Removing PAGE_VISIBILITY_API compile guard.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-06-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        Removing PAGE_VISIBILITY_API compile guard.
        https://bugs.webkit.org/show_bug.cgi?id=133844

        Reviewed by Gavin Barraclough.

        * Configurations/FeatureDefines.xcconfig:

2014-06-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        ARM traditional buildfix after r169942.
        https://bugs.webkit.org/show_bug.cgi?id=134100

        Reviewed by Zoltan Herczeg.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::abortWithReason): Added.

2014-06-20  Andreas Kling  <akling@apple.com>

        [Cocoa] Release freed up blocks from the JS heap after simulated memory pressure.
        <https://webkit.org/b/134112>

        Reviewed by Mark Hahnenberg.

        * heap/BlockAllocator.h:

2014-06-19  Alex Christensen  <achristensen@webkit.org>

        Unreviewed fix after r170130.

        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj:
        Corrected directory so it can find common.props when opening Visual Studio.

2014-06-19  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        Remove ENABLE(LLINT) and ENABLE(LLINT_C_LOOP) guards
        https://bugs.webkit.org/show_bug.cgi?id=130389

        Reviewed by Mark Lam.

        Removed ENABLE(LLINT) since we always build with it, and changed ENABLE(LLINT_C_LOOP)
        into !ENABLE(JIT) since they are mutually exclusive.

        * CMakeLists.txt:
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
        (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
        * assembler/MaxFrameExtentForSlowPathCall.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFromLLInt):
        * bytecode/CodeBlock.cpp:
        (JSC::dumpStructure):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::unlinkCalls):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::linkIncomingCall):
        (JSC::CodeBlock::frameRegisterCount):
        * bytecode/CodeBlock.h:
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitConstruct):
        * heap/Heap.cpp:
        (JSC::Heap::gatherJSStackRoots):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::initialize):
        (JSC::Interpreter::isOpcode):
        * interpreter/Interpreter.h:
        (JSC::Interpreter::getOpcodeID):
        * interpreter/JSStack.cpp:
        (JSC::JSStack::JSStack):
        (JSC::JSStack::committedByteCount):
        * interpreter/JSStack.h:
        * interpreter/JSStackInlines.h:
        (JSC::JSStack::ensureCapacityFor):
        (JSC::JSStack::topOfFrameFor):
        (JSC::JSStack::setStackLimit):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        * jit/JIT.h:
        (JSC::JIT::compileCTINativeCall):
        * jit/JITExceptions.h:
        * jit/JITThunks.cpp:
        (JSC::JITThunks::ctiNativeCall):
        (JSC::JITThunks::ctiNativeConstruct):
        * llint/LLIntCLoop.cpp:
        * llint/LLIntCLoop.h:
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntData.h:
        (JSC::LLInt::Data::performAssertions): Deleted.
        * llint/LLIntEntrypoint.cpp:
        * llint/LLIntEntrypoint.h:
        * llint/LLIntExceptions.cpp:
        * llint/LLIntExceptions.h:
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntOffsetsExtractor.cpp:
        (JSC::LLIntOffsetsExtractor::dummy):
        * llint/LLIntOpcode.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LLIntThunks.cpp:
        * llint/LLIntThunks.h:
        * llint/LowLevelInterpreter.cpp:
        * llint/LowLevelInterpreter.h:
        * runtime/CommonSlowPaths.cpp:
        * runtime/CommonSlowPaths.h:
        * runtime/ErrorHandlingScope.cpp:
        (JSC::ErrorHandlingScope::ErrorHandlingScope):
        (JSC::ErrorHandlingScope::~ErrorHandlingScope):
        * runtime/Executable.cpp:
        (JSC::setupLLInt):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::sanitizeStackForVM):
        * runtime/VM.h:
        (JSC::VM::canUseJIT): Deleted.

2014-06-18  Alex Christensen  <achristensen@webkit.org>

        Add FTL to Windows build.
        https://bugs.webkit.org/show_bug.cgi?id=134015

        Reviewed by Filip Pizlo.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        Added ftl source files.
        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
        Added ftl and llvm directories to include path.
        * JavaScriptCore.vcxproj/libllvmForJSC: Added.
        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Added.
        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Added.
        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Added.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
        MSVC doesn't like to divide by zero while compiling.  Use std::nan instead.
        * llvm/InitializeLLVMWin.cpp: Added.
        (JSC::initializeLLVMImpl):
        Implemented dynamic loading and linking for Windows.

2014-06-18  Alex Christensen  <achristensen@webkit.org>

        Unreviewed build fix after r170107.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        Use non-template sub for armv7s.

2014-06-18  David Kilzer  <ddkilzer@apple.com>

        -[JSContext setName:] leaks NSString
        <http://webkit.org/b/134038>

        Reviewed by Joseph Pecoraro.

        Fixes the following static analyzer warning:

            JavaScriptCore/API/JSContext.mm:200:73: warning: Potential leak of an object
                JSStringRef nameJS = name ? JSStringCreateWithCFString((CFStringRef)[name copy]) : nullptr;
                                                                                    ^

        * API/JSContext.mm:
        (-[JSContext setName:]): Autorelease the copy of |name|.

2014-06-18  Mark Lam  <mark.lam@apple.com>

        DFGGraph::m_doubleConstantMap will not map 0 values correctly.
        <https://webkit.org/b/133994>

        Reviewed by Geoffrey Garen.

        DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
        because it means two unfortunate things:
        - It will probably break for zero.
        - It will think that -0 is the same as +0 under some circumstances, since
          -0==+0 even though they are distinct values (for example 1/-0 != 1/+0).

        The fix is to use std::unordered_map which does not require special empty
        and deleted values, and to use the raw bits instead of the double value as
        the key.

        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::addressOfDoubleConstant):

2014-06-18  Alex Christensen  <achristensen@webkit.org>

        Remove duplicate code using sdiv.
        https://bugs.webkit.org/show_bug.cgi?id=133764

        Reviewed by Daniel Bates.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::sdiv):
        Make sdiv a template to match arm64.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithDiv):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        Remove duplicate code that was identical except for sdiv not being a template.

2014-06-17  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r170082.
        https://bugs.webkit.org/show_bug.cgi?id=134006

        Breaks build. (Requested by mlam on #webkit).

        Reverted changeset:

        "DFGGraph::m_doubleConstantMap will not map 0 values
        correctly."
        https://bugs.webkit.org/show_bug.cgi?id=133994
        http://trac.webkit.org/changeset/170082

2014-06-17  Mark Lam  <mark.lam@apple.com>

        DFGGraph::m_doubleConstantMap will not map 0 values correctly.
        <https://webkit.org/b/133994>

        Reviewed by Geoffrey Garen.

        DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
        because it means two unfortunate things:
        - It will probably break for zero.
        - It will think that -0 is the same as +0 under some circumstances, since
          -0==+0 even though they are distinct values (for example 1/-0 != 1/+0).

        The fix is to use std::unordered_map which does not require special empty
        and deleted values, and to use the raw bits instead of the double value as
        the key.

        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::addressOfDoubleConstant):

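The two Mark Lam entries above (the original 2014-06-17 commit and its 2014-06-18 reland) explain why a double constant map must not be keyed on the double value itself. The C++ below is an added illustration written for this page, not JSC's DFGGraph or DFGJITCompiler code: it builds a pool keyed on the double value and a pool keyed on the raw IEEE-754 bits, both on std::unordered_map, and shows which constants each one merges. The pool names, the helper functions, the constructed sample stream and the NaN case are this example's own additions; the entry itself names only zero and -0/+0, and the zero problem it refers to (a HashMap that reserves special empty and deleted key values) is not modelled here because std::unordered_map has no such sentinel.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <limits>
#include <unordered_map>

// Added illustration for this page, not JSC's DFGGraph code.

// Reinterpret a double as its raw IEEE-754 bit pattern (the key the fix uses).
static inline uint64_t doubleBits(double value)
{
    static_assert(sizeof(uint64_t) == sizeof(double), "double is assumed to be 64 bits");
    uint64_t bits;
    std::memcpy(&bits, &value, sizeof(bits));
    return bits;
}

// Pool keyed on the double value: find() compares keys with operator==, so
// -0.0 and +0.0 collapse into one key, and NaN (never == to itself) is never
// found again, so every NaN constant gets a fresh slot.
struct ValueKeyedConstantPool {
    std::unordered_map<double, int> slots;

    int intern(double constant)
    {
        auto it = slots.find(constant);
        if (it != slots.end())
            return it->second;
        int index = static_cast<int>(slots.size());
        slots.emplace(constant, index);
        return index;
    }
};

// Pool keyed on the bit pattern: -0.0 (0x8000000000000000) and +0.0 (0x0) are
// distinct keys, and a NaN with a given encoding always maps to the same slot.
struct BitKeyedConstantPool {
    std::unordered_map<uint64_t, int> slots;

    int intern(double constant)
    {
        uint64_t key = doubleBits(constant);
        auto it = slots.find(key);
        if (it != slots.end())
            return it->second;
        int index = static_cast<int>(slots.size());
        slots.emplace(key, index);
        return index;
    }
};

// True when a fresh pool hands the two constants the same slot.
bool valueKeyedSharesSlot(double a, double b)
{
    ValueKeyedConstantPool pool;
    return pool.intern(a) == pool.intern(b);
}

bool bitKeyedSharesSlot(double a, double b)
{
    BitKeyedConstantPool pool;
    return pool.intern(a) == pool.intern(b);
}

// Constructed sample stream: +0, -0, 1.5 and the same quiet NaN three times.
static const double kSampleConstants[] = {
    0.0, -0.0, 1.5,
    std::numeric_limits<double>::quiet_NaN(),
    std::numeric_limits<double>::quiet_NaN(),
    std::numeric_limits<double>::quiet_NaN(),
};
static const size_t kSampleCount = sizeof(kSampleConstants) / sizeof(kSampleConstants[0]);

// Number of slots each pool allocates for a stream of constants.
size_t valueKeyedSlotCount(const double* constants, size_t count)
{
    ValueKeyedConstantPool pool;
    for (size_t i = 0; i < count; ++i)
        pool.intern(constants[i]);
    return pool.slots.size();
}

size_t bitKeyedSlotCount(const double* constants, size_t count)
{
    BitKeyedConstantPool pool;
    for (size_t i = 0; i < count; ++i)
        pool.intern(constants[i]);
    return pool.slots.size();
}

int main()
{
    std::printf("+0 and -0 share a slot: value-keyed=%d bit-keyed=%d\n",
        valueKeyedSharesSlot(0.0, -0.0), bitKeyedSharesSlot(0.0, -0.0));
    std::printf("slots for sample stream: value-keyed=%zu bit-keyed=%zu\n",
        valueKeyedSlotCount(kSampleConstants, kSampleCount),
        bitKeyedSlotCount(kSampleConstants, kSampleCount));
    return 0;
}
```

Keying on the bits is the only choice that preserves the distinction the entry cares about (1/-0 != 1/+0): a JIT that emits the +0 constant where -0 was meant changes the sign of a division result. The NaN behaviour is the same defect from the other side: with value keys the pool can never find a NaN it already stored, so the table grows by one entry per NaN use.
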
2014-06-17  Oliver Hunt  <oliver@apple.com>

        Fix error messages for incorrect hex literals
        https://bugs.webkit.org/show_bug.cgi?id=133998

        Reviewed by Mark Lam.

        Ensure that the error messages for bogus hex literals actually
        make sense.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::lex):
        * parser/ParserTokens.h:

2014-06-17  Matthew Mirman  <mmirman@apple.com>

        Fixes bug where building JSC sometimes crashes at build-symbol-table-index.py. Also adds licenses.
        https://bugs.webkit.org/show_bug.cgi?id=133814

        Reviewed by Filip Pizlo.

        Adds the "shopt -s nullglob" line necessary to prevent the loop in the shell
        script from using "*.o" as a file when no other files in the directory exist.

        * build-symbol-table-index.sh: Added license.
        * copy-llvm-ir-to-derived-sources.sh: Added license and "shopt -s nullglob" line.

2014-06-16  Sam Weinig  <sam@webkit.org>

        Move forward declaration of bindings static functions into their implementation files
        https://bugs.webkit.org/show_bug.cgi?id=133943

        Reviewed by Geoffrey Garen.

        * runtime/CommonIdentifiers.h:
        Add a few identifiers that are needed by the DOM.

2014-06-16  Mark Lam  <mark.lam@apple.com>

        Parser statementDepth accounting needs to account for when a function body excludes its braces.
        <https://webkit.org/b/133832>

        Reviewed by Oliver Hunt.

        In some cases (e.g. when a Function object is instantiated from a string), the
        function body source may not include its braces.  The parser needs to account
        for this when calculating its statementDepth.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::codeBlockFor):
        * bytecode/UnlinkedCodeBlock.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseStatement):
        - Also fixed the error message for declaring nested functions in strict mode
          to be more accurate.
        * parser/Parser.h:
        (JSC::Parser<LexerType>::parse):
        (JSC::parse):
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):

2014-06-16  Juergen Ributzka  <juergen@apple.com>

        Change the order of the alias analysis passes to align with the opt pipeline of LLVM
        https://bugs.webkit.org/show_bug.cgi?id=133753

        Reviewed by Geoffrey Garen.

        The order in which the alias analysis passes are added also affects the
        order in which they are utilized. Change the order to align with the
        one used by LLVM itself. The last alias analysis pass added will be
        evaluated first. With this change we first perform a basic alias
        analysis and then use the type-based alias analysis (if required).

        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):

2014-06-16  Juergen Ributzka  <juergen@apple.com>

        Fix the arguments passed to the LLVM dylib
        https://bugs.webkit.org/show_bug.cgi?id=133757

        Reviewed by Geoffrey Garen.

        The LLVM command line argument parser assumes that the first argument
        is the program name. We need to add a fake program name, otherwise the
        first argument will be parsed as program name and ignored.

        * llvm/library/LLVMExports.cpp:
        (initializeAndGetJSCLLVMAPI):

2014-06-16  Michael Saboff  <msaboff@apple.com>

        Convert ASSERT in inlineFunctionForCapabilityLevel to early return
        https://bugs.webkit.org/show_bug.cgi?id=133903

        Reviewed by Mark Hahnenberg.

        Hardened code by converting ASSERT to return CannotCompile.

        * dfg/DFGCapabilities.h:
        (JSC::DFG::inlineFunctionForCapabilityLevel):

2014-06-13  Sam Weinig  <sam@webkit.org>

        Store DOM constants directly in the JS object rather than jumping through a custom accessor
        https://bugs.webkit.org/show_bug.cgi?id=133898

        Reviewed by Oliver Hunt.

        * runtime/Lookup.h:
        (JSC::HashTableValue::attributes):
        Switch attributes to be stored as an unsigned rather than an unsigned char, since there is no difference in memory use
        and will make adding more flags possible.

        (JSC::HashTableValue::propertyGetter):
        (JSC::HashTableValue::propertyPutter):
        Change assertion to use BuiltinOrFunctionOrConstant.

        (JSC::HashTableValue::constantInteger):
        Added.

        (JSC::getStaticPropertySlot):
        (JSC::getStaticValueSlot):
        Use PropertySlot::setValue() for constants during static lookup.

        (JSC::reifyStaticProperties):
        Put the constant directly on the object when eagerly reifying.

        * runtime/PropertySlot.h:
        Add ConstantInteger flag and BuiltinOrFunctionOrConstant helper.

2014-06-14  Michael Saboff  <msaboff@apple.com>

        operationCreateArguments could cause a GC during OSR exit
        https://bugs.webkit.org/show_bug.cgi?id=133905

        Reviewed by Filip Pizlo.

        Defer GC via new wrapper functions for operationCreateArguments and operationCreateInlinedArguments
        for use by OSR exit stubs.

        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::ArgumentsRecoveryGenerator::generateFor):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:

2014-06-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        OSR exit should barrier the Executables for all InlineCallFrames, not just those on the stack at the time of exit
        https://bugs.webkit.org/show_bug.cgi?id=133880

        Reviewed by Filip Pizlo.

        We could have exited due to a value received from an inlined block that's no longer on
        the stack, so we should just barrier all InlineCallFrames.

        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::adjustAndJumpToTarget):

2014-06-13  Alex Christensen  <achristensen@webkit.org>

        Make css jit compile for armv7.
        https://bugs.webkit.org/show_bug.cgi?id=133596

        Reviewed by Benjamin Poulain.

        * assembler/MacroAssembler.h:
        Use branchPtr on ARM_THUMB2.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::addPtrNoFlags):
        (JSC::MacroAssemblerARMv7::or32):
        (JSC::MacroAssemblerARMv7::test32):
        (JSC::MacroAssemblerARMv7::branch):
        (JSC::MacroAssemblerARMv7::branchPtr):
        Added macros necessary for css jit.

2014-06-13  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix ARMv7.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::abortWithReason):

2014-06-12  Filip Pizlo  <fpizlo@apple.com>

        Even better diagnostics from DFG traps
        https://bugs.webkit.org/show_bug.cgi?id=133836

        Reviewed by Oliver Hunt.

        We now stuff the DFG::NodeType into a register before bailing. Also made the
        DFGBailed abort reason a bit more specific. As planned, the new abort reasons use
        different numbers than any previous abort reasons.

        * assembler/AbortReason.h:
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::abortWithReason):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::abortWithReason):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::abortWithReason):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::abortWithReason):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::bail):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        * dfg/DFGSpeculativeJIT.h:

2014-06-12  Simon Fraser  <simon.fraser@apple.com>

        Fix assertions under JSC::setNeverInline() when running js tests in WebKitTestRunner
        https://bugs.webkit.org/show_bug.cgi?id=133840

        Reviewed by Filip Pizlo.

        Fix ASSERT(exec->vm().currentThreadIsHoldingAPILock()); under JSC::setNeverInline()
        when running DFG tests.

        * API/JSCTestRunnerUtils.cpp:
        (JSC::numberOfDFGCompiles):
        (JSC::setNeverInline):

2014-06-12  Brent Fulgham  <bfulgham@apple.com>

        [Win] Avoid fork bomb during build
        https://bugs.webkit.org/show_bug.cgi?id=133837
        <rdar://problem/17296034>

        Reviewed by Tim Horton.

        * JavaScriptCore.vcxproj/build-generated-files.sh: Use a
        reasonable default value when the 'num-cpus' script is not available.

2014-06-12  Mark Lam  <mark.lam@apple.com>

        Remove some dead / unused code.
        <https://webkit.org/b/133828>

        Reviewed by Filip Pizlo.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::create):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::makeFunction):
        * parser/Parser.h:
        (JSC::DepthManager::DepthManager): Deleted.
        (JSC::DepthManager::~DepthManager): Deleted.
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):

515
516 2014-06-12  Mark Hahnenberg  <mhahnenberg@apple.com>
517
518         Move structureHasRareData out of TypeInfo
519         https://bugs.webkit.org/show_bug.cgi?id=133800
520
521         Reviewed by Andreas Kling.
522
523         StructureHasRareData was originally put in TypeInfo to avoid making Structure bigger, 
524         but we have a few spare bits in Structure so it would be nice to remove this hack.
525
526         * runtime/JSTypeInfo.h:
527         (JSC::TypeInfo::newImpurePropertyFiresWatchpoints):
528         (JSC::TypeInfo::structureHasRareData): Deleted.
529         * runtime/Structure.cpp:
530         (JSC::Structure::Structure):
531         (JSC::Structure::allocateRareData):
532         (JSC::Structure::cloneRareDataFrom):
533         * runtime/Structure.h:
534         (JSC::Structure::previousID):
535         (JSC::Structure::objectToStringValue):
536         (JSC::Structure::setObjectToStringValue):
537         (JSC::Structure::setPreviousID):
538         (JSC::Structure::clearPreviousID):
539         (JSC::Structure::previous):
540         (JSC::Structure::rareData):
541         * runtime/StructureInlines.h:
542         (JSC::Structure::setEnumerationCache):
543         (JSC::Structure::enumerationCache):
544
545 2014-06-12  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>
546
547         Allow enum guards to be generated from the replay json files
548         https://bugs.webkit.org/show_bug.cgi?id=133399
549
550         Reviewed by Csaba Osztrogonác.
551
552         * replay/scripts/CodeGeneratorReplayInputs.py:
553         (Type.__init__):
554         (InputsModel.parse_type_with_framework_name):
555         (Generator.generate_header):
556         (Generator.generate_implementation):
557         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Added.
558         (Test::HandleWheelEvent::HandleWheelEvent):
559         (Test::HandleWheelEvent::~HandleWheelEvent):
560         (JSC::InputTraits<Test::HandleWheelEvent>::type):
561         (JSC::InputTraits<Test::HandleWheelEvent>::encode):
562         (JSC::InputTraits<Test::HandleWheelEvent>::decode):
563         (JSC::EncodingTraits<WebCore::PlatformWheelEventPhase>::encodeValue):
564         (JSC::EncodingTraits<WebCore::PlatformWheelEventPhase>::decodeValue):
565         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Added.
566         (JSC::InputTraits<Test::HandleWheelEvent>::queue):
567         (Test::HandleWheelEvent::platformEvent):
568         * replay/scripts/tests/generate-enum-with-guard.json: Added.
569
570 2014-06-12  Carlos Garcia Campos  <cgarcia@igalia.com>
571
572         Unreviewed. Fix GTK+ build after r169823.
573
574         Include StructureInlines.h in a few more files to fix linking
575         issues due to JSC::Structure::get undefined symbol.
576
577         * runtime/ArrayIteratorConstructor.cpp:
578         * runtime/ArrayIteratorPrototype.cpp:
579         * runtime/JSConsole.cpp:
580         * runtime/JSMapIterator.cpp:
581         * runtime/JSSet.cpp:
582         * runtime/JSSetIterator.cpp:
583         * runtime/JSWeakMap.cpp:
584         * runtime/MapIteratorPrototype.cpp:
585         * runtime/MapPrototype.cpp:
586         * runtime/SetIteratorPrototype.cpp:
587         * runtime/SetPrototype.cpp:
588         * runtime/WeakMapPrototype.cpp:
589
590 2014-06-12  Csaba Osztrogonác  <ossy@webkit.org>
591
592         [EFL] One more URTBF after r169823 to make ARM64 build happy too.
593
594         * runtime/JSMap.cpp:
595
596 2014-06-11  Mark Hahnenberg  <mhahnenberg@apple.com>
597
598         Inline caching should try to flatten uncacheable dictionaries
599         https://bugs.webkit.org/show_bug.cgi?id=133683
600
601         Reviewed by Geoffrey Garen.
602
603         There exists a body of JS code that deletes properties off of objects (especially function/constructor objects), 
604         which puts them into an uncacheable dictionary state. This prevents all future inline caching for these objects. 
605         If properties are deleted out of the object during its initialization, we can enable caching for that object by 
606         attempting to flatten it when we see we're trying to do inline caching with that object. We then record that we 
607         performed this flattening optimization in the object's Structure. If it ever re-enters the uncacheable dictionary 
608         state then we can just give up on caching that object.
609
610         In refactoring some of the code in tryCacheGetById and tryBuildGetByIdList to reduce some duplication, I added
611         the InlineCacheAction enum, a new way to indicate the success or failure of an inline caching attempt. I changed
612         the other inline caching functions to return this enum rather than the opaque booleans that we were previously 
613         returning.
614
615         * jit/Repatch.cpp:
616         (JSC::actionForCell):
617         (JSC::tryCacheGetByID):
618         (JSC::repatchGetByID):
619         (JSC::tryBuildGetByIDList):
620         (JSC::buildGetByIDList):
621         (JSC::tryCachePutByID):
622         (JSC::repatchPutByID):
623         (JSC::tryBuildPutByIdList):
624         (JSC::buildPutByIdList):
625         (JSC::tryRepatchIn):
626         (JSC::repatchIn):
627         * runtime/Structure.cpp:
628         (JSC::Structure::Structure):
629         (JSC::Structure::flattenDictionaryStructure):
630         * runtime/Structure.h:
631         (JSC::Structure::hasBeenFlattenedBefore):
632
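The flatten-once policy the entry above describes, modelled in C++ as an added example for this page rather than JSC's own Repatch.cpp or Structure code. Structure, actionForCell, flattenDictionaryStructure and hasBeenFlattenedBefore are names taken from the entry; the InlineCacheAction values (GiveUpOnCache, RetryCacheLater, AttemptToCache), the tombstone slot model of a dictionary, and the constructed scenario are this example's assumptions. It also shows a point the entry leaves implicit: flattening compacts the property slots, so an offset observed before the flatten is stale and the access site must retry rather than cache it.

```cpp
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

// Added model for this page, not JSC code. Names from the ChangeLog entry are
// reused; the enum values, the slot model and the scenario are assumptions.

enum class InlineCacheAction { GiveUpOnCache, RetryCacheLater, AttemptToCache };

// Property layout stand-in. Deleting a property leaves a tombstone and turns the
// layout into an uncacheable dictionary; flattening compacts the tombstones away
// and records that it has happened once.
struct Structure {
    struct Slot {
        std::string name;
        bool live;
    };
    std::vector<Slot> slots;
    bool isUncacheableDictionary = false;
    bool hasBeenFlattenedBefore = false;

    // Slot index an inline cache would bake into its stub, or -1 when absent.
    int offsetOf(const std::string& name) const
    {
        for (size_t i = 0; i < slots.size(); ++i) {
            if (slots[i].live && slots[i].name == name)
                return static_cast<int>(i);
        }
        return -1;
    }

    void add(const std::string& name) { slots.push_back(Slot{name, true}); }

    // A delete leaves a hole; the layout is no longer a stable, cacheable shape.
    bool remove(const std::string& name)
    {
        int offset = offsetOf(name);
        if (offset < 0)
            return false;
        slots[static_cast<size_t>(offset)].live = false;
        isUncacheableDictionary = true;
        return true;
    }

    void flattenDictionaryStructure()
    {
        std::vector<Slot> compacted;
        for (const Slot& slot : slots) {
            if (slot.live)
                compacted.push_back(slot);
        }
        slots.swap(compacted);
        isUncacheableDictionary = false;
        hasBeenFlattenedBefore = true;
    }
};

// Decision taken when an inline cache is about to be populated for an object.
InlineCacheAction actionForCell(Structure& structure)
{
    if (structure.isUncacheableDictionary) {
        // Already flattened once and back in this state: stop trying to cache it.
        if (structure.hasBeenFlattenedBefore)
            return InlineCacheAction::GiveUpOnCache;
        // First time: flatten, but retry later because flattening moves offsets.
        structure.flattenDictionaryStructure();
        return InlineCacheAction::RetryCacheLater;
    }
    return InlineCacheAction::AttemptToCache;
}

// Constructed scenario from the entry: a property is deleted during
// initialization, the object is then accessed by an inline cache twice,
// and later deletes again.
std::vector<InlineCacheAction> initThenDeleteScenario()
{
    Structure structure;
    structure.add("scratch");
    structure.add("x");
    structure.remove("scratch");                 // uncacheable dictionary

    std::vector<InlineCacheAction> actions;
    actions.push_back(actionForCell(structure)); // flattens, asks for a retry
    actions.push_back(actionForCell(structure)); // cacheable now
    structure.remove("x");                       // re-enters the uncacheable state
    actions.push_back(actionForCell(structure)); // give up for good
    return actions;
}

// Offset of "x" before and after the flatten that the first access triggers.
std::pair<int, int> offsetOfXBeforeAndAfterFlatten()
{
    Structure structure;
    structure.add("scratch");
    structure.add("x");
    structure.remove("scratch");
    int before = structure.offsetOf("x");
    actionForCell(structure);
    int after = structure.offsetOf("x");
    return std::make_pair(before, after);
}

int main()
{
    const char* names[] = { "GiveUpOnCache", "RetryCacheLater", "AttemptToCache" };
    for (InlineCacheAction action : initThenDeleteScenario())
        std::printf("%s\n", names[static_cast<int>(action)]);
    std::pair<int, int> offsets = offsetOfXBeforeAndAfterFlatten();
    std::printf("offset of x: before=%d after=%d\n", offsets.first, offsets.second);
    return 0;
}
```

The hasBeenFlattenedBefore bit is what bounds the cost: an object that keeps deleting properties would otherwise be flattened on every cache miss, so the second visit to the uncacheable state is treated as a signal that the object is not worth caching at all.
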
2014-06-11  Csaba Osztrogonác  <ossy@webkit.org>

        [EFL] URTBF after r169823.

        * bindings/ScriptValue.cpp: Missing include added.

2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>

        Remove an unnecessary asObject(this) call inside JSObject::fastGetOwnPropertySlot.

        Rubber-stamped by Andreas Kling.

        * runtime/JSObject.h:
        (JSC::JSObject::fastGetOwnPropertySlot):

2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>

        Turning on DUMP_PROPERTYMAP_STATS causes a build failure
        https://bugs.webkit.org/show_bug.cgi?id=133673

        Reviewed by Andreas Kling.

        Rewrote the property map statistics code because the old code wasn't building,
        and it was also mixing numbers for lookups and insertions/removals.

        New logging code records the number of calls to PropertyTable::find (finds) and
        PropertyTable::get/PropertyTable::findWithString separately so that we can quantify
        the amount of probing during updates and lookups.

        * jsc.cpp:
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::find):
        (JSC::PropertyTable::get):
        (JSC::PropertyTable::findWithString):
        (JSC::PropertyTable::add):
        (JSC::PropertyTable::remove):
        (JSC::PropertyTable::reinsert):
        (JSC::PropertyTable::rehash):
        * runtime/Structure.cpp:
        (JSC::PropertyMapStatisticsExitLogger::PropertyMapStatisticsExitLogger):
        (JSC::PropertyMapStatisticsExitLogger::~PropertyMapStatisticsExitLogger):

2014-06-11  Andreas Kling  <akling@apple.com>

        Always inline JSValue::get() and Structure::get().
        <https://webkit.org/b/133755>

        Reviewed by Ryosuke Niwa.

        These functions get really hot, so ask the compiler to be more
        aggressive about inlining them.

        ~28% speed-up on Ryosuke's microbenchmark for accessing nextSibling
        through GetByVal.

        * runtime/JSArrayIterator.cpp:
        * runtime/JSCJSValue.cpp:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::get):
        * runtime/JSPromiseDeferred.cpp:
        * runtime/StructureInlines.h:
        (JSC::Structure::get):

2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>

        Structure::get should instantiate DeferGC only when materializing property map
        https://bugs.webkit.org/show_bug.cgi?id=133727

        Rubber-stamped by Andreas Kling.

        Make materializePropertyMapIfNecessary always inline.

        This is a ~12% improvement on the microbenchmark attached in the bug.

        * runtime/Structure.h:
        (JSC::Structure::materializePropertyMapIfNecessary):
        (JSC::Structure::materializePropertyMapIfNecessaryForPinning):

2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>

        Structure::get should instantiate DeferGC only when materializing property map
        https://bugs.webkit.org/show_bug.cgi?id=133727

        Reviewed by Geoffrey Garen.

        DeferGC instances in Structure::get were added in http://trac.webkit.org/r157539 in order to avoid
        collecting the property table newly created by materializePropertyMapIfNecessary since GC can happen
        when GCSafeConcurrentJITLocker goes out of scope.

        However, always instantiating DeferGC inside Structure::get introduced a new performance bottleneck
        in JSObject::getPropertySlot because frequently incrementing and decrementing a counter in vm.m_heap
        and running a release assertion inside Heap::incrementDeferralDepth() is expensive.

        Work around this by instantiating DeferGC only when we're actually calling materializePropertyMap,
        and immediately storing a pointer to the newly created property table in the stack before DeferGC
        goes out of scope so that the property table will be marked.

        This shows a 13-16% improvement on the microbenchmark attached in the bug.

        * runtime/JSCJSValue.cpp:
        * runtime/JSObject.h:
        (JSC::JSObject::fastGetOwnPropertySlot):
        * runtime/Structure.h:
        (JSC::Structure::materializePropertyMapIfNecessary):
        * runtime/StructureInlines.h:
        (JSC::Structure::get):

741
742         Some JSValue::get() micro-optimzations.
743         <https://webkit.org/b/133739>
744
745         Tighten some of the property lookup code to improve performance of the
746         eagerly reified prototype attributes:
747
748         - Instead of converting the property name to an integer at every step
749           in the prototype chain, move that to a separate pass at the end
750           since it should be a rare case.
751
752         - Cache the StructureIDTable in a local instead of fetching it from
753           the Heap on every step.
754
755         - Make fillCustomGetterPropertySlot inline. It was out-of-lined based
756           on the assumption that clients would mostly be cacheable GetByIds,
757           and it gets pretty hot (~1%) in GetByVal.
758
759         - Pass the Structure directly to fillCustomGetterPropertySlot instead
760           of refetching it from the StructureIDTable.
761
762         Reviewed by Geoff Garen.
763
764         * runtime/JSObject.cpp:
765         (JSC::JSObject::fillCustomGetterPropertySlot): Deleted.
766         * runtime/JSObject.h:
767         (JSC::JSObject::inlineGetOwnPropertySlot):
768         (JSC::JSObject::fillCustomGetterPropertySlot):
769         (JSC::JSObject::getOwnPropertySlot):
770         (JSC::JSObject::fastGetOwnPropertySlot):
771         (JSC::JSObject::getPropertySlot):
772         (JSC::JSObject::getOwnPropertySlotSlow): Deleted.
773
774 2014-06-10  Sam Weinig  <sam@webkit.org>
775
776         Don't create a HashTable for JSObjects that use eager reification
777         https://bugs.webkit.org/show_bug.cgi?id=133705
778
779         Reviewed by Geoffrey Garen.
780
781         * runtime/Lookup.h:
782         (JSC::reifyStaticProperties):
783         Add a version of reifyStaticProperties that takes an array of HashTableValues
784         rather than a HashTable.
785
786 2014-06-10  Filip Pizlo  <fpizlo@apple.com>
787
788         Prediction propagator should make sure everyone knows that a variable that is in an argument position where other versions of that variable are not MachineInts cannot possibly be flushed as Int52
789         https://bugs.webkit.org/show_bug.cgi?id=133698
790
791         Reviewed by Geoffrey Garen and Mark Hahnenberg.
792
793         * dfg/DFGPredictionPropagationPhase.cpp:
794         (JSC::DFG::PredictionPropagationPhase::propagate): Use the new utility to figure out if a variable could ever represent an Int52.
795         * dfg/DFGVariableAccessData.cpp:
796         (JSC::DFG::VariableAccessData::couldRepresentInt52): Add a new utility to detect early on if a variable could possibly be Int52.
797         (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
798         (JSC::DFG::VariableAccessData::flushFormat):
799         * dfg/DFGVariableAccessData.h:
800         * tests/stress/int52-inlined-call-argument.js: Added.
801         (foo):
802         (bar):
803
804 2014-06-10  Mark Lam  <mark.lam@apple.com>
805
806         Assertion failure at JSC::Structure::checkOffsetConsistency() const + 234.
807         <https://webkit.org/b/133356>
808
809         Reviewed by Mark Hahnenberg.
810
811         The root cause of this issue is that a nonPropertyTransition can transition
812         a pinned dictionary structure to an unpinned dictionary structure.  The new
813         structure will get a copy of the property table from the original structure.
814         However, when a GC occurs, the property table in the new structure will be
815         cleared because it is unpinned.  This leads to complications in subsequent
816         derivative structures when flattening occurs, which eventually leads to the
817         assertion failure in this bug.
818
819         The fix is to ensure that the new dictionary structure generated by the
820         nonPropertyTransition will have a copy of its predecessor's property table
821         and is pinned.
822
823         * runtime/Structure.cpp:
824         (JSC::Structure::nonPropertyTransition):
825
826 2014-06-10  Michael Saboff  <msaboff@apple.com>
827
828         In a certain app state, Array.prototype.filter() returns incorrect results
829         https://bugs.webkit.org/show_bug.cgi?id=133577
830
831         Reviewed by Oliver Hunt.
832
833         Fixed the LLInt processing of op_put_by_val_direct to have the same hole check as op_put_by_val.
834
835         * llint/LowLevelInterpreter32_64.asm:
836         * llint/LowLevelInterpreter64.asm:
837
838 2014-06-09  Mark Hahnenberg  <mhahnenberg@apple.com>
839
840         Global HashTables contain references to atomic StringImpls
841         https://bugs.webkit.org/show_bug.cgi?id=133661
842
843         Reviewed by Geoffrey Garen.
844
845         This was a long-standing bug revealed by bug 133558. The issue is that the global static HashTables 
846         cache their set of keys as StringImpls that are associated with a particular VM.  This is obviously 
847         incompatible with using multiple VMs on multiple threads (e.g. when using workers). The fix is to 
848         change the "keys" field of the static HashTables to be char** instead of StringImpl**.
849
850         * runtime/JSObject.cpp:
851         (JSC::getClassPropertyNames):
852         * runtime/Lookup.cpp:
853         (JSC::HashTable::createTable):
854         (JSC::HashTable::deleteTable):
855         * runtime/Lookup.h:
856         (JSC::HashTable::ConstIterator::key):
857         (JSC::HashTable::entry):
858
859 2014-06-09  Mark Hahnenberg  <mhahnenberg@apple.com>
860
861         Build fix after r169703
862
863         * JavaScriptCore.xcodeproj/project.pbxproj:
864
865 2014-06-05  Mark Hahnenberg  <mhahnenberg@apple.com>
866
867         Eagerly reify DOM prototype attributes
868         https://bugs.webkit.org/show_bug.cgi?id=133558
869
870         Reviewed by Oliver Hunt.
871
872         This allows us to get rid of a lot of the additional overhead of pushing DOM attributes up into the prototype. 
873         By eagerly reifying the custom getters and setters into the actual JSObject we avoid having to override 
874         getOwnPropertySlot for all of the DOM prototypes, which is a lot of the overhead of doing property lookups on 
875         DOM wrappers.
876
877         * CMakeLists.txt:
878         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
879         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
880         * JavaScriptCore.xcodeproj/project.pbxproj:
881         * llint/LLIntData.cpp:
882         (JSC::LLInt::Data::performAssertions):
883         * llint/LowLevelInterpreter.asm:
884         * runtime/BatchedTransitionOptimizer.h:
885         (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
886         * runtime/CustomGetterSetter.cpp: Added.
887         (JSC::callCustomSetter):
888         * runtime/CustomGetterSetter.h: Added.
889         (JSC::CustomGetterSetter::create):
890         (JSC::CustomGetterSetter::getter):
891         (JSC::CustomGetterSetter::setter):
892         (JSC::CustomGetterSetter::createStructure):
893         (JSC::CustomGetterSetter::CustomGetterSetter):
894         * runtime/JSCJSValue.cpp:
895         (JSC::JSValue::putToPrimitive):
896         * runtime/JSCJSValue.h:
897         * runtime/JSCJSValueInlines.h:
898         (JSC::JSValue::isCustomGetterSetter):
899         * runtime/JSCell.h:
900         * runtime/JSCellInlines.h:
901         (JSC::JSCell::isCustomGetterSetter):
902         (JSC::JSCell::canUseFastGetOwnProperty):
903         * runtime/JSFunction.cpp:
904         (JSC::JSFunction::isHostOrBuiltinFunction): Deleted.
905         (JSC::JSFunction::isBuiltinFunction): Deleted.
906         * runtime/JSFunction.h:
907         * runtime/JSFunctionInlines.h: Inlined some random functions that appeared hot during profiling.
908         (JSC::JSFunction::isBuiltinFunction):
909         (JSC::JSFunction::isHostOrBuiltinFunction):
910         * runtime/JSObject.cpp:
911         (JSC::JSObject::put):
912         (JSC::JSObject::putDirectCustomAccessor):
913         (JSC::JSObject::fillGetterPropertySlot):
914         (JSC::JSObject::fillCustomGetterPropertySlot):
915         (JSC::JSObject::getOwnPropertySlotSlow): Deleted.
916         * runtime/JSObject.h:
917         (JSC::JSObject::hasCustomGetterSetterProperties):
918         (JSC::JSObject::convertToDictionary):
919         (JSC::JSObject::inlineGetOwnPropertySlot):
920         (JSC::JSObject::getOwnPropertySlotSlow): Inlined because it looked hot during profiling.
921         (JSC::JSObject::putOwnDataProperty):
922         (JSC::JSObject::putDirect):
923         (JSC::JSObject::putDirectWithoutTransition):
924         * runtime/JSType.h:
925         * runtime/Lookup.h:
926         (JSC::reifyStaticProperties):
927         * runtime/PropertyDescriptor.h:
928         (JSC::PropertyDescriptor::PropertyDescriptor):
929         * runtime/Structure.cpp:
930         (JSC::Structure::Structure):
931         (JSC::nextOutOfLineStorageCapacity): Deleted.
932         (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Deleted.
933         (JSC::Structure::get): Deleted.
934         * runtime/Structure.h:
935         (JSC::Structure::hasCustomGetterSetterProperties):
936         (JSC::Structure::setHasCustomGetterSetterProperties):
937         * runtime/StructureInlines.h:
938         (JSC::Structure::get): Inlined due to hotness.
939         (JSC::nextOutOfLineStorageCapacity): Inlined due to hotness.
940         (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Inlined due to hotness.
941         * runtime/VM.cpp:
942         (JSC::VM::VM):
943         * runtime/VM.h:
944         * runtime/WriteBarrier.h:
945         (JSC::WriteBarrierBase<Unknown>::isCustomGetterSetter):
946
947 2014-06-07  Mark Lam  <mark.lam@apple.com>
948
949         Structure should initialize its previousID in its constructor.
950         <https://webkit.org/b/133606>
951
952         Reviewed by Mark Hahnenberg.
953
954         Currently, the Structure constructor that takes a previous structure will
955         initialize its previousID to point to the previous structure's previousID.
956         This is incorrect.  However, the caller of the Structure::create() factory
957         method (which instantiated the Structure) will later call setPreviousID()
958         to set the previousID to the correct previous structure.  This makes the
959         code confusing to read and more error prone in that the structure relies
960         on client code to fix its invalid previousID.
961
962         This patch fixes this by making the Structure constructor initialize
963         previousID correctly.
964
965         * runtime/Structure.cpp:
966         (JSC::Structure::Structure):
967         (JSC::Structure::addPropertyTransition):
968         (JSC::Structure::nonPropertyTransition):
969         * runtime/Structure.h:
970         * runtime/StructureInlines.h:
971         (JSC::Structure::create):
972
973 2014-06-06  Andreas Kling  <akling@apple.com>
974
975         Indexed getters should return values directly on the PropertySlot.
976         <https://webkit.org/b/133586>
977
978         Remove PropertySlot's custom index mode.
979
980         Reviewed by Darin Adler.
981
982         * runtime/JSObject.h:
983         (JSC::PropertySlot::getValue):
984         * runtime/PropertySlot.h:
985         (JSC::PropertySlot::setCustomIndex): Deleted.
986
987 2014-06-04  Timothy Horton  <timothy_horton@apple.com>
988
989         iOS Debug build fix
990
991         Rubber-stamped by Filip Pizlo.
992
993         * Configurations/LLVMForJSC.xcconfig:
994         Dead-code strip the llvmForJSC library unconditionally, to work around <rdar://problem/16920916>.
995
996 2014-06-04  Oliver Hunt  <oliver@apple.com>
997
998         ArrayIterator should not be exposed in Safari 8
999         https://bugs.webkit.org/show_bug.cgi?id=133494
1000
1001         Reviewed by Michael Saboff.
1002
1003         Separate out types that require constructor objects, and don't
1004         include the iterator types in that list.
1005
1006         * runtime/JSGlobalObject.cpp:
1007         (JSC::JSGlobalObject::reset):
1008         * runtime/JSGlobalObject.h:
1009
1010 2014-06-04  Filip Pizlo  <fpizlo@apple.com>
1011
1012         DFG::Safepoint::begin() should set m_didCallBegin before releasing the rightToRun lock, because otherwise, Safepoint::checkLivenessAndVisitChildren() may assert due to a race
1013         https://bugs.webkit.org/show_bug.cgi?id=133525
1014         <rdar://problem/16790296>
1015
1016         Reviewed by Oliver Hunt.
1017
1018         * dfg/DFGSafepoint.cpp:
1019         (JSC::DFG::Safepoint::begin):
1020
1021 2014-06-03  Filip Pizlo  <fpizlo@apple.com>
1022
1023         LLVM soft-linking should be truly fail-silent
1024         https://bugs.webkit.org/show_bug.cgi?id=133482
1025
1026         Reviewed by Mark Lam.
1027
1028         * llvm/InitializeLLVMPOSIX.cpp:
1029         (JSC::initializeLLVMPOSIX): Missing return statement in the dlsym() returning null case.
1030
1031 2014-06-03  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
1032
1033         REGRESSION(r169092 and r169102): Skip failing JSC tests properly on non-x86 Darwin platforms
1034         https://bugs.webkit.org/show_bug.cgi?id=133149
1035
1036         Reviewed by Csaba Osztrogonác.
1037
1038         * tests/mozilla/mozilla-tests.yaml: Skip js1_5/Regress/regress-159334.js only if the architecture isn't x86 and the host is Darwin.
1039
1040 2014-05-31  Anders Carlsson  <andersca@apple.com>
1041
1042         Add a LazyNeverDestroyed class template and use it
1043         https://bugs.webkit.org/show_bug.cgi?id=133425
1044
1045         Reviewed by Darin Adler.
1046
1047         * dfg/DFGFunctionWhitelist.cpp:
1048         (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
1049         * dfg/DFGFunctionWhitelist.h:
1050
1051 2014-05-28  Filip Pizlo  <fpizlo@apple.com>
1052
1053         DFG::DCEPhase inserts into an insertion set in reverse, causing hilarious basic block corruption if you kill a lot of NewArrays
1054         https://bugs.webkit.org/show_bug.cgi?id=133368
1055
1056         Reviewed by Mark Lam.
1057
1058         * dfg/DFGDCEPhase.cpp:
1059         (JSC::DFG::DCEPhase::fixupBlock): Loop in the right order so that we insert in the right order.
1060         * tests/stress/new-array-dead.js: Added.
1061         (foo):
1062
1063 2014-05-28  Filip Pizlo  <fpizlo@apple.com>
1064
1065         Unreviewed, fix not-x86 32-bit.
1066
1067         * llint/LowLevelInterpreter32_64.asm:
1068
1069 2014-05-27  Filip Pizlo  <fpizlo@apple.com>
1070
1071         Arrayify neglects to inform the clobberizer that it might fire watchpoints
1072         https://bugs.webkit.org/show_bug.cgi?id=133340
1073
1074         Reviewed by Mark Lam.
1075
1076         * dfg/DFGClobberize.h:
1077         (JSC::DFG::clobberize): Be honest.
1078         * llint/LowLevelInterpreter32_64.asm: Profile the object, not its structure.
1079         * tests/stress/arrayify-fires-watchpoint.js: Added.
1080         (foo):
1081         (test):
1082         (makeObjectArray):
1083         * tests/stress/arrayify-structure-bad-test.js: Added.
1084         (foo):
1085         (test):
1086
1087 2014-05-27  Jon Lee  <jonlee@apple.com>
1088
1089         Update ENABLE(MEDIA_SOURCE) on Mac
1090         https://bugs.webkit.org/show_bug.cgi?id=133141
1091
1092         Reviewed by Darin Adler.
1093
1094         * Configurations/FeatureDefines.xcconfig:
1095
1096 2014-05-27  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>
1097
1098         Remove BLOB guards
1099         https://bugs.webkit.org/show_bug.cgi?id=132863
1100
1101         Reviewed by Csaba Osztrogonác.
1102
1103         * Configurations/FeatureDefines.xcconfig:
1104
1105 2014-05-27  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>
1106
1107         Allow building CMake based ports with WEB_REPLAY
1108         https://bugs.webkit.org/show_bug.cgi?id=133154
1109
1110         Reviewed by Csaba Osztrogonác.
1111
1112         * CMakeLists.txt:
1113
1114 2014-05-25  Filip Pizlo  <fpizlo@apple.com>
1115
1116         Latest emscripten life benchmark is 4x slower because the DFG doesn't realize that arithmetic on booleans is a thing
1117         https://bugs.webkit.org/show_bug.cgi?id=133136
1118
1119         Reviewed by Oliver Hunt.
1120         
1121         Some key concepts:
1122
1123         - Except for the prediction propagation and type fixup phases, which are super early in
1124           the pipeline, nobody has to know about the fact that booleans may flow into numerical
1125           operations because there will just be a BooleanToNumber node that will take a value
1126           and, if that value is a boolean, will convert it to the equivalent numerical value. It
1127           will have a BooleanUse mode where it will also speculate that the input is a boolean
1128           but it can also do UntypedUse in which case it will pass through any non-booleans.
1129           This operation is very easy to model in all of the compiler tiers.
1130
1131         - No changes to the baseline JIT. The Baseline JIT will still believe that boolean
1132           inputs require taking the slow path and it will still report that it took slow path
1133           for any such operations.  The DFG will now be smart enough to ignore baseline JIT slow
1134           path profiling on operations that were known to have had boolean inputs.  That's a
1135           little quirky, but it's probably easier than modifying the baseline JIT to track
1136           booleans correctly.
1137         
1138         4.1x speed-up on the emscripten "life" benchmark. Up to 10x speed-up on microbenchmarks.
1139
1140         * bytecode/SpeculatedType.h:
1141         (JSC::isInt32OrBooleanSpeculation):
1142         (JSC::isInt32SpeculationForArithmetic):
1143         (JSC::isInt32OrBooleanSpeculationForArithmetic):
1144         (JSC::isInt32OrBooleanSpeculationExpectingDefined):
1145         (JSC::isInt52Speculation):
1146         (JSC::isMachineIntSpeculation):
1147         (JSC::isFullNumberOrBooleanSpeculation):
1148         (JSC::isFullNumberOrBooleanSpeculationExpectingDefined):
1149         (JSC::isInt32SpeculationExpectingDefined): Deleted.
1150         (JSC::isMachineIntSpeculationExpectingDefined): Deleted.
1151         (JSC::isMachineIntSpeculationForArithmetic): Deleted.
1152         (JSC::isBytecodeNumberSpeculationExpectingDefined): Deleted.
1153         (JSC::isFullNumberSpeculationExpectingDefined): Deleted.
1154         * dfg/DFGAbstractInterpreterInlines.h:
1155         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1156         * dfg/DFGAllocator.h:
1157         (JSC::DFG::Allocator<T>::indexOf):
1158         * dfg/DFGByteCodeParser.cpp:
1159         (JSC::DFG::ByteCodeParser::makeSafe):
1160         (JSC::DFG::ByteCodeParser::makeDivSafe):
1161         (JSC::DFG::ByteCodeParser::handleIntrinsic):
1162         * dfg/DFGCSEPhase.cpp:
1163         (JSC::DFG::CSEPhase::performNodeCSE):
1164         * dfg/DFGClobberize.h:
1165         (JSC::DFG::clobberize):
1166         * dfg/DFGCommon.h:
1167         * dfg/DFGConstantFoldingPhase.cpp:
1168         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1169         * dfg/DFGFixupPhase.cpp:
1170         (JSC::DFG::FixupPhase::fixupNode):
1171         (JSC::DFG::FixupPhase::fixIntConvertingEdge):
1172         (JSC::DFG::FixupPhase::fixIntOrBooleanEdge):
1173         (JSC::DFG::FixupPhase::fixDoubleOrBooleanEdge):
1174         (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
1175         (JSC::DFG::FixupPhase::fixIntEdge): Deleted.
1176         * dfg/DFGGraph.h:
1177         (JSC::DFG::Graph::addSpeculationMode):
1178         (JSC::DFG::Graph::valueAddSpeculationMode):
1179         (JSC::DFG::Graph::arithAddSpeculationMode):
1180         (JSC::DFG::Graph::addShouldSpeculateInt32):
1181         (JSC::DFG::Graph::mulShouldSpeculateInt32):
1182         (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
1183         (JSC::DFG::Graph::negateShouldSpeculateInt32):
1184         (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
1185         (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
1186         (JSC::DFG::Graph::mulImmediateShouldSpeculateInt32): Deleted.
1187         * dfg/DFGNode.h:
1188         (JSC::DFG::Node::sawBooleans):
1189         (JSC::DFG::Node::shouldSpeculateInt32OrBoolean):
1190         (JSC::DFG::Node::shouldSpeculateInt32ForArithmetic):
1191         (JSC::DFG::Node::shouldSpeculateInt32OrBooleanForArithmetic):
1192         (JSC::DFG::Node::shouldSpeculateInt32OrBooleanExpectingDefined):
1193         (JSC::DFG::Node::shouldSpeculateMachineInt):
1194         (JSC::DFG::Node::shouldSpeculateDouble):
1195         (JSC::DFG::Node::shouldSpeculateNumberOrBoolean):
1196         (JSC::DFG::Node::shouldSpeculateNumberOrBooleanExpectingDefined):
1197         (JSC::DFG::Node::shouldSpeculateNumber):
1198         (JSC::DFG::Node::canSpeculateInt32):
1199         (JSC::DFG::Node::canSpeculateInt52):
1200         (JSC::DFG::Node::sourceFor):
1201         (JSC::DFG::Node::shouldSpeculateInt32ExpectingDefined): Deleted.
1202         (JSC::DFG::Node::shouldSpeculateMachineIntForArithmetic): Deleted.
1203         (JSC::DFG::Node::shouldSpeculateMachineIntExpectingDefined): Deleted.
1204         (JSC::DFG::Node::shouldSpeculateDoubleForArithmetic): Deleted.
1205         (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined): Deleted.
1206         * dfg/DFGNodeFlags.cpp:
1207         (JSC::DFG::dumpNodeFlags):
1208         * dfg/DFGNodeFlags.h:
1209         (JSC::DFG::nodeMayOverflow):
1210         (JSC::DFG::nodeMayNegZero):
1211         (JSC::DFG::nodeCanSpeculateInt32):
1212         (JSC::DFG::nodeCanSpeculateInt52):
1213         * dfg/DFGNodeType.h:
1214         * dfg/DFGPredictionPropagationPhase.cpp:
1215         (JSC::DFG::PredictionPropagationPhase::run):
1216         (JSC::DFG::PredictionPropagationPhase::propagateToFixpoint):
1217         (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
1218         (JSC::DFG::PredictionPropagationPhase::propagate):
1219         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
1220         * dfg/DFGSafeToExecute.h:
1221         (JSC::DFG::safeToExecute):
1222         * dfg/DFGSpeculativeJIT.cpp:
1223         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1224         * dfg/DFGSpeculativeJIT32_64.cpp:
1225         (JSC::DFG::SpeculativeJIT::compile):
1226         * dfg/DFGSpeculativeJIT64.cpp:
1227         (JSC::DFG::SpeculativeJIT::compile):
1228         * ftl/FTLCapabilities.cpp:
1229         (JSC::FTL::canCompile):
1230         * ftl/FTLLowerDFGToLLVM.cpp:
1231         (JSC::FTL::LowerDFGToLLVM::compileNode):
1232         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
1233         (JSC::FTL::LowerDFGToLLVM::compileBooleanToNumber):
1234         * runtime/JSCJSValue.h:
1235         * runtime/JSCJSValueInlines.h:
1236         (JSC::JSValue::asInt32ForArithmetic):
1237         * tests/stress/max-boolean-exit.js: Added.
1238         (foo):
1239         (test):
1240         * tests/stress/mul-boolean-exit.js: Added.
1241         (foo):
1242         (test):
1243         * tests/stress/plus-boolean-exit.js: Added.
1244         (foo):
1245         (test):
1246         * tests/stress/plus-boolean-or-double.js: Added.
1247         (foo):
1248         (test):
1249         * tests/stress/plus-boolean-or-int.js: Added.
1250         (foo):
1251         (test):
1252
1253 2014-05-26  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>
1254
1255         Remove dead code from VM.cpp
1256         https://bugs.webkit.org/show_bug.cgi?id=133284
1257
1258         Reviewed by Darin Adler.
1259
1260         This workaround was added in r127505. Since clang is the
1261         only compiler used in this case, this workaround is obsolete.
1262
1263         * runtime/VM.cpp:
1264         (JSC::enableAssembler):
1265
1266 2014-05-26  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
1267
1268         JSC CLoop warning fix
1269         https://bugs.webkit.org/show_bug.cgi?id=133259
1270
1271         Reviewed by Darin Adler.
1272
1273         * llint/LLIntSlowPaths.cpp:
1274         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1275
1276 2014-05-24  Andreas Kling  <akling@apple.com>
1277
1278         Object.prototype.toString() should use cached strings for null/undefined.
1279         <https://webkit.org/b/133261>
1280
1281         Normally, when calling Object.prototype.toString() on a regular object,
1282         we'd cache the result of the stringification on the object's structure,
1283         making repeated calls fast.
1284
1285         For null and undefined, we were not as smart. We'd instead construct a
1286         new string with either "[object Null]" or "[object Undefined]" each time.
1287
1288         This was exposed by Dromaeo's JS library tests, where some prototype.js
1289         subtests generate millions of strings this way.
1290
1291         This patch adds two VM-permanent cached strings to the SmallStrings.
1292         Looks like ~10% speed-up on Dromaeo/jslib-traverse-prototype.html.
1293
1294         Reviewed by Darin Adler.
1295
1296         * runtime/ObjectPrototype.cpp:
1297         (JSC::objectProtoFuncToString):
1298         * runtime/SmallStrings.cpp:
1299         (JSC::SmallStrings::SmallStrings):
1300         (JSC::SmallStrings::initializeCommonStrings):
1301         (JSC::SmallStrings::visitStrongReferences):
1302         * runtime/SmallStrings.h:
1303         (JSC::SmallStrings::nullObjectString):
1304         (JSC::SmallStrings::undefinedObjectString):
1305
1306 2014-05-23  Mark Hahnenberg  <mhahnenberg@apple.com>
1307
1308         Remove operationCallGetter
1309
1310         Rubber stamped by Filip Pizlo.
1311
1312         Nobody calls this function.
1313
1314         * JavaScriptCore.order:
1315         * jit/JITOperations.cpp:
1316         * jit/JITOperations.h:
1317
1318 2014-05-23  Andreas Kling  <akling@apple.com>
1319
1320         Templatize GC's destructor invocation for dtor type.
1321         <https://webkit.org/b/133231>
1322
1323         Get rid of a branch in callDestructor() by templatizing it for
1324         the DestructorType. Removed JSCell::methodTableForDestruction()
1325         since this was the only call site and it was jumping through
1326         a bunch of unnecessary hoops.
1327
1328         Reviewed by Geoffrey Garen.
1329
1330         * heap/MarkedBlock.cpp:
1331         (JSC::MarkedBlock::callDestructor):
1332         (JSC::MarkedBlock::specializedSweep):
1333         * heap/MarkedBlock.h:
1334         * runtime/JSCell.h:
1335         * runtime/JSCellInlines.h:
1336         (JSC::JSCell::methodTableForDestruction): Deleted.
1337
1338 2014-05-23  Andreas Kling  <akling@apple.com>
1339
1340         Support inline caching of RegExpMatchesArray.length
1341         <https://webkit.org/b/133234>
1342
1343         Give RegExpMatchesArray.length the same treatment as JSArray in
1344         repatch so we don't have to go out of line on every access.
1345
1346         ~13% speed-up on Octane/regexp.
1347
1348         Reviewed by Geoffrey Garen.
1349
1350         * jit/Repatch.cpp:
1351         (JSC::tryCacheGetByID):
1352         * runtime/RegExpMatchesArray.h:
1353         (JSC::isRegExpMatchesArray):
1354
1355 2014-05-22  Mark Lam  <mark.lam@apple.com>
1356
1357         REGRESSION(r154797): Debugger crashes when stepping over an uncaught exception.
1358         <https://webkit.org/b/133182>
1359
1360         Reviewed by Oliver Hunt.
1361
1362         Before r154797, we used to clear the VM exception before calling into the
1363         debugger.  After r154797, we don't.  This patch will restore this clearing
1364         of the exception before calling into the debugger.
1365
1366         Also added assertions after returning from calls into the debugger to
1367         ensure that the debugger did not introduce any exceptions.
1368
1369         * interpreter/Interpreter.cpp:
1370         (JSC::unwindCallFrame):
1371         (JSC::Interpreter::unwind):
1372         (JSC::Interpreter::debug):
1373         - Fixed the assertion here.  Interpreter::debug() should never be called
1374           with a pending exception.  Debugger callbacks for exceptions should be
1375           handled by Interpreter::unwind() and Interpreter::unwindCallFrame().
1376
1377 2014-05-21  Filip Pizlo  <fpizlo@apple.com>
1378
1379         Store barrier elision should run after DCE in both the DFG path and the FTL path
1380         https://bugs.webkit.org/show_bug.cgi?id=129718
1381
1382         Rubber stamped by Mark Hahnenberg.
1383
1384         * dfg/DFGPlan.cpp:
1385         (JSC::DFG::Plan::compileInThreadImpl):
1386
1387 2014-05-21  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>
1388
1389         [EFL] Add include path of compact_unwind_encoding.h if FTL JIT is enabled
1390         https://bugs.webkit.org/show_bug.cgi?id=132907
1391
1392         Reviewed by Gyuyoung Kim.
1393
1394         * CMakeLists.txt:
1395
1396 2014-05-16  Martin Robinson  <mrobinson@igalia.com>
1397
1398         [CMake] Improve handling of LIB_INSTALL_DIR, EXEC_INSTALL_DIR, and LIBEXEC_INSTALL_DIR
1399         https://bugs.webkit.org/show_bug.cgi?id=132819
1400
1401         Reviewed by Carlos Garcia Campos.
1402
1403         * javascriptcoregtk.pc.in: Instead of using the special pkg-config variables,
1404         use the common CMake ones directly.
1405
1406 2014-05-21  Filip Pizlo  <fpizlo@apple.com>
1407
1408         Unreviewed, roll out http://trac.webkit.org/changeset/169159.
1409         
1410         This was a unilateral change and wasn't properly reviewed.
1411
1412         * tests/mozilla/mozilla-tests.yaml:
1413
1414 2014-05-21  Antoine Quint  <graouts@webkit.org>
1415
1416         Array.prototype.find and findIndex should skip holes
1417         https://bugs.webkit.org/show_bug.cgi?id=132658
1418
1419         Reviewed by Geoffrey Garen.
1420
1421         Skip holes in the array when iterating so that the callback isn't called for them.
1422
1423         * builtins/Array.prototype.js:
1424         (find):
1425         (findIndex):
1426
1427 2014-05-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
1428
1429         REGRESSION(r169092 and r169102): Skip failing JSC tests on ARM64 properly
1430         https://bugs.webkit.org/show_bug.cgi?id=133149
1431
1432         Reviewed by Csaba Osztrogonác.
1433
1434         * tests/mozilla/mozilla-tests.yaml:
1435
1436 2014-05-20  Geoffrey Garen  <ggaren@apple.com>
1437
1438         Rolled out <http://trac.webkit.org/changeset/166184>
1439         https://bugs.webkit.org/show_bug.cgi?id=133144
1440
1441         Reviewed by Gavin Barraclough.
1442
1443         It caused a performance regression.
1444
1445         * heap/BlockAllocator.cpp:
1446         (JSC::BlockAllocator::blockFreeingThreadStartFunc):
1447
1448 2014-05-20  Filip Pizlo  <fpizlo@apple.com>
1449
1450         DFG prediction propagation should agree with fixup phase over the return type of GetByVal
1451         https://bugs.webkit.org/show_bug.cgi?id=133134
1452
1453         Reviewed by Mark Hahnenberg.
1454         
1455         Make prediction propagator use ArrayMode refinement to decide the return type.
1456         
1457         Also introduce a heap prediction intrinsic that allows us to test weird corner cases
1458         like this. The only way we'll see a mismatch like this in the real world is probably
1459         through a gnarly race condition.
1460
1461         * dfg/DFGByteCodeParser.cpp:
1462         (JSC::DFG::ByteCodeParser::handleIntrinsic):
1463         * dfg/DFGNode.h:
1464         (JSC::DFG::Node::setHeapPrediction):
1465         * dfg/DFGPredictionPropagationPhase.cpp:
1466         (JSC::DFG::PredictionPropagationPhase::propagate):
1467         * jsc.cpp:
1468         (GlobalObject::finishCreation):
1469         (functionFalse1):
1470         (functionFalse2):
1471         (functionUndefined1):
1472         (functionUndefined2):
1473         (functionFalse): Deleted.
1474         (functionOtherFalse): Deleted.
1475         (functionUndefined): Deleted.
1476         * runtime/Intrinsic.h:
1477         * tests/stress/get-by-val-double-predicted-int.js: Added.
1478         (foo):
1479
1480 2014-05-20  Mark Hahnenberg  <mhahnenberg@apple.com>
1481
1482         Watchdog timer should be lazily allocated
1483         https://bugs.webkit.org/show_bug.cgi?id=133135
1484
1485         Reviewed by Geoffrey Garen.
1486
1487         We incur a noticeable amount of overhead on some benchmarks due to checking if the Watchdog ever fired. 
1488         There is no reason to do this checking if we never activated the Watchdog, which can only be done through 
1489         JSContextGroupSetExecutionTimeLimit or JSContextGroupClearExecutionTimeLimit. 
1490
1491         By allocating the Watchdog lazily on the VM we can avoid all of the associated overhead when we don't use 
1492         these two API functions (which is true of most clients).
1493
1494         * API/JSContextRef.cpp:
1495         (JSContextGroupSetExecutionTimeLimit):
1496         (JSContextGroupClearExecutionTimeLimit):
1497         * dfg/DFGByteCodeParser.cpp:
1498         (JSC::DFG::ByteCodeParser::parseBlock):
1499         * dfg/DFGSpeculativeJIT32_64.cpp:
1500         (JSC::DFG::SpeculativeJIT::compile):
1501         * dfg/DFGSpeculativeJIT64.cpp:
1502         (JSC::DFG::SpeculativeJIT::compile):
1503         * interpreter/Interpreter.cpp:
1504         (JSC::Interpreter::execute):
1505         (JSC::Interpreter::executeCall):
1506         (JSC::Interpreter::executeConstruct):
1507         * jit/JITOpcodes.cpp:
1508         (JSC::JIT::emit_op_loop_hint):
1509         (JSC::JIT::emitSlow_op_loop_hint):
1510         * jit/JITOperations.cpp:
1511         * llint/LLIntSlowPaths.cpp:
1512         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1513         * runtime/VM.h:
1514         * runtime/Watchdog.cpp:
1515         (JSC::Watchdog::Scope::Scope): Deleted.
1516         (JSC::Watchdog::Scope::~Scope): Deleted.
1517         * runtime/Watchdog.h:
1518         (JSC::Watchdog::Scope::Scope):
1519         (JSC::Watchdog::Scope::~Scope):
1520
1521 2014-05-19  Mark Hahnenberg  <mhahnenberg@apple.com>
1522
1523         JSArray::shiftCountWith* could be more efficient
1524         https://bugs.webkit.org/show_bug.cgi?id=133011
1525
1526         Reviewed by Geoffrey Garen.
1527
1528         Our current implementations of shiftCountWithAnyIndexingType and shiftCountWithArrayStorage 
1529         are scared of the presence of any holes in the array. We can mitigate this somewhat by enabling 
1530         them to correctly handle holes, thus avoiding the slowest of slow paths in most cases.
1531
1532         * runtime/ArrayStorage.h:
1533         (JSC::ArrayStorage::indexingHeader):
1534         (JSC::ArrayStorage::length):
1535         (JSC::ArrayStorage::hasHoles):
1536         * runtime/IndexingHeader.h:
1537         (JSC::IndexingHeader::publicLength):
1538         (JSC::IndexingHeader::from):
1539         * runtime/JSArray.cpp:
1540         (JSC::JSArray::shiftCountWithArrayStorage):
1541         (JSC::JSArray::shiftCountWithAnyIndexingType):
1542         (JSC::JSArray::unshiftCountWithArrayStorage):
1543         * runtime/JSArray.h:
1544         (JSC::JSArray::shiftCountForShift):
1545         (JSC::JSArray::shiftCountForSplice):
1546         (JSC::JSArray::shiftCount):
1547         * runtime/Structure.cpp:
1548         (JSC::Structure::holesRequireSpecialBehavior):
1549         * runtime/Structure.h:
1550
1551 2014-05-19  Filip Pizlo  <fpizlo@apple.com>
1552
1553         Test gardening: skip some failing tests on not-X86.
1554
1555         * tests/mozilla/mozilla-tests.yaml:
1556
1557 2014-05-19  Mark Lam  <mark.lam@apple.com>
1558
1559         operationOptimize() should defer the GC for a while.
1560         <https://webkit.org/b/133103>
1561
1562         Reviewed by Filip Pizlo.
1563
1564         Currently, operationOptimize() only defers the GC until its end.  As a result,
1565         a GC may be triggered just before we return from operationOptimize(), and it may
1566         jettison the optimized codeBlock that we're planning to OSR enter into when we
1567         return from this function.  This is because the OSR entry on-ramp code hasn't
1568         been executed yet, and hence, there is not yet a reference to this new codeBlock
1569         from the stack, and there won't be until we've had a chance to return out of
1570         operationOptimize() to run the OSR entry on-ramp code.
1571
1572         This issue is now fixed by using DeferGCForAWhile instead of DeferGC.  This
1573         ensures that the GC will be deferred until after the OSR entry on-ramp can be
1574         executed.
1575
1576         * jit/JITOperations.cpp:
1577
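The entry above describes a lifetime gap: a scoped deferral ends when operationOptimize() returns, but the new code block only becomes reachable from the stack once the OSR entry on-ramp runs. The toy model below is an added illustration of that gap, not JSC's own Heap, DeferGC or DeferGCForAWhile code; the class and function names mirror the entry, but the heap, the "collection requested" flag and the explicit release call in the on-ramp are assumptions made to keep the sketch self-contained.

```cpp
#include <type_traits>
#include <vector>

// A code block is kept alive only while something on the stack references it.
struct CodeBlock {
    bool referencedFromStack = false;
    bool jettisoned = false;
};

// Toy heap with a deferral counter (constructed model, not JSC's Heap). A
// requested collection runs only once the counter drops to zero, and it
// jettisons every code block that nothing on the stack references.
struct Heap {
    int deferralDepth = 0;
    bool collectionRequested = false;
    std::vector<CodeBlock*> codeBlocks;

    void collectIfNeeded() {
        if (deferralDepth > 0 || !collectionRequested)
            return;
        collectionRequested = false;
        for (CodeBlock* block : codeBlocks)
            if (!block->referencedFromStack)
                block->jettisoned = true;
    }
    void incrementDeferralDepth() { ++deferralDepth; }
    void decrementDeferralDepthAndCollectIfNeeded() {
        --deferralDepth;
        collectIfNeeded();
    }
};

// Scoped deferral: released when the scope ends, which may run a pending GC.
class DeferGC {
public:
    explicit DeferGC(Heap& heap) : m_heap(heap) { m_heap.incrementDeferralDepth(); }
    ~DeferGC() { m_heap.decrementDeferralDepthAndCollectIfNeeded(); }
private:
    Heap& m_heap;
};

// Deferral that outlives its scope: whoever installs the stack reference is
// responsible for releasing it afterwards (assumed release protocol).
class DeferGCForAWhile {
public:
    explicit DeferGCForAWhile(Heap& heap) { heap.incrementDeferralDepth(); }
};

// Sketch of operationOptimize(): publishes a freshly compiled block and, just
// before returning, something (an allocation, say) asks for a collection.
template <typename Deferral>
CodeBlock* operationOptimize(Heap& heap, CodeBlock& optimized) {
    Deferral deferral(heap);
    heap.codeBlocks.push_back(&optimized);
    heap.collectionRequested = true;
    return &optimized;      // a DeferGC destructor runs here, before the on-ramp
}

// Sketch of the OSR entry on-ramp: only now does the stack reference the block.
template <typename Deferral>
bool osrEntrySurvives(Heap& heap) {
    CodeBlock optimized;
    CodeBlock* target = operationOptimize<Deferral>(heap, optimized);
    target->referencedFromStack = true;
    if (std::is_same<Deferral, DeferGCForAWhile>::value)
        heap.decrementDeferralDepthAndCollectIfNeeded();  // release the long-lived deferral
    else
        heap.collectIfNeeded();                           // nothing pending: GC already ran
    return !target->jettisoned;
}

bool survivesWithDeferGC() { Heap heap; return osrEntrySurvives<DeferGC>(heap); }
bool survivesWithDeferGCForAWhile() { Heap heap; return osrEntrySurvives<DeferGCForAWhile>(heap); }
```

With the scoped deferral the pending collection fires in the destructor, while the block is still unreferenced, and the on-ramp would then enter jettisoned code; with the longer-lived deferral the collection waits until the on-ramp has installed the stack reference.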
1578 2014-05-19  Filip Pizlo  <fpizlo@apple.com>
1579
1580         Take care of some ARM64 test failures
1581         https://bugs.webkit.org/show_bug.cgi?id=133090
1582
1583         Reviewed by Geoffrey Garen.
1584         
1585         Constant blinding on ARM64 cannot use the scratch register.
1586
1587         * assembler/MacroAssembler.h:
1588         (JSC::MacroAssembler::convertInt32ToDouble):
1589         (JSC::MacroAssembler::branchPtr):
1590         (JSC::MacroAssembler::storePtr):
1591         (JSC::MacroAssembler::store64):
1592         * assembler/MacroAssemblerARM64.h:
1593         (JSC::MacroAssemblerARM64::scratchRegisterForBlinding):
1594
1595 2014-05-19  Tanay C  <tanay.c@samsung.com>
1596
1597         Removing some check-webkit-style warnings from ./dfg
1598         https://bugs.webkit.org/show_bug.cgi?id=132854
1599
1600         Reviewed by Darin Adler.
1601
1602         * dfg/DFGAbstractInterpreter.h:
1603         * dfg/DFGAbstractValue.h:
1604         * dfg/DFGBlockInsertionSet.h:
1605         * dfg/DFGCommonData.h:
1606         * dfg/DFGDominators.h:
1607         * dfg/DFGGraph.h:
1608         * dfg/DFGInPlaceAbstractState.h:
1609         * dfg/DFGPredictionPropagationPhase.h:
1610
1611 2014-05-18  Filip Pizlo  <fpizlo@apple.com>
1612
1613         Unreviewed, remove bogus comment. We already made the FTL use our calling convention.
1614         That was a long time ago.
1615
1616         * ftl/FTLLowerDFGToLLVM.cpp:
1617         (JSC::FTL::LowerDFGToLLVM::compileReturn):
1618
1619 2014-05-18  Rik Cabanier  <cabanier@adobe.com>
1620
1621         support for navigator.hardwareConcurrency
1622         https://bugs.webkit.org/show_bug.cgi?id=132588
1623
1624         Reviewed by Filip Pizlo.
1625
1626         * Configurations/FeatureDefines.xcconfig:
1627
1628 2014-05-16  Michael Saboff  <msaboff@apple.com>
1629
1630         Crash in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed() due to WTF::CrashOnOverflow::overflowed + 9
1631         https://bugs.webkit.org/show_bug.cgi?id=133009
1632
1633         Reviewed by Oliver Hunt.
1634
1635         If we determine that any alternative requires a minimum match size greater than
1636         INT_MAX, we handle the match in the interpreter.
1637
1638         Check to see if the pattern has unsigned lengths before invoking YARR JIT.
1639         * runtime/RegExp.cpp:
1640         (JSC::RegExp::compile):
1641         (JSC::RegExp::compileMatchOnly):
1642
1643         * tests/stress/large-regexp.js: New test added.
1644
1645         Set m_containsUnsignedLengthPattern flag if any alternative's minimum length
1646         doesn't fit in an int.
1647         * yarr/YarrPattern.cpp:
1648         (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):
1649
1650         Clear new m_containsUnsignedLengthPattern flag.
1651         * yarr/YarrPattern.cpp:
1652         (JSC::Yarr::YarrPattern::YarrPattern):
1653         * yarr/YarrPattern.h:
1654         (JSC::Yarr::YarrPattern::reset):
1655         (JSC::Yarr::YarrPattern::containsUnsignedLengthPattern):
1656
1657 2014-05-15  Mark Hahnenberg  <mhahnenberg@apple.com>
1658
1659         JSDOMWindow should not claim HasImpureGetOwnPropertySlot
1660         https://bugs.webkit.org/show_bug.cgi?id=132918
1661
1662         Reviewed by Geoffrey Garen.
1663
1664         * jit/Repatch.cpp:
1665         (JSC::tryRepatchIn): We forgot to check for watchpoints when repatching "in".
1666
1667 2014-05-15  Alex Christensen  <achristensen@webkit.org>
1668
1669         Add pointer lock to features without enabling it.
1670         https://bugs.webkit.org/show_bug.cgi?id=132961
1671
1672         Reviewed by Sam Weinig.
1673
1674         * Configurations/FeatureDefines.xcconfig:
1675         Added ENABLE_POINTER_LOCK to list of features.
1676
1677 2014-05-14  Mark Hahnenberg  <mhahnenberg@apple.com>
1678
1679         Inline caching for proxies clobbers baseGPR too early
1680         https://bugs.webkit.org/show_bug.cgi?id=132916
1681
1682         Reviewed by Filip Pizlo.
1683
1684         We clobber baseGPR prior to the Structure checks, so if any of the checks fail then the slow path 
1685         gets the target of the proxy rather than the proxy itself. We need to delay the clobbering of baseGPR 
1686         until we know the inline cache is going to succeed.
1687
1688         * jit/Repatch.cpp:
1689         (JSC::generateByIdStub):
1690
1691 2014-05-14  Brent Fulgham  <bfulgham@apple.com>
1692
1693         [Win] Unreviewed build fix.
1694
1695         * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: This solution
1696         was missing commands to build LLInt portions of JSC.
1697         * llint/LLIntData.cpp: 64-bit build fix.
1698
1699 2014-05-14  Martin Hodovan <mhodovan.u-szeged@partner.samsung.com>
1700
1701         ARM Traditional buildfix after r168776.
1702         https://bugs.webkit.org/show_bug.cgi?id=132903
1703
1704         Reviewed by Darin Adler.
1705
1706         * assembler/MacroAssemblerARM.h:
1707         (JSC::MacroAssemblerARM::abortWithReason): Added.
1708
1709 2014-05-14  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>
1710
1711         Remove CSS_STICKY_POSITION guards
1712         https://bugs.webkit.org/show_bug.cgi?id=132676
1713
1714         Reviewed by Simon Fraser.
1715
1716         * Configurations/FeatureDefines.xcconfig:
1717
1718 2014-05-13  Filip Pizlo  <fpizlo@apple.com>
1719
1720         JIT breakpoints should be more informative
1721         https://bugs.webkit.org/show_bug.cgi?id=132882
1722
1723         Reviewed by Oliver Hunt.
1724         
1725         Introduce the notion of an AbortReason, which is a nice enumeration of coded assertion
1726         failure names. This means that all you need to figure out why the JIT SIGTRAP'd is to look
1727         at that platform's abort reason register (r11 on X86-64 for example).
1728
1729         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1730         * JavaScriptCore.xcodeproj/project.pbxproj:
1731         * assembler/AbortReason.h: Added.
1732         * assembler/AbstractMacroAssembler.h:
1733         * assembler/MacroAssemblerARM64.h:
1734         (JSC::MacroAssemblerARM64::abortWithReason):
1735         * assembler/MacroAssemblerARMv7.h:
1736         (JSC::MacroAssemblerARMv7::abortWithReason):
1737         * assembler/MacroAssemblerX86.h:
1738         (JSC::MacroAssemblerX86::abortWithReason):
1739         * assembler/MacroAssemblerX86_64.h:
1740         (JSC::MacroAssemblerX86_64::abortWithReason):
1741         * dfg/DFGSlowPathGenerator.h:
1742         (JSC::DFG::SlowPathGenerator::generate):
1743         * dfg/DFGSpeculativeJIT.cpp:
1744         (JSC::DFG::SpeculativeJIT::bail):
1745         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1746         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1747         * dfg/DFGSpeculativeJIT.h:
1748         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
1749         * dfg/DFGSpeculativeJIT32_64.cpp:
1750         (JSC::DFG::SpeculativeJIT::compile):
1751         * dfg/DFGSpeculativeJIT64.cpp:
1752         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1753         (JSC::DFG::SpeculativeJIT::compile):
1754         * dfg/DFGThunks.cpp:
1755         (JSC::DFG::osrEntryThunkGenerator):
1756         * jit/AssemblyHelpers.cpp:
1757         (JSC::AssemblyHelpers::jitAssertIsInt32):
1758         (JSC::AssemblyHelpers::jitAssertIsJSInt32):
1759         (JSC::AssemblyHelpers::jitAssertIsJSNumber):
1760         (JSC::AssemblyHelpers::jitAssertIsJSDouble):
1761         (JSC::AssemblyHelpers::jitAssertIsCell):
1762         (JSC::AssemblyHelpers::jitAssertTagsInPlace):
1763         (JSC::AssemblyHelpers::jitAssertHasValidCallFrame):
1764         (JSC::AssemblyHelpers::jitAssertIsNull):
1765         (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
1766         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
1767         * jit/AssemblyHelpers.h:
1768         (JSC::AssemblyHelpers::checkStackPointerAlignment):
1769         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): Deleted.
1770         * jit/JIT.h:
1771         * jit/JITArithmetic.cpp:
1772         (JSC::JIT::emitSlow_op_div):
1773         * jit/JITOpcodes.cpp:
1774         (JSC::JIT::emitSlow_op_loop_hint):
1775         * jit/JITOpcodes32_64.cpp:
1776         (JSC::JIT::privateCompileCTINativeCall):
1777         * jit/JITPropertyAccess.cpp:
1778         (JSC::JIT::emit_op_get_by_val):
1779         (JSC::JIT::compileGetDirectOffset):
1780         (JSC::JIT::addStructureTransitionCheck): Deleted.
1781         (JSC::JIT::testPrototype): Deleted.
1782         * jit/JITPropertyAccess32_64.cpp:
1783         (JSC::JIT::emit_op_get_by_val):
1784         (JSC::JIT::compileGetDirectOffset):
1785         * jit/RegisterPreservationWrapperGenerator.cpp:
1786         (JSC::generateRegisterRestoration):
1787         * jit/Repatch.cpp:
1788         (JSC::addStructureTransitionCheck):
1789         (JSC::linkClosureCall):
1790         * jit/ThunkGenerators.cpp:
1791         (JSC::emitPointerValidation):
1792         (JSC::nativeForGenerator):
1793         * yarr/YarrJIT.cpp:
1794         (JSC::Yarr::YarrGenerator::generate):
1795
1796 2014-05-13  peavo@outlook.com  <peavo@outlook.com>
1797
1798         [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
1799         https://bugs.webkit.org/show_bug.cgi?id=132772
1800
1801         Reviewed by Geoffrey Garen.
1802
1803         Using the MSVC compiler, an instance of an enum type with value zero is compatible with void* (see bug 132683 for a code example).
1804         This has caused crashes on Windows on two occasions (bug 132683 and bug 121001).
1805         This patch tries to prevent these types of crashes by using a type with explicit constructors instead of void*.
1806         The void* parameter in the loadDouble and storeDouble methods is replaced with TrustedImmPtr.
1807
1808         * assembler/MacroAssemblerARM.h:
1809         (JSC::MacroAssemblerARM::loadDouble):
1810         (JSC::MacroAssemblerARM::storeDouble):
1811         * assembler/MacroAssemblerARM64.h:
1812         (JSC::MacroAssemblerARM64::loadDouble):
1813         (JSC::MacroAssemblerARM64::storeDouble):
1814         * assembler/MacroAssemblerARMv7.h:
1815         (JSC::MacroAssemblerARMv7::loadDouble):
1816         (JSC::MacroAssemblerARMv7::storeDouble):
1817         * assembler/MacroAssemblerMIPS.h:
1818         (JSC::MacroAssemblerMIPS::loadDouble):
1819         (JSC::MacroAssemblerMIPS::storeDouble):
1820         * assembler/MacroAssemblerSH4.h:
1821         (JSC::MacroAssemblerSH4::loadDouble):
1822         (JSC::MacroAssemblerSH4::storeDouble):
1823         * assembler/MacroAssemblerX86.h:
1824         (JSC::MacroAssemblerX86::storeDouble):
1825         * assembler/MacroAssemblerX86Common.h:
1826         (JSC::MacroAssemblerX86Common::absDouble):
1827         (JSC::MacroAssemblerX86Common::negateDouble):
1828         (JSC::MacroAssemblerX86Common::loadDouble):
1829         * dfg/DFGSpeculativeJIT.cpp:
1830         (JSC::DFG::SpeculativeJIT::silentFill):
1831         (JSC::DFG::compileClampDoubleToByte):
1832         * dfg/DFGSpeculativeJIT32_64.cpp:
1833         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1834         (JSC::DFG::SpeculativeJIT::compile):
1835         * jit/AssemblyHelpers.cpp:
1836         (JSC::AssemblyHelpers::purifyNaN):
1837         * jit/JITInlines.h:
1838         (JSC::JIT::emitLoadDouble):
1839         * jit/JITPropertyAccess.cpp:
1840         (JSC::JIT::emitFloatTypedArrayGetByVal):
1841         * jit/ThunkGenerators.cpp:
1842         (JSC::floorThunkGenerator):
1843         (JSC::roundThunkGenerator):
1844         (JSC::powThunkGenerator):
1845
1846 2014-05-12  Commit Queue  <commit-queue@webkit.org>
1847
1848         Unreviewed, rolling out r168642.
1849         https://bugs.webkit.org/show_bug.cgi?id=132839
1850
1851         Broke ARM build (Requested by jpfau on #webkit).
1852
1853         Reverted changeset:
1854
1855         "[Win] Enum type with value zero is compatible with void*,
1856         potential cause of crashes."
1857         https://bugs.webkit.org/show_bug.cgi?id=132772
1858         http://trac.webkit.org/changeset/168642
1859
1860 2014-05-12  peavo@outlook.com  <peavo@outlook.com>
1861
1862         [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
1863         https://bugs.webkit.org/show_bug.cgi?id=132772
1864
1865         Reviewed by Geoffrey Garen.
1866
1867         Using the MSVC compiler, an instance of an enum type with value zero is compatible with void* (see bug 132683 for a code example).
1868         This has caused crashes on Windows on two occasions (bug 132683 and bug 121001).
1869         This patch tries to prevent these types of crashes by using a type with explicit constructors instead of void*.
1870         The void* parameter in the loadDouble and storeDouble methods is replaced with TrustedImmPtr.
1871
1872         * assembler/MacroAssemblerARM.h:
1873         (JSC::MacroAssemblerARM::loadDouble):
1874         (JSC::MacroAssemblerARM::storeDouble):
1875         * assembler/MacroAssemblerARM64.h:
1876         (JSC::MacroAssemblerARM64::loadDouble):
1877         (JSC::MacroAssemblerARM64::storeDouble):
1878         * assembler/MacroAssemblerARMv7.h:
1879         (JSC::MacroAssemblerARMv7::loadDouble):
1880         (JSC::MacroAssemblerARMv7::storeDouble):
1881         * assembler/MacroAssemblerMIPS.h:
1882         (JSC::MacroAssemblerMIPS::loadDouble):
1883         (JSC::MacroAssemblerMIPS::storeDouble):
1884         * assembler/MacroAssemblerSH4.h:
1885         (JSC::MacroAssemblerSH4::loadDouble):
1886         (JSC::MacroAssemblerSH4::storeDouble):
1887         * assembler/MacroAssemblerX86.h:
1888         (JSC::MacroAssemblerX86::storeDouble):
1889         * assembler/MacroAssemblerX86Common.h:
1890         (JSC::MacroAssemblerX86Common::absDouble):
1891         (JSC::MacroAssemblerX86Common::negateDouble):
1892         (JSC::MacroAssemblerX86Common::loadDouble):
1893         * dfg/DFGSpeculativeJIT.cpp:
1894         (JSC::DFG::SpeculativeJIT::silentFill):
1895         (JSC::DFG::compileClampDoubleToByte):
1896         * dfg/DFGSpeculativeJIT32_64.cpp:
1897         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1898         (JSC::DFG::SpeculativeJIT::compile):
1899         * jit/AssemblyHelpers.cpp:
1900         (JSC::AssemblyHelpers::purifyNaN):
1901         * jit/JITInlines.h:
1902         (JSC::JIT::emitLoadDouble):
1903         * jit/JITPropertyAccess.cpp:
1904         (JSC::JIT::emitFloatTypedArrayGetByVal):
1905         * jit/ThunkGenerators.cpp:
1906         (JSC::floorThunkGenerator):
1907         (JSC::roundThunkGenerator):
1908         (JSC::powThunkGenerator):
1909
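The two entries above (the relanded r168642 and its first landing) and the "[Win] Crash when enabling DFG JIT" entry further down describe the same hazard: an overload taking const void* could be selected for a register enumerator whose value is 0, so the store went to address 0. The mock below is an added example of the defensive API shape the fix adopts, written for this page and not taken from JSC's MacroAssembler: the register enums, ImplicitAddress, TrustedImmPtr and MockAssembler are stand-ins, and the recorded operation strings are a constructed way of observing which overload was chosen.

```cpp
#include <cstdint>
#include <string>
#include <type_traits>
#include <vector>

// Mock register enumerations (constructed). On x86 the first GPR (eax) has
// enumerator value 0, which is the value MSVC would treat as a null pointer constant.
enum RegisterID { eax = 0, ecx = 1, edx = 2 };
enum FPRegisterID { xmm0 = 0, xmm1 = 1 };

// Register-relative operand, implicitly constructible from a base register
// (the same shape as a macro-assembler "ImplicitAddress" operand).
struct ImplicitAddress {
    ImplicitAddress(RegisterID b, int off = 0) : base(b), offset(off) {}
    RegisterID base;
    int offset;
};

// Absolute-address operand with an explicit constructor: an absolute store must
// be spelled TrustedImmPtr(ptr), so no enumerator, integer or bare pointer can
// select that overload through an implicit conversion.
struct TrustedImmPtr {
    explicit TrustedImmPtr(const void* p) : value(p) {}
    const void* value;
};

// Minimal assembler mock that records which overload each call resolved to.
class MockAssembler {
public:
    void storeDouble(FPRegisterID src, ImplicitAddress address) {
        ops.push_back("store xmm" + std::to_string(static_cast<int>(src))
                      + " -> [reg" + std::to_string(static_cast<int>(address.base))
                      + "+" + std::to_string(address.offset) + "]");
    }
    void storeDouble(FPRegisterID src, TrustedImmPtr address) {
        ops.push_back("store xmm" + std::to_string(static_cast<int>(src))
                      + " -> [abs " + std::to_string(reinterpret_cast<std::uintptr_t>(address.value)) + "]");
    }
    std::vector<std::string> ops;
};

// Compile-time evidence that every implicit route into the absolute overload is closed.
static_assert(!std::is_convertible<RegisterID, TrustedImmPtr>::value, "enumerator must not convert");
static_assert(!std::is_convertible<int, TrustedImmPtr>::value, "integer must not convert");
static_assert(!std::is_convertible<const void*, TrustedImmPtr>::value, "raw pointer needs an explicit wrap");
static_assert(std::is_convertible<RegisterID, ImplicitAddress>::value, "register operand stays implicit");

// Passing regT0 (== eax == 0) now has exactly one viable overload: the register one.
std::string storeThroughRegister() {
    MockAssembler jit;
    jit.storeDouble(xmm0, eax);
    return jit.ops.back();
}

// An absolute store must name its target explicitly; a constructed stand-in cell here.
std::string storeToAbsoluteAddress() {
    static double cell = 0.0;
    MockAssembler jit;
    jit.storeDouble(xmm0, TrustedImmPtr(&cell));
    return jit.ops.back();
}

// True if no recorded store targets address 0, the failure mode from the bug.
bool noNullStores(const std::vector<std::string>& ops) {
    for (const std::string& op : ops)
        if (op.find("[abs 0]") != std::string::npos)
            return false;
    return true;
}
```

The static_asserts are the part worth keeping in a real code base: they turn "this compiler happens to pick the right overload" into a build-time guarantee that a register operand can never be mistaken for an absolute address.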
1910 2014-05-12  Andreas Kling  <akling@apple.com>
1911
1912         0.4% of PLT3 in JSCell::structure() below JSObject::visitChildren().
1913         <https://webkit.org/b/132828>
1914         <rdar://problem/16886285>
1915
1916         Reviewed by Michael Saboff.
1917
1918         * runtime/JSObject.cpp:
1919         (JSC::JSObject::visitButterfly):
1920         (JSC::JSObject::visitChildren):
1921
1922             Use JSCell::structure(VM&) to reduce the number of hoops we jump
1923             through to find Structures during marking.
1924
1925 2014-05-12  László Langó  <llango.u-szeged@partner.samsung.com>
1926
1927         [cmake] Add missing FTL source files to the build system.
1928
1929         Reviewed by Csaba Osztrogonác.
1930
1931         * CMakeLists.txt:
1932
1933 2014-05-09  Joseph Pecoraro  <pecoraro@apple.com>
1934
1935         Web Inspector: Allow Remote Inspector to entitlement check UIProcess through WebProcess
1936         https://bugs.webkit.org/show_bug.cgi?id=132409
1937
1938         Reviewed by Timothy Hatcher.
1939
1940         Proxy applications are applications which hold WebViews for other
1941         applications. The WebProcess (Web Content Service) is a proxy application.
1942         For legacy reasons we were supporting a scenario where proxy applications
1943         could potentially host WebViews for more than one other application. That
1944         was never the case for WebProcess and it is now a scenario we don't need
1945         to worry about supporting.
1946
1947         With this change, a proxy application more naturally only holds WebViews
1948         for a single parent / host application. The proxy process can set the
1949         parent pid / audit_token data on the RemoteInspector singleton, and
1950         that data will be sent on to webinspectord later on to be validated.
1951         In the WebProcess<->UIProcess relationship that information is known
1952         and set immediately. In the Legacy iOS case that information is set
1953         soon after, but not immediately known at the point the WebView is created.
1954
1955         This allows us to simplify the RemoteInspectorDebuggable interface.
1956         We no longer need a pid per-Debuggable.
1957
1958         * inspector/remote/RemoteInspector.h:
1959         * inspector/remote/RemoteInspector.mm:
1960         (Inspector::RemoteInspector::RemoteInspector):
1961         (Inspector::RemoteInspector::setParentProcessInformation):
1962         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
1963         (Inspector::RemoteInspector::listingForDebuggable):
1964         (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
1965         Handle new proxy application setup message, and provide an API
1966         for a proxy application to set the parent process information.
1967
1968         * inspector/remote/RemoteInspectorConstants.h:
1969         New setup and response message for proxy applications to pass
1970         their parent / host application information to webinspectord.
1971
1972         * inspector/remote/RemoteInspectorDebuggable.cpp:
1973         (Inspector::RemoteInspectorDebuggable::info):
1974         * inspector/remote/RemoteInspectorDebuggable.h:
1975         (Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo):
1976         (Inspector::RemoteInspectorDebuggableInfo::hasParentProcess): Deleted.
1977         pid per debuggable is no longer needed.
1978
1979 2014-05-09  Mark Hahnenberg  <mhahnenberg@apple.com>
1980
1981         JSDOMWindow should disable property caching after a certain point
1982         https://bugs.webkit.org/show_bug.cgi?id=132751
1983
1984         Reviewed by Filip Pizlo.
1985
1986         This is part of removing HasImpureGetOwnPropertySlot from JSDOMWindow. After the lookup in the static 
1987         hash table for JSDOMWindow fails we want to disable property caching even if the code that follows thinks 
1988         that it has provided a cacheable value.
1989
1990         * runtime/PropertySlot.h:
1991         (JSC::PropertySlot::PropertySlot):
1992         (JSC::PropertySlot::isCacheable):
1993         (JSC::PropertySlot::disableCaching):
1994
1995 2014-05-09  Andreas Kling  <akling@apple.com>
1996
1997         8.8% spent in Object.prototype.hasOwnProperty() on sbperftest.
1998         <https://webkit.org/b/132749>
1999
2000         Leverage the fast-resolve-to-AtomicString optimization for JSRopeString
2001         in Object.prototype.* by using JSString::toIdentifier() in the cases where
2002         we are converting JSString -> String -> Identifier.
2003
2004         This brings time spent in hasOwnProperty() from 8.8% to 1.3% on
2005         "The Great HTML5 Gaming Performance Test: 2014 edition"
2006         <http://www.scirra.com/demos/c2/sbperftest/>
2007
2008         Reviewed by Oliver Hunt.
2009
2010         * runtime/ObjectPrototype.cpp:
2011         (JSC::objectProtoFuncHasOwnProperty):
2012         (JSC::objectProtoFuncDefineGetter):
2013         (JSC::objectProtoFuncDefineSetter):
2014         (JSC::objectProtoFuncLookupGetter):
2015         (JSC::objectProtoFuncLookupSetter):
2016
2017 2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>
2018
2019         JSDOMWindow should have a WatchpointSet to fire on window close
2020         https://bugs.webkit.org/show_bug.cgi?id=132721
2021
2022         Reviewed by Filip Pizlo.
2023
2024         This patch allows us to reset the inline caches that assumed they could skip 
2025         the first part of JSDOMWindow::getOwnPropertySlot that checks if the window has 
2026         been closed. This is part of getting rid of HasImpureGetOwnPropertySlot on JSDOMWindow.
2027
2028         PropertySlot now accepts a WatchpointSet which the inline cache code can look for
2029         to see if it should create a new Watchpoint for that particular inline cache site.
2030
2031         * bytecode/Watchpoint.h:
2032         * jit/Repatch.cpp:
2033         (JSC::generateByIdStub):
2034         (JSC::tryBuildGetByIDList):
2035         (JSC::tryCachePutByID):
2036         (JSC::tryBuildPutByIdList):
2037         * runtime/PropertySlot.h:
2038         (JSC::PropertySlot::PropertySlot):
2039         (JSC::PropertySlot::watchpointSet):
2040         (JSC::PropertySlot::setWatchpointSet):
2041
2042 2014-05-09  Tanay C  <tanay.c@samsung.com>
2043
2044         Fix build warning (uninitialized variable) in DFGFixupPhase.cpp 
2045         https://bugs.webkit.org/show_bug.cgi?id=132331
2046
2047         Reviewed by Darin Adler.
2048
2049         * dfg/DFGFixupPhase.cpp:
2050         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2051
2052 2014-05-09  peavo@outlook.com  <peavo@outlook.com>
2053
2054         [Win] Crash when enabling DFG JIT.
2055         https://bugs.webkit.org/show_bug.cgi?id=132683
2056
2057         Reviewed by Geoffrey Garen.
2058
2059         On Windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0),
2060         results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
2061         where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
2062         This causes the register to be written to address 0, hence the crash.
2063
2064         * dfg/DFGOSRExitCompiler32_64.cpp:
2065         (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
2066         * dfg/DFGOSRExitCompiler64.cpp:
2067         (JSC::DFG::OSRExitCompiler::compileExit): Ditto.
2068
2069 2014-05-09  Martin Hodovan <mhodovan.u-szeged@partner.samsung.com>
2070
2071         REGRESSION(r167094): JSC crashes on ARM Traditional
2072         https://bugs.webkit.org/show_bug.cgi?id=132738
2073
2074         Reviewed by Zoltan Herczeg.
2075
2076         PC is two instructions ahead of the current instruction
2077         on ARM Traditional, so the distance is 8 bytes not 2.
2078
2079         * llint/LowLevelInterpreter.asm:
2080
2081 2014-05-09  Alberto Garcia  <berto@igalia.com>
2082
2083         jsmin.py license header confusing, mentions non-free license
2084         https://bugs.webkit.org/show_bug.cgi?id=123665
2085
2086         Reviewed by Darin Adler.
2087
2088         Pull the most recent version from upstream, which has a clear
2089         license.
2090
2091         * inspector/scripts/jsmin.py:
2092
2093 2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>
2094
2095         Base case for get-by-id inline cache doesn't check for HasImpureGetOwnPropertySlot
2096         https://bugs.webkit.org/show_bug.cgi?id=132695
2097
2098         Reviewed by Filip Pizlo.
2099
2100         We check in the case where we're accessing something other than the base object (e.g. the prototype), 
2101         but we fail to do so for the base object.
2102
2103         * jit/Repatch.cpp:
2104         (JSC::tryCacheGetByID):
2105         (JSC::tryBuildGetByIDList):
2106         * jsc.cpp: Added some infrastructure to support this test. We don't currently trigger this bug anywhere in WebKit
2107         because all of the values that are returned that could be impure are set to uncacheable anyways.
2108         (WTF::ImpureGetter::ImpureGetter):
2109         (WTF::ImpureGetter::createStructure):
2110         (WTF::ImpureGetter::create):
2111         (WTF::ImpureGetter::finishCreation):
2112         (WTF::ImpureGetter::getOwnPropertySlot):
2113         (WTF::ImpureGetter::visitChildren):
2114         (WTF::ImpureGetter::setDelegate):
2115         (GlobalObject::finishCreation):
2116         (functionCreateImpureGetter):
2117         (functionSetImpureGetterDelegate):
2118         * tests/stress/impure-get-own-property-slot-inline-cache.js: Added.
2119         (foo):
2120
2121 2014-05-08  Filip Pizlo  <fpizlo@apple.com>
2122
2123         deleteAllCompiledCode() shouldn't use the suspension worklist
2124         https://bugs.webkit.org/show_bug.cgi?id=132708
2125
2126         Reviewed by Mark Hahnenberg.
2127
2128         * bytecode/CodeBlock.cpp:
2129         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
2130         * dfg/DFGPlan.cpp:
2131         (JSC::DFG::Plan::isStillValid):
2132         * heap/Heap.cpp:
2133         (JSC::Heap::deleteAllCompiledCode):
2134
2135 2014-05-08  Filip Pizlo  <fpizlo@apple.com>
2136
2137         SSA conversion should delete PhantomLocals for captured variables
2138         https://bugs.webkit.org/show_bug.cgi?id=132693
2139
2140         Reviewed by Mark Hahnenberg.
2141
2142         * dfg/DFGCommon.cpp:
2143         (JSC::DFG::startCrashing): Parallel JIT and a JIT bug means that we may dump IR in parallel. This is the workaround. This patch uses it in all of the places where we dump IR and crash.
2144         * dfg/DFGCommon.h:
2145         * dfg/DFGFixupPhase.cpp:
2146         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): Use the workaround.
2147         * dfg/DFGLivenessAnalysisPhase.cpp:
2148         (JSC::DFG::LivenessAnalysisPhase::run): Use the workaround.
2149         * dfg/DFGSSAConversionPhase.cpp:
2150         (JSC::DFG::SSAConversionPhase::run): Fix the bug - it's true that PhantomLocal for captured variables doesn't need anything done to it, but it's wrong that we didn't delete it outright.
2151         * dfg/DFGValidate.cpp: Use the workaround.
2152         * tests/stress/phantom-local-captured-but-not-flushed-to-ssa.js: Added.
2153         (foo):
2154         (bar):
2155
2156 2014-05-07  Commit Queue  <commit-queue@webkit.org>
2157
2158         Unreviewed, rolling out r168451.
2159         https://bugs.webkit.org/show_bug.cgi?id=132670
2160
2161         Not a speed-up, just do what other compilers do. (Requested by
2162         kling on #webkit).
2163
2164         Reverted changeset:
2165
2166         "[X86] Emit BT instruction for single-bit tests."
2167         https://bugs.webkit.org/show_bug.cgi?id=132650
2168         http://trac.webkit.org/changeset/168451
2169
2170 2014-05-07  Filip Pizlo  <fpizlo@apple.com>
2171
2172         Make Executable::clearCode() actually clear all of the entrypoints, and
2173         clean up some other FTL-related calling convention stuff.
2174         <rdar://problem/16720172>
2175
2176         Rubber stamped by Mark Hahnenberg.
2177
2178         * dfg/DFGOperations.cpp:
2179         * dfg/DFGOperations.h:
2180         * dfg/DFGWorklist.cpp:
2181         (JSC::DFG::Worklist::Worklist):
2182         (JSC::DFG::Worklist::finishCreation):
2183         (JSC::DFG::Worklist::create):
2184         (JSC::DFG::ensureGlobalDFGWorklist):
2185         (JSC::DFG::ensureGlobalFTLWorklist):
2186         * dfg/DFGWorklist.h:
2187         * heap/CodeBlockSet.cpp:
2188         (JSC::CodeBlockSet::dump):
2189         * heap/CodeBlockSet.h:
2190         * runtime/Executable.cpp:
2191         (JSC::ExecutableBase::clearCode):
2192
2193 2014-05-07  Andreas Kling  <akling@apple.com>
2194
2195         [X86] Emit BT instruction for single-bit tests.
2196         <https://webkit.org/b/132650>
2197
2198         Implement test-bit-and-branch slightly more efficiently by using
2199         BT + JC/JNC instead of TEST + JZ/JNZ when we're only testing for
2200         a single bit.
2201
2202         Reviewed by Michael Saboff.
2203
2204         * assembler/MacroAssemblerX86Common.h:
2205         (JSC::MacroAssemblerX86Common::singleBitIndex):
2206         (JSC::MacroAssemblerX86Common::branchTest32):
2207         * assembler/X86Assembler.h:
2208         (JSC::X86Assembler::bt_i8r):
2209         (JSC::X86Assembler::bt_i8m):
2210
2211 2014-05-07  Mark Lam  <mark.lam@apple.com>
2212
2213         REGRESSION(r166678): Dromaeo/cssquery-dojo.html crashes regularly.
2214         <https://webkit.org/b/131356>
2215
2216         Reviewed by Geoffrey Garen.
2217
2218         The issue is that GC needs to be made aware of writes to m_inferredValue
2219         in the VariableWatchpointSet, but was not.  As a result, if a JSCell*
2220         is written to a VariableWatchpointSet m_inferredValue, and that JSCell
2221         does not survive an eden GC shortly after, we will end up with a stale
2222         JSCell pointer left in the m_inferredValue.
2223
2224         This issue can be detected more easily by running Dromaeo/cssquery-dojo.html
2225         using DumpRenderTree with the VM heap in zombie mode.
2226
2227         The fix is to change VariableWatchpointSet m_inferredValue to type
2228         WriteBarrier<Unknown> and ensure that VariableWatchpointSet::notifyWrite()
2229         is executed by all the execution engines so that the WriteBarrier semantics
2230         are honored.
2231
2232         We still check if the value to be written is the same as the one in the
2233         inferredValue.  We'll by-pass calling the slow path notifyWrite() if the
2234         values are the same.
2235
2236         * JavaScriptCore.xcodeproj/project.pbxproj:
2237         * bytecode/CodeBlock.cpp:
2238         (JSC::CodeBlock::CodeBlock):
2239         - need to pass the symbolTable to prepareToWatch() because it will be needed
2240           for instantiating the VariableWatchpointSet in prepareToWatch().
2241
2242         * bytecode/VariableWatchpointSet.h:
2243         (JSC::VariableWatchpointSet::VariableWatchpointSet):
2244         - VariableWatchpointSet now tracks its owner symbol table for its m_inferredValue
2245           write barrier, and yes, m_inferredValue is now of type WriteBarrier<Unknown>.
2246         (JSC::VariableWatchpointSet::inferredValue):
2247         (JSC::VariableWatchpointSet::invalidate):
2248         (JSC::VariableWatchpointSet::finalizeUnconditionally):
2249         (JSC::VariableWatchpointSet::addressOfInferredValue):
2250         (JSC::VariableWatchpointSet::notifyWrite): Deleted.
2251         * bytecode/VariableWatchpointSetInlines.h: Added.
2252         (JSC::VariableWatchpointSet::notifyWrite):
2253
2254         * dfg/DFGByteCodeParser.cpp:
2255         (JSC::DFG::ByteCodeParser::cellConstant):
2256         - Added an assert in case we try to make constants of zombified JSCells again.
2257
2258         * dfg/DFGOperations.cpp:
2259         * dfg/DFGOperations.h:
2260         * dfg/DFGSpeculativeJIT.h:
2261         (JSC::DFG::SpeculativeJIT::callOperation):
2262         * dfg/DFGSpeculativeJIT32_64.cpp:
2263         (JSC::DFG::SpeculativeJIT::compile):
2264         * dfg/DFGSpeculativeJIT64.cpp:
2265         (JSC::DFG::SpeculativeJIT::compile):
2266         - We now let the slow path handle the cases when the VariableWatchpointSet is
2267           in state ClearWatchpoint and IsWatched, and the slow path will ensure that
2268           we handle the needed write barrier semantics correctly.
2269           We will by-pass the slow path if the value being written is the same as the
2270           inferred value.
2271
2272         * ftl/FTLIntrinsicRepository.h:
2273         * ftl/FTLLowerDFGToLLVM.cpp:
2274         (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
2275         - Let the slow path handle the cases when the VariableWatchpointSet is
2276           in state ClearWatchpoint and IsWatched.
2277           We will by-pass the slow path if the value being written is the same as the
2278           inferred value.
2279
2280         * heap/Heap.cpp:
2281         (JSC::Zombify::operator()):
2282         - Use a different value for the zombified bits (to distinguish it from 0xbbadbeef
2283           which is used everywhere else).
2284         * heap/Heap.h:
2285         (JSC::Heap::isZombified):
2286         - Provide a convenience test function to check if JSCells are zombified.  This is
2287           currently only used in an assertion in the DFG bytecode parser, but the intent
2288           is that we'll apply this test in other strategic places later to help with early
2289           detection of usage of GC'ed objects when we run in zombie mode.
2290
2291         * jit/JITOpcodes.cpp:
2292         (JSC::JIT::emitSlow_op_captured_mov):
2293         * jit/JITOperations.h:
2294         * jit/JITPropertyAccess.cpp:
2295         (JSC::JIT::emitNotifyWrite):
2296         * jit/JITPropertyAccess32_64.cpp:
2297         (JSC::JIT::emitNotifyWrite):
2298         (JSC::JIT::emitSlow_op_put_to_scope):
2299         - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
2300           is in state ClearWatchpoint and IsWatched.
2301           We will by-pass the slow path if the value being written is the same as the
2302           inferred value.
2303         
2304         * llint/LowLevelInterpreter32_64.asm:
2305         * llint/LowLevelInterpreter64.asm:
2306         - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
2307           is in state ClearWatchpoint and IsWatched.
2308           We will by-pass the slow path if the value being written is the same as the
2309           inferred value.
2310         
2311         * runtime/CommonSlowPaths.cpp:
2312
2313         * runtime/JSCJSValue.h: Fixed some typos in the comments.
2314         * runtime/JSGlobalObject.cpp:
2315         (JSC::JSGlobalObject::addGlobalVar):
2316         (JSC::JSGlobalObject::addFunction):
2317         * runtime/JSSymbolTableObject.h:
2318         (JSC::symbolTablePut):
2319         (JSC::symbolTablePutWithAttributes):
2320         * runtime/SymbolTable.cpp:
2321         (JSC::SymbolTableEntry::prepareToWatch):
2322         (JSC::SymbolTableEntry::notifyWriteSlow):
2323         * runtime/SymbolTable.h:
2324         (JSC::SymbolTableEntry::notifyWrite):
2325
2326 2014-05-06  Michael Saboff  <msaboff@apple.com>
2327
2328         Unreviewed build fix for C-LOOP after r168396.
2329
2330         * runtime/TestRunnerUtils.cpp:
2331         (JSC::optimizeNextInvocation): Wrapped actual call inside #if ENABLE(JIT)
2332
2333 2014-05-06  Michael Saboff  <msaboff@apple.com>
2334
2335         Add test for deleteAllCompiledCode
2336         https://bugs.webkit.org/show_bug.cgi?id=132632
2337
2338         Reviewed by Phil Pizlo.
2339
2340         Added two new hooks to jsc, one to call Heap::deleteAllCompiledCode() and
2341         the other to call CodeBlock::optimizeNextInvocation().  Used these two hooks
2342         to write a test that will queue up loads of DFG compiles and then call
2343         Heap::deleteAllCompiledCode() to make sure that it can handle compiled
2344         code as well as code being compiled.
2345
2346         * jsc.cpp:
2347         (GlobalObject::finishCreation):
2348         (functionDeleteAllCompiledCode):
2349         (functionOptimizeNextInvocation):
2350         * runtime/TestRunnerUtils.cpp:
2351         (JSC::optimizeNextInvocation):
2352         * runtime/TestRunnerUtils.h:
2353         * tests/stress/deleteAllCompiledCode.js: Added.
2354         (functionList):
2355         (runTest):
2356
2357 2014-05-06  Andreas Kling  <akling@apple.com>
2358
2359         JSString::toAtomicString() should return AtomicString.
2360         <https://webkit.org/b/132627>
2361
2362         Remove premature optimization where I was trying to avoid refcount
2363         churn when returning an already atomicized String.
2364
2365         Instead of using reinterpret_cast to mangle the String member into
2366         a const AtomicString& return value, just return AtomicString.
2367
2368         Reviewed by Geoff Garen.
2369
2370         * runtime/JSString.h:
2371         (JSC::JSString::toAtomicString):
2372
2373 2014-05-06  Mark Hahnenberg  <mhahnenberg@apple.com>
2374
2375         Roll out r167889
2376
2377         Rubber stamped by Geoff Garen.
2378
2379         It broke some websites.
2380
2381         * runtime/JSPropertyNameIterator.cpp:
2382         (JSC::JSPropertyNameIterator::create):
2383         * runtime/PropertyMapHashTable.h:
2384         (JSC::PropertyTable::hasDeletedOffset):
2385         (JSC::PropertyTable::hadDeletedOffset): Deleted.
2386         * runtime/Structure.cpp:
2387         (JSC::Structure::Structure):
2388         (JSC::Structure::materializePropertyMap):
2389         (JSC::Structure::removePropertyTransition):
2390         (JSC::Structure::changePrototypeTransition):
2391         (JSC::Structure::despecifyFunctionTransition):
2392         (JSC::Structure::attributeChangeTransition):
2393         (JSC::Structure::toDictionaryTransition):
2394         (JSC::Structure::preventExtensionsTransition):
2395         (JSC::Structure::addPropertyWithoutTransition):
2396         (JSC::Structure::removePropertyWithoutTransition):
2397         (JSC::Structure::pin):
2398         (JSC::Structure::pinAndPreventTransitions): Deleted.
2399         * runtime/Structure.h:
2400         * runtime/StructureInlines.h:
2401         (JSC::Structure::setEnumerationCache):
2402         (JSC::Structure::propertyTable):
2403         (JSC::Structure::checkOffsetConsistency):
2404         (JSC::Structure::hadDeletedOffsets): Deleted.
2405         * tests/stress/for-in-after-delete.js:
2406         (foo): Deleted.
2407
2408 2014-05-05  Andreas Kling  <akling@apple.com>
2409
2410         Fix debug build.
2411
2412         * runtime/JSCellInlines.h:
2413         (JSC::JSCell::fastGetOwnProperty):
2414
2415 2014-05-05  Andreas Kling  <akling@apple.com>
2416
2417         Optimize GetByVal when subscript is a rope string.
2418         <https://webkit.org/b/132590>
2419
2420         Use JSString::toIdentifier() in the various GetByVal implementations
2421         to try and avoid allocating extra strings.
2422
2423         Added canUseFastGetOwnProperty() and wrap calls to fastGetOwnProperty()
2424         in that, to avoid calling JSString::value() which always resolves ropes
2425         into new strings and de-optimizes subsequent toIdentifier() calls.
2426
2427         My iMac says ~9% progression on Dromaeo/dom-attr.html
2428
2429         Reviewed by Phil Pizlo.
2430
2431         * dfg/DFGOperations.cpp:
2432         * jit/JITOperations.cpp:
2433         (JSC::getByVal):
2434         * llint/LLIntSlowPaths.cpp:
2435         (JSC::LLInt::getByVal):
2436         * runtime/JSCell.h:
2437         * runtime/JSCellInlines.h:
2438         (JSC::JSCell::fastGetOwnProperty):
2439         (JSC::JSCell::canUseFastGetOwnProperty):
2440
2441 2014-05-05  Andreas Kling  <akling@apple.com>
2442
2443         REGRESSION (r168256): ASSERTION FAILED: (buffer + m_length) == position loading vanityfair.com article.
2444         <https://webkit.org/b/168256>
2445         <rdar://problem/16816316>
2446
2447         Make resolveRopeSlowCase8() behave like its 16-bit counterpart and not
2448         clear the fibers. The caller takes care of this.
2449
2450         Test: fast/dom/getElementById-with-rope-string-arg.html
2451
2452         Reviewed by Geoffrey Garen.
2453
2454         * runtime/JSString.cpp:
2455         (JSC::JSRopeString::resolveRopeSlowCase8):
2456
2457 2014-05-05  Michael Saboff  <msaboff@apple.com>
2458
2459         REGRESSION: RELEASE_ASSERT in CodeBlock::baselineVersion @ cnn.com
2460         https://bugs.webkit.org/show_bug.cgi?id=132581
2461
2462         Reviewed by Filip Pizlo.
2463
2464         * dfg/DFGPlan.cpp:
2465         (JSC::DFG::Plan::isStillValid): Check that the alternative codeBlock we
2466         started compiling for is still the same at the end of compilation.
2467         Also did some minor restructuring.
2468
2469 2014-05-05  Andreas Kling  <akling@apple.com>
2470
2471         Optimize PutByVal when subscript is a rope string.
2472         <https://webkit.org/b/132572>
2473
2474         Add a JSString::toIdentifier() that is smarter when the JSString is
2475         really a rope string. Use this in baseline & DFG's PutByVal to avoid
2476         allocating new StringImpls that we immediately deduplicate anyway.
2477
2478         Reviewed by Antti Koivisto.
2479
2480         * dfg/DFGOperations.cpp:
2481         (JSC::DFG::operationPutByValInternal):
2482         * jit/JITOperations.cpp:
2483         * runtime/JSString.h:
2484         (JSC::JSString::toIdentifier):
2485
2486 2014-05-05  Andreas Kling  <akling@apple.com>
2487
2488         Remove two now-incorrect assertions after r168256.
2489
2490         * runtime/JSString.cpp:
2491         (JSC::JSRopeString::resolveRopeSlowCase8):
2492         (JSC::JSRopeString::resolveRopeSlowCase):
2493
2494 2014-05-04  Andreas Kling  <akling@apple.com>
2495
2496         Optimize JSRopeString for resolving directly to AtomicString.
2497         <https://webkit.org/b/132548>
2498
2499         If we know that the JSRopeString we are resolving is going to be used
2500         as an AtomicString, we can try to avoid creating a new string.
2501
2502         We do this by first resolving the rope into a stack buffer, and using
2503         that buffer as a key into the AtomicString table. If there is already
2504         an AtomicString with the same characters, we reuse that instead of
2505         constructing a new StringImpl.
2506
2507         JSString gains these two public functions:
2508
2509         - AtomicString toAtomicString()
2510
2511             Returns an AtomicString, tries to avoid allocating a new string
2512             if possible.
2513
2514         - AtomicStringImpl* toExistingAtomicString()
2515
2516             Returns a non-null AtomicStringImpl* if one already exists in the
2517             AtomicString table. If none is found, the rope is left unresolved.
2518
2519         Reviewed by Filip Pizlo.
2520
2521         * runtime/JSString.cpp:
2522         (JSC::JSRopeString::resolveRopeInternal8):
2523         (JSC::JSRopeString::resolveRopeInternal16):
2524         (JSC::JSRopeString::resolveRopeToAtomicString):
2525         (JSC::JSRopeString::clearFibers):
2526         (JSC::JSRopeString::resolveRopeToExistingAtomicString):
2527         (JSC::JSRopeString::resolveRope):
2528         (JSC::JSRopeString::outOfMemory):
2529         * runtime/JSString.h:
2530         (JSC::JSString::toAtomicString):
2531         (JSC::JSString::toExistingAtomicString):
2532
2533 2014-05-04  Andreas Kling  <akling@apple.com>
2534
2535         Unreviewed, rolling out r168254.
2536
2537         Very crashy on debug JSC tests.
2538
2539         Reverted changeset:
2540
2541         "jsSubstring() should be lazy"
2542         https://bugs.webkit.org/show_bug.cgi?id=132556
2543         http://trac.webkit.org/changeset/168254
2544
2545 2014-05-04  Filip Pizlo  <fpizlo@apple.com>
2546
2547         jsSubstring() should be lazy
2548         https://bugs.webkit.org/show_bug.cgi?id=132556
2549
2550         Reviewed by Andreas Kling.
2551         
2552         jsSubstring() is now lazy by using a special rope that is a substring instead of a
2553         concatenation. To make this patch super simple, we require that a substring's base is
2554         never a rope. Hence, when resolving a rope, we either go down a non-recursive substring
2555         path, or we go down a concatenation path which may see exactly one level of substrings in
2556         its fibers.
2557         
2558         This is up to a 50% speed-up on microbenchmarks and a 10% speed-up on Octane/regexp.
2559
2560         * heap/MarkedBlock.cpp:
2561         (JSC::MarkedBlock::specializedSweep):
2562         * runtime/JSString.cpp:
2563         (JSC::JSRopeString::visitFibers):
2564         (JSC::JSRopeString::resolveRope):
2565         (JSC::JSRopeString::resolveRopeSlowCase8):
2566         (JSC::JSRopeString::resolveRopeSlowCase):
2567         (JSC::JSRopeString::outOfMemory):
2568         * runtime/JSString.h:
2569         (JSC::JSRopeString::finishCreation):
2570         (JSC::JSRopeString::append):
2571         (JSC::JSRopeString::create):
2572         (JSC::JSRopeString::offsetOfFibers):
2573         (JSC::JSRopeString::fiber):
2574         (JSC::JSRopeString::substringBase):
2575         (JSC::JSRopeString::substringOffset):
2576         (JSC::JSRopeString::substringSentinel):
2577         (JSC::JSRopeString::isSubstring):
2578         (JSC::jsSubstring):
2579         * runtime/RegExpMatchesArray.cpp:
2580         (JSC::RegExpMatchesArray::reifyAllProperties):
2581         * runtime/StringPrototype.cpp:
2582         (JSC::stringProtoFuncSubstring):
2583
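        The two rope designs described in this entry and in the 2014-05-04 "Optimize JSRopeString for resolving directly to AtomicString" entry above, as an added illustration that is not JavaScriptCore's code: a toy rope with lazy substring nodes whose base is never itself a rope, plus a lookup that resolves into a scratch buffer and reuses an existing atom-table entry instead of allocating. All identifiers (RopeString, resolveInto, AtomicTable, and the rest) are assumed names modelled on the entries.

```cpp
// Added illustration (not JavaScriptCore code): a toy rope string modelling
// lazy substrings whose base is never a rope, and resolving a rope straight
// into an existing AtomicString table entry. All identifiers are assumed names.
#include <memory>
#include <string>
#include <unordered_set>
#include <vector>

struct RopeString;
using RopePtr = std::shared_ptr<RopeString>;

struct RopeString {
    bool resolved = false;        // true once `value` holds the characters
    std::string value;            // flat characters (valid when resolved)
    std::vector<RopePtr> fibers;  // concatenation fibers (concat rope only)
    RopePtr substringBase;        // substring rope: the base is always flat
    size_t substringOffset = 0;
    size_t length = 0;

    bool isRope() const { return !resolved; }
    bool isSubstring() const { return substringBase != nullptr; }
};

RopePtr makeFlat(std::string s) {
    auto r = std::make_shared<RopeString>();
    r->resolved = true;
    r->length = s.size();
    r->value = std::move(s);
    return r;
}

RopePtr makeConcat(RopePtr a, RopePtr b) {
    auto r = std::make_shared<RopeString>();
    r->length = a->length + b->length;
    r->fibers = {std::move(a), std::move(b)};
    return r;
}

// Appends the characters of `node` to `out` without mutating the rope. The
// invariant "a substring's base is never a rope" keeps the substring path
// non-recursive; the concatenation path may meet substrings among its fibers
// but never a substring of a substring.
void resolveInto(const RopeString& node, std::string& out) {
    if (node.resolved) {
        out += node.value;
    } else if (node.isSubstring()) {
        out.append(node.substringBase->value, node.substringOffset, node.length);
    } else {
        for (const RopePtr& fiber : node.fibers)
            resolveInto(*fiber, out);
    }
}

// Flattens a rope in place, caching the characters and dropping the fibers
// and substring base (the analogue of clearFibers()).
const std::string& resolveRope(RopeString& node) {
    if (node.resolved)
        return node.value;
    std::string out;
    out.reserve(node.length);
    resolveInto(node, out);
    node.value = std::move(out);
    node.resolved = true;
    node.fibers.clear();
    node.substringBase.reset();
    return node.value;
}

// Lazy substring: no characters are copied. A rope base is resolved first so
// the new node's base is guaranteed to be flat.
RopePtr jsSubstring(RopePtr base, size_t offset, size_t length) {
    resolveRope(*base);
    auto r = std::make_shared<RopeString>();
    r->substringBase = std::move(base);
    r->substringOffset = offset;
    r->length = length;
    return r;
}

using AtomicTable = std::unordered_set<std::string>;

// Resolves into a scratch buffer and looks the characters up in the table.
// Returns the table's existing string or nullptr; the rope stays unresolved.
const std::string* toExistingAtomicString(const RopeString& node,
                                          const AtomicTable& table) {
    std::string scratch;
    resolveInto(node, scratch);
    auto it = table.find(scratch);
    return it == table.end() ? nullptr : &*it;
}

// Returns the interned string, creating a table entry only when none exists.
const std::string& toAtomicString(const RopeString& node, AtomicTable& table) {
    if (const std::string* existing = toExistingAtomicString(node, table))
        return *existing;
    std::string scratch;
    resolveInto(node, scratch);
    return *table.insert(std::move(scratch)).first;
}
```
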
2584 2014-05-02  Michael Saboff  <msaboff@apple.com>
2585
2586         "arm64 function not 4-byte aligned" warnings when building JSC
2587         https://bugs.webkit.org/show_bug.cgi?id=132495
2588
2589         Reviewed by Geoffrey Garen.
2590
2591         Added ".align 4" for both ARM Thumb2 and ARM 64 to silence the linker.
2592
2593         * llint/LowLevelInterpreter.cpp:
2594
2595 2014-05-02  Mark Hahnenberg  <mhahnenberg@apple.com>
2596
2597         Fix cloop build after r168178
2598
2599         * bytecode/CodeBlock.cpp:
2600
2601 2014-05-01  Mark Hahnenberg  <mhahnenberg@apple.com>
2602
2603         Add a DFG function whitelist
2604         https://bugs.webkit.org/show_bug.cgi?id=132437
2605
2606         Reviewed by Geoffrey Garen.
2607
2608         Oftentimes when debugging, using bytecode ranges isn't enough to narrow down to the
2609         particular DFG block that's causing issues. This patch adds the ability to whitelist
2610         specific functions specified in a file to enable further filtering without having to recompile.
2611
2612         * CMakeLists.txt:
2613         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2614         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2615         * JavaScriptCore.xcodeproj/project.pbxproj:
2616         * dfg/DFGCapabilities.cpp:
2617         (JSC::DFG::isSupported):
2618         (JSC::DFG::mightInlineFunctionForCall):
2619         (JSC::DFG::mightInlineFunctionForClosureCall):
2620         (JSC::DFG::mightInlineFunctionForConstruct):
2621         * dfg/DFGFunctionWhitelist.cpp: Added.
2622         (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
2623         (JSC::DFG::FunctionWhitelist::FunctionWhitelist):
2624         (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
2625         (JSC::DFG::FunctionWhitelist::contains):
2626         * dfg/DFGFunctionWhitelist.h: Added.
2627         * runtime/Options.cpp:
2628         (JSC::parse):
2629         (JSC::Options::dumpOption):
2630         * runtime/Options.h:
2631
2632 2014-05-02  Filip Pizlo  <fpizlo@apple.com>
2633
2634         DFGAbstractInterpreter should not claim Int52 arithmetic creates Int52s
2635         https://bugs.webkit.org/show_bug.cgi?id=132446
2636
2637         Reviewed by Mark Hahnenberg.
2638         
2639         Basically any arithmetic operation can turn an Int52 into an Int32 or vice-versa, and
2640         our modeling of Int52Rep nodes is such that they can have either Int32 or Int52 type
2641         to indicate a bound on the value. This is useful for knowing, for example, that
2642         Int52Rep(Int32:) returns a value that cannot be outside the Int32 range. Also,
2643         ValueRep(Int52Rep:) uses this to determine whether it may return a double or an int.
2644         But this means that all arithmetic operations must be careful to note that they may
2645         turn Int32 inputs into an Int52 output or vice-versa, as these new tests show.
2646
2647         * dfg/DFGAbstractInterpreterInlines.h:
2648         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2649         * dfg/DFGByteCodeParser.cpp:
2650         (JSC::DFG::ByteCodeParser::makeSafe):
2651         * tests/stress/int52-ai-add-then-filter-int32.js: Added.
2652         (foo):
2653         * tests/stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js: Added.
2654         (foo):
2655         * tests/stress/int52-ai-mul-then-filter-int32-directly.js: Added.
2656         (foo):
2657         * tests/stress/int52-ai-mul-then-filter-int32.js: Added.
2658         (foo):
2659         * tests/stress/int52-ai-neg-then-filter-int32.js: Added.
2660         (foo):
2661         * tests/stress/int52-ai-sub-then-filter-int32.js: Added.
2662         (foo):
2663
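        The range argument above, as an added illustration that is not JavaScriptCore's code: a toy Int32/Int52 abstract domain with an unsound transfer function (result type = union of the input types) beside a sound one, checked against concrete witnesses for add, sub, mul and neg. The identifiers are assumed names, and the real DFG lattice is richer than this.

```cpp
// Added illustration (not JavaScriptCore code): a toy abstract domain for the
// Int32/Int52 bound carried by Int52Rep values, with an unsound transfer
// function beside a sound one and concrete witnesses that separate them.
// All identifiers are assumed names.
#include <cstdint>

enum TypeBits : unsigned {
    TypeNone  = 0,
    TypeInt32 = 1u << 0,  // fits the Int32 range
    TypeInt52 = 1u << 1,  // fits Int52 but not Int32
    TypeOther = 1u << 2,  // outside Int52; would need a double
};

constexpr int64_t kInt52Max = (int64_t(1) << 51) - 1;
constexpr int64_t kInt52Min = -(int64_t(1) << 51);

// Concrete value -> abstract type (exactly one bit set).
unsigned classify(int64_t v) {
    if (v >= INT32_MIN && v <= INT32_MAX) return TypeInt32;
    if (v >= kInt52Min && v <= kInt52Max) return TypeInt52;
    return TypeOther;
}

enum class Op { Add, Sub, Mul, Neg };

// Concrete semantics on int64_t; witnesses are kept small enough not to overflow.
int64_t apply(Op op, int64_t x, int64_t y) {
    switch (op) {
    case Op::Add: return x + y;
    case Op::Sub: return x - y;
    case Op::Mul: return x * y;
    case Op::Neg: return -x;  // unary: y is ignored
    }
    return 0;
}

// Unsound transfer: "the result has the type(s) of its inputs". Two Int32
// inputs are claimed to yield Int32 and two Int52 inputs to yield Int52;
// neither claim holds, as the witnesses show.
unsigned unsoundTransfer(Op, unsigned a, unsigned b) { return a | b; }

// Sound transfer: each of these operations may cross the Int32/Int52 boundary
// in either direction, so the result is only known to be some Int52-range
// value. (Assumes, as a checked node does, that overflow out of Int52 exits.)
unsigned soundTransfer(Op, unsigned, unsigned) { return TypeInt32 | TypeInt52; }

using Transfer = unsigned (*)(Op, unsigned, unsigned);

// A transfer function is sound for a witness if the type it predicts from the
// input types includes the type of the actual result.
bool soundFor(Transfer transfer, Op op, int64_t x, int64_t y) {
    unsigned tb = (op == Op::Neg) ? unsigned(TypeNone) : classify(y);
    unsigned predicted = transfer(op, classify(x), tb);
    unsigned actual = classify(apply(op, x, y));
    return (predicted & actual) == actual;
}
```
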
2664 2014-05-01  Geoffrey Garen  <ggaren@apple.com>
2665
2666         JavaScriptCore fails to build with some versions of clang
2667         https://bugs.webkit.org/show_bug.cgi?id=132436
2668
2669         Reviewed by Anders Carlsson.
2670
2671         * runtime/ArgumentsIteratorConstructor.cpp: Since we call
2672         putDirectWithoutTransition, and it calls putWillGrowOutOfLineStorage,
2673         and both are marked inline, it's valid for the compiler to decide
2674         to inline both and emit neither in the binary. Therefore, we need
2675         both inline definitions to be available in the translation unit at
2676         compile time, or we'll try to link against a function that doesn't exist.
2677
2678 2014-05-01  Commit Queue  <commit-queue@webkit.org>
2679
2680         Unreviewed, rolling out r167964.
2681         https://bugs.webkit.org/show_bug.cgi?id=132431
2682
2683         Memory improvements should not regress memory usage (Requested
2684         by olliej on #webkit).
2685
2686         Reverted changeset:
2687
2688         "Don't hold on to parameter BindingNodes forever"
2689         https://bugs.webkit.org/show_bug.cgi?id=132360
2690         http://trac.webkit.org/changeset/167964
2691
2692 2014-05-01  Filip Pizlo  <fpizlo@apple.com>
2693
2694         Fix trivial debug-only race-that-crashes in CallLinkStatus and explain why the remaining races are totally awesome
2695         https://bugs.webkit.org/show_bug.cgi?id=132427
2696
2697         Reviewed by Mark Hahnenberg.
2698
2699         * bytecode/CallLinkStatus.cpp:
2700         (JSC::CallLinkStatus::computeFor):
2701
2702 2014-04-30  Simon Fraser  <simon.fraser@apple.com>
2703
2704         Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO
2705         https://bugs.webkit.org/show_bug.cgi?id=132396
2706
2707         Reviewed by Eric Carlson.
2708
2709         Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO and related code.
2710
2711         * Configurations/FeatureDefines.xcconfig:
2712
2713 2014-04-30  Filip Pizlo  <fpizlo@apple.com>
2714
2715         Argument flush formats should not be presumed to be JSValue since 'this' is weird
2716         https://bugs.webkit.org/show_bug.cgi?id=132404
2717
2718         Reviewed by Michael Saboff.
2719
2720         * dfg/DFGSpeculativeJIT.cpp:
2721         (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Don't assume that arguments are flushed as JSValue. Use the logic for locals instead.
2722         * dfg/DFGSpeculativeJIT32_64.cpp:
2723         (JSC::DFG::SpeculativeJIT::compile): SetArgument "changes" the format because before this we wouldn't know we had arguments.
2724         * dfg/DFGSpeculativeJIT64.cpp:
2725         (JSC::DFG::SpeculativeJIT::compile): Ditto.
2726         * dfg/DFGValueSource.cpp:
2727         (JSC::DFG::ValueSource::dumpInContext): Make this easier to dump.
2728         * dfg/DFGValueSource.h:
2729         (JSC::DFG::ValueSource::operator!): Make this easier to dump because Operands<T> uses T::operator!().
2730         * ftl/FTLOSREntry.cpp:
2731         (JSC::FTL::prepareOSREntry): This had a useful assertion for everything except 'this'.
2732         * tests/stress/strict-to-this-int.js: Added.
2733         (foo):
2734         (Number.prototype.valueOf):
2735         (test):
2736
2737 2014-04-29  Oliver Hunt  <oliver@apple.com>
2738
2739         Don't hold on to parameterBindingNodes forever
2740         https://bugs.webkit.org/show_bug.cgi?id=132360
2741
2742         Reviewed by Geoffrey Garen.
2743
2744         Don't keep the parameter nodes anymore. Instead we store the
2745         original parameter string and reparse whenever we actually
2746         need them. Because we only actually need them for compilation
2747         this only results in a single extra parse.
2748
2749         * bytecode/UnlinkedCodeBlock.cpp:
2750         (JSC::generateFunctionCodeBlock):
2751         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2752         (JSC::UnlinkedFunctionExecutable::visitChildren):
2753         (JSC::UnlinkedFunctionExecutable::finishCreation):
2754         (JSC::UnlinkedFunctionExecutable::paramString):
2755         (JSC::UnlinkedFunctionExecutable::parameters):
2756         (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
2757         * bytecode/UnlinkedCodeBlock.h:
2758         (JSC::UnlinkedFunctionExecutable::create):
2759         (JSC::UnlinkedFunctionExecutable::parameterCount):
2760         (JSC::UnlinkedFunctionExecutable::parameters): Deleted.
2761         (JSC::UnlinkedFunctionExecutable::finishCreation): Deleted.
2762         * parser/ASTBuilder.h:
2763         (JSC::ASTBuilder::ASTBuilder):
2764         (JSC::ASTBuilder::setFunctionBodyParameters):
2765         * parser/Nodes.h:
2766         (JSC::FunctionBodyNode::parametersStartOffset):
2767         (JSC::FunctionBodyNode::parametersEndOffset):
2768         (JSC::FunctionBodyNode::setParameterLocation):
2769         * parser/Parser.cpp:
2770         (JSC::Parser<LexerType>::parseFunctionInfo):
2771         (JSC::parseParameters):
2772         * parser/Parser.h:
2773         (JSC::parse):
2774         * parser/SourceCode.h:
2775         (JSC::SourceCode::subExpression):
2776         * parser/SyntaxChecker.h:
2777         (JSC::SyntaxChecker::setFunctionBodyParameters):
2778
2779 2014-04-29  Mark Hahnenberg  <mhahnenberg@apple.com>
2780
2781         JSProxies should be cacheable
2782         https://bugs.webkit.org/show_bug.cgi?id=132351
2783
2784         Reviewed by Geoffrey Garen.
2785
2786         Whenever we encounter a proxy in an inline cache we should try to cache on the 
2787         proxy's target instead of giving up.
2788
2789         This patch adds support for a simple "recursive" inline cache if the base object
2790         we're accessing is a pure forwarding proxy. JSGlobalObject and its subclasses 
2791         are the only ones to benefit from this right now.
2792
2793         This is performance neutral on the benchmarks we track. Currently we won't
2794         cache on JSDOMWindow due to HasImpureGetOwnPropertySlot, but this issue will be fixed soon.
2795
2796         * jit/Repatch.cpp:
2797         (JSC::generateByIdStub):
2798         (JSC::tryBuildGetByIDList):
2799         (JSC::tryCachePutByID):
2800         (JSC::tryBuildPutByIdList):
2801         * jsc.cpp:
2802         (GlobalObject::finishCreation):
2803         (functionCreateProxy):
2804         * runtime/IntendedStructureChain.cpp:
2805         (JSC::IntendedStructureChain::isNormalized):
2806         * runtime/JSCellInlines.h:
2807         (JSC::JSCell::isProxy):
2808         * runtime/JSGlobalObject.h:
2809         (JSC::JSGlobalObject::finishCreation):
2810         * runtime/JSProxy.h:
2811         (JSC::JSProxy::createStructure):
2812         (JSC::JSProxy::targetOffset):
2813         * runtime/JSType.h:
2814         * runtime/Operations.h:
2815         (JSC::isPrototypeChainNormalized):
2816         * runtime/Structure.h:
2817         (JSC::Structure::isProxy):
2818         * tests/stress/proxy-inline-cache.js: Added.
2819         (cacheOnTarget.getX):
2820         (cacheOnTarget):
2821         (cacheOnPrototypeOfTarget.getX):
2822         (cacheOnPrototypeOfTarget):
2823         (dontCacheOnProxyInPrototypeChain.getX):
2824         (dontCacheOnProxyInPrototypeChain):
2825         (dontCacheOnTargetOfProxyInPrototypeChainOfTarget.getX):
2826         (dontCacheOnTargetOfProxyInPrototypeChainOfTarget):
2827
2828 2014-04-29  Filip Pizlo  <fpizlo@apple.com>
2829
2830         Use LLVM as a backend for the fourth-tier DFG JIT (a.k.a. the FTL JIT)
2831         https://bugs.webkit.org/show_bug.cgi?id=112840
2832
2833         Rubber stamped by Geoffrey Garen.
2834
2835         * Configurations/FeatureDefines.xcconfig:
2836
2837 2014-04-29  Geoffrey Garen  <ggaren@apple.com>
2838
2839         String.prototype.trim removes U+200B from strings.
2840         https://bugs.webkit.org/show_bug.cgi?id=130184
2841
2842         Reviewed by Michael Saboff.
2843
2844         * runtime/StringPrototype.cpp:
2845         (JSC::trimString):
2846         (JSC::isTrimWhitespace): Deleted.
2847
2848 2014-04-29  Mark Lam  <mark.lam@apple.com>
2849
2850         Zombifying sweep should ignore retired blocks.
2851         <https://webkit.org/b/132344>
2852
2853         Reviewed by Mark Hahnenberg.
2854
2855         By definition, retired blocks do not have "dead" objects, or at least
2856         none that we know of yet until the next marking phase has been run
2857         over it.  So, we should not be sweeping them (even for zombie mode).
2858
2859         * heap/Heap.cpp:
2860         (JSC::Heap::zombifyDeadObjects):
2861         * heap/MarkedSpace.cpp:
2862         (JSC::MarkedSpace::zombifySweep):
2863         * heap/MarkedSpace.h:
2864         (JSC::ZombifySweep::operator()):
2865
2866 2014-04-29  Mark Lam  <mark.lam@apple.com>
2867
2868         Fix bit rot in zombie mode heap code.
2869         <https://webkit.org/b/132342>
2870
2871         Reviewed by Mark Hahnenberg.
2872
2873         Need to enter a DelayedReleaseScope before doing a sweep.
2874
2875         * heap/Heap.cpp:
2876         (JSC::Heap::zombifyDeadObjects):
2877
2878 2014-04-29  Tomas Popela  <tpopela@redhat.com>
2879
2880         LLINT loadisFromInstruction doesn't need special case for big endians
2881         https://bugs.webkit.org/show_bug.cgi?id=132330
2882
2883         Reviewed by Mark Lam.
2884
2885         The change introduced in r167076 was wrong. We should not apply the offset
2886         adjustment on loadisFromInstruction usage as the instruction
2887         (UnlinkedInstruction) is declared as a union (i.e. with the int32_t
2888         operand variable). The offset of the other union members will be the
2889         same as the offset of the first one, that is 0. The behavior here is the
2890         same on little and big endian architectures. Thus we don't need
2891         special case for big endians.
2892
2893         * llint/LowLevelInterpreter.asm:
2894
2895 2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>
2896
2897         Simplify tryCacheGetById
2898         https://bugs.webkit.org/show_bug.cgi?id=132314
2899
2900         Reviewed by Oliver Hunt and Filip Pizlo.
2901
2902         This is neutral across all benchmarks we track, although it looks like a wee 0.5% progression on sunspider.
2903
2904         * jit/Repatch.cpp:
2905         (JSC::tryCacheGetByID): If we fail to cache on self, we just repatch to call tryBuildGetByIDList next time.
2906
2907 2014-04-28  Michael Saboff  <msaboff@apple.com>
2908
2909         REGRESSION(r153142) ASSERT from CodeBlock::dumpBytecode dumping String Switch Jump Tables
2910         https://bugs.webkit.org/show_bug.cgi?id=132315
2911
2912         Reviewed by Mark Hahnenberg.
2913
2914         Used the StringImpl version of utf8() instead of creating a String first.
2915
2916         * bytecode/CodeBlock.cpp:
2917         (JSC::CodeBlock::dumpBytecode):
2918
2919 2014-04-28  Filip Pizlo  <fpizlo@apple.com>
2920
2921         The LLInt is awesome and it should get more of the action.
2922
2923         Rubber stamped by Geoffrey Garen.
2924         
2925         5% speed-up on JSBench and no meaningful regressions.  Should be a PLT/DYE speed-up also.
2926
2927         * runtime/Options.h:
2928
2929 2014-04-27  Filip Pizlo  <fpizlo@apple.com>
2930
2931         GC should be able to remove things from the DFG worklist and cancel on-going compilations if it knows that the compilation would already be invalidated
2932         https://bugs.webkit.org/show_bug.cgi?id=132166
2933
2934         Reviewed by Oliver Hunt and Mark Hahnenberg.
2935         
2936         The GC can aid type inference by removing structures that are dead and jettisoning
2937         code that relies on those structures. This can dramatically accelerate type inference
2938         for some tricky programs.
2939         
2940         Unfortunately, we previously pinned any structures that enqueued compilations depended
2941         on. This means that if you're on a machine that only runs a single compilation thread
2942         and where compilations are relatively slow, you have a high chance of large numbers of
2943         structures being pinned during any GC since the compilation queue is likely to be full
2944         of random stuff.
2945         
2946         This comprehensively fixes this issue by allowing the GC to remove compilation plans
2947         if the things they depend on are dead, and to even cancel safepointed compilations.
2948         
2949         * bytecode/CodeBlock.cpp:
2950         (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
2951         (JSC::CodeBlock::isKnownToBeLiveDuringGC):
2952         (JSC::CodeBlock::finalizeUnconditionally):
2953         * bytecode/CodeBlock.h:
2954         (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan): Deleted.
2955         * dfg/DFGDesiredIdentifiers.cpp:
2956         (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
2957         * dfg/DFGDesiredIdentifiers.h:
2958         * dfg/DFGDesiredWatchpoints.h:
2959         * dfg/DFGDesiredWeakReferences.cpp:
2960         (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
2961         * dfg/DFGDesiredWeakReferences.h:
2962         * dfg/DFGGraphSafepoint.cpp:
2963         (JSC::DFG::GraphSafepoint::GraphSafepoint):
2964         * dfg/DFGGraphSafepoint.h:
2965         * dfg/DFGPlan.cpp:
2966         (JSC::DFG::Plan::Plan):
2967         (JSC::DFG::Plan::compileInThread):
2968         (JSC::DFG::Plan::compileInThreadImpl):
2969         (JSC::DFG::Plan::notifyCompiling):
2970         (JSC::DFG::Plan::notifyCompiled):
2971         (JSC::DFG::Plan::notifyReady):
2972         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
2973         (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
2974         (JSC::DFG::Plan::cancel):
2975         (JSC::DFG::Plan::visitChildren): Deleted.
2976         * dfg/DFGPlan.h:
2977         * dfg/DFGSafepoint.cpp:
2978         (JSC::DFG::Safepoint::Result::~Result):
2979         (JSC::DFG::Safepoint::Result::didGetCancelled):
2980         (JSC::DFG::Safepoint::Safepoint):
2981         (JSC::DFG::Safepoint::~Safepoint):
2982         (JSC::DFG::Safepoint::checkLivenessAndVisitChildren):
2983         (JSC::DFG::Safepoint::isKnownToBeLiveDuringGC):
2984         (JSC::DFG::Safepoint::cancel):
2985         (JSC::DFG::Safepoint::visitChildren): Deleted.
2986         * dfg/DFGSafepoint.h:
2987         (JSC::DFG::Safepoint::Result::Result):
2988         * dfg/DFGWorklist.cpp:
2989         (JSC::DFG::Worklist::compilationState):
2990         (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
2991         (JSC::DFG::Worklist::removeAllReadyPlansForVM):
2992         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
2993         (JSC::DFG::Worklist::visitWeakReferences):
2994         (JSC::DFG::Worklist::removeDeadPlans):
2995         (JSC::DFG::Worklist::runThread):
2996         (JSC::DFG::Worklist::visitChildren): Deleted.
2997         * dfg/DFGWorklist.h:
2998         * ftl/FTLCompile.cpp:
2999         (JSC::FTL::compile):
3000         * ftl/FTLCompile.h:
3001         * heap/CodeBlockSet.cpp:
3002         (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
3003         * heap/Heap.cpp:
3004         (JSC::Heap::markRoots):
3005         (JSC::Heap::visitCompilerWorklistWeakReferences):
3006         (JSC::Heap::removeDeadCompilerWorklistEntries):
3007         (JSC::Heap::visitWeakHandles):
3008         (JSC::Heap::collect):
3009         (JSC::Heap::visitCompilerWorklists): Deleted.
3010         * heap/Heap.h:
3011
3012 2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>
3013
3014         Deleting properties poisons objects
3015         https://bugs.webkit.org/show_bug.cgi?id=131551
3016
3017         Reviewed by Oliver Hunt.
3018
3019         This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.
3020
3021         * runtime/JSPropertyNameIterator.cpp:
3022         (JSC::JSPropertyNameIterator::create):
3023         * runtime/PropertyMapHashTable.h:
3024         (JSC::PropertyTable::hasDeletedOffset):
3025         (JSC::PropertyTable::hadDeletedOffset): If we ever had deleted properties we can no longer cache offsets when 
3026         iterating properties because we're required to iterate properties in insertion order.
3027         * runtime/Structure.cpp:
3028         (JSC::Structure::Structure):
3029         (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
3030         (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of 
3031         Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache 
3032         delete transitions, but we allow transitioning from them.
3033         (JSC::Structure::changePrototypeTransition):
3034         (JSC::Structure::despecifyFunctionTransition):
3035         (JSC::Structure::attributeChangeTransition):
3036         (JSC::Structure::toDictionaryTransition):
3037         (JSC::Structure::preventExtensionsTransition):
3038         (JSC::Structure::addPropertyWithoutTransition):
3039         (JSC::Structure::removePropertyWithoutTransition):
3040         (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
3041         (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
3042         * runtime/Structure.h:
3043         * runtime/StructureInlines.h:
3044         (JSC::Structure::setEnumerationCache):
3045         (JSC::Structure::hadDeletedOffsets):
3046         (JSC::Structure::propertyTable):
3047         (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
3048         * tests/stress/for-in-after-delete.js: Added.
3049         (foo):
3050
3051 2014-04-25  Andreas Kling  <akling@apple.com>
3052
3053         Inline (C++) GetByVal with numeric indices more aggressively.
3054         <https://webkit.org/b/132218>
3055
3056         We were already inlining the string indexed GetByVal path pretty well,
3057         while the path for numeric indices got neglected. No more!
3058
3059         ~9.5% improvement on Dromaeo/dom-traverse.html on my MBP:
3060
3061             Before: 199.50 runs/s
3062              After: 218.58 runs/s
3063
3064         Reviewed by Phil Pizlo.
3065
3066         * dfg/DFGOperations.cpp:
3067         * runtime/JSCJSValueInlines.h:
3068         (JSC::JSValue::get):
3069
3070             ALWAYS_INLINE all the things.
3071
3072         * runtime/JSObject.h:
3073         (JSC::JSObject::getPropertySlot):
3074
3075             Avoid fetching the Structure more than once. We have the same
3076             optimization in the string-indexed code path.
3077
3078 2014-04-25  Oliver Hunt  <oliver@apple.com>
3079
3080         Need earlier cell test
3081         https://bugs.webkit.org/show_bug.cgi?id=132211
3082
3083         Reviewed by Mark Lam.
3084
3085         Move cell test to before the function call repatch
3086         location, as the repatch logic for 32bit assumes that the
3087         caller will already have performed a cell check.
3088
3089         * jit/JITCall32_64.cpp:
3090         (JSC::JIT::compileOpCall):
3091
3092 2014-04-25  Andreas Kling  <akling@apple.com>
3093
3094         Un-fast-allocate JSGlobalObjectRareData because Windows doesn't build and I'm not in the mood.
3095
3096         * runtime/JSGlobalObject.h:
3097         (JSC::JSGlobalObject::JSGlobalObjectRareData::JSGlobalObjectRareData):
3098         (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData): Deleted.
3099
3100 2014-04-25  Andreas Kling  <akling@apple.com>
3101
3102         Windows build fix attempt.
3103
3104         * runtime/JSGlobalObject.h:
3105         (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData):
3106
3107 2014-04-25  Mark Lam  <mark.lam@apple.com>
3108
3109         Refactor debugging code to use BreakpointActions instead of Vector<ScriptBreakpointAction>.
3110         <https://webkit.org/b/132201>
3111
3112         Reviewed by Joseph Pecoraro.
3113
3114         BreakpointActions is Vector<ScriptBreakpointAction>.  Let's just consistently use
3115         BreakpointActions everywhere.
3116
3117         * inspector/ScriptBreakpoint.h:
3118         (Inspector::ScriptBreakpoint::ScriptBreakpoint):
3119         * inspector/ScriptDebugServer.cpp:
3120         (Inspector::ScriptDebugServer::setBreakpoint):
3121         (Inspector::ScriptDebugServer::getActionsForBreakpoint):
3122         * inspector/ScriptDebugServer.h:
3123         * inspector/agents/InspectorDebuggerAgent.cpp:
3124         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
3125         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
3126         (Inspector::InspectorDebuggerAgent::setBreakpoint):
3127         (Inspector::InspectorDebuggerAgent::removeBreakpoint):
3128         * inspector/agents/InspectorDebuggerAgent.h:
3129
3130 2014-04-24  Filip Pizlo  <fpizlo@apple.com>
3131
3132         DFG worklist scanning should not treat the key as a separate entity
3133         https://bugs.webkit.org/show_bug.cgi?id=132167
3134
3135         Reviewed by Mark Hahnenberg.
3136         
3137         This simplifies the interface to the GC and will enable more optimizations.
3138
3139         * dfg/DFGCompilationKey.cpp:
3140         (JSC::DFG::CompilationKey::visitChildren): Deleted.
3141         * dfg/DFGCompilationKey.h:
3142         * dfg/DFGPlan.cpp:
3143         (JSC::DFG::Plan::visitChildren):
3144         * dfg/DFGWorklist.cpp:
3145         (JSC::DFG::Worklist::visitChildren):
3146
3147 2014-04-25  Oliver Hunt  <oliver@apple.com>
3148
3149         Remove unused parameter from codeblock linking function
3150         https://bugs.webkit.org/show_bug.cgi?id=132199
3151
3152         Reviewed by Anders Carlsson.
3153
3154         No change in behaviour. This is just a small change to make it
3155         slightly easier to reason about what the offsets in UnlinkedFunctionExecutable
3156         actually mean.
3157
3158         * bytecode/UnlinkedCodeBlock.cpp:
3159         (JSC::UnlinkedFunctionExecutable::link):
3160         * bytecode/UnlinkedCodeBlock.h:
3161         * runtime/Executable.cpp:
3162         (JSC::ProgramExecutable::initializeGlobalProperties):
3163
3164 2014-04-25  Andreas Kling  <akling@apple.com>
3165
3166         Mark some things with WTF_MAKE_FAST_ALLOCATED.
3167         <https://webkit.org/b/132198>
3168
3169         Use FastMalloc for more things.
3170
3171         Reviewed by Anders Carlsson.
3172
3173         * builtins/BuiltinExecutables.h:
3174         * heap/GCThreadSharedData.h:
3175         * inspector/JSConsoleClient.h:
3176         * inspector/agents/InspectorAgent.h:
3177         * runtime/CodeCache.h:
3178         * runtime/JSGlobalObject.h:
3179         * runtime/Lookup.cpp:
3180         (JSC::HashTable::createTable):
3181         (JSC::HashTable::deleteTable):
3182         * runtime/WeakGCMap.h:
3183
3184 2014-04-25  Antoine Quint  <graouts@webkit.org>
3185
3186         Implement Array.prototype.find()
3187         https://bugs.webkit.org/show_bug.cgi?id=130966
3188
3189         Reviewed by Oliver Hunt.
3190
3191         Implement Array.prototype.find() and Array.prototype.findIndex() as proposed in the Harmony spec.
3192
3193         * builtins/Array.prototype.js:
3194         (find):
3195         (findIndex):
3196         * runtime/ArrayPrototype.cpp:
3197
3198 2014-04-24  Brady Eidson  <beidson@apple.com>
3199
3200         Rename "IMAGE_CONTROLS" feature to "SERVICE_CONTROLS"
3201         https://bugs.webkit.org/show_bug.cgi?id=132155
3202
3203         Reviewed by Tim Horton.
3204
3205         * Configurations/FeatureDefines.xcconfig:
3206
3207 2014-04-24  Michael Saboff  <msaboff@apple.com>
3208
3209         REGRESSION: Apparent hang of PCE.js Mac OS System 7.0.1 on ARM64 devices
3210         https://bugs.webkit.org/show_bug.cgi?id=132147
3211
3212         Reviewed by Mark Lam.
3213
3214         Fixed or64(), eor32() and eor64() to use "src" register when we have a valid logicalImm.
3215
3216         * assembler/MacroAssemblerARM64.h:
3217         (JSC::MacroAssemblerARM64::or64):
3218         (JSC::MacroAssemblerARM64::xor32):
3219         (JSC::MacroAssemblerARM64::xor64):
3220         * tests/stress/regress-132147.js: Added test.
3221
3222 2014-04-24  Mark Lam  <mark.lam@apple.com>
3223
3224         Make slowPathAllocsBetweenGCs a runtime option.
3225         <https://webkit.org/b/132137>
3226
3227         Reviewed by Mark Hahnenberg.
3228
3229         This will make it easier to more casually run tests with this configuration
3230         as well as to reproduce issues (instead of requiring a code mod and rebuild).
3231         We will now take --slowPathAllocsBetweenGCs=N where N is the number of
3232         slow path allocations before we trigger a collection.
3233
3234         The option defaults to 0, which is reserved to mean that we will not trigger
3235         any collections there.
3236
3237         * heap/Heap.h:
3238         * heap/MarkedAllocator.cpp:
3239         (JSC::MarkedAllocator::doTestCollectionsIfNeeded):
3240         (JSC::MarkedAllocator::allocateSlowCase):
3241         * heap/MarkedAllocator.h:
3242         * runtime/Options.h:
3243
3244 2014-04-23  Mark Lam  <mark.lam@apple.com>
3245
3246         The GC should only resume compiler threads that it suspended in the same GC pass.
3247         <https://webkit.org/b/132088>
3248
3249         Reviewed by Mark Hahnenberg.
3250
3251         Previously, this scenario could occur:
3252         1. Thread 1 starts a GC and tries to suspend DFG worklist threads.  However,
3253            no worklists were created yet at that time.
3254         2. Thread 2 starts to compile some functions and creates a DFG worklist, and
3255            acquires the worklist thread's lock.
3256         3. Thread 1's GC completes and tries to resume the suspended DFG worklist threads.
3257            This time, it sees the worklist created by Thread 2 and ends up unlocking
3258            the worklist thread's lock that is supposedly held by Thread 2.
3259         Thereafter, chaos ensues.
3260
3261         The fix is to cache the worklists that were actually suspended by each GC pass,
3262         and only resume those when the GC is done.
3263
3264         This issue was discovered by enabling COLLECT_ON_EVERY_ALLOCATION and running
3265         the fast/workers layout tests.
3266
3267         * heap/Heap.cpp:
3268         (JSC::Heap::visitCompilerWorklists):
3269         (JSC::Heap::deleteAllCompiledCode):
3270         (JSC::Heap::suspendCompilerThreads):
3271         (JSC::Heap::resumeCompilerThreads):
3272         * heap/Heap.h:
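
        The suspend/resume pattern this entry fixes, as an added example that is not JavaScriptCore's code: a GC pass records exactly which worklists it suspended and resumes only those, beside the previous behaviour that walked every worklist existing at the end of the GC. Only the names Worklist, m_lock, suspendCompilerThreads and resumeCompilerThreads come from the entry; OwnedLock, VM, BuggyHeap, FixedHeap, the owner tokens and the plan vector are constructed for illustration. OwnedLock refuses a release by a non-owner and reports it, where unlocking a bare std::mutex held by another thread would be undefined behaviour.

```cpp
#include <memory>
#include <mutex>
#include <vector>

// Lock that records which logical owner (a GC pass or a compiler thread, identified by a
// small integer token constructed for this example) holds it. A release by anyone but the
// owner is refused and reported; unlocking a bare std::mutex you do not hold is undefined
// behaviour, which is the "chaos" the entry describes.
class OwnedLock {
public:
    void acquire(int owner) {
        m_mutex.lock();
        m_owner = owner;
    }
    bool release(int owner) {
        if (m_owner != owner)
            return false; // not ours to unlock
        m_owner = 0;
        m_mutex.unlock();
        return true;
    }
    int owner() const { return m_owner; }
private:
    std::mutex m_mutex;
    int m_owner = 0; // 0: nobody holds the lock
};

// Stand-in for DFG::Worklist: compilation plans guarded by m_lock.
struct Worklist {
    OwnedLock m_lock;
    std::vector<int> m_plans; // constructed stand-in for DFG::Plan entries
};

// Registry of every worklist that exists in the VM (constructed for the example).
struct VM {
    std::vector<std::unique_ptr<Worklist>> worklists;
    Worklist& createWorklist() {
        worklists.push_back(std::make_unique<Worklist>());
        return *worklists.back();
    }
};

constexpr int kGCPassToken = 1;
constexpr int kCompilerThreadToken = 2;

// Previous behaviour: resume walks every worklist that exists when the GC ends,
// including one created and locked by a compiler thread mid-GC.
struct BuggyHeap {
    VM& vm;
    void suspendCompilerThreads() {
        for (auto& w : vm.worklists)
            w->m_lock.acquire(kGCPassToken);
    }
    bool resumeCompilerThreads() {
        bool ok = true;
        for (auto& w : vm.worklists)
            ok = w->m_lock.release(kGCPassToken) && ok;
        return ok;
    }
};

// The fix: remember exactly which worklists this GC pass suspended and resume only those.
struct FixedHeap {
    VM& vm;
    std::vector<Worklist*> m_suspendedWorklists;
    void suspendCompilerThreads() {
        for (auto& w : vm.worklists) {
            w->m_lock.acquire(kGCPassToken);
            m_suspendedWorklists.push_back(w.get());
        }
    }
    bool resumeCompilerThreads() {
        bool ok = true;
        for (Worklist* w : m_suspendedWorklists)
            ok = w->m_lock.release(kGCPassToken) && ok;
        m_suspendedWorklists.clear();
        return ok;
    }
};

// Replays the entry's three steps on one thread. True when resume released only the GC's
// own locks and the compiler thread still holds the lock it took mid-GC.
template <typename Heap>
bool resumeTouchesOnlyOwnLocks() {
    VM vm;
    vm.createWorklist();                                   // exists before the GC starts
    Heap heap { vm };
    heap.suspendCompilerThreads();                         // 1. GC suspends what exists now
    Worklist& late = vm.createWorklist();                  // 2. compiler thread creates a worklist
    late.m_lock.acquire(kCompilerThreadToken);             //    and holds its lock while compiling
    bool releasedOnlyOurs = heap.resumeCompilerThreads();  // 3. GC completes and resumes
    bool compilerStillHolds = late.m_lock.owner() == kCompilerThreadToken;
    late.m_lock.release(kCompilerThreadToken);             // compiler thread finishes normally
    return releasedOnlyOurs && compilerStillHolds;
}

bool fixedHeapResumesOnlyItsOwn() { return resumeTouchesOnlyOwnLocks<FixedHeap>(); }
bool buggyHeapResumesOnlyItsOwn() { return resumeTouchesOnlyOwnLocks<BuggyHeap>(); }
```

        The scenario is replayed on a single thread because the defect is one of bookkeeping, not timing: whatever interleaving produces it, the resume path must never touch a lock the same pass did not take, and the recorded list (or, equivalently, a vector of RAII lock guards) is what guarantees that.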
3273
3274 2014-04-23  Mark Hahnenberg  <mhahnenberg@apple.com>
3275
3276         Arguments::copyBackingStore needs to update m_registers in tandem with m_registerArray
3277         https://bugs.webkit.org/show_bug.cgi?id=132079
3278
3279         Reviewed by Michael Saboff.
3280
3281         Since we're moving the register backing store, we don't want to leave a dangling pointer into a random CopiedBlock.
3282
3283         Also added a test that previously triggered this bug.
3284
3285         * runtime/Arguments.cpp:
3286         (JSC::Arguments::copyBackingStore): D'oh!
3287         * tests/stress/arguments-copy-register-array-backing-store.js: Added.
3288         (foo):
3289         (bar):
3290
3291 2014-04-23  Mark Rowe  <mrowe@apple.com>
3292
3293         [Mac] REGRESSION (r164823): Building JavaScriptCore creates files under /tmp/JavaScriptCore.dst
3294         <https://webkit.org/b/132053>
3295
3296         Reviewed by Dan Bernstein.
3297
3298         * JavaScriptCore.xcodeproj/project.pbxproj: Don't try to create a symlink at /usr/local/bin/jsc inside
3299         the DSTROOT unless we're building to the deployment location. Also remove the unnecessary -x argument
3300         from /bin/sh since that generates unnecessary output.
3301
3302 2014-04-22  Mark Lam  <mark.lam@apple.com>
3303
3304         DFG::Worklist should acquire the m_lock before iterating DFG plans.
3305         <https://webkit.org/b/132032>
3306
3307         Reviewed by Filip Pizlo.
3308
3309         Currently, there's a rightToRun mechanism that ensures that no compilation
3310         threads are running when the GC is iterating through the DFG worklists.
3311         However, this does not prevent a Worker thread from doing a DFG compilation
3312         and modifying the plans in the worklists thereby invalidating the plan
3313         iterator that the GC is using.  This patch fixes the issue by acquiring
3314         the worklist m_lock before iterating the worklist plans.
3315
3316         This issue was uncovered by running the fast/workers layout tests with
3317         COLLECT_ON_EVERY_ALLOCATION enabled.
3318
3319         * dfg/DFGWorklist.cpp:
3320         (JSC::DFG::Worklist::isActiveForVM):
3321         (JSC::DFG::Worklist::visitChildren):
3322
3323 2014-04-22  Brent Fulgham  <bfulgham@apple.com>
3324
3325         [Win] Support Python 2.7 in Cygwin
3326         https://bugs.webkit.org/show_bug.cgi?id=132023
3327
3328         Reviewed by Michael Saboff.
3329
3330         * DerivedSources.make: Use a conditional variable to define
3331         the path to Python/Perl.
3332
3333 2014-04-22  Filip Pizlo  <fpizlo@apple.com>
3334
3335         Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS
3336         https://bugs.webkit.org/show_bug.cgi?id=130867
3337         <rdar://problem/16432456> 
3338
3339         Reviewed by Mark Hahnenberg.
3340
3341         * Configurations/Base.xcconfig:
3342         * Configurations/LLVMForJSC.xcconfig:
3343
3344 2014-04-22  Alex Christensen  <achristensen@webkit.org>
3345
3346         [Win] Unreviewed build fix after my r167666.
3347
3348         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
3349         Added ../../../ again to include headers in Source/JavaScriptCore.
3350
3351 2014-04-22  Alex Christensen  <achristensen@webkit.org>
3352
3353         Removed old stdbool and inttypes headers.
3354         https://bugs.webkit.org/show_bug.cgi?id=131966
3355
3356         Reviewed by Brent Fulgham.
3357
3358         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
3359         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
3360         Removed references to os-win32 directory.
3361         * os-win32: Removed.
3362         * os-win32/inttypes.h: Removed.
3363         * os-win32/stdbool.h: Removed.
3364
3365 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
3366
3367         DFG::clobberize() should honestly admit that profiler and debugger nodes are effectful
3368         https://bugs.webkit.org/show_bug.cgi?id=131971
3369         <rdar://problem/16676511>
3370
3371         Reviewed by Mark Lam.
3372
3373         * dfg/DFGClobberize.h:
3374         (JSC::DFG::clobberize):
3375
3376 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
3377
3378         Switch statements that skip the baseline JIT should work
3379         https://bugs.webkit.org/show_bug.cgi?id=131965
3380
3381         Reviewed by Mark Hahnenberg.
3382
3383         * bytecode/JumpTable.h:
3384         (JSC::SimpleJumpTable::ensureCTITable):
3385         * dfg/DFGSpeculativeJIT.cpp:
3386         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
3387         * jit/JITOpcodes.cpp:
3388         (JSC::JIT::emit_op_switch_imm):
3389         (JSC::JIT::emit_op_switch_char):
3390         * jit/JITOpcodes32_64.cpp:
3391         (JSC::JIT::emit_op_switch_imm):
3392         (JSC::JIT::emit_op_switch_char):
3393         * tests/stress/inline-llint-with-switch.js: Added.
3394         (foo):
3395         (bar):
3396         (test):
3397
3398 2014-04-21  Mark Hahnenberg  <mhahnenberg@apple.com>
3399
3400         Arguments objects shouldn't need a destructor
3401         https://bugs.webkit.org/show_bug.cgi?id=131899
3402
3403         Reviewed by Oliver Hunt.
3404
3405         This patch rids Arguments objects of their destructors. It does this by 
3406         switching their backing stores to use CopiedSpace rather than malloc memory.
3407
3408         * dfg/DFGSpeculativeJIT.cpp:
3409         (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Fix the code emitted for inline
3410         Arguments allocation so that it only emits an extra write for strict mode code rather
3411         than unconditionally.
3412         * heap/CopyToken.h: New CopyTokens for the two different types of Arguments backing stores.
3413         * runtime/Arguments.cpp:
3414         (JSC::Arguments::visitChildren): We need to tell the collector to copy the backing stores now.
3415         (JSC::Arguments::copyBackingStore): Do the actual copying of the backing stores.
3416         (JSC::Arguments::deletePropertyByIndex): Update all the accesses to SlowArgumentData and m_registerArray.
3417         (JSC::Arguments::deleteProperty):
3418         (JSC::Arguments::defineOwnProperty):
3419         (JSC::Arguments::allocateRegisterArray):
3420         (JSC::Arguments::tearOff):
3421         (JSC::Arguments::destroy): Deleted. We don't need the destructor any more.
3422         * runtime/Arguments.h:
3423         (JSC::Arguments::registerArraySizeInBytes):
3424         (JSC::Arguments::SlowArgumentData::SlowArgumentData): Switch SlowArgumentData to being allocated
3425         in CopiedSpace. Now the SlowArgumentData and its backing store are a single contiguous CopiedSpace
3426         allocation.
3427         (JSC::Arguments::SlowArgumentData::slowArguments):
3428         (JSC::Arguments::SlowArgumentData::bytecodeToMachineCaptureOffset):
3429         (JSC::Arguments::SlowArgumentData::setBytecodeToMachineCaptureOffset):
3430         (JSC::Arguments::SlowArgumentData::sizeForNumArguments):
3431         (JSC::Arguments::Arguments):
3432         (JSC::Arguments::allocateSlowArguments):
3433         (JSC::Arguments::tryDeleteArgument):
3434         (JSC::Arguments::isDeletedArgument):
3435         (JSC::Arguments::isArgument):
3436         (JSC::Arguments::argument):
3437         (JSC::Arguments::finishCreation):
3438         * runtime/SymbolTable.h:
3439
3440 2014-04-21  Eric Carlson  <eric.carlson@apple.com>