5b35b941fe059f6265b22cb6585fe7b3d90a4988
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-02-25  Benjamin Poulain  <benjamin@webkit.org>

        Make ParserError immutable by design
        https://bugs.webkit.org/show_bug.cgi?id=141955

        Reviewed by Geoffrey Garen.

        This patch enforces that no field of ParserError can
        be modified after the constructor.

        * parser/ParserError.h:
        Move the attributes to pack the integer + 2 bytes together.
        This is irrelevant for memory impact, it is to remove a load-store
        when copying by value.

        Also move the attributes to be private.

        (JSC::ParserError::isValid):
        No client of the interface cared about the type of the error,
        the only information needed was: is there an error.

        (JSC::ParserError::ParserError):
        (JSC::ParserError::syntaxErrorType):
        (JSC::ParserError::token):
        (JSC::ParserError::message):
        (JSC::ParserError::line):
        (JSC::ParserError::toErrorObject):
        * API/JSScriptRef.cpp:
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
        (JSC::UnlinkedFunctionExecutable::codeBlockFor):
        * bytecode/UnlinkedCodeBlock.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::parse):
        * jsc.cpp:
        (runInteractive):
        * parser/Parser.h:
        (JSC::parse):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CodeCache.h:
        * runtime/Completion.h:
        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::checkSyntax):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createProgramCodeBlock):
        (JSC::JSGlobalObject::createEvalCodeBlock):

2015-02-25  Filip Pizlo  <fpizlo@apple.com>

        Need to pass RTLD_DEEPBIND to dlopen() to ensure that our LLVMOverrides take effect on Linux
        https://bugs.webkit.org/show_bug.cgi?id=142006

        Reviewed by Csaba Osztrogonác.

        This fixes hard-to-reproduce concurrency-related crashes when running stress tests with FTL and
        concurrent JIT enabled.

        * llvm/InitializeLLVMPOSIX.cpp:
        (JSC::initializeLLVMPOSIX):

2015-02-24  Filip Pizlo  <fpizlo@apple.com>

        CMake build of libllvmForJSC.so should limit its export list like the Xcode build does
        https://bugs.webkit.org/show_bug.cgi?id=141989

        Reviewed by Gyuyoung Kim.

        * CMakeLists.txt:
        * llvm/library/libllvmForJSC.version: Added.

2015-02-24  Alexey Proskuryakov  <ap@apple.com>

        More iOS build fix after r180602.

        * heap/Heap.h: Export Heap::machineThreads().

2015-02-24  Brent Fulgham  <bfulgham@apple.com>

        Unreviewed build fix after r180602.

        * heap/MachineStackMarker.h: Add missing 'no return'
        declaration for Windows.

2015-02-24  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r180599.
        https://bugs.webkit.org/show_bug.cgi?id=141998

        Lots of new test failures (Requested by smfr on #webkit).

        Reverted changeset:

        "Parsing support for -webkit-trailing-word"
        https://bugs.webkit.org/show_bug.cgi?id=141939
        http://trac.webkit.org/changeset/180599

2015-02-24  Mark Lam  <mark.lam@apple.com>

        MachineThreads::Thread clean up has a use after free race condition.
        <https://webkit.org/b/141990>

        Reviewed by Michael Saboff.

        MachineThreads::Thread clean up relies on the clean up mechanism
        implemented in _pthread_tsd_cleanup_key(), which looks like this:

        void _pthread_tsd_cleanup_key(pthread_t self, pthread_key_t key)
        {
            void (*destructor)(void *);
            if (_pthread_key_get_destructor(key, &destructor)) {
                void **ptr = &self->tsd[key];
                void *value = *ptr;

                // At this point, this thread has cached "destructor" and "value"
                // (which is a MachineThreads*).  If the VM gets destructed (along
                // with its MachineThreads registry) by another thread, then this
                // thread will have no way of knowing that the MachineThreads* is
                // now pointing to freed memory.  Calling the destructor below will
                // therefore result in a use after free scenario when it tries to
                // access the MachineThreads' data members.

                if (value) {
                    *ptr = NULL;
                    if (destructor) {
                        destructor(value);
                    }
                }
            }
        }

        The solution is simply to change MachineThreads from a per VM thread
        registry to a process global singleton thread registry i.e. the
        MachineThreads registry is now immortal and we cannot have a use after
        free scenario since we never free it.

        The cost of this change is that all VM instances will have to scan
        stacks of all threads ever touched by a VM, and not just those that
        touched a specific VM.  However, stacks tend to be shallow.  Hence,
        those additional scans will tend to be cheap.

        Secondly, it is not common for there to be multiple JSC VMs in use
        concurrently on multiple threads.  Hence, this cost should rarely
        manifest in real world applications.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::machineThreads):
        (JSC::Heap::gatherStackRoots):
        * heap/Heap.h:
        (JSC::Heap::machineThreads): Deleted.
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThreads):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::addCurrentThread):
        * heap/MachineStackMarker.h:
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
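
The race described in the entry above comes from a thread-specific-data (TSD) destructor dereferencing a registry that another thread may already have freed. The following is an added illustration, written for this page and not taken from WebKit, of the pattern the fix adopts: a process-global registry that is allocated once and never freed, so the destructor pthread runs on the exiting thread can always dereference it safely. Everything in it (Registry, ThreadNode, registry(), registerCurrentThread(), spawnAndJoin(), registryLifecycleIsClean()) is a hypothetical name chosen for the example; only the pthread calls are real.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdlib.h>

/* Hypothetical immortal thread registry (illustration, not JSC's
 * MachineThreads). Created once via pthread_once and never freed, so the
 * TSD destructor below can dereference it no matter which thread runs it. */
typedef struct ThreadNode {
    pthread_t handle;
    struct ThreadNode* next;
} ThreadNode;

typedef struct {
    pthread_mutex_t lock;
    pthread_key_t key;   /* this key's destructor unregisters the thread */
    ThreadNode* head;
    size_t count;
} Registry;

static Registry* g_registry;  /* process-global singleton, never freed */
static pthread_once_t g_once = PTHREAD_ONCE_INIT;

static void unregisterThread(void* value);

static void createRegistry(void)
{
    g_registry = calloc(1, sizeof(Registry));
    pthread_mutex_init(&g_registry->lock, NULL);
    pthread_key_create(&g_registry->key, unregisterThread);
}

static Registry* registry(void)
{
    pthread_once(&g_once, createRegistry);
    return g_registry;
}

/* TSD destructor: pthread calls it on the exiting thread with the value that
 * thread stored via pthread_setspecific. It reaches the registry through
 * registry(), which cannot dangle because nothing ever frees it. */
static void unregisterThread(void* value)
{
    ThreadNode* node = value;
    Registry* r = registry();
    pthread_mutex_lock(&r->lock);
    for (ThreadNode** link = &r->head; *link; link = &(*link)->next) {
        if (*link == node) {
            *link = node->next;
            r->count--;
            break;
        }
    }
    pthread_mutex_unlock(&r->lock);
    free(node);
}

/* Registers the calling thread once. The non-NULL TSD value is what makes
 * pthread run unregisterThread when this thread exits. */
void registerCurrentThread(void)
{
    Registry* r = registry();
    if (pthread_getspecific(r->key))
        return;
    ThreadNode* node = calloc(1, sizeof(ThreadNode));
    node->handle = pthread_self();
    pthread_mutex_lock(&r->lock);
    node->next = r->head;
    r->head = node;
    r->count++;
    pthread_mutex_unlock(&r->lock);
    pthread_setspecific(r->key, node);
}

size_t registeredThreadCount(void)
{
    Registry* r = registry();
    pthread_mutex_lock(&r->lock);
    size_t n = r->count;
    pthread_mutex_unlock(&r->lock);
    return n;
}

/* Two barriers let the spawner observe the registry while every worker is
 * alive, then release the workers so their destructors run. */
typedef struct { pthread_barrier_t registered, release; } Gate;

static void* workerMain(void* arg)
{
    Gate* gate = arg;
    registerCurrentThread();
    registerCurrentThread();   /* second call is a no-op */
    pthread_barrier_wait(&gate->registered);
    pthread_barrier_wait(&gate->release);
    return NULL;               /* thread exit runs unregisterThread */
}

/* Spawns n workers (n <= 64), stores how many are registered while all are
 * alive in *liveWhileRunning, joins them, and returns the count afterwards. */
size_t spawnAndJoin(int n, size_t* liveWhileRunning)
{
    pthread_t threads[64];
    Gate gate;
    if (n > 64)
        n = 64;
    pthread_barrier_init(&gate.registered, NULL, (unsigned)n + 1);
    pthread_barrier_init(&gate.release, NULL, (unsigned)n + 1);
    for (int i = 0; i < n; i++)
        pthread_create(&threads[i], NULL, workerMain, &gate);
    pthread_barrier_wait(&gate.registered);   /* all workers registered */
    *liveWhileRunning = registeredThreadCount();
    pthread_barrier_wait(&gate.release);
    for (int i = 0; i < n; i++)
        pthread_join(threads[i], NULL);       /* destructors have run */
    pthread_barrier_destroy(&gate.registered);
    pthread_barrier_destroy(&gate.release);
    return registeredThreadCount();
}

/* 1 if all n workers were visible while alive and none remain after join. */
int registryLifecycleIsClean(int n)
{
    size_t live = 0;
    size_t after = spawnAndJoin(n, &live);
    return live == (size_t)n && after == 0;
}
```

The point of the design is the same as in the entry: the destructor never holds a pointer that another thread's teardown could invalidate, because the only shared object it touches lives for the whole process. The cost is the one the entry names, a registry that accumulates every thread that ever registered until that thread exits, rather than per-owner lists that can be torn down independently.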

2015-02-24  Myles C. Maxfield  <mmaxfield@apple.com>

        [Mac] [iOS] Parsing support for -apple-trailing-word
        https://bugs.webkit.org/show_bug.cgi?id=141939

        Reviewed by Andreas Kling.

        * Configurations/FeatureDefines.xcconfig:

2015-02-24  Ryosuke Niwa  <rniwa@webkit.org>

        Use "this" instead of "callee" to get the constructor
        https://bugs.webkit.org/show_bug.cgi?id=141019

        Reviewed by Filip Pizlo.

        This patch uses the "this" register to pass the constructor (newTarget) to op_create_this from
        op_construct or op_construct_varargs. This will allow future patches that implement ES6 class
        to pass in the most derived class' constructor through the "this" argument.

        BytecodeGenerator's emitConstruct and emitConstructVarargs now pass thisRegister like
        regular calls, and emitCreateThis passes in this register to op_create_this as the constructor.

        The rest of the code change removes the code for special-casing the "this" register not being used
        in a call to construct.

        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCreateThis):
        (JSC::BytecodeGenerator::emitConstructVarargs):
        (JSC::BytecodeGenerator::emitConstruct):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::NewExprNode::emitBytecode):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
        (JSC::DFG::ByteCodeParser::handleVarargsCall):
        (JSC::DFG::ByteCodeParser::emitArgumentPhantoms):
        (JSC::DFG::ByteCodeParser::attemptToInlineCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::reconstruct):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * ftl/FTLJSCallVarargs.cpp:
        (JSC::FTL::JSCallVarargs::emit):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
        (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
        (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeConstruct):
        * jit/JITOperations.cpp:

2015-02-24  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Make Getter/Setter RemoteObject property and ObjectPreview handling consistent
        https://bugs.webkit.org/show_bug.cgi?id=141587

        Reviewed by Timothy Hatcher.

        Convert getProperties(ownAndGetterProperties) to getDisplayableProperties().
        Mark PropertyDescriptors that are presumed to be native getters / bindings
        separately so that the frontend may display them differently.

        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::getProperties):
        (Inspector::InjectedScript::getDisplayableProperties):
        * inspector/InjectedScript.h:
        * inspector/InjectedScriptSource.js:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getProperties):
        (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/protocol/Runtime.json:

2015-02-24  Mark Lam  <mark.lam@apple.com>

        Rolling out r179753.  The fix was invalid.
        <https://webkit.org/b/141990>

        Not reviewed.

        * API/tests/testapi.mm:
        (threadMain):
        (useVMFromOtherThread): Deleted.
        (useVMFromOtherThreadAndOutliveVM): Deleted.
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::~Heap):
        (JSC::Heap::gatherStackRoots):
        * heap/Heap.h:
        (JSC::Heap::machineThreads):
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::Thread::Thread):
        (JSC::MachineThreads::MachineThreads):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::removeThread):
        (JSC::MachineThreads::removeCurrentThread):
        * heap/MachineStackMarker.h:

2015-02-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        Constructor returning null should construct an object instead of null
        https://bugs.webkit.org/show_bug.cgi?id=141640

        Reviewed by Filip Pizlo.

        When constructor code doesn't return an object, the constructor should return the `this` object instead.
        Since we used `op_is_object` for this check and `op_is_object` is intended to be used for `typeof`,
        it allows `null` as an object.
        This patch fixes it by introducing a new bytecode `op_is_object_or_null` for `typeof` use cases.
        Instead, the constructor uses the simplified `is_object`.

        As a result, `op_is_object` becomes fairly simple. So we introduce optimizations for `op_is_object`.

        1. LLInt and baseline JIT support `op_is_object` as a fast path.
        2. The DFG abstract interpreter supports `op_is_object`, and recognizes its speculated type and read-write effects.
        3. DFG introduces inlined asm for `op_is_object` rather than calling a C++ function.
        4. FTL lowers DFG's IsObject into LLVM IR.

        And at the same time, this patch fixes the isString / isObject predicates used for `op_is_object` and others
        in LLInt, JIT, DFG and FTL.
        Before introducing ES6 Symbol, JSCell was only used for object and string in the user observable area.
        So in many places, when the cell was not an object, we recognized it as a string, and vice versa.
        However, now that ES6 Symbol is implemented as a JSCell, this assumption is broken.
        So this patch stops using !isString as isObject.
        To check whether a cell is an object, instead of seeing that the structure ID of a cell is not stringStructure,
        we examine the typeInfo in JSCell.

        * JavaScriptCore.order:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEqualityOp):
        (JSC::BytecodeGenerator::emitReturn):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

        The IsObject operation only touches the JSCell typeInfoType.
        And this value would be changed through structure transition.
        As a result, IsObject can report that it doesn't read any information.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

        Just like IsString, IsObject is also fixed up.

        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality):
        (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality):
        (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
        (JSC::DFG::SpeculativeJIT::speculateObject):
        (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
        (JSC::DFG::SpeculativeJIT::speculateString):
        (JSC::DFG::SpeculativeJIT::speculateNotStringVar):
        (JSC::DFG::SpeculativeJIT::emitSwitchChar):
        (JSC::DFG::SpeculativeJIT::emitSwitchString):
        (JSC::DFG::SpeculativeJIT::branchIsObject):
        (JSC::DFG::SpeculativeJIT::branchNotObject):
        (JSC::DFG::SpeculativeJIT::branchIsString):
        (JSC::DFG::SpeculativeJIT::branchNotString):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileToString):
        (JSC::FTL::LowerDFGToLLVM::compileIsObject):
        (JSC::FTL::LowerDFGToLLVM::compileIsObjectOrNull):
        (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::isObject):
        (JSC::FTL::LowerDFGToLLVM::isNotObject):
        (JSC::FTL::LowerDFGToLLVM::isNotString):
        (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::emitJumpIfCellObject):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_is_object):
        (JSC::JIT::emit_op_to_primitive):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_is_object):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::compileOpStrictEq):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/Operations.cpp:
        (JSC::jsIsObjectTypeOrNull):
        (JSC::jsIsObjectType): Deleted.
        * runtime/Operations.h:
        * tests/stress/constructor-with-return.js: Added.
        (Test):

        When a constructor doesn't return an object, `this` should be returned instead.
        In this test, we check all primitives. And test object, array and wrappers.

        * tests/stress/dfg-to-primitive-pass-symbol.js: Added.
        (toPrimitiveTarget):
        (doToPrimitive):

        The op_to_primitive operation passes Symbol in the fast path.

2015-02-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        REGRESSION(r179429): Can't type comments in Facebook
        https://bugs.webkit.org/show_bug.cgi?id=141859

        Reviewed by Brent Fulgham.

        When window.Symbol is exposed to user-space pages,
        Facebook's JavaScript uses it (maybe, for immutable-js and React.js's unique key).
        However, to work with Symbols completely, it also requires
        1) Object.getOwnPropertySymbols (for mixin including Symbols)
        2) the latest ES6 Iterator interface that uses Iterator.next and returns { done: boolean, value: value }.
        Since they are not landed yet, comments in Facebook don't work.

        This patch introduces RuntimeFlags for JavaScriptCore.
        Specify the SymbolEnabled flag under the test runner and inspector to continue to work with Symbol.
        And drop the JavaScriptExperimentsEnabled flag
        because it is no longer used and its use case is duplicated by runtime flags.

        * JavaScriptCore.order:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jsc.cpp:
        (GlobalObject::javaScriptRuntimeFlags):
        (GlobalObject::javaScriptExperimentsEnabled): Deleted.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::finishCreation):
        (JSC::JSGlobalObject::javaScriptRuntimeFlags):
        (JSC::JSGlobalObject::javaScriptExperimentsEnabled): Deleted.
        * runtime/RuntimeFlags.h: Added.
        (JSC::RuntimeFlags::RuntimeFlags):
        (JSC::RuntimeFlags::createAllEnabled):

2015-02-23  Filip Pizlo  <fpizlo@apple.com>

        Our bizarre behavior on Arguments::defineOwnProperty should be deliberate rather than a spaghetti incident
        https://bugs.webkit.org/show_bug.cgi?id=141951

        Reviewed by Benjamin Poulain.

        This patch has no behavioral change, but it simplifies a bunch of wrong code. The code is
        still wrong in exactly the same way, but at least it's obvious what's going on. The wrongness
        is covered by this bug: https://bugs.webkit.org/show_bug.cgi?id=141952.

        * runtime/Arguments.cpp:
        (JSC::Arguments::copyBackingStore): We should only see the arguments token; assert otherwise. This works because if the GC sees the butterfly token it calls the JSObject::copyBackingStore method directly.
        (JSC::Arguments::defineOwnProperty): Make our bizarre behavior deliberate rather than an accident of a decade of patches.
        * tests/stress/arguments-bizarre-behavior.js: Added.
        (foo):
        * tests/stress/arguments-bizarre-behaviour-disable-enumerability.js: Added. My choice of spellings of the word "behavio[u]r" is almost as consistent as our implementation of arguments.
        (foo):
        * tests/stress/arguments-custom-properties-gc.js: Added. I added this test because at first I was unsure if we GCd arguments correctly.
        (makeBaseArguments):
        (makeArray):
        (cons):

2015-02-23  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r180547 and r180550.
        https://bugs.webkit.org/show_bug.cgi?id=141957

        Broke 10 Windows tests. (Requested by bfulgham_ on #webkit).

        Reverted changesets:

        "REGRESSION(r179429): Can't type comments in Facebook"
        https://bugs.webkit.org/show_bug.cgi?id=141859
        http://trac.webkit.org/changeset/180547

        "Constructor returning null should construct an object instead
        of null"
        https://bugs.webkit.org/show_bug.cgi?id=141640
        http://trac.webkit.org/changeset/180550

2015-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>

        Constructor returning null should construct an object instead of null
        https://bugs.webkit.org/show_bug.cgi?id=141640

        Reviewed by Geoffrey Garen.

        When constructor code doesn't return an object, the constructor should return the `this` object instead.
        Since we used `op_is_object` for this check and `op_is_object` is intended to be used for `typeof`,
        it allows `null` as an object.
        This patch fixes it by introducing a new bytecode `op_is_object_or_null` for `typeof` use cases.
        Instead, the constructor uses the simplified `is_object`.

        As a result, `op_is_object` becomes fairly simple. So we introduce optimizations for `op_is_object`.

        1. LLInt and baseline JIT support `op_is_object` as a fast path.
        2. The DFG abstract interpreter supports `op_is_object`, and recognizes its speculated type and read-write effects.
        3. DFG introduces inlined asm for `op_is_object` rather than calling a C++ function.
        4. FTL lowers DFG's IsObject into LLVM IR.

        And at the same time, this patch fixes the isString / isObject predicates used for `op_is_object` and others
        in LLInt, JIT, DFG and FTL.
        Before introducing ES6 Symbol, JSCell was only used for object and string in the user observable area.
        So in many places, when the cell was not an object, we recognized it as a string, and vice versa.
        However, now that ES6 Symbol is implemented as a JSCell, this assumption is broken.
        So this patch stops using !isString as isObject.
        To check whether a cell is an object, instead of seeing that the structure ID of a cell is not stringStructure,
        we examine the typeInfo in JSCell.

        * JavaScriptCore.order:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEqualityOp):
        (JSC::BytecodeGenerator::emitReturn):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

        The IsObject operation only touches the JSCell typeInfoType.
        And this value would not be changed through structure transition.
        As a result, IsObject can report that it doesn't read any information.

        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

        Just like IsString, IsObject is also fixed up.

        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality):
        (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality):
        (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
        (JSC::DFG::SpeculativeJIT::speculateObject):
        (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
        (JSC::DFG::SpeculativeJIT::speculateString):
        (JSC::DFG::SpeculativeJIT::speculateNotStringVar):
        (JSC::DFG::SpeculativeJIT::emitSwitchChar):
        (JSC::DFG::SpeculativeJIT::emitSwitchString):
        (JSC::DFG::SpeculativeJIT::branchIsObject):
        (JSC::DFG::SpeculativeJIT::branchNotObject):
        (JSC::DFG::SpeculativeJIT::branchIsString):
        (JSC::DFG::SpeculativeJIT::branchNotString):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileToString):
        (JSC::FTL::LowerDFGToLLVM::compileIsObject):
        (JSC::FTL::LowerDFGToLLVM::compileIsObjectOrNull):
        (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::isObject):
        (JSC::FTL::LowerDFGToLLVM::isNotObject):
        (JSC::FTL::LowerDFGToLLVM::isNotString):
        (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::emitJumpIfCellObject):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_is_object):
        (JSC::JIT::emit_op_to_primitive):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_is_object):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::compileOpStrictEq):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/Operations.cpp:
        (JSC::jsIsObjectTypeOrNull):
        (JSC::jsIsObjectType): Deleted.
        * runtime/Operations.h:
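
The `new` semantics that the two "Constructor returning null" entries above (the original landing and its reland) fix, as an added example written for this page rather than taken from the WebKit sources or its stress tests: a constructor's explicit return value replaces the freshly created `this` only when that value is an object; every primitive, `null` included, is discarded. The helpers `isObject`, `isObjectOrNull` and `constructReturning` are hypothetical names chosen here; the first two mirror, in plain JavaScript, the split the patch makes between the constructor check (`is_object`, which rejects `null`) and the `typeof` check (`is_object_or_null`, which must accept it because `typeof null === "object"`).

```javascript
// Predicate matching the narrow constructor-return check (`is_object`):
// null is NOT an object here, functions are.
function isObject(value) {
    return (typeof value === "object" && value !== null) || typeof value === "function";
}

// Predicate matching the wider `typeof`-style check (`is_object_or_null`).
function isObjectOrNull(value) {
    return value === null || isObject(value);
}

// Construct with a constructor whose body returns `returnValue` and report
// whether the caller received the fresh `this` or the returned value.
function constructReturning(returnValue) {
    function Ctor() {
        this.marker = "this";
        return returnValue;
    }
    const result = new Ctor();
    return {
        result,
        gotThis: result instanceof Ctor && result.marker === "this",
        isObject: isObject(returnValue),
    };
}

// The language rule under test: `new` yields the explicit return value
// exactly when that value is an object, otherwise it yields `this`.
function constructMatchesIsObject(returnValue) {
    const r = constructReturning(returnValue);
    return r.gotThis === !r.isObject;
}

// Constructed samples: all primitives (null included) and a spread of
// objects, arrays, wrappers, a function, a RegExp and a Date.
const primitiveSamples = [null, undefined, 0, 1, NaN, "", "str", true, false, Symbol("s")];
const objectSamples = [{}, [], new Number(1), new String("x"), new Boolean(false), function () {}, /re/, new Date(0)];

// Summary for a quick run: counts of samples whose construction obeyed the rule.
function summary() {
    return {
        primitivesReturningThis: primitiveSamples.filter((v) => constructReturning(v).gotThis).length,
        objectsReturnedAsIs: objectSamples.filter((v) => constructReturning(v).result === v).length,
        nullIsObject: isObject(null),
        nullIsObjectOrNull: isObjectOrNull(null),
    };
}
```

The bug the entries describe is exactly what happens if the constructor path reuses `isObjectOrNull`: `new Ctor()` with `return null` would then hand back `null`, and the caller's `result.marker` access throws. Running `summary()` shows every primitive sample yielding `this` and every object sample being returned unchanged.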
635
636 2015-02-23  Ryosuke Niwa  <rniwa@webkit.org>
637
638         Disable font loading events until our implementation gets updated to match the latest spec
639         https://bugs.webkit.org/show_bug.cgi?id=141938
640
641         Reviewed by Andreas Kling.
642
643         * Configurations/FeatureDefines.xcconfig:
644
645 2015-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
646
647         REGRESSION(r179429): Can't type comments in Facebook
648         https://bugs.webkit.org/show_bug.cgi?id=141859
649
650         Reviewed by Geoffrey Garen.
651
652         When window.Symbol is exposed to user-space pages,
653         Facebook's JavaScript use it (maybe, for immutable-js and React.js's unique key).
654         However, to work with Symbols completely, it also requires
655         1) Object.getOwnPropertySymbols (for mixin including Symbols)
656         2) the latest ES6 Iterator interface that uses Iterator.next and it returns { done: boolean, value: value }.
657         Since they are not landed yet, comments in Facebook don't work.
658
659         This patch introduces RuntimeFlags for JavaScriptCore.
660         Specifying SymbolEnabled flag under test runner and inspector to continue to work with Symbol.
661         And drop JavaScriptExperimentsEnabled flag
662         because it is no longer used and use case of this is duplicated to runtime flags.
663
664         * JavaScriptCore.order:
665         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
666         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
667         * JavaScriptCore.xcodeproj/project.pbxproj:
668         * jsc.cpp:
669         (GlobalObject::javaScriptRuntimeFlags):
670         (GlobalObject::javaScriptExperimentsEnabled): Deleted.
671         * runtime/JSGlobalObject.cpp:
672         (JSC::JSGlobalObject::JSGlobalObject):
673         (JSC::JSGlobalObject::init):
674         * runtime/JSGlobalObject.h:
675         (JSC::JSGlobalObject::finishCreation):
676         (JSC::JSGlobalObject::javaScriptRuntimeFlags):
677         (JSC::JSGlobalObject::javaScriptExperimentsEnabled): Deleted.
678         * runtime/RuntimeFlags.h: Added.
679         (JSC::RuntimeFlags::RuntimeFlags):
680         (JSC::RuntimeFlags::createAllEnabled):
681
682 2015-02-23  Benjamin Poulain  <bpoulain@apple.com>
683
684         Set the semantic origin of delayed SetLocal to the Bytecode that originated it
685         https://bugs.webkit.org/show_bug.cgi?id=141727
686
687         Reviewed by Filip Pizlo.
688
689         Previously, delayed SetLocals would have the NodeOrigin of the next
690         bytecode. This was because delayed SetLocal are...delayed... and
691         currentCodeOrigin() is the one where the node is emitted.
692
693         This made debugging a little awkward since the OSR exits on SetLocal
694         were reported for the next bytecode. This patch changes the semantic
695         origin to keep the original bytecode.
696
697         From benchmarks, this looks like it could be a tiny bit faster
698         but it is likely just noise.
699
700         * dfg/DFGByteCodeParser.cpp:
701         (JSC::DFG::ByteCodeParser::setDirect):
702         (JSC::DFG::ByteCodeParser::setLocal):
703         (JSC::DFG::ByteCodeParser::setArgument):
704         (JSC::DFG::ByteCodeParser::currentNodeOrigin):
705         (JSC::DFG::ByteCodeParser::addToGraph):
706         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
707         (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute):
708
709 2015-02-23  Benjamin Poulain  <bpoulain@apple.com>
710
711         Remove DFGNode::predictHeap()
712         https://bugs.webkit.org/show_bug.cgi?id=141864
713
714         Reviewed by Geoffrey Garen.
715
716         * dfg/DFGNode.h:
717         (JSC::DFG::Node::predictHeap): Deleted.
718         Unused code.
719
720 2015-02-23  Filip Pizlo  <fpizlo@apple.com>
721
722         Get rid of JSLexicalEnvironment::argumentsGetter
723         https://bugs.webkit.org/show_bug.cgi?id=141930
724
725         Reviewed by Mark Lam.
726         
727         This function is unused, and the way it's written is bizarre - it's a return statement that
728         dominates a bunch of dead code.
729
730         * runtime/JSLexicalEnvironment.cpp:
731         (JSC::JSLexicalEnvironment::argumentsGetter): Deleted.
732         * runtime/JSLexicalEnvironment.h:
733
734 2015-02-23  Filip Pizlo  <fpizlo@apple.com>
735
736         Remove unused activationCount and allTheThingsCount variable declarations.
737
738         Rubber stamped by Mark Lam and Michael Saboff.
739
740         * runtime/JSLexicalEnvironment.h:
741
742 2015-02-23  Saam Barati  <saambarati1@gmail.com>
743
744         Adjust the ranges of basic block statements in JSC's control flow profiler to be mutually exclusive
745         https://bugs.webkit.org/show_bug.cgi?id=141095
746
747         Reviewed by Mark Lam.
748
749         Suppose the control flow of a program forms basic block A with successor block
750         B. A's end offset will be the *same* as B's start offset in the current architecture 
751         of the control flow profiler. This makes reasoning about the text offsets of
752         the control flow profiler unsound. To make reasoning about offsets sound, all 
753         basic block ranges should be mutually exclusive.  All calls to emitProfileControlFlow 
754         now pass in the *start* of a basic block as the text offset argument. This simplifies 
755         all calls to emitProfileControlFlow because the previous implementation had a
756         lot of edge cases for getting the desired basic block text boundaries.
757
758         This patch also ensures that the basic block boundary of a block statement 
759         is exactly the block's open and close brace offsets (inclusive). For example,
760         in if/for/while statements. This also has the consequence that for statements 
761         like "if (cond) foo();", the whitespace preceding "foo()" is not part of 
762         the "foo()" basic block, but instead is part of the "if (cond) " basic block. 
763         This is okay because these text offsets aren't meant to be human readable.
764         Instead, they reflect the text offsets of JSC's AST nodes. The Web Inspector 
765         is the only client of this API and user of these text offsets and it is 
766         not negatively affected by this new behavior.
767
768         * bytecode/CodeBlock.cpp:
769         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
770         When computing basic block boundaries in CodeBlock, we ensure that every
771         block's end offset is one less than its successor's start offset to
772         maintain that boundaries' ranges should be mutually exclusive.
773
774         * bytecompiler/BytecodeGenerator.cpp:
775         (JSC::BytecodeGenerator::BytecodeGenerator):
776         Because the control flow profiler needs to know which functions
777         have executed, we can't lazily create functions. This was a bug 
778         from before that was hidden because the Type Profiler was always 
779         enabled when the control flow profiler was enabled when profiling 
780         was turned on from the Web Inspector. But, JSC allows for Control 
781         Flow profiling to be turned on without Type Profiling, so we need 
782         to ensure the Control Flow profiler has all the data it needs.
783
784         * bytecompiler/NodesCodegen.cpp:
785         (JSC::ConditionalNode::emitBytecode):
786         (JSC::IfElseNode::emitBytecode):
787         (JSC::WhileNode::emitBytecode):
788         (JSC::ForNode::emitBytecode):
789         (JSC::ForInNode::emitMultiLoopBytecode):
790         (JSC::ForOfNode::emitBytecode):
791         (JSC::TryNode::emitBytecode):
792         * jsc.cpp:
793         (functionHasBasicBlockExecuted):
794         We now assert that the substring argument is indeed a substring
795         of the function argument's text because subtle bugs could be
796         introduced otherwise.
797
798         * parser/ASTBuilder.h:
799         (JSC::ASTBuilder::setStartOffset):
800         * parser/Nodes.h:
801         (JSC::Node::setStartOffset):
802         * parser/Parser.cpp:
803         (JSC::Parser<LexerType>::parseBlockStatement):
804         (JSC::Parser<LexerType>::parseStatement):
805         (JSC::Parser<LexerType>::parseMemberExpression):
806         For the various function call AST nodes, their m_position member 
807         variable is now the start of the entire function call expression 
808         and not at the start of the open paren of the arguments list.
809
810         * runtime/BasicBlockLocation.cpp:
811         (JSC::BasicBlockLocation::getExecutedRanges):
812         * runtime/ControlFlowProfiler.cpp:
813         (JSC::ControlFlowProfiler::getBasicBlocksForSourceID):
814         Function ranges inserted as gaps should follow the same criteria
815         that the bytecode generator uses to ensure that basic blocks
816         start and end offsets are mutually exclusive.
817
818         * tests/controlFlowProfiler/brace-location.js: Added.
819         (foo):
820         (bar):
821         (baz):
822         (testIf):
823         (testForRegular):
824         (testForIn):
825         (testForOf):
826         (testWhile):
827         (testIfNoBraces):
828         (testForRegularNoBraces):
829         (testForInNoBraces):
830         (testForOfNoBraces):
831         (testWhileNoBraces):
832         * tests/controlFlowProfiler/conditional-expression.js: Added.
833         (foo):
834         (bar):
835         (baz):
836         (testConditionalBasic):
837         (testConditionalFunctionCall):
838         * tests/controlFlowProfiler/driver/driver.js:
839         (checkBasicBlock):
840
841 2015-02-23  Matthew Mirman  <mmirman@apple.com>
842
843         r9 is volatile on ARMv7 for iOS 3 and up. 
844         https://bugs.webkit.org/show_bug.cgi?id=141489
845         rdar://problem/19432916
846
847         Reviewed by Michael Saboff.
848
849         * jit/RegisterSet.cpp: 
850         (JSC::RegisterSet::calleeSaveRegisters): removed r9 from the list of ARMv7 callee save registers.
851         * tests/stress/regress-141489.js: Added.
852         (foo):
853
854 2015-02-23  Csaba Osztrogonác  <ossy@webkit.org>
855
856         [ARM] Add the necessary setupArgumentsWithExecState after bug141915
857         https://bugs.webkit.org/show_bug.cgi?id=141921
858
859         Reviewed by Michael Saboff.
860
861         * jit/CCallHelpers.h:
862         (JSC::CCallHelpers::setupArgumentsWithExecState):
863
864 2015-02-23  Filip Pizlo  <fpizlo@apple.com>
865
866         Scopes should always be created with a previously-created symbol table rather than creating one on the fly
867         https://bugs.webkit.org/show_bug.cgi?id=141915
868
869         Reviewed by Mark Lam.
870         
871         The main effect of this change is that pushing name scopes no longer requires creating symbol
872         tables on the fly.
873         
874         This also makes it so that JSEnvironmentRecords must always have an a priori symbol table.
875         
876         JSSegmentedVariableObject still does a hack where it creates a blank symbol table on-demand.
877         This is needed because that's what JSGlobalObject and all of its many subclasses want. That's
878         harmless; I mainly needed a priori symbol tables for JSEnvironmentRecords anyway.
879
880         * bytecode/BytecodeList.json:
881         * bytecompiler/BytecodeGenerator.cpp:
882         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
883         (JSC::BytecodeGenerator::emitPushCatchScope):
884         * jit/CCallHelpers.h:
885         (JSC::CCallHelpers::setupArgumentsWithExecState):
886         * jit/JIT.h:
887         * jit/JITInlines.h:
888         (JSC::JIT::callOperation):
889         * jit/JITOpcodes.cpp:
890         (JSC::JIT::emit_op_push_name_scope):
891         * jit/JITOpcodes32_64.cpp:
892         (JSC::JIT::emit_op_push_name_scope):
893         * jit/JITOperations.cpp:
894         (JSC::pushNameScope):
895         * jit/JITOperations.h:
896         * llint/LLIntSlowPaths.cpp:
897         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
898         * llint/LowLevelInterpreter.asm:
899         * runtime/Executable.cpp:
900         (JSC::ScriptExecutable::newCodeBlockFor):
901         * runtime/JSCatchScope.h:
902         (JSC::JSCatchScope::JSCatchScope):
903         (JSC::JSCatchScope::create):
904         * runtime/JSEnvironmentRecord.h:
905         (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
906         * runtime/JSFunctionNameScope.h:
907         (JSC::JSFunctionNameScope::JSFunctionNameScope):
908         (JSC::JSFunctionNameScope::create):
909         * runtime/JSNameScope.cpp:
910         (JSC::JSNameScope::create):
911         * runtime/JSNameScope.h:
912         (JSC::JSNameScope::create):
913         (JSC::JSNameScope::finishCreation):
914         (JSC::JSNameScope::JSNameScope):
915         * runtime/JSSegmentedVariableObject.h:
916         (JSC::JSSegmentedVariableObject::finishCreation):
917         * runtime/JSSymbolTableObject.h:
918         (JSC::JSSymbolTableObject::JSSymbolTableObject):
919         (JSC::JSSymbolTableObject::finishCreation): Deleted.
920         * runtime/SymbolTable.h:
921         (JSC::SymbolTable::createNameScopeTable):
922
923 2015-02-23  Filip Pizlo  <fpizlo@apple.com>
924
925         Add a comment to clarify that the test was taken from the bug report, in response to
926         feedback from Michael Saboff and Benjamin Poulain.
927         
928         * tests/stress/regress-141883.js:
929
930 2015-02-22  Filip Pizlo  <fpizlo@apple.com>
931
932         Function name scope is only created on the function instance that triggered parsing rather than on every function instance that needs it
933         https://bugs.webkit.org/show_bug.cgi?id=141881
934
935         Reviewed by Michael Saboff.
936         
937         Previously we only created the function name scope in a way that made it visible to the
938         function that triggered parsing/linking of the executable/codeBlock, and to the linker for
939         that code block. This was sort of the bare minimum for the feature to appear to work right to
940         synthetic tests.
941
942         There are two valid "times" to create the function name scope. Either it's created for each
943         JSFunction instance that needs a name scope, or it's created for each execution of such a
944         JSFunction. This change chooses the latter, because it happens to be the easiest to implement
945         with what we have right now. I opened a bug for optimizing this if we ever need to:
946         https://bugs.webkit.org/show_bug.cgi?id=141887.
947         
948         * bytecompiler/BytecodeGenerator.cpp:
949         (JSC::BytecodeGenerator::BytecodeGenerator):
950         * interpreter/Interpreter.cpp:
951         (JSC::Interpreter::execute):
952         (JSC::Interpreter::executeCall):
953         (JSC::Interpreter::executeConstruct):
954         (JSC::Interpreter::prepareForRepeatCall):
955         * jit/JITOperations.cpp:
956         * llint/LLIntSlowPaths.cpp:
957         (JSC::LLInt::setUpCall):
958         * runtime/ArrayPrototype.cpp:
959         (JSC::isNumericCompareFunction):
960         * runtime/Executable.cpp:
961         (JSC::ScriptExecutable::newCodeBlockFor):
962         (JSC::ScriptExecutable::prepareForExecutionImpl):
963         (JSC::FunctionExecutable::FunctionExecutable):
964         * runtime/Executable.h:
965         (JSC::ScriptExecutable::prepareForExecution):
966         * runtime/JSFunction.cpp:
967         (JSC::JSFunction::addNameScopeIfNeeded): Deleted.
968         * runtime/JSFunction.h:
969         * tests/stress/function-name-scope.js: Added.
970         (check.verify):
971         (check):
972
973 2015-02-22  Filip Pizlo  <fpizlo@apple.com>
974
975         Crash in DFGFrozenValue
976         https://bugs.webkit.org/show_bug.cgi?id=141883
977
978         Reviewed by Benjamin Poulain.
979         
980         If a value might be a cell, then we have to have Graph freeze it rather than trying to
981         create the FrozenValue directly. Creating it directly is just an optimization for when you
982         know for sure that it cannot be a cell.
983
984         * dfg/DFGAbstractInterpreterInlines.h:
985         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
986         * tests/stress/regress-141883.js: Added. Hacked the original test to be faster while still crashing before this fix.
987
988 2015-02-21  Joseph Pecoraro  <pecoraro@apple.com>
989
990         Web Inspector: Generate Previews more often for RemoteObject interaction
991         https://bugs.webkit.org/show_bug.cgi?id=141875
992
993         Reviewed by Timothy Hatcher.
994
995         * inspector/protocol/Runtime.json:
996         Add generatePreview to getProperties.
997
998         * inspector/InjectedScript.cpp:
999         (Inspector::InjectedScript::getProperties):
1000         (Inspector::InjectedScript::getInternalProperties):
1001         * inspector/InjectedScript.h:
1002         * inspector/agents/InspectorRuntimeAgent.cpp:
1003         (Inspector::InspectorRuntimeAgent::getProperties):
1004         * inspector/agents/InspectorRuntimeAgent.h:
1005         Plumb the generatePreview boolean through to the injected script.
1006
1007         * inspector/InjectedScriptSource.js:
1008         Add generatePreview for getProperties.
1009         Fix callFunctionOn to generatePreviews if asked.
1010
1011 2015-02-20  Mark Lam  <mark.lam@apple.com>
1012
1013         Refactor JSWrapperMap.mm to defer creation of the ObjC JSValue until the latest possible moment.
1014         <https://webkit.org/b/141856>
1015
1016         Reviewed by Geoffrey Garen.
1017
1018         1. Make JSObjCClassInfo's -constructor and -wrapperForObject return a
1019            JSC::JSObject* just like -prototype.
1020         2. Defer the creation of the ObjC JSValue from JSC::JSObject* until
1021            the latest moment when it is needed.  This allows us to not have to
1022            keep converting back to a JSC::JSObject* in intermediate code.
1023
1024         * API/JSWrapperMap.mm:
1025         (makeWrapper):
1026         (objectWithCustomBrand):
1027         (constructorWithCustomBrand):
1028         (allocateConstructorForCustomClass):
1029         (-[JSObjCClassInfo allocateConstructorAndPrototype]):
1030         (-[JSObjCClassInfo wrapperForObject:]):
1031         (-[JSObjCClassInfo constructor]):
1032         (-[JSWrapperMap jsWrapperForObject:]):
1033
1034 2015-02-20  Filip Pizlo  <fpizlo@apple.com>
1035
1036         Build fix for gcc.
1037
1038         * runtime/JSNameScope.cpp:
1039         (JSC::JSNameScope::create):
1040
1041 2015-02-20  Filip Pizlo  <fpizlo@apple.com>
1042
1043         Get rid of JSNameScope::m_type
1044         https://bugs.webkit.org/show_bug.cgi?id=141851
1045
1046         Reviewed by Geoffrey Garen.
1047         
1048         This is a big step towards getting rid of JSEnvironmentRecord::m_registers. To do it we need
1049         to ensure that subclasses of JSEnvironmentRecord never have additional C++ fields, so that
1050         JSEnvironmentRecord can always place "registers" right after the end of itself.
1051
1052         * CMakeLists.txt:
1053         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1054         * JavaScriptCore.xcodeproj/project.pbxproj:
1055         * debugger/DebuggerScope.cpp:
1056         (JSC::DebuggerScope::isCatchScope):
1057         (JSC::DebuggerScope::isFunctionNameScope):
1058         * interpreter/Interpreter.cpp:
1059         (JSC::Interpreter::execute):
1060         * jit/JITOperations.cpp:
1061         * llint/LLIntSlowPaths.cpp:
1062         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1063         * runtime/JSCatchScope.cpp: Added.
1064         * runtime/JSCatchScope.h: Added.
1065         (JSC::JSCatchScope::JSCatchScope):
1066         (JSC::JSCatchScope::create):
1067         (JSC::JSCatchScope::createStructure):
1068         * runtime/JSFunction.cpp:
1069         (JSC::JSFunction::addNameScopeIfNeeded):
1070         * runtime/JSFunctionNameScope.cpp: Added.
1071         * runtime/JSFunctionNameScope.h: Added.
1072         (JSC::JSFunctionNameScope::JSFunctionNameScope):
1073         (JSC::JSFunctionNameScope::create):
1074         (JSC::JSFunctionNameScope::createStructure):
1075         * runtime/JSGlobalObject.cpp:
1076         (JSC::JSGlobalObject::init):
1077         (JSC::JSGlobalObject::visitChildren):
1078         * runtime/JSGlobalObject.h:
1079         (JSC::JSGlobalObject::catchScopeStructure):
1080         (JSC::JSGlobalObject::functionNameScopeStructure):
1081         (JSC::JSGlobalObject::nameScopeStructure): Deleted.
1082         * runtime/JSNameScope.cpp:
1083         (JSC::JSNameScope::create):
1084         * runtime/JSNameScope.h:
1085         (JSC::JSNameScope::create):
1086         (JSC::JSNameScope::JSNameScope):
1087         (JSC::JSNameScope::createStructure): Deleted.
1088         (JSC::JSNameScope::isFunctionNameScope): Deleted.
1089         (JSC::JSNameScope::isCatchScope): Deleted.
1090         * runtime/JSObject.cpp:
1091         (JSC::JSObject::isCatchScopeObject):
1092         (JSC::JSObject::isFunctionNameScopeObject):
1093         * runtime/JSObject.h:
1094
1095 2015-02-20  Mark Lam  <mark.lam@apple.com>
1096
1097         [JSObjCClassInfo reallocateConstructorAndOrPrototype] should also reallocate super class prototype chain.
1098         <https://webkit.org/b/141809>
1099
1100         Reviewed by Geoffrey Garen.
1101
1102         An ObjC class that implements the JSExport protocol will have a JS prototype
1103         chain and constructor automatically synthesized for its JS wrapper object.
1104         However, if there are no more instances of that ObjC class reachable by a
1105         JS GC root scan, then its synthesized prototype chain and constructors may
1106         be released by the GC.  If a new instance of that ObjC class is subsequently
1107         instantiated, then [JSObjCClassInfo reallocateConstructorAndOrPrototype]
1108         should re-construct the prototype chain and constructor (if they were
1109         previously released).  However, the current implementation only
1110         re-constructs the immediate prototype, but not every other prototype
1111         object upstream in the prototype chain.
1112
1113         To fix this, we do the following:
1114         1. We no longer allocate the JSObjCClassInfo's prototype and constructor
1115            eagerly.  Hence, -initWithContext:forClass: will no longer call
1116            -allocateConstructorAndPrototypeWithSuperClassInfo:.
1117         2. Instead, we'll always access the prototype and constructor through
1118            accessor methods.  The accessor methods will call
1119            -allocateConstructorAndPrototype: if needed.
1120         3. -allocateConstructorAndPrototype: will fetch the needed superClassInfo
1121            from the JSWrapperMap itself.  This makes it so that we no longer
1122            need to pass the superClassInfo all over.
1123         4. -allocateConstructorAndPrototype: will get the super class prototype
1124            by invoking -prototype: on the superClassInfo, thereby allowing the
1125            super class to allocate its prototype and constructor if needed and
1126            fixing the issue in this bug.
1127
1128         5. Also removed the GC warning comments, and ensured that needed JS
1129            objects are kept alive by having a local var pointing to it from the
1130            stack (which makes a GC root).
1131
1132         * API/JSWrapperMap.mm:
1133         (-[JSObjCClassInfo initWithContext:forClass:]):
1134         (-[JSObjCClassInfo allocateConstructorAndPrototype]):
1135         (-[JSObjCClassInfo wrapperForObject:]):
1136         (-[JSObjCClassInfo constructor]):
1137         (-[JSObjCClassInfo prototype]):
1138         (-[JSWrapperMap classInfoForClass:]):
1139         (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]): Deleted.
1140         (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): Deleted.
1141         (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]): Deleted.
1142         * API/tests/Regress141809.h: Added.
1143         * API/tests/Regress141809.mm: Added.
1144         (-[TestClassB name]):
1145         (-[TestClassC name]):
1146         (runRegress141809):
1147         * API/tests/testapi.mm:
1148         * JavaScriptCore.xcodeproj/project.pbxproj:
1149
1150 2015-02-20  Alexey Proskuryakov  <ap@apple.com>
1151
1152         Remove svn:keywords property.
1153
1154         As far as I can tell, the property had no effect on any of these files, but also,
1155         when it has effect it's likely harmful.
1156
1157         * builtins/ArrayConstructor.js: Removed property svn:keywords.
1158
1159 2015-02-20  Michael Saboff  <msaboff@apple.com>
1160
1161         DFG JIT needs to check for stack overflow at the start of Program and Eval execution
1162         https://bugs.webkit.org/show_bug.cgi?id=141676
1163
1164         Reviewed by Filip Pizlo.
1165
1166         Added stack check to the beginning of the code the DFG compiler emits for Program and Eval nodes.
1167         To aid in testing the code, I replaced the EvalCodeCache::maxCacheableSourceLength const with
1168         an option in runtime/Options.h.  The test script, run-jsc-stress-tests, sets that option
1169         to a huge value when running with the "Eager" options.  This allows the updated test to 
1170         reliably exercise the code in question.
1171
1172         * dfg/DFGJITCompiler.cpp:
1173         (JSC::DFG::JITCompiler::compile):
1174         Added stack check.
1175
1176         * bytecode/EvalCodeCache.h:
1177         (JSC::EvalCodeCache::tryGet):
1178         (JSC::EvalCodeCache::getSlow):
1179         * runtime/Options.h:
1180         Replaced EvalCodeCache::maxCacheableSourceLength with Options::maximumEvalCacheableSourceLength
1181         so that it can be configured when running the related test.
1182
1183 2015-02-20  Eric Carlson  <eric.carlson@apple.com>
1184
1185         [iOS] cleanup AirPlay code
1186         https://bugs.webkit.org/show_bug.cgi?id=141811
1187
1188         Reviewed by Jer Noble.
1189
1190         * Configurations/FeatureDefines.xcconfig: IOS_AIRPLAY -> WIRELESS_PLAYBACK_TARGET.
1191
1192 2015-02-19  Dean Jackson  <dino@apple.com>
1193
1194         ES6: Implement Array.from()
1195         https://bugs.webkit.org/show_bug.cgi?id=141054
1196         <rdar://problem/19654521>
1197
1198         Reviewed by Filip Pizlo.
1199
1200         Implement the Array.from() ES6 method
1201         as defined in Section 22.1.2.1 of the specification.
1202
1203         Given that we can't rely on the built-in
1204         global functions or objects to be untainted,
1205         I had to expose a few of them directly to
1206         the function via private names. In particular:
1207         - Math.floor -> @floor
1208         - Math.abs -> @abs
1209         - Number -> @Number
1210         - Array -> @Array
1211         - isFinite -> @isFinite
1212
1213         * builtins/ArrayConstructor.js: Added.
1214         (from): Implementation of Array.from in JavaScript.
1215         * runtime/ArrayConstructor.cpp: Add "from" to the lookup
1216         table for the constructor object.
1217         * runtime/CommonIdentifiers.h: Add the private versions
1218         of the identifiers listed above.
1219         * runtime/JSGlobalObject.cpp: Add the implementations of
1220         those identifiers to the global object (using their
1221         private names).
1222         (JSC::JSGlobalObject::init):
1223         * runtime/JSGlobalObjectFunctions.cpp:
1224         (JSC::globalPrivateFuncAbs): Implementation of the abs function.
1225         (JSC::globalPrivateFuncFloor): Implementation of the floor function.
1226         * runtime/JSGlobalObjectFunctions.h:
1227
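        The entry above exposes Math.floor, Number, isFinite and Array to the Array.from builtin through private names because page script can replace the public globals. The following is an added example, not code from WebKit or JavaScriptCore, written in plain JavaScript to show what that protects against: a self-hosted builtin that resolves globals at call time (naiveArrayFrom) is subverted by a script that reassigns Math.floor, while one that captures the intrinsics before untrusted code runs (hardenedArrayFrom) is not. The function names and the sample array-like object are constructed for this illustration.

```javascript
// Added example (not WebKit/JavaScriptCore code). It shows the hazard the
// ChangeLog entry avoids with private names (@floor, @Number, @isFinite,
// @Array): a builtin written in JavaScript that reads globals at call time
// can be subverted by any page script that reassigns them. The names
// naiveArrayFrom, hardenedArrayFrom and withClobberedFloor are constructed
// for this illustration.

const MAX_SAFE = 9007199254740991;

// Naive variant: every global is resolved at call time, so a replaced
// Math.floor, Number or Array changes what this "builtin" does.
function naiveArrayFrom(arrayLike, mapFn) {
  const source = Object(arrayLike);
  let len = Number(source.length);
  len = (!isFinite(len) || len <= 0) ? 0 : Math.floor(len);
  if (len > MAX_SAFE) len = MAX_SAFE;
  const result = new Array(len);
  for (let k = 0; k < len; k++) {
    result[k] = mapFn ? mapFn(source[k], k) : source[k];
  }
  return result;
}

// Hardened variant: the intrinsics are captured once, when this module is
// evaluated and before untrusted script runs. This is the plain-JavaScript
// counterpart of JSC's private names: later assignments to the public
// globals do not affect these bindings.
const $Object = Object;
const $Number = Number;
const $isFinite = isFinite;
const $floor = Math.floor;
const $Array = Array;

function hardenedArrayFrom(arrayLike, mapFn) {
  const source = $Object(arrayLike);
  let len = $Number(source.length);
  len = (!$isFinite(len) || len <= 0) ? 0 : $floor(len);
  if (len > MAX_SAFE) len = MAX_SAFE;
  const result = new $Array(len);
  for (let k = 0; k < len; k++) {
    result[k] = mapFn ? mapFn(source[k], k) : source[k];
  }
  return result;
}

// Constructed attacker: page script that replaces Math.floor for the
// duration of one call, then restores it.
function withClobberedFloor(fn) {
  const saved = Math.floor;
  Math.floor = function () { return 0; };
  try {
    return fn();
  } finally {
    Math.floor = saved;
  }
}

// Same constructed source object either way; only how Math.floor is
// resolved differs. A fractional length exercises the floor call.
const sample = { length: 2.5, 0: 'a', 1: 'b' };
console.log(naiveArrayFrom(sample));                               // [ 'a', 'b' ]
console.log(withClobberedFloor(() => naiveArrayFrom(sample)));    // []
console.log(withClobberedFloor(() => hardenedArrayFrom(sample))); // [ 'a', 'b' ]
```

        Capturing only helps if it happens before any untrusted script executes, which is why an engine does it at global-object initialization rather than in page code. Note also what capturing does not cover: property reads on the caller-supplied object (source.length, source[k]) still go through that object's own getters and prototype chain, so a builtin must still be written to tolerate arbitrary values coming back from them.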
1228 2015-02-19  Benjamin Poulain  <bpoulain@apple.com>
1229
1230         Refine the FTL part of ArithPow
1231         https://bugs.webkit.org/show_bug.cgi?id=141792
1232
1233         Reviewed by Filip Pizlo.
1234
1235         This patch refines the FTL lowering of ArithPow. This was left out
1236         of the original patch to keep it simpler.
1237
1238         * ftl/FTLLowerDFGToLLVM.cpp:
1239         (JSC::FTL::LowerDFGToLLVM::compileArithPow):
1240         Two improvements here:
1241         1) Do not generate the NaN check unless we know the exponent might be a NaN.
1242         2) Use one BasicBlock per check with the appropriate weight. Now that we have
1243            one branch per test, move the Infinity check before the check for 1 since
1244            it is the less common case.
1245
1246         * tests/stress/math-pow-becomes-custom-function.js: Added.
1247         Test for changing the Math.pow() function after it has been optimized.
1248
1249         * tests/stress/math-pow-nan-behaviors.js:
1250         The previous tests were only going as far as the DFGAbstractInterpreter
1251         where the operations were replaced by the equivalent constant.
1252
1253         I duplicated the test functions to also test the dynamic behavior of DFG
1254         and FTL.
1255
1256         * tests/stress/math-pow-with-constants.js:
1257         Add cases covering exponent constants. LLVM removes many value
1258         checks for those.
1259
1260         * tests/stress/math-pow-with-never-NaN-exponent.js: Added.
1261         Test for the new optimization removing the NaN check.
1262
1263 2015-02-19  Csaba Osztrogonác  <ossy@webkit.org>
1264
1265         REGRESSION(r180279): It broke 20 tests on ARM Linux
1266         https://bugs.webkit.org/show_bug.cgi?id=141771
1267
1268         Reviewed by Filip Pizlo.
1269
1270         * dfg/DFGSpeculativeJIT.h:
1271         (JSC::DFG::SpeculativeJIT::callOperation): Align 64-bit values to respect ARM EABI.
1272
1273 2015-02-18  Benjamin Poulain  <bpoulain@apple.com>
1274
1275         Remove BytecodeGenerator's numberMap, it is dead code
1276         https://bugs.webkit.org/show_bug.cgi?id=141779
1277
1278         Reviewed by Filip Pizlo.
1279
1280         * bytecompiler/BytecodeGenerator.cpp:
1281         (JSC::BytecodeGenerator::emitLoad): Deleted.
1282         * bytecompiler/BytecodeGenerator.h:
1283         The JSValueMap seems better in every way.
1284
1285         The emitLoad() taking a double was the only way to use numberMap
1286         and that code has no caller.
1287
1288 2015-02-18  Michael Saboff  <msaboff@apple.com>
1289
1290         Rollout r180247 & r180249 from trunk
1291         https://bugs.webkit.org/show_bug.cgi?id=141773
1292
1293         Reviewed by Filip Pizlo.
1294
1295         These changes make sense to fix the crash reported in https://bugs.webkit.org/show_bug.cgi?id=141730
1296         only for branches.  The change to fail the FTL compile but continue running is not comprehensive
1297         enough for general use on trunk.
1298
1299         * dfg/DFGPlan.cpp:
1300         (JSC::DFG::Plan::compileInThreadImpl):
1301         * ftl/FTLLowerDFGToLLVM.cpp:
1302         (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
1303         (JSC::FTL::LowerDFGToLLVM::lower):
1304         (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
1305         (JSC::FTL::LowerDFGToLLVM::compileNode):
1306         (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
1307         (JSC::FTL::LowerDFGToLLVM::compilePhi):
1308         (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
1309         (JSC::FTL::LowerDFGToLLVM::compileValueRep):
1310         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
1311         (JSC::FTL::LowerDFGToLLVM::compilePutLocal):
1312         (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
1313         (JSC::FTL::LowerDFGToLLVM::compileArithMul):
1314         (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
1315         (JSC::FTL::LowerDFGToLLVM::compileArithMod):
1316         (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
1317         (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
1318         (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
1319         (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
1320         (JSC::FTL::LowerDFGToLLVM::compileGetById):
1321         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
1322         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
1323         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
1324         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
1325         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
1326         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
1327         (JSC::FTL::LowerDFGToLLVM::compileNewArray):
1328         (JSC::FTL::LowerDFGToLLVM::compileToString):
1329         (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
1330         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
1331         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
1332         (JSC::FTL::LowerDFGToLLVM::compileSwitch):
1333         (JSC::FTL::LowerDFGToLLVM::compare):
1334         (JSC::FTL::LowerDFGToLLVM::boolify):
1335         (JSC::FTL::LowerDFGToLLVM::opposite):
1336         (JSC::FTL::LowerDFGToLLVM::lowJSValue):
1337         (JSC::FTL::LowerDFGToLLVM::speculate):
1338         (JSC::FTL::LowerDFGToLLVM::isArrayType):
1339         (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
1340         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
1341         (JSC::FTL::LowerDFGToLLVM::setInt52):
1342         (JSC::FTL::lowerDFGToLLVM):
1343         (JSC::FTL::LowerDFGToLLVM::loweringFailed): Deleted.
1344         * ftl/FTLLowerDFGToLLVM.h:
1345
1346 2015-02-18  Filip Pizlo  <fpizlo@apple.com>
1347
1348         DFG should really support varargs
1349         https://bugs.webkit.org/show_bug.cgi?id=141332
1350
1351         Reviewed by Oliver Hunt.
1352         
1353         This adds comprehensive vararg call support to the DFG and FTL compilers. Previously, if a
1354         function had a varargs call, then it could only be compiled if that varargs call was just
1355         forwarding arguments and we were inlining the function rather than compiling it directly. Also,
1356         only varargs calls were dealt with; varargs constructs were not.
1357         
1358         This lifts all of those restrictions. Every varargs call or construct can now be compiled by both
1359         the DFG and the FTL. Those calls can also be inlined, too - provided that profiling gives us a
1360         sensible bound on arguments list length. When we inline a varargs call, the act of loading the
1361         varargs is now made explicit in IR. I believe that we have enough IR machinery in place that we
1362         would be able to do the arguments forwarding optimization as an IR transformation. This patch
1363         doesn't implement that yet, and keeps the old bytecode-based varargs argument forwarding
1364         optimization for now.
1365         
1366         There are three major IR features introduced in this patch:
1367         
1368         CallVarargs/ConstructVarargs: these are like Call/Construct except that they take an arguments
1369         array rather than a list of arguments. Currently, they splat this arguments array onto the stack
1370         using the same basic technique as the baseline JIT has always done. Except, these nodes indicate
1371         that we are not interested in doing the non-escaping "arguments" optimization.
1372         
1373         CallForwardVarargs: this is a form of CallVarargs that just does the non-escaping "arguments"
1374         optimization, aka forwarding arguments. It's somewhat lazy that this doesn't include
1375         ConstructForwardVarargs, but the reason is that once we eliminate the lazy tear-off for
1376         arguments, this whole thing will have to be tweaked - and for now forwarding on construct is just
1377         not important in benchmarks. ConstructVarargs will still do forwarding, just not inlined.
1378         
1379         LoadVarargs: loads all elements out of an array onto the stack in a manner suitable for a varargs
1380         call. This is used only when a varargs call (or construct) was inlined. The bytecode parser will
1381         make room on the stack for the arguments, and will use LoadVarargs to put those arguments into
1382         place.
1383         
1384         In the future, we can consider adding strength reductions like:
1385         
1386         - If CallVarargs/ConstructVarargs see an array of known size with known elements, turn them into
1387           Call/Construct.
1388         
1389         - If CallVarargs/ConstructVarargs are passed an unmodified, unescaped Arguments object, then
1390           turn them into CallForwardVarargs/ConstructForwardVarargs.
1391         
1392         - If LoadVarargs sees an array of known size, then turn it into a sequence of GetByVals and
1393           PutLocals.
1394         
1395         - If LoadVarargs sees an unmodified, unescaped Arguments object, then turn it into something like
1396           LoadForwardVarargs.
1397         
1398         - If CallVarargs/ConstructVarargs/LoadVarargs see the result of a splice (or other Array
1399           prototype function), then do the splice and varargs loading in one go (maybe via a new node
1400           type).
1401
1402         * CMakeLists.txt:
1403         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1404         * JavaScriptCore.xcodeproj/project.pbxproj:
1405         * assembler/MacroAssembler.h:
1406         (JSC::MacroAssembler::rshiftPtr):
1407         (JSC::MacroAssembler::urshiftPtr):
1408         * assembler/MacroAssemblerARM64.h:
1409         (JSC::MacroAssemblerARM64::urshift64):
1410         * assembler/MacroAssemblerX86_64.h:
1411         (JSC::MacroAssemblerX86_64::urshift64):
1412         * assembler/X86Assembler.h:
1413         (JSC::X86Assembler::shrq_i8r):
1414         * bytecode/CallLinkInfo.h:
1415         (JSC::CallLinkInfo::CallLinkInfo):
1416         * bytecode/CallLinkStatus.cpp:
1417         (JSC::CallLinkStatus::computeFor):
1418         (JSC::CallLinkStatus::setProvenConstantCallee):
1419         (JSC::CallLinkStatus::dump):
1420         * bytecode/CallLinkStatus.h:
1421         (JSC::CallLinkStatus::maxNumArguments):
1422         (JSC::CallLinkStatus::setIsProved): Deleted.
1423         * bytecode/CodeOrigin.cpp:
1424         (WTF::printInternal):
1425         * bytecode/CodeOrigin.h:
1426         (JSC::InlineCallFrame::varargsKindFor):
1427         (JSC::InlineCallFrame::specializationKindFor):
1428         (JSC::InlineCallFrame::isVarargs):
1429         (JSC::InlineCallFrame::isNormalCall): Deleted.
1430         * bytecode/ExitKind.cpp:
1431         (JSC::exitKindToString):
1432         * bytecode/ExitKind.h:
1433         * bytecode/ValueRecovery.cpp:
1434         (JSC::ValueRecovery::dumpInContext):
1435         * dfg/DFGAbstractInterpreterInlines.h:
1436         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1437         * dfg/DFGArgumentsSimplificationPhase.cpp:
1438         (JSC::DFG::ArgumentsSimplificationPhase::run):
1439         * dfg/DFGByteCodeParser.cpp:
1440         (JSC::DFG::ByteCodeParser::flush):
1441         (JSC::DFG::ByteCodeParser::addCall):
1442         (JSC::DFG::ByteCodeParser::handleCall):
1443         (JSC::DFG::ByteCodeParser::handleVarargsCall):
1444         (JSC::DFG::ByteCodeParser::emitFunctionChecks):
1445         (JSC::DFG::ByteCodeParser::inliningCost):
1446         (JSC::DFG::ByteCodeParser::inlineCall):
1447         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
1448         (JSC::DFG::ByteCodeParser::handleInlining):
1449         (JSC::DFG::ByteCodeParser::handleMinMax):
1450         (JSC::DFG::ByteCodeParser::handleIntrinsic):
1451         (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
1452         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1453         (JSC::DFG::ByteCodeParser::parseBlock):
1454         (JSC::DFG::ByteCodeParser::removeLastNodeFromGraph): Deleted.
1455         (JSC::DFG::ByteCodeParser::undoFunctionChecks): Deleted.
1456         * dfg/DFGCapabilities.cpp:
1457         (JSC::DFG::capabilityLevel):
1458         * dfg/DFGCapabilities.h:
1459         (JSC::DFG::functionCapabilityLevel):
1460         (JSC::DFG::mightCompileFunctionFor):
1461         * dfg/DFGClobberize.h:
1462         (JSC::DFG::clobberize):
1463         * dfg/DFGCommon.cpp:
1464         (WTF::printInternal):
1465         * dfg/DFGCommon.h:
1466         (JSC::DFG::canInline):
1467         (JSC::DFG::leastUpperBound):
1468         * dfg/DFGDoesGC.cpp:
1469         (JSC::DFG::doesGC):
1470         * dfg/DFGFixupPhase.cpp:
1471         (JSC::DFG::FixupPhase::fixupNode):
1472         * dfg/DFGGraph.cpp:
1473         (JSC::DFG::Graph::dump):
1474         (JSC::DFG::Graph::dumpBlockHeader):
1475         (JSC::DFG::Graph::isLiveInBytecode):
1476         (JSC::DFG::Graph::valueProfileFor):
1477         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
1478         * dfg/DFGGraph.h:
1479         (JSC::DFG::Graph::valueProfileFor): Deleted.
1480         (JSC::DFG::Graph::methodOfGettingAValueProfileFor): Deleted.
1481         * dfg/DFGJITCompiler.cpp:
1482         (JSC::DFG::JITCompiler::compileExceptionHandlers):
1483         (JSC::DFG::JITCompiler::link):
1484         * dfg/DFGMayExit.cpp:
1485         (JSC::DFG::mayExit):
1486         * dfg/DFGNode.h:
1487         (JSC::DFG::Node::hasCallVarargsData):
1488         (JSC::DFG::Node::callVarargsData):
1489         (JSC::DFG::Node::hasLoadVarargsData):
1490         (JSC::DFG::Node::loadVarargsData):
1491         (JSC::DFG::Node::hasHeapPrediction):
1492         * dfg/DFGNodeType.h:
1493         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
1494         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
1495         * dfg/DFGOSRExitCompilerCommon.cpp:
1496         (JSC::DFG::reifyInlinedCallFrames):
1497         * dfg/DFGOperations.cpp:
1498         * dfg/DFGOperations.h:
1499         * dfg/DFGPlan.cpp:
1500         (JSC::DFG::dumpAndVerifyGraph):
1501         (JSC::DFG::Plan::compileInThreadImpl):
1502         * dfg/DFGPreciseLocalClobberize.h:
1503         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1504         (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop):
1505         * dfg/DFGPredictionPropagationPhase.cpp:
1506         (JSC::DFG::PredictionPropagationPhase::propagate):
1507         * dfg/DFGSSAConversionPhase.cpp:
1508         * dfg/DFGSafeToExecute.h:
1509         (JSC::DFG::safeToExecute):
1510         * dfg/DFGSpeculativeJIT.h:
1511         (JSC::DFG::SpeculativeJIT::isFlushed):
1512         (JSC::DFG::SpeculativeJIT::callOperation):
1513         * dfg/DFGSpeculativeJIT32_64.cpp:
1514         (JSC::DFG::SpeculativeJIT::emitCall):
1515         (JSC::DFG::SpeculativeJIT::compile):
1516         * dfg/DFGSpeculativeJIT64.cpp:
1517         (JSC::DFG::SpeculativeJIT::emitCall):
1518         (JSC::DFG::SpeculativeJIT::compile):
1519         * dfg/DFGStackLayoutPhase.cpp:
1520         (JSC::DFG::StackLayoutPhase::run):
1521         (JSC::DFG::StackLayoutPhase::assign):
1522         * dfg/DFGStrengthReductionPhase.cpp:
1523         (JSC::DFG::StrengthReductionPhase::handleNode):
1524         * dfg/DFGTypeCheckHoistingPhase.cpp:
1525         (JSC::DFG::TypeCheckHoistingPhase::run):
1526         * dfg/DFGValidate.cpp:
1527         (JSC::DFG::Validate::validateCPS):
1528         * ftl/FTLAbbreviations.h:
1529         (JSC::FTL::functionType):
1530         (JSC::FTL::buildCall):
1531         * ftl/FTLCapabilities.cpp:
1532         (JSC::FTL::canCompile):
1533         * ftl/FTLCompile.cpp:
1534         (JSC::FTL::mmAllocateDataSection):
1535         * ftl/FTLInlineCacheSize.cpp:
1536         (JSC::FTL::sizeOfCall):
1537         (JSC::FTL::sizeOfCallVarargs):
1538         (JSC::FTL::sizeOfCallForwardVarargs):
1539         (JSC::FTL::sizeOfConstructVarargs):
1540         (JSC::FTL::sizeOfIn):
1541         (JSC::FTL::sizeOfICFor):
1542         (JSC::FTL::sizeOfCheckIn): Deleted.
1543         * ftl/FTLInlineCacheSize.h:
1544         * ftl/FTLIntrinsicRepository.h:
1545         * ftl/FTLJSCall.cpp:
1546         (JSC::FTL::JSCall::JSCall):
1547         * ftl/FTLJSCallBase.cpp:
1548         * ftl/FTLJSCallBase.h:
1549         * ftl/FTLJSCallVarargs.cpp: Added.
1550         (JSC::FTL::JSCallVarargs::JSCallVarargs):
1551         (JSC::FTL::JSCallVarargs::numSpillSlotsNeeded):
1552         (JSC::FTL::JSCallVarargs::emit):
1553         (JSC::FTL::JSCallVarargs::link):
1554         * ftl/FTLJSCallVarargs.h: Added.
1555         (JSC::FTL::JSCallVarargs::node):
1556         (JSC::FTL::JSCallVarargs::stackmapID):
1557         (JSC::FTL::JSCallVarargs::operator<):
1558         * ftl/FTLLowerDFGToLLVM.cpp:
1559         (JSC::FTL::LowerDFGToLLVM::lower):
1560         (JSC::FTL::LowerDFGToLLVM::compileNode):
1561         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
1562         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
1563         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
1564         (JSC::FTL::LowerDFGToLLVM::compileLoadVarargs):
1565         (JSC::FTL::LowerDFGToLLVM::compileIn):
1566         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
1567         (JSC::FTL::LowerDFGToLLVM::vmCall):
1568         (JSC::FTL::LowerDFGToLLVM::vmCallNoExceptions):
1569         (JSC::FTL::LowerDFGToLLVM::callCheck):
1570         * ftl/FTLOutput.h:
1571         (JSC::FTL::Output::call):
1572         * ftl/FTLState.cpp:
1573         (JSC::FTL::State::State):
1574         * ftl/FTLState.h:
1575         * interpreter/Interpreter.cpp:
1576         (JSC::sizeOfVarargs):
1577         (JSC::sizeFrameForVarargs):
1578         * interpreter/Interpreter.h:
1579         * interpreter/StackVisitor.cpp:
1580         (JSC::StackVisitor::readInlinedFrame):
1581         * jit/AssemblyHelpers.cpp:
1582         (JSC::AssemblyHelpers::emitExceptionCheck):
1583         * jit/AssemblyHelpers.h:
1584         (JSC::AssemblyHelpers::addressFor):
1585         (JSC::AssemblyHelpers::calleeFrameSlot):
1586         (JSC::AssemblyHelpers::calleeArgumentSlot):
1587         (JSC::AssemblyHelpers::calleeFrameTagSlot):
1588         (JSC::AssemblyHelpers::calleeFramePayloadSlot):
1589         (JSC::AssemblyHelpers::calleeArgumentTagSlot):
1590         (JSC::AssemblyHelpers::calleeArgumentPayloadSlot):
1591         (JSC::AssemblyHelpers::calleeFrameCallerFrame):
1592         (JSC::AssemblyHelpers::selectScratchGPR):
1593         * jit/CCallHelpers.h:
1594         (JSC::CCallHelpers::setupArgumentsWithExecState):
1595         * jit/GPRInfo.h:
1596         * jit/JIT.cpp:
1597         (JSC::JIT::privateCompile):
1598         * jit/JIT.h:
1599         * jit/JITCall.cpp:
1600         (JSC::JIT::compileSetupVarargsFrame):
1601         (JSC::JIT::compileOpCall):
1602         * jit/JITCall32_64.cpp:
1603         (JSC::JIT::compileSetupVarargsFrame):
1604         (JSC::JIT::compileOpCall):
1605         * jit/JITOperations.h:
1606         * jit/SetupVarargsFrame.cpp:
1607         (JSC::emitSetupVarargsFrameFastCase):
1608         * jit/SetupVarargsFrame.h:
1609         * runtime/Arguments.h:
1610         (JSC::Arguments::create):
1611         (JSC::Arguments::registerArraySizeInBytes):
1612         (JSC::Arguments::finishCreation):
1613         * runtime/Options.h:
1614         * tests/stress/construct-varargs-inline-smaller-Foo.js: Added.
1615         (Foo):
1616         (bar):
1617         (checkEqual):
1618         (test):
1619         * tests/stress/construct-varargs-inline.js: Added.
1620         (Foo):
1621         (bar):
1622         (checkEqual):
1623         (test):
1624         * tests/stress/construct-varargs-no-inline.js: Added.
1625         (Foo):
1626         (bar):
1627         (checkEqual):
1628         (test):
1629         * tests/stress/get-argument-by-val-in-inlined-varargs-call-out-of-bounds.js: Added.
1630         (foo):
1631         (bar):
1632         * tests/stress/get-argument-by-val-safe-in-inlined-varargs-call-out-of-bounds.js: Added.
1633         (foo):
1634         (bar):
1635         * tests/stress/get-my-argument-by-val-creates-arguments.js: Added.
1636         (blah):
1637         (foo):
1638         (bar):
1639         (checkEqual):
1640         (test):
1641         * tests/stress/load-varargs-then-inlined-call-exit-in-foo.js: Added.
1642         (foo):
1643         (bar):
1644         (checkEqual):
1645         * tests/stress/load-varargs-then-inlined-call-inlined.js: Added.
1646         (foo):
1647         (bar):
1648         (baz):
1649         (checkEqual):
1650         (test):
1651         * tests/stress/load-varargs-then-inlined-call.js: Added.
1652         (foo):
1653         (bar):
1654         (checkEqual):
1655         (test):
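        The three call shapes this entry describes, exercised from JavaScript as an added example that is not code from the ChangeLog or the JSC test suite: f.apply(o, array) is the CallVarargs shape, new F(...array) the ConstructVarargs shape, and f.apply(this, arguments) the CallForwardVarargs shape. Every function name in it is constructed for this example; the past-the-end arguments read mirrors the "...out-of-bounds.js" stress tests listed above, where the only acceptable result is undefined.

```javascript
// Added example (not from the WebKit ChangeLog or JSC tests). Each varargs shape
// is run many times so a tiering engine reaches its optimizing JIT, and its
// result is compared with a plain loop so a wrong lowering shows up as a mismatch.
"use strict";

// Callee that reads every argument plus one index past the end. In an inlined
// varargs call the past-the-end read must yield undefined, never a stack slot.
function sumArgs() {
    var total = 0;
    for (var i = 0; i < arguments.length; ++i)
        total += arguments[i];
    return { total: total, count: arguments.length, pastEnd: arguments[arguments.length] };
}

// CallVarargs shape: the argument list comes from an arbitrary array.
function callVarargs(array) {
    return sumArgs.apply(null, array);
}

// CallForwardVarargs shape: the callee's own arguments object is forwarded
// unmodified and does not escape, which is what "forwarding arguments" needs.
function forwardVarargs() {
    return sumArgs.apply(null, arguments);
}

// ConstructVarargs shape: an array spread into a constructor call.
function Foo() {
    this.received = Array.prototype.slice.call(arguments);
}
function constructVarargs(array) {
    return new Foo(...array);
}

// Reference result computed without any varargs machinery.
function expected(array) {
    var total = 0;
    for (var i = 0; i < array.length; ++i)
        total += array[i];
    return { total: total, count: array.length };
}

// Runs each shape `iterations` times over argument lists of every length from 0
// to maxLength and returns the number of mismatches (0 means all shapes agree).
function checkVarargsShapes(iterations, maxLength) {
    var mismatches = 0;
    for (var iter = 0; iter < iterations; ++iter) {
        for (var len = 0; len <= maxLength; ++len) {
            var array = [];
            for (var i = 0; i < len; ++i)
                array.push(i + iter);
            var want = expected(array);

            var viaCall = callVarargs(array);
            var viaForward = forwardVarargs.apply(null, array);
            var viaConstruct = constructVarargs(array);

            if (viaCall.total !== want.total || viaCall.count !== want.count
                || viaCall.pastEnd !== undefined)
                ++mismatches;
            if (viaForward.total !== want.total || viaForward.count !== want.count
                || viaForward.pastEnd !== undefined)
                ++mismatches;
            if (viaConstruct.received.length !== want.count
                || viaConstruct.received.some(function (v, idx) { return v !== array[idx]; }))
                ++mismatches;
        }
    }
    return mismatches;
}

if (typeof require !== "undefined" && require.main === module) {
    var bad = checkVarargsShapes(10000, 8);
    console.log(bad === 0 ? "all varargs shapes agree" : bad + " mismatches");
}
```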
1656
1657 2015-02-17  Michael Saboff  <msaboff@apple.com>
1658
1659         Unreviewed, restoring the C LOOP insta-crash fix in r180184.
1660
1661         Fixed a typo that only affected the C Loop in the prologue() macro in LowLevelInterpreter.asm.
1662         After the stackHeightOKGetCodeBlock label, codeBlockSetter(t1) should be codeBlockGetter(t1).
1663
1664         * llint/LowLevelInterpreter.asm: Fixed a typo.
1665
1666 2015-02-18  Csaba Osztrogonác  <ossy@webkit.org>
1667
1668         URTBF after r180258 to fix Windows build.
1669
1670         * runtime/MathCommon.cpp:
1671         (JSC::mathPowInternal):
1672
1673 2015-02-18  Joseph Pecoraro  <pecoraro@apple.com>
1674
1675         REGRESSION(r180235): It broke the !ENABLE(PROMISES) build
1676         https://bugs.webkit.org/show_bug.cgi?id=141746
1677
1678         Unreviewed build fix.
1679
1680         * inspector/JSInjectedScriptHost.cpp:
1681         (Inspector::JSInjectedScriptHost::getInternalProperties):
1682         Wrap JSPromise related code in ENABLE(PROMISES) guard.
1683
1684 2015-02-18  Benjamin Poulain  <benjamin@webkit.org>
1685
1686         Fix the C-Loop LLInt build
1687         https://bugs.webkit.org/show_bug.cgi?id=141618
1688
1689         Reviewed by Filip Pizlo.
1690
1691         I broke C-Loop when moving the common code of pow()
1692         to JITOperations because that file is #ifdefed out
1693         when the JITs are disabled.
1694
1695         It would be weird to move it back to MathObject since
1696         the function needs to know about the calling conventions.
1697
1698         To avoid making a mess, I just gave the function its own file
1699         that is used by both the runtime and the JIT.
1700
1701         * CMakeLists.txt:
1702         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1703         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1704         * JavaScriptCore.xcodeproj/project.pbxproj:
1705         * dfg/DFGAbstractInterpreterInlines.h:
1706         * jit/JITOperations.cpp:
1707         * jit/JITOperations.h:
1708         * runtime/MathCommon.cpp: Added.
1709         (JSC::fdlibmScalbn):
1710         (JSC::fdlibmPow):
1711         (JSC::isDenormal):
1712         (JSC::isEdgeCase):
1713         (JSC::mathPowInternal):
1714         (JSC::operationMathPow):
1715         * runtime/MathCommon.h: Added.
1716         * runtime/MathObject.cpp:
1717
1718 2015-02-17  Benjamin Poulain  <bpoulain@apple.com>
1719
1720         Clean up OSRExit's considerAddingAsFrequentExitSite()
1721         https://bugs.webkit.org/show_bug.cgi?id=141690
1722
1723         Reviewed by Anders Carlsson.
1724
1725         Looks like some code was removed from CodeBlock::tallyFrequentExitSites()
1726         and the OSRExit were left untouched.
1727
1728         This patch cleans up the two loops and removes the boolean return
1729         on considerAddingAsFrequentExitSite().
1730
1731         * bytecode/CodeBlock.cpp:
1732         (JSC::CodeBlock::tallyFrequentExitSites):
1733         * dfg/DFGOSRExit.h:
1734         (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
1735         * dfg/DFGOSRExitBase.cpp:
1736         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
1737         * dfg/DFGOSRExitBase.h:
1738         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSite):
1739         * ftl/FTLOSRExit.h:
1740         (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
1741
1742 2015-02-17  Alexey Proskuryakov  <ap@apple.com>
1743
1744         Debug build fix after r180247.
1745
1746         * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::loweringFailed):
1747
1748 2015-02-17  Commit Queue  <commit-queue@webkit.org>
1749
1750         Unreviewed, rolling out r180184.
1751         https://bugs.webkit.org/show_bug.cgi?id=141733
1752
1753         Caused infinite recursion on js/function-apply-aliased.html
1754         (Requested by ap_ on #webkit).
1755
1756         Reverted changeset:
1757
1758         "REGRESSION(r180060): C Loop crashes"
1759         https://bugs.webkit.org/show_bug.cgi?id=141671
1760         http://trac.webkit.org/changeset/180184
1761
1762 2015-02-17  Michael Saboff  <msaboff@apple.com>
1763
1764         CrashTracer: DFG_CRASH beneath JSC::FTL::LowerDFGToLLVM::compileNode
1765         https://bugs.webkit.org/show_bug.cgi?id=141730
1766
1767         Reviewed by Geoffrey Garen.
1768
1769         Added a new failure handler, loweringFailed(), to LowerDFGToLLVM that reports failures
1770         while processing DFG lowering.  For debug builds, the failures are logged identically
1771         to the way the DFG_CRASH() reports them.  For release builds, the failures are reported
1772         and that FTL compilation is terminated, but the process is allowed to continue.
1773         Wrapped calls to loweringFailed() in a macro LOWERING_FAILED so the function and
1774         line number are reported at the point of the inconsistency.
1775
1776         Converted instances of DFG_CRASH to LOWERING_FAILED.
1777
1778         * dfg/DFGPlan.cpp:
1779         (JSC::DFG::Plan::compileInThreadImpl): Added lowerDFGToLLVM() failure check that
1780         will fail the FTL compile.
1781
1782         * ftl/FTLLowerDFGToLLVM.cpp:
1783         (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
1784         Added new member variable, m_loweringSucceeded, to stop compilation on the first
1785         reported failure.
1786
1787         * ftl/FTLLowerDFGToLLVM.cpp:
1788         (JSC::FTL::LowerDFGToLLVM::lower):
1789         * ftl/FTLLowerDFGToLLVM.h:
1790         Added check for compilation failures and now report those failures via a boolean
1791         return value.
1792
1793         * ftl/FTLLowerDFGToLLVM.cpp:
1794         (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
1795         (JSC::FTL::LowerDFGToLLVM::compileNode):
1796         (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
1797         (JSC::FTL::LowerDFGToLLVM::compilePhi):
1798         (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
1799         (JSC::FTL::LowerDFGToLLVM::compileValueRep):
1800         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
1801         (JSC::FTL::LowerDFGToLLVM::compilePutLocal):
1802         (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
1803         (JSC::FTL::LowerDFGToLLVM::compileArithMul):
1804         (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
1805         (JSC::FTL::LowerDFGToLLVM::compileArithMod):
1806         (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
1807         (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
1808         (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
1809         (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
1810         (JSC::FTL::LowerDFGToLLVM::compileGetById):
1811         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
1812         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
1813         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
1814         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
1815         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
1816         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
1817         (JSC::FTL::LowerDFGToLLVM::compileNewArray):
1818         (JSC::FTL::LowerDFGToLLVM::compileToString):
1819         (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
1820         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
1821         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
1822         (JSC::FTL::LowerDFGToLLVM::compileSwitch):
1823         (JSC::FTL::LowerDFGToLLVM::compare):
1824         (JSC::FTL::LowerDFGToLLVM::boolify):
1825         (JSC::FTL::LowerDFGToLLVM::opposite):
1826         (JSC::FTL::LowerDFGToLLVM::lowJSValue):
1827         (JSC::FTL::LowerDFGToLLVM::speculate):
1828         (JSC::FTL::LowerDFGToLLVM::isArrayType):
1829         (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
1830         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
1831         (JSC::FTL::LowerDFGToLLVM::setInt52):
1832         Changed DFG_CRASH() to LOWERING_FAILED().  Updated related control flow as appropriate.
1833
1834         (JSC::FTL::LowerDFGToLLVM::loweringFailed): New error reporting member function.
1835
1836 2015-02-17  Filip Pizlo  <fpizlo@apple.com>
1837
1838         StackLayoutPhase should use CodeBlock::usesArguments rather than FunctionExecutable::usesArguments
1839         https://bugs.webkit.org/show_bug.cgi?id=141721
1840         rdar://problem/17198633
1841
1842         Reviewed by Michael Saboff.
1843         
1844         I've seen cases where the two are out of sync.  We know we can trust the CodeBlock::usesArguments because
1845         we use it everywhere else.
1846         
1847         No test because I could never reproduce the crash.
1848
1849         * dfg/DFGGraph.h:
1850         (JSC::DFG::Graph::usesArguments):
1851         * dfg/DFGStackLayoutPhase.cpp:
1852         (JSC::DFG::StackLayoutPhase::run):
1853
1854 2015-02-16  Joseph Pecoraro  <pecoraro@apple.com>
1855
1856         Web Inspector: Improved Console Support for Bound Functions
1857         https://bugs.webkit.org/show_bug.cgi?id=141635
1858
1859         Reviewed by Timothy Hatcher.
1860
1861         * inspector/JSInjectedScriptHost.cpp:
1862         (Inspector::JSInjectedScriptHost::getInternalProperties):
1863         Expose internal properties of a JSBoundFunction.
1864
1865 2015-02-16  Joseph Pecoraro  <pecoraro@apple.com>
1866
1867         Web Inspector: ES6: Improved Console Support for Promise Objects
1868         https://bugs.webkit.org/show_bug.cgi?id=141634
1869
1870         Reviewed by Timothy Hatcher.
1871
1872         * inspector/InjectedScript.cpp:
1873         (Inspector::InjectedScript::getInternalProperties):
1874         * inspector/InjectedScriptSource.js:
1875         Include internal properties in previews. Share code
1876         with normal internal property handling.
1877
1878         * inspector/JSInjectedScriptHost.cpp:
1879         (Inspector::constructInternalProperty):
1880         (Inspector::JSInjectedScriptHost::getInternalProperties):
1881         Provide internal state of Promises.
1882
1883         * inspector/protocol/Runtime.json:
1884         Provide an optional field to distinguish if a PropertyPreview
1885         is for an Internal property or not.
1886
1887 2015-02-17  Filip Pizlo  <fpizlo@apple.com>
1888
1889         Throwing from an FTL call IC slow path may result in tag registers being clobbered on 64-bit CPUs
1890         https://bugs.webkit.org/show_bug.cgi?id=141717
1891         rdar://problem/19863382
1892
1893         Reviewed by Geoffrey Garen.
1894         
1895         The best solution is to ensure that the engine catching an exception restores tag registers.
1896         
1897         Each of these new test cases reliably crashed prior to this patch and they don't crash at all now.
1898
1899         * jit/JITOpcodes.cpp:
1900         (JSC::JIT::emit_op_catch):
1901         * llint/LowLevelInterpreter.asm:
1902         * llint/LowLevelInterpreter64.asm:
1903         * tests/stress/throw-from-ftl-call-ic-slow-path-cells.js: Added.
1904         * tests/stress/throw-from-ftl-call-ic-slow-path-undefined.js: Added.
1905         * tests/stress/throw-from-ftl-call-ic-slow-path.js: Added.
1906
1907 2015-02-17  Csaba Osztrogonác  <ossy@webkit.org>
1908
1909         [ARM] Add the necessary setupArgumentsWithExecState after bug141332
1910         https://bugs.webkit.org/show_bug.cgi?id=141714
1911
1912         Reviewed by Michael Saboff.
1913
1914         * jit/CCallHelpers.h:
1915         (JSC::CCallHelpers::setupArgumentsWithExecState):
1916
1917 2015-02-15  Sam Weinig  <sam@webkit.org>
1918
1919         Add experimental <attachment> element support
1920         https://bugs.webkit.org/show_bug.cgi?id=141626
1921
1922         Reviewed by Tim Horton.
1923
1924         * Configurations/FeatureDefines.xcconfig:
1925
1926 2015-02-16  Michael Saboff  <msaboff@apple.com>
1927
1928         REGRESSION(r180060): C Loop crashes
1929         https://bugs.webkit.org/show_bug.cgi?id=141671
1930
1931         Reviewed by Geoffrey Garen.
1932
1933         Fixed a typo that only affected the C Loop in the prologue() macro in LowLevelInterpreter.asm.
1934         After the stackHeightOKGetCodeBlock label, codeBlockSetter(t1) should be codeBlockGetter(t1).
1935         Fixed the processing of an out of stack exception in llint_stack_check to not get the caller's
1936         frame.  This isn't needed, since this helper is only called to check the stack on entry.  Any
1937         exception will be handled by a call ancestor.
1938
1939         * llint/LLIntSlowPaths.cpp:
1940         (JSC::LLInt::llint_stack_check): Changed to use the current frame for processing an exception.
1941         * llint/LowLevelInterpreter.asm: Fixed a typo.
1942
1943 2015-02-16  Joseph Pecoraro  <pecoraro@apple.com>
1944
1945         Web Inspector: Scope details sidebar should label objects with constructor names
1946         https://bugs.webkit.org/show_bug.cgi?id=139449
1947
1948         Reviewed by Timothy Hatcher.
1949
1950         * inspector/JSInjectedScriptHost.cpp:
1951         (Inspector::JSInjectedScriptHost::internalConstructorName):
1952         * runtime/Structure.cpp:
1953         (JSC::Structure::toStructureShape):
1954         Share calculatedClassName.
1955
1956         * runtime/JSObject.h:
1957         * runtime/JSObject.cpp:
1958         (JSC::JSObject::calculatedClassName):
1959         Elaborate on a way to get an Object's class name.
1960
1961 2015-02-16  Filip Pizlo  <fpizlo@apple.com>
1962
1963         DFG SSA should use GetLocal for arguments, and the GetArgument node type should be removed
1964         https://bugs.webkit.org/show_bug.cgi?id=141623
1965
1966         Reviewed by Oliver Hunt.
1967         
1968         During development of https://bugs.webkit.org/show_bug.cgi?id=141332, I realized that I
1969         needed to use GetArgument for loading something that has magically already appeared on the
1970         stack, so currently trunk sort of allows this. But then I realized three things:
1971         
1972         - A GetArgument with a non-JSValue flush format means speculating that the value on the
1973           stack obeys that format, rather than just assuming that it already has that format.
1974           In bug 141332, I want it to assume rather than speculate. That also happens to be more
1975           intuitive; I don't think I was wrong to expect that.
1976         
1977         - The node I really want is GetLocal. I'm just getting the value of the local and I don't
1978           want to do anything else.
1979         
1980         - Maybe it would be easier if we just used GetLocal for all of the cases where we currently
1981           use GetArgument.
1982         
1983         This changes the FTL to do argument speculations in the prologue just like the DFG does.
1984         This brings some consistency to our system, and allows us to get rid of the GetArgument
1985         node. The speculations that the FTL must do are now made explicit in the m_argumentFormats
1986         vector in DFG::Graph. This has natural DCE behavior: even if all uses of the argument are
1987         dead we will still speculate. We already have safeguards to ensure we only speculate if
1988         there are uses that benefit from speculation (which is a much more conservative criterion
1989         than DCE).
1990         
1991         * dfg/DFGAbstractInterpreterInlines.h:
1992         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1993         * dfg/DFGClobberize.h:
1994         (JSC::DFG::clobberize):
1995         * dfg/DFGDCEPhase.cpp:
1996         (JSC::DFG::DCEPhase::run):
1997         * dfg/DFGDoesGC.cpp:
1998         (JSC::DFG::doesGC):
1999         * dfg/DFGFixupPhase.cpp:
2000         (JSC::DFG::FixupPhase::fixupNode):
2001         * dfg/DFGFlushFormat.h:
2002         (JSC::DFG::typeFilterFor):
2003         * dfg/DFGGraph.cpp:
2004         (JSC::DFG::Graph::dump):
2005         * dfg/DFGGraph.h:
2006         (JSC::DFG::Graph::valueProfileFor):
2007         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2008         * dfg/DFGInPlaceAbstractState.cpp:
2009         (JSC::DFG::InPlaceAbstractState::initialize):
2010         * dfg/DFGNode.cpp:
2011         (JSC::DFG::Node::hasVariableAccessData):
2012         * dfg/DFGNodeType.h:
2013         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2014         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
2015         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
2016         * dfg/DFGPredictionPropagationPhase.cpp:
2017         (JSC::DFG::PredictionPropagationPhase::propagate):
2018         * dfg/DFGPutLocalSinkingPhase.cpp:
2019         * dfg/DFGSSAConversionPhase.cpp:
2020         (JSC::DFG::SSAConversionPhase::run):
2021         * dfg/DFGSafeToExecute.h:
2022         (JSC::DFG::safeToExecute):
2023         * dfg/DFGSpeculativeJIT32_64.cpp:
2024         (JSC::DFG::SpeculativeJIT::compile):
2025         * dfg/DFGSpeculativeJIT64.cpp:
2026         (JSC::DFG::SpeculativeJIT::compile):
2027         * ftl/FTLCapabilities.cpp:
2028         (JSC::FTL::canCompile):
2029         * ftl/FTLLowerDFGToLLVM.cpp:
2030         (JSC::FTL::LowerDFGToLLVM::lower):
2031         (JSC::FTL::LowerDFGToLLVM::compileNode):
2032         (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
2033         (JSC::FTL::LowerDFGToLLVM::compileGetArgument): Deleted.
2034         * tests/stress/dead-speculating-argument-use.js: Added.
2035         (foo):
2036         (o.valueOf):
2037
2038 2015-02-15  Filip Pizlo  <fpizlo@apple.com>
2039
2040         Rare case profiling should actually work
2041         https://bugs.webkit.org/show_bug.cgi?id=141632
2042
2043         Reviewed by Michael Saboff.
2044         
2045         This simple adjustment appears to be a 2% speed-up on Octane. Over time, the slow case
2046         heuristic has essentially stopped working because the typical execution count threshold for a
2047         bytecode instruction is around 66 while the slow case threshold is 100: virtually
2048         guaranteeing that the DFG will never think that a bytecode instruction has taken the slow
2049         case even if it took it every single time. So, this changes the slow case threshold to 20.
2050         
2051         I checked if we could lower this down further, like to 10. That is worse than 20, and about
2052         as bad as 100.
2053
2054         * runtime/Options.h:
2055
2056 2015-02-15  Brian J. Burg  <burg@cs.washington.edu>
2057
2058         Web Inspector: remove unused XHR replay code
2059         https://bugs.webkit.org/show_bug.cgi?id=141622
2060
2061         Reviewed by Timothy Hatcher.
2062
2063         * inspector/protocol/Network.json: remove XHR replay methods.
2064
2065 2015-02-15  David Kilzer  <ddkilzer@apple.com>
2066
2067         REGRESSION (r180082): WebCore Debug builds fail on Mavericks due to weak export symbols
2068         <http://webkit.org/b/141607>
2069
2070         More work towards fixing the Mavericks Debug build.
2071
2072         * inspector/ScriptDebugServer.h:
2073         (Inspector::ScriptDebugServer::Task):
2074         * inspector/agents/InspectorDebuggerAgent.h:
2075         (Inspector::InspectorDebuggerAgent::Listener):
2076         - Remove subclass exports. They did not help.
2077
2078         * runtime/JSCJSValue.h:
2079         (JSC::JSValue::toFloat): Do not mark inline method for export.
2080
2081 2015-02-09  Brian J. Burg  <burg@cs.washington.edu>
2082
2083         Web Inspector: remove some unnecessary Inspector prefixes from class names in Inspector namespace
2084         https://bugs.webkit.org/show_bug.cgi?id=141372
2085
2086         Reviewed by Joseph Pecoraro.
2087
2088         * inspector/ConsoleMessage.cpp:
2089         (Inspector::ConsoleMessage::addToFrontend):
2090         (Inspector::ConsoleMessage::updateRepeatCountInConsole):
2091         * inspector/ConsoleMessage.h:
2092         * inspector/InspectorAgentBase.h:
2093         * inspector/InspectorAgentRegistry.cpp:
2094         (Inspector::AgentRegistry::AgentRegistry):
2095         (Inspector::AgentRegistry::append):
2096         (Inspector::AgentRegistry::appendExtraAgent):
2097         (Inspector::AgentRegistry::didCreateFrontendAndBackend):
2098         (Inspector::AgentRegistry::willDestroyFrontendAndBackend):
2099         (Inspector::AgentRegistry::discardAgents):
2100         (Inspector::InspectorAgentRegistry::InspectorAgentRegistry): Deleted.
2101         (Inspector::InspectorAgentRegistry::append): Deleted.
2102         (Inspector::InspectorAgentRegistry::appendExtraAgent): Deleted.
2103         (Inspector::InspectorAgentRegistry::didCreateFrontendAndBackend): Deleted.
2104         (Inspector::InspectorAgentRegistry::willDestroyFrontendAndBackend): Deleted.
2105         (Inspector::InspectorAgentRegistry::discardAgents): Deleted.
2106         * inspector/InspectorAgentRegistry.h:
2107         * inspector/InspectorBackendDispatcher.cpp:
2108         (Inspector::BackendDispatcher::CallbackBase::CallbackBase):
2109         (Inspector::BackendDispatcher::CallbackBase::isActive):
2110         (Inspector::BackendDispatcher::CallbackBase::sendFailure):
2111         (Inspector::BackendDispatcher::CallbackBase::sendIfActive):
2112         (Inspector::BackendDispatcher::create):
2113         (Inspector::BackendDispatcher::registerDispatcherForDomain):
2114         (Inspector::BackendDispatcher::dispatch):
2115         (Inspector::BackendDispatcher::sendResponse):
2116         (Inspector::BackendDispatcher::reportProtocolError):
2117         (Inspector::BackendDispatcher::getInteger):
2118         (Inspector::BackendDispatcher::getDouble):
2119         (Inspector::BackendDispatcher::getString):
2120         (Inspector::BackendDispatcher::getBoolean):
2121         (Inspector::BackendDispatcher::getObject):
2122         (Inspector::BackendDispatcher::getArray):
2123         (Inspector::BackendDispatcher::getValue):
2124         (Inspector::InspectorBackendDispatcher::CallbackBase::CallbackBase): Deleted.
2125         (Inspector::InspectorBackendDispatcher::CallbackBase::isActive): Deleted.
2126         (Inspector::InspectorBackendDispatcher::CallbackBase::sendFailure): Deleted.
2127         (Inspector::InspectorBackendDispatcher::CallbackBase::sendIfActive): Deleted.
2128         (Inspector::InspectorBackendDispatcher::create): Deleted.
2129         (Inspector::InspectorBackendDispatcher::registerDispatcherForDomain): Deleted.
2130         (Inspector::InspectorBackendDispatcher::dispatch): Deleted.
2131         (Inspector::InspectorBackendDispatcher::sendResponse): Deleted.
2132         (Inspector::InspectorBackendDispatcher::reportProtocolError): Deleted.
2133         (Inspector::InspectorBackendDispatcher::getInteger): Deleted.
2134         (Inspector::InspectorBackendDispatcher::getDouble): Deleted.
2135         (Inspector::InspectorBackendDispatcher::getString): Deleted.
2136         (Inspector::InspectorBackendDispatcher::getBoolean): Deleted.
2137         (Inspector::InspectorBackendDispatcher::getObject): Deleted.
2138         (Inspector::InspectorBackendDispatcher::getArray): Deleted.
2139         (Inspector::InspectorBackendDispatcher::getValue): Deleted.
2140         * inspector/InspectorBackendDispatcher.h:
2141         (Inspector::SupplementalBackendDispatcher::SupplementalBackendDispatcher):
2142         (Inspector::SupplementalBackendDispatcher::~SupplementalBackendDispatcher):
2143         (Inspector::InspectorSupplementalBackendDispatcher::InspectorSupplementalBackendDispatcher): Deleted.
2144         (Inspector::InspectorSupplementalBackendDispatcher::~InspectorSupplementalBackendDispatcher): Deleted.
2145         * inspector/InspectorFrontendChannel.h:
2146         (Inspector::FrontendChannel::~FrontendChannel):
2147         (Inspector::InspectorFrontendChannel::~InspectorFrontendChannel): Deleted.
2148         * inspector/JSGlobalObjectInspectorController.cpp:
2149         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2150         (Inspector::JSGlobalObjectInspectorController::globalObjectDestroyed):
2151         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
2152         (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
2153         (Inspector::JSGlobalObjectInspectorController::dispatchMessageFromFrontend):
2154         (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
2155         * inspector/JSGlobalObjectInspectorController.h:
2156         * inspector/agents/InspectorAgent.cpp:
2157         (Inspector::InspectorAgent::didCreateFrontendAndBackend):
2158         (Inspector::InspectorAgent::willDestroyFrontendAndBackend):
2159         * inspector/agents/InspectorAgent.h:
2160         * inspector/agents/InspectorConsoleAgent.cpp:
2161         (Inspector::InspectorConsoleAgent::didCreateFrontendAndBackend):
2162         (Inspector::InspectorConsoleAgent::willDestroyFrontendAndBackend):
2163         * inspector/agents/InspectorConsoleAgent.h:
2164         * inspector/agents/InspectorDebuggerAgent.cpp:
2165         (Inspector::InspectorDebuggerAgent::didCreateFrontendAndBackend):
2166         (Inspector::InspectorDebuggerAgent::willDestroyFrontendAndBackend):
2167         (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
2168         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
2169         (Inspector::InspectorDebuggerAgent::pause):
2170         (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
2171         (Inspector::InspectorDebuggerAgent::didPause):
2172         (Inspector::InspectorDebuggerAgent::breakProgram):
2173         (Inspector::InspectorDebuggerAgent::clearBreakDetails):
2174         * inspector/agents/InspectorDebuggerAgent.h:
2175         * inspector/agents/InspectorRuntimeAgent.cpp:
2176         (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
2177         * inspector/agents/InspectorRuntimeAgent.h:
2178         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
2179         (Inspector::JSGlobalObjectRuntimeAgent::didCreateFrontendAndBackend):
2180         (Inspector::JSGlobalObjectRuntimeAgent::willDestroyFrontendAndBackend):
2181         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
2182         * inspector/augmentable/AlternateDispatchableAgent.h:
2183         * inspector/augmentable/AugmentableInspectorController.h:
2184         * inspector/remote/RemoteInspectorDebuggable.h:
2185         * inspector/remote/RemoteInspectorDebuggableConnection.h:
2186         * inspector/scripts/codegen/cpp_generator.py:
2187         (CppGenerator.cpp_type_for_formal_out_parameter):
2188         (CppGenerator.cpp_type_for_stack_out_parameter):
2189         * inspector/scripts/codegen/cpp_generator_templates.py:
2190         (AlternateBackendDispatcher):
2191         (Alternate):
2192         (void):
2193         (AlternateInspectorBackendDispatcher): Deleted.
2194         (AlternateInspector): Deleted.
2195         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
2196         (CppBackendDispatcherHeaderGenerator._generate_alternate_handler_forward_declarations_for_domains.Alternate):
2197         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
2198         (CppBackendDispatcherHeaderGenerator._generate_alternate_handler_forward_declarations_for_domains.AlternateInspector): Deleted.
2199         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2200         (CppBackendDispatcherImplementationGenerator._generate_handler_class_destructor_for_domain):
2201         (CppBackendDispatcherImplementationGenerator._generate_large_dispatcher_switch_implementation_for_domain):
2202         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
2203         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2204         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
2205         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
2206         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
2207         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2208         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2209         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2210         * inspector/scripts/tests/expected/enum-values.json-result:
2211         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2212         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2213         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2214         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2215         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2216         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2217         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2218         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2219         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2220         * runtime/JSGlobalObjectDebuggable.cpp:
2221         (JSC::JSGlobalObjectDebuggable::connect):
2222         (JSC::JSGlobalObjectDebuggable::disconnect):
2223         * runtime/JSGlobalObjectDebuggable.h:
2224
2225 2015-02-14  David Kilzer  <ddkilzer@apple.com>
2226
2227         REGRESSION (r180082): WebCore Debug builds fail on Mavericks due to weak export symbols
2228         <http://webkit.org/b/141607>
2229
2230         Work towards fixing the Mavericks Debug build.
2231
2232         * inspector/ScriptDebugServer.h:
2233         (Inspector::ScriptDebugServer::Task): Export class.
2234         * inspector/agents/InspectorDebuggerAgent.h:
2235         (Inspector::InspectorDebuggerAgent::Listener): Export class.
2236         * runtime/JSGlobalObject.h:
2237         (JSC::JSGlobalObject::setConsoleClient): Do not mark inline
2238         method for export.
2239
2240 2015-02-14  Joseph Pecoraro  <pecoraro@apple.com>
2241
2242         Web Inspector: Symbol RemoteObject should not send sub-type
2243         https://bugs.webkit.org/show_bug.cgi?id=141604
2244
2245         Reviewed by Brian Burg.
2246
2247         * inspector/InjectedScriptSource.js:
2248
2249 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
2250
2251         Attempt to fix 32bits build after r180098
2252
2253         * jit/JITOperations.cpp:
2254         * jit/JITOperations.h:
2255         I copied the attribute from the MathObject version of that function when I moved
2256         it over. DFG has no version of a function call taking those attributes.
2257
2258 2015-02-13  Joseph Pecoraro  <pecoraro@apple.com>
2259
2260         JSContext Inspector: Do not stash console messages for non-debuggable JSContext
2261         https://bugs.webkit.org/show_bug.cgi?id=141589
2262
2263         Reviewed by Timothy Hatcher.
2264
2265         Consider developer extras disabled for JSContext inspection if the
2266         RemoteInspector server is not enabled (typically a non-debuggable
2267         process rejected by webinspectord) or if remote debugging on the
2268         JSContext was explicitly disabled via SPI.
2269
        When developer extras are disabled, console messages will not be stashed.
2271
2272         * inspector/JSGlobalObjectInspectorController.cpp:
2273         (Inspector::JSGlobalObjectInspectorController::developerExtrasEnabled):
2274         * inspector/JSGlobalObjectInspectorController.h:
2275
2276 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
2277
2278         Add a DFG node for the Pow Intrinsics
2279         https://bugs.webkit.org/show_bug.cgi?id=141540
2280
2281         Reviewed by Filip Pizlo.
2282
        Add a DFG Node for PowIntrinsic. This patch covers the basic cases
        needed to avoid massive regressions. I will iterate over the node to cover
        the missing types.
2286
2287         With this patch I get the following progressions on benchmarks:
2288         -LongSpider's math-partial-sums: +5%.
2289         -Kraken's imaging-darkroom: +17%
2290         -AsmBench's cray.c: +6.6%
2291         -CompressionBench: +2.2% globally.
2292
2293         * dfg/DFGAbstractInterpreterInlines.h:
2294         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2295         Cover a couple of trivial cases:
2296         -If the exponent is zero, the result is always one, regardless of the base.
2297         -If both arguments are constants, compute the result at compile time.
2298
2299         * dfg/DFGByteCodeParser.cpp:
2300         (JSC::DFG::ByteCodeParser::handleIntrinsic):
2301         * dfg/DFGClobberize.h:
2302         (JSC::DFG::clobberize):
2303         * dfg/DFGDoesGC.cpp:
2304         (JSC::DFG::doesGC):
2305
2306         * dfg/DFGFixupPhase.cpp:
2307         (JSC::DFG::FixupPhase::fixupNode):
2308         We only support 2 basic cases at this time:
2309         -Math.pow(double, int)
2310         -Math.pow(double, double).
2311
2312         I'll cover Math.pow(int, int) in a follow up.
2313
2314         * dfg/DFGNode.h:
2315         (JSC::DFG::Node::convertToArithSqrt):
2316         (JSC::DFG::Node::arithNodeFlags):
2317         * dfg/DFGNodeType.h:
2318         * dfg/DFGPredictionPropagationPhase.cpp:
2319         (JSC::DFG::PredictionPropagationPhase::propagate):
2320         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
2321         * dfg/DFGSafeToExecute.h:
2322         (JSC::DFG::safeToExecute):
2323         * dfg/DFGSpeculativeJIT.cpp:
2324         (JSC::DFG::compileArithPowIntegerFastPath):
2325         (JSC::DFG::SpeculativeJIT::compileArithPow):
2326         * dfg/DFGSpeculativeJIT.h:
2327         * dfg/DFGSpeculativeJIT32_64.cpp:
2328         (JSC::DFG::SpeculativeJIT::compile):
2329         * dfg/DFGSpeculativeJIT64.cpp:
2330         (JSC::DFG::SpeculativeJIT::compile):
2331         * dfg/DFGStrengthReductionPhase.cpp:
2332         (JSC::DFG::StrengthReductionPhase::handleNode):
2333         * dfg/DFGValidate.cpp:
2334         (JSC::DFG::Validate::validate):
2335         * ftl/FTLCapabilities.cpp:
2336         (JSC::FTL::canCompile):
2337         * ftl/FTLIntrinsicRepository.h:
2338         * ftl/FTLLowerDFGToLLVM.cpp:
2339         (JSC::FTL::LowerDFGToLLVM::compileNode):
2340         (JSC::FTL::LowerDFGToLLVM::compileArithPow):
2341         * ftl/FTLOutput.h:
2342         (JSC::FTL::Output::doublePow):
2343         (JSC::FTL::Output::doublePowi):
2344         * jit/JITOperations.cpp:
2345         * jit/JITOperations.h:
2346         * runtime/MathObject.cpp:
2347         (JSC::mathProtoFuncPow):
2348         (JSC::isDenormal): Deleted.
2349         (JSC::isEdgeCase): Deleted.
2350         (JSC::mathPow): Deleted.
2351
2352         * tests/stress/math-pow-basics.js: Added.
2353         * tests/stress/math-pow-integer-exponent-fastpath.js: Added.
2354         * tests/stress/math-pow-nan-behaviors.js: Added.
2355         * tests/stress/math-pow-with-constants.js: Added.
2356         Start some basic testing of Math.pow().
        Due to the various transforms, the values change when the code tiers up,
        so I covered this by checking for approximate values.
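
The entry above describes two things a JIT-level Math.pow has to get right: an integer-exponent fast path whose result can differ in the last bits from the runtime's pow, and the constant case where an exponent of zero yields one regardless of the base. The following is an added example, not WebKit code: a software model of such a fast path (plain exponentiation by squaring, an assumption about the shape of the fast path rather than a transcription of JSC's compileArithPowIntegerFastPath) next to the tolerance-based comparison a tier-up-sensitive test needs. All function names and the input set are this example's own.

```javascript
// Added example (not WebKit code): model of an integer-exponent fast path for
// Math.pow, plus an approximate comparison against the runtime's Math.pow.
'use strict';

// True when `n` is an exponent the modelled fast path accepts: a non-negative int32.
function isFastPathExponent(n) {
  return Number.isInteger(n) && n >= 0 && n <= 0x7fffffff;
}

// Math.pow with an integer fast path (exponentiation by squaring, an assumption
// about the fast path's shape). Any other exponent falls back to the runtime's
// Math.pow, the way a JIT would fall back to a call into the runtime.
function powWithFastPath(base, exponent) {
  if (!isFastPathExponent(exponent)) return Math.pow(base, exponent);
  // Exponent zero yields 1 for every base, NaN included (ECMAScript semantics).
  // This is the case that can be folded without looking at the base at all.
  let result = 1;
  let b = base;
  let n = exponent;
  while (n > 0) {
    if (n & 1) result *= b;
    b *= b;
    n >>>= 1;
  }
  return result;
}

// Approximate equality with a relative tolerance, for results that may differ
// in the last bits between the fast path and a libm-style pow.
function approxEqual(a, b, relTol = 1e-12) {
  if (Number.isNaN(a) || Number.isNaN(b)) return Number.isNaN(a) && Number.isNaN(b);
  if (a === b) return true; // covers infinities and exact matches
  return Math.abs(a - b) <= relTol * Math.max(Math.abs(a), Math.abs(b));
}

// Compare the fast path against Math.pow over a constructed set of inputs and
// return the cases that disagree beyond tolerance. Expected: an empty list.
function findDisagreements() {
  const cases = [[2, 10], [1.1, 7], [-1.5, 9], [0.5, 30], [NaN, 0], [3, 0],
                 [10, 22], [2, -2], [1, Infinity], [-1, Infinity], [2, 0.5]];
  return cases.filter(([b, e]) => !approxEqual(powWithFastPath(b, e), Math.pow(b, e)));
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log('disagreements:', findDisagreements());
  console.log('pow(NaN, 0) =', powWithFastPath(NaN, 0));
  console.log('pow(1, Infinity) =', powWithFastPath(1, Infinity));
}
```

Two of the constructed inputs are there for the NaN behaviours rather than for precision: ECMAScript requires Math.pow(NaN, 0) to be 1 and Math.pow(±1, ±Infinity) to be NaN, whereas C99's pow returns 1 for both, so any lowering that calls into libm for the fallback has to special-case those inputs before the call.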
2359
2360 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
2361
2362         ArithSqrt should not be conditional on supportsFloatingPointSqrt
2363         https://bugs.webkit.org/show_bug.cgi?id=141546
2364
2365         Reviewed by Geoffrey Garen and Filip Pizlo.
2366
        Just fall back to the function call in the DFG codegen.
2368
2369         * dfg/DFGByteCodeParser.cpp:
2370         (JSC::DFG::ByteCodeParser::handleIntrinsic):
2371         * dfg/DFGSpeculativeJIT.cpp:
2372         (JSC::DFG::SpeculativeJIT::compileArithSqrt):
2373         * dfg/DFGSpeculativeJIT.h:
2374         * dfg/DFGSpeculativeJIT32_64.cpp:
2375         (JSC::DFG::SpeculativeJIT::compile):
2376         * dfg/DFGSpeculativeJIT64.cpp:
2377         (JSC::DFG::SpeculativeJIT::compile):
2378         * tests/stress/math-sqrt-basics.js: Added.
2379         Basic coverage.
2380
2381         * tests/stress/math-sqrt-basics-disable-architecture-specific-optimizations.js: Added.
2382         Same tests but forcing the function call.
2383
2384 2015-02-13  Michael Saboff  <msaboff@apple.com>
2385
2386         REGRESSION(r180060) New js/regress-141098 test crashes when LLInt is disabled.
2387         https://bugs.webkit.org/show_bug.cgi?id=141577
2388
2389         Reviewed by Benjamin Poulain.
2390
2391         Changed the prologue of the baseline JIT to check for stack space for all
2392         types of code blocks.  Previously, it was only checking Function.  Now
2393         it checks Program and Eval as well.
2394
2395         * jit/JIT.cpp:
2396         (JSC::JIT::privateCompile):
2397
2398 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
2399
2400         Generate incq instead of addq when the immediate value is one
2401         https://bugs.webkit.org/show_bug.cgi?id=141548
2402
2403         Reviewed by Gavin Barraclough.
2404
        JSC emits "addq #1 (rXX)" *a lot*.
        This patch replaces that with incq, which is one byte shorter
        and is the advised form.
2408
2409         Sunspider: +0.47%
2410         Octane: +0.28%
2411         Kraken: +0.44%
2412         AsmBench, CompressionBench: neutral.
2413
2414         * assembler/MacroAssemblerX86_64.h:
2415         (JSC::MacroAssemblerX86_64::add64):
2416         * assembler/X86Assembler.h:
2417         (JSC::X86Assembler::incq_m):
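
To make the one-byte saving concrete, here is an added example (not WebKit's assembler, and not a transcription of X86Assembler::incq_m) that encodes the memory-destination form of a 64-bit add-immediate and substitutes `incq m64` when the immediate is one. The register table, helper names and operand handling are this example's own; the byte values follow the x86-64 encoding of ADD r/m64, imm8 (83 /0 ib), ADD r/m64, imm32 (81 /0 id) and INC r/m64 (FF /0).

```javascript
// Added example (not WebKit code): encoder for add64(imm, [base + offset])
// on x86-64 that emits incq when imm === 1.
'use strict';

const REG = { rax: 0, rcx: 1, rdx: 2, rbx: 3, rsp: 4, rbp: 5, rsi: 6, rdi: 7,
              r8: 8, r9: 9, r10: 10, r11: 11, r12: 12, r13: 13, r14: 14, r15: 15 };

const fitsInt8 = (v) => v >= -128 && v <= 127;

// Little-endian bytes of a 32-bit two's-complement value.
function imm32Bytes(v) {
  return [v & 0xff, (v >>> 8) & 0xff, (v >>> 16) & 0xff, (v >>> 24) & 0xff];
}

// ModRM (+ SIB, + displacement) for an r/m operand of [base + offset], with the
// ModRM reg field set to `regField` (used here as the opcode extension /0).
function memoryOperand(regField, base, offset) {
  const baseLow = base & 7;
  const needsSib = baseLow === 4;             // rsp/r12 must be addressed via SIB
  const rm = needsSib ? 4 : baseLow;
  let mod;
  let disp = [];
  if (offset === 0 && baseLow !== 5) {        // rbp/r13 cannot use mod=00 (RIP-relative)
    mod = 0;
  } else if (fitsInt8(offset)) {
    mod = 1; disp = [offset & 0xff];
  } else {
    mod = 2; disp = imm32Bytes(offset);
  }
  const modrm = (mod << 6) | (regField << 3) | rm;
  return needsSib ? [modrm, 0x24, ...disp] : [modrm, ...disp];
}

// add64(imm, [base + offset]) with the incq substitution for imm === 1.
// Caveat: INC leaves CF untouched while ADD sets it, so the substitution is
// only sound when no later instruction consumes the carry flag.
function encodeAdd64ImmToMem(imm, baseName, offset = 0) {
  const base = REG[baseName];
  const rex = 0x48 | (base >= 8 ? 0x01 : 0);  // REX.W, plus REX.B for r8..r15
  if (imm === 1) {
    return [rex, 0xff, ...memoryOperand(0, base, offset)];                     // incq m64: FF /0
  }
  if (fitsInt8(imm)) {
    return [rex, 0x83, ...memoryOperand(0, base, offset), imm & 0xff];         // add m64, imm8: 83 /0 ib
  }
  return [rex, 0x81, ...memoryOperand(0, base, offset), ...imm32Bytes(imm)];   // add m64, imm32: 81 /0 id
}

const hex = (bytes) => bytes.map((b) => b.toString(16).padStart(2, '0')).join(' ');

if (typeof module !== 'undefined' && require.main === module) {
  console.log('addq $2, (%rax):', hex(encodeAdd64ImmToMem(2, 'rax')));  // 4 bytes
  console.log('incq (%rax):    ', hex(encodeAdd64ImmToMem(1, 'rax')));  // 3 bytes
}
```

For `(%rax)` the add form is `48 83 00 01` and the inc form is `48 ff 00`, which is the one-byte difference the entry refers to; the same saving holds for every base register and displacement because only the opcode and the trailing immediate change.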
2418
2419 2015-02-13  Benjamin Poulain  <benjamin@webkit.org>
2420
2421         Little clean up of Bytecode Generator's Label
2422         https://bugs.webkit.org/show_bug.cgi?id=141557
2423
2424         Reviewed by Michael Saboff.
2425
2426         * bytecompiler/BytecodeGenerator.h:
2427         * bytecompiler/BytecodeGenerator.cpp:
2428         Label was a friend of BytecodeGenerator in order to access
2429         m_instructions. There is no need for that, BytecodeGenerator
2430         has a public getter.
2431
2432         * bytecompiler/Label.h:
2433         (JSC::Label::Label):
2434         (JSC::Label::setLocation):
2435         (JSC::BytecodeGenerator::newLabel):
2436         Make it explicit that the generator must exist.
2437
2438 2015-02-13  Michael Saboff  <msaboff@apple.com>
2439
2440         Google doc spreadsheet reproducibly crashes when sorting
2441         https://bugs.webkit.org/show_bug.cgi?id=141098
2442
2443         Reviewed by Oliver Hunt.
2444
        Moved the stack check to before the callee registers are allocated in the
        prologue() by moving it from the functionInitialization() macro.  This
2447         way we can check the stack before moving the stack pointer, avoiding a
2448         crash during a "call" instruction.  Before this change, we weren't even
2449         checking the stack for program and eval execution.
2450
2451         Made a couple of supporting changes.
2452
2453         * llint/LLIntSlowPaths.cpp:
2454         (JSC::LLInt::llint_stack_check): We can't just go up one frame as we
2455         may be processing an exception to an entry frame.
2456
2457         * llint/LowLevelInterpreter.asm:
2458
2459         * llint/LowLevelInterpreter32_64.asm:
2460         * llint/LowLevelInterpreter64.asm:
2461         (llint_throw_from_slow_path_trampoline): Changed method to get the vm
2462         from the code block to not use the codeBlock, since we may need to
2463         continue from an exception in a native function.
2464
2465 2015-02-12  Benjamin Poulain  <benjamin@webkit.org>
2466
2467         Simplify the initialization of BytecodeGenerator a bit
2468         https://bugs.webkit.org/show_bug.cgi?id=141505
2469
2470         Reviewed by Anders Carlsson.
2471
2472         * bytecompiler/BytecodeGenerator.cpp:
2473         (JSC::BytecodeGenerator::BytecodeGenerator):
2474         * bytecompiler/BytecodeGenerator.h:
        Set up the default initialization at the declaration level
2476         instead of the constructor.
2477
2478         Also made m_scopeNode and m_codeType const to make it explicit
2479         that they are invariant after construction.
2480
2481         * parser/Nodes.cpp:
2482         * runtime/Executable.cpp:
2483         Remove 2 useless #includes.
2484
2485 2015-02-12  Benjamin Poulain  <benjamin@webkit.org>
2486
2487         Move the generators for GetScope and SkipScope to the common core in DFGSpeculativeJIT
2488         https://bugs.webkit.org/show_bug.cgi?id=141506
2489
2490         Reviewed by Michael Saboff.
2491
        The generators for the nodes GetScope and SkipScope were
        completely identical between 32 and 64 bits.
2494
2495         This patch moves the duplicated code to DFGSpeculativeJIT.
2496
2497         * dfg/DFGSpeculativeJIT.cpp:
2498         (JSC::DFG::SpeculativeJIT::compileGetScope):
2499         (JSC::DFG::SpeculativeJIT::compileSkipScope):
2500         * dfg/DFGSpeculativeJIT.h:
2501         * dfg/DFGSpeculativeJIT32_64.cpp:
2502         (JSC::DFG::SpeculativeJIT::compile):
2503         * dfg/DFGSpeculativeJIT64.cpp:
2504         (JSC::DFG::SpeculativeJIT::compile):
2505
2506 2015-02-11  Brent Fulgham  <bfulgham@apple.com>
2507
2508         [Win] [64-bit] Work around MSVC2013 Runtime Bug
2509         https://bugs.webkit.org/show_bug.cgi?id=141498
2510         <rdar://problem/19803642>
2511
2512         Reviewed by Anders Carlsson.
2513
2514         Disable FMA3 instruction use in the MSVC math library to
2515         work around a VS2013 runtime crash. We can remove this
2516         workaround when we switch to VS2015.
2517
2518         * API/tests/testapi.c: Call _set_FMA3_enable(0) to disable
2519         FMA3 support.
2520         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add new files.
2521         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
2522         * JavaScriptCore.vcxproj/JavaScriptCoreDLL.cpp: Added.
2523         * JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp: Call _set_FMA3_enable(0)
2524         to disable FMA3 support.
2525         * jsc.cpp: Ditto.
2526         * testRegExp.cpp: Ditto.
2527
2528 2015-02-11  Filip Pizlo  <fpizlo@apple.com>
2529
2530         The callee frame helpers in DFG::SpeculativeJIT should be available to other JITs
2531         https://bugs.webkit.org/show_bug.cgi?id=141493
2532
2533         Reviewed by Michael Saboff.
2534
2535         * dfg/DFGSpeculativeJIT.h:
2536         (JSC::DFG::SpeculativeJIT::calleeFrameSlot): Deleted.
2537         (JSC::DFG::SpeculativeJIT::calleeArgumentSlot): Deleted.
2538         (JSC::DFG::SpeculativeJIT::calleeFrameTagSlot): Deleted.
2539         (JSC::DFG::SpeculativeJIT::calleeFramePayloadSlot): Deleted.
2540         (JSC::DFG::SpeculativeJIT::calleeArgumentTagSlot): Deleted.
2541         (JSC::DFG::SpeculativeJIT::calleeArgumentPayloadSlot): Deleted.
2542         (JSC::DFG::SpeculativeJIT::calleeFrameCallerFrame): Deleted.
2543         * dfg/DFGSpeculativeJIT32_64.cpp:
2544         (JSC::DFG::SpeculativeJIT::emitCall):
2545         * dfg/DFGSpeculativeJIT64.cpp:
2546         (JSC::DFG::SpeculativeJIT::emitCall):
2547         * jit/AssemblyHelpers.h:
2548         (JSC::AssemblyHelpers::calleeFrameSlot):
2549         (JSC::AssemblyHelpers::calleeArgumentSlot):
2550         (JSC::AssemblyHelpers::calleeFrameTagSlot):
2551         (JSC::AssemblyHelpers::calleeFramePayloadSlot):
2552         (JSC::AssemblyHelpers::calleeArgumentTagSlot):
2553         (JSC::AssemblyHelpers::calleeArgumentPayloadSlot):
2554         (JSC::AssemblyHelpers::calleeFrameCallerFrame):
2555
2556 2015-02-11  Filip Pizlo  <fpizlo@apple.com>
2557
2558         SetupVarargsFrame should not assume that an inline stack frame would have identical layout to a normal stack frame
2559         https://bugs.webkit.org/show_bug.cgi?id=141485
2560
2561         Reviewed by Oliver Hunt.
2562         
2563         The inlineStackOffset argument was meant to make it easy for the DFG to use this helper for
2564         vararg calls from inlined code, but that doesn't work since the DFG inline call frame
2565         doesn't actually put the argument count at the JSStack::ArgumentCount offset. In fact there
2566         is really no such thing as an inlineStackOffset except when we OSR exit; while the code is
2567         running the stack layout is compacted so that the stackOffset is not meaningful.
2568
2569         * jit/JITCall.cpp:
2570         (JSC::JIT::compileSetupVarargsFrame):
2571         * jit/JITCall32_64.cpp:
2572         (JSC::JIT::compileSetupVarargsFrame):
2573         * jit/SetupVarargsFrame.cpp:
2574         (JSC::emitSetupVarargsFrameFastCase):
2575         * jit/SetupVarargsFrame.h:
2576
2577 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
2578
2579         Split FTL::JSCall into the part that knows about call inline caching and the part that interacts with LLVM patchpoints
2580         https://bugs.webkit.org/show_bug.cgi?id=141455
2581
2582         Reviewed by Mark Lam.
2583         
2584         The newly introduced FTL::JSCallBase can be used to build other things, like the FTL portion
2585         of https://bugs.webkit.org/show_bug.cgi?id=141332.
2586
2587         * CMakeLists.txt:
2588         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2589         * JavaScriptCore.xcodeproj/project.pbxproj:
2590         * bytecode/CallLinkInfo.h:
2591         (JSC::CallLinkInfo::specializationKindFor):
2592         (JSC::CallLinkInfo::specializationKind):
2593         * ftl/FTLJSCall.cpp:
2594         (JSC::FTL::JSCall::JSCall):
2595         (JSC::FTL::JSCall::emit): Deleted.
2596         (JSC::FTL::JSCall::link): Deleted.
2597         * ftl/FTLJSCall.h:
2598         * ftl/FTLJSCallBase.cpp: Added.
2599         (JSC::FTL::JSCallBase::JSCallBase):
2600         (JSC::FTL::JSCallBase::emit):
2601         (JSC::FTL::JSCallBase::link):
2602         * ftl/FTLJSCallBase.h: Added.
2603
2604 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
2605
2606         Unreviewed, fix build.
2607
2608         * jit/CCallHelpers.h:
2609         (JSC::CCallHelpers::setupArgumentsWithExecState):
2610
2611 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
2612
2613         op_call_varargs should only load the length once
2614         https://bugs.webkit.org/show_bug.cgi?id=141440
2615         rdar://problem/19761683
2616
2617         Reviewed by Michael Saboff.
2618         
2619         Refactors the pair of calls that set up the varargs frame so that the first call returns the
2620         length, and the second call uses the length returned by the first one. It turns out that this
2621         gave me an opportunity to shorten a lot of the code.
2622
2623         * interpreter/Interpreter.cpp:
2624         (JSC::sizeFrameForVarargs):
2625         (JSC::loadVarargs):
2626         (JSC::setupVarargsFrame):
2627         (JSC::setupVarargsFrameAndSetThis):
2628         * interpreter/Interpreter.h:
2629         (JSC::calleeFrameForVarargs):
2630         * jit/CCallHelpers.h:
2631         (JSC::CCallHelpers::setupArgumentsWithExecState):
2632         * jit/JIT.h:
2633         * jit/JITCall.cpp:
2634         (JSC::JIT::compileSetupVarargsFrame):
2635         * jit/JITCall32_64.cpp:
2636         (JSC::JIT::compileSetupVarargsFrame):
2637         * jit/JITInlines.h:
2638         (JSC::JIT::callOperation):
2639         * jit/JITOperations.cpp:
2640         * jit/JITOperations.h:
2641         * jit/SetupVarargsFrame.cpp:
2642         (JSC::emitSetVarargsFrame):
2643         (JSC::emitSetupVarargsFrameFastCase):
2644         * jit/SetupVarargsFrame.h:
2645         * llint/LLIntSlowPaths.cpp:
2646         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2647         * runtime/Arguments.cpp:
2648         (JSC::Arguments::copyToArguments):
2649         * runtime/Arguments.h:
2650         * runtime/JSArray.cpp:
2651         (JSC::JSArray::copyToArguments):
2652         * runtime/JSArray.h:
2653         * runtime/VM.h:
2654         * tests/stress/call-varargs-length-effects.js: Added.
2655         (foo):
2656         (bar):
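
The observable contract behind the entry above is that a varargs call sizes the callee frame and copies the arguments from a single read of `length`; an array-like whose `length` getter has side effects, or answers differently on each read, must not be able to make the two steps disagree. The following is an added example, not the stress test from the patch, that checks that contract through Function.prototype.apply with a constructed array-like whose getter counts its reads and optionally shrinks its answer on every read. The helper names are this example's own.

```javascript
// Added example (not WebKit code): count how many times a varargs call reads
// `length`, and how many arguments the callee receives when the getter lies.
'use strict';

// Constructed test input: an array-like whose `length` getter counts reads and,
// when `shrinking` is set, reports one less element on every subsequent read.
function makeArrayLike(values, shrinking) {
  let reads = 0;
  let reported = values.length;
  const obj = {};
  values.forEach((v, i) => { obj[i] = v; });
  Object.defineProperty(obj, 'length', {
    get() {
      reads += 1;
      const current = reported;
      if (shrinking && reported > 0) reported -= 1;
      return current;
    },
  });
  return { obj, reads: () => reads };
}

// Callee that reports how many arguments it was actually given.
function countArgs() {
  return arguments.length;
}

// Perform a varargs call through Function.prototype.apply and report both the
// argument count seen by the callee and the number of `length` reads.
function applyVarargs(values, shrinking) {
  const { obj, reads } = makeArrayLike(values, shrinking);
  const argc = countArgs.apply(null, obj);
  return { argc, lengthReads: reads() };
}

// A shrinking getter still yields argc === 3 and a single read: the frame is
// sized and filled from one length value, so the getter cannot make the copy
// step see a different count than the sizing step did.
if (typeof module !== 'undefined' && require.main === module) {
  console.log(applyVarargs([1, 2, 3], false));
  console.log(applyVarargs([1, 2, 3], true));
}
```

Both runs report one read and three arguments, which is what the ECMAScript CreateListFromArrayLike step requires (one Get of "length", then one Get per index). Reading the length twice, once to size the frame and once to copy, is exactly the pattern where a getter that changes its answer between the two reads lets the copy step run past the space that was reserved, so a test of this shape is worth keeping next to any varargs fast path.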
2657
2658 2015-02-10  Michael Saboff  <msaboff@apple.com>
2659
2660         Crash in JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq
2661         https://bugs.webkit.org/show_bug.cgi?id=139398
2662
2663         Reviewed by Filip Pizlo.
2664
2665         Due to CFA analysis, the CompareStrictEq node was determined to be unreachable, but later
2666         was determined to be reachable.  When we go to lower to LLVM, the edges for the CompareStrictEq
2667         node are UntypedUse which we can't compile.  Fixed this by checking that the IR before
2668         lowering can still be handled by the FTL.
2669
2670         Had to add GetArgument as a node that the FTL can compile as the SSA conversion phase converts
2671         a SetArgument to a GetArgument.  Before this change FTL::canCompile() would never see a GetArgument
2672         node.  With the check right before lowering, we see this node.
2673
2674         * dfg/DFGPlan.cpp:
2675         (JSC::DFG::Plan::compileInThreadImpl): Added a final FTL::canCompile() check before lowering
2676         to verify that after all the transformations we still have valid IR for the FTL.
2677         * ftl/FTLCapabilities.cpp:
2678         (JSC::FTL::canCompile): Added GetArgument as a node the FTL can compile.
2679
2680 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
2681
2682         Remove unused DFG::SpeculativeJIT::calleeFrameOffset().
2683
2684         Rubber stamped by Michael Saboff.
2685         
2686         Not only was this not used, I believe that the math was wrong. The callee frame doesn't
2687         actually land past m_nextMachineLocal; instead it lands just below wherever we put SP and
2688         that decision is made elsewhere. Also, it makes no sense to subtract 1 from
2689         m_nextMachineLocal when trying to deduce the number of in-use stack slots.
2690
2691         * dfg/DFGSpeculativeJIT.h:
2692         (JSC::DFG::SpeculativeJIT::calleeFrameOffset): Deleted.
2693
2694 2015-02-10  Saam Barati  <saambarati1@gmail.com>
2695
2696         Parser::parseVarDeclarationList gets the wrong JSToken for the last identifier
2697         https://bugs.webkit.org/show_bug.cgi?id=141272
2698
2699         Reviewed by Oliver Hunt.
2700
2701         This patch fixes a bug where the wrong text location would be 
2702         assigned to a variable declaration inside a ForIn/ForOf loop. 
2703         It also fixes a bug in the type profiler where the type profiler 
2704         emits the wrong text offset for a ForIn loop's variable declarator 
2705         when it's not a pattern node.
2706
2707         * bytecompiler/NodesCodegen.cpp:
2708         (JSC::ForInNode::emitLoopHeader):
2709         * parser/Parser.cpp:
2710         (JSC::Parser<LexerType>::parseVarDeclarationList):
2711         * tests/typeProfiler/loop.js:
2712         (testForIn):
2713         (testForOf):
2714
2715 2015-02-09  Saam Barati  <saambarati1@gmail.com>
2716
2717         JSC's Type Profiler doesn't profile the type of the looping variable in ForOf/ForIn loops
2718         https://bugs.webkit.org/show_bug.cgi?id=141241
2719
2720         Reviewed by Filip Pizlo.
2721
2722         Type information is now recorded for ForIn and ForOf statements. 
2723         It was an oversight to not have these statements profiled before.
2724
2725         * bytecompiler/NodesCodegen.cpp:
2726         (JSC::ForInNode::emitLoopHeader):
2727         (JSC::ForOfNode::emitBytecode):
2728         * tests/typeProfiler/loop.js: Added.
2729         (testForIn):
2730         (testForOf):
2731
2732 2015-02-09  Filip Pizlo  <fpizlo@apple.com>
2733
2734         DFG::StackLayoutPhase should always set the scopeRegister to VirtualRegister() because the DFG doesn't do anything to make its value valid
2735         https://bugs.webkit.org/show_bug.cgi?id=141412
2736
2737         Reviewed by Michael Saboff.
2738         
2739         StackLayoutPhase was attempting to ensure that the register that
2740         CodeBlock::scopeRegister() points to is the right one for the DFG. But the DFG did nothing
2741         else to maintain the validity of the scopeRegister(). It wasn't captured as far as I can
2742         tell. StackLayoutPhase didn't explicitly mark it live. PreciseLocalClobberize didn't mark
2743         it as being live. So, by the time we got here the register referred to by
2744         CodeBlock::scopeRegister() would have been junk. Moreover, CodeBlock::scopeRegister() was
2745         not used for DFG code blocks, and was hardly ever used outside of bytecode generation.
2746         
2747         So, this patch just removes the code to manipulate this field and replaces it with an
2748         unconditional setScopeRegister(VirtualRegister()). Setting it to the invalid register
2749         ensures that any attempts to read the scopeRegister in a DFG or FTL frame immediately
2750         punts.
2751
2752         * dfg/DFGStackLayoutPhase.cpp:
2753         (JSC::DFG::StackLayoutPhase::run):
2754
2755 2015-02-09  Filip Pizlo  <fpizlo@apple.com>
2756
2757         Varargs frame set-up should be factored out for use by other JITs
2758         https://bugs.webkit.org/show_bug.cgi?id=141388
2759
2760         Reviewed by Michael Saboff.
2761         
2762         Previously the code that dealt with varargs always assumed that we were setting up a varargs call
2763         frame by literally following the execution semantics of op_call_varargs. This isn't how it'll
2764         happen once the DFG and FTL do varargs calls, or when varargs calls get inlined. The DFG and FTL
2765         don't literally execute bytecode; for example their stack frame layout has absolutely nothing in
2766         common with what the bytecode says, and that will never change.
2767         
2768         This patch makes two changes:
2769         
2770         Setting up the varargs callee frame can be done in smaller steps: particularly in the case of a
2771         varargs call that gets inlined, we aren't going to actually want to set up a callee frame in
2772         full - we just want to put the arguments somewhere, and that place will not have much (if
2773         anything) in common with the call frame format. This patch factors that out into something called
2774         a loadVarargs. The thing we used to call loadVarargs is now called setupVarargsFrame. This patch
2775         also separates loading varargs from setting this, since the fact that those two things are done
2776         together is a detail made explicit in bytecode but it's not at all required in the higher-tier
2777         engines. In the process of factoring this code out, I found a bunch of off-by-one errors in the
2778         various calculations. I fixed them. The distance from the caller's frame pointer to the callee
2779         frame pointer is always:
2780         
2781             numUsedCallerSlots + argCount + 1 + CallFrameSize
2782         
2783         where numUsedCallerSlots is toLocal(firstFreeRegister) - 1, which simplifies down to just
2784         -firstFreeRegister. The code now speaks of numUsedCallerSlots rather than firstFreeRegister,
2785         since the latter is a bytecode peculiarity that doesn't apply in the DFG or FTL. In the DFG, the
2786         internally-computed frame size, minus the parameter slots, will be used for numUsedCallerSlots.
2787         In the FTL, we will essentially compute numUsedCallerSlots dynamically by subtracting SP from FP.
2788         Eventually, LLVM might give us some cleaner way of doing this, but it probably doesn't matter
2789         very much.
2790         
2791         The arguments forwarding optimization is factored out of the Baseline JIT: the DFG and FTL will
2792         want to do this optimization as well, but it involves quite a bit of code. So, this code is now
2793         factored out into SetupVarargsFrame.h|cpp, so that other JITs can use it. In the process of factoring
2794         this code out I noticed that the 32-bit and 64-bit code is nearly identical, so I combined them.
2795
2796         * CMakeLists.txt:
2797         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2798         * JavaScriptCore.xcodeproj/project.pbxproj:
2799         * bytecode/CodeBlock.h:
2800         (JSC::ExecState::r):
2801         (JSC::ExecState::uncheckedR):
2802         * bytecode/VirtualRegister.h:
2803         (JSC::VirtualRegister::operator+):
2804         (JSC::VirtualRegister::operator-):
2805         (JSC::VirtualRegister::operator+=):
2806         (JSC::VirtualRegister::operator-=):
2807         * interpreter/CallFrame.h:
2808         * interpreter/Interpreter.cpp:
2809         (JSC::sizeFrameForVarargs):
2810         (JSC::loadVarargs):
2811         (JSC::setupVarargsFrame):
2812         (JSC::setupVarargsFrameAndSetThis):
2813         * interpreter/Interpreter.h:
2814         * jit/AssemblyHelpers.h:
2815         (JSC::AssemblyHelpers::emitGetFromCallFrameHeaderPtr):
2816         (JSC::AssemblyHelpers::emitGetFromCallFrameHeader32):
2817         (JSC::AssemblyHelpers::emitGetFromCallFrameHeader64):
2818         * jit/JIT.h:
2819         * jit/JITCall.cpp:
2820         (JSC::JIT::compileSetupVarargsFrame):
2821         * jit/JITCall32_64.cpp:
2822         (JSC::JIT::compileSetupVarargsFrame):
2823         * jit/JITInlines.h:
2824         (JSC::JIT::callOperation):
2825         (JSC::JIT::emitGetFromCallFrameHeaderPtr): Deleted.
2826         (JSC::JIT::emitGetFromCallFrameHeader32): Deleted.
2827         (JSC::JIT::emitGetFromCallFrameHeader64): Deleted.
2828         * jit/JITOperations.cpp:
2829         * jit/JITOperations.h:
2830         * jit/SetupVarargsFrame.cpp: Added.
2831         (JSC::emitSetupVarargsFrameFastCase):
2832         * jit/SetupVarargsFrame.h: Added.
2833         * llint/LLIntSlowPaths.cpp:
2834         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2835         * runtime/Arguments.cpp:
2836         (JSC::Arguments::copyToArguments):
2837         * runtime/Arguments.h:
2838         * runtime/JSArray.cpp:
2839         (JSC::JSArray::copyToArguments):
2840         * runtime/JSArray.h:
2841
2842 2015-02-09  Filip Pizlo  <fpizlo@apple.com>
2843
2844         DFG call codegen should resolve the callee operand as late as possible
2845         https://bugs.webkit.org/show_bug.cgi?id=141398
2846
2847         Reviewed by Mark Lam.
2848         
2849         This is mostly a benign restructuring to help with the implementation of
2850         https://bugs.webkit.org/show_bug.cgi?id=141332.
2851
2852         * dfg/DFGSpeculativeJIT32_64.cpp:
2853         (JSC::DFG::SpeculativeJIT::emitCall):
2854         * dfg/DFGSpeculativeJIT64.cpp:
2855         (JSC::DFG::SpeculativeJIT::emitCall):
2856
2857 2015-02-08  Filip Pizlo  <fpizlo@apple.com>
2858
2859         DFG should only have two mechanisms for describing effectfulness of nodes; previously there were three
2860         https://bugs.webkit.org/show_bug.cgi?id=141369
2861
2862         Reviewed by Michael Saboff.
2863
2864         We previously used the NodeMightClobber and NodeClobbersWorld NodeFlags to describe
2865         effectfulness.  Starting over a year ago, we introduced a more powerful mechanism - the
2866         DFG::clobberize() function.  Now we only have one remaining client of the old NodeFlags,
2867         and everyone else uses DFG::clobberize().  We should get rid of those NodeFlags and
2868         finally switch everyone over to DFG::clobberize().
2869         
2870         Unfortunately there is still another place where effectfulness of nodes is described: the
2871         AbstractInterpreter. This is because the AbstractInterpreter has special tuning both for
2872         compile time performance and there are places where the AI is more precise than
2873         clobberize() because of its flow-sensitivity.
2874         
2875         This means that after this change there will be only two places, rather than three, where
2876         the effectfulness of a node has to be described:
2877
2878         - DFG::clobberize()
2879         - DFG::AbstractInterpreter
2880
2881         * dfg/DFGClobberize.cpp:
2882         (JSC::DFG::clobbersWorld):
2883         * dfg/DFGClobberize.h:
2884         * dfg/DFGDoesGC.cpp:
2885         (JSC::DFG::doesGC):
2886         * dfg/DFGFixupPhase.cpp:
2887         (JSC::DFG::FixupPhase::fixupNode):
2888         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
2889         (JSC::DFG::FixupPhase::convertToGetArrayLength):
2890         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
2891         * dfg/DFGGraph.h:
2892         (JSC::DFG::Graph::isPredictedNumerical): Deleted.
2893         (JSC::DFG::Graph::byValIsPure): Deleted.
2894         (JSC::DFG::Graph::clobbersWorld): Deleted.
2895         * dfg/DFGNode.h:
2896         (JSC::DFG::Node::convertToConstant):
2897         (JSC::DFG::Node::convertToGetLocalUnlinked):
2898         (JSC::DFG::Node::convertToGetByOffset):
2899         (JSC::DFG::Node::convertToMultiGetByOffset):
2900         (JSC::DFG::Node::convertToPutByOffset):
2901         (JSC::DFG::Node::convertToMultiPutByOffset):
2902         * dfg/DFGNodeFlags.cpp:
2903         (JSC::DFG::dumpNodeFlags):
2904         * dfg/DFGNodeFlags.h:
2905         * dfg/DFGNodeType.h:
2906
2907 2015-02-09  Csaba Osztrogonác  <ossy@webkit.org>
2908
2909         Fix the !ENABLE(DFG_JIT) build
2910         https://bugs.webkit.org/show_bug.cgi?id=141387
2911
2912         Reviewed by Darin Adler.
2913
2914         * jit/Repatch.cpp:
2915
2916 2015-02-08  Benjamin Poulain  <benjamin@webkit.org>
2917
2918         Remove a few duplicate propagation steps from the DFG's PredictionPropagation phase
2919         https://bugs.webkit.org/show_bug.cgi?id=141363
2920
2921         Reviewed by Darin Adler.
2922
2923         * dfg/DFGPredictionPropagationPhase.cpp:
2924         (JSC::DFG::PredictionPropagationPhase::propagate):
2925         Some blocks were duplicated; they probably evolved separately
2926         to the same state.
2927
2928 2015-02-08  Benjamin Poulain  <benjamin@webkit.org>
2929
2930         Remove useless declarations and a stale comment from DFGByteCodeParser.h
2931         https://bugs.webkit.org/show_bug.cgi?id=141361
2932
2933         Reviewed by Darin Adler.
2934
2935         The comment refers to the original form of the ByteCodeParser:
2936             parse(Graph&, JSGlobalData*, CodeBlock*, unsigned startIndex);
2937
2938         That form is long dead; the comment is more misleading than anything.
2939
2940         * dfg/DFGByteCodeParser.cpp:
2941         * dfg/DFGByteCodeParser.h:
2942
2943 2015-02-08  Benjamin Poulain  <benjamin@webkit.org>
2944
2945         Encapsulate DFG::Plan's beforeFTL timestamp
2946         https://bugs.webkit.org/show_bug.cgi?id=141360
2947
2948         Reviewed by Darin Adler.
2949
2950         Make the attribute private; it is an internal state.
2951
2952         Rename beforeFTL->timeBeforeFTL for readability.
2953
2954         * dfg/DFGPlan.cpp:
2955         (JSC::DFG::Plan::compileInThread):
2956         (JSC::DFG::Plan::compileInThreadImpl):
2957         * dfg/DFGPlan.h:
2958
2959 2015-02-08  Benjamin Poulain  <bpoulain@apple.com>
2960
2961         Remove DFGNode::hasArithNodeFlags()
2962         https://bugs.webkit.org/show_bug.cgi?id=141319
2963
2964         Reviewed by Michael Saboff.
2965
2966         * dfg/DFGNode.h:
2967         (JSC::DFG::Node::hasArithNodeFlags): Deleted.
2968         Unused code is unused.
2969
2970 2015-02-07  Chris Dumez  <cdumez@apple.com>
2971
2972         Add Vector::removeFirstMatching() / removeAllMatching() methods taking lambda functions
2973         https://bugs.webkit.org/show_bug.cgi?id=141321
2974
2975         Reviewed by Darin Adler.
2976
2977         Use new Vector::removeFirstMatching() / removeAllMatching() methods.
2978
2979 2015-02-06  Filip Pizlo  <fpizlo@apple.com>
2980
2981         DFG SSA shouldn't have SetArgument nodes
2982         https://bugs.webkit.org/show_bug.cgi?id=141342
2983
2984         Reviewed by Mark Lam.
2985
2986         I was wondering why we kept the SetArgument around for captured
2987         variables. It turns out we did so because we thought we had to, even
2988         though we didn't have to. The node is meaningless in SSA.
2989
2990         * dfg/DFGSSAConversionPhase.cpp:
2991         (JSC::DFG::SSAConversionPhase::run):
2992         * ftl/FTLLowerDFGToLLVM.cpp:
2993         (JSC::FTL::LowerDFGToLLVM::compileNode):
2994
2995 2015-02-06  Filip Pizlo  <fpizlo@apple.com>
2996
2997         It should be possible to use the DFG SetArgument node to indicate that someone set the value of a local out-of-band
2998         https://bugs.webkit.org/show_bug.cgi?id=141337
2999
3000         Reviewed by Mark Lam.
3001
3002         This mainly involved ensuring that SetArgument behaves just like SetLocal from a CPS standpoint, but with a special case for those SetArguments that
3003         are associated with the prologue.
3004
3005         * dfg/DFGCPSRethreadingPhase.cpp:
3006         (JSC::DFG::CPSRethreadingPhase::run):
3007         (JSC::DFG::CPSRethreadingPhase::canonicalizeSet):
3008         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
3009         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
3010         (JSC::DFG::CPSRethreadingPhase::canonicalizeSetLocal): Deleted.
3011         (JSC::DFG::CPSRethreadingPhase::canonicalizeSetArgument): Deleted.
3012
3013 2015-02-06  Mark Lam  <mark.lam@apple.com>
3014
3015         MachineThreads should be ref counted.
3016         <https://webkit.org/b/141317>
3017
3018         Reviewed by Filip Pizlo.
3019
3020         The VM's MachineThreads registry object is being referenced from other
3021         threads as a raw pointer.  In a scenario where the VM is destructed on
3022         the main thread, there is no guarantee that another thread isn't still
3023         holding a reference to the registry and will eventually invoke
3024         removeThread() on it on thread exit.  Hence, there's a possible use
3025         after free scenario here.
3026
3027         The fix is to make MachineThreads ThreadSafeRefCounted, and have all
3028         threads that reference it keep a RefPtr to it to ensure that it stays
3029         alive until the very last thread is done with it.
3030
3031         * API/tests/testapi.mm:
3032         (useVMFromOtherThread): - Renamed to be more descriptive.
3033         (useVMFromOtherThreadAndOutliveVM):
3034         - Added a test that has another thread which uses the VM outlive the
3035           VM to confirm that there is no crash.
3036
3037           However, I was not actually able to get the VM to crash without this
3038           patch because I wasn't always able to get the thread destructor to be
3039           called.  With this patch applied, I did verify with some logging that
3040           the MachineThreads registry is only destructed after all threads
3041           have removed themselves from it.
3042
3043         (threadMain): Deleted.
3044
3045         * heap/Heap.cpp:
3046         (JSC::Heap::Heap):
3047         (JSC::Heap::~Heap):
3048         (JSC::Heap::gatherStackRoots):
3049         * heap/Heap.h:
3050         (JSC::Heap::machineThreads):
3051         * heap/MachineStackMarker.cpp:
3052         (JSC::MachineThreads::Thread::Thread):
3053         (JSC::MachineThreads::addCurrentThread):
3054         (JSC::MachineThreads::removeCurrentThread):
3055         * heap/MachineStackMarker.h:
3056
3057 2015-02-06  Commit Queue  <commit-queue@webkit.org>
3058
3059         Unreviewed, rolling out r179743.
3060         https://bugs.webkit.org/show_bug.cgi?id=141335
3061
3062         caused missing symbols in non-WebKit clients of WTF::Vector
3063         (Requested by kling on #webkit).
3064
3065         Reverted changeset:
3066
3067         "Remove WTF::fastMallocGoodSize()."
3068         https://bugs.webkit.org/show_bug.cgi?id=141020
3069         http://trac.webkit.org/changeset/179743
3070
3071 2015-02-04  Filip Pizlo  <fpizlo@apple.com>
3072
3073         Remove BytecodeGenerator::preserveLastVar() and replace it with a more robust mechanism for preserving non-temporary registers
3074         https://bugs.webkit.org/show_bug.cgi?id=141211
3075
3076         Reviewed by Mark Lam.
3077
3078         Previously, the way non-temporary registers were preserved (i.e. not reclaimed anytime
3079         we did newTemporary()) was by calling preserveLastVar() after all non-temps are created. It
3080         would raise the refcount on the last (highest-numbered) variable created, and rely on
3081         the fact that register reclamation started at higher-numbered registers and worked its
3082         way down. So any retained register would block any lower-numbered registers from being
3083         reclaimed.
3084         
3085         Also, preserveLastVar() sets a thing called m_firstConstantIndex. It's unused.
3086         
3087         This removes preserveLastVar() and makes addVar() retain each register it creates. This
3088         is more explicit, since addVar() is the mechanism for creating non-temporary registers.
3089         
3090         To make this work I had to remove an assertion that Register::setIndex() can only be
3091         called when the refcount is zero. This method might be called after a var is created to
3092         change its index. This previously worked because preserveLastVar() would be called after
3093         we had already made all index changes, so the vars would still have refcount zero. Now
3094         they have refcount 1. I think it's OK to lose this assertion; I can't remember this
3095         assertion ever firing in a way that alerted me to a serious issue.
3096         
3097         * bytecompiler/BytecodeGenerator.cpp:
3098         (JSC::BytecodeGenerator::BytecodeGenerator):
3099         (JSC::BytecodeGenerator::preserveLastVar): Deleted.
3100         * bytecompiler/BytecodeGenerator.h:
3101         (JSC::BytecodeGenerator::addVar):
3102         * bytecompiler/RegisterID.h:
3103         (JSC::RegisterID::setIndex):
3104
3105 2015-02-06  Andreas Kling  <akling@apple.com>
3106
3107         Remove WTF::fastMallocGoodSize().
3108         <https://webkit.org/b/141020>
3109
3110         Reviewed by Anders Carlsson.
3111
3112         * assembler/AssemblerBuffer.h:
3113         (JSC::AssemblerData::AssemblerData):
3114         (JSC::AssemblerData::grow):
3115
3116 2015-02-05  Michael Saboff  <msaboff@apple.com>
3117
3118         CodeCache is not thread safe when adding the same source from two different threads
3119         https://bugs.webkit.org/show_bug.cgi?id=141275
3120
3121         Reviewed by Mark Lam.
3122
3123         The issue for this bug is that one thread takes a cache miss in CodeCache::getGlobalCodeBlock,
3124         but in the process creates a cache entry with a nullptr UnlinkedCodeBlockType* which it
3125         will fill in later in the function.  During the body of that function, it allocates
3126         objects that may garbage collect.  During that garbage collection, we drop all the locks.
3127         While the locks are released by the first thread, another thread can enter the VM and might
3128         have exactly the same source and enter CodeCache::getGlobalCodeBlock() itself.  When it
3129         looks up the code block, it sees it as a cache hit and uses the nullptr UnlinkedCodeBlockType*
3130         and crashes.  This fixes the problem by not dropping the locks during garbage collection.
3131         There are other likely scenarios where we have a data structure like this code cache in an
3132         unsafe state for arbitrary reentrance.
3133
3134         Moved the functionality of DelayedReleaseScope directly into Heap.  Changed it into
3135         a simple list that is cleared with the new function Heap::releaseDelayedReleasedObjects.
3136         Now we accumulate objects to be released and release them when all locks are dropped or
3137         when destroying the Heap.  This eliminated the dropping and reacquiring of locks associated
3138         with the old scope form of this list.
3139
3140         Given that all functionality of DelayedReleaseScope is now used and referenced by Heap
3141         and the lock management no longer needs to be done, just made the list a member of Heap.
3142         We do need to guard against the case that releasing an object can create more objects
3143         by calling into JS.  That is why releaseDelayedReleasedObjects() is written to remove
3144         an object to release so that we aren't recursively in Vector code.  The other thing we
3145         do in releaseDelayedReleasedObjects() is to guard against recursive calls to itself using
3146         the m_delayedReleaseRecursionCount.  We only release at the first entry into the function.
3147         This case is already tested by testapi.mm.
3148
3149         * heap/DelayedReleaseScope.h: Removed file
3150
3151         * API/JSAPIWrapperObject.mm:
3152         * API/ObjCCallbackFunction.mm:
3153         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3154         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3155         * JavaScriptCore.xcodeproj/project.pbxproj:
3156         * heap/IncrementalSweeper.cpp:
3157         (JSC::IncrementalSweeper::doSweep):
3158         * heap/MarkedAllocator.cpp:
3159         (JSC::MarkedAllocator::tryAllocateHelper):
3160         (JSC::MarkedAllocator::tryAllocate):
3161         * heap/MarkedBlock.cpp:
3162         (JSC::MarkedBlock::sweep):
3163         * heap/MarkedSpace.cpp:
3164         (JSC::MarkedSpace::MarkedSpace):
3165         (JSC::MarkedSpace::lastChanceToFinalize):
3166         (JSC::MarkedSpace::didFinishIterating):
3167         * heap/MarkedSpace.h:
3168         * heap/Heap.cpp:
3169         (JSC::Heap::collectAllGarbage):
3170         (JSC::Heap::zombifyDeadObjects):
3171         Removed references to DelayedReleaseScope and DelayedReleaseScope.h.
3172
3173         * heap/Heap.cpp:
3174         (JSC::Heap::Heap): Initialized m_delayedReleaseRecursionCount.
3175         (JSC::Heap::lastChanceToFinalize): Call releaseDelayedObjectsNow() as the VM is going away.
3176         (JSC::Heap::releaseDelayedReleasedObjects): New function that releases the accumulated
3177         delayed release objects.
3178
3179         * heap/Heap.h:
3180         (JSC::Heap::m_delayedReleaseObjects): List of objects to be released later.
3181         (JSC::Heap::m_delayedReleaseRecursionCount): Counter to indicate that
3182         releaseDelayedReleasedObjects is being called recursively.
3183         * heap/HeapInlines.h:
3184         (JSC::Heap::releaseSoon): Changed location of list to add delayed release objects.
3185         
3186         * runtime/JSLock.cpp:
3187         (JSC::JSLock::willReleaseLock):
3188         Call Heap::releaseDelayedObjectsNow() when releasing the lock.
3189
3190 2015-02-05  Youenn Fablet  <youenn.fablet@crf.canon.fr> and Xabier Rodriguez Calvar <calvaris@igalia.com>
3191
3192         [Streams API] Implement a barebone ReadableStream interface
3193         https://bugs.webkit.org/show_bug.cgi?id=141045
3194
3195         Reviewed by Benjamin Poulain.
3196
3197         * Configurations/FeatureDefines.xcconfig:
3198
3199 2015-02-05  Saam Barati  <saambarati1@gmail.com>
3200
3201         Crash in uninitialized deconstructing variable.
3202         https://bugs.webkit.org/show_bug.cgi?id=141070
3203
3204         Reviewed by Michael Saboff.
3205
3206         According to the ES6 spec, when a destructuring pattern occurs
3207         as the left hand side of an assignment inside a var declaration 
3208         statement, the assignment must also have a right hand side value.
3209         "var {x} = {};" is a legal syntactic statement, but,
3210         "var {x};" is a syntactic error.
3211
3212         Section 13.2.2 of the latest draft ES6 spec specifies this requirement:
3213         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-variable-statement
3214
3215         * parser/Parser.cpp:
3216         (JSC::Parser<LexerType>::parseVarDeclaration):
3217         (JSC::Parser<LexerType>::parseVarDeclarationList):
3218         (JSC::Parser<LexerType>::parseForStatement):
3219         * parser/Parser.h:
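
        The parse rule this entry describes, probed from JavaScript as an added example (not part of the
        WebKit ChangeLog or the JSC sources): a bare destructuring pattern in a var declaration is a
        SyntaxError, while the same pattern in a for-in / for-of head needs no initializer. The case
        table below is constructed for this example; run it with any ES6-capable engine such as node.

```javascript
// Added example, not JSC code: use Function() as a parse-only probe for the
// ES6 rule that a destructuring var declaration must carry an initializer.

// Returns true when `src` fails to parse with a SyntaxError, false when it
// parses. Any other error type is rethrown so unrelated failures are not hidden.
function failsToParse(src) {
  try {
    new Function(src); // compiles the body without executing it
    return false;
  } catch (e) {
    if (e instanceof SyntaxError) return true;
    throw e;
  }
}

// Constructed cases (expected value: does the source fail to parse?).
const cases = {
  "var {x} = {};": false,              // pattern with initializer: legal
  "var {x};": true,                    // pattern without initializer: SyntaxError
  "var [a, b] = [1, 2];": false,
  "var [a, b];": true,
  "var {x} = {}, {y};": true,          // every pattern in the list needs its own initializer
  "var y, {x} = {};": false,           // a plain identifier may still omit the initializer
  "for (var {x} in {x: 1}) {}": false, // for-in head: ForBinding may be a bare pattern
  "for (var [k] of [[1]]) {}": false,  // for-of head: likewise
};

// Runs every case and returns a map of source -> observed result.
function runCases() {
  const results = {};
  for (const src of Object.keys(cases)) results[src] = failsToParse(src);
  return results;
}

// Returns the sources whose observed result disagrees with the expectation.
function mismatches() {
  const observed = runCases();
  return Object.keys(cases).filter((src) => observed[src] !== cases[src]);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(mismatches().length === 0 ? "all cases as expected" : mismatches());
}
```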
3220
3221 2015-02-04  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
3222
3223         Unreviewed, fix a build break on EFL port since r179648.
3224
3225         * heap/MachineStackMarker.cpp: EFL port doesn't use previousThread variable. 
3226         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3227
3228 2015-02-04  Joseph Pecoraro  <pecoraro@apple.com>
3229
3230         Web Inspector: ES6: Improved Console Support for Symbol Objects
3231         https://bugs.webkit.org/show_bug.cgi?id=141173
3232
3233         Reviewed by Timothy Hatcher.
3234
3235         * inspector/protocol/Runtime.json:
3236         New type, "symbol".
3237
3238         * inspector/InjectedScriptSource.js:
3239         Handle Symbol objects in a few places. They don't have properties
3240         and they cannot be implicitly converted to strings.
3241
3242 2015-02-04  Mark Lam  <mark.lam@apple.com>
3243
3244         Undo gardening: Restoring the expected ERROR message since that is not the cause of the bot unhappiness.
3245
3246         Not reviewed.
3247
3248         * heap/MachineStackMarker.cpp:
3249         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3250
3251 2015-02-04  Mark Lam  <mark.lam@apple.com>
3252
3253         Gardening: Changed expected ERROR message to WARNING to make test bots happy.
3254
3255         Rubber stamped by Simon Fraser.
3256
3257         * heap/MachineStackMarker.cpp:
3258         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3259
3260 2015-02-04  Mark Lam  <mark.lam@apple.com>
3261
3262         r179576 introduced a deadlock potential during GC thread suspension.
3263         <https://webkit.org/b/141268>
3264
3265         Reviewed by Michael Saboff.
3266
3267         http://trac.webkit.org/r179576 introduced a potential for deadlocking.
3268         In the GC thread suspension loop, we currently delete
3269         MachineThreads::Thread that we detect to be invalid.  This is unsafe
3270         because we may have already suspended some threads, and one of those
3271         suspended threads may still be holding the C heap lock which we need
3272         for deleting the invalid thread.
3273
3274         The fix is to put the invalid threads in a separate toBeDeleted list,
3275         and delete them only after GC has resumed all threads.
3276
3277         * heap/MachineStackMarker.cpp:
3278         (JSC::MachineThreads::removeCurrentThread):
3279         - Undo refactoring removeThreadWithLockAlreadyAcquired() out of
3280           removeCurrentThread() since it is no longer needed.
3281
3282         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3283         - Put invalid Threads on a threadsToBeDeleted list, and delete those
3284           Threads only after all threads have been resumed.
3285
3286         (JSC::MachineThreads::removeThreadWithLockAlreadyAcquired): Deleted.
3287         * heap/MachineStackMarker.h:
3288
3289 2015-02-04  Joseph Pecoraro  <pecoraro@apple.com>
3290
3291         Web Inspector: Clean up Object Property Descriptor Collection
3292         https://bugs.webkit.org/show_bug.cgi?id=141222
3293
3294         Reviewed by Timothy Hatcher.
3295
3296         * inspector/InjectedScriptSource.js:
3297         Use a list of options when determining which properties to collect
3298         instead of a few booleans with overlapping responsibilities.
3299
3300 2015-02-04  Joseph Pecoraro  <pecoraro@apple.com>
3301
3302         Web Inspector: console.table with columnName filter for non-existent property should still show column
3303         https://bugs.webkit.org/show_bug.cgi?id=141066
3304
3305         Reviewed by Timothy Hatcher.
3306
3307         * inspector/ConsoleMessage.cpp:
3308         (Inspector::ConsoleMessage::addToFrontend):
3309         When a user provides a second argument, e.g. console.table(..., columnNames),
3310         then pass that second argument to the frontend.
3311
3312         * inspector/InjectedScriptSource.js:
3313         Add a FIXME about the old, unused path now.
3314
3315 2015-02-04  Saam Barati  <saambarati1@gmail.com>
3316
3317         TypeSet can use 1 byte instead of 4 bytes for its m_seenTypes member variable
3318         https://bugs.webkit.org/show_bug.cgi?id=141204
3319
3320         Reviewed by Darin Adler.
3321
3322         There is no need to use 32 bits to store a TypeSet::RuntimeType set 
3323         bit-vector when the largest value for a single TypeSet::RuntimeType 
3324         is 0x80. 8 bits is enough to represent the set of seen types.
3325
3326         * dfg/DFGFixupPhase.cpp:
3327         (JSC::DFG::FixupPhase::fixupNode):
3328         * runtime/TypeSet.cpp:
3329         (JSC::TypeSet::doesTypeConformTo):
3330         * runtime/TypeSet.h:
3331         (JSC::TypeSet::seenTypes):
3332
3333 2015-02-04  Mark Lam  <mark.lam@apple.com>
3334
3335         Remove concept of makeUsableFromMultipleThreads().
3336         <https://webkit.org/b/141221>
3337
3338         Reviewed by Mark Hahnenberg.
3339
3340         Currently, we rely on VM::makeUsableFromMultipleThreads() being called before we
3341         start acquiring the JSLock and entering the VM from different threads.
3342         Acquisition of the JSLock will register the acquiring thread with the VM's thread
3343         registry if not already registered.  However, it will only do this if the VM's
3344         thread specific key has been initialized by makeUsableFromMultipleThreads().
3345
3346         This is fragile, and also does not read intuitively because one would expect to
3347         acquire the JSLock before calling any methods on the VM.  This is exactly what
3348         JSGlobalContextCreateInGroup() did (i.e. acquire the lock before calling
3349         makeUsableFromMultipleThreads()), but is wrong.  The result is that the invoking
3350         thread will not have been registered with the VM during that first entry into
3351         the VM.
3352
3353         The fix is to make it so that we initialize the VM's thread specific key on
3354         construction of the VM's MachineThreads registry instead of relying on
3355         makeUsableFromMultipleThreads() being called.  With this, we can eliminate
3356         makeUsableFromMultipleThreads() altogether.
3357
3358         Performance results are neutral in aggregate.
3359
3360         * API/JSContextRef.cpp:
3361         (JSGlobalContextCreateInGroup):
3362         * heap/MachineStackMarker.cpp:
3363         (JSC::MachineThreads::MachineThreads):
3364         (JSC::MachineThreads::~MachineThreads):
3365         (JSC::MachineThreads::addCurrentThread):
3366         (JSC::MachineThreads::removeThread):
3367         (JSC::MachineThreads::gatherConservativeRoots):
3368         (JSC::MachineThreads::makeUsableFromMultipleThreads): Deleted.
3369         * heap/MachineStackMarker.h:
3370         * runtime/VM.cpp:
3371         (JSC::VM::sharedInstance):
3372         * runtime/VM.h:
3373         (JSC::VM::makeUsableFromMultipleThreads): Deleted.
3374
3375 2015-02-04  Chris Dumez  <cdumez@apple.com>
3376
3377         Add removeFirst(value) / removeAll(value) methods to WTF::Vector
3378         https://bugs.webkit.org/show_bug.cgi?id=141192
3379
3380         Reviewed by Benjamin Poulain.
3381
3382         Use new Vector::removeFirst(value) / removeAll(value) API to simplify the
3383         code a bit.
3384
3385         * inspector/InspectorValues.cpp:
3386         (Inspector::InspectorObjectBase::remove):
3387
3388 2015-02-03  Mark Lam  <mark.lam@apple.com>
3389
3390         Work around a thread library bug where thread destructors may not get called.
3391         <https://webkit.org/b/141209>
3392
3393         Reviewed by Michael Saboff.
3394
3395         There's a bug where thread destructors may not get called.  As far as
3396         we know, this only manifests on darwin ports.  We will work around this
3397         by checking at GC time if the platform thread is still valid.  If not,
3398         we'll purge it from the VM's registeredThreads list before proceeding
3399         with thread scanning activity.
3400
3401         Note: it is important that we do this invalid thread detection during
3402         suspension, because the validity (and liveness) of the other thread is
3403         only guaranteed while it is suspended.
3404
3405         * API/tests/testapi.mm:
3406         (threadMain):
3407         - Added a test to enter the VM from another thread before we GC on
3408           the main thread.
3409
3410         * heap/MachineStackMarker.cpp:
3411         (JSC::MachineThreads::removeThreadWithLockAlreadyAcquired):
3412         (JSC::MachineThreads::removeCurrentThread):
3413         - refactored removeThreadWithLockAlreadyAcquired() out from
3414           removeCurrentThread() so that we can also call it for purging invalid
3415           threads.
3416         (JSC::suspendThread):
3417         - Added a return status to tell if the suspension succeeded or not.
3418         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3419         - Check if the suspension failed, and purge the thread if we can't
3420           suspend it.  Failure to suspend implies that the thread has
3421           terminated without calling its destructor.
3422         * heap/MachineStackMarker.h:
3423
3424 2015-02-03  Joseph Pecoraro  <pecoraro@apple.com>
3425
3426         Web Inspector: ASSERT mainThreadPthread launching remote debuggable JSContext app with Debug JavaScriptCore
3427         https://bugs.webkit.org/show_bug.cgi?id=141189
3428
3429         Reviewed by Michael Saboff.
3430
3431         * inspector/remote/RemoteInspector.mm:
3432         (Inspector::RemoteInspector::singleton):
3433         Ensure we call WTF::initializeMainThread() on the main thread so that
3434         we can perform automatic String <-> NSString conversions.
3435
3436 2015-02-03  Brent Fulgham  <bfulgham@apple.com>
3437
3438         [Win] Project file cleanups after r179429.
3439
3440         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3441         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3442
3443 2015-02-02  Filip Pizlo  <fpizlo@apple.com>
3444
3445         arguments[-1] should have well-defined behavior
3446         https://bugs.webkit.org/show_bug.cgi?id=141183
3447
3448         Reviewed by Mark Lam.
3449         
3450         According to JSC's internal argument numbering, 0 is "this" and 1 is the first argument.
3451         In the "arguments[i]" expression, "this" is not accessible and i = 0 refers to the first
3452         argument. Previously we handled the bounds check in "arguments[i]" - where "arguments" is
3453         statically known to be the current function's arguments object - as follows:
3454         
3455             add 1, i
3456             branchAboveOrEqual i, callFrame.ArgumentCount, slowPath
3457         
3458         The problem with this is that if i = -1, this passes the test, and we end up accessing
3459         what would be the "this" argument slot. That's wrong, since we should really be bottoming
3460         out in arguments["-1"], which is usually undefined but could be anything. It's even worse
3461         if the function is inlined or if we're in a constructor - in that case the "this" slot
3462         could be garbage.
3463         
3464         It turns out that we had this bug in all of our engines.
3465         
3466         This fixes the issue by changing the algorithm to:
3467         
3468             load32 callFrame.ArgumentCount, tmp
3469             sub 1, tmp
3470             branchAboveOrEqual i, tmp, slowPath
3471         
3472         In some engines, we would have used the modified "i" (the one that had 1 added to it) for
3473         the subsequent argument load; since we don't do this anymore I also had to change some of
3474         the offsets on the BaseIndex arguments load.
3475         
3476         This also includes tests that are written in such a way as to get coverage on LLInt and
3477         Baseline JIT (get-my-argument-by-val-wrap-around-no-warm-up), DFG and FTL
3478         (get-my-argument-by-val-wrap-around), and DFG when we're being paranoid about the user
3479         overwriting the "arguments" variable (get-my-argument-by-val-safe-wrap-around). This also
3480         includes off-by-1 out-of-bounds tests for each of these cases, since in the process of
3481         writing the patch I broke the arguments[arguments.length] case in the DFG and didn't see
3482         any test failures.
3483
3484         * dfg/DFGSpeculativeJIT32_64.cpp:
3485         (JSC::DFG::SpeculativeJIT::compile):
3486         * dfg/DFGSpeculativeJIT64.cpp:
3487         (JSC::DFG::SpeculativeJIT::compile):
3488         * ftl/FTLLowerDFGToLLVM.cpp:
3489         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
3490         * jit/AssemblyHelpers.h:
3491         (JSC::AssemblyHelpers::offsetOfArguments):
3492         (JSC::AssemblyHelpers::offsetOfArgumentsIncludingThis): Deleted.
3493         * jit/JITOpcodes.cpp:
3494         (JSC::JIT::emit_op_get_argument_by_val):
3495         * jit/JITOpcodes32_64.cpp:
3496         (JSC::JIT::emit_op_get_argument_by_val):
3497         * llint/LowLevelInterpreter.asm:
3498         * llint/LowLevelInterpreter32_64.asm:
3499         * llint/LowLevelInterpreter64.asm:
3500         * tests/stress/get-my-argument-by-val-out-of-bounds-no-warm-up.js: Added.
3501         (foo):
3502         * tests/stress/get-my-argument-by-val-out-of-bounds.js: Added.
3503         (foo):
3504         * tests/stress/get-my-argument-by-val-safe-out-of-bounds.js: Added.
3505         (foo):
3506         * tests/stress/get-my-argument-by-val-safe-wrap-around.js: Added.
3507         (foo):
3508         * tests/stress/get-my-argument-by-val-wrap-around-no-warm-up.js: Added.
3509         (foo):
3510         * tests/stress/get-my-argument-by-val-wrap-around.js: Added.
3511         (foo):
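
The two bounds checks quoted in the entry above, modelled in C++ as an added example (this is illustration code, not code from the WebKit tree). The `CallFrame` struct, its `argumentCount`/`slots` fields, the `Access` result type and the function names `getArgumentOld`/`getArgumentNew` are all chosen for this example; the only thing taken from the entry is the slot numbering ("this" is slot 0, the first argument is slot 1, ArgumentCount counts "this") and the two check sequences. It shows why the unsigned compare in the original sequence lets i == -1 read the "this" slot, and why the fixed sequence sends it, and i == arguments.length, to the slow path:

```cpp
#include <cstdint>
#include <vector>

// Constructed model of the call frame layout the entry describes: slot 0 is
// "this", slots 1..n are the real arguments, and argumentCount counts "this"
// as well, so a call with no arguments has argumentCount == 1. The struct and
// field names are hypothetical; this is not JSC's CallFrame.
struct CallFrame {
    uint32_t argumentCount;   // always >= 1 in this model ("this" is always present)
    std::vector<int> slots;   // slots.size() == argumentCount
};

struct Access {
    bool tookSlowPath;
    int value;                // only meaningful when tookSlowPath is false
};

// Fast-path load shared by both variants: argument i lives in slot i + 1.
// This load is only safe if the bounds check in front of it is correct.
static Access fastLoad(const CallFrame& frame, int32_t i)
{
    uint32_t slot = static_cast<uint32_t>(i) + 1u;
    return { false, frame.slots[slot] };
}

// The original check from the entry:
//     add 1, i
//     branchAboveOrEqual i, callFrame.ArgumentCount, slowPath
// branchAboveOrEqual is an unsigned compare. For i == -1 the add yields 0,
// 0 is below ArgumentCount, and the fast path reads slot 0: the "this" slot.
Access getArgumentOld(const CallFrame& frame, int32_t i)
{
    uint32_t biased = static_cast<uint32_t>(i) + 1u;   // wraps to 0 for i == -1
    if (biased >= frame.argumentCount)
        return { true, 0 };
    return fastLoad(frame, i);
}

// The fixed check:
//     load32 callFrame.ArgumentCount, tmp
//     sub 1, tmp
//     branchAboveOrEqual i, tmp, slowPath
// The unbiased i is compared (unsigned) against the number of real arguments,
// so every negative i, and i == arguments.length, takes the slow path. With no
// arguments tmp is 0 and nothing reaches the load at all.
Access getArgumentNew(const CallFrame& frame, int32_t i)
{
    uint32_t realArguments = frame.argumentCount - 1u;
    if (static_cast<uint32_t>(i) >= realArguments)
        return { true, 0 };
    return fastLoad(frame, i);
}

// Stand-alone driver: returns 0 when the old check leaks "this" for i == -1
// and the fixed check does not. The sample frames are constructed for the example.
int main()
{
    CallFrame twoArguments{ 3, { 99, 10, 20 } };   // this == 99, arguments == [10, 20]
    CallFrame noArguments{ 1, { 99 } };            // this == 99, arguments == []

    bool oldLeaksThis = !getArgumentOld(twoArguments, -1).tookSlowPath
        && getArgumentOld(twoArguments, -1).value == 99
        && getArgumentOld(noArguments, -1).value == 99;
    bool newIsSafe = getArgumentNew(twoArguments, -1).tookSlowPath
        && getArgumentNew(noArguments, -1).tookSlowPath
        && getArgumentNew(twoArguments, 2).tookSlowPath      // arguments[arguments.length]
        && getArgumentNew(twoArguments, 1).value == 20;
    return (oldLeaksThis && newIsSafe) ? 0 : 1;
}
```

The in-bounds cases behave identically under both checks; the difference is confined to negative indices, where the old sequence's `add 1` turns -1 into a valid-looking unsigned 0, and to the no-arguments frame, where the new sequence's `tmp == 0` makes every index fall to the slow path.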
3512
3513 2015-02-02  Filip Pizlo  <fpizlo@apple.com>
3514
3515         MultiGetByOffset should be marked NodeMustGenerate
3516         https://bugs.webkit.org/show_bug.cgi?id=140137
3517
3518         Reviewed by Michael Saboff.
3519
3520         * dfg/DFGNode.h:
3521         (JSC::DFG::Node::convertToGetByOffset): We were sloppy - we should also clear NodeMustGenerate once it's a GetByOffset.
3522         (JSC::DFG::Node::convertToMultiGetByOffset): Assert that we converted from something that already had NodeMustGenerate.
3523         * dfg/DFGNodeType.h: We shouldn't DCE a node that does checks and could be effectful in baseline. Marking MultiGetByOffset as NodeMustGenerate prevents DCE. FTL could still DCE the actual loads, but the checks will stay.
3524         * tests/stress/multi-get-by-offset-dce.js: Added. This previously failed because the getter wasn't called.
3525         (foo):
3526
3527 2015-02-02  Filip Pizlo  <fpizlo@apple.com>
3528
3529         [FTL] inlined GetMyArgumentByVal with no arguments passed causes instant crash
3530         https://bugs.webkit.org/show_bug.cgi?id=141180
3531         rdar://problem/19677552
3532
3533         Reviewed by Benjamin Poulain.
3534         
3535         If we do a GetMyArgumentByVal on an inlined call frame that has no arguments, then the
3536         bounds check already terminates execution. This means we can skip the part where we
3537         previously did an out-of-bound array access on the inlined call frame arguments vector.
3538
3539         * ftl/FTLLowerDFGToLLVM.cpp:
3540         (JSC::FTL::LowerDFGToLLVM::safelyInvalidateAfterTermination):
3541         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
3542         (JSC::FTL::LowerDFGToLLVM::terminate):
3543         (JSC::FTL::LowerDFGToLLVM::didAlreadyTerminate):
3544         (JSC::FTL::LowerDFGToLLVM::crash):
3545         * tests/stress/get-my-argument-by-val-inlined-no-formal-parameters.js: Added.
3546         (foo):
3547         (bar):
3548
3549 2015-02-02  Filip Pizlo  <fpizlo@apple.com>
3550
3551         REGRESSION(r179477): arguments simplification no longer works
3552         https://bugs.webkit.org/show_bug.cgi?id=141169
3553
3554         Reviewed by Mark Lam.
3555         
3556         The operations involved in callee/scope access don't exit and shouldn't get in the way
3557         of strength-reducing a Flush to a PhantomLocal. Then the PhantomLocal shouldn't get in
3558         the way of further such strength-reduction. We also need to canonicalize PhantomLocal
3559         before running arguments simplification.
3560
3561         * dfg/DFGMayExit.cpp:
3562         (JSC::DFG::mayExit):
3563         * dfg/DFGPlan.cpp:
3564         (JSC::DFG::Plan::compileInThreadImpl):
3565         * dfg/DFGStrengthReductionPhase.cpp:
3566         (JSC::DFG::StrengthReductionPhase::handleNode):
3567
3568 2015-02-02  Filip Pizlo  <fpizlo@apple.com>
3569
3570         VirtualRegister should really know how to dump itself
3571         https://bugs.webkit.org/show_bug.cgi?id=141171
3572
3573         Reviewed by Geoffrey Garen.
3574         
3575         Gives VirtualRegister a dump() method that pretty-prints the virtual register. The rest of
3576         the patch is all about using this new power.
3577
3578         * CMakeLists.txt:
3579         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3580         * JavaScriptCore.xcodeproj/project.pbxproj:
3581         * bytecode/CodeBlock.cpp:
3582         (JSC::constantName):
3583         (JSC::CodeBlock::registerName):
3584         * bytecode/CodeBlock.h:
3585         (JSC::missingThisObjectMarker): Deleted.
3586         * bytecode/VirtualRegister.cpp: Added.
3587         (JSC::VirtualRegister::dump):
3588         * bytecode/VirtualRegister.h:
3589         (WTF::printInternal): Deleted.
3590         * dfg/DFGArgumentPosition.h:
3591         (JSC::DFG::ArgumentPosition::dump):
3592         * dfg/DFGFlushedAt.cpp:
3593         (JSC::DFG::FlushedAt::dump):
3594         * dfg/DFGGraph.cpp:
3595         (JSC::DFG::Graph::dump):
3596         * dfg/DFGPutLocalSinkingPhase.cpp:
3597         * dfg/DFGSSAConversionPhase.cpp:
3598         (JSC::DFG::SSAConversionPhase::run):
3599         * dfg/DFGValidate.cpp:
3600         (JSC::DFG::Validate::reportValidationContext):
3601         * dfg/DFGValueSource.cpp:
3602         (JSC::DFG::ValueSource::dump):
3603         * dfg/DFGVariableEvent.cpp:
3604         (JSC::DFG::VariableEvent::dump):
3605         (JSC::DFG::VariableEvent::dumpSpillInfo):
3606         * ftl/FTLExitArgumentForOperand.cpp:
3607         (JSC::FTL::ExitArgumentForOperand::dump):
3608         * ftl/FTLExitValue.cpp:
3609         (JSC::FTL::ExitValue::dumpInContext):
3610         * profiler/ProfilerBytecodeSequence.cpp:
3611         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
3612
3613 2015-02-02  Geoffrey Garen  <ggaren@apple.com>
3614
3615         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
3616         https://bugs.webkit.org/show_bug.cgi?id=140900
3617
3618         Reviewed by Mark Hahnenberg.
3619
3620         Re-landing just the HandleBlock piece of this patch.
3621
3622         * heap/HandleBlock.h:
3623         * heap/HandleBlockInlines.h:
3624         (JSC::HandleBlock::create):
3625         (JSC::HandleBlock::destroy):
3626         (JSC::HandleBlock::HandleBlock):
3627         (JSC::HandleBlock::payloadEnd):
3628         * heap/HandleSet.cpp:
3629         (JSC::HandleSet::~HandleSet):
3630         (JSC::HandleSet::grow):
3631
3632 2015-02-02  Joseph Pecoraro  <pecoraro@apple.com>
3633
3634         Web Inspector: Support console.table
3635         https://bugs.webkit.org/show_bug.cgi?id=141058
3636
3637         Reviewed by Timothy Hatcher.
3638
3639         * inspector/InjectedScriptSource.js:
3640         Include the firstLevelKeys filter when generating previews.
3641
3642         * runtime/ConsoleClient.cpp:
3643         (JSC::appendMessagePrefix):
3644         Differentiate console.table logs to system log.
3645
3646 2015-01-31  Filip Pizlo  <fpizlo@apple.com>
3647
3648         BinarySwitch should be faster on average
3649         https://bugs.webkit.org/show_bug.cgi?id=141046
3650
3651         Reviewed by Anders Carlsson.
3652         
3653         This optimizes our binary switch using math. It's strictly better than what we had before
3654         assuming we bottom out in some case (rather than fall through), assuming all cases get
3655         hit with equal probability. The difference is particularly large for large switch
3656         statements. For example, a switch statement with 1000 cases would previously require on
3657         average 13.207 branches to get to some case, while now it just requires 10.464.
3658         
3659         This is also a progression for the fall-through case, though we could shave off another
3660         1/6 branch on average if we wanted to - though it would regress taking a case (not falling
3661         through) by 1/6 branch. I believe it's better to bias the BinarySwitch for not falling
3662         through.
3663         
3664         This also adds some randomness to the algorithm to minimize the likelihood of us
3665         generating a switch statement that is always particularly bad for some input. Note that
3666         the randomness has no effect on average-case performance assuming all cases are equally
3667         likely.
3668         
3669         This ought to have no actual performance change because we don't rely on binary switches
3670         that much. The main reason why this change is interesting is that I'm finding myself
3671         increasingly relying on BinarySwitch, and I'd like to know that it's optimal.
3672
3673         * jit/BinarySwitch.cpp:
3674         (JSC::BinarySwitch::BinarySwitch):
3675         (JSC::BinarySwitch::~BinarySwitch):
3676         (JSC::BinarySwitch::build):
3677         * jit/BinarySwitch.h:
3678
3679 2015-02-02  Joseph Pecoraro  <pecoraro@apple.com>
3680
3681         Web Inspector: Extend CSS.getSupportedCSSProperties to provide values for properties for CSS Augmented JSContext
3682         https://bugs.webkit.org/show_bug.cgi?id=141064
3683
3684         Reviewed by Timothy Hatcher.
3685
3686         * inspector/protocol/CSS.json:
3687
3688 2015-02-02  Daniel Bates  <dabates@apple.com>
3689
3690         [iOS] ASSERTION FAILED: m_scriptExecutionContext->isContextThread() in ContextDestructionObserver::observeContext
3691         https://bugs.webkit.org/show_bug.cgi?id=141057
3692         <rdar://problem/19068790>
3693
3694         Reviewed by Alexey Proskuryakov.
3695
3696         * inspector/remote/RemoteInspector.mm:
3697         (Inspector::RemoteInspector::receivedIndicateMessage): Modified to call WTF::callOnWebThreadOrDispatchAsyncOnMainThread().
3698         (Inspector::dispatchAsyncOnQueueSafeForAnyDebuggable): Deleted; moved logic to common helper function,
3699         WTF::callOnWebThreadOrDispatchAsyncOnMainThread() so that it can be called from both RemoteInspector::receivedIndicateMessage()
3700         and CryptoKeyRSA::generatePair().
3701
3702 2015-02-02  Saam Barati  <saambarati1@gmail.com>
3703
3704         Create tests for JSC's Control Flow Profiler
3705         https://bugs.webkit.org/show_bug.cgi?id=141123
3706
3707         Reviewed by Filip Pizlo.
3708
3709         This patch creates a control flow profiler testing API in jsc.cpp 
3710         that accepts a function and a string as arguments. The string must 
3711         be a substring of the text of the function argument. The API returns 
3712         a boolean indicating whether or not the basic block that encloses the 
3713         substring has executed.
3714
3715         This patch uses this API to test that the control flow profiler
3716         behaves as expected on basic block boundaries. These tests do not
3717         provide full coverage for all JavaScript statements that can create
3718         basic blocks boundaries. Full coverage will come in a later patch.
3719
3720         * jsc.cpp:
3721         (GlobalObject::finishCreation):
3722         (functionHasBasicBlockExecuted):
3723         * runtime/ControlFlowProfiler.cpp:
3724         (JSC::ControlFlowProfiler::hasBasicBlockAtTextOffsetBeenExecuted):
3725         * runtime/ControlFlowProfiler.h:
3726         * tests/controlFlowProfiler: Added.
3727         * tests/controlFlowProfiler.yaml: Added.
3728         * tests/controlFlowProfiler/driver: Added.
3729         * tests/controlFlowProfiler/driver/driver.js: Added.
3730         (assert):
3731         * tests/controlFlowProfiler/if-statement.js: Added.
3732         (testIf):
3733         (noMatches):
3734         * tests/controlFlowProfiler/loop-statements.js: Added.
3735         (forRegular):
3736         (forIn):
3737         (forOf):
3738         (whileLoop):
3739         * tests/controlFlowProfiler/switch-statements.js: Added.
3740         (testSwitch):
3741         * tests/controlFlowProfiler/test-jit.js: Added.
3742         (tierUpToBaseline):
3743         (tierUpToDFG):
3744         (baselineTest):
3745         (dfgTest):
3746
3747 2015-01-28  Filip Pizlo  <fpizlo@apple.com>
3748
3749         Polymorphic call inlining should be based on polymorphic call inline caching rather than logging
3750         https://bugs.webkit.org/show_bug.cgi?id=140660
3751
3752         Reviewed by Geoffrey Garen.
3753         
3754         When we first implemented polymorphic call inlining, we did the profiling based on a call
3755         edge log. The idea was to store each call edge (a tuple of call site and callee) into a
3756         global log that was processed lazily. Processing the log would give precise counts of call
3757         edges, and could be used to drive well-informed inlining decisions - polymorphic or not.
3758         This was a speed-up on throughput tests but a slow-down for latency tests. It was a net win
3759         nonetheless.
3760         
3761         Experience with this code shows three things. First, the call edge profiler is buggy and
3762         complex. It would take work to fix the bugs. Second, the call edge profiler incurs lots of
3763         overhead for latency code that we care deeply about. Third, it's not at all clear that
3764         having call edge counts for every possible callee is any better than just having call edge
3765         counts for the limited number of callees that an inline cache would catch.
3766         
3767         So, this patch removes the call edge profiler and replaces it with a polymorphic call inline
3768         cache. If we miss the basic call inline cache, we inflate the cache to be a jump to an
3769         out-of-line stub that cases on the previously known callees. If that misses again, then we
3770         rewrite that stub to include the new callee. We do this up to some number of callees. If we
3771         hit the limit then we switch to using a plain virtual call.
3772         
3773         Substantial speed-up on V8Spider; undoes the slow-down that the original call edge profiler
3774         caused. Might be a SunSpider speed-up (below 1%), depending on hardware.
3775         
3776         Rolling this back in after fixing https://bugs.webkit.org/show_bug.cgi?id=141107.
3777
3778         * CMakeLists.txt:
3779         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3780         * JavaScriptCore.xcodeproj/project.pbxproj:
3781         * bytecode/CallEdge.h:
3782         (JSC::CallEdge::count):
3783         (JSC::CallEdge::CallEdge):
3784         * bytecode/CallEdgeProfile.cpp: Removed.
3785         * bytecode/CallEdgeProfile.h: Removed.
3786         * bytecode/CallEdgeProfileInlines.h: Removed.
3787         * bytecode/CallLinkInfo.cpp:
3788         (JSC::CallLinkInfo::unlink):
3789         (JSC::CallLinkInfo::visitWeak):
3790         * bytecode/CallLinkInfo.h:
3791         * bytecode/CallLinkStatus.cpp:
3792         (JSC::CallLinkStatus::CallLinkStatus):
3793         (JSC::CallLinkStatus::computeFor):
3794         (JSC::CallLinkStatus::computeFromCallLinkInfo):
3795         (JSC::CallLinkStatus::isClosureCall):
3796         (JSC::CallLinkStatus::makeClosureCall):
3797         (JSC::CallLinkStatus::dump):
3798         (JSC::CallLinkStatus::computeFromCallEdgeProfile): Deleted.
3799         * bytecode/CallLinkStatus.h:
3800         (JSC::CallLinkStatus::CallLinkStatus):
3801         (JSC::CallLinkStatus::isSet):
3802         (JSC::CallLinkStatus::variants):
3803         (JSC::CallLinkStatus::size):
3804         (JSC::CallLinkStatus::at):
3805         (JSC::CallLinkStatus::operator[]):
3806         (JSC::CallLinkStatus::canOptimize):
3807         (JSC::CallLinkStatus::edges): Deleted.
3808         (JSC::CallLinkStatus::canTrustCounts): Deleted.
3809         * bytecode/CallVariant.cpp:
3810         (JSC::variantListWithVariant):
3811         (JSC::despecifiedVariantList):
3812         * bytecode/CallVariant.h:
3813         * bytecode/CodeBlock.cpp:
3814         (JSC::CodeBlock::~CodeBlock):
3815         (JSC::CodeBlock::linkIncomingPolymorphicCall):
3816         (JSC::CodeBlock::unlinkIncomingCalls):
3817         (JSC::CodeBlock::noticeIncomingCall):
3818         * bytecode/CodeBlock.h:
3819         (JSC::CodeBlock::isIncomingCallAlreadyLinked): Deleted.
3820         * dfg/DFGAbstractInterpreterInlines.h:
3821         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3822         * dfg/DFGByteCodeParser.cpp:
3823         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
3824         (JSC::DFG::ByteCodeParser::handleCall):
3825         (JSC::DFG::ByteCodeParser::handleInlining):
3826         * dfg/DFGClobberize.h:
3827         (JSC::DFG::clobberize):
3828         * dfg/DFGConstantFoldingPhase.cpp:
3829         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3830         * dfg/DFGDoesGC.cpp:
3831         (JSC::DFG::doesGC):
3832         * dfg/DFGDriver.cpp:
3833         (JSC::DFG::compileImpl):
3834         * dfg/DFGFixupPhase.cpp:
3835         (JSC::DFG::FixupPhase::fixupNode):
3836         * dfg/DFGNode.h:
3837         (JSC::DFG::Node::hasHeapPrediction):
3838         * dfg/DFGNodeType.h:
3839         * dfg/DFGOperations.cpp:
3840         * dfg/DFGPredictionPropagationPhase.cpp:
3841         (JSC::DFG::PredictionPropagationPhase::propagate):
3842         * dfg/DFGSafeToExecute.h:
3843         (JSC::DFG::safeToExecute):
3844         * dfg/DFGSpeculativeJIT32_64.cpp:
3845         (JSC::DFG::SpeculativeJIT::emitCall):
3846         (JSC::DFG::SpeculativeJIT::compile):
3847         * dfg/DFGSpeculativeJIT64.cpp:
3848         (JSC::DFG::SpeculativeJIT::emitCall):
3849         (JSC::DFG::SpeculativeJIT::compile):
3850         * dfg/DFGTierUpCheckInjectionPhase.cpp:
3851         (JSC::DFG::TierUpCheckInjectionPhase::run):
3852         (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling): Deleted.
3853         * ftl/FTLCapabilities.cpp:
3854         (JSC::FTL::canCompile):
3855         * heap/Heap.cpp:
3856         (JSC::Heap::collect):
3857         * jit/BinarySwitch.h:
3858         * jit/ClosureCallStubRoutine.cpp: Removed.
3859         * jit/ClosureCallStubRoutine.h: Removed.
3860         * jit/JITCall.cpp:
3861         (JSC::JIT::compileOpCall):
3862         * jit/JITCall32_64.cpp:
3863         (JSC::JIT::compileOpCall):
3864         * jit/JITOperations.cpp:
3865         * jit/JITOperations.h:
3866         (JSC::operationLinkPolymorphicCallFor):
3867         (JSC::operationLinkClosureCallFor): Deleted.
3868         * jit/JITStubRoutine.h:
3869         * jit/JITWriteBarrier.h:
3870         * jit/PolymorphicCallStubRoutine.cpp: Added.
3871         (JSC::PolymorphicCallNode::~PolymorphicCallNode):
3872         (JSC::PolymorphicCallNode::unlink):
3873         (JSC::PolymorphicCallCase::dump):
3874         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
3875         (JSC::PolymorphicCallStubRoutine::~PolymorphicCallStubRoutine):
3876         (JSC::PolymorphicCallStubRoutine::variants):
3877         (JSC::PolymorphicCallStubRoutine::edges):
3878         (JSC::PolymorphicCallStubRoutine::visitWeak):
3879         (JSC::PolymorphicCallStubRoutine::markRequiredObjectsInternal):
3880         * jit/PolymorphicCallStubRoutine.h: Added.
3881         (JSC::PolymorphicCallNode::PolymorphicCallNode):
3882         (JSC::PolymorphicCallCase::PolymorphicCallCase):
3883         (JSC::PolymorphicCallCase::variant):
3884         (JSC::PolymorphicCallCase::codeBlock):
3885         * jit/Repatch.cpp:
3886         (JSC::linkSlowFor):
3887         (JSC::linkFor):
3888         (JSC::revertCall):
3889         (JSC::unlinkFor):
3890         (JSC::linkVirtualFor):
3891         (JSC::linkPolymorphicCall):
3892         (JSC::linkClosureCall): Deleted.