6c1d335419057161be4486e943b7ff27258f386e
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2013-10-22  Julien Brianceau  <jbriance@cisco.com>

        [sh4][mips][arm] Fix crashes in JSC (32-bit only).
        https://bugs.webkit.org/show_bug.cgi?id=123165

        Reviewed by Michael Saboff.

        * jit/JITInlines.h:
        (JSC::JIT::callOperationNoExceptionCheck): Add missing EABI_32BIT_DUMMY_ARG.
        (JSC::JIT::callOperation): The last TrustedImm32(arg3) is a bit overkill for SH4 :)
        (JSC::JIT::callOperation): Add missing EABI_32BIT_DUMMY_ARG.
        (JSC::JIT::callOperation): Fix tag and payload order for V_JITOperation_EJJJ prototype.

2013-10-22  Julien Brianceau  <jbriance@cisco.com>

        REGRESSION(r157690, r157699) Fix architectures using AssemblerBufferWithConstantPool.
        https://bugs.webkit.org/show_bug.cgi?id=123092

        Reviewed by Michael Saboff.

        Impacted architectures are SH4 and ARM_TRADITIONAL.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::buffer):
        * assembler/AssemblerBufferWithConstantPool.h:
        (JSC::AssemblerBufferWithConstantPool::flushConstantPool):
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::linkCode):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::buffer):

2013-10-22  Julien Brianceau  <jbriance@cisco.com>

        Remove unused stuff in JIT stubs.
        https://bugs.webkit.org/show_bug.cgi?id=123155

        Reviewed by Michael Saboff.

        * jit/JITStubs.h:
        * jit/JITStubsARM.h:
        (JSC::ctiTrampoline):
        * jit/JITStubsARM64.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsMIPS.h:
        * jit/JITStubsSH4.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:

2013-10-22  Daniel Bates  <dabates@apple.com>

        [iOS] Upstream OS-version-specific install paths for JavaScriptCore.framework
        https://bugs.webkit.org/show_bug.cgi?id=123115
        <rdar://problem/13696872>

        Reviewed by Andy Estes.

        Based on a patch by Mark Hahnenberg.

        Add support for running JavaScriptCore-based apps, built against the iOS 7 SDK, on older versions of iOS.

        * API/JSBase.cpp:

2013-10-22  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Add missing lastRegister(), firstFPRegister() and lastFPRegister().
        https://bugs.webkit.org/show_bug.cgi?id=123157

        Reviewed by Andreas Kling.

        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::lastRegister):
        (JSC::SH4Assembler::firstFPRegister):
        (JSC::SH4Assembler::lastFPRegister):

2013-10-22  Brian Holt  <brian.holt@samsung.com>

        Build break on ARMv7 after r157209
        https://bugs.webkit.org/show_bug.cgi?id=122890

        Reviewed by Csaba Osztrogonác.

        Add framePointerRegister and first/last register helpers for ARM_TRADITIONAL.

        * assembler/ARMAssembler.h:
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::firstRegister):
        (JSC::MacroAssemblerARM::lastRegister):
        (JSC::MacroAssemblerARM::firstFPRegister):
        (JSC::MacroAssemblerARM::lastFPRegister):

2013-10-21  Daniel Bates  <dabates@apple.com>

        [iOS] Upstream JSGlobalObject::shouldInterruptScriptBeforeTimeout()
        https://bugs.webkit.org/show_bug.cgi?id=123045

        Reviewed by Joseph Pecoraro.

        * jsc.cpp: Add function pointer for shouldInterruptScriptBeforeTimeout
        to global method table.
        * runtime/JSGlobalObject.cpp: Ditto.
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::shouldInterruptScriptBeforeTimeout): Added.

2013-10-21  Daniel Bates  <dabates@apple.com>

        [iOS] Upstream JSC Objective-C API compiler warning fixes
        https://bugs.webkit.org/show_bug.cgi?id=123125

        Reviewed by Mark Hahnenberg.

        Based on a patch by Mark Hahnenberg.

        * API/JSValue.mm:
        (-[JSValue toPoint]): Cast to CGFloat to fix some compiler warnings about double narrowing to float.
        (-[JSValue toSize]): Ditto.
        * API/tests/testapi.mm: Changed a test that was failing due to overflow of 32-bit NSUInteger on armv7.

2013-10-21  Daniel Bates  <dabates@apple.com>

        [iOS] Mark classes JS{Context, ManagedValue, Value, VirtualMachine} as
        available since iOS 7.0
        https://bugs.webkit.org/show_bug.cgi?id=123122

        Reviewed by Dan Bernstein.

        * API/JSContext.h:
        * API/JSManagedValue.h:
        * API/JSValue.h:
        * API/JSVirtualMachine.h:

2013-10-20  Mark Lam  <mark.lam@apple.com>

        Avoid JSC debugger overhead unless needed.
        https://bugs.webkit.org/show_bug.cgi?id=123084.

        Reviewed by Geoffrey Garen.

        - If no breakpoints are set, we now avoid calling the debug hook callbacks.
        - If no break on exception is set, we also avoid exception event debug callbacks.
        - When we return from the ScriptDebugServer to the JSC::Debugger, we may no
          longer call the debug hook callbacks if not needed. Hence, the m_currentCallFrame
          pointer in the ScriptDebugServer may become stale. To avoid this issue, before
          returning, the ScriptDebugServer will clear its m_currentCallFrame if
          needsOpDebugCallbacks() is false.

        * debugger/Debugger.cpp:
        (JSC::Debugger::Debugger):
        (JSC::Debugger::setNeedsExceptionCallbacks):
        (JSC::Debugger::setShouldPause):
        (JSC::Debugger::updateNumberOfBreakpoints):
        (JSC::Debugger::updateNeedForOpDebugCallbacks):
        * debugger/Debugger.h:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::unwind):
        (JSC::Interpreter::debug):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_debug):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_debug):
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LowLevelInterpreter.asm:

2013-10-21  Brent Fulgham  <bfulgham@apple.com>

        [WIN] Unreviewed build correction.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Handle new JIT files as C++ implementation
          sources, not header files.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.

2013-10-21  Oliver Hunt  <oliver@apple.com>

        Support computed property names in object literals
        https://bugs.webkit.org/show_bug.cgi?id=123112

        Reviewed by Michael Saboff.

        Add support for computed property names to the parser.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createProperty):
        (JSC::ASTBuilder::getName):
        * parser/NodeConstructors.h:
        (JSC::PropertyNode::PropertyNode):
        * parser/Nodes.h:
        (JSC::PropertyNode::expressionName):
        (JSC::PropertyNode::name):
        * parser/Parser.cpp:
        (JSC::::parseProperty):
        (JSC::::parseStrictObjectLiteral):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::Property::Property):
        (JSC::SyntaxChecker::createProperty):
        (JSC::SyntaxChecker::operatorStackPop):

2013-10-21  Michael Saboff  <msaboff@apple.com>

        Add option so that JSC will crash if it can't allocate executable memory for the JITs
        https://bugs.webkit.org/show_bug.cgi?id=123048
        <rdar://problem/12856193>

        Reviewed by Geoffrey Garen.

        Added new option, called crashIfCantAllocateJITMemory. If this option is true then we crash
        when checking the validity of the executable allocator. The default value for this option is
        false, but jsc sets it to true when built for iOS to make it straightforward to identify whether
        the app can obtain executable memory.

        * jsc.cpp: Explicitly enable crashIfCantAllocateJITMemory on iOS.
        (main):
        * runtime/Options.h: Added option crashIfCantAllocateJITMemory.
        * runtime/VM.cpp:
        (JSC::enableAssembler): Modified to crash if option crashIfCantAllocateJITMemory
        is enabled.

2013-10-21  Nadav Rotem  <nrotem@apple.com>

        Remove AllInOneFile.cpp
        https://bugs.webkit.org/show_bug.cgi?id=123055

        Reviewed by Csaba Osztrogonác.

        * AllInOneFile.cpp: Removed.

2013-10-20  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, cleanup a FIXME comment.

        * jit/Repatch.cpp:

2013-10-20  Filip Pizlo  <fpizlo@apple.com>

        StructureStubInfo's usedRegisters set should be able to track all registers, not just the ones that our JIT's view as temporaries
        https://bugs.webkit.org/show_bug.cgi?id=123076

        Reviewed by Sam Weinig.

        Start preparing for a world in which we are patching code generated by LLVM, which may have
        very different register usage conventions than our JITs. This requires us being more explicit
        about the registers we are using. For example, the repatching code shouldn't take for granted
        that tagMaskRegister holds the TagMask or that the register is even in use.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::numberOfRegisters):
        (JSC::MacroAssembler::registerIndex):
        (JSC::MacroAssembler::numberOfFPRegisters):
        (JSC::MacroAssembler::fpRegisterIndex):
        (JSC::MacroAssembler::totalNumberOfRegisters):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::usedRegisters):
        * dfg/DFGSpeculativeJIT.h:
        * ftl/FTLSaveRestore.cpp:
        (JSC::FTL::bytesForGPRs):
        (JSC::FTL::bytesForFPRs):
        (JSC::FTL::offsetOfGPR):
        (JSC::FTL::offsetOfFPR):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/RegisterSet.cpp: Added.
        (JSC::RegisterSet::specialRegisters):
        * jit/RegisterSet.h: Added.
        (JSC::RegisterSet::RegisterSet):
        (JSC::RegisterSet::set):
        (JSC::RegisterSet::clear):
        (JSC::RegisterSet::get):
        (JSC::RegisterSet::merge):
        * jit/Repatch.cpp:
        (JSC::generateProtoChainAccessStub):
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::emitPutReplaceStub):
        (JSC::tryRepatchIn):
        (JSC::linkClosureCall):
        * jit/TempRegisterSet.cpp: Added.
        (JSC::TempRegisterSet::TempRegisterSet):
        * jit/TempRegisterSet.h:

2013-10-20  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Fix build (broken since r157690).
        https://bugs.webkit.org/show_bug.cgi?id=123081

        Reviewed by Andreas Kling.

        * assembler/AssemblerBufferWithConstantPool.h:
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::buffer):
        (JSC::SH4Assembler::readCallTarget):

2013-10-19  Filip Pizlo  <fpizlo@apple.com>

        Simplify TempRegisterSet - it no longer needs to be convertible to a POD since it's no longer going to be a member of a union
        https://bugs.webkit.org/show_bug.cgi?id=123079

        Reviewed by Geoffrey Garen.

        * jit/TempRegisterSet.h:

2013-10-19  Filip Pizlo  <fpizlo@apple.com>

        Rename RegisterSet to TempRegisterSet
        https://bugs.webkit.org/show_bug.cgi?id=123077

        Reviewed by Dan Bernstein.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/StructureStubInfo.h:
        * dfg/DFGJITCompiler.h:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::usedRegisters):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/RegisterSet.h: Removed.
        * jit/ScratchRegisterAllocator.h:
        (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
        * jit/TempRegisterSet.h: Copied from Source/JavaScriptCore/jit/RegisterSet.h.
        (JSC::TempRegisterSet::TempRegisterSet):
        (JSC::TempRegisterSet::asPOD):
        (JSC::TempRegisterSet::copyInfo):

2013-10-19  Filip Pizlo  <fpizlo@apple.com>

        Restructure LinkBuffer to allow for alternate allocation strategies
        https://bugs.webkit.org/show_bug.cgi?id=123071

        Reviewed by Oliver Hunt.

        The idea is to eventually allow a LinkBuffer to place the code into an already
        allocated region of memory.  That region of memory could be the nop-slide left behind
        by a llvm.webkit.patchpoint.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::buffer):
        * assembler/AssemblerBuffer.h:
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        (JSC::LinkBuffer::linkCode):
        (JSC::LinkBuffer::allocate):
        (JSC::LinkBuffer::shrink):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::didFailToAllocate):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::buffer):
        (JSC::X86Assembler::X86InstructionFormatter::memoryModRM):

2013-10-19  Alexey Proskuryakov  <ap@apple.com>

        Some includes in JSC seem to use an incorrect style
        https://bugs.webkit.org/show_bug.cgi?id=123057

        Reviewed by Geoffrey Garen.

        Changed pseudo-system includes to user ones.

        * API/JSContextRef.cpp:
        * API/JSStringRefCF.cpp:
        * API/JSValueRef.cpp:
        * API/OpaqueJSString.cpp:
        * jit/JIT.h:
        * parser/SyntaxChecker.h:
        * runtime/WeakGCMap.h:

2013-10-19  Filip Pizlo  <fpizlo@apple.com>

        Baseline JIT and DFG IC code generation should be unified and rationalized
        https://bugs.webkit.org/show_bug.cgi?id=122939

        Reviewed by Geoffrey Garen.

        Introduce the JITInlineCacheGenerator, which takes a CodeBlock and a CodeOrigin plus
        some register info and creates JIT inline caches for you. Used this to even further
        unify the baseline and DFG ICs. In the future we can use this for FTL ICs. And my hope
        is that we'll be able to use it for cascading ICs: an IC for some instruction may realize
        that it needs to do the equivalent of get_by_id, so with this generator it will be able
        to create an IC even though it wasn't associated with a get_by_id bytecode instruction.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::DataLabelCompact::label):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::ecmaMode):
        * dfg/DFGInlineCacheWrapper.h: Added.
        (JSC::DFG::InlineCacheWrapper::InlineCacheWrapper):
        * dfg/DFGInlineCacheWrapperInlines.h: Added.
        (JSC::DFG::::finalize):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addGetById):
        (JSC::DFG::JITCompiler::addPutById):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::isStrictModeFor):
        (JSC::AssemblyHelpers::strictModeFor):
        * jit/GPRInfo.h:
        (JSC::JSValueRegs::tagGPR):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITInlineCacheGenerator.cpp: Added.
        (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITByIdGenerator::finalize):
        (JSC::JITByIdGenerator::generateFastPathChecks):
        (JSC::JITGetByIdGenerator::generateFastPath):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        (JSC::JITPutByIdGenerator::generateFastPath):
        (JSC::JITPutByIdGenerator::slowPathFunction):
        * jit/JITInlineCacheGenerator.h: Added.
        (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
        (JSC::JITInlineCacheGenerator::stubInfo):
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITByIdGenerator::reportSlowPathCall):
        (JSC::JITByIdGenerator::slowPathJump):
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/RegisterSet.h:
        (JSC::RegisterSet::set):

2013-10-19  Alexey Proskuryakov  <ap@apple.com>

        APICast.h uses functions from JSCJSValueInlines.h, but doesn't include it
        https://bugs.webkit.org/show_bug.cgi?id=123067

        Reviewed by Geoffrey Garen.

        * API/APICast.h: Include it.

2013-10-19  Filip Pizlo  <fpizlo@apple.com>

        FTL::Location should treat the offset as an addend in the case of a Register location
        https://bugs.webkit.org/show_bug.cgi?id=123062

        Reviewed by Sam Weinig.

        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::forStackmaps):
        (JSC::FTL::Location::dump):
        (JSC::FTL::Location::restoreInto):
        * ftl/FTLLocation.h:
        (JSC::FTL::Location::forRegister):
        (JSC::FTL::Location::hasAddend):
        (JSC::FTL::Location::addend):

2013-10-19  Nadav Rotem  <nrotem@apple.com>

        DFG dominators: document and rename stuff.
        https://bugs.webkit.org/show_bug.cgi?id=123056

        Reviewed by Filip Pizlo.

        Documented the code and renamed some variables.

        * dfg/DFGDominators.cpp:
        (JSC::DFG::Dominators::compute):
        (JSC::DFG::Dominators::pruneDominators):
        * dfg/DFGDominators.h:

2013-10-19  Julien Brianceau  <jbriance@cisco.com>

        Fix build failure for architectures with 4 argument registers.
        https://bugs.webkit.org/show_bug.cgi?id=123060

        Reviewed by Michael Saboff.

        Add missing setupArgumentsWithExecState() prototypes for architectures with 4 argument registers.
        Remove SH4 specific code no longer needed since callOperation prototype change in r157660.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):

2013-10-18  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix FTL build.

        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetById):

2013-10-18  Filip Pizlo  <fpizlo@apple.com>

        A CodeBlock's StructureStubInfos shouldn't be in a Vector that we search using code origins and machine code PCs
        https://bugs.webkit.org/show_bug.cgi?id=122940

        Reviewed by Oliver Hunt.

        This accomplishes a number of simplifications. StructureStubInfo is now non-moving,
        whereas previously it was in a Vector, so it moved. This allows you to use pointers to
        StructureStubInfo. This also eliminates the use of return PC as a way of finding the
        StructureStubInfo's. It removes some of the need for the compile-time property access
        records; for example the DFG no longer has to save information about registers in a
        property access record only to later save it to the stub info.

        The main thing it accomplishes is that it makes it easier to add StructureStubInfo's
        at any stage of compilation.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::addStubInfo):
        (JSC::CodeBlock::getStubInfoMap):
        (JSC::CodeBlock::shrinkToFit):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::begin):
        (JSC::CodeBlock::end):
        (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
        * bytecode/CodeOrigin.h:
        (JSC::CodeOrigin::CodeOrigin):
        (JSC::CodeOrigin::isHashTableDeletedValue):
        (JSC::CodeOrigin::hash):
        (JSC::CodeOriginHash::hash):
        (JSC::CodeOriginHash::equal):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        * bytecode/GetByIdStatus.h:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * bytecode/PutByIdStatus.h:
        * bytecode/StructureStubInfo.h:
        (JSC::getStructureStubInfoCodeOrigin):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::PropertyAccessRecord::PropertyAccessRecord):
        (JSC::DFG::InRecord::InRecord):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JIT.cpp:
        (JSC::PropertyStubCompilationInfo::copyToStubInfo):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::PropertyStubCompilationInfo::slowCaseInfo):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/Repatch.cpp:
        (JSC::appropriateGenericPutByIdFunction):
        (JSC::appropriateListBuildingPutByIdFunction):
        (JSC::resetPutByID):

2013-10-18  Oliver Hunt  <oliver@apple.com>

        Spread operator should be performing direct "puts" and not triggering setters
        https://bugs.webkit.org/show_bug.cgi?id=123047

        Reviewed by Geoffrey Garen.

        Add a new opcode -- op_put_by_val_direct -- and make use of it in the spread
        to array construct.  This required a new PutByValDirect node to be introduced to
        the DFG.  The current implementation simply changes the slow path function that
        is called, but in future this could be made faster as it does not need to check
        the prototype chain.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDirectPutByVal):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::getArrayLengthElimination):
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::checkStructureElimination):
        (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::clobbersWorld):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasArrayMode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByVal):
        (JSC::DFG::operationPutByValInternal):
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        (JSC::JIT::compileDirectPutByVal):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::privateCompilePutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_put_by_val):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
699
2013-10-18  Daniel Bates  <dabates@apple.com>

        [iOS] Export symbol for VM::sharedInstanceExists()
        https://bugs.webkit.org/show_bug.cgi?id=123046

        Reviewed by Mark Hahnenberg.

        * runtime/VM.h:

2013-10-18  Daniel Bates  <dabates@apple.com>

        [iOS] Upstream WebSafe{GCActivityCallback, IncrementalSweeper}IOS
        https://bugs.webkit.org/show_bug.cgi?id=123049

        Reviewed by Mark Hahnenberg.

        * heap/Heap.cpp:
        (JSC::Heap::setIncrementalSweeper):
        * heap/Heap.h:
        * heap/HeapTimer.h:
        * heap/IncrementalSweeper.h: Make protected and export CF-variant of constructor.
        Removed unused include of header RetainPtr.h. Also forward declare class MarkedBlock
        (we include its header in the .cpp file) and remove include for header wtf/HashSet.h
        (duplicates the include in the .cpp).
        * heap/MachineStackMarker.h: Export function makeUsableFromMultipleThreads(). We aren't
        making use of this now, but we'll make use of it in a subsequent patch.

2013-10-18  Anders Carlsson  <andersca@apple.com>

        Remove spaces between template angle brackets
        https://bugs.webkit.org/show_bug.cgi?id=123040

        Reviewed by Andreas Kling.

        * API/JSCallbackObject.cpp:
        (JSC::::create):
        * API/JSObjectRef.cpp:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::constants):
        (JSC::CodeBlock::setConstantRegisters):
        * bytecode/DFGExitProfile.h:
        * bytecode/EvalCodeCache.h:
        * bytecode/Operands.h:
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::constantRegisters):
        * bytecode/Watchpoint.h:
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/StaticPropertyAnalysis.h:
        * bytecompiler/StaticPropertyAnalyzer.h:
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        * dfg/DFGBlockInsertionSet.h:
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::performCSE):
        (JSC::DFG::performStoreElimination):
        * dfg/DFGCommonData.h:
        * dfg/DFGDesiredStructureChains.h:
        * dfg/DFGDesiredWatchpoints.h:
        * dfg/DFGJITCompiler.h:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGWorklist.h:
        * heap/BlockAllocator.h:
        (JSC::CopiedBlock):
        (JSC::MarkedBlock):
        (JSC::WeakBlock):
        (JSC::MarkStackSegment):
        (JSC::CopyWorkListSegment):
        (JSC::HandleBlock):
        * heap/Heap.h:
        * heap/Local.h:
        * heap/MarkedBlock.h:
        * heap/Strong.h:
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::decodedCodeMapFor):
        * jit/AssemblyHelpers.h:
        * jit/SpecializedThunkJIT.h:
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::::parseIfStatement):
        * parser/Parser.h:
        (JSC::Scope::copyCapturedVariablesToVector):
        (JSC::parse):
        * parser/ParserArena.h:
        * parser/SourceProviderCacheItem.h:
        * profiler/LegacyProfiler.cpp:
        (JSC::dispatchFunctionToProfiles):
        * profiler/LegacyProfiler.h:
        (JSC::LegacyProfiler::currentProfiles):
        * profiler/ProfileNode.h:
        (JSC::ProfileNode::children):
        * profiler/ProfilerDatabase.h:
        * runtime/Butterfly.h:
        (JSC::Butterfly::contiguousInt32):
        (JSC::Butterfly::contiguous):
        * runtime/GenericTypedArrayViewInlines.h:
        (JSC::::create):
        * runtime/Identifier.h:
        (JSC::Identifier::add):
        * runtime/JSPromise.h:
801         * runtime/PropertyMapHashTable.h:
802         * runtime/PropertyNameArray.h:
803         * runtime/RegExpCache.h:
804         * runtime/SparseArrayValueMap.h:
805         * runtime/SymbolTable.h:
806         * runtime/VM.h:
807         * tools/CodeProfile.cpp:
808         (JSC::truncateTrace):
809         * tools/CodeProfile.h:
810         * yarr/YarrInterpreter.cpp:
811         * yarr/YarrInterpreter.h:
812         (JSC::Yarr::BytecodePattern::BytecodePattern):
813         * yarr/YarrJIT.cpp:
814         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
815         (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
816         (JSC::Yarr::YarrGenerator::opCompileBody):
817         * yarr/YarrPattern.cpp:
818         (JSC::Yarr::YarrPatternConstructor::checkForTerminalParentheses):
819         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
820         * yarr/YarrPattern.h:
821
822 2013-10-18  Mark Lam  <mark.lam@apple.com>
823
824         Remove excess reserved space in ctiTrampoline frames for X86 and X86_64.
825         https://bugs.webkit.org/show_bug.cgi?id=123037.
826
827         Reviewed by Geoffrey Garen.
828
829         * jit/JITStubsMSVC64.asm:
830         * jit/JITStubsX86.h:
831         * jit/JITStubsX86_64.h:
832
833 2013-10-18  Filip Pizlo  <fpizlo@apple.com>
834
835         Frequent RELEASE_ASSERT crashes in Structure::checkOffsetConsistency on WebGL swizzler tests
836         https://bugs.webkit.org/show_bug.cgi?id=121661
837
838         Reviewed by Mark Hahnenberg.
839         
840         This method shouldn't have been called from the concurrent JIT thread. That's hard to prevent
841         so I added a return-early check using isCompilationThread().
842         
843         Here's why this makes sense. Structure has two ways to tell you about the layout of the objects
844         it is describing: m_offset and the property table. Most structures only have m_offset and report
845         null for the property table. If the property table is there, it will tell you additional
846         information and that information subsumes m_offset - but the m_offset is still there. So, when
847         we have a property table, we have to keep it in sync with the m_offset. There is a bunch of
848         machinery to do this.
849         
850         Changing the property table only happens on the main thread.
851         
852         Because the machinery to change the property table is so complex, especially with respect to
853         keeping it in sync with m_offset, we have the checkOffsetConsistency method. It's meant to be
854         called at key points before and after changes to the property table or the offset.
855
856         Most clients of Structure who care about object layout, including the concurrent thread, will
857         want to know m_offset and not the property table. If they want the property table, they will
858         already be super careful. The concurrent thread has special methods for this, like
859         Structure::getConcurrently(), which uses fine-grained locking to ensure that it sees a coherent
860         view of the property table.
861         
862         Adding locking to checkOffsetConsistency() is probably a bad idea since that method may be
863         called when the relevant lock is already held. So, we'd have awkward recursive locking issues.
864         
865         But right now, the concurrent JIT thread may call a method, like Structure::outOfLineCapacity(),
866         which has a call to checkOffsetConsistency(). The call to checkOffsetConsistency() is there
867         because we have found that it helps quickly identify situations where the property table and
868         m_offset get out of sync - mainly because code that changes either of those things will usually
869         also want to know the outOfLineCapacity(). But Structure::outOfLineCapacity() doesn't *actually*
870         need the property table; it uses the m_offset. The concurrent JIT is correct to call
871         outOfLineCapacity(), and is right to do so without holding any locks (since in all cases where
872         it calls outOfLineCapacity() it has already proven that m_offset is immutable). But because
873         outOfLineCapacity() calls checkOffsetConsistency(), and checkOffsetConsistency() doesn't grab
874         locks, and that same structure is having its property table modified by the main thread, we end
875         up with these spurious assertion failures. FWIW, the structure isn't *actually* having *its*
876         property table modified - instead what happens is that some downstream structure steals the
877         property table and then starts adding things to it. The concurrent thread loads the property
878         table before it's stolen, and hence the badness.
879         
880         I suspect there are other code paths that lead to the concurrent JIT calling some Structure
881         method that it is fine and safe to call, but then that method calls checkOffsetConsistency(),
882         and then you have a possible crash.
883         
884         The most sensible solution to this appears to be to make sure that checkOffsetConsistency() is
885         aware of its uselessness to the concurrent JIT thread. This change makes it return early if
886         it's in the concurrent JIT.
887         
888         * runtime/StructureInlines.h:
889         (JSC::Structure::checkOffsetConsistency):
890
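The interleaving the entry above describes, replayed deterministically. This is an added example, not JavaScriptCore's code: Structure, PropertyTable, checkOffsetConsistency() and outOfLineCapacity() are small hypothetical models, and the thread-local flag standing in for isCompilationThread() is toggled by hand instead of racing two real threads.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <utility>

// Hypothetical stand-in for isCompilationThread(); set by hand in replayRace() so the
// interleaving from the entry can be replayed in a single thread.
thread_local bool compilationThread = false;
bool isCompilationThread() { return compilationThread; }

struct PropertyTable {
    size_t propertyCount = 0;   // the table's own description of the layout
};

struct Structure {
    size_t m_offset = 0;                       // always present, and all the JIT needs
    std::shared_ptr<PropertyTable> m_table;    // usually null; subsumes m_offset when present

    // Main thread only: add a property, keeping the table and m_offset in sync.
    void addProperty() {
        if (!m_table)
            m_table = std::make_shared<PropertyTable>();
        ++m_table->propertyCount;
        ++m_offset;
    }

    // Main thread only: a downstream structure steals this one's table, leaving
    // this structure with m_offset alone.
    Structure transition() {
        Structure child;
        child.m_offset = m_offset;
        child.m_table = std::move(m_table);    // this->m_table is now null
        return child;
    }

    // Modelled after checkOffsetConsistency(): the table the caller observed must agree
    // with m_offset. The caller passes in the table it loaded, so the replay can hand in
    // a stale one. The first line is the early return the entry adds.
    bool checkOffsetConsistency(const std::shared_ptr<PropertyTable>& observed) const {
        if (isCompilationThread())
            return true;                        // the concurrent JIT never needs the table
        if (!observed)
            return true;                        // nothing to cross-check
        return observed->propertyCount == m_offset;
    }

    // Like outOfLineCapacity(): only m_offset is needed, but the check rides along.
    size_t outOfLineCapacity(const std::shared_ptr<PropertyTable>& observed, bool& consistent) const {
        consistent = checkOffsetConsistency(observed);
        return m_offset;
    }
};

// Replays the race from the concurrent JIT's point of view. With fixApplied == false the
// check runs as it did before the change; with fixApplied == true the thread identifies
// itself as the compilation thread and the check returns early. Returns true if it fired.
bool replayRace(bool fixApplied) {
    Structure parent;
    parent.addProperty();                      // m_offset == 1, table count == 1

    auto loaded = parent.m_table;              // (1) concurrent thread loads the table
    Structure child = parent.transition();     // (2) main thread: child steals it
    child.addProperty();                       // (3) main thread: count == 2, parent.m_offset still 1

    compilationThread = fixApplied;            // (4) concurrent thread resumes its check
    bool consistent = true;
    parent.outOfLineCapacity(loaded, consistent);
    compilationThread = false;
    return !consistent;                        // spurious failure unless the early return applies
}

// Control: with no interleaving the check passes on the main thread.
bool inSyncCheckPasses() {
    Structure s;
    s.addProperty();
    s.addProperty();
    bool consistent = false;
    s.outOfLineCapacity(s.m_table, consistent);
    return consistent;
}

int main() {
    std::printf("before the fix: %s\n", replayRace(false) ? "spurious assertion failure" : "ok");
    std::printf("after the fix:  %s\n", replayRace(true) ? "spurious assertion failure" : "ok");
    return 0;
}
```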
891 2013-10-18  Daniel Bates  <dabates@apple.com>
892
893         Add SPI to disable the garbage collector timer
894         https://bugs.webkit.org/show_bug.cgi?id=122921
895
896         Add null check to Heap::setGarbageCollectionTimerEnabled() that I inadvertently
897         omitted.
898
899         * heap/Heap.cpp:
900         (JSC::Heap::setGarbageCollectionTimerEnabled):
901
902 2013-10-18  Julien Brianceau  <jbriance@cisco.com>
903
904         Group 64-bit specific and 32-bit specific callOperation implementations.
905         https://bugs.webkit.org/show_bug.cgi?id=123024
906
907         Reviewed by Michael Saboff.
908
909         This is not a big deal, but could be less confusing when reading the code.
910
911         * jit/JITInlines.h:
912         (JSC::JIT::callOperation):
913         (JSC::JIT::callOperationWithCallFrameRollbackOnException):
914         (JSC::JIT::callOperationNoExceptionCheck):
915
916 2013-10-18  Nadav Rotem  <nrotem@apple.com>
917
918         Fix a FlushLiveness problem.
919         https://bugs.webkit.org/show_bug.cgi?id=122984
920
921         Reviewed by Filip Pizlo.
922
923         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
924         (JSC::DFG::FlushLivenessAnalysisPhase::process):
925
926 2013-10-18  Michael Saboff  <msaboff@apple.com>
927
928         Change native function call stubs to use JIT operations instead of ctiVMHandleException
929         https://bugs.webkit.org/show_bug.cgi?id=122982
930
931         Reviewed by Geoffrey Garen.
932
933         Change ctiVMHandleException to operationVMHandleException.  Change all exception operations to
934         return the catch callFrame and entryPC via vm.callFrameForThrow and vm.targetMachinePCForThrow.
935         This removed calling convention headaches, fixing https://bugs.webkit.org/show_bug.cgi?id=122980
936         in the process.
937
938         * dfg/DFGJITCompiler.cpp:
939         (JSC::DFG::JITCompiler::compileExceptionHandlers):
940         * jit/CCallHelpers.h:
941         (JSC::CCallHelpers::jumpToExceptionHandler):
942         * jit/JIT.cpp:
943         (JSC::JIT::privateCompileExceptionHandlers):
944         * jit/JIT.h:
945         * jit/JITExceptions.cpp:
946         (JSC::genericUnwind):
947         * jit/JITExceptions.h:
948         * jit/JITInlines.h:
949         (JSC::JIT::callOperationNoExceptionCheck):
950         * jit/JITOpcodes.cpp:
951         (JSC::JIT::emit_op_throw):
952         * jit/JITOpcodes32_64.cpp:
953         (JSC::JIT::privateCompileCTINativeCall):
954         (JSC::JIT::emit_op_throw):
955         * jit/JITOperations.cpp:
956         * jit/JITOperations.h:
957         * jit/JITStubs.cpp:
958         * jit/JITStubs.h:
959         * jit/JITStubsARM.h:
960         * jit/JITStubsARM64.h:
961         * jit/JITStubsARMv7.h:
962         * jit/JITStubsMIPS.h:
963         * jit/JITStubsMSVC64.asm:
964         * jit/JITStubsSH4.h:
965         * jit/JITStubsX86.h:
966         * jit/JITStubsX86_64.h:
967         * jit/Repatch.cpp:
968         (JSC::tryBuildGetByIDList):
969         * jit/SlowPathCall.h:
970         (JSC::JITSlowPathCall::call):
971         * jit/ThunkGenerators.cpp:
972         (JSC::throwExceptionFromCallSlowPathGenerator):
973         (JSC::nativeForGenerator):
974         * runtime/VM.h:
975         (JSC::VM::callFrameForThrowOffset):
976         (JSC::VM::targetMachinePCForThrowOffset):
977
978 2013-10-18  Julien Brianceau  <jbriance@cisco.com>
979
980         Fix J_JITOperation_EAapJ call for MIPS and ARM EABI.
981         https://bugs.webkit.org/show_bug.cgi?id=123023
982
983         Reviewed by Michael Saboff.
984
985         * jit/JITInlines.h:
986         (JSC::JIT::callOperation): EncodedJSValue parameter does not need alignment
987         using EABI_32BIT_DUMMY_ARG here.
988
989 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
990
991         Unreviewed, another ARM64 build fix.
992         
993         Get rid of andPtr(TrustedImmPtr, blah), since it would take Effort to get it to work
994         on ARM64 and none of its uses are legit - they should all be using
995         andPtr(TrustedImm32, blah) anyway.
996
997         * assembler/MacroAssembler.h:
998         * assembler/MacroAssemblerARM64.h:
999         * dfg/DFGJITCompiler.cpp:
1000         (JSC::DFG::JITCompiler::compileExceptionHandlers):
1001         * jit/JIT.cpp:
1002         (JSC::JIT::privateCompileExceptionHandlers):
1003
1004 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
1005
1006         Unreviewed, speculative ARM64 build fix.
1007         
1008         move(ImmPtr, blah) is only available in MacroAssembler since that's where blinding is
1009         implemented. So, you have to use TrustedImmPtr in the superclasses.
1010
1011         * assembler/MacroAssemblerARM64.h:
1012         (JSC::MacroAssemblerARM64::store8):
1013         (JSC::MacroAssemblerARM64::branchTest8):
1014
1015 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
1016
1017         Unreviewed, speculative ARM build fix.
1018         https://bugs.webkit.org/show_bug.cgi?id=122890
1019         <rdar://problem/15258624>
1020
1021         * assembler/ARM64Assembler.h:
1022         (JSC::ARM64Assembler::firstRegister):
1023         (JSC::ARM64Assembler::lastRegister):
1024         (JSC::ARM64Assembler::firstFPRegister):
1025         (JSC::ARM64Assembler::lastFPRegister):
1026         * assembler/MacroAssemblerARM64.h:
1027         * assembler/MacroAssemblerARMv7.h:
1028
1029 2013-10-17  Andreas Kling  <akling@apple.com>
1030
1031         Pass VM instead of JSGlobalObject to JSONObject constructor.
1032         <https://webkit.org/b/122999>
1033
1034         JSONObject was only using the JSGlobalObject to grab at the VM.
1035         Dodge a few loads by passing the VM directly instead.
1036
1037         Reviewed by Geoffrey Garen.
1038
1039         * runtime/JSONObject.cpp:
1040         (JSC::JSONObject::JSONObject):
1041         (JSC::JSONObject::finishCreation):
1042         * runtime/JSONObject.h:
1043         (JSC::JSONObject::create):
1044
1045 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
1046
1047         Removed the JITStackFrame struct
1048         https://bugs.webkit.org/show_bug.cgi?id=123001
1049
1050         Reviewed by Anders Carlsson.
1051
1052         * jit/JITStubs.h: JITStackFrame and JITStubArg are unused now, since all
1053         our helper functions obey the C function call ABI.
1054
1055 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
1056
1057         Removed an unused #define
1058         https://bugs.webkit.org/show_bug.cgi?id=123000
1059
1060         Reviewed by Anders Carlsson.
1061
1062         * jit/JITStubs.h: Removed the concept of JITSTACKFRAME_ARGS_INDEX,
1063         since it is unused now. This is a step toward using the C stack.
1064
1065 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
1066
1067         Eliminate uses of JITSTACKFRAME_ARGS_INDEX as scratch area for thunks
1068         https://bugs.webkit.org/show_bug.cgi?id=122973
1069
1070         Reviewed by Michael Saboff.
1071
1072         * jit/ThunkGenerators.cpp:
1073         (JSC::throwExceptionFromCallSlowPathGenerator): This was all dead code,
1074         so I removed it.
1075
1076         The code acted as if it needed to pass an argument to
1077         lookupExceptionHandler, and as if it passed that argument to itself
1078         through JITStackFrame. However, lookupExceptionHandler does not take
1079         an argument (other than the default ExecState argument), and the code
1080         did not initialize the thing that it thought it passed to itself!
1081
1082 2013-10-17  Alex Christensen  <achristensen@webkit.org>
1083
1084         Run JavaScriptCore tests again on Windows.
1085         https://bugs.webkit.org/show_bug.cgi?id=122787
1086
1087         Reviewed by Tim Horton.
1088
1089         * JavaScriptCore.vcxproj/JavaScriptCore.sln: Added.
1090         * jit/JITStubsMSVC64.asm: Removed reference to cti_vm_throw unused since r157581.
1091
1092 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
1093
1094         Removed restoreArgumentReference (another use of JITStackFrame)
1095         https://bugs.webkit.org/show_bug.cgi?id=122997
1096
1097         Reviewed by Oliver Hunt.
1098
1099         * jit/JSInterfaceJIT.h: Removed an unused function. This is a step
1100         toward using the C stack.
1101
1102 2013-10-17  Oliver Hunt  <oliver@apple.com>
1103
1104         Remove JITStubCall.h
1105         https://bugs.webkit.org/show_bug.cgi?id=122991
1106
1107         Reviewed by Geoff Garen.
1108
1109         Happily this is no longer used.
1110
1111         * GNUmakefile.list.am:
1112         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1113         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1114         * JavaScriptCore.xcodeproj/project.pbxproj:
1115         * jit/JIT.cpp:
1116         * jit/JITArithmetic.cpp:
1117         * jit/JITArithmetic32_64.cpp:
1118         * jit/JITCall.cpp:
1119         * jit/JITCall32_64.cpp:
1120         * jit/JITOpcodes.cpp:
1121         * jit/JITOpcodes32_64.cpp:
1122         * jit/JITPropertyAccess.cpp:
1123         * jit/JITPropertyAccess32_64.cpp:
1124         * jit/JITStubCall.h: Removed.
1125
1126 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
1127
1128         Removed a use of JITSTACKFRAME_ARGS_INDEX
1129         https://bugs.webkit.org/show_bug.cgi?id=122989
1130
1131         Reviewed by Oliver Hunt.
1132
1133         * jit/JITStubCall.h: Removed an unused function. This is one step closer
1134         to using the C stack.
1135
1136 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
1137
1138         Change emit_op_catch to use another method to materialize VM
1139         https://bugs.webkit.org/show_bug.cgi?id=122977
1140
1141         Reviewed by Oliver Hunt.
1142
1143         * jit/JITOpcodes.cpp:
1144         (JSC::JIT::emit_op_catch):
1145         * jit/JITOpcodes32_64.cpp:
1146         (JSC::JIT::emit_op_catch): Use a constant. It removes our dependency
1147         on JITStackFrame. It is also faster and simpler.
1148
1149 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
1150
1151         Eliminate emitGetJITStubArg() - dead code
1152         https://bugs.webkit.org/show_bug.cgi?id=122975
1153
1154         Reviewed by Anders Carlsson.
1155
1156         * jit/JIT.h:
1157         * jit/JITInlines.h: Removed unused, deprecated function.
1158
1159 2013-10-17  Mark Lam  <mark.lam@apple.com>
1160
1161         Eliminate all ASSERT references to OBJECT_OFFSETOF(struct JITStackFrame,...) in JITStubsXXX.h.
1162         https://bugs.webkit.org/show_bug.cgi?id=122979.
1163
1164         Reviewed by Michael Saboff.
1165
1166         * jit/JITStubs.cpp:
1167         * jit/JITStubs.h:
1168         * jit/JITStubsARM.h:
1169         * jit/JITStubsARM64.h:
1170         * jit/JITStubsARMv7.h:
1171         * jit/JITStubsMIPS.h:
1172         * jit/JITStubsSH4.h:
1173         * jit/JITStubsX86.h:
1174         * jit/JITStubsX86_64.h:
1175         * runtime/VM.cpp:
1176         (JSC::VM::VM):
1177
1178 2013-10-17  Michael Saboff  <msaboff@apple.com>
1179
1180         Remove saving callFrameRegister to JITStackFrame in JITCompiler::compileFunction()
1181         https://bugs.webkit.org/show_bug.cgi?id=122974
1182
1183         Reviewed by Geoffrey Garen.
1184
1185         Eliminated unneeded storing to JITStackFrame.
1186
1187         * dfg/DFGJITCompiler.cpp:
1188         (JSC::DFG::JITCompiler::compileFunction):
1189
1190 2013-10-17  Michael Saboff  <msaboff@apple.com>
1191
1192         Transition cti_op_throw and cti_vm_throw to a JIT operation
1193         https://bugs.webkit.org/show_bug.cgi?id=122931
1194
1195         Reviewed by Filip Pizlo.
1196
1197         Moved cti_op_throw to operationThrow.  Made the caller responsible for jumping to the
1198         catch handler.  Eliminated cti_op_throw_static_error, cti_vm_throw, ctiVMThrowTrampoline()
1199         and their callers as it is now dead code.  There is some work needed on the Microsoft X86
1200         callOperation to handle the need to provide space for the structure return value.
1201
1202         * jit/JIT.h:
1203         * jit/JITInlines.h:
1204         (JSC::JIT::callOperation):
1205         * jit/JITOpcodes.cpp:
1206         (JSC::JIT::emit_op_throw):
1207         * jit/JITOpcodes32_64.cpp:
1208         (JSC::JIT::emit_op_throw):
1209         (JSC::JIT::emit_op_catch):
1210         * jit/JITOperations.cpp:
1211         * jit/JITOperations.h:
1212         * jit/JITStubs.cpp:
1213         * jit/JITStubs.h:
1214         * jit/JITStubsARM.h:
1215         * jit/JITStubsARM64.h:
1216         * jit/JITStubsARMv7.h:
1217         * jit/JITStubsMIPS.h:
1218         * jit/JITStubsMSVC64.asm:
1219         * jit/JITStubsSH4.h:
1220         * jit/JITStubsX86.h:
1221         * jit/JITStubsX86_64.h:
1222         * jit/JSInterfaceJIT.h:
1223
1224 2013-10-17  Mark Lam  <mark.lam@apple.com>
1225
1226         Remove JITStackFrame references in the C Loop LLINT.
1227         https://bugs.webkit.org/show_bug.cgi?id=122950.
1228
1229         Reviewed by Michael Saboff.
1230
1231         * jit/JITStubs.h:
1232         * llint/LowLevelInterpreter.cpp:
1233         (JSC::CLoop::execute):
1234         * offlineasm/cloop.rb:
1235
1236 2013-10-17  Mark Lam  <mark.lam@apple.com>
1237
1238         Remove JITStackFrame references in JIT probes.
1239         https://bugs.webkit.org/show_bug.cgi?id=122947.
1240
1241         Reviewed by Michael Saboff.
1242
1243         * assembler/MacroAssemblerARM.cpp:
1244         (JSC::MacroAssemblerARM::ProbeContext::dump):
1245         * assembler/MacroAssemblerARM.h:
1246         * assembler/MacroAssemblerARMv7.cpp:
1247         (JSC::MacroAssemblerARMv7::ProbeContext::dump):
1248         * assembler/MacroAssemblerARMv7.h:
1249         * assembler/MacroAssemblerX86Common.cpp:
1250         (JSC::MacroAssemblerX86Common::ProbeContext::dump):
1251         * assembler/MacroAssemblerX86Common.h:
1252         * jit/JITStubsARM.h:
1253         * jit/JITStubsARMv7.h:
1254         * jit/JITStubsX86.h:
1255         * jit/JITStubsX86Common.h:
1256         * jit/JITStubsX86_64.h:
1257
1258 2013-10-17  Julien Brianceau  <jbriance@cisco.com>
1259
1260         Fix build when NUMBER_OF_ARGUMENT_REGISTERS == 4.
1261         https://bugs.webkit.org/show_bug.cgi?id=122949
1262
1263         Reviewed by Andreas Kling.
1264
1265         * jit/CCallHelpers.h:
1266         (JSC::CCallHelpers::setupArgumentsWithExecState):
1267
1268 2013-10-16  Mark Lam  <mark.lam@apple.com>
1269
1270         Transition remaining op_get* JITStubs to JIT operations.
1271         https://bugs.webkit.org/show_bug.cgi?id=122925.
1272
1273         Reviewed by Geoffrey Garen.
1274
1275         Transitioning:
1276             cti_op_get_by_id_generic
1277             cti_op_get_by_val
1278             cti_op_get_by_val_generic
1279             cti_op_get_by_val_string
1280
1281         * dfg/DFGOperations.cpp:
1282         * dfg/DFGOperations.h:
1283         * jit/JIT.h:
1284         * jit/JITInlines.h:
1285         (JSC::JIT::callOperation):
1286         * jit/JITOpcodes.cpp:
1287         (JSC::JIT::emitSlow_op_get_arguments_length):
1288         (JSC::JIT::emitSlow_op_get_argument_by_val):
1289         * jit/JITOpcodes32_64.cpp:
1290         (JSC::JIT::emitSlow_op_get_arguments_length):
1291         (JSC::JIT::emitSlow_op_get_argument_by_val):
1292         * jit/JITOperations.cpp:
1293         * jit/JITOperations.h:
1294         * jit/JITPropertyAccess.cpp:
1295         (JSC::JIT::emitSlow_op_get_by_val):
1296         (JSC::JIT::emitSlow_op_get_by_pname):
1297         (JSC::JIT::privateCompileGetByVal):
1298         * jit/JITPropertyAccess32_64.cpp:
1299         (JSC::JIT::emitSlow_op_get_by_val):
1300         (JSC::JIT::emitSlow_op_get_by_pname):
1301         * jit/JITStubs.cpp:
1302         * jit/JITStubs.h:
1303         * runtime/Executable.cpp:
1304         (JSC::setupLLInt): Added some UNUSED_PARAMs to fix the no LLINT build.
1305         * runtime/Options.cpp:
1306         (JSC::Options::initialize):
1307
1308 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
1309
1310         Introduce WTF::Bag and start using it for InlineCallFrameSet
1311         https://bugs.webkit.org/show_bug.cgi?id=122941
1312
1313         Reviewed by Geoffrey Garen.
1314         
1315         Use Bag for InlineCallFrameSet. If this works out then I'll make other
1316         SegmentedVectors into Bags as well.
1317
1318         * bytecode/InlineCallFrameSet.cpp:
1319         (JSC::InlineCallFrameSet::add):
1320         * bytecode/InlineCallFrameSet.h:
1321         (JSC::InlineCallFrameSet::begin):
1322         (JSC::InlineCallFrameSet::end):
1323         * dfg/DFGArgumentsSimplificationPhase.cpp:
1324         (JSC::DFG::ArgumentsSimplificationPhase::run):
1325         * dfg/DFGJITCompiler.cpp:
1326         (JSC::DFG::JITCompiler::link):
1327         * dfg/DFGStackLayoutPhase.cpp:
1328         (JSC::DFG::StackLayoutPhase::run):
1329         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
1330         (JSC::DFG::VirtualRegisterAllocationPhase::run):
1331
1332 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
1333
1334         libllvmForJSC shouldn't call exit(1) on report_fatal_error()
1335         https://bugs.webkit.org/show_bug.cgi?id=122905
1336         <rdar://problem/15237856>
1337
1338         Reviewed by Michael Saboff.
1339         
1340         Expose the new LLVMInstallFatalErrorHandler() API through the soft linking magic and
1341         then always call it to install something that calls CRASH().
1342
1343         * llvm/InitializeLLVM.cpp:
1344         (JSC::llvmCrash):
1345         (JSC::initializeLLVMOnce):
1346         (JSC::initializeLLVM):
1347         * llvm/LLVMAPIFunctions.h:
1348
1349 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
1350
1351         Prototype chain repatching in the polymorphic case fails to check if the receiver is a dictionary
1352         https://bugs.webkit.org/show_bug.cgi?id=122938
1353
1354         Reviewed by Sam Weinig.
1355         
1356         This fixes jsc-layout-tests.yaml/js/script-tests/dictionary-prototype-caching.js.layout-no-llint.
1357
1358         * jit/Repatch.cpp:
1359         (JSC::tryBuildGetByIDList):
1360
1361 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
1362
1363         JIT::appendCall() needs to killLastResultRegister() or equivalent since there's some really bad code that expects it
1364         https://bugs.webkit.org/show_bug.cgi?id=122937
1365
1366         Reviewed by Geoffrey Garen.
1367         
1368         JITStubCall used to do it.
1369         
1370         This makes mozilla-tests.yaml/ecma/Statements/12.10-1.js.mozilla-baseline pass.
1371
1372         * jit/JIT.h:
1373         (JSC::JIT::appendCall):
1374
1375 2013-10-16  Michael Saboff  <msaboff@apple.com>
1376
1377         transition void cti_op_put_by_val* stubs to JIT operations
1378         https://bugs.webkit.org/show_bug.cgi?id=122903
1379
1380         Reviewed by Geoffrey Garen.
1381
1382         Transitioned cti_op_put_by_val and cti_op_put_by_val_generic to operationPutByVal and
1383         operationPutByValGeneric.
1384
1385         * jit/CCallHelpers.h:
1386         (JSC::CCallHelpers::setupArgumentsWithExecState):
1387         * jit/JIT.h:
1388         * jit/JITInlines.h:
1389         (JSC::JIT::callOperation):
1390         * jit/JITOperations.cpp:
1391         * jit/JITOperations.h:
1392         * jit/JITPropertyAccess.cpp:
1393         (JSC::JIT::emitSlow_op_put_by_val):
1394         (JSC::JIT::privateCompilePutByVal):
1395         * jit/JITPropertyAccess32_64.cpp:
1396         (JSC::JIT::emitSlow_op_put_by_val):
1397         * jit/JITStubs.cpp:
1398         * jit/JITStubs.h:
1399         * jit/JSInterfaceJIT.h:
1400
1401 2013-10-16  Oliver Hunt  <oliver@apple.com>
1402
1403         Implement ES6 spread operator
1404         https://bugs.webkit.org/show_bug.cgi?id=122911
1405
1406         Reviewed by Michael Saboff.
1407
1408         Implement the ES6 spread operator
1409
1410         This has a little bit of refactoring to move the enumeration logic out of ForOfNode
1411         and into BytecodeGenerator, and then adds the logic to make it nicely callback
1412         driven.
1413
1414         The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
1415         and actually handling the spread.
1416
1417         * bytecompiler/BytecodeGenerator.cpp:
1418         (JSC::BytecodeGenerator::emitNewArray):
1419         (JSC::BytecodeGenerator::emitCall):
1420         (JSC::BytecodeGenerator::emitEnumeration):
1421         * bytecompiler/BytecodeGenerator.h:
1422         * bytecompiler/NodesCodegen.cpp:
1423         (JSC::ArrayNode::emitBytecode):
1424         (JSC::ForOfNode::emitBytecode):
1425         (JSC::SpreadExpressionNode::emitBytecode):
1426         * parser/ASTBuilder.h:
1427         (JSC::ASTBuilder::createSpreadExpression):
1428         * parser/Lexer.cpp:
1429         (JSC::::lex):
1430         * parser/NodeConstructors.h:
1431         (JSC::SpreadExpressionNode::SpreadExpressionNode):
1432         * parser/Nodes.h:
1433         (JSC::ExpressionNode::isSpreadExpression):
1434         (JSC::SpreadExpressionNode::expression):
1435         * parser/Parser.cpp:
1436         (JSC::::parseArrayLiteral):
1437         (JSC::::parseArguments):
1438         (JSC::::parseMemberExpression):
1439         * parser/Parser.h:
1440         (JSC::Parser::getTokenName):
1441         (JSC::Parser::updateErrorMessageSpecialCase):
1442         * parser/ParserTokens.h:
1443         * parser/SyntaxChecker.h:
1444         (JSC::SyntaxChecker::createSpreadExpression):
1445
1446 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
1447
1448         Add a useLLInt option to jsc
1449         https://bugs.webkit.org/show_bug.cgi?id=122930
1450
1451         Reviewed by Geoffrey Garen.
1452
1453         * runtime/Executable.cpp:
1454         (JSC::setupLLInt):
1455         (JSC::setupJIT):
1456         (JSC::ScriptExecutable::prepareForExecutionImpl):
1457         * runtime/Options.h:
1458
1459 2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>
1460
1461         Build fix.
1462
1463         Forgot to svn add DeferGC.cpp
1464
1465         * heap/DeferGC.cpp: Added.
1466
1467 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
1468
1469         r157411 fails run-javascriptcore-tests when run with Baseline JIT
1470         https://bugs.webkit.org/show_bug.cgi?id=122902
1471
1472         Reviewed by Mark Hahnenberg.
1473         
1474         It turns out that this was a long-standing bug in the DFG PutById repatching logic. It's
1475         not legal to patch if the typeInfo tells you that you can't patch. The old JIT's patching
1476         logic did this right, and the DFG's GetById patching logic did it right; but DFG PutById
1477         didn't. Turns out that there's even a helpful method,
1478         Structure::propertyAccessesAreCacheable(), that will even do all of the checks for you!
1479
1480         * jit/Repatch.cpp:
1481         (JSC::tryCachePutByID):
1482
1483 2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>
1484
1485         llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
1486         https://bugs.webkit.org/show_bug.cgi?id=122667
1487
1488         Reviewed by Geoffrey Garen.
1489
1490         The issue this patch is attempting to fix is that there are places in our codebase
1491         where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
1492         operations that can initiate a garbage collection. Garbage collection then calls 
1493         some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
1494         always necessarily run during garbage collection). This causes a deadlock.
1495  
1496         To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores 
1497         into a thread-local field that indicates that it is unsafe to perform any operation 
1498         that could trigger garbage collection on the current thread. In debug builds, 
1499         ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly 
1500         detect deadlocks.
1501  
1502         This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
1503         which uses the DeferGC mechanism to prevent collections from occurring while the 
1504         lock is held.
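A self-contained model of the deadlock and of the two lockers this entry describes, plus the DeferGC caveat from this entry's runtime/Structure.cpp note. This is an added example, not the patch's code: Heap, DisallowGC, DeferGC and the two locker types are hypothetical re-creations of the pattern, and the thread-local counters stand in for the thread-local field the entry mentions.

```cpp
#include <cstdio>
#include <mutex>

// Thread-local counters, hypothetical stand-ins for the thread-local state the entry describes.
thread_local int gcDisallowDepth = 0;   // > 0: triggering a collection on this thread is a bug
thread_local int gcDeferDepth = 0;      // > 0: collections are postponed, not run

struct Heap {
    std::mutex concurrentJITLock;       // the lock that CodeBlock methods take
    int collections = 0;
    bool collectionPending = false;

    // The collector calls back into CodeBlock, which takes the same lock. With a
    // non-recursive mutex this is the deadlock if the caller still holds the lock.
    void collect() {
        std::lock_guard<std::mutex> locker(concurrentJITLock);
        ++collections;
    }

    // Allocation may trigger a collection. Returns false when the caller is inside a
    // DisallowGC scope (JSC would ASSERT here in debug builds) instead of deadlocking.
    bool allocateCell() {
        if (gcDisallowDepth > 0)
            return false;               // eager deadlock detection
        if (gcDeferDepth > 0) {
            collectionPending = true;   // DeferGC: run it when the outermost scope ends
            return true;
        }
        collect();
        return true;
    }
};

// RAII: while alive, anything that could collect on this thread is a bug.
struct DisallowGC {
    DisallowGC() { ++gcDisallowDepth; }
    ~DisallowGC() { --gcDisallowDepth; }
    static bool isGCDisallowedOnCurrentThread() { return gcDisallowDepth > 0; }
};

// RAII: collections are postponed until the outermost DeferGC goes out of scope.
struct DeferGC {
    Heap& heap;
    explicit DeferGC(Heap& h) : heap(h) { ++gcDeferDepth; }
    ~DeferGC() {
        if (--gcDeferDepth == 0 && heap.collectionPending) {
            heap.collectionPending = false;
            heap.collect();             // nobody holds the lock by now, so this is safe
        }
    }
};

// Plain locker: as in a debug build, it carries a DisallowGC so an allocation
// under the lock is reported rather than deadlocking.
struct ConcurrentJITLocker {
    std::lock_guard<std::mutex> lock;
    DisallowGC disallow;
    explicit ConcurrentJITLocker(Heap& heap) : lock(heap.concurrentJITLock) {}
};

// GC-safe locker: defers collection for as long as the lock is held. Members are
// destroyed in reverse order, so the lock is released before DeferGC may collect.
struct GCSafeConcurrentJITLocker {
    DeferGC defer;
    std::lock_guard<std::mutex> lock;
    explicit GCSafeConcurrentJITLocker(Heap& heap) : defer(heap), lock(heap.concurrentJITLock) {}
};

// The bug: allocating while holding the plain lock. Returns true if it was caught.
bool plainLockCatchesAllocation(Heap& heap) {
    ConcurrentJITLocker locker(heap);
    return !heap.allocateCell();
}

// Locks, allocates, unlocks; returns how many collections have run at that point.
int lockAllocateUnlock(Heap& heap) {
    {
        GCSafeConcurrentJITLocker locker(heap);
        if (!heap.allocateCell() || heap.collections != 0)
            return -1;                  // a collection must not run while the lock is held
    }
    return heap.collections;
}

// The materializePropertyMap caveat: without an outer DeferGC the deferred collection
// runs as soon as the locker dies, before the caller uses what it built (returns 1);
// when the caller holds its own DeferGC the collection stays pending (returns 0).
int collectionsBeforeCallerUsesResult(Heap& heap, bool callerDefersGC) {
    if (!callerDefersGC)
        return lockAllocateUnlock(heap);
    DeferGC outer(heap);
    return lockAllocateUnlock(heap);
}

int main() {
    Heap a, b, c;
    std::printf("plain lock caught allocation: %d\n", plainLockCatchesAllocation(a));
    std::printf("collections before caller used result: %d (no outer DeferGC), %d (with it)\n",
                collectionsBeforeCallerUsesResult(b, false), collectionsBeforeCallerUsesResult(c, true));
    return 0;
}
```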
1505
1506         * CMakeLists.txt:
1507         * GNUmakefile.list.am:
1508         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1509         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1510         * JavaScriptCore.xcodeproj/project.pbxproj:
1511         * heap/DeferGC.h:
1512         (JSC::DisallowGC::DisallowGC):
1513         (JSC::DisallowGC::~DisallowGC):
1514         (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
1515         (JSC::DisallowGC::initialize):
1516         * jit/Repatch.cpp:
1517         (JSC::repatchPutByID):
1518         (JSC::buildPutByIdList):
1519         * llint/LLIntSlowPaths.cpp:
1520         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1521         * runtime/ConcurrentJITLock.h:
1522         (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
1523         (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
1524         (JSC::ConcurrentJITLockerBase::unlockEarly):
1525         (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
1526         (JSC::GCSafeConcurrentJITLocker::~GCSafeConcurrentJITLocker):
1527         (JSC::GCSafeConcurrentJITLocker::NoDefer::NoDefer):
1528         (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
1529         * runtime/InitializeThreading.cpp:
1530         (JSC::initializeThreadingOnce):
1531         * runtime/JSCellInlines.h:
1532         (JSC::allocateCell):
1533         * runtime/JSSymbolTableObject.h:
1534         (JSC::symbolTablePut):
1535         * runtime/Structure.cpp: materializePropertyMapIfNecessary* now has a problem in that it
1536         can start a garbage collection when the GCSafeConcurrentJITLocker goes out of scope, but 
1537         before the caller has a chance to use the newly created PropertyTable. The garbage collection
1538         clears the PropertyTable, and then the caller uses it assuming it's valid. To avoid this,
1539         we must DeferGC until the caller is done getting the newly materialized PropertyTable from 
1540         the Structure.
1541         (JSC::Structure::materializePropertyMap):
1542         (JSC::Structure::despecifyDictionaryFunction):
1543         (JSC::Structure::changePrototypeTransition):
1544         (JSC::Structure::despecifyFunctionTransition):
1545         (JSC::Structure::attributeChangeTransition):
1546         (JSC::Structure::toDictionaryTransition):
1547         (JSC::Structure::preventExtensionsTransition):
1548         (JSC::Structure::takePropertyTableOrCloneIfPinned):
1549         (JSC::Structure::isSealed):
1550         (JSC::Structure::isFrozen):
1551         (JSC::Structure::addPropertyWithoutTransition):
1552         (JSC::Structure::removePropertyWithoutTransition):
1553         (JSC::Structure::get):
1554         (JSC::Structure::despecifyFunction):
1555         (JSC::Structure::despecifyAllFunctions):
1556         (JSC::Structure::putSpecificValue):
1557         (JSC::Structure::createPropertyMap):
1558         (JSC::Structure::getPropertyNamesFromStructure):
1559         * runtime/Structure.h:
1560         (JSC::Structure::materializePropertyMapIfNecessary):
1561         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
1562         * runtime/StructureInlines.h:
1563         (JSC::Structure::get):
1564         * runtime/SymbolTable.h:
1565         (JSC::SymbolTable::find):
1566         (JSC::SymbolTable::end):
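
One way to see the deadlock detection and deferral this entry describes, as an added example that is not JavaScriptCore's code: a hypothetical C++ reconstruction in which Heap, CodeBlock, the lock and the allocation threshold are stand-ins, the plain ConcurrentJITLocker's DisallowGC catches an allocation-triggered collection under the lock, and GCSafeConcurrentJITLocker defers the collection until after unlock.

```cpp
// Added illustration of the DisallowGC / DeferGC pattern from the entry above. Hypothetical
// reconstruction, not JavaScriptCore's code: heap, CodeBlock, lock and threshold are stand-ins.
#include <mutex>
#include <stdexcept>
// Thread-local bookkeeping; JSC keeps a comparable flag in a thread-local field.
static thread_local int g_gcDisallowDepth = 0;  // > 0: a GC on this thread is a bug
static thread_local int g_gcDeferDepth = 0;     // > 0: GC is postponed, not forbidden

// RAII marker: while one is alive, any collection attempt on this thread is reported.
class DisallowGC {
public:
    DisallowGC() { ++g_gcDisallowDepth; }
    ~DisallowGC() { --g_gcDisallowDepth; }
    static bool isGCDisallowedOnCurrentThread() { return g_gcDisallowDepth > 0; }
};

// jitLock stands in for the ConcurrentJITLock; visitedByGC counts collections.
struct CodeBlock { std::mutex jitLock; int visitedByGC = 0; };

class Heap {
public:
    static const int kThreshold = 4;  // allocations per collection (constructed value)
    explicit Heap(CodeBlock& block) : m_block(block) {}
    // Allocation may trigger a collection: exactly the hazard the entry describes.
    void allocateCell() { if (++m_allocationsSinceGC >= kThreshold) collectIfNecessary(); }
    void collectIfPending() { if (m_collectionPending) collect(); }
    void collectIfNecessary() {
        if (g_gcDeferDepth > 0) { m_collectionPending = true; return; }  // DeferGC active
        collect();
    }
private:
    // Debug-build check: collecting under a DisallowGC is the deadlock in waiting.
    void collect() {
        if (DisallowGC::isGCDisallowedOnCurrentThread())
            throw std::logic_error("GC attempted while disallowed on this thread");
        // The real collector locks the CodeBlock here; a thread already holding a
        // non-recursive lock would deadlock, which is why the check above fires first.
        std::lock_guard<std::mutex> guard(m_block.jitLock);
        ++m_block.visitedByGC;
        m_collectionPending = false;
        m_allocationsSinceGC = 0;
    }
    CodeBlock& m_block;
    int m_allocationsSinceGC = 0;
    bool m_collectionPending = false;
};

// RAII deferral: collections requested while alive run when the last DeferGC dies.
class DeferGC {
public:
    explicit DeferGC(Heap& heap) : m_heap(heap) { ++g_gcDeferDepth; }
    ~DeferGC() { if (--g_gcDeferDepth == 0) m_heap.collectIfPending(); }
private:
    Heap& m_heap;
};

// Plain locker (debug flavour): lock plus DisallowGC, so a GC under it is caught eagerly.
class ConcurrentJITLocker {
public:
    explicit ConcurrentJITLocker(CodeBlock& block) : m_guard(block.jitLock) {}
private:
    std::lock_guard<std::mutex> m_guard;
    DisallowGC m_disallowGC;
};

// GC-safe locker: lock plus DeferGC. Members die in reverse declaration order, so the
// lock is released before the deferral ends and the pending collection runs unlocked.
class GCSafeConcurrentJITLocker {
public:
    GCSafeConcurrentJITLocker(CodeBlock& block, Heap& heap)
        : m_deferGC(heap), m_guard(block.jitLock) {}
private:
    DeferGC m_deferGC;                    // declared first, destroyed last
    std::lock_guard<std::mutex> m_guard;  // destroyed first: unlock, then GC
};

// Allocate under the plain locker; returns true when the debug check fires.
bool allocationUnderPlainLockerIsCaught() {
    CodeBlock block; Heap heap(block);
    try {
        ConcurrentJITLocker locker(block);
        for (int i = 0; i < Heap::kThreshold; ++i) heap.allocateCell();
    } catch (const std::logic_error&) {
        return true;
    }
    return false;
}

// Same work under the GC-safe locker; counts collections while locked and after unlock.
struct Outcome { int whileLocked; int afterUnlock; };
Outcome allocationUnderGCSafeLocker() {
    CodeBlock block; Heap heap(block);
    int whileLocked = 0;
    {
        GCSafeConcurrentJITLocker locker(block, heap);
        for (int i = 0; i < Heap::kThreshold; ++i) heap.allocateCell();
        whileLocked = block.visitedByGC;  // still 0: the collection was deferred
    }
    return Outcome{whileLocked, block.visitedByGC - whileLocked};
}
```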
1567
1568 2013-10-16  Daniel Bates  <dabates@apple.com>
1569
1570         Add SPI to disable the garbage collector timer
1571         https://bugs.webkit.org/show_bug.cgi?id=122921
1572
1573         Reviewed by Geoffrey Garen.
1574
1575         Based on a patch by Mark Hahnenberg.
1576
1577         * API/JSBase.cpp:
1578         (JSDisableGCTimer): Added; SPI function.
1579         * API/JSBasePrivate.h:
1580         * heap/BlockAllocator.cpp:
1581         (JSC::createBlockFreeingThread): Added.
1582         (JSC::BlockAllocator::BlockAllocator): Modified to use JSC::createBlockFreeingThread()
1583         to conditionally create the "block freeing" thread depending on the value of
1584         GCActivityCallback::s_shouldCreateGCTimer.
1585         (JSC::BlockAllocator::~BlockAllocator):
1586         * heap/BlockAllocator.h:
1587         (JSC::BlockAllocator::deallocate):
1588         * heap/Heap.cpp:
1589         (JSC::Heap::didAbandon):
1590         (JSC::Heap::collect):
1591         (JSC::Heap::didAllocate):
1592         * heap/HeapTimer.cpp:
1593         (JSC::HeapTimer::timerDidFire):
1594         * runtime/GCActivityCallback.cpp:
1595         * runtime/GCActivityCallback.h:
1596         (JSC::DefaultGCActivityCallback::create): Only instantiate a DefaultGCActivityCallback object
1597         when GCActivityCallback::s_shouldCreateGCTimer is true so as to prevent allocating a HeapTimer
1598         object (since DefaultGCActivityCallback ultimately extends HeapTimer).
1599
1600 2013-10-16  Commit Queue  <commit-queue@webkit.org>
1601
1602         Unreviewed, rolling out r157529.
1603         http://trac.webkit.org/changeset/157529
1604         https://bugs.webkit.org/show_bug.cgi?id=122919
1605
1606         Caused score test failures and some build failures. (Requested
1607         by rfong on #webkit).
1608
1609         * bytecompiler/BytecodeGenerator.cpp:
1610         (JSC::BytecodeGenerator::emitNewArray):
1611         (JSC::BytecodeGenerator::emitCall):
1612         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
1613         * bytecompiler/BytecodeGenerator.h:
1614         * bytecompiler/NodesCodegen.cpp:
1615         (JSC::ArrayNode::emitBytecode):
1616         (JSC::CallArguments::CallArguments):
1617         (JSC::ForOfNode::emitBytecode):
1618         (JSC::BindingNode::collectBoundIdentifiers):
1619         * parser/ASTBuilder.h:
1620         * parser/Lexer.cpp:
1621         (JSC::::lex):
1622         * parser/NodeConstructors.h:
1623         (JSC::DotAccessorNode::DotAccessorNode):
1624         * parser/Nodes.h:
1625         * parser/Parser.cpp:
1626         (JSC::::parseArrayLiteral):
1627         (JSC::::parseArguments):
1628         (JSC::::parseMemberExpression):
1629         * parser/Parser.h:
1630         (JSC::Parser::getTokenName):
1631         (JSC::Parser::updateErrorMessageSpecialCase):
1632         * parser/ParserTokens.h:
1633         * parser/SyntaxChecker.h:
1634
1635 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
1636
1637         Remove useless architecture specific implementation in DFG.
1638         https://bugs.webkit.org/show_bug.cgi?id=122917.
1639
1640         Reviewed by Michael Saboff.
1641
1642         With CPU(ARM) && CPU(ARM_HARDFP) architecture, the fallback implementation is fine
1643         as FPRInfo::argumentFPR0 == FPRInfo::returnValueFPR in this case.
1644
1645         * dfg/DFGSpeculativeJIT.h:
1646
1647 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
1648
1649         Remove unused JIT::restoreArgumentReferenceForTrampoline function.
1650         https://bugs.webkit.org/show_bug.cgi?id=122916.
1651
1652         Reviewed by Michael Saboff.
1653
1654         This architecture specific function is not used anymore, so get rid of it.
1655
1656         * jit/JIT.h:
1657         * jit/JITInlines.h:
1658
1659 2013-10-16  Oliver Hunt  <oliver@apple.com>
1660
1661         Implement ES6 spread operator
1662         https://bugs.webkit.org/show_bug.cgi?id=122911
1663
1664         Reviewed by Michael Saboff.
1665
1666         Implement the ES6 spread operator
1667
1668         This has a little bit of refactoring to move the enumeration logic out of ForOfNode
1669         and into BytecodeGenerator, and then adds the logic to make it nicely callback
1670         driven.
1671
1672         The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
1673         and actually handling the spread.
1674
1675         * bytecompiler/BytecodeGenerator.cpp:
1676         (JSC::BytecodeGenerator::emitNewArray):
1677         (JSC::BytecodeGenerator::emitCall):
1678         (JSC::BytecodeGenerator::emitEnumeration):
1679         * bytecompiler/BytecodeGenerator.h:
1680         * bytecompiler/NodesCodegen.cpp:
1681         (JSC::ArrayNode::emitBytecode):
1682         (JSC::ForOfNode::emitBytecode):
1683         (JSC::SpreadExpressionNode::emitBytecode):
1684         * parser/ASTBuilder.h:
1685         (JSC::ASTBuilder::createSpreadExpression):
1686         * parser/Lexer.cpp:
1687         (JSC::::lex):
1688         * parser/NodeConstructors.h:
1689         (JSC::SpreadExpressionNode::SpreadExpressionNode):
1690         * parser/Nodes.h:
1691         (JSC::ExpressionNode::isSpreadExpression):
1692         (JSC::SpreadExpressionNode::expression):
1693         * parser/Parser.cpp:
1694         (JSC::::parseArrayLiteral):
1695         (JSC::::parseArguments):
1696         (JSC::::parseMemberExpression):
1697         * parser/Parser.h:
1698         (JSC::Parser::getTokenName):
1699         (JSC::Parser::updateErrorMessageSpecialCase):
1700         * parser/ParserTokens.h:
1701         * parser/SyntaxChecker.h:
1702         (JSC::SyntaxChecker::createSpreadExpression):
1703
1704 2013-10-16  Mark Lam  <mark.lam@apple.com>
1705
1706         Transition void cti_op_tear_off* methods to JIT operations for 32 bit.
1707         https://bugs.webkit.org/show_bug.cgi?id=122899.
1708
1709         Reviewed by Michael Saboff.
1710
1711         * jit/JITOpcodes32_64.cpp:
1712         (JSC::JIT::emit_op_tear_off_activation):
1713         (JSC::JIT::emit_op_tear_off_arguments):
1714         * jit/JITStubs.cpp:
1715         * jit/JITStubs.h:
1716
1717 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
1718
1719         Remove more of the UNINTERRUPTED_SEQUENCE thing
1720         https://bugs.webkit.org/show_bug.cgi?id=122885
1721
1722         Reviewed by Andreas Kling.
1723
1724         It was not completely removed by r157481, leading to build failure for sh4 architecture.
1725
1726         * jit/JIT.h:
1727         * jit/JITInlines.h:
1728
1729 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
1730
1731         Get rid of the StructureStubInfo::patch union
1732         https://bugs.webkit.org/show_bug.cgi?id=122877
1733
1734         Reviewed by Sam Weinig.
1735         
1736         Just simplifying code by getting rid of data structures that ain't used no more.
1737         
1738         Note that I replace the patch union with a patch struct. This means we say things like
1739         stubInfo.patch.valueGPR instead of stubInfo.valueGPR. I think that this extra
1740         encapsulation makes the code more readable: the patch struct contains just those things
1741         that you need to know to perform patching.
1742
1743         * bytecode/StructureStubInfo.h:
1744         * dfg/DFGJITCompiler.cpp:
1745         (JSC::DFG::JITCompiler::link):
1746         * jit/JIT.cpp:
1747         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
1748         * jit/Repatch.cpp:
1749         (JSC::repatchByIdSelfAccess):
1750         (JSC::replaceWithJump):
1751         (JSC::linkRestoreScratch):
1752         (JSC::generateProtoChainAccessStub):
1753         (JSC::tryCacheGetByID):
1754         (JSC::getPolymorphicStructureList):
1755         (JSC::patchJumpToGetByIdStub):
1756         (JSC::tryBuildGetByIDList):
1757         (JSC::emitPutReplaceStub):
1758         (JSC::emitPutTransitionStub):
1759         (JSC::tryCachePutByID):
1760         (JSC::tryBuildPutByIdList):
1761         (JSC::tryRepatchIn):
1762         (JSC::resetGetByID):
1763         (JSC::resetPutByID):
1764         (JSC::resetIn):
1765
1766 2013-10-15  Nadav Rotem  <nrotem@apple.com>
1767
1768         FTL: add support for Int52ToValue and fix putByVal of int52s.
1769         https://bugs.webkit.org/show_bug.cgi?id=122873
1770
1771         Reviewed by Filip Pizlo.
1772
1773         * ftl/FTLCapabilities.cpp:
1774         (JSC::FTL::canCompile):
1775         * ftl/FTLLowerDFGToLLVM.cpp:
1776         (JSC::FTL::LowerDFGToLLVM::compileNode):
1777         (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue):
1778         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
1779
1780 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
1781
1782         Get rid of the UNINTERRUPTED_SEQUENCE thing
1783         https://bugs.webkit.org/show_bug.cgi?id=122876
1784
1785         Reviewed by Mark Hahnenberg.
1786         
1787         It doesn't make sense anymore. We now use the DFG's IC logic, which never needed that.
1788         
1789         Moreover, we should resist the temptation to bring anything like this back. We don't
1790         want to have inline caches that only work if the assembler lays out code in a specific
1791         predetermined way.
1792
1793         * jit/JIT.h:
1794         * jit/JITCall.cpp:
1795         (JSC::JIT::compileOpCall):
1796         * jit/JITCall32_64.cpp:
1797         (JSC::JIT::compileOpCall):
1798
1799 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
1800
1801         Baseline JIT should use the DFG GetById IC
1802         https://bugs.webkit.org/show_bug.cgi?id=122861
1803
1804         Reviewed by Oliver Hunt.
1805         
1806         This mostly just kills a ton of code.
1807         
1808         Note that this doesn't yet do all of the simplifications that can be done, but it does
1809         kill dead code. I'll have another change to simplify StructureStubInfo's unions and such.
1810
1811         * bytecode/CodeBlock.cpp:
1812         (JSC::CodeBlock::resetStubInternal):
1813         * jit/JIT.cpp:
1814         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
1815         * jit/JIT.h:
1816         (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
1817         * jit/JITInlines.h:
1818         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
1819         (JSC::JIT::callOperation):
1820         * jit/JITPropertyAccess.cpp:
1821         (JSC::JIT::compileGetByIdHotPath):
1822         (JSC::JIT::emitSlow_op_get_by_id):
1823         (JSC::JIT::emitSlow_op_get_from_scope):
1824         * jit/JITPropertyAccess32_64.cpp:
1825         (JSC::JIT::compileGetByIdHotPath):
1826         (JSC::JIT::emitSlow_op_get_by_id):
1827         (JSC::JIT::emitSlow_op_get_from_scope):
1828         * jit/JITStubs.cpp:
1829         * jit/JITStubs.h:
1830         * jit/Repatch.cpp:
1831         (JSC::repatchGetByID):
1832         (JSC::buildGetByIDList):
1833         * jit/ThunkGenerators.cpp:
1834         * jit/ThunkGenerators.h:
1835
1836 2013-10-15  Dean Jackson  <dino@apple.com>
1837
1838         Add ENABLE_WEB_ANIMATIONS flag
1839         https://bugs.webkit.org/show_bug.cgi?id=122871
1840
1841         Reviewed by Tim Horton.
1842
1843         Eventually might be http://dev.w3.org/fxtf/web-animations/
1844         but this is just engine-internal work at the moment.
1845
1846         * Configurations/FeatureDefines.xcconfig:
1847
1848 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
1849
1850         [sh4] Some calls don't match sh4 ABI.
1851         https://bugs.webkit.org/show_bug.cgi?id=122863
1852
1853         Reviewed by Michael Saboff.
1854
1855         * dfg/DFGSpeculativeJIT.h:
1856         (JSC::DFG::SpeculativeJIT::callOperation):
1857         * jit/CCallHelpers.h:
1858         (JSC::CCallHelpers::setupArgumentsWithExecState):
1859         * jit/JITInlines.h:
1860         (JSC::JIT::callOperation):
1861
1862 2013-10-15  Daniel Bates  <dabates@apple.com>
1863
1864         [iOS] Upstream JavaScriptCore support for ARM64
1865         https://bugs.webkit.org/show_bug.cgi?id=122762
1866
1867         Reviewed by Oliver Hunt and Filip Pizlo.
1868
1869         * Configurations/Base.xcconfig:
1870         * Configurations/DebugRelease.xcconfig:
1871         * Configurations/JavaScriptCore.xcconfig:
1872         * Configurations/ToolExecutable.xcconfig:
1873         * JavaScriptCore.xcodeproj/project.pbxproj:
1874         * assembler/ARM64Assembler.h: Added.
1875         * assembler/AbstractMacroAssembler.h:
1876         (JSC::isARM64):
1877         (JSC::AbstractMacroAssembler::Label::Label):
1878         (JSC::AbstractMacroAssembler::Jump::Jump):
1879         (JSC::AbstractMacroAssembler::Jump::link):
1880         (JSC::AbstractMacroAssembler::Jump::linkTo):
1881         (JSC::AbstractMacroAssembler::CachedTempRegister::CachedTempRegister):
1882         (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDInvalidate):
1883         (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDNoInvalidate):
1884         (JSC::AbstractMacroAssembler::CachedTempRegister::value):
1885         (JSC::AbstractMacroAssembler::CachedTempRegister::setValue):
1886         (JSC::AbstractMacroAssembler::CachedTempRegister::invalidate):
1887         (JSC::AbstractMacroAssembler::invalidateAllTempRegisters):
1888         (JSC::AbstractMacroAssembler::isTempRegisterValid):
1889         (JSC::AbstractMacroAssembler::clearTempRegisterValid):
1890         (JSC::AbstractMacroAssembler::setTempRegisterValid):
1891         * assembler/LinkBuffer.cpp:
1892         (JSC::LinkBuffer::copyCompactAndLinkCode):
1893         (JSC::LinkBuffer::linkCode):
1894         * assembler/LinkBuffer.h:
1895         * assembler/MacroAssembler.h:
1896         (JSC::MacroAssembler::isPtrAlignedAddressOffset):
1897         (JSC::MacroAssembler::pushToSave):
1898         (JSC::MacroAssembler::popToRestore):
1899         (JSC::MacroAssembler::patchableBranchTest32):
1900         * assembler/MacroAssemblerARM64.h: Added.
1901         * assembler/MacroAssemblerARMv7.h:
1902         * dfg/DFGFixupPhase.cpp:
1903         (JSC::DFG::FixupPhase::fixupNode):
1904         * dfg/DFGOSRExitCompiler32_64.cpp:
1905         (JSC::DFG::OSRExitCompiler::compileExit):
1906         * dfg/DFGOSRExitCompiler64.cpp:
1907         (JSC::DFG::OSRExitCompiler::compileExit):
1908         * dfg/DFGSpeculativeJIT.cpp:
1909         (JSC::DFG::SpeculativeJIT::compileArithDiv):
1910         (JSC::DFG::SpeculativeJIT::compileArithMod):
1911         * disassembler/ARM64/A64DOpcode.cpp: Added.
1912         * disassembler/ARM64/A64DOpcode.h: Added.
1913         * disassembler/ARM64Disassembler.cpp: Added.
1914         * heap/MachineStackMarker.cpp:
1915         (JSC::getPlatformThreadRegisters):
1916         (JSC::otherThreadStackPointer):
1917         * heap/Region.h:
1918         * jit/AssemblyHelpers.h:
1919         (JSC::AssemblyHelpers::debugCall):
1920         * jit/CCallHelpers.h:
1921         * jit/ExecutableAllocator.h:
1922         * jit/FPRInfo.h:
1923         (JSC::FPRInfo::toRegister):
1924         (JSC::FPRInfo::toIndex):
1925         (JSC::FPRInfo::debugName):
1926         * jit/GPRInfo.h:
1927         (JSC::GPRInfo::toRegister):
1928         (JSC::GPRInfo::toIndex):
1929         (JSC::GPRInfo::debugName):
1930         * jit/JITInlines.h:
1931         (JSC::JIT::restoreArgumentReferenceForTrampoline):
1932         * jit/JITOperationWrappers.h:
1933         * jit/JITOperations.cpp:
1934         * jit/JITStubs.cpp:
1935         (JSC::performPlatformSpecificJITAssertions):
1936         (JSC::tryCachePutByID):
1937         * jit/JITStubs.h:
1938         (JSC::JITStackFrame::returnAddressSlot):
1939         * jit/JITStubsARM64.h: Added.
1940         * jit/JSInterfaceJIT.h:
1941         * jit/Repatch.cpp:
1942         (JSC::emitRestoreScratch):
1943         (JSC::generateProtoChainAccessStub):
1944         (JSC::tryCacheGetByID):
1945         (JSC::emitPutReplaceStub):
1946         (JSC::tryCachePutByID):
1947         (JSC::tryRepatchIn):
1948         * jit/ScratchRegisterAllocator.h:
1949         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
1950         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
1951         * jit/ThunkGenerators.cpp:
1952         (JSC::nativeForGenerator):
1953         (JSC::floorThunkGenerator):
1954         (JSC::ceilThunkGenerator):
1955         * jsc.cpp:
1956         (main):
1957         * llint/LLIntOfflineAsmConfig.h:
1958         * llint/LLIntSlowPaths.cpp:
1959         (JSC::LLInt::handleHostCall):
1960         * llint/LowLevelInterpreter.asm:
1961         * llint/LowLevelInterpreter64.asm:
1962         * offlineasm/arm.rb:
1963         * offlineasm/arm64.rb: Added.
1964         * offlineasm/backends.rb:
1965         * offlineasm/instructions.rb:
1966         * offlineasm/risc.rb:
1967         * offlineasm/transform.rb:
1968         * yarr/YarrJIT.cpp:
1969         (JSC::Yarr::YarrGenerator::alignCallFrameSizeInBytes):
1970         (JSC::Yarr::YarrGenerator::initCallFrame):
1971         (JSC::Yarr::YarrGenerator::removeCallFrame):
1972         (JSC::Yarr::YarrGenerator::generateEnter):
1973         * yarr/YarrJIT.h:
1974
1975 2013-10-15  Mark Lam  <mark.lam@apple.com>
1976
1977         Fix 3 operand sub operation in C loop LLINT.
1978         https://bugs.webkit.org/show_bug.cgi?id=122866.
1979
1980         Reviewed by Geoffrey Garen.
1981
1982         * offlineasm/cloop.rb:
1983
1984 2013-10-15  Mark Hahnenberg  <mhahnenberg@apple.com>
1985
1986         ObjCCallbackFunctionImpl shouldn't store a JSContext
1987         https://bugs.webkit.org/show_bug.cgi?id=122531
1988
1989         Reviewed by Geoffrey Garen.
1990
1991         The m_context field in ObjCCallbackFunctionImpl is vestigial and is only incidentally correct 
1992         in the common case. It's also no longer necessary in that we can look up the current JSContext 
1993         by using the globalObject of the callee when the function callback is invoked.
1994  
1995         Also added a new test that would cause us to crash previously. The test required making 
1996         JSContextGetGlobalContext public API so that clients can obtain a JSContext from the JSContextRef
1997         in C API callbacks.
1998
1999         * API/JSContextRef.h:
2000         * API/JSContextRefPrivate.h:
2001         * API/ObjCCallbackFunction.mm:
2002         (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
2003         (JSC::objCCallbackFunctionCallAsFunction):
2004         (objCCallbackFunctionForInvocation):
2005         * API/WebKitAvailability.h:
2006         * API/tests/CurrentThisInsideBlockGetterTest.h: Added.
2007         * API/tests/CurrentThisInsideBlockGetterTest.mm: Added.
2008         (CallAsConstructor):
2009         (ConstructorFinalize):
2010         (ConstructorClass):
2011         (+[JSValue valueWithConstructorDescriptor:inContext:]):
2012         (-[JSContext valueWithConstructorDescriptor:]):
2013         (currentThisInsideBlockGetterTest):
2014         * API/tests/testapi.mm:
2015         * JavaScriptCore.xcodeproj/project.pbxproj:
2016         * debugger/Debugger.cpp: Had to add some fully qualified names to avoid conflicts with Mac OS X headers.
2017
2018 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
2019
2020         Fix build after r157457 for architecture with 4 argument registers.
2021         https://bugs.webkit.org/show_bug.cgi?id=122860
2022
2023         Reviewed by Michael Saboff.
2024
2025         * jit/CCallHelpers.h:
2026         (JSC::CCallHelpers::setupStubArguments134):
2027
2028 2013-10-14  Michael Saboff  <msaboff@apple.com>
2029
2030         transition void cti_op_* methods to JIT operations.
2031         https://bugs.webkit.org/show_bug.cgi?id=122617
2032
2033         Reviewed by Geoffrey Garen.
2034
2035         Converted the following stubs to JIT operations:
2036             cti_handle_watchdog_timer
2037             cti_op_debug
2038             cti_op_pop_scope
2039             cti_op_profile_did_call
2040             cti_op_profile_will_call
2041             cti_op_put_by_index
2042             cti_op_put_getter_setter
2043             cti_op_tear_off_activation
2044             cti_op_tear_off_arguments
2045             cti_op_throw_static_error
2046             cti_optimize
2047
2048         * dfg/DFGOperations.cpp:
2049         * dfg/DFGOperations.h:
2050         * jit/CCallHelpers.h:
2051         (JSC::CCallHelpers::setupArgumentsWithExecState):
2052         (JSC::CCallHelpers::setupThreeStubArgsGPR):
2053         (JSC::CCallHelpers::setupStubArguments):
2054         (JSC::CCallHelpers::setupStubArguments134):
2055         * jit/JIT.cpp:
2056         (JSC::JIT::emitEnterOptimizationCheck):
2057         * jit/JIT.h:
2058         * jit/JITInlines.h:
2059         (JSC::JIT::callOperation):
2060         * jit/JITOpcodes.cpp:
2061         (JSC::JIT::emit_op_tear_off_activation):
2062         (JSC::JIT::emit_op_tear_off_arguments):
2063         (JSC::JIT::emit_op_push_with_scope):
2064         (JSC::JIT::emit_op_pop_scope):
2065         (JSC::JIT::emit_op_push_name_scope):
2066         (JSC::JIT::emit_op_throw_static_error):
2067         (JSC::JIT::emit_op_debug):
2068         (JSC::JIT::emit_op_profile_will_call):
2069         (JSC::JIT::emit_op_profile_did_call):
2070         (JSC::JIT::emitSlow_op_loop_hint):
2071         * jit/JITOpcodes32_64.cpp:
2072         (JSC::JIT::emit_op_push_with_scope):
2073         (JSC::JIT::emit_op_pop_scope):
2074         (JSC::JIT::emit_op_push_name_scope):
2075         (JSC::JIT::emit_op_throw_static_error):
2076         (JSC::JIT::emit_op_debug):
2077         (JSC::JIT::emit_op_profile_will_call):
2078         (JSC::JIT::emit_op_profile_did_call):
2079         * jit/JITOperations.cpp:
2080         * jit/JITOperations.h:
2081         * jit/JITPropertyAccess.cpp:
2082         (JSC::JIT::emit_op_put_by_index):
2083         (JSC::JIT::emit_op_put_getter_setter):
2084         * jit/JITPropertyAccess32_64.cpp:
2085         (JSC::JIT::emit_op_put_by_index):
2086         (JSC::JIT::emit_op_put_getter_setter):
2087         * jit/JITStubs.cpp:
2088         * jit/JITStubs.h:
2089
2090 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
2091
2092         [sh4] Introduce const pools in LLINT.
2093         https://bugs.webkit.org/show_bug.cgi?id=122746
2094
2095         Reviewed by Michael Saboff.
2096
2097         In the current implementation of LLINT for sh4, immediate values outside the range -128..127 are
2098         loaded this way:
2099
2100             mov.l .label, rx
2101             bra out
2102             nop
2103             .balign 4
2104             .label: .long immvalue
2105             out:
2106
2107         This change introduces const pools for sh4 implementation to avoid lots of useless branches
2108         and reduce code size. It also removes lines of dirty code, like jmpf and callf.
2109
2110         * offlineasm/instructions.rb: Remove jmpf and callf sh4 specific instructions.
2111         * offlineasm/sh4.rb:
2112
2113 2013-10-15  Mark Lam  <mark.lam@apple.com>
2114
2115         Fix broken C Loop LLINT build.
2116         https://bugs.webkit.org/show_bug.cgi?id=122839.
2117
2118         Reviewed by Michael Saboff.
2119
2120         * dfg/DFGFlushedAt.cpp:
2121         * jit/JITOperations.h:
2122
2123 2013-10-14  Mark Lam  <mark.lam@apple.com>
2124
2125         Transition *switch* and *scope* JITStubs to JIT operations.
2126         https://bugs.webkit.org/show_bug.cgi?id=122757.
2127
2128         Reviewed by Geoffrey Garen.
2129
2130         Transitioning:
2131             cti_op_switch_char
2132             cti_op_switch_imm
2133             cti_op_switch_string
2134             cti_op_resolve_scope
2135             cti_op_get_from_scope
2136             cti_op_put_to_scope
2137
2138         * jit/JIT.h:
2139         * jit/JITInlines.h:
2140         (JSC::JIT::callOperation):
2141         * jit/JITOpcodes.cpp:
2142         (JSC::JIT::emit_op_switch_imm):
2143         (JSC::JIT::emit_op_switch_char):
2144         (JSC::JIT::emit_op_switch_string):
2145         * jit/JITOpcodes32_64.cpp:
2146         (JSC::JIT::emit_op_switch_imm):
2147         (JSC::JIT::emit_op_switch_char):
2148         (JSC::JIT::emit_op_switch_string):
2149         * jit/JITOperations.cpp:
2150         * jit/JITOperations.h:
2151         * jit/JITPropertyAccess.cpp:
2152         (JSC::JIT::emitSlow_op_resolve_scope):
2153         (JSC::JIT::emitSlow_op_get_from_scope):
2154         (JSC::JIT::emitSlow_op_put_to_scope):
2155         * jit/JITPropertyAccess32_64.cpp:
2156         (JSC::JIT::emitSlow_op_resolve_scope):
2157         (JSC::JIT::emitSlow_op_get_from_scope):
2158         (JSC::JIT::emitSlow_op_put_to_scope):
2159         * jit/JITStubs.cpp:
2160         * jit/JITStubs.h:
2161
2162 2013-10-14  Filip Pizlo  <fpizlo@apple.com>
2163
2164         DFG PutById IC should use the ConcurrentJITLocker since it's now dealing with IC's that get read by the compiler thread
2165         https://bugs.webkit.org/show_bug.cgi?id=122786
2166
2167         Reviewed by Mark Hahnenberg.
2168
2169         * bytecode/CodeBlock.cpp:
2170         (JSC::CodeBlock::resetStub): Resetting a stub should acquire the lock since this is observable from the thread; but we should only acquire the lock if we're resetting outside of GC.
2171         * jit/Repatch.cpp:
2172         (JSC::repatchPutByID): Doing the PutById patching should hold the lock.
2173         (JSC::buildPutByIdList): Ditto.
2174
2175 2013-10-14  Nadav Rotem  <nrotem@apple.com>
2176
2177         Add FTL support for LogicalNot(string)
2178         https://bugs.webkit.org/show_bug.cgi?id=122765
2179
2180         Reviewed by Filip Pizlo.
2181
2182         This patch is tested by:
2183         regress/script-tests/emscripten-cube2hash.js.ftl-eager
2184
2185         * ftl/FTLCapabilities.cpp:
2186         (JSC::FTL::canCompile):
2187         * ftl/FTLLowerDFGToLLVM.cpp:
2188         (JSC::FTL::LowerDFGToLLVM::compileLogicalNot):
2189
2190 2013-10-14  Julien Brianceau  <jbriance@cisco.com>
2191
2192         [sh4] Fixes after r157404 and r157411.
2193         https://bugs.webkit.org/show_bug.cgi?id=122782
2194
2195         Reviewed by Michael Saboff.
2196
2197         * dfg/DFGSpeculativeJIT.h:
2198         (JSC::DFG::SpeculativeJIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG.
2199         * jit/CCallHelpers.h:
2200         (JSC::CCallHelpers::setupArgumentsWithExecState):
2201         * jit/JITInlines.h:
2202         (JSC::JIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG.
2203         * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_by_id): Remove unwanted BEGIN_UNINTERRUPTED_SEQUENCE.

2013-10-14  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r157413.
        http://trac.webkit.org/changeset/157413
        https://bugs.webkit.org/show_bug.cgi?id=122779

        Appears to have caused frequent crashes (Requested by ap on
        #webkit).

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/DeferGC.cpp: Removed.
        * heap/DeferGC.h:
        * jit/JITStubs.cpp:
        (JSC::tryCacheGetByID):
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/ConcurrentJITLock.h:
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * runtime/JSCellInlines.h:
        (JSC::allocateCell):
        * runtime/Structure.cpp:
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::createPropertyMap):
        * runtime/Structure.h:

2013-10-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        COLLECT_ON_EVERY_ALLOCATION causes assertion failures
        https://bugs.webkit.org/show_bug.cgi?id=122652

        Reviewed by Filip Pizlo.

        COLLECT_ON_EVERY_ALLOCATION wasn't accounting for the new GC deferral mechanism,
        so we would end up ASSERTing during garbage collection.

        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::allocateSlowCase):

2013-10-11  Oliver Hunt  <oliver@apple.com>

        Separate out array iteration intrinsics
        https://bugs.webkit.org/show_bug.cgi?id=122656

        Reviewed by Michael Saboff.

        Separate out the intrinsics for key and values iteration
        of arrays.

        This requires moving array iteration into the iterator
        instance, rather than the prototype, but this is essentially
        unobservable so we'll live with it for now.

        * jit/ThunkGenerators.cpp:
        (JSC::arrayIteratorNextThunkGenerator):
        (JSC::arrayIteratorNextKeyThunkGenerator):
        (JSC::arrayIteratorNextValueThunkGenerator):
        * jit/ThunkGenerators.h:
        * runtime/ArrayIteratorPrototype.cpp:
        (JSC::ArrayIteratorPrototype::finishCreation):
        * runtime/Intrinsic.h:
        * runtime/JSArrayIterator.cpp:
        (JSC::JSArrayIterator::finishCreation):
        (JSC::createIteratorResult):
        (JSC::arrayIteratorNext):
        (JSC::arrayIteratorNextKey):
        (JSC::arrayIteratorNextValue):
        (JSC::arrayIteratorNextGeneric):
        * runtime/VM.cpp:
        (JSC::thunkGeneratorForIntrinsic):

2013-10-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
        https://bugs.webkit.org/show_bug.cgi?id=122667

        Reviewed by Filip Pizlo.

        The issue this patch is attempting to fix is that there are places in our codebase
        where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
        operations that can initiate a garbage collection. Garbage collection then calls
        some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
        always necessarily run during garbage collection). This causes a deadlock.

        To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores
        into a thread-local field that indicates that it is unsafe to perform any operation
        that could trigger garbage collection on the current thread. In debug builds,
        ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly
        detect deadlocks.

        This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
        which uses the DeferGC mechanism to prevent collections from occurring while the
        lock is held.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/DeferGC.cpp: Added.
        * heap/DeferGC.h:
        (JSC::DisallowGC::DisallowGC):
        (JSC::DisallowGC::~DisallowGC):
        (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
        (JSC::DisallowGC::initialize):
        * jit/JITStubs.cpp:
        (JSC::tryCachePutByID):
        (JSC::tryCacheGetByID):
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/ConcurrentJITLock.h:
        (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
        (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
        (JSC::ConcurrentJITLockerBase::unlockEarly):
        (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
        (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * runtime/JSCellInlines.h:
        (JSC::allocateCell):
        * runtime/Structure.cpp:
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::createPropertyMap):
        * runtime/Structure.h:

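The DisallowGC / DeferGC / GCSafeConcurrentJITLocker interplay described in the entry above, as an added single-threaded C++ model (not JavaScriptCore's own code): CodeBlock, collectIfNecessary and the allocateUnder* scenarios are stand-ins constructed here. The raw lock reproduces the deadlock, the debug locker flags it eagerly, and the GC-safe locker defers the collection until the lock is released.

```cpp
// Single-threaded stand-in for the non-recursive ConcurrentJITLock of a CodeBlock.
struct CodeBlock {
    bool locked = false;
    bool tryLock() { if (locked) return false; return locked = true; }
    void unlock() { locked = false; }
};
static thread_local unsigned disallowDepth = 0;             // >0: collecting here is a bug
static thread_local unsigned deferDepth = 0;                // >0: collections are queued
static thread_local CodeBlock* pendingCollection = nullptr;
static unsigned collectionsRun = 0;
enum class GCOutcome { Ran, Deferred, DisallowedOnThread, WouldDeadlock };
GCOutcome collectIfNecessary(CodeBlock&);
struct DisallowGC {   // RAII thread-local flag: GC must not be triggered on this thread
    DisallowGC() { ++disallowDepth; }  ~DisallowGC() { --disallowDepth; }
    static bool isGCDisallowedOnCurrentThread() { return disallowDepth > 0; }
};
struct DeferGC {      // RAII: queue collections; the outermost scope runs what was queued
    DeferGC() { ++deferDepth; }
    ~DeferGC() { if (--deferDepth || !pendingCollection) return; CodeBlock* cb = pendingCollection; pendingCollection = nullptr; collectIfNecessary(*cb); }
};
// Models allocateCell() deciding to collect: the collector visits the CodeBlock and takes
// its ConcurrentJITLock, which deadlocks if the allocating thread already holds it.
GCOutcome collectIfNecessary(CodeBlock& cb) {
    if (DisallowGC::isGCDisallowedOnCurrentThread()) return GCOutcome::DisallowedOnThread; // ASSERT in debug
    if (deferDepth) { pendingCollection = &cb; return GCOutcome::Deferred; }
    if (!cb.tryLock()) return GCOutcome::WouldDeadlock;
    cb.unlock(); ++collectionsRun; return GCOutcome::Ran;
}
struct ConcurrentJITLockerBase {   // holds the CodeBlock's lock for the scope
    explicit ConcurrentJITLockerBase(CodeBlock& cb) : m_cb(cb), m_held(cb.tryLock()) {}
    ~ConcurrentJITLockerBase() { unlockEarly(); }
    void unlockEarly() { if (m_held) { m_cb.unlock(); m_held = false; } }
    CodeBlock& m_cb; bool m_held;
};
struct ConcurrentJITLocker : ConcurrentJITLockerBase {        // debug builds carry a DisallowGC
    explicit ConcurrentJITLocker(CodeBlock& cb) : ConcurrentJITLockerBase(cb) {}
    DisallowGC m_disallowGC;
};
struct GCSafeConcurrentJITLocker : ConcurrentJITLockerBase {  // must drop the lock before DeferGC fires
    explicit GCSafeConcurrentJITLocker(CodeBlock& cb) : ConcurrentJITLockerBase(cb) {}
    ~GCSafeConcurrentJITLocker() { unlockEarly(); }   // members (DeferGC) are destroyed after this body
    DeferGC m_deferGC;
};
// Three ways of allocating (and so possibly collecting) while the CodeBlock is locked.
GCOutcome allocateUnderRawLock(CodeBlock& cb) { (void)cb.tryLock(); GCOutcome r = collectIfNecessary(cb); cb.unlock(); return r; }
GCOutcome allocateUnderLocker(CodeBlock& cb) { ConcurrentJITLocker locker(cb); return collectIfNecessary(cb); }
GCOutcome allocateUnderGCSafeLocker(CodeBlock& cb) { GCSafeConcurrentJITLocker locker(cb); return collectIfNecessary(cb); }
```
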
2013-10-14  Filip Pizlo  <fpizlo@apple.com>

        Baseline JIT should use the DFG's PutById IC
        https://bugs.webkit.org/show_bug.cgi?id=122704

        Reviewed by Mark Hahnenberg.

        Mostly no big deal, just removing the old Baseline JIT's put_by_id IC support and forcing
        that JIT to use the DFG's (i.e. JITOperations) PutById IC.

        The only complicated part was that the PutById operations assumed that we first did a
        cell speculation, which the baseline JIT obviously won't do. So I changed all of those
        slow paths to deal with EncodedJSValue's.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::resetStubInternal):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JIT.cpp:
        (JSC::PropertyStubCompilationInfo::copyToStubInfo):
        * jit/JIT.h:
        (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
        (JSC::PropertyStubCompilationInfo::slowCaseInfo):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOperationWrappers.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::compileGetByIdSlowCase):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::compileGetByIdSlowCase):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/Repatch.cpp:
        (JSC::appropriateGenericPutByIdFunction):
        (JSC::appropriateListBuildingPutByIdFunction):
        (JSC::resetPutByID):

2013-10-13  Filip Pizlo  <fpizlo@apple.com>

        FTL should have an inefficient but correct implementation of GetById
        https://bugs.webkit.org/show_bug.cgi?id=122740

        Reviewed by Mark Hahnenberg.

        It took some effort to realize that the node->prediction() check in the DFG backends
        are completely unnecessary since the ByteCodeParser will always insert a ForceOSRExit
        if !prediction.

        But other than that this was an easy patch.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleGetById):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetById):

2013-10-13  Mark Lam  <mark.lam@apple.com>

        Transition misc cti_op_* JITStubs to JIT operations.
        https://bugs.webkit.org/show_bug.cgi?id=122645.

        Reviewed by Michael Saboff.

        Stubs converted:
            cti_op_check_has_instance
            cti_op_create_arguments
            cti_op_del_by_id
            cti_op_instanceof
            cti_to_object
            cti_op_push_activation
            cti_op_get_pnames
            cti_op_load_varargs

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JIT.h:
        (JSC::JIT::emitStoreCell):
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_create_activation):
        (JSC::JIT::emit_op_create_arguments):
        (JSC::JIT::emitSlow_op_check_has_instance):
        (JSC::JIT::emitSlow_op_instanceof):
        (JSC::JIT::emitSlow_op_get_argument_by_val):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emitSlow_op_check_has_instance):
        (JSC::JIT::emitSlow_op_instanceof):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_create_activation):
        (JSC::JIT::emit_op_create_arguments):
        (JSC::JIT::emitSlow_op_get_argument_by_val):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_del_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_del_by_id):
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:

2013-10-13  Filip Pizlo  <fpizlo@apple.com>

        FTL OSR exit should perform zero extension on values smaller than 64-bit
        https://bugs.webkit.org/show_bug.cgi?id=122688

        Reviewed by Gavin Barraclough.

        In the DFG we usually make the simplistic assumption that a 32-bit value in a 64-bit
        register will have zeros on the high bits.  In the few cases where the high bits are
        non-zero, the DFG sort of tells us this explicitly.

        But when working with llvm.webkit.stackmap, it doesn't work that way.  Consider we might
        emit LLVM IR like:

            %2 = trunc i64 %1 to i32
            stuff %2
            call @llvm.webkit.stackmap(...., %2)

        LLVM may never actually emit a truncation instruction of any kind.  And that's great - in
        many cases it won't be needed, like if 'stuff %2' is a 32-bit op that ignores the high
        bits anyway.  Hence LLVM may tell us that %2 is in the register that still had the value
        from before truncation, and that register may have garbage in the high bits.

        This means that on our end, if we want a 32-bit value and we want that value to be
        zero-extended, we should zero-extend it ourselves.  This is pretty easy and should be
        cheap, so we should just do it and not make it a requirement that LLVM does it on its
        end.

        This makes all tests pass with JSC_ftlOSRExitUsesStackmap=true.

        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStubWithOSRExitStackmap):
        * ftl/FTLValueFormat.cpp:
        (JSC::FTL::reboxAccordingToFormat):

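Added illustration of the zero-extension point in the entry above, not code from the patch: the JSValue tag constants are assumptions modelled on JavaScriptCore's 64-bit encoding, and the two stale-register images are constructed. It contrasts reboxing that trusts the high bits with reboxing that zero-extends first, and shows how a consumer's type checks go wrong on the former.

```cpp
#include <cstdint>

// Constants modelled on JavaScriptCore's 64-bit JSValue encoding. They are an
// assumption made for this illustration, not copied from the tree.
constexpr uint64_t TagTypeNumber = 0xffff000000000000ull; // int32 payload sits under this tag
constexpr uint64_t ValueFalse = 0x06;                     // boolean immediates: 0x06 / 0x07
constexpr uint64_t ValueTrue  = 0x07;

enum class ValueFormat { Int32, Boolean, JSValue };

// DFG-style assumption: a 32-bit value in a 64-bit register already has zero
// high bits. Wrong when the stackmap reports the pre-truncation register.
uint64_t reboxTrustingHighBits(ValueFormat format, uint64_t reg) {
    switch (format) {
    case ValueFormat::Int32:   return TagTypeNumber | reg;
    case ValueFormat::Boolean: return ValueFalse | reg;
    default:                   return reg;   // already a full JSValue
    }
}

// The fix described above: zero-extend sub-64-bit formats ourselves before boxing,
// instead of requiring LLVM to have emitted a truncation.
uint64_t reboxZeroExtending(ValueFormat format, uint64_t reg) {
    uint64_t low32 = static_cast<uint32_t>(reg);  // explicit zero extension
    switch (format) {
    case ValueFormat::Int32:   return TagTypeNumber | low32;
    case ValueFormat::Boolean: return ValueFalse | low32;
    default:                   return reg;
    }
}

// Decoders that the code resuming after OSR exit applies to the boxed value.
bool     isInt32(uint64_t v)   { return (v & TagTypeNumber) == TagTypeNumber; }
int32_t  asInt32(uint64_t v)   { return static_cast<int32_t>(v); }
bool     isBoolean(uint64_t v) { return (v & ~1ull) == ValueFalse; }
uint64_t jsInt32(int32_t i)    { return TagTypeNumber | static_cast<uint32_t>(i); }

// Constructed register images: the i32 value 42 and the i1 value true, each with
// stale bits left above bit 31 by whatever the register held before the trunc.
constexpr uint64_t kStaleInt32Reg = 0x00000bad0000002aull;
constexpr uint64_t kStaleBoolReg  = 0x0000000100000001ull;
```

With the trusting rebox the int32 still decodes but is no longer bit-identical to jsNumber(42), so bitwise JSValue comparisons and hashes disagree, and the boolean is not recognized as a boolean at all.
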
== Rolled over to ChangeLog-2013-10-13 ==