Source/JavaScriptCore: Unreviewed, it is no longer necessary to call DisablePrettySta...
1 2013-11-03  Filip Pizlo  <fpizlo@apple.com>
2
3         Unreviewed, it is no longer necessary to call DisablePrettyStackTrace.
4
5         * llvm/library/LLVMExports.cpp:
6         (initializeAndGetJSCLLVMAPI):
7
8 2013-11-02  Mark Lam  <mark.lam@apple.com>
9
10         Assertion failure in non-JIT'ed LLInt on ARM Thumb.
11         https://bugs.webkit.org/show_bug.cgi?id=97569.
12
13         Reviewed by Geoffrey Garen.
14
15         * assembler/MacroAssemblerCodeRef.h:
16         - Thumb2 alignment assertions do not apply to the C Loop LLINT because
17           the arguments passed to those assertions are actually OpcodeIDs
18           masquerading as addresses.
19         * llint/LLIntOfflineAsmConfig.h:
20         - Some of the #defines belong in the !ENABLE(LLINT_C_LOOP) section.
21           Moving them there.
22         * llint/LowLevelInterpreter.cpp:
23         - Keep the compiler happy about some unreferenced C Loop labels.
24
25 2013-11-02  Filip Pizlo  <fpizlo@apple.com>
26
27         FTL should use LLVM intrinsics for OSR exit, watchpoints, inline caches, and stack layout
28         https://bugs.webkit.org/show_bug.cgi?id=122318
29
30         Reviewed by Geoffrey Garen.
31         
32         This all now works. This patch just updates our implementation to work with LLVM trunk,
33         and removes all of the old code that tried to do OSR exits and heap accesses without
34         the benefit of those intrinsics.
35         
36         In particular:
37         
38         - StackMaps parsing now uses the new, less compact, but more future-proof, format.
39         
40         - Remove the ftlUsesStackmaps() option and hard-code ftlUsesStackmaps = true. Remove
41           all code for ftlUsesStackmaps = false, since that was only there for back when we
42           didn't have the intrinsics.
43         
44         - Remove the other experimental OSR options (useLLVMOSRExitIntrinsic,
45           ftlTrapsOnOSRExit, and FTLOSRExitOmitsMarshalling).
46         
47         - Remove LowerDFGToLLVM's use of the ExitThunkGenerator since we don't need to generate
48           the exit thunks until after we parse the stackmaps.
49         
50         - Remove all of the exit thunk and compiler code for the no-stackmaps case.
51
52         * dfg/DFGDriver.cpp:
53         (JSC::DFG::compileImpl):
54         * ftl/FTLCompile.cpp:
55         (JSC::FTL::mmAllocateDataSection):
56         * ftl/FTLExitThunkGenerator.cpp:
57         (JSC::FTL::ExitThunkGenerator::emitThunk):
58         * ftl/FTLIntrinsicRepository.h:
59         * ftl/FTLLocation.cpp:
60         (JSC::FTL::Location::forStackmaps):
61         * ftl/FTLLowerDFGToLLVM.cpp:
62         (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
63         (JSC::FTL::LowerDFGToLLVM::lower):
64         (JSC::FTL::LowerDFGToLLVM::compileGetById):
65         (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
66         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
67         (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
68         (JSC::FTL::LowerDFGToLLVM::callStackmap):
69         (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
70         * ftl/FTLOSRExitCompilationInfo.h:
71         (JSC::FTL::OSRExitCompilationInfo::OSRExitCompilationInfo):
72         * ftl/FTLOSRExitCompiler.cpp:
73         (JSC::FTL::compileStub):
74         (JSC::FTL::compileFTLOSRExit):
75         * ftl/FTLStackMaps.cpp:
76         (JSC::FTL::StackMaps::Location::parse):
77         (JSC::FTL::StackMaps::parse):
78         (WTF::printInternal):
79         * ftl/FTLStackMaps.h:
80         * ftl/FTLThunks.cpp:
81         (JSC::FTL::osrExitGenerationThunkGenerator):
82         * ftl/FTLThunks.h:
83         (JSC::FTL::Thunks::getOSRExitGenerationThunk):
84         * runtime/Options.h:
85
86 2013-11-02  Patrick Gansterer  <paroga@webkit.org>
87
88         Add missing getHostCallReturnValue() for MSVC ARM
89         https://bugs.webkit.org/show_bug.cgi?id=123685
90
91         Reviewed by Darin Adler.
92
93         * jit/JITStubsARM.h:
94
95 2013-11-02  Patrick Gansterer  <paroga@webkit.org>
96
97         Fix MSVC warning about unary minus operator
98         https://bugs.webkit.org/show_bug.cgi?id=123674
99
100         Reviewed by Darin Adler.
101
102         Change some static_cast<> to silence the following warning of Microsoft compiler:
103         warning C4146: unary minus operator applied to unsigned type, result still unsigned
104
105         * jit/Repatch.cpp:
106         (JSC::emitPutTransitionStub):
107
108 2013-11-02  Filip Pizlo  <fpizlo@apple.com>
109
110         Disable LLVM's pretty stack traces, which involve intercepting fatal signals
111         https://bugs.webkit.org/show_bug.cgi?id=123681
112
113         Reviewed by Geoffrey Garen.
114
115         * llvm/library/LLVMExports.cpp:
116         (initializeAndGetJSCLLVMAPI):
117
118 2013-11-02  Filip Pizlo  <fpizlo@apple.com>
119
120         LLVM assertion failures should funnel into WTF's crash handling
121         https://bugs.webkit.org/show_bug.cgi?id=123682
122
123         Reviewed by Geoffrey Garen.
124         
125         Inside llvmForJSC, we override assertion-related functions and funnel them
126         into g_llvmTrapCallback(). We also now register a fatal error handler inside
127         the library and funnel that into g_llvmTrapCallback, and have
128         initializeAndGetJSCLLVMAPI() take such a callback as an argument.
129         
130         Inside JSC, we no longer call LLVMInstallFatalErrorHandler() but instead we
131         pass WTFLogAlwaysAndCrash() as the trap callback for llvmForJSC.
132
133         * llvm/InitializeLLVM.cpp:
134         (JSC::initializeLLVM):
135         * llvm/InitializeLLVMPOSIX.cpp:
136         (JSC::initializeLLVMPOSIX):
137         * llvm/library/LLVMExports.cpp:
138         (llvmCrash):
139         (initializeAndGetJSCLLVMAPI):
140         * llvm/library/LLVMOverrides.cpp:
141         (raise):
142         (__assert_rtn):
143         (abort):
144         * llvm/library/LLVMTrapCallback.h: Added.
145
146 2013-11-02  Filip Pizlo  <fpizlo@apple.com>
147
148         CodeBlock::jettison() shouldn't call baselineVersion()
149         https://bugs.webkit.org/show_bug.cgi?id=123675
150
151         Reviewed by Geoffrey Garen.
152         
153         Fix more uses of baselineVersion().
154
155         * bytecode/CodeBlock.cpp:
156         (JSC::CodeBlock::jettison):
157         * bytecode/CodeBlock.h:
158         * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
159         (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):
160
161 2013-11-02  Filip Pizlo  <fpizlo@apple.com>
162
163         LLVM asserts in internal-js-tests.yaml/Octane/stress-tests/mandreel.js
164         https://bugs.webkit.org/show_bug.cgi?id=123535
165
166         Reviewed by Geoffrey Garen.
167         
168         Use double comparisons for doubles.
169
170         * ftl/FTLLowerDFGToLLVM.cpp:
171         (JSC::FTL::LowerDFGToLLVM::doubleToInt32):
172
173 2013-11-02  Patrick Gansterer  <paroga@webkit.org>
174
175         Various small WinCE build fixes
176
177         * jsc.cpp:
178         (main):
179
180 2013-11-02  Patrick Gansterer  <paroga@webkit.org>
181
182         Fix MSVC ARM build after r157581.
183
184         * jit/JITStubsARM.h:
185
186 2013-11-01  Filip Pizlo  <fpizlo@apple.com>
187
188         FTL should use a simple optimization pipeline by default
189         https://bugs.webkit.org/show_bug.cgi?id=123638
190
191         Reviewed by Geoffrey Garen.
192         
193         20% speed-up on imagine-gaussian-blur, when combined with --ftlUsesStackmaps=true.
194
195         * ftl/FTLCompile.cpp:
196         (JSC::FTL::compile):
197         * runtime/Options.h:
198
199 2013-11-01  Andreas Kling  <akling@apple.com>
200
201         Neuter WTF_MAKE_FAST_ALLOCATED in GLOBAL_FASTMALLOC_NEW builds.
202         <https://webkit.org/b/123639>
203
204         JSC::ParserArenaRefCounted really needed to have the new/delete
205         operators overridden, in order for JSC::ScopeNode to be able to
206         choose that "operator new" out of the two it inherits.
207
208         Reviewed by Anders Carlsson.
209
210 2013-11-01  Filip Pizlo  <fpizlo@apple.com>
211
212         OSR exit profiling should be robust against all code being cleared
213         https://bugs.webkit.org/show_bug.cgi?id=123629
214         <rdar://problem/15365476>
215
216         Reviewed by Michael Saboff.
217         
218         The problem here is two-fold:
219
220         1) A watchpoint (i.e. ProfiledCodeBlockJettisoningWatchpoint) may be fired after we
221         have cleared the CodeBlock for all or some Executables.  This means that doing
222         codeBlock->baselineVersion() would either crash or return a bogus CodeBlock, since
223         there wasn't a baseline code block reachable from the Executable anymore.  The
224         solution is that we shouldn't be asking for the baseline code block reachable from
225         the owning executable (what baselineVersion did), but instead we should be asking
226         for the baseline version reachable from the code block being watchpointed (basically
227         what CodeBlock::alternative() did).
228
229         2) If dealing with inlined code, baselineCodeBlockForOriginAndBaselineCodeBlock()
230         may return null, for the same reason as above - we might have cleared the baseline
231         codeblock for the executable that was inlined.  The solution is to just not do
232         profiling if there isn't a baseline code block anymore.
233
234         * bytecode/CodeBlock.cpp:
235         (JSC::CodeBlock::baselineAlternative):
236         (JSC::CodeBlock::baselineVersion):
237         (JSC::CodeBlock::jettison):
238         * bytecode/CodeBlock.h:
239         * bytecode/CodeBlockJettisoningWatchpoint.cpp:
240         (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
241         * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
242         (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):
243         * dfg/DFGOSRExitBase.cpp:
244         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
245         * jit/AssemblyHelpers.h:
246         (JSC::AssemblyHelpers::AssemblyHelpers):
247         * runtime/Executable.cpp:
248         (JSC::FunctionExecutable::baselineCodeBlockFor):
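
The following is an added illustration, not JavaScriptCore code: a small model of the two baseline lookups the entry above contrasts, the owner-based baselineVersion() that goes stale once code is cleared, and the alternative()-chain walk that stays reachable from the watched block, with the null case skipping profiling. The names follow the ChangeLog; the structures, fields and bodies are simplifying assumptions.

```cpp
// Added example, not JavaScriptCore code: models the two baseline lookups the
// entry above contrasts. Names follow the ChangeLog; the structures and bodies
// are simplifying assumptions.
namespace osr_model {
enum class JITType { Baseline, DFG };
struct CodeBlock;

// The Executable owns the current baseline block; clearing code drops it.
struct Executable {
    CodeBlock* baselineCodeBlock = nullptr;
    void clearCode() { baselineCodeBlock = nullptr; }
};

struct CodeBlock {
    JITType jitType;
    Executable* ownerExecutable;
    CodeBlock* alternative = nullptr; // the block this one was compiled from
    int frequentExitSites = 0;

    // What baselineVersion() did: ask the owner. Null (or worse) once the
    // Executable's code has been cleared.
    CodeBlock* baselineVersion() const { return ownerExecutable->baselineCodeBlock; }

    // What alternative() gave: walk the chain hanging off this very block,
    // which stays reachable for as long as this block is alive.
    CodeBlock* baselineAlternative() {
        CodeBlock* result = this;
        while (result->alternative) result = result->alternative;
        return result->jitType == JITType::Baseline ? result : nullptr;
    }
};

// Exit profiling after a watchpoint fires: record the exit on the baseline
// block reachable from the watched block, or skip profiling if there is none
// (the inlined-callee case where the baseline block was cleared).
inline bool considerAddingAsFrequentExitSite(CodeBlock* watched) {
    CodeBlock* baseline = watched->baselineAlternative();
    if (!baseline) return false;
    ++baseline->frequentExitSites;
    return true;
}

// Code cleared, then the watchpoint fires: old lookup is null, new one works.
inline bool scenarioAfterClear() {
    Executable exec;
    CodeBlock baseline{JITType::Baseline, &exec};
    CodeBlock dfg{JITType::DFG, &exec, &baseline};
    exec.baselineCodeBlock = &baseline;
    exec.clearCode();
    bool oldLookupNull = dfg.baselineVersion() == nullptr;
    bool profiled = considerAddingAsFrequentExitSite(&dfg);
    return oldLookupNull && profiled && baseline.frequentExitSites == 1;
}

// No baseline reachable at all: profiling is skipped instead of dereferencing null.
inline bool scenarioNoBaselineReachable() {
    Executable exec;
    CodeBlock orphan{JITType::DFG, &exec};
    return !considerAddingAsFrequentExitSite(&orphan) && orphan.frequentExitSites == 0;
}
} // namespace osr_model
```

The design point is the same as in the entry: look up the baseline through a reference the watched object itself owns, and treat "no baseline" as a reason to skip profiling rather than a state that cannot happen.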
249
250 2013-10-31  Oliver Hunt  <oliver@apple.com>
251
252         JavaScript parser bug
253         https://bugs.webkit.org/show_bug.cgi?id=123506
254
255         Reviewed by Mark Lam.
256
257         Add ParserState as an abstraction and use that to save and restore
258         the parser state around nested functions (We'll need to use this in
259         more places in future).  Also fix a minor error typo these testcases
260         hit.
261
262         * parser/Parser.cpp:
263         (JSC::::parseFunctionInfo):
264         (JSC::::parseAssignmentExpression):
265         * parser/Parser.h:
266         (JSC::Parser::saveState):
267         (JSC::Parser::restoreState):
268
269 2013-10-31  Filip Pizlo  <fpizlo@apple.com>
270
271         FTL Int32ToDouble should handle the forward type check case where you need a recovery
272         https://bugs.webkit.org/show_bug.cgi?id=123605
273
274         Reviewed by Mark Hahnenberg.
275         
276         If you have an Int32ToDouble that needs to do a type check and it's required to do a
277         forward exit, then it needs to manually pass in a value recovery for itself in the
278         OSR exit - since this is one of those forward-exiting nodes that doesn't have a
279         preceding MovHint.
280
281         * ftl/FTLLowerDFGToLLVM.cpp:
282         (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble):
283         (JSC::FTL::LowerDFGToLLVM::forwardTypeCheck):
284
285 2013-10-31  Filip Pizlo  <fpizlo@apple.com>
286
287         FTL should implement InvalidationPoint in terms of llvm.stackmap
288         https://bugs.webkit.org/show_bug.cgi?id=113647
289
290         Reviewed by Mark Hahnenberg.
291         
292         This is pretty straightforward now that InvalidationPoint has exactly the semantics
293         that agree with llvm.stackmap.
294
295         * ftl/FTLCompile.cpp:
296         (JSC::FTL::fixFunctionBasedOnStackMaps):
297         * ftl/FTLLowerDFGToLLVM.cpp:
298         (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
299         (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
300         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
301         (JSC::FTL::LowerDFGToLLVM::callStackmap):
302         * ftl/FTLOSRExitCompilationInfo.h:
303         (JSC::FTL::OSRExitCompilationInfo::OSRExitCompilationInfo):
304
305 2013-10-30  Oliver Hunt  <oliver@apple.com>
306
307         Implement basic ES6 Math functions
308         https://bugs.webkit.org/show_bug.cgi?id=123536
309
310         Reviewed by Michael Saboff.
311
312         Fairly trivial patch to implement the core ES6 Math functions.
313
314         This doesn't implement Math.hypot as it is not a trivial function.
315         I've also skipped Math.sign as I am yet to be convinced the spec
316         behaviour is good.  Everything else is trivial.
317
318         * runtime/MathObject.cpp:
319         (JSC::MathObject::finishCreation):
320         (JSC::mathProtoFuncACosh):
321         (JSC::mathProtoFuncASinh):
322         (JSC::mathProtoFuncATanh):
323         (JSC::mathProtoFuncCbrt):
324         (JSC::mathProtoFuncCosh):
325         (JSC::mathProtoFuncExpm1):
326         (JSC::mathProtoFuncFround):
327         (JSC::mathProtoFuncLog1p):
328         (JSC::mathProtoFuncLog10):
329         (JSC::mathProtoFuncLog2):
330         (JSC::mathProtoFuncSinh):
331         (JSC::mathProtoFuncTanh):
332         (JSC::mathProtoFuncTrunc):
333
334 2013-10-31  Filip Pizlo  <fpizlo@apple.com>
335
336         FTL::Location::restoreInto() doesn't handle stack-related registers correctly if you're using it after pushing a new stack frame
337         https://bugs.webkit.org/show_bug.cgi?id=123591
338
339         Reviewed by Mark Hahnenberg.
340         
341         This gets us to pass more tests with ftlUsesStackmaps.
342
343         * ftl/FTLLocation.cpp:
344         (JSC::FTL::Location::restoreInto):
345         * ftl/FTLLocation.h:
346         * ftl/FTLThunks.cpp:
347         (JSC::FTL::osrExitGenerationWithStackMapThunkGenerator):
348
349 2013-10-31  Alexey Proskuryakov  <ap@apple.com>
350
351         Enable WebCrypto on Mac
352         https://bugs.webkit.org/show_bug.cgi?id=123587
353
354         Reviewed by Anders Carlsson.
355
356         * Configurations/FeatureDefines.xcconfig: Do it.
357
358 2013-10-31  Filip Pizlo  <fpizlo@apple.com>
359
360         Unreviewed, really remove CachedTranscendentalFunction.h.
361
362         * GNUmakefile.list.am:
363         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
364
365 2013-10-31  Filip Pizlo  <fpizlo@apple.com>
366
367         Remove CachedTranscendentalFunction because caching math functions is an ugly idea
368         https://bugs.webkit.org/show_bug.cgi?id=123574
369
370         Reviewed by Mark Hahnenberg.
371         
372         This is performance-neutral because I also make Math.cos/sin intrinsic. This means that
373         we gain the "overhead" of actually computing sin and cos but we lose the overhead of
374         going through the native call thunks.
375         
376         Caching transcendental functions is a really ugly idea. It works for SunSpider because
377         that benchmark makes very predictable calls into Math.sin. But I don't believe that this
378         is representative of any kind of reality, and so for sensible uses of Math.sin/cos all
379         that this was doing was adding more call overhead and some hashing overhead.
380
381         * JavaScriptCore.xcodeproj/project.pbxproj:
382         * dfg/DFGAbstractInterpreterInlines.h:
383         (JSC::DFG::::executeEffects):
384         * dfg/DFGBackwardsPropagationPhase.cpp:
385         (JSC::DFG::BackwardsPropagationPhase::propagate):
386         * dfg/DFGByteCodeParser.cpp:
387         (JSC::DFG::ByteCodeParser::handleIntrinsic):
388         * dfg/DFGCSEPhase.cpp:
389         (JSC::DFG::CSEPhase::performNodeCSE):
390         * dfg/DFGClobberize.h:
391         (JSC::DFG::clobberize):
392         * dfg/DFGFixupPhase.cpp:
393         (JSC::DFG::FixupPhase::fixupNode):
394         * dfg/DFGNodeType.h:
395         * dfg/DFGPredictionPropagationPhase.cpp:
396         (JSC::DFG::PredictionPropagationPhase::propagate):
397         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
398         * dfg/DFGSafeToExecute.h:
399         (JSC::DFG::safeToExecute):
400         * dfg/DFGSpeculativeJIT.h:
401         (JSC::DFG::SpeculativeJIT::callOperation):
402         * dfg/DFGSpeculativeJIT32_64.cpp:
403         (JSC::DFG::SpeculativeJIT::compile):
404         * dfg/DFGSpeculativeJIT64.cpp:
405         (JSC::DFG::SpeculativeJIT::compile):
406         * jit/JITOperations.h:
407         * runtime/CachedTranscendentalFunction.h: Removed.
408         * runtime/DateInstanceCache.h:
409         * runtime/Intrinsic.h:
410         * runtime/MathObject.cpp:
411         (JSC::MathObject::finishCreation):
412         (JSC::mathProtoFuncCos):
413         (JSC::mathProtoFuncSin):
414         * runtime/VM.h:
415
416 2013-10-30  Filip Pizlo  <fpizlo@apple.com>
417
418         Assertion failure in js/dom/global-constructors-attributes-dedicated-worker.html
419         https://bugs.webkit.org/show_bug.cgi?id=123551
420         <rdar://problem/15356238>
421
422         Reviewed by Mark Hahnenberg.
423         
424         WatchpointSets have always had this "fire everything on deletion" policy because it
425         seemed like a good fail-safe at the time I first implemented WatchpointSets. But
426         it's actually causing bugs rather than providing safety:
427         
428         - Everyone who registers Watchpoints with WatchpointSets has separate mechanisms
429           for either keeping the WatchpointSets alive or noticing when they are collected.
430           So this wasn't actually providing any safety.
431           
432           One example of this is Structures, where:
433           
434           - CodeBlocks that register Watchpoints on Structure's WatchpointSet will also
435             register weak references to the Structure, and the GC will jettison a CodeBlock
436             if the Structure(s) it cares about dies.
437           
438           - StructureStubInfos that register Watchpoints on Structure's WatchpointSet will
439             also be cleared by GC if the Structures die.
440         
441         - The WatchpointSet destructor would get invoked from finalization/destruction.
442           This would then cause CodeBlock::jettison() to be called on a CodeBlock, but that
443           method requires doing things that access heap objects. This would usually cause
444           problems on VM destruction, since then the CodeBlocks would still be alive but the
445           whole heap would be destroyed.
446         
447         This also ensures that CodeBlock::jettison() cannot cause a GC. This is safe since
448         that method doesn't really allocate objects, and it is likely necessary because
449         jettison() may be called from deep in the stack.
450
451         * bytecode/CodeBlock.cpp:
452         (JSC::CodeBlock::jettison):
453         * bytecode/Watchpoint.cpp:
454         (JSC::WatchpointSet::~WatchpointSet):
455         * bytecode/Watchpoint.h:
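
The following is an added illustration, not JavaScriptCore code: a model of the WatchpointSet / CodeBlock::jettison() relationship this entry changes, and of the InvalidationPoint mechanism the 2013-10-29 entry later in this log describes (a firing watchpoint jettisons the CodeBlock, which patches every invalidation point at once and redirects the entry point to baseline). It serves both entries. The names follow the ChangeLog; every body, the Tier enum, the pointCount parameter and the "second firing is a no-op" guard are simplifying assumptions.

```cpp
// Added example, not JavaScriptCore code: a small model of WatchpointSet,
// CodeBlockJettisoningWatchpoint and CodeBlock::jettison(). Bodies are assumptions.
#include <cstddef>
#include <memory>
#include <vector>

namespace model {
struct CodeBlock;

// Observer told when the fact it relied on stops holding; owned by the registrant.
struct Watchpoint {
    virtual ~Watchpoint() = default;
    virtual void fireInternal() = 0;
};

// Watchpoints attached to one fact. fireAll() is the only path that invalidates;
// the destructor deliberately does not fire, which is the 2013-10-30 change above.
class WatchpointSet {
public:
    ~WatchpointSet() = default; // no fire-on-deletion
    void add(Watchpoint* w) { m_watchpoints.push_back(w); }
    void fireAll() {
        m_invalidated = true;
        std::vector<Watchpoint*> firing;
        firing.swap(m_watchpoints); // a firing watchpoint may touch this set
        for (Watchpoint* w : firing) w->fireInternal();
    }
    bool isStillValid() const { return !m_invalidated; }
private:
    std::vector<Watchpoint*> m_watchpoints;
    bool m_invalidated = false;
};

// One patchable jump: an InvalidationPoint in the optimized code.
struct JumpReplacement {
    bool patched = false;
    void fire() { patched = true; }
};

enum class Tier { Baseline, Optimized };

struct CodeBlock {
    Tier entryPoint = Tier::Optimized; // which code a call into this block runs
    std::vector<JumpReplacement> invalidationPoints;
    std::vector<std::unique_ptr<Watchpoint>> ownedWatchpoints;
    int jettisonCount = 0;
    bool isLive() const { return entryPoint == Tier::Optimized; }
    // All-or-nothing: redirect the entry point and patch every invalidation point,
    // so the block can neither be called into nor returned into. Allocates nothing.
    void jettison() {
        if (!isLive()) return; // assumption: a second firing is a no-op
        ++jettisonCount;
        entryPoint = Tier::Baseline;
        for (JumpReplacement& jr : invalidationPoints) jr.fire();
    }
};

// A watchpoint whose only job is to jettison the block that registered it.
struct CodeBlockJettisoningWatchpoint : Watchpoint {
    explicit CodeBlockJettisoningWatchpoint(CodeBlock* cb) : codeBlock(cb) {}
    void fireInternal() override { codeBlock->jettison(); }
    CodeBlock* codeBlock;
};

// Compile-time step: collect every set the block depends on and register one
// jettisoning watchpoint with each; pointCount models the injected points.
inline void registerDesiredWatchpoints(CodeBlock& cb, const std::vector<WatchpointSet*>& sets, std::size_t pointCount) {
    cb.invalidationPoints.assign(pointCount, JumpReplacement{});
    for (WatchpointSet* set : sets) {
        auto wp = std::make_unique<CodeBlockJettisoningWatchpoint>(&cb);
        set->add(wp.get());
        cb.ownedWatchpoints.push_back(std::move(wp));
    }
}

// Scenario 1: one watched fact changes; the whole block is invalidated at once.
inline bool scenarioFireInvalidates() {
    WatchpointSet structureSet, globalObjectSet;
    CodeBlock cb;
    registerDesiredWatchpoints(cb, {&structureSet, &globalObjectSet}, 3);
    structureSet.fireAll();
    for (const JumpReplacement& jr : cb.invalidationPoints)
        if (!jr.patched) return false;
    return !cb.isLive() && cb.jettisonCount == 1 && !structureSet.isStillValid() && globalObjectSet.isStillValid();
}

// Scenario 2: destroying a set (e.g. VM teardown) must not call jettison(),
// because jettison() touches heap objects that may already be gone.
inline bool scenarioDestructorDoesNotFire() {
    CodeBlock cb;
    {
        WatchpointSet set;
        registerDesiredWatchpoints(cb, {&set}, 1);
    } // set destroyed here; its watchpoints are left alone
    return cb.isLive() && cb.jettisonCount == 0;
}
} // namespace model
```

The ownership split is the part worth noticing: the set only holds raw observer pointers and never fires on destruction, so the lifetime of the optimized code is governed by the registrant's own weak references and GC, exactly as the entry argues it already was.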
456
457 2013-10-30  Mark Lam  <mark.lam@apple.com>
458
459         Unreviewed, fix C Loop LLINT build.
460
461         * bytecode/CodeBlockJettisoningWatchpoint.cpp:
462         (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
463         * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
464         (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):
465
466 2013-10-30  Filip Pizlo  <fpizlo@apple.com>
467
468         Unreviewed, fix FTL build.
469
470         * ftl/FTLAbstractHeapRepository.h:
471         * ftl/FTLLowerDFGToLLVM.cpp:
472         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
473
474 2013-10-30  Alexey Proskuryakov  <ap@apple.com>
475
476         Add a way to fulfill promises from DOM code
477         https://bugs.webkit.org/show_bug.cgi?id=123466
478
479         Reviewed by Sam Weinig.
480
481         * JavaScriptCore.xcodeproj/project.pbxproj: Make JSPromise.h and JSPromiseResolver.h
482         private headers for WebCore to use.
483
484         * runtime/JSPromise.h:
485         * runtime/JSPromiseResolver.h:
486         Export functions that JSDOMPromise will use.
487
488 2013-10-30  Mark Lam  <mark.lam@apple.com>
489
490         Adjust CallFrameHeader's ReturnPC and CallFrame locations to match the native ABI.
491         https://bugs.webkit.org/show_bug.cgi?id=123444.
492
493         Reviewed by Geoffrey Garen.
494
495         - Introduced an explicit CallerFrameAndPC struct.
496         - A CallFrame is expected to start with a CallerFrameAndPC struct. 
497         - The Register class no longer supports CallFrame* and Instruction*.
498
499           These hide the differences between JSVALUE32_64 and JSVALUE64 in
500           terms of managing the callerFrame() and returnPC() values.
501
502         - Convert all uses of JSStack::CallerFrame and JSStack::ReturnPC to
503           go through CallFrame to access the appropriate values and offsets.
504           CallFrame, in turn, will access the callerFrame and returnPC via
505           the CallerFrameAndPC struct.
506
507         - InlineCallFrame will provide offsets for its callerFrame and
508           returnPC. It will make use of CallFrame::callerFrameOffset() and
509           CallerFrame::returnPCOffset() to compute these.
510
511         * bytecode/CodeOrigin.h:
512         (JSC::InlineCallFrame::callerFrameOffset):
513         (JSC::InlineCallFrame::returnPCOffset):
514         * dfg/DFGJITCompiler.cpp:
515         (JSC::DFG::JITCompiler::compileEntry):
516         (JSC::DFG::JITCompiler::compileExceptionHandlers):
517         * dfg/DFGOSRExitCompilerCommon.cpp:
518         (JSC::DFG::reifyInlinedCallFrames):
519         * dfg/DFGSpeculativeJIT.h:
520         (JSC::DFG::SpeculativeJIT::calleeFrameSlot):
521         (JSC::DFG::SpeculativeJIT::calleeArgumentSlot):
522         (JSC::DFG::SpeculativeJIT::calleeFrameTagSlot):
523         (JSC::DFG::SpeculativeJIT::calleeFramePayloadSlot):
524         (JSC::DFG::SpeculativeJIT::calleeArgumentTagSlot):
525         (JSC::DFG::SpeculativeJIT::calleeArgumentPayloadSlot):
526         - Prefixed all the above with callee since they apply to the callee frame.
527         (JSC::DFG::SpeculativeJIT::calleeFrameCallerFrame):
528         - Added to set the callerFrame pointer in the callee frame.
529
530         * dfg/DFGSpeculativeJIT32_64.cpp:
531         (JSC::DFG::SpeculativeJIT::emitCall):
532         (JSC::DFG::SpeculativeJIT::compile):
533         * dfg/DFGSpeculativeJIT64.cpp:
534         (JSC::DFG::SpeculativeJIT::emitCall):
535         (JSC::DFG::SpeculativeJIT::compile):
536         * ftl/FTLLink.cpp:
537         (JSC::FTL::compileEntry):
538         (JSC::FTL::link):
539         * interpreter/CallFrame.h:
540         (JSC::ExecState::callerFrame):
541         (JSC::ExecState::callerFrameOffset):
542         (JSC::ExecState::returnPC):
543         (JSC::ExecState::hasReturnPC):
544         (JSC::ExecState::clearReturnPC):
545         (JSC::ExecState::returnPCOffset):
546         (JSC::ExecState::setCallerFrame):
547         (JSC::ExecState::setReturnPC):
548         (JSC::ExecState::callerFrameAndPC):
549         * interpreter/JSStack.h:
550         * interpreter/Register.h:
551         * jit/AssemblyHelpers.h:
552         (JSC::AssemblyHelpers::emitPutToCallFrameHeader):
553         - Convert to using storePtr() here and simplify the code.
554         (JSC::AssemblyHelpers::emitGetCallerFrameFromCallFrameHeaderPtr):
555         (JSC::AssemblyHelpers::emitPutCallerFrameToCallFrameHeader):
556         (JSC::AssemblyHelpers::emitGetReturnPCFromCallFrameHeaderPtr):
557         (JSC::AssemblyHelpers::emitPutReturnPCToCallFrameHeader):
558         - Helpers to emit gets/puts of the callerFrame and returnPC.
559         (JSC::AssemblyHelpers::addressForByteOffset):
560         * jit/JIT.cpp:
561         (JSC::JIT::JIT):
562         (JSC::JIT::privateCompile):
563         (JSC::JIT::privateCompileExceptionHandlers):
564         * jit/JITCall.cpp:
565         (JSC::JIT::compileCallEval):
566         (JSC::JIT::compileOpCall):
567         * jit/JITCall32_64.cpp:
568         (JSC::JIT::emit_op_ret):
569         (JSC::JIT::emit_op_ret_object_or_this):
570         (JSC::JIT::compileCallEval):
571         (JSC::JIT::compileOpCall):
572         * jit/JITInlines.h:
573         (JSC::JIT::unmap):
574         * jit/JITOpcodes.cpp:
575         (JSC::JIT::emit_op_end):
576         (JSC::JIT::emit_op_ret):
577         (JSC::JIT::emit_op_ret_object_or_this):
578         * jit/JITOpcodes32_64.cpp:
579         (JSC::JIT::privateCompileCTINativeCall):
580         (JSC::JIT::emit_op_end):
581         * jit/JITOperations.cpp:
582         * jit/SpecializedThunkJIT.h:
583         (JSC::SpecializedThunkJIT::returnJSValue):
584         (JSC::SpecializedThunkJIT::returnDouble):
585         (JSC::SpecializedThunkJIT::returnInt32):
586         (JSC::SpecializedThunkJIT::returnJSCell):
587         * jit/ThunkGenerators.cpp:
588         (JSC::throwExceptionFromCallSlowPathGenerator):
589         (JSC::slowPathFor):
590         (JSC::nativeForGenerator):
591
592         * llint/LLIntData.cpp:
593         (JSC::LLInt::Data::performAssertions):
594         * llint/LowLevelInterpreter.asm:
595         - Updated offsets and asserts to match the new CallFrame layout.
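
The following is an added illustration, not JavaScriptCore code: a model of the CallerFrameAndPC header the entry above introduces, showing how a CallFrame that starts with that struct gives the JITs, the LLInt assembler and InlineCallFrame byte offsets that depend only on pointer size rather than on the JSVALUE32_64 / JSVALUE64 register encoding. The names follow the ChangeLog; the layout of the frame past the header, the stackOffsetInBytes field, the placeholder PC address and all bodies are simplifying assumptions.

```cpp
// Added example, not JavaScriptCore code: a model of the CallerFrameAndPC header
// described in the entry above. Layout past the header and all bodies are
// simplifying assumptions.
#include <cstddef>
#include <cstring>

namespace frame_model {
struct Instruction; // opaque bytecode instruction; only its address matters here
struct CallFrame;

// The two slots a native call leaves at the base of a frame, in ABI order.
struct CallerFrameAndPC {
    CallFrame* callerFrame;
    Instruction* returnPC;
};

// Every CallFrame is required to start with a CallerFrameAndPC; the Register
// array (arguments, locals) follows it and is not modelled here.
struct CallFrame {
    CallerFrameAndPC header;

    CallFrame* callerFrame() const { return header.callerFrame; }
    Instruction* returnPC() const { return header.returnPC; }
    bool hasReturnPC() const { return header.returnPC != nullptr; }
    void setCallerFrame(CallFrame* cf) { header.callerFrame = cf; }
    void setReturnPC(Instruction* pc) { header.returnPC = pc; }
    void clearReturnPC() { header.returnPC = nullptr; }
    CallerFrameAndPC& callerFrameAndPC() { return header; }

    // Byte offsets the JITs and the LLInt assembler would bake into loads and
    // stores. They depend only on pointer size, not on the JSValue encoding.
    static constexpr int callerFrameOffset() { return static_cast<int>(offsetof(CallerFrameAndPC, callerFrame)); }
    static constexpr int returnPCOffset() { return static_cast<int>(offsetof(CallerFrameAndPC, returnPC)); }
};

// An inlined frame lives at a fixed byte offset inside the enclosing physical
// frame, so its header offsets are derived from CallFrame's rather than restated.
struct InlineCallFrame {
    int stackOffsetInBytes;
    int callerFrameOffset() const { return stackOffsetInBytes + CallFrame::callerFrameOffset(); }
    int returnPCOffset() const { return stackOffsetInBytes + CallFrame::returnPCOffset(); }
};

// Emulates what emitted machine code does: store through raw byte offsets, then
// read back through the typed accessors. Agreement means the assembler-side
// offsets and the C++ layout describe the same frame.
inline bool offsetsAgreeWithLayout() {
    CallFrame frame{};
    CallFrame caller{};
    CallFrame* callerPtr = &caller;
    Instruction* fakePC = reinterpret_cast<Instruction*>(0x1000); // constructed placeholder address
    unsigned char* raw = reinterpret_cast<unsigned char*>(&frame);
    std::memcpy(raw + CallFrame::callerFrameOffset(), &callerPtr, sizeof(callerPtr));
    std::memcpy(raw + CallFrame::returnPCOffset(), &fakePC, sizeof(fakePC));
    bool ok = frame.callerFrame() == &caller && frame.returnPC() == fakePC && frame.hasReturnPC();
    frame.clearReturnPC();
    return ok && !frame.hasReturnPC();
}

// Size of the header the frame must reserve before its first Register.
inline int callFrameHeaderPrefixSize() { return static_cast<int>(sizeof(CallerFrameAndPC)); }
} // namespace frame_model
```

A check like offsetsAgreeWithLayout() is the kind of assertion the entry's LLIntData::performAssertions() update stands for: the offsets an assembler hard-codes must be verified against the C++ struct, since a silent mismatch corrupts the caller frame pointer or return PC of every call.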
596
597 2013-10-30  Filip Pizlo  <fpizlo@apple.com>
598
599         Unreviewed, fix Mac.
600
601         * assembler/AbstractMacroAssembler.h:
602         (JSC::AbstractMacroAssembler::RegisterAllocationOffset::checkOffsets):
603         (JSC::AbstractMacroAssembler::checkRegisterAllocationAgainstBranchRange):
604
605 2013-10-30  Filip Pizlo  <fpizlo@apple.com>
606
607         Unreviewed, fix Windows.
608
609         * bytecode/CodeBlock.cpp:
610         (JSC::CodeBlock::jettison):
611
612 2013-10-30  Filip Pizlo  <fpizlo@apple.com>
613
614         Unreviewed, fix Windows.
615
616         * bytecode/CodeBlock.h:
617         (JSC::CodeBlock::addFrequentExitSite):
618
619 2013-10-29  Filip Pizlo  <fpizlo@apple.com>
620
621         Add InvalidationPoints to the DFG and use them for all watchpoints
622         https://bugs.webkit.org/show_bug.cgi?id=123472
623
624         Reviewed by Mark Hahnenberg.
625         
626         This makes a fundamental change to how watchpoints work in the DFG.
627         
628         Previously, a watchpoint was an instruction whose execution semantics were something
629         like:
630         
631             if (watchpoint->invalidated)
632                 exit
633         
634         We would implement this without any branch by using jump replacement.
635         
636         This is a very good optimization. But it's a bit awkward once you get a lot of
637         watchpoints: semantically we will have lots of these branches in the code, which the
638         compiler needs to reason about even though they don't actually result in any emitted
639         code.
640         
641         Separately, we also had a mechanism for jettisoning a CodeBlock. This mechanism would
642         be invoked if a CodeBlock exited a lot. It would ensure that a CodeBlock wouldn't be
643         called into again, but it would do nothing for CodeBlocks that were already on the
644         stack.
645         
646         This change flips jettisoning and watchpoint invalidation on their heads. Now, the jump
647         replacement has nothing to do with watchpoints; instead it's something that happens if
648         you ever jettison a CodeBlock. Jump replacement is now an all-or-nothing operation over
649         all of the potential call-return safe-exit-points in a CodeBlock. We call these
650         "InvalidationPoint"s. A watchpoint instruction is now "lowered" by having the DFG
651         collect all of the watchpoint sets that the CodeBlock cares about, and then registering
652         a CodeBlockJettisoningWatchpoint with all of them. That is, if the watchpoint fires, it
653         jettisons the CodeBlock, which in turn ensures that the CodeBlock can't be called into
654         (because the entrypoint now points to baseline code) and can't be returned into
655         (because returning exits to baseline before the next bytecode instruction).
656         
657         This will allow for a sensible lowering of watchpoints to LLVM IR. It will also allow
658         for jettison() to be used effectively for things like breakpointing and single-stepping
659         in the debugger.
660         
661         Well, basically, this mechanism just takes us into the HotSpot-style world where anyone
662         can, at any time and for any reason, request that an optimized CodeBlock is rendered
663         immediately invalid. You can use this for many cool things, I'm sure.
664
665         * CMakeLists.txt:
666         * GNUmakefile.list.am:
667         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
668         * JavaScriptCore.xcodeproj/project.pbxproj:
669         * assembler/AbstractMacroAssembler.h:
670         * bytecode/CodeBlock.cpp:
671         (JSC::CodeBlock::jettison):
672         * bytecode/CodeBlock.h:
673         * bytecode/CodeBlockJettisoningWatchpoint.cpp: Added.
674         (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
675         * bytecode/CodeBlockJettisoningWatchpoint.h: Added.
676         (JSC::CodeBlockJettisoningWatchpoint::CodeBlockJettisoningWatchpoint):
677         * bytecode/ExitKind.cpp:
678         (JSC::exitKindToString):
679         * bytecode/ExitKind.h:
680         * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp: Added.
681         (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):
682         * bytecode/ProfiledCodeBlockJettisoningWatchpoint.h: Added.
683         (JSC::ProfiledCodeBlockJettisoningWatchpoint::ProfiledCodeBlockJettisoningWatchpoint):
684         * dfg/DFGAbstractHeap.h:
685         * dfg/DFGAbstractInterpreterInlines.h:
686         (JSC::DFG::::executeEffects):
687         * dfg/DFGClobberize.cpp:
688         (JSC::DFG::writesOverlap):
689         * dfg/DFGClobberize.h:
690         (JSC::DFG::clobberize):
691         (JSC::DFG::AbstractHeapOverlaps::AbstractHeapOverlaps):
692         (JSC::DFG::AbstractHeapOverlaps::operator()):
693         (JSC::DFG::AbstractHeapOverlaps::result):
694         * dfg/DFGCommonData.cpp:
695         (JSC::DFG::CommonData::invalidate):
696         * dfg/DFGCommonData.h:
697         (JSC::DFG::CommonData::CommonData):
698         * dfg/DFGDesiredWatchpoints.cpp:
699         (JSC::DFG::DesiredWatchpoints::addLazily):
700         (JSC::DFG::DesiredWatchpoints::reallyAdd):
701         * dfg/DFGDesiredWatchpoints.h:
702         (JSC::DFG::WatchpointForGenericWatchpointSet::WatchpointForGenericWatchpointSet):
703         (JSC::DFG::GenericDesiredWatchpoints::addLazily):
704         (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
705         (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
706         * dfg/DFGFixupPhase.cpp:
707         (JSC::DFG::FixupPhase::fixupNode):
708         * dfg/DFGInvalidationPointInjectionPhase.cpp: Added.
709         (JSC::DFG::InvalidationPointInjectionPhase::InvalidationPointInjectionPhase):
710         (JSC::DFG::InvalidationPointInjectionPhase::run):
711         (JSC::DFG::InvalidationPointInjectionPhase::handle):
712         (JSC::DFG::InvalidationPointInjectionPhase::insertInvalidationCheck):
713         (JSC::DFG::performInvalidationPointInjection):
714         * dfg/DFGInvalidationPointInjectionPhase.h: Added.
715         * dfg/DFGJITCode.h:
716         * dfg/DFGJITCompiler.cpp:
717         (JSC::DFG::JITCompiler::linkOSRExits):
718         (JSC::DFG::JITCompiler::link):
719         * dfg/DFGJITCompiler.h:
720         * dfg/DFGJumpReplacement.cpp: Added.
721         (JSC::DFG::JumpReplacement::fire):
722         * dfg/DFGJumpReplacement.h: Added.
723         (JSC::DFG::JumpReplacement::JumpReplacement):
724         * dfg/DFGNodeType.h:
725         * dfg/DFGOSRExitCompilationInfo.h:
726         * dfg/DFGOperations.cpp:
727         * dfg/DFGPlan.cpp:
728         (JSC::DFG::Plan::compileInThreadImpl):
729         (JSC::DFG::Plan::reallyAdd):
730         * dfg/DFGPredictionPropagationPhase.cpp:
731         (JSC::DFG::PredictionPropagationPhase::propagate):
732         * dfg/DFGSafeToExecute.h:
733         (JSC::DFG::safeToExecute):
734         * dfg/DFGSpeculativeJIT.cpp:
735         (JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
736         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
737         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
738         * dfg/DFGSpeculativeJIT.h:
739         (JSC::DFG::SpeculativeJIT::masqueradesAsUndefinedWatchpointIsStillValid):
740         (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
741         * dfg/DFGSpeculativeJIT32_64.cpp:
742         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
743         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
744         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
745         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
746         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
747         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
748         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
749         (JSC::DFG::SpeculativeJIT::compile):
750         * dfg/DFGSpeculativeJIT64.cpp:
751         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
752         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
753         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
754         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
755         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
756         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
757         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
758         (JSC::DFG::SpeculativeJIT::compile):
759         * dfg/DFGWatchpointCollectionPhase.cpp: Added.
760         (JSC::DFG::WatchpointCollectionPhase::WatchpointCollectionPhase):
761         (JSC::DFG::WatchpointCollectionPhase::run):
762         (JSC::DFG::WatchpointCollectionPhase::handle):
763         (JSC::DFG::WatchpointCollectionPhase::handleEdge):
764         (JSC::DFG::WatchpointCollectionPhase::handleMasqueradesAsUndefined):
765         (JSC::DFG::WatchpointCollectionPhase::handleStringGetByVal):
766         (JSC::DFG::WatchpointCollectionPhase::addLazily):
767         (JSC::DFG::WatchpointCollectionPhase::globalObject):
768         (JSC::DFG::performWatchpointCollection):
769         * dfg/DFGWatchpointCollectionPhase.h: Added.
770         * ftl/FTLCapabilities.cpp:
771         (JSC::FTL::canCompile):
772         * ftl/FTLLowerDFGToLLVM.cpp:
773         (JSC::FTL::LowerDFGToLLVM::compileNode):
774         (JSC::FTL::LowerDFGToLLVM::compileStructureTransitionWatchpoint):
775         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
776         (JSC::FTL::LowerDFGToLLVM::compileGlobalVarWatchpoint):
777         (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
778         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
779         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
780         (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
781         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
782         (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
783         * jit/JITOperations.cpp:
784         * jit/JumpReplacementWatchpoint.cpp: Removed.
785         * jit/JumpReplacementWatchpoint.h: Removed.
786
787 2013-10-25  Mark Hahnenberg  <mhahnenberg@apple.com>
788
789         JSExport doesn't support constructors
790         https://bugs.webkit.org/show_bug.cgi?id=123380
791
792         Reviewed by Geoffrey Garen.
793
794         Support for constructor-style callbacks for the Objective-C API to JSC is currently limited to 
795         Objective-C blocks. Any clients who try to call the constructor of a JSExport-ed Objective-C class 
796         are met with a type error stating that it cannot be called as a constructor.
797
798         It would be nice to expand JSExport's functionality to support this idiom. It is a natural 
799         extension to JSExport and would increase the expressiveness and simplicity in both Objective-C and 
800         JavaScript client code.
801
802         The way we'll do this is to expand the capabilities of ObjCCallbackFunction and associated classes. 
803         Instead of constructing a normal C API object for the constructor, we'll instead allocate a full-blown 
804         ObjCCallbackFunction object which can already properly handle being invoked as a constructor.
805
806         * API/JSWrapperMap.mm:
807         (copyMethodsToObject):
808         (allocateConstructorForCustomClass):
809         (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
810         (tryUnwrapObjcObject):
811         * API/ObjCCallbackFunction.h:
812         (JSC::ObjCCallbackFunction::impl):
813         * API/ObjCCallbackFunction.mm:
814         (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
815         (JSC::ObjCCallbackFunctionImpl::wrappedConstructor):
816         (JSC::ObjCCallbackFunctionImpl::isConstructible):
817         (JSC::ObjCCallbackFunction::getConstructData):
818         (JSC::ObjCCallbackFunctionImpl::name):
819         (JSC::ObjCCallbackFunctionImpl::call):
820         (objCCallbackFunctionForInvocation):
821         (objCCallbackFunctionForInit):
822         (tryUnwrapConstructor):
823         * API/tests/testapi.mm:
824         (-[TextXYZ initWithString:]):
825         (-[ClassA initWithA:]):
826         (-[ClassB initWithA:b:]):
827         (-[ClassC initWithA:]):
828         (-[ClassC initWithA:b:]):
829
830 2013-10-30  peavo@outlook.com  <peavo@outlook.com>
831
832         [Win] Compile errors when enabling DFG JIT.
833         https://bugs.webkit.org/show_bug.cgi?id=120998
834
835         Reviewed by Brent Fulgham.
836
837         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added files.
838         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
839         * dfg/DFGAllocator.h: Removed scope.
840         * dfg/DFGWorklist.cpp: Use new ThreadingOnce class instead of pthread_once.
841         (JSC::DFG::globalWorklist):
842         * heap/DeferGC.h: Link fix, member needs to be public.
843         * jit/JITOperationWrappers.h: Added required assembler macros.
844
845 2013-10-30  Iago Toral Quiroga  <itoral@igalia.com>
846
847         Add result caching for Math.cos
848         https://bugs.webkit.org/show_bug.cgi?id=123255
849
850         Reviewed by Brent Fulgham.
851
852         * runtime/MathObject.cpp:
853         (JSC::mathProtoFuncCos):
854         * runtime/VM.h:
855
856 2013-10-30  Alex Christensen  <achristensen@webkit.org>
857
858         Disabled JIT on Win64.
859         https://bugs.webkit.org/show_bug.cgi?id=122472
860
861         Reviewed by Geoffrey Garen.
862
863         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
864         Disabled building JITStubsMSVC64.
865
866 2013-10-29  Michael Saboff  <msaboff@apple.com>
867
868         Change local variable register allocation to start at offset -1
869         https://bugs.webkit.org/show_bug.cgi?id=123182
870
871         Reviewed by Geoffrey Garen.
872
873         Adjusted the virtual register mapping down by one slot.  Reduced
874         the CallFrame header slot offsets by one.  They now start at 0.
875         Changed arity fixup to no longer skip passed register slot 0 as this
876         is now part of the CallFrame header.
877
878         * bytecode/VirtualRegister.h:
879         (JSC::operandIsLocal):
880         (JSC::operandIsArgument):
881         (JSC::VirtualRegister::localToOperand):
882         (JSC::VirtualRegister::operandToLocal):
883           Adjusted functions for shift in mapping from local to register offset.
884
885         * dfg/DFGByteCodeParser.cpp:
886         (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
887         (JSC::DFG::ByteCodeParser::addCall):
888         (JSC::DFG::ByteCodeParser::handleInlining):
889         (JSC::DFG::ByteCodeParser::parseBlock):
890         * dfg/DFGVariableEventStream.cpp:
891         (JSC::DFG::VariableEventStream::reconstruct):
892         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
893         (JSC::DFG::VirtualRegisterAllocationPhase::run):
894         * interpreter/CallFrame.h:
895         (JSC::ExecState::frameExtent):
896         (JSC::ExecState::offsetFor):
897         * interpreter/Interpreter.cpp:
898         (JSC::loadVarargs):
899         (JSC::Interpreter::dumpRegisters):
900         (JSC::Interpreter::executeCall):
901         * llint/LLIntData.cpp:
902         (JSC::LLInt::Data::performAssertions):
903         * llint/LowLevelInterpreter.asm:
904           Adjusted math to accommodate for shift in call frame slots.
905
906         * dfg/DFGJITCompiler.cpp:
907         (JSC::DFG::JITCompiler::compileFunction):
908         * dfg/DFGSpeculativeJIT.h:
909         (JSC::DFG::SpeculativeJIT::calleeFrameOffset):
910         * interpreter/CallFrame.cpp:
911         (JSC::CallFrame::frameExtentInternal):
912         * interpreter/JSStackInlines.h:
913         (JSC::JSStack::pushFrame):
914         * jit/JIT.cpp:
915         (JSC::JIT::privateCompile):
916         * jit/JITOperations.cpp:
917         * llint/LLIntSlowPaths.cpp:
918         (JSC::LLInt::llint_slow_path_stack_check):
919         * runtime/CommonSlowPaths.h:
920         (JSC::CommonSlowPaths::arityCheckFor):
921           Fixed offset calculation to use VirtualRegister and related calculation instead of
922           doing separate calculations.
923
924         * interpreter/JSStack.h:
925           Adjusted CallFrame slots down by one.  Did some miscellaneous fixing of dumpRegisters()
926           in the process of testing the fixes.
927
928         * jit/ThunkGenerators.cpp:
929         (JSC::arityFixup):
930           Changed arity fixup to no longer skip passed register slot 0 as this
931           is now part of the CallFrame header.
932
933         * llint/LowLevelInterpreter32_64.asm:
934         * llint/LowLevelInterpreter64.asm:
935           Changed arity fixup to no longer skip passed register slot 0 as this
936           is now part of the CallFrame header.  Updated op_enter processing for
937           the change in local registers.
938
939         * runtime/JSGlobalObject.h:
940           Removed the now unneeded extra slot in the global callframe
941
942 2013-10-29  Julien Brianceau  <jbriance@cisco.com>
943
944         [arm] Fix lots of crashes because of 4th argument register trampling.
945         https://bugs.webkit.org/show_bug.cgi?id=123421
946
947         Reviewed by Michael Saboff.
948
949         r3 register is the 4th argument register for ARM and also a scratch
950         register in the baseline JIT for this architecture. We can use r6
951         instead, as this used to be the timeoutCheckRegister and it is no
952         longer used since r148119.
953
954         * assembler/ARMAssembler.h: Temp register is now r6 instead of r3 for ARM.
955         * assembler/MacroAssemblerARMv7.h: Temp register is now r6 instead of r3 for ARMv7.
956         * jit/GPRInfo.h: Add r3 properly in GPRInfo for ARM.
957         (JSC::GPRInfo::toRegister):
958         (JSC::GPRInfo::toIndex):
959         * jit/JITStubsARM.h:
960         (JSC::ctiTrampoline): Remove obsolete timeoutCheckRegister init.
961         * jit/JITStubsARMv7.h:
962         (JSC::ctiTrampoline): Remove obsolete timeoutCheckRegister init.
963         * jit/JSInterfaceJIT.h: Remove useless stuff.
964         * yarr/YarrJIT.cpp: Use r3 and not the new scratch register r6.
965         (JSC::Yarr::YarrGenerator::generateEnter): r8 register doesn't need to be saved.
966         (JSC::Yarr::YarrGenerator::generateReturn):
967
968 2013-10-29  Julien Brianceau  <jbriance@cisco.com>
969
970         Fix CPU(ARM_TRADITIONAL) build after r157690.
971         https://bugs.webkit.org/show_bug.cgi?id=123247
972
973         Reviewed by Michael Saboff.
974
975         Since r157690, the executableCopy function has been removed from AssemblerBuffer.h
976         and the copy of executable code occurs in the linkCode function (in LinkBuffer.cpp).
977         As the constant pool for jumps is updated in the executableCopy function of ARM_TRADITIONAL,
978         this part of code still needs to be called and absolute jumps must be corrected to anticipate
979         the copy of the executable code through memcpy.
980
981         * assembler/ARMAssembler.cpp:
982         (JSC::ARMAssembler::prepareExecutableCopy): Rename executableCopy to prepareExecutableCopy
983         and correct absolute jump values using the delta between the source and destination buffers.
984         * assembler/ARMAssembler.h:
985         * assembler/LinkBuffer.cpp:
986         (JSC::LinkBuffer::linkCode): Call prepareExecutableCopy just before the memcpy.
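
        An added example, not WebKit's assembler code, modelling the fix-up this entry describes: absolute jump targets kept in a constant pool are shifted by the source-to-destination delta before the buffer is memcpy'd, and the link step counts how many targets land inside the copy. AssemblerBuffer, addAbsoluteJump, the pool layout and linkCode's return value are constructed for the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not JavaScriptCore's code): an assembler buffer holding
 * "code" bytes plus a constant pool of absolute jump targets stored at known
 * offsets inside the buffer. Only the delta fix-up is modelled. */
#define CODE_SIZE 64
#define MAX_POOL 8

typedef struct {
    uint8_t code[CODE_SIZE];
    size_t poolOffsets[MAX_POOL]; /* where each absolute target is stored */
    size_t poolCount;
} AssemblerBuffer;

static uintptr_t readTarget(const uint8_t* at) {
    uintptr_t target;
    memcpy(&target, at, sizeof target);
    return target;
}

static void writeTarget(uint8_t* at, uintptr_t target) {
    memcpy(at, &target, sizeof target);
}

/* Emit an absolute jump: the pool slot at poolOffset holds the address of
 * code[targetOffset] in the *source* buffer. */
static void addAbsoluteJump(AssemblerBuffer* buf, size_t poolOffset, size_t targetOffset) {
    writeTarget(buf->code + poolOffset, (uintptr_t)(buf->code + targetOffset));
    buf->poolOffsets[buf->poolCount++] = poolOffset;
}

/* Hypothetical prepareExecutableCopy: shift every absolute target by the
 * distance between the source buffer and the destination it will be copied
 * to, so the targets are valid once the bytes land there. */
static void prepareExecutableCopy(AssemblerBuffer* buf, const uint8_t* destination) {
    intptr_t delta = (intptr_t)(uintptr_t)destination - (intptr_t)(uintptr_t)buf->code;
    for (size_t i = 0; i < buf->poolCount; i++) {
        uint8_t* slot = buf->code + buf->poolOffsets[i];
        writeTarget(slot, (uintptr_t)((intptr_t)readTarget(slot) + delta));
    }
}

/* Hypothetical linkCode: optionally fix up, then memcpy into the destination.
 * Returns how many pool targets point inside the destination copy afterwards. */
static size_t linkCode(AssemblerBuffer* buf, uint8_t* destination, int fixUpFirst) {
    if (fixUpFirst)
        prepareExecutableCopy(buf, destination);
    memcpy(destination, buf->code, CODE_SIZE);

    uintptr_t lo = (uintptr_t)destination, hi = lo + CODE_SIZE;
    size_t inside = 0;
    for (size_t i = 0; i < buf->poolCount; i++) {
        uintptr_t target = readTarget(destination + buf->poolOffsets[i]);
        if (target >= lo && target < hi)
            inside++;
    }
    return inside;
}

/* Build a buffer with two absolute jumps and link it into a separate
 * "executable" region; fixUp=0 reproduces the stale-target problem. */
static size_t relocatedTargets(int fixUp) {
    static uint8_t executable[CODE_SIZE];
    AssemblerBuffer buf;
    memset(&buf, 0, sizeof buf);
    addAbsoluteJump(&buf, 8, 0);   /* slot at 8 -> start of code */
    addAbsoluteJump(&buf, 24, 40); /* slot at 24 -> code + 40 */
    return linkCode(&buf, executable, fixUp);
}

int main(void) {
    printf("with prepareExecutableCopy: %zu of 2 targets inside the copy\n", relocatedTargets(1));
    printf("without it:                 %zu of 2 targets inside the copy\n", relocatedTargets(0));
    return 0;
}
```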
987
988 2013-10-28  Filip Pizlo  <fpizlo@apple.com>
989
990         OSRExit::m_watchpointIndex should be in OSRExitCompilationInfo
991         https://bugs.webkit.org/show_bug.cgi?id=123423
992
993         Reviewed by Mark Hahnenberg.
994         
995         Also enable ExitKind to tell you if it's a watchpoint.
996
997         * bytecode/ExitKind.cpp:
998         (JSC::exitKindToString):
999         * bytecode/ExitKind.h:
1000         (JSC::isWatchpoint):
1001         * dfg/DFGByteCodeParser.cpp:
1002         (JSC::DFG::ByteCodeParser::setLocal):
1003         (JSC::DFG::ByteCodeParser::setArgument):
1004         (JSC::DFG::ByteCodeParser::handleCall):
1005         (JSC::DFG::ByteCodeParser::handleGetById):
1006         (JSC::DFG::ByteCodeParser::parseBlock):
1007         * dfg/DFGJITCompiler.cpp:
1008         (JSC::DFG::JITCompiler::linkOSRExits):
1009         (JSC::DFG::JITCompiler::link):
1010         * dfg/DFGJITCompiler.h:
1011         (JSC::DFG::JITCompiler::appendExitInfo):
1012         * dfg/DFGOSRExit.cpp:
1013         (JSC::DFG::OSRExit::OSRExit):
1014         * dfg/DFGOSRExit.h:
1015         * dfg/DFGOSRExitCompilationInfo.h:
1016         (JSC::DFG::OSRExitCompilationInfo::OSRExitCompilationInfo):
1017         * dfg/DFGOSRExitCompiler.cpp:
1018         * dfg/DFGSpeculativeJIT.cpp:
1019         (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
1020         * dfg/DFGSpeculativeJIT32_64.cpp:
1021         (JSC::DFG::SpeculativeJIT::compile):
1022         * dfg/DFGSpeculativeJIT64.cpp:
1023         (JSC::DFG::SpeculativeJIT::compile):
1024
1025 2013-10-28  Myles C. Maxfield  <mmaxfield@apple.com>
1026
1027         Parsing support for -webkit-text-decoration-skip: ink
1028         https://bugs.webkit.org/show_bug.cgi?id=123358
1029
1030         Reviewed by Dean Jackson.
1031
1032         Adding ENABLE(CSS3_TEXT_DECORATION)
1033
1034         * Configurations/FeatureDefines.xcconfig:
1035
1036 2013-10-24  Filip Pizlo  <fpizlo@apple.com>
1037
1038         Get rid of InlineStart so that I don't have to implement it in FTL
1039         https://bugs.webkit.org/show_bug.cgi?id=123302
1040
1041         Reviewed by Geoffrey Garen.
1042         
1043         InlineStart was a special instruction that we would insert at the top of inlined code,
1044         so that the backend could capture the OSR state of arguments to an inlined call. It used
1045         to be that only the backend had this information, so this instruction was sort of an ugly
1046         callback from the backend for filling in some data structures.
1047         
1048         But in the time since when that code was written (two years ago?), we rationalized how
1049         variables work. It's now the case that variables that the runtime must know about are
1050         treated specially in IR (they are "flushed") and we know how we will represent them even
1051         before we get to the backend. The last place that makes changes to their representation
1052         is the StackLayoutPhase.
1053         
1054         So, this patch gets rid of InlineStart, but keeps around the special meta-data that the
1055         instruction had. Instead of handling the bookkeeping in the backend, we handle it in
1056         StackLayoutPhase. This means that the DFG and FTL can share code for handling this
1057         bookkeeping. This also means that now the FTL can compile code blocks that had inlining.
1058         
1059         Of course, giving the FTL the ability to handle code blocks that had inlining means that
1060         we're going to have new bugs. Sure enough, the FTL's linker didn't handle inline call
1061         frames. This patch also fixes that.
1062
1063         * dfg/DFGAbstractInterpreterInlines.h:
1064         (JSC::DFG::::executeEffects):
1065         * dfg/DFGByteCodeParser.cpp:
1066         (JSC::DFG::ByteCodeParser::handleInlining):
1067         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1068         * dfg/DFGClobberize.h:
1069         (JSC::DFG::clobberize):
1070         * dfg/DFGFixupPhase.cpp:
1071         (JSC::DFG::FixupPhase::fixupNode):
1072         * dfg/DFGGraph.h:
1073         * dfg/DFGNode.h:
1074         * dfg/DFGNodeType.h:
1075         * dfg/DFGPredictionPropagationPhase.cpp:
1076         (JSC::DFG::PredictionPropagationPhase::propagate):
1077         * dfg/DFGSafeToExecute.h:
1078         (JSC::DFG::safeToExecute):
1079         * dfg/DFGSpeculativeJIT.cpp:
1080         * dfg/DFGSpeculativeJIT.h:
1081         * dfg/DFGSpeculativeJIT32_64.cpp:
1082         (JSC::DFG::SpeculativeJIT::compile):
1083         * dfg/DFGSpeculativeJIT64.cpp:
1084         (JSC::DFG::SpeculativeJIT::compile):
1085         * dfg/DFGStackLayoutPhase.cpp:
1086         (JSC::DFG::StackLayoutPhase::run):
1087         * ftl/FTLLink.cpp:
1088         (JSC::FTL::link):
1089
1090 2013-10-24  Filip Pizlo  <fpizlo@apple.com>
1091
1092         The GetById->GetByOffset AI-based optimization should actually do things
1093         https://bugs.webkit.org/show_bug.cgi?id=123299
1094
1095         Reviewed by Oliver Hunt.
1096         
1097         20% speed-up on Octane/gbemu.
1098
1099         * bytecode/GetByIdStatus.cpp:
1100         (JSC::GetByIdStatus::computeFor): Actually finish filling in the Status by setting the state. Previously it would remain set to NoInformation, meaning that this whole method was a no-op.
1101
1102 2013-10-28  Carlos Garcia Campos  <cgarcia@igalia.com>
1103
1104         Unreviewed. Fix make distcheck.
1105
1106         * GNUmakefile.list.am: Add missing files to compilation.
1107
1108 2013-10-25  Oliver Hunt  <oliver@apple.com>
1109
1110         Refactor parser rollback logic
1111         https://bugs.webkit.org/show_bug.cgi?id=123372
1112
1113         Reviewed by Brady Eidson.
1114
1115         Add a sane abstraction for rollbacks in the parser.
1116
1117         * parser/Parser.cpp:
1118         (JSC::::parseSourceElements):
1119         (JSC::::parseObjectLiteral):
1120         * parser/Parser.h:
1121         (JSC::Parser::createSavePoint):
1122         (JSC::Parser::restoreSavePoint):
1123
1124 2013-10-25  peavo@outlook.com  <peavo@outlook.com>
1125
1126         [Win] Javascript crash with DFG JIT enabled.
1127         https://bugs.webkit.org/show_bug.cgi?id=121001
1128
1129         Reviewed by Geoffrey Garen.
1130
1131         On Windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0),
1132         results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
1133         where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
1134         This causes the register to be written to address 0, hence the crash.
1135   
1136         * assembler/MacroAssemblerX86.h:
1137         (JSC::MacroAssemblerX86::storeDouble): Assert if we try to generate code which writes to a null pointer.
1138         * dfg/DFGOSRExitCompiler32_64.cpp:
1139         (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
1140         * dfg/DFGThunks.cpp:
1141         (JSC::DFG::osrExitGenerationThunkGenerator): Ditto.
1142
1143 2013-10-25  Oliver Hunt  <oliver@apple.com>
1144
1145         Fix a number of problems with destructuring of arguments
1146         https://bugs.webkit.org/show_bug.cgi?id=123357
1147
1148         Reviewed by Filip Pizlo.
1149
1150         This renames the destructuring node's emitBytecode to bindValue
1151         in order to remove the existing confusion over what was happening.
1152
1153         We then fix an incorrect fall through in the destructuring arguments
1154         logic, and fix the then exposed bug where we placed the index rather
1155         than value into the bound property.
1156
1157         * bytecompiler/BytecodeGenerator.cpp:
1158         (JSC::BytecodeGenerator::BytecodeGenerator):
1159         * bytecompiler/NodesCodegen.cpp:
1160         (JSC::ForInNode::emitBytecode):
1161         (JSC::ForOfNode::emitBytecode):
1162         (JSC::DeconstructingAssignmentNode::emitBytecode):
1163         (JSC::ArrayPatternNode::bindValue):
1164         (JSC::ArrayPatternNode::emitDirectBinding):
1165         (JSC::ObjectPatternNode::bindValue):
1166         (JSC::BindingNode::bindValue):
1167         * parser/Nodes.h:
1168
1169 2013-10-25  Joseph Pecoraro  <pecoraro@apple.com>
1170
1171         Upstream ENABLE(REMOTE_INSPECTOR) and enable on iOS and Mac
1172         https://bugs.webkit.org/show_bug.cgi?id=123111
1173
1174         Reviewed by Timothy Hatcher.
1175
1176         * Configurations/FeatureDefines.xcconfig:
1177
1178 2013-10-25  Oliver Hunt  <oliver@apple.com>
1179
1180         Fix MSVC again
1181
1182         * parser/Parser.cpp:
1183
1184 2013-10-25  Oliver Hunt  <oliver@apple.com>
1185
1186         Fix MSVC
1187
1188         * parser/Parser.cpp:
1189
1190 2013-10-25  Oliver Hunt  <oliver@apple.com>
1191
1192         Improve JSC Parser error messages
1193         https://bugs.webkit.org/show_bug.cgi?id=123341
1194
1195         Reviewed by Andreas Kling.
1196
1197         This patch moves away from the current kludgy mechanisms used to produce
1198         error messages and moves to something closer to case by case errors.
1199
1200         This results in a large change size as previously we may just have
1201         'failIfFalse(foo)', but now the logic becomes either
1202         'failIfFalseWithMessage(foo, "Cannot do blah with ", foo->thing())'
1203         or alternatively
1204
1205         if (!foo)
1206             check for 'interesting' errors, before falling back to generic error
1207
1208         This means that this patch is large, but produces no semantic changes, and
1209         only hits slow (e.g. error) paths.
1210
1211         * parser/Parser.cpp:
1212         (JSC::::Parser):
1213         (JSC::::parseSourceElements):
1214         (JSC::::parseVarDeclaration):
1215         (JSC::::parseConstDeclaration):
1216         (JSC::::parseDoWhileStatement):
1217         (JSC::::parseWhileStatement):
1218         (JSC::::parseVarDeclarationList):
1219         (JSC::::createBindingPattern):
1220         (JSC::::parseDeconstructionPattern):
1221         (JSC::::parseConstDeclarationList):
1222         (JSC::::parseForStatement):
1223         (JSC::::parseBreakStatement):
1224         (JSC::::parseContinueStatement):
1225         (JSC::::parseReturnStatement):
1226         (JSC::::parseThrowStatement):
1227         (JSC::::parseWithStatement):
1228         (JSC::::parseSwitchStatement):
1229         (JSC::::parseSwitchClauses):
1230         (JSC::::parseSwitchDefaultClause):
1231         (JSC::::parseTryStatement):
1232         (JSC::::parseDebuggerStatement):
1233         (JSC::::parseBlockStatement):
1234         (JSC::::parseStatement):
1235         (JSC::::parseFormalParameters):
1236         (JSC::::parseFunctionBody):
1237         (JSC::stringForFunctionMode):
1238         (JSC::::parseFunctionInfo):
1239         (JSC::::parseFunctionDeclaration):
1240         (JSC::::parseExpressionOrLabelStatement):
1241         (JSC::::parseExpressionStatement):
1242         (JSC::::parseIfStatement):
1243         (JSC::::parseExpression):
1244         (JSC::::parseAssignmentExpression):
1245         (JSC::::parseConditionalExpression):
1246         (JSC::::parseBinaryExpression):
1247         (JSC::::parseProperty):
1248         (JSC::::parseObjectLiteral):
1249         (JSC::::parseStrictObjectLiteral):
1250         (JSC::::parseArrayLiteral):
1251         (JSC::::parsePrimaryExpression):
1252         (JSC::::parseArguments):
1253         (JSC::::parseMemberExpression):
1254         (JSC::operatorString):
1255         (JSC::::parseUnaryExpression):
1256         (JSC::::printUnexpectedTokenText):
1257         * parser/Parser.h:
1258         (JSC::Scope::hasDeclaredVariable):
1259         (JSC::Scope::hasDeclaredParameter):
1260         (JSC::Parser::hasDeclaredVariable):
1261         (JSC::Parser::hasDeclaredParameter):
1262         (JSC::Parser::setErrorMessage):
1263
1264 2013-10-24  Mark Rowe  <mrowe@apple.com>
1265
1266         Remove references to OS X 10.7 from Xcode configuration settings.
1267
1268         Now that we're not building for OS X 10.7 they're no longer needed.
1269
1270         Reviewed by Anders Carlsson.
1271
1272         * Configurations/Base.xcconfig:
1273         * Configurations/DebugRelease.xcconfig:
1274         * Configurations/FeatureDefines.xcconfig:
1275         * Configurations/Version.xcconfig:
1276
1277 2013-10-24  Mark Rowe  <mrowe@apple.com>
1278
1279         <rdar://problem/15312643> Prepare for the mysterious future.
1280
1281         Reviewed by David Kilzer.
1282
1283         * Configurations/Base.xcconfig:
1284         * Configurations/DebugRelease.xcconfig:
1285         * Configurations/FeatureDefines.xcconfig:
1286         * Configurations/Version.xcconfig:
1287
1288 2013-10-24  Mark Lam  <mark.lam@apple.com>
1289
1290         Better way to fix part of broken C Loop LLINT build.
1291         https://bugs.webkit.org/show_bug.cgi?id=123271.
1292
1293         Reviewed by Geoffrey Garen.
1294
1295         Undoing offline asm hackery.
1296
1297         * llint/LowLevelInterpreter.cpp:
1298         * llint/LowLevelInterpreter32_64.asm:
1299         * llint/LowLevelInterpreter64.asm:
1300         * offlineasm/cloop.rb:
1301         * offlineasm/instructions.rb:
1302
1303 2013-10-24  Mark Lam  <mark.lam@apple.com>
1304
1305         Fix broken C Loop LLINT build.
1306         https://bugs.webkit.org/show_bug.cgi?id=123271.
1307
1308         Reviewed by Michael Saboff.
1309
1310         * bytecode/CodeBlock.cpp:
1311         (JSC::CodeBlock::printGetByIdCacheStatus): Added an UNUSED_PARAM().
1312         (JSC::CodeBlock::dumpBytecode): Added #if ENABLE(JIT) to JIT only code.
1313         * bytecode/GetByIdStatus.cpp:
1314         (JSC::GetByIdStatus::computeFor): Added an UNUSED_PARAM().
1315         * bytecode/PutByIdStatus.cpp:
1316         (JSC::PutByIdStatus::computeFor): Added an UNUSED_PARAM().
1317         * bytecode/StructureStubInfo.h:
1318         - Added a stub StubInfoMap for non-JIT builds. StubInfoMap is still used
1319           in function prototypes even when !ENABLE(JIT). Rather than adding #if's
1320           in many places, we just provide a stub/placeholder implementation that
1321           is unused but keeps the compiler happy.
1322         * jit/JITOperations.h: Added #if ENABLE(JIT).
1323         * llint/LowLevelInterpreter32_64.asm:
1324         * llint/LowLevelInterpreter64.asm:
1325         - The putByVal() macro reifies a slow path which is never taken in one case.
1326           This translates into a label that is never used in the C Loop LLINT. The
1327           C++ compiler doesn't like unused labels. So, we fix this by adding a
1328           cloopUnusedLabel offline asm instruction that synthesizes the following:
1329
1330               if (false) goto unusedLabel;
1331
1332           This keeps the C++ compiler happy without changing code behavior.
1333         * offlineasm/cloop.rb: Implementing cloopUnusedLabel.
1334         * offlineasm/instructions.rb: Declaring cloopUnusedLabel.
1335         * runtime/Executable.cpp:
1336         (JSC::setupJIT): Added UNUSED_PARAM()s.
1337         (JSC::ScriptExecutable::prepareForExecutionImpl):
1338         - run-javascriptcore-tests have phases that force the LLINT to be off
1339           which in turn asserts that the JIT is enabled. With the C Loop LLINT,
1340           this combination is illegal. So, we override the setup code here to
1341           always use the LLINT if !ENABLE(JIT) regardless of what options are
1342           passed in.
1343
1344 2013-10-24  peavo@outlook.com  <peavo@outlook.com>
1345
1346         Uninitialized member causes crash when DFG JIT is not enabled.
1347         https://bugs.webkit.org/show_bug.cgi?id=123270
1348
1349         Reviewed by Brent Fulgham.
1350
1351         The data member sizeOfLastScratchBuffer in the VM class is only initialized if DFG JIT is enabled, even though it's defined regardless.
1352         This causes an early crash on Windows, which doesn't have DFG JIT enabled.
1353
1354         * runtime/VM.cpp:
1355         (JSC::VM::VM): Initialize sizeOfLastScratchBuffer member regardless of whether DFG JIT is enabled.
1356
1357 2013-10-24  Ryuan Choi  <ryuan.choi@samsung.com>
1358
1359         [EFL] Build break with latest EFL 1.8 libraries.
1360         https://bugs.webkit.org/show_bug.cgi?id=123245
1361
1362         Reviewed by Gyuyoung Kim.
1363
1364         After the build break on EFL 1.8 was fixed at r138326, the EFL libraries changed
1365         the Eo typedef and split the header files which contain the version macro.
1366
1367         * PlatformEfl.cmake: Added EO path to include directories.
1368         * heap/HeapTimer.h: Changed Ecore_Timer typedef when EO exists.
1369
1370 2013-10-23  Filip Pizlo  <fpizlo@apple.com>
1371
1372         Put all uses of LLVM intrinsics behind a single Option
1373         https://bugs.webkit.org/show_bug.cgi?id=123219
1374
1375         Reviewed by Mark Hahnenberg.
1376
1377         * ftl/FTLExitThunkGenerator.cpp:
1378         (JSC::FTL::ExitThunkGenerator::emitThunk):
1379         * ftl/FTLLowerDFGToLLVM.cpp:
1380         (JSC::FTL::generateExitThunks):
1381         (JSC::FTL::LowerDFGToLLVM::compileGetById):
1382         (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
1383         (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
1384         * ftl/FTLOSRExitCompiler.cpp:
1385         (JSC::FTL::compileFTLOSRExit):
1386         * runtime/Options.h:
1387
1388 2013-10-23  Daniel Bates  <dabates@apple.com>
1389
1390         Fix JavaScriptCore build targets following <http://trac.webkit.org/changeset/157864>
1391         (https://bugs.webkit.org/show_bug.cgi?id=123169)
1392
1393         Tell Xcode that the supported platforms for all JavaScriptCore targets are iOS and OS X.
1394
1395         * Configurations/Base.xcconfig:
1396
1397 2013-10-23  Michael Saboff  <msaboff@apple.com>
1398
1399         LLInt arity check exception processing should start unwinding from caller
1400         https://bugs.webkit.org/show_bug.cgi?id=123209
1401
1402         Reviewed by Oliver Hunt.
1403
1404         Use the caller frame returned from slow_path_call_arityCheck to process exceptions.
1405
1406         * llint/LowLevelInterpreter32_64.asm:
1407         * llint/LowLevelInterpreter64.asm:
1408
1409 2013-10-22  Filip Pizlo  <fpizlo@apple.com>
1410
1411         FTL should be able to do some simple inline caches using LLVM patchpoints
1412         https://bugs.webkit.org/show_bug.cgi?id=123164
1413
1414         Reviewed by Mark Hahnenberg.
1415         
1416         This implements GetById inline caches in the FTL using llvm.webkit.patchpoint.
1417         
1418         The idea is that we ask LLVM for a nop slide the size of a GetById inline
1419         cache and then fill in the code after LLVM compilation is complete. For now, we
1420         just use the system calling convention for the arguments and return. We also
1421         still make some assumptions about registers that aren't correct. But, most of
1422         the scaffolding is there and this will successfully patch an inline cache.
1423
1424         * JavaScriptCore.xcodeproj/project.pbxproj:
1425         * assembler/AbstractMacroAssembler.h:
1426         * assembler/LinkBuffer.cpp:
1427         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
1428         (JSC::LinkBuffer::linkCode):
1429         (JSC::LinkBuffer::allocate):
1430         * assembler/LinkBuffer.h:
1431         (JSC::LinkBuffer::LinkBuffer):
1432         (JSC::LinkBuffer::link):
1433         * ftl/FTLAbbreviations.h:
1434         (JSC::FTL::constNull):
1435         (JSC::FTL::buildCall):
1436         * ftl/FTLCapabilities.cpp:
1437         (JSC::FTL::canCompile):
1438         * ftl/FTLCompile.cpp:
1439         (JSC::FTL::fixFunctionBasedOnStackMaps):
1440         * ftl/FTLInlineCacheDescriptor.h: Added.
1441         (JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
1442         (JSC::FTL::GetByIdDescriptor::GetByIdDescriptor):
1443         (JSC::FTL::GetByIdDescriptor::stackmapID):
1444         (JSC::FTL::GetByIdDescriptor::codeOrigin):
1445         (JSC::FTL::GetByIdDescriptor::uid):
1446         * ftl/FTLInlineCacheSize.cpp: Added.
1447         (JSC::FTL::sizeOfGetById):
1448         (JSC::FTL::sizeOfPutById):
1449         * ftl/FTLInlineCacheSize.h: Added.
1450         * ftl/FTLIntrinsicRepository.h:
1451         * ftl/FTLJITFinalizer.cpp:
1452         (JSC::FTL::JITFinalizer::finalizeFunction):
1453         * ftl/FTLJITFinalizer.h:
1454         * ftl/FTLLocation.cpp:
1455         (JSC::FTL::Location::directGPR):
1456         * ftl/FTLLocation.h:
1457         * ftl/FTLLowerDFGToLLVM.cpp:
1458         (JSC::FTL::LowerDFGToLLVM::compileGetById):
1459         * ftl/FTLOutput.h:
1460         (JSC::FTL::Output::call):
1461         * ftl/FTLSlowPathCall.cpp: Added.
1462         (JSC::FTL::callOperation):
1463         * ftl/FTLSlowPathCall.h: Added.
1464         (JSC::FTL::SlowPathCall::SlowPathCall):
1465         (JSC::FTL::SlowPathCall::call):
1466         (JSC::FTL::SlowPathCall::key):
1467         * ftl/FTLSlowPathCallKey.cpp: Added.
1468         (JSC::FTL::SlowPathCallKey::dump):
1469         * ftl/FTLSlowPathCallKey.h: Added.
1470         (JSC::FTL::SlowPathCallKey::SlowPathCallKey):
1471         (JSC::FTL::SlowPathCallKey::usedRegisters):
1472         (JSC::FTL::SlowPathCallKey::callTarget):
1473         (JSC::FTL::SlowPathCallKey::offset):
1474         (JSC::FTL::SlowPathCallKey::isEmptyValue):
1475         (JSC::FTL::SlowPathCallKey::isDeletedValue):
1476         (JSC::FTL::SlowPathCallKey::operator==):
1477         (JSC::FTL::SlowPathCallKey::hash):
1478         (JSC::FTL::SlowPathCallKeyHash::hash):
1479         (JSC::FTL::SlowPathCallKeyHash::equal):
1480         * ftl/FTLStackMaps.cpp:
1481         (JSC::FTL::StackMaps::Location::directGPR):
1482         * ftl/FTLStackMaps.h:
1483         * ftl/FTLState.h:
1484         * ftl/FTLThunks.cpp:
1485         (JSC::FTL::slowPathCallThunkGenerator):
1486         * ftl/FTLThunks.h:
1487         (JSC::FTL::Thunks::getSlowPathCallThunk):
1488         * jit/CCallHelpers.h:
1489         (JSC::CCallHelpers::setupArguments):
1490         * jit/GPRInfo.h:
1491         * jit/JITInlineCacheGenerator.cpp:
1492         (JSC::garbageStubInfo):
1493         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
1494         (JSC::JITByIdGenerator::finalize):
1495         * jit/JITInlineCacheGenerator.h:
1496         (JSC::JITByIdGenerator::slowPathBegin):
1497         * jit/RegisterSet.cpp:
1498         (JSC::RegisterSet::stackRegisters):
1499         (JSC::RegisterSet::specialRegisters):
1500         (JSC::RegisterSet::calleeSaveRegisters):
1501         (JSC::RegisterSet::allGPRs):
1502         (JSC::RegisterSet::allFPRs):
1503         (JSC::RegisterSet::allRegisters):
1504         (JSC::RegisterSet::dump):
1505         * jit/RegisterSet.h:
1506         (JSC::RegisterSet::exclude):
1507         (JSC::RegisterSet::numberOfSetRegisters):
1508         (JSC::RegisterSet::RegisterSet):
1509         (JSC::RegisterSet::isEmptyValue):
1510         (JSC::RegisterSet::isDeletedValue):
1511         (JSC::RegisterSet::operator==):
1512         (JSC::RegisterSet::hash):
1513         (JSC::RegisterSetHash::hash):
1514         (JSC::RegisterSetHash::equal):
1515         * runtime/Options.h:
1516
1517 2013-10-22  Filip Pizlo  <fpizlo@apple.com>
1518
1519         jitCompileAndSetHeuristics should DeferGCForAWhile
1520         https://bugs.webkit.org/show_bug.cgi?id=123196
1521
1522         Reviewed by Mark Hahnenberg.
1523         
1524         This fixes random crashes in V8v7/raytrace. I only see those crashes on exactly one of
1525         my machines. I don't think this is testable; we just need to steadily converge towards
1526         getting our uses of DeferGC to be right and then be careful not to regress. We're not
1527         there yet, obviously.
1528         
1529         * llint/LLIntSlowPaths.cpp:
1530         (JSC::LLInt::jitCompileAndSetHeuristics):
1531
1532 2013-10-23  Daniel Bates  <dabates@apple.com>
1533
1534         [iOS] Upstream more JavaScriptCore build configuration changes
1535         https://bugs.webkit.org/show_bug.cgi?id=123169
1536
1537         Reviewed by David Kilzer.
1538
1539         * Configurations/Base.xcconfig:
1540         * Configurations/Version.xcconfig:
1541         * Configurations/iOS.xcconfig: Added.
1542         * JavaScriptCore.xcodeproj/project.pbxproj:
1543
1544 2013-10-23  Daniel Bates  <dabates@apple.com>
1545
1546         [iOS] Export DefaultGCActivityCallback member functions
1547         https://bugs.webkit.org/show_bug.cgi?id=123175
1548
1549         Reviewed by David Kilzer.
1550
1551         * runtime/GCActivityCallback.h:
1552
1553 2013-10-23  Daniel Bates  <dabates@apple.com>
1554
1555         [iOS] Upstream more ARMv7s bits
1556         https://bugs.webkit.org/show_bug.cgi?id=123052
1557
1558         Reviewed by Joseph Pecoraro.
1559
1560         * Configurations/JavaScriptCore.xcconfig:
1561
1562 2013-10-22  Andreas Kling  <akling@apple.com>
1563
1564         Minor VM* -> VM& cleanups in HashTable and Keywords.
1565         <https://webkit.org/b/123183>
1566
1567         Turn some VM* variables that will never be null into VM&.
1568
1569         Reviewed by Geoffrey Garen.
1570
1571 2013-10-22  Geoffrey Garen  <ggaren@apple.com>
1572
1573         REGRESSION: `if (false === (true && undefined)) console.log("wrong!");` logs "wrong!", shouldn't!
1574         https://bugs.webkit.org/show_bug.cgi?id=123179
1575
1576         Reviewed by Mark Hahnenberg.
1577
1578         * parser/NodeConstructors.h:
1579         (JSC::LogicalOpNode::LogicalOpNode):
1580         * parser/ResultType.h:
1581         (JSC::ResultType::forLogicalOp): Don't assume that && produces a boolean.
1582         This is JavaScript (aka Sparta).
1583
1584 2013-10-22  Commit Queue  <commit-queue@webkit.org>
1585
1586         Unreviewed, rolling out r157819.
1587         http://trac.webkit.org/changeset/157819
1588         https://bugs.webkit.org/show_bug.cgi?id=123180
1589
1590         Broke 32-bit builds (Requested by smfr on #webkit).
1591
1592         * Configurations/JavaScriptCore.xcconfig:
1593         * Configurations/ToolExecutable.xcconfig:
1594
1595 2013-10-22  Daniel Bates  <dabates@apple.com>
1596
1597         [iOS] Upstream more ARMv7s bits
1598         https://bugs.webkit.org/show_bug.cgi?id=123052
1599
1600         Reviewed by Joseph Pecoraro.
1601
1602         * Configurations/JavaScriptCore.xcconfig:
1603         * Configurations/ToolExecutable.xcconfig: Enable CLANG_ENABLE_OBJC_ARC for i386 as I'm
1604         modifying a file in JavaScriptCore/Configurations.
1605
1606 2013-10-22  Daniel Bates  <dabates@apple.com>
1607
1608         [iOS] Upstream JSLock changes
1609         https://bugs.webkit.org/show_bug.cgi?id=123107
1610
1611         Reviewed by Geoffrey Garen.
1612
1613         * runtime/JSLock.cpp:
1614         (JSC::JSLock::unlock):
1615         (JSC::JSLock::dropAllLocks): Modified to take a SpinLock, used only on iOS.
1616         (JSC::JSLock::dropAllLocksUnconditionally): Modified to take a SpinLock, used only on iOS. Also
1617         use pre-increment instead of post-increment when we're not using the return value of the instruction.
1618         (JSC::JSLock::grabAllLocks): Modified to take a SpinLock, used only on iOS. Also change
1619         places where we were using post-increment/post-decrement to use pre-increment/pre-decrement,
1620         since we don't use the return value of such instructions.
1621         (JSC::JSLock::DropAllLocks::DropAllLocks): Modified to support releasing all locks unconditionally.
1622         Take a spin lock before releasing all locks on iOS. Also, use nullptr instead of 0.
1623         (JSC::JSLock::DropAllLocks::~DropAllLocks): Take a spin lock before acquiring all locks on iOS.
1624         * runtime/JSLock.h: Remove extraneous argument name "exec" from DropAllLocks as the data type of
1625         the argument is sufficiently descriptive of its purpose.
1626
1627 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1628
1629         [arm] Add missing setupArgumentsWithExecState() prototypes to fix build.
1630         https://bugs.webkit.org/show_bug.cgi?id=123166
1631
1632         Reviewed by Michael Saboff.
1633
1634         * jit/CCallHelpers.h:
1635         (JSC::CCallHelpers::setupArgumentsWithExecState):
1636
1637 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1638
1639         [sh4][mips][arm] Fix crashes in JSC (32-bit only).
1640         https://bugs.webkit.org/show_bug.cgi?id=123165
1641
1642         Reviewed by Michael Saboff.
1643
1644         * jit/JITInlines.h:
1645         (JSC::JIT::callOperationNoExceptionCheck): Add missing EABI_32BIT_DUMMY_ARG.
1646         (JSC::JIT::callOperation): The last TrustedImm32(arg3) is a bit overkill for SH4 :)
1647         (JSC::JIT::callOperation): Add missing EABI_32BIT_DUMMY_ARG.
1648         (JSC::JIT::callOperation): Fix tag and payload order for V_JITOperation_EJJJ prototype.
1649
1650 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1651
1652         REGRESSION(r157690, r157699) Fix architectures using AssemblerBufferWithConstantPool.
1653         https://bugs.webkit.org/show_bug.cgi?id=123092
1654
1655         Reviewed by Michael Saboff.
1656
1657         Impacted architectures are SH4 and ARM_TRADITIONAL.
1658
1659         * assembler/ARMAssembler.h:
1660         (JSC::ARMAssembler::buffer):
1661         * assembler/AssemblerBufferWithConstantPool.h:
1662         (JSC::AssemblerBufferWithConstantPool::flushConstantPool):
1663         * assembler/LinkBuffer.cpp:
1664         (JSC::LinkBuffer::linkCode):
1665         * assembler/SH4Assembler.h:
1666         (JSC::SH4Assembler::buffer):
1667
1668 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1669
1670         Remove unused stuff in JIT stubs.
1671         https://bugs.webkit.org/show_bug.cgi?id=123155
1672
1673         Reviewed by Michael Saboff.
1674
1675         * jit/JITStubs.h:
1676         * jit/JITStubsARM.h:
1677         (JSC::ctiTrampoline):
1678         * jit/JITStubsARM64.h:
1679         * jit/JITStubsARMv7.h:
1680         * jit/JITStubsMIPS.h:
1681         * jit/JITStubsSH4.h:
1682         * jit/JITStubsX86.h:
1683         * jit/JITStubsX86_64.h:
1684
1685 2013-10-22  Daniel Bates  <dabates@apple.com>
1686
1687         [iOS] Upstream OS-version-specific install paths for JavaScriptCore.framework
1688         https://bugs.webkit.org/show_bug.cgi?id=123115
1689         <rdar://problem/13696872>
1690
1691         Reviewed by Andy Estes.
1692
1693         Based on a patch by Mark Hahnenberg.
1694
1695         Add support for running JavaScriptCore-based apps, built against the iOS 7 SDK, on older versions of iOS.
1696
1697         * API/JSBase.cpp:
1698
1699 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1700
1701         [sh4] Add missing lastRegister(), firstFPRegister() and lastFPRegister().
1702         https://bugs.webkit.org/show_bug.cgi?id=123157
1703
1704         Reviewed by Andreas Kling.
1705
1706         * assembler/SH4Assembler.h:
1707         (JSC::SH4Assembler::lastRegister):
1708         (JSC::SH4Assembler::firstFPRegister):
1709         (JSC::SH4Assembler::lastFPRegister):
1710
1711 2013-10-22  Brian Holt  <brian.holt@samsung.com>
1712
1713         Build break on ARMv7 after r157209
1714         https://bugs.webkit.org/show_bug.cgi?id=122890
1715
1716         Reviewed by Csaba Osztrogonác.
1717
1718         Add framePointerRegister and first/last register helpers for ARM_TRADITIONAL.
1719
1720         * assembler/ARMAssembler.h:
1721         * assembler/MacroAssemblerARM.h:
1722         (JSC::MacroAssemblerARM::firstRegister):
1723         (JSC::MacroAssemblerARM::lastRegister):
1724         (JSC::MacroAssemblerARM::firstFPRegister):
1725         (JSC::MacroAssemblerARM::lastFPRegister):
1726
1727 2013-10-21  Daniel Bates  <dabates@apple.com>
1728
1729         [iOS] Upstream JSGlobalObject::shouldInterruptScriptBeforeTimeout()
1730         https://bugs.webkit.org/show_bug.cgi?id=123045
1731
1732         Reviewed by Joseph Pecoraro.
1733
1734         * jsc.cpp: Add function pointer for shouldInterruptScriptBeforeTimeout
1735         to global method table.
1736         * runtime/JSGlobalObject.cpp: Ditto.
1737         * runtime/JSGlobalObject.h:
1738         (JSC::JSGlobalObject::shouldInterruptScriptBeforeTimeout): Added.
1739
1740 2013-10-21  Daniel Bates  <dabates@apple.com>
1741
1742         [iOS] Upstream JSC Objective-C API compiler warning fixes
1743         https://bugs.webkit.org/show_bug.cgi?id=123125
1744
1745         Reviewed by Mark Hahnenberg.
1746
1747         Based on a patch by Mark Hahnenberg.
1748
1749         * API/JSValue.mm:
1750         (-[JSValue toPoint]): Cast to CGFloat to fix some compiler warnings about double narrowing to float.
1751         (-[JSValue toSize]): Ditto.
1752         * API/tests/testapi.mm: Changed a test that was failing due to overflow of 32-bit NSUInteger on armv7.
1753
1754 2013-10-21  Daniel Bates  <dabates@apple.com>
1755
1756         [iOS] Mark classes JS{Context, ManagedValue, Value, VirtualMachine} as
1757         available since iOS 7.0
1758         https://bugs.webkit.org/show_bug.cgi?id=123122
1759
1760         Reviewed by Dan Bernstein.
1761
1762         * API/JSContext.h:
1763         * API/JSManagedValue.h:
1764         * API/JSValue.h:
1765         * API/JSVirtualMachine.h:
1766
1767 2013-10-20  Mark Lam  <mark.lam@apple.com>
1768
1769         Avoid JSC debugger overhead unless needed.
1770         https://bugs.webkit.org/show_bug.cgi?id=123084.
1771
1772         Reviewed by Geoffrey Garen.
1773
1774         - If no breakpoints are set, we now avoid calling the debug hook callbacks.
1775         - If no break on exception is set, we also avoid exception event debug callbacks.
1776         - When we return from the ScriptDebugServer to the JSC::Debugger, we may no
1777           longer call the debug hook callbacks if not needed. Hence, the m_currentCallFrame
1778           pointer in the ScriptDebugServer may become stale. To avoid this issue, before
1779           returning, the ScriptDebugServer will clear its m_currentCallFrame if
1780           needsOpDebugCallbacks() is false.
1781
1782         * debugger/Debugger.cpp:
1783         (JSC::Debugger::Debugger):
1784         (JSC::Debugger::setNeedsExceptionCallbacks):
1785         (JSC::Debugger::setShouldPause):
1786         (JSC::Debugger::updateNumberOfBreakpoints):
1787         (JSC::Debugger::updateNeedForOpDebugCallbacks):
1788         * debugger/Debugger.h:
1789         * interpreter/Interpreter.cpp:
1790         (JSC::Interpreter::unwind):
1791         (JSC::Interpreter::debug):
1792         * jit/JITOpcodes.cpp:
1793         (JSC::JIT::emit_op_debug):
1794         * jit/JITOpcodes32_64.cpp:
1795         (JSC::JIT::emit_op_debug):
1796         * llint/LLIntOffsetsExtractor.cpp:
1797         * llint/LowLevelInterpreter.asm:
1798
1799 2013-10-21  Brent Fulgham  <bfulgham@apple.com>
1800
1801         [WIN] Unreviewed build correction.
1802
1803         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Handle new JIT files as C++ implementation
1804           sources, not header files.
1805         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
1806
1807 2013-10-21  Oliver Hunt  <oliver@apple.com>
1808
1809         Support computed property names in object literals
1810         https://bugs.webkit.org/show_bug.cgi?id=123112
1811
1812         Reviewed by Michael Saboff.
1813
1814         Add support for computed property names to the parser.
1815
1816         * bytecompiler/NodesCodegen.cpp:
1817         (JSC::PropertyListNode::emitBytecode):
1818         * parser/ASTBuilder.h:
1819         (JSC::ASTBuilder::createProperty):
1820         (JSC::ASTBuilder::getName):
1821         * parser/NodeConstructors.h:
1822         (JSC::PropertyNode::PropertyNode):
1823         * parser/Nodes.h:
1824         (JSC::PropertyNode::expressionName):
1825         (JSC::PropertyNode::name):
1826         * parser/Parser.cpp:
1827         (JSC::::parseProperty):
1828         (JSC::::parseStrictObjectLiteral):
1829         * parser/SyntaxChecker.h:
1830         (JSC::SyntaxChecker::Property::Property):
1831         (JSC::SyntaxChecker::createProperty):
1832         (JSC::SyntaxChecker::operatorStackPop):
1833
1834 2013-10-21  Michael Saboff  <msaboff@apple.com>
1835
1836         Add option so that JSC will crash if it can't allocate executable memory for the JITs
1837         https://bugs.webkit.org/show_bug.cgi?id=123048
1838         <rdar://problem/12856193>
1839
1840         Reviewed by Geoffrey Garen.
1841
1842         Added new option, called crashIfCantAllocateJITMemory. If this option is true then we crash
1843         when checking the validity of the executable allocator. The default value for this option is
1844         false, but jsc sets it to true when built for iOS to make it straightforward to identify whether
1845         the app can obtain executable memory.
1846
1847         * jsc.cpp: Explicitly enable crashIfCantAllocateJITMemory on iOS.
1848         (main):
1849         * runtime/Options.h: Added option crashIfCantAllocateJITMemory.
1850         * runtime/VM.cpp:
1851         (JSC::enableAssembler): Modified to crash if option crashIfCantAllocateJITMemory
1852         is enabled.
1853
1854 2013-10-21  Nadav Rotem  <nrotem@apple.com>
1855
1856         Remove AllInOneFile.cpp
1857         https://bugs.webkit.org/show_bug.cgi?id=123055
1858
1859         Reviewed by Csaba Osztrogonác.
1860
1861         * AllInOneFile.cpp: Removed.
1862
1863 2013-10-20  Filip Pizlo  <fpizlo@apple.com>
1864
1865         Unreviewed, cleanup a FIXME comment.
1866
1867         * jit/Repatch.cpp:
1868
1869 2013-10-20  Filip Pizlo  <fpizlo@apple.com>
1870
1871         StructureStubInfo's usedRegisters set should be able to track all registers, not just the ones that our JITs view as temporaries
1872         https://bugs.webkit.org/show_bug.cgi?id=123076
1873
1874         Reviewed by Sam Weinig.
1875         
1876         Start preparing for a world in which we are patching code generated by LLVM, which may have
1877         very different register usage conventions than our JITs. This requires us being more explicit
1878         about the registers we are using. For example, the repatching code shouldn't take for granted
1879         that tagMaskRegister holds the TagMask or that the register is even in use.
1880
1881         * CMakeLists.txt:
1882         * GNUmakefile.list.am:
1883         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1884         * JavaScriptCore.xcodeproj/project.pbxproj:
1885         * assembler/MacroAssembler.h:
1886         (JSC::MacroAssembler::numberOfRegisters):
1887         (JSC::MacroAssembler::registerIndex):
1888         (JSC::MacroAssembler::numberOfFPRegisters):
1889         (JSC::MacroAssembler::fpRegisterIndex):
1890         (JSC::MacroAssembler::totalNumberOfRegisters):
1891         * bytecode/StructureStubInfo.h:
1892         * dfg/DFGSpeculativeJIT.cpp:
1893         (JSC::DFG::SpeculativeJIT::usedRegisters):
1894         * dfg/DFGSpeculativeJIT.h:
1895         * ftl/FTLSaveRestore.cpp:
1896         (JSC::FTL::bytesForGPRs):
1897         (JSC::FTL::bytesForFPRs):
1898         (JSC::FTL::offsetOfGPR):
1899         (JSC::FTL::offsetOfFPR):
1900         * jit/JITInlineCacheGenerator.cpp:
1901         (JSC::JITByIdGenerator::JITByIdGenerator):
1902         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1903         * jit/JITInlineCacheGenerator.h:
1904         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1905         * jit/JITPropertyAccess.cpp:
1906         (JSC::JIT::emit_op_get_by_id):
1907         (JSC::JIT::emit_op_put_by_id):
1908         * jit/JITPropertyAccess32_64.cpp:
1909         (JSC::JIT::emit_op_get_by_id):
1910         (JSC::JIT::emit_op_put_by_id):
1911         * jit/RegisterSet.cpp: Added.
1912         (JSC::RegisterSet::specialRegisters):
1913         * jit/RegisterSet.h: Added.
1914         (JSC::RegisterSet::RegisterSet):
1915         (JSC::RegisterSet::set):
1916         (JSC::RegisterSet::clear):
1917         (JSC::RegisterSet::get):
1918         (JSC::RegisterSet::merge):
1919         * jit/Repatch.cpp:
1920         (JSC::generateProtoChainAccessStub):
1921         (JSC::tryCacheGetByID):
1922         (JSC::tryBuildGetByIDList):
1923         (JSC::emitPutReplaceStub):
1924         (JSC::tryRepatchIn):
1925         (JSC::linkClosureCall):
1926         * jit/TempRegisterSet.cpp: Added.
1927         (JSC::TempRegisterSet::TempRegisterSet):
1928         * jit/TempRegisterSet.h:
1929
1930 2013-10-20  Julien Brianceau  <jbriance@cisco.com>
1931
1932         [sh4] Fix build (broken since r157690).
1933         https://bugs.webkit.org/show_bug.cgi?id=123081
1934
1935         Reviewed by Andreas Kling.
1936
1937         * assembler/AssemblerBufferWithConstantPool.h:
1938         * assembler/SH4Assembler.h:
1939         (JSC::SH4Assembler::buffer):
1940         (JSC::SH4Assembler::readCallTarget):
1941
1942 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
1943
1944         Simplify TempRegisterSet - it no longer needs to be convertible to a POD since it's no longer going to be a member of a union
1945         https://bugs.webkit.org/show_bug.cgi?id=123079
1946
1947         Reviewed by Geoffrey Garen.
1948
1949         * jit/TempRegisterSet.h:
1950
1951 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
1952
1953         Rename RegisterSet to TempRegisterSet
1954         https://bugs.webkit.org/show_bug.cgi?id=123077
1955
1956         Reviewed by Dan Bernstein.
1957
1958         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1959         * JavaScriptCore.xcodeproj/project.pbxproj:
1960         * bytecode/StructureStubInfo.h:
1961         * dfg/DFGJITCompiler.h:
1962         * dfg/DFGSpeculativeJIT.h:
1963         (JSC::DFG::SpeculativeJIT::usedRegisters):
1964         * jit/JITInlineCacheGenerator.cpp:
1965         (JSC::JITByIdGenerator::JITByIdGenerator):
1966         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1967         * jit/JITInlineCacheGenerator.h:
1968         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1969         * jit/JITPropertyAccess.cpp:
1970         (JSC::JIT::emit_op_get_by_id):
1971         (JSC::JIT::emit_op_put_by_id):
1972         * jit/JITPropertyAccess32_64.cpp:
1973         (JSC::JIT::emit_op_get_by_id):
1974         (JSC::JIT::emit_op_put_by_id):
1975         * jit/RegisterSet.h: Removed.
1976         * jit/ScratchRegisterAllocator.h:
1977         (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
1978         * jit/TempRegisterSet.h: Copied from Source/JavaScriptCore/jit/RegisterSet.h.
1979         (JSC::TempRegisterSet::TempRegisterSet):
1980         (JSC::TempRegisterSet::asPOD):
1981         (JSC::TempRegisterSet::copyInfo):
1982
1983 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
1984
1985         Restructure LinkBuffer to allow for alternate allocation strategies
1986         https://bugs.webkit.org/show_bug.cgi?id=123071
1987
1988         Reviewed by Oliver Hunt.
1989         
1990         The idea is to eventually allow a LinkBuffer to place the code into an already
1991         allocated region of memory.  That region of memory could be the nop-slide left behind
1992         by a llvm.webkit.patchpoint.
1993
1994         * assembler/ARM64Assembler.h:
1995         (JSC::ARM64Assembler::buffer):
1996         * assembler/AssemblerBuffer.h:
1997         * assembler/LinkBuffer.cpp:
1998         (JSC::LinkBuffer::copyCompactAndLinkCode):
1999         (JSC::LinkBuffer::linkCode):
2000         (JSC::LinkBuffer::allocate):
2001         (JSC::LinkBuffer::shrink):
2002         * assembler/LinkBuffer.h:
2003         (JSC::LinkBuffer::LinkBuffer):
2004         (JSC::LinkBuffer::didFailToAllocate):
2005         * assembler/X86Assembler.h:
2006         (JSC::X86Assembler::buffer):
2007         (JSC::X86Assembler::X86InstructionFormatter::memoryModRM):
2008
2009 2013-10-19  Alexey Proskuryakov  <ap@apple.com>
2010
2011         Some includes in JSC seem to use an incorrect style
2012         https://bugs.webkit.org/show_bug.cgi?id=123057
2013
2014         Reviewed by Geoffrey Garen.
2015
2016         Changed pseudo-system includes to user ones.
2017
2018         * API/JSContextRef.cpp:
2019         * API/JSStringRefCF.cpp:
2020         * API/JSValueRef.cpp:
2021         * API/OpaqueJSString.cpp:
2022         * jit/JIT.h:
2023         * parser/SyntaxChecker.h:
2024         * runtime/WeakGCMap.h:
2025
2026 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
2027
2028         Baseline JIT and DFG IC code generation should be unified and rationalized
2029         https://bugs.webkit.org/show_bug.cgi?id=122939
2030
2031         Reviewed by Geoffrey Garen.
2032         
2033         Introduce the JITInlineCacheGenerator, which takes a CodeBlock and a CodeOrigin plus
2034         some register info and creates JIT inline caches for you. Used this to even further
2035         unify the baseline and DFG ICs. In the future we can use this for FTL ICs. And my hope
2036         is that we'll be able to use it for cascading ICs: an IC for some instruction may realize
2037         that it needs to do the equivalent of get_by_id, so with this generator it will be able
2038         to create an IC even though it wasn't associated with a get_by_id bytecode instruction.
2039
2040         * CMakeLists.txt:
2041         * GNUmakefile.list.am:
2042         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2043         * JavaScriptCore.xcodeproj/project.pbxproj:
2044         * assembler/AbstractMacroAssembler.h:
2045         (JSC::AbstractMacroAssembler::DataLabelCompact::label):
2046         * bytecode/CodeBlock.h:
2047         (JSC::CodeBlock::ecmaMode):
2048         * dfg/DFGInlineCacheWrapper.h: Added.
2049         (JSC::DFG::InlineCacheWrapper::InlineCacheWrapper):
2050         * dfg/DFGInlineCacheWrapperInlines.h: Added.
2051         (JSC::DFG::::finalize):
2052         * dfg/DFGJITCompiler.cpp:
2053         (JSC::DFG::JITCompiler::link):
2054         * dfg/DFGJITCompiler.h:
2055         (JSC::DFG::JITCompiler::addGetById):
2056         (JSC::DFG::JITCompiler::addPutById):
2057         * dfg/DFGSpeculativeJIT32_64.cpp:
2058         (JSC::DFG::SpeculativeJIT::cachedGetById):
2059         (JSC::DFG::SpeculativeJIT::cachedPutById):
2060         * dfg/DFGSpeculativeJIT64.cpp:
2061         (JSC::DFG::SpeculativeJIT::cachedGetById):
2062         (JSC::DFG::SpeculativeJIT::cachedPutById):
2063         (JSC::DFG::SpeculativeJIT::compile):
2064         * jit/AssemblyHelpers.h:
2065         (JSC::AssemblyHelpers::isStrictModeFor):
2066         (JSC::AssemblyHelpers::strictModeFor):
2067         * jit/GPRInfo.h:
2068         (JSC::JSValueRegs::tagGPR):
2069         * jit/JIT.cpp:
2070         (JSC::JIT::JIT):
2071         (JSC::JIT::privateCompileSlowCases):
2072         (JSC::JIT::privateCompile):
2073         * jit/JIT.h:
2074         * jit/JITInlineCacheGenerator.cpp: Added.
2075         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
2076         (JSC::JITByIdGenerator::JITByIdGenerator):
2077         (JSC::JITByIdGenerator::finalize):
2078         (JSC::JITByIdGenerator::generateFastPathChecks):
2079         (JSC::JITGetByIdGenerator::generateFastPath):
2080         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
2081         (JSC::JITPutByIdGenerator::generateFastPath):
2082         (JSC::JITPutByIdGenerator::slowPathFunction):
2083         * jit/JITInlineCacheGenerator.h: Added.
2084         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
2085         (JSC::JITInlineCacheGenerator::stubInfo):
2086         (JSC::JITByIdGenerator::JITByIdGenerator):
2087         (JSC::JITByIdGenerator::reportSlowPathCall):
2088         (JSC::JITByIdGenerator::slowPathJump):
2089         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
2090         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
2091         * jit/JITPropertyAccess.cpp:
2092         (JSC::JIT::emit_op_get_by_id):
2093         (JSC::JIT::emitSlow_op_get_by_id):
2094         (JSC::JIT::emit_op_put_by_id):
2095         (JSC::JIT::emitSlow_op_put_by_id):
2096         * jit/JITPropertyAccess32_64.cpp:
2097         (JSC::JIT::emit_op_get_by_id):
2098         (JSC::JIT::emitSlow_op_get_by_id):
2099         (JSC::JIT::emit_op_put_by_id):
2100         (JSC::JIT::emitSlow_op_put_by_id):
2101         * jit/RegisterSet.h:
2102         (JSC::RegisterSet::set):
2103
2104 2013-10-19  Alexey Proskuryakov  <ap@apple.com>
2105
2106         APICast.h uses functions from JSCJSValueInlines.h, but doesn't include it
2107         https://bugs.webkit.org/show_bug.cgi?id=123067
2108
2109         Reviewed by Geoffrey Garen.
2110
2111         * API/APICast.h: Include it.
2112
2113 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
2114
2115         FTL::Location should treat the offset as an addend in the case of a Register location
2116         https://bugs.webkit.org/show_bug.cgi?id=123062
2117
2118         Reviewed by Sam Weinig.
2119
2120         * ftl/FTLLocation.cpp:
2121         (JSC::FTL::Location::forStackmaps):
2122         (JSC::FTL::Location::dump):
2123         (JSC::FTL::Location::restoreInto):
2124         * ftl/FTLLocation.h:
2125         (JSC::FTL::Location::forRegister):
2126         (JSC::FTL::Location::hasAddend):
2127         (JSC::FTL::Location::addend):
2128
2129 2013-10-19  Nadav Rotem  <nrotem@apple.com>
2130
2131         DFG dominators: document and rename stuff.
2132         https://bugs.webkit.org/show_bug.cgi?id=123056
2133
2134         Reviewed by Filip Pizlo.
2135
2136         Documented the code and renamed some variables.
2137
2138         * dfg/DFGDominators.cpp:
2139         (JSC::DFG::Dominators::compute):
2140         (JSC::DFG::Dominators::pruneDominators):
2141         * dfg/DFGDominators.h:
2142
2143 2013-10-19  Julien Brianceau  <jbriance@cisco.com>
2144
2145         Fix build failure for architectures with 4 argument registers.
2146         https://bugs.webkit.org/show_bug.cgi?id=123060
2147
2148         Reviewed by Michael Saboff.
2149
2150         Add missing setupArgumentsWithExecState() prototypes for architectures with 4 argument registers.
2151         Remove SH4 specific code no longer needed since callOperation prototype change in r157660.
2152
2153         * dfg/DFGSpeculativeJIT.h:
2154         (JSC::DFG::SpeculativeJIT::callOperation):
2155         * jit/CCallHelpers.h:
2156         (JSC::CCallHelpers::setupArgumentsWithExecState):
2157         * jit/JITInlines.h:
2158         (JSC::JIT::callOperation):
2159
2160 2013-10-18  Filip Pizlo  <fpizlo@apple.com>
2161
2162         Unreviewed, fix FTL build.
2163
2164         * ftl/FTLIntrinsicRepository.h:
2165         * ftl/FTLLowerDFGToLLVM.cpp:
2166         (JSC::FTL::LowerDFGToLLVM::compileGetById):
2167
2168 2013-10-18  Filip Pizlo  <fpizlo@apple.com>
2169
2170         A CodeBlock's StructureStubInfos shouldn't be in a Vector that we search using code origins and machine code PCs
2171         https://bugs.webkit.org/show_bug.cgi?id=122940
2172
2173         Reviewed by Oliver Hunt.
2174         
2175         This accomplishes a number of simplifications. StructureStubInfo is now non-moving,
2176         whereas previously it was in a Vector, so it moved. This allows you to use pointers to
2177         StructureStubInfo. This also eliminates the use of return PC as a way of finding the
2178         StructureStubInfos. It removes some of the need for the compile-time property access
2179         records; for example the DFG no longer has to save information about registers in a
2180         property access record only to later save it to the stub info.
2181         
2182         The main thing this accomplishes is that it makes it easier to add StructureStubInfos
2183         at any stage of compilation.
2184
2185         * bytecode/CodeBlock.cpp:
2186         (JSC::CodeBlock::printGetByIdCacheStatus):
2187         (JSC::CodeBlock::dumpBytecode):
2188         (JSC::CodeBlock::~CodeBlock):
2189         (JSC::CodeBlock::propagateTransitions):
2190         (JSC::CodeBlock::finalizeUnconditionally):
2191         (JSC::CodeBlock::addStubInfo):
2192         (JSC::CodeBlock::getStubInfoMap):
2193         (JSC::CodeBlock::shrinkToFit):
2194         * bytecode/CodeBlock.h:
2195         (JSC::CodeBlock::begin):
2196         (JSC::CodeBlock::end):
2197         (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
2198         * bytecode/CodeOrigin.h:
2199         (JSC::CodeOrigin::CodeOrigin):
2200         (JSC::CodeOrigin::isHashTableDeletedValue):
2201         (JSC::CodeOrigin::hash):
2202         (JSC::CodeOriginHash::hash):
2203         (JSC::CodeOriginHash::equal):
2204         * bytecode/GetByIdStatus.cpp:
2205         (JSC::GetByIdStatus::computeFor):
2206         * bytecode/GetByIdStatus.h:
2207         * bytecode/PutByIdStatus.cpp:
2208         (JSC::PutByIdStatus::computeFor):
2209         * bytecode/PutByIdStatus.h:
2210         * bytecode/StructureStubInfo.h:
2211         (JSC::getStructureStubInfoCodeOrigin):
2212         * dfg/DFGByteCodeParser.cpp:
2213         (JSC::DFG::ByteCodeParser::parseBlock):
2214         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2215         * dfg/DFGJITCompiler.cpp:
2216         (JSC::DFG::JITCompiler::link):
2217         * dfg/DFGJITCompiler.h:
2218         (JSC::DFG::PropertyAccessRecord::PropertyAccessRecord):
2219         (JSC::DFG::InRecord::InRecord):
2220         * dfg/DFGSpeculativeJIT.cpp:
2221         (JSC::DFG::SpeculativeJIT::compileIn):
2222         * dfg/DFGSpeculativeJIT.h:
2223         (JSC::DFG::SpeculativeJIT::callOperation):
2224         * dfg/DFGSpeculativeJIT32_64.cpp:
2225         (JSC::DFG::SpeculativeJIT::cachedGetById):
2226         (JSC::DFG::SpeculativeJIT::cachedPutById):
2227         * dfg/DFGSpeculativeJIT64.cpp:
2228         (JSC::DFG::SpeculativeJIT::cachedGetById):
2229         (JSC::DFG::SpeculativeJIT::cachedPutById):
2230         * jit/CCallHelpers.h:
2231         (JSC::CCallHelpers::setupArgumentsWithExecState):
2232         * jit/JIT.cpp:
2233         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
2234         (JSC::JIT::privateCompile):
2235         * jit/JIT.h:
2236         (JSC::PropertyStubCompilationInfo::slowCaseInfo):
2237         * jit/JITInlines.h:
2238         (JSC::JIT::callOperation):
2239         * jit/JITOperations.cpp:
2240         * jit/JITOperations.h:
2241         * jit/JITPropertyAccess.cpp:
2242         (JSC::JIT::emitSlow_op_get_by_id):
2243         (JSC::JIT::emitSlow_op_put_by_id):
2244         * jit/JITPropertyAccess32_64.cpp:
2245         (JSC::JIT::emitSlow_op_get_by_id):
2246         (JSC::JIT::emitSlow_op_put_by_id):
2247         * jit/Repatch.cpp:
2248         (JSC::appropriateGenericPutByIdFunction):
2249         (JSC::appropriateListBuildingPutByIdFunction):
2250         (JSC::resetPutByID):
2251
2252 2013-10-18  Oliver Hunt  <oliver@apple.com>
2253
2254         Spread operator should be performing direct "puts" and not triggering setters
2255         https://bugs.webkit.org/show_bug.cgi?id=123047
2256
2257         Reviewed by Geoffrey Garen.
2258
2259         Add a new opcode -- op_put_by_val_direct -- and make use of it in the spread
2260         to array construct.  This required a new PutByValDirect node to be introduced to
2261         the DFG.  The current implementation simply changes the slow path function that
2262         is called, but in future this could be made faster as it does not need to check
2263         the prototype chain.
2264
2265         * bytecode/CodeBlock.cpp:
2266         (JSC::CodeBlock::dumpBytecode):
2267         (JSC::CodeBlock::CodeBlock):
2268         * bytecode/Opcode.h:
2269         (JSC::padOpcodeName):
2270         * bytecompiler/BytecodeGenerator.cpp:
2271         (JSC::BytecodeGenerator::emitDirectPutByVal):
2272         * bytecompiler/BytecodeGenerator.h:
2273         * bytecompiler/NodesCodegen.cpp:
2274         (JSC::ArrayNode::emitBytecode):
2275         * dfg/DFGAbstractInterpreterInlines.h:
2276         (JSC::DFG::::executeEffects):
2277         * dfg/DFGBackwardsPropagationPhase.cpp:
2278         (JSC::DFG::BackwardsPropagationPhase::propagate):
2279         * dfg/DFGByteCodeParser.cpp:
2280         (JSC::DFG::ByteCodeParser::parseBlock):
2281         * dfg/DFGCSEPhase.cpp:
2282         (JSC::DFG::CSEPhase::getArrayLengthElimination):
2283         (JSC::DFG::CSEPhase::getByValLoadElimination):
2284         (JSC::DFG::CSEPhase::checkStructureElimination):
2285         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
2286         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
2287         (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
2288         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
2289         (JSC::DFG::CSEPhase::performNodeCSE):
2290         * dfg/DFGCapabilities.cpp:
2291         (JSC::DFG::capabilityLevel):
2292         * dfg/DFGClobberize.h:
2293         (JSC::DFG::clobberize):
2294         * dfg/DFGFixupPhase.cpp:
2295         (JSC::DFG::FixupPhase::fixupNode):
2296         * dfg/DFGGraph.h:
2297         (JSC::DFG::Graph::clobbersWorld):
2298         * dfg/DFGNode.h:
2299         (JSC::DFG::Node::hasArrayMode):
2300         * dfg/DFGNodeType.h:
2301         * dfg/DFGOperations.cpp:
2302         (JSC::DFG::putByVal):
2303         (JSC::DFG::operationPutByValInternal):
2304         * dfg/DFGOperations.h:
2305         * dfg/DFGPredictionPropagationPhase.cpp:
2306         (JSC::DFG::PredictionPropagationPhase::propagate):
2307         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
2308         * dfg/DFGSafeToExecute.h:
2309         (JSC::DFG::safeToExecute):
2310         * dfg/DFGSpeculativeJIT32_64.cpp:
2311         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
2312         (JSC::DFG::SpeculativeJIT::compile):
2313         * dfg/DFGSpeculativeJIT64.cpp:
2314         (JSC::DFG::SpeculativeJIT::compile):
2315         * dfg/DFGTypeCheckHoistingPhase.cpp:
2316         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2317         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
2318         * jit/JIT.cpp:
2319         (JSC::JIT::privateCompileMainPass):
2320         (JSC::JIT::privateCompileSlowCases):
2321         * jit/JIT.h:
2322         (JSC::JIT::compileDirectPutByVal):
2323         * jit/JITOperations.cpp:
2324         * jit/JITOperations.h:
2325         * jit/JITPropertyAccess.cpp:
2326         (JSC::JIT::emitSlow_op_put_by_val):
2327         (JSC::JIT::privateCompilePutByVal):
2328         * jit/JITPropertyAccess32_64.cpp:
2329         (JSC::JIT::emitSlow_op_put_by_val):
2330         * llint/LLIntSlowPaths.cpp:
2331         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2332         * llint/LLIntSlowPaths.h:
2333         * llint/LowLevelInterpreter32_64.asm:
2334         * llint/LowLevelInterpreter64.asm:
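
        The observable behaviour this entry restores, as an added JavaScript example (not WebKit
        code): array spread defines its elements directly, the way op_put_by_val_direct does, so an
        inherited accessor on Array.prototype must not be invoked, whereas an ordinary indexed
        assignment goes through [[Set]] and does invoke it. The helper names below are assumptions.

```javascript
// Added example, not WebKit code. Installs an accessor for index "0" on
// Array.prototype, runs `body` with it in place, and reports how many times
// the inherited setter ran. Array.prototype is restored afterwards.
function withInheritedIndexSetter(body) {
  let setterCalls = 0;
  Object.defineProperty(Array.prototype, '0', {
    get() { return undefined; },
    set(_value) { setterCalls += 1; },
    configurable: true,
  });
  try {
    body();
  } finally {
    // Defining index 0 bumped Array.prototype.length to 1; undo both changes
    // so later code is unaffected.
    delete Array.prototype['0'];
    Array.prototype.length = 0;
  }
  return setterCalls;
}

// Spread into an array literal: each element must become an own data property
// of the new array, and the inherited setter must stay untouched.
function spreadSetterCalls() {
  let ownElement;
  const calls = withInheritedIndexSetter(() => {
    const copy = [...[42]];
    ownElement = Object.getOwnPropertyDescriptor(copy, '0');
  });
  return {
    calls,
    hasOwnElement: ownElement !== undefined,
    value: ownElement === undefined ? undefined : ownElement.value,
  };
}

// Plain indexed assignment for comparison: [[Set]] walks the prototype chain,
// finds the accessor, and calls the setter instead of creating an own element.
function assignmentSetterCalls() {
  let ownElement;
  const calls = withInheritedIndexSetter(() => {
    const arr = [];
    arr[0] = 42;
    ownElement = Object.getOwnPropertyDescriptor(arr, '0');
  });
  return { calls, hasOwnElement: ownElement !== undefined };
}
```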
2335
2336 2013-10-18  Daniel Bates  <dabates@apple.com>
2337
2338         [iOS] Export symbol for VM::sharedInstanceExists()
2339         https://bugs.webkit.org/show_bug.cgi?id=123046
2340
2341         Reviewed by Mark Hahnenberg.
2342
2343         * runtime/VM.h:
2344
2345 2013-10-18  Daniel Bates  <dabates@apple.com>
2346
2347         [iOS] Upstream WebSafe{GCActivityCallback, IncrementalSweeper}IOS
2348         https://bugs.webkit.org/show_bug.cgi?id=123049
2349
2350         Reviewed by Mark Hahnenberg.
2351
2352         * heap/Heap.cpp:
2353         (JSC::Heap::setIncrementalSweeper):
2354         * heap/Heap.h:
2355         * heap/HeapTimer.h:
2356         * heap/IncrementalSweeper.h: Make protected and export CF-variant of constructor.
2357         Removed unused include of header RetainPtr.h. Also forward declare class MarkedBlock
2358         (we include its header in the .cpp file) and remove include for header wtf/HashSet.h
2359         (duplicates the include in the .cpp).
2360         * heap/MachineStackMarker.h: Export function makeUsableFromMultipleThreads(). We aren't
2361         making use of this now, but we'll make use of it in a subsequent patch.
2362
2363 2013-10-18  Anders Carlsson  <andersca@apple.com>
2364
2365         Remove spaces between template angle brackets
2366         https://bugs.webkit.org/show_bug.cgi?id=123040
2367
2368         Reviewed by Andreas Kling.
2369
2370         * API/JSCallbackObject.cpp:
2371         (JSC::::create):
2372         * API/JSObjectRef.cpp:
2373         * bytecode/CodeBlock.h:
2374         (JSC::CodeBlock::constants):
2375         (JSC::CodeBlock::setConstantRegisters):
2376         * bytecode/DFGExitProfile.h:
2377         * bytecode/EvalCodeCache.h:
2378         * bytecode/Operands.h:
2379         * bytecode/UnlinkedCodeBlock.h:
2380         (JSC::UnlinkedCodeBlock::constantRegisters):
2381         * bytecode/Watchpoint.h:
2382         * bytecompiler/BytecodeGenerator.h:
2383         * bytecompiler/StaticPropertyAnalysis.h:
2384         * bytecompiler/StaticPropertyAnalyzer.h:
2385         * dfg/DFGArgumentsSimplificationPhase.cpp:
2386         * dfg/DFGBlockInsertionSet.h:
2387         * dfg/DFGCSEPhase.cpp:
2388         (JSC::DFG::performCSE):
2389         (JSC::DFG::performStoreElimination):
2390         * dfg/DFGCommonData.h:
2391         * dfg/DFGDesiredStructureChains.h:
2392         * dfg/DFGDesiredWatchpoints.h:
2393         * dfg/DFGJITCompiler.h:
2394         * dfg/DFGOSRExitCompiler32_64.cpp:
2395         (JSC::DFG::OSRExitCompiler::compileExit):
2396         * dfg/DFGOSRExitCompiler64.cpp:
2397         (JSC::DFG::OSRExitCompiler::compileExit):
2398         * dfg/DFGWorklist.h:
2399         * heap/BlockAllocator.h:
2400         (JSC::CopiedBlock):
2401         (JSC::MarkedBlock):
2402         (JSC::WeakBlock):
2403         (JSC::MarkStackSegment):
2404         (JSC::CopyWorkListSegment):
2405         (JSC::HandleBlock):
2406         * heap/Heap.h:
2407         * heap/Local.h:
2408         * heap/MarkedBlock.h:
2409         * heap/Strong.h:
2410         * jit/AssemblyHelpers.cpp:
2411         (JSC::AssemblyHelpers::decodedCodeMapFor):
2412         * jit/AssemblyHelpers.h:
2413         * jit/SpecializedThunkJIT.h:
2414         * parser/Nodes.h:
2415         * parser/Parser.cpp:
2416         (JSC::::parseIfStatement):
2417         * parser/Parser.h:
2418         (JSC::Scope::copyCapturedVariablesToVector):
2419         (JSC::parse):
2420         * parser/ParserArena.h:
2421         * parser/SourceProviderCacheItem.h:
2422         * profiler/LegacyProfiler.cpp:
2423         (JSC::dispatchFunctionToProfiles):
2424         * profiler/LegacyProfiler.h:
2425         (JSC::LegacyProfiler::currentProfiles):
2426         * profiler/ProfileNode.h:
2427         (JSC::ProfileNode::children):
2428         * profiler/ProfilerDatabase.h:
2429         * runtime/Butterfly.h:
2430         (JSC::Butterfly::contiguousInt32):
2431         (JSC::Butterfly::contiguous):
2432         * runtime/GenericTypedArrayViewInlines.h:
2433         (JSC::::create):
2434         * runtime/Identifier.h:
2435         (JSC::Identifier::add):
2436         * runtime/JSPromise.h:
2437         * runtime/PropertyMapHashTable.h:
2438         * runtime/PropertyNameArray.h:
2439         * runtime/RegExpCache.h:
2440         * runtime/SparseArrayValueMap.h:
2441         * runtime/SymbolTable.h:
2442         * runtime/VM.h:
2443         * tools/CodeProfile.cpp:
2444         (JSC::truncateTrace):
2445         * tools/CodeProfile.h:
2446         * yarr/YarrInterpreter.cpp:
2447         * yarr/YarrInterpreter.h:
2448         (JSC::Yarr::BytecodePattern::BytecodePattern):
2449         * yarr/YarrJIT.cpp:
2450         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
2451         (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
2452         (JSC::Yarr::YarrGenerator::opCompileBody):
2453         * yarr/YarrPattern.cpp:
2454         (JSC::Yarr::YarrPatternConstructor::checkForTerminalParentheses):
2455         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
2456         * yarr/YarrPattern.h:
2457
2458 2013-10-18  Mark Lam  <mark.lam@apple.com>
2459
2460         Remove excess reserved space in ctiTrampoline frames for X86 and X86_64.
2461         https://bugs.webkit.org/show_bug.cgi?id=123037.
2462
2463         Reviewed by Geoffrey Garen.
2464
2465         * jit/JITStubsMSVC64.asm:
2466         * jit/JITStubsX86.h:
2467         * jit/JITStubsX86_64.h:
2468
2469 2013-10-18  Filip Pizlo  <fpizlo@apple.com>
2470
2471         Frequent RELEASE_ASSERT crashes in Structure::checkOffsetConsistency on WebGL swizzler tests
2472         https://bugs.webkit.org/show_bug.cgi?id=121661
2473
2474         Reviewed by Mark Hahnenberg.
2475         
2476         This method shouldn't have been called from the concurrent JIT thread. That's hard to prevent
2477         so I added a return-early check using isCompilationThread().
2478         
2479         Here's why this makes sense. Structure has two ways to tell you about the layout of the objects
2480         it is describing: m_offset and the property table. Most structures only have m_offset and report
2481         null for the property table. If the property table is there, it will tell you additional
2482         information and that information subsumes m_offset - but the m_offset is still there. So, when
2483         we have a property table, we have to keep it in sync with the m_offset. There is a bunch of
2484         machinery to do this.
2485         
2486         Changing the property table only happens on the main thread.
2487         
2488         Because the machinery to change the property table is so complex, especially with respect to
2489         keeping it in sync with m_offset, we have the checkOffsetConsistency method. It's meant to be
2490         called at key points before and after changes to the property table or the offset.
2491
2492         Most clients of Structure who care about object layout, including the concurrent thread, will
2493         want to know m_offset and not the property table. If they want the property table, they will
2494         already be super careful. The concurrent thread has special methods for this, like
2495         Structure::getConcurrently(), which uses fine-grained locking to ensure that it sees a coherent
2496         view of the property table.
2497         
2498         Adding locking to checkOffsetConsistency() is probably a bad idea since that method may be
2499         called when the relevant lock is already held. So, we'd have awkward recursive locking issues.
2500         
2501         But right now, the concurrent JIT thread may call a method, like Structure::outOfLineCapacity(),
2502         which has a call to checkOffsetConsistency(). The call to checkOffsetConsistency() is there
2503         because we have found that it helps quickly identify situations where the property table and
2504         m_offset get out of sync - mainly because code that changes either of those things will usually
2505         also want to know the outOfLineCapacity(). But Structure::outOfLineCapacity() doesn't *actually*
2506         need the property table; it uses the m_offset. The concurrent JIT is correct to call
2507         outOfLineCapacity(), and is right to do so without holding any locks (since in all cases where
2508         it calls outOfLineCapacity() it has already proven that m_offset is immutable). But because
2509         outOfLineCapacity() calls checkOffsetConsistency(), and checkOffsetConsistency() doesn't grab
2510         locks, and that same structure is having its property table modified by the main thread, we end
2511         up with these spurious assertion failures. FWIW, the structure isn't *actually* having *its*
2512         property table modified - instead what happens is that some downstream structure steals the
2513         property table and then starts adding things to it. The concurrent thread loads the property
2514         table before it's stolen, and hence the badness.
2515         
2516         I suspect there are other code paths that lead to the concurrent JIT calling some Structure
2517         method that it is fine and safe to call, but then that method calls checkOffsetConsistency(),
2518         and then you have a possible crash.
2519         
2520         The most sensible solution to this appears to be to make sure that checkOffsetConsistency() is
2521         aware of its uselessness to the concurrent JIT thread. This change makes it return early if
2522         it's in the concurrent JIT.
2523         
2524         * runtime/StructureInlines.h:
2525         (JSC::Structure::checkOffsetConsistency):
2526
2527 2013-10-18  Daniel Bates  <dabates@apple.com>
2528
2529         Add SPI to disable the garbage collector timer
2530         https://bugs.webkit.org/show_bug.cgi?id=122921
2531
2532         Add null check to Heap::setGarbageCollectionTimerEnabled() that I inadvertently
2533         omitted.
2534
2535         * heap/Heap.cpp:
2536         (JSC::Heap::setGarbageCollectionTimerEnabled):
2537
2538 2013-10-18  Julien Brianceau  <jbriance@cisco.com>
2539
2540         Group 64-bit specific and 32-bit specific callOperation implementations.
2541         https://bugs.webkit.org/show_bug.cgi?id=123024
2542
2543         Reviewed by Michael Saboff.
2544
2545         This is not a big deal, but could be less confusing when reading the code.
2546
2547         * jit/JITInlines.h:
2548         (JSC::JIT::callOperation):
2549         (JSC::JIT::callOperationWithCallFrameRollbackOnException):
2550         (JSC::JIT::callOperationNoExceptionCheck):
2551
2552 2013-10-18  Nadav Rotem  <nrotem@apple.com>
2553
2554         Fix a FlushLiveness problem.
2555         https://bugs.webkit.org/show_bug.cgi?id=122984
2556
2557         Reviewed by Filip Pizlo.
2558
2559         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
2560         (JSC::DFG::FlushLivenessAnalysisPhase::process):
2561
2562 2013-10-18  Michael Saboff  <msaboff@apple.com>
2563
2564         Change native function call stubs to use JIT operations instead of ctiVMHandleException
2565         https://bugs.webkit.org/show_bug.cgi?id=122982
2566
2567         Reviewed by Geoffrey Garen.
2568
2569         Change ctiVMHandleException to operationVMHandleException.  Change all exception operations to
2570         return the catch callFrame and entryPC via vm.callFrameForThrow and vm.targetMachinePCForThrow.
2571         This removed calling convention headaches, fixing https://bugs.webkit.org/show_bug.cgi?id=122980
2572         in the process.
2573
2574         * dfg/DFGJITCompiler.cpp:
2575         (JSC::DFG::JITCompiler::compileExceptionHandlers):
2576         * jit/CCallHelpers.h:
2577         (JSC::CCallHelpers::jumpToExceptionHandler):
2578         * jit/JIT.cpp:
2579         (JSC::JIT::privateCompileExceptionHandlers):
2580         * jit/JIT.h:
2581         * jit/JITExceptions.cpp:
2582         (JSC::genericUnwind):
2583         * jit/JITExceptions.h:
2584         * jit/JITInlines.h:
2585         (JSC::JIT::callOperationNoExceptionCheck):
2586         * jit/JITOpcodes.cpp:
2587         (JSC::JIT::emit_op_throw):
2588         * jit/JITOpcodes32_64.cpp:
2589         (JSC::JIT::privateCompileCTINativeCall):
2590         (JSC::JIT::emit_op_throw):
2591         * jit/JITOperations.cpp:
2592         * jit/JITOperations.h:
2593         * jit/JITStubs.cpp:
2594         * jit/JITStubs.h:
2595         * jit/JITStubsARM.h:
2596         * jit/JITStubsARM64.h:
2597         * jit/JITStubsARMv7.h:
2598         * jit/JITStubsMIPS.h:
2599         * jit/JITStubsMSVC64.asm:
2600         * jit/JITStubsSH4.h:
2601         * jit/JITStubsX86.h:
2602         * jit/JITStubsX86_64.h:
2603         * jit/Repatch.cpp:
2604         (JSC::tryBuildGetByIDList):
2605         * jit/SlowPathCall.h:
2606         (JSC::JITSlowPathCall::call):
2607         * jit/ThunkGenerators.cpp:
2608         (JSC::throwExceptionFromCallSlowPathGenerator):
2609         (JSC::nativeForGenerator):
2610         * runtime/VM.h:
2611         (JSC::VM::callFrameForThrowOffset):
2612         (JSC::VM::targetMachinePCForThrowOffset):
2613
2614 2013-10-18  Julien Brianceau  <jbriance@cisco.com>
2615
2616         Fix J_JITOperation_EAapJ call for MIPS and ARM EABI.
2617         https://bugs.webkit.org/show_bug.cgi?id=123023
2618
2619         Reviewed by Michael Saboff.
2620
2621         * jit/JITInlines.h:
2622         (JSC::JIT::callOperation): EncodedJSValue parameter does not need alignment
2623         using EABI_32BIT_DUMMY_ARG here.
2624
2625 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
2626
2627         Unreviewed, another ARM64 build fix.
2628         
2629         Get rid of andPtr(TrustedImmPtr, blah), since it would take Effort to get it to work
2630         on ARM64 and none of its uses are legit - they should all be using
2631         andPtr(TrustedImm32, blah) anyway.
2632
2633         * assembler/MacroAssembler.h:
2634         * assembler/MacroAssemblerARM64.h:
2635         * dfg/DFGJITCompiler.cpp:
2636         (JSC::DFG::JITCompiler::compileExceptionHandlers):
2637         * jit/JIT.cpp:
2638         (JSC::JIT::privateCompileExceptionHandlers):
2639
2640 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
2641
2642         Unreviewed, speculative ARM64 build fix.
2643         
2644         move(ImmPtr, blah) is only available in MacroAssembler since that's where blinding is
2645         implemented. So, you have to use TrustedImmPtr in the superclasses.
2646
2647         * assembler/MacroAssemblerARM64.h:
2648         (JSC::MacroAssemblerARM64::store8):
2649         (JSC::MacroAssemblerARM64::branchTest8):
2650
2651 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
2652
2653         Unreviewed, speculative ARM build fix.
2654         https://bugs.webkit.org/show_bug.cgi?id=122890
2655         <rdar://problem/15258624>
2656
2657         * assembler/ARM64Assembler.h:
2658         (JSC::ARM64Assembler::firstRegister):
2659         (JSC::ARM64Assembler::lastRegister):
2660         (JSC::ARM64Assembler::firstFPRegister):
2661         (JSC::ARM64Assembler::lastFPRegister):
2662         * assembler/MacroAssemblerARM64.h:
2663         * assembler/MacroAssemblerARMv7.h:
2664
2665 2013-10-17  Andreas Kling  <akling@apple.com>
2666
2667         Pass VM instead of JSGlobalObject to JSONObject constructor.
2668         <https://webkit.org/b/122999>
2669
2670         JSONObject was only using the JSGlobalObject to grab at the VM.
2671         Dodge a few loads by passing the VM directly instead.
2672
2673         Reviewed by Geoffrey Garen.
2674
2675         * runtime/JSONObject.cpp:
2676         (JSC::JSONObject::JSONObject):
2677         (JSC::JSONObject::finishCreation):
2678         * runtime/JSONObject.h:
2679         (JSC::JSONObject::create):
2680
2681 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2682
2683         Removed the JITStackFrame struct
2684         https://bugs.webkit.org/show_bug.cgi?id=123001
2685
2686         Reviewed by Anders Carlsson.
2687
2688         * jit/JITStubs.h: JITStackFrame and JITStubArg are unused now, since all
2689         our helper functions obey the C function call ABI.
2690
2691 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2692
2693         Removed an unused #define
2694         https://bugs.webkit.org/show_bug.cgi?id=123000
2695
2696         Reviewed by Anders Carlsson.
2697
2698         * jit/JITStubs.h: Removed the concept of JITSTACKFRAME_ARGS_INDEX,
2699         since it is unused now. This is a step toward using the C stack.
2700
2701 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2702
2703         Eliminate uses of JITSTACKFRAME_ARGS_INDEX as scratch area for thunks
2704         https://bugs.webkit.org/show_bug.cgi?id=122973
2705
2706         Reviewed by Michael Saboff.
2707
2708         * jit/ThunkGenerators.cpp:
2709         (JSC::throwExceptionFromCallSlowPathGenerator): This was all dead code,
2710         so I removed it.
2711
2712         The code acted as if it needed to pass an argument to
2713         lookupExceptionHandler, and as if it passed that argument to itself
2714         through JITStackFrame. However, lookupExceptionHandler does not take
2715         an argument (other than the default ExecState argument), and the code
2716         did not initialize the thing that it thought it passed to itself!
2717
2718 2013-10-17  Alex Christensen  <achristensen@webkit.org>
2719
2720         Run JavaScriptCore tests again on Windows.
2721         https://bugs.webkit.org/show_bug.cgi?id=122787
2722
2723         Reviewed by Tim Horton.
2724
2725         * JavaScriptCore.vcxproj/JavaScriptCore.sln: Added.
2726         * jit/JITStubsMSVC64.asm: Removed reference to cti_vm_throw unused since r157581.
2727
2728 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2729
2730         Removed restoreArgumentReference (another use of JITStackFrame)
2731         https://bugs.webkit.org/show_bug.cgi?id=122997
2732
2733         Reviewed by Oliver Hunt.
2734
2735         * jit/JSInterfaceJIT.h: Removed an unused function. This is a step
2736         toward using the C stack.
2737
2738 2013-10-17  Oliver Hunt  <oliver@apple.com>
2739
2740         Remove JITStubCall.h
2741         https://bugs.webkit.org/show_bug.cgi?id=122991
2742
2743         Reviewed by Geoff Garen.
2744
2745         Happily this is no longer used.
2746
2747         * GNUmakefile.list.am:
2748         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2749         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2750         * JavaScriptCore.xcodeproj/project.pbxproj:
2751         * jit/JIT.cpp:
2752         * jit/JITArithmetic.cpp:
2753         * jit/JITArithmetic32_64.cpp:
2754         * jit/JITCall.cpp:
2755         * jit/JITCall32_64.cpp:
2756         * jit/JITOpcodes.cpp:
2757         * jit/JITOpcodes32_64.cpp:
2758         * jit/JITPropertyAccess.cpp:
2759         * jit/JITPropertyAccess32_64.cpp:
2760         * jit/JITStubCall.h: Removed.
2761
2762 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2763
2764         Removed a use of JITSTACKFRAME_ARGS_INDEX
2765         https://bugs.webkit.org/show_bug.cgi?id=122989
2766
2767         Reviewed by Oliver Hunt.
2768
2769         * jit/JITStubCall.h: Removed an unused function. This is one step closer
2770         to using the C stack.
2771
2772 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2773
2774         Change emit_op_catch to use another method to materialize VM
2775         https://bugs.webkit.org/show_bug.cgi?id=122977
2776
2777         Reviewed by Oliver Hunt.
2778
2779         * jit/JITOpcodes.cpp:
2780         (JSC::JIT::emit_op_catch):
2781         * jit/JITOpcodes32_64.cpp:
2782         (JSC::JIT::emit_op_catch): Use a constant. It removes our dependency
2783         on JITStackFrame. It is also faster and simpler.
2784
2785 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2786
2787         Eliminate emitGetJITStubArg() - dead code
2788         https://bugs.webkit.org/show_bug.cgi?id=122975
2789
2790         Reviewed by Anders Carlsson.
2791
2792         * jit/JIT.h:
2793         * jit/JITInlines.h: Removed unused, deprecated function.
2794
2795 2013-10-17  Mark Lam  <mark.lam@apple.com>
2796
2797         Eliminate all ASSERT references to OBJECT_OFFSETOF(struct JITStackFrame,...) in JITStubsXXX.h.
2798         https://bugs.webkit.org/show_bug.cgi?id=122979.
2799
2800         Reviewed by Michael Saboff.
2801
2802         * jit/JITStubs.cpp:
2803         * jit/JITStubs.h:
2804         * jit/JITStubsARM.h:
2805         * jit/JITStubsARM64.h:
2806         * jit/JITStubsARMv7.h:
2807         * jit/JITStubsMIPS.h:
2808         * jit/JITStubsSH4.h:
2809         * jit/JITStubsX86.h:
2810         * jit/JITStubsX86_64.h:
2811         * runtime/VM.cpp:
2812         (JSC::VM::VM):
2813
2814 2013-10-17  Michael Saboff  <msaboff@apple.com>
2815
2816         Remove saving callFrameRegister to JITStackFrame in JITCompiler::compileFunction()
2817         https://bugs.webkit.org/show_bug.cgi?id=122974
2818
2819         Reviewed by Geoffrey Garen.
2820
2821         Eliminated unneeded storing to JITStackFrame.
2822
2823         * dfg/DFGJITCompiler.cpp:
2824         (JSC::DFG::JITCompiler::compileFunction):
2825
2826 2013-10-17  Michael Saboff  <msaboff@apple.com>
2827
2828         Transition cti_op_throw and cti_vm_throw to a JIT operation
2829         https://bugs.webkit.org/show_bug.cgi?id=122931
2830
2831         Reviewed by Filip Pizlo.
2832
2833         Moved cti_op_throw to operationThrow.  Made the caller responsible for jumping to the
2834         catch handler.  Eliminated cti_op_throw_static_error, cti_vm_throw, ctiVMThrowTrampoline()
2835         and their callers as it is now dead code.  There is some work needed on the Microsoft X86
2836         callOperation to handle the need to provide space for a structure return value.
2837
2838         * jit/JIT.h:
2839         * jit/JITInlines.h:
2840         (JSC::JIT::callOperation):
2841         * jit/JITOpcodes.cpp:
2842         (JSC::JIT::emit_op_throw):
2843         * jit/JITOpcodes32_64.cpp:
2844         (JSC::JIT::emit_op_throw):
2845         (JSC::JIT::emit_op_catch):
2846         * jit/JITOperations.cpp:
2847         * jit/JITOperations.h:
2848         * jit/JITStubs.cpp:
2849         * jit/JITStubs.h:
2850         * jit/JITStubsARM.h:
2851         * jit/JITStubsARM64.h:
2852         * jit/JITStubsARMv7.h:
2853         * jit/JITStubsMIPS.h:
2854         * jit/JITStubsMSVC64.asm:
2855         * jit/JITStubsSH4.h:
2856         * jit/JITStubsX86.h:
2857         * jit/JITStubsX86_64.h:
2858         * jit/JSInterfaceJIT.h:
2859
2860 2013-10-17  Mark Lam  <mark.lam@apple.com>
2861
2862         Remove JITStackFrame references in the C Loop LLINT.
2863         https://bugs.webkit.org/show_bug.cgi?id=122950.
2864
2865         Reviewed by Michael Saboff.
2866
2867         * jit/JITStubs.h:
2868         * llint/LowLevelInterpreter.cpp:
2869         (JSC::CLoop::execute):
2870         * offlineasm/cloop.rb:
2871
2872 2013-10-17  Mark Lam  <mark.lam@apple.com>
2873
2874         Remove JITStackFrame references in JIT probes.
2875         https://bugs.webkit.org/show_bug.cgi?id=122947.
2876
2877         Reviewed by Michael Saboff.
2878
2879         * assembler/MacroAssemblerARM.cpp:
2880         (JSC::MacroAssemblerARM::ProbeContext::dump):
2881         * assembler/MacroAssemblerARM.h:
2882         * assembler/MacroAssemblerARMv7.cpp:
2883         (JSC::MacroAssemblerARMv7::ProbeContext::dump):
2884         * assembler/MacroAssemblerARMv7.h:
2885         * assembler/MacroAssemblerX86Common.cpp:
2886         (JSC::MacroAssemblerX86Common::ProbeContext::dump):
2887         * assembler/MacroAssemblerX86Common.h:
2888         * jit/JITStubsARM.h:
2889         * jit/JITStubsARMv7.h:
2890         * jit/JITStubsX86.h:
2891         * jit/JITStubsX86Common.h:
2892         * jit/JITStubsX86_64.h:
2893
2894 2013-10-17  Julien Brianceau  <jbriance@cisco.com>
2895
2896         Fix build when NUMBER_OF_ARGUMENT_REGISTERS == 4.
2897         https://bugs.webkit.org/show_bug.cgi?id=122949
2898
2899         Reviewed by Andreas Kling.
2900
2901         * jit/CCallHelpers.h:
2902         (JSC::CCallHelpers::setupArgumentsWithExecState):
2903
2904 2013-10-16  Mark Lam  <mark.lam@apple.com>
2905
2906         Transition remaining op_get* JITStubs to JIT operations.
2907         https://bugs.webkit.org/show_bug.cgi?id=122925.
2908
2909         Reviewed by Geoffrey Garen.
2910
2911         Transitioning:
2912             cti_op_get_by_id_generic
2913             cti_op_get_by_val
2914             cti_op_get_by_val_generic
2915             cti_op_get_by_val_string
2916
2917         * dfg/DFGOperations.cpp:
2918         * dfg/DFGOperations.h:
2919         * jit/JIT.h:
2920         * jit/JITInlines.h:
2921         (JSC::JIT::callOperation):
2922         * jit/JITOpcodes.cpp:
2923         (JSC::JIT::emitSlow_op_get_arguments_length):
2924         (JSC::JIT::emitSlow_op_get_argument_by_val):
2925         * jit/JITOpcodes32_64.cpp:
2926         (JSC::JIT::emitSlow_op_get_arguments_length):
2927         (JSC::JIT::emitSlow_op_get_argument_by_val):
2928         * jit/JITOperations.cpp:
2929         * jit/JITOperations.h:
2930         * jit/JITPropertyAccess.cpp:
2931         (JSC::JIT::emitSlow_op_get_by_val):
2932         (JSC::JIT::emitSlow_op_get_by_pname):
2933         (JSC::JIT::privateCompileGetByVal):
2934         * jit/JITPropertyAccess32_64.cpp:
2935         (JSC::JIT::emitSlow_op_get_by_val):
2936         (JSC::JIT::emitSlow_op_get_by_pname):
2937         * jit/JITStubs.cpp:
2938         * jit/JITStubs.h:
2939         * runtime/Executable.cpp:
2940         (JSC::setupLLInt): Added some UNUSED_PARAMs to fix the no LLINT build.
2941         * runtime/Options.cpp:
2942         (JSC::Options::initialize):
2943
2944 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2945
2946         Introduce WTF::Bag and start using it for InlineCallFrameSet
2947         https://bugs.webkit.org/show_bug.cgi?id=122941
2948
2949         Reviewed by Geoffrey Garen.
2950         
2951         Use Bag for InlineCallFrameSet. If this works out then I'll make other
2952         SegmentedVectors into Bags as well.
2953
2954         * bytecode/InlineCallFrameSet.cpp:
2955         (JSC::InlineCallFrameSet::add):
2956         * bytecode/InlineCallFrameSet.h:
2957         (JSC::InlineCallFrameSet::begin):
2958         (JSC::InlineCallFrameSet::end):
2959         * dfg/DFGArgumentsSimplificationPhase.cpp:
2960         (JSC::DFG::ArgumentsSimplificationPhase::run):
2961         * dfg/DFGJITCompiler.cpp:
2962         (JSC::DFG::JITCompiler::link):
2963         * dfg/DFGStackLayoutPhase.cpp:
2964         (JSC::DFG::StackLayoutPhase::run):
2965         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
2966         (JSC::DFG::VirtualRegisterAllocationPhase::run):
2967
2968 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2969
2970         libllvmForJSC shouldn't call exit(1) on report_fatal_error()
2971         https://bugs.webkit.org/show_bug.cgi?id=122905
2972         <rdar://problem/15237856>
2973
2974         Reviewed by Michael Saboff.
2975         
2976         Expose the new LLVMInstallFatalErrorHandler() API through the soft linking magic and
2977         then always call it to install something that calls CRASH().
2978
2979         * llvm/InitializeLLVM.cpp:
2980         (JSC::llvmCrash):
2981         (JSC::initializeLLVMOnce):
2982         (JSC::initializeLLVM):
2983         * llvm/LLVMAPIFunctions.h:
2984
2985 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2986
2987         Prototype chain repatching in the polymorphic case fails to check if the receiver is a dictionary
2988         https://bugs.webkit.org/show_bug.cgi?id=122938
2989
2990         Reviewed by Sam Weinig.
2991         
2992         This fixes jsc-layout-tests.yaml/js/script-tests/dictionary-prototype-caching.js.layout-no-llint.
2993
2994         * jit/Repatch.cpp:
2995         (JSC::tryBuildGetByIDList):
2996
2997 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2998
2999         JIT::appendCall() needs to killLastResultRegister() or equivalent since there's some really bad code that expects it
3000         https://bugs.webkit.org/show_bug.cgi?id=122937
3001
3002         Reviewed by Geoffrey Garen.
3003         
3004         JITStubCall used to do it.
3005         
3006         This makes mozilla-tests.yaml/ecma/Statements/12.10-1.js.mozilla-baseline pass.
3007
3008         * jit/JIT.h:
3009         (JSC::JIT::appendCall):
3010
3011 2013-10-16  Michael Saboff  <msaboff@apple.com>
3012
3013         transition void cti_op_put_by_val* stubs to JIT operations
3014         https://bugs.webkit.org/show_bug.cgi?id=122903
3015
3016         Reviewed by Geoffrey Garen.
3017
3018         Transitioned cti_op_put_by_val and cti_op_put_by_val_generic to operationPutByVal and
3019         operationPutByValGeneric.
3020
3021         * jit/CCallHelpers.h:
3022         (JSC::CCallHelpers::setupArgumentsWithExecState):
3023         * jit/JIT.h:
3024         * jit/JITInlines.h:
3025         (JSC::JIT::callOperation):
3026         * jit/JITOperations.cpp:
3027         * jit/JITOperations.h:
3028         * jit/JITPropertyAccess.cpp:
3029         (JSC::JIT::emitSlow_op_put_by_val):
3030         (JSC::JIT::privateCompilePutByVal):
3031         * jit/JITPropertyAccess32_64.cpp:
3032         (JSC::JIT::emitSlow_op_put_by_val):
3033         * jit/JITStubs.cpp:
3034         * jit/JITStubs.h:
3035         * jit/JSInterfaceJIT.h:
3036
3037 2013-10-16  Oliver Hunt  <oliver@apple.com>
3038
3039         Implement ES6 spread operator
3040         https://bugs.webkit.org/show_bug.cgi?id=122911
3041
3042         Reviewed by Michael Saboff.
3043
3044         Implement the ES6 spread operator
3045
3046         This has a little bit of refactoring to move the enumeration logic out of ForOfNode
3047         and into BytecodeGenerator, and then adds the logic to make it nicely callback
3048         driven.
3049
3050         The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
3051         and actually handling the spread.
3052
3053         * bytecompiler/BytecodeGenerator.cpp:
3054         (JSC::BytecodeGenerator::emitNewArray):
3055         (JSC::BytecodeGenerator::emitCall):
3056         (JSC::BytecodeGenerator::emitEnumeration):
3057         * bytecompiler/BytecodeGenerator.h:
3058         * bytecompiler/NodesCodegen.cpp:
3059         (JSC::ArrayNode::emitBytecode):
3060         (JSC::ForOfNode::emitBytecode):
3061         (JSC::SpreadExpressionNode::emitBytecode):
3062         * parser/ASTBuilder.h:
3063         (JSC::ASTBuilder::createSpreadExpression):
3064         * parser/Lexer.cpp:
3065         (JSC::::lex):
3066         * parser/NodeConstructors.h:
3067         (JSC::SpreadExpressionNode::SpreadExpressionNode):
3068         * parser/Nodes.h:
3069         (JSC::ExpressionNode::isSpreadExpression):
3070         (JSC::SpreadExpressionNode::expression):
3071         * parser/Parser.cpp:
3072         (JSC::::parseArrayLiteral):
3073         (JSC::::parseArguments):
3074         (JSC::::parseMemberExpression):
3075         * parser/Parser.h:
3076         (JSC::Parser::getTokenName):
3077         (JSC::Parser::updateErrorMessageSpecialCase):
3078         * parser/ParserTokens.h:
3079         * parser/SyntaxChecker.h:
3080         (JSC::SyntaxChecker::createSpreadExpression):
3081
3082 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
3083
3084         Add a useLLInt option to jsc
3085         https://bugs.webkit.org/show_bug.cgi?id=122930
3086
3087         Reviewed by Geoffrey Garen.
3088
3089         * runtime/Executable.cpp:
3090         (JSC::setupLLInt):
3091         (JSC::setupJIT):
3092         (JSC::ScriptExecutable::prepareForExecutionImpl):
3093         * runtime/Options.h:
3094
3095 2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>
3096
3097         Build fix.
3098
3099         Forgot to svn add DeferGC.cpp
3100
3101         * heap/DeferGC.cpp: Added.
3102
3103 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
3104
3105         r157411 fails run-javascriptcore-tests when run with Baseline JIT
3106         https://bugs.webkit.org/show_bug.cgi?id=122902
3107
3108         Reviewed by Mark Hahnenberg.
3109         
3110         It turns out that this was a long-standing bug in the DFG PutById repatching logic. It's
3111         not legal to patch if the typeInfo tells you that you can't patch. The old JIT's patching
3112         logic did this right, and the DFG's GetById patching logic did it right; but DFG PutById
3113         didn't. Turns out that there's even a helpful method,
3114         Structure::propertyAccessesAreCacheable(), that will even do all of the checks for you!
3115
3116         * jit/Repatch.cpp:
3117         (JSC::tryCachePutByID):
3118
3119 2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>
3120
3121         llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
3122         https://bugs.webkit.org/show_bug.cgi?id=122667
3123
3124         Reviewed by Geoffrey Garen.
3125
3126         The issue this patch is attempting to fix is that there are places in our codebase
3127         where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
3128         operations that can initiate a garbage collection. Garbage collection then calls 
3129         some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
3130         always necessarily run during garbage collection). This causes a deadlock.
3131  
3132         To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores 
3133         into a thread-local field that indicates that it is unsafe to perform any operation 
3134         that could trigger garbage collection on the current thread. In debug builds, 
3135         ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly 
3136         detect deadlocks.
3137  
3138         This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
3139         which uses the DeferGC mechanism to prevent collections from occurring while the 
3140         lock is held.
3141
3142         * CMakeLists.txt:
3143         * GNUmakefile.list.am:
3144         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3145         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3146         * JavaScriptCore.xcodeproj/project.pbxproj:
3147         * heap/DeferGC.h:
3148         (JSC::DisallowGC::DisallowGC):
3149         (JSC::DisallowGC::~DisallowGC):
3150         (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
3151         (JSC::DisallowGC::initialize):
3152         * jit/Repatch.cpp:
3153         (JSC::repatchPutByID):
3154         (JSC::buildPutByIdList):
3155         * llint/LLIntSlowPaths.cpp:
3156         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3157         * runtime/ConcurrentJITLock.h:
3158         (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
3159         (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
3160         (JSC::ConcurrentJITLockerBase::unlockEarly):
3161         (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
3162         (JSC::GCSafeConcurrentJITLocker::~GCSafeConcurrentJITLocker):
3163         (JSC::GCSafeConcurrentJITLocker::NoDefer::NoDefer):
3164         (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
3165         * runtime/InitializeThreading.cpp:
3166         (JSC::initializeThreadingOnce):
3167         * runtime/JSCellInlines.h:
3168         (JSC::allocateCell):
3169         * runtime/JSSymbolTableObject.h:
3170         (JSC::symbolTablePut):
3171         * runtime/Structure.cpp: materializePropertyMapIfNecessary* now has a problem in that it
3172         can start a garbage collection when the GCSafeConcurrentJITLocker goes out of scope, but 
3173         before the caller has a chance to use the newly created PropertyTable. The garbage collection
3174         clears the PropertyTable, and then the caller uses it assuming it's valid. To avoid this,
3175         we must DeferGC until the caller is done getting the newly materialized PropertyTable from 
3176         the Structure.
3177         (JSC::Structure::materializePropertyMap):
3178         (JSC::Structure::despecifyDictionaryFunction):
3179         (JSC::Structure::changePrototypeTransition):
3180         (JSC::Structure::despecifyFunctionTransition):
3181         (JSC::Structure::attributeChangeTransition):
3182         (JSC::Structure::toDictionaryTransition):
3183         (JSC::Structure::preventExtensionsTransition):
3184         (JSC::Structure::takePropertyTableOrCloneIfPinned):
3185         (JSC::Structure::isSealed):
3186         (JSC::Structure::isFrozen):
3187         (JSC::Structure::addPropertyWithoutTransition):
3188         (JSC::Structure::removePropertyWithoutTransition):
3189         (JSC::Structure::get):
3190         (JSC::Structure::despecifyFunction):
3191         (JSC::Structure::despecifyAllFunctions):
3192         (JSC::Structure::putSpecificValue):
3193         (JSC::Structure::createPropertyMap):
3194         (JSC::Structure::getPropertyNamesFromStructure):
3195         * runtime/Structure.h:
3196         (JSC::Structure::materializePropertyMapIfNecessary):
3197         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
3198         * runtime/StructureInlines.h:
3199         (JSC::Structure::get):
3200         * runtime/SymbolTable.h:
3201         (JSC::SymbolTable::find):
3202         (JSC::SymbolTable::end):
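
        Added example (not WebKit's code) of the lock/GC interaction this entry describes:
        a thread-local DisallowGC guard that flags a collection attempted while a
        ConcurrentJITLock-style lock is held, a DeferGC guard that postpones collections,
        and a GC-safe locker built from the two. Heap, its counters, the depth variables and
        the scenario functions are hypothetical stand-ins chosen for the illustration; the
        third scenario shows the Structure.cpp caveat above, where the deferred collection
        fires as soon as the GC-safe locker unwinds unless the caller defers as well.

```cpp
#include <atomic>
#include <mutex>

// Hypothetical thread-local depth counters, modelled on the entry's DisallowGC and
// DeferGC. A positive disallow depth means collecting on this thread would be a bug.
static thread_local int g_disallowDepth = 0;
static thread_local int g_deferDepth = 0;

struct Heap {
    std::mutex codeBlockLock;                  // stands in for a CodeBlock's ConcurrentJITLock
    std::atomic<int> collections{0};           // collections actually run
    std::atomic<int> deferredCollections{0};   // collections postponed by DeferGC
    std::atomic<int> disallowedCollections{0}; // would-be deadlocks caught by DisallowGC

    // Allocation slow path. Returns true if a collection ran right now.
    bool collectIfNeeded() {
        if (g_disallowDepth > 0) {
            ++disallowedCollections; // debug detection: real code would ASSERT here
            return false;
        }
        if (g_deferDepth > 0) {
            ++deferredCollections;   // run later, when the outermost DeferGC unwinds
            return false;
        }
        std::lock_guard<std::mutex> guard(codeBlockLock); // the collector takes this lock
        ++collections;
        return true;
    }
};

// RAII guard: while alive, any attempt to collect on this thread is flagged.
struct DisallowGC {
    DisallowGC() { ++g_disallowDepth; }
    ~DisallowGC() { --g_disallowDepth; }
    static bool isGCDisallowedOnCurrentThread() { return g_disallowDepth > 0; }
};

// RAII guard: while alive, collections are postponed; the last guard out runs them.
struct DeferGC {
    Heap& heap;
    explicit DeferGC(Heap& h) : heap(h) { ++g_deferDepth; }
    ~DeferGC() {
        if (--g_deferDepth == 0 && heap.deferredCollections > 0) {
            heap.deferredCollections = 0;
            heap.collectIfNeeded();
        }
    }
};

// Plain locker: holds the lock plus (as in the entry's debug builds) a DisallowGC,
// so allocating while locked is caught at once instead of deadlocking.
struct ConcurrentJITLocker {
    std::unique_lock<std::mutex> lock;
    DisallowGC noGC;
    explicit ConcurrentJITLocker(Heap& h) : lock(h.codeBlockLock) {}
};

// GC-safe locker: DeferGC is declared first so it is destroyed last, i.e. the lock
// is already released when the postponed collection runs and takes it.
struct GCSafeConcurrentJITLocker {
    DeferGC defer;
    std::unique_lock<std::mutex> lock;
    explicit GCSafeConcurrentJITLocker(Heap& h) : defer(h), lock(h.codeBlockLock) {}
};

// The bug: allocating under the plain lock. Returns would-be deadlocks caught; expect 1.
int scenarioDeadlockDetected() {
    Heap heap;
    {
        ConcurrentJITLocker locker(heap);
        heap.collectIfNeeded();
    }
    return heap.disallowedCollections;
}

// The fix: the GC-safe locker defers the collection until unlock. Returns collections run; expect 1.
int scenarioGCSafe() {
    Heap heap;
    {
        GCSafeConcurrentJITLocker locker(heap);
        heap.collectIfNeeded();
        if (heap.collections != 0) return -1; // must not collect while locked
    }
    return heap.collections;
}

// The Structure.cpp caveat: an outer DeferGC in the caller keeps the postponed GC from
// firing the moment the GC-safe locker unwinds. Returns the count seen right after the
// inner scope; expect 0, with exactly one collection once the outer guard unwinds.
int scenarioCallerDefers() {
    Heap heap;
    int seen = -1;
    {
        DeferGC callerDefer(heap);
        {
            GCSafeConcurrentJITLocker locker(heap);
            heap.collectIfNeeded();
        }
        seen = heap.collections;
    }
    return heap.collections == 1 ? seen : -1;
}
```

        The member order in GCSafeConcurrentJITLocker is the whole point: the lock is a
        later member than the DeferGC, so it is released before the DeferGC destructor
        runs the postponed collection, which is what lets the collector take the same
        lock without deadlocking.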
3203
3204 2013-10-16  Daniel Bates  <dabates@apple.com>
3205
3206         Add SPI to disable the garbage collector timer
3207         https://bugs.webkit.org/show_bug.cgi?id=122921
3208
3209         Reviewed by Geoffrey Garen.
3210
3211         Based on a patch by Mark Hahnenberg.
3212
3213         * API/JSBase.cpp:
3214         (JSDisableGCTimer): Added; SPI function.
3215         * API/JSBasePrivate.h:
3216         * heap/BlockAllocator.cpp:
3217         (JSC::createBlockFreeingThread): Added.
3218         (JSC::BlockAllocator::BlockAllocator): Modified to use JSC::createBlockFreeingThread()
3219         to conditionally create the "block freeing" thread depending on the value of
3220         GCActivityCallback::s_shouldCreateGCTimer.
3221         (JSC::BlockAllocator::~BlockAllocator):
3222         * heap/BlockAllocator.h:
3223         (JSC::BlockAllocator::deallocate):
3224         * heap/Heap.cpp:
3225         (JSC::Heap::didAbandon):
3226         (JSC::Heap::collect):
3227         (JSC::Heap::didAllocate):
3228         * heap/HeapTimer.cpp:
3229         (JSC::HeapTimer::timerDidFire):
3230         * runtime/GCActivityCallback.cpp:
3231         * runtime/GCActivityCallback.h:
3232         (JSC::DefaultGCActivityCallback::create): Only instantiate a DefaultGCActivityCallback object
3233         when GCActivityCallback::s_shouldCreateGCTimer is true so as to prevent allocating a HeapTimer
3234         object (since DefaultGCActivityCallback ultimately extends HeapTimer).
3235
3236 2013-10-16  Commit Queue  <commit-queue@webkit.org>
3237
3238         Unreviewed, rolling out r157529.
3239         http://trac.webkit.org/changeset/157529
3240         https://bugs.webkit.org/show_bug.cgi?id=122919
3241
3242         Caused score test failures and some build failures. (Requested
3243         by rfong on #webkit).
3244
3245         * bytecompiler/BytecodeGenerator.cpp:
3246         (JSC::BytecodeGenerator::emitNewArray):
3247         (JSC::BytecodeGenerator::emitCall):
3248         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
3249         * bytecompiler/BytecodeGenerator.h:
3250         * bytecompiler/NodesCodegen.cpp:
3251         (JSC::ArrayNode::emitBytecode):
3252         (JSC::CallArguments::CallArguments):
3253         (JSC::ForOfNode::emitBytecode):
3254         (JSC::BindingNode::collectBoundIdentifiers):
3255         * parser/ASTBuilder.h:
3256         * parser/Lexer.cpp:
3257         (JSC::::lex):
3258         * parser/NodeConstructors.h:
3259         (JSC::DotAccessorNode::DotAccessorNode):
3260         * parser/Nodes.h:
3261         * parser/Parser.cpp:
3262         (JSC::::parseArrayLiteral):
3263         (JSC::::parseArguments):
3264         (JSC::::parseMemberExpression):
3265         * parser/Parser.h:
3266         (JSC::Parser::getTokenName):
3267         (JSC::Parser::updateErrorMessageSpecialCase):
3268         * parser/ParserTokens.h:
3269         * parser/SyntaxChecker.h:
3270
3271 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
3272
3273         Remove useless architecture specific implementation in DFG.
3274         https://bugs.webkit.org/show_bug.cgi?id=122917.
3275
3276         Reviewed by Michael Saboff.
3277
3278         With CPU(ARM) && CPU(ARM_HARDFP) architecture, the fallback implementation is fine
3279         as FPRInfo::argumentFPR0 == FPRInfo::returnValueFPR in this case.
3280
3281         * dfg/DFGSpeculativeJIT.h:
3282
3283 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
3284
3285         Remove unused JIT::restoreArgumentReferenceForTrampoline function.
3286         https://bugs.webkit.org/show_bug.cgi?id=122916.
3287
3288         Reviewed by Michael Saboff.
3289
3290         This architecture specific function is not used anymore, so get rid of it.
3291
3292         * jit/JIT.h:
3293         * jit/JITInlines.h:
3294
3295 2013-10-16  Oliver Hunt  <oliver@apple.com>
3296
3297         Implement ES6 spread operator
3298         https://bugs.webkit.org/show_bug.cgi?id=122911
3299
3300         Reviewed by Michael Saboff.
3301
3302         Implement the ES6 spread operator
3303
3304         This has a little bit of refactoring to move the enumeration logic out of ForOfNode
3305         and into BytecodeGenerator, and then adds the logic to make it nicely callback
3306         driven.
3307
3308         The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
3309         and actually handling the spread.
3310
3311         * bytecompiler/BytecodeGenerator.cpp:
3312         (JSC::BytecodeGenerator::emitNewArray):
3313         (JSC::BytecodeGenerator::emitCall):
3314         (JSC::BytecodeGenerator::emitEnumeration):
3315         * bytecompiler/BytecodeGenerator.h:
3316         * bytecompiler/NodesCodegen.cpp:
3317         (JSC::ArrayNode::emitBytecode):
3318         (JSC::ForOfNode::emitBytecode):
3319         (JSC::SpreadExpressionNode::emitBytecode):
3320         * parser/ASTBuilder.h:
3321         (JSC::ASTBuilder::createSpreadExpression):
3322         * parser/Lexer.cpp:
3323         (JSC::::lex):
3324         * parser/NodeConstructors.h:
3325         (JSC::SpreadExpressionNode::SpreadExpressionNode):
3326         * parser/Nodes.h:
3327         (JSC::ExpressionNode::isSpreadExpression):
3328         (JSC::SpreadExpressionNode::expression):
3329         * parser/Parser.cpp:
3330         (JSC::::parseArrayLiteral):
3331         (JSC::::parseArguments):
3332         (JSC::::parseMemberExpression):
3333         * parser/Parser.h:
3334         (JSC::Parser::getTokenName):
3335         (JSC::Parser::updateErrorMessageSpecialCase):
3336         * parser/ParserTokens.h:
3337         * parser/SyntaxChecker.h:
3338         (JSC::SyntaxChecker::createSpreadExpression):
3339
3340 2013-10-16  Mark Lam  <mark.lam@apple.com>
3341
3342         Transition void cti_op_tear_off* methods to JIT operations for 32 bit.
3343         https://bugs.webkit.org/show_bug.cgi?id=122899.
3344
3345         Reviewed by Michael Saboff.
3346
3347         * jit/JITOpcodes32_64.cpp:
3348         (JSC::JIT::emit_op_tear_off_activation):
3349         (JSC::JIT::emit_op_tear_off_arguments):
3350         * jit/JITStubs.cpp:
3351         * jit/JITStubs.h:
3352
3353 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
3354
3355         Remove more of the UNINTERRUPTED_SEQUENCE thing
3356         https://bugs.webkit.org/show_bug.cgi?id=122885
3357
3358         Reviewed by Andreas Kling.
3359
3360         It was not completely removed by r157481, leading to build failure for sh4 architecture.
3361
3362         * jit/JIT.h:
3363         * jit/JITInlines.h:
3364
3365 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
3366
3367         Get rid of the StructureStubInfo::patch union
3368         https://bugs.webkit.org/show_bug.cgi?id=122877
3369
3370         Reviewed by Sam Weinig.
3371         
3372         Just simplifying code by getting rid of data structures that ain't used no more.
3373         
3374         Note that I replace the patch union with a patch struct. This means we say things like
3375         stubInfo.patch.valueGPR instead of stubInfo.valueGPR. I think that this extra
3376         encapsulation makes the code more readable: the patch struct contains just those things
3377         that you need to know to perform patching.
3378
3379         * bytecode/StructureStubInfo.h:
3380         * dfg/DFGJITCompiler.cpp:
3381         (JSC::DFG::JITCompiler::link):
3382         * jit/JIT.cpp:
3383         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
3384         * jit/Repatch.cpp:
3385         (JSC::repatchByIdSelfAccess):
3386         (JSC::replaceWithJump):
3387         (JSC::linkRestoreScratch):
3388         (JSC::generateProtoChainAccessStub):
3389         (JSC::tryCacheGetByID):
3390         (JSC::getPolymorphicStructureList):
3391         (JSC::patchJumpToGetByIdStub):
3392         (JSC::tryBuildGetByIDList):
3393         (JSC::emitPutReplaceStub):
3394         (JSC::emitPutTransitionStub):
3395         (JSC::tryCachePutByID):
3396         (JSC::tryBuildPutByIdList):
3397         (JSC::tryRepatchIn):
3398         (JSC::resetGetByID):
3399         (JSC::resetPutByID):
3400         (JSC::resetIn):
3401
3402 2013-10-15  Nadav Rotem  <nrotem@apple.com>
3403
3404         FTL: add support for Int52ToValue and fix putByVal of int52s.
3405         https://bugs.webkit.org/show_bug.cgi?id=122873
3406
3407         Reviewed by Filip Pizlo.
3408
3409         * ftl/FTLCapabilities.cpp:
3410         (JSC::FTL::canCompile):
3411         * ftl/FTLLowerDFGToLLVM.cpp:
3412         (JSC::FTL::LowerDFGToLLVM::compileNode):
3413         (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue):
3414         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
3415
3416 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
3417
3418         Get rid of the UNINTERRUPTED_SEQUENCE thing
3419         https://bugs.webkit.org/show_bug.cgi?id=122876
3420
3421         Reviewed by Mark Hahnenberg.
3422         
3423         It doesn't make sense anymore. We now use the DFG's IC logic, which never needed that.
3424         
3425         Moreover, we should resist the temptation to bring anything like this back. We don't
3426         want to have inline caches that only work if the assembler lays out code in a specific
3427         predetermined way.