Source/JavaScriptCore/ChangeLog

2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSDOMWindow should have a WatchpointSet to fire on window close
        https://bugs.webkit.org/show_bug.cgi?id=132721

        Reviewed by Filip Pizlo.

        This patch allows us to reset the inline caches that assumed they could skip
        the first part of JSDOMWindow::getOwnPropertySlot that checks if the window has
        been closed. This is part of getting rid of HasImpureGetOwnPropertySlot on JSDOMWindow.

        PropertySlot now accepts a WatchpointSet which the inline cache code can look for
        to see if it should create a new Watchpoint for that particular inline cache site.

        * bytecode/Watchpoint.h:
        * jit/Repatch.cpp:
        (JSC::generateByIdStub):
        (JSC::tryBuildGetByIDList):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::PropertySlot):
        (JSC::PropertySlot::watchpointSet):
        (JSC::PropertySlot::setWatchpointSet):

2014-05-09  Tanay C  <tanay.c@samsung.com>

        Fix build warning (uninitialized variable) in DFGFixupPhase.cpp
        https://bugs.webkit.org/show_bug.cgi?id=132331

        Reviewed by Darin Adler.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):

2014-05-09  peavo@outlook.com  <peavo@outlook.com>

        [Win] Crash when enabling DFG JIT.
        https://bugs.webkit.org/show_bug.cgi?id=132683

        Reviewed by Geoffrey Garen.

        On windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0)),
        results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
        where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
        This causes the register to be written to address 0, hence the crash.

        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit): Ditto.

2014-05-09  Martin Hodovan <mhodovan.u-szeged@partner.samsung.com>

        REGRESSION(r167094): JSC crashes on ARM Traditional
        https://bugs.webkit.org/show_bug.cgi?id=132738

        Reviewed by Zoltan Herczeg.

        PC is two instructions ahead of the current instruction
        on ARM Traditional, so the distance is 8 bytes not 2.

        * llint/LowLevelInterpreter.asm:

2014-05-09  Alberto Garcia  <berto@igalia.com>

        jsmin.py license header confusing, mentions non-free license
        https://bugs.webkit.org/show_bug.cgi?id=123665

        Reviewed by Darin Adler.

        Pull the most recent version from upstream, which has a clear
        license.

        * inspector/scripts/jsmin.py:

2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        Base case for get-by-id inline cache doesn't check for HasImpureGetOwnPropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=132695

        Reviewed by Filip Pizlo.

        We check in the case where we're accessing something other than the base object (e.g. the prototype),
        but we fail to do so for the base object.

        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        * jsc.cpp: Added some infrastructure to support this test. We don't currently trigger this bug anywhere in WebKit
        because all of the values that are returned that could be impure are set to uncacheable anyways.
        (WTF::ImpureGetter::ImpureGetter):
        (WTF::ImpureGetter::createStructure):
        (WTF::ImpureGetter::create):
        (WTF::ImpureGetter::finishCreation):
        (WTF::ImpureGetter::getOwnPropertySlot):
        (WTF::ImpureGetter::visitChildren):
        (WTF::ImpureGetter::setDelegate):
        (GlobalObject::finishCreation):
        (functionCreateImpureGetter):
        (functionSetImpureGetterDelegate):
        * tests/stress/impure-get-own-property-slot-inline-cache.js: Added.
        (foo):

2014-05-08  Filip Pizlo  <fpizlo@apple.com>

        deleteAllCompiledCode() shouldn't use the suspension worklist
        https://bugs.webkit.org/show_bug.cgi?id=132708

        Reviewed by Mark Hahnenberg.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::isStillValid):
        * heap/Heap.cpp:
        (JSC::Heap::deleteAllCompiledCode):

2014-05-08  Filip Pizlo  <fpizlo@apple.com>

        SSA conversion should delete PhantomLocals for captured variables
        https://bugs.webkit.org/show_bug.cgi?id=132693

        Reviewed by Mark Hahnenberg.

        * dfg/DFGCommon.cpp:
        (JSC::DFG::startCrashing): Parallel JIT and a JIT bug means that we may dump IR in parallel. This is the workaround. This patch uses it in all of the places where we dump IR and crash.
        * dfg/DFGCommon.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): Use the workaround.
        * dfg/DFGLivenessAnalysisPhase.cpp:
        (JSC::DFG::LivenessAnalysisPhase::run): Use the workaround.
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run): Fix the bug - it's true that PhantomLocal for captured variables doesn't need anything done to it, but it's wrong that we didn't delete it outright.
        * dfg/DFGValidate.cpp: Use the workaround.
        * tests/stress/phantom-local-captured-but-not-flushed-to-ssa.js: Added.
        (foo):
        (bar):

2014-05-07  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r168451.
        https://bugs.webkit.org/show_bug.cgi?id=132670

        Not a speed-up, just do what other compilers do. (Requested by
        kling on #webkit).

        Reverted changeset:

        "[X86] Emit BT instruction for single-bit tests."
        https://bugs.webkit.org/show_bug.cgi?id=132650
        http://trac.webkit.org/changeset/168451

2014-05-07  Filip Pizlo  <fpizlo@apple.com>

        Make Executable::clearCode() actually clear all of the entrypoints, and
        clean up some other FTL-related calling convention stuff.
        <rdar://problem/16720172>

        Rubber stamped by Mark Hahnenberg.

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::Worklist):
        (JSC::DFG::Worklist::finishCreation):
        (JSC::DFG::Worklist::create):
        (JSC::DFG::ensureGlobalDFGWorklist):
        (JSC::DFG::ensureGlobalFTLWorklist):
        * dfg/DFGWorklist.h:
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::dump):
        * heap/CodeBlockSet.h:
        * runtime/Executable.cpp:
        (JSC::ExecutableBase::clearCode):

2014-05-07  Andreas Kling  <akling@apple.com>

        [X86] Emit BT instruction for single-bit tests.
        <https://webkit.org/b/132650>

        Implement test-bit-and-branch slightly more efficiently by using
        BT + JC/JNC instead of TEST + JZ/JNZ when we're only testing for
        a single bit.

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::singleBitIndex):
        (JSC::MacroAssemblerX86Common::branchTest32):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::bt_i8r):
        (JSC::X86Assembler::bt_i8m):

2014-05-07  Mark Lam  <mark.lam@apple.com>

        REGRESSION(r166678): Dromaeo/cssquery-dojo.html crashes regularly.
        <https://webkit.org/b/131356>

        Reviewed by Geoffrey Garen.

        The issue is that GC needs to be made aware of writes to m_inferredValue
        in the VariableWatchpointSet, but was not.  As a result, if a JSCell*
        is written to a VariableWatchpointSet m_inferredValue, and that JSCell
        does not survive an eden GC shortly after, we will end up with a stale
        JSCell pointer left in the m_inferredValue.

        This issue can be detected more easily by running Dromaeo/cssquery-dojo.html
        using DumpRenderTree with the VM heap in zombie mode.

        The fix is to change VariableWatchpointSet m_inferredValue to type
        WriteBarrier<Unknown> and ensure that VariableWatchpointSet::notifyWrite()
        is executed by all the execution engines so that the WriteBarrier semantics
        are honored.

        We still check if the value to be written is the same as the one in the
        inferredValue.  We'll by-pass calling the slow path notifyWrite() if the
        values are the same.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        - need to pass the symbolTable to prepareToWatch() because it will be needed
          for instantiating the VariableWatchpointSet in prepareToWatch().

        * bytecode/VariableWatchpointSet.h:
        (JSC::VariableWatchpointSet::VariableWatchpointSet):
        - VariableWatchpointSet now tracks its owner symbol table for its m_inferredValue
          write barrier, and yes, m_inferredValue is now of type WriteBarrier<Unknown>.
        (JSC::VariableWatchpointSet::inferredValue):
        (JSC::VariableWatchpointSet::invalidate):
        (JSC::VariableWatchpointSet::finalizeUnconditionally):
        (JSC::VariableWatchpointSet::addressOfInferredValue):
        (JSC::VariableWatchpointSet::notifyWrite): Deleted.
        * bytecode/VariableWatchpointSetInlines.h: Added.
        (JSC::VariableWatchpointSet::notifyWrite):

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::cellConstant):
        - Added an assert in case we try to make constants of zombified JSCells again.

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        - We now let the slow path handle the cases when the VariableWatchpointSet is
          in state ClearWatchpoint and IsWatched, and the slow path will ensure that
          we handle the needed write barrier semantics correctly.
          We will by-pass the slow path if the value being written is the same as the
          inferred value.

        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
        - Let the slow path handle the cases when the VariableWatchpointSet is
          in state ClearWatchpoint and IsWatched.
          We will by-pass the slow path if the value being written is the same as the
          inferred value.

        * heap/Heap.cpp:
        (JSC::Zombify::operator()):
        - Use a different value for the zombified bits (to distinguish it from 0xbbadbeef
          which is used everywhere else).
        * heap/Heap.h:
        (JSC::Heap::isZombified):
        - Provide a convenience test function to check if JSCells are zombified.  This is
          currently only used in an assertion in the DFG bytecode parser, but the intent
          is that we'll apply this test in other strategic places later to help with early
          detection of usage of GC'ed objects when we run in zombie mode.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_captured_mov):
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitNotifyWrite):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitNotifyWrite):
        (JSC::JIT::emitSlow_op_put_to_scope):
        - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
          is in state ClearWatchpoint and IsWatched.
          We will by-pass the slow path if the value being written is the same as the
          inferred value.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
          is in state ClearWatchpoint and IsWatched.
          We will by-pass the slow path if the value being written is the same as the
          inferred value.

        * runtime/CommonSlowPaths.cpp:

        * runtime/JSCJSValue.h: Fixed some typos in the comments.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::addGlobalVar):
        (JSC::JSGlobalObject::addFunction):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTablePut):
        (JSC::symbolTablePutWithAttributes):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTableEntry::prepareToWatch):
        (JSC::SymbolTableEntry::notifyWriteSlow):
        * runtime/SymbolTable.h:
        (JSC::SymbolTableEntry::notifyWrite):

2014-05-06  Michael Saboff  <msaboff@apple.com>

        Unreviewed build fix for C-LOOP after r168396.

        * runtime/TestRunnerUtils.cpp:
        (JSC::optimizeNextInvocation): Wrapped actual call inside #if ENABLE(JIT)

2014-05-06  Michael Saboff  <msaboff@apple.com>

        Add test for deleteAllCompiledCode
        https://bugs.webkit.org/show_bug.cgi?id=132632

        Reviewed by Phil Pizlo.

        Added two new hooks to jsc, one to call Heap::deleteAllCompiledCode() and
        the other to call CodeBlock::optimizeNextInvocation().  Used these two hooks
        to write a test that will queue up loads of DFG compiles and then call
        Heap::deleteAllCompiledCode() to make sure that it can handle compiled
        code as well as code being compiled.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionDeleteAllCompiledCode):
        (functionOptimizeNextInvocation):
        * runtime/TestRunnerUtils.cpp:
        (JSC::optimizeNextInvocation):
        * runtime/TestRunnerUtils.h:
        * tests/stress/deleteAllCompiledCode.js: Added.
        (functionList):
        (runTest):

2014-05-06  Andreas Kling  <akling@apple.com>

        JSString::toAtomicString() should return AtomicString.
        <https://webkit.org/b/132627>

        Remove premature optimization where I was trying to avoid refcount
        churn when returning an already atomicized String.

        Instead of using reinterpret_cast to mangle the String member into
        a const AtomicString& return value, just return AtomicString.

        Reviewed by Geoff Garen.

        * runtime/JSString.h:
        (JSC::JSString::toAtomicString):

2014-05-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        Roll out r167889

        Rubber stamped by Geoff Garen.

        It broke some websites.

        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::create):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::hasDeletedOffset):
        (JSC::PropertyTable::hadDeletedOffset): Deleted.
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::removePropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::addPropertyWithoutTransition):
        (JSC::Structure::removePropertyWithoutTransition):
        (JSC::Structure::pin):
        (JSC::Structure::pinAndPreventTransitions): Deleted.
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::setEnumerationCache):
        (JSC::Structure::propertyTable):
        (JSC::Structure::checkOffsetConsistency):
        (JSC::Structure::hadDeletedOffsets): Deleted.
        * tests/stress/for-in-after-delete.js:
        (foo): Deleted.

2014-05-05  Andreas Kling  <akling@apple.com>

        Fix debug build.

        * runtime/JSCellInlines.h:
        (JSC::JSCell::fastGetOwnProperty):

2014-05-05  Andreas Kling  <akling@apple.com>

        Optimize GetByVal when subscript is a rope string.
        <https://webkit.org/b/132590>

        Use JSString::toIdentifier() in the various GetByVal implementations
        to try and avoid allocating extra strings.

        Added canUseFastGetOwnProperty() and wrap calls to fastGetOwnProperty()
        in that, to avoid calling JSString::value() which always resolves ropes
        into new strings and de-optimizes subsequent toIdentifier() calls.

        My iMac says ~9% progression on Dromaeo/dom-attr.html

        Reviewed by Phil Pizlo.

        * dfg/DFGOperations.cpp:
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::fastGetOwnProperty):
        (JSC::JSCell::canUseFastGetOwnProperty):

2014-05-05  Andreas Kling  <akling@apple.com>

        REGRESSION (r168256): ASSERTION FAILED: (buffer + m_length) == position loading vanityfair.com article.
        <https://webkit.org/b/168256>
        <rdar://problem/16816316>

        Make resolveRopeSlowCase8() behave like its 16-bit counterpart and not
        clear the fibers. The caller takes care of this.

        Test: fast/dom/getElementById-with-rope-string-arg.html

        Reviewed by Geoffrey Garen.

        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeSlowCase8):

2014-05-05  Michael Saboff  <msaboff@apple.com>

        REGRESSION: RELEASE_ASSERT in CodeBlock::baselineVersion @ cnn.com
        https://bugs.webkit.org/show_bug.cgi?id=132581

        Reviewed by Filip Pizlo.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::isStillValid): Check that the alternative codeBlock we
        started compiling for is still the same at the end of compilation.
        Also did some minor restructuring.

2014-05-05  Andreas Kling  <akling@apple.com>

        Optimize PutByVal when subscript is a rope string.
        <https://webkit.org/b/132572>

        Add a JSString::toIdentifier() that is smarter when the JSString is
        really a rope string. Use this in baseline & DFG's PutByVal to avoid
        allocating new StringImpls that we immediately deduplicate anyway.

        Reviewed by Antti Koivisto.

        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * jit/JITOperations.cpp:
        * runtime/JSString.h:
        (JSC::JSString::toIdentifier):

2014-05-05  Andreas Kling  <akling@apple.com>

        Remove two now-incorrect assertions after r168256.

        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeSlowCase8):
        (JSC::JSRopeString::resolveRopeSlowCase):

2014-05-04  Andreas Kling  <akling@apple.com>

        Optimize JSRopeString for resolving directly to AtomicString.
        <https://webkit.org/b/132548>

        If we know that the JSRopeString we are resolving is going to be used
        as an AtomicString, we can try to avoid creating a new string.

        We do this by first resolving the rope into a stack buffer, and using
        that buffer as a key into the AtomicString table. If there is already
        an AtomicString with the same characters, we reuse that instead of
        constructing a new StringImpl.

        JSString gains these two public functions:

        - AtomicString toAtomicString()

            Returns an AtomicString, tries to avoid allocating a new string
            if possible.

        - AtomicStringImpl* toExistingAtomicString()

            Returns a non-null AtomicStringImpl* if one already exists in the
            AtomicString table. If none is found, the rope is left unresolved.

        Reviewed by Filip Pizlo.

        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeInternal8):
        (JSC::JSRopeString::resolveRopeInternal16):
        (JSC::JSRopeString::resolveRopeToAtomicString):
        (JSC::JSRopeString::clearFibers):
        (JSC::JSRopeString::resolveRopeToExistingAtomicString):
        (JSC::JSRopeString::resolveRope):
        (JSC::JSRopeString::outOfMemory):
        * runtime/JSString.h:
        (JSC::JSString::toAtomicString):
        (JSC::JSString::toExistingAtomicString):

2014-05-04  Andreas Kling  <akling@apple.com>

        Unreviewed, rolling out r168254.

        Very crashy on debug JSC tests.

        Reverted changeset:

        "jsSubstring() should be lazy"
        https://bugs.webkit.org/show_bug.cgi?id=132556
        http://trac.webkit.org/changeset/168254

2014-05-04  Filip Pizlo  <fpizlo@apple.com>

        jsSubstring() should be lazy
        https://bugs.webkit.org/show_bug.cgi?id=132556

        Reviewed by Andreas Kling.

        jsSubstring() is now lazy by using a special rope that is a substring instead of a
        concatenation. To make this patch super simple, we require that a substring's base is
        never a rope. Hence, when resolving a rope, we either go down a non-recursive substring
        path, or we go down a concatenation path which may see exactly one level of substrings in
        its fibers.

        This is up to a 50% speed-up on microbenchmarks and a 10% speed-up on Octane/regexp.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::specializedSweep):
        * runtime/JSString.cpp:
        (JSC::JSRopeString::visitFibers):
        (JSC::JSRopeString::resolveRope):
        (JSC::JSRopeString::resolveRopeSlowCase8):
        (JSC::JSRopeString::resolveRopeSlowCase):
        (JSC::JSRopeString::outOfMemory):
        * runtime/JSString.h:
        (JSC::JSRopeString::finishCreation):
        (JSC::JSRopeString::append):
        (JSC::JSRopeString::create):
        (JSC::JSRopeString::offsetOfFibers):
        (JSC::JSRopeString::fiber):
        (JSC::JSRopeString::substringBase):
        (JSC::JSRopeString::substringOffset):
        (JSC::JSRopeString::substringSentinel):
        (JSC::JSRopeString::isSubstring):
        (JSC::jsSubstring):
        * runtime/RegExpMatchesArray.cpp:
        (JSC::RegExpMatchesArray::reifyAllProperties):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncSubstring):

2014-05-02  Michael Saboff  <msaboff@apple.com>

        "arm64 function not 4-byte aligned" warnings when building JSC
        https://bugs.webkit.org/show_bug.cgi?id=132495

        Reviewed by Geoffrey Garen.

        Added ".align 4" for both ARM Thumb2 and ARM 64 to silence the linker.

        * llint/LowLevelInterpreter.cpp:

2014-05-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix cloop build after r168178

        * bytecode/CodeBlock.cpp:

2014-05-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add a DFG function whitelist
        https://bugs.webkit.org/show_bug.cgi?id=132437

        Reviewed by Geoffrey Garen.

        Oftentimes when debugging, using bytecode ranges isn't enough to narrow down to the
        particular DFG block that's causing issues. This patch adds the ability to whitelist
        specific functions specified in a file to enable further filtering without having to recompile.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::isSupported):
        (JSC::DFG::mightInlineFunctionForCall):
        (JSC::DFG::mightInlineFunctionForClosureCall):
        (JSC::DFG::mightInlineFunctionForConstruct):
        * dfg/DFGFunctionWhitelist.cpp: Added.
        (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
        (JSC::DFG::FunctionWhitelist::FunctionWhitelist):
        (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
        (JSC::DFG::FunctionWhitelist::contains):
        * dfg/DFGFunctionWhitelist.h: Added.
        * runtime/Options.cpp:
        (JSC::parse):
        (JSC::Options::dumpOption):
        * runtime/Options.h:

2014-05-02  Filip Pizlo  <fpizlo@apple.com>

        DFGAbstractInterpreter should not claim Int52 arithmetic creates Int52s
        https://bugs.webkit.org/show_bug.cgi?id=132446

        Reviewed by Mark Hahnenberg.

        Basically any arithmetic operation can turn an Int52 into an Int32 or vice-versa, and
        our modeling of Int52Rep nodes is such that they can have either Int32 or Int52 type
        to indicate a bound on the value. This is useful for knowing, for example, that
        Int52Rep(Int32:) returns a value that cannot be outside the Int32 range. Also,
        ValueRep(Int52Rep:) uses this to determine whether it may return a double or an int.
        But this means that all arithmetic operations must be careful to note that they may
        turn Int32 inputs into an Int52 output or vice-versa, as these new tests show.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        * tests/stress/int52-ai-add-then-filter-int32.js: Added.
        (foo):
        * tests/stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js: Added.
        (foo):
        * tests/stress/int52-ai-mul-then-filter-int32-directly.js: Added.
        (foo):
        * tests/stress/int52-ai-mul-then-filter-int32.js: Added.
        (foo):
        * tests/stress/int52-ai-neg-then-filter-int32.js: Added.
        (foo):
        * tests/stress/int52-ai-sub-then-filter-int32.js: Added.
        (foo):
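
        The Int52 entry above is the kind of bug that matters to anyone auditing a JIT: an abstract
        interpreter that believes an arithmetic result stays within Int32 (or Int52) when it does not
        lets later code skip a range check. The stress tests it adds all have the shape "arithmetic,
        then filter to Int32 with | 0". What follows is an added example, not code from WebKit or from
        this ChangeLog: a differential check in that style that runs in any JavaScript engine (so it
        exercises whatever JIT runs it, not JSC specifically). It warms each operation up so the engine
        compiles it with integer speculation, then feeds operands at the Int32 boundary and compares
        against a BigInt reference that no integer speculation touches. The function and variable
        names (ops, ref, runDifferential, edges) are the example's own.

```javascript
// Added example; not part of WebKit or this ChangeLog. Differential check for
// integer arithmetic at the Int32 boundary, in the shape of the
// int52-ai-*-then-filter-int32 stress tests: each op ends in "| 0", so an
// optimizing JIT may speculate Int32 or Int52 for the intermediate value.

const INT32_MIN = -2147483648;
const INT32_MAX = 2147483647;

// Functions under test (names are the example's own). They are run hot first so
// the engine's JIT compiles them with integer speculation before the edge cases.
const ops = {
  add: (a, b) => (a + b) | 0,
  sub: (a, b) => (a - b) | 0,
  mul: (a, b) => (a * b) | 0,
  neg: (a, _b) => (-a) | 0,
};

// Reference: exact result via BigInt, rounded to a double the way IEEE
// arithmetic rounds its exact result (Number() on a BigInt rounds to nearest),
// then ToInt32 via "| 0". Same specified semantics, different code path.
const ref = {
  add: (a, b) => Number(BigInt(a) + BigInt(b)) | 0,
  sub: (a, b) => Number(BigInt(a) - BigInt(b)) | 0,
  mul: (a, b) => Number(BigInt(a) * BigInt(b)) | 0,
  neg: (a, _b) => Number(-BigInt(a)) | 0,
};

// Constructed operands at and around the Int32 bounds. Sums and differences of
// these leave Int32; products of the large ones leave Int52 (|x| >= 2^51) as well.
const edges = [INT32_MIN, INT32_MIN + 1, -65536, -1, 0, 1, 65536, INT32_MAX - 1, INT32_MAX];

// Warm each op on small in-range inputs, then hit it with every pair of edge
// operands and compare to the reference. Returns the list of mismatches; an
// empty list means the compiled code and the reference agree on every case.
function runDifferential(iterations = 20000) {
  const mismatches = [];
  for (const name of Object.keys(ops)) {
    const fn = ops[name];
    const expect = ref[name];
    for (let i = 0; i < iterations; i++) fn(i & 0xffff, (i * 7) & 0xffff);
    for (const a of edges) {
      for (const b of edges) {
        const got = fn(a, b);
        const want = expect(a, b);
        if (got !== want) mismatches.push({ op: name, a, b, got, want });
      }
    }
  }
  return mismatches;
}

const report = runDifferential();
console.log(report.length === 0
  ? "all boundary cases agree with the reference"
  : JSON.stringify(report, null, 2));
```

        Two details carry the weight here. The warm-up loop only ever passes values that fit in
        16 bits, which is exactly what invites a JIT to speculate Int32 for the intermediate; the
        edge operands then force the add/sub intermediates past Int32 and the mul intermediates
        past Int52. And the reference deliberately reproduces the specified double semantics
        (exact product, one rounding, then ToInt32) rather than exact integer math, because
        (INT32_MAX * INT32_MAX) | 0 is defined on the rounded double and an "exact" reference
        would report a false mismatch.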
647
2014-05-01  Geoffrey Garen  <ggaren@apple.com>

        JavaScriptCore fails to build with some versions of clang
        https://bugs.webkit.org/show_bug.cgi?id=132436

        Reviewed by Anders Carlsson.

        * runtime/ArgumentsIteratorConstructor.cpp: Since we call
        putDirectWithoutTransition, and it calls putWillGrowOutOfLineStorage,
        and both are marked inline, it's valid for the compiler to decide
        to inline both and emit neither in the binary. Therefore, we need
        both inline definitions to be available in the translation unit at
        compile time, or we'll try to link against a function that doesn't exist.

2014-05-01  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r167964.
        https://bugs.webkit.org/show_bug.cgi?id=132431

        Memory improvements should not regress memory usage (Requested
        by olliej on #webkit).

        Reverted changeset:

        "Don't hold on to parameter BindingNodes forever"
        https://bugs.webkit.org/show_bug.cgi?id=132360
        http://trac.webkit.org/changeset/167964

2014-05-01  Filip Pizlo  <fpizlo@apple.com>

        Fix trivial debug-only race-that-crashes in CallLinkStatus and explain why the remaining races are totally awesome
        https://bugs.webkit.org/show_bug.cgi?id=132427

        Reviewed by Mark Hahnenberg.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):

2014-04-30  Simon Fraser  <simon.fraser@apple.com>

        Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO
        https://bugs.webkit.org/show_bug.cgi?id=132396

        Reviewed by Eric Carlson.

        Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO and related code.

        * Configurations/FeatureDefines.xcconfig:

2014-04-30  Filip Pizlo  <fpizlo@apple.com>

        Argument flush formats should not be presumed to be JSValue since 'this' is weird
        https://bugs.webkit.org/show_bug.cgi?id=132404

        Reviewed by Michael Saboff.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Don't assume that arguments are flushed as JSValue. Use the logic for locals instead.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): SetArgument "changes" the format because before this we wouldn't know we had arguments.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Ditto.
        * dfg/DFGValueSource.cpp:
        (JSC::DFG::ValueSource::dumpInContext): Make this easier to dump.
        * dfg/DFGValueSource.h:
        (JSC::DFG::ValueSource::operator!): Make this easier to dump because Operands<T> uses T::operator!().
        * ftl/FTLOSREntry.cpp:
        (JSC::FTL::prepareOSREntry): This had a useful assertion for everything except 'this'.
        * tests/stress/strict-to-this-int.js: Added.
        (foo):
        (Number.prototype.valueOf):
        (test):

2014-04-29  Oliver Hunt  <oliver@apple.com>

        Don't hold on to parameterBindingNodes forever
        https://bugs.webkit.org/show_bug.cgi?id=132360

        Reviewed by Geoffrey Garen.

        Don't keep the parameter nodes anymore. Instead we store the
        original parameter string and reparse whenever we actually
        need them. Because we only actually need them for compilation
        this only results in a single extra parse.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::visitChildren):
        (JSC::UnlinkedFunctionExecutable::finishCreation):
        (JSC::UnlinkedFunctionExecutable::paramString):
        (JSC::UnlinkedFunctionExecutable::parameters):
        (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::create):
        (JSC::UnlinkedFunctionExecutable::parameterCount):
        (JSC::UnlinkedFunctionExecutable::parameters): Deleted.
        (JSC::UnlinkedFunctionExecutable::finishCreation): Deleted.
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::ASTBuilder):
        (JSC::ASTBuilder::setFunctionBodyParameters):
        * parser/Nodes.h:
        (JSC::FunctionBodyNode::parametersStartOffset):
        (JSC::FunctionBodyNode::parametersEndOffset):
        (JSC::FunctionBodyNode::setParameterLocation):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::parseParameters):
        * parser/Parser.h:
        (JSC::parse):
        * parser/SourceCode.h:
        (JSC::SourceCode::subExpression):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::setFunctionBodyParameters):

2014-04-29  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSProxies should be cacheable
        https://bugs.webkit.org/show_bug.cgi?id=132351

        Reviewed by Geoffrey Garen.

        Whenever we encounter a proxy in an inline cache we should try to cache on the
        proxy's target instead of giving up.

        This patch adds support for a simple "recursive" inline cache if the base object
        we're accessing is a pure forwarding proxy. JSGlobalObject and its subclasses
        are the only ones to benefit from this right now.

        This is performance neutral on the benchmarks we track. Currently we won't
778         cache on JSDOMWindow due to HasImpureGetOwnPropertySlot, but this issue will be fixed soon.
779
780         * jit/Repatch.cpp:
781         (JSC::generateByIdStub):
782         (JSC::tryBuildGetByIDList):
783         (JSC::tryCachePutByID):
784         (JSC::tryBuildPutByIdList):
785         * jsc.cpp:
786         (GlobalObject::finishCreation):
787         (functionCreateProxy):
788         * runtime/IntendedStructureChain.cpp:
789         (JSC::IntendedStructureChain::isNormalized):
790         * runtime/JSCellInlines.h:
791         (JSC::JSCell::isProxy):
792         * runtime/JSGlobalObject.h:
793         (JSC::JSGlobalObject::finishCreation):
794         * runtime/JSProxy.h:
795         (JSC::JSProxy::createStructure):
796         (JSC::JSProxy::targetOffset):
797         * runtime/JSType.h:
798         * runtime/Operations.h:
799         (JSC::isPrototypeChainNormalized):
800         * runtime/Structure.h:
801         (JSC::Structure::isProxy):
802         * tests/stress/proxy-inline-cache.js: Added.
803         (cacheOnTarget.getX):
804         (cacheOnTarget):
805         (cacheOnPrototypeOfTarget.getX):
806         (cacheOnPrototypeOfTarget):
807         (dontCacheOnProxyInPrototypeChain.getX):
808         (dontCacheOnProxyInPrototypeChain):
809         (dontCacheOnTargetOfProxyInPrototypeChainOfTarget.getX):
810         (dontCacheOnTargetOfProxyInPrototypeChainOfTarget):
811
812 2014-04-29  Filip Pizlo  <fpizlo@apple.com>
813
814         Use LLVM as a backend for the fourth-tier DFG JIT (a.k.a. the FTL JIT)
815         https://bugs.webkit.org/show_bug.cgi?id=112840
816
817         Rubber stamped by Geoffrey Garen.
818
819         * Configurations/FeatureDefines.xcconfig:
820
821 2014-04-29  Geoffrey Garen  <ggaren@apple.com>
822
823         String.prototype.trim removes U+200B from strings.
824         https://bugs.webkit.org/show_bug.cgi?id=130184
825
826         Reviewed by Michael Saboff.
827
828         * runtime/StringPrototype.cpp:
829         (JSC::trimString):
830         (JSC::isTrimWhitespace): Deleted.
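
An added example, not WebKit code, illustrating the point of the entry above: an ES5-style trim must strip exactly the WhiteSpace and LineTerminator code points the spec enumerates, so U+200B (ZERO WIDTH SPACE, general category Cf) survives while U+FEFF and the Zs spaces do not. The names isTrimWhitespace and trimString are borrowed from the entry, but this is a stand-alone model over UTF-16 code units, not JavaScriptCore's implementation; the Zs set is enumerated by hand rather than looked up from ICU so the example runs on its own.

```cpp
// Added example (not JavaScriptCore code): ES5 String.prototype.trim over
// UTF-16 code units with an explicit allowlist of trimmable characters.
#include <cstddef>
#include <string>

// ES5 7.2 WhiteSpace + 7.3 LineTerminator. U+200B is deliberately absent:
// it is a format character (Cf), not a space separator (Zs).
static bool isTrimWhitespace(char16_t c) {
    switch (c) {
    case 0x0009: case 0x000B: case 0x000C: case 0x0020: case 0x00A0: case 0xFEFF: // WhiteSpace
    case 0x000A: case 0x000D: case 0x2028: case 0x2029:                           // LineTerminator
    case 0x1680: case 0x202F: case 0x205F: case 0x3000:                           // remaining Zs
        return true;
    default:
        return c >= 0x2000 && c <= 0x200A;                                        // Zs: EN QUAD .. HAIR SPACE
    }
}

// Strips trimmable code units from both ends; everything else is preserved.
static std::u16string trimString(const std::u16string& s) {
    size_t start = 0;
    size_t end = s.size();
    while (start < end && isTrimWhitespace(s[start]))
        ++start;
    while (end > start && isTrimWhitespace(s[end - 1]))
        --end;
    return s.substr(start, end - start);
}
```

Because the predicate is an allowlist, a character that is not on the list is never removed, which is the behaviour the bug fix restores for U+200B.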
831
832 2014-04-29  Mark Lam  <mark.lam@apple.com>
833
834         Zombifying sweep should ignore retired blocks.
835         <https://webkit.org/b/132344>
836
837         Reviewed by Mark Hahnenberg.
838
839         By definition, retired blocks do not have "dead" objects, or at least
840         none that we know of yet until the next marking phase has been run
841         over them.  So, we should not be sweeping them (even for zombie mode).
842
843         * heap/Heap.cpp:
844         (JSC::Heap::zombifyDeadObjects):
845         * heap/MarkedSpace.cpp:
846         (JSC::MarkedSpace::zombifySweep):
847         * heap/MarkedSpace.h:
848         (JSC::ZombifySweep::operator()):
849
850 2014-04-29  Mark Lam  <mark.lam@apple.com>
851
852         Fix bit rot in zombie mode heap code.
853         <https://webkit.org/b/132342>
854
855         Reviewed by Mark Hahnenberg.
856
857         Need to enter a DelayedReleaseScope before doing a sweep.
858
859         * heap/Heap.cpp:
860         (JSC::Heap::zombifyDeadObjects):
861
862 2014-04-29  Tomas Popela  <tpopela@redhat.com>
863
864         LLINT loadisFromInstruction doesn't need special case for big endians
865         https://bugs.webkit.org/show_bug.cgi?id=132330
866
867         Reviewed by Mark Lam.
868
869         The change introduced in r167076 was wrong. We should not apply the offset
870         adjustment on loadisFromInstruction usage as the instruction
871         (UnlinkedInstruction) is declared as a union (i.e. with the int32_t
872         operand variable). The offset of the other union members will be the
873         same as the offset of the first one, that is 0. The behavior here is the
874         same on little and big endian architectures. Thus we don't need a
875         special case for big endians.
876
877         * llint/LowLevelInterpreter.asm:
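
An added example, not WebKit code, modelling the reasoning in the entry above. InstructionSlot is a stand-in for UnlinkedInstruction; static_asserts show that every union member starts at offset 0, and two byte-level loads are simulated for both byte orders. The shape of the rejected "adjustment" (stepping to the low-order half of an 8-byte slot on big endian, as if the operand had been stored as a 64-bit value) is an assumption made for illustration, not taken from r167076; writeOperand, readInt32 and loadisWithBigEndianAdjustment are names invented here.

```cpp
// Added example (not JavaScriptCore code): why a union-typed instruction
// slot needs no big-endian offset adjustment.
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Stand-in for UnlinkedInstruction: a union, so every member is at offset 0.
union InstructionSlot {
    int32_t operand;
    int64_t wide;
    const void* pointer;
};
static_assert(offsetof(InstructionSlot, operand) == 0, "union members all start at offset 0");
static_assert(offsetof(InstructionSlot, pointer) == 0, "union members all start at offset 0");
static_assert(sizeof(InstructionSlot) == 8, "this model assumes an 8-byte slot");

using SlotBytes = std::array<uint8_t, 8>;

// What an int32 store into the union leaves in memory on a machine of the
// given byte order: the operand's 4 bytes at offset 0, the other 4 bytes
// untouched (filled with 0xEE here so a misplaced read is unmistakable).
static SlotBytes writeOperand(int32_t operand, bool bigEndian) {
    SlotBytes slot;
    slot.fill(0xEE);
    const uint32_t bits = static_cast<uint32_t>(operand);
    for (size_t i = 0; i < 4; ++i)
        slot[bigEndian ? 3 - i : i] = static_cast<uint8_t>(bits >> (8 * i));
    return slot;
}

// A 4-byte load at `offset`, honouring the machine's byte order.
static int32_t readInt32(const SlotBytes& slot, size_t offset, bool bigEndian) {
    uint32_t bits = 0;
    for (size_t i = 0; i < 4; ++i)
        bits |= static_cast<uint32_t>(slot[offset + (bigEndian ? 3 - i : i)]) << (8 * i);
    return static_cast<int32_t>(bits);
}

// Correct loadisFromInstruction: the int32_t member is at offset 0 on every
// byte order, so no endian-specific offset is needed.
static int32_t loadisFromInstruction(const SlotBytes& slot, bool bigEndian) {
    return readInt32(slot, 0, bigEndian);
}

// Assumed shape of the adjustment the entry says must not be applied: on big
// endian, read the low-order half of the 8-byte slot. That only works if the
// writer stored a full 64-bit value, which an int32 member store does not.
static int32_t loadisWithBigEndianAdjustment(const SlotBytes& slot, bool bigEndian) {
    return readInt32(slot, bigEndian ? 4 : 0, bigEndian);
}

int main() {
    for (bool bigEndian : {false, true}) {
        SlotBytes slot = writeOperand(-42, bigEndian);
        std::printf("%s endian: union load = %d, adjusted load = %d\n",
                    bigEndian ? "big" : "little",
                    loadisFromInstruction(slot, bigEndian),
                    loadisWithBigEndianAdjustment(slot, bigEndian));
    }
    return 0;
}
```

On little endian both loads agree, which is why the mistake is invisible on the common platforms; on big endian the adjusted load returns the untouched filler bytes instead of the operand.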
878
879 2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>
880
881         Simplify tryCacheGetById
882         https://bugs.webkit.org/show_bug.cgi?id=132314
883
884         Reviewed by Oliver Hunt and Filip Pizlo.
885
886         This is neutral across all benchmarks we track, although it looks like a wee 0.5% progression on sunspider.
887
888         * jit/Repatch.cpp:
889         (JSC::tryCacheGetByID): If we fail to cache on self, we just repatch to call tryBuildGetByIDList next time.
890
891 2014-04-28  Michael Saboff  <msaboff@apple.com>
892
893         REGRESSION(r153142) ASSERT from CodeBlock::dumpBytecode dumping String Switch Jump Tables
894         https://bugs.webkit.org/show_bug.cgi?id=132315
895
896         Reviewed by Mark Hahnenberg.
897
898         Used the StringImpl version of utf8() instead of creating a String first.
899
900         * bytecode/CodeBlock.cpp:
901         (JSC::CodeBlock::dumpBytecode):
902
903 2014-04-28  Filip Pizlo  <fpizlo@apple.com>
904
905         The LLInt is awesome and it should get more of the action.
906
907         Rubber stamped by Geoffrey Garen.
908         
909         5% speed-up on JSBench and no meaningful regressions.  Should be a PLT/DYE speed-up also.
910
911         * runtime/Options.h:
912
913 2014-04-27  Filip Pizlo  <fpizlo@apple.com>
914
915         GC should be able to remove things from the DFG worklist and cancel on-going compilations if it knows that the compilation would already be invalidated
916         https://bugs.webkit.org/show_bug.cgi?id=132166
917
918         Reviewed by Oliver Hunt and Mark Hahnenberg.
919         
920         The GC can aid type inference by removing structures that are dead and jettisoning
921         code that relies on those structures. This can dramatically accelerate type inference
922         for some tricky programs.
923         
924         Unfortunately, we previously pinned any structures that enqueued compilations depended
925         on. This means that if you're on a machine that only runs a single compilation thread
926         and where compilations are relatively slow, you have a high chance of large numbers of
927         structures being pinned during any GC since the compilation queue is likely to be full
928         of random stuff.
929         
930         This comprehensively fixes this issue by allowing the GC to remove compilation plans
931         if the things they depend on are dead, and to even cancel safepointed compilations.
932         
933         * bytecode/CodeBlock.cpp:
934         (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
935         (JSC::CodeBlock::isKnownToBeLiveDuringGC):
936         (JSC::CodeBlock::finalizeUnconditionally):
937         * bytecode/CodeBlock.h:
938         (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan): Deleted.
939         * dfg/DFGDesiredIdentifiers.cpp:
940         (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
941         * dfg/DFGDesiredIdentifiers.h:
942         * dfg/DFGDesiredWatchpoints.h:
943         * dfg/DFGDesiredWeakReferences.cpp:
944         (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
945         * dfg/DFGDesiredWeakReferences.h:
946         * dfg/DFGGraphSafepoint.cpp:
947         (JSC::DFG::GraphSafepoint::GraphSafepoint):
948         * dfg/DFGGraphSafepoint.h:
949         * dfg/DFGPlan.cpp:
950         (JSC::DFG::Plan::Plan):
951         (JSC::DFG::Plan::compileInThread):
952         (JSC::DFG::Plan::compileInThreadImpl):
953         (JSC::DFG::Plan::notifyCompiling):
954         (JSC::DFG::Plan::notifyCompiled):
955         (JSC::DFG::Plan::notifyReady):
956         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
957         (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
958         (JSC::DFG::Plan::cancel):
959         (JSC::DFG::Plan::visitChildren): Deleted.
960         * dfg/DFGPlan.h:
961         * dfg/DFGSafepoint.cpp:
962         (JSC::DFG::Safepoint::Result::~Result):
963         (JSC::DFG::Safepoint::Result::didGetCancelled):
964         (JSC::DFG::Safepoint::Safepoint):
965         (JSC::DFG::Safepoint::~Safepoint):
966         (JSC::DFG::Safepoint::checkLivenessAndVisitChildren):
967         (JSC::DFG::Safepoint::isKnownToBeLiveDuringGC):
968         (JSC::DFG::Safepoint::cancel):
969         (JSC::DFG::Safepoint::visitChildren): Deleted.
970         * dfg/DFGSafepoint.h:
971         (JSC::DFG::Safepoint::Result::Result):
972         * dfg/DFGWorklist.cpp:
973         (JSC::DFG::Worklist::compilationState):
974         (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
975         (JSC::DFG::Worklist::removeAllReadyPlansForVM):
976         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
977         (JSC::DFG::Worklist::visitWeakReferences):
978         (JSC::DFG::Worklist::removeDeadPlans):
979         (JSC::DFG::Worklist::runThread):
980         (JSC::DFG::Worklist::visitChildren): Deleted.
981         * dfg/DFGWorklist.h:
982         * ftl/FTLCompile.cpp:
983         (JSC::FTL::compile):
984         * ftl/FTLCompile.h:
985         * heap/CodeBlockSet.cpp:
986         (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
987         * heap/Heap.cpp:
988         (JSC::Heap::markRoots):
989         (JSC::Heap::visitCompilerWorklistWeakReferences):
990         (JSC::Heap::removeDeadCompilerWorklistEntries):
991         (JSC::Heap::visitWeakHandles):
992         (JSC::Heap::collect):
993         (JSC::Heap::visitCompilerWorklists): Deleted.
994         * heap/Heap.h:
995
996 2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>
997
998         Deleting properties poisons objects
999         https://bugs.webkit.org/show_bug.cgi?id=131551
1000
1001         Reviewed by Oliver Hunt.
1002
1003         This is a ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.
1004
1005         * runtime/JSPropertyNameIterator.cpp:
1006         (JSC::JSPropertyNameIterator::create):
1007         * runtime/PropertyMapHashTable.h:
1008         (JSC::PropertyTable::hasDeletedOffset):
1009         (JSC::PropertyTable::hadDeletedOffset): If we ever had deleted properties we can no longer cache offsets when 
1010         iterating properties because we're required to iterate properties in insertion order.
1011         * runtime/Structure.cpp:
1012         (JSC::Structure::Structure):
1013         (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
1014         (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of 
1015         Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache 
1016         delete transitions, but we allow transitioning from them.
1017         (JSC::Structure::changePrototypeTransition):
1018         (JSC::Structure::despecifyFunctionTransition):
1019         (JSC::Structure::attributeChangeTransition):
1020         (JSC::Structure::toDictionaryTransition):
1021         (JSC::Structure::preventExtensionsTransition):
1022         (JSC::Structure::addPropertyWithoutTransition):
1023         (JSC::Structure::removePropertyWithoutTransition):
1024         (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
1025         (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
1026         * runtime/Structure.h:
1027         * runtime/StructureInlines.h:
1028         (JSC::Structure::setEnumerationCache):
1029         (JSC::Structure::hadDeletedOffsets):
1030         (JSC::Structure::propertyTable):
1031         (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
1032         * tests/stress/for-in-after-delete.js: Added.
1033         (foo):
1034
1035 2014-04-25  Andreas Kling  <akling@apple.com>
1036
1037         Inline (C++) GetByVal with numeric indices more aggressively.
1038         <https://webkit.org/b/132218>
1039
1040         We were already inlining the string indexed GetByVal path pretty well,
1041         while the path for numeric indices got neglected. No more!
1042
1043         ~9.5% improvement on Dromaeo/dom-traverse.html on my MBP:
1044
1045             Before: 199.50 runs/s
1046              After: 218.58 runs/s
1047
1048         Reviewed by Phil Pizlo.
1049
1050         * dfg/DFGOperations.cpp:
1051         * runtime/JSCJSValueInlines.h:
1052         (JSC::JSValue::get):
1053
1054             ALWAYS_INLINE all the things.
1055
1056         * runtime/JSObject.h:
1057         (JSC::JSObject::getPropertySlot):
1058
1059             Avoid fetching the Structure more than once. We have the same
1060             optimization in the string-indexed code path.
1061
1062 2014-04-25  Oliver Hunt  <oliver@apple.com>
1063
1064         Need earlier cell test
1065         https://bugs.webkit.org/show_bug.cgi?id=132211
1066
1067         Reviewed by Mark Lam.
1068
1069         Move cell test to before the function call repatch
1070         location, as the repatch logic for 32bit assumes that the
1071         caller will already have performed a cell check.
1072
1073         * jit/JITCall32_64.cpp:
1074         (JSC::JIT::compileOpCall):
1075
1076 2014-04-25  Andreas Kling  <akling@apple.com>
1077
1078         Un-fast-allocate JSGlobalObjectRareData because Windows doesn't build and I'm not in the mood.
1079
1080         * runtime/JSGlobalObject.h:
1081         (JSC::JSGlobalObject::JSGlobalObjectRareData::JSGlobalObjectRareData):
1082         (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData): Deleted.
1083
1084 2014-04-25  Andreas Kling  <akling@apple.com>
1085
1086         Windows build fix attempt.
1087
1088         * runtime/JSGlobalObject.h:
1089         (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData):
1090
1091 2014-04-25  Mark Lam  <mark.lam@apple.com>
1092
1093         Refactor debugging code to use BreakpointActions instead of Vector<ScriptBreakpointAction>.
1094         <https://webkit.org/b/132201>
1095
1096         Reviewed by Joseph Pecoraro.
1097
1098         BreakpointActions is Vector<ScriptBreakpointAction>.  Let's just consistently use
1099         BreakpointActions everywhere.
1100
1101         * inspector/ScriptBreakpoint.h:
1102         (Inspector::ScriptBreakpoint::ScriptBreakpoint):
1103         * inspector/ScriptDebugServer.cpp:
1104         (Inspector::ScriptDebugServer::setBreakpoint):
1105         (Inspector::ScriptDebugServer::getActionsForBreakpoint):
1106         * inspector/ScriptDebugServer.h:
1107         * inspector/agents/InspectorDebuggerAgent.cpp:
1108         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
1109         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1110         (Inspector::InspectorDebuggerAgent::setBreakpoint):
1111         (Inspector::InspectorDebuggerAgent::removeBreakpoint):
1112         * inspector/agents/InspectorDebuggerAgent.h:
1113
1114 2014-04-24  Filip Pizlo  <fpizlo@apple.com>
1115
1116         DFG worklist scanning should not treat the key as a separate entity
1117         https://bugs.webkit.org/show_bug.cgi?id=132167
1118
1119         Reviewed by Mark Hahnenberg.
1120         
1121         This simplifies the interface to the GC and will enable more optimizations.
1122
1123         * dfg/DFGCompilationKey.cpp:
1124         (JSC::DFG::CompilationKey::visitChildren): Deleted.
1125         * dfg/DFGCompilationKey.h:
1126         * dfg/DFGPlan.cpp:
1127         (JSC::DFG::Plan::visitChildren):
1128         * dfg/DFGWorklist.cpp:
1129         (JSC::DFG::Worklist::visitChildren):
1130
1131 2014-04-25  Oliver Hunt  <oliver@apple.com>
1132
1133         Remove unused parameter from codeblock linking function
1134         https://bugs.webkit.org/show_bug.cgi?id=132199
1135
1136         Reviewed by Anders Carlsson.
1137
1138         No change in behaviour. This is just a small change to make it
1139         slightly easier to reason about what the offsets in UnlinkedFunctionExecutable
1140         actually mean.
1141
1142         * bytecode/UnlinkedCodeBlock.cpp:
1143         (JSC::UnlinkedFunctionExecutable::link):
1144         * bytecode/UnlinkedCodeBlock.h:
1145         * runtime/Executable.cpp:
1146         (JSC::ProgramExecutable::initializeGlobalProperties):
1147
1148 2014-04-25  Andreas Kling  <akling@apple.com>
1149
1150         Mark some things with WTF_MAKE_FAST_ALLOCATED.
1151         <https://webkit.org/b/132198>
1152
1153         Use FastMalloc for more things.
1154
1155         Reviewed by Anders Carlsson.
1156
1157         * builtins/BuiltinExecutables.h:
1158         * heap/GCThreadSharedData.h:
1159         * inspector/JSConsoleClient.h:
1160         * inspector/agents/InspectorAgent.h:
1161         * runtime/CodeCache.h:
1162         * runtime/JSGlobalObject.h:
1163         * runtime/Lookup.cpp:
1164         (JSC::HashTable::createTable):
1165         (JSC::HashTable::deleteTable):
1166         * runtime/WeakGCMap.h:
1167
1168 2014-04-25  Antoine Quint  <graouts@webkit.org>
1169
1170         Implement Array.prototype.find()
1171         https://bugs.webkit.org/show_bug.cgi?id=130966
1172
1173         Reviewed by Oliver Hunt.
1174
1175         Implement Array.prototype.find() and Array.prototype.findIndex() as proposed in the Harmony spec.
1176
1177         * builtins/Array.prototype.js:
1178         (find):
1179         (findIndex):
1180         * runtime/ArrayPrototype.cpp:
1181
1182 2014-04-24  Brady Eidson  <beidson@apple.com>
1183
1184         Rename "IMAGE_CONTROLS" feature to "SERVICE_CONTROLS"
1185         https://bugs.webkit.org/show_bug.cgi?id=132155
1186
1187         Reviewed by Tim Horton.
1188
1189         * Configurations/FeatureDefines.xcconfig:
1190
1191 2014-04-24  Michael Saboff  <msaboff@apple.com>
1192
1193         REGRESSION: Apparent hang of PCE.js Mac OS System 7.0.1 on ARM64 devices
1194         https://bugs.webkit.org/show_bug.cgi?id=132147
1195
1196         Reviewed by Mark Lam.
1197
1198         Fixed or64(), eor32() and eor64() to use the "src" register when we have a valid logicalImm.
1199
1200         * assembler/MacroAssemblerARM64.h:
1201         (JSC::MacroAssemblerARM64::or64):
1202         (JSC::MacroAssemblerARM64::xor32):
1203         (JSC::MacroAssemblerARM64::xor64):
1204         * tests/stress/regress-132147.js: Added test.
1205
1206 2014-04-24  Mark Lam  <mark.lam@apple.com>
1207
1208         Make slowPathAllocsBetweenGCs a runtime option.
1209         <https://webkit.org/b/132137>
1210
1211         Reviewed by Mark Hahnenberg.
1212
1213         This will make it easier to more casually run tests with this configuration
1214         as well as to reproduce issues (instead of requiring a code mod and rebuild).
1215         We will now take --slowPathAllocsBetweenGCs=N where N is the number of
1216         slow path allocations before we trigger a collection.
1217
1218         The option defaults to 0, which is reserved to mean that we will not trigger
1219         any collections there.
1220
1221         * heap/Heap.h:
1222         * heap/MarkedAllocator.cpp:
1223         (JSC::MarkedAllocator::doTestCollectionsIfNeeded):
1224         (JSC::MarkedAllocator::allocateSlowCase):
1225         * heap/MarkedAllocator.h:
1226         * runtime/Options.h:
1227
1228 2014-04-23  Mark Lam  <mark.lam@apple.com>
1229
1230         The GC should only resume compiler threads that it suspended in the same GC pass.
1231         <https://webkit.org/b/132088>
1232
1233         Reviewed by Mark Hahnenberg.
1234
1235         Previously, this scenario could occur:
1236         1. Thread 1 starts a GC and tries to suspend DFG worklist threads.  However,
1237            no worklists were created yet at that time.
1238         2. Thread 2 starts to compile some functions and creates a DFG worklist, and
1239            acquires the worklist thread's lock.
1240         3. Thread 1's GC completes and tries to resume suspended DFG worklist thread.
1241            This time, it sees the worklist created by Thread 2 and ends up unlocking
1242            the worklist thread's lock that is supposedly held by Thread 2.
1243         Thereafter, chaos ensues.
1244
1245         The fix is to cache the worklists that were actually suspended by each GC pass,
1246         and only resume those when the GC is done.
1247
1248         This issue was discovered by enabling COLLECT_ON_EVERY_ALLOCATION and running
1249         the fast/workers layout tests.
1250
1251         * heap/Heap.cpp:
1252         (JSC::Heap::visitCompilerWorklists):
1253         (JSC::Heap::deleteAllCompiledCode):
1254         (JSC::Heap::suspendCompilerThreads):
1255         (JSC::Heap::resumeCompilerThreads):
1256         * heap/Heap.h:
1257
1258 2014-04-23  Mark Hahnenberg  <mhahnenberg@apple.com>
1259
1260         Arguments::copyBackingStore needs to update m_registers in tandem with m_registerArray
1261         https://bugs.webkit.org/show_bug.cgi?id=132079
1262
1263         Reviewed by Michael Saboff.
1264
1265         Since we're moving the register backing store, we don't want to leave a dangling pointer into a random CopiedBlock.
1266
1267         Also added a test that previously triggered this bug.
1268
1269         * runtime/Arguments.cpp:
1270         (JSC::Arguments::copyBackingStore): D'oh!
1271         * tests/stress/arguments-copy-register-array-backing-store.js: Added.
1272         (foo):
1273         (bar):
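
An added example, not WebKit code, modelling the bug described in the entry above: an object owns a backing store (m_registerArray) and also keeps a raw pointer into it (m_registers), so when the store is relocated the alias must be re-based in the same step or it dangles into the old block. The member names follow the entry; the Arguments struct, std::unique_ptr in place of CopiedSpace, and the two helper functions are stand-ins written for this example.

```cpp
// Added example (not JavaScriptCore code): keeping an aliasing pointer in
// sync with the backing store it points into when that store is moved.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <memory>

using Register = int64_t;

struct Arguments {
    std::unique_ptr<Register[]> m_registerArray; // owned backing store
    Register* m_registers = nullptr;             // alias into m_registerArray
    size_t m_count = 0;

    void allocateRegisterArray(size_t count) {
        m_registerArray.reset(new Register[count]());
        m_registers = m_registerArray.get();
        m_count = count;
    }

    // Pre-fix shape: the storage moves, but m_registers still points at the
    // block that is freed when the old unique_ptr is overwritten.
    void copyBackingStoreBuggy() {
        std::unique_ptr<Register[]> fresh(new Register[m_count]);
        std::memcpy(fresh.get(), m_registerArray.get(), m_count * sizeof(Register));
        m_registerArray = std::move(fresh);   // old block released; m_registers now dangles
    }

    // Fixed: record the alias's offset, move the store, re-base the alias.
    void copyBackingStore() {
        std::unique_ptr<Register[]> fresh(new Register[m_count]);
        std::memcpy(fresh.get(), m_registerArray.get(), m_count * sizeof(Register));
        const ptrdiff_t offset = m_registers - m_registerArray.get();
        m_registerArray = std::move(fresh);
        m_registers = m_registerArray.get() + offset;
    }

    // Range check done on integer addresses so a dangling alias is compared,
    // never dereferenced.
    bool aliasIsInsideBackingStore() const {
        const uintptr_t base = reinterpret_cast<uintptr_t>(m_registerArray.get());
        const uintptr_t alias = reinterpret_cast<uintptr_t>(m_registers);
        return alias >= base && alias < base + m_count * sizeof(Register);
    }
};

// True when the fixed copy keeps the alias inside the live store and the
// register contents survive the move.
static bool fixedCopyKeepsAlias() {
    Arguments a;
    a.allocateRegisterArray(4);
    a.m_registers[2] = 7;
    a.copyBackingStore();
    return a.aliasIsInsideBackingStore() && a.m_registers[2] == 7;
}

// True when the buggy copy leaves the alias outside the live store (the new
// block is allocated while the old one is still alive, so the ranges differ).
static bool buggyCopyLeavesDanglingAlias() {
    Arguments a;
    a.allocateRegisterArray(4);
    a.copyBackingStoreBuggy();
    return !a.aliasIsInsideBackingStore();
}
```

The general rule this models: any raw pointer that aliases into a relocatable allocation must be updated in the same operation that relocates it, otherwise the next use is a read or write into freed memory.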
1274
1275 2014-04-23  Mark Rowe  <mrowe@apple.com>
1276
1277         [Mac] REGRESSION (r164823): Building JavaScriptCore creates files under /tmp/JavaScriptCore.dst
1278         <https://webkit.org/b/132053>
1279
1280         Reviewed by Dan Bernstein.
1281
1282         * JavaScriptCore.xcodeproj/project.pbxproj: Don't try to create a symlink at /usr/local/bin/jsc inside
1283         the DSTROOT unless we're building to the deployment location. Also remove the unnecessary -x argument
1284         from /bin/sh since that generates unnecessary output.
1285
1286 2014-04-22  Mark Lam  <mark.lam@apple.com>
1287
1288         DFG::Worklist should acquire the m_lock before iterating DFG plans.
1289         <https://webkit.org/b/132032>
1290
1291         Reviewed by Filip Pizlo.
1292
1293         Currently, there's a rightToRun mechanism that ensures that no compilation
1294         threads are running when the GC is iterating through the DFG worklists.
1295         However, this does not prevent a Worker thread from doing a DFG compilation
1296         and modifying the plans in the worklists thereby invalidating the plan
1297         iterator that the GC is using.  This patch fixes the issue by acquiring
1298         the worklist m_lock before iterating the worklist plans.
1299
1300         This issue was uncovered by running the fast/workers layout tests with
1301         COLLECT_ON_EVERY_ALLOCATION enabled.
1302
1303         * dfg/DFGWorklist.cpp:
1304         (JSC::DFG::Worklist::isActiveForVM):
1305         (JSC::DFG::Worklist::visitChildren):
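
An added example, not WebKit code, modelling this entry together with the entry for bug 132088 above: a GC pass must resume only the worklists it actually suspended, and must hold the worklist's m_lock for the whole time it iterates the plans. Worklist, GCPass, the thread ids and the owner-tracking ThreadLock are stand-ins invented for a single-threaded replay; the simulated lock records its owner so that unlocking a lock held by another thread is reported instead of silently corrupting state, which is what a real mutex would do.

```cpp
// Added example (not JavaScriptCore code): suspend/resume bookkeeping and
// locked plan iteration for a compiler worklist, replayed single-threaded.
#include <cstddef>
#include <map>
#include <memory>
#include <mutex>
#include <string>
#include <vector>

// Simulated per-worklist "right to run": the compile thread holds it while
// compiling, the GC takes it to keep that thread parked.
struct ThreadLock {
    int owner = 0;                                   // 0 = free
    bool lock(int tid) { if (owner) return false; owner = tid; return true; }
    bool unlock(int tid) { if (owner != tid) return false; owner = 0; return true; } // false = not ours
};

struct Worklist {
    ThreadLock rightToRun;
    std::mutex m_lock;                               // guards m_plans
    std::map<std::string, bool> m_plans;             // key -> plan is live

    void enqueue(const std::string& key) {
        std::lock_guard<std::mutex> guard(m_lock);
        m_plans[key] = true;
    }
    // Bug 132032: hold m_lock across the whole iteration so a compile thread
    // cannot insert or erase and invalidate the iterator underneath us.
    size_t visitPlans(std::vector<std::string>& out) {
        std::lock_guard<std::mutex> guard(m_lock);
        for (auto& entry : m_plans)
            out.push_back(entry.first);
        return m_plans.size();
    }
};

using Registry = std::vector<std::shared_ptr<Worklist>>;

struct GCPass {
    int tid;
    Registry snapshot;   // bug 132088 fix: exactly the worklists this pass suspended

    void suspendCompilerThreads(const Registry& all) {
        snapshot = all;                              // copy, not a view of the live registry
        for (auto& w : snapshot)
            w->rightToRun.lock(tid);
    }
    // Fixed: resume only what this pass suspended. False if any unlock was not ours.
    bool resumeCompilerThreads() {
        bool ok = true;
        for (auto& w : snapshot)
            ok = w->rightToRun.unlock(tid) && ok;
        snapshot.clear();
        return ok;
    }
    // Pre-fix shape: walk the live registry at resume time, which may now hold
    // a worklist created and locked by another thread while the GC ran.
    bool resumeCompilerThreadsBuggy(const Registry& all) {
        bool ok = true;
        for (auto& w : all)
            ok = w->rightToRun.unlock(tid) && ok;
        snapshot.clear();
        return ok;
    }
};

// Replays the three steps from the 132088 entry. Returns true when resume
// left thread 2's lock untouched and performed no foreign unlock.
static bool replayScenario(bool fixed) {
    Registry all;
    GCPass gc{1, {}};
    gc.suspendCompilerThreads(all);                  // 1. GC starts; no worklists exist yet
    auto w = std::make_shared<Worklist>();           // 2. thread 2 creates one and takes its lock
    w->rightToRun.lock(2);
    w->enqueue("foo#A");
    all.push_back(w);
    bool ok = fixed ? gc.resumeCompilerThreads()     // 3. GC finishes and resumes
                    : gc.resumeCompilerThreadsBuggy(all);
    return ok && w->rightToRun.owner == 2;
}

// Enqueues two plans and visits them under m_lock; returns the count visited.
static size_t visitPlansUnderLock() {
    Worklist w;
    w.enqueue("foo#A");
    w.enqueue("bar#B");
    std::vector<std::string> seen;
    return w.visitPlans(seen) == seen.size() ? seen.size() : 0;
}
```

The snapshot is the whole fix for 132088: the set of things to undo is decided when the suspension happens, never recomputed at resume time from state another thread may have changed in between.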
1306
1307 2014-04-22  Brent Fulgham  <bfulgham@apple.com>
1308
1309         [Win] Support Python 2.7 in Cygwin
1310         https://bugs.webkit.org/show_bug.cgi?id=132023
1311
1312         Reviewed by Michael Saboff.
1313
1314         * DerivedSources.make: Use a conditional variable to define
1315         the path to Python/Perl.
1316
1317 2014-04-22  Filip Pizlo  <fpizlo@apple.com>
1318
1319         Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS
1320         https://bugs.webkit.org/show_bug.cgi?id=130867
1321         <rdar://problem/16432456> 
1322
1323         Reviewed by Mark Hahnenberg.
1324
1325         * Configurations/Base.xcconfig:
1326         * Configurations/LLVMForJSC.xcconfig:
1327
1328 2014-04-22  Alex Christensen  <achristensen@webkit.org>
1329
1330         [Win] Unreviewed build fix after my r167666.
1331
1332         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
1333         Added ../../../ again to include headers in Source/JavaScriptCore.
1334
1335 2014-04-22  Alex Christensen  <achristensen@webkit.org>
1336
1337         Removed old stdbool and inttypes headers.
1338         https://bugs.webkit.org/show_bug.cgi?id=131966
1339
1340         Reviewed by Brent Fulgham.
1341
1342         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
1343         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
1344         Removed references to os-win32 directory.
1345         * os-win32: Removed.
1346         * os-win32/inttypes.h: Removed.
1347         * os-win32/stdbool.h: Removed.
1348
1349 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
1350
1351         DFG::clobberize() should honestly admit that profiler and debugger nodes are effectful
1352         https://bugs.webkit.org/show_bug.cgi?id=131971
1353         <rdar://problem/16676511>
1354
1355         Reviewed by Mark Lam.
1356
1357         * dfg/DFGClobberize.h:
1358         (JSC::DFG::clobberize):
1359
1360 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
1361
1362         Switch statements that skip the baseline JIT should work
1363         https://bugs.webkit.org/show_bug.cgi?id=131965
1364
1365         Reviewed by Mark Hahnenberg.
1366
1367         * bytecode/JumpTable.h:
1368         (JSC::SimpleJumpTable::ensureCTITable):
1369         * dfg/DFGSpeculativeJIT.cpp:
1370         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1371         * jit/JITOpcodes.cpp:
1372         (JSC::JIT::emit_op_switch_imm):
1373         (JSC::JIT::emit_op_switch_char):
1374         * jit/JITOpcodes32_64.cpp:
1375         (JSC::JIT::emit_op_switch_imm):
1376         (JSC::JIT::emit_op_switch_char):
1377         * tests/stress/inline-llint-with-switch.js: Added.
1378         (foo):
1379         (bar):
1380         (test):
1381
1382 2014-04-21  Mark Hahnenberg  <mhahnenberg@apple.com>
1383
1384         Arguments objects shouldn't need a destructor
1385         https://bugs.webkit.org/show_bug.cgi?id=131899
1386
1387         Reviewed by Oliver Hunt.
1388
1389         This patch rids Arguments objects of their destructors. It does this by 
1390         switching their backing stores to use CopiedSpace rather than malloc memory.
1391
1392         * dfg/DFGSpeculativeJIT.cpp:
1393         (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Fix the code emitted for inline
1394         Arguments allocation so that it only emits an extra write for strict mode code rather
1395         than unconditionally.
1396         * heap/CopyToken.h: New CopyTokens for the two different types of Arguments backing stores.
1397         * runtime/Arguments.cpp:
1398         (JSC::Arguments::visitChildren): We need to tell the collector to copy the backing stores now.
1399         (JSC::Arguments::copyBackingStore): Do the actual copying of the backing stores.
1400         (JSC::Arguments::deletePropertyByIndex): Update all the accesses to SlowArgumentData and m_registerArray.
1401         (JSC::Arguments::deleteProperty):
1402         (JSC::Arguments::defineOwnProperty):
1403         (JSC::Arguments::allocateRegisterArray):
1404         (JSC::Arguments::tearOff):
1405         (JSC::Arguments::destroy): Deleted. We don't need the destructor any more.
1406         * runtime/Arguments.h:
1407         (JSC::Arguments::registerArraySizeInBytes):
1408         (JSC::Arguments::SlowArgumentData::SlowArgumentData): Switch SlowArgumentData to being allocated
1409         in CopiedSpace. Now the SlowArgumentData and its backing store are a single contiguous CopiedSpace
1410         allocation.
1411         (JSC::Arguments::SlowArgumentData::slowArguments):
1412         (JSC::Arguments::SlowArgumentData::bytecodeToMachineCaptureOffset):
1413         (JSC::Arguments::SlowArgumentData::setBytecodeToMachineCaptureOffset):
1414         (JSC::Arguments::SlowArgumentData::sizeForNumArguments):
1415         (JSC::Arguments::Arguments):
1416         (JSC::Arguments::allocateSlowArguments):
1417         (JSC::Arguments::tryDeleteArgument):
1418         (JSC::Arguments::isDeletedArgument):
1419         (JSC::Arguments::isArgument):
1420         (JSC::Arguments::argument):
1421         (JSC::Arguments::finishCreation):
1422         * runtime/SymbolTable.h:
1423
1424 2014-04-21  Eric Carlson  <eric.carlson@apple.com>
1425
1426         [Mac] implement WebKitDataCue
1427         https://bugs.webkit.org/show_bug.cgi?id=131799
1428
1429         Reviewed by Dean Jackson.
1430
1431         * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.
1432
1433 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
1434
1435         Unreviewed test gardening, run the repeat-out-of-bounds tests again.
1436
1437         * tests/stress/float32-repeat-out-of-bounds.js:
1438         * tests/stress/int8-repeat-out-of-bounds.js:
1439
1440 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
1441
1442         OSR exit should know about Int52 and Double constants
1443         https://bugs.webkit.org/show_bug.cgi?id=131945
1444
1445         Reviewed by Oliver Hunt.
1446         
1447         The DFG OSR exit machinery's ignorance would lead to some constants becoming
1448         jsUndefined() after OSR exit.
1449         
1450         The FTL OSR exit machinery's ignorance just meant that we would sometimes use a
1451         stackmap constant rather than baking the constant into the OSRExit data structure.
1452         So, not a big deal, but worth fixing.
1453         
1454         Also added some helpful hacks to jsc.cpp for testing such OSR exit pathologies.
1455
1456         * dfg/DFGByteCodeParser.cpp:
1457         (JSC::DFG::ByteCodeParser::handleIntrinsic):
1458         * dfg/DFGMinifiedNode.h:
1459         (JSC::DFG::belongsInMinifiedGraph):
1460         (JSC::DFG::MinifiedNode::hasConstantNumber):
1461         * ftl/FTLLowerDFGToLLVM.cpp:
1462         (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
1463         * jsc.cpp:
1464         (GlobalObject::finishCreation):
1465         (functionOtherFalse):
1466         (functionUndefined):
1467         * runtime/Intrinsic.h:
1468         * tests/stress/fold-to-double-constant-then-exit.js: Added.
1469         (foo):
1470         * tests/stress/fold-to-int52-constant-then-exit.js: Added.
1471         (foo):
1472
1473 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
1474
1475         Provide feedback when we encounter an unrecognized node in the FTL backend.
1476
1477         Rubber stamped by Alexey Proskuryakov.
1478
1479         * ftl/FTLLowerDFGToLLVM.cpp:
1480         (JSC::FTL::LowerDFGToLLVM::compileNode):
1481
1482 2014-04-21  Andreas Kling  <akling@apple.com>
1483
1484         Move the JSString cache from DOMWrapperWorld to VM.
1485         <https://webkit.org/b/131940>
1486
1487         Reviewed by Geoff Garen.
1488
1489         * runtime/VM.h:
1490
1491 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
1492
1493         Take block execution count estimates into account when voting double
1494         https://bugs.webkit.org/show_bug.cgi?id=131906
1495
1496         Reviewed by Geoffrey Garen.
1497         
1498         This was a drama in three acts.
1499         
1500         Act I: Slurp in BasicBlock::executionCount and use it as a weight when counting the
1501             number of uses of a variable that want double or non-double. Easy as pie. This
1502             gave me a huge speed-up on FloatMM and a huge slow-down on basically everything
1503             else.
1504         
1505         Act II: Realize that there were some programs where our previous double voting was
1506             just on the edge of disaster and making it more precise tipped it over. In
1507             particular, if you had an integer variable that would infrequently be used in a
1508             computation that resulted in a variable that was frequently used as an array index,
1509             the outer infrequentness would be the thing we'd use in the vote. So, an array
1510             index would become double. We fix this by reviving global backwards propagation
1511             and introducing the concept of ReallyWantsInt, which is used just for array
1512             indices. Any variable transitively flagged as ReallyWantsInt will never be forced
1513             double. We need that flag to be separate from UsedAsInt, since UsedAsInt needs to
1514             be set in bitops for RageConversion but using it for double forcing is too much.
1515             Basically, it's cheaper to have to convert a double to an int for a bitop than it
1516             is to convert a double to an int for an array index; also a variable being used as
1517             an array index is a much stronger hint that it ought to be an int. This recovered
1518             performance on everything except programs that used FTL OSR entry.
1519         
1520         Act III: Realize that OSR entrypoint creation creates blocks that have NaN execution
1521             count, which then completely pollutes the weighting - essentially all votes go
1522             NaN. Fix this with some surgical defenses. Basically, any client of execution
1523             counts should allow for them to be NaN and shouldn't completely fall off a cliff
1524             when it happens.
1525         
1526         This is awesome. 75% speed-up on FloatMM. 11% speed-up on audio-dft. This leads to
1527         7% speed-up on AsmBench and 2% speed-up on Kraken.
1528
1529         * CMakeLists.txt:
1530         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1531         * JavaScriptCore.xcodeproj/project.pbxproj:
1532         * dfg/DFGBackwardsPropagationPhase.cpp:
1533         (JSC::DFG::BackwardsPropagationPhase::run):
1534         (JSC::DFG::BackwardsPropagationPhase::propagate):
1535         * dfg/DFGGraph.cpp:
1536         (JSC::DFG::Graph::dumpBlockHeader):
1537         * dfg/DFGGraph.h:
1538         (JSC::DFG::Graph::voteNode):
1539         (JSC::DFG::Graph::voteChildren):
1540         * dfg/DFGNodeFlags.cpp:
1541         (JSC::DFG::dumpNodeFlags):
1542         * dfg/DFGNodeFlags.h:
1543         * dfg/DFGOSREntrypointCreationPhase.cpp:
1544         (JSC::DFG::OSREntrypointCreationPhase::run):
1545         * dfg/DFGPlan.cpp:
1546         (JSC::DFG::Plan::compileInThreadImpl):
1547         * dfg/DFGPredictionPropagationPhase.cpp:
1548         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
1549         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
1550         * dfg/DFGVariableAccessData.cpp: Added.
1551         (JSC::DFG::VariableAccessData::VariableAccessData):
1552         (JSC::DFG::VariableAccessData::mergeIsCaptured):
1553         (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox):
1554         (JSC::DFG::VariableAccessData::predict):
1555         (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction):
1556         (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
1557         (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
1558         (JSC::DFG::VariableAccessData::mergeDoubleFormatState):
1559         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
1560         (JSC::DFG::VariableAccessData::flushFormat):
1561         * dfg/DFGVariableAccessData.h:
1562         (JSC::DFG::VariableAccessData::vote):
1563         (JSC::DFG::VariableAccessData::VariableAccessData): Deleted.
1564         (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
1565         (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox): Deleted.
1566         (JSC::DFG::VariableAccessData::predict): Deleted.
1567         (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction): Deleted.
1568         (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote): Deleted.
1569         (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat): Deleted.
1570         (JSC::DFG::VariableAccessData::mergeDoubleFormatState): Deleted.
1571         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat): Deleted.
1572         (JSC::DFG::VariableAccessData::flushFormat): Deleted.
1573
1574 2014-04-21  Michael Saboff  <msaboff@apple.com>
1575
1576         REGRESSION(r167591): ARM64 and ARM traditional builds broken
1577         https://bugs.webkit.org/show_bug.cgi?id=131935
1578
1579         Reviewed by Mark Hahnenberg.
1580
1581         Added store8(TrustedImm32, MacroAssembler::Address) to the ARM traditional and ARM64
1582         macro assemblers.  Added a new test for the original patch.
1583
1584         * assembler/MacroAssemblerARM.h:
1585         (JSC::MacroAssemblerARM::store8):
1586         * assembler/MacroAssemblerARM64.h:
1587         (JSC::MacroAssemblerARM64::store8):
1588         * tests/stress/dfg-create-arguments-inline-alloc.js: New test.
1589
1590 2014-04-21  Mark Hahnenberg  <mhahnenberg@apple.com>
1591
1592         Inline allocate Arguments objects in the DFG
1593         https://bugs.webkit.org/show_bug.cgi?id=131897
1594
1595         Reviewed by Geoffrey Garen.
1596
1597         Many libraries/frameworks depend on the arguments object for overloaded API entry points. 
1598         This is the first step to making Arguments fast(er). We'll duplicate the logic in Arguments::create 
1599         for now and take the slow path for complicated cases like slow arguments, tearing off for strict mode, etc.
1600
1601         * dfg/DFGSpeculativeJIT.cpp:
1602         (JSC::DFG::SpeculativeJIT::emitAllocateArguments):
1603         * dfg/DFGSpeculativeJIT.h:
1604         (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
1605         * dfg/DFGSpeculativeJIT32_64.cpp:
1606         (JSC::DFG::SpeculativeJIT::compile):
1607         * dfg/DFGSpeculativeJIT64.cpp:
1608         (JSC::DFG::SpeculativeJIT::compile):
1609         * runtime/Arguments.h:
1610         (JSC::Arguments::offsetOfActivation):
1611         (JSC::Arguments::offsetOfOverrodeLength):
1612         (JSC::Arguments::offsetOfIsStrictMode):
1613         (JSC::Arguments::offsetOfRegisterArray):
1614         (JSC::Arguments::offsetOfCallee):
1615         (JSC::Arguments::allocationSize):
1616
1617 2014-04-20  Andreas Kling  <akling@apple.com>
1618
1619         Speed up jsStringWithCache() through WeakGCMap inlining.
1620         <https://webkit.org/b/131923>
1621
1622         Always inline WeakGCMap::add() but move the slow garbage collecting
1623         path out-of-line.
1624
1625         Reviewed by Darin Adler.
1626
1627         * runtime/WeakGCMap.h:
1628         (JSC::WeakGCMap::add):
1629         (JSC::WeakGCMap::gcMap):
1630
1631 2014-04-20  László Langó  <llango.u-szeged@partner.samsung.com>
1632
1633         JavaScriptCore: ARM build fix after r167094.
1634         https://bugs.webkit.org/show_bug.cgi?id=131612
1635
1636         Reviewed by Michael Saboff.
1637
1638         After r167094 there are many build errors on ARM like these:
1639
1640             /tmp/ccgtHRno.s:370: Error: invalid constant (425a) after fixup
1641             /tmp/ccgtHRno.s:374: Error: invalid constant (426e) after fixup
1642             /tmp/ccgtHRno.s:378: Error: invalid constant (4282) after fixup
1643             /tmp/ccgtHRno.s:382: Error: invalid constant (4296) after fixup
1644
1645         Problem is caused by the wrong generated assembly like:
1646             "\tmov r2, (" LOCAL_LABEL_STRING(llint_op_strcat) " - " LOCAL_LABEL_STRING(relativePCBase) ")\n" // /home/webkit/WebKit/Source/JavaScriptCore/llint/LowLevelInterpreter.asm:741
1647
1648         `mov` can only move an 8-bit immediate, but not every constant fits into 8 bits. Clang converts
1649         the mov to a single movw or a movw and a movt, depending on the immediate, but binutils doesn't.
1650         Add a new ARM-specific offline assembler instruction (`mvlbl`) for the following llint_entry
1651         use case: move rn, (label1-label2) which is translated to movw and movt.
1652
1653         * llint/LowLevelInterpreter.asm:
1654         * offlineasm/arm.rb:
1655         * offlineasm/instructions.rb:
1656
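The encoding constraint behind the "invalid constant ... after fixup" errors quoted in the entry above, as an added C example that is not part of the WebKit ChangeLog or of the llint/offlineasm sources: an A32 `mov rd, #imm` only accepts a modified immediate (an 8-bit value rotated right by an even amount), so the code below checks that form for the four constants from the quoted errors and lowers the non-encodable ones to `movw`/`movt` the way the entry describes Clang doing. The register name `r2` is taken from the quoted generated line; the example assumes A32 and ignores Thumb-2 immediates and `mvn`-inverted forms.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not WebKit code. A32 "mov rd, #imm" encodes only a *modified
 * immediate*: an 8-bit payload rotated right by an even number of bits (0..30).
 * Label differences such as llint_op_strcat - relativePCBase usually do not fit,
 * which is what binutils reports as "invalid constant (425a) after fixup".
 * Simplifications (assumptions of this example): A32 only; Thumb-2 immediates and
 * mvn-inverted constants are not considered. */

static uint32_t rol32(uint32_t v, unsigned r)
{
    r &= 31;
    return r ? (v << r) | (v >> (32 - r)) : v;
}

/* Returns the even right-rotation (0..30) such that value == ror(imm8, rot), or -1
 * when value is not an A32 modified immediate. *imm8_out receives the payload. */
static int arm_modified_imm_rotation(uint32_t value, uint8_t *imm8_out)
{
    for (unsigned rot = 0; rot < 32; rot += 2) {
        uint32_t imm8 = rol32(value, rot);   /* rotate left undoes the rotate right */
        if (imm8 <= 0xFF) {
            if (imm8_out)
                *imm8_out = (uint8_t)imm8;
            return (int)rot;
        }
    }
    return -1;
}

static bool arm_mov_can_encode(uint32_t value)
{
    return arm_modified_imm_rotation(value, NULL) >= 0;
}

/* Lower "move rd, #value": plain mov when the constant is a modified immediate,
 * otherwise movw for the low 16 bits (zero-extending) and movt for a non-zero
 * high half. Writes the assembly text to out; returns the instruction count. */
static int lower_mov_constant(const char *rd, uint32_t value, char *out, size_t outlen)
{
    if (arm_mov_can_encode(value)) {
        snprintf(out, outlen, "mov %s, #0x%x", rd, value);
        return 1;
    }
    uint16_t lo = (uint16_t)(value & 0xFFFF);
    uint16_t hi = (uint16_t)(value >> 16);
    if (hi == 0) {
        snprintf(out, outlen, "movw %s, #0x%x", rd, lo);
        return 1;
    }
    snprintf(out, outlen, "movw %s, #0x%x\nmovt %s, #0x%x", rd, lo, rd, hi);
    return 2;
}

int main(void)
{
    /* The four constants from the quoted binutils errors, plus controls:
     * 0xFF000000 and 0x204 are encodable; 0x102 needs an odd rotation, so it is not. */
    const uint32_t samples[] = { 0x425a, 0x426e, 0x4282, 0x4296, 0xFF000000u, 0x204, 0x102 };
    char buf[96];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint8_t imm8 = 0;
        int rot = arm_modified_imm_rotation(samples[i], &imm8);
        if (rot >= 0)
            printf("0x%08x: mov-encodable (imm8=0x%02x ror %d)\n", samples[i], imm8, rot);
        else
            printf("0x%08x: NOT mov-encodable\n", samples[i]);
        lower_mov_constant("r2", samples[i], buf, sizeof buf);
        printf("  -> %s\n", buf);
    }
    return 0;
}
```

The loop tries every even rotation and accepts the first one that squeezes the constant into 8 bits; any constant whose set bits span more than eight positions, or that needs an odd rotation, fails and must be split into two 16-bit halves.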
1657 2014-04-20  Csaba Osztrogonác  <ossy@webkit.org>
1658
1659         [ARM] Unreviewed build fix after r167336.
1660
1661         * assembler/MacroAssemblerARM.h:
1662         (JSC::MacroAssemblerARM::branchAdd32):
1663
1664 2014-04-20  Commit Queue  <commit-queue@webkit.org>
1665
1666         Unreviewed, rolling out r167501.
1667         https://bugs.webkit.org/show_bug.cgi?id=131913
1668
1669         It broke DYEBench (Requested by mhahnenberg on #webkit).
1670
1671         Reverted changeset:
1672
1673         "Deleting properties poisons objects"
1674         https://bugs.webkit.org/show_bug.cgi?id=131551
1675         http://trac.webkit.org/changeset/167501
1676
1677 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
1678
1679         It should be OK to store new fields into objects that have no prototypes
1680         https://bugs.webkit.org/show_bug.cgi?id=131905
1681
1682         Reviewed by Mark Hahnenberg.
1683
1684         * dfg/DFGByteCodeParser.cpp:
1685         (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
1686         * tests/stress/put-by-id-transition-null-prototype.js: Added.
1687         (foo):
1688
1689 2014-04-19  Benjamin Poulain  <bpoulain@apple.com>
1690
1691         Make the CSS JIT compile for ARM64
1692         https://bugs.webkit.org/show_bug.cgi?id=131834
1693
1694         Reviewed by Gavin Barraclough.
1695
1696         Extend the ARM64 MacroAssembler to support the code generation required by
1697         the CSS JIT.
1698
1699         * assembler/MacroAssembler.h:
1700         * assembler/MacroAssemblerARM64.h:
1701         (JSC::MacroAssemblerARM64::addPtrNoFlags):
1702         (JSC::MacroAssemblerARM64::or32):
1703         (JSC::MacroAssemblerARM64::branchPtr):
1704         (JSC::MacroAssemblerARM64::test32):
1705         (JSC::MacroAssemblerARM64::branch):
1706         * assembler/MacroAssemblerX86Common.h:
1707         (JSC::MacroAssemblerX86Common::test32):
1708
1709 2014-04-19  Andreas Kling  <akling@apple.com>
1710
1711         Two little shortcuts to the JSType.
1712         <https://webkit.org/b/131896>
1713
1714         Tweak two sites that take the long road through JSCell::structure()->typeInfo()
1715         to look at data that's already in JSCell::type().
1716
1717         Reviewed by Darin Adler.
1718
1719         * runtime/NameInstance.h:
1720         (JSC::isName):
1721         * runtime/NumberPrototype.cpp:
1722         (JSC::toThisNumber):
1723
1724 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
1725
1726         Make it easier to check if an integer sum would overflow
1727         https://bugs.webkit.org/show_bug.cgi?id=131900
1728
1729         Reviewed by Darin Adler.
1730
1731         * dfg/DFGOperations.cpp:
1732         * runtime/Operations.h:
1733         (JSC::jsString):
1734
1735 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
1736
1737         Address some feedback on https://bugs.webkit.org/show_bug.cgi?id=130684.
1738
1739         * dfg/DFGOperations.cpp:
1740         * runtime/JSString.h:
1741         (JSC::JSRopeString::RopeBuilder::append):
1742
1743 2014-04-18  Mark Lam  <mark.lam@apple.com>
1744
1745         REGRESSION(r164205): WebKit crash @StructureIDTable::get.
1746         <https://webkit.org/b/130539>
1747
1748         Reviewed by Geoffrey Garen.
1749
1750         prepareOSREntry() prepares for OSR entry by first copying the local var
1751         values from the baseline frame to a scratch buffer, which is then used
1752         to fill in the locals in their new position in the DFG frame.  Unfortunately,
1753         prepareOSREntry() was using the DFG frame's frameRegisterCount as the frame
1754         size of the baseline frame.  As a result, some values of locals in the
1755         baseline frame were not saved off, and the DFG frame may get initialized
1756         with random content that happened to be in the uninitialized (and possibly
1757         unallocated) portions of the scratch buffer.
1758
1759         The fix is to use OSREntryData::m_expectedValues.numberOfLocals() as the
1760         number of locals in the baseline frame that we want to copy to the scratch
1761         buffer.
1762
1763         Note: osrEntryThunkGenerator() is expecting the DFG frameRegisterCount
1764         at offset 0 in the scratch buffer.  So, we continue to write that value
1765         there, not the baseline frame size.
1766
1767         * dfg/DFGOSREntry.cpp:
1768         (JSC::DFG::prepareOSREntry):
1769
1770 2014-04-18  Timothy Hatcher  <timothy@apple.com>
1771
1772         Web Inspector: Move InspectorProfilerAgent to JavaScriptCore
1773         https://bugs.webkit.org/show_bug.cgi?id=131673
1774
1775         Passes existing profiler and inspector tests.
1776
1777         Reviewed by Joseph Pecoraro.
1778
1779         * CMakeLists.txt:
1780         * DerivedSources.make:
1781         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1782         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1783         * JavaScriptCore.xcodeproj/project.pbxproj:
1784         * inspector/JSConsoleClient.cpp:
1785         (Inspector::JSConsoleClient::JSConsoleClient):
1786         (Inspector::JSConsoleClient::profile):
1787         (Inspector::JSConsoleClient::profileEnd):
1788         (Inspector::JSConsoleClient::count): Deleted.
1789         * inspector/JSConsoleClient.h:
1790         * inspector/JSGlobalObjectInspectorController.cpp:
1791         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1792         * inspector/agents/InspectorProfilerAgent.cpp: Added.
1793         (Inspector::InspectorProfilerAgent::InspectorProfilerAgent):
1794         (Inspector::InspectorProfilerAgent::~InspectorProfilerAgent):
1795         (Inspector::InspectorProfilerAgent::addProfile):
1796         (Inspector::InspectorProfilerAgent::createProfileHeader):
1797         (Inspector::InspectorProfilerAgent::enable):
1798         (Inspector::InspectorProfilerAgent::disable):
1799         (Inspector::InspectorProfilerAgent::getUserInitiatedProfileName):
1800         (Inspector::InspectorProfilerAgent::getProfileHeaders):
1801         (Inspector::buildInspectorObject):
1802         (Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
1803         (Inspector::InspectorProfilerAgent::getCPUProfile):
1804         (Inspector::InspectorProfilerAgent::removeProfile):
1805         (Inspector::InspectorProfilerAgent::reset):
1806         (Inspector::InspectorProfilerAgent::didCreateFrontendAndBackend):
1807         (Inspector::InspectorProfilerAgent::willDestroyFrontendAndBackend):
1808         (Inspector::InspectorProfilerAgent::start):
1809         (Inspector::InspectorProfilerAgent::stop):
1810         (Inspector::InspectorProfilerAgent::setRecordingProfile):
1811         (Inspector::InspectorProfilerAgent::startProfiling):
1812         (Inspector::InspectorProfilerAgent::stopProfiling):
1813         * inspector/agents/InspectorProfilerAgent.h: Added.
1814         * inspector/agents/JSGlobalObjectProfilerAgent.cpp: Copied from Source/WebCore/inspector/ScriptProfile.idl.
1815         (Inspector::JSGlobalObjectProfilerAgent::JSGlobalObjectProfilerAgent):
1816         (Inspector::JSGlobalObjectProfilerAgent::profilingGlobalExecState):
1817         * inspector/agents/JSGlobalObjectProfilerAgent.h: Copied from Source/WebCore/inspector/ScriptProfile.idl.
1818         * inspector/protocol/Profiler.json: Renamed from Source/WebCore/inspector/protocol/Profiler.json.
1819         * profiler/Profile.h:
1820         * runtime/ConsoleClient.h:
1821
1822 2014-04-18  Commit Queue  <commit-queue@webkit.org>
1823
1824         Unreviewed, rolling out r167527.
1825         https://bugs.webkit.org/show_bug.cgi?id=131883
1826
1827         Broke 32-bit build (Requested by ap on #webkit).
1828
1829         Reverted changeset:
1830
1831         "[Mac] implement WebKitDataCue"
1832         https://bugs.webkit.org/show_bug.cgi?id=131799
1833         http://trac.webkit.org/changeset/167527
1834
1835 2014-04-18  Eric Carlson  <eric.carlson@apple.com>
1836
1837         [Mac] implement WebKitDataCue
1838         https://bugs.webkit.org/show_bug.cgi?id=131799
1839
1840         Reviewed by Dean Jackson.
1841
1842         * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.
1843
1844 2014-04-18  Filip Pizlo  <fpizlo@apple.com>
1845
1846         Actually address Mark's review feedback.
1847
1848         * dfg/DFGOSRExitCompilerCommon.cpp:
1849         (JSC::DFG::handleExitCounts):
1850
1851 2014-04-18  Filip Pizlo  <fpizlo@apple.com>
1852
1853         Options::maximumExecutionCountsBetweenCheckpoints() should be higher for DFG->FTL tier-up but the same for other tier-ups
1854         https://bugs.webkit.org/show_bug.cgi?id=131850
1855
1856         Reviewed by Mark Hahnenberg.
1857         
1858         Templatize ExecutionCounter to allow for two different styles of calculating the
1859         checkpoint threshold.
1860         
1861         Appears to be a slight speed-up on DYEBench.
1862
1863         * bytecode/CodeBlock.h:
1864         (JSC::CodeBlock::llintExecuteCounter):
1865         (JSC::CodeBlock::offsetOfJITExecuteCounter):
1866         (JSC::CodeBlock::offsetOfJITExecutionActiveThreshold):
1867         (JSC::CodeBlock::offsetOfJITExecutionTotalCount):
1868         (JSC::CodeBlock::jitExecuteCounter):
1869         * bytecode/ExecutionCounter.cpp:
1870         (JSC::ExecutionCounter<countingVariant>::ExecutionCounter):
1871         (JSC::ExecutionCounter<countingVariant>::forceSlowPathConcurrently):
1872         (JSC::ExecutionCounter<countingVariant>::checkIfThresholdCrossedAndSet):
1873         (JSC::ExecutionCounter<countingVariant>::setNewThreshold):
1874         (JSC::ExecutionCounter<countingVariant>::deferIndefinitely):
1875         (JSC::applyMemoryUsageHeuristics):
1876         (JSC::applyMemoryUsageHeuristicsAndConvertToInt):
1877         (JSC::ExecutionCounter<countingVariant>::hasCrossedThreshold):
1878         (JSC::ExecutionCounter<countingVariant>::setThreshold):
1879         (JSC::ExecutionCounter<countingVariant>::reset):
1880         (JSC::ExecutionCounter<countingVariant>::dump):
1881         (JSC::ExecutionCounter::ExecutionCounter): Deleted.
1882         (JSC::ExecutionCounter::forceSlowPathConcurrently): Deleted.
1883         (JSC::ExecutionCounter::checkIfThresholdCrossedAndSet): Deleted.
1884         (JSC::ExecutionCounter::setNewThreshold): Deleted.
1885         (JSC::ExecutionCounter::deferIndefinitely): Deleted.
1886         (JSC::ExecutionCounter::applyMemoryUsageHeuristics): Deleted.
1887         (JSC::ExecutionCounter::applyMemoryUsageHeuristicsAndConvertToInt): Deleted.
1888         (JSC::ExecutionCounter::hasCrossedThreshold): Deleted.
1889         (JSC::ExecutionCounter::setThreshold): Deleted.
1890         (JSC::ExecutionCounter::reset): Deleted.
1891         (JSC::ExecutionCounter::dump): Deleted.
1892         * bytecode/ExecutionCounter.h:
1893         (JSC::formattedTotalExecutionCount):
1894         (JSC::ExecutionCounter::maximumExecutionCountsBetweenCheckpoints):
1895         (JSC::ExecutionCounter::clippedThreshold):
1896         (JSC::ExecutionCounter::formattedTotalCount): Deleted.
1897         * dfg/DFGJITCode.h:
1898         * dfg/DFGOSRExitCompilerCommon.cpp:
1899         (JSC::DFG::handleExitCounts):
1900         * llint/LowLevelInterpreter.asm:
1901         * runtime/Options.h:
1902
1903 2014-04-17  Mark Hahnenberg  <mhahnenberg@apple.com>
1904
1905         Deleting properties poisons objects
1906         https://bugs.webkit.org/show_bug.cgi?id=131551
1907
1908         Reviewed by Geoffrey Garen.
1909
1910         This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.
1911
1912         * runtime/Structure.cpp:
1913         (JSC::Structure::Structure):
1914         (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
1915         (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of 
1916         Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache 
1917         delete transitions, but we allow transitioning from them.
1918         (JSC::Structure::changePrototypeTransition):
1919         (JSC::Structure::despecifyFunctionTransition):
1920         (JSC::Structure::attributeChangeTransition):
1921         (JSC::Structure::toDictionaryTransition):
1922         (JSC::Structure::preventExtensionsTransition):
1923         (JSC::Structure::addPropertyWithoutTransition):
1924         (JSC::Structure::removePropertyWithoutTransition):
1925         (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
1926         (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
1927         * runtime/Structure.h:
1928         * runtime/StructureInlines.h:
1929         (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
1930
1931 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
1932
1933         InlineCallFrameSet should be refcounted
1934         https://bugs.webkit.org/show_bug.cgi?id=131829
1935
1936         Reviewed by Geoffrey Garen.
1937         
1938         And DFG::Plan should hold a ref to it. Previously it was owned by Graph until it
1939         became owned by JITCode. Except that if we're "failing" to compile, JITCode may die.
1940         Even as it dies, the GC may still want to scan the DFG::Plan, which leads to scanning
1941         the DesiredWriteBarriers, which leads to scanning the InlineCallFrameSet.
1942         
1943         So, just make the darn thing refcounted.
1944
1945         * bytecode/InlineCallFrameSet.h:
1946         * dfg/DFGArgumentsSimplificationPhase.cpp:
1947         (JSC::DFG::ArgumentsSimplificationPhase::run):
1948         * dfg/DFGByteCodeParser.cpp:
1949         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1950         * dfg/DFGCommonData.h:
1951         * dfg/DFGGraph.cpp:
1952         (JSC::DFG::Graph::Graph):
1953         (JSC::DFG::Graph::requiredRegisterCountForExit):
1954         * dfg/DFGGraph.h:
1955         * dfg/DFGJITCompiler.cpp:
1956         (JSC::DFG::JITCompiler::link):
1957         * dfg/DFGPlan.cpp:
1958         (JSC::DFG::Plan::Plan):
1959         * dfg/DFGPlan.h:
1960         * dfg/DFGStackLayoutPhase.cpp:
1961         (JSC::DFG::StackLayoutPhase::run):
1962         * ftl/FTLFail.cpp:
1963         (JSC::FTL::fail):
1964         * ftl/FTLLink.cpp:
1965         (JSC::FTL::link):
1966
1967 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
1968
1969         FTL::fail() should manage memory "correctly"
1970         https://bugs.webkit.org/show_bug.cgi?id=131823
1971         <rdar://problem/16384297>
1972
1973         Reviewed by Oliver Hunt.
1974
1975         * ftl/FTLFail.cpp:
1976         (JSC::FTL::fail):
1977
1978 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
1979
1980         Prediction propagator should correctly model Int52s flowing through arguments
1981         https://bugs.webkit.org/show_bug.cgi?id=131822
1982         <rdar://problem/16641408>
1983
1984         Reviewed by Oliver Hunt.
1985
1986         * dfg/DFGPredictionPropagationPhase.cpp:
1987         (JSC::DFG::PredictionPropagationPhase::propagate):
1988         * tests/stress/int52-argument.js: Added.
1989         (foo):
1990         * tests/stress/int52-variable.js: Added.
1991         (foo):
1992
1993 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
1994
1995         REGRESSION: ASSERT(!typeInfo().hasImpureGetOwnPropertySlot() || typeInfo().newImpurePropertyFiresWatchpoints()) on jquery tests
1996         https://bugs.webkit.org/show_bug.cgi?id=131798
1997
1998         Reviewed by Alexey Proskuryakov.
1999         
2000         Some day, we will fix https://bugs.webkit.org/show_bug.cgi?id=131810 and some version
2001         of this assertion can return. For now, it's not clear that the assertion is guarding
2002         any truly undesirable behavior - so it should just go away and be replaced with a
2003         FIXME.
2004
2005         * bytecode/GetByIdStatus.cpp:
2006         (JSC::GetByIdStatus::computeForStubInfo):
2007         * runtime/Structure.h:
2008         (JSC::Structure::takesSlowPathInDFGForImpureProperty):
2009
2010 2014-04-17  David Kilzer  <ddkilzer@apple.com>
2011
2012         Blind attempt to fix Windows build after r166837
2013         <http://webkit.org/b/131246>
2014
2015         Hoping to fix this build error:
2016
2017             warning MSB8027: Two or more files with the name of GCLogging.cpp will produce outputs to the same location. This can lead to an incorrect build result.  The files involved are ..\heap\GCLogging.cpp, ..\heap\GCLogging.cpp.
2018
2019         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Fix copy-paste
2020         boo-boo by changing the GCLogging.cpp ClCompile entry to a
2021         GCLogging.h ClInclude entry.
2022
2023 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
2024
2025         AI for GetLocal should match the DFG backend, and in this case, the best way to do that is to get rid of the "exit if empty prediction" thing since it's a vestige of a time long gone
2026         https://bugs.webkit.org/show_bug.cgi?id=131764
2027
2028         Reviewed by Geoffrey Garen.
2029         
2030         The attached test case can be made to not crash by deleting old code. It used to be
2031         the case that the DFG needed empty prediction guards, for shady reasons. We fixed that
2032         long ago. At this point, these guards just make life difficult. So get rid of them.
2033
2034         * dfg/DFGAbstractInterpreterInlines.h:
2035         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2036         * dfg/DFGSpeculativeJIT32_64.cpp:
2037         (JSC::DFG::SpeculativeJIT::compile):
2038         * dfg/DFGSpeculativeJIT64.cpp:
2039         (JSC::DFG::SpeculativeJIT::compile):
2040         * tests/stress/bug-131764.js: Added.
2041         (test1):
2042         (test2):
2043
2044 2014-04-17  Darin Adler  <darin@apple.com>
2045
2046         Add separate flag for IndexedDatabase in workers since the current implementation is not threadsafe
2047         https://bugs.webkit.org/show_bug.cgi?id=131785
2048         rdar://problem/16003108
2049
2050         Reviewed by Brady Eidson.
2051
2052         * Configurations/FeatureDefines.xcconfig: Added INDEXED_DATABASE_IN_WORKERS.
2053
2054 2014-04-16  Alexey Proskuryakov  <ap@apple.com>
2055
2056         Build fix after http://trac.webkit.org/changeset/167416 (Sink NaN sanitization)
2057
2058         * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::speculate):
2059
2060 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
2061
2062         Extra error reporting for invalid value conversions
2063         https://bugs.webkit.org/show_bug.cgi?id=131786
2064
2065         Rubber stamped by Ryosuke Niwa.
2066
2067         * dfg/DFGFixupPhase.cpp:
2068         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2069
2070 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
2071
2072         Sink NaN sanitization to uses and remove it when it's unnecessary
2073         https://bugs.webkit.org/show_bug.cgi?id=131419
2074
2075         Reviewed by Oliver Hunt.
2076         
2077         This moves NaN purification to stores that could see an impure NaN.
2078         
2079         5% speed-up on AsmBench, 50% speed-up on AsmBench/n-body. It is a regression on FloatMM
2080         though, because of the other bug that causes that benchmark to box doubles in a loop.
2081
2082         * bytecode/SpeculatedType.h:
2083         (JSC::isInt32SpeculationForArithmetic):
2084         (JSC::isMachineIntSpeculationForArithmetic):
2085         (JSC::isDoubleSpeculation):
2086         (JSC::isDoubleSpeculationForArithmetic):
2087         * dfg/DFGAbstractInterpreterInlines.h:
2088         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2089         * dfg/DFGAbstractValue.cpp:
2090         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
2091         * dfg/DFGFixupPhase.cpp:
2092         (JSC::DFG::FixupPhase::fixupNode):
2093         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2094         * dfg/DFGInPlaceAbstractState.cpp:
2095         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
2096         * dfg/DFGPredictionPropagationPhase.cpp:
2097         (JSC::DFG::PredictionPropagationPhase::propagate):
2098         * dfg/DFGSpeculativeJIT.cpp:
2099         (JSC::DFG::SpeculativeJIT::compileValueRep):
2100         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
2101         * dfg/DFGUseKind.h:
2102         (JSC::DFG::typeFilterFor):
2103         * ftl/FTLLowerDFGToLLVM.cpp:
2104         (JSC::FTL::LowerDFGToLLVM::compileValueRep):
2105         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2106         * runtime/PureNaN.h:
2107         * tests/stress/float32-array-nan-inlined.js: Added.
2108         (foo):
2109         (test):
2110         * tests/stress/float32-array-nan.js: Added.
2111         (foo):
2112         (test):
2113         * tests/stress/float64-array-nan-inlined.js: Added.
2114         (foo):
2115         (isBigEndian):
2116         (test):
2117         * tests/stress/float64-array-nan.js: Added.
2118         (foo):
2119         (isBigEndian):
2120         (test):
2121
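NaN purification as discussed in the entry above (and in the later "Discern between NaNs that would be safe to tag and NaNs that need some purification before tagging" entry), as an added C example that is not WebKit code: a simplified 64-bit NaN-boxing layout with a pointer tag, an int32 tag and doubles offset by 2^48. The constants and type names are this example's own assumptions, not JavaScriptCore's source. It shows why a NaN carrying arbitrary payload bits, such as one read from a Float64Array or widened from a Float32Array element, must be replaced by a canonical pure NaN before it is boxed, and what the boxed value decodes as when that step is skipped.

```c
#include <math.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not WebKit code. Simplified NaN-boxing: pointers have a zero top
 * 16 bits, int32s carry INT32_TAG, and doubles are stored as bits + 2^48 so that
 * every non-NaN double lands in the free tag range. Constants are assumptions. */
#define DOUBLE_ENCODE_OFFSET 0x0001000000000000ULL
#define INT32_TAG            0xFFFF000000000000ULL
#define PURE_NAN_BITS        0x7FF8000000000000ULL   /* canonical quiet NaN */

typedef enum { TAG_POINTER, TAG_INT32, TAG_DOUBLE } Tag;

static uint64_t double_bits(double d) { uint64_t b; memcpy(&b, &d, 8); return b; }
static double bits_double(uint64_t b) { double d; memcpy(&d, &b, 8); return d; }

static uint64_t box_int32(int32_t i) { return INT32_TAG | (uint32_t)i; }

/* Unchecked encoding: correct only if the caller already purified NaNs. */
static uint64_t box_double_unchecked(double d) { return double_bits(d) + DOUBLE_ENCODE_OFFSET; }
static double unbox_double(uint64_t v) { return bits_double(v - DOUBLE_ENCODE_OFFSET); }

static Tag decode_tag(uint64_t v)
{
    uint16_t top = (uint16_t)(v >> 48);
    if (top == 0) return TAG_POINTER;
    if (top == 0xFFFF) return TAG_INT32;
    return TAG_DOUBLE;
}

static const char *tag_name(Tag t)
{
    return t == TAG_POINTER ? "pointer" : t == TAG_INT32 ? "int32" : "double";
}

/* Impure for this layout: a NaN whose top 16 bits are 0xFFFE (offset makes it the
 * int32 tag) or 0xFFFF (offset wraps it to a pointer-tagged value). */
static bool is_impure_nan(double d)
{
    uint16_t top = (uint16_t)(double_bits(d) >> 48);
    return isnan(d) && (top == 0xFFFE || top == 0xFFFF);
}

/* Purification: collapse every NaN to the canonical pattern, keep other values. */
static double purify_nan(double d) { return isnan(d) ? bits_double(PURE_NAN_BITS) : d; }

static uint64_t box_double(double d) { return box_double_unchecked(purify_nan(d)); }

/* Widen a raw float32 bit pattern to float64 (models a Float32Array element read).
 * For inf/NaN the IEEE rule shifts the payload into the top of the significand,
 * so a float32 NaN payload survives and can be impure for the 64-bit layout. */
static double widen_float_bits(uint32_t f)
{
    uint64_t sign = (uint64_t)(f >> 31) << 63;
    uint32_t exp = (f >> 23) & 0xFF;
    uint64_t frac = (uint64_t)(f & 0x7FFFFF) << 29;
    if (exp == 0xFF)
        return bits_double(sign | (0x7FFULL << 52) | frac);
    float fl;
    memcpy(&fl, &f, 4);
    return (double)fl;   /* finite values: ordinary conversion */
}

int main(void)
{
    /* Constructed NaN bit patterns standing in for Float64Array contents whose
     * backing bytes an attacker controls; the last one is the pure NaN. */
    const uint64_t samples[] = { 0xFFFF000000001234ULL, 0xFFFE0000DEADBEEFULL, PURE_NAN_BITS };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        double d = bits_double(samples[i]);
        printf("%016llx impure=%d unchecked->%s purified->%s\n",
               (unsigned long long)samples[i], is_impure_nan(d),
               tag_name(decode_tag(box_double_unchecked(d))),
               tag_name(decode_tag(box_double(d))));
    }
    double f = widen_float_bits(0xFFFFFFFFu);
    printf("float32 ffffffff widens to %016llx impure=%d\n",
           (unsigned long long)double_bits(f), is_impure_nan(f));
    return 0;
}
```

Boxing the first sample without purification yields a value whose tag reads as a pointer (0x1234), and the second reads as an int32: a double has turned into a different type without any cast. Purifying before the store is what makes the double path safe, and the entry's point is that this sanitization only needs to happen at stores that can actually see an impure NaN, not on every arithmetic result.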
2122 2014-04-16  Brent Fulgham  <bfulgham@apple.com>
2123
2124         [Win] Unreviewed Windows gardening. Restrict our new 'isinf' check
2125         to 32-bit builds, and revise the comment to explain what we are
2126         doing.
2127
2128         * runtime/JSCJSValueInlines.h:
2129         (JSC::JSValue::isMachineInt): Provide motivation for the new
2130         'isinf' check for our 32-bit code path.
2131
2132 2014-04-16  Juergen Ributzka  <juergen@apple.com>
2133
2134         Allocate the data section on the heap again for FTL on ARM64
2135         https://bugs.webkit.org/show_bug.cgi?id=130156
2136
2137         Reviewed by Geoffrey Garen and Filip Pizlo.
2138
2139         * ftl/FTLCompile.cpp:
2140         (JSC::FTL::mmAllocateDataSection):
2141         * ftl/FTLDataSection.cpp:
2142         (JSC::FTL::DataSection::DataSection):
2143         (JSC::FTL::DataSection::~DataSection):
2144         * ftl/FTLDataSection.h:
2145
2146 2014-04-16  Mark Lam  <mark.lam@apple.com>
2147
2148         Crash in CodeBlock::setOptimizationThresholdBasedOnCompilationResult() when the debugger activates.
2149         <https://webkit.org/b/131747>
2150
2151         Reviewed by Filip Pizlo.
2152
2153         When the debugger is about to activate (e.g. enter stepping mode), it first
2154         waits for all DFG compilations to complete.  However, when the DFG completes,
2155         if compilation is successful, it will install a new DFG codeBlock.  The
2156         CodeBlock installation process is required to register codeBlocks with the
2157         debugger.  Debugger::registerCodeBlock() will eventually call
2158         CodeBlock::setSteppingMode() which may jettison the DFG codeBlock that we're
2159         trying to install.  Thereafter, chaos ensues.
2160
2161         This jettisoning only happens because the debugger currently sets its
2162         m_steppingMode flag before waiting for compilation to complete.  The fix is
2163         simply to set that flag only after compilation is complete.
2164
2165         * debugger/Debugger.cpp:
2166         (JSC::Debugger::setSteppingMode):
2167         (JSC::Debugger::registerCodeBlock):
2168
2169 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
2170
2171         Discern between NaNs that would be safe to tag and NaNs that need some purification before tagging
2172         https://bugs.webkit.org/show_bug.cgi?id=131420
2173
2174         Reviewed by Oliver Hunt.
2175         
2176         Rationalizes our handling of NaNs. We now have the notion of pureNaN(), or PNaN, which
2177         replaces QNaN and represents a "safe" NaN for our tagging purposes. NaN purification now
2178         goes through the purifyNaN() API.
2179         
2180         SpeculatedType and its clients can now distinguish between a PureNaN and an ImpureNaN.
2181         
2182         Prediction propagator is made slightly more cautious when dealing with NaNs. It doesn't
2183         have to be too cautious since most prediction-based logic only cares about whether or not
2184         a value could be an integer.
2185         
2186         AI is made much more cautious when dealing with NaNs. We don't yet introduce ImpureNaN
2187         anywhere in the compiler, but when we do, we ought to be able to trust AI to propagate it
2188         soundly and precisely.
2189         
2190         No performance change because this just unblocks
2191         https://bugs.webkit.org/show_bug.cgi?id=131419.
2192
2193         * API/JSValueRef.cpp:
2194         (JSValueMakeNumber):
2195         (JSValueToNumber):
2196         * JavaScriptCore.xcodeproj/project.pbxproj:
2197         * bytecode/SpeculatedType.cpp:
2198         (JSC::dumpSpeculation):
2199         (JSC::speculationFromValue):
2200         (JSC::typeOfDoubleSum):
2201         (JSC::typeOfDoubleDifference):
2202         (JSC::typeOfDoubleProduct):
2203         (JSC::polluteDouble):
2204         (JSC::typeOfDoubleQuotient):
2205         (JSC::typeOfDoubleMinMax):
2206         (JSC::typeOfDoubleNegation):
2207         (JSC::typeOfDoubleAbs):
2208         (JSC::typeOfDoubleFRound):
2209         (JSC::typeOfDoubleBinaryOp):
2210         (JSC::typeOfDoubleUnaryOp):
2211         * bytecode/SpeculatedType.h:
2212         * dfg/DFGAbstractInterpreterInlines.h:
2213         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2214         * dfg/DFGByteCodeParser.cpp:
2215         (JSC::DFG::ByteCodeParser::handleInlining):
2216         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2217         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
2218         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
2219         * dfg/DFGInPlaceAbstractState.cpp:
2220         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
2221         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
2222         (JSC::DFG::createPreHeader):
2223         * dfg/DFGNode.h:
2224         (JSC::DFG::BranchTarget::BranchTarget):
2225         * dfg/DFGOSREntrypointCreationPhase.cpp:
2226         (JSC::DFG::OSREntrypointCreationPhase::run):
2227         * dfg/DFGOSRExitCompiler32_64.cpp:
2228         (JSC::DFG::OSRExitCompiler::compileExit):
2229         * dfg/DFGOSRExitCompiler64.cpp:
2230         (JSC::DFG::OSRExitCompiler::compileExit):
2231         * dfg/DFGPredictionPropagationPhase.cpp:
2232         (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
2233         (JSC::DFG::PredictionPropagationPhase::propagate):
2234         * dfg/DFGSpeculativeJIT.cpp:
2235         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
2236         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
2237         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
2238         * dfg/DFGSpeculativeJIT32_64.cpp:
2239         (JSC::DFG::SpeculativeJIT::compile):
2240         * dfg/DFGSpeculativeJIT64.cpp:
2241         (JSC::DFG::SpeculativeJIT::compile):
2242         * dfg/DFGVariableAccessData.h:
2243         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
2244         * ftl/FTLLowerDFGToLLVM.cpp:
2245         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2246         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2247         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
2248         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
2249         (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
2250         (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
2251         (JSC::FTL::LowerDFGToLLVM::allocateJSArray):
2252         * ftl/FTLValueFormat.cpp:
2253         (JSC::FTL::reboxAccordingToFormat):
2254         * jit/AssemblyHelpers.cpp:
2255         (JSC::AssemblyHelpers::purifyNaN):
2256         (JSC::AssemblyHelpers::sanitizeDouble): Deleted.
2257         * jit/AssemblyHelpers.h:
2258         * jit/JITPropertyAccess.cpp:
2259         (JSC::JIT::emitFloatTypedArrayGetByVal):
2260         * runtime/DateConstructor.cpp:
2261         (JSC::constructDate):
2262         * runtime/DateInstanceCache.h:
2263         (JSC::DateInstanceData::DateInstanceData):
2264         (JSC::DateInstanceCache::reset):
2265         * runtime/ExceptionHelpers.cpp:
2266         (JSC::TerminatedExecutionError::defaultValue):
2267         * runtime/JSArray.cpp:
2268         (JSC::JSArray::setLength):
2269         (JSC::JSArray::pop):
2270         (JSC::JSArray::shiftCountWithAnyIndexingType):
2271         (JSC::JSArray::sortVector):
2272         (JSC::JSArray::compactForSorting):
2273         * runtime/JSArray.h:
2274         (JSC::JSArray::create):
2275         (JSC::JSArray::tryCreateUninitialized):
2276         * runtime/JSCJSValue.cpp:
2277         (JSC::JSValue::toNumberSlowCase):
2278         * runtime/JSCJSValue.h:
2279         * runtime/JSCJSValueInlines.h:
2280         (JSC::jsNaN):
2281         (JSC::JSValue::JSValue):
2282         (JSC::JSValue::getPrimitiveNumber):
2283         * runtime/JSGlobalObjectFunctions.cpp:
2284         (JSC::parseInt):
2285         (JSC::jsStrDecimalLiteral):
2286         (JSC::toDouble):
2287         (JSC::jsToNumber):
2288         (JSC::parseFloat):
2289         * runtime/JSObject.cpp:
2290         (JSC::JSObject::createInitialDouble):
2291         (JSC::JSObject::convertUndecidedToDouble):
2292         (JSC::JSObject::convertInt32ToDouble):
2293         (JSC::JSObject::deletePropertyByIndex):
2294         (JSC::JSObject::ensureLengthSlow):
2295         * runtime/MathObject.cpp:
2296         (JSC::mathProtoFuncMax):
2297         (JSC::mathProtoFuncMin):
2298         * runtime/PureNaN.h: Added.
2299         (JSC::pureNaN):
2300         (JSC::isImpureNaN):
2301         (JSC::purifyNaN):
2302         * runtime/TypedArrayAdaptors.h:
2303         (JSC::FloatTypedArrayAdaptor::toJSValue):
2304
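The entry above introduces pureNaN()/purifyNaN() and, via FloatTypedArrayAdaptor::toJSValue and the float32/float64-array-nan tests listed earlier on this page, ties them to typed-array reads. The following is an added example, not JSC's code: a minimal NaN-boxing model in the style of JSC's 64-bit JSValue encoding (the layout, the 2^48 offset and the tag constants are assumptions chosen for illustration) that shows why a NaN carrying an attacker-chosen payload, which a Float64Array can hand the engine directly, must be canonicalized before it is tagged. Without purification the boxed word can satisfy the int32 (or pointer) tag test, which is a type confusion.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Illustrative NaN-boxing constants modelled on a JSC-style 64-bit encoding.
// Assumption: the real engine's layout may differ; these exist for the demo.
//   pointer: 0000:PPPP:PPPP:PPPP   (top 16 bits zero)
//   int32:   FFFE:0000:IIII:IIII   (top 16 bits 0xFFFE)
//   double:  raw IEEE-754 bits + 2^48, so ordinary doubles land in 0001.. to FFFE..
static const uint64_t kDoubleEncodeOffset = 1ULL << 48;
static const uint64_t kTagTypeNumber      = 0xFFFE000000000000ULL;
static const uint64_t kPureNaNBits        = 0x7FF8000000000000ULL;  // canonical quiet NaN

uint64_t bitsOf(double d)     { uint64_t b; std::memcpy(&b, &d, sizeof b); return b; }
double   doubleFrom(uint64_t b) { double d; std::memcpy(&d, &b, sizeof d); return d; }

double pureNaN() { return doubleFrom(kPureNaNBits); }

// A NaN is "impure" if its bit pattern is anything other than the canonical one.
bool isImpureNaN(double d) { return std::isnan(d) && bitsOf(d) != kPureNaNBits; }

// Collapse every NaN to the canonical pattern; non-NaN values pass through unchanged.
double purifyNaN(double d) { return std::isnan(d) ? pureNaN() : d; }

enum class Kind { Pointer, Int32, Double };

// Naive boxing: add the offset without purifying. Only safe for pure NaNs.
uint64_t boxDoubleUnchecked(double d) { return bitsOf(d) + kDoubleEncodeOffset; }

// Boxing with purification: every NaN becomes kPureNaNBits + 2^48, which the
// tag tests below still classify as a double.
uint64_t boxDouble(double d) { return boxDoubleUnchecked(purifyNaN(d)); }

// What a consumer concludes when it later inspects the boxed word.
Kind classify(uint64_t boxed) {
    if ((boxed & kTagTypeNumber) == kTagTypeNumber) return Kind::Int32;
    if ((boxed >> 48) == 0) return Kind::Pointer;
    return Kind::Double;
}

// Constructed input: a Float64Array lets script store any 64-bit pattern. This
// one is a NaN (exponent all ones, non-zero mantissa) whose top 16 bits are
// 0xFFFE, so after the +2^48 offset the word passes the int32 tag test.
double hostileNaNFromTypedArray() { return doubleFrom(0xFFFE000000000001ULL); }

int main() {
    double hostile = hostileNaNFromTypedArray();
    std::printf("impure NaN: %d\n", isImpureNaN(hostile));
    std::printf("unchecked box classified as Int32: %d\n",
                classify(boxDoubleUnchecked(hostile)) == Kind::Int32);
    std::printf("purified box classified as Double: %d\n",
                classify(boxDouble(hostile)) == Kind::Double);
    return 0;
}
```

The same reasoning explains why the ChangeLog wants AI to track PureNaN versus ImpureNaN as distinct speculated types: a value known to be PureNaN (or never NaN) can skip the purification step, but anything that may be ImpureNaN must go through purifyNaN() before it is boxed.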
2305 2014-04-16  Juergen Ributzka  <juergen@apple.com>
2306
2307         Enable system library calls in FTL for ARM64
2308         https://bugs.webkit.org/show_bug.cgi?id=130154
2309
2310         Reviewed by Geoffrey Garen and Filip Pizlo.
2311
2312         * ftl/FTLIntrinsicRepository.h:
2313         * ftl/FTLOutput.h:
2314         (JSC::FTL::Output::doubleRem):
2315         (JSC::FTL::Output::doubleSin):
2316         (JSC::FTL::Output::doubleCos):
2317
2318 2014-04-16  peavo@outlook.com  <peavo@outlook.com>
2319
2320         Fix JSC Debug Regressions on Windows
2321         https://bugs.webkit.org/show_bug.cgi?id=131182
2322
2323         Reviewed by Brent Fulgham.
2324
2325         The cast static_cast<int64_t>(number) in JSValue::isMachineInt() can generate a floating point error,
2326         and set the st floating point register tags, if the value of the number parameter is infinite.
2327         If the st floating point register tags are not cleared, this can cause strange floating point behavior later on.
2328         This can be avoided by checking for infinity first.
2329
2330         * runtime/JSCJSValueInlines.h:
2331         (JSC::JSValue::isMachineInt): Avoid floating point error by checking for infinity first.
2332         * runtime/Options.cpp:
2333         (JSC::recomputeDependentOptions): Re-enable jit for Windows.
2334
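The entry above fixes JSValue::isMachineInt() by testing for infinity before the static_cast<int64_t>. As an added example, not JSC's code, here is a stand-alone version of that check with the rejection order made explicit. It assumes a "machine int" is an integer-valued double in the signed 52-bit range [-2^51, 2^51 - 1] with -0.0 excluded; the page does not show JSC's exact bounds, so treat kMaxInt52 as an assumption. The point the fix relies on: converting an infinity, a NaN or any double outside the int64 range to int64_t is undefined behaviour in C++, and on x86 it raises the invalid-operation flag (the ChangeLog reports it also leaves the x87 tag word dirty on 32-bit Windows), so every such value has to be rejected by double comparisons before any cast.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>

// Assumption for this example: Int52 covers [-2^51, 2^51 - 1].
static const int64_t kMaxInt52 = int64_t(1) << 51;

enum class Reject { None, NaN, Infinite, OutOfInt52Range, NotInteger, NegativeZero };

// Decide whether a double is a "machine int", reporting why it is not.
// Order matters: every branch before the cast uses only floating-point
// comparisons, so the cast itself is always well-defined when reached.
Reject checkMachineInt(double number) {
    if (std::isnan(number)) return Reject::NaN;        // NaN compares unequal to itself
    if (std::isinf(number)) return Reject::Infinite;   // the case the fix adds
    // 2^51 is exactly representable, so these comparisons are exact and
    // guarantee |number| < 2^63 before we convert.
    if (number >= static_cast<double>(kMaxInt52) ||
        number < -static_cast<double>(kMaxInt52))
        return Reject::OutOfInt52Range;
    int64_t asInt64 = static_cast<int64_t>(number);    // now safe: truncates toward zero
    if (static_cast<double>(asInt64) != number) return Reject::NotInteger;
    if (asInt64 == 0 && std::signbit(number)) return Reject::NegativeZero;  // -0.0 is not an int
    return Reject::None;
}

bool isMachineInt(double number) { return checkMachineInt(number) == Reject::None; }

int main() {
    const double samples[] = { INFINITY, -INFINITY, NAN, -0.0, 3.5, 42.0,
                               2251799813685247.0,   // 2^51 - 1
                               2251799813685248.0 }; // 2^51
    for (double d : samples)
        std::printf("%.1f -> %s\n", d, isMachineInt(d) ? "machine int" : "rejected");
    return 0;
}
```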
2335 2014-04-16  Oliver Hunt  <oliver@apple.com>
2336
2337         Simple ES6 feature: Array.prototype.fill
2338         https://bugs.webkit.org/show_bug.cgi?id=131703
2339
2340         Reviewed by David Hyatt.
2341
2342         Add support for Array.prototype.fill
2343
2344         * builtins/Array.prototype.js:
2345         (fill):
2346         * runtime/ArrayPrototype.cpp:
2347
2348 2014-04-16  Mark Hahnenberg  <mhahnenberg@apple.com>
2349
2350         [WebKit] Cleanup the build from uninitialized variable in JavaScriptCore
2351         https://bugs.webkit.org/show_bug.cgi?id=131728
2352
2353         Reviewed by Darin Adler.
2354
2355         * runtime/JSObject.cpp:
2356         (JSC::JSObject::genericConvertDoubleToContiguous): Add a RELEASE_ASSERT on the 
2357         path we expect to never take. Also shut up confused compilers about uninitialized things.
2358
2359 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
2360
2361         Unreviewed, ARMv7 build fix after r167336.
2362
2363         * assembler/MacroAssemblerARMv7.h:
2364         (JSC::MacroAssemblerARMv7::branchAdd32):
2365
2366 2014-04-16  Gabor Rapcsanyi  <rgabor@webkit.org>
2367
2368         Unreviewed, ARM64 build fix after r167336.
2369
2370         * assembler/MacroAssemblerARM64.h:
2371         (JSC::MacroAssemblerARM64::branchAdd32): Add missing function.
2372
2373 2014-04-15  Filip Pizlo  <fpizlo@apple.com>
2374
2375         Unreviewed, add the obvious thing that marks MakeRope as exiting since it can exit.
2376
2377         * dfg/DFGAbstractInterpreterInlines.h:
2378         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2379
2380 2014-04-15  Filip Pizlo  <fpizlo@apple.com>
2381
2382         compileMakeRope does not emit necessary bounds checks
2383         https://bugs.webkit.org/show_bug.cgi?id=130684
2384         <rdar://problem/16398388>
2385
2386         Reviewed by Oliver Hunt.
2387         
2388         Add string length bounds checks in a bunch of places. We should never allow a string
2389         to have a length greater than 2^31-1 because it's not clear that the language has
2390         semantics for it and because there is code that assumes that this cannot happen.
2391         
2392         Also add a bunch of tests to that effect to cover the various ways in which this was
2393         previously allowed to happen.
2394
2395         * dfg/DFGOperations.cpp:
2396         * dfg/DFGSpeculativeJIT.cpp:
2397         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2398         * ftl/FTLLowerDFGToLLVM.cpp:
2399         (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
2400         * runtime/JSString.cpp:
2401         (JSC::JSRopeString::RopeBuilder::expand):
2402         * runtime/JSString.h:
2403         (JSC::JSString::create):
2404         (JSC::JSRopeString::RopeBuilder::append):
2405         (JSC::JSRopeString::RopeBuilder::release):
2406         (JSC::JSRopeString::append):
2407         * runtime/Operations.h:
2408         (JSC::jsString):
2409         (JSC::jsStringFromRegisterArray):
2410         (JSC::jsStringFromArguments):
2411         * runtime/StringPrototype.cpp:
2412         (JSC::stringProtoFuncIndexOf):
2413         (JSC::stringProtoFuncSlice):
2414         (JSC::stringProtoFuncSubstring):
2415         (JSC::stringProtoFuncToLowerCase):
2416         * tests/stress/make-large-string-jit-strcat.js: Added.
2417         (foo):
2418         * tests/stress/make-large-string-jit.js: Added.
2419         (foo):
2420         * tests/stress/make-large-string-strcat.js: Added.
2421         * tests/stress/make-large-string.js: Added.
2422
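The entry above caps every JS string at 2^31 - 1 characters and adds the missing length checks on the rope-building paths (compileMakeRope, RopeBuilder::append, jsString and friends). As an added example, not JSC's code, this models the length bookkeeping of a rope append in the two shapes that matter: an unchecked 32-bit add, which wraps and leaves a negative or small length that later code indexing the real data would trust, and a checked version that refuses the concatenation before the sum is formed. Only lengths are modelled, since a real 2 GB string cannot be built in a unit test; the doubling loop is a constructed workload in the spirit of the make-large-string test names, not the page's own test.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

// The ChangeLog's ceiling: a string length must fit in a non-negative int32.
static const uint32_t kMaxStringLength =
    static_cast<uint32_t>(std::numeric_limits<int32_t>::max());   // 2^31 - 1

// The 'before' shape: the rope's length is an int32 and append just adds.
// The unsigned round-trip mirrors the wrap-around of a 32-bit add in generated
// code without invoking C++ signed-overflow UB. Deliberately unsafe.
int32_t wrappingConcatLength(int32_t lhsLen, int32_t rhsLen) {
    return static_cast<int32_t>(static_cast<uint32_t>(lhsLen) + static_cast<uint32_t>(rhsLen));
}

// The 'after' shape: reject before adding. Returns the new length, or -1 when
// the result would exceed kMaxStringLength. Checking lhsLen first keeps the
// subtraction from underflowing, so the test cannot itself be bypassed.
int64_t checkedConcatLength(uint32_t lhsLen, uint32_t rhsLen) {
    if (lhsLen > kMaxStringLength) return -1;            // already-corrupt input
    if (rhsLen > kMaxStringLength - lhsLen) return -1;   // sum would pass 2^31 - 1
    return static_cast<int64_t>(lhsLen) + rhsLen;
}

// Constructed workload: keep doing s = s + s and count how many doublings the
// checked path allows before it refuses. A 1-char string doubles 30 times to
// 2^30; the 31st would reach 2^31 and is rejected.
int doublingsUntilLimit(uint32_t startLen) {
    if (startLen == 0) return 0;   // 0 + 0 never grows; avoid looping forever
    int doublings = 0;
    uint32_t len = startLen;
    for (;;) {
        int64_t next = checkedConcatLength(len, len);
        if (next < 0) return doublings;
        len = static_cast<uint32_t>(next);
        ++doublings;
    }
}

int main() {
    std::printf("unchecked 2^30 + 2^30 -> %d\n", wrappingConcatLength(1 << 30, 1 << 30));
    std::printf("checked   2^30 + 2^30 -> %lld\n",
                static_cast<long long>(checkedConcatLength(1u << 30, 1u << 30)));
    std::printf("doublings allowed from length 1: %d\n", doublingsUntilLimit(1));
    return 0;
}
```

The same pattern applies to the other sites the entry lists (slice, substring, toLowerCase, jsStringFromArguments): compute the would-be length with headroom, compare it against the ceiling, and bail out before any allocation or copy uses it.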
2423 2014-04-15  Julien Brianceau  <jbriance@cisco.com>
2424
2425         Remove invalid sh4 specific code in JITInlines header.
2426         https://bugs.webkit.org/show_bug.cgi?id=131692
2427
2428         Reviewed by Geoffrey Garen.
2429
2430         * jit/JITInlines.h:
2431         (JSC::JIT::callOperation): Prototype is not F_JITOperation_EJJZ
2432         anymore since r160244, so the sh4 specific code is invalid now
2433         and has to be removed.
2434
2435 2014-04-15  Mark Hahnenberg  <mhahnenberg@apple.com>
2436
2437         Fix precedence issue in JSCell::setRemembered
2438
2439         Rubber stamped by Filip Pizlo.
2440
2441         * runtime/JSCell.h:
2442         (JSC::JSCell::setRemembered):
2443
2444 2014-04-15  Mark Hahnenberg  <mhahnenberg@apple.com>
2445
2446         Objective-C API external object graphs don't handle generational collection properly
2447         https://bugs.webkit.org/show_bug.cgi?id=131634
2448
2449         Reviewed by Geoffrey Garen.
2450
2451         If the set of Objective-C objects transitively reachable through an object changes, we 
2452         need to update the set of opaque roots accordingly. If we don't, the next EdenCollection 
2453         won't rescan the external object graph, which would lead us to consider a newly allocated 
2454         JSManagedValue to be dead.
2455
2456         * API/JSBase.cpp:
2457         (JSSynchronousEdenCollectForDebugging):
2458         * API/JSVirtualMachine.mm:
2459         (-[JSVirtualMachine initWithContextGroupRef:]):
2460         (-[JSVirtualMachine dealloc]):
2461         (-[JSVirtualMachine isOldExternalObject:]):
2462         (-[JSVirtualMachine addExternalRememberedObject:]):
2463         (-[JSVirtualMachine addManagedReference:withOwner:]):
2464         (-[JSVirtualMachine removeManagedReference:withOwner:]):
2465         (-[JSVirtualMachine externalRememberedSet]):
2466         (scanExternalObjectGraph):
2467         (scanExternalRememberedSet):
2468         * API/JSVirtualMachineInternal.h:
2469         * API/tests/testapi.mm:
2470         * heap/Heap.cpp:
2471         (JSC::Heap::markRoots):
2472         * heap/Heap.h:
2473         (JSC::Heap::slotVisitor):
2474         * heap/SlotVisitor.h:
2475         * heap/SlotVisitorInlines.h:
2476         (JSC::SlotVisitor::containsOpaqueRoot):
2477         (JSC::SlotVisitor::containsOpaqueRootTriState):
2478
2479 2014-04-15  Filip Pizlo  <fpizlo@apple.com>
2480
2481         DFG IR should keep the data flow of doubles and int52's separate from the data flow of JSValue's
2482         https://bugs.webkit.org/show_bug.cgi?id=131423
2483
2484         Reviewed by Geoffrey Garen.
2485         
2486         This introduces more static typing into DFG IR. Previously we just had the notion of
2487         JSValues and Storage. This was weird because doubles weren't always convertible to
2488         JSValues, and Int52s weren't always convertible to either doubles or JSValues. We would
2489         sort of insert explicit conversion nodes just for the places where we knew that an
2490         implicit conversion wouldn't have been possible -- but there was no hard and fast rule so
2491         we'd get bugs from forgetting to do the right conversion.
2492         
2493         This patch introduces a hard and fast rule: doubles can never be implicitly converted to
2494         anything but doubles, and likewise Int52's can never be implicitly converted. Conversion
2495         nodes are used for all of the conversions. Int52Rep, DoubleRep, and ValueRep are the
2496         conversions. They are like Identity but return the same value using a different
2497         representation. Likewise, constants may now be represented using either JSConstant,
2498         Int52Constant, or DoubleConstant. UseKinds have been adjusted accordingly, as well.
2499         Int52RepUse and DoubleRepUse are node uses that mean "the node must be of Int52 (or
2500         Double) type". They don't imply checks. There is also DoubleRepRealUse, which means that
2501         we speculate DoubleReal and expect Double representation.
2502         
2503         In addition to simplifying a bunch of rules in the IR and making the IR more verifiable,
2504         this also makes it easier to introduce optimizations in the future. It's now possible for
2505         AI to model when/how conversions take place. For example, if doing a conversion results in
2506         NaN sanitization, then AI can model this and can allow us to sink sanitizations. That's
2507         what https://bugs.webkit.org/show_bug.cgi?id=131419 will be all about.
2508         
2509         This was a big change, so I had to do some interesting things, like finally get rid of
2510         the DFG's weird variadic template macro hacks and use real C++11 variadic templates. Also
2511         the ByteCodeParser no longer emits Identity nodes since that was always pointless.
2512         
2513         No performance change because this mostly just rationalizes preexisting behavior.
2514
2515         * JavaScriptCore.xcodeproj/project.pbxproj:
2516         * assembler/MacroAssemblerX86.h:
2517         * bytecode/CodeBlock.cpp:
2518         * bytecode/CodeBlock.h:
2519         * dfg/DFGAbstractInterpreter.h:
2520         (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
2521         (JSC::DFG::AbstractInterpreter::setConstant):
2522         * dfg/DFGAbstractInterpreterInlines.h:
2523         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2524         * dfg/DFGAbstractValue.cpp:
2525         (JSC::DFG::AbstractValue::set):
2526         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
2527         (JSC::DFG::AbstractValue::checkConsistency):
2528         * dfg/DFGAbstractValue.h:
2529         * dfg/DFGBackwardsPropagationPhase.cpp:
2530         (JSC::DFG::BackwardsPropagationPhase::propagate):
2531         * dfg/DFGBasicBlock.h:
2532         * dfg/DFGBasicBlockInlines.h:
2533         (JSC::DFG::BasicBlock::appendNode):
2534         (JSC::DFG::BasicBlock::appendNonTerminal):
2535         * dfg/DFGByteCodeParser.cpp:
2536         (JSC::DFG::ByteCodeParser::parseBlock):
2537         * dfg/DFGCSEPhase.cpp:
2538         (JSC::DFG::CSEPhase::constantCSE):
2539         (JSC::DFG::CSEPhase::performNodeCSE):
2540         (JSC::DFG::CSEPhase::int32ToDoubleCSE): Deleted.
2541         * dfg/DFGCapabilities.h:
2542         * dfg/DFGClobberize.h:
2543         (JSC::DFG::clobberize):
2544         * dfg/DFGConstantFoldingPhase.cpp:
2545         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2546         * dfg/DFGDCEPhase.cpp:
2547         (JSC::DFG::DCEPhase::fixupBlock):
2548         * dfg/DFGEdge.h:
2549         (JSC::DFG::Edge::willNotHaveCheck):
2550         * dfg/DFGFixupPhase.cpp:
2551         (JSC::DFG::FixupPhase::run):
2552         (JSC::DFG::FixupPhase::fixupNode):
2553         (JSC::DFG::FixupPhase::fixupGetAndSetLocalsInBlock):
2554         (JSC::DFG::FixupPhase::observeUseKindOnNode):
2555         (JSC::DFG::FixupPhase::fixIntEdge):
2556         (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
2557         (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
2558         (JSC::DFG::FixupPhase::tryToRelaxRepresentation):
2559         (JSC::DFG::FixupPhase::fixEdgeRepresentation):
2560         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2561         (JSC::DFG::FixupPhase::addRequiredPhantom):
2562         (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
2563         (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
2564         (JSC::DFG::FixupPhase::fixupSetLocalsInBlock): Deleted.
2565         * dfg/DFGFlushFormat.h:
2566         (JSC::DFG::resultFor):
2567         (JSC::DFG::useKindFor):
2568         * dfg/DFGGraph.cpp:
2569         (JSC::DFG::Graph::dump):
2570         * dfg/DFGGraph.h:
2571         (JSC::DFG::Graph::addNode):
2572         * dfg/DFGInPlaceAbstractState.cpp:
2573         (JSC::DFG::InPlaceAbstractState::initialize):
2574         * dfg/DFGInsertionSet.h:
2575         (JSC::DFG::InsertionSet::insertNode):
2576         (JSC::DFG::InsertionSet::insertConstant):
2577         (JSC::DFG::InsertionSet::insertConstantForUse):
2578         * dfg/DFGIntegerCheckCombiningPhase.cpp:
2579         (JSC::DFG::IntegerCheckCombiningPhase::insertAdd):
2580         (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd):
2581         * dfg/DFGNode.cpp:
2582         (JSC::DFG::Node::convertToIdentity):
2583         (WTF::printInternal):
2584         * dfg/DFGNode.h:
2585         (JSC::DFG::Node::Node):
2586         (JSC::DFG::Node::setResult):
2587         (JSC::DFG::Node::result):
2588         (JSC::DFG::Node::isConstant):
2589         (JSC::DFG::Node::hasConstant):
2590         (JSC::DFG::Node::convertToConstant):
2591         (JSC::DFG::Node::valueOfJSConstant):
2592         (JSC::DFG::Node::hasResult):
2593         (JSC::DFG::Node::hasInt32Result):
2594         (JSC::DFG::Node::hasInt52Result):
2595         (JSC::DFG::Node::hasNumberResult):
2596         (JSC::DFG::Node::hasDoubleResult):
2597         (JSC::DFG::Node::hasJSResult):
2598         (JSC::DFG::Node::hasBooleanResult):
2599         (JSC::DFG::Node::hasStorageResult):
2600         (JSC::DFG::Node::defaultUseKind):
2601         (JSC::DFG::Node::defaultEdge):
2602         (JSC::DFG::Node::convertToIdentity): Deleted.
2603         * dfg/DFGNodeFlags.cpp:
2604         (JSC::DFG::dumpNodeFlags):
2605         * dfg/DFGNodeFlags.h:
2606         (JSC::DFG::canonicalResultRepresentation):
2607         * dfg/DFGNodeType.h:
2608         * dfg/DFGOSRExitCompiler32_64.cpp:
2609         (JSC::DFG::OSRExitCompiler::compileExit):
2610         * dfg/DFGOSRExitCompiler64.cpp:
2611         (JSC::DFG::OSRExitCompiler::compileExit):
2612         * dfg/DFGPredictionPropagationPhase.cpp:
2613         (JSC::DFG::PredictionPropagationPhase::propagate):
2614         * dfg/DFGResurrectionForValidationPhase.cpp:
2615         (JSC::DFG::ResurrectionForValidationPhase::run):
2616         * dfg/DFGSSAConversionPhase.cpp:
2617         (JSC::DFG::SSAConversionPhase::run):
2618         * dfg/DFGSafeToExecute.h:
2619         (JSC::DFG::SafeToExecuteEdge::operator()):
2620         (JSC::DFG::safeToExecute):
2621         * dfg/DFGSpeculativeJIT.cpp:
2622         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
2623         (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
2624         (JSC::DFG::SpeculativeJIT::silentFill):
2625         (JSC::DFG::JSValueRegsTemporary::JSValueRegsTemporary):
2626         (JSC::DFG::JSValueRegsTemporary::~JSValueRegsTemporary):
2627         (JSC::DFG::JSValueRegsTemporary::regs):
2628         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
2629         (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
2630         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
2631         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2632         (JSC::DFG::SpeculativeJIT::compileValueRep):
2633         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
2634         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
2635         (JSC::DFG::SpeculativeJIT::compileAdd):
2636         (JSC::DFG::SpeculativeJIT::compileArithSub):
2637         (JSC::DFG::SpeculativeJIT::compileArithNegate):
2638         (JSC::DFG::SpeculativeJIT::compileArithMul):
2639         (JSC::DFG::SpeculativeJIT::compileArithDiv):
2640         (JSC::DFG::SpeculativeJIT::compileArithMod):
2641         (JSC::DFG::SpeculativeJIT::compare):
2642         (JSC::DFG::SpeculativeJIT::compileStrictEq):
2643         (JSC::DFG::SpeculativeJIT::speculateNumber):
2644         (JSC::DFG::SpeculativeJIT::speculateDoubleReal):
2645         (JSC::DFG::SpeculativeJIT::speculate):
2646         (JSC::DFG::SpeculativeJIT::compileInt32ToDouble): Deleted.
2647         (JSC::DFG::SpeculativeJIT::speculateMachineInt): Deleted.
2648         (JSC::DFG::SpeculativeJIT::speculateRealNumber): Deleted.
2649         * dfg/DFGSpeculativeJIT.h:
2650         (JSC::DFG::SpeculativeJIT::allocate):
2651         (JSC::DFG::SpeculativeJIT::use):
2652         (JSC::DFG::SpeculativeJIT::boxDouble):
2653         (JSC::DFG::SpeculativeJIT::spill):
2654         (JSC::DFG::SpeculativeJIT::jsValueResult):
2655         (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand):
2656         (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand):
2657         (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand):
2658         (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
2659         * dfg/DFGSpeculativeJIT32_64.cpp:
2660         (JSC::DFG::SpeculativeJIT::fillJSValue):
2661         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2662         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2663         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2664         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2665         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2666         (JSC::DFG::SpeculativeJIT::emitBranch):
2667         (JSC::DFG::SpeculativeJIT::compile):
2668         (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
2669         * dfg/DFGSpeculativeJIT64.cpp:
2670         (JSC::DFG::SpeculativeJIT::fillJSValue):
2671         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2672         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
2673         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2674         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2675         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2676         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2677         (JSC::DFG::SpeculativeJIT::emitBranch):
2678         (JSC::DFG::SpeculativeJIT::compile):
2679         (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
2680         * dfg/DFGStrengthReductionPhase.cpp:
2681         (JSC::DFG::StrengthReductionPhase::handleNode):
2682         * dfg/DFGUseKind.cpp:
2683         (WTF::printInternal):
2684         * dfg/DFGUseKind.h:
2685         (JSC::DFG::typeFilterFor):
2686         (JSC::DFG::shouldNotHaveTypeCheck):
2687         (JSC::DFG::mayHaveTypeCheck):
2688         (JSC::DFG::isNumerical):
2689         (JSC::DFG::isDouble):
2690         (JSC::DFG::isCell):
2691         (JSC::DFG::usesStructure):
2692         (JSC::DFG::useKindForResult):
2693         * dfg/DFGValidate.cpp:
2694         (JSC::DFG::Validate::validate):
2695         * dfg/DFGVariadicFunction.h: Removed.
2696         * ftl/FTLCapabilities.cpp:
2697         (JSC::FTL::canCompile):
2698         * ftl/FTLLowerDFGToLLVM.cpp:
2699         (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
2700         (JSC::FTL::LowerDFGToLLVM::compileNode):
2701         (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
2702         (JSC::FTL::LowerDFGToLLVM::compilePhi):
2703         (JSC::FTL::LowerDFGToLLVM::compileDoubleConstant):
2704         (JSC::FTL::LowerDFGToLLVM::compileInt52Constant):
2705         (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant):
2706         (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
2707         (JSC::FTL::LowerDFGToLLVM::compileValueRep):
2708         (JSC::FTL::LowerDFGToLLVM::compileInt52Rep):
2709         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
2710         (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
2711         (JSC::FTL::LowerDFGToLLVM::compileArithMul):
2712         (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
2713         (JSC::FTL::LowerDFGToLLVM::compileArithMod):
2714         (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
2715         (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
2716         (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
2717         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2718         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
2719         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
2720         (JSC::FTL::LowerDFGToLLVM::compare):
2721         (JSC::FTL::LowerDFGToLLVM::boolify):
2722         (JSC::FTL::LowerDFGToLLVM::lowInt52):
2723         (JSC::FTL::LowerDFGToLLVM::lowStrictInt52):
2724         (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52):
2725         (JSC::FTL::LowerDFGToLLVM::lowDouble):
2726         (JSC::FTL::LowerDFGToLLVM::lowJSValue):
2727         (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble):
2728         (JSC::FTL::LowerDFGToLLVM::jsValueToDouble):
2729         (JSC::FTL::LowerDFGToLLVM::speculate):
2730         (JSC::FTL::LowerDFGToLLVM::speculateNumber):
2731         (JSC::FTL::LowerDFGToLLVM::speculateDoubleReal):
2732         (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue): Deleted.
2733         (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble): Deleted.
2734         (JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue): Deleted.
2735         (JSC::FTL::LowerDFGToLLVM::speculateRealNumber): Deleted.
2736         (JSC::FTL::LowerDFGToLLVM::speculateMachineInt): Deleted.
2737         * ftl/FTLValueFormat.cpp:
2738         (JSC::FTL::reboxAccordingToFormat):
2739         * jit/AssemblyHelpers.cpp:
2740         (JSC::AssemblyHelpers::sanitizeDouble):
2741         * jit/AssemblyHelpers.h:
2742         (JSC::AssemblyHelpers::boxDouble):
2743
2744 2014-04-15  Commit Queue  <commit-queue@webkit.org>
2745
2746         Unreviewed, rolling out r167199 and r167251.
2747         https://bugs.webkit.org/show_bug.cgi?id=131678
2748
2749         Caused a DYEBench regression and does not seem to improve perf
2750         on relevant websites (Requested by rniwa on #webkit).
2751
2752         Reverted changesets:
2753
2754         "Rewrite Function.bind as a builtin"
2755         https://bugs.webkit.org/show_bug.cgi?id=131083
2756         http://trac.webkit.org/changeset/167199
2757
2758         "Update test result"
2759         http://trac.webkit.org/changeset/167251
2760
2761 2014-04-14  Commit Queue  <commit-queue@webkit.org>
2762
2763         Unreviewed, rolling out r167272.
2764         https://bugs.webkit.org/show_bug.cgi?id=131666
2765
2766         Broke multiple tests (Requested by ap on #webkit).
2767
2768         Reverted changeset:
2769
2770         "Function.bind itself is too slow"
2771         https://bugs.webkit.org/show_bug.cgi?id=131636
2772         http://trac.webkit.org/changeset/167272
2773
2774 2014-04-14  Geoffrey Garen  <ggaren@apple.com>
2775
2776         ASSERT when firing low memory warning
2777         https://bugs.webkit.org/show_bug.cgi?id=131659
2778
2779         Reviewed by Mark Hahnenberg.
2780
2781         * heap/Heap.cpp:
2782         (JSC::Heap::deleteAllCompiledCode): Allow deleteAllCompiledCode to be
2783         called when no GC is happening because that is what we do when a low
2784         memory warning fires, and it is harmless.
2785
2786 2014-04-14  Mark Hahnenberg  <mhahnenberg@apple.com>
2787
2788         emit_op_put_by_id should not emit a write barrier that filters on value
2789         https://bugs.webkit.org/show_bug.cgi?id=131654
2790
2791         Reviewed by Filip Pizlo.
2792
2793         The 32-bit implementation does this, and it can cause crashes if we later repatch the 
2794         code to allocate and store new Butterflies.
2795
2796         * jit/JITPropertyAccess.cpp:
2797         (JSC::JIT::emitWriteBarrier): We also weren't verifying that the base was a cell on 
2798         32-bit if we were passed ShouldFilterBase. I also took the liberty of sinking the tag 
2799         load down into the if statement so that we don't do it if we're not filtering on the value.
2800         * jit/JITPropertyAccess32_64.cpp:
2801         (JSC::JIT::emit_op_put_by_id):
2802
2803 2014-04-14  Oliver Hunt  <oliver@apple.com>
2804
2805         Function.bind itself is too slow
2806         https://bugs.webkit.org/show_bug.cgi?id=131636
2807
2808         Reviewed by Geoffrey Garen.
2809
2810         Rather than forcing creation of an activation, we now store
2811         bound function properties directly on the returned closure.
2812         This is necessary to deal with code that creates many function
2813         bindings, but does not call them very often.
2814
2815         This is a 60% speed up in the included js/regress test.
2816
2817         * builtins/BuiltinExecutables.cpp:
2818         (JSC::BuiltinExecutables::createBuiltinExecutable):
2819         * builtins/Function.prototype.js:
2820         (bind.bindingFunction):
2821         (bind.else.switch.case.1.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
2822         (bind.else.switch.case.1.bindingFunction):
2823         (bind.else.switch.case.2.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
2824         (bind.else.switch.case.2.bindingFunction):
2825         (bind.else.switch.case.3.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
2826         (bind.else.switch.case.3.bindingFunction):
2827         (bind.else.switch.bindingFunction):
2828         (bind):
2829         (bind.else.switch.case.1.bindingFunction.oversizedCall): Deleted.
2830         (bind.else.switch.case.2.bindingFunction.oversizedCall): Deleted.
2831         (bind.else.switch.case.3.bindingFunction.oversizedCall): Deleted.
2832         * runtime/CommonIdentifiers.h:
2833
2834 2014-04-14  Julien Brianceau  <jbriance@cisco.com>
2835
2836         [sh4] Allow use of SubImmediates in LLINT.
2837         https://bugs.webkit.org/show_bug.cgi?id=131608
2838
2839         Reviewed by Mark Lam.
2840
2841         Allow use of SubImmediates with const pool so the sh4 architecture can
2842         share the arm path for setEntryAddress macro. It reduces architecture
2843         specific code and leads to more optimal generated code for sh4.
2844
2845         * llint/LowLevelInterpreter.asm:
2846         * offlineasm/sh4.rb:
2847
2848 2014-04-14  Andreas Kling  <akling@apple.com>
2849
2850         Array.prototype.concat should allocate output storage only once.
2851         <https://webkit.org/b/131609>
2852
2853         Do a first pass across 'this' and any arguments to compute the
2854         final size of the resulting array from Array.prototype.concat.
2855         This avoids having to grow the output incrementally as we go.
2856
2857         This also includes two other micro-optimizations:
2858
2859         - Mark getProperty() with ALWAYS_INLINE.
2860
2861         - Use JSArray::length() instead of taking the generic property
2862           lookup path when we know an argument is an Array.
2863
2864         My MBP says ~3% progression on Dromaeo/jslib-traverse-jquery.
2865
2866         Reviewed by Oliver & Darin.
2867
2868         * runtime/ArrayPrototype.cpp:
2869         (JSC::getProperty):
2870         (JSC::arrayProtoFuncConcat):
2871
2872 2014-04-14  Commit Queue  <commit-queue@webkit.org>
2873
2874         Unreviewed, rolling out r167249.
2875         https://bugs.webkit.org/show_bug.cgi?id=131621
2876
2877         broke 3 tests on cloop (Requested by kling on #webkit).
2878
2879         Reverted changeset:
2880
2881         "Array.prototype.concat should allocate output storage only
2882         once."
2883         https://bugs.webkit.org/show_bug.cgi?id=131609
2884         http://trac.webkit.org/changeset/167249
2885
2886 2014-04-14  Alex Christensen  <achristensen@webkit.org>
2887
2888         Fixed potential integer truncation.
2889         https://bugs.webkit.org/show_bug.cgi?id=131615
2890
2891         Reviewed by Darin Adler.
2892
2893         * assembler/X86Assembler.h:
2894         (JSC::X86Assembler::fillNops):
2895         Truncate the size_t to an unsigned after it is limited to 15 instead of before.
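
Worked example, added here and not part of the WebKit ChangeLog or of X86Assembler.h: a constructed model of why the order of the clamp and the narrowing conversion matters. A padding loop emits NOP chunks of at most 15 bytes (the limit named in the entry above); `chunkBuggy` narrows the 64-bit size to `unsigned` before clamping, `chunkFixed` clamps first and then narrows. The loop itself, the function names and the use of `uint64_t` as a stand-in for a 64-bit `size_t` are assumptions of this example.

```cpp
#include <algorithm>
#include <cstdint>

// The longest single NOP encoding the fill routine may emit per chunk
// (the "limited to 15" in the entry above).
static const unsigned kMaxNopBytes = 15;

// Constructed "before" version: the 64-bit size is narrowed to unsigned
// first, so a size that is a multiple of 2^32 collapses to 0 and any size
// above 2^32 loses its high bits before the clamp ever sees it.
unsigned chunkBuggy(uint64_t remaining) {
    unsigned narrowed = static_cast<unsigned>(remaining);
    return std::min(narrowed, kMaxNopBytes);
}

// "After" version: clamp in the wide type, then narrow. The result is
// always <= 15 and never 0 for a non-zero remainder.
unsigned chunkFixed(uint64_t remaining) {
    return static_cast<unsigned>(std::min<uint64_t>(remaining, kMaxNopBytes));
}

// Simulates a fill loop that keeps emitting NOP chunks until `size` bytes are
// covered. Returns the number of chunks emitted, or 0 if a chunk size of zero
// came back for a non-zero remainder: in a real emitter that means no progress
// is made and the loop never terminates.
uint64_t simulateFill(uint64_t size, unsigned (*chunk)(uint64_t)) {
    uint64_t chunks = 0;
    while (size) {
        unsigned n = chunk(size);
        if (n == 0)
            return 0; // stalled: the loop would spin forever
        size -= n;    // n <= size in both variants, so no underflow
        ++chunks;
    }
    return chunks;
}
```

For ordinary sizes both variants agree, which is why this kind of defect survives testing; the difference only shows once the high half of the 64-bit value is non-zero, where the narrowed-first version can hand back 0 and stall the loop.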
2896
2897 2014-04-14  Andreas Kling  <akling@apple.com>
2898
2899         Array.prototype.concat should allocate output storage only once.
2900         <https://webkit.org/b/131609>
2901
2902         Do a first pass across 'this' and any arguments to compute the
2903         final size of the resulting array from Array.prototype.concat.
2904         This avoids having to grow the output incrementally as we go.
2905
2906         This also includes two other micro-optimizations:
2907
2908         - Mark getProperty() with ALWAYS_INLINE.
2909
2910         - Use JSArray::length() instead of taking the generic property
2911           lookup path when we know an argument is an Array.
2912
2913         My MBP says ~3% progression on Dromaeo/jslib-traverse-jquery.
2914
2915         Reviewed by Darin Adler.
2916
2917         * runtime/ArrayPrototype.cpp:
2918         (JSC::getProperty):
2919         (JSC::arrayProtoFuncConcat):
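
Worked example, added here and not part of the WebKit ChangeLog or of ArrayPrototype.cpp, illustrating the two-pass approach described in this entry and in the earlier rolled-out copy of it: the output buffer is sized once from the lengths of all inputs instead of being grown as elements are appended. The `std::vector<int>` model, the reallocation counter and the function names are constructed for this example; the real code works on JSArray storage.

```cpp
#include <cstddef>
#include <vector>

// Result of a concat plus how many times the output buffer was reallocated
// while building it (constructed instrumentation for this example).
struct ConcatResult {
    std::vector<int> values;
    size_t reallocations;
};

// Push one element and count a reallocation whenever the capacity changes.
static void pushCounted(ConcatResult& out, int v) {
    size_t before = out.values.capacity();
    out.values.push_back(v);
    if (out.values.capacity() != before)
        ++out.reallocations;
}

// Growing the output as we go: every time the buffer runs out of room it is
// reallocated and everything copied so far is copied again.
ConcatResult concatIncremental(const std::vector<std::vector<int>>& parts) {
    ConcatResult out{{}, 0};
    for (const auto& part : parts)
        for (int v : part)
            pushCounted(out, v);
    return out;
}

// Two passes, as the entry describes: first compute the final length from the
// lengths of 'this' and every argument, reserve once, then copy.
ConcatResult concatPreallocated(const std::vector<std::vector<int>>& parts) {
    size_t total = 0;
    for (const auto& part : parts)
        total += part.size();           // pass 1: lengths only
    ConcatResult out{{}, 0};
    size_t before = out.values.capacity();
    out.values.reserve(total);          // the single allocation of output storage
    if (out.values.capacity() != before)
        ++out.reallocations;
    for (const auto& part : parts)      // pass 2: copy, never growing
        for (int v : part)
            pushCounted(out, v);
    return out;
}
```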
2920
2921 2014-04-14  Benjamin Poulain  <benjamin@webkit.org>
2922
2923         [JSC] Improve the call site of string comparison in some hot path
2924         https://bugs.webkit.org/show_bug.cgi?id=131605
2925
2926         Reviewed by Darin Adler.
2927
2928         When resolved, the String of a JSString is never null. It can be empty but not null.
2929         The null value is reserved for ropes but those would be resolved when getting the value.
2930
2931         Consequently, we should use the equal() operation that does not handle null values.
2932         Using the StringImpl directly is already common in StringPrototype but it was not used here for some reason.
2933
2934         * jit/JITOperations.cpp:
2935         * runtime/JSCJSValueInlines.h:
2936         (JSC::JSValue::equalSlowCaseInline):
2937         (JSC::JSValue::strictEqualSlowCaseInline):
2938         (JSC::JSValue::pureStrictEqual):
2939
2940 2014-04-08  Oliver Hunt  <oliver@apple.com>
2941
2942         Rewrite Function.bind as a builtin
2943         https://bugs.webkit.org/show_bug.cgi?id=131083
2944
2945         Reviewed by Geoffrey Garen.
2946
2947         This change removes the existing function.bind implementation
2948         entirely so JSBoundFunction is no more.
2949
2950         Instead we just return a regular JS closure with a few
2951         private properties hanging off it that allow us to perform
2952         the necessary bound function fakery.  While most of this is
2953         simple, a couple of key changes:
2954
2955         - The parser and lexer now directly track whether they're
2956           parsing code for call or construct and convert the private
2957           name @IsConstructor into TRUETOK or FALSETOK as appropriate.
2958           This automatically gives us the ability to vary behaviour
2959           from within the builtin. It also leaves a lot of headroom
2960           for trivial future improvements.
2961         - The instanceof operator now uses the prototypeForHasInstance
2962           private name, and we have a helper function to ensure that
2963           all objects that need to can update their magical 'prototype'
2964           property pair correctly.
2965
2966         * API/JSScriptRef.cpp:
2967         (parseScript):
2968         * JavaScriptCore.xcodeproj/project.pbxproj:
2969         * builtins/BuiltinExecutables.cpp:
2970         (JSC::BuiltinExecutables::createBuiltinExecutable):
2971         * builtins/Function.prototype.js:
2972         (bind.bindingFunction):
2973         (bind.else.bindingFunction):
2974         (bind):
2975         * bytecode/UnlinkedCodeBlock.cpp:
2976         (JSC::generateFunctionCodeBlock):
2977         * bytecompiler/NodesCodegen.cpp:
2978         (JSC::InstanceOfNode::emitBytecode):
2979         * interpreter/Interpreter.cpp:
2980         * parser/Lexer.cpp:
2981         (JSC::Lexer<T>::Lexer):
2982         (JSC::Lexer<LChar>::parseIdentifier):
2983         (JSC::Lexer<UChar>::parseIdentifier):
2984         * parser/Lexer.h:
2985         * parser/Parser.cpp:
2986         (JSC::Parser<LexerType>::Parser):
2987         (JSC::Parser<LexerType>::parseInner):
2988         * parser/Parser.h:
2989         (JSC::parse):
2990         * parser/ParserModes.h:
2991         * runtime/CodeCache.cpp:
2992         (JSC::CodeCache::getGlobalCodeBlock):
2993         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
2994         * runtime/CommonIdentifiers.h:
2995         * runtime/Completion.cpp:
2996         (JSC::checkSyntax):
2997         * runtime/Executable.cpp:
2998         (JSC::ProgramExecutable::checkSyntax):
2999         * runtime/FunctionPrototype.cpp:
3000         (JSC::FunctionPrototype::addFunctionProperties):
3001         (JSC::functionProtoFuncBind): Deleted.
3002         * runtime/JSBoundFunction.cpp: Removed.
3003         * runtime/JSBoundFunction.h: Removed.
3004         * runtime/JSFunction.cpp:
3005         (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
3006         (JSC::RetrieveCallerFunctionFunctor::operator()):
3007         (JSC::retrieveCallerFunction):
3008         (JSC::JSFunction::getOwnPropertySlot):
3009         (JSC::JSFunction::defineOwnProperty):
3010         * runtime/JSGlobalObject.cpp:
3011         (JSC::JSGlobalObject::reset):
3012         * runtime/JSGlobalObjectFunctions.cpp:
3013         (JSC::globalFuncSetTypeErrorAccessor):
3014         * runtime/JSGlobalObjectFunctions.h:
3015         * runtime/JSObject.h:
3016         (JSC::JSObject::inlineGetOwnPropertySlot):
3017
3018 2014-04-12  Filip Pizlo  <fpizlo@apple.com>
3019
3020         Math.fround() should be an intrinsic
3021         https://bugs.webkit.org/show_bug.cgi?id=131583
3022
3023         Reviewed by Geoffrey Garen.
3024         
3025         Makes programs that use Math.fround() run up to 6x faster.
3026
3027         * dfg/DFGAbstractInterpreterInlines.h:
3028         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3029         * dfg/DFGByteCodeParser.cpp:
3030         (JSC::DFG::ByteCodeParser::handleIntrinsic):
3031         * dfg/DFGCSEPhase.cpp:
3032         (JSC::DFG::CSEPhase::performNodeCSE):
3033         * dfg/DFGClobberize.h:
3034         (JSC::DFG::clobberize):
3035         * dfg/DFGFixupPhase.cpp:
3036         (JSC::DFG::FixupPhase::fixupNode):
3037         * dfg/DFGNodeType.h:
3038         * dfg/DFGPredictionPropagationPhase.cpp:
3039         (JSC::DFG::PredictionPropagationPhase::propagate):
3040         * dfg/DFGSafeToExecute.h:
3041         (JSC::DFG::safeToExecute):
3042         * dfg/DFGSpeculativeJIT32_64.cpp:
3043         (JSC::DFG::SpeculativeJIT::compile):
3044         * dfg/DFGSpeculativeJIT64.cpp:
3045         (JSC::DFG::SpeculativeJIT::compile):
3046         * ftl/FTLCapabilities.cpp:
3047         (JSC::FTL::canCompile):
3048         * ftl/FTLLowerDFGToLLVM.cpp:
3049         (JSC::FTL::LowerDFGToLLVM::compileNode):
3050         (JSC::FTL::LowerDFGToLLVM::compileArithFRound):
3051         * runtime/Intrinsic.h:
3052         * runtime/MathObject.cpp:
3053         (JSC::MathObject::finishCreation):
3054
3055 2014-04-12  Filip Pizlo  <fpizlo@apple.com>
3056
3057         FTL should use stackmap register liveness
3058         https://bugs.webkit.org/show_bug.cgi?id=130791
3059
3060         Reviewed by Geoffrey Garen.
3061         
3062         Enable the stackmap register liveness support by fixing the last two bugs:
3063         
3064         - If everything is dead after the patchpoint - a good possibility for a put_by_id -
3065           then we shouldn't crash due to a null scratch buffer.
3066         
3067         - Always consider callee-saves as if they were live. More precisely, we should
3068           consider those callee-saves that are not saved by the enclosing function to be live.
3069           For now we do the much simpler thing and consider callee-saves to be always live
3070           since it has minimal impact on the scratch register allocator. It will know not to
3071           preserve those for calls, anyway.
3072         
3073         I tried writing a test for the null scratch buffer thing, but failed. I will land the
3074         test anyway since it seems useful.
3075
3076         * ftl/FTLCompile.cpp:
3077         (JSC::FTL::usedRegistersFor):
3078         * jit/ScratchRegisterAllocator.cpp:
3079         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
3080         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
3081         * runtime/Options.h:
3082         * tests/stress/repeated-put-by-id-reallocating-transition.js: Added.
3083         (foo):
3084
3085 2014-04-11  Filip Pizlo  <fpizlo@apple.com>
3086
3087         DFG::FixupPhase should insert conversion nodes after the rest of fixup so that we know how the types settled
3088         https://bugs.webkit.org/show_bug.cgi?id=131424
3089
3090         Reviewed by Geoffrey Garen.
3091         
3092         This defers type conversion injection until we've decided on types. This makes the
3093         process of deciding types a bit more flexible - for example we can naturally fixpoint
3094         and change our minds. Only when things are settled do we actually insert conversions.
3095         
3096         This is a necessary prerequisite for keeping double, int52, and JSValue data flow
3097         separate. A SetLocal/GetLocal will appear to be JSValue until we fixpoint and realize
3098         that there are typed uses. If we were eagerly inserting type conversions then we would
3099         first insert a to/from-JSValue conversion in some cases only to then replace it by
3100         the other conversions. It's probably trivial to remove those redundant conversions later
3101         but I think it's better if we don't insert them to begin with.
3102
3103         * bytecode/CodeOrigin.h:
3104         (JSC::CodeOrigin::operator!):
3105         * dfg/DFGFixupPhase.cpp:
3106         (JSC::DFG::FixupPhase::run):
3107         (JSC::DFG::FixupPhase::fixupBlock):
3108         (JSC::DFG::FixupPhase::fixupNode):
3109         (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
3110         (JSC::DFG::FixupPhase::fixEdge):
3111         (JSC::DFG::FixupPhase::fixIntEdge):
3112         (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
3113         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
3114         (JSC::DFG::FixupPhase::addRequiredPhantom):
3115         (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
3116         (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
3117         (JSC::DFG::FixupPhase::observeUntypedEdge): Deleted.
3118         (JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock): Deleted.
3119         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode): Deleted.
3120
3121 2014-04-11  Brian J. Burg  <burg@cs.washington.edu>
3122
3123         Web Replay: code generator should consider enclosing class when computing duplicate type names
3124         https://bugs.webkit.org/show_bug.cgi?id=131554
3125
3126         Reviewed by Timothy Hatcher.
3127
3128         We need to prepend an enum's enclosing class, if any, so that multiple enums with the same name
3129         can coexist without triggering a "duplicate types" error. Now, such enums must be referenced
3130         by the enclosing class and enum name.
3131
3132         Added tests for the new syntax, and rebaselined one test to reflect a previous patch's change.
3133
3134         * replay/scripts/CodeGeneratorReplayInputs.py:
3135         (Type.type_name): Prepend the enclosing class name.
3136         (Type.type_name.is):
3137         * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Added.
3138         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Added.
3139         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Added.
3140         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Rebaseline.
3141         * replay/scripts/tests/fail-on-duplicate-enum-type.json: Added.
3142         * replay/scripts/tests/generate-enums-with-same-base-name.json: Added.
3143
3144 2014-04-11  Gavin Barraclough  <baraclough@apple.com>
3145
3146         Rollout - Rewrite Function.bind as a builtin
3147         https://bugs.webkit.org/show_bug.cgi?id=131083
3148
3149         Unreviewed.
3150
3151         Rolling out r167020 while investigating a performance regression.
3152
3153         * API/JSObjectRef.cpp:
3154         (JSObjectMakeConstructor):
3155         * API/JSScriptRef.cpp:
3156         (parseScript):
3157         * CMakeLists.txt:
3158         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3159         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3160         * JavaScriptCore.xcodeproj/project.pbxproj:
3161         * builtins/BuiltinExecutables.cpp:
3162         (JSC::BuiltinExecutables::createBuiltinExecutable):
3163         * builtins/Function.prototype.js:
3164         (apply):
3165         (bind.bindingFunction): Deleted.
3166         (bind.else.bindingFunction): Deleted.
3167         (bind): Deleted.
3168         * bytecode/UnlinkedCodeBlock.cpp:
3169         (JSC::generateFunctionCodeBlock):
3170         * bytecompiler/NodesCodegen.cpp:
3171         (JSC::InstanceOfNode::emitBytecode):
3172         * interpreter/Interpreter.cpp:
3173         * parser/Lexer.cpp:
3174         (JSC::Lexer<T>::Lexer):
3175         (JSC::Lexer<LChar>::parseIdentifier):
3176         (JSC::Lexer<UChar>::parseIdentifier):
3177         * parser/Lexer.h:
3178         * parser/Parser.cpp:
3179         (JSC::Parser<LexerType>::Parser):
3180         (JSC::Parser<LexerType>::parseInner):
3181         * parser/Parser.h:
3182         (JSC::parse):
3183         * parser/ParserModes.h:
3184         * runtime/ArgumentsIteratorConstructor.cpp:
3185         (JSC::ArgumentsIteratorConstructor::finishCreation):
3186         * runtime/ArrayConstructor.cpp:
3187         (JSC::ArrayConstructor::finishCreation):
3188         * runtime/BooleanConstructor.cpp:
3189         (JSC::BooleanConstructor::finishCreation):
3190         * runtime/CodeCache.cpp:
3191         (JSC::CodeCache::getGlobalCodeBlock):
3192         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
3193         * runtime/CommonIdentifiers.h:
3194         * runtime/Completion.cpp:
3195         (JSC::checkSyntax):
3196         * runtime/DateConstructor.cpp:
3197         (JSC::DateConstructor::finishCreation):
3198         * runtime/ErrorConstructor.cpp:
3199         (JSC::ErrorConstructor::finishCreation):
3200         * runtime/Executable.cpp:
3201         (JSC::ProgramExecutable::checkSyntax):
3202         * runtime/FunctionConstructor.cpp:
3203         (JSC::FunctionConstructor::finishCreation):
3204         * runtime/FunctionPrototype.cpp:
3205         (JSC::FunctionPrototype::addFunctionProperties):
3206         (JSC::functionProtoFuncBind):
3207         * runtime/JSArrayBufferConstructor.cpp:
3208         (JSC::JSArrayBufferConstructor::finishCreation):
3209         * runtime/JSBoundFunction.cpp: Added.
3210         (JSC::boundFunctionCall):
3211         (JSC::boundFunctionConstruct):
3212         (JSC::JSBoundFunction::create):
3213         (JSC::JSBoundFunction::destroy):
3214         (JSC::JSBoundFunction::customHasInstance):
3215         (JSC::JSBoundFunction::JSBoundFunction):
3216         (JSC::JSBoundFunction::finishCreation):
3217         (JSC::JSBoundFunction::visitChildren):
3218         * runtime/JSBoundFunction.h: Added.
3219         (JSC::JSBoundFunction::targetFunction):
3220         (JSC::JSBoundFunction::boundThis):
3221         (JSC::JSBoundFunction::boundArgs):
3222         (JSC::JSBoundFunction::createStructure):
3223         * runtime/JSFunction.cpp:
3224         (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
3225         (JSC::RetrieveCallerFunctionFunctor::operator()):
3226         (JSC::retrieveCallerFunction):
3227         (JSC::JSFunction::getOwnPropertySlot):
3228         (JSC::JSFunction::getOwnNonIndexPropertyNames):
3229         (JSC::JSFunction::put):
3230         (JSC::JSFunction::defineOwnProperty):
3231         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
3232         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
3233         * runtime/JSGlobalObject.cpp:
3234         (JSC::JSGlobalObject::reset):
3235         * runtime/JSGlobalObjectFunctions.cpp:
3236         (JSC::globalFuncSetTypeErrorAccessor): Deleted.
3237         * runtime/JSGlobalObjectFunctions.h:
3238         * runtime/JSObject.cpp:
3239         (JSC::JSObject::putDirectPrototypeProperty): Deleted.
3240         (JSC::JSObject::putDirectPrototypePropertyWithoutTransitions): Deleted.
3241         * runtime/JSObject.h:
3242         * runtime/JSPromiseConstructor.cpp:
3243         (JSC::JSPromiseConstructor::finishCreation):
3244         * runtime/MapConstructor.cpp:
3245         (JSC::MapConstructor::finishCreation):
3246         * runtime/MapIteratorConstructor.cpp:
3247         (JSC::MapIteratorConstructor::finishCreation):
3248         * runtime/NameConstructor.cpp:
3249         (JSC::NameConstructor::finishCreation):
3250         * runtime/NativeErrorConstructor.cpp:
3251         (JSC::NativeErrorConstructor::finishCreation):
3252         * runtime/NumberConstructor.cpp:
3253         (JSC::NumberConstructor::finishCreation):
3254         * runtime/ObjectConstructor.cpp:
3255         (JSC::ObjectConstructor::finishCreation):
3256         * runtime/RegExpConstructor.cpp:
3257         (JSC::RegExpConstructor::finishCreation):
3258         * runtime/SetConstructor.cpp:
3259         (JSC::SetConstructor::finishCreation):
3260         * runtime/SetIteratorConstructor.cpp:
3261         (JSC::SetIteratorConstructor::finishCreation):
3262         * runtime/StringConstructor.cpp:
3263         (JSC::StringConstructor::finishCreation):
3264         * runtime/WeakMapConstructor.cpp:
3265         (JSC::WeakMapConstructor::finishCreation):
3266
3267 2014-04-11  David Kilzer  <ddkilzer@apple.com>
3268
3269         [ASan] Build broke because libCompileRuntimeToLLVMIR.a links to libclang_rt.asan_osx_dynamic.dylib
3270         <http://webkit.org/b/131556>
3271         <rdar://problem/16591856>
3272
3273         Reviewed by Brent Fulgham.
3274
3275         * Configurations/CompileRuntimeToLLVMIR.xcconfig: Clear
3276         OTHER_LDFLAGS so the ASan build does not try to link to
3277         libclang_rt.asan_osx_dynamic.dylib.
3278
3279 2014-04-11  Mark Lam  <mark.lam@apple.com>
3280
3281         JSMainThreadExecState::call() should clear exceptions before returning.
3282         <https://webkit.org/b/131530>
3283
3284         Reviewed by Geoffrey Garen.
3285
3286         Added a version of JSC::call() that returns any uncaught exception instead
3287         of leaving it pending in the VM.
3288
3289         As part of this change, I updated various parts of the code base to use the
3290         new API as needed.
3291
3292         * bindings/ScriptFunctionCall.cpp:
3293         (Deprecated::ScriptFunctionCall::call):
3294         - ScriptFunctionCall::call() is only used by the inspector to inject scripts.
3295           The injected scripts will include Inspector scripts that should catch
3296           and handle any exceptions that were thrown.  We should not be seeing any
3297           exceptions returned from this call.  However, we do have checks for
3298           exceptions in case there are bugs in the Inspector scripts which allowed
3299           the exception to leak through.  Hence, it is proper to clear the exception
3300           here, and only record the fact that an exception was seen (if present).
3301
3302         * bindings/ScriptFunctionCall.h:
3303         * inspector/InspectorEnvironment.h:
3304         * runtime/CallData.cpp:
3305         (JSC::call):
3306         * runtime/CallData.h:
3307
3308 2014-04-11  Oliver Hunt  <oliver@apple.com>
3309
3310         Add BuiltinLog function to make debugging builtins easier
3311         https://bugs.webkit.org/show_bug.cgi?id=131550
3312
3313         Reviewed by Andreas Kling.
3314
3315         Add a logging function that builtins can use for debugging.
3316
3317         * runtime/CommonIdentifiers.h:
3318         * runtime/JSGlobalObject.cpp:
3319         (JSC::JSGlobalObject::reset):
3320         * runtime/JSGlobalObjectFunctions.cpp:
3321         (JSC::globalFuncBuiltinLog):
3322         * runtime/JSGlobalObjectFunctions.h:
3323
3324 2014-04-11  Julien Brianceau  <jbriance@cisco.com>
3325
3326         Fix LLInt for sh4 architecture (broken since C stack merge).
3327         https://bugs.webkit.org/show_bug.cgi?id=131532
3328
3329         Reviewed by Mark Lam.
3330
3331         This patch fixes the build and also implements sh4 parts for initPCRelative and
3332         setEntryAddress macros introduced in http://trac.webkit.org/changeset/167094.
3333
3334         * llint/LowLevelInterpreter.asm:
3335         * llint/LowLevelInterpreter32_64.asm:
3336         * offlineasm/instructions.rb:
3337         * offlineasm/sh4.rb:
3338
3339 2014-04-10  Michael Saboff  <msaboff@apple.com>
3340
3341         Crash beneath DFG JIT code @ video.disney.com
3342         https://bugs.webkit.org/show_bug.cgi?id=131447
3343
3344         Reviewed by Geoffrey Garen.
3345
3346         The 32-bit path of speculateMisc() uses an 'is not int32' check followed by
3347         a 'tag not less than Undefined' check.  The first check was incorrectly elided if we
3348         knew that the value *was* an int32, when it should have been elided if we already
3349         knew that the value *was not* an int32.
3350
3351         * dfg/DFGSpeculativeJIT.cpp:
3352         (JSC::DFG::SpeculativeJIT::speculateMisc):
3353         * tests/stress/test-spec-misc.js: Added test.
3354         (getX):
3355         (foo):
3356         (bar):
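
Worked example, added here and not part of the WebKit ChangeLog or of DFGSpeculativeJIT.cpp: a constructed model of the two-branch 32-bit check this entry describes and of the inverted elision rule. The tag values, the `Proven` flag that stands in for what the compiler already knows about the value, and the function names are assumptions of this example; they are chosen so that Int32 is the highest tag and Undefined the lowest "misc" tag, which is the ordering that makes "not int32, and tag not less than Undefined" a valid misc check.

```cpp
#include <cstdint>

// Constructed model of a 32-bit (tag, payload) value encoding. The numeric tag
// values are assumptions for this example, not JavaScriptCore's own constants.
enum Tag : uint32_t {
    Int32Tag     = 0xffffffff,
    BooleanTag   = 0xfffffffe,
    NullTag      = 0xfffffffd,
    UndefinedTag = 0xfffffffc,
    CellTag      = 0xfffffffb,
};

// What the compiler has already proven about the value when the check runs.
enum class Proven { Nothing, IsInt32, IsNotInt32 };

// The speculation check: returns true if the value is accepted as "misc"
// (boolean, null or undefined). `elideWhenProvenInt32` selects the wrong
// elision rule from the entry above; false selects the corrected one.
static bool speculateMiscImpl(uint32_t tag, Proven proven, bool elideWhenProvenInt32) {
    bool elideInt32Check = elideWhenProvenInt32
        ? proven == Proven::IsInt32     // wrong: skips the guard exactly when it is needed
        : proven == Proven::IsNotInt32; // right: the guard is redundant, so it may go
    if (!elideInt32Check && tag == Int32Tag)
        return false; // speculation failure: an int32 is not misc
    if (tag < UndefinedTag)
        return false; // cell or lower: not misc
    return true;
}

bool speculateMiscBuggy(uint32_t tag, Proven proven) { return speculateMiscImpl(tag, proven, true); }
bool speculateMiscFixed(uint32_t tag, Proven proven) { return speculateMiscImpl(tag, proven, false); }
```

The point for a defender reading a fix like this: the code that runs after a speculation check assumes the checked type, so an elided guard that lets an int32 through as misc is a type confusion in JIT-compiled code, not merely a performance problem. Any change to the conditions under which a guard is skipped deserves a test with a value of the excluded type, which is what the added test-spec-misc.js does.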
3357
3358 2014-04-08  Filip Pizlo  <fpizlo@apple.com>
3359
3360         Make room for additional types in SpeculatedType.h
3361         https://bugs.webkit.org/show_bug.cgi?id=131422
3362
3363         Reviewed by Sam Weinig.
3364         
3365         This'll make it easier to add DoubleHeavyNaN and DoubleEmptyNaN.
3366
3367         * bytecode/SpeculatedType.h:
3368
3369 2014-04-10  Alex Christensen  <achristensen@webkit.org>
3370
3371         Compile fix for Win64.
3372         https://bugs.webkit.org/show_bug.cgi?id=131508
3373
3374         Reviewed by Geoffrey Garen.
3375
3376         * assembler/X86Assembler.h:
3377         (JSC::X86Assembler::fillNops):
3378         Added unsigned template parameter to distinguish between size_t and unsigned long.
3379
3380 2014-04-10  Michael Saboff  <msaboff@apple.com>
3381
3382         LLInt interpreter code should be generated as part of one function
3383         https://bugs.webkit.org/show_bug.cgi?id=131205
3384
3385         Reviewed by Mark Lam.
3386
3387         Changed the generation of llint opcodes so that they are all part of the same
3388         global function, llint_entry.  That function is used to fill in an entry point
3389         table that includes each of the opcodes and helpers.
3390
3391         * CMakeLists.txt:
3392         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
3393         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
3394         * JavaScriptCore.xcodeproj/project.pbxproj:
3395         Added appropriate use of new -I option to offline assembler and offset
3396         generator scripts.
3397
3398         * llint/LowLevelInterpreter.asm:
3399         * llint/LowLevelInterpreter.cpp:
3400         * llint/LowLevelInterpreter.h:
3401         * offlineasm/arm.rb:
3402         * offlineasm/arm64.rb: