76804bcb33e5031ee8938a24ff94d23b5106aff7
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for testb_i8r when register is accumulator.
        <https://webkit.org/b/130026>

        Generate the shorthand version of "test al, imm" when possible.

        Reviewed by Michael Saboff.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::testb_i8r):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for sub_ir when register is accumulator.
        <https://webkit.org/b/130025>

        Generate the shorthand version of "sub eax, imm" when possible.

        Reviewed by Michael Saboff.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::subl_ir):
        (JSC::X86Assembler::subq_ir):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for add_ir when register is accumulator.
        <https://webkit.org/b/130024>

        Generate the shorthand version of "add eax, imm" when possible.

        Reviewed by Michael Saboff.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::addl_ir):
        (JSC::X86Assembler::addq_ir):

2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        writeBarrier in emitPutReplaceStub is unnecessary
        https://bugs.webkit.org/show_bug.cgi?id=130030

        Reviewed by Filip Pizlo.

        We already emit write barriers for each put-by-id when they're first compiled, so it's
        redundant to emit a write barrier as part of the repatched code.

        * jit/Repatch.cpp:
        (JSC::emitPutReplaceStub):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for xor_ir when register is accumulator.
        <https://webkit.org/b/130008>

        Generate the shorthand version of "xor eax, imm" when possible.

        Reviewed by Benjamin Poulain.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::xorl_ir):
        (JSC::X86Assembler::xorq_ir):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for or_ir when register is accumulator.
        <https://webkit.org/b/130007>

        Generate the shorthand version of "or eax, imm" when possible.

        Reviewed by Benjamin Poulain.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::orl_ir):
        (JSC::X86Assembler::orq_ir):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for test_ir when register is accumulator.
        <https://webkit.org/b/130006>

        Generate the shorthand version of "test eax, imm" when possible.

        Reviewed by Benjamin Poulain.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::testl_i32r):
        (JSC::X86Assembler::testq_i32r):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for cmp_ir when register is accumulator.
        <https://webkit.org/b/130005>

        Generate the shorthand version of "cmp eax, imm" when possible.

        Reviewed by Benjamin Poulain.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::cmpl_ir):
        (JSC::X86Assembler::cmpq_ir):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for store64(imm, address) when imm fits in 32 bits.
        <https://webkit.org/b/130002>

        Generate this:

            mov [address], imm32

        Instead of this:

            mov scratchRegister, imm32
            mov [address], scratchRegister

        For store64(imm, address) where the 64-bit immediate can be passed as
        a sign-extended 32-bit value.

        Reviewed by Benjamin Poulain.

        * assembler/MacroAssemblerX86_64.h:
        (CAN_SIGN_EXTEND_32_64):
        (JSC::MacroAssemblerX86_64::store64):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for xchg_rr when one register is accumulator.
        <https://webkit.org/b/130004>

        Generate the 1-byte version of "xchg eax, reg" when possible.

        Reviewed by Benjamin Poulain.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::xchgl_rr):
        (JSC::X86Assembler::xchgq_rr):

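The seven accumulator-shorthand entries above (testb_i8r, sub_ir, add_ir, xor_ir, or_ir, test_ir, cmp_ir), the xchg_rr entry and the store64(imm, address) entry all come down to picking the shortest of several x86-64 encodings of the same operation. What follows is an added example, not code from WebKit's X86Assembler.h or MacroAssemblerX86_64.h: a small encoder for exactly those forms that returns the bytes, so the saving can be checked by length and the cases a shorthand must not take (a 32-bit xchg eax, eax; byte registers 4-7 without REX; an rsp/r12 base) are visible. The opcode numbers are the architecture's; the Reg enum, the helper names, the use of mod=10 addressing and the choice of r11 as scratch register are this example's own assumptions.

```cpp
#include <cstdint>
#include <vector>

using Bytes = std::vector<uint8_t>;
// Added example, not WebKit code. Low 3 bits of a register go in ModRM; bit 3 goes in
// a REX prefix (REX.R for the reg field, REX.B for the r/m field).
enum Reg : uint8_t { eax, ecx, edx, ebx, esp, ebp, esi, edi, r8, r9, r10, r11, r12, r13, r14, r15 };
// Group-1 ALU ops: /digit for opcodes 81 and 83, plus the accumulator-only opcode (no ModRM).
struct AluOp { uint8_t digit; uint8_t shortOpcode; };
constexpr AluOp kAdd{0, 0x05}, kOr{1, 0x0D}, kSub{5, 0x2D}, kXor{6, 0x35}, kCmp{7, 0x3D};

inline bool canSignExtend8To32(int32_t v) { return v == static_cast<int8_t>(v); }
inline bool canSignExtend32To64(int64_t v) { return v == static_cast<int32_t>(v); }
static void emitRex(Bytes& out, bool wide, Reg regField, Reg rmField)
{
    uint8_t rex = 0x40 | (wide ? 0x08 : 0) | (regField >= 8 ? 0x04 : 0) | (rmField >= 8 ? 0x01 : 0);
    if (rex != 0x40) out.push_back(rex);
}
static void emitImm32(Bytes& out, int32_t imm)
{
    for (int i = 0; i < 4; ++i) out.push_back(static_cast<uint8_t>(imm >> (8 * i)));
}

// add/or/sub/xor/cmp reg, imm (64-bit when wide): 83 /digit ib if the immediate fits a
// sign-extended byte, else the accumulator form (no ModRM byte), else 81 /digit id.
Bytes aluImm(AluOp op, Reg dst, int32_t imm, bool wide)
{
    Bytes out;
    emitRex(out, wide, eax, dst);   // reg field carries /digit, so never REX.R
    uint8_t modrm = static_cast<uint8_t>(0xC0 | (op.digit << 3) | (dst & 7));
    if (canSignExtend8To32(imm)) {
        out.insert(out.end(), {0x83, modrm, static_cast<uint8_t>(imm)});
        return out;
    }
    if (dst == eax) out.push_back(op.shortOpcode);
    else out.insert(out.end(), {0x81, modrm});
    emitImm32(out, imm);
    return out;
}

// test reg, imm32: F7 /0 id, or A9 id for the accumulator. TEST has no imm8 form, so
// the accumulator form is the only saving available.
Bytes testImm32(Reg dst, int32_t imm, bool wide)
{
    Bytes out;
    emitRex(out, wide, eax, dst);
    if (dst == eax) out.push_back(0xA9);
    else out.insert(out.end(), {0xF7, static_cast<uint8_t>(0xC0 | (dst & 7))});
    emitImm32(out, imm);
    return out;
}

// test r8, imm8: F6 /0 ib, or A8 ib for al. Registers 4-7 need an empty REX (0x40) to
// mean spl/bpl/sil/dil rather than ah/ch/dh/bh; r8b-r15b need REX.B.
Bytes testbImm8(Reg dst, uint8_t imm)
{
    Bytes out;
    if (dst >= 4) out.push_back(static_cast<uint8_t>(0x40 | (dst >= 8 ? 0x01 : 0)));
    if (dst == eax) out.push_back(0xA8);
    else out.insert(out.end(), {0xF6, static_cast<uint8_t>(0xC0 | (dst & 7))});
    out.push_back(imm);
    return out;
}

// xchg a, b: 87 /r, or one byte 90+r when one side is the accumulator. Check: a bare
// 0x90 is NOP and leaves the upper half of rax alone, whereas a 32-bit xchg eax, eax
// must zero it, so that one case keeps the 87 /r form.
Bytes xchg(Reg a, Reg b, bool wide)
{
    Bytes out;
    Reg other = (a == eax) ? b : a;
    if ((a == eax || b == eax) && !(other == eax && !wide)) {
        emitRex(out, wide, eax, other);
        out.push_back(static_cast<uint8_t>(0x90 | (other & 7)));
    } else {
        emitRex(out, wide, a, b);
        out.insert(out.end(), {0x87, static_cast<uint8_t>(0xC0 | ((a & 7) << 3) | (b & 7))});
    }
    return out;
}

// mov qword [base + disp32], imm64: one instruction (REX.W C7 /0 id) when the value
// survives a 32->64 sign extension, else movabs into a scratch register (r11 here, an
// assumption) plus a register store. mod=10 (disp32) throughout, so rbp/r13 need no
// special case; rsp/r12 need the SIB byte 0x24.
Bytes store64(int64_t imm, Reg base, int32_t disp)
{
    Bytes out;
    auto memOperand = [&](uint8_t regField) {
        out.push_back(static_cast<uint8_t>(0x80 | (regField << 3) | (base & 7)));
        if ((base & 7) == 4) out.push_back(0x24);
        emitImm32(out, disp);
    };
    if (canSignExtend32To64(imm)) {
        emitRex(out, true, eax, base);
        out.push_back(0xC7);
        memOperand(0);
        emitImm32(out, static_cast<int32_t>(imm));
        return out;
    }
    emitRex(out, true, eax, r11);
    out.push_back(static_cast<uint8_t>(0xB8 | (r11 & 7)));   // movabs r11, imm64
    for (int i = 0; i < 8; ++i) out.push_back(static_cast<uint8_t>(static_cast<uint64_t>(imm) >> (8 * i)));
    emitRex(out, true, r11, base);
    out.push_back(0x89);                                      // mov [base + disp32], r11
    memOperand(r11 & 7);
    return out;
}
```

aluImm(kAdd, eax, 0x1000, false) comes out as 05 00 10 00 00 (5 bytes) where ecx needs 81 C1 00 10 00 00 (6), and store64(0x1234, ebx, 0x10) is 11 bytes against 17 for a value that has to go through movabs. An immediate such as 5 takes the 83 /digit ib form for every register, so the accumulator form only matters once the value no longer fits a sign-extended byte; TEST has no imm8 form, which is why the eax form of test saves a byte for any imm32.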
2014-03-09  Filip Pizlo  <fpizlo@apple.com>

        GPRInfo::toIndex should return InvalidIndex for non-temp registers on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=129998

        Reviewed by Geoffrey Garen.

        Not only is that the established contract, but this is used to signal to
        ScratchRegisterAllocator that the register doesn't need locking since it isn't a register
        that this allocator would use. In the FTL, we may have an inline cache where LLVM had used
        some non-temp register (i.e. a register that JSC itself wouldn't have used). This is totally
        fine but previously it would have led to either an assertion failure, or data corruption, in
        the ScratchRegisterAllocator.

        * jit/GPRInfo.h:
        (JSC::GPRInfo::toIndex):

2014-03-09  Filip Pizlo  <fpizlo@apple.com>

        FTL fails the new equals-masquerader strictEqualConstant test
        https://bugs.webkit.org/show_bug.cgi?id=129996

        Reviewed by Mark Lam.

        It turns out that the FTL was trying to do the masquerading stuff for ===null. But
        that's wrong since none of the other engines do it. The DFG even had an ancient
        FIXME about doing it - but that doesn't make sense since the LLInt and baseline JIT
        don't do it and JSValue::strictEqual() doesn't do it.

        Remove the FIXME and remove the extra checks in the FTL.

        This is a glorious patch: nothing but red and it fixes a test failure.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):

2014-03-09  Andreas Kling  <akling@apple.com>

        Short-circuit JSGlobalObjectInspectorController when not inspecting.
        <https://webkit.org/b/129995>

        Add an early return in reportAPIException() when the console agent
        is disabled. This avoids expensive symbolication during exceptions
        if there's nobody expecting the fancy backtrace anyway.

        ~2% progression on DYEB on my MBP.

        Reviewed by Geoff Garen.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):

2014-03-09  Andreas Kling  <akling@apple.com>

        Inline the trivial parts of GC deferral.
        <https://webkit.org/b/129984>

        Made most of the functions called by the DeferGC RAII object inline
        to avoid function call overhead.

        Looks like ~1% progression on DYEB.

        Reviewed by Geoffrey Garen.

        * heap/Heap.cpp:
        * heap/Heap.h:
        (JSC::Heap::incrementDeferralDepth):
        (JSC::Heap::decrementDeferralDepth):
        (JSC::Heap::collectIfNecessaryOrDefer):
        (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):

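The GC deferral entry above lists the Heap methods the DeferGC RAII object calls but not what the counter buys in correctness: while a guard is held, an allocation that would normally trigger a collection must not run one under code that still holds raw pointers into the heap. As an added example, not WebKit's Heap or DeferGC code, here is a model of those four methods under the names the entry lists: a collection that falls due inside a guarded region is recorded and run only when the outermost guard releases. The 1 KiB threshold, the accounting-only allocate() and the two driver functions are this example's assumptions.

```cpp
#include <cstddef>

// Added example, not WebKit code: a heap with a deferral counter. While the counter is
// non-zero, an allocation that crosses the threshold only records that a collection is owed.
class Heap {
public:
    void allocate(size_t bytes)            // accounting only; no memory is handed out
    {
        m_bytesSinceCollection += bytes;
        collectIfNecessaryOrDefer();
    }
    void collectIfNecessaryOrDefer()
    {
        if (m_bytesSinceCollection < kThreshold) return;
        if (m_deferralDepth) { m_collectionOwed = true; return; }
        collect();
    }
    void incrementDeferralDepth() { ++m_deferralDepth; }
    void decrementDeferralDepth() { --m_deferralDepth; }
    void decrementDeferralDepthAndGCIfNeeded()
    {
        decrementDeferralDepth();
        if (!m_deferralDepth && m_collectionOwed) collect();   // only the outermost guard collects
    }
    unsigned collectionCount() const { return m_collections; }
    unsigned deferralDepth() const { return m_deferralDepth; }
private:
    void collect() { ++m_collections; m_bytesSinceCollection = 0; m_collectionOwed = false; }
    static constexpr size_t kThreshold = 1024;   // assumption for the example
    size_t m_bytesSinceCollection = 0;
    unsigned m_deferralDepth = 0;
    bool m_collectionOwed = false;
    unsigned m_collections = 0;
};

// RAII guard: hold one across any region that keeps raw pointers into the heap, so an
// allocation made inside it cannot run the collector under those pointers.
class DeferGC {
public:
    explicit DeferGC(Heap& heap) : m_heap(heap) { m_heap.incrementDeferralDepth(); }
    ~DeferGC() { m_heap.decrementDeferralDepthAndGCIfNeeded(); }
    DeferGC(const DeferGC&) = delete;
    DeferGC& operator=(const DeferGC&) = delete;
private:
    Heap& m_heap;
};

// Allocates four times the threshold under nested guards and reports how many
// collections ran inside the scope: none, because the release of the outer guard is
// the first point at which one may run (and it runs exactly once there).
unsigned collectionsInsideDeferredScope(Heap& heap)
{
    DeferGC outer(heap);
    {
        DeferGC inner(heap);
        for (int i = 0; i < 8; ++i) heap.allocate(512);
    }
    return heap.collectionCount();
}

// Same allocations with no guard: a collection every time the threshold is crossed.
unsigned collectionsWithoutDeferral(Heap& heap)
{
    for (int i = 0; i < 8; ++i) heap.allocate(512);
    return heap.collectionCount();
}
```

The guard is non-copyable on purpose: a copied guard would decrement the depth twice and could let a collection through while the original holder still relies on it.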
2014-03-08  Mark Lam  <mark.lam@apple.com>

        32-bit x86 handleUncaughtException returns to wrong location after a stack overflow.
        <https://webkit.org/b/129969>

        Reviewed by Geoffrey Garen.

        The 32-bit version of handleUncaughtException was missing the handling of an
        edge case for stack overflows where the current frame may already be the
        sentinel frame.  This edge case was handled in the 64-bit version.  The fix
        is to bring the 32-bit version up to parity.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * llint/LowLevelInterpreter32_64.asm:

2014-03-07  Mark Lam  <mark.lam@apple.com>

        Fix bugs in 32-bit Structure implementation.
        <https://webkit.org/b/129947>

        Reviewed by Mark Hahnenberg.

        Added the loading of the Structure (from the JSCell) before use that was
        missing in a few places.  Also added more test cases to equals-masquerader.js.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * llint/LowLevelInterpreter32_64.asm:
        * tests/stress/equals-masquerader.js:
        (equalsNull):
        (notEqualsNull):
        (strictEqualsNull):
        (strictNotEqualsNull):
        (equalsUndefined):
        (notEqualsUndefined):
        (strictEqualsUndefined):
        (strictNotEqualsUndefined):
        (isFalsey):
        (test):

2014-03-07  Andrew Trick  <atrick@apple.com>

        Temporarily disable repeat-out-of-bounds stress tests pending fix for 129953.
        https://bugs.webkit.org/show_bug.cgi?id=129954

        Reviewed by Filip Pizlo.

        * tests/stress/float32-repeat-out-of-bounds.js:
        * tests/stress/int8-repeat-out-of-bounds.js:

2014-03-07  Michael Saboff  <msaboff@apple.com>

        .cfi directives in LowLevelInterpreter.cpp are providing no benefit
        https://bugs.webkit.org/show_bug.cgi?id=129945

        Reviewed by Mark Lam.

        Removed .cfi directive.  Verified that stack traces didn't regress in crash reporter
        or in lldb.

        * llint/LowLevelInterpreter.cpp:

2014-03-07  Oliver Hunt  <oliver@apple.com>

        Continue hangs when performing for-of over arguments
        https://bugs.webkit.org/show_bug.cgi?id=129915

        Reviewed by Geoffrey Garen.

        Put the continue label in the right place

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEnumeration):

2014-03-07  peavo@outlook.com  <peavo@outlook.com>

        [Win64] Compile error after r165128.
        https://bugs.webkit.org/show_bug.cgi?id=129807

        Reviewed by Mark Lam.

        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
        Check platform environment variable to determine if an assembler file should be generated.

2014-03-07  Michael Saboff  <msaboff@apple.com>

        Clarify how we deal with "special" registers
        https://bugs.webkit.org/show_bug.cgi?id=129806

        Already reviewed change being relanded.

        Reviewed by Michael Saboff.

        Relanding change set r165196 as it wasn't responsible for the breakage reported in
        https://bugs.webkit.org/show_bug.cgi?id=129822.  That appears to be a build or
        configuration issue.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::lastRegister):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::nextRegister):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::restoreInto):
        * ftl/FTLSaveRestore.cpp:
        (JSC::FTL::saveAllRegisters):
        (JSC::FTL::restoreAllRegisters):
        * ftl/FTLSlowPathCall.cpp:
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::reservedHardwareRegisters):
        (JSC::RegisterSet::runtimeRegisters):
        (JSC::RegisterSet::specialRegisters):
        (JSC::RegisterSet::calleeSaveRegisters):
        * jit/RegisterSet.h:

2014-03-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        Move GCActivityCallback to heap
        https://bugs.webkit.org/show_bug.cgi?id=129457

        Reviewed by Geoffrey Garen.

        All the other GC timer related stuff is there already.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/GCActivityCallback.cpp: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.cpp.
        * heap/GCActivityCallback.h: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.h.
        * runtime/GCActivityCallback.cpp: Removed.
        * runtime/GCActivityCallback.h: Removed.

2014-03-07  Andrew Trick  <atrick@apple.com>

        Correct a comment typo from:
        FLT should call fmod directly on platforms where LLVM cannot relocate the libcall
        https://bugs.webkit.org/show_bug.cgi?id=129865

        Reviewed by Mark Lam.

        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleRem):

2014-03-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        Use OwnPtr in StructureIDTable
        https://bugs.webkit.org/show_bug.cgi?id=129828

        Reviewed by Geoffrey Garen.

        This reduces the amount of boilerplate and fixes a memory leak.

        * runtime/StructureIDTable.cpp:
        (JSC::StructureIDTable::StructureIDTable):
        (JSC::StructureIDTable::resize):
        (JSC::StructureIDTable::flushOldTables):
        (JSC::StructureIDTable::allocateID):
        (JSC::StructureIDTable::deallocateID):
        * runtime/StructureIDTable.h:
        (JSC::StructureIDTable::table):
        (JSC::StructureIDTable::get):

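The StructureIDTable entry above says that moving to OwnPtr cut boilerplate and fixed a leak, and lists resize, flushOldTables, allocateID, deallocateID and get. As an added example, not WebKit's StructureIDTable, here is an ID-to-pointer table with those operations whose storage is owned through std::unique_ptr (the standard-library counterpart of OwnPtr), so a grown table cannot leak the array it replaced. The free list, the growth factor, the Structure stand-in and the policy of parking superseded arrays until flushOldTables() is called are this example's assumptions.

```cpp
#include <algorithm>
#include <cstdint>
#include <memory>
#include <vector>

struct Structure { uint32_t tag; };   // stand-in for the real type (assumption)

// Added example, not WebKit code: ID -> pointer table owned through std::unique_ptr.
class StructureIDTable {
public:
    using StructureID = uint32_t;

    StructureID allocateID(Structure* structure)
    {
        StructureID id;
        if (!m_freeList.empty()) {
            id = m_freeList.back();
            m_freeList.pop_back();
        } else {
            if (m_size == m_capacity) resize(m_capacity ? 2 * m_capacity : 4);
            id = static_cast<StructureID>(m_size++);
        }
        m_table[id] = structure;
        return id;
    }
    void deallocateID(StructureID id)
    {
        m_table[id] = nullptr;
        m_freeList.push_back(id);   // the slot is handed out again by a later allocateID()
    }
    // Bounds-checks rather than trusting the ID.
    Structure* get(StructureID id) const { return id < m_size ? m_table[id] : nullptr; }
    // Superseded arrays stay allocated until the caller knows nothing can still be
    // indexing them; then they are released in one step, and nothing is leaked.
    void flushOldTables() { m_oldTables.clear(); }
    size_t oldTableCount() const { return m_oldTables.size(); }
    size_t capacity() const { return m_capacity; }
private:
    void resize(size_t newCapacity)
    {
        std::unique_ptr<Structure*[]> grown(new Structure*[newCapacity]());
        if (m_table) {
            std::copy(m_table.get(), m_table.get() + m_size, grown.get());
            m_oldTables.push_back(std::move(m_table));   // ownership moves; no raw delete needed
        }
        m_table = std::move(grown);
        m_capacity = newCapacity;
    }
    size_t m_capacity = 0;
    size_t m_size = 0;
    std::unique_ptr<Structure*[]> m_table;
    std::vector<std::unique_ptr<Structure*[]>> m_oldTables;
    std::vector<StructureID> m_freeList;
};

// Allocates `count` IDs (forcing at least one resize for count > 4) and confirms every
// ID still resolves to the pointer it was given after the table has grown.
bool idsResolveAfterGrowth(StructureIDTable& table, Structure* structures, size_t count)
{
    std::vector<StructureIDTable::StructureID> ids;
    for (size_t i = 0; i < count; ++i) ids.push_back(table.allocateID(&structures[i]));
    for (size_t i = 0; i < count; ++i)
        if (table.get(ids[i]) != &structures[i]) return false;
    return true;
}
```

Two properties worth checking in any table of this shape: get() rejects an out-of-range ID instead of indexing with it, and deallocateID() recycles the slot, so a caller that keeps an ID past deallocation will see whatever is allocated next; where stale IDs are possible the slot needs a generation counter or must not be reused.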
2014-03-07  Andrew Trick  <atrick@apple.com>

        FLT should call fmod directly on platforms where LLVM cannot relocate the libcall
        https://bugs.webkit.org/show_bug.cgi?id=129865

        Reviewed by Filip Pizlo.

        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleRem):

2014-03-06  Filip Pizlo  <fpizlo@apple.com>

        If the FTL is build-time enabled then it should be run-time enabled.

        Rubber stamped by Geoffrey Garen.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2014-03-06  Joseph Pecoraro  <pecoraro@apple.com>

        [OS X] Web Inspector: Allow Apps using JavaScriptCore to access "com.apple.webinspector" mach port
        https://bugs.webkit.org/show_bug.cgi?id=129852

        Reviewed by Geoffrey Garen.

        * framework.sb: Added.
        Sandbox extension to allow access to "com.apple.webinspector".

        * JavaScriptCore.xcodeproj/project.pbxproj:
        Add a Copy Resources build phase and include framework.sb.

        * Configurations/JavaScriptCore.xcconfig:
        Do not copy framework.sb on iOS.

2014-03-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSGlobalContextRelease incorrectly handles saving/restoring IdentifierTable
        https://bugs.webkit.org/show_bug.cgi?id=129858

        Reviewed by Mark Lam.

        It was correct (but really ugly) prior to the combining of APIEntryShim and JSLock,
        but now it ends up overwriting the IdentifierTable that JSLock just restored.

        * API/JSContextRef.cpp:
        (JSGlobalContextRelease):

2014-03-06  Oliver Hunt  <oliver@apple.com>

        Fix FTL build.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):

2014-03-06  Brent Fulgham  <bfulgham@apple.com>

        Unreviewed build fix after r165128.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: The SEH flag was not getting set when
        performing 'Production' and 'DebugSuffix' type builds.

2014-03-06  Julien Brianceau  <jbriance@cisco.com>

        Unreviewed, fix style in my previous commit.
        https://bugs.webkit.org/show_bug.cgi?id=129833

        * runtime/JSConsole.cpp:

2014-03-06  Julien Brianceau  <jbriance@cisco.com>

        Build fix: add missing include in JSConsole.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=129833

        Reviewed by Oliver Hunt.

        * runtime/JSConsole.cpp:

2014-03-06  Oliver Hunt  <oliver@apple.com>

        Fix ARMv7

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):

2014-03-06  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r165196.
        http://trac.webkit.org/changeset/165196
        https://bugs.webkit.org/show_bug.cgi?id=129822

        broke arm64 on hardware (Requested by bfulgham on #webkit).

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::lastRegister):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::isStackRelated):
        (JSC::MacroAssembler::firstRealRegister):
        (JSC::MacroAssembler::nextRegister):
        (JSC::MacroAssembler::secondRealRegister):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::restoreInto):
        * ftl/FTLSaveRestore.cpp:
        (JSC::FTL::saveAllRegisters):
        (JSC::FTL::restoreAllRegisters):
        * ftl/FTLSlowPathCall.cpp:
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::specialRegisters):
        (JSC::RegisterSet::calleeSaveRegisters):
        * jit/RegisterSet.h:

2014-03-06  Mark Lam  <mark.lam@apple.com>

        REGRESSION(r165205): broke the CLOOP build (Requested by smfr on #webkit).
        <https://webkit.org/b/129813>

        Reviewed by Michael Saboff.

        Fixed broken C loop LLINT build.

        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
        * offlineasm/cloop.rb:

2014-03-03  Oliver Hunt  <oliver@apple.com>

        Support caching of custom setters
        https://bugs.webkit.org/show_bug.cgi?id=129519

        Reviewed by Filip Pizlo.

        This patch adds caching of assignment to properties that
        are backed by C functions. This provides most of the leg
        work required to start supporting setters, and resolves
        the remaining regressions from moving DOM properties up
        the prototype chain.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PolymorphicPutByIdList.cpp:
        (JSC::PutByIdAccess::visitWeak):
        (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
        (JSC::PolymorphicPutByIdList::from):
        * bytecode/PolymorphicPutByIdList.h:
        (JSC::PutByIdAccess::transition):
        (JSC::PutByIdAccess::replace):
        (JSC::PutByIdAccess::customSetter):
        (JSC::PutByIdAccess::isCustom):
        (JSC::PutByIdAccess::oldStructure):
        (JSC::PutByIdAccess::chain):
        (JSC::PutByIdAccess::stubRoutine):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeForStubInfo):
        (JSC::PutByIdStatus::computeFor):
        (JSC::PutByIdStatus::dump):
        * bytecode/PutByIdStatus.h:
        (JSC::PutByIdStatus::PutByIdStatus):
        (JSC::PutByIdStatus::takesSlowPath):
        (JSC::PutByIdStatus::makesCalls):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::emitPutById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::emitCustomSetterStub):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        * jit/SpillRegistersMode.h: Added.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Lookup.h:
        (JSC::putEntry):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::setCacheableCustomProperty):
        (JSC::PutPropertySlot::customSetter):
        (JSC::PutPropertySlot::isCacheablePut):
        (JSC::PutPropertySlot::isCacheableCustomProperty):
        (JSC::PutPropertySlot::cachedOffset):

2014-03-06  Filip Pizlo  <fpizlo@apple.com>

        FTL arity fixup should work on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=129810

        Reviewed by Michael Saboff.

        - Using regT5 to pass the thunk return address to arityFixup is shady since that's a
          callee-save.

        - The FTL path was assuming X86 conventions for where SP points at the top of the prologue.

        This makes some more tests pass.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::prologueStackPointerDelta):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/ThunkGenerators.cpp:
        (JSC::arityFixup):
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/arm64.rb:
        * offlineasm/x86.rb: In addition to the t7 change, make t6 agree with GPRInfo.h.

2014-03-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix write barriers in Repatch.cpp for !ENABLE(DFG_JIT) platforms after r165128
        https://bugs.webkit.org/show_bug.cgi?id=129760

        Reviewed by Geoffrey Garen.

        r165128 disabled the write barrier fast path for inline caches on !ENABLE(DFG_JIT) platforms.
        The fix is to refactor the write barrier code into AssemblyHelpers and use that everywhere.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::checkMarkByte):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        * jit/Repatch.cpp:
        (JSC::writeBarrier):

2014-03-06  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Expose the console object in JSContexts to interact with Web Inspector
        https://bugs.webkit.org/show_bug.cgi?id=127944

        Reviewed by Geoffrey Garen.

        Always expose the Console object in JSContexts, just like we
        do for web pages. The default behavior will route to an
        attached JSContext inspector. This can be overridden by
        setting the ConsoleClient on the JSGlobalObject, which WebCore
        does to get slightly different behavior.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        Update build systems.

        * API/tests/testapi.js:
        * API/tests/testapi.mm:
        Test that "console" exists in C and ObjC contexts.

        * runtime/ConsoleClient.cpp: Added.
        (JSC::ConsoleClient::printURLAndPosition):
        (JSC::ConsoleClient::printMessagePrefix):
        (JSC::ConsoleClient::printConsoleMessage):
        (JSC::ConsoleClient::printConsoleMessageWithArguments):
        (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
        (JSC::ConsoleClient::logWithLevel):
        (JSC::ConsoleClient::clear):
        (JSC::ConsoleClient::dir):
        (JSC::ConsoleClient::dirXML):
        (JSC::ConsoleClient::table):
        (JSC::ConsoleClient::trace):
        (JSC::ConsoleClient::assertCondition):
        (JSC::ConsoleClient::group):
        (JSC::ConsoleClient::groupCollapsed):
        (JSC::ConsoleClient::groupEnd):
        * runtime/ConsoleClient.h: Added.
        (JSC::ConsoleClient::~ConsoleClient):
        New private interface for handling the console object's methods.
        A lot of the methods funnel through messageWithTypeAndLevel.

        * runtime/ConsoleTypes.h: Renamed from Source/JavaScriptCore/inspector/ConsoleTypes.h.
        Moved to JSC namespace.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        Create the "console" object when initializing the environment.
        Also set the default console client to be the JS context inspector.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::setConsoleClient):
        (JSC::JSGlobalObject::consoleClient):
        Ability to change the console client, so WebCore can set a custom client.

        * runtime/ConsolePrototype.cpp: Added.
        (JSC::ConsolePrototype::finishCreation):
        (JSC::valueToStringWithUndefinedOrNullCheck):
        (JSC::consoleLogWithLevel):
        (JSC::consoleProtoFuncDebug):
        (JSC::consoleProtoFuncError):
        (JSC::consoleProtoFuncLog):
        (JSC::consoleProtoFuncWarn):
        (JSC::consoleProtoFuncClear):
        (JSC::consoleProtoFuncDir):
        (JSC::consoleProtoFuncDirXML):
        (JSC::consoleProtoFuncTable):
        (JSC::consoleProtoFuncTrace):
        (JSC::consoleProtoFuncAssert):
        (JSC::consoleProtoFuncCount):
        (JSC::consoleProtoFuncProfile):
        (JSC::consoleProtoFuncProfileEnd):
        (JSC::consoleProtoFuncTime):
        (JSC::consoleProtoFuncTimeEnd):
        (JSC::consoleProtoFuncTimeStamp):
        (JSC::consoleProtoFuncGroup):
        (JSC::consoleProtoFuncGroupCollapsed):
        (JSC::consoleProtoFuncGroupEnd):
        * runtime/ConsolePrototype.h: Added.
        (JSC::ConsolePrototype::create):
        (JSC::ConsolePrototype::createStructure):
        (JSC::ConsolePrototype::ConsolePrototype):
        Define the console object interface. Parse out required / expected
        arguments and throw exceptions when methods are misused.

        * runtime/JSConsole.cpp: Added.
        * runtime/JSConsole.h: Added.
        (JSC::JSConsole::createStructure):
        (JSC::JSConsole::create):
        (JSC::JSConsole::JSConsole):
        Empty "console" object. Everything is in the prototype.

        * inspector/JSConsoleClient.cpp: Added.
        (Inspector::JSConsoleClient::JSGlobalObjectConsole):
        (Inspector::JSConsoleClient::count):
        (Inspector::JSConsoleClient::profile):
        (Inspector::JSConsoleClient::profileEnd):
        (Inspector::JSConsoleClient::time):
        (Inspector::JSConsoleClient::timeEnd):
        (Inspector::JSConsoleClient::timeStamp):
        (Inspector::JSConsoleClient::warnUnimplemented):
        (Inspector::JSConsoleClient::internalAddMessage):
        * inspector/JSConsoleClient.h: Added.
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::consoleClient):
        * inspector/JSGlobalObjectInspectorController.h:
        Default JSContext ConsoleClient implementation. Handle nearly
        everything except profile/profileEnd and timeStamp.

2014-03-06  Andreas Kling  <akling@apple.com>

        Drop unlinked function code on memory pressure.
        <https://webkit.org/b/129789>

        Make VM::discardAllCode() also drop UnlinkedFunctionCodeBlocks that
        are not currently being compiled.

        4.5 MB progression on Membuster.

        Reviewed by Geoffrey Garen.

        * heap/Heap.cpp:
        (JSC::Heap::deleteAllUnlinkedFunctionCode):
        * heap/Heap.h:
        * runtime/VM.cpp:
        (JSC::VM::discardAllCode):

2014-03-06  Filip Pizlo  <fpizlo@apple.com>

        Clarify how we deal with "special" registers
        https://bugs.webkit.org/show_bug.cgi?id=129806

        Reviewed by Michael Saboff.

        Previously we had two different places that defined what "stack" registers are, a thing
        called "specialRegisters" that had unclear meaning, and a really weird "firstRealRegister"/
        "secondRealRegister"/"nextRegister" idiom in MacroAssembler that appeared to only be used by
        one place and had a baked-in notion of what it meant for a register to be "real" or not.

        It's not cool to use words like "real" and "special" to describe registers, especially if you
        fail to qualify what that means. This originally made sense on X86 - "real" registers were
        the ones that weren't "stack related" (so "real" was the opposite of "stack"). But on ARM64,
        you also have to worry about the LR register, which we'd want to say is "not real" but it's
        also not a "stack" register. This got super confusing.

        So, this patch removes any mention of "real" registers, consolidates the knowledge of what is
        a "stack" register, and uses the word special only in places where it's clearly defined and
        where no better word comes to mind.

        This cleans up the code and fixes what seems like it was probably a harmless ARM64 bug: the
        Reg and RegisterSet data structures would sometimes think that FP was Q0. Somehow this
        magically didn't break anything because you never need to save/restore either FP or Q0, but
        it was still super weird.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::lastRegister):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::nextRegister):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::restoreInto):
        * ftl/FTLSaveRestore.cpp:
        (JSC::FTL::saveAllRegisters):
        (JSC::FTL::restoreAllRegisters):
        * ftl/FTLSlowPathCall.cpp:
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::reservedHardwareRegisters):
        (JSC::RegisterSet::runtimeRegisters):
        (JSC::RegisterSet::specialRegisters):
        (JSC::RegisterSet::calleeSaveRegisters):
        * jit/RegisterSet.h:

2014-03-06  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix build.

        * disassembler/ARM64Disassembler.cpp:

2014-03-06  Filip Pizlo  <fpizlo@apple.com>

        Use the LLVM disassembler on ARM64 if we are enabling the FTL
        https://bugs.webkit.org/show_bug.cgi?id=129785

        Reviewed by Geoffrey Garen.

845         Reviewed by Geoffrey Garen.
846         
847         Our disassembler can't handle some of the code sequences that LLVM emits. LLVM's disassembler
848         is strictly more capable at this point. Use it if it's available.
849
850         * disassembler/ARM64Disassembler.cpp:
851         (JSC::tryToDisassemble):
852
853 2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>
854
855         Web Inspector: Reduce RWI message frequency
856         https://bugs.webkit.org/show_bug.cgi?id=129767
857
858         Reviewed by Timothy Hatcher.
859
860         This used to be 0.2s and changed by accident to 0.02s.
861
862         * inspector/remote/RemoteInspector.mm:
863         (Inspector::RemoteInspector::pushListingSoon):
864
865 2014-03-05  Commit Queue  <commit-queue@webkit.org>
866
867         Unreviewed, rolling out r165141, r165157, and r165158.
868         http://trac.webkit.org/changeset/165141
869         http://trac.webkit.org/changeset/165157
870         http://trac.webkit.org/changeset/165158
871         https://bugs.webkit.org/show_bug.cgi?id=129772
872
873         "broke ftl" (Requested by olliej_ on #webkit).
874
875         * JavaScriptCore.xcodeproj/project.pbxproj:
876         * bytecode/PolymorphicPutByIdList.cpp:
877         (JSC::PutByIdAccess::visitWeak):
878         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
879         (JSC::PolymorphicPutByIdList::from):
880         * bytecode/PolymorphicPutByIdList.h:
881         (JSC::PutByIdAccess::transition):
882         (JSC::PutByIdAccess::replace):
883         (JSC::PutByIdAccess::oldStructure):
884         (JSC::PutByIdAccess::chain):
885         (JSC::PutByIdAccess::stubRoutine):
886         * bytecode/PutByIdStatus.cpp:
887         (JSC::PutByIdStatus::computeForStubInfo):
888         (JSC::PutByIdStatus::computeFor):
889         (JSC::PutByIdStatus::dump):
890         * bytecode/PutByIdStatus.h:
891         (JSC::PutByIdStatus::PutByIdStatus):
892         (JSC::PutByIdStatus::takesSlowPath):
893         * bytecode/StructureStubInfo.h:
894         * dfg/DFGAbstractInterpreterInlines.h:
895         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
896         * dfg/DFGByteCodeParser.cpp:
897         (JSC::DFG::ByteCodeParser::emitPutById):
898         (JSC::DFG::ByteCodeParser::handlePutById):
899         * dfg/DFGClobberize.h:
900         (JSC::DFG::clobberize):
901         * dfg/DFGCommon.h:
902         * dfg/DFGConstantFoldingPhase.cpp:
903         (JSC::DFG::ConstantFoldingPhase::foldConstants):
904         * dfg/DFGFixupPhase.cpp:
905         (JSC::DFG::FixupPhase::fixupNode):
906         * dfg/DFGNode.h:
907         (JSC::DFG::Node::hasIdentifier):
908         * dfg/DFGNodeType.h:
909         * dfg/DFGPredictionPropagationPhase.cpp:
910         (JSC::DFG::PredictionPropagationPhase::propagate):
911         * dfg/DFGSafeToExecute.h:
912         (JSC::DFG::safeToExecute):
913         * dfg/DFGSpeculativeJIT.cpp:
914         (JSC::DFG::SpeculativeJIT::compileIn):
915         * dfg/DFGSpeculativeJIT.h:
916         * dfg/DFGSpeculativeJIT32_64.cpp:
917         (JSC::DFG::SpeculativeJIT::cachedGetById):
918         (JSC::DFG::SpeculativeJIT::cachedPutById):
919         (JSC::DFG::SpeculativeJIT::compile):
920         * dfg/DFGSpeculativeJIT64.cpp:
921         (JSC::DFG::SpeculativeJIT::cachedGetById):
922         (JSC::DFG::SpeculativeJIT::cachedPutById):
923         (JSC::DFG::SpeculativeJIT::compile):
924         * ftl/FTLCompile.cpp:
925         (JSC::FTL::fixFunctionBasedOnStackMaps):
926         * jit/CCallHelpers.h:
927         (JSC::CCallHelpers::setupArgumentsWithExecState):
928         * jit/JITInlineCacheGenerator.cpp:
929         (JSC::JITByIdGenerator::JITByIdGenerator):
930         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
931         * jit/JITInlineCacheGenerator.h:
932         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
933         * jit/JITOperations.cpp:
934         * jit/JITOperations.h:
935         * jit/JITPropertyAccess.cpp:
936         (JSC::JIT::emit_op_get_by_id):
937         (JSC::JIT::emit_op_put_by_id):
938         * jit/JITPropertyAccess32_64.cpp:
939         (JSC::JIT::emit_op_get_by_id):
940         (JSC::JIT::emit_op_put_by_id):
941         * jit/Repatch.cpp:
942         (JSC::tryCacheGetByID):
943         (JSC::tryBuildGetByIDList):
944         (JSC::tryCachePutByID):
945         (JSC::tryBuildPutByIdList):
946         * jit/SpillRegistersMode.h: Removed.
947         * llint/LLIntSlowPaths.cpp:
948         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
949         * runtime/Lookup.h:
950         (JSC::putEntry):
951         * runtime/PutPropertySlot.h:
952         (JSC::PutPropertySlot::isCacheable):
953         (JSC::PutPropertySlot::cachedOffset):
954
955 2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>
956
957         Web Inspector: Prevent possible deadlock in view indication
958         https://bugs.webkit.org/show_bug.cgi?id=129766
959
960         Reviewed by Geoffrey Garen.
961
962         * inspector/remote/RemoteInspector.mm:
963         (Inspector::RemoteInspector::receivedIndicateMessage):
964
965 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
966
967         JSObject::fastGetOwnPropertySlot does a slow check for OverridesGetOwnPropertySlot
968         https://bugs.webkit.org/show_bug.cgi?id=129754
969
970         Reviewed by Geoffrey Garen.
971
972         InlineTypeFlags are stored in JSCell, so we can just load those instead of going through the TypeInfo.
973
974         * runtime/JSCell.h:
975         (JSC::JSCell::inlineTypeFlags):
976         * runtime/JSObject.h:
977         (JSC::JSObject::fastGetOwnPropertySlot):
978         * runtime/JSTypeInfo.h:
979         (JSC::TypeInfo::TypeInfo):
980         (JSC::TypeInfo::overridesGetOwnPropertySlot):
981
982 2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>
983
984         Web Inspector: ASSERTION FAILED: m_javaScriptBreakpoints.isEmpty()
985         https://bugs.webkit.org/show_bug.cgi?id=129763
986
987         Reviewed by Geoffrey Garen.
988
989         Clear the list of all breakpoints, including unresolved breakpoints.
990
991         * inspector/agents/InspectorDebuggerAgent.cpp:
992         (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
993
994 2014-03-05  Mark Lam  <mark.lam@apple.com>
995
996         llint_slow_path_check_has_instance() should not adjust PC before accessing operands.
997         <https://webkit.org/b/129768>
998
999         Reviewed by Mark Hahnenberg.
1000
1001         When evaluating "a instanceof b" where b is an object that ImplementsHasInstance
1002         and OverridesHasInstance (e.g. a bound function), the LLINT will take the slow
1003         path llint_slow_path_check_has_instance(), and execute a code path that does the
1004         following:
1005         1. Adjusts the byte code PC to the jump target PC.
1006         2. For the purpose of storing the result, get the result registerIndex from the
1007            1st operand using the PC as if the PC is still pointing to op_check_has_instance
1008            bytecode.
1009
1010         The result is that whatever value resides after where the jump target PC is will
1011         be used as a result register value.  Depending on what that value is, the result
1012         can be:
1013         1. the code coincidentally works correctly
1014         2. memory corruption
1015         3. crashes
1016
1017         The fix is to only adjust the byte code PC after we have stored the result.
1018         
1019         * llint/LLIntSlowPaths.cpp:
1020         (llint_slow_path_check_has_instance):
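
The ordering problem described in the entry above, as an added illustration that is not JSC's code: a toy instruction stream stands in for op_check_has_instance and the instruction at its jump target, and the operand layout, opcode values and function names are constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added example, not JSC's code. Toy layout, constructed for this example:
// [opcode, dst, value, proto, targetOffset], with the jump target's own
// operands following it in the same array.
enum Opcode : int32_t { OpCheckHasInstance = 1, OpOther = 2 };

struct SlowPathResult {
    size_t dstRegister; // where the result is meant to be stored
    size_t newPc;       // where execution continues
};

// Fixed ordering from the ChangeLog: read the dst operand while pc still
// points at op_check_has_instance, and only then move pc to the jump target.
SlowPathResult slowPathFixed(const std::vector<int32_t>& code, size_t pc)
{
    size_t dst = static_cast<size_t>(code[pc + 1]);
    size_t target = pc + static_cast<size_t>(code[pc + 4]);
    return { dst, target };
}

// Buggy ordering: pc is moved first, so code[pc + 1] now reads whatever
// happens to sit one slot past the jump target instead of the dst operand.
SlowPathResult slowPathBuggy(const std::vector<int32_t>& code, size_t pc)
{
    pc += static_cast<size_t>(code[pc + 4]);
    size_t dst = static_cast<size_t>(code[pc + 1]);
    return { dst, pc };
}

// Store the result through a bounds-checked register file. The real slow path
// has no such check, which is how a wrong index becomes memory corruption or
// a crash; here the bad index is just reported.
bool storeResult(std::vector<int32_t>& registers, const SlowPathResult& r, int32_t value)
{
    if (r.dstRegister >= registers.size())
        return false;
    registers[r.dstRegister] = value;
    return true;
}

// Constructed sample program: op_check_has_instance at pc 0 writes register 3
// and jumps 5 slots ahead; the instruction there has 99 as its first operand,
// which is not a valid register index for an 8-entry register file.
std::vector<int32_t> sampleCode()
{
    return { OpCheckHasInstance, 3, 1, 2, 5, OpOther, 99, 0, 0, 0 };
}
```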
1021
1022 2014-03-05  Ryosuke Niwa  <rniwa@webkit.org>
1023
1024         Another build fix attempt after r165141.
1025
1026         * ftl/FTLCompile.cpp:
1027         (JSC::FTL::fixFunctionBasedOnStackMaps):
1028
1029 2014-03-05  Ryosuke Niwa  <rniwa@webkit.org>
1030
1031         FTL build fix attempt after r165141.
1032
1033         * ftl/FTLCompile.cpp:
1034         (JSC::FTL::fixFunctionBasedOnStackMaps):
1035
1036 2014-03-05  Gavin Barraclough  <barraclough@apple.com>
1037
1038         https://bugs.webkit.org/show_bug.cgi?id=128625
1039         Add fast mapping from StringImpl to JSString
1040
1041         Unreviewed roll-out.
1042
1043         Reverting r164347, r165054, r165066 - not clear the performance tradeoff was right.
1044
1045         * runtime/JSString.cpp:
1046         * runtime/JSString.h:
1047         * runtime/VM.cpp:
1048         (JSC::VM::createLeaked):
1049         * runtime/VM.h:
1050
1051 2014-03-03  Oliver Hunt  <oliver@apple.com>
1052
1053         Support caching of custom setters
1054         https://bugs.webkit.org/show_bug.cgi?id=129519
1055
1056         Reviewed by Filip Pizlo.
1057
1058         This patch adds caching of assignment to properties that
1059         are backed by C functions. This provides most of the leg
1060         work required to start supporting setters, and resolves
1061         the remaining regressions from moving DOM properties up
1062         the prototype chain.
1063
1064         * JavaScriptCore.xcodeproj/project.pbxproj:
1065         * bytecode/PolymorphicPutByIdList.cpp:
1066         (JSC::PutByIdAccess::visitWeak):
1067         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
1068         (JSC::PolymorphicPutByIdList::from):
1069         * bytecode/PolymorphicPutByIdList.h:
1070         (JSC::PutByIdAccess::transition):
1071         (JSC::PutByIdAccess::replace):
1072         (JSC::PutByIdAccess::customSetter):
1073         (JSC::PutByIdAccess::isCustom):
1074         (JSC::PutByIdAccess::oldStructure):
1075         (JSC::PutByIdAccess::chain):
1076         (JSC::PutByIdAccess::stubRoutine):
1077         * bytecode/PutByIdStatus.cpp:
1078         (JSC::PutByIdStatus::computeForStubInfo):
1079         (JSC::PutByIdStatus::computeFor):
1080         (JSC::PutByIdStatus::dump):
1081         * bytecode/PutByIdStatus.h:
1082         (JSC::PutByIdStatus::PutByIdStatus):
1083         (JSC::PutByIdStatus::takesSlowPath):
1084         (JSC::PutByIdStatus::makesCalls):
1085         * bytecode/StructureStubInfo.h:
1086         * dfg/DFGAbstractInterpreterInlines.h:
1087         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1088         * dfg/DFGByteCodeParser.cpp:
1089         (JSC::DFG::ByteCodeParser::emitPutById):
1090         (JSC::DFG::ByteCodeParser::handlePutById):
1091         * dfg/DFGClobberize.h:
1092         (JSC::DFG::clobberize):
1093         * dfg/DFGCommon.h:
1094         * dfg/DFGConstantFoldingPhase.cpp:
1095         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1096         * dfg/DFGFixupPhase.cpp:
1097         (JSC::DFG::FixupPhase::fixupNode):
1098         * dfg/DFGNode.h:
1099         (JSC::DFG::Node::hasIdentifier):
1100         * dfg/DFGNodeType.h:
1101         * dfg/DFGPredictionPropagationPhase.cpp:
1102         (JSC::DFG::PredictionPropagationPhase::propagate):
1103         * dfg/DFGSafeToExecute.h:
1104         (JSC::DFG::safeToExecute):
1105         * dfg/DFGSpeculativeJIT.cpp:
1106         (JSC::DFG::SpeculativeJIT::compileIn):
1107         * dfg/DFGSpeculativeJIT.h:
1108         * dfg/DFGSpeculativeJIT32_64.cpp:
1109         (JSC::DFG::SpeculativeJIT::cachedGetById):
1110         (JSC::DFG::SpeculativeJIT::cachedPutById):
1111         (JSC::DFG::SpeculativeJIT::compile):
1112         * dfg/DFGSpeculativeJIT64.cpp:
1113         (JSC::DFG::SpeculativeJIT::cachedGetById):
1114         (JSC::DFG::SpeculativeJIT::cachedPutById):
1115         (JSC::DFG::SpeculativeJIT::compile):
1116         * jit/CCallHelpers.h:
1117         (JSC::CCallHelpers::setupArgumentsWithExecState):
1118         * jit/JITInlineCacheGenerator.cpp:
1119         (JSC::JITByIdGenerator::JITByIdGenerator):
1120         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1121         * jit/JITInlineCacheGenerator.h:
1122         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1123         * jit/JITOperations.cpp:
1124         * jit/JITOperations.h:
1125         * jit/JITPropertyAccess.cpp:
1126         (JSC::JIT::emit_op_get_by_id):
1127         (JSC::JIT::emit_op_put_by_id):
1128         * jit/JITPropertyAccess32_64.cpp:
1129         (JSC::JIT::emit_op_get_by_id):
1130         (JSC::JIT::emit_op_put_by_id):
1131         * jit/Repatch.cpp:
1132         (JSC::tryCacheGetByID):
1133         (JSC::tryBuildGetByIDList):
1134         (JSC::emitCustomSetterStub):
1135         (JSC::tryCachePutByID):
1136         (JSC::tryBuildPutByIdList):
1137         * jit/SpillRegistersMode.h: Added.
1138         * llint/LLIntSlowPaths.cpp:
1139         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1140         * runtime/Lookup.h:
1141         (JSC::putEntry):
1142         * runtime/PutPropertySlot.h:
1143         (JSC::PutPropertySlot::setCacheableCustomProperty):
1144         (JSC::PutPropertySlot::customSetter):
1145         (JSC::PutPropertySlot::isCacheablePut):
1146         (JSC::PutPropertySlot::isCacheableCustomProperty):
1147         (JSC::PutPropertySlot::cachedOffset):
1148
1149 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
1150
1151         JSCell::m_gcData should encode its information differently
1152         https://bugs.webkit.org/show_bug.cgi?id=129741
1153
1154         Reviewed by Geoffrey Garen.
1155
1156         We want to keep track of three GC states for an object:
1157
1158         1. Not marked (which implies not in the remembered set)
1159         2. Marked but not in the remembered set
1160         3. Marked and in the remembered set
1161         
1162         Currently we only indicate marked vs. not marked in JSCell::m_gcData. During a write 
1163         barrier, we only want to take the slow path if the object being stored to is in state #2. 
1164         We'd like to make the test for state #2 as fast as possible, which means making it a 
1165         compare against 0.
1166
1167         * dfg/DFGOSRExitCompilerCommon.cpp:
1168         (JSC::DFG::osrWriteBarrier):
1169         * dfg/DFGSpeculativeJIT.cpp:
1170         (JSC::DFG::SpeculativeJIT::checkMarkByte):
1171         (JSC::DFG::SpeculativeJIT::writeBarrier):
1172         * dfg/DFGSpeculativeJIT.h:
1173         * dfg/DFGSpeculativeJIT32_64.cpp:
1174         (JSC::DFG::SpeculativeJIT::writeBarrier):
1175         * dfg/DFGSpeculativeJIT64.cpp:
1176         (JSC::DFG::SpeculativeJIT::writeBarrier):
1177         * ftl/FTLLowerDFGToLLVM.cpp:
1178         (JSC::FTL::LowerDFGToLLVM::allocateCell):
1179         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
1180         * heap/Heap.cpp:
1181         (JSC::Heap::clearRememberedSet):
1182         (JSC::Heap::addToRememberedSet):
1183         * jit/AssemblyHelpers.h:
1184         (JSC::AssemblyHelpers::checkMarkByte):
1185         * jit/JIT.h:
1186         * jit/JITPropertyAccess.cpp:
1187         (JSC::JIT::checkMarkByte):
1188         (JSC::JIT::emitWriteBarrier):
1189         * jit/Repatch.cpp:
1190         (JSC::writeBarrier):
1191         * llint/LowLevelInterpreter.asm:
1192         * llint/LowLevelInterpreter32_64.asm:
1193         * llint/LowLevelInterpreter64.asm:
1194         * runtime/JSCell.h:
1195         (JSC::JSCell::mark):
1196         (JSC::JSCell::remember):
1197         (JSC::JSCell::forget):
1198         (JSC::JSCell::isMarked):
1199         (JSC::JSCell::isRemembered):
1200         * runtime/JSCellInlines.h:
1201         (JSC::JSCell::JSCell):
1202         * runtime/StructureIDBlob.h:
1203         (JSC::StructureIDBlob::StructureIDBlob):
1204
1205 2014-03-05  Filip Pizlo  <fpizlo@apple.com>
1206
1207         More FTL ARM fixes
1208         https://bugs.webkit.org/show_bug.cgi?id=129755
1209
1210         Reviewed by Geoffrey Garen.
1211         
1212         - Be more defensive about inline caches that have degenerate chains.
1213         
1214         - Temporarily switch to allocating all MCJIT memory in the executable pool on non-x86
1215           platforms. The bug tracking the real fix is: https://bugs.webkit.org/show_bug.cgi?id=129756
1216         
1217         - Don't even emit intrinsic declarations on non-x86 platforms.
1218         
1219         - More debug printing support.
1220         
1221         - Don't use vmCall() in the prologue. This should have crashed on all platforms all the time
1222           but somehow it gets lucky on x86.
1223
1224         * bytecode/GetByIdStatus.cpp:
1225         (JSC::GetByIdStatus::appendVariant):
1226         (JSC::GetByIdStatus::computeForChain):
1227         (JSC::GetByIdStatus::computeForStubInfo):
1228         * bytecode/GetByIdStatus.h:
1229         * bytecode/PutByIdStatus.cpp:
1230         (JSC::PutByIdStatus::appendVariant):
1231         (JSC::PutByIdStatus::computeForStubInfo):
1232         * bytecode/PutByIdStatus.h:
1233         * bytecode/StructureSet.h:
1234         (JSC::StructureSet::overlaps):
1235         * ftl/FTLCompile.cpp:
1236         (JSC::FTL::mmAllocateDataSection):
1237         * ftl/FTLDataSection.cpp:
1238         (JSC::FTL::DataSection::DataSection):
1239         (JSC::FTL::DataSection::~DataSection):
1240         * ftl/FTLDataSection.h:
1241         * ftl/FTLLowerDFGToLLVM.cpp:
1242         (JSC::FTL::LowerDFGToLLVM::lower):
1243         * ftl/FTLOutput.h:
1244         (JSC::FTL::Output::doubleSin):
1245         (JSC::FTL::Output::doubleCos):
1246         * runtime/JSCJSValue.cpp:
1247         (JSC::JSValue::dumpInContext):
1248         * runtime/JSCell.h:
1249         (JSC::JSCell::structureID):
1250
1251 2014-03-05  peavo@outlook.com  <peavo@outlook.com>
1252
1253         [Win32][LLINT] Crash when running JSC stress tests.
1254         https://bugs.webkit.org/show_bug.cgi?id=129429
1255
1256         On Windows the reserved stack space consists of committed memory, a guard page, and uncommitted memory,
1257         where the guard page is a barrier between committed and uncommitted memory.
1258         When data from the guard page is read or written, the guard page is moved, and memory is committed.
1259         This is how the system grows the stack.
1260         When using the C stack on Windows we need to precommit the needed stack space.
1261         Otherwise we might crash later if we access uncommitted stack memory.
1262         This can happen if we allocate stack space larger than the page guard size (4K).
1263         The system does not get the chance to move the guard page, and commit more memory,
1264         and we crash if uncommitted memory is accessed.
1265         The MSVC compiler fixes this by inserting a call to the _chkstk() function,
1266         when needed, see http://support.microsoft.com/kb/100775.
1267
1268         Reviewed by Geoffrey Garen.
1269
1270         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Enable LLINT.
1271         * jit/Repatch.cpp:
1272         (JSC::writeBarrier): Compile fix when DFG_JIT is not enabled.
1273         * offlineasm/x86.rb: Compile fix, and small simplification.
1274         * runtime/VM.cpp:
1275         (JSC::preCommitStackMemory): Added function to precommit stack memory.
1276         (JSC::VM::updateStackLimit): Call function to precommit stack memory when stack limit is updated.
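
The page-by-page precommit the entry above describes, as an added example that is not JSC's code: it touches one byte per page walking downward so the guard page is moved in order. The 4K page size comes from the entry; kPageSize, the function names and the use of a local array as a stand-in for the stack region are this example's own.

```cpp
#include <cstddef>

// Added example, not JSC's code. The ChangeLog gives the guard page size as
// 4K; kPageSize and the function names below are this example's own.
static const size_t kPageSize = 4096;

// Touch one byte in every page of a region that is about to be used as stack,
// starting at the top (the end nearest the current stack pointer) and walking
// down. Order matters: each touch lands on the current guard page, which the
// system then moves one page lower and commits. Writing straight to a deep
// address would skip over the guard page into uncommitted memory and crash,
// which is what the compiler-inserted _chkstk call prevents for ordinary
// frames. Returns the number of pages touched.
static size_t touchPagesDownward(volatile char* region, size_t bytes)
{
    size_t pagesTouched = 0;
    size_t offset = bytes; // one past the top of the region
    while (offset > 0) {
        offset = offset > kPageSize ? offset - kPageSize : 0;
        char c = region[offset]; // a read of the guard page moves it; the
        region[offset] = c;      // write-back keeps the access from being dropped
        ++pagesTouched;
    }
    return pagesTouched;
}

// Demonstration on a local array standing in for the not-yet-used stack area
// below the current frame. Keeping the pointer arithmetic inside the array
// makes the walk well-defined on any platform, not only Windows.
size_t preCommitStackMemory(size_t bytes)
{
    static const size_t kMaxDemoBytes = 64 * 1024;
    if (bytes > kMaxDemoBytes)
        bytes = kMaxDemoBytes;
    volatile char region[kMaxDemoBytes];
    return touchPagesDownward(region, bytes);
}
```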
1277
1278 2014-03-05  Michael Saboff  <msaboff@apple.com>
1279
1280         JSDataViewPrototype::getData() and setData() crash on platforms that don't allow unaligned accesses
1281         https://bugs.webkit.org/show_bug.cgi?id=129746
1282
1283         Reviewed by Filip Pizlo.
1284
1285         Changed to use a union to manually assemble or disassemble the various types
1286         from / to the corresponding bytes.  All memory access is now done using
1287         byte accesses.
1288
1289         * runtime/JSDataViewPrototype.cpp:
1290         (JSC::getData):
1291         (JSC::setData):
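
The byte-at-a-time assembly the entry above describes, as an added example that is not JSC's code: getData and setData here read and write a DataView-style buffer in either byte order using only single-byte accesses, so a misaligned offset never produces a misaligned multi-byte load or store. JSC's fix goes through a union; this example uses memcpy on a byte array, the portable equivalent, and all names are this example's own.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Added example, not JSC's code. Every access to the backing buffer is a
// single-byte access; the multi-byte value only ever exists in a local that
// the compiler is free to align.

// Probe the host's byte order at runtime so the example runs unchanged on
// little- and big-endian machines.
static bool isHostLittleEndian()
{
    const uint16_t probe = 1;
    uint8_t firstByte = 0;
    std::memcpy(&firstByte, &probe, 1);
    return firstByte == 1;
}

// Map the i-th byte in the requested (DataView) byte order to the index of
// the same byte in host order.
static size_t hostByteIndex(size_t i, size_t width, bool littleEndian)
{
    return littleEndian == isHostLittleEndian() ? i : width - 1 - i;
}

// Read a T from buffer[offset ..] in the requested byte order using only byte
// accesses. Returns false (leaving out untouched) when the read would run past
// the end of the buffer, the other failure mode a DataView has to guard against.
template <typename T>
bool getData(const uint8_t* buffer, size_t length, size_t offset, bool littleEndian, T& out)
{
    if (offset > length || length - offset < sizeof(T))
        return false;
    uint8_t hostOrder[sizeof(T)];
    for (size_t i = 0; i < sizeof(T); ++i)
        hostOrder[hostByteIndex(i, sizeof(T), littleEndian)] = buffer[offset + i];
    std::memcpy(&out, hostOrder, sizeof(T));
    return true;
}

// Write a T to buffer[offset ..] in the requested byte order, byte by byte.
template <typename T>
bool setData(uint8_t* buffer, size_t length, size_t offset, bool littleEndian, T value)
{
    if (offset > length || length - offset < sizeof(T))
        return false;
    uint8_t hostOrder[sizeof(T)];
    std::memcpy(hostOrder, &value, sizeof(T));
    for (size_t i = 0; i < sizeof(T); ++i)
        buffer[offset + i] = hostOrder[hostByteIndex(i, sizeof(T), littleEndian)];
    return true;
}

// Constructed sample: a 32-bit little-endian value stored at offset 1, which
// is misaligned for any 4-byte load.
uint32_t readMisalignedSample()
{
    const uint8_t sample[7] = { 0xAA, 0x78, 0x56, 0x34, 0x12, 0xBB, 0xCC };
    uint32_t value = 0;
    getData<uint32_t>(sample, sizeof sample, 1, true, value);
    return value; // 0x12345678
}
```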
1292
1293 2014-03-05  Filip Pizlo  <fpizlo@apple.com>
1294
1295         FTL loadStructure always generates invalid IR
1296         https://bugs.webkit.org/show_bug.cgi?id=129747
1297
1298         Reviewed by Mark Hahnenberg.
1299
1300         As the comment at the top of FTL::Output states, the FTL doesn't use LLVM's notion
1301         of pointers. LLVM's notion of pointers tries to model C, in the sense that you have
1302         to have a pointer to a type, and you can only load things of that type from that
1303         pointer. Pointer arithmetic is basically not possible except through the bizarre
1304         getelementptr operator. This doesn't fit with how the JS object model works since
1305         the JS object model doesn't consist of nice and tidy C types placed in C arrays.
1306         Also, it would be impossible to use getelementptr and LLVM pointers for accessing
1307         any of JSC's C or C++ objects unless we went through the exercise of redeclaring
1308         all of our fundamental data structures in LLVM IR as LLVM types. Clang could do
1309         this for us, but that would require that to use the FTL, JSC itself would have to
1310         be compiled with clang. Worse, it would have to be compiled with a clang that uses
1311         a version of LLVM that is compatible with the one against which the FTL is linked.
1312         Yuck!
1313
1314         The solution is to NEVER use LLVM pointers. This has always been the case in the
1315         FTL. But it causes some confusion.
1316         
1317         Not using LLVM pointers means that if the FTL has a "pointer", it's actually a
1318         pointer-wide integer (m_out.intPtr in FTL-speak). The act of "loading" and
1319         "storing" from or to a pointer involves first bitcasting the intPtr to a real LLVM
1320         pointer that has the type that we want. The load and store operations over pointers
1321         are called Output::load* and Output::store*, where * is one of "8", "16", "32",
1322         "64", "Ptr", "Float", or "Double".
1323         
1324         There is unavoidable confusion here. It would be bizarre for the FTL to call its
1325         "pointer-wide integers" anything other than "pointers", since they are, in all
1326         respects that we care about, simply pointers. But they are *not* LLVM pointers and
1327         they never will be that.
1328         
1329         There is one exception to this "no pointers" rule. The FTL does use actual LLVM
1330         pointers for referring to LLVM alloca's - i.e. local variables. To try to reduce
1331         confusion, we call these "references". So an "FTL reference" is actually an "LLVM
1332         pointer", while an "FTL pointer" is actually an "LLVM integer". FTL references have
1333         methods for access called Output::get and Output::set. These lower to LLVM load
1334         and store, since FTL references are just LLVM pointers.
1335         
1336         This confusion appears to have led to incorrect code in loadStructure().
1337         loadStructure() was using get() and set() to access FTL pointers. But those methods
1338         don't work on FTL pointers and never will, since they are for FTL references.
1339         
1340         The worst part of this is that it was previously impossible to have test coverage
1341         for the relevant path (MasqueradesAsUndefined) without writing a DRT test. This
1342         patch fixes this by introducing a Masquerader object to jsc.cpp.
1343         
1344         * ftl/FTLAbstractHeapRepository.h: Add an abstract heap for the structure table.
1345         * ftl/FTLLowerDFGToLLVM.cpp:
1346         (JSC::FTL::LowerDFGToLLVM::loadStructure): This was wrong.
1347         * ftl/FTLOutput.h: Add a comment to dissuade people from using get() and set().
1348         * jsc.cpp: Give us the power to test for MasqueradesAsUndefined.
1349         (WTF::Masquerader::Masquerader):
1350         (WTF::Masquerader::create):
1351         (WTF::Masquerader::createStructure):
1352         (GlobalObject::finishCreation):
1353         (functionMakeMasquerader):
1354         * tests/stress/equals-masquerader.js: Added.
1355         (foo):
1356         (test):
1357
1358 2014-03-05  Anders Carlsson  <andersca@apple.com>
1359
1360         Tweak after r165109 to avoid extra copies
1361         https://bugs.webkit.org/show_bug.cgi?id=129745
1362
1363         Reviewed by Geoffrey Garen.
1364
1365         * heap/Heap.cpp:
1366         (JSC::Heap::visitProtectedObjects):
1367         (JSC::Heap::visitTempSortVectors):
1368         (JSC::Heap::clearRememberedSet):
1369         * heap/Heap.h:
1370         (JSC::Heap::forEachProtectedCell):
1371
1372 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
1373
1374         DFGStoreBarrierElisionPhase should use GCState directly instead of m_gcClobberSet when calling writesOverlap()
1375         https://bugs.webkit.org/show_bug.cgi?id=129717
1376
1377         Reviewed by Filip Pizlo.
1378
1379         * dfg/DFGStoreBarrierElisionPhase.cpp:
1380         (JSC::DFG::StoreBarrierElisionPhase::StoreBarrierElisionPhase):
1381         (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC):
1382
1383 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
1384
1385         Use range-based loops where possible in Heap methods
1386         https://bugs.webkit.org/show_bug.cgi?id=129513
1387
1388         Reviewed by Mark Lam.
1389
1390         Replace old school iterator based loops with the new range-based loop hotness
1391         for a better tomorrow.
1392
1393         * heap/CodeBlockSet.cpp:
1394         (JSC::CodeBlockSet::~CodeBlockSet):
1395         (JSC::CodeBlockSet::clearMarks):
1396         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
1397         (JSC::CodeBlockSet::traceMarked):
1398         * heap/Heap.cpp:
1399         (JSC::Heap::visitProtectedObjects):
1400         (JSC::Heap::visitTempSortVectors):
1401         (JSC::Heap::clearRememberedSet):
1402         * heap/Heap.h:
1403         (JSC::Heap::forEachProtectedCell):
1404
1405 2014-03-04  Filip Pizlo  <fpizlo@apple.com>
1406
1407         DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
1408         https://bugs.webkit.org/show_bug.cgi?id=129563
1409
1410         Reviewed by Geoffrey Garen.
1411         
1412         Rolling this back in after fixing an assertion failure. speculateMisc() should have
1413         said DFG_TYPE_CHECK instead of typeCheck.
1414         
1415         This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
1416         when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
1417         user of this was EarleyBoyer, and in that benchmark what it was really doing was
1418         comparing undefined, null, and booleans to each other.
1419         
1420         This also adds support for miscellaneous things that I needed to make my various test
1421         cases work. This includes comparison over booleans and the various Throw-related node
1422         types.
1423         
1424         This also improves constant folding of CompareStrictEq and CompareEq.
1425         
1426         Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
1427         based on profiling, which caused some downstream badness. We don't actually support
1428         compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
1429         emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
1430         shouldn't factor out the bounds check since the access is not InBounds but then the
1431         backend would ignore the flag and assume that the bounds check was already emitted.
1432         This showed up on an existing test but I added a test for this explicitly to have more
1433         certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
1434         that we'll have a bounds check anyway.
1435         
1436         This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
1437         general progressions across the board. No speed-up yet on EarleyBoyer, since there is
1438         still a lot more coverage work to be done there.
1439
1440         * bytecode/SpeculatedType.cpp:
1441         (JSC::speculationToAbbreviatedString):
1442         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
1443         (JSC::valuesCouldBeEqual):
1444         * bytecode/SpeculatedType.h:
1445         (JSC::isMiscSpeculation):
1446         * dfg/DFGAbstractInterpreterInlines.h:
1447         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1448         * dfg/DFGArrayMode.cpp:
1449         (JSC::DFG::ArrayMode::refine):
1450         * dfg/DFGArrayMode.h:
1451         * dfg/DFGFixupPhase.cpp:
1452         (JSC::DFG::FixupPhase::fixupNode):
1453         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
1454         * dfg/DFGNode.h:
1455         (JSC::DFG::Node::shouldSpeculateMisc):
1456         * dfg/DFGSafeToExecute.h:
1457         (JSC::DFG::SafeToExecuteEdge::operator()):
1458         * dfg/DFGSpeculativeJIT.cpp:
1459         (JSC::DFG::SpeculativeJIT::compileStrictEq):
1460         (JSC::DFG::SpeculativeJIT::speculateMisc):
1461         (JSC::DFG::SpeculativeJIT::speculate):
1462         * dfg/DFGSpeculativeJIT.h:
1463         * dfg/DFGSpeculativeJIT32_64.cpp:
1464         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
1465         * dfg/DFGSpeculativeJIT64.cpp:
1466         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
1467         * dfg/DFGUseKind.cpp:
1468         (WTF::printInternal):
1469         * dfg/DFGUseKind.h:
1470         (JSC::DFG::typeFilterFor):
1471         * ftl/FTLCapabilities.cpp:
1472         (JSC::FTL::canCompile):
1473         * ftl/FTLLowerDFGToLLVM.cpp:
1474         (JSC::FTL::LowerDFGToLLVM::compileNode):
1475         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
1476         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
1477         (JSC::FTL::LowerDFGToLLVM::compileThrow):
1478         (JSC::FTL::LowerDFGToLLVM::isNotMisc):
1479         (JSC::FTL::LowerDFGToLLVM::isMisc):
1480         (JSC::FTL::LowerDFGToLLVM::speculate):
1481         (JSC::FTL::LowerDFGToLLVM::speculateMisc):
1482         * tests/stress/float32-array-out-of-bounds.js: Added.
1483         * tests/stress/weird-equality-folding-cases.js: Added.
1484
1485 2014-03-04  Commit Queue  <commit-queue@webkit.org>
1486
1487         Unreviewed, rolling out r165085.
1488         http://trac.webkit.org/changeset/165085
1489         https://bugs.webkit.org/show_bug.cgi?id=129729
1490
1491         Broke imported/w3c/html-templates/template-element/template-content.html
1492         (Requested by ap on #webkit).
1493
1494         * bytecode/SpeculatedType.cpp:
1495         (JSC::speculationToAbbreviatedString):
1496         * bytecode/SpeculatedType.h:
1497         * dfg/DFGAbstractInterpreterInlines.h:
1498         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1499         * dfg/DFGArrayMode.cpp:
1500         (JSC::DFG::ArrayMode::refine):
1501         * dfg/DFGArrayMode.h:
1502         * dfg/DFGFixupPhase.cpp:
1503         (JSC::DFG::FixupPhase::fixupNode):
1504         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
1505         * dfg/DFGNode.h:
1506         (JSC::DFG::Node::shouldSpeculateBoolean):
1507         * dfg/DFGSafeToExecute.h:
1508         (JSC::DFG::SafeToExecuteEdge::operator()):
1509         * dfg/DFGSpeculativeJIT.cpp:
1510         (JSC::DFG::SpeculativeJIT::compileStrictEq):
1511         (JSC::DFG::SpeculativeJIT::speculate):
1512         * dfg/DFGSpeculativeJIT.h:
1513         * dfg/DFGSpeculativeJIT32_64.cpp:
1514         * dfg/DFGSpeculativeJIT64.cpp:
1515         * dfg/DFGUseKind.cpp:
1516         (WTF::printInternal):
1517         * dfg/DFGUseKind.h:
1518         (JSC::DFG::typeFilterFor):
1519         * ftl/FTLCapabilities.cpp:
1520         (JSC::FTL::canCompile):
1521         * ftl/FTLLowerDFGToLLVM.cpp:
1522         (JSC::FTL::LowerDFGToLLVM::compileNode):
1523         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
1524         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
1525         (JSC::FTL::LowerDFGToLLVM::speculate):
1526         * tests/stress/float32-array-out-of-bounds.js: Removed.
1527         * tests/stress/weird-equality-folding-cases.js: Removed.
1528
1529 2014-03-04  Brian Burg  <bburg@apple.com>
1530
1531         Inspector does not restore breakpoints after a page reload
1532         https://bugs.webkit.org/show_bug.cgi?id=129655
1533
1534         Reviewed by Joseph Pecoraro.
1535
1536         Fix a regression introduced by r162096 that erroneously removed
1537         the inspector backend's mapping of files to breakpoints whenever the
1538         global object was cleared.
1539
1540         The inspector's breakpoint mappings should only be cleared when the
1541         debugger agent is disabled or destroyed. We should only clear the
1542         debugger's breakpoint state when the global object is cleared.
1543
1544         To make it clearer what state is being cleared, the two cases have
1545         been split into separate methods.
1546
1547         * inspector/agents/InspectorDebuggerAgent.cpp:
1548         (Inspector::InspectorDebuggerAgent::disable):
1549         (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
1550         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
1551         (Inspector::InspectorDebuggerAgent::didClearGlobalObject):
1552         * inspector/agents/InspectorDebuggerAgent.h:
1553
1554 2014-03-04  Andreas Kling  <akling@apple.com>
1555
1556         Streamline JSValue::get().
1557         <https://webkit.org/b/129720>
1558
1559         Fetch each Structure and VM only once when walking the prototype chain
1560         in JSObject::getPropertySlot(), then pass it along to the functions
1561         we call from there, so they don't have to re-fetch it.
1562
1563         Reviewed by Geoff Garen.
1564
1565         * runtime/JSObject.h:
1566         (JSC::JSObject::inlineGetOwnPropertySlot):
1567         (JSC::JSObject::fastGetOwnPropertySlot):
1568         (JSC::JSObject::getPropertySlot):
1569
1570 2014-03-01  Filip Pizlo  <fpizlo@apple.com>
1571
1572         DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
1573         https://bugs.webkit.org/show_bug.cgi?id=129563
1574
1575         Reviewed by Geoffrey Garen.
1576         
1577         This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
1578         when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
1579         user of this was EarleyBoyer, and in that benchmark what it was really doing was
1580         comparing undefined, null, and booleans to each other.
1581         
1582         This also adds support for miscellaneous things that I needed to make my various test
1583         cases work. This includes comparison over booleans and the various Throw-related node
1584         types.
1585         
1586         This also improves constant folding of CompareStrictEq and CompareEq.
1587         
1588         Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
1589         based on profiling, which caused some downstream badness. We don't actually support
1590         compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
1591         emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
1592         shouldn't factor out the bounds check since the access is not InBounds but then the
1593         backend would ignore the flag and assume that the bounds check was already emitted.
1594         This showed up on an existing test but I added a test for this explicitly to have more
1595         certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
1596         that we'll have a bounds check anyway.
1597         
1598         This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
1599         general progressions across the board. No speed-up yet on EarleyBoyer, since there is
1600         still a lot more coverage work to be done there.
1601
1602         * bytecode/SpeculatedType.cpp:
1603         (JSC::speculationToAbbreviatedString):
1604         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
1605         (JSC::valuesCouldBeEqual):
1606         * bytecode/SpeculatedType.h:
1607         (JSC::isMiscSpeculation):
1608         * dfg/DFGAbstractInterpreterInlines.h:
1609         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1610         * dfg/DFGFixupPhase.cpp:
1611         (JSC::DFG::FixupPhase::fixupNode):
1612         * dfg/DFGNode.h:
1613         (JSC::DFG::Node::shouldSpeculateMisc):
1614         * dfg/DFGSafeToExecute.h:
1615         (JSC::DFG::SafeToExecuteEdge::operator()):
1616         * dfg/DFGSpeculativeJIT.cpp:
1617         (JSC::DFG::SpeculativeJIT::compileStrictEq):
1618         (JSC::DFG::SpeculativeJIT::speculateMisc):
1619         (JSC::DFG::SpeculativeJIT::speculate):
1620         * dfg/DFGSpeculativeJIT.h:
1621         * dfg/DFGSpeculativeJIT32_64.cpp:
1622         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
1623         * dfg/DFGSpeculativeJIT64.cpp:
1624         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
1625         * dfg/DFGUseKind.cpp:
1626         (WTF::printInternal):
1627         * dfg/DFGUseKind.h:
1628         (JSC::DFG::typeFilterFor):
1629         * ftl/FTLCapabilities.cpp:
1630         (JSC::FTL::canCompile):
1631         * ftl/FTLLowerDFGToLLVM.cpp:
1632         (JSC::FTL::LowerDFGToLLVM::compileNode):
1633         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
1634         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
1635         (JSC::FTL::LowerDFGToLLVM::compileThrow):
1636         (JSC::FTL::LowerDFGToLLVM::isNotMisc):
1637         (JSC::FTL::LowerDFGToLLVM::isMisc):
1638         (JSC::FTL::LowerDFGToLLVM::speculate):
1639         (JSC::FTL::LowerDFGToLLVM::speculateMisc):
1640         * tests/stress/float32-array-out-of-bounds.js: Added.
1641         * tests/stress/weird-equality-folding-cases.js: Added.
1642
1643 2014-03-04  Andreas Kling  <akling@apple.com>
1644
1645         Spam static branch prediction hints on JS bindings.
1646         <https://webkit.org/b/129703>
1647
1648         Add LIKELY hint to jsDynamicCast since it's always used in a context
1649         where we expect it to succeed and takes an error path when it doesn't.
1650
1651         Reviewed by Geoff Garen.
1652
1653         * runtime/JSCell.h:
1654         (JSC::jsDynamicCast):
1655
1656 2014-03-04  Andreas Kling  <akling@apple.com>
1657
1658         Get to Structures more efficiently in JSCell::methodTable().
1659         <https://webkit.org/b/129702>
1660
1661         In JSCell::methodTable(), get the VM once and pass that along to
1662         structure(VM&) instead of using the heavier structure().
1663
1664         In JSCell::methodTable(VM&), replace calls to structure() with
1665         calls to structure(VM&).
1666
1667         Reviewed by Mark Hahnenberg.
1668
1669         * runtime/JSCellInlines.h:
1670         (JSC::JSCell::methodTable):
1671
1672 2014-03-04  Joseph Pecoraro  <pecoraro@apple.com>
1673
1674         Web Inspector: Listen for the XPC_ERROR_CONNECTION_INVALID event to deref
1675         https://bugs.webkit.org/show_bug.cgi?id=129697
1676
1677         Reviewed by Timothy Hatcher.
1678
1679         * inspector/remote/RemoteInspectorXPCConnection.mm:
1680         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
1681         (Inspector::RemoteInspectorXPCConnection::handleEvent):
1682
1683 2014-03-04  Mark Hahnenberg  <mhahnenberg@apple.com>
1684
1685         Merge API shims and JSLock
1686         https://bugs.webkit.org/show_bug.cgi?id=129650
1687
1688         Reviewed by Mark Lam.
1689
1690         JSLock is now taking on all of APIEntryShim's responsibilities since there is never a reason 
1691         to take just the JSLock. Ditto for DropAllLocks and APICallbackShim.
1692
1693         * API/APICallbackFunction.h:
1694         (JSC::APICallbackFunction::call):
1695         (JSC::APICallbackFunction::construct):
1696         * API/APIShims.h: Removed.
1697         * API/JSBase.cpp:
1698         (JSEvaluateScript):
1699         (JSCheckScriptSyntax):
1700         (JSGarbageCollect):
1701         (JSReportExtraMemoryCost):
1702         (JSSynchronousGarbageCollectForDebugging):
1703         * API/JSCallbackConstructor.cpp:
1704         * API/JSCallbackFunction.cpp:
1705         * API/JSCallbackObjectFunctions.h:
1706         (JSC::JSCallbackObject<Parent>::init):
1707         (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
1708         (JSC::JSCallbackObject<Parent>::put):
1709         (JSC::JSCallbackObject<Parent>::putByIndex):
1710         (JSC::JSCallbackObject<Parent>::deleteProperty):
1711         (JSC::JSCallbackObject<Parent>::construct):
1712         (JSC::JSCallbackObject<Parent>::customHasInstance):
1713         (JSC::JSCallbackObject<Parent>::call):
1714         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
1715         (JSC::JSCallbackObject<Parent>::getStaticValue):
1716         (JSC::JSCallbackObject<Parent>::callbackGetter):
1717         * API/JSContext.mm:
1718         (-[JSContext setException:]):
1719         (-[JSContext wrapperForObjCObject:]):
1720         (-[JSContext wrapperForJSObject:]):
1721         * API/JSContextRef.cpp:
1722         (JSContextGroupRelease):
1723         (JSContextGroupSetExecutionTimeLimit):
1724         (JSContextGroupClearExecutionTimeLimit):
1725         (JSGlobalContextCreateInGroup):
1726         (JSGlobalContextRetain):
1727         (JSGlobalContextRelease):
1728         (JSContextGetGlobalObject):
1729         (JSContextGetGlobalContext):
1730         (JSGlobalContextCopyName):
1731         (JSGlobalContextSetName):
1732         * API/JSManagedValue.mm:
1733         (-[JSManagedValue value]):
1734         * API/JSObjectRef.cpp:
1735         (JSObjectMake):
1736         (JSObjectMakeFunctionWithCallback):
1737         (JSObjectMakeConstructor):
1738         (JSObjectMakeFunction):
1739         (JSObjectMakeArray):
1740         (JSObjectMakeDate):
1741         (JSObjectMakeError):
1742         (JSObjectMakeRegExp):
1743         (JSObjectGetPrototype):
1744         (JSObjectSetPrototype):
1745         (JSObjectHasProperty):
1746         (JSObjectGetProperty):
1747         (JSObjectSetProperty):
1748         (JSObjectGetPropertyAtIndex):
1749         (JSObjectSetPropertyAtIndex):
1750         (JSObjectDeleteProperty):
1751         (JSObjectGetPrivateProperty):
1752         (JSObjectSetPrivateProperty):
1753         (JSObjectDeletePrivateProperty):
1754         (JSObjectIsFunction):
1755         (JSObjectCallAsFunction):
1756         (JSObjectCallAsConstructor):
1757         (JSObjectCopyPropertyNames):
1758         (JSPropertyNameArrayRelease):
1759         (JSPropertyNameAccumulatorAddName):
1760         * API/JSScriptRef.cpp:
1761         * API/JSValue.mm:
1762         (isDate):
1763         (isArray):
1764         (containerValueToObject):
1765         (valueToArray):
1766         (valueToDictionary):
1767         (objectToValue):
1768         * API/JSValueRef.cpp:
1769         (JSValueGetType):
1770         (JSValueIsUndefined):
1771         (JSValueIsNull):
1772         (JSValueIsBoolean):
1773         (JSValueIsNumber):
1774         (JSValueIsString):
1775         (JSValueIsObject):
1776         (JSValueIsObjectOfClass):
1777         (JSValueIsEqual):
1778         (JSValueIsStrictEqual):
1779         (JSValueIsInstanceOfConstructor):
1780         (JSValueMakeUndefined):
1781         (JSValueMakeNull):
1782         (JSValueMakeBoolean):
1783         (JSValueMakeNumber):
1784         (JSValueMakeString):
1785         (JSValueMakeFromJSONString):
1786         (JSValueCreateJSONString):
1787         (JSValueToBoolean):
1788         (JSValueToNumber):
1789         (JSValueToStringCopy):
1790         (JSValueToObject):
1791         (JSValueProtect):
1792         (JSValueUnprotect):
1793         * API/JSVirtualMachine.mm:
1794         (-[JSVirtualMachine addManagedReference:withOwner:]):
1795         (-[JSVirtualMachine removeManagedReference:withOwner:]):
1796         * API/JSWeakObjectMapRefPrivate.cpp:
1797         * API/JSWrapperMap.mm:
1798         (constructorHasInstance):
1799         (makeWrapper):
1800         (tryUnwrapObjcObject):
1801         * API/ObjCCallbackFunction.mm:
1802         (JSC::objCCallbackFunctionCallAsFunction):
1803         (JSC::objCCallbackFunctionCallAsConstructor):
1804         (objCCallbackFunctionForInvocation):
1805         * CMakeLists.txt:
1806         * ForwardingHeaders/JavaScriptCore/APIShims.h: Removed.
1807         * GNUmakefile.list.am:
1808         * JavaScriptCore.xcodeproj/project.pbxproj:
1809         * dfg/DFGWorklist.cpp:
1810         * heap/DelayedReleaseScope.h:
1811         (JSC::DelayedReleaseScope::~DelayedReleaseScope):
1812         * heap/HeapTimer.cpp:
1813         (JSC::HeapTimer::timerDidFire):
1814         (JSC::HeapTimer::timerEvent):
1815         * heap/IncrementalSweeper.cpp:
1816         * inspector/InjectedScriptModule.cpp:
1817         (Inspector::InjectedScriptModule::ensureInjected):
1818         * jsc.cpp:
1819         (jscmain):
1820         * runtime/GCActivityCallback.cpp:
1821         (JSC::DefaultGCActivityCallback::doWork):
1822         * runtime/JSGlobalObjectDebuggable.cpp:
1823         (JSC::JSGlobalObjectDebuggable::connect):
1824         (JSC::JSGlobalObjectDebuggable::disconnect):
1825         (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
1826         * runtime/JSLock.cpp:
1827         (JSC::JSLock::lock):
1828         (JSC::JSLock::didAcquireLock):
1829         (JSC::JSLock::unlock):
1830         (JSC::JSLock::willReleaseLock):
1831         (JSC::JSLock::DropAllLocks::DropAllLocks):
1832         (JSC::JSLock::DropAllLocks::~DropAllLocks):
1833         * runtime/JSLock.h:
1834         * testRegExp.cpp:
1835         (realMain):
1836
1837 2014-03-04  Commit Queue  <commit-queue@webkit.org>
1838
1839         Unreviewed, rolling out r164812.
1840         http://trac.webkit.org/changeset/164812
1841         https://bugs.webkit.org/show_bug.cgi?id=129699
1842
1843         it made things run slower (Requested by pizlo on #webkit).
1844
1845         * interpreter/Interpreter.cpp:
1846         (JSC::Interpreter::execute):
1847         * jsc.cpp:
1848         (GlobalObject::finishCreation):
1849         * runtime/BatchedTransitionOptimizer.h:
1850         (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
1851         (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
1852
1853 2014-03-02  Filip Pizlo  <fpizlo@apple.com>
1854
1855         GetMyArgumentByVal in FTL
1856         https://bugs.webkit.org/show_bug.cgi?id=128850
1857
1858         Reviewed by Oliver Hunt.
1859         
1860         This would have been easy if the OSR exit compiler's arity checks hadn't been wrong.
1861         They checked arity by doing "exec->argumentCount == codeBlock->numParameters", which
1862         caused it to think that the arity check had failed if the caller had passed more
1863         arguments than needed. This would cause the call frame copying to sort of go into
1864         reverse (because the amount-by-which-we-failed-arity would have opposite sign,
1865         throwing off a bunch of math) and the stack would end up being corrupted.
1866         
1867         The bug was revealed by two existing tests although as far as I could tell, neither
1868         test was intending to cover this case directly. So, I added a new test.
1869
1870         * ftl/FTLCapabilities.cpp:
1871         (JSC::FTL::canCompile):
1872         * ftl/FTLLowerDFGToLLVM.cpp:
1873         (JSC::FTL::LowerDFGToLLVM::compileNode):
1874         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
1875         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
1876         (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated):
1877         (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated):
1878         * ftl/FTLOSRExitCompiler.cpp:
1879         (JSC::FTL::compileStub):
1880         * ftl/FTLState.h:
1881         * tests/stress/exit-from-ftl-when-caller-passed-extra-args-then-use-function-dot-arguments.js: Added.
1882         * tests/stress/ftl-get-my-argument-by-val-inlined-and-not-inlined.js: Added.
1883         * tests/stress/ftl-get-my-argument-by-val-inlined.js: Added.
1884         * tests/stress/ftl-get-my-argument-by-val.js: Added.
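
As an added illustration of the arity-check mistake this entry describes (a stand-alone model written for this page, not JSC's OSR exit compiler; the `Frame` type, the function names and the frame layout are assumptions): the buggy `==` comparison treats a caller that passed extra arguments as a failed arity check, the computed shortfall then has the wrong sign, and the frame fix-up would shrink the destination below the source size.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added model of the OSR-exit arity check, not JavaScriptCore code.
// A frame is modelled as the vector of argument slots the callee will see.
using Frame = std::vector<int64_t>;
constexpr int64_t kUndefined = -1; // stand-in for the JS `undefined` padding value

// The check as the entry describes the buggy version: any mismatch counts as a
// failed arity check, including the harmless case of extra caller arguments.
inline bool arityCheckFailedBuggy(size_t argumentCount, size_t numParameters)
{
    return argumentCount != numParameters;
}

// Correct check: only a shortfall of arguments needs the frame fixed up.
inline bool arityCheckFailedFixed(size_t argumentCount, size_t numParameters)
{
    return argumentCount < numParameters;
}

// Slots that must be appended so the callee sees numParameters arguments.
// Reached with argumentCount > numParameters (possible only via the buggy check)
// this goes negative, which is the "opposite sign" the entry mentions.
inline int64_t missingArgumentCount(size_t argumentCount, size_t numParameters)
{
    return static_cast<int64_t>(numParameters) - static_cast<int64_t>(argumentCount);
}

// Rebuild the frame with `missing` undefined slots appended. A negative `missing`
// would shrink the destination below the source and write past its end, so this
// version refuses instead of corrupting memory. Returns true on success.
inline bool fixupFrame(const Frame& callerFrame, int64_t missing, Frame& out)
{
    if (missing < 0)
        return false;
    out = callerFrame;
    out.resize(callerFrame.size() + static_cast<size_t>(missing), kUndefined);
    return true;
}

// Run the exit sequence for one call site and report whether the fix-up would
// have been attempted with a negative shortfall (the corruption case).
inline bool exitWouldCorrupt(size_t argumentCount, size_t numParameters, bool useFixedCheck)
{
    bool failed = useFixedCheck ? arityCheckFailedFixed(argumentCount, numParameters)
                                : arityCheckFailedBuggy(argumentCount, numParameters);
    if (!failed)
        return false; // frame is used as-is; extra arguments are simply ignored
    Frame callerFrame(argumentCount, 7), fixed;
    return !fixupFrame(callerFrame, missingArgumentCount(argumentCount, numParameters), fixed);
}
```

With three arguments passed to a two-parameter function, `exitWouldCorrupt(3, 2, false)` reports the corruption path while the `<` check leaves the frame alone; with too few arguments both versions pad correctly.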
1885
1886 2014-03-04  Zan Dobersek  <zdobersek@igalia.com>
1887
1888         [GTK] Build the Udis86 disassembler
1889         https://bugs.webkit.org/show_bug.cgi?id=129679
1890
1891         Reviewed by Michael Saboff.
1892
1893         * GNUmakefile.am: Generate the Udis86-related derived sources. Distribute the required files.
1894         * GNUmakefile.list.am: Add the Udis86 disassembler files to the build.
1895
1896 2014-03-04  Andreas Kling  <akling@apple.com>
1897
1898         Fix too-narrow assertion I added in r165054.
1899
1900         It's okay for a 1-character string to come in here. This will happen
1901         if the VM small string optimization doesn't apply (ch > 0xFF).
1902
1903         * runtime/JSString.h:
1904         (JSC::jsStringWithWeakOwner):
1905
1906 2014-03-04  Andreas Kling  <akling@apple.com>
1907
1908         Micro-optimize Strings in JS bindings.
1909         <https://webkit.org/b/129673>
1910
1911         Make jsStringWithWeakOwner() take a StringImpl& instead of a String.
1912         This avoids branches in length() and operator[].
1913
1914         Also call JSString::create() directly instead of jsString() and just
1915         assert that the string length is >1. This way we don't duplicate the
1916         optimizations for empty and single-character strings.
1917
1918         Reviewed by Ryosuke Niwa.
1919
1920         * runtime/JSString.h:
1921         (JSC::jsStringWithWeakOwner):
1922
1923 2014-03-04  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
1924
1925         Implement Number.prototype.clz()
1926         https://bugs.webkit.org/show_bug.cgi?id=129479
1927
1928         Reviewed by Oliver Hunt.
1929
1930         Implemented Number.prototype.clz() as specified in the ES6 standard.
1931
1932         * runtime/NumberPrototype.cpp:
1933         (JSC::numberProtoFuncClz):
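
As an added worked example of the semantics this entry names (written for this page, not JSC's `numberProtoFuncClz`): the ES6 draft defines the operation as ToUint32 of the argument followed by a count of leading zero bits, with 32 for zero. The helper names and the ES6-draft reading are assumptions.

```cpp
#include <cmath>
#include <cstdint>

// Added example, not JavaScriptCore code: models Number.prototype.clz() as
// ToUint32(value) followed by a leading-zero count (assumption: ES6 draft semantics).

// ECMAScript ToUint32: NaN and infinities become 0; otherwise truncate toward zero
// and reduce modulo 2^32 into the range [0, 2^32).
inline uint32_t toUint32(double value)
{
    if (std::isnan(value) || std::isinf(value))
        return 0;
    const double two32 = 4294967296.0;
    double modulo = std::fmod(std::trunc(value), two32);
    if (modulo < 0)
        modulo += two32;
    return static_cast<uint32_t>(modulo);
}

// Leading-zero count of a 32-bit value; clz(0) is 32 by definition, which a bare
// __builtin_clz(0) would not give (its result is undefined for 0).
inline int clz32(uint32_t x)
{
    if (x == 0)
        return 32;
    int n = 0;
    while (!(x & 0x80000000u)) {
        x <<= 1;
        ++n;
    }
    return n;
}

// The complete operation applied to a JS number.
inline int numberClz(double value)
{
    return clz32(toUint32(value));
}
```

The edge cases worth checking are the ones ToUint32 creates: negative numbers wrap (so -1 has no leading zeros), fractions truncate, and values at or above 2^32 reduce modulo 2^32.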
1934
1935 2014-03-03  Joseph Pecoraro  <pecoraro@apple.com>
1936
1937         Web Inspector: Avoid too early deref caused by RemoteInspectorXPCConnection::close
1938         https://bugs.webkit.org/show_bug.cgi?id=129631
1939
1940         Reviewed by Timothy Hatcher.
1941
1942         Avoid deref() too early if a client calls close(). The xpc_connection_close
1943         will cause another XPC_ERROR event to come in from the queue, deref then.
1944         Likewise, protect multithreaded access to m_client. If a client calls
1945         close() we want to immediately clear the pointer to prevent calls to it.
1946
1947         Overall the multi-threading aspects of RemoteInspectorXPCConnection are
1948         growing too complicated for probably little benefit. We may want to
1949         clean this up later.
1950
1951         * inspector/remote/RemoteInspector.mm:
1952         (Inspector::RemoteInspector::xpcConnectionFailed):
1953         * inspector/remote/RemoteInspectorXPCConnection.h:
1954         * inspector/remote/RemoteInspectorXPCConnection.mm:
1955         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
1956         (Inspector::RemoteInspectorXPCConnection::close):
1957         (Inspector::RemoteInspectorXPCConnection::closeOnQueue):
1958         (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
1959         (Inspector::RemoteInspectorXPCConnection::handleEvent):
1960         (Inspector::RemoteInspectorXPCConnection::sendMessage):
1961
1962 2014-03-03  Michael Saboff  <msaboff@apple.com>
1963
1964         AbstractMacroAssembler::CachedTempRegister should start out invalid
1965         https://bugs.webkit.org/show_bug.cgi?id=129657
1966
1967         Reviewed by Filip Pizlo.
1968
1969         * assembler/AbstractMacroAssembler.h:
1970         (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
1971         - Invalidate all cached registers in constructor as we don't know the
1972           contents of any register at the entry to the code we are going to
1973           generate.
1974
1975 2014-03-03  Andreas Kling  <akling@apple.com>
1976
1977         StructureOrOffset should be fastmalloced.
1978         <https://webkit.org/b/129640>
1979
1980         Reviewed by Geoffrey Garen.
1981
1982         * runtime/StructureIDTable.h:
1983
1984 2014-03-03  Michael Saboff  <msaboff@apple.com>
1985
1986         Crash in JIT code while watching a video @ storyboard.tumblr.com
1987         https://bugs.webkit.org/show_bug.cgi?id=129635
1988
1989         Reviewed by Filip Pizlo.
1990
1991         Clear m_set before we set bits in the TempRegisterSet(const RegisterSet& other)
1992         constructor.
1993
1994         * jit/TempRegisterSet.cpp:
1995         (JSC::TempRegisterSet::TempRegisterSet): Clear map before setting it.
1996         * jit/TempRegisterSet.h:
1997         (JSC::TempRegisterSet::TempRegisterSet): Use new clearAll() helper.
1998         (JSC::TempRegisterSet::clearAll): New private helper.
1999
2000 2014-03-03  Benjamin Poulain  <benjamin@webkit.org>
2001
2002         [x86] Improve code generation of byte test
2003         https://bugs.webkit.org/show_bug.cgi?id=129597
2004
2005         Reviewed by Geoffrey Garen.
2006
2007         When possible, test the 8 bit register to itself instead of comparing it
2008         to a literal.
2009
2010         * assembler/MacroAssemblerX86Common.h:
2011         (JSC::MacroAssemblerX86Common::test32):
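
As an added illustration of the size win this entry describes (example written for this page; it is not JSC's `MacroAssemblerX86Common::test32`, and the selection logic is a reconstruction of the entry's description): a small encoder for the `test` forms involved, restricted to the legacy byte registers `al`, `cl`, `dl`, `bl` that are addressable without a REX prefix.

```cpp
#include <cstdint>
#include <vector>

// Added example, not JavaScriptCore code: encodes the x86 TEST forms involved in the
// optimisation above and picks the shortest one for a given (register, mask) pair.
// Only the legacy low byte registers are modelled (assumption: no REX handling).
enum Reg : unsigned { EAX = 0, ECX = 1, EDX = 2, EBX = 3 };

using Bytes = std::vector<uint8_t>;

// ModRM byte for a register-direct operand: mod = 11, reg field, r/m field.
inline uint8_t modrmRegDirect(unsigned regField, unsigned rm)
{
    return static_cast<uint8_t>(0xC0 | ((regField & 7) << 3) | (rm & 7));
}

// TEST r/m8, r8 (opcode 84 /r) with both operands the same register: 2 bytes.
inline Bytes testb_rr(unsigned reg) { return { 0x84, modrmRegDirect(reg, reg) }; }

// TEST r/m8, imm8 (opcode F6 /0 ib): 3 bytes.
inline Bytes testb_i8r(uint8_t imm, unsigned reg) { return { 0xF6, modrmRegDirect(0, reg), imm }; }

// TEST r/m32, r32 (opcode 85 /r): 2 bytes.
inline Bytes testl_rr(unsigned reg) { return { 0x85, modrmRegDirect(reg, reg) }; }

// TEST r/m32, imm32 (opcode F7 /0 id), immediate little-endian: 6 bytes.
inline Bytes testl_i32r(uint32_t imm, unsigned reg)
{
    return { 0xF7, modrmRegDirect(0, reg),
             static_cast<uint8_t>(imm), static_cast<uint8_t>(imm >> 8),
             static_cast<uint8_t>(imm >> 16), static_cast<uint8_t>(imm >> 24) };
}

// test32(reg, mask): choose the shortest encoding that sets ZF identically.
// `test r8, r8` sets ZF exactly when the low byte is zero, which is also what
// `test r8, 0xFF` computes, so the literal can be dropped for that mask.
inline Bytes test32(unsigned reg, uint32_t mask)
{
    if (mask == 0xFFFFFFFFu)
        return testl_rr(reg);
    bool byteAddressable = reg <= EBX;      // al/cl/dl/bl without REX
    if (byteAddressable && (mask & ~0xFFu) == 0) {
        if (mask == 0xFFu)
            return testb_rr(reg);           // the new 2-byte form
        return testb_i8r(static_cast<uint8_t>(mask), reg);
    }
    return testl_i32r(mask, reg);
}
```

For `cl` and mask `0xFF` the encoder emits `84 C9` (two bytes) where the literal form would have been `F6 C1 FF` (three bytes); masks that do not fit a byte, or registers without a legacy byte form, fall back to the six-byte `F7 /0 id` encoding.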
2012
2013 2014-03-03  Mark Lam  <mark.lam@apple.com>
2014
2015         Web Inspector: debugger statements do not break.
2016         <https://webkit.org/b/129524>
2017
2018         Reviewed by Geoff Garen.
2019
2020         Since we no longer call op_debug hooks unless there is a debugger request
2021         made on the CodeBlock, the op_debug for the debugger statement never gets
2022         serviced.
2023
2024         With this fix, we check in the CodeBlock constructor if any debugger
2025         statements are present.  If so, we set an m_hasDebuggerStatement flag that
2026         causes the CodeBlock to show as having debugger requests.  Hence,
2027         breaking at debugger statements is now restored.
2028
2029         * bytecode/CodeBlock.cpp:
2030         (JSC::CodeBlock::CodeBlock):
2031         * bytecode/CodeBlock.h:
2032         (JSC::CodeBlock::hasDebuggerRequests):
2033         (JSC::CodeBlock::clearDebuggerRequests):
2034
2035 2014-03-03  Mark Lam  <mark.lam@apple.com>
2036
2037         ASSERTION FAILED: m_numBreakpoints >= numBreakpoints when deleting breakpoints.
2038         <https://webkit.org/b/129393>
2039
2040         Reviewed by Geoffrey Garen.
2041
2042         The issue manifests because the debugger will iterate all CodeBlocks in
2043         the heap when setting / clearing breakpoints, but it is possible for a
2044         CodeBlock to have been instantiated but not yet registered with the
2045         debugger.  This can happen because of the following:
2046
2047         1. DFG worklist compilation is still in progress, and the target
2048            codeBlock is not ready for installation in its executable yet.
2049
2050         2. DFG compilation failed and we have a codeBlock that will never be
2051            installed in its executable, and the codeBlock has not been cleaned
2052            up by the GC yet.
2053
2054         The code for installing the codeBlock in its executable is the same code
2055         that registers it with the debugger.  Hence, these codeBlocks are not
2056         registered with the debugger, and any pending breakpoints that would map
2057         to that CodeBlock are as yet unset or will never be set.  As such, an
2058         attempt to remove a breakpoint in that CodeBlock will fail that assertion.
2059
2060         To fix this, we do the following:
2061
2062         1. We'll eagerly clean up any zombie CodeBlocks due to failed DFG / FTL
2063            compilation.  This is achieved by providing a
2064            DeferredCompilationCallback::compilationDidComplete() that does this
2065            clean up, and have all subclasses call it at the end of their
2066            compilationDidComplete() methods.
2067
2068         2. Before the debugger or profiler iterates CodeBlocks in the heap, they
2069            will wait for all compilations to complete before proceeding.  This
2070            ensures that:
2071            1. any zombie CodeBlocks would have been cleaned up, and won't be
2072               seen by the debugger or profiler.
2073            2. all CodeBlocks that the debugger and profiler needs to operate on
2074               will be "ready" for whatever needs to be done to them e.g.
2075               jettisoning of DFG codeBlocks.
2076
2077         * bytecode/DeferredCompilationCallback.cpp:
2078         (JSC::DeferredCompilationCallback::compilationDidComplete):
2079         * bytecode/DeferredCompilationCallback.h:
2080         - Provide default implementation method to clean up zombie CodeBlocks.
2081
2082         * debugger/Debugger.cpp:
2083         (JSC::Debugger::forEachCodeBlock):
2084         - Utility function to iterate CodeBlocks.  It ensures that all compilations
2085           are complete before proceeding.
2086         (JSC::Debugger::setSteppingMode):
2087         (JSC::Debugger::toggleBreakpoint):
2088         (JSC::Debugger::recompileAllJSFunctions):
2089         (JSC::Debugger::clearBreakpoints):
2090         (JSC::Debugger::clearDebuggerRequests):
2091         - Use the utility iterator function.
2092
2093         * debugger/Debugger.h:
2094         * dfg/DFGOperations.cpp:
2095         - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.
2096
2097         * dfg/DFGPlan.cpp:
2098         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
2099         - Remove unneeded code (that was not the best solution anyway) for ensuring
2100           that we don't generate new DFG codeBlocks after enabling the debugger or
2101           profiler.  Now that we wait for compilations to complete before proceeding
2102           with debugger and profiler work, this scenario will never happen.
2103
2104         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
2105         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
2106         - Call the super class method to clean up zombie codeBlocks.
2107
2108         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
2109         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
2110         - Call the super class method to clean up zombie codeBlocks.
2111
2112         * heap/CodeBlockSet.cpp:
2113         (JSC::CodeBlockSet::remove):
2114         * heap/CodeBlockSet.h:
2115         * heap/Heap.h:
2116         (JSC::Heap::removeCodeBlock):
2117         - New method to remove a codeBlock from the codeBlock set.
2118
2119         * jit/JITOperations.cpp:
2120         - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.
2121
2122         * jit/JITToDFGDeferredCompilationCallback.cpp:
2123         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
2124         - Call the super class method to clean up zombie codeBlocks.
2125
2126         * runtime/VM.cpp:
2127         (JSC::VM::waitForCompilationsToComplete):
2128         - Renamed from prepareToDiscardCode() to be clearer about what it does.
2129
2130         (JSC::VM::discardAllCode):
2131         (JSC::VM::releaseExecutableMemory):
2132         (JSC::VM::setEnabledProfiler):
2133         - Wait for compilation to complete before enabling the profiler.
2134
2135         * runtime/VM.h:
2136
2137 2014-03-03  Brian Burg  <bburg@apple.com>
2138
2139         Another unreviewed build fix attempt for Windows after r164986.
2140
2141         We never told Visual Studio to copy over the web replay code generator scripts
2142         and the generated headers for JavaScriptCore replay inputs as if they were
2143         private headers.
2144
2145         * JavaScriptCore.vcxproj/copy-files.cmd:
2146
2147 2014-03-03  Brian Burg  <bburg@apple.com>
2148
2149         Web Replay: upstream input storage, capture/replay machinery, and inspector domain
2150         https://bugs.webkit.org/show_bug.cgi?id=128782
2151
2152         Reviewed by Timothy Hatcher.
2153
2154         Alter the replay inputs code generator so that it knows when it is necessary to
2155         include headers for HEAVY_SCALAR types such as WTF::String and WebCore::URL.
2156
2157         * JavaScriptCore.xcodeproj/project.pbxproj:
2158         * replay/scripts/CodeGeneratorReplayInputs.py:
2159         (Framework.fromString):
2160         (Frameworks): Add WTF as an allowed framework for code generation.
2161         (Generator.generate_includes): Include headers for HEAVY_SCALAR types in the header file.
2162         (Generator.generate_includes.declaration):
2163         (Generator.generate_includes.or):
2164         (Generator.generate_type_forward_declarations): Skip HEAVY_SCALAR types.
2165
2166 2014-03-02  Filip Pizlo  <fpizlo@apple.com>
2167
2168         PolymorphicPutByIdList should have a simpler construction API with basically a single entrypoint
2169         https://bugs.webkit.org/show_bug.cgi?id=129591
2170
2171         Reviewed by Michael Saboff.
2172
2173         * bytecode/PolymorphicPutByIdList.cpp:
2174         (JSC::PutByIdAccess::fromStructureStubInfo): This function can figure out the slow path target for itself.
2175         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList): This constructor should be private, only from() should call it.
2176         (JSC::PolymorphicPutByIdList::from):
2177         * bytecode/PolymorphicPutByIdList.h:
2178         (JSC::PutByIdAccess::stubRoutine):
2179         * jit/Repatch.cpp:
2180         (JSC::tryBuildPutByIdList): Don't pass the slow path target since it can be derived from the stubInfo.
2181
2182 2014-03-02  Filip Pizlo  <fpizlo@apple.com>
2183
2184         Debugging improvements from my gbemu investigation session
2185         https://bugs.webkit.org/show_bug.cgi?id=129599
2186
2187         Reviewed by Mark Lam.
2188         
2189         Various improvements from when I was investigating bug 129411.
2190
2191         * bytecode/CodeBlock.cpp:
2192         (JSC::CodeBlock::optimizationThresholdScalingFactor): Make the dataLog() statement print the actual multiplier.
2193         * jsc.cpp:
2194         (GlobalObject::finishCreation):
2195         (functionDescribe): Make describe() return a string rather than printing the string.
2196         (functionDescribeArray): Like describe(), but prints details about arrays.
2197
2198 2014-02-25  Andreas Kling  <akling@apple.com>
2199
2200         JSDOMWindow::commonVM() should return a reference.
2201         <https://webkit.org/b/129293>
2202
2203         Added a DropAllLocks constructor that takes VM& without null checks.
2204
2205         Reviewed by Geoff Garen.
2206
2207 2014-03-02  Mark Lam  <mark.lam@apple.com>
2208
2209         CodeBlock::hasDebuggerRequests() should return a bool instead of an int.
2210         <https://webkit.org/b/129584>
2211
2212         Reviewed by Darin Adler.
2213
2214         * bytecode/CodeBlock.h:
2215         (JSC::CodeBlock::hasDebuggerRequests):
2216
2217 2014-03-02  Mark Lam  <mark.lam@apple.com>
2218
2219         Clean up use of Options::enableConcurrentJIT().
2220         <https://webkit.org/b/129582>
2221
2222         Reviewed by Filip Pizlo.
2223
2224         DFG Driver was conditionally checking Options::enableConcurrentJIT()
2225         only if ENABLE(CONCURRENT_JIT).  Otherwise, it bypasses it with a local
2226         enableConcurrentJIT set to false.
2227
2228         Instead we should configure Options::enableConcurrentJIT() to be false
2229         in Options.cpp if !ENABLE(CONCURRENT_JIT), and DFG Driver should always
2230         check Options::enableConcurrentJIT().  This makes the code read a little
2231         cleaner.
2232
2233         * dfg/DFGDriver.cpp:
2234         (JSC::DFG::compileImpl):
2235         * runtime/Options.cpp:
2236         (JSC::recomputeDependentOptions):
2237
2238 2014-03-01  Filip Pizlo  <fpizlo@apple.com>
2239
2240         This shouldn't have been a layout test since it runs only under jsc. Moving it to JSC
2241         stress tests.
2242
2243         * tests/stress/generational-opaque-roots.js: Copied from LayoutTests/js/script-tests/generational-opaque-roots.js.
2244
2245 2014-03-01  Andreas Kling  <akling@apple.com>
2246
2247         JSCell::fastGetOwnProperty() should get the Structure more efficiently.
2248         <https://webkit.org/b/129560>
2249
2250         Now that structure() is nontrivial and we have a faster structure(VM&),
2251         make use of that in fastGetOwnProperty() since we already have VM.
2252
2253         Reviewed by Sam Weinig.
2254
2255         * runtime/JSCellInlines.h:
2256         (JSC::JSCell::fastGetOwnProperty):
2257
2258 2014-03-01  Andreas Kling  <akling@apple.com>
2259
2260         Avoid going through ExecState for VM when we already have it (in some places.)
2261         <https://webkit.org/b/129554>
2262
2263         Tweak some places that jump through unnecessary hoops to get the VM.
2264         There are many more like this.
2265
2266         Reviewed by Sam Weinig.
2267
2268         * runtime/JSObject.cpp:
2269         (JSC::JSObject::putByIndexBeyondVectorLength):
2270         (JSC::JSObject::putDirectIndexBeyondVectorLength):
2271         * runtime/ObjectPrototype.cpp:
2272         (JSC::objectProtoFuncToString):
2273
2274 2014-02-28  Filip Pizlo  <fpizlo@apple.com>
2275
2276         FTL should support PhantomArguments
2277         https://bugs.webkit.org/show_bug.cgi?id=113986
2278
2279         Reviewed by Oliver Hunt.
2280         
2281         Adding PhantomArguments to the FTL mostly means wiring the recovery of the Arguments
2282         object into the FTL's OSR exit compiler.
2283         
2284         This isn't a speed-up yet, since there is still more to be done to fully support
2285         all of the arguments craziness that our varargs benchmarks do.
2286
2287         * dfg/DFGOSRExitCompiler32_64.cpp:
2288         (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
2289         * dfg/DFGOSRExitCompiler64.cpp:
2290         (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
2291         * dfg/DFGOSRExitCompilerCommon.cpp:
2292         (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator):
2293         (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator):
2294         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): this is the common place for the recovery code
2295         * dfg/DFGOSRExitCompilerCommon.h:
2296         * ftl/FTLCapabilities.cpp:
2297         (JSC::FTL::canCompile):
2298         * ftl/FTLExitValue.cpp:
2299         (JSC::FTL::ExitValue::dumpInContext):
2300         * ftl/FTLExitValue.h:
2301         (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated):
2302         (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated):
2303         (JSC::FTL::ExitValue::valueFormat):
2304         * ftl/FTLLowerDFGToLLVM.cpp:
2305         (JSC::FTL::LowerDFGToLLVM::compileNode):
2306         (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments):
2307         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
2308         (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
2309         * ftl/FTLOSRExitCompiler.cpp:
2310         (JSC::FTL::compileStub): Call into the ArgumentsRecoveryGenerator
2311         * tests/stress/slightly-more-difficult-to-fold-reflective-arguments-access.js: Added.
2312         * tests/stress/trivially-foldable-reflective-arguments-access.js: Added.
2313
2314 2014-02-28  Filip Pizlo  <fpizlo@apple.com>
2315
2316         Unreviewed, uncomment some code. It wasn't meant to be commented in the first place.
2317
2318         * dfg/DFGCSEPhase.cpp:
2319         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
2320
2321 2014-02-28  Andreas Kling  <akling@apple.com>
2322
2323         JSObject::findPropertyHashEntry() should take VM instead of ExecState.
2324         <https://webkit.org/b/129529>
2325
2326         Callers already have VM in a local, and findPropertyHashEntry() only
2327         uses the VM, no need to go all the way through ExecState.
2328
2329         Reviewed by Geoffrey Garen.
2330
2331         * runtime/JSObject.cpp:
2332         (JSC::JSObject::put):
2333         (JSC::JSObject::deleteProperty):
2334         (JSC::JSObject::findPropertyHashEntry):
2335         * runtime/JSObject.h:
2336
2337 2014-02-28  Joseph Pecoraro  <pecoraro@apple.com>
2338
2339         Deadlock remotely inspecting iOS Simulator
2340         https://bugs.webkit.org/show_bug.cgi?id=129511
2341
2342         Reviewed by Timothy Hatcher.
2343
2344         Avoid synchronous setup. Do it asynchronously, and let
2345         the RemoteInspector singleton know later if it failed.
2346
2347         * inspector/remote/RemoteInspector.h:
2348         * inspector/remote/RemoteInspector.mm:
2349         (Inspector::RemoteInspector::setupFailed):
2350         * inspector/remote/RemoteInspectorDebuggableConnection.h:
2351         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
2352         (Inspector::RemoteInspectorDebuggableConnection::setup):
2353
2354 2014-02-28  Oliver Hunt  <oliver@apple.com>
2355
2356         REGRESSION(r164835): It broke 10 JSC stress tests on 32 bit platforms
2357         https://bugs.webkit.org/show_bug.cgi?id=129488
2358
2359         Reviewed by Mark Lam.
2360
2361         Whoops, modify the right register.
2362
2363         * jit/JITCall32_64.cpp:
2364         (JSC::JIT::compileLoadVarargs):
2365
2366 2014-02-28  Filip Pizlo  <fpizlo@apple.com>
2367
2368         FTL should be able to call sin/cos directly on platforms where the intrinsic is busted
2369         https://bugs.webkit.org/show_bug.cgi?id=129503
2370
2371         Reviewed by Mark Lam.
2372
2373         * ftl/FTLIntrinsicRepository.h:
2374         * ftl/FTLOutput.h:
2375         (JSC::FTL::Output::doubleSin):
2376         (JSC::FTL::Output::doubleCos):
2377         (JSC::FTL::Output::intrinsicOrOperation):
2378
2379 2014-02-28  Mark Hahnenberg  <mhahnenberg@apple.com>
2380
2381         Fix !ENABLE(GGC) builds
2382
2383         * heap/Heap.cpp:
2384         (JSC::Heap::markRoots):
2385         (JSC::Heap::gatherJSStackRoots): Also fix one of the names of the GC phases.
2386
2387 2014-02-27  Mark Hahnenberg  <mhahnenberg@apple.com>
2388
2389         Clean up Heap::collect and Heap::markRoots
2390         https://bugs.webkit.org/show_bug.cgi?id=129464
2391
2392         Reviewed by Geoffrey Garen.
2393
2394         These functions have built up a lot of cruft recently. 
2395         We should do a bit of cleanup to make them easier to grok.
2396
2397         * heap/Heap.cpp:
2398         (JSC::Heap::finalizeUnconditionalFinalizers):
2399         (JSC::Heap::gatherStackRoots):
2400         (JSC::Heap::gatherJSStackRoots):
2401         (JSC::Heap::gatherScratchBufferRoots):
2402         (JSC::Heap::clearLivenessData):
2403         (JSC::Heap::visitSmallStrings):
2404         (JSC::Heap::visitConservativeRoots):
2405         (JSC::Heap::visitCompilerWorklists):
2406         (JSC::Heap::markProtectedObjects):
2407         (JSC::Heap::markTempSortVectors):
2408         (JSC::Heap::markArgumentBuffers):
2409         (JSC::Heap::visitException):
2410         (JSC::Heap::visitStrongHandles):
2411         (JSC::Heap::visitHandleStack):
2412         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
2413         (JSC::Heap::converge):
2414         (JSC::Heap::visitWeakHandles):
2415         (JSC::Heap::clearRememberedSet):
2416         (JSC::Heap::updateObjectCounts):
2417         (JSC::Heap::resetVisitors):
2418         (JSC::Heap::markRoots):
2419         (JSC::Heap::copyBackingStores):
2420         (JSC::Heap::deleteUnmarkedCompiledCode):
2421         (JSC::Heap::collect):
2422         (JSC::Heap::collectIfNecessaryOrDefer):
2423         (JSC::Heap::suspendCompilerThreads):
2424         (JSC::Heap::willStartCollection):
2425         (JSC::Heap::deleteOldCode):
2426         (JSC::Heap::flushOldStructureIDTables):
2427         (JSC::Heap::flushWriteBarrierBuffer):
2428         (JSC::Heap::stopAllocation):
2429         (JSC::Heap::reapWeakHandles):
2430         (JSC::Heap::sweepArrayBuffers):
2431         (JSC::Heap::snapshotMarkedSpace):
2432         (JSC::Heap::deleteSourceProviderCaches):
2433         (JSC::Heap::notifyIncrementalSweeper):
2434         (JSC::Heap::rememberCurrentlyExecutingCodeBlocks):
2435         (JSC::Heap::resetAllocators):
2436         (JSC::Heap::updateAllocationLimits):
2437         (JSC::Heap::didFinishCollection):
2438         (JSC::Heap::resumeCompilerThreads):
2439         * heap/Heap.h:
2440
2441 2014-02-27  Ryosuke Niwa  <rniwa@webkit.org>
2442
2443         indexOf and lastIndexOf shouldn't resolve ropes when needle is longer than haystack
2444         https://bugs.webkit.org/show_bug.cgi?id=129466
2445
2446         Reviewed by Michael Saboff.
2447
2448         Refactored the code to avoid calling JSString::value when needle is longer than haystack.
2449
2450         * runtime/StringPrototype.cpp:
2451         (JSC::stringProtoFuncIndexOf):
2452         (JSC::stringProtoFuncLastIndexOf):
2453
2454 2014-02-27  Timothy Hatcher  <timothy@apple.com>
2455
2456         Improve how ContentSearchUtilities::lineEndings works by supporting the three common line endings.
2457
2458         https://bugs.webkit.org/show_bug.cgi?id=129458
2459
2460         Reviewed by Joseph Pecoraro.
2461
2462         * inspector/ContentSearchUtilities.cpp:
2463         (Inspector::ContentSearchUtilities::textPositionFromOffset): Remove assumption about line ending length.
2464         (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Remove assumption about
2465         line ending type and don't try to strip the line ending. Use size_t.
2466         (Inspector::ContentSearchUtilities::lineEndings): Use findNextLineStart to find the lines.
2467         This will include the line ending in the lines, but that is okay.
2468         (Inspector::ContentSearchUtilities::buildObjectForSearchMatch): Use size_t.
2469         (Inspector::ContentSearchUtilities::searchInTextByLines): Modernize.
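
The line scan described in the entry above, as an added example that is not WebKit's ContentSearchUtilities code: it accepts "\r\n", "\n" and "\r" as line endings, keeps the ending inside each line, and maps an offset to a (line, column) position without assuming a fixed line-ending length. The function names (findNextLineStart, lineStarts, textPositionFromOffset, splitLines) and the sample text are this example's own, not the project's API.

```javascript
// Added example, not WebKit's ContentSearchUtilities code: the line-start scan
// the entry above describes, accepting "\r\n", "\n" and "\r" as line endings,
// plus an offset-to-(line, column) mapping that makes no assumption about line
// ending length. Function names (findNextLineStart, lineStarts,
// textPositionFromOffset, splitLines) are this example's own, not the project's API.

// Offset just past the first line ending at or after `from`, or -1 if none.
// "\r\n" counts as a single ending, so it never produces a spurious empty line.
function findNextLineStart(text, from) {
  for (let i = from; i < text.length; i++) {
    const c = text[i];
    if (c === "\n") return i + 1;
    if (c === "\r") return text[i + 1] === "\n" ? i + 2 : i + 1;
  }
  return -1;
}

// Start offsets of every line; line 0 starts at 0. Lines keep their ending,
// and a text that ends with a line ending has a final empty line.
function lineStarts(text) {
  const starts = [0];
  for (let pos = findNextLineStart(text, 0); pos !== -1; pos = findNextLineStart(text, pos))
    starts.push(pos);
  return starts;
}

// Zero-based { line, column } for a character offset, via binary search for the
// last line start <= offset. Offsets inside a "\r\n" map to the line it ends.
function textPositionFromOffset(text, offset) {
  const starts = lineStarts(text);
  let lo = 0, hi = starts.length;
  while (hi - lo > 1) {
    const mid = (lo + hi) >> 1;
    if (starts[mid] <= offset) lo = mid; else hi = mid;
  }
  return { line: lo, column: offset - starts[lo] };
}

// Split into lines with endings retained, the shape a line-based regex search wants.
function splitLines(text) {
  const starts = lineStarts(text);
  return starts.map((s, i) => text.slice(s, i + 1 < starts.length ? starts[i + 1] : text.length));
}

// Constructed sample mixing all three endings.
const sample = "alpha\r\nbeta\ngamma\rdelta";
console.log(lineStarts(sample));                 // [0, 7, 12, 18]
console.log(textPositionFromOffset(sample, 13)); // { line: 2, column: 1 }
console.log(splitLines(sample));                 // ["alpha\r\n", "beta\n", "gamma\r", "delta"]
```

The "\r" branch looks one character ahead so that a CRLF pair is consumed as one ending; without that check a CRLF file would report every other line as empty, which is exactly the kind of fixed-length assumption the entry removes.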
2470
2471 2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>
2472
2473         [Mac] Warning: Multiple build commands for output file GCSegmentedArray and InspectorAgent
2474         https://bugs.webkit.org/show_bug.cgi?id=129446
2475
2476         Reviewed by Timothy Hatcher.
2477
2478         Remove duplicate header entries in Copy Header build phase.
2479
2480         * JavaScriptCore.xcodeproj/project.pbxproj:
2481
2482 2014-02-27  Oliver Hunt  <oliver@apple.com>
2483
2484         Whoops, include all of last patch.
2485
2486         * jit/JITCall32_64.cpp:
2487         (JSC::JIT::compileLoadVarargs):
2488
2489 2014-02-27  Oliver Hunt  <oliver@apple.com>
2490
2491         Slow cases for function.apply and function.call should not require vm re-entry
2492         https://bugs.webkit.org/show_bug.cgi?id=129454
2493
2494         Reviewed by Geoffrey Garen.
2495
2496         Implement call and apply using builtins. Happily, the use
2497         of @call and @apply doesn't perform function equality checks
2498         and just plants direct var_args calls. This did expose a few
2499         codegen issues, but they're all covered by existing tests
2500         once call and apply are implemented in JS.
2501
2502         * JavaScriptCore.xcodeproj/project.pbxproj:
2503         * builtins/Function.prototype.js: Added.
2504         (call):
2505         (apply):
2506         * bytecompiler/NodesCodegen.cpp:
2507         (JSC::CallFunctionCallDotNode::emitBytecode):
2508         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2509         * dfg/DFGCapabilities.cpp:
2510         (JSC::DFG::capabilityLevel):
2511         * interpreter/Interpreter.cpp:
2512         (JSC::sizeFrameForVarargs):
2513         (JSC::loadVarargs):
2514         * interpreter/Interpreter.h:
2515         * jit/JITCall.cpp:
2516         (JSC::JIT::compileLoadVarargs):
2517         * parser/ASTBuilder.h:
2518         (JSC::ASTBuilder::makeFunctionCallNode):
2519         * parser/Lexer.cpp:
2520         (JSC::isSafeBuiltinIdentifier):
2521         * runtime/CommonIdentifiers.h:
2522         * runtime/FunctionPrototype.cpp:
2523         (JSC::FunctionPrototype::addFunctionProperties):
2524         * runtime/JSObject.cpp:
2525         (JSC::JSObject::putDirectBuiltinFunction):
2526         (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
2527         * runtime/JSObject.h:
2528
2529 2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>
2530
2531         Web Inspector: Better name for RemoteInspectorDebuggableConnection dispatch queue
2532         https://bugs.webkit.org/show_bug.cgi?id=129443
2533
2534         Reviewed by Timothy Hatcher.
2535
2536         This queue is specific to the JSContext debuggable connections,
2537         there is no XPC involved. Give it a better name.
2538
2539         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
2540         (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
2541
2542 2014-02-27  David Kilzer  <ddkilzer@apple.com>
2543
2544         Remove jsc symlink if it already exists
2545
2546         This is a follow-up fix for:
2547
2548         Create symlink to /usr/local/bin/jsc during installation
2549         <http://webkit.org/b/129399>
2550         <rdar://problem/16168734>
2551
2552         * JavaScriptCore.xcodeproj/project.pbxproj:
2553         (Create /usr/local/bin/jsc symlink): If a jsc symlink already
2554         exists where we're about to create the symlink, remove the old
2555         one first.
2556
2557 2014-02-27  Michael Saboff  <msaboff@apple.com>
2558
2559         Unreviewed build fix for Mac tools after r164814
2560
2561         * Configurations/ToolExecutable.xcconfig:
2562         - Added JavaScriptCore.framework/PrivateHeaders to ToolExecutable include path.
2563         * JavaScriptCore.xcodeproj/project.pbxproj:
2564         - Changed productName to testRegExp for testRegExp target.
2565
2566 2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>
2567
2568         Web Inspector: JSContext inspection should report exceptions in the console
2569         https://bugs.webkit.org/show_bug.cgi?id=128776
2570
2571         Reviewed by Timothy Hatcher.
2572
2573         When JavaScript API functions have an exception, let the inspector
2574         know so it can log the JavaScript and Native backtrace that caused
2575         the exception.
2576
2577         Include some clean up of ConsoleMessage and ScriptCallStack construction.
2578
2579         * API/JSBase.cpp:
2580         (JSEvaluateScript):
2581         (JSCheckScriptSyntax):
2582         * API/JSObjectRef.cpp:
2583         (JSObjectMakeFunction):
2584         (JSObjectMakeArray):
2585         (JSObjectMakeDate):
2586         (JSObjectMakeError):
2587         (JSObjectMakeRegExp):
2588         (JSObjectGetProperty):
2589         (JSObjectSetProperty):
2590         (JSObjectGetPropertyAtIndex):
2591         (JSObjectSetPropertyAtIndex):
2592         (JSObjectDeleteProperty):
2593         (JSObjectCallAsFunction):
2594         (JSObjectCallAsConstructor):
2595         * API/JSValue.mm:
2596         (reportExceptionToInspector):
2597         (valueToArray):
2598         (valueToDictionary):
2599         * API/JSValueRef.cpp:
2600         (JSValueIsEqual):
2601         (JSValueIsInstanceOfConstructor):
2602         (JSValueCreateJSONString):
2603         (JSValueToNumber):
2604         (JSValueToStringCopy):
2605         (JSValueToObject):
2606         When seeing an exception, let the inspector know there was an exception.
2607
2608         * inspector/JSGlobalObjectInspectorController.h:
2609         * inspector/JSGlobalObjectInspectorController.cpp:
2610         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2611         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
2612         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
2613         Log API exceptions by also grabbing the native backtrace.
2614
2615         * inspector/ScriptCallStack.h:
2616         * inspector/ScriptCallStack.cpp:
2617         (Inspector::ScriptCallStack::firstNonNativeCallFrame):
2618         (Inspector::ScriptCallStack::append):
2619         Minor extensions to ScriptCallStack to make it easier to work with.
2620
2621         * inspector/ConsoleMessage.cpp:
2622         (Inspector::ConsoleMessage::ConsoleMessage):
2623         (Inspector::ConsoleMessage::autogenerateMetadata):
2624         Provide better default information if the first call frame was native.
2625
2626         * inspector/ScriptCallStackFactory.cpp:
2627         (Inspector::createScriptCallStack):
2628         (Inspector::extractSourceInformationFromException):
2629         (Inspector::createScriptCallStackFromException):
2630         Perform the handling here of inserting a fake call frame for exceptions
2631         if there was no call stack (e.g. a SyntaxError) or if the first call
2632         frame had no information.
2633
2634         * inspector/ConsoleMessage.cpp:
2635         (Inspector::ConsoleMessage::ConsoleMessage):
2636         (Inspector::ConsoleMessage::autogenerateMetadata):
2637         * inspector/ConsoleMessage.h:
2638         * inspector/ScriptCallStackFactory.cpp:
2639         (Inspector::createScriptCallStack):
2640         (Inspector::createScriptCallStackForConsole):
2641         * inspector/ScriptCallStackFactory.h:
2642         * inspector/agents/InspectorConsoleAgent.cpp:
2643         (Inspector::InspectorConsoleAgent::enable):
2644         (Inspector::InspectorConsoleAgent::addMessageToConsole):
2645         (Inspector::InspectorConsoleAgent::count):
2646         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2647         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
2648         ConsoleMessage cleanup.
2649
2650 2014-02-27  David Kilzer  <ddkilzer@apple.com>
2651
2652         Create symlink to /usr/local/bin/jsc during installation
2653         <http://webkit.org/b/129399>
2654         <rdar://problem/16168734>
2655
2656         Reviewed by Dan Bernstein.
2657
2658         * JavaScriptCore.xcodeproj/project.pbxproj:
2659         - Add "Create /usr/local/bin/jsc symlink" build phase script to
2660           create the symlink during installation.
2661
2662 2014-02-27  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>
2663
2664         Math.{max, min}() must not return after first NaN value
2665         https://bugs.webkit.org/show_bug.cgi?id=104147
2666
2667         Reviewed by Oliver Hunt.
2668
2669         According to the spec, ToNumber is going to be called on each argument
2670         even if a `NaN` value was already found.
2671
2672         * runtime/MathObject.cpp:
2673         (JSC::mathProtoFuncMax):
2674         (JSC::mathProtoFuncMin):
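
A conformance probe for the rule in the entry above, as an added example that is not JavaScriptCore code: ToNumber on an object calls its valueOf(), so whether Math.max and Math.min keep converting arguments after a NaN is observable from script. The helper names (observable, probe, report) are this example's own; run it under jsc or node to check an engine.

```javascript
// Added example, not JavaScriptCore code: a conformance probe for the rule in
// the entry above. Math.max/Math.min must run ToNumber on *every* argument,
// even after a NaN has been seen, because ToNumber on an object calls its
// valueOf()/toString(), and those calls are observable (side effects, throws).

// Build an argument whose conversion is observable: it appends its label to
// `log` and returns `value` when ToNumber is applied.
function observable(label, value, log) {
  return { valueOf() { log.push(label); return value; } };
}

// Apply fn to a constructed argument list and report which arguments were
// converted and what the call returned.
function probe(fn, leadingNaN) {
  const log = [];
  const args = [leadingNaN ? NaN : 1,
                observable("a", 2, log),
                observable("b", 3, log)];
  const result = fn.apply(Math, args);
  return { converted: log.join(""), result };
}

// A conforming engine converts "ab" in both cases; an engine that returns at
// the first NaN reports "" for the leadingNaN case.
function maxConvertsAllAfterNaN() { return probe(Math.max, true).converted === "ab"; }
function minConvertsAllAfterNaN() { return probe(Math.min, true).converted === "ab"; }

// An exception raised by a later argument's valueOf() must still propagate.
function throwAfterNaNPropagates() {
  const thrower = { valueOf() { throw new RangeError("valueOf ran"); } };
  try { Math.max(NaN, thrower); } catch (e) { return e instanceof RangeError; }
  return false;
}

// The NaN result does not depend on where the NaN sits in the argument list.
function nanResultRegardlessOfPosition() {
  return Number.isNaN(Math.max(1, NaN, 2)) && Number.isNaN(Math.min(NaN, 1));
}

function report() {
  return {
    maxOk: maxConvertsAllAfterNaN(),
    minOk: minConvertsAllAfterNaN(),
    throwOk: throwAfterNaNPropagates(),
    nanOk: nanResultRegardlessOfPosition(),
    sample: probe(Math.max, false),  // { converted: "ab", result: 3 }
  };
}

console.log(report());
```

The throw case is the one that matters for engine fuzzing and differential testing: a valueOf() that throws after a NaN must surface as an exception, not be swallowed by an early return.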
2675
2676 2014-02-27  Gergo Balogh  <gbalogh.u-szeged@partner.samsung.com>
2677
2678         JSType upper limit (0xff) assertion can be removed.
2679         https://bugs.webkit.org/show_bug.cgi?id=129424
2680
2681         Reviewed by Geoffrey Garen.
2682
2683         * runtime/JSTypeInfo.h:
2684         (JSC::TypeInfo::TypeInfo):
2685
2686 2014-02-26  Michael Saboff  <msaboff@apple.com>
2687
2688         Auto generate bytecode information for bytecode parser and LLInt
2689         https://bugs.webkit.org/show_bug.cgi?id=129181
2690
2691         Reviewed by Mark Lam.
2692
2693         Added new bytecode/BytecodeList.json that contains a list of bytecodes and related
2694         helpers.  It also includes bytecode length and other information used to generate files.
2695         Added a new generator, generate-bytecode-files that generates Bytecodes.h and InitBytecodes.asm
2696         in DerivedSources/JavaScriptCore/.
2697
2698         Added the generation of these files to the "DerivedSource" build step.
2699         Slightly changed the build order, since the Bytecodes.h file is needed by
2700         JSCLLIntOffsetsExtractor.  Moved the offline assembly to a separate step since it needs
2701         to be run after JSCLLIntOffsetsExtractor.
2702
2703         Made related changes to OPCODE macros and their use.
2704
2705         Added JavaScriptCore.framework/PrivateHeaders to header file search path for building
2706         jsc to resolve Mac build issue.
2707
2708         * CMakeLists.txt:
2709         * Configurations/JSC.xcconfig:
2710         * DerivedSources.make:
2711         * GNUmakefile.am:
2712         * GNUmakefile.list.am:
2713         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2714         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2715         * JavaScriptCore.vcxproj/copy-files.cmd:
2716         * JavaScriptCore.xcodeproj/project.pbxproj:
2717         * bytecode/Opcode.h:
2718         (JSC::padOpcodeName):
2719         * llint/LLIntCLoop.cpp:
2720         (JSC::LLInt::CLoop::initialize):
2721         * llint/LLIntCLoop.h:
2722         * llint/LLIntData.cpp:
2723         (JSC::LLInt::initialize):
2724         * llint/LLIntOpcode.h:
2725 2014-02-27  Julien Brianceau  <jbriance@cisco.com>
2726
2727 2014-02-27  Julien Brianceau   <jbriance@cisco.com>
2728
2729         Fix 32-bit V_JITOperation_EJ callOperation introduced in r162652.
2730         https://bugs.webkit.org/show_bug.cgi?id=129420
2731
2732         Reviewed by Geoffrey Garen.
2733
2734         * dfg/DFGSpeculativeJIT.h:
2735         (JSC::DFG::SpeculativeJIT::callOperation): Payload and tag are swapped.
2736         Also, EABI_32BIT_DUMMY_ARG is missing for arm EABI and mips.
2737
2738 2014-02-27  Filip Pizlo  <fpizlo@apple.com>
2739
2740         Octane/closure thrashes between flattening dictionaries during global object initialization in a global eval
2741         https://bugs.webkit.org/show_bug.cgi?id=129435
2742
2743         Reviewed by Oliver Hunt.
2744         
2745         This is a 5-10% speed-up on Octane/closure.
2746
2747         * interpreter/Interpreter.cpp:
2748         (JSC::Interpreter::execute):
2749         * jsc.cpp:
2750         (GlobalObject::finishCreation):
2751         (functionClearCodeCache):
2752         * runtime/BatchedTransitionOptimizer.h:
2753         (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
2754         (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
2755
2756 2014-02-27  Alexey Proskuryakov  <ap@apple.com>
2757
2758         Added svn:ignore to two directories, so that .pyc files don't show up as unversioned.
2759
2760         * inspector/scripts: Added property svn:ignore.
2761         * replay/scripts: Added property svn:ignore.
2762
2763 2014-02-27  Gabor Rapcsanyi  <rgabor@webkit.org>
2764
2765         r164764 broke the ARM build
2766         https://bugs.webkit.org/show_bug.cgi?id=129415
2767
2768         Reviewed by Zoltan Herczeg.
2769
2770         * assembler/MacroAssemblerARM.h:
2771         (JSC::MacroAssemblerARM::moveWithPatch): Change reinterpret_cast to static_cast.
2772         (JSC::MacroAssemblerARM::canJumpReplacePatchableBranch32WithPatch): Add missing function.
2773         (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress): Add missing function.
2774         (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch): Add missing function.
2775
2776 2014-02-27  Mark Hahnenberg  <mhahnenberg@apple.com>
2777
2778         r164764 broke the ARM build
2779         https://bugs.webkit.org/show_bug.cgi?id=129415
2780
2781         Reviewed by Geoffrey Garen.
2782
2783         * assembler/MacroAssemblerARM.h:
2784         (JSC::MacroAssemblerARM::moveWithPatch):
2785
2786 2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>
2787
2788         r164764 broke the ARM build
2789         https://bugs.webkit.org/show_bug.cgi?id=129415
2790
2791         Reviewed by Geoffrey Garen.
2792
2793         * assembler/MacroAssemblerARM.h:
2794         (JSC::MacroAssemblerARM::branch32WithPatch): Missing this function.
2795
2796 2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>
2797
2798         EFL build fix
2799
2800         * dfg/DFGSpeculativeJIT32_64.cpp: Remove unused variables.
2801         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
2802         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
2803
2804 2014-02-25  Mark Hahnenberg  <mhahnenberg@apple.com>
2805
2806         Make JSCells have 32-bit Structure pointers
2807         https://bugs.webkit.org/show_bug.cgi?id=123195
2808
2809         Reviewed by Filip Pizlo.
2810
2811         This patch changes JSCells such that they no longer have a full 64-bit Structure
2812         pointer in their header. Instead they now have a 32-bit index into
2813         a per-VM table of Structure pointers. 32-bit platforms still use normal Structure
2814         pointers.
2815
2816         This change frees up an additional 32 bits of information in our object headers.
2817         We then use this extra space to store the indexing type of the object, the JSType
2818         of the object, some various type flags, and garbage collection data (e.g. mark bit).
2819         Because this inline type information is now faster to read, it pays for the slowdown 
2820         incurred by having to perform an extra indirection through the StructureIDTable.
2821
2822         This patch also threads a reference to the current VM through more of the C++ runtime
2823         to offset the cost of having to look up the VM to get the actual Structure pointer.
2824
2825         * API/JSContext.mm:
2826         (-[JSContext setException:]):
2827         (-[JSContext wrapperForObjCObject:]):
2828         (-[JSContext wrapperForJSObject:]):
2829         * API/JSContextRef.cpp:
2830         (JSContextGroupRelease):
2831         (JSGlobalContextRelease):
2832         * API/JSObjectRef.cpp:
2833         (JSObjectIsFunction):
2834         (JSObjectCopyPropertyNames):
2835         * API/JSValue.mm:
2836         (containerValueToObject):
2837         * API/JSWrapperMap.mm:
2838         (tryUnwrapObjcObject):
2839         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2840         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2841         * JavaScriptCore.xcodeproj/project.pbxproj:
2842         * assembler/AbstractMacroAssembler.h:
2843         * assembler/MacroAssembler.h:
2844         (JSC::MacroAssembler::patchableBranch32WithPatch):
2845         (JSC::MacroAssembler::patchableBranch32):
2846         * assembler/MacroAssemblerARM64.h:
2847         (JSC::MacroAssemblerARM64::branchPtrWithPatch):
2848         (JSC::MacroAssemblerARM64::patchableBranch32WithPatch):
2849         (JSC::MacroAssemblerARM64::canJumpReplacePatchableBranch32WithPatch):
2850         (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
2851         (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
2852         * assembler/MacroAssemblerARMv7.h:
2853         (JSC::MacroAssemblerARMv7::store8):
2854         (JSC::MacroAssemblerARMv7::branch32WithPatch):
2855         (JSC::MacroAssemblerARMv7::patchableBranch32WithPatch):
2856         (JSC::MacroAssemblerARMv7::canJumpReplacePatchableBranch32WithPatch):
2857         (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
2858         (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
2859         * assembler/MacroAssemblerX86.h:
2860         (JSC::MacroAssemblerX86::branch32WithPatch):
2861         (JSC::MacroAssemblerX86::canJumpReplacePatchableBranch32WithPatch):
2862         (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
2863         (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
2864         * assembler/MacroAssemblerX86_64.h:
2865         (JSC::MacroAssemblerX86_64::store32):
2866         (JSC::MacroAssemblerX86_64::moveWithPatch):
2867         (JSC::MacroAssemblerX86_64::branch32WithPatch):
2868         (JSC::MacroAssemblerX86_64::canJumpReplacePatchableBranch32WithPatch):
2869         (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
2870         (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
2871         (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
2872         * assembler/RepatchBuffer.h:
2873         (JSC::RepatchBuffer::startOfPatchableBranch32WithPatchOnAddress):
2874         (JSC::RepatchBuffer::revertJumpReplacementToPatchableBranch32WithPatch):
2875         * assembler/X86Assembler.h:
2876         (JSC::X86Assembler::revertJumpTo_movq_i64r):
2877         (JSC::X86Assembler::revertJumpTo_movl_i32r):
2878         * bytecode/ArrayProfile.cpp:
2879         (JSC::ArrayProfile::computeUpdatedPrediction):
2880         * bytecode/ArrayProfile.h:
2881         (JSC::ArrayProfile::ArrayProfile):
2882         (JSC::ArrayProfile::addressOfLastSeenStructureID):
2883         (JSC::ArrayProfile::observeStructure):
2884         * bytecode/CodeBlock.h:
2885         (JSC::CodeBlock::heap):
2886         * bytecode/UnlinkedCodeBlock.h:
2887         * debugger/Debugger.h:
2888         * dfg/DFGAbstractHeap.h:
2889         * dfg/DFGArrayifySlowPathGenerator.h:
2890         * dfg/DFGClobberize.h:
2891         (JSC::DFG::clobberize):
2892         * dfg/DFGJITCompiler.h:
2893         (JSC::DFG::JITCompiler::branchWeakStructure):
2894         (JSC::DFG::JITCompiler::branchStructurePtr):
2895         * dfg/DFGOSRExitCompiler32_64.cpp:
2896         (JSC::DFG::OSRExitCompiler::compileExit):
2897         * dfg/DFGOSRExitCompiler64.cpp:
2898         (JSC::DFG::OSRExitCompiler::compileExit):
2899         * dfg/DFGOSRExitCompilerCommon.cpp:
2900         (JSC::DFG::osrWriteBarrier):
2901         (JSC::DFG::adjustAndJumpToTarget):
2902         * dfg/DFGOperations.cpp:
2903         (JSC::DFG::putByVal):
2904         * dfg/DFGSpeculativeJIT.cpp:
2905         (JSC::DFG::SpeculativeJIT::checkArray):
2906         (JSC::DFG::SpeculativeJIT::arrayify):
2907         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
2908         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
2909         (JSC::DFG::SpeculativeJIT::compileInstanceOf):
2910         (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
2911         (JSC::DFG::SpeculativeJIT::speculateObject):
2912         (JSC::DFG::SpeculativeJIT::speculateFinalObject):
2913         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
2914         (JSC::DFG::SpeculativeJIT::speculateString):
2915         (JSC::DFG::SpeculativeJIT::speculateStringObject):
2916         (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
2917         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
2918         (JSC::DFG::SpeculativeJIT::emitSwitchString):
2919         (JSC::DFG::SpeculativeJIT::genericWriteBarrier):
2920         (JSC::DFG::SpeculativeJIT::writeBarrier):
2921         * dfg/DFGSpeculativeJIT.h:
2922         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
2923         (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
2924         * dfg/DFGSpeculativeJIT32_64.cpp:
2925         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
2926         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
2927         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
2928         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
2929         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
2930         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2931         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2932         (JSC::DFG::SpeculativeJIT::compile):
2933         (JSC::DFG::SpeculativeJIT::writeBarrier):
2934         * dfg/DFGSpeculativeJIT64.cpp:
2935         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
2936         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
2937         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
2938         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
2939         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
2940         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2941         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2942         (JSC::DFG::SpeculativeJIT::compile):
2943         (JSC::DFG::SpeculativeJIT::writeBarrier):
2944         * dfg/DFGWorklist.cpp:
2945         * ftl/FTLAbstractHeapRepository.cpp:
2946         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
2947         * ftl/FTLAbstractHeapRepository.h:
2948         * ftl/FTLLowerDFGToLLVM.cpp:
2949         (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
2950         (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
2951         (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
2952         (JSC::FTL::LowerDFGToLLVM::compileToString):
2953         (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
2954         (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
2955         (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
2956         (JSC::FTL::LowerDFGToLLVM::allocateCell):
2957         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
2958         (JSC::FTL::LowerDFGToLLVM::isObject):
2959         (JSC::FTL::LowerDFGToLLVM::isString):
2960         (JSC::FTL::LowerDFGToLLVM::isArrayType):
2961         (JSC::FTL::LowerDFGToLLVM::hasClassInfo):
2962         (JSC::FTL::LowerDFGToLLVM::isType):
2963         (JSC::FTL::LowerDFGToLLVM::speculateStringOrStringObject):
2964         (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForCell):
2965         (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
2966         (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
2967         (JSC::FTL::LowerDFGToLLVM::loadMarkByte):
2968         (JSC::FTL::LowerDFGToLLVM::loadStructure):
2969         (JSC::FTL::LowerDFGToLLVM::weakStructure):
2970         * ftl/FTLOSRExitCompiler.cpp:
2971         (JSC::FTL::compileStub):
2972         * ftl/FTLOutput.h:
2973         (JSC::FTL::Output::store8):
2974         * heap/GCAssertions.h:
2975         * heap/Heap.cpp:
2976         (JSC::Heap::getConservativeRegisterRoots):
2977         (JSC::Heap::collect):
2978         (JSC::Heap::writeBarrier):
2979         * heap/Heap.h:
2980         (JSC::Heap::structureIDTable):
2981         * heap/MarkedSpace.h:
2982         (JSC::MarkedSpace::forEachBlock):
2983         * heap/SlotVisitorInlines.h:
2984         (JSC::SlotVisitor::internalAppend):
2985         * jit/AssemblyHelpers.h:
2986         (JSC::AssemblyHelpers::branchIfCellNotObject):
2987         (JSC::AssemblyHelpers::genericWriteBarrier):
2988         (JSC::AssemblyHelpers::emitLoadStructure):
2989         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
2990         * jit/JIT.h:
2991         * jit/JITCall.cpp:
2992         (JSC::JIT::compileOpCall):
2993         (JSC::JIT::privateCompileClosureCall):
2994         * jit/JITCall32_64.cpp:
2995         (JSC::JIT::emit_op_ret_object_or_this):
2996         (JSC::JIT::compileOpCall):
2997         (JSC::JIT::privateCompileClosureCall):
2998         * jit/JITInlineCacheGenerator.cpp:
2999         (JSC::JITByIdGenerator::generateFastPathChecks):
3000         * jit/JITInlineCacheGenerator.h:
3001         * jit/JITInlines.h:
3002         (JSC::JIT::emitLoadCharacterString):
3003         (JSC::JIT::checkStructure):
3004         (JSC::JIT::emitJumpIfCellNotObject):
3005         (JSC::JIT::emitAllocateJSObject):
3006         (JSC::JIT::emitArrayProfilingSiteWithCell):
3007         (JSC::JIT::emitArrayProfilingSiteForBytecodeIndexWithCell):
3008         (JSC::JIT::branchStructure):
3009         (JSC::branchStructure):
3010         * jit/JITOpcodes.cpp:
3011         (JSC::JIT::emit_op_check_has_instance):
3012         (JSC::JIT::emit_op_instanceof):
3013         (JSC::JIT::emit_op_is_undefined):
3014         (JSC::JIT::emit_op_is_string):
3015         (JSC::JIT::emit_op_ret_object_or_this):
3016         (JSC::JIT::emit_op_to_primitive):
3017         (JSC::JIT::emit_op_jeq_null):
3018         (JSC::JIT::emit_op_jneq_null):
3019         (JSC::JIT::emit_op_get_pnames):
3020         (JSC::JIT::emit_op_next_pname):
3021         (JSC::JIT::emit_op_eq_null):
3022         (JSC::JIT::emit_op_neq_null):
3023         (JSC::JIT::emit_op_to_this):
3024         (JSC::JIT::emitSlow_op_to_this):
3025         * jit/JITOpcodes32_64.cpp:
3026         (JSC::JIT::emit_op_check_has_instance):
3027         (JSC::JIT::emit_op_instanceof):
3028         (JSC::JIT::emit_op_is_undefined):
3029         (JSC::JIT::emit_op_is_string):
3030         (JSC::JIT::emit_op_to_primitive):
3031         (JSC::JIT::emit_op_jeq_null):
3032         (JSC::JIT::emit_op_jneq_null):
3033         (JSC::JIT::emitSlow_op_eq):
3034         (JSC::JIT::emitSlow_op_neq):
3035         (JSC::JIT::compileOpStrictEq):
3036         (JSC::JIT::emit_op_eq_null):
3037         (JSC::JIT::emit_op_neq_null):
3038         (JSC::JIT::emit_op_get_pnames):
3039         (JSC::JIT::emit_op_next_pname):
3040         (JSC::JIT::emit_op_to_this):
3041         * jit/JITOperations.cpp:
3042         * jit/JITPropertyAccess.cpp:
3043         (JSC::JIT::stringGetByValStubGenerator):
3044         (JSC::JIT::emit_op_get_by_val):
3045         (JSC::JIT::emitSlow_op_get_by_val):
3046         (JSC::JIT::emit_op_get_by_pname):
3047         (JSC::JIT::emit_op_put_by_val):
3048         (JSC::JIT::emit_op_get_by_id):
3049         (JSC::JIT::emitLoadWithStructureCheck):
3050         (JSC::JIT::emitSlow_op_get_from_scope):
3051         (JSC::JIT::emitSlow_op_put_to_scope):
3052         (JSC::JIT::checkMarkWord):
3053         (JSC::JIT::emitWriteBarrier):
3054         (JSC::JIT::addStructureTransitionCheck):
3055         (JSC::JIT::emitIntTypedArrayGetByVal):
3056         (JSC::JIT::emitFloatTypedArrayGetByVal):
3057         (JSC::JIT::emitIntTypedArrayPutByVal):
3058         (JSC::JIT::emitFloatTypedArrayPutByVal):
3059         * jit/JITPropertyAccess32_64.cpp:
3060         (JSC::JIT::stringGetByValStubGenerator):
3061         (JSC::JIT::emit_op_get_by_val):
3062         (JSC::JIT::emitSlow_op_get_by_val):
3063         (JSC::JIT::emit_op_put_by_val):
3064         (JSC::JIT::emit_op_get_by_id):
3065         (JSC::JIT::emit_op_get_by_pname):
3066         (JSC::JIT::emitLoadWithStructureCheck):
3067         * jit/JSInterfaceJIT.h:
3068         (JSC::JSInterfaceJIT::emitJumpIfNotType):
3069         * jit/Repatch.cpp:
3070         (JSC::repatchByIdSelfAccess):
3071         (JSC::addStructureTransitionCheck):
3072         (JSC::replaceWithJump):
3073         (JSC::generateProtoChainAccessStub):
3074         (JSC::tryCacheGetByID):
3075         (JSC::tryBuildGetByIDList):
3076         (JSC::writeBarrier):
3077         (JSC::emitPutReplaceStub):
3078         (JSC::emitPutTransitionStub):
3079         (JSC::tryBuildPutByIdList):
3080         (JSC::tryRepatchIn):
3081         (JSC::linkClosureCall):
3082         (JSC::resetGetByID):
3083         (JSC::resetPutByID):
3084         * jit/SpecializedThunkJIT.h:
3085         (JSC::SpecializedThunkJIT::loadJSStringArgument):
3086         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
3087         * jit/ThunkGenerators.cpp:
3088         (JSC::virtualForThunkGenerator):
3089         (JSC::arrayIteratorNextThunkGenerator):
3090         * jit/UnusedPointer.h:
3091         * llint/LowLevelInterpreter.asm:
3092         * llint/LowLevelInterpreter32_64.asm:
3093         * llint/LowLevelInterpreter64.asm:
3094         * runtime/Arguments.cpp:
3095         (JSC::Arguments::createStrictModeCallerIfNecessary):
3096         (JSC::Arguments::createStrictModeCalleeIfNecessary):
3097         * runtime/Arguments.h:
3098         (JSC::Arguments::createStructure):
3099         * runtime/ArrayPrototype.cpp:
3100         (JSC::shift):
3101         (JSC::unshift):
3102         (JSC::arrayProtoFuncToString):
3103         (JSC::arrayProtoFuncPop):
3104         (JSC::arrayProtoFuncReverse):
3105         (JSC::performSlowSort):
3106         (JSC::arrayProtoFuncSort):
3107         (JSC::arrayProtoFuncSplice):
3108         (JSC::arrayProtoFuncUnShift):
3109         * runtime/CommonSlowPaths.cpp:
3110         (JSC::SLOW_PATH_DECL):
3111         * runtime/Executable.h:
3112         (JSC::ExecutableBase::isFunctionExecutable):
3113         (JSC::ExecutableBase::clearCodeVirtual):
3114         (JSC::ScriptExecutable::unlinkCalls):
3115         * runtime/GetterSetter.cpp:
3116         (JSC::callGetter):
3117         (JSC::callSetter):
3118         * runtime/InitializeThreading.cpp:
3119         * runtime/JSArray.cpp:
3120         (JSC::JSArray::unshiftCountSlowCase):
3121         (JSC::JSArray::setLength):
3122         (JSC::JSArray::pop):
3123         (JSC::JSArray::push):
3124         (JSC::JSArray::shiftCountWithArrayStorage):
3125         (JSC::JSArray::shiftCountWithAnyIndexingType):
3126         (JSC::JSArray::unshiftCountWithArrayStorage):
3127         (JSC::JSArray::unshiftCountWithAnyIndexingType):
3128         (JSC::JSArray::sortNumericVector):
3129         (JSC::JSArray::sortNumeric):
3130         (JSC::JSArray::sortCompactedVector):
3131         (JSC::JSArray::sort):
3132         (JSC::JSArray::sortVector):
3133         (JSC::JSArray::fillArgList):
3134         (JSC::JSArray::copyToArguments):
3135         (JSC::JSArray::compactForSorting):
3136         * runtime/JSCJSValueInlines.h:
3137         (JSC::JSValue::toThis):
3138         (JSC::JSValue::put):
3139         (JSC::JSValue::putByIndex):
3140         (JSC::JSValue::equalSlowCaseInline):
3141         * runtime/JSCell.cpp:
3142         (JSC::JSCell::put):
3143         (JSC::JSCell::putByIndex):
3144         (JSC::JSCell::deleteProperty):
3145         (JSC::JSCell::deletePropertyByIndex):
3146         * runtime/JSCell.h:
3147         (JSC::JSCell::clearStructure):
3148         (JSC::JSCell::mark):
3149         (JSC::JSCell::isMarked):
3150         (JSC::JSCell::structureIDOffset):
3151         (JSC::JSCell::typeInfoFlagsOffset):
3152         (JSC::JSCell::typeInfoTypeOffset):
3153         (JSC::JSCell::indexingTypeOffset):
3154         (JSC::JSCell::gcDataOffset):
3155         * runtime/JSCellInlines.h:
3156         (JSC::JSCell::JSCell):
3157         (JSC::JSCell::finishCreation):
3158         (JSC::JSCell::type):
3159         (JSC::JSCell::indexingType):
3160         (JSC::JSCell::structure):
3161         (JSC::JSCell::visitChildren):
3162         (JSC::JSCell::isObject):
3163         (JSC::JSCell::isString):
3164         (JSC::JSCell::isGetterSetter):
3165         (JSC::JSCell::isProxy):
3166         (JSC::JSCell::isAPIValueWrapper):
3167         (JSC::JSCell::setStructure):
3168         (JSC::JSCell::methodTable):
3169         (JSC::Heap::writeBarrier):
3170         * runtime/JSDataView.cpp:
3171         (JSC::JSDataView::createStructure):
3172         * runtime/JSDestructibleObject.h:
3173         (JSC::JSCell::classInfo):
3174         * runtime/JSFunction.cpp:
3175         (JSC::JSFunction::getOwnNonIndexPropertyNames):
3176         (JSC::JSFunction::put):
3177         (JSC::JSFunction::defineOwnProperty):
3178         * runtime/JSGenericTypedArrayView.h:
3179         (JSC::JSGenericTypedArrayView::createStructure):
3180         * runtime/JSObject.cpp:
3181         (JSC::getCallableObjectSlow):
3182         (JSC::JSObject::copyButterfly):
3183         (JSC::JSObject::visitButterfly):
3184         (JSC::JSFinalObject::visitChildren):
3185         (JSC::JSObject::getOwnPropertySlotByIndex):
3186         (JSC::JSObject::put):
3187         (JSC::JSObject::putByIndex):
3188         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
3189         (JSC::JSObject::enterDictionaryIndexingMode):
3190         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
3191         (JSC::JSObject::createInitialIndexedStorage):
3192         (JSC::JSObject::createInitialUndecided):
3193         (JSC::JSObject::createInitialInt32):
3194         (JSC::JSObject::createInitialDouble):
3195         (JSC::JSObject::createInitialContiguous):
3196         (JSC::JSObject::createArrayStorage):
3197         (JSC::JSObject::convertUndecidedToInt32):
3198         (JSC::JSObject::convertUndecidedToDouble):
3199         (JSC::JSObject::convertUndecidedToContiguous):
3200         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
3201         (JSC::JSObject::convertUndecidedToArrayStorage):
3202         (JSC::JSObject::convertInt32ToDouble):
3203         (JSC::JSObject::convertInt32ToContiguous):
3204         (JSC::JSObject::convertInt32ToArrayStorage):
3205         (JSC::JSObject::genericConvertDoubleToContiguous):
3206         (JSC::JSObject::convertDoubleToArrayStorage):
3207         (JSC::JSObject::convertContiguousToArrayStorage):
3208         (JSC::JSObject::ensureInt32Slow):
3209         (JSC::JSObject::ensureDoubleSlow):
3210         (JSC::JSObject::ensureContiguousSlow):
3211         (JSC::JSObject::ensureArrayStorageSlow):
3212         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
3213         (JSC::JSObject::switchToSlowPutArrayStorage):
3214         (JSC::JSObject::setPrototype):
3215         (JSC::JSObject::setPrototypeWithCycleCheck):
3216         (JSC::JSObject::putDirectNonIndexAccessor):
3217         (JSC::JSObject::deleteProperty):
3218         (JSC::JSObject::hasOwnProperty):
3219         (JSC::JSObject::deletePropertyByIndex):
3220         (JSC::JSObject::getPrimitiveNumber):
3221         (JSC::JSObject::hasInstance):
3222         (JSC::JSObject::getPropertySpecificValue):
3223         (JSC::JSObject::getPropertyNames):
3224         (JSC::JSObject::getOwnPropertyNames):
3225         (JSC::JSObject::getOwnNonIndexPropertyNames):
3226         (JSC::JSObject::seal):
3227         (JSC::JSObject::freeze):
3228         (JSC::JSObject::preventExtensions):
3229         (JSC::JSObject::reifyStaticFunctionsForDelete):
3230         (JSC::JSObject::removeDirect):
3231         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
3232         (JSC::JSObject::putByIndexBeyondVectorLength):
3233         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
3234         (JSC::JSObject::putDirectIndexBeyondVectorLength):
3235         (JSC::JSObject::getNewVectorLength):
3236         (JSC::JSObject::countElements):
3237         (JSC::JSObject::increaseVectorLength):
3238         (JSC::JSObject::ensureLengthSlow):
3239         (JSC::JSObject::growOutOfLineStorage):
3240         (JSC::JSObject::getOwnPropertyDescriptor):
3241         (JSC::putDescriptor):
3242         (JSC::JSObject::defineOwnNonIndexProperty):
3243         * runtime/JSObject.h:
3244         (JSC::getJSFunction):
3245         (JSC::JSObject::getArrayLength):
3246         (JSC::JSObject::getVectorLength):
3247         (JSC::JSObject::putByIndexInline):
3248         (JSC::JSObject::canGetIndexQuickly):
3249         (JSC::JSObject::getIndexQuickly):
3250         (JSC::JSObject::tryGetIndexQuickly):
3251         (JSC::JSObject::getDirectIndex):
3252         (JSC::JSObject::canSetIndexQuickly):
3253         (JSC::JSObject::canSetIndexQuicklyForPutDirect):
3254         (JSC::JSObject::setIndexQuickly):
3255         (JSC::JSObject::initializeIndex):
3256         (JSC::JSObject::hasSparseMap):
3257         (JSC::JSObject::inSparseIndexingMode):
3258         (JSC::JSObject::getDirect):
3259         (JSC::JSObject::getDirectOffset):
3260         (JSC::JSObject::isSealed):
3261         (JSC::JSObject::isFrozen):
3262         (JSC::JSObject::flattenDictionaryObject):
3263         (JSC::JSObject::ensureInt32):
3264         (JSC::JSObject::ensureDouble):
3265         (JSC::JSObject::ensureContiguous):
3266         (JSC::JSObject::rageEnsureContiguous):
3267         (JSC::JSObject::ensureArrayStorage):
3268         (JSC::JSObject::arrayStorage):
3269         (JSC::JSObject::arrayStorageOrNull):
3270         (JSC::JSObject::ensureLength):
3271         (JSC::JSObject::currentIndexingData):
3272         (JSC::JSObject::getHolyIndexQuickly):
3273         (JSC::JSObject::currentRelevantLength):
3274         (JSC::JSObject::isGlobalObject):
3275         (JSC::JSObject::isVariableObject):
3276         (JSC::JSObject::isStaticScopeObject):
3277         (JSC::JSObject::isNameScopeObject):
3278         (JSC::JSObject::isActivationObject):
3279         (JSC::JSObject::isErrorInstance):
3280         (JSC::JSObject::inlineGetOwnPropertySlot):
3281         (JSC::JSObject::fastGetOwnPropertySlot):
3282         (JSC::JSObject::getPropertySlot):
3283         (JSC::JSObject::putDirectInternal):
3284         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
3285         * runtime/JSPropertyNameIterator.h:
3286         (JSC::JSPropertyNameIterator::createStructure):
3287         * runtime/JSProxy.cpp:
3288         (JSC::JSProxy::getOwnPropertySlot):
3289         (JSC::JSProxy::getOwnPropertySlotByIndex):
3290         (JSC::JSProxy::put):
3291         (JSC::JSProxy::putByIndex):
3292         (JSC::JSProxy::defineOwnProperty):
3293         (JSC::JSProxy::deleteProperty):
3294         (JSC::JSProxy::deletePropertyByIndex):
3295         (JSC::JSProxy::getPropertyNames):
3296         (JSC::JSProxy::getOwnPropertyNames):
3297         * runtime/JSScope.cpp:
3298         (JSC::JSScope::objectAtScope):
3299         * runtime/JSString.h:
3300         (JSC::JSString::createStructure):
3301         (JSC::isJSString):
3302         * runtime/JSType.h:
3303         * runtime/JSTypeInfo.h:
3304         (JSC::TypeInfo::TypeInfo):
3305         (JSC::TypeInfo::isObject):
3306         (JSC::TypeInfo::structureIsImmortal):
3307         (JSC::TypeInfo::zeroedGCDataOffset):
3308         (JSC::TypeInfo::inlineTypeFlags):
3309         * runtime/MapData.h:
3310         * runtime/ObjectConstructor.cpp:
3311         (JSC::objectConstructorGetOwnPropertyNames):
3312         (JSC::objectConstructorKeys):
3313         (JSC::objectConstructorDefineProperty):
3314         (JSC::defineProperties):
3315         (JSC::objectConstructorSeal):
3316         (JSC::objectConstructorFreeze):
3317         (JSC::objectConstructorIsSealed):
3318         (JSC::objectConstructorIsFrozen):
3319         * runtime/ObjectPrototype.cpp:
3320         (JSC::objectProtoFuncDefineGetter):
3321         (JSC::objectProtoFuncDefineSetter):
3322         (JSC::objectProtoFuncToString):
3323         * runtime/Operations.cpp:
3324         (JSC::jsTypeStringForValue):
3325         (JSC::jsIsObjectType):
3326         * runtime/Operations.h:
3327         (JSC::normalizePrototypeChainForChainAccess):
3328         (JSC::normalizePrototypeChain):
3329         * runtime/PropertyMapHashTable.h:
3330         (JSC::PropertyTable::createStructure):
3331         * runtime/RegExp.h:
3332         (JSC::RegExp::createStructure):
3333         * runtime/SparseArrayValueMap.h:
3334         * runtime/Structure.cpp:
3335         (JSC::Structure::Structure):
3336         (JSC::Structure::~Structure):
3337         (JSC::Structure::prototypeChainMayInterceptStoreTo):
3338         * runtime/Structure.h:
3339         (JSC::Structure::id):
3340         (JSC::Structure::idBlob):
3341         (JSC::Structure::objectInitializationFields):
3342         (JSC::Structure::structureIDOffset):
3343         * runtime/StructureChain.h:
3344         (JSC::StructureChain::createStructure):
3345         * runtime/StructureIDTable.cpp: Added.
3346         (JSC::StructureIDTable::StructureIDTable):
3347         (JSC::StructureIDTable::~StructureIDTable):
3348         (JSC::StructureIDTable::resize):
3349         (JSC::StructureIDTable::flushOldTables):
3350         (JSC::StructureIDTable::allocateID):
3351         (JSC::StructureIDTable::deallocateID):
3352         * runtime/StructureIDTable.h: Added.
3353         (JSC::StructureIDTable::base):
3354         (JSC::StructureIDTable::get):
3355         * runtime/SymbolTable.h:
3356         * runtime/TypedArrayType.cpp:
3357         (JSC::typeForTypedArrayType):
3358         * runtime/TypedArrayType.h:
3359         * runtime/WeakMapData.h:
3360
3361 2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>
3362
3363         Unconditional logging in compileFTLOSRExit
3364         https://bugs.webkit.org/show_bug.cgi?id=129407
3365
3366         Reviewed by Michael Saboff.
3367
3368         This was causing tests to fail with the FTL enabled.
3369
3370         * ftl/FTLOSRExitCompiler.cpp:
3371         (JSC::FTL::compileFTLOSRExit):
3372
3373 2014-02-26  Oliver Hunt  <oliver@apple.com>
3374
3375         Remove unused access types
3376         https://bugs.webkit.org/show_bug.cgi?id=129385
3377
3378         Reviewed by Filip Pizlo.
3379
3380         Remove unused cruft.
3381
3382         * bytecode/CodeBlock.cpp:
3383         (JSC::CodeBlock::printGetByIdCacheStatus):
3384         * bytecode/StructureStubInfo.cpp:
3385         (JSC::StructureStubInfo::deref):
3386         * bytecode/StructureStubInfo.h:
3387         (JSC::isGetByIdAccess):
3388         (JSC::isPutByIdAccess):
3389
3390 2014-02-26  Oliver Hunt  <oliver@apple.com>
3391
3392         Function.prototype.apply has a bad time with the spread operator
3393         https://bugs.webkit.org/show_bug.cgi?id=129381
3394
3395         Reviewed by Mark Hahnenberg.
3396
        Make sure our apply logic handles the spread operator correctly.
3398         To do this we simply emit the enumeration logic that we'd normally
3399         use for other enumerations, but only store the first two results
3400         to registers.  Then perform a varargs call.
3401
3402         * bytecompiler/NodesCodegen.cpp:
3403         (JSC::ApplyFunctionCallDotNode::emitBytecode):
3404
3405 2014-02-26  Mark Lam  <mark.lam@apple.com>
3406
3407         Compilation policy management belongs in operationOptimize(), not the DFG Driver.
3408         <https://webkit.org/b/129355>
3409
3410         Reviewed by Filip Pizlo.
3411
3412         By compilation policy, I mean the rules for determining whether to
3413         compile, when to compile, when to attempt compilation again, etc.  The
3414         few of these policy decisions that were previously being made in the
3415         DFG driver are now moved to operationOptimize() where we keep the rest
3416         of the policy logic.  Decisions that are based on the capabilities
        supported by the DFG are moved to DFG capabilityLevel().
3418
3419         I've run the following benchmarks:
3420         1. the collection of jsc benchmarks on the jsc executable vs. its
3421            baseline.
3422         2. Octane 2.0 in browser without the WebInspector.
3423         3. Octane 2.0 in browser with the WebInspector open and a breakpoint
3424            set somewhere where it won't break.
3425
3426         In all of these, the results came out to be a wash as expected.
3427
3428         * dfg/DFGCapabilities.cpp:
3429         (JSC::DFG::isSupported):
3430         (JSC::DFG::mightCompileEval):
3431         (JSC::DFG::mightCompileProgram):
3432         (JSC::DFG::mightCompileFunctionForCall):
3433         (JSC::DFG::mightCompileFunctionForConstruct):
3434         (JSC::DFG::mightInlineFunctionForCall):
3435         (JSC::DFG::mightInlineFunctionForClosureCall):
3436         (JSC::DFG::mightInlineFunctionForConstruct):
3437         * dfg/DFGCapabilities.h:
3438         * dfg/DFGDriver.cpp:
3439         (JSC::DFG::compileImpl):
3440         * jit/JITOperations.cpp:
3441
3442 2014-02-26  Mark Lam  <mark.lam@apple.com>
3443
3444         ASSERTION FAILED: m_heap->vm()->currentThreadIsHoldingAPILock() in inspector-protocol/*.
3445         <https://webkit.org/b/129364>
3446
3447         Reviewed by Alexey Proskuryakov.
3448
3449         InjectedScriptModule::ensureInjected() needs an APIEntryShim.
3450
3451         * inspector/InjectedScriptModule.cpp:
3452         (Inspector::InjectedScriptModule::ensureInjected):
3453         - Added the needed but missing APIEntryShim. 
3454
3455 2014-02-25  Mark Lam  <mark.lam@apple.com>
3456
3457         Web Inspector: CRASH when evaluating in console of JSContext RWI with disabled breakpoints.
3458         <https://webkit.org/b/128766>
3459
3460         Reviewed by Geoffrey Garen.
3461
3462         Make the JSLock::grabAllLocks() work the same way as for the C loop LLINT.
3463         The reasoning is that we don't know of any clients that need unordered
3464         re-entry into the VM from different threads. So, we're enforcing ordered
3465         re-entry i.e. we must re-grab locks in the reverse order of dropping locks.
3466
3467         The crash in this bug happened because we were allowing unordered re-entry,
3468         and the following type of scenario occurred:
3469
3470         1. Thread T1 locks the VM, and enters the VM to execute some JS code.
3471         2. On entry, T1 detects that VM::m_entryScope is null i.e. this is the
3472            first time it entered the VM.
3473            T1 sets VM::m_entryScope to T1's entryScope.
3474         3. T1 drops all locks.
3475
3476         4. Thread T2 locks the VM, and enters the VM to execute some JS code.
3477            On entry, T2 sees that VM::m_entryScope is NOT null, and therefore
3478            does not set the entryScope.
3479         5. T2 drops all locks.
3480
3481         6. T1 re-grabs locks.
3482         7. T1 returns all the way out of JS code. On exit from the outer most
3483            JS function, T1 clears VM::m_entryScope (because T1 was the one who
3484            set it).
3485         8. T1 unlocks the VM.
3486
3487         9. T2 re-grabs locks.
3488         10. T2 proceeds to execute some code and expects VM::m_entryScope to be
3489             NOT null, but it turns out to be null. Assertion failures and
3490             crashes ensue.
3491
3492         With ordered re-entry, at step 6, T1 will loop and yield until T2 exits
3493         the VM. Hence, the issue will no longer manifest.
3494
3495         * runtime/JSLock.cpp:
3496         (JSC::JSLock::dropAllLocks):
3497         (JSC::JSLock::grabAllLocks):
3498         * runtime/JSLock.h:
3499         (JSC::JSLock::DropAllLocks::dropDepth):
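
        The following is an added model of the ordered re-entry rule this entry
        describes; it is illustration written for this page, not JSC's JSLock or
        VM code. VMModel, LockModel, ThreadModel, DropToken and runScenario are
        hypothetical names, and the two "threads" are stepped by hand so that the
        ten-step interleaving above is replayed deterministically under both the
        old unordered policy and the ordered (LIFO) policy.

```cpp
#include <cassert>

// Hand-stepped model of the re-entry ordering described above. All names here are
// hypothetical stand-ins, not JSC's JSLock/VM; no real threads are involved.
struct VMModel {
    int entryScopeOwner = 0;   // 0 models a null VM::m_entryScope
};

struct LockModel {
    bool ordered;              // true: LIFO re-entry (the fix); false: old behaviour
    int owner = 0;             // thread id holding the lock, 0 if free
    unsigned lockCount = 0;    // recursive lock depth held by the owner
    unsigned dropDepth = 0;    // DropAllLocks outstanding, not yet re-grabbed
    struct DropToken { unsigned lockCount; unsigned depth; };
    explicit LockModel(bool orderedReentry) : ordered(orderedReentry) {}

    bool lock(int tid) {
        if (owner && owner != tid)
            return false;      // held by another thread: caller would block
        owner = tid; ++lockCount;
        return true;
    }
    void unlock(int tid) {
        assert(owner == tid && lockCount);
        if (!--lockCount) owner = 0;
    }
    // Give the lock up completely; the token is what the thread presents to re-grab.
    DropToken dropAllLocks(int tid) {
        assert(owner == tid);
        DropToken token { lockCount, ++dropDepth };
        lockCount = 0; owner = 0;
        return token;
    }
    // Take the lock back. Returns false if the caller must yield and retry: with
    // ordered re-entry only the most recent dropper may come back in.
    bool grabAllLocks(int tid, const DropToken& token) {
        if (ordered && token.depth != dropDepth)
            return false;
        if (!lock(tid))
            return false;
        lockCount = token.lockCount; --dropDepth;
        return true;
    }
};

struct ThreadModel {
    int id;
    bool ownsEntryScope = false;
    LockModel::DropToken token {};

    void enterVM(VMModel& vm, LockModel& lock) {
        if (!lock.lock(id))
            assert(false && "lock held by another thread");
        if (!vm.entryScopeOwner) {        // first entry: this thread sets the scope
            vm.entryScopeOwner = id;
            ownsEntryScope = true;
        }
    }
    void exitVM(VMModel& vm, LockModel& lock) {
        if (ownsEntryScope)               // only the thread that set it clears it
            vm.entryScopeOwner = 0;
        ownsEntryScope = false;
        lock.unlock(id);
    }
};

struct Outcome {
    bool t1YieldedAtStep6;     // did T1 have to wait for T2 at step 6?
    int entryScopeSeenByT2;    // what T2 sees at step 10; 0 is the crash
};

// Replays steps 1-10 of the entry under either lock policy.
Outcome runScenario(bool orderedReentry) {
    VMModel vm;
    LockModel lock(orderedReentry);
    ThreadModel t1 { 1 }, t2 { 2 };

    t1.enterVM(vm, lock);                 // steps 1-2: T1 sets m_entryScope
    t1.token = lock.dropAllLocks(1);      // step 3
    t2.enterVM(vm, lock);                 // step 4: scope already set, T2 leaves it
    t2.token = lock.dropAllLocks(2);      // step 5
    Outcome out { !lock.grabAllLocks(1, t1.token), -1 };   // step 6
    if (!out.t1YieldedAtStep6)
        t1.exitVM(vm, lock);              // steps 7-8: T1 clears the scope early
    if (!lock.grabAllLocks(2, t2.token))                   // step 9
        assert(false && "T2 is the last dropper and must get the lock");
    out.entryScopeSeenByT2 = vm.entryScopeOwner;           // step 10
    t2.exitVM(vm, lock);
    if (out.t1YieldedAtStep6) {           // T1's retry succeeds once T2 is out
        if (!lock.grabAllLocks(1, t1.token))
            assert(false && "T1 is now the last dropper");
        t1.exitVM(vm, lock);
    }
    assert(!lock.owner && !lock.dropDepth);
    return out;
}
```

        With ordered == false, runScenario reports that T2 observes a null entry
        scope at step 10, which is the condition behind the assertion failures;
        with ordered == true, T1's re-grab at step 6 is refused because its drop
        token is not the most recent one, T2 re-enters and exits first, and the
        entry scope is still set when T2 looks at it.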
3500
3501 2014-02-25  Mark Lam  <mark.lam@apple.com>
3502
3503         Need to initialize VM stack data even when the VM is on an exclusive thread.
3504         <https://webkit.org/b/129265>
3505
3506         Not reviewed.
3507
3508         Relanding r164627 now that <https://webkit.org/b/129341> is fixed.
3509
3510         * API/APIShims.h:
3511         (JSC::APIEntryShim::APIEntryShim):
3512         (JSC::APICallbackShim::shouldDropAllLocks):
3513         * heap/MachineStackMarker.cpp:
3514         (JSC::MachineThreads::addCurrentThread):
3515         * runtime/JSLock.cpp:
3516         (JSC::JSLockHolder::JSLockHolder):
3517         (JSC::JSLockHolder::init):
3518         (JSC::JSLockHolder::~JSLockHolder):
3519         (JSC::JSLock::JSLock):
3520         (JSC::JSLock::setExclusiveThread):
3521         (JSC::JSLock::lock):
3522         (JSC::JSLock::unlock):
3523         (JSC::JSLock::currentThreadIsHoldingLock):
3524         (JSC::JSLock::dropAllLocks):
3525         (JSC::JSLock::grabAllLocks):
3526         * runtime/JSLock.h:
3527         (JSC::JSLock::hasExclusiveThread):
3528         (JSC::JSLock::exclusiveThread):
3529         * runtime/VM.cpp:
3530         (JSC::VM::VM):
3531         * runtime/VM.h:
3532         (JSC::VM::hasExclusiveThread):
3533         (JSC::VM::exclusiveThread):
3534         (JSC::VM::setExclusiveThread):
3535         (JSC::VM::currentThreadIsHoldingAPILock):
3536
3537 2014-02-25  Filip Pizlo  <fpizlo@apple.com>
3538
3539         Inline caching in the FTL on ARM64 should "work"
3540         https://bugs.webkit.org/show_bug.cgi?id=129334
3541
3542         Reviewed by Mark Hahnenberg.
3543         
3544         Gets us to the point where simple tests that use inline caching are passing.
3545
3546         * assembler/LinkBuffer.cpp:
3547         (JSC::LinkBuffer::copyCompactAndLinkCode):
3548         (JSC::LinkBuffer::shrink):
3549         * ftl/FTLInlineCacheSize.cpp:
3550         (JSC::FTL::sizeOfGetById):
3551         (JSC::FTL::sizeOfPutById):
3552         (JSC::FTL::sizeOfCall):
3553         * ftl/FTLOSRExitCompiler.cpp:
3554         (JSC::FTL::compileFTLOSRExit):
3555         * ftl/FTLThunks.cpp:
3556         (JSC::FTL::osrExitGenerationThunkGenerator):
3557         * jit/GPRInfo.h:
3558         * offlineasm/arm64.rb:
3559
2014-02-25  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r164627.
        http://trac.webkit.org/changeset/164627
        https://bugs.webkit.org/show_bug.cgi?id=129325

        Broke SubtleCrypto tests (Requested by ap on #webkit).

        * API/APIShims.h:
        (JSC::APIEntryShim::APIEntryShim):
        (JSC::APICallbackShim::shouldDropAllLocks):
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::addCurrentThread):
        * runtime/JSLock.cpp:
        (JSC::JSLockHolder::JSLockHolder):
        (JSC::JSLockHolder::init):
        (JSC::JSLockHolder::~JSLockHolder):
        (JSC::JSLock::JSLock):
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::currentThreadIsHoldingLock):
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::grabAllLocks):
        * runtime/JSLock.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::currentThreadIsHoldingAPILock):

2014-02-25  Filip Pizlo  <fpizlo@apple.com>

        ARM64 rshift64 should be an arithmetic shift
        https://bugs.webkit.org/show_bug.cgi?id=129323

        Reviewed by Mark Hahnenberg.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::rshift64):

2014-02-25  Sergio Villar Senin  <svillar@igalia.com>

        [CSS Grid Layout] Add ENABLE flag
        https://bugs.webkit.org/show_bug.cgi?id=129153

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig: added ENABLE_CSS_GRID_LAYOUT feature flag.

2014-02-25  Michael Saboff  <msaboff@apple.com>

        JIT Engines use the wrong stack limit for stack checks
        https://bugs.webkit.org/show_bug.cgi?id=129314

        Reviewed by Filip Pizlo.

        Change the Baseline and DFG code to use VM::m_stackLimit for stack limit checks.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):
        * runtime/VM.h:
        (JSC::VM::addressOfStackLimit):

2014-02-25  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/164493.

        It causes crashes, apparently because it's removing too many barriers. I will investigate
        later.

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationToAbbreviatedString):
        * bytecode/SpeculatedType.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::insertStoreBarrier):
        * dfg/DFGNode.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::isNotNully):
        (JSC::FTL::LowerDFGToLLVM::isNully):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
        (JSC::FTL::LowerDFGToLLVM::speculateNotCell):

2014-02-24  Oliver Hunt  <oliver@apple.com>

        Fix build.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):

2014-02-24  Oliver Hunt  <oliver@apple.com>

        Spread operator has a bad time when applied to call function
        https://bugs.webkit.org/show_bug.cgi?id=128853

        Reviewed by Geoffrey Garen.

        Follow on from the previous patch that added an extra slot to
        op_call_varargs (and _call, _call_eval, _construct).  We now
        use the slot as an offset to in effect act as a 'slice' on
        the spread subject.  This allows us to automatically retain
        all our existing argument and array optimisations.  Most of
        this patch is simply threading the offset around.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitCallVarargs):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::getArgumentByVal):
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        (JSC::sizeFrameForVarargs):
        (JSC::loadVarargs):
        * interpreter/Interpreter.h:
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Arguments.cpp:
        (JSC::Arguments::copyToArguments):
        * runtime/Arguments.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::copyToArguments):
        * runtime/JSArray.h:

2014-02-24  Mark Lam  <mark.lam@apple.com>

        Need to initialize VM stack data even when the VM is on an exclusive thread.
        <https://webkit.org/b/129265>

        Reviewed by Geoffrey Garen.

        We check VM::exclusiveThread as an optimization to forego the need to do
        JSLock locking. However, we recently started piggybacking on JSLock's
        lock() and unlock() to initialize VM stack data (stackPointerAtVMEntry
        and lastStackTop) to appropriate values for the current thread. This is
        needed because we may be acquiring the lock to enter the VM on a different
        thread.

        As a result, we ended up not initializing the VM stack data when
        VM::exclusiveThread causes us to bypass the locking activity. Even though
        the VM::exclusiveThread will not have to deal with the VM being entered
        on a different thread, it still needs to initialize the VM stack data.
        The VM relies on that data being initialized properly once it has been
        entered.

        With this fix, we push the check for exclusiveThread down into the JSLock,
        and handle the bypassing of unneeded locking activity there while still
        executing the necessary VM stack data initialization.

        * API/APIShims.h:
        (JSC::APIEntryShim::APIEntryShim):
        (JSC::APICallbackShim::shouldDropAllLocks):
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::addCurrentThread):
        * runtime/JSLock.cpp:
        (JSC::JSLockHolder::JSLockHolder):
        (JSC::JSLockHolder::init):
        (JSC::JSLockHolder::~JSLockHolder):
        (JSC::JSLock::JSLock):
        (JSC::JSLock::setExclusiveThread):
        (JSC::JSLock::lock):
        (JSLock::unlock):
        (JSLock::currentThreadIsHoldingLock):
        (JSLock::dropAllLocks):
        (JSLock::grabAllLocks):
        * runtime/JSLock.h:
        (JSC::JSLock::exclusiveThread):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::exclusiveThread):
        (JSC::VM::setExclusiveThread):
        (JSC::VM::currentThreadIsHoldingAPILock):

2014-02-24  Filip Pizlo  <fpizlo@apple.com>

        FTL should do polymorphic PutById inlining
        https://bugs.webkit.org/show_bug.cgi?id=129210

        Reviewed by Mark Hahnenberg and Oliver Hunt.

        This makes PutByIdStatus inform us about polymorphic cases by returning an array of
        PutByIdVariants. The DFG now has a node called MultiPutByOffset that indicates a
        selection of multiple inlined PutByIdVariants.

        MultiPutByOffset is almost identical to MultiGetByOffset, which we added in
        http://trac.webkit.org/changeset/164207.

        This also does some FTL refactoring to make MultiPutByOffset share code with some nodes
        that generate similar code.

        1% speed-up on V8v7 due to splay improving by 6.8%. Splay does the thing where it
        sometimes swaps field insertion order, creating fake polymorphism.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        (JSC::PutByIdStatus::computeFor):
        (JSC::PutByIdStatus::computeForStubInfo):
        (JSC::PutByIdStatus::dump):
        * bytecode/PutByIdStatus.h:
        (JSC::PutByIdStatus::PutByIdStatus):
        (JSC::PutByIdStatus::isSimple):
        (JSC::PutByIdStatus::numVariants):
        (JSC::PutByIdStatus::variants):
        (JSC::PutByIdStatus::at):
        (JSC::PutByIdStatus::operator[]):
        * bytecode/PutByIdVariant.cpp: Added.
        (JSC::PutByIdVariant::dump):
        (JSC::PutByIdVariant::dumpInContext):
        * bytecode/PutByIdVariant.h: Added.
        (JSC::PutByIdVariant::PutByIdVariant):
        (JSC::PutByIdVariant::replace):
        (JSC::PutByIdVariant::transition):
        (JSC::PutByIdVariant::kind):
        (JSC::PutByIdVariant::isSet):
        (JSC::PutByIdVariant::operator!):
        (JSC::PutByIdVariant::structure):
        (JSC::PutByIdVariant::oldStructure):
        (JSC::PutByIdVariant::newStructure):
        (JSC::PutByIdVariant::structureChain):
        (JSC::PutByIdVariant::offset):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::emitPutById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::checkStructureElimination):
        (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        * dfg/DFGNode.cpp:
        (JSC::DFG::MultiPutByOffsetData::writesStructures):
        (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToPutByOffset):
        (JSC::DFG::Node::hasMultiPutByOffsetData):
        (JSC::DFG::Node::multiPutByOffsetData):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
        (JSC::FTL::LowerDFGToLLVM::compileAllocatePropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::compileReallocatePropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
        (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
        (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
        (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
        (JSC::FTL::LowerDFGToLLVM::loadProperty):
        (JSC::FTL::LowerDFGToLLVM::storeProperty):
        (JSC::FTL::LowerDFGToLLVM::addressOfProperty):
        (JSC::FTL::LowerDFGToLLVM::storageForTransition):
        (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::reallocatePropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
        * tests/stress/fold-multi-put-by-offset-to-put-by-offset.js: Added.
        * tests/stress/multi-put-by-offset-reallocation-butterfly-cse.js: Added.
        * tests/stress/multi-put-by-offset-reallocation-cases.js: Added.

2014-02-24  peavo@outlook.com  <peavo@outlook.com>

        JSC regressions after r164494
        https://bugs.webkit.org/show_bug.cgi?id=129272

        Reviewed by Mark Lam.

        * offlineasm/x86.rb: Only avoid reverse opcode (fdivr) for Windows.

2014-02-24  Tamas Gergely  <tgergely.u-szeged@partner.samsung.com>

        Code cleanup: remove leftover ENABLE(WORKERS) macros and support.
        https://bugs.webkit.org/show_bug.cgi?id=129255

        Reviewed by Csaba Osztrogonác.

        ENABLE_WORKERS macro was removed in r159679.
        Support is now also removed from xcconfig files.

        * Configurations/FeatureDefines.xcconfig:

2014-02-24  David Kilzer  <ddkilzer@apple.com>

        Remove redundant setting in FeatureDefines.xcconfig

        * Configurations/FeatureDefines.xcconfig:

2014-02-23  Sam Weinig  <sam@webkit.org>

        Update FeatureDefines.xcconfig

        Rubber-stamped by Anders Carlsson.

        * Configurations/FeatureDefines.xcconfig:

2014-02-23  Dean Jackson  <dino@apple.com>

        Sort the project file with sort-Xcode-project-file.

        Rubber-stamped by Sam Weinig.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-02-23  Sam Weinig  <sam@webkit.org>

        Move telephone number detection behind its own ENABLE macro
        https://bugs.webkit.org/show_bug.cgi?id=129236

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig:
        Add ENABLE_TELEPHONE_NUMBER_DETECTION.

2014-02-22  Filip Pizlo  <fpizlo@apple.com>

        Refine DFG+FTL inlining and compilation limits
        https://bugs.webkit.org/show_bug.cgi?id=129212

        Reviewed by Mark Hahnenberg.

        Allow larger functions to be DFG-compiled. Institute a limit on FTL compilation,
        and set that limit quite high. Institute a limit on inlining-into. The idea here is
        that large functions tend to be autogenerated, and code generators like emscripten
        appear to leave few inlining opportunities anyway. Also, we don't want the code
        size explosion that we would risk if we allowed compilation of a large function and
        then inlined a ton of stuff into it.

        This is a 0.5% speed-up on Octane v2 and almost eliminates the typescript
        regression. This is a 9% speed-up on AsmBench.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::noticeIncomingCall):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::isSmallEnoughToInlineCodeInto):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLState.h:
        (JSC::FTL::shouldShowDisassembly):
        * runtime/Options.h:

2014-02-22  Dan Bernstein  <mitz@apple.com>

        REGRESSION (r164507): Crash beneath JSGlobalObjectInspectorController::reportAPIException at facebook.com, twitter.com, youtube.com
        https://bugs.webkit.org/show_bug.cgi?id=129227

        Reviewed by Eric Carlson.

        Reverted r164507.

        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction):
        (JSObjectMakeArray):
        (JSObjectMakeDate):
        (JSObjectMakeError):
        (JSObjectMakeRegExp):
        (JSObjectGetProperty):
        (JSObjectSetProperty):
        (JSObjectGetPropertyAtIndex):
        (JSObjectSetPropertyAtIndex):
        (JSObjectDeleteProperty):
        (JSObjectCallAsFunction):
        (JSObjectCallAsConstructor):
        * API/JSValue.mm:
        (valueToArray):
        (valueToDictionary):
        * API/JSValueRef.cpp:
        (JSValueIsEqual):
        (JSValueIsInstanceOfConstructor):
        (JSValueCreateJSONString):
        (JSValueToNumber):
        (JSValueToStringCopy):
        (JSValueToObject):
        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::ConsoleMessage):
        (Inspector::ConsoleMessage::autogenerateMetadata):
        * inspector/ConsoleMessage.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/ScriptCallStack.cpp:
        * inspector/ScriptCallStack.h:
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::createScriptCallStack):
        (Inspector::createScriptCallStackForConsole):
        (Inspector::createScriptCallStackFromException):
        * inspector/ScriptCallStackFactory.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::enable):
        (Inspector::InspectorConsoleAgent::addMessageToConsole):
        (Inspector::InspectorConsoleAgent::count):
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
