[GTK] Clean up compiler optimization flags for libWTF, libJSC
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2013-12-23  Zan Dobersek  <zdobersek@igalia.com>
2
3         [GTK] Clean up compiler optimization flags for libWTF, libJSC
4         https://bugs.webkit.org/show_bug.cgi?id=126157
5
6         Reviewed by Gustavo Noronha Silva.
7
8         * GNUmakefile.am: Remove the -fstrict-aliasing and -O3 compiler flags for libWTF.la. -O3 gets
9         overridden by -O2 that's listed in CXXFLAGS (or -O0 in case of debug builds) and -fstrict-aliasing
10         is enabled when -O2 is used (and shouldn't be enabled in debug builds anyway).
11
12 2013-12-22  Martin Robinson  <mrobinson@igalia.com>
13
14         [CMake] Fix typo from r160812
15         https://bugs.webkit.org/show_bug.cgi?id=126145
16
17         Reviewed by Gustavo Noronha Silva.
18
19         * CMakeLists.txt: Fix typo when detecting the type of library.
20
21 2013-12-22  Martin Robinson  <mrobinson@igalia.com>
22
23         [GTK][CMake] libtool-compatible soversion calculation
24         https://bugs.webkit.org/show_bug.cgi?id=125511
25
26         Reviewed by Gustavo Noronha Silva.
27
28         * CMakeLists.txt: Use the POPULATE_LIBRARY_VERSION macro and the
29         library-specific version information.
30
31 2013-12-23  Gustavo Noronha Silva  <gns@gnome.org>
32
33         [GTK] [CMake] Generate pkg-config files
34         https://bugs.webkit.org/show_bug.cgi?id=125685
35
36         Reviewed by Martin Robinson.
37
38         * PlatformGTK.cmake: Added. Generate javascriptcoregtk-3.0.pc.
39
40 2013-12-22  Benjamin Poulain  <benjamin@webkit.org>
41
42         Create a skeleton for CSS Selector code generation
43         https://bugs.webkit.org/show_bug.cgi?id=126044
44
45         Reviewed by Antti Koivisto and Gavin Barraclough.
46
47         * assembler/LinkBuffer.h:
48         Add a new owner UID for code compiled for CSS.
49         Export the symbols needed to link code from WebCore.
50
51 2013-12-19  Mark Hahnenberg  <mhahnenberg@apple.com>
52
53         Clean up DFG write barriers
54         https://bugs.webkit.org/show_bug.cgi?id=126047
55
56         Reviewed by Filip Pizlo.
57
58         * dfg/DFGSpeculativeJIT.cpp:
59         (JSC::DFG::SpeculativeJIT::storeToWriteBarrierBuffer): Use the register allocator to 
60         determine which registers need saving instead of saving every single one of them.
61         (JSC::DFG::SpeculativeJIT::osrWriteBarrier): We don't need to save live register state 
62         because the write barriers during OSR execute when there are no live registers. Also we  
63         don't need to use pushes to pad the stack pointer for pokes on x86; we can just use an add.
64         (JSC::DFG::SpeculativeJIT::writeBarrier):
65         * dfg/DFGSpeculativeJIT.h:
66         * jit/Repatch.cpp:
67         (JSC::emitPutReplaceStub):
68         (JSC::emitPutTransitionStub):
69         * runtime/VM.h: Get rid of writeBarrierRegisterBuffer since it's no longer used.
70
71 2013-12-20  Balazs Kilvady  <kilvadyb@homejinni.com>
72
73         [MIPS] Missing MacroAssemblerMIPS::branchTest8(ResultCondition, BaseIndex, TrustedImm32)
74         https://bugs.webkit.org/show_bug.cgi?id=126062
75
76         Reviewed by Mark Hahnenberg.
77
78         * assembler/MacroAssemblerMIPS.h:
79         (JSC::MacroAssemblerMIPS::branchTest8):
80
81 2013-12-20  Julien Brianceau  <jbriance@cisco.com>
82
83         [sh4] Add missing implementation in MacroAssembler to fix build.
84         https://bugs.webkit.org/show_bug.cgi?id=126063
85
86         Reviewed by Mark Hahnenberg.
87
88         * assembler/MacroAssemblerSH4.h:
89         (JSC::MacroAssemblerSH4::branchTest8):
90
91 2013-12-20  Julien Brianceau  <jbriance@cisco.com>
92
93         [arm] Add missing implementation in MacroAssembler to fix CPU(ARM_TRADITIONAL) build.
94         https://bugs.webkit.org/show_bug.cgi?id=126064
95
96         Reviewed by Mark Hahnenberg.
97
98         * assembler/MacroAssemblerARM.h:
99         (JSC::MacroAssemblerARM::branchTest8):
100
101 2013-12-19  Joseph Pecoraro  <pecoraro@apple.com>
102
103         Web Inspector: Add InspectorFrontendHost.debuggableType to let the frontend know its backend is JavaScript or Web
104         https://bugs.webkit.org/show_bug.cgi?id=126016
105
106         Reviewed by Timothy Hatcher.
107
108         * inspector/remote/RemoteInspector.mm:
109         (Inspector::RemoteInspector::listingForDebuggable):
110         * inspector/remote/RemoteInspectorConstants.h:
111         Include a debuggable type identifier in the debuggable listing,
112         so the remote frontend can know if it is debugging a Web Page
113         or JS Context.
114
115 2013-12-19  Benjamin Poulain  <benjamin@webkit.org>
116
117         Add a utility class to simplify generating function calls
118         https://bugs.webkit.org/show_bug.cgi?id=125972
119
120         Reviewed by Geoffrey Garen.
121
122         Split branchTest32 in two functions: test32AndSetFlags and branchOnFlags.
123         This is done to allow code where the flags are set, multiple operations that
124         do not modify the flags occur, then the flags are used.
125
126         This is used for function calls to test the return value while discarding the
127         return register.
128
129         * assembler/MacroAssemblerX86Common.h:
130         (JSC::MacroAssemblerX86Common::test32AndSetFlags):
131         (JSC::MacroAssemblerX86Common::branchOnFlags):
132         (JSC::MacroAssemblerX86Common::branchTest32):
133
134 2013-12-19  Mark Hahnenberg  <mhahnenberg@apple.com>
135
136         Put write barriers in the right places in the baseline JIT
137         https://bugs.webkit.org/show_bug.cgi?id=125975
138
139         Reviewed by Filip Pizlo.
140
141         * jit/JIT.cpp:
142         (JSC::JIT::privateCompileSlowCases):
143         * jit/JIT.h:
144         * jit/JITInlines.h:
145         (JSC::JIT::callOperation):
146         (JSC::JIT::emitArrayProfilingSite):
147         * jit/JITOpcodes.cpp:
148         (JSC::JIT::emit_op_enter):
149         (JSC::JIT::emitSlow_op_enter):
150         * jit/JITOpcodes32_64.cpp:
151         (JSC::JIT::emit_op_enter):
152         (JSC::JIT::emitSlow_op_enter):
153         * jit/JITPropertyAccess.cpp:
154         (JSC::JIT::emit_op_put_by_val):
155         (JSC::JIT::emitGenericContiguousPutByVal):
156         (JSC::JIT::emitArrayStoragePutByVal):
157         (JSC::JIT::emit_op_put_by_id):
158         (JSC::JIT::emitPutGlobalProperty):
159         (JSC::JIT::emitPutGlobalVar):
160         (JSC::JIT::emitPutClosureVar):
161         (JSC::JIT::emit_op_init_global_const):
162         (JSC::JIT::checkMarkWord):
163         (JSC::JIT::emitWriteBarrier):
164         (JSC::JIT::privateCompilePutByVal):
165         * jit/JITPropertyAccess32_64.cpp:
166         (JSC::JIT::emitGenericContiguousPutByVal):
167         (JSC::JIT::emitArrayStoragePutByVal):
168         (JSC::JIT::emit_op_put_by_id):
169         (JSC::JIT::emitSlow_op_put_by_id):
170         (JSC::JIT::emitPutGlobalProperty):
171         (JSC::JIT::emitPutGlobalVar):
172         (JSC::JIT::emitPutClosureVar):
173         (JSC::JIT::emit_op_init_global_const):
174         * jit/Repatch.cpp:
175         (JSC::emitPutReplaceStub):
176         (JSC::emitPutTransitionStub):
177         (JSC::repatchPutByID):
178         * runtime/CommonSlowPaths.cpp:
179         (JSC::SLOW_PATH_DECL):
180         * runtime/CommonSlowPaths.h:
181
182 2013-12-19  Brent Fulgham  <bfulgham@apple.com>
183
184         Implement ArrayBuffer.isView
185         https://bugs.webkit.org/show_bug.cgi?id=126004
186
187         Reviewed by Filip Pizlo.
188
189         Test coverage in webgl/1.0.2/resources/webgl_test_files/conformance/typedarrays/array-unit-tests.html
190
191         * runtime/JSArrayBufferConstructor.cpp:
192         (JSC::JSArrayBufferConstructor::finishCreation): Add 'isView' to object constructor.
193         (JSC::arrayBufferFuncIsView): New method.
194
195 2013-12-19  Mark Lam  <mark.lam@apple.com>
196
197         Fix broken C loop LLINT build.
198         https://bugs.webkit.org/show_bug.cgi?id=126024.
199
200         Reviewed by Oliver Hunt.
201
202         * runtime/VM.h:
203
204 2013-12-18  Mark Hahnenberg  <mhahnenberg@apple.com>
205
206         DelayedReleaseScope is in the wrong place
207         https://bugs.webkit.org/show_bug.cgi?id=125876
208
209         Reviewed by Geoffrey Garen.
210
211         The DelayedReleaseScope needs to be around the free list sweeping in MarkedAllocator::tryAllocateHelper. 
212         This location gives us a good safe point between getting ready to allocate (i.e. identifying a non-empty
213         free list) and doing the actual allocation (popping the free list).
214
215         * heap/MarkedAllocator.cpp:
216         (JSC::MarkedAllocator::tryAllocateHelper):
217         (JSC::MarkedAllocator::allocateSlowCase):
218         (JSC::MarkedAllocator::addBlock):
219         * runtime/JSCellInlines.h:
220         (JSC::allocateCell):
221
222 2013-12-18  Gustavo Noronha Silva  <gns@gnome.org>
223
224         [GTK][CMake] make libjavascriptcoregtk a public shared library again
225         https://bugs.webkit.org/show_bug.cgi?id=125512
226
227         Reviewed by Martin Robinson.
228
229         * CMakeLists.txt: use target type instead of SHARED_CORE to decide whether
230         JavaScriptCore is a shared library, since it's always shared for GTK+ regardless
231         of SHARED_CORE.
232
233 2013-12-18  Benjamin Poulain  <benjamin@webkit.org>
234
235         Add a simple stack abstraction for x86_64
236         https://bugs.webkit.org/show_bug.cgi?id=125908
237
238         Reviewed by Geoffrey Garen.
239
240         * assembler/MacroAssemblerX86_64.h:
241         (JSC::MacroAssemblerX86_64::addPtrNoFlags):
242         Add an explicit abstraction for the "lea" instruction. This is needed
243         by the experimental JIT to have add and subtract without changing the flags.
244
245         This is useful for function calls to test the return value, restore the registers,
246         then branch on the flags from the return value.
247
248 2013-12-18  Mark Hahnenberg  <mhahnenberg@apple.com>
249
250         DFG should have a separate StoreBarrier node
251         https://bugs.webkit.org/show_bug.cgi?id=125530
252
253         Reviewed by Filip Pizlo.
254
255         This is in preparation for GenGC. We use a separate StoreBarrier node instead of making them implicitly 
256         part of other nodes so that it's easier to run analyses on them, e.g. for the StoreBarrierElisionPhase. 
257         They are inserted during the fixup phase. Initially they do not generate any code.
258
259         * CMakeLists.txt:
260         * GNUmakefile.list.am:
261         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
262         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
263         * JavaScriptCore.xcodeproj/project.pbxproj:
264         * dfg/DFGAbstractHeap.h:
265         * dfg/DFGAbstractInterpreter.h:
266         (JSC::DFG::AbstractInterpreter::isKnownNotCell):
267         * dfg/DFGAbstractInterpreterInlines.h:
268         (JSC::DFG::::executeEffects):
269         * dfg/DFGClobberize.h:
270         (JSC::DFG::clobberizeForAllocation):
271         (JSC::DFG::clobberize):
272         * dfg/DFGConstantFoldingPhase.cpp:
273         (JSC::DFG::ConstantFoldingPhase::foldConstants): Whenever we insert new nodes that require StoreBarriers,
274         we have to add those new StoreBarriers too. It's important to note that AllocatePropertyStorage and 
275         ReallocatePropertyStorage nodes require their StoreBarriers to come after them since they allocate first,
276         which could cause a GC, and then store the resulting buffer into their JSCell, which requires the barrier.
277         If we ever require that write barriers occur before stores, we'll have to split these nodes into 
278         AllocatePropertyStorage + StoreBarrier + PutPropertyStorage.
279         * dfg/DFGFixupPhase.cpp:
280         (JSC::DFG::FixupPhase::fixupNode):
281         (JSC::DFG::FixupPhase::insertStoreBarrier):
282         * dfg/DFGNode.h:
283         (JSC::DFG::Node::isStoreBarrier):
284         * dfg/DFGNodeType.h:
285         * dfg/DFGOSRExitCompiler32_64.cpp:
286         (JSC::DFG::OSRExitCompiler::compileExit):
287         * dfg/DFGOSRExitCompiler64.cpp:
288         (JSC::DFG::OSRExitCompiler::compileExit):
289         * dfg/DFGPlan.cpp:
290         (JSC::DFG::Plan::compileInThreadImpl):
291         * dfg/DFGPredictionPropagationPhase.cpp:
292         (JSC::DFG::PredictionPropagationPhase::propagate):
293         * dfg/DFGSafeToExecute.h:
294         (JSC::DFG::safeToExecute):
295         * dfg/DFGSpeculativeJIT.cpp:
296         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
297         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
298         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
299         (JSC::DFG::SpeculativeJIT::genericWriteBarrier): The fast path write barrier check. It loads the 
300         byte that contains the mark bit of the object. 
301         (JSC::DFG::SpeculativeJIT::storeToWriteBarrierBuffer): If the fast path check fails we try to store the 
302         cell in the WriteBarrierBuffer so as to avoid frequently flushing all registers in order to make a C call.
303         (JSC::DFG::SpeculativeJIT::writeBarrier):
304         (JSC::DFG::SpeculativeJIT::osrWriteBarrier): More barebones version of the write barrier to be executed 
305         during an OSR exit into baseline code. We must do this so that the baseline JIT object and array profiles 
306         are properly cleared during GC.
307         * dfg/DFGSpeculativeJIT.h:
308         (JSC::DFG::SpeculativeJIT::callOperation):
309         * dfg/DFGSpeculativeJIT32_64.cpp:
310         (JSC::DFG::SpeculativeJIT::cachedPutById):
311         (JSC::DFG::SpeculativeJIT::compileBaseValueStoreBarrier):
312         (JSC::DFG::SpeculativeJIT::compile):
313         (JSC::DFG::SpeculativeJIT::writeBarrier):
314         * dfg/DFGSpeculativeJIT64.cpp:
315         (JSC::DFG::SpeculativeJIT::cachedPutById):
316         (JSC::DFG::SpeculativeJIT::compileBaseValueStoreBarrier):
317         (JSC::DFG::SpeculativeJIT::compile):
318         (JSC::DFG::SpeculativeJIT::writeBarrier):
319         * dfg/DFGStoreBarrierElisionPhase.cpp: Added. New DFG phase that does block-local elision of redundant
320         StoreBarriers. Every time a StoreBarrier on a particular object is executed, a bit is set indicating that 
321         that object doesn't need any more StoreBarriers. 
322         (JSC::DFG::StoreBarrierElisionPhase::StoreBarrierElisionPhase):
323         (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC): Nodes that could cause a GC reset the bits for all of the 
324         objects known in the current block. 
325         (JSC::DFG::StoreBarrierElisionPhase::allocatesFreshObject): A node that creates a new object automatically 
326         sets the bit for that object since if a GC occurred as the result of that object's allocation then that 
327         object would not need a barrier since it would be guaranteed to be a young generation object until the 
328         next GC point.
329         (JSC::DFG::StoreBarrierElisionPhase::noticeFreshObject):
330         (JSC::DFG::StoreBarrierElisionPhase::getBaseOfStore):
331         (JSC::DFG::StoreBarrierElisionPhase::shouldBeElided):
332         (JSC::DFG::StoreBarrierElisionPhase::elideBarrier):
333         (JSC::DFG::StoreBarrierElisionPhase::handleNode):
334         (JSC::DFG::StoreBarrierElisionPhase::handleBlock):
335         (JSC::DFG::StoreBarrierElisionPhase::run):
336         (JSC::DFG::performStoreBarrierElision):
337         * dfg/DFGStoreBarrierElisionPhase.h: Added.
338         * heap/Heap.cpp:
339         (JSC::Heap::Heap):
340         (JSC::Heap::flushWriteBarrierBuffer):
341         * heap/Heap.h:
342         (JSC::Heap::writeBarrier):
343         * heap/MarkedBlock.h:
344         (JSC::MarkedBlock::offsetOfMarks):
345         * heap/WriteBarrierBuffer.cpp: Added. The WriteBarrierBuffer buffers a set of JSCells that are awaiting 
346         a pending WriteBarrier. This buffer is used by the DFG to avoid the overhead of calling out to C repeatedly
347         to invoke a write barrier on a single JSCell. Instead the DFG has inline code to fill the WriteBarrier buffer
348         until it's full, and then to call out to C to flush it. The WriteBarrierBuffer will also be flushed prior to
349         each EdenCollection.
350         (JSC::WriteBarrierBuffer::WriteBarrierBuffer):
351         (JSC::WriteBarrierBuffer::~WriteBarrierBuffer):
352         (JSC::WriteBarrierBuffer::flush):
353         (JSC::WriteBarrierBuffer::reset):
354         (JSC::WriteBarrierBuffer::add):
355         * heap/WriteBarrierBuffer.h: Added.
356         (JSC::WriteBarrierBuffer::currentIndexOffset):
357         (JSC::WriteBarrierBuffer::capacityOffset):
358         (JSC::WriteBarrierBuffer::bufferOffset):
359         * jit/JITOperations.cpp:
360         * jit/JITOperations.h:
361         * runtime/VM.h:
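As an added illustration, not code from JavaScriptCore, here is a model of the block-local elision that the DFGStoreBarrierElisionPhase entry above describes. The node kinds, object ids and sample block are constructed, and couldCauseGC / allocatesFreshObject are hypothetical stand-ins for the phase's predicates of the same name; the rules follow the entry: a barrier on object X covers later stores to X in the same block, a fresh allocation covers its result the same way, and any node that could cause a GC resets all of that.

```cpp
// Added example, not JavaScriptCore code: a simplified model of block-local
// StoreBarrier elision. Node kinds, object ids and the sample block are constructed.
#include <cstddef>
#include <cstdio>
#include <set>
#include <vector>

enum class NodeKind {
    NewObject,     // allocates a fresh object; its id is in `result`
    StoreBarrier,  // barrier on the object in `base`
    PutByOffset,   // store into the object in `base` (fixup put a StoreBarrier before it)
    Call,          // may allocate, so it could cause a GC
    ArithAdd       // pure: cannot allocate or GC
};

struct Node {
    NodeKind kind;
    int base;     // object id the node stores into / barriers, or -1
    int result;   // object id produced by NewObject, or -1
    bool elided;  // set by the phase for StoreBarriers that were removed
};

// Hypothetical stand-ins for the real phase's couldCauseGC / allocatesFreshObject.
static bool couldCauseGC(NodeKind k) {
    return k == NodeKind::Call || k == NodeKind::NewObject;
}
static bool allocatesFreshObject(NodeKind k) {
    return k == NodeKind::NewObject;
}

// Walks one basic block in order, marks redundant barriers and returns how many were elided.
std::size_t elideStoreBarriers(std::vector<Node>& block) {
    std::set<int> barrierDone;  // objects covered by a barrier (or freshly allocated) since the last GC point
    std::size_t elided = 0;
    for (Node& node : block) {
        if (couldCauseGC(node.kind))
            barrierDone.clear();             // after a collection any of them might be old
        if (allocatesFreshObject(node.kind))
            barrierDone.insert(node.result); // a fresh object stays young until the next GC point
        if (node.kind != NodeKind::StoreBarrier)
            continue;
        if (barrierDone.count(node.base)) {
            node.elided = true;
            ++elided;
        } else {
            barrierDone.insert(node.base);   // this barrier covers later stores to the same base
        }
    }
    return elided;
}

// Constructed sample block (object ids 1 and 2; object 2 is assumed to come from outside the block).
std::vector<Node> sampleBlock() {
    return {
        {NodeKind::NewObject,    -1,  1, false},
        {NodeKind::StoreBarrier,  1, -1, false},  // elided: object 1 is fresh
        {NodeKind::PutByOffset,   1, -1, false},
        {NodeKind::StoreBarrier,  1, -1, false},  // elided: already covered
        {NodeKind::PutByOffset,   1, -1, false},
        {NodeKind::Call,         -1, -1, false},  // GC point: all marks reset
        {NodeKind::StoreBarrier,  1, -1, false},  // kept: object 1 may be old now
        {NodeKind::PutByOffset,   1, -1, false},
        {NodeKind::StoreBarrier,  2, -1, false},  // kept: first barrier on object 2
        {NodeKind::PutByOffset,   2, -1, false},
        {NodeKind::ArithAdd,     -1, -1, false},  // pure node: marks survive
        {NodeKind::StoreBarrier,  2, -1, false},  // elided: covered by the barrier above
        {NodeKind::PutByOffset,   2, -1, false},
    };
}

int main() {
    std::vector<Node> block = sampleBlock();
    std::printf("elided %zu of the block's StoreBarriers\n", elideStoreBarriers(block));
    return 0;
}
```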
362
363 2013-12-18  Carlos Garcia Campos  <cgarcia@igalia.com>
364
365         Unreviewed. Fix make distcheck.
366
367         * GNUmakefile.am:
368
369 2013-12-17  Julien Brianceau  <jbriance@cisco.com>
370
371         Fix armv7 and sh4 builds.
372         https://bugs.webkit.org/show_bug.cgi?id=125848
373
374         Reviewed by Csaba Osztrogonác.
375
376         * assembler/ARMv7Assembler.h: Include limits.h for INT_MIN.
377         * assembler/SH4Assembler.h: Include limits.h for INT_MIN.
378
379 2013-12-16  Oliver Hunt  <oliver@apple.com>
380
381         Avoid indirect function calls for custom getters
382         https://bugs.webkit.org/show_bug.cgi?id=125821
383
384         Reviewed by Mark Hahnenberg.
385
386         Rather than invoking a helper function to perform an indirect call
387         through a function pointer, just have the JIT call the function directly.
388
389         Unfortunately this only works in JSVALUE64 at the moment as there
390         is not an obvious way to pass two EncodedJSValues uniformly over
391         the various affected JITs.
392
393         * jit/CCallHelpers.h:
394         (JSC::CCallHelpers::setupArguments):
395         * jit/Repatch.cpp:
396         (JSC::generateProtoChainAccessStub):
397         (JSC::tryBuildGetByIDList):
398
399 2013-12-16  Joseph Pecoraro  <pecoraro@apple.com>
400
401         Fix some whitespace issues in inspector code
402         https://bugs.webkit.org/show_bug.cgi?id=125814
403
404         Reviewed by Darin Adler.
405
406         * inspector/protocol/Debugger.json:
407         * inspector/protocol/Runtime.json:
408         * inspector/scripts/CodeGeneratorInspector.py:
409         (Generator.process_command):
410
411 2013-12-16  Mark Hahnenberg  <mhahnenberg@apple.com>
412
413         Add some missing functions to MacroAssembler
414         https://bugs.webkit.org/show_bug.cgi?id=125809
415
416         Reviewed by Oliver Hunt.
417
418         * assembler/AbstractMacroAssembler.h:
419         * assembler/AssemblerBuffer.h:
420         * assembler/LinkBuffer.cpp:
421         * assembler/MacroAssembler.h:
422         (JSC::MacroAssembler::storePtr):
423         (JSC::MacroAssembler::andPtr):
424         * assembler/MacroAssemblerARM64.h:
425         (JSC::MacroAssemblerARM64::and64):
426         (JSC::MacroAssemblerARM64::branchTest8):
427         * assembler/MacroAssemblerARMv7.h:
428         (JSC::MacroAssemblerARMv7::branchTest8):
429         * assembler/X86Assembler.h:
430
431 2013-12-16  Brent Fulgham  <bfulgham@apple.com>
432
433         [Win] Remove dead code after conversion to VS2013
434         https://bugs.webkit.org/show_bug.cgi?id=125795
435
436         Reviewed by Darin Adler.
437
438         * API/tests/testapi.c: Remove local nan implementation
439
440 2013-12-16  Oliver Hunt  <oliver@apple.com>
441
442         Cache getters and custom accessors on the prototype chain
443         https://bugs.webkit.org/show_bug.cgi?id=125602
444
445         Reviewed by Michael Saboff.
446
447         Support caching of custom getters and accessors on the prototype chain.
448         This is relatively trivial and just requires a little work compared to
449         the direct access mode as we're under more register pressure.
450
451         * bytecode/StructureStubInfo.h:
452           Removed the unused initGetByIdProto as it was confusing to still have it present.
453         * jit/Repatch.cpp:
454         (JSC::generateProtoChainAccessStub):
455         (JSC::tryCacheGetByID):
456         (JSC::tryBuildGetByIDList):
457
458 2013-12-16  Mark Lam  <mark.lam@apple.com>
459
460         Change slow path result to take a void* instead of a ExecState*.
461         https://bugs.webkit.org/show_bug.cgi?id=125802.
462
463         Reviewed by Filip Pizlo.
464
465         This is in preparation for C Stack OSR entry work that is coming soon.
466         In the OSR entry case, we'll be returning a topOfFrame pointer value
467         instead of the ExecState*.
468
469         * offlineasm/cloop.rb:
470         * runtime/CommonSlowPaths.h:
471         (JSC::encodeResult):
472         (JSC::decodeResult):
473
474 2013-12-16  Alex Christensen  <achristensen@webkit.org>
475
476         Fixed Win64 build on VS2013.
477         https://bugs.webkit.org/show_bug.cgi?id=125753
478
479         Reviewed by Brent Fulgham.
480
481         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
482         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj:
483         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
484         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
485         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
486         * JavaScriptCore.vcxproj/jsc/jsc.vcxproj:
487         * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj:
488         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
489         Added correct PlatformToolset for 64-bit builds.
490
491 2013-12-16  Peter Szanka  <h868064@stud.u-szeged.hu>
492
493         Delete RVCT related code parts.
494         https://bugs.webkit.org/show_bug.cgi?id=125626
495
496         Reviewed by Darin Adler.
497
498         * assembler/ARMAssembler.cpp:
499         * assembler/ARMAssembler.h:
500         (JSC::ARMAssembler::cacheFlush):
501         * assembler/MacroAssemblerARM.cpp:
502         (JSC::isVFPPresent):
503         * jit/JITStubsARM.h:
504         * jit/JITStubsARMv7.h:
505
506 2013-12-15  Ryosuke Niwa  <rniwa@webkit.org>
507
508         REGRESSION: 2x regression on Dromaeo DOM query tests
509         https://bugs.webkit.org/show_bug.cgi?id=125377
510
511         Reviewed by Filip Pizlo.
512
513         The bug was caused by JSC not JIT'ing property access on "document" due to its type info having
514         the HasImpureGetOwnPropertySlot flag.
515
516         Fixed the bug with a new type info flag, NewImpurePropertyFiresWatchpoints, which allows the baseline
517         JIT to generate byte code for accessing properties on an object with named properties (a.k.a.
518         custom name getter) in DOM. When a new named property appears on the object, the VM is notified via
519         VM::addImpureProperty and fires the StructureStubClearingWatchpoint added during the repatch.
520
521         * bytecode/GetByIdStatus.cpp:
522         (JSC::GetByIdStatus::computeFromLLInt): Take the slow path if we have any object with impure
523         properties in the prototype chain.
524         (JSC::GetByIdStatus::computeForChain): Ditto.
525
526         * jit/Repatch.cpp:
527         (JSC::repatchByIdSelfAccess): Throw away the byte code when a new impure property is added on any
528         object in the prototype chain via StructureStubClearingWatchpoint.
529         (JSC::generateProtoChainAccessStub): Ditto.
530         (JSC::tryCacheGetByID):
531         (JSC::tryBuildGetByIDList):
532         (JSC::tryRepatchIn): Ditto.
533
534         * runtime/JSTypeInfo.h: Added NewImpurePropertyFiresWatchpoints.
535         (JSC::TypeInfo::newImpurePropertyFiresWatchpoints): Added.
536
537         * runtime/Operations.h:
538         (JSC::normalizePrototypeChainForChainAccess): Don't exit early if the VM will be notified of a new
539         impure property even if the object had impure properties.
540
541         * runtime/Structure.h:
542         (JSC::Structure::takesSlowPathInDFGForImpureProperty): Added. Wraps hasImpureGetOwnPropertySlot and
543         asserts that newImpurePropertyFiresWatchpoints is true whenever hasImpureGetOwnPropertySlot is true.
544
545         * runtime/VM.cpp:
546         (JSC::VM::registerWatchpointForImpureProperty): Added.
547         (JSC::VM::addImpureProperty): Added. HTMLDocument calls it to notify JSC of a new impure property.
548
549         * runtime/VM.h:
550
551 2013-12-15  Andy Estes  <aestes@apple.com>
552
553         [iOS] Upstream changes to FeatureDefines.xcconfig
554         https://bugs.webkit.org/show_bug.cgi?id=125742
555
556         Reviewed by Dan Bernstein.
557
558         * Configurations/FeatureDefines.xcconfig:
559
560 2013-12-14  Filip Pizlo  <fpizlo@apple.com>
561
562         FTL should *really* know when things are flushed
563         https://bugs.webkit.org/show_bug.cgi?id=125747
564
565         Reviewed by Sam Weinig.
566         
567         Fix more codegen badness. This makes V8v7's crypto am3() function run faster in the FTL
568         than in DFG. This means that even if we just compile those functions in V8v7 that don't
569         make calls, the FTL gives us a 2% speed-up over the DFG. That's pretty good considering
570         that we have still more optimizations to fix and we can make calls work.
571
572         * dfg/DFGSSAConversionPhase.cpp:
573         (JSC::DFG::SSAConversionPhase::run):
574         * ftl/FTLCompile.cpp:
575         (JSC::FTL::fixFunctionBasedOnStackMaps):
576
577 2013-12-14  Andy Estes  <aestes@apple.com>
578
579         Unify FeatureDefines.xcconfig
580         https://bugs.webkit.org/show_bug.cgi?id=125741
581
582         Rubber-stamped by Dan Bernstein.
583
584         * Configurations/FeatureDefines.xcconfig: Enable ENABLE_MEDIA_SOURCE.
585
586 2013-12-14  Mark Rowe  <mrowe@apple.com>
587
588         Build fix after r160557.
589
590         r160557 added the first generated header to JavaScriptCore that needs to be installed into
591         the framework wrapper. Sadly JavaScriptCore's Derived Sources target was not set to generate
592         headers when invoked as part of the installhdrs action. This resulted in the build failing
593         due to Xcode being unable to find the header file to install. The fix for this is to configure
594         the Derived Sources target to use JavaScriptCore.xcconfig, which sets INSTALLHDRS_SCRIPT_PHASE
595         to YES and allows Xcode to generate derived sources during the installhdrs action.
596
597         Enabling INSTALLHDRS_SCRIPT_PHASE required tweaking the Generate Derived Sources script build
598         phase to skip running code related to offlineasm that depends on JSCLLIntOffsetExtractor
599         having been compiled, which isn't the case at installhdrs time.
600
601         * JavaScriptCore.xcodeproj/project.pbxproj:
602
603 2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>
604
605         Some Set and Map prototype functions have incorrect function lengths
606         https://bugs.webkit.org/show_bug.cgi?id=125732
607
608         Reviewed by Oliver Hunt.
609
610         * runtime/MapPrototype.cpp:
611         (JSC::MapPrototype::finishCreation):
612         * runtime/SetPrototype.cpp:
613         (JSC::SetPrototype::finishCreation):
614
615 2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>
616
617         Web Inspector: Move Inspector and Debugger protocol domains into JavaScriptCore
618         https://bugs.webkit.org/show_bug.cgi?id=125707
619
620         Reviewed by Timothy Hatcher.
621
622         * CMakeLists.txt:
623         * DerivedSources.make:
624         * GNUmakefile.am:
625         * inspector/protocol/Debugger.json: Renamed from Source/WebCore/inspector/protocol/Debugger.json.
626         * inspector/protocol/GenericTypes.json: Added.
627         * inspector/protocol/InspectorDomain.json: Renamed from Source/WebCore/inspector/protocol/InspectorDomain.json.
628         Add new files to inspector generation.
629
630         * inspector/scripts/CodeGeneratorInspector.py:
631         (Generator.go):
632         Only build TypeBuilder output if the domain only has types. Avoid
633         backend/frontend dispatchers and backend commands.
634
635         (TypeBindings.create_type_declaration_.EnumBinding.get_setter_value_expression_pattern):
636         (format_setter_value_expression):
637         (Generator.process_command):
638         (Generator.generate_send_method):
639         * inspector/scripts/CodeGeneratorInspectorStrings.py:
640         Export and name the get{JS,Web}EnumConstant function.
641
642 2013-12-11  Filip Pizlo  <fpizlo@apple.com>
643
644         Get rid of forward exit on UInt32ToNumber by adding an op_unsigned bytecode instruction
645         https://bugs.webkit.org/show_bug.cgi?id=125553
646
647         Reviewed by Oliver Hunt.
648         
649         UInt32ToNumber was a super complicated node because it had to do a speculation, but it
650         would do it after we already had computed the urshift. It couldn't just jump back to the
651         beginning of the urshift because the inputs to the urshift weren't necessarily live
652         anymore. We couldn't jump forward to the beginning of the next instruction because the
653         result of the urshift was not yet unsigned-converted.
654         
655         For a while we solved this by forward-exiting in UInt32ToNumber. But that's really
656         gross and I want to get rid of all forward exits. They cause a lot of bugs.
657         
658         We could also have turned UInt32ToNumber to a backwards exit by forcing the inputs to
659         the urshift to be live. I figure that this might be a bit too extreme.
660         
661         So, I just created a new place that we can exit to: I split op_urshift into op_urshift
662         followed by op_unsigned. op_unsigned is an "unsigned cast" along the lines of what
663         UInt32ToNumber does. This allows me to get rid of all of the nastiness in the DFG for
664         forward exiting in UInt32ToNumber.
665         
666         This patch enables massive code carnage in the DFG and FTL, and brings us closer to
667         eliminating one of the DFG's most confusing concepts. On the flipside, it does make the
668         bytecode slightly more complex (one new instruction). This is a profitable trade. We
669         want the DFG and FTL to trend towards simplicity, since they are both currently too
670         complicated.
671
672         * bytecode/BytecodeUseDef.h:
673         (JSC::computeUsesForBytecodeOffset):
674         (JSC::computeDefsForBytecodeOffset):
675         * bytecode/CodeBlock.cpp:
676         (JSC::CodeBlock::dumpBytecode):
677         * bytecode/Opcode.h:
678         (JSC::padOpcodeName):
679         * bytecode/ValueRecovery.cpp:
680         (JSC::ValueRecovery::dumpInContext):
681         * bytecode/ValueRecovery.h:
682         (JSC::ValueRecovery::gpr):
683         * bytecompiler/NodesCodegen.cpp:
684         (JSC::BinaryOpNode::emitBytecode):
685         (JSC::emitReadModifyAssignment):
686         * dfg/DFGByteCodeParser.cpp:
687         (JSC::DFG::ByteCodeParser::toInt32):
688         (JSC::DFG::ByteCodeParser::parseBlock):
689         * dfg/DFGClobberize.h:
690         (JSC::DFG::clobberize):
691         * dfg/DFGNodeType.h:
692         * dfg/DFGOSRExitCompiler32_64.cpp:
693         (JSC::DFG::OSRExitCompiler::compileExit):
694         * dfg/DFGOSRExitCompiler64.cpp:
695         (JSC::DFG::OSRExitCompiler::compileExit):
696         * dfg/DFGSpeculativeJIT.cpp:
697         (JSC::DFG::SpeculativeJIT::compileMovHint):
698         (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
699         * dfg/DFGSpeculativeJIT.h:
700         * dfg/DFGSpeculativeJIT32_64.cpp:
701         * dfg/DFGSpeculativeJIT64.cpp:
702         * dfg/DFGStrengthReductionPhase.cpp:
703         (JSC::DFG::StrengthReductionPhase::handleNode):
704         (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild):
705         (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild1):
706         (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild2):
707         * ftl/FTLFormattedValue.h:
708         (JSC::FTL::int32Value):
709         * ftl/FTLLowerDFGToLLVM.cpp:
710         (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):
711         * ftl/FTLValueFormat.cpp:
712         (JSC::FTL::reboxAccordingToFormat):
713         (WTF::printInternal):
714         * ftl/FTLValueFormat.h:
715         * jit/JIT.cpp:
716         (JSC::JIT::privateCompileMainPass):
717         (JSC::JIT::privateCompileSlowCases):
718         * jit/JIT.h:
719         * jit/JITArithmetic.cpp:
720         (JSC::JIT::emit_op_urshift):
721         (JSC::JIT::emitSlow_op_urshift):
722         (JSC::JIT::emit_op_unsigned):
723         (JSC::JIT::emitSlow_op_unsigned):
724         * jit/JITArithmetic32_64.cpp:
725         (JSC::JIT::emitRightShift):
726         (JSC::JIT::emitRightShiftSlowCase):
727         (JSC::JIT::emit_op_unsigned):
728         (JSC::JIT::emitSlow_op_unsigned):
729         * llint/LowLevelInterpreter32_64.asm:
730         * llint/LowLevelInterpreter64.asm:
731         * runtime/CommonSlowPaths.cpp:
732         (JSC::SLOW_PATH_DECL):
733         * runtime/CommonSlowPaths.h:
734
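The op_urshift / op_unsigned split described in the entry above, modelled as an added example (this is not JavaScriptCore's own code): op_urshift yields a raw uint32, and op_unsigned is the "unsigned cast" that decides whether that value still fits the int32 format or has to be re-boxed as a double. The function names, the {format, value} boxes and the sample inputs are this example's own.

```javascript
// Added example, not JSC code: a toy model of op_urshift followed by op_unsigned.
// The names opUrshift, opUnsigned, urshiftAsNumber and the {format, value}
// boxes are assumptions made for this example.

const INT32_MAX = 0x7fffffff;

// op_urshift: JS `>>>` semantics. ToInt32 on the left operand, shift count
// masked to 5 bits, result reinterpreted as an unsigned 32-bit integer,
// so it is always in [0, 4294967295].
function opUrshift(lhs, rhs) {
  return lhs >>> (rhs & 31);
}

// op_unsigned: the "unsigned cast". If the uint32 fits in a signed int32 we
// keep the int32 format; otherwise the value cannot be represented as int32
// and is re-boxed as a double. This is the decision point that previously
// needed a forward exit inside UInt32ToNumber.
function opUnsigned(u32) {
  if (u32 <= INT32_MAX)
    return { format: "int32", value: u32 | 0 };
  return { format: "double", value: u32 };
}

// What `a >>> b` lowers to after the split: the two ops in sequence.
function urshiftAsNumber(a, b) {
  return opUnsigned(opUrshift(a, b));
}

// Fraction of a workload (constructed pairs of operands) whose result leaves
// the int32 format. A high ratio means speculating int32 results for this
// shift is not worth it; a low one means the double re-box is a rare slow path.
function doubleRatio(pairs) {
  let doubles = 0;
  for (const [a, b] of pairs)
    if (urshiftAsNumber(a, b).format === "double") doubles++;
  return doubles / pairs.length;
}
```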
735 2013-12-13  Mark Hahnenberg  <mhahnenberg@apple.com>
736
737         LLInt should not conditionally branch to labels outside of its function
738         https://bugs.webkit.org/show_bug.cgi?id=125713
739
740         Reviewed by Geoffrey Garen.
741
742         Conditional branches are insufficient for jumping to out-of-function labels.
743         The fix is to use an unconditional jmp to the label combined with a conditional branch around the jmp.
744
745         * llint/LowLevelInterpreter32_64.asm:
746         * llint/LowLevelInterpreter64.asm:
747
748 2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>
749
750         [GTK] Remove Warnings in building about duplicate INSPECTOR variables
751         https://bugs.webkit.org/show_bug.cgi?id=125710
752
753         Reviewed by Tim Horton.
754
755         * GNUmakefile.am:
756
757 2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>
758
759         Cleanup CodeGeneratorInspectorStrings a bit
760         https://bugs.webkit.org/show_bug.cgi?id=125705
761
762         Reviewed by Timothy Hatcher.
763
764         * inspector/scripts/CodeGeneratorInspectorStrings.py:
765         Use ${foo} variable syntax and add an ASCIILiteral.
766
767 2013-12-13  Brent Fulgham  <bfulgham@apple.com>
768
769         [Win] Unreviewed build fix after r160563
770
771         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: Missed the Debug
772         target in my last patch.
773
774 2013-12-13  Brent Fulgham  <bfulgham@apple.com>
775
776         [Win] Unreviewed build fix after r160548
777
778         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: Specify
779         that we are using the vs12_xp target for Makefile-based projects.
780         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj: Ditto
781         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: Ditto.
782
783 2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>
784
785         Make inspector folder groups smarter in JavaScriptCore.xcodeproj
786         https://bugs.webkit.org/show_bug.cgi?id=125663
787
788         Reviewed by Darin Adler.
789
790         * JavaScriptCore.xcodeproj/project.pbxproj:
791
792 2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>
793
794         Web Inspector: Add Inspector Code Generation to JavaScriptCore for Runtime Domain
795         https://bugs.webkit.org/show_bug.cgi?id=125595
796
797         Reviewed by Timothy Hatcher.
798
799           - Move CodeGeneration scripts from WebCore into JavaScriptCore/inspector/scripts
800           - For ports that build WebKit frameworks separately, export the scripts as PrivateHeaders
801           - Update CodeGeneratorInspector.py in a few ways:
802             - output dynamic filenames, so JavaScriptCore generates InspectorJSFoo.* and WebCore generates InspectorWebFoo.*
803             - take in more than one protocol JSON file. The first contains domains to generate, the others are dependencies
804               that are generated elsewhere that we can depend on for Types.
805           - Add DerivedSources build step to generate the Inspector Interfaces
806
807         * CMakeLists.txt:
808         * DerivedSources.make:
809         * GNUmakefile.am:
810         * GNUmakefile.list.am:
811         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
812         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
813         * JavaScriptCore.vcxproj/copy-files.cmd:
814         * JavaScriptCore.xcodeproj/project.pbxproj:
815         Add scripts and code generation.
816
817         * inspector/protocol/Runtime.json: Renamed from Source/WebCore/inspector/protocol/Runtime.json.
818         Move protocol file into JavaScriptCore so its types will be generated in JavaScriptCore.
819
820         * inspector/scripts/CodeGeneratorInspector.py: Renamed from Source/WebCore/inspector/CodeGeneratorInspector.py.
821         Updates to the script as listed above.
822
823         * inspector/scripts/CodeGeneratorInspectorStrings.py: Renamed from Source/WebCore/inspector/CodeGeneratorInspectorStrings.py.
824         * inspector/scripts/generate-combined-inspector-json.py: Renamed from Source/WebCore/inspector/Scripts/generate-combined-inspector-json.py.
825         Moved from WebCore into JavaScriptCore for code generation.
826
827 2013-12-13  Peter Szanka  <h868064@stud.u-szeged.hu>
828
829         Delete INTEL C compiler related code parts.
830         https://bugs.webkit.org/show_bug.cgi?id=125625
831
832         Reviewed by Darin Adler.
833
834         * jsc.cpp:
835         * testRegExp.cpp:
836
837 2013-12-13  Brent Fulgham  <bfulgham@apple.com>
838
839         [Win] Switch WebKit solution to Visual Studio 2013
840         https://bugs.webkit.org/show_bug.cgi?id=125192
841
842         Reviewed by Anders Carlsson.
843
844         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Update for VS2013
845         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
846         Ditto
847         * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Ditto
848         * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: Ditto
849         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Ditto
850
851 2013-12-12  Joseph Pecoraro  <pecoraro@apple.com>
852
853         Add a few more ASCIILiterals
854         https://bugs.webkit.org/show_bug.cgi?id=125662
855
856         Reviewed by Darin Adler.
857
858         * inspector/InspectorBackendDispatcher.cpp:
859         (Inspector::InspectorBackendDispatcher::dispatch):
860
861 2013-12-12  Joseph Pecoraro  <pecoraro@apple.com>
862
863         Test new JSContext name APIs
864         https://bugs.webkit.org/show_bug.cgi?id=125607
865
866         Reviewed by Darin Adler.
867
868         * API/JSContext.h:
869         * API/JSContextRef.h:
870         Fix whitespace issues.
871
872         * API/tests/testapi.c:
873         (globalContextNameTest):
874         (main):
875         * API/tests/testapi.mm:
876         Add tests for JSContext set/get name APIs.
877
878 2013-12-11  Filip Pizlo  <fpizlo@apple.com>
879
880         ARM64: Hang running pdfjs test, suspect DFG generated code for "in"
881         https://bugs.webkit.org/show_bug.cgi?id=124727
882         <rdar://problem/15566923>
883
884         Reviewed by Michael Saboff.
885         
886         Get rid of In's hackish use of StructureStubInfo. Previously it was using hotPathBegin,
887         and it was the only IC that used that field, which was wasteful. Moreover, it used it
888         to store two separate locations: the label for patching the jump and the label right
889         after the jump. The code was relying on those two being the same label, which is true
890         on X86 and some other platforms, but it isn't true on ARM64.
891         
892         This gets rid of hotPathBegin and makes In express those two locations as offsets from
893         the callReturnLocation, which is analogous to what the other IC's do.
894         
895         This fixes a bug where any successful In patching would result in a trivially infinite
896         loop - and hence a hang - on ARM64.
897
898         * bytecode/StructureStubInfo.h:
899         * dfg/DFGJITCompiler.cpp:
900         (JSC::DFG::JITCompiler::link):
901         * dfg/DFGJITCompiler.h:
902         (JSC::DFG::InRecord::InRecord):
903         * dfg/DFGSpeculativeJIT.cpp:
904         (JSC::DFG::SpeculativeJIT::compileIn):
905         * jit/JITInlineCacheGenerator.cpp:
906         (JSC::JITByIdGenerator::finalize):
907         * jit/Repatch.cpp:
908         (JSC::replaceWithJump):
909         (JSC::patchJumpToGetByIdStub):
910         (JSC::tryCachePutByID):
911         (JSC::tryBuildPutByIdList):
912         (JSC::tryRepatchIn):
913         (JSC::resetGetByID):
914         (JSC::resetPutByID):
915         (JSC::resetIn):
916
917 2013-12-11  Joseph Pecoraro  <pecoraro@apple.com>
918
919         Web Inspector: Push More Inspector Required Classes Down into JavaScriptCore
920         https://bugs.webkit.org/show_bug.cgi?id=125324
921
922         Reviewed by Timothy Hatcher.
923
924         * CMakeLists.txt:
925         * GNUmakefile.am:
926         * GNUmakefile.list.am:
927         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
928         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
929         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
930         * JavaScriptCore.vcxproj/copy-files.cmd:
931         * JavaScriptCore.xcodeproj/project.pbxproj:
932         * bindings/ScriptFunctionCall.cpp: Renamed from Source/WebCore/bindings/js/ScriptFunctionCall.cpp.
933         * bindings/ScriptFunctionCall.h: Renamed from Source/WebCore/bindings/js/ScriptFunctionCall.h.
934         * bindings/ScriptObject.cpp: Copied from Source/WebCore/inspector/WorkerConsoleAgent.cpp.
935         * bindings/ScriptObject.h: Renamed from Source/WebCore/inspector/InspectorBaseAgent.h.
936         * bindings/ScriptValue.cpp: Renamed from Source/WebCore/bindings/js/ScriptValue.cpp.
937         * bindings/ScriptValue.h: Renamed from Source/WebCore/bindings/js/ScriptValue.h.
938         * inspector/InspectorAgentBase.h: Copied from Source/WebCore/inspector/InspectorAgentRegistry.h.
939         * inspector/InspectorAgentRegistry.cpp: Renamed from Source/WebCore/inspector/InspectorAgentRegistry.cpp.
940         * inspector/InspectorBackendDispatcher.h: Renamed from Source/WebCore/inspector/InspectorBackendDispatcher.h.
941         (Inspector::InspectorSupplementalBackendDispatcher::InspectorSupplementalBackendDispatcher):
942         (Inspector::InspectorSupplementalBackendDispatcher::~InspectorSupplementalBackendDispatcher):
943         * inspector/InspectorValues.cpp: Renamed from Source/WebCore/inspector/InspectorValues.cpp.
944         * inspector/InspectorValues.h: Renamed from Source/WebCore/inspector/InspectorValues.h.
945
946 2013-12-11  Laszlo Vidacs  <lac@inf.u-szeged.hu>
947
948         Store SHA1 hash in std::array
949         https://bugs.webkit.org/show_bug.cgi?id=125446
950
951         Reviewed by Darin Adler.
952
953         Change Vector to std::array and use typedef.
954
955         * bytecode/CodeBlockHash.cpp:
956         (JSC::CodeBlockHash::CodeBlockHash):
957
958 2013-12-11  Mark Rowe  <mrowe@apple.com>
959
960         <https://webkit.org/b/125141> Modernize the JavaScriptCore API headers
961         <rdar://problem/15540121>
962
963         This consists of three main changes:
964         1) Converting the return type of initializer methods to instancetype.
965         2) Declaring properties rather than getters and setters.
966         3) Tagging C API methods with information about their memory management semantics.
967
968         Changing the declarations from getters and setters to properties also required
969         updating the headerdoc in a number of places.
970
971         Reviewed by Anders Carlsson.
972
973         * API/JSContext.h:
974         * API/JSContext.mm:
975         * API/JSManagedValue.h:
976         * API/JSManagedValue.mm:
977         * API/JSStringRefCF.h:
978         * API/JSValue.h:
979         * API/JSVirtualMachine.h:
980         * API/JSVirtualMachine.mm:
981
982 2013-12-11  Mark Rowe  <mrowe@apple.com>
983
984         <https://webkit.org/b/125559> Move JavaScriptCore off the legacy WebKit availability macros
985
986         The legacy WebKit availability macros are verbose, confusing, and provide no benefit over
987         using the system availability macros directly. The original vision was that they'd serve
988         a cross-platform purpose but that never came to be.
989
990         Map from WebKit version to OS X version based on the mapping in WebKitAvailability.h.
991         All iOS versions are specified as 7.0 as that is when the JavaScriptCore C API was made
992         public.
993
994         Part of <rdar://problem/15512304>.
995
996         Reviewed by Anders Carlsson.
997
998         * API/JSBasePrivate.h:
999         * API/JSContextRef.h:
1000         * API/JSContextRefPrivate.h:
1001         * API/JSObjectRef.h:
1002         * API/JSValueRef.h:
1003
1004 2013-12-10  Filip Pizlo  <fpizlo@apple.com>
1005
1006         Get rid of forward exit on DoubleAsInt32
1007         https://bugs.webkit.org/show_bug.cgi?id=125552
1008
1009         Reviewed by Oliver Hunt.
1010         
1011         The forward exit was just there so that we wouldn't have to keep the inputs alive up to
1012         the DoubleAsInt32. That's dumb. Forward exits are a complicated piece of machinery and
1013         we shouldn't have it just for a bit of liveness micro-optimization.
1014         
1015         Also add a bunch of machinery to test this case on X86.
1016
1017         * assembler/AbstractMacroAssembler.h:
1018         (JSC::optimizeForARMv7s):
1019         (JSC::optimizeForARM64):
1020         (JSC::optimizeForX86):
1021         * dfg/DFGFixupPhase.cpp:
1022         (JSC::DFG::FixupPhase::fixupNode):
1023         * dfg/DFGNodeType.h:
1024         * dfg/DFGSpeculativeJIT.cpp:
1025         (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
1026         * runtime/Options.h:
1027         * tests/stress/double-as-int32.js: Added.
1028         (foo):
1029         (test):
1030
1031 2013-12-10  Filip Pizlo  <fpizlo@apple.com>
1032
1033         Simplify CSE's treatment of NodeRelevantToOSR
1034         https://bugs.webkit.org/show_bug.cgi?id=125538
1035
1036         Reviewed by Oliver Hunt.
1037         
1038         Make the NodeRelevantToOSR thing obvious: if there is any MovHint on a node then the
1039         node is relevant to OSR.
1040
1041         * dfg/DFGCSEPhase.cpp:
1042         (JSC::DFG::CSEPhase::run):
1043         (JSC::DFG::CSEPhase::performNodeCSE):
1044         (JSC::DFG::CSEPhase::performBlockCSE):
1045
1046 2013-12-10  Filip Pizlo  <fpizlo@apple.com>
1047
1048         Get rid of forward exit in GetByVal on Uint32Array
1049         https://bugs.webkit.org/show_bug.cgi?id=125543
1050
1051         Reviewed by Oliver Hunt.
1052
1053         * dfg/DFGSpeculativeJIT.cpp:
1054         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
1055         * ftl/FTLLowerDFGToLLVM.cpp:
1056         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
1057
1058 2013-12-10  Balazs Kilvady  <kilvadyb@homejinni.com>
1059
1060         [MIPS] Redundant instructions in code generated from offlineasm.
1061         https://bugs.webkit.org/show_bug.cgi?id=125528
1062
1063         Reviewed by Michael Saboff.
1064
1065         Optimize lowering of offlineasm BaseIndex Addresses.
1066
1067         * offlineasm/mips.rb:
1068
1069 2013-12-10  Oliver Hunt  <oliver@apple.com>
1070
1071         Reduce the mass templatizing of the JS parser
1072         https://bugs.webkit.org/show_bug.cgi?id=125535
1073
1074         Reviewed by Michael Saboff.
1075
1076         The various caches we have now have removed the need for many of
1077         the template vs. regular parameters.  This patch converts those
1078         template parameters to regular parameters and updates the call
1079         sites.  This reduces the code size of the parser by around 15%.
1080
1081         * parser/ASTBuilder.h:
1082         (JSC::ASTBuilder::createGetterOrSetterProperty):
1083         (JSC::ASTBuilder::createProperty):
1084         * parser/Parser.cpp:
1085         (JSC::::parseInner):
1086         (JSC::::parseSourceElements):
1087         (JSC::::parseVarDeclarationList):
1088         (JSC::::createBindingPattern):
1089         (JSC::::tryParseDeconstructionPatternExpression):
1090         (JSC::::parseDeconstructionPattern):
1091         (JSC::::parseSwitchClauses):
1092         (JSC::::parseSwitchDefaultClause):
1093         (JSC::::parseBlockStatement):
1094         (JSC::::parseFormalParameters):
1095         (JSC::::parseFunctionInfo):
1096         (JSC::::parseFunctionDeclaration):
1097         (JSC::::parseProperty):
1098         (JSC::::parseObjectLiteral):
1099         (JSC::::parseStrictObjectLiteral):
1100         (JSC::::parseMemberExpression):
1101         * parser/Parser.h:
1102         * parser/SyntaxChecker.h:
1103         (JSC::SyntaxChecker::createProperty):
1104         (JSC::SyntaxChecker::createGetterOrSetterProperty):
1105
1106 2013-12-10  Mark Hahnenberg  <mhahnenberg@apple.com>
1107
1108         ASSERT !heap.vm()->isInitializingObject() when finishing DFG compilation at beginning of GC
1109         https://bugs.webkit.org/show_bug.cgi?id=125472
1110
1111         Reviewed by Geoff Garen.
1112
1113         This patch makes it look like it's okay to allocate so that the DFG plan finalization stuff 
1114         can do what it needs to do. We already expected that we might do allocation during plan 
1115         finalization and we increased the deferral depth to handle this, but we need to fix this other 
1116         ASSERT stuff too.
1117
1118         * GNUmakefile.list.am:
1119         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1120         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1121         * JavaScriptCore.xcodeproj/project.pbxproj:
1122         * heap/Heap.cpp:
1123         (JSC::Heap::collect):
1124         * heap/Heap.h:
1125         * heap/RecursiveAllocationScope.h: Added.
1126         (JSC::RecursiveAllocationScope::RecursiveAllocationScope):
1127         (JSC::RecursiveAllocationScope::~RecursiveAllocationScope):
1128         * runtime/VM.h:
1129
1130 2013-12-09  Filip Pizlo  <fpizlo@apple.com>
1131
1132         Impose and enforce some basic rules of sanity for where Phi functions are allowed to occur and where their (optional) corresponding MovHints can be
1133         https://bugs.webkit.org/show_bug.cgi?id=125480
1134
1135         Reviewed by Geoffrey Garen.
1136         
1137         Previously, if you wanted to insert some speculation right after where a value was
1138         produced, you'd get super confused if that value was produced by a Phi node.  You can't
1139         necessarily insert speculations after a Phi node because Phi nodes appear in this
1140         special sequence of Phis and MovHints that establish the OSR exit state for a block.
1141         So, you'd probably want to search for the next place where it's safe to insert things.
1142         We already do this "search for beginning of next bytecode instruction" search by
1143         looking at the next node that has a different CodeOrigin.  But this would be hard for a
1144         Phi because those Phis and MovHints have basically random CodeOrigins and they can all
1145         have different CodeOrigins.
1146
1147         This change imposes some sanity for this situation:
1148
1149         - Phis must have unset CodeOrigins.
1150
1151         - In each basic block, all nodes that have unset CodeOrigins must come before all nodes
1152           that have set CodeOrigins.
1153
1154         This all ends up working out just great because prior to this change we didn't have a 
1155         use for unset CodeOrigins.  I think it's appropriate to make "unset CodeOrigin" mean
1156         that we're in the prologue of a basic block.
1157
1158         It's interesting what this means for block merging, which we don't yet do in SSA.
1159         Consider merging the edge A->B.  One possibility is that the block merger is now
1160         required to clean up Phi/Upsilons, and reascribe the MovHints to have the CodeOrigin of
1161         the A's block terminal.  But an answer that might be better is that the originless
1162         nodes at the top of the B are just given the origin of the terminal and we keep the
1163         Phis.  That would require changing the above rules.  We'll see how it goes, and what we
1164         end up picking...
1165
1166         Overall, this special-things-at-the-top rule is analogous to what other SSA-based
1167         compilers do.  For example, LLVM has rules mandating that Phis appear at the top of a
1168         block.
1169
1170         * bytecode/CodeOrigin.cpp:
1171         (JSC::CodeOrigin::dump):
1172         * dfg/DFGOSRExitBase.h:
1173         (JSC::DFG::OSRExitBase::OSRExitBase):
1174         * dfg/DFGSSAConversionPhase.cpp:
1175         (JSC::DFG::SSAConversionPhase::run):
1176         * dfg/DFGValidate.cpp:
1177         (JSC::DFG::Validate::validate):
1178         (JSC::DFG::Validate::validateSSA):
1179
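The two block-prologue rules from the entry above, as an added checker over a toy SSA block (this is not JSC's DFGValidate code). It also shows the insertion-point search the entry describes: after a prologue node you skip to the first node with a set CodeOrigin, after any other node you skip to the next node with a different CodeOrigin. The node shape ({op, origin}), the function names and the sample blocks are assumptions made for this example.

```javascript
// Added example, not JSC code. A node is {op, origin}; origin === null means
// "unset CodeOrigin", anything else is a set CodeOrigin (a bytecode index here).

const UNSET_ORIGIN = null;

// Returns null when the block satisfies both rules, otherwise a string naming
// the first violation together with the index of the offending node.
function validateBlockPrologue(nodes) {
  let seenSetOrigin = false;
  for (let i = 0; i < nodes.length; i++) {
    const node = nodes[i];
    const hasOrigin = node.origin !== UNSET_ORIGIN;
    // Rule 1: Phis must have unset CodeOrigins.
    if (node.op === "Phi" && hasOrigin)
      return `node ${i}: Phi has a set CodeOrigin (${node.origin})`;
    // Rule 2: every node with an unset CodeOrigin precedes every node with a set one.
    if (hasOrigin)
      seenSetOrigin = true;
    else if (seenSetOrigin)
      return `node ${i}: ${node.op} has an unset CodeOrigin after a node with a set one`;
  }
  return null;
}

// Index of the first node after `producerIndex` where it is safe to insert a
// speculation on that node's value. For a prologue node (unset origin) that is
// the end of the prologue; otherwise it is the start of the next bytecode
// instruction, i.e. the next node whose origin differs.
function nextSafeInsertionIndex(nodes, producerIndex) {
  const origin = nodes[producerIndex].origin;
  let i = producerIndex + 1;
  if (origin === UNSET_ORIGIN) {
    while (i < nodes.length && nodes[i].origin === UNSET_ORIGIN) i++;
    return i;
  }
  while (i < nodes.length && nodes[i].origin === origin) i++;
  return i;
}

// Constructed sample blocks.
const GOOD_BLOCK = [
  { op: "Phi", origin: UNSET_ORIGIN },
  { op: "Phi", origin: UNSET_ORIGIN },
  { op: "MovHint", origin: UNSET_ORIGIN },
  { op: "MovHint", origin: UNSET_ORIGIN },
  { op: "ArithAdd", origin: 10 },
  { op: "ArithAdd", origin: 10 },
  { op: "Jump", origin: 12 },
];
const PHI_WITH_ORIGIN = [
  { op: "Phi", origin: 3 },
  { op: "Jump", origin: 3 },
];
const ORIGINLESS_AFTER_ORIGIN = [
  { op: "Phi", origin: UNSET_ORIGIN },
  { op: "ArithAdd", origin: 10 },
  { op: "MovHint", origin: UNSET_ORIGIN },
];
```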
1180 2013-12-08  Filip Pizlo  <fpizlo@apple.com>
1181
1182         Reveal array bounds checks in DFG IR
1183         https://bugs.webkit.org/show_bug.cgi?id=125253
1184
1185         Reviewed by Oliver Hunt and Mark Hahnenberg.
1186         
1187         In SSA mode, this reveals array bounds checks and the load of array length in DFG IR,
1188         making this a candidate for LICM.
1189
1190         This also fixes a long-standing performance bug where the JSObject slow paths would
1191         always create contiguous storage, rather than type-specialized storage, when doing a
1192         "storage creating" storage, like:
1193         
1194             var o = {};
1195             o[0] = 42;
1196
1197         * CMakeLists.txt:
1198         * GNUmakefile.list.am:
1199         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1200         * JavaScriptCore.xcodeproj/project.pbxproj:
1201         * bytecode/ExitKind.cpp:
1202         (JSC::exitKindToString):
1203         (JSC::exitKindIsCountable):
1204         * bytecode/ExitKind.h:
1205         * dfg/DFGAbstractInterpreterInlines.h:
1206         (JSC::DFG::::executeEffects):
1207         * dfg/DFGArrayMode.cpp:
1208         (JSC::DFG::permitsBoundsCheckLowering):
1209         (JSC::DFG::ArrayMode::permitsBoundsCheckLowering):
1210         * dfg/DFGArrayMode.h:
1211         (JSC::DFG::ArrayMode::lengthNeedsStorage):
1212         * dfg/DFGClobberize.h:
1213         (JSC::DFG::clobberize):
1214         * dfg/DFGConstantFoldingPhase.cpp:
1215         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1216         * dfg/DFGFixupPhase.cpp:
1217         (JSC::DFG::FixupPhase::fixupNode):
1218         * dfg/DFGNodeType.h:
1219         * dfg/DFGPlan.cpp:
1220         (JSC::DFG::Plan::compileInThreadImpl):
1221         * dfg/DFGPredictionPropagationPhase.cpp:
1222         (JSC::DFG::PredictionPropagationPhase::propagate):
1223         * dfg/DFGSSALoweringPhase.cpp: Added.
1224         (JSC::DFG::SSALoweringPhase::SSALoweringPhase):
1225         (JSC::DFG::SSALoweringPhase::run):
1226         (JSC::DFG::SSALoweringPhase::handleNode):
1227         (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
1228         (JSC::DFG::performSSALowering):
1229         * dfg/DFGSSALoweringPhase.h: Added.
1230         * dfg/DFGSafeToExecute.h:
1231         (JSC::DFG::safeToExecute):
1232         * dfg/DFGSpeculativeJIT.cpp:
1233         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
1234         * dfg/DFGSpeculativeJIT32_64.cpp:
1235         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
1236         (JSC::DFG::SpeculativeJIT::compile):
1237         * dfg/DFGSpeculativeJIT64.cpp:
1238         (JSC::DFG::SpeculativeJIT::compile):
1239         * ftl/FTLCapabilities.cpp:
1240         (JSC::FTL::canCompile):
1241         * ftl/FTLLowerDFGToLLVM.cpp:
1242         (JSC::FTL::LowerDFGToLLVM::compileNode):
1243         (JSC::FTL::LowerDFGToLLVM::compileCheckInBounds):
1244         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
1245         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
1246         (JSC::FTL::LowerDFGToLLVM::contiguousPutByValOutOfBounds):
1247         * runtime/JSObject.cpp:
1248         (JSC::JSObject::convertUndecidedForValue):
1249         (JSC::JSObject::createInitialForValueAndSet):
1250         (JSC::JSObject::putByIndexBeyondVectorLength):
1251         (JSC::JSObject::putDirectIndexBeyondVectorLength):
1252         * runtime/JSObject.h:
1253         * tests/stress/float32array-out-of-bounds.js: Added.
1254         (make):
1255         (foo):
1256         (test):
1257         * tests/stress/int32-object-out-of-bounds.js: Added.
1258         (make):
1259         (foo):
1260         (test):
1261         * tests/stress/int32-out-of-bounds.js: Added.
1262         (foo):
1263         (test):
1264
1265 2013-12-09  Sam Weinig  <sam@webkit.org>
1266
1267         Replace use of WTF::FixedArray with std::array
1268         https://bugs.webkit.org/show_bug.cgi?id=125475
1269
1270         Reviewed by Anders Carlsson.
1271
1272         * bytecode/CodeBlockHash.cpp:
1273         (JSC::CodeBlockHash::dump):
1274         * bytecode/Opcode.cpp:
1275         (JSC::OpcodeStats::~OpcodeStats):
1276         * dfg/DFGCSEPhase.cpp:
1277         * ftl/FTLAbstractHeap.h:
1278         * heap/MarkedSpace.h:
1279         * parser/ParserArena.h:
1280         * runtime/CodeCache.h:
1281         * runtime/DateInstanceCache.h:
1282         * runtime/JSGlobalObject.cpp:
1283         (JSC::JSGlobalObject::reset):
1284         * runtime/JSGlobalObject.h:
1285         * runtime/JSString.h:
1286         * runtime/LiteralParser.h:
1287         * runtime/NumericStrings.h:
1288         * runtime/RegExpCache.h:
1289         * runtime/SmallStrings.h:
1290
1291 2013-12-09  Joseph Pecoraro  <pecoraro@apple.com>
1292
1293         Remove miscellaneous unnecessary build statements
1294         https://bugs.webkit.org/show_bug.cgi?id=125466
1295
1296         Reviewed by Darin Adler.
1297
1298         * DerivedSources.make:
1299         * JavaScriptCore.vcxproj/build-generated-files.sh:
1300         * JavaScriptCore.xcodeproj/project.pbxproj:
1301         * make-generated-sources.sh:
1302
1303 2013-12-08  Filip Pizlo  <fpizlo@apple.com>
1304
1305         CSE should work in SSA
1306         https://bugs.webkit.org/show_bug.cgi?id=125430
1307
1308         Reviewed by Oliver Hunt and Mark Hahnenberg.
1309
1310         * dfg/DFGCSEPhase.cpp:
1311         (JSC::DFG::CSEPhase::run):
1312         (JSC::DFG::CSEPhase::performNodeCSE):
1313         * dfg/DFGPlan.cpp:
1314         (JSC::DFG::Plan::compileInThreadImpl):
1315
1316 2013-12-09  Joseph Pecoraro  <pecoraro@apple.com>
1317
1318         Remove docs/make-bytecode-docs.pl
1319         https://bugs.webkit.org/show_bug.cgi?id=125462
1320
1321         This script is very old and no longer outputs useful data since the
1322         op code definitions have moved from Interpreter.cpp.
1323
1324         Reviewed by Darin Adler.
1325
1326         * DerivedSources.make:
1327         * docs/make-bytecode-docs.pl: Removed.
1328
1329 2013-12-09  Julien Brianceau  <jbriance@cisco.com>
1330
1331         Fix sh4 LLINT build.
1332         https://bugs.webkit.org/show_bug.cgi?id=125454
1333
1334         Reviewed by Michael Saboff.
1335
1336         In LLINT, the sh4 backend implementation didn't properly handle conditional jumps using
1337         a LabelReference instance. This patch fixes it through the sh4LowerMisplacedLabels phase.
1338         Also, to avoid the need for a 4th temporary gpr, this phase is triggered later in
1339         getModifiedListSH4.
1340
1341         * offlineasm/sh4.rb:
1342
1343 2013-12-08  Filip Pizlo  <fpizlo@apple.com>
1344
1345         Add the notion of ConstantStoragePointer to DFG IR
1346         https://bugs.webkit.org/show_bug.cgi?id=125395
1347
1348         Reviewed by Oliver Hunt.
1349         
1350         This pushes more typed array folding into StrengthReductionPhase, and enables CSE on
1351         storage pointers. Previously, you might have separate nodes for the same storage
1352         pointer and this would cause some bad register pressure in the DFG. Note that this
1353         was really a theoretical problem and not, to my knowledge, a practical one - so this
1354         patch is basically just a clean-up.
1355
1356         * dfg/DFGAbstractInterpreterInlines.h:
1357         (JSC::DFG::::executeEffects):
1358         * dfg/DFGCSEPhase.cpp:
1359         (JSC::DFG::CSEPhase::constantStoragePointerCSE):
1360         (JSC::DFG::CSEPhase::performNodeCSE):
1361         * dfg/DFGClobberize.h:
1362         (JSC::DFG::clobberize):
1363         * dfg/DFGFixupPhase.cpp:
1364         (JSC::DFG::FixupPhase::fixupNode):
1365         * dfg/DFGGraph.cpp:
1366         (JSC::DFG::Graph::dump):
1367         * dfg/DFGNode.h:
1368         (JSC::DFG::Node::convertToConstantStoragePointer):
1369         (JSC::DFG::Node::hasStoragePointer):
1370         (JSC::DFG::Node::storagePointer):
1371         * dfg/DFGNodeType.h:
1372         * dfg/DFGPredictionPropagationPhase.cpp:
1373         (JSC::DFG::PredictionPropagationPhase::propagate):
1374         * dfg/DFGSafeToExecute.h:
1375         (JSC::DFG::safeToExecute):
1376         * dfg/DFGSpeculativeJIT.cpp:
1377         (JSC::DFG::SpeculativeJIT::compileConstantStoragePointer):
1378         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
1379         * dfg/DFGSpeculativeJIT.h:
1380         * dfg/DFGSpeculativeJIT32_64.cpp:
1381         (JSC::DFG::SpeculativeJIT::compile):
1382         * dfg/DFGSpeculativeJIT64.cpp:
1383         (JSC::DFG::SpeculativeJIT::compile):
1384         * dfg/DFGStrengthReductionPhase.cpp:
1385         (JSC::DFG::StrengthReductionPhase::handleNode):
1386         (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant):
1387         (JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray):
1388         * dfg/DFGWatchpointCollectionPhase.cpp:
1389         (JSC::DFG::WatchpointCollectionPhase::handle):
1390         * ftl/FTLLowerDFGToLLVM.cpp:
1391         (JSC::FTL::LowerDFGToLLVM::compileNode):
1392         (JSC::FTL::LowerDFGToLLVM::compileConstantStoragePointer):
1393         (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
1394
1395 2013-12-08  Filip Pizlo  <fpizlo@apple.com>
1396
1397         FTL should support UntypedUse versions of Compare nodes
1398         https://bugs.webkit.org/show_bug.cgi?id=125426
1399
1400         Reviewed by Oliver Hunt.
1401         
1402         This adds UntypedUse versions of all comparisons except CompareStrictEq, which is
1403         sufficiently different that I thought I'd do it in another patch.
1404         
1405         This also extends our ability to abstract over comparison kind and removes a bunch of
1406         copy-paste code.
1407
1408         * dfg/DFGSpeculativeJIT64.cpp:
1409         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
1410         * ftl/FTLCapabilities.cpp:
1411         (JSC::FTL::canCompile):
1412         * ftl/FTLIntrinsicRepository.h:
1413         * ftl/FTLLowerDFGToLLVM.cpp:
1414         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
1415         (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
1416         (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
1417         (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
1418         (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
1419         (JSC::FTL::LowerDFGToLLVM::compare):
1420         (JSC::FTL::LowerDFGToLLVM::nonSpeculativeCompare):
1421         * ftl/FTLOutput.h:
1422         (JSC::FTL::Output::icmp):
1423         (JSC::FTL::Output::equal):
1424         (JSC::FTL::Output::notEqual):
1425         (JSC::FTL::Output::above):
1426         (JSC::FTL::Output::aboveOrEqual):
1427         (JSC::FTL::Output::below):
1428         (JSC::FTL::Output::belowOrEqual):
1429         (JSC::FTL::Output::greaterThan):
1430         (JSC::FTL::Output::greaterThanOrEqual):
1431         (JSC::FTL::Output::lessThan):
1432         (JSC::FTL::Output::lessThanOrEqual):
1433         (JSC::FTL::Output::fcmp):
1434         (JSC::FTL::Output::doubleEqual):
1435         (JSC::FTL::Output::doubleNotEqualOrUnordered):
1436         (JSC::FTL::Output::doubleLessThan):
1437         (JSC::FTL::Output::doubleLessThanOrEqual):
1438         (JSC::FTL::Output::doubleGreaterThan):
1439         (JSC::FTL::Output::doubleGreaterThanOrEqual):
1440         (JSC::FTL::Output::doubleEqualOrUnordered):
1441         (JSC::FTL::Output::doubleNotEqual):
1442         (JSC::FTL::Output::doubleLessThanOrUnordered):
1443         (JSC::FTL::Output::doubleLessThanOrEqualOrUnordered):
1444         (JSC::FTL::Output::doubleGreaterThanOrUnordered):
1445         (JSC::FTL::Output::doubleGreaterThanOrEqualOrUnordered):
1446         * tests/stress/untyped-equality.js: Added.
1447         (foo):
1448         * tests/stress/untyped-less-than.js: Added.
1449         (foo):
1450
1451 2013-12-07  Filip Pizlo  <fpizlo@apple.com>
1452
1453         Fold typedArray.length if typedArray is constant
1454         https://bugs.webkit.org/show_bug.cgi?id=125252
1455
1456         Reviewed by Sam Weinig.
1457         
1458         This was meant to be easy. The problem is that there was no good place for putting
1459         the folding of typedArray.length to a constant. You can't quite do it in the
1460         bytecode parser because at that point you don't yet know if typedArray is really
1461         a typed array. You can't do it as part of constant folding because the folder
1462         assumes that it can opportunistically forward-flow a constant value without changing
1463         the IR; this doesn't work since we need to first change the IR to register a
1464         desired watchpoint and only after that can we introduce that constant. We could have
1465         done it in Fixup but that would have been awkward since Fixup's code for turning a
1466         GetById of "length" into GetArrayLength is already somewhat complex. We could have
1467         done it in CSE but CSE is already fairly gnarly and will probably get rewritten.
1468         
1469         So I introduced a new phase, called StrengthReduction. This phase should have any
1470         transformations that don't require CFA or CSE and that it would be weird to put into
1471         those other phases.
1472         
1473         I also took the opportunity to refactor some of the other folding code.
1474         
1475         This also adds a test, but the test couldn't quite be a LayoutTests/js/regress so I
1476         introduced the notion of JavaScriptCore/tests/stress.
1477         
1478         The goal of this patch isn't really to improve performance or anything like that.
1479         It adds an optimization for completeness, and in doing so it unlocks a bunch of new
1480         possibilities. The one that I'm most excited about is revealing array length checks
1481         in DFG IR, which will allow for array bounds check hoisting and elimination.
1482
1483         * CMakeLists.txt:
1484         * GNUmakefile.list.am:
1485         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1486         * JavaScriptCore.xcodeproj/project.pbxproj:
1487         * dfg/DFGAbstractInterpreterInlines.h:
1488         (JSC::DFG::::executeEffects):
1489         * dfg/DFGClobberize.h:
1490         (JSC::DFG::clobberize):
1491         * dfg/DFGFixupPhase.cpp:
1492         (JSC::DFG::FixupPhase::fixupNode):
1493         * dfg/DFGGraph.cpp:
1494         (JSC::DFG::Graph::tryGetFoldableView):
1495         (JSC::DFG::Graph::tryGetFoldableViewForChild1):
1496         * dfg/DFGGraph.h:
1497         * dfg/DFGNode.h:
1498         (JSC::DFG::Node::hasTypedArray):
1499         (JSC::DFG::Node::typedArray):
1500         * dfg/DFGNodeType.h:
1501         * dfg/DFGPlan.cpp:
1502         (JSC::DFG::Plan::compileInThreadImpl):
1503         * dfg/DFGPredictionPropagationPhase.cpp:
1504         (JSC::DFG::PredictionPropagationPhase::propagate):
1505         * dfg/DFGSafeToExecute.h:
1506         (JSC::DFG::safeToExecute):
1507         * dfg/DFGSpeculativeJIT.cpp:
1508         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
1509         (JSC::DFG::SpeculativeJIT::compileConstantIndexedPropertyStorage):
1510         * dfg/DFGSpeculativeJIT32_64.cpp:
1511         (JSC::DFG::SpeculativeJIT::compile):
1512         * dfg/DFGSpeculativeJIT64.cpp:
1513         (JSC::DFG::SpeculativeJIT::compile):
1514         * dfg/DFGStrengthReductionPhase.cpp: Added.
1515         (JSC::DFG::StrengthReductionPhase::StrengthReductionPhase):
1516         (JSC::DFG::StrengthReductionPhase::run):
1517         (JSC::DFG::StrengthReductionPhase::handleNode):
1518         (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant):
1519         (JSC::DFG::performStrengthReduction):
1520         * dfg/DFGStrengthReductionPhase.h: Added.
1521         * dfg/DFGWatchpointCollectionPhase.cpp:
1522         (JSC::DFG::WatchpointCollectionPhase::handle):
1523         * ftl/FTLCapabilities.cpp:
1524         (JSC::FTL::canCompile):
1525         * ftl/FTLLowerDFGToLLVM.cpp:
1526         (JSC::FTL::LowerDFGToLLVM::compileNode):
1527         (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
1528         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
1529         (JSC::FTL::LowerDFGToLLVM::typedArrayLength):
1530         * jsc.cpp:
1531         (GlobalObject::finishCreation):
1532         (functionTransferArrayBuffer):
1533         * runtime/ArrayBufferView.h:
1534         * tests/stress: Added.
1535         * tests/stress/fold-typed-array-properties.js: Added.
1536         (foo):
1537
1538 2013-12-07  peavo@outlook.com  <peavo@outlook.com>
1539
1540         [Win][64-bit] Hitting breakpoint assembler instruction in callToJavaScript.
1541         https://bugs.webkit.org/show_bug.cgi?id=125382
1542
1543         Reviewed by Michael Saboff.
1544
1545         The WinCairo results from run-javascriptcore-tests are the same as the WinCairo 32-bit results, when removing these breakpoints.
1546
1547         * jit/JITStubsMSVC64.asm: Remove breakpoint instructions.
1548
1549 2013-12-06  Filip Pizlo  <fpizlo@apple.com>
1550
1551         FTL should support all of Branch/LogicalNot
1552         https://bugs.webkit.org/show_bug.cgi?id=125370
1553
1554         Reviewed by Mark Hahnenberg.
1555
1556         * ftl/FTLCapabilities.cpp:
1557         (JSC::FTL::canCompile):
1558         * ftl/FTLIntrinsicRepository.h:
1559         * ftl/FTLLowerDFGToLLVM.cpp:
1560         (JSC::FTL::LowerDFGToLLVM::boolify):
1561
1562 2013-12-06  Roger Fong <roger_fong@apple.com> and Brent Fulgham  <bfulgham@apple.com>
1563
1564         [Win] Support compiling with VS2013
1565         https://bugs.webkit.org/show_bug.cgi?id=125353
1566
1567         Reviewed by Anders Carlsson.
1568
1569         * API/tests/testapi.c: Use C99 defines if available.
1570         * jit/JITOperations.cpp: Don't attempt to define C linkage when
1571         returning a C++ object.
1572
1573 2013-12-06  Filip Pizlo  <fpizlo@apple.com>
1574
1575         FTL should support generic ByVal accesses
1576         https://bugs.webkit.org/show_bug.cgi?id=125368
1577
1578         Reviewed by Mark Hahnenberg.
1579
1580         * dfg/DFGGraph.h:
1581         (JSC::DFG::Graph::isStrictModeFor):
1582         (JSC::DFG::Graph::ecmaModeFor):
1583         * ftl/FTLCapabilities.cpp:
1584         (JSC::FTL::canCompile):
1585         * ftl/FTLIntrinsicRepository.h:
1586         * ftl/FTLLowerDFGToLLVM.cpp:
1587         (JSC::FTL::LowerDFGToLLVM::compileNode):
1588         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
1589         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
1590
1591 2013-12-06  Filip Pizlo  <fpizlo@apple.com>
1592
1593         FTL should support hole/OOB array accesses
1594         https://bugs.webkit.org/show_bug.cgi?id=118077
1595
1596         Reviewed by Oliver Hunt and Mark Hahnenberg.
1597
1598         * ftl/FTLCapabilities.cpp:
1599         (JSC::FTL::canCompile):
1600         * ftl/FTLIntrinsicRepository.h:
1601         * ftl/FTLLowerDFGToLLVM.cpp:
1602         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
1603         (JSC::FTL::LowerDFGToLLVM::baseIndex):
1604
1605 2013-12-06  Michael Saboff  <msaboff@apple.com>
1606
1607         Split sizing of VarArgs frames from loading arguments for the frame
1608         https://bugs.webkit.org/show_bug.cgi?id=125331
1609
1610         Reviewed by Filip Pizlo.
1611
1612         Split loadVarargs into sizeAndAllocFrameForVarargs() and loadVarargs() in
1613         preparation for moving onto the C stack.  sizeAndAllocFrameForVarargs() will
1614         compute the size of the callee frame and allocate it, while loadVarargs()
1615         actually loads the argument values.
1616
1617         As part of moving onto the C stack, sizeAndAllocFrameForVarargs() will be
1618         changed to a function that just computes the size.  The caller will use that
1619         size to allocate the new frame on the stack before calling loadVarargs() and
1620         actually making the call.
1621
1622         * interpreter/Interpreter.cpp:
1623         (JSC::sizeAndAllocFrameForVarargs):
1624         (JSC::loadVarargs):
1625         * interpreter/Interpreter.h:
1626         * jit/JIT.h:
1627         * jit/JITCall.cpp:
1628         (JSC::JIT::compileLoadVarargs):
1629         * jit/JITCall32_64.cpp:
1630         (JSC::JIT::compileLoadVarargs):
1631         * jit/JITInlines.h:
1632         (JSC::JIT::callOperation):
1633         * jit/JITOperations.cpp:
1634         * jit/JITOperations.h:
1635         * llint/LLIntSlowPaths.cpp:
1636         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1637         * llint/LLIntSlowPaths.h:
1638         * llint/LowLevelInterpreter.asm:
1639         * llint/LowLevelInterpreter32_64.asm:
1640         * llint/LowLevelInterpreter64.asm:
1641         * runtime/VM.h:
1642
1643 2013-12-06  Filip Pizlo  <fpizlo@apple.com>
1644
1645         FTL should support all of ValueToInt32
1646         https://bugs.webkit.org/show_bug.cgi?id=125283
1647
1648         Reviewed by Mark Hahnenberg.
1649
1650         * ftl/FTLCapabilities.cpp:
1651         (JSC::FTL::canCompile):
1652         * ftl/FTLLowerDFGToLLVM.cpp:
1653         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
1654         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
1655         (JSC::FTL::LowerDFGToLLVM::lowCell):
1656         (JSC::FTL::LowerDFGToLLVM::isCell):
1657
1658 2013-12-06  Filip Pizlo  <fpizlo@apple.com>
1659
1660         FTL shouldn't have a doubleToUInt32 path
1661         https://bugs.webkit.org/show_bug.cgi?id=125360
1662
1663         Reviewed by Mark Hahnenberg.
1664         
1665         This code existed because I incorrectly thought it was necessary. It's now basically
1666         dead.
1667
1668         * ftl/FTLLowerDFGToLLVM.cpp:
1669         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
1670
1671 2013-12-06  Laszlo Vidacs  <lac@inf.u-szeged.hu>
1672
1673         Define SHA1 hash size in SHA1.h and use it at various places.
1674         https://bugs.webkit.org/show_bug.cgi?id=125345
1675
1676         Reviewed by Darin Adler.
1677
1678         Use SHA1::hashSize instead of local variables.
1679
1680         * bytecode/CodeBlockHash.cpp:
1681         (JSC::CodeBlockHash::CodeBlockHash): use SHA1::hashSize
1682
1683 2013-12-05  Michael Saboff  <msaboff@apple.com>
1684
1685         REGRESSION(r160213): Crash in js/dom/JSON-parse.html
1686         https://bugs.webkit.org/show_bug.cgi?id=125335
1687
1688         Reviewed by Mark Lam.
1689
1690         Changed _llint_op_catch to materialize the VM via the scope chain instead of 
1691         the CodeBlock.  CallFrames always have a scope chain, but may have a null CodeBlock.
1692
1693         * llint/LowLevelInterpreter32_64.asm:
1694         (_llint_op_catch):
1695         * llint/LowLevelInterpreter64.asm:
1696         (_llint_op_catch):
1697
1698 2013-12-05  Michael Saboff  <msaboff@apple.com>
1699
1700         JSC: Simplify interface between throw and catch handler
1701         https://bugs.webkit.org/show_bug.cgi?id=125328
1702
1703         Reviewed by Geoffrey Garen.
1704
1705         Simplified the throw - catch interface.  The throw side is only responsible for
1706         jumping to the appropriate op_catch handler or returnFromJavaScript for uncaught
1707         exceptions.  The handler uses the exception values like VM.callFrameForThrow
1708         as appropriate and no longer relies on the throw side putting anything in
1709         registers.
1710
1711         * jit/CCallHelpers.h:
1712         (JSC::CCallHelpers::jumpToExceptionHandler):
1713         * jit/JITOpcodes.cpp:
1714         (JSC::JIT::emit_op_catch):
1715         * jit/JITOpcodes32_64.cpp:
1716         (JSC::JIT::emit_op_catch):
1717         * llint/LowLevelInterpreter32_64.asm:
1718         (_llint_op_catch):
1719         (_llint_throw_from_slow_path_trampoline):
1720         * llint/LowLevelInterpreter64.asm:
1721         (_llint_op_catch):
1722         (_llint_throw_from_slow_path_trampoline):
1723
1724 2013-12-04  Oliver Hunt  <oliver@apple.com>
1725
1726         Refactor static getter function prototype to include thisValue in addition to the base object
1727         https://bugs.webkit.org/show_bug.cgi?id=124461
1728
1729         Reviewed by Geoffrey Garen.
1730
1731         Add thisValue parameter to static getter prototype, and switch
1732         from JSValue to EncodedJSValue for parameters and return value.
1733
1734         Currently none of the static getters use the thisValue, but
1735         separating out the refactoring will prevent future changes
1736         from getting lost in the noise of refactoring.  This means
1737         that this patch does not result in any change in behaviour.
1738
1739         * API/JSCallbackObject.h:
1740         * API/JSCallbackObjectFunctions.h:
1741         (JSC::::asCallbackObject):
1742         (JSC::::staticFunctionGetter):
1743         (JSC::::callbackGetter):
1744         * jit/JITOperations.cpp:
1745         * runtime/JSActivation.cpp:
1746         (JSC::JSActivation::argumentsGetter):
1747         * runtime/JSActivation.h:
1748         * runtime/JSFunction.cpp:
1749         (JSC::JSFunction::argumentsGetter):
1750         (JSC::JSFunction::callerGetter):
1751         (JSC::JSFunction::lengthGetter):
1752         (JSC::JSFunction::nameGetter):
1753         * runtime/JSFunction.h:
1754         * runtime/JSObject.h:
1755         (JSC::PropertySlot::getValue):
1756         * runtime/NumberConstructor.cpp:
1757         (JSC::numberConstructorNaNValue):
1758         (JSC::numberConstructorNegInfinity):
1759         (JSC::numberConstructorPosInfinity):
1760         (JSC::numberConstructorMaxValue):
1761         (JSC::numberConstructorMinValue):
1762         * runtime/PropertySlot.h:
1763         * runtime/RegExpConstructor.cpp:
1764         (JSC::asRegExpConstructor):
1765         (JSC::regExpConstructorDollar1):
1766         (JSC::regExpConstructorDollar2):
1767         (JSC::regExpConstructorDollar3):
1768         (JSC::regExpConstructorDollar4):
1769         (JSC::regExpConstructorDollar5):
1770         (JSC::regExpConstructorDollar6):
1771         (JSC::regExpConstructorDollar7):
1772         (JSC::regExpConstructorDollar8):
1773         (JSC::regExpConstructorDollar9):
1774         (JSC::regExpConstructorInput):
1775         (JSC::regExpConstructorMultiline):
1776         (JSC::regExpConstructorLastMatch):
1777         (JSC::regExpConstructorLastParen):
1778         (JSC::regExpConstructorLeftContext):
1779         (JSC::regExpConstructorRightContext):
1780         * runtime/RegExpObject.cpp:
1781         (JSC::asRegExpObject):
1782         (JSC::regExpObjectGlobal):
1783         (JSC::regExpObjectIgnoreCase):
1784         (JSC::regExpObjectMultiline):
1785         (JSC::regExpObjectSource):
1786
1787 2013-12-04  Filip Pizlo  <fpizlo@apple.com>
1788
1789         FTL should use cvttsd2si directly for double-to-int32 conversions
1790         https://bugs.webkit.org/show_bug.cgi?id=125275
1791
1792         Reviewed by Michael Saboff.
1793         
1794         Wow. This was an ordeal. Using cvttsd2si was actually easy, but I learned, and
1795         sometimes even fixed, some interesting things:
1796         
1797         - The llvm.x86.sse2.cvttsd2si intrinsic can actually result in LLVM emitting a
1798           vcvttsd2si. I guess the intrinsic doesn't actually imply the instruction.
1799         
1800         - That whole thing about branchTruncateDoubleToUint32? Yeah we don't need that. It's
1801           better to use branchTruncateDoubleToInt32 instead. It has the right semantics for
1802           all of its callers (err, its one-and-only caller), and it's more likely to take the
1803           fast path. This patch kills branchTruncateDoubleToUint32.
1804         
1805         - "a[i] = v; v = a[i]". Does this change v? OK, assume that 'a[i]' is a pure-ish
1806           operation - like an array access with 'i' being an integer index and we're not
1807           having a bad time. Now does this change v? CSE assumes that it doesn't. That's
1808           wrong. If 'a' is a typed array - the most sensible and pure kind of array - then
1809           this can be a truncating cast. For example 'v' could be a double and 'a' could be
1810           an integer array.
1811         
1812         - "v1 = a[i]; v2 = a[i]". Is v1 === v2 assuming that 'a[i]' is pure-ish? The answer
1813           is no. You could have a different arrayMode in each access. I know this sounds
1814           weird, but with concurrent JIT that might happen.
1815         
1816         This patch adds tests for all of this stuff, except for the first issue (it's weird
1817         but probably doesn't matter) and the last issue (it's too much of a freakshow).
1818
1819         * assembler/MacroAssemblerARM64.h:
1820         * assembler/MacroAssemblerARMv7.h:
1821         * assembler/MacroAssemblerX86Common.h:
1822         * dfg/DFGCSEPhase.cpp:
1823         (JSC::DFG::CSEPhase::getByValLoadElimination):
1824         (JSC::DFG::CSEPhase::performNodeCSE):
1825         * dfg/DFGSpeculativeJIT.cpp:
1826         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
1827         * ftl/FTLAbbreviations.h:
1828         (JSC::FTL::vectorType):
1829         (JSC::FTL::getUndef):
1830         (JSC::FTL::buildInsertElement):
1831         * ftl/FTLIntrinsicRepository.h:
1832         * ftl/FTLLowerDFGToLLVM.cpp:
1833         (JSC::FTL::LowerDFGToLLVM::doubleToInt32):
1834         (JSC::FTL::LowerDFGToLLVM::doubleToUInt32):
1835         (JSC::FTL::LowerDFGToLLVM::sensibleDoubleToInt32):
1836         * ftl/FTLOutput.h:
1837         (JSC::FTL::Output::insertElement):
1838         (JSC::FTL::Output::hasSensibleDoubleToInt):
1839         (JSC::FTL::Output::sensibleDoubleToInt):
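The "a[i] = v; v = a[i]" case from the entry above, as an added example in plain JavaScript (not WebKit's code): it models the coercion every typed array store applies, checks that model against what the engine really stores, and generalises the entry's single integer-array case to all element kinds. The sample values in CASES are constructed for illustration.

```javascript
// Added example (not WebKit's code): why a CSE pass may not forward the stored
// value v to a following load of the same typed array slot without first
// applying the element type's store coercion.

// Perform the real store/load pair on element 0 of a fresh array of the given kind.
function storeAndReload(Ctor, v) {
  const a = new Ctor(1);
  a[0] = v;      // the store coerces v to the element type
  return a[0];   // the load observes the coerced value, not v
}

// ToUint8Clamp from the ECMAScript spec: clamp to [0, 255], rounding half to even.
function toUint8Clamp(v) {
  if (Number.isNaN(v) || v <= 0) return 0;
  if (v >= 255) return 255;
  const f = Math.floor(v);
  if (f + 0.5 < v) return f + 1;
  if (v < f + 0.5) return f;
  return f % 2 === 1 ? f + 1 : f;
}

// Reference model of the coercion each typed array store applies. This is the
// value a sound load elimination must forward instead of v itself.
function coerceForStore(Ctor, v) {
  switch (Ctor) {
    case Int8Array:         return (v << 24) >> 24;  // ToInt32, keep low 8 bits signed
    case Uint8Array:        return v & 0xff;
    case Uint8ClampedArray: return toUint8Clamp(v);
    case Int16Array:        return (v << 16) >> 16;
    case Uint16Array:       return v & 0xffff;
    case Int32Array:        return v | 0;            // ToInt32: modular wrap
    case Uint32Array:       return v >>> 0;          // ToUint32
    case Float32Array:      return Math.fround(v);   // round to nearest float32
    case Float64Array:      return +v;               // exact for every double
    default: throw new TypeError("unknown typed array kind");
  }
}

// True if naively forwarding v (the assumption the old CSE made) is correct.
function naiveForwardingIsSound(Ctor, v) {
  return Object.is(storeAndReload(Ctor, v), v);
}

// True if forwarding the modelled coerced value matches what the engine stores.
function modelledForwardingIsSound(Ctor, v) {
  return Object.is(storeAndReload(Ctor, v), coerceForStore(Ctor, v));
}

// Constructed inputs: for each kind, a double the naive assumption gets wrong
// (Float64Array is the one kind where forwarding v unchanged is sound).
const CASES = [
  [Int8Array, 200.7],          // stored as -56
  [Uint8Array, 300.2],         // stored as 44
  [Uint8ClampedArray, 300.2],  // stored as 255
  [Int16Array, 40000.9],       // stored as -25536
  [Uint16Array, 70000],        // stored as 4464
  [Int32Array, 2 ** 31],       // stored as -2147483648
  [Uint32Array, -1],           // stored as 4294967295
  [Float32Array, 0.1],         // stored as 0.10000000149011612
  [Float64Array, 0.1],         // stored as 0.1, unchanged
];

// Names of the kinds for which naive forwarding would change program behaviour.
function kindsWhereNaiveForwardingFails(cases = CASES) {
  return cases
    .filter(([Ctor, v]) => !naiveForwardingIsSound(Ctor, v))
    .map(([Ctor]) => Ctor.name);
}

// True when the reference model agrees with the real stores for every case.
function modelMatchesEngine(cases = CASES) {
  return cases.every(([Ctor, v]) => modelledForwardingIsSound(Ctor, v));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("naive forwarding fails for:", kindsWhereNaiveForwardingFails());
  console.log("model matches engine:", modelMatchesEngine());
}
```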
1840
1841 2013-12-05  Commit Queue  <commit-queue@webkit.org>
1842
1843         Unreviewed, rolling out r160133.
1844         http://trac.webkit.org/changeset/160133
1845         https://bugs.webkit.org/show_bug.cgi?id=125325
1846
1847         broke bindings tests on all the bots (Requested by thorton on
1848         #webkit).
1849
1850         * API/JSCallbackObject.h:
1851         * API/JSCallbackObjectFunctions.h:
1852         (JSC::::staticFunctionGetter):
1853         (JSC::::callbackGetter):
1854         * jit/JITOperations.cpp:
1855         * runtime/JSActivation.cpp:
1856         (JSC::JSActivation::argumentsGetter):
1857         * runtime/JSActivation.h:
1858         * runtime/JSFunction.cpp:
1859         (JSC::JSFunction::argumentsGetter):
1860         (JSC::JSFunction::callerGetter):
1861         (JSC::JSFunction::lengthGetter):
1862         (JSC::JSFunction::nameGetter):
1863         * runtime/JSFunction.h:
1864         * runtime/JSObject.h:
1865         (JSC::PropertySlot::getValue):
1866         * runtime/NumberConstructor.cpp:
1867         (JSC::numberConstructorNaNValue):
1868         (JSC::numberConstructorNegInfinity):
1869         (JSC::numberConstructorPosInfinity):
1870         (JSC::numberConstructorMaxValue):
1871         (JSC::numberConstructorMinValue):
1872         * runtime/PropertySlot.h:
1873         * runtime/RegExpConstructor.cpp:
1874         (JSC::regExpConstructorDollar1):
1875         (JSC::regExpConstructorDollar2):
1876         (JSC::regExpConstructorDollar3):
1877         (JSC::regExpConstructorDollar4):
1878         (JSC::regExpConstructorDollar5):
1879         (JSC::regExpConstructorDollar6):
1880         (JSC::regExpConstructorDollar7):
1881         (JSC::regExpConstructorDollar8):
1882         (JSC::regExpConstructorDollar9):
1883         (JSC::regExpConstructorInput):
1884         (JSC::regExpConstructorMultiline):
1885         (JSC::regExpConstructorLastMatch):
1886         (JSC::regExpConstructorLastParen):
1887         (JSC::regExpConstructorLeftContext):
1888         (JSC::regExpConstructorRightContext):
1889         * runtime/RegExpObject.cpp:
1890         (JSC::regExpObjectGlobal):
1891         (JSC::regExpObjectIgnoreCase):
1892         (JSC::regExpObjectMultiline):
1893         (JSC::regExpObjectSource):
1894
1895 2013-12-05  Mark Lam  <mark.lam@apple.com>
1896
1897         Make the C Loop LLINT work with callToJavaScript.
1898         https://bugs.webkit.org/show_bug.cgi?id=125294.
1899
1900         Reviewed by Michael Saboff.
1901
1902         1. Changed the C Loop LLINT to dispatch to an Executable via its JITCode
1903            instance which is consistent with how the ASM LLINT works.
1904         2. Changed CLoop::execute() to take an Opcode instead of an OpcodeID.
1905            This makes it play nice with the use of JITCode for dispatching.
1906         3. Introduce a callToJavaScript and callToNativeFunction for the C Loop
1907            LLINT. These will call JSStack::pushFrame() and popFrame() to set up
1908            and teardown the CallFrame.
1909         4. Also introduced a C Loop returnFromJavaScript which is just a
1910            replacement for ctiOpThrowNotCaught, which had the same function.
1911         5. Remove a lot of #if ENABLE(LLINT_C_LOOP) code now that the dispatch
1912            mechanism is consistent.
1913
1914         This patch has been tested with both configurations of COMPUTED_GOTOs
1915         on and off.
1916
1917         * interpreter/CachedCall.h:
1918         (JSC::CachedCall::CachedCall):
1919         (JSC::CachedCall::call):
1920         (JSC::CachedCall::setArgument):
1921         * interpreter/CallFrameClosure.h:
1922         (JSC::CallFrameClosure::setThis):
1923         (JSC::CallFrameClosure::setArgument):
1924         (JSC::CallFrameClosure::resetCallFrame):
1925         * interpreter/Interpreter.cpp:
1926         (JSC::Interpreter::execute):
1927         (JSC::Interpreter::executeCall):
1928         (JSC::Interpreter::executeConstruct):
1929         (JSC::Interpreter::prepareForRepeatCall):
1930         * interpreter/Interpreter.h:
1931         * interpreter/JSStack.h:
1932         * interpreter/JSStackInlines.h:
1933         (JSC::JSStack::pushFrame):
1934         * interpreter/ProtoCallFrame.h:
1935         (JSC::ProtoCallFrame::scope):
1936         (JSC::ProtoCallFrame::callee):
1937         (JSC::ProtoCallFrame::thisValue):
1938         (JSC::ProtoCallFrame::argument):
1939         (JSC::ProtoCallFrame::setArgument):
1940         * jit/JITCode.cpp:
1941         (JSC::JITCode::execute):
1942         * jit/JITCode.h:
1943         * jit/JITExceptions.cpp:
1944         (JSC::genericUnwind):
1945         * llint/LLIntCLoop.cpp:
1946         (JSC::LLInt::CLoop::initialize):
1947         * llint/LLIntCLoop.h:
1948         * llint/LLIntEntrypoint.cpp:
1949         (JSC::LLInt::setFunctionEntrypoint):
1950         (JSC::LLInt::setEvalEntrypoint):
1951         (JSC::LLInt::setProgramEntrypoint):
1952         - Inverted the check for vm.canUseJIT(). This allows the JIT case to be
1953           #if'd out nicely when building the C Loop LLINT.
1954         * llint/LLIntOpcode.h:
1955         * llint/LLIntThunks.cpp:
1956         (JSC::doCallToJavaScript):
1957         (JSC::executeJS):
1958         (JSC::callToJavaScript):
1959         (JSC::executeNative):
1960         (JSC::callToNativeFunction):
1961         * llint/LLIntThunks.h:
1962         * llint/LowLevelInterpreter.cpp:
1963         (JSC::CLoop::execute):
1964         * runtime/Executable.h:
1965         (JSC::ExecutableBase::offsetOfNumParametersFor):
1966         (JSC::ExecutableBase::hostCodeEntryFor):
1967         (JSC::ExecutableBase::jsCodeEntryFor):
1968         (JSC::ExecutableBase::jsCodeWithArityCheckEntryFor):
1969         (JSC::NativeExecutable::create):
1970         (JSC::NativeExecutable::finishCreation):
1971         (JSC::ProgramExecutable::generatedJITCode):
1972         * runtime/JSArray.cpp:
1973         (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key):
1974         * runtime/StringPrototype.cpp:
1975         (JSC::replaceUsingRegExpSearch):
1976         * runtime/VM.cpp:
1977         (JSC::VM::getHostFunction):
1978
1979 2013-12-05  Laszlo Vidacs  <lac@inf.u-szeged.hu>
1980
1981         Fix JavaScriptCore build if cloop is enabled after r160094
1982         https://bugs.webkit.org/show_bug.cgi?id=125292
1983
1984         Reviewed by Michael Saboff.
1985
1986         Move ProtoCallFrame outside the JIT guard.
1987
1988         * jit/JITCode.h:
1989
1990 2013-12-04  Filip Pizlo  <fpizlo@apple.com>
1991
1992         Fold constant typed arrays
1993         https://bugs.webkit.org/show_bug.cgi?id=125205
1994
1995         Reviewed by Oliver Hunt and Mark Hahnenberg.
1996         
1997         If by some other mechanism we have a typed array access on a compile-time constant
1998         typed array pointer, then fold:
1999         
2000         - Array bounds checks. Specifically, fold the load of length.
2001         
2002         - Loading the vector.
2003         
2004         This needs to install a watchpoint on the array itself because of the possibility of
2005         neutering. Neutering is ridiculous. We do this without bloating the size of
2006         ArrayBuffer or JSArrayBufferView in the common case (i.e. the case where you
2007         allocated an array that didn't end up becoming a compile-time constant). To install
2008         the watchpoint, we slowDownAndWasteMemory and then create an incoming reference to
2009         the ArrayBuffer, where that incoming reference is from a watchpoint object. The
2010         ArrayBuffer already knows about such incoming references and can fire the
2011         watchpoints that way.
2012         
2013         * CMakeLists.txt:
2014         * GNUmakefile.list.am:
2015         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2016         * JavaScriptCore.xcodeproj/project.pbxproj:
2017         * dfg/DFGDesiredWatchpoints.cpp:
2018         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
2019         (JSC::DFG::DesiredWatchpoints::addLazily):
2020         * dfg/DFGDesiredWatchpoints.h:
2021         (JSC::DFG::GenericSetAdaptor::add):
2022         (JSC::DFG::GenericSetAdaptor::hasBeenInvalidated):
2023         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::hasBeenInvalidated):
2024         (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
2025         (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
2026         (JSC::DFG::GenericDesiredWatchpoints::isStillValid):
2027         (JSC::DFG::GenericDesiredWatchpoints::shouldAssumeMixedState):
2028         (JSC::DFG::DesiredWatchpoints::isStillValid):
2029         (JSC::DFG::DesiredWatchpoints::shouldAssumeMixedState):
2030         (JSC::DFG::DesiredWatchpoints::isValidOrMixed):
2031         * dfg/DFGGraph.cpp:
2032         (JSC::DFG::Graph::tryGetFoldableView):
2033         * dfg/DFGGraph.h:
2034         * dfg/DFGSpeculativeJIT.cpp:
2035         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
2036         (JSC::DFG::SpeculativeJIT::emitTypedArrayBoundsCheck):
2037         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
2038         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
2039         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
2040         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
2041         (JSC::DFG::SpeculativeJIT::compileConstantIndexedPropertyStorage):
2042         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
2043         * dfg/DFGSpeculativeJIT.h:
2044         * dfg/DFGWatchpointCollectionPhase.cpp:
2045         (JSC::DFG::WatchpointCollectionPhase::handle):
2046         (JSC::DFG::WatchpointCollectionPhase::addLazily):
2047         * ftl/FTLLowerDFGToLLVM.cpp:
2048         (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
2049         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2050         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2051         (JSC::FTL::LowerDFGToLLVM::typedArrayLength):
2052         * runtime/ArrayBuffer.cpp:
2053         (JSC::ArrayBuffer::transfer):
2054         * runtime/ArrayBufferNeuteringWatchpoint.cpp: Added.
2055         (JSC::ArrayBufferNeuteringWatchpoint::ArrayBufferNeuteringWatchpoint):
2056         (JSC::ArrayBufferNeuteringWatchpoint::~ArrayBufferNeuteringWatchpoint):
2057         (JSC::ArrayBufferNeuteringWatchpoint::finishCreation):
2058         (JSC::ArrayBufferNeuteringWatchpoint::destroy):
2059         (JSC::ArrayBufferNeuteringWatchpoint::create):
2060         (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
2061         * runtime/ArrayBufferNeuteringWatchpoint.h: Added.
2062         (JSC::ArrayBufferNeuteringWatchpoint::set):
2063         * runtime/VM.cpp:
2064         (JSC::VM::VM):
2065         * runtime/VM.h:
2066
2067 2013-12-04  Commit Queue  <commit-queue@webkit.org>
2068
2069         Unreviewed, rolling out r160116.
2070         http://trac.webkit.org/changeset/160116
2071         https://bugs.webkit.org/show_bug.cgi?id=125264
2072
2073         Change doesn't work as intended. See bug comments for details.
2074         (Requested by bfulgham on #webkit).
2075
2076         * runtime/InitializeThreading.cpp:
2077         (JSC::initializeThreading):
2078
2079 2013-12-04  Oliver Hunt  <oliver@apple.com>
2080
2081         Refactor static getter function prototype to include thisValue in addition to the base object
2082         https://bugs.webkit.org/show_bug.cgi?id=124461
2083
2084         Reviewed by Geoffrey Garen.
2085
2086         Add thisValue parameter to static getter prototype, and switch
2087         from JSValue to EncodedJSValue for parameters and return value.
2088
2089         Currently none of the static getters use the thisValue, but
2090         separating out the refactoring will prevent future changes
2091         from getting lost in the noise of refactoring.  This means
2092         that this patch does not result in any change in behaviour.
2093
2094         * API/JSCallbackObject.h:
2095         * API/JSCallbackObjectFunctions.h:
2096         (JSC::::asCallbackObject):
2097         (JSC::::staticFunctionGetter):
2098         (JSC::::callbackGetter):
2099         * jit/JITOperations.cpp:
2100         * runtime/JSActivation.cpp:
2101         (JSC::JSActivation::argumentsGetter):
2102         * runtime/JSActivation.h:
2103         * runtime/JSFunction.cpp:
2104         (JSC::JSFunction::argumentsGetter):
2105         (JSC::JSFunction::callerGetter):
2106         (JSC::JSFunction::lengthGetter):
2107         (JSC::JSFunction::nameGetter):
2108         * runtime/JSFunction.h:
2109         * runtime/JSObject.h:
2110         (JSC::PropertySlot::getValue):
2111         * runtime/NumberConstructor.cpp:
2112         (JSC::numberConstructorNaNValue):
2113         (JSC::numberConstructorNegInfinity):
2114         (JSC::numberConstructorPosInfinity):
2115         (JSC::numberConstructorMaxValue):
2116         (JSC::numberConstructorMinValue):
2117         * runtime/PropertySlot.h:
2118         * runtime/RegExpConstructor.cpp:
2119         (JSC::asRegExpConstructor):
2120         (JSC::regExpConstructorDollar1):
2121         (JSC::regExpConstructorDollar2):
2122         (JSC::regExpConstructorDollar3):
2123         (JSC::regExpConstructorDollar4):
2124         (JSC::regExpConstructorDollar5):
2125         (JSC::regExpConstructorDollar6):
2126         (JSC::regExpConstructorDollar7):
2127         (JSC::regExpConstructorDollar8):
2128         (JSC::regExpConstructorDollar9):
2129         (JSC::regExpConstructorInput):
2130         (JSC::regExpConstructorMultiline):
2131         (JSC::regExpConstructorLastMatch):
2132         (JSC::regExpConstructorLastParen):
2133         (JSC::regExpConstructorLeftContext):
2134         (JSC::regExpConstructorRightContext):
2135         * runtime/RegExpObject.cpp:
2136         (JSC::asRegExpObject):
2137         (JSC::regExpObjectGlobal):
2138         (JSC::regExpObjectIgnoreCase):
2139         (JSC::regExpObjectMultiline):
2140         (JSC::regExpObjectSource):
2141
2142 2013-12-04  Daniel Bates  <dabates@apple.com>
2143
2144         [iOS] Enable Objective-C ARC when building JSC tools for iOS simulator
2145         https://bugs.webkit.org/show_bug.cgi?id=125170
2146
2147         Reviewed by Geoffrey Garen.
2148
2149         * API/tests/testapi.mm:
2150         * Configurations/ToolExecutable.xcconfig:
2151
2152 2013-12-04  peavo@outlook.com  <peavo@outlook.com>
2153
2154         Use ThreadingOnce class to encapsulate pthread_once functionality.
2155         https://bugs.webkit.org/show_bug.cgi?id=125228
2156
2157         Reviewed by Brent Fulgham.
2158
2159         * runtime/InitializeThreading.cpp:
2160         (JSC::initializeThreading):
2161
2162 2013-12-04  Mark Lam  <mark.lam@apple.com>
2163
2164         Remove unneeded semicolons.
2165         https://bugs.webkit.org/show_bug.cgi?id=125083.
2166
2167         Rubber-stamped by Filip Pizlo.
2168
2169         * debugger/Debugger.h:
2170         (JSC::Debugger::detach):
2171         (JSC::Debugger::sourceParsed):
2172         (JSC::Debugger::exception):
2173         (JSC::Debugger::atStatement):
2174         (JSC::Debugger::callEvent):
2175         (JSC::Debugger::returnEvent):
2176         (JSC::Debugger::willExecuteProgram):
2177         (JSC::Debugger::didExecuteProgram):
2178         (JSC::Debugger::didReachBreakpoint):
2179
2180 2013-12-04  Andy Estes  <aestes@apple.com>
2181
2182         [iOS] Build projects with $(ARCHS_STANDARD_32_64_BIT)
2183         https://bugs.webkit.org/show_bug.cgi?id=125236
2184
2185         Reviewed by Sam Weinig.
2186
2187         $(ARCHS_STANDARD_32_64_BIT) is what we want for both device and simulator builds.
2188
2189         * Configurations/DebugRelease.xcconfig:
2190
2191 2013-12-03  Filip Pizlo  <fpizlo@apple.com>
2192
2193         Infer constant closure variables
2194         https://bugs.webkit.org/show_bug.cgi?id=124630
2195
2196         Reviewed by Geoffrey Garen.
2197         
2198         Captured variables that are assigned once (not counting op_enter's Undefined
2199         initialization) and that are contained within a function that has thus far only been
2200         entered once are now constant folded. It's pretty awesome.
2201         
2202         This involves a watchpoint on the assignment to variables and a watchpoint on entry
2203         into the function. The former is reused from global variable constant inference and the
2204         latter is reused from one-time closure inference.
2205
2206         * GNUmakefile.list.am:
2207         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2208         * JavaScriptCore.xcodeproj/project.pbxproj:
2209         * bytecode/CodeBlock.cpp:
2210         (JSC::CodeBlock::dumpBytecode):
2211         (JSC::CodeBlock::CodeBlock):
2212         * bytecode/Instruction.h:
2213         (JSC::Instruction::Instruction):
2214         * bytecode/Opcode.h:
2215         (JSC::padOpcodeName):
2216         * bytecode/UnlinkedCodeBlock.h:
2217         (JSC::UnlinkedInstruction::UnlinkedInstruction):
2218         * bytecode/VariableWatchpointSet.h:
2219         (JSC::VariableWatchpointSet::invalidate):
2220         * bytecode/Watchpoint.h:
2221         (JSC::WatchpointSet::invalidate):
2222         * bytecompiler/BytecodeGenerator.cpp:
2223         (JSC::BytecodeGenerator::addVar):
2224         (JSC::BytecodeGenerator::BytecodeGenerator):
2225         (JSC::BytecodeGenerator::emitInitLazyRegister):
2226         (JSC::BytecodeGenerator::emitMove):
2227         (JSC::BytecodeGenerator::emitNewFunctionInternal):
2228         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
2229         * bytecompiler/BytecodeGenerator.h:
2230         (JSC::BytecodeGenerator::addVar):
2231         (JSC::BytecodeGenerator::watchableVariable):
2232         * dfg/DFGByteCodeParser.cpp:
2233         (JSC::DFG::ByteCodeParser::getLocal):
2234         (JSC::DFG::ByteCodeParser::inferredConstant):
2235         (JSC::DFG::ByteCodeParser::parseBlock):
2236         (JSC::DFG::ByteCodeParser::parse):
2237         * dfg/DFGGraph.cpp:
2238         (JSC::DFG::Graph::tryGetActivation):
2239         (JSC::DFG::Graph::tryGetRegisters):
2240         * dfg/DFGGraph.h:
2241         * jit/JIT.cpp:
2242         (JSC::JIT::privateCompileMainPass):
2243         (JSC::JIT::privateCompileSlowCases):
2244         * jit/JIT.h:
2245         * jit/JITOpcodes.cpp:
2246         (JSC::JIT::emit_op_mov):
2247         (JSC::JIT::emit_op_captured_mov):
2248         (JSC::JIT::emit_op_new_captured_func):
2249         (JSC::JIT::emitSlow_op_captured_mov):
2250         * jit/JITOpcodes32_64.cpp:
2251         (JSC::JIT::emit_op_mov):
2252         (JSC::JIT::emit_op_captured_mov):
2253         * llint/LowLevelInterpreter32_64.asm:
2254         * llint/LowLevelInterpreter64.asm:
2255         * runtime/CommonSlowPaths.cpp:
2256         (JSC::SLOW_PATH_DECL):
2257         * runtime/CommonSlowPaths.h:
2258         * runtime/ConstantMode.h: Added.
2259         * runtime/JSGlobalObject.h:
2260         * runtime/JSScope.cpp:
2261         (JSC::abstractAccess):
2262         * runtime/SymbolTable.cpp:
2263         (JSC::SymbolTableEntry::prepareToWatch):
2264
2265 2013-12-04  Brent Fulgham  <bfulgham@apple.com>
2266
2267         [Win] Unreviewed project file gardening.
2268
2269         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Remove deleted files from project.
2270         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Put files in proper directory
2271         folders to match the directory structure of the source code.
2272
2273 2013-12-04  Joseph Pecoraro  <pecoraro@apple.com>
2274
2275         Unreviewed Windows Build Fix attempt after r160099.
2276
2277         * JavaScriptCore.vcxproj/copy-files.cmd:
2278
2279 2013-12-04  Julien Brianceau  <jbriance@cisco.com>
2280
2281         REGRESSION (r160094): Fix lots of crashes for sh4 architecture.
2282         https://bugs.webkit.org/show_bug.cgi?id=125227
2283
2284         Reviewed by Michael Saboff.
2285
2286         * llint/LowLevelInterpreter32_64.asm: Do not use t4 and t5 as they match a0 and a1.
2287         * offlineasm/registers.rb: Add t7, t8 and t9 in register list for sh4 port.
2288         * offlineasm/sh4.rb: Rearrange RegisterID list and add the missing ones.
2289
2290 2013-12-03  Joseph Pecoraro  <pecoraro@apple.com>
2291
2292         Web Inspector: Push Remote Inspector debugging connection management into JavaScriptCore
2293         https://bugs.webkit.org/show_bug.cgi?id=124613
2294
2295         Reviewed by Timothy Hatcher.
2296
2297         Move the ENABLE(REMOTE_INSPECTOR) remote debugger connection management
2298         into JavaScriptCore (originally from WebKit/mac). Include enhancements:
2299
2300           * allow for different types of remote debuggable targets,
2301             eventually at least a JSContext, WebView, WKView.
2302           * allow debuggables to be registered and debugged on any thread. Unlike
2303             WebViews, JSContexts may be run entirely off of the main thread.
2304           * move the remote connection (XPC connection) itself off of the main thread,
2305             it doesn't need to be on the main thread.
2306
2307         Make JSContext @class and JavaScriptCore::JSContextRef
2308         "JavaScript" Remote Debuggables.
2309
2310         * inspector/remote/RemoteInspectorDebuggable.h: Added.
2311         * inspector/remote/RemoteInspectorDebuggable.cpp: Added.
2312         (Inspector::RemoteInspectorDebuggable::RemoteInspectorDebuggable):
2313         (Inspector::RemoteInspectorDebuggable::~RemoteInspectorDebuggable):
2314         (Inspector::RemoteInspectorDebuggable::init):
2315         (Inspector::RemoteInspectorDebuggable::update):
2316         (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
2317         (Inspector::RemoteInspectorDebuggable::info):
2318         RemoteInspectorDebuggable defines a debuggable target. As long as
2319         something creates a debuggable and is set to allow remote inspection,
2320         it will be listed in remote debuggers. For the different types of
2321         debuggables (JavaScript and Web) there is different basic information
2322         that may be listed.
2323
2324         * inspector/InspectorFrontendChannel.h: Added.
2325         (Inspector::InspectorFrontendChannel::~InspectorFrontendChannel):
2326         The only thing a debuggable needs for remote debugging is an
2327         InspectorFrontendChannel, a way to send messages to a remote frontend.
2328         This class provides that method, and is vended to the
2329         RemoteInspectorDebuggable when a remote connection is setup.
2330
2331         * inspector/remote/RemoteInspector.h: Added.
2332         * inspector/remote/RemoteInspector.mm: Added.
2333         Singleton, created at least when the first Debuggable is created.
2334         This class manages the list of debuggables, any connection to a
2335         remote debugger proxy (XPC service "com.apple.webinspector").
2336
2337         (Inspector::dispatchAsyncOnQueueSafeForAnyDebuggable):
2338         (Inspector::RemoteInspector::shared):
2339         (Inspector::RemoteInspector::RemoteInspector):
2340         (Inspector::RemoteInspector::nextAvailableIdentifier):
2341         (Inspector::RemoteInspector::registerDebuggable):
2342         (Inspector::RemoteInspector::unregisterDebuggable):
2343         (Inspector::RemoteInspector::updateDebuggable):
2344         Debuggable management. When debuggables are added, removed, or updated
2345         we stash a copy of the debuggable information and push an update to
2346         debuggers. Stashing a copy of the information in the RemoteInspector
2347         is a thread safe way to avoid walking over all debuggables to gather
2348         the information when it is needed.
2349
2350         (Inspector::RemoteInspector::start):
2351         (Inspector::RemoteInspector::stop):
2352         Runtime API to enable / disable the feature.
2353
2354         (Inspector::RemoteInspector::listingForDebuggable):
2355         (Inspector::RemoteInspector::pushListingNow):
2356         (Inspector::RemoteInspector::pushListingSoon):
2357         Pushing a listing to remote debuggers.
2358
2359         (Inspector::RemoteInspector::sendMessageToRemoteFrontend):
2360         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
2361         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
2362         (Inspector::RemoteInspector::xpcConnectionFailed):
2363         (Inspector::RemoteInspector::xpcConnectionUnhandledMessage):
2364         XPC setup, send, and receive handling.
2365
2366         (Inspector::RemoteInspector::updateHasActiveDebugSession):
2367         Applications being debugged may want to know when a debug
2368         session is active. This provides that notification.
2369
2370         (Inspector::RemoteInspector::receivedSetupMessage):
2371         (Inspector::RemoteInspector::receivedDataMessage):
2372         (Inspector::RemoteInspector::receivedDidCloseMessage):
2373         (Inspector::RemoteInspector::receivedGetListingMessage):
2374         (Inspector::RemoteInspector::receivedIndicateMessage):
2375         (Inspector::RemoteInspector::receivedConnectionDiedMessage):
2376         Dispatching incoming remote debugging protocol messages.
2377         These are wrapping above the inspector protocol messages.
2378
2379         * inspector/remote/RemoteInspectorConstants.h: Added.
2380         Protocol messages and dictionary keys inside the messages.
2381
2382         (Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo):
2383         * inspector/remote/RemoteInspectorDebuggableConnection.h: Added.
2384         * inspector/remote/RemoteInspectorDebuggableConnection.mm: Added.
2385         This is a connection between the RemoteInspector singleton and a RemoteInspectorDebuggable.
2386
2387         (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
2388         (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
2389         Allow for dispatching messages on JavaScript debuggables on a dispatch_queue
2390         instead of the main queue.
2391
2392         (Inspector::RemoteInspectorDebuggableConnection::destination):
2393         (Inspector::RemoteInspectorDebuggableConnection::connectionIdentifier):
2394         Needed in the remote debugging protocol to identify the remote debugger.
2395
2396         (Inspector::RemoteInspectorDebuggableConnection::dispatchSyncOnDebuggable):
2397         (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
2398         (Inspector::RemoteInspectorDebuggableConnection::setup):
2399         (Inspector::RemoteInspectorDebuggableConnection::closeFromDebuggable):
2400         (Inspector::RemoteInspectorDebuggableConnection::close):
2401         (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
2402         (Inspector::RemoteInspectorDebuggableConnection::sendMessageToFrontend):
2403         The connection is a thin channel between the two sides that can be closed
2404         from either side, so there is some logic around multi-threaded access.
2405
2406         * inspector/remote/RemoteInspectorXPCConnection.h: Added.
2407         (Inspector::RemoteInspectorXPCConnection::Client::~Client):
2408         * inspector/remote/RemoteInspectorXPCConnection.mm: Added.
2409         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
2410         (Inspector::RemoteInspectorXPCConnection::~RemoteInspectorXPCConnection):
2411         (Inspector::RemoteInspectorXPCConnection::close):
2412         (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
2413         (Inspector::RemoteInspectorXPCConnection::handleEvent):
2414         (Inspector::RemoteInspectorXPCConnection::sendMessage):
2415         This is a connection between the RemoteInspector singleton and an XPC service
2416         named "com.apple.webinspector". This handles serialization of the dictionary
2417         messages to and from the service. The receiving is done on a non-main queue.
2418
2419         * API/JSContext.h:
2420         * API/JSContext.mm:
2421         (-[JSContext name]):
2422         (-[JSContext setName:]):
2423         ObjC API to enable/disable JSContext remote inspection and give a name.
2424
2425         * API/JSContextRef.h:
2426         * API/JSContextRef.cpp:
2427         (JSGlobalContextGetName):
2428         (JSGlobalContextSetName):
2429         C API to give a JSContext a name.
2430
2431         * runtime/JSGlobalObject.cpp:
2432         (JSC::JSGlobalObject::setName):
2433         * runtime/JSGlobalObject.h:
2434         (JSC::JSGlobalObject::name):
2435         Shared handling of the APIs above.
2436
2437         * runtime/JSGlobalObjectDebuggable.cpp: Added.
2438         (JSC::JSGlobalObjectDebuggable::JSGlobalObjectDebuggable):
2439         (JSC::JSGlobalObjectDebuggable::name):
2440         (JSC::JSGlobalObjectDebuggable::connect):
2441         (JSC::JSGlobalObjectDebuggable::disconnect):
2442         (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
2443         * runtime/JSGlobalObjectDebuggable.h: Added.
2444         Stub for the actual remote debugging implementation. We will push
2445         down the appropriate WebCore/inspector pieces suitable for debugging
2446         just a JavaScript context.
2447
2448         * CMakeLists.txt:
2449         * JavaScriptCore.xcodeproj/project.pbxproj:
2450         * GNUmakefile.am:
2451         * GNUmakefile.list.am:
2452         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2453         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2454         Update build files.
2455
2456 2013-12-04  Michael Saboff  <msaboff@apple.com>
2457
2458         Move the setting up of callee's callFrame from pushFrame to callToJavaScript thunk
2459         https://bugs.webkit.org/show_bug.cgi?id=123999
2460
2461         Reviewed by Filip Pizlo.
2462
2463         Changed LLInt and/or JIT enabled ports to allocate the stack frame in the
2464         callToJavaScript stub.  Added an additional stub, callToNativeFunction that
2465         allocates a stack frame in a similar way for calling native entry points
2466         that take a single ExecState* argument.  These stubs are implemented
2467         using common macros in LowLevelInterpreter{32_64,64}.asm.  There are also
2468         Windows X86 and X86-64 versions in the corresponding JitStubsXX.h.
2469         The stubs allocate and create a sentinel frame, then create the callee's
2470         frame, populating the header and arguments from the passed in ProtoCallFrame*.
2471         It is assumed that the caller of either stub does a check for enough stack space
2472         via JSStack::entryCheck().
2473
2474         For ports using the C-Loop interpreter, the prior method for allocating stack
2475         frame and invoking functions is used, namely with JSStack::pushFrame() and
2476         ::popFrame().
2477
2478         Made spelling changes "sentinal" -> "sentinel".
2479
2480         * CMakeLists.txt:
2481         * GNUmakefile.list.am:
2482         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2483         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2484         * JavaScriptCore.xcodeproj/project.pbxproj:
2485         * interpreter/CachedCall.h:
2486         (JSC::CachedCall::CachedCall):
2487         (JSC::CachedCall::setThis):
2488         (JSC::CachedCall::setArgument):
2489         * interpreter/CallFrameClosure.h:
2490         (JSC::CallFrameClosure::resetCallFrame):
2491         * interpreter/Interpreter.cpp:
2492         (JSC::Interpreter::execute):
2493         (JSC::Interpreter::executeCall):
2494         (JSC::Interpreter::executeConstruct):
2495         (JSC::Interpreter::prepareForRepeatCall):
2496         * interpreter/Interpreter.h:
2497         * interpreter/JSStack.h:
2498         * interpreter/JSStackInlines.h:
2499         (JSC::JSStack::entryCheck):
2500         (JSC::JSStack::pushFrame):
2501         (JSC::JSStack::popFrame):
2502         * interpreter/ProtoCallFrame.cpp: Added.
2503         (JSC::ProtoCallFrame::init):
2504         * interpreter/ProtoCallFrame.h: Added.
2505         (JSC::ProtoCallFrame::codeBlock):
2506         (JSC::ProtoCallFrame::setCodeBlock):
2507         (JSC::ProtoCallFrame::setScope):
2508         (JSC::ProtoCallFrame::setCallee):
2509         (JSC::ProtoCallFrame::argumentCountIncludingThis):
2510         (JSC::ProtoCallFrame::argumentCount):
2511         (JSC::ProtoCallFrame::setArgumentCountIncludingThis):
2512         (JSC::ProtoCallFrame::setPaddedArgsCount):
2513         (JSC::ProtoCallFrame::clearCurrentVPC):
2514         (JSC::ProtoCallFrame::setThisValue):
2515         (JSC::ProtoCallFrame::setArgument):
2516         * jit/JITCode.cpp:
2517         (JSC::JITCode::execute):
2518         * jit/JITCode.h:
2519         * jit/JITOperations.cpp:
2520         * jit/JITStubs.h:
2521         * jit/JITStubsMSVC64.asm:
2522         * jit/JITStubsX86.h:
2523         * llint/LLIntOffsetsExtractor.cpp:
2524         * llint/LLIntThunks.h:
2525         * llint/LowLevelInterpreter.asm:
2526         * llint/LowLevelInterpreter32_64.asm:
2527         * llint/LowLevelInterpreter64.asm:
2528         * runtime/ArgList.h:
2529         (JSC::ArgList::data):
2530         * runtime/JSArray.cpp:
2531         (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key):
2532         * runtime/StringPrototype.cpp:
2533         (JSC::replaceUsingRegExpSearch):
2534
2535 2013-12-04  László Langó  <lango@inf.u-szeged.hu>
2536
2537         Remove stdio.h from JSC files.
2538         https://bugs.webkit.org/show_bug.cgi?id=125220
2539
2540         Reviewed by Michael Saboff.
2541
2542         * interpreter/VMInspector.cpp:
2543         * jit/JITArithmetic.cpp:
2544         * jit/JITArithmetic32_64.cpp:
2545         * jit/JITCall.cpp:
2546         * jit/JITCall32_64.cpp:
2547         * jit/JITPropertyAccess.cpp:
2548         * jit/JITPropertyAccess32_64.cpp:
2549         * runtime/Completion.cpp:
2550         * runtime/IndexingType.cpp:
2551         * runtime/Lookup.h:
2552         * runtime/Operations.cpp:
2553         * runtime/Options.cpp:
2554         * runtime/RegExp.cpp:
2555
2556 2013-12-04  László Langó  <lango@inf.u-szeged.hu>
2557
2558         Avoid adding a zero offset in BaseIndex.
2559         https://bugs.webkit.org/show_bug.cgi?id=125215
2560
2561         Reviewed by Michael Saboff.
2562
2563         When using cloop, do not generate offset additions for BaseIndex if the offset is zero.
2564
2565         * offlineasm/cloop.rb:
2566
2567 2013-12-04  Peter Molnar  <pmolnar.u-szeged@partner.samsung.com>
2568
2569         Fix !ENABLE(JAVASCRIPT_DEBUGGER) build.
2570         https://bugs.webkit.org/show_bug.cgi?id=125083
2571
2572         Reviewed by Mark Lam.
2573
2574         * debugger/Debugger.cpp:
2575         * debugger/Debugger.h:
2576         (JSC::Debugger::Debugger):
2577         (JSC::Debugger::needsOpDebugCallbacks):
2578         (JSC::Debugger::needsExceptionCallbacks):
2579         (JSC::Debugger::detach):
2580         (JSC::Debugger::sourceParsed):
2581         (JSC::Debugger::exception):
2582         (JSC::Debugger::atStatement):
2583         (JSC::Debugger::callEvent):
2584         (JSC::Debugger::returnEvent):
2585         (JSC::Debugger::willExecuteProgram):
2586         (JSC::Debugger::didExecuteProgram):
2587         (JSC::Debugger::didReachBreakpoint):
2588         * debugger/DebuggerPrimitives.h:
2589         * jit/JITOpcodes.cpp:
2590         (JSC::JIT::emit_op_debug):
2591         * jit/JITOpcodes32_64.cpp:
2592         (JSC::JIT::emit_op_debug):
2593         * llint/LLIntOfflineAsmConfig.h:
2594         * llint/LowLevelInterpreter.asm:
2595
2596 2013-12-03  Mark Lam  <mark.lam@apple.com>
2597
2598         testapi test crashes on Windows in WTF::Vector<wchar_t,64,WTF::UnsafeVectorOverflow>::size().
2599         https://bugs.webkit.org/show_bug.cgi?id=121972.
2600
2601         Reviewed by Brent Fulgham.
2602
2603         * interpreter/JSStack.cpp:
2604         (JSC::JSStack::~JSStack):
2605         - Reverting the change from r160004 since it's better to fix OSAllocatorWin
2606           to be consistent with OSAllocatorPosix.
2607
2608 2013-12-03  Mark Lam  <mark.lam@apple.com>
2609
2610         Fix LLINT_C_LOOP build for Win64.
2611         https://bugs.webkit.org/show_bug.cgi?id=125186.
2612
2613         Reviewed by Michael Saboff.
2614
2615         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2616         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2617         * jit/JITOperationsMSVC64.cpp: Added.
2618         (JSC::getHostCallReturnValueWithExecState):
2619         - Win64 will build JITStubMSVC64.asm even when !ENABLE(JIT). This results
2620           in a linkage error due to a missing getHostCallReturnValueWithExecState().
2621           So, we add a stub getHostCallReturnValueWithExecState() here to satisfy
2622           that linkage. This function will never be called.
2623           The alternative to providing such a stub is to make the MSVC project
2624           recognize if the JIT is enabled or not, and exclude JITStubMSVC64.asm
2625           if it's not enabled. We don't currently set ENABLE(JIT) via the MSVC
2626           project and the work to do that is too much trouble for what we're trying
2627           to achieve here. So, we're opting for this simpler workaround instead.
2628
2629         * llint/LowLevelInterpreter.asm:
2630         * llint/LowLevelInterpreter.cpp:
2631         (JSC::CLoop::execute):
2632         - Don't build callToJavaScript if we're building the C loop. Otherwise,
2633           the C loop won't build if !ENABLE(COMPUTE_GOTO_OPCODES). 
2634
2635 2013-12-03  Michael Saboff  <msaboff@apple.com>
2636
2637         ARM64: Crash in JIT code due to improper reuse of cached memory temp register
2638         https://bugs.webkit.org/show_bug.cgi?id=125181
2639
2640         Reviewed by Geoffrey Garen.
2641
2642         Changed load8() and load() to invalidate the memory temp CachedTempRegister when the
2643         destination of an absolute load is the memory temp register since the source address
2644         is also the memory temp register.  Change branch{8,32,64} of an AbsoluteAddress with
2645         a register to use the dataTempRegister as the destination of the absolute load to
2646         reduce the chance that we need to invalidate the memory temp register cache.
2647         In the process, found and fixed an outright bug in branch8() where we'd load into
2648         the data temp register and then compare and branch on the memory temp register.
2649
2650         * assembler/MacroAssemblerARM64.h:
2651         (JSC::MacroAssemblerARM64::load8):
2652         (JSC::MacroAssemblerARM64::branch32):
2653         (JSC::MacroAssemblerARM64::branch64):
2654         (JSC::MacroAssemblerARM64::branch8):
2655         (JSC::MacroAssemblerARM64::load):
2656
2657 2013-12-03  Michael Saboff  <msaboff@apple.com>
2658
2659         jit/JITArithmetic.cpp doesn't build for non-X86 ports
2660         https://bugs.webkit.org/show_bug.cgi?id=125185
2661
2662         Rubber stamped by Mark Hahnenberg.
2663
2664         Removed unused declarations and related UNUSED_PARAM().
2665
2666         * jit/JITArithmetic.cpp:
2667         (JSC::JIT::emit_op_mod):
2668
2669 2013-12-03  Filip Pizlo  <fpizlo@apple.com>
2670
2671         ObjectAllocationProfile is racy and the DFG should be cool with that
2672         https://bugs.webkit.org/show_bug.cgi?id=125172
2673         <rdar://problem/15233487>
2674
2675         Reviewed by Mark Hahnenberg.
2676         
2677         We would previously sometimes get a null Structure because checking if the profile is non-null and loading
2678         the structure from it were two separate operations.
2679
2680         * dfg/DFGAbstractInterpreterInlines.h:
2681         (JSC::DFG::::executeEffects):
2682         * dfg/DFGAbstractValue.cpp:
2683         (JSC::DFG::AbstractValue::setFuturePossibleStructure):
2684         * dfg/DFGByteCodeParser.cpp:
2685         (JSC::DFG::ByteCodeParser::parseBlock):
2686         * runtime/JSFunction.h:
2687         (JSC::JSFunction::allocationProfile):
2688         (JSC::JSFunction::allocationStructure):
2689
2690 2013-12-03  peavo@outlook.com  <peavo@outlook.com>
2691
2692         testapi test crashes on Windows in WTF::Vector<wchar_t,64,WTF::UnsafeVectorOverflow>::size()
2693         https://bugs.webkit.org/show_bug.cgi?id=121972
2694
2695         Reviewed by Michael Saboff.
2696
2697         The reason for the crash is that the wrong memory block is decommitted.
2698         This can happen if no memory has been committed in the reserved block before the JSStack object is destroyed.
2699         In the JSStack destructor, the pointer to decommit then points to the end of the block (or the start of the next), and the decommit size is zero.
2700         If there is a block just after the block we are trying to decommit, this block will be decommitted, since Windows will decommit the whole block
2701         if the decommit size is zero (see VirtualFree). When somebody tries to read/write to this block later, we crash.
2702
2703         * interpreter/JSStack.cpp:
2704         (JSC::JSStack::~JSStack): Don't decommit memory if nothing has been committed.
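
The decommit hazard described in the entry above, as an added example that is not JSC's JSStack code: a constructed grows-down stack region where teardown_unguarded computes the zero-size decommit at the neighbouring block's address and teardown_guarded skips it when nothing was ever committed. The Win32 VirtualFree wrapper and the constructed base address are assumptions, not taken from the project.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a grows-down stack reservation (not JSC's JSStack):
 * pages are committed from the high end downward, so commit_end is the lowest
 * committed address and equals high while nothing has been committed yet. */
typedef struct {
    uintptr_t low;        /* base of the reserved range */
    uintptr_t high;       /* one past the last reserved byte */
    uintptr_t commit_end; /* lowest committed address (== high: nothing committed) */
} stack_region;

/* Records the decommit request a teardown would issue, so the behaviour can be
 * inspected without touching a real allocator. */
typedef struct {
    bool issued;
    uintptr_t addr;
    size_t size;
} decommit_request;

#define PAGE_SIZE 4096u

void stack_region_init(stack_region *r, uintptr_t low, size_t reserved_bytes)
{
    r->low = low;
    r->high = low + reserved_bytes;
    r->commit_end = r->high; /* nothing committed yet */
}

/* Commit one more page at the bottom of the committed range. */
bool stack_region_grow(stack_region *r)
{
    if (r->commit_end < r->low + PAGE_SIZE)
        return false; /* reservation exhausted */
    r->commit_end -= PAGE_SIZE;
    return true;
}

/* Teardown as the bug report describes it: decommit [commit_end, high)
 * unconditionally. With nothing committed this yields addr == high (the start
 * of whatever block follows) and size == 0, and a zero-size decommit is the
 * request that Windows treats as "decommit the whole block at that address". */
void teardown_unguarded(const stack_region *r, decommit_request *req)
{
    req->issued = true;
    req->addr = r->commit_end;
    req->size = (size_t)(r->high - r->commit_end);
}

/* Fixed teardown: skip the call entirely when nothing was ever committed. */
void teardown_guarded(const stack_region *r, decommit_request *req)
{
    req->issued = false;
    req->addr = 0;
    req->size = 0;
    if (r->commit_end == r->high)
        return; /* nothing committed: no decommit to perform */
    req->issued = true;
    req->addr = r->commit_end;
    req->size = (size_t)(r->high - r->commit_end);
}

#ifdef _WIN32
#include <windows.h>
/* Assumed placement of the same guard in front of the real call: VirtualFree
 * with MEM_DECOMMIT and a zero size is exactly the request to avoid. */
bool stack_region_release_win32(const stack_region *r)
{
    decommit_request req;
    teardown_guarded(r, &req);
    if (!req.issued)
        return true;
    return VirtualFree((LPVOID)req.addr, req.size, MEM_DECOMMIT) != 0;
}
#endif

int main(void)
{
    stack_region r;
    decommit_request req;
    stack_region_init(&r, 0x10000000u, 16 * PAGE_SIZE); /* constructed address */

    teardown_unguarded(&r, &req);
    printf("unguarded, nothing committed: issued=%d addr=%#lx size=%zu\n",
           (int)req.issued, (unsigned long)req.addr, req.size);

    teardown_guarded(&r, &req);
    printf("guarded,   nothing committed: issued=%d\n", (int)req.issued);

    stack_region_grow(&r);
    stack_region_grow(&r);
    teardown_guarded(&r, &req);
    printf("guarded,   two pages: addr=%#lx size=%zu\n",
           (unsigned long)req.addr, req.size);
    return 0;
}
```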
2705
2706 2013-12-03  László Langó  <lango@inf.u-szeged.hu>
2707
2708         Guard JIT include.
2709         https://bugs.webkit.org/show_bug.cgi?id=125063
2710
2711         Reviewed by Filip Pizlo.
2712
2713         * llint/LLIntThunks.cpp:
2714
2715 2013-12-03  Julien Brianceau  <jbriance@cisco.com>
2716
2717         Merge mips and arm/sh4 paths in nativeForGenerator and privateCompileCTINativeCall functions.
2718         https://bugs.webkit.org/show_bug.cgi?id=125067
2719
2720         Reviewed by Michael Saboff.
2721
2722         * jit/JITOpcodes32_64.cpp:
2723         (JSC::JIT::privateCompileCTINativeCall):
2724         * jit/ThunkGenerators.cpp:
2725         (JSC::nativeForGenerator):
2726
2727 2013-12-02  Mark Lam  <mark.lam@apple.com>
2728
2729         Build failure when disabling JIT, YARR_JIT, and ASSEMBLER.
2730         https://bugs.webkit.org/show_bug.cgi?id=123809.
2731
2732         Reviewed by Geoffrey Garen.
2733
2734         Also fixed build when disabling the DISASSEMBLER.
2735         Added some needed #if's and some comments.
2736
2737         * assembler/LinkBuffer.cpp:
2738         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
2739         * dfg/DFGDisassembler.cpp:
2740         * dfg/DFGDisassembler.h:
2741         (JSC::DFG::Disassembler::Disassembler):
2742         (JSC::DFG::Disassembler::setStartOfCode):
2743         (JSC::DFG::Disassembler::setForBlockIndex):
2744         (JSC::DFG::Disassembler::setForNode):
2745         (JSC::DFG::Disassembler::setEndOfMainPath):
2746         (JSC::DFG::Disassembler::setEndOfCode):
2747         (JSC::DFG::Disassembler::dump):
2748         (JSC::DFG::Disassembler::reportToProfiler):
2749         * disassembler/Disassembler.cpp:
2750         * disassembler/X86Disassembler.cpp:
2751         * jit/FPRInfo.h:
2752         * jit/GPRInfo.h:
2753         * jit/JITDisassembler.cpp:
2754         * jit/JITDisassembler.h:
2755         (JSC::JITDisassembler::JITDisassembler):
2756         (JSC::JITDisassembler::setStartOfCode):
2757         (JSC::JITDisassembler::setForBytecodeMainPath):
2758         (JSC::JITDisassembler::setForBytecodeSlowPath):
2759         (JSC::JITDisassembler::setEndOfSlowPath):
2760         (JSC::JITDisassembler::setEndOfCode):
2761         (JSC::JITDisassembler::dump):
2762         (JSC::JITDisassembler::reportToProfiler):
2763
2764 2013-12-02  Filip Pizlo  <fpizlo@apple.com>
2765
2766         Baseline JIT calls to CommonSlowPaths shouldn't restore the last result
2767         https://bugs.webkit.org/show_bug.cgi?id=125107
2768
2769         Reviewed by Mark Hahnenberg.
2770
2771         Just killing dead code.
2772
2773         * jit/JITArithmetic.cpp:
2774         (JSC::JIT::emitSlow_op_negate):
2775         (JSC::JIT::emitSlow_op_lshift):
2776         (JSC::JIT::emitSlow_op_rshift):
2777         (JSC::JIT::emitSlow_op_urshift):
2778         (JSC::JIT::emitSlow_op_bitand):
2779         (JSC::JIT::emitSlow_op_inc):
2780         (JSC::JIT::emitSlow_op_dec):
2781         (JSC::JIT::emitSlow_op_mod):
2782         (JSC::JIT::emit_op_mod):
2783         (JSC::JIT::compileBinaryArithOpSlowCase):
2784         (JSC::JIT::emitSlow_op_div):
2785         * jit/JITArithmetic32_64.cpp:
2786         (JSC::JIT::emitSlow_op_negate):
2787         (JSC::JIT::emitSlow_op_lshift):
2788         (JSC::JIT::emitRightShiftSlowCase):
2789         (JSC::JIT::emitSlow_op_bitand):
2790         (JSC::JIT::emitSlow_op_bitor):
2791         (JSC::JIT::emitSlow_op_bitxor):
2792         (JSC::JIT::emitSlow_op_inc):
2793         (JSC::JIT::emitSlow_op_dec):
2794         (JSC::JIT::emitSlow_op_add):
2795         (JSC::JIT::emitSlow_op_sub):
2796         (JSC::JIT::emitSlow_op_mul):
2797         (JSC::JIT::emitSlow_op_div):
2798         * jit/JITOpcodes.cpp:
2799         (JSC::JIT::emit_op_strcat):
2800         (JSC::JIT::emitSlow_op_get_callee):
2801         (JSC::JIT::emitSlow_op_create_this):
2802         (JSC::JIT::emitSlow_op_to_this):
2803         (JSC::JIT::emitSlow_op_to_primitive):
2804         (JSC::JIT::emitSlow_op_not):
2805         (JSC::JIT::emitSlow_op_bitxor):
2806         (JSC::JIT::emitSlow_op_bitor):
2807         (JSC::JIT::emitSlow_op_stricteq):
2808         (JSC::JIT::emitSlow_op_nstricteq):
2809         (JSC::JIT::emitSlow_op_to_number):
2810         * jit/JITOpcodes32_64.cpp:
2811         (JSC::JIT::emitSlow_op_to_primitive):
2812         (JSC::JIT::emitSlow_op_not):
2813         (JSC::JIT::emitSlow_op_stricteq):
2814         (JSC::JIT::emitSlow_op_nstricteq):
2815         (JSC::JIT::emitSlow_op_to_number):
2816         (JSC::JIT::emitSlow_op_get_callee):
2817         (JSC::JIT::emitSlow_op_create_this):
2818         (JSC::JIT::emitSlow_op_to_this):
2819
2820 2013-12-01  Filip Pizlo  <fpizlo@apple.com>
2821
2822         Stores to local captured variables should be intercepted
2823         https://bugs.webkit.org/show_bug.cgi?id=124883
2824
2825         Reviewed by Mark Hahnenberg.
2826         
2827         Previously, in bytecode, you could assign to a captured variable just as you would
2828         assign to any other kind of variable. This complicates closure variable constant
2829         inference because we don't have any place where we can intercept stores to captured
2830         variables in the LLInt.
2831         
2832         This patch institutes a policy that only certain instructions can store to captured
2833         variables. If you interpret those instructions and you are required to notifyWrite()
2834         then you need to check if the relevant variable is captured. Those instructions are
2835         tracked in CodeBlock.cpp's VerifyCapturedDef. The main one is simply op_captured_mov.
2836         In the future, we'll probably modify those instructions to have a pointer directly to
2837         the VariableWatchpointSet; but for now we just introduce the captured instructions as
2838         placeholders.
2839         
2840         In order to validate that the placeholders are inserted correctly, this patch improves
2841         the CodeBlock validation to be able to inspect every def in the bytecode. To do that,
2842         this patch refactors the liveness analysis' use/def calculator to be reusable; it now
2843         takes a functor for each use or def.
2844         
2845         In the process of refactoring the liveness analysis, I noticed that op_enter was
2846         claiming to def all callee registers. That's wrong; it only defs the non-temporary
2847         variables. Making that change revealed preexisting bugs in the liveness analysis, since
2848         now the validator would pick up cases where the bytecode claimed to use a temporary and
2849         the def calculator never noticed the definition (or the converse - where the bytecode
2850         was actually not using a temporary but the liveness analysis thought that it was a
2851         use). This patch fixes a few of those bugs.
2852
2853         * GNUmakefile.list.am:
2854         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2855         * JavaScriptCore.xcodeproj/project.pbxproj:
2856         * bytecode/BytecodeLivenessAnalysis.cpp:
2857         (JSC::stepOverInstruction):
2858         * bytecode/BytecodeUseDef.h: Added.
2859         (JSC::computeUsesForBytecodeOffset):
2860         (JSC::computeDefsForBytecodeOffset):
2861         * bytecode/CodeBlock.cpp:
2862         (JSC::CodeBlock::dumpBytecode):
2863         (JSC::CodeBlock::isCaptured):
2864         (JSC::CodeBlock::validate):
2865         * bytecode/CodeBlock.h:
2866         * bytecode/Opcode.h:
2867         (JSC::padOpcodeName):
2868         * bytecompiler/BytecodeGenerator.cpp:
2869         (JSC::BytecodeGenerator::BytecodeGenerator):
2870         (JSC::BytecodeGenerator::resolveCallee):
2871         (JSC::BytecodeGenerator::emitMove):
2872         (JSC::BytecodeGenerator::isCaptured):
2873         (JSC::BytecodeGenerator::local):
2874         (JSC::BytecodeGenerator::constLocal):
2875         (JSC::BytecodeGenerator::emitNewFunction):
2876         (JSC::BytecodeGenerator::emitLazyNewFunction):
2877         (JSC::BytecodeGenerator::emitNewFunctionInternal):
2878         * bytecompiler/BytecodeGenerator.h:
2879         (JSC::Local::Local):
2880         (JSC::Local::isCaptured):
2881         (JSC::Local::captureMode):
2882         (JSC::BytecodeGenerator::captureMode):
2883         (JSC::BytecodeGenerator::emitNode):
2884         (JSC::BytecodeGenerator::pushOptimisedForIn):
2885         * bytecompiler/NodesCodegen.cpp:
2886         (JSC::PostfixNode::emitResolve):
2887         (JSC::PrefixNode::emitResolve):
2888         (JSC::ReadModifyResolveNode::emitBytecode):
2889         (JSC::AssignResolveNode::emitBytecode):
2890         (JSC::ConstDeclNode::emitCodeSingle):
2891         (JSC::ForInNode::emitBytecode):
2892         * dfg/DFGByteCodeParser.cpp:
2893         (JSC::DFG::ByteCodeParser::parseBlock):
2894         * dfg/DFGCapabilities.cpp:
2895         (JSC::DFG::capabilityLevel):
2896         * jit/JIT.cpp:
2897         (JSC::JIT::privateCompileMainPass):
2898         * llint/LowLevelInterpreter32_64.asm:
2899         * llint/LowLevelInterpreter64.asm:
2900         * runtime/SymbolTable.h:
2901         (JSC::SymbolTable::isCaptured):
2902
2903 2013-12-02  Filip Pizlo  <fpizlo@apple.com>
2904
2905         Instead of watchpointing activation allocation, we should watchpoint entry into functions that have captured variables
2906         https://bugs.webkit.org/show_bug.cgi?id=125052
2907
2908         Reviewed by Mark Hahnenberg.
2909         
2910         This makes us watch function entry rather than activation creation. We only incur the
2911         costs of doing so for functions that have captured variables, and only on the first two
2912         entries into the function. This means that closure variable constant inference will
2913         naturally work even for local uses of the captured variable, like:
2914         
2915             (function(){
2916                 var blah = 42;
2917                 ... // stuff
2918                 function () { ... blah /* we can fold this to 42 */ }
2919                 ... blah // we can also fold this to 42.
2920             })();
2921         
2922         Previously, only the nested use would have been foldable.
2923
2924         * bytecode/BytecodeLivenessAnalysis.cpp:
2925         (JSC::computeUsesForBytecodeOffset):
2926         (JSC::computeDefsForBytecodeOffset):
2927         * bytecode/CodeBlock.cpp:
2928         (JSC::CodeBlock::dumpBytecode):
2929         * bytecode/Opcode.h:
2930         (JSC::padOpcodeName):
2931         * bytecode/Watchpoint.h:
2932         (JSC::WatchpointSet::touch):
2933         (JSC::InlineWatchpointSet::touch):
2934         * bytecompiler/BytecodeGenerator.cpp:
2935         (JSC::BytecodeGenerator::BytecodeGenerator):
2936         * dfg/DFGAbstractInterpreterInlines.h:
2937         (JSC::DFG::::executeEffects):
2938         * dfg/DFGByteCodeParser.cpp:
2939         (JSC::DFG::ByteCodeParser::parseBlock):
2940         * dfg/DFGCapabilities.cpp:
2941         (JSC::DFG::capabilityLevel):
2942         * dfg/DFGClobberize.h:
2943         (JSC::DFG::clobberize):
2944         * dfg/DFGFixupPhase.cpp:
2945         (JSC::DFG::FixupPhase::fixupNode):
2946         * dfg/DFGNode.h:
2947         (JSC::DFG::Node::hasSymbolTable):
2948         * dfg/DFGNodeType.h:
2949         * dfg/DFGPredictionPropagationPhase.cpp:
2950         (JSC::DFG::PredictionPropagationPhase::propagate):
2951         * dfg/DFGSafeToExecute.h:
2952         (JSC::DFG::safeToExecute):
2953         * dfg/DFGSpeculativeJIT32_64.cpp:
2954         (JSC::DFG::SpeculativeJIT::compile):
2955         * dfg/DFGSpeculativeJIT64.cpp:
2956         (JSC::DFG::SpeculativeJIT::compile):
2957         * dfg/DFGWatchpointCollectionPhase.cpp:
2958         (JSC::DFG::WatchpointCollectionPhase::handle):
2959         * ftl/FTLCapabilities.cpp:
2960         (JSC::FTL::canCompile):
2961         * ftl/FTLLowerDFGToLLVM.cpp:
2962         (JSC::FTL::LowerDFGToLLVM::compileNode):
2963         * jit/JIT.cpp:
2964         (JSC::JIT::privateCompileMainPass):
2965         * jit/JIT.h:
2966         * jit/JITOpcodes.cpp:
2967         (JSC::JIT::emit_op_touch_entry):
2968         * llint/LowLevelInterpreter.asm:
2969         * runtime/CommonSlowPaths.cpp:
2970         (JSC::SLOW_PATH_DECL):
2971         * runtime/CommonSlowPaths.h:
2972         * runtime/JSActivation.h:
2973         (JSC::JSActivation::create):
2974         * runtime/SymbolTable.cpp:
2975         (JSC::SymbolTable::SymbolTable):
2976         * runtime/SymbolTable.h:
2977
2978 2013-12-02  Nick Diego Yamane  <nick.yamane@openbossa.org>
2979
2980         [JSC] Get rid of some unused parameters in LLIntSlowPaths.cpp macros
2981         https://bugs.webkit.org/show_bug.cgi?id=125075
2982
2983         Reviewed by Michael Saboff.
2984
2985         * llint/LLIntSlowPaths.cpp:
2986         (JSC::LLInt::handleHostCall): added UNUSED_PARAM(pc).
2987         (JSC::LLInt::setUpCall): Doesn't pass 'pc' to LLINT_CALL macros.
2988         (JSC::LLInt::LLINT_SLOW_PATH_DECL): Ditto.
2989
2990 2013-12-02  László Langó  <lango@inf.u-szeged.hu>
2991
2992         Remove stdio.h from JSC files.
2993         https://bugs.webkit.org/show_bug.cgi?id=125066
2994
2995         Reviewed by Michael Saboff.
2996
2997         Remove stdio.h, when it is not necessary to be included.
2998
2999         * bytecode/CodeBlock.cpp:
3000         * bytecode/StructureSet.h:
3001         * profiler/LegacyProfiler.cpp:
3002         * profiler/Profile.cpp:
3003         * profiler/ProfileNode.cpp:
3004         * yarr/YarrInterpreter.cpp:
3005
3006 2013-12-02  László Langó  <lango@inf.u-szeged.hu>
3007
3008         Unused include files when building without JIT.
3009         https://bugs.webkit.org/show_bug.cgi?id=125062
3010
3011         Reviewed by Michael Saboff.
3012
3013         We should organize the includes, and guard JIT methods
3014         in ValueRecovery.
3015
3016         * bytecode/ValueRecovery.cpp: Guard include files.
3017         * bytecode/ValueRecovery.h: Guard JIT methods.
3018
3019 2013-12-02  Balazs Kilvady  <kilvadyb@homejinni.com>
3020
3021         [MIPS] Small stack frame causes regressions.
3022         https://bugs.webkit.org/show_bug.cgi?id=124945
3023
3024         Reviewed by Michael Saboff.
3025
3026         Fix stack space for LLInt on MIPS.
3027
3028         * llint/LowLevelInterpreter32_64.asm:
3029
3030 2013-12-02  Brian J. Burg  <burg@cs.washington.edu>
3031
3032         jsc: implement a native readFile function
3033         https://bugs.webkit.org/show_bug.cgi?id=125059
3034
3035         Reviewed by Filip Pizlo.
3036
3037         This adds a native readFile() function to jsc, used to slurp
3038         an entire file into a JavaScript string.
3039
3040         * jsc.cpp:
3041         (GlobalObject::finishCreation): Add readFile() to globals.
3042         (functionReadFile): Added.
3043
3044 2013-12-02  László Langó  <lango@inf.u-szeged.hu>
3045
3046         JSC does not build if OPCODE_STATS is enabled.
3047         https://bugs.webkit.org/show_bug.cgi?id=125011
3048
3049         Reviewed by Filip Pizlo.
3050
3051         * bytecode/Opcode.cpp:
3052
3053 2013-11-29  Filip Pizlo  <fpizlo@apple.com>
3054
3055         Finally remove those DFG_ENABLE things
3056         https://bugs.webkit.org/show_bug.cgi?id=125025
3057
3058         Rubber stamped by Sam Weinig.
3059         
3060         This removes a bunch of unused and untested insanity.
3061
3062         * bytecode/CodeBlock.cpp:
3063         (JSC::CodeBlock::tallyFrequentExitSites):
3064         * dfg/DFGArgumentsSimplificationPhase.cpp:
3065         (JSC::DFG::ArgumentsSimplificationPhase::run):
3066         * dfg/DFGByteCodeParser.cpp:
3067         (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
3068         (JSC::DFG::ByteCodeParser::getArrayModeConsideringSlowPath):
3069         (JSC::DFG::ByteCodeParser::makeSafe):
3070         (JSC::DFG::ByteCodeParser::makeDivSafe):
3071         (JSC::DFG::ByteCodeParser::handleCall):
3072         (JSC::DFG::ByteCodeParser::handleInlining):
3073         (JSC::DFG::ByteCodeParser::parseBlock):
3074         (JSC::DFG::ByteCodeParser::linkBlock):
3075         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3076         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3077         (JSC::DFG::ByteCodeParser::parse):
3078         (JSC::DFG::parse):
3079         * dfg/DFGCFGSimplificationPhase.cpp:
3080         (JSC::DFG::CFGSimplificationPhase::run):
3081         (JSC::DFG::CFGSimplificationPhase::convertToJump):
3082         (JSC::DFG::CFGSimplificationPhase::fixJettisonedPredecessors):
3083         * dfg/DFGCSEPhase.cpp:
3084         (JSC::DFG::CSEPhase::endIndexForPureCSE):
3085         (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
3086         (JSC::DFG::CSEPhase::setReplacement):
3087         (JSC::DFG::CSEPhase::eliminate):
3088         (JSC::DFG::CSEPhase::performNodeCSE):
3089         * dfg/DFGCommon.h:
3090         (JSC::DFG::verboseCompilationEnabled):
3091         (JSC::DFG::logCompilationChanges):
3092         (JSC::DFG::shouldDumpGraphAtEachPhase):
3093         * dfg/DFGConstantFoldingPhase.cpp:
3094         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3095         * dfg/DFGFixupPhase.cpp:
3096         (JSC::DFG::FixupPhase::fixupNode):
3097         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
3098         * dfg/DFGInPlaceAbstractState.cpp:
3099         (JSC::DFG::InPlaceAbstractState::initialize):
3100         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
3101         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
3102         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
3103         * dfg/DFGJITCompiler.cpp:
3104         (JSC::DFG::JITCompiler::compileBody):
3105         (JSC::DFG::JITCompiler::link):
3106         * dfg/DFGOSRExitCompiler.cpp:
3107         * dfg/DFGOSRExitCompiler32_64.cpp:
3108         (JSC::DFG::OSRExitCompiler::compileExit):
3109         * dfg/DFGOSRExitCompiler64.cpp:
3110         (JSC::DFG::OSRExitCompiler::compileExit):
3111         * dfg/DFGOSRExitCompilerCommon.cpp:
3112         (JSC::DFG::adjustAndJumpToTarget):
3113         * dfg/DFGPredictionInjectionPhase.cpp:
3114         (JSC::DFG::PredictionInjectionPhase::run):
3115         * dfg/DFGPredictionPropagationPhase.cpp:
3116         (JSC::DFG::PredictionPropagationPhase::run):
3117         (JSC::DFG::PredictionPropagationPhase::propagate):
3118         (JSC::DFG::PredictionPropagationPhase::propagateForward):
3119         (JSC::DFG::PredictionPropagationPhase::propagateBackward):
3120         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
3121         * dfg/DFGScoreBoard.h:
3122         (JSC::DFG::ScoreBoard::use):
3123         * dfg/DFGSlowPathGenerator.h:
3124         (JSC::DFG::SlowPathGenerator::generate):
3125         * dfg/DFGSpeculativeJIT.cpp:
3126         (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
3127         (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
3128         (JSC::DFG::SpeculativeJIT::dump):
3129         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
3130         (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
3131         * dfg/DFGSpeculativeJIT.h:
3132         * dfg/DFGSpeculativeJIT32_64.cpp:
3133         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
3134         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3135         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3136         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3137         (JSC::DFG::SpeculativeJIT::compile):
3138         * dfg/DFGSpeculativeJIT64.cpp:
3139         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
3140         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3141         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3142         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3143         (JSC::DFG::SpeculativeJIT::compile):
3144         * dfg/DFGVariableEventStream.cpp:
3145         (JSC::DFG::VariableEventStream::reconstruct):
3146         * dfg/DFGVariableEventStream.h:
3147         (JSC::DFG::VariableEventStream::appendAndLog):
3148         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
3149         (JSC::DFG::VirtualRegisterAllocationPhase::run):
3150         * jit/JIT.cpp:
3151         (JSC::JIT::privateCompile):
3152
3153 2013-11-29  Filip Pizlo  <fpizlo@apple.com>
3154
3155         FTL IC should nop-fill to make up the difference between the actual IC size and the requested patchpoint size
3156         https://bugs.webkit.org/show_bug.cgi?id=124960
3157
3158         Reviewed by Sam Weinig.
3159
3160         * assembler/LinkBuffer.h:
3161         (JSC::LinkBuffer::size):
3162         * assembler/X86Assembler.h:
3163         (JSC::X86Assembler::fillNops):
3164         * dfg/DFGDisassembler.cpp:
3165         (JSC::DFG::Disassembler::dumpHeader):
3166         * ftl/FTLCompile.cpp:
3167         (JSC::FTL::generateICFastPath):
3168         * jit/JITDisassembler.cpp:
3169         (JSC::JITDisassembler::dumpHeader):
3170
3171 2013-11-29  Julien Brianceau  <jbriance@cisco.com>
3172
3173         Use moveDoubleToInts in SpecializedThunkJIT::returnDouble for non-X86 JSVALUE32_64 ports.
3174         https://bugs.webkit.org/show_bug.cgi?id=124936
3175
3176         Reviewed by Zoltan Herczeg.
3177
3178         The moveDoubleToInts implementations in ARM, MIPS and SH4 macro assemblers do not clobber
3179         src FPRegister and are likely to be more efficient than the current generic implementation
3180         using the stack.
3181
3182         * jit/SpecializedThunkJIT.h:
3183         (JSC::SpecializedThunkJIT::returnDouble):
3184
3185 2013-11-29  Julien Brianceau  <jbriance@cisco.com>
3186
3187         Merge arm and sh4 paths in nativeForGenerator and privateCompileCTINativeCall functions.
3188         https://bugs.webkit.org/show_bug.cgi?id=124892
3189
3190         Reviewed by Zoltan Herczeg.
3191
3192         * assembler/MacroAssemblerSH4.h:
3193         (JSC::MacroAssemblerSH4::call): Pick a scratch register instead of getting it as a
3194         parameter. The sh4 port was the only one to have this call(Address, RegisterID) prototype.
3195         * jit/JITOpcodes32_64.cpp:
3196         (JSC::JIT::privateCompileCTINativeCall): Use argumentGPRx and merge arm and sh4 paths.
3197         * jit/ThunkGenerators.cpp:
3198         (JSC::nativeForGenerator): Use argumentGPRx and merge arm and sh4 paths.
3199
3200 2013-11-28  Nadav Rotem  <nrotem@apple.com>
3201
3202         Revert the X86 assembler peephole changes
3203         https://bugs.webkit.org/show_bug.cgi?id=124988
3204
3205         Reviewed by Csaba Osztrogonác.
3206
3207         * assembler/MacroAssemblerX86.h:
3208         (JSC::MacroAssemblerX86::add32):
3209         (JSC::MacroAssemblerX86::add64):
3210         (JSC::MacroAssemblerX86::or32):
3211         * assembler/MacroAssemblerX86Common.h:
3212         (JSC::MacroAssemblerX86Common::add32):
3213         (JSC::MacroAssemblerX86Common::or32):
3214         (JSC::MacroAssemblerX86Common::branchAdd32):
3215         * assembler/MacroAssemblerX86_64.h:
3216         (JSC::MacroAssemblerX86_64::add32):
3217         (JSC::MacroAssemblerX86_64::or32):
3218         (JSC::MacroAssemblerX86_64::add64):
3219         (JSC::MacroAssemblerX86_64::or64):
3220         (JSC::MacroAssemblerX86_64::xor64):
3221
3222 2013-11-28  Antti Koivisto  <antti@apple.com>
3223
3224         Remove feature: CSS variables
3225         https://bugs.webkit.org/show_bug.cgi?id=114119
3226
3227         Reviewed by Andreas Kling.
3228
3229         * Configurations/FeatureDefines.xcconfig:
3230
3231 2013-11-28  Peter Gal  <galpeter@inf.u-szeged.hu>
3232
3233         Typo fix after r159834 to fix 32 bit builds.
3234
3235         Reviewed by Csaba Osztrogonác.
3236
3237         * dfg/DFGSpeculativeJIT32_64.cpp:
3238         (JSC::DFG::SpeculativeJIT::compile):
3239
3240 2013-11-27  Nadav Rotem  <nrotem@apple.com>
3241
3242         Add a bunch of early exits and local optimizations to the x86 assembler.
3243         https://bugs.webkit.org/show_bug.cgi?id=124904
3244
3245         Reviewed by Filip Pizlo.
3246
3247         * assembler/MacroAssemblerX86.h:
3248         (JSC::MacroAssemblerX86::add32):
3249         (JSC::MacroAssemblerX86::add64):
3250         (JSC::MacroAssemblerX86::or32):
3251         * assembler/MacroAssemblerX86Common.h:
3252         (JSC::MacroAssemblerX86Common::add32):
3253         (JSC::MacroAssemblerX86Common::or32):
3254         * assembler/MacroAssemblerX86_64.h:
3255         (JSC::MacroAssemblerX86_64::add32):
3256         (JSC::MacroAssemblerX86_64::or32):
3257         (JSC::MacroAssemblerX86_64::add64):
3258         (JSC::MacroAssemblerX86_64::or64):
3259         (JSC::MacroAssemblerX86_64::xor64):
3260
3261 2013-11-27  Filip Pizlo  <fpizlo@apple.com>
3262
3263         Infer one-time scopes
3264         https://bugs.webkit.org/show_bug.cgi?id=124812
3265
3266         Reviewed by Oliver Hunt.
3267         
3268         This detects JSActivations that are created only once. The JSActivation pointer is then
3269         baked into the machine code.
3270         
3271         This takes advantage of the one-time scope inference to reduce the number of
3272         indirections needed to get to a closure variable in case where the scope is only
3273         allocated once. This isn't really a speed-up since in the common case the total number
3274         of instruction bytes needed to load the scope from the stack is about equal to the
3275         number of instruction bytes needed to materialize the absolute address of a scoped
3276         variable. But, this is a necessary prerequisite to
3277         https://bugs.webkit.org/show_bug.cgi?id=124630, so it's probably a good idea anyway.
3278
3279         * bytecode/CodeBlock.cpp:
3280         (JSC::CodeBlock::dumpBytecode):
3281         (JSC::CodeBlock::CodeBlock):
3282         (JSC::CodeBlock::finalizeUnconditionally):
3283         * bytecode/Instruction.h:
3284         * bytecode/Opcode.h:
3285         (JSC::padOpcodeName):
3286         * bytecode/Watchpoint.h:
3287         (JSC::WatchpointSet::notifyWrite):
3288         (JSC::InlineWatchpointSet::notifyWrite):
3289         * bytecompiler/BytecodeGenerator.cpp:
3290         (JSC::BytecodeGenerator::emitResolveScope):
3291         * dfg/DFGAbstractInterpreterInlines.h:
3292         (JSC::DFG::::executeEffects):
3293         * dfg/DFGByteCodeParser.cpp:
3294         (JSC::DFG::ByteCodeParser::parseBlock):
3295         * dfg/DFGCSEPhase.cpp:
3296         (JSC::DFG::CSEPhase::scopedVarLoadElimination):
3297         (JSC::DFG::CSEPhase::scopedVarStoreElimination):
3298         (JSC::DFG::CSEPhase::getLocalLoadElimination):
3299         (JSC::DFG::CSEPhase::setLocalStoreElimination):
3300         * dfg/DFGClobberize.h:
3301         (JSC::DFG::clobberize):
3302         * dfg/DFGFixupPhase.cpp:
3303         (JSC::DFG::FixupPhase::fixupNode):
3304         * dfg/DFGGraph.cpp:
3305         (JSC::DFG::Graph::tryGetRegisters):
3306         * dfg/DFGGraph.h:
3307         * dfg/DFGNode.h:
3308         (JSC::DFG::Node::varNumber):
3309         (JSC::DFG::Node::hasSymbolTable):
3310         (JSC::DFG::Node::symbolTable):
3311         * dfg/DFGNodeType.h:
3312         * dfg/DFGPredictionPropagationPhase.cpp:
3313         (JSC::DFG::PredictionPropagationPhase::propagate):
3314         * dfg/DFGSafeToExecute.h:
3315         (JSC::DFG::safeToExecute):
3316         * dfg/DFGSpeculativeJIT32_64.cpp:
3317         (JSC::DFG::SpeculativeJIT::compile):
3318         * dfg/DFGSpeculativeJIT64.cpp:
3319         (JSC::DFG::SpeculativeJIT::compile):
3320         * dfg/DFGWatchpointCollectionPhase.cpp:
3321         (JSC::DFG::WatchpointCollectionPhase::handle):
3322         * ftl/FTLCapabilities.cpp:
3323         (JSC::FTL::canCompile):
3324         * ftl/FTLLowerDFGToLLVM.cpp:
3325         (JSC::FTL::LowerDFGToLLVM::compileNode):
3326         (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters):
3327         * llint/LowLevelInterpreter32_64.asm:
3328         * llint/LowLevelInterpreter64.asm:
3329         * runtime/JSActivation.h:
3330         (JSC::JSActivation::create):
3331         * runtime/JSScope.cpp:
3332         (JSC::abstractAccess):
3333         (JSC::JSScope::abstractResolve):
3334         * runtime/JSScope.h:
3335         (JSC::ResolveOp::ResolveOp):
3336         * runtime/JSVariableObject.h:
3337         (JSC::JSVariableObject::registers):
3338         * runtime/SymbolTable.cpp:
3339         (JSC::SymbolTable::SymbolTable):
3340         * runtime/SymbolTable.h:
3341
3342 2013-11-27  Filip Pizlo  <fpizlo@apple.com>
3343
3344         Finally fix some obvious Bartlett bugs
3345         https://bugs.webkit.org/show_bug.cgi?id=124951
3346
3347         Reviewed by Mark Hahnenberg.
3348         
3349         Sanitize the stack (i.e. zero parts of it known to be dead) at three key points:
3350         
3351         - GC.
3352         
3353         - At beginning of OSR entry.
3354         
3355         - Just as we finish preparing OSR entry. This clears those slots on the stack that
3356           could have been live in baseline but that are known to be dead in DFG.
3357         
3358         This is as much as a 2x speed-up on splay if you run it in certain modes, and run it
3359         for a long enough interval. It appears to fix all instances of the dreaded exponential
3360         heap growth that splay gets into when some stale pointer stays around.
3361         
3362         This doesn't have much of an effect on real-world programs. This bug has only ever
3363         manifested in splay and for that reason we thus far opted against fixing it. But splay
3364         is, for what it's worth, the premier GC stress test in JavaScript - so making sure we
3365         can run it without pathologies - even when you tweak its configuration - is probably
3366         fairly important.
3367
3368         * dfg/DFGJITCompiler.h:
3369         (JSC::DFG::JITCompiler::noticeOSREntry):
3370         * dfg/DFGOSREntry.cpp:
3371         (JSC::DFG::prepareOSREntry):
3372         * dfg/DFGOSREntry.h:
3373         * heap/Heap.cpp:
3374         (JSC::Heap::markRoots):
3375         * interpreter/JSStack.cpp:
3376         (JSC::JSStack::JSStack):
3377         (JSC::JSStack::sanitizeStack):
3378         * interpreter/JSStack.h:
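
        The following is an added, constructed C simulation (not JSC's code) of the problem the
        sanitization above addresses: a returned frame leaves a heap pointer in a stack slot,
        a later frame reserves that slot without writing it, and a conservative root scan then
        treats the stale word as a root. Names such as Sim, simPushFrame, simSanitizeStack and
        retainedAfterGC are hypothetical; the high-water-mark zeroing mirrors only the idea, not
        JSStack's layout.

```c
/* Constructed simulation (not JSC code) of stack sanitization vs. a conservative root scan. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HEAP_OBJECTS 4
#define STACK_SLOTS  8

typedef struct { bool marked; } Object;

typedef struct {
    Object heap[HEAP_OBJECTS];
    uintptr_t slots[STACK_SLOTS]; /* raw words; the scanner treats any of them as a possible pointer */
    size_t top;                   /* slots[0..top) belong to live frames */
    size_t highWater;             /* highest 'top' reached since the last sanitize */
} Sim;

static void simInit(Sim* s) { memset(s, 0, sizeof *s); }

/* Reserve n slots for a new frame WITHOUT initialising them, like register slots
 * that the bytecode has not defined yet when a GC happens. */
static void simPushFrame(Sim* s, size_t n) {
    s->top += n;
    if (s->top > s->highWater)
        s->highWater = s->top;
}

/* Returning from a frame only moves the top; the words it wrote stay behind. */
static void simPopFrame(Sim* s, size_t n) { s->top -= n; }

static void simStore(Sim* s, size_t slot, uintptr_t w) { s->slots[slot] = w; }

/* Analogue of sanitizing the stack: zero everything between the current top and the
 * high-water mark, so words left by returned frames can no longer look like roots. */
static void simSanitizeStack(Sim* s) {
    memset(&s->slots[s->top], 0, (s->highWater - s->top) * sizeof(uintptr_t));
    s->highWater = s->top;
}

/* Conservative root scan over the live region: any word equal to an object's
 * address marks that object, whether or not the slot was ever initialised. */
static void simMarkRoots(Sim* s) {
    for (size_t j = 0; j < HEAP_OBJECTS; j++)
        s->heap[j].marked = false;
    for (size_t i = 0; i < s->top; i++)
        for (size_t j = 0; j < HEAP_OBJECTS; j++)
            if (s->slots[i] == (uintptr_t)&s->heap[j])
                s->heap[j].marked = true;
}

static size_t simCountMarked(const Sim* s) {
    size_t n = 0;
    for (size_t j = 0; j < HEAP_OBJECTS; j++)
        n += s->heap[j].marked ? 1 : 0;
    return n;
}

/* Scenario: a caller keeps heap[0] alive, a callee stores heap[1] and returns, and a new
 * callee reserves the same slot without writing it before the GC scans the stack.
 * Returns the number of objects the scan retains: 2 unsanitized, 1 sanitized. */
size_t retainedAfterGC(bool sanitizeBeforeGC) {
    Sim s;
    simInit(&s);
    simPushFrame(&s, 1);
    simStore(&s, 0, (uintptr_t)&s.heap[0]); /* caller frame: heap[0] is genuinely live */
    simPushFrame(&s, 1);
    simStore(&s, 1, (uintptr_t)&s.heap[1]); /* callee frame: heap[1] referenced here only */
    simPopFrame(&s, 1);                     /* callee returns: heap[1] is now garbage */
    if (sanitizeBeforeGC)
        simSanitizeStack(&s);               /* zero the dead slot left by the callee */
    simPushFrame(&s, 1);                    /* new callee reserves slot 1, not yet defined */
    simMarkRoots(&s);
    return simCountMarked(&s);
}

int main(void) {
    printf("retained without sanitize: %zu\n", retainedAfterGC(false));
    printf("retained with sanitize:    %zu\n", retainedAfterGC(true));
    return 0;
}
```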
3379
3380 2013-11-26  Filip Pizlo  <fpizlo@apple.com>
3381
3382         Do bytecode validation as part of testing
3383         https://bugs.webkit.org/show_bug.cgi?id=124913
3384
3385         Reviewed by Oliver Hunt.
3386         
3387         Also fix some small bugs in the bytecode liveness analysis that I found by doing
3388         this validation thingy.
3389
3390         * bytecode/BytecodeLivenessAnalysis.cpp:
3391         (JSC::isValidRegisterForLiveness):
3392         (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
3393         * bytecode/CodeBlock.cpp:
3394         (JSC::CodeBlock::validate):