Source/JavaScriptCore/ChangeLog (WebKit-https.git, commit 51115559051d38e04b88cdf6b44648a9ae62eb62)
2014-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        Use Compiler macros instead of raw "final" and "override"
        https://bugs.webkit.org/show_bug.cgi?id=126490

        Reviewed by Sam Weinig.

        * runtime/JSPromiseReaction.cpp:

2014-01-04  Martin Robinson  <mrobinson@igalia.com>

        [GTK] [CMake] Improve the way we locate gobject-introspection
        https://bugs.webkit.org/show_bug.cgi?id=126452

        Reviewed by Philippe Normand.

        * PlatformGTK.cmake: Use the new introspection variables.

2014-01-04  Zan Dobersek  <zdobersek@igalia.com>

        Explicitly use the std:: nested name specifier when using std::pair, std::make_pair
        https://bugs.webkit.org/show_bug.cgi?id=126439

        Reviewed by Andreas Kling.

        Instead of relying on std::pair and std::make_pair symbols being present in the current scope
        through the pair and make_pair symbols, the std:: specifier should be used explicitly.

        * bytecode/Opcode.cpp:
        (JSC::compareOpcodePairIndices):
        (JSC::OpcodeStats::~OpcodeStats):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::makeBinaryNode):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseIfStatement):
        * runtime/Structure.cpp:
        (JSC::StructureTransitionTable::contains):
        (JSC::StructureTransitionTable::get):
        (JSC::StructureTransitionTable::add):

2014-01-03  David Farler  <dfarler@apple.com>

        [super dealloc] missing in Source/JavaScriptCore/API/tests/testapi.mm, fails to build with -Werror,-Wobjc-missing-super-calls
        https://bugs.webkit.org/show_bug.cgi?id=126454

        Reviewed by Geoffrey Garen.

        * API/tests/testapi.mm:
        (-[TextXYZ dealloc]):
        add [super dealloc]
        (-[EvilAllocationObject dealloc]):
        add [super dealloc]

2014-01-02  Carlos Garcia Campos  <cgarcia@igalia.com>

        REGRESSION(r160304): [GTK] Disable libtool fast install
        https://bugs.webkit.org/show_bug.cgi?id=126381

        Reviewed by Martin Robinson.

        Remove -no-fast-install ld flag since fast install is now disabled
        globally.

        * GNUmakefile.am:

2014-01-02  Sam Weinig  <sam@webkit.org>

        Update Promises to the https://github.com/domenic/promises-unwrapping spec
        https://bugs.webkit.org/show_bug.cgi?id=120954

        Reviewed by Filip Pizlo.

        Update Promises to the revised spec. Notable changes:
        - JSPromiseResolver is gone.
        - TaskContext has been renamed Microtask and now has a virtual run() function.
        - Instead of using custom InternalFunction subclasses, JSFunctions are used
          with PrivateName properties for internal slots.

        * CMakeLists.txt:
        * DerivedSources.make:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * interpreter/CallFrame.h:
        (JSC::ExecState::promiseConstructorTable):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::CommonIdentifiers):
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        (JSC::JSGlobalObject::queueMicrotask):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::promiseConstructor):
        (JSC::JSGlobalObject::promisePrototype):
        (JSC::JSGlobalObject::promiseStructure):
        * runtime/JSPromise.cpp:
        (JSC::JSPromise::create):
        (JSC::JSPromise::JSPromise):
        (JSC::JSPromise::finishCreation):
        (JSC::JSPromise::visitChildren):
        (JSC::JSPromise::reject):
        (JSC::JSPromise::resolve):
        (JSC::JSPromise::appendResolveReaction):
        (JSC::JSPromise::appendRejectReaction):
        (JSC::triggerPromiseReactions):
        * runtime/JSPromise.h:
        (JSC::JSPromise::status):
        (JSC::JSPromise::result):
        (JSC::JSPromise::constructor):
        * runtime/JSPromiseCallback.cpp: Removed.
        * runtime/JSPromiseCallback.h: Removed.
        * runtime/JSPromiseConstructor.cpp:
        (JSC::constructPromise):
        (JSC::JSPromiseConstructor::getCallData):
        (JSC::JSPromiseConstructorFuncCast):
        (JSC::JSPromiseConstructorFuncResolve):
        (JSC::JSPromiseConstructorFuncReject):
        * runtime/JSPromiseConstructor.h:
        * runtime/JSPromiseDeferred.cpp: Added.
        (JSC::JSPromiseDeferred::create):
        (JSC::JSPromiseDeferred::JSPromiseDeferred):
        (JSC::JSPromiseDeferred::finishCreation):
        (JSC::JSPromiseDeferred::visitChildren):
        (JSC::createJSPromiseDeferredFromConstructor):
        (JSC::updateDeferredFromPotentialThenable):
        * runtime/JSPromiseDeferred.h: Added.
        (JSC::JSPromiseDeferred::createStructure):
        (JSC::JSPromiseDeferred::promise):
        (JSC::JSPromiseDeferred::resolve):
        (JSC::JSPromiseDeferred::reject):
        * runtime/JSPromiseFunctions.cpp: Added.
        (JSC::deferredConstructionFunction):
        (JSC::createDeferredConstructionFunction):
        (JSC::identifyFunction):
        (JSC::createIdentifyFunction):
        (JSC::promiseAllCountdownFunction):
        (JSC::createPromiseAllCountdownFunction):
        (JSC::promiseResolutionHandlerFunction):
        (JSC::createPromiseResolutionHandlerFunction):
        (JSC::rejectPromiseFunction):
        (JSC::createRejectPromiseFunction):
        (JSC::resolvePromiseFunction):
        (JSC::createResolvePromiseFunction):
        (JSC::throwerFunction):
        (JSC::createThrowerFunction):
        * runtime/JSPromiseFunctions.h: Added.
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototypeFuncThen):
        (JSC::JSPromisePrototypeFuncCatch):
        * runtime/JSPromiseReaction.cpp: Added.
        (JSC::createExecutePromiseReactionMicroTask):
        (JSC::ExecutePromiseReactionMicroTask::run):
        (JSC::JSPromiseReaction::create):
        (JSC::JSPromiseReaction::JSPromiseReaction):
        (JSC::JSPromiseReaction::finishCreation):
        (JSC::JSPromiseReaction::visitChildren):
        * runtime/JSPromiseReaction.h: Added.
        (JSC::JSPromiseReaction::createStructure):
        (JSC::JSPromiseReaction::deferred):
        (JSC::JSPromiseReaction::handler):
        * runtime/JSPromiseResolver.cpp: Removed.
        * runtime/JSPromiseResolver.h: Removed.
        * runtime/JSPromiseResolverConstructor.cpp: Removed.
        * runtime/JSPromiseResolverConstructor.h: Removed.
        * runtime/JSPromiseResolverPrototype.cpp: Removed.
        * runtime/JSPromiseResolverPrototype.h: Removed.
        * runtime/Microtask.h: Added.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:

2014-01-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add support for StoreBarrier and friends to the FTL
        https://bugs.webkit.org/show_bug.cgi?id=126040

        Reviewed by Filip Pizlo.

        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileStoreBarrier):
        (JSC::FTL::LowerDFGToLLVM::compileConditionalStoreBarrier):
        (JSC::FTL::LowerDFGToLLVM::compileStoreBarrierWithNullCheck):
        (JSC::FTL::LowerDFGToLLVM::loadMarkByte):
        (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        * heap/Heap.h:
        (JSC::Heap::writeBarrierBuffer):

2014-01-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        Storing new CopiedSpace memory into a JSObject should fire a write barrier
        https://bugs.webkit.org/show_bug.cgi?id=126025

        Reviewed by Filip Pizlo.

        Technically this is creating a pointer between a (potentially) old generation object and a young
        generation chunk of memory, thus there needs to be a barrier.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGOperations.cpp:
        * heap/CopyWriteBarrier.h: Added. This class functions similarly to the WriteBarrier class. It
        acts as a proxy for pointers to CopiedSpace. Assignments to the field cause a write barrier to
        fire for the object that is the owner of the CopiedSpace memory. This is to ensure during nursery
        collections that objects with new backing stores are visited, even if they are old generation objects.
        (JSC::CopyWriteBarrier::CopyWriteBarrier):
        (JSC::CopyWriteBarrier::operator!):
        (JSC::CopyWriteBarrier::operator UnspecifiedBoolType*):
        (JSC::CopyWriteBarrier::get):
        (JSC::CopyWriteBarrier::operator*):
        (JSC::CopyWriteBarrier::operator->):
        (JSC::CopyWriteBarrier::set):
        (JSC::CopyWriteBarrier::setWithoutWriteBarrier):
        (JSC::CopyWriteBarrier::clear):
        * heap/Heap.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::unshiftCountSlowCase):
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        * runtime/JSCell.h:
        (JSC::JSCell::unvalidatedStructure):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
        * runtime/JSObject.cpp:
        (JSC::JSObject::copyButterfly):
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::countElements):
        (JSC::JSObject::increaseVectorLength):
        (JSC::JSObject::ensureLengthSlow):
        * runtime/JSObject.h:
        (JSC::JSObject::butterfly):
        (JSC::JSObject::setStructureAndButterfly):
        (JSC::JSObject::setButterflyWithoutChangingStructure):
        (JSC::JSObject::JSObject):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::putDirectWithoutTransition):
        * runtime/MapData.cpp:
        (JSC::MapData::ensureSpaceForAppend):
        * runtime/Structure.cpp:
        (JSC::Structure::materializePropertyMap):

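The barrier contract the entry above describes, as an added illustration that is not WebKit code: a toy generational heap in which storing freshly allocated (young) backing-store memory into an old-generation owner is only safe if the store fires a write barrier that puts the owner into the remembered set, because a nursery collection rescans only young objects and that set. All names here (ToyHeap, Owner, Backing, CopyBarrierProxy) are hypothetical stand-ins for Heap, JSObject, Butterfly and CopyWriteBarrier.

```cpp
#include <cassert>
#include <memory>
#include <unordered_set>
#include <vector>

enum class Generation { Young, Old };

// A chunk of "CopiedSpace" memory, e.g. an object's property/element backing store.
struct Backing {
    Generation generation = Generation::Young;  // fresh allocations are always young
    bool marked = false;
    bool freed = false;                         // set when a nursery collection sweeps it
};

struct Owner;

struct ToyHeap {
    std::vector<std::unique_ptr<Backing>> backings;
    std::vector<Owner*> roots;                  // everything reachable starts here
    std::unordered_set<Owner*> rememberedSet;   // old owners that stored a young pointer

    Backing* allocateBacking() {
        backings.push_back(std::make_unique<Backing>());
        return backings.back().get();
    }
    void writeBarrier(Owner* owner);            // fired when an owner stores a young pointer
    void nurseryCollect();                      // marks from young roots + remembered set, sweeps young memory
};

// Pointer into CopiedSpace: set() fires the barrier for the owner, as the entry describes for CopyWriteBarrier.
template<typename T>
class CopyBarrierProxy {
public:
    T* get() const { return m_value; }
    void set(ToyHeap& heap, Owner* owner, T* value) {
        m_value = value;
        heap.writeBarrier(owner);
    }
    // Escape hatch: only safe when the owner is known to be visited anyway.
    void setWithoutWriteBarrier(T* value) { m_value = value; }
private:
    T* m_value = nullptr;
};

struct Owner {                                   // stands in for a JSObject
    Generation generation = Generation::Young;
    CopyBarrierProxy<Backing> butterfly;
};

void ToyHeap::writeBarrier(Owner* owner) {
    // Young owners are scanned by every nursery collection anyway; old owners must be remembered.
    if (owner->generation == Generation::Old)
        rememberedSet.insert(owner);
}

void ToyHeap::nurseryCollect() {
    auto visit = [](Owner* o) {
        Backing* b = o->butterfly.get();
        if (b && b->generation == Generation::Young)
            b->marked = true;
    };
    for (Owner* o : roots) {
        if (o->generation == Generation::Young)  // old roots are deliberately not rescanned
            visit(o);
    }
    for (Owner* o : rememberedSet)
        visit(o);
    rememberedSet.clear();
    for (auto& b : backings) {
        if (b->generation != Generation::Young)
            continue;
        if (b->marked) {                         // survivor: promote to the old generation
            b->marked = false;
            b->generation = Generation::Old;
        } else {
            b->freed = true;                     // swept: any remaining pointer now dangles
        }
    }
}

// True if an old owner's fresh backing store survives the next nursery collection;
// the only difference between the two runs is whether the store fired the barrier.
bool newBackingSurvives(bool useBarrier) {
    ToyHeap heap;
    Owner oldObject;
    oldObject.generation = Generation::Old;      // an object that survived earlier collections
    heap.roots.push_back(&oldObject);
    Backing* fresh = heap.allocateBacking();     // e.g. a grown butterfly
    if (useBarrier)
        oldObject.butterfly.set(heap, &oldObject, fresh);
    else
        oldObject.butterfly.setWithoutWriteBarrier(fresh);
    heap.nurseryCollect();
    return !oldObject.butterfly.get()->freed;
}

int main() {
    assert(newBackingSurvives(true));    // barrier: owner remembered, backing marked and promoted
    assert(!newBackingSurvives(false));  // no barrier: backing swept while still referenced
}
```
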
2013-12-23  Oliver Hunt  <oliver@apple.com>

        Refactor PutPropertySlot to be aware of custom properties
        https://bugs.webkit.org/show_bug.cgi?id=126187

        Reviewed by Antti Koivisto.

        Refactor PutPropertySlot, making the constructor take the thisValue
        used as a target.  This results in a wide range of boilerplate changes
        to pass the new parameter.

        * API/JSObjectRef.cpp:
        (JSObjectSetProperty):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Arguments.cpp:
        (JSC::Arguments::putByIndex):
        * runtime/ArrayPrototype.cpp:
        (JSC::putProperty):
        (JSC::arrayProtoFuncPush):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitiveByIndex):
        * runtime/JSCell.cpp:
        (JSC::JSCell::putByIndex):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::put):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
        * runtime/JSONObject.cpp:
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::putDirectNonIndexAccessor):
        (JSC::JSObject::deleteProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::putDirect):
        * runtime/Lookup.h:
        (JSC::putEntry):
        (JSC::lookupPut):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::PutPropertySlot):
        (JSC::PutPropertySlot::setCustomProperty):
        (JSC::PutPropertySlot::thisValue):
        (JSC::PutPropertySlot::isCacheable):

2014-01-01  Filip Pizlo  <fpizlo@apple.com>

        Rationalize DFG DCE
        https://bugs.webkit.org/show_bug.cgi?id=125523

        Reviewed by Mark Hahnenberg.

        Adds the ability to DCE more things. It's now the case that if a node is completely
        pure, we clear NodeMustGenerate and the node becomes a DCE candidate.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::cleanVariables):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::clobbersWorld):
        * dfg/DFGNodeType.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileAdd):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileValueAdd):

2014-01-02  Benjamin Poulain  <benjamin@webkit.org>

        Attempt to fix the build of WebCore's code generator on CMake based system
        https://bugs.webkit.org/show_bug.cgi?id=126271

        Reviewed by Sam Weinig.

        * CMakeLists.txt:

2013-12-30  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r161157, r161158, r161160, r161161,
        r161163, and r161165.
        http://trac.webkit.org/changeset/161157
        http://trac.webkit.org/changeset/161158
        http://trac.webkit.org/changeset/161160
        http://trac.webkit.org/changeset/161161
        http://trac.webkit.org/changeset/161163
        http://trac.webkit.org/changeset/161165
        https://bugs.webkit.org/show_bug.cgi?id=126332

        Broke WebKit2 on Mountain Lion (Requested by ap on #webkit).

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::~BlockAllocator):
        (JSC::BlockAllocator::waitForRelativeTimeWhileHoldingLock):
        (JSC::BlockAllocator::waitForRelativeTime):
        (JSC::BlockAllocator::blockFreeingThreadMain):
        * heap/BlockAllocator.h:
        (JSC::BlockAllocator::deallocate):

2013-12-30  Anders Carlsson  <andersca@apple.com>

        Fix build.

        * heap/BlockAllocator.h:

2013-12-30  Anders Carlsson  <andersca@apple.com>

        Stop using ThreadCondition in BlockAllocator
        https://bugs.webkit.org/show_bug.cgi?id=126313

        Reviewed by Sam Weinig.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::~BlockAllocator):
        (JSC::BlockAllocator::waitForDuration):
        (JSC::BlockAllocator::blockFreeingThreadMain):
        * heap/BlockAllocator.h:
        (JSC::BlockAllocator::deallocate):

2013-12-30  Anders Carlsson  <andersca@apple.com>

        Stop using ThreadCondition in jsc.cpp
        https://bugs.webkit.org/show_bug.cgi?id=126311

        Reviewed by Sam Weinig.

        * jsc.cpp:
        (timeoutThreadMain):
        (main):

2013-12-30  Anders Carlsson  <andersca@apple.com>

        Replace WTF::ThreadingOnce with std::call_once
        https://bugs.webkit.org/show_bug.cgi?id=126215

        Reviewed by Sam Weinig.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::globalWorklist):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):

2013-12-30  Martin Robinson  <mrobinson@igalia.com>

        [CMake] [GTK] Add support for GObject introspection
        https://bugs.webkit.org/show_bug.cgi?id=126162

        Reviewed by Daniel Bates.

        * PlatformGTK.cmake: Add the GIR targets.

2013-12-28  Filip Pizlo  <fpizlo@apple.com>

        Get rid of DFG forward exiting
        https://bugs.webkit.org/show_bug.cgi?id=125531

        Reviewed by Oliver Hunt.

        This finally gets rid of forward exiting. Forward exiting was always a fragile concept
        since it involved the compiler trying to figure out how to "roll forward" the
        execution from some DFG node to the next bytecode index. It was always easy to find
        counterexamples where it broke, and it has always served as an obstacle to adding
        compiler improvements - the latest being http://webkit.org/b/125523, which tried to
        make DCE work for more things.

        This change finishes the work of removing forward exiting. A lot of forward exiting
        was already removed in some other bugs, but SetLocal still did forward exits. SetLocal
        is in many ways the hardest to remove, since the forward exiting of SetLocal also
        implied that any conversion nodes inserted before the SetLocal would then also be
        marked as forward-exiting. Hence SetLocal's forward-exiting made a bunch of other
        things also forward-exiting, and this was always a source of weirdo bugs.

        SetLocal must be able to exit in case it performs a hoisted type speculation. Nodes
        inserted just before SetLocal must also be able to exit - for example type check
        hoisting may insert a CheckStructure, or fixup phase may insert something like
        Int32ToDouble. But if any of those nodes tried to backward exit, then this could lead
        to the reexecution of a side-effecting operation, for example:

            a: Call(...)
            b: SetLocal(@a, r1)

        For a long time it seemed like SetLocal *had* to exit forward because of this. But
        this change side-steps the problem by changing the ByteCodeParser to always emit a
        kind of "two-phase commit" for stores to local variables. Now when the ByteCodeParser
        wishes to store to a local, it first emits a MovHint and then enqueues a SetLocal.
        The SetLocal isn't actually emitted until the beginning of the next bytecode
        instruction (with the exception of op_enter and op_ret, which emit theirs immediately
        since it's always safe to reexecute those bytecode instructions and since deferring
        SetLocals would be weird there - op_enter has many SetLocals and op_ret is a set
        followed by a jump in case of inlining, so we'd have to emit the SetLocal "after" the
        jump and that would be awkward). This means that the above IR snippet would look
        something like:

            a: Call(..., bc#42)
            b: MovHint(@a, r1, bc#42)
            c: SetLocal(@a, r1, bc#47)

        Where the SetLocal exits "backwards" but appears at the beginning of the next bytecode
        instruction. This means that by the time we get to that SetLocal, the OSR exit
        analysis already knows that r1 is associated with @a, and it means that the SetLocal
        or anything hoisted above it can exit backwards as normal.

        This change also means that the "forward rewiring" can be killed. Previously, we might
        have inserted a conversion node on SetLocal and then the SetLocal died (i.e. turned
        into a MovHint) and the conversion node either died completely or had its lifetime
        truncated to be less than the actual value's bytecode lifetime. This no longer happens
        since conversion nodes are only inserted at SetLocals.

        More precisely, this change introduces two laws that we were basically already
        following anyway:

        1) A MovHint's child should never be changed except if all other uses of that child
           are also replaced. Specifically, this prohibits insertion of conversion nodes at
           MovHints.

        2) Anytime any child is replaced with something else, and all other uses aren't also
           replaced, we must insert a Phantom use of the original child.

        This is a slight compile-time regression but has no effect on code-gen. It unlocks a
        bunch of optimization opportunities so I think it's worth it.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpAssumingJITType):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::instructionCount):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGArrayifySlowPathGenerator.h:
        (JSC::DFG::ArrayifySlowPathGenerator::ArrayifySlowPathGenerator):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::setDirect):
        (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
        (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::eliminate):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::run):
        (JSC::DFG::DCEPhase::fixupBlock):
        (JSC::DFG::DCEPhase::cleanVariables):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixEdge):
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::run):
        (JSC::DFG::LICMPhase::attemptHoist):
        * dfg/DFGMinifiedNode.cpp:
        (JSC::DFG::MinifiedNode::fromNode):
        * dfg/DFGMinifiedNode.h:
        (JSC::DFG::belongsInMinifiedGraph):
        (JSC::DFG::MinifiedNode::constantNumber):
        (JSC::DFG::MinifiedNode::weakConstant):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::hasVariableAccessData):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToPhantom):
        (JSC::DFG::Node::convertToPhantomUnchecked):
        (JSC::DFG::Node::convertToIdentity):
        (JSC::DFG::Node::containsMovHint):
        (JSC::DFG::Node::hasUnlinkedLocal):
        (JSC::DFG::Node::willHaveCodeGenOrOSR):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeFlags.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGOSRExit.cpp:
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitBase.cpp:
        * dfg/DFGOSRExitBase.h:
        (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSite):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
        (JSC::DFG::SpeculativeJIT::typeCheck):
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::needsTypeCheck):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::run):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validateCPS):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetArgument):
        (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
        (JSC::FTL::LowerDFGToLLVM::compileMovHint):
        (JSC::FTL::LowerDFGToLLVM::compileZombieHint):
        (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::typeCheck):
        (JSC::FTL::LowerDFGToLLVM::appendTypeCheck):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        * ftl/FTLOSRExit.cpp:
        * ftl/FTLOSRExit.h:
        * tests/stress/dead-int32-to-double.js: Added.
        (foo):
        * tests/stress/dead-uint32-to-number.js: Added.
        (foo):

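The "two-phase commit" for stores to locals from the entry above, as an added model that is not WebKit code: it lowers a three-instruction bytecode sequence both the old way (SetLocal, with a hoisted Check, emitted at the producing bytecode) and the new way (MovHint now, SetLocal deferred to the start of the next bytecode), then simulates a backward OSR exit at the Check and counts how often the side-effecting Call runs. Every type and function name here (Bytecode, Node, emitImmediate, emitTwoPhase, simulateExit) is hypothetical; the bc#42/bc#47 indices follow the entry's own snippet.

```cpp
#include <cassert>
#include <map>
#include <string>
#include <vector>

struct Bytecode {
    int index;          // bc# as in the IR snippets above
    std::string op;     // the DFG node the instruction lowers to: Call, Add, Return
    bool hasSideEffect; // re-executing it after an exit would be observable
    int dstLocal;       // register written (1 for r1), or -1 if none
};

struct Node {
    std::string op;     // Call, Add, Return, Check, MovHint, SetLocal
    int origin;         // bytecode index a backward exit from this node resumes at
    int local;          // for MovHint/SetLocal: the local written, else -1
};

// Old style: the SetLocal, and a speculation Check hoisted in front of it, carry the
// origin of the bytecode that produced the value.
std::vector<Node> emitImmediate(const std::vector<Bytecode>& bcs) {
    std::vector<Node> ir;
    for (const Bytecode& bc : bcs) {
        ir.push_back({bc.op, bc.index, -1});
        if (bc.dstLocal < 0)
            continue;
        ir.push_back({"Check", bc.index, -1});
        ir.push_back({"SetLocal", bc.index, bc.dstLocal});
    }
    return ir;
}

// New style: MovHint now, SetLocal (with its Check) queued and flushed at the start of
// the next bytecode, so it exits to that instruction instead of the producing one.
std::vector<Node> emitTwoPhase(const std::vector<Bytecode>& bcs) {
    std::vector<Node> ir, delayed;              // 'delayed' plays the DelayedSetLocal queue
    for (const Bytecode& bc : bcs) {
        for (Node& n : delayed) {
            n.origin = bc.index;                // committed at the next instruction's origin
            ir.push_back(n);
        }
        delayed.clear();
        ir.push_back({bc.op, bc.index, -1});
        if (bc.dstLocal < 0)
            continue;
        ir.push_back({"MovHint", bc.index, bc.dstLocal});
        delayed.push_back({"Check", -1, -1});
        delayed.push_back({"SetLocal", -1, bc.dstLocal});
    }
    assert(delayed.empty());                    // the program ends in Return, which writes no local
    return ir;
}

struct ExitOutcome {
    int callExecutions;     // total runs of the side-effecting Call, DFG plus baseline
    bool localKnownAtExit;  // did exit-time availability know what lives in the watched local?
};

// Runs the IR until the first Check, fails it, and resumes the baseline at that Check's
// origin. A backward exit re-executes every bytecode from that origin onward.
ExitOutcome simulateExit(const std::vector<Node>& ir, const std::vector<Bytecode>& bcs, int watchedLocal) {
    ExitOutcome out{0, false};
    std::map<int, bool> available;              // OSR availability: locals committed so far
    int exitOrigin = -1;
    for (const Node& n : ir) {
        if (n.op == "Call")
            out.callExecutions++;
        else if (n.op == "MovHint" || n.op == "SetLocal")
            available[n.local] = true;
        else if (n.op == "Check") {
            exitOrigin = n.origin;
            break;
        }
    }
    out.localKnownAtExit = available.count(watchedLocal) > 0;
    for (const Bytecode& bc : bcs) {
        if (bc.index >= exitOrigin && bc.hasSideEffect)
            out.callExecutions++;               // the baseline runs the Call again
    }
    return out;
}

// Constructed program: bc#42: r1 = call(...); bc#47: r2 = r1 + 1; bc#50: return.
std::vector<Bytecode> sampleProgram() {
    return {{42, "Call", true, 1}, {47, "Add", false, 2}, {50, "Return", false, -1}};
}

int setLocalOrigin(const std::vector<Node>& ir, int local) {
    for (const Node& n : ir)
        if (n.op == "SetLocal" && n.local == local)
            return n.origin;
    return -1;
}

ExitOutcome oldStyleOutcome() { return simulateExit(emitImmediate(sampleProgram()), sampleProgram(), 1); }
ExitOutcome newStyleOutcome() { return simulateExit(emitTwoPhase(sampleProgram()), sampleProgram(), 1); }
```

With the old lowering the Check exits to bc#42 and the Call runs twice; with the deferred SetLocal it exits to bc#47, the MovHint has already told the exit analysis that r1 holds @a, and the Call runs once.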
2013-12-25  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r161033 and r161074.
        http://trac.webkit.org/changeset/161033
        http://trac.webkit.org/changeset/161074
        https://bugs.webkit.org/show_bug.cgi?id=126240

        Oliver says that a rollout would be better (Requested by ap on
        #webkit).

        * API/JSObjectRef.cpp:
        (JSObjectSetProperty):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Arguments.cpp:
        (JSC::Arguments::putByIndex):
        * runtime/ArrayPrototype.cpp:
        (JSC::putProperty):
        (JSC::arrayProtoFuncPush):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitiveByIndex):
        * runtime/JSCell.cpp:
        (JSC::JSCell::putByIndex):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::put):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
        * runtime/JSONObject.cpp:
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::putDirectNonIndexAccessor):
        (JSC::JSObject::deleteProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::putDirect):
        * runtime/Lookup.h:
        (JSC::putEntry):
        (JSC::lookupPut):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::PutPropertySlot):
        (JSC::PutPropertySlot::setNewProperty):
        (JSC::PutPropertySlot::isCacheable):

2013-12-25  Filip Pizlo  <fpizlo@apple.com>

        DFG PhantomArguments shouldn't rely on a dead Phi graph
        https://bugs.webkit.org/show_bug.cgi?id=126218

        Reviewed by Oliver Hunt.

        This change dramatically rationalizes our handling of PhantomArguments (i.e.
        speculative elision of arguments object allocation).

        It's now the case that if we decide that we can elide arguments allocation, we just
        turn the arguments-creating node into a PhantomArguments and mark all locals that
        it's stored to as being arguments aliases. Being an arguments alias and being a
        PhantomArguments means basically the same thing: in DFG execution you have the empty
        value, on OSR exit an arguments object is allocated in your place, and all operations
        that use the value now just refer directly to the actual arguments in the call frame
        header (or the arguments we know that we passed to the call, in case of inlining).

        This means that we no longer have arguments simplification creating a dead Phi graph
        that then has to be interpreted by the OSR exit logic. That sort of never made any
        sense.

        This means that PhantomArguments now has a clear story in SSA: basically SSA just
        gets rid of the "locals" but everything else is the same.

        Finally, this means that we can more easily get rid of forward exiting. As I was
        working on the code to get rid of forward exiting, I realized that I'd have to
        carefully preserve the special meanings of MovHint and SetLocal in the case of
        PhantomArguments. It was really bizarre: even the semantics of MovHint were tied to
        our specific treatment of PhantomArguments. After this change this is no longer the
        case.

        One of the really cool things about this change is that arguments reification now
        just becomes a special kind of FlushFormat. This further unifies things: it means
        that a MovHint(PhantomArguments) and a SetLocal(PhantomArguments) both have the same
        meaning, since both of them dictate that the way we recover the local on exit is by
        reifying arguments. Previously, the SetLocal(PhantomArguments) case needed some
        special handling to accomplish this.

        A downside of this approach is that we will now emit code to store the empty value
        into aliased arguments variables, and we will even emit code to load that empty value
        as well. As far as I can tell this doesn't cost anything, since PhantomArguments are
        most profitable in cases where it allows us to simplify control flow and kill the
        arguments locals entirely. Of course, this isn't an issue in SSA form since SSA form
        also eliminates the locals.

        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        (JSC::DFG::ArgumentsSimplificationPhase::detypeArgumentsReferencingPhantomChild):
        * dfg/DFGFlushFormat.cpp:
        (WTF::printInternal):
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::resultFor):
        (JSC::DFG::useKindFor):
        (JSC::DFG::dataFormatFor):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValueSource.h:
        (JSC::DFG::ValueSource::ValueSource):
        (JSC::DFG::ValueSource::forFlushFormat):
725         * dfg/DFGVariableAccessData.h:
726         (JSC::DFG::VariableAccessData::flushFormat):
727         * ftl/FTLLowerDFGToLLVM.cpp:
728         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
729
730 2013-12-23  Oliver Hunt  <oliver@apple.com>
731
732         Refactor PutPropertySlot to be aware of custom properties
733         https://bugs.webkit.org/show_bug.cgi?id=126187
734
735         Reviewed by msaboff.
736
737         Refactor PutPropertySlot, making the constructor take the thisValue
738         used as a target.  This results in a wide range of boilerplate changes
739         to pass the new parameter.
740
741         * API/JSObjectRef.cpp:
742         (JSObjectSetProperty):
743         * dfg/DFGOperations.cpp:
744         (JSC::DFG::operationPutByValInternal):
745         * interpreter/Interpreter.cpp:
746         (JSC::Interpreter::execute):
747         * jit/JITOperations.cpp:
748         * llint/LLIntSlowPaths.cpp:
749         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
750         * runtime/Arguments.cpp:
751         (JSC::Arguments::putByIndex):
752         * runtime/ArrayPrototype.cpp:
753         (JSC::putProperty):
754         (JSC::arrayProtoFuncPush):
755         * runtime/JSCJSValue.cpp:
756         (JSC::JSValue::putToPrimitiveByIndex):
757         * runtime/JSCell.cpp:
758         (JSC::JSCell::putByIndex):
759         * runtime/JSFunction.cpp:
760         (JSC::JSFunction::put):
761         * runtime/JSGenericTypedArrayViewInlines.h:
762         (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
763         * runtime/JSONObject.cpp:
764         (JSC::Walker::walk):
765         * runtime/JSObject.cpp:
766         (JSC::JSObject::putByIndex):
767         (JSC::JSObject::putDirectNonIndexAccessor):
768         (JSC::JSObject::deleteProperty):
769         * runtime/JSObject.h:
770         (JSC::JSObject::putDirect):
771         * runtime/Lookup.h:
772         (JSC::putEntry):
773         (JSC::lookupPut):
774         * runtime/PutPropertySlot.h:
775         (JSC::PutPropertySlot::PutPropertySlot):
776         (JSC::PutPropertySlot::setCustomProperty):
777         (JSC::PutPropertySlot::thisValue):
778         (JSC::PutPropertySlot::isCacheable):
779
780 2013-12-23  Benjamin Poulain  <benjamin@webkit.org>
781
782         Add class matching to the Selector Code Generator
783         https://bugs.webkit.org/show_bug.cgi?id=126176
784
785         Reviewed by Antti Koivisto and Oliver Hunt.
786
787         Add test and branch based on BaseIndex addressing for x86_64.
788         Fast loops are needed to compete with clang on tight loops.
789
790         * assembler/MacroAssembler.h:
791         * assembler/MacroAssemblerX86_64.h:
792         (JSC::MacroAssemblerX86_64::branch64):
793         (JSC::MacroAssemblerX86_64::branchPtr):
794         * assembler/X86Assembler.h:
795         (JSC::X86Assembler::cmpq_rm):
796
797 2013-12-23  Oliver Hunt  <oliver@apple.com>
798
799         Update custom setter implementations to perform type checks
800         https://bugs.webkit.org/show_bug.cgi?id=126171
801
802         Reviewed by Daniel Bates.
803
804         Modify the setter function signature to take encoded values
805         as we're changing the setter usage everywhere anyway.
806
807         * runtime/Lookup.h:
808         (JSC::putEntry):
809
810 2013-12-23  Lucas Forschler  <lforschler@apple.com>
811
812         <rdar://problem/15682948> Update copyright strings
813         
814         Reviewed by Dan Bernstein.
815
816         * Info.plist:
817         * JavaScriptCore.vcxproj/JavaScriptCore.resources/Info.plist:
818
819 2013-12-23  Zan Dobersek  <zdobersek@igalia.com>
820
821         [GTK] Clean up compiler optimizations flags for libWTF, libJSC
822         https://bugs.webkit.org/show_bug.cgi?id=126157
823
824         Reviewed by Gustavo Noronha Silva.
825
826         * GNUmakefile.am: Remove the -fstrict-aliasing and -O3 compiler flags for libWTF.la. -O3 gets
827         overridden by -O2 that's listed in CXXFLAGS (or -O0 in case of debug builds) and -fstrict-aliasing
828         is enabled when -O2 is used (and shouldn't be enabled in debug builds anyway).
829
830 2013-12-22  Martin Robinson  <mrobinson@igalia.com>
831
832         [CMake] Fix typo from r160812
833         https://bugs.webkit.org/show_bug.cgi?id=126145
834
835         Reviewed by Gustavo Noronha Silva.
836
837         * CMakeLists.txt: Fix typo when detecting the type of library.
838
839 2013-12-22  Martin Robinson  <mrobinson@igalia.com>
840
841         [GTK][CMake] libtool-compatible soversion calculation
842         https://bugs.webkit.org/show_bug.cgi?id=125511
843
844         Reviewed by Gustavo Noronha Silva.
845
846         * CMakeLists.txt: Use the POPULATE_LIBRARY_VERSION macro and the
847         library-specific version information.
848
849 2013-12-23  Gustavo Noronha Silva  <gns@gnome.org>
850
851         [GTK] [CMake] Generate pkg-config files
852         https://bugs.webkit.org/show_bug.cgi?id=125685
853
854         Reviewed by Martin Robinson.
855
856         * PlatformGTK.cmake: Added. Generate javascriptcoregtk-3.0.pc.
857
858 2013-12-22  Benjamin Poulain  <benjamin@webkit.org>
859
860         Create a skeleton for CSS Selector code generation
861         https://bugs.webkit.org/show_bug.cgi?id=126044
862
863         Reviewed by Antti Koivisto and Gavin Barraclough.
864
865         * assembler/LinkBuffer.h:
866         Add a new owner UID for code compiled for CSS.
867         Export the symbols needed to link code from WebCore.
868
869 2013-12-19  Mark Hahnenberg  <mhahnenberg@apple.com>
870
871         Clean up DFG write barriers
872         https://bugs.webkit.org/show_bug.cgi?id=126047
873
874         Reviewed by Filip Pizlo.
875
876         * dfg/DFGSpeculativeJIT.cpp:
877         (JSC::DFG::SpeculativeJIT::storeToWriteBarrierBuffer): Use the register allocator to 
878         determine which registers need saving instead of saving every single one of them.
879         (JSC::DFG::SpeculativeJIT::osrWriteBarrier): We don't need to save live register state 
880         because the write barriers during OSR execute when there are no live registers. Also we  
881         don't need to use pushes to pad the stack pointer for pokes on x86; we can just use an add.
882         (JSC::DFG::SpeculativeJIT::writeBarrier):
883         * dfg/DFGSpeculativeJIT.h:
884         * jit/Repatch.cpp:
885         (JSC::emitPutReplaceStub):
886         (JSC::emitPutTransitionStub):
887         * runtime/VM.h: Get rid of writeBarrierRegisterBuffer since it's no longer used.
888
889 2013-12-20  Balazs Kilvady  <kilvadyb@homejinni.com>
890
891         [MIPS] Missing MacroAssemblerMIPS::branchTest8(ResultCondition, BaseIndex, TrustedImm32)
892         https://bugs.webkit.org/show_bug.cgi?id=126062
893
894         Reviewed by Mark Hahnenberg.
895
896         * assembler/MacroAssemblerMIPS.h:
897         (JSC::MacroAssemblerMIPS::branchTest8):
898
899 2013-12-20  Julien Brianceau  <jbriance@cisco.com>
900
901         [sh4] Add missing implementation in MacroAssembler to fix build.
902         https://bugs.webkit.org/show_bug.cgi?id=126063
903
904         Reviewed by Mark Hahnenberg.
905
906         * assembler/MacroAssemblerSH4.h:
907         (JSC::MacroAssemblerSH4::branchTest8):
908
909 2013-12-20  Julien Brianceau  <jbriance@cisco.com>
910
911         [arm] Add missing implementation in MacroAssembler to fix CPU(ARM_TRADITIONAL) build.
912         https://bugs.webkit.org/show_bug.cgi?id=126064
913
914         Reviewed by Mark Hahnenberg.
915
916         * assembler/MacroAssemblerARM.h:
917         (JSC::MacroAssemblerARM::branchTest8):
918
919 2013-12-19  Joseph Pecoraro  <pecoraro@apple.com>
920
921         Web Inspector: Add InspectorFrontendHost.debuggableType to let the frontend know its backend is JavaScript or Web
922         https://bugs.webkit.org/show_bug.cgi?id=126016
923
924         Reviewed by Timothy Hatcher.
925
926         * inspector/remote/RemoteInspector.mm:
927         (Inspector::RemoteInspector::listingForDebuggable):
928         * inspector/remote/RemoteInspectorConstants.h:
929         Include a debuggable type identifier in the debuggable listing,
930         so the remote frontend can know if it is debugging a Web Page
931         or JS Context.
932
933 2013-12-19  Benjamin Poulain  <benjamin@webkit.org>
934
935         Add a utility class to simplify generating function calls
936         https://bugs.webkit.org/show_bug.cgi?id=125972
937
938         Reviewed by Geoffrey Garen.
939
940         Split branchTest32 in two functions: test32AndSetFlags and branchOnFlags.
941         This is done to allow code where the flags are set, multiple operations that
942         do not modify the flags occur, then the flags are used.
943
944         This is used for function calls to test the return value while discarding the
945         return register.
946
947         * assembler/MacroAssemblerX86Common.h:
948         (JSC::MacroAssemblerX86Common::test32AndSetFlags):
949         (JSC::MacroAssemblerX86Common::branchOnFlags):
950         (JSC::MacroAssemblerX86Common::branchTest32):
951
952 2013-12-19  Mark Hahnenberg  <mhahnenberg@apple.com>
953
954         Put write barriers in the right places in the baseline JIT
955         https://bugs.webkit.org/show_bug.cgi?id=125975
956
957         Reviewed by Filip Pizlo.
958
959         * jit/JIT.cpp:
960         (JSC::JIT::privateCompileSlowCases):
961         * jit/JIT.h:
962         * jit/JITInlines.h:
963         (JSC::JIT::callOperation):
964         (JSC::JIT::emitArrayProfilingSite):
965         * jit/JITOpcodes.cpp:
966         (JSC::JIT::emit_op_enter):
967         (JSC::JIT::emitSlow_op_enter):
968         * jit/JITOpcodes32_64.cpp:
969         (JSC::JIT::emit_op_enter):
970         (JSC::JIT::emitSlow_op_enter):
971         * jit/JITPropertyAccess.cpp:
972         (JSC::JIT::emit_op_put_by_val):
973         (JSC::JIT::emitGenericContiguousPutByVal):
974         (JSC::JIT::emitArrayStoragePutByVal):
975         (JSC::JIT::emit_op_put_by_id):
976         (JSC::JIT::emitPutGlobalProperty):
977         (JSC::JIT::emitPutGlobalVar):
978         (JSC::JIT::emitPutClosureVar):
979         (JSC::JIT::emit_op_init_global_const):
980         (JSC::JIT::checkMarkWord):
981         (JSC::JIT::emitWriteBarrier):
982         (JSC::JIT::privateCompilePutByVal):
983         * jit/JITPropertyAccess32_64.cpp:
984         (JSC::JIT::emitGenericContiguousPutByVal):
985         (JSC::JIT::emitArrayStoragePutByVal):
986         (JSC::JIT::emit_op_put_by_id):
987         (JSC::JIT::emitSlow_op_put_by_id):
988         (JSC::JIT::emitPutGlobalProperty):
989         (JSC::JIT::emitPutGlobalVar):
990         (JSC::JIT::emitPutClosureVar):
991         (JSC::JIT::emit_op_init_global_const):
992         * jit/Repatch.cpp:
993         (JSC::emitPutReplaceStub):
994         (JSC::emitPutTransitionStub):
995         (JSC::repatchPutByID):
996         * runtime/CommonSlowPaths.cpp:
997         (JSC::SLOW_PATH_DECL):
998         * runtime/CommonSlowPaths.h:
999
1000 2013-12-19  Brent Fulgham  <bfulgham@apple.com>
1001
1002         Implement ArrayBuffer.isView
1003         https://bugs.webkit.org/show_bug.cgi?id=126004
1004
1005         Reviewed by Filip Pizlo.
1006
1007         Test coverage in webgl/1.0.2/resources/webgl_test_files/conformance/typedarrays/array-unit-tests.html
1008
1009         * runtime/JSArrayBufferConstructor.cpp:
1010         (JSC::JSArrayBufferConstructor::finishCreation): Add 'isView' to object constructor.
1011         (JSC::arrayBufferFuncIsView): New method.
1012
1013 2013-12-19  Mark Lam  <mark.lam@apple.com>
1014
1015         Fix broken C loop LLINT build.
1016         https://bugs.webkit.org/show_bug.cgi?id=126024.
1017
1018         Reviewed by Oliver Hunt.
1019
1020         * runtime/VM.h:
1021
1022 2013-12-18  Mark Hahnenberg  <mhahnenberg@apple.com>
1023
1024         DelayedReleaseScope is in the wrong place
1025         https://bugs.webkit.org/show_bug.cgi?id=125876
1026
1027         Reviewed by Geoffrey Garen.
1028
1029         The DelayedReleaseScope needs to be around the free list sweeping in MarkedAllocator::tryAllocateHelper. 
1030         This location gives us a good safe point between getting ready to allocate  (i.e. identifying a non-empty 
1031         free list) and doing the actual allocation (popping the free list).
1032
1033         * heap/MarkedAllocator.cpp:
1034         (JSC::MarkedAllocator::tryAllocateHelper):
1035         (JSC::MarkedAllocator::allocateSlowCase):
1036         (JSC::MarkedAllocator::addBlock):
1037         * runtime/JSCellInlines.h:
1038         (JSC::allocateCell):
1039
1040 2013-12-18  Gustavo Noronha Silva  <gns@gnome.org>
1041
1042         [GTK][CMake] make libjavascriptcoregtk a public shared library again
1043         https://bugs.webkit.org/show_bug.cgi?id=125512
1044
1045         Reviewed by Martin Robinson.
1046
1047         * CMakeLists.txt: use target type instead of SHARED_CORE to decide whether
1048         JavaScriptCore is a shared library, since it's always shared for GTK+ regardless
1049         of SHARED_CORE.
1050
1051 2013-12-18  Benjamin Poulain  <benjamin@webkit.org>
1052
1053         Add a simple stack abstraction for x86_64
1054         https://bugs.webkit.org/show_bug.cgi?id=125908
1055
1056         Reviewed by Geoffrey Garen.
1057
1058         * assembler/MacroAssemblerX86_64.h:
1059         (JSC::MacroAssemblerX86_64::addPtrNoFlags):
1060         Add an explicit abstraction for the "lea" instruction. This is needed
1061         by the experimental JIT to have add and subtract without changing the flags.
1062
1063         This is useful for function calls to test the return value, restore the registers,
1064         then branch on the flags from the return value.
1065
1066 2013-12-18  Mark Hahnenberg  <mhahnenberg@apple.com>
1067
1068         DFG should have a separate StoreBarrier node
1069         https://bugs.webkit.org/show_bug.cgi?id=125530
1070
1071         Reviewed by Filip Pizlo.
1072
1073         This is in preparation for GenGC. We use a separate StoreBarrier node instead of making them implicitly 
1074         part of other nodes so that it's easier to run analyses on them, e.g. for the StoreBarrierElisionPhase. 
1075         They are inserted during the fixup phase. Initially they do not generate any code.
1076
1077         * CMakeLists.txt:
1078         * GNUmakefile.list.am:
1079         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1080         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1081         * JavaScriptCore.xcodeproj/project.pbxproj:
1082         * dfg/DFGAbstractHeap.h:
1083         * dfg/DFGAbstractInterpreter.h:
1084         (JSC::DFG::AbstractInterpreter::isKnownNotCell):
1085         * dfg/DFGAbstractInterpreterInlines.h:
1086         (JSC::DFG::::executeEffects):
1087         * dfg/DFGClobberize.h:
1088         (JSC::DFG::clobberizeForAllocation):
1089         (JSC::DFG::clobberize):
1090         * dfg/DFGConstantFoldingPhase.cpp:
1091         (JSC::DFG::ConstantFoldingPhase::foldConstants): Whenever we insert new nodes that require StoreBarriers,
1092         we have to add those new StoreBarriers too. It's important to note that AllocatePropertyStorage and 
1093         ReallocatePropertyStorage nodes require their StoreBarriers to come after them since they allocate first,
1094         which could cause a GC, and then store the resulting buffer into their JSCell, which requires the barrier.
1095         If we ever require that write barriers occur before stores, we'll have to split these nodes into 
1096         AllocatePropertyStorage + StoreBarrier + PutPropertyStorage.
1097         * dfg/DFGFixupPhase.cpp:
1098         (JSC::DFG::FixupPhase::fixupNode):
1099         (JSC::DFG::FixupPhase::insertStoreBarrier):
1100         * dfg/DFGNode.h:
1101         (JSC::DFG::Node::isStoreBarrier):
1102         * dfg/DFGNodeType.h:
1103         * dfg/DFGOSRExitCompiler32_64.cpp:
1104         (JSC::DFG::OSRExitCompiler::compileExit):
1105         * dfg/DFGOSRExitCompiler64.cpp:
1106         (JSC::DFG::OSRExitCompiler::compileExit):
1107         * dfg/DFGPlan.cpp:
1108         (JSC::DFG::Plan::compileInThreadImpl):
1109         * dfg/DFGPredictionPropagationPhase.cpp:
1110         (JSC::DFG::PredictionPropagationPhase::propagate):
1111         * dfg/DFGSafeToExecute.h:
1112         (JSC::DFG::safeToExecute):
1113         * dfg/DFGSpeculativeJIT.cpp:
1114         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1115         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1116         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
1117         (JSC::DFG::SpeculativeJIT::genericWriteBarrier): The fast path write barrier check. It loads the 
1118         byte that contains the mark bit of the object. 
1119         (JSC::DFG::SpeculativeJIT::storeToWriteBarrierBuffer): If the fast path check fails we try to store the 
1120         cell in the WriteBarrierBuffer so as to avoid frequently flushing all registers in order to make a C call.
1121         (JSC::DFG::SpeculativeJIT::writeBarrier):
1122         (JSC::DFG::SpeculativeJIT::osrWriteBarrier): More barebones version of the write barrier to be executed 
1123         during an OSR exit into baseline code. We must do this so that the baseline JIT object and array profiles 
1124         are properly cleared during GC.
1125         * dfg/DFGSpeculativeJIT.h:
1126         (JSC::DFG::SpeculativeJIT::callOperation):
1127         * dfg/DFGSpeculativeJIT32_64.cpp:
1128         (JSC::DFG::SpeculativeJIT::cachedPutById):
1129         (JSC::DFG::SpeculativeJIT::compileBaseValueStoreBarrier):
1130         (JSC::DFG::SpeculativeJIT::compile):
1131         (JSC::DFG::SpeculativeJIT::writeBarrier):
1132         * dfg/DFGSpeculativeJIT64.cpp:
1133         (JSC::DFG::SpeculativeJIT::cachedPutById):
1134         (JSC::DFG::SpeculativeJIT::compileBaseValueStoreBarrier):
1135         (JSC::DFG::SpeculativeJIT::compile):
1136         (JSC::DFG::SpeculativeJIT::writeBarrier):
1137         * dfg/DFGStoreBarrierElisionPhase.cpp: Added. New DFG phase that does block-local elision of redundant
1138         StoreBarriers. Every time a StoreBarrier on a particular object is executed, a bit is set indicating that 
1139         that object doesn't need any more StoreBarriers. 
1140         (JSC::DFG::StoreBarrierElisionPhase::StoreBarrierElisionPhase):
1141         (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC): Nodes that could cause a GC reset the bits for all of the 
1142         objects known in the current block. 
1143         (JSC::DFG::StoreBarrierElisionPhase::allocatesFreshObject): A node that creates a new object automatically 
1144         sets the bit for that object since if a GC occurred as the result of that object's allocation then that 
1145         object would not need a barrier since it would be guaranteed to be a young generation object until the 
1146         next GC point.
1147         (JSC::DFG::StoreBarrierElisionPhase::noticeFreshObject):
1148         (JSC::DFG::StoreBarrierElisionPhase::getBaseOfStore):
1149         (JSC::DFG::StoreBarrierElisionPhase::shouldBeElided):
1150         (JSC::DFG::StoreBarrierElisionPhase::elideBarrier):
1151         (JSC::DFG::StoreBarrierElisionPhase::handleNode):
1152         (JSC::DFG::StoreBarrierElisionPhase::handleBlock):
1153         (JSC::DFG::StoreBarrierElisionPhase::run):
1154         (JSC::DFG::performStoreBarrierElision):
1155         * dfg/DFGStoreBarrierElisionPhase.h: Added.
1156         * heap/Heap.cpp:
1157         (JSC::Heap::Heap):
1158         (JSC::Heap::flushWriteBarrierBuffer):
1159         * heap/Heap.h:
1160         (JSC::Heap::writeBarrier):
1161         * heap/MarkedBlock.h:
1162         (JSC::MarkedBlock::offsetOfMarks):
1163         * heap/WriteBarrierBuffer.cpp: Added. The WriteBarrierBuffer buffers a set of JSCells that are awaiting 
1164         a pending WriteBarrier. This buffer is used by the DFG to avoid the overhead of calling out to C repeatedly
1165         to invoke a write barrier on a single JSCell. Instead the DFG has inline code to fill the WriteBarrier buffer
1166         until it's full, and then to call out to C to flush it. The WriteBarrierBuffer will also be flushed prior to 
1167         each EdenCollection.
1168         (JSC::WriteBarrierBuffer::WriteBarrierBuffer):
1169         (JSC::WriteBarrierBuffer::~WriteBarrierBuffer):
1170         (JSC::WriteBarrierBuffer::flush):
1171         (JSC::WriteBarrierBuffer::reset):
1172         (JSC::WriteBarrierBuffer::add):
1173         * heap/WriteBarrierBuffer.h: Added.
1174         (JSC::WriteBarrierBuffer::currentIndexOffset):
1175         (JSC::WriteBarrierBuffer::capacityOffset):
1176         (JSC::WriteBarrierBuffer::bufferOffset):
1177         * jit/JITOperations.cpp:
1178         * jit/JITOperations.h:
1179         * runtime/VM.h:
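
        Added illustration for the StoreBarrierElisionPhase and WriteBarrierBuffer described in
        the entry above. This is editor-supplied example code, not JavaScriptCore's own: the Op
        enum, the integer object ids, the sample block, and the choice to treat Call and
        NewObject as the only GC points are constructed for the illustration. It walks one block,
        elides barriers the way the entry describes (a GC-capable node clears every bit, a fresh
        allocation sets its object's bit, a surviving barrier sets the bit for its base), then
        runs the surviving barriers through a fixed-capacity buffer that is flushed when full and
        once more at the end, standing in for the flush before an EdenCollection.

```cpp
// Toy model of block-local StoreBarrier elision and a WriteBarrierBuffer.
// Not JavaScriptCore code; node kinds, object ids and the sample block are constructed.
#include <cstddef>
#include <set>
#include <vector>

namespace toy {

enum class Op { NewObject, PutById, StoreBarrier, Call };

struct Node {
    Op op;
    int base;     // object allocated or stored into (-1 when none)
    bool elided;  // set by elideStoreBarriers on StoreBarrier nodes
};

// Constructed assumption: allocation and calls are the nodes that may run a GC.
inline bool couldCauseGC(Op op) { return op == Op::Call || op == Op::NewObject; }
inline bool allocatesFreshObject(Op op) { return op == Op::NewObject; }

// One pass over a block. The set holds objects that are known not to need another
// barrier until the next GC point. Returns how many barriers were elided.
inline size_t elideStoreBarriers(std::vector<Node>& block)
{
    std::set<int> barriered;
    size_t elided = 0;
    for (Node& node : block) {
        if (couldCauseGC(node.op))
            barriered.clear();            // a GC may have aged every object we knew about
        if (allocatesFreshObject(node.op))
            barriered.insert(node.base);  // fresh object stays young until the next GC point
        if (node.op != Op::StoreBarrier)
            continue;
        if (barriered.count(node.base)) {
            node.elided = true;
            ++elided;
        } else
            barriered.insert(node.base);  // this barrier covers later stores into base
    }
    return elided;
}

// Buffer of cells awaiting a barrier; add() refuses when full so the caller flushes.
class WriteBarrierBuffer {
public:
    explicit WriteBarrierBuffer(size_t capacity) : m_capacity(capacity) {}
    bool add(int cell)
    {
        if (m_cells.size() >= m_capacity)
            return false;
        m_cells.push_back(cell);
        return true;
    }
    // Hand every buffered cell to the collector's remembered set and reset.
    size_t flush(std::set<int>& remembered)
    {
        size_t count = m_cells.size();
        for (int cell : m_cells)
            remembered.insert(cell);
        m_cells.clear();
        return count;
    }
private:
    size_t m_capacity;
    std::vector<int> m_cells;
};

struct RunResult { size_t barriersExecuted; size_t flushes; std::set<int> remembered; };

// Execute the barriers that survived elision through a buffer of the given capacity.
inline RunResult executeBarriers(const std::vector<Node>& block, size_t capacity)
{
    WriteBarrierBuffer buffer(capacity);
    RunResult result { 0, 0, {} };
    for (const Node& node : block) {
        if (node.op != Op::StoreBarrier || node.elided)
            continue;
        ++result.barriersExecuted;
        if (!buffer.add(node.base)) {     // full: call out, flush, then retry
            ++result.flushes;
            buffer.flush(result.remembered);
            buffer.add(node.base);
        }
    }
    if (buffer.flush(result.remembered))  // flushed again before the next collection
        ++result.flushes;
    return result;
}

// Constructed sample: o1 = new; o1.a = ..; o1.b = ..; call(); o1.c = ..; o1.d = ..; o2.e = ..; o2.f = ..
inline std::vector<Node> sampleBlock()
{
    return {
        { Op::NewObject, 1, false },
        { Op::PutById, 1, false }, { Op::StoreBarrier, 1, false },  // elided: o1 is fresh
        { Op::PutById, 1, false }, { Op::StoreBarrier, 1, false },  // elided
        { Op::Call, -1, false },                                     // GC point: bits reset
        { Op::PutById, 1, false }, { Op::StoreBarrier, 1, false },  // kept
        { Op::PutById, 1, false }, { Op::StoreBarrier, 1, false },  // elided
        { Op::PutById, 2, false }, { Op::StoreBarrier, 2, false },  // kept
        { Op::PutById, 2, false }, { Op::StoreBarrier, 2, false },  // elided
    };
}

} // namespace toy
```

        On the sample block, four of the six barriers are elided and the two survivors
        reach the buffer; with a capacity of one the buffer flushes twice (once when the second
        cell arrives, once at the end), with a larger capacity only the final flush happens.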
1180
1181 2013-12-18  Carlos Garcia Campos  <cgarcia@igalia.com>
1182
1183         Unreviewed. Fix make distcheck.
1184
1185         * GNUmakefile.am:
1186
1187 2013-12-17  Julien Brianceau  <jbriance@cisco.com>
1188
1189         Fix armv7 and sh4 builds.
1190         https://bugs.webkit.org/show_bug.cgi?id=125848
1191
1192         Reviewed by Csaba Osztrogonác.
1193
1194         * assembler/ARMv7Assembler.h: Include limits.h for INT_MIN.
1195         * assembler/SH4Assembler.h: Include limits.h for INT_MIN.
1196
1197 2013-12-16  Oliver Hunt  <oliver@apple.com>
1198
1199         Avoid indirect function calls for custom getters
1200         https://bugs.webkit.org/show_bug.cgi?id=125821
1201
1202         Reviewed by Mark Hahnenberg.
1203
1204         Rather than invoking a helper function to perform an indirect call
1205         through a function pointer, just have the JIT call the function directly.
1206
1207         Unfortunately this only works in JSVALUE64 at the moment as there
1208         is not an obvious way to pass two EncodedJSValues uniformly over
1209         the various affected JITs.
1210
1211         * jit/CCallHelpers.h:
1212         (JSC::CCallHelpers::setupArguments):
1213         * jit/Repatch.cpp:
1214         (JSC::generateProtoChainAccessStub):
1215         (JSC::tryBuildGetByIDList):
1216
1217 2013-12-16  Joseph Pecoraro  <pecoraro@apple.com>
1218
1219         Fix some whitespace issues in inspector code
1220         https://bugs.webkit.org/show_bug.cgi?id=125814
1221
1222         Reviewed by Darin Adler.
1223
1224         * inspector/protocol/Debugger.json:
1225         * inspector/protocol/Runtime.json:
1226         * inspector/scripts/CodeGeneratorInspector.py:
1227         (Generator.process_command):
1228
1229 2013-12-16  Mark Hahnenberg  <mhahnenberg@apple.com>
1230
1231         Add some missing functions to MacroAssembler
1232         https://bugs.webkit.org/show_bug.cgi?id=125809
1233
1234         Reviewed by Oliver Hunt.
1235
1236         * assembler/AbstractMacroAssembler.h:
1237         * assembler/AssemblerBuffer.h:
1238         * assembler/LinkBuffer.cpp:
1239         * assembler/MacroAssembler.h:
1240         (JSC::MacroAssembler::storePtr):
1241         (JSC::MacroAssembler::andPtr):
1242         * assembler/MacroAssemblerARM64.h:
1243         (JSC::MacroAssemblerARM64::and64):
1244         (JSC::MacroAssemblerARM64::branchTest8):
1245         * assembler/MacroAssemblerARMv7.h:
1246         (JSC::MacroAssemblerARMv7::branchTest8):
1247         * assembler/X86Assembler.h:
1248
1249 2013-12-16  Brent Fulgham  <bfulgham@apple.com>
1250
1251         [Win] Remove dead code after conversion to VS2013
1252         https://bugs.webkit.org/show_bug.cgi?id=125795
1253
1254         Reviewed by Darin Adler.
1255
1256         * API/tests/testapi.c: Remove local nan implementation
1257
1258 2013-12-16  Oliver Hunt  <oliver@apple.com>
1259
1260         Cache getters and custom accessors on the prototype chain
1261         https://bugs.webkit.org/show_bug.cgi?id=125602
1262
1263         Reviewed by Michael Saboff.
1264
1265         Support caching of custom getters and accessors on the prototype chain.
1266         This is relatively trivial and just requires a little work compared to
1267         the direct access mode as we're under more register pressure.
1268
1269         * bytecode/StructureStubInfo.h:
1270           Removed the unused initGetByIdProto as it was confusing to still have it present.
1271         * jit/Repatch.cpp:
1272         (JSC::generateProtoChainAccessStub):
1273         (JSC::tryCacheGetByID):
1274         (JSC::tryBuildGetByIDList):
1275
1276 2013-12-16  Mark Lam  <mark.lam@apple.com>
1277
1278         Change slow path result to take a void* instead of a ExecState*.
1279         https://bugs.webkit.org/show_bug.cgi?id=125802.
1280
1281         Reviewed by Filip Pizlo.
1282
1283         This is in preparation for C Stack OSR entry work that is coming soon.
1284         In the OSR entry case, we'll be returning a topOfFrame pointer value
1285         instead of the ExecState*.
1286
1287         * offlineasm/cloop.rb:
1288         * runtime/CommonSlowPaths.h:
1289         (JSC::encodeResult):
1290         (JSC::decodeResult):
1291
1292 2013-12-16  Alex Christensen  <achristensen@webkit.org>
1293
1294         Fixed Win64 build on VS2013.
1295         https://bugs.webkit.org/show_bug.cgi?id=125753
1296
1297         Reviewed by Brent Fulgham.
1298
1299         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1300         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj:
1301         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
1302         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
1303         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
1304         * JavaScriptCore.vcxproj/jsc/jsc.vcxproj:
1305         * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj:
1306         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
1307         Added correct PlatformToolset for 64-bit builds.
1308
1309 2013-12-16  Peter Szanka  <h868064@stud.u-szeged.hu>
1310
1311         Delete RVCT related code parts.
1312         https://bugs.webkit.org/show_bug.cgi?id=125626
1313
1314         Reviewed by Darin Adler.
1315
1316         * assembler/ARMAssembler.cpp:
1317         * assembler/ARMAssembler.h:
1318         (JSC::ARMAssembler::cacheFlush):
1319         * assembler/MacroAssemblerARM.cpp:
1320         (JSC::isVFPPresent):
1321         * jit/JITStubsARM.h:
1322         * jit/JITStubsARMv7.h:
1323
1324 2013-12-15  Ryosuke Niwa  <rniwa@webkit.org>
1325
1326         REGRESSION: 2x regression on Dromaeo DOM query tests
1327         https://bugs.webkit.org/show_bug.cgi?id=125377
1328
1329         Reviewed by Filip Pizlo.
1330
1331         The bug was caused by JSC not JIT'ing property access on "document" due to its type info having
1332         HasImpureGetOwnPropertySlot flag.
1333
1334         Fixed the bug by new type info flag NewImpurePropertyFiresWatchpoints, which allows the baseline
1335         JIT to generate byte code for accessing properties on an object with named properties (a.k.a.
1336         custom name getter) in DOM. When a new named property appears on the object, VM is notified via
1337         VM::addImpureProperty and fires StructureStubClearingWatchpoint added during the repatch.
1338
1339         * bytecode/GetByIdStatus.cpp:
1340         (JSC::GetByIdStatus::computeFromLLInt): Take the slow path if we have any object with impure
1341         properties in the prototype chain.
1342         (JSC::GetByIdStatus::computeForChain): Ditto.
1343
1344         * jit/Repatch.cpp:
1345         (JSC::repatchByIdSelfAccess): Throw away the byte code when a new impure property is added on any
1346         object in the prototype chain via StructureStubClearingWatchpoint.
1347         (JSC::generateProtoChainAccessStub): Ditto.
1348         (JSC::tryCacheGetByID):
1349         (JSC::tryBuildGetByIDList):
1350         (JSC::tryRepatchIn): Ditto.
1351
1352         * runtime/JSTypeInfo.h: Added NewImpurePropertyFiresWatchpoints.
1353         (JSC::TypeInfo::newImpurePropertyFiresWatchpoints): Added.
1354
1355         * runtime/Operations.h:
1356         (JSC::normalizePrototypeChainForChainAccess): Don't exit early if VM will be notified of new
1357         impure property even if the object had impure properties.
1358
1359         * runtime/Structure.h:
1360         (JSC::Structure::takesSlowPathInDFGForImpureProperty): Added. Wraps hasImpureGetOwnPropertySlot and
1361         asserts that newImpurePropertyFiresWatchpoints is true whenever hasImpureGetOwnPropertySlot is true.
1362
1363         * runtime/VM.cpp:
1364         (JSC::VM::registerWatchpointForImpureProperty): Added.
1365         (JSC::VM::addImpureProperty): Added. HTMLDocument calls it to notify JSC of a new impure property.
1366
1367         * runtime/VM.h:
1368
1369 2013-12-15  Andy Estes  <aestes@apple.com>
1370
1371         [iOS] Upstream changes to FeatureDefines.xcconfig
1372         https://bugs.webkit.org/show_bug.cgi?id=125742
1373
1374         Reviewed by Dan Bernstein.
1375
1376         * Configurations/FeatureDefines.xcconfig:
1377
1378 2013-12-14  Filip Pizlo  <fpizlo@apple.com>
1379
1380         FTL should *really* know when things are flushed
1381         https://bugs.webkit.org/show_bug.cgi?id=125747
1382
1383         Reviewed by Sam Weinig.
1384         
1385         Fix more codegen badness. This makes V8v7's crypto am3() function run faster in the FTL
1386         than in DFG. This means that even if we just compile those functions in V8v7 that don't
1387         make calls, the FTL gives us a 2% speed-up over the DFG. That's pretty good considering
1388         that we have still more optimizations to fix and we can make calls work.
1389
1390         * dfg/DFGSSAConversionPhase.cpp:
1391         (JSC::DFG::SSAConversionPhase::run):
1392         * ftl/FTLCompile.cpp:
1393         (JSC::FTL::fixFunctionBasedOnStackMaps):
1394
1395 2013-12-14  Andy Estes  <aestes@apple.com>
1396
1397         Unify FeatureDefines.xcconfig
1398         https://bugs.webkit.org/show_bug.cgi?id=125741
1399
1400         Rubber-stamped by Dan Bernstein.
1401
1402         * Configurations/FeatureDefines.xcconfig: Enable ENABLE_MEDIA_SOURCE.
1403
1404 2013-12-14  Mark Rowe  <mrowe@apple.com>
1405
1406         Build fix after r160557.
1407
1408         r160557 added the first generated header to JavaScriptCore that needs to be installed into
1409         the framework wrapper. Sadly JavaScriptCore's Derived Sources target was not set to generate
1410         headers when invoked as part of the installhdrs action. This resulted in the build failing
1411         due to Xcode being unable to find the header file to install. The fix for this is to configure
1412         the Derived Sources target to use JavaScriptCore.xcconfig, which sets INSTALLHDRS_SCRIPT_PHASE
1413         to YES and allows Xcode to generate derived sources during the installhdrs action.
1414
1415         Enabling INSTALLHDRS_SCRIPT_PHASE required tweaking the Generate Derived Sources script build
1416         phase to skip running code related to offlineasm that depends on JSCLLIntOffsetExtractor
1417         having been compiled, which isn't the case at installhdrs time.
1418
1419         * JavaScriptCore.xcodeproj/project.pbxproj:
1420
1421 2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>
1422
1423         Some Set and Map prototype functions have incorrect function lengths
1424         https://bugs.webkit.org/show_bug.cgi?id=125732
1425
1426         Reviewed by Oliver Hunt.
1427
1428         * runtime/MapPrototype.cpp:
1429         (JSC::MapPrototype::finishCreation):
1430         * runtime/SetPrototype.cpp:
1431         (JSC::SetPrototype::finishCreation):
1432
1433 2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>
1434
1435         Web Inspector: Move Inspector and Debugger protocol domains into JavaScriptCore
1436         https://bugs.webkit.org/show_bug.cgi?id=125707
1437
1438         Reviewed by Timothy Hatcher.
1439
1440         * CMakeLists.txt:
1441         * DerivedSources.make:
1442         * GNUmakefile.am:
1443         * inspector/protocol/Debugger.json: Renamed from Source/WebCore/inspector/protocol/Debugger.json.
1444         * inspector/protocol/GenericTypes.json: Added.
1445         * inspector/protocol/InspectorDomain.json: Renamed from Source/WebCore/inspector/protocol/InspectorDomain.json.
1446         Add new files to inspector generation.
1447
1448         * inspector/scripts/CodeGeneratorInspector.py:
1449         (Generator.go):
1450         Only build TypeBuilder output if the domain only has types. Avoid
1451         backend/frontend dispatchers and backend commands.
1452
1453         (TypeBindings.create_type_declaration_.EnumBinding.get_setter_value_expression_pattern):
1454         (format_setter_value_expression):
1455         (Generator.process_command):
1456         (Generator.generate_send_method):
1457         * inspector/scripts/CodeGeneratorInspectorStrings.py:
1458         Export and name the get{JS,Web}EnumConstant function.
1459
1460 2013-12-11  Filip Pizlo  <fpizlo@apple.com>
1461
1462         Get rid of forward exit on UInt32ToNumber by adding an op_unsigned bytecode instruction
1463         https://bugs.webkit.org/show_bug.cgi?id=125553
1464
1465         Reviewed by Oliver Hunt.
1466         
1467         UInt32ToNumber was a super complicated node because it had to do a speculation, but it
1468         would do it after we already had computed the urshift. It couldn't just go back to the
1469         beginning of the urshift because the inputs to the urshift weren't necessarily live
1470         anymore. We couldn't jump forward to the beginning of the next instruction because the
1471         result of the urshift was not yet unsigned-converted.
1472         
1473         For a while we solved this by forward-exiting in UInt32ToNumber. But that's really
1474         gross and I want to get rid of all forward exits. They cause a lot of bugs.
1475         
1476         We could also have turned UInt32ToNumber to a backwards exit by forcing the inputs to
1477         the urshift to be live. I figure that this might be a bit too extreme.
1478         
1479         So, I just created a new place that we can exit to: I split op_urshift into op_urshift
1480         followed by op_unsigned. op_unsigned is an "unsigned cast" along the lines of what
1481         UInt32ToNumber does. This allows me to get rid of all of the nastiness in the DFG for
1482         forward exiting in UInt32ToNumber.
1483         
1484         This patch enables massive code carnage in the DFG and FTL, and brings us closer to
1485         eliminating one of the DFG's most confusing concepts. On the flipside, it does make the
1486         bytecode slightly more complex (one new instruction). This is a profitable trade. We
1487         want the DFG and FTL to trend towards simplicity, since they are both currently too
1488         complicated.
1489
1490         * bytecode/BytecodeUseDef.h:
1491         (JSC::computeUsesForBytecodeOffset):
1492         (JSC::computeDefsForBytecodeOffset):
1493         * bytecode/CodeBlock.cpp:
1494         (JSC::CodeBlock::dumpBytecode):
1495         * bytecode/Opcode.h:
1496         (JSC::padOpcodeName):
1497         * bytecode/ValueRecovery.cpp:
1498         (JSC::ValueRecovery::dumpInContext):
1499         * bytecode/ValueRecovery.h:
1500         (JSC::ValueRecovery::gpr):
1501         * bytecompiler/NodesCodegen.cpp:
1502         (JSC::BinaryOpNode::emitBytecode):
1503         (JSC::emitReadModifyAssignment):
1504         * dfg/DFGByteCodeParser.cpp:
1505         (JSC::DFG::ByteCodeParser::toInt32):
1506         (JSC::DFG::ByteCodeParser::parseBlock):
1507         * dfg/DFGClobberize.h:
1508         (JSC::DFG::clobberize):
1509         * dfg/DFGNodeType.h:
1510         * dfg/DFGOSRExitCompiler32_64.cpp:
1511         (JSC::DFG::OSRExitCompiler::compileExit):
1512         * dfg/DFGOSRExitCompiler64.cpp:
1513         (JSC::DFG::OSRExitCompiler::compileExit):
1514         * dfg/DFGSpeculativeJIT.cpp:
1515         (JSC::DFG::SpeculativeJIT::compileMovHint):
1516         (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
1517         * dfg/DFGSpeculativeJIT.h:
1518         * dfg/DFGSpeculativeJIT32_64.cpp:
1519         * dfg/DFGSpeculativeJIT64.cpp:
1520         * dfg/DFGStrengthReductionPhase.cpp:
1521         (JSC::DFG::StrengthReductionPhase::handleNode):
1522         (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild):
1523         (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild1):
1524         (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild2):
1525         * ftl/FTLFormattedValue.h:
1526         (JSC::FTL::int32Value):
1527         * ftl/FTLLowerDFGToLLVM.cpp:
1528         (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):
1529         * ftl/FTLValueFormat.cpp:
1530         (JSC::FTL::reboxAccordingToFormat):
1531         (WTF::printInternal):
1532         * ftl/FTLValueFormat.h:
1533         * jit/JIT.cpp:
1534         (JSC::JIT::privateCompileMainPass):
1535         (JSC::JIT::privateCompileSlowCases):
1536         * jit/JIT.h:
1537         * jit/JITArithmetic.cpp:
1538         (JSC::JIT::emit_op_urshift):
1539         (JSC::JIT::emitSlow_op_urshift):
1540         (JSC::JIT::emit_op_unsigned):
1541         (JSC::JIT::emitSlow_op_unsigned):
1542         * jit/JITArithmetic32_64.cpp:
1543         (JSC::JIT::emitRightShift):
1544         (JSC::JIT::emitRightShiftSlowCase):
1545         (JSC::JIT::emit_op_unsigned):
1546         (JSC::JIT::emitSlow_op_unsigned):
1547         * llint/LowLevelInterpreter32_64.asm:
1548         * llint/LowLevelInterpreter64.asm:
1549         * runtime/CommonSlowPaths.cpp:
1550         (JSC::SLOW_PATH_DECL):
1551         * runtime/CommonSlowPaths.h:
1552
1553 2013-12-13  Mark Hahnenberg  <mhahnenberg@apple.com>
1554
1555         LLInt should not conditionally branch to labels outside of its function
1556         https://bugs.webkit.org/show_bug.cgi?id=125713
1557
1558         Reviewed by Geoffrey Garen.
1559
1560         Conditional branches are insufficient for jumping to out-of-function labels.
1561         The fix is to use an unconditional jmp to the label combined with a conditional branch around the jmp.
1562
1563         * llint/LowLevelInterpreter32_64.asm:
1564         * llint/LowLevelInterpreter64.asm:
1565
1566 2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>
1567
1568         [GTK] Remove Warnings in building about duplicate INSPECTOR variables
1569         https://bugs.webkit.org/show_bug.cgi?id=125710
1570
1571         Reviewed by Tim Horton.
1572
1573         * GNUmakefile.am:
1574
1575 2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>
1576
1577         Cleanup CodeGeneratorInspectorStrings a bit
1578         https://bugs.webkit.org/show_bug.cgi?id=125705
1579
1580         Reviewed by Timothy Hatcher.
1581
1582         * inspector/scripts/CodeGeneratorInspectorStrings.py:
1583         Use ${foo} variable syntax and add an ASCIILiteral.
1584
1585 2013-12-13  Brent Fulgham  <bfulgham@apple.com>
1586
1587         [Win] Unreviewed build fix after r160563
1588
1589         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: Missed the Debug
1590         target in my last patch.
1591
1592 2013-12-13  Brent Fulgham  <bfulgham@apple.com>
1593
1594         [Win] Unreviewed build fix after r160548
1595
1596         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: Specify
1597         that we are using the vs12_xp target for Makefile-based projects.
1598         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj: Ditto.
1599         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: Ditto.
1600
1601 2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>
1602
1603         Make inspector folder groups smarter in JavaScriptCore.xcodeproj
1604         https://bugs.webkit.org/show_bug.cgi?id=125663
1605
1606         Reviewed by Darin Adler.
1607
1608         * JavaScriptCore.xcodeproj/project.pbxproj:
1609
1610 2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>
1611
1612         Web Inspector: Add Inspector Code Generation to JavaScriptCore for Runtime Domain
1613         https://bugs.webkit.org/show_bug.cgi?id=125595
1614
1615         Reviewed by Timothy Hatcher.
1616
1617           - Move CodeGeneration scripts from WebCore into JavaScriptCore/inspector/scripts
1618           - For ports that build WebKit frameworks separately, export the scripts as PrivateHeaders
1619           - Update CodeGeneratorInspector.py in a few ways:
1620             - output dynamic filenames, so JavaScriptCore generates InspectorJSFoo.* and WebCore generates InspectorWebFoo.*
1621             - take in more than one protocol JSON file. The first contains domains to generate, the others are dependencies
1622               that are generated elsewhere that we can depend on for Types.
1623           - Add DerivedSources build step to generate the Inspector Interfaces
1624
1625         * CMakeLists.txt:
1626         * DerivedSources.make:
1627         * GNUmakefile.am:
1628         * GNUmakefile.list.am:
1629         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1630         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1631         * JavaScriptCore.vcxproj/copy-files.cmd:
1632         * JavaScriptCore.xcodeproj/project.pbxproj:
1633         Add scripts and code generation.
1634
1635         * inspector/protocol/Runtime.json: Renamed from Source/WebCore/inspector/protocol/Runtime.json.
1636         Move protocol file into JavaScriptCore so its types will be generated in JavaScriptCore.
1637
1638         * inspector/scripts/CodeGeneratorInspector.py: Renamed from Source/WebCore/inspector/CodeGeneratorInspector.py.
1639         Updates to the script as listed above.
1640
1641         * inspector/scripts/CodeGeneratorInspectorStrings.py: Renamed from Source/WebCore/inspector/CodeGeneratorInspectorStrings.py.
1642         * inspector/scripts/generate-combined-inspector-json.py: Renamed from Source/WebCore/inspector/Scripts/generate-combined-inspector-json.py.
1643         Moved from WebCore into JavaScriptCore for code generation.
1644
1645 2013-12-13  Peter Szanka  <h868064@stud.u-szeged.hu>
1646
1647         Delete INTEL C compiler related code parts.
1648         https://bugs.webkit.org/show_bug.cgi?id=125625
1649
1650         Reviewed by Darin Adler.
1651
1652         * jsc.cpp:
1653         * testRegExp.cpp:
1654
1655 2013-12-13  Brent Fulgham  <bfulgham@apple.com>
1656
1657         [Win] Switch WebKit solution to Visual Studio 2013
1658         https://bugs.webkit.org/show_bug.cgi?id=125192
1659
1660         Reviewed by Anders Carlsson.
1661
1662         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Update for VS2013
1663         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
1664         Ditto
1665         * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Ditto
1666         * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: Ditto
1667         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Ditto
1668
1669 2013-12-12  Joseph Pecoraro  <pecoraro@apple.com>
1670
1671         Add a few more ASCIILiterals
1672         https://bugs.webkit.org/show_bug.cgi?id=125662
1673
1674         Reviewed by Darin Adler.
1675
1676         * inspector/InspectorBackendDispatcher.cpp:
1677         (Inspector::InspectorBackendDispatcher::dispatch):
1678
1679 2013-12-12  Joseph Pecoraro  <pecoraro@apple.com>
1680
1681         Test new JSContext name APIs
1682         https://bugs.webkit.org/show_bug.cgi?id=125607
1683
1684         Reviewed by Darin Adler.
1685
1686         * API/JSContext.h:
1687         * API/JSContextRef.h:
1688         Fix whitespace issues.
1689
1690         * API/tests/testapi.c:
1691         (globalContextNameTest):
1692         (main):
1693         * API/tests/testapi.mm:
1694         Add tests for JSContext set/get name APIs.
1695
1696 2013-12-11  Filip Pizlo  <fpizlo@apple.com>
1697
1698         ARM64: Hang running pdfjs test, suspect DFG generated code for "in"
1699         https://bugs.webkit.org/show_bug.cgi?id=124727
1700         <rdar://problem/15566923>
1701
1702         Reviewed by Michael Saboff.
1703         
1704         Get rid of In's hackish use of StructureStubInfo. Previously it was using hotPathBegin,
1705         and it was the only IC that used that field, which was wasteful. Moreover, it used it
1706         to store two separate locations: the label for patching the jump and the label right
1707         after the jump. The code was relying on those two being the same label, which is true
1708         on X86 and some other platforms, but it isn't true on ARM64.
1709         
1710         This gets rid of hotPathBegin and makes In express those two locations as offsets from
1711         the callReturnLocation, which is analogous to what the other ICs do.
1712         
1713         This fixes a bug where any successful In patching would result in a trivially infinite
1714         loop - and hence a hang - on ARM64.
1715
1716         * bytecode/StructureStubInfo.h:
1717         * dfg/DFGJITCompiler.cpp:
1718         (JSC::DFG::JITCompiler::link):
1719         * dfg/DFGJITCompiler.h:
1720         (JSC::DFG::InRecord::InRecord):
1721         * dfg/DFGSpeculativeJIT.cpp:
1722         (JSC::DFG::SpeculativeJIT::compileIn):
1723         * jit/JITInlineCacheGenerator.cpp:
1724         (JSC::JITByIdGenerator::finalize):
1725         * jit/Repatch.cpp:
1726         (JSC::replaceWithJump):
1727         (JSC::patchJumpToGetByIdStub):
1728         (JSC::tryCachePutByID):
1729         (JSC::tryBuildPutByIdList):
1730         (JSC::tryRepatchIn):
1731         (JSC::resetGetByID):
1732         (JSC::resetPutByID):
1733         (JSC::resetIn):
1734
1735 2013-12-11  Joseph Pecoraro  <pecoraro@apple.com>
1736
1737         Web Inspector: Push More Inspector Required Classes Down into JavaScriptCore
1738         https://bugs.webkit.org/show_bug.cgi?id=125324
1739
1740         Reviewed by Timothy Hatcher.
1741
1742         * CMakeLists.txt:
1743         * GNUmakefile.am:
1744         * GNUmakefile.list.am:
1745         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1746         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1747         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
1748         * JavaScriptCore.vcxproj/copy-files.cmd:
1749         * JavaScriptCore.xcodeproj/project.pbxproj:
1750         * bindings/ScriptFunctionCall.cpp: Renamed from Source/WebCore/bindings/js/ScriptFunctionCall.cpp.
1751         * bindings/ScriptFunctionCall.h: Renamed from Source/WebCore/bindings/js/ScriptFunctionCall.h.
1752         * bindings/ScriptObject.cpp: Copied from Source/WebCore/inspector/WorkerConsoleAgent.cpp.
1753         * bindings/ScriptObject.h: Renamed from Source/WebCore/inspector/InspectorBaseAgent.h.
1754         * bindings/ScriptValue.cpp: Renamed from Source/WebCore/bindings/js/ScriptValue.cpp.
1755         * bindings/ScriptValue.h: Renamed from Source/WebCore/bindings/js/ScriptValue.h.
1756         * inspector/InspectorAgentBase.h: Copied from Source/WebCore/inspector/InspectorAgentRegistry.h.
1757         * inspector/InspectorAgentRegistry.cpp: Renamed from Source/WebCore/inspector/InspectorAgentRegistry.cpp.
1758         * inspector/InspectorBackendDispatcher.h: Renamed from Source/WebCore/inspector/InspectorBackendDispatcher.h.
1759         (Inspector::InspectorSupplementalBackendDispatcher::InspectorSupplementalBackendDispatcher):
1760         (Inspector::InspectorSupplementalBackendDispatcher::~InspectorSupplementalBackendDispatcher):
1761         * inspector/InspectorValues.cpp: Renamed from Source/WebCore/inspector/InspectorValues.cpp.
1762         * inspector/InspectorValues.h: Renamed from Source/WebCore/inspector/InspectorValues.h.
1763
1764 2013-12-11  Laszlo Vidacs  <lac@inf.u-szeged.hu>
1765
1766         Store SHA1 hash in std::array
1767         https://bugs.webkit.org/show_bug.cgi?id=125446
1768
1769         Reviewed by Darin Adler.
1770
1771         Change Vector to std::array and use typedef.
1772
1773         * bytecode/CodeBlockHash.cpp:
1774         (JSC::CodeBlockHash::CodeBlockHash):
1775
1776 2013-12-11  Mark Rowe  <mrowe@apple.com>
1777
1778         <https://webkit.org/b/125141> Modernize the JavaScriptCore API headers
1779         <rdar://problem/15540121>
1780
1781         This consists of three main changes:
1782         1) Converting the return type of initializer methods to instancetype.
1783         2) Declaring properties rather than getters and setters.
1784         3) Tagging C API methods with information about their memory management semantics.
1785
1786         Changing the declarations from getters and setters to properties also required
1787         updating the headerdoc in a number of places.
1788
1789         Reviewed by Anders Carlsson.
1790
1791         * API/JSContext.h:
1792         * API/JSContext.mm:
1793         * API/JSManagedValue.h:
1794         * API/JSManagedValue.mm:
1795         * API/JSStringRefCF.h:
1796         * API/JSValue.h:
1797         * API/JSVirtualMachine.h:
1798         * API/JSVirtualMachine.mm:
1799
1800 2013-12-11  Mark Rowe  <mrowe@apple.com>
1801
1802         <https://webkit.org/b/125559> Move JavaScriptCore off the legacy WebKit availability macros
1803
1804         The legacy WebKit availability macros are verbose, confusing, and provide no benefit over
1805         using the system availability macros directly. The original vision was that they'd serve
1806         a cross-platform purpose but that never came to be.
1807
1808         Map from WebKit version to OS X version based on the mapping in WebKitAvailability.h.
1809         All iOS versions are specified as 7.0 as that is when the JavaScriptCore C API was made
1810         public.
1811
1812         Part of <rdar://problem/15512304>.
1813
1814         Reviewed by Anders Carlsson.
1815
1816         * API/JSBasePrivate.h:
1817         * API/JSContextRef.h:
1818         * API/JSContextRefPrivate.h:
1819         * API/JSObjectRef.h:
1820         * API/JSValueRef.h:
1821
1822 2013-12-10  Filip Pizlo  <fpizlo@apple.com>
1823
1824         Get rid of forward exit on DoubleAsInt32
1825         https://bugs.webkit.org/show_bug.cgi?id=125552
1826
1827         Reviewed by Oliver Hunt.
1828         
1829         The forward exit was just there so that we wouldn't have to keep the inputs alive up to
1830         the DoubleAsInt32. That's dumb. Forward exits are a complicated piece of machinery and
1831         we shouldn't have it just for a bit of liveness micro-optimization.
1832         
1833         Also add a bunch of machinery to test this case on X86.
1834
1835         * assembler/AbstractMacroAssembler.h:
1836         (JSC::optimizeForARMv7s):
1837         (JSC::optimizeForARM64):
1838         (JSC::optimizeForX86):
1839         * dfg/DFGFixupPhase.cpp:
1840         (JSC::DFG::FixupPhase::fixupNode):
1841         * dfg/DFGNodeType.h:
1842         * dfg/DFGSpeculativeJIT.cpp:
1843         (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
1844         * runtime/Options.h:
1845         * tests/stress/double-as-int32.js: Added.
1846         (foo):
1847         (test):
1848
1849 2013-12-10  Filip Pizlo  <fpizlo@apple.com>
1850
1851         Simplify CSE's treatment of NodeRelevantToOSR
1852         https://bugs.webkit.org/show_bug.cgi?id=125538
1853
1854         Reviewed by Oliver Hunt.
1855         
1856         Make the NodeRelevantToOSR thing obvious: if there is any MovHint on a node then the
1857         node is relevant to OSR.
1858
1859         * dfg/DFGCSEPhase.cpp:
1860         (JSC::DFG::CSEPhase::run):
1861         (JSC::DFG::CSEPhase::performNodeCSE):
1862         (JSC::DFG::CSEPhase::performBlockCSE):
1863
1864 2013-12-10  Filip Pizlo  <fpizlo@apple.com>
1865
1866         Get rid of forward exit in GetByVal on Uint32Array
1867         https://bugs.webkit.org/show_bug.cgi?id=125543
1868
1869         Reviewed by Oliver Hunt.
1870
1871         * dfg/DFGSpeculativeJIT.cpp:
1872         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
1873         * ftl/FTLLowerDFGToLLVM.cpp:
1874         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
1875
1876 2013-12-10  Balazs Kilvady  <kilvadyb@homejinni.com>
1877
1878         [MIPS] Redundant instructions in code generated from offlineasm.
1879         https://bugs.webkit.org/show_bug.cgi?id=125528
1880
1881         Reviewed by Michael Saboff.
1882
1883         Optimize lowering of offlineasm BaseIndex Addresses.
1884
1885         * offlineasm/mips.rb:
1886
1887 2013-12-10  Oliver Hunt  <oliver@apple.com>
1888
1889         Reduce the mass templatizing of the JS parser
1890         https://bugs.webkit.org/show_bug.cgi?id=125535
1891
1892         Reviewed by Michael Saboff.
1893
1894         The various caches we have now have removed the need for many of
1895         the template vs. regular parameters.  This patch converts those
1896         template parameters to regular parameters and updates the call
1897         sites.  This reduces the code size of the parser by around 15%.
1898
1899         * parser/ASTBuilder.h:
1900         (JSC::ASTBuilder::createGetterOrSetterProperty):
1901         (JSC::ASTBuilder::createProperty):
1902         * parser/Parser.cpp:
1903         (JSC::::parseInner):
1904         (JSC::::parseSourceElements):
1905         (JSC::::parseVarDeclarationList):
1906         (JSC::::createBindingPattern):
1907         (JSC::::tryParseDeconstructionPatternExpression):
1908         (JSC::::parseDeconstructionPattern):
1909         (JSC::::parseSwitchClauses):
1910         (JSC::::parseSwitchDefaultClause):
1911         (JSC::::parseBlockStatement):
1912         (JSC::::parseFormalParameters):
1913         (JSC::::parseFunctionInfo):
1914         (JSC::::parseFunctionDeclaration):
1915         (JSC::::parseProperty):
1916         (JSC::::parseObjectLiteral):
1917         (JSC::::parseStrictObjectLiteral):
1918         (JSC::::parseMemberExpression):
1919         * parser/Parser.h:
1920         * parser/SyntaxChecker.h:
1921         (JSC::SyntaxChecker::createProperty):
1922         (JSC::SyntaxChecker::createGetterOrSetterProperty):
1923
1924 2013-12-10  Mark Hahnenberg  <mhahnenberg@apple.com>
1925
1926         ASSERT !heap.vm()->isInitializingObject() when finishing DFG compilation at beginning of GC
1927         https://bugs.webkit.org/show_bug.cgi?id=125472
1928
1929         Reviewed by Geoff Garen.
1930
1931         This patch makes it look like it's okay to allocate so that the DFG plan finalization stuff 
1932         can do what it needs to do. We already expected that we might do allocation during plan 
1933         finalization and we increased the deferral depth to handle this, but we need to fix this other 
1934         ASSERT stuff too.
1935
1936         * GNUmakefile.list.am:
1937         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1938         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1939         * JavaScriptCore.xcodeproj/project.pbxproj:
1940         * heap/Heap.cpp:
1941         (JSC::Heap::collect):
1942         * heap/Heap.h:
1943         * heap/RecursiveAllocationScope.h: Added.
1944         (JSC::RecursiveAllocationScope::RecursiveAllocationScope):
1945         (JSC::RecursiveAllocationScope::~RecursiveAllocationScope):
1946         * runtime/VM.h:
1947
1948 2013-12-09  Filip Pizlo  <fpizlo@apple.com>
1949
1950         Impose and enforce some basic rules of sanity for where Phi functions are allowed to occur and where their (optional) corresponding MovHints can be
1951         https://bugs.webkit.org/show_bug.cgi?id=125480
1952
1953         Reviewed by Geoffrey Garen.
1954         
1955         Previously, if you wanted to insert some speculation right after where a value was
1956         produced, you'd get super confused if that value was produced by a Phi node.  You can't
1957         necessarily insert speculations after a Phi node because Phi nodes appear in this
1958         special sequence of Phis and MovHints that establish the OSR exit state for a block.
1959         So, you'd probably want to search for the next place where it's safe to insert things.
1960         We already do this "search for beginning of next bytecode instruction" search by
1961         looking at the next node that has a different CodeOrigin.  But this would be hard for a
1962         Phi because those Phis and MovHints have basically random CodeOrigins and they can all
1963         have different CodeOrigins.
1964
1965         This change imposes some sanity for this situation:
1966
1967         - Phis must have unset CodeOrigins.
1968
1969         - In each basic block, all nodes that have unset CodeOrigins must come before all nodes
1970           that have set CodeOrigins.
1971
1972         This all ends up working out just great because prior to this change we didn't have a 
1973         use for unset CodeOrigins.  I think it's appropriate to make "unset CodeOrigin" mean
1974         that we're in the prologue of a basic block.
1975
1976         It's interesting what this means for block merging, which we don't yet do in SSA.
1977         Consider merging the edge A->B.  One possibility is that the block merger is now
1978         required to clean up Phi/Upsilons, and reascribe the MovHints to have the CodeOrigin of
1979         A's block terminal.  But an answer that might be better is that the originless
1980         nodes at the top of B are just given the origin of the terminal and we keep the
1981         Phis.  That would require changing the above rules.  We'll see how it goes, and what we
1982         end up picking...
1983
1984         Overall, this special-things-at-the-top rule is analogous to what other SSA-based
1985         compilers do.  For example, LLVM has rules mandating that Phis appear at the top of a
1986         block.
1987
1988         * bytecode/CodeOrigin.cpp:
1989         (JSC::CodeOrigin::dump):
1990         * dfg/DFGOSRExitBase.h:
1991         (JSC::DFG::OSRExitBase::OSRExitBase):
1992         * dfg/DFGSSAConversionPhase.cpp:
1993         (JSC::DFG::SSAConversionPhase::run):
1994         * dfg/DFGValidate.cpp:
1995         (JSC::DFG::Validate::validate):
1996         (JSC::DFG::Validate::validateSSA):
1997
1998 2013-12-08  Filip Pizlo  <fpizlo@apple.com>
1999
2000         Reveal array bounds checks in DFG IR
2001         https://bugs.webkit.org/show_bug.cgi?id=125253
2002
2003         Reviewed by Oliver Hunt and Mark Hahnenberg.
2004         
2005         In SSA mode, this reveals array bounds checks and the load of array length in DFG IR,
2006         making this a candidate for LICM.
2007
2008         This also fixes a long-standing performance bug where the JSObject slow paths would
2009         always create contiguous storage, rather than type-specialized storage, when doing a
2010         "storage creating" storage, like:
2011         
2012             var o = {};
2013             o[0] = 42;
2014
2015         * CMakeLists.txt:
2016         * GNUmakefile.list.am:
2017         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2018         * JavaScriptCore.xcodeproj/project.pbxproj:
2019         * bytecode/ExitKind.cpp:
2020         (JSC::exitKindToString):
2021         (JSC::exitKindIsCountable):
2022         * bytecode/ExitKind.h:
2023         * dfg/DFGAbstractInterpreterInlines.h:
2024         (JSC::DFG::::executeEffects):
2025         * dfg/DFGArrayMode.cpp:
2026         (JSC::DFG::permitsBoundsCheckLowering):
2027         (JSC::DFG::ArrayMode::permitsBoundsCheckLowering):
2028         * dfg/DFGArrayMode.h:
2029         (JSC::DFG::ArrayMode::lengthNeedsStorage):
2030         * dfg/DFGClobberize.h:
2031         (JSC::DFG::clobberize):
2032         * dfg/DFGConstantFoldingPhase.cpp:
2033         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2034         * dfg/DFGFixupPhase.cpp:
2035         (JSC::DFG::FixupPhase::fixupNode):
2036         * dfg/DFGNodeType.h:
2037         * dfg/DFGPlan.cpp:
2038         (JSC::DFG::Plan::compileInThreadImpl):
2039         * dfg/DFGPredictionPropagationPhase.cpp:
2040         (JSC::DFG::PredictionPropagationPhase::propagate):
2041         * dfg/DFGSSALoweringPhase.cpp: Added.
2042         (JSC::DFG::SSALoweringPhase::SSALoweringPhase):
2043         (JSC::DFG::SSALoweringPhase::run):
2044         (JSC::DFG::SSALoweringPhase::handleNode):
2045         (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
2046         (JSC::DFG::performSSALowering):
2047         * dfg/DFGSSALoweringPhase.h: Added.
2048         * dfg/DFGSafeToExecute.h:
2049         (JSC::DFG::safeToExecute):
2050         * dfg/DFGSpeculativeJIT.cpp:
2051         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
2052         * dfg/DFGSpeculativeJIT32_64.cpp:
2053         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
2054         (JSC::DFG::SpeculativeJIT::compile):
2055         * dfg/DFGSpeculativeJIT64.cpp:
2056         (JSC::DFG::SpeculativeJIT::compile):
2057         * ftl/FTLCapabilities.cpp:
2058         (JSC::FTL::canCompile):
2059         * ftl/FTLLowerDFGToLLVM.cpp:
2060         (JSC::FTL::LowerDFGToLLVM::compileNode):
2061         (JSC::FTL::LowerDFGToLLVM::compileCheckInBounds):
2062         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2063         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2064         (JSC::FTL::LowerDFGToLLVM::contiguousPutByValOutOfBounds):
2065         * runtime/JSObject.cpp:
2066         (JSC::JSObject::convertUndecidedForValue):
2067         (JSC::JSObject::createInitialForValueAndSet):
2068         (JSC::JSObject::putByIndexBeyondVectorLength):
2069         (JSC::JSObject::putDirectIndexBeyondVectorLength):
2070         * runtime/JSObject.h:
2071         * tests/stress/float32array-out-of-bounds.js: Added.
2072         (make):
2073         (foo):
2074         (test):
2075         * tests/stress/int32-object-out-of-bounds.js: Added.
2076         (make):
2077         (foo):
2078         (test):
2079         * tests/stress/int32-out-of-bounds.js: Added.
2080         (foo):
2081         (test):
2082
2083 2013-12-09  Sam Weinig  <sam@webkit.org>
2084
2085         Replace use of WTF::FixedArray with std::array
2086         https://bugs.webkit.org/show_bug.cgi?id=125475
2087
2088         Reviewed by Anders Carlsson.
2089
2090         * bytecode/CodeBlockHash.cpp:
2091         (JSC::CodeBlockHash::dump):
2092         * bytecode/Opcode.cpp:
2093         (JSC::OpcodeStats::~OpcodeStats):
2094         * dfg/DFGCSEPhase.cpp:
2095         * ftl/FTLAbstractHeap.h:
2096         * heap/MarkedSpace.h:
2097         * parser/ParserArena.h:
2098         * runtime/CodeCache.h:
2099         * runtime/DateInstanceCache.h:
2100         * runtime/JSGlobalObject.cpp:
2101         (JSC::JSGlobalObject::reset):
2102         * runtime/JSGlobalObject.h:
2103         * runtime/JSString.h:
2104         * runtime/LiteralParser.h:
2105         * runtime/NumericStrings.h:
2106         * runtime/RegExpCache.h:
2107         * runtime/SmallStrings.h:
2108
2109 2013-12-09  Joseph Pecoraro  <pecoraro@apple.com>
2110
2111         Remove miscellaneous unnecessary build statements
2112         https://bugs.webkit.org/show_bug.cgi?id=125466
2113
2114         Reviewed by Darin Adler.
2115
2116         * DerivedSources.make:
2117         * JavaScriptCore.vcxproj/build-generated-files.sh:
2118         * JavaScriptCore.xcodeproj/project.pbxproj:
2119         * make-generated-sources.sh:
2120
2121 2013-12-08  Filip Pizlo  <fpizlo@apple.com>
2122
2123         CSE should work in SSA
2124         https://bugs.webkit.org/show_bug.cgi?id=125430
2125
2126         Reviewed by Oliver Hunt and Mark Hahnenberg.
2127
2128         * dfg/DFGCSEPhase.cpp:
2129         (JSC::DFG::CSEPhase::run):
2130         (JSC::DFG::CSEPhase::performNodeCSE):
2131         * dfg/DFGPlan.cpp:
2132         (JSC::DFG::Plan::compileInThreadImpl):
2133
2134 2013-12-09  Joseph Pecoraro  <pecoraro@apple.com>
2135
2136         Remove docs/make-bytecode-docs.pl
2137         https://bugs.webkit.org/show_bug.cgi?id=125462
2138
2139         This script is very old and no longer outputs useful data since the
2140         op code definitions have moved from Interpreter.cpp.
2141
2142         Reviewed by Darin Adler.
2143
2144         * DerivedSources.make:
2145         * docs/make-bytecode-docs.pl: Removed.
2146
2147 2013-12-09  Julien Brianceau  <jbriance@cisco.com>
2148
2149         Fix sh4 LLINT build.
2150         https://bugs.webkit.org/show_bug.cgi?id=125454
2151
2152         Reviewed by Michael Saboff.
2153
2154         In LLINT, sh4 backend implementation didn't handle properly conditional jumps using
2155         a LabelReference instance. This patch fixes it through sh4LowerMisplacedLabels phase.
2156         Also, to avoid the need of a 4th temporary gpr, this phase is triggered later in
2157         getModifiedListSH4.
2158
2159         * offlineasm/sh4.rb:
2160
2161 2013-12-08  Filip Pizlo  <fpizlo@apple.com>
2162
2163         Add the notion of ConstantStoragePointer to DFG IR
2164         https://bugs.webkit.org/show_bug.cgi?id=125395
2165
2166         Reviewed by Oliver Hunt.
2167         
2168         This pushes more typed array folding into StrengthReductionPhase, and enables CSE on
2169         storage pointers. Previously, you might have separate nodes for the same storage
2170         pointer and this would cause some bad register pressure in the DFG. Note that this
2171         was really a theoretical problem and not, to my knowledge, a practical one - so this
2172         patch is basically just a clean-up.
2173
2174         * dfg/DFGAbstractInterpreterInlines.h:
2175         (JSC::DFG::::executeEffects):
2176         * dfg/DFGCSEPhase.cpp:
2177         (JSC::DFG::CSEPhase::constantStoragePointerCSE):
2178         (JSC::DFG::CSEPhase::performNodeCSE):
2179         * dfg/DFGClobberize.h:
2180         (JSC::DFG::clobberize):
2181         * dfg/DFGFixupPhase.cpp:
2182         (JSC::DFG::FixupPhase::fixupNode):
2183         * dfg/DFGGraph.cpp:
2184         (JSC::DFG::Graph::dump):
2185         * dfg/DFGNode.h:
2186         (JSC::DFG::Node::convertToConstantStoragePointer):
2187         (JSC::DFG::Node::hasStoragePointer):
2188         (JSC::DFG::Node::storagePointer):
2189         * dfg/DFGNodeType.h:
2190         * dfg/DFGPredictionPropagationPhase.cpp:
2191         (JSC::DFG::PredictionPropagationPhase::propagate):
2192         * dfg/DFGSafeToExecute.h:
2193         (JSC::DFG::safeToExecute):
2194         * dfg/DFGSpeculativeJIT.cpp:
2195         (JSC::DFG::SpeculativeJIT::compileConstantStoragePointer):
2196         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
2197         * dfg/DFGSpeculativeJIT.h:
2198         * dfg/DFGSpeculativeJIT32_64.cpp:
2199         (JSC::DFG::SpeculativeJIT::compile):
2200         * dfg/DFGSpeculativeJIT64.cpp:
2201         (JSC::DFG::SpeculativeJIT::compile):
2202         * dfg/DFGStrengthReductionPhase.cpp:
2203         (JSC::DFG::StrengthReductionPhase::handleNode):
2204         (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant):
2205         (JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray):
2206         * dfg/DFGWatchpointCollectionPhase.cpp:
2207         (JSC::DFG::WatchpointCollectionPhase::handle):
2208         * ftl/FTLLowerDFGToLLVM.cpp:
2209         (JSC::FTL::LowerDFGToLLVM::compileNode):
2210         (JSC::FTL::LowerDFGToLLVM::compileConstantStoragePointer):
2211         (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
2212
2213 2013-12-08  Filip Pizlo  <fpizlo@apple.com>
2214
2215         FTL should support UntypedUse versions of Compare nodes
2216         https://bugs.webkit.org/show_bug.cgi?id=125426
2217
2218         Reviewed by Oliver Hunt.
2219         
2220         This adds UntypedUse versions of all comparisons except CompareStrictEq, which is
2221         sufficiently different that I thought I'd do it in another patch.
2222         
2223         This also extends our ability to abstract over comparison kind and removes a bunch of
2224         copy-paste code.
2225
2226         * dfg/DFGSpeculativeJIT64.cpp:
2227         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
2228         * ftl/FTLCapabilities.cpp:
2229         (JSC::FTL::canCompile):
2230         * ftl/FTLIntrinsicRepository.h:
2231         * ftl/FTLLowerDFGToLLVM.cpp:
2232         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
2233         (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
2234         (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
2235         (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
2236         (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
2237         (JSC::FTL::LowerDFGToLLVM::compare):
2238         (JSC::FTL::LowerDFGToLLVM::nonSpeculativeCompare):
2239         * ftl/FTLOutput.h:
2240         (JSC::FTL::Output::icmp):
2241         (JSC::FTL::Output::equal):
2242         (JSC::FTL::Output::notEqual):
2243         (JSC::FTL::Output::above):
2244         (JSC::FTL::Output::aboveOrEqual):
2245         (JSC::FTL::Output::below):
2246         (JSC::FTL::Output::belowOrEqual):
2247         (JSC::FTL::Output::greaterThan):
2248         (JSC::FTL::Output::greaterThanOrEqual):
2249         (JSC::FTL::Output::lessThan):
2250         (JSC::FTL::Output::lessThanOrEqual):
2251         (JSC::FTL::Output::fcmp):
2252         (JSC::FTL::Output::doubleEqual):
2253         (JSC::FTL::Output::doubleNotEqualOrUnordered):
2254         (JSC::FTL::Output::doubleLessThan):
2255         (JSC::FTL::Output::doubleLessThanOrEqual):
2256         (JSC::FTL::Output::doubleGreaterThan):
2257         (JSC::FTL::Output::doubleGreaterThanOrEqual):
2258         (JSC::FTL::Output::doubleEqualOrUnordered):
2259         (JSC::FTL::Output::doubleNotEqual):
2260         (JSC::FTL::Output::doubleLessThanOrUnordered):
2261         (JSC::FTL::Output::doubleLessThanOrEqualOrUnordered):
2262         (JSC::FTL::Output::doubleGreaterThanOrUnordered):
2263         (JSC::FTL::Output::doubleGreaterThanOrEqualOrUnordered):
2264         * tests/stress/untyped-equality.js: Added.
2265         (foo):
2266         * tests/stress/untyped-less-than.js: Added.
2267         (foo):
2268
2269 2013-12-07  Filip Pizlo  <fpizlo@apple.com>
2270
2271         Fold typedArray.length if typedArray is constant
2272         https://bugs.webkit.org/show_bug.cgi?id=125252
2273
2274         Reviewed by Sam Weinig.
2275         
2276         This was meant to be easy. The problem is that there was no good place for putting
2277         the folding of typedArray.length to a constant. You can't quite do it in the
2278         bytecode parser because at that point you don't yet know if typedArray is really
2279         a typed array. You can't do it as part of constant folding because the folder
2280         assumes that it can opportunistically forward-flow a constant value without changing
2281         the IR; this doesn't work since we need to first change the IR to register a
2282         desired watchpoint and only after that can we introduce that constant. We could have
2283         done it in Fixup but that would have been awkward since Fixup's code for turning a
2284         GetById of "length" into GetArrayLength is already somewhat complex. We could have
2285         done it in CSE but CSE is already fairly gnarly and will probably get rewritten.
2286         
2287         So I introduced a new phase, called StrengthReduction. This phase should have any
2288         transformations that don't require CFA or CSE and that it would be weird to put into
2289         those other phases.
2290         
2291         I also took the opportunity to refactor some of the other folding code.
2292         
2293         This also adds a test, but the test couldn't quite be a LayoutTests/js/regress so I
2294         introduced the notion of JavaScriptCore/tests/stress.
2295         
2296         The goal of this patch isn't really to improve performance or anything like that.
2297         It adds an optimization for completeness, and in doing so it unlocks a bunch of new
2298         possibilities. The one that I'm most excited about is revealing array length checks
2299         in DFG IR, which will allow for array bounds check hoisting and elimination.
2300
2301         * CMakeLists.txt:
2302         * GNUmakefile.list.am:
2303         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2304         * JavaScriptCore.xcodeproj/project.pbxproj:
2305         * dfg/DFGAbstractInterpreterInlines.h:
2306         (JSC::DFG::::executeEffects):
2307         * dfg/DFGClobberize.h:
2308         (JSC::DFG::clobberize):
2309         * dfg/DFGFixupPhase.cpp:
2310         (JSC::DFG::FixupPhase::fixupNode):
2311         * dfg/DFGGraph.cpp:
2312         (JSC::DFG::Graph::tryGetFoldableView):
2313         (JSC::DFG::Graph::tryGetFoldableViewForChild1):
2314         * dfg/DFGGraph.h:
2315         * dfg/DFGNode.h:
2316         (JSC::DFG::Node::hasTypedArray):
2317         (JSC::DFG::Node::typedArray):
2318         * dfg/DFGNodeType.h:
2319         * dfg/DFGPlan.cpp:
2320         (JSC::DFG::Plan::compileInThreadImpl):
2321         * dfg/DFGPredictionPropagationPhase.cpp:
2322         (JSC::DFG::PredictionPropagationPhase::propagate):
2323         * dfg/DFGSafeToExecute.h:
2324         (JSC::DFG::safeToExecute):
2325         * dfg/DFGSpeculativeJIT.cpp:
2326         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
2327         (JSC::DFG::SpeculativeJIT::compileConstantIndexedPropertyStorage):
2328         * dfg/DFGSpeculativeJIT32_64.cpp:
2329         (JSC::DFG::SpeculativeJIT::compile):
2330         * dfg/DFGSpeculativeJIT64.cpp:
2331         (JSC::DFG::SpeculativeJIT::compile):
2332         * dfg/DFGStrengthReductionPhase.cpp: Added.
2333         (JSC::DFG::StrengthReductionPhase::StrengthReductionPhase):
2334         (JSC::DFG::StrengthReductionPhase::run):
2335         (JSC::DFG::StrengthReductionPhase::handleNode):
2336         (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant):
2337         (JSC::DFG::performStrengthReduction):
2338         * dfg/DFGStrengthReductionPhase.h: Added.
2339         * dfg/DFGWatchpointCollectionPhase.cpp:
2340         (JSC::DFG::WatchpointCollectionPhase::handle):
2341         * ftl/FTLCapabilities.cpp:
2342         (JSC::FTL::canCompile):
2343         * ftl/FTLLowerDFGToLLVM.cpp:
2344         (JSC::FTL::LowerDFGToLLVM::compileNode):
2345         (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
2346         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2347         (JSC::FTL::LowerDFGToLLVM::typedArrayLength):
2348         * jsc.cpp:
2349         (GlobalObject::finishCreation):
2350         (functionTransferArrayBuffer):
2351         * runtime/ArrayBufferView.h:
2352         * tests/stress: Added.
2353         * tests/stress/fold-typed-array-properties.js: Added.
2354         (foo):
2355
2356 2013-12-07  peavo@outlook.com  <peavo@outlook.com>
2357
2358         [Win][64-bit] Hitting breakpoint assembler instruction in callToJavaScript.
2359         https://bugs.webkit.org/show_bug.cgi?id=125382
2360
2361         Reviewed by Michael Saboff.
2362
2363         The WinCairo results from run-javascriptcore-tests are the same as the WinCairo 32-bit results, when removing these breakpoints.
2364
2365         * jit/JITStubsMSVC64.asm: Remove breakpoint instructions.
2366
2367 2013-12-06  Filip Pizlo  <fpizlo@apple.com>
2368
2369         FTL should support all of Branch/LogicalNot
2370         https://bugs.webkit.org/show_bug.cgi?id=125370
2371
2372         Reviewed by Mark Hahnenberg.
2373
2374         * ftl/FTLCapabilities.cpp:
2375         (JSC::FTL::canCompile):
2376         * ftl/FTLIntrinsicRepository.h:
2377         * ftl/FTLLowerDFGToLLVM.cpp:
2378         (JSC::FTL::LowerDFGToLLVM::boolify):
2379
2380 2013-12-06  Roger Fong  <roger_fong@apple.com> and Brent Fulgham  <bfulgham@apple.com>
2381
2382         [Win] Support compiling with VS2013
2383         https://bugs.webkit.org/show_bug.cgi?id=125353
2384
2385         Reviewed by Anders Carlsson.
2386
2387         * API/tests/testapi.c: Use C99 defines if available.
2388         * jit/JITOperations.cpp: Don't attempt to define C linkage when
2389         returning a C++ object.
2390
2391 2013-12-06  Filip Pizlo  <fpizlo@apple.com>
2392
2393         FTL should support generic ByVal accesses
2394         https://bugs.webkit.org/show_bug.cgi?id=125368
2395
2396         Reviewed by Mark Hahnenberg.
2397
2398         * dfg/DFGGraph.h:
2399         (JSC::DFG::Graph::isStrictModeFor):
2400         (JSC::DFG::Graph::ecmaModeFor):
2401         * ftl/FTLCapabilities.cpp:
2402         (JSC::FTL::canCompile):
2403         * ftl/FTLIntrinsicRepository.h:
2404         * ftl/FTLLowerDFGToLLVM.cpp:
2405         (JSC::FTL::LowerDFGToLLVM::compileNode):
2406         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2407         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2408
2409 2013-12-06  Filip Pizlo  <fpizlo@apple.com>
2410
2411         FTL should support hole/OOB array accesses
2412         https://bugs.webkit.org/show_bug.cgi?id=118077
2413
2414         Reviewed by Oliver Hunt and Mark Hahnenberg.
2415
2416         * ftl/FTLCapabilities.cpp:
2417         (JSC::FTL::canCompile):
2418         * ftl/FTLIntrinsicRepository.h:
2419         * ftl/FTLLowerDFGToLLVM.cpp:
2420         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2421         (JSC::FTL::LowerDFGToLLVM::baseIndex):
2422
2423 2013-12-06  Michael Saboff  <msaboff@apple.com>
2424
2425         Split sizing of VarArgs frames from loading arguments for the frame
2426         https://bugs.webkit.org/show_bug.cgi?id=125331
2427
2428         Reviewed by Filip Pizlo.
2429
2430         Split loadVarargs into sizeAndAllocFrameForVarargs() and loadVarargs() in
2431         preparation for moving onto the C stack.  sizeAndAllocFrameForVarargs() will
2432         compute the size of the callee frame and allocate it, while loadVarargs()
2433         actually loads the argument values.
2434
2435         As part of moving onto the C stack, sizeAndAllocFrameForVarargs() will be
2436         changed to a function that just computes the size.  The caller will use that
2437         size to allocate the new frame on the stack before calling loadVarargs() and
2438         actually making the call.
2439
2440         * interpreter/Interpreter.cpp:
2441         (JSC::sizeAndAllocFrameForVarargs):
2442         (JSC::loadVarargs):
2443         * interpreter/Interpreter.h:
2444         * jit/JIT.h:
2445         * jit/JITCall.cpp:
2446         (JSC::JIT::compileLoadVarargs):
2447         * jit/JITCall32_64.cpp:
2448         (JSC::JIT::compileLoadVarargs):
2449         * jit/JITInlines.h:
2450         (JSC::JIT::callOperation):
2451         * jit/JITOperations.cpp:
2452         * jit/JITOperations.h:
2453         * llint/LLIntSlowPaths.cpp:
2454         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2455         * llint/LLIntSlowPaths.h:
2456         * llint/LowLevelInterpreter.asm:
2457         * llint/LowLevelInterpreter32_64.asm:
2458         * llint/LowLevelInterpreter64.asm:
2459         * runtime/VM.h:
2460
2461 2013-12-06  Filip Pizlo  <fpizlo@apple.com>
2462
2463         FTL should support all of ValueToInt32
2464         https://bugs.webkit.org/show_bug.cgi?id=125283
2465
2466         Reviewed by Mark Hahnenberg.
2467
2468         * ftl/FTLCapabilities.cpp:
2469         (JSC::FTL::canCompile):
2470         * ftl/FTLLowerDFGToLLVM.cpp:
2471         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
2472         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2473         (JSC::FTL::LowerDFGToLLVM::lowCell):
2474         (JSC::FTL::LowerDFGToLLVM::isCell):
2475
2476 2013-12-06  Filip Pizlo  <fpizlo@apple.com>
2477
2478         FTL shouldn't have a doubleToUInt32 path
2479         https://bugs.webkit.org/show_bug.cgi?id=125360
2480
2481         Reviewed by Mark Hahnenberg.
2482         
2483         This code existed because I incorrectly thought it was necessary. It's now basically
2484         dead.
2485
2486         * ftl/FTLLowerDFGToLLVM.cpp:
2487         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2488
2489 2013-12-06  Laszlo Vidacs  <lac@inf.u-szeged.hu>
2490
2491         Define SHA1 hash size in SHA1.h and use it at various places.
2492         https://bugs.webkit.org/show_bug.cgi?id=125345
2493
2494         Reviewed by Darin Adler.
2495
2496         Use SHA1::hashSize instead of local variables.
2497
2498         * bytecode/CodeBlockHash.cpp:
2499         (JSC::CodeBlockHash::CodeBlockHash): use SHA1::hashSize
2500
2501 2013-12-05  Michael Saboff  <msaboff@apple.com>
2502
2503         REGRESSION(r160213): Crash in js/dom/JSON-parse.html
2504         https://bugs.webkit.org/show_bug.cgi?id=125335
2505
2506         Reviewed by Mark Lam.
2507
2508         Changed _llint_op_catch to materialize the VM via the scope chain instead of 
2509         the CodeBlock.  CallFrames always have a scope chain, but may have a null CodeBlock.
2510
2511         * llint/LowLevelInterpreter32_64.asm:
2512         (_llint_op_catch):
2513         * llint/LowLevelInterpreter64.asm:
2514         (_llint_op_catch):
2515
2516 2013-12-05  Michael Saboff  <msaboff@apple.com>
2517
2518         JSC: Simplify interface between throw and catch handler
2519         https://bugs.webkit.org/show_bug.cgi?id=125328
2520
2521         Reviewed by Geoffrey Garen.
2522
2523         Simplified the throw - catch interface.  The throw side is only responsible for
2524         jumping to the appropriate op_catch handler or returnFromJavaScript for uncaught
2525         exceptions.  The handler uses the exception values like VM.callFrameForThrow
2526         as appropriate and no longer relies on the throw side putting anything in
2527         registers.
2528
2529         * jit/CCallHelpers.h:
2530         (JSC::CCallHelpers::jumpToExceptionHandler):
2531         * jit/JITOpcodes.cpp:
2532         (JSC::JIT::emit_op_catch):
2533         * jit/JITOpcodes32_64.cpp:
2534         (JSC::JIT::emit_op_catch):
2535         * llint/LowLevelInterpreter32_64.asm:
2536         (_llint_op_catch):
2537         (_llint_throw_from_slow_path_trampoline):
2538         * llint/LowLevelInterpreter64.asm:
2539         (_llint_op_catch):
2540         (_llint_throw_from_slow_path_trampoline):
2541
2542 2013-12-04  Oliver Hunt  <oliver@apple.com>
2543
2544         Refactor static getter function prototype to include thisValue in addition to the base object
2545         https://bugs.webkit.org/show_bug.cgi?id=124461
2546
2547         Reviewed by Geoffrey Garen.
2548
2549         Add thisValue parameter to static getter prototype, and switch
2550         from JSValue to EncodedJSValue for parameters and return value.
2551
2552         Currently none of the static getters use the thisValue, but
2553         separating out the refactoring will prevent future changes
2554         from getting lost in the noise of refactoring.  This means
2555         that this patch does not result in any change in behaviour.
2556
2557         * API/JSCallbackObject.h:
2558         * API/JSCallbackObjectFunctions.h:
2559         (JSC::::asCallbackObject):
2560         (JSC::::staticFunctionGetter):
2561         (JSC::::callbackGetter):
2562         * jit/JITOperations.cpp:
2563         * runtime/JSActivation.cpp:
2564         (JSC::JSActivation::argumentsGetter):
2565         * runtime/JSActivation.h:
2566         * runtime/JSFunction.cpp:
2567         (JSC::JSFunction::argumentsGetter):
2568         (JSC::JSFunction::callerGetter):
2569         (JSC::JSFunction::lengthGetter):
2570         (JSC::JSFunction::nameGetter):
2571         * runtime/JSFunction.h:
2572         * runtime/JSObject.h:
2573         (JSC::PropertySlot::getValue):
2574         * runtime/NumberConstructor.cpp:
2575         (JSC::numberConstructorNaNValue):
2576         (JSC::numberConstructorNegInfinity):
2577         (JSC::numberConstructorPosInfinity):
2578         (JSC::numberConstructorMaxValue):
2579         (JSC::numberConstructorMinValue):
2580         * runtime/PropertySlot.h:
2581         * runtime/RegExpConstructor.cpp:
2582         (JSC::asRegExpConstructor):
2583         (JSC::regExpConstructorDollar1):
2584         (JSC::regExpConstructorDollar2):
2585         (JSC::regExpConstructorDollar3):
2586         (JSC::regExpConstructorDollar4):
2587         (JSC::regExpConstructorDollar5):
2588         (JSC::regExpConstructorDollar6):
2589         (JSC::regExpConstructorDollar7):
2590         (JSC::regExpConstructorDollar8):
2591         (JSC::regExpConstructorDollar9):
2592         (JSC::regExpConstructorInput):
2593         (JSC::regExpConstructorMultiline):
2594         (JSC::regExpConstructorLastMatch):
2595         (JSC::regExpConstructorLastParen):
2596         (JSC::regExpConstructorLeftContext):
2597         (JSC::regExpConstructorRightContext):
2598         * runtime/RegExpObject.cpp:
2599         (JSC::asRegExpObject):
2600         (JSC::regExpObjectGlobal):
2601         (JSC::regExpObjectIgnoreCase):
2602         (JSC::regExpObjectMultiline):
2603         (JSC::regExpObjectSource):
2604
2605 2013-12-04  Filip Pizlo  <fpizlo@apple.com>
2606
2607         FTL should use cvttsd2si directly for double-to-int32 conversions
2608         https://bugs.webkit.org/show_bug.cgi?id=125275
2609
2610         Reviewed by Michael Saboff.
2611         
2612         Wow. This was an ordeal. Using cvttsd2si was actually easy, but I learned, and
2613         sometimes even fixed, some interesting things:
2614         
2615         - The llvm.x86.sse2.cvttsd2si intrinsic can actually result in LLVM emitting a
2616           vcvttsd2si. I guess the intrinsic doesn't actually imply the instruction.
2617         
2618         - That whole thing about branchTruncateDoubleToUint32? Yeah we don't need that. It's
2619           better to use branchTruncateDoubleToInt32 instead. It has the right semantics for
2620           all of its callers (err, its one-and-only caller), and it's more likely to take
2621           fast path. This patch kills branchTruncateDoubleToUint32.
2622         
2623         - "a[i] = v; v = a[i]". Does this change v? OK, assume that 'a[i]' is a pure-ish
2624           operation - like an array access with 'i' being an integer index and we're not
2625           having a bad time. Now does this change v? CSE assumes that it doesn't. That's
2626           wrong. If 'a' is a typed array - the most sensible and pure kind of array - then
2627           this can be a truncating cast. For example 'v' could be a double and 'a' could be
2628           an integer array.
2629         
2630         - "v1 = a[i]; v2 = a[i]". Is v1 === v2 assuming that 'a[i]' is pure-ish? The answer
2631           is no. You could have a different arrayMode in each access. I know this sounds
2632           weird, but with concurrent JIT that might happen.
2633         
2634         This patch adds tests for all of this stuff, except for the first issue (it's weird
2635         but probably doesn't matter) and the last issue (it's too much of a freakshow).
2636
2637         * assembler/MacroAssemblerARM64.h:
2638         * assembler/MacroAssemblerARMv7.h:
2639         * assembler/MacroAssemblerX86Common.h:
2640         * dfg/DFGCSEPhase.cpp:
2641         (JSC::DFG::CSEPhase::getByValLoadElimination):
2642         (JSC::DFG::CSEPhase::performNodeCSE):
2643         * dfg/DFGSpeculativeJIT.cpp:
2644         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
2645         * ftl/FTLAbbreviations.h:
2646         (JSC::FTL::vectorType):
2647         (JSC::FTL::getUndef):
2648         (JSC::FTL::buildInsertElement):
2649         * ftl/FTLIntrinsicRepository.h:
2650         * ftl/FTLLowerDFGToLLVM.cpp:
2651         (JSC::FTL::LowerDFGToLLVM::doubleToInt32):
2652         (JSC::FTL::LowerDFGToLLVM::doubleToUInt32):
2653         (JSC::FTL::LowerDFGToLLVM::sensibleDoubleToInt32):
2654         * ftl/FTLOutput.h:
2655         (JSC::FTL::Output::insertElement):
2656         (JSC::FTL::Output::hasSensibleDoubleToInt):
2657         (JSC::FTL::Output::sensibleDoubleToInt):
2658
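        The "a[i] = v; v = a[i]" hazard described in the entry above, as an added example that is not part of the ChangeLog or of WebKit's own test suite: a store to a typed array is a truncating cast, so a load-elimination pass that forwards the stored value instead of re-reading the element returns the wrong result. The helpers (storeLoadRoundTrip, checkRoundTrip, stressRoundTrip) are assumed names written for this illustration; the stress loop mirrors the idea behind JavaScriptCore's tests/stress directory by repeating the operation enough times for a tiering JIT to compile it and comparing every result with the first run.

```javascript
// Added example, not WebKit code. Shows why CSE must not treat "a[i] = v; v = a[i]"
// as leaving v unchanged when a is a typed array: the store is a truncating cast.

// The pattern under discussion: store, then immediately reload the same element.
function storeLoadRoundTrip(array, index, value) {
  array[index] = value;
  return array[index];
}

// ECMAScript ToInt32 reference (modulo 2^32, wrapped to a signed 32-bit value).
// Used to predict what an Int32Array element store will hold.
function toInt32(x) {
  return x | 0;
}

// Runs the round trip once and reports whether the value survived.
// Object.is is used so that NaN compares equal to itself.
function checkRoundTrip(arrayCtor, value) {
  const a = new arrayCtor(4);
  const loaded = storeLoadRoundTrip(a, 1, value);
  return { stored: value, loaded: loaded, preserved: Object.is(loaded, value) };
}

// Stress-style check: the first (interpreted) run is the ground truth; every
// later iteration, which a tiering JIT may have optimised, must agree with it.
function stressRoundTrip(arrayCtor, value, iterations = 100000) {
  const a = new arrayCtor(4);
  const expected = storeLoadRoundTrip(a, 0, value);
  for (let i = 0; i < iterations; i++) {
    if (!Object.is(storeLoadRoundTrip(a, 0, value), expected)) {
      return false; // an optimising tier forwarded the unconverted value
    }
  }
  return true;
}

// Cases where the element type changes the value, plus two where it does not.
function demo() {
  return [
    checkRoundTrip(Int32Array, 1.5),          // loaded 1: fraction dropped
    checkRoundTrip(Int32Array, 2 ** 32 + 3),  // loaded 3: wraps modulo 2^32
    checkRoundTrip(Int32Array, NaN),          // loaded 0: ToInt32(NaN)
    checkRoundTrip(Uint8Array, 300),          // loaded 44: 300 mod 256
    checkRoundTrip(Uint8ClampedArray, 300),   // loaded 255: clamped
    checkRoundTrip(Float32Array, 0.1),        // loaded Math.fround(0.1)
    checkRoundTrip(Float64Array, 0.1),        // preserved
    checkRoundTrip(Array, 1.5),               // plain array: preserved
  ];
}
```

        Every entry in demo() whose preserved flag is false is a case where forwarding the stored value would be a miscompile; the Float64Array and plain Array rows show that the hazard is specific to element types that convert on store, which is exactly the distinction the CSE fix in this entry has to make.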
2659 2013-12-05  Commit Queue  <commit-queue@webkit.org>
2660
2661         Unreviewed, rolling out r160133.
2662         http://trac.webkit.org/changeset/160133
2663         https://bugs.webkit.org/show_bug.cgi?id=125325
2664
2665         broke bindings tests on all the bots (Requested by thorton on
2666         #webkit).
2667
2668         * API/JSCallbackObject.h:
2669         * API/JSCallbackObjectFunctions.h:
2670         (JSC::::staticFunctionGetter):
2671         (JSC::::callbackGetter):
2672         * jit/JITOperations.cpp:
2673         * runtime/JSActivation.cpp:
2674         (JSC::JSActivation::argumentsGetter):
2675         * runtime/JSActivation.h:
2676         * runtime/JSFunction.cpp:
2677         (JSC::JSFunction::argumentsGetter):
2678         (JSC::JSFunction::callerGetter):
2679         (JSC::JSFunction::lengthGetter):
2680         (JSC::JSFunction::nameGetter):
2681         * runtime/JSFunction.h:
2682         * runtime/JSObject.h:
2683         (JSC::PropertySlot::getValue):
2684         * runtime/NumberConstructor.cpp:
2685         (JSC::numberConstructorNaNValue):
2686         (JSC::numberConstructorNegInfinity):
2687         (JSC::numberConstructorPosInfinity):
2688         (JSC::numberConstructorMaxValue):
2689         (JSC::numberConstructorMinValue):
2690         * runtime/PropertySlot.h:
2691         * runtime/RegExpConstructor.cpp:
2692         (JSC::regExpConstructorDollar1):
2693         (JSC::regExpConstructorDollar2):
2694         (JSC::regExpConstructorDollar3):
2695         (JSC::regExpConstructorDollar4):
2696         (JSC::regExpConstructorDollar5):
2697         (JSC::regExpConstructorDollar6):
2698         (JSC::regExpConstructorDollar7):
2699         (JSC::regExpConstructorDollar8):
2700         (JSC::regExpConstructorDollar9):
2701         (JSC::regExpConstructorInput):
2702         (JSC::regExpConstructorMultiline):
2703         (JSC::regExpConstructorLastMatch):
2704         (JSC::regExpConstructorLastParen):
2705         (JSC::regExpConstructorLeftContext):
2706         (JSC::regExpConstructorRightContext):
2707         * runtime/RegExpObject.cpp:
2708         (JSC::regExpObjectGlobal):
2709         (JSC::regExpObjectIgnoreCase):
2710         (JSC::regExpObjectMultiline):
2711         (JSC::regExpObjectSource):
2712
2713 2013-12-05  Mark Lam  <mark.lam@apple.com>
2714
2715         Make the C Loop LLINT work with callToJavaScript.
2716         https://bugs.webkit.org/show_bug.cgi?id=125294
2717
2718         Reviewed by Michael Saboff.
2719
2720         1. Changed the C Loop LLINT to dispatch to an Executable via its JITCode
2721            instance which is consistent with how the ASM LLINT works.
2722         2. Changed CLoop::execute() to take an Opcode instead of an OpcodeID.
2723            This makes it play nice with the use of JITCode for dispatching.
2724         3. Introduce a callToJavaScript and callToNativeFunction for the C Loop
2725            LLINT. These will call JSStack::pushFrame() and popFrame() to set up
2726            and teardown the CallFrame.
2727         4. Also introduced a C Loop returnFromJavaScript which is just a
2728            replacement for ctiOpThrowNotCaught which had the same function.
2729         5. Remove a lot of #if ENABLE(LLINT_C_LOOP) code now that the dispatch
2730            mechanism is consistent.
2731
2732         This patch has been tested with both configurations of COMPUTED_GOTOs
2733         on and off.
2734
2735         * interpreter/CachedCall.h:
2736         (JSC::CachedCall::CachedCall):
2737         (JSC::CachedCall::call):
2738         (JSC::CachedCall::setArgument):
2739         * interpreter/CallFrameClosure.h:
2740         (JSC::CallFrameClosure::setThis):
2741         (JSC::CallFrameClosure::setArgument):
2742         (JSC::CallFrameClosure::resetCallFrame):
2743         * interpreter/Interpreter.cpp:
2744         (JSC::Interpreter::execute):
2745         (JSC::Interpreter::executeCall):
2746         (JSC::Interpreter::executeConstruct):
2747         (JSC::Interpreter::prepareForRepeatCall):
2748         * interpreter/Interpreter.h:
2749         * interpreter/JSStack.h:
2750         * interpreter/JSStackInlines.h:
2751         (JSC::JSStack::pushFrame):
2752         * interpreter/ProtoCallFrame.h:
2753         (JSC::ProtoCallFrame::scope):
2754         (JSC::ProtoCallFrame::callee):
2755         (JSC::ProtoCallFrame::thisValue):
2756         (JSC::ProtoCallFrame::argument):
2757         (JSC::ProtoCallFrame::setArgument):
2758         * jit/JITCode.cpp:
2759         (JSC::JITCode::execute):
2760         * jit/JITCode.h:
2761         * jit/JITExceptions.cpp:
2762         (JSC::genericUnwind):
2763         * llint/LLIntCLoop.cpp:
2764         (JSC::LLInt::CLoop::initialize):
2765         * llint/LLIntCLoop.h:
2766         * llint/LLIntEntrypoint.cpp:
2767         (JSC::LLInt::setFunctionEntrypoint):
2768         (JSC::LLInt::setEvalEntrypoint):
2769         (JSC::LLInt::setProgramEntrypoint):
2770         - Inverted the check for vm.canUseJIT(). This allows the JIT case to be
2771           #if'd out nicely when building the C Loop LLINT.
2772         * llint/LLIntOpcode.h:
2773         * llint/LLIntThunks.cpp:
2774         (JSC::doCallToJavaScript):
2775         (JSC::executeJS):
2776         (JSC::callToJavaScript):
2777         (JSC::executeNative):
2778         (JSC::callToNativeFunction):
2779         * llint/LLIntThunks.h:
2780         * llint/LowLevelInterpreter.cpp:
2781         (JSC::CLoop::execute):
2782         * runtime/Executable.h:
2783         (JSC::ExecutableBase::offsetOfNumParametersFor):
2784         (JSC::ExecutableBase::hostCodeEntryFor):
2785         (JSC::ExecutableBase::jsCodeEntryFor):
2786         (JSC::ExecutableBase::jsCodeWithArityCheckEntryFor):
2787         (JSC::NativeExecutable::create):
2788         (JSC::NativeExecutable::finishCreation):
2789         (JSC::ProgramExecutable::generatedJITCode):
2790         * runtime/JSArray.cpp:
2791         (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key):
2792         * runtime/StringPrototype.cpp:
2793         (JSC::replaceUsingRegExpSearch):
2794         * runtime/VM.cpp:
2795         (JSC::VM::getHostFunction):
2796
2797 2013-12-05  Laszlo Vidacs  <lac@inf.u-szeged.hu>
2798
2799         Fix JavaScriptCore build if cloop is enabled after r160094
2800         https://bugs.webkit.org/show_bug.cgi?id=125292
2801
2802         Reviewed by Michael Saboff.
2803
2804         Move ProtoCallFrame outside the JIT guard.
2805
2806         * jit/JITCode.h:
2807
2808 2013-12-04  Filip Pizlo  <fpizlo@apple.com>
2809
2810         Fold constant typed arrays
2811         https://bugs.webkit.org/show_bug.cgi?id=125205
2812
2813         Reviewed by Oliver Hunt and Mark Hahnenberg.
2814         
2815         If by some other mechanism we have a typed array access on a compile-time constant
2816         typed array pointer, then fold:
2817         
2818         - Array bounds checks. Specifically, fold the load of length.
2819         
2820         - Loading the vector.
2821         
2822         This needs to install a watchpoint on the array itself because of the possibility of
2823         neutering. Neutering is ridiculous. We do this without bloating the size of
2824         ArrayBuffer or JSArrayBufferView in the common case (i.e. the case where you
2825         allocated an array that didn't end up becoming a compile-time constant). To install
2826         the watchpoint, we slowDownAndWasteMemory and then create an incoming reference to
2827         the ArrayBuffer, where that incoming reference is from a watchpoint object. The
2828         ArrayBuffer already knows about such incoming references and can fire the
2829         watchpoints that way.
2830         
2831         * CMakeLists.txt:
2832         * GNUmakefile.list.am:
2833         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2834         * JavaScriptCore.xcodeproj/project.pbxproj:
2835         * dfg/DFGDesiredWatchpoints.cpp:
2836         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
2837         (JSC::DFG::DesiredWatchpoints::addLazily):
2838         * dfg/DFGDesiredWatchpoints.h:
2839         (JSC::DFG::GenericSetAdaptor::add):
2840         (JSC::DFG::GenericSetAdaptor::hasBeenInvalidated):
2841         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::hasBeenInvalidated):
2842         (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
2843         (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
2844         (JSC::DFG::GenericDesiredWatchpoints::isStillValid):
2845         (JSC::DFG::GenericDesiredWatchpoints::shouldAssumeMixedState):
2846         (JSC::DFG::DesiredWatchpoints::isStillValid):
2847         (JSC::DFG::DesiredWatchpoints::shouldAssumeMixedState):
2848         (JSC::DFG::DesiredWatchpoints::isValidOrMixed):
2849         * dfg/DFGGraph.cpp:
2850         (JSC::DFG::Graph::tryGetFoldableView):
2851         * dfg/DFGGraph.h:
2852         * dfg/DFGSpeculativeJIT.cpp:
2853         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
2854         (JSC::DFG::SpeculativeJIT::emitTypedArrayBoundsCheck):
2855         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
2856         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
2857         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
2858         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
2859         (JSC::DFG::SpeculativeJIT::compileConstantIndexedPropertyStorage):
2860         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
2861         * dfg/DFGSpeculativeJIT.h:
2862         * dfg/DFGWatchpointCollectionPhase.cpp:
2863         (JSC::DFG::WatchpointCollectionPhase::handle):
2864         (JSC::DFG::WatchpointCollectionPhase::addLazily):
2865         * ftl/FTLLowerDFGToLLVM.cpp:
2866         (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
2867         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2868         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2869         (JSC::FTL::LowerDFGToLLVM::typedArrayLength):
2870         * runtime/ArrayBuffer.cpp:
2871         (JSC::ArrayBuffer::transfer):
2872         * runtime/ArrayBufferNeuteringWatchpoint.cpp: Added.
2873         (JSC::ArrayBufferNeuteringWatchpoint::ArrayBufferNeuteringWatchpoint):
2874         (JSC::ArrayBufferNeuteringWatchpoint::~ArrayBufferNeuteringWatchpoint):
2875         (JSC::ArrayBufferNeuteringWatchpoint::finishCreation):
2876         (JSC::ArrayBufferNeuteringWatchpoint::destroy):
2877         (JSC::ArrayBufferNeuteringWatchpoint::create):
2878         (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
2879         * runtime/ArrayBufferNeuteringWatchpoint.h: Added.
2880         (JSC::ArrayBufferNeuteringWatchpoint::set):
2881         * runtime/VM.cpp:
2882         (JSC::VM::VM):
2883         * runtime/VM.h:
2884
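        Added illustration, not part of this ChangeLog entry or of JavaScriptCore's own code: the
        neutering that the new ArrayBufferNeuteringWatchpoint guards against, observed from plain
        JavaScript. Transferring an ArrayBuffer through a MessagePort detaches it, after which the
        view reports length 0 and reads return undefined, so a length or vector pointer folded at
        compile time would be stale. The detach() and demo() helpers and the MessageChannel-based
        transfer are assumptions of this example; it runs under Node.js 15+ (MessageChannel is a
        global there) or in a browser.

```javascript
// Added example; not JavaScriptCore code. Shows the observable effect of
// neutering (detaching) an ArrayBuffer, which is why a compile-time folded
// length or vector pointer must be guarded by a watchpoint on the buffer.

// Detach ("neuter") an ArrayBuffer by transferring it through a MessagePort.
// MessageChannel is a global in Node.js 15+ and in browsers (assumption: the
// transfer list form of postMessage is used to force the detach).
function detach(buffer) {
  const { port1, port2 } = new MessageChannel();
  port1.postMessage(buffer, [buffer]); // transfer: buffer is detached synchronously
  port1.close();
  port2.close();
  return buffer;
}

// Compare what code that folded the view's length at compile time would
// believe against what the runtime actually reports after neutering.
function demo() {
  const buffer = new ArrayBuffer(16);
  const view = new Uint8Array(buffer);
  view[3] = 42;

  const foldedLength = view.length; // "compile-time constant" captured before neutering
  const before = { byteLength: buffer.byteLength, length: view.length, read: view[3] };

  detach(buffer);
  view[3] = 7; // silently ignored on a detached view; no exception is thrown

  const after = { byteLength: buffer.byteLength, length: view.length, read: view[3] };

  // A bounds check against the folded length still admits index 3 even though
  // the backing store is gone; the watchpoint exists to invalidate such code.
  const staleBoundsCheck = 3 < foldedLength;
  const realBoundsCheck = 3 < view.length;
  return { before, after, foldedLength, staleBoundsCheck, realBoundsCheck };
}

console.log(JSON.stringify(demo()));
```

        Running it prints the before/after state; the stale check is true while the real check
        is false, which is exactly the disagreement the watchpoint prevents the JIT from acting on.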
2885 2013-12-04  Commit Queue  <commit-queue@webkit.org>
2886
2887         Unreviewed, rolling out r160116.
2888         http://trac.webkit.org/changeset/160116
2889         https://bugs.webkit.org/show_bug.cgi?id=125264
2890
2891         Change doesn't work as intended. See bug comments for details.
2892         (Requested by bfulgham on #webkit).
2893
2894         * runtime/InitializeThreading.cpp:
2895         (JSC::initializeThreading):
2896
2897 2013-12-04  Oliver Hunt  <oliver@apple.com>
2898
2899         Refactor static getter function prototype to include thisValue in addition to the base object
2900         https://bugs.webkit.org/show_bug.cgi?id=124461
2901
2902         Reviewed by Geoffrey Garen.
2903
2904         Add thisValue parameter to static getter prototype, and switch
2905         from JSValue to EncodedJSValue for parameters and return value.
2906
2907         Currently none of the static getters use the thisValue, but
2908         separating out the refactoring will prevent future changes
2909         from getting lost in the noise of refactoring.  This means
2910         that this patch does not result in any change in behaviour.
2911
2912         * API/JSCallbackObject.h:
2913         * API/JSCallbackObjectFunctions.h:
2914         (JSC::::asCallbackObject):
2915         (JSC::::staticFunctionGetter):
2916         (JSC::::callbackGetter):
2917         * jit/JITOperations.cpp:
2918         * runtime/JSActivation.cpp:
2919         (JSC::JSActivation::argumentsGetter):
2920         * runtime/JSActivation.h:
2921         * runtime/JSFunction.cpp:
2922         (JSC::JSFunction::argumentsGetter):
2923         (JSC::JSFunction::callerGetter):
2924         (JSC::JSFunction::lengthGetter):
2925         (JSC::JSFunction::nameGetter):
2926         * runtime/JSFunction.h:
2927         * runtime/JSObject.h:
2928         (JSC::PropertySlot::getValue):
2929         * runtime/NumberConstructor.cpp:
2930         (JSC::numberConstructorNaNValue):
2931         (JSC::numberConstructorNegInfinity):
2932         (JSC::numberConstructorPosInfinity):
2933         (JSC::numberConstructorMaxValue):
2934         (JSC::numberConstructorMinValue):
2935         * runtime/PropertySlot.h:
2936         * runtime/RegExpConstructor.cpp:
2937         (JSC::asRegExpConstructor):
2938         (JSC::regExpConstructorDollar1):
2939         (JSC::regExpConstructorDollar2):
2940         (JSC::regExpConstructorDollar3):
2941         (JSC::regExpConstructorDollar4):
2942         (JSC::regExpConstructorDollar5):
2943         (JSC::regExpConstructorDollar6):
2944         (JSC::regExpConstructorDollar7):
2945         (JSC::regExpConstructorDollar8):
2946         (JSC::regExpConstructorDollar9):
2947         (JSC::regExpConstructorInput):
2948         (JSC::regExpConstructorMultiline):
2949         (JSC::regExpConstructorLastMatch):
2950         (JSC::regExpConstructorLastParen):
2951         (JSC::regExpConstructorLeftContext):
2952         (JSC::regExpConstructorRightContext):
2953         * runtime/RegExpObject.cpp:
2954         (JSC::asRegExpObject):
2955         (JSC::regExpObjectGlobal):
2956         (JSC::regExpObjectIgnoreCase):
2957         (JSC::regExpObjectMultiline):
2958         (JSC::regExpObjectSource):
2959
2960 2013-12-04  Daniel Bates  <dabates@apple.com>
2961
2962         [iOS] Enable Objective-C ARC when building JSC tools for iOS simulator
2963         https://bugs.webkit.org/show_bug.cgi?id=125170
2964
2965         Reviewed by Geoffrey Garen.
2966
2967         * API/tests/testapi.mm:
2968         * Configurations/ToolExecutable.xcconfig:
2969
2970 2013-12-04  peavo@outlook.com  <peavo@outlook.com>
2971
2972         Use ThreadingOnce class to encapsulate pthread_once functionality.
2973         https://bugs.webkit.org/show_bug.cgi?id=125228
2974
2975         Reviewed by Brent Fulgham.
2976
2977         * runtime/InitializeThreading.cpp:
2978         (JSC::initializeThreading):
2979
2980 2013-12-04  Mark Lam  <mark.lam@apple.com>
2981
2982         Remove unneeded semicolons.
2983         https://bugs.webkit.org/show_bug.cgi?id=125083.
2984
2985         Rubber-stamped by Filip Pizlo.
2986
2987         * debugger/Debugger.h:
2988         (JSC::Debugger::detach):
2989         (JSC::Debugger::sourceParsed):
2990         (JSC::Debugger::exception):
2991         (JSC::Debugger::atStatement):
2992         (JSC::Debugger::callEvent):
2993         (JSC::Debugger::returnEvent):
2994         (JSC::Debugger::willExecuteProgram):
2995         (JSC::Debugger::didExecuteProgram):
2996         (JSC::Debugger::didReachBreakpoint):
2997
2998 2013-12-04  Andy Estes  <aestes@apple.com>
2999
3000         [iOS] Build projects with $(ARCHS_STANDARD_32_64_BIT)
3001         https://bugs.webkit.org/show_bug.cgi?id=125236
3002
3003         Reviewed by Sam Weinig.
3004
3005         $(ARCHS_STANDARD_32_64_BIT) is what we want for both device and simulator builds.
3006
3007         * Configurations/DebugRelease.xcconfig:
3008
3009 2013-12-03  Filip Pizlo  <fpizlo@apple.com>
3010
3011         Infer constant closure variables
3012         https://bugs.webkit.org/show_bug.cgi?id=124630
3013
3014         Reviewed by Geoffrey Garen.
3015         
3016         Captured variables that are assigned once (not counting op_enter's Undefined
3017         initialization) and that are contained within a function that has thus far only been
3018         entered once are now constant folded. It's pretty awesome.
3019         
3020         This involves a watchpoint on the assignment to variables and a watchpoint on entry
3021         into the function. The former is reused from global variable constant inference and the
3022         latter is reused from one-time closure inference.
3023
3024         * GNUmakefile.list.am:
3025         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3026         * JavaScriptCore.xcodeproj/project.pbxproj:
3027         * bytecode/CodeBlock.cpp:
3028         (JSC::CodeBlock::dumpBytecode):
3029         (JSC::CodeBlock::CodeBlock):
3030         * bytecode/Instruction.h:
3031         (JSC::Instruction::Instruction):
3032         * bytecode/Opcode.h:
3033         (JSC::padOpcodeName):
3034         * bytecode/UnlinkedCodeBlock.h:
3035         (JSC::UnlinkedInstruction::UnlinkedInstruction):
3036         * bytecode/VariableWatchpointSet.h:
3037         (JSC::VariableWatchpointSet::invalidate):
3038         * bytecode/Watchpoint.h:
3039         (JSC::WatchpointSet::invalidate):
3040         * bytecompiler/BytecodeGenerator.cpp:
3041         (JSC::BytecodeGenerator::addVar):
3042         (JSC::BytecodeGenerator::BytecodeGenerator):
3043         (JSC::BytecodeGenerator::emitInitLazyRegister):
3044         (JSC::BytecodeGenerator::emitMove):
3045         (JSC::BytecodeGenerator::emitNewFunctionInternal):
3046         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
3047         * bytecompiler/BytecodeGenerator.h:
3048         (JSC::BytecodeGenerator::addVar):
3049         (JSC::BytecodeGenerator::watchableVariable):
3050         * dfg/DFGByteCodeParser.cpp:
3051         (JSC::DFG::ByteCodeParser::getLocal):
3052         (JSC::DFG::ByteCodeParser::inferredConstant):
3053         (JSC::DFG::ByteCodeParser::parseBlock):
3054         (JSC::DFG::ByteCodeParser::parse):
3055         * dfg/DFGGraph.cpp:
3056         (JSC::DFG::Graph::tryGetActivation):
3057         (JSC::DFG::Graph::tryGetRegisters):
3058         * dfg/DFGGraph.h:
3059         * jit/JIT.cpp:
3060         (JSC::JIT::privateCompileMainPass):
3061         (JSC::JIT::privateCompileSlowCases):
3062         * jit/JIT.h:
3063         * jit/JITOpcodes.cpp:
3064         (JSC::JIT::emit_op_mov):
3065         (JSC::JIT::emit_op_captured_mov):
3066         (JSC::JIT::emit_op_new_captured_func):
3067         (JSC::JIT::emitSlow_op_captured_mov):
3068         * jit/JITOpcodes32_64.cpp:
3069         (JSC::JIT::emit_op_mov):
3070         (JSC::JIT::emit_op_captured_mov):
3071         * llint/LowLevelInterpreter32_64.asm:
3072         * llint/LowLevelInterpreter64.asm:
3073         * runtime/CommonSlowPaths.cpp:
3074         (JSC::SLOW_PATH_DECL):
3075         * runtime/CommonSlowPaths.h:
3076         * runtime/ConstantMode.h: Added.
3077         * runtime/JSGlobalObject.h:
3078         * runtime/JSScope.cpp:
3079         (JSC::abstractAccess):
3080         * runtime/SymbolTable.cpp:
3081         (JSC::SymbolTableEntry::prepareToWatch):
3082
3083 2013-12-04  Brent Fulgham  <bfulgham@apple.com>
3084
3085         [Win] Unreviewed project file gardening.
3086
3087         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Remove deleted files from project.
3088         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Put files in proper directory
3089         folders to match the directory structure of the source code.
3090
3091 2013-12-04  Joseph Pecoraro  <pecoraro@apple.com>
3092
3093         Unreviewed Windows Build Fix attempt after r160099.
3094
3095         * JavaScriptCore.vcxproj/copy-files.cmd:
3096
3097 2013-12-04  Julien Brianceau  <jbriance@cisco.com>
3098
3099         REGRESSION (r160094): Fix lots of crashes for sh4 architecture.
3100         https://bugs.webkit.org/show_bug.cgi?id=125227
3101
3102         Reviewed by Michael Saboff.
3103
3104         * llint/LowLevelInterpreter32_64.asm: Do not use t4 and t5 as they match a0 and a1.
3105         * offlineasm/registers.rb: Add t7, t8 and t9 in register list for sh4 port.
3106         * offlineasm/sh4.rb: Rearrange RegisterID list and add the missing ones.
3107
3108 2013-12-03  Joseph Pecoraro  <pecoraro@apple.com>
3109
3110         Web Inspector: Push Remote Inspector debugging connection management into JavaScriptCore
3111         https://bugs.webkit.org/show_bug.cgi?id=124613
3112
3113         Reviewed by Timothy Hatcher.
3114
3115         Move the ENABLE(REMOTE_INSPECTOR) remote debugger connection management
3116         into JavaScriptCore (originally from WebKit/mac). Include enhancements:
3117
3118           * allow for different types of remote debuggable targets,
3119             eventually at least a JSContext, WebView, WKView.
3120           * allow debuggables to be registered and debugged on any thread. Unlike
3121             WebViews, JSContexts may be run entirely off of the main thread.
3122           * move the remote connection (XPC connection) itself off of the main thread,
3123             it doesn't need to be on the main thread.
3124
3125         Make JSContext @class and JavaScriptCore::JSContextRef
3126         "JavaScript" Remote Debuggables.
3127
3128         * inspector/remote/RemoteInspectorDebuggable.h: Added.
3129         * inspector/remote/RemoteInspectorDebuggable.cpp: Added.
3130         (Inspector::RemoteInspectorDebuggable::RemoteInspectorDebuggable):
3131         (Inspector::RemoteInspectorDebuggable::~RemoteInspectorDebuggable):
3132         (Inspector::RemoteInspectorDebuggable::init):
3133         (Inspector::RemoteInspectorDebuggable::update):
3134         (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
3135         (Inspector::RemoteInspectorDebuggable::info):
3136         RemoteInspectorDebuggable defines a debuggable target. As long as
3137         something creates a debuggable and is set to allow remote inspection
3138         it will be listed in remote debuggers. For the different types of
3139         debuggables (JavaScript and Web) there is different basic information
3140         that may be listed.
3141
3142         * inspector/InspectorFrontendChannel.h: Added.
3143         (Inspector::InspectorFrontendChannel::~InspectorFrontendChannel):
        The only thing a debuggable needs for remote debugging is an
        InspectorFrontendChannel, a way to send messages to a remote frontend.
3146         This class provides that method, and is vended to the
3147         RemoteInspectorDebuggable when a remote connection is setup.
3148
3149         * inspector/remote/RemoteInspector.h: Added.
3150         * inspector/remote/RemoteInspector.mm: Added.
3151         Singleton, created at least when the first Debuggable is created.
3152         This class manages the list of debuggables, any connection to a
3153         remote debugger proxy (XPC service "com.apple.webinspector").
3154
3155         (Inspector::dispatchAsyncOnQueueSafeForAnyDebuggable):
3156         (Inspector::RemoteInspector::shared):
3157         (Inspector::RemoteInspector::RemoteInspector):
3158         (Inspector::RemoteInspector::nextAvailableIdentifier):
3159         (Inspector::RemoteInspector::registerDebuggable):
3160         (Inspector::RemoteInspector::unregisterDebuggable):
3161         (Inspector::RemoteInspector::updateDebuggable):
3162         Debuggable management. When debuggables are added, removed, or updated
3163         we stash a copy of the debuggable information and push an update to
3164         debuggers. Stashing a copy of the information in the RemoteInspector
3165         is a thread safe way to avoid walking over all debuggables to gather
3166         the information when it is needed.
3167
3168         (Inspector::RemoteInspector::start):
3169         (Inspector::RemoteInspector::stop):
3170         Runtime API to enable / disable the feature.
3171
3172         (Inspector::RemoteInspector::listingForDebuggable):
3173         (Inspector::RemoteInspector::pushListingNow):
3174         (Inspector::RemoteInspector::pushListingSoon):
3175         Pushing a listing to remote debuggers.
3176
3177         (Inspector::RemoteInspector::sendMessageToRemoteFrontend):
3178         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
3179         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
3180         (Inspector::RemoteInspector::xpcConnectionFailed):
3181         (Inspector::RemoteInspector::xpcConnectionUnhandledMessage):
3182         XPC setup, send, and receive handling.
3183
3184         (Inspector::RemoteInspector::updateHasActiveDebugSession):
3185         Applications being debugged may want to know when a debug
3186         session is active. This provides that notification.
3187
3188         (Inspector::RemoteInspector::receivedSetupMessage):
3189         (Inspector::RemoteInspector::receivedDataMessage):
3190         (Inspector::RemoteInspector::receivedDidCloseMessage):
3191         (Inspector::RemoteInspector::receivedGetListingMessage):
3192         (Inspector::RemoteInspector::receivedIndicateMessage):
3193         (Inspector::RemoteInspector::receivedConnectionDiedMessage):
3194         Dispatching incoming remote debugging protocol messages.
3195         These are wrapping above the inspector protocol messages.
3196
3197         * inspector/remote/RemoteInspectorConstants.h: Added.
3198         Protocol messages and dictionary keys inside the messages.
3199
3200         (Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo):
3201         * inspector/remote/RemoteInspectorDebuggableConnection.h: Added.
3202         * inspector/remote/RemoteInspectorDebuggableConnection.mm: Added.
3203         This is a connection between the RemoteInspector singleton and a RemoteInspectorDebuggable.
3204
3205         (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
3206         (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
3207         Allow for dispatching messages on JavaScript debuggables on a dispatch_queue
3208         instead of the main queue.
3209
3210         (Inspector::RemoteInspectorDebuggableConnection::destination):
3211         (Inspector::RemoteInspectorDebuggableConnection::connectionIdentifier):
3212         Needed in the remote debugging protocol to identify the remote debugger.
3213
3214         (Inspector::RemoteInspectorDebuggableConnection::dispatchSyncOnDebuggable):
3215         (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
3216         (Inspector::RemoteInspectorDebuggableConnection::setup):
3217         (Inspector::RemoteInspectorDebuggableConnection::closeFromDebuggable):
3218         (Inspector::RemoteInspectorDebuggableConnection::close):
3219         (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
3220         (Inspector::RemoteInspectorDebuggableConnection::sendMessageToFrontend):
3221         The connection is a thin channel between the two sides that can be closed
3222         from either side, so there is some logic around multi-threaded access.
3223
3224         * inspector/remote/RemoteInspectorXPCConnection.h: Added.
3225         (Inspector::RemoteInspectorXPCConnection::Client::~Client):
3226         * inspector/remote/RemoteInspectorXPCConnection.mm: Added.
3227         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
3228         (Inspector::RemoteInspectorXPCConnection::~RemoteInspectorXPCConnection):
3229         (Inspector::RemoteInspectorXPCConnection::close):
3230         (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
3231         (Inspector::RemoteInspectorXPCConnection::handleEvent):
3232         (Inspector::RemoteInspectorXPCConnection::sendMessage):
3233         This is a connection between the RemoteInspector singleton and an XPC service
3234         named "com.apple.webinspector". This handles serialization of the dictionary
3235         messages to and from the service. The receiving is done on a non-main queue.
3236
3237         * API/JSContext.h:
3238         * API/JSContext.mm:
3239         (-[JSContext name]):
3240         (-[JSContext setName:]):
3241         ObjC API to enable/disable JSContext remote inspection and give a name.
3242
3243         * API/JSContextRef.h:
3244         * API/JSContextRef.cpp:
3245         (JSGlobalContextGetName):
3246         (JSGlobalContextSetName):
3247         C API to give a JSContext a name.
3248
3249         * runtime/JSGlobalObject.cpp:
3250         (JSC::JSGlobalObject::setName):
3251         * runtime/JSGlobalObject.h:
3252         (JSC::JSGlobalObject::name):
3253         Shared handling of the APIs above.
3254
3255         * runtime/JSGlobalObjectDebuggable.cpp: Added.
3256         (JSC::JSGlobalObjectDebuggable::JSGlobalObjectDebuggable):
3257         (JSC::JSGlobalObjectDebuggable::name):
3258         (JSC::JSGlobalObjectDebuggable::connect):
3259         (JSC::JSGlobalObjectDebuggable::disconnect):
3260         (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
3261         * runtime/JSGlobalObjectDebuggable.h: Added.
3262         Stub for the actual remote debugging implementation. We will push
        down the appropriate WebCore/inspector pieces suitable for debugging
3264         just a JavaScript context.
3265
3266         * CMakeLists.txt:
3267         * JavaScriptCore.xcodeproj/project.pbxproj:
3268         * GNUmakefile.am:
3269         * GNUmakefile.list.am:
3270         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3271         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3272         Update build files.
3273
3274 2013-12-04  Michael Saboff  <msaboff@apple.com>
3275
3276         Move the setting up of callee's callFrame from pushFrame to callToJavaScript thunk
3277         https://bugs.webkit.org/show_bug.cgi?id=123999
3278
3279         Reviewed by Filip Pizlo.
3280
3281         Changed LLInt and/or JIT enabled ports to allocate the stack frame in the
3282         callToJavaScript stub.  Added an additional stub, callToNativeFunction that
3283         allocates a stack frame in a similar way for calling native entry points
3284         that take a single ExecState* argument.  These stubs are implemented
3285         using common macros in LowLevelInterpreter{32_64,64}.asm.  There are also
3286         Windows X86 and X86-64 versions in the corresponding JitStubsXX.h.
3287         The stubs allocate and create a sentinel frame, then create the callee's
        frame, populating the header and arguments from the passed in ProtoCallFrame*.
3289         It is assumed that the caller of either stub does a check for enough stack space
3290         via JSStack::entryCheck().
3291
3292         For ports using the C-Loop interpreter, the prior method for allocating stack
3293         frame and invoking functions is used, namely with JSStack::pushFrame() and
3294         ::popFrame().
3295
3296         Made spelling changes "sentinal" -> "sentinel".
3297
3298         * CMakeLists.txt:
3299         * GNUmakefile.list.am:
3300         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3301         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3302         * JavaScriptCore.xcodeproj/project.pbxproj:
3303         * interpreter/CachedCall.h:
3304         (JSC::CachedCall::CachedCall):
3305         (JSC::CachedCall::setThis):
3306         (JSC::CachedCall::setArgument):
3307         * interpreter/CallFrameClosure.h:
3308         (JSC::CallFrameClosure::resetCallFrame):
3309         * interpreter/Interpreter.cpp:
3310         (JSC::Interpreter::execute):
3311         (JSC::Interpreter::executeCall):
3312         (JSC::Interpreter::executeConstruct):
3313         (JSC::Interpreter::prepareForRepeatCall):
3314         * interpreter/Interpreter.h:
3315         * interpreter/JSStack.h:
3316         * interpreter/JSStackInlines.h:
3317         (JSC::JSStack::entryCheck):
3318         (JSC::JSStack::pushFrame):
3319         (JSC::JSStack::popFrame):
3320         * interpreter/ProtoCallFrame.cpp: Added.
3321         (JSC::ProtoCallFrame::init):
3322         * interpreter/ProtoCallFrame.h: Added.
3323         (JSC::ProtoCallFrame::codeBlock):
3324         (JSC::ProtoCallFrame::setCodeBlock):
3325         (JSC::ProtoCallFrame::setScope):
3326         (JSC::ProtoCallFrame::setCallee):
3327         (JSC::ProtoCallFrame::argumentCountIncludingThis):
3328         (JSC::ProtoCallFrame::argumentCount):
3329         (JSC::ProtoCallFrame::setArgumentCountIncludingThis):
3330         (JSC::ProtoCallFrame::setPaddedArgsCount):
3331         (JSC::ProtoCallFrame::clearCurrentVPC):
3332         (JSC::ProtoCallFrame::setThisValue):
3333         (JSC::ProtoCallFrame::setArgument):
3334         * jit/JITCode.cpp:
3335         (JSC::JITCode::execute):
3336         * jit/JITCode.h:
3337         * jit/JITOperations.cpp:
3338         * jit/JITStubs.h:
3339         * jit/JITStubsMSVC64.asm:
3340         * jit/JITStubsX86.h:
3341         * llint/LLIntOffsetsExtractor.cpp:
3342         * llint/LLIntThunks.h:
3343         * llint/LowLevelInterpreter.asm:
3344         * llint/LowLevelInterpreter32_64.asm:
3345         * llint/LowLevelInterpreter64.asm:
3346         * runtime/ArgList.h:
3347         (JSC::ArgList::data):
3348         * runtime/JSArray.cpp:
3349         (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key):
3350         * runtime/StringPrototype.cpp:
3351         (JSC::replaceUsingRegExpSearch):
3352
3353 2013-12-04  László Langó  <lango@inf.u-szeged.hu>
3354
3355         Remove stdio.h from JSC files.
3356         https://bugs.webkit.org/show_bug.cgi?id=125220
3357
3358         Reviewed by Michael Saboff.
3359
3360         * interpreter/VMInspector.cpp:
3361         * jit/JITArithmetic.cpp:
3362         * jit/JITArithmetic32_64.cpp:
3363         * jit/JITCall.cpp:
3364         * jit/JITCall32_64.cpp:
3365         * jit/JITPropertyAccess.cpp:
3366         * jit/JITPropertyAccess32_64.cpp:
3367         * runtime/Completion.cpp:
3368         * runtime/IndexingType.cpp:
3369         * runtime/Lookup.h:
3370         * runtime/Operations.cpp:
3371         * runtime/Options.cpp:
3372         * runtime/RegExp.cpp:
3373
3374 2013-12-04  László Langó  <lango@inf.u-szeged.hu>
3375
        Avoid adding a zero offset in BaseIndex.
3377         https://bugs.webkit.org/show_bug.cgi?id=125215
3378
3379         Reviewed by Michael Saboff.
3380
        When using cloop, do not generate offset additions for BaseIndex if the offset is zero.
3382
3383         * offlineasm/cloop.rb:
3384
3385 2013-12-04  Peter Molnar  <pmolnar.u-szeged@partner.samsung.com>
3386
3387         Fix !ENABLE(JAVASCRIPT_DEBUGGER) build.
3388         https://bugs.webkit.org/show_bug.cgi?id=125083
3389
3390         Reviewed by Mark Lam.
3391
3392         * debugger/Debugger.cpp:
3393         * debugger/Debugger.h:
3394         (JSC::Debugger::Debugger):
3395         (JSC::Debugger::needsOpDebugCallbacks):
3396         (JSC::Debugger::needsExceptionCallbacks):
3397         (JSC::Debugger::detach):
3398         (JSC::Debugger::sourceParsed):
3399         (JSC::Debugger::exception):
3400         (JSC::Debugger::atStatement):
3401         (JSC::Debugger::callEvent):
3402         (JSC::Debugger::returnEvent):
3403         (JSC::Debugger::willExecuteProgram):
3404         (JSC::Debugger::didExecuteProgram):
3405         (JSC::Debugger::didReachBreakpoint):
3406         * debugger/DebuggerPrimitives.h:
3407         * jit/JITOpcodes.cpp:
3408         (JSC::JIT::emit_op_debug):
3409         * jit/JITOpcodes32_64.cpp:
3410         (JSC::JIT::emit_op_debug):
3411         * llint/LLIntOfflineAsmConfig.h:
3412         * llint/LowLevelInterpreter.asm:
3413
3414 2013-12-03  Mark Lam  <mark.lam@apple.com>
3415
3416         testapi test crashes on Windows in WTF::Vector<wchar_t,64,WTF::UnsafeVectorOverflow>::size().
3417         https://bugs.webkit.org/show_bug.cgi?id=121972.
3418
3419         Reviewed by Brent Fulgham.
3420
3421         * interpreter/JSStack.cpp:
3422         (JSC::JSStack::~JSStack):
3423         - Reverting the change from r160004 since it's better to fix OSAllocatorWin
3424           to be consistent with OSAllocatorPosix.
3425
3426 2013-12-03  Mark Lam  <mark.lam@apple.com>
3427
3428         Fix LLINT_C_LOOP build for Win64.
3429         https://bugs.webkit.org/show_bug.cgi?id=125186.
3430
3431         Reviewed by Michael Saboff.
3432
3433         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3434         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3435         * jit/JITOperationsMSVC64.cpp: Added.
3436         (JSC::getHostCallReturnValueWithExecState):
3437         - Win64 will build JITStubMSVC64.asm even when !ENABLE(JIT). This results
3438           in a linkage error due to a missing getHostCallReturnValueWithExecState().
3439           So, we add a stub getHostCallReturnValueWithExecState() here to satisfy
3440           that linkage. This function will never be called.
3441           The alternative to providing such a stub is to make the MSVC project
3442           recognize if the JIT is enabled or not, and exclude JITStubMSVC64.asm
3443           if it's not enabled. We don't currently set ENABLE(JIT) via the MSVC
3444           project and the work to do that is too much trouble for what we're trying
3445           to achieve here. So, we're opting for this simpler workaround instead.
3446
3447         * llint/LowLevelInterpreter.asm:
3448         * llint/LowLevelInterpreter.cpp:
3449         (JSC::CLoop::execute):
3450         - Don't build callToJavaScript if we're building the C loop. Otherwise,
3451           the C loop won't build if !ENABLE(COMPUTE_GOTO_OPCODES). 
3452
3453 2013-12-03  Michael Saboff  <msaboff@apple.com>
3454
3455         ARM64: Crash in JIT code due to improper reuse of cached memory temp register
3456         https://bugs.webkit.org/show_bug.cgi?id=125181
3457
3458         Reviewed by Geoffrey Garen.
3459
        Changed load8() and load() to invalidate the memory temp CachedTempRegister when the
        destination of an absolute load is the memory temp register, since the source address
        is also the memory temp register.  Changed branch{8,32,64} of an AbsoluteAddress with
        a register to use the dataTempRegister as the destination of the absolute load to
        reduce the chance that we need to invalidate the memory temp register cache.
        In the process, found and fixed an outright bug in branch8() where we'd load into
        the data temp register and then compare and branch on the memory temp register.
3467
3468         * assembler/MacroAssemblerARM64.h:
3469         (JSC::MacroAssemblerARM64::load8):
3470         (JSC::MacroAssemblerARM64::branch32):
3471         (JSC::MacroAssemblerARM64::branch64):
3472         (JSC::MacroAssemblerARM64::branch8):
3473         (JSC::MacroAssemblerARM64::load):
3474
3475 2013-12-03  Michael Saboff  <msaboff@apple.com>
3476
3477         jit/JITArithmetic.cpp doesn't build for non-X86 ports
3478         https://bugs.webkit.org/show_bug.cgi?id=125185
3479
3480         Rubber stamped by Mark Hahnenberg.
3481
3482         Removed unused declarations and related UNUSED_PARAM().
3483
3484         * jit/JITArithmetic.cpp:
3485         (JSC::JIT::emit_op_mod):
3486
3487 2013-12-03  Filip Pizlo  <fpizlo@apple.com>
3488
3489         ObjectAllocationProfile is racy and the DFG should be cool with that
3490         https://bugs.webkit.org/show_bug.cgi?id=125172
3491         <rdar://problem/15233487>
3492
3493         Reviewed by Mark Hahnenberg.
3494         
3495         We would previously sometimes get a null Structure because checking if the profile is non-null and loading
3496         the structure from it were two separate operations.
3497
3498         * dfg/DFGAbstractInterpreterInlines.h:
3499         (JSC::DFG::::executeEffects):
3500         * dfg/DFGAbstractValue.cpp:
3501         (JSC::DFG::AbstractValue::setFuturePossibleStructure):
3502         * dfg/DFGByteCodeParser.cpp:
3503         (JSC::DFG::ByteCodeParser::parseBlock):
3504         * runtime/JSFunction.h:
3505         (JSC::JSFunction::allocationProfile):
3506         (JSC::JSFunction::allocationStructure):
3507
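        An added illustration, not part of this ChangeLog or of WebKit's code, of the
        double read the entry above describes: the racy "check the profile is non-null,
        then load the structure from it" pattern beside the single-snapshot fix. Profile,
        Structure, runClearBetweenReads and the 'between' hook are hypothetical stand-ins
        (assumptions, not JSC names); the hook simulates a concurrent clear so the
        interleaving is reproducible in one thread.

```cpp
// Added example, not WebKit code. "Profile" and "Structure" are hypothetical
// stand-ins for ObjectAllocationProfile and JSC::Structure; the 'between'
// hook stands in for a concurrent writer (e.g. the GC clearing the profile)
// so the interleaving is deterministic in a single thread.
#include <atomic>
#include <cstdio>
#include <functional>

struct Structure { int id; };

struct Profile {
    // Cleared asynchronously by another thread in the real engine.
    std::atomic<Structure*> structure{nullptr};
    bool isNull() const { return structure.load(std::memory_order_acquire) == nullptr; }
};

// Racy: "is the profile non-null?" and "load the structure" are two separate
// reads. A clear between them hands the caller a null Structure even though
// its own check just passed.
Structure* racyAllocationStructure(Profile& p, const std::function<void()>& between)
{
    if (p.isNull())
        return nullptr;
    between();                                   // writer runs here
    return p.structure.load(std::memory_order_acquire);
}

// Fixed: take one snapshot of the pointer, then test and use that snapshot.
// The caller can still observe nullptr, but never a value that contradicts
// the check it performed.
Structure* safeAllocationStructure(Profile& p, const std::function<void()>& between)
{
    Structure* snapshot = p.structure.load(std::memory_order_acquire);
    between();                                   // writer runs here too
    return snapshot;                             // consistent with what was checked
}

struct RaceOutcome { Structure* racy; Structure* safe; };

// Scenario: profile starts non-null, writer clears it between the two reads.
RaceOutcome runClearBetweenReads()
{
    static Structure s{42};
    Profile racyProfile, safeProfile;
    racyProfile.structure.store(&s);
    safeProfile.structure.store(&s);
    auto clearRacy = [&] { racyProfile.structure.store(nullptr); };
    auto clearSafe = [&] { safeProfile.structure.store(nullptr); };
    return { racyAllocationStructure(racyProfile, clearRacy),
             safeAllocationStructure(safeProfile, clearSafe) };
}

// Scenario without interference: both variants agree.
RaceOutcome runNoInterference()
{
    static Structure s{7};
    Profile p;
    p.structure.store(&s);
    auto noop = [] {};
    return { racyAllocationStructure(p, noop), safeAllocationStructure(p, noop) };
}

int main()
{
    RaceOutcome r = runClearBetweenReads();
    std::printf("racy: %s, safe: %s\n",
                r.racy ? "structure" : "null", r.safe ? "structure" : "null");
    return 0;
}
```

        The consumer side of the entry (the DFG "being cool with that") is the same
        rule seen from the other end: whoever receives the snapshot must tolerate a
        null, because the single read is only guaranteed to be self-consistent, not
        guaranteed to be non-null.
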
3508 2013-12-03  peavo@outlook.com  <peavo@outlook.com>
3509
3510         testapi test crashes on Windows in WTF::Vector<wchar_t,64,WTF::UnsafeVectorOverflow>::size()
3511         https://bugs.webkit.org/show_bug.cgi?id=121972
3512
3513         Reviewed by Michael Saboff.
3514
        The reason for the crash is that the wrong memory block is decommitted.
        This can happen if no memory has been committed in the reserved block before the JSStack object is destroyed.
        In the JSStack destructor, the pointer to decommit then points to the end of the block (or the start of the next), and the decommit size is zero.
        If there is a block just after the block we are trying to decommit, this block will be decommitted, since Windows will decommit the whole block
        if the decommit size is zero (see VirtualFree). When somebody tries to read/write to this block later, we crash.
3520
3521         * interpreter/JSStack.cpp:
3522         (JSC::JSStack::~JSStack): Don't decommit memory if nothing has been committed.
3523
3524 2013-12-03  László Langó  <lango@inf.u-szeged.hu>
3525
3526         Guard JIT include.
3527         https://bugs.webkit.org/show_bug.cgi?id=125063
3528
3529         Reviewed by Filip Pizlo.
3530
3531         * llint/LLIntThunks.cpp:
3532
3533 2013-12-03  Julien Brianceau  <jbriance@cisco.com>
3534
3535         Merge mips and arm/sh4 paths in nativeForGenerator and privateCompileCTINativeCall functions.
3536         https://bugs.webkit.org/show_bug.cgi?id=125067
3537
3538         Reviewed by Michael Saboff.
3539
3540         * jit/JITOpcodes32_64.cpp:
3541         (JSC::JIT::privateCompileCTINativeCall):
3542         * jit/ThunkGenerators.cpp:
3543         (JSC::nativeForGenerator):
3544
3545 2013-12-02  Mark Lam  <mark.lam@apple.com>
3546
3547         Build failure when disabling JIT, YARR_JIT, and ASSEMBLER.
3548         https://bugs.webkit.org/show_bug.cgi?id=123809.
3549
3550         Reviewed by Geoffrey Garen.
3551
3552         Also fixed build when disabling the DISASSEMBLER.
3553         Added some needed #if's and some comments.
3554
3555         * assembler/LinkBuffer.cpp:
3556         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
3557         * dfg/DFGDisassembler.cpp:
3558         * dfg/DFGDisassembler.h:
3559         (JSC::DFG::Disassembler::Disassembler):
3560         (JSC::DFG::Disassembler::setStartOfCode):
3561         (JSC::DFG::Disassembler::setForBlockIndex):
3562         (JSC::DFG::Disassembler::setForNode):
3563         (JSC::DFG::Disassembler::setEndOfMainPath):
3564         (JSC::DFG::Disassembler::setEndOfCode):
3565         (JSC::DFG::Disassembler::dump):
3566         (JSC::DFG::Disassembler::reportToProfiler):
3567         * disassembler/Disassembler.cpp:
3568         * disassembler/X86Disassembler.cpp:
3569         * jit/FPRInfo.h:
3570         * jit/GPRInfo.h:
3571         * jit/JITDisassembler.cpp:
3572         * jit/JITDisassembler.h:
3573         (JSC::JITDisassembler::JITDisassembler):
3574         (JSC::JITDisassembler::setStartOfCode):
3575         (JSC::JITDisassembler::setForBytecodeMainPath):
3576         (JSC::JITDisassembler::setForBytecodeSlowPath):
3577         (JSC::JITDisassembler::setEndOfSlowPath):
3578         (JSC::JITDisassembler::setEndOfCode):
3579         (JSC::JITDisassembler::dump):
3580         (JSC::JITDisassembler::reportToProfiler):
3581
3582 2013-12-02  Filip Pizlo  <fpizlo@apple.com>
3583
3584         Baseline JIT calls to CommonSlowPaths shouldn't restore the last result
3585         https://bugs.webkit.org/show_bug.cgi?id=125107
3586
3587         Reviewed by Mark Hahnenberg.
3588
3589         Just killing dead code.
3590
3591         * jit/JITArithmetic.cpp:
3592         (JSC::JIT::emitSlow_op_negate):
3593         (JSC::JIT::emitSlow_op_lshift):
3594         (JSC::JIT::emitSlow_op_rshift):
3595         (JSC::JIT::emitSlow_op_urshift):
3596         (JSC::JIT::emitSlow_op_bitand):
3597         (JSC::JIT::emitSlow_op_inc):
3598         (JSC::JIT::emitSlow_op_dec):
3599         (JSC::JIT::emitSlow_op_mod):
3600         (JSC::JIT::emit_op_mod):
3601         (JSC::JIT::compileBinaryArithOpSlowCase):
3602         (JSC::JIT::emitSlow_op_div):
3603         * jit/JITArithmetic32_64.cpp:
3604         (JSC::JIT::emitSlow_op_negate):
3605         (JSC::JIT::emitSlow_op_lshift):
3606         (JSC::JIT::emitRightShiftSlowCase):
3607         (JSC::JIT::emitSlow_op_bitand):
3608         (JSC::JIT::emitSlow_op_bitor):
3609         (JSC::JIT::emitSlow_op_bitxor):
3610         (JSC::JIT::emitSlow_op_inc):
3611         (JSC::JIT::emitSlow_op_dec):
3612         (JSC::JIT::emitSlow_op_add):
3613         (JSC::JIT::emitSlow_op_sub):
3614         (JSC::JIT::emitSlow_op_mul):
3615         (JSC::JIT::emitSlow_op_div):
3616         * jit/JITOpcodes.cpp:
3617         (JSC::JIT::emit_op_strcat):
3618         (JSC::JIT::emitSlow_op_get_callee):
3619         (JSC::JIT::emitSlow_op_create_this):
3620         (JSC::JIT::emitSlow_op_to_this):
3621         (JSC::JIT::emitSlow_op_to_primitive):
3622         (JSC::JIT::emitSlow_op_not):
3623         (JSC::JIT::emitSlow_op_bitxor):
3624         (JSC::JIT::emitSlow_op_bitor):
3625         (JSC::JIT::emitSlow_op_stricteq):
3626         (JSC::JIT::emitSlow_op_nstricteq):
3627         (JSC::JIT::emitSlow_op_to_number):
3628         * jit/JITOpcodes32_64.cpp:
3629         (JSC::JIT::emitSlow_op_to_primitive):
3630         (JSC::JIT::emitSlow_op_not):
3631         (JSC::JIT::emitSlow_op_stricteq):
3632         (JSC::JIT::emitSlow_op_nstricteq):
3633         (JSC::JIT::emitSlow_op_to_number):
3634         (JSC::JIT::emitSlow_op_get_callee):
3635         (JSC::JIT::emitSlow_op_create_this):
3636         (JSC::JIT::emitSlow_op_to_this):
3637
3638 2013-12-01  Filip Pizlo  <fpizlo@apple.com>
3639
3640         Stores to local captured variables should be intercepted
3641         https://bugs.webkit.org/show_bug.cgi?id=124883
3642
3643         Reviewed by Mark Hahnenberg.
3644         
3645         Previously, in bytecode, you could assign to a captured variable just as you would
3646         assign to any other kind of variable. This complicates closure variable constant
3647         inference because we don't have any place where we can intercept stores to captured
3648         variables in the LLInt.
3649         
3650         This patch institutes a policy that only certain instructions can store to captured
3651         variables. If you interpret those instructions and you are required to notifyWrite()
3652         then you need to check if the relevant variable is captured. Those instructions are
3653         tracked in CodeBlock.cpp's VerifyCapturedDef. The main one is simply op_captured_mov.
3654         In the future, we'll probably modify those instructions to have a pointer directly to
3655         the VariableWatchpointSet; but for now we just introduce the captured instructions as
3656         placeholders.
3657         
3658         In order to validate that the placeholders are inserted correctly, this patch improves
3659         the CodeBlock validation to be able to inspect every def in the bytecode. To do that,
3660         this patch refactors the liveness analysis' use/def calculator to be reusable; it now
3661         takes a functor for each use or def.
3662         
3663         In the process of refactoring the liveness analysis, I noticed that op_enter was
3664         claiming to def all callee registers. That's wrong; it only defs the non-temporary
3665         variables. Making that change revealed preexisting bugs in the liveness analysis, since
3666         now the validator would pick up cases where the bytecode claimed to use a temporary and
3667         the def calculator never noticed the definition (or the converse - where the bytecode
3668         was actually not using a temporary but the liveness analysis thought that it was a
3669         use). This patch fixes a few of those bugs.
3670
3671         * GNUmakefile.list.am:
3672         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3673         * JavaScriptCore.xcodeproj/project.pbxproj:
3674         * bytecode/BytecodeLivenessAnalysis.cpp:
3675         (JSC::stepOverInstruction):
3676         * bytecode/BytecodeUseDef.h: Added.
3677         (JSC::computeUsesForBytecodeOffset):
3678         (JSC::computeDefsForBytecodeOffset):
3679         * bytecode/CodeBlock.cpp:
3680         (JSC::CodeBlock::dumpBytecode):
3681         (JSC::CodeBlock::isCaptured):
3682         (JSC::CodeBlock::validate):
3683         * bytecode/CodeBlock.h:
3684         * bytecode/Opcode.h:
3685         (JSC::padOpcodeName):
3686         * bytecompiler/BytecodeGenerator.cpp:
3687         (JSC::BytecodeGenerator::BytecodeGenerator):
3688         (JSC::BytecodeGenerator::resolveCallee):
3689         (JSC::BytecodeGenerator::emitMove):
3690         (JSC::BytecodeGenerator::isCaptured):
3691         (JSC::BytecodeGenerator::local):
3692         (JSC::BytecodeGenerator::constLocal):
3693         (JSC::BytecodeGenerator::emitNewFunction):
3694         (JSC::BytecodeGenerator::emitLazyNewFunction):
3695         (JSC::BytecodeGenerator::emitNewFunctionInternal):
3696         * bytecompiler/BytecodeGenerator.h:
3697         (JSC::Local::Local):
3698         (JSC::Local::isCaptured):
3699         (JSC::Local::captureMode):
3700         (JSC::BytecodeGenerator::captureMode):
3701         (JSC::BytecodeGenerator::emitNode):
3702         (JSC::BytecodeGenerator::pushOptimisedForIn):
3703         * bytecompiler/NodesCodegen.cpp:
3704         (JSC::PostfixNode::emitResolve):
3705         (JSC::PrefixNode::emitResolve):
3706         (JSC::ReadModifyResolveNode::emitBytecode):
3707         (JSC::AssignResolveNode::emitBytecode):
3708         (JSC::ConstDeclNode::emitCodeSingle):
3709         (JSC::ForInNode::emitBytecode):
3710         * dfg/DFGByteCodeParser.cpp:
3711         (JSC::DFG::ByteCodeParser::parseBlock):
3712         * dfg/DFGCapabilities.cpp:
3713         (JSC::DFG::capabilityLevel):
3714         * jit/JIT.cpp:
3715         (JSC::JIT::privateCompileMainPass):
3716         * llint/LowLevelInterpreter32_64.asm:
3717         * llint/LowLevelInterpreter64.asm:
3718         * runtime/SymbolTable.h:
3719         (JSC::SymbolTable::isCaptured):
3720
3721 2013-12-02  Filip Pizlo  <fpizlo@apple.com>
3722
3723         Instead of watchpointing activation allocation, we should watchpoint entry into functions that have captured variables
3724         https://bugs.webkit.org/show_bug.cgi?id=125052
3725
3726         Reviewed by Mark Hahnenberg.
3727         
3728         This makes us watch function entry rather than activation creation. We only incur the
3729         costs of doing so for functions that have captured variables, and only on the first two
3730         entries into the function. This means that closure variable constant inference will
3731         naturally work even for local uses of the captured variable, like:
3732         
3733             (function(){
3734                 var blah = 42;
3735                 ... // stuff
3736                 function () { ... blah /* we can fold this to 42 */ }
3737                 ... blah // we can also fold this to 42.
3738             })();
3739         
3740         Previously, only the nested use would have been foldable.
3741
3742         * bytecode/BytecodeLivenessAnalysis.cpp:
3743         (JSC::computeUsesForBytecodeOffset):
3744         (JSC::computeDefsForBytecodeOffset):
3745         * bytecode/CodeBlock.cpp:
3746         (JSC::CodeBlock::dumpBytecode):
3747         * bytecode/Opcode.h:
3748         (JSC::padOpcodeName):
3749         * bytecode/Watchpoint.h:
3750         (JSC::WatchpointSet::touch):
3751         (JSC::InlineWatchpointSet::touch):
3752         * bytecompiler/BytecodeGenerator.cpp:
3753         (JSC::BytecodeGenerator::BytecodeGenerator):
3754         * dfg/DFGAbstractInterpreterInlines.h:
3755         (JSC::DFG::::executeEffects):
3756         * dfg/DFGByteCodeParser.cpp:
3757         (JSC::DFG::ByteCodeParser::parseBlock):
3758         * dfg/DFGCapabilities.cpp:
3759         (JSC::DFG::capabilityLevel):
3760         * dfg/DFGClobberize.h:
3761         (JSC::DFG::clobberize):
3762         * dfg/DFGFixupPhase.cpp:
3763         (JSC::DFG::FixupPhase::fixupNode):
3764         * dfg/DFGNode.h:
3765         (JSC::DFG::Node::hasSymbolTable):
3766         * dfg/DFGNodeType.h:
3767         * dfg/DFGPredictionPropagationPhase.cpp:
3768         (JSC::DFG::PredictionPropagationPhase::propagate):
3769         * dfg/DFGSafeToExecute.h:
3770         (JSC::DFG::safeToExecute):
3771         * dfg/DFGSpeculativeJIT32_64.cpp:
3772         (JSC::DFG::SpeculativeJIT::compile):
3773         * dfg/DFGSpeculativeJIT64.cpp:
3774         (JSC::DFG::SpeculativeJIT::compile):
3775         * dfg/DFGWatchpointCollectionPhase.cpp:
3776         (JSC::DFG::WatchpointCollectionPhase::handle):
3777         * ftl/FTLCapabilities.cpp:
3778         (JSC::FTL::canCompile):
3779         * ftl/FTLLowerDFGToLLVM.cpp:
3780         (JSC::FTL::LowerDFGToLLVM::compileNode):
3781         * jit/JIT.cpp:
3782         (JSC::JIT::privateCompileMainPass):
3783         * jit/JIT.h:
3784         * jit/JITOpcodes.cpp:
3785         (JSC::JIT::emit_op_touch_entry):
3786         * llint/LowLevelInterpreter.asm:
3787         * runtime/CommonSlowPaths.cpp:
3788         (JSC::SLOW_PATH_DECL):
3789         * runtime/CommonSlowPaths.h:
3790         * runtime/JSActivation.h:
3791         (JSC::JSActivation::create):
3792         * runtime/SymbolTable.cpp:
3793         (JSC::SymbolTable::SymbolTable):
3794         * runtime/SymbolTable.h:
3795
3796 2013-12-02  Nick Diego Yamane  <nick.yamane@openbossa.org>
3797
3798         [JSC] Get rid of some unused parameters in LLIntSlowPaths.cpp macros
3799         https://bugs.webkit.org/show_bug.cgi?id=125075
3800
3801         Reviewed by Michael Saboff.
3802
3803         * llint/LLIntSlowPaths.cpp:
3804         (JSC::LLInt::handleHostCall): added UNUSED_PARAM(pc).
3805         (JSC::LLInt::setUpCall): Doesn't pass 'pc' to LLINT_CALL macros.
3806         (JSC::LLInt::LLINT_SLOW_PATH_DECL): Ditto.
3807
3808 2013-12-02  László Langó  <lango@inf.u-szeged.hu>
3809
3810         Remove stdio.h from JSC files.
3811         https://bugs.webkit.org/show_bug.cgi?id=125066
3812
3813         Reviewed by Michael Saboff.
3814
3815         Remove stdio.h, when it is not necessary to be included.
3816
3817         * bytecode/CodeBlock.cpp:
3818         * bytecode/StructureSet.h:
3819         * profiler/LegacyProfiler.cpp:
3820         * profiler/Profile.cpp:
3821         * profiler/ProfileNode.cpp:
3822         * yarr/YarrInterpreter.cpp:
3823
3824 2013-12-02  László Langó  <lango@inf.u-szeged.hu>
3825
3826         Unused include files when building without JIT.
3827         https://bugs.webkit.org/show_bug.cgi?id=125062
3828
3829         Reviewed by Michael Saboff.
3830
3831         We should organize the includes, and guard JIT methods
3832         in ValueRecovery.
3833
3834         * bytecode/ValueRecovery.cpp: Guard include files.
3835         * bytecode/ValueRecovery.h: Guard JIT methods.
3836
3837 2013-12-02  Balazs Kilvady  <kilvadyb@homejinni.com>
3838
3839         [MIPS] Small stack frame causes regressions.
3840         https://bugs.webkit.org/show_bug.cgi?id=124945
3841
3842         Reviewed by Michael Saboff.
3843
3844         Fix stack space for LLInt on MIPS.
3845
3846         * llint/LowLevelInterpreter32_64.asm:
3847
3848 2013-12-02  Brian J. Burg  <burg@cs.washington.edu>
3849
3850         jsc: implement a native readFile function
3851         https://bugs.webkit.org/show_bug.cgi?id=125059
3852
3853         Reviewed by Filip Pizlo.
3854
3855         This adds a native readFile() function to jsc, used to slurp
3856         an entire file into a JavaScript string.
3857
3858         * jsc.cpp:
3859         (GlobalObject::finishCreation): Add readFile() to globals.
3860         (functionReadFile): Added.
3861
3862 2013-12-02  László Langó  <lango@inf.u-szeged.hu>
3863
3864         JSC does not build if OPCODE_STATS is enabled.
3865         https://bugs.webkit.org/show_bug.cgi?id=125011
3866
3867         Reviewed by Filip Pizlo.
3868
3869         * bytecode/Opcode.cpp:
3870
3871 2013-11-29  Filip Pizlo  <fpizlo@apple.com>
3872
3873         Finally remove those DFG_ENABLE things
3874         https://bugs.webkit.org/show_bug.cgi?id=125025
3875
3876         Rubber stamped by Sam Weinig.
3877         
3878         This removes a bunch of unused and untested insanity.
3879
3880         * bytecode/CodeBlock.cpp:
3881         (JSC::CodeBlock::tallyFrequentExitSites):
3882         * dfg/DFGArgumentsSimplificationPhase.cpp:
3883         (JSC::DFG::ArgumentsSimplificationPhase::run):
3884         * dfg/DFGByteCodeParser.cpp:
3885         (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
3886         (JSC::DFG::ByteCodeParser::getArrayModeConsideringSlowPath):
3887         (JSC::DFG::ByteCodeParser::makeSafe):
3888         (JSC::DFG::ByteCodeParser::makeDivSafe):
3889         (JSC::DFG::ByteCodeParser::handleCall):
3890         (JSC::DFG::ByteCodeParser::handleInlining):
3891         (JSC::DFG::ByteCodeParser::parseBlock):
3892         (JSC::DFG::ByteCodeParser::linkBlock):
3893         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3894         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3895         (JSC::DFG::ByteCodeParser::parse):
3896         (JSC::DFG::parse):
3897         * dfg/DFGCFGSimplificationPhase.cpp:
3898         (JSC::DFG::CFGSimplificationPhase::run):
3899         (JSC::DFG::CFGSimplificationPhase::convertToJump):
3900         (JSC::DFG::CFGSimplificationPhase::fixJettisonedPredecessors):
3901         * dfg/DFGCSEPhase.cpp:
3902         (JSC::DFG::CSEPhase::endIndexForPureCSE):
3903         (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
3904         (JSC::DFG::CSEPhase::setReplacement):
3905         (JSC::DFG::CSEPhase::eliminate):
3906         (JSC::DFG::CSEPhase::performNodeCSE):
3907         * dfg/DFGCommon.h:
3908         (JSC::DFG::verboseCompilationEnabled):
3909         (JSC::DFG::logCompilationChanges):
3910         (JSC::DFG::shouldDumpGraphAtEachPhase):
3911         * dfg/DFGConstantFoldingPhase.cpp:
3912         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3913         * dfg/DFGFixupPhase.cpp:
3914         (JSC::DFG::FixupPhase::fixupNode):
3915         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
3916         * dfg/DFGInPlaceAbstractState.cpp:
3917         (JSC::DFG::InPlaceAbstractState::initialize):
3918         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
3919         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
3920         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
3921         * dfg/DFGJITCompiler.cpp:
3922         (JSC::DFG::JITCompiler::compileBody):
3923         (JSC::DFG::JITCompiler::link):
3924         * dfg/DFGOSRExitCompiler.cpp:
3925         * dfg/DFGOSRExitCompiler32_64.cpp:
3926         (JSC::DFG::OSRExitCompiler::compileExit):
3927         * dfg/DFGOSRExitCompiler64.cpp:
3928         (JSC::DFG::OSRExitCompiler::compileExit):
3929         * dfg/DFGOSRExitCompilerCommon.cpp:
3930         (JSC::DFG::adjustAndJumpToTarget):
3931         * dfg/DFGPredictionInjectionPhase.cpp:
3932         (JSC::DFG::PredictionInjectionPhase::run):
3933         * dfg/DFGPredictionPropagationPhase.cpp:
3934         (JSC::DFG::PredictionPropagationPhase::run):
3935         (JSC::DFG::PredictionPropagationPhase::propagate):
3936         (JSC::DFG::PredictionPropagationPhase::propagateForward):
3937         (JSC::DFG::PredictionPropagationPhase::propagateBackward):
3938         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
3939         * dfg/DFGScoreBoard.h:
3940         (JSC::DFG::ScoreBoard::use):
3941         * dfg/DFGSlowPathGenerator.h:
3942         (JSC::DFG::SlowPathGenerator::generate):
3943         * dfg/DFGSpeculativeJIT.cpp:
3944         (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
3945         (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
3946         (JSC::DFG::SpeculativeJIT::dump):
3947         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
3948         (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
3949         * dfg/DFGSpeculativeJIT.h:
3950         * dfg/DFGSpeculativeJIT32_64.cpp:
3951         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
3952         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3953         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3954         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3955         (JSC::DFG::SpeculativeJIT::compile):