4d13ec097601a411e2f6512d22fcf1e89690114a
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2014-08-04  Benjamin Poulain  <benjamin@webkit.org>
2
3         Add a flag for the CSS Selectors level 4 implementation
4         https://bugs.webkit.org/show_bug.cgi?id=135535
5
6         Reviewed by Andreas Kling.
7
8         * Configurations/FeatureDefines.xcconfig:
9
10 2014-08-04  Alex Christensen  <achristensen@webkit.org>
11
12         Progress towards CMake on Mac.
13         https://bugs.webkit.org/show_bug.cgi?id=135528
14
15         Reviewed by Gyuyoung Kim.
16
17         * CMakeLists.txt:
18         Include necessary directories and copy all necessary forwarding headers.
19         Only compile UDis86Disassembler.cpp if we're using UDIS86.
20         * PlatformMac.cmake: Added.
21         * tools/CodeProfiling.cpp:
22         Compile fix.  Include sys/time.h on darwin, too.
23
24 2014-08-04  Saam Barati  <sbarati@apple.com>
25
26         Create a more generic way for VMEntryScope to notify those interested that it will be destroyed
27         https://bugs.webkit.org/show_bug.cgi?id=135358
28
29         Reviewed by Geoffrey Garen.
30
31         When VMEntryScope is destroyed, and it has a flag set indicating that the
32         Debugger needs to recompile all functions, it calls Debugger::recompileAllJSFunctions. 
33         This flag is only used by Debugger to have VMEntryScope notify it when the
34         Debugger is safe to recompile all functions. This patch will substitute this
35         Debugger-specific recompilation flag with a list of callbacks that are notified 
36         when the outermost VMEntryScope dies. This creates a general purpose interface 
37         for being notified when the VM stops executing code via the event of the outermost 
38         VMEntryScope dying.
39
40         * debugger/Debugger.cpp:
41         (JSC::Debugger::recompileAllJSFunctions):
42         * runtime/VMEntryScope.cpp:
43         (JSC::VMEntryScope::VMEntryScope):
44         (JSC::VMEntryScope::addEntryScopeDidPopListener):
45         (JSC::VMEntryScope::~VMEntryScope):
46         * runtime/VMEntryScope.h:
47         (JSC::VMEntryScope::setRecompilationNeeded): Deleted.
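The outermost-scope notification described in this entry, as an added model example; this is not JavaScriptCore's own VMEntryScope code, and the `VM` struct, its `entryScopeDepth` counter, the listener vector and the `debuggerRequestRecompile()` helper are assumed simplifications:

```cpp
#include <functional>
#include <utility>
#include <vector>

// Constructed model of the mechanism the entry above describes; not JavaScriptCore's
// implementation. The VM tracks how deeply it has been entered and holds the
// listeners registered by whoever wants to know when it stops executing code.
struct VM {
    int entryScopeDepth = 0;                                  // assumed field
    std::vector<std::function<void(VM&)>> didPopListeners;    // assumed field
    int jsFunctionsRecompiled = 0;                            // bookkeeping for the demo
};

// RAII guard for "the VM is executing code". Listeners only run when the
// outermost scope dies, because that is the only point where no JS frames are live.
class VMEntryScope {
public:
    explicit VMEntryScope(VM& vm) : m_vm(vm) { ++m_vm.entryScopeDepth; }

    // Counterpart to the addEntryScopeDidPopListener() the entry names: any scope,
    // nested or not, can register, and the callback is deferred to the outermost pop.
    void addEntryScopeDidPopListener(std::function<void(VM&)> listener)
    {
        m_vm.didPopListeners.push_back(std::move(listener));
    }

    ~VMEntryScope()
    {
        if (--m_vm.entryScopeDepth != 0)
            return; // still inside an outer scope: JS code may still be running
        // Move the list out first so a listener that re-registers cannot invalidate
        // the vector being iterated.
        auto listeners = std::move(m_vm.didPopListeners);
        m_vm.didPopListeners.clear();
        for (auto& listener : listeners)
            listener(m_vm);
    }

private:
    VM& m_vm;
};

// Stand-in for a Debugger asking for recompileAllJSFunctions(): recompiling must
// wait until the VM has stopped executing code, so it registers a listener instead.
void debuggerRequestRecompile(VMEntryScope& scope)
{
    scope.addEntryScopeDidPopListener([](VM& vm) { ++vm.jsFunctionsRecompiled; });
}

// Drives a nested entry and reports how many recompiles had happened at each point:
// {after the inner scope popped, after the outer scope popped}.
std::pair<int, int> runNestedEntry(VM& vm)
{
    int afterInner = -1;
    {
        VMEntryScope outer(vm);                 // VM starts executing JS
        {
            VMEntryScope inner(vm);             // re-entered, e.g. native code calling back into JS
            debuggerRequestRecompile(inner);    // debugger asks while frames are live
        }                                       // inner pops: depth is 1, nothing fires yet
        afterInner = vm.jsFunctionsRecompiled;
    }                                           // outer pops: depth is 0, listener fires once
    return { afterInner, vm.jsFunctionsRecompiled };
}
```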
48
49 2014-08-01  Carlos Alberto Lopez Perez  <clopez@igalia.com>
50
51         REGRESSION(r171942): [CMAKE] [GTK] build broken (clean build).
52         https://bugs.webkit.org/show_bug.cgi?id=135522
53
54         Reviewed by Martin Robinson.
55
56         * CMakeLists.txt: Output the inspector headers inside inspector
57         subdirectory.
58
59 2014-08-01  Mark Lam  <mark.lam@apple.com>
60
61         Add some structure related assertions.
62         <https://webkit.org/b/135523>
63
64         Reviewed by Geoffrey Garen.
65
66         Adding 2 assertions:
67         1. assert that we don't index past the end of the StructureIDTable.
68            This should never happen, but this assertion will help catch bugs
69            where a bad structureID gets passed in.
70         2. assert that cells in MarkedBlock::callDestructor() that are not
71            zapped should have a non-null StructureID.  This will help us catch
72            bugs where the other cell header flag bits get set after the cell is
73            zapped, thereby making the cell look like an unzapped cell that has a
74            null structureID.
75
76         * heap/MarkedBlock.cpp:
77         (JSC::MarkedBlock::callDestructor):
78         * runtime/StructureIDTable.h:
79         (JSC::StructureIDTable::get):
80
81 2014-08-01  Csaba Osztrogonác  <ossy@webkit.org>
82
83         URTBF after r171946 to fix non-Apple builds.
84
85         * bytecode/InlineCallFrameSet.cpp:
86
87 2014-08-01  Mark Hahnenberg  <mhahnenberg@apple.com>
88
89         CodeBlock fails to visit the Executables of its InlineCallFrames
90         https://bugs.webkit.org/show_bug.cgi?id=135471
91
92         Reviewed by Geoffrey Garen.
93
94         CodeBlock needs to visit its InlineCallFrames' owner Executables. If it doesn't, they 
95         can be prematurely collected and cause crashes.
96
97         * bytecode/CodeBlock.cpp:
98         (JSC::CodeBlock::stronglyVisitStrongReferences):
99         * bytecode/CodeOrigin.h:
100         (JSC::InlineCallFrame::visitAggregate):
101         * bytecode/InlineCallFrameSet.cpp:
102         (JSC::InlineCallFrameSet::visitAggregate):
103         * bytecode/InlineCallFrameSet.h:
104
105 2014-08-01  Alex Christensen  <achristensen@webkit.org>
106
107         Progress towards cmake on Windows.
108         https://bugs.webkit.org/show_bug.cgi?id=135484
109
110         Reviewed by Martin Robinson.
111
112         * CMakeLists.txt:
113         Generate code directly to inspector directory to avoid using the cp command
114         which is not available on Windows.
115         * PlatformWin.cmake: Added.
116
117 2014-07-31  Andreas Kling  <akling@apple.com>
118
119         Remove the JSC::OverridesVisitChildren flag.
120         <https://webkit.org/b/135489>
121
122         Except for 3 special classes, the visitChildren() call is always
123         dispatched through the method table (see SlotVisitor.cpp.)
124
125         The OverridesVisitChildren flag doesn't actually do anything.
126         It could be used to implement a non-virtual direct call to
127         JSCell::visitChildren, bypassing the method table for some objects,
128         but such a micro-optimization seems like a weak trade for all this
129         code complexity. Instead, just remove the flag.
130
131         This change frees up an inline flag bit in JSCell.
132
133         Reviewed by Geoffrey Garen.
134
135         * API/JSAPIWrapperObject.h:
136         * API/JSAPIWrapperObject.mm:
137         (JSC::JSAPIWrapperObject::visitChildren):
138         * API/JSCallbackObject.h:
139         (JSC::JSCallbackObject::visitChildren):
140         * bytecode/UnlinkedCodeBlock.cpp:
141         (JSC::UnlinkedFunctionExecutable::visitChildren):
142         (JSC::UnlinkedCodeBlock::visitChildren):
143         (JSC::UnlinkedProgramCodeBlock::visitChildren):
144         * bytecode/UnlinkedCodeBlock.h:
145         * debugger/DebuggerScope.cpp:
146         (JSC::DebuggerScope::visitChildren):
147         * debugger/DebuggerScope.h:
148         * jsc.cpp:
149         * runtime/Arguments.cpp:
150         (JSC::Arguments::visitChildren):
151         * runtime/Arguments.h:
152         * runtime/Executable.cpp:
153         (JSC::EvalExecutable::visitChildren):
154         (JSC::ProgramExecutable::visitChildren):
155         (JSC::FunctionExecutable::visitChildren):
156         * runtime/Executable.h:
157         * runtime/GetterSetter.cpp:
158         (JSC::GetterSetter::visitChildren):
159         * runtime/GetterSetter.h:
160         (JSC::GetterSetter::createStructure):
161         * runtime/JSAPIValueWrapper.h:
162         (JSC::JSAPIValueWrapper::createStructure):
163         * runtime/JSActivation.cpp:
164         (JSC::JSActivation::visitChildren):
165         * runtime/JSActivation.h:
166         * runtime/JSArrayIterator.cpp:
167         (JSC::JSArrayIterator::visitChildren):
168         * runtime/JSArrayIterator.h:
169         * runtime/JSBoundFunction.cpp:
170         (JSC::JSBoundFunction::visitChildren):
171         * runtime/JSBoundFunction.h:
172         * runtime/JSCellInlines.h:
173         (JSC::JSCell::setStructure):
174         * runtime/JSFunction.cpp:
175         (JSC::JSFunction::visitChildren):
176         * runtime/JSFunction.h:
177         * runtime/JSGlobalObject.cpp:
178         (JSC::JSGlobalObject::visitChildren):
179         * runtime/JSGlobalObject.h:
180         * runtime/JSMap.h:
181         * runtime/JSMapIterator.cpp:
182         (JSC::JSMapIterator::visitChildren):
183         * runtime/JSMapIterator.h:
184         * runtime/JSNameScope.cpp:
185         (JSC::JSNameScope::visitChildren):
186         * runtime/JSNameScope.h:
187         * runtime/JSPromise.cpp:
188         (JSC::JSPromise::visitChildren):
189         * runtime/JSPromise.h:
190         * runtime/JSPromiseDeferred.cpp:
191         (JSC::JSPromiseDeferred::visitChildren):
192         * runtime/JSPromiseDeferred.h:
193         * runtime/JSPromiseReaction.cpp:
194         (JSC::JSPromiseReaction::visitChildren):
195         * runtime/JSPromiseReaction.h:
196         * runtime/JSPropertyNameIterator.cpp:
197         (JSC::JSPropertyNameIterator::visitChildren):
198         * runtime/JSPropertyNameIterator.h:
199         * runtime/JSProxy.cpp:
200         (JSC::JSProxy::visitChildren):
201         * runtime/JSProxy.h:
202         * runtime/JSScope.cpp:
203         (JSC::JSScope::visitChildren):
204         * runtime/JSScope.h:
205         * runtime/JSSegmentedVariableObject.cpp:
206         (JSC::JSSegmentedVariableObject::visitChildren):
207         * runtime/JSSegmentedVariableObject.h:
208         * runtime/JSSet.h:
209         * runtime/JSSetIterator.cpp:
210         (JSC::JSSetIterator::visitChildren):
211         * runtime/JSSetIterator.h:
212         * runtime/JSSymbolTableObject.cpp:
213         (JSC::JSSymbolTableObject::visitChildren):
214         * runtime/JSSymbolTableObject.h:
215         * runtime/JSTypeInfo.h:
216         (JSC::TypeInfo::overridesVisitChildren): Deleted.
217         * runtime/JSWeakMap.h:
218         * runtime/JSWithScope.cpp:
219         (JSC::JSWithScope::visitChildren):
220         * runtime/JSWithScope.h:
221         * runtime/JSWrapperObject.cpp:
222         (JSC::JSWrapperObject::visitChildren):
223         * runtime/JSWrapperObject.h:
224         * runtime/MapData.h:
225         * runtime/NativeErrorConstructor.cpp:
226         (JSC::NativeErrorConstructor::visitChildren):
227         * runtime/NativeErrorConstructor.h:
228         * runtime/PropertyMapHashTable.h:
229         * runtime/PropertyTable.cpp:
230         (JSC::PropertyTable::visitChildren):
231         * runtime/RegExpConstructor.cpp:
232         (JSC::RegExpConstructor::visitChildren):
233         * runtime/RegExpConstructor.h:
234         * runtime/RegExpMatchesArray.cpp:
235         (JSC::RegExpMatchesArray::visitChildren):
236         * runtime/RegExpMatchesArray.h:
237         * runtime/RegExpObject.cpp:
238         (JSC::RegExpObject::visitChildren):
239         * runtime/RegExpObject.h:
240         * runtime/SparseArrayValueMap.h:
241         * runtime/Structure.cpp:
242         (JSC::Structure::Structure):
243         (JSC::Structure::visitChildren):
244         * runtime/StructureChain.cpp:
245         (JSC::StructureChain::visitChildren):
246         * runtime/StructureChain.h:
247         * runtime/StructureRareData.cpp:
248         (JSC::StructureRareData::visitChildren):
249         * runtime/StructureRareData.h:
250         * runtime/WeakMapData.h:
251
252 2014-07-31  Mark Lam  <mark.lam@apple.com>
253
254         JSCell::classInfo() belongs in JSCellInlines.h.
255         <https://webkit.org/b/135475>
256
257         Reviewed by Mark Hahnenberg.
258
259         * runtime/JSCellInlines.h:
260         (JSC::JSCell::classInfo):
261         * runtime/JSDestructibleObject.h:
262         (JSC::JSCell::classInfo): Deleted.
263
264 2014-07-31  Tanay C  <tanay.c@samsung.com>
265
266         Build warning in webkit/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
267         https://bugs.webkit.org/show_bug.cgi?id=135414
268
269         Reviewed by Csaba Osztrogonác.
270
271         * llint/LLIntSlowPaths.cpp:
272         (JSC::LLInt::putToScopeCommon): Removed unused parameter from function definition.
273
274 2014-07-30  Filip Pizlo  <fpizlo@apple.com>
275
276         NewFunctionExpression and NewFunctionNoCheck should setHaveStructures(true)
277         https://bugs.webkit.org/show_bug.cgi?id=135430
278
279         Reviewed by Mark Hahnenberg.
280
281         We already handled this correctly after the ftlopt merge, but it's useful to have the test.
282
283         * tests/stress/new-function-expression-has-structures.js: Added.
284         (foo.f):
285         (foo.f.prototype.f):
286         (foo):
287
288 2014-07-30  Andreas Kling  <akling@apple.com>
289
290         Speculative Windows build fix.
291
292         Try to dllimport the dllexported global object HashTable.
293
294         * jsc.cpp:
295         * testRegExp.cpp:
296
297 2014-07-30  Andreas Kling  <akling@apple.com>
298
299         PropertyName's internal string is always atomic.
300         <https://webkit.org/b/135451>
301
302         Now that we've merged the JSC::Identifier and WTF::AtomicString tables,
303         we know that any string that's an Identifier is guaranteed to be atomic.
304
305         A PropertyName can be either an Identifier or a PrivateName, and the
306         private names are also guaranteed to be atomic internally.
307
308         Make PropertyName vend AtomicStringImpl* instead of StringImpl*.
309
310         Reviewed by Benjamin Poulain.
311
312         * runtime/PropertyName.h:
313         (JSC::PropertyName::PropertyName):
314         (JSC::PropertyName::uid):
315         (JSC::PropertyName::publicName):
316
317 2014-07-30  Andy Estes  <aestes@apple.com>
318
319         USE(CONTENT_FILTERING) should be ENABLE(CONTENT_FILTERING)
320         https://bugs.webkit.org/show_bug.cgi?id=135439
321
322         Reviewed by Tim Horton.
323
324         We now support two different platform content filters, and will soon support a mock content filter (as part of
325         webkit.org/b/128858). This makes content filtering a feature of WebKit, not just an adoption of a third-party
326         library. ENABLE() is the correct macro to use for such a feature.
327
328         * Configurations/FeatureDefines.xcconfig:
329
330 2014-07-30  Andreas Kling  <akling@apple.com>
331
332         Static hash tables no longer need to be coupled with a VM.
333         <https://webkit.org/b/135421>
334
335         Now that the static hash tables are using char** instead of StringImpl**,
336         it's no longer necessary to make them per-VM.
337
338         This patch removes the hook in ClassInfo for providing your own static
339         hash table getter. Everyone now uses ClassInfo::staticPropHashTable.
340         Most of this patch is tweaking ClassInfo construction sites to pass one
341         less null pointer.
342
343         Also simplified Lookup.h to stop requiring ExecState/VM to access the
344         static hash tables.
345
346         Reviewed by Geoffrey Garen.
347
348         * API/JSAPIWrapperObject.mm:
349         * API/JSCallbackConstructor.cpp:
350         * API/JSCallbackFunction.cpp:
351         * API/JSCallbackObject.cpp:
352         * API/ObjCCallbackFunction.mm:
353         * bytecode/UnlinkedCodeBlock.cpp:
354         * create_hash_table:
355         * debugger/DebuggerScope.cpp:
356         * inspector/JSInjectedScriptHost.cpp:
357         * inspector/JSInjectedScriptHostPrototype.cpp:
358         * inspector/JSJavaScriptCallFrame.cpp:
359         * inspector/JSJavaScriptCallFramePrototype.cpp:
360         * interpreter/CallFrame.h:
361         (JSC::ExecState::arrayConstructorTable): Deleted.
362         (JSC::ExecState::arrayPrototypeTable): Deleted.
363         (JSC::ExecState::booleanPrototypeTable): Deleted.
364         (JSC::ExecState::dataViewTable): Deleted.
365         (JSC::ExecState::dateTable): Deleted.
366         (JSC::ExecState::dateConstructorTable): Deleted.
367         (JSC::ExecState::errorPrototypeTable): Deleted.
368         (JSC::ExecState::globalObjectTable): Deleted.
369         (JSC::ExecState::jsonTable): Deleted.
370         (JSC::ExecState::numberConstructorTable): Deleted.
371         (JSC::ExecState::numberPrototypeTable): Deleted.
372         (JSC::ExecState::objectConstructorTable): Deleted.
373         (JSC::ExecState::privateNamePrototypeTable): Deleted.
374         (JSC::ExecState::regExpTable): Deleted.
375         (JSC::ExecState::regExpConstructorTable): Deleted.
376         (JSC::ExecState::regExpPrototypeTable): Deleted.
377         (JSC::ExecState::stringConstructorTable): Deleted.
378         (JSC::ExecState::promisePrototypeTable): Deleted.
379         (JSC::ExecState::promiseConstructorTable): Deleted.
380         * jsc.cpp:
381         * parser/Lexer.h:
382         (JSC::Keywords::isKeyword):
383         (JSC::Keywords::getKeyword):
384         * runtime/Arguments.cpp:
385         * runtime/ArgumentsIteratorConstructor.cpp:
386         * runtime/ArgumentsIteratorPrototype.cpp:
387         * runtime/ArrayBufferNeuteringWatchpoint.cpp:
388         * runtime/ArrayConstructor.cpp:
389         (JSC::ArrayConstructor::getOwnPropertySlot):
390         * runtime/ArrayIteratorConstructor.cpp:
391         * runtime/ArrayIteratorPrototype.cpp:
392         * runtime/ArrayPrototype.cpp:
393         (JSC::ArrayPrototype::getOwnPropertySlot):
394         * runtime/BooleanConstructor.cpp:
395         * runtime/BooleanObject.cpp:
396         * runtime/BooleanPrototype.cpp:
397         (JSC::BooleanPrototype::getOwnPropertySlot):
398         * runtime/ClassInfo.h:
399         (JSC::ClassInfo::hasStaticProperties):
400         (JSC::ClassInfo::propHashTable): Deleted.
401         * runtime/ConsolePrototype.cpp:
402         * runtime/CustomGetterSetter.cpp:
403         * runtime/DateConstructor.cpp:
404         (JSC::DateConstructor::getOwnPropertySlot):
405         * runtime/DateInstance.cpp:
406         * runtime/DatePrototype.cpp:
407         (JSC::DatePrototype::getOwnPropertySlot):
408         * runtime/Error.cpp:
409         * runtime/ErrorConstructor.cpp:
410         * runtime/ErrorInstance.cpp:
411         * runtime/ErrorPrototype.cpp:
412         (JSC::ErrorPrototype::getOwnPropertySlot):
413         * runtime/ExceptionHelpers.cpp:
414         * runtime/Executable.cpp:
415         * runtime/FunctionConstructor.cpp:
416         * runtime/FunctionPrototype.cpp:
417         * runtime/GetterSetter.cpp:
418         * runtime/InternalFunction.cpp:
419         * runtime/JSAPIValueWrapper.cpp:
420         * runtime/JSActivation.cpp:
421         * runtime/JSArgumentsIterator.cpp:
422         * runtime/JSArray.cpp:
423         * runtime/JSArrayBuffer.cpp:
424         * runtime/JSArrayBufferConstructor.cpp:
425         * runtime/JSArrayBufferPrototype.cpp:
426         * runtime/JSArrayBufferView.cpp:
427         * runtime/JSArrayIterator.cpp:
428         * runtime/JSBoundFunction.cpp:
429         * runtime/JSConsole.cpp:
430         * runtime/JSDataView.cpp:
431         * runtime/JSDataViewPrototype.cpp:
432         (JSC::JSDataViewPrototype::getOwnPropertySlot):
433         * runtime/JSFunction.cpp:
434         * runtime/JSGlobalObject.cpp:
435         (JSC::JSGlobalObject::getOwnPropertySlot):
436         * runtime/JSMap.cpp:
437         * runtime/JSMapIterator.cpp:
438         * runtime/JSNameScope.cpp:
439         * runtime/JSNotAnObject.cpp:
440         * runtime/JSONObject.cpp:
441         (JSC::JSONObject::getOwnPropertySlot):
442         * runtime/JSObject.cpp:
443         (JSC::getClassPropertyNames):
444         (JSC::JSObject::put):
445         (JSC::JSObject::deleteProperty):
446         (JSC::JSObject::findPropertyHashEntry):
447         (JSC::JSObject::reifyStaticFunctionsForDelete):
448         * runtime/JSObject.h:
449         * runtime/JSPromise.cpp:
450         * runtime/JSPromiseConstructor.cpp:
451         (JSC::JSPromiseConstructor::getOwnPropertySlot):
452         * runtime/JSPromiseDeferred.cpp:
453         * runtime/JSPromisePrototype.cpp:
454         (JSC::JSPromisePrototype::getOwnPropertySlot):
455         * runtime/JSPromiseReaction.cpp:
456         * runtime/JSPropertyNameIterator.cpp:
457         * runtime/JSProxy.cpp:
458         * runtime/JSSet.cpp:
459         * runtime/JSSetIterator.cpp:
460         * runtime/JSString.cpp:
461         * runtime/JSTypedArrayConstructors.cpp:
462         * runtime/JSTypedArrayPrototypes.cpp:
463         * runtime/JSTypedArrays.cpp:
464         * runtime/JSVariableObject.cpp:
465         * runtime/JSWeakMap.cpp:
466         * runtime/JSWithScope.cpp:
467         * runtime/Lookup.cpp:
468         (JSC::HashTable::createTable):
469         * runtime/Lookup.h:
470         (JSC::HashTable::initializeIfNeeded):
471         (JSC::HashTable::entry):
472         (JSC::HashTable::begin):
473         (JSC::HashTable::end):
474         (JSC::getStaticPropertySlot):
475         (JSC::getStaticFunctionSlot):
476         (JSC::getStaticValueSlot):
477         (JSC::lookupPut):
478         * runtime/MapConstructor.cpp:
479         * runtime/MapData.cpp:
480         * runtime/MapIteratorConstructor.cpp:
481         * runtime/MapIteratorPrototype.cpp:
482         * runtime/MapPrototype.cpp:
483         * runtime/MathObject.cpp:
484         * runtime/NameConstructor.cpp:
485         * runtime/NameInstance.cpp:
486         * runtime/NamePrototype.cpp:
487         (JSC::NamePrototype::getOwnPropertySlot):
488         * runtime/NativeErrorConstructor.cpp:
489         * runtime/NumberConstructor.cpp:
490         (JSC::NumberConstructor::getOwnPropertySlot):
491         * runtime/NumberObject.cpp:
492         * runtime/NumberPrototype.cpp:
493         (JSC::NumberPrototype::getOwnPropertySlot):
494         * runtime/ObjectConstructor.cpp:
495         (JSC::ObjectConstructor::getOwnPropertySlot):
496         * runtime/ObjectPrototype.cpp:
497         * runtime/PropertyTable.cpp:
498         * runtime/RegExp.cpp:
499         * runtime/RegExpConstructor.cpp:
500         (JSC::RegExpConstructor::getOwnPropertySlot):
501         * runtime/RegExpMatchesArray.cpp:
502         * runtime/RegExpObject.cpp:
503         (JSC::RegExpObject::getOwnPropertySlot):
504         * runtime/RegExpPrototype.cpp:
505         (JSC::RegExpPrototype::getOwnPropertySlot):
506         * runtime/SetConstructor.cpp:
507         * runtime/SetIteratorConstructor.cpp:
508         * runtime/SetIteratorPrototype.cpp:
509         * runtime/SetPrototype.cpp:
510         * runtime/SparseArrayValueMap.cpp:
511         * runtime/StrictEvalActivation.cpp:
512         * runtime/StringConstructor.cpp:
513         (JSC::StringConstructor::getOwnPropertySlot):
514         * runtime/StringObject.cpp:
515         * runtime/StringPrototype.cpp:
516         * runtime/Structure.cpp:
517         (JSC::Structure::Structure):
518         (JSC::Structure::freezeTransition):
519         (JSC::ClassInfo::hasStaticSetterOrReadonlyProperties):
520         * runtime/StructureChain.cpp:
521         * runtime/StructureRareData.cpp:
522         * runtime/SymbolTable.cpp:
523         * runtime/VM.cpp:
524         (JSC::VM::VM):
525         (JSC::VM::~VM):
526         * runtime/VM.h:
527         * runtime/WeakMapConstructor.cpp:
528         * runtime/WeakMapData.cpp:
529         * runtime/WeakMapPrototype.cpp:
530         * testRegExp.cpp:
531
532 2014-07-29  Brent Fulgham  <bfulgham@apple.com>
533
534         [Win] Modify version numbering scheme to support 5-tuple versions
535         https://bugs.webkit.org/show_bug.cgi?id=135400
536         <rdar://problem/17849033>
537
538         Reviewed by David Kilzer.
539
540         * JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd: Use the
541         new version-stamp.pl script to version JavaScriptCore.dll.
542
543 2014-07-29  Daniel Bates  <dabates@apple.com>
544
545         Use WTF::move() instead of std::move() to help ensure move semantics
546         https://bugs.webkit.org/show_bug.cgi?id=135351
547
548         Reviewed by Alexey Proskuryakov.
549
550         * bytecode/GetByIdStatus.cpp:
551         (JSC::GetByIdStatus::computeForStubInfo):
552         * bytecode/GetByIdVariant.cpp:
553         (JSC::GetByIdVariant::GetByIdVariant):
554
555 2014-07-28  Tamas Gergely  <tgergely.u-szeged@partner.samsung.com>
556
557         BuildFix: JavaScriptCore/bytecode/StructureSet.h:262:77: warning.
558         https://bugs.webkit.org/show_bug.cgi?id=135287
559
560         Reviewed by Darin Adler.
561
562         The set() method tries to use a part of the old value (the reservedFlag bit) which
563         was not defined when the constructor was called. Initialize m_pointer to 0 explicitly.
564
565         * bytecode/StructureSet.h:
566         (JSC::StructureSet::StructureSet):
567
568 2014-07-28  Benjamin Poulain  <bpoulain@apple.com>
569
570         [JSC] JIT::assertStackPointerOffset() crashes on ARM64
571         https://bugs.webkit.org/show_bug.cgi?id=135316
572
573         Reviewed by Geoffrey Garen.
574
575         JIT::assertStackPointerOffset() does a compare between an arbitrary register
576         and the stack pointer. This was not supported by the ARM64 assembler.
577
578         There is no variation that can take a stack pointer for Xd. There is one version of subs
579         that can take a stack pointer, but only for the Xn: the shift+extend one.
580         To solve the problem, I changed cmp to swap the registers if necessary, and I fixed
581         the implementation of sub.
582
583         * assembler/ARM64Assembler.h:
584         (JSC::ARM64Assembler::sub):
585         In the generic sub(reg, reg), I added assertions to catch the condition that cannot be generated
586         with either version of sub.
587
588         In sub(with shift), I removed the weird special case for SP. First, it was quite misleading because
589         the Rd case only works if "setflag == false". The other confusing part is that going to addSubtractShiftedRegister()
590         gives you a reduced shift range, which could create subtle bugs that only appear when SP is used.
591
592         Since I removed the weird case, I need to differentiate between the sub() that supports SP, and the one that does
593         not elsewhere. That is why that branch has moved to the generic sub(reg, reg). Since at that point we know
594         the shift value must be zero, it is safe to call either variant.
595
596         * assembler/MacroAssemblerARM64.h:
597         (JSC::MacroAssemblerARM64::branch64):
598         With the changes described above, we can now use SP for the left register. What do we do if the rightmost
599         register is SP?
600
601         For the case of JIT::assertStackPointerOffset(), the comparison is Equal so the order really does not matter,
602         we just switch the registers before generating the instruction.
603
604         For the generic case, just move the value of SP to a GPR before doing the CMP.
605
606 2014-07-28  Brian J. Burg  <burg@cs.washington.edu>
607
608         Unreviewed build fix after r171682.
609
610         * replay/EncodedValue.h: Don't mark the inlined Vector<char> specialization
611         as an exported symbol.
612
613 2014-07-28  Mark Hahnenberg  <mhahnenberg@apple.com>
614
615         REGRESSION: JSObjectSetPrototype() does not work on result of JSGetGlobalObject()
616         https://bugs.webkit.org/show_bug.cgi?id=135322
617
618         Reviewed by Oliver Hunt.
619
620         The prototype chain of the JSProxy object should match that of the JSGlobalObject. 
621
622         This is a separate but related issue with JSObjectSetPrototype which doesn't correctly 
623         account for JSProxies. I also audited the rest of the C API to check that we correctly 
624         handle JSProxies in all other situations where we expect a JSCallbackObject of some sort
625         and found some SPI calls (JSObject*PrivateProperty) that didn't behave correctly when 
626         passed a JSProxy.
627
628         I also added some new tests for these cases.
629
630         * API/JSObjectRef.cpp:
631         (JSObjectSetPrototype):
632         (JSObjectGetPrivateProperty):
633         (JSObjectSetPrivateProperty):
634         (JSObjectDeletePrivateProperty):
635         * API/JSWeakObjectMapRefPrivate.cpp:
636         * API/tests/CustomGlobalObjectClassTest.c:
637         (globalObjectSetPrototypeTest):
638         (globalObjectPrivatePropertyTest):
639         * API/tests/CustomGlobalObjectClassTest.h:
640         * API/tests/testapi.c:
641         (main):
642
643 2014-07-28  Filip Pizlo  <fpizlo@apple.com>
644
645         Make sure that we don't use non-speculative BooleanToNumber for a speculative Branch
646         https://bugs.webkit.org/show_bug.cgi?id=135350
647         <rdar://problem/17509889>
648
649         Reviewed by Mark Hahnenberg and Oliver Hunt.
650         
651         If we have an exiting node that uses a conversion node, then that exiting node
652         needs to have a Phantom after it for the original node. But we can't do that
653         for Branch because of https://bugs.webkit.org/show_bug.cgi?id=126778.
654
655         * dfg/DFGFixupPhase.cpp:
656         (JSC::DFG::FixupPhase::fixupNode):
657         (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
658         * tests/stress/branch-check-int32-on-boolean-to-number-untyped.js: Added.
659         (foo):
660         (test):
661         * tests/stress/branch-check-number-on-boolean-to-number-untyped.js: Added.
662         (foo):
663         (test):
664
665 2014-07-28  Joseph Pecoraro  <pecoraro@apple.com>
666
667         JSContext Inspector: crash when using step-into
668         https://bugs.webkit.org/show_bug.cgi?id=135345
669
670         Reviewed by Timothy Hatcher.
671
672         * inspector/agents/InspectorDebuggerAgent.cpp:
673         (Inspector::InspectorDebuggerAgent::stepInto):
674         Null check m_listener since it may not be set.
675
676 2014-07-28  Brian J. Burg  <burg@cs.washington.edu>
677
678         Web Replay: auto-decoding of parameterized vector's elements is incorrect
679         https://bugs.webkit.org/show_bug.cgi?id=135343
680
681         Reviewed by Timothy Hatcher.
682
683         Fix an incorrect type argument in EncodingTraits<Vector<T>>::encodeValue
684         that was using the element's decoded type as the type parameter to
685         EncodedValue::append<T>. It should instead be the raw type T. This
686         causes problems when encoding Vector<RefPtr<T>>, as it later tries to
687         use encoding traits for RefPtr<T> rather than for T.
688
        Fix incorrect generated encoding traits argument for vectors of
        RefCounted objects. Updated test to cover this scenario.

        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Type.encoding_type_argument):
        (VectorType.type_name):
        (VectorType):
        (VectorType.encoding_type_argument):
        (Generator.generate_input_encode_implementation):
        (Generator.generate_input_decode_implementation):
        * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp:
        * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
        * replay/scripts/tests/generate-input-with-vector-members.json: Updated.

2014-07-28  Brian J. Burg  <burg@cs.washington.edu>

        Web Replay: incorrect serialization code generated for enum classes inside class scope
        https://bugs.webkit.org/show_bug.cgi?id=135342

        Reviewed by Timothy Hatcher.

        If an enum class is defined inside of a class scope, then the enum class
        cannot be forward-declared and the relevant header should be included.
        Some generated code used incorrectly-scoped enum values in this situation.

        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Generator.generate_includes.declaration.is):
        (Generator.generate_enum_trait_implementation.is):
        (Generator.generate_enum_trait_implementation):

        Tests:

        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Rebaselined.
        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Rebaselined.
        * replay/scripts/tests/generate-enums-with-same-base-name.json: Add enum
        class types to this test case.

2014-07-28  Brian J. Burg  <burg@cs.washington.edu>

        Web Replay: vectors of characters should be base64-encoded
        https://bugs.webkit.org/show_bug.cgi?id=135341

        Reviewed by Timothy Hatcher.

        Without this specialization, encode/decode methods try to create an
        array of single characters in JSON, rather than treating the
        vector as a binary blob.

        * replay/EncodedValue.cpp:
        (JSC::EncodingTraits<Vector<char>>::encodeValue): Added.
        (JSC::EncodingTraits<Vector<char>>::decodeValue): Added.
        * replay/EncodedValue.h:

2014-07-28  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed build fix.

        * JavaScriptCore.vcxproj/JavaScriptCore.proj: Switch from the 'Rebuild' target for MSBuild
        builds to the 'Build' target to avoid a spurious 'clean' in between build steps.

2014-07-27  Ryuan Choi  <ryuan.choi@samsung.com>

        Unreviewed build fix on the EFL port

        Build break because of -Werror=return-type

        * bytecode/PutByIdVariant.cpp:
        (JSC::PutByIdVariant::oldStructureForTransition):
        * dfg/DFGValueStrength.h:
        (JSC::DFG::merge):

2014-07-27  Filip Pizlo  <fpizlo@apple.com>

        [REGRESSION][ftlopt merge][32-bit] stress/prune-multi-put-by-offset-replace-or-transition-variant.js.dfg-eager hits an assertion in SpeculativeJIT::silentSavePlanForGPR
        https://bugs.webkit.org/show_bug.cgi?id=135323

        Reviewed by Oliver Hunt.

        SpeculativeJIT::silentSavePlanForGPR likes to believe that if a node is a constant,
        then it's a constant that can be represented using that node's current DataFormat.
        This doesn't work if the constant had been filled as a JSValue, and then one of the
        fillSpeculateBlah() methods had speculated that it's of some type that the constant
        isn't. Unless fillSpeculateBlah() specifically defends against this case, we'll have
        a constant that claims to have a contradictory data format.

        This patch fixes such a bug in the 32-bit fillSpeculateCell(). The 64-bit
        fillSpeculateCell() appears to not have this bug, but I added a similar defense
        mechanism anyway just in case, since this is one of those mistakes that keeps
        reappearing.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):

2014-07-27  Filip Pizlo  <fpizlo@apple.com>

        Merge r170090, r170092, r170129, r170141, r170161, r170215, r170275, r170375, r170376, r170382, r170383, r170399, r170436, r170489, r170490, r170556 from ftlopt.

        This fixes the previous mismerge and adds test coverage for the thing that went wrong.

        Additional changes listed here:

        * jsc.cpp:
        (functionHasCustomProperties): Expose a way of checking hasCustomProperties(), which the DOM relies on. The regression I previously introduced was because this didn't work right. Now we can test it!
        * runtime/Structure.cpp:
        (JSC::Structure::Structure): This was supposed to be setDidTransition(true); the last merge had it set to false.
        * tests/stress/has-custom-properties.js: Added. This test failed with the mismerge.

    2014-06-27  Michael Saboff  <msaboff@apple.com>

            Unreviewed build fix after r169795.

            Fixed ASSERT for 32 bit build.

            * dfg/DFGSpeculativeJIT.cpp:
            (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):

    2014-06-24  Saam Barati  <sbarati@apple.com>

            Web Inspector: debugger should be able to show variable types
            https://bugs.webkit.org/show_bug.cgi?id=133395

            Reviewed by Filip Pizlo.

            Increase the amount of type information the VM gathers when directed
            to do so. This initial commit is working towards the goal of
            capturing, and then showing (via the Web Inspector) type information for all
            assignment and load operations. This patch doesn't have the feature fully
            implemented, but it ensures the VM has no performance regressions
            unless the feature is specifically turned on.

            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/BytecodeList.json:
            * bytecode/BytecodeUseDef.h:
            (JSC::computeUsesForBytecodeOffset):
            (JSC::computeDefsForBytecodeOffset):
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::dumpBytecode):
            (JSC::CodeBlock::CodeBlock):
            (JSC::CodeBlock::finalizeUnconditionally):
            * bytecode/CodeBlock.h:
            * bytecode/Instruction.h:
            * bytecode/TypeLocation.h: Added.
            (JSC::TypeLocation::TypeLocation):
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::emitMove):
            (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
            (JSC::BytecodeGenerator::emitPutToScope):
            (JSC::BytecodeGenerator::emitPutById):
            (JSC::BytecodeGenerator::emitPutByVal):
            * bytecompiler/BytecodeGenerator.h:
            (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity):
            * bytecompiler/NodesCodegen.cpp:
            (JSC::PostfixNode::emitResolve):
            (JSC::PrefixNode::emitResolve):
            (JSC::ReadModifyResolveNode::emitBytecode):
            (JSC::AssignResolveNode::emitBytecode):
            (JSC::ConstDeclNode::emitCodeSingle):
            (JSC::ForInNode::emitBytecode):
            * heap/Heap.cpp:
            (JSC::Heap::collect):
            * inspector/agents/InspectorRuntimeAgent.cpp:
            (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange):
            * inspector/agents/InspectorRuntimeAgent.h:
            * inspector/protocol/Runtime.json:
            * jsc.cpp:
            (GlobalObject::finishCreation):
            (functionDumpTypesForAllVariables):
            * llint/LLIntSlowPaths.cpp:
            (JSC::LLInt::LLINT_SLOW_PATH_DECL):
            (JSC::LLInt::putToScopeCommon):
            * llint/LLIntSlowPaths.h:
            * llint/LowLevelInterpreter.asm:
            * runtime/HighFidelityLog.cpp: Added.
            (JSC::HighFidelityLog::initializeHighFidelityLog):
            (JSC::HighFidelityLog::~HighFidelityLog):
            (JSC::HighFidelityLog::recordTypeInformationForLocation):
            (JSC::HighFidelityLog::processHighFidelityLog):
            (JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
            * runtime/HighFidelityLog.h: Added.
            (JSC::HighFidelityLog::HighFidelityLog):
            * runtime/HighFidelityTypeProfiler.cpp: Added.
            (JSC::HighFidelityTypeProfiler::getTypesForVariableInRange):
            (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange):
            (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange):
            (JSC::HighFidelityTypeProfiler::insertNewLocation):
            (JSC::HighFidelityTypeProfiler::getLocationBasedHash):
            * runtime/HighFidelityTypeProfiler.h: Added.
            * runtime/Options.h:
            * runtime/Structure.cpp:
            (JSC::Structure::toStructureShape):
            * runtime/Structure.h:
            * runtime/SymbolTable.cpp:
            (JSC::SymbolTable::SymbolTable):
            (JSC::SymbolTable::cloneCapturedNames):
            (JSC::SymbolTable::uniqueIDForVariable):
            (JSC::SymbolTable::uniqueIDForRegister):
            (JSC::SymbolTable::globalTypeSetForRegister):
            (JSC::SymbolTable::globalTypeSetForVariable):
            * runtime/SymbolTable.h:
            (JSC::SymbolTable::add):
            (JSC::SymbolTable::set):
            * runtime/TypeSet.cpp: Added.
            (JSC::TypeSet::TypeSet):
            (JSC::TypeSet::getRuntimeTypeForValue):
            (JSC::TypeSet::addTypeForValue):
            (JSC::TypeSet::removeDuplicatesInStructureHistory):
            (JSC::TypeSet::seenTypes):
            (JSC::TypeSet::dumpSeenTypes):
            (JSC::StructureShape::StructureShape):
            (JSC::StructureShape::markAsFinal):
            (JSC::StructureShape::addProperty):
            (JSC::StructureShape::propertyHash):
            (JSC::StructureShape::leastUpperBound):
            (JSC::StructureShape::stringRepresentation):
            * runtime/TypeSet.h: Added.
            (JSC::StructureShape::create):
            (JSC::TypeSet::create):
            * runtime/VM.cpp:
            (JSC::VM::VM):
            (JSC::VM::getTypesForVariableInRange):
            (JSC::VM::updateHighFidelityTypeProfileState):
            (JSC::VM::dumpHighFidelityProfilingTypes):
            * runtime/VM.h:
            (JSC::VM::isProfilingTypesWithHighFidelity):
            (JSC::VM::highFidelityLog):
            (JSC::VM::highFidelityTypeProfiler):
            (JSC::VM::nextLocation):
            (JSC::VM::getNextUniqueVariableID):

    2014-06-26  Mark Lam  <mark.lam@apple.com>

            Remove unused instantiation of the WithScope structure.
            <https://webkit.org/b/134331>

            Reviewed by Oliver Hunt.

            The WithScope structure instance in the VM is unused, and is now removed.

            * runtime/VM.cpp:
            (JSC::VM::VM):
            * runtime/VM.h:

    2014-06-25  Mark Hahnenberg  <mhahnenberg@apple.com>

            Structure bit fields should have a consistent format
            https://bugs.webkit.org/show_bug.cgi?id=134307

            Reviewed by Filip Pizlo.

            Currently we use C-style bit fields for a number of member variables in Structure to save space.
            This makes it difficult to load these fields in the JIT. We should instead use our own bitfield
            format to make it easy to load and test these variables in JIT code.

            * runtime/JSObject.cpp:
            (JSC::JSObject::putDirectNonIndexAccessor):
            (JSC::JSObject::reifyStaticFunctionsForDelete):
            * runtime/Structure.cpp:
            (JSC::StructureTransitionTable::contains):
            (JSC::StructureTransitionTable::get):
            (JSC::StructureTransitionTable::add):
            (JSC::Structure::Structure):
            (JSC::Structure::materializePropertyMap):
            (JSC::Structure::addPropertyTransition):
            (JSC::Structure::despecifyFunctionTransition):
            (JSC::Structure::toDictionaryTransition):
            (JSC::Structure::freezeTransition):
            (JSC::Structure::preventExtensionsTransition):
            (JSC::Structure::takePropertyTableOrCloneIfPinned):
            (JSC::Structure::nonPropertyTransition):
            (JSC::Structure::flattenDictionaryStructure):
            (JSC::Structure::addPropertyWithoutTransition):
            (JSC::Structure::pin):
            (JSC::Structure::allocateRareData):
            (JSC::Structure::cloneRareDataFrom):
            (JSC::Structure::getConcurrently):
            (JSC::Structure::putSpecificValue):
            (JSC::Structure::getPropertyNamesFromStructure):
            (JSC::Structure::visitChildren):
            (JSC::Structure::checkConsistency):
            * runtime/Structure.h:
            (JSC::Structure::isExtensible):
            (JSC::Structure::isDictionary):
            (JSC::Structure::isUncacheableDictionary):
            (JSC::Structure::propertyAccessesAreCacheable):
            (JSC::Structure::previousID):
            (JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck):
            (JSC::Structure::setContainsReadOnlyProperties):
            (JSC::Structure::disableSpecificFunctionTracking):
            (JSC::Structure::objectToStringValue):
            (JSC::Structure::setObjectToStringValue):
            (JSC::Structure::setPreviousID):
            (JSC::Structure::clearPreviousID):
            (JSC::Structure::previous):
            (JSC::Structure::rareData):
            (JSC::Structure::didTransition): Deleted.
            (JSC::Structure::hasGetterSetterProperties): Deleted.
            (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto): Deleted.
            (JSC::Structure::setHasGetterSetterProperties): Deleted.
            (JSC::Structure::hasNonEnumerableProperties): Deleted.
            (JSC::Structure::staticFunctionsReified): Deleted.
            (JSC::Structure::setStaticFunctionsReified): Deleted.
            * runtime/StructureInlines.h:
            (JSC::Structure::setEnumerationCache):
            (JSC::Structure::enumerationCache):
            (JSC::Structure::checkOffsetConsistency):

    2014-06-24  Mark Lam  <mark.lam@apple.com>

            [ftlopt] Renamed DebuggerActivation to DebuggerScope.
            <https://webkit.org/b/134273>

            Reviewed by Michael Saboff.

            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * debugger/DebuggerActivation.cpp: Removed.
            * debugger/DebuggerActivation.h: Removed.
            * debugger/DebuggerScope.cpp: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.cpp.
            (JSC::DebuggerScope::DebuggerScope):
            (JSC::DebuggerScope::finishCreation):
            (JSC::DebuggerScope::visitChildren):
            (JSC::DebuggerScope::className):
            (JSC::DebuggerScope::getOwnPropertySlot):
            (JSC::DebuggerScope::put):
            (JSC::DebuggerScope::deleteProperty):
            (JSC::DebuggerScope::getOwnPropertyNames):
            (JSC::DebuggerScope::defineOwnProperty):
            (JSC::DebuggerActivation::DebuggerActivation): Deleted.
            (JSC::DebuggerActivation::finishCreation): Deleted.
            (JSC::DebuggerActivation::visitChildren): Deleted.
            (JSC::DebuggerActivation::className): Deleted.
            (JSC::DebuggerActivation::getOwnPropertySlot): Deleted.
            (JSC::DebuggerActivation::put): Deleted.
            (JSC::DebuggerActivation::deleteProperty): Deleted.
            (JSC::DebuggerActivation::getOwnPropertyNames): Deleted.
            (JSC::DebuggerActivation::defineOwnProperty): Deleted.
            * debugger/DebuggerScope.h: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.h.
            (JSC::DebuggerScope::create):
            (JSC::DebuggerActivation::create): Deleted.
            * runtime/VM.cpp:
            (JSC::VM::VM):
            * runtime/VM.h:

    2014-06-24  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] PutByIdFlush can also be converted to a PutByOffset so don't assert otherwise
            https://bugs.webkit.org/show_bug.cgi?id=134265

            Reviewed by Geoffrey Garen.

            More assertion fallout from the PutById folding work.

            * dfg/DFGNode.h:
            (JSC::DFG::Node::convertToPutByOffset):

    2014-06-24  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] GC should notify us if it resets to_this
            https://bugs.webkit.org/show_bug.cgi?id=128231

            Reviewed by Geoffrey Garen.

            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/BytecodeList.json:
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::dumpBytecode):
            (JSC::CodeBlock::finalizeUnconditionally):
            * bytecode/Instruction.h:
            * bytecode/ToThisStatus.cpp: Added.
            (JSC::merge):
            (WTF::printInternal):
            * bytecode/ToThisStatus.h: Added.
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::BytecodeGenerator):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::parseBlock):
            * llint/LowLevelInterpreter32_64.asm:
            * llint/LowLevelInterpreter64.asm:
            * runtime/CommonSlowPaths.cpp:
            (JSC::SLOW_PATH_DECL):

    2014-06-24  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] StructureAbstractValue::onlyStructure() should return nullptr if isClobbered()
            https://bugs.webkit.org/show_bug.cgi?id=134256

            Reviewed by Michael Saboff.

            This isn't testable right now (i.e. it's benign) but we should get it right anyway. The
            point is to be able to precisely model what goes on in the snippets of code between a
            side-effect and an InvalidationPoint.

            This patch also cleans up onlyStructure() by delegating more work to
            StructureSet::onlyStructure().

            * dfg/DFGStructureAbstractValue.h:
            (JSC::DFG::StructureAbstractValue::onlyStructure):

    2014-06-24  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt][REGRESSION] PutById AI is introducing watchable structures without watching them
            https://bugs.webkit.org/show_bug.cgi?id=134260

            Reviewed by Geoffrey Garen.

            This was causing loads of assertion failures in debug builds.

            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

    2014-06-21  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] Fold GetById/PutById to MultiGetByOffset/GetByOffset or MultiPutByOffset/PutByOffset, which implies handling non-singleton sets
            https://bugs.webkit.org/show_bug.cgi?id=134090

            Reviewed by Oliver Hunt.

            This pretty much finishes off the work to eliminate the special-casing of singleton
            structure sets by making it possible to fold GetById and PutById to various polymorphic
            forms of the ByOffset nodes.

            * bytecode/GetByIdStatus.cpp:
            (JSC::GetByIdStatus::computeForStubInfo):
            (JSC::GetByIdStatus::computeFor):
            * bytecode/GetByIdStatus.h:
            * bytecode/PutByIdStatus.cpp:
            (JSC::PutByIdStatus::computeFor):
            * bytecode/PutByIdStatus.h:
            * bytecode/PutByIdVariant.h:
            (JSC::PutByIdVariant::constantChecks):
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::parseBlock):
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
            (JSC::DFG::ConstantFoldingPhase::addChecks):
            * dfg/DFGNode.h:
            (JSC::DFG::Node::convertToMultiGetByOffset):
            (JSC::DFG::Node::convertToMultiPutByOffset):
            * dfg/DFGSpeculativeJIT64.cpp: Also convert all release assertions to DFG assertions in this file, because I was hitting some of them while debugging.
            (JSC::DFG::SpeculativeJIT::fillJSValue):
            (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
            (JSC::DFG::SpeculativeJIT::emitCall):
            (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
            (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
            (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
            (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
            (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
            (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
            (JSC::DFG::SpeculativeJIT::compileLogicalNot):
            (JSC::DFG::SpeculativeJIT::emitBranch):
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGStructureAbstractValue.h:
            (JSC::DFG::StructureAbstractValue::set):

    2014-06-19  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] StructureSet::onlyStructure() should return nullptr if it's not a singleton (instead of asserting)
            https://bugs.webkit.org/show_bug.cgi?id=134077

            Reviewed by Sam Weinig.

            This makes StructureSet and StructureAbstractValue more consistent and fixes a debug assert
            in the abstract interpreter.

            * bytecode/StructureSet.h:
            (JSC::StructureSet::onlyStructure):

    2014-06-18  Filip Pizlo  <fpizlo@apple.com>

            DFG AI and constant folder should be able to precisely prune MultiGetByOffset/MultiPutByOffset even if the base structure abstract value is not a singleton
            https://bugs.webkit.org/show_bug.cgi?id=133918

            Reviewed by Mark Hahnenberg.

            This also adds pruning of PutStructure, since I basically had no choice but
            to implement such logic within MultiPutByOffset.

            Also adds a bunch of PutById cache status dumping to bytecode dumping.

            * bytecode/GetByIdVariant.cpp:
            (JSC::GetByIdVariant::dumpInContext):
            * bytecode/GetByIdVariant.h:
            (JSC::GetByIdVariant::structureSet):
            * bytecode/PutByIdVariant.h:
            (JSC::PutByIdVariant::oldStructure):
            * bytecode/StructureSet.cpp:
            (JSC::StructureSet::filter):
            (JSC::StructureSet::filterArrayModes):
            * bytecode/StructureSet.h:
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGAbstractValue.cpp:
            (JSC::DFG::AbstractValue::changeStructure):
            (JSC::DFG::AbstractValue::contains):
            * dfg/DFGAbstractValue.h:
            (JSC::DFG::AbstractValue::couldBeType):
            (JSC::DFG::AbstractValue::isType):
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
            (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
            (JSC::DFG::ConstantFoldingPhase::addBaseCheck):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::freezeStrong):
            * dfg/DFGGraph.h:
            * dfg/DFGStructureAbstractValue.h:
            (JSC::DFG::StructureAbstractValue::operator=):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
            * tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Added.
            (foo):
            (fu):
            (bar):
            (baz):
            (.bar):
            (.baz):
            * tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Added.
            (foo):
            (fu):
            (bar):
            (baz):
            (.bar):
            (.baz):
            * tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Added.
            (foo):
            (fu):
            (bar):
            (baz):
            (.bar):
            (.baz):

    2014-06-18  Mark Hahnenberg  <mhahnenberg@apple.com>

            Remove CompoundType and LeafType
            https://bugs.webkit.org/show_bug.cgi?id=134037

            Reviewed by Filip Pizlo.

            We don't use them for anything. We'll replace them with a generic CellType type for all
            the objects that are JSCells, aren't JSObjects, and for which we generally don't care about
            their JSType at runtime.

            * llint/LLIntData.cpp:
            (JSC::LLInt::Data::performAssertions):
            * runtime/ArrayBufferNeuteringWatchpoint.cpp:
            (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
            * runtime/Executable.h:
            (JSC::ExecutableBase::createStructure):
            (JSC::NativeExecutable::createStructure):
            * runtime/JSPromiseDeferred.h:
            (JSC::JSPromiseDeferred::createStructure):
            * runtime/JSPromiseReaction.h:
            (JSC::JSPromiseReaction::createStructure):
            * runtime/JSPropertyNameIterator.h:
            (JSC::JSPropertyNameIterator::createStructure):
            * runtime/JSType.h:
            * runtime/JSTypeInfo.h:
            (JSC::TypeInfo::TypeInfo):
            * runtime/MapData.h:
            (JSC::MapData::createStructure):
            * runtime/PropertyMapHashTable.h:
            (JSC::PropertyTable::createStructure):
            * runtime/RegExp.h:
            (JSC::RegExp::createStructure):
            * runtime/SparseArrayValueMap.cpp:
            (JSC::SparseArrayValueMap::createStructure):
            * runtime/Structure.cpp:
            (JSC::Structure::Structure):
            * runtime/StructureChain.h:
            (JSC::StructureChain::createStructure):
            * runtime/StructureRareData.cpp:
            (JSC::StructureRareData::createStructure):
            * runtime/SymbolTable.h:
            (JSC::SymbolTable::createStructure):
            * runtime/WeakMapData.h:
            (JSC::WeakMapData::createStructure):

    2014-06-17  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] PutStructure and PhantomPutStructure shouldn't leave the world in a clobbered state
            https://bugs.webkit.org/show_bug.cgi?id=134002

            Reviewed by Mark Hahnenberg.

            The effect of this bug was that if we had a PutStructure or PhantomPutStructure then any
            JSConstants would be in a Clobbered state, so we wouldn't take advantage of our knowledge
            of the structure if that structure was watchable.

            Also kill PhantomPutStructure.

            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
            * dfg/DFGClobberize.h:
            (JSC::DFG::clobberize):
            * dfg/DFGDoesGC.cpp:
            (JSC::DFG::doesGC):
            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::fixupNode):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::visitChildren):
            * dfg/DFGNode.h:
            (JSC::DFG::Node::hasTransition):
            * dfg/DFGNodeType.h:
            * dfg/DFGPredictionPropagationPhase.cpp:
            (JSC::DFG::PredictionPropagationPhase::propagate):
            * dfg/DFGSafeToExecute.h:
            (JSC::DFG::safeToExecute):
            * dfg/DFGSpeculativeJIT32_64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGSpeculativeJIT64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGStructureAbstractValue.cpp:
            (JSC::DFG::StructureAbstractValue::observeTransition):
            (JSC::DFG::StructureAbstractValue::observeTransitions):
            * dfg/DFGValidate.cpp:
            (JSC::DFG::Validate::validate):
            * dfg/DFGWatchableStructureWatchingPhase.cpp:
            (JSC::DFG::WatchableStructureWatchingPhase::run):
            * ftl/FTLCapabilities.cpp:
            (JSC::FTL::canCompile):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileNode):
            (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure): Deleted.

    2014-06-17  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] DFG put_by_id should inline accesses with a slightly polymorphic base
            https://bugs.webkit.org/show_bug.cgi?id=133964

            Reviewed by Mark Hahnenberg.

            * bytecode/PutByIdStatus.cpp:
            (JSC::PutByIdStatus::appendVariant):
            (JSC::PutByIdStatus::computeForStubInfo):
            * bytecode/PutByIdVariant.cpp:
            (JSC::PutByIdVariant::oldStructureForTransition):
            (JSC::PutByIdVariant::writesStructures):
            (JSC::PutByIdVariant::reallocatesStorage):
            (JSC::PutByIdVariant::attemptToMerge):
            (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace):
            (JSC::PutByIdVariant::dumpInContext):
            * bytecode/PutByIdVariant.h:
            (JSC::PutByIdVariant::PutByIdVariant):
            (JSC::PutByIdVariant::replace):
            (JSC::PutByIdVariant::transition):
            (JSC::PutByIdVariant::structure):
            (JSC::PutByIdVariant::oldStructure):
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::handlePutById):
            (JSC::DFG::ByteCodeParser::parseBlock):
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::visitChildren):
            * dfg/DFGNode.cpp:
            (JSC::DFG::MultiPutByOffsetData::writesStructures):
            (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
            * ftl/FTLAbbreviations.h:
            (JSC::FTL::getLinkage):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
            (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):

2014-07-26  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out r171641-r171644. It broke some tests; will investigate and
        reland later.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::printPutByIdCacheStatus): Deleted.
        * bytecode/CodeBlock.h:
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfo):
        (JSC::GetByIdStatus::computeFor):
        * bytecode/GetByIdStatus.h:
        * bytecode/GetByIdVariant.cpp:
        (JSC::GetByIdVariant::dumpInContext):
        * bytecode/GetByIdVariant.h:
        (JSC::GetByIdVariant::structureSet):
        * bytecode/Instruction.h:
        * bytecode/PutByIdStatus.cpp:
1397         (JSC::PutByIdStatus::appendVariant):
1398         (JSC::PutByIdStatus::computeForStubInfo):
1399         (JSC::PutByIdStatus::computeFor):
1400         * bytecode/PutByIdStatus.h:
1401         * bytecode/PutByIdVariant.cpp:
1402         (JSC::PutByIdVariant::dumpInContext):
1403         (JSC::PutByIdVariant::oldStructureForTransition): Deleted.
1404         (JSC::PutByIdVariant::writesStructures): Deleted.
1405         (JSC::PutByIdVariant::reallocatesStorage): Deleted.
1406         (JSC::PutByIdVariant::attemptToMerge): Deleted.
1407         (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace): Deleted.
1408         * bytecode/PutByIdVariant.h:
1409         (JSC::PutByIdVariant::PutByIdVariant):
1410         (JSC::PutByIdVariant::replace):
1411         (JSC::PutByIdVariant::transition):
1412         (JSC::PutByIdVariant::structure):
1413         (JSC::PutByIdVariant::oldStructure):
1414         (JSC::PutByIdVariant::newStructure):
1415         (JSC::PutByIdVariant::constantChecks):
1416         * bytecode/StructureSet.cpp:
1417         (JSC::StructureSet::filter): Deleted.
1418         (JSC::StructureSet::filterArrayModes): Deleted.
1419         * bytecode/StructureSet.h:
1420         (JSC::StructureSet::onlyStructure):
1421         * bytecode/ToThisStatus.cpp: Removed.
1422         * bytecode/ToThisStatus.h: Removed.
1423         * bytecode/TypeLocation.h: Removed.
1424         * bytecompiler/BytecodeGenerator.cpp:
1425         (JSC::BytecodeGenerator::BytecodeGenerator):
1426         (JSC::BytecodeGenerator::emitMove):
1427         (JSC::BytecodeGenerator::emitPutToScope):
1428         (JSC::BytecodeGenerator::emitPutById):
1429         (JSC::BytecodeGenerator::emitPutByVal):
1430         (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity): Deleted.
1431         * bytecompiler/BytecodeGenerator.h:
1432         (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity): Deleted.
1433         * bytecompiler/NodesCodegen.cpp:
1434         (JSC::PostfixNode::emitResolve):
1435         (JSC::PrefixNode::emitResolve):
1436         (JSC::ReadModifyResolveNode::emitBytecode):
1437         (JSC::AssignResolveNode::emitBytecode):
1438         (JSC::ConstDeclNode::emitCodeSingle):
1439         (JSC::ForInNode::emitBytecode):
1440         * debugger/DebuggerActivation.cpp: Added.
1441         (JSC::DebuggerActivation::DebuggerActivation):
1442         (JSC::DebuggerActivation::finishCreation):
1443         (JSC::DebuggerActivation::visitChildren):
1444         (JSC::DebuggerActivation::className):
1445         (JSC::DebuggerActivation::getOwnPropertySlot):
1446         (JSC::DebuggerActivation::put):
1447         (JSC::DebuggerActivation::deleteProperty):
1448         (JSC::DebuggerActivation::getOwnPropertyNames):
1449         (JSC::DebuggerActivation::defineOwnProperty):
1450         * debugger/DebuggerActivation.h: Added.
1451         (JSC::DebuggerActivation::create):
1452         (JSC::DebuggerActivation::createStructure):
1453         * debugger/DebuggerScope.cpp: Removed.
1454         * debugger/DebuggerScope.h: Removed.
1455         * dfg/DFGAbstractInterpreterInlines.h:
1456         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1457         (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
1458         (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
1459         * dfg/DFGAbstractValue.cpp:
1460         (JSC::DFG::AbstractValue::changeStructure): Deleted.
1461         (JSC::DFG::AbstractValue::contains): Deleted.
1462         * dfg/DFGAbstractValue.h:
1463         (JSC::DFG::AbstractValue::couldBeType):
1464         (JSC::DFG::AbstractValue::isType):
1465         * dfg/DFGByteCodeParser.cpp:
1466         (JSC::DFG::ByteCodeParser::handlePutById):
1467         (JSC::DFG::ByteCodeParser::parseBlock):
1468         * dfg/DFGClobberize.h:
1469         (JSC::DFG::clobberize):
1470         * dfg/DFGConstantFoldingPhase.cpp:
1471         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1472         (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
1473         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
1474         (JSC::DFG::ConstantFoldingPhase::addBaseCheck): Deleted.
1475         (JSC::DFG::ConstantFoldingPhase::addChecks): Deleted.
1476         * dfg/DFGDoesGC.cpp:
1477         (JSC::DFG::doesGC):
1478         * dfg/DFGFixupPhase.cpp:
1479         (JSC::DFG::FixupPhase::fixupNode):
1480         * dfg/DFGGraph.cpp:
1481         (JSC::DFG::Graph::visitChildren):
1482         (JSC::DFG::Graph::freezeStrong):
1483         * dfg/DFGGraph.h:
1484         * dfg/DFGNode.cpp:
1485         (JSC::DFG::MultiPutByOffsetData::writesStructures):
1486         (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
1487         * dfg/DFGNode.h:
1488         (JSC::DFG::Node::convertToPutByOffset):
1489         (JSC::DFG::Node::hasTransition):
1490         (JSC::DFG::Node::convertToMultiGetByOffset): Deleted.
1491         (JSC::DFG::Node::convertToMultiPutByOffset): Deleted.
1492         * dfg/DFGNodeType.h:
1493         * dfg/DFGPredictionPropagationPhase.cpp:
1494         (JSC::DFG::PredictionPropagationPhase::propagate):
1495         * dfg/DFGSafeToExecute.h:
1496         (JSC::DFG::safeToExecute):
1497         * dfg/DFGSpeculativeJIT.cpp:
1498         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
1499         * dfg/DFGSpeculativeJIT32_64.cpp:
1500         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1501         (JSC::DFG::SpeculativeJIT::compile):
1502         * dfg/DFGSpeculativeJIT64.cpp:
1503         (JSC::DFG::SpeculativeJIT::fillJSValue):
1504         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
1505         (JSC::DFG::SpeculativeJIT::emitCall):
1506         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
1507         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
1508         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
1509         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1510         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1511         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1512         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1513         (JSC::DFG::SpeculativeJIT::emitBranch):
1514         (JSC::DFG::SpeculativeJIT::compile):
1515         * dfg/DFGStructureAbstractValue.cpp:
1516         (JSC::DFG::StructureAbstractValue::observeTransition):
1517         (JSC::DFG::StructureAbstractValue::observeTransitions):
1518         * dfg/DFGStructureAbstractValue.h:
1519         (JSC::DFG::StructureAbstractValue::onlyStructure):
1520         (JSC::DFG::StructureAbstractValue::operator=): Deleted.
1521         (JSC::DFG::StructureAbstractValue::set): Deleted.
1522         * dfg/DFGValidate.cpp:
1523         (JSC::DFG::Validate::validate):
1524         * dfg/DFGWatchableStructureWatchingPhase.cpp:
1525         (JSC::DFG::WatchableStructureWatchingPhase::run):
1526         * ftl/FTLAbbreviations.h:
1527         (JSC::FTL::getLinkage): Deleted.
1528         * ftl/FTLCapabilities.cpp:
1529         (JSC::FTL::canCompile):
1530         * ftl/FTLLowerDFGToLLVM.cpp:
1531         (JSC::FTL::LowerDFGToLLVM::compileNode):
1532         (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure):
1533         (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
1534         (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
1535         (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
1536         * heap/Heap.cpp:
1537         (JSC::Heap::collect):
1538         * inspector/agents/InspectorRuntimeAgent.cpp:
1539         (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange): Deleted.
1540         * inspector/agents/InspectorRuntimeAgent.h:
1541         * inspector/protocol/Runtime.json:
1542         * jsc.cpp:
1543         (GlobalObject::finishCreation):
1544         (functionDumpTypesForAllVariables): Deleted.
1545         * llint/LLIntData.cpp:
1546         (JSC::LLInt::Data::performAssertions):
1547         * llint/LLIntSlowPaths.cpp:
1548         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1549         (JSC::LLInt::putToScopeCommon): Deleted.
1550         * llint/LLIntSlowPaths.h:
1551         * llint/LowLevelInterpreter.asm:
1552         * llint/LowLevelInterpreter32_64.asm:
1553         * llint/LowLevelInterpreter64.asm:
1554         * runtime/ArrayBufferNeuteringWatchpoint.cpp:
1555         (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
1556         * runtime/CommonSlowPaths.cpp:
1557         (JSC::SLOW_PATH_DECL):
1558         * runtime/Executable.h:
1559         (JSC::ExecutableBase::createStructure):
1560         (JSC::NativeExecutable::createStructure):
1561         * runtime/HighFidelityLog.cpp: Removed.
1562         * runtime/HighFidelityLog.h: Removed.
1563         * runtime/HighFidelityTypeProfiler.cpp: Removed.
1564         * runtime/HighFidelityTypeProfiler.h: Removed.
1565         * runtime/JSObject.cpp:
1566         (JSC::JSObject::putDirectCustomAccessor):
1567         (JSC::JSObject::putDirectNonIndexAccessor):
1568         (JSC::JSObject::reifyStaticFunctionsForDelete):
1569         * runtime/JSPromiseDeferred.h:
1570         (JSC::JSPromiseDeferred::createStructure):
1571         * runtime/JSPromiseReaction.h:
1572         (JSC::JSPromiseReaction::createStructure):
1573         * runtime/JSPropertyNameIterator.h:
1574         (JSC::JSPropertyNameIterator::createStructure):
1575         * runtime/JSType.h:
1576         * runtime/JSTypeInfo.h:
1577         (JSC::TypeInfo::TypeInfo):
1578         * runtime/MapData.h:
1579         (JSC::MapData::createStructure):
1580         * runtime/Options.h:
1581         * runtime/PropertyMapHashTable.h:
1582         (JSC::PropertyTable::createStructure):
1583         * runtime/RegExp.h:
1584         (JSC::RegExp::createStructure):
1585         * runtime/SparseArrayValueMap.cpp:
1586         (JSC::SparseArrayValueMap::createStructure):
1587         * runtime/Structure.cpp:
1588         (JSC::StructureTransitionTable::contains):
1589         (JSC::StructureTransitionTable::get):
1590         (JSC::StructureTransitionTable::add):
1591         (JSC::Structure::Structure):
1592         (JSC::Structure::materializePropertyMap):
1593         (JSC::Structure::addPropertyTransition):
1594         (JSC::Structure::despecifyFunctionTransition):
1595         (JSC::Structure::toDictionaryTransition):
1596         (JSC::Structure::freezeTransition):
1597         (JSC::Structure::preventExtensionsTransition):
1598         (JSC::Structure::takePropertyTableOrCloneIfPinned):
1599         (JSC::Structure::nonPropertyTransition):
1600         (JSC::Structure::flattenDictionaryStructure):
1601         (JSC::Structure::addPropertyWithoutTransition):
1602         (JSC::Structure::pin):
1603         (JSC::Structure::allocateRareData):
1604         (JSC::Structure::cloneRareDataFrom):
1605         (JSC::Structure::getConcurrently):
1606         (JSC::Structure::putSpecificValue):
1607         (JSC::Structure::getPropertyNamesFromStructure):
1608         (JSC::Structure::visitChildren):
1609         (JSC::Structure::checkConsistency):
1610         (JSC::Structure::toStructureShape): Deleted.
1611         * runtime/Structure.h:
1612         (JSC::Structure::isExtensible):
1613         (JSC::Structure::didTransition):
1614         (JSC::Structure::isDictionary):
1615         (JSC::Structure::isUncacheableDictionary):
1616         (JSC::Structure::hasBeenFlattenedBefore):
1617         (JSC::Structure::propertyAccessesAreCacheable):
1618         (JSC::Structure::previousID):
1619         (JSC::Structure::hasGetterSetterProperties):
1620         (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto):
1621         (JSC::Structure::setHasGetterSetterProperties):
1622         (JSC::Structure::hasCustomGetterSetterProperties):
1623         (JSC::Structure::setHasCustomGetterSetterProperties):
1624         (JSC::Structure::setContainsReadOnlyProperties):
1625         (JSC::Structure::hasNonEnumerableProperties):
1626         (JSC::Structure::disableSpecificFunctionTracking):
1627         (JSC::Structure::objectToStringValue):
1628         (JSC::Structure::setObjectToStringValue):
1629         (JSC::Structure::staticFunctionsReified):
1630         (JSC::Structure::setStaticFunctionsReified):
1631         (JSC::Structure::transitionWatchpointSet):
1632         (JSC::Structure::setPreviousID):
1633         (JSC::Structure::clearPreviousID):
1634         (JSC::Structure::previous):
1635         (JSC::Structure::rareData):
1636         (JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck): Deleted.
1637         (JSC::Structure::setHasCustomGetterSetterPropertiesWithProtoCheck): Deleted.
1638         * runtime/StructureChain.h:
1639         (JSC::StructureChain::createStructure):
1640         * runtime/StructureInlines.h:
1641         (JSC::Structure::setEnumerationCache):
1642         (JSC::Structure::enumerationCache):
1643         (JSC::Structure::checkOffsetConsistency):
1644         * runtime/StructureRareData.cpp:
1645         (JSC::StructureRareData::createStructure):
1646         * runtime/SymbolTable.cpp:
1647         (JSC::SymbolTable::SymbolTable):
1648         (JSC::SymbolTable::cloneCapturedNames):
1649         (JSC::SymbolTable::uniqueIDForVariable): Deleted.
1650         (JSC::SymbolTable::uniqueIDForRegister): Deleted.
1651         (JSC::SymbolTable::globalTypeSetForRegister): Deleted.
1652         (JSC::SymbolTable::globalTypeSetForVariable): Deleted.
1653         * runtime/SymbolTable.h:
1654         (JSC::SymbolTable::createStructure):
1655         (JSC::SymbolTable::add):
1656         (JSC::SymbolTable::set):
1657         * runtime/TypeSet.cpp: Removed.
1658         * runtime/TypeSet.h: Removed.
1659         * runtime/VM.cpp:
1660         (JSC::VM::VM):
1661         (JSC::VM::getTypesForVariableInRange): Deleted.
1662         (JSC::VM::updateHighFidelityTypeProfileState): Deleted.
1663         (JSC::VM::dumpHighFidelityProfilingTypes): Deleted.
1664         * runtime/VM.h:
1665         (JSC::VM::isProfilingTypesWithHighFidelity): Deleted.
1666         (JSC::VM::highFidelityLog): Deleted.
1667         (JSC::VM::highFidelityTypeProfiler): Deleted.
1668         (JSC::VM::nextLocation): Deleted.
1669         (JSC::VM::getNextUniqueVariableID): Deleted.
1670         * runtime/WeakMapData.h:
1671         (JSC::WeakMapData::createStructure):
1672         * tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Removed.
1673         * tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Removed.
1674         * tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Removed.
1675
1676 2014-07-25  Filip Pizlo  <fpizlo@apple.com>
1677
1678         Attempt to fix non-Xcode platforms.
1679
1680         * CMakeLists.txt:
1681         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1682
1683 2014-07-25  Filip Pizlo  <fpizlo@apple.com>
1684
1685         Fix cloop.
1686
1687         * bytecode/CodeBlock.cpp:
1688         (JSC::dumpChain):
1689         (JSC::CodeBlock::printPutByIdCacheStatus):
1690         * bytecode/StructureSet.cpp:
1691         * bytecode/StructureSet.h:
1692
1693 2014-07-25  Filip Pizlo  <fpizlo@apple.com>
1694
1695         Merge r170090, r170092, r170129, r170141, r170161, r170215, r170275, r170375, r170376, r170382, r170383, r170399, r170436, r170489, r170490, r170556 from ftlopt.
1696
1697     2014-06-27  Michael Saboff  <msaboff@apple.com>
1698     
1699             Unreviewed build fix after r169795.
1700     
1701             Fixed ASSERT for 32 bit build.
1702     
1703             * dfg/DFGSpeculativeJIT.cpp:
1704             (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
1705     
1706     2014-06-24  Saam Barati  <sbarati@apple.com>
1707     
1708             Web Inspector: debugger should be able to show variable types
1709             https://bugs.webkit.org/show_bug.cgi?id=133395
1710     
1711             Reviewed by Filip Pizlo.
1712     
1713             Increase the amount of type information the VM gathers when directed
1714             to do so. This initial commit is working towards the goal of
1715             capturing, and then showing (via the Web Inspector) type information for all
1716             assignment and load operations. This patch doesn't have the feature fully 
1717             implemented, but it ensures the VM has no performance regressions
1718             unless the feature is specifically turned on.
1719     
1720             * JavaScriptCore.xcodeproj/project.pbxproj:
1721             * bytecode/BytecodeList.json:
1722             * bytecode/BytecodeUseDef.h:
1723             (JSC::computeUsesForBytecodeOffset):
1724             (JSC::computeDefsForBytecodeOffset):
1725             * bytecode/CodeBlock.cpp:
1726             (JSC::CodeBlock::dumpBytecode):
1727             (JSC::CodeBlock::CodeBlock):
1728             (JSC::CodeBlock::finalizeUnconditionally):
1729             * bytecode/CodeBlock.h:
1730             * bytecode/Instruction.h:
1731             * bytecode/TypeLocation.h: Added.
1732             (JSC::TypeLocation::TypeLocation):
1733             * bytecompiler/BytecodeGenerator.cpp:
1734             (JSC::BytecodeGenerator::emitMove):
1735             (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
1736             (JSC::BytecodeGenerator::emitPutToScope):
1737             (JSC::BytecodeGenerator::emitPutById):
1738             (JSC::BytecodeGenerator::emitPutByVal):
1739             * bytecompiler/BytecodeGenerator.h:
1740             (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity):
1741             * bytecompiler/NodesCodegen.cpp:
1742             (JSC::PostfixNode::emitResolve):
1743             (JSC::PrefixNode::emitResolve):
1744             (JSC::ReadModifyResolveNode::emitBytecode):
1745             (JSC::AssignResolveNode::emitBytecode):
1746             (JSC::ConstDeclNode::emitCodeSingle):
1747             (JSC::ForInNode::emitBytecode):
1748             * heap/Heap.cpp:
1749             (JSC::Heap::collect):
1750             * inspector/agents/InspectorRuntimeAgent.cpp:
1751             (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange):
1752             * inspector/agents/InspectorRuntimeAgent.h:
1753             * inspector/protocol/Runtime.json:
1754             * jsc.cpp:
1755             (GlobalObject::finishCreation):
1756             (functionDumpTypesForAllVariables):
1757             * llint/LLIntSlowPaths.cpp:
1758             (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1759             (JSC::LLInt::putToScopeCommon):
1760             * llint/LLIntSlowPaths.h:
1761             * llint/LowLevelInterpreter.asm:
1762             * runtime/HighFidelityLog.cpp: Added.
1763             (JSC::HighFidelityLog::initializeHighFidelityLog):
1764             (JSC::HighFidelityLog::~HighFidelityLog):
1765             (JSC::HighFidelityLog::recordTypeInformationForLocation):
1766             (JSC::HighFidelityLog::processHighFidelityLog):
1767             (JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
1768             * runtime/HighFidelityLog.h: Added.
1769             (JSC::HighFidelityLog::HighFidelityLog):
1770             * runtime/HighFidelityTypeProfiler.cpp: Added.
1771             (JSC::HighFidelityTypeProfiler::getTypesForVariableInRange):
1772             (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange):
1773             (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange):
1774             (JSC::HighFidelityTypeProfiler::insertNewLocation):
1775             (JSC::HighFidelityTypeProfiler::getLocationBasedHash):
1776             * runtime/HighFidelityTypeProfiler.h: Added.
1777             * runtime/Options.h:
1778             * runtime/Structure.cpp:
1779             (JSC::Structure::toStructureShape):
1780             * runtime/Structure.h:
1781             * runtime/SymbolTable.cpp:
1782             (JSC::SymbolTable::SymbolTable):
1783             (JSC::SymbolTable::cloneCapturedNames):
1784             (JSC::SymbolTable::uniqueIDForVariable):
1785             (JSC::SymbolTable::uniqueIDForRegister):
1786             (JSC::SymbolTable::globalTypeSetForRegister):
1787             (JSC::SymbolTable::globalTypeSetForVariable):
1788             * runtime/SymbolTable.h:
1789             (JSC::SymbolTable::add):
1790             (JSC::SymbolTable::set):
1791             * runtime/TypeSet.cpp: Added.
1792             (JSC::TypeSet::TypeSet):
1793             (JSC::TypeSet::getRuntimeTypeForValue):
1794             (JSC::TypeSet::addTypeForValue):
1795             (JSC::TypeSet::removeDuplicatesInStructureHistory):
1796             (JSC::TypeSet::seenTypes):
1797             (JSC::TypeSet::dumpSeenTypes):
1798             (JSC::StructureShape::StructureShape):
1799             (JSC::StructureShape::markAsFinal):
1800             (JSC::StructureShape::addProperty):
1801             (JSC::StructureShape::propertyHash):
1802             (JSC::StructureShape::leastUpperBound):
1803             (JSC::StructureShape::stringRepresentation):
1804             * runtime/TypeSet.h: Added.
1805             (JSC::StructureShape::create):
1806             (JSC::TypeSet::create):
1807             * runtime/VM.cpp:
1808             (JSC::VM::VM):
1809             (JSC::VM::getTypesForVariableInRange):
1810             (JSC::VM::updateHighFidelityTypeProfileState):
1811             (JSC::VM::dumpHighFidelityProfilingTypes):
1812             * runtime/VM.h:
1813             (JSC::VM::isProfilingTypesWithHighFidelity):
1814             (JSC::VM::highFidelityLog):
1815             (JSC::VM::highFidelityTypeProfiler):
1816             (JSC::VM::nextLocation):
1817             (JSC::VM::getNextUniqueVariableID):
1818     
1819     2014-06-26  Mark Lam  <mark.lam@apple.com>
1820     
1821             Remove unused instantiation of the WithScope structure.
1822             <https://webkit.org/b/134331>
1823     
1824             Reviewed by Oliver Hunt.
1825     
1826             The WithScope structure instance in the VM is unused, and is now removed.
1827     
1828             * runtime/VM.cpp:
1829             (JSC::VM::VM):
1830             * runtime/VM.h:
1831     
1832     2014-06-25  Mark Hahnenberg  <mhahnenberg@apple.com>
1833     
1834             Structure bit fields should have a consistent format
1835             https://bugs.webkit.org/show_bug.cgi?id=134307
1836     
1837             Reviewed by Filip Pizlo.
1838     
1839             Currently we use C-style bit fields for a number of member variables in Structure to save space. 
1840             This makes it difficult to load these fields in the JIT. We should instead use our own bitfield 
1841             format to make it easy to load and test these variables in JIT code.
1842     
1843             * runtime/JSObject.cpp:
1844             (JSC::JSObject::putDirectNonIndexAccessor):
1845             (JSC::JSObject::reifyStaticFunctionsForDelete):
1846             * runtime/Structure.cpp:
1847             (JSC::StructureTransitionTable::contains):
1848             (JSC::StructureTransitionTable::get):
1849             (JSC::StructureTransitionTable::add):
1850             (JSC::Structure::Structure):
1851             (JSC::Structure::materializePropertyMap):
1852             (JSC::Structure::addPropertyTransition):
1853             (JSC::Structure::despecifyFunctionTransition):
1854             (JSC::Structure::toDictionaryTransition):
1855             (JSC::Structure::freezeTransition):
1856             (JSC::Structure::preventExtensionsTransition):
1857             (JSC::Structure::takePropertyTableOrCloneIfPinned):
1858             (JSC::Structure::nonPropertyTransition):
1859             (JSC::Structure::flattenDictionaryStructure):
1860             (JSC::Structure::addPropertyWithoutTransition):
1861             (JSC::Structure::pin):
1862             (JSC::Structure::allocateRareData):
1863             (JSC::Structure::cloneRareDataFrom):
1864             (JSC::Structure::getConcurrently):
1865             (JSC::Structure::putSpecificValue):
1866             (JSC::Structure::getPropertyNamesFromStructure):
1867             (JSC::Structure::visitChildren):
1868             (JSC::Structure::checkConsistency):
1869             * runtime/Structure.h:
1870             (JSC::Structure::isExtensible):
1871             (JSC::Structure::isDictionary):
1872             (JSC::Structure::isUncacheableDictionary):
1873             (JSC::Structure::propertyAccessesAreCacheable):
1874             (JSC::Structure::previousID):
1875             (JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck):
1876             (JSC::Structure::setContainsReadOnlyProperties):
1877             (JSC::Structure::disableSpecificFunctionTracking):
1878             (JSC::Structure::objectToStringValue):
1879             (JSC::Structure::setObjectToStringValue):
1880             (JSC::Structure::setPreviousID):
1881             (JSC::Structure::clearPreviousID):
1882             (JSC::Structure::previous):
1883             (JSC::Structure::rareData):
1884             (JSC::Structure::didTransition): Deleted.
1885             (JSC::Structure::hasGetterSetterProperties): Deleted.
1886             (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto): Deleted.
1887             (JSC::Structure::setHasGetterSetterProperties): Deleted.
1888             (JSC::Structure::hasNonEnumerableProperties): Deleted.
1889             (JSC::Structure::staticFunctionsReified): Deleted.
1890             (JSC::Structure::setStaticFunctionsReified): Deleted.
1891             * runtime/StructureInlines.h:
1892             (JSC::Structure::setEnumerationCache):
1893             (JSC::Structure::enumerationCache):
1894             (JSC::Structure::checkOffsetConsistency):
1895     
1896     2014-06-24  Mark Lam  <mark.lam@apple.com>
1897     
1898             [ftlopt] Renamed DebuggerActivation to DebuggerScope.
1899             <https://webkit.org/b/134273>
1900     
1901             Reviewed by Michael Saboff.
1902     
1903             * CMakeLists.txt:
1904             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1905             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1906             * JavaScriptCore.xcodeproj/project.pbxproj:
1907             * debugger/DebuggerActivation.cpp: Removed.
1908             * debugger/DebuggerActivation.h: Removed.
1909             * debugger/DebuggerScope.cpp: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.cpp.
1910             (JSC::DebuggerScope::DebuggerScope):
1911             (JSC::DebuggerScope::finishCreation):
1912             (JSC::DebuggerScope::visitChildren):
1913             (JSC::DebuggerScope::className):
1914             (JSC::DebuggerScope::getOwnPropertySlot):
1915             (JSC::DebuggerScope::put):
1916             (JSC::DebuggerScope::deleteProperty):
1917             (JSC::DebuggerScope::getOwnPropertyNames):
1918             (JSC::DebuggerScope::defineOwnProperty):
1919             (JSC::DebuggerActivation::DebuggerActivation): Deleted.
1920             (JSC::DebuggerActivation::finishCreation): Deleted.
1921             (JSC::DebuggerActivation::visitChildren): Deleted.
1922             (JSC::DebuggerActivation::className): Deleted.
1923             (JSC::DebuggerActivation::getOwnPropertySlot): Deleted.
1924             (JSC::DebuggerActivation::put): Deleted.
1925             (JSC::DebuggerActivation::deleteProperty): Deleted.
1926             (JSC::DebuggerActivation::getOwnPropertyNames): Deleted.
1927             (JSC::DebuggerActivation::defineOwnProperty): Deleted.
1928             * debugger/DebuggerScope.h: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.h.
1929             (JSC::DebuggerScope::create):
1930             (JSC::DebuggerActivation::create): Deleted.
            * runtime/VM.cpp:
            (JSC::VM::VM):
            * runtime/VM.h:
    
    2014-06-24  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] PutByIdFlush can also be converted to a PutByOffset so don't assert otherwise
            https://bugs.webkit.org/show_bug.cgi?id=134265
    
            Reviewed by Geoffrey Garen.
            
            More assertion fallout from the PutById folding work.
    
            * dfg/DFGNode.h:
            (JSC::DFG::Node::convertToPutByOffset):
    
    2014-06-24  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] GC should notify us if it resets to_this
            https://bugs.webkit.org/show_bug.cgi?id=128231
    
            Reviewed by Geoffrey Garen.
    
            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/BytecodeList.json:
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::dumpBytecode):
            (JSC::CodeBlock::finalizeUnconditionally):
            * bytecode/Instruction.h:
            * bytecode/ToThisStatus.cpp: Added.
            (JSC::merge):
            (WTF::printInternal):
            * bytecode/ToThisStatus.h: Added.
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::BytecodeGenerator):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::parseBlock):
            * llint/LowLevelInterpreter32_64.asm:
            * llint/LowLevelInterpreter64.asm:
            * runtime/CommonSlowPaths.cpp:
            (JSC::SLOW_PATH_DECL):
    
    2014-06-24  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] StructureAbstractValue::onlyStructure() should return nullptr if isClobbered()
            https://bugs.webkit.org/show_bug.cgi?id=134256
    
            Reviewed by Michael Saboff.
            
            This isn't testable right now (i.e. it's benign) but we should get it right anyway. The
            point is to be able to precisely model what goes on in the snippets of code between a
            side-effect and an InvalidationPoint.
            
            This patch also cleans up onlyStructure() by delegating more work to
            StructureSet::onlyStructure().
    
            * dfg/DFGStructureAbstractValue.h:
            (JSC::DFG::StructureAbstractValue::onlyStructure):
    
    2014-06-24  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt][REGRESSION] PutById AI is introducing watchable structures without watching them
            https://bugs.webkit.org/show_bug.cgi?id=134260
    
            Reviewed by Geoffrey Garen.
            
            This was causing loads of assertion failures in debug builds.
    
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
    
    2014-06-21  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Fold GetById/PutById to MultiGetByOffset/GetByOffset or MultiPutByOffset/PutByOffset, which implies handling non-singleton sets
            https://bugs.webkit.org/show_bug.cgi?id=134090
    
            Reviewed by Oliver Hunt.
            
            This pretty much finishes off the work to eliminate the special-casing of singleton
            structure sets by making it possible to fold GetById and PutById to various polymorphic
            forms of the ByOffset nodes.
            
            * bytecode/GetByIdStatus.cpp:
            (JSC::GetByIdStatus::computeForStubInfo):
            (JSC::GetByIdStatus::computeFor):
            * bytecode/GetByIdStatus.h:
            * bytecode/PutByIdStatus.cpp:
            (JSC::PutByIdStatus::computeFor):
            * bytecode/PutByIdStatus.h:
            * bytecode/PutByIdVariant.h:
            (JSC::PutByIdVariant::constantChecks):
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::parseBlock):
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
            (JSC::DFG::ConstantFoldingPhase::addChecks):
            * dfg/DFGNode.h:
            (JSC::DFG::Node::convertToMultiGetByOffset):
            (JSC::DFG::Node::convertToMultiPutByOffset):
            * dfg/DFGSpeculativeJIT64.cpp: Also convert all release assertions to DFG assertions in this file, because I was hitting some of them while debugging.
            (JSC::DFG::SpeculativeJIT::fillJSValue):
            (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
            (JSC::DFG::SpeculativeJIT::emitCall):
            (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
            (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
            (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
            (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
            (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
            (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
            (JSC::DFG::SpeculativeJIT::compileLogicalNot):
            (JSC::DFG::SpeculativeJIT::emitBranch):
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGStructureAbstractValue.h:
            (JSC::DFG::StructureAbstractValue::set):
    
    2014-06-19  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] StructureSet::onlyStructure() should return nullptr if it's not a singleton (instead of asserting)
            https://bugs.webkit.org/show_bug.cgi?id=134077
    
            Reviewed by Sam Weinig.
            
            This makes StructureSet and StructureAbstractValue more consistent and fixes a debug assert
            in the abstract interpreter.
    
            * bytecode/StructureSet.h:
            (JSC::StructureSet::onlyStructure):
    
    2014-06-18  Filip Pizlo  <fpizlo@apple.com>
    
            DFG AI and constant folder should be able to precisely prune MultiGetByOffset/MultiPutByOffset even if the base structure abstract value is not a singleton
            https://bugs.webkit.org/show_bug.cgi?id=133918
    
            Reviewed by Mark Hahnenberg.
            
            This also adds pruning of PutStructure, since I basically had no choice but
            to implement such logic within MultiPutByOffset.
            
            Also adds a bunch of PutById cache status dumping to bytecode dumping.
    
            * bytecode/GetByIdVariant.cpp:
            (JSC::GetByIdVariant::dumpInContext):
            * bytecode/GetByIdVariant.h:
            (JSC::GetByIdVariant::structureSet):
            * bytecode/PutByIdVariant.h:
            (JSC::PutByIdVariant::oldStructure):
            * bytecode/StructureSet.cpp:
            (JSC::StructureSet::filter):
            (JSC::StructureSet::filterArrayModes):
            * bytecode/StructureSet.h:
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGAbstractValue.cpp:
            (JSC::DFG::AbstractValue::changeStructure):
            (JSC::DFG::AbstractValue::contains):
            * dfg/DFGAbstractValue.h:
            (JSC::DFG::AbstractValue::couldBeType):
            (JSC::DFG::AbstractValue::isType):
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
            (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
            (JSC::DFG::ConstantFoldingPhase::addBaseCheck):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::freezeStrong):
            * dfg/DFGGraph.h:
            * dfg/DFGStructureAbstractValue.h:
            (JSC::DFG::StructureAbstractValue::operator=):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
            * tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Added.
            (foo):
            (fu):
            (bar):
            (baz):
            (.bar):
            (.baz):
            * tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Added.
            (foo):
            (fu):
            (bar):
            (baz):
            (.bar):
            (.baz):
            * tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Added.
            (foo):
            (fu):
            (bar):
            (baz):
            (.bar):
            (.baz):
    
    2014-06-18  Mark Hahnenberg  <mhahnenberg@apple.com>
    
            Remove CompoundType and LeafType
            https://bugs.webkit.org/show_bug.cgi?id=134037
    
            Reviewed by Filip Pizlo.
    
            We don't use them for anything. We'll replace them with a generic CellType type for all
            the objects that are JSCells, aren't JSObjects, and for which we generally don't care about
            their JSType at runtime.
    
            * llint/LLIntData.cpp:
            (JSC::LLInt::Data::performAssertions):
            * runtime/ArrayBufferNeuteringWatchpoint.cpp:
            (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
            * runtime/Executable.h:
            (JSC::ExecutableBase::createStructure):
            (JSC::NativeExecutable::createStructure):
            * runtime/JSPromiseDeferred.h:
            (JSC::JSPromiseDeferred::createStructure):
            * runtime/JSPromiseReaction.h:
            (JSC::JSPromiseReaction::createStructure):
            * runtime/JSPropertyNameIterator.h:
            (JSC::JSPropertyNameIterator::createStructure):
            * runtime/JSType.h:
            * runtime/JSTypeInfo.h:
            (JSC::TypeInfo::TypeInfo):
            * runtime/MapData.h:
            (JSC::MapData::createStructure):
            * runtime/PropertyMapHashTable.h:
            (JSC::PropertyTable::createStructure):
            * runtime/RegExp.h:
            (JSC::RegExp::createStructure):
            * runtime/SparseArrayValueMap.cpp:
            (JSC::SparseArrayValueMap::createStructure):
            * runtime/Structure.cpp:
            (JSC::Structure::Structure):
            * runtime/StructureChain.h:
            (JSC::StructureChain::createStructure):
            * runtime/StructureRareData.cpp:
            (JSC::StructureRareData::createStructure):
            * runtime/SymbolTable.h:
            (JSC::SymbolTable::createStructure):
            * runtime/WeakMapData.h:
            (JSC::WeakMapData::createStructure):
    
    2014-06-17  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] PutStructure and PhantomPutStructure shouldn't leave the world in a clobbered state
            https://bugs.webkit.org/show_bug.cgi?id=134002
    
            Reviewed by Mark Hahnenberg.
            
            The effect of this bug was that if we had a PutStructure or PhantomPutStructure then any
            JSConstants would be in a Clobbered state, so we wouldn't take advantage of our knowledge
            of the structure if that structure was watchable.
            
            Also kill PhantomPutStructure.
    
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
            * dfg/DFGClobberize.h:
            (JSC::DFG::clobberize):
            * dfg/DFGDoesGC.cpp:
            (JSC::DFG::doesGC):
            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::fixupNode):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::visitChildren):
            * dfg/DFGNode.h:
            (JSC::DFG::Node::hasTransition):
            * dfg/DFGNodeType.h:
            * dfg/DFGPredictionPropagationPhase.cpp:
            (JSC::DFG::PredictionPropagationPhase::propagate):
            * dfg/DFGSafeToExecute.h:
            (JSC::DFG::safeToExecute):
            * dfg/DFGSpeculativeJIT32_64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGSpeculativeJIT64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGStructureAbstractValue.cpp:
            (JSC::DFG::StructureAbstractValue::observeTransition):
            (JSC::DFG::StructureAbstractValue::observeTransitions):
            * dfg/DFGValidate.cpp:
            (JSC::DFG::Validate::validate):
            * dfg/DFGWatchableStructureWatchingPhase.cpp:
            (JSC::DFG::WatchableStructureWatchingPhase::run):
            * ftl/FTLCapabilities.cpp:
            (JSC::FTL::canCompile):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileNode):
            (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure): Deleted.
    
    2014-06-17  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] DFG put_by_id should inline accesses with a slightly polymorphic base
            https://bugs.webkit.org/show_bug.cgi?id=133964
    
            Reviewed by Mark Hahnenberg.
    
            * bytecode/PutByIdStatus.cpp:
            (JSC::PutByIdStatus::appendVariant):
            (JSC::PutByIdStatus::computeForStubInfo):
            * bytecode/PutByIdVariant.cpp:
            (JSC::PutByIdVariant::oldStructureForTransition):
            (JSC::PutByIdVariant::writesStructures):
            (JSC::PutByIdVariant::reallocatesStorage):
            (JSC::PutByIdVariant::attemptToMerge):
            (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace):
            (JSC::PutByIdVariant::dumpInContext):
            * bytecode/PutByIdVariant.h:
            (JSC::PutByIdVariant::PutByIdVariant):
            (JSC::PutByIdVariant::replace):
            (JSC::PutByIdVariant::transition):
            (JSC::PutByIdVariant::structure):
            (JSC::PutByIdVariant::oldStructure):
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::handlePutById):
            (JSC::DFG::ByteCodeParser::parseBlock):
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::visitChildren):
            * dfg/DFGNode.cpp:
            (JSC::DFG::MultiPutByOffsetData::writesStructures):
            (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
            * ftl/FTLAbbreviations.h:
            (JSC::FTL::getLinkage):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
            (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
    
2014-07-25  Filip Pizlo  <fpizlo@apple.com>

        Add an option to disable native call inlining. Disable it for now to see how it
        affects the bots.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        * runtime/Options.h:

2014-07-25  Filip Pizlo  <fpizlo@apple.com>

        Fix cloop.

        * dfg/DFGMayExit.cpp:

2014-07-25  Filip Pizlo  <fpizlo@apple.com>

        Merge r169795, r169819, r169864, r169902, r169949, r169950, r170016, r170017, r170060, r170064 from ftlopt.

    2014-06-17  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Fold constant Phis
            https://bugs.webkit.org/show_bug.cgi?id=133967
    
            Reviewed by Mark Hahnenberg.
            
            It's surprising but we didn't really do this before. Or, rather, we only did it
            incidentally when we would likely crash if it ever happened.
            
            Making this work required cleaning up the validator a bit, so I did that too. I also added
            mayExit() validation for nodes that didn't have origin.forExit (i.e. nodes that end up in
            the Phi header of basic blocks). But this required beefing up mayExit() a bit.
    
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGAdjacencyList.h:
            (JSC::DFG::AdjacencyList::isEmpty):
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::run):
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            (JSC::DFG::ConstantFoldingPhase::fixUpsilons):
            * dfg/DFGInPlaceAbstractState.h:
            * dfg/DFGLICMPhase.cpp:
            (JSC::DFG::LICMPhase::run):
            (JSC::DFG::LICMPhase::attemptHoist):
            * dfg/DFGMayExit.cpp:
            (JSC::DFG::mayExit):
            * dfg/DFGValidate.cpp:
            (JSC::DFG::Validate::validate):
            (JSC::DFG::Validate::validateSSA):
    
    2014-06-17  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Get rid of NodeDoesNotExit and also get rid of StoreEliminationPhase
            https://bugs.webkit.org/show_bug.cgi?id=133985
    
            Reviewed by Michael Saboff and Mark Hahnenberg.
            
            Store elimination phase has never been very profitable, and now that LLVM can do dead
            store elimination for us, this phase is just completely pointless.
            
            This phase is also the primary user of NodeDoesNotExit, which is a flag that the CFA
            computes. It computes it poorly and we often get bugs in it. It's also a lot of code to
            maintain.
            
            This patch does introduce a new mayExit() calculator that is independent of the CFA and
            should be enough for most of the previous NodeDoesNotExit users. Currently it's only used
            for assertions in the DFG backend, but we could use it if we ever brought back any of the
            other optimizations that previously relied upon NodeDoesNotExit.
            
            This is performance-neutral, except for SunSpider, where it's a speed-up.
    
            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * dfg/DFGAbstractInterpreter.h:
            (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
            (JSC::DFG::AbstractInterpreter::filterByType):
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGCSEPhase.cpp:
            (JSC::DFG::CSEPhase::CSEPhase):
            (JSC::DFG::CSEPhase::invalidationPointElimination):
            (JSC::DFG::CSEPhase::setLocalStoreElimination):
            (JSC::DFG::CSEPhase::performNodeCSE):
            (JSC::DFG::CSEPhase::performBlockCSE):
            (JSC::DFG::performCSE):
            (JSC::DFG::CSEPhase::globalVarStoreElimination): Deleted.
            (JSC::DFG::CSEPhase::scopedVarStoreElimination): Deleted.
            (JSC::DFG::CSEPhase::putStructureStoreElimination): Deleted.
            (JSC::DFG::CSEPhase::putByOffsetStoreElimination): Deleted.
            (JSC::DFG::CSEPhase::SetLocalStoreEliminationResult::SetLocalStoreEliminationResult): Deleted.
            (JSC::DFG::performStoreElimination): Deleted.
            * dfg/DFGCSEPhase.h:
            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::fixupNode):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::resetExitStates): Deleted.
            * dfg/DFGGraph.h:
            * dfg/DFGMayExit.cpp: Added.
            (JSC::DFG::mayExit):
            * dfg/DFGMayExit.h: Added.
            * dfg/DFGNode.h:
            (JSC::DFG::Node::mergeFlags):
            (JSC::DFG::Node::filterFlags):
            (JSC::DFG::Node::setCanExit): Deleted.
            (JSC::DFG::Node::canExit): Deleted.
            * dfg/DFGNodeFlags.cpp:
            (JSC::DFG::dumpNodeFlags):
            * dfg/DFGNodeFlags.h:
            * dfg/DFGNodeType.h:
            * dfg/DFGPlan.cpp:
            (JSC::DFG::Plan::compileInThreadImpl):
            * dfg/DFGSpeculativeJIT.cpp:
            (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
            (JSC::DFG::SpeculativeJIT::bail):
            (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
            * dfg/DFGSpeculativeJIT32_64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGSpeculativeJIT64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
    
    2014-06-15  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Remove the DFG optimization fixpoint and remove some obvious reasons why we previously benefited from it
            https://bugs.webkit.org/show_bug.cgi?id=133931
    
            Reviewed by Oliver Hunt.
    
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Trigger constant-folding for GetMyArgumentByVal (which means turning it into GetLocalUnlinked) and correct the handling of Upsilon so we don't fold them away.
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants): Implement constant-folding for GetMyArgumentByVal.
            * dfg/DFGPlan.cpp:
            (JSC::DFG::Plan::compileInThreadImpl): Remove the fixpoint.
    
    2014-06-15  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] DFG OSR entry should have a crystal-clear story for when it's safe to enter at a block with a set of values
            https://bugs.webkit.org/show_bug.cgi?id=133935
    
            Reviewed by Oliver Hunt.
    
            * bytecode/Operands.h:
            (JSC::Operands::Operands):
            (JSC::Operands::ensureLocals):
            * dfg/DFGAbstractValue.cpp:
            (JSC::DFG::AbstractValue::filter): Now we can compute intersections of abstract values!
            * dfg/DFGAbstractValue.h:
            (JSC::DFG::AbstractValue::makeFullTop): Completeness.
            (JSC::DFG::AbstractValue::bytecodeTop): Completeness.
            (JSC::DFG::AbstractValue::fullTop): Completeness. We end up using this one.
            * dfg/DFGBasicBlock.cpp:
            (JSC::DFG::BasicBlock::BasicBlock):
            (JSC::DFG::BasicBlock::ensureLocals):
            * dfg/DFGBasicBlock.h: Remember the intersection of all things ever proven.
            * dfg/DFGCFAPhase.cpp:
            (JSC::DFG::CFAPhase::run): Compute the intersection.
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants): No need for the weirdo merge check since this fixes the root of the problem.
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::dumpBlockHeader): Better dumping.
            (JSC::DFG::Graph::dump): Better dumping.
            * dfg/DFGJITCompiler.h:
            (JSC::DFG::JITCompiler::noticeOSREntry): Use the intersected abstract value.
            * dfg/DFGSpeculativeJIT.cpp:
            (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Assert if the intersected state indicates the block shouldn't execute.
    
    2014-06-12  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] A DFG inlined ById access variant should not speak of a chain, but only of what structures to test the base for, whether to use a constant as an alternate base for the actual access, and what structures to check on what additional cell constants
            https://bugs.webkit.org/show_bug.cgi?id=133821
    
            Reviewed by Mark Hahnenberg.
            
            This allows us to efficiently cache accesses that differ only in the prototypes on the path
            from the base to the prototype that has the field.
            
            It also simplifies a bunch of code - IntendedStructureChain is now just an intermediate
            data structure.
    
            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/ConstantStructureCheck.cpp: Added.
            (JSC::ConstantStructureCheck::dumpInContext):
            (JSC::ConstantStructureCheck::dump):
            (JSC::structureFor):
            (JSC::areCompatible):
            (JSC::mergeInto):
            * bytecode/ConstantStructureCheck.h: Added.
            (JSC::ConstantStructureCheck::ConstantStructureCheck):
            (JSC::ConstantStructureCheck::operator!):
            (JSC::ConstantStructureCheck::constant):
            (JSC::ConstantStructureCheck::structure):
            * bytecode/GetByIdStatus.cpp:
            (JSC::GetByIdStatus::computeForStubInfo):
            * bytecode/GetByIdVariant.cpp:
            (JSC::GetByIdVariant::GetByIdVariant):
            (JSC::GetByIdVariant::operator=):
            (JSC::GetByIdVariant::attemptToMerge):
            (JSC::GetByIdVariant::dumpInContext):
            * bytecode/GetByIdVariant.h:
            (JSC::GetByIdVariant::constantChecks):
            (JSC::GetByIdVariant::alternateBase):
            (JSC::GetByIdVariant::GetByIdVariant): Deleted.
            (JSC::GetByIdVariant::chain): Deleted.
            * bytecode/PutByIdVariant.cpp:
            (JSC::PutByIdVariant::dumpInContext):
            * bytecode/PutByIdVariant.h:
            (JSC::PutByIdVariant::transition):
            (JSC::PutByIdVariant::constantChecks):
            (JSC::PutByIdVariant::structureChain): Deleted.
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::emitChecks):
            (JSC::DFG::ByteCodeParser::handleGetById):
            (JSC::DFG::ByteCodeParser::handlePutById):
            (JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck): Deleted.
            (JSC::DFG::ByteCodeParser::structureChainIsStillValid): Deleted.
            (JSC::DFG::ByteCodeParser::emitPrototypeChecks): Deleted.
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
            (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
            (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
            * dfg/DFGDesiredStructureChains.cpp: Removed.
            * dfg/DFGDesiredStructureChains.h: Removed.
            * dfg/DFGGraph.h:
            (JSC::DFG::Graph::watchpoints):
            (JSC::DFG::Graph::chains): Deleted.
            * dfg/DFGPlan.cpp:
            (JSC::DFG::Plan::isStillValid):
            (JSC::DFG::Plan::checkLivenessAndVisitChildren):
            (JSC::DFG::Plan::cancel):
            * dfg/DFGPlan.h:
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
            * runtime/IntendedStructureChain.cpp:
            (JSC::IntendedStructureChain::gatherChecks):
            * runtime/IntendedStructureChain.h:
            (JSC::IntendedStructureChain::at):
            (JSC::IntendedStructureChain::operator[]):
    
    2014-06-12  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Constant folding and strength reduction should work in SSA
            https://bugs.webkit.org/show_bug.cgi?id=133839
    
            Reviewed by Oliver Hunt.
    
            * dfg/DFGAtTailAbstractState.cpp:
            (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
            (JSC::DFG::AtTailAbstractState::forNode):
            * dfg/DFGAtTailAbstractState.h:
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::convertToConstant):
            * dfg/DFGIntegerCheckCombiningPhase.cpp:
            (JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend): Fix an unrelated regression that this uncovered.
            * dfg/DFGLICMPhase.cpp:
            (JSC::DFG::LICMPhase::LICMPhase):
            * dfg/DFGPlan.cpp:
            (JSC::DFG::Plan::compileInThreadImpl):
    
    2014-06-11  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] DFG get_by_id should inline chain accesses with a slightly polymorphic base
            https://bugs.webkit.org/show_bug.cgi?id=133751
    
            Reviewed by Mark Hahnenberg.
    
            * bytecode/GetByIdStatus.cpp:
            (JSC::GetByIdStatus::appendVariant):
            (JSC::GetByIdStatus::computeForStubInfo):
            * bytecode/GetByIdVariant.cpp:
            (JSC::GetByIdVariant::attemptToMerge):
            * bytecode/GetByIdVariant.h:
            * bytecode/PutByIdStatus.cpp:
            (JSC::PutByIdStatus::computeFor):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
            (JSC::DFG::ByteCodeParser::handleGetById):
            (JSC::DFG::ByteCodeParser::handlePutById):
            * runtime/IntendedStructureChain.cpp:
            (JSC::IntendedStructureChain::IntendedStructureChain):
            (JSC::IntendedStructureChain::isStillValid):
            (JSC::IntendedStructureChain::isNormalized):
            (JSC::IntendedStructureChain::terminalPrototype):
            (JSC::IntendedStructureChain::operator==):
            (JSC::IntendedStructureChain::visitChildren):
            (JSC::IntendedStructureChain::dumpInContext):
            (JSC::IntendedStructureChain::chain): Deleted.
            * runtime/IntendedStructureChain.h:
            (JSC::IntendedStructureChain::prototype):
            (JSC::IntendedStructureChain::operator!=):
            (JSC::IntendedStructureChain::head): Deleted.
    
    2014-06-11  Matthew Mirman  <mmirman@apple.com>
    
            Readded native calling to the FTL and split the DFG nodes
            Call and Construct into NativeCall and NativeConstruct
            to better represent their semantics.
            https://bugs.webkit.org/show_bug.cgi?id=133660
    
            Reviewed by Filip Pizlo.
    
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            Added NativeCall and NativeConstruct case.
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::addCall): added NativeCall case.
            (JSC::DFG::ByteCodeParser::handleCall):
            set to return NativeCall or NativeConstruct instead of Call or Construct
            in the presence of a native function.
            * dfg/DFGClobberize.h:
            (JSC::DFG::clobberize): added NativeCall and NativeConstruct case.
            * dfg/DFGDoesGC.cpp:
            (JSC::DFG::doesGC): added NativeCall and NativeConstruct case.
            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::fixupNode): added NativeCall and NativeConstruct case.
            * dfg/DFGNode.h:
            (JSC::DFG::Node::hasHeapPrediction): added NativeCall and NativeConstruct case.
            (JSC::DFG::Node::canBeKnownFunction): changed to NativeCall and NativeConstruct.
            (JSC::DFG::Node::hasKnownFunction): changed to NativeCall and NativeConstruct.
            * dfg/DFGNodeType.h: added NativeCall and NativeConstruct.
            * dfg/DFGPredictionPropagationPhase.cpp:
            (JSC::DFG::PredictionPropagationPhase::propagate): added NativeCall and NativeConstruct case.
            * dfg/DFGSafeToExecute.h:
            (JSC::DFG::safeToExecute): added NativeCall and NativeConstruct case.
            * dfg/DFGSpeculativeJIT32_64.cpp:
            (JSC::DFG::SpeculativeJIT::emitCall): ditto.
            (JSC::DFG::SpeculativeJIT::compile): ditto.
            * dfg/DFGSpeculativeJIT64.cpp:
            (JSC::DFG::SpeculativeJIT::emitCall): ditto.
            (JSC::DFG::SpeculativeJIT::compile): ditto.
            * ftl/FTLCapabilities.cpp:
            (JSC::FTL::canCompile): ditto.
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::lower): ditto.
            (JSC::FTL::LowerDFGToLLVM::compileNode): ditto.
            (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct): Added.
            (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct): removed NativeCall and NativeConstruct functionality.
            (JSC::FTL::LowerDFGToLLVM::didOverflowStack): added NativeCall and NativeConstruct case.
            * runtime/JSCJSValue.h: added JS_EXPORT_PRIVATE to toInteger as it is apparently needed.
2613            
2614     2014-06-11  Matthew Mirman  <mmirman@apple.com>
2615     
2616             Ensured Native Calls and Construct and associated checks 
2617             are only emitted during ftl mode.
2618             https://bugs.webkit.org/show_bug.cgi?id=133718
2619             
2620             Reviewed by Filip Pizlo.
2621             
2622             * dfg/DFGByteCodeParser.cpp:
2623             (JSC::DFG::ByteCodeParser::handleCall): Added check for ftl mode 
2624             before attaching the native function to Call or Construct.
2625             
2626     2014-06-10  Filip Pizlo  <fpizlo@apple.com>
2627     
2628             [ftlopt] DFG should use its own notion of JSValue, which we should call FrozenValue, that will carry around a copy of its structure
2629             https://bugs.webkit.org/show_bug.cgi?id=133426
2630     
2631             Reviewed by Geoffrey Garen.
2632             
2633             The impetus for this was to provide some sense and reason to race conditions arising from
2634             cell constants having their structure changed on the main thread - this is harmless because
2635             we defend against it, but when it goes wrong, it can be difficult to reproduce because it
2636             requires a race. Giving the DFG the ability to "freeze" a cell's structure fixes this.
2637             
2638             But this patch goes quite a bit further, and completely rationalizes how the DFG reasons
2639             about constants. It no longer relies on the CodeBlock constant pool at all, which allows
2640             for a more object-oriented approach: for example a Node that has a constant can tell you
2641             what constant it has without needing a CodeBlock.
2642     
2643             * CMakeLists.txt:
2644             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2645             * JavaScriptCore.xcodeproj/project.pbxproj:
2646             * bytecode/CallLinkStatus.cpp:
2647             (JSC::CallLinkStatus::computeExitSiteData):
2648             * bytecode/ExitKind.cpp:
2649             (JSC::exitKindToString):
2650             (JSC::exitKindIsCountable):
2651             * bytecode/ExitKind.h:
2652             (JSC::isWatchpoint): Deleted.
2653             * bytecode/GetByIdStatus.cpp:
2654             (JSC::GetByIdStatus::hasExitSite):
2655             * bytecode/PutByIdStatus.cpp:
2656             (JSC::PutByIdStatus::hasExitSite):
2657             * dfg/DFGAbstractInterpreter.h:
2658             (JSC::DFG::AbstractInterpreter::filterByValue):
2659             (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
2660             (JSC::DFG::AbstractInterpreter::setConstant):
2661             * dfg/DFGAbstractInterpreterInlines.h:
2662             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2663             (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterByValue):
2664             * dfg/DFGAbstractValue.cpp:
2665             (JSC::DFG::AbstractValue::setOSREntryValue):
2666             (JSC::DFG::AbstractValue::set):
2667             (JSC::DFG::AbstractValue::filterByValue):
2668             (JSC::DFG::AbstractValue::setMostSpecific): Deleted.
2669             * dfg/DFGAbstractValue.h:
2670             * dfg/DFGArgumentsSimplificationPhase.cpp:
2671             (JSC::DFG::ArgumentsSimplificationPhase::run):
2672             * dfg/DFGBackwardsPropagationPhase.cpp:
2673             (JSC::DFG::BackwardsPropagationPhase::isNotNegZero):
2674             (JSC::DFG::BackwardsPropagationPhase::isNotPosZero):
2675             (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoForConstant):
2676             (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
2677             * dfg/DFGByteCodeParser.cpp:
2678             (JSC::DFG::ByteCodeParser::ByteCodeParser):
2679             (JSC::DFG::ByteCodeParser::getDirect):
2680             (JSC::DFG::ByteCodeParser::get):
2681             (JSC::DFG::ByteCodeParser::getLocal):
2682             (JSC::DFG::ByteCodeParser::setLocal):
2683             (JSC::DFG::ByteCodeParser::setArgument):
2684             (JSC::DFG::ByteCodeParser::jsConstant):
2685             (JSC::DFG::ByteCodeParser::weakJSConstant):
2686             (JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck):
2687             (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
2688             (JSC::DFG::ByteCodeParser::handleCall):
2689             (JSC::DFG::ByteCodeParser::emitFunctionChecks):
2690             (JSC::DFG::ByteCodeParser::handleInlining):
2691             (JSC::DFG::ByteCodeParser::handleMinMax):
2692             (JSC::DFG::ByteCodeParser::handleIntrinsic):
2693             (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2694             (JSC::DFG::ByteCodeParser::handleGetById):
2695             (JSC::DFG::ByteCodeParser::prepareToParseBlock):
2696             (JSC::DFG::ByteCodeParser::parseBlock):
2697             (JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary):
2698             (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2699             (JSC::DFG::ByteCodeParser::parseCodeBlock):
2700             (JSC::DFG::ByteCodeParser::addConstant): Deleted.
2701             (JSC::DFG::ByteCodeParser::getJSConstantForValue): Deleted.
2702             (JSC::DFG::ByteCodeParser::getJSConstant): Deleted.
2703             (JSC::DFG::ByteCodeParser::isJSConstant): Deleted.
2704             (JSC::DFG::ByteCodeParser::isInt32Constant): Deleted.
2705             (JSC::DFG::ByteCodeParser::valueOfJSConstant): Deleted.
2706             (JSC::DFG::ByteCodeParser::valueOfInt32Constant): Deleted.
2707             (JSC::DFG::ByteCodeParser::constantUndefined): Deleted.
2708             (JSC::DFG::ByteCodeParser::constantNull): Deleted.
2709             (JSC::DFG::ByteCodeParser::one): Deleted.
2710             (JSC::DFG::ByteCodeParser::constantNaN): Deleted.
2711             (JSC::DFG::ByteCodeParser::cellConstant): Deleted.
2712             (JSC::DFG::ByteCodeParser::inferredConstant): Deleted.
2713             (JSC::DFG::ByteCodeParser::ConstantRecord::ConstantRecord): Deleted.
2714             * dfg/DFGCFGSimplificationPhase.cpp:
2715             (JSC::DFG::CFGSimplificationPhase::run):
2716             * dfg/DFGCSEPhase.cpp:
2717             (JSC::DFG::CSEPhase::constantCSE):
2718             (JSC::DFG::CSEPhase::checkFunctionElimination):
2719             (JSC::DFG::CSEPhase::performNodeCSE):
2720             (JSC::DFG::CSEPhase::weakConstantCSE): Deleted.
2721             * dfg/DFGClobberize.h:
2722             (JSC::DFG::clobberize):
2723             * dfg/DFGCommon.h:
2724             * dfg/DFGConstantFoldingPhase.cpp:
2725             (JSC::DFG::ConstantFoldingPhase::foldConstants):
2726             (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
2727             (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
2728             * dfg/DFGDoesGC.cpp:
2729             (JSC::DFG::doesGC):
2730             * dfg/DFGFixupPhase.cpp:
2731             (JSC::DFG::FixupPhase::fixupNode):
2732             (JSC::DFG::FixupPhase::fixupMakeRope):
2733             (JSC::DFG::FixupPhase::truncateConstantToInt32):
2734             (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
2735             (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2736             * dfg/DFGFrozenValue.cpp: Added.
2737             (JSC::DFG::FrozenValue::emptySingleton):
2738             (JSC::DFG::FrozenValue::dumpInContext):
2739             (JSC::DFG::FrozenValue::dump):
2740             * dfg/DFGFrozenValue.h: Added.
2741             (JSC::DFG::FrozenValue::FrozenValue):
2742             (JSC::DFG::FrozenValue::operator!):
2743             (JSC::DFG::FrozenValue::value):
2744             (JSC::DFG::FrozenValue::structure):
2745             (JSC::DFG::FrozenValue::strengthenTo):
2746             (JSC::DFG::FrozenValue::strength):
2747             (JSC::DFG::FrozenValue::freeze):
2748             * dfg/DFGGraph.cpp:
2749             (JSC::DFG::Graph::Graph):
2750             (JSC::DFG::Graph::dump):
2751             (JSC::DFG::Graph::tryGetActivation):
2752             (JSC::DFG::Graph::tryGetFoldableView):
2753             (JSC::DFG::Graph::registerFrozenValues):
2754             (JSC::DFG::Graph::visitChildren):
2755             (JSC::DFG::Graph::freezeFragile):
2756             (JSC::DFG::Graph::freeze):
2757             (JSC::DFG::Graph::freezeStrong):
2758             (JSC::DFG::Graph::convertToConstant):
2759             (JSC::DFG::Graph::convertToStrongConstant):
2760             (JSC::DFG::Graph::assertIsWatched):
2761             * dfg/DFGGraph.h:
2762             (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
2763             (JSC::DFG::Graph::convertToConstant): Deleted.
2764             (JSC::DFG::Graph::constantRegisterForConstant): Deleted.
2765             (JSC::DFG::Graph::getJSConstantSpeculation): Deleted.
2766             (JSC::DFG::Graph::isConstant): Deleted.
2767             (JSC::DFG::Graph::isJSConstant): Deleted.
2768             (JSC::DFG::Graph::isInt32Constant): Deleted.
2769             (JSC::DFG::Graph::isDoubleConstant): Deleted.
2770             (JSC::DFG::Graph::isNumberConstant): Deleted.
2771             (JSC::DFG::Graph::isBooleanConstant): Deleted.
2772             (JSC::DFG::Graph::isCellConstant): Deleted.
2773             (JSC::DFG::Graph::isFunctionConstant): Deleted.
2774             (JSC::DFG::Graph::isInternalFunctionConstant): Deleted.
2775             (JSC::DFG::Graph::valueOfJSConstant): Deleted.
2776             (JSC::DFG::Graph::valueOfInt32Constant): Deleted.
2777             (JSC::DFG::Graph::valueOfNumberConstant): Deleted.
2778             (JSC::DFG::Graph::valueOfBooleanConstant): Deleted.
2779             (JSC::DFG::Graph::valueOfFunctionConstant): Deleted.
2780             (JSC::DFG::Graph::mulImmediateShouldSpeculateInt32): Deleted.
2781             * dfg/DFGInPlaceAbstractState.cpp:
2782             (JSC::DFG::InPlaceAbstractState::initialize):
2783             * dfg/DFGInsertionSet.h:
2784             (JSC::DFG::InsertionSet::insertConstant):
2785             (JSC::DFG::InsertionSet::insertConstantForUse):
2786             * dfg/DFGIntegerCheckCombiningPhase.cpp:
2787             (JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend):
2788             * dfg/DFGJITCompiler.cpp:
2789             (JSC::DFG::JITCompiler::link):
2790             * dfg/DFGLazyJSValue.cpp:
2791             (JSC::DFG::LazyJSValue::getValue):
2792             (JSC::DFG::LazyJSValue::strictEqual):
2793             (JSC::DFG::LazyJSValue::dumpInContext):
2794             * dfg/DFGLazyJSValue.h:
2795             (JSC::DFG::LazyJSValue::LazyJSValue):
2796             (JSC::DFG::LazyJSValue::tryGetValue):
2797             (JSC::DFG::LazyJSValue::value):
2798             (JSC::DFG::LazyJSValue::switchLookupValue):
2799             * dfg/DFGMinifiedNode.cpp:
2800             (JSC::DFG::MinifiedNode::fromNode):
2801             * dfg/DFGMinifiedNode.h:
2802             (JSC::DFG::belongsInMinifiedGraph):
2803             (JSC::DFG::MinifiedNode::hasConstant):
2804             (JSC::DFG::MinifiedNode::constant):
2805             (JSC::DFG::MinifiedNode::hasConstantNumber): Deleted.
2806             (JSC::DFG::MinifiedNode::constantNumber): Deleted.
2807             (JSC::DFG::MinifiedNode::hasWeakConstant): Deleted.
2808             (JSC::DFG::MinifiedNode::weakConstant): Deleted.
2809             * dfg/DFGNode.h:
2810             (JSC::DFG::Node::hasConstant):
2811             (JSC::DFG::Node::constant):
2812             (JSC::DFG::Node::convertToConstant):
2813             (JSC::DFG::Node::asJSValue):
2814             (JSC::DFG::Node::isInt32Constant):
2815             (JSC::DFG::Node::asInt32):
2816             (JSC::DFG::Node::asUInt32):
2817             (JSC::DFG::Node::isDoubleConstant):
2818             (JSC::DFG::Node::isNumberConstant):
2819             (JSC::DFG::Node::asNumber):
2820             (JSC::DFG::Node::isMachineIntConstant):
2821             (JSC::DFG::Node::asMachineInt):
2822             (JSC::DFG::Node::isBooleanConstant):
2823             (JSC::DFG::Node::asBoolean):
2824             (JSC::DFG::Node::isCellConstant):
2825             (JSC::DFG::Node::asCell):
2826             (JSC::DFG::Node::dynamicCastConstant):
2827             (JSC::DFG::Node::function):
2828             (JSC::DFG::Node::isWeakConstant): Deleted.
2829             (JSC::DFG::Node::constantNumber): Deleted.
2830             (JSC::DFG::Node::convertToWeakConstant): Deleted.
2831             (JSC::DFG::Node::weakConstant): Deleted.
2832             (JSC::DFG::Node::valueOfJSConstant): Deleted.
2833             * dfg/DFGNodeType.h:
2834             * dfg/DFGOSRExitCompiler.cpp:
2835             * dfg/DFGPredictionPropagationPhase.cpp:
2836             (JSC::DFG::PredictionPropagationPhase::propagate):
2837             * dfg/DFGSafeToExecute.h:
2838             (JSC::DFG::safeToExecute):
2839             * dfg/DFGSpeculativeJIT.cpp:
2840             (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
2841             (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
2842             (JSC::DFG::SpeculativeJIT::silentFill):
2843             (JSC::DFG::SpeculativeJIT::compileIn):
2844             (JSC::DFG::SpeculativeJIT::compilePeepHoleBooleanBranch):
2845             (JSC::DFG::SpeculativeJIT::compilePeepHoleInt32Branch):
2846             (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2847             (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2848             (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
2849             (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
2850             (JSC::DFG::SpeculativeJIT::compileAdd):
2851             (JSC::DFG::SpeculativeJIT::compileArithSub):
2852             (JSC::DFG::SpeculativeJIT::compileArithMod):
2853             * dfg/DFGSpeculativeJIT.h:
2854             (JSC::DFG::SpeculativeJIT::valueOfJSConstantAsImm64):
2855             (JSC::DFG::SpeculativeJIT::initConstantInfo):
2856             (JSC::DFG::SpeculativeJIT::isConstant): Deleted.
2857             (JSC::DFG::SpeculativeJIT::isJSConstant): Deleted.
2858             (JSC::DFG::SpeculativeJIT::isInt32Constant): Deleted.
2859             (JSC::DFG::SpeculativeJIT::isDoubleConstant): Deleted.
2860             (JSC::DFG::SpeculativeJIT::isNumberConstant): Deleted.
2861             (JSC::DFG::SpeculativeJIT::isBooleanConstant): Deleted.
2862             (JSC::DFG::SpeculativeJIT::isFunctionConstant): Deleted.
2863             (JSC::DFG::SpeculativeJIT::valueOfInt32Constant): Deleted.
2864             (JSC::DFG::SpeculativeJIT::valueOfNumberConstant): Deleted.
2865             (JSC::DFG::SpeculativeJIT::addressOfDoubleConstant): Deleted.
2866             (JSC::DFG::SpeculativeJIT::valueOfJSConstant): Deleted.
2867             (JSC::DFG::SpeculativeJIT::valueOfBooleanConstant): Deleted.
2868             (JSC::DFG::SpeculativeJIT::valueOfFunctionConstant): Deleted.
2869             (JSC::DFG::SpeculativeJIT::isNullConstant): Deleted.
2870             (JSC::DFG::SpeculativeJIT::isInteger): Deleted.
2871             * dfg/DFGSpeculativeJIT32_64.cpp:
2872             (JSC::DFG::SpeculativeJIT::fillJSValue):
2873             (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2874             (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2875             (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2876             (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2877             (JSC::DFG::SpeculativeJIT::compile):
2878             * dfg/DFGSpeculativeJIT64.cpp:
2879             (JSC::DFG::SpeculativeJIT::fillJSValue):
2880             (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2881             (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
2882             (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2883             (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2884             (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2885             (JSC::DFG::SpeculativeJIT::compile):
2886             * dfg/DFGStrengthReductionPhase.cpp:
2887             (JSC::DFG::StrengthReductionPhase::handleNode):
2888             * dfg/DFGValidate.cpp:
2889             (JSC::DFG::Validate::validate):
2890             * dfg/DFGValueStrength.cpp: Added.
2891             (WTF::printInternal):
2892             * dfg/DFGValueStrength.h: Added.
2893             (JSC::DFG::merge):
2894             * dfg/DFGVariableEventStream.cpp:
2895             (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
2896             (JSC::DFG::VariableEventStream::reconstruct):
2897             * dfg/DFGVariableEventStream.h:
2898             * dfg/DFGWatchableStructureWatchingPhase.cpp:
2899             (JSC::DFG::WatchableStructureWatchingPhase::run):
2900             (JSC::DFG::WatchableStructureWatchingPhase::tryWatch):
2901             * dfg/DFGWatchpointCollectionPhase.cpp:
2902             (JSC::DFG::WatchpointCollectionPhase::handle):
2903             * ftl/FTLCapabilities.cpp:
2904             (JSC::FTL::canCompile):
2905             * ftl/FTLLink.cpp:
2906             (JSC::FTL::link):
2907             * ftl/FTLLowerDFGToLLVM.cpp:
2908             (JSC::FTL::LowerDFGToLLVM::compileNode):
2909             (JSC::FTL::LowerDFGToLLVM::compileDoubleConstant):
2910             (JSC::FTL::LowerDFGToLLVM::compileInt52Constant):
2911             (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
2912             (JSC::FTL::LowerDFGToLLVM::compileCheckFunction):
2913             (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
2914             (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
2915             (JSC::FTL::LowerDFGToLLVM::lowInt32):
2916             (JSC::FTL::LowerDFGToLLVM::lowCell):
2917             (JSC::FTL::LowerDFGToLLVM::lowBoolean):
2918             (JSC::FTL::LowerDFGToLLVM::lowJSValue):
2919             (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
2920             (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant): Deleted.
2921             * ftl/FTLOSRExitCompiler.cpp:
2922             (JSC::FTL::compileStub):
2923             * runtime/JSCJSValue.cpp:
2924             (JSC::JSValue::dumpInContext):
2925             (JSC::JSValue::dumpInContextAssumingStructure):
2926             * runtime/JSCJSValue.h:
2927     
2928 2014-07-24  Brent Fulgham  <bfulgham@apple.com>
2929
2930         [Win] Correct build order in JavaScriptCore.submit.sln
2931         https://bugs.webkit.org/show_bug.cgi?id=135282
2932         <rdar://problem/17805592>
2933
2934         Unreviewed build fix.
2935
2936         * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Correct build order
2937         such that LLIntDesiredOffset is built prior to the rest of JSC.
2938
2939 2014-07-24  Mark Lam  <mark.lam@apple.com>
2940
2941         JSWrapperMap's jsWrapperForObject() needs to keep weak prototype and constructors from being GCed.
2942         <https://webkit.org/b/135258>
2943
2944         Reviewed by Mark Hahnenberg.
2945
2946         Where needed, we cache the prototype object pointer in a stack local var.
2947         This allows it to be scanned by the GC, and hence be kept alive until
2948         we use it.  The constructor object will in turn be kept alive by the
2949         prototype object.
2950
2951         Also added some comments to warn against future code additions that could
2952         regress this issue.
2953
2954         * API/JSWrapperMap.mm:
2955         (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
2956         (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]):
2957         (-[JSObjCClassInfo wrapperForObject:]):
2958         (-[JSObjCClassInfo constructor]):
2959
2960 2014-07-24  Joseph Pecoraro  <pecoraro@apple.com>
2961
2962         JSLock release should only modify the AtomicStringTable if it modified in acquire
2963         https://bugs.webkit.org/show_bug.cgi?id=135143
2964
2965         Reviewed by Darin Adler.
2966
2967         * runtime/JSLock.cpp:
2968         (JSC::JSLock::JSLock):
2969         Initialize the member variable to nullptr.
2970
2971         (JSC::JSLock::willDestroyVM):
2972         Update style to use nullptr instead of 0.
2973
2974         (JSC::JSLock::willReleaseLock):
2975         We should only reset the thread data's atomic string table if
2976         didAcquireLock changed it. m_entryAtomicStringTable will have
2977         been set by didAcquireLock if it changed, or nullptr if it didn't.
2978         This way we are sure we are balanced, regardless of m_vm changes.
2979
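The balanced acquire/release the entry above describes, as an added example in C++ (not WebKit's JSLock, and not code from that change): a hypothetical `Lock` swaps a thread's current `Table` for the VM's on acquire only when they differ, records what it changed, and on release undoes exactly that without re-reading the VM pointer. The names `Table`, `VM`, `g_threadTable` and the three scenario functions are assumptions; where the entry uses a nullptr `m_entryAtomicStringTable` as the "nothing to restore" sentinel, this version carries an explicit flag so that a thread whose table was genuinely null is restored correctly too.

```cpp
#include <cstdio>

// Hypothetical stand-ins (not WebKit's types): a string table, a VM that
// owns one, and the thread's "current table" slot.  A plain global stands
// in for thread-local storage so the example runs single-threaded.
struct Table { int id; };
struct VM { Table* table; };
static Table* g_threadTable = nullptr;

class Lock {
public:
    explicit Lock(VM* vm) : m_vm(vm) {}

    // On acquire, point the thread at the VM's table only if it differs, and
    // record the previous table only when a swap actually happened.
    void didAcquireLock() {
        m_swapped = false;
        if (m_vm && m_vm->table != g_threadTable) {
            m_entryTable = g_threadTable;
            g_threadTable = m_vm->table;
            m_swapped = true;
        }
    }

    // On release, undo exactly what acquire did, driven by the recorded state
    // and never by re-reading m_vm, which may have been cleared meanwhile.
    void willReleaseLock() {
        if (!m_swapped)
            return;
        g_threadTable = m_entryTable;
        m_entryTable = nullptr;
        m_swapped = false;
    }

    // The VM is going away; the lock must still release correctly afterwards.
    void willDestroyVM() { m_vm = nullptr; }

private:
    VM* m_vm;
    Table* m_entryTable = nullptr;
    bool m_swapped = false;   // explicit flag instead of a nullptr sentinel
};

// Scenario 1: the thread already uses the VM's table, so release must not
// touch it.
bool scenarioTableAlreadyMatches() {
    Table shared{1};
    g_threadTable = &shared;
    VM vm{&shared};
    Lock lock(&vm);
    lock.didAcquireLock();
    bool unchangedWhileHeld = (g_threadTable == &shared);
    lock.willReleaseLock();
    return unchangedWhileHeld && g_threadTable == &shared;
}

// Scenario 2: the tables differ, and the VM is destroyed between acquire and
// release; the thread's original table must still be restored.
bool scenarioRestoredAfterVMDestroyed() {
    Table threadTable{1};
    Table vmTable{2};
    g_threadTable = &threadTable;
    VM vm{&vmTable};
    Lock lock(&vm);
    lock.didAcquireLock();
    bool swappedWhileHeld = (g_threadTable == &vmTable);
    lock.willDestroyVM();
    lock.willReleaseLock();
    return swappedWhileHeld && g_threadTable == &threadTable;
}

// Scenario 3: the thread had no table at all; a nullptr sentinel could not
// distinguish "nothing to restore" from "restore nullptr", but the flag can.
bool scenarioNullEntryTableRestored() {
    Table vmTable{2};
    g_threadTable = nullptr;
    VM vm{&vmTable};
    Lock lock(&vm);
    lock.didAcquireLock();
    bool swappedWhileHeld = (g_threadTable == &vmTable);
    lock.willReleaseLock();
    return swappedWhileHeld && g_threadTable == nullptr;
}

int main() {
    std::printf("match: %d, vm destroyed: %d, null entry: %d\n",
        scenarioTableAlreadyMatches(), scenarioRestoredAfterVMDestroyed(),
        scenarioNullEntryTableRestored());
    return 0;
}
```

The point scenario 2 makes is the one in the entry: release decides what to undo from state captured at acquire time, so a VM that disappears (or changes) while the lock is held cannot leave the thread pointing at the wrong table.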
2980 2014-07-24  Peyton Randolph  <prandolph@apple.com>
2981
2982         Rename feature flag for long-press gesture on Mac.
2983         https://bugs.webkit.org/show_bug.cgi?id=135259
2984
2985         Reviewed by Beth Dakin.
2986
2987         * Configurations/FeatureDefines.xcconfig:
2988         Rename LINK_LONG_PRESS to MAC_LONG_PRESS.
2989
2990 2014-07-24  Commit Queue  <commit-queue@webkit.org>
2991
2992         Unreviewed, rolling out r171527.
2993         https://bugs.webkit.org/show_bug.cgi?id=135265
2994
2995         Breaks JSC API tests (Requested by mlam on #webkit).
2996
2997         Reverted changeset:
2998
2999         "JSWrapperMap's jsWrapperForObject() needs to defer GC."
3000         https://bugs.webkit.org/show_bug.cgi?id=135258
3001         http://trac.webkit.org/changeset/171527
3002
3003 2014-07-24  Mark Hahnenberg  <mhahnenberg@apple.com>
3004
3005         Creating a JSGlobalObject with a custom JSClassRef results in a JSProxy with the wrong prototype
3006         https://bugs.webkit.org/show_bug.cgi?id=135250
3007
3008         Reviewed by Geoffrey Garen.
3009
3010         JSGlobalObject::resetPrototype (which is called from JSGlobalContextCreateInGroup) doesn't change its 
3011         JSProxy's prototype as well. This results in a JSProxy where no properties in the original prototype 
3012         chain (as created from the JSClassRef hierarchy) are accessible. Changing resetPrototype to also change
3013         the JSProxy's prototype fixes the issue.
3014
3015         * API/JSValueRef.cpp:
3016         (JSValueIsObjectOfClass): Also fixed a bug where a JSProxy for a JSGlobalObject with a custom JSClassRef
3017         would claim it wasn't of the specified class, even if the target was of the specified class.
3018         * API/tests/CustomGlobalObjectClassTest.c: Added.
3019         (jsDoSomething):
3020         (customGlobalObjectClassTest):
3021         * API/tests/CustomGlobalObjectClassTest.h: Added.
3022         * API/tests/testapi.c:
3023         (assertTrue):
3024         (main):
3025         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
3026         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:
3027         * JavaScriptCore.xcodeproj/project.pbxproj:
3028         * runtime/JSGlobalObject.cpp:
3029         (JSC::JSGlobalObject::resetPrototype):
3030
3031 2014-07-24  Brian J. Burg  <burg@cs.washington.edu>
3032
3033         Web Replay: don't encode/decode primitive types that lack explicit sizes
3034         https://bugs.webkit.org/show_bug.cgi?id=133430
3035
3036         Reviewed by Anders Carlsson.
3037
3038         Don't support encode/decode of unsigned long, since its size is compiler-dependent.
3039
3040         * replay/EncodedValue.cpp:
3041         (JSC::EncodedValue::convertTo<unsigned long>):
3042         (JSC::unsigned long>::encodeValue): Deleted.
3043         * replay/EncodedValue.h:
3044
3045 2014-07-24  Mark Lam  <mark.lam@apple.com>
3046
3047         JSWrapperMap's jsWrapperForObject() needs to defer GC.
3048         <https://webkit.org/b/135258>
3049
3050         Reviewed by Oliver Hunt.
3051
3052         In the process of creating a JS wrapper, jsWrapperForObject() will create
3053         the prototype and constructor of the corresponding ObjC class, as well as
3054         for classes in its inheritance chain.  These prototypes and constructors
3055         are stored in Weak references in the JSObjCClassInfo objects.  During all
3056         the allocation that is being done to create all the prototypes and
3057         constructors as well as the wrapper objects, a GC may occur thereby
3058         collecting one or more of these newly created prototype and constructor
3059         objects.
3060
3061         One example of where this problem can manifest is in wrapperForObject()
3062         which is called from jsWrapperForObject().  In wrapperForObject(), we do
3063         the following steps:
3064
3065         1. reallocateConstructorAndOrPrototype() which creates the prototype
3066            object and stores it in JSObjCClassInfo's m_prototype which is a Weak
3067            ref.
3068         2. makeWrapper() to create the wrapper object, which may trigger a GC.
3069            GC will collect the prototype object and nullify the corresponding
3070            JSObjCClassInfo's m_prototype Weak ref.
3071         3. call JSObjectSetPrototype() to set the JSObjCClassInfo's m_prototype
3072            in the newly created wrapper.  This results in the wrapper getting a
3073            jsNull as a prototype instead of the expected prototype object.
3074
3075         To ensure that the prototype and constructor objects are retained until
3076         they can be referenced properly from the wrapper object,
3077         jsWrapperForObject() should defer GC until it's done with its work.
3078
3079         * API/JSWrapperMap.mm:
3080         (-[JSWrapperMap jsWrapperForObject:]):
3081
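The three-step failure this entry describes, together with the two remedies recorded in this log (deferring GC here, and keeping the prototype in a stack local in the later "keep weak prototype and constructors from being GCed" entry), as an added C++ example that is not WebKit code: a toy mark-and-sweep `Heap` whose every allocation is a safepoint, a `Weak` handle the heap nulls out when its cell is swept, and a `DeferGC` scope. `createWrapper` walks the entry's steps 1 to 3 under three strategies; `Cell`, `Weak`, `Heap`, `DeferGC` and `Strategy` are all hypothetical stand-ins for the JSC types named above.

```cpp
#include <algorithm>
#include <memory>
#include <vector>

// Toy GC-managed cell (not WebKit's JSCell): its prototype is its only
// strong outgoing edge.
struct Cell {
    bool marked = false;
    Cell* prototype = nullptr;
};

class Heap;

// Weak handle: does not keep its cell alive; the heap nulls it when the cell
// is swept (analogue of the Weak<> slots in JSObjCClassInfo).
class Weak {
public:
    explicit Weak(Heap& heap);
    ~Weak();
    Cell* get() const { return m_cell; }
    void set(Cell* cell) { m_cell = cell; }
    void clearIfDead() { if (m_cell && !m_cell->marked) m_cell = nullptr; }
private:
    Heap& m_heap;
    Cell* m_cell = nullptr;
};

class Heap {
public:
    // Every allocation is a GC safepoint, as on real allocation paths.
    Cell* allocate(const std::vector<Cell*>& roots) {
        collect(roots);
        m_cells.emplace_back(new Cell());
        return m_cells.back().get();
    }

    // Mark from the roots, null every weak handle to an unmarked cell, sweep.
    // A non-zero defer count suppresses collection entirely.
    void collect(const std::vector<Cell*>& roots) {
        if (m_deferCount > 0)
            return;
        for (auto& cell : m_cells)
            cell->marked = false;
        for (Cell* root : roots)
            mark(root);
        for (Weak* weak : m_weaks)
            weak->clearIfDead();
        m_cells.erase(std::remove_if(m_cells.begin(), m_cells.end(),
            [](const std::unique_ptr<Cell>& c) { return !c->marked; }), m_cells.end());
    }

    void deferGC() { ++m_deferCount; }
    void undeferGC() { --m_deferCount; }
    void registerWeak(Weak* weak) { m_weaks.push_back(weak); }
    void unregisterWeak(Weak* weak) { m_weaks.erase(std::remove(m_weaks.begin(), m_weaks.end(), weak), m_weaks.end()); }

private:
    static void mark(Cell* cell) {
        for (; cell && !cell->marked; cell = cell->prototype)
            cell->marked = true;
    }
    std::vector<std::unique_ptr<Cell>> m_cells;
    std::vector<Weak*> m_weaks;
    int m_deferCount = 0;
};

Weak::Weak(Heap& heap) : m_heap(heap) { m_heap.registerWeak(this); }
Weak::~Weak() { m_heap.unregisterWeak(this); }

// RAII analogue of JSC's DeferGC scope.
struct DeferGC {
    explicit DeferGC(Heap& heap) : m_heap(heap) { m_heap.deferGC(); }
    ~DeferGC() { m_heap.undeferGC(); }
    Heap& m_heap;
};

enum class Strategy { Unprotected, DeferGC, StackRoot };

// The three steps from the entry above; returns true when the wrapper ends up
// with the intended prototype, false when it ends up with null.
bool createWrapper(Heap& heap, Strategy strategy) {
    std::vector<Cell*> roots;         // what a conservative stack scan would find
    Weak cachedPrototype(heap);       // the weak m_prototype slot
    std::unique_ptr<DeferGC> defer;
    if (strategy == Strategy::DeferGC)
        defer.reset(new DeferGC(heap));   // the fix in this entry

    // 1. Create the prototype; it lives only in the weak slot ...
    Cell* prototype = heap.allocate(roots);
    cachedPrototype.set(prototype);
    if (strategy == Strategy::StackRoot)
        roots.push_back(prototype);   // ... unless a stack local roots it (the later fix)

    // 2. makeWrapper(): an allocation, which may run a collection.
    Cell* wrapper = heap.allocate(roots);
    roots.push_back(wrapper);

    // 3. Install whatever the weak slot holds now.
    wrapper->prototype = cachedPrototype.get();
    return wrapper->prototype != nullptr;
}

// Fresh heap per run so the scenarios do not influence each other.
bool wrapperGetsPrototype(Strategy strategy) {
    Heap heap;
    return createWrapper(heap, strategy);
}
```

With `Strategy::Unprotected` the collection triggered by step 2 finds the prototype reachable from no root, nulls the weak slot, and step 3 installs null, which is the jsNull prototype the entry describes. `Strategy::DeferGC` suppresses that collection for the duration of wrapper creation; `Strategy::StackRoot` instead keeps the prototype alive through an extra root, which is what the stack-local approach in the later entry relies on.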
3082 2014-07-23  Brent Fulgham  <bfulgham@apple.com>
3083
3084         Build fix after r171482.
3085
3086         Rubberstamped by Joe Pecoraro.
3087
3088         * runtime/Identifier.h: Make header declarations match
3089         implementation file.
3090
3091 2014-07-23  Brent Fulgham  <bfulgham@apple.com>
3092
3093         [Win] Use NO_RETURN_DUE_TO_CRASH on Windows
3094         https://bugs.webkit.org/show_bug.cgi?id=135199
3095
3096         Reviewed by Mark Lam.
3097
3098         * jsc.cpp:
3099         (WTF::RuntimeArray::deleteProperty): Stop using ugly
3100         compiler work-around on Windows; use NO_RETURN_DUE_TO_CRASH
3101         codepath instead.
3102         * runtime/Identifier.h: Add NO_RETURN_DUE_TO_CRASH
3103         to header so function declaration matches implementation.
3104
3105 2014-07-23  Bem Jones-Bey  <bjonesbe@adobe.com>
3106
3107         Remove CSS_EXCLUSIONS compile flag and leftover code
3108         https://bugs.webkit.org/show_bug.cgi?id=135175
3109
3110         Reviewed by Zoltan Horvath.
3111
3112         At this point, the CSS_EXCLUSIONS flag guards nothing but some useless
3113         stubs. This removes the flag and the useless code.
3114
3115         * Configurations/FeatureDefines.xcconfig:
3116
3117 2014-07-23  Commit Queue  <commit-queue@webkit.org>
3118
3119         Unreviewed, rolling out r171367.
3120         https://bugs.webkit.org/show_bug.cgi?id=135192
3121
3122         broke three API tests (Requested by thorton on #webkit).
3123
3124         Reverted changeset:
3125
3126         "JSLock release should only modify the AtomicStringTable if it
3127         modified in acquire"
3128         https://bugs.webkit.org/show_bug.cgi?id=135143
3129         http://trac.webkit.org/changeset/171367
3130
3131 2014-07-22  László Langó  <llango.u-szeged@partner.samsung.com>
3132
3133         [EFL] Build fix after the [ftlopt] branch merge.
3134
3135         Reviewed by Csaba Osztrogonác.
3136
3137         * dfg/DFGBranchDirection.h:
3138         (JSC::DFG::branchDirectionToString):
3139         * dfg/DFGStructureClobberState.h:
3140         (JSC::DFG::merge):
3141
3142 2014-07-22  Brent Fulgham  <bfulgham@apple.com>
3143
3144         Build fix for non-clang compile.
3145
3146         * jsc.cpp:
3147         (WTF::RuntimeArray::put): Remove incorrect return statement
3148         I added.
3149
3150 2014-07-22  Brent Fulgham  <bfulgham@apple.com>
3151
3152         Build fix for non-clang compile.
3153
3154         * jsc.cpp:
3155         (WTF::RuntimeArray::deleteProperty): Need (fake) return
3156         value when NO_RETURN_DUE_TO_CRASH is not defined.
3157
3158 2014-07-22  Filip Pizlo  <fpizlo@apple.com>
3159
3160         Merge r169628 from ftlopt.
3161
3162     2014-06-04  Matthew Mirman  <mmirman@apple.com>
3163     
3164             Added system for inlining native functions via the FTL.
3165             https://bugs.webkit.org/show_bug.cgi?id=131515
3166     
3167             Reviewed by Filip Pizlo.
3168     
3169             Also fixed the build to not compress the bitcode and to
3170             include all of the relevant runtime. With GCC_GENERATE_DEBUGGING_SYMBOLS = NO,
3171             the produced bitcode files are a hundredth of the size they were before.
3172             Now we can include all of the relevant runtime files with only a 3mb overhead.
3173             This is the same overhead as for two compressed files before,
3174             but done more efficiently (on both ends) and with less code.
3175             
3176             Deciding whether to inline native functions is left up to LLVM. 
3177             The entire module containing the function is linked into the current 
3178             compiled JS so that inlining the native functions shouldn't make them smaller.
3179             
3180             Rather than loading Runtime.symtbl at runtime, FTLState.cpp now generates a file
3181             InlineRuntimeSymbolTable.h which statically builds the symbol table hash table.
3182             
3183             * JavaScriptCore.xcodeproj/project.pbxproj: Added back runtime files to compile.
3184             * build-symbol-table-index.py: Changed bitcode suffix. 
3185             Added inclusion of only tested symbols.  
3186             Added output to InlineRuntimeSymbolTable.h. 
3187             * build-symbol-table-index.sh: Changed bitcode suffix.
3188             * copy-llvm-ir-to-derived-sources.sh: Removed gzip compression.
3189             * tested-symbols.symlst: Added.
3190             * dfg/DFGByteCodeParser.cpp:
3191             (JSC::DFG::ByteCodeParser::handleCall):  
3192             Now sets the knownFunction of the call node if such a function exists 
3193             and emits a check that during runtime the callee is in fact known.
3194             * dfg/DFGNode.h:
3195             Added functions to set the known function of a call node.
3196             (JSC::DFG::Node::canBeKnownFunction): Added.
3197             (JSC::DFG::Node::hasKnownFunction): Added.
3198             (JSC::DFG::Node::knownFunction): Added.
3199             (JSC::DFG::Node::giveKnownFunction): Added.
3200             * ftl/FTLAbbreviatedTypes.h: Added a typedef for LLVMMemoryBufferRef
3201             * ftl/FTLAbbreviations.h: Added some abbreviations.
3202             * ftl/FTLLowerDFGToLLVM.cpp:
3203             (JSC::FTL::LowerDFGToLLVM::isInlinableSize): Added. Hardcoded threshold to 275.
3204             (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): Added.
3205             (JSC::FTL::LowerDFGToLLVM::getFunctionBySymbol): Added.
3206             (JSC::FTL::LowerDFGToLLVM::possiblyCompileInlineableNativeCall): Added.
3207             (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):  
3208             Added call to possiblyCompileInlineableNativeCall
3209             * ftl/FTLOutput.h:
3210             (JSC::FTL::Output::allocaName):  Added. Useful for debugging.
3211             * ftl/FTLState.cpp:
3212             (JSC::FTL::State::State): Added an include for InlineRuntimeSymbolTable.h
3213             * ftl/FTLState.h: Added symbol table hash table.
3214             * ftl/FTLCompile.cpp:
3215             (JSC::FTL::compile): Added inlining and dead function elimination passes.
3216             * heap/HandleStack.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile.
3217             * llvm/InitializeLLVMMac.mm: Deleted.
3218             * llvm/InitializeLLVMMac.cpp: Added.
3219             * llvm/LLVMAPIFunctions.h: Added macros to include Bitcode parsing and linking functions.
3220             * llvm/LLVMHeaders.h: Added includes for Bitcode parsing and linking.
3221             * runtime/BundlePath.h: Added.
3222             * runtime/BundlePath.mm: Added.
3223             * runtime/DateInstance.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile.
3224             * runtime/DateInstance.h: ditto.
3225             * runtime/DateConversion.h: ditto.
3226             * runtime/ExceptionHelpers.h: ditto.
3227             * runtime/JSCJSValue.h: ditto.
3228             * runtime/JSArray.h: ditto.
3229             * runtime/JSDateMath.h: ditto.
3230             * runtime/JSObject.h: ditto.
3231             * runtime/JSObject.h: ditto.
3232             * runtime/RegExp.h: ditto.
3233             * runtime/Structure.h: ditto.
3234             * runtime/Options.h:  Added maximumLLVMInstructionCountForNativeInlining.
3235     
3236 2014-07-22  Mark Lam  <mark.lam@apple.com>
3237
3238         Array.concat() should work on runtime arrays too.
3239         <https://webkit.org/b/135179>
3240
3241         Reviewed by Geoffrey Garen.
3242
3243         * jsc.cpp:
3244         (WTF::RuntimeArray::create):
3245         (WTF::RuntimeArray::~RuntimeArray):
3246         (WTF::RuntimeArray::destroy):
3247         (WTF::RuntimeArray::getOwnPropertySlot):
3248         (WTF::RuntimeArray::getOwnPropertySlotByIndex):
3249         (WTF::RuntimeArray::put):
3250         (WTF::RuntimeArray::deleteProperty):
3251         (WTF::RuntimeArray::getLength):
3252         (WTF::RuntimeArray::createPrototype):
3253         (WTF::RuntimeArray::createStructure):
3254         (WTF::RuntimeArray::finishCreation):
3255         (WTF::RuntimeArray::RuntimeArray):
3256         (WTF::RuntimeArray::lengthGetter):
3257         (GlobalObject::finishCreation):
3258         (functionCreateRuntimeArray):
3259         - Added support to create a runtime array for testing purpose.
3260         * runtime/ArrayPrototype.cpp:
3261         (JSC::getLength):
3262         - Added fast case for when the array object is a JSArray.
3263         (JSC::arrayProtoFuncJoin):
3264         - Added a needed but missing exception check.
3265         (JSC::arrayProtoFuncConcat):
3266         - Use getLength() to compute the array length instead of assuming that
3267           the array is a JSArray instance.
3268         * tests/stress/regexp-matches-array.js: Added.
3269         (testArrayConcat):
3270         * tests/stress/runtime-array.js: Added.
3271         (testArrayConcat):
3272
3273 2014-07-22  Brent Fulgham  <bfulgham@apple.com>
3274
3275         Fix Windows (return a value!)
3276
3277         * jsc.cpp:
3278         (functionQuit): Satisfy compiler's need for
3279         a return value.
3280
3281 2014-07-22  Brent Fulgham  <bfulgham@apple.com>
3282
3283         Fix Windows (sleep -> Sleep)
3284
3285         * jsc.cpp:
3286         (WTF::jscExit):
3287
3288 2014-07-22  Filip Pizlo  <fpizlo@apple.com>
3289
3290         Fix Windows.
3291
3292         * jsc.cpp:
3293         (WTF::jscExit):
3294
3295 2014-07-22  Filip Pizlo  <fpizlo@apple.com>
3296
3297         Fix 32-bit.
3298
3299         * dfg/DFGSpeculativeJIT32_64.cpp:
3300         (JSC::DFG::SpeculativeJIT::compile):
3301
3302 2014-07-22  Filip Pizlo  <fpizlo@apple.com>
3303
3304         Merge r169148, r169185, r169188, r169578, r169582, r169584, r169588, r169753 from ftlopt.
3305         
3306         Note that r169753 is merged out of order because it fixes a bug in r169588.
3307
3308     2014-06-10  Filip Pizlo  <fpizlo@apple.com>
3309     
3310             [ftlopt] Structure::dfgShouldWatchIfPossible() is unsound
3311             https://bugs.webkit.org/show_bug.cgi?id=133624
3312     
3313             Reviewed by Mark Hahnenberg.
3314     
3315             * runtime/Structure.h:
3316             (JSC::Structure::dfgShouldWatchIfPossible): Make it sound and add some verbiage.
3317     
3318     2014-06-04  Filip Pizlo  <fpizlo@apple.com>
3319     
3320             [ftlopt] AI should be able to track structure sets larger than 1
3321             https://bugs.webkit.org/show_bug.cgi?id=128073
3322     
3323             Reviewed by Oliver Hunt.
3324             
3325             This makes two major changes to how AI (abstract interpreter) proves that a value has
3326             some structure:
3327             
3328             - StructureAbstractValue can now track an arbitrary number of structures. A set whose
3329               size is greater than one means that the value may have any of the structures, and we
3330               don't know which - but we do know that it cannot be any structure not in the set. The
3331               structure abstract value can still be TOP, which means the set of all structures. We
3332               artificially limit the set size to StructureAbstractValue::polymorphismLimit to guard
3333               memory explosion on pathological programs. This limit is big enough that it wouldn't
3334               kick in for normal code, since we have other heuristics that limit the number of
3335               structures that we would allow an inline cache to know about.
3336             
3337             - We eagerly set watchpoints on all watchable structures and then we assume that
3338               watchable structures are being watched, and that the watchpoint will jettison the code.
3339               This allows tracking of watchable structures to be far simpler than before. Previously,
3340               a structure being tracked as "future possible" was predicated on it being watchable but
3341               we might not actually watch it. This makes algebra over sets of future possible
3342               structures quite weird. But watching all watchable structures means that we simply say
3343               that a structure set can be in the following states: unclobbered, which means it's just
3344               a set of structures and it doesn't matter what is watchable or what isn't because we've
3345               proven that the value must have one of these structures right now; and clobbered, which
3346               means that we have a set of structures, plus all possible structures temporarily, with
3347               invalidation removing the "plus all possible structures". Clobbering a set means that
3348               if any of its structures are unwatchable, the set just becomes TOP; but if all
3349               structures in the set are watchable then we just set the clobbered bit to add the "plus
3350               all possible structures temporarily" thing. This precisely tracks the exact meaning of
3351               watchability and invalidation points.
3352             
3353             Slight SunSpider slow-down, neutral on Octane, slight AsmBench speed-up. I believe that
3354             we will ultimately undo the SunSpider slow-down by making further improvements to the set
3355             representation. I believe that Octane performance will ultimately improve once we remove
3356             remaining singleton special-cases. The ultimate goal of this is to remove the need to
3357             try quite so desperately hard to make everything monomorphic as we do currently.
3358     
3359             * CMakeLists.txt:
3360             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3361             * JavaScriptCore.xcodeproj/project.pbxproj:
3362             * bytecode/StructureSet.cpp:
3363             (JSC::StructureSet::clear):
3364             (JSC::StructureSet::remove):
3365             (JSC::StructureSet::filter):
3366             (JSC::StructureSet::copyFromOutOfLine):
3367             (JSC::StructureSet::StructureSet): Deleted.
3368             (JSC::StructureSet::operator=): Deleted.
3369             (JSC::StructureSet::copyFrom): Deleted.
3370             * bytecode/StructureSet.h:
3371             (JSC::StructureSet::StructureSet):
3372             (JSC::StructureSet::operator=):
3373             (JSC::StructureSet::isEmpty):
3374             (JSC::StructureSet::genericFilter):
3375             (JSC::StructureSet::ContainsOutOfLine::ContainsOutOfLine):
3376             (JSC::StructureSet::ContainsOutOfLine::operator()):
3377             (JSC::StructureSet::copyFrom):
3378             (JSC::StructureSet::deleteStructureListIfNecessary):
3379             (JSC::StructureSet::setEmpty):
3380             (JSC::StructureSet::getReservedFlag):
3381             (JSC::StructureSet::setReservedFlag):
3382             * dfg/DFGAbstractInterpreter.h:
3383             (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
3384             * dfg/DFGAbstractInterpreterInlines.h:
3385             (JSC::DFG::AbstractInterpreter<AbstractStateType>::booleanResult):
3386             (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
3387             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3388             (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberCapturedVars):
3389             (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
3390             (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
3391             (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
3392             (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
3393             (JSC::DFG::AbstractInterpreter<AbstractStateType>::setDidClobber):
3394             (JSC::DFG::AbstractInterpreter<AbstractStateType>::dump):
3395             * dfg/DFGAbstractValue.cpp:
3396             (JSC::DFG::AbstractValue::observeTransitions):
3397             (JSC::DFG::AbstractValue::setMostSpecific):
3398             (JSC::DFG::AbstractValue::set):
3399             (JSC::DFG::AbstractValue::filter):
3400             (JSC::DFG::AbstractValue::shouldBeClear):
3401             (JSC::DFG::AbstractValue::normalizeClarity):
3402             (JSC::DFG::AbstractValue::checkConsistency):
3403             (JSC::DFG::AbstractValue::assertIsWatched):
3404             (JSC::DFG::AbstractValue::dumpInContext):
3405             (JSC::DFG::AbstractValue::setFuturePossibleStructure): Deleted.
3406             * dfg/DFGAbstractValue.h:
3407             (JSC::DFG::AbstractValue::clear):
3408             (JSC::DFG::AbstractValue::clobberStructures):
3409             (JSC::DFG::AbstractValue::clobberStructuresFor):
3410             (JSC::DFG::AbstractValue::observeInvalidationPoint):
3411             (JSC::DFG::AbstractValue::observeInvalidationPointFor):
3412             (JSC::DFG::AbstractValue::observeTransition):
3413             (JSC::DFG::AbstractValue::TransitionObserver::TransitionObserver):
3414             (JSC::DFG::AbstractValue::TransitionObserver::operator()):
3415             (JSC::DFG::AbstractValue::TransitionsObserver::TransitionsObserver):
3416             (JSC::DFG::AbstractValue::TransitionsObserver::operator()):
3417             (JSC::DFG::AbstractValue::isHeapTop):
3418             (JSC::DFG::AbstractValue::setType):
3419             (JSC::DFG::AbstractValue::operator==):
3420             (JSC::DFG::AbstractValue::merge):
3421             (JSC::DFG::AbstractValue::validate):
3422             (JSC::DFG::AbstractValue::hasClobberableState):
3423             (JSC::DFG::AbstractValue::assertIsWatched):
3424             (JSC::DFG::AbstractValue::observeIndexingTypeTransition):
3425             (JSC::DFG::AbstractValue::makeTop):
3426             (JSC::DFG::AbstractValue::bestProvenStructure): Deleted.
3427             * dfg/DFGAllocator.h:
3428             * dfg/DFGArgumentsSimplificationPhase.cpp:
3429             (JSC::DFG::ArgumentsSimplificationPhase::run):
3430             * dfg/DFGArrayMode.cpp:
3431             (JSC::DFG::ArrayMode::alreadyChecked):
3432             * dfg/DFGAtTailAbstractState.h:
3433             (JSC::DFG::AtTailAbstractState::structureClobberState):
3434             (JSC::DFG::AtTailAbstractState::setStructureClobberState):
3435             (JSC::DFG::AtTailAbstractState::setFoundConstants):
3436             (JSC::DFG::AtTailAbstractState::haveStructures): Deleted.
3437             (JSC::DFG::AtTailAbstractState::setHaveStructures): Deleted.
3438             * dfg/DFGBasicBlock.cpp:
3439             (JSC::DFG::BasicBlock::BasicBlock):
3440             * dfg/DFGBasicBlock.h:
3441             * dfg/DFGBranchDirection.h:
3442             (JSC::DFG::branchDirectionToString):
3443             (WTF::printInternal):
3444             * dfg/DFGByteCodeParser.cpp:
3445             (JSC::DFG::ByteCodeParser::handlePutById):
3446             * dfg/DFGCFAPhase.cpp:
3447             (JSC::DFG::CFAPhase::performBlockCFA):
3448             * dfg/DFGCSEPhase.cpp:
3449             (JSC::DFG::CSEPhase::checkStructureElimination):
3450             (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
3451             (JSC::DFG::CSEPhase::performNodeCSE):
3452             * dfg/DFGClobberize.h:
3453             (JSC::DFG::clobberize):
3454             * dfg/DFGCommon.cpp:
3455             (JSC::DFG::startCrashing):
3456             (JSC::DFG::isCrashing):
3457             * dfg/DFGCommon.h:
3458             * dfg/DFGCommonData.cpp:
3459             (JSC::DFG::CommonData::notifyCompilingStructureTransition):
3460             * dfg/DFGConstantFoldingPhase.cpp:
3461             (JSC::DFG::ConstantFoldingPhase::foldConstants):
3462             (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
3463             (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
3464             (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
3465             * dfg/DFGDesiredWatchpoints.cpp:
3466             (JSC::DFG::DesiredWatchpoints::consider):
3467             (JSC::DFG::DesiredWatchpoints::addLazily): Deleted.
3468             * dfg/DFGDesiredWatchpoints.h:
3469             (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
3470             (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
3471             (JSC::DFG::GenericDesiredWatchpoints::isWatched):
3472             (JSC::DFG::DesiredWatchpoints::isWatched):
3473             (JSC::DFG::WatchpointForGenericWatchpointSet::WatchpointForGenericWatchpointSet): Deleted.
3474             (JSC::DFG::GenericDesiredWatchpoints::addLazily): Deleted.
3475             (JSC::DFG::GenericDesiredWatchpoints::isStillValid): Deleted.
3476             (JSC::DFG::GenericDesiredWatchpoints::shouldAssumeMixedState): Deleted.
3477             (JSC::DFG::GenericDesiredWatchpoints::isValidOrMixed): Deleted.
3478             (JSC::DFG::DesiredWatchpoints::isStillValid): Deleted.
3479             (JSC::DFG::DesiredWatchpoints::shouldAssumeMixedState): Deleted.
3480             (JSC::DFG::DesiredWatchpoints::isValidOrMixed): Deleted.
3481             * dfg/DFGDoesGC.cpp:
3482             (JSC::DFG::doesGC):
3483             * dfg/DFGFixupPhase.cpp:
3484             (JSC::DFG::FixupPhase::fixupNode):
3485             (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
3486             (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
3487             * dfg/DFGGraph.cpp:
3488             (JSC::DFG::Graph::~Graph):
3489             (JSC::DFG::Graph::dump):
3490             (JSC::DFG::Graph::dumpBlockHeader):
3491             (JSC::DFG::Graph::tryGetFoldableView):
3492             (JSC::DFG::Graph::visitChildren):
3493             (JSC::DFG::Graph::assertIsWatched):
3494             (JSC::DFG::Graph::handleAssertionFailure):
3495             * dfg/DFGGraph.h:
3496             (JSC::DFG::Graph::convertToConstant):
3497             (JSC::DFG::Graph::masqueradesAsUndefinedWatchpointIsStillValid):
3498             (JSC::DFG::Graph::addStructureTransitionData): Deleted.
3499             * dfg/DFGInPlaceAbstractState.cpp:
3500             (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
3501             (JSC::DFG::InPlaceAbstractState::initialize):
3502             (JSC::DFG::InPlaceAbstractState::endBasicBlock):
3503             (JSC::DFG::InPlaceAbstractState::reset):
3504             (JSC::DFG::InPlaceAbstractState::merge):
3505             * dfg/DFGInPlaceAbstractState.h:
3506             (JSC::DFG::InPlaceAbstractState::structureClobberState):
3507             (JSC::DFG::InPlaceAbstractState::setStructureClobberState):
3508             (JSC::DFG::InPlaceAbstractState::setFoundConstants):
3509             (JSC::DFG::InPlaceAbstractState::haveStructures): Deleted.
3510             (JSC::DFG::InPlaceAbstractState::setHaveStructures): Deleted.
3511             * dfg/DFGLivenessAnalysisPhase.cpp:
3512             (JSC::DFG::LivenessAnalysisPhase::run):
3513             * dfg/DFGNode.h:
3514             (JSC::DFG::Node::hasTransition):
3515             (JSC::DFG::Node::transition):
3516             (JSC::DFG::Node::hasStructure):
3517             (JSC::DFG::StructureTransitionData::StructureTransitionData): Deleted.
3518             (JSC::DFG::Node::convertToStructureTransitionWatchpoint): Deleted.
3519             (JSC::DFG::Node::hasStructureTransitionData): Deleted.
3520             (JSC::DFG::Node::structureTransitionData): Deleted.
3521             * dfg/DFGNodeType.h:
3522             * dfg/DFGPlan.cpp:
3523             (JSC::DFG::Plan::compileInThreadImpl):
3524             * dfg/DFGPredictionPropagationPhase.cpp:
3525             (JSC::DFG::PredictionPropagationPhase::propagate):
3526             * dfg/DFGSafeToExecute.h:
3527             (JSC::DFG::safeToExecute):
3528             * dfg/DFGSpeculativeJIT.cpp:
3529             (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3530             (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3531             * dfg/DFGSpeculativeJIT.h:
3532             (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
3533             * dfg/DFGSpeculativeJIT32_64.cpp:
3534             (JSC::DFG::SpeculativeJIT::compile):
3535             * dfg/DFGSpeculativeJIT64.cpp:
3536             (JSC::DFG::SpeculativeJIT::compile):
3537             * dfg/DFGStructureAbstractValue.cpp: Added.
3538             (JSC::DFG::StructureAbstractValue::assertIsWatched):
3539             (JSC::DFG::StructureAbstractValue::clobber):
3540             (JSC::DFG::StructureAbstractValue::observeTransition):
3541             (JSC::DFG::StructureAbstractValue::observeTransitions):
3542             (JSC::DFG::StructureAbstractValue::add):
3543             (JSC::DFG::StructureAbstractValue::merge):
3544             (JSC::DFG::StructureAbstractValue::mergeSlow):
3545             (JSC::DFG::StructureAbstractValue::mergeNotTop):
3546             (JSC::DFG::StructureAbstractValue::filter):
3547             (JSC::DFG::StructureAbstractValue::filterSlow):
3548             (JSC::DFG::StructureAbstractValue::contains):
3549             (JSC::DFG::StructureAbstractValue::isSubsetOf):
3550             (JSC::DFG::StructureAbstractValue::isSupersetOf):
3551             (JSC::DFG::StructureAbstractValue::overlaps):
3552             (JSC::DFG::StructureAbstractValue::equalsSlow):
3553             (JSC::DFG::StructureAbstractValue::dumpInContext):
3554             (JSC::DFG::StructureAbstractValue::dump):
3555             * dfg/DFGStructureAbstractValue.h:
3556             (JSC::DFG::StructureAbstractValue::StructureAbstractValue):
3557             (JSC::DFG::StructureAbstractValue::operator=):
3558             (JSC::DFG::StructureAbstractValue::clear):
3559             (JSC::DFG::StructureAbstractValue::makeTop):
3560             (JSC::DFG::StructureAbstractValue::assertIsWatched):
3561             (JSC::DFG::StructureAbstractValue::observeInvalidationPoint):
3562             (JSC::DFG::StructureAbstractValue::top):
3563             (JSC::DFG::StructureAbstractValue::isClear):
3564             (JSC::DFG::StructureAbstractValue::isTop):
3565             (JSC::DFG::StructureAbstractValue::isNeitherClearNorTop):
3566             (JSC::DFG::StructureAbstractValue::isClobbered):
3567             (JSC::DFG::StructureAbstractValue::merge):
3568             (JSC::DFG::StructureAbstractValue::filter):
3569             (JSC::DFG::StructureAbstractValue::operator==):
3570             (JSC::DFG::StructureAbstractValue::size):
3571             (JSC::DFG::StructureAbstractValue::at):
3572             (JSC::DFG::StructureAbstractValue::operator[]):
3573             (JSC::DFG::StructureAbstractValue::onlyStructure):
3574             (JSC::DFG::StructureAbstractValue::isSupersetOf):
3575             (JSC::DFG::StructureAbstractValue::makeTopWhenThin):
3576             (JSC::DFG::StructureAbstractValue::setClobbered):
3577             (JSC::DFG::StructureAbstractValue::add): Deleted.
3578             (JSC::DFG::StructureAbstractValue::addAll): Deleted.
3579             (JSC::DFG::StructureAbstractValue::contains): Deleted.
3580             (JSC::DFG::StructureAbstractValue::isSubsetOf): Deleted.
3581             (JSC::DFG::StructureAbstractValue::doesNotContainAnyOtherThan): Deleted.
3582             (JSC::DFG::StructureAbstractValue::isClearOrTop): Deleted.
3583             (JSC::DFG::StructureAbstractValue::last): Deleted.
3584             (JSC::DFG::StructureAbstractValue::speculationFromStructures): Deleted.
3585             (JSC::DFG::StructureAbstractValue::isValidOffset): Deleted.
3586             (JSC::DFG::StructureAbstractValue::hasSingleton): Deleted.
3587             (JSC::DFG::StructureAbstractValue::singleton): Deleted.
3588             (JSC::DFG::StructureAbstractValue::dumpInContext): Deleted.
3589             (JSC::DFG::StructureAbstractValue::dump): Deleted.
3590             (JSC::DFG::StructureAbstractValue::topValue): Deleted.
3591             * dfg/DFGStructureClobberState.h: Added.
3592             (JSC::DFG::merge):
3593             (WTF::printInternal):
3594             * dfg/DFGTransition.cpp: Added.
3595             (JSC::DFG::Transition::dumpInContext):
3596             (JSC::DFG::Transition::dump):
3597             * dfg/DFGTransition.h: Added.
3598             (JSC::DFG::Transition::Transition):
3599             * dfg/DFGTypeCheckHoistingPhase.cpp:
3600             (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
3601             (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
3602             * dfg/DFGWatchableStructureWatchingPhase.cpp: Added.
3603             (JSC::DFG::WatchableStructureWatchingPhase::WatchableStructureWatchingPhase):
3604             (JSC::DFG::WatchableStructureWatchingPhase::run):
3605             (JSC::DFG::WatchableStructureWatchingPhase::tryWatch):
3606             (JSC::DFG::performWatchableStructureWatching):
3607             * dfg/DFGWatchableStructureWatchingPhase.h: Added.
3608             * dfg/DFGWatchpointCollectionPhase.cpp:
3609             (JSC::DFG::WatchpointCollectionPhase::handle):
3610             (JSC::DFG::WatchpointCollectionPhase::handleEdge): Deleted.
3611             * ftl/FTLCapabilities.cpp:
3612             (JSC::FTL::canCompile):
3613             * ftl/FTLIntrinsicRepository.h:
3614             * ftl/FTLLowerDFGToLLVM.cpp:
3615             (JSC::FTL::ftlUnreachable):
3616             (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
3617             (JSC::FTL::LowerDFGToLLVM::compileBlock):
3618             (JSC::FTL::LowerDFGToLLVM::compileNode):
3619             (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
3620             (JSC::FTL::LowerDFGToLLVM::compilePhi):
3621             (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
3622             (JSC::FTL::LowerDFGToLLVM::compileValueRep):
3623             (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
3624             (JSC::FTL::LowerDFGToLLVM::compileGetArgument):
3625             (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
3626             (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
3627             (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
3628             (JSC::FTL::LowerDFGToLLVM::compileArithMul):
3629             (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
3630             (JSC::FTL::LowerDFGToLLVM::compileArithMod):
3631             (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
3632             (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
3633             (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
3634             (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
3635             (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
3636             (JSC::FTL::LowerDFGToLLVM::compileGetById):
3637             (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
3638             (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
3639             (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
3640             (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
3641             (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
3642             (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
3643             (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
3644             (JSC::FTL::LowerDFGToLLVM::compileNewArray):
3645             (JSC::FTL::LowerDFGToLLVM::compileNewArrayBuffer):
3646             (JSC::FTL::LowerDFGToLLVM::compileAllocatePropertyStorage):
3647             (JSC::FTL::LowerDFGToLLVM::compileReallocatePropertyStorage):
3648             (JSC::FTL::LowerDFGToLLVM::compileToString):
3649             (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
3650             (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
3651             (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
3652             (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
3653             (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
3654             (JSC::FTL::LowerDFGToLLVM::compileSwitch):
3655             (JSC::FTL::LowerDFGToLLVM::compare):
3656             (JSC::FTL::LowerDFGToLLVM::boolify):
3657             (JSC::FTL::LowerDFGToLLVM::terminate):
3658             (JSC::FTL::LowerDFGToLLVM::lowInt32):
3659             (JSC::FTL::LowerDFGToLLVM::lowInt52):
3660             (JSC::FTL::LowerDFGToLLVM::opposite):
3661             (JSC::FTL::LowerDFGToLLVM::lowCell):
3662             (JSC::FTL::LowerDFGToLLVM::lowBoolean):
3663             (JSC::FTL::LowerDFGToLLVM::lowDouble):
3664             (JSC::FTL::LowerDFGToLLVM::lowJSValue):
3665             (JSC::FTL::LowerDFGToLLVM::speculate):
3666             (JSC::FTL::LowerDFGToLLVM::isArrayType):
3667             (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
3668             (JSC::FTL::LowerDFGToLLVM::callCheck):
3669             (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
3670             (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
3671             (JSC::FTL::LowerDFGToLLVM::setInt52):
3672             (JSC::FTL::LowerDFGToLLVM::crash):
3673             (JSC::FTL::LowerDFGToLLVM::compileStructureTransitionWatchpoint): Deleted.
3674             * ftl/FTLOutput.cpp:
3675             (JSC::FTL::Output::crashNonTerminal): Deleted.
3676             * ftl/FTLOutput.h:
3677             (JSC::FTL::Output::crash): Deleted.
3678             * jit/JITOperations.h:
3679             * jsc.cpp:
3680             (WTF::jscExit):
3681             (functionQuit):
3682             (main):
3683             (printUsageStatement):
3684             (CommandLine::parseArguments):
3685             * runtime/Structure.h:
3686             (JSC::Structure::dfgShouldWatchIfPossible):
3687             (JSC::Structure::dfgShouldWatch):
3688             * tests/stress/arrayify-to-structure-contradiction.js: Added.
3689             (foo):
3690             * tests/stress/ftl-getmyargumentslength-inline.js: Added.
3691             (foo):
3692             * tests/stress/multi-put-by-offset-multiple-transitions.js: Added.
3693             (foo):
3694             (Foo):
3695             * tests/stress/throw-from-ftl-in-loop.js: Added.
3696             * tests/stress/throw-from-ftl.js: Added.
3697             (foo):
3698     
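The structure-set lattice described in the r169185 entry above (bug 128073), as an added example that is not part of this ChangeLog or of JSC's source: a small C++ model of a set that is either finite, finite-plus-clobbered, or TOP, with clobbering, invalidation points, merge and the size limit. The `Structure` stand-in, the limit value and the accessor names are assumptions made for the demo.

```cpp
// Added example (not JSC's code): a small model of the StructureAbstractValue
// lattice described above: finite set / clobbered set / TOP. The Structure
// stand-in and the limit value are assumptions made for the demo.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

// Minimal stand-in for JSC::Structure: identity plus watchability.
struct Structure {
    uint32_t id;
    bool watchable; // a transition watchpoint can be registered on it
};

class StructureAbstractValue {
public:
    // Assumed stand-in for StructureAbstractValue::polymorphismLimit.
    static constexpr size_t polymorphismLimit = 4;
    bool isTop() const { return m_isTop; }
    bool isClobbered() const { return m_isClobbered; }
    size_t size() const { return m_set.size(); }
    // "Could the value have this structure right now?" TOP and clobbered
    // values may currently hold any structure at all.
    bool mayHave(const Structure* s) const { return m_isTop || m_isClobbered || inSet(s); }
    void makeTop() { m_isTop = true; m_isClobbered = false; m_set.clear(); }

    // Add one structure; exceeding the limit collapses the value to TOP so a
    // pathological program cannot make the set grow without bound.
    void add(const Structure* s) {
        if (m_isTop || inSet(s)) return;
        m_set.push_back(s);
        if (m_set.size() > polymorphismLimit) makeTop();
    }

    // Lattice join at a control-flow merge: union of the sets, TOP absorbs,
    // and the result is clobbered if either input was.
    void merge(const StructureAbstractValue& other) {
        if (m_isTop) return;
        if (other.m_isTop) { makeTop(); return; }
        bool clobbered = m_isClobbered || other.m_isClobbered;
        for (const Structure* s : other.m_set) add(s);
        if (!m_isTop) m_isClobbered = clobbered;
    }

    // A side effect may have transitioned the object. If every member is
    // watched, a transition would jettison the code, so we only record "plus
    // all structures, temporarily". One unwatchable member and that guarantee
    // is gone: the value becomes TOP.
    void clobber() {
        if (m_isTop) return;
        for (const Structure* s : m_set)
            if (!s->watchable) { makeTop(); return; }
        m_isClobbered = true;
    }

    // Invalidation point: we are still running, so no watched structure has
    // transitioned and the temporary "all structures" part is dropped.
    void observeInvalidationPoint() { m_isClobbered = false; }

private:
    bool inSet(const Structure* s) const {
        return std::find(m_set.begin(), m_set.end(), s) != m_set.end();
    }
    std::vector<const Structure*> m_set;
    bool m_isTop = false;
    bool m_isClobbered = false;
};

// Constructed structures for the scenarios: two watchable, one not.
static const Structure kA{1, true}, kB{2, true}, kC{3, false};

// Clobbering a fully watchable set keeps it finite, and the next invalidation
// point hands back the exact set: returns true when both hold.
bool watchableSetSurvivesClobber() {
    StructureAbstractValue v;
    v.add(&kA); v.add(&kB);
    v.clobber();
    bool during = v.isClobbered() && !v.isTop() && v.size() == 2 && v.mayHave(&kC);
    v.observeInvalidationPoint();
    bool after = !v.isClobbered() && v.size() == 2 && v.mayHave(&kA) && !v.mayHave(&kC);
    return during && after;
}

// One unwatchable member turns a clobber into TOP.
bool unwatchableMemberGoesTop() {
    StructureAbstractValue v;
    v.add(&kA); v.add(&kC);
    v.clobber();
    return v.isTop() && !v.isClobbered();
}

// Merging past polymorphismLimit collapses to TOP rather than growing.
bool mergePastLimitGoesTop() {
    static const Structure many[] = {{10, true}, {11, true}, {12, true}, {13, true}, {14, true}};
    StructureAbstractValue left, right;
    left.add(&many[0]); left.add(&many[1]); left.add(&many[2]);
    right.add(&many[3]); right.add(&many[4]);
    left.merge(right);
    return left.isTop();
}
```

The soundness point from the entry is visible in `clobber()`: the finite set is only kept across a side effect when every member is watched, because otherwise the code could keep assuming a structure the object no longer has.
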
3699     2014-06-03  Filip Pizlo  <fpizlo@apple.com>
3700     
3701             [ftlopt] Unreviewed, roll out r169578. The build system needs some more love.
3702     
3703             * InlineRuntimeSymbolTable.h: Removed.
3704             * JavaScriptCore.xcodeproj/project.pbxproj:
3705             * build-symbol-table-index.py:
3706             * build-symbol-table-index.sh:
3707             * copy-llvm-ir-to-derived-sources.sh:
3708             * dfg/DFGByteCodeParser.cpp:
3709             (JSC::DFG::ByteCodeParser::handleCall):
3710             * dfg/DFGNode.h:
3711             (JSC::DFG::Node::canBeKnownFunction): Deleted.
3712             (JSC::DFG::Node::hasKnownFunction): Deleted.
3713             (JSC::DFG::Node::knownFunction): Deleted.
3714             (JSC::DFG::Node::giveKnownFunction): Deleted.
3715             * ftl/FTLAbbreviatedTypes.h:
3716             * ftl/FTLCompile.cpp:
3717             (JSC::FTL::compile):
3718             * ftl/FTLLowerDFGToLLVM.cpp:
3719             (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
3720             (JSC::FTL::LowerDFGToLLVM::lower):
3721             (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
3722             (JSC::FTL::LowerDFGToLLVM::possiblyCompileInlineableNativeCall): Deleted.