4a838233a4672989c68781894311b27a72e696e5
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2014-03-06  Mark Hahnenberg  <mhahnenberg@apple.com>
2
3         Fix write barriers in Repatch.cpp for !ENABLE(DFG_JIT) platforms after r165128
4         https://bugs.webkit.org/show_bug.cgi?id=129760
5
6         Reviewed by Geoffrey Garen.
7
8         r165128 disabled the write barrier fast path for inline caches on !ENABLE(DFG_JIT) platforms. 
9         The fix is to refactor the write barrier code into AssemblyHelpers and use that everywhere.
10
11         * dfg/DFGSpeculativeJIT.cpp:
12         (JSC::DFG::SpeculativeJIT::writeBarrier):
13         * dfg/DFGSpeculativeJIT.h:
14         * dfg/DFGSpeculativeJIT32_64.cpp:
15         (JSC::DFG::SpeculativeJIT::writeBarrier):
16         * dfg/DFGSpeculativeJIT64.cpp:
17         (JSC::DFG::SpeculativeJIT::writeBarrier):
18         * jit/AssemblyHelpers.h:
19         (JSC::AssemblyHelpers::checkMarkByte):
20         * jit/JIT.h:
21         * jit/JITPropertyAccess.cpp:
22         * jit/Repatch.cpp:
23         (JSC::writeBarrier):
24
25 2014-03-06  Joseph Pecoraro  <pecoraro@apple.com>
26
27         Web Inspector: Expose the console object in JSContexts to interact with Web Inspector
28         https://bugs.webkit.org/show_bug.cgi?id=127944
29
30         Reviewed by Geoffrey Garen.
31
32         Always expose the Console object in JSContexts, just like we
33         do for web pages. The default behavior will route to an
34         attached JSContext inspector. This can be overridden by
35         setting the ConsoleClient on the JSGlobalObject, which WebCore
36         does to get slightly different behavior.
37
38         * CMakeLists.txt:
39         * GNUmakefile.list.am:
40         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
41         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
42         * JavaScriptCore.xcodeproj/project.pbxproj:
43         Update build systems.
44
45         * API/tests/testapi.js:
46         * API/tests/testapi.mm:
47         Test that "console" exists in C and ObjC contexts.
48
49         * runtime/ConsoleClient.cpp: Added.
50         (JSC::ConsoleClient::printURLAndPosition):
51         (JSC::ConsoleClient::printMessagePrefix):
52         (JSC::ConsoleClient::printConsoleMessage):
53         (JSC::ConsoleClient::printConsoleMessageWithArguments):
54         (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
55         (JSC::ConsoleClient::logWithLevel):
56         (JSC::ConsoleClient::clear):
57         (JSC::ConsoleClient::dir):
58         (JSC::ConsoleClient::dirXML):
59         (JSC::ConsoleClient::table):
60         (JSC::ConsoleClient::trace):
61         (JSC::ConsoleClient::assertCondition):
62         (JSC::ConsoleClient::group):
63         (JSC::ConsoleClient::groupCollapsed):
64         (JSC::ConsoleClient::groupEnd):
65         * runtime/ConsoleClient.h: Added.
66         (JSC::ConsoleClient::~ConsoleClient):
67         New private interface for handling the console object's methods.
68         A lot of the methods funnel through messageWithTypeAndLevel.
69
70         * runtime/ConsoleTypes.h: Renamed from Source/JavaScriptCore/inspector/ConsoleTypes.h.
71         Moved to JSC namespace.
72
73         * runtime/JSGlobalObject.cpp:
74         (JSC::JSGlobalObject::JSGlobalObject):
75         (JSC::JSGlobalObject::init):
76         (JSC::JSGlobalObject::reset):
77         (JSC::JSGlobalObject::visitChildren):
78         Create the "console" object when initializing the environment.
79         Also set the default console client to be the JS context inspector.
80
81         * runtime/JSGlobalObject.h:
82         (JSC::JSGlobalObject::setConsoleClient):
83         (JSC::JSGlobalObject::consoleClient):
84         Ability to change the console client, so WebCore can set a custom client.
85
86         * runtime/ConsolePrototype.cpp: Added.
87         (JSC::ConsolePrototype::finishCreation):
88         (JSC::valueToStringWithUndefinedOrNullCheck):
89         (JSC::consoleLogWithLevel):
90         (JSC::consoleProtoFuncDebug):
91         (JSC::consoleProtoFuncError):
92         (JSC::consoleProtoFuncLog):
93         (JSC::consoleProtoFuncWarn):
94         (JSC::consoleProtoFuncClear):
95         (JSC::consoleProtoFuncDir):
96         (JSC::consoleProtoFuncDirXML):
97         (JSC::consoleProtoFuncTable):
98         (JSC::consoleProtoFuncTrace):
99         (JSC::consoleProtoFuncAssert):
100         (JSC::consoleProtoFuncCount):
101         (JSC::consoleProtoFuncProfile):
102         (JSC::consoleProtoFuncProfileEnd):
103         (JSC::consoleProtoFuncTime):
104         (JSC::consoleProtoFuncTimeEnd):
105         (JSC::consoleProtoFuncTimeStamp):
106         (JSC::consoleProtoFuncGroup):
107         (JSC::consoleProtoFuncGroupCollapsed):
108         (JSC::consoleProtoFuncGroupEnd):
109         * runtime/ConsolePrototype.h: Added.
110         (JSC::ConsolePrototype::create):
111         (JSC::ConsolePrototype::createStructure):
112         (JSC::ConsolePrototype::ConsolePrototype):
113         Define the console object interface. Parse out required / expected
114         arguments and throw exceptions when methods are misused.
115
116         * runtime/JSConsole.cpp: Added.
117         * runtime/JSConsole.h: Added.
118         (JSC::JSConsole::createStructure):
119         (JSC::JSConsole::create):
120         (JSC::JSConsole::JSConsole):
121         Empty "console" object. Everything is in the prototype.
122
123         * inspector/JSConsoleClient.cpp: Added.
124         (Inspector::JSConsoleClient::JSGlobalObjectConsole):
125         (Inspector::JSConsoleClient::count):
126         (Inspector::JSConsoleClient::profile):
127         (Inspector::JSConsoleClient::profileEnd):
128         (Inspector::JSConsoleClient::time):
129         (Inspector::JSConsoleClient::timeEnd):
130         (Inspector::JSConsoleClient::timeStamp):
131         (Inspector::JSConsoleClient::warnUnimplemented):
132         (Inspector::JSConsoleClient::internalAddMessage):
133         * inspector/JSConsoleClient.h: Added.
134         * inspector/JSGlobalObjectInspectorController.cpp:
135         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
136         (Inspector::JSGlobalObjectInspectorController::consoleClient):
137         * inspector/JSGlobalObjectInspectorController.h:
138         Default JSContext ConsoleClient implementation. Handle nearly
139         everything except profile/profileEnd and timeStamp.
140
141 2014-03-06  Andreas Kling  <akling@apple.com>
142
143         Drop unlinked function code on memory pressure.
144         <https://webkit.org/b/129789>
145
146         Make VM::discardAllCode() also drop UnlinkedFunctionCodeBlocks that
147         are not currently being compiled.
148
149         4.5 MB progression on Membuster.
150
151         Reviewed by Geoffrey Garen.
152
153         * heap/Heap.cpp:
154         (JSC::Heap::deleteAllUnlinkedFunctionCode):
155         * heap/Heap.h:
156         * runtime/VM.cpp:
157         (JSC::VM::discardAllCode):
158
159 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
160
161         Clarify how we deal with "special" registers
162         https://bugs.webkit.org/show_bug.cgi?id=129806
163
164         Reviewed by Michael Saboff.
165         
166         Previously we had two different places that defined what "stack" registers are, a thing
167         called "specialRegisters" that had unclear meaning, and a really weird "firstRealRegister"/
168         "secondRealRegister"/"nextRegister" idiom in MacroAssembler that appeared to only be used by
169         one place and had a baked-in notion of what it meant for a register to be "real" or not.
170         
171         It's not cool to use words like "real" and "special" to describe registers, especially if you
172         fail to qualify what that means. This originally made sense on X86 - "real" registers were
173         the ones that weren't "stack related" (so "real" was the opposite of "stack"). But on ARM64,
174         you also have to worry about the LR register, which we'd want to say is "not real" but it's
175         also not a "stack" register. This got super confusing.
176         
177         So, this patch removes any mention of "real" registers, consolidates the knowledge of what is
178         a "stack" register, and uses the word special only in places where it's clearly defined and
179         where no better word comes to mind.
180         
181         This cleans up the code and fixes what seems like it was probably a harmless ARM64 bug: the
182         Reg and RegisterSet data structures would sometimes think that FP was Q0. Somehow this
183         magically didn't break anything because you never need to save/restore either FP or Q0, but
184         it was still super weird.
185
186         * assembler/ARM64Assembler.h:
187         (JSC::ARM64Assembler::lastRegister):
188         * assembler/MacroAssembler.h:
189         (JSC::MacroAssembler::nextRegister):
190         * ftl/FTLLocation.cpp:
191         (JSC::FTL::Location::restoreInto):
192         * ftl/FTLSaveRestore.cpp:
193         (JSC::FTL::saveAllRegisters):
194         (JSC::FTL::restoreAllRegisters):
195         * ftl/FTLSlowPathCall.cpp:
196         * jit/RegisterSet.cpp:
197         (JSC::RegisterSet::reservedHardwareRegisters):
198         (JSC::RegisterSet::runtimeRegisters):
199         (JSC::RegisterSet::specialRegisters):
200         (JSC::RegisterSet::calleeSaveRegisters):
201         * jit/RegisterSet.h:
202
203 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
204
205         Unreviewed, fix build.
206
207         * disassembler/ARM64Disassembler.cpp:
208
209 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
210
211         Use the LLVM disassembler on ARM64 if we are enabling the FTL
212         https://bugs.webkit.org/show_bug.cgi?id=129785
213
214         Reviewed by Geoffrey Garen.
215         
216         Our disassembler can't handle some of the code sequences that LLVM emits. LLVM's disassembler
217         is strictly more capable at this point. Use it if it's available.
218
219         * disassembler/ARM64Disassembler.cpp:
220         (JSC::tryToDisassemble):
221
222 2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>
223
224         Web Inspector: Reduce RWI message frequency
225         https://bugs.webkit.org/show_bug.cgi?id=129767
226
227         Reviewed by Timothy Hatcher.
228
229         This used to be 0.2s and changed by accident to 0.02s.
230
231         * inspector/remote/RemoteInspector.mm:
232         (Inspector::RemoteInspector::pushListingSoon):
233
234 2014-03-05  Commit Queue  <commit-queue@webkit.org>
235
236         Unreviewed, rolling out r165141, r165157, and r165158.
237         http://trac.webkit.org/changeset/165141
238         http://trac.webkit.org/changeset/165157
239         http://trac.webkit.org/changeset/165158
240         https://bugs.webkit.org/show_bug.cgi?id=129772
241
242         "broke ftl" (Requested by olliej_ on #webkit).
243
244         * JavaScriptCore.xcodeproj/project.pbxproj:
245         * bytecode/PolymorphicPutByIdList.cpp:
246         (JSC::PutByIdAccess::visitWeak):
247         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
248         (JSC::PolymorphicPutByIdList::from):
249         * bytecode/PolymorphicPutByIdList.h:
250         (JSC::PutByIdAccess::transition):
251         (JSC::PutByIdAccess::replace):
252         (JSC::PutByIdAccess::oldStructure):
253         (JSC::PutByIdAccess::chain):
254         (JSC::PutByIdAccess::stubRoutine):
255         * bytecode/PutByIdStatus.cpp:
256         (JSC::PutByIdStatus::computeForStubInfo):
257         (JSC::PutByIdStatus::computeFor):
258         (JSC::PutByIdStatus::dump):
259         * bytecode/PutByIdStatus.h:
260         (JSC::PutByIdStatus::PutByIdStatus):
261         (JSC::PutByIdStatus::takesSlowPath):
262         * bytecode/StructureStubInfo.h:
263         * dfg/DFGAbstractInterpreterInlines.h:
264         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
265         * dfg/DFGByteCodeParser.cpp:
266         (JSC::DFG::ByteCodeParser::emitPutById):
267         (JSC::DFG::ByteCodeParser::handlePutById):
268         * dfg/DFGClobberize.h:
269         (JSC::DFG::clobberize):
270         * dfg/DFGCommon.h:
271         * dfg/DFGConstantFoldingPhase.cpp:
272         (JSC::DFG::ConstantFoldingPhase::foldConstants):
273         * dfg/DFGFixupPhase.cpp:
274         (JSC::DFG::FixupPhase::fixupNode):
275         * dfg/DFGNode.h:
276         (JSC::DFG::Node::hasIdentifier):
277         * dfg/DFGNodeType.h:
278         * dfg/DFGPredictionPropagationPhase.cpp:
279         (JSC::DFG::PredictionPropagationPhase::propagate):
280         * dfg/DFGSafeToExecute.h:
281         (JSC::DFG::safeToExecute):
282         * dfg/DFGSpeculativeJIT.cpp:
283         (JSC::DFG::SpeculativeJIT::compileIn):
284         * dfg/DFGSpeculativeJIT.h:
285         * dfg/DFGSpeculativeJIT32_64.cpp:
286         (JSC::DFG::SpeculativeJIT::cachedGetById):
287         (JSC::DFG::SpeculativeJIT::cachedPutById):
288         (JSC::DFG::SpeculativeJIT::compile):
289         * dfg/DFGSpeculativeJIT64.cpp:
290         (JSC::DFG::SpeculativeJIT::cachedGetById):
291         (JSC::DFG::SpeculativeJIT::cachedPutById):
292         (JSC::DFG::SpeculativeJIT::compile):
293         * ftl/FTLCompile.cpp:
294         (JSC::FTL::fixFunctionBasedOnStackMaps):
295         * jit/CCallHelpers.h:
296         (JSC::CCallHelpers::setupArgumentsWithExecState):
297         * jit/JITInlineCacheGenerator.cpp:
298         (JSC::JITByIdGenerator::JITByIdGenerator):
299         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
300         * jit/JITInlineCacheGenerator.h:
301         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
302         * jit/JITOperations.cpp:
303         * jit/JITOperations.h:
304         * jit/JITPropertyAccess.cpp:
305         (JSC::JIT::emit_op_get_by_id):
306         (JSC::JIT::emit_op_put_by_id):
307         * jit/JITPropertyAccess32_64.cpp:
308         (JSC::JIT::emit_op_get_by_id):
309         (JSC::JIT::emit_op_put_by_id):
310         * jit/Repatch.cpp:
311         (JSC::tryCacheGetByID):
312         (JSC::tryBuildGetByIDList):
313         (JSC::tryCachePutByID):
314         (JSC::tryBuildPutByIdList):
315         * jit/SpillRegistersMode.h: Removed.
316         * llint/LLIntSlowPaths.cpp:
317         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
318         * runtime/Lookup.h:
319         (JSC::putEntry):
320         * runtime/PutPropertySlot.h:
321         (JSC::PutPropertySlot::isCacheable):
322         (JSC::PutPropertySlot::cachedOffset):
323
324 2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>
325
326         Web Inspector: Prevent possible deadlock in view indication
327         https://bugs.webkit.org/show_bug.cgi?id=129766
328
329         Reviewed by Geoffrey Garen.
330
331         * inspector/remote/RemoteInspector.mm:
332         (Inspector::RemoteInspector::receivedIndicateMessage):
333
334 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
335
336         JSObject::fastGetOwnPropertySlot does a slow check for OverridesGetOwnPropertySlot
337         https://bugs.webkit.org/show_bug.cgi?id=129754
338
339         Reviewed by Geoffrey Garen.
340
341         InlineTypeFlags are stored in JSCell, so we can just load those instead of going through the TypeInfo.
342
343         * runtime/JSCell.h:
344         (JSC::JSCell::inlineTypeFlags):
345         * runtime/JSObject.h:
346         (JSC::JSObject::fastGetOwnPropertySlot):
347         * runtime/JSTypeInfo.h:
348         (JSC::TypeInfo::TypeInfo):
349         (JSC::TypeInfo::overridesGetOwnPropertySlot):
350
351 2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>
352
353         Web Inspector: ASSERTION FAILED: m_javaScriptBreakpoints.isEmpty()
354         https://bugs.webkit.org/show_bug.cgi?id=129763
355
356         Reviewed by Geoffrey Garen.
357
358         Clear the list of all breakpoints, including unresolved breakpoints.
359
360         * inspector/agents/InspectorDebuggerAgent.cpp:
361         (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
362
363 2014-03-05  Mark Lam  <mark.lam@apple.com>
364
365         llint_slow_path_check_has_instance() should not adjust PC before accessing operands.
366         <https://webkit.org/b/129768>
367
368         Reviewed by Mark Hahnenberg.
369
370         When evaluating "a instanceof b" where b is an object that ImplementsHasInstance
371         and OverridesHasInstance (e.g. a bound function), the LLINT will take the slow
372         path llint_slow_path_check_has_instance(), and execute a code path that does the
373         following:
374         1. Adjusts the byte code PC to the jump target PC.
375         2. For the purpose of storing the result, get the result registerIndex from the
376            1st operand using the PC as if the PC is still pointing to op_check_has_instance
377            bytecode.
378
379         The result is that whatever value resides after where the jump target PC is will
380         be used as a result register value.  Depending on what that value is, the result
381         can be:
382         1. the code coincidentally works correctly
383         2. memory corruption
384         3. crashes
385
386         The fix is to only adjust the byte code PC after we have stored the result.
387         
388         * llint/LLIntSlowPaths.cpp:
389         (llint_slow_path_check_has_instance):
390
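The ordering problem described in the entry above, as an added illustration (not JSC's LLInt; the four-word instruction layout, the register file size and the bytecode stream are all constructed for the demo): a slow path that moves the bytecode PC to the jump target and only then reads the destination operand picks up whatever word happens to follow the target instead of a register index, which is how a "coincidentally correct" result, a wild store or a crash can all come out of the same code depending on the surrounding bytecode.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define NUM_REGS 8
#define INVALID_REG (-1)

/* Constructed instruction layout (an assumption, not JSC's): a check
 * instruction is four words: opcode, destination register, operand register,
 * relative jump offset. */
enum { OP_CHECK = 1, OP_NOP = 2 };

typedef struct {
    const int32_t *pc;          /* points at the instruction being executed */
    int32_t regs[NUM_REGS];     /* the frame's register file */
} Frame;

static bool reg_ok(int32_t r) { return r >= 0 && r < NUM_REGS; }

/* Buggy ordering: adjust the PC first, then read operand 1 through it.
 * Returns the register actually written, or INVALID_REG when the operand
 * read off the moved PC is not a valid register (a real interpreter would
 * write past regs[] here). */
static int32_t slow_path_buggy(Frame *f, int32_t result, bool take_jump)
{
    if (take_jump)
        f->pc += f->pc[3];      /* 1. PC now points at the jump target */
    int32_t dst = f->pc[1];     /* 2. operand read relative to the NEW PC */
    if (!reg_ok(dst))
        return INVALID_REG;
    f->regs[dst] = result;
    return dst;
}

/* Fixed ordering: store the result via the original PC, then jump. */
static int32_t slow_path_fixed(Frame *f, int32_t result, bool take_jump)
{
    int32_t dst = f->pc[1];
    if (!reg_ok(dst))
        return INVALID_REG;
    f->regs[dst] = result;
    if (take_jump)
        f->pc += f->pc[3];
    return dst;
}

/* Constructed bytecode: OP_CHECK writes r2 and jumps +4 words, landing on an
 * OP_NOP whose following word (9999) is not a register index at all. */
static const int32_t kProgram[] = {
    OP_CHECK, 2, 3, 4,
    OP_NOP, 9999, 0, 0,
};

static int32_t run_buggy(bool take_jump)
{
    Frame f = { kProgram, { 0 } };
    return slow_path_buggy(&f, 1, take_jump);
}

static int32_t run_fixed(bool take_jump)
{
    Frame f = { kProgram, { 0 } };
    return slow_path_fixed(&f, 1, take_jump);
}

/* The fixed path both stores the result and ends up at the jump target. */
static bool fixed_stores_then_jumps(void)
{
    Frame f = { kProgram, { 0 } };
    slow_path_fixed(&f, 1, true);
    return f.regs[2] == 1 && f.pc == kProgram + 4;
}

int main(void)
{
    printf("buggy, no jump: dst=%d\n", run_buggy(false));   /* happens to work */
    printf("buggy, jump:    dst=%d\n", run_buggy(true));    /* bogus operand */
    printf("fixed, jump:    dst=%d\n", run_fixed(true));
    return 0;
}
```

When the jump is not taken the buggy path reads the right operand, which is why such a bug can survive testing until a bytecode sequence places something other than a register index after the jump target.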
391 2014-03-05  Ryosuke Niwa  <rniwa@webkit.org>
392
393         Another build fix attempt after r165141.
394
395         * ftl/FTLCompile.cpp:
396         (JSC::FTL::fixFunctionBasedOnStackMaps):
397
398 2014-03-05  Ryosuke Niwa  <rniwa@webkit.org>
399
400         FTL build fix attempt after r165141.
401
402         * ftl/FTLCompile.cpp:
403         (JSC::FTL::fixFunctionBasedOnStackMaps):
404
405 2014-03-05  Gavin Barraclough  <barraclough@apple.com>
406
407         https://bugs.webkit.org/show_bug.cgi?id=128625
408         Add fast mapping from StringImpl to JSString
409
410         Unreviewed roll-out.
411
412         Reverting r164347, r165054, r165066 - not clear the performance tradeoff was right.
413
414         * runtime/JSString.cpp:
415         * runtime/JSString.h:
416         * runtime/VM.cpp:
417         (JSC::VM::createLeaked):
418         * runtime/VM.h:
419
420 2014-03-03  Oliver Hunt  <oliver@apple.com>
421
422         Support caching of custom setters
423         https://bugs.webkit.org/show_bug.cgi?id=129519
424
425         Reviewed by Filip Pizlo.
426
427         This patch adds caching of assignment to properties that
428         are backed by C functions. This provides most of the leg
429         work required to start supporting setters, and resolves
430         the remaining regressions from moving DOM properties up
431         the prototype chain.
432
433         * JavaScriptCore.xcodeproj/project.pbxproj:
434         * bytecode/PolymorphicPutByIdList.cpp:
435         (JSC::PutByIdAccess::visitWeak):
436         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
437         (JSC::PolymorphicPutByIdList::from):
438         * bytecode/PolymorphicPutByIdList.h:
439         (JSC::PutByIdAccess::transition):
440         (JSC::PutByIdAccess::replace):
441         (JSC::PutByIdAccess::customSetter):
442         (JSC::PutByIdAccess::isCustom):
443         (JSC::PutByIdAccess::oldStructure):
444         (JSC::PutByIdAccess::chain):
445         (JSC::PutByIdAccess::stubRoutine):
446         * bytecode/PutByIdStatus.cpp:
447         (JSC::PutByIdStatus::computeForStubInfo):
448         (JSC::PutByIdStatus::computeFor):
449         (JSC::PutByIdStatus::dump):
450         * bytecode/PutByIdStatus.h:
451         (JSC::PutByIdStatus::PutByIdStatus):
452         (JSC::PutByIdStatus::takesSlowPath):
453         (JSC::PutByIdStatus::makesCalls):
454         * bytecode/StructureStubInfo.h:
455         * dfg/DFGAbstractInterpreterInlines.h:
456         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
457         * dfg/DFGByteCodeParser.cpp:
458         (JSC::DFG::ByteCodeParser::emitPutById):
459         (JSC::DFG::ByteCodeParser::handlePutById):
460         * dfg/DFGClobberize.h:
461         (JSC::DFG::clobberize):
462         * dfg/DFGCommon.h:
463         * dfg/DFGConstantFoldingPhase.cpp:
464         (JSC::DFG::ConstantFoldingPhase::foldConstants):
465         * dfg/DFGFixupPhase.cpp:
466         (JSC::DFG::FixupPhase::fixupNode):
467         * dfg/DFGNode.h:
468         (JSC::DFG::Node::hasIdentifier):
469         * dfg/DFGNodeType.h:
470         * dfg/DFGPredictionPropagationPhase.cpp:
471         (JSC::DFG::PredictionPropagationPhase::propagate):
472         * dfg/DFGSafeToExecute.h:
473         (JSC::DFG::safeToExecute):
474         * dfg/DFGSpeculativeJIT.cpp:
475         (JSC::DFG::SpeculativeJIT::compileIn):
476         * dfg/DFGSpeculativeJIT.h:
477         * dfg/DFGSpeculativeJIT32_64.cpp:
478         (JSC::DFG::SpeculativeJIT::cachedGetById):
479         (JSC::DFG::SpeculativeJIT::cachedPutById):
480         (JSC::DFG::SpeculativeJIT::compile):
481         * dfg/DFGSpeculativeJIT64.cpp:
482         (JSC::DFG::SpeculativeJIT::cachedGetById):
483         (JSC::DFG::SpeculativeJIT::cachedPutById):
484         (JSC::DFG::SpeculativeJIT::compile):
485         * jit/CCallHelpers.h:
486         (JSC::CCallHelpers::setupArgumentsWithExecState):
487         * jit/JITInlineCacheGenerator.cpp:
488         (JSC::JITByIdGenerator::JITByIdGenerator):
489         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
490         * jit/JITInlineCacheGenerator.h:
491         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
492         * jit/JITOperations.cpp:
493         * jit/JITOperations.h:
494         * jit/JITPropertyAccess.cpp:
495         (JSC::JIT::emit_op_get_by_id):
496         (JSC::JIT::emit_op_put_by_id):
497         * jit/JITPropertyAccess32_64.cpp:
498         (JSC::JIT::emit_op_get_by_id):
499         (JSC::JIT::emit_op_put_by_id):
500         * jit/Repatch.cpp:
501         (JSC::tryCacheGetByID):
502         (JSC::tryBuildGetByIDList):
503         (JSC::emitCustomSetterStub):
504         (JSC::tryCachePutByID):
505         (JSC::tryBuildPutByIdList):
506         * jit/SpillRegistersMode.h: Added.
507         * llint/LLIntSlowPaths.cpp:
508         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
509         * runtime/Lookup.h:
510         (JSC::putEntry):
511         * runtime/PutPropertySlot.h:
512         (JSC::PutPropertySlot::setCacheableCustomProperty):
513         (JSC::PutPropertySlot::customSetter):
514         (JSC::PutPropertySlot::isCacheablePut):
515         (JSC::PutPropertySlot::isCacheableCustomProperty):
516         (JSC::PutPropertySlot::cachedOffset):
517
518 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
519
520         JSCell::m_gcData should encode its information differently
521         https://bugs.webkit.org/show_bug.cgi?id=129741
522
523         Reviewed by Geoffrey Garen.
524
525         We want to keep track of three GC states for an object:
526
527         1. Not marked (which implies not in the remembered set)
528         2. Marked but not in the remembered set
529         3. Marked and in the remembered set
530         
531         Currently we only indicate marked vs. not marked in JSCell::m_gcData. During a write 
532         barrier, we only want to take the slow path if the object being stored to is in state #2. 
533         We'd like to make the test for state #2 as fast as possible, which means making it a 
534         compare against 0.
535
536         * dfg/DFGOSRExitCompilerCommon.cpp:
537         (JSC::DFG::osrWriteBarrier):
538         * dfg/DFGSpeculativeJIT.cpp:
539         (JSC::DFG::SpeculativeJIT::checkMarkByte):
540         (JSC::DFG::SpeculativeJIT::writeBarrier):
541         * dfg/DFGSpeculativeJIT.h:
542         * dfg/DFGSpeculativeJIT32_64.cpp:
543         (JSC::DFG::SpeculativeJIT::writeBarrier):
544         * dfg/DFGSpeculativeJIT64.cpp:
545         (JSC::DFG::SpeculativeJIT::writeBarrier):
546         * ftl/FTLLowerDFGToLLVM.cpp:
547         (JSC::FTL::LowerDFGToLLVM::allocateCell):
548         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
549         * heap/Heap.cpp:
550         (JSC::Heap::clearRememberedSet):
551         (JSC::Heap::addToRememberedSet):
552         * jit/AssemblyHelpers.h:
553         (JSC::AssemblyHelpers::checkMarkByte):
554         * jit/JIT.h:
555         * jit/JITPropertyAccess.cpp:
556         (JSC::JIT::checkMarkByte):
557         (JSC::JIT::emitWriteBarrier):
558         * jit/Repatch.cpp:
559         (JSC::writeBarrier):
560         * llint/LowLevelInterpreter.asm:
561         * llint/LowLevelInterpreter32_64.asm:
562         * llint/LowLevelInterpreter64.asm:
563         * runtime/JSCell.h:
564         (JSC::JSCell::mark):
565         (JSC::JSCell::remember):
566         (JSC::JSCell::forget):
567         (JSC::JSCell::isMarked):
568         (JSC::JSCell::isRemembered):
569         * runtime/JSCellInlines.h:
570         (JSC::JSCell::JSCell):
571         * runtime/StructureIDBlob.h:
572         (JSC::StructureIDBlob::StructureIDBlob):
573
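The three-state GC byte and the barrier fast path described in the entry above (the same barrier the Repatch.cpp entry at the top of this page refactors), as an added illustration rather than JSC's own JSCell::m_gcData code. The numeric encoding is an assumption chosen to meet the entry's stated goal, namely that "marked but not in the remembered set" is the only state equal to zero, so the fast path is a single compare against 0; the remembered set is a constructed fixed-size array.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed encoding: only state 2 is zero, so "needs the slow path" == 0. */
enum GCData {
    Marked = 0,               /* state 2: marked, not in the remembered set */
    NotMarked = 1,            /* state 1: not marked (so not remembered either) */
    MarkedAndRemembered = 2,  /* state 3: marked and in the remembered set */
};

typedef struct Cell {
    uint8_t gc_data;
    struct Cell *field;       /* the pointer slot that stores write into */
} Cell;

#define REMEMBERED_CAP 16
typedef struct {
    Cell *items[REMEMBERED_CAP];
    size_t count;
    size_t slow_path_hits;    /* how many stores left the fast path */
} RememberedSet;

static void cell_mark(Cell *c)     { c->gc_data = Marked; }
static void cell_remember(Cell *c) { c->gc_data = MarkedAndRemembered; }
static void cell_forget(Cell *c)   { c->gc_data = Marked; }
static bool cell_is_marked(const Cell *c)     { return c->gc_data != NotMarked; }
static bool cell_is_remembered(const Cell *c) { return c->gc_data == MarkedAndRemembered; }

/* Slow path: record the owner so the next young collection rescans it. */
static void barrier_slow(RememberedSet *rs, Cell *owner)
{
    rs->slow_path_hits++;
    if (rs->count < REMEMBERED_CAP)
        rs->items[rs->count++] = owner;
    cell_remember(owner);
}

/* A store plus its barrier. Unmarked owners are young and get scanned anyway;
 * remembered owners are already recorded; only a marked-but-not-remembered
 * owner (encoded as 0) needs the slow path. */
static void store_with_barrier(RememberedSet *rs, Cell *owner, Cell *value)
{
    owner->field = value;
    if (owner->gc_data != 0)  /* the one fast-path test: compare against 0 */
        return;
    barrier_slow(rs, owner);
}

/* What Heap::clearRememberedSet does between cycles: forget every entry. */
static void clear_remembered_set(RememberedSet *rs)
{
    for (size_t i = 0; i < rs->count; i++)
        cell_forget(rs->items[i]);
    rs->count = 0;
}

/* One owner in each state stores a young pointer; only one should go slow. */
static size_t scenario_slow_path_hits(void)
{
    RememberedSet rs = { { 0 }, 0, 0 };
    Cell young = { NotMarked, NULL };
    Cell unmarked = { NotMarked, NULL }, old = { Marked, NULL };
    Cell remembered = { MarkedAndRemembered, NULL };
    store_with_barrier(&rs, &unmarked, &young);
    store_with_barrier(&rs, &old, &young);
    store_with_barrier(&rs, &remembered, &young);
    return rs.slow_path_hits;
}

/* A second store into an already-remembered owner must stay on the fast path. */
static bool scenario_old_becomes_remembered(void)
{
    RememberedSet rs = { { 0 }, 0, 0 };
    Cell young = { NotMarked, NULL }, old = { Marked, NULL };
    store_with_barrier(&rs, &old, &young);
    store_with_barrier(&rs, &old, &young);
    return cell_is_marked(&old) && cell_is_remembered(&old)
        && rs.count == 1 && rs.slow_path_hits == 1;
}

/* Full cycle: young owner (fast), survives a collection and is marked (slow
 * once, then fast), set is cleared, next store goes slow again. Expect 2. */
static size_t scenario_cycle(void)
{
    RememberedSet rs = { { 0 }, 0, 0 };
    Cell obj = { NotMarked, NULL }, young = { NotMarked, NULL };
    store_with_barrier(&rs, &obj, &young);
    cell_mark(&obj);
    store_with_barrier(&rs, &obj, &young);
    store_with_barrier(&rs, &obj, &young);
    clear_remembered_set(&rs);
    store_with_barrier(&rs, &obj, &young);
    return rs.slow_path_hits;
}

int main(void)
{
    printf("slow-path hits: %zu, cycle hits: %zu\n",
           scenario_slow_path_hits(), scenario_cycle());
    return 0;
}
```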
574 2014-03-05  Filip Pizlo  <fpizlo@apple.com>
575
576         More FTL ARM fixes
577         https://bugs.webkit.org/show_bug.cgi?id=129755
578
579         Reviewed by Geoffrey Garen.
580         
581         - Be more defensive about inline caches that have degenerate chains.
582         
583         - Temporarily switch to allocating all MCJIT memory in the executable pool on non-x86
584           platforms. The bug tracking the real fix is: https://bugs.webkit.org/show_bug.cgi?id=129756
585         
586         - Don't even emit intrinsic declarations on non-x86 platforms.
587         
588         - More debug printing support.
589         
590         - Don't use vmCall() in the prologue. This should have crashed on all platforms all the time
591           but somehow it gets lucky on x86.
592
593         * bytecode/GetByIdStatus.cpp:
594         (JSC::GetByIdStatus::appendVariant):
595         (JSC::GetByIdStatus::computeForChain):
596         (JSC::GetByIdStatus::computeForStubInfo):
597         * bytecode/GetByIdStatus.h:
598         * bytecode/PutByIdStatus.cpp:
599         (JSC::PutByIdStatus::appendVariant):
600         (JSC::PutByIdStatus::computeForStubInfo):
601         * bytecode/PutByIdStatus.h:
602         * bytecode/StructureSet.h:
603         (JSC::StructureSet::overlaps):
604         * ftl/FTLCompile.cpp:
605         (JSC::FTL::mmAllocateDataSection):
606         * ftl/FTLDataSection.cpp:
607         (JSC::FTL::DataSection::DataSection):
608         (JSC::FTL::DataSection::~DataSection):
609         * ftl/FTLDataSection.h:
610         * ftl/FTLLowerDFGToLLVM.cpp:
611         (JSC::FTL::LowerDFGToLLVM::lower):
612         * ftl/FTLOutput.h:
613         (JSC::FTL::Output::doubleSin):
614         (JSC::FTL::Output::doubleCos):
615         * runtime/JSCJSValue.cpp:
616         (JSC::JSValue::dumpInContext):
617         * runtime/JSCell.h:
618         (JSC::JSCell::structureID):
619
620 2014-03-05  peavo@outlook.com  <peavo@outlook.com>
621
622         [Win32][LLINT] Crash when running JSC stress tests.
623         https://bugs.webkit.org/show_bug.cgi?id=129429
624
625         On Windows the reserved stack space consists of committed memory, a guard page, and uncommitted memory,
626         where the guard page is a barrier between committed and uncommitted memory.
627         When data from the guard page is read or written, the guard page is moved, and memory is committed.
628         This is how the system grows the stack.
629         When using the C stack on Windows we need to precommit the needed stack space.
630         Otherwise we might crash later if we access uncommitted stack memory.
631         This can happen if we allocate stack space larger than the page guard size (4K).
632         The system does not get the chance to move the guard page, and commit more memory,
633         and we crash if uncommitted memory is accessed.
634         The MSVC compiler fixes this by inserting a call to the _chkstk() function,
635         when needed, see http://support.microsoft.com/kb/100775.
636
637         Reviewed by Geoffrey Garen.
638
639         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Enable LLINT.
640         * jit/Repatch.cpp:
641         (JSC::writeBarrier): Compile fix when DFG_JIT is not enabled.
642         * offlineasm/x86.rb: Compile fix, and small simplification.
643         * runtime/VM.cpp:
644         (JSC::preCommitStackMemory): Added function to precommit stack memory.
645         (JSC::VM::updateStackLimit): Call function to precommit stack memory when stack limit is updated.
646
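The page-by-page probing that the entry above says a precommit must do, as an added illustration (not JSC's preCommitStackMemory(), which walks from the current stack pointer down to the new stack limit; this version probes a large local frame instead, and the 4K page size and 64 KiB frame are assumptions). The point is the order of the touches: the nearest page first, then each page further down, so that on a guard-page system every touch lands on the guard page or on already-committed memory and the system gets its chance to move the guard and commit more stack.

```c
#include <stddef.h>
#include <stdio.h>

#define STACK_PAGE_SIZE 4096u                     /* assumed guard/page size */
#define STACK_RESERVE (16u * STACK_PAGE_SIZE)     /* 64 KiB frame for the demo */

/* Touch one byte in each page of a large frame, highest address first.
 * The array's highest index is nearest the caller's (already committed)
 * frame; walking downward one page at a time is what a compiler-inserted
 * _chkstk does. Jumping straight to the lowest page would skip the guard
 * page and fault on uncommitted memory. Returns the number of pages probed. */
static size_t precommit_frame(size_t bytes_needed)
{
    volatile char frame[STACK_RESERVE];
    if (bytes_needed > STACK_RESERVE)
        bytes_needed = STACK_RESERVE;
    size_t pages = 0;
    for (size_t off = 0; off < bytes_needed; off += STACK_PAGE_SIZE) {
        frame[STACK_RESERVE - 1 - off] = 0;   /* the probe: a single byte store */
        pages++;
    }
    return pages;
}

/* How many pages a request of `bytes` needs, rounding up. */
static size_t pages_for(size_t bytes)
{
    return (bytes + STACK_PAGE_SIZE - 1) / STACK_PAGE_SIZE;
}

int main(void)
{
    printf("probed %zu pages for 10000 bytes\n", precommit_frame(10000));
    return 0;
}
```

On Linux the kernel grows the stack on any fault below the stack pointer, so the probe order is invisible there; the loop matters on Windows, where only a touch on the guard page itself commits the next page.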
647 2014-03-05  Michael Saboff  <msaboff@apple.com>
648
649         JSDataViewPrototype::getData() and setData() crash on platforms that don't allow unaligned accesses
650         https://bugs.webkit.org/show_bug.cgi?id=129746
651
652         Reviewed by Filip Pizlo.
653
654         Changed to use a union to manually assemble or disassemble the various types
655         from / to the corresponding bytes.  All memory access is now done using
656         byte accesses.
657
658         * runtime/JSDataViewPrototype.cpp:
659         (JSC::getData):
660         (JSC::setData):
661
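The byte-wise access pattern the entry above describes, as an added example rather than JSC's JSDataViewPrototype.cpp: a union is filled or drained one byte at a time, so the only memory operations on the possibly unaligned buffer address are byte loads and stores, while the wider read happens on the naturally aligned union. The sample buffer, the endianness handling and the bounds check are the added example's own; the bounds check is the part a DataView must get right before touching memory, and it is written so that offset + size cannot overflow.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Aligned staging area; values are assembled here from individual bytes. */
typedef union {
    uint8_t bytes[8];
    uint32_t u32;
    double f64;
} ValueBytes;

static bool host_is_little_endian(void)
{
    ValueBytes v;
    v.u32 = 1;
    return v.bytes[0] == 1;
}

/* Copy `size` bytes from buf[offset..] into the union, reversing them when the
 * requested byte order differs from the host's. Returns false when the request
 * does not fit in the buffer. */
static bool get_bytes(const uint8_t *buf, size_t buf_len, size_t offset,
                      size_t size, bool little_endian, ValueBytes *out)
{
    if (size > buf_len || offset > buf_len - size)   /* no offset+size overflow */
        return false;
    bool swap = little_endian != host_is_little_endian();
    for (size_t i = 0; i < size; i++)
        out->bytes[swap ? size - 1 - i : i] = buf[offset + i];
    return true;
}

static bool set_bytes(uint8_t *buf, size_t buf_len, size_t offset,
                      size_t size, bool little_endian, const ValueBytes *in)
{
    if (size > buf_len || offset > buf_len - size)
        return false;
    bool swap = little_endian != host_is_little_endian();
    for (size_t i = 0; i < size; i++)
        buf[offset + i] = in->bytes[swap ? size - 1 - i : i];
    return true;
}

/* DataView-style accessors built on the byte copies. */
static bool dv_get_uint32(const uint8_t *buf, size_t len, size_t off, bool le, uint32_t *v)
{
    ValueBytes vb;
    if (!get_bytes(buf, len, off, 4, le, &vb)) return false;
    *v = vb.u32;
    return true;
}

static bool dv_get_float64(const uint8_t *buf, size_t len, size_t off, bool le, double *v)
{
    ValueBytes vb;
    if (!get_bytes(buf, len, off, 8, le, &vb)) return false;
    *v = vb.f64;
    return true;
}

static bool dv_set_float64(uint8_t *buf, size_t len, size_t off, bool le, double v)
{
    ValueBytes vb;
    vb.f64 = v;
    return set_bytes(buf, len, off, 8, le, &vb);
}

/* Constructed sample: a pad byte, then 0x12345678 stored little-endian, so the
 * 32-bit value sits at the unaligned offset 1. */
static const uint8_t kSample[9] = { 0xAA, 0x78, 0x56, 0x34, 0x12, 0, 0, 0, 0 };

static uint32_t sample_u32(bool le)
{
    uint32_t v = 0;
    dv_get_uint32(kSample, sizeof kSample, 1, le, &v);
    return v;
}

/* Both a plain overrun and a huge offset must be refused, not wrapped. */
static bool sample_oob_rejected(void)
{
    uint32_t v = 0;
    return !dv_get_uint32(kSample, sizeof kSample, 6, true, &v)
        && !dv_get_uint32(kSample, sizeof kSample, SIZE_MAX, true, &v);
}

static bool float64_roundtrip(bool le)
{
    uint8_t buf[9] = { 0 };
    double out = 0;
    return dv_set_float64(buf, sizeof buf, 1, le, 3.5)
        && dv_get_float64(buf, sizeof buf, 1, le, &out)
        && out == 3.5;
}

int main(void)
{
    printf("LE 0x%08x BE 0x%08x\n", sample_u32(true), sample_u32(false));
    return 0;
}
```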
662 2014-03-05  Filip Pizlo  <fpizlo@apple.com>
663
664         FTL loadStructure always generates invalid IR
665         https://bugs.webkit.org/show_bug.cgi?id=129747
666
667         Reviewed by Mark Hahnenberg.
668
669         As the comment at the top of FTL::Output states, the FTL doesn't use LLVM's notion
670         of pointers. LLVM's notion of pointers tries to model C, in the sense that you have
671         to have a pointer to a type, and you can only load things of that type from that
672         pointer. Pointer arithmetic is basically not possible except through the bizarre
673         getelementptr operator. This doesn't fit with how the JS object model works since
674         the JS object model doesn't consist of nice and tidy C types placed in C arrays.
675         Also, it would be impossible to use getelementptr and LLVM pointers for accessing
676         any of JSC's C or C++ objects unless we went through the exercise of redeclaring
677         all of our fundamental data structures in LLVM IR as LLVM types. Clang could do
678         this for us, but that would require that to use the FTL, JSC itself would have to
679         be compiled with clang. Worse, it would have to be compiled with a clang that uses
680         a version of LLVM that is compatible with the one against which the FTL is linked.
681         Yuck!
682
683         The solution is to NEVER use LLVM pointers. This has always been the case in the
684         FTL. But it causes some confusion.
685         
686         Not using LLVM pointers means that if the FTL has a "pointer", it's actually a
687         pointer-wide integer (m_out.intPtr in FTL-speak). The act of "loading" and
688         "storing" from or to a pointer involves first bitcasting the intPtr to a real LLVM
689         pointer that has the type that we want. The load and store operations over pointers
690         are called Output::load* and Output::store*, where * is one of "8", "16", "32",
691         "64", "Ptr", "Float", or "Double".
692         
693         There is unavoidable confusion here. It would be bizarre for the FTL to call its
694         "pointer-wide integers" anything other than "pointers", since they are, in all
695         respects that we care about, simply pointers. But they are *not* LLVM pointers and
696         they never will be that.
697         
698         There is one exception to this "no pointers" rule. The FTL does use actual LLVM
699         pointers for referring to LLVM alloca's - i.e. local variables. To try to reduce
700         confusion, we call these "references". So an "FTL reference" is actually an "LLVM
701         pointer", while an "FTL pointer" is actually an "LLVM integer". FTL references have
702         methods for access called Output::get and Output::set. These lower to LLVM load
703         and store, since FTL references are just LLVM pointers.
704         
705         This confusion appears to have led to incorrect code in loadStructure().
706         loadStructure() was using get() and set() to access FTL pointers. But those methods
707         don't work on FTL pointers and never will, since they are for FTL references.
708         
709         The worst part of this is that it was previously impossible to have test coverage
710         for the relevant path (MasqueradesAsUndefined) without writing a DRT test. This
711         patch fixes this by introducing a Masquerader object to jsc.cpp.
712         
713         * ftl/FTLAbstractHeapRepository.h: Add an abstract heap for the structure table.
714         * ftl/FTLLowerDFGToLLVM.cpp:
715         (JSC::FTL::LowerDFGToLLVM::loadStructure): This was wrong.
716         * ftl/FTLOutput.h: Add a comment to dissuade people from using get() and set().
717         * jsc.cpp: Give us the power to test for MasqueradesAsUndefined.
718         (WTF::Masquerader::Masquerader):
719         (WTF::Masquerader::create):
720         (WTF::Masquerader::createStructure):
721         (GlobalObject::finishCreation):
722         (functionMakeMasquerader):
723         * tests/stress/equals-masquerader.js: Added.
724         (foo):
725         (test):
726
727 2014-03-05  Anders Carlsson  <andersca@apple.com>
728
729         Tweak after r165109 to avoid extra copies
730         https://bugs.webkit.org/show_bug.cgi?id=129745
731
732         Reviewed by Geoffrey Garen.
733
734         * heap/Heap.cpp:
735         (JSC::Heap::visitProtectedObjects):
736         (JSC::Heap::visitTempSortVectors):
737         (JSC::Heap::clearRememberedSet):
738         * heap/Heap.h:
739         (JSC::Heap::forEachProtectedCell):
740
741 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
742
743         DFGStoreBarrierElisionPhase should use GCState directly instead of m_gcClobberSet when calling writesOverlap()
744         https://bugs.webkit.org/show_bug.cgi?id=129717
745
746         Reviewed by Filip Pizlo.
747
748         * dfg/DFGStoreBarrierElisionPhase.cpp:
749         (JSC::DFG::StoreBarrierElisionPhase::StoreBarrierElisionPhase):
750         (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC):
751
752 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
753
754         Use range-based loops where possible in Heap methods
755         https://bugs.webkit.org/show_bug.cgi?id=129513
756
757         Reviewed by Mark Lam.
758
759         Replace old school iterator based loops with the new range-based loop hotness
760         for a better tomorrow.
761
762         * heap/CodeBlockSet.cpp:
763         (JSC::CodeBlockSet::~CodeBlockSet):
764         (JSC::CodeBlockSet::clearMarks):
765         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
766         (JSC::CodeBlockSet::traceMarked):
767         * heap/Heap.cpp:
768         (JSC::Heap::visitProtectedObjects):
769         (JSC::Heap::visitTempSortVectors):
770         (JSC::Heap::clearRememberedSet):
771         * heap/Heap.h:
772         (JSC::Heap::forEachProtectedCell):
773
774 2014-03-04  Filip Pizlo  <fpizlo@apple.com>
775
776         DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
777         https://bugs.webkit.org/show_bug.cgi?id=129563
778
779         Reviewed by Geoffrey Garen.
780         
781         Rolling this back in after fixing an assertion failure. speculateMisc() should have
782         said DFG_TYPE_CHECK instead of typeCheck.
783         
784         This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
785         when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
786         user of this was EarleyBoyer, and in that benchmark what it was really doing was
787         comparing undefined, null, and booleans to each other.
788         
789         This also adds support for miscellaneous things that I needed to make my various test
790         cases work. This includes comparison over booleans and the various Throw-related node
791         types.
792         
793         This also improves constant folding of CompareStrictEq and CompareEq.
794         
795         Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
796         based on profiling, which caused some downstream badness. We don't actually support
797         compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
798         emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
799         shouldn't factor out the bounds check since the access is not InBounds but then the
800         backend would ignore the flag and assume that the bounds check was already emitted.
801         This showed up on an existing test but I added a test for this explicitly to have more
802         certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
803         that we'll have a bounds check anyway.
804         
805         This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
806         general progressions across the board. No speed-up yet on EarleyBoyer, since there is
807         still a lot more coverage work to be done there.
808
809         * bytecode/SpeculatedType.cpp:
810         (JSC::speculationToAbbreviatedString):
811         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
812         (JSC::valuesCouldBeEqual):
813         * bytecode/SpeculatedType.h:
814         (JSC::isMiscSpeculation):
815         * dfg/DFGAbstractInterpreterInlines.h:
816         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
817         * dfg/DFGArrayMode.cpp:
818         (JSC::DFG::ArrayMode::refine):
819         * dfg/DFGArrayMode.h:
820         * dfg/DFGFixupPhase.cpp:
821         (JSC::DFG::FixupPhase::fixupNode):
822         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
823         * dfg/DFGNode.h:
824         (JSC::DFG::Node::shouldSpeculateMisc):
825         * dfg/DFGSafeToExecute.h:
826         (JSC::DFG::SafeToExecuteEdge::operator()):
827         * dfg/DFGSpeculativeJIT.cpp:
828         (JSC::DFG::SpeculativeJIT::compileStrictEq):
829         (JSC::DFG::SpeculativeJIT::speculateMisc):
830         (JSC::DFG::SpeculativeJIT::speculate):
831         * dfg/DFGSpeculativeJIT.h:
832         * dfg/DFGSpeculativeJIT32_64.cpp:
833         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
834         * dfg/DFGSpeculativeJIT64.cpp:
835         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
836         * dfg/DFGUseKind.cpp:
837         (WTF::printInternal):
838         * dfg/DFGUseKind.h:
839         (JSC::DFG::typeFilterFor):
840         * ftl/FTLCapabilities.cpp:
841         (JSC::FTL::canCompile):
842         * ftl/FTLLowerDFGToLLVM.cpp:
843         (JSC::FTL::LowerDFGToLLVM::compileNode):
844         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
845         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
846         (JSC::FTL::LowerDFGToLLVM::compileThrow):
847         (JSC::FTL::LowerDFGToLLVM::isNotMisc):
848         (JSC::FTL::LowerDFGToLLVM::isMisc):
849         (JSC::FTL::LowerDFGToLLVM::speculate):
850         (JSC::FTL::LowerDFGToLLVM::speculateMisc):
851         * tests/stress/float32-array-out-of-bounds.js: Added.
852         * tests/stress/weird-equality-folding-cases.js: Added.
853
854 2014-03-04  Commit Queue  <commit-queue@webkit.org>
855
856         Unreviewed, rolling out r165085.
857         http://trac.webkit.org/changeset/165085
858         https://bugs.webkit.org/show_bug.cgi?id=129729
859
860         Broke imported/w3c/html-templates/template-element/template-
861         content.html (Requested by ap on #webkit).
862
863         * bytecode/SpeculatedType.cpp:
864         (JSC::speculationToAbbreviatedString):
865         * bytecode/SpeculatedType.h:
866         * dfg/DFGAbstractInterpreterInlines.h:
867         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
868         * dfg/DFGArrayMode.cpp:
869         (JSC::DFG::ArrayMode::refine):
870         * dfg/DFGArrayMode.h:
871         * dfg/DFGFixupPhase.cpp:
872         (JSC::DFG::FixupPhase::fixupNode):
873         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
874         * dfg/DFGNode.h:
875         (JSC::DFG::Node::shouldSpeculateBoolean):
876         * dfg/DFGSafeToExecute.h:
877         (JSC::DFG::SafeToExecuteEdge::operator()):
878         * dfg/DFGSpeculativeJIT.cpp:
879         (JSC::DFG::SpeculativeJIT::compileStrictEq):
880         (JSC::DFG::SpeculativeJIT::speculate):
881         * dfg/DFGSpeculativeJIT.h:
882         * dfg/DFGSpeculativeJIT32_64.cpp:
883         * dfg/DFGSpeculativeJIT64.cpp:
884         * dfg/DFGUseKind.cpp:
885         (WTF::printInternal):
886         * dfg/DFGUseKind.h:
887         (JSC::DFG::typeFilterFor):
888         * ftl/FTLCapabilities.cpp:
889         (JSC::FTL::canCompile):
890         * ftl/FTLLowerDFGToLLVM.cpp:
891         (JSC::FTL::LowerDFGToLLVM::compileNode):
892         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
893         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
894         (JSC::FTL::LowerDFGToLLVM::speculate):
895         * tests/stress/float32-array-out-of-bounds.js: Removed.
896         * tests/stress/weird-equality-folding-cases.js: Removed.
897
898 2014-03-04  Brian Burg  <bburg@apple.com>
899
900         Inspector does not restore breakpoints after a page reload
901         https://bugs.webkit.org/show_bug.cgi?id=129655
902
903         Reviewed by Joseph Pecoraro.
904
905         Fix a regression introduced by r162096 that erroneously removed
906         the inspector backend's mapping of files to breakpoints whenever the
907         global object was cleared.
908
909         The inspector's breakpoint mappings should only be cleared when the
910         debugger agent is disabled or destroyed. We should only clear the
911         debugger's breakpoint state when the global object is cleared.
912
913         To make it clearer what state is being cleared, the two cases have
914         been split into separate methods.
915
916         * inspector/agents/InspectorDebuggerAgent.cpp:
917         (Inspector::InspectorDebuggerAgent::disable):
918         (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
919         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
920         (Inspector::InspectorDebuggerAgent::didClearGlobalObject):
921         * inspector/agents/InspectorDebuggerAgent.h:
922
923 2014-03-04  Andreas Kling  <akling@apple.com>
924
925         Streamline JSValue::get().
926         <https://webkit.org/b/129720>
927
928         Fetch each Structure and VM only once when walking the prototype chain
929         in JSObject::getPropertySlot(), then pass it along to the functions
930         we call from there, so they don't have to re-fetch it.
931
932         Reviewed by Geoff Garen.
933
934         * runtime/JSObject.h:
935         (JSC::JSObject::inlineGetOwnPropertySlot):
936         (JSC::JSObject::fastGetOwnPropertySlot):
937         (JSC::JSObject::getPropertySlot):
938
939 2014-03-01  Filip Pizlo  <fpizlo@apple.com>
940
941         DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
942         https://bugs.webkit.org/show_bug.cgi?id=129563
943
944         Reviewed by Geoffrey Garen.
945         
946         This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
947         when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
948         user of this was EarleyBoyer, and in that benchmark what it was really doing was
949         comparing undefined, null, and booleans to each other.
950         
951         This also adds support for miscellaneous things that I needed to make my various test
952         cases work. This includes comparison over booleans and the various Throw-related node
953         types.
954         
955         This also improves constant folding of CompareStrictEq and CompareEq.
956         
957         Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
958         based on profiling, which caused some downstream badness. We don't actually support
959         compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
960         emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
961         shouldn't factor out the bounds check since the access is not InBounds but then the
962         backend would ignore the flag and assume that the bounds check was already emitted.
963         This showed up on an existing test but I added a test for this explicitly to have more
964         certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
965         that we'll have a bounds check anyway.
966         
967         This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
968         general progressions across the board. No speed-up yet on EarleyBoyer, since there is
969         still a lot more coverage work to be done there.
970
971         * bytecode/SpeculatedType.cpp:
972         (JSC::speculationToAbbreviatedString):
973         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
974         (JSC::valuesCouldBeEqual):
975         * bytecode/SpeculatedType.h:
976         (JSC::isMiscSpeculation):
977         * dfg/DFGAbstractInterpreterInlines.h:
978         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
979         * dfg/DFGFixupPhase.cpp:
980         (JSC::DFG::FixupPhase::fixupNode):
981         * dfg/DFGNode.h:
982         (JSC::DFG::Node::shouldSpeculateMisc):
983         * dfg/DFGSafeToExecute.h:
984         (JSC::DFG::SafeToExecuteEdge::operator()):
985         * dfg/DFGSpeculativeJIT.cpp:
986         (JSC::DFG::SpeculativeJIT::compileStrictEq):
987         (JSC::DFG::SpeculativeJIT::speculateMisc):
988         (JSC::DFG::SpeculativeJIT::speculate):
989         * dfg/DFGSpeculativeJIT.h:
990         * dfg/DFGSpeculativeJIT32_64.cpp:
991         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
992         * dfg/DFGSpeculativeJIT64.cpp:
993         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
994         * dfg/DFGUseKind.cpp:
995         (WTF::printInternal):
996         * dfg/DFGUseKind.h:
997         (JSC::DFG::typeFilterFor):
998         * ftl/FTLCapabilities.cpp:
999         (JSC::FTL::canCompile):
1000         * ftl/FTLLowerDFGToLLVM.cpp:
1001         (JSC::FTL::LowerDFGToLLVM::compileNode):
1002         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
1003         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
1004         (JSC::FTL::LowerDFGToLLVM::compileThrow):
1005         (JSC::FTL::LowerDFGToLLVM::isNotMisc):
1006         (JSC::FTL::LowerDFGToLLVM::isMisc):
1007         (JSC::FTL::LowerDFGToLLVM::speculate):
1008         (JSC::FTL::LowerDFGToLLVM::speculateMisc):
1009         * tests/stress/float32-array-out-of-bounds.js: Added.
1010         * tests/stress/weird-equality-folding-cases.js: Added.
1011
1012 2014-03-04  Andreas Kling  <akling@apple.com>
1013
1014         Spam static branch prediction hints on JS bindings.
1015         <https://webkit.org/b/129703>
1016
1017         Add LIKELY hint to jsDynamicCast since it's always used in a context
1018         where we expect it to succeed and takes an error path when it doesn't.
1019
1020         Reviewed by Geoff Garen.
1021
1022         * runtime/JSCell.h:
1023         (JSC::jsDynamicCast):
1024
1025 2014-03-04  Andreas Kling  <akling@apple.com>
1026
1027         Get to Structures more efficiently in JSCell::methodTable().
1028         <https://webkit.org/b/129702>
1029
1030         In JSCell::methodTable(), get the VM once and pass that along to
1031         structure(VM&) instead of using the heavier structure().
1032
1033         In JSCell::methodTable(VM&), replace calls to structure() with
1034         calls to structure(VM&).
1035
1036         Reviewed by Mark Hahnenberg.
1037
1038         * runtime/JSCellInlines.h:
1039         (JSC::JSCell::methodTable):
1040
1041 2014-03-04  Joseph Pecoraro  <pecoraro@apple.com>
1042
1043         Web Inspector: Listen for the XPC_ERROR_CONNECTION_INVALID event to deref
1044         https://bugs.webkit.org/show_bug.cgi?id=129697
1045
1046         Reviewed by Timothy Hatcher.
1047
1048         * inspector/remote/RemoteInspectorXPCConnection.mm:
1049         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
1050         (Inspector::RemoteInspectorXPCConnection::handleEvent):
1051
1052 2014-03-04  Mark Hahnenberg  <mhahnenberg@apple.com>
1053
1054         Merge API shims and JSLock
1055         https://bugs.webkit.org/show_bug.cgi?id=129650
1056
1057         Reviewed by Mark Lam.
1058
1059         JSLock is now taking on all of APIEntryShim's responsibilities since there is never a reason 
1060         to take just the JSLock. Ditto for DropAllLocks and APICallbackShim.
1061
1062         * API/APICallbackFunction.h:
1063         (JSC::APICallbackFunction::call):
1064         (JSC::APICallbackFunction::construct):
1065         * API/APIShims.h: Removed.
1066         * API/JSBase.cpp:
1067         (JSEvaluateScript):
1068         (JSCheckScriptSyntax):
1069         (JSGarbageCollect):
1070         (JSReportExtraMemoryCost):
1071         (JSSynchronousGarbageCollectForDebugging):
1072         * API/JSCallbackConstructor.cpp:
1073         * API/JSCallbackFunction.cpp:
1074         * API/JSCallbackObjectFunctions.h:
1075         (JSC::JSCallbackObject<Parent>::init):
1076         (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
1077         (JSC::JSCallbackObject<Parent>::put):
1078         (JSC::JSCallbackObject<Parent>::putByIndex):
1079         (JSC::JSCallbackObject<Parent>::deleteProperty):
1080         (JSC::JSCallbackObject<Parent>::construct):
1081         (JSC::JSCallbackObject<Parent>::customHasInstance):
1082         (JSC::JSCallbackObject<Parent>::call):
1083         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
1084         (JSC::JSCallbackObject<Parent>::getStaticValue):
1085         (JSC::JSCallbackObject<Parent>::callbackGetter):
1086         * API/JSContext.mm:
1087         (-[JSContext setException:]):
1088         (-[JSContext wrapperForObjCObject:]):
1089         (-[JSContext wrapperForJSObject:]):
1090         * API/JSContextRef.cpp:
1091         (JSContextGroupRelease):
1092         (JSContextGroupSetExecutionTimeLimit):
1093         (JSContextGroupClearExecutionTimeLimit):
1094         (JSGlobalContextCreateInGroup):
1095         (JSGlobalContextRetain):
1096         (JSGlobalContextRelease):
1097         (JSContextGetGlobalObject):
1098         (JSContextGetGlobalContext):
1099         (JSGlobalContextCopyName):
1100         (JSGlobalContextSetName):
1101         * API/JSManagedValue.mm:
1102         (-[JSManagedValue value]):
1103         * API/JSObjectRef.cpp:
1104         (JSObjectMake):
1105         (JSObjectMakeFunctionWithCallback):
1106         (JSObjectMakeConstructor):
1107         (JSObjectMakeFunction):
1108         (JSObjectMakeArray):
1109         (JSObjectMakeDate):
1110         (JSObjectMakeError):
1111         (JSObjectMakeRegExp):
1112         (JSObjectGetPrototype):
1113         (JSObjectSetPrototype):
1114         (JSObjectHasProperty):
1115         (JSObjectGetProperty):
1116         (JSObjectSetProperty):
1117         (JSObjectGetPropertyAtIndex):
1118         (JSObjectSetPropertyAtIndex):
1119         (JSObjectDeleteProperty):
1120         (JSObjectGetPrivateProperty):
1121         (JSObjectSetPrivateProperty):
1122         (JSObjectDeletePrivateProperty):
1123         (JSObjectIsFunction):
1124         (JSObjectCallAsFunction):
1125         (JSObjectCallAsConstructor):
1126         (JSObjectCopyPropertyNames):
1127         (JSPropertyNameArrayRelease):
1128         (JSPropertyNameAccumulatorAddName):
1129         * API/JSScriptRef.cpp:
1130         * API/JSValue.mm:
1131         (isDate):
1132         (isArray):
1133         (containerValueToObject):
1134         (valueToArray):
1135         (valueToDictionary):
1136         (objectToValue):
1137         * API/JSValueRef.cpp:
1138         (JSValueGetType):
1139         (JSValueIsUndefined):
1140         (JSValueIsNull):
1141         (JSValueIsBoolean):
1142         (JSValueIsNumber):
1143         (JSValueIsString):
1144         (JSValueIsObject):
1145         (JSValueIsObjectOfClass):
1146         (JSValueIsEqual):
1147         (JSValueIsStrictEqual):
1148         (JSValueIsInstanceOfConstructor):
1149         (JSValueMakeUndefined):
1150         (JSValueMakeNull):
1151         (JSValueMakeBoolean):
1152         (JSValueMakeNumber):
1153         (JSValueMakeString):
1154         (JSValueMakeFromJSONString):
1155         (JSValueCreateJSONString):
1156         (JSValueToBoolean):
1157         (JSValueToNumber):
1158         (JSValueToStringCopy):
1159         (JSValueToObject):
1160         (JSValueProtect):
1161         (JSValueUnprotect):
1162         * API/JSVirtualMachine.mm:
1163         (-[JSVirtualMachine addManagedReference:withOwner:]):
1164         (-[JSVirtualMachine removeManagedReference:withOwner:]):
1165         * API/JSWeakObjectMapRefPrivate.cpp:
1166         * API/JSWrapperMap.mm:
1167         (constructorHasInstance):
1168         (makeWrapper):
1169         (tryUnwrapObjcObject):
1170         * API/ObjCCallbackFunction.mm:
1171         (JSC::objCCallbackFunctionCallAsFunction):
1172         (JSC::objCCallbackFunctionCallAsConstructor):
1173         (objCCallbackFunctionForInvocation):
1174         * CMakeLists.txt:
1175         * ForwardingHeaders/JavaScriptCore/APIShims.h: Removed.
1176         * GNUmakefile.list.am:
1177         * JavaScriptCore.xcodeproj/project.pbxproj:
1178         * dfg/DFGWorklist.cpp:
1179         * heap/DelayedReleaseScope.h:
1180         (JSC::DelayedReleaseScope::~DelayedReleaseScope):
1181         * heap/HeapTimer.cpp:
1182         (JSC::HeapTimer::timerDidFire):
1183         (JSC::HeapTimer::timerEvent):
1184         * heap/IncrementalSweeper.cpp:
1185         * inspector/InjectedScriptModule.cpp:
1186         (Inspector::InjectedScriptModule::ensureInjected):
1187         * jsc.cpp:
1188         (jscmain):
1189         * runtime/GCActivityCallback.cpp:
1190         (JSC::DefaultGCActivityCallback::doWork):
1191         * runtime/JSGlobalObjectDebuggable.cpp:
1192         (JSC::JSGlobalObjectDebuggable::connect):
1193         (JSC::JSGlobalObjectDebuggable::disconnect):
1194         (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
1195         * runtime/JSLock.cpp:
1196         (JSC::JSLock::lock):
1197         (JSC::JSLock::didAcquireLock):
1198         (JSC::JSLock::unlock):
1199         (JSC::JSLock::willReleaseLock):
1200         (JSC::JSLock::DropAllLocks::DropAllLocks):
1201         (JSC::JSLock::DropAllLocks::~DropAllLocks):
1202         * runtime/JSLock.h:
1203         * testRegExp.cpp:
1204         (realMain):
1205
1206 2014-03-04  Commit Queue  <commit-queue@webkit.org>
1207
1208         Unreviewed, rolling out r164812.
1209         http://trac.webkit.org/changeset/164812
1210         https://bugs.webkit.org/show_bug.cgi?id=129699
1211
1212         it made things run slower (Requested by pizlo on #webkit).
1213
1214         * interpreter/Interpreter.cpp:
1215         (JSC::Interpreter::execute):
1216         * jsc.cpp:
1217         (GlobalObject::finishCreation):
1218         * runtime/BatchedTransitionOptimizer.h:
1219         (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
1220         (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
1221
1222 2014-03-02  Filip Pizlo  <fpizlo@apple.com>
1223
1224         GetMyArgumentByVal in FTL
1225         https://bugs.webkit.org/show_bug.cgi?id=128850
1226
1227         Reviewed by Oliver Hunt.
1228         
1229         This would have been easy if the OSR exit compiler's arity checks hadn't been wrong.
1230         They checked arity by doing "exec->argumentCount == codeBlock->numParameters", which
1231         caused it to think that the arity check had failed if the caller had passed more
1232         arguments than needed. This would cause the call frame copying to sort of go into
1233         reverse (because the amount-by-which-we-failed-arity would have opposite sign,
1234         throwing off a bunch of math) and the stack would end up being corrupted.
1235         
1236         The bug was revealed by two existing tests although as far as I could tell, neither
1237         test was intending to cover this case directly. So, I added a new test.
1238
1239         * ftl/FTLCapabilities.cpp:
1240         (JSC::FTL::canCompile):
1241         * ftl/FTLLowerDFGToLLVM.cpp:
1242         (JSC::FTL::LowerDFGToLLVM::compileNode):
1243         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
1244         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
1245         (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated):
1246         (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated):
1247         * ftl/FTLOSRExitCompiler.cpp:
1248         (JSC::FTL::compileStub):
1249         * ftl/FTLState.h:
1250         * tests/stress/exit-from-ftl-when-caller-passed-extra-args-then-use-function-dot-arguments.js: Added.
1251         * tests/stress/ftl-get-my-argument-by-val-inlined-and-not-inlined.js: Added.
1252         * tests/stress/ftl-get-my-argument-by-val-inlined.js: Added.
1253         * tests/stress/ftl-get-my-argument-by-val.js: Added.
1254
1255 2014-03-04  Zan Dobersek  <zdobersek@igalia.com>
1256
1257         [GTK] Build the Udis86 disassembler
1258         https://bugs.webkit.org/show_bug.cgi?id=129679
1259
1260         Reviewed by Michael Saboff.
1261
1262         * GNUmakefile.am: Generate the Udis86-related derived sources. Distribute the required files.
1263         * GNUmakefile.list.am: Add the Udis86 disassembler files to the build.
1264
1265 2014-03-04  Andreas Kling  <akling@apple.com>
1266
1267         Fix too-narrow assertion I added in r165054.
1268
1269         It's okay for a 1-character string to come in here. This will happen
1270         if the VM small string optimization doesn't apply (ch > 0xFF).
1271
1272         * runtime/JSString.h:
1273         (JSC::jsStringWithWeakOwner):
1274
1275 2014-03-04  Andreas Kling  <akling@apple.com>
1276
1277         Micro-optimize Strings in JS bindings.
1278         <https://webkit.org/b/129673>
1279
1280         Make jsStringWithWeakOwner() take a StringImpl& instead of a String.
1281         This avoids branches in length() and operator[].
1282
1283         Also call JSString::create() directly instead of jsString() and just
1284         assert that the string length is >1. This way we don't duplicate the
1285         optimizations for empty and single-character strings.
1286
1287         Reviewed by Ryosuke Niwa.
1288
1289         * runtime/JSString.h:
1290         (JSC::jsStringWithWeakOwner):
1291
1292 2014-03-04  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
1293
1294         Implement Number.prototype.clz()
1295         https://bugs.webkit.org/show_bug.cgi?id=129479
1296
1297         Reviewed by Oliver Hunt.
1298
1299         Implemented Number.prototype.clz() as specified in the ES6 standard.
1300
1301         * runtime/NumberPrototype.cpp:
1302         (JSC::numberProtoFuncClz):
1303
1304 2014-03-03  Joseph Pecoraro  <pecoraro@apple.com>
1305
1306         Web Inspector: Avoid too early deref caused by RemoteInspectorXPCConnection::close
1307         https://bugs.webkit.org/show_bug.cgi?id=129631
1308
1309         Reviewed by Timothy Hatcher.
1310
1311         Avoid deref() too early if a client calls close(). The xpc_connection_close
1312         will cause another XPC_ERROR event to come in from the queue, deref then.
1313         Likewise, protect multithreaded access to m_client. If a client calls
1314         close() we want to immediately clear the pointer to prevent calls to it.
1315
1316         Overall the multi-threading aspects of RemoteInspectorXPCConnection are
1317         growing too complicated for probably little benefit. We may want to
1318         clean this up later.
1319
1320         * inspector/remote/RemoteInspector.mm:
1321         (Inspector::RemoteInspector::xpcConnectionFailed):
1322         * inspector/remote/RemoteInspectorXPCConnection.h:
1323         * inspector/remote/RemoteInspectorXPCConnection.mm:
1324         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
1325         (Inspector::RemoteInspectorXPCConnection::close):
1326         (Inspector::RemoteInspectorXPCConnection::closeOnQueue):
1327         (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
1328         (Inspector::RemoteInspectorXPCConnection::handleEvent):
1329         (Inspector::RemoteInspectorXPCConnection::sendMessage):
1330
1331 2014-03-03  Michael Saboff  <msaboff@apple.com>
1332
1333         AbstractMacroAssembler::CachedTempRegister should start out invalid
1334         https://bugs.webkit.org/show_bug.cgi?id=129657
1335
1336         Reviewed by Filip Pizlo.
1337
1338         * assembler/AbstractMacroAssembler.h:
1339         (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
1340         - Invalidate all cached registers in constructor as we don't know the
1341           contents of any register at the entry to the code we are going to
1342           generate.
1343
1344 2014-03-03  Andreas Kling  <akling@apple.com>
1345
1346         StructureOrOffset should be fastmalloced.
1347         <https://webkit.org/b/129640>
1348
1349         Reviewed by Geoffrey Garen.
1350
1351         * runtime/StructureIDTable.h:
1352
1353 2014-03-03  Michael Saboff  <msaboff@apple.com>
1354
1355         Crash in JIT code while watching a video @ storyboard.tumblr.com
1356         https://bugs.webkit.org/show_bug.cgi?id=129635
1357
1358         Reviewed by Filip Pizlo.
1359
1360         Clear m_set before we set bits in the TempRegisterSet(const RegisterSet& other)
1361         constructor.
1362
1363         * jit/TempRegisterSet.cpp:
1364         (JSC::TempRegisterSet::TempRegisterSet): Clear map before setting it.
1365         * jit/TempRegisterSet.h:
1366         (JSC::TempRegisterSet::TempRegisterSet): Use new clearAll() helper.
1367         (JSC::TempRegisterSet::clearAll): New private helper.
1368
1369 2014-03-03  Benjamin Poulain  <benjamin@webkit.org>
1370
1371         [x86] Improve code generation of byte test
1372         https://bugs.webkit.org/show_bug.cgi?id=129597
1373
1374         Reviewed by Geoffrey Garen.
1375
1376         When possible, test the 8 bit register to itself instead of comparing it
1377         to a literal.
1378
1379         * assembler/MacroAssemblerX86Common.h:
1380         (JSC::MacroAssemblerX86Common::test32):
1381
1382 2014-03-03  Mark Lam  <mark.lam@apple.com>
1383
1384         Web Inspector: debugger statements do not break.
1385         <https://webkit.org/b/129524>
1386
1387         Reviewed by Geoff Garen.
1388
1389         Since we no longer call op_debug hooks unless there is a debugger request
1390         made on the CodeBlock, the op_debug for the debugger statement never gets
1391         serviced.
1392
1393         With this fix, we check in the CodeBlock constructor if any debugger
1394         statements are present.  If so, we set a m_hasDebuggerStatement flag that
1395         causes the CodeBlock to show as having debugger requests.  Hence,
1396         breaking at debugger statements is now restored.
1397
1398         * bytecode/CodeBlock.cpp:
1399         (JSC::CodeBlock::CodeBlock):
1400         * bytecode/CodeBlock.h:
1401         (JSC::CodeBlock::hasDebuggerRequests):
1402         (JSC::CodeBlock::clearDebuggerRequests):
1403
1404 2014-03-03  Mark Lam  <mark.lam@apple.com>
1405
1406         ASSERTION FAILED: m_numBreakpoints >= numBreakpoints when deleting breakpoints.
1407         <https://webkit.org/b/129393>
1408
1409         Reviewed by Geoffrey Garen.
1410
1411         The issue manifests because the debugger will iterate all CodeBlocks in
1412         the heap when setting / clearing breakpoints, but it is possible for a
1413         CodeBlock to have been instantiated but is not yet registered with the
1414         debugger.  This can happen because of the following:
1415
1416         1. DFG worklist compilation is still in progress, and the target
1417            codeBlock is not ready for installation in its executable yet.
1418
1419         2. DFG compilation failed and we have a codeBlock that will never be
1420            installed in its executable, and the codeBlock has not been cleaned
1421            up by the GC yet.
1422
1423         The code for installing the codeBlock in its executable is the same code
1424         that registers it with the debugger.  Hence, these codeBlocks are not
1425         registered with the debugger, and any pending breakpoints that would map
1426         to that CodeBlock are as yet unset or will never be set.  As such, an
1427         attempt to remove a breakpoint in that CodeBlock will fail that assertion.
1428
1429         To fix this, we do the following:
1430
1431         1. We'll eagerly clean up any zombie CodeBlocks due to failed DFG / FTL
1432            compilation.  This is achieved by providing a
1433            DeferredCompilationCallback::compilationDidComplete() that does this
1434            clean up, and have all sub classes call it at the end of their
1435            compilationDidComplete() methods.
1436
1437         2. Before the debugger or profiler iterates CodeBlocks in the heap, they
1438            will wait for all compilations to complete before proceeding.  This
1439            ensures that:
1440            1. any zombie CodeBlocks would have been cleaned up, and won't be
1441               seen by the debugger or profiler.
1442            2. all CodeBlocks that the debugger and profiler need to operate on
1443               will be "ready" for whatever needs to be done to them e.g.
1444               jettison'ing of DFG codeBlocks.
1445
1446         * bytecode/DeferredCompilationCallback.cpp:
1447         (JSC::DeferredCompilationCallback::compilationDidComplete):
1448         * bytecode/DeferredCompilationCallback.h:
1449         - Provide default implementation method to clean up zombie CodeBlocks.
1450
1451         * debugger/Debugger.cpp:
1452         (JSC::Debugger::forEachCodeBlock):
1453         - Utility function to iterate CodeBlocks.  It ensures that all compilations
1454           are complete before proceeding.
1455         (JSC::Debugger::setSteppingMode):
1456         (JSC::Debugger::toggleBreakpoint):
1457         (JSC::Debugger::recompileAllJSFunctions):
1458         (JSC::Debugger::clearBreakpoints):
1459         (JSC::Debugger::clearDebuggerRequests):
1460         - Use the utility iterator function.
1461
1462         * debugger/Debugger.h:
1463         * dfg/DFGOperations.cpp:
1464         - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.
1465
1466         * dfg/DFGPlan.cpp:
1467         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
1468         - Remove unneeded code (that was not the best solution anyway) for ensuring
1469           that we don't generate new DFG codeBlocks after enabling the debugger or
1470           profiler.  Now that we wait for compilations to complete before proceeding
1471           with debugger and profiler work, this scenario will never happen.
1472
1473         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
1474         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
1475         - Call the super class method to clean up zombie codeBlocks.
1476
1477         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
1478         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
1479         - Call the super class method to clean up zombie codeBlocks.
1480
1481         * heap/CodeBlockSet.cpp:
1482         (JSC::CodeBlockSet::remove):
1483         * heap/CodeBlockSet.h:
1484         * heap/Heap.h:
1485         (JSC::Heap::removeCodeBlock):
1486         - New method to remove a codeBlock from the codeBlock set.
1487
1488         * jit/JITOperations.cpp:
1489         - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.
1490
1491         * jit/JITToDFGDeferredCompilationCallback.cpp:
1492         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
1493         - Call the super class method to clean up zombie codeBlocks.
1494
1495         * runtime/VM.cpp:
1496         (JSC::VM::waitForCompilationsToComplete):
1497         - Renamed from prepareToDiscardCode() to be clearer about what it does.
1498
1499         (JSC::VM::discardAllCode):
1500         (JSC::VM::releaseExecutableMemory):
1501         (JSC::VM::setEnabledProfiler):
1502         - Wait for compilation to complete before enabling the profiler.
1503
1504         * runtime/VM.h:
1505
1506 2014-03-03  Brian Burg  <bburg@apple.com>
1507
1508         Another unreviewed build fix attempt for Windows after r164986.
1509
1510         We never told Visual Studio to copy over the web replay code generator scripts
1511         and the generated headers for JavaScriptCore replay inputs as if they were
1512         private headers.
1513
1514         * JavaScriptCore.vcxproj/copy-files.cmd:
1515
1516 2014-03-03  Brian Burg  <bburg@apple.com>
1517
1518         Web Replay: upstream input storage, capture/replay machinery, and inspector domain
1519         https://bugs.webkit.org/show_bug.cgi?id=128782
1520
1521         Reviewed by Timothy Hatcher.
1522
1523         Alter the replay inputs code generator so that it knows when it is necessary
1524         to include headers for HEAVY_SCALAR types such as WTF::String and WebCore::URL.
1525
1526         * JavaScriptCore.xcodeproj/project.pbxproj:
1527         * replay/scripts/CodeGeneratorReplayInputs.py:
1528         (Framework.fromString):
1529         (Frameworks): Add WTF as an allowed framework for code generation.
1530         (Generator.generate_includes): Include headers for HEAVY_SCALAR types in the header file.
1531         (Generator.generate_includes.declaration):
1532         (Generator.generate_includes.or):
1533         (Generator.generate_type_forward_declarations): Skip HEAVY_SCALAR types.
1534
1535 2014-03-02  Filip Pizlo  <fpizlo@apple.com>
1536
1537         PolymorphicPutByIdList should have a simpler construction API with basically a single entrypoint
1538         https://bugs.webkit.org/show_bug.cgi?id=129591
1539
1540         Reviewed by Michael Saboff.
1541
1542         * bytecode/PolymorphicPutByIdList.cpp:
1543         (JSC::PutByIdAccess::fromStructureStubInfo): This function can figure out the slow path target for itself.
1544         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList): This constructor should be private, only from() should call it.
1545         (JSC::PolymorphicPutByIdList::from):
1546         * bytecode/PolymorphicPutByIdList.h:
1547         (JSC::PutByIdAccess::stubRoutine):
1548         * jit/Repatch.cpp:
1549         (JSC::tryBuildPutByIdList): Don't pass the slow path target since it can be derived from the stubInfo.
1550
1551 2014-03-02  Filip Pizlo  <fpizlo@apple.com>
1552
1553         Debugging improvements from my gbemu investigation session
1554         https://bugs.webkit.org/show_bug.cgi?id=129599
1555
1556         Reviewed by Mark Lam.
1557         
1558         Various improvements from when I was investigating bug 129411.
1559
1560         * bytecode/CodeBlock.cpp:
1561         (JSC::CodeBlock::optimizationThresholdScalingFactor): Make the dataLog() statement print the actual multiplier.
1562         * jsc.cpp:
1563         (GlobalObject::finishCreation):
1564         (functionDescribe): Make describe() return a string rather than printing the string.
1565         (functionDescribeArray): Like describe(), but prints details about arrays.
1566
1567 2014-02-25  Andreas Kling  <akling@apple.com>
1568
1569         JSDOMWindow::commonVM() should return a reference.
1570         <https://webkit.org/b/129293>
1571
1572         Added a DropAllLocks constructor that takes VM& without null checks.
1573
1574         Reviewed by Geoff Garen.
1575
1576 2014-03-02  Mark Lam  <mark.lam@apple.com>
1577
1578         CodeBlock::hasDebuggerRequests() should return a bool instead of an int.
1579         <https://webkit.org/b/129584>
1580
1581         Reviewed by Darin Adler.
1582
1583         * bytecode/CodeBlock.h:
1584         (JSC::CodeBlock::hasDebuggerRequests):
1585
1586 2014-03-02  Mark Lam  <mark.lam@apple.com>
1587
1588         Clean up use of Options::enableConcurrentJIT().
1589         <https://webkit.org/b/129582>
1590
1591         Reviewed by Filip Pizlo.
1592
1593         DFG Driver was conditionally checking Options::enableConcurrentJIT()
1594         only if ENABLE(CONCURRENT_JIT).  Otherwise, it bypasses it with a local
1595         enableConcurrentJIT set to false.
1596
1597         Instead we should configure Options::enableConcurrentJIT() to be false
1598         in Options.cpp if !ENABLE(CONCURRENT_JIT), and DFG Driver should always
1599         check Options::enableConcurrentJIT().  This makes the code read a little
1600         cleaner.
1601
1602         * dfg/DFGDriver.cpp:
1603         (JSC::DFG::compileImpl):
1604         * runtime/Options.cpp:
1605         (JSC::recomputeDependentOptions):
1606
1607 2014-03-01  Filip Pizlo  <fpizlo@apple.com>
1608
1609         This shouldn't have been a layout test since it runs only under jsc. Moving it to JSC
1610         stress tests.
1611
1612         * tests/stress/generational-opaque-roots.js: Copied from LayoutTests/js/script-tests/generational-opaque-roots.js.
1613
1614 2014-03-01  Andreas Kling  <akling@apple.com>
1615
1616         JSCell::fastGetOwnProperty() should get the Structure more efficiently.
1617         <https://webkit.org/b/129560>
1618
1619         Now that structure() is nontrivial and we have a faster structure(VM&),
1620         make use of that in fastGetOwnProperty() since we already have VM.
1621
1622         Reviewed by Sam Weinig.
1623
1624         * runtime/JSCellInlines.h:
1625         (JSC::JSCell::fastGetOwnProperty):
1626
1627 2014-03-01  Andreas Kling  <akling@apple.com>
1628
1629         Avoid going through ExecState for VM when we already have it (in some places.)
1630         <https://webkit.org/b/129554>
1631
1632         Tweak some places that jump through unnecessary hoops to get the VM.
1633         There are many more like this.
1634
1635         Reviewed by Sam Weinig.
1636
1637         * runtime/JSObject.cpp:
1638         (JSC::JSObject::putByIndexBeyondVectorLength):
1639         (JSC::JSObject::putDirectIndexBeyondVectorLength):
1640         * runtime/ObjectPrototype.cpp:
1641         (JSC::objectProtoFuncToString):
1642
1643 2014-02-28  Filip Pizlo  <fpizlo@apple.com>
1644
1645         FTL should support PhantomArguments
1646         https://bugs.webkit.org/show_bug.cgi?id=113986
1647
1648         Reviewed by Oliver Hunt.
1649         
1650         Adding PhantomArguments to the FTL mostly means wiring the recovery of the Arguments
1651         object into the FTL's OSR exit compiler.
1652         
1653         This isn't a speed-up yet, since there is still more to be done to fully support
1654         all of the arguments craziness that our varargs benchmarks do.
1655
1656         * dfg/DFGOSRExitCompiler32_64.cpp:
1657         (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
1658         * dfg/DFGOSRExitCompiler64.cpp:
1659         (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
1660         * dfg/DFGOSRExitCompilerCommon.cpp:
1661         (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator):
1662         (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator):
1663         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): this is the common place for the recovery code
1664         * dfg/DFGOSRExitCompilerCommon.h:
1665         * ftl/FTLCapabilities.cpp:
1666         (JSC::FTL::canCompile):
1667         * ftl/FTLExitValue.cpp:
1668         (JSC::FTL::ExitValue::dumpInContext):
1669         * ftl/FTLExitValue.h:
1670         (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated):
1671         (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated):
1672         (JSC::FTL::ExitValue::valueFormat):
1673         * ftl/FTLLowerDFGToLLVM.cpp:
1674         (JSC::FTL::LowerDFGToLLVM::compileNode):
1675         (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments):
1676         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
1677         (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
1678         * ftl/FTLOSRExitCompiler.cpp:
1679         (JSC::FTL::compileStub): Call into the ArgumentsRecoveryGenerator
1680         * tests/stress/slightly-more-difficult-to-fold-reflective-arguments-access.js: Added.
1681         * tests/stress/trivially-foldable-reflective-arguments-access.js: Added.
1682
1683 2014-02-28  Filip Pizlo  <fpizlo@apple.com>
1684
1685         Unreviewed, uncomment some code. It wasn't meant to be commented in the first place.
1686
1687         * dfg/DFGCSEPhase.cpp:
1688         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
1689
1690 2014-02-28  Andreas Kling  <akling@apple.com>
1691
1692         JSObject::findPropertyHashEntry() should take VM instead of ExecState.
1693         <https://webkit.org/b/129529>
1694
1695         Callers already have VM in a local, and findPropertyHashEntry() only
1696         uses the VM, no need to go all the way through ExecState.
1697
1698         Reviewed by Geoffrey Garen.
1699
1700         * runtime/JSObject.cpp:
1701         (JSC::JSObject::put):
1702         (JSC::JSObject::deleteProperty):
1703         (JSC::JSObject::findPropertyHashEntry):
1704         * runtime/JSObject.h:
1705
1706 2014-02-28  Joseph Pecoraro  <pecoraro@apple.com>
1707
1708         Deadlock remotely inspecting iOS Simulator
1709         https://bugs.webkit.org/show_bug.cgi?id=129511
1710
1711         Reviewed by Timothy Hatcher.
1712
1713         Avoid synchronous setup. Do it asynchronously, and let
1714         the RemoteInspector singleton know later if it failed.
1715
1716         * inspector/remote/RemoteInspector.h:
1717         * inspector/remote/RemoteInspector.mm:
1718         (Inspector::RemoteInspector::setupFailed):
1719         * inspector/remote/RemoteInspectorDebuggableConnection.h:
1720         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
1721         (Inspector::RemoteInspectorDebuggableConnection::setup):
1722
1723 2014-02-28  Oliver Hunt  <oliver@apple.com>
1724
1725         REGRESSION(r164835): It broke 10 JSC stress test on 32 bit platforms
1726         https://bugs.webkit.org/show_bug.cgi?id=129488
1727
1728         Reviewed by Mark Lam.
1729
1730         Whoops, modify the right register.
1731
1732         * jit/JITCall32_64.cpp:
1733         (JSC::JIT::compileLoadVarargs):
1734
1735 2014-02-28  Filip Pizlo  <fpizlo@apple.com>
1736
1737         FTL should be able to call sin/cos directly on platforms where the intrinsic is busted
1738         https://bugs.webkit.org/show_bug.cgi?id=129503
1739
1740         Reviewed by Mark Lam.
1741
1742         * ftl/FTLIntrinsicRepository.h:
1743         * ftl/FTLOutput.h:
1744         (JSC::FTL::Output::doubleSin):
1745         (JSC::FTL::Output::doubleCos):
1746         (JSC::FTL::Output::intrinsicOrOperation):
1747
1748 2014-02-28  Mark Hahnenberg  <mhahnenberg@apple.com>
1749
1750         Fix !ENABLE(GGC) builds
1751
1752         * heap/Heap.cpp:
1753         (JSC::Heap::markRoots):
1754         (JSC::Heap::gatherJSStackRoots): Also fix one of the names of the GC phases.
1755
1756 2014-02-27  Mark Hahnenberg  <mhahnenberg@apple.com>
1757
1758         Clean up Heap::collect and Heap::markRoots
1759         https://bugs.webkit.org/show_bug.cgi?id=129464
1760
1761         Reviewed by Geoffrey Garen.
1762
1763         These functions have built up a lot of cruft recently. 
1764         We should do a bit of cleanup to make them easier to grok.
1765
1766         * heap/Heap.cpp:
1767         (JSC::Heap::finalizeUnconditionalFinalizers):
1768         (JSC::Heap::gatherStackRoots):
1769         (JSC::Heap::gatherJSStackRoots):
1770         (JSC::Heap::gatherScratchBufferRoots):
1771         (JSC::Heap::clearLivenessData):
1772         (JSC::Heap::visitSmallStrings):
1773         (JSC::Heap::visitConservativeRoots):
1774         (JSC::Heap::visitCompilerWorklists):
1775         (JSC::Heap::markProtectedObjects):
1776         (JSC::Heap::markTempSortVectors):
1777         (JSC::Heap::markArgumentBuffers):
1778         (JSC::Heap::visitException):
1779         (JSC::Heap::visitStrongHandles):
1780         (JSC::Heap::visitHandleStack):
1781         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
1782         (JSC::Heap::converge):
1783         (JSC::Heap::visitWeakHandles):
1784         (JSC::Heap::clearRememberedSet):
1785         (JSC::Heap::updateObjectCounts):
1786         (JSC::Heap::resetVisitors):
1787         (JSC::Heap::markRoots):
1788         (JSC::Heap::copyBackingStores):
1789         (JSC::Heap::deleteUnmarkedCompiledCode):
1790         (JSC::Heap::collect):
1791         (JSC::Heap::collectIfNecessaryOrDefer):
1792         (JSC::Heap::suspendCompilerThreads):
1793         (JSC::Heap::willStartCollection):
1794         (JSC::Heap::deleteOldCode):
1795         (JSC::Heap::flushOldStructureIDTables):
1796         (JSC::Heap::flushWriteBarrierBuffer):
1797         (JSC::Heap::stopAllocation):
1798         (JSC::Heap::reapWeakHandles):
1799         (JSC::Heap::sweepArrayBuffers):
1800         (JSC::Heap::snapshotMarkedSpace):
1801         (JSC::Heap::deleteSourceProviderCaches):
1802         (JSC::Heap::notifyIncrementalSweeper):
1803         (JSC::Heap::rememberCurrentlyExecutingCodeBlocks):
1804         (JSC::Heap::resetAllocators):
1805         (JSC::Heap::updateAllocationLimits):
1806         (JSC::Heap::didFinishCollection):
1807         (JSC::Heap::resumeCompilerThreads):
1808         * heap/Heap.h:
1809
1810 2014-02-27  Ryosuke Niwa  <rniwa@webkit.org>
1811
1812         indexOf and lastIndexOf shouldn't resolve ropes when needle is longer than haystack
1813         https://bugs.webkit.org/show_bug.cgi?id=129466
1814
1815         Reviewed by Michael Saboff.
1816
1817         Refactored the code to avoid calling JSString::value when needle is longer than haystack.
1818
1819         * runtime/StringPrototype.cpp:
1820         (JSC::stringProtoFuncIndexOf):
1821         (JSC::stringProtoFuncLastIndexOf):
1822
1823 2014-02-27  Timothy Hatcher  <timothy@apple.com>
1824
1825         Improve how ContentSearchUtilities::lineEndings works by supporting the three common line endings.
1826
1827         https://bugs.webkit.org/show_bug.cgi?id=129458
1828
1829         Reviewed by Joseph Pecoraro.
1830
1831         * inspector/ContentSearchUtilities.cpp:
1832         (Inspector::ContentSearchUtilities::textPositionFromOffset): Remove assumption about line ending length.
1833         (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Remove assumption about
1834         line ending type and don't try to strip the line ending. Use size_t.
1835         (Inspector::ContentSearchUtilities::lineEndings): Use findNextLineStart to find the lines.
1836         This will include the line ending in the lines, but that is okay.
1837         (Inspector::ContentSearchUtilities::buildObjectForSearchMatch): Use size_t.
1838         (Inspector::ContentSearchUtilities::searchInTextByLines): Modernize.
1839
1840 2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>
1841
1842         [Mac] Warning: Multiple build commands for output file GCSegmentedArray and InspectorAgent
1843         https://bugs.webkit.org/show_bug.cgi?id=129446
1844
1845         Reviewed by Timothy Hatcher.
1846
1847         Remove duplicate header entries in Copy Header build phase.
1848
1849         * JavaScriptCore.xcodeproj/project.pbxproj:
1850
1851 2014-02-27  Oliver Hunt  <oliver@apple.com>
1852
1853         Whoops, include all of last patch.
1854
1855         * jit/JITCall32_64.cpp:
1856         (JSC::JIT::compileLoadVarargs):
1857
1858 2014-02-27  Oliver Hunt  <oliver@apple.com>
1859
1860         Slow cases for function.apply and function.call should not require vm re-entry
1861         https://bugs.webkit.org/show_bug.cgi?id=129454
1862
1863         Reviewed by Geoffrey Garen.
1864
1865         Implement call and apply using builtins. Happily the use
1866         of @call and @apply doesn't perform function equality checks
1867         and just plant direct var_args calls. This did expose a few
1868         codegen issues, but they're all covered by existing tests
1869         once call and apply are implemented in JS.
1870
1871         * JavaScriptCore.xcodeproj/project.pbxproj:
1872         * builtins/Function.prototype.js: Added.
1873         (call):
1874         (apply):
1875         * bytecompiler/NodesCodegen.cpp:
1876         (JSC::CallFunctionCallDotNode::emitBytecode):
1877         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1878         * dfg/DFGCapabilities.cpp:
1879         (JSC::DFG::capabilityLevel):
1880         * interpreter/Interpreter.cpp:
1881         (JSC::sizeFrameForVarargs):
1882         (JSC::loadVarargs):
1883         * interpreter/Interpreter.h:
1884         * jit/JITCall.cpp:
1885         (JSC::JIT::compileLoadVarargs):
1886         * parser/ASTBuilder.h:
1887         (JSC::ASTBuilder::makeFunctionCallNode):
1888         * parser/Lexer.cpp:
1889         (JSC::isSafeBuiltinIdentifier):
1890         * runtime/CommonIdentifiers.h:
1891         * runtime/FunctionPrototype.cpp:
1892         (JSC::FunctionPrototype::addFunctionProperties):
1893         * runtime/JSObject.cpp:
1894         (JSC::JSObject::putDirectBuiltinFunction):
1895         (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
1896         * runtime/JSObject.h:
1897
1898 2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>
1899
1900         Web Inspector: Better name for RemoteInspectorDebuggableConnection dispatch queue
1901         https://bugs.webkit.org/show_bug.cgi?id=129443
1902
1903         Reviewed by Timothy Hatcher.
1904
1905         This queue is specific to the JSContext debuggable connections,
1906         there is no XPC involved. Give it a better name.
1907
1908         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
1909         (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
1910
1911 2014-02-27  David Kilzer  <ddkilzer@apple.com>
1912
1913         Remove jsc symlink if it already exists
1914
1915         This is a follow-up fix for:
1916
1917         Create symlink to /usr/local/bin/jsc during installation
1918         <http://webkit.org/b/129399>
1919         <rdar://problem/16168734>
1920
1921         * JavaScriptCore.xcodeproj/project.pbxproj:
1922         (Create /usr/local/bin/jsc symlink): If a jsc symlink already
1923         exists where we're about to create the symlink, remove the old
1924         one first.
1925
1926 2014-02-27  Michael Saboff  <msaboff@apple.com>
1927
1928         Unreviewed build fix for Mac tools after r164814
1929
1930         * Configurations/ToolExecutable.xcconfig:
1931         - Added JavaScriptCore.framework/PrivateHeaders to ToolExecutable include path.
1932         * JavaScriptCore.xcodeproj/project.pbxproj:
1933         - Changed productName to testRegExp for testRegExp target.
1934
1935 2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>
1936
1937         Web Inspector: JSContext inspection should report exceptions in the console
1938         https://bugs.webkit.org/show_bug.cgi?id=128776
1939
1940         Reviewed by Timothy Hatcher.
1941
1942         When JavaScript API functions have an exception, let the inspector
1943         know so it can log the JavaScript and Native backtrace that caused
1944         the exception.
1945
1946         Include some clean up of ConsoleMessage and ScriptCallStack construction.
1947
1948         * API/JSBase.cpp:
1949         (JSEvaluateScript):
1950         (JSCheckScriptSyntax):
1951         * API/JSObjectRef.cpp:
1952         (JSObjectMakeFunction):
1953         (JSObjectMakeArray):
1954         (JSObjectMakeDate):
1955         (JSObjectMakeError):
1956         (JSObjectMakeRegExp):
1957         (JSObjectGetProperty):
1958         (JSObjectSetProperty):
1959         (JSObjectGetPropertyAtIndex):
1960         (JSObjectSetPropertyAtIndex):
1961         (JSObjectDeleteProperty):
1962         (JSObjectCallAsFunction):
1963         (JSObjectCallAsConstructor):
1964         * API/JSValue.mm:
1965         (reportExceptionToInspector):
1966         (valueToArray):
1967         (valueToDictionary):
1968         * API/JSValueRef.cpp:
1969         (JSValueIsEqual):
1970         (JSValueIsInstanceOfConstructor):
1971         (JSValueCreateJSONString):
1972         (JSValueToNumber):
1973         (JSValueToStringCopy):
1974         (JSValueToObject):
1975         When seeing an exception, let the inspector know there was an exception.
1976
1977         * inspector/JSGlobalObjectInspectorController.h:
1978         * inspector/JSGlobalObjectInspectorController.cpp:
1979         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1980         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
1981         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
1982         Log API exceptions by also grabbing the native backtrace.
1983
1984         * inspector/ScriptCallStack.h:
1985         * inspector/ScriptCallStack.cpp:
1986         (Inspector::ScriptCallStack::firstNonNativeCallFrame):
1987         (Inspector::ScriptCallStack::append):
1988         Minor extensions to ScriptCallStack to make it easier to work with.
1989
1990         * inspector/ConsoleMessage.cpp:
1991         (Inspector::ConsoleMessage::ConsoleMessage):
1992         (Inspector::ConsoleMessage::autogenerateMetadata):
1993         Provide better default information if the first call frame was native.
1994
1995         * inspector/ScriptCallStackFactory.cpp:
1996         (Inspector::createScriptCallStack):
1997         (Inspector::extractSourceInformationFromException):
1998         (Inspector::createScriptCallStackFromException):
1999         Perform the handling here of inserting a fake call frame for exceptions
2000         if there was no call stack (e.g. a SyntaxError) or if the first call
2001         frame had no information.
2002
2003         * inspector/ConsoleMessage.cpp:
2004         (Inspector::ConsoleMessage::ConsoleMessage):
2005         (Inspector::ConsoleMessage::autogenerateMetadata):
2006         * inspector/ConsoleMessage.h:
2007         * inspector/ScriptCallStackFactory.cpp:
2008         (Inspector::createScriptCallStack):
2009         (Inspector::createScriptCallStackForConsole):
2010         * inspector/ScriptCallStackFactory.h:
2011         * inspector/agents/InspectorConsoleAgent.cpp:
2012         (Inspector::InspectorConsoleAgent::enable):
2013         (Inspector::InspectorConsoleAgent::addMessageToConsole):
2014         (Inspector::InspectorConsoleAgent::count):
2015         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2016         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
2017         ConsoleMessage cleanup.
2018
2019 2014-02-27  David Kilzer  <ddkilzer@apple.com>
2020
2021         Create symlink to /usr/local/bin/jsc during installation
2022         <http://webkit.org/b/129399>
2023         <rdar://problem/16168734>
2024
2025         Reviewed by Dan Bernstein.
2026
2027         * JavaScriptCore.xcodeproj/project.pbxproj:
2028         - Add "Create /usr/local/bin/jsc symlink" build phase script to
2029           create the symlink during installation.
2030
2031 2014-02-27  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>
2032
2033         Math.{max, min}() must not return after first NaN value
2034         https://bugs.webkit.org/show_bug.cgi?id=104147
2035
2036         Reviewed by Oliver Hunt.
2037
2038         According to the spec, ToNumber is going to be called on each argument
2039         even if a `NaN` value was already found.
2040
2041         * runtime/MathObject.cpp:
2042         (JSC::mathProtoFuncMax):
2043         (JSC::mathProtoFuncMin):
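
The following is an added example and is not WebKit or JavaScriptCore code; it models the spec requirement behind this entry. ToNumber can run user code (valueOf/toString), so whether Math.max and Math.min keep converting arguments after a NaN is observable, and an early return changes program behaviour. earlyReturnMax, specExtremum, specMax, specMin, makeProbe and conversionsAfterNaN are hypothetical names; the probe objects are constructed.

```javascript
// Added example, not WebKit code. Compares a non-conformant early-return
// max() with a spec-shaped max/min that converts every argument first.

// Non-conformant shape: stops converting at the first NaN, so valueOf on any
// later argument is never called (the behaviour this fix removed).
function earlyReturnMax(...args) {
  let result = -Infinity;
  for (const arg of args) {
    const n = Number(arg);               // ToNumber
    if (Number.isNaN(n)) return NaN;     // later arguments are never converted
    if (n > result) result = n;
  }
  return result;
}

// Spec-shaped max/min: ToNumber on every argument, left to right, then fold.
// pickMax selects max (true) or min (false).
function specExtremum(pickMax, args) {
  const coerced = args.map(Number);      // every conversion happens here
  let result = pickMax ? -Infinity : Infinity;
  for (const n of coerced) {
    if (Number.isNaN(n)) return NaN;     // NaN still wins, after all conversions
    // +0 and -0 compare equal; the spec orders -0 below +0.
    if (n === 0 && result === 0) {
      if (pickMax && Object.is(result, -0)) result = 0;
      if (!pickMax && Object.is(n, -0)) result = -0;
      continue;
    }
    if (pickMax ? n > result : n < result) result = n;
  }
  return result;
}
const specMax = (...args) => specExtremum(true, args);
const specMin = (...args) => specExtremum(false, args);

// Constructed probe: an object whose valueOf records that ToNumber ran on it.
function makeProbe(log, name, value) {
  return { valueOf() { log.push(name); return value; } };
}

// Calls fn(NaN, probeA, probeB) and reports which probes were converted.
function conversionsAfterNaN(fn) {
  const log = [];
  const result = fn(NaN, makeProbe(log, "a", 1), makeProbe(log, "b", 2));
  return { result, converted: log.join(",") };
}
```

conversionsAfterNaN(specMax) and conversionsAfterNaN(Math.max) both report "a,b" converted; conversionsAfterNaN(earlyReturnMax) reports none, which is the observable difference a program relying on valueOf side effects would see.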
2044
2045 2014-02-27  Gergo Balogh  <gbalogh.u-szeged@partner.samsung.com>
2046
2047         JSType upper limit (0xff) assertion can be removed.
2048         https://bugs.webkit.org/show_bug.cgi?id=129424
2049
2050         Reviewed by Geoffrey Garen.
2051
2052         * runtime/JSTypeInfo.h:
2053         (JSC::TypeInfo::TypeInfo):
2054
2055 2014-02-26  Michael Saboff  <msaboff@apple.com>
2056
2057         Auto generate bytecode information for bytecode parser and LLInt
2058         https://bugs.webkit.org/show_bug.cgi?id=129181
2059
2060         Reviewed by Mark Lam.
2061
2062         Added new bytecode/BytecodeList.json that contains a list of bytecodes and related
2063         helpers.  It also includes bytecode length and other information used to generate files.
2064         Added a new generator, generate-bytecode-files that generates Bytecodes.h and InitBytecodes.asm
2065         in DerivedSources/JavaScriptCore/.
2066
2067         Added the generation of these files to the "DerivedSource" build step.
2068         Slightly changed the build order, since the Bytecodes.h file is needed by
2069         JSCLLIntOffsetsExtractor.  Moved the offline assembly to a separate step since it needs
2070         to be run after JSCLLIntOffsetsExtractor.
2071
2072         Made related changes to OPCODE macros and their use.
2073
2074         Added JavaScriptCore.framework/PrivateHeaders to header file search path for building
2075         jsc to resolve Mac build issue.
2076
2077         * CMakeLists.txt:
2078         * Configurations/JSC.xcconfig:
2079         * DerivedSources.make:
2080         * GNUmakefile.am:
2081         * GNUmakefile.list.am:
2082         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2083         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2084         * JavaScriptCore.vcxproj/copy-files.cmd:
2085         * JavaScriptCore.xcodeproj/project.pbxproj:
2086         * bytecode/Opcode.h:
2087         (JSC::padOpcodeName):
2088         * llint/LLIntCLoop.cpp:
2089         (JSC::LLInt::CLoop::initialize):
2090         * llint/LLIntCLoop.h:
2091         * llint/LLIntData.cpp:
2092         (JSC::LLInt::initialize):
2093         * llint/LLIntOpcode.h:
2094         * llint/LowLevelInterpreter.asm:
2095
2096 2014-02-27  Julien Brianceau   <jbriance@cisco.com>
2097
2098         Fix 32-bit V_JITOperation_EJ callOperation introduced in r162652.
2099         https://bugs.webkit.org/show_bug.cgi?id=129420
2100
2101         Reviewed by Geoffrey Garen.
2102
2103         * dfg/DFGSpeculativeJIT.h:
2104         (JSC::DFG::SpeculativeJIT::callOperation): Payload and tag are swapped.
2105         Also, EABI_32BIT_DUMMY_ARG is missing for arm EABI and mips.
2106
2107 2014-02-27  Filip Pizlo  <fpizlo@apple.com>
2108
2109         Octane/closure thrashes between flattening dictionaries during global object initialization in a global eval
2110         https://bugs.webkit.org/show_bug.cgi?id=129435
2111
2112         Reviewed by Oliver Hunt.
2113         
2114         This is a 5-10% speed-up on Octane/closure.
2115
2116         * interpreter/Interpreter.cpp:
2117         (JSC::Interpreter::execute):
2118         * jsc.cpp:
2119         (GlobalObject::finishCreation):
2120         (functionClearCodeCache):
2121         * runtime/BatchedTransitionOptimizer.h:
2122         (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
2123         (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
2124
2125 2014-02-27  Alexey Proskuryakov  <ap@apple.com>
2126
2127         Added svn:ignore to two directories, so that .pyc files don't show up as unversioned.
2128
2129         * inspector/scripts: Added property svn:ignore.
2130         * replay/scripts: Added property svn:ignore.
2131
2132 2014-02-27  Gabor Rapcsanyi  <rgabor@webkit.org>
2133
2134         r164764 broke the ARM build
2135         https://bugs.webkit.org/show_bug.cgi?id=129415
2136
2137         Reviewed by Zoltan Herczeg.
2138
2139         * assembler/MacroAssemblerARM.h:
2140         (JSC::MacroAssemblerARM::moveWithPatch): Change reinterpret_cast to static_cast.
2141         (JSC::MacroAssemblerARM::canJumpReplacePatchableBranch32WithPatch): Add missing function.
2142         (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress): Add missing function.
2143         (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch): Add missing function.
2144
2145 2014-02-27  Mark Hahnenberg  <mhahnenberg@apple.com>
2146
2147         r164764 broke the ARM build
2148         https://bugs.webkit.org/show_bug.cgi?id=129415
2149
2150         Reviewed by Geoffrey Garen.
2151
2152         * assembler/MacroAssemblerARM.h:
2153         (JSC::MacroAssemblerARM::moveWithPatch):
2154
2155 2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>
2156
2157         r164764 broke the ARM build
2158         https://bugs.webkit.org/show_bug.cgi?id=129415
2159
2160         Reviewed by Geoffrey Garen.
2161
2162         * assembler/MacroAssemblerARM.h:
2163         (JSC::MacroAssemblerARM::branch32WithPatch): Missing this function.
2164
2165 2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>
2166
2167         EFL build fix
2168
2169         * dfg/DFGSpeculativeJIT32_64.cpp: Remove unused variables.
2170         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
2171         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
2172
2173 2014-02-25  Mark Hahnenberg  <mhahnenberg@apple.com>
2174
2175         Make JSCells have 32-bit Structure pointers
2176         https://bugs.webkit.org/show_bug.cgi?id=123195
2177
2178         Reviewed by Filip Pizlo.
2179
2180         This patch changes JSCells such that they no longer have a full 64-bit Structure
2181         pointer in their header. Instead they now have a 32-bit index into
2182         a per-VM table of Structure pointers. 32-bit platforms still use normal Structure
2183         pointers.
2184
2185         This change frees up an additional 32 bits of information in our object headers.
2186         We then use this extra space to store the indexing type of the object, the JSType
2187         of the object, some various type flags, and garbage collection data (e.g. mark bit).
2188         Because this inline type information is now faster to read, it pays for the slowdown 
2189         incurred by having to perform an extra indirection through the StructureIDTable.
2190
2191         This patch also threads a reference to the current VM through more of the C++ runtime
2192         to offset the cost of having to look up the VM to get the actual Structure pointer.
2193
2194         * API/JSContext.mm:
2195         (-[JSContext setException:]):
2196         (-[JSContext wrapperForObjCObject:]):
2197         (-[JSContext wrapperForJSObject:]):
2198         * API/JSContextRef.cpp:
2199         (JSContextGroupRelease):
2200         (JSGlobalContextRelease):
2201         * API/JSObjectRef.cpp:
2202         (JSObjectIsFunction):
2203         (JSObjectCopyPropertyNames):
2204         * API/JSValue.mm:
2205         (containerValueToObject):
2206         * API/JSWrapperMap.mm:
2207         (tryUnwrapObjcObject):
2208         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2209         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2210         * JavaScriptCore.xcodeproj/project.pbxproj:
2211         * assembler/AbstractMacroAssembler.h:
2212         * assembler/MacroAssembler.h:
2213         (JSC::MacroAssembler::patchableBranch32WithPatch):
2214         (JSC::MacroAssembler::patchableBranch32):
2215         * assembler/MacroAssemblerARM64.h:
2216         (JSC::MacroAssemblerARM64::branchPtrWithPatch):
2217         (JSC::MacroAssemblerARM64::patchableBranch32WithPatch):
2218         (JSC::MacroAssemblerARM64::canJumpReplacePatchableBranch32WithPatch):
2219         (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
2220         (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
2221         * assembler/MacroAssemblerARMv7.h:
2222         (JSC::MacroAssemblerARMv7::store8):
2223         (JSC::MacroAssemblerARMv7::branch32WithPatch):
2224         (JSC::MacroAssemblerARMv7::patchableBranch32WithPatch):
2225         (JSC::MacroAssemblerARMv7::canJumpReplacePatchableBranch32WithPatch):
2226         (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
2227         (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
2228         * assembler/MacroAssemblerX86.h:
2229         (JSC::MacroAssemblerX86::branch32WithPatch):
2230         (JSC::MacroAssemblerX86::canJumpReplacePatchableBranch32WithPatch):
2231         (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
2232         (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
2233         * assembler/MacroAssemblerX86_64.h:
2234         (JSC::MacroAssemblerX86_64::store32):
2235         (JSC::MacroAssemblerX86_64::moveWithPatch):
2236         (JSC::MacroAssemblerX86_64::branch32WithPatch):
2237         (JSC::MacroAssemblerX86_64::canJumpReplacePatchableBranch32WithPatch):
2238         (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
2239         (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
2240         (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
2241         * assembler/RepatchBuffer.h:
2242         (JSC::RepatchBuffer::startOfPatchableBranch32WithPatchOnAddress):
2243         (JSC::RepatchBuffer::revertJumpReplacementToPatchableBranch32WithPatch):
2244         * assembler/X86Assembler.h:
2245         (JSC::X86Assembler::revertJumpTo_movq_i64r):
2246         (JSC::X86Assembler::revertJumpTo_movl_i32r):
2247         * bytecode/ArrayProfile.cpp:
2248         (JSC::ArrayProfile::computeUpdatedPrediction):
2249         * bytecode/ArrayProfile.h:
2250         (JSC::ArrayProfile::ArrayProfile):
2251         (JSC::ArrayProfile::addressOfLastSeenStructureID):
2252         (JSC::ArrayProfile::observeStructure):
2253         * bytecode/CodeBlock.h:
2254         (JSC::CodeBlock::heap):
2255         * bytecode/UnlinkedCodeBlock.h:
2256         * debugger/Debugger.h:
2257         * dfg/DFGAbstractHeap.h:
2258         * dfg/DFGArrayifySlowPathGenerator.h:
2259         * dfg/DFGClobberize.h:
2260         (JSC::DFG::clobberize):
2261         * dfg/DFGJITCompiler.h:
2262         (JSC::DFG::JITCompiler::branchWeakStructure):
2263         (JSC::DFG::JITCompiler::branchStructurePtr):
2264         * dfg/DFGOSRExitCompiler32_64.cpp:
2265         (JSC::DFG::OSRExitCompiler::compileExit):
2266         * dfg/DFGOSRExitCompiler64.cpp:
2267         (JSC::DFG::OSRExitCompiler::compileExit):
2268         * dfg/DFGOSRExitCompilerCommon.cpp:
2269         (JSC::DFG::osrWriteBarrier):
2270         (JSC::DFG::adjustAndJumpToTarget):
2271         * dfg/DFGOperations.cpp:
2272         (JSC::DFG::putByVal):
2273         * dfg/DFGSpeculativeJIT.cpp:
2274         (JSC::DFG::SpeculativeJIT::checkArray):
2275         (JSC::DFG::SpeculativeJIT::arrayify):
2276         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
2277         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
2278         (JSC::DFG::SpeculativeJIT::compileInstanceOf):
2279         (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
2280         (JSC::DFG::SpeculativeJIT::speculateObject):
2281         (JSC::DFG::SpeculativeJIT::speculateFinalObject):
2282         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
2283         (JSC::DFG::SpeculativeJIT::speculateString):
2284         (JSC::DFG::SpeculativeJIT::speculateStringObject):
2285         (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
2286         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
2287         (JSC::DFG::SpeculativeJIT::emitSwitchString):
2288         (JSC::DFG::SpeculativeJIT::genericWriteBarrier):
2289         (JSC::DFG::SpeculativeJIT::writeBarrier):
2290         * dfg/DFGSpeculativeJIT.h:
2291         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
2292         (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
2293         * dfg/DFGSpeculativeJIT32_64.cpp:
2294         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
2295         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
2296         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
2297         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
2298         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
2299         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2300         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2301         (JSC::DFG::SpeculativeJIT::compile):
2302         (JSC::DFG::SpeculativeJIT::writeBarrier):
2303         * dfg/DFGSpeculativeJIT64.cpp:
2304         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
2305         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
2306         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
2307         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
2308         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
2309         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2310         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2311         (JSC::DFG::SpeculativeJIT::compile):
2312         (JSC::DFG::SpeculativeJIT::writeBarrier):
2313         * dfg/DFGWorklist.cpp:
2314         * ftl/FTLAbstractHeapRepository.cpp:
2315         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
2316         * ftl/FTLAbstractHeapRepository.h:
2317         * ftl/FTLLowerDFGToLLVM.cpp:
2318         (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
2319         (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
2320         (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
2321         (JSC::FTL::LowerDFGToLLVM::compileToString):
2322         (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
2323         (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
2324         (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
2325         (JSC::FTL::LowerDFGToLLVM::allocateCell):
2326         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
2327         (JSC::FTL::LowerDFGToLLVM::isObject):
2328         (JSC::FTL::LowerDFGToLLVM::isString):
2329         (JSC::FTL::LowerDFGToLLVM::isArrayType):
2330         (JSC::FTL::LowerDFGToLLVM::hasClassInfo):
2331         (JSC::FTL::LowerDFGToLLVM::isType):
2332         (JSC::FTL::LowerDFGToLLVM::speculateStringOrStringObject):
2333         (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForCell):
2334         (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
2335         (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
2336         (JSC::FTL::LowerDFGToLLVM::loadMarkByte):
2337         (JSC::FTL::LowerDFGToLLVM::loadStructure):
2338         (JSC::FTL::LowerDFGToLLVM::weakStructure):
2339         * ftl/FTLOSRExitCompiler.cpp:
2340         (JSC::FTL::compileStub):
2341         * ftl/FTLOutput.h:
2342         (JSC::FTL::Output::store8):
2343         * heap/GCAssertions.h:
2344         * heap/Heap.cpp:
2345         (JSC::Heap::getConservativeRegisterRoots):
2346         (JSC::Heap::collect):
2347         (JSC::Heap::writeBarrier):
2348         * heap/Heap.h:
2349         (JSC::Heap::structureIDTable):
2350         * heap/MarkedSpace.h:
2351         (JSC::MarkedSpace::forEachBlock):
2352         * heap/SlotVisitorInlines.h:
2353         (JSC::SlotVisitor::internalAppend):
2354         * jit/AssemblyHelpers.h:
2355         (JSC::AssemblyHelpers::branchIfCellNotObject):
2356         (JSC::AssemblyHelpers::genericWriteBarrier):
2357         (JSC::AssemblyHelpers::emitLoadStructure):
2358         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
2359         * jit/JIT.h:
2360         * jit/JITCall.cpp:
2361         (JSC::JIT::compileOpCall):
2362         (JSC::JIT::privateCompileClosureCall):
2363         * jit/JITCall32_64.cpp:
2364         (JSC::JIT::emit_op_ret_object_or_this):
2365         (JSC::JIT::compileOpCall):
2366         (JSC::JIT::privateCompileClosureCall):
2367         * jit/JITInlineCacheGenerator.cpp:
2368         (JSC::JITByIdGenerator::generateFastPathChecks):
2369         * jit/JITInlineCacheGenerator.h:
2370         * jit/JITInlines.h:
2371         (JSC::JIT::emitLoadCharacterString):
2372         (JSC::JIT::checkStructure):
2373         (JSC::JIT::emitJumpIfCellNotObject):
2374         (JSC::JIT::emitAllocateJSObject):
2375         (JSC::JIT::emitArrayProfilingSiteWithCell):
2376         (JSC::JIT::emitArrayProfilingSiteForBytecodeIndexWithCell):
2377         (JSC::JIT::branchStructure):
2378         (JSC::branchStructure):
2379         * jit/JITOpcodes.cpp:
2380         (JSC::JIT::emit_op_check_has_instance):
2381         (JSC::JIT::emit_op_instanceof):
2382         (JSC::JIT::emit_op_is_undefined):
2383         (JSC::JIT::emit_op_is_string):
2384         (JSC::JIT::emit_op_ret_object_or_this):
2385         (JSC::JIT::emit_op_to_primitive):
2386         (JSC::JIT::emit_op_jeq_null):
2387         (JSC::JIT::emit_op_jneq_null):
2388         (JSC::JIT::emit_op_get_pnames):
2389         (JSC::JIT::emit_op_next_pname):
2390         (JSC::JIT::emit_op_eq_null):
2391         (JSC::JIT::emit_op_neq_null):
2392         (JSC::JIT::emit_op_to_this):
2393         (JSC::JIT::emitSlow_op_to_this):
2394         * jit/JITOpcodes32_64.cpp:
2395         (JSC::JIT::emit_op_check_has_instance):
2396         (JSC::JIT::emit_op_instanceof):
2397         (JSC::JIT::emit_op_is_undefined):
2398         (JSC::JIT::emit_op_is_string):
2399         (JSC::JIT::emit_op_to_primitive):
2400         (JSC::JIT::emit_op_jeq_null):
2401         (JSC::JIT::emit_op_jneq_null):
2402         (JSC::JIT::emitSlow_op_eq):
2403         (JSC::JIT::emitSlow_op_neq):
2404         (JSC::JIT::compileOpStrictEq):
2405         (JSC::JIT::emit_op_eq_null):
2406         (JSC::JIT::emit_op_neq_null):
2407         (JSC::JIT::emit_op_get_pnames):
2408         (JSC::JIT::emit_op_next_pname):
2409         (JSC::JIT::emit_op_to_this):
2410         * jit/JITOperations.cpp:
2411         * jit/JITPropertyAccess.cpp:
2412         (JSC::JIT::stringGetByValStubGenerator):
2413         (JSC::JIT::emit_op_get_by_val):
2414         (JSC::JIT::emitSlow_op_get_by_val):
2415         (JSC::JIT::emit_op_get_by_pname):
2416         (JSC::JIT::emit_op_put_by_val):
2417         (JSC::JIT::emit_op_get_by_id):
2418         (JSC::JIT::emitLoadWithStructureCheck):
2419         (JSC::JIT::emitSlow_op_get_from_scope):
2420         (JSC::JIT::emitSlow_op_put_to_scope):
2421         (JSC::JIT::checkMarkWord):
2422         (JSC::JIT::emitWriteBarrier):
2423         (JSC::JIT::addStructureTransitionCheck):
2424         (JSC::JIT::emitIntTypedArrayGetByVal):
2425         (JSC::JIT::emitFloatTypedArrayGetByVal):
2426         (JSC::JIT::emitIntTypedArrayPutByVal):
2427         (JSC::JIT::emitFloatTypedArrayPutByVal):
2428         * jit/JITPropertyAccess32_64.cpp:
2429         (JSC::JIT::stringGetByValStubGenerator):
2430         (JSC::JIT::emit_op_get_by_val):
2431         (JSC::JIT::emitSlow_op_get_by_val):
2432         (JSC::JIT::emit_op_put_by_val):
2433         (JSC::JIT::emit_op_get_by_id):
2434         (JSC::JIT::emit_op_get_by_pname):
2435         (JSC::JIT::emitLoadWithStructureCheck):
2436         * jit/JSInterfaceJIT.h:
2437         (JSC::JSInterfaceJIT::emitJumpIfNotType):
2438         * jit/Repatch.cpp:
2439         (JSC::repatchByIdSelfAccess):
2440         (JSC::addStructureTransitionCheck):
2441         (JSC::replaceWithJump):
2442         (JSC::generateProtoChainAccessStub):
2443         (JSC::tryCacheGetByID):
2444         (JSC::tryBuildGetByIDList):
2445         (JSC::writeBarrier):
2446         (JSC::emitPutReplaceStub):
2447         (JSC::emitPutTransitionStub):
2448         (JSC::tryBuildPutByIdList):
2449         (JSC::tryRepatchIn):
2450         (JSC::linkClosureCall):
2451         (JSC::resetGetByID):
2452         (JSC::resetPutByID):
2453         * jit/SpecializedThunkJIT.h:
2454         (JSC::SpecializedThunkJIT::loadJSStringArgument):
2455         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
2456         * jit/ThunkGenerators.cpp:
2457         (JSC::virtualForThunkGenerator):
2458         (JSC::arrayIteratorNextThunkGenerator):
2459         * jit/UnusedPointer.h:
2460         * llint/LowLevelInterpreter.asm:
2461         * llint/LowLevelInterpreter32_64.asm:
2462         * llint/LowLevelInterpreter64.asm:
2463         * runtime/Arguments.cpp:
2464         (JSC::Arguments::createStrictModeCallerIfNecessary):
2465         (JSC::Arguments::createStrictModeCalleeIfNecessary):
2466         * runtime/Arguments.h:
2467         (JSC::Arguments::createStructure):
2468         * runtime/ArrayPrototype.cpp:
2469         (JSC::shift):
2470         (JSC::unshift):
2471         (JSC::arrayProtoFuncToString):
2472         (JSC::arrayProtoFuncPop):
2473         (JSC::arrayProtoFuncReverse):
2474         (JSC::performSlowSort):
2475         (JSC::arrayProtoFuncSort):
2476         (JSC::arrayProtoFuncSplice):
2477         (JSC::arrayProtoFuncUnShift):
2478         * runtime/CommonSlowPaths.cpp:
2479         (JSC::SLOW_PATH_DECL):
2480         * runtime/Executable.h:
2481         (JSC::ExecutableBase::isFunctionExecutable):
2482         (JSC::ExecutableBase::clearCodeVirtual):
2483         (JSC::ScriptExecutable::unlinkCalls):
2484         * runtime/GetterSetter.cpp:
2485         (JSC::callGetter):
2486         (JSC::callSetter):
2487         * runtime/InitializeThreading.cpp:
2488         * runtime/JSArray.cpp:
2489         (JSC::JSArray::unshiftCountSlowCase):
2490         (JSC::JSArray::setLength):
2491         (JSC::JSArray::pop):
2492         (JSC::JSArray::push):
2493         (JSC::JSArray::shiftCountWithArrayStorage):
2494         (JSC::JSArray::shiftCountWithAnyIndexingType):
2495         (JSC::JSArray::unshiftCountWithArrayStorage):
2496         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2497         (JSC::JSArray::sortNumericVector):
2498         (JSC::JSArray::sortNumeric):
2499         (JSC::JSArray::sortCompactedVector):
2500         (JSC::JSArray::sort):
2501         (JSC::JSArray::sortVector):
2502         (JSC::JSArray::fillArgList):
2503         (JSC::JSArray::copyToArguments):
2504         (JSC::JSArray::compactForSorting):
2505         * runtime/JSCJSValueInlines.h:
2506         (JSC::JSValue::toThis):
2507         (JSC::JSValue::put):
2508         (JSC::JSValue::putByIndex):
2509         (JSC::JSValue::equalSlowCaseInline):
2510         * runtime/JSCell.cpp:
2511         (JSC::JSCell::put):
2512         (JSC::JSCell::putByIndex):
2513         (JSC::JSCell::deleteProperty):
2514         (JSC::JSCell::deletePropertyByIndex):
2515         * runtime/JSCell.h:
2516         (JSC::JSCell::clearStructure):
2517         (JSC::JSCell::mark):
2518         (JSC::JSCell::isMarked):
2519         (JSC::JSCell::structureIDOffset):
2520         (JSC::JSCell::typeInfoFlagsOffset):
2521         (JSC::JSCell::typeInfoTypeOffset):
2522         (JSC::JSCell::indexingTypeOffset):
2523         (JSC::JSCell::gcDataOffset):
2524         * runtime/JSCellInlines.h:
2525         (JSC::JSCell::JSCell):
2526         (JSC::JSCell::finishCreation):
2527         (JSC::JSCell::type):
2528         (JSC::JSCell::indexingType):
2529         (JSC::JSCell::structure):
2530         (JSC::JSCell::visitChildren):
2531         (JSC::JSCell::isObject):
2532         (JSC::JSCell::isString):
2533         (JSC::JSCell::isGetterSetter):
2534         (JSC::JSCell::isProxy):
2535         (JSC::JSCell::isAPIValueWrapper):
2536         (JSC::JSCell::setStructure):
2537         (JSC::JSCell::methodTable):
2538         (JSC::Heap::writeBarrier):
2539         * runtime/JSDataView.cpp:
2540         (JSC::JSDataView::createStructure):
2541         * runtime/JSDestructibleObject.h:
2542         (JSC::JSCell::classInfo):
2543         * runtime/JSFunction.cpp:
2544         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2545         (JSC::JSFunction::put):
2546         (JSC::JSFunction::defineOwnProperty):
2547         * runtime/JSGenericTypedArrayView.h:
2548         (JSC::JSGenericTypedArrayView::createStructure):
2549         * runtime/JSObject.cpp:
2550         (JSC::getCallableObjectSlow):
2551         (JSC::JSObject::copyButterfly):
2552         (JSC::JSObject::visitButterfly):
2553         (JSC::JSFinalObject::visitChildren):
2554         (JSC::JSObject::getOwnPropertySlotByIndex):
2555         (JSC::JSObject::put):
2556         (JSC::JSObject::putByIndex):
2557         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
2558         (JSC::JSObject::enterDictionaryIndexingMode):
2559         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
2560         (JSC::JSObject::createInitialIndexedStorage):
2561         (JSC::JSObject::createInitialUndecided):
2562         (JSC::JSObject::createInitialInt32):
2563         (JSC::JSObject::createInitialDouble):
2564         (JSC::JSObject::createInitialContiguous):
2565         (JSC::JSObject::createArrayStorage):
2566         (JSC::JSObject::convertUndecidedToInt32):
2567         (JSC::JSObject::convertUndecidedToDouble):
2568         (JSC::JSObject::convertUndecidedToContiguous):
2569         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
2570         (JSC::JSObject::convertUndecidedToArrayStorage):
2571         (JSC::JSObject::convertInt32ToDouble):
2572         (JSC::JSObject::convertInt32ToContiguous):
2573         (JSC::JSObject::convertInt32ToArrayStorage):
2574         (JSC::JSObject::genericConvertDoubleToContiguous):
2575         (JSC::JSObject::convertDoubleToArrayStorage):
2576         (JSC::JSObject::convertContiguousToArrayStorage):
2577         (JSC::JSObject::ensureInt32Slow):
2578         (JSC::JSObject::ensureDoubleSlow):
2579         (JSC::JSObject::ensureContiguousSlow):
2580         (JSC::JSObject::ensureArrayStorageSlow):
2581         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
2582         (JSC::JSObject::switchToSlowPutArrayStorage):
2583         (JSC::JSObject::setPrototype):
2584         (JSC::JSObject::setPrototypeWithCycleCheck):
2585         (JSC::JSObject::putDirectNonIndexAccessor):
2586         (JSC::JSObject::deleteProperty):
2587         (JSC::JSObject::hasOwnProperty):
2588         (JSC::JSObject::deletePropertyByIndex):
2589         (JSC::JSObject::getPrimitiveNumber):
2590         (JSC::JSObject::hasInstance):
2591         (JSC::JSObject::getPropertySpecificValue):
2592         (JSC::JSObject::getPropertyNames):
2593         (JSC::JSObject::getOwnPropertyNames):
2594         (JSC::JSObject::getOwnNonIndexPropertyNames):
2595         (JSC::JSObject::seal):
2596         (JSC::JSObject::freeze):
2597         (JSC::JSObject::preventExtensions):
2598         (JSC::JSObject::reifyStaticFunctionsForDelete):
2599         (JSC::JSObject::removeDirect):
2600         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2601         (JSC::JSObject::putByIndexBeyondVectorLength):
2602         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
2603         (JSC::JSObject::putDirectIndexBeyondVectorLength):
2604         (JSC::JSObject::getNewVectorLength):
2605         (JSC::JSObject::countElements):
2606         (JSC::JSObject::increaseVectorLength):
2607         (JSC::JSObject::ensureLengthSlow):
2608         (JSC::JSObject::growOutOfLineStorage):
2609         (JSC::JSObject::getOwnPropertyDescriptor):
2610         (JSC::putDescriptor):
2611         (JSC::JSObject::defineOwnNonIndexProperty):
2612         * runtime/JSObject.h:
2613         (JSC::getJSFunction):
2614         (JSC::JSObject::getArrayLength):
2615         (JSC::JSObject::getVectorLength):
2616         (JSC::JSObject::putByIndexInline):
2617         (JSC::JSObject::canGetIndexQuickly):
2618         (JSC::JSObject::getIndexQuickly):
2619         (JSC::JSObject::tryGetIndexQuickly):
2620         (JSC::JSObject::getDirectIndex):
2621         (JSC::JSObject::canSetIndexQuickly):
2622         (JSC::JSObject::canSetIndexQuicklyForPutDirect):
2623         (JSC::JSObject::setIndexQuickly):
2624         (JSC::JSObject::initializeIndex):
2625         (JSC::JSObject::hasSparseMap):
2626         (JSC::JSObject::inSparseIndexingMode):
2627         (JSC::JSObject::getDirect):
2628         (JSC::JSObject::getDirectOffset):
2629         (JSC::JSObject::isSealed):
2630         (JSC::JSObject::isFrozen):
2631         (JSC::JSObject::flattenDictionaryObject):
2632         (JSC::JSObject::ensureInt32):
2633         (JSC::JSObject::ensureDouble):
2634         (JSC::JSObject::ensureContiguous):
2635         (JSC::JSObject::rageEnsureContiguous):
2636         (JSC::JSObject::ensureArrayStorage):
2637         (JSC::JSObject::arrayStorage):
2638         (JSC::JSObject::arrayStorageOrNull):
2639         (JSC::JSObject::ensureLength):
2640         (JSC::JSObject::currentIndexingData):
2641         (JSC::JSObject::getHolyIndexQuickly):
2642         (JSC::JSObject::currentRelevantLength):
2643         (JSC::JSObject::isGlobalObject):
2644         (JSC::JSObject::isVariableObject):
2645         (JSC::JSObject::isStaticScopeObject):
2646         (JSC::JSObject::isNameScopeObject):
2647         (JSC::JSObject::isActivationObject):
2648         (JSC::JSObject::isErrorInstance):
2649         (JSC::JSObject::inlineGetOwnPropertySlot):
2650         (JSC::JSObject::fastGetOwnPropertySlot):
2651         (JSC::JSObject::getPropertySlot):
2652         (JSC::JSObject::putDirectInternal):
2653         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
2654         * runtime/JSPropertyNameIterator.h:
2655         (JSC::JSPropertyNameIterator::createStructure):
2656         * runtime/JSProxy.cpp:
2657         (JSC::JSProxy::getOwnPropertySlot):
2658         (JSC::JSProxy::getOwnPropertySlotByIndex):
2659         (JSC::JSProxy::put):
2660         (JSC::JSProxy::putByIndex):
2661         (JSC::JSProxy::defineOwnProperty):
2662         (JSC::JSProxy::deleteProperty):
2663         (JSC::JSProxy::deletePropertyByIndex):
2664         (JSC::JSProxy::getPropertyNames):
2665         (JSC::JSProxy::getOwnPropertyNames):
2666         * runtime/JSScope.cpp:
2667         (JSC::JSScope::objectAtScope):
2668         * runtime/JSString.h:
2669         (JSC::JSString::createStructure):
2670         (JSC::isJSString):
2671         * runtime/JSType.h:
2672         * runtime/JSTypeInfo.h:
2673         (JSC::TypeInfo::TypeInfo):
2674         (JSC::TypeInfo::isObject):
2675         (JSC::TypeInfo::structureIsImmortal):
2676         (JSC::TypeInfo::zeroedGCDataOffset):
2677         (JSC::TypeInfo::inlineTypeFlags):
2678         * runtime/MapData.h:
2679         * runtime/ObjectConstructor.cpp:
2680         (JSC::objectConstructorGetOwnPropertyNames):
2681         (JSC::objectConstructorKeys):
2682         (JSC::objectConstructorDefineProperty):
2683         (JSC::defineProperties):
2684         (JSC::objectConstructorSeal):
2685         (JSC::objectConstructorFreeze):
2686         (JSC::objectConstructorIsSealed):
2687         (JSC::objectConstructorIsFrozen):
2688         * runtime/ObjectPrototype.cpp:
2689         (JSC::objectProtoFuncDefineGetter):
2690         (JSC::objectProtoFuncDefineSetter):
2691         (JSC::objectProtoFuncToString):
2692         * runtime/Operations.cpp:
2693         (JSC::jsTypeStringForValue):
2694         (JSC::jsIsObjectType):
2695         * runtime/Operations.h:
2696         (JSC::normalizePrototypeChainForChainAccess):
2697         (JSC::normalizePrototypeChain):
2698         * runtime/PropertyMapHashTable.h:
2699         (JSC::PropertyTable::createStructure):
2700         * runtime/RegExp.h:
2701         (JSC::RegExp::createStructure):
2702         * runtime/SparseArrayValueMap.h:
2703         * runtime/Structure.cpp:
2704         (JSC::Structure::Structure):
2705         (JSC::Structure::~Structure):
2706         (JSC::Structure::prototypeChainMayInterceptStoreTo):
2707         * runtime/Structure.h:
2708         (JSC::Structure::id):
2709         (JSC::Structure::idBlob):
2710         (JSC::Structure::objectInitializationFields):
2711         (JSC::Structure::structureIDOffset):
2712         * runtime/StructureChain.h:
2713         (JSC::StructureChain::createStructure):
2714         * runtime/StructureIDTable.cpp: Added.
2715         (JSC::StructureIDTable::StructureIDTable):
2716         (JSC::StructureIDTable::~StructureIDTable):
2717         (JSC::StructureIDTable::resize):
2718         (JSC::StructureIDTable::flushOldTables):
2719         (JSC::StructureIDTable::allocateID):
2720         (JSC::StructureIDTable::deallocateID):
2721         * runtime/StructureIDTable.h: Added.
2722         (JSC::StructureIDTable::base):
2723         (JSC::StructureIDTable::get):
2724         * runtime/SymbolTable.h:
2725         * runtime/TypedArrayType.cpp:
2726         (JSC::typeForTypedArrayType):
2727         * runtime/TypedArrayType.h:
2728         * runtime/WeakMapData.h:
2729
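        The cell layout described in the entry above, as an added illustration that is not
        JavaScriptCore code: a 64-bit header holding a 32-bit StructureID that indexes a
        per-VM table of Structure pointers, with the freed 32 bits carrying the indexing
        type, JSType, type flags and GC mark data. The field order, the free-list reuse of
        IDs, and the Structure fields are assumptions; the 64-bit case is modelled, since
        the entry says 32-bit platforms keep full pointers.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <vector>

using StructureID = uint32_t;

// Stand-in for JSC::Structure with only the inline type info this example needs.
// (Assumed shape; the real class carries far more state.)
struct Structure {
    uint8_t indexingType;
    uint8_t jsType;
    uint8_t typeFlags;
    StructureID id;   // assigned when the structure is registered in the table
};

// Model of the per-VM StructureIDTable: StructureID -> Structure*. ID 0 is
// reserved as "no structure"; deallocated IDs go on a free list for reuse
// (assumed policy, mirroring the allocateID/deallocateID entry points above).
class StructureIDTable {
public:
    StructureIDTable() : m_table(1, nullptr) {}

    StructureID allocateID(Structure* structure) {
        StructureID id;
        if (!m_freeList.empty()) {
            id = m_freeList.back();
            m_freeList.pop_back();
            m_table[id] = structure;
        } else {
            id = static_cast<StructureID>(m_table.size());
            m_table.push_back(structure);
        }
        structure->id = id;
        return id;
    }

    void deallocateID(StructureID id) {
        assert(id != 0 && id < m_table.size());
        m_table[id] = nullptr;
        m_freeList.push_back(id);
    }

    // The extra indirection the entry mentions: every real Structure access
    // goes through the VM's table. A bounds check keeps a bad ID from reading
    // past the table instead of silently yielding garbage.
    Structure* get(StructureID id) const {
        assert(id < m_table.size());
        return m_table[id];
    }

    size_t size() const { return m_table.size(); }

private:
    std::vector<Structure*> m_table;
    std::vector<StructureID> m_freeList;
};

// 64-bit cell header: the 32-bit ID plus four one-byte fields in the space a
// full pointer used to occupy. Byte order is an assumption of this example.
struct CellHeader {
    StructureID structureID;
    uint8_t indexingType;
    uint8_t jsType;
    uint8_t typeFlags;
    uint8_t gcData;   // low bit used as the mark bit here
};
static_assert(sizeof(CellHeader) == 8, "header must stay 64 bits");

struct JSCell {
    CellHeader header;

    // Store the ID and copy the structure's inline type info into the header so
    // type checks (isObject, isString, ...) read the cell and skip the table.
    void setStructure(const Structure* s) {
        header.structureID = s->id;
        header.indexingType = s->indexingType;
        header.jsType = s->jsType;
        header.typeFlags = s->typeFlags;
    }

    Structure* structure(const StructureIDTable& table) const {
        return table.get(header.structureID);
    }

    bool isMarked() const { return (header.gcData & 1) != 0; }
    void mark() { header.gcData |= 1; }
};
```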
2730 2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>
2731
2732         Unconditional logging in compileFTLOSRExit
2733         https://bugs.webkit.org/show_bug.cgi?id=129407
2734
2735         Reviewed by Michael Saboff.
2736
2737         This was causing tests to fail with the FTL enabled.
2738
2739         * ftl/FTLOSRExitCompiler.cpp:
2740         (JSC::FTL::compileFTLOSRExit):
2741
2742 2014-02-26  Oliver Hunt  <oliver@apple.com>
2743
2744         Remove unused access types
2745         https://bugs.webkit.org/show_bug.cgi?id=129385
2746
2747         Reviewed by Filip Pizlo.
2748
2749         Remove unused cruft.
2750
2751         * bytecode/CodeBlock.cpp:
2752         (JSC::CodeBlock::printGetByIdCacheStatus):
2753         * bytecode/StructureStubInfo.cpp:
2754         (JSC::StructureStubInfo::deref):
2755         * bytecode/StructureStubInfo.h:
2756         (JSC::isGetByIdAccess):
2757         (JSC::isPutByIdAccess):
2758
2759 2014-02-26  Oliver Hunt  <oliver@apple.com>
2760
2761         Function.prototype.apply has a bad time with the spread operator
2762         https://bugs.webkit.org/show_bug.cgi?id=129381
2763
2764         Reviewed by Mark Hahnenberg.
2765
2766         Make sure our apply logic handles the spread operator correctly.
2767         To do this we simply emit the enumeration logic that we'd normally
2768         use for other enumerations, but only store the first two results
2769         to registers.  Then perform a varargs call.
2770
2771         * bytecompiler/NodesCodegen.cpp:
2772         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2773
2774 2014-02-26  Mark Lam  <mark.lam@apple.com>
2775
2776         Compilation policy management belongs in operationOptimize(), not the DFG Driver.
2777         <https://webkit.org/b/129355>
2778
2779         Reviewed by Filip Pizlo.
2780
2781         By compilation policy, I mean the rules for determining whether to
2782         compile, when to compile, when to attempt compilation again, etc.  The
2783         few of these policy decisions that were previously being made in the
2784         DFG driver are now moved to operationOptimize() where we keep the rest
2785         of the policy logic.  Decisions that are based on the capabilities
2786         supported by the DFG are moved to DFG capabilityLevel().
2787
2788         I've run the following benchmarks:
2789         1. the collection of jsc benchmarks on the jsc executable vs. its
2790            baseline.
2791         2. Octane 2.0 in browser without the WebInspector.
2792         3. Octane 2.0 in browser with the WebInspector open and a breakpoint
2793            set somewhere where it won't break.
2794
2795         In all of these, the results came out to be a wash as expected.
2796
2797         * dfg/DFGCapabilities.cpp:
2798         (JSC::DFG::isSupported):
2799         (JSC::DFG::mightCompileEval):
2800         (JSC::DFG::mightCompileProgram):
2801         (JSC::DFG::mightCompileFunctionForCall):
2802         (JSC::DFG::mightCompileFunctionForConstruct):
2803         (JSC::DFG::mightInlineFunctionForCall):
2804         (JSC::DFG::mightInlineFunctionForClosureCall):
2805         (JSC::DFG::mightInlineFunctionForConstruct):
2806         * dfg/DFGCapabilities.h:
2807         * dfg/DFGDriver.cpp:
2808         (JSC::DFG::compileImpl):
2809         * jit/JITOperations.cpp:
2810
2811 2014-02-26  Mark Lam  <mark.lam@apple.com>
2812
2813         ASSERTION FAILED: m_heap->vm()->currentThreadIsHoldingAPILock() in inspector-protocol/*.
2814         <https://webkit.org/b/129364>
2815
2816         Reviewed by Alexey Proskuryakov.
2817
2818         InjectedScriptModule::ensureInjected() needs an APIEntryShim.
2819
2820         * inspector/InjectedScriptModule.cpp:
2821         (Inspector::InjectedScriptModule::ensureInjected):
2822         - Added the needed but missing APIEntryShim.
2823
2824 2014-02-25  Mark Lam  <mark.lam@apple.com>
2825
2826         Web Inspector: CRASH when evaluating in console of JSContext RWI with disabled breakpoints.
2827         <https://webkit.org/b/128766>
2828
2829         Reviewed by Geoffrey Garen.
2830
2831         Make the JSLock::grabAllLocks() work the same way as for the C loop LLINT.
2832         The reasoning is that we don't know of any clients that need unordered
2833         re-entry into the VM from different threads. So, we're enforcing ordered
2834         re-entry i.e. we must re-grab locks in the reverse order of dropping locks.
2835
2836         The crash in this bug happened because we were allowing unordered re-entry,
2837         and the following type of scenario occurred:
2838
2839         1. Thread T1 locks the VM, and enters the VM to execute some JS code.
2840         2. On entry, T1 detects that VM::m_entryScope is null i.e. this is the
2841            first time it entered the VM.
2842            T1 sets VM::m_entryScope to T1's entryScope.
2843         3. T1 drops all locks.
2844
2845         4. Thread T2 locks the VM, and enters the VM to execute some JS code.
2846            On entry, T2 sees that VM::m_entryScope is NOT null, and therefore
2847            does not set the entryScope.
2848         5. T2 drops all locks.
2849
2850         6. T1 re-grabs locks.
2851         7. T1 returns all the way out of JS code. On exit from the outermost
2852            JS function, T1 clears VM::m_entryScope (because T1 was the one who
2853            set it).
2854         8. T1 unlocks the VM.
2855
2856         9. T2 re-grabs locks.
2857         10. T2 proceeds to execute some code and expects VM::m_entryScope to be
2858             NOT null, but it turns out to be null. Assertion failures and
2859             crashes ensue.
2860
2861         With ordered re-entry, at step 6, T1 will loop and yield until T2 exits
2862         the VM. Hence, the issue will no longer manifest.
2863
2864         * runtime/JSLock.cpp:
2865         (JSC::JSLock::dropAllLocks):
2866         (JSC::JSLock::grabAllLocks):
2867         * runtime/JSLock.h:
2868         (JSC::JSLock::DropAllLocks::dropDepth):
2869
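An added illustration (not WebKit code) of the ordered re-entry rule this entry describes: a single-threaded model in which dropAllLocks() records a drop depth and grabAllLocks() may only succeed once every later dropper has re-entered, replayed against the ten-step interleaving above. VM, Thread, enterVM, exitVM, dropAllLocks, tryGrabAllLocks, runSomeJS and replayScenario are assumed names; the real JSLock blocks and yields in a loop rather than handing control to a cooperative scheduler.

```cpp
#include <cassert>
#include <cstdio>

// Models only the VM/JSLock state the scenario depends on.
// Assumed names; this is an illustration, not JavaScriptCore's implementation.
struct VM {
    const char* entryScope = nullptr; // stands in for VM::m_entryScope
    bool locked = false;              // is the JSLock currently held
    unsigned lockDropDepth = 0;       // number of outstanding dropAllLocks() calls
    bool orderedReentry = true;       // false models the behaviour before this fix
};

// Per-thread bookkeeping: the depth recorded when this thread dropped its locks
// (the role of JSLock::DropAllLocks::dropDepth() in the real code).
struct Thread {
    const char* name;
    bool setEntryScope = false;
    unsigned dropDepth = 0;
    bool sawNullEntryScope = false; // set when the thread hits the bug's assertion
    explicit Thread(const char* n) : name(n) { }
};

// Steps 1/2 and 4: lock the VM and enter it; the first thread in owns the entry scope.
void enterVM(VM& vm, Thread& t)
{
    assert(!vm.locked);
    vm.locked = true;
    if (!vm.entryScope) {
        vm.entryScope = t.name;
        t.setEntryScope = true;
    }
}

// Steps 3 and 5: release the lock, remembering our position in the drop order.
void dropAllLocks(VM& vm, Thread& t)
{
    assert(vm.locked);
    t.dropDepth = vm.lockDropDepth++;
    vm.locked = false;
}

// Steps 6 and 9: re-acquire the lock. With ordered re-entry a thread may only
// re-grab when it is the most recent outstanding dropper (everyone who dropped
// after it has already re-grabbed); otherwise the caller must yield and retry.
bool tryGrabAllLocks(VM& vm, Thread& t)
{
    if (vm.locked)
        return false;
    if (vm.orderedReentry && vm.lockDropDepth != t.dropDepth + 1)
        return false;
    vm.lockDropDepth--;
    vm.locked = true;
    return true;
}

// Step 10: code running inside the VM relies on the entry scope being set.
void runSomeJS(VM& vm, Thread& t)
{
    assert(vm.locked);
    if (!vm.entryScope)
        t.sawNullEntryScope = true; // the ASSERT/crash from the bug report
}

// Steps 7/8: leave the VM; only the thread that set the entry scope clears it.
void exitVM(VM& vm, Thread& t)
{
    assert(vm.locked);
    if (t.setEntryScope)
        vm.entryScope = nullptr;
    vm.locked = false;
}

// Replays the interleaving from the bug report under either policy.
// Returns true if T2 observed a null entry scope (the crash), false otherwise.
bool replayScenario(bool orderedReentry)
{
    VM vm;
    vm.orderedReentry = orderedReentry;
    Thread t1("T1");
    Thread t2("T2");

    enterVM(vm, t1);      // steps 1-2: T1 sets m_entryScope
    dropAllLocks(vm, t1); // step 3
    enterVM(vm, t2);      // step 4: entry scope already set, T2 leaves it alone
    dropAllLocks(vm, t2); // step 5

    if (tryGrabAllLocks(vm, t1)) {
        // Unordered re-entry lets T1 back in first (steps 6-8)...
        exitVM(vm, t1); // clears m_entryScope
        bool grabbed = tryGrabAllLocks(vm, t2); // step 9
        assert(grabbed);
        runSomeJS(vm, t2); // step 10: entry scope is gone
        exitVM(vm, t2);
    } else {
        // ...whereas ordered re-entry makes T1 yield until T2 has finished.
        bool grabbed = tryGrabAllLocks(vm, t2);
        assert(grabbed);
        runSomeJS(vm, t2); // entry scope still belongs to T1
        exitVM(vm, t2);
        grabbed = tryGrabAllLocks(vm, t1);
        assert(grabbed);
        exitVM(vm, t1);
    }
    return t2.sawNullEntryScope;
}

int main()
{
    std::printf("unordered re-entry crashes: %s\n", replayScenario(false) ? "yes" : "no");
    std::printf("ordered re-entry crashes:   %s\n", replayScenario(true) ? "yes" : "no");
    return 0;
}
```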
2870 2014-02-25  Mark Lam  <mark.lam@apple.com>
2871
2872         Need to initialize VM stack data even when the VM is on an exclusive thread.
2873         <https://webkit.org/b/129265>
2874
2875         Not reviewed.
2876
2877         Relanding r164627 now that <https://webkit.org/b/129341> is fixed.
2878
2879         * API/APIShims.h:
2880         (JSC::APIEntryShim::APIEntryShim):
2881         (JSC::APICallbackShim::shouldDropAllLocks):
2882         * heap/MachineStackMarker.cpp:
2883         (JSC::MachineThreads::addCurrentThread):
2884         * runtime/JSLock.cpp:
2885         (JSC::JSLockHolder::JSLockHolder):
2886         (JSC::JSLockHolder::init):
2887         (JSC::JSLockHolder::~JSLockHolder):
2888         (JSC::JSLock::JSLock):
2889         (JSC::JSLock::setExclusiveThread):
2890         (JSC::JSLock::lock):
2891         (JSC::JSLock::unlock):
2892         (JSC::JSLock::currentThreadIsHoldingLock):
2893         (JSC::JSLock::dropAllLocks):
2894         (JSC::JSLock::grabAllLocks):
2895         * runtime/JSLock.h:
2896         (JSC::JSLock::hasExclusiveThread):
2897         (JSC::JSLock::exclusiveThread):
2898         * runtime/VM.cpp:
2899         (JSC::VM::VM):
2900         * runtime/VM.h:
2901         (JSC::VM::hasExclusiveThread):
2902         (JSC::VM::exclusiveThread):
2903         (JSC::VM::setExclusiveThread):
2904         (JSC::VM::currentThreadIsHoldingAPILock):
2905
2906 2014-02-25  Filip Pizlo  <fpizlo@apple.com>
2907
2908         Inline caching in the FTL on ARM64 should "work"
2909         https://bugs.webkit.org/show_bug.cgi?id=129334
2910
2911         Reviewed by Mark Hahnenberg.
2912         
2913         Gets us to the point where simple tests that use inline caching are passing.
2914
2915         * assembler/LinkBuffer.cpp:
2916         (JSC::LinkBuffer::copyCompactAndLinkCode):
2917         (JSC::LinkBuffer::shrink):
2918         * ftl/FTLInlineCacheSize.cpp:
2919         (JSC::FTL::sizeOfGetById):
2920         (JSC::FTL::sizeOfPutById):
2921         (JSC::FTL::sizeOfCall):
2922         * ftl/FTLOSRExitCompiler.cpp:
2923         (JSC::FTL::compileFTLOSRExit):
2924         * ftl/FTLThunks.cpp:
2925         (JSC::FTL::osrExitGenerationThunkGenerator):
2926         * jit/GPRInfo.h:
2927         * offlineasm/arm64.rb:
2928
2929 2014-02-25  Commit Queue  <commit-queue@webkit.org>
2930
2931         Unreviewed, rolling out r164627.
2932         http://trac.webkit.org/changeset/164627
2933         https://bugs.webkit.org/show_bug.cgi?id=129325
2934
2935         Broke SubtleCrypto tests (Requested by ap on #webkit).
2936
2937         * API/APIShims.h:
2938         (JSC::APIEntryShim::APIEntryShim):
2939         (JSC::APICallbackShim::shouldDropAllLocks):
2940         * heap/MachineStackMarker.cpp:
2941         (JSC::MachineThreads::addCurrentThread):
2942         * runtime/JSLock.cpp:
2943         (JSC::JSLockHolder::JSLockHolder):
2944         (JSC::JSLockHolder::init):
2945         (JSC::JSLockHolder::~JSLockHolder):
2946         (JSC::JSLock::JSLock):
2947         (JSC::JSLock::lock):
2948         (JSC::JSLock::unlock):
2949         (JSC::JSLock::currentThreadIsHoldingLock):
2950         (JSC::JSLock::dropAllLocks):
2951         (JSC::JSLock::grabAllLocks):
2952         * runtime/JSLock.h:
2953         * runtime/VM.cpp:
2954         (JSC::VM::VM):
2955         * runtime/VM.h:
2956         (JSC::VM::currentThreadIsHoldingAPILock):
2957
2958 2014-02-25  Filip Pizlo  <fpizlo@apple.com>
2959
2960         ARM64 rshift64 should be an arithmetic shift
2961         https://bugs.webkit.org/show_bug.cgi?id=129323
2962
2963         Reviewed by Mark Hahnenberg.
2964
2965         * assembler/MacroAssemblerARM64.h:
2966         (JSC::MacroAssemblerARM64::rshift64):
2967
2968 2014-02-25  Sergio Villar Senin  <svillar@igalia.com>
2969
2970         [CSS Grid Layout] Add ENABLE flag
2971         https://bugs.webkit.org/show_bug.cgi?id=129153
2972
2973         Reviewed by Simon Fraser.
2974
2975         * Configurations/FeatureDefines.xcconfig: added ENABLE_CSS_GRID_LAYOUT feature flag.
2976
2977 2014-02-25  Michael Saboff  <msaboff@apple.com>
2978
2979         JIT Engines use the wrong stack limit for stack checks
2980         https://bugs.webkit.org/show_bug.cgi?id=129314
2981
2982         Reviewed by Filip Pizlo.
2983
2984         Change the Baseline and DFG code to use VM::m_stackLimit for stack limit checks.
2985
2986         * dfg/DFGJITCompiler.cpp:
2987         (JSC::DFG::JITCompiler::compileFunction):
2988         * jit/JIT.cpp:
2989         (JSC::JIT::privateCompile):
2990         * jit/JITCall.cpp:
2991         (JSC::JIT::compileLoadVarargs):
2992         * jit/JITCall32_64.cpp:
2993         (JSC::JIT::compileLoadVarargs):
2994         * runtime/VM.h:
2995         (JSC::VM::addressOfStackLimit):
2996
2997 2014-02-25  Filip Pizlo  <fpizlo@apple.com>
2998
2999         Unreviewed, roll out http://trac.webkit.org/changeset/164493.
3000         
3001         It causes crashes, apparently because it's removing too many barriers. I will investigate
3002         later.
3003
3004         * bytecode/SpeculatedType.cpp:
3005         (JSC::speculationToAbbreviatedString):
3006         * bytecode/SpeculatedType.h:
3007         * dfg/DFGFixupPhase.cpp:
3008         (JSC::DFG::FixupPhase::fixupNode):
3009         (JSC::DFG::FixupPhase::insertStoreBarrier):
3010         * dfg/DFGNode.h:
3011         * ftl/FTLCapabilities.cpp:
3012         (JSC::FTL::canCompile):
3013         * ftl/FTLLowerDFGToLLVM.cpp:
3014         (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
3015         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
3016         (JSC::FTL::LowerDFGToLLVM::isNotNully):
3017         (JSC::FTL::LowerDFGToLLVM::isNully):
3018         (JSC::FTL::LowerDFGToLLVM::speculate):
3019         (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
3020         (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
3021
3022 2014-02-24  Oliver Hunt  <oliver@apple.com>
3023
3024         Fix build.
3025
3026         * jit/CCallHelpers.h:
3027         (JSC::CCallHelpers::setupArgumentsWithExecState):
3028
3029 2014-02-24  Oliver Hunt  <oliver@apple.com>
3030
3031         Spread operator has a bad time when applied to call function
3032         https://bugs.webkit.org/show_bug.cgi?id=128853
3033
3034         Reviewed by Geoffrey Garen.
3035
3036         Follow on from the previous patch that added an extra slot to
3037         op_call_varargs (and _call, _call_eval, _construct).  We now
3038         use the slot as an offset to in effect act as a 'slice' on
3039         the spread subject.  This allows us to automatically retain
3040         all our existing argument and array optimisations.  Most of
3041         this patch is simply threading the offset around.
3042
3043         * bytecode/CodeBlock.cpp:
3044         (JSC::CodeBlock::dumpBytecode):
3045         * bytecompiler/BytecodeGenerator.cpp:
3046         (JSC::BytecodeGenerator::emitCall):
3047         (JSC::BytecodeGenerator::emitCallVarargs):
3048         * bytecompiler/BytecodeGenerator.h:
3049         * bytecompiler/NodesCodegen.cpp:
3050         (JSC::getArgumentByVal):
3051         (JSC::CallFunctionCallDotNode::emitBytecode):
3052         (JSC::ApplyFunctionCallDotNode::emitBytecode):
3053         * interpreter/Interpreter.cpp:
3054         (JSC::sizeFrameForVarargs):
3055         (JSC::loadVarargs):
3056         * interpreter/Interpreter.h:
3057         * jit/CCallHelpers.h:
3058         (JSC::CCallHelpers::setupArgumentsWithExecState):
3059         * jit/JIT.h:
3060         * jit/JITCall.cpp:
3061         (JSC::JIT::compileLoadVarargs):
3062         * jit/JITInlines.h:
3063         (JSC::JIT::callOperation):
3064         * jit/JITOperations.cpp:
3065         * jit/JITOperations.h:
3066         * llint/LLIntSlowPaths.cpp:
3067         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3068         * runtime/Arguments.cpp:
3069         (JSC::Arguments::copyToArguments):
3070         * runtime/Arguments.h:
3071         * runtime/JSArray.cpp:
3072         (JSC::JSArray::copyToArguments):
3073         * runtime/JSArray.h:
3074
3075 2014-02-24  Mark Lam  <mark.lam@apple.com>
3076
3077         Need to initialize VM stack data even when the VM is on an exclusive thread.
3078         <https://webkit.org/b/129265>
3079
3080         Reviewed by Geoffrey Garen.
3081
3082         We check VM::exclusiveThread as an optimization to forego the need to do
3083         JSLock locking. However, we recently started piggybacking on JSLock's
3084         lock() and unlock() to initialize VM stack data (stackPointerAtVMEntry
3085         and lastStackTop) to appropriate values for the current thread. This is
3086         needed because we may be acquiring the lock to enter the VM on a different
3087         thread.
3088
3089         As a result, we ended up not initializing the VM stack data when
3090         VM::exclusiveThread causes us to bypass the locking activity. Even though
3091         the VM::exclusiveThread will not have to deal with the VM being entered
3092         on a different thread, it still needs to initialize the VM stack data.
3093         The VM relies on that data being initialized properly once it has been
3094         entered.
3095
3096         With this fix, we push the check for exclusiveThread down into the JSLock,
3097         and handle the bypassing of unneeded locking activity there while still
3098         executing the necessary VM stack data initialization.
3099
3100         * API/APIShims.h:
3101         (JSC::APIEntryShim::APIEntryShim):
3102         (JSC::APICallbackShim::shouldDropAllLocks):
3103         * heap/MachineStackMarker.cpp:
3104         (JSC::MachineThreads::addCurrentThread):
3105         * runtime/JSLock.cpp:
3106         (JSC::JSLockHolder::JSLockHolder):
3107         (JSC::JSLockHolder::init):
3108         (JSC::JSLockHolder::~JSLockHolder):
3109         (JSC::JSLock::JSLock):
3110         (JSC::JSLock::setExclusiveThread):
3111         (JSC::JSLock::lock):
3112         (JSLock::unlock):
3113         (JSLock::currentThreadIsHoldingLock):
3114         (JSLock::dropAllLocks):
3115         (JSLock::grabAllLocks):
3116         * runtime/JSLock.h:
3117         (JSC::JSLock::exclusiveThread):
3118         * runtime/VM.cpp:
3119         (JSC::VM::VM):
3120         * runtime/VM.h:
3121         (JSC::VM::exclusiveThread):
3122         (JSC::VM::setExclusiveThread):
3123         (JSC::VM::currentThreadIsHoldingAPILock):
3124
3125 2014-02-24  Filip Pizlo  <fpizlo@apple.com>
3126
3127         FTL should do polymorphic PutById inlining
3128         https://bugs.webkit.org/show_bug.cgi?id=129210
3129
3130         Reviewed by Mark Hahnenberg and Oliver Hunt.
3131         
3132         This makes PutByIdStatus inform us about polymorphic cases by returning an array of
3133         PutByIdVariants. The DFG now has a node called MultiPutByOffset that indicates a
3134         selection of multiple inlined PutByIdVariants.
3135         
3136         MultiPutByOffset is almost identical to MultiGetByOffset, which we added in
3137         http://trac.webkit.org/changeset/164207.
3138         
3139         This also does some FTL refactoring to make MultiPutByOffset share code with some nodes
3140         that generate similar code.
3141         
3142         1% speed-up on V8v7 due to splay improving by 6.8%. Splay does the thing where it
3143         sometimes swaps field insertion order, creating fake polymorphism.
3144
3145         * CMakeLists.txt:
3146         * GNUmakefile.list.am:
3147         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3148         * JavaScriptCore.xcodeproj/project.pbxproj:
3149         * bytecode/PutByIdStatus.cpp:
3150         (JSC::PutByIdStatus::computeFromLLInt):
3151         (JSC::PutByIdStatus::computeFor):
3152         (JSC::PutByIdStatus::computeForStubInfo):
3153         (JSC::PutByIdStatus::dump):
3154         * bytecode/PutByIdStatus.h:
3155         (JSC::PutByIdStatus::PutByIdStatus):
3156         (JSC::PutByIdStatus::isSimple):
3157         (JSC::PutByIdStatus::numVariants):
3158         (JSC::PutByIdStatus::variants):
3159         (JSC::PutByIdStatus::at):
3160         (JSC::PutByIdStatus::operator[]):
3161         * bytecode/PutByIdVariant.cpp: Added.
3162         (JSC::PutByIdVariant::dump):
3163         (JSC::PutByIdVariant::dumpInContext):
3164         * bytecode/PutByIdVariant.h: Added.
3165         (JSC::PutByIdVariant::PutByIdVariant):
3166         (JSC::PutByIdVariant::replace):
3167         (JSC::PutByIdVariant::transition):
3168         (JSC::PutByIdVariant::kind):
3169         (JSC::PutByIdVariant::isSet):
3170         (JSC::PutByIdVariant::operator!):
3171         (JSC::PutByIdVariant::structure):
3172         (JSC::PutByIdVariant::oldStructure):
3173         (JSC::PutByIdVariant::newStructure):
3174         (JSC::PutByIdVariant::structureChain):
3175         (JSC::PutByIdVariant::offset):
3176         * dfg/DFGAbstractInterpreterInlines.h:
3177         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3178         * dfg/DFGByteCodeParser.cpp:
3179         (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
3180         (JSC::DFG::ByteCodeParser::handleGetById):
3181         (JSC::DFG::ByteCodeParser::emitPutById):
3182         (JSC::DFG::ByteCodeParser::handlePutById):
3183         (JSC::DFG::ByteCodeParser::parseBlock):
3184         * dfg/DFGCSEPhase.cpp:
3185         (JSC::DFG::CSEPhase::checkStructureElimination):
3186         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
3187         (JSC::DFG::CSEPhase::putStructureStoreElimination):
3188         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
3189         (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
3190         * dfg/DFGClobberize.h:
3191         (JSC::DFG::clobberize):
3192         * dfg/DFGConstantFoldingPhase.cpp:
3193         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3194         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
3195         * dfg/DFGFixupPhase.cpp:
3196         (JSC::DFG::FixupPhase::fixupNode):
3197         * dfg/DFGGraph.cpp:
3198         (JSC::DFG::Graph::dump):
3199         * dfg/DFGGraph.h:
3200         * dfg/DFGNode.cpp:
3201         (JSC::DFG::MultiPutByOffsetData::writesStructures):
3202         (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
3203         * dfg/DFGNode.h:
3204         (JSC::DFG::Node::convertToPutByOffset):
3205         (JSC::DFG::Node::hasMultiPutByOffsetData):
3206         (JSC::DFG::Node::multiPutByOffsetData):
3207         * dfg/DFGNodeType.h:
3208         * dfg/DFGPredictionPropagationPhase.cpp:
3209         (JSC::DFG::PredictionPropagationPhase::propagate):
3210         * dfg/DFGSafeToExecute.h:
3211         (JSC::DFG::safeToExecute):
3212         * dfg/DFGSpeculativeJIT32_64.cpp:
3213         (JSC::DFG::SpeculativeJIT::compile):
3214         * dfg/DFGSpeculativeJIT64.cpp:
3215         (JSC::DFG::SpeculativeJIT::compile):
3216         * dfg/DFGTypeCheckHoistingPhase.cpp:
3217         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
3218         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
3219         * ftl/FTLCapabilities.cpp:
3220         (JSC::FTL::canCompile):
3221         * ftl/FTLLowerDFGToLLVM.cpp:
3222         (JSC::FTL::LowerDFGToLLVM::compileNode):
3223         (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
3224         (JSC::FTL::LowerDFGToLLVM::compileAllocatePropertyStorage):
3225         (JSC::FTL::LowerDFGToLLVM::compileReallocatePropertyStorage):
3226         (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
3227         (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
3228         (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
3229         (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
3230         (JSC::FTL::LowerDFGToLLVM::loadProperty):
3231         (JSC::FTL::LowerDFGToLLVM::storeProperty):
3232         (JSC::FTL::LowerDFGToLLVM::addressOfProperty):
3233         (JSC::FTL::LowerDFGToLLVM::storageForTransition):
3234         (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorage):
3235         (JSC::FTL::LowerDFGToLLVM::reallocatePropertyStorage):
3236         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
3237         * tests/stress/fold-multi-put-by-offset-to-put-by-offset.js: Added.
3238         * tests/stress/multi-put-by-offset-reallocation-butterfly-cse.js: Added.
3239         * tests/stress/multi-put-by-offset-reallocation-cases.js: Added.
3240
3241 2014-02-24  peavo@outlook.com  <peavo@outlook.com>
3242
3243         JSC regressions after r164494
3244         https://bugs.webkit.org/show_bug.cgi?id=129272
3245
3246         Reviewed by Mark Lam.
3247
3248         * offlineasm/x86.rb: Only avoid reverse opcode (fdivr) for Windows.
3249
3250 2014-02-24  Tamas Gergely  <tgergely.u-szeged@partner.samsung.com>
3251
3252         Code cleanup: remove leftover ENABLE(WORKERS) macros and support.
3253         https://bugs.webkit.org/show_bug.cgi?id=129255
3254
3255         Reviewed by Csaba Osztrogonác.
3256
3257         ENABLE_WORKERS macro was removed in r159679.
3258         Support is now also removed from xcconfig files.
3259
3260         * Configurations/FeatureDefines.xcconfig:
3261
3262 2014-02-24  David Kilzer  <ddkilzer@apple.com>
3263
3264         Remove redundant setting in FeatureDefines.xcconfig
3265
3266         * Configurations/FeatureDefines.xcconfig:
3267
3268 2014-02-23  Sam Weinig  <sam@webkit.org>
3269
3270         Update FeatureDefines.xcconfig
3271
3272         Rubber-stamped by Anders Carlsson.
3273
3274         * Configurations/FeatureDefines.xcconfig:
3275
3276 2014-02-23  Dean Jackson  <dino@apple.com>
3277
3278         Sort the project file with sort-Xcode-project-file.
3279
3280         Rubber-stamped by Sam Weinig.
3281
3282         * JavaScriptCore.xcodeproj/project.pbxproj:
3283
3284 2014-02-23  Sam Weinig  <sam@webkit.org>
3285
3286         Move telephone number detection behind its own ENABLE macro
3287         https://bugs.webkit.org/show_bug.cgi?id=129236
3288
3289         Reviewed by Dean Jackson.
3290
3291         * Configurations/FeatureDefines.xcconfig:
3292         Add ENABLE_TELEPHONE_NUMBER_DETECTION.
3293
3294 2014-02-22  Filip Pizlo  <fpizlo@apple.com>
3295
3296         Refine DFG+FTL inlining and compilation limits
3297         https://bugs.webkit.org/show_bug.cgi?id=129212
3298
3299         Reviewed by Mark Hahnenberg.
3300         
3301         Allow larger functions to be DFG-compiled. Institute a limit on FTL compilation,
3302         and set that limit quite high. Institute a limit on inlining-into. The idea here is
3303         that large functions tend to be autogenerated, and code generators like emscripten
3304         appear to leave few inlining opportunities anyway. Also, we don't want the code
3305         size explosion that we would risk if we allowed compilation of a large function and
3306         then inlined a ton of stuff into it.
3307         
3308         This is a 0.5% speed-up on Octane v2 and almost eliminates the typescript
3309         regression. This is a 9% speed-up on AsmBench.
3310
3311         * bytecode/CodeBlock.cpp:
3312         (JSC::CodeBlock::noticeIncomingCall):
3313         * dfg/DFGByteCodeParser.cpp:
3314         (JSC::DFG::ByteCodeParser::handleInlining):
3315         * dfg/DFGCapabilities.h:
3316         (JSC::DFG::isSmallEnoughToInlineCodeInto):
3317         * ftl/FTLCapabilities.cpp:
3318         (JSC::FTL::canCompile):
3319         * ftl/FTLState.h:
3320         (JSC::FTL::shouldShowDisassembly):
3321         * runtime/Options.h:
3322
3323 2014-02-22  Dan Bernstein  <mitz@apple.com>
3324
3325         REGRESSION (r164507): Crash beneath JSGlobalObjectInspectorController::reportAPIException at facebook.com, twitter.com, youtube.com
3326         https://bugs.webkit.org/show_bug.cgi?id=129227
3327
3328         Reviewed by Eric Carlson.
3329
3330         Reverted r164507.
3331
3332         * API/JSBase.cpp:
3333         (JSEvaluateScript):
3334         (JSCheckScriptSyntax):
3335         * API/JSObjectRef.cpp:
3336         (JSObjectMakeFunction):
3337         (JSObjectMakeArray):
3338         (JSObjectMakeDate):
3339         (JSObjectMakeError):
3340         (JSObjectMakeRegExp):
3341         (JSObjectGetProperty):
3342         (JSObjectSetProperty):
3343         (JSObjectGetPropertyAtIndex):
3344         (JSObjectSetPropertyAtIndex):
3345         (JSObjectDeleteProperty):
3346         (JSObjectCallAsFunction):
3347         (JSObjectCallAsConstructor):
3348         * API/JSValue.mm:
3349         (valueToArray):
3350         (valueToDictionary):
3351         * API/JSValueRef.cpp:
3352         (JSValueIsEqual):
3353         (JSValueIsInstanceOfConstructor):
3354         (JSValueCreateJSONString):
3355         (JSValueToNumber):
3356         (JSValueToStringCopy):
3357         (JSValueToObject):
3358         * inspector/ConsoleMessage.cpp:
3359         (Inspector::ConsoleMessage::ConsoleMessage):
3360         (Inspector::ConsoleMessage::autogenerateMetadata):
3361         * inspector/ConsoleMessage.h:
3362         * inspector/JSGlobalObjectInspectorController.cpp:
3363         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3364         * inspector/JSGlobalObjectInspectorController.h:
3365         * inspector/ScriptCallStack.cpp:
3366         * inspector/ScriptCallStack.h:
3367         * inspector/ScriptCallStackFactory.cpp:
3368         (Inspector::createScriptCallStack):
3369         (Inspector::createScriptCallStackForConsole):
3370         (Inspector::createScriptCallStackFromException):
3371         * inspector/ScriptCallStackFactory.h:
3372         * inspector/agents/InspectorConsoleAgent.cpp:
3373         (Inspector::InspectorConsoleAgent::enable):
3374         (Inspector::InspectorConsoleAgent::addMessageToConsole):
3375         (Inspector::InspectorConsoleAgent::count):
3376         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
3377         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
3378
3379 2014-02-22  Joseph Pecoraro  <pecoraro@apple.com>
3380
3381         Remove some unreachable code (-Wunreachable-code)
3382         https://bugs.webkit.org/show_bug.cgi?id=129220
3383
3384         Reviewed by Eric Carlson.
3385
3386         * API/tests/testapi.c:
3387         (EvilExceptionObject_convertToType):
3388         * disassembler/udis86/udis86_decode.c:
3389         (decode_operand):
3390
3391 2014-02-22  Filip Pizlo  <fpizlo@apple.com>
3392
3393         Unreviewed, ARMv7 build fix.
3394
3395         * assembler/ARMv7Assembler.h:
3396
3397 2014-02-21  Filip Pizlo  <fpizlo@apple.com>
3398
3399         It should be possible for a LinkBuffer to outlive the MacroAssembler and still be useful
3400         https://bugs.webkit.org/show_bug.cgi?id=124733
3401
3402         Reviewed by Oliver Hunt.
3403         
3404         This also takes the opportunity to de-duplicate some branch compaction code.
3405
3406         * assembler/ARM64Assembler.h:
3407         * assembler/ARMv7Assembler.h:
3408         (JSC::ARMv7Assembler::buffer):
3409         * assembler/AssemblerBuffer.h:
3410         (JSC::AssemblerData::AssemblerData):
3411         (JSC::AssemblerBuffer::AssemblerBuffer):
3412         (JSC::AssemblerBuffer::storage):
3413         (JSC::AssemblerBuffer::grow):
3414         * assembler/LinkBuffer.h:
3415         (JSC::LinkBuffer::LinkBuffer):
3416         (JSC::LinkBuffer::executableOffsetFor):
3417         (JSC::LinkBuffer::applyOffset):
3418         * assembler/MacroAssemblerARM64.h:
3419         (JSC::MacroAssemblerARM64::link):
3420         * assembler/MacroAssemblerARMv7.h:
3421
3422 2014-02-21  Brent Fulgham  <bfulgham@apple.com>
3423
3424         Extend media support for WebVTT sources
3425         https://bugs.webkit.org/show_bug.cgi?id=129156
3426
3427         Reviewed by Eric Carlson.
3428
3429         * Configurations/FeatureDefines.xcconfig: Add new feature define for AVF_CAPTIONS
3430
3431 2014-02-21  Joseph Pecoraro  <pecoraro@apple.com>
3432
3433         Web Inspector: JSContext inspection should report exceptions in the console
3434         https://bugs.webkit.org/show_bug.cgi?id=128776
3435
3436         Reviewed by Timothy Hatcher.
3437
3438         When JavaScript API functions have an exception, let the inspector
3439         know so it can log the JavaScript and Native backtrace that caused
3440         the exception.
3441
3442         Include some clean up of ConsoleMessage and ScriptCallStack construction.
3443
3444         * API/JSBase.cpp:
3445         (JSEvaluateScript):
3446         (JSCheckScriptSyntax):
3447         * API/JSObjectRef.cpp:
3448         (JSObjectMakeFunction):
3449         (JSObjectMakeArray):
3450         (JSObjectMakeDate):
3451         (JSObjectMakeError):
3452         (JSObjectMakeRegExp):
3453         (JSObjectGetProperty):
3454         (JSObjectSetProperty):
3455         (JSObjectGetPropertyAtIndex):
3456         (JSObjectSetPropertyAtIndex):
3457         (JSObjectDeleteProperty):
3458         (JSObjectCallAsFunction):
3459         (JSObjectCallAsConstructor):
3460         * API/JSValue.mm:
3461         (reportExceptionToInspector):
3462         (valueToArray):
3463         (valueToDictionary):
3464         * API/JSValueRef.cpp:
3465         (JSValueIsEqual):
3466         (JSValueIsInstanceOfConstructor):
3467         (JSValueCreateJSONString):
3468         (JSValueToNumber):
3469         (JSValueToStringCopy):
3470         (JSValueToObject):
3471         When seeing an exception, let the inspector know there was an exception.
3472
3473         * inspector/JSGlobalObjectInspectorController.h:
3474         * inspector/JSGlobalObjectInspectorController.cpp:
3475         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3476         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
3477         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
3478         Log API exceptions by also grabbing the native backtrace.
3479
3480         * inspector/ScriptCallStack.h:
3481         * inspector/ScriptCallStack.cpp:
3482         (Inspector::ScriptCallStack::firstNonNativeCallFrame):
3483         (Inspector::ScriptCallStack::append):
3484         Minor extensions to ScriptCallStack to make it easier to work with.
3485
3486         * inspector/ConsoleMessage.cpp:
3487         (Inspector::ConsoleMessage::ConsoleMessage):
3488         (Inspector::ConsoleMessage::autogenerateMetadata):
3489         Provide better default information if the first call frame was native.
3490
3491         * inspector/ScriptCallStackFactory.cpp:
3492         (Inspector::createScriptCallStack):
3493         (Inspector::extractSourceInformationFromException):
3494         (Inspector::createScriptCallStackFromException):
3495         Perform the handling here of inserting a fake call frame for exceptions
3496         if there was no call stack (e.g. a SyntaxError) or if the first call
3497         frame had no information.
3498
3499         * inspector/ConsoleMessage.cpp:
3500         (Inspector::ConsoleMessage::ConsoleMessage):
3501         (Inspector::ConsoleMessage::autogenerateMetadata):
3502         * inspector/ConsoleMessage.h:
3503         * inspector/ScriptCallStackFactory.cpp:
3504         (Inspector::createScriptCallStack):
3505         (Inspector::createScriptCallStackForConsole):
3506         * inspector/ScriptCallStackFactory.h:
3507         * inspector/agents/InspectorConsoleAgent.cpp:
3508         (Inspector::InspectorConsoleAgent::enable):
3509         (Inspector::InspectorConsoleAgent::addMessageToConsole):
3510         (Inspector::InspectorConsoleAgent::count):
3511         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
3512         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
3513         ConsoleMessage cleanup.
3514
3515 2014-02-21  Oliver Hunt  <oliver@apple.com>
3516
3517         Add extra space to op_call and related opcodes
3518         https://bugs.webkit.org/show_bug.cgi?id=129170
3519
3520         Reviewed by Mark Lam.
3521
3522         No change in behaviour, just some refactoring to add an extra
3523         slot to the op_call instructions, and refactoring to make similar
3524         changes easier in future.
3525
3526         * bytecode/CodeBlock.cpp:
3527         (JSC::CodeBlock::printCallOp):
3528         * bytecode/Opcode.h:
3529         (JSC::padOpcodeName):
3530         * bytecompiler/BytecodeGenerator.cpp:
3531         (JSC::BytecodeGenerator::emitCall):
3532         (JSC::BytecodeGenerator::emitCallVarargs):
3533         (JSC::BytecodeGenerator::emitConstruct):
3534         * dfg/DFGByteCodeParser.cpp:
3535         (JSC::DFG::ByteCodeParser::handleIntrinsic):
3536         * jit/JITCall.cpp:
3537         (JSC::JIT::compileOpCall):
3538         * jit/JITCall32_64.cpp:
3539         (JSC::JIT::compileOpCall):
3540         * llint/LowLevelInterpreter.asm:
3541         * llint/LowLevelInterpreter32_64.asm:
3542         * llint/LowLevelInterpreter64.asm:
3543
3544 2014-02-21  Mark Lam  <mark.lam@apple.com>
3545
3546         gatherFromOtherThread() needs to align the sp before gathering roots.
3547         <https://webkit.org/b/129169>
3548
3549         Reviewed by Geoffrey Garen.
3550
3551         The GC scans the stacks of other threads using MachineThreads::gatherFromOtherThread().
3552         gatherFromOtherThread() defines the range of the other thread's stack as
3553         being bounded by the other thread's stack pointer and stack base. While
3554         the stack base will always be aligned to sizeof(void*), the stack pointer
3555         may not be. This is because the other thread may have just pushed a 32-bit
3556         value on its stack before we suspended it for scanning.
3557
3558         The fix is to round the stack pointer up to the next aligned address of
3559         sizeof(void*) and start scanning from there. On 64-bit systems, we will
3560         effectively ignore the 32-bit word at the bottom of the stack (top of the
3561         stack for stacks growing up) because it cannot be a 64-bit pointer anyway.
3562         64-bit pointers should always be stored on 64-bit aligned boundaries (our
3563         conservative scan algorithm already depends on this assumption).
3564
3565         On 32-bit systems, the rounding is effectively a no-op.
3566
3567         * heap/ConservativeRoots.cpp:
3568         (JSC::ConservativeRoots::genericAddSpan):
3569         - Hardened some assertions so that we can catch misalignment issues on
3570           release builds as well.
3571         * heap/MachineStackMarker.cpp:
3572         (JSC::MachineThreads::gatherFromOtherThread):
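
The alignment fix this entry describes, as an added example that is not JavaScriptCore's own code: a conservative root scan over a stack span whose low bound (the suspended thread's sp) may be only 4-byte aligned on a 64-bit system, so the scan first rounds it up to a sizeof(void*) boundary. `roundUpToPointerAlignment`, `gatherConservativeRoots`, the heap range and the constructed stack image are all assumptions of the example.

```cpp
#include <cstdint>
#include <cstring>
#include <iostream>
#include <vector>

// Round an address up to the next sizeof(void*) boundary (a no-op when already
// aligned; on 32-bit a 4-byte-aligned sp is already aligned, so a no-op there).
static uintptr_t roundUpToPointerAlignment(uintptr_t address)
{
    const uintptr_t mask = sizeof(void*) - 1;
    return (address + mask) & ~mask;
}

// Scan [begin, end) one pointer-sized word at a time and collect every word
// that points into the hypothetical heap range [heapBegin, heapEnd). `begin`
// (the other thread's sp) may be misaligned because that thread had just pushed
// a 32-bit value; `end` (its stack base) is assumed pointer-aligned.
static std::vector<uintptr_t> gatherConservativeRoots(const void* begin, const void* end,
                                                      uintptr_t heapBegin, uintptr_t heapEnd)
{
    std::vector<uintptr_t> roots;
    uintptr_t start = roundUpToPointerAlignment(reinterpret_cast<uintptr_t>(begin));
    uintptr_t stop = reinterpret_cast<uintptr_t>(end);
    // Hardened check that survives release builds: an unaligned or inverted span
    // means the caller is broken; return nothing rather than read misaligned words.
    if (stop % sizeof(void*) != 0 || start > stop)
        return roots;
    for (uintptr_t p = start; p < stop; p += sizeof(void*)) {
        uintptr_t candidate;
        std::memcpy(&candidate, reinterpret_cast<const void*>(p), sizeof candidate);
        if (candidate >= heapBegin && candidate < heapEnd)
            roots.push_back(candidate);
    }
    return roots;
}

// Constructed stack image: four words, three of which look like heap pointers
// in [0x1000, 0x4000). The scan starts 4 bytes in to model a misaligned sp; on
// 64-bit the rounding skips the remainder of word 0, which cannot hold a valid
// 64-bit pointer anyway, so word 0's 0x1000 is never reported as a root.
static std::vector<uintptr_t> demoScan()
{
    uintptr_t words[4] = { 0x1000, 0x2000, 0xdead, 0x3000 };
    const unsigned char* misalignedSp = reinterpret_cast<const unsigned char*>(words) + 4;
    return gatherConservativeRoots(misalignedSp, words + 4, 0x1000, 0x4000);
}

int main()
{
    for (uintptr_t root : demoScan())
        std::cout << std::hex << "root 0x" << root << '\n';   // 0x2000, 0x3000
    return 0;
}
```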
3573
3574 2014-02-21  Matthew Mirman  <mmirman@apple.com>
3575
3576         Added a GetMyArgumentsLengthSafe and added a speculation check.
3577         https://bugs.webkit.org/show_bug.cgi?id=129051
3578
3579         Reviewed by Filip Pizlo.
3580
3581         * ftl/FTLLowerDFGToLLVM.cpp:
3582         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
3583
3584 2014-02-21  peavo@outlook.com  <peavo@outlook.com>
3585
3586         [Win][LLINT] Many JSC stress test failures.
3587         https://bugs.webkit.org/show_bug.cgi?id=129155
3588
3589         Reviewed by Michael Saboff.
3590
3591         Intel syntax has reversed operand order compared to AT&T syntax, so we need to swap the operand order, in this case on floating point operations.
3592         Also avoid using the reverse opcode (e.g. fdivr), as this puts the result at the wrong position in the floating point stack.
3593         E.g. "divd ft0, ft1" would translate to fdivr st, st(1) (Intel syntax) on Windows, but this puts the result in st, when it should be in st(1).
3594
3595         * offlineasm/x86.rb: Swap operand order on Windows.
3596
3597 2014-02-21  Filip Pizlo  <fpizlo@apple.com>
3598
3599         DFG write barriers should do more speculations
3600         https://bugs.webkit.org/show_bug.cgi?id=129160
3601
3602         Reviewed by Mark Hahnenberg.
3603         
3604         Replace ConditionalStoreBarrier with the cheapest speculation that you could do
3605         instead.
3606         
3607         Minuscule speed-up on some things. It's a decent difference in code size, though.
3608
3609         * bytecode/SpeculatedType.cpp:
3610         (JSC::speculationToAbbreviatedString):
3611         * bytecode/SpeculatedType.h:
3612         (JSC::isNotCellSpeculation):
3613         * dfg/DFGFixupPhase.cpp:
3614         (JSC::DFG::FixupPhase::fixupNode):
3615         (JSC::DFG::FixupPhase::insertStoreBarrier):
3616         (JSC::DFG::FixupPhase::insertPhantomCheck):
3617         * dfg/DFGNode.h:
3618         (JSC::DFG::Node::shouldSpeculateOther):
3619         (JSC::DFG::Node::shouldSpeculateNotCell):
3620         * ftl/FTLCapabilities.cpp:
3621         (JSC::FTL::canCompile):
3622         * ftl/FTLLowerDFGToLLVM.cpp:
3623         (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
3624         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
3625         (JSC::FTL::LowerDFGToLLVM::isNotOther):
3626         (JSC::FTL::LowerDFGToLLVM::isOther):
3627         (JSC::FTL::LowerDFGToLLVM::speculate):
3628         (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
3629         (JSC::FTL::LowerDFGToLLVM::speculateOther):
3630         (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
3631
3632 2014-02-21  Joseph Pecoraro  <pecoraro@apple.com>
3633
3634         Revert r164486, causing a number of test failures.
3635
3636         Unreviewed rollout.
3637
3638 2014-02-21  Filip Pizlo  <fpizlo@apple.com>
3639
3640         Revive SABI (aka shouldAlwaysBeInlined)
3641         https://bugs.webkit.org/show_bug.cgi?id=129159
3642
3643         Reviewed by Mark Hahnenberg.
3644         
3645         This is a small Octane speed-up.
3646
3647         * jit/Repatch.cpp:
3648         (JSC::linkFor): This code was assuming that if it's invoked then the caller is a DFG code block. That's wrong, since it's now used by all of the JITs.
3649
3650 2014-02-21  Joseph Pecoraro  <pecoraro@apple.com>
3651
3652         Web Inspector: JSContext inspection should report exceptions in the console
3653         https://bugs.webkit.org/show_bug.cgi?id=128776
3654
3655         Reviewed by Timothy Hatcher.
3656
3657         When JavaScript API functions have an exception, let the inspector
3658         know so it can log the JavaScript and Native backtrace that caused
3659         the exception.
3660
3661         Include some clean up of ConsoleMessage and ScriptCallStack construction.
3662
3663         * API/JSBase.cpp:
3664         (JSEvaluateScript):
3665         (JSCheckScriptSyntax):
3666         * API/JSObjectRef.cpp:
3667         (JSObjectMakeFunction):
3668         (JSObjectMakeArray):
3669         (JSObjectMakeDate):
3670         (JSObjectMakeError):
3671         (JSObjectMakeRegExp):
3672         (JSObjectGetProperty):
3673         (JSObjectSetProperty):
3674         (JSObjectGetPropertyAtIndex):
3675         (JSObjectSetPropertyAtIndex):
3676         (JSObjectDeleteProperty):
3677         (JSObjectCallAsFunction):
3678         (JSObjectCallAsConstructor):
3679         * API/JSValue.mm:
3680         (reportExceptionToInspector):
3681         (valueToArray):
3682         (valueToDictionary):
3683         * API/JSValueRef.cpp:
3684         (JSValueIsEqual):
3685         (JSValueIsInstanceOfConstructor):
3686         (JSValueCreateJSONString):
3687         (JSValueToNumber):
3688         (JSValueToStringCopy):
3689         (JSValueToObject):
3690         When seeing an exception, let the inspector know there was an exception.
3691
3692         * inspector/JSGlobalObjectInspectorController.h:
3693         * inspector/JSGlobalObjectInspectorController.cpp:
3694         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3695         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
3696         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
3697         Log API exceptions by also grabbing the native backtrace.
3698
3699         * inspector/ScriptCallStack.h:
3700         * inspector/ScriptCallStack.cpp:
3701         (Inspector::ScriptCallStack::firstNonNativeCallFrame):
3702         (Inspector::ScriptCallStack::append):
3703         Minor extensions to ScriptCallStack to make it easier to work with.
3704
3705         * inspector/ConsoleMessage.cpp:
3706         (Inspector::ConsoleMessage::ConsoleMessage):
3707         (Inspector::ConsoleMessage::autogenerateMetadata):
3708         Provide better default information if the first call frame was native.
3709
3710         * inspector/ScriptCallStackFactory.cpp:
3711         (Inspector::createScriptCallStack):
3712         (Inspector::extractSourceInformationFromException):
3713         (Inspector::createScriptCallStackFromException):
3714         Perform the handling here of inserting a fake call frame for exceptions
3715         if there was no call stack (e.g. a SyntaxError) or if the first call
3716         frame had no information.
3717
3718         * inspector/ConsoleMessage.cpp:
3719         (Inspector::ConsoleMessage::ConsoleMessage):
3720         (Inspector::ConsoleMessage::autogenerateMetadata):
3721         * inspector/ConsoleMessage.h:
3722         * inspector/ScriptCallStackFactory.cpp:
3723         (Inspector::createScriptCallStack):
3724         (Inspector::createScriptCallStackForConsole):
3725         * inspector/ScriptCallStackFactory.h:
3726         * inspector/agents/InspectorConsoleAgent.cpp:
3727         (Inspector::InspectorConsoleAgent::enable):
3728         (Inspector::InspectorConsoleAgent::addMessageToConsole):
3729         (Inspector::InspectorConsoleAgent::count):
3730         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
3731         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
3732         ConsoleMessage cleanup.
3733
3734 2014-02-20  Anders Carlsson  <andersca@apple.com>
3735
3736         Modernize JSGlobalLock and JSLockHolder
3737         https://bugs.webkit.org/show_bug.cgi?id=129105
3738
3739         Reviewed by Michael Saboff.
3740
3741         Use std::mutex and std::thread::id where possible.
3742
3743         * runtime/JSLock.cpp:
3744         (JSC::GlobalJSLock::GlobalJSLock):
3745         (JSC::GlobalJSLock::~GlobalJSLock):
3746         (JSC::GlobalJSLock::initialize):
3747         (JSC::JSLock::JSLock):
3748         (JSC::JSLock::lock):
3749         (JSC::JSLock::unlock):
3750         (JSC::JSLock::currentThreadIsHoldingLock):
3751         * runtime/JSLock.h:
3752
3753 2014-02-20  Mark Lam  <mark.lam@apple.com>
3754
3755         virtualForWithFunction() should not throw an exception with a partially initialized frame.
3756         <https://webkit.org/b/129134>
3757
3758         Reviewed by Michael Saboff.
3759
3760         Currently, when JITOperations.cpp's virtualForWithFunction() fails to
3761         prepare the callee function for execution, it proceeds to throw the
3762         exception using the callee frame which is only partially initialized
3763         thus far. Instead, it should be throwing the exception using the caller
3764         frame because:
3765         1. the error happened "in" the caller while preparing the callee for
3766            execution, i.e. the caller frame is the top fully initialized frame
3767            on the stack.
3768         2. the callee frame is not fully initialized yet, and the unwind
3769            mechanism cannot depend on the data in it.
3770
3771         * jit/JITOperations.cpp:
3772
3773 2014-02-20  Mark Lam  <mark.lam@apple.com>
3774
3775         DefaultGCActivityCallback::doWork() should reschedule if GC is deferred.
3776         <https://webkit.org/b/129131>
3777
3778         Reviewed by Mark Hahnenberg.
3779
3780         Currently, DefaultGCActivityCallback::doWork() does not check if the GC
3781         needs to be deferred before commencing. As a result, the GC may crash
3782         and/or corrupt data because the VM is not in the consistent state needed
3783         for the GC to run. With this fix, doWork() now checks if the GC is
3784         supposed to be deferred and re-schedules if needed. It only commences
3785         with GC'ing when it's safe to do so.
3786
3787         * runtime/GCActivityCallback.cpp:
3788         (JSC::DefaultGCActivityCallback::doWork):
3789
3790 2014-02-20  Geoffrey Garen  <ggaren@apple.com>
3791
3792         Math.imul gives wrong results
3793         https://bugs.webkit.org/show_bug.cgi?id=126345
3794
3795         Reviewed by Mark Hahnenberg.
3796
3797         Don't truncate non-int doubles to 0 -- that's just not how ToInt32 works.
3798         Instead, take a slow path that will do the right thing.
3799
3800         * jit/ThunkGenerators.cpp:
3801         (JSC::imulThunkGenerator):
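
The ToInt32 rule this entry relies on, as an added example that is not JavaScriptCore's thunk code: a spec-style `toInt32` and `imul` in C++, beside a `truncatingImul` that models the wrong behaviour the entry describes (treating a non-int32 double as 0 instead of converting it). All three function names are assumptions of the example.

```cpp
#include <cmath>
#include <cstdint>
#include <iostream>

// ECMAScript ToInt32: NaN and +/-Infinity become 0; anything else is truncated
// toward zero, reduced modulo 2^32 and reinterpreted as a signed 32-bit value.
// So 2.5 becomes 2 and 4294967298.5 becomes 2; neither becomes 0.
static int32_t toInt32(double d)
{
    if (std::isnan(d) || std::isinf(d))
        return 0;
    double modulo = std::fmod(std::trunc(d), 4294967296.0);  // exact: both integral
    if (modulo < 0)
        modulo += 4294967296.0;                              // fmod keeps d's sign
    // Value is now integral in [0, 2^32); the signed cast wraps two's-complement.
    return static_cast<int32_t>(static_cast<uint32_t>(modulo));
}

// Math.imul: multiply the two ToInt32 results with 32-bit wraparound.
static int32_t imul(double a, double b)
{
    uint32_t product = static_cast<uint32_t>(toInt32(a)) * static_cast<uint32_t>(toInt32(b));
    return static_cast<int32_t>(product);
}

// Model of the behaviour the entry calls wrong (not the thunk's actual code):
// an operand that is not already an int32 is treated as 0 instead of going
// through ToInt32, so imul(2.5, 3) yields 0 rather than 6.
static int32_t truncatingImul(double a, double b)
{
    auto isInt32 = [](double d) {
        return d >= -2147483648.0 && d <= 2147483647.0 && d == std::trunc(d);
    };
    if (!isInt32(a) || !isInt32(b))
        return 0;
    return imul(a, b);
}

int main()
{
    std::cout << "imul(2.5, 3)           = " << imul(2.5, 3) << '\n';            // 6
    std::cout << "truncatingImul(2.5, 3) = " << truncatingImul(2.5, 3) << '\n';  // 0
    std::cout << "imul(0xffffffff, 5)    = " << imul(4294967295.0, 5) << '\n';   // -5
    return 0;
}
```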
3802
3803 2014-02-20  Filip Pizlo  <fpizlo@apple.com>
3804
3805         DFG should do its own static estimates of execution frequency before it starts creating OSR entrypoints
3806         https://bugs.webkit.org/show_bug.cgi?id=129129
3807
3808         Reviewed by Geoffrey Garen.
3809         
3810         We estimate execution counts based on loop depth, and then use those to estimate branch
3811         weights. These weights then get carried all the way down to LLVM prof branch_weights
3812         meta-data.
3813         
3814         This is better than letting LLVM do its own static estimates, since by the time we
3815         generate LLVM IR, we may have messed up the CFG due to OSR entrypoint creation. Of
3816         course, it would be even better if we just slurped in some kind of execution counts
3817         from profiling, but we don't do that, yet.
3818
3819         * CMakeLists.txt:
3820         * GNUmakefile.list.am:
3821         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3822         * JavaScriptCore.xcodeproj/project.pbxproj:
3823         * dfg/DFGBasicBlock.cpp:
3824         (JSC::DFG::BasicBlock::BasicBlock):
3825         * dfg/DFGBasicBlock.h:
3826         * dfg/DFGBlockInsertionSet.cpp:
3827         (JSC::DFG::BlockInsertionSet::insert):
3828         (JSC::DFG::BlockInsertionSet::insertBefore):
3829         * dfg/DFGBlockInsertionSet.h:
3830         * dfg/DFGByteCodeParser.cpp:
3831         (JSC::DFG::ByteCodeParser::handleInlining):
3832         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3833         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
3834         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
3835         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
3836         (JSC::DFG::createPreHeader):
3837         * dfg/DFGNaturalLoops.h:
3838         (JSC::DFG::NaturalLoops::loopDepth):
3839         * dfg/DFGOSREntrypointCreationPhase.cpp:
3840         (JSC::DFG::OSREntrypointCreationPhase::run):
3841         * dfg/DFGPlan.cpp:
3842         (JSC::DFG::Plan::compileInThreadImpl):
3843         * dfg/DFGStaticExecutionCountEstimationPhase.cpp: Added.
3844         (JSC::DFG::StaticExecutionCountEstimationPhase::StaticExecutionCountEstimationPhase):
3845         (JSC::DFG::StaticExecutionCountEstimationPhase::run):
3846         (JSC::DFG::StaticExecutionCountEstimationPhase::applyCounts):
3847         (JSC::DFG::performStaticExecutionCountEstimation):
3848         * dfg/DFGStaticExecutionCountEstimationPhase.h: Added.
3849
3850 2014-02-20  Filip Pizlo  <fpizlo@apple.com>
3851
3852         FTL may not see a compact_unwind section if there weren't any stackmaps
3853         https://bugs.webkit.org/show_bug.cgi?id=129125
3854
3855         Reviewed by Geoffrey Garen.
3856         
3857         It's OK to not have an unwind section, so long as the function also doesn't have any
3858         OSR exits.
3859
3860         * ftl/FTLCompile.cpp:
3861         (JSC::FTL::fixFunctionBasedOnStackMaps):
3862         (JSC::FTL::compile):
3863         * ftl/FTLUnwindInfo.cpp:
3864         (JSC::FTL::UnwindInfo::parse):
3865         * ftl/FTLUnwindInfo.h:
3866
3867 == Rolled over to ChangeLog-2014-02-20 ==