82f71e5c4968a33fb860207349d484c0898f532d
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-02-16  Filip Pizlo  <fpizlo@apple.com>

        FTL OSR exit shouldn't make X86-specific assumptions
        https://bugs.webkit.org/show_bug.cgi?id=128890

        Reviewed by Mark Hahnenberg.

        Mostly this is about not using push/pop, but instead using the more abstract pushToSave() and popToRestore() while reflecting on the stack alignment.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::pushToSaveImmediateWithoutTouchingRegisters):
        (JSC::MacroAssembler::pushToSaveByteOffset):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):
        (JSC::MacroAssemblerARM64::pushToSaveByteOffset):
        * ftl/FTLExitThunkGenerator.cpp:
        (JSC::FTL::ExitThunkGenerator::emitThunk):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::osrExitGenerationThunkGenerator):

2014-02-17  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, make this test pass without DFG. It was assuming that you always have DFG
        and that it would always tier-up to the DFG - both wrong assumptions.

        * tests/stress/tricky-array-bounds-checks.js:
        (foo):

2014-02-17  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        Fix the CLoop build after r163760
        https://bugs.webkit.org/show_bug.cgi?id=128900

        Reviewed by Csaba Osztrogonác.

        * llint/LLIntThunks.cpp:

2014-02-17  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        CLoop build fix after r164207
        https://bugs.webkit.org/show_bug.cgi?id=128899

        Reviewed by Csaba Osztrogonác.

        * dfg/DFGCommon.h:
        (JSC::DFG::shouldShowDisassembly):

2014-02-16  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, 32-bit build fix.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::lshiftPtr):

2014-02-15  Filip Pizlo  <fpizlo@apple.com>

        FTL should inline polymorphic heap accesses
        https://bugs.webkit.org/show_bug.cgi?id=128795

        Reviewed by Oliver Hunt.

        We now inline GetByIds that we know are pure but polymorphic. They manifest in DFG IR
        as MultiGetByOffset, and in LLVM IR as a switch with a basic block for each kind of
        read.

        2% speed-up on Octane mostly due to an 18% speed-up on deltablue.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/ExitingJITType.cpp: Added.
        (WTF::printInternal):
        * bytecode/ExitingJITType.h:
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC::GetByIdStatus::computeForChain):
        (JSC::GetByIdStatus::computeForStubInfo):
        (JSC::GetByIdStatus::computeFor):
        (JSC::GetByIdStatus::dump):
        * bytecode/GetByIdStatus.h:
        (JSC::GetByIdStatus::GetByIdStatus):
        (JSC::GetByIdStatus::numVariants):
        (JSC::GetByIdStatus::variants):
        (JSC::GetByIdStatus::at):
        (JSC::GetByIdStatus::operator[]):
        * bytecode/GetByIdVariant.cpp: Added.
        (JSC::GetByIdVariant::dump):
        (JSC::GetByIdVariant::dumpInContext):
        * bytecode/GetByIdVariant.h: Added.
        (JSC::GetByIdVariant::GetByIdVariant):
        (JSC::GetByIdVariant::isSet):
        (JSC::GetByIdVariant::operator!):
        (JSC::GetByIdVariant::structureSet):
        (JSC::GetByIdVariant::chain):
        (JSC::GetByIdVariant::specificValue):
        (JSC::GetByIdVariant::offset):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        (JSC::DFG::verboseCompilationEnabled):
        (JSC::DFG::logCompilationChanges):
        (JSC::DFG::shouldShowDisassembly):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::convertToConstant):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToGetByOffset):
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::hasMultiGetByOffsetData):
        (JSC::DFG::Node::multiGetByOffsetData):
        * dfg/DFGNodeType.h:
        * dfg/DFGPhase.h:
        (JSC::DFG::Phase::graph):
        (JSC::DFG::runAndLog):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::dumpAndVerifyGraph):
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        (JSC::FTL::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
        * ftl/FTLState.h:
        (JSC::FTL::verboseCompilationEnabled):
        (JSC::FTL::showDisassembly):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionEffectful42):
        * runtime/IntendedStructureChain.cpp:
        (JSC::IntendedStructureChain::dump):
        (JSC::IntendedStructureChain::dumpInContext):
        * runtime/IntendedStructureChain.h:
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:
        * tests/stress/fold-multi-get-by-offset-to-get-by-offset-with-watchpoint.js: Added.
        (foo):
        (bar):
        * tests/stress/fold-multi-get-by-offset-to-get-by-offset.js: Added.
        (foo):
        (bar):
        * tests/stress/multi-get-by-offset-proto-and-self.js: Added.
        (foo):
        (Foo):

2014-02-16  Filip Pizlo  <fpizlo@apple.com>

        DFG::prepareOSREntry should be nice to the stack
        https://bugs.webkit.org/show_bug.cgi?id=128883

        Reviewed by Oliver Hunt.

        Previously OSR entry had some FIXME's and some really badly commented-out code for
        clearing stack entries to help GC. It also did some permutations on a stack frame
        above us, in such a way that it wasn't obvious that we wouldn't clobber our own
        stack frame. This function also crashed in ASan.

        It just seems like there was too much badness to the whole idea of prepareOSREntry
        directly editing the stack. So, I changed it to create a stack frame in a scratch
        buffer on the side and then have some assembly code just copy it into place. This
        works fine, fixes a FIXME, possibly fixes some stack clobbering, and might help us
        make more progress with ASan.

        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSREntry.h:
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrEntryThunkGenerator):
        * dfg/DFGThunks.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOperations.cpp:

2014-02-15  Filip Pizlo  <fpizlo@apple.com>

        Vector with inline capacity should work with non-PODs
        https://bugs.webkit.org/show_bug.cgi?id=128864

        Reviewed by Michael Saboff.

        Deques no longer have inline capacity because it was broken, and we didn't need it
        here anyway.

        * dfg/DFGWorklist.h:

2014-02-15  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out r164166.

        This broke three unique tests:

        ** The following JSC stress test failures have been introduced:
            regress/script-tests/variadic-closure-call.js.default-ftl
            regress/script-tests/variadic-closure-call.js.ftl-no-cjit-validate
            regress/script-tests/variadic-closure-call.js.ftl-no-cjit-osr-validation
            regress/script-tests/variadic-closure-call.js.ftl-eager
            regress/script-tests/variadic-closure-call.js.ftl-eager-no-cjit
            regress/script-tests/variadic-closure-call.js.ftl-eager-no-cjit-osr-validation
            jsc-layout-tests.yaml/js/script-tests/unmatching-argument-count.js.layout-ftl-eager-no-cjit
            regress/script-tests/direct-arguments-getbyval.js.ftl-eager-no-cjit
            regress/script-tests/direct-arguments-getbyval.js.ftl-eager-no-cjit-osr-validation

        * bytecode/PolymorphicAccessStructureList.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        * tests/stress/ftl-getbyval-arguments.js:

2014-02-15  Matthew Mirman  <mmirman@apple.com>

        Added GetMyArgumentByVal to FTL
        https://bugs.webkit.org/show_bug.cgi?id=128850

        Reviewed by Filip Pizlo.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
        * tests/stress/ftl-getbyval-arguments.js: Added.
        (foo):

2014-02-15  peavo@outlook.com  <peavo@outlook.com>

        [Win] LLINT is not working.
        https://bugs.webkit.org/show_bug.cgi?id=128115

        Reviewed by Mark Lam.

        This patch will generate assembly code with Intel syntax, which can be processed by the Microsoft assembler (MASM).
        By creating an asm file instead of a header file with inline assembly, we can support 64-bit.
        Only 32-bit compilation has been tested, not 64-bit.
        The aim of this patch is to get LLINT up and running on Windows.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added new files, and generated asm file.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
        * LLIntAssembly/build-LLIntAssembly.sh: Generate dummy asm file in case we're using C backend.
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor): Compile fix when DFG is disabled.
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor): Ditto.
        * bytecode/GetByIdStatus.h: Ditto.
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor): Ditto.
        * bytecode/PutByIdStatus.h: Ditto.
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize): Compile fix.
        * llint/LLIntSlowPaths.h: Added llint_crash function.
        * llint/LLIntSlowPaths.cpp: Ditto.
        * llint/LowLevelInterpreter.cpp: Disable code for Windows.
        * llint/LowLevelInterpreter.asm: Remove instruction which generates incorrect assembly code on Windows (MOV 0xbbadbeef, register), call llint_crash instead.
        Make local labels visible to MASM on Windows.
        * llint/LowLevelInterpreter32_64.asm: Make local labels visible to MASM on Windows.
        * offlineasm/asm.rb: Generate asm file with Intel assembly syntax.
        * offlineasm/settings.rb: Ditto.
        * offlineasm/x86.rb: Ditto.

2014-02-14  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: CRASH when debugger closes while paused and remote inspecting a JSContext
        https://bugs.webkit.org/show_bug.cgi?id=127757

        Reviewed by Timothy Hatcher.

        The problem was that the lifetime of the InspectorController and all agents
        was tied to the remote inspector session. So, if a remote inspector was
        disconnected while in the nested run loop, everything would get torn
        down and when execution continued out of the nested runloop we would be
        back in the original call stack of destroyed objects.

        This patch changes the lifetime of the InspectorController and agents to
        the JSGlobalObject. This way the agents are always alive, just the
        frontend and backend channels are destroyed and recreated each remote
        inspector session. This matches the agent lifetime for WebCore agents.
        We can also later take advantage of the agents being alive before
        and between inspector debug sessions to stash exception messages to
        pass on to a debugger if a debugger is connected later.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        Cleaner initialization of agents. Easier to follow.

        (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
        Move InjectedScript disconnection only once the global object is destroyed.
        This way if a developer has attached once and included an injected script,
        we will keep it around with any state it might want to remember until
        the global object is destroyed.

        (Inspector::JSGlobalObjectInspectorController::globalObjectDestroyed):
        Disconnect agents and injected scripts when the global object is destroyed.

        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::disconnect):
        Now that the injected script manager is reused between remote
        inspector sessions, don't clear the pointer on disconnect calls.
        We now only call this once when the global object is getting
        destroyed anyways so it doesn't matter. But if we wanted to call
        disconnect multiple times, e.g. once per session, we could.

        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::dispatchFunctionToListeners):
        If the only listener was removed during the nested runloop, then when
        we dispatch an event after the nested runloop the listener list will
        be empty. Instead of asserting, just pass by an empty list.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::inspectorController):
        Tie the inspector controller lifetime to the JSGlobalObject.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::~JSGlobalObject):
        (JSC::JSGlobalObject::init):
        Create the inspector controller, and eagerly signal teardown
        in destruction.

        * runtime/JSGlobalObjectDebuggable.h:
        * runtime/JSGlobalObjectDebuggable.cpp:
        (JSC::JSGlobalObjectDebuggable::connect):
        (JSC::JSGlobalObjectDebuggable::disconnect):
        (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
        Simplify by using the inspector controller on JSGlobalObject.

2014-02-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        -[JSManagedValue value] needs to be protected by the API lock
        https://bugs.webkit.org/show_bug.cgi?id=128857

        Reviewed by Mark Lam.

        * API/APICast.h:
        (toRef): Added an ASSERT so that we can detect these sorts of errors earlier. On 32-bit, toRef
        can allocate objects so we need to be holding the lock.
        * API/APIShims.h: Removed outdated comments.
        * API/JSManagedValue.mm: Added RefPtr<JSLock> to JSManagedValue.
        (-[JSManagedValue initWithValue:]): Initialize the m_lock field.
        (-[JSManagedValue value]): Lock the JSLock, check the VM*, return nil if invalid, take the APIEntryShim otherwise.
        * runtime/JSLock.cpp: Bug fix in JSLock. We were assuming that the VM was always non-null in JSLock::lock.
        (JSC::JSLock::lock):

2014-02-14  Oliver Hunt  <oliver@apple.com>

        Implement a few more Array prototype functions in JS
        https://bugs.webkit.org/show_bug.cgi?id=128788

        Reviewed by Gavin Barraclough.

        Remove a pile of awful C++, and rewrite in simple JS.

        Needed to make a few other changes to get builtins' behavior
        to more accurately match a host function's.

        * builtins/Array.prototype.js:
        (every):
        (forEach):
        (filter):
        (map):
        (some):
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::BuiltinExecutables):
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitPutByVal):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitExpressionInfo):
        * interpreter/Interpreter.cpp:
        (JSC::GetStackTraceFunctor::operator()):
        * parser/Nodes.h:
        (JSC::FunctionBodyNode::overrideName):
        * profiler/LegacyProfiler.cpp:
        (JSC::createCallIdentifierFromFunctionImp):
        * runtime/ArrayPrototype.cpp:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::deleteProperty):
        * runtime/JSFunction.h:

2014-02-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        ASSERT(isValidAllocation(bytes)) when ObjC API creates custom errors
        https://bugs.webkit.org/show_bug.cgi?id=128840

        Reviewed by Joseph Pecoraro.

        We need to add APIEntryShims around places where we allocate errors in JSC.
        Also converted some of the createTypeError call sites to use ASCIILiteral.

        * API/JSValue.mm:
        (valueToArray):
        (valueToDictionary):
        * API/ObjCCallbackFunction.mm:
        (JSC::objCCallbackFunctionCallAsConstructor):
        (JSC::ObjCCallbackFunctionImpl::call):
        * API/tests/testapi.mm:

2014-02-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        Baseline JIT should have a fast path to bypass the write barrier on op_enter
        https://bugs.webkit.org/show_bug.cgi?id=128832

        Reviewed by Filip Pizlo.

        * jit/JIT.h: Removed some random commented out functions.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_enter):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitWriteBarrier):

2014-02-14  Filip Pizlo  <fpizlo@apple.com>

        Don't optimize variadic closure calls
        https://bugs.webkit.org/show_bug.cgi?id=128835

        Reviewed by Gavin Barraclough.

        Re-add the check that had been in JITStubs.cpp, back in the day. This code came
        from the DFG and the DFG didn't need these checks.

        * jit/JITOperations.cpp:

2014-02-14  David Kilzer  <ddkilzer@apple.com>

        [ASan] Disable JSStack::sanitizeStack() to avoid false-positive stack-buffer-overflow errors
        <http://webkit.org/b/128819>

        Reviewed by Filip Pizlo.

        * interpreter/JSStack.cpp:
        (JSC::JSStack::sanitizeStack): When building with the clang
        address sanitizer, don't sanitize the stack since it will
        trigger false-positive stack-buffer-overflow errors.  Disabling
        this only results in a performance penalty, not a correctness
        penalty.

2014-02-14  Andres Gomez  <agomez@igalia.com>

        Cleaning the JSStaticScopeObject files left behind after renaming their objects to JSNameScope
        https://bugs.webkit.org/show_bug.cgi?id=127595

        Reviewed by Mario Sanchez Prada.

        JSStaticScopeObject was renamed to JSNameScope and removed long
        ago but the files were left behind empty and the CMake compilation
        in need of its existence. Now, we are definitely getting rid of
        them.

        * CMakeLists.txt:
        * runtime/JSStaticScopeObject.cpp: Removed.
        * runtime/JSStaticScopeObject.h: Removed.

2014-02-13  Filip Pizlo  <fpizlo@apple.com>

        Kill some of the last vestiges of the C++ interpreter's PICs
        https://bugs.webkit.org/show_bug.cgi?id=128796

        Reviewed by Michael Saboff.

        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfo):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecode/PolymorphicAccessStructureList.h:
        (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::PolymorphicStubInfo):
        (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set):
        (JSC::PolymorphicAccessStructureList::PolymorphicAccessStructureList):
        (JSC::PolymorphicAccessStructureList::visitWeak):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::deref):
        (JSC::StructureStubInfo::visitWeakReferences):
        * bytecode/StructureStubInfo.h:
        (JSC::isGetByIdAccess):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/Repatch.cpp:
        (JSC::getPolymorphicStructureList):
        (JSC::tryBuildGetByIDList):
        * llint/LowLevelInterpreter.asm:

2014-02-13  Mark Lam  <mark.lam@apple.com>

        The JSContainerConvertor and ObjcContainerConvertor need to protect JSValueRefs. Part 2.
        <https://webkit.org/b/128764>

        Reviewed by Mark Hahnenberg.

        toJS() is the wrong cast function to use. We need to use toJSForGC() instead.
        Also we need to acquire the JSLock to prevent concurrent accesses to the
        Strong handle list.

        * API/JSValue.mm:
        (JSContainerConvertor::add):
        (containerValueToObject):
        (ObjcContainerConvertor::add):
        (objectToValue):

2014-02-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSManagedValue::dealloc modifies NSMapTable while iterating it
        https://bugs.webkit.org/show_bug.cgi?id=128713

        Reviewed by Geoffrey Garen.

        Having to write a test for this revealed a bug in how addManagedReference:withOwner:
        actually notifies JSManagedValues of new owners.

        * API/JSManagedValue.mm:
        (-[JSManagedValue dealloc]):
        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine addManagedReference:withOwner:]):
        (-[JSVirtualMachine removeManagedReference:withOwner:]):
        * API/tests/testapi.mm:
        (testObjectiveCAPI):

2014-02-13  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix build.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):

2014-02-13  Ryosuke Niwa  <rniwa@webkit.org>

        Speculative Release build fix after r164077.

        * API/JSValue.mm:

2014-02-13  Mark Lam  <mark.lam@apple.com>

        The JSContainerConvertor and ObjcContainerConvertor need to protect JSValueRefs.
        <https://webkit.org/b/128764>

        Reviewed by Mark Hahnenberg.

        Added a vector of Strong<Unknown> references in the 2 containers, and appended
        the newly created JSValues to those vectors. This will keep all those JS objects
        alive for the duration of the conversion.

        * API/JSValue.mm:
        (JSContainerConvertor::add):
        (ObjcContainerConvertor::add):

2014-02-13  Matthew Mirman  <mmirman@apple.com>

        Added GetMyArgumentsLength to FTL
        https://bugs.webkit.org/show_bug.cgi?id=128758

        Reviewed by Filip Pizlo.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
        * tests/stress/ftl-getmyargumentslength.js: Added.
        (foo):

2014-02-13  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/164066.

        It broke tests and it was just plain wrong.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC::GetByIdStatus::computeForStubInfo):
        * runtime/Structure.h:
        (JSC::Structure::takesSlowPathInDFGForImpureProperty):

2014-02-13  Ryuan Choi  <ryuan.choi@samsung.com>

        Unreviewed build fix.

        Fixed typo.

        * dfg/DFGIntegerCheckCombiningPhase.cpp:
        (JSC::DFG::IntegerCheckCombiningPhase::run):

2014-02-13  Michael Saboff  <msaboff@apple.com>

        Change FTL stack check to use VM's stackLimit
        https://bugs.webkit.org/show_bug.cgi?id=128561

        Reviewed by Filip Pizlo.

        Changes FTL function entry to check the call frame register against the FTL
        specific stack limit (VM::m_ftlStackLimit) and throw an exception if the
        stack limit has been exceeded.  Updated the exception handling code to have
        a second entry that will unroll the current frame to the caller, since that
        is where the exception should be processed.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        * ftl/FTLState.h:
        * runtime/VM.h:
        (JSC::VM::addressOfFTLStackLimit):

2014-02-13  Filip Pizlo  <fpizlo@apple.com>

        GetByIdStatus shouldn't call takesSlowPathInDFGForImpureProperty() for self accesses, and calling that method should never assert about anything
        https://bugs.webkit.org/show_bug.cgi?id=128772

        Reviewed by Mark Hahnenberg.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC::GetByIdStatus::computeForStubInfo):
        * runtime/Structure.h:
        (JSC::Structure::takesSlowPathInDFGForImpureProperty):

2014-02-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add some RELEASE_ASSERTs to catch JSLock bugs earlier
        https://bugs.webkit.org/show_bug.cgi?id=128762

        Reviewed by Mark Lam.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * runtime/JSLock.cpp:
        (JSC::JSLock::DropAllLocks::DropAllLocks):

2014-02-12  Filip Pizlo  <fpizlo@apple.com>

        Hoist and combine array bounds checks
        https://bugs.webkit.org/show_bug.cgi?id=125433

        Reviewed by Mark Hahnenberg.

        This adds a phase for reasoning about overflow checks and array bounds checks. It's
        block-local, and removes both overflow checks and bounds checks in one go.

        This also improves reasoning about commutative operations, and CSE between
        CheckOverflow and Unchecked arithmetic.

        This strangely uncovered a DFG backend bug where we were trying to extract an int32
        from a constant even when that constant was just simply a number. I fixed that bug.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::set):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGArithMode.h:
        (JSC::DFG::subsumes):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::pureCSE):
        (JSC::DFG::CSEPhase::int32ToDoubleCSE):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGEdge.cpp:
        (JSC::DFG::Edge::dump):
        * dfg/DFGEdge.h:
        (JSC::DFG::Edge::sanitized):
        (JSC::DFG::Edge::hash):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::valueOfInt32Constant):
        * dfg/DFGInsertionSet.h:
        (JSC::DFG::InsertionSet::insertConstant):
        * dfg/DFGIntegerCheckCombiningPhase.cpp: Added.
        (JSC::DFG::IntegerCheckCombiningPhase::IntegerCheckCombiningPhase):
        (JSC::DFG::IntegerCheckCombiningPhase::run):
        (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
        (JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend):
        (JSC::DFG::IntegerCheckCombiningPhase::isValid):
        (JSC::DFG::IntegerCheckCombiningPhase::insertAdd):
        (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd):
        (JSC::DFG::performIntegerCheckCombining):
        * dfg/DFGIntegerCheckCombiningPhase.h: Added.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::willHaveCodeGenOrOSR):
        * dfg/DFGNodeType.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileAdd):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        (JSC::DFG::StrengthReductionPhase::handleCommutativity):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionFalse):
        * runtime/Identifier.h:
        * runtime/Intrinsic.h:
        * runtime/JSObject.h:
        * tests/stress/get-by-id-untyped.js: Added.
        (foo):
        * tests/stress/inverted-additive-subsumption.js: Added.
        (foo):
        * tests/stress/redundant-add-overflow-checks.js: Added.
        (foo):
        * tests/stress/redundant-array-bounds-checks-addition-skip-first.js: Added.
        (foo):
        (arraycmp):
        * tests/stress/redundant-array-bounds-checks-addition.js: Added.
        (foo):
771         (arraycmp):
772         * tests/stress/redundant-array-bounds-checks-unchecked-addition.js: Added.
773         (foo):
774         (arraycmp):
775         * tests/stress/redundant-array-bounds-checks.js: Added.
776         (foo):
777         (arraycmp):
778         * tests/stress/tricky-array-bounds-checks.js: Added.
779         (foo):
780         (arraycmp):
781
782 2014-02-13  Filip Pizlo  <fpizlo@apple.com>
783
784         FTL should be OK with __compact_unwind in a data section
785         https://bugs.webkit.org/show_bug.cgi?id=128756
786
787         Reviewed by Mark Hahnenberg.
788
789         * ftl/FTLCompile.cpp:
790         (JSC::FTL::mmAllocateCodeSection):
791         (JSC::FTL::mmAllocateDataSection):
792
793 2014-02-13  Michael Saboff  <msaboff@apple.com>
794
795         CStack Branch: VM::currentReturnThunkPC appears to be unused and should be removed
796         https://bugs.webkit.org/show_bug.cgi?id=127205
797
798         Reviewed by Geoffrey Garen.
799
800         Removed unused references to VM::currentReturnThunkPC.
801
802         * jit/ThunkGenerators.cpp:
803         (JSC::arityFixup):
804         * runtime/VM.h:
805
806 2014-02-13  Tamas Gergely  <tgergely.u-szeged@partner.samsung.com>
807
808         Code cleanup: remove gcc<4.7 guards.
809         https://bugs.webkit.org/show_bug.cgi?id=128729
810
811         Reviewed by Anders Carlsson.
812
813         Remove GCC_VERSION_AT_LEAST guards when it checks for pre-4.7 versions,
814         as WK does not compile with earlier gcc versions.
815
816         * assembler/MIPSAssembler.h:
817         (JSC::MIPSAssembler::cacheFlush):
818         * interpreter/StackVisitor.cpp:
819         (JSC::printif):
820
821 2014-02-12  Mark Lam  <mark.lam@apple.com>
822
823         No need to save reservedZoneSize when dropping the JSLock.
824         <https://webkit.org/b/128719>
825
826         Reviewed by Geoffrey Garen.
827
828         The reservedZoneSize does not change due to the VM being run on a different
829         thread. Hence, there is no need to save and restore its value. Instead of
830         calling updateReservedZoneSize() to update the stack limit, we now call
831         setStackPointerAtVMEntry() to do the job. setStackPointerAtVMEntry()
832         will update the stackPointerAtVMEntry and delegate to updateStackLimit() to
833         update the stack limit based on the new stackPointerAtVMEntry.
834
835         * runtime/ErrorHandlingScope.cpp:
836         (JSC::ErrorHandlingScope::ErrorHandlingScope):
837         (JSC::ErrorHandlingScope::~ErrorHandlingScope):
838         - Previously, we initialize stackPointerAtVMEntry in VMEntryScope. This
839           means that the stackPointerAtVMEntry may not be initialized when we
840           instantiate the ErrorHandlingScope. And so, we needed to initialize the
841           stackPointerAtVMEntry in the ErrorHandlingScope constructor if it's not
842           already initialized.
843
844           Now that we initialize the stackPointerAtVMEntry when we lock the VM JSLock,
845           we are guaranteed that it will be initialized by the time we instantiate
846           the ErrorHandlingScope. Hence, we can change the ErrorHandlingScope code
847           to just assert that the stackPointerAtVMEntry is initialized instead.
848
849         * runtime/InitializeThreading.cpp:
850         (JSC::initializeThreading):
851         - We no longer need to save the reservedZoneSize. Remove the related code.
852
853         * runtime/JSLock.cpp:
854         (JSC::JSLock::lock):
855         - When we grab the JSLock mutex for the first time, there is no reason why
856           the stackPointerAtVMEntry should be initialized. By definition, grabbing
857           the lock for the first time equates to entering the VM for the first time.
858           Hence, we can just assert that stackPointerAtVMEntry is uninitialized,
859           and initialize it unconditionally.
860
861           The only exception to this is if we're locking to regrab the JSLock in
862           grabAllLocks(), but grabAllLocks() will take care of restoring the
863           stackPointerAtVMEntry in that case after lock() returns. stackPointerAtVMEntry
864           should still be 0 when we've just locked the JSLock. So, the above assertion
865           always holds true.
866
867           Note: VM::setStackPointerAtVMEntry() will take care of calling
868           VM::updateStackLimit() based on the new stackPointerAtVMEntry.
869
870         - There is no need to save the reservedZoneSize. The reservedZoneSize is
871           set to Options::reservedZoneSize() when the VM is initialized. Thereafter,
872           the ErrorHandlingScope will change it to Options::errorModeReservedZoneSize()
873           when we're handling an error, and it will restore it afterwards. There is
874           no other reason we should be changing the reservedZoneSize. Hence, we can
875           remove the unnecessary code to save it here.
876
877         (JSC::JSLock::unlock):
878         - Similarly, when the lockCount reaches 0 in unlock(), it is synonymous with
879           exiting the VM. Hence, we should just clear the stackPointerAtVMEntry and
880           update the stackLimit. Exiting the VM should have no effect on the VM
881           reservedZoneSize. Hence, we can remove the unnecessary code to "restore" it.
882
883         (JSC::JSLock::dropAllLocks):
884         - When dropping locks, we do not need to save the reservedZoneSize because
885           the reservedZoneSize should remain the same regardless of which thread
886           we are executing JS on. Hence, we can remove the unnecessary code to save
887           the reservedZoneSize here.
888
889         (JSC::JSLock::grabAllLocks):
890         - When re-grabbing locks, restoring the stackPointerAtVMEntry via
891           VM::setStackPointerAtVMEntry() will take care of updating the stack limit.
892           As explained above, there's no need to save the reservedZoneSize. Hence,
893           there's no need to "restore" it here.
894
895         * runtime/VM.cpp:
896         (JSC::VM::VM):
897         (JSC::VM::setStackPointerAtVMEntry):
898         - Sets the stackPointerAtVMEntry and delegates to updateStackLimit() to update
899           the stack limit based on the new stackPointerAtVMEntry.
900         (JSC::VM::updateStackLimit):
901         * runtime/VM.h:
902         (JSC::VM::stackPointerAtVMEntry):
903         - Renamed stackPointerAtVMEntry to m_stackPointerAtVMEntry and made it private.
904           Added a stackPointerAtVMEntry() function to read the value.
905
906 2014-02-12  Mark Hahnenberg  <mhahnenberg@apple.com>
907
908         DelayedReleaseScope in MarkedAllocator::tryAllocateHelper is wrong
909         https://bugs.webkit.org/show_bug.cgi?id=128641
910
911         Reviewed by Michael Saboff.
912
913         We were improperly handling the case where the DelayedReleaseScope 
914         in tryAllocateHelper would cause us to drop the API lock, allowing 
915         another thread to sneak in and allocate a new block after we had already 
916         concluded that there were no more blocks to allocate out of.
917
918         The fix is to call tryAllocateHelper in a loop until we know for sure 
919         that this did not happen.
920
921         There was also a race condition with the DelayedReleaseScope in addBlock.
922         We would add the block to the MarkedBlock's list, sweep it, and then return,
923         causing us to drop the API lock momentarily. Another thread could then 
924         grab the lock, and allocate out of the new block to the point where the 
925         free list was empty. Then we would return to the original thread, who thinks 
926         it's impossible to not allocate successfully at this point. 
927         Instead we should just let tryAllocate do all the hard work with correctly 
928         sweeping and getting a valid result.
929
930         There was another race condition in didFinishIterating. We would call resumeAllocating,
931         which would create a DelayedReleaseScope. The DelayedReleaseScope would then release 
932         API lock before we set m_isIterating back to false, which would potentially confuse 
933         other threads.
934
935         * heap/MarkedAllocator.cpp:
936         (JSC::MarkedAllocator::tryAllocateHelper):
937         (JSC::MarkedAllocator::tryPopFreeList):
938         (JSC::MarkedAllocator::tryAllocate):
939         (JSC::MarkedAllocator::addBlock):
940         * heap/MarkedAllocator.h:
941
942 2014-02-12  Brian Burg  <bburg@apple.com>
943
944         Web Replay: capture and replay nondeterminism of Date.now() and Math.random()
945         https://bugs.webkit.org/show_bug.cgi?id=128633
946
947         Reviewed by Filip Pizlo.
948
949         Upstream the only two sources of script-visible nondeterminism in JavaScriptCore.
950
951         The random seed for WeakRandom is memoized when the owning JSGlobalObject is
952         constructed. It is deterministically initialized during replay before any
953         scripts execute with the global object.
954
955         The implementations of `Date.now()` and `new Date()` eventually obtain the
956         current time from jsCurrentTime(). When capturing, we save return values of
957         jsCurrentTime() into the recording. When replaying, we use memoized values from
958         the recording instead of obtaining values from the platform-specific currentTime()
959         implementation. No other code calls jsCurrentTime().
960
961         * DerivedSources.make: Add rules to make JSReplayInputs.h from JSInputs.json.
962         * JavaScriptCore.xcodeproj/project.pbxproj:
963         * replay/JSInputs.json: Added. Includes specifications for replay inputs
964         "GetCurrentTime" and "SetRandomSeed". Tests will be added for both input
965         cases once sufficient replay machinery has been added.
966
967         * replay/NondeterministicInput.h: NondeterministicInput should not have
968         been marked 'final'.
969
970         * runtime/DateConstructor.cpp:
971         (JSC::deterministicCurrentTime): Added. Load or store the current time depending
972         on what kind of InputCursor is attached to the JSGlobalObject.
973
974         (JSC::constructDate): Use deterministicCurrentTime().
975         (JSC::dateNow): Use deterministicCurrentTime().
976         * runtime/JSGlobalObject.cpp:
977         (JSC::JSGlobalObject::setInputCursor): When setting a non-empty input cursor,
978         immediately store or load the "SetRandomSeed" input and initialize WeakRandom's
979         random seed with it. The input cursor (and thus random seed) must be set before
980         any scripts are evaluated with this JSGlobalObject.
981
982         * runtime/WeakRandom.h:
983         (JSC::WeakRandom::WeakRandom): Add JSGlobalObject as a friend class.
984         (JSC::WeakRandom::initializeSeed): Extract the seed initialization into a
985         separate method so it can be called outside of the JSGlobalObject constructor.
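
Added illustration of the capture/replay scheme the entry above describes; this is not WebKit's replay code. The input names "GetCurrentTime" and "SetRandomSeed" and the idea of an input cursor attached to the global object come from the entry; the class shapes, the xorshift generator standing in for WeakRandom, and the sample "script" are assumptions made for the example.

```javascript
// Added example, not WebKit code. Shows the record/replay pattern from the
// ChangeLog entry: when capturing, platform values (current time, random seed)
// are stored into a recording; when replaying, the memoized values are used
// instead, so a script sees identical nondeterministic inputs on both runs.

class InputCursor {
  constructor(mode, inputs) {
    if (mode !== "capturing" && mode !== "replaying") throw new Error("bad mode");
    this.mode = mode;
    this.inputs = mode === "capturing" ? [] : inputs.slice();
    this.position = 0;
  }
  // Capturing: obtain the platform value, record it, return it.
  // Replaying: return the recorded value; fail loudly on divergence (wrong
  // input kind or recording exhausted) rather than silently going live again.
  storeOrLoad(type, producePlatformValue) {
    if (this.mode === "capturing") {
      const value = producePlatformValue();
      this.inputs.push({ type, value });
      return value;
    }
    const next = this.inputs[this.position++];
    if (!next || next.type !== type) throw new Error("replay divergence: expected " + type);
    return next.value;
  }
}

// Seeded generator standing in for WeakRandom (xorshift32; assumed, not JSC's).
class WeakRandom {
  constructor(seed) { this.initializeSeed(seed); }
  initializeSeed(seed) { this.state = (seed >>> 0) || 0x9e3779b9; } // state must be nonzero
  next() {
    let x = this.state;
    x ^= x << 13; x >>>= 0;
    x ^= x >>> 17;
    x ^= x << 5; x >>>= 0;
    this.state = x;
    return x / 0x100000000; // [0, 1)
  }
}

// Global-object analogue: owns the cursor and the random generator.
class ReplayGlobalObject {
  constructor() { this.cursor = null; this.weakRandom = new WeakRandom(1); }
  // The seed is the first input stored or loaded, before any script runs.
  setInputCursor(cursor) {
    this.cursor = cursor;
    const seed = cursor.storeOrLoad("SetRandomSeed", () => (Math.random() * 0x100000000) >>> 0);
    this.weakRandom.initializeSeed(seed);
  }
  deterministicCurrentTime() {
    const platformNow = () => Date.now();
    return this.cursor ? this.cursor.storeOrLoad("GetCurrentTime", platformNow) : platformNow();
  }
  random() { return this.weakRandom.next(); }
}

// A constructed "script": two time reads around one random draw.
function script(globalObject) {
  return [globalObject.deterministicCurrentTime(), globalObject.random(), globalObject.deterministicCurrentTime()];
}

// Runs the script capturing, then again replaying the recording it produced.
function captureThenReplay() {
  const capturingCursor = new InputCursor("capturing", []);
  const captureGlobal = new ReplayGlobalObject();
  captureGlobal.setInputCursor(capturingCursor);
  const first = script(captureGlobal);
  const replayGlobal = new ReplayGlobalObject();
  replayGlobal.setInputCursor(new InputCursor("replaying", capturingCursor.inputs));
  const second = script(replayGlobal);
  return { first, second, recording: capturingCursor.inputs };
}
```

Only the seed is recorded, not each random draw, which mirrors the entry: a deterministically seeded generator reproduces the whole sequence, so the recording stays small. Divergence detection matters because a replay that quietly falls back to the platform clock would defeat the purpose without any visible error.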
986
987 2014-02-12  Joseph Pecoraro  <pecoraro@apple.com>
988
989         Web Inspector: Cleanup JavaScriptCore/inspector
990         https://bugs.webkit.org/show_bug.cgi?id=128662
991
992         Reviewed by Timothy Hatcher.
993
994         Now that the code has settled, do a cleanup pass.
995
996         * inspector/ContentSearchUtilities.cpp:
997         * inspector/InspectorValues.cpp:
998         (Inspector::InspectorValue::asObject):
999         (Inspector::InspectorValue::asArray):
1000         (Inspector::InspectorValue::parseJSON):
1001         (Inspector::InspectorObjectBase::getObject):
1002         (Inspector::InspectorObjectBase::getArray):
1003         (Inspector::InspectorObjectBase::get):
1004         * inspector/ScriptCallStackFactory.cpp:
1005         * inspector/ScriptDebugServer.cpp:
1006         * inspector/agents/JSGlobalObjectConsoleAgent.h:
1007
1008 2014-02-12  Ryosuke Niwa  <rniwa@webkit.org>
1009
1010         Windows build fix attempt after r163960.
1011
1012         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1013         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1014
1015 2014-02-12  Michael Saboff  <msaboff@apple.com>
1016
1017         Adjust VM::stackLimit based on the size of the largest FTL stack produced
1018         https://bugs.webkit.org/show_bug.cgi?id=128562
1019
1020         Reviewed by Mark Lam.
1021
1022         Added VM::m_largestFTLStackSize to track the largest stack size of an FTL compiled
1023         function. Added VM::m_ftlStackLimit for FTL functions' stack limit.  Renamed
1024         VM::updateStackLimitWithReservedZoneSize to VM::updateReservedZoneSize.  Renamed
1025         VM::setStackLimit to VM::updateStackLimit and changed it to do the updating of the
1026         stack limits, including taking into account m_largestFTLStackSize.
1027
1028         * ftl/FTLJITFinalizer.cpp:
1029         (JSC::FTL::JITFinalizer::finalizeFunction):
1030         * runtime/ErrorHandlingScope.cpp:
1031         (JSC::ErrorHandlingScope::ErrorHandlingScope):
1032         (JSC::ErrorHandlingScope::~ErrorHandlingScope):
1033         * runtime/JSLock.cpp:
1034         (JSC::JSLock::lock):
1035         (JSC::JSLock::unlock):
1036         (JSC::JSLock::grabAllLocks):
1037         * runtime/VM.cpp:
1038         (JSC::VM::VM):
1039         (JSC::VM::updateReservedZoneSize):
1040         (JSC::VM::updateStackLimit):
1041         (JSC::VM::updateFTLLargestStackSize):
1042         * runtime/VM.h:
1043
1044 2014-02-11  Oliver Hunt  <oliver@apple.com>
1045
1046         Make it possible to implement JS builtins in JS
1047         https://bugs.webkit.org/show_bug.cgi?id=127887
1048
1049         Reviewed by Michael Saboff.
1050
1051         This patch makes it possible to write builtin functions in JS.
1052         The bindings, generators, and definitions are all created automatically
1053         based on js files in the builtins/ directory.  This patch includes one
1054         such case: Array.prototype.js with an implementation of every().
1055
1056         There's a lot of refactoring to make it possible for CommonIdentifiers
1057         to include the output of the generated files (DerivedSources/JSCBuiltins.{h,cpp})
1058         without breaking the offset extractor. The result of this refactoring
1059         is that CommonIdentifiers, and a few other miscellaneous headers now
1060         need to be included directly as they were formerly captured through other
1061         paths.
1062
1063         In addition this adds a flag to the Lookup table's hashentry to indicate
1064         that a static function is actually backed by JS. There is then a lot of
1065         logic to thread the special nature of the function to where it matters.
1066         This allows toString(), .caller, etc to mimic the behaviour of a host
1067         function.
1068
1069         Notes on writing builtins:
1070          - Each function is compiled independently of the others, and those
1071            implementations cannot currently capture all global properties (as
1072            that could be potentially unsafe). If a function does capture a
1073            global we will deliberately crash.
1074          - For those "global" properties that we do want access to, we use
1075            the @ prefix, e.g. Object(this) becomes @Object(this). The @ identifiers
1076            are private names, and behave just like regular properties, only
1077            without the risk of adulteration. Again, in the @Object case, we
1078            explicitly duplicate the ObjectConstructor reference on the GlobalObject
1079            so that we have guaranteed access to the original version of the
1080            constructor.
1081          - call, apply, eval, and Function are all rejected identifiers, again
1082            to prevent anything from accidentally using an adulterated object.
1083            Instead @call and @apply are available, and happily they completely
1084            drop the neq_ptr instruction as they're defined as always being the
1085            original call/apply functions.
1086
1087         These restrictions are just intended to make it harder to accidentally
1088         make changes that are incorrect (for instance calling whatever has been
1089         assigned to global.Object, instead of the original constructor function).
1090         However, making a mistake like this should result in a purely semantic
1091         error as fundamentally these functions are treated as though they were
1092         regular JS code in the host global, and have no more privileges than
1093         any other JS.
1094
1095         The initial proof of concept is Array.prototype.every, this shows a 65%
1096         performance improvement, and that improvement is significantly hurt by
1097         our poor optimisation of op_in.
1098
1099         As this is such a limited function, we have not yet exported all symbols
1100         that we could possibly need, but as we implement more, the likelihood
1101         of encountering missing features will reduce.
1102
1103
1104         * API/JSCallbackObjectFunctions.h:
1105         (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
1106         (JSC::JSCallbackObject<Parent>::put):
1107         (JSC::JSCallbackObject<Parent>::deleteProperty):
1108         (JSC::JSCallbackObject<Parent>::getStaticValue):
1109         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
1110         (JSC::JSCallbackObject<Parent>::callbackGetter):
1111         * CMakeLists.txt:
1112         * DerivedSources.make:
1113         * GNUmakefile.am:
1114         * GNUmakefile.list.am:
1115         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1116         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1117         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
1118         * JavaScriptCore.vcxproj/copy-files.cmd:
1119         * JavaScriptCore.xcodeproj/project.pbxproj:
1120         * builtins/Array.prototype.js:
1121         (every):
1122         * builtins/BuiltinExecutables.cpp: Added.
1123         (JSC::BuiltinExecutables::BuiltinExecutables):
1124         (JSC::BuiltinExecutables::createBuiltinExecutable):
1125         * builtins/BuiltinExecutables.h:
1126         (JSC::BuiltinExecutables::create):
1127         * builtins/BuiltinNames.h: Added.
1128         (JSC::BuiltinNames::BuiltinNames):
1129         (JSC::BuiltinNames::getPrivateName):
1130         (JSC::BuiltinNames::getPublicName):
1131         * bytecode/CodeBlock.cpp:
1132         (JSC::CodeBlock::CodeBlock):
1133         * bytecode/UnlinkedCodeBlock.cpp:
1134         (JSC::generateFunctionCodeBlock):
1135         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1136         (JSC::UnlinkedFunctionExecutable::codeBlockFor):
1137         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1138         * bytecode/UnlinkedCodeBlock.h:
1139         (JSC::ExecutableInfo::ExecutableInfo):
1140         (JSC::UnlinkedFunctionExecutable::create):
1141         (JSC::UnlinkedFunctionExecutable::toStrictness):
1142         (JSC::UnlinkedFunctionExecutable::isBuiltinFunction):
1143         (JSC::UnlinkedCodeBlock::isBuiltinFunction):
1144         * bytecompiler/BytecodeGenerator.cpp:
1145         (JSC::BytecodeGenerator::BytecodeGenerator):
1146         * bytecompiler/BytecodeGenerator.h:
1147         (JSC::BytecodeGenerator::isBuiltinFunction):
1148         (JSC::BytecodeGenerator::makeFunction):
1149         * bytecompiler/NodesCodegen.cpp:
1150         (JSC::CallFunctionCallDotNode::emitBytecode):
1151         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1152         * create_hash_table:
1153         * generate-js-builtins: Added.
1154         (getCopyright):
1155         (getFunctions):
1156         (generateCode):
1157         (mangleName):
1158         (FunctionExecutable):
1159         (Identifier):
1160         (JSGlobalObject):
1161         (SourceCode):
1162         (UnlinkedFunctionExecutable):
1163         (VM):
1164         * interpreter/CachedCall.h:
1165         (JSC::CachedCall::CachedCall):
1166         * parser/ASTBuilder.h:
1167         (JSC::ASTBuilder::makeFunctionCallNode):
1168         * parser/Lexer.cpp:
1169         (JSC::Lexer<T>::Lexer):
1170         (JSC::isSafeBuiltinIdentifier):
1171         (JSC::Lexer<LChar>::parseIdentifier):
1172         (JSC::Lexer<UChar>::parseIdentifier):
1173         (JSC::Lexer<T>::lex):
1174         * parser/Lexer.h:
1175         (JSC::isSafeIdentifier):
1176         (JSC::Lexer<T>::lexExpectIdentifier):
1177         * parser/Nodes.cpp:
1178         (JSC::ProgramNode::setClosedVariables):
1179         * parser/Nodes.h:
1180         (JSC::ScopeNode::capturedVariables):
1181         (JSC::ScopeNode::setClosedVariables):
1182         (JSC::ProgramNode::closedVariables):
1183         * parser/Parser.cpp:
1184         (JSC::Parser<LexerType>::Parser):
1185         (JSC::Parser<LexerType>::parseInner):
1186         (JSC::Parser<LexerType>::didFinishParsing):
1187         (JSC::Parser<LexerType>::printUnexpectedTokenText):
1188         * parser/Parser.h:
1189         (JSC::Scope::getUsedVariables):
1190         (JSC::Parser::closedVariables):
1191         (JSC::parse):
1192         * parser/ParserModes.h:
1193         * parser/ParserTokens.h:
1194         * runtime/ArrayPrototype.cpp:
1195         * runtime/CodeCache.cpp:
1196         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
1197         * runtime/CommonIdentifiers.cpp:
1198         (JSC::CommonIdentifiers::CommonIdentifiers):
1199         (JSC::CommonIdentifiers::~CommonIdentifiers):
1200         (JSC::CommonIdentifiers::getPrivateName):
1201         (JSC::CommonIdentifiers::getPublicName):
1202         * runtime/CommonIdentifiers.h:
1203         (JSC::CommonIdentifiers::builtinNames):
1204         * runtime/ExceptionHelpers.cpp:
1205         (JSC::createUndefinedVariableError):
1206         * runtime/Executable.h:
1207         (JSC::EvalExecutable::executableInfo):
1208         (JSC::ProgramExecutable::executableInfo):
1209         (JSC::FunctionExecutable::isBuiltinFunction):
1210         * runtime/FunctionPrototype.cpp:
1211         (JSC::functionProtoFuncToString):
1212         * runtime/JSActivation.cpp:
1213         (JSC::JSActivation::symbolTableGet):
1214         (JSC::JSActivation::symbolTablePut):
1215         (JSC::JSActivation::symbolTablePutWithAttributes):
1216         * runtime/JSFunction.cpp:
1217         (JSC::JSFunction::createBuiltinFunction):
1218         (JSC::JSFunction::calculatedDisplayName):
1219         (JSC::JSFunction::sourceCode):
1220         (JSC::JSFunction::isHostOrBuiltinFunction):
1221         (JSC::JSFunction::isBuiltinFunction):
1222         (JSC::JSFunction::callerGetter):
1223         (JSC::JSFunction::getOwnPropertySlot):
1224         (JSC::JSFunction::getOwnNonIndexPropertyNames):
1225         (JSC::JSFunction::put):
1226         (JSC::JSFunction::defineOwnProperty):
1227         * runtime/JSFunction.h:
1228         * runtime/JSFunctionInlines.h:
1229         (JSC::JSFunction::nativeFunction):
1230         (JSC::JSFunction::nativeConstructor):
1231         (JSC::isHostFunction):
1232         * runtime/JSGlobalObject.cpp:
1233         (JSC::JSGlobalObject::reset):
1234         (JSC::JSGlobalObject::visitChildren):
1235         * runtime/JSGlobalObject.h:
1236         (JSC::JSGlobalObject::objectConstructor):
1237         (JSC::JSGlobalObject::symbolTableHasProperty):
1238         * runtime/JSObject.cpp:
1239         (JSC::getClassPropertyNames):
1240         (JSC::JSObject::reifyStaticFunctionsForDelete):
1241         (JSC::JSObject::putDirectBuiltinFunction):
1242         * runtime/JSObject.h:
1243         * runtime/JSSymbolTableObject.cpp:
1244         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
1245         * runtime/JSSymbolTableObject.h:
1246         (JSC::symbolTableGet):
1247         (JSC::symbolTablePut):
1248         (JSC::symbolTablePutWithAttributes):
1249         * runtime/Lookup.cpp:
1250         (JSC::setUpStaticFunctionSlot):
1251         * runtime/Lookup.h:
1252         (JSC::HashEntry::builtinGenerator):
1253         (JSC::HashEntry::propertyGetter):
1254         (JSC::HashEntry::propertyPutter):
1255         (JSC::HashTable::entry):
1256         (JSC::getStaticPropertySlot):
1257         (JSC::getStaticValueSlot):
1258         (JSC::putEntry):
1259         * runtime/NativeErrorConstructor.cpp:
1260         (JSC::NativeErrorConstructor::finishCreation):
1261         * runtime/NativeErrorConstructor.h:
1262         * runtime/PropertySlot.h:
1263         * runtime/VM.cpp:
1264         (JSC::VM::VM):
1265         * runtime/VM.h:
1266         (JSC::VM::builtinExecutables):
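
Added illustration of the hazard the "Notes on writing builtins" above describe: a builtin written in JS that resolves Object or Function.prototype.call through the live global object can be hijacked by any script that reassigns them. This is plain user-land JavaScript, not JSC's builtin machinery; the @-prefixed private names have no user-level equivalent, so the "capture at definition time" idiom stands in for them. The names naiveEvery, hardenedEvery and withTamperedGlobals, and the sample input, are assumptions made for the example.

```javascript
// Added example, not WebKit code. Contrasts an every() that reaches Object and
// .call through the globals at each call with one that only uses references
// captured before untrusted script could run (stand-in for JSC's @Object/@call).

// Captured once, at definition time. Later reassignment of the globals does
// not affect these bindings.
const OriginalObject = Object;
// uncurried Function.prototype.call: uncurriedCall(fn, thisArg, ...args)
// invokes fn without looking up ".call" on fn at call time.
const uncurriedCall = Function.prototype.call.bind(Function.prototype.call);

// Naive Array.prototype.every analogue: resolves Object and .call on each call.
function naiveEvery(array, callback, thisArg) {
  const O = Object(array);
  const len = O.length >>> 0;
  for (let i = 0; i < len; i++) {
    if (i in O && !callback.call(thisArg, O[i], i, O)) return false;
  }
  return true;
}

// Hardened analogue: uses only the references captured above.
function hardenedEvery(array, callback, thisArg) {
  const O = OriginalObject(array);
  const len = O.length >>> 0;
  for (let i = 0; i < len; i++) {
    if (i in O && !uncurriedCall(callback, thisArg, O[i], i, O)) return false;
  }
  return true;
}

// Runs fn with the globals tampered with, as a hostile page script could do,
// then restores them so nothing else in the program is affected.
function withTamperedGlobals(fn) {
  const savedObject = globalThis.Object;
  const savedCall = Function.prototype.call;
  // Attacker's Object: everything "converts" to an empty array-like, so a
  // naive every() never examines a single element.
  globalThis.Object = function () { return { length: 0 }; };
  // Attacker's call: the callback is never run, every predicate "passes".
  Function.prototype.call = function () { return true; };
  try {
    return fn();
  } finally {
    globalThis.Object = savedObject;
    Function.prototype.call = savedCall;
  }
}

const isPositive = (x) => x > 0;
const sample = [1, -2, 3]; // constructed input: not all elements are positive

function demonstrate() {
  return {
    naiveHonest: naiveEvery(sample, isPositive),                                    // false
    hardenedHonest: hardenedEvery(sample, isPositive),                              // false
    naiveTampered: withTamperedGlobals(() => naiveEvery(sample, isPositive)),       // true: hijacked
    hardenedTampered: withTamperedGlobals(() => hardenedEvery(sample, isPositive)), // false: still correct
  };
}
```

The naive version reports that every element of [1, -2, 3] is positive once the globals are replaced, without the caller or callback ever noticing. The hardened version keeps its meaning because nothing it touches is resolved through a property an attacker can overwrite; that is the property the entry's @-names provide for JSC's builtins, with the engine crashing deliberately if a builtin captures an unapproved global.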
1267
1268 2014-02-11  Brent Fulgham  <bfulgham@apple.com>
1269
1270         Remove some unintended copies in ranged for loops
1271         https://bugs.webkit.org/show_bug.cgi?id=128644
1272
1273         Reviewed by Anders Carlsson.
1274
1275         * inspector/InjectedScriptHost.cpp:
1276         (Inspector::InjectedScriptHost::clearAllWrappers): Avoid creating/destroying
1277         a std::pair<> and pointer each loop iteration.
1278         * parser/Parser.cpp:
1279         (JSC::Parser<LexerType>::Parser): Avoid copying object containing a string
1280         each loop iteration.
1281
1282 2014-02-11  Ryosuke Niwa  <rniwa@webkit.org>
1283
1284         Debug build fix after r163946.
1285
1286         * dfg/DFGByteCodeParser.cpp:
1287         (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
1288
1289 2014-02-11  Filip Pizlo  <fpizlo@apple.com>
1290
1291         Inserting a node with a codeOrigin "like" another node should copy both the codeOrigin and codeOriginForExitTarget
1292         https://bugs.webkit.org/show_bug.cgi?id=128635
1293
1294         Reviewed by Michael Saboff.
1295         
1296         Originally nodes just had a codeOrigin. But then we started doing code motion, and we
1297         needed to separate the codeOrigin that designated where to exit from the codeOrigin
1298         that designated everything else. The "everything else" is actually pretty important:
1299         it includes profiling, exception handling, and the actual semantics of the node. For
1300         example some nodes use the origin's global object in some way.
1301         
1302         This all sort of worked except for one quirk: the facilities for creating nodes all
1303         assumed that there really was only one origin. LICM would work around this by setting
1304         the codeOriginForExitTarget manually. But, that means that:
1305         
1306         - If we did hoist a node twice, then the second time around, we would forget the node's
1307           original exit target.
1308         
1309         - If we did an insertNode() to insert a node before a hoisted node, the inserted node
1310           would have the wrong exit target.
1311         
1312         Most of the time, if we copy the code origin, we actually want to copy both origins.
1313         So, this patch introduces the notion of a NodeOrigin which has two CodeOrigins: a
1314         forExit code origin that says where to exit, and a semantic code origin for everything
1315         else.
1316         
1317         This also (annoyingly?) means that we are always more explicit about which code origin
1318         we refer to. That means that a lot of "node->codeOrigin" expressions had to change to
1319         "node->origin.semantic". This was partly a ploy on my part to ensure that this
1320         refactoring was complete: to get the code to compile I really had to audit all uses of
1321         CodeOrigin. If, in the future, we find that "node->origin.semantic" is too cumbersome
1322         then we can reintroduce the Node::codeOrigin field. For now I kinda like it though.
1323
1324         * GNUmakefile.list.am:
1325         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1326         * JavaScriptCore.xcodeproj/project.pbxproj:
1327         * dfg/DFGAbstractInterpreterInlines.h:
1328         (JSC::DFG::AbstractInterpreter<AbstractStateType>::booleanResult):
1329         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1330         * dfg/DFGArgumentsSimplificationPhase.cpp:
1331         (JSC::DFG::ArgumentsSimplificationPhase::run):
1332         (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
1333         (JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
1334         (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
1335         * dfg/DFGArrayMode.cpp:
1336         (JSC::DFG::ArrayMode::originalArrayStructure):
1337         (JSC::DFG::ArrayMode::alreadyChecked):
1338         * dfg/DFGByteCodeParser.cpp:
1339         (JSC::DFG::ByteCodeParser::addToGraph):
1340         * dfg/DFGCFGSimplificationPhase.cpp:
1341         (JSC::DFG::CFGSimplificationPhase::run):
1342         (JSC::DFG::CFGSimplificationPhase::convertToJump):
1343         (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
1344         (JSC::DFG::CFGSimplificationPhase::jettisonBlock):
1345         (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
1346         * dfg/DFGCPSRethreadingPhase.cpp:
1347         (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
1348         (JSC::DFG::CPSRethreadingPhase::addPhi):
1349         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
1350         (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
1351         (JSC::DFG::CPSRethreadingPhase::propagatePhis):
1352         * dfg/DFGCSEPhase.cpp:
1353         (JSC::DFG::CSEPhase::setLocalStoreElimination):
1354         * dfg/DFGClobberize.h:
1355         (JSC::DFG::clobberize):
1356         * dfg/DFGCommonData.cpp:
1357         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
1358         * dfg/DFGConstantFoldingPhase.cpp:
1359         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1360         (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
1361         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
1362         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
1363         * dfg/DFGDCEPhase.cpp:
1364         (JSC::DFG::DCEPhase::fixupBlock):
1365         * dfg/DFGDisassembler.cpp:
1366         (JSC::DFG::Disassembler::createDumpList):
1367         * dfg/DFGFixupPhase.cpp:
1368         (JSC::DFG::FixupPhase::fixupNode):
1369         (JSC::DFG::FixupPhase::createToString):
1370         (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
1371         (JSC::DFG::FixupPhase::convertStringAddUse):
1372         (JSC::DFG::FixupPhase::fixupToPrimitive):
1373         (JSC::DFG::FixupPhase::fixupToString):
1374         (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
1375         (JSC::DFG::FixupPhase::checkArray):
1376         (JSC::DFG::FixupPhase::blessArrayOperation):
1377         (JSC::DFG::FixupPhase::fixEdge):
1378         (JSC::DFG::FixupPhase::insertStoreBarrier):
1379         (JSC::DFG::FixupPhase::fixIntEdge):
1380         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
1381         (JSC::DFG::FixupPhase::truncateConstantToInt32):
1382         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
1383         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
1384         (JSC::DFG::FixupPhase::convertToGetArrayLength):
1385         (JSC::DFG::FixupPhase::prependGetArrayLength):
1386         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
1387         (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
1388         * dfg/DFGGraph.cpp:
1389         (JSC::DFG::Graph::dumpCodeOrigin):
1390         (JSC::DFG::Graph::amountOfNodeWhiteSpace):
1391         (JSC::DFG::Graph::dump):
1392         (JSC::DFG::Graph::dumpBlockHeader):
1393         * dfg/DFGGraph.h:
1394         (JSC::DFG::Graph::hasExitSite):
1395         (JSC::DFG::Graph::valueProfileFor):
1396         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
1397         * dfg/DFGInvalidationPointInjectionPhase.cpp:
1398         (JSC::DFG::InvalidationPointInjectionPhase::handle):
1399         (JSC::DFG::InvalidationPointInjectionPhase::insertInvalidationCheck):
1400         * dfg/DFGLICMPhase.cpp:
1401         (JSC::DFG::LICMPhase::attemptHoist):
1402         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
1403         (JSC::DFG::createPreHeader):
1404         * dfg/DFGNode.h:
1405         (JSC::DFG::Node::Node):
1406         (JSC::DFG::Node::isStronglyProvedConstantIn):
1407         * dfg/DFGNodeOrigin.h: Added.
1408         (JSC::DFG::NodeOrigin::NodeOrigin):
1409         (JSC::DFG::NodeOrigin::isSet):
1410         * dfg/DFGOSREntrypointCreationPhase.cpp:
1411         (JSC::DFG::OSREntrypointCreationPhase::run):
1412         * dfg/DFGResurrectionForValidationPhase.cpp:
1413         (JSC::DFG::ResurrectionForValidationPhase::run):
1414         * dfg/DFGSSAConversionPhase.cpp:
1415         (JSC::DFG::SSAConversionPhase::run):
1416         * dfg/DFGSSALoweringPhase.cpp:
1417         (JSC::DFG::SSALoweringPhase::handleNode):
1418         (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
1419         * dfg/DFGSpeculativeJIT.cpp:
1420         (JSC::DFG::SpeculativeJIT::compileIn):
1421         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1422         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1423         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
1424         * dfg/DFGSpeculativeJIT.h:
1425         (JSC::DFG::SpeculativeJIT::masqueradesAsUndefinedWatchpointIsStillValid):
1426         (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck):
1427         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
1428         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
1429         (JSC::DFG::SpeculativeJIT::appendCall):
1430         (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
1431         * dfg/DFGSpeculativeJIT32_64.cpp:
1432         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
1433         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
1434         (JSC::DFG::SpeculativeJIT::emitCall):
1435         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1436         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1437         (JSC::DFG::SpeculativeJIT::compile):
1438         * dfg/DFGSpeculativeJIT64.cpp:
1439         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
1440         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
1441         (JSC::DFG::SpeculativeJIT::emitCall):
1442         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1443         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1444         (JSC::DFG::SpeculativeJIT::compile):
1445         * dfg/DFGStrengthReductionPhase.cpp:
1446         (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild):
1447         (JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray):
1448         * dfg/DFGTierUpCheckInjectionPhase.cpp:
1449         (JSC::DFG::TierUpCheckInjectionPhase::run):
1450         * dfg/DFGTypeCheckHoistingPhase.cpp:
1451         (JSC::DFG::TypeCheckHoistingPhase::run):
1452         * dfg/DFGValidate.cpp:
1453         (JSC::DFG::Validate::validateSSA):
1454         * dfg/DFGWatchpointCollectionPhase.cpp:
1455         (JSC::DFG::WatchpointCollectionPhase::handle):
1456         (JSC::DFG::WatchpointCollectionPhase::handleEdge):
1457         (JSC::DFG::WatchpointCollectionPhase::handleMasqueradesAsUndefined):
1458         (JSC::DFG::WatchpointCollectionPhase::globalObject):
1459         * ftl/FTLJSCall.cpp:
1460         (JSC::FTL::JSCall::link):
1461         * ftl/FTLLink.cpp:
1462         (JSC::FTL::link):
1463         * ftl/FTLLowerDFGToLLVM.cpp:
1464         (JSC::FTL::LowerDFGToLLVM::compileNode):
1465         (JSC::FTL::LowerDFGToLLVM::compileToThis):
1466         (JSC::FTL::LowerDFGToLLVM::compilePutById):
1467         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
1468         (JSC::FTL::LowerDFGToLLVM::compileNewArray):
1469         (JSC::FTL::LowerDFGToLLVM::compileNewArrayBuffer):
1470         (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
1471         (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
1472         (JSC::FTL::LowerDFGToLLVM::compileGetMyScope):
1473         (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated):
1474         (JSC::FTL::LowerDFGToLLVM::getById):
1475         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
1476         (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructure):
1477         (JSC::FTL::LowerDFGToLLVM::masqueradesAsUndefinedWatchpointIsStillValid):
1478         (JSC::FTL::LowerDFGToLLVM::callPreflight):
1479
1480 2014-02-11  Filip Pizlo  <fpizlo@apple.com>
1481
1482         Fix assertions and incorrect codegen for CompareEq(ObjectOrOther:, Object:)
1483         https://bugs.webkit.org/show_bug.cgi?id=128648
1484
1485         Reviewed by Mark Lam.
1486         
1487         I did CompareEq(Object:, ObjectOrOther:) correctly but the flipped version wrong.
1488         That's what I get for running tests in release mode. It's hard to write a test for
1489         the incorrect codegen; that's kind of why the assertions are there.
1490
1491         * ftl/FTLLowerDFGToLLVM.cpp:
1492         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
1493
1494 2014-02-11  Filip Pizlo  <fpizlo@apple.com>
1495
1496         Unreviewed, trivial change to silence FTL assertions
1497
1498         Normally, lowJSValue() should only be used for UntypedUse only. Here we are using it
1499         on ObjectOrOtherUse because we execute the speculation ourselves. The way you're
1500         supposed to do this is by passing ManualOperandSpeculation to tell lowJSValue() not
1501         to assert.
1502
1503         * ftl/FTLLowerDFGToLLVM.cpp:
1504         (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
1505
1506 2014-02-11  Filip Pizlo  <fpizlo@apple.com>
1507
1508         Use LLVM's dead store elimination
1509         https://bugs.webkit.org/show_bug.cgi?id=128638
1510
1511         Reviewed by Mark Hahnenberg.
1512         
1513         DFG's store elimination was being run too soon for comfort on the FTL path. It's
1514         really only sound when run after all other optimizations. Remove it from the FTL
1515         path.
1516         
1517         Enable LLVM store elimination. It's both easier to reason about and more
1518         comprehensive.
1519
1520         * dfg/DFGPlan.cpp:
1521         (JSC::DFG::Plan::compileInThreadImpl):
1522         * ftl/FTLCompile.cpp:
1523         (JSC::FTL::compile):
1524
1525 2014-02-11  Brian Burg  <bburg@apple.com>
1526
1527         Web Replay: upstream replay input code generator and EncodedValue class
1528         https://bugs.webkit.org/show_bug.cgi?id=128215
1529
1530         Reviewed by Joseph Pecoraro.
1531
1532         Add the replay inputs code generator. Most features of the input generator are
1533         exercised by included generator regression tests, which produce useful but
1534         non-compilable test replay inputs.
1535
1536         Add EncodedValue, the main replay input serialization class that encodes and
1537         decodes inputs and their data between C++ types and the JSON-based replay recording
1538         format. EncodedValue uses EncodingTraits specializations for type-specific encoding.
1539         Relative to other WebKit marshalling mechanisms, EncodedValue is key/value based.
1540         EncodedValue uses InspectorValue subclasses as its backing data structure.
1541
1542         Add some missing numerical conversions to InspectorValue.
1543
1544         * JavaScriptCore.xcodeproj/project.pbxproj:
1545         * inspector/InspectorValues.cpp:
1546         (Inspector::InspectorValue::asNumber):
1547         (Inspector::InspectorBasicValue::asNumber):
1548         * inspector/InspectorValues.h:
1549         * replay/EncodedValue.cpp: Added.
1550         (JSC::EncodedValue::asObject):
1551         (JSC::EncodedValue::asArray):
1552         (JSC::ScalarEncodingTraits<bool>::encodeValue):
1553         (JSC::ScalarEncodingTraits<double>::encodeValue):
1554         (JSC::ScalarEncodingTraits<float>::encodeValue):
1555         (JSC::ScalarEncodingTraits<int32_t>::encodeValue):
1556         (JSC::ScalarEncodingTraits<int64_t>::encodeValue):
1557         (JSC::ScalarEncodingTraits<uint32_t>::encodeValue):
1558         (JSC::ScalarEncodingTraits<uint64_t>::encodeValue):
1559         (JSC::long>::encodeValue):
1560         (JSC::EncodedValue::convertTo<bool>):
1561         (JSC::EncodedValue::convertTo<double>):
1562         (JSC::EncodedValue::convertTo<float>):
1563         (JSC::EncodedValue::convertTo<int32_t>):
1564         (JSC::EncodedValue::convertTo<int64_t>):
1565         (JSC::EncodedValue::convertTo<uint32_t>):
1566         (JSC::EncodedValue::convertTo<uint64_t>):
1567         (JSC::long>):
1568         (JSC::EncodedValue::convertTo<String>):
1569         (JSC::EncodedValue::put<EncodedValue>):
1570         (JSC::EncodedValue::append<EncodedValue>):
1571         (JSC::EncodedValue::get<EncodedValue>):
1572         * replay/EncodedValue.h: Added.
1573         (JSC::EncodedValue::EncodedValue):
1574         (JSC::EncodedValue::createObject):
1575         (JSC::EncodedValue::createArray):
1576         (JSC::EncodedValue::createString):
1577         (JSC::EncodedValue::~EncodedValue):
1578         (JSC::ScalarEncodingTraits::decodeValue):
1579         (JSC::EncodingTraits<String>::encodeValue):
1580         (JSC::EncodedValue::put):
1581         (JSC::EncodedValue::append):
1582         (JSC::EncodedValue::get):
1583         * replay/scripts/CodeGeneratorReplayInputs.py: Added.
1584         (ParseException):
1585         (TypecheckException):
1586         (Framework):
1587         (Framework.__init__):
1588         (Framework.setting):
1589         (Framework.fromString):
1590         (Frameworks):
1591         (InputQueue):
1592         (InputQueue.__init__):
1593         (InputQueue.setting):
1594         (InputQueue.fromString):
1595         (InputQueues):
1596         (Input):
1597         (Input.__init__):
1598         (Input.setting):
1599         (InputMember):
1600         (InputMember.__init__):
1601         (InputMember.has_flag):
1602         (TypeMode):
1603         (TypeMode.__init__):
1604         (TypeMode.fromString):
1605         (TypeModes):
1606         (Type):
1607         (Type.__init__):
1608         (Type.__eq__):
1609         (Type.__hash__):
1610         (Type.has_flag):
1611         (Type.is_struct):
1612         (Type.is_enum):
1613         (Type.is_enum_class):
1614         (Type.declaration_kind):
1615         (Type.qualified_prefix):
1616         (Type.qualified_prefix.is):
1617         (Type.type_name):
1618         (Type.storage_type):
1619         (Type.borrow_type):
1620         (Type.argument_type):
1621         (check_properties):
1622         (VectorType):
1623         (VectorType.__init__):
1624         (VectorType.has_flag):
1625         (VectorType.is_struct):
1626         (VectorType.is_enum):
1627         (VectorType.is_enum_class):
1628         (VectorType.qualified_prefix):
1629         (VectorType.type_name):
1630         (VectorType.argument_type):
1631         (InputsModel):
1632         (InputsModel.__init__):
1633         (InputsModel.enum_types):
1634         (InputsModel.get_type_for_member):
1635         (InputsModel.parse_toplevel):
1636         (InputsModel.parse_type_with_framework_name):
1637         (InputsModel.parse_input):
1638         (InputsModel.typecheck):
1639         (InputsModel.typecheck_type):
1640         (InputsModel.typecheck_input):
1641         (InputsModel.typecheck_input_member):
1642         (IncrementalFileWriter):
1643         (IncrementalFileWriter.__init__):
1644         (IncrementalFileWriter.write):
1645         (IncrementalFileWriter.close):
1646         (lcfirst):
1647         (wrap_with_guard):
1648         (Generator):
1649         (Generator.__init__):
1650         (Generator.setting):
1651         (Generator.output_filename):
1652         (Generator.write_output_files):
1653         (Generator.generate_header):
1654         (Generator.generate_implementation):
1655         (Generator.generate_license):
1656         (Generator.generate_includes):
1657         (Generator.generate_includes.declaration):
1658         (Generator.generate_includes.declaration.is):
1659         (Generator.generate_type_forward_declarations):
1660         (Generator.generate_type_forward_declarations.is):
1661         (Generator.generate_class_declaration):
1662         (Generator.generate_input_constructor_declaration):
1663         (Generator.generate_input_destructor_declaration):
1664         (Generator.generate_input_member_getter):
1665         (Generator.generate_input_member_declaration):
1666         (Generator.generate_input_member_tuples):
1667         (Generator.qualified_input_name):
1668         (Generator.generate_input_trait_declaration):
1669         (Generator.generate_enum_trait_declaration):
1670         (Generator.generate_for_each_macro):
1671         (Generator.generate_class_implementation):
1672         (Generator.generate_enum_trait_implementation):
1673         (Generator.generate_enum_trait_implementation.is):
1674         (Generator.generate_input_trait_implementation):
1675         (Generator.generate_input_encode_implementation):
1676         (Generator.generate_input_decode_implementation):
1677         (Generator.generate_constructor_initializer_list):
1678         (Generator.generate_constructor_formals_list):
1679         (Generator.generate_member_borrow_expression):
1680         (Generator.generate_member_move_expression):
1681         (Generator.generate_constructor_arguments_list):
1682         (generate_from_specification):
1683         * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Added.
1684         (Templates):
1685         * replay/scripts/tests/expected/JSInputs.json-TestReplayInputs.cpp: Added.
1686         * replay/scripts/tests/expected/JSInputs.json-TestReplayInputs.h: Added.
1687         * replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error: Added.
1688         * replay/scripts/tests/expected/fail-on-duplicate-input-names.json-error: Added.
1689         * replay/scripts/tests/expected/fail-on-duplicate-type-names.json-error: Added.
1690         * replay/scripts/tests/expected/fail-on-enum-type-missing-values.json-error: Added.
1691         * replay/scripts/tests/expected/fail-on-missing-input-member-name.json-error: Added.
1692         * replay/scripts/tests/expected/fail-on-missing-input-name.json-error: Added.
1693         * replay/scripts/tests/expected/fail-on-missing-input-queue.json-error: Added.
1694         * replay/scripts/tests/expected/fail-on-missing-type-mode.json-error: Added.
1695         * replay/scripts/tests/expected/fail-on-missing-type-name.json-error: Added.
1696         * replay/scripts/tests/expected/fail-on-no-inputs.json-error: Added.
1697         * replay/scripts/tests/expected/fail-on-no-types.json-error: Added.
1698         * replay/scripts/tests/expected/fail-on-unknown-input-queue.json-error: Added.
1699         * replay/scripts/tests/expected/fail-on-unknown-member-type.json-error: Added.
1700         * replay/scripts/tests/expected/fail-on-unknown-type-mode.json-error: Added.
1701         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp: Added.
1702         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h: Added.
1703         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp: Added.
1704         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h: Added.
1705         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-error: Added.
1706         * replay/scripts/tests/expected/generate-event-loop-shape-types.json-error: Added.
1707         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp: Added.
1708         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h: Added.
1709         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp: Added.
1710         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Added.
1711         * replay/scripts/tests/expected/generate-inputs-with-flags.json-error: Added.
1712         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp: Added.
1713         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h: Added.
1714         * replay/scripts/tests/fail-on-c-style-enum-no-storage.json: Added.
1715         * replay/scripts/tests/fail-on-duplicate-input-names.json: Added.
1716         * replay/scripts/tests/fail-on-duplicate-type-names.json: Added.
1717         * replay/scripts/tests/fail-on-enum-type-missing-values.json: Added.
1718         * replay/scripts/tests/fail-on-missing-input-member-name.json: Added.
1719         * replay/scripts/tests/fail-on-missing-input-name.json: Added.
1720         * replay/scripts/tests/fail-on-missing-input-queue.json: Added.
1721         * replay/scripts/tests/fail-on-missing-type-mode.json: Added.
1722         * replay/scripts/tests/fail-on-missing-type-name.json: Added.
1723         * replay/scripts/tests/fail-on-no-inputs.json: Added.
1724         * replay/scripts/tests/fail-on-no-types.json: Added.
1725         * replay/scripts/tests/fail-on-unknown-input-queue.json: Added.
1726         * replay/scripts/tests/fail-on-unknown-member-type.json: Added.
1727         * replay/scripts/tests/fail-on-unknown-type-mode.json: Added.
1728         * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json: Added.
1729         * replay/scripts/tests/generate-enum-encoding-helpers.json: Added.
1730         * replay/scripts/tests/generate-event-loop-shape-types.json: Added.
1731         * replay/scripts/tests/generate-input-with-guard.json: Added.
1732         * replay/scripts/tests/generate-input-with-vector-members.json: Added.
1733         * replay/scripts/tests/generate-inputs-with-flags.json: Added.
1734         * replay/scripts/tests/generate-memoized-type-modes.json: Added.
1735
1736 2014-02-11  Joseph Pecoraro  <pecoraro@apple.com>
1737
1738         Add Availability Macros to new JSC APIs
1739         https://bugs.webkit.org/show_bug.cgi?id=128615
1740
1741         Reviewed by Mark Rowe.
1742
1743         * API/JSContext.h:
1744         * API/JSContextRef.h:
1745
1746 2014-02-11  Filip Pizlo  <fpizlo@apple.com>
1747
1748         FTL should support CompareEq(ObjectOrOther:, Object:)
1749         https://bugs.webkit.org/show_bug.cgi?id=127752
1750
1751         Reviewed by Oliver Hunt.
1752         
1753         Also introduce some helpers for reasoning about nullness and truthyness.
1754
1755         * ftl/FTLCapabilities.cpp:
1756         (JSC::FTL::canCompile):
1757         * ftl/FTLLowerDFGToLLVM.cpp:
1758         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
1759         (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
1760         (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
1761         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
1762         (JSC::FTL::LowerDFGToLLVM::isNotNully):
1763         (JSC::FTL::LowerDFGToLLVM::isNully):
1764         (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
1765         * tests/stress/compare-eq-object-or-other-to-object.js: Added.
1766         (foo):
1767         (test):
1768         * tests/stress/compare-eq-object-to-object-or-other.js: Added.
1769         (foo):
1770         (test):
1771
1772 2014-02-11  Mark Hahnenberg  <mhahnenberg@apple.com>
1773
1774         32-bit LLInt writeBarrierOnGlobalObject is wrong
1775         https://bugs.webkit.org/show_bug.cgi?id=128556
1776
1777         Reviewed by Geoffrey Garen.
1778
1779         * llint/LowLevelInterpreter32_64.asm:
1780         * llint/LowLevelInterpreter64.asm: Also fixed the value check on 64-bit.
1781
1782 2014-02-11  Gabor Rapcsanyi  <rgabor@webkit.org>
1783
1784         LLInt typo error after r139004.
1785         https://bugs.webkit.org/show_bug.cgi?id=128592
1786
1787         Reviewed by Michael Saboff.
1788
1789         * offlineasm/arm.rb: change immediate to register in the condition
1790
1791 2014-02-10  Filip Pizlo  <fpizlo@apple.com>
1792
1793         LICM should gracefully handle unprofiled code
1794         https://bugs.webkit.org/show_bug.cgi?id=127848
1795
1796         Reviewed by Mark Hahnenberg.
1797
1798         * dfg/DFGLICMPhase.cpp:
1799         (JSC::DFG::LICMPhase::run):
1800
1801 2014-02-11  Mark Hahnenberg  <mhahnenberg@apple.com>
1802
1803         Obj-C API: JSExport doesn't work for methods that contain protocols in their type signature
1804         https://bugs.webkit.org/show_bug.cgi?id=128540
1805
1806         Reviewed by Oliver Hunt.
1807
1808         The bug is in parseObjCType in ObjcRuntimeExtras.h. When we see an '@' in the 
1809         type signature of a method, we assume that what follows the '@' is a class name, 
1810         so we call objc_getClass, and if that returns nil then we give up on the method 
1811         and don't export it.
1812
1813         This assumption doesn't work in the case of id<Protocol> because it's the name 
1814         of the protocol that follows the '@', not the name of a class. We should have 
1815         another fallback case for protocol names.
1816
1817         There's another case that also doesn't work, and that's the case of a named class 
1818         with a specified prototype in a method signature (e.g. NSObject<MyProtocol>). 
1819         There the substring of the type signature that represents the class is "NSObject<MyProtocol>", 
1820         which will also cause objc_getClass to return nil.
1821
1822         * API/ObjcRuntimeExtras.h:
1823         (parseObjCType):
1824         * API/tests/DateTests.mm: Also fixed an issue I noticed where we don't use an autorelease pool
1825         for the DateTests.
1826         * API/tests/JSExportTests.h: Added.
1827         * API/tests/JSExportTests.mm: Added.
1828         (-[TruthTeller returnTrue]):
1829         (-[ExportMethodWithIdProtocol methodWithIdProtocol:]):
1830         (-[ExportMethodWithClassProtocol methodWithClassProtocol:]):
1831         (+[JSExportTests exportInstanceMethodWithIdProtocolTest]):
1832         (+[JSExportTests exportInstanceMethodWithClassProtocolTest]):
1833         (runJSExportTests):
1834         * API/tests/testapi.mm:
1835         * JavaScriptCore.xcodeproj/project.pbxproj:
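
An added illustration, not the parseObjCType code from this change: a small C++ splitter for the token that follows '@', so that only the bare class name is handed to the class lookup and protocol names are kept separately. The function names, the "<A><B>" and "<A, B>" spellings for several protocols, and the assumption that any quoting around the token has already been stripped are this example's own.

```cpp
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

// Result of splitting the object-type token that follows '@' in an
// Objective-C method type signature (what the entry above calls "the
// substring of the type signature that represents the class").
struct ObjCObjectType {
    std::string className;               // empty when the declared type is plain id
    std::vector<std::string> protocols;  // names found inside <...>, in order
    bool wellFormed = false;             // false on unbalanced brackets or empty names
};

static bool isIdentChar(char c)
{
    return std::isalnum(static_cast<unsigned char>(c)) || c == '_';
}

// Splits "NSObject<MyProtocol>" into class "NSObject" and protocol "MyProtocol";
// "<MyProtocol>" (from id<MyProtocol>) into no class and one protocol;
// "NSString" into class only. Several protocols may appear as "<A><B>" or
// "<A, B>" (assumed spellings). Quoting around the token is assumed stripped.
ObjCObjectType parseObjCObjectType(const std::string& token)
{
    ObjCObjectType result;
    size_t pos = 0;

    // Optional class name: identifier characters up to the first '<'.
    while (pos < token.size() && isIdentChar(token[pos]))
        result.className += token[pos++];

    // Zero or more <...> groups, each naming one or more protocols.
    while (pos < token.size()) {
        if (token[pos] != '<')
            return result;                       // stray character: malformed
        size_t close = token.find('>', pos);
        if (close == std::string::npos)
            return result;                       // unbalanced '<': malformed
        size_t namesInGroup = 0;
        std::string name;
        for (size_t i = pos + 1; i < close; ++i) {
            char c = token[i];
            if (isIdentChar(c)) {
                name += c;
            } else if (c == ',' || std::isspace(static_cast<unsigned char>(c))) {
                if (!name.empty()) {
                    result.protocols.push_back(name);
                    ++namesInGroup;
                    name.clear();
                }
            } else {
                return result;                   // e.g. nested '<': malformed
            }
        }
        if (!name.empty()) {
            result.protocols.push_back(name);
            ++namesInGroup;
        }
        if (!namesInGroup)
            return result;                       // "<>" names nothing: malformed
        pos = close + 1;
    }

    if (result.className.empty() && result.protocols.empty())
        return result;                           // empty token: malformed
    result.wellFormed = true;
    return result;
}

// The name a class lookup (objc_getClass in the real parser) should receive:
// the bare class, never "NSObject<MyProtocol>". Empty means the declared type
// is id (possibly id<Protocol>) and no class lookup applies.
std::string classNameForLookup(const std::string& token)
{
    ObjCObjectType type = parseObjCObjectType(token);
    return type.wellFormed ? type.className : std::string();
}

int main()
{
    // Constructed sample tokens covering the cases discussed in the entry.
    const char* samples[] = { "NSString", "NSObject<MyProtocol>", "<MyProtocol>",
                              "<A, B>", "NSObject<Broken" };
    for (const char* sample : samples) {
        ObjCObjectType type = parseObjCObjectType(sample);
        std::printf("%-22s wellFormed=%d class=\"%s\" protocols=%zu\n",
                    sample, type.wellFormed, type.className.c_str(), type.protocols.size());
    }
    return 0;
}
```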
1836
1837 2014-02-10  Michael Saboff  <msaboff@apple.com>
1838
1839         Re-enable ARM Thumb2 disassembler
1840         https://bugs.webkit.org/show_bug.cgi?id=128577
1841
1842         Reviewed by Filip Pizlo.
1843
1844         Changed signature of tryToDisassemble() to match updates.
1845         Fixed typo in disassembler.
1846
1847         * disassembler/ARMv7/ARMv7DOpcode.cpp:
1848         * disassembler/ARMv7Disassembler.cpp:
1849         (JSC::tryToDisassemble):
1850
1851 2014-02-10  Mark Lam  <mark.lam@apple.com>
1852
1853         Removing limitation on JSLock's lockDropDepth.
1854         <https://webkit.org/b/128570>
1855
1856         Reviewed by Geoffrey Garen.
1857
1858         Now that we've switched to using the C stack, we no longer need to limit
1859         the JSLock::lockDropDepth to 2.
1860
1861         For C loop builds which still use the separate JSStack, the JSLock will
1862         enforce ordering for re-grabbing the lock after dropping it. Re-grabbing
1863         must occur in the reverse order of the dropping of the locks.
1864
1865         Ordering is achieved by JSLock::dropAllLocks() stashing away the
1866         JSLock::m_lockDropDepth in its DropAllLocks instance's m_dropDepth
1867         before unlocking the lock. Subsequently, JSLock::grabAllLocks() will
1868         ensure that JSLock::m_lockDropDepth equals its DropAllLocks instance's
1869         m_dropDepth before allowing the lock to be re-grabbed. Otherwise, it
1870         will yield execution and retry again later.
1871
1872         Note: because JSLock::m_lockDropDepth is protected by the JSLock's
1873         mutex, grabAllLocks() will optimistically lock the JSLock before doing
1874         the check on m_lockDropDepth. If the check fails, it will unlock the
1875         JSLock, yield, and then relock it again later before retrying the check.
1876         This ensures that m_lockDropDepth remains under the protection of the
1877         JSLock's mutex.
1878
1879         * runtime/JSLock.cpp:
1880         (JSC::JSLock::dropAllLocks):
1881         (JSC::JSLock::grabAllLocks):
1882         (JSC::JSLock::DropAllLocks::DropAllLocks):
1883         (JSC::JSLock::DropAllLocks::~DropAllLocks):
1884         * runtime/JSLock.h:
1885         (JSC::JSLock::DropAllLocks::setDropDepth):
1886         (JSC::JSLock::DropAllLocks::dropDepth):
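
A simplified model of the drop-depth ordering described in this entry, added here as an illustration and not JSC's JSLock code: it keeps only the depth counter, the per-dropper stash and a single held flag, and reports "would yield and retry" as a false return instead of spinning. The class names DropDepthLock and DropAllLocksScope, and the increment-then-stash convention that makes the equality check work, are this model's own assumptions.

```cpp
#include <cstdio>

// Scope object standing in for JSLock::DropAllLocks: remembers the drop depth
// it created so that re-grabbing can be matched against it.
class DropAllLocksScope {
public:
    unsigned dropDepth() const { return m_dropDepth; }
    void setDropDepth(unsigned depth) { m_dropDepth = depth; }
private:
    unsigned m_dropDepth = 0;
};

// Model of the lock itself (not JSC's JSLock).
class DropDepthLock {
public:
    // Plain acquire/release, standing in for the JSLock mutex.
    bool lock()
    {
        if (m_held)
            return false;                      // contended: the caller would block here
        m_held = true;
        return true;
    }
    void unlock() { m_held = false; }

    // Called by the holder before releasing the lock around a call-out.
    // The dropper stashes the depth it created (assumed: increment, then stash).
    void dropAllLocks(DropAllLocksScope& dropper)
    {
        ++m_lockDropDepth;                     // one more outstanding drop
        dropper.setDropDepth(m_lockDropDepth); // stash before unlocking
        m_held = false;
    }

    // Re-grab succeeds only for the most recent dropper: the stashed depth
    // must equal the counter. The counter is read under the lock, so the
    // lock is taken optimistically and released again if it is not our turn.
    bool tryGrabAllLocks(DropAllLocksScope& dropper)
    {
        if (!lock())
            return false;                      // held by someone else: retry later
        if (dropper.dropDepth() != m_lockDropDepth) {
            unlock();                          // not our turn: unlock, yield, retry
            return false;
        }
        --m_lockDropDepth;
        return true;                           // lock re-grabbed
    }

    unsigned lockDropDepth() const { return m_lockDropDepth; }
    bool held() const { return m_held; }

private:
    unsigned m_lockDropDepth = 0;
    bool m_held = false;
};

// Walks a two-thread interleaving step by step (thread 1 drops, thread 2 takes
// the free lock and drops too) and returns true only if the model lets thread 2
// re-grab first and makes thread 1 wait, i.e. reverse order of dropping.
bool reverseOrderIsEnforced()
{
    DropDepthLock jsLock;
    DropAllLocksScope dropper1, dropper2;

    if (!jsLock.lock())                    return false; // thread 1 holds the lock
    jsLock.dropAllLocks(dropper1);                       // thread 1 drops (depth 1)
    if (!jsLock.lock())                    return false; // thread 2 takes the free lock
    jsLock.dropAllLocks(dropper2);                       // thread 2 drops (depth 2)

    if (jsLock.tryGrabAllLocks(dropper1))  return false; // thread 1 is early: must yield
    if (jsLock.held())                     return false; // and must have released the lock
    if (!jsLock.tryGrabAllLocks(dropper2)) return false; // thread 2 re-grabs first
    jsLock.unlock();                                     // thread 2 is done
    if (!jsLock.tryGrabAllLocks(dropper1)) return false; // now thread 1 may re-grab
    return jsLock.lockDropDepth() == 0 && jsLock.held();
}

int main()
{
    std::printf("reverse-order re-grab enforced: %s\n",
                reverseOrderIsEnforced() ? "yes" : "no");
    return 0;
}
```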
1887
1888 2014-02-10  Filip Pizlo  <fpizlo@apple.com>
1889
1890         FTL should support ToThis
1891         https://bugs.webkit.org/show_bug.cgi?id=127751
1892
1893         Reviewed by Oliver Hunt.
1894
1895         * ftl/FTLCapabilities.cpp:
1896         (JSC::FTL::canCompile):
1897         * ftl/FTLIntrinsicRepository.h:
1898         * ftl/FTLLowerDFGToLLVM.cpp:
1899         (JSC::FTL::LowerDFGToLLVM::compileNode):
1900         (JSC::FTL::LowerDFGToLLVM::compileToThis):
1901         * tests/stress/to-this-polymorphic.js: Added.
1902         (foo):
1903
1904 2014-02-10  Filip Pizlo  <fpizlo@apple.com>
1905
1906         Rename Operations.h to JSCInlines.h
1907         https://bugs.webkit.org/show_bug.cgi?id=128543
1908
1909         Rubber stamped by Geoffrey Garen.
1910         
1911         Well, what this actually does is it splits Operations.h into a real Operations.h that
1912         actually contains "operations", and JSCInlines.h, which serves the role of being an
1913         inlines umbrella.
1914         
1915         * API/JSBase.cpp:
1916         * API/JSCTestRunnerUtils.cpp:
1917         * API/JSCallbackConstructor.cpp:
1918         * API/JSCallbackFunction.cpp:
1919         * API/JSCallbackObject.cpp:
1920         * API/JSClassRef.cpp:
1921         * API/JSContext.mm:
1922         * API/JSContextRef.cpp:
1923         * API/JSManagedValue.mm:
1924         * API/JSObjectRef.cpp:
1925         * API/JSScriptRef.cpp:
1926         * API/JSValue.mm:
1927         * API/JSValueRef.cpp:
1928         * API/JSWeakObjectMapRefPrivate.cpp:
1929         * API/JSWrapperMap.mm:
1930         * GNUmakefile.list.am:
1931         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1932         * JavaScriptCore.xcodeproj/project.pbxproj:
1933         * assembler/LinkBuffer.cpp:
1934         * bindings/ScriptFunctionCall.cpp:
1935         * bindings/ScriptObject.cpp:
1936         * bytecode/ArrayAllocationProfile.cpp:
1937         * bytecode/ArrayProfile.cpp:
1938         * bytecode/BytecodeBasicBlock.cpp:
1939         * bytecode/CallLinkInfo.cpp:
1940         * bytecode/CallLinkStatus.cpp:
1941         * bytecode/CodeBlock.cpp:
1942         * bytecode/CodeBlockJettisoningWatchpoint.cpp:
1943         * bytecode/CodeOrigin.cpp:
1944         * bytecode/ExecutionCounter.cpp:
1945         * bytecode/GetByIdStatus.cpp:
1946         * bytecode/LazyOperandValueProfile.cpp:
1947         * bytecode/MethodOfGettingAValueProfile.cpp:
1948         * bytecode/PreciseJumpTargets.cpp:
1949         * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
1950         * bytecode/PutByIdStatus.cpp:
1951         * bytecode/SamplingTool.cpp:
1952         * bytecode/SpecialPointer.cpp:
1953         * bytecode/SpeculatedType.cpp:
1954         * bytecode/StructureStubClearingWatchpoint.cpp:
1955         * bytecode/UnlinkedCodeBlock.cpp:
1956         * bytecode/ValueRecovery.cpp:
1957         * bytecompiler/BytecodeGenerator.cpp:
1958         * bytecompiler/NodesCodegen.cpp:
1959         * debugger/Debugger.cpp:
1960         * debugger/DebuggerActivation.cpp:
1961         * debugger/DebuggerCallFrame.cpp:
1962         * dfg/DFGAbstractHeap.cpp:
1963         * dfg/DFGAbstractValue.cpp:
1964         * dfg/DFGArgumentsSimplificationPhase.cpp:
1965         * dfg/DFGArithMode.cpp:
1966         * dfg/DFGArrayMode.cpp:
1967         * dfg/DFGAtTailAbstractState.cpp:
1968         * dfg/DFGAvailability.cpp:
1969         * dfg/DFGBackwardsPropagationPhase.cpp:
1970         * dfg/DFGBasicBlock.cpp:
1971         * dfg/DFGBinarySwitch.cpp:
1972         * dfg/DFGBlockInsertionSet.cpp:
1973         * dfg/DFGByteCodeParser.cpp:
1974         * dfg/DFGCFAPhase.cpp:
1975         * dfg/DFGCFGSimplificationPhase.cpp:
1976         * dfg/DFGCPSRethreadingPhase.cpp:
1977         * dfg/DFGCSEPhase.cpp:
1978         * dfg/DFGCapabilities.cpp:
1979         * dfg/DFGClobberSet.cpp:
1980         * dfg/DFGClobberize.cpp:
1981         * dfg/DFGCommon.cpp:
1982         * dfg/DFGCommonData.cpp:
1983         * dfg/DFGCompilationKey.cpp:
1984         * dfg/DFGCompilationMode.cpp:
1985         * dfg/DFGConstantFoldingPhase.cpp:
1986         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
1987         * dfg/DFGDCEPhase.cpp:
1988         * dfg/DFGDesiredIdentifiers.cpp:
1989         * dfg/DFGDesiredStructureChains.cpp:
1990         * dfg/DFGDesiredTransitions.cpp:
1991         * dfg/DFGDesiredWatchpoints.cpp:
1992         * dfg/DFGDesiredWeakReferences.cpp:
1993         * dfg/DFGDesiredWriteBarriers.cpp:
1994         * dfg/DFGDisassembler.cpp:
1995         * dfg/DFGDominators.cpp:
1996         * dfg/DFGDriver.cpp:
1997         * dfg/DFGEdge.cpp:
1998         * dfg/DFGFailedFinalizer.cpp:
1999         * dfg/DFGFinalizer.cpp:
2000         * dfg/DFGFixupPhase.cpp:
2001         * dfg/DFGFlushFormat.cpp:
2002         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
2003         * dfg/DFGFlushedAt.cpp:
2004         * dfg/DFGGraph.cpp:
2005         * dfg/DFGGraphSafepoint.cpp:
2006         * dfg/DFGInPlaceAbstractState.cpp:
2007         * dfg/DFGInvalidationPointInjectionPhase.cpp:
2008         * dfg/DFGJITCode.cpp:
2009         * dfg/DFGJITCompiler.cpp:
2010         * dfg/DFGJITFinalizer.cpp:
2011         * dfg/DFGJumpReplacement.cpp:
2012         * dfg/DFGLICMPhase.cpp:
2013         * dfg/DFGLazyJSValue.cpp:
2014         * dfg/DFGLivenessAnalysisPhase.cpp:
2015         * dfg/DFGLongLivedState.cpp:
2016         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
2017         * dfg/DFGMinifiedNode.cpp:
2018         * dfg/DFGNaturalLoops.cpp:
2019         * dfg/DFGNode.cpp:
2020         * dfg/DFGNodeFlags.cpp:
2021         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2022         * dfg/DFGOSREntry.cpp:
2023         * dfg/DFGOSREntrypointCreationPhase.cpp:
2024         * dfg/DFGOSRExit.cpp:
2025         * dfg/DFGOSRExitBase.cpp:
2026         * dfg/DFGOSRExitCompiler.cpp:
2027         * dfg/DFGOSRExitCompiler32_64.cpp:
2028         * dfg/DFGOSRExitCompiler64.cpp:
2029         * dfg/DFGOSRExitCompilerCommon.cpp:
2030         * dfg/DFGOSRExitJumpPlaceholder.cpp:
2031         * dfg/DFGOSRExitPreparation.cpp:
2032         * dfg/DFGOperations.cpp:
2033         * dfg/DFGPhase.cpp:
2034         * dfg/DFGPlan.cpp:
2035         * dfg/DFGPredictionInjectionPhase.cpp:
2036         * dfg/DFGPredictionPropagationPhase.cpp:
2037         * dfg/DFGResurrectionForValidationPhase.cpp:
2038         * dfg/DFGSSAConversionPhase.cpp:
2039         * dfg/DFGSSALoweringPhase.cpp:
2040         * dfg/DFGSafepoint.cpp:
2041         * dfg/DFGSpeculativeJIT.cpp:
2042         * dfg/DFGSpeculativeJIT32_64.cpp:
2043         * dfg/DFGSpeculativeJIT64.cpp:
2044         * dfg/DFGStackLayoutPhase.cpp:
2045         * dfg/DFGStoreBarrierElisionPhase.cpp:
2046         * dfg/DFGStrengthReductionPhase.cpp:
2047         * dfg/DFGThreadData.cpp:
2048         * dfg/DFGThunks.cpp:
2049         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2050         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
2051         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
2052         * dfg/DFGTypeCheckHoistingPhase.cpp:
2053         * dfg/DFGUnificationPhase.cpp:
2054         * dfg/DFGUseKind.cpp:
2055         * dfg/DFGValidate.cpp:
2056         * dfg/DFGValueSource.cpp:
2057         * dfg/DFGVariableAccessDataDump.cpp:
2058         * dfg/DFGVariableEvent.cpp:
2059         * dfg/DFGVariableEventStream.cpp:
2060         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
2061         * dfg/DFGWatchpointCollectionPhase.cpp:
2062         * dfg/DFGWorklist.cpp:
2063         * ftl/FTLAbstractHeap.cpp:
2064         * ftl/FTLAbstractHeapRepository.cpp:
2065         * ftl/FTLExitValue.cpp:
2066         * ftl/FTLLink.cpp:
2067         * ftl/FTLLowerDFGToLLVM.cpp:
2068         * ftl/FTLOSREntry.cpp:
2069         * ftl/FTLOSRExit.cpp:
2070         * ftl/FTLOSRExitCompiler.cpp:
2071         * ftl/FTLSlowPathCall.cpp:
2072         * heap/BlockAllocator.cpp:
2073         * heap/CodeBlockSet.cpp:
2074         * heap/ConservativeRoots.cpp:
2075         * heap/CopiedSpace.cpp:
2076         * heap/CopyVisitor.cpp:
2077         * heap/DeferGC.cpp:
2078         * heap/GCThread.cpp:
2079         * heap/GCThreadSharedData.cpp:
2080         * heap/HandleSet.cpp:
2081         * heap/HandleStack.cpp:
2082         * heap/Heap.cpp:
2083         * heap/HeapStatistics.cpp:
2084         * heap/HeapTimer.cpp:
2085         * heap/IncrementalSweeper.cpp:
2086         * heap/JITStubRoutineSet.cpp:
2087         * heap/MachineStackMarker.cpp:
2088         * heap/MarkStack.cpp:
2089         * heap/MarkedAllocator.cpp:
2090         * heap/MarkedBlock.cpp:
2091         * heap/MarkedSpace.cpp:
2092         * heap/SlotVisitor.cpp:
2093         * heap/SuperRegion.cpp:
2094         * heap/Weak.cpp:
2095         * heap/WeakBlock.cpp:
2096         * heap/WeakHandleOwner.cpp:
2097         * heap/WeakSet.cpp:
2098         * heap/WriteBarrierBuffer.cpp:
2099         * heap/WriteBarrierSupport.cpp:
2100         * inspector/InjectedScript.cpp:
2101         * inspector/InjectedScriptBase.cpp:
2102         * inspector/JSGlobalObjectScriptDebugServer.cpp:
2103         * inspector/JSInjectedScriptHost.cpp:
2104         * inspector/ScriptArguments.cpp:
2105         * inspector/ScriptCallStackFactory.cpp:
2106         * interpreter/AbstractPC.cpp:
2107         * interpreter/CallFrame.cpp:
2108         * interpreter/Interpreter.cpp:
2109         * interpreter/JSStack.cpp:
2110         * interpreter/ProtoCallFrame.cpp:
2111         * interpreter/StackVisitor.cpp:
2112         * interpreter/VMInspector.cpp:
2113         * jit/ArityCheckFailReturnThunks.cpp:
2114         * jit/AssemblyHelpers.cpp:
2115         * jit/ClosureCallStubRoutine.cpp:
2116         * jit/ExecutableAllocator.cpp:
2117         * jit/ExecutableAllocatorFixedVMPool.cpp:
2118         * jit/GCAwareJITStubRoutine.cpp:
2119         * jit/HostCallReturnValue.cpp:
2120         * jit/JIT.cpp:
2121         * jit/JITArithmetic.cpp:
2122         * jit/JITArithmetic32_64.cpp:
2123         * jit/JITCall.cpp:
2124         * jit/JITCall32_64.cpp:
2125         * jit/JITCode.cpp:
2126         * jit/JITDisassembler.cpp:
2127         * jit/JITExceptions.cpp:
2128         * jit/JITInlineCacheGenerator.cpp:
2129         * jit/JITInlines.h:
2130         * jit/JITOperations.cpp:
2131         * jit/JITOperationsMSVC64.cpp:
2132         * jit/JITStubRoutine.cpp:
2133         * jit/JITStubs.cpp:
2134         * jit/JITThunks.cpp:
2135         * jit/JITToDFGDeferredCompilationCallback.cpp:
2136         * jit/RegisterPreservationWrapperGenerator.cpp:
2137         * jit/RegisterSet.cpp:
2138         * jit/Repatch.cpp:
2139         * jit/TempRegisterSet.cpp:
2140         * jit/ThunkGenerators.cpp:
2141         * jsc.cpp:
2142         * llint/LLIntExceptions.cpp:
2143         * llint/LLIntSlowPaths.cpp:
2144         * llint/LowLevelInterpreter.cpp:
2145         * parser/Lexer.cpp:
2146         * parser/Nodes.cpp:
2147         * parser/Parser.cpp:
2148         * parser/ParserArena.cpp:
2149         * parser/SourceCode.cpp:
2150         * parser/SourceProvider.cpp:
2151         * parser/SourceProviderCache.cpp:
2152         * profiler/LegacyProfiler.cpp:
2153         * profiler/ProfileGenerator.cpp:
2154         * profiler/ProfilerBytecode.cpp:
2155         * profiler/ProfilerBytecodeSequence.cpp:
2156         * profiler/ProfilerBytecodes.cpp:
2157         * profiler/ProfilerCompilation.cpp:
2158         * profiler/ProfilerCompiledBytecode.cpp:
2159         * profiler/ProfilerDatabase.cpp:
2160         * profiler/ProfilerOSRExit.cpp:
2161         * profiler/ProfilerOSRExitSite.cpp:
2162         * profiler/ProfilerOrigin.cpp:
2163         * profiler/ProfilerOriginStack.cpp:
2164         * profiler/ProfilerProfiledBytecodes.cpp:
2165         * runtime/ArgList.cpp:
2166         * runtime/Arguments.cpp:
2167         * runtime/ArgumentsIteratorPrototype.cpp:
2168         * runtime/ArrayBuffer.cpp:
2169         * runtime/ArrayBufferNeuteringWatchpoint.cpp:
2170         * runtime/ArrayConstructor.cpp:
2171         * runtime/ArrayPrototype.cpp:
2172         * runtime/BooleanConstructor.cpp:
2173         * runtime/BooleanObject.cpp:
2174         * runtime/BooleanPrototype.cpp:
2175         * runtime/CallData.cpp:
2176         * runtime/CodeCache.cpp:
2177         * runtime/CommonSlowPaths.cpp:
2178         * runtime/CommonSlowPathsExceptions.cpp:
2179         * runtime/Completion.cpp:
2180         * runtime/ConstructData.cpp:
2181         * runtime/DateConstructor.cpp:
2182         * runtime/DateInstance.cpp:
2183         * runtime/DatePrototype.cpp:
2184         * runtime/Error.cpp:
2185         * runtime/ErrorConstructor.cpp:
2186         * runtime/ErrorInstance.cpp:
2187         * runtime/ErrorPrototype.cpp:
2188         * runtime/ExceptionHelpers.cpp:
2189         * runtime/Executable.cpp:
2190         * runtime/FunctionConstructor.cpp:
2191         * runtime/FunctionPrototype.cpp:
2192         * runtime/GetterSetter.cpp:
2193         * runtime/Identifier.cpp:
2194         * runtime/IntendedStructureChain.cpp:
2195         * runtime/InternalFunction.cpp:
2196         * runtime/JSActivation.cpp:
2197         * runtime/JSArgumentsIterator.cpp:
2198         * runtime/JSArray.cpp:
2199         * runtime/JSArrayBuffer.cpp:
2200         * runtime/JSArrayBufferConstructor.cpp:
2201         * runtime/JSArrayBufferPrototype.cpp:
2202         * runtime/JSArrayBufferView.cpp:
2203         * runtime/JSBoundFunction.cpp:
2204         * runtime/JSCInlines.h: Copied from Source/JavaScriptCore/runtime/Operations.h.
2205         * runtime/JSCell.cpp:
2206         * runtime/JSDataView.cpp:
2207         * runtime/JSDataViewPrototype.cpp:
2208         * runtime/JSDateMath.cpp:
2209         * runtime/JSFunction.cpp:
2210         * runtime/JSGlobalObject.cpp:
2211         * runtime/JSGlobalObjectFunctions.cpp:
2212         * runtime/JSLock.cpp:
2213         * runtime/JSNameScope.cpp:
2214         * runtime/JSNotAnObject.cpp:
2215         * runtime/JSONObject.cpp:
2216         * runtime/JSObject.cpp:
2217         * runtime/JSPropertyNameIterator.cpp:
2218         * runtime/JSPropertyNameIterator.h:
2219         * runtime/JSProxy.cpp:
2220         * runtime/JSScope.cpp:
2221         * runtime/JSSegmentedVariableObject.cpp:
2222         * runtime/JSString.cpp:
2223         * runtime/JSStringJoiner.cpp:
2224         * runtime/JSSymbolTableObject.cpp:
2225         * runtime/JSTypedArrayConstructors.cpp:
2226         * runtime/JSTypedArrayPrototypes.cpp:
2227         * runtime/JSTypedArrays.cpp:
2228         * runtime/JSVariableObject.cpp:
2229         * runtime/JSWithScope.cpp:
2230         * runtime/JSWrapperObject.cpp:
2231         * runtime/LiteralParser.cpp:
2232         * runtime/Lookup.cpp:
2233         * runtime/MathObject.cpp:
2234         * runtime/NameConstructor.cpp:
2235         * runtime/NameInstance.cpp:
2236         * runtime/NamePrototype.cpp:
2237         * runtime/NativeErrorConstructor.cpp:
2238         * runtime/NativeErrorPrototype.cpp:
2239         * runtime/NumberConstructor.cpp:
2240         * runtime/NumberObject.cpp:
2241         * runtime/NumberPrototype.cpp:
2242         * runtime/ObjectConstructor.cpp:
2243         * runtime/ObjectPrototype.cpp:
2244         * runtime/Operations.cpp:
2245         * runtime/Operations.h:
2246         * runtime/PropertyDescriptor.cpp:
2247         * runtime/PrototypeMap.cpp:
2248         * runtime/RegExp.cpp:
2249         * runtime/RegExpCache.cpp:
2250         * runtime/RegExpCachedResult.cpp:
2251         * runtime/RegExpConstructor.cpp:
2252         * runtime/RegExpMatchesArray.cpp:
2253         * runtime/RegExpObject.cpp:
2254         * runtime/RegExpPrototype.cpp:
2255         * runtime/SimpleTypedArrayController.cpp:
2256         * runtime/SmallStrings.cpp:
2257         * runtime/SparseArrayValueMap.cpp:
2258         * runtime/StrictEvalActivation.cpp:
2259         * runtime/StringConstructor.cpp:
2260         * runtime/StringObject.cpp:
2261         * runtime/StringPrototype.cpp:
2262         * runtime/StringRecursionChecker.cpp:
2263         * runtime/Structure.cpp:
2264         * runtime/StructureChain.cpp:
2265         * runtime/StructureRareData.cpp:
2266         * runtime/SymbolTable.cpp:
2267         * runtime/TestRunnerUtils.cpp:
2268         * runtime/VM.cpp:
2269         * testRegExp.cpp:
2270
2271 2014-02-10  Matthew Mirman  <mmirman@apple.com>
2272
2273         Removes the inline assert from SpeculativeJIT's ReallocatePropertyStorage
2274         https://bugs.webkit.org/show_bug.cgi?id=128566
2275
2276         Reviewed by Filip Pizlo.
2277
2278         * dfg/DFGSpeculativeJIT.cpp:
2279         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2280
2281 2014-02-10  Filip Pizlo  <fpizlo@apple.com>
2282
2283         Rename getRecordMap to computeRecordMap.
2284
2285         Rubber stamped by Michael Saboff.
2286         
2287         "get" is such a weird prefix. It implies a getter. We don't prefix our getters with
2288         anything in WebKit. Also, this isn't a getter. It actually does work to transform
2289         the stackmaps into a hashmap. So, computeRecordMap is a much better name.
2290
2291         * ftl/FTLCompile.cpp:
2292         (JSC::FTL::compile):
2293         * ftl/FTLJITFinalizer.cpp:
2294         (JSC::FTL::JITFinalizer::finalizeFunction):
2295         * ftl/FTLStackMaps.cpp:
2296         (JSC::FTL::StackMaps::computeRecordMap):
2297         * ftl/FTLStackMaps.h:
2298
2299 2014-02-10  Matthew Mirman  <mmirman@apple.com>
2300
2301         ReallocatePropertyStorage in FTL
2302         https://bugs.webkit.org/show_bug.cgi?id=128352
2303
2304         Reviewed by Filip Pizlo.
2305
2306         * ftl/FTLCapabilities.cpp:
2307         (JSC::FTL::canCompile):
2308         * ftl/FTLIntrinsicRepository.h:
2309         * ftl/FTLLowerDFGToLLVM.cpp:
2310         (JSC::FTL::LowerDFGToLLVM::compileNode):
2311         (JSC::FTL::LowerDFGToLLVM::compileReallocatePropertyStorage):
2312         * tests/stress/ftl-reallocatepropertystorage.js: Added.
2313         (foo):
2314
2315 2014-02-10  Michael Saboff  <msaboff@apple.com>
2316
2317         Fail FTL compilation if the required stack is too big
2318         https://bugs.webkit.org/show_bug.cgi?id=128560
2319
2320         Reviewed by Filip Pizlo.
2321
2322         Added StackSize struct to FTLStackMaps and populated it.  Added and updated
2323         related dump functions.  Use the stack size found at the end of the compilation
2324         to compare against the value of a new option, llvmMaxStackSize.  We fail the
2325         compile if the function's stack size is greater than llvmMaxStackSize.
2326
2327         * dfg/DFGPlan.cpp:
2328         (JSC::DFG::Plan::compileInThreadImpl):
2329         * ftl/FTLStackMaps.cpp:
2330         (JSC::FTL::StackMaps::StackSize::parse):
2331         (JSC::FTL::StackMaps::StackSize::dump):
2332         (JSC::FTL::StackMaps::parse):
2333         (JSC::FTL::StackMaps::dump):
2334         (JSC::FTL::StackMaps::dumpMultiline):
2335         (JSC::FTL::StackMaps::getStackSize):
2336         * ftl/FTLStackMaps.h:
2337         * runtime/Options.h:
2338
2339 2014-02-10  Mark Lam  <mark.lam@apple.com>
2340
2341         Change JSLock::dropAllLocks() and friends to use lock() and unlock().
2342         <https://webkit.org/b/128451>
2343
2344         Reviewed by Geoffrey Garen.
2345
2346         Currently, JSLock's dropAllLocks(), dropAllLocksUnconditionally(), and
2347         grabAllLocks() implement locking / unlocking by duplicating the code from
2348         lock() and unlock(). Instead, they should just call lock() and unlock().
2349
2350         * runtime/JSLock.cpp:
2351         (JSC::JSLock::lock):
2352         (JSC::JSLock::unlock):
2353         - Modified lock() and unlock() into a version that takes an entry count
2354           to lock / unlock. The previous lock() and unlock() now calls these
2355           new versions with an entry count of 1.
2356
2357         (JSC::JSLock::dropAllLocks):
2358         (JSC::JSLock::dropAllLocksUnconditionally):
2359         (JSC::JSLock::grabAllLocks):
2360         - Delegate to unlock() and lock() instead of duplicating the lock / unlock
2361           code.
2362         - There are some differences with calling lock() instead of duplicating its
2363           code in grabAllLocks(), i.e. lock() does the following additional work:
2364
2365           1. lock() does a re-entry check that is not needed by grabAllLocks().
2366              However, this is effectively a no-op since we never own the JSLock
2367              before calling grabAllLocks().
2368
2369           2. set VM stackPointerAtVMEntry.
2370           3. update VM stackLimit and reservedZoneSize.
2371           4. set VM lastStackTop.
2372              These 3 steps are just busy work which are also effectively no-ops
2373              because immediately after lock() returns, grabAllLocks() will write
2374              over those values with their saved versions in the threadData.
2375
2376         * runtime/JSLock.h:
2377
2378 2014-02-10  Anders Carlsson  <andersca@apple.com>
2379
2380         Try to fix the Windows build.
2381
2382         * heap/UnconditionalFinalizer.h:
2383         * runtime/SymbolTable.h:
2384
2385 2014-02-10  Andreas Kling  <akling@apple.com>
2386
2387         Make the Identifier::add() family return PassRef<StringImpl>.
2388         <https://webkit.org/b/128542>
2389
2390         This knocks one branch off of creating an Identifier from another
2391         string source.
2392
2393         Reviewed by Oliver Hunt.
2394
2395         * runtime/Identifier.cpp:
2396         (JSC::Identifier::add):
2397         (JSC::Identifier::add8):
2398         (JSC::Identifier::addSlowCase):
2399         * runtime/Identifier.h:
2400         (JSC::Identifier::add):
2401         * runtime/Lookup.cpp:
2402         (JSC::HashTable::createTable):
2403
2404 2014-02-09  Mark Lam  <mark.lam@apple.com>
2405
2406         Remove unnecessary spinLock in JSLock.
2407         <https://webkit.org/b/128450>
2408
2409         Reviewed by Filip Pizlo.
2410
2411         The JSLock's mutex already provides protection for write access to
2412         JSLock's internal state. The only JSLock state that needs to be read
2413         from any thread including threads that don't own the JSLock is
2414         m_ownerThread, which is used in currentThreadIsHoldingLock() to do an
2415         ownership test on the lock.
2416
2417         It is safe for other threads to read from m_ownerThread because they
2418         only need to know whether its value matches their own thread id
2419         (provided by WTF::currentThread()).
2420
2421         Here are the scenarios for how the ownership test can go:
2422
2423         1. The JSLock has just been initialized and is not owned by any thread.
2424
2425            In this case, m_ownerThread will be 0 and will not match any thread's
2426            thread id. The checking thread will know that it needs to lock the
2427            JSLock before using the VM.
2428
2429         2. The JSLock was previously locked, but now is unlocked.
2430
2431            When we unlock it in JSLock::unlock(), the owner thread clears
2432            m_ownerThread to 0. Hence, this case is the same as (1) above.
2433
2434         3. The JSLock is locked by Thread A. Thread B is checking ownership.
2435
2436            In this case, m_ownerThread will contain Thread A's thread id.
2437            Thread B will see that the thread id does not match its own and will
2438            proceed to block on the JSLock's mutex to wait for its turn to use
2439            the VM.
2440
2441            With Weak Memory Ordering architectures, Thread A's thread id may
2442            not get written out to memory before Thread B inspects m_ownerThread.
2443            However, though Thread B may not see Thread A's thread id in
2444            m_ownerThread, it will see 0 which is the last value written to it
2445            before the JSLock mutex was unlocked. The mutex unlock would have
2446            executed a memory fence which would have flushed the 0 to
2447            m_ownerThread in memory. Hence, Thread B will know that it does not
2448            own the lock.
2449
2450         Apart from removing the unneeded spin lock code, I also changed the
2451         JSLock code to use currentThreadIsHoldingLock() and setOwnerThread()
2452         instead of accessing m_ownerThread directly.
2453
2454         * runtime/JSLock.cpp:
2455         (JSC::JSLock::JSLock):
2456
2457         (JSC::JSLock::lock):
2458         - Removed spinLock but left the indentation as is to keep the diff to a
2459           minimum for better readability. Will unindent in a subsequent patch.
2460
2461         (JSC::JSLock::unlock):
2462         - Before unlocking the mutex, clear m_ownerThread to indicate that the
2463           lock is no longer owned.
2464
2465         (JSC::JSLock::currentThreadIsHoldingLock):
2466         - Removed the check of m_lockCount for determining ownership. Checking
2467           m_ownerThread is sufficient.
2468
2469         (JSC::JSLock::dropAllLocks):
2470         (JSC::JSLock::dropAllLocksUnconditionally):
2471         - Renamed local locksToDrop to the better name droppedLockCount.
2472         - Clear m_ownerThread since we're unlocking the JSLock.
2473
2474         (JSC::JSLock::grabAllLocks):
2475         - Removed unneeded lock ownership test for lock re-entry case because
2476           grabAllLocks() is never used to re-enter a locked JSLock.
2477
2478         (JSC::JSLock::DropAllLocks::DropAllLocks):
2479         (JSC::JSLock::DropAllLocks::~DropAllLocks):
2480
2481         * runtime/JSLock.h:
2482         (JSC::JSLock::setOwnerThread):
2483
2484 2014-02-10  Filip Pizlo  <fpizlo@apple.com>
2485
2486         Unreviewed, roll out http://trac.webkit.org/changeset/163796
2487
2488         The change was not justified in any way and it has a net negative effect on the code.
2489
2490         * dfg/DFGAbstractInterpreter.h:
2491         * dfg/DFGAbstractValue.h:
2492         * dfg/DFGAdjacencyList.h:
2493         * dfg/DFGArgumentPosition.h:
2494         * dfg/DFGArgumentsSimplificationPhase.cpp:
2495         * dfg/DFGArrayMode.cpp:
2496         * dfg/DFGArrayifySlowPathGenerator.h:
2497         * dfg/DFGAtTailAbstractState.h:
2498         * dfg/DFGAvailability.h:
2499         * dfg/DFGBackwardsPropagationPhase.cpp:
2500         * dfg/DFGBasicBlock.h:
2501         * dfg/DFGBasicBlockInlines.h:
2502         * dfg/DFGByteCodeParser.cpp:
2503         * dfg/DFGCFAPhase.cpp:
2504         * dfg/DFGCFGSimplificationPhase.cpp:
2505         * dfg/DFGCPSRethreadingPhase.cpp:
2506         * dfg/DFGCSEPhase.cpp:
2507         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
2508         * dfg/DFGCapabilities.cpp:
2509         * dfg/DFGCapabilities.h:
2510         * dfg/DFGClobberize.h:
2511         * dfg/DFGCommonData.cpp:
2512         * dfg/DFGConstantFoldingPhase.cpp:
2513         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
2514         * dfg/DFGDCEPhase.cpp:
2515         * dfg/DFGDominators.h:
2516         * dfg/DFGDriver.cpp:
2517         * dfg/DFGDriver.h:
2518         * dfg/DFGFixupPhase.cpp:
2519         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
2520         * dfg/DFGGenerationInfo.h:
2521         * dfg/DFGGraph.cpp:
2522         * dfg/DFGGraph.h:
2523         * dfg/DFGInPlaceAbstractState.cpp:
2524         * dfg/DFGInPlaceAbstractState.h:
2525         * dfg/DFGInlineCacheWrapperInlines.h:
2526         * dfg/DFGInvalidationPointInjectionPhase.cpp:
2527         * dfg/DFGJITCode.h:
2528         * dfg/DFGJITCompiler.cpp:
2529         * dfg/DFGJITCompiler.h:
2530         * dfg/DFGJITFinalizer.cpp:
2531         * dfg/DFGJITFinalizer.h:
2532         * dfg/DFGLICMPhase.cpp:
2533         * dfg/DFGLivenessAnalysisPhase.cpp:
2534         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
2535         * dfg/DFGMinifiedNode.h:
2536         * dfg/DFGNaturalLoops.h:
2537         * dfg/DFGNode.cpp:
2538         * dfg/DFGNode.h:
2539         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2540         * dfg/DFGOSREntry.cpp:
2541         * dfg/DFGOSREntrypointCreationPhase.cpp:
2542         * dfg/DFGOSRExit.cpp:
2543         * dfg/DFGOSRExit.h:
2544         * dfg/DFGOSRExitBase.cpp:
2545         * dfg/DFGOSRExitCompilationInfo.h:
2546         * dfg/DFGOSRExitCompiler.cpp:
2547         * dfg/DFGOSRExitCompiler32_64.cpp:
2548         * dfg/DFGOSRExitCompiler64.cpp:
2549         * dfg/DFGOSRExitJumpPlaceholder.cpp:
2550         * dfg/DFGOperations.cpp:
2551         * dfg/DFGPhase.h:
2552         * dfg/DFGPlan.h:
2553         * dfg/DFGPredictionInjectionPhase.cpp:
2554         * dfg/DFGPredictionPropagationPhase.cpp:
2555         * dfg/DFGResurrectionForValidationPhase.cpp:
2556         * dfg/DFGSSAConversionPhase.cpp:
2557         * dfg/DFGSSALoweringPhase.cpp:
2558         * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
2559         * dfg/DFGSlowPathGenerator.h:
2560         * dfg/DFGSpeculativeJIT.cpp:
2561         * dfg/DFGSpeculativeJIT.h:
2562         * dfg/DFGSpeculativeJIT32_64.cpp:
2563         * dfg/DFGSpeculativeJIT64.cpp:
2564         * dfg/DFGStackLayoutPhase.cpp:
2565         * dfg/DFGStoreBarrierElisionPhase.cpp:
2566         * dfg/DFGStrengthReductionPhase.cpp:
2567         * dfg/DFGThunks.cpp:
2568         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2569         * dfg/DFGTypeCheckHoistingPhase.cpp:
2570         * dfg/DFGUnificationPhase.cpp:
2571         * dfg/DFGValidate.h:
2572         * dfg/DFGValueSource.h:
2573         * dfg/DFGVariableAccessData.h:
2574         * dfg/DFGVariableAccessDataDump.cpp:
2575         * dfg/DFGVariableEvent.h:
2576         * dfg/DFGVariableEventStream.h:
2577         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
2578         * dfg/DFGWatchpointCollectionPhase.cpp:
2579         * dfg/DFGWorklist.cpp:
2580
2581 2014-02-10  Peter Molnar  <pmolnar.u-szeged@partner.samsung.com>
2582
2583         Remove extra includes from DFG
2584         https://bugs.webkit.org/show_bug.cgi?id=126983
2585
2586         Reviewed by Andreas Kling.
2587
2588         * dfg/DFGAbstractInterpreter.h:
2589         * dfg/DFGAbstractValue.h:
2590         * dfg/DFGAdjacencyList.h:
2591         * dfg/DFGArgumentPosition.h:
2592         * dfg/DFGArgumentsSimplificationPhase.cpp:
2593         * dfg/DFGArrayMode.cpp:
2594         * dfg/DFGArrayifySlowPathGenerator.h:
2595         * dfg/DFGAtTailAbstractState.h:
2596         * dfg/DFGAvailability.h:
2597         * dfg/DFGBackwardsPropagationPhase.cpp:
2598         * dfg/DFGBasicBlock.h:
2599         * dfg/DFGBasicBlockInlines.h:
2600         * dfg/DFGByteCodeParser.cpp:
2601         * dfg/DFGCFAPhase.cpp:
2602         * dfg/DFGCFGSimplificationPhase.cpp:
2603         * dfg/DFGCPSRethreadingPhase.cpp:
2604         * dfg/DFGCSEPhase.cpp:
2605         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
2606         * dfg/DFGCapabilities.cpp:
2607         * dfg/DFGCapabilities.h:
2608         * dfg/DFGClobberize.h:
2609         * dfg/DFGCommonData.cpp:
2610         * dfg/DFGConstantFoldingPhase.cpp:
2611         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
2612         * dfg/DFGDCEPhase.cpp:
2613         * dfg/DFGDominators.h:
2614         * dfg/DFGDriver.cpp:
2615         * dfg/DFGDriver.h:
2616         * dfg/DFGFixupPhase.cpp:
2617         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
2618         * dfg/DFGGenerationInfo.h:
2619         * dfg/DFGGraph.cpp:
2620         * dfg/DFGGraph.h:
2621         * dfg/DFGInPlaceAbstractState.cpp:
2622         * dfg/DFGInPlaceAbstractState.h:
2623         * dfg/DFGInlineCacheWrapperInlines.h:
2624         * dfg/DFGInvalidationPointInjectionPhase.cpp:
2625         * dfg/DFGJITCode.h:
2626         * dfg/DFGJITCompiler.cpp:
2627         * dfg/DFGJITCompiler.h:
2628         * dfg/DFGJITFinalizer.cpp:
2629         * dfg/DFGJITFinalizer.h:
2630         * dfg/DFGLICMPhase.cpp:
2631         * dfg/DFGLivenessAnalysisPhase.cpp:
2632         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
2633         * dfg/DFGMinifiedNode.h:
2634         * dfg/DFGNaturalLoops.h:
2635         * dfg/DFGNode.cpp:
2636         * dfg/DFGNode.h:
2637         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2638         * dfg/DFGOSREntry.cpp:
2639         * dfg/DFGOSREntrypointCreationPhase.cpp:
2640         * dfg/DFGOSRExit.cpp:
2641         * dfg/DFGOSRExit.h:
2642         * dfg/DFGOSRExitBase.cpp:
2643         * dfg/DFGOSRExitCompilationInfo.h:
2644         * dfg/DFGOSRExitCompiler.cpp:
2645         * dfg/DFGOSRExitCompiler32_64.cpp:
2646         * dfg/DFGOSRExitCompiler64.cpp:
2647         * dfg/DFGOSRExitJumpPlaceholder.cpp:
2648         * dfg/DFGOperations.cpp:
2649         * dfg/DFGPhase.h:
2650         * dfg/DFGPlan.h:
2651         * dfg/DFGPredictionInjectionPhase.cpp:
2652         * dfg/DFGPredictionPropagationPhase.cpp:
2653         * dfg/DFGResurrectionForValidationPhase.cpp:
2654         * dfg/DFGSSAConversionPhase.cpp:
2655         * dfg/DFGSSALoweringPhase.cpp:
2656         * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
2657         * dfg/DFGSlowPathGenerator.h:
2658         * dfg/DFGSpeculativeJIT.cpp:
2659         * dfg/DFGSpeculativeJIT.h:
2660         * dfg/DFGSpeculativeJIT32_64.cpp:
2661         * dfg/DFGSpeculativeJIT64.cpp:
2662         * dfg/DFGStackLayoutPhase.cpp:
2663         * dfg/DFGStoreBarrierElisionPhase.cpp:
2664         * dfg/DFGStrengthReductionPhase.cpp:
2665         * dfg/DFGThunks.cpp:
2666         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2667         * dfg/DFGTypeCheckHoistingPhase.cpp:
2668         * dfg/DFGUnificationPhase.cpp:
2669         * dfg/DFGValidate.h:
2670         * dfg/DFGValueSource.h:
2671         * dfg/DFGVariableAccessData.h:
2672         * dfg/DFGVariableAccessDataDump.cpp:
2673         * dfg/DFGVariableEvent.h:
2674         * dfg/DFGVariableEventStream.h:
2675         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
2676         * dfg/DFGWatchpointCollectionPhase.cpp:
2677         * dfg/DFGWorklist.cpp:
2678
2679 2014-02-10  Filip Pizlo  <fpizlo@apple.com>
2680
2681         JSC environment variables should override other mechanisms for setting options
2682         https://bugs.webkit.org/show_bug.cgi?id=128511
2683
2684         Reviewed by Geoffrey Garen.
2685
2686         * runtime/Options.cpp:
2687         (JSC::Options::setOption):
2688         * runtime/Options.h:
2689
2690 2014-02-10  Darin Adler  <darin@apple.com>
2691
2692         Stop using String::deprecatedCharacters to call WTF::Collator
2693         https://bugs.webkit.org/show_bug.cgi?id=128517
2694
2695         Reviewed by Alexey Proskuryakov.
2696
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncLocaleCompare): Use the default constructor for Collator, which now
        gives the default locale collation rules. Use the new arguments for Collator::collate, which
        are now StringView. These two changes together eliminate the need for a separate helper function.

2014-02-10  Filip Pizlo  <fpizlo@apple.com>

        <1/100 probability FTL failure: v8-v6/v8-deltablue.js.ftl-eager: Exception: TypeError: undefined is not an object (evaluating 'c.isInput')
        https://bugs.webkit.org/show_bug.cgi?id=128278

        Reviewed by Mark Hahnenberg.

        Fix another FTL flake due to bytecode liveness corner cases. Hopefully it's the last
        one.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock): Make sure that inside a constructor, the 'this' result is always set. This makes it easier to unify the treatment of 'this' for OSR exit: we just say that it's always live.
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::isLiveInBytecode): Assume that 'this' is live. We were already sort of doing this for calls because the callsite would claim it to be live. But we didn't do it for constructors. It's true that *at the callsite* 'this' won't be live, but inside the inlined constructor, it almost certainly will be.
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run): I just noticed this benign bug. We should only return 'true' if we actually injected checks.
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub): Make it easier to just dump disassembly for FTL OSR exits.
        * runtime/Options.h: Ditto.
        * tests/stress/inlined-constructor-this-liveness.js: Added.
        (Foo):
        (foo):
        * tests/stress/inlined-function-this-liveness.js: Added.
        (bar):
        (foo):

2014-02-10  Filip Pizlo  <fpizlo@apple.com>

        Actually register those DFG::Safepoints
        https://bugs.webkit.org/show_bug.cgi?id=128521

        Reviewed by Mark Hahnenberg.

        No test because GC + thread + JIT = ???.

        * dfg/DFGSafepoint.cpp:
        (JSC::DFG::Safepoint::~Safepoint):
        (JSC::DFG::Safepoint::begin):

2014-02-10  Peter Molnar  <pmolnar.u-szeged@partner.samsung.com>

        Fix EFL build with INSPECTOR disabled
        https://bugs.webkit.org/show_bug.cgi?id=125064

        Reviewed by Csaba Osztrogonác.

        * inspector/InjectedScriptManager.h:
        * inspector/ScriptDebugServer.cpp:
        * inspector/agents/InspectorAgent.h:
        * inspector/scripts/CodeGeneratorInspectorStrings.py:
        (Inspector):

2014-02-09  Filip Pizlo  <fpizlo@apple.com>

        GC blocks on FTL and then badness
        https://bugs.webkit.org/show_bug.cgi?id=128291

        Reviewed by Oliver Hunt.

        Introduce the notion of a DFG::Safepoint, which allows you to unlock the rightToRun
        mutex for your JIT thread, while supplying the GC with all of the information it would
        need to scan you at that moment in time. The default way of using this is
        DFG::GraphSafepoint, where you just supply the Graph. There's a lot of machinery in
        this patch just to make the Graph scannable.

        We then use DFG::GraphSafepoint in just two places for now: (1) while initializing LLVM
        and (2) while invoking LLVM's optimizer and backend.

        This is a 30% speed-up on Octane/typescript and a 10% speed-up on Octane/gbemu. 2-3%
        speed-up overall on Octane.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::visitChildren):
        * dfg/DFGGraph.h:
        * dfg/DFGGraphSafepoint.cpp: Added.
        (JSC::DFG::GraphSafepoint::GraphSafepoint):
        (JSC::DFG::GraphSafepoint::~GraphSafepoint):
        * dfg/DFGGraphSafepoint.h: Added.
        * dfg/DFGOperations.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPlan.h:
        * dfg/DFGSafepoint.cpp: Added.
        (JSC::DFG::Safepoint::Safepoint):
        (JSC::DFG::Safepoint::~Safepoint):
        (JSC::DFG::Safepoint::add):
        (JSC::DFG::Safepoint::begin):
        (JSC::DFG::Safepoint::visitChildren):
        * dfg/DFGSafepoint.h: Added.
        * dfg/DFGScannable.h: Added.
        (JSC::DFG::Scannable::Scannable):
        (JSC::DFG::Scannable::~Scannable):
        * dfg/DFGThreadData.cpp: Added.
        (JSC::DFG::ThreadData::ThreadData):
        (JSC::DFG::ThreadData::~ThreadData):
        * dfg/DFGThreadData.h: Added.
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::finishCreation):
        (JSC::DFG::Worklist::visitChildren):
        (JSC::DFG::Worklist::runThread):
        * dfg/DFGWorklist.h:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * heap/SlotVisitor.h:
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::appendUnbarrieredReadOnlyPointer):
        (JSC::SlotVisitor::appendUnbarrieredReadOnlyValue):

2014-02-09  Filip Pizlo  <fpizlo@apple.com>

        Never include *Inlines.h files in interface headers, and never include *Inlines.h when you could include Operations.h instead
        https://bugs.webkit.org/show_bug.cgi?id=128505

        Reviewed by Mark Hahnenberg and Oliver Hunt.

        * API/JSContextRef.cpp:
        * assembler/LinkBuffer.cpp:
        * bytecode/ArrayProfile.cpp:
        * bytecode/BytecodeBasicBlock.cpp:
        * bytecode/BytecodeLivenessAnalysisInlines.h:
        * bytecode/CallLinkInfo.cpp:
        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        * bytecode/CodeBlockJettisoningWatchpoint.cpp:
        * bytecode/ExecutionCounter.cpp:
        * bytecode/MethodOfGettingAValueProfile.cpp:
        * bytecode/PreciseJumpTargets.cpp:
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        * bytecode/SamplingTool.cpp:
        * bytecode/SpecialPointer.cpp:
        * bytecode/StructureStubClearingWatchpoint.cpp:
        * debugger/DebuggerCallFrame.cpp:
        * dfg/DFGAbstractHeap.cpp:
        * dfg/DFGAbstractValue.cpp:
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        * dfg/DFGArithMode.cpp:
        * dfg/DFGArrayMode.cpp:
        * dfg/DFGAtTailAbstractState.cpp:
        * dfg/DFGAvailability.cpp:
        * dfg/DFGBackwardsPropagationPhase.cpp:
        * dfg/DFGBasicBlock.cpp:
        * dfg/DFGBinarySwitch.cpp:
        * dfg/DFGBlockInsertionSet.cpp:
        * dfg/DFGByteCodeParser.cpp:
        * dfg/DFGCFAPhase.cpp:
        * dfg/DFGCFGSimplificationPhase.cpp:
        * dfg/DFGCPSRethreadingPhase.cpp:
        * dfg/DFGCSEPhase.cpp:
        * dfg/DFGCapabilities.cpp:
        * dfg/DFGClobberSet.cpp:
        * dfg/DFGClobberize.cpp:
        * dfg/DFGCommon.cpp:
        * dfg/DFGCommonData.cpp:
        * dfg/DFGCompilationKey.cpp:
        * dfg/DFGCompilationMode.cpp:
        * dfg/DFGConstantFoldingPhase.cpp:
        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        * dfg/DFGDCEPhase.cpp:
        * dfg/DFGDesiredIdentifiers.cpp:
        * dfg/DFGDesiredStructureChains.cpp:
        * dfg/DFGDesiredTransitions.cpp:
        * dfg/DFGDesiredWatchpoints.cpp:
        * dfg/DFGDisassembler.cpp:
        * dfg/DFGDisassembler.h:
        * dfg/DFGDominators.cpp:
        * dfg/DFGEdge.cpp:
        * dfg/DFGFailedFinalizer.cpp:
        * dfg/DFGFinalizer.cpp:
        * dfg/DFGFixupPhase.cpp:
        * dfg/DFGFlushFormat.cpp:
        * dfg/DFGFlushLivenessAnalysisPhase.cpp:
        * dfg/DFGFlushedAt.cpp:
        * dfg/DFGGraph.cpp:
        * dfg/DFGInPlaceAbstractState.cpp:
        * dfg/DFGInvalidationPointInjectionPhase.cpp:
        * dfg/DFGJITCode.cpp:
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGJITCompiler.h:
        * dfg/DFGJITFinalizer.cpp:
        * dfg/DFGJumpReplacement.cpp:
        * dfg/DFGLICMPhase.cpp:
        * dfg/DFGLazyJSValue.cpp:
        * dfg/DFGLivenessAnalysisPhase.cpp:
        * dfg/DFGLongLivedState.cpp:
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        * dfg/DFGMinifiedNode.cpp:
        * dfg/DFGNaturalLoops.cpp:
        * dfg/DFGNode.cpp:
        * dfg/DFGNodeFlags.cpp:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        * dfg/DFGOSREntry.cpp:
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        * dfg/DFGOSRExit.cpp:
        * dfg/DFGOSRExitBase.cpp:
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        * dfg/DFGOSRExitCompiler64.cpp:
        * dfg/DFGOSRExitCompilerCommon.cpp:
        * dfg/DFGOSRExitJumpPlaceholder.cpp:
        * dfg/DFGOSRExitPreparation.cpp:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPhase.cpp:
        * dfg/DFGPlan.cpp:
        * dfg/DFGPredictionInjectionPhase.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGResurrectionForValidationPhase.cpp:
        * dfg/DFGSSAConversionPhase.cpp:
        * dfg/DFGSSALoweringPhase.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:
        * dfg/DFGStackLayoutPhase.cpp:
        * dfg/DFGStoreBarrierElisionPhase.cpp:
        * dfg/DFGStrengthReductionPhase.cpp:
        * dfg/DFGThunks.cpp:
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        * dfg/DFGToFTLDeferredCompilationCallback.cpp:
        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        * dfg/DFGUnificationPhase.cpp:
        * dfg/DFGUseKind.cpp:
        * dfg/DFGValidate.cpp:
        * dfg/DFGValueSource.cpp:
        * dfg/DFGVariableAccessDataDump.cpp:
        * dfg/DFGVariableEvent.cpp:
        * dfg/DFGVariableEventStream.cpp:
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        * dfg/DFGWatchpointCollectionPhase.cpp:
        * dfg/DFGWorklist.cpp:
        * disassembler/Disassembler.cpp:
        * ftl/FTLLink.cpp:
        * ftl/FTLOSRExitCompiler.cpp:
        * ftl/FTLSlowPathCall.cpp:
        * ftl/FTLThunks.cpp:
        (JSC::FTL::slowPathCallThunkGenerator):
        * heap/BlockAllocator.cpp:
        * heap/CodeBlockSet.cpp:
        * heap/ConservativeRoots.cpp:
        * heap/DeferGC.cpp:
        * heap/GCThread.cpp:
        * heap/GCThreadSharedData.cpp:
        * heap/HeapTimer.cpp:
        * heap/IncrementalSweeper.cpp:
        * heap/JITStubRoutineSet.cpp:
        * heap/MachineStackMarker.cpp:
        * heap/MarkStack.cpp:
        * heap/MarkedAllocator.cpp:
        * heap/MarkedSpace.cpp:
        * heap/SuperRegion.cpp:
        * heap/Weak.cpp:
        * heap/WeakHandleOwner.cpp:
        * heap/WeakSet.cpp:
        * heap/WriteBarrierBuffer.cpp:
        * heap/WriteBarrierSupport.cpp:
        * inspector/ScriptCallStackFactory.cpp:
        * interpreter/AbstractPC.cpp:
        * interpreter/JSStack.cpp:
        * interpreter/ProtoCallFrame.cpp:
        * interpreter/VMInspector.cpp:
        * jit/ArityCheckFailReturnThunks.cpp:
        * jit/AssemblyHelpers.cpp:
        * jit/ExecutableAllocator.cpp:
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        * jit/GCAwareJITStubRoutine.cpp:
        * jit/HostCallReturnValue.cpp:
        * jit/JITDisassembler.cpp:
        * jit/JITDisassembler.h:
        * jit/JITExceptions.cpp:
        * jit/JITInlines.h:
        * jit/JITOperations.cpp:
        * jit/JITOperationsMSVC64.cpp:
        * jit/JITStubRoutine.cpp:
        * jit/JITStubs.cpp:
        * jit/JITToDFGDeferredCompilationCallback.cpp:
        * jit/RegisterPreservationWrapperGenerator.cpp:
        * jit/RegisterSet.cpp:
        * jit/Repatch.cpp:
        * jit/TempRegisterSet.cpp:
        * jsc.cpp:
        * parser/Lexer.cpp:
        * parser/Parser.cpp:
        * parser/ParserArena.cpp:
        * parser/SourceCode.cpp:
        * parser/SourceProvider.cpp:
        * parser/SourceProviderCache.cpp:
        * profiler/ProfileGenerator.cpp:
        * runtime/Arguments.cpp:
        * runtime/ArgumentsIteratorPrototype.cpp:
        * runtime/CommonSlowPathsExceptions.cpp:
        * runtime/JSArgumentsIterator.cpp:
        * runtime/JSFunction.cpp:
        * runtime/JSGlobalObjectFunctions.cpp:
        * runtime/ObjectConstructor.cpp:
        * runtime/Operations.h:
        * runtime/VM.cpp:

2014-02-09  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, don't mark isHostFunction() inline in the header file because that really confuses EFL.

        * runtime/JSFunction.h:

2014-02-09  Anders Carlsson  <andersca@apple.com>

        Add WTF_MAKE_FAST_ALLOCATED to more classes
        https://bugs.webkit.org/show_bug.cgi?id=128506

        Reviewed by Andreas Kling.

        * bytecode/UnlinkedInstructionStream.h:
        * runtime/SymbolTable.h:
        * runtime/WriteBarrier.h:

2014-02-09  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API NSDate conversion is off by 1000x (ms vs s)
        https://bugs.webkit.org/show_bug.cgi?id=128386

        Reviewed by Michael Saboff.

        * API/JSValue.mm:
        (valueToObjectWithoutCopy):
        (valueToDate):
        (objectToValueWithoutCopy):
        * API/tests/DateTests.h: Added.
        * API/tests/DateTests.mm: Added.
        (+[DateTests NSDateToJSDateTest]):
        (+[DateTests JSDateToNSDateTest]):
        (+[DateTests roundTripThroughJSDateTest]):
        (+[DateTests roundTripThroughObjCDateTest]):
        * API/tests/testapi.mm:
        (checkResult):
        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-02-09  Andreas Kling  <akling@apple.com>

        Pass VM instead of ExecState to JSCell::fastGetOwnProperty().
        <https://webkit.org/b/128497>

        Knocks off a couple of instructions.

        Reviewed by Anders Carlsson.

        * dfg/DFGOperations.cpp:
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::fastGetOwnProperty):

2014-02-09  Anders Carlsson  <andersca@apple.com>

        Convert some JSC code over to std::mutex
        https://bugs.webkit.org/show_bug.cgi?id=128500

        Reviewed by Dan Bernstein.

        * API/JSVirtualMachine.mm:
        (wrapperCacheMutex):
        (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
        (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
        * heap/GCThreadSharedData.h:
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::mergeOpaqueRoots):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::containsOpaqueRootTriState):
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::registerDebuggable):
        (Inspector::RemoteInspector::unregisterDebuggable):
        (Inspector::RemoteInspector::updateDebuggable):
        (Inspector::RemoteInspector::sendMessageToRemoteFrontend):
        (Inspector::RemoteInspector::start):
        (Inspector::RemoteInspector::stop):
        (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
        (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
        (Inspector::RemoteInspector::xpcConnectionFailed):
        (Inspector::RemoteInspector::pushListingSoon):
        (Inspector::RemoteInspector::receivedIndicateMessage):
        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::setup):
        (Inspector::RemoteInspectorDebuggableConnection::closeFromDebuggable):
        (Inspector::RemoteInspectorDebuggableConnection::close):
        (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
        * jit/ExecutableAllocator.cpp:
        (JSC::DemandExecutableAllocator::DemandExecutableAllocator):
        (JSC::DemandExecutableAllocator::~DemandExecutableAllocator):
        (JSC::DemandExecutableAllocator::bytesAllocatedByAllAllocators):
        (JSC::DemandExecutableAllocator::bytesCommittedByAllocactors):
        (JSC::DemandExecutableAllocator::dumpProfileFromAllAllocators):
        (JSC::DemandExecutableAllocator::allocatorsMutex):

2014-02-09  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r163737.
        http://trac.webkit.org/changeset/163737
        https://bugs.webkit.org/show_bug.cgi?id=128491

        Caused 8+ tests to fail on Mavericks and Mountain Lion bots
        (Requested by rniwa on #webkit).

        * runtime/JSString.h:
        (JSC::jsSingleCharacterString):
        (JSC::jsSingleCharacterSubstring):
        (JSC::jsString):
        (JSC::jsSubstring8):
        * runtime/SmallStrings.cpp:
        (JSC::SmallStringsStorage::SmallStringsStorage):
        (JSC::SmallStrings::SmallStrings):

2014-02-08  Anders Carlsson  <andersca@apple.com>

        Simplify single character substrings in JSC
        https://bugs.webkit.org/show_bug.cgi?id=128483

        Reviewed by Andreas Kling.

        With the recent work to make StringImpl occupy less space, it is actually more
        efficient to allocate a single character string than it is to use createSubstringSharingImpl!

        * runtime/JSString.h:
        (JSC::jsSingleCharacterString):
        (JSC::jsSingleCharacterSubstring):
        (JSC::jsString):
        (JSC::jsSubstring8):
        * runtime/SmallStrings.cpp:
        (JSC::SmallStringsStorage::SmallStringsStorage):
        (JSC::SmallStrings::SmallStrings):

2014-02-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        Baseline JIT uses the wrong version of checkMarkWord in emitWriteBarrier
        https://bugs.webkit.org/show_bug.cgi?id=128474

        Reviewed by Michael Saboff.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitWriteBarrier):

2014-02-08  Mark Lam  <mark.lam@apple.com>

        Rename a field and some variables in JSLock to better describe what they contain.
        <https://webkit.org/b/128475>

        Reviewed by Oliver Hunt.

        * runtime/JSLock.cpp:
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::dropAllLocksUnconditionally):
        (JSC::JSLock::grabAllLocks):
        (JSC::JSLock::DropAllLocks::DropAllLocks):
        (JSC::JSLock::DropAllLocks::~DropAllLocks):
        * runtime/JSLock.h:

2014-02-08  Anders Carlsson  <andersca@apple.com>

        Stop using getCharactersWithUpconvert in JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=128457

        Reviewed by Andreas Kling.

        Change substituteBackreferencesSlow to take StringViews and use a StringBuilder instead of upconverting
        if the source or replacement strings are 16-bit.

        * runtime/StringPrototype.cpp:
        (JSC::substituteBackreferencesSlow):
        (JSC::substituteBackreferences):

2014-02-08  Mark Rowe  <mrowe@apple.com>

        <https://webkit.org/b/128452> Don't duplicate the list of input files for postprocess-headers.sh

        Reviewed by Dan Bernstein.

        * postprocess-headers.sh: Pull the list of headers to process out of the environment.

2014-02-08  Mark Rowe  <mrowe@apple.com>

        Fix the iOS build.

        * API/WebKitAvailability.h: Skip the workarounds specific to OS X when we're building for iOS.

2014-02-07  Mark Rowe  <mrowe@apple.com>

        <https://webkit.org/b/128448> Fix use of availability macros on recently-added APIs

        Reviewed by Dan Bernstein.

        * API/JSContext.h: Remove some #ifs.
        * API/JSManagedValue.h: Ditto.
        * API/WebKitAvailability.h: #define the macros that availability macros mentioning
        newer OS X versions would expand to when building on older OS versions.
        * JavaScriptCore.xcodeproj/project.pbxproj: Call the new postprocess-headers.sh.
        * postprocess-headers.sh: Extracted from the Xcode project. Updated to remove content
        from headers based on the __MAC_OS_X_VERSION_MIN_REQUIRED macro, and to
        process WebKitAvailability.h.

2014-02-07  Mark Lam  <mark.lam@apple.com>

        JSLock should not "restore" VM stack values if it did not re-grab locks.
        <https://webkit.org/b/128447>

        Reviewed by Geoffrey Garen.

        In the existing code, if DropAllLocks is instantiated with DontAlwaysDropLocks
        in a thread that does not own the JSLock, then a bug will manifest where:

        1. The DropAllLocks constructor will save the VM's stackPointerAtEntry,
           lastStackTop, and reservedZoneSize even though it will not drop the JSLock.
        2. The DropAllLocks destructor will restore those 3 values to the VM even
           though the JSLock will not grab its internal lock.

        The former only causes busy work but does not impact correctness. The latter
        however, will corrupt those 3 VM values which belong to the thread that
        actually owns the JSLock.

        The fix is to only save the values when the JSLock will actually drop its
        internal lock, and only restore the values if it did re-grab the internal lock.

        * runtime/JSLock.cpp:
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::dropAllLocksUnconditionally):
        (JSC::JSLock::grabAllLocks):
        (JSC::JSLock::DropAllLocks::DropAllLocks):
        - Moved the saving of VM stack values to dropAllLocks() and
          dropAllLocksUnconditionally().
        (JSC::JSLock::DropAllLocks::~DropAllLocks):
        - Moved the restoring of VM stack values to grabAllLocks().

2014-02-07  Filip Pizlo  <fpizlo@apple.com>

        Don't throw away code if there is code on the worklists
        https://bugs.webkit.org/show_bug.cgi?id=128443

        Reviewed by Joseph Pecoraro.

        If we throw away compiled code and there is code currently being JITed then the JIT
        will get confused after it resumes: it will see a code block that had claimed to belong
        to an executable except that it doesn't belong to any executables anymore.

        * dfg/DFGWorklist.h:
        (JSC::DFG::Worklist::isActive):
        * heap/Heap.cpp:
        (JSC::Heap::deleteAllCompiledCode):

2014-02-07  Filip Pizlo  <fpizlo@apple.com>

        GC should safepoint the DFG worklist in a smarter way rather than just waiting for everything to complete
        https://bugs.webkit.org/show_bug.cgi?id=128297

        Reviewed by Oliver Hunt.

        This makes DFG worklist threads have a rightToRun lock that gives them the ability to
        be safepointed by the GC in much the same way as you'd expect from a fully
        multithreaded VM.

        The idea is that the worklist threads' roots are the DFG::Plan. They only touch those
        roots when holding the rightToRun lock. They currently grab that lock to run the
        compiler, but relinquish it when accessing - and waiting on - the worklist.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlockSet::mark):
        * dfg/DFGCompilationKey.cpp:
        (JSC::DFG::CompilationKey::visitChildren):
        * dfg/DFGCompilationKey.h:
        * dfg/DFGDesiredStructureChains.cpp:
        (JSC::DFG::DesiredStructureChains::visitChildren):
        * dfg/DFGDesiredStructureChains.h:
        * dfg/DFGDesiredTransitions.cpp:
        (JSC::DFG::DesiredTransition::visitChildren):
        (JSC::DFG::DesiredTransitions::visitChildren):
        * dfg/DFGDesiredTransitions.h:
        * dfg/DFGDesiredWeakReferences.cpp:
        (JSC::DFG::DesiredWeakReferences::visitChildren):
        * dfg/DFGDesiredWeakReferences.h:
        * dfg/DFGDesiredWriteBarriers.cpp:
        (JSC::DFG::DesiredWriteBarrier::visitChildren):
        (JSC::DFG::DesiredWriteBarriers::visitChildren):
        * dfg/DFGDesiredWriteBarriers.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::visitChildren):
        * dfg/DFGPlan.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::~Worklist):
        (JSC::DFG::Worklist::finishCreation):
        (JSC::DFG::Worklist::suspendAllThreads):
        (JSC::DFG::Worklist::resumeAllThreads):
        (JSC::DFG::Worklist::visitChildren):
        (JSC::DFG::Worklist::runThread):
        (JSC::DFG::Worklist::threadFunction):
        * dfg/DFGWorklist.h:
        (JSC::DFG::numberOfWorklists):
        (JSC::DFG::worklistForIndexOrNull):
        * heap/CodeBlockSet.h:
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::collect):
        * runtime/IntendedStructureChain.cpp:
        (JSC::IntendedStructureChain::visitChildren):
        * runtime/IntendedStructureChain.h:
        * runtime/VM.cpp:
        (JSC::VM::~VM):
        (JSC::VM::prepareToDiscardCode):

2014-02-07  Mark Lam  <mark.lam@apple.com>

        Unify JSLock implementation for iOS and non-iOS ports.
        <https://webkit.org/b/128409>

        Reviewed by Michael Saboff.

        The iOS and non-iOS implementations of dropAllLocks(),
        dropAllLocksUnconditionally(), and grabAllLocks() effectively do the
        same work. The main difference is that the iOS implementation acquires
        the JSLock spin lock in the DropAllLocks class while the other ports
        acquire it when they call JSLock::lock() and unlock().

        The other difference is that the iOS implementation will only increment
        m_locksDropDepth if it actually drops locks, whereas other ports will
        increment it unconditionally. Analogously, iOS decrements the depth only
        when needed while other ports will decrement it unconditionally when
        re-grabbing locks.

        We can unify the 2 implementations by having both use the iOS
        implementation for a start.

        * runtime/JSLock.cpp:
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::dropAllLocksUnconditionally):
        (JSC::JSLock::grabAllLocks):
        (JSC::JSLock::DropAllLocks::DropAllLocks):
        (JSC::JSLock::DropAllLocks::~DropAllLocks):

2014-02-06  Filip Pizlo  <fpizlo@apple.com>

        More FTL build scaffolding
        https://bugs.webkit.org/show_bug.cgi?id=128330

        Reviewed by Geoffrey Garen.

        * Configurations/FeatureDefines.xcconfig:
        * llvm/library/LLVMAnchor.cpp:

2014-02-07  Mark Lam  <mark.lam@apple.com>

        iOS port needs to clear VM::stackPointerAtVMEntry when it drops locks.
        <https://webkit.org/b/128424>

        Reviewed by Geoffrey Garen.

        The iOS code path for dropping locks differs from the non-iOS code path
        in that it (iOS) does not clear m_vm->stackPointerAtVMEntry nor reset the
        VM stack limit. This is now fixed by copying that snippet from
        JSLock::unlock().

        * runtime/JSLock.cpp:
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::dropAllLocksUnconditionally):

2014-02-07  Mark Lam  <mark.lam@apple.com>

        Removed superfluous JSLock::entryStackPointer field.
        <https://webkit.org/b/128413>

        Reviewed by Geoffrey Garen.

        * runtime/JSLock.cpp:
        (JSC::JSLock::lock):
        * runtime/JSLock.h:

2014-02-07  Mark Lam  <mark.lam@apple.com>

        Revert workaround committed in http://trac.webkit.org/r163595.
        <https://webkit.org/b/128408>

        Reviewed by Geoffrey Garen.

        Now that we have fixed the bugs in JSLock's stack limit adjustments
        in https://bugs.webkit.org/show_bug.cgi?id=128406, we can revert the
        workaround in r163595.

        * API/JSContextRef.cpp:
        (JSContextGroupCreate):
        (JSGlobalContextCreateInGroup):
        * API/tests/testapi.js:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::updateStackLimitWithReservedZoneSize):
        * runtime/VM.h:

2014-02-07  Mark Lam  <mark.lam@apple.com>

        Fix bug in stack limit adjustments in JSLock.
        <https://webkit.org/b/128406>

        Reviewed by Geoffrey Garen.

        1. JSLock::unlock() was only clearing the VM::stackPointerAtEntry when
           m_vm->stackPointerAtVMEntry == entryStackPointer. FYI,
           entryStackPointer is a field in JSLock.

           When DropAllLocks::~DropAllLocks() will call JSLock::grabAllLocks()
           to relock the JSLock, JSLock::grabAllLocks() will set a new
           entryStackPointer value. Thereafter, DropAllLocks::~DropAllLocks() will
           restore the saved VM::stackPointerAtEntry, which will now differ from
           the JSLock's entryStackPointer value.

           It turns out that when m_vm->stackPointerAtVMEntry was initialized,
           it was set to whatever value entryStackPointer is set to. At no time
           do we ever expect the 2 values to differ. The only time it differs is
           when this bug manifests.

           The fix is to remove the entryStackPointer field in JSLock and its uses
           altogether.

        2. DropAllLocks was unconditionally clearing VM::stackPointerAtEntry in
           its constructor instead of letting JSLock::unlock() do the clearing.

           However, DropAllLocks will not actually drop locks if it isn't required
           to (e.g. when alwaysDropLocks is DontAlwaysDropLocks), and when we've
           already dropped locks once (i.e. JSLock::m_lockDropDepth is not 0).

           We should not have cleared VM::stackPointerAtEntry here if we don't
           actually drop the locks.

        * runtime/JSLock.cpp:
        (JSC::JSLock::unlock):
        (JSC::JSLock::DropAllLocks::DropAllLocks):

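
The DropAllLocks save/restore bug described in the webkit.org/b/128447 entry above, together with the rule the 128406 entry applies to clearing stackPointerAtEntry (only touch VM state if the lock was really dropped), as an added C++ example that is not WebKit's code: ModelLock, VMStackValues, BuggyDropAllLocks and FixedDropAllLocks are hypothetical stand-ins for JSLock, VM and JSLock::DropAllLocks, ownership is modelled with an explicit thread id so the scenario runs single-threaded, and the stack values are constructed samples.

```cpp
// Added example, not WebKit's code: a cut-down model of the JSLock/DropAllLocks
// save-and-restore bug. All names are hypothetical stand-ins for the real classes.
#include <cstddef>
#include <cstdint>

// The three per-VM values the 128447 entry names: saved when the lock is dropped,
// restored when it is re-grabbed.
struct VMStackValues {
    uintptr_t stackPointerAtEntry;
    uintptr_t lastStackTop;
    size_t reservedZoneSize;
};

enum DropPolicy { AlwaysDropLocks, DontAlwaysDropLocks };

// Minimal stand-in for JSLock: owning thread id, drop depth and the VM values.
struct ModelLock {
    VMStackValues vm{};
    int ownerThread = -1;   // -1: nobody holds the lock
    int lockDropDepth = 0;

    bool willDrop(int tid, DropPolicy policy) const {
        return policy == AlwaysDropLocks || ownerThread == tid;
    }
    // Returns true only if this call really released the lock on behalf of `tid`.
    bool dropAllLocks(int tid, DropPolicy policy) {
        if (!willDrop(tid, policy))
            return false;   // this thread does not own the lock: nothing to drop
        ownerThread = -1;
        ++lockDropDepth;
        return true;
    }
    void grabAllLocks(int tid) {
        ownerThread = tid;
        --lockDropDepth;
    }
};

// Before the fix: the guard captures the VM values in its constructor and writes them
// back in its destructor whether or not it dropped the lock. Used from a thread that
// does not own the lock, the destructor clobbers values belonging to the owner.
class BuggyDropAllLocks {
public:
    BuggyDropAllLocks(ModelLock& lock, int tid, DropPolicy policy)
        : m_lock(lock), m_tid(tid), m_saved(lock.vm), m_dropped(false) {  // saved unconditionally
        m_dropped = m_lock.dropAllLocks(tid, policy);
    }
    ~BuggyDropAllLocks() {
        if (m_dropped)
            m_lock.grabAllLocks(m_tid);
        m_lock.vm = m_saved;                                             // restored unconditionally
    }
private:
    ModelLock& m_lock;
    int m_tid;
    VMStackValues m_saved;
    bool m_dropped;
};

// After the fix: save only when the lock will actually be dropped, restore only when it
// was re-grabbed. (The real patch moved the save into dropAllLocks() and the restore
// into grabAllLocks(); this model gates both on the same condition inside the guard.)
class FixedDropAllLocks {
public:
    FixedDropAllLocks(ModelLock& lock, int tid, DropPolicy policy)
        : m_lock(lock), m_tid(tid), m_saved(), m_dropped(false) {
        if (!m_lock.willDrop(tid, policy))
            return;                      // not dropping: do not even read the owner's values
        m_saved = m_lock.vm;
        m_dropped = m_lock.dropAllLocks(tid, policy);
    }
    ~FixedDropAllLocks() {
        if (!m_dropped)
            return;                      // never dropped: leave the VM state alone
        m_lock.grabAllLocks(m_tid);
        m_lock.vm = m_saved;
    }
private:
    ModelLock& m_lock;
    int m_tid;
    VMStackValues m_saved;
    bool m_dropped;
};

// Scenario from the 128447 entry: thread 1 holds the lock; thread 2 creates the guard with
// DontAlwaysDropLocks (so it must not drop); while the guard lives, thread 1 records new
// entry values; the guard is destroyed. Returns thread 1's stackPointerAtEntry afterwards.
template <typename Guard>
uintptr_t nonOwnerScenario() {
    ModelLock lock;
    lock.ownerThread = 1;
    lock.vm = VMStackValues{0x1000, 0x0f00, 64};       // constructed sample values
    {
        Guard guard(lock, /*tid=*/2, DontAlwaysDropLocks);
        lock.vm = VMStackValues{0x2000, 0x1f00, 64};   // thread 1 re-enters the VM deeper down
    }
    return lock.vm.stackPointerAtEntry;                // buggy: 0x1000 (clobbered), fixed: 0x2000
}

// Control: the owning thread uses the guard, so both versions must drop, let another
// thread enter the VM with its own values, then re-grab and restore the saved ones.
template <typename Guard>
uintptr_t ownerScenario() {
    ModelLock lock;
    lock.ownerThread = 1;
    lock.vm = VMStackValues{0x1000, 0x0f00, 64};
    {
        Guard guard(lock, /*tid=*/1, DontAlwaysDropLocks);
        lock.vm = VMStackValues{0x3000, 0x2f00, 64};   // another thread ran while dropped
    }
    return lock.vm.stackPointerAtEntry;                // both: 0x1000
}
```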
3442 2014-02-07  Joseph Pecoraro  <pecoraro@apple.com>
3443
3444         [iOS] Eliminate race between XPC connection queue and Notification queue
3445         https://bugs.webkit.org/show_bug.cgi?id=128384
3446
3447         Reviewed by Timothy Hatcher.
3448
3449         * inspector/remote/RemoteInspector.h:
3450         * inspector/remote/RemoteInspector.mm:
3451         (Inspector::RemoteInspector::RemoteInspector):
3452         (Inspector::RemoteInspector::start):
3453         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
3454         Create the queue to use for RemoteInspector xpc connection
3455         management and the connection itself.
3456
3457         * inspector/remote/RemoteInspectorXPCConnection.h:
3458         * inspector/remote/RemoteInspectorXPCConnection.mm:
3459         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
3460         Use the passed in queue instead of creating one for itself.
3461
3462 2014-02-07  Oliver Hunt  <oliver@apple.com>
3463
3464         REGRESSION (r160628): LLint does not appear to handle impure get own property properly
3465         https://bugs.webkit.org/show_bug.cgi?id=127943
3466
3467         Reviewed by Filip Pizlo.
3468
3469         Make sure the LLINT doesn't attempt to cache property
3470         access on structures with impureGetOwnPropertySlot set.
3471
3472         * llint/LLIntSlowPaths.cpp:
3473         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3474
3475 2014-02-06  Michael Saboff  <msaboff@apple.com>
3476
3477         Workaround REGRESSION(r163195-r163227): Crash beneath NSErrorUserInfoFromJSException when installing AppleInternal.mpkg
3478         https://bugs.webkit.org/show_bug.cgi?id=128347
3479
3480         Reviewed by Geoffrey Garen.
3481
3482         Added a flag to VM class called m_ignoreStackLimit that disables stack limit checks.
3483         We set this flag in JSContextGroupCreate() and JSGlobalContextCreateInGroup().
3484
3485         Disabled stack overflow tests in testapi.js since it uses these paths.
3486
3487         This patch will be reverted as part of a comprehensive solution to the problem.
3488
3489         * API/JSContextRef.cpp:
3490         (JSContextGroupCreate):
3491         (JSGlobalContextCreateInGroup):
3492         * API/tests/testapi.js:
3493         * runtime/VM.cpp:
3494         (JSC::VM::VM):
3495         (JSC::VM::updateStackLimitWithReservedZoneSize):
3496         * runtime/VM.h:
3497         (JSC::VM::ignoreStackLimit):
3498
3499 2014-02-06  Mark Hahnenberg  <mhahnenberg@apple.com>
3500
3501         +[JSContext currentCallee] should return the currently executing JS function
3502         https://bugs.webkit.org/show_bug.cgi?id=122621
3503
3504         Reviewed by Geoffrey Garen.
3505
3506         It would be useful if there was a +[JSContext currentObject] API which was 
3507         callable from ObjC API callbacks. Its purpose would be to allow convenient 
3508         access to the JSValue wrapper for the currently-executing block callback.
3509
3510         * API/JSContext.h:
3511         * API/JSContext.mm:
3512         (+[JSContext currentCallee]):
3513         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
3514         * API/JSContextInternal.h:
3515         * API/ObjCCallbackFunction.mm:
3516         (JSC::objCCallbackFunctionCallAsFunction):
3517         (JSC::objCCallbackFunctionCallAsConstructor):
3518         * API/tests/testapi.mm:
3519
3520 2014-02-06  Mark Hahnenberg  <mhahnenberg@apple.com>
3521
3522         Fix iOS builds after r163574
3523
3524         * API/JSManagedValue.h:
3525
3526 2014-02-06  Mark Hahnenberg  <mhahnenberg@apple.com>
3527
3528         Heap::writeBarrier shouldn't be static
3529         https://bugs.webkit.org/show_bug.cgi?id=127807
3530
3531         Reviewed by Geoffrey Garen.
3532
3533         Currently it looks up the Heap in which to fire the write barrier by using 
3534         the cell passed to it. Almost every call site already has a reference to the 
3535         VM or the Heap itself. It seems wasteful to look it up all over again.
3536
3537         * GNUmakefile.list.am:
3538         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3539         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3540         * JavaScriptCore.xcodeproj/project.pbxproj:
3541         * heap/CopyWriteBarrier.h:
3542         (JSC::CopyWriteBarrier::set):
3543         * heap/Heap.cpp:
3544         (JSC::Heap::writeBarrier):
3545         * heap/Heap.h:
3546         (JSC::Heap::writeBarrier):
3547         * jit/JITOperations.cpp:
3548         * jit/JITWriteBarrier.h:
3549         (JSC::JITWriteBarrierBase::set):
3550         * llint/LLIntSlowPaths.cpp:
3551         (JSC::LLInt::llint_write_barrier_slow):
3552         * runtime/Arguments.h:
3553         * runtime/JSWeakMap.cpp:
3554         * runtime/MapData.cpp:
3555         (JSC::MapData::ensureSpaceForAppend):
3556         * runtime/PropertyTable.cpp:
3557         (JSC::PropertyTable::PropertyTable):
3558         * runtime/Structure.h:
3559         * runtime/WriteBarrier.h:
3560         * runtime/WriteBarrierInlines.h: Added.
3561
3562 2014-02-06  Mark Hahnenberg  <mhahnenberg@apple.com>
3563
3564         JSManagedValue should automatically call removeManagedReference:withOwner: upon dealloc
3565         https://bugs.webkit.org/show_bug.cgi?id=124053
3566
3567         Reviewed by Geoffrey Garen.
3568
3569         * API/JSManagedValue.h:
3570         * API/JSManagedValue.mm:
3571         (+[JSManagedValue managedValueWithValue:andOwner:]):
3572         (-[JSManagedValue initWithValue:]):
3573         (-[JSManagedValue dealloc]):
3574         (-[JSManagedValue didAddOwner:]):
3575         (-[JSManagedValue didRemoveOwner:]):
3576         * API/JSManagedValueInternal.h: Added.
3577         * API/JSVirtualMachine.mm:
3578         (-[JSVirtualMachine addManagedReference:withOwner:]):
3579         (-[JSVirtualMachine removeManagedReference:withOwner:]):
3580         * API/WebKitAvailability.h:
3581         * API/tests/testapi.mm:
3582         (-[TextXYZ click]):
3583         * JavaScriptCore.xcodeproj/project.pbxproj:
3584
3585 2014-02-06  Joseph Pecoraro  <pecoraro@apple.com>
3586
3587         Web Inspector: Add Console support to JSContext Inspection
3588         https://bugs.webkit.org/show_bug.cgi?id=127941
3589
3590         Reviewed by Geoffrey Garen.
3591
3592         * CMakeLists.txt:
3593         * DerivedSources.make:
3594         * GNUmakefile.am:
3595         * GNUmakefile.list.am:
3596         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3597         * JavaScriptCore.xcodeproj/project.pbxproj:
3598         Add new files.
3599
3600         * inspector/agents/InspectorConsoleAgent.cpp: Renamed from Source/WebCore/inspector/InspectorConsoleAgent.cpp.
3601         * inspector/agents/InspectorConsoleAgent.h: Added.
3602         New agent moved from WebCore. Rename a method to work in JS only context.
3603
3604         * inspector/JSGlobalObjectInspectorController.cpp:
3605         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3606         Instantiate ConsoleAgent.
3607
3608         * inspector/agents/JSGlobalObjectConsoleAgent.h: Copied from Source/WebCore/inspector/PageInjectedScriptHost.h.
3609         * inspector/agents/JSGlobalObjectConsoleAgent.cpp: Copied from Source/WebCore/inspector/PageInjectedScriptHost.h.
3610         (Inspector::JSGlobalObjectConsoleAgent::JSGlobalObjectConsoleAgent):
3611         (Inspector::JSGlobalObjectConsoleAgent::setMonitoringXHREnabled):
3612         (Inspector::JSGlobalObjectConsoleAgent::addInspectedNode):
3613         (Inspector::JSGlobalObjectConsoleAgent::addInspectedHeapObject):
3614         JSGlobalObject implementation.
3615
3616         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
3617         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
3618         (Inspector::JSGlobalObjectDebuggerAgent::JSGlobalObjectDebuggerAgent):
3619         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
3620         Use ConsoleAgent to report logs.
3621
3622         * inspector/ConsoleMessage.cpp: Renamed from Source/WebCore/inspector/ConsoleMessage.cpp.
3623         * inspector/ConsoleMessage.h: Renamed from Source/WebCore/inspector/ConsoleMessage.h.
3624         * inspector/ConsoleTypes.h: Copied from Source/WebCore/inspector/ConsoleAPITypes.h.
3625         * inspector/IdentifiersFactory.cpp: Renamed from Source/WebCore/inspector/IdentifiersFactory.cpp.
3626         * inspector/IdentifiersFactory.h: Renamed from Source/WebCore/inspector/IdentifiersFactory.h.
3627         * inspector/ScriptArguments.cpp: Renamed from Source/WebCore/inspector/ScriptArguments.cpp.
3628         * inspector/ScriptArguments.h: Renamed from Source/WebCore/inspector/ScriptArguments.h.
3629         * inspector/ScriptCallFrame.cpp: Renamed from Source/WebCore/inspector/ScriptCallFrame.cpp.
3630         * inspector/ScriptCallFrame.h: Renamed from Source/WebCore/inspector/ScriptCallFrame.h.
3631         * inspector/ScriptCallStack.cpp: Renamed from Source/WebCore/inspector/ScriptCallStack.cpp.
3632         * inspector/ScriptCallStack.h: Renamed from Source/WebCore/inspector/ScriptCallStack.h.
3633         * inspector/ScriptCallStackFactory.cpp: Renamed from Source/WebCore/bindings/js/ScriptCallStackFactory.cpp.
3634         * inspector/ScriptCallStackFactory.h: Renamed from Source/WebCore/bindings/js/ScriptCallStackFactory.h.
3635         * inspector/protocol/Console.json: Renamed from Source/WebCore/inspector/protocol/Console.json.
3636         * inspector/scripts/generate-combined-inspector-json.py:
3637
3638 2014-02-06  Commit Queue  <commit-queue@webkit.org>
3639
3640         Unreviewed, rolling out r163542.
3641         http://trac.webkit.org/changeset/163542
3642         https://bugs.webkit.org/show_bug.cgi?id=128324
3643
3644         Caused many assertion failures (Requested by ap on #webkit).
3645
3646         * GNUmakefile.list.am:
3647         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3648         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3649         * JavaScriptCore.xcodeproj/project.pbxproj:
3650         * heap/CopyWriteBarrier.h:
3651         (JSC::CopyWriteBarrier::set):
3652         * heap/Heap.cpp:
3653         (JSC::Heap::writeBarrier):
3654         * heap/Heap.h:
3655         (JSC::Heap::writeBarrier):
3656         * jit/JITOperations.cpp:
3657         * jit/JITWriteBarrier.h:
3658         (JSC::JITWriteBarrierBase::set):
3659         * llint/LLIntSlowPaths.cpp:
3660         (JSC::LLInt::llint_write_barrier_slow):
3661         * runtime/Arguments.h:
3662         * runtime/JSWeakMap.cpp:
3663         * runtime/MapData.cpp:
3664         (JSC::MapData::ensureSpaceForAppend):
3665         * runtime/PropertyTable.cpp:
3666         (JSC::PropertyTable::PropertyTable):
3667         * runtime/Structure.h:
3668         * runtime/WriteBarrier.h:
3669         (JSC::WriteBarrierBase::set):
3670         (JSC::WriteBarrierBase::setMayBeNull):
3671         (JSC::WriteBarrierBase::setEarlyValue):
3672         (JSC::WriteBarrierBase<Unknown>::set):
3673         * runtime/WriteBarrierInlines.h: Removed.
3674
3675 2014-02-06  Oliver Hunt  <oliver@apple.com>
3676
3677         Make 32bit pass the correct this value to custom getters
3678         https://bugs.webkit.org/show_bug.cgi?id=128313
3679
3680         Reviewed by Mark Lam.
3681
3682         Now that the custom getter calling convention uses a single register
3683         for the slot base we can easily pass the correct |thisValue| instead
3684         of simply relying on the thisValue not being relevant to existing
3685         custom getters. This also means that 32bit can call custom getters
3686         directly.
3687
3688         * jit/CCallHelpers.h:
3689         (JSC::CCallHelpers::setupArgumentsWithExecState):
3690         * jit/Repatch.cpp:
3691         (JSC::generateProtoChainAccessStub):
3692         (JSC::tryBuildGetByIDList):
3693
3694 2014-02-05  Mark Hahnenberg  <mhahnenberg@apple.com>
3695
3696         Heap::writeBarrier shouldn't be static
3697         https://bugs.webkit.org/show_bug.cgi?id=127807
3698
3699         Reviewed by Geoffrey Garen.
3700
3701         Currently it looks up the Heap in which to fire the write barrier by using 
3702         the cell passed to it. Almost every call site already has a reference to the 
3703         VM or the Heap itself. It seems wasteful to look it up all over again.
3704
3705         * GNUmakefile.list.am:
3706         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3707         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3708         * JavaScriptCore.xcodeproj/project.pbxproj:
3709         * heap/CopyWriteBarrier.h:
3710         (JSC::CopyWriteBarrier::set):
3711         * heap/Heap.cpp:
3712         (JSC::Heap::writeBarrier):
3713         * heap/Heap.h:
3714         (JSC::Heap::writeBarrier):
3715         * jit/JITOperations.cpp:
3716         * jit/JITWriteBarrier.h:
3717         (JSC::JITWriteBarrierBase::set):
3718         * llint/LLIntSlowPaths.cpp:
3719         (JSC::LLInt::llint_write_barrier_slow):
3720         * runtime/Arguments.h:
3721         * runtime/JSWeakMap.cpp:
3722         * runtime/MapData.cpp:
3723         (JSC::MapData::ensureSpaceForAppend):
3724         * runtime/PropertyTable.cpp:
3725         (JSC::PropertyTable::PropertyTable):
3726         * runtime/Structure.h:
3727         * runtime/WriteBarrier.h:
3728         * runtime/WriteBarrierInlines.h: Added.
3729
3730 2014-02-04  Filip Pizlo  <fpizlo@apple.com>
3731
3732         Make FTL OSR entry something we only try after we've already compiled the function with the FTL and it still got stuck in a loop after that without ever returning like a sensible function oughta have
3733         https://bugs.webkit.org/show_bug.cgi?id=128234
3734
3735         Reviewed by Geoffrey Garen.
3736         
3737         Use DFG::JITCode::osrEntryRetry as a counter to decide when to invoke OSR entry. That
3738         comes into play only after we've done a replacement compile.
3739         
3740         This appears to still give us a speed-up on the kinds of things that OSR entry is good
3741         for, while also eliminating pointless OSR entry compilations on other things.
3742
3743         * dfg/DFGJITCode.cpp:
3744         (JSC::DFG::JITCode::JITCode):
3745         * dfg/DFGJITCode.h:
3746         * dfg/DFGOperations.cpp:
3747         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
3748         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
3749         * runtime/Options.h:
3750
3751 2014-02-04  Filip Pizlo  <fpizlo@apple.com>
3752
3753         Don't speculate on ToThis if we already know that arg0 has a questionable record with structure checks
3754         https://bugs.webkit.org/show_bug.cgi?id=128229
3755
3756         Reviewed by Geoffrey Garen.
3757
3758         * dfg/DFGByteCodeParser.cpp:
3759         (JSC::DFG::ByteCodeParser::parseBlock):
3760
3761 2014-02-05  Mark Hahnenberg  <mhahnenberg@apple.com>
3762
3763         Handling of opaque roots is wrong in EdenCollections
3764         https://bugs.webkit.org/show_bug.cgi?id=128210
3765
3766         Reviewed by Oliver Hunt.
3767
3768         The set of opaque roots is always cleared during each collection. We should instead persist 
3769         the set of opaque roots across EdenCollections and only clear it at the beginning of FullCollections.
3770
3771         Also added a couple of custom objects to the jsc shell that allow us to test this.
3772
3773         * heap/GCThreadSharedData.cpp:
3774         (JSC::GCThreadSharedData::reset):
3775         (JSC::GCThreadSharedData::didStartMarking):
3776         * heap/Heap.cpp:
3777         (JSC::Heap::markRoots):
3778         * heap/Heap.h:
3779         (JSC::Heap::setShouldDoFullCollection):
3780         * heap/SlotVisitor.cpp:
3781         (JSC::SlotVisitor::didStartMarking):
3782         (JSC::SlotVisitor::reset):
3783         * heap/SlotVisitor.h:
3784         * jsc.cpp:
3785         (WTF::Element::Element):
3786         (WTF::Element::root):
3787         (WTF::Element::setRoot):
3788         (WTF::Element::create):
3789         (WTF::Element::createStructure):
3790         (WTF::ElementHandleOwner::isReachableFromOpaqueRoots):
3791         (WTF::Root::Root):
3792         (WTF::Root::element):
3793         (WTF::Root::setElement):
3794         (WTF::Root::create):
3795         (WTF::Root::createStructure):
3796         (WTF::Root::visitChildren):
3797         (WTF::Element::handleOwner):
3798         (WTF::Element::finishCreation):
3799         (GlobalObject::finishCreation):
3800         (functionCreateRoot):
3801         (functionCreateElement):
3802         (functionGetElement):
3803         (functionSetElementRoot):
3804         (functionGCAndSweep):
3805         (functionFullGC):
3806         (functionEdenGC):
3807
3808 2014-02-05  Anders Carlsson  <andersca@apple.com>
3809
3810         Remove unused functions.
3811
3812         * runtime/RegExpConstructor.cpp:
3813         (JSC::RegExpConstructor::getOwnPropertySlot):
3814         * runtime/RegExpObject.cpp:
3815
3816 2014-02-05  Oliver Hunt  <oliver@apple.com>
3817
3818         Change custom getter signature to make the base reference an object pointer
3819         https://bugs.webkit.org/show_bug.cgi?id=128279
3820
3821         Reviewed by Geoffrey Garen.
3822
3823         Make custom getters take a JSObject* instead of EncodedJSValue as the base
3824         reference.  This allows us to drop one pointer from the JSVALUE32_64 calling
3825         convention.
3826
3827         * API/JSCallbackObject.h:
3828         * API/JSCallbackObjectFunctions.h:
3829         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
3830         (JSC::JSCallbackObject<Parent>::callbackGetter):
3831         * jit/JITOperations.cpp:
3832         * jit/Repatch.cpp:
3833         (JSC::generateProtoChainAccessStub):
3834         (JSC::tryBuildGetByIDList):
3835         * runtime/JSActivation.cpp:
3836         (JSC::JSActivation::argumentsGetter):
3837         * runtime/JSActivation.h:
3838         * runtime/JSFunction.cpp:
3839         (JSC::JSFunction::argumentsGetter):
3840         (JSC::JSFunction::callerGetter):
3841         (JSC::JSFunction::lengthGetter):
3842         (JSC::JSFunction::nameGetter):
3843         * runtime/JSFunction.h:
3844         * runtime/JSObject.h:
3845         (JSC::PropertySlot::getValue):
3846         * runtime/NumberConstructor.cpp:
3847         (JSC::numberConstructorNaNValue):
3848         (JSC::numberConstructorNegInfinity):
3849         (JSC::numberConstructorPosInfinity):
3850         (JSC::numberConstructorMaxValue):
3851         (JSC::numberConstructorMinValue):
3852         * runtime/PropertySlot.h:
3853         * runtime/RegExpConstructor.cpp:
3854         (JSC::regExpConstructorDollar1):
3855         (JSC::regExpConstructorDollar2):
3856         (JSC::regExpConstructorDollar3):
3857         (JSC::regExpConstructorDollar4):
3858         (JSC::regExpConstructorDollar5):
3859         (JSC::regExpConstructorDollar6):
3860         (JSC::regExpConstructorDollar7):
3861         (JSC::regExpConstructorDollar8):
3862         (JSC::regExpConstructorDollar9):
3863         (JSC::regExpConstructorInput):
3864         (JSC::regExpConstructorMultiline):
3865         (JSC::regExpConstructorLastMatch):
3866         (JSC::regExpConstructorLastParen):
3867         (JSC::regExpConstructorLeftContext):
3868         (JSC::regExpConstructorRightContext):
3869         * runtime/RegExpObject.cpp:
3870         (JSC::regExpObjectGlobal):
3871         (JSC::regExpObjectIgnoreCase):
3872         (JSC::regExpObjectMultiline):
3873         (JSC::regExpObjectSource):
3874
3875 2014-02-05  Andreas Kling  <akling@apple.com>
3876
3877         Remove ENABLE(DIRECTORY_UPLOAD).
3878         <https://webkit.org/b/128275>
3879
3880         Rubber-stamped by Ryosuke Niwa.
3881
3882         * Configurations/FeatureDefines.xcconfig:
3883
3884 2014-02-05  Filip Pizlo  <fpizlo@apple.com>
3885
3886         Rename useExperimentalFTL to useFTLJIT.
3887
3888         Rubber stamped by Mark Hahnenberg.
3889
3890         * dfg/DFGTierUpCheckInjectionPhase.cpp:
3891         (JSC::DFG::TierUpCheckInjectionPhase::run):
3892         * runtime/Options.h:
3893
3894 2014-02-05  Brian Burg  <bburg@apple.com>
3895
3896         Web Inspector: add probe manager and model objects to the frontend
3897         https://bugs.webkit.org/show_bug.cgi?id=127117
3898
3899         Reviewed by Timothy Hatcher.
3900
3901         The inspector frontend now assigns breakpoint action identifiers,
3902         rather than the backend. Remove return values containing breakpoint
3903         identifiers, and remove tracking and assignment of action identifiers.
3904
3905         * inspector/ScriptDebugListener.h:
3906         * inspector/ScriptDebugServer.cpp:
3907         (Inspector::ScriptDebugServer::evaluateBreakpointAction):
3908         (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe):
3909         Pass BreakpointAction by reference rather than just the action identifier.
3910
3911         * inspector/ScriptDebugServer.h:
3912         * inspector/agents/InspectorDebuggerAgent.cpp:
3913         (Inspector::objectGroupForBreakpointAction):
3914         (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
3915         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
3916         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
3917         (Inspector::InspectorDebuggerAgent::setBreakpoint):
3918         (Inspector::InspectorDebuggerAgent::removeBreakpoint):
3919         (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
3920         * inspector/agents/InspectorDebuggerAgent.h:
3921         * inspector/protocol/Debugger.json: Revert change to setBreakpoint return values. Add optional identifier to breakpoint actions.
3922
3923 2014-02-05  Filip Pizlo  <fpizlo@apple.com>
3924
3925         JSC on Mac should pull LLVM from prefix=/usr/local/LLVMForJavaScriptCore and not /usr/local
3926         https://bugs.webkit.org/show_bug.cgi?id=128269
3927
3928         Reviewed by Mark Hahnenberg.
3929
3930         * Configurations/Base.xcconfig:
3931         * Configurations/LLVMForJSC.xcconfig:
3932
3933 2014-02-05  Mark Hahnenberg  <mhahnenberg@apple.com>
3934
3935         Fix 32-bit builds after r163471
3936
3937         * dfg/DFGOSRExitCompilerCommon.cpp:
3938
3939 2014-02-05  Mark Hahnenberg  <mhahnenberg@apple.com>
3940
3941         Can no longer run OctaneV2 in browser, crashes in speculationFromCell
3942         https://bugs.webkit.org/show_bug.cgi?id=128266
3943
3944         Reviewed by Filip Pizlo.
3945
3946         Move the OSR exit write barriers into OSRExitCompilerCommon. Also reorganize some 
3947         of the code to be in more appropriate places.
3948
3949         * dfg/DFGOSRExitCompiler32_64.cpp:
3950         (JSC::DFG::OSRExitCompiler::compileExit):
3951         * dfg/DFGOSRExitCompiler64.cpp:
3952         (JSC::DFG::OSRExitCompiler::compileExit):
3953         * dfg/DFGOSRExitCompilerCommon.cpp:
3954         (JSC::DFG::osrWriteBarrier):
3955         (JSC::DFG::adjustAndJumpToTarget):
3956         * dfg/DFGSpeculativeJIT.cpp: