4d6ac6aca5aeeb5c991ee0341b8ca1897c6d5a02
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-07-03  Daniel Bates  <dabates@apple.com>

        Add WTF::move()
        https://bugs.webkit.org/show_bug.cgi?id=134500

        Rubber-stamped by Anders Carlsson.

        Substitute WTF::move() for std::move().

        * bytecode/CodeBlock.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        * bytecompiler/BytecodeGenerator.cpp:
        * dfg/DFGGraph.cpp:
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGStackLayoutPhase.cpp:
        * dfg/DFGWorklist.cpp:
        * heap/DelayedReleaseScope.h:
        * heap/HeapInlines.h:
        [...]

2014-07-03  Filip Pizlo  <fpizlo@apple.com>

        SSA DCE should process blocks in forward order
        https://bugs.webkit.org/show_bug.cgi?id=134611

        Reviewed by Andreas Kling.

        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::run):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
        * tests/stress/dead-value-with-mov-hint-in-another-block.js: Added.
        (foo):

2014-07-03  Filip Pizlo  <fpizlo@apple.com>

        JSActivation::symbolTablePut() should invalidate variable watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=134602

        Reviewed by Oliver Hunt.

        Usually stores to captured variables cause us to invalidate the variable watchpoint because CodeBlock does so
        during linking - we essentially assume that if it's at all possible for an inner function to store to a
        variable we declare then this variable cannot be a constant. But this misses the dynamic store case, i.e.
        JSActivation::symbolTablePut(). Part of the problem here is that JSActivation duplicates
        JSSymbolTableObject's symbolTablePut() logic, which did have the invalidation. This patch keeps that code
        duplicated, but fixes JSActivation::symbolTablePut() to do the right thing.

        * runtime/JSActivation.cpp:
        (JSC::JSActivation::symbolTablePut):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTablePut):
        * tests/stress/constant-closure-var-with-dynamic-invalidation.js: Added.
        (.):

2014-07-01  Mark Lam  <mark.lam@apple.com>

        Debugger's breakpoint list should not be a Vector.
        <https://webkit.org/b/134514>

        Reviewed by Geoffrey Garen.

        The debugger currently stores breakpoint data as entries in a Vector (see
        BreakpointsInLine).  It also keeps a fast map lookup of breakpoint IDs to
        the breakpoint data (see m_breakpointIDToBreakpoint).  Because a Vector can
        compact or reallocate its backing store, this can cause all sorts of havoc.
        The m_breakpointIDToBreakpoint map assumes that the breakpoint data doesn't
        move in memory.

        The fix is to replace the BreakpointsInLine Vector with a BreakpointsList
        doubly linked list.

        * debugger/Breakpoint.h:
        (JSC::Breakpoint::Breakpoint):
        (JSC::BreakpointsList::~BreakpointsList):
        * debugger/Debugger.cpp:
        (JSC::Debugger::setBreakpoint):
        (JSC::Debugger::removeBreakpoint):
        (JSC::Debugger::hasBreakpoint):
        * debugger/Debugger.h:

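        The hazard the entry above describes, as an added example that is not WebKit code: a map of
        breakpoint IDs to element pointers dangles as soon as the owning std::vector reallocates, while a
        node-based doubly linked list (std::list here, standing in for BreakpointsList) never relocates
        its nodes. The Breakpoint fields and the BreakpointRegistry class are hypothetical stand-ins for
        the debugger types named in the entry.

```cpp
// Added example (not JavaScriptCore code): pointer stability of vector vs. list storage.
#include <cstddef>
#include <cstdint>
#include <list>
#include <unordered_map>
#include <vector>

// Hypothetical breakpoint record; the real JSC::Breakpoint has more fields.
struct Breakpoint {
    unsigned id;
    unsigned line;
    unsigned column;
};

// A std::vector may reallocate its backing store when it grows, so the address of an
// existing element is not stable. Returns true when the first element moved after the
// second push_back (guaranteed here: capacity is 1, so growth must reallocate).
bool vectorMovesElements()
{
    std::vector<Breakpoint> breakpoints;
    breakpoints.reserve(1);
    breakpoints.push_back({1, 10, 0});
    // Keep the address as an integer so we never dereference a dangling pointer.
    std::uintptr_t before = reinterpret_cast<std::uintptr_t>(&breakpoints[0]);
    breakpoints.push_back({2, 20, 0});
    std::uintptr_t after = reinterpret_cast<std::uintptr_t>(&breakpoints[0]);
    return before != after;
}

// Registry in the shape the fix describes: breakpoints live in a doubly linked list and a
// side map resolves IDs to node pointers. std::list guarantees node addresses survive
// insertions and unrelated erasures, so the mapped pointers stay valid.
class BreakpointRegistry {
public:
    unsigned setBreakpoint(unsigned line, unsigned column)
    {
        unsigned id = m_nextID++;
        m_breakpoints.push_back({id, line, column});
        m_idToBreakpoint[id] = &m_breakpoints.back();
        return id;
    }

    bool hasBreakpoint(unsigned line, unsigned column) const
    {
        for (const Breakpoint& bp : m_breakpoints) {
            if (bp.line == line && bp.column == column)
                return true;
        }
        return false;
    }

    // Resolve the node through the map, then unlink exactly that node from the list.
    bool removeBreakpoint(unsigned id)
    {
        auto it = m_idToBreakpoint.find(id);
        if (it == m_idToBreakpoint.end())
            return false;
        Breakpoint* target = it->second;
        m_idToBreakpoint.erase(it);
        for (auto li = m_breakpoints.begin(); li != m_breakpoints.end(); ++li) {
            if (&*li == target) {
                m_breakpoints.erase(li);
                return true;
            }
        }
        return false;
    }

    // Invariant check: every mapped pointer addresses a live node with the matching ID.
    bool pointersConsistent() const
    {
        for (const auto& entry : m_idToBreakpoint) {
            bool found = false;
            for (const Breakpoint& bp : m_breakpoints) {
                if (&bp == entry.second && bp.id == entry.first)
                    found = true;
            }
            if (!found)
                return false;
        }
        return true;
    }

    std::size_t size() const { return m_breakpoints.size(); }

private:
    unsigned m_nextID { 1 };
    std::list<Breakpoint> m_breakpoints;
    std::unordered_map<unsigned, Breakpoint*> m_idToBreakpoint;
};
```

        The list walk in removeBreakpoint is linear; storing the list iterator in the map instead of a raw
        pointer would make erasure O(1) while keeping the same stability guarantee.
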
2014-06-30  Michael Saboff  <msaboff@apple.com>

        Add option to run-jsc-stress-tests to filter out tests that use large heaps
        https://bugs.webkit.org/show_bug.cgi?id=134458

        Reviewed by Filip Pizlo.

        Added test to skip js1_5/Regress/regress-159334.js when testing on a memory limited device.

        * tests/mozilla/mozilla-tests.yaml:

2014-06-30  Daniel Bates  <dabates@apple.com>

        Avoid copying closed variables vector; actually use move semantics

        Rubber-stamped by Oliver Hunt.

        Currently we always copy the closed variables vector passed by Parser::closedVariables()
        to ProgramNode::setClosedVariables() because these member functions return and take a const
        rvalue reference, respectively. Instead, these member functions should take and return a non-
        constant rvalue reference so that we actually move the closed variables vector from the Parser
        object to the Node object.

        * parser/Nodes.cpp:
        (JSC::ProgramNode::setClosedVariables): Remove const qualifier for argument.
        * parser/Nodes.h:
        (JSC::ScopeNode::setClosedVariables): Ditto.
        * parser/Parser.h:
        (JSC::Parser::closedVariables): Remove const qualifier on return type.
        (JSC::parse): Remove extraneous call to std::move(). Calling std::move() is unnecessary here
        because Parser::closedVariables() returns an rvalue reference.

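        Why the const qualifier defeats the move, as an added example that is not WebKit code: a
        const rvalue reference cannot bind to std::vector's move constructor or move assignment, so the
        only viable overload is the copying one. The Counted element type, the Parser and the two
        ScopeNode variants below are hypothetical stand-ins for the types named in the entry; the
        instrumentation counts element copies so the difference is observable.

```cpp
// Added example (not JavaScriptCore code): const&& forces a copy, plain && moves.
#include <string>
#include <utility>
#include <vector>

// Instrumented element: counts copies and moves so we can see what the vector did.
struct Counted {
    static int copies;
    static int moves;
    std::string name;
    explicit Counted(std::string n) : name(std::move(n)) { }
    Counted(const Counted& other) : name(other.name) { ++copies; }
    Counted(Counted&& other) noexcept : name(std::move(other.name)) { ++moves; }
    Counted& operator=(const Counted& other) { name = other.name; ++copies; return *this; }
    Counted& operator=(Counted&& other) noexcept { name = std::move(other.name); ++moves; return *this; }
};
int Counted::copies = 0;
int Counted::moves = 0;

using ClosedVariables = std::vector<Counted>;

// "Before" shape: a const rvalue reference. Even std::move(vars) yields a const
// ClosedVariables&&, which only the copy assignment operator can accept.
struct ScopeNodeBefore {
    void setClosedVariables(const ClosedVariables&& vars) { m_closedVariables = std::move(vars); }
    ClosedVariables m_closedVariables;
};

// "After" shape: a non-const rvalue reference, so the buffer is stolen instead of copied.
struct ScopeNodeAfter {
    void setClosedVariables(ClosedVariables&& vars) { m_closedVariables = std::move(vars); }
    ClosedVariables m_closedVariables;
};

// Hypothetical parser exposing its closed-variable vector both ways.
struct Parser {
    ClosedVariables m_closedVariables;
    const ClosedVariables&& closedVariablesConst() { return std::move(m_closedVariables); }
    ClosedVariables&& closedVariables() { return std::move(m_closedVariables); }
};

static Parser makeParserWithThreeVariables()
{
    Parser parser;
    parser.m_closedVariables.emplace_back("a");
    parser.m_closedVariables.emplace_back("b");
    parser.m_closedVariables.emplace_back("c");
    return parser;
}

// Element copies made when handing three closed variables to the "before" node.
int copiesWithConstRvalueRef()
{
    Parser parser = makeParserWithThreeVariables();
    Counted::copies = 0; // ignore bookkeeping from building the parser
    Counted::moves = 0;
    ScopeNodeBefore node;
    node.setClosedVariables(parser.closedVariablesConst());
    return Counted::copies; // 3: every element was copied
}

// Element copies made with the "after" signatures: none, the buffer moves wholesale.
int copiesWithRvalueRef()
{
    Parser parser = makeParserWithThreeVariables();
    Counted::copies = 0;
    Counted::moves = 0;
    ScopeNodeAfter node;
    node.setClosedVariables(parser.closedVariables());
    return Counted::copies + Counted::moves; // 0: no element was touched at all
}
```

        The same reasoning is why the extraneous std::move() in JSC::parse could be dropped: the
        accessor already yields an xvalue, and wrapping it again changes nothing.
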
2014-06-30  Joseph Pecoraro  <pecoraro@apple.com>

        JSContext Inspection: Provide a way to use a non-Main RunLoop for Inspector JavaScript Evaluations
        https://bugs.webkit.org/show_bug.cgi?id=134371

        Reviewed by Timothy Hatcher.

        * API/JSContextPrivate.h:
        * API/JSContext.mm:
        (-[JSContext _debuggerRunLoop]):
        (-[JSContext _setDebuggerRunLoop:]):
        Private API for setting the CFRunLoop for a debugger to evaluate in.

        * API/JSContextRefInternal.h: Added.
        * API/JSContextRef.cpp:
        (JSGlobalContextGetDebuggerRunLoop):
        (JSGlobalContextSetDebuggerRunLoop):
        Internal API for setting a CFRunLoop on a JSContextRef.
        Set this on the debuggable.

        * inspector/remote/RemoteInspectorDebuggable.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        (Inspector::RemoteInspectorBlock::RemoteInspectorBlock):
        (Inspector::RemoteInspectorBlock::~RemoteInspectorBlock):
        (Inspector::RemoteInspectorBlock::operator=):
        (Inspector::RemoteInspectorBlock::operator()):
        Moved into the header.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::inspectorDebuggable):
        Let's store the RunLoop on the debuggable instead of this core
        platform agnostic class, so expose the debuggable.

        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorHandleRunSourceGlobal):
        (Inspector::RemoteInspectorQueueTaskOnGlobalQueue):
        (Inspector::RemoteInspectorInitializeGlobalQueue):
        Rename the global functions for clarity.

        (Inspector::RemoteInspectorHandleRunSourceWithInfo):
        Handler for private run loops.

        (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
        (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
        (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
        (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):
        (Inspector::RemoteInspectorDebuggableConnection::teardownRunLoop):
        (Inspector::RemoteInspectorDebuggableConnection::queueTaskOnPrivateRunLoop):
        Setup and teardown and use private run loop sources if the debuggable needs it.

2014-06-30  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>

        Add missing ENABLE(DFG_JIT) guards
        https://bugs.webkit.org/show_bug.cgi?id=134444

        Reviewed by Darin Adler.

        * dfg/DFGFunctionWhitelist.cpp:
        * dfg/DFGFunctionWhitelist.h:

2014-06-29  Yoav Weiss  <yoav@yoav.ws>

        Add support for HTMLImageElement's sizes attribute
        https://bugs.webkit.org/show_bug.cgi?id=133620

        Reviewed by Dean Jackson.

        Added an ENABLE_PICTURE_SIZES compile flag.

        * Configurations/FeatureDefines.xcconfig:

2014-06-27  Filip Pizlo  <fpizlo@apple.com>

        Don't fold a UInt32ToNumber with DoOverflow to Identity since that would result in an Identity that takes an Int32 and returns a DoubleRep
        https://bugs.webkit.org/show_bug.cgi?id=134412

        Reviewed by Mark Hahnenberg.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::setReplacement):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * tests/stress/uint32-to-number-fold-constant-with-do-overflow.js: Added.
        (foo):
        (bar):
        (baz):

2014-06-27  Peyton Randolph  <prandolph@apple.com>

        Add feature flag for link long-press gesture.
        https://bugs.webkit.org/show_bug.cgi?id=134262

        Reviewed by Enrica Casucci.

        * Configurations/FeatureDefines.xcconfig:
        Add ENABLE_LINK_LONG_PRESS.

2014-06-27  László Langó  <llango.u-szeged@partner.samsung.com>

        [JavaScriptCore] FTL buildfix for EFL platform.
        https://bugs.webkit.org/show_bug.cgi?id=133546

        Reviewed by Darin Adler.

        * ftl/FTLAbstractHeap.cpp:
        (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::forStackmaps):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::opposite):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Constant::dump):
        * llvm/InitializeLLVMPOSIX.cpp:
        (JSC::initializeLLVMPOSIX):

2014-06-26  Benjamin Poulain  <benjamin@webkit.org>

        iOS 8 beta 2 ES6 'Set' clear() broken
        https://bugs.webkit.org/show_bug.cgi?id=134346

        Reviewed by Oliver Hunt.

        The object map was not cleared :(.

        Kudos to Ashley Gullen for tracking this and making a regression test.
        Credit to Oliver for finding the missing code.

        * runtime/MapData.h:
        (JSC::MapData::clear):

2014-06-25  Brent Fulgham  <bfulgham@apple.com>

        [Win] Expose Cache Information to WinLauncher
        https://bugs.webkit.org/show_bug.cgi?id=134318

        Reviewed by Dean Jackson.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing
        MemoryStatistics files to the Windows build.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-06-26  David Kilzer  <ddkilzer@apple.com>

        DFG::FunctionWhitelist::parseFunctionNamesInFile does not close file
        <http://webkit.org/b/134343>
        <rdar://problem/17459487>

        Reviewed by Michael Saboff.

        * dfg/DFGFunctionWhitelist.cpp:
        (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
        Close the file handle, and log an error on failure.

2014-06-25  Dana Burkart  <dburkart@apple.com>

        Add support for 5-tuple versioning.

        Reviewed by David Farler.

        * Configurations/Version.xcconfig:

2014-06-25  Geoffrey Garen  <ggaren@apple.com>

        Build fix.

        Unreviewed.

        * runtime/JSDateMath.cpp:
        (JSC::parseDateFromNullTerminatedCharacters):
        * runtime/VM.cpp:
        (JSC::VM::resetDateCache): Use std::numeric_limits instead of QNaN
        constant since that constant doesn't exist anymore.

2014-06-25  Geoffrey Garen  <ggaren@apple.com>

        Unreviewed, rolling out r166876.

        Caused some ECMA test262 failures

        Reverted changeset:

        "Date object needs to check for ES5 15.9.1.14 TimeClip limit."
        https://bugs.webkit.org/show_bug.cgi?id=131248
        http://trac.webkit.org/changeset/166876

2014-06-25  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed gardening.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Update to
        put various files in proper IDE categories.

2014-06-25  peavo@outlook.com  <peavo@outlook.com>

        [Win64] ASM LLINT is not enabled.
        https://bugs.webkit.org/show_bug.cgi?id=130638

        This patch adds a new LLINT assembler backend for Win64, and implements it.
        It makes adjustments to follow the Win64 ABI spec where it's found to be needed.
        Also, LLINT and JIT are enabled for Win64.

        Reviewed by Mark Lam.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added JITStubsMSVC64.asm.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
        * JavaScriptCore/JavaScriptCore.vcxproj/jsc/jscCommon.props: Increased stack size to avoid stack overflow in tests.
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Generate assembler source file for Win64.
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::call): Follow Win64 ABI spec.
        * jit/JITStubsMSVC64.asm: Added.
        * jit/Repatch.cpp:
        (JSC::emitPutTransitionStub): Compile fix.
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator): Follow Win64 ABI spec.
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions): Ditto.
        * llint/LLIntOfflineAsmConfig.h: Enable new llint backend for Win64.
        * llint/LowLevelInterpreter.asm: Implement new Win64 backend, and follow Win64 ABI spec.
        * llint/LowLevelInterpreter64.asm: Ditto.
        * offlineasm/asm.rb: Compile fix.
        * offlineasm/backends.rb: Add new llint backend for Win64.
        * offlineasm/settings.rb: Compile fix.
        * offlineasm/x86.rb: Implement new llint Win64 backend.

2014-06-25  Laszlo Gombos  <l.gombos@samsung.com>

        Remove build guard for progress element
        https://bugs.webkit.org/show_bug.cgi?id=134292

        Reviewed by Benjamin Poulain.

        * Configurations/FeatureDefines.xcconfig:

2014-06-24  Michael Saboff  <msaboff@apple.com>

        Add support routines to provide descriptive JavaScript backtraces
        https://bugs.webkit.org/show_bug.cgi?id=134278

        Reviewed by Mark Lam.

        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::dump):
        (JSC::CallFrame::describeFrame):
        * interpreter/CallFrame.h:
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpForBacktrace):
        * runtime/JSCJSValue.h:

2014-06-24  Brady Eidson  <beidson@apple.com>

        Enable GAMEPAD in the Mac build, but disabled at runtime.
        https://bugs.webkit.org/show_bug.cgi?id=134255

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig:

        * runtime/JSObject.h: Export JSObject::removeDirect() to allow disabling
          functions at runtime.

2014-06-24  Mark Hahnenberg  <mhahnenberg@apple.com>

        REGRESSION (r169703): Invalid cast in JSC::asGetterSetter / JSC::JSObject::defineOwnNonIndexProperty
        https://bugs.webkit.org/show_bug.cgi?id=134046

        Reviewed by Filip Pizlo.

        * runtime/GetterSetter.h:
        (JSC::asGetterSetter):
        * runtime/JSObject.cpp:
        (JSC::JSObject::defineOwnNonIndexProperty): We need to check for a CustomGetterSetter here as well as
        a normal GetterSetter. If we encounter a CustomGetterSetter, we delete it, create a new normal GetterSetter,
        and insert it like normal. We also need to check for CustomAccessors when checking for unconfigurable properties.

2014-06-24  Brent Fulgham  <bfulgham@apple.com>

        [Win] MSVC mishandles enums in bitfields
        https://bugs.webkit.org/show_bug.cgi?id=134237

        Reviewed by Michael Saboff.

        Replace uses of enum types in bit fields with unsigned to
        avoid losing a bit to hold the sign value. This can result
        in Windows interpreting the value of the field improperly.

        * bytecode/StructureStubInfo.h:
        * parser/Nodes.h:

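        The lost-sign-bit hazard and the unsigned-field fix, as an added example that is not WebKit
        code. MSVC gives an enum without a fixed underlying type a signed representation, so a 2-bit
        enum field there holds only -2..1; GCC and Clang pick unsigned for an enum with no negative
        enumerators, so to make the hazard reproducible on every compiler the "before" struct spells the
        signed field out as int. The Kind enum and the two StubInfo structs are hypothetical.

```cpp
// Added example (not JavaScriptCore code): a signed 2-bit field cannot hold 2 or 3,
// an unsigned one can; convert at the accessor boundary instead of storing the enum.
enum Kind { Alpha, Beta, Gamma, Delta }; // four enumerators need exactly 2 bits

// "Before": what MSVC effectively compiles "Kind kind : 2" to. Range is -2..1.
struct StubInfoBefore {
    int kind : 2;
};

// "After": an unsigned field holds 0..3, and accessors hide the cast.
struct StubInfoAfter {
    unsigned kind : 2;
    void setKind(Kind k) { kind = static_cast<unsigned>(k); }
    Kind kindValue() const { return static_cast<Kind>(kind); }
};

// Stores value in the signed 2-bit field and reports whether it reads back unchanged.
// Values above 1 cannot be represented, so they never round-trip; the exact value that
// comes back is implementation-defined (typically -1 for 3, -2 for 2).
bool signedFieldRoundTrips(int value)
{
    StubInfoBefore s {};
    s.kind = value;
    return s.kind == value;
}

// Same store through the unsigned field: every enumerator survives.
bool unsignedFieldRoundTrips(Kind value)
{
    StubInfoAfter s {};
    s.setKind(value);
    return s.kindValue() == value;
}

// Walks every enumerator through the fixed layout; what a unit test for the
// bit-field width would assert.
bool allEnumeratorsRoundTrip()
{
    const Kind all[] = { Alpha, Beta, Gamma, Delta };
    for (Kind k : all) {
        if (!unsignedFieldRoundTrips(k))
            return false;
    }
    return true;
}
```

        Since C++11 the same effect can be had by fixing the underlying type (enum Kind : unsigned),
        but the entry's approach of storing unsigned and casting in accessors works with the older
        toolchains WebKit had to support at the time.
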
2014-06-23  Andreas Kling  <akling@apple.com>

        Inline the UnlinkedInstructionStream::Reader logic.
        <https://webkit.org/b/134203>

        This class is only used by CodeBlock to unpack the unlinked instructions,
        and we were spending 0.5% of total time on PLT calling Reader::next().
        Move the logic to the header file and mark it ALWAYS_INLINE.

        Reviewed by Geoffrey Garen.

        * bytecode/UnlinkedInstructionStream.cpp:
        * bytecode/UnlinkedInstructionStream.h:
        (JSC::UnlinkedInstructionStream::Reader::Reader):
        (JSC::UnlinkedInstructionStream::Reader::read8):
        (JSC::UnlinkedInstructionStream::Reader::read32):
        (JSC::UnlinkedInstructionStream::Reader::next):

2014-06-20  Sam Weinig  <sam@webkit.org>

        Remove static tables for bindings that use eager reification
        https://bugs.webkit.org/show_bug.cgi?id=134126

        Reviewed by Oliver Hunt.

        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectCustomAccessor):
        * runtime/Structure.h:
        (JSC::Structure::setHasCustomGetterSetterProperties):
        Change setHasCustomGetterSetterProperties to behave like setHasGetterSetterProperties, and set
        the m_hasReadOnlyOrGetterSetterPropertiesExcludingProto bit if the property is not __proto__.
        Without this, JSObject::put() won't think there are any setters on the prototype chain of an
        object that has no static lookup table and uses eagerly reified custom getter/setter properties.

2014-06-21  Brady Eidson  <beidson@apple.com>

        Gamepad API - Deprecate the existing implementation
        https://bugs.webkit.org/show_bug.cgi?id=134108

        Reviewed by Timothy Hatcher.

        -Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it
        -Move some implementation files into a "deprecated" subdirectory.

        * Configurations/FeatureDefines.xcconfig:

2014-06-21  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r170244.
        https://bugs.webkit.org/show_bug.cgi?id=134157

        GTK/EFL bindings generator works differently, making this
        patch not work there.  Will fix entire patch after a rollout.
        (Requested by bradee-oh on #webkit).

        Reverted changeset:

        "Gamepad API - Deprecate the existing implementation"
        https://bugs.webkit.org/show_bug.cgi?id=134108
        http://trac.webkit.org/changeset/170244

2014-06-21  Brady Eidson  <beidson@apple.com>

        Gamepad API - Deprecate the existing implementation
        https://bugs.webkit.org/show_bug.cgi?id=134108

        Reviewed by Timothy Hatcher.

        -Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it
        -Add the "Deprecated" suffix to some implementation files

        * Configurations/FeatureDefines.xcconfig:

2014-06-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        Removing PAGE_VISIBILITY_API compile guard.
        https://bugs.webkit.org/show_bug.cgi?id=133844

        Reviewed by Gavin Barraclough.

        * Configurations/FeatureDefines.xcconfig:

2014-06-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        ARM traditional buildfix after r169942.
        https://bugs.webkit.org/show_bug.cgi?id=134100

        Reviewed by Zoltan Herczeg.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::abortWithReason): Added.

2014-06-20  Andreas Kling  <akling@apple.com>

        [Cocoa] Release freed up blocks from the JS heap after simulated memory pressure.
        <https://webkit.org/b/134112>

        Reviewed by Mark Hahnenberg.

        * heap/BlockAllocator.h:

2014-06-19  Alex Christensen  <achristensen@webkit.org>

        Unreviewed fix after r170130.

        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj:
        Corrected directory so it can find common.props when opening Visual Studio.

2014-06-19  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        Remove ENABLE(LLINT) and ENABLE(LLINT_C_LOOP) guards
        https://bugs.webkit.org/show_bug.cgi?id=130389

        Reviewed by Mark Lam.

        Removed ENABLE(LLINT) since we always build with it, and changed ENABLE(LLINT_C_LOOP)
        into !ENABLE(JIT) since they are mutually exclusive.

        * CMakeLists.txt:
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
        (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
        * assembler/MaxFrameExtentForSlowPathCall.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFromLLInt):
        * bytecode/CodeBlock.cpp:
        (JSC::dumpStructure):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::unlinkCalls):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::linkIncomingCall):
        (JSC::CodeBlock::frameRegisterCount):
        * bytecode/CodeBlock.h:
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitConstruct):
        * heap/Heap.cpp:
        (JSC::Heap::gatherJSStackRoots):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::initialize):
        (JSC::Interpreter::isOpcode):
        * interpreter/Interpreter.h:
        (JSC::Interpreter::getOpcodeID):
        * interpreter/JSStack.cpp:
        (JSC::JSStack::JSStack):
        (JSC::JSStack::committedByteCount):
        * interpreter/JSStack.h:
        * interpreter/JSStackInlines.h:
        (JSC::JSStack::ensureCapacityFor):
        (JSC::JSStack::topOfFrameFor):
        (JSC::JSStack::setStackLimit):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        * jit/JIT.h:
        (JSC::JIT::compileCTINativeCall):
        * jit/JITExceptions.h:
        * jit/JITThunks.cpp:
        (JSC::JITThunks::ctiNativeCall):
        (JSC::JITThunks::ctiNativeConstruct):
        * llint/LLIntCLoop.cpp:
        * llint/LLIntCLoop.h:
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntData.h:
        (JSC::LLInt::Data::performAssertions): Deleted.
        * llint/LLIntEntrypoint.cpp:
        * llint/LLIntEntrypoint.h:
        * llint/LLIntExceptions.cpp:
        * llint/LLIntExceptions.h:
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntOffsetsExtractor.cpp:
        (JSC::LLIntOffsetsExtractor::dummy):
        * llint/LLIntOpcode.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LLIntThunks.cpp:
        * llint/LLIntThunks.h:
        * llint/LowLevelInterpreter.cpp:
        * llint/LowLevelInterpreter.h:
        * runtime/CommonSlowPaths.cpp:
        * runtime/CommonSlowPaths.h:
        * runtime/ErrorHandlingScope.cpp:
        (JSC::ErrorHandlingScope::ErrorHandlingScope):
        (JSC::ErrorHandlingScope::~ErrorHandlingScope):
        * runtime/Executable.cpp:
        (JSC::setupLLInt):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::sanitizeStackForVM):
        * runtime/VM.h:
        (JSC::VM::canUseJIT): Deleted.

2014-06-18  Alex Christensen  <achristensen@webkit.org>

        Add FTL to Windows build.
        https://bugs.webkit.org/show_bug.cgi?id=134015

        Reviewed by Filip Pizlo.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        Added ftl source files.
        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
        Added ftl and llvm directories to include path.
        * JavaScriptCore.vcxproj/libllvmForJSC: Added.
        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Added.
        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Added.
        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Added.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
        MSVC doesn't like to divide by zero while compiling.  Use std::nan instead.
        * llvm/InitializeLLVMWin.cpp: Added.
        (JSC::initializeLLVMImpl):
        Implemented dynamic loading and linking for Windows.

2014-06-18  Alex Christensen  <achristensen@webkit.org>

        Unreviewed build fix after r170107.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        Use non-template sub for armv7s.

2014-06-18  David Kilzer  <ddkilzer@apple.com>

        -[JSContext setName:] leaks NSString
        <http://webkit.org/b/134038>

        Reviewed by Joseph Pecoraro.

        Fixes the following static analyzer warning:

            JavaScriptCore/API/JSContext.mm:200:73: warning: Potential leak of an object
                JSStringRef nameJS = name ? JSStringCreateWithCFString((CFStringRef)[name copy]) : nullptr;
                                                                                    ^

        * API/JSContext.mm:
        (-[JSContext setName:]): Autorelease the copy of |name|.

2014-06-18  Mark Lam  <mark.lam@apple.com>

        DFGGraph::m_doubleConstantMap will not map 0 values correctly.
        <https://webkit.org/b/133994>

        Reviewed by Geoffrey Garen.

        DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
        because it means two unfortunate things:
        - It will probably break for zero.
        - It will think that -0 is the same as +0 under some circumstances, since
          -0==+0 even though they are distinct values (for example 1/-0 != 1/+0).

        The fix is to use std::unordered_map which does not require special empty
        and deleted values, and to use the raw bits instead of the double value as
        the key.

        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::addressOfDoubleConstant):

2014-06-18  Alex Christensen  <achristensen@webkit.org>

        Remove duplicate code using sdiv.
        https://bugs.webkit.org/show_bug.cgi?id=133764

        Reviewed by Daniel Bates.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::sdiv):
        Make sdiv a template to match arm64.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithDiv):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        Remove duplicate code that was identical except for sdiv not being a template.

2014-06-17  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r170082.
        https://bugs.webkit.org/show_bug.cgi?id=134006

        Breaks build. (Requested by mlam on #webkit).

        Reverted changeset:

        "DFGGraph::m_doubleConstantMap will not map 0 values
        correctly."
        https://bugs.webkit.org/show_bug.cgi?id=133994
        http://trac.webkit.org/changeset/170082

2014-06-17  Mark Lam  <mark.lam@apple.com>

        DFGGraph::m_doubleConstantMap will not map 0 values correctly.
        <https://webkit.org/b/133994>

        Reviewed by Geoffrey Garen.

        DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
        because it means two unfortunate things:
        - It will probably break for zero.
        - It will think that -0 is the same as +0 under some circumstances, since
          -0==+0 even though they are distinct values (for example 1/-0 != 1/+0).

        The fix is to use std::unordered_map which does not require special empty
        and deleted values, and to use the raw bits instead of the double value as
        the key.

        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::addressOfDoubleConstant):

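        The -0/+0 collision described in this entry and in its 2014-06-18 re-landing above, as an
        added example that is not WebKit code: a map keyed on double treats -0.0 and +0.0 as one key
        because they compare equal, while a map keyed on the raw IEEE-754 bit pattern keeps them
        apart. The WTF::HashMap-specific problem, that 0 is its reserved empty key for numeric types, is
        not reproduced with std::unordered_map. DoubleConstantPool is a hypothetical stand-in for the
        DFG constant table.

```cpp
// Added example (not JavaScriptCore code): keying on raw bits instead of the double value.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <unordered_map>
#include <vector>

// Reinterpret a double as its 64-bit pattern without breaking aliasing rules.
uint64_t bitsOf(double value)
{
    uint64_t bits;
    std::memcpy(&bits, &value, sizeof bits);
    return bits;
}

// Number of distinct entries when the table is keyed on the double itself.
// -0.0 == +0.0, and the standard hashes give them the same hash, so they collapse.
std::size_t distinctKeyedByDouble(const std::vector<double>& values)
{
    std::unordered_map<double, std::size_t> table;
    for (double v : values)
        table.emplace(v, table.size());
    return table.size();
}

// Same values keyed on their bit pattern, mirroring the fix: the two zeros differ
// in the sign bit, so they get separate slots.
std::size_t distinctKeyedByBits(const std::vector<double>& values)
{
    std::unordered_map<uint64_t, std::size_t> table;
    for (double v : values)
        table.emplace(bitsOf(v), table.size());
    return table.size();
}

// Minimal constant pool: one slot per distinct bit pattern, so code that needs the
// constant -0.0 never gets handed the address of +0.0.
class DoubleConstantPool {
public:
    std::size_t indexFor(double value)
    {
        uint64_t key = bitsOf(value);
        auto it = m_index.find(key);
        if (it != m_index.end())
            return it->second;
        std::size_t slot = m_constants.size();
        m_constants.push_back(value);
        m_index.emplace(key, slot);
        return slot;
    }
    double at(std::size_t slot) const { return m_constants[slot]; }
    std::size_t size() const { return m_constants.size(); }

private:
    std::vector<double> m_constants;
    std::unordered_map<uint64_t, std::size_t> m_index;
};

// Why the distinction is observable: 1/-0 is -infinity, 1/+0 is +infinity.
bool reciprocalsDiffer(double a, double b)
{
    return (1.0 / a) != (1.0 / b);
}
```

        Keying on bits also separates the many NaN payloads, which is the right behaviour for a
        constant pool that must reproduce exactly the value the program wrote.
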
735 2014-06-17  Oliver Hunt  <oliver@apple.com>
736
737         Fix error messages for incorrect hex literals
738         https://bugs.webkit.org/show_bug.cgi?id=133998
739
740         Reviewed by Mark Lam.
741
742         Ensure that the error messages for bogus hex literals actually
743         make sense.
744
745         * parser/Lexer.cpp:
746         (JSC::Lexer<T>::lex):
747         * parser/ParserTokens.h:
748
749 2014-06-17  Matthew Mirman  <mmirman@apple.com>
750
751         Fixes bug where building JSC sometimes crashes at build-symbol-table-index.py. Also adds licenses. 
752         https://bugs.webkit.org/show_bug.cgi?id=133814
753
754         Reviewed by Filip Pizlo.
755         
756         Adds the "shopt -s nullglob" line necessary to prevent the loop in the shell 
757         script from using "*.o" as a file when no other files in the directory exist. 
758         
759         * build-symbol-table-index.sh: Added license.
760         * copy-llvm-ir-to-derived-sources.sh: Added license and "shopt -s nullglob" line.
761
762 2014-06-16  Sam Weinig  <sam@webkit.org>
763
764         Move forward declaration of bindings static functions into their implementation files
765         https://bugs.webkit.org/show_bug.cgi?id=133943
766
767         Reviewed by Geoffrey Garen.
768
769         * runtime/CommonIdentifiers.h:
770         Add a few identifiers that are needed by the DOM.
771
772 2014-06-16  Mark Lam  <mark.lam@apple.com>
773
774         Parser statementDepth accounting needs to account for when a function body excludes its braces.
775         <https://webkit.org/b/133832>
776
777         Reviewed by Oliver Hunt.
778
779         In some cases (e.g. when a Function object is instantiated from a string), the
780         function body source may not include its braces.  The parser needs to account
781         for this when calculating its statementDepth.
782
783         * bytecode/UnlinkedCodeBlock.cpp:
784         (JSC::generateFunctionCodeBlock):
785         (JSC::UnlinkedFunctionExecutable::codeBlockFor):
786         * bytecode/UnlinkedCodeBlock.h:
787         * parser/Parser.cpp:
788         (JSC::Parser<LexerType>::parseStatement):
789         - Also fixed the error message for declaring nested functions in strict mode
790           to be more accurate.
791         * parser/Parser.h:
792         (JSC::Parser<LexerType>::parse):
793         (JSC::parse):
794         * runtime/Executable.cpp:
795         (JSC::ScriptExecutable::newCodeBlockFor):
796
797 2014-06-16  Juergen Ributzka  <juergen@apple.com>
798
799         Change the order of the alias analysis passes to align with the opt pipeline of LLVM
800         https://bugs.webkit.org/show_bug.cgi?id=133753
801
802         Reviewed by Geoffrey Garen.
803
804         The order in which the alias analysis passes are added also affects the
805         order in which they are utilized. Change the order to align with the
806         one used by LLVM itself. The last alias analysis pass added will be
807         evaluated first. With this change we first perform a basic alias
808         analysis and then use the type-based alias analysis (if required).
809
810         * ftl/FTLCompile.cpp:
811         (JSC::FTL::compile):
812
813 2014-06-16  Juergen Ributzka  <juergen@apple.com>
814
815         Fix the arguments passed to the LLVM dylib
816         https://bugs.webkit.org/show_bug.cgi?id=133757
817
818         Reviewed by Geoffrey Garen.
819
820         The LLVM command line argument parser assumes that the first argument
821         is the program name. We need to add a fake program name, otherwise the
822         first argument will be parsed as program name and ignored.
823
824         * llvm/library/LLVMExports.cpp:
825         (initializeAndGetJSCLLVMAPI):
826
827 2014-06-16  Michael Saboff  <msaboff@apple.com>
828
829         Convert ASSERT in inlineFunctionForCapabilityLevel to early return
830         https://bugs.webkit.org/show_bug.cgi?id=133903
831
832         Reviewed by Mark Hahnenberg.
833
834         Hardened code by converting ASSERT to return CannotCompile.
835
836         * dfg/DFGCapabilities.h:
837         (JSC::DFG::inlineFunctionForCapabilityLevel):
838
839 2014-06-13  Sam Weinig  <sam@webkit.org>
840
841         Store DOM constants directly in the JS object rather than jumping through a custom accessor
842         https://bugs.webkit.org/show_bug.cgi?id=133898
843
844         Reviewed by Oliver Hunt.
845
846         * runtime/Lookup.h:
847         (JSC::HashTableValue::attributes):
848         Switch attributes to be stored as an unsigned rather than an unsigned char, since there is no difference in memory use
849         and it will make adding more flags possible.
850
851         (JSC::HashTableValue::propertyGetter):
852         (JSC::HashTableValue::propertyPutter):
853         Change assertion to use BuiltinOrFunctionOrConstant.
854
855         (JSC::HashTableValue::constantInteger):
856         Added.
857
858         (JSC::getStaticPropertySlot):
859         (JSC::getStaticValueSlot):
860         Use PropertySlot::setValue() for constants during static lookup.
861
862         (JSC::reifyStaticProperties):
863         Put the constant directly on the object when eagerly reifying.
864
865         * runtime/PropertySlot.h:
866         Add ConstantInteger flag and BuiltinOrFunctionOrConstant helper.
867
868 2014-06-14  Michael Saboff  <msaboff@apple.com>
869
870         operationCreateArguments could cause a GC during OSR exit
871         https://bugs.webkit.org/show_bug.cgi?id=133905
872
873         Reviewed by Filip Pizlo.
874
875         Defer GC via new wrapper functions for operationCreateArguments and operationCreateInlinedArguments
876         for use by OSR exit stubs.
877
878         * dfg/DFGOSRExitCompilerCommon.cpp:
879         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor):
880         * dfg/DFGOperations.cpp:
881         * dfg/DFGOperations.h:
882         * jit/JITOperations.cpp:
883         * jit/JITOperations.h:
884
885 2014-06-13  Mark Hahnenberg  <mhahnenberg@apple.com>
886
887         OSR exit should barrier the Executables for all InlineCallFrames, not just those on the stack at the time of exit
888         https://bugs.webkit.org/show_bug.cgi?id=133880
889
890         Reviewed by Filip Pizlo.
891
892         We could have exited due to a value received from an inlined block that's no longer on 
893         the stack, so we should just barrier all InlineCallFrames.
894
895         * dfg/DFGOSRExitCompilerCommon.cpp:
896         (JSC::DFG::adjustAndJumpToTarget):
897
898 2014-06-13  Alex Christensen  <achristensen@webkit.org>
899
900         Make css jit compile for armv7.
901         https://bugs.webkit.org/show_bug.cgi?id=133596
902
903         Reviewed by Benjamin Poulain.
904
905         * assembler/MacroAssembler.h:
906         Use branchPtr on ARM_THUMB2.
907         * assembler/MacroAssemblerARMv7.h:
908         (JSC::MacroAssemblerARMv7::addPtrNoFlags):
909         (JSC::MacroAssemblerARMv7::or32):
910         (JSC::MacroAssemblerARMv7::test32):
911         (JSC::MacroAssemblerARMv7::branch):
912         (JSC::MacroAssemblerARMv7::branchPtr):
913         Added macros necessary for css jit.
914
915 2014-06-13  Filip Pizlo  <fpizlo@apple.com>
916
917         Unreviewed, fix ARMv7.
918
919         * assembler/MacroAssemblerARMv7.h:
920         (JSC::MacroAssemblerARMv7::abortWithReason):
921
922 2014-06-12  Filip Pizlo  <fpizlo@apple.com>
923
924         Even better diagnostics from DFG traps
925         https://bugs.webkit.org/show_bug.cgi?id=133836
926
927         Reviewed by Oliver Hunt.
928         
929         We now stuff the DFG::NodeType into a register before bailing. Also made the
930         DFGBailed abort reason a bit more specific. As planned, the new abort reasons use
931         different numbers than any previous abort reasons.
932
933         * assembler/AbortReason.h:
934         * assembler/MacroAssemblerARM64.h:
935         (JSC::MacroAssemblerARM64::abortWithReason):
936         * assembler/MacroAssemblerARMv7.h:
937         (JSC::MacroAssemblerARMv7::abortWithReason):
938         * assembler/MacroAssemblerX86.h:
939         (JSC::MacroAssemblerX86::abortWithReason):
940         * assembler/MacroAssemblerX86_64.h:
941         (JSC::MacroAssemblerX86_64::abortWithReason):
942         * dfg/DFGSpeculativeJIT.cpp:
943         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
944         (JSC::DFG::SpeculativeJIT::bail):
945         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
946         * dfg/DFGSpeculativeJIT.h:
947
948 2014-06-12  Simon Fraser  <simon.fraser@apple.com>
949
950         Fix assertions under JSC::setNeverInline() when running js tests in WebKitTestRunner
951         https://bugs.webkit.org/show_bug.cgi?id=133840
952
953         Reviewed by Filip Pizlo.
954         
955         Fix ASSERT(exec->vm().currentThreadIsHoldingAPILock()); under JSC::setNeverInline()
956         when running DFG tests.
957
958         * API/JSCTestRunnerUtils.cpp:
959         (JSC::numberOfDFGCompiles):
960         (JSC::setNeverInline):
961
962 2014-06-12  Brent Fulgham  <bfulgham@apple.com>
963
964         [Win] Avoid fork bomb during build
965         https://bugs.webkit.org/show_bug.cgi?id=133837
966         <rdar://problem/17296034>
967
968         Reviewed by Tim Horton.
969
970         * JavaScriptCore.vcxproj/build-generated-files.sh: Use a
971         reasonable default value when the 'num-cpus' script is not available.
972
973 2014-06-12  Mark Lam  <mark.lam@apple.com>
974
975         Remove some dead / unused code.
976         <https://webkit.org/b/133828>
977
978         Reviewed by Filip Pizlo.
979
980         * builtins/BuiltinExecutables.cpp:
981         (JSC::BuiltinExecutables::createBuiltinExecutable):
982         * bytecode/UnlinkedCodeBlock.cpp:
983         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
984         * bytecode/UnlinkedCodeBlock.h:
985         (JSC::UnlinkedFunctionExecutable::create):
986         * bytecompiler/BytecodeGenerator.h:
987         (JSC::BytecodeGenerator::makeFunction):
988         * parser/Parser.h:
989         (JSC::DepthManager::DepthManager): Deleted.
990         (JSC::DepthManager::~DepthManager): Deleted.
991         * runtime/CodeCache.cpp:
992         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
993
994 2014-06-12  Mark Hahnenberg  <mhahnenberg@apple.com>
995
996         Move structureHasRareData out of TypeInfo
997         https://bugs.webkit.org/show_bug.cgi?id=133800
998
999         Reviewed by Andreas Kling.
1000
1001         StructureHasRareData was originally put in TypeInfo to avoid making Structure bigger, 
1002         but we have a few spare bits in Structure so it would be nice to remove this hack.
1003
1004         * runtime/JSTypeInfo.h:
1005         (JSC::TypeInfo::newImpurePropertyFiresWatchpoints):
1006         (JSC::TypeInfo::structureHasRareData): Deleted.
1007         * runtime/Structure.cpp:
1008         (JSC::Structure::Structure):
1009         (JSC::Structure::allocateRareData):
1010         (JSC::Structure::cloneRareDataFrom):
1011         * runtime/Structure.h:
1012         (JSC::Structure::previousID):
1013         (JSC::Structure::objectToStringValue):
1014         (JSC::Structure::setObjectToStringValue):
1015         (JSC::Structure::setPreviousID):
1016         (JSC::Structure::clearPreviousID):
1017         (JSC::Structure::previous):
1018         (JSC::Structure::rareData):
1019         * runtime/StructureInlines.h:
1020         (JSC::Structure::setEnumerationCache):
1021         (JSC::Structure::enumerationCache):
1022
1023 2014-06-12  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>
1024
1025         Allow enum guards to be generated from the replay json files
1026         https://bugs.webkit.org/show_bug.cgi?id=133399
1027
1028         Reviewed by Csaba Osztrogonác.
1029
1030         * replay/scripts/CodeGeneratorReplayInputs.py:
1031         (Type.__init__):
1032         (InputsModel.parse_type_with_framework_name):
1033         (Generator.generate_header):
1034         (Generator.generate_implementation):
1035         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Added.
1036         (Test::HandleWheelEvent::HandleWheelEvent):
1037         (Test::HandleWheelEvent::~HandleWheelEvent):
1038         (JSC::InputTraits<Test::HandleWheelEvent>::type):
1039         (JSC::InputTraits<Test::HandleWheelEvent>::encode):
1040         (JSC::InputTraits<Test::HandleWheelEvent>::decode):
1041         (JSC::EncodingTraits<WebCore::PlatformWheelEventPhase>::encodeValue):
1042         (JSC::EncodingTraits<WebCore::PlatformWheelEventPhase>::decodeValue):
1043         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Added.
1044         (JSC::InputTraits<Test::HandleWheelEvent>::queue):
1045         (Test::HandleWheelEvent::platformEvent):
1046         * replay/scripts/tests/generate-enum-with-guard.json: Added.
1047
1048 2014-06-12  Carlos Garcia Campos  <cgarcia@igalia.com>
1049
1050         Unreviewed. Fix GTK+ build after r169823.
1051
1052         Include StructureInlines.h in a few more files to fix linking
1053         issues due to JSC::Structure::get undefined symbol.
1054
1055         * runtime/ArrayIteratorConstructor.cpp:
1056         * runtime/ArrayIteratorPrototype.cpp:
1057         * runtime/JSConsole.cpp:
1058         * runtime/JSMapIterator.cpp:
1059         * runtime/JSSet.cpp:
1060         * runtime/JSSetIterator.cpp:
1061         * runtime/JSWeakMap.cpp:
1062         * runtime/MapIteratorPrototype.cpp:
1063         * runtime/MapPrototype.cpp:
1064         * runtime/SetIteratorPrototype.cpp:
1065         * runtime/SetPrototype.cpp:
1066         * runtime/WeakMapPrototype.cpp:
1067
1068 2014-06-12  Csaba Osztrogonác  <ossy@webkit.org>
1069
1070         [EFL] One more URTBF after r169823 to make ARM64 build happy too.
1071
1072         * runtime/JSMap.cpp:
1073
1074 2014-06-11  Mark Hahnenberg  <mhahnenberg@apple.com>
1075
1076         Inline caching should try to flatten uncacheable dictionaries
1077         https://bugs.webkit.org/show_bug.cgi?id=133683
1078
1079         Reviewed by Geoffrey Garen.
1080
1081         There exists a body of JS code that deletes properties off of objects (especially function/constructor objects), 
1082         which puts them into an uncacheable dictionary state. This prevents all future inline caching for these objects. 
1083         If properties are deleted out of the object during its initialization, we can enable caching for that object by 
1084         attempting to flatten it when we see we're trying to do inline caching with that object. We then record that we 
1085         performed this flattening optimization in the object's Structure. If it ever re-enters the uncacheable dictionary 
1086         state then we can just give up on caching that object.
1087
1088         In refactoring some of the code in tryCacheGetById and tryBuildGetByIdList to reduce some duplication, I added
1089         the InlineCacheAction enum, a new way to indicate the success or failure of an inline caching attempt. I changed
1090         the other inline caching functions to return this enum rather than the opaque booleans that we were previously 
1091         returning.
1092
1093         * jit/Repatch.cpp:
1094         (JSC::actionForCell):
1095         (JSC::tryCacheGetByID):
1096         (JSC::repatchGetByID):
1097         (JSC::tryBuildGetByIDList):
1098         (JSC::buildGetByIDList):
1099         (JSC::tryCachePutByID):
1100         (JSC::repatchPutByID):
1101         (JSC::tryBuildPutByIdList):
1102         (JSC::buildPutByIdList):
1103         (JSC::tryRepatchIn):
1104         (JSC::repatchIn):
1105         * runtime/Structure.cpp:
1106         (JSC::Structure::Structure):
1107         (JSC::Structure::flattenDictionaryStructure):
1108         * runtime/Structure.h:
1109         (JSC::Structure::hasBeenFlattenedBefore):
1110
1111 2014-06-11  Csaba Osztrogonác  <ossy@webkit.org>
1112
1113         [EFL] URTBF after r169823.
1114
1115         * bindings/ScriptValue.cpp: Missing include added.
1116
1117 2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>
1118
1119         Remove an unnecessary asObject(this) call inside JSObject::fastGetOwnPropertySlot.
1120
1121         Rubber-stamped by Andreas Kling.
1122
1123         * runtime/JSObject.h:
1124         (JSC::JSObject::fastGetOwnPropertySlot):
1125
1126 2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>
1127
1128         Turning on DUMP_PROPERTYMAP_STATS causes a build failure
1129         https://bugs.webkit.org/show_bug.cgi?id=133673
1130
1131         Reviewed by Andreas Kling.
1132
1133         Rewrote the property map statistics code because the old code wasn't building,
1134         and it was also mixing numbers for lookups and insertions/removals.
1135
1136         New logging code records the number of calls to PropertyTable::find (finds) and
1137         PropertyTable::get/PropertyTable::findWithString separately so that we can quantify
1138         the amount of probing during updates and lookups.
1139
1140         * jsc.cpp:
1141         * runtime/PropertyMapHashTable.h:
1142         (JSC::PropertyTable::find):
1143         (JSC::PropertyTable::get):
1144         (JSC::PropertyTable::findWithString):
1145         (JSC::PropertyTable::add):
1146         (JSC::PropertyTable::remove):
1147         (JSC::PropertyTable::reinsert):
1148         (JSC::PropertyTable::rehash):
1149         * runtime/Structure.cpp:
1150         (JSC::PropertyMapStatisticsExitLogger::PropertyMapStatisticsExitLogger):
1151         (JSC::PropertyMapStatisticsExitLogger::~PropertyMapStatisticsExitLogger):
1152
1153 2014-06-11  Andreas Kling  <akling@apple.com>
1154
1155         Always inline JSValue::get() and Structure::get().
1156         <https://webkit.org/b/133755>
1157
1158         Reviewed by Ryosuke Niwa.
1159
1160         These functions get really hot, so ask the compiler to be more
1161         aggressive about inlining them.
1162
1163         ~28% speed-up on Ryosuke's microbenchmark for accessing nextSibling
1164         through GetByVal.
1165
1166         * runtime/JSArrayIterator.cpp:
1167         * runtime/JSCJSValue.cpp:
1168         * runtime/JSCJSValueInlines.h:
1169         (JSC::JSValue::get):
1170         * runtime/JSPromiseDeferred.cpp:
1171         * runtime/StructureInlines.h:
1172         (JSC::Structure::get):
1173
1174 2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>
1175
1176         Structure::get should instantiate DeferGC only when materializing property map
1177         https://bugs.webkit.org/show_bug.cgi?id=133727
1178
1179         Rubber-stamped by Andreas Kling.
1180
1181         Make materializePropertyMapIfNecessary always inline.
1182
1183         This is ~12% improvement on the microbenchmark attached in the bug.
1184
1185         * runtime/Structure.h:
1186         (JSC::Structure::materializePropertyMapIfNecessary):
1187         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
1188
1189 2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>
1190
1191         Structure::get should instantiate DeferGC only when materializing property map
1192         https://bugs.webkit.org/show_bug.cgi?id=133727
1193
1194         Reviewed by Geoffrey Garen.
1195
1196         DeferGC instances in Structure::get were added in http://trac.webkit.org/r157539 in order to avoid
1197         collecting the property table newly created by materializePropertyMapIfNecessary since GC can happen
1198         when GCSafeConcurrentJITLocker goes out of scope.
1199
1200         However, always instantiating DeferGC inside Structure::get introduced a new performance bottleneck
1201         in JSObject::getPropertySlot because frequently incrementing and decrementing a counter in vm.m_heap
1202         and running a release assertion inside Heap::incrementDeferralDepth() is expensive.
1203
1204         Work around this by instantiating DeferGC only when we're actually calling materializePropertyMap,
1205         and immediately storing a pointer to the newly created property table in the stack before DeferGC
1206         goes out of scope so that the property table will be marked.
1207
1208         This shows 13-16% improvement on the microbenchmark attached in the bug.
1209
1210         * runtime/JSCJSValue.cpp:
1211         * runtime/JSObject.h:
1212         (JSC::JSObject::fastGetOwnPropertySlot):
1213         * runtime/Structure.h:
1214         (JSC::Structure::materializePropertyMapIfNecessary):
1215         * runtime/StructureInlines.h:
1216         (JSC::Structure::get):
1217
1218 2014-06-11  Andreas Kling  <akling@apple.com>
1219
1220         Some JSValue::get() micro-optimizations.
1221         <https://webkit.org/b/133739>
1222
1223         Tighten some of the property lookup code to improve performance of the
1224         eagerly reified prototype attributes:
1225
1226         - Instead of converting the property name to an integer at every step
1227           in the prototype chain, move that to a separate pass at the end
1228           since it should be a rare case.
1229
1230         - Cache the StructureIDTable in a local instead of fetching it from
1231           the Heap on every step.
1232
1233         - Make fillCustomGetterPropertySlot inline. It was out-of-lined based
1234           on the assumption that clients would mostly be cacheable GetByIds,
1235           and it gets pretty hot (~1%) in GetByVal.
1236
1237         - Pass the Structure directly to fillCustomGetterPropertySlot instead
1238           of refetching it from the StructureIDTable.
1239
1240         Reviewed by Geoff Garen.
1241
1242         * runtime/JSObject.cpp:
1243         (JSC::JSObject::fillCustomGetterPropertySlot): Deleted.
1244         * runtime/JSObject.h:
1245         (JSC::JSObject::inlineGetOwnPropertySlot):
1246         (JSC::JSObject::fillCustomGetterPropertySlot):
1247         (JSC::JSObject::getOwnPropertySlot):
1248         (JSC::JSObject::fastGetOwnPropertySlot):
1249         (JSC::JSObject::getPropertySlot):
1250         (JSC::JSObject::getOwnPropertySlotSlow): Deleted.
1251
1252 2014-06-10  Sam Weinig  <sam@webkit.org>
1253
1254         Don't create a HashTable for JSObjects that use eager reification
1255         https://bugs.webkit.org/show_bug.cgi?id=133705
1256
1257         Reviewed by Geoffrey Garen.
1258
1259         * runtime/Lookup.h:
1260         (JSC::reifyStaticProperties):
1261         Add a version of reifyStaticProperties that takes an array of HashTableValues
1262         rather than a HashTable.
1263
1264 2014-06-10  Filip Pizlo  <fpizlo@apple.com>
1265
1266         Prediction propagator should make sure everyone knows that a variable that is in an argument position where other versions of that variable are not MachineInts cannot possibly be flushed as Int52
1267         https://bugs.webkit.org/show_bug.cgi?id=133698
1268
1269         Reviewed by Geoffrey Garen and Mark Hahnenberg.
1270
1271         * dfg/DFGPredictionPropagationPhase.cpp:
1272         (JSC::DFG::PredictionPropagationPhase::propagate): Use the new utility to figure out if a variable could ever represent an Int52.
1273         * dfg/DFGVariableAccessData.cpp:
1274         (JSC::DFG::VariableAccessData::couldRepresentInt52): Add a new utility to detect early on if a variable could possibly be Int52.
1275         (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
1276         (JSC::DFG::VariableAccessData::flushFormat):
1277         * dfg/DFGVariableAccessData.h:
1278         * tests/stress/int52-inlined-call-argument.js: Added.
1279         (foo):
1280         (bar):
1281
1282 2014-06-10  Mark Lam  <mark.lam@apple.com>
1283
1284         Assertion failure at JSC::Structure::checkOffsetConsistency() const + 234.
1285         <https://webkit.org/b/133356>
1286
1287         Reviewed by Mark Hahnenberg.
1288
1289         The root cause of this issue is that a nonPropertyTransition can transition
1290         a pinned dictionary structure to an unpinned dictionary structure.  The new
1291         structure will get a copy of the property table from the original structure.
1292         However, when a GC occurs, the property table in the new structure will be
1293         cleared because it is unpinned.  This leads to complications in subsequent
1294         derivative structures when flattening occurs, which eventually leads to the
1295         assertion failure in this bug.
1296
1297         The fix is to ensure that the new dictionary structure generated by the
1298         nonPropertyTransition will have a copy of its predecessor's property table
1299         and is pinned.
1300
1301         * runtime/Structure.cpp:
1302         (JSC::Structure::nonPropertyTransition):
1303
1304 2014-06-10  Michael Saboff  <msaboff@apple.com>
1305
1306         In a certain app state, Array.prototype.filter() returns incorrect results
1307         https://bugs.webkit.org/show_bug.cgi?id=133577
1308
1309         Reviewed by Oliver Hunt.
1310
1311         Fixed the LLInt processing of op_put_by_val_direct to have the same hole check as op_put_by_val.
1312
1313         * llint/LowLevelInterpreter32_64.asm:
1314         * llint/LowLevelInterpreter64.asm:
1315
1316 2014-06-09  Mark Hahnenberg  <mhahnenberg@apple.com>
1317
1318         Global HashTables contain references to atomic StringImpls
1319         https://bugs.webkit.org/show_bug.cgi?id=133661
1320
1321         Reviewed by Geoffrey Garen.
1322
1323         This was a long-standing bug revealed by bug 133558. The issue is that the global static HashTables 
1324         cache their set of keys as StringImpls that are associated with a particular VM.  This is obviously 
1325         incompatible with using multiple VMs on multiple threads (e.g. when using workers). The fix is to 
1326         change the "keys" field of the static HashTables to be char** instead of StringImpl**.
1327
1328         * runtime/JSObject.cpp:
1329         (JSC::getClassPropertyNames):
1330         * runtime/Lookup.cpp:
1331         (JSC::HashTable::createTable):
1332         (JSC::HashTable::deleteTable):
1333         * runtime/Lookup.h:
1334         (JSC::HashTable::ConstIterator::key):
1335         (JSC::HashTable::entry):
1336
1337 2014-06-09  Mark Hahnenberg  <mhahnenberg@apple.com>
1338
1339         Build fix after r169703
1340
1341         * JavaScriptCore.xcodeproj/project.pbxproj:
1342
1343 2014-06-05  Mark Hahnenberg  <mhahnenberg@apple.com>
1344
1345         Eagerly reify DOM prototype attributes
1346         https://bugs.webkit.org/show_bug.cgi?id=133558
1347
1348         Reviewed by Oliver Hunt.
1349
1350         This allows us to get rid of a lot of the additional overhead of pushing DOM attributes up into the prototype. 
1351         By eagerly reifying the custom getters and setters into the actual JSObject we avoid having to override 
1352         getOwnPropertySlot for all of the DOM prototypes, which is a lot of the overhead of doing property lookups on 
1353         DOM wrappers.
1354
1355         * CMakeLists.txt:
1356         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1357         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1358         * JavaScriptCore.xcodeproj/project.pbxproj:
1359         * llint/LLIntData.cpp:
1360         (JSC::LLInt::Data::performAssertions):
1361         * llint/LowLevelInterpreter.asm:
1362         * runtime/BatchedTransitionOptimizer.h:
1363         (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
1364         * runtime/CustomGetterSetter.cpp: Added.
1365         (JSC::callCustomSetter):
1366         * runtime/CustomGetterSetter.h: Added.
1367         (JSC::CustomGetterSetter::create):
1368         (JSC::CustomGetterSetter::getter):
1369         (JSC::CustomGetterSetter::setter):
1370         (JSC::CustomGetterSetter::createStructure):
1371         (JSC::CustomGetterSetter::CustomGetterSetter):
1372         * runtime/JSCJSValue.cpp:
1373         (JSC::JSValue::putToPrimitive):
1374         * runtime/JSCJSValue.h:
1375         * runtime/JSCJSValueInlines.h:
1376         (JSC::JSValue::isCustomGetterSetter):
1377         * runtime/JSCell.h:
1378         * runtime/JSCellInlines.h:
1379         (JSC::JSCell::isCustomGetterSetter):
1380         (JSC::JSCell::canUseFastGetOwnProperty):
1381         * runtime/JSFunction.cpp:
1382         (JSC::JSFunction::isHostOrBuiltinFunction): Deleted.
1383         (JSC::JSFunction::isBuiltinFunction): Deleted.
1384         * runtime/JSFunction.h:
1385         * runtime/JSFunctionInlines.h: Inlined some random functions that appeared hot during profiling.
1386         (JSC::JSFunction::isBuiltinFunction):
1387         (JSC::JSFunction::isHostOrBuiltinFunction):
1388         * runtime/JSObject.cpp:
1389         (JSC::JSObject::put):
1390         (JSC::JSObject::putDirectCustomAccessor):
1391         (JSC::JSObject::fillGetterPropertySlot):
1392         (JSC::JSObject::fillCustomGetterPropertySlot):
1393         (JSC::JSObject::getOwnPropertySlotSlow): Deleted.
1394         * runtime/JSObject.h:
1395         (JSC::JSObject::hasCustomGetterSetterProperties):
1396         (JSC::JSObject::convertToDictionary):
1397         (JSC::JSObject::inlineGetOwnPropertySlot):
1398         (JSC::JSObject::getOwnPropertySlotSlow): Inlined because it looked hot during profiling.
1399         (JSC::JSObject::putOwnDataProperty):
1400         (JSC::JSObject::putDirect):
1401         (JSC::JSObject::putDirectWithoutTransition):
1402         * runtime/JSType.h:
1403         * runtime/Lookup.h:
1404         (JSC::reifyStaticProperties):
1405         * runtime/PropertyDescriptor.h:
1406         (JSC::PropertyDescriptor::PropertyDescriptor):
1407         * runtime/Structure.cpp:
1408         (JSC::Structure::Structure):
1409         (JSC::nextOutOfLineStorageCapacity): Deleted.
1410         (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Deleted.
1411         (JSC::Structure::get): Deleted.
1412         * runtime/Structure.h:
1413         (JSC::Structure::hasCustomGetterSetterProperties):
1414         (JSC::Structure::setHasCustomGetterSetterProperties):
1415         * runtime/StructureInlines.h:
1416         (JSC::Structure::get): Inlined due to hotness.
1417         (JSC::nextOutOfLineStorageCapacity): Inlined due to hotness.
1418         (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Inlined due to hotness.
1419         * runtime/VM.cpp:
1420         (JSC::VM::VM):
1421         * runtime/VM.h:
1422         * runtime/WriteBarrier.h:
1423         (JSC::WriteBarrierBase<Unknown>::isCustomGetterSetter):
1424
1425 2014-06-07  Mark Lam  <mark.lam@apple.com>
1426
1427         Structure should initialize its previousID in its constructor.
1428         <https://webkit.org/b/133606>
1429
1430         Reviewed by Mark Hahnenberg.
1431
1432         Currently, the Structure constructor that takes a previous structure will
1433         initialize its previousID to point to the previous structure's previousID.
1434         This is incorrect.  However, the caller of the Structure::create() factory
1435         method (which instantiated the Structure) will later call setPreviousID()
1436         to set the previousID to the correct previous structure.  This makes the
1437         code confusing to read and more error prone in that the structure relies
1438         on client code to fix its invalid previousID.
1439
1440         This patch fixes this by making the Structure constructor initialize
1441         previousID correctly.
1442
1443         * runtime/Structure.cpp:
1444         (JSC::Structure::Structure):
1445         (JSC::Structure::addPropertyTransition):
1446         (JSC::Structure::nonPropertyTransition):
1447         * runtime/Structure.h:
1448         * runtime/StructureInlines.h:
1449         (JSC::Structure::create):
1450
1451 2014-06-06  Andreas Kling  <akling@apple.com>
1452
1453         Indexed getters should return values directly on the PropertySlot.
1454         <https://webkit.org/b/133586>
1455
1456         Remove PropertySlot's custom index mode.
1457
1458         Reviewed by Darin Adler.
1459
1460         * runtime/JSObject.h:
1461         (JSC::PropertySlot::getValue):
1462         * runtime/PropertySlot.h:
1463         (JSC::PropertySlot::setCustomIndex): Deleted.
1464
1465 2014-06-04  Timothy Horton  <timothy_horton@apple.com>
1466
1467         iOS Debug build fix
1468
1469         Rubber-stamped by Filip Pizlo.
1470
1471         * Configurations/LLVMForJSC.xcconfig:
1472         Dead-code strip the llvmForJSC library unconditionally, to work around <rdar://problem/16920916>.
1473
1474 2014-06-04  Oliver Hunt  <oliver@apple.com>
1475
1476         ArrayIterator should not be exposed in Safari 8
1477         https://bugs.webkit.org/show_bug.cgi?id=133494
1478
1479         Reviewed by Michael Saboff.
1480
1481         Separate out types that require constructor objects, and don't
1482         include the iterator types in that list.
1483
1484         * runtime/JSGlobalObject.cpp:
1485         (JSC::JSGlobalObject::reset):
1486         * runtime/JSGlobalObject.h:
1487
1488 2014-06-04  Filip Pizlo  <fpizlo@apple.com>
1489
1490         DFG::Safepoint::begin() should set m_didCallBegin before releasing the rightToRun lock, because otherwise, Safepoint::checkLivenessAndVisitChildren() may assert due to a race
1491         https://bugs.webkit.org/show_bug.cgi?id=133525
1492         <rdar://problem/16790296>
1493
1494         Reviewed by Oliver Hunt.
1495
1496         * dfg/DFGSafepoint.cpp:
1497         (JSC::DFG::Safepoint::begin):
1498
1499 2014-06-03  Filip Pizlo  <fpizlo@apple.com>
1500
1501         LLVM soft-linking should be truly fail-silent
1502         https://bugs.webkit.org/show_bug.cgi?id=133482
1503
1504         Reviewed by Mark Lam.
1505
1506         * llvm/InitializeLLVMPOSIX.cpp:
1507         (JSC::initializeLLVMPOSIX): Missing return statement in the dlsym() returning null case.
1508
1509 2014-06-03  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
1510
1511         REGRESSION(r169092 and r169102): Skip failing JSC tests properly on non-x86 Darwin platforms
1512         https://bugs.webkit.org/show_bug.cgi?id=133149
1513
1514         Reviewed by Csaba Osztrogonác.
1515
1516         * tests/mozilla/mozilla-tests.yaml: Skip js1_5/Regress/regress-159334.js only if the architecture isn't x86 and the host is Darwin.
1517
1518 2014-05-31  Anders Carlsson  <andersca@apple.com>
1519
1520         Add a LazyNeverDestroyed class template and use it
1521         https://bugs.webkit.org/show_bug.cgi?id=133425
1522
1523         Reviewed by Darin Adler.
1524
1525         * dfg/DFGFunctionWhitelist.cpp:
1526         (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
1527         * dfg/DFGFunctionWhitelist.h:
1528
1529 2014-05-28  Filip Pizlo  <fpizlo@apple.com>
1530
1531         DFG::DCEPhase inserts into an insertion set in reverse, causing hilarious basic block corruption if you kill a lot of NewArrays
1532         https://bugs.webkit.org/show_bug.cgi?id=133368
1533
1534         Reviewed by Mark Lam.
1535
1536         * dfg/DFGDCEPhase.cpp:
1537         (JSC::DFG::DCEPhase::fixupBlock): Loop in the right order so that we insert in the right order.
1538         * tests/stress/new-array-dead.js: Added.
1539         (foo):
1540
1541 2014-05-28  Filip Pizlo  <fpizlo@apple.com>
1542
1543         Unreviewed, fix not-x86 32-bit.
1544
1545         * llint/LowLevelInterpreter32_64.asm:
1546
1547 2014-05-27  Filip Pizlo  <fpizlo@apple.com>
1548
1549         Arrayify neglects to inform the clobberizer that it might fire watchpoints
1550         https://bugs.webkit.org/show_bug.cgi?id=133340
1551
1552         Reviewed by Mark Lam.
1553
1554         * dfg/DFGClobberize.h:
1555         (JSC::DFG::clobberize): Be honest.
1556         * llint/LowLevelInterpreter32_64.asm: Profile the object, not its structure.
1557         * tests/stress/arrayify-fires-watchpoint.js: Added.
1558         (foo):
1559         (test):
1560         (makeObjectArray):
1561         * tests/stress/arrayify-structure-bad-test.js: Added.
1562         (foo):
1563         (test):
1564
1565 2014-05-27  Jon Lee  <jonlee@apple.com>
1566
1567         Update ENABLE(MEDIA_SOURCE) on Mac
1568         https://bugs.webkit.org/show_bug.cgi?id=133141
1569
1570         Reviewed by Darin Adler.
1571
1572         * Configurations/FeatureDefines.xcconfig:
1573
1574 2014-05-27  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>
1575
1576         Remove BLOB guards
1577         https://bugs.webkit.org/show_bug.cgi?id=132863
1578
1579         Reviewed by Csaba Osztrogonác.
1580
1581         * Configurations/FeatureDefines.xcconfig:
1582
1583 2014-05-27  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>
1584
1585         Allow building CMake based ports with WEB_REPLAY
1586         https://bugs.webkit.org/show_bug.cgi?id=133154
1587
1588         Reviewed by Csaba Osztrogonác.
1589
1590         * CMakeLists.txt:
1591
1592 2014-05-25  Filip Pizlo  <fpizlo@apple.com>
1593
1594         Latest emscripten life benchmark is 4x slower because the DFG doesn't realize that arithmetic on booleans is a thing
1595         https://bugs.webkit.org/show_bug.cgi?id=133136
1596
1597         Reviewed by Oliver Hunt.
1598         
1599         Some key concepts:
1600
1601         - Except for the prediction propagation and type fixup phases, which are super early in
1602           the pipeline, nobody has to know about the fact that booleans may flow into numerical
1603           operations because there will just be a BooleanToNumber node that will take a value
1604           and, if that value is a boolean, will convert it to the equivalent numerical value. It
1605           will have a BooleanUse mode where it will also speculate that the input is a boolean
1606           but it can also do UntypedUse in which case it will pass through any non-booleans.
1607           This operation is very easy to model in all of the compiler tiers.
1608
1609         - No changes to the baseline JIT. The Baseline JIT will still believe that boolean
1610           inputs require taking the slow path and it will still report that it took the slow path
1611           for any such operations.  The DFG will now be smart enough to ignore baseline JIT slow
1612           path profiling on operations that were known to have had boolean inputs.  That's a
1613           little quirky, but it's probably easier than modifying the baseline JIT to track
1614           booleans correctly.
1615         
1616         4.1x speed-up on the emscripten "life" benchmark. Up to 10x speed-up on microbenchmarks.
1617
1618         * bytecode/SpeculatedType.h:
1619         (JSC::isInt32OrBooleanSpeculation):
1620         (JSC::isInt32SpeculationForArithmetic):
1621         (JSC::isInt32OrBooleanSpeculationForArithmetic):
1622         (JSC::isInt32OrBooleanSpeculationExpectingDefined):
1623         (JSC::isInt52Speculation):
1624         (JSC::isMachineIntSpeculation):
1625         (JSC::isFullNumberOrBooleanSpeculation):
1626         (JSC::isFullNumberOrBooleanSpeculationExpectingDefined):
1627         (JSC::isInt32SpeculationExpectingDefined): Deleted.
1628         (JSC::isMachineIntSpeculationExpectingDefined): Deleted.
1629         (JSC::isMachineIntSpeculationForArithmetic): Deleted.
1630         (JSC::isBytecodeNumberSpeculationExpectingDefined): Deleted.
1631         (JSC::isFullNumberSpeculationExpectingDefined): Deleted.
1632         * dfg/DFGAbstractInterpreterInlines.h:
1633         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1634         * dfg/DFGAllocator.h:
1635         (JSC::DFG::Allocator<T>::indexOf):
1636         * dfg/DFGByteCodeParser.cpp:
1637         (JSC::DFG::ByteCodeParser::makeSafe):
1638         (JSC::DFG::ByteCodeParser::makeDivSafe):
1639         (JSC::DFG::ByteCodeParser::handleIntrinsic):
1640         * dfg/DFGCSEPhase.cpp:
1641         (JSC::DFG::CSEPhase::performNodeCSE):
1642         * dfg/DFGClobberize.h:
1643         (JSC::DFG::clobberize):
1644         * dfg/DFGCommon.h:
1645         * dfg/DFGConstantFoldingPhase.cpp:
1646         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1647         * dfg/DFGFixupPhase.cpp:
1648         (JSC::DFG::FixupPhase::fixupNode):
1649         (JSC::DFG::FixupPhase::fixIntConvertingEdge):
1650         (JSC::DFG::FixupPhase::fixIntOrBooleanEdge):
1651         (JSC::DFG::FixupPhase::fixDoubleOrBooleanEdge):
1652         (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
1653         (JSC::DFG::FixupPhase::fixIntEdge): Deleted.
1654         * dfg/DFGGraph.h:
1655         (JSC::DFG::Graph::addSpeculationMode):
1656         (JSC::DFG::Graph::valueAddSpeculationMode):
1657         (JSC::DFG::Graph::arithAddSpeculationMode):
1658         (JSC::DFG::Graph::addShouldSpeculateInt32):
1659         (JSC::DFG::Graph::mulShouldSpeculateInt32):
1660         (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
1661         (JSC::DFG::Graph::negateShouldSpeculateInt32):
1662         (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
1663         (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
1664         (JSC::DFG::Graph::mulImmediateShouldSpeculateInt32): Deleted.
1665         * dfg/DFGNode.h:
1666         (JSC::DFG::Node::sawBooleans):
1667         (JSC::DFG::Node::shouldSpeculateInt32OrBoolean):
1668         (JSC::DFG::Node::shouldSpeculateInt32ForArithmetic):
1669         (JSC::DFG::Node::shouldSpeculateInt32OrBooleanForArithmetic):
1670         (JSC::DFG::Node::shouldSpeculateInt32OrBooleanExpectingDefined):
1671         (JSC::DFG::Node::shouldSpeculateMachineInt):
1672         (JSC::DFG::Node::shouldSpeculateDouble):
1673         (JSC::DFG::Node::shouldSpeculateNumberOrBoolean):
1674         (JSC::DFG::Node::shouldSpeculateNumberOrBooleanExpectingDefined):
1675         (JSC::DFG::Node::shouldSpeculateNumber):
1676         (JSC::DFG::Node::canSpeculateInt32):
1677         (JSC::DFG::Node::canSpeculateInt52):
1678         (JSC::DFG::Node::sourceFor):
1679         (JSC::DFG::Node::shouldSpeculateInt32ExpectingDefined): Deleted.
1680         (JSC::DFG::Node::shouldSpeculateMachineIntForArithmetic): Deleted.
1681         (JSC::DFG::Node::shouldSpeculateMachineIntExpectingDefined): Deleted.
1682         (JSC::DFG::Node::shouldSpeculateDoubleForArithmetic): Deleted.
1683         (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined): Deleted.
1684         * dfg/DFGNodeFlags.cpp:
1685         (JSC::DFG::dumpNodeFlags):
1686         * dfg/DFGNodeFlags.h:
1687         (JSC::DFG::nodeMayOverflow):
1688         (JSC::DFG::nodeMayNegZero):
1689         (JSC::DFG::nodeCanSpeculateInt32):
1690         (JSC::DFG::nodeCanSpeculateInt52):
1691         * dfg/DFGNodeType.h:
1692         * dfg/DFGPredictionPropagationPhase.cpp:
1693         (JSC::DFG::PredictionPropagationPhase::run):
1694         (JSC::DFG::PredictionPropagationPhase::propagateToFixpoint):
1695         (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
1696         (JSC::DFG::PredictionPropagationPhase::propagate):
1697         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
1698         * dfg/DFGSafeToExecute.h:
1699         (JSC::DFG::safeToExecute):
1700         * dfg/DFGSpeculativeJIT.cpp:
1701         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1702         * dfg/DFGSpeculativeJIT32_64.cpp:
1703         (JSC::DFG::SpeculativeJIT::compile):
1704         * dfg/DFGSpeculativeJIT64.cpp:
1705         (JSC::DFG::SpeculativeJIT::compile):
1706         * ftl/FTLCapabilities.cpp:
1707         (JSC::FTL::canCompile):
1708         * ftl/FTLLowerDFGToLLVM.cpp:
1709         (JSC::FTL::LowerDFGToLLVM::compileNode):
1710         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
1711         (JSC::FTL::LowerDFGToLLVM::compileBooleanToNumber):
1712         * runtime/JSCJSValue.h:
1713         * runtime/JSCJSValueInlines.h:
1714         (JSC::JSValue::asInt32ForArithmetic):
1715         * tests/stress/max-boolean-exit.js: Added.
1716         (foo):
1717         (test):
1718         * tests/stress/mul-boolean-exit.js: Added.
1719         (foo):
1720         (test):
1721         * tests/stress/plus-boolean-exit.js: Added.
1722         (foo):
1723         (test):
1724         * tests/stress/plus-boolean-or-double.js: Added.
1725         (foo):
1726         (test):
1727         * tests/stress/plus-boolean-or-int.js: Added.
1728         (foo):
1729         (test):
1730
1731 2014-05-26  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>
1732
1733         Remove dead code from VM.cpp
1734         https://bugs.webkit.org/show_bug.cgi?id=133284
1735
1736         Reviewed by Darin Adler.
1737
1738         This workaround was added in r127505. Since clang is the
1739         only compiler used in this case, this workaround is obsolete.
1740
1741         * runtime/VM.cpp:
1742         (JSC::enableAssembler):
1743
1744 2014-05-26  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
1745
1746         JSC CLoop warning fix
1747         https://bugs.webkit.org/show_bug.cgi?id=133259
1748
1749         Reviewed by Darin Adler.
1750
1751         * llint/LLIntSlowPaths.cpp:
1752         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1753
1754 2014-05-24  Andreas Kling  <akling@apple.com>
1755
1756         Object.prototype.toString() should use cached strings for null/undefined.
1757         <https://webkit.org/b/133261>
1758
1759         Normally, when calling Object.prototype.toString() on a regular object,
1760         we'd cache the result of the stringification on the object's structure,
1761         making repeated calls fast.
1762
1763         For null and undefined, we were not as smart. We'd instead construct a
1764         new string with either "[object Null]" or "[object Undefined]" each time.
1765
1766         This was exposed by Dromaeo's JS library tests, where some prototype.js
1767         subtests generate millions of strings this way.
1768
1769         This patch adds two VM-permanent cached strings to the SmallStrings.
1770         Looks like ~10% speed-up on Dromaeo/jslib-traverse-prototype.html.
1771
1772         Reviewed by Darin Adler.
1773
1774         * runtime/ObjectPrototype.cpp:
1775         (JSC::objectProtoFuncToString):
1776         * runtime/SmallStrings.cpp:
1777         (JSC::SmallStrings::SmallStrings):
1778         (JSC::SmallStrings::initializeCommonStrings):
1779         (JSC::SmallStrings::visitStrongReferences):
1780         * runtime/SmallStrings.h:
1781         (JSC::SmallStrings::nullObjectString):
1782         (JSC::SmallStrings::undefinedObjectString):
1783
1784 2014-05-23  Mark Hahnenberg  <mhahnenberg@apple.com>
1785
1786         Remove operationCallGetter
1787
1788         Rubber stamped by Filip Pizlo.
1789
1790         Nobody calls this function.
1791
1792         * JavaScriptCore.order:
1793         * jit/JITOperations.cpp:
1794         * jit/JITOperations.h:
1795
1796 2014-05-23  Andreas Kling  <akling@apple.com>
1797
1798         Templatize GC's destructor invocation for dtor type.
1799         <https://webkit.org/b/133231>
1800
1801         Get rid of a branch in callDestructor() by templatizing it for
1802         the DestructorType. Removed JSCell::methodTableForDestruction()
1803         since this was the only call site and it was jumping through
1804         a bunch of unnecessary hoops.
1805
1806         Reviewed by Geoffrey Garen.
1807
1808         * heap/MarkedBlock.cpp:
1809         (JSC::MarkedBlock::callDestructor):
1810         (JSC::MarkedBlock::specializedSweep):
1811         * heap/MarkedBlock.h:
1812         * runtime/JSCell.h:
1813         * runtime/JSCellInlines.h:
1814         (JSC::JSCell::methodTableForDestruction): Deleted.
1815
1816 2014-05-23  Andreas Kling  <akling@apple.com>
1817
1818         Support inline caching of RegExpMatchesArray.length
1819         <https://webkit.org/b/133234>
1820
1821         Give RegExpMatchesArray.length the same treatment as JSArray in
1822         repatch so we don't have to go out of line on every access.
1823
1824         ~13% speed-up on Octane/regexp.
1825
1826         Reviewed by Geoffrey Garen.
1827
1828         * jit/Repatch.cpp:
1829         (JSC::tryCacheGetByID):
1830         * runtime/RegExpMatchesArray.h:
1831         (JSC::isRegExpMatchesArray):
1832
1833 2014-05-22  Mark Lam  <mark.lam@apple.com>
1834
1835         REGRESSION(r154797): Debugger crashes when stepping over an uncaught exception.
1836         <https://webkit.org/b/133182>
1837
1838         Reviewed by Oliver Hunt.
1839
1840         Before r154797, we used to clear the VM exception before calling into the
1841         debugger.  After r154797, we don't.  This patch will restore this clearing
1842         of the exception before calling into the debugger.
1843
1844         Also added assertions after returning from calls into the debugger to
1845         ensure that the debugger did not introduce any exceptions.
1846
1847         * interpreter/Interpreter.cpp:
1848         (JSC::unwindCallFrame):
1849         (JSC::Interpreter::unwind):
1850         (JSC::Interpreter::debug):
1851         - Fixed the assertion here.  Interpreter::debug() should never be called
1852           with a pending exception.  Debugger callbacks for exceptions should be
1853           handled by Interpreter::unwind() and Interpreter::unwindCallFrame().
1854
1855 2014-05-21  Filip Pizlo  <fpizlo@apple.com>
1856
1857         Store barrier elision should run after DCE in both the DFG path and the FTL path
1858         https://bugs.webkit.org/show_bug.cgi?id=129718
1859
1860         Rubber stamped by Mark Hahnenberg.
1861
1862         * dfg/DFGPlan.cpp:
1863         (JSC::DFG::Plan::compileInThreadImpl):
1864
1865 2014-05-21  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>
1866
1867         [EFL] Add include path of compact_unwind_encoding.h if FTL JIT is enabled
1868         https://bugs.webkit.org/show_bug.cgi?id=132907
1869
1870         Reviewed by Gyuyoung Kim.
1871
1872         * CMakeLists.txt:
1873
1874 2014-05-16  Martin Robinson  <mrobinson@igalia.com>
1875
1876         [CMake] Improve handling of LIB_INSTALL_DIR, EXEC_INSTALL_DIR, and LIBEXEC_INSTALL_DIR
1877         https://bugs.webkit.org/show_bug.cgi?id=132819
1878
1879         Reviewed by Carlos Garcia Campos.
1880
1881         * javascriptcoregtk.pc.in: Instead of using the special pkg-config variables,
1882         use the common CMake ones directly.
1883
1884 2014-05-21  Filip Pizlo  <fpizlo@apple.com>
1885
1886         Unreviewed, roll out http://trac.webkit.org/changeset/169159.
1887         
1888         This was a unilateral change and wasn't properly reviewed.
1889
1890         * tests/mozilla/mozilla-tests.yaml:
1891
1892 2014-05-21  Antoine Quint  <graouts@webkit.org>
1893
1894         Array.prototype.find and findIndex should skip holes
1895         https://bugs.webkit.org/show_bug.cgi?id=132658
1896
1897         Reviewed by Geoffrey Garen.
1898
1899         Skip holes in the array when iterating such that the callback isn't called.
1900
1901         * builtins/Array.prototype.js:
1902         (find):
1903         (findIndex):
1904
1905 2014-05-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
1906
1907         REGRESSION(r169092 and r169102): Skip failing JSC tests on ARM64 properly
1908         https://bugs.webkit.org/show_bug.cgi?id=133149
1909
1910         Reviewed by Csaba Osztrogonác.
1911
1912         * tests/mozilla/mozilla-tests.yaml:
1913
1914 2014-05-20  Geoffrey Garen  <ggaren@apple.com>
1915
1916         Rolled out <http://trac.webkit.org/changeset/166184>
1917         https://bugs.webkit.org/show_bug.cgi?id=133144
1918
1919         Reviewed by Gavin Barraclough.
1920
1921         It caused a performance regression.
1922
1923         * heap/BlockAllocator.cpp:
1924         (JSC::BlockAllocator::blockFreeingThreadStartFunc):
1925
1926 2014-05-20  Filip Pizlo  <fpizlo@apple.com>
1927
1928         DFG prediction propagation should agree with fixup phase over the return type of GetByVal
1929         https://bugs.webkit.org/show_bug.cgi?id=133134
1930
1931         Reviewed by Mark Hahnenberg.
1932         
1933         Make prediction propagator use ArrayMode refinement to decide the return type.
1934         
1935         Also introduce a heap prediction intrinsic that allows us to test weird corner cases
1936         like this. The only way we'll see a mismatch like this in the real world is probably
1937         through a gnarly race condition.
1938
1939         * dfg/DFGByteCodeParser.cpp:
1940         (JSC::DFG::ByteCodeParser::handleIntrinsic):
1941         * dfg/DFGNode.h:
1942         (JSC::DFG::Node::setHeapPrediction):
1943         * dfg/DFGPredictionPropagationPhase.cpp:
1944         (JSC::DFG::PredictionPropagationPhase::propagate):
1945         * jsc.cpp:
1946         (GlobalObject::finishCreation):
1947         (functionFalse1):
1948         (functionFalse2):
1949         (functionUndefined1):
1950         (functionUndefined2):
1951         (functionFalse): Deleted.
1952         (functionOtherFalse): Deleted.
1953         (functionUndefined): Deleted.
1954         * runtime/Intrinsic.h:
1955         * tests/stress/get-by-val-double-predicted-int.js: Added.
1956         (foo):
1957
1958 2014-05-20  Mark Hahnenberg  <mhahnenberg@apple.com>
1959
1960         Watchdog timer should be lazily allocated
1961         https://bugs.webkit.org/show_bug.cgi?id=133135
1962
1963         Reviewed by Geoffrey Garen.
1964
1965         We incur a noticeable amount of overhead on some benchmarks due to checking if the Watchdog ever fired. 
1966         There is no reason to do this checking if we never activated the Watchdog, which can only be done through 
1967         JSContextGroupSetExecutionTimeLimit or JSContextGroupClearExecutionTimeLimit. 
1968
1969         By allocating the Watchdog lazily on the VM we can avoid all of the associated overhead when we don't use 
1970         these two API functions (which is true of most clients).
1971
1972         * API/JSContextRef.cpp:
1973         (JSContextGroupSetExecutionTimeLimit):
1974         (JSContextGroupClearExecutionTimeLimit):
1975         * dfg/DFGByteCodeParser.cpp:
1976         (JSC::DFG::ByteCodeParser::parseBlock):
1977         * dfg/DFGSpeculativeJIT32_64.cpp:
1978         (JSC::DFG::SpeculativeJIT::compile):
1979         * dfg/DFGSpeculativeJIT64.cpp:
1980         (JSC::DFG::SpeculativeJIT::compile):
1981         * interpreter/Interpreter.cpp:
1982         (JSC::Interpreter::execute):
1983         (JSC::Interpreter::executeCall):
1984         (JSC::Interpreter::executeConstruct):
1985         * jit/JITOpcodes.cpp:
1986         (JSC::JIT::emit_op_loop_hint):
1987         (JSC::JIT::emitSlow_op_loop_hint):
1988         * jit/JITOperations.cpp:
1989         * llint/LLIntSlowPaths.cpp:
1990         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1991         * runtime/VM.h:
1992         * runtime/Watchdog.cpp:
1993         (JSC::Watchdog::Scope::Scope): Deleted.
1994         (JSC::Watchdog::Scope::~Scope): Deleted.
1995         * runtime/Watchdog.h:
1996         (JSC::Watchdog::Scope::Scope):
1997         (JSC::Watchdog::Scope::~Scope):
1998
1999 2014-05-19  Mark Hahnenberg  <mhahnenberg@apple.com>
2000
2001         JSArray::shiftCountWith* could be more efficient
2002         https://bugs.webkit.org/show_bug.cgi?id=133011
2003
2004         Reviewed by Geoffrey Garen.
2005
2006         Our current implementations of shiftCountWithAnyIndexingType and shiftCountWithArrayStorage 
2007         are scared of the presence of any holes in the array. We can mitigate this somewhat by enabling 
2008         them to correctly handle holes, thus avoiding the slowest of slow paths in most cases.
2009
2010         * runtime/ArrayStorage.h:
2011         (JSC::ArrayStorage::indexingHeader):
2012         (JSC::ArrayStorage::length):
2013         (JSC::ArrayStorage::hasHoles):
2014         * runtime/IndexingHeader.h:
2015         (JSC::IndexingHeader::publicLength):
2016         (JSC::IndexingHeader::from):
2017         * runtime/JSArray.cpp:
2018         (JSC::JSArray::shiftCountWithArrayStorage):
2019         (JSC::JSArray::shiftCountWithAnyIndexingType):
2020         (JSC::JSArray::unshiftCountWithArrayStorage):
2021         * runtime/JSArray.h:
2022         (JSC::JSArray::shiftCountForShift):
2023         (JSC::JSArray::shiftCountForSplice):
2024         (JSC::JSArray::shiftCount):
2025         * runtime/Structure.cpp:
2026         (JSC::Structure::holesRequireSpecialBehavior):
2027         * runtime/Structure.h:
2028
2029 2014-05-19  Filip Pizlo  <fpizlo@apple.com>
2030
2031         Test gardening: skip some failing tests on not-X86.
2032
2033         * tests/mozilla/mozilla-tests.yaml:
2034
2035 2014-05-19  Mark Lam  <mark.lam@apple.com>
2036
2037         operationOptimize() should defer the GC for a while.
2038         <https://webkit.org/b/133103>
2039
2040         Reviewed by Filip Pizlo.
2041
2042         Currently, operationOptimize() only defers the GC until its end.  As a result,
2043         a GC may be triggered just before we return from operationOptimize(), and it may
2044         jettison the optimized codeBlock that we're planning to OSR enter into when we
2045         return from this function.  This is because the OSR entry on-ramp code hasn't
2046         been executed yet, and hence, there is not yet a reference to this new codeBlock
2047         from the stack, and there won't be until we've had a chance to return out of
2048         operationOptimize() to run the OSR entry on-ramp code.
2049
2050         This issue is now fixed by using DeferGCForAWhile instead of DeferGC.  This
2051         ensures that the GC will be deferred until after the OSR entry on-ramp can be
2052         executed.
2053
2054         * jit/JITOperations.cpp:
2055
2056 2014-05-19  Filip Pizlo  <fpizlo@apple.com>
2057
2058         Take care of some ARM64 test failures
2059         https://bugs.webkit.org/show_bug.cgi?id=133090
2060
2061         Reviewed by Geoffrey Garen.
2062         
2063         Constant blinding on ARM64 cannot use the scratch register.
2064
2065         * assembler/MacroAssembler.h:
2066         (JSC::MacroAssembler::convertInt32ToDouble):
2067         (JSC::MacroAssembler::branchPtr):
2068         (JSC::MacroAssembler::storePtr):
2069         (JSC::MacroAssembler::store64):
2070         * assembler/MacroAssemblerARM64.h:
2071         (JSC::MacroAssemblerARM64::scratchRegisterForBlinding):
2072
2073 2014-05-19  Tanay C  <tanay.c@samsung.com>
2074
2075         Removing some check-webkit-style warnings from ./dfg
2076         https://bugs.webkit.org/show_bug.cgi?id=132854
2077
2078         Reviewed by Darin Adler.
2079
2080         * dfg/DFGAbstractInterpreter.h:
2081         * dfg/DFGAbstractValue.h:
2082         * dfg/DFGBlockInsertionSet.h:
2083         * dfg/DFGCommonData.h:
2084         * dfg/DFGDominators.h:
2085         * dfg/DFGGraph.h:
2086         * dfg/DFGInPlaceAbstractState.h:
2087         * dfg/DFGPredictionPropagationPhase.h:
2088
2089 2014-05-18  Filip Pizlo  <fpizlo@apple.com>
2090
2091         Unreviewed, remove bogus comment. We already made the FTL use our calling convention.
2092         That was a long time ago.
2093
2094         * ftl/FTLLowerDFGToLLVM.cpp:
2095         (JSC::FTL::LowerDFGToLLVM::compileReturn):
2096
2097 2014-05-18  Rik Cabanier  <cabanier@adobe.com>
2098
2099         support for navigator.hardwareConcurrency
2100         https://bugs.webkit.org/show_bug.cgi?id=132588
2101
2102         Reviewed by Filip Pizlo.
2103
2104         * Configurations/FeatureDefines.xcconfig:
2105
2106 2014-05-16  Michael Saboff  <msaboff@apple.com>
2107
2108         Crash in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed() due to WTF::CrashOnOverflow::overflowed + 9
2109         https://bugs.webkit.org/show_bug.cgi?id=133009
2110
2111         Reviewed by Oliver Hunt.
2112
2113         If we determine that any alternative requires a minimum match size greater than
2114         INT_MAX, we handle the match in the interpreter.
2115
2116         Check to see if the pattern has unsigned lengths before invoking YARR JIT.
2117         * runtime/RegExp.cpp:
2118         (JSC::RegExp::compile):
2119         (JSC::RegExp::compileMatchOnly):
2120
2121         * tests/stress/large-regexp.js: New test added.
2122
2123         Set m_containsUnsignedLengthPattern flag if any alternative's minimum length
2124         doesn't fit in an int.
2125         * yarr/YarrPattern.cpp:
2126         (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):
2127
2128         Clear new m_containsUnsignedLengthPattern flag.
2129         * yarr/YarrPattern.cpp:
2130         (JSC::Yarr::YarrPattern::YarrPattern):
2131         * yarr/YarrPattern.h:
2132         (JSC::Yarr::YarrPattern::reset):
2133         (JSC::Yarr::YarrPattern::containsUnsignedLengthPattern):
2134
2135 2014-05-15  Mark Hahnenberg  <mhahnenberg@apple.com>
2136
2137         JSDOMWindow should not claim HasImpureGetOwnPropertySlot
2138         https://bugs.webkit.org/show_bug.cgi?id=132918
2139
2140         Reviewed by Geoffrey Garen.
2141
2142         * jit/Repatch.cpp:
2143         (JSC::tryRepatchIn): We forgot to check for watchpoints when repatching "in".
2144
2145 2014-05-15  Alex Christensen  <achristensen@webkit.org>
2146
2147         Add pointer lock to features without enabling it.
2148         https://bugs.webkit.org/show_bug.cgi?id=132961
2149
2150         Reviewed by Sam Weinig.
2151
2152         * Configurations/FeatureDefines.xcconfig:
2153         Added ENABLE_POINTER_LOCK to list of features.
2154
2155 2014-05-14  Mark Hahnenberg  <mhahnenberg@apple.com>
2156
2157         Inline caching for proxies clobbers baseGPR too early
2158         https://bugs.webkit.org/show_bug.cgi?id=132916
2159
2160         Reviewed by Filip Pizlo.
2161
2162         We clobber baseGPR prior to the Structure checks, so if any of the checks fail then the slow path 
2163         gets the target of the proxy rather than the proxy itself. We need to delay the clobbering of baseGPR 
2164         until we know the inline cache is going to succeed.
2165
2166         * jit/Repatch.cpp:
2167         (JSC::generateByIdStub):
2168
2169 2014-05-14  Brent Fulgham  <bfulgham@apple.com>
2170
2171         [Win] Unreviewed build fix.
2172
2173         * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: This solution
2174         was missing commands to build LLInt portions of JSC.
2175         * llint/LLIntData.cpp: 64-bit build fix.
2176
2177 2014-05-14  Martin Hodovan  <mhodovan.u-szeged@partner.samsung.com>
2178
2179         ARM Traditional build fix after r168776.
2180         https://bugs.webkit.org/show_bug.cgi?id=132903
2181
2182         Reviewed by Darin Adler.
2183
2184         * assembler/MacroAssemblerARM.h:
2185         (JSC::MacroAssemblerARM::abortWithReason): Added.
2186
2187 2014-05-14  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>
2188
2189         Remove CSS_STICKY_POSITION guards
2190         https://bugs.webkit.org/show_bug.cgi?id=132676
2191
2192         Reviewed by Simon Fraser.
2193
2194         * Configurations/FeatureDefines.xcconfig:
2195
2196 2014-05-13  Filip Pizlo  <fpizlo@apple.com>
2197
2198         JIT breakpoints should be more informative
2199         https://bugs.webkit.org/show_bug.cgi?id=132882
2200
2201         Reviewed by Oliver Hunt.
2202         
2203         Introduce the notion of an AbortReason, which is a nice enumeration of coded assertion
2204         failure names. This means that all you need to figure out why the JIT SIGTRAP'd is to look
2205         at that platform's abort reason register (r11 on X86-64 for example).
2206
2207         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2208         * JavaScriptCore.xcodeproj/project.pbxproj:
2209         * assembler/AbortReason.h: Added.
2210         * assembler/AbstractMacroAssembler.h:
2211         * assembler/MacroAssemblerARM64.h:
2212         (JSC::MacroAssemblerARM64::abortWithReason):
2213         * assembler/MacroAssemblerARMv7.h:
2214         (JSC::MacroAssemblerARMv7::abortWithReason):
2215         * assembler/MacroAssemblerX86.h:
2216         (JSC::MacroAssemblerX86::abortWithReason):
2217         * assembler/MacroAssemblerX86_64.h:
2218         (JSC::MacroAssemblerX86_64::abortWithReason):
2219         * dfg/DFGSlowPathGenerator.h:
2220         (JSC::DFG::SlowPathGenerator::generate):
2221         * dfg/DFGSpeculativeJIT.cpp:
2222         (JSC::DFG::SpeculativeJIT::bail):
2223         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2224         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2225         * dfg/DFGSpeculativeJIT.h:
2226         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
2227         * dfg/DFGSpeculativeJIT32_64.cpp:
2228         (JSC::DFG::SpeculativeJIT::compile):
2229         * dfg/DFGSpeculativeJIT64.cpp:
2230         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2231         (JSC::DFG::SpeculativeJIT::compile):
2232         * dfg/DFGThunks.cpp:
2233         (JSC::DFG::osrEntryThunkGenerator):
2234         * jit/AssemblyHelpers.cpp:
2235         (JSC::AssemblyHelpers::jitAssertIsInt32):
2236         (JSC::AssemblyHelpers::jitAssertIsJSInt32):
2237         (JSC::AssemblyHelpers::jitAssertIsJSNumber):
2238         (JSC::AssemblyHelpers::jitAssertIsJSDouble):
2239         (JSC::AssemblyHelpers::jitAssertIsCell):
2240         (JSC::AssemblyHelpers::jitAssertTagsInPlace):
2241         (JSC::AssemblyHelpers::jitAssertHasValidCallFrame):
2242         (JSC::AssemblyHelpers::jitAssertIsNull):
2243         (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
2244         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
2245         * jit/AssemblyHelpers.h:
2246         (JSC::AssemblyHelpers::checkStackPointerAlignment):
2247         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): Deleted.
2248         * jit/JIT.h:
2249         * jit/JITArithmetic.cpp:
2250         (JSC::JIT::emitSlow_op_div):
2251         * jit/JITOpcodes.cpp:
2252         (JSC::JIT::emitSlow_op_loop_hint):
2253         * jit/JITOpcodes32_64.cpp:
2254         (JSC::JIT::privateCompileCTINativeCall):
2255         * jit/JITPropertyAccess.cpp:
2256         (JSC::JIT::emit_op_get_by_val):
2257         (JSC::JIT::compileGetDirectOffset):
2258         (JSC::JIT::addStructureTransitionCheck): Deleted.
2259         (JSC::JIT::testPrototype): Deleted.
2260         * jit/JITPropertyAccess32_64.cpp:
2261         (JSC::JIT::emit_op_get_by_val):
2262         (JSC::JIT::compileGetDirectOffset):
2263         * jit/RegisterPreservationWrapperGenerator.cpp:
2264         (JSC::generateRegisterRestoration):
2265         * jit/Repatch.cpp:
2266         (JSC::addStructureTransitionCheck):
2267         (JSC::linkClosureCall):
2268         * jit/ThunkGenerators.cpp:
2269         (JSC::emitPointerValidation):
2270         (JSC::nativeForGenerator):
2271         * yarr/YarrJIT.cpp:
2272         (JSC::Yarr::YarrGenerator::generate):
2273
2274 2014-05-13  peavo@outlook.com  <peavo@outlook.com>
2275
2276         [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
2277         https://bugs.webkit.org/show_bug.cgi?id=132772
2278
2279         Reviewed by Geoffrey Garen.
2280
2281         Using the MSVC compiler, an instance of an enum type with value zero is compatible with void* (see bug 132683 for a code example).
2282         This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
2283         This patch tries to prevent this type of crash by using a type with explicit constructors instead of void*.
2284         The void* parameter in the loadDouble and storeDouble methods is replaced with TrustedImmPtr.
2285
2286         * assembler/MacroAssemblerARM.h:
2287         (JSC::MacroAssemblerARM::loadDouble):
2288         (JSC::MacroAssemblerARM::storeDouble):
2289         * assembler/MacroAssemblerARM64.h:
2290         (JSC::MacroAssemblerARM64::loadDouble):
2291         (JSC::MacroAssemblerARM64::storeDouble):
2292         * assembler/MacroAssemblerARMv7.h:
2293         (JSC::MacroAssemblerARMv7::loadDouble):
2294         (JSC::MacroAssemblerARMv7::storeDouble):
2295         * assembler/MacroAssemblerMIPS.h:
2296         (JSC::MacroAssemblerMIPS::loadDouble):
2297         (JSC::MacroAssemblerMIPS::storeDouble):
2298         * assembler/MacroAssemblerSH4.h:
2299         (JSC::MacroAssemblerSH4::loadDouble):
2300         (JSC::MacroAssemblerSH4::storeDouble):
2301         * assembler/MacroAssemblerX86.h:
2302         (JSC::MacroAssemblerX86::storeDouble):
2303         * assembler/MacroAssemblerX86Common.h:
2304         (JSC::MacroAssemblerX86Common::absDouble):
2305         (JSC::MacroAssemblerX86Common::negateDouble):
2306         (JSC::MacroAssemblerX86Common::loadDouble):
2307         * dfg/DFGSpeculativeJIT.cpp:
2308         (JSC::DFG::SpeculativeJIT::silentFill):
2309         (JSC::DFG::compileClampDoubleToByte):
2310         * dfg/DFGSpeculativeJIT32_64.cpp:
2311         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2312         (JSC::DFG::SpeculativeJIT::compile):
2313         * jit/AssemblyHelpers.cpp:
2314         (JSC::AssemblyHelpers::purifyNaN):
2315         * jit/JITInlines.h:
2316         (JSC::JIT::emitLoadDouble):
2317         * jit/JITPropertyAccess.cpp:
2318         (JSC::JIT::emitFloatTypedArrayGetByVal):
2319         * jit/ThunkGenerators.cpp:
2320         (JSC::floorThunkGenerator):
2321         (JSC::roundThunkGenerator):
2322         (JSC::powThunkGenerator):
2323
2324 2014-05-12  Commit Queue  <commit-queue@webkit.org>
2325
2326         Unreviewed, rolling out r168642.
2327         https://bugs.webkit.org/show_bug.cgi?id=132839
2328
2329         Broke ARM build (Requested by jpfau on #webkit).
2330
2331         Reverted changeset:
2332
2333         "[Win] Enum type with value zero is compatible with void*,
2334         potential cause of crashes."
2335         https://bugs.webkit.org/show_bug.cgi?id=132772
2336         http://trac.webkit.org/changeset/168642
2337
2338 2014-05-12  peavo@outlook.com  <peavo@outlook.com>
2339
2340         [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
2341         https://bugs.webkit.org/show_bug.cgi?id=132772
2342
2343         Reviewed by Geoffrey Garen.
2344
2345         Using the MSVC compiler, an instance of an enum type with value zero is compatible with void* (see bug 132683 for a code example).
2346         This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
2347         This patch tries to prevent this type of crash by using a type with explicit constructors instead of void*.
2348         The void* parameter in the loadDouble and storeDouble methods is replaced with TrustedImmPtr.
2349
2350         * assembler/MacroAssemblerARM.h:
2351         (JSC::MacroAssemblerARM::loadDouble):
2352         (JSC::MacroAssemblerARM::storeDouble):
2353         * assembler/MacroAssemblerARM64.h:
2354         (JSC::MacroAssemblerARM64::loadDouble):
2355         (JSC::MacroAssemblerARM64::storeDouble):
2356         * assembler/MacroAssemblerARMv7.h:
2357         (JSC::MacroAssemblerARMv7::loadDouble):
2358         (JSC::MacroAssemblerARMv7::storeDouble):
2359         * assembler/MacroAssemblerMIPS.h:
2360         (JSC::MacroAssemblerMIPS::loadDouble):
2361         (JSC::MacroAssemblerMIPS::storeDouble):
2362         * assembler/MacroAssemblerSH4.h:
2363         (JSC::MacroAssemblerSH4::loadDouble):
2364         (JSC::MacroAssemblerSH4::storeDouble):
2365         * assembler/MacroAssemblerX86.h:
2366         (JSC::MacroAssemblerX86::storeDouble):
2367         * assembler/MacroAssemblerX86Common.h:
2368         (JSC::MacroAssemblerX86Common::absDouble):
2369         (JSC::MacroAssemblerX86Common::negateDouble):
2370         (JSC::MacroAssemblerX86Common::loadDouble):
2371         * dfg/DFGSpeculativeJIT.cpp:
2372         (JSC::DFG::SpeculativeJIT::silentFill):
2373         (JSC::DFG::compileClampDoubleToByte):
2374         * dfg/DFGSpeculativeJIT32_64.cpp:
2375         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2376         (JSC::DFG::SpeculativeJIT::compile):
2377         * jit/AssemblyHelpers.cpp:
2378         (JSC::AssemblyHelpers::purifyNaN):
2379         * jit/JITInlines.h:
2380         (JSC::JIT::emitLoadDouble):
2381         * jit/JITPropertyAccess.cpp:
2382         (JSC::JIT::emitFloatTypedArrayGetByVal):
2383         * jit/ThunkGenerators.cpp:
2384         (JSC::floorThunkGenerator):
2385         (JSC::roundThunkGenerator):
2386         (JSC::powThunkGenerator):
2387
2388 2014-05-12  Andreas Kling  <akling@apple.com>
2389
2390         0.4% of PLT3 in JSCell::structure() below JSObject::visitChildren().
2391         <https://webkit.org/b/132828>
2392         <rdar://problem/16886285>
2393
2394         Reviewed by Michael Saboff.
2395
2396         * runtime/JSObject.cpp:
2397         (JSC::JSObject::visitButterfly):
2398         (JSC::JSObject::visitChildren):
2399
2400             Use JSCell::structure(VM&) to reduce the number of hoops we jump
2401             through to find Structures during marking.
2402
2403 2014-05-12  László Langó  <llango.u-szeged@partner.samsung.com>
2404
2405         [cmake] Add missing FTL source files to the build system.
2406
2407         Reviewed by Csaba Osztrogonác.
2408
2409         * CMakeLists.txt:
2410
2411 2014-05-09  Joseph Pecoraro  <pecoraro@apple.com>
2412
2413         Web Inspector: Allow Remote Inspector to entitlement check UIProcess through WebProcess
2414         https://bugs.webkit.org/show_bug.cgi?id=132409
2415
2416         Reviewed by Timothy Hatcher.
2417
2418         Proxy applications are applications which hold WebViews for other
2419         applications. The WebProcess (Web Content Service) is a proxy application.
2420         For legacy reasons we were supporting a scenario where proxy applications
2421         could potentially host WebViews for more than one other application. That
2422         was never the case for WebProcess and it is now a scenario we don't need
2423         to worry about supporting.
2424
2425         With this change, a proxy application more naturally only holds WebViews
2426         for a single parent / host application. The proxy process can set the
2427         parent pid / audit_token data on the RemoteInspector singleton, and
2428         that data will be sent on to webinspectord later on to be validated.
2429         In the WebProcess<->UIProcess relationship that information is known
2430         and set immediately. In the Legacy iOS case that information is set
2431         soon after, but not immediately known at the point the WebView is created.
2432
2433         This allows us to simplify the RemoteInspectorDebuggable interface.
2434         We no longer need a pid per-Debuggable.
2435
2436         * inspector/remote/RemoteInspector.h:
2437         * inspector/remote/RemoteInspector.mm:
2438         (Inspector::RemoteInspector::RemoteInspector):
2439         (Inspector::RemoteInspector::setParentProcessInformation):
2440         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
2441         (Inspector::RemoteInspector::listingForDebuggable):
2442         (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
2443         Handle new proxy application setup message, and provide an API
2444         for a proxy application to set the parent process information.
2445
2446         * inspector/remote/RemoteInspectorConstants.h:
2447         New setup and response message for proxy applications to pass
2448         their parent / host application information to webinspectord.
2449
2450         * inspector/remote/RemoteInspectorDebuggable.cpp:
2451         (Inspector::RemoteInspectorDebuggable::info):
2452         * inspector/remote/RemoteInspectorDebuggable.h:
2453         (Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo):
2454         (Inspector::RemoteInspectorDebuggableInfo::hasParentProcess): Deleted.
2455         pid per debuggable is no longer needed.
2456
2457 2014-05-09  Mark Hahnenberg  <mhahnenberg@apple.com>
2458
2459         JSDOMWindow should disable property caching after a certain point
2460         https://bugs.webkit.org/show_bug.cgi?id=132751
2461
2462         Reviewed by Filip Pizlo.
2463
2464         This is part of removing HasImpureGetOwnPropertySlot from JSDOMWindow. After the lookup in the static 
2465         hash table for JSDOMWindow fails we want to disable property caching even if the code that follows thinks 
2466         that it has provided a cacheable value.
2467
2468         * runtime/PropertySlot.h:
2469         (JSC::PropertySlot::PropertySlot):
2470         (JSC::PropertySlot::isCacheable):
2471         (JSC::PropertySlot::disableCaching):
2472
2473 2014-05-09  Andreas Kling  <akling@apple.com>
2474
2475         8.8% spent in Object.prototype.hasOwnProperty() on sbperftest.
2476         <https://webkit.org/b/132749>
2477
2478         Leverage the fast-resolve-to-AtomicString optimization for JSRopeString
2479         in Object.prototype.* by using JSString::toIdentifier() in the cases where
2480         we are converting JSString -> String -> Identifier.
2481
2482         This brings time spent in hasOwnProperty() from 8.8% to 1.3% on
2483         "The Great HTML5 Gaming Performance Test: 2014 edition"
2484         <http://www.scirra.com/demos/c2/sbperftest/>
2485
2486         Reviewed by Oliver Hunt.
2487
2488         * runtime/ObjectPrototype.cpp:
2489         (JSC::objectProtoFuncHasOwnProperty):
2490         (JSC::objectProtoFuncDefineGetter):
2491         (JSC::objectProtoFuncDefineSetter):
2492         (JSC::objectProtoFuncLookupGetter):
2493         (JSC::objectProtoFuncLookupSetter):
2494
2495 2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>
2496
2497         JSDOMWindow should have a WatchpointSet to fire on window close
2498         https://bugs.webkit.org/show_bug.cgi?id=132721
2499
2500         Reviewed by Filip Pizlo.
2501
2502         This patch allows us to reset the inline caches that assumed they could skip 
2503         the first part of JSDOMWindow::getOwnPropertySlot that checks if the window has 
2504         been closed. This is part of getting rid of HasImpureGetOwnPropertySlot on JSDOMWindow.
2505
2506         PropertySlot now accepts a WatchpointSet which the inline cache code can look for
2507         to see if it should create a new Watchpoint for that particular inline cache site.
2508
2509         * bytecode/Watchpoint.h:
2510         * jit/Repatch.cpp:
2511         (JSC::generateByIdStub):
2512         (JSC::tryBuildGetByIDList):
2513         (JSC::tryCachePutByID):
2514         (JSC::tryBuildPutByIdList):
2515         * runtime/PropertySlot.h:
2516         (JSC::PropertySlot::PropertySlot):
2517         (JSC::PropertySlot::watchpointSet):
2518         (JSC::PropertySlot::setWatchpointSet):
2519
2520 2014-05-09  Tanay C  <tanay.c@samsung.com>
2521
2522         Fix build warning (uninitialized variable) in DFGFixupPhase.cpp 
2523         https://bugs.webkit.org/show_bug.cgi?id=132331
2524
2525         Reviewed by Darin Adler.
2526
2527         * dfg/DFGFixupPhase.cpp:
2528         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2529
2530 2014-05-09  peavo@outlook.com  <peavo@outlook.com>
2531
2532         [Win] Crash when enabling DFG JIT.
2533         https://bugs.webkit.org/show_bug.cgi?id=132683
2534
2535         Reviewed by Geoffrey Garen.
2536
2537         On Windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0),
2538         results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
2539         where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
2540         This causes the register to be written to address 0, hence the crash.
2541
2542         * dfg/DFGOSRExitCompiler32_64.cpp:
2543         (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
2544         * dfg/DFGOSRExitCompiler64.cpp:
2545         (JSC::DFG::OSRExitCompiler::compileExit): Ditto.
2546
2547 2014-05-09  Martin Hodovan  <mhodovan.u-szeged@partner.samsung.com>
2548
2549         REGRESSION(r167094): JSC crashes on ARM Traditional
2550         https://bugs.webkit.org/show_bug.cgi?id=132738
2551
2552         Reviewed by Zoltan Herczeg.
2553
2554         PC is two instructions ahead of the current instruction
2555         on ARM Traditional, so the distance is 8 bytes not 2.
2556
2557         * llint/LowLevelInterpreter.asm:
2558
2559 2014-05-09  Alberto Garcia  <berto@igalia.com>
2560
2561         jsmin.py license header confusing, mentions non-free license
2562         https://bugs.webkit.org/show_bug.cgi?id=123665
2563
2564         Reviewed by Darin Adler.
2565
2566         Pull the most recent version from upstream, which has a clear
2567         license.
2568
2569         * inspector/scripts/jsmin.py:
2570
2571 2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>
2572
2573         Base case for get-by-id inline cache doesn't check for HasImpureGetOwnPropertySlot
2574         https://bugs.webkit.org/show_bug.cgi?id=132695
2575
2576         Reviewed by Filip Pizlo.
2577
2578         We check in the case where we're accessing something other than the base object (e.g. the prototype), 
2579         but we fail to do so for the base object.
2580
2581         * jit/Repatch.cpp:
2582         (JSC::tryCacheGetByID):
2583         (JSC::tryBuildGetByIDList):
2584         * jsc.cpp: Added some infrastructure to support this test. We don't currently trigger this bug anywhere in WebKit
2585         because all of the values that are returned that could be impure are set to uncacheable anyways.
2586         (WTF::ImpureGetter::ImpureGetter):
2587         (WTF::ImpureGetter::createStructure):
2588         (WTF::ImpureGetter::create):
2589         (WTF::ImpureGetter::finishCreation):
2590         (WTF::ImpureGetter::getOwnPropertySlot):
2591         (WTF::ImpureGetter::visitChildren):
2592         (WTF::ImpureGetter::setDelegate):
2593         (GlobalObject::finishCreation):
2594         (functionCreateImpureGetter):
2595         (functionSetImpureGetterDelegate):
2596         * tests/stress/impure-get-own-property-slot-inline-cache.js: Added.
2597         (foo):
2598
2599 2014-05-08  Filip Pizlo  <fpizlo@apple.com>
2600
2601         deleteAllCompiledCode() shouldn't use the suspension worklist
2602         https://bugs.webkit.org/show_bug.cgi?id=132708
2603
2604         Reviewed by Mark Hahnenberg.
2605
2606         * bytecode/CodeBlock.cpp:
2607         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
2608         * dfg/DFGPlan.cpp:
2609         (JSC::DFG::Plan::isStillValid):
2610         * heap/Heap.cpp:
2611         (JSC::Heap::deleteAllCompiledCode):
2612
2613 2014-05-08  Filip Pizlo  <fpizlo@apple.com>
2614
2615         SSA conversion should delete PhantomLocals for captured variables
2616         https://bugs.webkit.org/show_bug.cgi?id=132693
2617
2618         Reviewed by Mark Hahnenberg.
2619
2620         * dfg/DFGCommon.cpp:
2621         (JSC::DFG::startCrashing): Parallel JIT and a JIT bug means that we may dump IR in parallel. This is the workaround. This patch uses it in all of the places where we dump IR and crash.
2622         * dfg/DFGCommon.h:
2623         * dfg/DFGFixupPhase.cpp:
2624         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): Use the workaround.
2625         * dfg/DFGLivenessAnalysisPhase.cpp:
2626         (JSC::DFG::LivenessAnalysisPhase::run): Use the workaround.
2627         * dfg/DFGSSAConversionPhase.cpp:
2628         (JSC::DFG::SSAConversionPhase::run): Fix the bug - it's true that PhantomLocal for captured variables doesn't need anything done to it, but it's wrong that we didn't delete it outright.
2629         * dfg/DFGValidate.cpp: Use the workaround.
2630         * tests/stress/phantom-local-captured-but-not-flushed-to-ssa.js: Added.
2631         (foo):
2632         (bar):
2633
2634 2014-05-07  Commit Queue  <commit-queue@webkit.org>
2635
2636         Unreviewed, rolling out r168451.
2637         https://bugs.webkit.org/show_bug.cgi?id=132670
2638
2639         Not a speed-up, just do what other compilers do. (Requested by
2640         kling on #webkit).
2641
2642         Reverted changeset:
2643
2644         "[X86] Emit BT instruction for single-bit tests."
2645         https://bugs.webkit.org/show_bug.cgi?id=132650
2646         http://trac.webkit.org/changeset/168451
2647
2648 2014-05-07  Filip Pizlo  <fpizlo@apple.com>
2649
2650         Make Executable::clearCode() actually clear all of the entrypoints, and
2651         clean up some other FTL-related calling convention stuff.
2652         <rdar://problem/16720172>
2653
2654         Rubber stamped by Mark Hahnenberg.
2655
2656         * dfg/DFGOperations.cpp:
2657         * dfg/DFGOperations.h:
2658         * dfg/DFGWorklist.cpp:
2659         (JSC::DFG::Worklist::Worklist):
2660         (JSC::DFG::Worklist::finishCreation):
2661         (JSC::DFG::Worklist::create):
2662         (JSC::DFG::ensureGlobalDFGWorklist):
2663         (JSC::DFG::ensureGlobalFTLWorklist):
2664         * dfg/DFGWorklist.h:
2665         * heap/CodeBlockSet.cpp:
2666         (JSC::CodeBlockSet::dump):
2667         * heap/CodeBlockSet.h:
2668         * runtime/Executable.cpp:
2669         (JSC::ExecutableBase::clearCode):
2670
2671 2014-05-07  Andreas Kling  <akling@apple.com>
2672
2673         [X86] Emit BT instruction for single-bit tests.
2674         <https://webkit.org/b/132650>
2675
2676         Implement test-bit-and-branch slightly more efficiently by using
2677         BT + JC/JNC instead of TEST + JZ/JNZ when we're only testing for
2678         a single bit.
2679
2680         Reviewed by Michael Saboff.
2681
2682         * assembler/MacroAssemblerX86Common.h:
2683         (JSC::MacroAssemblerX86Common::singleBitIndex):
2684         (JSC::MacroAssemblerX86Common::branchTest32):
2685         * assembler/X86Assembler.h:
2686         (JSC::X86Assembler::bt_i8r):
2687         (JSC::X86Assembler::bt_i8m):
2688
2689 2014-05-07  Mark Lam  <mark.lam@apple.com>
2690
2691         REGRESSION(r166678): Dromaeo/cssquery-dojo.html crashes regularly.
2692         <https://webkit.org/b/131356>
2693
2694         Reviewed by Geoffrey Garen.
2695
2696         The issue is that GC needs to be made aware of writes to m_inferredValue
2697         in the VariableWatchpointSet, but was not.  As a result, if a JSCell*
2698         is written to a VariableWatchpointSet m_inferredValue, and that JSCell
2699         does not survive an eden GC shortly after, we will end up with a stale
2700         JSCell pointer left in the m_inferredValue.
2701
2702         This issue can be detected more easily by running Dromaeo/cssquery-dojo.html
2703         using DumpRenderTree with the VM heap in zombie mode.
2704
2705         The fix is to change VariableWatchpointSet m_inferredValue to type
2706         WriteBarrier<Unknown> and ensure that VariableWatchpointSet::notifyWrite()
2707         is executed by all the execution engines so that the WriteBarrier semantics
2708         are honored.
2709
2710         We still check if the value to be written is the same as the one in the
2711         inferredValue.  We'll by-pass calling the slow path notifyWrite() if the
2712         values are the same.
2713
2714         * JavaScriptCore.xcodeproj/project.pbxproj:
2715         * bytecode/CodeBlock.cpp:
2716         (JSC::CodeBlock::CodeBlock):
2717         - need to pass the symbolTable to prepareToWatch() because it will be needed
2718           for instantiating the VariableWatchpointSet in prepareToWatch().
2719
2720         * bytecode/VariableWatchpointSet.h:
2721         (JSC::VariableWatchpointSet::VariableWatchpointSet):
2722         - VariableWatchpointSet now tracks its owner symbol table for its m_inferredValue
2723           write barrier, and yes, m_inferredValue is now of type WriteBarrier<Unknown>.
2724         (JSC::VariableWatchpointSet::inferredValue):
2725         (JSC::VariableWatchpointSet::invalidate):
2726         (JSC::VariableWatchpointSet::finalizeUnconditionally):
2727         (JSC::VariableWatchpointSet::addressOfInferredValue):
2728         (JSC::VariableWatchpointSet::notifyWrite): Deleted.
2729         * bytecode/VariableWatchpointSetInlines.h: Added.
2730         (JSC::VariableWatchpointSet::notifyWrite):
2731
2732         * dfg/DFGByteCodeParser.cpp:
2733         (JSC::DFG::ByteCodeParser::cellConstant):
2734         - Added an assert in case we try to make constants of zombified JSCells again.
2735
2736         * dfg/DFGOperations.cpp:
2737         * dfg/DFGOperations.h:
2738         * dfg/DFGSpeculativeJIT.h:
2739         (JSC::DFG::SpeculativeJIT::callOperation):
2740         * dfg/DFGSpeculativeJIT32_64.cpp:
2741         (JSC::DFG::SpeculativeJIT::compile):
2742         * dfg/DFGSpeculativeJIT64.cpp:
2743         (JSC::DFG::SpeculativeJIT::compile):
2744         - We now let the slow path handle the cases when the VariableWatchpointSet is
2745           in state ClearWatchpoint and IsWatched, and the slow path will ensure that
2746           we handle the needed write barrier semantics correctly.
2747           We will by-pass the slow path if the value being written is the same as the
2748           inferred value.
2749
2750         * ftl/FTLIntrinsicRepository.h:
2751         * ftl/FTLLowerDFGToLLVM.cpp:
2752         (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
2753         - Let the slow path handle the cases when the VariableWatchpointSet is
2754           in state ClearWatchpoint and IsWatched.
2755           We will by-pass the slow path if the value being written is the same as the
2756           inferred value.
2757
2758         * heap/Heap.cpp:
2759         (JSC::Zombify::operator()):
2760         - Use a different value for the zombified bits (to distinguish it from 0xbbadbeef
2761           which is used everywhere else).
2762         * heap/Heap.h:
2763         (JSC::Heap::isZombified):
2764         - Provide a convenience test function to check if JSCells are zombified.  This is
2765           currently only used in an assertion in the DFG bytecode parser, but the intent
2766           is that we'll apply this test in other strategic places later to help with early
2767           detection of usage of GC'ed objects when we run in zombie mode.
2768
2769         * jit/JITOpcodes.cpp:
2770         (JSC::JIT::emitSlow_op_captured_mov):
2771         * jit/JITOperations.h:
2772         * jit/JITPropertyAccess.cpp:
2773         (JSC::JIT::emitNotifyWrite):
2774         * jit/JITPropertyAccess32_64.cpp:
2775         (JSC::JIT::emitNotifyWrite):
2776         (JSC::JIT::emitSlow_op_put_to_scope):
2777         - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
2778           is in state ClearWatchpoint and IsWatched.
2779           We will by-pass the slow path if the value being written is the same as the
2780           inferred value.
2781         
2782         * llint/LowLevelInterpreter32_64.asm:
2783         * llint/LowLevelInterpreter64.asm:
2784         - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
2785           is in state ClearWatchpoint and IsWatched.
2786           We will by-pass the slow path if the value being written is the same as the
2787           inferred value.
2788         
2789         * runtime/CommonSlowPaths.cpp:
2790
2791         * runtime/JSCJSValue.h: Fixed some typos in the comments.
2792         * runtime/JSGlobalObject.cpp:
2793         (JSC::JSGlobalObject::addGlobalVar):
2794         (JSC::JSGlobalObject::addFunction):
2795         * runtime/JSSymbolTableObject.h:
2796         (JSC::symbolTablePut):
2797         (JSC::symbolTablePutWithAttributes):
2798         * runtime/SymbolTable.cpp:
2799         (JSC::SymbolTableEntry::prepareToWatch):
2800         (JSC::SymbolTableEntry::notifyWriteSlow):
2801         * runtime/SymbolTable.h:
2802         (JSC::SymbolTableEntry::notifyWrite):
2803
2804 2014-05-06  Michael Saboff  <msaboff@apple.com>
2805
2806         Unreviewed build fix for C-LOOP after r168396.
2807
2808         * runtime/TestRunnerUtils.cpp:
2809         (JSC::optimizeNextInvocation): Wrapped actual call inside #if ENABLE(JIT)
2810
2811 2014-05-06  Michael Saboff  <msaboff@apple.com>
2812
2813         Add test for deleteAllCompiledCode
2814         https://bugs.webkit.org/show_bug.cgi?id=132632
2815
2816         Reviewed by Phil Pizlo.
2817
2818         Added two new hooks to jsc, one to call Heap::deleteAllCompiledCode() and
2819         the other to call CodeBlock::optimizeNextInvocation().  Used these two hooks
2820         to write a test that will queue up loads of DFG compiles and then call
2821         Heap::deleteAllCompiledCode() to make sure that it can handle compiled
2822         code as well as code being compiled.
2823
2824         * jsc.cpp:
2825         (GlobalObject::finishCreation):
2826         (functionDeleteAllCompiledCode):
2827         (functionOptimizeNextInvocation):
2828         * runtime/TestRunnerUtils.cpp:
2829         (JSC::optimizeNextInvocation):
2830         * runtime/TestRunnerUtils.h:
2831         * tests/stress/deleteAllCompiledCode.js: Added.
2832         (functionList):
2833         (runTest):
2834
2835 2014-05-06  Andreas Kling  <akling@apple.com>
2836
2837         JSString::toAtomicString() should return AtomicString.
2838         <https://webkit.org/b/132627>
2839
2840         Remove premature optimization where I was trying to avoid refcount
2841         churn when returning an already atomicized String.
2842
2843         Instead of using reinterpret_cast to mangle the String member into
2844         a const AtomicString& return value, just return AtomicString.
2845
2846         Reviewed by Geoff Garen.
2847
2848         * runtime/JSString.h:
2849         (JSC::JSString::toAtomicString):
2850
2851 2014-05-06  Mark Hahnenberg  <mhahnenberg@apple.com>
2852
2853         Roll out r167889
2854
2855         Rubber stamped by Geoff Garen.
2856
2857         It broke some websites.
2858
2859         * runtime/JSPropertyNameIterator.cpp:
2860         (JSC::JSPropertyNameIterator::create):
2861         * runtime/PropertyMapHashTable.h:
2862         (JSC::PropertyTable::hasDeletedOffset):
2863         (JSC::PropertyTable::hadDeletedOffset): Deleted.
2864         * runtime/Structure.cpp:
2865         (JSC::Structure::Structure):
2866         (JSC::Structure::materializePropertyMap):
2867         (JSC::Structure::removePropertyTransition):
2868         (JSC::Structure::changePrototypeTransition):
2869         (JSC::Structure::despecifyFunctionTransition):
2870         (JSC::Structure::attributeChangeTransition):
2871         (JSC::Structure::toDictionaryTransition):
2872         (JSC::Structure::preventExtensionsTransition):
2873         (JSC::Structure::addPropertyWithoutTransition):
2874         (JSC::Structure::removePropertyWithoutTransition):
2875         (JSC::Structure::pin):
2876         (JSC::Structure::pinAndPreventTransitions): Deleted.
2877         * runtime/Structure.h:
2878         * runtime/StructureInlines.h:
2879         (JSC::Structure::setEnumerationCache):
2880         (JSC::Structure::propertyTable):
2881         (JSC::Structure::checkOffsetConsistency):
2882         (JSC::Structure::hadDeletedOffsets): Deleted.
2883         * tests/stress/for-in-after-delete.js:
2884         (foo): Deleted.
2885
2886 2014-05-05  Andreas Kling  <akling@apple.com>
2887
2888         Fix debug build.
2889
2890         * runtime/JSCellInlines.h:
2891         (JSC::JSCell::fastGetOwnProperty):
2892
2893 2014-05-05  Andreas Kling  <akling@apple.com>
2894
2895         Optimize GetByVal when subscript is a rope string.
2896         <https://webkit.org/b/132590>
2897
2898         Use JSString::toIdentifier() in the various GetByVal implementations
2899         to try and avoid allocating extra strings.
2900
2901         Added canUseFastGetOwnProperty() and wrap calls to fastGetOwnProperty()
2902         in that, to avoid calling JSString::value() which always resolves ropes
2903         into new strings and de-optimizes subsequent toIdentifier() calls.
2904
2905         My iMac says ~9% progression on Dromaeo/dom-attr.html
2906
2907         Reviewed by Phil Pizlo.
2908
2909         * dfg/DFGOperations.cpp:
2910         * jit/JITOperations.cpp:
2911         (JSC::getByVal):
2912         * llint/LLIntSlowPaths.cpp:
2913         (JSC::LLInt::getByVal):
2914         * runtime/JSCell.h:
2915         * runtime/JSCellInlines.h:
2916         (JSC::JSCell::fastGetOwnProperty):
2917         (JSC::JSCell::canUseFastGetOwnProperty):
2918
2919 2014-05-05  Andreas Kling  <akling@apple.com>
2920
2921         REGRESSION (r168256): ASSERTION FAILED: (buffer + m_length) == position loading vanityfair.com article.
2922         <https://webkit.org/b/168256>
2923         <rdar://problem/16816316>
2924
2925         Make resolveRopeSlowCase8() behave like its 16-bit counterpart and not
2926         clear the fibers. The caller takes care of this.
2927
2928         Test: fast/dom/getElementById-with-rope-string-arg.html
2929
2930         Reviewed by Geoffrey Garen.
2931
2932         * runtime/JSString.cpp:
2933         (JSC::JSRopeString::resolveRopeSlowCase8):
2934
2935 2014-05-05  Michael Saboff  <msaboff@apple.com>
2936
2937         REGRESSION: RELEASE_ASSERT in CodeBlock::baselineVersion @ cnn.com
2938         https://bugs.webkit.org/show_bug.cgi?id=132581
2939
2940         Reviewed by Filip Pizlo.
2941
2942         * dfg/DFGPlan.cpp:
2943         (JSC::DFG::Plan::isStillValid): Check that the alternative codeBlock we
2944         started compiling for is still the same at the end of compilation.
2945         Also did some minor restructuring.
2946
2947 2014-05-05  Andreas Kling  <akling@apple.com>
2948
2949         Optimize PutByVal when subscript is a rope string.
2950         <https://webkit.org/b/132572>
2951
2952         Add a JSString::toIdentifier() that is smarter when the JSString is
2953         really a rope string. Use this in baseline & DFG's PutByVal to avoid
2954         allocating new StringImpls that we immediately deduplicate anyway.
2955
2956         Reviewed by Antti Koivisto.
2957
2958         * dfg/DFGOperations.cpp:
2959         (JSC::DFG::operationPutByValInternal):
2960         * jit/JITOperations.cpp:
2961         * runtime/JSString.h:
2962         (JSC::JSString::toIdentifier):
2963
2964 2014-05-05  Andreas Kling  <akling@apple.com>
2965
2966         Remove two now-incorrect assertions after r168256.
2967
2968         * runtime/JSString.cpp:
2969         (JSC::JSRopeString::resolveRopeSlowCase8):
2970         (JSC::JSRopeString::resolveRopeSlowCase):
2971
2972 2014-05-04  Andreas Kling  <akling@apple.com>
2973
2974         Optimize JSRopeString for resolving directly to AtomicString.
2975         <https://webkit.org/b/132548>
2976
2977         If we know that the JSRopeString we are resolving is going to be used
2978         as an AtomicString, we can try to avoid creating a new string.
2979
2980         We do this by first resolving the rope into a stack buffer, and using
2981         that buffer as a key into the AtomicString table. If there is already
2982         an AtomicString with the same characters, we reuse that instead of
2983         constructing a new StringImpl.
2984
2985         JSString gains these two public functions:
2986
2987         - AtomicString toAtomicString()
2988
2989             Returns an AtomicString, tries to avoid allocating a new string
2990             if possible.
2991
2992         - AtomicStringImpl* toExistingAtomicString()
2993
2994             Returns a non-null AtomicStringImpl* if one already exists in the
2995             AtomicString table. If none is found, the rope is left unresolved.
2996
2997         Reviewed by Filip Pizlo.
2998
2999         * runtime/JSString.cpp:
3000         (JSC::JSRopeString::resolveRopeInternal8):
3001         (JSC::JSRopeString::resolveRopeInternal16):
3002         (JSC::JSRopeString::resolveRopeToAtomicString):
3003         (JSC::JSRopeString::clearFibers):
3004         (JSC::JSRopeString::resolveRopeToExistingAtomicString):
3005         (JSC::JSRopeString::resolveRope):
3006         (JSC::JSRopeString::outOfMemory):
3007         * runtime/JSString.h:
3008         (JSC::JSString::toAtomicString):
3009         (JSC::JSString::toExistingAtomicString):
3010
3011 2014-05-04  Andreas Kling  <akling@apple.com>
3012
3013         Unreviewed, rolling out r168254.
3014
3015         Very crashy on debug JSC tests.
3016
3017         Reverted changeset:
3018
3019         "jsSubstring() should be lazy"
3020         https://bugs.webkit.org/show_bug.cgi?id=132556
3021         http://trac.webkit.org/changeset/168254
3022
3023 2014-05-04  Filip Pizlo  <fpizlo@apple.com>
3024
3025         jsSubstring() should be lazy
3026         https://bugs.webkit.org/show_bug.cgi?id=132556
3027
3028         Reviewed by Andreas Kling.
3029         
3030         jsSubstring() is now lazy by using a special rope that is a substring instead of a
3031         concatenation. To make this patch super simple, we require that a substring's base is
3032         never a rope. Hence, when resolving a rope, we either go down a non-recursive substring
3033         path, or we go down a concatenation path which may see exactly one level of substrings in
3034         its fibers.
3035         
3036         This is up to a 50% speed-up on microbenchmarks and a 10% speed-up on Octane/regexp.
3037
3038         * heap/MarkedBlock.cpp:
3039         (JSC::MarkedBlock::specializedSweep):
3040         * runtime/JSString.cpp:
3041         (JSC::JSRopeString::visitFibers):
3042         (JSC::JSRopeString::resolveRope):
3043         (JSC::JSRopeString::resolveRopeSlowCase8):
3044         (JSC::JSRopeString::resolveRopeSlowCase):
3045         (JSC::JSRopeString::outOfMemory):
3046         * runtime/JSString.h:
3047         (JSC::JSRopeString::finishCreation):
3048         (JSC::JSRopeString::append):
3049         (JSC::JSRopeString::create):
3050         (JSC::JSRopeString::offsetOfFibers):
3051         (JSC::JSRopeString::fiber):
3052         (JSC::JSRopeString::substringBase):
3053         (JSC::JSRopeString::substringOffset):
3054         (JSC::JSRopeString::substringSentinel):
3055         (JSC::JSRopeString::isSubstring):
3056         (JSC::jsSubstring):
3057         * runtime/RegExpMatchesArray.cpp:
3058         (JSC::RegExpMatchesArray::reifyAllProperties):
3059         * runtime/StringPrototype.cpp:
3060         (JSC::stringProtoFuncSubstring):
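
An added toy model of the lazy-substring rope this entry describes (example code written for this page, not JSRopeString or any JavaScriptCore code; Rope, makeFlat, makeConcat, makeSubstring, resolve and demo are names invented here). It enforces the stated invariant that a substring's base is never a rope, so resolving a substring is a single non-recursive copy, while the concatenation path may meet substrings only one level deep in its fibers.

```cpp
#include <cassert>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Toy rope modelled on the description above (not JSC's JSRopeString):
// a node is Flat, a Concat of fibers, or a Substring whose base is always Flat.
struct Rope {
    enum class Kind { Flat, Concat, Substring };
    Kind kind = Kind::Flat;
    std::string flat;                          // Flat: resolved characters
    std::vector<std::shared_ptr<Rope>> fibers; // Concat: pieces, may be ropes
    std::shared_ptr<Rope> base;                // Substring: always a Flat node
    std::size_t offset = 0;                    // Substring: start within base
    std::size_t length = 0;                    // logical length of this node
};
using RopePtr = std::shared_ptr<Rope>;

RopePtr makeFlat(std::string s) {
    auto r = std::make_shared<Rope>();
    r->length = s.size();
    r->flat = std::move(s);
    return r;
}

RopePtr makeConcat(RopePtr a, RopePtr b) {
    auto r = std::make_shared<Rope>();
    r->kind = Rope::Kind::Concat;
    r->length = a->length + b->length;
    r->fibers = {std::move(a), std::move(b)};
    return r;
}

// Copy one fiber into out. A Substring fiber is copied straight from its
// Flat base (exactly one level); nested Concats recurse (kept simple here).
static void appendFiber(const Rope& node, std::string& out) {
    if (node.kind == Rope::Kind::Flat) {
        out += node.flat;
    } else if (node.kind == Rope::Kind::Substring) {
        assert(node.base->kind == Rope::Kind::Flat); // the invariant
        out.append(node.base->flat, node.offset, node.length);
    } else {
        for (const auto& fiber : node.fibers)
            appendFiber(*fiber, out);
    }
}

// Flatten a rope in place. Substring path: one copy from a Flat base, no
// recursion. Concat path: append each fiber, then drop the fibers.
void resolve(Rope& rope) {
    if (rope.kind == Rope::Kind::Flat)
        return;
    std::string out;
    if (rope.kind == Rope::Kind::Substring) {
        out.append(rope.base->flat, rope.offset, rope.length);
        rope.base.reset();
    } else {
        for (const auto& fiber : rope.fibers)
            appendFiber(*fiber, out);
        rope.fibers.clear();
    }
    rope.kind = Rope::Kind::Flat;
    rope.flat = std::move(out);
}

// jsSubstring analogue: lazy, no character copy when the base is Flat.
// A Concat base is resolved first so a substring's base is never a rope;
// a Substring base is re-based onto its own Flat base instead of nesting.
RopePtr makeSubstring(RopePtr base, std::size_t offset, std::size_t length) {
    assert(offset + length <= base->length);
    if (base->kind == Rope::Kind::Substring) {
        offset += base->offset;
        base = base->base;
    } else if (base->kind == Rope::Kind::Concat) {
        resolve(*base);
    }
    auto r = std::make_shared<Rope>();
    r->kind = Rope::Kind::Substring;
    r->base = std::move(base);
    r->offset = offset;
    r->length = length;
    return r;
}

// Builds the shapes the entry describes and returns the resolved strings,
// or a marker if the "base is never a rope" invariant was broken.
std::string demo() {
    RopePtr greeting = makeConcat(makeFlat("hello, "), makeFlat("world"));
    RopePtr world = makeSubstring(greeting, 7, 5); // resolves greeting first
    RopePtr orl = makeSubstring(world, 1, 3);      // re-based: offset 8 into greeting
    if (orl->base != greeting || orl->offset != 8 || greeting->kind != Rope::Kind::Flat)
        return "invariant violated";
    RopePtr joined = makeConcat(makeConcat(orl, makeFlat("-")), makeSubstring(greeting, 0, 5));
    resolve(*joined);
    resolve(*world);
    return joined->flat + "|" + world->flat; // "orl-hello|world"
}
```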
3061
3062 2014-05-02  Michael Saboff  <msaboff@apple.com>
3063
3064         "arm64 function not 4-byte aligned" warnings when building JSC
3065         https://bugs.webkit.org/show_bug.cgi?id=132495
3066
3067         Reviewed by Geoffrey Garen.
3068
3069         Added ".align 4" for both ARM Thumb2 and ARM 64 to silence the linker.
3070
3071         * llint/LowLevelInterpreter.cpp:
3072
3073 2014-05-02  Mark Hahnenberg  <mhahnenberg@apple.com>
3074
3075         Fix cloop build after r168178
3076
3077         * bytecode/CodeBlock.cpp:
3078
3079 2014-05-01  Mark Hahnenberg  <mhahnenberg@apple.com>
3080
3081         Add a DFG function whitelist
3082         https://bugs.webkit.org/show_bug.cgi?id=132437
3083
3084         Reviewed by Geoffrey Garen.
3085
3086         Oftentimes when debugging, using bytecode ranges isn't enough to narrow down to the
3087         particular DFG block that's causing issues. This patch adds the ability to whitelist
3088         specific functions specified in a file to enable further filtering without having to recompile.
3089
3090         * CMakeLists.txt:
3091         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3092         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3093         * JavaScriptCore.xcodeproj/project.pbxproj:
3094         * dfg/DFGCapabilities.cpp:
3095         (JSC::DFG::isSupported):
3096         (JSC::DFG::mightInlineFunctionForCall):
3097         (JSC::DFG::mightInlineFunctionForClosureCall):
3098         (JSC::DFG::mightInlineFunctionForConstruct):
3099         * dfg/DFGFunctionWhitelist.cpp: Added.
3100         (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
3101         (JSC::DFG::FunctionWhitelist::FunctionWhitelist):
3102         (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
3103         (JSC::DFG::FunctionWhitelist::contains):
3104         * dfg/DFGFunctionWhitelist.h: Added.
3105         * runtime/Options.cpp:
3106         (JSC::parse):
3107         (JSC::Options::dumpOption):
3108         * runtime/Options.h:
3109
3110 2014-05-02  Filip Pizlo  <fpizlo@apple.com>
3111
3112         DFGAbstractInterpreter should not claim Int52 arithmetic creates Int52s
3113         https://bugs.webkit.org/show_bug.cgi?id=132446
3114
3115         Reviewed by Mark Hahnenberg.
3116         
3117         Basically any arithmetic operation can turn an Int52 into an Int32 or vice-versa, and
3118         our modeling of Int52Rep nodes is such that they can have either Int32 or Int52 type
3119         to indicate a bound on the value. This is useful for knowing, for example, that
3120         Int52Rep(Int32:) returns a value that cannot be outside the Int32 range. Also,
3121         ValueRep(Int52Rep:) uses this to determine whether it may return a double or an int.
3122         But this means that all arithmetic operations must be careful to note that they may
3123         turn Int32 inputs into an Int52 output or vice-versa, as these new tests show.
3124
3125         * dfg/DFGAbstractInterpreterInlines.h:
3126         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3127         * dfg/DFGByteCodeParser.cpp:
3128         (JSC::DFG::ByteCodeParser::makeSafe):
3129         * tests/stress/int52-ai-add-then-filter-int32.js: Added.
3130         (foo):
3131         * tests/stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js: Added.
3132         (foo):
3133         * tests/stress/int52-ai-mul-then-filter-int32-directly.js: Added.
3134         (foo):
3135         * tests/stress/int52-ai-mul-then-filter-int32.js: Added.
3136         (foo):
3137         * tests/stress/int52-ai-neg-then-filter-int32.js: Added.
3138         (foo):
3139         * tests/stress/int52-ai-sub-then-filter-int32.js: Added.
3140         (foo):
3141
3142 2014-05-01  Geoffrey Garen  <ggaren@apple.com>
3143
3144         JavaScriptCore fails to build with some versions of clang
3145         https://bugs.webkit.org/show_bug.cgi?id=132436
3146
3147         Reviewed by Anders Carlsson.
3148
3149         * runtime/ArgumentsIteratorConstructor.cpp: Since we call
3150         putDirectWithoutTransition, and it calls putWillGrowOutOfLineStorage,
3151         and both are marked inline, it's valid for the compiler to decide
3152         to inline both and emit neither in the binary. Therefore, we need
3153         both inline definitions to be available in the translation unit at
3154         compile time, or we'll try to link against a function that doesn't exist.
3155
3156 2014-05-01  Commit Queue  <commit-queue@webkit.org>
3157
3158         Unreviewed, rolling out r167964.
3159         https://bugs.webkit.org/show_bug.cgi?id=132431
3160
3161         Memory improvements should not regress memory usage (Requested
3162         by olliej on #webkit).
3163
3164         Reverted changeset:
3165
3166         "Don't hold on to parameter BindingNodes forever"
3167         https://bugs.webkit.org/show_bug.cgi?id=132360
3168         http://trac.webkit.org/changeset/167964
3169
3170 2014-05-01  Filip Pizlo  <fpizlo@apple.com>
3171
3172         Fix trivial debug-only race-that-crashes in CallLinkStatus and explain why the remaining races are totally awesome
3173         https://bugs.webkit.org/show_bug.cgi?id=132427
3174
3175         Reviewed by Mark Hahnenberg.
3176
3177         * bytecode/CallLinkStatus.cpp:
3178         (JSC::CallLinkStatus::computeFor):
3179
3180 2014-04-30  Simon Fraser  <simon.fraser@apple.com>
3181
3182         Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO
3183         https://bugs.webkit.org/show_bug.cgi?id=132396
3184
3185         Reviewed by Eric Carlson.
3186
3187         Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO and related code.
3188
3189         * Configurations/FeatureDefines.xcconfig:
3190
3191 2014-04-30  Filip Pizlo  <fpizlo@apple.com>
3192
3193         Argument flush formats should not be presumed to be JSValue since 'this' is weird
3194         https://bugs.webkit.org/show_bug.cgi?id=132404
3195
3196         Reviewed by Michael Saboff.
3197
3198         * dfg/DFGSpeculativeJIT.cpp:
3199         (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Don't assume that arguments are flushed as JSValue. Use the logic for locals instead.
3200         * dfg/DFGSpeculativeJIT32_64.cpp:
3201         (JSC::DFG::SpeculativeJIT::compile): SetArgument "changes" the format because before this we wouldn't know we had arguments.
3202         * dfg/DFGSpeculativeJIT64.cpp:
3203         (JSC::DFG::SpeculativeJIT::compile): Ditto.
3204         * dfg/DFGValueSource.cpp:
3205         (JSC::DFG::ValueSource::dumpInContext): Make this easier to dump.
3206         * dfg/DFGValueSource.h:
3207         (JSC::DFG::ValueSource::operator!): Make this easier to dump because Operands<T> uses T::operator!().
3208         * ftl/FTLOSREntry.cpp:
3209         (JSC::FTL::prepareOSREntry): This had a useful assertion for everything except 'this'.
3210         * tests/stress/strict-to-this-int.js: Added.
3211         (foo):
3212         (Number.prototype.valueOf):
3213         (test):
3214
3215 2014-04-29  Oliver Hunt  <oliver@apple.com>
3216
3217         Don't hold on to parameterBindingNodes forever
3218         https://bugs.webkit.org/show_bug.cgi?id=132360
3219
3220         Reviewed by Geoffrey Garen.
3221
3222         Don't keep the parameter nodes anymore. Instead we store the
3223         original parameter string and reparse whenever we actually
3224         need them. Because we only actually need them for compilation
3225         this only results in a single extra parse.
3226
3227         * bytecode/UnlinkedCodeBlock.cpp:
3228         (JSC::generateFunctionCodeBlock):
3229         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3230         (JSC::UnlinkedFunctionExecutable::visitChildren):
3231         (JSC::UnlinkedFunctionExecutable::finishCreation):
3232         (JSC::UnlinkedFunctionExecutable::paramString):
3233         (JSC::UnlinkedFunctionExecutable::parameters):
3234         (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
3235         * bytecode/UnlinkedCodeBlock.h:
3236         (JSC::UnlinkedFunctionExecutable::create):
3237         (JSC::UnlinkedFunctionExecutable::parameterCount):
3238         (JSC::UnlinkedFunctionExecutable::parameters): Deleted.
3239         (JSC::UnlinkedFunctionExecutable::finishCreation): Deleted.
3240         * parser/ASTBuilder.h:
3241         (JSC::ASTBuilder::ASTBuilder):
3242         (JSC::ASTBuilder::setFunctionBodyParameters):
3243         * parser/Nodes.h:
3244         (JSC::FunctionBodyNode::parametersStartOffset):
3245         (JSC::FunctionBodyNode::parametersEndOffset):
3246         (JSC::FunctionBodyNode::setParameterLocation):
3247         * parser/Parser.cpp:
3248         (JSC::Parser<LexerType>::parseFunctionInfo):
3249         (JSC::parseParameters):
3250         * parser/Parser.h:
3251         (JSC::parse):
3252         * parser/SourceCode.h:
3253         (JSC::SourceCode::subExpression):
3254         * parser/SyntaxChecker.h:
3255         (JSC::SyntaxChecker::setFunctionBodyParameters):
3256
3257 2014-04-29  Mark Hahnenberg  <mhahnenberg@apple.com>
3258
3259         JSProxies should be cacheable
3260         https://bugs.webkit.org/show_bug.cgi?id=132351
3261
3262         Reviewed by Geoffrey Garen.
3263
3264         Whenever we encounter a proxy in an inline cache we should try to cache on the 
3265         proxy's target instead of giving up.
3266
3267         This patch adds support for a simple "recursive" inline cache if the base object
3268         we're accessing is a pure forwarding proxy. JSGlobalObject and its subclasses 
3269         are the only ones to benefit from this right now.
3270
3271         This is performance neutral on the benchmarks we track. Currently we won't
3272         cache on JSDOMWindow due to HasImpureGetOwnPropertySlot, but this issue will be fixed soon.
3273
3274         * jit/Repatch.cpp:
3275         (JSC::generateByIdStub):
3276         (JSC::tryBuildGetByIDList):
3277         (JSC::tryCachePutByID):
3278         (JSC::tryBuildPutByIdList):
3279         * jsc.cpp:
3280         (GlobalObject::finishCreation):
3281         (functionCreateProxy):
3282         * runtime/IntendedStructureChain.cpp:
3283         (JSC::IntendedStructureChain::isNormalized):
3284         * runtime/JSCellInlines.h:
3285         (JSC::JSCell::isProxy):
3286         * runtime/JSGlobalObject.h:
3287         (JSC::JSGlobalObject::finishCreation):
3288         * runtime/JSProxy.h:
3289         (JSC::JSProxy::createStructure):
3290         (JSC::JSProxy::targetOffset):
3291         * runtime/JSType.h:
3292         * runtime/Operations.h:
3293         (JSC::isPrototypeChainNormalized):
3294         * runtime/Structure.h:
3295         (JSC::Structure::isProxy):
3296         * tests/stress/proxy-inline-cache.js: Added.
3297         (cacheOnTarget.getX):
3298         (cacheOnTarget):
3299         (cacheOnPrototypeOfTarget.getX):
3300         (cacheOnPrototypeOfTarget):
3301         (dontCacheOnProxyInPrototypeChain.getX):
3302         (dontCacheOnProxyInPrototypeChain):
3303         (dontCacheOnTargetOfProxyInPrototypeChainOfTarget.getX):
3304         (dontCacheOnTargetOfProxyInPrototypeChainOfTarget):
3305
3306 2014-04-29  Filip Pizlo  <fpizlo@apple.com>
3307
3308         Use LLVM as a backend for the fourth-tier DFG JIT (a.k.a. the FTL JIT)
3309         https://bugs.webkit.org/show_bug.cgi?id=112840
3310
3311         Rubber stamped by Geoffrey Garen.
3312
3313         * Configurations/FeatureDefines.xcconfig:
3314
3315 2014-04-29  Geoffrey Garen  <ggaren@apple.com>
3316
3317         String.prototype.trim removes U+200B from strings.
3318         https://bugs.webkit.org/show_bug.cgi?id=130184
3319
3320         Reviewed by Michael Saboff.
3321
3322         * runtime/StringPrototype.cpp:
3323         (JSC::trimString):
3324         (JSC::isTrimWhitespace): Deleted.
3325
3326 2014-04-29  Mark Lam  <mark.lam@apple.com>
3327
3328         Zombifying sweep should ignore retired blocks.
3329         <https://webkit.org/b/132344>
3330
3331         Reviewed by Mark Hahnenberg.
3332
3333         By definition, retired blocks do not have "dead" objects, or at least
3334         none that we know of yet until the next marking phase has been run
3335         over it.  So, we should not be sweeping them (even for zombie mode).
3336
3337         * heap/Heap.cpp:
3338         (JSC::Heap::zombifyDeadObjects):
3339         * heap/MarkedSpace.cpp:
3340         (JSC::MarkedSpace::zombifySweep):
3341         * heap/MarkedSpace.h:
3342         (JSC::ZombifySweep::operator()):
3343
3344 2014-04-29  Mark Lam  <mark.lam@apple.com>
3345
3346         Fix bit rot in zombie mode heap code.
3347         <https://webkit.org/b/132342>
3348
3349         Reviewed by Mark Hahnenberg.
3350
3351         Need to enter a DelayedReleaseScope before doing a sweep.
3352
3353         * heap/Heap.cpp:
3354         (JSC::Heap::zombifyDeadObjects):
3355
3356 2014-04-29  Tomas Popela  <tpopela@redhat.com>
3357
3358         LLINT loadisFromInstruction doesn't need special case for big endians
3359         https://bugs.webkit.org/show_bug.cgi?id=132330
3360
3361         Reviewed by Mark Lam.
3362
3363         The change introduced in r167076 was wrong. We should not apply the offset
3364         adjustment on loadisFromInstruction usage as the instruction
3365         (UnlinkedInstruction) is declared as a union (i.e. with the int32_t
3366         operand variable). The offset of the other union members will be the
3367         same as the offset of the first one, that is 0. The behavior here is the
3368         same on little and big endian architectures. Thus we don't need a
3369         special case for big endians.
3370
3371         * llint/LowLevelInterpreter.asm:
3372
3373 2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>
3374
3375         Simplify tryCacheGetById
3376         https://bugs.webkit.org/show_bug.cgi?id=132314
3377
3378         Reviewed by Oliver Hunt and Filip Pizlo.
3379
3380         This is neutral across all benchmarks we track, although it looks like a wee 0.5% progression on sunspider.
3381
3382         * jit/Repatch.cpp:
3383         (JSC::tryCacheGetByID): If we fail to cache on self, we just repatch to call tryBuildGetByIDList next time.
3384
3385 2014-04-28  Michael Saboff  <msaboff@apple.com>
3386
3387         REGRESSION(r153142) ASSERT from CodeBlock::dumpBytecode dumping String Switch Jump Tables
3388         https://bugs.webkit.org/show_bug.cgi?id=132315
3389
3390         Reviewed by Mark Hahnenberg.
3391
3392         Used the StringImpl version of utf8() instead of creating a String first.
3393
3394         * bytecode/CodeBlock.cpp:
3395         (JSC::CodeBlock::dumpBytecode):
3396
3397 2014-04-28  Filip Pizlo  <fpizlo@apple.com>
3398
3399         The LLInt is awesome and it should get more of the action.
3400
3401         Rubber stamped by Geoffrey Garen.
3402         
3403         5% speed-up on JSBench and no meaningful regressions.  Should be a PLT/DYE speed-up also.
3404
3405         * runtime/Options.h:
3406
3407 2014-04-27  Filip Pizlo  <fpizlo@apple.com>
3408
3409         GC should be able to remove things from the DFG worklist and cancel on-going compilations if it knows that the compilation would already be invalidated
3410         https://bugs.webkit.org/show_bug.cgi?id=132166
3411
3412         Reviewed by Oliver Hunt and Mark Hahnenberg.
3413         
3414         The GC can aid type inference by removing structures that are dead and jettisoning
3415         code that relies on those structures. This can dramatically accelerate type inference
3416         for some tricky programs.
3417         
3418         Unfortunately, we previously pinned any structures that enqueued compilations depended
3419         on. This means that if you're on a machine that only runs a single compilation thread
3420         and where compilations are relatively slow, you have a high chance of large numbers of
3421         structures being pinned during any GC since the compilation queue is likely to be full
3422         of random stuff.
3423         
3424         This comprehensively fixes this issue by allowing the GC to remove compilation plans
3425         if the things they depend on are dead, and to even cancel safepointed compilations.
3426         
3427         * bytecode/CodeBlock.cpp:
3428         (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
3429         (JSC::CodeBlock::isKnownToBeLiveDuringGC):
3430         (JSC::CodeBlock::finalizeUnconditionally):
3431         * bytecode/CodeBlock.h:
3432         (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan): Deleted.
3433         * dfg/DFGDesiredIdentifiers.cpp:
3434         (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
3435         * dfg/DFGDesiredIdentifiers.h:
3436         * dfg/DFGDesiredWatchpoints.h:
3437         * dfg/DFGDesiredWeakReferences.cpp:
3438         (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
3439         * dfg/DFGDesiredWeakReferences.h:
3440         * dfg/DFGGraphSafepoint.cpp:
3441         (JSC::DFG::GraphSafepoint::GraphSafepoint):
3442         * dfg/DFGGraphSafepoint.h:
3443         * dfg/DFGPlan.cpp:
3444         (JSC::DFG::Plan::Plan):
3445         (JSC::DFG::Plan::compileInThread):
3446         (JSC::DFG::Plan::compileInThreadImpl):
3447         (JSC::DFG::Plan::notifyCompiling):
3448         (JSC::DFG::Plan::notifyCompiled):
3449         (JSC::DFG::Plan::notifyReady):
3450         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
3451         (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
3452         (JSC::DFG::Plan::cancel):
3453         (JSC::DFG::Plan::visitChildren): Deleted.
3454         * dfg/DFGPlan.h:
3455         * dfg/DFGSafepoint.cpp:
3456         (JSC::DFG::Safepoint::Result::~Result):
3457         (JSC::DFG::Safepoint::Result::didGetCancelled):
3458         (JSC::DFG::Safepoint::Safepoint):
3459         (JSC::DFG::Safepoint::~Safepoint):
3460         (JSC::DFG::Safepoint::checkLivenessAndVisitChildren):
3461         (JSC::DFG::Safepoint::isKnownToBeLiveDuringGC):
3462         (JSC::DFG::Safepoint::cancel):
3463         (JSC::DFG::Safepoint::visitChildren): Deleted.
3464         * dfg/DFGSafepoint.h:
3465         (JSC::DFG::Safepoint::Result::Result):
3466         * dfg/DFGWorklist.cpp:
3467         (JSC::DFG::Worklist::compilationState):
3468         (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
3469         (JSC::DFG::Worklist::removeAllReadyPlansForVM):
3470         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
3471         (JSC::DFG::Worklist::visitWeakReferences):
3472         (JSC::DFG::Worklist::removeDeadPlans):
3473         (JSC::DFG::Worklist::runThread):
3474         (JSC::DFG::Worklist::visitChildren): Deleted.
3475         * dfg/DFGWorklist.h:
3476         * ftl/FTLCompile.cpp:
3477         (JSC::FTL::compile):
3478         * ftl/FTLCompile.h:
3479         * heap/CodeBlockSet.cpp:
3480         (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
3481         * heap/Heap.cpp:
3482         (JSC::Heap::markRoots):
3483         (JSC::Heap::visitCompilerWorklistWeakReferences):
3484         (JSC::Heap::removeDeadCompilerWorklistEntries):
3485         (JSC::Heap::visitWeakHandles):
3486         (JSC::Heap::collect):
3487         (JSC::Heap::visitCompilerWorklists): Deleted.
3488         * heap/Heap.h:
3489
3490 2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>
3491
3492         Deleting properties poisons objects
3493         https://bugs.webkit.org/show_bug.cgi?id=131551
3494
3495         Reviewed by Oliver Hunt.
3496
3497         This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.
3498
3499         * runtime/JSPropertyNameIterator.cpp:
3500         (JSC::JSPropertyNameIterator::create):
3501         * runtime/PropertyMapHashTable.h:
3502         (JSC::PropertyTable::hasDeletedOffset):
3503         (JSC::PropertyTable::hadDeletedOffset): If we ever had deleted properties we can no longer cache offsets when 
3504         iterating properties because we're required to iterate properties in insertion order.
3505         * runtime/Structure.cpp:
3506         (JSC::Structure::Structure):
3507         (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
3508         (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of 
3509         Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache 
3510         delete transitions, but we allow transitioning from them.
3511         (JSC::Structure::changePrototypeTransition):
3512         (JSC::Structure::despecifyFunctionTransition):
3513         (JSC::Structure::attributeChangeTransition):
3514         (JSC::Structure::toDictionaryTransition):
3515         (JSC::Structure::preventExtensionsTransition):
3516         (JSC::Structure::addPropertyWithoutTransition):
3517         (JSC::Structure::removePropertyWithoutTransition):
3518         (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
3519         (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
3520         * runtime/Structure.h:
3521         * runtime/StructureInlines.h:
3522         (JSC::Structure::setEnumerationCache):
3523         (JSC::Structure::hadDeletedOffsets):
3524         (JSC::Structure::propertyTable):
3525         (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
3526         * tests/stress/for-in-after-delete.js: Added.
3527         (foo):
3528
3529 2014-04-25  Andreas Kling  <akling@apple.com>
3530
3531         Inline (C++) GetByVal with numeric indices more aggressively.
3532         <https://webkit.org/b/132218>
3533
3534         We were already inlining the string indexed GetByVal path pretty well,
3535         while the path for numeric indices got neglected. No more!
3536
3537         ~9.5% improvement on Dromaeo/dom-traverse.html on my MBP:
3538
3539             Before: 199.50 runs/s
3540              After: 218.58 runs/s
3541
3542         Reviewed by Phil Pizlo.
3543
3544         * dfg/DFGOperations.cpp:
3545         * runtime/JSCJSValueInlines.h:
3546         (JSC::JSValue::get):
3547
3548             ALWAYS_INLINE all the things.
3549
3550         * runtime/JSObject.h:
3551         (JSC::JSObject::getPropertySlot):
3552
3553             Avoid fetching the Structure more than once. We have the same
3554             optimization in the string-indexed code path.
3555
3556 2014-04-25  Oliver Hunt  <oliver@apple.com>
3557
3558         Need earlier cell test
3559         https://bugs.webkit.org/show_bug.cgi?id=132211
3560
3561         Reviewed by Mark Lam.
3562
3563         Move cell test to before the function call repatch
3564         location, as the repatch logic for 32bit assumes that the
3565         caller will already have performed a cell check.
3566
3567         * jit/JITCall32_64.cpp:
3568         (JSC::JIT::compileOpCall):
3569
3570 2014-04-25  Andreas Kling  <akling@apple.com>
3571
3572         Un-fast-allocate JSGlobalObjectRareData because Windows doesn't build and I'm not in the mood.
3573
3574         * runtime/JSGlobalObject.h:
3575         (JSC::JSGlobalObject::JSGlobalObjectRareData::JSGlobalObjectRareData):
3576         (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData): Deleted.
3577
3578 2014-04-25  Andreas Kling  <akling@apple.com>
3579
3580         Windows build fix attempt.
3581
3582         * runtime/JSGlobalObject.h:
3583         (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData):
3584
3585 2014-04-25  Mark Lam  <mark.lam@apple.com>
3586
3587         Refactor debugging code to use BreakpointActions instead of Vector<ScriptBreakpointAction>.
3588         <https://webkit.org/b/132201>
3589
3590         Reviewed by Joseph Pecoraro.
3591
3592         BreakpointActions is Vector<ScriptBreakpointAction>.  Let's just consistently use
3593         BreakpointActions everywhere.
3594
3595         * inspector/ScriptBreakpoint.h:
3596         (Inspector::ScriptBreakpoint::ScriptBreakpoint):
3597         * inspector/ScriptDebugServer.cpp:
3598         (Inspector::ScriptDebugServer::setBreakpoint):
3599         (Inspector::ScriptDebugServer::getActionsForBreakpoint):
3600         * inspector/ScriptDebugServer.h:
3601         * inspector/agents/InspectorDebuggerAgent.cpp:
3602         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
3603         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
3604         (Inspector::InspectorDebuggerAgent::setBreakpoint):
3605         (Inspector::InspectorDebuggerAgent::removeBreakpoint):
3606         * inspector/agents/InspectorDebuggerAgent.h:
3607
3608 2014-04-24  Filip Pizlo  <fpizlo@apple.com>
3609
3610         DFG worklist scanning should not treat the key as a separate entity
3611         https://bugs.webkit.org/show_bug.cgi?id=132167
3612
3613         Reviewed by Mark Hahnenberg.
3614         
3615         This simplifies the interface to the GC and will enable more optimizations.
3616
3617         * dfg/DFGCompilationKey.cpp:
3618         (JSC::DFG::CompilationKey::visitChildren): Deleted.
3619         * dfg/DFGCompilationKey.h:
3620         * dfg/DFGPlan.cpp:
3621         (JSC::DFG::Plan::visitChildren):
3622         * dfg/DFGWorklist.cpp:
3623         (JSC::DFG::Worklist::visitChildren):
3624
3625 2014-04-25  Oliver Hunt  <oliver@apple.com>
3626
3627         Remove unused parameter from codeblock linking function
3628         https://bugs.webkit.org/show_bug.cgi?id=132199
3629
3630         Reviewed by Anders Carlsson.
3631
3632         No change in behaviour. This is just a small change to make it
3633         slightly easier to reason about what the offsets in UnlinkedFunctionExecutable
3634         actually mean.
3635
3636         * bytecode/UnlinkedCodeBlock.cpp:
3637         (JSC::UnlinkedFunctionExecutable::link):
3638         * bytecode/UnlinkedCodeBlock.h:
3639         * runtime/Executable.cpp:
3640         (JSC::ProgramExecutable::initializeGlobalProperties):
3641
3642 2014-04-25  Andreas Kling  <akling@apple.com>
3643
3644         Mark some things with WTF_MAKE_FAST_ALLOCATED.
3645         <https://webkit.org/b/132198>
3646
3647         Use FastMalloc for more things.
3648
3649         Reviewed by Anders Carlsson.
3650
3651         * builtins/BuiltinExecutables.h:
3652         * heap/GCThreadSharedData.h:
3653         * inspector/JSConsoleClient.h:
3654         * inspector/agents/InspectorAgent.h:
3655         * runtime/CodeCache.h:
3656         * runtime/JSGlobalObject.h:
3657         * runtime/Lookup.cpp:
3658         (JSC::HashTable::createTable):
3659         (JSC::HashTable::deleteTable):
3660         * runtime/WeakGCMap.h:
3661
3662 2014-04-25  Antoine Quint  <graouts@webkit.org>
3663
3664         Implement Array.prototype.find()
3665         https://bugs.webkit.org/show_bug.cgi?id=130966
3666
3667         Reviewed by Oliver Hunt.
3668
3669         Implement Array.prototype.find() and Array.prototype.findIndex() as proposed in the Harmony spec.
3670
3671         * builtins/Array.prototype.js:
3672         (find):
3673         (findIndex):
3674         * runtime/ArrayPrototype.cpp:
3675
3676 2014-04-24  Brady Eidson  <beidson@apple.com>
3677
3678         Rename "IMAGE_CONTROLS" feature to "SERVICE_CONTROLS"
3679         https://bugs.webkit.org/show_bug.cgi?id=132155
3680
3681         Reviewed by Tim Horton.
3682
3683         * Configurations/FeatureDefines.xcconfig:
3684
3685 2014-04-24  Michael Saboff  <msaboff@apple.com>
3686
3687         REGRESSION: Apparent hang of PCE.js Mac OS System 7.0.1 on ARM64 devices
3688         https://bugs.webkit.org/show_bug.cgi?id=132147
3689
3690         Reviewed by Mark Lam.
3691
3692         Fixed or64(), eor32() and eor64() to use the "src" register when we have a valid logicalImm.
3693
3694         * assembler/MacroAssemblerARM64.h:
3695         (JSC::MacroAssemblerARM64::or64):
3696         (JSC::MacroAssemblerARM64::xor32):
3697         (JSC::MacroAssemblerARM64::xor64):
3698         * tests/stress/regress-132147.js: Added test.
3699
3700 2014-04-24  Mark Lam  <mark.lam@apple.com>
3701
3702         Make slowPathAllocsBetweenGCs a runtime option.
3703         <https://webkit.org/b/132137>
3704
3705         Reviewed by Mark Hahnenberg.
3706
3707         This will make it easier to more casually run tests with this configuration
3708         as well as to reproduce issues (instead of requiring a code mod and rebuild).
3709         We will now take --slowPathAllocsBetweenGCs=N where N is the number of
3710         slow path allocations before we trigger a collection.
3711
3712         The option defaults to 0, which is reserved to mean that we will not trigger
3713         any collections there.
3714
3715         * heap/Heap.h:
3716         * heap/MarkedAllocator.cpp:
3717         (JSC::MarkedAllocator::doTestCollectionsIfNeeded):
3718         (JSC::MarkedAllocator::allocateSlowCase):
3719         * heap/MarkedAllocator.h:
3720         * runtime/Options.h:
3721
3722 2014-04-23  Mark Lam  <mark.lam@apple.com>
3723
3724         The GC should only resume compiler threads that it suspended in the same GC pass.
3725         <https://webkit.org/b/132088>
3726
3727         Reviewed by Mark Hahnenberg.
3728
3729         Previously, this scenario could occur:
3730         1. Thread 1 starts a GC and tries to suspend DFG worklist threads.  However,
3731            no worklists had been created yet at that time.
3732         2. Thread 2 starts to compile some functions and creates a DFG worklist, and
3733            acquires the worklist thread's lock.
3734         3. Thread 1's GC completes and tries to resume the suspended DFG worklist threads.
3735            This time, it sees the worklist created by Thread 2 and ends up unlocking
3736            the worklist thread's lock that is supposedly held by Thread 2.
3737         Thereafter, chaos ensues.
3738
3739         The fix is to cache the worklists that were actually suspended by each GC pass,
3740         and only resume those when the GC is done.
3741
3742         This issue was discovered by enabling COLLECT_ON_EVERY_ALLOCATION and running
3743         the fast/workers layout tests.
3744
3745         * heap/Heap.cpp:
3746         (JSC::Heap::visitCompilerWorklists):
3747         (JSC::Heap::deleteAllCompiledCode):
3748         (JSC::Heap::suspendCompilerThreads):
3749         (JSC::Heap::resumeCompilerThreads):
3750         * heap/Heap.h:
3751
3752 2014-04-23  Mark Hahnenberg  <mhahnenberg@apple.com>
3753
3754         Arguments::copyBackingStore needs to update m_registers in tandem with m_registerArray
3755         https://bugs.webkit.org/show_bug.cgi?id=132079
3756
3757         Reviewed by Michael Saboff.
3758
3759         Since we're moving the register backing store, we don't want to leave a dangling pointer into a random CopiedBlock.
3760
3761         Also added a test that previously triggered this bug.
3762
3763         * runtime/Arguments.cpp:
3764         (JSC::Arguments::copyBackingStore): D'oh!
3765         * tests/stress/arguments-copy-register-array-backing-store.js: Added.
3766         (foo):
3767         (bar):
3768
3769 2014-04-23  Mark Rowe  <mrowe@apple.com>
3770
3771         [Mac] REGRESSION (r164823): Building JavaScriptCore creates files under /tmp/JavaScriptCore.dst
3772         <https://webkit.org/b/132053>
3773
3774         Reviewed by Dan Bernstein.
3775
3776         * JavaScriptCore.xcodeproj/project.pbxproj: Don't try to create a symlink at /usr/local/bin/jsc inside
3777         the DSTROOT unless we're building to the deployment location. Also remove the unnecessary -x argument
3778         from /bin/sh since that generates unnecessary output.
3779
3780 2014-04-22  Mark Lam  <mark.lam@apple.com>
3781
3782         DFG::Worklist should acquire the m_lock before iterating DFG plans.
3783         <https://webkit.org/b/132032>
3784
3785         Reviewed by Filip Pizlo.
3786
3787         Currently, there's a rightToRun mechanism that ensures that no compilation
3788         threads are running when the GC is iterating through the DFG worklists.
3789         However, this does not prevent a Worker thread from doing a DFG compilation
3790         and modifying the plans in the worklists thereby invalidating the plan
3791         iterator that the GC is using.  This patch fixes the issue by acquiring
3792         the worklist m_lock before iterating the worklist plans.
3793
3794         This issue was uncovered by running the fast/workers layout tests with
3795         COLLECT_ON_EVERY_ALLOCATION enabled.
3796
3797         * dfg/DFGWorklist.cpp:
3798         (JSC::DFG::Worklist::isActiveForVM):
3799         (JSC::DFG::Worklist::visitChildren):
3800
3801 2014-04-22  Brent Fulgham  <bfulgham@apple.com>
3802
3803         [Win] Support Python 2.7 in Cygwin
3804         https://bugs.webkit.org/show_bug.cgi?id=132023
3805
3806         Reviewed by Michael Saboff.
3807
3808         * DerivedSources.make: Use a conditional variable to define
3809         the path to Python/Perl.
3810
3811 2014-04-22  Filip Pizlo  <fpizlo@apple.com>
3812
3813         Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS
3814         https://bugs.webkit.org/show_bug.cgi?id=130867
3815         <rdar://problem/16432456> 
3816
3817         Reviewed by Mark Hahnenberg.
3818
3819         * Configurations/Base.xcconfig:
3820         * Configurations/LLVMForJSC.xcconfig:
3821
3822 2014-04-22  Alex Christensen  <achristensen@webkit.org>
3823
3824         [Win] Unreviewed build fix after my r167666.
3825
3826         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
3827         Added ../../../ again to include headers in Source/JavaScriptCore.
3828
3829 2014-04-22  Alex Christensen  <achristensen@webkit.org>
3830
3831         Removed old stdbool and inttypes headers.
3832         https://bugs.webkit.org/show_bug.cgi?id=131966
3833
3834         Reviewed by Brent Fulgham.
3835
3836         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
3837         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
3838         Removed references to os-win32 directory.
3839         * os-win32: Removed.
3840         * os-win32/inttypes.h: Removed.
3841         * os-win32/stdbool.h: Removed.
3842
3843 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
3844
3845         DFG::clobberize() should honestly admit that profiler and debugger nodes are effectful
3846         https://bugs.webkit.org/show_bug.cgi?id=131971
3847         <rdar://problem/16676511>
3848
3849         Reviewed by Mark Lam.
3850
3851         * dfg/DFGClobberize.h:
3852         (JSC::DFG::clobberize):
3853
3854 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
3855
3856         Switch statements that skip the baseline JIT should work
3857         https://bugs.webkit.org/show_bug.cgi?id=131965
3858
3859         Reviewed by Mark Hahnenberg.
3860
3861         * bytecode/JumpTable.h:
3862         (JSC::SimpleJumpTable::ensureCTITable):
3863         * dfg/DFGSpeculativeJIT.cpp:
3864         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
3865         * jit/JITOpcodes.cpp:
3866         (JSC::JIT::emit_op_switch_imm):
3867         (JSC::JIT::emit_op_switch_char):
3868         * jit/JITOpcodes32_64.cpp:
3869         (JSC::JIT::emit_op_switch_imm):
3870         (JSC::JIT::emit_op_switch_char):
3871         * tests/stress/inline-llint-with-switch.js: Added.
3872         (foo):
3873         (bar):
3874         (test):
3875
3876 2014-04-21  Mark Hahnenberg  <mhahnenberg@apple.com>
3877
3878         Arguments objects shouldn't need a destructor
3879         https://bugs.webkit.org/show_bug.cgi?id=131899
3880
3881         Reviewed by Oliver Hunt.
3882
3883         This patch rids Arguments objects of their destructors. It does this by 
3884         switching their backing stores to use CopiedSpace rather than malloc memory.
3885
3886         * dfg/DFGSpeculativeJIT.cpp:
3887         (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Fix the code emitted for inline
3888         Arguments allocation so that it only emits an extra write for strict mode code rather
3889         than unconditionally.
3890         * heap/CopyToken.h: New CopyTokens for the two different types of Arguments backing stores.
3891         * runtime/Arguments.cpp:
3892         (JSC::Arguments::visitChildren): We need to tell the collector to copy the backing stores now.
3893         (JSC::Arguments::copyBackingStore): Do the actual copying of the backing stores.
3894         (JSC::Arguments::deletePropertyByIndex): Update all the accesses to SlowArgumentData and m_registerArray.
3895         (JSC::Arguments::deleteProperty):
3896         (JSC::Arguments::defineOwnProperty):
3897         (JSC::Arguments::allocateRegisterArray):
3898         (JSC::Arguments::tearOff):
3899         (JSC::Arguments::destroy): Deleted. We don't need the destructor any more.
3900         * runtime/Arguments.h:
3901         (JSC::Arguments::registerArraySizeInBytes):
3902         (JSC::Arguments::SlowArgumentData::SlowArgumentData): Switch SlowArgumentData to being allocated
3903         in CopiedSpace. Now the SlowArgumentData and its backing store are a single contiguous CopiedSpace
3904         allocation.
3905         (JSC::Arguments::SlowArgumentData::slowArguments):
3906         (JSC::Arguments::SlowArgumentData::bytecodeToMachineCaptureOffset):
3907         (JSC::Arguments::SlowArgumentData::setBytecodeToMachineCaptureOffset):
3908         (JSC::Arguments::SlowArgumentData::sizeForNumArguments):
3909         (JSC::Arguments::Arguments):
3910         (JSC::Arguments::allocateSlowArguments):
3911         (JSC::Arguments::tryDeleteArgument):
3912         (JSC::Arguments::isDeletedArgument):
3913         (JSC::Arguments::isArgument):
3914         (JSC::Arguments::argument):
3915         (JSC::Arguments::finishCreation):
3916         * runtime/SymbolTable.h:
3917
3918 2014-04-21  Eric Carlson  <eric.carlson@apple.com>
3919
3920         [Mac] implement WebKitDataCue
3921         https://bugs.webkit.org/show_bug.cgi?id=131799
3922
3923         Reviewed by Dean Jackson.
3924
3925         * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.
3926
3927 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
3928
3929         Unreviewed test gardening, run the repeat-out-of-bounds tests again.
3930
3931         * tests/stress/float32-repeat-out-of-bounds.js:
3932         * tests/stress/int8-repeat-out-of-bounds.js:
3933
3934 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
3935
3936         OSR exit should know about Int52 and Double constants
3937         https://bugs.webkit.org/show_bug.cgi?id=131945
3938
3939         Reviewed by Oliver Hunt.
3940         
3941         The DFG OSR exit machinery's ignorance would lead to some constants becoming
3942         jsUndefined() after OSR exit.
3943         
3944         The FTL OSR exit machinery's ignorance just meant that we would sometimes use a
3945         stackmap constant rather than baking the constant into the OSRExit data structure.
3946         So, not a big deal, but worth fixing.
3947         
3948         Also added some helpful hacks to jsc.cpp for testing such OSR exit pathologies.
3949
3950         * dfg/DFGByteCodeParser.cpp:
3951         (JSC::DFG::ByteCodeParser::handleIntrinsic):
3952         * dfg/DFGMinifiedNode.h:
3953         (JSC::DFG::belongsInMinifiedGraph):
3954         (JSC::DFG::MinifiedNode::hasConstantNumber):
3955         * ftl/FTLLowerDFGToLLVM.cpp:
3956         (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
3957         * jsc.cpp:
3958         (GlobalObject::finishCreation):
3959         (functionOtherFalse):
3960         (functionUndefined):
3961         * runtime/Intrinsic.h:
3962         * tests/stress/fold-to-double-constant-then-exit.js: Added.
3963         (foo):
3964         * tests/stress/fold-to-int52-constant-then-exit.js: Added.
3965         (foo):
3966
3967 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
3968
3969         Provide feedback when we encounter an unrecognized node in the FTL backend.
3970
3971         Rubber stamped by Alexey Proskuryakov.
3972
3973         * ftl/FTLLowerDFGToLLVM.cpp:
3974         (JSC::FTL::LowerDFGToLLVM::compileNode):
3975
3976 2014-04-21  Andreas Kling  <akling@apple.com>
3977
3978         Move the JSString cache from DOMWrapperWorld to VM.
3979         <https://webkit.org/b/131940>
3980
3981         Reviewed by Geoff Garen.
3982
3983         * runtime/VM.h:
3984
3985 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
3986
3987         Take block execution count estimates into account when voting double
3988         https://bugs.webkit.org/show_bug.cgi?id=131906
3989
3990         Reviewed by Geoffrey Garen.
3991         
3992         This was a drama in three acts.
3993         
3994         Act I: Slurp in BasicBlock::executionCount and use it as a weight when counting the
3995             number of uses of a variable that want double or non-double. Easy as pie. This
3996             gave me a huge speed-up on FloatMM and a huge slow-down on basically everything
3997             else.
3998         
3999         Act II: Realize that there were some programs where our previous double voting was
4000             just on the edge of disaster and making it more precise tipped it over. In
4001             particular, if you had an integer variable that would infrequently be used in a
4002             computation that resulted in a variable that was frequently used as an array index,
4003             the outer infrequentness would be the thing we'd use in the vote. So, an array
4004             index would become double. We fix this by reviving global backwards propagation
4005             and introducing the concept of ReallyWantsInt, which is used just for array
4006             indices. Any variable transitively flagged as ReallyWantsInt will never be forced
4007             double. We need that flag to be separate from UsedAsInt, since UsedAsInt needs to
4008             be set in bitops for RageConversion but using it for double forcing is too much.
4009             Basically, it's cheaper to have to convert a double to an int for a bitop than it
4010             is to convert a double to an int for an array index; also a variable being used as
4011             an array index is a much stronger hint that it ought to be an int. This recovered
4012             performance on everything except programs that used FTL OSR entry.
4013         
4014         Act III: Realize that OSR entrypoint creation creates blocks that have NaN execution
4015             count, which then completely pollutes the weighting - essentially all votes go