         * bytecode/PutByIdStatus.cpp:
2625         (JSC::PutByIdStatus::computeFromLLInt):
2626         * bytecompiler/BytecodeGenerator.cpp:
2627         (JSC::BytecodeGenerator::emitCall):
2628         (JSC::BytecodeGenerator::emitConstruct):
2629         * heap/Heap.cpp:
2630         (JSC::Heap::gatherJSStackRoots):
2631         * interpreter/Interpreter.cpp:
2632         (JSC::Interpreter::initialize):
2633         (JSC::Interpreter::isOpcode):
2634         * interpreter/Interpreter.h:
2635         (JSC::Interpreter::getOpcodeID):
2636         * interpreter/JSStack.cpp:
2637         (JSC::JSStack::JSStack):
2638         (JSC::JSStack::committedByteCount):
2639         * interpreter/JSStack.h:
2640         * interpreter/JSStackInlines.h:
2641         (JSC::JSStack::ensureCapacityFor):
2642         (JSC::JSStack::topOfFrameFor):
2643         (JSC::JSStack::setStackLimit):
2644         * jit/ExecutableAllocatorFixedVMPool.cpp:
2645         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
2646         * jit/JIT.h:
2647         (JSC::JIT::compileCTINativeCall):
2648         * jit/JITExceptions.h:
2649         * jit/JITThunks.cpp:
2650         (JSC::JITThunks::ctiNativeCall):
2651         (JSC::JITThunks::ctiNativeConstruct):
2652         * llint/LLIntCLoop.cpp:
2653         * llint/LLIntCLoop.h:
2654         * llint/LLIntData.cpp:
2655         (JSC::LLInt::initialize):
2656         (JSC::LLInt::Data::performAssertions):
2657         * llint/LLIntData.h:
2658         (JSC::LLInt::Data::performAssertions): Deleted.
2659         * llint/LLIntEntrypoint.cpp:
2660         * llint/LLIntEntrypoint.h:
2661         * llint/LLIntExceptions.cpp:
2662         * llint/LLIntExceptions.h:
2663         * llint/LLIntOfflineAsmConfig.h:
2664         * llint/LLIntOffsetsExtractor.cpp:
2665         (JSC::LLIntOffsetsExtractor::dummy):
2666         * llint/LLIntOpcode.h:
2667         * llint/LLIntSlowPaths.cpp:
2668         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2669         * llint/LLIntSlowPaths.h:
2670         * llint/LLIntThunks.cpp:
2671         * llint/LLIntThunks.h:
2672         * llint/LowLevelInterpreter.cpp:
2673         * llint/LowLevelInterpreter.h:
2674         * runtime/CommonSlowPaths.cpp:
2675         * runtime/CommonSlowPaths.h:
2676         * runtime/ErrorHandlingScope.cpp:
2677         (JSC::ErrorHandlingScope::ErrorHandlingScope):
2678         (JSC::ErrorHandlingScope::~ErrorHandlingScope):
2679         * runtime/Executable.cpp:
2680         (JSC::setupLLInt):
2681         * runtime/InitializeThreading.cpp:
2682         (JSC::initializeThreading):
2683         * runtime/JSCJSValue.h:
2684         * runtime/JSCJSValueInlines.h:
2685         * runtime/Options.cpp:
2686         (JSC::recomputeDependentOptions):
2687         * runtime/VM.cpp:
2688         (JSC::VM::VM):
2689         (JSC::sanitizeStackForVM):
2690         * runtime/VM.h:
2691         (JSC::VM::canUseJIT): Deleted.
2692
2693 2014-06-18  Alex Christensen  <achristensen@webkit.org>
2694
2695         Add FTL to Windows build.
2696         https://bugs.webkit.org/show_bug.cgi?id=134015
2697
2698         Reviewed by Filip Pizlo.
2699
2700         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2701         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2702         Added ftl source files.
2703         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
2704         Added ftl and llvm directories to include path.
2705         * JavaScriptCore.vcxproj/libllvmForJSC: Added.
2706         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Added.
2707         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Added.
2708         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Added.
2709         * ftl/FTLLowerDFGToLLVM.cpp:
2710         (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
2711         MSVC doesn't like to divide by zero while compiling.  Use std::nan instead.
2712         * llvm/InitializeLLVMWin.cpp: Added.
2713         (JSC::initializeLLVMImpl):
2714         Implemented dynamic loading and linking for Windows.
2715
2716 2014-06-18  Alex Christensen  <achristensen@webkit.org>
2717
2718         Unreviewed build fix after r170107.
2719
2720         * dfg/DFGSpeculativeJIT.cpp:
2721         (JSC::DFG::SpeculativeJIT::compileArithMod):
2722         Use non-template sub for armv7s.
2723
2724 2014-06-18  David Kilzer  <ddkilzer@apple.com>
2725
2726         -[JSContext setName:] leaks NSString
2727         <http://webkit.org/b/134038>
2728
2729         Reviewed by Joseph Pecoraro.
2730
2731         Fixes the following static analyzer warning:
2732
2733             JavaScriptCore/API/JSContext.mm:200:73: warning: Potential leak of an object
2734                 JSStringRef nameJS = name ? JSStringCreateWithCFString((CFStringRef)[name copy]) : nullptr;
2735                                                                                     ^
2736
2737         * API/JSContext.mm:
2738         (-[JSContext setName:]): Autorelease the copy of |name|.
2739
2740 2014-06-18  Mark Lam  <mark.lam@apple.com>
2741
2742         DFGGraph::m_doubleConstantMap will not map 0 values correctly.
2743         <https://webkit.org/b/133994>
2744
2745         Reviewed by Geoffrey Garen.
2746
2747         DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
2748         because it means two unfortunate things:
2749         - It will probably break for zero.
2750         - It will think that -0 is the same as +0 under some circumstances, since
2751           -0==+0 even though they are distinct values (for example 1/-0 != 1/+0).
2752
2753         The fix is to use std::unordered_map which does not require special empty
2754         and deleted values, and to use the raw bits instead of the double value as
2755         the key.
2756
2757         * dfg/DFGGraph.h:
2758         * dfg/DFGJITCompiler.cpp:
2759         (JSC::DFG::JITCompiler::addressOfDoubleConstant):
2760
2761 2014-06-18  Alex Christensen  <achristensen@webkit.org>
2762
2763         Remove duplicate code using sdiv.
2764         https://bugs.webkit.org/show_bug.cgi?id=133764
2765
2766         Reviewed by Daniel Bates.
2767
2768         * assembler/ARMv7Assembler.h:
2769         (JSC::ARMv7Assembler::sdiv):
2770         Make sdiv a template to match arm64.
2771         * dfg/DFGSpeculativeJIT.cpp:
2772         (JSC::DFG::SpeculativeJIT::compileArithDiv):
2773         (JSC::DFG::SpeculativeJIT::compileArithMod):
2774         Remove duplicate code that was identical except for sdiv not being a template.
2775
2776 2014-06-17  Commit Queue  <commit-queue@webkit.org>
2777
2778         Unreviewed, rolling out r170082.
2779         https://bugs.webkit.org/show_bug.cgi?id=134006
2780
2781         Breaks build. (Requested by mlam on #webkit).
2782
2783         Reverted changeset:
2784
2785         "DFGGraph::m_doubleConstantMap will not map 0 values
2786         correctly."
2787         https://bugs.webkit.org/show_bug.cgi?id=133994
2788         http://trac.webkit.org/changeset/170082
2789
2790 2014-06-17  Mark Lam  <mark.lam@apple.com>
2791
2792         DFGGraph::m_doubleConstantMap will not map 0 values correctly.
2793         <https://webkit.org/b/133994>
2794
2795         Reviewed by Geoffrey Garen.
2796
2797         DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
2798         because it means two unfortunate things:
2799         - It will probably break for zero.
2800         - It will think that -0 is the same as +0 under some circumstances, since
2801           -0==+0 even though they are distinct values (for example 1/-0 != 1/+0).
2802
2803         The fix is to use std::unordered_map which does not require special empty
2804         and deleted values, and to use the raw bits instead of the double value as
2805         the key.
2806
2807         * dfg/DFGGraph.h:
2808         * dfg/DFGJITCompiler.cpp:
2809         (JSC::DFG::JITCompiler::addressOfDoubleConstant):
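The -0/+0 collapse described in this entry (and in the re-landed copy dated 2014-06-18 above) is easy to reproduce in isolation. The block below is an added illustration, not WebKit code: a hypothetical constant pool kept two ways, once keyed directly on the double and once keyed on its raw IEEE-754 bits through std::unordered_map, which is the shape the entry proposes. The names doubleBits, BitKeyedDoublePool, ValueKeyedDoublePool and reciprocalsDiffer are invented here; DFG::Graph and JITCompiler::addressOfDoubleConstant are not reproduced.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <limits>
#include <unordered_map>

// Reinterpret a double as its IEEE-754 bit pattern. memcpy is the
// well-defined way to do this; a union or pointer cast is not.
inline uint64_t doubleBits(double value)
{
    static_assert(sizeof(double) == sizeof(uint64_t), "double must be 64 bits");
    uint64_t bits;
    std::memcpy(&bits, &value, sizeof(bits));
    return bits;
}

// Hypothetical constant pool keyed the way the entry proposes: a
// std::unordered_map (no reserved empty/deleted sentinel values) whose key
// is the raw bit pattern, so +0.0 and -0.0 are distinct and a NaN with a
// given bit pattern always finds its own slot again.
class BitKeyedDoublePool {
public:
    // Returns the slot index holding `value`, allocating a new slot if needed.
    size_t slotFor(double value)
    {
        uint64_t key = doubleBits(value);
        auto it = m_slots.find(key);
        if (it != m_slots.end())
            return it->second;
        size_t slot = m_slots.size();
        m_slots.emplace(key, slot);
        return slot;
    }
    size_t size() const { return m_slots.size(); }

private:
    std::unordered_map<uint64_t, size_t> m_slots;
};

// The problematic shape: the same pool keyed directly on the double. The map
// compares keys with operator==, under which -0.0 == +0.0, so both constants
// land in one slot; NaN never compares equal to itself, so every NaN lookup
// misses and allocates a fresh slot.
class ValueKeyedDoublePool {
public:
    size_t slotFor(double value)
    {
        auto it = m_slots.find(value);
        if (it != m_slots.end())
            return it->second;
        size_t slot = m_slots.size();
        m_slots.emplace(value, slot);
        return slot;
    }
    size_t size() const { return m_slots.size(); }

private:
    std::unordered_map<double, size_t> m_slots;
};

// Why the distinction matters: 1/+0 and 1/-0 are opposite infinities, so code
// that folded the two constants into one slot would compute the wrong sign.
inline bool reciprocalsDiffer(double a, double b)
{
    return (1.0 / a) != (1.0 / b);
}

int main()
{
    BitKeyedDoublePool bits;
    ValueKeyedDoublePool values;
    size_t bitPlus = bits.slotFor(0.0), bitMinus = bits.slotFor(-0.0);
    size_t valPlus = values.slotFor(0.0), valMinus = values.slotFor(-0.0);
    std::printf("bit-keyed:   +0 -> slot %zu, -0 -> slot %zu\n", bitPlus, bitMinus);
    std::printf("value-keyed: +0 -> slot %zu, -0 -> slot %zu\n", valPlus, valMinus);
    std::printf("1/+0 != 1/-0: %s\n", reciprocalsDiffer(0.0, -0.0) ? "true" : "false");
    return 0;
}
```

The value-keyed pool is not wrong in the C++ sense; operator== on doubles is doing exactly what IEEE-754 says. It is wrong as a constant-pool key because a compiler needs identity of bit patterns, not numeric equality, which is why the entry moves to the raw bits.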
2810
2811 2014-06-17  Oliver Hunt  <oliver@apple.com>
2812
2813         Fix error messages for incorrect hex literals
2814         https://bugs.webkit.org/show_bug.cgi?id=133998
2815
2816         Reviewed by Mark Lam.
2817
2818         Ensure that the error messages for bogus hex literals actually
2819         make sense.
2820
2821         * parser/Lexer.cpp:
2822         (JSC::Lexer<T>::lex):
2823         * parser/ParserTokens.h:
2824
2825 2014-06-17  Matthew Mirman  <mmirman@apple.com>
2826
2827         Fixes bug where building JSC sometimes crashes at build-symbol-table-index.py. Also adds licenses. 
2828         https://bugs.webkit.org/show_bug.cgi?id=133814
2829
2830         Reviewed by Filip Pizlo.
2831         
2832         Adds the "shopt -s nullglob" line necessary to prevent the loop in the shell 
2833         script from using "*.o" as a file when no other files in the directory exist. 
2834         
2835         * build-symbol-table-index.sh: Added license.
2836         * copy-llvm-ir-to-derived-sources.sh: Added license and "shopt -s nullglob" line.
2837
2838 2014-06-16  Sam Weinig  <sam@webkit.org>
2839
2840         Move forward declaration of bindings static functions into their implementation files
2841         https://bugs.webkit.org/show_bug.cgi?id=133943
2842
2843         Reviewed by Geoffrey Garen.
2844
2845         * runtime/CommonIdentifiers.h:
2846         Add a few identifiers that are needed by the DOM.
2847
2848 2014-06-16  Mark Lam  <mark.lam@apple.com>
2849
2850         Parser statementDepth accounting needs to account for when a function body excludes its braces.
2851         <https://webkit.org/b/133832>
2852
2853         Reviewed by Oliver Hunt.
2854
2855         In some cases (e.g. when a Function object is instantiated from a string), the
2856         function body source may not include its braces.  The parser needs to account
2857         for this when calculating its statementDepth.
2858
2859         * bytecode/UnlinkedCodeBlock.cpp:
2860         (JSC::generateFunctionCodeBlock):
2861         (JSC::UnlinkedFunctionExecutable::codeBlockFor):
2862         * bytecode/UnlinkedCodeBlock.h:
2863         * parser/Parser.cpp:
2864         (JSC::Parser<LexerType>::parseStatement):
2865         - Also fixed the error message for declaring nested functions in strict mode
2866           to be more accurate.
2867         * parser/Parser.h:
2868         (JSC::Parser<LexerType>::parse):
2869         (JSC::parse):
2870         * runtime/Executable.cpp:
2871         (JSC::ScriptExecutable::newCodeBlockFor):
2872
2873 2014-06-16  Juergen Ributzka  <juergen@apple.com>
2874
2875         Change the order of the alias analysis passes to align with the opt pipeline of LLVM
2876         https://bugs.webkit.org/show_bug.cgi?id=133753
2877
2878         Reviewed by Geoffrey Garen.
2879
2880         The order in which the alias analysis passes are added affects also the
2881         order in which they are utilized. Change the order to align with the
2882         one used by LLVM itself. The last alias analysis pass added will be
2883         evaluated first. With this change we first perform a basic alias
2884         analysis and then use the type-based alias analysis (if required).
2885
2886         * ftl/FTLCompile.cpp:
2887         (JSC::FTL::compile):
2888
2889 2014-06-16  Juergen Ributzka  <juergen@apple.com>
2890
2891         Fix the arguments passed to the LLVM dylib
2892         https://bugs.webkit.org/show_bug.cgi?id=133757
2893
2894         Reviewed by Geoffrey Garen.
2895
2896         The LLVM command line argument parser assumes that the first argument
2897         is the program name. We need to add a fake program name, otherwise the
2898         first argument will be parsed as program name and ignored.
2899
2900         * llvm/library/LLVMExports.cpp:
2901         (initializeAndGetJSCLLVMAPI):
2902
2903 2014-06-16  Michael Saboff  <msaboff@apple.com>
2904
2905         Convert ASSERT in inlineFunctionForCapabilityLevel to early return
2906         https://bugs.webkit.org/show_bug.cgi?id=133903
2907
2908         Reviewed by Mark Hahnenberg.
2909
2910         Hardened code by converting ASSERT to return CannotCompile.
2911
2912         * dfg/DFGCapabilities.h:
2913         (JSC::DFG::inlineFunctionForCapabilityLevel):
2914
2915 2014-06-13  Sam Weinig  <sam@webkit.org>
2916
2917         Store DOM constants directly in the JS object rather than jumping through a custom accessor
2918         https://bugs.webkit.org/show_bug.cgi?id=133898
2919
2920         Reviewed by Oliver Hunt.
2921
2922         * runtime/Lookup.h:
2923         (JSC::HashTableValue::attributes):
2924         Switch attributes to be stored as an unsigned rather than an unsigned char, since there is no difference in memory use
2925         and it will make adding more flags possible.
2926
2927         (JSC::HashTableValue::propertyGetter):
2928         (JSC::HashTableValue::propertyPutter):
2929         Change assertion to use BuiltinOrFunctionOrConstant.
2930
2931         (JSC::HashTableValue::constantInteger):
2932         Added.
2933
2934         (JSC::getStaticPropertySlot):
2935         (JSC::getStaticValueSlot):
2936         Use PropertySlot::setValue() for constants during static lookup.
2937
2938         (JSC::reifyStaticProperties):
2939         Put the constant directly on the object when eagerly reifying.
2940
2941         * runtime/PropertySlot.h:
2942         Add ConstantInteger flag and BuiltinOrFunctionOrConstant helper.
2943
2944 2014-06-14  Michael Saboff  <msaboff@apple.com>
2945
2946         operationCreateArguments could cause a GC during OSR exit
2947         https://bugs.webkit.org/show_bug.cgi?id=133905
2948
2949         Reviewed by Filip Pizlo.
2950
2951         Defer GC via new wrapper functions for operationCreateArguments and operationCreateInlinedArguments
2952         for use by OSR exit stubs.
2953
2954         * dfg/DFGOSRExitCompilerCommon.cpp:
2955         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor):
2956         * dfg/DFGOperations.cpp:
2957         * dfg/DFGOperations.h:
2958         * jit/JITOperations.cpp:
2959         * jit/JITOperations.h:
2960
2961 2014-06-13  Mark Hahnenberg  <mhahnenberg@apple.com>
2962
2963         OSR exit should barrier the Executables for all InlineCallFrames, not just those on the stack at the time of exit
2964         https://bugs.webkit.org/show_bug.cgi?id=133880
2965
2966         Reviewed by Filip Pizlo.
2967
2968         We could have exited due to a value received from an inlined block that's no longer on 
2969         the stack, so we should just barrier all InlineCallFrames.
2970
2971         * dfg/DFGOSRExitCompilerCommon.cpp:
2972         (JSC::DFG::adjustAndJumpToTarget):
2973
2974 2014-06-13  Alex Christensen  <achristensen@webkit.org>
2975
2976         Make css jit compile for armv7.
2977         https://bugs.webkit.org/show_bug.cgi?id=133596
2978
2979         Reviewed by Benjamin Poulain.
2980
2981         * assembler/MacroAssembler.h:
2982         Use branchPtr on ARM_THUMB2.
2983         * assembler/MacroAssemblerARMv7.h:
2984         (JSC::MacroAssemblerARMv7::addPtrNoFlags):
2985         (JSC::MacroAssemblerARMv7::or32):
2986         (JSC::MacroAssemblerARMv7::test32):
2987         (JSC::MacroAssemblerARMv7::branch):
2988         (JSC::MacroAssemblerARMv7::branchPtr):
2989         Added macros necessary for css jit.
2990
2991 2014-06-13  Filip Pizlo  <fpizlo@apple.com>
2992
2993         Unreviewed, fix ARMv7.
2994
2995         * assembler/MacroAssemblerARMv7.h:
2996         (JSC::MacroAssemblerARMv7::abortWithReason):
2997
2998 2014-06-12  Filip Pizlo  <fpizlo@apple.com>
2999
3000         Even better diagnostics from DFG traps
3001         https://bugs.webkit.org/show_bug.cgi?id=133836
3002
3003         Reviewed by Oliver Hunt.
3004         
3005         We now stuff the DFG::NodeType into a register before bailing. Also made the
3006         DFGBailed abort reason a bit more specific. As planned, the new abort reasons use
3007         different numbers than any previous abort reasons.
3008
3009         * assembler/AbortReason.h:
3010         * assembler/MacroAssemblerARM64.h:
3011         (JSC::MacroAssemblerARM64::abortWithReason):
3012         * assembler/MacroAssemblerARMv7.h:
3013         (JSC::MacroAssemblerARMv7::abortWithReason):
3014         * assembler/MacroAssemblerX86.h:
3015         (JSC::MacroAssemblerX86::abortWithReason):
3016         * assembler/MacroAssemblerX86_64.h:
3017         (JSC::MacroAssemblerX86_64::abortWithReason):
3018         * dfg/DFGSpeculativeJIT.cpp:
3019         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
3020         (JSC::DFG::SpeculativeJIT::bail):
3021         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
3022         * dfg/DFGSpeculativeJIT.h:
3023
3024 2014-06-12  Simon Fraser  <simon.fraser@apple.com>
3025
3026         Fix assertions under JSC::setNeverInline() when running js tests in WebKitTestRunner
3027         https://bugs.webkit.org/show_bug.cgi?id=133840
3028
3029         Reviewed by Filip Pizlo.
3030         
3031         Fix ASSERT(exec->vm().currentThreadIsHoldingAPILock()); under JSC::setNeverInline()
3032         when running DFG tests.
3033
3034         * API/JSCTestRunnerUtils.cpp:
3035         (JSC::numberOfDFGCompiles):
3036         (JSC::setNeverInline):
3037
3038 2014-06-12  Brent Fulgham  <bfulgham@apple.com>
3039
3040         [Win] Avoid fork bomb during build
3041         https://bugs.webkit.org/show_bug.cgi?id=133837
3042         <rdar://problem/17296034>
3043
3044         Reviewed by Tim Horton.
3045
3046         * JavaScriptCore.vcxproj/build-generated-files.sh: Use a
3047         reasonable default value when the 'num-cpus' script is not available.
3048
3049 2014-06-12  Mark Lam  <mark.lam@apple.com>
3050
3051         Remove some dead / unused code.
3052         <https://webkit.org/b/133828>
3053
3054         Reviewed by Filip Pizlo.
3055
3056         * builtins/BuiltinExecutables.cpp:
3057         (JSC::BuiltinExecutables::createBuiltinExecutable):
3058         * bytecode/UnlinkedCodeBlock.cpp:
3059         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3060         * bytecode/UnlinkedCodeBlock.h:
3061         (JSC::UnlinkedFunctionExecutable::create):
3062         * bytecompiler/BytecodeGenerator.h:
3063         (JSC::BytecodeGenerator::makeFunction):
3064         * parser/Parser.h:
3065         (JSC::DepthManager::DepthManager): Deleted.
3066         (JSC::DepthManager::~DepthManager): Deleted.
3067         * runtime/CodeCache.cpp:
3068         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
3069
3070 2014-06-12  Mark Hahnenberg  <mhahnenberg@apple.com>
3071
3072         Move structureHasRareData out of TypeInfo
3073         https://bugs.webkit.org/show_bug.cgi?id=133800
3074
3075         Reviewed by Andreas Kling.
3076
3077         StructureHasRareData was originally put in TypeInfo to avoid making Structure bigger, 
3078         but we have a few spare bits in Structure so it would be nice to remove this hack.
3079
3080         * runtime/JSTypeInfo.h:
3081         (JSC::TypeInfo::newImpurePropertyFiresWatchpoints):
3082         (JSC::TypeInfo::structureHasRareData): Deleted.
3083         * runtime/Structure.cpp:
3084         (JSC::Structure::Structure):
3085         (JSC::Structure::allocateRareData):
3086         (JSC::Structure::cloneRareDataFrom):
3087         * runtime/Structure.h:
3088         (JSC::Structure::previousID):
3089         (JSC::Structure::objectToStringValue):
3090         (JSC::Structure::setObjectToStringValue):
3091         (JSC::Structure::setPreviousID):
3092         (JSC::Structure::clearPreviousID):
3093         (JSC::Structure::previous):
3094         (JSC::Structure::rareData):
3095         * runtime/StructureInlines.h:
3096         (JSC::Structure::setEnumerationCache):
3097         (JSC::Structure::enumerationCache):
3098
3099 2014-06-12  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>
3100
3101         Allow enum guards to be generated from the replay json files
3102         https://bugs.webkit.org/show_bug.cgi?id=133399
3103
3104         Reviewed by Csaba Osztrogonác.
3105
3106         * replay/scripts/CodeGeneratorReplayInputs.py:
3107         (Type.__init__):
3108         (InputsModel.parse_type_with_framework_name):
3109         (Generator.generate_header):
3110         (Generator.generate_implementation):
3111         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Added.
3112         (Test::HandleWheelEvent::HandleWheelEvent):
3113         (Test::HandleWheelEvent::~HandleWheelEvent):
3114         (JSC::InputTraits<Test::HandleWheelEvent>::type):
3115         (JSC::InputTraits<Test::HandleWheelEvent>::encode):
3116         (JSC::InputTraits<Test::HandleWheelEvent>::decode):
3117         (JSC::EncodingTraits<WebCore::PlatformWheelEventPhase>::encodeValue):
3118         (JSC::EncodingTraits<WebCore::PlatformWheelEventPhase>::decodeValue):
3119         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Added.
3120         (JSC::InputTraits<Test::HandleWheelEvent>::queue):
3121         (Test::HandleWheelEvent::platformEvent):
3122         * replay/scripts/tests/generate-enum-with-guard.json: Added.
3123
3124 2014-06-12  Carlos Garcia Campos  <cgarcia@igalia.com>
3125
3126         Unreviewed. Fix GTK+ build after r169823.
3127
3128         Include StructureInlines.h in a few more files to fix linking
3129         issues due to JSC::Structure::get undefined symbol.
3130
3131         * runtime/ArrayIteratorConstructor.cpp:
3132         * runtime/ArrayIteratorPrototype.cpp:
3133         * runtime/JSConsole.cpp:
3134         * runtime/JSMapIterator.cpp:
3135         * runtime/JSSet.cpp:
3136         * runtime/JSSetIterator.cpp:
3137         * runtime/JSWeakMap.cpp:
3138         * runtime/MapIteratorPrototype.cpp:
3139         * runtime/MapPrototype.cpp:
3140         * runtime/SetIteratorPrototype.cpp:
3141         * runtime/SetPrototype.cpp:
3142         * runtime/WeakMapPrototype.cpp:
3143
3144 2014-06-12  Csaba Osztrogonác  <ossy@webkit.org>
3145
3146         [EFL] One more URTBF after r169823 to make ARM64 build happy too.
3147
3148         * runtime/JSMap.cpp:
3149
3150 2014-06-11  Mark Hahnenberg  <mhahnenberg@apple.com>
3151
3152         Inline caching should try to flatten uncacheable dictionaries
3153         https://bugs.webkit.org/show_bug.cgi?id=133683
3154
3155         Reviewed by Geoffrey Garen.
3156
3157         There exists a body of JS code that deletes properties off of objects (especially function/constructor objects), 
3158         which puts them into an uncacheable dictionary state. This prevents all future inline caching for these objects. 
3159         If properties are deleted out of the object during its initialization, we can enable caching for that object by 
3160         attempting to flatten it when we see we're trying to do inline caching with that object. We then record that we 
3161         performed this flattening optimization in the object's Structure. If it ever re-enters the uncacheable dictionary 
3162         state then we can just give up on caching that object.
3163
3164         In refactoring some of the code in tryCacheGetById and tryBuildGetByIdList to reduce some duplication, I added
3165         the InlineCacheAction enum, a new way to indicate the success or failure of an inline caching attempt. I changed
3166         the other inline caching functions to return this enum rather than the opaque booleans that we were previously 
3167         returning.
3168
3169         * jit/Repatch.cpp:
3170         (JSC::actionForCell):
3171         (JSC::tryCacheGetByID):
3172         (JSC::repatchGetByID):
3173         (JSC::tryBuildGetByIDList):
3174         (JSC::buildGetByIDList):
3175         (JSC::tryCachePutByID):
3176         (JSC::repatchPutByID):
3177         (JSC::tryBuildPutByIdList):
3178         (JSC::buildPutByIdList):
3179         (JSC::tryRepatchIn):
3180         (JSC::repatchIn):
3181         * runtime/Structure.cpp:
3182         (JSC::Structure::Structure):
3183         (JSC::Structure::flattenDictionaryStructure):
3184         * runtime/Structure.h:
3185         (JSC::Structure::hasBeenFlattenedBefore):
3186
3187 2014-06-11  Csaba Osztrogonác  <ossy@webkit.org>
3188
3189         [EFL] URTBF after r169823.
3190
3191         * bindings/ScriptValue.cpp: Missing include added.
3192
3193 2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>
3194
3195         Remove an unnecessary asObject(this) call inside JSObject::fastGetOwnPropertySlot.
3196
3197         Rubber-stamped by Andreas Kling.
3198
3199         * runtime/JSObject.h:
3200         (JSC::JSObject::fastGetOwnPropertySlot):
3201
3202 2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>
3203
3204         Turning on DUMP_PROPERTYMAP_STATS causes a build failure
3205         https://bugs.webkit.org/show_bug.cgi?id=133673
3206
3207         Reviewed by Andreas Kling.
3208
3209         Rewrote the property map statistics code because the old code wasn't building,
3210         and it was also mixing numbers for lookups and insertions/removals.
3211
3212         New logging code records the number of calls to PropertyTable::find (finds) and
3213         PropertyTable::get/PropertyTable::findWithString separately so that we can quantify
3214         the amount of probing during updates and lookups.
3215
3216         * jsc.cpp:
3217         * runtime/PropertyMapHashTable.h:
3218         (JSC::PropertyTable::find):
3219         (JSC::PropertyTable::get):
3220         (JSC::PropertyTable::findWithString):
3221         (JSC::PropertyTable::add):
3222         (JSC::PropertyTable::remove):
3223         (JSC::PropertyTable::reinsert):
3224         (JSC::PropertyTable::rehash):
3225         * runtime/Structure.cpp:
3226         (JSC::PropertyMapStatisticsExitLogger::PropertyMapStatisticsExitLogger):
3227         (JSC::PropertyMapStatisticsExitLogger::~PropertyMapStatisticsExitLogger):
3228
3229 2014-06-11  Andreas Kling  <akling@apple.com>
3230
3231         Always inline JSValue::get() and Structure::get().
3232         <https://webkit.org/b/133755>
3233
3234         Reviewed by Ryosuke Niwa.
3235
3236         These functions get really hot, so ask the compiler to be more
3237         aggressive about inlining them.
3238
3239         ~28% speed-up on Ryosuke's microbenchmark for accessing nextSibling
3240         through GetByVal.
3241
3242         * runtime/JSArrayIterator.cpp:
3243         * runtime/JSCJSValue.cpp:
3244         * runtime/JSCJSValueInlines.h:
3245         (JSC::JSValue::get):
3246         * runtime/JSPromiseDeferred.cpp:
3247         * runtime/StructureInlines.h:
3248         (JSC::Structure::get):
3249
3250 2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>
3251
3252         Structure::get should instantiate DeferGC only when materializing property map
3253         https://bugs.webkit.org/show_bug.cgi?id=133727
3254
3255         Rubber-stamped by Andreas Kling.
3256
3257         Make materializePropertyMapIfNecessary always inline.
3258
3259         This is ~12% improvement on the microbenchmark attached in the bug.
3260
3261         * runtime/Structure.h:
3262         (JSC::Structure::materializePropertyMapIfNecessary):
3263         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
3264
3265 2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>
3266
3267         Structure::get should instantiate DeferGC only when materializing property map
3268         https://bugs.webkit.org/show_bug.cgi?id=133727
3269
3270         Reviewed by Geoffrey Garen.
3271
3272         DeferGC instances in Structure::get were added in http://trac.webkit.org/r157539 in order to avoid
3273         collecting the property table newly created by materializePropertyMapIfNecessary since GC can happen
3274         when GCSafeConcurrentJITLocker goes out of scope.
3275
3276         However, always instantiating DeferGC inside Structure::get introduced a new performance bottleneck
3277         in JSObject::getPropertySlot because frequently incrementing and decrementing a counter in vm.m_heap
3278         and running a release assertion inside Heap::incrementDeferralDepth() is expensive.
3279
3280         Work around this by instantiating DeferGC only when we're actually calling materializePropertyMap,
3281         and immediately storing a pointer to the newly created property table in the stack before DeferGC
3282         goes out of scope so that the property table will be marked.
3283
3284         This shows 13-16% improvement on the microbenchmark attached in the bug.
3285
3286         * runtime/JSCJSValue.cpp:
3287         * runtime/JSObject.h:
3288         (JSC::JSObject::fastGetOwnPropertySlot):
3289         * runtime/Structure.h:
3290         (JSC::Structure::materializePropertyMapIfNecessary):
3291         * runtime/StructureInlines.h:
3292         (JSC::Structure::get):
3293
3294 2014-06-11  Andreas Kling  <akling@apple.com>
3295
3296         Some JSValue::get() micro-optimizations.