DFG SSA stack accesses shouldn't speak of VariableAccessDatas
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2015-02-25  Filip Pizlo  <fpizlo@apple.com>
2
3         DFG SSA stack accesses shouldn't speak of VariableAccessDatas
4         https://bugs.webkit.org/show_bug.cgi?id=142036
5
6         Reviewed by Michael Saboff.
7         
8         VariableAccessData is a useful thing in LoadStore and ThreadedCPS, but it's purely harmful in
9         SSA because you can't cook up new VariableAccessDatas. So, if you know that you want to load
10         or store to the stack, and you know what format to use as well as the location, then prior to
11         this patch you couldn't do it unless you found some existing VariableAccessData that matched
12         your requirements. That can be a hard task.
13         
14         It's better if SSA doesn't speak of VariableAccessDatas but instead just has stack accesses
15         that speak of the things that a stack access needs: local, machineLocal, and format. This
16         patch changes the SSA way of accessing the stack to do just that.
17         
18         Also add more IR validation.
19
20         * CMakeLists.txt:
21         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
22         * JavaScriptCore.xcodeproj/project.pbxproj:
23         * dfg/DFGAbstractInterpreterInlines.h:
24         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
25         * dfg/DFGClobberize.h:
26         (JSC::DFG::clobberize):
27         * dfg/DFGConstantFoldingPhase.cpp:
28         (JSC::DFG::ConstantFoldingPhase::foldConstants):
29         * dfg/DFGDoesGC.cpp:
30         (JSC::DFG::doesGC):
31         * dfg/DFGFixupPhase.cpp:
32         (JSC::DFG::FixupPhase::fixupNode):
33         * dfg/DFGFlushFormat.h:
34         (JSC::DFG::isConcrete):
35         * dfg/DFGGraph.cpp:
36         (JSC::DFG::Graph::dump):
37         * dfg/DFGGraph.h:
38         * dfg/DFGMayExit.cpp:
39         (JSC::DFG::mayExit):
40         * dfg/DFGNode.cpp:
41         (JSC::DFG::Node::hasVariableAccessData):
42         * dfg/DFGNode.h:
43         (JSC::DFG::StackAccessData::StackAccessData):
44         (JSC::DFG::StackAccessData::flushedAt):
45         (JSC::DFG::Node::convertToPutStack):
46         (JSC::DFG::Node::convertToGetStack):
47         (JSC::DFG::Node::hasUnlinkedLocal):
48         (JSC::DFG::Node::hasStackAccessData):
49         (JSC::DFG::Node::stackAccessData):
50         (JSC::DFG::Node::willHaveCodeGenOrOSR):
51         * dfg/DFGNodeType.h:
52         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
53         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
54         * dfg/DFGPlan.cpp:
55         (JSC::DFG::Plan::compileInThreadImpl):
56         * dfg/DFGPredictionPropagationPhase.cpp:
57         (JSC::DFG::PredictionPropagationPhase::propagate):
58         * dfg/DFGPutLocalSinkingPhase.cpp: Removed.
59         * dfg/DFGPutLocalSinkingPhase.h: Removed.
60         * dfg/DFGPutStackSinkingPhase.cpp: Copied from Source/JavaScriptCore/dfg/DFGPutLocalSinkingPhase.cpp.
61         (JSC::DFG::performPutStackSinking):
62         (JSC::DFG::performPutLocalSinking): Deleted.
63         * dfg/DFGPutStackSinkingPhase.h: Copied from Source/JavaScriptCore/dfg/DFGPutLocalSinkingPhase.h.
64         * dfg/DFGSSAConversionPhase.cpp:
65         (JSC::DFG::SSAConversionPhase::run):
66         * dfg/DFGSafeToExecute.h:
67         (JSC::DFG::safeToExecute):
68         * dfg/DFGSpeculativeJIT32_64.cpp:
69         (JSC::DFG::SpeculativeJIT::compile):
70         * dfg/DFGSpeculativeJIT64.cpp:
71         (JSC::DFG::SpeculativeJIT::compile):
72         * dfg/DFGStackLayoutPhase.cpp:
73         (JSC::DFG::StackLayoutPhase::run):
74         * dfg/DFGValidate.cpp:
75         (JSC::DFG::Validate::validate):
76         (JSC::DFG::Validate::validateCPS):
77         (JSC::DFG::Validate::validateSSA):
78         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
79         (JSC::DFG::VirtualRegisterAllocationPhase::run):
80         * ftl/FTLCapabilities.cpp:
81         (JSC::FTL::canCompile):
82         * ftl/FTLLowerDFGToLLVM.cpp:
83         (JSC::FTL::LowerDFGToLLVM::lower):
84         (JSC::FTL::LowerDFGToLLVM::compileNode):
85         (JSC::FTL::LowerDFGToLLVM::compileGetStack):
86         (JSC::FTL::LowerDFGToLLVM::compilePutStack):
87         (JSC::FTL::LowerDFGToLLVM::compileGetLocal): Deleted.
88         (JSC::FTL::LowerDFGToLLVM::compilePutLocal): Deleted.
89         * ftl/FTLOSRExit.h:
90         * tests/stress/many-sunken-locals.js: Added. This failure mode was caught by some miscellaneous test, so I figured I should write an explicit test for it.
91         (foo):
92         (bar):
93         (baz):
94         (fuzz):
95         (buzz):
96
97 2015-02-26  Mark Lam  <mark.lam@apple.com>
98
99         Rolling out r180602, r180608, r180613, r180617, r180671.
100         <https://webkit.org/b/141990>
101
102         Not reviewed.
103
104         The r180602 solution does result in more work for GC when worker
105         threads are in use.  Filip is uncomfortable with that.
106         The EFL and GTK ports also seem to be unhappy with this change.
107         Rolling out while we investigate.
108
109         * heap/Heap.cpp:
110         (JSC::Heap::Heap):
111         (JSC::Heap::gatherStackRoots):
112         (JSC::Heap::machineThreads): Deleted.
113         * heap/Heap.h:
114         (JSC::Heap::machineThreads):
115         * heap/MachineStackMarker.cpp:
116         (JSC::MachineThreads::MachineThreads):
117         (JSC::MachineThreads::~MachineThreads):
118         (JSC::MachineThreads::addCurrentThread):
119         * heap/MachineStackMarker.h:
120         * runtime/JSLock.cpp:
121         (JSC::JSLock::didAcquireLock):
122
123 2015-02-26  Myles C. Maxfield  <mmaxfield@apple.com>
124
125         [Mac] [iOS] Parsing support for -apple-trailing-word
126         https://bugs.webkit.org/show_bug.cgi?id=141939
127
128         Reviewed by Andreas Kling.
129
130         * Configurations/FeatureDefines.xcconfig:
131
132 2015-02-26  Michael Saboff  <msaboff@apple.com>
133
134         [Win] Debug-only JavaScriptCore failures
135         https://bugs.webkit.org/show_bug.cgi?id=142045
136
137         Rubber stamped by Filip Pizlo.
138
139         Reduced loop count to a more reasonable value of 10,000.  This still gets us to tier up
140         to the FTL, but doesn't take too long to run.
141
142         * tests/stress/repeated-arity-check-fail.js:
143
144 2015-02-26  Brent Fulgham  <bfulgham@apple.com>
145
146         [Win] Make build logs more legible by reducing noise
147         https://bugs.webkit.org/show_bug.cgi?id=142034
148
149         Reviewed by Alexey Proskuryakov.
150
151         Modify batch files, makefiles, and DOS commands to remove
152         uninteresting/unhelpful output.
153
154         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
155         * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd:
156         * JavaScriptCore.vcxproj/copy-files.cmd:
157         * JavaScriptCore.vcxproj/jsc/jscLauncherPreBuild.cmd:
158         * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd:
159         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPreBuild.cmd:
160         * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd:
161         * JavaScriptCore.vcxproj/testapi/testapiLauncherPostBuild.cmd:
162         * JavaScriptCore.vcxproj/testapi/testapiLauncherPreBuild.cmd:
163         * JavaScriptCore.vcxproj/testapi/testapiPostBuild.cmd:
164         * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd:
165
166 2015-02-26  Csaba Osztrogonác  <ossy@webkit.org>
167
168         Add calleeSaveRegisters() implementation for ARM Traditional
169         https://bugs.webkit.org/show_bug.cgi?id=141903
170
171         Reviewed by Darin Adler.
172
173         * jit/RegisterSet.cpp:
174         (JSC::RegisterSet::calleeSaveRegisters):
175
176 2015-02-25  Michael Saboff  <msaboff@apple.com>
177
178         Web Inspector: CRASH when debugger pauses inside a Promise handler
179         https://bugs.webkit.org/show_bug.cgi?id=141396
180
181         Reviewed by Mark Lam.
182
183         For frames that don't have a scope, typically native frames, use the lexicalGlobalObject to
184         create the DebuggerScope for that frame.
185
186         * debugger/DebuggerCallFrame.cpp:
187         (JSC::DebuggerCallFrame::scope):
188
189 2015-02-25  Filip Pizlo  <fpizlo@apple.com>
190
191         DFG abstract heaps should respect the difference between heap and stack
192         https://bugs.webkit.org/show_bug.cgi?id=142022
193
194         Reviewed by Geoffrey Garen.
195         
196         We will soon (https://bugs.webkit.org/show_bug.cgi?id=141174) be in a world where a "world
197         clobbering" operation cannot write to our stack, but may be able to read from it. This
198         means that we need to change the DFG abstract heap hierarchy to have a notion of Heap that
199         subsumes all that World previously subsumed, and a new notion of Stack that is a subtype
200         of World and a sibling of Heap.
201
202         So, henceforth "clobbering the world" means reading World and writing Heap.
203         
204         This makes a bunch of changes to make this work, including changing the implementation of
205         disjointness in AbstractHeap to make it support a more general hierarchy. I was expecting
206         a slow-down, but I measured the heck out of this and found no perf difference.
207
208         * dfg/DFGAbstractHeap.cpp:
209         (JSC::DFG::AbstractHeap::dump):
210         * dfg/DFGAbstractHeap.h:
211         (JSC::DFG::AbstractHeap::supertype):
212         (JSC::DFG::AbstractHeap::isStrictSubtypeOf):
213         (JSC::DFG::AbstractHeap::isSubtypeOf):
214         (JSC::DFG::AbstractHeap::overlaps):
215         (JSC::DFG::AbstractHeap::isDisjoint):
216         * dfg/DFGClobberize.cpp:
217         (JSC::DFG::clobbersHeap):
218         (JSC::DFG::clobbersWorld): Deleted.
219         * dfg/DFGClobberize.h:
220         (JSC::DFG::clobberize):
221         * dfg/DFGDoesGC.cpp:
222         (JSC::DFG::doesGC):
223
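The Heap/Stack split described above, as an added example that is not JavaScriptCore's code: a small abstract-heap lattice in C with World above Heap and Stack, plus the subtype, overlap and disjointness queries an effects analysis needs. HeapCell and StackSlot are assumed leaf heaps added for illustration, None is an assumed empty heap, and the Effects/mustOrderAgainst helpers are this example's own way of asking the question the entry raises: a world-clobbering operation (reads World, writes Heap) may read the stack but never writes it, so it cannot be reordered with a stack store, while a heap load and a stack store are independent.

```c
#include <stdbool.h>

/* Assumed hierarchy: World above Heap and Stack (siblings); HeapCell and
 * StackSlot are illustrative leaves; None is the empty heap. */
typedef enum { None, World, Heap, Stack, HeapCell, StackSlot, HeapKindCount } AbstractHeap;

static const AbstractHeap parentOf[HeapKindCount] = {
    [None] = None, [World] = World, [Heap] = World, [Stack] = World,
    [HeapCell] = Heap, [StackSlot] = Stack
};

AbstractHeap supertype(AbstractHeap h) { return parentOf[h]; }

/* a is a strict subtype of b if walking up from a reaches b. */
bool isStrictSubtypeOf(AbstractHeap a, AbstractHeap b)
{
    if (a == None || b == None)
        return false;
    while (a != World) {
        a = supertype(a);
        if (a == b)
            return true;
    }
    return false;
}

bool isSubtypeOf(AbstractHeap a, AbstractHeap b)
{
    if (a == None || b == None)
        return false;
    return a == b || isStrictSubtypeOf(a, b);
}

/* Two abstract heaps overlap iff one contains the other; else disjoint. */
bool overlaps(AbstractHeap a, AbstractHeap b) { return isSubtypeOf(a, b) || isSubtypeOf(b, a); }
bool isDisjoint(AbstractHeap a, AbstractHeap b) { return !overlaps(a, b); }

typedef struct { AbstractHeap reads; AbstractHeap writes; } Effects;

/* "Clobbering the world" after this change: read World, write only Heap. */
Effects clobberWorld(void) { Effects e = { World, Heap }; return e; }
/* A store to one stack slot and a load from one heap cell, for comparison. */
Effects putStackEffects(void) { Effects e = { None, StackSlot }; return e; }
Effects getHeapCellEffects(void) { Effects e = { HeapCell, None }; return e; }

bool mayRead(Effects e, AbstractHeap loc) { return overlaps(e.reads, loc); }
bool mayWrite(Effects e, AbstractHeap loc) { return overlaps(e.writes, loc); }

/* Two operations must keep their relative order if either writes
 * something the other reads or writes. */
bool mustOrderAgainst(Effects a, Effects b)
{
    return overlaps(a.writes, b.reads) || overlaps(a.writes, b.writes)
        || overlaps(a.reads, b.writes);
}
```

The disjointness check walks the parent chain rather than comparing two fixed kinds, so adding a deeper hierarchy under Heap or Stack needs only a new entry in parentOf.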
224 2015-02-25  Ryosuke Niwa  <rniwa@webkit.org>
225
226         REGRESSION(r180595): construct varargs fails in FTL
227         https://bugs.webkit.org/show_bug.cgi?id=142030
228
229         Reviewed by Geoffrey Garen.
230
231         The bug was caused by IC size being too small for construct_varargs even though we've added a new argument.
232         Fixed the bug by increasing the IC size to match call_varargs.
233
234         * ftl/FTLInlineCacheSize.cpp:
235         (JSC::FTL::sizeOfConstructVarargs):
236
237 2015-02-25  Mark Lam  <mark.lam@apple.com>
238
239         ASan does not like JSC::MachineThreads::tryCopyOtherThreadStack.
240         <https://webkit.org/b/141672>
241
242         Reviewed by Alexey Proskuryakov.
243
244         ASan does not like the fact that we memcpy the stack for GC scans.  So,
245         we're working around this by using our own memcpy (asanUnsafeMemcpy)
246         implementation that we can tell ASan to ignore.
247
248         * heap/MachineStackMarker.cpp:
249         (JSC::asanUnsafeMemcpy):
250
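An added example of the workaround the entry describes, not JavaScriptCore's own implementation: a memcpy that GCC/Clang's no_sanitize_address attribute exempts from ASan instrumentation, so it can copy memory (such as another thread's stack during a conservative scan) that ASan would otherwise report. The word-wise fast path for aligned pointers and the self-test with its constructed byte pattern are this example's additions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed: the compiler is GCC or Clang, which both accept this attribute. */
#if defined(__clang__) || defined(__GNUC__)
#define ASAN_UNSAFE __attribute__((no_sanitize_address))
#else
#define ASAN_UNSAFE
#endif

/* Uninstrumented copy: ASan does not check the loads and stores in here.
 * Copies whole words when both pointers and the length are word aligned. */
ASAN_UNSAFE void* asanUnsafeMemcpy(void* dst, const void* src, size_t bytes)
{
    unsigned char* d = dst;
    const unsigned char* s = src;
    if ((((uintptr_t)d | (uintptr_t)s | (uintptr_t)bytes) % sizeof(uintptr_t)) == 0) {
        uintptr_t* dw = (uintptr_t*)d;
        const uintptr_t* sw = (const uintptr_t*)s;
        for (size_t i = 0; i < bytes / sizeof(uintptr_t); i++)
            dw[i] = sw[i];
        return dst;
    }
    for (size_t i = 0; i < bytes; i++)
        d[i] = s[i];
    return dst;
}

/* Exercises both paths on a constructed pattern; returns 1 on success. */
int asanUnsafeMemcpySelfTest(void)
{
    uintptr_t srcWords[8], dstWords[8];                 /* word aligned */
    unsigned char* src = (unsigned char*)srcWords;
    unsigned char* dst = (unsigned char*)dstWords;
    size_t n = sizeof srcWords;
    for (size_t i = 0; i < n; i++)
        src[i] = (unsigned char)(i * 7 + 3);            /* constructed input */
    memset(dst, 0, n);
    asanUnsafeMemcpy(dst, src, n);                      /* aligned: word path */
    if (memcmp(dst, src, n) != 0)
        return 0;
    memset(dst, 0, n);
    asanUnsafeMemcpy(dst + 1, src + 1, n - 3);          /* misaligned: byte path */
    return memcmp(dst + 1, src + 1, n - 3) == 0 && dst[0] == 0 && dst[n - 1] == 0;
}
```

The attribute only silences the checks inside this function; the caller is still responsible for making sure the source range really is mapped, which for a foreign stack means reading between the stack pointer captured while that thread was suspended and its stack base.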
251 2015-02-25  Benjamin Poulain  <bpoulain@apple.com>
252
253         CodeBlock crashes when dumping op_push_name_scope
254         https://bugs.webkit.org/show_bug.cgi?id=141953
255
256         Reviewed by Filip Pizlo and Csaba Osztrogonác.
257
258         * bytecode/CodeBlock.cpp:
259         (JSC::CodeBlock::dumpBytecode):
260         * tests/stress/op-push-name-scope-crashes-profiler.js: Added.
261
262 2015-02-25  Benjamin Poulain  <benjamin@webkit.org>
263
264         Make ParserError immutable by design
265         https://bugs.webkit.org/show_bug.cgi?id=141955
266
267         Reviewed by Geoffrey Garen.
268
269         This patch enforces that no field of ParserError can
270         be modified after the constructor.
271
272         * parser/ParserError.h:
273         Move the attributes to pack the integer + 2 bytes together.
274         This is irrelevant for memory impact, it is to remve a load-store
275         when copying by value.
276
277         Also move the attributes to be private.
278
279         (JSC::ParserError::isValid):
280         No client of the interface cared about the type of the error;
281         the only information needed was: is there an error?
282
283         (JSC::ParserError::ParserError):
284         (JSC::ParserError::syntaxErrorType):
285         (JSC::ParserError::token):
286         (JSC::ParserError::message):
287         (JSC::ParserError::line):
288         (JSC::ParserError::toErrorObject):
289         * API/JSScriptRef.cpp:
290         * builtins/BuiltinExecutables.cpp:
291         (JSC::BuiltinExecutables::createBuiltinExecutable):
292         * bytecode/UnlinkedCodeBlock.cpp:
293         (JSC::generateFunctionCodeBlock):
294         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
295         (JSC::UnlinkedFunctionExecutable::codeBlockFor):
296         * bytecode/UnlinkedCodeBlock.h:
297         * inspector/agents/InspectorRuntimeAgent.cpp:
298         (Inspector::InspectorRuntimeAgent::parse):
299         * jsc.cpp:
300         (runInteractive):
301         * parser/Parser.h:
302         (JSC::parse):
303         * runtime/CodeCache.cpp:
304         (JSC::CodeCache::getGlobalCodeBlock):
305         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
306         * runtime/CodeCache.h:
307         * runtime/Completion.h:
308         * runtime/Executable.cpp:
309         (JSC::ProgramExecutable::checkSyntax):
310         * runtime/JSGlobalObject.cpp:
311         (JSC::JSGlobalObject::createProgramCodeBlock):
312         (JSC::JSGlobalObject::createEvalCodeBlock):
313
314 2015-02-25  Filip Pizlo  <fpizlo@apple.com>
315
316         Need to pass RTLD_DEEPBIND to dlopen() to ensure that our LLVMOverrides take effect on Linux
317         https://bugs.webkit.org/show_bug.cgi?id=142006
318
319         Reviewed by Csaba Osztrogonác.
320
321         This fixes hard-to-reproduce concurrency-related crashes when running stress tests with FTL and
322         concurrent JIT enabled.
323
324         * llvm/InitializeLLVMPOSIX.cpp:
325         (JSC::initializeLLVMPOSIX):
326
327 2015-02-24  Filip Pizlo  <fpizlo@apple.com>
328
329         CMake build of libllvmForJSC.so should limit its export list like the Xcode build does
330         https://bugs.webkit.org/show_bug.cgi?id=141989
331
332         Reviewed by Gyuyoung Kim.
333
334         * CMakeLists.txt:
335         * llvm/library/libllvmForJSC.version: Added.
336
337 2015-02-24  Alexey Proskuryakov  <ap@apple.com>
338
339         More iOS build fix after r180602.
340
341         * heap/Heap.h: Export Heap::machineThreads().
342
343 2015-02-24  Brent Fulgham  <bfulgham@apple.com>
344
345         Unreviewed build fix after r180602.
346
347         * heap/MachineStackMarker.h: Add missing 'no return'
348         declaration for Windows.
349
350 2015-02-24  Commit Queue  <commit-queue@webkit.org>
351
352         Unreviewed, rolling out r180599.
353         https://bugs.webkit.org/show_bug.cgi?id=141998
354
355         Lots of new test failures (Requested by smfr on #webkit).
356
357         Reverted changeset:
358
359         "Parsing support for -webkit-trailing-word"
360         https://bugs.webkit.org/show_bug.cgi?id=141939
361         http://trac.webkit.org/changeset/180599
362
363 2015-02-24  Mark Lam  <mark.lam@apple.com>
364
365         MachineThreads::Thread clean up has a use after free race condition.
366         <https://webkit.org/b/141990>
367
368         Reviewed by Michael Saboff.
369
370         MachineThreads::Thread clean up relies on the clean up mechanism
371         implemented in _pthread_tsd_cleanup_key(), which looks like this:
372
373         void _pthread_tsd_cleanup_key(pthread_t self, pthread_key_t key)
374         {
375             void (*destructor)(void *);
376             if (_pthread_key_get_destructor(key, &destructor)) {
377                 void **ptr = &self->tsd[key];
378                 void *value = *ptr;
379
380                 // At this point, this thread has cached "destructor" and "value"
381                 // (which is a MachineThreads*).  If the VM gets destructed (along
382                 // with its MachineThreads registry) by another thread, then this
383                 // thread will have no way of knowing that the MachineThreads* is
384                 // now pointing to freed memory.  Calling the destructor below will
385                 // therefore result in a use after free scenario when it tries to
386                 // access the MachineThreads' data members.
387
388                 if (value) {
389                     *ptr = NULL;
390                     if (destructor) {
391                         destructor(value);
392                     }
393                 }
394             }
395         }
396
397         The solution is simply to change MachineThreads from a per VM thread
398         registry to a process global singleton thread registry i.e. the
399         MachineThreads registry is now immortal and we cannot have a use after
400         free scenario since we never free it.
401
402         The cost of this change is that all VM instances will have to scan
403         stacks of all threads ever touched by a VM, and not just those that
404         touched a specific VM.  However, stacks tend to be shallow.  Hence,
405         those additional scans will tend to be cheap.
406
407         Secondly, it is not common for there to be multiple JSC VMs in use
408         concurrently on multiple threads.  Hence, this cost should rarely
409         manifest in real world applications.
410
411         * heap/Heap.cpp:
412         (JSC::Heap::Heap):
413         (JSC::Heap::machineThreads):
414         (JSC::Heap::gatherStackRoots):
415         * heap/Heap.h:
416         (JSC::Heap::machineThreads): Deleted.
417         * heap/MachineStackMarker.cpp:
418         (JSC::MachineThreads::MachineThreads):
419         (JSC::MachineThreads::~MachineThreads):
420         (JSC::MachineThreads::addCurrentThread):
421         * heap/MachineStackMarker.h:
422         * runtime/JSLock.cpp:
423         (JSC::JSLock::didAcquireLock):
424
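The fix described above, as an added example in C that is not JavaScriptCore's code: a process-global thread registry that is allocated once and intentionally never freed, with each thread registering itself and storing the registry pointer in a pthread thread-specific-data slot whose destructor removes the thread at exit. Because the registry is immortal, the pointer the destructor receives cannot dangle, which is the use-after-free the entry describes. The names (machineThreads, addCurrentThread, removeCurrentThread) echo the entry; the gate that keeps workers alive until they have been counted, and runWorkers/lastPeak, are this example's own test scaffolding.

```c
#include <pthread.h>
#include <sched.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Process-global registry: allocated once, never freed, so the pointer a
 * TSD destructor receives can never point at freed memory. */
typedef struct Thread { pthread_t id; struct Thread* next; } Thread;
typedef struct Registry {
    pthread_mutex_t lock;
    pthread_key_t key;          /* destructor = removeCurrentThread */
    Thread* head;
    size_t count;
} Registry;

static Registry* g_registry;                    /* immortal singleton */
static pthread_once_t g_once = PTHREAD_ONCE_INIT;
static size_t g_lastPeak;                       /* recorded by runWorkers */

/* TSD destructor: runs on the exiting thread with the value it stored. */
static void removeCurrentThread(void* value)
{
    Registry* r = value;
    pthread_t self = pthread_self();
    pthread_mutex_lock(&r->lock);
    for (Thread** link = &r->head; *link; link = &(*link)->next) {
        if (pthread_equal((*link)->id, self)) {
            Thread* dead = *link;
            *link = dead->next;
            free(dead);
            r->count--;
            break;
        }
    }
    pthread_mutex_unlock(&r->lock);
}

static void initRegistry(void)
{
    g_registry = calloc(1, sizeof *g_registry);
    pthread_mutex_init(&g_registry->lock, NULL);
    pthread_key_create(&g_registry->key, removeCurrentThread);
}

Registry* machineThreads(void) { pthread_once(&g_once, initRegistry); return g_registry; }

void addCurrentThread(void)
{
    Registry* r = machineThreads();
    if (pthread_getspecific(r->key))
        return;                                 /* already registered */
    Thread* t = calloc(1, sizeof *t);
    t->id = pthread_self();
    pthread_mutex_lock(&r->lock);
    t->next = r->head;
    r->head = t;
    r->count++;
    pthread_mutex_unlock(&r->lock);
    pthread_setspecific(r->key, r);             /* arms the destructor */
}

size_t registeredThreadCount(void)
{
    Registry* r = machineThreads();
    pthread_mutex_lock(&r->lock);
    size_t n = r->count;
    pthread_mutex_unlock(&r->lock);
    return n;
}

size_t lastPeak(void) { return g_lastPeak; }

/* Gate that keeps workers alive until the main thread has counted them. */
static pthread_mutex_t g_gateLock = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t g_gateCond = PTHREAD_COND_INITIALIZER;
static bool g_gateOpen;

static void* worker(void* arg)
{
    (void)arg;
    addCurrentThread();
    pthread_mutex_lock(&g_gateLock);
    while (!g_gateOpen)
        pthread_cond_wait(&g_gateCond, &g_gateLock);
    pthread_mutex_unlock(&g_gateLock);
    return NULL;                                /* destructor fires now */
}

/* Spawns n registering workers, records how many are registered while they
 * live, releases and joins them, and returns how many remain registered. */
size_t runWorkers(int n)
{
    pthread_t* ids = calloc((size_t)n, sizeof *ids);
    pthread_mutex_lock(&g_gateLock); g_gateOpen = false; pthread_mutex_unlock(&g_gateLock);
    for (int i = 0; i < n; i++)
        pthread_create(&ids[i], NULL, worker, NULL);
    while (registeredThreadCount() < (size_t)n)
        sched_yield();
    g_lastPeak = registeredThreadCount();
    pthread_mutex_lock(&g_gateLock); g_gateOpen = true;
    pthread_cond_broadcast(&g_gateCond); pthread_mutex_unlock(&g_gateLock);
    for (int i = 0; i < n; i++)
        pthread_join(ids[i], NULL);
    free(ids);
    return registeredThreadCount();
}
```

The cost the entry mentions shows up here too: every scanner walks the whole list, not only the threads that touched its own VM. The trade is that nothing ever frees the registry, so the destructor's cached pointer stays valid no matter which thread tears down which VM.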
425 2015-02-24  Myles C. Maxfield  <mmaxfield@apple.com>
426
427         [Mac] [iOS] Parsing support for -apple-trailing-word
428         https://bugs.webkit.org/show_bug.cgi?id=141939
429
430         Reviewed by Andreas Kling.
431
432         * Configurations/FeatureDefines.xcconfig:
433
434 2015-02-24  Ryosuke Niwa  <rniwa@webkit.org>
435
436         Use "this" instead of "callee" to get the constructor
437         https://bugs.webkit.org/show_bug.cgi?id=141019
438
439         Reviewed by Filip Pizlo.
440
441         This patch uses "this" register to pass the constructor (newTarget) to op_create_this from
442         op_construct or op_construct_varargs. This will allow future patches that implement ES6 class
443         to pass in the most derived class' constructor through "this" argument.
444
445         BytecodeGenerator's emitConstruct and emitConstructVarargs now pass thisRegister like
446         regular calls and emitCreateThis passes in this register to op_create_this as constructor.
447
448         The rest of the code change removes the code for special casing "this" register not being used
449         in call to construct.
450
451         * bytecode/BytecodeUseDef.h:
452         (JSC::computeUsesForBytecodeOffset):
453         * bytecompiler/BytecodeGenerator.cpp:
454         (JSC::BytecodeGenerator::emitCreateThis):
455         (JSC::BytecodeGenerator::emitConstructVarargs):
456         (JSC::BytecodeGenerator::emitConstruct):
457         * bytecompiler/BytecodeGenerator.h:
458         * bytecompiler/NodesCodegen.cpp:
459         (JSC::NewExprNode::emitBytecode):
460         * dfg/DFGByteCodeParser.cpp:
461         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
462         (JSC::DFG::ByteCodeParser::handleVarargsCall):
463         (JSC::DFG::ByteCodeParser::emitArgumentPhantoms):
464         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
465         (JSC::DFG::ByteCodeParser::handleInlining):
466         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
467         (JSC::DFG::ByteCodeParser::parseBlock):
468         * dfg/DFGJITCode.cpp:
469         (JSC::DFG::JITCode::reconstruct):
470         * dfg/DFGSpeculativeJIT32_64.cpp:
471         (JSC::DFG::SpeculativeJIT::emitCall):
472         * dfg/DFGSpeculativeJIT64.cpp:
473         (JSC::DFG::SpeculativeJIT::emitCall):
474         * ftl/FTLJSCallVarargs.cpp:
475         (JSC::FTL::JSCallVarargs::emit):
476         * ftl/FTLLowerDFGToLLVM.cpp:
477         (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
478         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
479         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
480         * interpreter/Interpreter.cpp:
481         (JSC::Interpreter::executeConstruct):
482         * jit/JITOperations.cpp:
483
484 2015-02-24  Joseph Pecoraro  <pecoraro@apple.com>
485
486         Web Inspector: Make Getter/Setter RemoteObject property and ObjectPreview handling consistent
487         https://bugs.webkit.org/show_bug.cgi?id=141587
488
489         Reviewed by Timothy Hatcher.
490
491         Convert getProperties(ownAndGetterProperties) to getDisplayableProperties().
492         Mark PropertyDescriptors that are presumed to be native getters / bindings
493         separately so that the frontend may display them differently.
494
495         * inspector/InjectedScript.cpp:
496         (Inspector::InjectedScript::getProperties):
497         (Inspector::InjectedScript::getDisplayableProperties):
498         * inspector/InjectedScript.h:
499         * inspector/InjectedScriptSource.js:
500         * inspector/agents/InspectorRuntimeAgent.cpp:
501         (Inspector::InspectorRuntimeAgent::getProperties):
502         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
503         * inspector/agents/InspectorRuntimeAgent.h:
504         * inspector/protocol/Runtime.json:
505
506 2015-02-24  Mark Lam  <mark.lam@apple.com>
507
508         Rolling out r179753.  The fix was invalid.
509         <https://webkit.org/b/141990>
510
511         Not reviewed.
512
513         * API/tests/testapi.mm:
514         (threadMain):
515         (useVMFromOtherThread): Deleted.
516         (useVMFromOtherThreadAndOutliveVM): Deleted.
517         * heap/Heap.cpp:
518         (JSC::Heap::Heap):
519         (JSC::Heap::~Heap):
520         (JSC::Heap::gatherStackRoots):
521         * heap/Heap.h:
522         (JSC::Heap::machineThreads):
523         * heap/MachineStackMarker.cpp:
524         (JSC::MachineThreads::Thread::Thread):
525         (JSC::MachineThreads::MachineThreads):
526         (JSC::MachineThreads::~MachineThreads):
527         (JSC::MachineThreads::addCurrentThread):
528         (JSC::MachineThreads::removeThread):
529         (JSC::MachineThreads::removeCurrentThread):
530         * heap/MachineStackMarker.h:
531
532 2015-02-24  Yusuke Suzuki  <utatane.tea@gmail.com>
533
534         Constructor returning null should construct an object instead of null
535         https://bugs.webkit.org/show_bug.cgi?id=141640
536
537         Reviewed by Filip Pizlo.
538
539         When constructor code doesn't return an object, the constructor should return the `this` object instead.
540         Since we used `op_is_object` for this check and `op_is_object` is intended to be used for `typeof`,
541         it allows `null` as an object.
542         This patch fixes it by introducing a new bytecode `op_is_object_or_null` for `typeof` use cases.
543         Instead, the constructor uses the simplified `is_object`.
544
545         As a result, `op_is_object` becomes fairly simple. So we introduce an optimization for `op_is_object`.
546
547         1. LLInt and baseline JIT support `op_is_object` as a fast path.
548         2. DFG abstract interpreter supports `op_is_object`, and recognizes its speculated type and read-write effects.
549         3. DFG introduces inlined asm for `op_is_object` rather than calling a C++ function.
550         4. FTL lowers DFG's IsObject into LLVM IR.
551
552         And at the same time, this patch fixes the isString / isObject predicates used for `op_is_object` and others
553         in LLInt, JIT, DFG and FTL.
554         Before introducing ES6 Symbol, JSCell was only used for object and string in the user observable area.
555         So in many places, when the cell is not an object, we recognize it as a string, and vice versa.
556         However, now that ES6 Symbol is implemented as a JSCell, this assumption is broken.
557         So this patch stops using !isString as isObject.
558         To check whether a cell is an object, instead of seeing that the structure ID of a cell is not stringStructure,
559         we examine the typeInfo in JSCell.
560
561         * JavaScriptCore.order:
562         * bytecode/BytecodeList.json:
563         * bytecode/BytecodeUseDef.h:
564         (JSC::computeUsesForBytecodeOffset):
565         (JSC::computeDefsForBytecodeOffset):
566         * bytecode/CodeBlock.cpp:
567         (JSC::CodeBlock::dumpBytecode):
568         * bytecode/PutByIdStatus.cpp:
569         (JSC::PutByIdStatus::computeFor):
570         * bytecompiler/BytecodeGenerator.cpp:
571         (JSC::BytecodeGenerator::emitEqualityOp):
572         (JSC::BytecodeGenerator::emitReturn):
573         * dfg/DFGAbstractInterpreterInlines.h:
574         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
575         * dfg/DFGByteCodeParser.cpp:
576         (JSC::DFG::ByteCodeParser::parseBlock):
577         * dfg/DFGCapabilities.cpp:
578         (JSC::DFG::capabilityLevel):
579         * dfg/DFGClobberize.h:
580         (JSC::DFG::clobberize):
581
582         The IsObject operation only touches the JSCell typeInfoType.
583         This value would be changed through a structure transition.
584         As a result, IsObject can report that it doesn't read any information.
585
586         * dfg/DFGConstantFoldingPhase.cpp:
587         (JSC::DFG::ConstantFoldingPhase::foldConstants):
588         * dfg/DFGDoesGC.cpp:
589         (JSC::DFG::doesGC):
590         * dfg/DFGFixupPhase.cpp:
591         (JSC::DFG::FixupPhase::fixupNode):
592
593         Just like IsString, IsObject is also fixed up.
594
595         * dfg/DFGHeapLocation.cpp:
596         (WTF::printInternal):
597         * dfg/DFGHeapLocation.h:
598         * dfg/DFGNodeType.h:
599         * dfg/DFGOperations.cpp:
600         * dfg/DFGOperations.h:
601         * dfg/DFGPredictionPropagationPhase.cpp:
602         (JSC::DFG::PredictionPropagationPhase::propagate):
603         * dfg/DFGSafeToExecute.h:
604         (JSC::DFG::safeToExecute):
605         * dfg/DFGSpeculativeJIT.cpp:
606         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
607         (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality):
608         (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality):
609         (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
610         (JSC::DFG::SpeculativeJIT::speculateObject):
611         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
612         (JSC::DFG::SpeculativeJIT::speculateString):
613         (JSC::DFG::SpeculativeJIT::speculateNotStringVar):
614         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
615         (JSC::DFG::SpeculativeJIT::emitSwitchString):
616         (JSC::DFG::SpeculativeJIT::branchIsObject):
617         (JSC::DFG::SpeculativeJIT::branchNotObject):
618         (JSC::DFG::SpeculativeJIT::branchIsString):
619         (JSC::DFG::SpeculativeJIT::branchNotString):
620         * dfg/DFGSpeculativeJIT.h:
621         * dfg/DFGSpeculativeJIT32_64.cpp:
622         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
623         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
624         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
625         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
626         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
627         (JSC::DFG::SpeculativeJIT::compile):
628         * dfg/DFGSpeculativeJIT64.cpp:
629         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
630         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
631         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
632         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
633         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
634         (JSC::DFG::SpeculativeJIT::compile):
635         * ftl/FTLCapabilities.cpp:
636         (JSC::FTL::canCompile):
637         * ftl/FTLLowerDFGToLLVM.cpp:
638         (JSC::FTL::LowerDFGToLLVM::compileNode):
639         (JSC::FTL::LowerDFGToLLVM::compileToString):
640         (JSC::FTL::LowerDFGToLLVM::compileIsObject):
641         (JSC::FTL::LowerDFGToLLVM::compileIsObjectOrNull):
642         (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
643         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
644         (JSC::FTL::LowerDFGToLLVM::isObject):
645         (JSC::FTL::LowerDFGToLLVM::isNotObject):
646         (JSC::FTL::LowerDFGToLLVM::isNotString):
647         (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
648         * jit/JIT.cpp:
649         (JSC::JIT::privateCompileMainPass):
650         * jit/JIT.h:
651         * jit/JITInlines.h:
652         (JSC::JIT::emitJumpIfCellObject):
653         * jit/JITOpcodes.cpp:
654         (JSC::JIT::emit_op_is_object):
655         (JSC::JIT::emit_op_to_primitive):
656         * jit/JITOpcodes32_64.cpp:
657         (JSC::JIT::emit_op_is_object):
658         (JSC::JIT::emit_op_to_primitive):
659         (JSC::JIT::compileOpStrictEq):
660         * llint/LowLevelInterpreter.asm:
661         * llint/LowLevelInterpreter32_64.asm:
662         * llint/LowLevelInterpreter64.asm:
663         * runtime/CommonSlowPaths.cpp:
664         (JSC::SLOW_PATH_DECL):
665         * runtime/CommonSlowPaths.h:
666         * runtime/Operations.cpp:
667         (JSC::jsIsObjectTypeOrNull):
668         (JSC::jsIsObjectType): Deleted.
669         * runtime/Operations.h:
670         * tests/stress/constructor-with-return.js: Added.
671         (Test):
672
673         When the constructor doesn't return an object, `this` should be returned instead.
674         In this test, we check all primitives, and test object, array and wrappers.
675
676         * tests/stress/dfg-to-primitive-pass-symbol.js: Added.
677         (toPrimitiveTarget):
678         (doToPrimitive):
679
680         The op_to_primitive operation passes Symbol in the fast path.
681
682 2015-02-24  Yusuke Suzuki  <utatane.tea@gmail.com>
683
684         REGRESSION(r179429): Can't type comments in Facebook
685         https://bugs.webkit.org/show_bug.cgi?id=141859
686
687         Reviewed by Brent Fulgham.
688
689         When window.Symbol is exposed to user-space pages,
690         Facebook's JavaScript uses it (maybe for immutable-js and React.js's unique key).
691         However, to work with Symbols completely, it also requires
692         1) Object.getOwnPropertySymbols (for mixin including Symbols)
693         2) the latest ES6 Iterator interface that uses Iterator.next and it returns { done: boolean, value: value }.
694         Since they have not landed yet, comments in Facebook don't work.
695
696         This patch introduces RuntimeFlags for JavaScriptCore.
697         It specifies the SymbolEnabled flag under the test runner and inspector to continue to work with Symbol,
698         and drops the JavaScriptExperimentsEnabled flag
699         because it is no longer used and its use case is duplicated by runtime flags.
700
701         * JavaScriptCore.order:
702         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
703         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
704         * JavaScriptCore.xcodeproj/project.pbxproj:
705         * jsc.cpp:
706         (GlobalObject::javaScriptRuntimeFlags):
707         (GlobalObject::javaScriptExperimentsEnabled): Deleted.
708         * runtime/JSGlobalObject.cpp:
709         (JSC::JSGlobalObject::JSGlobalObject):
710         (JSC::JSGlobalObject::init):
711         * runtime/JSGlobalObject.h:
712         (JSC::JSGlobalObject::finishCreation):
713         (JSC::JSGlobalObject::javaScriptRuntimeFlags):
714         (JSC::JSGlobalObject::javaScriptExperimentsEnabled): Deleted.
715         * runtime/RuntimeFlags.h: Added.
716         (JSC::RuntimeFlags::RuntimeFlags):
717         (JSC::RuntimeFlags::createAllEnabled):
718
719 2015-02-23  Filip Pizlo  <fpizlo@apple.com>
720
721         Our bizarre behavior on Arguments::defineOwnProperty should be deliberate rather than a spaghetti incident
722         https://bugs.webkit.org/show_bug.cgi?id=141951
723
724         Reviewed by Benjamin Poulain.
725         
726         This patch has no behavioral change, but it simplifies a bunch of wrong code. The code is
727         still wrong in exactly the same way, but at least it's obvious what's going on. The wrongness
728         is covered by this bug: https://bugs.webkit.org/show_bug.cgi?id=141952.
729
730         * runtime/Arguments.cpp:
731         (JSC::Arguments::copyBackingStore): We should only see the arguments token; assert otherwise. This works because if the GC sees the butterfly token it calls the JSObject::copyBackingStore method directly.
732         (JSC::Arguments::defineOwnProperty): Make our bizarre behavior deliberate rather than an accident of a decade of patches.
733         * tests/stress/arguments-bizarre-behavior.js: Added.
734         (foo):
735         * tests/stress/arguments-bizarre-behaviour-disable-enumerability.js: Added. My choice of spellings of the word "behavio[u]r" is almost as consistent as our implementation of arguments.
736         (foo):
737         * tests/stress/arguments-custom-properties-gc.js: Added. I added this test because at first I was unsure if we GCd arguments correctly.
738         (makeBaseArguments):
739         (makeArray):
740         (cons):
741
742 2015-02-23  Commit Queue  <commit-queue@webkit.org>
743
744         Unreviewed, rolling out r180547 and r180550.
745         https://bugs.webkit.org/show_bug.cgi?id=141957
746
747         Broke 10 Windows tests. (Requested by bfulgham_ on #webkit).
748
749         Reverted changesets:
750
751         "REGRESSION(r179429): Can't type comments in Facebook"
752         https://bugs.webkit.org/show_bug.cgi?id=141859
753         http://trac.webkit.org/changeset/180547
754
755         "Constructor returning null should construct an object instead
756         of null"
757         https://bugs.webkit.org/show_bug.cgi?id=141640
758         http://trac.webkit.org/changeset/180550
759
760 2015-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
761
762         Constructor returning null should construct an object instead of null
763         https://bugs.webkit.org/show_bug.cgi?id=141640
764
765         Reviewed by Geoffrey Garen.
766
767         When constructor code doesn't return an object, the constructor should return the `this` object instead.
768         Since we used `op_is_object` for this check and `op_is_object` is intended to be used for `typeof`,
769         it allows `null` as an object.
770         This patch fixes it by introducing a new bytecode, `op_is_object_or_null`, for `typeof` use cases.
771         Instead, the constructor uses the simplified `is_object`.
772
773         As a result, `op_is_object` becomes fairly simple, so we introduce optimizations for `op_is_object`.
774
775         1. LLInt and the baseline JIT support `op_is_object` as a fast path.
776         2. The DFG abstract interpreter supports `op_is_object` and recognizes its speculated type and read-write effects.
777         3. The DFG introduces inlined asm for `op_is_object` rather than calling a C++ function.
778         4. The FTL lowers the DFG's IsObject into LLVM IR.
779
780         At the same time, this patch fixes the isString / isObject predicates used for `op_is_object` and others
781         in LLInt, JIT, DFG and FTL.
782         Before ES6 Symbol was introduced, JSCell was only used for objects and strings in the user-observable area.
783         So in many places, when the cell was not an object, we recognized it as a string, and vice versa.
784         However, now that ES6 Symbol is implemented as a JSCell, this assumption is broken.
785         So this patch stops using !isString as isObject.
786         To check whether a cell is an object, instead of checking that the structure ID of the cell is not stringStructure,
787         we examine the typeInfo in JSCell.
788
789         * JavaScriptCore.order:
790         * bytecode/BytecodeList.json:
791         * bytecode/BytecodeUseDef.h:
792         (JSC::computeUsesForBytecodeOffset):
793         (JSC::computeDefsForBytecodeOffset):
794         * bytecode/CodeBlock.cpp:
795         (JSC::CodeBlock::dumpBytecode):
796         * bytecode/PutByIdStatus.cpp:
797         (JSC::PutByIdStatus::computeFor):
798         * bytecompiler/BytecodeGenerator.cpp:
799         (JSC::BytecodeGenerator::emitEqualityOp):
800         (JSC::BytecodeGenerator::emitReturn):
801         * dfg/DFGAbstractInterpreterInlines.h:
802         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
803         * dfg/DFGByteCodeParser.cpp:
804         (JSC::DFG::ByteCodeParser::parseBlock):
805         * dfg/DFGCapabilities.cpp:
806         (JSC::DFG::capabilityLevel):
807         * dfg/DFGClobberize.h:
808         (JSC::DFG::clobberize):
809
810         The IsObject operation only touches the JSCell typeInfoType,
811         and this value would not be changed through a structure transition.
812         As a result, IsObject can report that it doesn't read any information.
813
814         * dfg/DFGDoesGC.cpp:
815         (JSC::DFG::doesGC):
816         * dfg/DFGFixupPhase.cpp:
817         (JSC::DFG::FixupPhase::fixupNode):
818
819         Just like IsString, IsObject is also fixed up.
820
821         * dfg/DFGHeapLocation.cpp:
822         (WTF::printInternal):
823         * dfg/DFGHeapLocation.h:
824         * dfg/DFGNodeType.h:
825         * dfg/DFGOperations.cpp:
826         * dfg/DFGOperations.h:
827         * dfg/DFGPredictionPropagationPhase.cpp:
828         (JSC::DFG::PredictionPropagationPhase::propagate):
829         * dfg/DFGSafeToExecute.h:
830         (JSC::DFG::safeToExecute):
831         * dfg/DFGSpeculativeJIT.cpp:
832         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
833         (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality):
834         (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality):
835         (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
836         (JSC::DFG::SpeculativeJIT::speculateObject):
837         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
838         (JSC::DFG::SpeculativeJIT::speculateString):
839         (JSC::DFG::SpeculativeJIT::speculateNotStringVar):
840         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
841         (JSC::DFG::SpeculativeJIT::emitSwitchString):
842         (JSC::DFG::SpeculativeJIT::branchIsObject):
843         (JSC::DFG::SpeculativeJIT::branchNotObject):
844         (JSC::DFG::SpeculativeJIT::branchIsString):
845         (JSC::DFG::SpeculativeJIT::branchNotString):
846         * dfg/DFGSpeculativeJIT.h:
847         * dfg/DFGSpeculativeJIT32_64.cpp:
848         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
849         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
850         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
851         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
852         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
853         (JSC::DFG::SpeculativeJIT::compile):
854         * dfg/DFGSpeculativeJIT64.cpp:
855         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
856         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
857         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
858         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
859         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
860         (JSC::DFG::SpeculativeJIT::compile):
861         * ftl/FTLCapabilities.cpp:
862         (JSC::FTL::canCompile):
863         * ftl/FTLLowerDFGToLLVM.cpp:
864         (JSC::FTL::LowerDFGToLLVM::compileNode):
865         (JSC::FTL::LowerDFGToLLVM::compileToString):
866         (JSC::FTL::LowerDFGToLLVM::compileIsObject):
867         (JSC::FTL::LowerDFGToLLVM::compileIsObjectOrNull):
868         (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
869         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
870         (JSC::FTL::LowerDFGToLLVM::isObject):
871         (JSC::FTL::LowerDFGToLLVM::isNotObject):
872         (JSC::FTL::LowerDFGToLLVM::isNotString):
873         (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
874         * jit/JIT.cpp:
875         (JSC::JIT::privateCompileMainPass):
876         * jit/JIT.h:
877         * jit/JITInlines.h:
878         (JSC::JIT::emitJumpIfCellObject):
879         * jit/JITOpcodes.cpp:
880         (JSC::JIT::emit_op_is_object):
881         (JSC::JIT::emit_op_to_primitive):
882         * jit/JITOpcodes32_64.cpp:
883         (JSC::JIT::emit_op_is_object):
884         (JSC::JIT::emit_op_to_primitive):
885         (JSC::JIT::compileOpStrictEq):
886         * llint/LowLevelInterpreter.asm:
887         * llint/LowLevelInterpreter32_64.asm:
888         * llint/LowLevelInterpreter64.asm:
889         * runtime/CommonSlowPaths.cpp:
890         (JSC::SLOW_PATH_DECL):
891         * runtime/CommonSlowPaths.h:
892         * runtime/Operations.cpp:
893         (JSC::jsIsObjectTypeOrNull):
894         (JSC::jsIsObjectType): Deleted.
895         * runtime/Operations.h:
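
        A spec-level model of the two checks this entry separates (the same rule the re-landed
        constructor-with-return.js test above exercises), written as an added example in plain
        JavaScript rather than JSC code; the predicate names below are this example's own, not
        JSC identifiers.

```javascript
// Added example: models the construct-return rule and the typeof predicate
// that the ChangeLog entry splits apart. Function names are hypothetical,
// not JavaScriptCore identifiers.

// ES6 [[Construct]]: keep the constructor's return value only if it is an
// Object; for any primitive, including null, hand back `this` instead.
function isObject(v) {
  return v !== null && (typeof v === "object" || typeof v === "function");
}

// What `typeof` needs: `typeof null` is "object", so null passes here.
// This is the predicate the entry moves to op_is_object_or_null; using it
// for the constructor-return check is exactly the bug being fixed.
function isObjectOrNull(v) {
  return v === null || isObject(v);
}

// Values JSC represents as heap cells: strings, symbols and objects.
function isCell(v) {
  return typeof v === "string" || typeof v === "symbol" || isObject(v);
}

// The pre-Symbol shortcut the entry removes: "a cell that isn't a string
// must be an object". Symbols are cells too, so this misclassifies them.
function isObjectByNotString(v) {
  return isCell(v) && typeof v !== "string";
}

// Runs `new` on a constructor whose body ends in `return returnValue;`.
function constructReturning(returnValue) {
  function Ctor() { this.fromThis = true; return returnValue; }
  return new Ctor();
}

// True when `new Ctor()` produced the freshly allocated `this` rather than
// the value the constructor body returned.
function constructReturnsThis(returnValue) {
  const r = constructReturning(returnValue);
  return r !== returnValue && isObject(r) && r.fromThis === true;
}

// Constructed sample values: every primitive kind plus plain objects, an
// array, the primitive wrappers and a function.
const SAMPLES = {
  undefined: undefined,
  null: null,
  boolean: true,
  number: 42,
  string: "str",
  symbol: Symbol("s"),
  object: { k: 1 },
  array: [1, 2],
  numberWrapper: new Number(42),
  stringWrapper: new String("str"),
  booleanWrapper: new Boolean(false),
  function: function () {},
};

// Checks every sample against the rule "new returns `this` exactly when the
// returned value is not an Object" and lists the names that violate it.
function constructorRuleViolations() {
  return Object.keys(SAMPLES).filter(
    (name) => constructReturnsThis(SAMPLES[name]) !== !isObject(SAMPLES[name])
  );
}

// Names of the samples on which predicates a and b give different answers.
function disagreements(a, b) {
  return Object.keys(SAMPLES).filter((name) => a(SAMPLES[name]) !== b(SAMPLES[name]));
}

console.log("construct-rule violations:", constructorRuleViolations());            // []
console.log("typeof predicate vs isObject:", disagreements(isObjectOrNull, isObject)); // ["null"]
console.log("!isString shortcut vs isObject:", disagreements(isObjectByNotString, isObject)); // ["symbol"]
```

        An engine with the pre-fix behaviour would report "null" under construct-rule violations, because
        a constructor returning null handed back null instead of `this`.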
896
897 2015-02-23  Ryosuke Niwa  <rniwa@webkit.org>
898
899         Disable font loading events until our implementation gets updated to match the latest spec
900         https://bugs.webkit.org/show_bug.cgi?id=141938
901
902         Reviewed by Andreas Kling.
903
904         * Configurations/FeatureDefines.xcconfig:
905
906 2015-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
907
908         REGRESSION(r179429): Can't type comments in Facebook
909         https://bugs.webkit.org/show_bug.cgi?id=141859
910
911         Reviewed by Geoffrey Garen.
912
913         When window.Symbol is exposed to user-space pages,
914         Facebook's JavaScript uses it (maybe for immutable-js and React.js's unique key).
915         However, to work with Symbols completely, it also requires
916         1) Object.getOwnPropertySymbols (for mixins including Symbols)
917         2) the latest ES6 Iterator interface that uses Iterator.next, which returns { done: boolean, value: value }.
918         Since they have not landed yet, comments in Facebook don't work.
919
920         This patch introduces RuntimeFlags for JavaScriptCore.
921         It specifies the SymbolEnabled flag under the test runner and inspector so they continue to work with Symbol,
922         and drops the JavaScriptExperimentsEnabled flag
923         because it is no longer used and its use case is duplicated by runtime flags.
924
925         * JavaScriptCore.order:
926         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
927         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
928         * JavaScriptCore.xcodeproj/project.pbxproj:
929         * jsc.cpp:
930         (GlobalObject::javaScriptRuntimeFlags):
931         (GlobalObject::javaScriptExperimentsEnabled): Deleted.
932         * runtime/JSGlobalObject.cpp:
933         (JSC::JSGlobalObject::JSGlobalObject):
934         (JSC::JSGlobalObject::init):
935         * runtime/JSGlobalObject.h:
936         (JSC::JSGlobalObject::finishCreation):
937         (JSC::JSGlobalObject::javaScriptRuntimeFlags):
938         (JSC::JSGlobalObject::javaScriptExperimentsEnabled): Deleted.
939         * runtime/RuntimeFlags.h: Added.
940         (JSC::RuntimeFlags::RuntimeFlags):
941         (JSC::RuntimeFlags::createAllEnabled):
942
943 2015-02-23  Benjamin Poulain  <bpoulain@apple.com>
944
945         Set the semantic origin of delayed SetLocal to the Bytecode that originated it
946         https://bugs.webkit.org/show_bug.cgi?id=141727
947
948         Reviewed by Filip Pizlo.
949
950         Previously, delayed SetLocals would have the NodeOrigin of the next
951         bytecode. This was because delayed SetLocal are...delayed... and
952         currentCodeOrigin() is the one where the node is emitted.
953
954         This made debugging a little awkward since the OSR exits on SetLocal
955         were reported for the next bytecode. This patch changes the semantic
956         origin to keep the original bytecode.
957
958         From benchmarks, this looks like it could be a tiny bit faster,
959         but it is likely just noise.
960
961         * dfg/DFGByteCodeParser.cpp:
962         (JSC::DFG::ByteCodeParser::setDirect):
963         (JSC::DFG::ByteCodeParser::setLocal):
964         (JSC::DFG::ByteCodeParser::setArgument):
965         (JSC::DFG::ByteCodeParser::currentNodeOrigin):
966         (JSC::DFG::ByteCodeParser::addToGraph):
967         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
968         (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute):
969
970 2015-02-23  Benjamin Poulain  <bpoulain@apple.com>
971
972         Remove DFGNode::predictHeap()
973         https://bugs.webkit.org/show_bug.cgi?id=141864
974
975         Reviewed by Geoffrey Garen.
976
977         * dfg/DFGNode.h:
978         (JSC::DFG::Node::predictHeap): Deleted.
979         Unused code.
980
981 2015-02-23  Filip Pizlo  <fpizlo@apple.com>
982
983         Get rid of JSLexicalEnvironment::argumentsGetter
984         https://bugs.webkit.org/show_bug.cgi?id=141930
985
986         Reviewed by Mark Lam.
987         
988         This function is unused, and the way it's written is bizarre - it's a return statement that
989         dominates a bunch of dead code.
990
991         * runtime/JSLexicalEnvironment.cpp:
992         (JSC::JSLexicalEnvironment::argumentsGetter): Deleted.
993         * runtime/JSLexicalEnvironment.h:
994
995 2015-02-23  Filip Pizlo  <fpizlo@apple.com>
996
997         Remove unused activationCount and allTheThingsCount variable declarations.
998
999         Rubber stamped by Mark Lam and Michael Saboff.
1000
1001         * runtime/JSLexicalEnvironment.h:
1002
1003 2015-02-23  Saam Barati  <saambarati1@gmail.com>
1004
1005         Adjust the ranges of basic block statements in JSC's control flow profiler to be mutually exclusive
1006         https://bugs.webkit.org/show_bug.cgi?id=141095
1007
1008         Reviewed by Mark Lam.
1009
1010         Suppose the control flow of a program forms basic block A with successor block
1011         B. A's end offset will be the *same* as B's start offset in the current architecture 
1012         of the control flow profiler. This makes reasoning about the text offsets of
1013         the control flow profiler unsound. To make reasoning about offsets sound, all 
1014         basic block ranges should be mutually exclusive.  All calls to emitProfileControlFlow 
1015         now pass in the *start* of a basic block as the text offset argument. This simplifies 
1016         all calls to emitProfileControlFlow because the previous implementation had a
1017         lot of edge cases for getting the desired basic block text boundaries.
1018
1019         This patch also ensures that the basic block boundary of a block statement
1020         is exactly the block's open and close brace offsets (inclusive). For example,
1021         in if/for/while statements. This also has the consequence that for statements
1022         like "if (cond) foo();", the whitespace preceding "foo()" is not part of
1023         the "foo()" basic block, but instead is part of the "if (cond) " basic block.
1024         This is okay because these text offsets aren't meant to be human readable.
1025         Instead, they reflect the text offsets of JSC's AST nodes. The Web Inspector
1026         is the only client of this API and user of these text offsets and it is
1027         not negatively affected by this new behavior.
1028
1029         * bytecode/CodeBlock.cpp:
1030         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
1031         When computing basic block boundaries in CodeBlock, we ensure that every
1032         block's end offset is one less than its successor's start offset to
1033         maintain that boundaries' ranges should be mutually exclusive.
1034
1035         * bytecompiler/BytecodeGenerator.cpp:
1036         (JSC::BytecodeGenerator::BytecodeGenerator):
1037         Because the control flow profiler needs to know which functions
1038         have executed, we can't lazily create functions. This was a bug 
1039         from before that was hidden because the Type Profiler was always 
1040         enabled when the control flow profiler was enabled when profiling 
1041         was turned on from the Web Inspector. But, JSC allows for Control 
1042         Flow profiling to be turned on without Type Profiling, so we need 
1043         to ensure the Control Flow profiler has all the data it needs.
1044
1045         * bytecompiler/NodesCodegen.cpp:
1046         (JSC::ConditionalNode::emitBytecode):
1047         (JSC::IfElseNode::emitBytecode):
1048         (JSC::WhileNode::emitBytecode):
1049         (JSC::ForNode::emitBytecode):
1050         (JSC::ForInNode::emitMultiLoopBytecode):
1051         (JSC::ForOfNode::emitBytecode):
1052         (JSC::TryNode::emitBytecode):
1053         * jsc.cpp:
1054         (functionHasBasicBlockExecuted):
1055         We now assert that the substring argument is indeed a substring
1056         of the function argument's text because subtle bugs could be
1057         introduced otherwise.
1058
1059         * parser/ASTBuilder.h:
1060         (JSC::ASTBuilder::setStartOffset):
1061         * parser/Nodes.h:
1062         (JSC::Node::setStartOffset):
1063         * parser/Parser.cpp:
1064         (JSC::Parser<LexerType>::parseBlockStatement):
1065         (JSC::Parser<LexerType>::parseStatement):
1066         (JSC::Parser<LexerType>::parseMemberExpression):
1067         For the various function call AST nodes, their m_position member 
1068         variable is now the start of the entire function call expression 
1069         and not at the start of the open paren of the arguments list.
1070
1071         * runtime/BasicBlockLocation.cpp:
1072         (JSC::BasicBlockLocation::getExecutedRanges):
1073         * runtime/ControlFlowProfiler.cpp:
1074         (JSC::ControlFlowProfiler::getBasicBlocksForSourceID):
1075         Function ranges inserted as gaps should follow the same criteria
1076         that the bytecode generator uses to ensure that basic blocks
1077         start and end offsets are mutually exclusive.
1078
1079         * tests/controlFlowProfiler/brace-location.js: Added.
1080         (foo):
1081         (bar):
1082         (baz):
1083         (testIf):
1084         (testForRegular):
1085         (testForIn):
1086         (testForOf):
1087         (testWhile):
1088         (testIfNoBraces):
1089         (testForRegularNoBraces):
1090         (testForInNoBraces):
1091         (testForOfNoBraces):
1092         (testWhileNoBraces):
1093         * tests/controlFlowProfiler/conditional-expression.js: Added.
1094         (foo):
1095         (bar):
1096         (baz):
1097         (testConditionalBasic):
1098         (testConditionalFunctionCall):
1099         * tests/controlFlowProfiler/driver/driver.js:
1100         (checkBasicBlock):
1101
1102 2015-02-23  Matthew Mirman  <mmirman@apple.com>
1103
1104         r9 is volatile on ARMv7 for iOS 3 and up. 
1105         https://bugs.webkit.org/show_bug.cgi?id=141489
1106         rdar://problem/19432916
1107
1108         Reviewed by Michael Saboff.
1109
1110         * jit/RegisterSet.cpp: 
1111         (JSC::RegisterSet::calleeSaveRegisters): removed r9 from the list of ARMv7 callee save registers.
1112         * tests/stress/regress-141489.js: Added.
1113         (foo):
1114
1115 2015-02-23  Csaba Osztrogonác  <ossy@webkit.org>
1116
1117         [ARM] Add the necessary setupArgumentsWithExecState after bug141915
1118         https://bugs.webkit.org/show_bug.cgi?id=141921
1119
1120         Reviewed by Michael Saboff.
1121
1122         * jit/CCallHelpers.h:
1123         (JSC::CCallHelpers::setupArgumentsWithExecState):
1124
1125 2015-02-23  Filip Pizlo  <fpizlo@apple.com>
1126
1127         Scopes should always be created with a previously-created symbol table rather than creating one on the fly
1128         https://bugs.webkit.org/show_bug.cgi?id=141915
1129
1130         Reviewed by Mark Lam.
1131         
1132         The main effect of this change is that pushing name scopes no longer requires creating symbol
1133         tables on the fly.
1134         
1135         This also makes it so that JSEnvironmentRecords must always have an a priori symbol table.
1136         
1137         JSSegmentedVariableObject still does a hack where it creates a blank symbol table on-demand.
1138         This is needed because that's what JSGlobalObject and all of its many subclasses want. That's
1139         harmless; I mainly needed a priori symbol tables for JSEnvironmentRecords anyway.
1140
1141         * bytecode/BytecodeList.json:
1142         * bytecompiler/BytecodeGenerator.cpp:
1143         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
1144         (JSC::BytecodeGenerator::emitPushCatchScope):
1145         * jit/CCallHelpers.h:
1146         (JSC::CCallHelpers::setupArgumentsWithExecState):
1147         * jit/JIT.h:
1148         * jit/JITInlines.h:
1149         (JSC::JIT::callOperation):
1150         * jit/JITOpcodes.cpp:
1151         (JSC::JIT::emit_op_push_name_scope):
1152         * jit/JITOpcodes32_64.cpp:
1153         (JSC::JIT::emit_op_push_name_scope):
1154         * jit/JITOperations.cpp:
1155         (JSC::pushNameScope):
1156         * jit/JITOperations.h:
1157         * llint/LLIntSlowPaths.cpp:
1158         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1159         * llint/LowLevelInterpreter.asm:
1160         * runtime/Executable.cpp:
1161         (JSC::ScriptExecutable::newCodeBlockFor):
1162         * runtime/JSCatchScope.h:
1163         (JSC::JSCatchScope::JSCatchScope):
1164         (JSC::JSCatchScope::create):
1165         * runtime/JSEnvironmentRecord.h:
1166         (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
1167         * runtime/JSFunctionNameScope.h:
1168         (JSC::JSFunctionNameScope::JSFunctionNameScope):
1169         (JSC::JSFunctionNameScope::create):
1170         * runtime/JSNameScope.cpp:
1171         (JSC::JSNameScope::create):
1172         * runtime/JSNameScope.h:
1173         (JSC::JSNameScope::create):
1174         (JSC::JSNameScope::finishCreation):
1175         (JSC::JSNameScope::JSNameScope):
1176         * runtime/JSSegmentedVariableObject.h:
1177         (JSC::JSSegmentedVariableObject::finishCreation):
1178         * runtime/JSSymbolTableObject.h:
1179         (JSC::JSSymbolTableObject::JSSymbolTableObject):
1180         (JSC::JSSymbolTableObject::finishCreation): Deleted.
1181         * runtime/SymbolTable.h:
1182         (JSC::SymbolTable::createNameScopeTable):
1183
1184 2015-02-23  Filip Pizlo  <fpizlo@apple.com>
1185
1186         Add a comment to clarify that the test was taken from the bug report, in response to
1187         feedback from Michael Saboff and Benjamin Poulain.
1188         
1189         * tests/stress/regress-141883.js:
1190
1191 2015-02-22  Filip Pizlo  <fpizlo@apple.com>
1192
1193         Function name scope is only created on the function instance that triggered parsing rather than on every function instance that needs it
1194         https://bugs.webkit.org/show_bug.cgi?id=141881
1195
1196         Reviewed by Michael Saboff.
1197         
1198         Previously we only created the function name scope in a way that made it visible to the
1199         function that triggered parsing/linking of the executable/codeBlock, and to the linker for
1200         that code block. This was sort of the bare minimum for the feature to appear to work right to
1201         synthetic tests.
1202
1203         There are two valid "times" to create the function name scope. Either it's created for each
1204         JSFunction instance that needs a name scope, or it's created for each execution of such a
1205         JSFunction. This change chooses the latter, because it happens to be the easiest to implement
1206         with what we have right now. I opened a bug for optimizing this if we ever need to:
1207         https://bugs.webkit.org/show_bug.cgi?id=141887.
1208         
1209         * bytecompiler/BytecodeGenerator.cpp:
1210         (JSC::BytecodeGenerator::BytecodeGenerator):
1211         * interpreter/Interpreter.cpp:
1212         (JSC::Interpreter::execute):
1213         (JSC::Interpreter::executeCall):
1214         (JSC::Interpreter::executeConstruct):
1215         (JSC::Interpreter::prepareForRepeatCall):
1216         * jit/JITOperations.cpp:
1217         * llint/LLIntSlowPaths.cpp:
1218         (JSC::LLInt::setUpCall):
1219         * runtime/ArrayPrototype.cpp:
1220         (JSC::isNumericCompareFunction):
1221         * runtime/Executable.cpp:
1222         (JSC::ScriptExecutable::newCodeBlockFor):
1223         (JSC::ScriptExecutable::prepareForExecutionImpl):
1224         (JSC::FunctionExecutable::FunctionExecutable):
1225         * runtime/Executable.h:
1226         (JSC::ScriptExecutable::prepareForExecution):
1227         * runtime/JSFunction.cpp:
1228         (JSC::JSFunction::addNameScopeIfNeeded): Deleted.
1229         * runtime/JSFunction.h:
1230         * tests/stress/function-name-scope.js: Added.
1231         (check.verify):
1232         (check):
1233
1234 2015-02-22  Filip Pizlo  <fpizlo@apple.com>
1235
1236         Crash in DFGFrozenValue
1237         https://bugs.webkit.org/show_bug.cgi?id=141883
1238
1239         Reviewed by Benjamin Poulain.
1240         
1241         If a value might be a cell, then we have to have Graph freeze it rather than trying to
1242         create the FrozenValue directly. Creating it directly is just an optimization for when you
1243         know for sure that it cannot be a cell.
1244
1245         * dfg/DFGAbstractInterpreterInlines.h:
1246         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1247         * tests/stress/regress-141883.js: Added. Hacked the original test to be faster while still crashing before this fix.
1248
1249 2015-02-21  Joseph Pecoraro  <pecoraro@apple.com>
1250
1251         Web Inspector: Generate Previews more often for RemoteObject interaction
1252         https://bugs.webkit.org/show_bug.cgi?id=141875
1253
1254         Reviewed by Timothy Hatcher.
1255
1256         * inspector/protocol/Runtime.json:
1257         Add generatePreview to getProperties.
1258
1259         * inspector/InjectedScript.cpp:
1260         (Inspector::InjectedScript::getProperties):
1261         (Inspector::InjectedScript::getInternalProperties):
1262         * inspector/InjectedScript.h:
1263         * inspector/agents/InspectorRuntimeAgent.cpp:
1264         (Inspector::InspectorRuntimeAgent::getProperties):
1265         * inspector/agents/InspectorRuntimeAgent.h:
1266         Plumb the generatePreview boolean through to the injected script.
1267
1268         * inspector/InjectedScriptSource.js:
1269         Add generatePreview for getProperties.
1270         Fix callFunctionOn to generatePreviews if asked.
1271
1272 2015-02-20  Mark Lam  <mark.lam@apple.com>
1273
1274         Refactor JSWrapperMap.mm to defer creation of the ObjC JSValue until the latest possible moment.
1275         <https://webkit.org/b/141856>
1276
1277         Reviewed by Geoffrey Garen.
1278
1279         1. Make JSObjCClassInfo's -constructor and -wrapperForObject return a
1280            JSC::JSObject* just like -prototype.
1281         2. Defer the creation of the ObjC JSValue from JSC::JSObject* until
1282            the latest moment when it is needed.  This allows us to not have to
1283            keep converting back to a JSC::JSObject* in intermediate code.
1284
1285         * API/JSWrapperMap.mm:
1286         (makeWrapper):
1287         (objectWithCustomBrand):
1288         (constructorWithCustomBrand):
1289         (allocateConstructorForCustomClass):
1290         (-[JSObjCClassInfo allocateConstructorAndPrototype]):
1291         (-[JSObjCClassInfo wrapperForObject:]):
1292         (-[JSObjCClassInfo constructor]):
1293         (-[JSWrapperMap jsWrapperForObject:]):
1294
1295 2015-02-20  Filip Pizlo  <fpizlo@apple.com>
1296
1297         Build fix for gcc.
1298
1299         * runtime/JSNameScope.cpp:
1300         (JSC::JSNameScope::create):
1301
1302 2015-02-20  Filip Pizlo  <fpizlo@apple.com>
1303
1304         Get rid of JSNameScope::m_type
1305         https://bugs.webkit.org/show_bug.cgi?id=141851
1306
1307         Reviewed by Geoffrey Garen.
1308         
1309         This is a big step towards getting rid of JSEnvironmentRecord::m_registers. To do it we need
1310         to ensure that subclasses of JSEnvironmentRecord never have additional C++ fields, so that
1311         JSEnvironmentRecord can always place "registers" right after the end of itself.
1312
1313         * CMakeLists.txt:
1314         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1315         * JavaScriptCore.xcodeproj/project.pbxproj:
1316         * debugger/DebuggerScope.cpp:
1317         (JSC::DebuggerScope::isCatchScope):
1318         (JSC::DebuggerScope::isFunctionNameScope):
1319         * interpreter/Interpreter.cpp:
1320         (JSC::Interpreter::execute):
1321         * jit/JITOperations.cpp:
1322         * llint/LLIntSlowPaths.cpp:
1323         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1324         * runtime/JSCatchScope.cpp: Added.
1325         * runtime/JSCatchScope.h: Added.
1326         (JSC::JSCatchScope::JSCatchScope):
1327         (JSC::JSCatchScope::create):
1328         (JSC::JSCatchScope::createStructure):
1329         * runtime/JSFunction.cpp:
1330         (JSC::JSFunction::addNameScopeIfNeeded):
1331         * runtime/JSFunctionNameScope.cpp: Added.
1332         * runtime/JSFunctionNameScope.h: Added.
1333         (JSC::JSFunctionNameScope::JSFunctionNameScope):
1334         (JSC::JSFunctionNameScope::create):
1335         (JSC::JSFunctionNameScope::createStructure):
1336         * runtime/JSGlobalObject.cpp:
1337         (JSC::JSGlobalObject::init):
1338         (JSC::JSGlobalObject::visitChildren):
1339         * runtime/JSGlobalObject.h:
1340         (JSC::JSGlobalObject::catchScopeStructure):
1341         (JSC::JSGlobalObject::functionNameScopeStructure):
1342         (JSC::JSGlobalObject::nameScopeStructure): Deleted.
1343         * runtime/JSNameScope.cpp:
1344         (JSC::JSNameScope::create):
1345         * runtime/JSNameScope.h:
1346         (JSC::JSNameScope::create):
1347         (JSC::JSNameScope::JSNameScope):
1348         (JSC::JSNameScope::createStructure): Deleted.
1349         (JSC::JSNameScope::isFunctionNameScope): Deleted.
1350         (JSC::JSNameScope::isCatchScope): Deleted.
1351         * runtime/JSObject.cpp:
1352         (JSC::JSObject::isCatchScopeObject):
1353         (JSC::JSObject::isFunctionNameScopeObject):
1354         * runtime/JSObject.h:
1355
1356 2015-02-20  Mark Lam  <mark.lam@apple.com>
1357
1358         [JSObjCClassInfo reallocateConstructorAndOrPrototype] should also reallocate super class prototype chain.
1359         <https://webkit.org/b/141809>
1360
1361         Reviewed by Geoffrey Garen.
1362
1363         An ObjC class that implements the JSExport protocol will have a JS prototype
1364         chain and constructor automatically synthesized for its JS wrapper object.
1365         However, if there are no more instances of that ObjC class reachable by a
1366         JS GC root scan, then its synthesized prototype chain and constructors may
1367         be released by the GC.  If a new instance of that ObjC class is subsequently
1368         instantiated, then [JSObjCClassInfo reallocateConstructorAndOrPrototype]
1369         should re-construct the prototype chain and constructor (if they were
1370         previously released).  However, the current implementation only
1371         re-constructs the immediate prototype, but not every other prototype
1372         object upstream in the prototype chain.
1373
1374         To fix this, we do the following:
1375         1. We no longer allocate the JSObjCClassInfo's prototype and constructor
1376            eagerly.  Hence, -initWithContext:forClass: will no longer call
1377            -allocateConstructorAndPrototypeWithSuperClassInfo:.
1378         2. Instead, we'll always access the prototype and constructor through
1379            accessor methods.  The accessor methods will call
1380            -allocateConstructorAndPrototype: if needed.
1381         3. -allocateConstructorAndPrototype: will fetch the needed superClassInfo
1382            from the JSWrapperMap itself.  This makes it so that we no longer
1383            need to pass the superClassInfo all over.
1384         4. -allocateConstructorAndPrototype: will get the super class prototype
1385            by invoking -prototype: on the superClassInfo, thereby allowing the
1386            super class to allocate its prototype and constructor if needed and
1387            fixing the issue in this bug.
1388
1389         5. Also removed the GC warning comments, and ensured that needed JS
1390            objects are kept alive by having a local var pointing to them from the
1391            stack (which makes a GC root).
1392
1393         * API/JSWrapperMap.mm:
1394         (-[JSObjCClassInfo initWithContext:forClass:]):
1395         (-[JSObjCClassInfo allocateConstructorAndPrototype]):
1396         (-[JSObjCClassInfo wrapperForObject:]):
1397         (-[JSObjCClassInfo constructor]):
1398         (-[JSObjCClassInfo prototype]):
1399         (-[JSWrapperMap classInfoForClass:]):
1400         (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]): Deleted.
1401         (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): Deleted.
1402         (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]): Deleted.
1403         * API/tests/Regress141809.h: Added.
1404         * API/tests/Regress141809.mm: Added.
1405         (-[TestClassB name]):
1406         (-[TestClassC name]):
1407         (runRegress141809):
1408         * API/tests/testapi.mm:
1409         * JavaScriptCore.xcodeproj/project.pbxproj:
1410
1411 2015-02-20  Alexey Proskuryakov  <ap@apple.com>
1412
1413         Remove svn:keywords property.
1414
1415         As far as I can tell, the property had no effect on any of these files, but also,
1416         when it has effect it's likely harmful.
1417
1418         * builtins/ArrayConstructor.js: Removed property svn:keywords.
1419
1420 2015-02-20  Michael Saboff  <msaboff@apple.com>
1421
1422         DFG JIT needs to check for stack overflow at the start of Program and Eval execution
1423         https://bugs.webkit.org/show_bug.cgi?id=141676
1424
1425         Reviewed by Filip Pizlo.
1426
1427         Added stack check to the beginning of the code the DFG compiler emits for Program and Eval nodes.
1428         To aid in testing the code, I replaced the EvalCodeCache::maxCacheableSourceLength const with
1429         an option in runtime/Options.h.  The test script, run-jsc-stress-tests, sets that option
1430         to a huge value when running with the "Eager" options.  This allows the updated test to
1431         reliably exercise the code in question.
1432
1433         * dfg/DFGJITCompiler.cpp:
1434         (JSC::DFG::JITCompiler::compile):
1435         Added stack check.
1436
1437         * bytecode/EvalCodeCache.h:
1438         (JSC::EvalCodeCache::tryGet):
1439         (JSC::EvalCodeCache::getSlow):
1440         * runtime/Options.h:
1441         Replaced EvalCodeCache::maxCacheableSourceLength with Options::maximumEvalCacheableSourceLength
1442         so that it can be configured when running the related test.
1443
1444 2015-02-20  Eric Carlson  <eric.carlson@apple.com>
1445
1446         [iOS] cleanup AirPlay code
1447         https://bugs.webkit.org/show_bug.cgi?id=141811
1448
1449         Reviewed by Jer Noble.
1450
1451         * Configurations/FeatureDefines.xcconfig: IOS_AIRPLAY -> WIRELESS_PLAYBACK_TARGET.
1452
1453 2015-02-19  Dean Jackson  <dino@apple.com>
1454
1455         ES6: Implement Array.from()
1456         https://bugs.webkit.org/show_bug.cgi?id=141054
1457         <rdar://problem/19654521>
1458
1459         Reviewed by Filip Pizlo.
1460
1461         Implement the Array.from() ES6 method
1462         as defined in Section 22.1.2.1 of the specification.
1463
1464         Given that we can't rely on the built-in
1465         global functions or objects to be untainted,
1466         I had to expose a few of them directly to
1467         the function via private names. In particular:
1468         - Math.floor -> @floor
1469         - Math.abs -> @abs
1470         - Number -> @Number
1471         - Array -> @Array
1472         - isFinite -> @isFinite
1473
1474         * builtins/ArrayConstructor.js: Added.
1475         (from): Implementation of Array.from in JavaScript.
1476         * runtime/ArrayConstructor.cpp: Add "from" to the lookup
1477         table for the constructor object.
1478         * runtime/CommonIdentifiers.h: Add the private versions
1479         of the identifiers listed above.
1480         * runtime/JSGlobalObject.cpp: Add the implementations of
1481         those identifiers to the global object (using their
1482         private names).
1483         (JSC::JSGlobalObject::init):
1484         * runtime/JSGlobalObjectFunctions.cpp:
1485         (JSC::globalPrivateFuncAbs): Implementation of the abs function.
1486         (JSC::globalPrivateFuncFloor): Implementation of the floor function.
1487         * runtime/JSGlobalObjectFunctions.h:
1488
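        The entry above explains why Array.from reaches the builtins through private names (@floor, @abs, @Number, ...) instead of the user-visible globals: a page script can replace Math.floor at any time, and a builtin that looks it up at call time would then compute with attacker-chosen results. The following is an added illustration in plain JavaScript, not WebKit's implementation or its test code; it contrasts a naive Array.from polyfill that reads Math.floor at call time with one that captures the original function when it is defined, which is the effect JSC achieves with the private names. The tamper-and-restore in demo() is a constructed simulation of an untrusted script.

```javascript
// Added illustration (not WebKit code): builtins must not depend on
// user-visible globals at call time. Only Math.floor is shown; the same
// reasoning applies to every global the entry lists.

// Constructed stand-in for the spec's ToLength step: clamps a length value
// to [0, 2^53 - 1] using whichever floor function it is handed.
function toLength(value, floor) {
  const n = +value;
  if (n !== n || n <= 0) return 0; // NaN or non-positive -> 0
  const f = floor(n);
  return f > 9007199254740991 ? 9007199254740991 : f;
}

// Naive polyfill: looks Math.floor up when it runs, so a later
// reassignment of Math.floor changes how many elements it copies.
function naiveArrayFrom(arrayLike) {
  const len = toLength(arrayLike.length, (x) => Math.floor(x));
  const result = [];
  for (let k = 0; k < len; k++) result.push(arrayLike[k]);
  return result;
}

// Hardened variant: the original floor is captured once, at definition
// time, before any page script can touch Math.floor (the role @floor plays
// inside JSC's builtins).
const capturedFloor = Math.floor;

function hardenedArrayFrom(arrayLike) {
  const len = toLength(arrayLike.length, capturedFloor);
  const result = [];
  for (let k = 0; k < len; k++) result.push(arrayLike[k]);
  return result;
}

// Runs both variants while Math.floor is temporarily replaced, then
// restores it. Returns both results so the difference can be checked.
function demo() {
  const saved = Math.floor;
  // Constructed array-like: a fractional length plus a third element that
  // a correct ToLength must never reach.
  const input = { length: 2.7, 0: 'a', 1: 'b', 2: 'c' };
  Math.floor = () => 3; // simulates global tampering by untrusted script
  try {
    return {
      naive: naiveArrayFrom(input),      // sees 3 elements: ['a','b','c']
      hardened: hardenedArrayFrom(input) // still correct: ['a','b']
    };
  } finally {
    Math.floor = saved;
  }
}
```

        Run demo() to see the naive version copy a third element that the specification's ToLength would have excluded, while the hardened version is unaffected by the replaced global.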
1489 2015-02-19  Benjamin Poulain  <bpoulain@apple.com>
1490
1491         Refine the FTL part of ArithPow
1492         https://bugs.webkit.org/show_bug.cgi?id=141792
1493
1494         Reviewed by Filip Pizlo.
1495
1496         This patch refines the FTL lowering of ArithPow. This was left out
1497         of the original patch to keep it simpler.
1498
1499         * ftl/FTLLowerDFGToLLVM.cpp:
1500         (JSC::FTL::LowerDFGToLLVM::compileArithPow):
1501         Two improvements here:
1502         1) Do not generate the NaN check unless we know the exponent might be a NaN.
1503         2) Use one BasicBlock per check with the appropriate weight. Now that we have
1504            one branch per test, move the Infinity check before the check for 1 since
1505            it is the less common case.
1506
1507         * tests/stress/math-pow-becomes-custom-function.js: Added.
1508         Test for changing the Math.pow() function after it has been optimized.
1509
1510         * tests/stress/math-pow-nan-behaviors.js:
1511         The previous tests were only going as far as the DFGAbstractInterpreter
1512         where the operations were replaced by the equivalent constant.
1513
1514         I duplicated the test functions to also test the dynamic behavior of DFG
1515         and FTL.
1516
1517         * tests/stress/math-pow-with-constants.js:
1518         Add cases covering exponent constants. LLVM removes many value
1519         checks for those.
1520
1521         * tests/stress/math-pow-with-never-NaN-exponent.js: Added.
1522         Test for the new optimization removing the NaN check.
1523
1524 2015-02-19  Csaba Osztrogonác  <ossy@webkit.org>
1525
1526         REGRESSION(r180279): It broke 20 tests on ARM Linux
1527         https://bugs.webkit.org/show_bug.cgi?id=141771
1528
1529         Reviewed by Filip Pizlo.
1530
1531         * dfg/DFGSpeculativeJIT.h:
1532         (JSC::DFG::SpeculativeJIT::callOperation): Align 64-bit values to respect ARM EABI.
1533
1534 2015-02-18  Benjamin Poulain  <bpoulain@apple.com>
1535
1536         Remove BytecodeGenerator's numberMap, it is dead code
1537         https://bugs.webkit.org/show_bug.cgi?id=141779
1538
1539         Reviewed by Filip Pizlo.
1540
1541         * bytecompiler/BytecodeGenerator.cpp:
1542         (JSC::BytecodeGenerator::emitLoad): Deleted.
1543         * bytecompiler/BytecodeGenerator.h:
1544         The JSValueMap seems better in every way.
1545
1546         The emitLoad() taking a double was the only way to use numberMap
1547         and that code has no caller.
1548
1549 2015-02-18  Michael Saboff  <msaboff@apple.com>
1550
1551         Rollout r180247 & r180249 from trunk
1552         https://bugs.webkit.org/show_bug.cgi?id=141773
1553
1554         Reviewed by Filip Pizlo.
1555
1556         These changes make sense to fix the crash reported in https://bugs.webkit.org/show_bug.cgi?id=141730
1557         only for branches.  The change to fail the FTL compile but continue running is not comprehensive
1558         enough for general use on trunk.
1559
1560         * dfg/DFGPlan.cpp:
1561         (JSC::DFG::Plan::compileInThreadImpl):
1562         * ftl/FTLLowerDFGToLLVM.cpp:
1563         (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
1564         (JSC::FTL::LowerDFGToLLVM::lower):
1565         (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
1566         (JSC::FTL::LowerDFGToLLVM::compileNode):
1567         (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
1568         (JSC::FTL::LowerDFGToLLVM::compilePhi):
1569         (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
1570         (JSC::FTL::LowerDFGToLLVM::compileValueRep):
1571         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
1572         (JSC::FTL::LowerDFGToLLVM::compilePutLocal):
1573         (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
1574         (JSC::FTL::LowerDFGToLLVM::compileArithMul):
1575         (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
1576         (JSC::FTL::LowerDFGToLLVM::compileArithMod):
1577         (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
1578         (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
1579         (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
1580         (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
1581         (JSC::FTL::LowerDFGToLLVM::compileGetById):
1582         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
1583         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
1584         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
1585         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
1586         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
1587         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
1588         (JSC::FTL::LowerDFGToLLVM::compileNewArray):
1589         (JSC::FTL::LowerDFGToLLVM::compileToString):
1590         (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
1591         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
1592         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
1593         (JSC::FTL::LowerDFGToLLVM::compileSwitch):
1594         (JSC::FTL::LowerDFGToLLVM::compare):
1595         (JSC::FTL::LowerDFGToLLVM::boolify):
1596         (JSC::FTL::LowerDFGToLLVM::opposite):
1597         (JSC::FTL::LowerDFGToLLVM::lowJSValue):
1598         (JSC::FTL::LowerDFGToLLVM::speculate):
1599         (JSC::FTL::LowerDFGToLLVM::isArrayType):
1600         (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
1601         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
1602         (JSC::FTL::LowerDFGToLLVM::setInt52):
1603         (JSC::FTL::lowerDFGToLLVM):
1604         (JSC::FTL::LowerDFGToLLVM::loweringFailed): Deleted.
1605         * ftl/FTLLowerDFGToLLVM.h:
1606
1607 2015-02-18  Filip Pizlo  <fpizlo@apple.com>
1608
1609         DFG should really support varargs
1610         https://bugs.webkit.org/show_bug.cgi?id=141332
1611
1612         Reviewed by Oliver Hunt.
1613         
1614         This adds comprehensive vararg call support to the DFG and FTL compilers. Previously, if a
1615         function had a varargs call, then it could only be compiled if that varargs call was just
1616         forwarding arguments and we were inlining the function rather than compiling it directly. Also,
1617         only varargs calls were dealt with; varargs constructs were not.
1618         
1619         This lifts all of those restrictions. Every varargs call or construct can now be compiled by both
1620         the DFG and the FTL. Those calls can also be inlined, too - provided that profiling gives us a
1621         sensible bound on arguments list length. When we inline a varargs call, the act of loading the
1622         varargs is now made explicit in IR. I believe that we have enough IR machinery in place that we
1623         would be able to do the arguments forwarding optimization as an IR transformation. This patch
1624         doesn't implement that yet, and keeps the old bytecode-based varargs argument forwarding
1625         optimization for now.
1626         
1627         There are three major IR features introduced in this patch:
1628         
1629         CallVarargs/ConstructVarargs: these are like Call/Construct except that they take an arguments
1630         array rather than a list of arguments. Currently, they splat this arguments array onto the stack
1631         using the same basic technique as the baseline JIT has always done. Except, these nodes indicate
1632         that we are not interested in doing the non-escaping "arguments" optimization.
1633         
1634         CallForwardVarargs: this is a form of CallVarargs that just does the non-escaping "arguments"
1635         optimization, aka forwarding arguments. It's somewhat lazy that this doesn't include
1636         ConstructForwardVarargs, but the reason is that once we eliminate the lazy tear-off for
1637         arguments, this whole thing will have to be tweaked - and for now forwarding on construct is just
1638         not important in benchmarks. ConstructVarargs will still do forwarding, just not inlined.
1639         
1640         LoadVarargs: loads all elements out of an array onto the stack in a manner suitable for a varargs
1641         call. This is used only when a varargs call (or construct) was inlined. The bytecode parser will
1642         make room on the stack for the arguments, and will use LoadVarargs to put those arguments into
1643         place.
1644         
1645         In the future, we can consider adding strength reductions like:
1646         
1647         - If CallVarargs/ConstructVarargs see an array of known size with known elements, turn them into
1648           Call/Construct.
1649         
1650         - If CallVarargs/ConstructVarargs are passed an unmodified, unescaped Arguments object, then
1651           turn them into CallForwardVarargs/ConstructForwardVarargs.
1652         
1653         - If LoadVarargs sees an array of known size, then turn it into a sequence of GetByVals and
1654           PutLocals.
1655         
1656         - If LoadVarargs sees an unmodified, unescaped Arguments object, then turn it into something like
1657           LoadForwardVarargs.
1658         
1659         - If CallVarargs/ConstructVarargs/LoadVarargs see the result of a splice (or other Array
1660           prototype function), then do the splice and varargs loading in one go (maybe via a new node
1661           type).
1662
1663         * CMakeLists.txt:
1664         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1665         * JavaScriptCore.xcodeproj/project.pbxproj:
1666         * assembler/MacroAssembler.h:
1667         (JSC::MacroAssembler::rshiftPtr):
1668         (JSC::MacroAssembler::urshiftPtr):
1669         * assembler/MacroAssemblerARM64.h:
1670         (JSC::MacroAssemblerARM64::urshift64):
1671         * assembler/MacroAssemblerX86_64.h:
1672         (JSC::MacroAssemblerX86_64::urshift64):
1673         * assembler/X86Assembler.h:
1674         (JSC::X86Assembler::shrq_i8r):
1675         * bytecode/CallLinkInfo.h:
1676         (JSC::CallLinkInfo::CallLinkInfo):
1677         * bytecode/CallLinkStatus.cpp:
1678         (JSC::CallLinkStatus::computeFor):
1679         (JSC::CallLinkStatus::setProvenConstantCallee):
1680         (JSC::CallLinkStatus::dump):
1681         * bytecode/CallLinkStatus.h:
1682         (JSC::CallLinkStatus::maxNumArguments):
1683         (JSC::CallLinkStatus::setIsProved): Deleted.
1684         * bytecode/CodeOrigin.cpp:
1685         (WTF::printInternal):
1686         * bytecode/CodeOrigin.h:
1687         (JSC::InlineCallFrame::varargsKindFor):
1688         (JSC::InlineCallFrame::specializationKindFor):
1689         (JSC::InlineCallFrame::isVarargs):
1690         (JSC::InlineCallFrame::isNormalCall): Deleted.
1691         * bytecode/ExitKind.cpp:
1692         (JSC::exitKindToString):
1693         * bytecode/ExitKind.h:
1694         * bytecode/ValueRecovery.cpp:
1695         (JSC::ValueRecovery::dumpInContext):
1696         * dfg/DFGAbstractInterpreterInlines.h:
1697         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1698         * dfg/DFGArgumentsSimplificationPhase.cpp:
1699         (JSC::DFG::ArgumentsSimplificationPhase::run):
1700         * dfg/DFGByteCodeParser.cpp:
1701         (JSC::DFG::ByteCodeParser::flush):
1702         (JSC::DFG::ByteCodeParser::addCall):
1703         (JSC::DFG::ByteCodeParser::handleCall):
1704         (JSC::DFG::ByteCodeParser::handleVarargsCall):
1705         (JSC::DFG::ByteCodeParser::emitFunctionChecks):
1706         (JSC::DFG::ByteCodeParser::inliningCost):
1707         (JSC::DFG::ByteCodeParser::inlineCall):
1708         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
1709         (JSC::DFG::ByteCodeParser::handleInlining):
1710         (JSC::DFG::ByteCodeParser::handleMinMax):
1711         (JSC::DFG::ByteCodeParser::handleIntrinsic):
1712         (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
1713         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1714         (JSC::DFG::ByteCodeParser::parseBlock):
1715         (JSC::DFG::ByteCodeParser::removeLastNodeFromGraph): Deleted.
1716         (JSC::DFG::ByteCodeParser::undoFunctionChecks): Deleted.
1717         * dfg/DFGCapabilities.cpp:
1718         (JSC::DFG::capabilityLevel):
1719         * dfg/DFGCapabilities.h:
1720         (JSC::DFG::functionCapabilityLevel):
1721         (JSC::DFG::mightCompileFunctionFor):
1722         * dfg/DFGClobberize.h:
1723         (JSC::DFG::clobberize):
1724         * dfg/DFGCommon.cpp:
1725         (WTF::printInternal):
1726         * dfg/DFGCommon.h:
1727         (JSC::DFG::canInline):
1728         (JSC::DFG::leastUpperBound):
1729         * dfg/DFGDoesGC.cpp:
1730         (JSC::DFG::doesGC):
1731         * dfg/DFGFixupPhase.cpp:
1732         (JSC::DFG::FixupPhase::fixupNode):
1733         * dfg/DFGGraph.cpp:
1734         (JSC::DFG::Graph::dump):
1735         (JSC::DFG::Graph::dumpBlockHeader):
1736         (JSC::DFG::Graph::isLiveInBytecode):
1737         (JSC::DFG::Graph::valueProfileFor):
1738         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
1739         * dfg/DFGGraph.h:
1740         (JSC::DFG::Graph::valueProfileFor): Deleted.
1741         (JSC::DFG::Graph::methodOfGettingAValueProfileFor): Deleted.
1742         * dfg/DFGJITCompiler.cpp:
1743         (JSC::DFG::JITCompiler::compileExceptionHandlers):
1744         (JSC::DFG::JITCompiler::link):
1745         * dfg/DFGMayExit.cpp:
1746         (JSC::DFG::mayExit):
1747         * dfg/DFGNode.h:
1748         (JSC::DFG::Node::hasCallVarargsData):
1749         (JSC::DFG::Node::callVarargsData):
1750         (JSC::DFG::Node::hasLoadVarargsData):
1751         (JSC::DFG::Node::loadVarargsData):
1752         (JSC::DFG::Node::hasHeapPrediction):
1753         * dfg/DFGNodeType.h:
1754         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
1755         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
1756         * dfg/DFGOSRExitCompilerCommon.cpp:
1757         (JSC::DFG::reifyInlinedCallFrames):
1758         * dfg/DFGOperations.cpp:
1759         * dfg/DFGOperations.h:
1760         * dfg/DFGPlan.cpp:
1761         (JSC::DFG::dumpAndVerifyGraph):
1762         (JSC::DFG::Plan::compileInThreadImpl):
1763         * dfg/DFGPreciseLocalClobberize.h:
1764         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1765         (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop):
1766         * dfg/DFGPredictionPropagationPhase.cpp:
1767         (JSC::DFG::PredictionPropagationPhase::propagate):
1768         * dfg/DFGSSAConversionPhase.cpp:
1769         * dfg/DFGSafeToExecute.h:
1770         (JSC::DFG::safeToExecute):
1771         * dfg/DFGSpeculativeJIT.h:
1772         (JSC::DFG::SpeculativeJIT::isFlushed):
1773         (JSC::DFG::SpeculativeJIT::callOperation):
1774         * dfg/DFGSpeculativeJIT32_64.cpp:
1775         (JSC::DFG::SpeculativeJIT::emitCall):
1776         (JSC::DFG::SpeculativeJIT::compile):
1777         * dfg/DFGSpeculativeJIT64.cpp:
1778         (JSC::DFG::SpeculativeJIT::emitCall):
1779         (JSC::DFG::SpeculativeJIT::compile):
1780         * dfg/DFGStackLayoutPhase.cpp:
1781         (JSC::DFG::StackLayoutPhase::run):
1782         (JSC::DFG::StackLayoutPhase::assign):
1783         * dfg/DFGStrengthReductionPhase.cpp:
1784         (JSC::DFG::StrengthReductionPhase::handleNode):
1785         * dfg/DFGTypeCheckHoistingPhase.cpp:
1786         (JSC::DFG::TypeCheckHoistingPhase::run):
1787         * dfg/DFGValidate.cpp:
1788         (JSC::DFG::Validate::validateCPS):
1789         * ftl/FTLAbbreviations.h:
1790         (JSC::FTL::functionType):
1791         (JSC::FTL::buildCall):
1792         * ftl/FTLCapabilities.cpp:
1793         (JSC::FTL::canCompile):
1794         * ftl/FTLCompile.cpp:
1795         (JSC::FTL::mmAllocateDataSection):
1796         * ftl/FTLInlineCacheSize.cpp:
1797         (JSC::FTL::sizeOfCall):
1798         (JSC::FTL::sizeOfCallVarargs):
1799         (JSC::FTL::sizeOfCallForwardVarargs):
1800         (JSC::FTL::sizeOfConstructVarargs):
1801         (JSC::FTL::sizeOfIn):
1802         (JSC::FTL::sizeOfICFor):
1803         (JSC::FTL::sizeOfCheckIn): Deleted.
1804         * ftl/FTLInlineCacheSize.h:
1805         * ftl/FTLIntrinsicRepository.h:
1806         * ftl/FTLJSCall.cpp:
1807         (JSC::FTL::JSCall::JSCall):
1808         * ftl/FTLJSCallBase.cpp:
1809         * ftl/FTLJSCallBase.h:
1810         * ftl/FTLJSCallVarargs.cpp: Added.
1811         (JSC::FTL::JSCallVarargs::JSCallVarargs):
1812         (JSC::FTL::JSCallVarargs::numSpillSlotsNeeded):
1813         (JSC::FTL::JSCallVarargs::emit):
1814         (JSC::FTL::JSCallVarargs::link):
1815         * ftl/FTLJSCallVarargs.h: Added.
1816         (JSC::FTL::JSCallVarargs::node):
1817         (JSC::FTL::JSCallVarargs::stackmapID):
1818         (JSC::FTL::JSCallVarargs::operator<):
1819         * ftl/FTLLowerDFGToLLVM.cpp:
1820         (JSC::FTL::LowerDFGToLLVM::lower):
1821         (JSC::FTL::LowerDFGToLLVM::compileNode):
1822         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
1823         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
1824         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
1825         (JSC::FTL::LowerDFGToLLVM::compileLoadVarargs):
1826         (JSC::FTL::LowerDFGToLLVM::compileIn):
1827         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
1828         (JSC::FTL::LowerDFGToLLVM::vmCall):
1829         (JSC::FTL::LowerDFGToLLVM::vmCallNoExceptions):
1830         (JSC::FTL::LowerDFGToLLVM::callCheck):
1831         * ftl/FTLOutput.h:
1832         (JSC::FTL::Output::call):
1833         * ftl/FTLState.cpp:
1834         (JSC::FTL::State::State):
1835         * ftl/FTLState.h:
1836         * interpreter/Interpreter.cpp:
1837         (JSC::sizeOfVarargs):
1838         (JSC::sizeFrameForVarargs):
1839         * interpreter/Interpreter.h:
1840         * interpreter/StackVisitor.cpp:
1841         (JSC::StackVisitor::readInlinedFrame):
1842         * jit/AssemblyHelpers.cpp:
1843         (JSC::AssemblyHelpers::emitExceptionCheck):
1844         * jit/AssemblyHelpers.h:
1845         (JSC::AssemblyHelpers::addressFor):
1846         (JSC::AssemblyHelpers::calleeFrameSlot):
1847         (JSC::AssemblyHelpers::calleeArgumentSlot):
1848         (JSC::AssemblyHelpers::calleeFrameTagSlot):
1849         (JSC::AssemblyHelpers::calleeFramePayloadSlot):
1850         (JSC::AssemblyHelpers::calleeArgumentTagSlot):
1851         (JSC::AssemblyHelpers::calleeArgumentPayloadSlot):
1852         (JSC::AssemblyHelpers::calleeFrameCallerFrame):
1853         (JSC::AssemblyHelpers::selectScratchGPR):
1854         * jit/CCallHelpers.h:
1855         (JSC::CCallHelpers::setupArgumentsWithExecState):
1856         * jit/GPRInfo.h:
1857         * jit/JIT.cpp:
1858         (JSC::JIT::privateCompile):
1859         * jit/JIT.h:
1860         * jit/JITCall.cpp:
1861         (JSC::JIT::compileSetupVarargsFrame):
1862         (JSC::JIT::compileOpCall):
1863         * jit/JITCall32_64.cpp:
1864         (JSC::JIT::compileSetupVarargsFrame):
1865         (JSC::JIT::compileOpCall):
1866         * jit/JITOperations.h:
1867         * jit/SetupVarargsFrame.cpp:
1868         (JSC::emitSetupVarargsFrameFastCase):
1869         * jit/SetupVarargsFrame.h:
1870         * runtime/Arguments.h:
1871         (JSC::Arguments::create):
1872         (JSC::Arguments::registerArraySizeInBytes):
1873         (JSC::Arguments::finishCreation):
1874         * runtime/Options.h:
1875         * tests/stress/construct-varargs-inline-smaller-Foo.js: Added.
1876         (Foo):
1877         (bar):
1878         (checkEqual):
1879         (test):
1880         * tests/stress/construct-varargs-inline.js: Added.
1881         (Foo):
1882         (bar):
1883         (checkEqual):
1884         (test):
1885         * tests/stress/construct-varargs-no-inline.js: Added.
1886         (Foo):
1887         (bar):
1888         (checkEqual):
1889         (test):
1890         * tests/stress/get-argument-by-val-in-inlined-varargs-call-out-of-bounds.js: Added.
1891         (foo):
1892         (bar):
1893         * tests/stress/get-argument-by-val-safe-in-inlined-varargs-call-out-of-bounds.js: Added.
1894         (foo):
1895         (bar):
1896         * tests/stress/get-my-argument-by-val-creates-arguments.js: Added.
1897         (blah):
1898         (foo):
1899         (bar):
1900         (checkEqual):
1901         (test):
1902         * tests/stress/load-varargs-then-inlined-call-exit-in-foo.js: Added.
1903         (foo):
1904         (bar):
1905         (checkEqual):
1906         * tests/stress/load-varargs-then-inlined-call-inlined.js: Added.
1907         (foo):
1908         (bar):
1909         (baz):
1910         (checkEqual):
1911         (test):
1912         * tests/stress/load-varargs-then-inlined-call.js: Added.
1913         (foo):
1914         (bar):
1915         (checkEqual):
1916         (test):
1917
1918 2015-02-17  Michael Saboff  <msaboff@apple.com>
1919
1920         Unreviewed, restoring the C LOOP insta-crash fix in r180184.
1921
1922         Fixed a typo that only affected the C Loop in the prologue() macro in LowLevelInterpreter.asm.
1923         After the stackHeightOKGetCodeBlock label, codeBlockSetter(t1) should be codeBlockGetter(t1).
1924
1925         * llint/LowLevelInterpreter.asm: Fixed a typo.
1926
1927 2015-02-18  Csaba Osztrogonác  <ossy@webkit.org>
1928
1929         URTBF after r180258 to fix Windows build.
1930
1931         * runtime/MathCommon.cpp:
1932         (JSC::mathPowInternal):
1933
1934 2015-02-18  Joseph Pecoraro  <pecoraro@apple.com>
1935
1936         REGRESSION(r180235): It broke the !ENABLE(PROMISES) build
1937         https://bugs.webkit.org/show_bug.cgi?id=141746
1938
1939         Unreviewed build fix.
1940
1941         * inspector/JSInjectedScriptHost.cpp:
1942         (Inspector::JSInjectedScriptHost::getInternalProperties):
1943         Wrap JSPromise related code in ENABLE(PROMISES) guard.
1944
1945 2015-02-18  Benjamin Poulain  <benjamin@webkit.org>
1946
1947         Fix the C-Loop LLInt build
1948         https://bugs.webkit.org/show_bug.cgi?id=141618
1949
1950         Reviewed by Filip Pizlo.
1951
1952         I broke C-Loop when moving the common code of pow()
1953         to JITOperations because that file is #ifdefed out
1954         when the JITs are disabled.
1955
1956         It would be weird to move it back to MathObject since
1957         the function needs to know about the calling conventions.
1958
1959         To avoid making a mess, I just gave the function its own file
1960         that is used by both the runtime and the JIT.
1961
1962         * CMakeLists.txt:
1963         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1964         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1965         * JavaScriptCore.xcodeproj/project.pbxproj:
1966         * dfg/DFGAbstractInterpreterInlines.h:
1967         * jit/JITOperations.cpp:
1968         * jit/JITOperations.h:
1969         * runtime/MathCommon.cpp: Added.
1970         (JSC::fdlibmScalbn):
1971         (JSC::fdlibmPow):
1972         (JSC::isDenormal):
1973         (JSC::isEdgeCase):
1974         (JSC::mathPowInternal):
1975         (JSC::operationMathPow):
1976         * runtime/MathCommon.h: Added.
1977         * runtime/MathObject.cpp:
1978
1979 2015-02-17  Benjamin Poulain  <bpoulain@apple.com>
1980
1981         Clean up OSRExit's considerAddingAsFrequentExitSite()
1982         https://bugs.webkit.org/show_bug.cgi?id=141690
1983
1984         Reviewed by Anders Carlsson.
1985
1986         Looks like some code was removed from CodeBlock::tallyFrequentExitSites()
1987         and the OSRExit were left untouched.
1988
1989         This patch cleans up the two loops and remove the boolean return
1990         on considerAddingAsFrequentExitSite().
1991
1992         * bytecode/CodeBlock.cpp:
1993         (JSC::CodeBlock::tallyFrequentExitSites):
1994         * dfg/DFGOSRExit.h:
1995         (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
1996         * dfg/DFGOSRExitBase.cpp:
1997         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
1998         * dfg/DFGOSRExitBase.h:
1999         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSite):
2000         * ftl/FTLOSRExit.h:
2001         (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
2002
2003 2015-02-17  Alexey Proskuryakov  <ap@apple.com>
2004
2005         Debug build fix after r180247.
2006
2007         * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::loweringFailed):
2008
2009 2015-02-17  Commit Queue  <commit-queue@webkit.org>
2010
2011         Unreviewed, rolling out r180184.
2012         https://bugs.webkit.org/show_bug.cgi?id=141733
2013
2014         Caused infinite recursion on js/function-apply-aliased.html
2015         (Requested by ap_ on #webkit).
2016
2017         Reverted changeset:
2018
2019         "REGRESSION(r180060): C Loop crashes"
2020         https://bugs.webkit.org/show_bug.cgi?id=141671
2021         http://trac.webkit.org/changeset/180184
2022
2023 2015-02-17  Michael Saboff  <msaboff@apple.com>
2024
2025         CrashTracer: DFG_CRASH beneath JSC::FTL::LowerDFGToLLVM::compileNode
2026         https://bugs.webkit.org/show_bug.cgi?id=141730
2027
2028         Reviewed by Geoffrey Garen.
2029
2030         Added a new failure handler, loweringFailed(), to LowerDFGToLLVM that reports failures
2031         while processing DFG lowering.  For debug builds, the failures are logged identically
2032         to the way the DFG_CRASH() reports them.  For release builds, the failures are reported
2033         and that FTL compilation is terminated, but the process is allowed to continue.
2034         Wrapped calls to loweringFailed() in a macro LOWERING_FAILED so the function and
2035         line number are reported at the point of the inconsistency.
2036
2037         Converted instances of DFG_CRASH to LOWERING_FAILED.
2038
2039         * dfg/DFGPlan.cpp:
2040         (JSC::DFG::Plan::compileInThreadImpl): Added lowerDFGToLLVM() failure check that
2041         will fail the FTL compile.
2042
2043         * ftl/FTLLowerDFGToLLVM.cpp:
2044         (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
2045         Added new member variable, m_loweringSucceeded, to stop compilation on the first
2046         reported failure.
2047
2048         * ftl/FTLLowerDFGToLLVM.cpp:
2049         (JSC::FTL::LowerDFGToLLVM::lower):
2050         * ftl/FTLLowerDFGToLLVM.h:
2051         Added check for compilation failures and now report those failures via a boolean
2052         return value.
2053
2054         * ftl/FTLLowerDFGToLLVM.cpp:
2055         (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
2056         (JSC::FTL::LowerDFGToLLVM::compileNode):
2057         (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
2058         (JSC::FTL::LowerDFGToLLVM::compilePhi):
2059         (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
2060         (JSC::FTL::LowerDFGToLLVM::compileValueRep):
2061         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
2062         (JSC::FTL::LowerDFGToLLVM::compilePutLocal):
2063         (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
2064         (JSC::FTL::LowerDFGToLLVM::compileArithMul):
2065         (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
2066         (JSC::FTL::LowerDFGToLLVM::compileArithMod):
2067         (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
2068         (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
2069         (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
2070         (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
2071         (JSC::FTL::LowerDFGToLLVM::compileGetById):
2072         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
2073         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
2074         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2075         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2076         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
2077         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
2078         (JSC::FTL::LowerDFGToLLVM::compileNewArray):
2079         (JSC::FTL::LowerDFGToLLVM::compileToString):
2080         (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
2081         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
2082         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
2083         (JSC::FTL::LowerDFGToLLVM::compileSwitch):
2084         (JSC::FTL::LowerDFGToLLVM::compare):
2085         (JSC::FTL::LowerDFGToLLVM::boolify):
2086         (JSC::FTL::LowerDFGToLLVM::opposite):
2087         (JSC::FTL::LowerDFGToLLVM::lowJSValue):
2088         (JSC::FTL::LowerDFGToLLVM::speculate):
2089         (JSC::FTL::LowerDFGToLLVM::isArrayType):
2090         (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
2091         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
2092         (JSC::FTL::LowerDFGToLLVM::setInt52):
2093         Changed DFG_CRASH() to LOWERING_FAILED().  Updated related control flow as appropriate.
2094
2095         (JSC::FTL::LowerDFGToLLVM::loweringFailed): New error reporting member function.
2096
2097 2015-02-17  Filip Pizlo  <fpizlo@apple.com>
2098
2099         StackLayoutPhase should use CodeBlock::usesArguments rather than FunctionExecutable::usesArguments
2100         https://bugs.webkit.org/show_bug.cgi?id=141721
2101         rdar://problem/17198633
2102
2103         Reviewed by Michael Saboff.
2104         
2105         I've seen cases where the two are out of sync.  We know we can trust the CodeBlock::usesArguments because
2106         we use it everywhere else.
2107         
2108         No test because I could never reproduce the crash.
2109
2110         * dfg/DFGGraph.h:
2111         (JSC::DFG::Graph::usesArguments):
2112         * dfg/DFGStackLayoutPhase.cpp:
2113         (JSC::DFG::StackLayoutPhase::run):
2114
2115 2015-02-16  Joseph Pecoraro  <pecoraro@apple.com>
2116
2117         Web Inspector: Improved Console Support for Bound Functions
2118         https://bugs.webkit.org/show_bug.cgi?id=141635
2119
2120         Reviewed by Timothy Hatcher.
2121
2122         * inspector/JSInjectedScriptHost.cpp:
2123         (Inspector::JSInjectedScriptHost::getInternalProperties):
2124         Expose internal properties of a JSBoundFunction.
2125
2126 2015-02-16  Joseph Pecoraro  <pecoraro@apple.com>
2127
2128         Web Inspector: ES6: Improved Console Support for Promise Objects
2129         https://bugs.webkit.org/show_bug.cgi?id=141634
2130
2131         Reviewed by Timothy Hatcher.
2132
2133         * inspector/InjectedScript.cpp:
2134         (Inspector::InjectedScript::getInternalProperties):
2135         * inspector/InjectedScriptSource.js:
2136         Include internal properties in previews. Share code
2137         with normal internal property handling.
2138
2139         * inspector/JSInjectedScriptHost.cpp:
2140         (Inspector::constructInternalProperty):
2141         (Inspector::JSInjectedScriptHost::getInternalProperties):
2142         Provide internal state of Promises.
2143
2144         * inspector/protocol/Runtime.json:
2145         Provide an optional field to distinguish if a PropertyPreview
2146         is for an Internal property or not.
2147
2148 2015-02-17  Filip Pizlo  <fpizlo@apple.com>
2149
2150         Throwing from an FTL call IC slow path may result in tag registers being clobbered on 64-bit CPUs
2151         https://bugs.webkit.org/show_bug.cgi?id=141717
2152         rdar://problem/19863382
2153
2154         Reviewed by Geoffrey Garen.
2155         
2156         The best solution is to ensure that the engine catching an exception restores tag registers.
2157         
2158         Each of these new test cases reliably crashed prior to this patch and they don't crash at all now.
2159
2160         * jit/JITOpcodes.cpp:
2161         (JSC::JIT::emit_op_catch):
2162         * llint/LowLevelInterpreter.asm:
2163         * llint/LowLevelInterpreter64.asm:
2164         * tests/stress/throw-from-ftl-call-ic-slow-path-cells.js: Added.
2165         * tests/stress/throw-from-ftl-call-ic-slow-path-undefined.js: Added.
2166         * tests/stress/throw-from-ftl-call-ic-slow-path.js: Added.
2167
2168 2015-02-17  Csaba Osztrogonác  <ossy@webkit.org>
2169
2170         [ARM] Add the necessary setupArgumentsWithExecState after bug141332
2171         https://bugs.webkit.org/show_bug.cgi?id=141714
2172
2173         Reviewed by Michael Saboff.
2174
2175         * jit/CCallHelpers.h:
2176         (JSC::CCallHelpers::setupArgumentsWithExecState):
2177
2178 2015-02-15  Sam Weinig  <sam@webkit.org>
2179
2180         Add experimental <attachment> element support
2181         https://bugs.webkit.org/show_bug.cgi?id=141626
2182
2183         Reviewed by Tim Horton.
2184
2185         * Configurations/FeatureDefines.xcconfig:
2186
2187 2015-02-16  Michael Saboff  <msaboff@apple.com>
2188
2189         REGRESSION(r180060): C Loop crashes
2190         https://bugs.webkit.org/show_bug.cgi?id=141671
2191
2192         Reviewed by Geoffrey Garen.
2193
2194         Fixed a typo that only affected the C Loop in the prologue() macro in LowLevelInterpreter.asm.
2195         After the stackHeightOKGetCodeBlock label, codeBlockSetter(t1) should be codeBlockGetter(t1).
2196         Fixed the processing of an out-of-stack exception in llint_stack_check to not get the caller's
2197         frame.  This isn't needed, since this helper is only called to check the stack on entry.  Any
2198         exception will be handled by a call ancestor.
2199
2200         * llint/LLIntSlowPaths.cpp:
2201         (JSC::LLInt::llint_stack_check): Changed to use the current frame for processing an exception.
2202         * llint/LowLevelInterpreter.asm: Fixed a typo.
2203
2204 2015-02-16  Joseph Pecoraro  <pecoraro@apple.com>
2205
2206         Web Inspector: Scope details sidebar should label objects with constructor names
2207         https://bugs.webkit.org/show_bug.cgi?id=139449
2208
2209         Reviewed by Timothy Hatcher.
2210
2211         * inspector/JSInjectedScriptHost.cpp:
2212         (Inspector::JSInjectedScriptHost::internalConstructorName):
2213         * runtime/Structure.cpp:
2214         (JSC::Structure::toStructureShape):
2215         Share calculatedClassName.
2216
2217         * runtime/JSObject.h:
2218         * runtime/JSObject.cpp:
2219         (JSC::JSObject::calculatedClassName):
2220         Elaborate on a way to get an Object's class name.
2221
2222 2015-02-16  Filip Pizlo  <fpizlo@apple.com>
2223
2224         DFG SSA should use GetLocal for arguments, and the GetArgument node type should be removed
2225         https://bugs.webkit.org/show_bug.cgi?id=141623
2226
2227         Reviewed by Oliver Hunt.
2228         
2229         During development of https://bugs.webkit.org/show_bug.cgi?id=141332, I realized that I
2230         needed to use GetArgument for loading something that has magically already appeared on the
2231         stack, so currently trunk sort of allows this. But then I realized three things:
2232         
2233         - A GetArgument with a non-JSValue flush format means speculating that the value on the
2234           stack obeys that format, rather than just assuming that it already has that format.
2235           In bug 141332, I want it to assume rather than speculate. That also happens to be more
2236           intuitive; I don't think I was wrong to expect that.
2237         
2238         - The node I really want is GetLocal. I'm just getting the value of the local and I don't
2239           want to do anything else.
2240         
2241         - Maybe it would be easier if we just used GetLocal for all of the cases where we currently
2242           use GetArgument.
2243         
2244         This changes the FTL to do argument speculations in the prologue just like the DFG does.
2245         This brings some consistency to our system, and allows us to get rid of the GetArgument
2246         node. The speculations that the FTL must do are now made explicit in the m_argumentFormats
2247         vector in DFG::Graph. This has natural DCE behavior: even if all uses of the argument are
2248         dead we will still speculate. We already have safeguards to ensure we only speculate if
2249         there are uses that benefit from speculation (which is a much more conservative criterion
2250         than DCE).
2251         
2252         * dfg/DFGAbstractInterpreterInlines.h:
2253         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2254         * dfg/DFGClobberize.h:
2255         (JSC::DFG::clobberize):
2256         * dfg/DFGDCEPhase.cpp:
2257         (JSC::DFG::DCEPhase::run):
2258         * dfg/DFGDoesGC.cpp:
2259         (JSC::DFG::doesGC):
2260         * dfg/DFGFixupPhase.cpp:
2261         (JSC::DFG::FixupPhase::fixupNode):
2262         * dfg/DFGFlushFormat.h:
2263         (JSC::DFG::typeFilterFor):
2264         * dfg/DFGGraph.cpp:
2265         (JSC::DFG::Graph::dump):
2266         * dfg/DFGGraph.h:
2267         (JSC::DFG::Graph::valueProfileFor):
2268         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2269         * dfg/DFGInPlaceAbstractState.cpp:
2270         (JSC::DFG::InPlaceAbstractState::initialize):
2271         * dfg/DFGNode.cpp:
2272         (JSC::DFG::Node::hasVariableAccessData):
2273         * dfg/DFGNodeType.h:
2274         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2275         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
2276         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
2277         * dfg/DFGPredictionPropagationPhase.cpp:
2278         (JSC::DFG::PredictionPropagationPhase::propagate):
2279         * dfg/DFGPutLocalSinkingPhase.cpp:
2280         * dfg/DFGSSAConversionPhase.cpp:
2281         (JSC::DFG::SSAConversionPhase::run):
2282         * dfg/DFGSafeToExecute.h:
2283         (JSC::DFG::safeToExecute):
2284         * dfg/DFGSpeculativeJIT32_64.cpp:
2285         (JSC::DFG::SpeculativeJIT::compile):
2286         * dfg/DFGSpeculativeJIT64.cpp:
2287         (JSC::DFG::SpeculativeJIT::compile):
2288         * ftl/FTLCapabilities.cpp:
2289         (JSC::FTL::canCompile):
2290         * ftl/FTLLowerDFGToLLVM.cpp:
2291         (JSC::FTL::LowerDFGToLLVM::lower):
2292         (JSC::FTL::LowerDFGToLLVM::compileNode):
2293         (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
2294         (JSC::FTL::LowerDFGToLLVM::compileGetArgument): Deleted.
2295         * tests/stress/dead-speculating-argument-use.js: Added.
2296         (foo):
2297         (o.valueOf):
2298
2299 2015-02-15  Filip Pizlo  <fpizlo@apple.com>
2300
2301         Rare case profiling should actually work
2302         https://bugs.webkit.org/show_bug.cgi?id=141632
2303
2304         Reviewed by Michael Saboff.
2305         
2306         This simple adjustment appears to be a 2% speed-up on Octane. Over time, the slow case
2307         heuristic has essentially stopped working because the typical execution count threshold for a
2308         bytecode instruction is around 66 while the slow case threshold is 100: virtually
2309         guaranteeing that the DFG will never think that a bytecode instruction has taken the slow
2310         case even if it took it every single time. So, this changes the slow case threshold to 20.
2311         
2312         I checked if we could lower this down further, like to 10. That is worse than 20, and about
2313         as bad as 100.
2314
2315         * runtime/Options.h:
2316
2317 2015-02-15  Brian J. Burg  <burg@cs.washington.edu>
2318
2319         Web Inspector: remove unused XHR replay code
2320         https://bugs.webkit.org/show_bug.cgi?id=141622
2321
2322         Reviewed by Timothy Hatcher.
2323
2324         * inspector/protocol/Network.json: remove XHR replay methods.
2325
2326 2015-02-15  David Kilzer  <ddkilzer@apple.com>
2327
2328         REGRESSION (r180082): WebCore Debug builds fail on Mavericks due to weak export symbols
2329         <http://webkit.org/b/141607>
2330
2331         More work towards fixing the Mavericks Debug build.
2332
2333         * inspector/ScriptDebugServer.h:
2334         (Inspector::ScriptDebugServer::Task):
2335         * inspector/agents/InspectorDebuggerAgent.h:
2336         (Inspector::InspectorDebuggerAgent::Listener):
2337         - Remove subclass exports. They did not help.
2338
2339         * runtime/JSCJSValue.h:
2340         (JSC::JSValue::toFloat): Do not mark inline method for export.
2341
2342 2015-02-09  Brian J. Burg  <burg@cs.washington.edu>
2343
2344         Web Inspector: remove some unnecessary Inspector prefixes from class names in Inspector namespace
2345         https://bugs.webkit.org/show_bug.cgi?id=141372
2346
2347         Reviewed by Joseph Pecoraro.
2348
2349         * inspector/ConsoleMessage.cpp:
2350         (Inspector::ConsoleMessage::addToFrontend):
2351         (Inspector::ConsoleMessage::updateRepeatCountInConsole):
2352         * inspector/ConsoleMessage.h:
2353         * inspector/InspectorAgentBase.h:
2354         * inspector/InspectorAgentRegistry.cpp:
2355         (Inspector::AgentRegistry::AgentRegistry):
2356         (Inspector::AgentRegistry::append):
2357         (Inspector::AgentRegistry::appendExtraAgent):
2358         (Inspector::AgentRegistry::didCreateFrontendAndBackend):
2359         (Inspector::AgentRegistry::willDestroyFrontendAndBackend):
2360         (Inspector::AgentRegistry::discardAgents):
2361         (Inspector::InspectorAgentRegistry::InspectorAgentRegistry): Deleted.
2362         (Inspector::InspectorAgentRegistry::append): Deleted.
2363         (Inspector::InspectorAgentRegistry::appendExtraAgent): Deleted.
2364         (Inspector::InspectorAgentRegistry::didCreateFrontendAndBackend): Deleted.
2365         (Inspector::InspectorAgentRegistry::willDestroyFrontendAndBackend): Deleted.
2366         (Inspector::InspectorAgentRegistry::discardAgents): Deleted.
2367         * inspector/InspectorAgentRegistry.h:
2368         * inspector/InspectorBackendDispatcher.cpp:
2369         (Inspector::BackendDispatcher::CallbackBase::CallbackBase):
2370         (Inspector::BackendDispatcher::CallbackBase::isActive):
2371         (Inspector::BackendDispatcher::CallbackBase::sendFailure):
2372         (Inspector::BackendDispatcher::CallbackBase::sendIfActive):
2373         (Inspector::BackendDispatcher::create):
2374         (Inspector::BackendDispatcher::registerDispatcherForDomain):
2375         (Inspector::BackendDispatcher::dispatch):
2376         (Inspector::BackendDispatcher::sendResponse):
2377         (Inspector::BackendDispatcher::reportProtocolError):
2378         (Inspector::BackendDispatcher::getInteger):
2379         (Inspector::BackendDispatcher::getDouble):
2380         (Inspector::BackendDispatcher::getString):
2381         (Inspector::BackendDispatcher::getBoolean):
2382         (Inspector::BackendDispatcher::getObject):
2383         (Inspector::BackendDispatcher::getArray):
2384         (Inspector::BackendDispatcher::getValue):
2385         (Inspector::InspectorBackendDispatcher::CallbackBase::CallbackBase): Deleted.
2386         (Inspector::InspectorBackendDispatcher::CallbackBase::isActive): Deleted.
2387         (Inspector::InspectorBackendDispatcher::CallbackBase::sendFailure): Deleted.
2388         (Inspector::InspectorBackendDispatcher::CallbackBase::sendIfActive): Deleted.
2389         (Inspector::InspectorBackendDispatcher::create): Deleted.
2390         (Inspector::InspectorBackendDispatcher::registerDispatcherForDomain): Deleted.
2391         (Inspector::InspectorBackendDispatcher::dispatch): Deleted.
2392         (Inspector::InspectorBackendDispatcher::sendResponse): Deleted.
2393         (Inspector::InspectorBackendDispatcher::reportProtocolError): Deleted.
2394         (Inspector::InspectorBackendDispatcher::getInteger): Deleted.
2395         (Inspector::InspectorBackendDispatcher::getDouble): Deleted.
2396         (Inspector::InspectorBackendDispatcher::getString): Deleted.
2397         (Inspector::InspectorBackendDispatcher::getBoolean): Deleted.
2398         (Inspector::InspectorBackendDispatcher::getObject): Deleted.
2399         (Inspector::InspectorBackendDispatcher::getArray): Deleted.
2400         (Inspector::InspectorBackendDispatcher::getValue): Deleted.
2401         * inspector/InspectorBackendDispatcher.h:
2402         (Inspector::SupplementalBackendDispatcher::SupplementalBackendDispatcher):
2403         (Inspector::SupplementalBackendDispatcher::~SupplementalBackendDispatcher):
2404         (Inspector::InspectorSupplementalBackendDispatcher::InspectorSupplementalBackendDispatcher): Deleted.
2405         (Inspector::InspectorSupplementalBackendDispatcher::~InspectorSupplementalBackendDispatcher): Deleted.
2406         * inspector/InspectorFrontendChannel.h:
2407         (Inspector::FrontendChannel::~FrontendChannel):
2408         (Inspector::InspectorFrontendChannel::~InspectorFrontendChannel): Deleted.
2409         * inspector/JSGlobalObjectInspectorController.cpp:
2410         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2411         (Inspector::JSGlobalObjectInspectorController::globalObjectDestroyed):
2412         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
2413         (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
2414         (Inspector::JSGlobalObjectInspectorController::dispatchMessageFromFrontend):
2415         (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
2416         * inspector/JSGlobalObjectInspectorController.h:
2417         * inspector/agents/InspectorAgent.cpp:
2418         (Inspector::InspectorAgent::didCreateFrontendAndBackend):
2419         (Inspector::InspectorAgent::willDestroyFrontendAndBackend):
2420         * inspector/agents/InspectorAgent.h:
2421         * inspector/agents/InspectorConsoleAgent.cpp:
2422         (Inspector::InspectorConsoleAgent::didCreateFrontendAndBackend):
2423         (Inspector::InspectorConsoleAgent::willDestroyFrontendAndBackend):
2424         * inspector/agents/InspectorConsoleAgent.h:
2425         * inspector/agents/InspectorDebuggerAgent.cpp:
2426         (Inspector::InspectorDebuggerAgent::didCreateFrontendAndBackend):
2427         (Inspector::InspectorDebuggerAgent::willDestroyFrontendAndBackend):
2428         (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
2429         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
2430         (Inspector::InspectorDebuggerAgent::pause):
2431         (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
2432         (Inspector::InspectorDebuggerAgent::didPause):
2433         (Inspector::InspectorDebuggerAgent::breakProgram):
2434         (Inspector::InspectorDebuggerAgent::clearBreakDetails):
2435         * inspector/agents/InspectorDebuggerAgent.h:
2436         * inspector/agents/InspectorRuntimeAgent.cpp:
2437         (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
2438         * inspector/agents/InspectorRuntimeAgent.h:
2439         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
2440         (Inspector::JSGlobalObjectRuntimeAgent::didCreateFrontendAndBackend):
2441         (Inspector::JSGlobalObjectRuntimeAgent::willDestroyFrontendAndBackend):
2442         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
2443         * inspector/augmentable/AlternateDispatchableAgent.h:
2444         * inspector/augmentable/AugmentableInspectorController.h:
2445         * inspector/remote/RemoteInspectorDebuggable.h:
2446         * inspector/remote/RemoteInspectorDebuggableConnection.h:
2447         * inspector/scripts/codegen/cpp_generator.py:
2448         (CppGenerator.cpp_type_for_formal_out_parameter):
2449         (CppGenerator.cpp_type_for_stack_out_parameter):
2450         * inspector/scripts/codegen/cpp_generator_templates.py:
2451         (AlternateBackendDispatcher):
2452         (Alternate):
2453         (void):
2454         (AlternateInspectorBackendDispatcher): Deleted.
2455         (AlternateInspector): Deleted.
2456         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
2457         (CppBackendDispatcherHeaderGenerator._generate_alternate_handler_forward_declarations_for_domains.Alternate):
2458         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
2459         (CppBackendDispatcherHeaderGenerator._generate_alternate_handler_forward_declarations_for_domains.AlternateInspector): Deleted.
2460         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2461         (CppBackendDispatcherImplementationGenerator._generate_handler_class_destructor_for_domain):
2462         (CppBackendDispatcherImplementationGenerator._generate_large_dispatcher_switch_implementation_for_domain):
2463         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
2464         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2465         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
2466         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
2467         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
2468         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2469         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2470         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2471         * inspector/scripts/tests/expected/enum-values.json-result:
2472         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2473         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2474         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2475         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2476         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2477         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2478         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2479         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2480         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2481         * runtime/JSGlobalObjectDebuggable.cpp:
2482         (JSC::JSGlobalObjectDebuggable::connect):
2483         (JSC::JSGlobalObjectDebuggable::disconnect):
2484         * runtime/JSGlobalObjectDebuggable.h:
2485
2486 2015-02-14  David Kilzer  <ddkilzer@apple.com>
2487
2488         REGRESSION (r180082): WebCore Debug builds fail on Mavericks due to weak export symbols
2489         <http://webkit.org/b/141607>
2490
2491         Work towards fixing the Mavericks Debug build.
2492
2493         * inspector/ScriptDebugServer.h:
2494         (Inspector::ScriptDebugServer::Task): Export class.
2495         * inspector/agents/InspectorDebuggerAgent.h:
2496         (Inspector::InspectorDebuggerAgent::Listener): Export class.
2497         * runtime/JSGlobalObject.h:
2498         (JSC::JSGlobalObject::setConsoleClient): Do not mark inline
2499         method for export.
2500
2501 2015-02-14  Joseph Pecoraro  <pecoraro@apple.com>
2502
2503         Web Inspector: Symbol RemoteObject should not send sub-type
2504         https://bugs.webkit.org/show_bug.cgi?id=141604
2505
2506         Reviewed by Brian Burg.
2507
2508         * inspector/InjectedScriptSource.js:
2509
2510 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
2511
2512         Attempt to fix 32bits build after r180098
2513
2514         * jit/JITOperations.cpp:
2515         * jit/JITOperations.h:
2516         I copied the attribute from the MathObject version of that function when I moved
2517         it over. DFG has no version of a function call taking those attributes.
2518
2519 2015-02-13  Joseph Pecoraro  <pecoraro@apple.com>
2520
2521         JSContext Inspector: Do not stash console messages for non-debuggable JSContext
2522         https://bugs.webkit.org/show_bug.cgi?id=141589
2523
2524         Reviewed by Timothy Hatcher.
2525
2526         Consider developer extras disabled for JSContext inspection if the
2527         RemoteInspector server is not enabled (typically a non-debuggable
2528         process rejected by webinspectord) or if remote debugging on the
2529         JSContext was explicitly disabled via SPI.
2530
2531         When developer extras are disabled, console message will not be stashed.
2532
2533         * inspector/JSGlobalObjectInspectorController.cpp:
2534         (Inspector::JSGlobalObjectInspectorController::developerExtrasEnabled):
2535         * inspector/JSGlobalObjectInspectorController.h:
2536
2537 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
2538
2539         Add a DFG node for the Pow Intrinsics
2540         https://bugs.webkit.org/show_bug.cgi?id=141540
2541
2542         Reviewed by Filip Pizlo.
2543
2544         Add a DFG Node for PowIntrinsic. This patch covers the basic cases
2545         needed to avoid massive regressions. I will iterate over the node to cover
2546         the missing types.
2547
2548         With this patch I get the following progressions on benchmarks:
2549         -LongSpider's math-partial-sums: +5%.
2550         -Kraken's imaging-darkroom: +17%
2551         -AsmBench's cray.c: +6.6%
2552         -CompressionBench: +2.2% globally.
2553
2554         * dfg/DFGAbstractInterpreterInlines.h:
2555         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2556         Cover a couple of trivial cases:
2557         -If the exponent is zero, the result is always one, regardless of the base.
2558         -If both arguments are constants, compute the result at compile time.
2559
2560         * dfg/DFGByteCodeParser.cpp:
2561         (JSC::DFG::ByteCodeParser::handleIntrinsic):
2562         * dfg/DFGClobberize.h:
2563         (JSC::DFG::clobberize):
2564         * dfg/DFGDoesGC.cpp:
2565         (JSC::DFG::doesGC):
2566
2567         * dfg/DFGFixupPhase.cpp:
2568         (JSC::DFG::FixupPhase::fixupNode):
2569         We only support 2 basic cases at this time:
2570         -Math.pow(double, int)
2571         -Math.pow(double, double).
2572
2573         I'll cover Math.pow(int, int) in a follow up.
2574
2575         * dfg/DFGNode.h:
2576         (JSC::DFG::Node::convertToArithSqrt):
2577         (JSC::DFG::Node::arithNodeFlags):
2578         * dfg/DFGNodeType.h:
2579         * dfg/DFGPredictionPropagationPhase.cpp:
2580         (JSC::DFG::PredictionPropagationPhase::propagate):
2581         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
2582         * dfg/DFGSafeToExecute.h:
2583         (JSC::DFG::safeToExecute):
2584         * dfg/DFGSpeculativeJIT.cpp:
2585         (JSC::DFG::compileArithPowIntegerFastPath):
2586         (JSC::DFG::SpeculativeJIT::compileArithPow):
2587         * dfg/DFGSpeculativeJIT.h:
2588         * dfg/DFGSpeculativeJIT32_64.cpp:
2589         (JSC::DFG::SpeculativeJIT::compile):
2590         * dfg/DFGSpeculativeJIT64.cpp:
2591         (JSC::DFG::SpeculativeJIT::compile):
2592         * dfg/DFGStrengthReductionPhase.cpp:
2593         (JSC::DFG::StrengthReductionPhase::handleNode):
2594         * dfg/DFGValidate.cpp:
2595         (JSC::DFG::Validate::validate):
2596         * ftl/FTLCapabilities.cpp:
2597         (JSC::FTL::canCompile):
2598         * ftl/FTLIntrinsicRepository.h:
2599         * ftl/FTLLowerDFGToLLVM.cpp:
2600         (JSC::FTL::LowerDFGToLLVM::compileNode):
2601         (JSC::FTL::LowerDFGToLLVM::compileArithPow):
2602         * ftl/FTLOutput.h:
2603         (JSC::FTL::Output::doublePow):
2604         (JSC::FTL::Output::doublePowi):
2605         * jit/JITOperations.cpp:
2606         * jit/JITOperations.h:
2607         * runtime/MathObject.cpp:
2608         (JSC::mathProtoFuncPow):
2609         (JSC::isDenormal): Deleted.
2610         (JSC::isEdgeCase): Deleted.
2611         (JSC::mathPow): Deleted.
2612
2613         * tests/stress/math-pow-basics.js: Added.
2614         * tests/stress/math-pow-integer-exponent-fastpath.js: Added.
2615         * tests/stress/math-pow-nan-behaviors.js: Added.
2616         * tests/stress/math-pow-with-constants.js: Added.
2617         Start some basic testing of Math.pow().
2618         Due to the various transforms, the values change when the code tiers up,
2619         so I covered this by checking for approximate values.
2620
2621 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
2622
2623         ArithSqrt should not be conditional on supportsFloatingPointSqrt
2624         https://bugs.webkit.org/show_bug.cgi?id=141546
2625
2626         Reviewed by Geoffrey Garen and Filip Pizlo.
2627
2628         Just fall back to the function call in the DFG codegen.
2629
2630         * dfg/DFGByteCodeParser.cpp:
2631         (JSC::DFG::ByteCodeParser::handleIntrinsic):
2632         * dfg/DFGSpeculativeJIT.cpp:
2633         (JSC::DFG::SpeculativeJIT::compileArithSqrt):
2634         * dfg/DFGSpeculativeJIT.h:
2635         * dfg/DFGSpeculativeJIT32_64.cpp:
2636         (JSC::DFG::SpeculativeJIT::compile):
2637         * dfg/DFGSpeculativeJIT64.cpp:
2638         (JSC::DFG::SpeculativeJIT::compile):
2639         * tests/stress/math-sqrt-basics.js: Added.
2640         Basic coverage.
2641
2642         * tests/stress/math-sqrt-basics-disable-architecture-specific-optimizations.js: Added.
2643         Same tests but forcing the function call.
2644
2645 2015-02-13  Michael Saboff  <msaboff@apple.com>
2646
2647         REGRESSION(r180060) New js/regress-141098 test crashes when LLInt is disabled.
2648         https://bugs.webkit.org/show_bug.cgi?id=141577
2649
2650         Reviewed by Benjamin Poulain.
2651
2652         Changed the prologue of the baseline JIT to check for stack space for all
2653         types of code blocks.  Previously, it was only checking Function.  Now
2654         it checks Program and Eval as well.
2655
2656         * jit/JIT.cpp:
2657         (JSC::JIT::privateCompile):
2658
2659 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
2660
2661         Generate incq instead of addq when the immediate value is one
2662         https://bugs.webkit.org/show_bug.cgi?id=141548
2663
2664         Reviewed by Gavin Barraclough.
2665
2666         JSC emits "addq #1 (rXX)" *a lot*.
2667         This patch replaces that with incq, which is one byte shorter
2668         and is the advised form.
2669
2670         Sunspider: +0.47%
2671         Octane: +0.28%
2672         Kraken: +0.44%
2673         AsmBench, CompressionBench: neutral.
2674
2675         * assembler/MacroAssemblerX86_64.h:
2676         (JSC::MacroAssemblerX86_64::add64):
2677         * assembler/X86Assembler.h:
2678         (JSC::X86Assembler::incq_m):
2679
2680 2015-02-13  Benjamin Poulain  <benjamin@webkit.org>
2681
2682         Little clean up of Bytecode Generator's Label
2683         https://bugs.webkit.org/show_bug.cgi?id=141557
2684
2685         Reviewed by Michael Saboff.
2686
2687         * bytecompiler/BytecodeGenerator.h:
2688         * bytecompiler/BytecodeGenerator.cpp:
2689         Label was a friend of BytecodeGenerator in order to access
2690         m_instructions. There is no need for that, BytecodeGenerator
2691         has a public getter.
2692
2693         * bytecompiler/Label.h:
2694         (JSC::Label::Label):
2695         (JSC::Label::setLocation):
2696         (JSC::BytecodeGenerator::newLabel):
2697         Make it explicit that the generator must exist.
2698
2699 2015-02-13  Michael Saboff  <msaboff@apple.com>
2700
2701         Google doc spreadsheet reproducibly crashes when sorting
2702         https://bugs.webkit.org/show_bug.cgi?id=141098
2703
2704         Reviewed by Oliver Hunt.
2705
2706         Moved the stack check to before the callee registers are allocated in the
2707         prologue() by moving it from the functionInitialization() macro.  This
2708         way we can check the stack before moving the stack pointer, avoiding a
2709         crash during a "call" instruction.  Before this change, we weren't even
2710         checking the stack for program and eval execution.
2711
2712         Made a couple of supporting changes.
2713
2714         * llint/LLIntSlowPaths.cpp:
2715         (JSC::LLInt::llint_stack_check): We can't just go up one frame as we
2716         may be processing an exception to an entry frame.
2717
2718         * llint/LowLevelInterpreter.asm:
2719
2720         * llint/LowLevelInterpreter32_64.asm:
2721         * llint/LowLevelInterpreter64.asm:
2722         (llint_throw_from_slow_path_trampoline): Changed method to get the vm
2723         from the code block to not use the codeBlock, since we may need to
2724         continue from an exception in a native function.
2725
2726 2015-02-12  Benjamin Poulain  <benjamin@webkit.org>
2727
2728         Simplify the initialization of BytecodeGenerator a bit
2729         https://bugs.webkit.org/show_bug.cgi?id=141505
2730
2731         Reviewed by Anders Carlsson.
2732
2733         * bytecompiler/BytecodeGenerator.cpp:
2734         (JSC::BytecodeGenerator::BytecodeGenerator):
2735         * bytecompiler/BytecodeGenerator.h:
2736         Set up the default initialization at the declaration level
2737         instead of the constructor.
2738
2739         Also made m_scopeNode and m_codeType const to make it explicit
2740         that they are invariant after construction.
2741
2742         * parser/Nodes.cpp:
2743         * runtime/Executable.cpp:
2744         Remove 2 useless #includes.
2745
2746 2015-02-12  Benjamin Poulain  <benjamin@webkit.org>
2747
2748         Move the generators for GetScope and SkipScope to the common core in DFGSpeculativeJIT
2749         https://bugs.webkit.org/show_bug.cgi?id=141506
2750
2751         Reviewed by Michael Saboff.
2752
2753         The generators for the nodes GetScope and SkipScope were
2754         completely identical between 32 and 64 bits.
2755
2756         This patch moves the duplicated code to DFGSpeculativeJIT.
2757
2758         * dfg/DFGSpeculativeJIT.cpp:
2759         (JSC::DFG::SpeculativeJIT::compileGetScope):
2760         (JSC::DFG::SpeculativeJIT::compileSkipScope):
2761         * dfg/DFGSpeculativeJIT.h:
2762         * dfg/DFGSpeculativeJIT32_64.cpp:
2763         (JSC::DFG::SpeculativeJIT::compile):
2764         * dfg/DFGSpeculativeJIT64.cpp:
2765         (JSC::DFG::SpeculativeJIT::compile):
2766
2767 2015-02-11  Brent Fulgham  <bfulgham@apple.com>
2768
2769         [Win] [64-bit] Work around MSVC2013 Runtime Bug
2770         https://bugs.webkit.org/show_bug.cgi?id=141498
2771         <rdar://problem/19803642>
2772
2773         Reviewed by Anders Carlsson.
2774
2775         Disable FMA3 instruction use in the MSVC math library to
2776         work around a VS2013 runtime crash. We can remove this
2777         workaround when we switch to VS2015.
2778
2779         * API/tests/testapi.c: Call _set_FMA3_enable(0) to disable
2780         FMA3 support.
2781         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add new files.
2782         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
2783         * JavaScriptCore.vcxproj/JavaScriptCoreDLL.cpp: Added.
2784         * JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp: Call _set_FMA3_enable(0)
2785         to disable FMA3 support.
2786         * jsc.cpp: Ditto.
2787         * testRegExp.cpp: Ditto.
2788
2789 2015-02-11  Filip Pizlo  <fpizlo@apple.com>
2790
2791         The callee frame helpers in DFG::SpeculativeJIT should be available to other JITs
2792         https://bugs.webkit.org/show_bug.cgi?id=141493
2793
2794         Reviewed by Michael Saboff.
2795
2796         * dfg/DFGSpeculativeJIT.h:
2797         (JSC::DFG::SpeculativeJIT::calleeFrameSlot): Deleted.
2798         (JSC::DFG::SpeculativeJIT::calleeArgumentSlot): Deleted.
2799         (JSC::DFG::SpeculativeJIT::calleeFrameTagSlot): Deleted.
2800         (JSC::DFG::SpeculativeJIT::calleeFramePayloadSlot): Deleted.
2801         (JSC::DFG::SpeculativeJIT::calleeArgumentTagSlot): Deleted.
2802         (JSC::DFG::SpeculativeJIT::calleeArgumentPayloadSlot): Deleted.
2803         (JSC::DFG::SpeculativeJIT::calleeFrameCallerFrame): Deleted.
2804         * dfg/DFGSpeculativeJIT32_64.cpp:
2805         (JSC::DFG::SpeculativeJIT::emitCall):
2806         * dfg/DFGSpeculativeJIT64.cpp:
2807         (JSC::DFG::SpeculativeJIT::emitCall):
2808         * jit/AssemblyHelpers.h:
2809         (JSC::AssemblyHelpers::calleeFrameSlot):
2810         (JSC::AssemblyHelpers::calleeArgumentSlot):
2811         (JSC::AssemblyHelpers::calleeFrameTagSlot):
2812         (JSC::AssemblyHelpers::calleeFramePayloadSlot):
2813         (JSC::AssemblyHelpers::calleeArgumentTagSlot):
2814         (JSC::AssemblyHelpers::calleeArgumentPayloadSlot):
2815         (JSC::AssemblyHelpers::calleeFrameCallerFrame):
2816
2817 2015-02-11  Filip Pizlo  <fpizlo@apple.com>
2818
2819         SetupVarargsFrame should not assume that an inline stack frame would have identical layout to a normal stack frame
2820         https://bugs.webkit.org/show_bug.cgi?id=141485
2821
2822         Reviewed by Oliver Hunt.
2823         
2824         The inlineStackOffset argument was meant to make it easy for the DFG to use this helper for
2825         vararg calls from inlined code, but that doesn't work since the DFG inline call frame
2826         doesn't actually put the argument count at the JSStack::ArgumentCount offset. In fact there
2827         is really no such thing as an inlineStackOffset except when we OSR exit; while the code is
2828         running the stack layout is compacted so that the stackOffset is not meaningful.
2829
2830         * jit/JITCall.cpp:
2831         (JSC::JIT::compileSetupVarargsFrame):
2832         * jit/JITCall32_64.cpp:
2833         (JSC::JIT::compileSetupVarargsFrame):
2834         * jit/SetupVarargsFrame.cpp:
2835         (JSC::emitSetupVarargsFrameFastCase):
2836         * jit/SetupVarargsFrame.h:
2837
2838 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
2839
2840         Split FTL::JSCall into the part that knows about call inline caching and the part that interacts with LLVM patchpoints
2841         https://bugs.webkit.org/show_bug.cgi?id=141455
2842
2843         Reviewed by Mark Lam.
2844         
2845         The newly introduced FTL::JSCallBase can be used to build other things, like the FTL portion
2846         of https://bugs.webkit.org/show_bug.cgi?id=141332.
2847
2848         * CMakeLists.txt:
2849         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2850         * JavaScriptCore.xcodeproj/project.pbxproj:
2851         * bytecode/CallLinkInfo.h:
2852         (JSC::CallLinkInfo::specializationKindFor):
2853         (JSC::CallLinkInfo::specializationKind):
2854         * ftl/FTLJSCall.cpp:
2855         (JSC::FTL::JSCall::JSCall):
2856         (JSC::FTL::JSCall::emit): Deleted.
2857         (JSC::FTL::JSCall::link): Deleted.
2858         * ftl/FTLJSCall.h:
2859         * ftl/FTLJSCallBase.cpp: Added.
2860         (JSC::FTL::JSCallBase::JSCallBase):
2861         (JSC::FTL::JSCallBase::emit):
2862         (JSC::FTL::JSCallBase::link):
2863         * ftl/FTLJSCallBase.h: Added.
2864
2865 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
2866
2867         Unreviewed, fix build.
2868
2869         * jit/CCallHelpers.h:
2870         (JSC::CCallHelpers::setupArgumentsWithExecState):
2871
2872 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
2873
2874         op_call_varargs should only load the length once
2875         https://bugs.webkit.org/show_bug.cgi?id=141440
2876         rdar://problem/19761683
2877
2878         Reviewed by Michael Saboff.
2879         
2880         Refactors the pair of calls that set up the varargs frame so that the first call returns the
2881         length, and the second call uses the length returned by the first one. It turns out that this
2882         gave me an opportunity to shorten a lot of the code.
2883
2884         * interpreter/Interpreter.cpp:
2885         (JSC::sizeFrameForVarargs):
2886         (JSC::loadVarargs):
2887         (JSC::setupVarargsFrame):
2888         (JSC::setupVarargsFrameAndSetThis):
2889         * interpreter/Interpreter.h:
2890         (JSC::calleeFrameForVarargs):
2891         * jit/CCallHelpers.h:
2892         (JSC::CCallHelpers::setupArgumentsWithExecState):
2893         * jit/JIT.h:
2894         * jit/JITCall.cpp:
2895         (JSC::JIT::compileSetupVarargsFrame):
2896         * jit/JITCall32_64.cpp:
2897         (JSC::JIT::compileSetupVarargsFrame):
2898         * jit/JITInlines.h:
2899         (JSC::JIT::callOperation):
2900         * jit/JITOperations.cpp:
2901         * jit/JITOperations.h:
2902         * jit/SetupVarargsFrame.cpp:
2903         (JSC::emitSetVarargsFrame):
2904         (JSC::emitSetupVarargsFrameFastCase):
2905         * jit/SetupVarargsFrame.h:
2906         * llint/LLIntSlowPaths.cpp:
2907         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2908         * runtime/Arguments.cpp:
2909         (JSC::Arguments::copyToArguments):
2910         * runtime/Arguments.h:
2911         * runtime/JSArray.cpp:
2912         (JSC::JSArray::copyToArguments):
2913         * runtime/JSArray.h:
2914         * runtime/VM.h:
2915         * tests/stress/call-varargs-length-effects.js: Added.
2916         (foo):
2917         (bar):
2918
2919 2015-02-10  Michael Saboff  <msaboff@apple.com>
2920
2921         Crash in JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq
2922         https://bugs.webkit.org/show_bug.cgi?id=139398
2923
2924         Reviewed by Filip Pizlo.
2925
2926         Due to CFA analysis, the CompareStrictEq node was determined to be unreachable, but later
2927         was determined to be reachable.  When we go to lower to LLVM, the edges for the CompareStrictEq
2928         node are UntypedUse which we can't compile.  Fixed this by checking that the IR before
2929         lowering can still be handled by the FTL.
2930
2931         Had to add GetArgument as a node that the FTL can compile as the SSA conversion phase converts
2932         a SetArgument to a GetArgument.  Before this change FTL::canCompile() would never see a GetArgument
2933         node.  With the check right before lowering, we see this node.
2934
2935         * dfg/DFGPlan.cpp:
2936         (JSC::DFG::Plan::compileInThreadImpl): Added a final FTL::canCompile() check before lowering
2937         to verify that after all the transformations we still have valid IR for the FTL.
2938         * ftl/FTLCapabilities.cpp:
2939         (JSC::FTL::canCompile): Added GetArgument as a node the FTL can compile.
2940
2941 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
2942
2943         Remove unused DFG::SpeculativeJIT::calleeFrameOffset().
2944
2945         Rubber stamped by Michael Saboff.
2946         
2947         Not only was this not used, I believe that the math was wrong. The callee frame doesn't
2948         actually land past m_nextMachineLocal; instead it lands just below wherever we put SP and
2949         that decision is made elsewhere. Also, it makes no sense to subtract 1 from
2950         m_nextMachineLocal when trying to deduce the number of in-use stack slots.
2951
2952         * dfg/DFGSpeculativeJIT.h:
2953         (JSC::DFG::SpeculativeJIT::calleeFrameOffset): Deleted.
2954
2955 2015-02-10  Saam Barati  <saambarati1@gmail.com>
2956
2957         Parser::parseVarDeclarationList gets the wrong JSToken for the last identifier
2958         https://bugs.webkit.org/show_bug.cgi?id=141272
2959
2960         Reviewed by Oliver Hunt.
2961
2962         This patch fixes a bug where the wrong text location would be 
2963         assigned to a variable declaration inside a ForIn/ForOf loop. 
2964         It also fixes a bug in the type profiler where the type profiler 
2965         emits the wrong text offset for a ForIn loop's variable declarator 
2966         when it's not a pattern node.
2967
2968         * bytecompiler/NodesCodegen.cpp:
2969         (JSC::ForInNode::emitLoopHeader):
2970         * parser/Parser.cpp:
2971         (JSC::Parser<LexerType>::parseVarDeclarationList):
2972         * tests/typeProfiler/loop.js:
2973         (testForIn):
2974         (testForOf):
2975
2976 2015-02-09  Saam Barati  <saambarati1@gmail.com>
2977
2978         JSC's Type Profiler doesn't profile the type of the looping variable in ForOf/ForIn loops
2979         https://bugs.webkit.org/show_bug.cgi?id=141241
2980
2981         Reviewed by Filip Pizlo.
2982
2983         Type information is now recorded for ForIn and ForOf statements. 
2984         It was an oversight to not have these statements profiled before.
2985
2986         * bytecompiler/NodesCodegen.cpp:
2987         (JSC::ForInNode::emitLoopHeader):
2988         (JSC::ForOfNode::emitBytecode):
2989         * tests/typeProfiler/loop.js: Added.
2990         (testForIn):
2991         (testForOf):
2992
2993 2015-02-09  Filip Pizlo  <fpizlo@apple.com>
2994
2995         DFG::StackLayoutPhase should always set the scopeRegister to VirtualRegister() because the DFG doesn't do anything to make its value valid
2996         https://bugs.webkit.org/show_bug.cgi?id=141412
2997
2998         Reviewed by Michael Saboff.
2999         
3000         StackLayoutPhase was attempting to ensure that the register that
3001         CodeBlock::scopeRegister() points to is the right one for the DFG. But the DFG did nothing
3002         else to maintain the validity of the scopeRegister(). It wasn't captured as far as I can
3003         tell. StackLayoutPhase didn't explicitly mark it live. PreciseLocalClobberize didn't mark
3004         it as being live. So, by the time we got here the register referred to by
3005         CodeBlock::scopeRegister() would have been junk. Moreover, CodeBlock::scopeRegister() was
3006         not used for DFG code blocks, and was hardly ever used outside of bytecode generation.
3007         
3008         So, this patch just removes the code to manipulate this field and replaces it with an
3009         unconditional setScopeRegister(VirtualRegister()). Setting it to the invalid register
3010         ensures that any attempts to read the scopeRegister in a DFG or FTL frame immediately
3011         punts.
3012
3013         * dfg/DFGStackLayoutPhase.cpp:
3014         (JSC::DFG::StackLayoutPhase::run):
3015
3016 2015-02-09  Filip Pizlo  <fpizlo@apple.com>
3017
3018         Varargs frame set-up should be factored out for use by other JITs
3019         https://bugs.webkit.org/show_bug.cgi?id=141388
3020
3021         Reviewed by Michael Saboff.
3022         
3023         Previously the code that dealt with varargs always assumed that we were setting up a varargs call
3024         frame by literally following the execution semantics of op_call_varargs. This isn't how it'll
3025         happen once the DFG and FTL do varargs calls, or when varargs calls get inlined. The DFG and FTL
3026         don't literally execute bytecode; for example their stack frame layout has absolutely nothing in
3027         common with what the bytecode says, and that will never change.
3028         
3029         This patch makes two changes:
3030         
3031         Setting up the varargs callee frame can be done in smaller steps: particularly in the case of a
3032         varargs call that gets inlined, we aren't going to actually want to set up a callee frame in
3033         full - we just want to put the arguments somewhere, and that place will not have much (if
3034         anything) in common with the call frame format. This patch factors that out into something called
3035         a loadVarargs. The thing we used to call loadVarargs is now called setupVarargsFrame. This patch
3036         also separates loading varargs from setting this, since the fact that those two things are done
3037         together is a detail made explicit in bytecode but it's not at all required in the higher-tier
3038         engines. In the process of factoring this code out, I found a bunch of off-by-one errors in the
3039         various calculations. I fixed them. The distance from the caller's frame pointer to the callee
3040         frame pointer is always:
3041         
3042             numUsedCallerSlots + argCount + 1 + CallFrameSize
3043         
3044         where numUsedCallerSlots is toLocal(firstFreeRegister) - 1, which simplifies down to just
3045         -firstFreeRegister. The code now speaks of numUsedCallerSlots rather than firstFreeRegister,
3046         since the latter is a bytecode peculiarity that doesn't apply in the DFG or FTL. In the DFG, the
3047         internally-computed frame size, minus the parameter slots, will be used for numUsedCallerSlots.
3048         In the FTL, we will essentially compute numUsedCallerSlots dynamically by subtracting SP from FP.
3049         Eventually, LLVM might give us some cleaner way of doing this, but it probably doesn't matter
3050         very much.
3051         
3052         The arguments forwarding optimization is factored out of the Baseline JIT: the DFG and FTL will
3053         want to do this optimization as well, but it involves quite a bit of code. So, this code is now
3054         factored out into SetupVarargsFrame.h|cpp, so that other JITs can use it. In the process of factoring
3055         this code out I noticed that the 32-bit and 64-bit code is nearly identical, so I combined them.
3056
3057         * CMakeLists.txt:
3058         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3059         * JavaScriptCore.xcodeproj/project.pbxproj:
3060         * bytecode/CodeBlock.h:
3061         (JSC::ExecState::r):
3062         (JSC::ExecState::uncheckedR):
3063         * bytecode/VirtualRegister.h:
3064         (JSC::VirtualRegister::operator+):
3065         (JSC::VirtualRegister::operator-):
3066         (JSC::VirtualRegister::operator+=):
3067         (JSC::VirtualRegister::operator-=):
3068         * interpreter/CallFrame.h:
3069         * interpreter/Interpreter.cpp:
3070         (JSC::sizeFrameForVarargs):
3071         (JSC::loadVarargs):
3072         (JSC::setupVarargsFrame):
3073         (JSC::setupVarargsFrameAndSetThis):
3074         * interpreter/Interpreter.h:
3075         * jit/AssemblyHelpers.h:
3076         (JSC::AssemblyHelpers::emitGetFromCallFrameHeaderPtr):
3077         (JSC::AssemblyHelpers::emitGetFromCallFrameHeader32):
3078         (JSC::AssemblyHelpers::emitGetFromCallFrameHeader64):
3079         * jit/JIT.h:
3080         * jit/JITCall.cpp:
3081         (JSC::JIT::compileSetupVarargsFrame):
3082         * jit/JITCall32_64.cpp:
3083         (JSC::JIT::compileSetupVarargsFrame):
3084         * jit/JITInlines.h:
3085         (JSC::JIT::callOperation):
3086         (JSC::JIT::emitGetFromCallFrameHeaderPtr): Deleted.
3087         (JSC::JIT::emitGetFromCallFrameHeader32): Deleted.
3088         (JSC::JIT::emitGetFromCallFrameHeader64): Deleted.
3089         * jit/JITOperations.cpp:
3090         * jit/JITOperations.h:
3091         * jit/SetupVarargsFrame.cpp: Added.
3092         (JSC::emitSetupVarargsFrameFastCase):
3093         * jit/SetupVarargsFrame.h: Added.
3094         * llint/LLIntSlowPaths.cpp:
3095         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3096         * runtime/Arguments.cpp:
3097         (JSC::Arguments::copyToArguments):
3098         * runtime/Arguments.h:
3099         * runtime/JSArray.cpp:
3100         (JSC::JSArray::copyToArguments):
3101         * runtime/JSArray.h:
3102
3103 2015-02-09  Filip Pizlo  <fpizlo@apple.com>
3104
3105         DFG call codegen should resolve the callee operand as late as possible
3106         https://bugs.webkit.org/show_bug.cgi?id=141398
3107
3108         Reviewed by Mark Lam.
3109         
3110         This is mostly a benign restructuring to help with the implementation of
3111         https://bugs.webkit.org/show_bug.cgi?id=141332.
3112
3113         * dfg/DFGSpeculativeJIT32_64.cpp:
3114         (JSC::DFG::SpeculativeJIT::emitCall):
3115         * dfg/DFGSpeculativeJIT64.cpp:
3116         (JSC::DFG::SpeculativeJIT::emitCall):
3117
3118 2015-02-08  Filip Pizlo  <fpizlo@apple.com>
3119
3120         DFG should only have two mechanisms for describing effectfulness of nodes; previously there were three
3121         https://bugs.webkit.org/show_bug.cgi?id=141369
3122
3123         Reviewed by Michael Saboff.
3124
3125         We previously used the NodeMightClobber and NodeClobbersWorld NodeFlags to describe
3126         effectfulness.  Starting over a year ago, we introduced a more powerful mechanism - the
3127         DFG::clobberize() function.  Now we only have one remaining client of the old NodeFlags,
3128         and everyone else uses DFG::clobberize().  We should get rid of those NodeFlags and
3129         finally switch everyone over to DFG::clobberize().
3130         
3131         Unfortunately there is still another place where effectfulness of nodes is described: the
3132         AbstractInterpreter. This is because the AbstractInterpreter has special tuning both for
3133         compile time performance and there are places where the AI is more precise than
3134         clobberize() because of its flow-sensitivity.
3135         
3136         This means that after this change there will be only two places, rather than three, where
3137         the effectfulness of a node has to be described:
3138
3139         - DFG::clobberize()
3140         - DFG::AbstractInterpreter
3141
3142         * dfg/DFGClobberize.cpp:
3143         (JSC::DFG::clobbersWorld):
3144         * dfg/DFGClobberize.h:
3145         * dfg/DFGDoesGC.cpp:
3146         (JSC::DFG::doesGC):
3147         * dfg/DFGFixupPhase.cpp:
3148         (JSC::DFG::FixupPhase::fixupNode):
3149         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
3150         (JSC::DFG::FixupPhase::convertToGetArrayLength):
3151         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
3152         * dfg/DFGGraph.h:
3153         (JSC::DFG::Graph::isPredictedNumerical): Deleted.
3154         (JSC::DFG::Graph::byValIsPure): Deleted.
3155         (JSC::DFG::Graph::clobbersWorld): Deleted.
3156         * dfg/DFGNode.h:
3157         (JSC::DFG::Node::convertToConstant):
3158         (JSC::DFG::Node::convertToGetLocalUnlinked):
3159         (JSC::DFG::Node::convertToGetByOffset):
3160         (JSC::DFG::Node::convertToMultiGetByOffset):
3161         (JSC::DFG::Node::convertToPutByOffset):
3162         (JSC::DFG::Node::convertToMultiPutByOffset):
3163         * dfg/DFGNodeFlags.cpp:
3164         (JSC::DFG::dumpNodeFlags):
3165         * dfg/DFGNodeFlags.h:
3166         * dfg/DFGNodeType.h:
3167
3168 2015-02-09  Csaba Osztrogonác  <ossy@webkit.org>
3169
3170         Fix the !ENABLE(DFG_JIT) build
3171         https://bugs.webkit.org/show_bug.cgi?id=141387
3172
3173         Reviewed by Darin Adler.
3174
3175         * jit/Repatch.cpp:
3176
3177 2015-02-08  Benjamin Poulain  <benjamin@webkit.org>
3178
3179         Remove a few duplicate propagation steps from the DFG's PredictionPropagation phase
3180         https://bugs.webkit.org/show_bug.cgi?id=141363
3181
3182         Reviewed by Darin Adler.
3183
3184         * dfg/DFGPredictionPropagationPhase.cpp:
3185         (JSC::DFG::PredictionPropagationPhase::propagate):
3186         Some blocks were duplicated; they probably evolved separately
3187         to the same state.
3188
3189 2015-02-08  Benjamin Poulain  <benjamin@webkit.org>
3190
3191         Remove useless declarations and a stale comment from DFGByteCodeParser.h
3192         https://bugs.webkit.org/show_bug.cgi?id=141361
3193
3194         Reviewed by Darin Adler.
3195
3196         The comment refers to the original form of the ByteCodeParser:
3197             parse(Graph&, JSGlobalData*, CodeBlock*, unsigned startIndex);
3198
3199         That form is long dead; the comment is more misleading than anything.
3200
3201         * dfg/DFGByteCodeParser.cpp:
3202         * dfg/DFGByteCodeParser.h:
3203
3204 2015-02-08  Benjamin Poulain  <benjamin@webkit.org>
3205
3206         Encapsulate DFG::Plan's beforeFTL timestamp
3207         https://bugs.webkit.org/show_bug.cgi?id=141360
3208
3209         Reviewed by Darin Adler.
3210
3211         Make the attribute private; it is internal state.
3212
3213         Rename beforeFTL->timeBeforeFTL for readability.
3214
3215         * dfg/DFGPlan.cpp:
3216         (JSC::DFG::Plan::compileInThread):
3217         (JSC::DFG::Plan::compileInThreadImpl):
3218         * dfg/DFGPlan.h:
3219
3220 2015-02-08  Benjamin Poulain  <bpoulain@apple.com>
3221
3222         Remove DFGNode::hasArithNodeFlags()
3223         https://bugs.webkit.org/show_bug.cgi?id=141319
3224
3225         Reviewed by Michael Saboff.
3226
3227         * dfg/DFGNode.h:
3228         (JSC::DFG::Node::hasArithNodeFlags): Deleted.
3229         Unused code is unused.
3230
3231 2015-02-07  Chris Dumez  <cdumez@apple.com>
3232
3233         Add Vector::removeFirstMatching() / removeAllMatching() methods taking lambda functions
3234         https://bugs.webkit.org/show_bug.cgi?id=141321
3235
3236         Reviewed by Darin Adler.
3237
3238         Use new Vector::removeFirstMatching() / removeAllMatching() methods.
3239
3240 2015-02-06  Filip Pizlo  <fpizlo@apple.com>
3241
3242         DFG SSA shouldn't have SetArgument nodes
3243         https://bugs.webkit.org/show_bug.cgi?id=141342
3244
3245         Reviewed by Mark Lam.
3246
3247         I was wondering why we kept the SetArgument around for captured
3248         variables. It turns out we did so because we thought we had to, even
3249         though we didn't have to. The node is meaningless in SSA.
3250
3251         * dfg/DFGSSAConversionPhase.cpp:
3252         (JSC::DFG::SSAConversionPhase::run):
3253         * ftl/FTLLowerDFGToLLVM.cpp:
3254         (JSC::FTL::LowerDFGToLLVM::compileNode):
3255
3256 2015-02-06  Filip Pizlo  <fpizlo@apple.com>
3257
3258         It should be possible to use the DFG SetArgument node to indicate that someone set the value of a local out-of-band
3259         https://bugs.webkit.org/show_bug.cgi?id=141337
3260
3261         Reviewed by Mark Lam.
3262
3263         This mainly involved ensuring that SetArgument behaves just like SetLocal from a CPS standpoint, but with a special case for those SetArguments that
3264         are associated with the prologue.
3265
3266         * dfg/DFGCPSRethreadingPhase.cpp:
3267         (JSC::DFG::CPSRethreadingPhase::run):
3268         (JSC::DFG::CPSRethreadingPhase::canonicalizeSet):
3269         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
3270         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
3271         (JSC::DFG::CPSRethreadingPhase::canonicalizeSetLocal): Deleted.
3272         (JSC::DFG::CPSRethreadingPhase::canonicalizeSetArgument): Deleted.
3273
3274 2015-02-06  Mark Lam  <mark.lam@apple.com>
3275
3276         MachineThreads should be ref counted.
3277         <https://webkit.org/b/141317>
3278
3279         Reviewed by Filip Pizlo.
3280
3281         The VM's MachineThreads registry object is being referenced from other
3282         threads as a raw pointer.  In a scenario where the VM is destructed on
3283         the main thread, there is no guarantee that another thread isn't still
3284         holding a reference to the registry and will eventually invoke
3285         removeThread() on it on thread exit.  Hence, there's a possible use
3286         after free scenario here.
3287
3288         The fix is to make MachineThreads ThreadSafeRefCounted, and have all
3289         threads that reference it keep a RefPtr to it to ensure that it stays
3290         alive until the very last thread is done with it.
3291
3292         * API/tests/testapi.mm:
3293         (useVMFromOtherThread): - Renamed to be more descriptive.
3294         (useVMFromOtherThreadAndOutliveVM):
3295         - Added a test that has another thread which uses the VM outlive the
3296           VM to confirm that there is no crash.
3297
3298           However, I was not actually able to get the VM to crash without this
3299         patch because I wasn't always able to get the thread destructor to be
3300           called.  With this patch applied, I did verify with some logging that
3301           the MachineThreads registry is only destructed after all threads
3302           have removed themselves from it.
3303
3304         (threadMain): Deleted.
3305
3306         * heap/Heap.cpp:
3307         (JSC::Heap::Heap):
3308         (JSC::Heap::~Heap):
3309         (JSC::Heap::gatherStackRoots):
3310         * heap/Heap.h:
3311         (JSC::Heap::machineThreads):
3312         * heap/MachineStackMarker.cpp:
3313         (JSC::MachineThreads::Thread::Thread):
3314         (JSC::MachineThreads::addCurrentThread):
3315         (JSC::MachineThreads::removeCurrentThread):
3316         * heap/MachineStackMarker.h:
3317
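        The lifetime bug described in the entry above (a registry shared with other threads as a raw pointer, then freed with the VM) is easiest to see replayed in miniature. The block below is an added example, not JavaScriptCore code: the names ThreadRegistry, VM, ThreadExitData and runLifetimeScenario are hypothetical, std::shared_ptr stands in for WTF's ThreadSafeRefCounted/RefPtr, and the "other thread" is simulated in sequence on one thread so the result is deterministic. It shows the registry outliving the VM and the late removeThread() call landing on live memory.

```cpp
#include <algorithm>
#include <cassert>
#include <cstddef>
#include <memory>
#include <mutex>
#include <vector>

// Hypothetical stand-in for JSC's MachineThreads registry: it records which
// threads may hold JS values on their stacks so the collector can scan them.
// Destruction is counted so a test can observe exactly when it dies.
struct ThreadRegistry {
    static int destroyed;            // registries destroyed so far
    std::mutex lock;
    std::vector<int> threadIds;      // constructed sample data: registered thread ids

    ~ThreadRegistry() { ++destroyed; }

    void addThread(int id) {
        std::lock_guard<std::mutex> guard(lock);
        threadIds.push_back(id);
    }
    void removeThread(int id) {
        std::lock_guard<std::mutex> guard(lock);
        threadIds.erase(std::remove(threadIds.begin(), threadIds.end(), id), threadIds.end());
    }
    std::size_t size() {
        std::lock_guard<std::mutex> guard(lock);
        return threadIds.size();
    }
};
int ThreadRegistry::destroyed = 0;

// Hypothetical VM: creates the registry. With shared ownership the registry
// lives as long as *any* holder, not only as long as the VM.
struct VM {
    std::shared_ptr<ThreadRegistry> registry = std::make_shared<ThreadRegistry>();
};

// What a thread's exit hook keeps: a strong reference rather than a raw
// pointer, so removeThread() after the VM is gone touches live memory.
struct ThreadExitData {
    std::shared_ptr<ThreadRegistry> registry;
    int id = 0;
    void onThreadExit() {
        registry->removeThread(id);
        registry.reset();            // drop the last reference if we are last
    }
};

struct Outcome {
    std::size_t threadsAfterVmGone;  // entries still registered once the VM is destroyed
    int destroyedAfterVmGone;        // registries destroyed at that point (expect 0)
    int destroyedAfterThreadExit;    // registries destroyed after the late removal (expect 1)
};

// Replays the scenario from the ChangeLog entry: the VM is destroyed on the
// main thread while another thread still holds the registry and removes
// itself only later.
Outcome runLifetimeScenario() {
    ThreadRegistry::destroyed = 0;
    ThreadExitData worker;
    {
        VM vm;
        vm.registry->addThread(1);                 // main thread registers itself
        worker = ThreadExitData{vm.registry, 2};   // another thread takes a strong ref
        vm.registry->addThread(worker.id);
        vm.registry->removeThread(1);              // main thread leaves first
    }   // VM and its reference are gone; the registry survives via `worker`
    Outcome out{};
    out.threadsAfterVmGone = worker.registry->size();
    out.destroyedAfterVmGone = ThreadRegistry::destroyed;
    worker.onThreadExit();                         // late removeThread(): no use-after-free
    out.destroyedAfterThreadExit = ThreadRegistry::destroyed;
    return out;
}
```

        With a raw pointer in ThreadExitData the same sequence would dereference freed memory at the onThreadExit() call; with shared ownership the destructor counter only advances after the last holder lets go, which is the property the patch's logging verified.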
3318 2015-02-06  Commit Queue  <commit-queue@webkit.org>
3319
3320         Unreviewed, rolling out r179743.
3321         https://bugs.webkit.org/show_bug.cgi?id=141335
3322
3323         caused missing symbols in non-WebKit clients of WTF::Vector
3324         (Requested by kling on #webkit).
3325
3326         Reverted changeset:
3327
3328         "Remove WTF::fastMallocGoodSize()."
3329         https://bugs.webkit.org/show_bug.cgi?id=141020
3330         http://trac.webkit.org/changeset/179743
3331
3332 2015-02-04  Filip Pizlo  <fpizlo@apple.com>
3333
3334         Remove BytecodeGenerator::preserveLastVar() and replace it with a more robust mechanism for preserving non-temporary registers
3335         https://bugs.webkit.org/show_bug.cgi?id=141211
3336
3337         Reviewed by Mark Lam.
3338
3339         Previously, the way non-temporary registers were preserved (i.e. not reclaimed anytime
3340         we did newTemporary()) was by calling preserveLastVar() after all non-temps are created. It
3341         would raise the refcount on the last (highest-numbered) variable created, and rely on
3342         the fact that register reclamation started at higher-numbered registers and worked its
3343         way down. So any retained register would block any lower-numbered registers from being
3344         reclaimed.
3345         
3346         Also, preserveLastVar() sets a thing called m_firstConstantIndex. It's unused.
3347         
3348         This removes preserveLastVar() and makes addVar() retain each register it creates. This
3349         is more explicit, since addVar() is the mechanism for creating non-temporary registers.
3350         
3351         To make this work I had to remove an assertion that Register::setIndex() can only be
3352         we had already made all
3353         change its index. This previously worked because preserveLastVar() would be called after
3354         we had already made all&nbs