[ARM] Add the necessary setupArgumentsWithExecState after bug141332
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-02-17  Csaba Osztrogonác  <ossy@webkit.org>

        [ARM] Add the necessary setupArgumentsWithExecState after bug141332
        https://bugs.webkit.org/show_bug.cgi?id=141714

        Reviewed by Michael Saboff.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):

2015-02-15  Sam Weinig  <sam@webkit.org>

        Add experimental <attachment> element support
        https://bugs.webkit.org/show_bug.cgi?id=141626

        Reviewed by Tim Horton.

        * Configurations/FeatureDefines.xcconfig:

2015-02-16  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r180060): C Loop crashes
        https://bugs.webkit.org/show_bug.cgi?id=141671

        Reviewed by Geoffrey Garen.

        Fixed a typo that only affected the C Loop in the prologue() macro in LowLevelInterpreter.asm.
        After the stackHeightOKGetCodeBlock label, codeBlockSetter(t1) should be codeBlockGetter(t1).
        Fixed the processing of an out-of-stack exception in llint_stack_check to not get the caller's
        frame.  This isn't needed, since this helper is only called to check the stack on entry.  Any
        exception will be handled by a call ancestor.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_stack_check): Changed to use the current frame for processing an exception.
        * llint/LowLevelInterpreter.asm: Fixed a typo.

2015-02-16  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Scope details sidebar should label objects with constructor names
        https://bugs.webkit.org/show_bug.cgi?id=139449

        Reviewed by Timothy Hatcher.

        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::internalConstructorName):
        * runtime/Structure.cpp:
        (JSC::Structure::toStructureShape):
        Share calculatedClassName.

        * runtime/JSObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::calculatedClassName):
        Elaborate on a way to get an Object's class name.

2015-02-16  Filip Pizlo  <fpizlo@apple.com>

        DFG SSA should use GetLocal for arguments, and the GetArgument node type should be removed
        https://bugs.webkit.org/show_bug.cgi?id=141623

        Reviewed by Oliver Hunt.

        During development of https://bugs.webkit.org/show_bug.cgi?id=141332, I realized that I
        needed to use GetArgument for loading something that has magically already appeared on the
        stack, so currently trunk sort of allows this. But then I realized three things:

        - A GetArgument with a non-JSValue flush format means speculating that the value on the
          stack obeys that format, rather than just assuming that it already has that format.
          In bug 141332, I want it to assume rather than speculate. That also happens to be more
          intuitive; I don't think I was wrong to expect that.

        - The node I really want is GetLocal. I'm just getting the value of the local and I don't
          want to do anything else.

        - Maybe it would be easier if we just used GetLocal for all of the cases where we currently
          use GetArgument.

        This changes the FTL to do argument speculations in the prologue just like the DFG does.
        This brings some consistency to our system, and allows us to get rid of the GetArgument
        node. The speculations that the FTL must do are now made explicit in the m_argumentFormats
        vector in DFG::Graph. This has natural DCE behavior: even if all uses of the argument are
        dead we will still speculate. We already have safeguards to ensure we only speculate if
        there are uses that benefit from speculation (which is a much more conservative criterion
        than DCE).

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::run):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::typeFilterFor):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::valueProfileFor):
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::initialize):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::hasVariableAccessData):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
        (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGPutLocalSinkingPhase.cpp:
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
        (JSC::FTL::LowerDFGToLLVM::compileGetArgument): Deleted.
        * tests/stress/dead-speculating-argument-use.js: Added.
        (foo):
        (o.valueOf):

2015-02-15  Filip Pizlo  <fpizlo@apple.com>

        Rare case profiling should actually work
        https://bugs.webkit.org/show_bug.cgi?id=141632

        Reviewed by Michael Saboff.

        This simple adjustment appears to be a 2% speed-up on Octane. Over time, the slow case
        heuristic has essentially stopped working because the typical execution count threshold for a
        bytecode instruction is around 66 while the slow case threshold is 100: virtually
        guaranteeing that the DFG will never think that a bytecode instruction has taken the slow
        case even if it took it every single time. So, this changes the slow case threshold to 20.

        I checked if we could lower this down further, like to 10. That is worse than 20, and about
        as bad as 100.

        * runtime/Options.h:

2015-02-15  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: remove unused XHR replay code
        https://bugs.webkit.org/show_bug.cgi?id=141622

        Reviewed by Timothy Hatcher.

        * inspector/protocol/Network.json: remove XHR replay methods.

2015-02-15  David Kilzer  <ddkilzer@apple.com>

        REGRESSION (r180082): WebCore Debug builds fail on Mavericks due to weak export symbols
        <http://webkit.org/b/141607>

        More work towards fixing the Mavericks Debug build.

        * inspector/ScriptDebugServer.h:
        (Inspector::ScriptDebugServer::Task):
        * inspector/agents/InspectorDebuggerAgent.h:
        (Inspector::InspectorDebuggerAgent::Listener):
        - Remove subclass exports. They did not help.

        * runtime/JSCJSValue.h:
        (JSC::JSValue::toFloat): Do not mark inline method for export.

2015-02-09  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: remove some unnecessary Inspector prefixes from class names in Inspector namespace
        https://bugs.webkit.org/show_bug.cgi?id=141372

        Reviewed by Joseph Pecoraro.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::addToFrontend):
        (Inspector::ConsoleMessage::updateRepeatCountInConsole):
        * inspector/ConsoleMessage.h:
        * inspector/InspectorAgentBase.h:
        * inspector/InspectorAgentRegistry.cpp:
        (Inspector::AgentRegistry::AgentRegistry):
        (Inspector::AgentRegistry::append):
        (Inspector::AgentRegistry::appendExtraAgent):
        (Inspector::AgentRegistry::didCreateFrontendAndBackend):
        (Inspector::AgentRegistry::willDestroyFrontendAndBackend):
        (Inspector::AgentRegistry::discardAgents):
        (Inspector::InspectorAgentRegistry::InspectorAgentRegistry): Deleted.
        (Inspector::InspectorAgentRegistry::append): Deleted.
        (Inspector::InspectorAgentRegistry::appendExtraAgent): Deleted.
        (Inspector::InspectorAgentRegistry::didCreateFrontendAndBackend): Deleted.
        (Inspector::InspectorAgentRegistry::willDestroyFrontendAndBackend): Deleted.
        (Inspector::InspectorAgentRegistry::discardAgents): Deleted.
        * inspector/InspectorAgentRegistry.h:
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::CallbackBase::CallbackBase):
        (Inspector::BackendDispatcher::CallbackBase::isActive):
        (Inspector::BackendDispatcher::CallbackBase::sendFailure):
        (Inspector::BackendDispatcher::CallbackBase::sendIfActive):
        (Inspector::BackendDispatcher::create):
        (Inspector::BackendDispatcher::registerDispatcherForDomain):
        (Inspector::BackendDispatcher::dispatch):
        (Inspector::BackendDispatcher::sendResponse):
        (Inspector::BackendDispatcher::reportProtocolError):
        (Inspector::BackendDispatcher::getInteger):
        (Inspector::BackendDispatcher::getDouble):
        (Inspector::BackendDispatcher::getString):
        (Inspector::BackendDispatcher::getBoolean):
        (Inspector::BackendDispatcher::getObject):
        (Inspector::BackendDispatcher::getArray):
        (Inspector::BackendDispatcher::getValue):
        (Inspector::InspectorBackendDispatcher::CallbackBase::CallbackBase): Deleted.
        (Inspector::InspectorBackendDispatcher::CallbackBase::isActive): Deleted.
        (Inspector::InspectorBackendDispatcher::CallbackBase::sendFailure): Deleted.
        (Inspector::InspectorBackendDispatcher::CallbackBase::sendIfActive): Deleted.
        (Inspector::InspectorBackendDispatcher::create): Deleted.
        (Inspector::InspectorBackendDispatcher::registerDispatcherForDomain): Deleted.
        (Inspector::InspectorBackendDispatcher::dispatch): Deleted.
        (Inspector::InspectorBackendDispatcher::sendResponse): Deleted.
        (Inspector::InspectorBackendDispatcher::reportProtocolError): Deleted.
        (Inspector::InspectorBackendDispatcher::getInteger): Deleted.
        (Inspector::InspectorBackendDispatcher::getDouble): Deleted.
        (Inspector::InspectorBackendDispatcher::getString): Deleted.
        (Inspector::InspectorBackendDispatcher::getBoolean): Deleted.
        (Inspector::InspectorBackendDispatcher::getObject): Deleted.
        (Inspector::InspectorBackendDispatcher::getArray): Deleted.
        (Inspector::InspectorBackendDispatcher::getValue): Deleted.
        * inspector/InspectorBackendDispatcher.h:
        (Inspector::SupplementalBackendDispatcher::SupplementalBackendDispatcher):
        (Inspector::SupplementalBackendDispatcher::~SupplementalBackendDispatcher):
        (Inspector::InspectorSupplementalBackendDispatcher::InspectorSupplementalBackendDispatcher): Deleted.
        (Inspector::InspectorSupplementalBackendDispatcher::~InspectorSupplementalBackendDispatcher): Deleted.
        * inspector/InspectorFrontendChannel.h:
        (Inspector::FrontendChannel::~FrontendChannel):
        (Inspector::InspectorFrontendChannel::~InspectorFrontendChannel): Deleted.
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::globalObjectDestroyed):
        (Inspector::JSGlobalObjectInspectorController::connectFrontend):
        (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
        (Inspector::JSGlobalObjectInspectorController::dispatchMessageFromFrontend):
        (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::didCreateFrontendAndBackend):
        (Inspector::InspectorAgent::willDestroyFrontendAndBackend):
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::didCreateFrontendAndBackend):
        (Inspector::InspectorConsoleAgent::willDestroyFrontendAndBackend):
        * inspector/agents/InspectorConsoleAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::didCreateFrontendAndBackend):
        (Inspector::InspectorDebuggerAgent::willDestroyFrontendAndBackend):
        (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
        (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
        (Inspector::InspectorDebuggerAgent::pause):
        (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
        (Inspector::InspectorDebuggerAgent::didPause):
        (Inspector::InspectorDebuggerAgent::breakProgram):
        (Inspector::InspectorDebuggerAgent::clearBreakDetails):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
        (Inspector::JSGlobalObjectRuntimeAgent::didCreateFrontendAndBackend):
        (Inspector::JSGlobalObjectRuntimeAgent::willDestroyFrontendAndBackend):
        * inspector/agents/JSGlobalObjectRuntimeAgent.h:
        * inspector/augmentable/AlternateDispatchableAgent.h:
        * inspector/augmentable/AugmentableInspectorController.h:
        * inspector/remote/RemoteInspectorDebuggable.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        * inspector/scripts/codegen/cpp_generator.py:
        (CppGenerator.cpp_type_for_formal_out_parameter):
        (CppGenerator.cpp_type_for_stack_out_parameter):
        * inspector/scripts/codegen/cpp_generator_templates.py:
        (AlternateBackendDispatcher):
        (Alternate):
        (void):
        (AlternateInspectorBackendDispatcher): Deleted.
        (AlternateInspector): Deleted.
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
        (CppBackendDispatcherHeaderGenerator._generate_alternate_handler_forward_declarations_for_domains.Alternate):
        (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
        (CppBackendDispatcherHeaderGenerator._generate_alternate_handler_forward_declarations_for_domains.AlternateInspector): Deleted.
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator._generate_handler_class_destructor_for_domain):
        (CppBackendDispatcherImplementationGenerator._generate_large_dispatcher_switch_implementation_for_domain):
        (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
        (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator._generate_event):
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
        * runtime/JSGlobalObjectDebuggable.cpp:
        (JSC::JSGlobalObjectDebuggable::connect):
        (JSC::JSGlobalObjectDebuggable::disconnect):
        * runtime/JSGlobalObjectDebuggable.h:

2015-02-14  David Kilzer  <ddkilzer@apple.com>

        REGRESSION (r180082): WebCore Debug builds fail on Mavericks due to weak export symbols
        <http://webkit.org/b/141607>

        Work towards fixing the Mavericks Debug build.

        * inspector/ScriptDebugServer.h:
        (Inspector::ScriptDebugServer::Task): Export class.
        * inspector/agents/InspectorDebuggerAgent.h:
        (Inspector::InspectorDebuggerAgent::Listener): Export class.
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::setConsoleClient): Do not mark inline
        method for export.

2015-02-14  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Symbol RemoteObject should not send sub-type
        https://bugs.webkit.org/show_bug.cgi?id=141604

        Reviewed by Brian Burg.

        * inspector/InjectedScriptSource.js:

2015-02-13  Benjamin Poulain  <bpoulain@apple.com>

        Attempt to fix 32bits build after r180098

        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        I copied the attribute from the MathObject version of that function when I moved
        it over. DFG has no version of a function call taking those attributes.

2015-02-13  Joseph Pecoraro  <pecoraro@apple.com>

        JSContext Inspector: Do not stash console messages for non-debuggable JSContext
        https://bugs.webkit.org/show_bug.cgi?id=141589

        Reviewed by Timothy Hatcher.

        Consider developer extras disabled for JSContext inspection if the
        RemoteInspector server is not enabled (typically a non-debuggable
        process rejected by webinspectord) or if remote debugging on the
        JSContext was explicitly disabled via SPI.

        When developer extras are disabled, console messages will not be stashed.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::developerExtrasEnabled):
        * inspector/JSGlobalObjectInspectorController.h:

2015-02-13  Benjamin Poulain  <bpoulain@apple.com>

        Add a DFG node for the Pow Intrinsics
        https://bugs.webkit.org/show_bug.cgi?id=141540

        Reviewed by Filip Pizlo.

        Add a DFG Node for PowIntrinsic. This patch covers the basic cases
        needed to avoid massive regression. I will iterate over the node to cover
        the missing types.

        With this patch I get the following progressions on benchmarks:
        - LongSpider's math-partial-sums: +5%.
        - Kraken's imaging-darkroom: +17%
        - AsmBench's cray.c: +6.6%
        - CompressionBench: +2.2% globally.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        Cover a couple of trivial cases:
        - If the exponent is zero, the result is always one, regardless of the base.
        - If both arguments are constants, compute the result at compile time.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        We only support 2 basic cases at this time:
        - Math.pow(double, int)
        - Math.pow(double, double).

        I'll cover Math.pow(int, int) in a follow up.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToArithSqrt):
        (JSC::DFG::Node::arithNodeFlags):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::compileArithPowIntegerFastPath):
        (JSC::DFG::SpeculativeJIT::compileArithPow):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileArithPow):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doublePow):
        (JSC::FTL::Output::doublePowi):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncPow):
        (JSC::isDenormal): Deleted.
        (JSC::isEdgeCase): Deleted.
        (JSC::mathPow): Deleted.

        * tests/stress/math-pow-basics.js: Added.
        * tests/stress/math-pow-integer-exponent-fastpath.js: Added.
        * tests/stress/math-pow-nan-behaviors.js: Added.
        * tests/stress/math-pow-with-constants.js: Added.
        Start some basic testing of Math.pow().
        Due to the various transforms, the values change when the code tiers up;
        I covered this by checking for approximate values.

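The entry above notes that Math.pow results can change slightly as a function tiers up, so its tests compare approximate values. The following is an added example, not one of the tests/stress files listed in the entry: a tier-up tolerant check that runs Math.pow through a separately compiled callee in a hot loop and compares each result with a relative tolerance, while still checking NaN, the infinities and signed zero exactly. The test cases and the 1e-9 tolerance are this example's own choices; it runs in any JavaScript engine, not only JSC.

```javascript
// Added example, not one of the tests/stress files listed in the entry above.
// A tier-up tolerant check of Math.pow: a hot loop gives the engine a chance to
// recompile the callee (in JSC: LLInt -> baseline JIT -> DFG -> FTL), and results
// are compared with a relative tolerance because different tiers may compute
// pow differently (e.g. an integer-exponent fast path vs. libm's pow).

// Compare two doubles with a relative tolerance, treating NaN, the infinities
// and zero (sign included) exactly. The 1e-9 tolerance is this example's choice.
function relativelyEqual(actual, expected, relTolerance = 1e-9) {
  if (Number.isNaN(expected)) return Number.isNaN(actual);
  if (!Number.isFinite(expected) || expected === 0) return Object.is(actual, expected);
  return Math.abs(actual - expected) <= relTolerance * Math.abs(expected);
}

// Constructed cases: [base, exponent, expected]. They cover what the DFG treats
// specially: a zero exponent is 1 for every base (NaN included, per the spec),
// an integer exponent (fast path), a fractional exponent, and NaN propagation.
const CASES = [
  [NaN, 0, 1],
  [Infinity, 0, 1],
  [NaN, 1, NaN],
  [2, 10, 1024],
  [2, -1, 0.5],
  [0, 3, 0],
  [-0, 3, -0],
  [10, 0.5, Math.sqrt(10)],
  [1.1, 100, Math.exp(100 * Math.log(1.1))],
];

// Call pow through its own function so the engine can tier it up independently,
// run every case `iterations` times, and report the first mismatch.
function checkPow(iterations = 100000) {
  const pow = (x, y) => Math.pow(x, y);
  for (let i = 0; i < iterations; i++) {
    for (const [base, exponent, expected] of CASES) {
      const actual = pow(base, exponent);
      if (!relativelyEqual(actual, expected)) {
        return { ok: false, iteration: i, base, exponent, actual, expected };
      }
    }
  }
  return { ok: true, iterations };
}

console.log(checkPow());
```

Returning the first failing iteration rather than throwing makes it visible whether a mismatch appears only after warm-up, which is exactly the tier-up symptom the entry describes.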
2015-02-13  Benjamin Poulain  <bpoulain@apple.com>

        ArithSqrt should not be conditional on supportsFloatingPointSqrt
        https://bugs.webkit.org/show_bug.cgi?id=141546

        Reviewed by Geoffrey Garen and Filip Pizlo.

        Just fall back to the function call in the DFG codegen.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithSqrt):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * tests/stress/math-sqrt-basics.js: Added.
        Basic coverage.

        * tests/stress/math-sqrt-basics-disable-architecture-specific-optimizations.js: Added.
        Same tests but forcing the function call.

2015-02-13  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r180060) New js/regress-141098 test crashes when LLInt is disabled.
        https://bugs.webkit.org/show_bug.cgi?id=141577

        Reviewed by Benjamin Poulain.

        Changed the prologue of the baseline JIT to check for stack space for all
        types of code blocks.  Previously, it was only checking Function.  Now
        it checks Program and Eval as well.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):

2015-02-13  Benjamin Poulain  <bpoulain@apple.com>

        Generate incq instead of addq when the immediate value is one
        https://bugs.webkit.org/show_bug.cgi?id=141548

        Reviewed by Gavin Barraclough.

        JSC emits "addq #1 (rXX)" *a lot*.
        This patch replaces that with incq, which is one byte shorter
        and is the advised form.

        Sunspider: +0.47%
        Octane: +0.28%
        Kraken: +0.44%
        AsmBench, CompressionBench: neutral.

        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::add64):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::incq_m):

2015-02-13  Benjamin Poulain  <benjamin@webkit.org>

        Little clean up of Bytecode Generator's Label
        https://bugs.webkit.org/show_bug.cgi?id=141557

        Reviewed by Michael Saboff.

        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/BytecodeGenerator.cpp:
        Label was a friend of BytecodeGenerator in order to access
        m_instructions. There is no need for that, BytecodeGenerator
        has a public getter.

        * bytecompiler/Label.h:
        (JSC::Label::Label):
        (JSC::Label::setLocation):
        (JSC::BytecodeGenerator::newLabel):
        Make it explicit that the generator must exist.

2015-02-13  Michael Saboff  <msaboff@apple.com>

        Google doc spreadsheet reproducibly crashes when sorting
        https://bugs.webkit.org/show_bug.cgi?id=141098

        Reviewed by Oliver Hunt.

        Moved the stack check to before the callee registers are allocated in the
        prologue() by moving it from the functionInitialization() macro.  This
        way we can check the stack before moving the stack pointer, avoiding a
        crash during a "call" instruction.  Before this change, we weren't even
        checking the stack for program and eval execution.

        Made a couple of supporting changes.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_stack_check): We can't just go up one frame as we
        may be processing an exception to an entry frame.

        * llint/LowLevelInterpreter.asm:

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        (llint_throw_from_slow_path_trampoline): Changed method to get the vm
        from the code block to not use the codeBlock, since we may need to
        continue from an exception in a native function.

2015-02-12  Benjamin Poulain  <benjamin@webkit.org>

        Simplify the initialization of BytecodeGenerator a bit
        https://bugs.webkit.org/show_bug.cgi?id=141505

        Reviewed by Anders Carlsson.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        Set up the default initialization at the declaration level
        instead of the constructor.

        Also made m_scopeNode and m_codeType const to make it explicit
        that they are invariant after construction.

        * parser/Nodes.cpp:
        * runtime/Executable.cpp:
        Remove 2 useless #includes.

2015-02-12  Benjamin Poulain  <benjamin@webkit.org>

        Move the generators for GetScope and SkipScope to the common core in DFGSpeculativeJIT
        https://bugs.webkit.org/show_bug.cgi?id=141506

        Reviewed by Michael Saboff.

        The generators for the nodes GetScope and SkipScope were
        completely identical between 32 and 64 bits.

        This patch moves the duplicated code to DFGSpeculativeJIT.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetScope):
        (JSC::DFG::SpeculativeJIT::compileSkipScope):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2015-02-11  Brent Fulgham  <bfulgham@apple.com>

        [Win] [64-bit] Work around MSVC2013 Runtime Bug
        https://bugs.webkit.org/show_bug.cgi?id=141498
        <rdar://problem/19803642>

        Reviewed by Anders Carlsson.

        Disable FMA3 instruction use in the MSVC math library to
        work around a VS2013 runtime crash. We can remove this
        workaround when we switch to VS2015.

        * API/tests/testapi.c: Call _set_FMA3_enable(0) to disable
        FMA3 support.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add new files.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
        * JavaScriptCore.vcxproj/JavaScriptCoreDLL.cpp: Added.
        * JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp: Call _set_FMA3_enable(0)
        to disable FMA3 support.
        * jsc.cpp: Ditto.
        * testRegExp.cpp: Ditto.

2015-02-11  Filip Pizlo  <fpizlo@apple.com>

        The callee frame helpers in DFG::SpeculativeJIT should be available to other JITs
        https://bugs.webkit.org/show_bug.cgi?id=141493

        Reviewed by Michael Saboff.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::calleeFrameSlot): Deleted.
        (JSC::DFG::SpeculativeJIT::calleeArgumentSlot): Deleted.
        (JSC::DFG::SpeculativeJIT::calleeFrameTagSlot): Deleted.
        (JSC::DFG::SpeculativeJIT::calleeFramePayloadSlot): Deleted.
        (JSC::DFG::SpeculativeJIT::calleeArgumentTagSlot): Deleted.
        (JSC::DFG::SpeculativeJIT::calleeArgumentPayloadSlot): Deleted.
        (JSC::DFG::SpeculativeJIT::calleeFrameCallerFrame): Deleted.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::calleeFrameSlot):
        (JSC::AssemblyHelpers::calleeArgumentSlot):
        (JSC::AssemblyHelpers::calleeFrameTagSlot):
        (JSC::AssemblyHelpers::calleeFramePayloadSlot):
        (JSC::AssemblyHelpers::calleeArgumentTagSlot):
        (JSC::AssemblyHelpers::calleeArgumentPayloadSlot):
        (JSC::AssemblyHelpers::calleeFrameCallerFrame):

650 2015-02-11  Filip Pizlo  <fpizlo@apple.com>
651
652         SetupVarargsFrame should not assume that an inline stack frame would have identical layout to a normal stack frame
653         https://bugs.webkit.org/show_bug.cgi?id=141485
654
655         Reviewed by Oliver Hunt.
656         
657         The inlineStackOffset argument was meant to make it easy for the DFG to use this helper for
658         vararg calls from inlined code, but that doesn't work since the DFG inline call frame
659         doesn't actually put the argument count at the JSStack::ArgumentCount offset. In fact there
660         is really no such thing as an inlineStackOffset except when we OSR exit; while the code is
661         running the stack layout is compacted so that the stackOffset is not meaningful.
662
663         * jit/JITCall.cpp:
664         (JSC::JIT::compileSetupVarargsFrame):
665         * jit/JITCall32_64.cpp:
666         (JSC::JIT::compileSetupVarargsFrame):
667         * jit/SetupVarargsFrame.cpp:
668         (JSC::emitSetupVarargsFrameFastCase):
669         * jit/SetupVarargsFrame.h:
670
671 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
672
673         Split FTL::JSCall into the part that knows about call inline caching and the part that interacts with LLVM patchpoints
674         https://bugs.webkit.org/show_bug.cgi?id=141455
675
676         Reviewed by Mark Lam.
677         
678         The newly introduced FTL::JSCallBase can be used to build other things, like the FTL portion
679         of https://bugs.webkit.org/show_bug.cgi?id=141332.
680
681         * CMakeLists.txt:
682         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
683         * JavaScriptCore.xcodeproj/project.pbxproj:
684         * bytecode/CallLinkInfo.h:
685         (JSC::CallLinkInfo::specializationKindFor):
686         (JSC::CallLinkInfo::specializationKind):
687         * ftl/FTLJSCall.cpp:
688         (JSC::FTL::JSCall::JSCall):
689         (JSC::FTL::JSCall::emit): Deleted.
690         (JSC::FTL::JSCall::link): Deleted.
691         * ftl/FTLJSCall.h:
692         * ftl/FTLJSCallBase.cpp: Added.
693         (JSC::FTL::JSCallBase::JSCallBase):
694         (JSC::FTL::JSCallBase::emit):
695         (JSC::FTL::JSCallBase::link):
696         * ftl/FTLJSCallBase.h: Added.
697
698 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
699
700         Unreviewed, fix build.
701
702         * jit/CCallHelpers.h:
703         (JSC::CCallHelpers::setupArgumentsWithExecState):
704
705 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
706
707         op_call_varargs should only load the length once
708         https://bugs.webkit.org/show_bug.cgi?id=141440
709         rdar://problem/19761683
710
711         Reviewed by Michael Saboff.
712         
713         Refactors the pair of calls that set up the varargs frame so that the first call returns the
714         length, and the second call uses the length returned by the first one. It turns out that this
715         gave me an opportunity to shorten a lot of the code.
716
717         * interpreter/Interpreter.cpp:
718         (JSC::sizeFrameForVarargs):
719         (JSC::loadVarargs):
720         (JSC::setupVarargsFrame):
721         (JSC::setupVarargsFrameAndSetThis):
722         * interpreter/Interpreter.h:
723         (JSC::calleeFrameForVarargs):
724         * jit/CCallHelpers.h:
725         (JSC::CCallHelpers::setupArgumentsWithExecState):
726         * jit/JIT.h:
727         * jit/JITCall.cpp:
728         (JSC::JIT::compileSetupVarargsFrame):
729         * jit/JITCall32_64.cpp:
730         (JSC::JIT::compileSetupVarargsFrame):
731         * jit/JITInlines.h:
732         (JSC::JIT::callOperation):
733         * jit/JITOperations.cpp:
734         * jit/JITOperations.h:
735         * jit/SetupVarargsFrame.cpp:
736         (JSC::emitSetVarargsFrame):
737         (JSC::emitSetupVarargsFrameFastCase):
738         * jit/SetupVarargsFrame.h:
739         * llint/LLIntSlowPaths.cpp:
740         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
741         * runtime/Arguments.cpp:
742         (JSC::Arguments::copyToArguments):
743         * runtime/Arguments.h:
744         * runtime/JSArray.cpp:
745         (JSC::JSArray::copyToArguments):
746         * runtime/JSArray.h:
747         * runtime/VM.h:
748         * tests/stress/call-varargs-length-effects.js: Added.
749         (foo):
750         (bar):
751
752 2015-02-10  Michael Saboff  <msaboff@apple.com>
753
754         Crash in JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq
755         https://bugs.webkit.org/show_bug.cgi?id=139398
756
757         Reviewed by Filip Pizlo.
758
759         Due to CFA analysis, the CompareStrictEq node was determined to be unreachable, but later
760         was determined to be reachable.  When we go to lower to LLVM, the edges for the CompareStrictEq
761         node are UntypedUse which we can't compile.  Fixed this by checking that the IR before
762         lowering can still be handled by the FTL.
763
764         Had to add GetArgument as a node that the FTL can compile as the SSA conversion phase converts
765         a SetArgument to a GetArgument.  Before this change FTL::canCompile() would never see a GetArgument
766         node.  With the check right before lowering, we see this node.
767
768         * dfg/DFGPlan.cpp:
769         (JSC::DFG::Plan::compileInThreadImpl): Added a final FTL::canCompile() check before lowering
770         to verify that after all the transformations we still have valid IR for the FTL.
771         * ftl/FTLCapabilities.cpp:
772         (JSC::FTL::canCompile): Added GetArgument as a node the FTL can compile.
773
774 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
775
776         Remove unused DFG::SpeculativeJIT::calleeFrameOffset().
777
778         Rubber stamped by Michael Saboff.
779         
780         Not only was this not used, I believe that the math was wrong. The callee frame doesn't
781         actually land past m_nextMachineLocal; instead it lands just below wherever we put SP and
782         that decision is made elsewhere. Also, it makes no sense to subtract 1 from
783         m_nextMachineLocal when trying to deduce the number of in-use stack slots.
784
785         * dfg/DFGSpeculativeJIT.h:
786         (JSC::DFG::SpeculativeJIT::calleeFrameOffset): Deleted.
787
788 2015-02-10  Saam Barati  <saambarati1@gmail.com>
789
790         Parser::parseVarDeclarationList gets the wrong JSToken for the last identifier
791         https://bugs.webkit.org/show_bug.cgi?id=141272
792
793         Reviewed by Oliver Hunt.
794
795         This patch fixes a bug where the wrong text location would be 
796         assigned to a variable declaration inside a ForIn/ForOf loop. 
797         It also fixes a bug in the type profiler where the type profiler 
798         emits the wrong text offset for a ForIn loop's variable declarator 
799         when it's not a pattern node.
800
801         * bytecompiler/NodesCodegen.cpp:
802         (JSC::ForInNode::emitLoopHeader):
803         * parser/Parser.cpp:
804         (JSC::Parser<LexerType>::parseVarDeclarationList):
805         * tests/typeProfiler/loop.js:
806         (testForIn):
807         (testForOf):
808
809 2015-02-09  Saam Barati  <saambarati1@gmail.com>
810
811         JSC's Type Profiler doesn't profile the type of the looping variable in ForOf/ForIn loops
812         https://bugs.webkit.org/show_bug.cgi?id=141241
813
814         Reviewed by Filip Pizlo.
815
816         Type information is now recorded for ForIn and ForOf statements. 
817         It was an oversight to not have these statements profiled before.
818
819         * bytecompiler/NodesCodegen.cpp:
820         (JSC::ForInNode::emitLoopHeader):
821         (JSC::ForOfNode::emitBytecode):
822         * tests/typeProfiler/loop.js: Added.
823         (testForIn):
824         (testForOf):
825
826 2015-02-09  Filip Pizlo  <fpizlo@apple.com>
827
828         DFG::StackLayoutPhase should always set the scopeRegister to VirtualRegister() because the DFG doesn't do anything to make its value valid
829         https://bugs.webkit.org/show_bug.cgi?id=141412
830
831         Reviewed by Michael Saboff.
832         
833         StackLayoutPhase was attempting to ensure that the register that
834         CodeBlock::scopeRegister() points to is the right one for the DFG. But the DFG did nothing
835         else to maintain the validity of the scopeRegister(). It wasn't captured as far as I can
836         tell. StackLayoutPhase didn't explicitly mark it live. PreciseLocalClobberize didn't mark
837         it as being live. So, by the time we got here the register referred to by
838         CodeBlock::scopeRegister() would have been junk. Moreover, CodeBlock::scopeRegister() was
839         not used for DFG code blocks, and was hardly ever used outside of bytecode generation.
840         
841         So, this patch just removes the code to manipulate this field and replaces it with an
842         unconditional setScopeRegister(VirtualRegister()). Setting it to the invalid register
843         ensures that any attempts to read the scopeRegister in a DFG or FTL frame immediately
844         punts.
845
846         * dfg/DFGStackLayoutPhase.cpp:
847         (JSC::DFG::StackLayoutPhase::run):
848
849 2015-02-09  Filip Pizlo  <fpizlo@apple.com>
850
851         Varargs frame set-up should be factored out for use by other JITs
852         https://bugs.webkit.org/show_bug.cgi?id=141388
853
854         Reviewed by Michael Saboff.
855         
856         Previously the code that dealt with varargs always assumed that we were setting up a varargs call
857         frame by literally following the execution semantics of op_call_varargs. This isn't how it'll
858         happen once the DFG and FTL do varargs calls, or when varargs calls get inlined. The DFG and FTL
859         don't literally execute bytecode; for example their stack frame layout has absolutely nothing in
860         common with what the bytecode says, and that will never change.
861         
862         This patch makes two changes:
863         
864         Setting up the varargs callee frame can be done in smaller steps: particularly in the case of a
865         varargs call that gets inlined, we aren't going to actually want to set up a callee frame in
866         full - we just want to put the arguments somewhere, and that place will not have much (if
867         anything) in common with the call frame format. This patch factors that out into something called
868         a loadVarargs. The thing we used to call loadVarargs is now called setupVarargsFrame. This patch
869         also separates loading varargs from setting this, since the fact that those two things are done
870         together is a detail made explicit in bytecode but it's not at all required in the higher-tier
871         engines. In the process of factoring this code out, I found a bunch of off-by-one errors in the
872         various calculations. I fixed them. The distance from the caller's frame pointer to the callee
873         frame pointer is always:
874         
875             numUsedCallerSlots + argCount + 1 + CallFrameSize
876         
877         where numUsedCallerSlots is toLocal(firstFreeRegister) - 1, which simplifies down to just
878         -firstFreeRegister. The code now speaks of numUsedCallerSlots rather than firstFreeRegister,
879         since the latter is a bytecode peculiarity that doesn't apply in the DFG or FTL. In the DFG, the
880         internally-computed frame size, minus the parameter slots, will be used for numUsedCallerSlots.
881         In the FTL, we will essentially compute numUsedCallerSlots dynamically by subtracting SP from FP.
882         Eventually, LLVM might give us some cleaner way of doing this, but it probably doesn't matter
883         very much.
884         
885         The arguments forwarding optimization is factored out of the Baseline JIT: the DFG and FTL will
886         want to do this optimization as well, but it involves quite a bit of code. So, this code is now
887         factored out into SetupVarargsFrame.h|cpp, so that other JITs can use it. In the process of factoring
888         this code out I noticed that the 32-bit and 64-bit code is nearly identical, so I combined them.
889
890         * CMakeLists.txt:
891         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
892         * JavaScriptCore.xcodeproj/project.pbxproj:
893         * bytecode/CodeBlock.h:
894         (JSC::ExecState::r):
895         (JSC::ExecState::uncheckedR):
896         * bytecode/VirtualRegister.h:
897         (JSC::VirtualRegister::operator+):
898         (JSC::VirtualRegister::operator-):
899         (JSC::VirtualRegister::operator+=):
900         (JSC::VirtualRegister::operator-=):
901         * interpreter/CallFrame.h:
902         * interpreter/Interpreter.cpp:
903         (JSC::sizeFrameForVarargs):
904         (JSC::loadVarargs):
905         (JSC::setupVarargsFrame):
906         (JSC::setupVarargsFrameAndSetThis):
907         * interpreter/Interpreter.h:
908         * jit/AssemblyHelpers.h:
909         (JSC::AssemblyHelpers::emitGetFromCallFrameHeaderPtr):
910         (JSC::AssemblyHelpers::emitGetFromCallFrameHeader32):
911         (JSC::AssemblyHelpers::emitGetFromCallFrameHeader64):
912         * jit/JIT.h:
913         * jit/JITCall.cpp:
914         (JSC::JIT::compileSetupVarargsFrame):
915         * jit/JITCall32_64.cpp:
916         (JSC::JIT::compileSetupVarargsFrame):
917         * jit/JITInlines.h:
918         (JSC::JIT::callOperation):
919         (JSC::JIT::emitGetFromCallFrameHeaderPtr): Deleted.
920         (JSC::JIT::emitGetFromCallFrameHeader32): Deleted.
921         (JSC::JIT::emitGetFromCallFrameHeader64): Deleted.
922         * jit/JITOperations.cpp:
923         * jit/JITOperations.h:
924         * jit/SetupVarargsFrame.cpp: Added.
925         (JSC::emitSetupVarargsFrameFastCase):
926         * jit/SetupVarargsFrame.h: Added.
927         * llint/LLIntSlowPaths.cpp:
928         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
929         * runtime/Arguments.cpp:
930         (JSC::Arguments::copyToArguments):
931         * runtime/Arguments.h:
932         * runtime/JSArray.cpp:
933         (JSC::JSArray::copyToArguments):
934         * runtime/JSArray.h:
935
936 2015-02-09  Filip Pizlo  <fpizlo@apple.com>
937
938         DFG call codegen should resolve the callee operand as late as possible
939         https://bugs.webkit.org/show_bug.cgi?id=141398
940
941         Reviewed by Mark Lam.
942         
943         This is mostly a benign restructuring to help with the implementation of
944         https://bugs.webkit.org/show_bug.cgi?id=141332.
945
946         * dfg/DFGSpeculativeJIT32_64.cpp:
947         (JSC::DFG::SpeculativeJIT::emitCall):
948         * dfg/DFGSpeculativeJIT64.cpp:
949         (JSC::DFG::SpeculativeJIT::emitCall):
950
951 2015-02-08  Filip Pizlo  <fpizlo@apple.com>
952
953         DFG should only have two mechanisms for describing effectfulness of nodes; previously there were three
954         https://bugs.webkit.org/show_bug.cgi?id=141369
955
956         Reviewed by Michael Saboff.
957
958         We previously used the NodeMightClobber and NodeClobbersWorld NodeFlags to describe
959         effectfulness.  Starting over a year ago, we introduced a more powerful mechanism - the
960         DFG::clobberize() function.  Now we only have one remaining client of the old NodeFlags,
961         and everyone else uses DFG::clobberize().  We should get rid of those NodeFlags and
962         finally switch everyone over to DFG::clobberize().
963         
964         Unfortunately there is still another place where effectfulness of nodes is described: the
965         AbstractInterpreter. This is because the AbstractInterpreter has special tuning both for
966         compile time performance and there are places where the AI is more precise than
967         clobberize() because of its flow-sensitivity.
968         
969         This means that after this change there will be only two places, rather than three, where
970         the effectfulness of a node has to be described:
971
972         - DFG::clobberize()
973         - DFG::AbstractInterpreter
974
975         * dfg/DFGClobberize.cpp:
976         (JSC::DFG::clobbersWorld):
977         * dfg/DFGClobberize.h:
978         * dfg/DFGDoesGC.cpp:
979         (JSC::DFG::doesGC):
980         * dfg/DFGFixupPhase.cpp:
981         (JSC::DFG::FixupPhase::fixupNode):
982         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
983         (JSC::DFG::FixupPhase::convertToGetArrayLength):
984         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
985         * dfg/DFGGraph.h:
986         (JSC::DFG::Graph::isPredictedNumerical): Deleted.
987         (JSC::DFG::Graph::byValIsPure): Deleted.
988         (JSC::DFG::Graph::clobbersWorld): Deleted.
989         * dfg/DFGNode.h:
990         (JSC::DFG::Node::convertToConstant):
991         (JSC::DFG::Node::convertToGetLocalUnlinked):
992         (JSC::DFG::Node::convertToGetByOffset):
993         (JSC::DFG::Node::convertToMultiGetByOffset):
994         (JSC::DFG::Node::convertToPutByOffset):
995         (JSC::DFG::Node::convertToMultiPutByOffset):
996         * dfg/DFGNodeFlags.cpp:
997         (JSC::DFG::dumpNodeFlags):
998         * dfg/DFGNodeFlags.h:
999         * dfg/DFGNodeType.h:
1000
1001 2015-02-09  Csaba Osztrogonác  <ossy@webkit.org>
1002
1003         Fix the !ENABLE(DFG_JIT) build
1004         https://bugs.webkit.org/show_bug.cgi?id=141387
1005
1006         Reviewed by Darin Adler.
1007
1008         * jit/Repatch.cpp:
1009
1010 2015-02-08  Benjamin Poulain  <benjamin@webkit.org>
1011
1012         Remove a few duplicate propagation steps from the DFG's PredictionPropagation phase
1013         https://bugs.webkit.org/show_bug.cgi?id=141363
1014
1015         Reviewed by Darin Adler.
1016
1017         * dfg/DFGPredictionPropagationPhase.cpp:
1018         (JSC::DFG::PredictionPropagationPhase::propagate):
1019         Some blocks were duplicated; they probably evolved separately
1020         to the same state.
1021
1022 2015-02-08  Benjamin Poulain  <benjamin@webkit.org>
1023
1024         Remove useless declarations and a stale comment from DFGByteCodeParser.h
1025         https://bugs.webkit.org/show_bug.cgi?id=141361
1026
1027         Reviewed by Darin Adler.
1028
1029         The comment refers to the original form of the ByteCodeParser:
1030             parse(Graph&, JSGlobalData*, CodeBlock*, unsigned startIndex);
1031
1032         That form is long dead; the comment is more misleading than anything.
1033
1034         * dfg/DFGByteCodeParser.cpp:
1035         * dfg/DFGByteCodeParser.h:
1036
1037 2015-02-08  Benjamin Poulain  <benjamin@webkit.org>
1038
1039         Encapsulate DFG::Plan's beforeFTL timestamp
1040         https://bugs.webkit.org/show_bug.cgi?id=141360
1041
1042         Reviewed by Darin Adler.
1043
1044         Make the attribute private; it is an internal state.
1045
1046         Rename beforeFTL->timeBeforeFTL for readability.
1047
1048         * dfg/DFGPlan.cpp:
1049         (JSC::DFG::Plan::compileInThread):
1050         (JSC::DFG::Plan::compileInThreadImpl):
1051         * dfg/DFGPlan.h:
1052
1053 2015-02-08  Benjamin Poulain  <bpoulain@apple.com>
1054
1055         Remove DFGNode::hasArithNodeFlags()
1056         https://bugs.webkit.org/show_bug.cgi?id=141319
1057
1058         Reviewed by Michael Saboff.
1059
1060         * dfg/DFGNode.h:
1061         (JSC::DFG::Node::hasArithNodeFlags): Deleted.
1062         Unused code is unused.
1063
1064 2015-02-07  Chris Dumez  <cdumez@apple.com>
1065
1066         Add Vector::removeFirstMatching() / removeAllMatching() methods taking lambda functions
1067         https://bugs.webkit.org/show_bug.cgi?id=141321
1068
1069         Reviewed by Darin Adler.
1070
1071         Use new Vector::removeFirstMatching() / removeAllMatching() methods.
1072
1073 2015-02-06  Filip Pizlo  <fpizlo@apple.com>
1074
1075         DFG SSA shouldn't have SetArgument nodes
1076         https://bugs.webkit.org/show_bug.cgi?id=141342
1077
1078         Reviewed by Mark Lam.
1079
1080         I was wondering why we kept the SetArgument around for captured
1081         variables. It turns out we did so because we thought we had to, even
1082         though we didn't have to. The node is meaningless in SSA.
1083
1084         * dfg/DFGSSAConversionPhase.cpp:
1085         (JSC::DFG::SSAConversionPhase::run):
1086         * ftl/FTLLowerDFGToLLVM.cpp:
1087         (JSC::FTL::LowerDFGToLLVM::compileNode):
1088
1089 2015-02-06  Filip Pizlo  <fpizlo@apple.com>
1090
1091         It should be possible to use the DFG SetArgument node to indicate that someone set the value of a local out-of-band
1092         https://bugs.webkit.org/show_bug.cgi?id=141337
1093
1094         Reviewed by Mark Lam.
1095
1096         This mainly involved ensuring that SetArgument behaves just like SetLocal from a CPS standpoint, but with a special case for those SetArguments that
1097         are associated with the prologue.
1098
1099         * dfg/DFGCPSRethreadingPhase.cpp:
1100         (JSC::DFG::CPSRethreadingPhase::run):
1101         (JSC::DFG::CPSRethreadingPhase::canonicalizeSet):
1102         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
1103         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
1104         (JSC::DFG::CPSRethreadingPhase::canonicalizeSetLocal): Deleted.
1105         (JSC::DFG::CPSRethreadingPhase::canonicalizeSetArgument): Deleted.
1106
1107 2015-02-06  Mark Lam  <mark.lam@apple.com>
1108
1109         MachineThreads should be ref counted.
1110         <https://webkit.org/b/141317>
1111
1112         Reviewed by Filip Pizlo.
1113
1114         The VM's MachineThreads registry object is being referenced from other
1115         threads as a raw pointer.  In a scenario where the VM is destructed on
1116         the main thread, there is no guarantee that another thread isn't still
1117         holding a reference to the registry and will eventually invoke
1118         removeThread() on it on thread exit.  Hence, there's a possible use
1119         after free scenario here.
1120
1121         The fix is to make MachineThreads ThreadSafeRefCounted, and have all
1122         threads that reference it keep a RefPtr to it to ensure that it stays
1123         alive until the very last thread is done with it.
1124
1125         * API/tests/testapi.mm:
1126         (useVMFromOtherThread): - Renamed to be more descriptive.
1127         (useVMFromOtherThreadAndOutliveVM):
1128         - Added a test that has another thread which uses the VM outlive the
1129           VM to confirm that there is no crash.
1130
1131           However, I was not actually able to get the VM to crash without this
1132           patch because I wasn't always able to get the thread destructor to be
1133           called.  With this patch applied, I did verify with some logging that
1134           the MachineThreads registry is only destructed after all threads
1135           have removed themselves from it.
1136
1137         (threadMain): Deleted.
1138
1139         * heap/Heap.cpp:
1140         (JSC::Heap::Heap):
1141         (JSC::Heap::~Heap):
1142         (JSC::Heap::gatherStackRoots):
1143         * heap/Heap.h:
1144         (JSC::Heap::machineThreads):
1145         * heap/MachineStackMarker.cpp:
1146         (JSC::MachineThreads::Thread::Thread):
1147         (JSC::MachineThreads::addCurrentThread):
1148         (JSC::MachineThreads::removeCurrentThread):
1149         * heap/MachineStackMarker.h:
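
The lifetime fix described above, as an added example that is not JavaScriptCore's own code: a hypothetical ThreadRegistry stands in for MachineThreads, and std::shared_ptr plays the role of ThreadSafeRefCounted plus RefPtr, so a worker thread whose exit handler runs after the VM is gone still finds a live registry. The scenario is driven from one thread for determinism; only the event order (VM torn down first, worker exits later) matters.

```cpp
#include <cstdio>
#include <memory>
#include <mutex>
#include <set>
#include <utility>

// Hypothetical stand-in for the MachineThreads registry: it owns the set of
// registered thread ids; the flag lets the scenario observe when it dies.
class ThreadRegistry {
public:
    explicit ThreadRegistry(bool* destroyedFlag) : m_destroyedFlag(destroyedFlag) { }
    ~ThreadRegistry() { *m_destroyedFlag = true; }

    void addThread(int id) { std::lock_guard<std::mutex> lock(m_mutex); m_threads.insert(id); }
    void removeThread(int id) { std::lock_guard<std::mutex> lock(m_mutex); m_threads.erase(id); }
    size_t threadCount() { std::lock_guard<std::mutex> lock(m_mutex); return m_threads.size(); }

private:
    std::mutex m_mutex;
    std::set<int> m_threads;
    bool* m_destroyedFlag;
};

// The VM holds one strong reference; std::shared_ptr's atomic count models
// ThreadSafeRefCounted + RefPtr.
struct VM {
    explicit VM(bool* destroyedFlag)
        : machineThreads(std::make_shared<ThreadRegistry>(destroyedFlag)) { }
    std::shared_ptr<ThreadRegistry> machineThreads;
};

// What each registered thread keeps in thread-specific storage. Before the fix
// this was a raw ThreadRegistry*, so the destructor (run at thread exit) would
// call removeThread() on freed memory whenever the VM had already been destroyed.
struct ThreadRegistration {
    ThreadRegistration(std::shared_ptr<ThreadRegistry> registry, int id)
        : m_registry(std::move(registry)), m_id(id) { m_registry->addThread(m_id); }
    ~ThreadRegistration() { m_registry->removeThread(m_id); }
    ThreadRegistry& registry() { return *m_registry; }

private:
    std::shared_ptr<ThreadRegistry> m_registry; // strong reference keeps the registry alive
    int m_id;
};

struct Outcome {
    size_t threadsWhileBothAlive;          // registered threads while VM and worker both exist
    bool registryAliveAfterVmDestroyed;    // the worker's reference kept it alive
    size_t threadsLeftAtWorkerExit;        // what the worker sees when it removes itself
    bool registryDestroyedAfterWorkerExit; // the last reference finally freed it
};

// Constructed scenario: the VM (and the main thread's registration) are torn
// down while a worker thread's registration is still alive.
Outcome simulateWorkerOutlivingVM()
{
    bool destroyed = false;
    Outcome out {};
    std::unique_ptr<ThreadRegistration> worker;
    {
        VM vm(&destroyed);
        ThreadRegistration mainThread(vm.machineThreads, 1);
        worker.reset(new ThreadRegistration(vm.machineThreads, 2));
        out.threadsWhileBothAlive = vm.machineThreads->threadCount();
    } // VM and the main thread's registration are gone here.
    out.registryAliveAfterVmDestroyed = !destroyed;
    out.threadsLeftAtWorkerExit = worker->registry().threadCount();
    worker.reset(); // worker exits: removeThread() runs on a live object, then the last ref drops
    out.registryDestroyedAfterWorkerExit = destroyed;
    return out;
}

int main()
{
    Outcome o = simulateWorkerOutlivingVM();
    std::printf("both alive: %zu threads; alive after VM gone: %d; at worker exit: %zu; destroyed after: %d\n",
                o.threadsWhileBothAlive, o.registryAliveAfterVmDestroyed,
                o.threadsLeftAtWorkerExit, o.registryDestroyedAfterWorkerExit);
    return 0;
}
```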
1150
1151 2015-02-06  Commit Queue  <commit-queue@webkit.org>
1152
1153         Unreviewed, rolling out r179743.
1154         https://bugs.webkit.org/show_bug.cgi?id=141335
1155
1156         caused missing symbols in non-WebKit clients of WTF::Vector
1157         (Requested by kling on #webkit).
1158
1159         Reverted changeset:
1160
1161         "Remove WTF::fastMallocGoodSize()."
1162         https://bugs.webkit.org/show_bug.cgi?id=141020
1163         http://trac.webkit.org/changeset/179743
1164
1165 2015-02-04  Filip Pizlo  <fpizlo@apple.com>
1166
1167         Remove BytecodeGenerator::preserveLastVar() and replace it with a more robust mechanism for preserving non-temporary registers
1168         https://bugs.webkit.org/show_bug.cgi?id=141211
1169
1170         Reviewed by Mark Lam.
1171
1172         Previously, non-temporary registers were preserved (i.e. not reclaimed anytime
1173         we did newTemporary()) by calling preserveLastVar() after all non-temps are created. It
1174         would raise the refcount on the last (highest-numbered) variable created, and rely on
1175         the fact that register reclamation started at higher-numbered registers and worked its
1176         way down. So any retained register would block any lower-numbered registers from being
1177         reclaimed.
1178         
1179         Also, preserveLastVar() sets a thing called m_firstConstantIndex. It's unused.
1180         
1181         This removes preserveLastVar() and makes addVar() retain each register it creates. This
1182         is more explicit, since addVar() is the mechanism for creating non-temporary registers.
1183         
1184         To make this work I had to remove an assertion that Register::setIndex() can only be
1185         called when the refcount is zero. This method might be called after a var is created to
1186         change its index. This previously worked because preserveLastVar() would be called after
1187         we had already made all index changes, so the vars would still have refcount zero. Now
1188         they have refcount 1. I think it's OK to lose this assertion; I can't remember this
1189         assertion ever firing in a way that alerted me to a serious issue.
1190         
1191         * bytecompiler/BytecodeGenerator.cpp:
1192         (JSC::BytecodeGenerator::BytecodeGenerator):
1193         (JSC::BytecodeGenerator::preserveLastVar): Deleted.
1194         * bytecompiler/BytecodeGenerator.h:
1195         (JSC::BytecodeGenerator::addVar):
1196         * bytecompiler/RegisterID.h:
1197         (JSC::RegisterID::setIndex):
1198
1199 2015-02-06  Andreas Kling  <akling@apple.com>
1200
1201         Remove WTF::fastMallocGoodSize().
1202         <https://webkit.org/b/141020>
1203
1204         Reviewed by Anders Carlsson.
1205
1206         * assembler/AssemblerBuffer.h:
1207         (JSC::AssemblerData::AssemblerData):
1208         (JSC::AssemblerData::grow):
1209
1210 2015-02-05  Michael Saboff  <msaboff@apple.com>
1211
1212         CodeCache is not thread safe when adding the same source from two different threads
1213         https://bugs.webkit.org/show_bug.cgi?id=141275
1214
1215         Reviewed by Mark Lam.
1216
1217         The issue for this bug is that one thread takes a cache miss in CodeCache::getGlobalCodeBlock,
1218         but in the process creates a cache entry with a nullptr UnlinkedCodeBlockType* which it
1219         will fill in later in the function.  During the body of that function, it allocates
1220         objects that may garbage collect.  During that garbage collection, we drop all the locks.
1221         While the locks are released by the first thread, another thread can enter the VM and might
1222         have exactly the same source and enter CodeCache::getGlobalCodeBlock() itself.  When it
1223         looks up the code block, it sees it as a cache hit and uses the nullptr UnlinkedCodeBlockType*
1224         and crashes.  This fixes the problem by not dropping the locks during garbage collection.
1225         There are other likely scenarios where we have a data structure like this code cache in an
1226         unsafe state for arbitrary reentrance.
1227
1228         Moved the functionality of DelayedReleaseScope directly into Heap.  Changed it into
1229         a simple list that is cleared with the new function Heap::releaseDelayedReleasedObjects.
1230         Now we accumulate objects to be released and release them when all locks are dropped or
1231         when destroying the Heap.  This eliminated the dropping and reacquiring of locks associated
1232         with the old scope form of this list.
1233
1234         Given that all functionality of DelayedReleaseScope is now used and referenced by Heap
1235         and the lock management no longer needs to be done, just made the list a member of Heap.
1236         We do need to guard against the case that releasing an object can create more objects
1237         by calling into JS.  That is why releaseDelayedReleasedObjects() is written to remove
1238         an object to release so that we aren't recursively in Vector code.  The other thing we
1239         do in releaseDelayedReleasedObjects() is to guard against recursive calls to itself using
1240         the m_delayedReleaseRecursionCount.  We only release at the first entry into the function.
1241         This case is already tested by testapi.mm.
1242
1243         * heap/DelayedReleaseScope.h: Removed file
1244
1245         * API/JSAPIWrapperObject.mm:
1246         * API/ObjCCallbackFunction.mm:
1247         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1248         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1249         * JavaScriptCore.xcodeproj/project.pbxproj:
1250         * heap/IncrementalSweeper.cpp:
1251         (JSC::IncrementalSweeper::doSweep):
1252         * heap/MarkedAllocator.cpp:
1253         (JSC::MarkedAllocator::tryAllocateHelper):
1254         (JSC::MarkedAllocator::tryAllocate):
1255         * heap/MarkedBlock.cpp:
1256         (JSC::MarkedBlock::sweep):
1257         * heap/MarkedSpace.cpp:
1258         (JSC::MarkedSpace::MarkedSpace):
1259         (JSC::MarkedSpace::lastChanceToFinalize):
1260         (JSC::MarkedSpace::didFinishIterating):
1261         * heap/MarkedSpace.h:
1262         * heap/Heap.cpp:
1263         (JSC::Heap::collectAllGarbage):
1264         (JSC::Heap::zombifyDeadObjects):
1265         Removed references to DelayedReleaseScope and DelayedReleaseScope.h.
1266
1267         * heap/Heap.cpp:
1268         (JSC::Heap::Heap): Initialized m_delayedReleaseRecursionCount.
1269         (JSC::Heap::lastChanceToFinalize): Call releaseDelayedObjectsNow() as the VM is going away.
1270         (JSC::Heap::releaseDelayedReleasedObjects): New function that releases the accumulated
1271         delayed release objects.
1272
1273         * heap/Heap.h:
1274         (JSC::Heap::m_delayedReleaseObjects): List of objects to be released later.
1275         (JSC::Heap::m_delayedReleaseRecursionCount): Counter to indicate that
1276         releaseDelayedReleasedObjects is being called recursively.
1277         * heap/HeapInlines.h:
1278         (JSC::Heap::releaseSoon): Changed location of list to add delayed release objects.
1279         
1280         * runtime/JSLock.cpp:
1281         (JSC::JSLock::willReleaseLock):
1282         Call Heap::releaseDelayedObjectsNow() when releasing the lock.
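
The deferred-release list described in this entry, as an added example that is not JavaScriptCore's own code: a hypothetical Heap queues objects with releaseSoon(), and releaseDelayedReleasedObjects() drains the list only at its outermost entry, detaching each object from the vector before destroying it, so a destructor that queues more objects or triggers another drain never touches the vector mid-iteration. Releasable and the chain scenario are constructed for the example.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <utility>
#include <vector>

// An object whose destruction may call back into the heap, the way releasing
// a wrapper can run arbitrary code. Hypothetical stand-in for the values the
// real list holds.
struct Releasable {
    std::function<void()> onDestroy;
    ~Releasable() { if (onDestroy) onDestroy(); }
};

class Heap {
public:
    // Queue an object to be destroyed later (e.g. when the lock is released).
    void releaseSoon(std::unique_ptr<Releasable> object)
    {
        m_delayedReleaseObjects.push_back(std::move(object));
    }

    // Called when the lock is released and when the heap is going away.
    void releaseDelayedReleasedObjects()
    {
        // Guard: a destructor may call back into JS, which on lock release
        // lands here again. Only the outermost call drains the list.
        if (m_delayedReleaseRecursionCount)
            return;
        ++m_delayedReleaseRecursionCount;
        while (!m_delayedReleaseObjects.empty()) {
            // Take the object out of the vector before destroying it, so a
            // releaseSoon() from its destructor appends to a vector we are
            // no longer holding references into.
            std::unique_ptr<Releasable> object = std::move(m_delayedReleaseObjects.back());
            m_delayedReleaseObjects.pop_back();
            object.reset(); // may re-enter releaseSoon() or this function
        }
        --m_delayedReleaseRecursionCount;
    }

    size_t pendingCount() const { return m_delayedReleaseObjects.size(); }

private:
    std::vector<std::unique_ptr<Releasable>> m_delayedReleaseObjects;
    unsigned m_delayedReleaseRecursionCount { 0 };
};

struct DrainResult {
    int destroyed;              // objects destroyed in total
    bool nestedDrainSuppressed; // every re-entrant drain attempt was a no-op
    size_t pendingAfterDrain;   // objects still queued when the outer drain returns
};

// Constructed scenario: each object's destructor queues the next object and
// then tries to drain again (as a nested lock release would), for a chain of
// `chainLength` objects.
DrainResult simulateReentrantRelease(int chainLength)
{
    Heap heap;
    DrainResult result { 0, true, 0 };

    std::function<void(int)> enqueueChain;
    enqueueChain = [&](int remaining) {
        std::unique_ptr<Releasable> object(new Releasable());
        object->onDestroy = [&, remaining] {
            ++result.destroyed;
            if (remaining > 1) {
                enqueueChain(remaining - 1);          // destructor creates more work
                size_t before = heap.pendingCount();
                heap.releaseDelayedReleasedObjects(); // nested call: must not drain
                result.nestedDrainSuppressed = result.nestedDrainSuppressed
                    && heap.pendingCount() == before;
            }
        };
        heap.releaseSoon(std::move(object));
    };

    enqueueChain(chainLength);
    heap.releaseDelayedReleasedObjects(); // outermost call drains everything, late additions included
    result.pendingAfterDrain = heap.pendingCount();
    return result;
}

int main()
{
    DrainResult r = simulateReentrantRelease(3);
    std::printf("destroyed=%d nestedDrainSuppressed=%d pending=%zu\n",
                r.destroyed, r.nestedDrainSuppressed, r.pendingAfterDrain);
    return 0;
}
```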
1283
1284 2015-02-05  Youenn Fablet  <youenn.fablet@crf.canon.fr> and Xabier Rodriguez Calvar <calvaris@igalia.com>
1285
1286         [Streams API] Implement a barebone ReadableStream interface
1287         https://bugs.webkit.org/show_bug.cgi?id=141045
1288
1289         Reviewed by Benjamin Poulain.
1290
1291         * Configurations/FeatureDefines.xcconfig:
1292
1293 2015-02-05  Saam Barati  <saambarati1@gmail.com>
1294
1295         Crash in uninitialized deconstructing variable.
1296         https://bugs.webkit.org/show_bug.cgi?id=141070
1297
1298         Reviewed by Michael Saboff.
1299
1300         According to the ES6 spec, when a destructuring pattern occurs
1301         as the left hand side of an assignment inside a var declaration 
1302         statement, the assignment must also have a right hand side value.
1303         "var {x} = {};" is a legal syntactic statement, but,
1304         "var {x};" is a syntactic error.
1305
1306         Section 13.2.2 of the latest draft ES6 spec specifies this requirement:
1307         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-variable-statement
1308
1309         * parser/Parser.cpp:
1310         (JSC::Parser<LexerType>::parseVarDeclaration):
1311         (JSC::Parser<LexerType>::parseVarDeclarationList):
1312         (JSC::Parser<LexerType>::parseForStatement):
1313         * parser/Parser.h:
1314
1315 2015-02-04  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
1316
1317         Unreviewed, fix a build break on EFL port since r179648.
1318
1319         * heap/MachineStackMarker.cpp: EFL port doesn't use previousThread variable. 
1320         (JSC::MachineThreads::tryCopyOtherThreadStacks):
1321
1322 2015-02-04  Joseph Pecoraro  <pecoraro@apple.com>
1323
1324         Web Inspector: ES6: Improved Console Support for Symbol Objects
1325         https://bugs.webkit.org/show_bug.cgi?id=141173
1326
1327         Reviewed by Timothy Hatcher.
1328
1329         * inspector/protocol/Runtime.json:
1330         New type, "symbol".
1331
1332         * inspector/InjectedScriptSource.js:
1333         Handle Symbol objects in a few places. They don't have properties
1334         and they cannot be implicitly converted to strings.
1335
1336 2015-02-04  Mark Lam  <mark.lam@apple.com>
1337
1338         Undo gardening: Restoring the expected ERROR message since that is not the cause of the bot unhappiness.
1339
1340         Not reviewed.
1341
1342         * heap/MachineStackMarker.cpp:
1343         (JSC::MachineThreads::tryCopyOtherThreadStacks):
1344
1345 2015-02-04  Mark Lam  <mark.lam@apple.com>
1346
1347         Gardening: Changed expected ERROR message to WARNING to make test bots happy.
1348
1349         Rubber stamped by Simon Fraser.
1350
1351         * heap/MachineStackMarker.cpp:
1352         (JSC::MachineThreads::tryCopyOtherThreadStacks):
1353
1354 2015-02-04  Mark Lam  <mark.lam@apple.com>
1355
1356         r179576 introduced a deadlock potential during GC thread suspension.
1357         <https://webkit.org/b/141268>
1358
1359         Reviewed by Michael Saboff.
1360
1361         http://trac.webkit.org/r179576 introduced a potential for deadlocking.
1362         In the GC thread suspension loop, we currently delete
1363         MachineThreads::Thread that we detect to be invalid.  This is unsafe
1364         because we may have already suspended some threads, and one of those
1365         suspended threads may still be holding the C heap lock which we need
1366         for deleting the invalid thread.
1367
1368         The fix is to put the invalid threads in a separate toBeDeleted list,
1369         and delete them only after GC has resumed all threads.
1370
1371         * heap/MachineStackMarker.cpp:
1372         (JSC::MachineThreads::removeCurrentThread):
1373         - Undo refactoring removeThreadWithLockAlreadyAcquired() out of
1374           removeCurrentThread() since it is no longer needed.
1375
1376         (JSC::MachineThreads::tryCopyOtherThreadStacks):
1377         - Put invalid Threads on a threadsToBeDeleted list, and delete those
1378           Threads only after all threads have been resumed.
1379
1380         (JSC::MachineThreads::removeThreadWithLockAlreadyAcquired): Deleted.
1381         * heap/MachineStackMarker.h:
1382
1383 2015-02-04  Joseph Pecoraro  <pecoraro@apple.com>
1384
1385         Web Inspector: Clean up Object Property Descriptor Collection
1386         https://bugs.webkit.org/show_bug.cgi?id=141222
1387
1388         Reviewed by Timothy Hatcher.
1389
1390         * inspector/InjectedScriptSource.js:
1391         Use a list of options when determining which properties to collect
1392         instead of a few booleans with overlapping responsibilities.
1393
1394 2015-02-04  Joseph Pecoraro  <pecoraro@apple.com>
1395
1396         Web Inspector: console.table with columnName filter for non-existent property should still show column
1397         https://bugs.webkit.org/show_bug.cgi?id=141066
1398
1399         Reviewed by Timothy Hatcher.
1400
1401         * inspector/ConsoleMessage.cpp:
1402         (Inspector::ConsoleMessage::addToFrontend):
1403         When a user provides a second argument, e.g. console.table(..., columnNames),
1404         then pass that second argument to the frontend.
1405
1406         * inspector/InjectedScriptSource.js:
1407         Add a FIXME about the old, unused path now.
1408
1409 2015-02-04  Saam Barati  <saambarati1@gmail.com>
1410
1411         TypeSet can use 1 byte instead of 4 bytes for its m_seenTypes member variable
1412         https://bugs.webkit.org/show_bug.cgi?id=141204
1413
1414         Reviewed by Darin Adler.
1415
1416         There is no need to use 32 bits to store a TypeSet::RuntimeType set 
1417         bit-vector when the largest value for a single TypeSet::RuntimeType 
1418         is 0x80. 8 bits is enough to represent the set of seen types.
1419
1420         * dfg/DFGFixupPhase.cpp:
1421         (JSC::DFG::FixupPhase::fixupNode):
1422         * runtime/TypeSet.cpp:
1423         (JSC::TypeSet::doesTypeConformTo):
1424         * runtime/TypeSet.h:
1425         (JSC::TypeSet::seenTypes):
1426
1427 2015-02-04  Mark Lam  <mark.lam@apple.com>
1428
1429         Remove concept of makeUsableFromMultipleThreads().
1430         <https://webkit.org/b/141221>
1431
1432         Reviewed by Mark Hahnenberg.
1433
1434         Currently, we rely on VM::makeUsableFromMultipleThreads() being called before we
1435         start acquiring the JSLock and entering the VM from different threads.
1436         Acquisition of the JSLock will register the acquiring thread with the VM's thread
1437         registry if not already registered.  However, it will only do this if the VM's
1438         thread specific key has been initialized by makeUsableFromMultipleThreads().
1439
1440         This is fragile, and also does not read intuitively because one would expect to
1441         acquire the JSLock before calling any methods on the VM.  This is exactly what
1442         JSGlobalContextCreateInGroup() did (i.e. acquire the lock before calling
1443         makeUsableFromMultipleThreads()), but is wrong.  The result is that the invoking
1444         thread will not have been registered with the VM during that first entry into
1445         the VM.
1446
1447         The fix is to make it so that we initialize the VM's thread specific key on
1448         construction of the VM's MachineThreads registry instead of relying on
1449         makeUsableFromMultipleThreads() being called.  With this, we can eliminate
1450         makeUsableFromMultipleThreads() altogether.
1451
1452         Performance results are neutral in aggregate.
1453
1454         * API/JSContextRef.cpp:
1455         (JSGlobalContextCreateInGroup):
1456         * heap/MachineStackMarker.cpp:
1457         (JSC::MachineThreads::MachineThreads):
1458         (JSC::MachineThreads::~MachineThreads):
1459         (JSC::MachineThreads::addCurrentThread):
1460         (JSC::MachineThreads::removeThread):
1461         (JSC::MachineThreads::gatherConservativeRoots):
1462         (JSC::MachineThreads::makeUsableFromMultipleThreads): Deleted.
1463         * heap/MachineStackMarker.h:
1464         * runtime/VM.cpp:
1465         (JSC::VM::sharedInstance):
1466         * runtime/VM.h:
1467         (JSC::VM::makeUsableFromMultipleThreads): Deleted.
1468
1469 2015-02-04  Chris Dumez  <cdumez@apple.com>
1470
1471         Add removeFirst(value) / removeAll(value) methods to WTF::Vector
1472         https://bugs.webkit.org/show_bug.cgi?id=141192
1473
1474         Reviewed by Benjamin Poulain.
1475
1476         Use new Vector::removeFirst(value) / removeAll(value) API to simplify the
1477         code a bit.
1478
1479         * inspector/InspectorValues.cpp:
1480         (Inspector::InspectorObjectBase::remove):
1481
1482 2015-02-03  Mark Lam  <mark.lam@apple.com>
1483
1484         Work around a thread library bug where thread destructors may not get called.
1485         <https://webkit.org/b/141209>
1486
1487         Reviewed by Michael Saboff.
1488
1489         There's a bug where thread destructors may not get called.  As far as
1490         we know, this only manifests on darwin ports.  We will work around this
1491         by checking at GC time if the platform thread is still valid.  If not,
1492         we'll purge it from the VM's registeredThreads list before proceeding
1493         with thread scanning activity.
1494
1495         Note: it is important that we do this invalid thread detection during
1496         suspension, because the validity (and liveness) of the other thread is
1497         only guaranteed while it is suspended.
1498
1499         * API/tests/testapi.mm:
1500         (threadMain):
1501         - Added a test to enter the VM from another thread before we GC on
1502           the main thread.
1503
1504         * heap/MachineStackMarker.cpp:
1505         (JSC::MachineThreads::removeThreadWithLockAlreadyAcquired):
1506         (JSC::MachineThreads::removeCurrentThread):
1507         - refactored removeThreadWithLockAlreadyAcquired() out from
1508           removeCurrentThread() so that we can also call it for purging invalid
1509           threads.
1510         (JSC::suspendThread):
1511         - Added a return status to tell if the suspension succeeded or not.
1512         (JSC::MachineThreads::tryCopyOtherThreadStacks):
1513         - Check if the suspension failed, and purge the thread if we can't
1514           suspend it.  Failure to suspend implies that the thread has
1515           terminated without calling its destructor.
1516         * heap/MachineStackMarker.h:
1517
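As an added model (hypothetical names, not code from either patch) of how this entry and the r179576 deadlock entry above interact: suspendThread returning a status, an invalid thread purged either inside the suspension loop or only after every thread has been resumed, and a suspended thread holding the C heap lock exposing the difference.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model with hypothetical names (not JSC's code) of the two MachineStackMarker entries. */
typedef struct Thread {
    bool terminated;     /* exited without its thread destructor running */
    bool holdsHeapLock;  /* was inside the allocator when the GC started */
    bool suspended;
    struct Thread *next;
} Thread;

typedef struct {
    Thread *registeredThreads;
    int scanned;              /* stacks conservatively scanned this GC */
    int suspendedLockHolders; /* suspended threads that hold the C heap lock */
    int remaining;            /* threads still registered after the GC */
    bool deadlocked;          /* a free() needed a lock held by a suspended thread */
} GcRun;
typedef void (*ScanStrategy)(GcRun *);

/* suspendThread() with the return status the earlier entry added. */
static bool suspendThread(GcRun *run, Thread *t) {
    if (t->terminated)
        return false;    /* the platform thread no longer exists */
    t->suspended = true;
    if (t->holdsHeapLock)
        run->suspendedLockHolders++;
    return true;
}

static void resumeAll(GcRun *run) {
    for (Thread *t = run->registeredThreads; t; t = t->next)
        t->suspended = false;
    run->suspendedLockHolders = 0;
}

/* Unlinks and frees an invalid Thread; free() takes the C heap lock. */
static void deleteThread(GcRun *run, Thread *t) {
    if (run->suspendedLockHolders > 0)
        run->deadlocked = true;  /* the real lock acquire would block forever */
    Thread **link = &run->registeredThreads;
    while (*link != t)
        link = &(*link)->next;
    *link = t->next;
    free(t);
}

/* r179576 behaviour: purge an invalid thread inside the suspension loop. */
static void purgeDuringSuspension(GcRun *run) {
    for (Thread *t = run->registeredThreads; t;) {
        Thread *next = t->next;
        if (suspendThread(run, t))
            run->scanned++;
        else
            deleteThread(run, t);   /* may need the lock a suspended thread holds */
        t = next;
    }
    resumeAll(run);
}

/* The fix: collect invalid threads in threadsToBeDeleted, delete after resuming. */
static void purgeAfterResume(GcRun *run) {
    Thread *threadsToBeDeleted[16];
    int count = 0;
    for (Thread *t = run->registeredThreads; t; t = t->next) {
        if (suspendThread(run, t))
            run->scanned++;
        else
            threadsToBeDeleted[count++] = t;
    }
    resumeAll(run);
    for (int i = 0; i < count; i++)
        deleteThread(run, threadsToBeDeleted[i]);
}

/* Constructed registry, in list order: a live thread holding the heap lock,
 * a thread that terminated without its destructor, then another live thread. */
static GcRun makeScenario(void) {
    GcRun run = { NULL, 0, 0, 0, false };
    for (int i = 2; i >= 0; i--) {          /* prepend, so index 0 ends up first */
        Thread *t = calloc(1, sizeof *t);
        t->holdsHeapLock = (i == 0);
        t->terminated = (i == 1);
        t->next = run.registeredThreads;
        run.registeredThreads = t;
    }
    return run;
}

/* Runs one GC over the scenario, frees what is left of the registry, reports the outcome. */
static GcRun runGc(ScanStrategy strategy) {
    GcRun run = makeScenario();
    strategy(&run);
    for (Thread *t = run.registeredThreads; t;) {
        Thread *next = t->next;
        run.remaining++;
        free(t);
        t = next;
    }
    run.registeredThreads = NULL;
    return run;
}
```

Both strategies scan the same two live stacks and end with the same two registered threads; only the deferred deletion avoids taking the heap lock while its holder is suspended.
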
1518 2015-02-03  Joseph Pecoraro  <pecoraro@apple.com>
1519
1520         Web Inspector: ASSERT mainThreadPthread launching remote debuggable JSContext app with Debug JavaScriptCore
1521         https://bugs.webkit.org/show_bug.cgi?id=141189
1522
1523         Reviewed by Michael Saboff.
1524
1525         * inspector/remote/RemoteInspector.mm:
1526         (Inspector::RemoteInspector::singleton):
1527         Ensure we call WTF::initializeMainThread() on the main thread so that
1528         we can perform automatic String <-> NSString conversions.
1529
1530 2015-02-03  Brent Fulgham  <bfulgham@apple.com>
1531
1532         [Win] Project file cleanups after r179429.
1533
1534         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1535         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1536
1537 2015-02-02  Filip Pizlo  <fpizlo@apple.com>
1538
1539         arguments[-1] should have well-defined behavior
1540         https://bugs.webkit.org/show_bug.cgi?id=141183
1541
1542         Reviewed by Mark Lam.
1543         
1544         According to JSC's internal argument numbering, 0 is "this" and 1 is the first argument.
1545         In the "arguments[i]" expression, "this" is not accessible and i = 0 refers to the first
1546         argument. Previously we handled the bounds check in "arguments[i]" - where "arguments" is
1547         statically known to be the current function's arguments object - as follows:
1548         
1549             add 1, i
1550             branchAboveOrEqual i, callFrame.ArgumentCount, slowPath
1551         
1552         The problem with this is that if i = -1, this passes the test, and we end up accessing
1553         what would be the "this" argument slot. That's wrong, since we should really be bottoming
1554         out in arguments["-1"], which is usually undefined but could be anything. It's even worse
1555         if the function is inlined or if we're in a constructor - in that case the "this" slot
1556         could be garbage.
1557         
1558         It turns out that we had this bug in all of our engines.
1559         
1560         This fixes the issue by changing the algorithm to:
1561         
1562             load32 callFrame.ArgumentCount, tmp
1563             sub 1, tmp
1564             branchAboveOrEqual i, tmp, slowPath
1565         
1566         In some engines, we would have used the modified "i" (the one that had 1 added to it) for
1567         the subsequent argument load; since we don't do this anymore I also had to change some of
1568         the offsets on the BaseIndex arguments load.
1569         
1570         This also includes tests that are written in such a way as to get coverage on LLInt and
1571         Baseline JIT (get-my-argument-by-val-wrap-around-no-warm-up), DFG and FTL
1572         (get-my-argument-by-val-wrap-around), and DFG when we're being paranoid about the user
1573         overwriting the "arguments" variable (get-my-argument-by-val-safe-wrap-around). This also
1574         includes off-by-1 out-of-bounds tests for each of these cases, since in the process of
1575         writing the patch I broke the arguments[arguments.length] case in the DFG and didn't see
1576         any test failures.
1577
1578         * dfg/DFGSpeculativeJIT32_64.cpp:
1579         (JSC::DFG::SpeculativeJIT::compile):
1580         * dfg/DFGSpeculativeJIT64.cpp:
1581         (JSC::DFG::SpeculativeJIT::compile):
1582         * ftl/FTLLowerDFGToLLVM.cpp:
1583         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
1584         * jit/AssemblyHelpers.h:
1585         (JSC::AssemblyHelpers::offsetOfArguments):
1586         (JSC::AssemblyHelpers::offsetOfArgumentsIncludingThis): Deleted.
1587         * jit/JITOpcodes.cpp:
1588         (JSC::JIT::emit_op_get_argument_by_val):
1589         * jit/JITOpcodes32_64.cpp:
1590         (JSC::JIT::emit_op_get_argument_by_val):
1591         * llint/LowLevelInterpreter.asm:
1592         * llint/LowLevelInterpreter32_64.asm:
1593         * llint/LowLevelInterpreter64.asm:
1594         * tests/stress/get-my-argument-by-val-out-of-bounds-no-warm-up.js: Added.
1595         (foo):
1596         * tests/stress/get-my-argument-by-val-out-of-bounds.js: Added.
1597         (foo):
1598         * tests/stress/get-my-argument-by-val-safe-out-of-bounds.js: Added.
1599         (foo):
1600         * tests/stress/get-my-argument-by-val-safe-wrap-around.js: Added.
1601         (foo):
1602         * tests/stress/get-my-argument-by-val-wrap-around-no-warm-up.js: Added.
1603         (foo):
1604         * tests/stress/get-my-argument-by-val-wrap-around.js: Added.
1605         (foo):
1606
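The bounds-check defect this entry describes, as an added C model (not code from the patch or from JSC): the old and new checks written out with the unsigned-compare semantics of branchAboveOrEqual, showing that i = -1 slips through the old check onto the "this" slot while the new check sends it to the slow path.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model (not the JIT code itself) of the bounds check on the
 * "arguments[i]" fast path. JSC numbers slot 0 as "this" and slot 1 as the
 * first argument, and callFrame.ArgumentCount counts "this" too, so it is at
 * least 1. branchAboveOrEqual is an unsigned compare; the bug hinges on that. */

/* Before the fix:
 *     add 1, i
 *     branchAboveOrEqual i, callFrame.ArgumentCount, slowPath
 * Returns the slot the fast path loads, or -1 when it branches to slowPath. */
static int oldFastPathSlot(uint32_t argumentCount, int32_t i) {
    uint32_t adjusted = (uint32_t)i + 1u;  /* i = -1 wraps to 0, the "this" slot */
    if (adjusted >= argumentCount)          /* unsigned: branchAboveOrEqual */
        return -1;
    return (int)adjusted;                    /* the load used the modified i */
}

/* After the fix:
 *     load32 callFrame.ArgumentCount, tmp
 *     sub 1, tmp
 *     branchAboveOrEqual i, tmp, slowPath */
static int newFastPathSlot(uint32_t argumentCount, int32_t i) {
    uint32_t tmp = argumentCount - 1u;       /* number of real arguments */
    if ((uint32_t)i >= tmp)                  /* any negative i is "above" tmp */
        return -1;
    return (int)((uint32_t)i + 1u);          /* BaseIndex offset now skips "this" */
}

int main(void) {
    /* Constructed frame: "this" plus two arguments, so ArgumentCount == 3. */
    const char *slots[] = { "<this slot>", "arg0", "arg1" };
    const uint32_t argumentCount = 3;
    for (int32_t i = -1; i <= 3; i++) {
        int oldSlot = oldFastPathSlot(argumentCount, i);
        int newSlot = newFastPathSlot(argumentCount, i);
        printf("arguments[%2d]: old -> %-12s new -> %s\n", i,
               oldSlot < 0 ? "slowPath" : slots[oldSlot],
               newSlot < 0 ? "slowPath" : slots[newSlot]);
    }
    return 0;
}
```

With ArgumentCount == 1 (an inlined frame with no arguments, the case the next entry below covers) the old check still hands i = -1 the "this" slot, while the new check rejects every index.
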
1607 2015-02-02  Filip Pizlo  <fpizlo@apple.com>
1608
1609         MultiGetByOffset should be marked NodeMustGenerate
1610         https://bugs.webkit.org/show_bug.cgi?id=140137
1611
1612         Reviewed by Michael Saboff.
1613
1614         * dfg/DFGNode.h:
1615         (JSC::DFG::Node::convertToGetByOffset): We were sloppy - we should also clear NodeMustGenerate once it's a GetByOffset.
1616         (JSC::DFG::Node::convertToMultiGetByOffset): Assert that we converted from something that already had NodeMustGenerate.
1617         * dfg/DFGNodeType.h: We shouldn't DCE a node that does checks and could be effectful in baseline. Marking MultiGetByOffset as NodeMustGenerate prevents DCE. FTL could still DCE the actual loads, but the checks will stay.
1618         * tests/stress/multi-get-by-offset-dce.js: Added. This previously failed because the getter wasn't called.
1619         (foo):
1620
1621 2015-02-02  Filip Pizlo  <fpizlo@apple.com>
1622
1623         [FTL] inlined GetMyArgumentByVal with no arguments passed causes instant crash
1624         https://bugs.webkit.org/show_bug.cgi?id=141180
1625         rdar://problem/19677552
1626
1627         Reviewed by Benjamin Poulain.
1628         
1629         If we do a GetMyArgumentByVal on an inlined call frame that has no arguments, then the
1630         bounds check already terminates execution. This means we can skip the part where we
1631         previously did an out-of-bound array access on the inlined call frame arguments vector.
1632
1633         * ftl/FTLLowerDFGToLLVM.cpp:
1634         (JSC::FTL::LowerDFGToLLVM::safelyInvalidateAfterTermination):
1635         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
1636         (JSC::FTL::LowerDFGToLLVM::terminate):
1637         (JSC::FTL::LowerDFGToLLVM::didAlreadyTerminate):
1638         (JSC::FTL::LowerDFGToLLVM::crash):
1639         * tests/stress/get-my-argument-by-val-inlined-no-formal-parameters.js: Added.
1640         (foo):
1641         (bar):
1642
1643 2015-02-02  Filip Pizlo  <fpizlo@apple.com>
1644
1645         REGRESSION(r179477): arguments simplification no longer works
1646         https://bugs.webkit.org/show_bug.cgi?id=141169
1647
1648         Reviewed by Mark Lam.
1649         
1650         The operations involved in callee/scope access don't exit and shouldn't get in the way
1651         of strength-reducing a Flush to a PhantomLocal. Then the PhantomLocal shouldn't get in
1652         the way of further such strength-reduction. We also need to canonicalize PhantomLocal
1653         before running arguments simplification.
1654
1655         * dfg/DFGMayExit.cpp:
1656         (JSC::DFG::mayExit):
1657         * dfg/DFGPlan.cpp:
1658         (JSC::DFG::Plan::compileInThreadImpl):
1659         * dfg/DFGStrengthReductionPhase.cpp:
1660         (JSC::DFG::StrengthReductionPhase::handleNode):
1661
1662 2015-02-02  Filip Pizlo  <fpizlo@apple.com>
1663
1664         VirtualRegister should really know how to dump itself
1665         https://bugs.webkit.org/show_bug.cgi?id=141171
1666
1667         Reviewed by Geoffrey Garen.
1668         
1669         Gives VirtualRegister a dump() method that pretty-prints the virtual register. The rest of
1670         the patch is all about using this new power.
1671
1672         * CMakeLists.txt:
1673         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1674         * JavaScriptCore.xcodeproj/project.pbxproj:
1675         * bytecode/CodeBlock.cpp:
1676         (JSC::constantName):
1677         (JSC::CodeBlock::registerName):
1678         * bytecode/CodeBlock.h:
1679         (JSC::missingThisObjectMarker): Deleted.
1680         * bytecode/VirtualRegister.cpp: Added.
1681         (JSC::VirtualRegister::dump):
1682         * bytecode/VirtualRegister.h:
1683         (WTF::printInternal): Deleted.
1684         * dfg/DFGArgumentPosition.h:
1685         (JSC::DFG::ArgumentPosition::dump):
1686         * dfg/DFGFlushedAt.cpp:
1687         (JSC::DFG::FlushedAt::dump):
1688         * dfg/DFGGraph.cpp:
1689         (JSC::DFG::Graph::dump):
1690         * dfg/DFGPutLocalSinkingPhase.cpp:
1691         * dfg/DFGSSAConversionPhase.cpp:
1692         (JSC::DFG::SSAConversionPhase::run):
1693         * dfg/DFGValidate.cpp:
1694         (JSC::DFG::Validate::reportValidationContext):
1695         * dfg/DFGValueSource.cpp:
1696         (JSC::DFG::ValueSource::dump):
1697         * dfg/DFGVariableEvent.cpp:
1698         (JSC::DFG::VariableEvent::dump):
1699         (JSC::DFG::VariableEvent::dumpSpillInfo):
1700         * ftl/FTLExitArgumentForOperand.cpp:
1701         (JSC::FTL::ExitArgumentForOperand::dump):
1702         * ftl/FTLExitValue.cpp:
1703         (JSC::FTL::ExitValue::dumpInContext):
1704         * profiler/ProfilerBytecodeSequence.cpp:
1705         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
1706
1707 2015-02-02  Geoffrey Garen  <ggaren@apple.com>
1708
1709         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
1710         https://bugs.webkit.org/show_bug.cgi?id=140900
1711
1712         Reviewed by Mark Hahnenberg.
1713
1714         Re-landing just the HandleBlock piece of this patch.
1715
1716         * heap/HandleBlock.h:
1717         * heap/HandleBlockInlines.h:
1718         (JSC::HandleBlock::create):
1719         (JSC::HandleBlock::destroy):
1720         (JSC::HandleBlock::HandleBlock):
1721         (JSC::HandleBlock::payloadEnd):
1722         * heap/HandleSet.cpp:
1723         (JSC::HandleSet::~HandleSet):
1724         (JSC::HandleSet::grow):
1725
1726 2015-02-02  Joseph Pecoraro  <pecoraro@apple.com>
1727
1728         Web Inspector: Support console.table
1729         https://bugs.webkit.org/show_bug.cgi?id=141058
1730
1731         Reviewed by Timothy Hatcher.
1732
1733         * inspector/InjectedScriptSource.js:
1734         Include the firstLevelKeys filter when generating previews.
1735
1736         * runtime/ConsoleClient.cpp:
1737         (JSC::appendMessagePrefix):
1738         Differentiate console.table logs to system log.
1739
1740 2015-01-31  Filip Pizlo  <fpizlo@apple.com>
1741
1742         BinarySwitch should be faster on average
1743         https://bugs.webkit.org/show_bug.cgi?id=141046
1744
1745         Reviewed by Anders Carlsson.
1746         
1747         This optimizes our binary switch using math. It's strictly better than what we had before
1748         assuming we bottom out in some case (rather than fall through), assuming all cases get
1749         hit with equal probability. The difference is particularly large for large switch
1750         statements. For example, a switch statement with 1000 cases would previously require on
1751         average 13.207 branches to get to some case, while now it just requires 10.464.
1752         
1753         This is also a progression for the fall-through case, though we could shave off another
1754         1/6 branch on average if we wanted to - though it would regress taking a case (not falling
1755         through) by 1/6 branch. I believe it's better to bias the BinarySwitch for not falling
1756         through.
1757         
1758         This also adds some randomness to the algorithm to minimize the likelihood of us
1759         generating a switch statement that is always particularly bad for some input. Note that
1760         the randomness has no effect on average-case performance assuming all cases are equally
1761         likely.
1762         
1763         This ought to have no actual performance change because we don't rely on binary switches
1764         that much. The main reason why this change is interesting is that I'm finding myself
1765         increasingly relying on BinarySwitch, and I'd like to know that it's optimal.
1766
1767         * jit/BinarySwitch.cpp:
1768         (JSC::BinarySwitch::BinarySwitch):
1769         (JSC::BinarySwitch::~BinarySwitch):
1770         (JSC::BinarySwitch::build):
1771         * jit/BinarySwitch.h:
1772
1773 2015-02-02  Joseph Pecoraro  <pecoraro@apple.com>
1774
1775         Web Inspector: Extend CSS.getSupportedCSSProperties to provide values for properties for CSS Augmented JSContext
1776         https://bugs.webkit.org/show_bug.cgi?id=141064
1777
1778         Reviewed by Timothy Hatcher.
1779
1780         * inspector/protocol/CSS.json:
1781
1782 2015-02-02  Daniel Bates  <dabates@apple.com>
1783
1784         [iOS] ASSERTION FAILED: m_scriptExecutionContext->isContextThread() in ContextDestructionObserver::observeContext
1785         https://bugs.webkit.org/show_bug.cgi?id=141057
1786         <rdar://problem/19068790>
1787
1788         Reviewed by Alexey Proskuryakov.
1789
1790         * inspector/remote/RemoteInspector.mm:
1791         (Inspector::RemoteInspector::receivedIndicateMessage): Modified to call WTF::callOnWebThreadOrDispatchAsyncOnMainThread().
1792         (Inspector::dispatchAsyncOnQueueSafeForAnyDebuggable): Deleted; moved logic to common helper function,
1793         WTF::callOnWebThreadOrDispatchAsyncOnMainThread() so that it can be called from both RemoteInspector::receivedIndicateMessage()
1794         and CryptoKeyRSA::generatePair().
1795
1796 2015-02-02  Saam Barati  <saambarati1@gmail.com>
1797
1798         Create tests for JSC's Control Flow Profiler
1799         https://bugs.webkit.org/show_bug.cgi?id=141123
1800
1801         Reviewed by Filip Pizlo.
1802
1803         This patch creates a control flow profiler testing API in jsc.cpp 
1804         that accepts a function and a string as arguments. The string must 
1805         be a substring of the text of the function argument. The API returns 
1806         a boolean indicating whether or not the basic block that encloses the 
1807         substring has executed.
1808
1809         This patch uses this API to test that the control flow profiler
1810         behaves as expected on basic block boundaries. These tests do not
1811         provide full coverage for all JavaScript statements that can create
1812         basic block boundaries. Full coverage will come in a later patch.
1813
1814         * jsc.cpp:
1815         (GlobalObject::finishCreation):
1816         (functionHasBasicBlockExecuted):
1817         * runtime/ControlFlowProfiler.cpp:
1818         (JSC::ControlFlowProfiler::hasBasicBlockAtTextOffsetBeenExecuted):
1819         * runtime/ControlFlowProfiler.h:
1820         * tests/controlFlowProfiler: Added.
1821         * tests/controlFlowProfiler.yaml: Added.
1822         * tests/controlFlowProfiler/driver: Added.
1823         * tests/controlFlowProfiler/driver/driver.js: Added.
1824         (assert):
1825         * tests/controlFlowProfiler/if-statement.js: Added.
1826         (testIf):
1827         (noMatches):
1828         * tests/controlFlowProfiler/loop-statements.js: Added.
1829         (forRegular):
1830         (forIn):
1831         (forOf):
1832         (whileLoop):
1833         * tests/controlFlowProfiler/switch-statements.js: Added.
1834         (testSwitch):
1835         * tests/controlFlowProfiler/test-jit.js: Added.
1836         (tierUpToBaseline):
1837         (tierUpToDFG):
1838         (baselineTest):
1839         (dfgTest):
1840
1841 2015-01-28  Filip Pizlo  <fpizlo@apple.com>
1842
1843         Polymorphic call inlining should be based on polymorphic call inline caching rather than logging
1844         https://bugs.webkit.org/show_bug.cgi?id=140660
1845
1846         Reviewed by Geoffrey Garen.
1847         
1848         When we first implemented polymorphic call inlining, we did the profiling based on a call
1849         edge log. The idea was to store each call edge (a tuple of call site and callee) into a
1850         global log that was processed lazily. Processing the log would give precise counts of call
1851         edges, and could be used to drive well-informed inlining decisions - polymorphic or not.
1852         This was a speed-up on throughput tests but a slow-down for latency tests. It was a net win
1853         nonetheless.
1854         
1855         Experience with this code shows three things. First, the call edge profiler is buggy and
1856         complex. It would take work to fix the bugs. Second, the call edge profiler incurs lots of
1857         overhead for latency code that we care deeply about. Third, it's not at all clear that
1858         having call edge counts for every possible callee is any better than just having call edge
1859         counts for the limited number of callees that an inline cache would catch.
1860         
1861         So, this patch removes the call edge profiler and replaces it with a polymorphic call inline
1862         cache. If we miss the basic call inline cache, we inflate the cache to be a jump to an
1863         out-of-line stub that cases on the previously known callees. If that misses again, then we
1864         rewrite that stub to include the new callee. We do this up to some number of callees. If we
1865         hit the limit then we switch to using a plain virtual call.
1866         
1867         Substantial speed-up on V8Spider; undoes the slow-down that the original call edge profiler
1868         caused. Might be a SunSpider speed-up (below 1%), depending on hardware.
1869         
1870         Rolling this back in after fixing https://bugs.webkit.org/show_bug.cgi?id=141107.
1871
1872         * CMakeLists.txt:
1873         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1874         * JavaScriptCore.xcodeproj/project.pbxproj:
1875         * bytecode/CallEdge.h:
1876         (JSC::CallEdge::count):
1877         (JSC::CallEdge::CallEdge):
1878         * bytecode/CallEdgeProfile.cpp: Removed.
1879         * bytecode/CallEdgeProfile.h: Removed.
1880         * bytecode/CallEdgeProfileInlines.h: Removed.
1881         * bytecode/CallLinkInfo.cpp:
1882         (JSC::CallLinkInfo::unlink):
1883         (JSC::CallLinkInfo::visitWeak):
1884         * bytecode/CallLinkInfo.h:
1885         * bytecode/CallLinkStatus.cpp:
1886         (JSC::CallLinkStatus::CallLinkStatus):
1887         (JSC::CallLinkStatus::computeFor):
1888         (JSC::CallLinkStatus::computeFromCallLinkInfo):
1889         (JSC::CallLinkStatus::isClosureCall):
1890         (JSC::CallLinkStatus::makeClosureCall):
1891         (JSC::CallLinkStatus::dump):
1892         (JSC::CallLinkStatus::computeFromCallEdgeProfile): Deleted.
1893         * bytecode/CallLinkStatus.h:
1894         (JSC::CallLinkStatus::CallLinkStatus):
1895         (JSC::CallLinkStatus::isSet):
1896         (JSC::CallLinkStatus::variants):
1897         (JSC::CallLinkStatus::size):
1898         (JSC::CallLinkStatus::at):
1899         (JSC::CallLinkStatus::operator[]):
1900         (JSC::CallLinkStatus::canOptimize):
1901         (JSC::CallLinkStatus::edges): Deleted.
1902         (JSC::CallLinkStatus::canTrustCounts): Deleted.
1903         * bytecode/CallVariant.cpp:
1904         (JSC::variantListWithVariant):
1905         (JSC::despecifiedVariantList):
1906         * bytecode/CallVariant.h:
1907         * bytecode/CodeBlock.cpp:
1908         (JSC::CodeBlock::~CodeBlock):
1909         (JSC::CodeBlock::linkIncomingPolymorphicCall):
1910         (JSC::CodeBlock::unlinkIncomingCalls):
1911         (JSC::CodeBlock::noticeIncomingCall):
1912         * bytecode/CodeBlock.h:
1913         (JSC::CodeBlock::isIncomingCallAlreadyLinked): Deleted.
1914         * dfg/DFGAbstractInterpreterInlines.h:
1915         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1916         * dfg/DFGByteCodeParser.cpp:
1917         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
1918         (JSC::DFG::ByteCodeParser::handleCall):
1919         (JSC::DFG::ByteCodeParser::handleInlining):
1920         * dfg/DFGClobberize.h:
1921         (JSC::DFG::clobberize):
1922         * dfg/DFGConstantFoldingPhase.cpp:
1923         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1924         * dfg/DFGDoesGC.cpp:
1925         (JSC::DFG::doesGC):
1926         * dfg/DFGDriver.cpp:
1927         (JSC::DFG::compileImpl):
1928         * dfg/DFGFixupPhase.cpp:
1929         (JSC::DFG::FixupPhase::fixupNode):
1930         * dfg/DFGNode.h:
1931         (JSC::DFG::Node::hasHeapPrediction):
1932         * dfg/DFGNodeType.h:
1933         * dfg/DFGOperations.cpp:
1934         * dfg/DFGPredictionPropagationPhase.cpp:
1935         (JSC::DFG::PredictionPropagationPhase::propagate):
1936         * dfg/DFGSafeToExecute.h:
1937         (JSC::DFG::safeToExecute):
1938         * dfg/DFGSpeculativeJIT32_64.cpp:
1939         (JSC::DFG::SpeculativeJIT::emitCall):
1940         (JSC::DFG::SpeculativeJIT::compile):
1941         * dfg/DFGSpeculativeJIT64.cpp:
1942         (JSC::DFG::SpeculativeJIT::emitCall):
1943         (JSC::DFG::SpeculativeJIT::compile):
1944         * dfg/DFGTierUpCheckInjectionPhase.cpp:
1945         (JSC::DFG::TierUpCheckInjectionPhase::run):
1946         (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling): Deleted.
1947         * ftl/FTLCapabilities.cpp:
1948         (JSC::FTL::canCompile):
1949         * heap/Heap.cpp:
1950         (JSC::Heap::collect):
1951         * jit/BinarySwitch.h:
1952         * jit/ClosureCallStubRoutine.cpp: Removed.
1953         * jit/ClosureCallStubRoutine.h: Removed.
1954         * jit/JITCall.cpp:
1955         (JSC::JIT::compileOpCall):
1956         * jit/JITCall32_64.cpp:
1957         (JSC::JIT::compileOpCall):
1958         * jit/JITOperations.cpp:
1959         * jit/JITOperations.h:
1960         (JSC::operationLinkPolymorphicCallFor):
1961         (JSC::operationLinkClosureCallFor): Deleted.
1962         * jit/JITStubRoutine.h:
1963         * jit/JITWriteBarrier.h:
1964         * jit/PolymorphicCallStubRoutine.cpp: Added.
1965         (JSC::PolymorphicCallNode::~PolymorphicCallNode):
1966         (JSC::PolymorphicCallNode::unlink):
1967         (JSC::PolymorphicCallCase::dump):
1968         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
1969         (JSC::PolymorphicCallStubRoutine::~PolymorphicCallStubRoutine):
1970         (JSC::PolymorphicCallStubRoutine::variants):
1971         (JSC::PolymorphicCallStubRoutine::edges):
1972         (JSC::PolymorphicCallStubRoutine::visitWeak):
1973         (JSC::PolymorphicCallStubRoutine::markRequiredObjectsInternal):
1974         * jit/PolymorphicCallStubRoutine.h: Added.
1975         (JSC::PolymorphicCallNode::PolymorphicCallNode):
1976         (JSC::PolymorphicCallCase::PolymorphicCallCase):
1977         (JSC::PolymorphicCallCase::variant):
1978         (JSC::PolymorphicCallCase::codeBlock):
1979         * jit/Repatch.cpp:
1980         (JSC::linkSlowFor):
1981         (JSC::linkFor):
1982         (JSC::revertCall):
1983         (JSC::unlinkFor):
1984         (JSC::linkVirtualFor):
1985         (JSC::linkPolymorphicCall):
1986         (JSC::linkClosureCall): Deleted.
1987         * jit/Repatch.h:
1988         * jit/ThunkGenerators.cpp:
1989         (JSC::linkPolymorphicCallForThunkGenerator):
1990         (JSC::linkPolymorphicCallThunkGenerator):
1991         (JSC::linkPolymorphicCallThatPreservesRegsThunkGenerator):
1992         (JSC::linkClosureCallForThunkGenerator): Deleted.
1993         (JSC::linkClosureCallThunkGenerator): Deleted.
1994         (JSC::linkClosureCallThatPreservesRegsThunkGenerator): Deleted.
1995         * jit/ThunkGenerators.h:
1996         (JSC::linkPolymorphicCallThunkGeneratorFor):
1997         (JSC::linkClosureCallThunkGeneratorFor): Deleted.
1998         * llint/LLIntSlowPaths.cpp:
1999         (JSC::LLInt::jitCompileAndSetHeuristics):
2000         * runtime/Options.h:
2001         * runtime/VM.cpp:
2002         (JSC::VM::prepareToDiscardCode):
2003         (JSC::VM::ensureCallEdgeLog): Deleted.
2004         * runtime/VM.h:
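
Added illustration, not JavaScriptCore code: a JavaScript model of the polymorphic call inline cache that this relanded patch introduces (the mechanism is described in the 2015-01-28 entry for bug 140660 below). A call site starts unlinked, the first callee links it, further distinct callees inflate it into a stub that cases on every callee seen so far, and past a case limit the site falls back to a plain virtual call. The state names, the default limit of four cases and the hit/relink counters are assumptions made for the illustration; JSC's real stub routines key on callee executables and live in machine code.

```javascript
// Added illustration, not JavaScriptCore code: a JavaScript model of the
// polymorphic call inline cache described in the 2015-01-28 entry for
// bug 140660. State names, the default case limit and the counters are
// assumptions for illustration only.
'use strict';

class PolymorphicCallSite {
  constructor(maxCases = 4) {
    this.maxCases = maxCases;
    this.cases = [];          // callees the stub currently cases on
    this.state = 'unlinked';  // 'unlinked' | 'linked' | 'polymorphic' | 'virtual'
    this.hits = 0;            // calls served by a cached case
    this.relinks = 0;         // times the stub was rewritten to add a case
  }

  call(callee, ...args) {
    if (this.state !== 'virtual') {
      if (this.cases.includes(callee)) {
        this.hits += 1;                 // fast path: a cached case matched
      } else if (this.cases.length < this.maxCases) {
        this.cases.push(callee);        // miss: rewrite the stub with the new callee
        this.relinks += 1;
        this.state = this.cases.length === 1 ? 'linked' : 'polymorphic';
      } else {
        this.cases = [];                // limit hit: stop caching, go virtual
        this.state = 'virtual';
      }
    }
    return callee(...args);             // resolved case, or the virtual call
  }
}

// Drive one call site through a sequence of callees and report its final shape.
function runCallSequence(callees, maxCases = 4) {
  const site = new PolymorphicCallSite(maxCases);
  let total = 0;
  for (const f of callees) total += site.call(f, 1);
  return { state: site.state, cases: site.cases.length, hits: site.hits, relinks: site.relinks, total };
}

// Constructed sample callees for the driver.
const inc = (x) => x + 1;
const dbl = (x) => x * 2;
const neg = (x) => -x;
const sq = (x) => x * x;
const id = (x) => x;
```

`runCallSequence([inc, inc, inc])` stays monomorphic, `runCallSequence([inc, dbl, inc, dbl])` ends as a two-case stub with two hits, and a sequence of five distinct callees with the default limit of four ends in the `virtual` state with the cases discarded.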
2005
2006 2015-01-30  Filip Pizlo  <fpizlo@apple.com>
2007
2008         Converting Flushes and PhantomLocals to Phantoms requires an OSR availability analysis rather than just using the SetLocal's child
2009         https://bugs.webkit.org/show_bug.cgi?id=141107
2010
2011         Reviewed by Michael Saboff.
2012         
2013         See the bugzilla for a discussion of the problem. This addresses the problem by ensuring
2014         that Flushes are always strength-reduced to PhantomLocals, and CPS rethreading does a mini
2015         OSR availability analysis to determine the right MovHint value to use for the Phantom.
2016
2017         * dfg/DFGCPSRethreadingPhase.cpp:
2018         (JSC::DFG::CPSRethreadingPhase::CPSRethreadingPhase):
2019         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
2020         (JSC::DFG::CPSRethreadingPhase::clearVariables):
2021         (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
2022         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
2023         (JSC::DFG::CPSRethreadingPhase::clearVariablesAtHeadAndTail): Deleted.
2024         * dfg/DFGNode.h:
2025         (JSC::DFG::Node::convertPhantomToPhantomLocal):
2026         (JSC::DFG::Node::convertFlushToPhantomLocal):
2027         (JSC::DFG::Node::convertToPhantomLocal): Deleted.
2028         * dfg/DFGStrengthReductionPhase.cpp:
2029         (JSC::DFG::StrengthReductionPhase::handleNode):
2030         * tests/stress/inline-call-that-doesnt-use-all-args.js: Added.
2031         (foo):
2032         (bar):
2033         (baz):
2034
2035 2015-01-31  Michael Saboff  <msaboff@apple.com>
2036
2037         Crash (DFG assertion) beneath AbstractInterpreter::verifyEdge() @ http://experilous.com/1/planet-generator/2014-09-28/version-1
2038         https://bugs.webkit.org/show_bug.cgi?id=141111
2039
2040         Reviewed by Filip Pizlo.
2041
2042         In LowerDFGToLLVM::compileNode(), if we determine while compiling a node that we would have
2043         exited, we don't need to process the OSR availability or abstract interpreter.
2044
2045         * ftl/FTLLowerDFGToLLVM.cpp:
2046         (JSC::FTL::LowerDFGToLLVM::safelyInvalidateAfterTermination): Broke this out as a separate
2047         method since we need to call it at the top and near the bottom of compileNode().
2048         (JSC::FTL::LowerDFGToLLVM::compileNode):
2049
2050 2015-01-31  Sam Weinig  <sam@webkit.org>
2051
2052         Remove even more Mountain Lion support
2053         https://bugs.webkit.org/show_bug.cgi?id=141124
2054
2055         Reviewed by Alexey Proskuryakov.
2056
2057         * API/tests/DateTests.mm:
2058         * Configurations/Base.xcconfig:
2059         * Configurations/DebugRelease.xcconfig:
2060         * Configurations/FeatureDefines.xcconfig:
2061         * Configurations/Version.xcconfig:
2062         * jit/ExecutableAllocatorFixedVMPool.cpp:
2063
2064 2015-01-31  Commit Queue  <commit-queue@webkit.org>
2065
2066         Unreviewed, rolling out r179426.
2067         https://bugs.webkit.org/show_bug.cgi?id=141119
2068
2069         "caused a memory use regression" (Requested by Guest45 on
2070         #webkit).
2071
2072         Reverted changeset:
2073
2074         "Use FastMalloc (bmalloc) instead of BlockAllocator for GC
2075         pages"
2076         https://bugs.webkit.org/show_bug.cgi?id=140900
2077         http://trac.webkit.org/changeset/179426
2078
2079 2015-01-30  Daniel Bates  <dabates@apple.com>
2080
2081         Clean up: Remove unnecessary <dispatch/dispatch.h> header from RemoteInspectorDebuggableConnection.h
2082         https://bugs.webkit.org/show_bug.cgi?id=141067
2083
2084         Reviewed by Timothy Hatcher.
2085
2086         Remove the header <dispatch/dispatch.h> from RemoteInspectorDebuggableConnection.h as we
2087         do not make use of its functionality. Instead, include this header in RemoteInspectorDebuggableConnection.mm
2088         and RemoteInspector.mm. The latter depended on <dispatch/dispatch.h> being included via
2089         header RemoteInspectorDebuggableConnection.h.
2090
2091         * inspector/remote/RemoteInspector.mm: Include header <dispatch/dispatch.h>.
2092         * inspector/remote/RemoteInspectorDebuggableConnection.h: Remove header <dispatch/dispatch.h>.
2093         * inspector/remote/RemoteInspectorDebuggableConnection.mm: Include header <dispatch/dispatch.h>.
2094
2095 2015-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2096
2097         Implement ES6 Symbol
2098         https://bugs.webkit.org/show_bug.cgi?id=140435
2099
2100         Reviewed by Geoffrey Garen.
2101
2102         This patch implements ES6 Symbol. In this patch, we don't support
2103         Symbol.keyFor, Symbol.for, Object.getOwnPropertySymbols. They will be
2104         supported in the subsequent patches.
2105
2106         Since ES6 Symbol is introduced as new primitive value, we implement
2107         Symbol as a derived class from JSCell. And now JSValue accepts Symbol*
2108         as a new primitive value.
2109
2110         Symbol has a *unique* flagged StringImpl* as a `uid`, whose pointer
2111         value represents the Symbol's identity. So don't use the Symbol's
2112         JSCell pointer value for comparison.
2113         This enables reproducing a Symbol primitive value from a StringImpl* uid
2114         by executing `Symbol::create(vm, uid)`. This is needed to produce
2115         Symbol primitive values from stored StringImpl* in `Object.getOwnPropertySymbols`.
2116
2117         And Symbol.[[Description]] is folded into the string value of the Symbol's uid.
2118         By doing so, we can represent ES6 Symbol without extending the current PropertyTable key, StringImpl*.
2119
2120         * CMakeLists.txt:
2121         * DerivedSources.make:
2122         * JavaScriptCore.order:
2123         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2124         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2125         * JavaScriptCore.xcodeproj/project.pbxproj:
2126         * builtins/BuiltinExecutables.cpp:
2127         (JSC::BuiltinExecutables::createBuiltinExecutable):
2128         * builtins/BuiltinNames.h:
2129         * dfg/DFGOperations.cpp:
2130         (JSC::DFG::operationPutByValInternal):
2131         * inspector/JSInjectedScriptHost.cpp:
2132         (Inspector::JSInjectedScriptHost::subtype):
2133         * interpreter/Interpreter.cpp:
2134         * jit/JITOperations.cpp:
2135         (JSC::getByVal):
2136         * llint/LLIntData.cpp:
2137         (JSC::LLInt::Data::performAssertions):
2138         * llint/LLIntSlowPaths.cpp:
2139         (JSC::LLInt::getByVal):
2140         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2141         * llint/LowLevelInterpreter.asm:
2142         * runtime/CommonIdentifiers.h:
2143         * runtime/CommonSlowPaths.cpp:
2144         (JSC::SLOW_PATH_DECL):
2145         * runtime/CommonSlowPaths.h:
2146         (JSC::CommonSlowPaths::opIn):
2147         * runtime/ExceptionHelpers.cpp:
2148         (JSC::createUndefinedVariableError):
2149         * runtime/JSCJSValue.cpp:
2150         (JSC::JSValue::synthesizePrototype):
2151         (JSC::JSValue::dumpInContextAssumingStructure):
2152         (JSC::JSValue::toStringSlowCase):
2153         * runtime/JSCJSValue.h:
2154         * runtime/JSCJSValueInlines.h:
2155         (JSC::JSValue::isSymbol):
2156         (JSC::JSValue::isPrimitive):
2157         (JSC::JSValue::toPropertyKey):
2158
2159         It represents the ToPropertyKey abstract operation in the ES6 spec.
2160         It cleans up the old implementation's `isName` checks.
2161         And to prevent performance regressions in
2162             js/regress/fold-get-by-id-to-multi-get-by-offset-rare-int.html
2163             js/regress/fold-get-by-id-to-multi-get-by-offset.html
2164         we annotate this function as ALWAYS_INLINE.
2165
2166         (JSC::JSValue::getPropertySlot):
2167         (JSC::JSValue::get):
2168         (JSC::JSValue::equalSlowCaseInline):
2169         (JSC::JSValue::strictEqualSlowCaseInline):
2170         * runtime/JSCell.cpp:
2171         (JSC::JSCell::put):
2172         (JSC::JSCell::putByIndex):
2173         (JSC::JSCell::toPrimitive):
2174         (JSC::JSCell::getPrimitiveNumber):
2175         (JSC::JSCell::toNumber):
2176         (JSC::JSCell::toObject):
2177         * runtime/JSCell.h:
2178         * runtime/JSCellInlines.h:
2179         (JSC::JSCell::isSymbol):
2180         (JSC::JSCell::toBoolean):
2181         (JSC::JSCell::pureToBoolean):
2182         * runtime/JSGlobalObject.cpp:
2183         (JSC::JSGlobalObject::init):
2184         (JSC::JSGlobalObject::visitChildren):
2185         * runtime/JSGlobalObject.h:
2186         (JSC::JSGlobalObject::symbolPrototype):
2187         (JSC::JSGlobalObject::symbolObjectStructure):
2188         * runtime/JSONObject.cpp:
2189         (JSC::Stringifier::Stringifier):
2190         * runtime/JSSymbolTableObject.cpp:
2191         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
2192         * runtime/JSType.h:
2193         * runtime/JSTypeInfo.h:
2194         (JSC::TypeInfo::isName): Deleted.
2195         * runtime/MapData.cpp:
2196         (JSC::MapData::find):
2197         (JSC::MapData::add):
2198         (JSC::MapData::remove):
2199         (JSC::MapData::replaceAndPackBackingStore):
2200         * runtime/MapData.h:
2201         (JSC::MapData::clear):
2202         * runtime/NameInstance.h: Removed.
2203         * runtime/NamePrototype.cpp: Removed.
2204         * runtime/ObjectConstructor.cpp:
2205         (JSC::objectConstructorGetOwnPropertyDescriptor):
2206         (JSC::objectConstructorDefineProperty):
2207         * runtime/ObjectPrototype.cpp:
2208         (JSC::objectProtoFuncHasOwnProperty):
2209         (JSC::objectProtoFuncDefineGetter):
2210         (JSC::objectProtoFuncDefineSetter):
2211         (JSC::objectProtoFuncLookupGetter):
2212         (JSC::objectProtoFuncLookupSetter):
2213         (JSC::objectProtoFuncPropertyIsEnumerable):
2214         * runtime/Operations.cpp:
2215         (JSC::jsTypeStringForValue):
2216         (JSC::jsIsObjectType):
2217         * runtime/PrivateName.h:
2218         (JSC::PrivateName::PrivateName):
2219         (JSC::PrivateName::operator==):
2220         (JSC::PrivateName::operator!=):
2221         * runtime/PropertyMapHashTable.h:
2222         (JSC::PropertyTable::find):
2223         (JSC::PropertyTable::get):
2224         * runtime/PropertyName.h:
2225         (JSC::PropertyName::PropertyName):
2226         (JSC::PropertyName::publicName):
2227         * runtime/SmallStrings.h:
2228         * runtime/StringConstructor.cpp:
2229         (JSC::callStringConstructor):
2230
2231         In ES6, the String constructor accepts a Symbol to execute `String(symbol)`.
2232
2233         * runtime/Structure.cpp:
2234         (JSC::Structure::getPropertyNamesFromStructure):
2235         * runtime/StructureInlines.h:
2236         (JSC::Structure::prototypeForLookup):
2237         * runtime/Symbol.cpp: Added.
2238         (JSC::Symbol::Symbol):
2239         (JSC::SymbolObject::create):
2240         (JSC::Symbol::toPrimitive):
2241         (JSC::Symbol::toBoolean):
2242         (JSC::Symbol::getPrimitiveNumber):
2243         (JSC::Symbol::toObject):
2244         (JSC::Symbol::toNumber):
2245         (JSC::Symbol::destroy):
2246         (JSC::Symbol::descriptiveString):
2247         * runtime/Symbol.h: Added.
2248         (JSC::Symbol::createStructure):
2249         (JSC::Symbol::create):
2250         (JSC::Symbol::privateName):
2251         (JSC::Symbol::finishCreation):
2252         (JSC::asSymbol):
2253         * runtime/SymbolConstructor.cpp: Renamed from Source/JavaScriptCore/runtime/NameConstructor.cpp.
2254         (JSC::SymbolConstructor::SymbolConstructor):
2255         (JSC::SymbolConstructor::finishCreation):
2256         (JSC::callSymbol):
2257         (JSC::SymbolConstructor::getConstructData):
2258         (JSC::SymbolConstructor::getCallData):
2259         * runtime/SymbolConstructor.h: Renamed from Source/JavaScriptCore/runtime/NameConstructor.h.
2260         (JSC::SymbolConstructor::create):
2261         (JSC::SymbolConstructor::createStructure):
2262         * runtime/SymbolObject.cpp: Renamed from Source/JavaScriptCore/runtime/NameInstance.cpp.
2263         (JSC::SymbolObject::SymbolObject):
2264         (JSC::SymbolObject::finishCreation):
2265         (JSC::SymbolObject::defaultValue):
2266
2267         JSC doesn't support @@toPrimitive yet. So instead of it, we implement
2268         Symbol.prototype[@@toPrimitive] as the ES5 Symbol.[[DefaultValue]].
2269
2270         * runtime/SymbolObject.h: Added.
2271         (JSC::SymbolObject::create):
2272         (JSC::SymbolObject::internalValue):
2273         (JSC::SymbolObject::createStructure):
2274         * runtime/SymbolPrototype.cpp: Added.
2275         (JSC::SymbolPrototype::SymbolPrototype):
2276         (JSC::SymbolPrototype::finishCreation):
2277         (JSC::SymbolPrototype::getOwnPropertySlot):
2278         (JSC::symbolProtoFuncToString):
2279         (JSC::symbolProtoFuncValueOf):
2280         * runtime/SymbolPrototype.h: Renamed from Source/JavaScriptCore/runtime/NamePrototype.h.
2281         (JSC::SymbolPrototype::create):
2282         (JSC::SymbolPrototype::createStructure):
2283
2284         The SymbolPrototype object is an ordinary JS object, not a wrapper object of Symbol.
2285         It is tested in js/symbol-prototype-is-ordinary-object.html.
2286
2287         * runtime/VM.cpp:
2288         (JSC::VM::VM):
2289         * runtime/VM.h:
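
Added illustration, not code from this patch: the observable ES6 Symbol semantics the entry above describes (identity by unique uid rather than description, symbol-keyed properties, `String(symbol)`, the SymbolObject wrapper, and Symbol.prototype being an ordinary object rather than a wrapper), written as plain JavaScript against a standard ES6 engine. The checks assert the ES6 behaviour, not anything about JSC's internal StringImpl* representation.

```javascript
// Added illustration, not code from this patch: the ES6 Symbol semantics the
// entry describes, checked from JavaScript. Assumes a standard ES6 engine.
'use strict';

function symbolIdentity() {
  // Two symbols with the same description are distinct values: identity
  // comes from the unique uid, not from the description text.
  const a = Symbol('desc');
  const b = Symbol('desc');
  return { sameDescription: String(a) === String(b), distinct: a !== b, typeofResult: typeof a };
}

function symbolAsPropertyKey() {
  // A symbol-keyed property is found by the symbol's identity and does not
  // collide with a string key carrying the same text; Object.keys skips it.
  const key = Symbol('secret');
  const obj = { secret: 'string-keyed', [key]: 'symbol-keyed' };
  return { bySymbol: obj[key], byString: obj.secret, stringKeys: Object.keys(obj).join(',') };
}

function symbolConversions() {
  const s = Symbol('x');
  const out = { viaStringConstructor: String(s), viaToString: s.toString() };
  // Implicit ToString (string concatenation) is a TypeError for symbols.
  try { out.implicit = '' + s; } catch (e) { out.implicit = e.constructor.name; }
  return out;
}

function symbolWrapper() {
  // Object(sym) yields a wrapper object (SymbolObject in JSC); valueOf unwraps it.
  const s = Symbol('w');
  const wrapped = Object(s);
  const out = {
    wrappedType: typeof wrapped,
    unwrapsToSame: wrapped.valueOf() === s,
    prototypeType: typeof Symbol.prototype,
  };
  // Symbol.prototype is an ordinary object, not a Symbol wrapper, so
  // calling valueOf with it as the receiver throws.
  try { Symbol.prototype.valueOf(); out.prototypeValueOf = 'ok'; } catch (e) { out.prototypeValueOf = e.constructor.name; }
  return out;
}
```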
2290
2291 2015-01-30  Geoffrey Garen  <ggaren@apple.com>
2292
2293         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
2294         https://bugs.webkit.org/show_bug.cgi?id=140900
2295
2296         Reviewed by Mark Hahnenberg.
2297
2298         Re-landing just the HandleBlock piece of this patch.
2299
2300         * heap/HandleBlock.h:
2301         * heap/HandleBlockInlines.h:
2302         (JSC::HandleBlock::create):
2303         (JSC::HandleBlock::destroy):
2304         (JSC::HandleBlock::HandleBlock):
2305         (JSC::HandleBlock::payloadEnd):
2306         * heap/HandleSet.cpp:
2307         (JSC::HandleSet::~HandleSet):
2308         (JSC::HandleSet::grow):
2309
2310 2015-01-30  Geoffrey Garen  <ggaren@apple.com>
2311
2312         GC marking threads should clear malloc caches
2313         https://bugs.webkit.org/show_bug.cgi?id=141097
2314
2315         Reviewed by Sam Weinig.
2316
2317         Follow-up based on Mark Hahnenberg's review: Release after the copy
2318         phase, rather than after any phase, since we'd rather not release
2319         between marking and copying.
2320
2321         * heap/GCThread.cpp:
2322         (JSC::GCThread::waitForNextPhase):
2323         (JSC::GCThread::gcThreadMain):
2324
2325 2015-01-30  Geoffrey Garen  <ggaren@apple.com>
2326
2327         GC marking threads should clear malloc caches
2328         https://bugs.webkit.org/show_bug.cgi?id=141097
2329
2330         Reviewed by Andreas Kling.
2331
2332         This is an attempt to ameliorate a potential memory use regression
2333         caused by https://bugs.webkit.org/show_bug.cgi?id=140900
2334         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages.
2335
2336         FastMalloc may accumulate a per-thread cache on each of the 8-ish
2337         GC marking threads, which can be expensive.
2338
2339         * heap/GCThread.cpp:
2340         (JSC::GCThread::waitForNextPhase): Scavenge the current thread before
2341         going to sleep. There's probably not too much value to keeping our
2342         per-thread cache between GCs, and it has some memory footprint.
2343
2344 2015-01-30  Chris Dumez  <cdumez@apple.com>
2345
2346         Rename shared() static member functions to singleton() for singleton classes.
2347         https://bugs.webkit.org/show_bug.cgi?id=141088
2348
2349         Reviewed by Ryosuke Niwa and Benjamin Poulain.
2350
2351         Rename shared() static member functions to singleton() for singleton
2352         classes as per the recent coding style change.
2353
2354         * inspector/remote/RemoteInspector.h:
2355         * inspector/remote/RemoteInspector.mm:
2356         (Inspector::RemoteInspector::singleton):
2357         (Inspector::RemoteInspector::start):
2358         (Inspector::RemoteInspector::shared): Deleted.
2359         * inspector/remote/RemoteInspectorDebuggable.cpp:
2360         (Inspector::RemoteInspectorDebuggable::~RemoteInspectorDebuggable):
2361         (Inspector::RemoteInspectorDebuggable::init):
2362         (Inspector::RemoteInspectorDebuggable::update):
2363         (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
2364         (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection):
2365         (Inspector::RemoteInspectorDebuggable::unpauseForInitializedInspector):
2366         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
2367         (Inspector::RemoteInspectorDebuggableConnection::setup):
2368         (Inspector::RemoteInspectorDebuggableConnection::sendMessageToFrontend):
2369
2370 2015-01-30  Geoffrey Garen  <ggaren@apple.com>
2371
2372         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
2373         https://bugs.webkit.org/show_bug.cgi?id=140900
2374
2375         Reviewed by Mark Hahnenberg.
2376
2377         Re-landing just the CopyWorkListSegment piece of this patch.
2378
2379         * heap/CopiedBlockInlines.h:
2380         (JSC::CopiedBlock::reportLiveBytes):
2381         * heap/CopyWorkList.h:
2382         (JSC::CopyWorkListSegment::create):
2383         (JSC::CopyWorkListSegment::destroy):
2384         (JSC::CopyWorkListSegment::CopyWorkListSegment):
2385         (JSC::CopyWorkList::CopyWorkList):
2386         (JSC::CopyWorkList::~CopyWorkList):
2387         (JSC::CopyWorkList::append):
2388
2389 2015-01-29  Commit Queue  <commit-queue@webkit.org>
2390
2391         Unreviewed, rolling out r179357 and r179358.
2392         https://bugs.webkit.org/show_bug.cgi?id=141062
2393
2394         Suspect this caused WebGL tests to start flaking (Requested by
2395         kling on #webkit).
2396
2397         Reverted changesets:
2398
2399         "Polymorphic call inlining should be based on polymorphic call
2400         inline caching rather than logging"
2401         https://bugs.webkit.org/show_bug.cgi?id=140660
2402         http://trac.webkit.org/changeset/179357
2403
2404         "Unreviewed, fix no-JIT build."
2405         http://trac.webkit.org/changeset/179358
2406
2407 2015-01-29  Geoffrey Garen  <ggaren@apple.com>
2408
2409         Removed op_ret_object_or_this
2410         https://bugs.webkit.org/show_bug.cgi?id=141048
2411
2412         Reviewed by Michael Saboff.
2413
2414         op_ret_object_or_this was one opcode that would keep us out of the
2415         optimizing compilers.
2416
2417         We don't need a special-purpose opcode; we can just use a branch.
2418
2419         * bytecode/BytecodeBasicBlock.cpp:
2420         (JSC::isTerminal): Removed.
2421         * bytecode/BytecodeList.json:
2422         * bytecode/BytecodeUseDef.h:
2423         (JSC::computeUsesForBytecodeOffset):
2424         (JSC::computeDefsForBytecodeOffset): Removed.
2425
2426         * bytecode/CodeBlock.cpp:
2427         (JSC::CodeBlock::dumpBytecode): Removed.
2428
2429         * bytecompiler/BytecodeGenerator.cpp:
2430         (JSC::BytecodeGenerator::emitReturn): Use an explicit branch to determine
2431         if we need to substitute 'this' for the return value. Our engine no longer
2432         benefits from fused opcodes that dispatch less in the interpreter.
2433
2434         * jit/JIT.cpp:
2435         (JSC::JIT::privateCompileMainPass):
2436         * jit/JIT.h:
2437         * jit/JITCall32_64.cpp:
2438         (JSC::JIT::emit_op_ret_object_or_this): Deleted.
2439         * jit/JITOpcodes.cpp:
2440         (JSC::JIT::emit_op_ret_object_or_this): Deleted.
2441         * llint/LowLevelInterpreter32_64.asm:
2442         * llint/LowLevelInterpreter64.asm: Removed.
2443
2444 2015-01-29  Ryosuke Niwa  <rniwa@webkit.org>
2445
2446         Implement ES6 class syntax without inheritance support
2447         https://bugs.webkit.org/show_bug.cgi?id=140918
2448
2449         Reviewed by Geoffrey Garen.
2450
2451         Added the most basic support for ES6 class syntax. After this patch, we support basic class definition like:
2452         class A {
2453             constructor() { }
2454             someMethod() { }
2455         }
2456
2457         We'll add the support for "extends" keyword and automatically generating a constructor in follow up patches.
2458         We also don't support block scoping of a class declaration.
2459
2460         We support both class declaration and class expression. A class expression is implemented by the newly added
2461         ClassExprNode AST node. A class declaration is implemented by ClassDeclNode, which is a thin wrapper around
2462         AssignResolveNode.
2463
2464         Tests: js/class-syntax-declaration.html
2465                js/class-syntax-expression.html
2466
2467         * bytecompiler/NodesCodegen.cpp:
2468         (JSC::ObjectLiteralNode::emitBytecode): Create a new object instead of delegating the work to PropertyListNode.
2469         Also fixed the 5-space indentation.
2470         (JSC::PropertyListNode::emitBytecode): Don't create a new object now that ObjectLiteralNode does this.
2471         (JSC::ClassDeclNode::emitBytecode): Added. Just let the AssignResolveNode node emit the byte code.
2472         (JSC::ClassExprNode::emitBytecode): Create the class constructor and add static methods to the constructor by
2473         emitting the byte code for PropertyListNode. Add instance methods to the class's prototype object the same way.
2474
2475         * parser/ASTBuilder.h:
2476         (JSC::ASTBuilder::createClassExpr): Added. Creates a ClassExprNode.
2477         (JSC::ASTBuilder::createClassDeclStatement): Added. Creates an AssignResolveNode and wraps it in a ClassDeclNode.
2478
2479         * parser/NodeConstructors.h:
2480         (JSC::ClassDeclNode::ClassDeclNode): Added.
2481         (JSC::ClassExprNode::ClassExprNode): Added.
2482
2483         * parser/Nodes.h:
2484         (JSC::ClassExprNode): Added.
2485         (JSC::ClassDeclNode): Added.
2486
2487         * parser/Parser.cpp:
2488         (JSC::Parser<LexerType>::parseStatement): Added the support for class declaration.
2489         (JSC::stringForFunctionMode): Return "method" for MethodMode.
2490         (JSC::Parser<LexerType>::parseClassDeclaration): Added. Uses parseClass to create a class expression and wraps
2491         it in a ClassDeclNode as described above.
2492         (JSC::Parser<LexerType>::parseClass): Parses a class expression.
2493         (JSC::Parser<LexerType>::parseProperty):
2494         (JSC::Parser<LexerType>::parseGetterSetter): Extracted from parseProperty to share the code between parseProperty
2495         and parseClass.
2496         (JSC::Parser<LexerType>::parsePrimaryExpression): Added the support for class expression.
2497
2498         * parser/Parser.h:
2499         (FunctionParseMode): Added MethodMode.
2500
2501         * parser/SyntaxChecker.h:
2502         (JSC::SyntaxChecker::createClassExpr): Added.
2503         (JSC::SyntaxChecker::createClassDeclStatement): Added.
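
Added illustration, not code from this patch: where the pieces of an ES6 class land, as the entry above describes for ClassExprNode::emitBytecode. Static methods are added to the constructor function, instance methods to the class's prototype object, and a class declaration behaves like an assignment of a class expression to its name. The class names and methods are constructed for the example; the checks assert standard ES6 semantics and say nothing about the block-scoping limitation the entry mentions.

```javascript
// Added illustration, not code from this patch: ES6 class declaration and
// class expression semantics as a standard engine exposes them.
'use strict';

// Class declaration: constructor, one instance method, one static method.
class Counter {
  constructor(start) { this.value = start; }
  increment() { this.value += 1; return this.value; }   // lands on Counter.prototype
  static zero() { return new Counter(0); }              // lands on Counter itself
}

// Named class expression: the inner name `Cell` is visible only inside it.
const Box = class Cell {
  constructor(v) { this.v = v; }
  get() { return this.v; }
  static wrap(v) { return new Cell(v); }
};

const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function describeClass() {
  const c = Counter.zero();
  c.increment();
  return {
    constructorIsFunction: typeof Counter === 'function',
    instanceMethodOnPrototype: hasOwn(Counter.prototype, 'increment'),
    instanceMethodNotOwnOnInstance: !hasOwn(c, 'increment'),
    staticOnConstructor: hasOwn(Counter, 'zero'),
    staticNotOnPrototype: !('zero' in Counter.prototype),
    prototypeConstructorLinksBack: Counter.prototype.constructor === Counter,
    valueAfterIncrement: c.value,
  };
}

function describeClassExpression() {
  const b = Box.wrap(7);
  return {
    exprValue: b.get(),
    innerNameNotLeaked: typeof Cell === 'undefined',  // no `Cell` binding out here
    innerNameIsClassName: Box.name,
  };
}
```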
2504
2505 2015-01-29  Geoffrey Garen  <ggaren@apple.com>
2506
2507         Try to fix the Windows build.
2508
2509         Not reviewed.
2510
2511         * heap/WeakBlock.h: Use the fully qualified name when declaring our friend.
2512
2513 2015-01-29  Geoffrey Garen  <ggaren@apple.com>
2514
2515         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
2516         https://bugs.webkit.org/show_bug.cgi?id=140900
2517
2518         Reviewed by Mark Hahnenberg.
2519
2520         Re-landing just the WeakBlock piece of this patch.
2521
2522         * heap/WeakBlock.cpp:
2523         (JSC::WeakBlock::create):
2524         (JSC::WeakBlock::destroy):
2525         (JSC::WeakBlock::WeakBlock):
2526         * heap/WeakBlock.h:
2527         * heap/WeakSet.cpp:
2528         (JSC::WeakSet::~WeakSet):
2529         (JSC::WeakSet::addAllocator):
2530         (JSC::WeakSet::removeAllocator):
2531
2532 2015-01-29  Geoffrey Garen  <ggaren@apple.com>
2533
2534         Use Vector instead of GCSegmentedArray in CodeBlockSet
2535         https://bugs.webkit.org/show_bug.cgi?id=141044
2536
2537         Reviewed by Ryosuke Niwa.
2538
2539         This is allowed now that we've gotten rid of fastMallocForbid.
2540
2541         4kB was a bit overkill for just storing a few pointers.
2542
2543         * heap/CodeBlockSet.cpp:
2544         (JSC::CodeBlockSet::CodeBlockSet):
2545         * heap/CodeBlockSet.h:
2546         * heap/Heap.cpp:
2547         (JSC::Heap::Heap):
2548
2549 2015-01-29  Filip Pizlo  <fpizlo@apple.com>
2550
2551         Unreviewed, fix no-JIT build.
2552
2553         * jit/PolymorphicCallStubRoutine.cpp:
2554
2555 2015-01-28  Filip Pizlo  <fpizlo@apple.com>
2556
2557         Polymorphic call inlining should be based on polymorphic call inline caching rather than logging
2558         https://bugs.webkit.org/show_bug.cgi?id=140660
2559
2560         Reviewed by Geoffrey Garen.
2561         
2562         When we first implemented polymorphic call inlining, we did the profiling based on a call
2563         edge log. The idea was to store each call edge (a tuple of call site and callee) into a
2564         global log that was processed lazily. Processing the log would give precise counts of call
2565         edges, and could be used to drive well-informed inlining decisions - polymorphic or not.
2566         This was a speed-up on throughput tests but a slow-down for latency tests. It was a net win
2567         nonetheless.
2568         
2569         Experience with this code shows three things. First, the call edge profiler is buggy and
2570         complex. It would take work to fix the bugs. Second, the call edge profiler incurs lots of
2571         overhead for latency code that we care deeply about. Third, it's not at all clear that
2572         having call edge counts for every possible callee is any better than just having call edge
2573         counts for the limited number of callees that an inline cache would catch.
2574         
2575         So, this patch removes the call edge profiler and replaces it with a polymorphic call inline
2576         cache. If we miss the basic call inline cache, we inflate the cache to be a jump to an
2577         out-of-line stub that cases on the previously known callees. If that misses again, then we
2578         rewrite that stub to include the new callee. We do this up to some number of callees. If we
2579         hit the limit then we switch to using a plain virtual call.
2580         
2581         Substantial speed-up on V8Spider; undoes the slow-down that the original call edge profiler
2582         caused. Might be a SunSpider speed-up (below 1%), depending on hardware.
2583
2584         * CMakeLists.txt:
2585         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2586         * JavaScriptCore.xcodeproj/project.pbxproj:
2587         * bytecode/CallEdge.h:
2588         (JSC::CallEdge::count):
2589         (JSC::CallEdge::CallEdge):
2590         * bytecode/CallEdgeProfile.cpp: Removed.
2591         * bytecode/CallEdgeProfile.h: Removed.
2592         * bytecode/CallEdgeProfileInlines.h: Removed.
2593         * bytecode/CallLinkInfo.cpp:
2594         (JSC::CallLinkInfo::unlink):
2595         (JSC::CallLinkInfo::visitWeak):
2596         * bytecode/CallLinkInfo.h:
2597         * bytecode/CallLinkStatus.cpp:
2598         (JSC::CallLinkStatus::CallLinkStatus):
2599         (JSC::CallLinkStatus::computeFor):
2600         (JSC::CallLinkStatus::computeFromCallLinkInfo):
2601         (JSC::CallLinkStatus::isClosureCall):
2602         (JSC::CallLinkStatus::makeClosureCall):
2603         (JSC::CallLinkStatus::dump):
2604         (JSC::CallLinkStatus::computeFromCallEdgeProfile): Deleted.
2605         * bytecode/CallLinkStatus.h:
2606         (JSC::CallLinkStatus::CallLinkStatus):
2607         (JSC::CallLinkStatus::isSet):
2608         (JSC::CallLinkStatus::variants):
2609         (JSC::CallLinkStatus::size):
2610         (JSC::CallLinkStatus::at):
2611         (JSC::CallLinkStatus::operator[]):
2612         (JSC::CallLinkStatus::canOptimize):
2613         (JSC::CallLinkStatus::edges): Deleted.
2614         (JSC::CallLinkStatus::canTrustCounts): Deleted.
2615         * bytecode/CallVariant.cpp:
2616         (JSC::variantListWithVariant):
2617         (JSC::despecifiedVariantList):
2618         * bytecode/CallVariant.h:
2619         * bytecode/CodeBlock.cpp:
2620         (JSC::CodeBlock::~CodeBlock):
2621         (JSC::CodeBlock::linkIncomingPolymorphicCall):
2622         (JSC::CodeBlock::unlinkIncomingCalls):
2623         (JSC::CodeBlock::noticeIncomingCall):
2624         * bytecode/CodeBlock.h:
2625         (JSC::CodeBlock::isIncomingCallAlreadyLinked): Deleted.
2626         * dfg/DFGAbstractInterpreterInlines.h:
2627         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2628         * dfg/DFGByteCodeParser.cpp:
2629         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
2630         (JSC::DFG::ByteCodeParser::handleCall):
2631         (JSC::DFG::ByteCodeParser::handleInlining):
2632         * dfg/DFGClobberize.h:
2633         (JSC::DFG::clobberize):
2634         * dfg/DFGConstantFoldingPhase.cpp:
2635         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2636         * dfg/DFGDoesGC.cpp:
2637         (JSC::DFG::doesGC):
2638         * dfg/DFGDriver.cpp:
2639         (JSC::DFG::compileImpl):
2640         * dfg/DFGFixupPhase.cpp:
2641         (JSC::DFG::FixupPhase::fixupNode):
2642         * dfg/DFGNode.h:
2643         (JSC::DFG::Node::hasHeapPrediction):
2644         * dfg/DFGNodeType.h:
2645         * dfg/DFGOperations.cpp:
2646         * dfg/DFGPredictionPropagationPhase.cpp:
2647         (JSC::DFG::PredictionPropagationPhase::propagate):
2648         * dfg/DFGSafeToExecute.h:
2649         (JSC::DFG::safeToExecute):
2650         * dfg/DFGSpeculativeJIT32_64.cpp:
2651         (JSC::DFG::SpeculativeJIT::emitCall):
2652         (JSC::DFG::SpeculativeJIT::compile):
2653         * dfg/DFGSpeculativeJIT64.cpp:
2654         (JSC::DFG::SpeculativeJIT::emitCall):
2655         (JSC::DFG::SpeculativeJIT::compile):
2656         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2657         (JSC::DFG::TierUpCheckInjectionPhase::run):
2658         (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling): Deleted.
2659         * ftl/FTLCapabilities.cpp:
2660         (JSC::FTL::canCompile):
2661         * heap/Heap.cpp:
2662         (JSC::Heap::collect):
2663         * jit/BinarySwitch.h:
2664         * jit/ClosureCallStubRoutine.cpp: Removed.
2665         * jit/ClosureCallStubRoutine.h: Removed.
2666         * jit/JITCall.cpp:
2667         (JSC::JIT::compileOpCall):
2668         * jit/JITCall32_64.cpp:
2669         (JSC::JIT::compileOpCall):
2670         * jit/JITOperations.cpp:
2671         * jit/JITOperations.h:
2672         (JSC::operationLinkPolymorphicCallFor):
2673         (JSC::operationLinkClosureCallFor): Deleted.
2674         * jit/JITStubRoutine.h:
2675         * jit/JITWriteBarrier.h:
2676         * jit/PolymorphicCallStubRoutine.cpp: Added.
2677         (JSC::PolymorphicCallNode::~PolymorphicCallNode):
2678         (JSC::PolymorphicCallNode::unlink):
2679         (JSC::PolymorphicCallCase::dump):
2680         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
2681         (JSC::PolymorphicCallStubRoutine::~PolymorphicCallStubRoutine):
2682         (JSC::PolymorphicCallStubRoutine::variants):
2683         (JSC::PolymorphicCallStubRoutine::edges):
2684         (JSC::PolymorphicCallStubRoutine::visitWeak):
2685         (JSC::PolymorphicCallStubRoutine::markRequiredObjectsInternal):
2686         * jit/PolymorphicCallStubRoutine.h: Added.
2687         (JSC::PolymorphicCallNode::PolymorphicCallNode):
2688         (JSC::PolymorphicCallCase::PolymorphicCallCase):
2689         (JSC::PolymorphicCallCase::variant):
2690         (JSC::PolymorphicCallCase::codeBlock):
2691         * jit/Repatch.cpp:
2692         (JSC::linkSlowFor):
2693         (JSC::linkFor):
2694         (JSC::revertCall):
2695         (JSC::unlinkFor):
2696         (JSC::linkVirtualFor):
2697         (JSC::linkPolymorphicCall):
2698         (JSC::linkClosureCall): Deleted.
2699         * jit/Repatch.h:
2700         * jit/ThunkGenerators.cpp:
2701         (JSC::linkPolymorphicCallForThunkGenerator):
2702         (JSC::linkPolymorphicCallThunkGenerator):
2703         (JSC::linkPolymorphicCallThatPreservesRegsThunkGenerator):
2704         (JSC::linkClosureCallForThunkGenerator): Deleted.
2705         (JSC::linkClosureCallThunkGenerator): Deleted.
2706         (JSC::linkClosureCallThatPreservesRegsThunkGenerator): Deleted.
2707         * jit/ThunkGenerators.h:
2708         (JSC::linkPolymorphicCallThunkGeneratorFor):
2709         (JSC::linkClosureCallThunkGeneratorFor): Deleted.
2710         * llint/LLIntSlowPaths.cpp:
2711         (JSC::LLInt::jitCompileAndSetHeuristics):
2712         * runtime/Options.h:
2713         * runtime/VM.cpp:
2714         (JSC::VM::prepareToDiscardCode):
2715         (JSC::VM::ensureCallEdgeLog): Deleted.
2716         * runtime/VM.h:
2717
2718 2015-01-29  Joseph Pecoraro  <pecoraro@apple.com>
2719
2720         Web Inspector: ES6: Improved Console Format for Set and Map Objects (like Arrays)
2721         https://bugs.webkit.org/show_bug.cgi?id=122867
2722
2723         Reviewed by Timothy Hatcher.
2724
2725         Add new Runtime.RemoteObject object subtypes for "map", "set", and "weakmap".
2726
2727         Upgrade Runtime.ObjectPreview to include type/subtype information. Now,
2728         an ObjectPreview can be used for any value, in place of a RemoteObject,
2729         and not capture / hold a reference to the value. The value will be in
2730         the string description.
2731
2732         Adding this information to ObjectPreview can duplicate some information
2733         in the protocol messages if a preview is provided, but simplifies
2734         previews, so that all the information you need for any RemoteObject
2735         preview is available. To slim messages further, make "overflow" and
2736         "properties" only available on previews that may contain properties.
2737         So, not primitives or null.
2738
2739         Finally, for "Map/Set/WeakMap" add an "entries" list to the preview
2740         that will return previews with "key" and "value" properties depending
2741         on the collection type. To get live, non-preview objects from a
2742         collection, use Runtime.getCollectionEntries.
2743
2744         In order to keep the WeakMap's values Weak the frontend may provide
2745         a unique object group name when getting collection entries. It may
2746         then release that object group, e.g. when not showing the WeakMap's
2747         values to the user, and thus remove the strong reference to the keys
2748         so they may be garbage collected.
2749
2750         * runtime/WeakMapData.h:
2751         (JSC::WeakMapData::begin):
2752         (JSC::WeakMapData::end):
2753         Expose iterators so the Inspector may access WeakMap keys/values.
2754
2755         * inspector/JSInjectedScriptHostPrototype.cpp:
2756         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
2757         (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapEntries):
2758         * inspector/JSInjectedScriptHost.h:
2759         * inspector/JSInjectedScriptHost.cpp:
2760         (Inspector::JSInjectedScriptHost::subtype):
2761         Discern "map", "set", and "weakmap" object subtypes.
2762
2763         (Inspector::JSInjectedScriptHost::weakMapEntries):
2764         Return a list of WeakMap entries. These are strong references
2765         that the Inspector code is responsible for releasing.
2766
2767         * inspector/protocol/Runtime.json:
2768         Update types and expose the new getCollectionEntries command.
2769
2770         * inspector/agents/InspectorRuntimeAgent.h:
2771         * inspector/agents/InspectorRuntimeAgent.cpp:
2772         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
2773         * inspector/InjectedScript.h:
2774         * inspector/InjectedScript.cpp:
2775         (Inspector::InjectedScript::getInternalProperties):
2776         (Inspector::InjectedScript::getCollectionEntries):
2777         Pass through to the InjectedScript and call getCollectionEntries.
2778
2779         * inspector/scripts/codegen/generator.py:
2780         Add another type with runtime casting.
2781
2782         * inspector/InjectedScriptSource.js:
2783         - Implement getCollectionEntries to get a range of values from a
2784         collection. The non-Weak collections have an order to their keys (in
2785         order of added) so range'd gets are okay. WeakMap does not have an
2786         order, so only allow fetching a number of values.
2787         - Update preview generation to address the Runtime.ObjectPreview
2788         type changes.
2789
2790 2015-01-28  Geoffrey Garen  <ggaren@apple.com>
2791
2792         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
2793         https://bugs.webkit.org/show_bug.cgi?id=140900
2794
2795         Reviewed by Mark Hahnenberg.
2796
2797         Re-landing just the GCArraySegment piece of this patch.
2798
2799         * heap/CodeBlockSet.cpp:
2800         (JSC::CodeBlockSet::CodeBlockSet):
2801         * heap/CodeBlockSet.h:
2802         * heap/GCSegmentedArray.h:
2803         (JSC::GCArraySegment::GCArraySegment):
2804         * heap/GCSegmentedArrayInlines.h:
2805         (JSC::GCSegmentedArray<T>::GCSegmentedArray):
2806         (JSC::GCSegmentedArray<T>::~GCSegmentedArray):
2807         (JSC::GCSegmentedArray<T>::clear):
2808         (JSC::GCSegmentedArray<T>::expand):
2809         (JSC::GCSegmentedArray<T>::refill):
2810         (JSC::GCArraySegment<T>::create):
2811         (JSC::GCArraySegment<T>::destroy):
2812         * heap/GCThreadSharedData.cpp:
2813         (JSC::GCThreadSharedData::GCThreadSharedData):
2814         * heap/Heap.cpp:
2815         (JSC::Heap::Heap):
2816         * heap/MarkStack.cpp:
2817         (JSC::MarkStackArray::MarkStackArray):
2818         * heap/MarkStack.h:
2819         * heap/SlotVisitor.cpp:
2820         (JSC::SlotVisitor::SlotVisitor):
2821
2822 2015-01-29  Csaba Osztrogonác  <ossy@webkit.org>
2823
2824         Move HAVE_DTRACE definition back to Platform.h
2825         https://bugs.webkit.org/show_bug.cgi?id=141033
2826
2827         Reviewed by Dan Bernstein.
2828
2829         * Configurations/Base.xcconfig:
2830         * JavaScriptCore.xcodeproj/project.pbxproj:
2831
2832 2015-01-28  Geoffrey Garen  <ggaren@apple.com>
2833
2834         Removed fastMallocForbid / fastMallocAllow
2835         https://bugs.webkit.org/show_bug.cgi?id=141012
2836
2837         Reviewed by Mark Hahnenberg.
2838
2839         Copy non-current thread stacks before scanning them instead of scanning
2840         them in-place.
2841
2842         This operation is uncommon (i.e., never in the web content process),
2843         and even in a stress test with 4 threads it only copies about 27kB,
2844         so I think the performance cost is OK.
2845
2846         Scanning in-place requires a complex dance where we constrain our GC
2847         data structures not to use malloc, free, or any other interesting functions
2848         that might acquire locks. We've gotten this wrong many times in the past,
2849         and I just got it wrong again yesterday. Since this code path is rarely
2850         tested, I want it to just make sense, and not depend on or constrain the
2851         details of the rest of the GC heap's design.
2852
2853         * heap/MachineStackMarker.cpp:
2854         (JSC::otherThreadStack): Factored out a helper function for dealing with
2855         unaligned and/or backwards pointers.
2856
2857         (JSC::MachineThreads::tryCopyOtherThreadStack): This is now the only
2858         constrained function, and it only calls memcpy and low-level thread APIs.
2859
2860         (JSC::MachineThreads::tryCopyOtherThreadStacks): The design here is that
2861         you do one pass over all the threads to compute their combined size,
2862         and then a second pass to do all the copying. In theory, the threads may
2863         grow in between passes, in which case you'll continue until the threads
2864         stop growing. In practice, you never continue.
2865
2866         (JSC::growBuffer): Helper function for growing.
2867
2868         (JSC::MachineThreads::gatherConservativeRoots):
2869         (JSC::MachineThreads::gatherFromOtherThread): Deleted.
2870         * heap/MachineStackMarker.h: Updated for interface changes.
2871
2872 2015-01-28  Brian J. Burg  <burg@cs.washington.edu>
2873
2874         Web Inspector: remove CSS.setPropertyText, CSS.toggleProperty and related dead code
2875         https://bugs.webkit.org/show_bug.cgi?id=140961
2876
2877         Reviewed by Timothy Hatcher.
2878
2879         * inspector/protocol/CSS.json: Remove unused protocol methods.
2880
2881 2015-01-28  Dana Burkart  <dburkart@apple.com>
2882
2883         Move ASan flag settings from DebugRelease.xcconfig to Base.xcconfig
2884         https://bugs.webkit.org/show_bug.cgi?id=136765
2885
2886         Reviewed by Alexey Proskuryakov.
2887
2888         * Configurations/Base.xcconfig:
2889         * Configurations/DebugRelease.xcconfig:
2890
2891 2015-01-27  Filip Pizlo  <fpizlo@apple.com>
2892
2893         ExitSiteData saying m_takesSlowPath shouldn't mean early returning takesSlowPath() since for the non-LLInt case we later set m_couldTakeSlowPath, which is more precise
2894         https://bugs.webkit.org/show_bug.cgi?id=140980
2895
2896         Reviewed by Oliver Hunt.
2897
2898         * bytecode/CallLinkStatus.cpp:
2899         (JSC::CallLinkStatus::computeFor):
2900
2901 2015-01-27  Filip Pizlo  <fpizlo@apple.com>
2902
2903         Move DFGBinarySwitch out of the DFG so that all of the JITs can use it
2904         https://bugs.webkit.org/show_bug.cgi?id=140959
2905
2906         Rubber stamped by Geoffrey Garen.
2907         
2908         I want to use this for polymorphic stubs for https://bugs.webkit.org/show_bug.cgi?id=140660.
2909         This code no longer has DFG dependencies so this is a very clean move.
2910
2911         * CMakeLists.txt:
2912         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2913         * JavaScriptCore.xcodeproj/project.pbxproj:
2914         * dfg/DFGBinarySwitch.cpp: Removed.
2915         * dfg/DFGBinarySwitch.h: Removed.
2916         * dfg/DFGSpeculativeJIT.cpp:
2917         * jit/BinarySwitch.cpp: Copied from Source/JavaScriptCore/dfg/DFGBinarySwitch.cpp.
2918         * jit/BinarySwitch.h: Copied from Source/JavaScriptCore/dfg/DFGBinarySwitch.h.
2919
2920 2015-01-27  Commit Queue  <commit-queue@webkit.org>
2921
2922         Unreviewed, rolling out r179192.
2923         https://bugs.webkit.org/show_bug.cgi?id=140953
2924
2925         Caused numerous layout test failures (Requested by mattbaker_
2926         on #webkit).
2927
2928         Reverted changeset:
2929
2930         "Use FastMalloc (bmalloc) instead of BlockAllocator for GC
2931         pages"
2932         https://bugs.webkit.org/show_bug.cgi?id=140900
2933         http://trac.webkit.org/changeset/179192
2934
2935 2015-01-27  Michael Saboff  <msaboff@apple.com>
2936
2937         REGRESSION(r178591): 20% regression in Octane box2d
2938         https://bugs.webkit.org/show_bug.cgi?id=140948
2939
2940         Reviewed by Geoffrey Garen.
2941
2942         Added a check that we have a lexical environment to the "arguments is captured" check.
2943         It doesn't make sense to resolve "arguments" when it really isn't captured.
2944
2945         * bytecompiler/BytecodeGenerator.cpp:
2946         (JSC::BytecodeGenerator::willResolveToArgumentsRegister):
2947
2948 2015-01-26  Geoffrey Garen  <ggaren@apple.com>
2949
2950         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
2951         https://bugs.webkit.org/show_bug.cgi?id=140900
2952
2953         Reviewed by Mark Hahnenberg.
2954
2955         Removes some more custom allocation code.
2956
2957         Looks like a speedup. (See results attached to bugzilla.)
2958
2959         Will hopefully reduce memory use by improving sharing between the GC and
2960         malloc heaps.
2961
2962         * API/JSBase.cpp:
2963         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2964         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2965         * JavaScriptCore.xcodeproj/project.pbxproj: Feed the compiler.
2966
2967         * heap/BlockAllocator.cpp: Removed.
2968         * heap/BlockAllocator.h: Removed. No need for a custom allocator anymore.
2969
2970         * heap/CodeBlockSet.cpp:
2971         (JSC::CodeBlockSet::CodeBlockSet):
2972         * heap/CodeBlockSet.h: Feed the compiler.
2973
2974         * heap/CopiedBlock.h:
2975         (JSC::CopiedBlock::createNoZeroFill):
2976         (JSC::CopiedBlock::create):
2977         (JSC::CopiedBlock::CopiedBlock):
2978         (JSC::CopiedBlock::isOversize):
2979         (JSC::CopiedBlock::payloadEnd):
2980         (JSC::CopiedBlock::capacity):
2981         * heap/CopiedBlockInlines.h:
2982         (JSC::CopiedBlock::reportLiveBytes): Each copied block now tracks its
2983         own size, since we can't rely on Region to tell us our size anymore.
2984
2985         * heap/CopiedSpace.cpp:
2986         (JSC::CopiedSpace::~CopiedSpace):
2987         (JSC::CopiedSpace::tryAllocateOversize):
2988         (JSC::CopiedSpace::tryReallocateOversize):
2989         * heap/CopiedSpaceInlines.h:
2990         (JSC::CopiedSpace::recycleEvacuatedBlock):
2991         (JSC::CopiedSpace::recycleBorrowedBlock):
2992         (JSC::CopiedSpace::allocateBlockForCopyingPhase):
2993         (JSC::CopiedSpace::allocateBlock):
2994         (JSC::CopiedSpace::startedCopying): Deallocate blocks directly, rather
2995         than pushing them onto the block allocator's free list; the block
2996         allocator doesn't exist anymore.
2997
2998         * heap/CopyWorkList.h:
2999         (JSC::CopyWorkListSegment::create):
3000         (JSC::CopyWorkListSegment::CopyWorkListSegment):
3001         (JSC::CopyWorkList::~CopyWorkList):
3002         (JSC::CopyWorkList::append):
3003         (JSC::CopyWorkList::CopyWorkList): Deleted.
3004         * heap/GCSegmentedArray.h:
3005         (JSC::GCArraySegment::GCArraySegment):
3006         * heap/GCSegmentedArrayInlines.h:
3007         (JSC::GCSegmentedArray<T>::GCSegmentedArray):
3008         (JSC::GCSegmentedArray<T>::~GCSegmentedArray):
3009         (JSC::GCSegmentedArray<T>::clear):
3010         (JSC::GCSegmentedArray<T>::expand):
3011         (JSC::GCSegmentedArray<T>::refill):
3012         (JSC::GCArraySegment<T>::create):
3013         * heap/GCThreadSharedData.cpp:
3014         (JSC::GCThreadSharedData::GCThreadSharedData):
3015         * heap/GCThreadSharedData.h: Feed the compiler.
3016
3017         * heap/HandleBlock.h:
3018         * heap/HandleBlockInlines.h:
3019         (JSC::HandleBlock::create):
3020         (JSC::HandleBlock::HandleBlock):
3021         (JSC::HandleBlock::payloadEnd):
3022         * heap/HandleSet.cpp:
3023         (JSC::HandleSet::~HandleSet):
3024         (JSC::HandleSet::grow): Same as above.
3025
3026         * heap/Heap.cpp:
3027         (JSC::Heap::Heap):
3028         * heap/Heap.h: Removed the block allocator since it is unused now.
3029
3030         * heap/HeapBlock.h:
3031         (JSC::HeapBlock::destroy):
3032         (JSC::HeapBlock::HeapBlock):
3033         (JSC::HeapBlock::region): Deleted. Removed the Region pointer from each
3034         HeapBlock since a HeapBlock is just a normal allocation now.
3035
3036         * heap/HeapInlines.h:
3037         (JSC::Heap::blockAllocator): Deleted.
3038
3039         * heap/HeapTimer.cpp:
3040         * heap/MarkStack.cpp:
3041         (JSC::MarkStackArray::MarkStackArray):
3042         * heap/MarkStack.h: Feed the compiler.
3043
3044         * heap/MarkedAllocator.cpp:
3045         (JSC::MarkedAllocator::allocateBlock): No need to use a custom code path
3046         based on size, since we use a general purpose allocator now.
3047
3048         * heap/MarkedBlock.cpp:
3049         (JSC::MarkedBlock::create):
3050         (JSC::MarkedBlock::destroy):
3051         (JSC::MarkedBlock::MarkedBlock):
3052         * heap/MarkedBlock.h:
3053         (JSC::MarkedBlock::capacity): Track block size explicitly, like CopiedBlock.
3054
3055         * heap/MarkedSpace.cpp:
3056         (JSC::MarkedSpace::freeBlock):
3057         * heap/MarkedSpace.h:
3058
3059         * heap/Region.h: Removed.
3060
3061         * heap/SlotVisitor.cpp:
3062         (JSC::SlotVisitor::SlotVisitor): Removed reference to block allocator.
3063
3064         * heap/SuperRegion.cpp: Removed.
3065         * heap/SuperRegion.h: Removed.
3066
3067         * heap/WeakBlock.cpp:
3068         (JSC::WeakBlock::create):
3069         (JSC::WeakBlock::WeakBlock):
3070         * heap/WeakBlock.h:
3071         * heap/WeakSet.cpp:
3072         (JSC::WeakSet::~WeakSet):
3073         (JSC::WeakSet::addAllocator):
3074         (JSC::WeakSet::removeAllocator): Removed reference to block allocator.
3075
3076 2015-01-27  Csaba Osztrogonác  <ossy@webkit.org>
3077
3078         [ARM] Typo fix after r176083
3079         https://bugs.webkit.org/show_bug.cgi?id=140937
3080
3081         Reviewed by Anders Carlsson.
3082
3083         * assembler/ARMv7Assembler.h:
3084         (JSC::ARMv7Assembler::ldrh):
3085
3086 2015-01-27  Csaba Osztrogonác  <ossy@webkit.org>
3087
3088         [Win] Unreviewed gardening, skip failing tests.
3089
3090         * tests/exceptionFuzz.yaml: Skip exception fuzz tests due to bug140928.
3091         * tests/mozilla/mozilla-tests.yaml: Skip ecma/Date/15.9.5.28-1.js due to bug140927.
3092
3093 2015-01-26  Csaba Osztrogonác  <ossy@webkit.org>
3094
3095         [Win] Enable JSC stress tests by default
3096         https://bugs.webkit.org/show_bug.cgi?id=128307
3097
3098         Unreviewed typo fix after r179165.
3099
3100         * tests/mozilla/mozilla-tests.yaml:
3101
3102 2015-01-26  Csaba Osztrogonác  <ossy@webkit.org>
3103
3104         [Win] Enable JSC stress tests by default
3105         https://bugs.webkit.org/show_bug.cgi?id=128307
3106
3107         Reviewed by Brent Fulgham.
3108
3109         * tests/mozilla/mozilla-tests.yaml: Skipped on Windows.
3110         * tests/stress/ftl-arithcos.js: Skipped on Windows.
3111
3112 2015-01-26  Ryosuke Niwa  <rniwa@webkit.org>
3113
3114         Parse a function expression as a primary expression
3115         https://bugs.webkit.org/show_bug.cgi?id=140908
3116
3117         Reviewed by Mark Lam.
3118
3119         Moved the code to generate an AST node for a function expression from parseMemberExpression
3120         to parsePrimaryExpression to match the ES6 specification terminology:
3121         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-primary-expression
3122
3123         There should be no behavior change from this change since parsePrimaryExpression is only
3124         called in parseMemberExpression, other than the fact that failIfStackOverflow() is called.
3125
3126         * parser/Parser.cpp:
3127         (JSC::Parser<LexerType>::parsePrimaryExpression):
3128         (JSC::Parser<LexerType>::parseMemberExpression):
3129
3130 2015-01-26  Myles C. Maxfield  <mmaxfield@apple.com>
3131
3132         [iOS] [SVG -> OTF Converter] Flip the switch off on iOS
3133         https://bugs.webkit.org/show_bug.cgi?id=140860
3134
3135         Reviewed by Darin Adler.
3136
3137         The fonts it makes are grotesque. (See what I did there? Typographic
3138         humor is the best humor.)
3139
3140         * Configurations/FeatureDefines.xcconfig:
3141
3142 2015-01-23  Joseph Pecoraro  <pecoraro@apple.com>
3143
3144         Web Inspector: Rename InjectedScriptHost::type to subtype
3145         https://bugs.webkit.org/show_bug.cgi?id=140841
3146
3147         Reviewed by Timothy Hatcher.
3148
3149         We were using this to set the subtype of an "object" type RemoteObject
3150         so we should clean up the name and call it subtype.
3151
3152         * inspector/InjectedScriptHost.h:
3153         * inspector/InjectedScriptSource.js:
3154         * inspector/JSInjectedScriptHost.cpp:
3155         (Inspector::JSInjectedScriptHost::subtype):
3156         (Inspector::JSInjectedScriptHost::type): Deleted.
3157         * inspector/JSInjectedScriptHost.h:
3158         * inspector/JSInjectedScriptHostPrototype.cpp:
3159         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
3160         (Inspector::jsInjectedScriptHostPrototypeFunctionSubtype):
3161         (Inspector::jsInjectedScriptHostPrototypeFunctionType): Deleted.
3162
3163 2015-01-23  Michael Saboff  <msaboff@apple.com>
3164
3165         LayoutTests/js/script-tests/reentrant-caching.js crashing on 32 bit builds
3166         https://bugs.webkit.org/show_bug.cgi?id=140843
3167
3168         Reviewed by Oliver Hunt.
3169
3170         When we are in vmEntryToJavaScript, we keep the stack pointer at an
3171         alignment suitable for pointing to a call frame header, which is the
3172         alignment post making a call.  We adjust the sp when calling to JS code,
3173         but don't adjust it before calling the out of stack handler.
3174
3175         * llint/LowLevelInterpreter32_64.asm:
3176         Moved stack pointer down 8 bytes to get it aligned.
3177
3178 2015-01-23  Joseph Pecoraro  <pecoraro@apple.com>
3179
3180         Web Inspector: Object Previews in the Console
3181         https://bugs.webkit.org/show_bug.cgi?id=129204
3182
3183         Reviewed by Timothy Hatcher.
3184
3185         Update the very old, unused object preview code. Part of this comes from
3186         the earlier WebKit legacy implementation, and the Blink implementation.
3187
3188         A RemoteObject may include a preview, if it is asked for, and if the
3189         RemoteObject is an object. Previews are a shallow (single level) list
3190         of a limited number of properties on the object. The previewed
3191         properties are always stringified (even if primitives). Previews are
3192         limited to just 5 properties or 100 indices. Previews are marked
3193         as lossless if they are a complete snapshot of the object.
3194
3195         There is a path to make previews two levels deep, that is currently
3196         unused but should soon be used for tables (e.g. IndexedDB).
3197
3198         * inspector/InjectedScriptSource.js:
3199         - Move some code off of InjectedScript to be generic functions
3200         usable by RemoteObject as well.
3201         - Update preview generation to use 
3202
3203         * inspector/protocol/Runtime.json:
3204         - Add a new type, "accessor" for preview objects. This represents
3205         a getter / setter. We currently don't get the value.
3206
3207 2015-01-23  Michael Saboff  <msaboff@apple.com>
3208
3209         Immediate crash when setting JS breakpoint
3210         https://bugs.webkit.org/show_bug.cgi?id=140811
3211
3212         Reviewed by Mark Lam.
3213
3214         When the DFG stack layout phase doesn't allocate a register for the scope register,
3215         it incorrectly sets the scope register in the code block to a bad value, one with
3216         an offset of 0.  Changed it so that we set the code block's scope register to the 
3217         invalid VirtualRegister instead.
3218
3219         No tests needed as adding the ASSERT in setScopeRegister() was used to find the bug.
3220         We crash with that ASSERT in testapi and likely many other tests as well.
3221
3222         * bytecode/CodeBlock.cpp:
3223         (JSC::CodeBlock::CodeBlock):
3224         * bytecode/CodeBlock.h:
3225         (JSC::CodeBlock::setScopeRegister):
3226         (JSC::CodeBlock::scopeRegister):
3227         Added ASSERTs to catch any future improper setting of the code block's scope register.
3228
3229         * dfg/DFGStackLayoutPhase.cpp:
3230         (JSC::DFG::StackLayoutPhase::run):
3231
3232 2015-01-22  Mark Hahnenberg  <mhahnenb@gmail.com>
3233
3234         EdenCollections unnecessarily visit SmallStrings
3235         https://bugs.webkit.org/show_bug.cgi?id=140762
3236
3237         Reviewed by Geoffrey Garen.
3238
3239         * heap/Heap.cpp:
3240         (JSC::Heap::copyBackingStores): Also added a GCPhase for copying
3241         backing stores, which is a significant portion of garbage collection.
3242         (JSC::Heap::visitSmallStrings): Check to see if we need to visit
3243         SmallStrings based on the collection type.
3244         * runtime/SmallStrings.cpp:
3245         (JSC::SmallStrings::SmallStrings):
3246         (JSC::SmallStrings::visitStrongReferences): Set the fact that we have
3247         visited the SmallStrings since the last modification.
3248         * runtime/SmallStrings.h:
3249         (JSC::SmallStrings::needsToBeVisited): If we're doing a
3250         FullCollection, we need to visit. Otherwise, it depends on whether
3251         we've been visited since the last modification/allocation.
3252
3253 2015-01-22  Ryosuke Niwa  <rniwa@webkit.org>
3254
3255         Add a build flag for ES6 class syntax
3256         https://bugs.webkit.org/show_bug.cgi?id=140760
3257
3258         Reviewed by Michael Saboff.
3259
3260         Added ES6_CLASS_SYNTAX build flag and used it in tokenizer to recognize
3261         "class", "extends", "static" and "super" keywords.
3262
3263         * Configurations/FeatureDefines.xcconfig:
3264         * parser/Keywords.table:
3265         * parser/ParserTokens.h:
3266
3267 2015-01-22  Commit Queue  <commit-queue@webkit.org>
3268
3269         Unreviewed, rolling out r178894.
3270         https://bugs.webkit.org/show_bug.cgi?id=140775
3271
3272         Broke JSC and bindings tests (Requested by ap_ on #webkit).
3273
3274         Reverted changeset:
3275
3276         "put_by_val_direct need to check the property is index or not
3277         for using putDirect / putDirectIndex"
3278         https://bugs.webkit.org/show_bug.cgi?id=140426
3279         http://trac.webkit.org/changeset/178894
3280
3281 2015-01-22  Mark Lam  <mark.lam@apple.com>
3282
3283         BytecodeGenerator::initializeCapturedVariable() sets a misleading value for the 5th operand of op_put_to_scope.
3284         <https://webkit.org/b/140743>
3285
3286         Reviewed by Oliver Hunt.
3287
3288         BytecodeGenerator::initializeCapturedVariable() was setting the 5th operand to
3289         op_put_to_scope to an inappropriate value (i.e. 0).  As a result, the execution
3290         of put_to_scope could store a wrong inferred value into the VariableWatchpointSet
3291         for whichever captured variable is at local index 0.  In practice, this turns
3292         out to be the local for the Arguments object.  In this reproduction case in the
3293         bug, the wrong inferred value written there is the boolean true.
3294
3295         Subsequently, DFG compilation occurs and CreateArguments is emitted to first do
3296         a check of the local for the Arguments object.  But because that local has a
3297         wrong inferred value, the check always discovers a non-null value and we never
3298         actually create the Arguments object.  Immediately after this, an OSR exit
3299         occurs leaving the Arguments object local uninitialized.  Later on at arguments
3300         tear off, we run into a boolean true where we had expected to find an Arguments
3301         object, which in turn, leads to the crash.
3302
3303         The fix is to:
3304         1. In the case where the resolveModeType is LocalClosureVar, change the
3305            5th operand of op_put_to_scope to be a boolean.  True means that the
3306            local var is watchable.  False means it is not watchable.  We no longer
3307            pass the local index (instead of true) and UINT_MAX (instead of false).
3308
3309            This allows us to express more clearly in the code what that value means,
3310            as well as remove the redundant way of getting the local's identifier.
3311            The identifier is always the one passed in the 2nd operand. 
3312
3313         2. Previously, though intuitively, we know that the watchable variable
3314            identifier should be the same as the one that is passed in operand 2, this
3315            relationship was not clear in the code.  By code analysis, I confirmed that 
3316            the callers of BytecodeGenerator::emitPutToScope() always use the same
3317            identifier for operand 2 and for filling out the ResolveScopeInfo from
3318            which we get the watchable variable identifier later.  I've changed the
3319            code to make this clear now by always using the identifier passed in
3320            operand 2.
3321
3322         3. In the case where the resolveModeType is LocalClosureVar,
3323            initializeCapturedVariable() and emitPutToScope() will now query
3324            hasWatchableVariable() to determine if the local is watchable or not.
3325            Accordingly, we pass the boolean result of hasWatchableVariable() as
3326            operand 5 of op_put_to_scope.
3327
3328         Also added some assertions.
3329
3330         * bytecode/CodeBlock.cpp:
3331         (JSC::CodeBlock::CodeBlock):
3332         * bytecompiler/BytecodeGenerator.cpp:
3333         (JSC::BytecodeGenerator::initializeCapturedVariable):
3334         (JSC::BytecodeGenerator::hasConstant):
3335         (JSC::BytecodeGenerator::emitPutToScope):
3336         * bytecompiler/BytecodeGenerator.h:
3337         (JSC::BytecodeGenerator::hasWatchableVariable):
3338         (JSC::BytecodeGenerator::watchableVariableIdentifier):
3339         (JSC::BytecodeGenerator::watchableVariable): Deleted.
3340
3341 2015-01-22  Ryosuke Niwa  <rniwa@webkit.org>
3342
3343         PropertyListNode::emitNode duplicates the code to put a constant property
3344         https://bugs.webkit.org/show_bug.cgi?id=140761
3345
3346         Reviewed by Geoffrey Garen.
3347
3348         Extracted PropertyListNode::emitPutConstantProperty to share the code.
3349
3350         Also made PropertyListNode::emitBytecode private since nobody is calling this function directly.
3351
3352         * bytecompiler/NodesCodegen.cpp: