Restructure LinkBuffer to allow for alternate allocation strategies
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2013-10-19  Filip Pizlo  <fpizlo@apple.com>

        Restructure LinkBuffer to allow for alternate allocation strategies
        https://bugs.webkit.org/show_bug.cgi?id=123071

        Reviewed by Oliver Hunt.

        The idea is to eventually allow a LinkBuffer to place the code into an already
        allocated region of memory.  That region of memory could be the nop-slide left behind
        by a llvm.webkit.patchpoint.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::buffer):
        * assembler/AssemblerBuffer.h:
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        (JSC::LinkBuffer::linkCode):
        (JSC::LinkBuffer::allocate):
        (JSC::LinkBuffer::shrink):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::didFailToAllocate):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::buffer):
        (JSC::X86Assembler::X86InstructionFormatter::memoryModRM):

2013-10-19  Alexey Proskuryakov  <ap@apple.com>

        Some includes in JSC seem to use an incorrect style
        https://bugs.webkit.org/show_bug.cgi?id=123057

        Reviewed by Geoffrey Garen.

        Changed pseudo-system includes to user ones.

        * API/JSContextRef.cpp:
        * API/JSStringRefCF.cpp:
        * API/JSValueRef.cpp:
        * API/OpaqueJSString.cpp:
        * jit/JIT.h:
        * parser/SyntaxChecker.h:
        * runtime/WeakGCMap.h:

2013-10-19  Filip Pizlo  <fpizlo@apple.com>

        Baseline JIT and DFG IC code generation should be unified and rationalized
        https://bugs.webkit.org/show_bug.cgi?id=122939

        Reviewed by Geoffrey Garen.

        Introduce the JITInlineCacheGenerator, which takes a CodeBlock and a CodeOrigin plus
        some register info and creates JIT inline caches for you. Used this to even further
        unify the baseline and DFG ICs. In the future we can use this for FTL ICs. And my hope
        is that we'll be able to use it for cascading ICs: an IC for some instruction may realize
        that it needs to do the equivalent of get_by_id, so with this generator it will be able
        to create an IC even though it wasn't associated with a get_by_id bytecode instruction.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::DataLabelCompact::label):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::ecmaMode):
        * dfg/DFGInlineCacheWrapper.h: Added.
        (JSC::DFG::InlineCacheWrapper::InlineCacheWrapper):
        * dfg/DFGInlineCacheWrapperInlines.h: Added.
        (JSC::DFG::::finalize):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addGetById):
        (JSC::DFG::JITCompiler::addPutById):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::isStrictModeFor):
        (JSC::AssemblyHelpers::strictModeFor):
        * jit/GPRInfo.h:
        (JSC::JSValueRegs::tagGPR):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITInlineCacheGenerator.cpp: Added.
        (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITByIdGenerator::finalize):
        (JSC::JITByIdGenerator::generateFastPathChecks):
        (JSC::JITGetByIdGenerator::generateFastPath):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        (JSC::JITPutByIdGenerator::generateFastPath):
        (JSC::JITPutByIdGenerator::slowPathFunction):
        * jit/JITInlineCacheGenerator.h: Added.
        (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
        (JSC::JITInlineCacheGenerator::stubInfo):
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITByIdGenerator::reportSlowPathCall):
        (JSC::JITByIdGenerator::slowPathJump):
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/RegisterSet.h:
        (JSC::RegisterSet::set):

2013-10-19  Alexey Proskuryakov  <ap@apple.com>

        APICast.h uses functions from JSCJSValueInlines.h, but doesn't include it
        https://bugs.webkit.org/show_bug.cgi?id=123067

        Reviewed by Geoffrey Garen.

        * API/APICast.h: Include it.

2013-10-19  Filip Pizlo  <fpizlo@apple.com>

        FTL::Location should treat the offset as an addend in the case of a Register location
        https://bugs.webkit.org/show_bug.cgi?id=123062

        Reviewed by Sam Weinig.

        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::forStackmaps):
        (JSC::FTL::Location::dump):
        (JSC::FTL::Location::restoreInto):
        * ftl/FTLLocation.h:
        (JSC::FTL::Location::forRegister):
        (JSC::FTL::Location::hasAddend):
        (JSC::FTL::Location::addend):

2013-10-19  Nadav Rotem  <nrotem@apple.com>

        DFG dominators: document and rename stuff.
        https://bugs.webkit.org/show_bug.cgi?id=123056

        Reviewed by Filip Pizlo.

        Documented the code and renamed some variables.

        * dfg/DFGDominators.cpp:
        (JSC::DFG::Dominators::compute):
        (JSC::DFG::Dominators::pruneDominators):
        * dfg/DFGDominators.h:

2013-10-19  Julien Brianceau  <jbriance@cisco.com>

        Fix build failure for architectures with 4 argument registers.
        https://bugs.webkit.org/show_bug.cgi?id=123060

        Reviewed by Michael Saboff.

        Add missing setupArgumentsWithExecState() prototypes for architectures with 4 argument registers.
        Remove SH4 specific code no longer needed since callOperation prototype change in r157660.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):

2013-10-18  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix FTL build.

        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetById):

2013-10-18  Filip Pizlo  <fpizlo@apple.com>

        A CodeBlock's StructureStubInfos shouldn't be in a Vector that we search using code origins and machine code PCs
        https://bugs.webkit.org/show_bug.cgi?id=122940

        Reviewed by Oliver Hunt.

        This accomplishes a number of simplifications. StructureStubInfo is now non-moving,
        whereas previously it was in a Vector, so it moved. This allows you to use pointers to
        StructureStubInfo. This also eliminates the use of return PC as a way of finding the
        StructureStubInfo's. It removes some of the need for the compile-time property access
        records; for example the DFG no longer has to save information about registers in a
        property access record only to later save it to the stub info.

        The main thing it accomplishes is that it makes it easier to add StructureStubInfo's
        at any stage of compilation.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::addStubInfo):
        (JSC::CodeBlock::getStubInfoMap):
        (JSC::CodeBlock::shrinkToFit):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::begin):
        (JSC::CodeBlock::end):
        (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
        * bytecode/CodeOrigin.h:
        (JSC::CodeOrigin::CodeOrigin):
        (JSC::CodeOrigin::isHashTableDeletedValue):
        (JSC::CodeOrigin::hash):
        (JSC::CodeOriginHash::hash):
        (JSC::CodeOriginHash::equal):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        * bytecode/GetByIdStatus.h:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * bytecode/PutByIdStatus.h:
        * bytecode/StructureStubInfo.h:
        (JSC::getStructureStubInfoCodeOrigin):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::PropertyAccessRecord::PropertyAccessRecord):
        (JSC::DFG::InRecord::InRecord):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JIT.cpp:
        (JSC::PropertyStubCompilationInfo::copyToStubInfo):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::PropertyStubCompilationInfo::slowCaseInfo):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/Repatch.cpp:
        (JSC::appropriateGenericPutByIdFunction):
        (JSC::appropriateListBuildingPutByIdFunction):
        (JSC::resetPutByID):

2013-10-18  Oliver Hunt  <oliver@apple.com>

        Spread operator should be performing direct "puts" and not triggering setters
        https://bugs.webkit.org/show_bug.cgi?id=123047

        Reviewed by Geoffrey Garen.

        Add a new opcode -- op_put_by_val_direct -- and make use of it in the spread
        to array construct.  This required a new PutByValDirect node to be introduced to
        the DFG.  The current implementation simply changes the slow path function that
        is called, but in future this could be made faster as it does not need to check
        the prototype chain.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDirectPutByVal):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::getArrayLengthElimination):
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::checkStructureElimination):
        (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::clobbersWorld):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasArrayMode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByVal):
        (JSC::DFG::operationPutByValInternal):
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        (JSC::JIT::compileDirectPutByVal):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::privateCompilePutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_put_by_val):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2013-10-18  Daniel Bates  <dabates@apple.com>

        [iOS] Export symbol for VM::sharedInstanceExists()
        https://bugs.webkit.org/show_bug.cgi?id=123046

        Reviewed by Mark Hahnenberg.

        * runtime/VM.h:

2013-10-18  Daniel Bates  <dabates@apple.com>

        [iOS] Upstream WebSafe{GCActivityCallback, IncrementalSweeper}IOS
        https://bugs.webkit.org/show_bug.cgi?id=123049

        Reviewed by Mark Hahnenberg.

        * heap/Heap.cpp:
        (JSC::Heap::setIncrementalSweeper):
        * heap/Heap.h:
        * heap/HeapTimer.h:
        * heap/IncrementalSweeper.h: Make protected and export CF-variant of constructor.
        Removed unused include of header RetainPtr.h. Also forward declare class MarkedBlock
        (we include its header in the .cpp file) and remove include for header wtf/HashSet.h
        (duplicates the include in the .cpp).
        * heap/MachineStackMarker.h: Export function makeUsableFromMultipleThreads(). We aren't
        making use of this now, but we'll make use of it in a subsequent patch.

2013-10-18  Anders Carlsson  <andersca@apple.com>

        Remove spaces between template angle brackets
        https://bugs.webkit.org/show_bug.cgi?id=123040

        Reviewed by Andreas Kling.

        * API/JSCallbackObject.cpp:
        (JSC::::create):
        * API/JSObjectRef.cpp:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::constants):
        (JSC::CodeBlock::setConstantRegisters):
        * bytecode/DFGExitProfile.h:
        * bytecode/EvalCodeCache.h:
        * bytecode/Operands.h:
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::constantRegisters):
        * bytecode/Watchpoint.h:
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/StaticPropertyAnalysis.h:
        * bytecompiler/StaticPropertyAnalyzer.h:
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        * dfg/DFGBlockInsertionSet.h:
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::performCSE):
        (JSC::DFG::performStoreElimination):
        * dfg/DFGCommonData.h:
        * dfg/DFGDesiredStructureChains.h:
        * dfg/DFGDesiredWatchpoints.h:
        * dfg/DFGJITCompiler.h:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGWorklist.h:
        * heap/BlockAllocator.h:
        (JSC::CopiedBlock):
        (JSC::MarkedBlock):
        (JSC::WeakBlock):
        (JSC::MarkStackSegment):
        (JSC::CopyWorkListSegment):
        (JSC::HandleBlock):
        * heap/Heap.h:
        * heap/Local.h:
        * heap/MarkedBlock.h:
        * heap/Strong.h:
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::decodedCodeMapFor):
        * jit/AssemblyHelpers.h:
        * jit/SpecializedThunkJIT.h:
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::::parseIfStatement):
        * parser/Parser.h:
        (JSC::Scope::copyCapturedVariablesToVector):
        (JSC::parse):
        * parser/ParserArena.h:
        * parser/SourceProviderCacheItem.h:
        * profiler/LegacyProfiler.cpp:
        (JSC::dispatchFunctionToProfiles):
        * profiler/LegacyProfiler.h:
        (JSC::LegacyProfiler::currentProfiles):
        * profiler/ProfileNode.h:
        (JSC::ProfileNode::children):
        * profiler/ProfilerDatabase.h:
        * runtime/Butterfly.h:
        (JSC::Butterfly::contiguousInt32):
        (JSC::Butterfly::contiguous):
        * runtime/GenericTypedArrayViewInlines.h:
        (JSC::::create):
        * runtime/Identifier.h:
        (JSC::Identifier::add):
        * runtime/JSPromise.h:
        * runtime/PropertyMapHashTable.h:
        * runtime/PropertyNameArray.h:
        * runtime/RegExpCache.h:
        * runtime/SparseArrayValueMap.h:
        * runtime/SymbolTable.h:
        * runtime/VM.h:
        * tools/CodeProfile.cpp:
        (JSC::truncateTrace):
        * tools/CodeProfile.h:
        * yarr/YarrInterpreter.cpp:
        * yarr/YarrInterpreter.h:
        (JSC::Yarr::BytecodePattern::BytecodePattern):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
        (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
        (JSC::Yarr::YarrGenerator::opCompileBody):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::checkForTerminalParentheses):
        (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
        * yarr/YarrPattern.h:

2013-10-18  Mark Lam  <mark.lam@apple.com>

        Remove excess reserved space in ctiTrampoline frames for X86 and X86_64.
        https://bugs.webkit.org/show_bug.cgi?id=123037

        Reviewed by Geoffrey Garen.

        * jit/JITStubsMSVC64.asm:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:

2013-10-18  Filip Pizlo  <fpizlo@apple.com>

        Frequent RELEASE_ASSERT crashes in Structure::checkOffsetConsistency on WebGL swizzler tests
        https://bugs.webkit.org/show_bug.cgi?id=121661

        Reviewed by Mark Hahnenberg.

        This method shouldn't have been called from the concurrent JIT thread. That's hard to prevent
        so I added a return-early check using isCompilationThread().

        Here's why this makes sense. Structure has two ways to tell you about the layout of the objects
        it is describing: m_offset and the property table. Most structures only have m_offset and report
        null for the property table. If the property table is there, it will tell you additional
        information and that information subsumes m_offset - but the m_offset is still there. So, when
        we have a property table, we have to keep it in sync with the m_offset. There is a bunch of
        machinery to do this.

        Changing the property table only happens on the main thread.

        Because the machinery to change the property table is so complex, especially with respect to
        keeping it in sync with m_offset, we have the checkOffsetConsistency method. It's meant to be
        called at key points before and after changes to the property table or the offset.

        Most clients of Structure who care about object layout, including the concurrent thread, will
        want to know m_offset and not the property table. If they want the property table, they will
        already be super careful. The concurrent thread has special methods for this, like
        Structure::getConcurrently(), which uses fine-grained locking to ensure that it sees a coherent
        view of the property table.

        Adding locking to checkOffsetConsistency() is probably a bad idea since that method may be
        called when the relevant lock is already held. So, we'd have awkward recursive locking issues.

        But right now, the concurrent JIT thread may call a method, like Structure::outOfLineCapacity(),
        which has a call to checkOffsetConsistency(). The call to checkOffsetConsistency() is there
        because we have found that it helps quickly identify situations where the property table and
        m_offset get out of sync - mainly because code that changes either of those things will usually
        also want to know the outOfLineCapacity(). But Structure::outOfLineCapacity() doesn't *actually*
        need the property table; it uses the m_offset. The concurrent JIT is correct to call
        outOfLineCapacity(), and is right to do so without holding any locks (since in all cases where
        it calls outOfLineCapacity() it has already proven that m_offset is immutable). But because
        outOfLineCapacity() calls checkOffsetConsistency(), and checkOffsetConsistency() doesn't grab
        locks, and that same structure is having its property table modified by the main thread, we end
        up with these spurious assertion failures. FWIW, the structure isn't *actually* having *its*
        property table modified - instead what happens is that some downstream structure steals the
        property table and then starts adding things to it. The concurrent thread loads the property
        table before it's stolen, and hence the badness.

        I suspect there are other code paths that lead to the concurrent JIT calling some Structure
        method that it is fine and safe to call, but then that method calls checkOffsetConsistency(),
        and then you have a possible crash.

        The most sensible solution to this appears to be to make sure that checkOffsetConsistency() is
        aware of its uselessness to the concurrent JIT thread. This change makes it return early if
        it's in the concurrent JIT.

        * runtime/StructureInlines.h:
        (JSC::Structure::checkOffsetConsistency):

2013-10-18  Daniel Bates  <dabates@apple.com>

        Add SPI to disable the garbage collector timer
        https://bugs.webkit.org/show_bug.cgi?id=122921

        Add null check to Heap::setGarbageCollectionTimerEnabled() that I inadvertently
        omitted.

        * heap/Heap.cpp:
        (JSC::Heap::setGarbageCollectionTimerEnabled):

2013-10-18  Julien Brianceau  <jbriance@cisco.com>

        Group 64-bit specific and 32-bit specific callOperation implementations.
        https://bugs.webkit.org/show_bug.cgi?id=123024

        Reviewed by Michael Saboff.

        This is not a big deal, but could be less confusing when reading the code.

        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        (JSC::JIT::callOperationWithCallFrameRollbackOnException):
        (JSC::JIT::callOperationNoExceptionCheck):

2013-10-18  Nadav Rotem  <nrotem@apple.com>

        Fix a FlushLiveness problem.
        https://bugs.webkit.org/show_bug.cgi?id=122984

        Reviewed by Filip Pizlo.

        * dfg/DFGFlushLivenessAnalysisPhase.cpp:
        (JSC::DFG::FlushLivenessAnalysisPhase::process):

2013-10-18  Michael Saboff  <msaboff@apple.com>

        Change native function call stubs to use JIT operations instead of ctiVMHandleException
        https://bugs.webkit.org/show_bug.cgi?id=122982

        Reviewed by Geoffrey Garen.

        Change ctiVMHandleException to operationVMHandleException.  Change all exception operations to
        return the catch callFrame and entryPC via vm.callFrameForThrow and vm.targetMachinePCForThrow.
        This removed calling convention headaches, fixing https://bugs.webkit.org/show_bug.cgi?id=122980
        in the process.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::jumpToExceptionHandler):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileExceptionHandlers):
        * jit/JIT.h:
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITExceptions.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperationNoExceptionCheck):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_throw):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_throw):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/JITStubsARM.h:
        * jit/JITStubsARM64.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsMIPS.h:
        * jit/JITStubsMSVC64.asm:
        * jit/JITStubsSH4.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:
        * jit/Repatch.cpp:
        (JSC::tryBuildGetByIDList):
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::call):
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::nativeForGenerator):
        * runtime/VM.h:
        (JSC::VM::callFrameForThrowOffset):
        (JSC::VM::targetMachinePCForThrowOffset):

2013-10-18  Julien Brianceau  <jbriance@cisco.com>

        Fix J_JITOperation_EAapJ call for MIPS and ARM EABI.
        https://bugs.webkit.org/show_bug.cgi?id=123023

        Reviewed by Michael Saboff.

        * jit/JITInlines.h:
        (JSC::JIT::callOperation): EncodedJSValue parameter does not need alignment
        using EABI_32BIT_DUMMY_ARG here.

2013-10-17  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, another ARM64 build fix.

        Get rid of andPtr(TrustedImmPtr, blah), since it would take Effort to get it to work
        on ARM64 and none of its uses are legit - they should all be using
        andPtr(TrustedImm32, blah) anyway.

        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerARM64.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileExceptionHandlers):

2013-10-17  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, speculative ARM64 build fix.

        move(ImmPtr, blah) is only available in MacroAssembler since that's where blinding is
        implemented. So, you have to use TrustedImmPtr in the superclasses.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::store8):
        (JSC::MacroAssemblerARM64::branchTest8):

2013-10-17  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, speculative ARM build fix.
        https://bugs.webkit.org/show_bug.cgi?id=122890
        <rdar://problem/15258624>

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::firstRegister):
        (JSC::ARM64Assembler::lastRegister):
        (JSC::ARM64Assembler::firstFPRegister):
        (JSC::ARM64Assembler::lastFPRegister):
        * assembler/MacroAssemblerARM64.h:
        * assembler/MacroAssemblerARMv7.h:

2013-10-17  Andreas Kling  <akling@apple.com>

        Pass VM instead of JSGlobalObject to JSONObject constructor.
        <https://webkit.org/b/122999>

        JSONObject was only using the JSGlobalObject to grab at the VM.
        Dodge a few loads by passing the VM directly instead.

        Reviewed by Geoffrey Garen.

        * runtime/JSONObject.cpp:
        (JSC::JSONObject::JSONObject):
        (JSC::JSONObject::finishCreation):
        * runtime/JSONObject.h:
        (JSC::JSONObject::create):

2013-10-17  Geoffrey Garen  <ggaren@apple.com>

        Removed the JITStackFrame struct
        https://bugs.webkit.org/show_bug.cgi?id=123001

        Reviewed by Anders Carlsson.

        * jit/JITStubs.h: JITStackFrame and JITStubArg are unused now, since all
        our helper functions obey the C function call ABI.

2013-10-17  Geoffrey Garen  <ggaren@apple.com>

        Removed an unused #define
        https://bugs.webkit.org/show_bug.cgi?id=123000

        Reviewed by Anders Carlsson.

        * jit/JITStubs.h: Removed the concept of JITSTACKFRAME_ARGS_INDEX,
        since it is unused now. This is a step toward using the C stack.

2013-10-17  Geoffrey Garen  <ggaren@apple.com>

        Eliminate uses of JITSTACKFRAME_ARGS_INDEX as scratch area for thunks
        https://bugs.webkit.org/show_bug.cgi?id=122973

        Reviewed by Michael Saboff.

        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator): This was all dead code,
        so I removed it.

        The code acted as if it needed to pass an argument to
        lookupExceptionHandler, and as if it passed that argument to itself
        through JITStackFrame. However, lookupExceptionHandler does not take
        an argument (other than the default ExecState argument), and the code
        did not initialize the thing that it thought it passed to itself!

2013-10-17  Alex Christensen  <achristensen@webkit.org>

        Run JavaScriptCore tests again on Windows.
        https://bugs.webkit.org/show_bug.cgi?id=122787

        Reviewed by Tim Horton.

        * JavaScriptCore.vcxproj/JavaScriptCore.sln: Added.
        * jit/JITStubsMSVC64.asm: Removed reference to cti_vm_throw unused since r157581.

2013-10-17  Geoffrey Garen  <ggaren@apple.com>

        Removed restoreArgumentReference (another use of JITStackFrame)
        https://bugs.webkit.org/show_bug.cgi?id=122997

        Reviewed by Oliver Hunt.

        * jit/JSInterfaceJIT.h: Removed an unused function. This is a step
        toward using the C stack.

2013-10-17  Oliver Hunt  <oliver@apple.com>

        Remove JITStubCall.h
        https://bugs.webkit.org/show_bug.cgi?id=122991

        Reviewed by Geoff Garen.

        Happily this is no longer used.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
768         * JavaScriptCore.xcodeproj/project.pbxproj:
769         * jit/JIT.cpp:
770         * jit/JITArithmetic.cpp:
771         * jit/JITArithmetic32_64.cpp:
772         * jit/JITCall.cpp:
773         * jit/JITCall32_64.cpp:
774         * jit/JITOpcodes.cpp:
775         * jit/JITOpcodes32_64.cpp:
776         * jit/JITPropertyAccess.cpp:
777         * jit/JITPropertyAccess32_64.cpp:
778         * jit/JITStubCall.h: Removed.
779
780 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
781
782         Removed a use of JITSTACKFRAME_ARGS_INDEX
783         https://bugs.webkit.org/show_bug.cgi?id=122989
784
785         Reviewed by Oliver Hunt.
786
787         * jit/JITStubCall.h: Removed an unused function. This is one step closer
788         to using the C stack.
789
790 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
791
792         Change emit_op_catch to use another method to materialize VM
793         https://bugs.webkit.org/show_bug.cgi?id=122977
794
795         Reviewed by Oliver Hunt.
796
797         * jit/JITOpcodes.cpp:
798         (JSC::JIT::emit_op_catch):
799         * jit/JITOpcodes32_64.cpp:
800         (JSC::JIT::emit_op_catch): Use a constant. It removes our dependency
801         on JITStackFrame. It is also faster and simpler.
802
803 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
804
805         Eliminate emitGetJITStubArg() - dead code
806         https://bugs.webkit.org/show_bug.cgi?id=122975
807
808         Reviewed by Anders Carlsson.
809
810         * jit/JIT.h:
811         * jit/JITInlines.h: Removed unused, deprecated function.
812
813 2013-10-17  Mark Lam  <mark.lam@apple.com>
814
815         Eliminate all ASSERT references to OBJECT_OFFSETOF(struct JITStackFrame,...) in JITStubsXXX.h.
816         https://bugs.webkit.org/show_bug.cgi?id=122979.
817
818         Reviewed by Michael Saboff.
819
820         * jit/JITStubs.cpp:
821         * jit/JITStubs.h:
822         * jit/JITStubsARM.h:
823         * jit/JITStubsARM64.h:
824         * jit/JITStubsARMv7.h:
825         * jit/JITStubsMIPS.h:
826         * jit/JITStubsSH4.h:
827         * jit/JITStubsX86.h:
828         * jit/JITStubsX86_64.h:
829         * runtime/VM.cpp:
830         (JSC::VM::VM):
831
832 2013-10-17  Michael Saboff  <msaboff@apple.com>
833
834         Remove saving callFrameRegister to JITStackFrame in JITCompiler::compileFunction()
835         https://bugs.webkit.org/show_bug.cgi?id=122974
836
837         Reviewed by Geoffrey Garen.
838
839         Eliminated unneeded storing to JITStackFrame.
840
841         * dfg/DFGJITCompiler.cpp:
842         (JSC::DFG::JITCompiler::compileFunction):
843
844 2013-10-17  Michael Saboff  <msaboff@apple.com>
845
846         Transition cti_op_throw and cti_vm_throw to a JIT operation
847         https://bugs.webkit.org/show_bug.cgi?id=122931
848
849         Reviewed by Filip Pizlo.
850
851         Moved cti_op_throw to operationThrow.  Made the caller responsible for jumping to the
852         catch handler.  Eliminated cti_op_throw_static_error, cti_vm_throw, ctiVMThrowTrampoline()
853         and their callers as it is now dead code.  There is some work needed on the Microsoft X86
854         callOperation to handle the need to provide space for structure return value.
855
856         * jit/JIT.h:
857         * jit/JITInlines.h:
858         (JSC::JIT::callOperation):
859         * jit/JITOpcodes.cpp:
860         (JSC::JIT::emit_op_throw):
861         * jit/JITOpcodes32_64.cpp:
862         (JSC::JIT::emit_op_throw):
863         (JSC::JIT::emit_op_catch):
864         * jit/JITOperations.cpp:
865         * jit/JITOperations.h:
866         * jit/JITStubs.cpp:
867         * jit/JITStubs.h:
868         * jit/JITStubsARM.h:
869         * jit/JITStubsARM64.h:
870         * jit/JITStubsARMv7.h:
871         * jit/JITStubsMIPS.h:
872         * jit/JITStubsMSVC64.asm:
873         * jit/JITStubsSH4.h:
874         * jit/JITStubsX86.h:
875         * jit/JITStubsX86_64.h:
876         * jit/JSInterfaceJIT.h:
877
878 2013-10-17  Mark Lam  <mark.lam@apple.com>
879
880         Remove JITStackFrame references in the C Loop LLINT.
881         https://bugs.webkit.org/show_bug.cgi?id=122950.
882
883         Reviewed by Michael Saboff.
884
885         * jit/JITStubs.h:
886         * llint/LowLevelInterpreter.cpp:
887         (JSC::CLoop::execute):
888         * offlineasm/cloop.rb:
889
890 2013-10-17  Mark Lam  <mark.lam@apple.com>
891
892         Remove JITStackFrame references in JIT probes.
893         https://bugs.webkit.org/show_bug.cgi?id=122947.
894
895         Reviewed by Michael Saboff.
896
897         * assembler/MacroAssemblerARM.cpp:
898         (JSC::MacroAssemblerARM::ProbeContext::dump):
899         * assembler/MacroAssemblerARM.h:
900         * assembler/MacroAssemblerARMv7.cpp:
901         (JSC::MacroAssemblerARMv7::ProbeContext::dump):
902         * assembler/MacroAssemblerARMv7.h:
903         * assembler/MacroAssemblerX86Common.cpp:
904         (JSC::MacroAssemblerX86Common::ProbeContext::dump):
905         * assembler/MacroAssemblerX86Common.h:
906         * jit/JITStubsARM.h:
907         * jit/JITStubsARMv7.h:
908         * jit/JITStubsX86.h:
909         * jit/JITStubsX86Common.h:
910         * jit/JITStubsX86_64.h:
911
912 2013-10-17  Julien Brianceau  <jbriance@cisco.com>
913
914         Fix build when NUMBER_OF_ARGUMENT_REGISTERS == 4.
915         https://bugs.webkit.org/show_bug.cgi?id=122949
916
917         Reviewed by Andreas Kling.
918
919         * jit/CCallHelpers.h:
920         (JSC::CCallHelpers::setupArgumentsWithExecState):
921
922 2013-10-16  Mark Lam  <mark.lam@apple.com>
923
924         Transition remaining op_get* JITStubs to JIT operations.
925         https://bugs.webkit.org/show_bug.cgi?id=122925.
926
927         Reviewed by Geoffrey Garen.
928
929         Transitioning:
930             cti_op_get_by_id_generic
931             cti_op_get_by_val
932             cti_op_get_by_val_generic
933             cti_op_get_by_val_string
934
935         * dfg/DFGOperations.cpp:
936         * dfg/DFGOperations.h:
937         * jit/JIT.h:
938         * jit/JITInlines.h:
939         (JSC::JIT::callOperation):
940         * jit/JITOpcodes.cpp:
941         (JSC::JIT::emitSlow_op_get_arguments_length):
942         (JSC::JIT::emitSlow_op_get_argument_by_val):
943         * jit/JITOpcodes32_64.cpp:
944         (JSC::JIT::emitSlow_op_get_arguments_length):
945         (JSC::JIT::emitSlow_op_get_argument_by_val):
946         * jit/JITOperations.cpp:
947         * jit/JITOperations.h:
948         * jit/JITPropertyAccess.cpp:
949         (JSC::JIT::emitSlow_op_get_by_val):
950         (JSC::JIT::emitSlow_op_get_by_pname):
951         (JSC::JIT::privateCompileGetByVal):
952         * jit/JITPropertyAccess32_64.cpp:
953         (JSC::JIT::emitSlow_op_get_by_val):
954         (JSC::JIT::emitSlow_op_get_by_pname):
955         * jit/JITStubs.cpp:
956         * jit/JITStubs.h:
957         * runtime/Executable.cpp:
958         (JSC::setupLLInt): Added some UNUSED_PARAMs to fix the no LLINT build.
959         * runtime/Options.cpp:
960         (JSC::Options::initialize):
961
962 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
963
964         Introduce WTF::Bag and start using it for InlineCallFrameSet
965         https://bugs.webkit.org/show_bug.cgi?id=122941
966
967         Reviewed by Geoffrey Garen.
968         
969         Use Bag for InlineCallFrameSet. If this works out then I'll make other
970         SegmentedVectors into Bags as well.
971
972         * bytecode/InlineCallFrameSet.cpp:
973         (JSC::InlineCallFrameSet::add):
974         * bytecode/InlineCallFrameSet.h:
975         (JSC::InlineCallFrameSet::begin):
976         (JSC::InlineCallFrameSet::end):
977         * dfg/DFGArgumentsSimplificationPhase.cpp:
978         (JSC::DFG::ArgumentsSimplificationPhase::run):
979         * dfg/DFGJITCompiler.cpp:
980         (JSC::DFG::JITCompiler::link):
981         * dfg/DFGStackLayoutPhase.cpp:
982         (JSC::DFG::StackLayoutPhase::run):
983         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
984         (JSC::DFG::VirtualRegisterAllocationPhase::run):
985
986 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
987
988         libllvmForJSC shouldn't call exit(1) on report_fatal_error()
989         https://bugs.webkit.org/show_bug.cgi?id=122905
990         <rdar://problem/15237856>
991
992         Reviewed by Michael Saboff.
993         
994         Expose the new LLVMInstallFatalErrorHandler() API through the soft linking magic and
995         then always call it to install something that calls CRASH().
996
997         * llvm/InitializeLLVM.cpp:
998         (JSC::llvmCrash):
999         (JSC::initializeLLVMOnce):
1000         (JSC::initializeLLVM):
1001         * llvm/LLVMAPIFunctions.h:
1002
1003 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
1004
1005         Prototype chain repatching in the polymorphic case fails to check if the receiver is a dictionary
1006         https://bugs.webkit.org/show_bug.cgi?id=122938
1007
1008         Reviewed by Sam Weinig.
1009         
1010         This fixes jsc-layout-tests.yaml/js/script-tests/dictionary-prototype-caching.js.layout-no-llint.
1011
1012         * jit/Repatch.cpp:
1013         (JSC::tryBuildGetByIDList):
1014
1015 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
1016
1017         JIT::appendCall() needs to killLastResultRegister() or equivalent since there's some really bad code that expects it
1018         https://bugs.webkit.org/show_bug.cgi?id=122937
1019
1020         Reviewed by Geoffrey Garen.
1021         
1022         JITStubCall used to do it.
1023         
1024         This makes mozilla-tests.yaml/ecma/Statements/12.10-1.js.mozilla-baseline pass.
1025
1026         * jit/JIT.h:
1027         (JSC::JIT::appendCall):
1028
1029 2013-10-16  Michael Saboff  <msaboff@apple.com>
1030
1031         transition void cti_op_put_by_val* stubs to JIT operations
1032         https://bugs.webkit.org/show_bug.cgi?id=122903
1033
1034         Reviewed by Geoffrey Garen.
1035
1036         Transitioned cti_op_put_by_val and cti_op_put_by_val_generic to operationPutByVal and
1037         operationPutByValGeneric.
1038
1039         * jit/CCallHelpers.h:
1040         (JSC::CCallHelpers::setupArgumentsWithExecState):
1041         * jit/JIT.h:
1042         * jit/JITInlines.h:
1043         (JSC::JIT::callOperation):
1044         * jit/JITOperations.cpp:
1045         * jit/JITOperations.h:
1046         * jit/JITPropertyAccess.cpp:
1047         (JSC::JIT::emitSlow_op_put_by_val):
1048         (JSC::JIT::privateCompilePutByVal):
1049         * jit/JITPropertyAccess32_64.cpp:
1050         (JSC::JIT::emitSlow_op_put_by_val):
1051         * jit/JITStubs.cpp:
1052         * jit/JITStubs.h:
1053         * jit/JSInterfaceJIT.h:
1054
1055 2013-10-16  Oliver Hunt  <oliver@apple.com>
1056
1057         Implement ES6 spread operator
1058         https://bugs.webkit.org/show_bug.cgi?id=122911
1059
1060         Reviewed by Michael Saboff.
1061
1062         Implement the ES6 spread operator
1063
1064         This has a little bit of refactoring to move the enumeration logic out of ForOfNode
1065         and into BytecodeGenerator, and then adds the logic to make it nicely callback
1066         driven.
1067
1068         The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
1069         and actually handling the spread.
1070
1071         * bytecompiler/BytecodeGenerator.cpp:
1072         (JSC::BytecodeGenerator::emitNewArray):
1073         (JSC::BytecodeGenerator::emitCall):
1074         (JSC::BytecodeGenerator::emitEnumeration):
1075         * bytecompiler/BytecodeGenerator.h:
1076         * bytecompiler/NodesCodegen.cpp:
1077         (JSC::ArrayNode::emitBytecode):
1078         (JSC::ForOfNode::emitBytecode):
1079         (JSC::SpreadExpressionNode::emitBytecode):
1080         * parser/ASTBuilder.h:
1081         (JSC::ASTBuilder::createSpreadExpression):
1082         * parser/Lexer.cpp:
1083         (JSC::::lex):
1084         * parser/NodeConstructors.h:
1085         (JSC::SpreadExpressionNode::SpreadExpressionNode):
1086         * parser/Nodes.h:
1087         (JSC::ExpressionNode::isSpreadExpression):
1088         (JSC::SpreadExpressionNode::expression):
1089         * parser/Parser.cpp:
1090         (JSC::::parseArrayLiteral):
1091         (JSC::::parseArguments):
1092         (JSC::::parseMemberExpression):
1093         * parser/Parser.h:
1094         (JSC::Parser::getTokenName):
1095         (JSC::Parser::updateErrorMessageSpecialCase):
1096         * parser/ParserTokens.h:
1097         * parser/SyntaxChecker.h:
1098         (JSC::SyntaxChecker::createSpreadExpression):
1099
1100 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
1101
1102         Add a useLLInt option to jsc
1103         https://bugs.webkit.org/show_bug.cgi?id=122930
1104
1105         Reviewed by Geoffrey Garen.
1106
1107         * runtime/Executable.cpp:
1108         (JSC::setupLLInt):
1109         (JSC::setupJIT):
1110         (JSC::ScriptExecutable::prepareForExecutionImpl):
1111         * runtime/Options.h:
1112
1113 2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>
1114
1115         Build fix.
1116
1117         Forgot to svn add DeferGC.cpp
1118
1119         * heap/DeferGC.cpp: Added.
1120
1121 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
1122
1123         r157411 fails run-javascriptcore-tests when run with Baseline JIT
1124         https://bugs.webkit.org/show_bug.cgi?id=122902
1125
1126         Reviewed by Mark Hahnenberg.
1127         
1128         It turns out that this was a long-standing bug in the DFG PutById repatching logic. It's
1129         not legal to patch if the typeInfo tells you that you can't patch. The old JIT's patching
1130         logic did this right, and the DFG's GetById patching logic did it right; but DFG PutById
1131         didn't. Turns out that there's even a helpful method,
1132         Structure::propertyAccessesAreCacheable(), that will even do all of the checks for you!
1133
1134         * jit/Repatch.cpp:
1135         (JSC::tryCachePutByID):
1136
1137 2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>
1138
1139         llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
1140         https://bugs.webkit.org/show_bug.cgi?id=122667
1141
1142         Reviewed by Geoffrey Garen.
1143
1144         The issue this patch is attempting to fix is that there are places in our codebase
1145         where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
1146         operations that can initiate a garbage collection. Garbage collection then calls 
1147         some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
1148         always necessarily run during garbage collection). This causes a deadlock.
1149  
1150         To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores 
1151         into a thread-local field that indicates that it is unsafe to perform any operation 
1152         that could trigger garbage collection on the current thread. In debug builds, 
1153         ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly 
1154         detect deadlocks.
1155  
1156         This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
1157         which uses the DeferGC mechanism to prevent collections from occurring while the 
1158         lock is held.
1159
1160         * CMakeLists.txt:
1161         * GNUmakefile.list.am:
1162         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1163         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1164         * JavaScriptCore.xcodeproj/project.pbxproj:
1165         * heap/DeferGC.h:
1166         (JSC::DisallowGC::DisallowGC):
1167         (JSC::DisallowGC::~DisallowGC):
1168         (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
1169         (JSC::DisallowGC::initialize):
1170         * jit/Repatch.cpp:
1171         (JSC::repatchPutByID):
1172         (JSC::buildPutByIdList):
1173         * llint/LLIntSlowPaths.cpp:
1174         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1175         * runtime/ConcurrentJITLock.h:
1176         (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
1177         (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
1178         (JSC::ConcurrentJITLockerBase::unlockEarly):
1179         (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
1180         (JSC::GCSafeConcurrentJITLocker::~GCSafeConcurrentJITLocker):
1181         (JSC::GCSafeConcurrentJITLocker::NoDefer::NoDefer):
1182         (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
1183         * runtime/InitializeThreading.cpp:
1184         (JSC::initializeThreadingOnce):
1185         * runtime/JSCellInlines.h:
1186         (JSC::allocateCell):
1187         * runtime/JSSymbolTableObject.h:
1188         (JSC::symbolTablePut):
1189         * runtime/Structure.cpp: materializePropertyMapIfNecessary* now has a problem in that it
1190         can start a garbage collection when the GCSafeConcurrentJITLocker goes out of scope, but 
1191         before the caller has a chance to use the newly created PropertyTable. The garbage collection
1192         clears the PropertyTable, and then the caller uses it assuming it's valid. To avoid this,
1193         we must DeferGC until the caller is done getting the newly materialized PropertyTable from 
1194         the Structure.
1195         (JSC::Structure::materializePropertyMap):
1196         (JSC::Structure::despecifyDictionaryFunction):
1197         (JSC::Structure::changePrototypeTransition):
1198         (JSC::Structure::despecifyFunctionTransition):
1199         (JSC::Structure::attributeChangeTransition):
1200         (JSC::Structure::toDictionaryTransition):
1201         (JSC::Structure::preventExtensionsTransition):
1202         (JSC::Structure::takePropertyTableOrCloneIfPinned):
1203         (JSC::Structure::isSealed):
1204         (JSC::Structure::isFrozen):
1205         (JSC::Structure::addPropertyWithoutTransition):
1206         (JSC::Structure::removePropertyWithoutTransition):
1207         (JSC::Structure::get):
1208         (JSC::Structure::despecifyFunction):
1209         (JSC::Structure::despecifyAllFunctions):
1210         (JSC::Structure::putSpecificValue):
1211         (JSC::Structure::createPropertyMap):
1212         (JSC::Structure::getPropertyNamesFromStructure):
1213         * runtime/Structure.h:
1214         (JSC::Structure::materializePropertyMapIfNecessary):
1215         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
1216         * runtime/StructureInlines.h:
1217         (JSC::Structure::get):
1218         * runtime/SymbolTable.h:
1219         (JSC::SymbolTable::find):
1220         (JSC::SymbolTable::end):
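
An added illustration of the DisallowGC / GCSafeConcurrentJITLocker mechanism described in this entry, written for this page and not JavaScriptCore's own code; the lock, CodeBlock and guard names are simplified stand-ins, and the three functions reproduce the unguarded deadlock, the eager debug-build detection, and the deferred collection:

```cpp
// Added example, not JavaScriptCore's code: models the deadlock described above and
// the two guards the entry introduces. Names are this example's own; single-threaded.
#include <mutex>      // std::lock_guard
#include <stdexcept>
namespace gcdemo {
// Stand-in for ConcurrentJITLock. lock() from the holder would block forever on
// the real lock; here it throws so the condition is observable.
struct NonRecursiveLock {
    bool held = false;
    bool tryLock() { if (held) return false; held = true; return true; }
    void lock() { if (!tryLock()) throw std::logic_error("lock re-entered by its holder"); }
    void unlock() { held = false; }
};
thread_local int g_disallowDepth = 0;   // > 0: collecting on this thread would deadlock
thread_local int g_deferDepth = 0;      // > 0: collection requests are queued

struct CodeBlock {
    NonRecursiveLock jitLock;
    int gcVisits = 0;
    bool deadlockWouldOccur = false;
    // Collector entry point; it takes the lock because it also runs outside GC.
    void visitDuringGC() {
        if (!jitLock.tryLock()) { deadlockWouldOccur = true; return; }
        ++gcVisits;
        jitLock.unlock();
    }
};
thread_local CodeBlock* g_pendingCollection = nullptr;  // set while a request is deferred

// RAII marker: while one is alive, triggering a collection on this thread is a bug.
struct DisallowGC {
    DisallowGC() { ++g_disallowDepth; }
    ~DisallowGC() { --g_disallowDepth; }
    static bool isGCDisallowedOnCurrentThread() { return g_disallowDepth > 0; }
};

// What an allocation slow path does when the heap decides to collect.
inline void requestCollection(CodeBlock& block) {
    if (DisallowGC::isGCDisallowedOnCurrentThread())
        throw std::logic_error("collection requested under a ConcurrentJITLock");
    if (g_deferDepth > 0) { g_pendingCollection = &block; return; }
    block.visitDuringGC();
}

// RAII deferral: a queued collection runs when the outermost DeferGC ends.
struct DeferGC {
    DeferGC() { ++g_deferDepth; }
    ~DeferGC() {
        if (--g_deferDepth != 0 || !g_pendingCollection) return;
        CodeBlock* block = g_pendingCollection;
        g_pendingCollection = nullptr;
        block->visitDuringGC();
    }
};

// Debug-style locker: holding the lock marks GC as disallowed on this thread.
struct ConcurrentJITLocker {
    DisallowGC noGC;
    std::lock_guard<NonRecursiveLock> guard;
    explicit ConcurrentJITLocker(CodeBlock& b) : guard(b.jitLock) {}
};

// Locker for paths that may allocate. DeferGC is declared first so it is destroyed
// last: the lock is already released when the deferred collection runs.
struct GCSafeConcurrentJITLocker {
    DeferGC defer;
    std::lock_guard<NonRecursiveLock> guard;
    explicit GCSafeConcurrentJITLocker(CodeBlock& b) : guard(b.jitLock) {}
};

// 1. The original bug: lock held with no guard, and the collector re-enters it.
inline bool unguardedLockWouldDeadlock() {
    CodeBlock block;
    { std::lock_guard<NonRecursiveLock> guard(block.jitLock); requestCollection(block); }
    return block.deadlockWouldOccur;
}

// 2. With DisallowGC inside the locker the same request is caught eagerly.
inline bool disallowGCCatchesTheDeadlock() {
    CodeBlock block;
    try {
        ConcurrentJITLocker locker(block);
        requestCollection(block);
    } catch (const std::logic_error&) { return true; }
    return false;
}

// 3. With GCSafeConcurrentJITLocker the collection waits for the unlock;
//    returns the GC visit count after the scope closes (expected: 1).
inline int gcSafeLockerDefersCollection() {
    CodeBlock block;
    {
        GCSafeConcurrentJITLocker locker(block);
        requestCollection(block);   // queued; the held lock is never touched
        if (block.gcVisits != 0 || block.deadlockWouldOccur) return -1;
    }
    return block.gcVisits;
}
} // namespace gcdemo
```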
1221
1222 2013-10-16  Daniel Bates  <dabates@apple.com>
1223
1224         Add SPI to disable the garbage collector timer
1225         https://bugs.webkit.org/show_bug.cgi?id=122921
1226
1227         Reviewed by Geoffrey Garen.
1228
1229         Based on a patch by Mark Hahnenberg.
1230
1231         * API/JSBase.cpp:
1232         (JSDisableGCTimer): Added; SPI function.
1233         * API/JSBasePrivate.h:
1234         * heap/BlockAllocator.cpp:
1235         (JSC::createBlockFreeingThread): Added.
1236         (JSC::BlockAllocator::BlockAllocator): Modified to use JSC::createBlockFreeingThread()
1237         to conditionally create the "block freeing" thread depending on the value of
1238         GCActivityCallback::s_shouldCreateGCTimer.
1239         (JSC::BlockAllocator::~BlockAllocator):
1240         * heap/BlockAllocator.h:
1241         (JSC::BlockAllocator::deallocate):
1242         * heap/Heap.cpp:
1243         (JSC::Heap::didAbandon):
1244         (JSC::Heap::collect):
1245         (JSC::Heap::didAllocate):
1246         * heap/HeapTimer.cpp:
1247         (JSC::HeapTimer::timerDidFire):
1248         * runtime/GCActivityCallback.cpp:
1249         * runtime/GCActivityCallback.h:
1250         (JSC::DefaultGCActivityCallback::create): Only instantiate a DefaultGCActivityCallback object
1251         when GCActivityCallback::s_shouldCreateGCTimer is true so as to prevent allocating a HeapTimer
1252         object (since DefaultGCActivityCallback ultimately extends HeapTimer).
1253
1254 2013-10-16  Commit Queue  <commit-queue@webkit.org>
1255
1256         Unreviewed, rolling out r157529.
1257         http://trac.webkit.org/changeset/157529
1258         https://bugs.webkit.org/show_bug.cgi?id=122919
1259
1260         Caused score test failures and some build failures. (Requested
1261         by rfong on #webkit).
1262
1263         * bytecompiler/BytecodeGenerator.cpp:
1264         (JSC::BytecodeGenerator::emitNewArray):
1265         (JSC::BytecodeGenerator::emitCall):
1266         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
1267         * bytecompiler/BytecodeGenerator.h:
1268         * bytecompiler/NodesCodegen.cpp:
1269         (JSC::ArrayNode::emitBytecode):
1270         (JSC::CallArguments::CallArguments):
1271         (JSC::ForOfNode::emitBytecode):
1272         (JSC::BindingNode::collectBoundIdentifiers):
1273         * parser/ASTBuilder.h:
1274         * parser/Lexer.cpp:
1275         (JSC::::lex):
1276         * parser/NodeConstructors.h:
1277         (JSC::DotAccessorNode::DotAccessorNode):
1278         * parser/Nodes.h:
1279         * parser/Parser.cpp:
1280         (JSC::::parseArrayLiteral):
1281         (JSC::::parseArguments):
1282         (JSC::::parseMemberExpression):
1283         * parser/Parser.h:
1284         (JSC::Parser::getTokenName):
1285         (JSC::Parser::updateErrorMessageSpecialCase):
1286         * parser/ParserTokens.h:
1287         * parser/SyntaxChecker.h:
1288
1289 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
1290
1291         Remove useless architecture specific implementation in DFG.
1292         https://bugs.webkit.org/show_bug.cgi?id=122917.
1293
1294         Reviewed by Michael Saboff.
1295
1296         With CPU(ARM) && CPU(ARM_HARDFP) architecture, the fallback implementation is fine
1297         as FPRInfo::argumentFPR0 == FPRInfo::returnValueFPR in this case.
1298
1299         * dfg/DFGSpeculativeJIT.h:
1300
1301 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
1302
1303         Remove unused JIT::restoreArgumentReferenceForTrampoline function.
1304         https://bugs.webkit.org/show_bug.cgi?id=122916.
1305
1306         Reviewed by Michael Saboff.
1307
1308         This architecture specific function is not used anymore, so get rid of it.
1309
1310         * jit/JIT.h:
1311         * jit/JITInlines.h:
1312
1313 2013-10-16  Oliver Hunt  <oliver@apple.com>
1314
1315         Implement ES6 spread operator
1316         https://bugs.webkit.org/show_bug.cgi?id=122911
1317
1318         Reviewed by Michael Saboff.
1319
1320         Implement the ES6 spread operator
1321
1322         This has a little bit of refactoring to move the enumeration logic out of ForOfNode
1323         and into BytecodeGenerator, and then adds the logic to make it nicely callback
1324         driven.
1325
1326         The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
1327         and actually handling the spread.
1328
1329         * bytecompiler/BytecodeGenerator.cpp:
1330         (JSC::BytecodeGenerator::emitNewArray):
1331         (JSC::BytecodeGenerator::emitCall):
1332         (JSC::BytecodeGenerator::emitEnumeration):
1333         * bytecompiler/BytecodeGenerator.h:
1334         * bytecompiler/NodesCodegen.cpp:
1335         (JSC::ArrayNode::emitBytecode):
1336         (JSC::ForOfNode::emitBytecode):
1337         (JSC::SpreadExpressionNode::emitBytecode):
1338         * parser/ASTBuilder.h:
1339         (JSC::ASTBuilder::createSpreadExpression):
1340         * parser/Lexer.cpp:
1341         (JSC::::lex):
1342         * parser/NodeConstructors.h:
1343         (JSC::SpreadExpressionNode::SpreadExpressionNode):
1344         * parser/Nodes.h:
1345         (JSC::ExpressionNode::isSpreadExpression):
1346         (JSC::SpreadExpressionNode::expression):
1347         * parser/Parser.cpp:
1348         (JSC::::parseArrayLiteral):
1349         (JSC::::parseArguments):
1350         (JSC::::parseMemberExpression):
1351         * parser/Parser.h:
1352         (JSC::Parser::getTokenName):
1353         (JSC::Parser::updateErrorMessageSpecialCase):
1354         * parser/ParserTokens.h:
1355         * parser/SyntaxChecker.h:
1356         (JSC::SyntaxChecker::createSpreadExpression):
1357
1358 2013-10-16  Mark Lam  <mark.lam@apple.com>
1359
1360         Transition void cti_op_tear_off* methods to JIT operations for 32 bit.
1361         https://bugs.webkit.org/show_bug.cgi?id=122899.
1362
1363         Reviewed by Michael Saboff.
1364
1365         * jit/JITOpcodes32_64.cpp:
1366         (JSC::JIT::emit_op_tear_off_activation):
1367         (JSC::JIT::emit_op_tear_off_arguments):
1368         * jit/JITStubs.cpp:
1369         * jit/JITStubs.h:
1370
1371 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
1372
1373         Remove more of the UNINTERRUPTED_SEQUENCE thing
1374         https://bugs.webkit.org/show_bug.cgi?id=122885
1375
1376         Reviewed by Andreas Kling.
1377
1378         It was not completely removed by r157481, leading to build failure for sh4 architecture.
1379
1380         * jit/JIT.h:
1381         * jit/JITInlines.h:
1382
1383 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
1384
1385         Get rid of the StructureStubInfo::patch union
1386         https://bugs.webkit.org/show_bug.cgi?id=122877
1387
1388         Reviewed by Sam Weinig.
1389         
1390         Just simplifying code by getting rid of data structures that ain't used no more.
1391         
1392         Note that I replace the patch union with a patch struct. This means we say things like
1393         stubInfo.patch.valueGPR instead of stubInfo.valueGPR. I think that this extra
1394         encapsulation makes the code more readable: the patch struct contains just those things
1395         that you need to know to perform patching.
1396
1397         * bytecode/StructureStubInfo.h:
1398         * dfg/DFGJITCompiler.cpp:
1399         (JSC::DFG::JITCompiler::link):
1400         * jit/JIT.cpp:
1401         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
1402         * jit/Repatch.cpp:
1403         (JSC::repatchByIdSelfAccess):
1404         (JSC::replaceWithJump):
1405         (JSC::linkRestoreScratch):
1406         (JSC::generateProtoChainAccessStub):
1407         (JSC::tryCacheGetByID):
1408         (JSC::getPolymorphicStructureList):
1409         (JSC::patchJumpToGetByIdStub):
1410         (JSC::tryBuildGetByIDList):
1411         (JSC::emitPutReplaceStub):
1412         (JSC::emitPutTransitionStub):
1413         (JSC::tryCachePutByID):
1414         (JSC::tryBuildPutByIdList):
1415         (JSC::tryRepatchIn):
1416         (JSC::resetGetByID):
1417         (JSC::resetPutByID):
1418         (JSC::resetIn):
1419
1420 2013-10-15  Nadav Rotem  <nrotem@apple.com>
1421
1422         FTL: add support for Int52ToValue and fix putByVal of int52s.
1423         https://bugs.webkit.org/show_bug.cgi?id=122873
1424
1425         Reviewed by Filip Pizlo.
1426
1427         * ftl/FTLCapabilities.cpp:
1428         (JSC::FTL::canCompile):
1429         * ftl/FTLLowerDFGToLLVM.cpp:
1430         (JSC::FTL::LowerDFGToLLVM::compileNode):
1431         (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue):
1432         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
1433
1434 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
1435
1436         Get rid of the UNINTERRUPTED_SEQUENCE thing
1437         https://bugs.webkit.org/show_bug.cgi?id=122876
1438
1439         Reviewed by Mark Hahnenberg.
1440         
1441         It doesn't make sense anymore. We now use the DFG's IC logic, which never needed that.
1442         
1443         Moreover, we should resist the temptation to bring anything like this back. We don't
1444         want to have inline caches that only work if the assembler lays out code in a specific
1445         predetermined way.
1446
1447         * jit/JIT.h:
1448         * jit/JITCall.cpp:
1449         (JSC::JIT::compileOpCall):
1450         * jit/JITCall32_64.cpp:
1451         (JSC::JIT::compileOpCall):
1452
1453 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
1454
1455         Baseline JIT should use the DFG GetById IC
1456         https://bugs.webkit.org/show_bug.cgi?id=122861
1457
1458         Reviewed by Oliver Hunt.
1459         
1460         This mostly just kills a ton of code.
1461         
1462         Note that this doesn't yet do all of the simplifications that can be done, but it does
1463         kill dead code. I'll have another change to simplify StructureStubInfo's unions and such.
1464
1465         * bytecode/CodeBlock.cpp:
1466         (JSC::CodeBlock::resetStubInternal):
1467         * jit/JIT.cpp:
1468         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
1469         * jit/JIT.h:
1470         (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
1471         * jit/JITInlines.h:
1472         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
1473         (JSC::JIT::callOperation):
1474         * jit/JITPropertyAccess.cpp:
1475         (JSC::JIT::compileGetByIdHotPath):
1476         (JSC::JIT::emitSlow_op_get_by_id):
1477         (JSC::JIT::emitSlow_op_get_from_scope):
1478         * jit/JITPropertyAccess32_64.cpp:
1479         (JSC::JIT::compileGetByIdHotPath):
1480         (JSC::JIT::emitSlow_op_get_by_id):
1481         (JSC::JIT::emitSlow_op_get_from_scope):
1482         * jit/JITStubs.cpp:
1483         * jit/JITStubs.h:
1484         * jit/Repatch.cpp:
1485         (JSC::repatchGetByID):
1486         (JSC::buildGetByIDList):
1487         * jit/ThunkGenerators.cpp:
1488         * jit/ThunkGenerators.h:
1489
1490 2013-10-15  Dean Jackson  <dino@apple.com>
1491
1492         Add ENABLE_WEB_ANIMATIONS flag
1493         https://bugs.webkit.org/show_bug.cgi?id=122871
1494
1495         Reviewed by Tim Horton.
1496
1497         Eventually might be http://dev.w3.org/fxtf/web-animations/
1498         but this is just engine-internal work at the moment.
1499
1500         * Configurations/FeatureDefines.xcconfig:
1501
1502 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
1503
1504         [sh4] Some calls don't match sh4 ABI.
1505         https://bugs.webkit.org/show_bug.cgi?id=122863
1506
1507         Reviewed by Michael Saboff.
1508
1509         * dfg/DFGSpeculativeJIT.h:
1510         (JSC::DFG::SpeculativeJIT::callOperation):
1511         * jit/CCallHelpers.h:
1512         (JSC::CCallHelpers::setupArgumentsWithExecState):
1513         * jit/JITInlines.h:
1514         (JSC::JIT::callOperation):
1515
1516 2013-10-15  Daniel Bates  <dabates@apple.com>
1517
1518         [iOS] Upstream JavaScriptCore support for ARM64
1519         https://bugs.webkit.org/show_bug.cgi?id=122762
1520
1521         Reviewed by Oliver Hunt and Filip Pizlo.
1522
1523         * Configurations/Base.xcconfig:
1524         * Configurations/DebugRelease.xcconfig:
1525         * Configurations/JavaScriptCore.xcconfig:
1526         * Configurations/ToolExecutable.xcconfig:
1527         * JavaScriptCore.xcodeproj/project.pbxproj:
1528         * assembler/ARM64Assembler.h: Added.
1529         * assembler/AbstractMacroAssembler.h:
1530         (JSC::isARM64):
1531         (JSC::AbstractMacroAssembler::Label::Label):
1532         (JSC::AbstractMacroAssembler::Jump::Jump):
1533         (JSC::AbstractMacroAssembler::Jump::link):
1534         (JSC::AbstractMacroAssembler::Jump::linkTo):
1535         (JSC::AbstractMacroAssembler::CachedTempRegister::CachedTempRegister):
1536         (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDInvalidate):
1537         (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDNoInvalidate):
1538         (JSC::AbstractMacroAssembler::CachedTempRegister::value):
1539         (JSC::AbstractMacroAssembler::CachedTempRegister::setValue):
1540         (JSC::AbstractMacroAssembler::CachedTempRegister::invalidate):
1541         (JSC::AbstractMacroAssembler::invalidateAllTempRegisters):
1542         (JSC::AbstractMacroAssembler::isTempRegisterValid):
1543         (JSC::AbstractMacroAssembler::clearTempRegisterValid):
1544         (JSC::AbstractMacroAssembler::setTempRegisterValid):
1545         * assembler/LinkBuffer.cpp:
1546         (JSC::LinkBuffer::copyCompactAndLinkCode):
1547         (JSC::LinkBuffer::linkCode):
1548         * assembler/LinkBuffer.h:
1549         * assembler/MacroAssembler.h:
1550         (JSC::MacroAssembler::isPtrAlignedAddressOffset):
1551         (JSC::MacroAssembler::pushToSave):
1552         (JSC::MacroAssembler::popToRestore):
1553         (JSC::MacroAssembler::patchableBranchTest32):
1554         * assembler/MacroAssemblerARM64.h: Added.
1555         * assembler/MacroAssemblerARMv7.h:
1556         * dfg/DFGFixupPhase.cpp:
1557         (JSC::DFG::FixupPhase::fixupNode):
1558         * dfg/DFGOSRExitCompiler32_64.cpp:
1559         (JSC::DFG::OSRExitCompiler::compileExit):
1560         * dfg/DFGOSRExitCompiler64.cpp:
1561         (JSC::DFG::OSRExitCompiler::compileExit):
1562         * dfg/DFGSpeculativeJIT.cpp:
1563         (JSC::DFG::SpeculativeJIT::compileArithDiv):
1564         (JSC::DFG::SpeculativeJIT::compileArithMod):
1565         * disassembler/ARM64/A64DOpcode.cpp: Added.
1566         * disassembler/ARM64/A64DOpcode.h: Added.
1567         * disassembler/ARM64Disassembler.cpp: Added.
1568         * heap/MachineStackMarker.cpp:
1569         (JSC::getPlatformThreadRegisters):
1570         (JSC::otherThreadStackPointer):
1571         * heap/Region.h:
1572         * jit/AssemblyHelpers.h:
1573         (JSC::AssemblyHelpers::debugCall):
1574         * jit/CCallHelpers.h:
1575         * jit/ExecutableAllocator.h:
1576         * jit/FPRInfo.h:
1577         (JSC::FPRInfo::toRegister):
1578         (JSC::FPRInfo::toIndex):
1579         (JSC::FPRInfo::debugName):
1580         * jit/GPRInfo.h:
1581         (JSC::GPRInfo::toRegister):
1582         (JSC::GPRInfo::toIndex):
1583         (JSC::GPRInfo::debugName):
1584         * jit/JITInlines.h:
1585         (JSC::JIT::restoreArgumentReferenceForTrampoline):
1586         * jit/JITOperationWrappers.h:
1587         * jit/JITOperations.cpp:
1588         * jit/JITStubs.cpp:
1589         (JSC::performPlatformSpecificJITAssertions):
1590         (JSC::tryCachePutByID):
1591         * jit/JITStubs.h:
1592         (JSC::JITStackFrame::returnAddressSlot):
1593         * jit/JITStubsARM64.h: Added.
1594         * jit/JSInterfaceJIT.h:
1595         * jit/Repatch.cpp:
1596         (JSC::emitRestoreScratch):
1597         (JSC::generateProtoChainAccessStub):
1598         (JSC::tryCacheGetByID):
1599         (JSC::emitPutReplaceStub):
1600         (JSC::tryCachePutByID):
1601         (JSC::tryRepatchIn):
1602         * jit/ScratchRegisterAllocator.h:
1603         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
1604         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
1605         * jit/ThunkGenerators.cpp:
1606         (JSC::nativeForGenerator):
1607         (JSC::floorThunkGenerator):
1608         (JSC::ceilThunkGenerator):
1609         * jsc.cpp:
1610         (main):
1611         * llint/LLIntOfflineAsmConfig.h:
1612         * llint/LLIntSlowPaths.cpp:
1613         (JSC::LLInt::handleHostCall):
1614         * llint/LowLevelInterpreter.asm:
1615         * llint/LowLevelInterpreter64.asm:
1616         * offlineasm/arm.rb:
1617         * offlineasm/arm64.rb: Added.
1618         * offlineasm/backends.rb:
1619         * offlineasm/instructions.rb:
1620         * offlineasm/risc.rb:
1621         * offlineasm/transform.rb:
1622         * yarr/YarrJIT.cpp:
1623         (JSC::Yarr::YarrGenerator::alignCallFrameSizeInBytes):
1624         (JSC::Yarr::YarrGenerator::initCallFrame):
1625         (JSC::Yarr::YarrGenerator::removeCallFrame):
1626         (JSC::Yarr::YarrGenerator::generateEnter):
1627         * yarr/YarrJIT.h:
1628
1629 2013-10-15  Mark Lam  <mark.lam@apple.com>
1630
1631         Fix 3 operand sub operation in C loop LLINT.
1632         https://bugs.webkit.org/show_bug.cgi?id=122866.
1633
1634         Reviewed by Geoffrey Garen.
1635
1636         * offlineasm/cloop.rb:
1637
1638 2013-10-15  Mark Hahnenberg  <mhahnenberg@apple.com>
1639
1640         ObjCCallbackFunctionImpl shouldn't store a JSContext
1641         https://bugs.webkit.org/show_bug.cgi?id=122531
1642
1643         Reviewed by Geoffrey Garen.
1644
1645         The m_context field in ObjCCallbackFunctionImpl is vestigial and is only incidentally correct 
1646         in the common case. It's also no longer necessary in that we can look up the current JSContext 
1647         by using the globalObject of the callee when the function callback is invoked.
1648  
1649         Also added a new test that would cause us to crash previously. The test required making 
1650         JSContextGetGlobalContext public API so that clients can obtain a JSContext from the JSContextRef
1651         in C API callbacks.
1652
1653         * API/JSContextRef.h:
1654         * API/JSContextRefPrivate.h:
1655         * API/ObjCCallbackFunction.mm:
1656         (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
1657         (JSC::objCCallbackFunctionCallAsFunction):
1658         (objCCallbackFunctionForInvocation):
1659         * API/WebKitAvailability.h:
1660         * API/tests/CurrentThisInsideBlockGetterTest.h: Added.
1661         * API/tests/CurrentThisInsideBlockGetterTest.mm: Added.
1662         (CallAsConstructor):
1663         (ConstructorFinalize):
1664         (ConstructorClass):
1665         (+[JSValue valueWithConstructorDescriptor:inContext:]):
1666         (-[JSContext valueWithConstructorDescriptor:]):
1667         (currentThisInsideBlockGetterTest):
1668         * API/tests/testapi.mm:
1669         * JavaScriptCore.xcodeproj/project.pbxproj:
1670         * debugger/Debugger.cpp: Had to add some fully qualified names to avoid conflicts with Mac OS X headers.
1671
1672 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
1673
1674         Fix build after r157457 for architecture with 4 argument registers.
1675         https://bugs.webkit.org/show_bug.cgi?id=122860
1676
1677         Reviewed by Michael Saboff.
1678
1679         * jit/CCallHelpers.h:
1680         (JSC::CCallHelpers::setupStubArguments134):
1681
1682 2013-10-14  Michael Saboff  <msaboff@apple.com>
1683
1684         transition void cti_op_* methods to JIT operations.
1685         https://bugs.webkit.org/show_bug.cgi?id=122617
1686
1687         Reviewed by Geoffrey Garen.
1688
1689         Converted the following stubs to JIT operations:
1690             cti_handle_watchdog_timer
1691             cti_op_debug
1692             cti_op_pop_scope
1693             cti_op_profile_did_call
1694             cti_op_profile_will_call
1695             cti_op_put_by_index
1696             cti_op_put_getter_setter
1697             cti_op_tear_off_activation
1698             cti_op_tear_off_arguments
1699             cti_op_throw_static_error
1700             cti_optimize
1701
1702         * dfg/DFGOperations.cpp:
1703         * dfg/DFGOperations.h:
1704         * jit/CCallHelpers.h:
1705         (JSC::CCallHelpers::setupArgumentsWithExecState):
1706         (JSC::CCallHelpers::setupThreeStubArgsGPR):
1707         (JSC::CCallHelpers::setupStubArguments):
1708         (JSC::CCallHelpers::setupStubArguments134):
1709         * jit/JIT.cpp:
1710         (JSC::JIT::emitEnterOptimizationCheck):
1711         * jit/JIT.h:
1712         * jit/JITInlines.h:
1713         (JSC::JIT::callOperation):
1714         * jit/JITOpcodes.cpp:
1715         (JSC::JIT::emit_op_tear_off_activation):
1716         (JSC::JIT::emit_op_tear_off_arguments):
1717         (JSC::JIT::emit_op_push_with_scope):
1718         (JSC::JIT::emit_op_pop_scope):
1719         (JSC::JIT::emit_op_push_name_scope):
1720         (JSC::JIT::emit_op_throw_static_error):
1721         (JSC::JIT::emit_op_debug):
1722         (JSC::JIT::emit_op_profile_will_call):
1723         (JSC::JIT::emit_op_profile_did_call):
1724         (JSC::JIT::emitSlow_op_loop_hint):
1725         * jit/JITOpcodes32_64.cpp:
1726         (JSC::JIT::emit_op_push_with_scope):
1727         (JSC::JIT::emit_op_pop_scope):
1728         (JSC::JIT::emit_op_push_name_scope):
1729         (JSC::JIT::emit_op_throw_static_error):
1730         (JSC::JIT::emit_op_debug):
1731         (JSC::JIT::emit_op_profile_will_call):
1732         (JSC::JIT::emit_op_profile_did_call):
1733         * jit/JITOperations.cpp:
1734         * jit/JITOperations.h:
1735         * jit/JITPropertyAccess.cpp:
1736         (JSC::JIT::emit_op_put_by_index):
1737         (JSC::JIT::emit_op_put_getter_setter):
1738         * jit/JITPropertyAccess32_64.cpp:
1739         (JSC::JIT::emit_op_put_by_index):
1740         (JSC::JIT::emit_op_put_getter_setter):
1741         * jit/JITStubs.cpp:
1742         * jit/JITStubs.h:
1743
1744 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
1745
1746         [sh4] Introduce const pools in LLINT.
1747         https://bugs.webkit.org/show_bug.cgi?id=122746
1748
1749         Reviewed by Michael Saboff.
1750
1751         In current implementation of LLINT for sh4, immediate values outside range -128..127 are
1752         loaded this way:
1753
1754             mov.l .label, rx
1755             bra out
1756             nop
1757             .balign 4
1758             .label: .long immvalue
1759             out:
1760
1761         This change introduces const pools for sh4 implementation to avoid lots of useless branches
1762         and reduce code size. It also removes lines of dirty code, like jmpf and callf.
1763
1764         * offlineasm/instructions.rb: Remove jmpf and callf sh4 specific instructions.
1765         * offlineasm/sh4.rb:
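
A toy const-pool emitter illustrating the scheme described above, added here as an example and not offlineasm's sh4.rb: out-of-range immediates get a pooled literal, identical values share one slot, the pool is dumped once at function end, and the branch-over-literal shape is only used when the PC-relative range limit forces a mid-stream flush. The sh4 details it relies on (2-byte instructions, signed 8-bit `mov #imm`, a 1020-byte literal reach) and all class and label names are assumptions.

```cpp
#include <cstdint>
#include <map>
#include <sstream>
#include <string>

// Toy emitter for the sh4 immediate-loading scheme (constructed example, not offlineasm's
// sh4.rb). Assumed sh4 details: instructions are 2 bytes, "mov #imm, rN" takes a signed 8-bit
// immediate, "mov.l .L, rN" is the PC-relative 32-bit literal load, and a literal must lie
// within kMaxPoolDistance bytes after the load that references it (1020 assumed here).
class Sh4ConstPoolEmitter {
public:
    static constexpr int kMaxPoolDistance = 1020;
    void loadImmediate(int32_t imm, const std::string& reg) {
        if (imm >= -128 && imm <= 127) {
            emit("mov #" + std::to_string(imm) + ", " + reg);
            return;
        }
        flushIfTooFar(1); // account for the pool entry this load may add
        auto it = m_pool.find(imm);
        if (it == m_pool.end())
            it = m_pool.emplace(imm, ".Lcp" + std::to_string(m_nextLabel++)).first;
        if (m_oldestPendingRef < 0)
            m_oldestPendingRef = m_offset;
        rawEmit("mov.l " + it->second + ", " + reg); // identical values share one slot
    }
    void instruction(const std::string& insn) { emit(insn); }
    // Dump the pool. At function end nothing has to jump over the data; mid-stream (forced by
    // the distance limit) the branch-over-literal shape is needed once per pool, not per load.
    void flushPool(bool midStream) {
        if (m_pool.empty())
            return;
        std::string skip = ".Lpool_end" + std::to_string(m_nextLabel++);
        if (midStream) {
            rawEmit("bra " + skip);
            rawEmit("nop"); // branch delay slot
        }
        m_text << "\t.balign 4\n";
        m_offset = (m_offset + 3) & ~3;
        for (const auto& entry : m_pool) {
            m_text << entry.second << ": .long " << entry.first << "\n";
            m_offset += 4;
        }
        if (midStream)
            m_text << skip << ":\n";
        m_pool.clear();
        m_oldestPendingRef = -1;
    }
    std::string text() const { return m_text.str(); }

private:
    // Conservative bound on where the last literal would land if the pool were flushed right
    // after the next instruction: that instruction, bra + nop, alignment slack, the literals.
    void flushIfTooFar(int extraLiterals) {
        if (m_oldestPendingRef < 0)
            return;
        int poolEnd = m_offset + 2 + 4 + 2 + 4 * (static_cast<int>(m_pool.size()) + extraLiterals);
        if (poolEnd - m_oldestPendingRef > kMaxPoolDistance)
            flushPool(true);
    }
    void emit(const std::string& insn) {
        flushIfTooFar(0);
        rawEmit(insn);
    }
    void rawEmit(const std::string& insn) {
        m_text << "\t" << insn << "\n";
        m_offset += 2;
    }
    std::ostringstream m_text;
    std::map<int32_t, std::string> m_pool;
    int m_offset = 0;
    int m_oldestPendingRef = -1;
    int m_nextLabel = 0;
};

// A short function: every literal lands in one end-of-function pool, no branches at all.
std::string emitShortFunction() {
    Sh4ConstPoolEmitter e;
    e.loadImmediate(5, "r1");          // fits in 8 bits: "mov #5, r1"
    e.loadImmediate(0x12345678, "r2"); // pooled as .Lcp0
    e.loadImmediate(0x12345678, "r3"); // reuses .Lcp0
    e.loadImmediate(-1000, "r4");      // pooled as .Lcp1
    e.flushPool(false);
    return e.text();
}

// A long function: 1200 bytes of code after the load force exactly one mid-stream flush.
std::string emitLongFunction() {
    Sh4ConstPoolEmitter e;
    e.loadImmediate(0x12345678, "r2");
    for (int i = 0; i < 600; ++i)
        e.instruction("nop");
    e.flushPool(false); // pool already empty: nothing more to dump
    return e.text();
}
```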
1766
1767 2013-10-15  Mark Lam  <mark.lam@apple.com>
1768
1769         Fix broken C Loop LLINT build.
1770         https://bugs.webkit.org/show_bug.cgi?id=122839.
1771
1772         Reviewed by Michael Saboff.
1773
1774         * dfg/DFGFlushedAt.cpp:
1775         * jit/JITOperations.h:
1776
1777 2013-10-14  Mark Lam  <mark.lam@apple.com>
1778
1779         Transition *switch* and *scope* JITStubs to JIT operations.
1780         https://bugs.webkit.org/show_bug.cgi?id=122757.
1781
1782         Reviewed by Geoffrey Garen.
1783
1784         Transitioning:
1785             cti_op_switch_char
1786             cti_op_switch_imm
1787             cti_op_switch_string
1788             cti_op_resolve_scope
1789             cti_op_get_from_scope
1790             cti_op_put_to_scope
1791
1792         * jit/JIT.h:
1793         * jit/JITInlines.h:
1794         (JSC::JIT::callOperation):
1795         * jit/JITOpcodes.cpp:
1796         (JSC::JIT::emit_op_switch_imm):
1797         (JSC::JIT::emit_op_switch_char):
1798         (JSC::JIT::emit_op_switch_string):
1799         * jit/JITOpcodes32_64.cpp:
1800         (JSC::JIT::emit_op_switch_imm):
1801         (JSC::JIT::emit_op_switch_char):
1802         (JSC::JIT::emit_op_switch_string):
1803         * jit/JITOperations.cpp:
1804         * jit/JITOperations.h:
1805         * jit/JITPropertyAccess.cpp:
1806         (JSC::JIT::emitSlow_op_resolve_scope):
1807         (JSC::JIT::emitSlow_op_get_from_scope):
1808         (JSC::JIT::emitSlow_op_put_to_scope):
1809         * jit/JITPropertyAccess32_64.cpp:
1810         (JSC::JIT::emitSlow_op_resolve_scope):
1811         (JSC::JIT::emitSlow_op_get_from_scope):
1812         (JSC::JIT::emitSlow_op_put_to_scope):
1813         * jit/JITStubs.cpp:
1814         * jit/JITStubs.h:
1815
1816 2013-10-14  Filip Pizlo  <fpizlo@apple.com>
1817
1818         DFG PutById IC should use the ConcurrentJITLocker since it's now dealing with IC's that get read by the compiler thread
1819         https://bugs.webkit.org/show_bug.cgi?id=122786
1820
1821         Reviewed by Mark Hahnenberg.
1822
1823         * bytecode/CodeBlock.cpp:
1824         (JSC::CodeBlock::resetStub): Resetting a stub should acquire the lock since this is observable from the thread; but we should only acquire the lock if we're resetting outside of GC.
1825         * jit/Repatch.cpp:
1826         (JSC::repatchPutByID): Doing the PutById patching should hold the lock.
1827         (JSC::buildPutByIdList): Ditto.
1828
1829 2013-10-14  Nadav Rotem  <nrotem@apple.com>
1830
1831         Add FTL support for LogicalNot(string)
1832         https://bugs.webkit.org/show_bug.cgi?id=122765
1833
1834         Reviewed by Filip Pizlo.
1835
1836         This patch is tested by:
1837         regress/script-tests/emscripten-cube2hash.js.ftl-eager
1838
1839         * ftl/FTLCapabilities.cpp:
1840         (JSC::FTL::canCompile):
1841         * ftl/FTLLowerDFGToLLVM.cpp:
1842         (JSC::FTL::LowerDFGToLLVM::compileLogicalNot):
1843
1844 2013-10-14  Julien Brianceau  <jbriance@cisco.com>
1845
1846         [sh4] Fixes after r157404 and r157411.
1847         https://bugs.webkit.org/show_bug.cgi?id=122782
1848
1849         Reviewed by Michael Saboff.
1850
1851         * dfg/DFGSpeculativeJIT.h:
1852         (JSC::DFG::SpeculativeJIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG.
1853         * jit/CCallHelpers.h:
1854         (JSC::CCallHelpers::setupArgumentsWithExecState):
1855         * jit/JITInlines.h:
1856         (JSC::JIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG.
1857         * jit/JITPropertyAccess32_64.cpp:
1858         (JSC::JIT::emit_op_put_by_id): Remove unwanted BEGIN_UNINTERRUPTED_SEQUENCE.
1859
1860 2013-10-14  Commit Queue  <commit-queue@webkit.org>
1861
1862         Unreviewed, rolling out r157413.
1863         http://trac.webkit.org/changeset/157413
1864         https://bugs.webkit.org/show_bug.cgi?id=122779
1865
1866         Appears to have caused frequent crashes (Requested by ap on
1867         #webkit).
1868
1869         * CMakeLists.txt:
1870         * GNUmakefile.list.am:
1871         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1872         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1873         * JavaScriptCore.xcodeproj/project.pbxproj:
1874         * heap/DeferGC.cpp: Removed.
1875         * heap/DeferGC.h:
1876         * jit/JITStubs.cpp:
1877         (JSC::tryCacheGetByID):
1878         (JSC::DEFINE_STUB_FUNCTION):
1879         * llint/LLIntSlowPaths.cpp:
1880         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1881         * runtime/ConcurrentJITLock.h:
1882         * runtime/InitializeThreading.cpp:
1883         (JSC::initializeThreadingOnce):
1884         * runtime/JSCellInlines.h:
1885         (JSC::allocateCell):
1886         * runtime/Structure.cpp:
1887         (JSC::Structure::materializePropertyMap):
1888         (JSC::Structure::putSpecificValue):
1889         (JSC::Structure::createPropertyMap):
1890         * runtime/Structure.h:
1891
1892 2013-10-14  Mark Hahnenberg  <mhahnenberg@apple.com>
1893
1894         COLLECT_ON_EVERY_ALLOCATION causes assertion failures
1895         https://bugs.webkit.org/show_bug.cgi?id=122652
1896
1897         Reviewed by Filip Pizlo.
1898
1899         COLLECT_ON_EVERY_ALLOCATION wasn't accounting for the new GC deferral mechanism,
1900         so we would end up ASSERTing during garbage collection.
1901
1902         * heap/MarkedAllocator.cpp:
1903         (JSC::MarkedAllocator::allocateSlowCase):
1904
1905 2013-10-11  Oliver Hunt  <oliver@apple.com>
1906
1907         Separate out array iteration intrinsics
1908         https://bugs.webkit.org/show_bug.cgi?id=122656
1909
1910         Reviewed by Michael Saboff.
1911
1912         Separate out the intrinsics for key and values iteration
1913         of arrays.
1914
1915         This requires moving array iteration into the iterator
1916         instance, rather than the prototype, but this is essentially
1917         unobservable so we'll live with it for now.
1918
1919         * jit/ThunkGenerators.cpp:
1920         (JSC::arrayIteratorNextThunkGenerator):
1921         (JSC::arrayIteratorNextKeyThunkGenerator):
1922         (JSC::arrayIteratorNextValueThunkGenerator):
1923         * jit/ThunkGenerators.h:
1924         * runtime/ArrayIteratorPrototype.cpp:
1925         (JSC::ArrayIteratorPrototype::finishCreation):
1926         * runtime/Intrinsic.h:
1927         * runtime/JSArrayIterator.cpp:
1928         (JSC::JSArrayIterator::finishCreation):
1929         (JSC::createIteratorResult):
1930         (JSC::arrayIteratorNext):
1931         (JSC::arrayIteratorNextKey):
1932         (JSC::arrayIteratorNextValue):
1933         (JSC::arrayIteratorNextGeneric):
1934         * runtime/VM.cpp:
1935         (JSC::thunkGeneratorForIntrinsic):
1936
1937 2013-10-11  Mark Hahnenberg  <mhahnenberg@apple.com>
1938
1939         llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
1940         https://bugs.webkit.org/show_bug.cgi?id=122667
1941
1942         Reviewed by Filip Pizlo.
1943
1944         The issue this patch is attempting to fix is that there are places in our codebase
1945         where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
1946         operations that can initiate a garbage collection. Garbage collection then calls 
1947         some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
1948         always necessarily run during garbage collection). This causes a deadlock.
1949
1950         To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores 
1951         into a thread-local field that indicates that it is unsafe to perform any operation 
1952         that could trigger garbage collection on the current thread. In debug builds, 
1953         ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly 
1954         detect deadlocks.
1955
1956         This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
1957         which uses the DeferGC mechanism to prevent collections from occurring while the 
1958         lock is held.
1959
1960         * CMakeLists.txt:
1961         * GNUmakefile.list.am:
1962         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1963         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1964         * JavaScriptCore.xcodeproj/project.pbxproj:
1965         * heap/DeferGC.cpp: Added.
1966         * heap/DeferGC.h:
1967         (JSC::DisallowGC::DisallowGC):
1968         (JSC::DisallowGC::~DisallowGC):
1969         (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
1970         (JSC::DisallowGC::initialize):
1971         * jit/JITStubs.cpp:
1972         (JSC::tryCachePutByID):
1973         (JSC::tryCacheGetByID):
1974         (JSC::DEFINE_STUB_FUNCTION):
1975         * llint/LLIntSlowPaths.cpp:
1976         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1977         * runtime/ConcurrentJITLock.h:
1978         (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
1979         (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
1980         (JSC::ConcurrentJITLockerBase::unlockEarly):
1981         (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
1982         (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
1983         * runtime/InitializeThreading.cpp:
1984         (JSC::initializeThreadingOnce):
1985         * runtime/JSCellInlines.h:
1986         (JSC::allocateCell):
1987         * runtime/Structure.cpp:
1988         (JSC::Structure::materializePropertyMap):
1989         (JSC::Structure::putSpecificValue):
1990         (JSC::Structure::createPropertyMap):
1991         * runtime/Structure.h:
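
The deadlock described in this entry and the two guards that address it, as an added example in plain C++ (constructed here, not JSC's DeferGC.h or ConcurrentJITLock.h): a thread-local DisallowGC counter that the debug locker carries, a DeferGC that coalesces collections requested under the GC-safe locker, and an allocation that reports the hazard instead of re-taking the lock. CodeBlock, allocateCell, collectGarbage and the scenario functions are minimal stand-ins with assumed names.

```cpp
#include <mutex>

// Thread-local bookkeeping for the two guards (constructed model, not JSC's code);
// counters rather than bools so that nested guards compose.
static thread_local unsigned gcDisallowDepth = 0; // live DisallowGC guards on this thread
static thread_local unsigned gcDeferDepth = 0;    // live DeferGC guards on this thread
static thread_local bool gcPending = false;       // a collection was requested while deferred
static unsigned collectionsRun = 0;               // collections that actually ran

struct CodeBlock { std::mutex lock; };            // lock stands in for the ConcurrentJITLock
void collectGarbage(CodeBlock&);

// RAII marker: while one is alive, triggering a collection on this thread is a bug.
class DisallowGC {
public:
    DisallowGC() { ++gcDisallowDepth; }
    ~DisallowGC() { --gcDisallowDepth; }
    static bool isGCDisallowedOnCurrentThread() { return gcDisallowDepth > 0; }
};

// RAII deferral: collections requested while one is alive run once, after the last guard goes.
class DeferGC {
public:
    explicit DeferGC(CodeBlock& cb) : m_codeBlock(cb) { ++gcDeferDepth; }
    ~DeferGC() {
        if (--gcDeferDepth == 0 && gcPending) {
            gcPending = false;
            collectGarbage(m_codeBlock);
        }
    }
private:
    CodeBlock& m_codeBlock;
};

// Debug-build locker: carries a DisallowGC, so allocating under the lock is caught at the
// allocation site instead of deadlocking inside the collector.
class ConcurrentJITLocker {
public:
    explicit ConcurrentJITLocker(CodeBlock& cb) : m_lock(cb.lock) {}
private:
    std::lock_guard<std::mutex> m_lock;
    DisallowGC m_disallowGC;
};

// GC-safe locker: defers collections instead. DeferGC is declared first so it is destroyed
// last, i.e. the deferred collection runs only after the lock has been released.
class GCSafeConcurrentJITLocker {
public:
    explicit GCSafeConcurrentJITLocker(CodeBlock& cb) : m_deferGC(cb), m_lock(cb.lock) {}
private:
    DeferGC m_deferGC;
    std::lock_guard<std::mutex> m_lock;
};

// The collector visits the CodeBlock under its lock: exactly the re-entry that deadlocks a
// thread which already holds it.
void collectGarbage(CodeBlock& cb) {
    ConcurrentJITLocker locker(cb);
    ++collectionsRun;
}
enum class AllocOutcome { Collected, Deferred, Hazard };
struct Scenario { AllocOutcome outcome; unsigned collections; };

// Stand-in for allocateCell(): an allocation that may trigger a collection. JSC would ASSERT
// on the hazard; it is returned here so the scenarios below can be checked.
AllocOutcome allocateCell(CodeBlock& cb) {
    if (DisallowGC::isGCDisallowedOnCurrentThread())
        return AllocOutcome::Hazard; // would re-take cb.lock on this thread
    if (gcDeferDepth > 0) {
        gcPending = true;
        return AllocOutcome::Deferred;
    }
    collectGarbage(cb);
    return AllocOutcome::Collected;
}
// The bug pattern: allocate while holding the plain locker. Caught eagerly, no deadlock.
Scenario allocateUnderPlainLocker() {
    CodeBlock cb;
    unsigned before = collectionsRun;
    ConcurrentJITLocker locker(cb);
    return { allocateCell(cb), collectionsRun - before }; // Hazard, 0
}
// The fix: allocate under the GC-safe locker. Two requests while the lock is held coalesce
// into one collection that runs once the lock is dropped.
Scenario allocateUnderGCSafeLocker() {
    CodeBlock cb;
    unsigned before = collectionsRun;
    AllocOutcome first = AllocOutcome::Collected;
    {
        GCSafeConcurrentJITLocker locker(cb);
        first = allocateCell(cb);
        allocateCell(cb);
    }
    return { first, collectionsRun - before }; // Deferred, 1
}
```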
1992
1993 2013-10-14  Filip Pizlo  <fpizlo@apple.com>
1994
1995         Baseline JIT should use the DFG's PutById IC
1996         https://bugs.webkit.org/show_bug.cgi?id=122704
1997
1998         Reviewed by Mark Hahnenberg.
1999         
2000         Mostly no big deal, just removing the old Baseline JIT's put_by_id IC support and forcing
2001         that JIT to use the DFG's (i.e. JITOperations) PutById IC.
2002         
2003         The only complicated part was that the PutById operations assumed that we first did a
2004         cell speculation, which the baseline JIT obviously won't do. So I changed all of those
2005         slow paths to deal with EncodedJSValue's.
2006
2007         * bytecode/CodeBlock.cpp:
2008         (JSC::CodeBlock::resetStubInternal):
2009         * bytecode/PutByIdStatus.cpp:
2010         (JSC::PutByIdStatus::computeFor):
2011         * dfg/DFGSpeculativeJIT.h:
2012         (JSC::DFG::SpeculativeJIT::callOperation):
2013         * dfg/DFGSpeculativeJIT32_64.cpp:
2014         (JSC::DFG::SpeculativeJIT::cachedPutById):
2015         * dfg/DFGSpeculativeJIT64.cpp:
2016         (JSC::DFG::SpeculativeJIT::cachedPutById):
2017         * jit/CCallHelpers.h:
2018         (JSC::CCallHelpers::setupArgumentsWithExecState):
2019         * jit/JIT.cpp:
2020         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
2021         * jit/JIT.h:
2022         (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
2023         (JSC::PropertyStubCompilationInfo::slowCaseInfo):
2024         * jit/JITInlines.h:
2025         (JSC::JIT::callOperation):
2026         * jit/JITOperationWrappers.h:
2027         * jit/JITOperations.cpp:
2028         * jit/JITOperations.h:
2029         * jit/JITPropertyAccess.cpp:
2030         (JSC::JIT::compileGetByIdHotPath):
2031         (JSC::JIT::compileGetByIdSlowCase):
2032         (JSC::JIT::emit_op_put_by_id):
2033         (JSC::JIT::emitSlow_op_put_by_id):
2034         * jit/JITPropertyAccess32_64.cpp:
2035         (JSC::JIT::compileGetByIdSlowCase):
2036         (JSC::JIT::emit_op_put_by_id):
2037         (JSC::JIT::emitSlow_op_put_by_id):
2038         * jit/JITStubs.cpp:
2039         * jit/JITStubs.h:
2040         * jit/Repatch.cpp:
2041         (JSC::appropriateGenericPutByIdFunction):
2042         (JSC::appropriateListBuildingPutByIdFunction):
2043         (JSC::resetPutByID):
2044
2045 2013-10-13  Filip Pizlo  <fpizlo@apple.com>
2046
2047         FTL should have an inefficient but correct implementation of GetById
2048         https://bugs.webkit.org/show_bug.cgi?id=122740
2049
2050         Reviewed by Mark Hahnenberg.
2051         
2052         It took some effort to realize that the node->prediction() checks in the DFG backends
2053         are completely unnecessary since the ByteCodeParser will always insert a ForceOSRExit
2054         if !prediction.
2055         
2056         But other than that this was an easy patch.
2057
2058         * dfg/DFGByteCodeParser.cpp:
2059         (JSC::DFG::ByteCodeParser::handleGetById):
2060         * dfg/DFGSpeculativeJIT32_64.cpp:
2061         (JSC::DFG::SpeculativeJIT::compile):
2062         * dfg/DFGSpeculativeJIT64.cpp:
2063         (JSC::DFG::SpeculativeJIT::compile):
2064         * ftl/FTLCapabilities.cpp:
2065         (JSC::FTL::canCompile):
2066         * ftl/FTLIntrinsicRepository.h:
2067         * ftl/FTLLowerDFGToLLVM.cpp:
2068         (JSC::FTL::LowerDFGToLLVM::compileNode):
2069         (JSC::FTL::LowerDFGToLLVM::compileGetById):
2070
2071 2013-10-13  Mark Lam  <mark.lam@apple.com>
2072
2073         Transition misc cti_op_* JITStubs to JIT operations.
2074         https://bugs.webkit.org/show_bug.cgi?id=122645.
2075
2076         Reviewed by Michael Saboff.
2077
2078         Stubs converted:
2079             cti_op_check_has_instance
2080             cti_op_create_arguments
2081             cti_op_del_by_id
2082             cti_op_instanceof
2083             cti_to_object
2084             cti_op_push_activation
2085             cti_op_get_pnames
2086             cti_op_load_varargs
2087
2088         * dfg/DFGOperations.cpp:
2089         * dfg/DFGOperations.h:
2090         * jit/CCallHelpers.h:
2091         (JSC::CCallHelpers::setupArgumentsWithExecState):
2092         * jit/JIT.h:
2093         (JSC::JIT::emitStoreCell):
2094         * jit/JITCall.cpp:
2095         (JSC::JIT::compileLoadVarargs):
2096         * jit/JITCall32_64.cpp:
2097         (JSC::JIT::compileLoadVarargs):
2098         * jit/JITInlines.h:
2099         (JSC::JIT::callOperation):
2100         * jit/JITOpcodes.cpp:
2101         (JSC::JIT::emit_op_get_pnames):
2102         (JSC::JIT::emit_op_create_activation):
2103         (JSC::JIT::emit_op_create_arguments):
2104         (JSC::JIT::emitSlow_op_check_has_instance):
2105         (JSC::JIT::emitSlow_op_instanceof):
2106         (JSC::JIT::emitSlow_op_get_argument_by_val):
2107         * jit/JITOpcodes32_64.cpp:
2108         (JSC::JIT::emitSlow_op_check_has_instance):
2109         (JSC::JIT::emitSlow_op_instanceof):
2110         (JSC::JIT::emit_op_get_pnames):
2111         (JSC::JIT::emit_op_create_activation):
2112         (JSC::JIT::emit_op_create_arguments):
2113         (JSC::JIT::emitSlow_op_get_argument_by_val):
2114         * jit/JITOperations.cpp:
2115         * jit/JITOperations.h:
2116         * jit/JITPropertyAccess.cpp:
2117         (JSC::JIT::emit_op_del_by_id):
2118         * jit/JITPropertyAccess32_64.cpp:
2119         (JSC::JIT::emit_op_del_by_id):
2120         * jit/JITStubs.cpp:
2121         * jit/JITStubs.h:
2122
2123 2013-10-13  Filip Pizlo  <fpizlo@apple.com>
2124
2125         FTL OSR exit should perform zero extension on values smaller than 64-bit
2126         https://bugs.webkit.org/show_bug.cgi?id=122688
2127
2128         Reviewed by Gavin Barraclough.
2129         
2130         In the DFG we usually make the simplistic assumption that a 32-bit value in a 64-bit
2131         register will have zeros on the high bits.  In the few cases where the high bits are
2132         non-zero, the DFG sort of tells us this explicitly.
2133
2134         But when working with llvm.webkit.stackmap, it doesn't work that way.  Consider we might
2135         emit LLVM IR like:
2136
2137             %2 = trunc i64 %1 to i32
2138             stuff %2
2139             call @llvm.webkit.stackmap(...., %2)
2140
2141         LLVM may never actually emit a truncation instruction of any kind.  And that's great - in
2142         many cases it won't be needed, like if 'stuff %2' is a 32-bit op that ignores the high
2143         bits anyway.  Hence LLVM may tell us that %2 is in the register that still had the value
2144         from before truncation, and that register may have garbage in the high bits.
2145
2146         This means that on our end, if we want a 32-bit value and we want that value to be
2147         zero-extended, we should zero-extend it ourselves.  This is pretty easy and should be
2148         cheap, so we should just do it and not make it a requirement that LLVM does it on its
2149         end.
2150         
2151         This makes all tests pass with JSC_ftlOSRExitUsesStackmap=true.
2152
2153         * ftl/FTLOSRExitCompiler.cpp:
2154         (JSC::FTL::compileStubWithOSRExitStackmap):
2155         * ftl/FTLValueFormat.cpp:
2156         (JSC::FTL::reboxAccordingToFormat):
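
The garbage-high-bits failure mode described in this entry, as an added C++ example (constructed here, not FTLValueFormat.cpp): a register whose truncation LLVM elided, reboxed once trusting the high bits and once after an explicit zero extension. The number tag is assumed from JSC's 64-bit JSValue encoding as I recall it, and the function names are mine.

```cpp
#include <cstdint>

// TagTypeNumber is JSC's 64-bit JSValue number tag as I know it (treated as an assumption
// here): an int32 is boxed as the tag OR-ed with the zero-extended 32-bit value.
constexpr uint64_t TagTypeNumber = 0xffff000000000000ull;

// A register that "holds an i32" after LLVM elided the trunc: the low 32 bits are the value,
// the high 32 bits are whatever the pre-truncation i64 carried (constructed input).
constexpr uint64_t registerAfterElidedTrunc(uint32_t value, uint32_t leftover) {
    return (static_cast<uint64_t>(leftover) << 32) | value;
}

// Rebox that trusts the high bits to be zero (the assumption that holds for DFG-generated code).
constexpr uint64_t reboxInt32Trusting(uint64_t reg) { return TagTypeNumber | reg; }

// Rebox that zero-extends first, as the patch makes the FTL OSR exit do.
constexpr uint64_t reboxInt32(uint64_t reg) { return TagTypeNumber | static_cast<uint32_t>(reg); }

// Decoding only looks at the low 32 bits, so the corrupted box still yields the right integer...
constexpr int32_t unboxInt32(uint64_t boxed) {
    return static_cast<int32_t>(static_cast<uint32_t>(boxed));
}

// ...but it is not the canonical encoding: every bit above bit 31 must be exactly the tag, and
// anything that keys on the raw 64 bits will see two different values for the same integer.
constexpr bool isCanonicalInt32(uint64_t boxed) {
    return (boxed >> 32) == (TagTypeNumber >> 32);
}
```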
2157
2158 == Rolled over to ChangeLog-2013-10-13 ==