Web Replay: don't encode/decode primitive types that lack explicit sizes
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-07-24  Brian J. Burg  <burg@cs.washington.edu>

        Web Replay: don't encode/decode primitive types that lack explicit sizes
        https://bugs.webkit.org/show_bug.cgi?id=133430

        Reviewed by Anders Carlsson.

        Don't support encode/decode of unsigned long, since its size is compiler-dependent.

        * replay/EncodedValue.cpp:
        (JSC::EncodedValue::convertTo<unsigned long>):
        (JSC::unsigned long>::encodeValue): Deleted.
        * replay/EncodedValue.h:

2014-07-24  Mark Lam  <mark.lam@apple.com>

        JSWrapperMap's jsWrapperForObject() needs to defer GC.
        <https://webkit.org/b/135258>

        Reviewed by Oliver Hunt.

        In the process of creating a JS wrapper, jsWrapperForObject() will create
        the prototype and constructor of the corresponding ObjC class, as well as
        for classes in its inheritance chain.  These prototypes and constructors
        are stored in Weak references in the JSObjCClassInfo objects.  During all
        the allocation that is being done to create all the prototypes and
        constructors as well as the wrapper objects, a GC may occur thereby
        collecting one or more of these newly created prototype and constructor
        objects.

        One example of where this problem can manifest is in wrapperForObject()
        which is called from jsWrapperForObject().  In wrapperForObject(), we do
        the following steps:

        1. reallocateConstructorAndOrPrototype() which creates the prototype
           object and stores it in JSObjCClassInfo's m_prototype which is a Weak
           ref.
        2. makeWrapper() to create the wrapper object, which may trigger a GC.
           GC will collect the prototype object and nullify the corresponding
           JSObjCClassInfo's m_prototype Weak ref.
        3. call JSObjectSetPrototype() to set the JSObjCClassInfo's m_prototype
           in the newly created wrapper.  This results in the wrapper getting a
           jsNull as a prototype instead of the expected prototype object.

        To ensure that the prototype and constructor objects are retained until
        they can be referenced properly from the wrapper object,
        jsWrapperForObject() should defer GC until it's done with its work.

        * API/JSWrapperMap.mm:
        (-[JSWrapperMap jsWrapperForObject:]):

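The allocation window described in Mark Lam's entry above, as an added C++ toy written for this page (not WebKit's code): a tiny mark/sweep heap with Weak slots and a DeferGC-style scope, walking through the same three steps with and without deferral. Cell, Heap, ClassInfo and createWrapper are hypothetical stand-ins for JSC's cells, JSObjCClassInfo and wrapperForObject().

```cpp
#include <algorithm>
#include <memory>
#include <vector>

// A heap cell with one traced edge, standing in for a JSObject's prototype.
struct Cell {
    bool marked = false;
    Cell* prototype = nullptr;
};

class Heap {
public:
    explicit Heap(int gcEvery) : m_gcEvery(gcEvery) {}

    // Allocation may run a collection, unless a DeferGC scope is active;
    // a deferred collection simply happens at a later allocation.
    Cell* allocate() {
        if (m_deferDepth == 0 && ++m_allocationsSinceGC >= m_gcEvery)
            collect();
        m_cells.push_back(std::make_unique<Cell>());
        return m_cells.back().get();
    }

    // A Weak slot does not keep its cell alive; the sweep nulls it instead.
    void registerWeak(Cell** slot) { m_weakSlots.push_back(slot); }
    void addRoot(Cell* cell) { m_roots.push_back(cell); }

    // Mark from the roots, null every Weak slot that points at a dead cell,
    // then free the dead cells.
    void collect() {
        m_allocationsSinceGC = 0;
        for (auto& cell : m_cells) cell->marked = false;
        for (Cell* root : m_roots) mark(root);
        for (Cell** slot : m_weakSlots)
            if (*slot && !(*slot)->marked) *slot = nullptr;
        m_cells.erase(std::remove_if(m_cells.begin(), m_cells.end(),
                          [](const std::unique_ptr<Cell>& c) { return !c->marked; }),
                      m_cells.end());
    }

private:
    friend class DeferGC;
    static void mark(Cell* cell) {
        for (; cell && !cell->marked; cell = cell->prototype) cell->marked = true;
    }
    int m_gcEvery;
    int m_allocationsSinceGC = 0;
    int m_deferDepth = 0;
    std::vector<std::unique_ptr<Cell>> m_cells;
    std::vector<Cell*> m_roots;
    std::vector<Cell**> m_weakSlots;
};

// RAII scope that postpones collections, in the spirit of JSC's DeferGC
// (hypothetical simplification: the real one has more bookkeeping).
class DeferGC {
public:
    explicit DeferGC(Heap& heap) : m_heap(heap) { ++m_heap.m_deferDepth; }
    ~DeferGC() { --m_heap.m_deferDepth; }
private:
    Heap& m_heap;
};

// Stand-in for JSObjCClassInfo: m_prototype is a Weak reference.
struct ClassInfo {
    Cell* m_prototype = nullptr;
};

// The three steps of wrapperForObject() from the entry above.
Cell* createWrapper(Heap& heap, ClassInfo& info) {
    info.m_prototype = heap.allocate();        // 1. prototype into the Weak slot
    Cell* wrapper = heap.allocate();           // 2. makeWrapper(); may trigger GC
    wrapper->prototype = info.m_prototype;     // 3. JSObjectSetPrototype()
    return wrapper;
}

// True if the wrapper ends up with a real prototype. gcEvery=2 makes the
// second allocation (step 2) the one that collects, unless GC is deferred.
bool wrapperKeepsPrototype(bool deferGC) {
    Heap heap(/*gcEvery=*/2);
    ClassInfo info;
    heap.registerWeak(&info.m_prototype);
    Cell* wrapper = nullptr;
    if (deferGC) {
        DeferGC defer(heap);
        wrapper = createWrapper(heap, info);
    } else {
        wrapper = createWrapper(heap, info);
    }
    heap.addRoot(wrapper);  // the caller now holds the wrapper
    return wrapper->prototype != nullptr;
}
```

Without the DeferGC scope the collection in step 2 nulls the Weak slot and the wrapper's prototype is null, which is the jsNull prototype the entry describes; with it, the prototype is still there in step 3.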
2014-07-23  Brent Fulgham  <bfulgham@apple.com>

        Build fix after r171482.

        Rubberstamped by Joe Pecoraro.

        * runtime/Identifier.h: Make header declarations match
        implementation file.

2014-07-23  Brent Fulgham  <bfulgham@apple.com>

        [Win] Use NO_RETURN_DUE_TO_CRASH on Windows
        https://bugs.webkit.org/show_bug.cgi?id=135199

        Reviewed by Mark Lam.

        * jsc.cpp:
        (WTF::RuntimeArray::deleteProperty): Stop using ugly
        compiler work-around on Windows; use NO_RETURN_DUE_TO_CRASH
        codepath instead.
        * runtime/Identifier.h: Add NO_RETURN_DUE_TO_CRASH
        to header so function declaration matches implementation.

2014-07-23  Bem Jones-Bey  <bjonesbe@adobe.com>

        Remove CSS_EXCLUSIONS compile flag and leftover code
        https://bugs.webkit.org/show_bug.cgi?id=135175

        Reviewed by Zoltan Horvath.

        At this point, the CSS_EXCLUSIONS flag guards nothing but some useless
        stubs. This removes the flag and the useless code.

        * Configurations/FeatureDefines.xcconfig:

2014-07-23  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r171367.
        https://bugs.webkit.org/show_bug.cgi?id=135192

        broke three API tests (Requested by thorton on #webkit).

        Reverted changeset:

        "JSLock release should only modify the AtomicStringTable if it
        modified in acquire"
        https://bugs.webkit.org/show_bug.cgi?id=135143
        http://trac.webkit.org/changeset/171367

2014-07-22  László Langó  <llango.u-szeged@partner.samsung.com>

        [EFL] Build fix after the [ftlopt] branch merge.

        Reviewed by Csaba Osztrogonác.

        * dfg/DFGBranchDirection.h:
        (JSC::DFG::branchDirectionToString):
        * dfg/DFGStructureClobberState.h:
        (JSC::DFG::merge):

2014-07-22  Brent Fulgham  <bfulgham@apple.com>

        Build fix for non-clang compile.

        * jsc.cpp:
        (WTF::RuntimeArray::put): Remove incorrect return statement
        I added.

2014-07-22  Brent Fulgham  <bfulgham@apple.com>

        Build fix for non-clang compile.

        * jsc.cpp:
        (WTF::RuntimeArray::deleteProperty): Need (fake) return
        value when NO_RETURN_DUE_TO_CRASH is not defined.

2014-07-22  Filip Pizlo  <fpizlo@apple.com>

        Merge r169628 from ftlopt.

    2014-06-04  Matthew Mirman  <mmirman@apple.com>

            Added system for inlining native functions via the FTL.
            https://bugs.webkit.org/show_bug.cgi?id=131515

            Reviewed by Filip Pizlo.

            Also fixed the build to not compress the bitcode and to
            include all of the relevant runtime. With GCC_GENERATE_DEBUGGING_SYMBOLS = NO,
            the produced bitcode files are a 100th of the size they were before.
            Now we can include all of the relevant runtime files with only a 3 MB overhead.
            This is the same overhead as for two compressed files before,
            but done more efficiently (on both ends) and with less code.

            Deciding whether to inline native functions is left up to LLVM.
            The entire module containing the function is linked into the current
            compiled JS so that inlining the native functions shouldn't make them smaller.

            Rather than loading Runtime.symtbl at runtime, FTLState.cpp now generates a file
            InlineRuntimeSymbolTable.h which statically builds the symbol table hash table.

            * JavaScriptCore.xcodeproj/project.pbxproj: Added back runtime files to compile.
            * build-symbol-table-index.py: Changed bitcode suffix.
            Added inclusion of only tested symbols.
            Added output to InlineRuntimeSymbolTable.h.
            * build-symbol-table-index.sh: Changed bitcode suffix.
            * copy-llvm-ir-to-derived-sources.sh: Removed gzip compression.
            * tested-symbols.symlst: Added.
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::handleCall):
            Now sets the knownFunction of the call node if such a function exists
            and emits a check that during runtime the callee is in fact known.
            * dfg/DFGNode.h:
            Added functions to set the known function of a call node.
            (JSC::DFG::Node::canBeKnownFunction): Added.
            (JSC::DFG::Node::hasKnownFunction): Added.
            (JSC::DFG::Node::knownFunction): Added.
            (JSC::DFG::Node::giveKnownFunction): Added.
            * ftl/FTLAbbreviatedTypes.h: Added a typedef for LLVMMemoryBufferRef
            * ftl/FTLAbbreviations.h: Added some abbreviations.
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::isInlinableSize): Added. Hardcoded threshold to 275.
            (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): Added.
            (JSC::FTL::LowerDFGToLLVM::getFunctionBySymbol): Added.
            (JSC::FTL::LowerDFGToLLVM::possiblyCompileInlineableNativeCall): Added.
            (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
            Added call to possiblyCompileInlineableNativeCall
            * ftl/FTLOutput.h:
            (JSC::FTL::Output::allocaName):  Added. Useful for debugging.
            * ftl/FTLState.cpp:
            (JSC::FTL::State::State): Added an include for InlineRuntimeSymbolTable.h
            * ftl/FTLState.h: Added symbol table hash table.
            * ftl/FTLCompile.cpp:
            (JSC::FTL::compile): Added inlining and dead function elimination passes.
            * heap/HandleStack.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile.
            * llvm/InitializeLLVMMac.mm: Deleted.
            * llvm/InitializeLLVMMac.cpp: Added.
            * llvm/LLVMAPIFunctions.h: Added macros to include Bitcode parsing and linking functions.
            * llvm/LLVMHeaders.h: Added includes for Bitcode parsing and linking.
            * runtime/BundlePath.h: Added.
            * runtime/BundlePath.mm: Added.
            * runtime/DateInstance.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile.
            * runtime/DateInstance.h: ditto.
            * runtime/DateConversion.h: ditto.
            * runtime/ExceptionHelpers.h: ditto.
            * runtime/JSCJSValue.h: ditto.
            * runtime/JSArray.h: ditto.
            * runtime/JSDateMath.h: ditto.
            * runtime/JSObject.h: ditto.
            * runtime/JSObject.h: ditto.
            * runtime/RegExp.h: ditto.
            * runtime/Structure.h: ditto.
            * runtime/Options.h:  Added maximumLLVMInstructionCountForNativeInlining.

2014-07-22  Mark Lam  <mark.lam@apple.com>

        Array.concat() should work on runtime arrays too.
        <https://webkit.org/b/135179>

        Reviewed by Geoffrey Garen.

        * jsc.cpp:
        (WTF::RuntimeArray::create):
        (WTF::RuntimeArray::~RuntimeArray):
        (WTF::RuntimeArray::destroy):
        (WTF::RuntimeArray::getOwnPropertySlot):
        (WTF::RuntimeArray::getOwnPropertySlotByIndex):
        (WTF::RuntimeArray::put):
        (WTF::RuntimeArray::deleteProperty):
        (WTF::RuntimeArray::getLength):
        (WTF::RuntimeArray::createPrototype):
        (WTF::RuntimeArray::createStructure):
        (WTF::RuntimeArray::finishCreation):
        (WTF::RuntimeArray::RuntimeArray):
        (WTF::RuntimeArray::lengthGetter):
        (GlobalObject::finishCreation):
        (functionCreateRuntimeArray):
        - Added support to create a runtime array for testing purpose.
        * runtime/ArrayPrototype.cpp:
        (JSC::getLength):
        - Added fast case for when the array object is a JSArray.
        (JSC::arrayProtoFuncJoin):
        - Added a needed but missing exception check.
        (JSC::arrayProtoFuncConcat):
        - Use getLength() to compute the array length instead of assuming that
          the array is a JSArray instance.
        * tests/stress/regexp-matches-array.js: Added.
        (testArrayConcat):
        * tests/stress/runtime-array.js: Added.
        (testArrayConcat):

2014-07-22  Brent Fulgham  <bfulgham@apple.com>

        Fix Windows (return a value!)

        * jsc.cpp:
        (functionQuit): Satisfy compiler's need for
        a return value.

2014-07-22  Brent Fulgham  <bfulgham@apple.com>

        Fix Windows (sleep -> Sleep)

        * jsc.cpp:
        (WTF::jscExit):

2014-07-22  Filip Pizlo  <fpizlo@apple.com>

        Fix Windows.

        * jsc.cpp:
        (WTF::jscExit):

2014-07-22  Filip Pizlo  <fpizlo@apple.com>

        Fix 32-bit.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2014-07-22  Filip Pizlo  <fpizlo@apple.com>

        Merge r169148, r169185, r169188, r169578, r169582, r169584, r169588, r169753 from ftlopt.

        Note that r169753 is merged out of order because it fixes a bug in r169588.

    2014-06-10  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] Structure::dfgShouldWatchIfPossible() is unsound
            https://bugs.webkit.org/show_bug.cgi?id=133624

            Reviewed by Mark Hahnenberg.

            * runtime/Structure.h:
            (JSC::Structure::dfgShouldWatchIfPossible): Make it sound and add some verbiage.

    2014-06-04  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] AI should be able to track structure sets larger than 1
            https://bugs.webkit.org/show_bug.cgi?id=128073

            Reviewed by Oliver Hunt.

            This makes two major changes to how AI (abstract interpreter) proves that a value has
            some structure:

            - StructureAbstractValue can now track an arbitrary number of structures. A set whose
              size is greater than one means that the value may have any of the structures, and we
              don't know which - but we do know that it cannot be any structure not in the set. The
              structure abstract value can still be TOP, which means the set of all structures. We
              artificially limit the set size to StructureAbstractValue::polymorphismLimit to guard
              against memory explosion on pathological programs. This limit is big enough that it wouldn't
              kick in for normal code, since we have other heuristics that limit the number of
              structures that we would allow an inline cache to know about.

            - We eagerly set watchpoints on all watchable structures and then we assume that
              watchable structures are being watched, and that the watchpoint will jettison the code.
              This allows tracking of watchable structures to be far simpler than before. Previously,
              a structure being tracked as "future possible" was predicated on it being watchable but
              we might not actually watch it. This makes algebra over sets of future possible
              structures quite weird. But watching all watchable structures means that we simply say
              that a structure set can be in the following states: unclobbered, which means it's just
              a set of structures and it doesn't matter what is watchable or what isn't because we've
              proven that the value must have one of these structures right now; and clobbered, which
              means that we have a set of structures, plus all possible structures temporarily, with
              invalidation removing the "plus all possible structures". Clobbering a set means that
              if any of its structures are unwatchable, the set just becomes TOP; but if all
              structures in the set are watchable then we just set the clobbered bit to add the "plus
              all possible structures temporarily" thing. This precisely tracks the exact meaning of
              watchability and invalidation points.

            Slight SunSpider slow-down, neutral on Octane, slight AsmBench speed-up. I believe that
            we will ultimately undo the SunSpider slow-down by making further improvements to the set
            representation. I believe that Octane performance will ultimately improve once we remove
            remaining singleton special-cases. The ultimate goal of this is to remove the need to
            try quite so desperately hard to make everything monomorphic as we do currently.

            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/StructureSet.cpp:
            (JSC::StructureSet::clear):
            (JSC::StructureSet::remove):
            (JSC::StructureSet::filter):
            (JSC::StructureSet::copyFromOutOfLine):
            (JSC::StructureSet::StructureSet): Deleted.
            (JSC::StructureSet::operator=): Deleted.
            (JSC::StructureSet::copyFrom): Deleted.
            * bytecode/StructureSet.h:
            (JSC::StructureSet::StructureSet):
            (JSC::StructureSet::operator=):
            (JSC::StructureSet::isEmpty):
            (JSC::StructureSet::genericFilter):
            (JSC::StructureSet::ContainsOutOfLine::ContainsOutOfLine):
            (JSC::StructureSet::ContainsOutOfLine::operator()):
            (JSC::StructureSet::copyFrom):
            (JSC::StructureSet::deleteStructureListIfNecessary):
            (JSC::StructureSet::setEmpty):
            (JSC::StructureSet::getReservedFlag):
            (JSC::StructureSet::setReservedFlag):
            * dfg/DFGAbstractInterpreter.h:
            (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::booleanResult):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberCapturedVars):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::setDidClobber):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::dump):
            * dfg/DFGAbstractValue.cpp:
            (JSC::DFG::AbstractValue::observeTransitions):
            (JSC::DFG::AbstractValue::setMostSpecific):
            (JSC::DFG::AbstractValue::set):
            (JSC::DFG::AbstractValue::filter):
            (JSC::DFG::AbstractValue::shouldBeClear):
            (JSC::DFG::AbstractValue::normalizeClarity):
            (JSC::DFG::AbstractValue::checkConsistency):
            (JSC::DFG::AbstractValue::assertIsWatched):
            (JSC::DFG::AbstractValue::dumpInContext):
            (JSC::DFG::AbstractValue::setFuturePossibleStructure): Deleted.
            * dfg/DFGAbstractValue.h:
            (JSC::DFG::AbstractValue::clear):
            (JSC::DFG::AbstractValue::clobberStructures):
            (JSC::DFG::AbstractValue::clobberStructuresFor):
            (JSC::DFG::AbstractValue::observeInvalidationPoint):
            (JSC::DFG::AbstractValue::observeInvalidationPointFor):
            (JSC::DFG::AbstractValue::observeTransition):
            (JSC::DFG::AbstractValue::TransitionObserver::TransitionObserver):
            (JSC::DFG::AbstractValue::TransitionObserver::operator()):
            (JSC::DFG::AbstractValue::TransitionsObserver::TransitionsObserver):
            (JSC::DFG::AbstractValue::TransitionsObserver::operator()):
            (JSC::DFG::AbstractValue::isHeapTop):
            (JSC::DFG::AbstractValue::setType):
            (JSC::DFG::AbstractValue::operator==):
            (JSC::DFG::AbstractValue::merge):
            (JSC::DFG::AbstractValue::validate):
            (JSC::DFG::AbstractValue::hasClobberableState):
            (JSC::DFG::AbstractValue::assertIsWatched):
            (JSC::DFG::AbstractValue::observeIndexingTypeTransition):
            (JSC::DFG::AbstractValue::makeTop):
            (JSC::DFG::AbstractValue::bestProvenStructure): Deleted.
            * dfg/DFGAllocator.h:
            * dfg/DFGArgumentsSimplificationPhase.cpp:
            (JSC::DFG::ArgumentsSimplificationPhase::run):
            * dfg/DFGArrayMode.cpp:
            (JSC::DFG::ArrayMode::alreadyChecked):
            * dfg/DFGAtTailAbstractState.h:
            (JSC::DFG::AtTailAbstractState::structureClobberState):
            (JSC::DFG::AtTailAbstractState::setStructureClobberState):
            (JSC::DFG::AtTailAbstractState::setFoundConstants):
            (JSC::DFG::AtTailAbstractState::haveStructures): Deleted.
            (JSC::DFG::AtTailAbstractState::setHaveStructures): Deleted.
            * dfg/DFGBasicBlock.cpp:
            (JSC::DFG::BasicBlock::BasicBlock):
            * dfg/DFGBasicBlock.h:
            * dfg/DFGBranchDirection.h:
            (JSC::DFG::branchDirectionToString):
            (WTF::printInternal):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::handlePutById):
            * dfg/DFGCFAPhase.cpp:
            (JSC::DFG::CFAPhase::performBlockCFA):
            * dfg/DFGCSEPhase.cpp:
            (JSC::DFG::CSEPhase::checkStructureElimination):
            (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
            (JSC::DFG::CSEPhase::performNodeCSE):
            * dfg/DFGClobberize.h:
            (JSC::DFG::clobberize):
            * dfg/DFGCommon.cpp:
            (JSC::DFG::startCrashing):
            (JSC::DFG::isCrashing):
            * dfg/DFGCommon.h:
            * dfg/DFGCommonData.cpp:
            (JSC::DFG::CommonData::notifyCompilingStructureTransition):
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
            (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
            (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
            * dfg/DFGDesiredWatchpoints.cpp:
            (JSC::DFG::DesiredWatchpoints::consider):
            (JSC::DFG::DesiredWatchpoints::addLazily): Deleted.
            * dfg/DFGDesiredWatchpoints.h:
            (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
            (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
            (JSC::DFG::GenericDesiredWatchpoints::isWatched):
            (JSC::DFG::DesiredWatchpoints::isWatched):
            (JSC::DFG::WatchpointForGenericWatchpointSet::WatchpointForGenericWatchpointSet): Deleted.
            (JSC::DFG::GenericDesiredWatchpoints::addLazily): Deleted.
            (JSC::DFG::GenericDesiredWatchpoints::isStillValid): Deleted.
            (JSC::DFG::GenericDesiredWatchpoints::shouldAssumeMixedState): Deleted.
            (JSC::DFG::GenericDesiredWatchpoints::isValidOrMixed): Deleted.
            (JSC::DFG::DesiredWatchpoints::isStillValid): Deleted.
            (JSC::DFG::DesiredWatchpoints::shouldAssumeMixedState): Deleted.
            (JSC::DFG::DesiredWatchpoints::isValidOrMixed): Deleted.
            * dfg/DFGDoesGC.cpp:
            (JSC::DFG::doesGC):
            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::fixupNode):
            (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
            (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::~Graph):
            (JSC::DFG::Graph::dump):
            (JSC::DFG::Graph::dumpBlockHeader):
            (JSC::DFG::Graph::tryGetFoldableView):
            (JSC::DFG::Graph::visitChildren):
            (JSC::DFG::Graph::assertIsWatched):
            (JSC::DFG::Graph::handleAssertionFailure):
            * dfg/DFGGraph.h:
            (JSC::DFG::Graph::convertToConstant):
            (JSC::DFG::Graph::masqueradesAsUndefinedWatchpointIsStillValid):
            (JSC::DFG::Graph::addStructureTransitionData): Deleted.
            * dfg/DFGInPlaceAbstractState.cpp:
            (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
            (JSC::DFG::InPlaceAbstractState::initialize):
            (JSC::DFG::InPlaceAbstractState::endBasicBlock):
            (JSC::DFG::InPlaceAbstractState::reset):
            (JSC::DFG::InPlaceAbstractState::merge):
            * dfg/DFGInPlaceAbstractState.h:
            (JSC::DFG::InPlaceAbstractState::structureClobberState):
            (JSC::DFG::InPlaceAbstractState::setStructureClobberState):
            (JSC::DFG::InPlaceAbstractState::setFoundConstants):
            (JSC::DFG::InPlaceAbstractState::haveStructures): Deleted.
            (JSC::DFG::InPlaceAbstractState::setHaveStructures): Deleted.
            * dfg/DFGLivenessAnalysisPhase.cpp:
            (JSC::DFG::LivenessAnalysisPhase::run):
            * dfg/DFGNode.h:
            (JSC::DFG::Node::hasTransition):
            (JSC::DFG::Node::transition):
            (JSC::DFG::Node::hasStructure):
            (JSC::DFG::StructureTransitionData::StructureTransitionData): Deleted.
            (JSC::DFG::Node::convertToStructureTransitionWatchpoint): Deleted.
            (JSC::DFG::Node::hasStructureTransitionData): Deleted.
            (JSC::DFG::Node::structureTransitionData): Deleted.
            * dfg/DFGNodeType.h:
            * dfg/DFGPlan.cpp:
            (JSC::DFG::Plan::compileInThreadImpl):
            * dfg/DFGPredictionPropagationPhase.cpp:
            (JSC::DFG::PredictionPropagationPhase::propagate):
            * dfg/DFGSafeToExecute.h:
            (JSC::DFG::safeToExecute):
            * dfg/DFGSpeculativeJIT.cpp:
            (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
            (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
            * dfg/DFGSpeculativeJIT.h:
            (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
            * dfg/DFGSpeculativeJIT32_64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGSpeculativeJIT64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGStructureAbstractValue.cpp: Added.
            (JSC::DFG::StructureAbstractValue::assertIsWatched):
            (JSC::DFG::StructureAbstractValue::clobber):
            (JSC::DFG::StructureAbstractValue::observeTransition):
            (JSC::DFG::StructureAbstractValue::observeTransitions):
            (JSC::DFG::StructureAbstractValue::add):
            (JSC::DFG::StructureAbstractValue::merge):
            (JSC::DFG::StructureAbstractValue::mergeSlow):
            (JSC::DFG::StructureAbstractValue::mergeNotTop):
            (JSC::DFG::StructureAbstractValue::filter):
            (JSC::DFG::StructureAbstractValue::filterSlow):
            (JSC::DFG::StructureAbstractValue::contains):
            (JSC::DFG::StructureAbstractValue::isSubsetOf):
            (JSC::DFG::StructureAbstractValue::isSupersetOf):
            (JSC::DFG::StructureAbstractValue::overlaps):
            (JSC::DFG::StructureAbstractValue::equalsSlow):
            (JSC::DFG::StructureAbstractValue::dumpInContext):
            (JSC::DFG::StructureAbstractValue::dump):
            * dfg/DFGStructureAbstractValue.h:
            (JSC::DFG::StructureAbstractValue::StructureAbstractValue):
            (JSC::DFG::StructureAbstractValue::operator=):
            (JSC::DFG::StructureAbstractValue::clear):
            (JSC::DFG::StructureAbstractValue::makeTop):
            (JSC::DFG::StructureAbstractValue::assertIsWatched):
            (JSC::DFG::StructureAbstractValue::observeInvalidationPoint):
            (JSC::DFG::StructureAbstractValue::top):
            (JSC::DFG::StructureAbstractValue::isClear):
            (JSC::DFG::StructureAbstractValue::isTop):
            (JSC::DFG::StructureAbstractValue::isNeitherClearNorTop):
            (JSC::DFG::StructureAbstractValue::isClobbered):
            (JSC::DFG::StructureAbstractValue::merge):
            (JSC::DFG::StructureAbstractValue::filter):
            (JSC::DFG::StructureAbstractValue::operator==):
            (JSC::DFG::StructureAbstractValue::size):
            (JSC::DFG::StructureAbstractValue::at):
            (JSC::DFG::StructureAbstractValue::operator[]):
            (JSC::DFG::StructureAbstractValue::onlyStructure):
            (JSC::DFG::StructureAbstractValue::isSupersetOf):
            (JSC::DFG::StructureAbstractValue::makeTopWhenThin):
            (JSC::DFG::StructureAbstractValue::setClobbered):
            (JSC::DFG::StructureAbstractValue::add): Deleted.
            (JSC::DFG::StructureAbstractValue::addAll): Deleted.
            (JSC::DFG::StructureAbstractValue::contains): Deleted.
            (JSC::DFG::StructureAbstractValue::isSubsetOf): Deleted.
            (JSC::DFG::StructureAbstractValue::doesNotContainAnyOtherThan): Deleted.
            (JSC::DFG::StructureAbstractValue::isClearOrTop): Deleted.
            (JSC::DFG::StructureAbstractValue::last): Deleted.
            (JSC::DFG::StructureAbstractValue::speculationFromStructures): Deleted.
            (JSC::DFG::StructureAbstractValue::isValidOffset): Deleted.
            (JSC::DFG::StructureAbstractValue::hasSingleton): Deleted.
            (JSC::DFG::StructureAbstractValue::singleton): Deleted.
            (JSC::DFG::StructureAbstractValue::dumpInContext): Deleted.
            (JSC::DFG::StructureAbstractValue::dump): Deleted.
            (JSC::DFG::StructureAbstractValue::topValue): Deleted.
            * dfg/DFGStructureClobberState.h: Added.
            (JSC::DFG::merge):
            (WTF::printInternal):
            * dfg/DFGTransition.cpp: Added.
            (JSC::DFG::Transition::dumpInContext):
            (JSC::DFG::Transition::dump):
            * dfg/DFGTransition.h: Added.
            (JSC::DFG::Transition::Transition):
            * dfg/DFGTypeCheckHoistingPhase.cpp:
            (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
            (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
            * dfg/DFGWatchableStructureWatchingPhase.cpp: Added.
            (JSC::DFG::WatchableStructureWatchingPhase::WatchableStructureWatchingPhase):
            (JSC::DFG::WatchableStructureWatchingPhase::run):
            (JSC::DFG::WatchableStructureWatchingPhase::tryWatch):
            (JSC::DFG::performWatchableStructureWatching):
            * dfg/DFGWatchableStructureWatchingPhase.h: Added.
            * dfg/DFGWatchpointCollectionPhase.cpp:
            (JSC::DFG::WatchpointCollectionPhase::handle):
            (JSC::DFG::WatchpointCollectionPhase::handleEdge): Deleted.
            * ftl/FTLCapabilities.cpp:
            (JSC::FTL::canCompile):
            * ftl/FTLIntrinsicRepository.h:
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::ftlUnreachable):
            (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
            (JSC::FTL::LowerDFGToLLVM::compileBlock):
            (JSC::FTL::LowerDFGToLLVM::compileNode):
            (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
            (JSC::FTL::LowerDFGToLLVM::compilePhi):
            (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
            (JSC::FTL::LowerDFGToLLVM::compileValueRep):
            (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
            (JSC::FTL::LowerDFGToLLVM::compileGetArgument):
            (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
            (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
            (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
            (JSC::FTL::LowerDFGToLLVM::compileArithMul):
            (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
            (JSC::FTL::LowerDFGToLLVM::compileArithMod):
            (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
            (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
            (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
            (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
            (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
            (JSC::FTL::LowerDFGToLLVM::compileGetById):
            (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
            (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
            (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
            (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
            (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
            (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
            (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
            (JSC::FTL::LowerDFGToLLVM::compileNewArray):
            (JSC::FTL::LowerDFGToLLVM::compileNewArrayBuffer):
            (JSC::FTL::LowerDFGToLLVM::compileAllocatePropertyStorage):
            (JSC::FTL::LowerDFGToLLVM::compileReallocatePropertyStorage):
            (JSC::FTL::LowerDFGToLLVM::compileToString):
            (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
            (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
            (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
            (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
623             (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
624             (JSC::FTL::LowerDFGToLLVM::compileSwitch):
625             (JSC::FTL::LowerDFGToLLVM::compare):
626             (JSC::FTL::LowerDFGToLLVM::boolify):
627             (JSC::FTL::LowerDFGToLLVM::terminate):
628             (JSC::FTL::LowerDFGToLLVM::lowInt32):
629             (JSC::FTL::LowerDFGToLLVM::lowInt52):
630             (JSC::FTL::LowerDFGToLLVM::opposite):
631             (JSC::FTL::LowerDFGToLLVM::lowCell):
632             (JSC::FTL::LowerDFGToLLVM::lowBoolean):
633             (JSC::FTL::LowerDFGToLLVM::lowDouble):
634             (JSC::FTL::LowerDFGToLLVM::lowJSValue):
635             (JSC::FTL::LowerDFGToLLVM::speculate):
636             (JSC::FTL::LowerDFGToLLVM::isArrayType):
637             (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
638             (JSC::FTL::LowerDFGToLLVM::callCheck):
639             (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
640             (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
641             (JSC::FTL::LowerDFGToLLVM::setInt52):
642             (JSC::FTL::LowerDFGToLLVM::crash):
643             (JSC::FTL::LowerDFGToLLVM::compileStructureTransitionWatchpoint): Deleted.
644             * ftl/FTLOutput.cpp:
645             (JSC::FTL::Output::crashNonTerminal): Deleted.
646             * ftl/FTLOutput.h:
647             (JSC::FTL::Output::crash): Deleted.
648             * jit/JITOperations.h:
649             * jsc.cpp:
650             (WTF::jscExit):
651             (functionQuit):
652             (main):
653             (printUsageStatement):
654             (CommandLine::parseArguments):
655             * runtime/Structure.h:
656             (JSC::Structure::dfgShouldWatchIfPossible):
657             (JSC::Structure::dfgShouldWatch):
658             * tests/stress/arrayify-to-structure-contradiction.js: Added.
659             (foo):
660             * tests/stress/ftl-getmyargumentslength-inline.js: Added.
661             (foo):
662             * tests/stress/multi-put-by-offset-multiple-transitions.js: Added.
663             (foo):
664             (Foo):
665             * tests/stress/throw-from-ftl-in-loop.js: Added.
666             * tests/stress/throw-from-ftl.js: Added.
667             (foo):
668     
669     2014-06-03  Filip Pizlo  <fpizlo@apple.com>
670     
671             [ftlopt] Unreviewed, roll out r169578. The build system needs some more love.
672     
673             * InlineRuntimeSymbolTable.h: Removed.
674             * JavaScriptCore.xcodeproj/project.pbxproj:
675             * build-symbol-table-index.py:
676             * build-symbol-table-index.sh:
677             * copy-llvm-ir-to-derived-sources.sh:
678             * dfg/DFGByteCodeParser.cpp:
679             (JSC::DFG::ByteCodeParser::handleCall):
680             * dfg/DFGNode.h:
681             (JSC::DFG::Node::canBeKnownFunction): Deleted.
682             (JSC::DFG::Node::hasKnownFunction): Deleted.
683             (JSC::DFG::Node::knownFunction): Deleted.
684             (JSC::DFG::Node::giveKnownFunction): Deleted.
685             * ftl/FTLAbbreviatedTypes.h:
686             * ftl/FTLCompile.cpp:
687             (JSC::FTL::compile):
688             * ftl/FTLLowerDFGToLLVM.cpp:
689             (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
690             (JSC::FTL::LowerDFGToLLVM::lower):
691             (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
692             (JSC::FTL::LowerDFGToLLVM::possiblyCompileInlineableNativeCall): Deleted.
693             (JSC::FTL::LowerDFGToLLVM::getFunctionBySymbol): Deleted.
694             (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): Deleted.
695             (JSC::FTL::LowerDFGToLLVM::isInlinableSize): Deleted.
696             * ftl/FTLState.cpp:
697             (JSC::FTL::State::State):
698             * ftl/FTLState.h:
699             * heap/HandleStack.h:
700             * llvm/InitializeLLVM.h:
701             * llvm/InitializeLLVMMac.cpp: Removed.
702             * llvm/InitializeLLVMMac.mm: Added.
703             (JSC::initializeLLVMImpl):
704             * llvm/LLVMAPIFunctions.h:
705             * llvm/LLVMHeaders.h:
706             * runtime/BundlePath.h: Removed.
707             * runtime/BundlePath.mm: Removed.
708             * runtime/DateConversion.h:
709             * runtime/DateInstance.h:
710             * runtime/ExceptionHelpers.h:
711             * runtime/JSArray.h:
712             * runtime/JSCJSValue.h:
713             (JSC::JSValue::toFloat):
714             * runtime/JSDateMath.h:
715             * runtime/JSObject.h:
716             * runtime/JSWrapperObject.h:
717             * runtime/Options.h:
718             * runtime/RegExp.h:
719             * runtime/StringObject.h:
720             * runtime/Structure.h:
721             * tested-symbols.symlst: Removed.
722     
723     2014-06-03  Filip Pizlo  <fpizlo@apple.com>
724     
725             [ftlopt] FTL native inlining tests take far too long
726             https://bugs.webkit.org/show_bug.cgi?id=133498
727     
728             Unreviewed test gardening.
729             
730             Added a new exceptions test since the other one appears to not work.
731     
732             * tests/stress/ftl-library-exception.js:
733             * tests/stress/ftl-library-inline-gettimezoneoffset.js: Added.
734             (foo):
735             * tests/stress/ftl-library-inlining-exceptions-dataview.js: Added.
736             (foo):
737             * tests/stress/ftl-library-inlining-exceptions.js: Copied from LayoutTests/js/regress/script-tests/ftl-library-inlining-exceptions.js.
738             * tests/stress/ftl-library-inlining-loops.js: Copied from LayoutTests/js/regress/script-tests/ftl-library-inlining-loops.js.
739             * tests/stress/ftl-library-inlining-random.js:
740             * tests/stress/ftl-library-substring.js:
741     
742     2014-06-03  Matthew Mirman  <mmirman@apple.com>
743     
744             [ftlopt] Added system for inlining native functions via the FTL.
745             https://bugs.webkit.org/show_bug.cgi?id=131515
746     
747             Reviewed by Filip Pizlo.
748     
749             Also fixed the build to not compress the bitcode and to
750             include all of the relevant runtime. With GCC_GENERATE_DEBUGGING_SYMBOLS = NO,
751             the produced bitcode files are a hundredth of the size they were before.
752             Now we can include all of the relevant runtime files with only a 3 MB overhead.
753             This is the same overhead as for two compressed files before,
754             but done more efficiently (on both ends) and with less code.
755             
756             Deciding whether to inline native functions is left up to LLVM. 
757             The entire module containing the function is linked into the current 
758             compiled JS so that inlining the native functions shouldn't make them smaller.
759             
760             Rather than loading Runtime.symtbl at runtime FTLState.cpp now includes a file 
761             InlineRuntimeSymbolTable.h which statically builds the symbol table hash table.  
762             Currently build-symbol-table-index.py updates this file from the 
763             contents of tested-symbols.symlst when done building as a matter of convenience.  
764             However, in order to include the new contents of the file in the build
765             you'd need to build twice.  This will be fixed in future versions.
766     
767             * JavaScriptCore.xcodeproj/project.pbxproj: Added back runtime files to compile.
768             * build-symbol-table-index.py: Changed bitcode suffix. 
769             Added inclusion of only tested symbols.  
770             Added output to InlineRuntimeSymbolTable.h. 
771             * build-symbol-table-index.sh: Changed bitcode suffix.
772             * copy-llvm-ir-to-derived-sources.sh: Removed gzip compression.
773             * tested-symbols.symlst: Added.
774             * dfg/DFGByteCodeParser.cpp:
775             (JSC::DFG::ByteCodeParser::handleCall):  
776             Now sets the knownFunction of the call node if such a function exists 
777             and emits a check that during runtime the callee is in fact known.
778             * dfg/DFGNode.h:
779             Added functions to set the known function of a call node.
780             (JSC::DFG::Node::canBeKnownFunction): Added.
781             (JSC::DFG::Node::hasKnownFunction): Added.
782             (JSC::DFG::Node::knownFunction): Added.
783             (JSC::DFG::Node::giveKnownFunction): Added.
784             * ftl/FTLAbbreviatedTypes.h: Added a typedef for LLVMMemoryBufferRef
785             * ftl/FTLLowerDFGToLLVM.cpp:
786             (JSC::FTL::LowerDFGToLLVM::isInlinableSize): Added. Hardcoded threshold to 275.
787             (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): Added.
788             (JSC::FTL::LowerDFGToLLVM::getFunctionBySymbol): Added.
789             (JSC::FTL::LowerDFGToLLVM::possiblyCompileInlineableNativeCall): Added.
790             (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):  
791             Added call to possiblyCompileInlineableNativeCall
792             * ftl/FTLOutput.h:
793             (JSC::FTL::Output::allocaName):  Added. Useful for debugging.
794             * ftl/FTLState.cpp:
795             (JSC::FTL::State::State): Added an include for InlineRuntimeSymbolTable.h
796             * ftl/FTLState.h: Added symbol table hash table.
797             * ftl/FTLCompile.cpp:
798             (JSC::FTL::compile): Added inlining and dead function elimination passes.
799             * heap/HandleStack.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile.
800             * InlineRuntimeSymbolTable.h: Added.  
801             * llvm/InitializeLLVMMac.mm: Deleted.
802             * llvm/InitializeLLVMMac.cpp: Added.
803             * llvm/LLVMAPIFunctions.h: Added macros to include Bitcode parsing and linking functions.
804             * llvm/LLVMHeaders.h: Added includes for Bitcode parsing and linking.
805             * runtime/BundlePath.h: Added.
806             * runtime/BundlePath.mm: Added.
807             * runtime/DateInstance.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile.
808             * runtime/DateInstance.h: ditto.
809             * runtime/DateConversion.h: ditto.
810             * runtime/ExceptionHelpers.h: ditto.
811             * runtime/JSCJSValue.h: ditto.
812             * runtime/JSArray.h: ditto.
813             * runtime/JSDateMath.h: ditto.
814             * runtime/JSObject.h: ditto.
815             * runtime/JSObject.h: ditto.
816             * runtime/RegExp.h: ditto.
817             * runtime/Structure.h: ditto.
818             * runtime/Options.h:  Added maximumLLVMInstructionCountForNativeInlining.
819             * tests/stress/ftl-library-inlining-random.js: Added.
820             * tests/stress/ftl-library-substring.js: Added.
821     
822     2014-05-21  Filip Pizlo  <fpizlo@apple.com>
823     
824             [ftlopt] DFG::clobberize should be blind to the effects of GC
825             https://bugs.webkit.org/show_bug.cgi?id=133166
826     
827             Reviewed by Geoffrey Garen.
828             
829             Move the computation of where GCs happen to DFG::doesGC().
830             
831             Large (>5x) speed-up on programs that do loop-invariant string concatenations.
832     
833             * CMakeLists.txt:
834             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
835             * JavaScriptCore.xcodeproj/project.pbxproj:
836             * dfg/DFGAbstractHeap.h:
837             * dfg/DFGClobberize.h:
838             (JSC::DFG::clobberize):
839             (JSC::DFG::clobberizeForAllocation): Deleted.
840             * dfg/DFGDoesGC.cpp: Added.
841             (JSC::DFG::doesGC):
842             * dfg/DFGDoesGC.h: Added.
843             * dfg/DFGStoreBarrierElisionPhase.cpp:
844             (JSC::DFG::StoreBarrierElisionPhase::handleNode):
845             (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC): Deleted.
846     
847     2014-05-16  Filip Pizlo  <fpizlo@apple.com>
848     
849             [ftlopt] A StructureSet with one element should only require one word and no allocation
850             https://bugs.webkit.org/show_bug.cgi?id=133014
851     
852             Reviewed by Oliver Hunt.
853             
854             This makes it more efficient to use StructureSet in situations where the common case is
855             just one structure.
856             
857             I also took the opportunity to use the same set terminology we use in BitVector: merge,
858             filter, exclude, contains, etc.
859             
860             Eventually, this will be used to implement StructureAbstractValue as well.
861     
862             * CMakeLists.txt:
863             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
864             * JavaScriptCore.xcodeproj/project.pbxproj:
865             * bytecode/StructureSet.cpp: Added.
866             (JSC::StructureSet::StructureSet):
867             (JSC::StructureSet::operator=):
868             (JSC::StructureSet::clear):
869             (JSC::StructureSet::add):
870             (JSC::StructureSet::remove):
871             (JSC::StructureSet::contains):
872             (JSC::StructureSet::merge):
873             (JSC::StructureSet::filter):
874             (JSC::StructureSet::exclude):
875             (JSC::StructureSet::isSubsetOf):
876             (JSC::StructureSet::overlaps):
877             (JSC::StructureSet::operator==):
878             (JSC::StructureSet::speculationFromStructures):
879             (JSC::StructureSet::arrayModesFromStructures):
880             (JSC::StructureSet::dumpInContext):
881             (JSC::StructureSet::dump):
882             (JSC::StructureSet::addOutOfLine):
883             (JSC::StructureSet::containsOutOfLine):
884             (JSC::StructureSet::copyFrom):
885             (JSC::StructureSet::OutOfLineList::create):
886             (JSC::StructureSet::OutOfLineList::destroy):
887             * bytecode/StructureSet.h:
888             (JSC::StructureSet::StructureSet):
889             (JSC::StructureSet::~StructureSet):
890             (JSC::StructureSet::onlyStructure):
891             (JSC::StructureSet::isEmpty):
892             (JSC::StructureSet::size):
893             (JSC::StructureSet::at):
894             (JSC::StructureSet::operator[]):
895             (JSC::StructureSet::last):
896             (JSC::StructureSet::OutOfLineList::list):
897             (JSC::StructureSet::OutOfLineList::OutOfLineList):
898             (JSC::StructureSet::deleteStructureListIfNecessary):
899             (JSC::StructureSet::isThin):
900             (JSC::StructureSet::pointer):
901             (JSC::StructureSet::singleStructure):
902             (JSC::StructureSet::structureList):
903             (JSC::StructureSet::set):
904             (JSC::StructureSet::clear): Deleted.
905             (JSC::StructureSet::add): Deleted.
906             (JSC::StructureSet::addAll): Deleted.
907             (JSC::StructureSet::remove): Deleted.
908             (JSC::StructureSet::contains): Deleted.
909             (JSC::StructureSet::containsOnly): Deleted.
910             (JSC::StructureSet::isSubsetOf): Deleted.
911             (JSC::StructureSet::overlaps): Deleted.
912             (JSC::StructureSet::singletonStructure): Deleted.
913             (JSC::StructureSet::speculationFromStructures): Deleted.
914             (JSC::StructureSet::arrayModesFromStructures): Deleted.
915             (JSC::StructureSet::operator==): Deleted.
916             (JSC::StructureSet::dumpInContext): Deleted.
917             (JSC::StructureSet::dump): Deleted.
918             * dfg/DFGAbstractInterpreterInlines.h:
919             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
920             * dfg/DFGByteCodeParser.cpp:
921             (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
922             (JSC::DFG::ByteCodeParser::handleGetById):
923             (JSC::DFG::ByteCodeParser::parseBlock):
924             * dfg/DFGCSEPhase.cpp:
925             (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
926             * dfg/DFGNode.h:
927             (JSC::DFG::Node::convertToStructureTransitionWatchpoint):
928             * dfg/DFGTypeCheckHoistingPhase.cpp:
929             (JSC::DFG::TypeCheckHoistingPhase::noticeStructureCheck):
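The one-word/out-of-line layout and the merge/filter/exclude vocabulary from this entry, written out as an added example that is not JSC's StructureSet code: Structure is a stand-in struct, the low tag bit and the std::vector backing list are assumptions, and structureSetSelfCheck is a hypothetical driver.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

// Stand-in for JSC::Structure (hypothetical); the set only compares addresses.
struct Structure { int id; };

// One-word set: a single Structure* is stored inline; two or more elements
// spill into a heap-allocated list whose pointer is tagged in bit 0 (safe
// because both Structure and the list are at least 2-byte aligned).
class StructureSet {
    typedef std::vector<Structure*> List;
    static constexpr uintptr_t fatFlag = 1;
    uintptr_t m_word;

    bool isThin() const { return !(m_word & fatFlag); }
    Structure* single() const { return reinterpret_cast<Structure*>(m_word); }
    List* list() const { return reinterpret_cast<List*>(m_word & ~fatFlag); }
    void setList(List* l) { m_word = reinterpret_cast<uintptr_t>(l) | fatFlag; }
    void copyFrom(const StructureSet& o) {            // fat copies are deep, never aliased
        if (o.isThin()) m_word = o.m_word; else setList(new List(*o.list()));
    }

public:
    StructureSet() : m_word(0) {}
    explicit StructureSet(Structure* s) : m_word(reinterpret_cast<uintptr_t>(s)) {}
    StructureSet(const StructureSet& o) : m_word(0) { copyFrom(o); }
    StructureSet& operator=(const StructureSet&) = delete; // no implicit shallow copy of the list
    ~StructureSet() { clear(); }

    void clear() { if (!isThin()) delete list(); m_word = 0; }
    bool isOutOfLine() const { return !isThin(); }
    size_t size() const { return isThin() ? (m_word ? 1 : 0) : list()->size(); }
    Structure* at(size_t i) const { return isThin() ? single() : (*list())[i]; }
    bool contains(Structure* s) const {
        if (isThin()) return m_word && single() == s;
        return std::find(list()->begin(), list()->end(), s) != list()->end();
    }
    // Returns true if the set grew. Nothing is allocated until a second
    // distinct structure shows up, so the monomorphic case stays one word.
    bool add(Structure* s) {
        if (!isThin()) { if (contains(s)) return false; list()->push_back(s); return true; }
        if (!m_word) { m_word = reinterpret_cast<uintptr_t>(s); return true; }
        if (single() == s) return false;
        List* l = new List(1, single());              // spill: old element plus the new one
        l->push_back(s);
        setList(l);
        return true;
    }
    bool remove(Structure* s) {
        if (isThin()) { bool hit = m_word && single() == s; if (hit) m_word = 0; return hit; }
        List* l = list();
        List::iterator it = std::find(l->begin(), l->end(), s);
        if (it == l->end()) return false;
        l->erase(it);
        if (l->size() == 1) { Structure* last = l->front(); delete l; m_word = reinterpret_cast<uintptr_t>(last); }
        return true;
    }
    // Set algebra with the BitVector-style names the entry adopts; each returns true if changed.
    bool merge(const StructureSet& o) {               // union
        bool changed = false;
        for (size_t i = 0; i < o.size(); ++i) changed = add(o.at(i)) || changed;
        return changed;
    }
    bool exclude(const StructureSet& o) {             // difference
        bool changed = false;
        for (size_t i = 0; i < o.size(); ++i) changed = remove(o.at(i)) || changed;
        return changed;
    }
    bool filter(const StructureSet& o) {              // intersection = this - (this - o)
        StructureSet drop(*this);                     // snapshot, since remove() mutates
        drop.exclude(o);
        return exclude(drop);
    }
    bool isSubsetOf(const StructureSet& o) const {
        for (size_t i = 0; i < size(); ++i) if (!o.contains(at(i))) return false;
        return true;
    }
    bool operator==(const StructureSet& o) const { return size() == o.size() && isSubsetOf(o); }
};

// Walks a set through the transitions a DFG site would see: monomorphic
// (thin), polymorphic (out of line), and back. Returns true if every step
// behaved as the entry describes.
bool structureSetSelfCheck() {
    Structure a = {1}, b = {2}, c = {3};
    StructureSet s(&a);
    if (s.size() != 1 || s.isOutOfLine() || s.at(0) != &a || s.add(&a)) return false;
    if (!s.add(&b) || !s.isOutOfLine() || s.size() != 2) return false;
    StructureSet t(&b); t.add(&c);
    if (s.isSubsetOf(t) || !s.contains(&b)) return false;
    StructureSet u(s);                                // deep copy of the list
    if (!u.filter(t) || u.size() != 1 || u.isOutOfLine() || u.at(0) != &b) return false;
    if (!s.merge(t) || s.size() != 3 || !t.isSubsetOf(s)) return false;
    if (!s.exclude(u) || s.contains(&b)) return false; // {a,c}, still out of line
    StructureSet v(&c); v.add(&a);
    return s == v;                                    // order-insensitive equality
}
```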
930     
931 2014-07-22  Ryuan Choi  <ryuan.choi@samsung.com>
932
933         Unreviewed build fix attempt on the EFL port after r171362.
934
935         Build break because of -Werror=return-type
936
937         * bytecode/GetByIdStatus.cpp:
938         (JSC::GetByIdStatus::makesCalls):
939
940 2014-07-22  Joseph Pecoraro  <pecoraro@apple.com>
941
942         JSLock release should only modify the AtomicStringTable if it modified in acquire
943         https://bugs.webkit.org/show_bug.cgi?id=135143
944
945         Reviewed by Pratik Solanki.
946
947         * runtime/JSLock.cpp:
948         (JSC::JSLock::willDestroyVM):
949         (JSC::JSLock::willReleaseLock):
950         Only set the AtomicStringTable when there was a VM, to balance JSLock::didAcquireLock.
951
952 2014-07-22  Filip Pizlo  <fpizlo@apple.com>
953
954         Fix cloop build.
955
956         * bytecode/CallLinkStatus.cpp:
957         (JSC::CallLinkStatus::computeExitSiteData):
958
959 2014-07-22  Filip Pizlo  <fpizlo@apple.com>
960
961         Merge r168635, r168780, r169005, r169014, and r169143 from ftlopt.
962
963     2014-05-20  Filip Pizlo  <fpizlo@apple.com>
964     
965             [ftlopt] DFG bytecode parser should turn GetById with nothing but a Getter stub as stuff+handleCall, and handleCall should be allowed to inline if it wants to
966             https://bugs.webkit.org/show_bug.cgi?id=133105
967     
968             Reviewed by Michael Saboff.
969             
970             - GetByIdStatus now knows about getters and can report intelligent things about them.
971               As is usually the case with how we do these things, GetByIdStatus knows more about
972               getters than the DFG can actually handle: it'll report details about polymorphic
973               getter calls even though the DFG won't be able to handle those. This is fine; the DFG
974               will see those statuses and bail to a generic slow path.
975             
976             - The DFG::ByteCodeParser now knows how to set up and do handleCall() for a getter call.
977               This can, and usually does, result in inlining of getters!
978             
979             - CodeOrigin and OSR exit know about inlined getter calls. When you OSR out of an
980               inlined getter, we set the return PC to a getter return thunk that fixes up the stack.
981               We use the usual offset-true-return-PC trick, where OSR exit places the true return PC
982               of the getter's caller as a phony argument that only the thunk knows how to find.
983             
984             - Removed a bunch of dead monomorphic chain support from StructureStubInfo.
985             
986             - A large chunk of this change is dragging GetGetterSetterByOffset, GetGetter, and
987               GetSetter through the DFG and FTL. GetGetterSetterByOffset is like GetByOffset except
988               that we know that we're returning a GetterSetter cell. GetGetter and GetSetter extract
989               the getter, or setter, from the GetterSetter.
990             
991             This is a ~2.5x speed-up on the getter microbenchmarks that we already had. So far none
992             of the "real" benchmarks exercise getters enough for this to matter. But I noticed that
993             some of the variants of the Richards benchmark in other languages - for example
994             Wolczko's Java translation of a C++ translation of Deutsch's Smalltalk version - use
995             getters and setters extensively. So, I created a getter/setter JavaScript version of
996             Richards and put it in regress/script-tests/getter-richards.js. That sees about a 2.4x
997             speed-up from this patch, which is very reassuring.
998     
999             * bytecode/CodeBlock.cpp:
1000             (JSC::CodeBlock::printGetByIdCacheStatus):
1001             (JSC::CodeBlock::findStubInfo):
1002             * bytecode/CodeBlock.h:
1003             * bytecode/CodeOrigin.cpp:
1004             (WTF::printInternal):
1005             * bytecode/CodeOrigin.h:
1006             (JSC::InlineCallFrame::specializationKindFor):
1007             * bytecode/GetByIdStatus.cpp:
1008             (JSC::GetByIdStatus::computeFor):
1009             (JSC::GetByIdStatus::computeForStubInfo):
1010             (JSC::GetByIdStatus::makesCalls):
1011             (JSC::GetByIdStatus::computeForChain): Deleted.
1012             * bytecode/GetByIdStatus.h:
1013             (JSC::GetByIdStatus::makesCalls): Deleted.
1014             * bytecode/GetByIdVariant.cpp:
1015             (JSC::GetByIdVariant::~GetByIdVariant):
1016             (JSC::GetByIdVariant::GetByIdVariant):
1017             (JSC::GetByIdVariant::operator=):
1018             (JSC::GetByIdVariant::dumpInContext):
1019             * bytecode/GetByIdVariant.h:
1020             (JSC::GetByIdVariant::GetByIdVariant):
1021             (JSC::GetByIdVariant::callLinkStatus):
1022             * bytecode/PolymorphicGetByIdList.cpp:
1023             (JSC::GetByIdAccess::fromStructureStubInfo):
1024             (JSC::PolymorphicGetByIdList::from):
1025             * bytecode/SpeculatedType.h:
1026             * bytecode/StructureStubInfo.cpp:
1027             (JSC::StructureStubInfo::deref):
1028             (JSC::StructureStubInfo::visitWeakReferences):
1029             * bytecode/StructureStubInfo.h:
1030             (JSC::isGetByIdAccess):
1031             (JSC::StructureStubInfo::initGetByIdChain): Deleted.
1032             * dfg/DFGAbstractHeap.h:
1033             * dfg/DFGAbstractInterpreterInlines.h:
1034             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1035             * dfg/DFGByteCodeParser.cpp:
1036             (JSC::DFG::ByteCodeParser::addCall):
1037             (JSC::DFG::ByteCodeParser::handleCall):
1038             (JSC::DFG::ByteCodeParser::handleInlining):
1039             (JSC::DFG::ByteCodeParser::handleGetByOffset):
1040             (JSC::DFG::ByteCodeParser::handleGetById):
1041             (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1042             (JSC::DFG::ByteCodeParser::parse):
1043             * dfg/DFGCSEPhase.cpp:
1044             (JSC::DFG::CSEPhase::getGetterSetterByOffsetLoadElimination):
1045             (JSC::DFG::CSEPhase::getInternalFieldLoadElimination):
1046             (JSC::DFG::CSEPhase::performNodeCSE):
1047             (JSC::DFG::CSEPhase::getTypedArrayByteOffsetLoadElimination): Deleted.
1048             * dfg/DFGClobberize.h:
1049             (JSC::DFG::clobberize):
1050             * dfg/DFGFixupPhase.cpp:
1051             (JSC::DFG::FixupPhase::fixupNode):
1052             * dfg/DFGJITCompiler.cpp:
1053             (JSC::DFG::JITCompiler::linkFunction):
1054             * dfg/DFGNode.h:
1055             (JSC::DFG::Node::hasStorageAccessData):
1056             * dfg/DFGNodeType.h:
1057             * dfg/DFGOSRExitCompilerCommon.cpp:
1058             (JSC::DFG::reifyInlinedCallFrames):
1059             * dfg/DFGPredictionPropagationPhase.cpp:
1060             (JSC::DFG::PredictionPropagationPhase::propagate):
1061             * dfg/DFGSafeToExecute.h:
1062             (JSC::DFG::safeToExecute):
1063             * dfg/DFGSpeculativeJIT32_64.cpp:
1064             (JSC::DFG::SpeculativeJIT::compile):
1065             * dfg/DFGSpeculativeJIT64.cpp:
1066             (JSC::DFG::SpeculativeJIT::compile):
1067             * ftl/FTLAbstractHeapRepository.cpp:
1068             * ftl/FTLAbstractHeapRepository.h:
1069             * ftl/FTLCapabilities.cpp:
1070             (JSC::FTL::canCompile):
1071             * ftl/FTLLink.cpp:
1072             (JSC::FTL::link):
1073             * ftl/FTLLowerDFGToLLVM.cpp:
1074             (JSC::FTL::LowerDFGToLLVM::compileNode):
1075             (JSC::FTL::LowerDFGToLLVM::compileGetGetter):
1076             (JSC::FTL::LowerDFGToLLVM::compileGetSetter):
1077             * jit/AccessorCallJITStubRoutine.h:
1078             * jit/JIT.cpp:
1079             (JSC::JIT::assertStackPointerOffset):
1080             (JSC::JIT::privateCompile):
1081             * jit/JIT.h:
1082             * jit/JITPropertyAccess.cpp:
1083             (JSC::JIT::emit_op_get_by_id):
1084             * jit/ThunkGenerators.cpp:
1085             (JSC::arityFixupGenerator):
1086             (JSC::baselineGetterReturnThunkGenerator):
1087             (JSC::baselineSetterReturnThunkGenerator):
1088             (JSC::arityFixup): Deleted.
1089             * jit/ThunkGenerators.h:
1090             * runtime/CommonSlowPaths.cpp:
1091             (JSC::setupArityCheckData):
1092             * tests/stress/exit-from-getter.js: Added.
1093             * tests/stress/poly-chain-getter.js: Added.
1094             (Cons):
1095             (foo):
1096             (test):
1097             * tests/stress/poly-chain-then-getter.js: Added.
1098             (Cons1):
1099             (Cons2):
1100             (foo):
1101             (test):
1102             * tests/stress/poly-getter-combo.js: Added.
1103             (Cons1):
1104             (Cons2):
1105             (foo):
1106             (test):
1107             (.test):
1108             * tests/stress/poly-getter-then-chain.js: Added.
1109             (Cons1):
1110             (Cons2):
1111             (foo):
1112             (test):
1113             * tests/stress/poly-getter-then-self.js: Added.
1114             (foo):
1115             (test):
1116             (.test):
1117             * tests/stress/poly-self-getter.js: Added.
1118             (foo):
1119             (test):
1120             (getter):
1121             * tests/stress/poly-self-then-getter.js: Added.
1122             (foo):
1123             (test):
1124             * tests/stress/weird-getter-counter.js: Added.
1125             (foo):
1126             (test):
1127     
1128     2014-05-17  Filip Pizlo  <fpizlo@apple.com>
1129     
1130             [ftlopt] Factor out how CallLinkStatus uses exit site data
1131             https://bugs.webkit.org/show_bug.cgi?id=133042
1132     
1133             Reviewed by Anders Carlsson.
1134             
1135             This makes it easier to use CallLinkStatus from clients that are calling into it after
1136             already holding some of the relevant locks. This is necessary because we use a "one lock
1137             at a time" policy for CodeBlock locks: if you hold one then you're not allowed to acquire
1138             any of the others. So, any code that needs to lock multiple CodeBlock locks needs to sort
1139             of lock one, do some stuff, release it, then lock another, and then do more stuff. The
1140             exit site data corresponds to the stuff you do while holding the baseline lock, while the
1141             CallLinkInfo method corresponds to the stuff you do while holding the CallLinkInfo owner's
1142             lock.
1143     
1144             * bytecode/CallLinkStatus.cpp:
1145             (JSC::CallLinkStatus::computeFor):
1146             (JSC::CallLinkStatus::computeExitSiteData):
1147             (JSC::CallLinkStatus::computeDFGStatuses):
1148             * bytecode/CallLinkStatus.h:
1149             (JSC::CallLinkStatus::ExitSiteData::ExitSiteData):
1150     
1151     2014-05-17  Filip Pizlo  <fpizlo@apple.com>
1152     
1153             [ftlopt] InlineCallFrame::isCall should be an enumeration
1154             https://bugs.webkit.org/show_bug.cgi?id=133034
1155     
1156             Reviewed by Sam Weinig.
1157             
1158             Once we start inlining getters and setters, we'll want InlineCallFrame to be able to tell
1159             us that the inlined call was a getter call or a setter call. Initially I thought I would
1160             have a new field called "kind" that would have components NormalCall, GetterCall, and
1161             SetterCall. But that doesn't make sense, because for GetterCall and SetterCall, isCall
1162             would have to be true. Hence, it makes more sense to have one enumeration that is Call,
1163             Construct, GetterCall, or SetterCall. This patch is a first step towards this.
1164             
1165             It's interesting that isClosureCall should probably still be separate, since getter and
1166             setter inlining could inline closure calls.
1167     
1168             * bytecode/CodeBlock.h:
1169             (JSC::baselineCodeBlockForInlineCallFrame):
1170             * bytecode/CodeOrigin.cpp:
1171             (JSC::InlineCallFrame::dumpInContext):
1172             (WTF::printInternal):
1173             * bytecode/CodeOrigin.h:
1174             (JSC::InlineCallFrame::kindFor):
1175             (JSC::InlineCallFrame::specializationKindFor):
1176             (JSC::InlineCallFrame::InlineCallFrame):
1177             (JSC::InlineCallFrame::specializationKind):
1178             * dfg/DFGByteCodeParser.cpp:
1179             (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1180             * dfg/DFGOSRExitPreparation.cpp:
1181             (JSC::DFG::prepareCodeOriginForOSRExit):
1182             * runtime/Arguments.h:
1183             (JSC::Arguments::finishCreation):
1184     
1185     2014-05-13  Filip Pizlo  <fpizlo@apple.com>
1186     
1187             [ftlopt] DFG should not exit due to inadequate profiling coverage when it can trivially fill in the profiling coverage due to variable constant inference and the better prediction modeling of typed array GetByVals
1188             https://bugs.webkit.org/show_bug.cgi?id=132896
1189     
1190             Reviewed by Geoffrey Garen.
1191             
1192             This is a slight win on SunSpider, but it's meant to ultimately help us on
1193             embenchen/lua. We already do well on that benchmark but our convergence is slower than
1194             I'd like.
1195     
1196             * dfg/DFGArrayMode.cpp:
1197             (JSC::DFG::ArrayMode::refine):
1198             * dfg/DFGByteCodeParser.cpp:
1199             (JSC::DFG::ByteCodeParser::parseBlock):
1200             * dfg/DFGFixupPhase.cpp:
1201             (JSC::DFG::FixupPhase::fixupNode):
1202             * dfg/DFGPredictionPropagationPhase.cpp:
1203             (JSC::DFG::PredictionPropagationPhase::propagate):
1204     
1205     2014-05-08  Filip Pizlo  <fpizlo@apple.com>
1206     
1207             jsSubstring() should be lazy
1208             https://bugs.webkit.org/show_bug.cgi?id=132556
1209     
1210             Reviewed by Andreas Kling.
1211             
1212             jsSubstring() is now lazy by using a special rope that is a substring instead of a
1213             concatenation. To make this patch super simple, we require that a substring's base is
1214             never a rope. Hence, when resolving a rope, we either go down a non-recursive substring
1215             path, or we go down a concatenation path which may see exactly one level of substrings in
1216             its fibers.
1217             
1218             This is up to a 50% speed-up on microbenchmarks and a 10% speed-up on Octane/regexp.
1219             
1220             Relanding this with assertion fixes.
1221     
1222             * heap/MarkedBlock.cpp:
1223             (JSC::MarkedBlock::specializedSweep):
1224             * runtime/JSString.cpp:
1225             (JSC::JSRopeString::visitFibers):
1226             (JSC::JSRopeString::resolveRopeInternal8):
1227             (JSC::JSRopeString::resolveRopeInternal16):
1228             (JSC::JSRopeString::clearFibers):
1229             (JSC::JSRopeString::resolveRope):
1230             (JSC::JSRopeString::resolveRopeSlowCase8):
1231             (JSC::JSRopeString::resolveRopeSlowCase):
1232             * runtime/JSString.h:
1233             (JSC::JSRopeString::finishCreation):
1234             (JSC::JSRopeString::append):
1235             (JSC::JSRopeString::create):
1236             (JSC::JSRopeString::offsetOfFibers):
1237             (JSC::JSRopeString::fiber):
1238             (JSC::JSRopeString::substringBase):
1239             (JSC::JSRopeString::substringOffset):
1240             (JSC::JSRopeString::notSubstringSentinel):
1241             (JSC::JSRopeString::substringSentinel):
1242             (JSC::JSRopeString::isSubstring):
1243             (JSC::JSRopeString::setIsSubstring):
1244             (JSC::jsSubstring):
1245             * runtime/RegExpMatchesArray.cpp:
1246             (JSC::RegExpMatchesArray::reifyAllProperties):
1247             * runtime/StringPrototype.cpp:
1248             (JSC::stringProtoFuncSubstring):
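        The shape described above, as an added example that is not JSC's code: a toy
        model of the two rope kinds, a concatenation rope whose fibers may be substrings
        and a substring rope whose base is always already resolved. Names (Str,
        jsSubstringModel) and the choice to resolve a rope base eagerly when a substring
        is taken from it are this example's own assumptions about how the invariant is kept.

```cpp
#include <memory>
#include <string>
#include <vector>

// Toy model (not JSC's JSRopeString). Invariant from the entry: a Substring's base is
// never a rope, so resolving a Substring never recurses, and a Concat's fibers contain at
// most one level of Substring, which can be copied straight out of the fiber's flat base.
struct Str {
    enum class Kind { Flat, Concat, Substring };
    Kind kind = Kind::Flat;
    std::string flat;                          // contents, valid once kind == Flat
    std::vector<std::shared_ptr<Str>> fibers;  // Concat: pieces, in order
    std::shared_ptr<Str> base;                 // Substring: always a Flat Str
    size_t offset = 0;                         // Substring: start within base
    size_t length = 0;                         // logical length for every kind

    static std::shared_ptr<Str> makeFlat(std::string s)
    {
        auto r = std::make_shared<Str>();
        r->flat = std::move(s);
        r->length = r->flat.size();
        return r;
    }

    static std::shared_ptr<Str> concat(std::shared_ptr<Str> a, std::shared_ptr<Str> b)
    {
        auto r = std::make_shared<Str>();
        r->kind = Kind::Concat;
        r->length = a->length + b->length;
        r->fibers = { std::move(a), std::move(b) };
        return r;
    }

    bool isRope() const { return kind != Kind::Flat; }

    // Materialize the characters. Substring: one copy out of the flat base, no recursion.
    // Concat: a Substring fiber is appended directly from its flat base; a nested Concat
    // fiber is resolved recursively; a Flat fiber is appended as-is.
    const std::string& resolve()
    {
        if (kind == Kind::Flat)
            return flat;
        if (kind == Kind::Substring) {
            flat = base->flat.substr(offset, length);  // base is Flat by invariant
        } else {
            flat.reserve(length);
            for (auto& f : fibers) {
                if (f->kind == Kind::Substring)
                    flat.append(f->base->flat, f->offset, f->length);
                else
                    flat += f->resolve();
            }
        }
        kind = Kind::Flat;  // drop the fibers/base so the rope keeps no stale references
        fibers.clear();
        base.reset();
        return flat;
    }
};

// Lazy substring: copies no characters. A rope base is resolved first so the result's base
// is Flat; a substring of a Substring reuses the original flat base with a combined offset,
// so chains of substrings never build up.
inline std::shared_ptr<Str> jsSubstringModel(const std::shared_ptr<Str>& s, size_t offset, size_t length)
{
    if (offset > s->length || length > s->length - offset)
        return nullptr;  // out of range; a real engine rejects this before getting here
    if (!length)
        return Str::makeFlat("");
    auto r = std::make_shared<Str>();
    r->kind = Str::Kind::Substring;
    r->length = length;
    if (s->kind == Str::Kind::Substring) {
        r->base = s->base;
        r->offset = s->offset + offset;
    } else {
        if (s->isRope())
            s->resolve();
        r->base = s;
        r->offset = offset;
    }
    return r;
}
```

        The range check in jsSubstringModel is written as offset > length first and then
        length > remaining, so the arithmetic cannot wrap on large inputs.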
1249     
1250 2014-07-21  Sam Weinig  <sam@webkit.org>
1251
1252         [Cocoa] WKScriptMessageHandlers don't seem to function properly after navigating
1253         https://bugs.webkit.org/show_bug.cgi?id=135148
1254
1255         Reviewed by Geoffrey Garen.
1256
1257         * runtime/CommonIdentifiers.h:
1258         Add a common identifier for the string "webkit".
1259
1260 2014-07-22  Filip Pizlo  <fpizlo@apple.com>
1261
1262         ASSERTION FAILED: info.spillFormat() & DataFormatJS in JSC::DFG::SpeculativeJIT::fillSpeculateCell
1263         https://bugs.webkit.org/show_bug.cgi?id=135155
1264         <rdar://problem/17763909>
1265
1266         Reviewed by Oliver Hunt.
1267         
1268         The DFG fillSpeculate code paths all need to be mindful of the fact that they may be stumbling upon a
1269         contradiction, and that this is OK. In this case, we were speculating cell on an int.
1270
1271         * dfg/DFGSpeculativeJIT64.cpp:
1272         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1273         * tests/stress/regress-135155.js: Added.
1274         (run.t.length):
1275         (run):
1276
1277 2014-07-18  Filip Pizlo  <fpizlo@apple.com>
1278
1279         Extend exception fuzzing to the LLInt
1280         https://bugs.webkit.org/show_bug.cgi?id=135076
1281
1282         Reviewed by Oliver Hunt.
1283
1284         * CMakeLists.txt:
1285         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1286         * JavaScriptCore.xcodeproj/project.pbxproj:
1287         * jit/JITOperations.cpp:
1288         (JSC::numberOfExceptionFuzzChecks): Deleted.
1289         * llint/LLIntSlowPaths.cpp:
1290         (JSC::LLInt::setUpCall):
1291         * runtime/CommonSlowPaths.cpp:
1292         * runtime/ExceptionFuzz.cpp: Added.
1293         (JSC::numberOfExceptionFuzzChecks):
1294         (JSC::doExceptionFuzzing):
1295         * runtime/ExceptionFuzz.h: Added.
1296         (JSC::doExceptionFuzzingIfEnabled):
1297
1298 2014-07-21  Mark Lam  <mark.lam@apple.com>
1299
1300         Refactor ArrayPrototype to use getLength() and putLength() utility functions.
1301         https://bugs.webkit.org/show_bug.cgi?id=135139.
1302
1303         Reviewed by Oliver Hunt.
1304
1305         - Specialize putProperty() to putLength() because it is only used for setting
1306           the length property.
1307         - Added a getLength() utility function to get the value of the length property.
1308         - Use these getLength() and putLength() functions instead of the existing code
1309           to get and put the length property.  Less code to read, easier to understand.
1310
1311         * runtime/ArrayPrototype.cpp:
1312         (JSC::getLength):
1313         (JSC::putLength):
1314         (JSC::arrayProtoFuncToString):
1315         (JSC::arrayProtoFuncToLocaleString):
1316         (JSC::arrayProtoFuncJoin):
1317         (JSC::arrayProtoFuncPop):
1318         (JSC::arrayProtoFuncPush):
1319         (JSC::arrayProtoFuncReverse):
1320         (JSC::arrayProtoFuncShift):
1321         (JSC::arrayProtoFuncSlice):
1322         (JSC::arrayProtoFuncSort):
1323         (JSC::arrayProtoFuncSplice):
1324         (JSC::arrayProtoFuncUnShift):
1325         (JSC::arrayProtoFuncReduce):
1326         (JSC::arrayProtoFuncReduceRight):
1327         (JSC::arrayProtoFuncIndexOf):
1328         (JSC::arrayProtoFuncLastIndexOf):
1329         (JSC::putProperty): Deleted.
1330
1331 2014-07-21  Diego Pino Garcia  <dpino@igalia.com>
1332
1333         new Int32Array(new ArrayBuffer(100), 1, 1) shouldn't throw an error that says "RangeError: Byte offset and length out of range of buffer"
1334         https://bugs.webkit.org/show_bug.cgi?id=125391
1335
1336         Reviewed by Darin Adler.
1337
1338         Create own method for verifying byte offset alignment.
1339
1340         * runtime/ArrayBufferView.h:
1341         (JSC::ArrayBufferView::verifyByteOffsetAlignment):
1342         (JSC::ArrayBufferView::verifySubRangeLength):
1343         (JSC::ArrayBufferView::verifySubRange): Deleted.
1344         * runtime/GenericTypedArrayViewInlines.h:
1345         (JSC::GenericTypedArrayView<Adaptor>::create):
1346         * runtime/JSDataView.cpp:
1347         (JSC::JSDataView::create):
1348         * runtime/JSGenericTypedArrayViewInlines.h:
1349         (JSC::JSGenericTypedArrayView<Adaptor>::create):
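        The separation of the two checks that this entry introduces, as an added example
        that is not JSC's code: one predicate for byte-offset alignment and one for the
        sub-range, combined the way a typed-array constructor would use them. The function
        names follow the entry; the signatures, the ViewCheck result type and the
        overflow-safe formulation of the range test are this example's assumptions.

```cpp
#include <cstddef>
#include <cstdint>

// Stand-ins for the two predicates the entry names on ArrayBufferView (shapes assumed).

// A byte offset must be a multiple of the element size, or the view would be misaligned.
// This is the check that new Int32Array(new ArrayBuffer(100), 1, 1) actually fails.
inline bool verifyByteOffsetAlignment(size_t byteOffset, size_t elementSize)
{
    return elementSize != 0 && byteOffset % elementSize == 0;
}

// [byteOffset, byteOffset + numElements * elementSize) must lie within the buffer.
// Written without the multiplication and addition on the untrusted side, so neither
// can wrap: compare the offset first, then the element count against the room left.
inline bool verifySubRangeLength(size_t bufferByteLength, size_t byteOffset, size_t numElements, size_t elementSize)
{
    if (elementSize == 0)
        return false;
    if (byteOffset > bufferByteLength)
        return false;
    return numElements <= (bufferByteLength - byteOffset) / elementSize;
}

// How a constructor like new Int32Array(buffer, byteOffset, length) would combine them,
// reporting which of the two conditions failed instead of one catch-all range error.
enum class ViewCheck { Ok, MisalignedOffset, OutOfRange };

inline ViewCheck checkTypedArrayArguments(size_t bufferByteLength, size_t byteOffset, size_t numElements, size_t elementSize)
{
    if (!verifyByteOffsetAlignment(byteOffset, elementSize))
        return ViewCheck::MisalignedOffset;
    if (!verifySubRangeLength(bufferByteLength, byteOffset, numElements, elementSize))
        return ViewCheck::OutOfRange;
    return ViewCheck::Ok;
}
```

        Keeping the alignment test separate from the range test also means the range
        test can be reused for DataView, whose element size is 1 and whose offsets
        therefore never fail alignment.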
1350
1351 2014-07-20  Diego Pino Garcia  <dpino@igalia.com>
1352
1353         ES6: Implement Math.sign()
1354         https://bugs.webkit.org/show_bug.cgi?id=134980
1355
1356         Reviewed by Darin Adler.
1357
1358         * runtime/MathObject.cpp:
1359         (JSC::MathObject::finishCreation):
1360         (JSC::mathProtoFuncSign):
1361
1362 2014-07-18  Filip Pizlo  <fpizlo@apple.com>
1363
1364         Exception fuzzing should work on iOS
1365         https://bugs.webkit.org/show_bug.cgi?id=135070
1366
1367         Reviewed by Mark Hahnenberg.
1368
1369         * tests/exceptionFuzz.yaml:
1370
1371 2014-07-18  Filip Pizlo  <fpizlo@apple.com>
1372
1373         Fix cloop build.
1374
1375         * jsc.cpp:
1376         (jscmain):
1377
1378 2014-07-15  Filip Pizlo  <fpizlo@apple.com>
1379
1380         Need ability to fuzz exception throwing
1381         https://bugs.webkit.org/show_bug.cgi?id=134945
1382         <rdar://problem/17722027>
1383
1384         Reviewed by Sam Weinig.
1385         
1386         Adds the ability to instrument exception checks, and to force some random
1387         exception check to artificially throw an exception. Also adds new tests that
1388         are suitable for testing this. Note that this is closely tied to the Tools
1389         directory changes that are also part of this changeset.
1390         
1391         This also fixes an activation tear-off bug that arises if we ever throw an
1392         exception from operationOptimize, or if due to some other bug it's only due
1393         to the operationOptimize exception check that we realize that there is an
1394         exception to be thrown.
1395
1396         * dfg/DFGJITCompiler.h:
1397         (JSC::DFG::JITCompiler::fastExceptionCheck):
1398         * ftl/FTLIntrinsicRepository.h:
1399         * ftl/FTLLowerDFGToLLVM.cpp:
1400         (JSC::FTL::LowerDFGToLLVM::callCheck):
1401         * interpreter/Interpreter.cpp:
1402         (JSC::unwindCallFrame):
1403         * jit/AssemblyHelpers.cpp:
1404         (JSC::AssemblyHelpers::callExceptionFuzz):
1405         (JSC::AssemblyHelpers::emitExceptionCheck):
1406         * jit/AssemblyHelpers.h:
1407         (JSC::AssemblyHelpers::emitExceptionCheck): Deleted.
1408         * jit/JIT.cpp:
1409         (JSC::JIT::privateCompileMainPass):
1410         * jit/JITOpcodes.cpp:
1411         (JSC::JIT::emit_op_enter):
1412         * jit/JITOperations.cpp:
1413         (JSC::numberOfExceptionFuzzChecks):
1414         * jit/JITOperations.h:
1415         * jsc.cpp:
1416         (jscmain):
1417         * runtime/Options.h:
1418         * runtime/TestRunnerUtils.h:
1419         * tests/exceptionFuzz.yaml: Added.
1420         * tests/exceptionFuzz: Added.
1421         * tests/exceptionFuzz/3d-cube.js: Added.
1422         * tests/exceptionFuzz/date-format-xparb.js: Added.
1423         * tests/exceptionFuzz/earley-boyer.js: Added.
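        The instrumentation idea described above, as an added example that is not JSC's
        ExceptionFuzz.cpp: every exception check first asks a fuzzer whether to throw, a
        counting run learns how many checks an input reaches, and one run per check then
        forces that single check to fire. The ExceptionFuzzer type, the counting-then-
        targeting drive loop and the code under test are this example's assumptions.

```cpp
#include <stdexcept>
#include <string>
#include <vector>

// Toy model of exception-check fuzzing. Each site that would test "did the callee leave an
// exception pending?" first calls doExceptionFuzzing(). With target == 0 the fuzzer only
// counts checks; with target == n the n-th check throws, exercising that check's unwind path.
struct ExceptionFuzzer {
    unsigned target = 0;  // 0 = count only; n = throw at the n-th check
    unsigned checks = 0;  // checks seen so far in this run

    void doExceptionFuzzing(const char* site)
    {
        ++checks;
        if (target && checks == target)
            throw std::runtime_error(std::string("fuzz exception at ") + site);
    }
};

// Code under test: a stand-in for an interpreter routine with three exception checks, the
// third reached on only one path, so the number of checks depends on the input.
inline int computeWithChecks(ExceptionFuzzer& fuzz, int x)
{
    int a = x * 2;
    fuzz.doExceptionFuzzing("multiply");
    int b = a + 1;
    fuzz.doExceptionFuzzing("add");
    if (b > 100)
        fuzz.doExceptionFuzzing("compare");
    return b;
}

// Pass 1: run with fuzzing disabled to learn how many checks this input reaches.
inline unsigned countExceptionChecks(int x)
{
    ExceptionFuzzer counter;
    computeWithChecks(counter, x);
    return counter.checks;
}

// Pass 2: one run per check, each forcing exactly that check to throw. Returns what each run
// produced; a run that finishes without throwing means a check did not fire when told to,
// which is itself worth flagging.
inline std::vector<std::string> fuzzAllChecks(int x)
{
    std::vector<std::string> outcomes;
    unsigned total = countExceptionChecks(x);
    for (unsigned n = 1; n <= total; ++n) {
        ExceptionFuzzer fuzz;
        fuzz.target = n;
        try {
            computeWithChecks(fuzz, x);
            outcomes.push_back("no throw");
        } catch (const std::runtime_error& e) {
            outcomes.push_back(e.what());
        }
    }
    return outcomes;
}
```

        The value of the second pass is that each synthetic throw lands at a point the
        engine considered a valid exception site, so anything that breaks (such as the
        activation tear-off bug mentioned above) is a real unwinding defect rather than
        an artifact of the fuzzer.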
1424
1425 2014-07-17  David Kilzer  <ddkilzer@apple.com>
1426
1427         SECTORDER_FLAGS should be defined in target's xcconfig file, not Base.xcconfig
1428         <http://webkit.org/b/135006>
1429
1430         Reviewed by Darin Adler.
1431
1432         * Configurations/Base.xcconfig: Move SECTORDER_FLAGS to
1433         JavaScriptCore.xcconfig.
1434         * Configurations/CompileRuntimeToLLVMIR.xcconfig: Remove empty
1435         SECTORDER_FLAGS definition.
1436         * Configurations/DebugRelease.xcconfig: Ditto.
1437         * Configurations/JavaScriptCore.xcconfig: Use $(CONFIGURATION)
1438         so SECTORDER_FLAGS is only set on Production builds.
1439
1440 2014-07-17  Juergen Ributzka  <juergen@apple.com>
1441
1442         Disable live-out calculation for stackmap intrinsics.
1443         https://bugs.webkit.org/show_bug.cgi?id=134366
1444
1445         The live-out variables are not required for the stackmaps, because we
1446         don't care about preserving the state when we perform destructive
1447         patching.
1448
1449         Reviewed by Filip Pizlo.
1450
1451         * llvm/library/LLVMExports.cpp:
1452         (initializeAndGetJSCLLVMAPI):
1453
1454 2014-07-17  Joseph Pecoraro  <pecoraro@apple.com>
1455
1456         Follow-up fix to r171195 to prevent ASSERT in fast/profiler/profile-with-no-title.html
1457
1458         Rubber-stamped by Alexey Proskuryakov.
1459
1460         Null / empty titles should be fine. Tests pass in release builds
1461         which allowed empty titles, and it looks like the LegacyProfiler
1462         stopProfiling handles empty titles as expected already.
1463
1464         * profiler/LegacyProfiler.cpp:
1465         (JSC::LegacyProfiler::startProfiling):
1466
1467 2014-07-16  Filip Pizlo  <fpizlo@apple.com>
1468
1469         DFG Flush(SetLocal) store elimination is overzealous for captured variables in the presence of nodes that have no effects but may throw
1470         https://bugs.webkit.org/show_bug.cgi?id=134988
1471         <rdar://problem/17706349>
1472
1473         Reviewed by Oliver Hunt.
1474         
1475         Luckily, we also don't need this optimization to be super powerful: the only place
1476         where it really matters is for getting rid of the redundancy between op_enter and
1477         op_init_lazy_reg, and in that case, there is a small set of possible nodes between the
1478         two things. This change updates the store eliminator to know about only that small,
1479         obviously safe, set of nodes over which we can store-eliminate.
1480         
1481         This shouldn't have any performance impact in the DFG because this optimization kicks
1482         in relatively rarely already. And once we tier up into the FTL, we get a much better
1483         store elimination over LLVM IR, so this really shouldn't matter at all.
1484         
1485         The tricky part of this patch is that there is a close relative of this optimization,
1486         for uncaptured variables that got flushed. This happens for arguments to inlined calls.
1487         I make this work by splitting it into two different store eliminators.
1488         
1489         Note that in the process of crafting the tests, I realized that we were incorrectly
1490         DCEing NewArrayWithSize. That's not cool, since that can throw an exception for
1491         negative array sizes. If we ever did want to DCE this node, we'd need to lower the node
1492         to a check node followed by the actual allocation.
1493
1494         * dfg/DFGCSEPhase.cpp:
1495         (JSC::DFG::CSEPhase::uncapturedSetLocalStoreElimination):
1496         (JSC::DFG::CSEPhase::capturedSetLocalStoreElimination):
1497         (JSC::DFG::CSEPhase::setLocalStoreElimination):
1498         (JSC::DFG::CSEPhase::performNodeCSE):
1499         (JSC::DFG::CSEPhase::SetLocalStoreEliminationResult::SetLocalStoreEliminationResult): Deleted.
1500         * dfg/DFGNodeType.h:
1501         * tests/stress/capture-escape-and-throw.js: Added.
1502         (foo.f):
1503         (foo):
1504         * tests/stress/new-array-with-size-throw-exception-and-tear-off-arguments.js: Added.
1505         (foo):
1506         (bar):
1507
1508 2014-07-15  Benjamin Poulain  <benjamin@webkit.org>
1509
1510         Reduce the overhead of updating the AssemblerBuffer
1511         https://bugs.webkit.org/show_bug.cgi?id=134659
1512
1513         Reviewed by Gavin Barraclough.
1514
1515         In r164548, the linker was changed to allow the LinkBuffer to survive its MacroAssembler.
1516         That feature is useful for JSC to get offsets inside a linked buffer in order to jump directly
1517         there.
1518
1519         On ARM, we use branch compaction and we need to keep the "compaction offset" somewhere to be able
1520         to get the real address of a label. That is done by reusing the memory of AssemblerData.
1521
1522         To share the memory between LinkBuffer and the Assembler, r164548 moved the AssemblerData into
1523         a ref-counted object. Unfortunately, the extra complexity related to the new AssemblerData was enough
1524         to make clang give up a bunch of optimizations.
1525
1526         This patch solves (some of) the problems by making AssemblerBuffer and AssemblerData super low overhead structures.
1527         In particular, the grow() function becomes 8 Thumb instructions, which is easily inlined everywhere it is used.
1528
1529         Instead of sharing ownership between the Assembler and LinkBuffer, LinkBuffer now takes full ownership of
1530         the AssemblerData. I feel this is also safer since LinkBuffer is reusing the AssemblerData in a very
1531         specific way that would make it unusable for the Assembler.
1532
1533         -- Technical details --
1534
1535         From LinkBuffer, we don't want to ever access the Assembler after releasing its buffer (or writing anything
1536         into it really). This was obviously already the case, but that was hard to prove from LinkBuffer::copyCompactAndLinkCode().
1537         To make this easier to work with, I changed all the assembler specific functions to be static. This way we know
1538         exactly what code accesses the Assembler instance. The code that does access the instance is then moved
1539         at the beginning, before we modify anything.
1540
1541         The function recordLinkOffsets() that was on the MacroAssembler and copied in Assembler was moved directly
1542         to LinkBuffer. This makes the modification of AssemblerData completely explicit, and that code is specific
1543         to LinkBuffer anyway (see LinkBuffer::executableOffsetFor()).
1544
1545         -- Perf impact --
1546
1547         This does not put us exactly at before r164548 due to the missing inline buffer. Still, it is very close.
1548         On ARMv7, this reduces the time spent in Assembler by half. On the CSS JIT, this reduces the compilation
1549         time by ~20%.
1550
1551         I could not measure any difference on x86_64.
1552
1553         * assembler/ARM64Assembler.h:
1554         (JSC::ARM64Assembler::jumpSizeDelta):
1555         (JSC::ARM64Assembler::canCompact):
1556         (JSC::ARM64Assembler::computeJumpType):
1557         (JSC::ARM64Assembler::link):
1558         (JSC::ARM64Assembler::recordLinkOffsets): Deleted.
1559         * assembler/ARMv7Assembler.h:
1560         (JSC::ARMv7Assembler::ifThenElseConditionBit):
1561         (JSC::ARMv7Assembler::ifThenElse):
1562         (JSC::ARMv7Assembler::jumpSizeDelta):
1563         (JSC::ARMv7Assembler::canCompact):
1564         (JSC::ARMv7Assembler::computeJumpType):
1565         (JSC::ARMv7Assembler::link):
1566         (JSC::ARMv7Assembler::linkJumpT1):
1567         (JSC::ARMv7Assembler::linkJumpT3):
1568         (JSC::ARMv7Assembler::linkConditionalJumpT4):
1569         (JSC::ARMv7Assembler::linkConditionalBX):
1570         (JSC::ARMv7Assembler::recordLinkOffsets): Deleted.
1571         * assembler/AssemblerBuffer.h:
1572         (JSC::AssemblerData::AssemblerData):
1573         (JSC::AssemblerData::operator=):
1574         (JSC::AssemblerData::~AssemblerData):
1575         (JSC::AssemblerData::buffer):
1576         (JSC::AssemblerData::capacity):
1577         (JSC::AssemblerData::grow):
1578         (JSC::AssemblerBuffer::AssemblerBuffer):
1579         (JSC::AssemblerBuffer::isAvailable):
1580         (JSC::AssemblerBuffer::data):
1581         (JSC::AssemblerBuffer::releaseAssemblerData):
1582         (JSC::AssemblerBuffer::putIntegral):
1583         (JSC::AssemblerBuffer::putIntegralUnchecked):
1584         (JSC::AssemblerBuffer::append):
1585         (JSC::AssemblerBuffer::grow):
1586         (JSC::AssemblerBuffer::~AssemblerBuffer): Deleted.
1587         (JSC::AssemblerBuffer::storage): Deleted.
1588         * assembler/LinkBuffer.cpp:
1589         (JSC::recordLinkOffsets):
1590         (JSC::LinkBuffer::copyCompactAndLinkCode):
1591         * assembler/LinkBuffer.h:
1592         (JSC::LinkBuffer::LinkBuffer):
1593         (JSC::LinkBuffer::executableOffsetFor):
1594         * assembler/MacroAssemblerARM64.h:
1595         (JSC::MacroAssemblerARM64::canCompact):
1596         (JSC::MacroAssemblerARM64::computeJumpType):
1597         (JSC::MacroAssemblerARM64::jumpSizeDelta):
1598         (JSC::MacroAssemblerARM64::link):
1599         (JSC::MacroAssemblerARM64::recordLinkOffsets): Deleted.
1600         * assembler/MacroAssemblerARMv7.h:
1601         (JSC::MacroAssemblerARMv7::canCompact):
1602         (JSC::MacroAssemblerARMv7::computeJumpType):
1603         (JSC::MacroAssemblerARMv7::jumpSizeDelta):
1604         (JSC::MacroAssemblerARMv7::link):
1605         (JSC::MacroAssemblerARMv7::recordLinkOffsets): Deleted.
1606
1607 2014-07-15  Mark Hahnenberg  <mhahnenberg@apple.com>
1608
1609         Stores to PropertyTable use the Structure as the owner
1610         https://bugs.webkit.org/show_bug.cgi?id=134595
1611
1612         Reviewed by Darin Adler.
1613
1614         Since PropertyTable is the object that does the marking of these references, it should be the owner.
1615
1616         Also removed some unused parameters to other methods that historically used the Structure as the owner.
1617
1618         * runtime/JSPropertyNameIterator.h:
1619         (JSC::StructureRareData::setEnumerationCache):
1620         * runtime/ObjectPrototype.cpp:
1621         (JSC::objectProtoFuncToString):
1622         * runtime/PropertyMapHashTable.h:
1623         (JSC::PropertyTable::copy):
1624         * runtime/PropertyTable.cpp:
1625         (JSC::PropertyTable::clone):
1626         (JSC::PropertyTable::PropertyTable):
1627         * runtime/Structure.cpp:
1628         (JSC::Structure::Structure):
1629         (JSC::Structure::materializePropertyMap):
1630         (JSC::Structure::addPropertyTransition):
1631         (JSC::Structure::changePrototypeTransition):
1632         (JSC::Structure::despecifyFunctionTransition):
1633         (JSC::Structure::attributeChangeTransition):
1634         (JSC::Structure::toDictionaryTransition):
1635         (JSC::Structure::preventExtensionsTransition):
1636         (JSC::Structure::takePropertyTableOrCloneIfPinned):
1637         (JSC::Structure::nonPropertyTransition):
1638         (JSC::Structure::copyPropertyTable):
1639         (JSC::Structure::copyPropertyTableForPinning):
1640         (JSC::Structure::putSpecificValue):
1641         * runtime/Structure.h:
1642         (JSC::Structure::setObjectToStringValue):
1643         (JSC::Structure::setPreviousID):
1644         * runtime/StructureInlines.h:
1645         (JSC::Structure::setEnumerationCache):
1646         * runtime/StructureRareData.h:
1647         * runtime/StructureRareDataInlines.h:
1648         (JSC::StructureRareData::setPreviousID):
1649         (JSC::StructureRareData::setObjectToStringValue):
1650
1651 2014-07-15  Mark Hahnenberg  <mhahnenberg@apple.com>
1652
1653         ScriptExecutable::forEachCodeBlock can dereference null CodeBlocks
1654         https://bugs.webkit.org/show_bug.cgi?id=134928
1655
1656         Reviewed by Andreas Kling.
1657
1658         * bytecode/CodeBlock.h:
1659         (JSC::ScriptExecutable::forEachCodeBlock): Check for null CodeBlocks before calling forEachRelatedCodeBlock.
1660
1661 2014-07-15  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
1662
1663         Buildfix if LLINT_SLOW_PATH_TRACING is enabled
1664         https://bugs.webkit.org/show_bug.cgi?id=133790
1665
1666         Reviewed by Mark Lam.
1667
1668         * llint/LLIntSlowPaths.cpp:
1669         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1670
1671 2014-07-14  Filip Pizlo  <fpizlo@apple.com>
1672
1673         Allow for Int52Rep to see things other than Int32, and make this testable
1674         https://bugs.webkit.org/show_bug.cgi?id=134873
1675         <rdar://problem/17641915>
1676
1677         Reviewed by Geoffrey Garen and Mark Hahnenberg.
1678         
1679         A major premise of our type inference is that prediction propagation can say whatever it
1680         wants and we'll still have valid IR after Fixup. This previously didn't work with Int52s.
1681         We required some kind of agreement between prediction propagation and fixup over which
1682         data flow paths were Int52 and which weren't.
1683         
1684         It turns out that we basically had such an agreement, with the exception of code that was
1685         unreachable due to ForceOSRExit. Then, fixup and prediction propagation would disagree. It
1686         might be nice to fix that bug - but it's only in the case of Int52 that such a thing would
1687         be a bug! Normally, we allow sloppiness in prediction propagation.
1688         
1689         This patch allows us to be sloppy with Int52 prediction propagation by giving Int52Rep the
1690         ability to see inputs other than Int32. This fixes the particular ForceOSRExit bug (see
1691         int52-force-osr-exit-path.js for the reduced test case). To make sure that the newly
1692         empowered Int52Rep is actually correct - in case we end up using it on paths other than
1693         ForceOSRExit - this patch introduces an internal intrinsic called fiatInt52() that forces
1694         us to attempt Int52 conversion on the input. This patch adds a bunch of tests that stress
1695         this intrinsic. This means that we're now stressing Int52Rep more so than ever before!
1696         
1697         Note that it would still be a bug for prediction propagation to ever cause us to create an
1698         Int52Rep node for a non-Int32 input. But, this will now be a performance bug, rather than
1699         a crash bug.
1700
1701         * dfg/DFGAbstractInterpreterInlines.h:
1702         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1703         * dfg/DFGAbstractValue.cpp:
1704         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
1705         * dfg/DFGByteCodeParser.cpp:
1706         (JSC::DFG::ByteCodeParser::handleIntrinsic):
1707         * dfg/DFGClobberize.h:
1708         (JSC::DFG::clobberize):
1709         * dfg/DFGFixupPhase.cpp:
1710         (JSC::DFG::FixupPhase::fixupNode):
1711         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
1712         * dfg/DFGGraph.h:
1713         (JSC::DFG::Graph::isMachineIntConstant):
1714         * dfg/DFGNode.h:
1715         (JSC::DFG::Node::isMachineIntConstant):
1716         * dfg/DFGNodeType.h:
1717         * dfg/DFGOperations.cpp:
1718         * dfg/DFGOperations.h:
1719         * dfg/DFGPredictionPropagationPhase.cpp:
1720         (JSC::DFG::PredictionPropagationPhase::propagate):
1721         * dfg/DFGSafeToExecute.h:
1722         (JSC::DFG::SafeToExecuteEdge::operator()):
1723         (JSC::DFG::safeToExecute):
1724         * dfg/DFGSpeculativeJIT.cpp:
1725         (JSC::DFG::SpeculativeJIT::speculate):
1726         * dfg/DFGSpeculativeJIT.h:
1727         (JSC::DFG::SpeculativeJIT::callOperation):
1728         * dfg/DFGSpeculativeJIT32_64.cpp:
1729         (JSC::DFG::SpeculativeJIT::compile):
1730         * dfg/DFGSpeculativeJIT64.cpp:
1731         (JSC::DFG::SpeculativeJIT::compile):
1732         (JSC::DFG::SpeculativeJIT::convertMachineInt):
1733         (JSC::DFG::SpeculativeJIT::speculateMachineInt):
1734         (JSC::DFG::SpeculativeJIT::speculateDoubleRepMachineInt):
1735         * dfg/DFGStrengthReductionPhase.cpp:
1736         (JSC::DFG::StrengthReductionPhase::handleNode):
1737         * dfg/DFGUseKind.cpp:
1738         (WTF::printInternal):
1739         * dfg/DFGUseKind.h:
1740         (JSC::DFG::typeFilterFor):
1741         (JSC::DFG::isNumerical):
1742         (JSC::DFG::isDouble):
1743         * dfg/DFGValidate.cpp:
1744         (JSC::DFG::Validate::validate):
1745         * ftl/FTLCapabilities.cpp:
1746         (JSC::FTL::canCompile):
1747         * ftl/FTLIntrinsicRepository.h:
1748         * ftl/FTLLowerDFGToLLVM.cpp:
1749         (JSC::FTL::LowerDFGToLLVM::compileInt52Rep):
1750         (JSC::FTL::LowerDFGToLLVM::doubleToInt32):
1751         (JSC::FTL::LowerDFGToLLVM::jsValueToDouble):
1752         (JSC::FTL::LowerDFGToLLVM::jsValueToStrictInt52):
1753         (JSC::FTL::LowerDFGToLLVM::doubleToStrictInt52):
1754         (JSC::FTL::LowerDFGToLLVM::speculate):
1755         (JSC::FTL::LowerDFGToLLVM::speculateMachineInt):
1756         (JSC::FTL::LowerDFGToLLVM::speculateDoubleRepMachineInt):
1757         * jit/JITOperations.h:
1758         * jsc.cpp:
1759         (GlobalObject::finishCreation):
1760         (functionIdentity):
1761         * runtime/Intrinsic.h:
1762         * runtime/JSCJSValue.h:
1763         * runtime/JSCJSValueInlines.h:
1764         (JSC::tryConvertToInt52):
1765         (JSC::isInt52):
1766         (JSC::JSValue::isMachineInt):
1767         * tests/stress/dead-fiat-double-to-int52-then-exit-not-int52.js: Added.
1768         (foo):
1769         * tests/stress/dead-fiat-double-to-int52.js: Added.
1770         (foo):
1771         * tests/stress/dead-fiat-int32-to-int52.js: Added.
1772         (foo):
1773         * tests/stress/dead-fiat-value-to-int52-double-path.js: Added.
1774         (foo):
1775         (bar):
1776         * tests/stress/dead-fiat-value-to-int52-then-exit-not-double.js: Added.
1777         (foo):
1778         (bar):
1779         * tests/stress/dead-fiat-value-to-int52-then-exit-not-int52.js: Added.
1780         (foo):
1781         (bar):
1782         * tests/stress/dead-fiat-value-to-int52.js: Added.
1783         (foo):
1784         (bar):
1785         * tests/stress/fiat-double-to-int52-then-exit-not-int52.js: Added.
1786         (foo):
1787         * tests/stress/fiat-double-to-int52-then-fail-to-fold.js: Added.
1788         (foo):
1789         * tests/stress/fiat-double-to-int52-then-fold.js: Added.
1790         (foo):
1791         * tests/stress/fiat-double-to-int52.js: Added.
1792         (foo):
1793         * tests/stress/fiat-int32-to-int52.js: Added.
1794         (foo):
1795         * tests/stress/fiat-value-to-int52-double-path.js: Added.
1796         (foo):
1797         (bar):
1798         * tests/stress/fiat-value-to-int52-then-exit-not-double.js: Added.
1799         (foo):
1800         (bar):
1801         * tests/stress/fiat-value-to-int52-then-exit-not-int52.js: Added.
1802         (foo):
1803         (bar):
1804         * tests/stress/fiat-value-to-int52-then-fail-to-fold.js: Added.
1805         (foo):
1806         * tests/stress/fiat-value-to-int52-then-fold.js: Added.
1807         (foo):
1808         * tests/stress/fiat-value-to-int52.js: Added.
1809         (foo):
1810         (bar):
1811         * tests/stress/int52-force-osr-exit-path.js: Added.
1812         (foo):
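        The conversion that Int52Rep has to get right once it may see non-Int32 inputs, as
        an added example that is not JSC's code. The functions tryConvertToInt52 and isInt52
        are named in the entry; their bodies here, the kNotInt52 sentinel and the
        Int52Result type are this example's assumptions, and the range is taken from the
        name: 52 bits, so integers in [-2^51, 2^51).

```cpp
#include <cmath>
#include <cstdint>

constexpr int kInt52Bits = 52;
constexpr int64_t kInt52Max = (int64_t(1) << (kInt52Bits - 1)) - 1;  //  2^51 - 1
constexpr int64_t kInt52Min = -(int64_t(1) << (kInt52Bits - 1));     // -2^51
constexpr int64_t kNotInt52 = int64_t(1) << kInt52Bits;              // sentinel outside the range

// Every Int32 is an Int52, so this path can never fail.
inline int64_t int32ToInt52(int32_t value) { return value; }

// A double is an Int52 only if it is finite, integral, not -0, and inside [-2^51, 2^51).
// The range is tested on the double *before* the cast: converting an out-of-range double to
// int64_t is undefined behaviour in C++, so the order of these checks matters.
inline int64_t tryConvertToInt52(double number)
{
    if (std::isnan(number) || std::isinf(number))
        return kNotInt52;
    if (number > static_cast<double>(kInt52Max) || number < static_cast<double>(kInt52Min))
        return kNotInt52;
    if (number == 0 && std::signbit(number))
        return kNotInt52;  // -0 has no Int52 representation; it must stay a double
    int64_t asInt64 = static_cast<int64_t>(number);
    if (static_cast<double>(asInt64) != number)
        return kNotInt52;  // fractional part
    return asInt64;
}

inline bool isInt52(double number) { return tryConvertToInt52(number) != kNotInt52; }

// What a speculative Int52Rep on an arbitrary double input has to do: either produce the
// Int52 or report that the speculation failed (where the engine would OSR exit).
struct Int52Result {
    bool ok;
    int64_t value;
};

inline Int52Result int52RepFromDouble(double number)
{
    int64_t v = tryConvertToInt52(number);
    return { v != kNotInt52, v };
}
```

        The -0 case is the one most easily forgotten: it compares equal to 0 and passes the
        integrality test, yet treating it as Int52 zero would change the result of a later
        division or sign check.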
1813
1814 2014-07-14  Mark Hahnenberg  <mhahnenberg@apple.com>
1815
1816         Flattening dictionaries with oversize backing stores can cause crashes
1817         https://bugs.webkit.org/show_bug.cgi?id=134906
1818
1819         Reviewed by Filip Pizlo.
1820
1821         The collector expects that any pointers into CopiedSpace passed to copyLater are within 32 KB
1822         of the CopiedBlock header. This was always the case except for when flattening a dictionary 
1823         caused the size of the Butterfly to decrease. This was equivalent to moving the base of the 
1824         Butterfly to higher addresses. If the object was reduced sufficiently in size, the base 
1825         would no longer be within the first 32 KB of the CopiedBlock and the next collection would 
1826         choke on the Butterfly pointer.
1827
1828         This patch fixes this issue by detecting this situation during flattening and memmove-ing
1829         the Butterfly down to where the old base was.
1830
1831         * runtime/JSObject.cpp:
1832         (JSC::JSObject::shiftButterflyAfterFlattening):
1833         * runtime/JSObject.h:
1834         (JSC::JSObject::butterflyPreCapacity):
1835         (JSC::JSObject::butterflyTotalSize):
1836         * runtime/Structure.cpp:
1837         (JSC::Structure::flattenDictionaryStructure):
1838         * tests/stress/flatten-oversize-dictionary-object.js: Added.
1839         (foo):
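        The failure and the fix described above, as an added example that is not JSC's
        code: a butterfly in an oversize (two-block) CopiedBlock whose property slots sit
        before the butterfly pointer, so dropping slots moves the base to a higher
        address, and a shift-down that keeps the base where the collector can find it.
        The 32 KB block size comes from the entry; the header size, the slot layout, the
        block-lookup-by-rounding-down and all names are this example's assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

constexpr size_t kBlockSize = 32 * 1024;  // CopiedBlock size, as stated in the entry
constexpr size_t kHeaderSize = 64;        // assumed header size; not JSC's real layout
constexpr size_t kSlotSize = 8;           // one JSValue slot

// How the collector finds a pointer's block in this model: round down to a block boundary.
// That is only right when the pointer lies within the first kBlockSize bytes of its block.
inline uintptr_t blockFor(const void* p)
{
    return reinterpret_cast<uintptr_t>(p) & ~static_cast<uintptr_t>(kBlockSize - 1);
}

// Simplified butterfly: `slots` out-of-line property slots laid out *before* the butterfly
// pointer and `payloadSize` bytes of indexed storage after it. The allocation base (what
// copyLater is handed) is therefore butterfly - slots * kSlotSize.
struct Butterfly {
    std::vector<uint8_t> storage;  // backing memory; `block` is aligned inside it
    uint8_t* block = nullptr;      // start of the oversize, two-block CopiedBlock
    uint8_t* butterfly = nullptr;  // the pointer the JSObject stores
    size_t slots = 0;
    size_t payloadSize = 0;

    uint8_t* base() const { return butterfly - slots * kSlotSize; }
    size_t totalSize() const { return slots * kSlotSize + payloadSize; }
};

// Place one butterfly right after the header of a block-aligned region.
inline Butterfly allocateOversize(size_t slots, size_t payloadSize)
{
    Butterfly b;
    b.storage.assign(3 * kBlockSize, uint8_t{0});
    uintptr_t raw = reinterpret_cast<uintptr_t>(b.storage.data());
    b.block = reinterpret_cast<uint8_t*>((raw + kBlockSize - 1) & ~static_cast<uintptr_t>(kBlockSize - 1));
    b.slots = slots;
    b.payloadSize = payloadSize;
    b.butterfly = b.block + kHeaderSize + slots * kSlotSize;
    for (size_t i = 0; i < payloadSize; ++i)
        b.butterfly[i] = static_cast<uint8_t>(i);  // recognisable indexed contents
    return b;
}

// Pre-fix behaviour: keep fewer slots and let the base move up. Requires keptSlots <= slots.
inline void shrinkWithoutShift(Butterfly& b, size_t keptSlots) { b.slots = keptSlots; }

// The fix the entry describes: after shrinking, memmove the live bytes down so the base
// stays where the old base was, then retarget the butterfly pointer by the same amount.
inline void shrinkAndShiftDown(Butterfly& b, size_t keptSlots)
{
    uint8_t* oldBase = b.base();
    b.slots = keptSlots;
    uint8_t* newBase = b.base();
    size_t shift = static_cast<size_t>(newBase - oldBase);
    std::memmove(oldBase, newBase, b.totalSize());
    b.butterfly -= shift;
}

// Would the collector map this base back to the block that really owns it?
inline bool baseFindsRightBlock(const Butterfly& b)
{
    return blockFor(b.base()) == reinterpret_cast<uintptr_t>(b.block);
}

inline bool payloadIntact(const Butterfly& b)
{
    for (size_t i = 0; i < b.payloadSize; ++i)
        if (b.butterfly[i] != static_cast<uint8_t>(i))
            return false;
    return true;
}
```

        With 5000 slots (40000 bytes) before the pointer, shrinking to 10 slots leaves the
        base nearly 40 KB past the block header, so rounding down lands in the wrong block;
        after the shift the base is back at the header and the indexed bytes are unchanged.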
1840
1841 2014-07-14  Benjamin Poulain  <benjamin@webkit.org>
1842
1843         Remove some dead code from FTLJITFinalizer
1844         https://bugs.webkit.org/show_bug.cgi?id=134874
1845
1846         Reviewed by Geoffrey Garen.
1847
1848         Not sure what that code was for...but it does not do anything :)
1849
1850         * ftl/FTLJITFinalizer.cpp:
1851         (JSC::FTL::JITFinalizer::finalizeFunction):
1852         The pointer of the label is computed but never used.
1853
1854         * ftl/FTLJITFinalizer.h:
1855         * ftl/FTLLink.cpp:
1856         (JSC::FTL::link):
1857         The label is never set to anything.
1858
1859 2014-07-14  Bear Travis  <betravis@adobe.com>
1860
1861         [Feature Queries] Enable Feature Queries on Mac
1862         https://bugs.webkit.org/show_bug.cgi?id=134404
1863
1864         Reviewed by Antti Koivisto.
1865
1866         Enable Feature Queries on Mac and resume running the
1867         feature tests.
1868
1869         * Configurations/FeatureDefines.xcconfig: Turn on
1870         ENABLE_CSS3_CONDITIONAL_RULES.
1871
1872 2014-07-11  Joseph Pecoraro  <pecoraro@apple.com>
1873
1874         Web Inspector: Debugger Pause button does not work
1875         https://bugs.webkit.org/show_bug.cgi?id=134785
1876
1877         Reviewed by Timothy Hatcher.
1878
1879         * CMakeLists.txt:
1880         * DerivedSources.make:
1881         Minification strips the sourceURL command. Add it back with minification.
1882
1883 2014-07-11  peavo@outlook.com  <peavo@outlook.com>
1884
1885         [Win] Enable DFG JIT.
1886         https://bugs.webkit.org/show_bug.cgi?id=123615
1887
1888         Reviewed by Mark Lam.
1889
1890         When the return type of a JIT generated function call is larger than 64-bit (e.g. SlowPathReturnType),
1891         the normal call() implementation cannot be used on 64-bit Windows, because the 64-bit Windows ABI is different in this case.
1892         Also, when generating calls with double arguments, we need to make sure the arguments are put in the correct registers,
1893         since the register allocation differs on 64-bit Windows.
1894
1895         * assembler/MacroAssemblerX86_64.h:
1896         (JSC::MacroAssemblerX86_64::callWithSlowPathReturnType): Added method to handle function calls where the return value type size is larger than 64-bit.
1897         * jit/CCallHelpers.h:
1898         (JSC::CCallHelpers::setupArgumentsWithExecState): Move arguments to correct registers when there are floating point arguments.
1899         (JSC::CCallHelpers::setupArgumentsWithExecStateForCallWithSlowPathReturnType): Added method.
1900         * jit/JIT.h:
1901         (JSC::JIT::appendCallWithSlowPathReturnType): Added method.
1902         * jit/JITInlines.h:
1903         (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType): Added method.
1904         (JSC::JIT::callOperation): Call new method.
1905
1906 2014-07-09  Benjamin Poulain  <benjamin@webkit.org>
1907
1908         Use 16-bit instructions for push/pop on ARMv7 when possible
1909         https://bugs.webkit.org/show_bug.cgi?id=134753
1910
1911         Reviewed by Geoffrey Garen.
1912
1913         The patch r170839 mixed the code for push/pop pair and single push/pop.
1914         That part was reverted in r170909.
1915
1916         This patch puts the code back but specialized for single push/pop.
1917
1918         * assembler/ARMv7Assembler.h:
1919         (JSC::ARMv7Assembler::pop):
1920         (JSC::ARMv7Assembler::push):
1921         * assembler/MacroAssemblerARMv7.h:
1922         (JSC::MacroAssemblerARMv7::pop):
1923         (JSC::MacroAssemblerARMv7::push):
1924
1925 2014-07-09  Brent Fulgham  <bfulgham@apple.com>
1926
1927         [Win] Remove uses of 'bash' in build system
1928         https://bugs.webkit.org/show_bug.cgi?id=134782
1929         <rdar://problem/17615533>
1930
1931         Reviewed by Dean Jackson.
1932
1933         Remove uses of 'bash' by replacing Windows-specific bash scripts
1934         with Perl equivalents.
1935
1936         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1937         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj:
1938         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.filters:
1939         * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd:
1940         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1941         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
1942         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh.
1943         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Removed.
1944         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1945         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
1946         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh.
1947         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: Removed.
1948         * JavaScriptCore.vcxproj/build-generated-files.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/build-generated-files.sh.
1949         * JavaScriptCore.vcxproj/build-generated-files.sh: Removed.
1950         * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd:
1951         * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd:
1952         * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd:
1953
1954 2014-07-09  Brent Fulgham  <bfulgham@apple.com>
1955
1956         [Win] Remove use of 'grep' in build steps
1957         https://bugs.webkit.org/show_bug.cgi?id=134770
1958         <rdar://problem/17608783>
1959
1960         Reviewed by Tim Horton.
1961
1962         Replace uses of the grep command in Windows builds with the equivalent
1963         Perl program.
1964
1965         * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd:
1966         * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd:
1967         * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd:
1968         * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd:
1969
1970 2014-07-08  Benjamin Poulain  <benjamin@webkit.org>
1971
1972         Restore the assertion changed with 170839
1973
1974         * assembler/ARMv7Assembler.h:
1975         (JSC::ARMv7Assembler::pop):
1976         (JSC::ARMv7Assembler::push):
1977         Revert the Assembler part of 170839. The assertions do not match both encodings.
1978
1979         I'll add specific versions of push and pop instead.
1980
1981 2014-07-08  Jon Honeycutt  <jhoneycutt@apple.com>
1982
1983         RemoteInspector::shared() should not call WTF::initializeMainThread()
1984         <https://bugs.webkit.org/show_bug.cgi?id=134747>
1985         <rdar://problem/17161482>
1986
1987         Reviewed by Joseph Pecoraro.
1988
1989         * inspector/remote/RemoteInspector.mm:
1990         (Inspector::RemoteInspector::shared):
1991         Don't call WTF::initializeMainThread(). WTF threading is initialized by
1992         JSC::initializeThreading().
1993
1994 2014-07-08  Andreas Kling  <akling@apple.com>
1995
1996         VM::lastCachedString should be a Strong, not a Weak.
1997         <https://webkit.org/b/134746>
1998
1999         Using Weak<JSString> for this regressed some of our bindings perf tests
2000         due to Weak having to allocate a new WeakImpl every time the last cached
2001         string changed. Making it a Strong instead should make that problem go away.
2002
2003         Reviewed by Geoffrey Garen.
2004
2005         * runtime/JSString.cpp:
2006         (JSC::jsStringWithCacheSlowCase):
2007         * runtime/VM.h:
2008
2009 2014-07-07  Benjamin Poulain  <bpoulain@apple.com>
2010
2011         Fix the build after r170876
2012
2013         * assembler/LinkBuffer.cpp:
2014         (JSC::LinkBuffer::linkCode):
2015
2016 2014-07-07  Benjamin Poulain  <benjamin@webkit.org>
2017
2018         LinkBuffer should not keep a reference to the MacroAssembler
2019         https://bugs.webkit.org/show_bug.cgi?id=134668
2020
2021         Reviewed by Geoffrey Garen.
2022
2023         In FTL, the LinkBuffer can outlive the MacroAssembler that was used for code generation.
2024         When that happens, the pointer m_assembler points to released memory. That was not causing
2025         issues because the attribute is not used after linking, but that was not particularly
2026         future proof.
2027
2028         This patch refactors LinkBuffer to avoid any lifetime risk. The MacroAssembler is now passed
2029         as a reference; it is used for linking, but no reference is ever stored with the LinkBuffer.
2030
2031         While fixing the call sites to use a reference, I also discovered LinkBuffer.h was included
2032         everywhere. I refactored some #include to avoid that.
2033
2034         * assembler/LinkBuffer.cpp:
2035         (JSC::LinkBuffer::copyCompactAndLinkCode):
2036         (JSC::LinkBuffer::linkCode):
2037         * assembler/LinkBuffer.h:
2038         (JSC::LinkBuffer::LinkBuffer):
2039         * bytecode/Watchpoint.cpp:
2040         * dfg/DFGDisassembler.cpp:
2041         * dfg/DFGDisassembler.h:
2042         * dfg/DFGJITCompiler.cpp:
2043         (JSC::DFG::JITCompiler::link):
2044         (JSC::DFG::JITCompiler::linkFunction):
2045         * dfg/DFGOSRExitCompiler.cpp:
2046         * dfg/DFGPlan.cpp:
2047         * dfg/DFGThunks.cpp:
2048         (JSC::DFG::osrExitGenerationThunkGenerator):
2049         (JSC::DFG::osrEntryThunkGenerator):
2050         * ftl/FTLCompile.cpp:
2051         (JSC::FTL::generateICFastPath):
2052         (JSC::FTL::fixFunctionBasedOnStackMaps):
2053         * ftl/FTLJSCall.cpp:
2054         * ftl/FTLJSCall.h:
2055         * ftl/FTLLink.cpp:
2056         (JSC::FTL::link):
2057         * ftl/FTLLowerDFGToLLVM.cpp:
2058         * ftl/FTLOSRExitCompiler.cpp:
2059         (JSC::FTL::compileStub):
2060         * ftl/FTLThunks.cpp:
2061         (JSC::FTL::osrExitGenerationThunkGenerator):
2062         (JSC::FTL::slowPathCallThunkGenerator):
2063         * jit/ArityCheckFailReturnThunks.cpp:
2064         (JSC::ArityCheckFailReturnThunks::returnPCsFor):
2065         * jit/JIT.cpp:
2066         (JSC::JIT::privateCompile):
2067         * jit/JITCall.cpp:
2068         (JSC::JIT::privateCompileClosureCall):
2069         * jit/JITCall32_64.cpp:
2070         (JSC::JIT::privateCompileClosureCall):
2071         * jit/JITDisassembler.cpp:
2072         * jit/JITDisassembler.h:
2073         * jit/JITOpcodes.cpp:
2074         * jit/JITPropertyAccess.cpp:
2075         (JSC::JIT::stringGetByValStubGenerator):
2076         (JSC::JIT::privateCompileGetByVal):
2077         (JSC::JIT::privateCompilePutByVal):
2078         * jit/JITPropertyAccess32_64.cpp:
2079         (JSC::JIT::stringGetByValStubGenerator):
2080         * jit/RegisterPreservationWrapperGenerator.cpp:
2081         (JSC::generateRegisterPreservationWrapper):
2082         (JSC::registerRestorationThunkGenerator):
2083         * jit/Repatch.cpp:
2084         (JSC::generateByIdStub):
2085         (JSC::tryCacheGetByID):
2086         (JSC::emitPutReplaceStub):
2087         (JSC::emitPutTransitionStub):
2088         (JSC::tryRepatchIn):
2089         (JSC::linkClosureCall):
2090         * jit/SpecializedThunkJIT.h:
2091         (JSC::SpecializedThunkJIT::finalize):
2092         * jit/ThunkGenerators.cpp:
2093         (JSC::throwExceptionFromCallSlowPathGenerator):
2094         (JSC::linkForThunkGenerator):
2095         (JSC::linkClosureCallForThunkGenerator):
2096         (JSC::virtualForThunkGenerator):
2097         (JSC::nativeForGenerator):
2098         (JSC::arityFixup):
2099         * llint/LLIntThunks.cpp:
2100         (JSC::LLInt::generateThunkWithJumpTo):
2101         * yarr/YarrJIT.cpp:
2102         (JSC::Yarr::YarrGenerator::compile):
2103
2104 2014-07-07  Andreas Kling  <akling@apple.com>
2105
2106         Fast path for jsStringWithCache() when asked for the same string repeatedly.
2107         <https://webkit.org/b/134635>
2108
2109         Reviewed by Darin Adler.
2110
2111         Follow-up to r170818 addressing a review comment by Geoff Garen.
2112
2113         * runtime/JSString.cpp:
2114         (JSC::jsStringWithCacheSlowCase):
2115
2116 2014-07-07  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>
2117
2118         Add missing ENABLE(FTL_JIT) guards
2119         https://bugs.webkit.org/show_bug.cgi?id=134680
2120
2121         Reviewed by Darin Adler.
2122
2123         * ftl/FTLDWARFDebugLineInfo.cpp:
2124         * ftl/FTLDWARFDebugLineInfo.h:
2125         * ftl/FTLGeneratedFunction.h:
2126
2127 2014-07-07  Zan Dobersek  <zdobersek@igalia.com>
2128
2129         Enable ARMv7 disassembler for the GTK port
2130         https://bugs.webkit.org/show_bug.cgi?id=134676
2131
2132         Reviewed by Benjamin Poulain.
2133
2134         * CMakeLists.txt: Add ARMv7DOpcode.cpp file to the build.
2135         * disassembler/ARMv7/ARMv7DOpcode.cpp: Include the string.h header for strlen().
2136
2137 2014-07-06  Benjamin Poulain  <benjamin@webkit.org>
2138
2139         [ARMv7] Use 16-bit instructions for push/pop when possible
2140         https://bugs.webkit.org/show_bug.cgi?id=134656
2141
2142         Reviewed by Andreas Kling.
2143
2144         * assembler/ARMv7Assembler.h:
2145         (JSC::ARMv7Assembler::pop):
2146         (JSC::ARMv7Assembler::push):
2147         (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp7Imm9):
2148         Add the 16-bit version of push and pop.
2149
2150         * assembler/MacroAssemblerARMv7.h:
2151         (JSC::MacroAssemblerARMv7::pop):
2152         (JSC::MacroAssemblerARMv7::push):
2153         Use the new push/pop instead of a regular load/store.
2154
2155         * disassembler/ARMv7/ARMv7DOpcode.cpp:
2156         (JSC::ARMv7Disassembler::ARMv7DOpcode::appendRegisterList):
2157         * disassembler/ARMv7/ARMv7DOpcode.h:
2158         (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscPushPop::registerMask):
2159         Fix the disassembler for push/pop:
2160         -The register mask was on 7 bits for some reason.
2161         -The code printing the registers was comparing a register ID with a register
2162          mask.
2163
2164 2014-07-06  Yoav Weiss  <yoav@yoav.ws>
2165
2166         Turn on img@sizes compile flag
2167         https://bugs.webkit.org/show_bug.cgi?id=134634
2168
2169         Reviewed by Benjamin Poulain.
2170
2171         * Configurations/FeatureDefines.xcconfig: Moved compile flag to alphabetical order.
2172
2173 2014-07-06  Daewoong Jang  <daewoong.jang@navercorp.com>
2174
2175         Flags value of SourceCodeKey should be unique for each case.
2176         https://bugs.webkit.org/show_bug.cgi?id=134435
2177
2178         Reviewed by Darin Adler.
2179
2180         Different combinations of CodeType and JSParserStrictness could generate the same m_flags value because
2181         the value of CodeType and the value of JSParserStrictness share a bit inside the m_flags member variable.
2182         Shift the value of CodeType one bit farther to the left so those values don't overlap.
2183
2184         * runtime/CodeCache.h:
2185         (JSC::SourceCodeKey::SourceCodeKey):
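
The key collision described in this entry, illustrated with an added C++ example that is not part of the ChangeLog or of JavaScriptCore. The enum names and values (three CodeType values, three JSParserStrictness values, a one-bit versus a two-bit shift) are assumptions for the illustration, not taken from the JSC sources.

```cpp
#include <set>

// Hypothetical stand-ins for the two enums packed into SourceCodeKey::m_flags.
// Values are assumptions: three code types and three strictness modes, so each
// field needs two bits of the key.
enum class CodeType : unsigned { Eval = 0, Program = 1, Function = 2 };
enum class ParserStrictness : unsigned { Normal = 0, Strict = 1, Builtin = 2 };

// Packing with the overlap the entry describes: CodeType is shifted by only one
// bit, so its low bit shares a position with the high bit of the strictness
// value, and distinct (type, strictness) pairs can produce the same key.
unsigned packFlagsOverlapping(CodeType type, ParserStrictness strictness)
{
    return (static_cast<unsigned>(type) << 1) | static_cast<unsigned>(strictness);
}

// Packing after the fix: CodeType is shifted past every strictness bit, so the
// two fields occupy disjoint bit ranges of the key.
unsigned packFlagsDisjoint(CodeType type, ParserStrictness strictness)
{
    return (static_cast<unsigned>(type) << 2) | static_cast<unsigned>(strictness);
}

// Exhaustively enumerate every (type, strictness) combination and count how many
// of them reuse a key already produced by an earlier combination. A cache keyed
// on m_flags needs zero collisions; otherwise two differently parsed sources
// would be looked up as the same cache entry.
unsigned countKeyCollisions(unsigned (*pack)(CodeType, ParserStrictness))
{
    std::set<unsigned> seen;
    unsigned collisions = 0;
    for (unsigned t = 0; t < 3; ++t) {
        for (unsigned s = 0; s < 3; ++s) {
            unsigned key = pack(static_cast<CodeType>(t), static_cast<ParserStrictness>(s));
            if (!seen.insert(key).second)
                ++collisions;
        }
    }
    return collisions;
}
```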
2186
2187 2014-07-04  Andreas Kling  <akling@apple.com>
2188
2189         Fast path for jsStringWithCache() when asked for the same string repeatedly.
2190         <https://webkit.org/b/134635>
2191
2192         Also moved the whole thing from WebCore to JavaScriptCore since it
2193         makes more sense here, and inlined the lightweight checks, leaving only
2194         the hashmap stuff out of line.
2195
2196         Reviewed by Darin Adler.
2197
2198         * runtime/JSString.cpp:
2199         (JSC::jsStringWithCacheSlowCase):
2200         * runtime/JSString.h:
2201         (JSC::jsStringWithCache):
2202         * runtime/VM.h:
2203
2204 2014-07-03  Daniel Bates  <dabates@apple.com>
2205
2206         Add WTF::move()
2207         https://bugs.webkit.org/show_bug.cgi?id=134500
2208
2209         Rubber-stamped by Anders Carlsson.
2210
2211         Substitute WTF::move() for std::move().
2212
2213         * bytecode/CodeBlock.h:
2214         * bytecode/UnlinkedCodeBlock.cpp:
2215         * bytecompiler/BytecodeGenerator.cpp:
2216         * dfg/DFGGraph.cpp:
2217         * dfg/DFGJITCompiler.cpp:
2218         * dfg/DFGStackLayoutPhase.cpp:
2219         * dfg/DFGWorklist.cpp:
2220         * heap/DelayedReleaseScope.h:
2221         * heap/HeapInlines.h:
2222         [...]
2223
2224 2014-07-03  Filip Pizlo  <fpizlo@apple.com>
2225
2226         SSA DCE should process blocks in forward order
2227         https://bugs.webkit.org/show_bug.cgi?id=134611
2228
2229         Reviewed by Andreas Kling.
2230
2231         * dfg/DFGDCEPhase.cpp:
2232         (JSC::DFG::DCEPhase::run):
2233         * ftl/FTLLowerDFGToLLVM.cpp:
2234         (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
2235         * tests/stress/dead-value-with-mov-hint-in-another-block.js: Added.
2236         (foo):
2237
2238 2014-07-03  Filip Pizlo  <fpizlo@apple.com>
2239
2240         JSActivation::symbolTablePut() should invalidate variable watchpoints
2241         https://bugs.webkit.org/show_bug.cgi?id=134602
2242
2243         Reviewed by Oliver Hunt.
2244         
2245         Usually stores to captured variables cause us to invalidate the variable watchpoint because CodeBlock does so
2246         during linking - we essentially assume that if it's at all possible for an inner function to store to a
2247         variable we declare then this variable cannot be a constant. But this misses the dynamic store case, i.e.
2248         JSActivation::symbolTablePut(). Part of the problem here is that JSActivation duplicates
2249         JSSymbolTableObject's symbolTablePut() logic, which did have the invalidation. This patch keeps that code
2250         duplicated, but fixes JSActivation::symbolTablePut() to do the right thing.
2251
2252         * runtime/JSActivation.cpp:
2253         (JSC::JSActivation::symbolTablePut):
2254         * runtime/JSSymbolTableObject.h:
2255         (JSC::symbolTablePut):
2256         * tests/stress/constant-closure-var-with-dynamic-invalidation.js: Added.
2257         (.):
2258
2259 2014-07-01  Mark Lam  <mark.lam@apple.com>
2260
2261         Debugger's breakpoint list should not be a Vector.
2262         <https://webkit.org/b/134514>
2263
2264         Reviewed by Geoffrey Garen.
2265
2266         The debugger currently stores breakpoint data as entries in a Vector (see
2267         BreakpointsInLine).  It also keeps a fast map look up of breakpoint IDs to
2268         the breakpoint data (see m_breakpointIDToBreakpoint).  Because a Vector can
2269         compact or reallocate its backing store, this can cause all sorts of havoc.
2270         The m_breakpointIDToBreakpoint map assumes that the breakpoint data doesn't
2271         move in memory.
2272
2273         The fix is to replace the BreakpointsInLine Vector with a BreakpointsList
2274         doubly linked list.
2275
2276         * debugger/Breakpoint.h:
2277         (JSC::Breakpoint::Breakpoint):
2278         (JSC::BreakpointsList::~BreakpointsList):
2279         * debugger/Debugger.cpp:
2280         (JSC::Debugger::setBreakpoint):
2281         (JSC::Debugger::removeBreakpoint):
2282         (JSC::Debugger::hasBreakpoint):
2283         * debugger/Debugger.h:
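
The pointer-stability problem this entry describes, shown with an added C++ example that is not part of the ChangeLog or of JavaScriptCore. The Breakpoint struct is a hypothetical stand-in; the containers are std::vector (the pattern being replaced) and std::list (a doubly linked list, the replacement the entry chose).

```cpp
#include <cstddef>
#include <cstdint>
#include <list>
#include <map>
#include <vector>

// Hypothetical stand-in for a breakpoint record; not JSC's Breakpoint class.
struct Breakpoint {
    unsigned id;
    unsigned line;
};

// Mirrors the pattern the entry describes: records live in some container, and a
// side map from breakpoint ID to the record's address is kept for fast lookup.
// Addresses are stored as integers so that comparing a stale one is well defined.
template<typename Container>
bool recordAddressesSurviveInsertions(std::size_t count)
{
    Container store;
    std::map<unsigned, std::uintptr_t> idToRecordAddress;
    for (unsigned i = 0; i < count; ++i) {
        store.push_back(Breakpoint{i, 10 * i});
        idToRecordAddress[i] = reinterpret_cast<std::uintptr_t>(&store.back());
    }
    // Re-walk the container and check that every recorded address still names
    // the element owning that ID. A mismatch means the side map now refers to
    // memory the container has already released.
    for (const Breakpoint& bp : store) {
        auto it = idToRecordAddress.find(bp.id);
        if (it == idToRecordAddress.end() || it->second != reinterpret_cast<std::uintptr_t>(&bp))
            return false;
    }
    return true;
}

// Vector: growth reallocates the backing store and moves every element, so the
// side map is left pointing into freed memory (the havoc the entry describes).
bool vectorKeepsBreakpointPointersValid(std::size_t count)
{
    return recordAddressesSurviveInsertions<std::vector<Breakpoint>>(count);
}

// Doubly linked list: each node is allocated separately and never moves, so an
// address handed out at insertion time stays valid until that node is erased.
bool listKeepsBreakpointPointersValid(std::size_t count)
{
    return recordAddressesSurviveInsertions<std::list<Breakpoint>>(count);
}
```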
2284
2285 2014-06-30  Michael Saboff  <msaboff@apple.com>
2286
2287         Add option to run-jsc-stress-tests to filter out tests that use large heaps
2288         https://bugs.webkit.org/show_bug.cgi?id=134458
2289
2290         Reviewed by Filip Pizlo.
2291
2292         Added test to skip js1_5/Regress/regress-159334.js when testing on a memory limited device.
2293
2294         * tests/mozilla/mozilla-tests.yaml:
2295
2296 2014-06-30  Daniel Bates  <dabates@apple.com>
2297
2298         Avoid copying closed variables vector; actually use move semantics
2299
2300         Rubber-stamped by Oliver Hunt.
2301
2302         Currently we always copy the closed variables vector passed by Parser::closedVariables()
2303         to ProgramNode::setClosedVariables() because these member functions return and take a const
2304         rvalue reference, respectively. Instead, these member functions should take and return a non-
2305         constant rvalue reference so that we actually move the closed variables vector from the Parser
2306         object to the Node object.
2307
2308         * parser/Nodes.cpp:
2309         (JSC::ProgramNode::setClosedVariables): Remove const qualifier for argument.
2310         * parser/Nodes.h:
2311         (JSC::ScopeNode::setClosedVariables): Ditto.
2312         * parser/Parser.h:
2313         (JSC::Parser::closedVariables): Remove const qualifier on return type.
2314         (JSC::parse): Remove extraneous call to std::move(). Calling std::move() is unnecessary here
2315         because Parser::closedVariables() returns an rvalue reference.
2316
2317 2014-06-30  Joseph Pecoraro  <pecoraro@apple.com>
2318
2319         JSContext Inspection: Provide a way to use a non-Main RunLoop for Inspector JavaScript Evaluations
2320         https://bugs.webkit.org/show_bug.cgi?id=134371
2321
2322         Reviewed by Timothy Hatcher.
2323
2324         * API/JSContextPrivate.h:
2325         * API/JSContext.mm:
2326         (-[JSContext _debuggerRunLoop]):
2327         (-[JSContext _setDebuggerRunLoop:]):
2328         Private API for setting the CFRunLoop for a debugger to evaluate in.
2329         
2330         * API/JSContextRefInternal.h: Added.
2331         * API/JSContextRef.cpp:
2332         (JSGlobalContextGetDebuggerRunLoop):
2333         (JSGlobalContextSetDebuggerRunLoop):
2334         Internal API for setting a CFRunLoop on a JSContextRef.
2335         Set this on the debuggable.
2336         
2337         * inspector/remote/RemoteInspectorDebuggable.h:
2338         * inspector/remote/RemoteInspectorDebuggableConnection.h:
2339         (Inspector::RemoteInspectorBlock::RemoteInspectorBlock):
2340         (Inspector::RemoteInspectorBlock::~RemoteInspectorBlock):
2341         (Inspector::RemoteInspectorBlock::operator=):
2342         (Inspector::RemoteInspectorBlock::operator()):
2343         Moved into the header.
2344
2345         * runtime/JSGlobalObject.h:
2346         (JSC::JSGlobalObject::inspectorDebuggable):
2347         Let's store the RunLoop on the debuggable instead of this core
2348         platform agnostic class, so expose the debuggable.
2349
2350         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
2351         (Inspector::RemoteInspectorHandleRunSourceGlobal):
2352         (Inspector::RemoteInspectorQueueTaskOnGlobalQueue):
2353         (Inspector::RemoteInspectorInitializeGlobalQueue):
2354         Rename the global functions for clarity.
2355
2356         (Inspector::RemoteInspectorHandleRunSourceWithInfo):
2357         Handler for private run loops.
2358
2359         (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
2360         (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
2361         (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
2362         (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):
2363         (Inspector::RemoteInspectorDebuggableConnection::teardownRunLoop):
2364         (Inspector::RemoteInspectorDebuggableConnection::queueTaskOnPrivateRunLoop):
2365         Set up, tear down, and use private run loop sources if the debuggable needs them.
2366
2367 2014-06-30  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>
2368
2369         Add missing ENABLE(DFG_JIT) guards
2370         https://bugs.webkit.org/show_bug.cgi?id=134444
2371
2372         Reviewed by Darin Adler.
2373
2374         * dfg/DFGFunctionWhitelist.cpp:
2375         * dfg/DFGFunctionWhitelist.h:
2376
2377 2014-06-29  Yoav Weiss  <yoav@yoav.ws>
2378
2379         Add support for HTMLImageElement's sizes attribute
2380         https://bugs.webkit.org/show_bug.cgi?id=133620
2381
2382         Reviewed by Dean Jackson.
2383
2384         Added an ENABLE_PICTURE_SIZES compile flag.
2385
2386         * Configurations/FeatureDefines.xcconfig:
2387
2388 2014-06-27  Filip Pizlo  <fpizlo@apple.com>
2389
2390         Don't fold a UInt32ToNumber with DoOverflow to Identity since that would result in an Identity that takes an Int32 and returns a DoubleRep
2391         https://bugs.webkit.org/show_bug.cgi?id=134412
2392
2393         Reviewed by Mark Hahnenberg.
2394
2395         * dfg/DFGCSEPhase.cpp:
2396         (JSC::DFG::CSEPhase::setReplacement):
2397         * dfg/DFGStrengthReductionPhase.cpp:
2398         (JSC::DFG::StrengthReductionPhase::handleNode):
2399         * dfg/DFGValidate.cpp:
2400         (JSC::DFG::Validate::validate):
2401         * tests/stress/uint32-to-number-fold-constant-with-do-overflow.js: Added.
2402         (foo):
2403         (bar):
2404         (baz):
2405
2406 2014-06-27  Peyton Randolph  <prandolph@apple.com>
2407
2408         Add feature flag for link long-press gesture.
2409         https://bugs.webkit.org/show_bug.cgi?id=134262
2410
2411         Reviewed by Enrica Casucci.
2412
2413         * Configurations/FeatureDefines.xcconfig:
2414         Add ENABLE_LINK_LONG_PRESS.
2415
2416 2014-06-27  László Langó  <llango.u-szeged@partner.samsung.com>
2417
2418         [JavaScriptCore] FTL buildfix for EFL platform.
2419         https://bugs.webkit.org/show_bug.cgi?id=133546
2420
2421         Reviewed by Darin Adler.
2422
2423         * ftl/FTLAbstractHeap.cpp:
2424         (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
2425         * ftl/FTLLocation.cpp:
2426         (JSC::FTL::Location::forStackmaps):
2427         * ftl/FTLLowerDFGToLLVM.cpp:
2428         (JSC::FTL::LowerDFGToLLVM::opposite):
2429         * ftl/FTLOSRExitCompiler.cpp:
2430         (JSC::FTL::compileStub):
2431         * ftl/FTLStackMaps.cpp:
2432         (JSC::FTL::StackMaps::Constant::dump):
2433         * llvm/InitializeLLVMPOSIX.cpp:
2434         (JSC::initializeLLVMPOSIX):
2435
2436 2014-06-26  Benjamin Poulain  <benjamin@webkit.org>
2437
2438         iOS 8 beta 2 ES6 'Set' clear() broken
2439         https://bugs.webkit.org/show_bug.cgi?id=134346
2440
2441         Reviewed by Oliver Hunt.
2442
2443         The object map was not cleared :(.
2444
2445         Kudos to Ashley Gullen for tracking this and making a regression test.
2446         Credit to Oliver for finding the missing code.
2447
2448         * runtime/MapData.h:
2449         (JSC::MapData::clear):
2450
2451 2014-06-25  Brent Fulgham  <bfulgham@apple.com>
2452
2453         [Win] Expose Cache Information to WinLauncher
2454         https://bugs.webkit.org/show_bug.cgi?id=134318
2455
2456         Reviewed by Dean Jackson.
2457
2458         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing
2459         MemoryStatistics files to the Windows build.
2460         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2461
2462 2014-06-26  David Kilzer  <ddkilzer@apple.com>
2463
2464         DFG::FunctionWhitelist::parseFunctionNamesInFile does not close file
2465         <http://webkit.org/b/134343>
2466         <rdar://problem/17459487>
2467
2468         Reviewed by Michael Saboff.
2469
2470         * dfg/DFGFunctionWhitelist.cpp:
2471         (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
2472         Close the file handle, and log an error on failure.
2473
2474 2014-06-25  Dana Burkart  <dburkart@apple.com>
2475
2476         Add support for 5-tuple versioning.
2477
2478         Reviewed by David Farler.
2479
2480         * Configurations/Version.xcconfig:
2481
2482 2014-06-25  Geoffrey Garen  <ggaren@apple.com>
2483
2484         Build fix.
2485
2486         Unreviewed.
2487
2488         * runtime/JSDateMath.cpp:
2489         (JSC::parseDateFromNullTerminatedCharacters):
2490         * runtime/VM.cpp:
2491         (JSC::VM::resetDateCache): Use std::numeric_limits instead of QNaN
2492         constant since that constant doesn't exist anymore.
2493
2494 2014-06-25  Geoffrey Garen  <ggaren@apple.com>
2495
2496         Unreviewed, rolling out r166876.
2497
2498         Caused some ECMA test262 failures
2499
2500         Reverted changeset:
2501
2502         "Date object needs to check for ES5 15.9.1.14 TimeClip limit."
2503         https://bugs.webkit.org/show_bug.cgi?id=131248
2504         http://trac.webkit.org/changeset/166876
2505
2506 2014-06-25  Brent Fulgham  <bfulgham@apple.com>
2507
2508         [Win] Unreviewed gardening.
2509
2510         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Update to
2511         put various files in proper IDE categories.
2512
2513 2014-06-25  peavo@outlook.com  <peavo@outlook.com>
2514
2515         [Win64] ASM LLINT is not enabled.
2516         https://bugs.webkit.org/show_bug.cgi?id=130638
2517
2518         This patch adds a new LLINT assembler backend for Win64, and implements it.
2519         It makes adjustments to follow the Win64 ABI spec where it's found to be needed.
2520         Also, LLINT and JIT are enabled for Win64.
2521
2522         Reviewed by Mark Lam.
2523
2524         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added JITStubsMSVC64.asm.
2525         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
2526         * JavaScriptCore/JavaScriptCore.vcxproj/jsc/jscCommon.props: Increased stack size to avoid stack overflow in tests.
2527         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Generate assembler source file for Win64.
2528         * assembler/MacroAssemblerX86_64.h: 
2529         (JSC::MacroAssemblerX86_64::call): Follow Win64 ABI spec.
2530         * jit/JITStubsMSVC64.asm: Added.
2531         * jit/Repatch.cpp:
2532         (JSC::emitPutTransitionStub): Compile fix.
2533         * jit/ThunkGenerators.cpp:
2534         (JSC::nativeForGenerator): Follow Win64 ABI spec.
2535         * llint/LLIntData.cpp:
2536         (JSC::LLInt::Data::performAssertions): Ditto.
2537         * llint/LLIntOfflineAsmConfig.h: Enable new llint backend for Win64.
2538         * llint/LowLevelInterpreter.asm: Implement new Win64 backend, and follow Win64 ABI spec.
2539         * llint/LowLevelInterpreter64.asm: Ditto.
2540         * offlineasm/asm.rb: Compile fix.
2541         * offlineasm/backends.rb: Add new llint backend for Win64.
2542         * offlineasm/settings.rb: Compile fix.
2543         * offlineasm/x86.rb: Implement new llint Win64 backend.
2544
2545 2014-06-25  Laszlo Gombos  <l.gombos@samsung.com>
2546
2547         Remove build guard for progress element
2548         https://bugs.webkit.org/show_bug.cgi?id=134292
2549
2550         Reviewed by Benjamin Poulain.
2551
2552         * Configurations/FeatureDefines.xcconfig:
2553
2554 2014-06-24  Michael Saboff  <msaboff@apple.com>
2555
2556         Add support routines to provide descriptive JavaScript backtraces
2557         https://bugs.webkit.org/show_bug.cgi?id=134278
2558
2559         Reviewed by Mark Lam.
2560
2561         * interpreter/CallFrame.cpp:
2562         (JSC::CallFrame::dump):
2563         (JSC::CallFrame::describeFrame):
2564         * interpreter/CallFrame.h:
2565         * runtime/JSCJSValue.cpp:
2566         (JSC::JSValue::dumpForBacktrace):
2567         * runtime/JSCJSValue.h:
2568
2569 2014-06-24  Brady Eidson  <beidson@apple.com>
2570
2571         Enable GAMEPAD in the Mac build, but disabled at runtime.
2572         https://bugs.webkit.org/show_bug.cgi?id=134255
2573
2574         Reviewed by Dean Jackson.
2575
2576         * Configurations/FeatureDefines.xcconfig:
2577
2578         * runtime/JSObject.h: Export JSObject::removeDirect() to allow disabling
2579           functions at runtime.
2580
2581 2014-06-24  Mark Hahnenberg  <mhahnenberg@apple.com>
2582
2583         REGRESSION (r169703): Invalid cast in JSC::asGetterSetter / JSC::JSObject::defineOwnNonIndexProperty
2584         https://bugs.webkit.org/show_bug.cgi?id=134046
2585
2586         Reviewed by Filip Pizlo.
2587
2588         * runtime/GetterSetter.h:
2589         (JSC::asGetterSetter):
2590         * runtime/JSObject.cpp:
2591         (JSC::JSObject::defineOwnNonIndexProperty): We need to check for a CustomGetterSetter here as well as
2592         a normal GetterSetter. If we encounter a CustomGetterSetter, we delete it, create a new normal GetterSetter,
2593         and insert it like normal. We also need to check for CustomAccessors when checking for unconfigurable properties.
2594
2595 2014-06-24  Brent Fulgham  <bfulgham@apple.com>
2596
2597         [Win] MSVC mishandles enums in bitfields
2598         https://bugs.webkit.org/show_bug.cgi?id=134237
2599
2600         Reviewed by Michael Saboff.
2601
2602         Replace uses of enum types in bit fields with unsigned to
2603         avoid losing a bit to hold the sign value. This can result
2604         in Windows interpreting the value of the field improperly.
2605
2606         * bytecode/StructureStubInfo.h:
2607         * parser/Nodes.h:
2608
2609 2014-06-23  Andreas Kling  <akling@apple.com>
2610
2611         Inline the UnlinkedInstructionStream::Reader logic.
2612         <https://webkit.org/b/134203>
2613
2614         This class is only used by CodeBlock to unpack the unlinked instructions,
2615         and we were spending 0.5% of total time on PLT calling Reader::next().
2616         Move the logic to the header file and mark it ALWAYS_INLINE.
2617
2618         Reviewed by Geoffrey Garen.
2619
2620         * bytecode/UnlinkedInstructionStream.cpp:
2621         * bytecode/UnlinkedInstructionStream.h:
2622         (JSC::UnlinkedInstructionStream::Reader::Reader):
2623         (JSC::UnlinkedInstructionStream::Reader::read8):
2624         (JSC::UnlinkedInstructionStream::Reader::read32):
2625         (JSC::UnlinkedInstructionStream::Reader::next):
2626
2627 2014-06-20  Sam Weinig  <sam@webkit.org>
2628
2629         Remove static tables for bindings that use eager reification
2630         https://bugs.webkit.org/show_bug.cgi?id=134126
2631
2632         Reviewed by Oliver Hunt.
2633
2634         * runtime/JSObject.cpp:
2635         (JSC::JSObject::putDirectCustomAccessor):
2636         * runtime/Structure.h:
2637         (JSC::Structure::setHasCustomGetterSetterProperties):
2638         Change setHasCustomGetterSetterProperties to behave like setHasGetterSetterProperties, and set
2639         the m_hasReadOnlyOrGetterSetterPropertiesExcludingProto bit if the property is not __proto__.
2640         Without this, JSObject::put() won't think there are any setters on the prototype chain of an
2641         object that has no static lookup table and uses eagerly reified custom getter/setter properties.
2642
2643 2014-06-21  Brady Eidson  <beidson@apple.com>
2644
2645         Gamepad API - Deprecate the existing implementation
2646         https://bugs.webkit.org/show_bug.cgi?id=134108
2647
2648         Reviewed by Timothy Hatcher.
2649
2650         -Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it
2651         -Move some implementation files into a "deprecated" subdirectory.
2652
2653         * Configurations/FeatureDefines.xcconfig:
2654
2655 2014-06-21  Commit Queue  <commit-queue@webkit.org>
2656
2657         Unreviewed, rolling out r170244.
2658         https://bugs.webkit.org/show_bug.cgi?id=134157
2659
2660         GTK/EFL bindings generator works differently, making this
2661         patch not work there.  Will fix entire patch after a rollout.
2662         (Requested by bradee-oh on #webkit).
2663
2664         Reverted changeset:
2665
2666         "Gamepad API - Deprecate the existing implementation"
2667         https://bugs.webkit.org/show_bug.cgi?id=134108
2668         http://trac.webkit.org/changeset/170244
2669
2670 2014-06-21  Brady Eidson  <beidson@apple.com>
2671
2672         Gamepad API - Deprecate the existing implementation
2673         https://bugs.webkit.org/show_bug.cgi?id=134108
2674
2675         Reviewed by Timothy Hatcher.
2676
2677         -Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it
2678         -Add the "Deprecated" suffix to some implementation files
2679
2680         * Configurations/FeatureDefines.xcconfig:
2681
2682 2014-06-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
2683
2684         Removing PAGE_VISIBILITY_API compile guard.
2685         https://bugs.webkit.org/show_bug.cgi?id=133844
2686
2687         Reviewed by Gavin Barraclough.
2688
2689         * Configurations/FeatureDefines.xcconfig:
2690
2691 2014-06-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
2692
2693         ARM traditional buildfix after r169942.
2694         https://bugs.webkit.org/show_bug.cgi?id=134100
2695
2696         Reviewed by Zoltan Herczeg.
2697
2698         * assembler/MacroAssemblerARM.h:
2699         (JSC::MacroAssemblerARM::abortWithReason): Added.
2700
2701 2014-06-20  Andreas Kling  <akling@apple.com>
2702
2703         [Cocoa] Release freed up blocks from the JS heap after simulated memory pressure.
2704         <https://webkit.org/b/134112>
2705
2706         Reviewed by Mark Hahnenberg.
2707
2708         * heap/BlockAllocator.h:
2709
2710 2014-06-19  Alex Christensen  <achristensen@webkit.org>
2711
2712         Unreviewed fix after r170130.
2713
2714         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj:
2715         Corrected directory so it can find common.props when opening Visual Studio.
2716
2717 2014-06-19  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
2718
2719         Remove ENABLE(LLINT) and ENABLE(LLINT_C_LOOP) guards
2720         https://bugs.webkit.org/show_bug.cgi?id=130389
2721
2722         Reviewed by Mark Lam.
2723
2724         Removed ENABLE(LLINT) since we always build with it, and changed ENABLE(LLINT_C_LOOP)
2725         into !ENABLE(JIT) since they are mutually exclusive.
2726
2727         * CMakeLists.txt:
2728         * assembler/MacroAssemblerCodeRef.h:
2729         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
2730         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
2731         * assembler/MaxFrameExtentForSlowPathCall.h:
2732         * bytecode/CallLinkStatus.cpp:
2733         (JSC::CallLinkStatus::computeFromLLInt):
2734         * bytecode/CodeBlock.cpp:
2735         (JSC::dumpStructure):
2736         (JSC::CodeBlock::printGetByIdCacheStatus):
2737         (JSC::CodeBlock::printCallOp):
2738         (JSC::CodeBlock::CodeBlock):
2739         (JSC::CodeBlock::~CodeBlock):
2740         (JSC::CodeBlock::propagateTransitions):
2741         (JSC::CodeBlock::finalizeUnconditionally):
2742         (JSC::CodeBlock::unlinkCalls):
2743         (JSC::CodeBlock::unlinkIncomingCalls):
2744         (JSC::CodeBlock::linkIncomingCall):
2745         (JSC::CodeBlock::frameRegisterCount):
2746         * bytecode/CodeBlock.h:
2747         * bytecode/GetByIdStatus.cpp:
2748         (JSC::GetByIdStatus::computeFromLLInt):
2749         * bytecode/Opcode.h:
2750         (JSC::padOpcodeName):
2751         * bytecode/PutByIdStatus.cpp:
2752         (JSC::PutByIdStatus::computeFromLLInt):
2753         * bytecompiler/BytecodeGenerator.cpp:
2754         (JSC::BytecodeGenerator::emitCall):
2755         (JSC::BytecodeGenerator::emitConstruct):
2756         * heap/Heap.cpp:
2757         (JSC::Heap::gatherJSStackRoots):
2758         * interpreter/Interpreter.cpp:
2759         (JSC::Interpreter::initialize):
2760         (JSC::Interpreter::isOpcode):
2761         * interpreter/Interpreter.h:
2762         (JSC::Interpreter::getOpcodeID):
2763         * interpreter/JSStack.cpp:
2764         (JSC::JSStack::JSStack):
2765         (JSC::JSStack::committedByteCount):
2766         * interpreter/JSStack.h:
2767         * interpreter/JSStackInlines.h:
2768         (JSC::JSStack::ensureCapacityFor):
2769         (JSC::JSStack::topOfFrameFor):
2770         (JSC::JSStack::setStackLimit):
2771         * jit/ExecutableAllocatorFixedVMPool.cpp:
2772         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
2773         * jit/JIT.h:
2774         (JSC::JIT::compileCTINativeCall):
2775         * jit/JITExceptions.h:
2776         * jit/JITThunks.cpp:
2777         (JSC::JITThunks::ctiNativeCall):
2778         (JSC::JITThunks::ctiNativeConstruct):
2779         * llint/LLIntCLoop.cpp:
2780         * llint/LLIntCLoop.h:
2781         * llint/LLIntData.cpp:
2782         (JSC::LLInt::initialize):
2783         (JSC::LLInt::Data::performAssertions):
2784         * llint/LLIntData.h:
2785         (JSC::LLInt::Data::performAssertions): Deleted.
2786         * llint/LLIntEntrypoint.cpp:
2787         * llint/LLIntEntrypoint.h:
2788         * llint/LLIntExceptions.cpp:
2789         * llint/LLIntExceptions.h:
2790         * llint/LLIntOfflineAsmConfig.h:
2791         * llint/LLIntOffsetsExtractor.cpp:
2792         (JSC::LLIntOffsetsExtractor::dummy):
2793         * llint/LLIntOpcode.h:
2794         * llint/LLIntSlowPaths.cpp:
2795         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2796         * llint/LLIntSlowPaths.h:
2797         * llint/LLIntThunks.cpp:
2798         * llint/LLIntThunks.h:
2799         * llint/LowLevelInterpreter.cpp:
2800         * llint/LowLevelInterpreter.h:
2801         * runtime/CommonSlowPaths.cpp:
2802         * runtime/CommonSlowPaths.h:
2803         * runtime/ErrorHandlingScope.cpp:
2804         (JSC::ErrorHandlingScope::ErrorHandlingScope):
2805         (JSC::ErrorHandlingScope::~ErrorHandlingScope):
2806         * runtime/Executable.cpp:
2807         (JSC::setupLLInt):
2808         * runtime/InitializeThreading.cpp:
2809         (JSC::initializeThreading):
2810         * runtime/JSCJSValue.h:
2811         * runtime/JSCJSValueInlines.h:
2812         * runtime/Options.cpp:
2813         (JSC::recomputeDependentOptions):
2814         * runtime/VM.cpp:
2815         (JSC::VM::VM):
2816         (JSC::sanitizeStackForVM):
2817         * runtime/VM.h:
2818         (JSC::VM::canUseJIT): Deleted.
2819
2820 2014-06-18  Alex Christensen  <achristensen@webkit.org>
2821
2822         Add FTL to Windows build.
2823         https://bugs.webkit.org/show_bug.cgi?id=134015
2824
2825         Reviewed by Filip Pizlo.
2826
2827         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2828         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2829         Added ftl source files.
2830         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
2831         Added ftl and llvm directories to include path.
2832         * JavaScriptCore.vcxproj/libllvmForJSC: Added.
2833         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Added.
2834         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Added.
2835         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Added.
2836         * ftl/FTLLowerDFGToLLVM.cpp:
2837         (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
2838         MSVC doesn't like to divide by zero while compiling.  Use std::nan instead.
2839         * llvm/InitializeLLVMWin.cpp: Added.
2840         (JSC::initializeLLVMImpl):
2841         Implemented dynamic loading and linking for Windows.
2842
2843 2014-06-18  Alex Christensen  <achristensen@webkit.org>
2844
2845         Unreviewed build fix after r170107.
2846
2847         * dfg/DFGSpeculativeJIT.cpp:
2848         (JSC::DFG::SpeculativeJIT::compileArithMod):
2849         Use non-template sub for armv7s.
2850
2851 2014-06-18  David Kilzer  <ddkilzer@apple.com>
2852
2853         -[JSContext setName:] leaks NSString
2854         <http://webkit.org/b/134038>
2855
2856         Reviewed by Joseph Pecoraro.
2857
2858         Fixes the following static analyzer warning:
2859
2860             JavaScriptCore/API/JSContext.mm:200:73: warning: Potential leak of an object
2861                 JSStringRef nameJS = name ? JSStringCreateWithCFString((CFStringRef)[name copy]) : nullptr;
2862                                                                                     ^
2863
2864         * API/JSContext.mm:
2865         (-[JSContext setName:]): Autorelease the copy of |name|.
2866
2867 2014-06-18  Mark Lam  <mark.lam@apple.com>
2868
2869         DFGGraph::m_doubleConstantMap will not map 0 values correctly.
2870         <https://webkit.org/b/133994>
2871
2872         Reviewed by Geoffrey Garen.
2873
2874         DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
2875         because it means two unfortunate things:
2876         - It will probably break for zero.
2877         - It will think that -0 is the same as +0 under some circumstances, since
2878           -0==+0 even though they are distinct values (for example 1/-0 != 1/+0).
2879
2880         The fix is to use std::unordered_map which does not require special empty
2881         and deleted values, and to use the raw bits instead of the double value as
2882         the key.
2883
2884         * dfg/DFGGraph.h:
2885         * dfg/DFGJITCompiler.cpp:
2886         (JSC::DFG::JITCompiler::addressOfDoubleConstant):
2887
2888 2014-06-18  Alex Christensen  <achristensen@webkit.org>
2889
2890         Remove duplicate code using sdiv.
2891         https://bugs.webkit.org/show_bug.cgi?id=133764
2892
2893         Reviewed by Daniel Bates.
2894
2895         * assembler/ARMv7Assembler.h:
2896         (JSC::ARMv7Assembler::sdiv):
2897         Make sdiv a template to match arm64.
2898         * dfg/DFGSpeculativeJIT.cpp:
2899         (JSC::DFG::SpeculativeJIT::compileArithDiv):
2900         (JSC::DFG::SpeculativeJIT::compileArithMod):
2901         Remove duplicate code that was identical except for sdiv not being a template.
2902
2903 2014-06-17  Commit Queue  <commit-queue@webkit.org>
2904
2905         Unreviewed, rolling out r170082.
2906         https://bugs.webkit.org/show_bug.cgi?id=134006
2907
2908         Breaks build. (Requested by mlam on #webkit).
2909
2910         Reverted changeset:
2911
2912         "DFGGraph::m_doubleConstantMap will not map 0 values
2913         correctly."
2914         https://bugs.webkit.org/show_bug.cgi?id=133994
2915         http://trac.webkit.org/changeset/170082
2916
2917 2014-06-17  Mark Lam  <mark.lam@apple.com>
2918
2919         DFGGraph::m_doubleConstantMap will not map 0 values correctly.
2920         <https://webkit.org/b/133994>
2921
2922         Reviewed by Geoffrey Garen.
2923
2924         DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
2925         because it means two unfortunate things:
2926         - It will probably break for zero.
2927         - It will think that -0 is the same as +0 under some circumstances, since
2928           -0==+0 even though they are distinct values (for example 1/-0 != 1/+0).
2929
2930         The fix is to use std::unordered_map which does not require special empty
2931         and deleted values, and to use the raw bits instead of the double value as
2932         the key.
2933
2934         * dfg/DFGGraph.h:
2935         * dfg/DFGJITCompiler.cpp:
2936         (JSC::DFG::JITCompiler::addressOfDoubleConstant):
2937
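        As an added illustration of the -0/+0 and NaN problem described in the entry above (example code, not JavaScriptCore's own; the ConstantPool class, its key policies and the sample constants are hypothetical, and std::unordered_map stands in for the WTF::HashMap the entry mentions, so the separate "zero is the empty value" sentinel issue is not reproduced here):

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <unordered_map>
#include <vector>

// Key policy that uses the double itself as the map key: the behaviour the
// ChangeLog entry describes as broken (-0.0 == +0.0, and NaN != NaN).
struct ByValueKey {
    using Key = double;
    static Key keyFor(double d) { return d; }
};

// Key policy that uses the raw IEEE-754 bit pattern: the fix the entry describes.
// Distinct bit patterns (including the sign bit of zero) get distinct keys, and
// identical NaN encodings collapse to one key.
struct ByBitsKey {
    using Key = uint64_t;
    static Key keyFor(double d) {
        uint64_t bits;
        std::memcpy(&bits, &d, sizeof bits); // well-defined type pun
        return bits;
    }
};

// Hypothetical constant pool (not JSC's): each distinct constant gets one slot.
template <typename KeyPolicy>
class ConstantPool {
public:
    size_t indexFor(double value) {
        typename KeyPolicy::Key key = KeyPolicy::keyFor(value);
        auto it = m_map.find(key);
        if (it != m_map.end())
            return it->second;
        size_t index = m_constants.size();
        m_constants.push_back(value);
        m_map.emplace(key, index);
        return index;
    }
    double constantAt(size_t index) const { return m_constants[index]; }
    size_t size() const { return m_constants.size(); }

private:
    std::unordered_map<typename KeyPolicy::Key, size_t> m_map;
    std::vector<double> m_constants;
};

// Constructed sample: constants a compiled function might use, with both
// zeros, a duplicated 1.0 and three NaNs of identical encoding.
static const double kSampleConstants[] = { 0.0, -0.0, 1.0, 1.0, NAN, NAN, NAN };

template <typename KeyPolicy>
static ConstantPool<KeyPolicy> buildPool() {
    ConstantPool<KeyPolicy> pool;
    for (double d : kSampleConstants)
        pool.indexFor(d);
    return pool;
}

// Slots allocated for the sample under each policy.
// By value: -0.0 is merged into +0.0, and every NaN gets a fresh slot
// because no NaN ever compares equal to a stored one: 5 slots.
size_t slotsByValue() { return buildPool<ByValueKey>().size(); }
// By bits: +0.0, -0.0, 1.0 and one NaN: 4 slots.
size_t slotsByBits() { return buildPool<ByBitsKey>().size(); }

// Does 1 / (the pooled constant looked up for -0.0) still come out as -Infinity?
template <typename KeyPolicy>
static bool reciprocalOfNegativeZeroIsNegative() {
    ConstantPool<KeyPolicy> pool;
    pool.indexFor(0.0); // +0.0 is pooled first, the scenario the entry warns about
    double pooled = pool.constantAt(pool.indexFor(-0.0));
    return std::signbit(1.0 / pooled);
}
bool negativeZeroSurvivesByValue() { return reciprocalOfNegativeZeroIsNegative<ByValueKey>(); }
bool negativeZeroSurvivesByBits() { return reciprocalOfNegativeZeroIsNegative<ByBitsKey>(); }
```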
2938 2014-06-17  Oliver Hunt  <oliver@apple.com>
2939
2940         Fix error messages for incorrect hex literals
2941         https://bugs.webkit.org/show_bug.cgi?id=133998
2942
2943         Reviewed by Mark Lam.
2944
2945         Ensure that the error messages for bogus hex literals actually
2946         make sense.
2947
2948         * parser/Lexer.cpp:
2949         (JSC::Lexer<T>::lex):
2950         * parser/ParserTokens.h:
2951
2952 2014-06-17  Matthew Mirman  <mmirman@apple.com>
2953
2954         Fixes bug where building JSC sometimes crashes at build-symbol-table-index.py. Also adds licenses. 
2955         https://bugs.webkit.org/show_bug.cgi?id=133814
2956
2957         Reviewed by Filip Pizlo.
2958         
2959         Adds the "shopt -s nullglob" line necessary to prevent the loop in the shell 
2960         script from using "*.o" as a file when no other files in the directory exist. 
2961         
2962         * build-symbol-table-index.sh: Added license.
2963         * copy-llvm-ir-to-derived-sources.sh: Added license and "shopt -s nullglob" line.
2964
2965 2014-06-16  Sam Weinig  <sam@webkit.org>
2966
2967         Move forward declaration of bindings static functions into their implementation files
2968         https://bugs.webkit.org/show_bug.cgi?id=133943
2969
2970         Reviewed by Geoffrey Garen.
2971
2972         * runtime/CommonIdentifiers.h:
2973         Add a few identifiers that are needed by the DOM.
2974
2975 2014-06-16  Mark Lam  <mark.lam@apple.com>
2976
2977         Parser statementDepth accounting needs to account for when a function body excludes its braces.
2978         <https://webkit.org/b/133832>
2979
2980         Reviewed by Oliver Hunt.
2981
2982         In some cases (e.g. when a Function object is instantiated from a string), the
2983         function body source may not include its braces.  The parser needs to account
2984         for this when calculating its statementDepth.
2985
2986         * bytecode/UnlinkedCodeBlock.cpp:
2987         (JSC::generateFunctionCodeBlock):
2988         (JSC::UnlinkedFunctionExecutable::codeBlockFor):
2989         * bytecode/UnlinkedCodeBlock.h:
2990         * parser/Parser.cpp:
2991         (JSC::Parser<LexerType>::parseStatement):
2992         - Also fixed the error message for declaring nested functions in strict mode
2993           to be more accurate.
2994         * parser/Parser.h:
2995         (JSC::Parser<LexerType>::parse):
2996         (JSC::parse):
2997         * runtime/Executable.cpp:
2998         (JSC::ScriptExecutable::newCodeBlockFor):
2999
3000 2014-06-16  Juergen Ributzka  <juergen@apple.com>
3001
3002         Change the order of the alias analysis passes to align with the opt pipeline of LLVM
3003         https://bugs.webkit.org/show_bug.cgi?id=133753
3004
3005         Reviewed by Geoffrey Garen.
3006
3007         The order in which the alias analysis passes are added also affects the
3008         order in which they are utilized. Change the order to align with the
3009         one used by LLVM itself. The last alias analysis pass added will be
3010         evaluated first. With this change we first perform a basic alias
3011         analysis and then use the type-based alias analysis (if required).
3012
3013         * ftl/FTLCompile.cpp:
3014         (JSC::FTL::compile):
3015
3016 2014-06-16  Juergen Ributzka  <juergen@apple.com>
3017
3018         Fix the arguments passed to the LLVM dylib
3019         https://bugs.webkit.org/show_bug.cgi?id=133757
3020
3021         Reviewed by Geoffrey Garen.
3022
3023         The LLVM command line argument parser assumes that the first argument
3024         is the program name. We need to add a fake program name, otherwise the
3025         first argument will be parsed as program name and ignored.
3026
3027         * llvm/library/LLVMExports.cpp:
3028         (initializeAndGetJSCLLVMAPI):
3029
3030 2014-06-16  Michael Saboff  <msaboff@apple.com>
3031
3032         Convert ASSERT in inlineFunctionForCapabilityLevel to early return
3033         https://bugs.webkit.org/show_bug.cgi?id=133903
3034
3035         Reviewed by Mark Hahnenberg.
3036
3037         Hardened code by converting ASSERT to return CannotCompile.
3038
3039         * dfg/DFGCapabilities.h:
3040         (JSC::DFG::inlineFunctionForCapabilityLevel):
3041
3042 2014-06-13  Sam Weinig  <sam@webkit.org>
3043
3044         Store DOM constants directly in the JS object rather than jumping through a custom accessor
3045         https://bugs.webkit.org/show_bug.cgi?id=133898
3046
3047         Reviewed by Oliver Hunt.
3048
3049         * runtime/Lookup.h:
3050         (JSC::HashTableValue::attributes):
3051         Switch attributes to be stored as an unsigned rather than an unsigned char, since there is no difference in memory use
3052         and it will make adding more flags possible.
3053
3054         (JSC::HashTableValue::propertyGetter):
3055         (JSC::HashTableValue::propertyPutter):
3056         Change assertion to use BuiltinOrFunctionOrConstant.
3057
3058         (JSC::HashTableValue::constantInteger):
3059         Added.
3060
3061         (JSC::getStaticPropertySlot):
3062         (JSC::getStaticValueSlot):
3063         Use PropertySlot::setValue() for constants during static lookup.
3064
3065         (JSC::reifyStaticProperties):
3066         Put the constant directly on the object when eagerly reifying.
3067
3068         * runtime/PropertySlot.h:
3069         Add ConstantInteger flag and BuiltinOrFunctionOrConstant helper.
3070
3071 2014-06-14  Michael Saboff  <msaboff@apple.com>
3072
3073         operationCreateArguments could cause a GC during OSR exit
3074         https://bugs.webkit.org/show_bug.cgi?id=133905
3075
3076         Reviewed by Filip Pizlo.
3077
3078         Defer GC via new wrapper functions for operationCreateArguments and operationCreateInlinedArguments
3079         for use by OSR exit stubs.
3080
3081         * dfg/DFGOSRExitCompilerCommon.cpp:
3082         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor):
3083         * dfg/DFGOperations.cpp:
3084         * dfg/DFGOperations.h:
3085         * jit/JITOperations.cpp:
3086         * jit/JITOperations.h:
3087
3088 2014-06-13  Mark Hahnenberg  <mhahnenberg@apple.com>
3089
3090         OSR exit should barrier the Executables for all InlineCallFrames, not just those on the stack at the time of exit
3091         https://bugs.webkit.org/show_bug.cgi?id=133880
3092
3093         Reviewed by Filip Pizlo.
3094
3095         We could have exited due to a value received from an inlined block that's no longer on 
3096         the stack, so we should just barrier all InlineCallFrames.
3097
3098         * dfg/DFGOSRExitCompilerCommon.cpp:
3099         (JSC::DFG::adjustAndJumpToTarget):
3100
3101 2014-06-13  Alex Christensen  <achristensen@webkit.org>
3102
3103         Make css jit compile for armv7.
3104         https://bugs.webkit.org/show_bug.cgi?id=133596
3105
3106         Reviewed by Benjamin Poulain.
3107
3108         * assembler/MacroAssembler.h:
3109         Use branchPtr on ARM_THUMB2.
3110         * assembler/MacroAssemblerARMv7.h:
3111         (JSC::MacroAssemblerARMv7::addPtrNoFlags):
3112         (JSC::MacroAssemblerARMv7::or32):
3113         (JSC::MacroAssemblerARMv7::test32):
3114         (JSC::MacroAssemblerARMv7::branch):
3115         (JSC::MacroAssemblerARMv7::branchPtr):
3116         Added macros necessary for css jit.
3117
3118 2014-06-13  Filip Pizlo  <fpizlo@apple.com>
3119
3120         Unreviewed, fix ARMv7.
3121
3122         * assembler/MacroAssemblerARMv7.h:
3123         (JSC::MacroAssemblerARMv7::abortWithReason):
3124
3125 2014-06-12  Filip Pizlo  <fpizlo@apple.com>
3126
3127         Even better diagnostics from DFG traps
3128         https://bugs.webkit.org/show_bug.cgi?id=133836
3129
3130         Reviewed by Oliver Hunt.
3131         
3132         We now stuff the DFG::NodeType into a register before bailing. Also made the
3133         DFGBailed abort reason a bit more specific. As planned, the new abort reasons use
3134         different numbers than any previous abort reasons.
3135
3136         * assembler/AbortReason.h:
3137         * assembler/MacroAssemblerARM64.h:
3138         (JSC::MacroAssemblerARM64::abortWithReason):
3139         * assembler/MacroAssemblerARMv7.h:
3140         (JSC::MacroAssemblerARMv7::abortWithReason):
3141         * assembler/MacroAssemblerX86.h:
3142         (JSC::MacroAssemblerX86::abortWithReason):
3143         * assembler/MacroAssemblerX86_64.h:
3144         (JSC::MacroAssemblerX86_64::abortWithReason):
3145         * dfg/DFGSpeculativeJIT.cpp:
3146         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
3147         (JSC::DFG::SpeculativeJIT::bail):
3148         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
3149         * dfg/DFGSpeculativeJIT.h:
3150
3151 2014-06-12  Simon Fraser  <simon.fraser@apple.com>
3152
3153         Fix assertions under JSC::setNeverInline() when running js tests in WebKitTestRunner
3154         https://bugs.webkit.org/show_bug.cgi?id=133840
3155
3156         Reviewed by Filip Pizlo.
3157         
3158         Fix ASSERT(exec->vm().currentThreadIsHoldingAPILock()); under JSC::setNeverInline()
3159         when running DFG tests.
3160
3161         * API/JSCTestRunnerUtils.cpp:
3162         (JSC::numberOfDFGCompiles):
3163         (JSC::setNeverInline):
3164
3165 2014-06-12  Brent Fulgham  <bfulgham@apple.com>
3166
3167         [Win] Avoid fork bomb during build
3168         https://bugs.webkit.org/show_bug.cgi?id=133837
3169         <rdar://problem/17296034>
3170
3171         Reviewed by Tim Horton.
3172
3173         * JavaScriptCore.vcxproj/build-generated-files.sh: Use a
3174         reasonable default value when the 'num-cpus' script is not available.
3175
3176 2014-06-12  Mark Lam  <mark.lam@apple.com>
3177
3178         Remove some dead / unused code.
3179         <https://webkit.org/b/133828>
3180
3181         Reviewed by Filip Pizlo.
3182
3183         * builtins/BuiltinExecutables.cpp:
3184         (JSC::BuiltinExecutables::createBuiltinExecutable):
3185         * bytecode/UnlinkedCodeBlock.cpp:
3186         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3187         * bytecode/UnlinkedCodeBlock.h:
3188         (JSC::UnlinkedFunctionExecutable::create):
3189         * bytecompiler/BytecodeGenerator.h:
3190         (JSC::BytecodeGenerator::makeFunction):
3191         * parser/Parser.h:
3192         (JSC::DepthManager::DepthManager): Deleted.
3193         (JSC::DepthManager::~DepthManager): Deleted.
3194         * runtime/CodeCache.cpp:
3195         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
3196
3197 2014-06-12  Mark Hahnenberg  <mhahnenberg@apple.com>
3198
3199         Move structureHasRareData out of TypeInfo
3200         https://bugs.webkit.org/show_bug.cgi?id=133800
3201
3202         Reviewed by Andreas Kling.
3203
3204         StructureHasRareData was originally put in TypeInfo to avoid making Structure bigger, 
3205         but we have a few spare bits in Structure so it would be nice to remove this hack.
3206
3207         * runtime/JSTypeInfo.h:
3208         (JSC::TypeInfo::newImpurePropertyFiresWatchpoints):
3209         (JSC::TypeInfo::structureHasRareData): Deleted.
3210         * runtime/Structure.cpp:
3211         (JSC::Structure::Structure):
3212         (JSC::Structure::allocateRareData):
3213         (JSC::Structure::cloneRareDataFrom):
3214         * runtime/Structure.h:
3215         (JSC::Structure::previousID):
3216         (JSC::Structure::objectToStringValue):
3217         (JSC::Structure::setObjectToStringValue):
3218         (JSC::Structure::setPreviousID):
3219         (JSC::Structure::clearPreviousID):
3220         (JSC::Structure::previous):
3221         (JSC::Structure::rareData):
3222         * runtime/StructureInlines.h:
3223         (JSC::Structure::setEnumerationCache):
3224         (JSC::Structure::enumerationCache):
3225
3226 2014-06-12  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>
3227
3228         Allow enum guards to be generated from the replay json files
3229         https://bugs.webkit.org/show_bug.cgi?id=133399
3230
3231         Reviewed by Csaba Osztrogonác.
3232
3233         * replay/scripts/CodeGeneratorReplayInputs.py:
3234         (Type.__init__):
3235         (InputsModel.parse_type_with_framework_name):
3236         (Generator.generate_header):
3237         (Generator.generate_implementation):
3238         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Added.
3239         (Test::HandleWheelEvent::HandleWheelEvent):
3240         (Test::HandleWheelEvent::~HandleWheelEvent):
3241         (JSC::InputTraits<Test::HandleWheelEvent>::type):
3242         (JSC::InputTraits<Test::HandleWheelEvent>::encode):
3243         (JSC::InputTraits<Test::HandleWheelEvent>::decode):
3244         (JSC::EncodingTraits<WebCore::PlatformWheelEventPhase>::encodeValue):
3245         (JSC::EncodingTraits<WebCore::PlatformWheelEventPhase>::decodeValue):
3246         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Added.
3247         (JSC::InputTraits<Test::HandleWheelEvent>::queue):
3248         (Test::HandleWheelEvent::platformEvent):
3249         * replay/scripts/tests/generate-enum-with-guard.json: Added.
3250
3251 2014-06-12  Carlos Garcia Campos  <cgarcia@igalia.com>
3252
3253         Unreviewed. Fix GTK+ build after r169823.
3254
3255         Include StructureInlines.h in a few more files to fix linking
3256         issues due to JSC::Structure::get undefined symbol.
3257
3258         * runtime/ArrayIteratorConstructor.cpp:
3259         * runtime/ArrayIteratorPrototype.cpp:
3260         * runtime/JSConsole.cpp:
3261         * runtime/JSMapIterator.cpp:
3262         * runtime/JSSet.cpp:
3263         * runtime/JSSetIterator.cpp:
3264         * runtime/JSWeakMap.cpp:
3265         * runtime/MapIteratorPrototype.cpp:
3266         * runtime/MapPrototype.cpp:
3267         * runtime/SetIteratorPrototype.cpp:
3268         * runtime/SetPrototype.cpp:
3269         * runtime/WeakMapPrototype.cpp:
3270
3271 2014-06-12  Csaba Osztrogonác  <ossy@webkit.org>
3272
3273         [EFL] One more URTBF after r169823 to make ARM64 build happy too.
3274
3275         * runtime/JSMap.cpp:
3276
3277 2014-06-11  Mark Hahnenberg  <mhahnenberg@apple.com>
3278
3279         Inline caching should try to flatten uncacheable dictionaries
3280         https://bugs.webkit.org/show_bug.cgi?id=133683
3281
3282         Reviewed by Geoffrey Garen.
3283
3284         There exists a body of JS code that deletes properties off of objects (especially function/constructor objects), 
3285         which puts them into an uncacheable dictionary state. This prevents all future inline caching for these objects. 
3286         If properties are deleted out of the object during its initialization, we can enable caching for that object by 
3287         attempting to flatten it when we see we're trying to do inline caching with that object. We then record that we 
3288         performed this flattening optimization in the object's Structure. If it ever re-enters the uncacheable dictionary 
3289         state then we can just give up on caching that object.
3290
3291         In refactoring some of the code in tryCacheGetById and tryBuildGetByIdList to reduce some duplication, I added
3292         the InlineCacheAction enum, a new way to indicate the success or failure of an inline caching attempt. I changed
3293         the other inline caching functions to return this enum rather than the opaque booleans that we were previously 
3294         returning.
3295