[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-06-25  Geoffrey Garen  <ggaren@apple.com>

        Unreviewed, rolling out r166876.

        Caused some ECMA test262 failures

        Reverted changeset:

        "Date object needs to check for ES5 15.9.1.14 TimeClip limit."
        https://bugs.webkit.org/show_bug.cgi?id=131248
        http://trac.webkit.org/changeset/166876

2014-06-25  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed gardening.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Update to
        put various files in proper IDE categories.

2014-06-25  peavo@outlook.com  <peavo@outlook.com>

        [Win64] ASM LLINT is not enabled.
        https://bugs.webkit.org/show_bug.cgi?id=130638

        This patch adds a new LLINT assembler backend for Win64, and implements it.
        It makes adjustments to follow the Win64 ABI spec where it's found to be needed.
        Also, LLINT and JIT are enabled for Win64.

        Reviewed by Mark Lam.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added JITStubsMSVC64.asm.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
        * JavaScriptCore/JavaScriptCore.vcxproj/jsc/jscCommon.props: Increased stack size to avoid stack overflow in tests.
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Generate assembler source file for Win64.
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::call): Follow Win64 ABI spec.
        * jit/JITStubsMSVC64.asm: Added.
        * jit/Repatch.cpp:
        (JSC::emitPutTransitionStub): Compile fix.
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator): Follow Win64 ABI spec.
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions): Ditto.
        * llint/LLIntOfflineAsmConfig.h: Enable new llint backend for Win64.
        * llint/LowLevelInterpreter.asm: Implement new Win64 backend, and follow Win64 ABI spec.
        * llint/LowLevelInterpreter64.asm: Ditto.
        * offlineasm/asm.rb: Compile fix.
        * offlineasm/backends.rb: Add new llint backend for Win64.
        * offlineasm/settings.rb: Compile fix.
        * offlineasm/x86.rb: Implement new llint Win64 backend.

2014-06-25  Laszlo Gombos  <l.gombos@samsung.com>

        Remove build guard for progress element
        https://bugs.webkit.org/show_bug.cgi?id=134292

        Reviewed by Benjamin Poulain.

        * Configurations/FeatureDefines.xcconfig:

2014-06-24  Michael Saboff  <msaboff@apple.com>

        Add support routines to provide descriptive JavaScript backtraces
        https://bugs.webkit.org/show_bug.cgi?id=134278

        Reviewed by Mark Lam.

        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::dump):
        (JSC::CallFrame::describeFrame):
        * interpreter/CallFrame.h:
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpForBacktrace):
        * runtime/JSCJSValue.h:

2014-06-24  Brady Eidson  <beidson@apple.com>

        Enable GAMEPAD in the Mac build, but disabled at runtime.
        https://bugs.webkit.org/show_bug.cgi?id=134255

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig:

        * runtime/JSObject.h: Export JSObject::removeDirect() to allow disabling
          functions at runtime.

2014-06-24  Mark Hahnenberg  <mhahnenberg@apple.com>

        REGRESSION (r169703): Invalid cast in JSC::asGetterSetter / JSC::JSObject::defineOwnNonIndexProperty
        https://bugs.webkit.org/show_bug.cgi?id=134046

        Reviewed by Filip Pizlo.

        * runtime/GetterSetter.h:
        (JSC::asGetterSetter):
        * runtime/JSObject.cpp:
        (JSC::JSObject::defineOwnNonIndexProperty): We need to check for a CustomGetterSetter here as well as
        a normal GetterSetter. If we encounter a CustomGetterSetter, we delete it, create a new normal GetterSetter,
        and insert it like normal. We also need to check for CustomAccessors when checking for unconfigurable properties.

2014-06-24  Brent Fulgham  <bfulgham@apple.com>

        [Win] MSVC mishandles enums in bitfields
        https://bugs.webkit.org/show_bug.cgi?id=134237

        Reviewed by Michael Saboff.

        Replace uses of enum types in bit fields with unsigned to
        avoid losing a bit to hold the sign value. This can result
        in Windows interpreting the value of the field improperly.

        * bytecode/StructureStubInfo.h:
        * parser/Nodes.h:
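
The entry above describes MSVC treating an enum-typed bit field as signed, so a field just wide enough for the enumerators loses its top bit to the sign. The C++ below is an added example, not JavaScriptCore code: it reproduces the effect portably by giving a constructed `AccessType` enum a fixed signed underlying type (`int`, which is also MSVC's default underlying type for an unscoped enum), and shows the unsigned-storage idiom the entry adopts, with the enum conversion done in accessors. The enumerator names, struct layouts and helper functions are constructed for illustration.

```cpp
#include <cstdio>

// Added example (not JavaScriptCore code): why an enum-typed bit field can
// silently lose its top bit, and the unsigned-storage idiom that avoids it.

// A four-state enum needs exactly two bits.  Fixing the underlying type to
// `int` reproduces on every compiler what MSVC does for plain enums: the
// bit field inherits the signedness of `int`.
enum AccessType : int { Read = 0, Write = 1, Delete = 2, Call = 3 };

// Risky layout: a 2-bit *signed* field can only represent -2..1, so the
// enumerators 2 and 3 cannot be stored faithfully.
struct EnumBitField {
    AccessType accessType : 2;
    unsigned other : 6;
};

// Hardened layout, following the ChangeLog entry: keep the raw bits in an
// unsigned field and convert to/from the enum only at the accessor boundary.
struct UnsignedBitField {
    unsigned accessType : 2;
    unsigned other : 6;
    AccessType type() const { return static_cast<AccessType>(accessType); }
    void setType(AccessType t) { accessType = static_cast<unsigned>(t); }
};

// True if the enum-typed field reads back the value that was stored.
bool enumFieldRoundTrips(AccessType value) {
    EnumBitField f{};
    f.accessType = value;
    return f.accessType == value;
}

// True if the unsigned-typed field reads back the value that was stored.
bool unsignedFieldRoundTrips(AccessType value) {
    UnsignedBitField f{};
    f.setType(value);
    return f.type() == value;
}

// Counts how many of the four enumerators survive a round trip through the
// given layout: 2 for EnumBitField (0 and 1 only), 4 for UnsignedBitField.
int survivingValues(bool (*roundTrip)(AccessType)) {
    int count = 0;
    for (int v = Read; v <= Call; ++v)
        if (roundTrip(static_cast<AccessType>(v)))
            ++count;
    return count;
}

int main() {
    std::printf("enum-typed field:     %d of 4 values round-trip\n",
                survivingValues(enumFieldRoundTrips));
    std::printf("unsigned-typed field: %d of 4 values round-trip\n",
                survivingValues(unsignedFieldRoundTrips));
    return 0;
}
```

GCC and Clang typically give an enum without a fixed underlying type and without negative enumerators an unsigned underlying type, which is why the original bit fields worked there and the misread surfaced only on Windows; the explicit `: int` in the example makes the failure reproducible everywhere, and the unsigned field is correct on all of them.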

2014-06-23  Andreas Kling  <akling@apple.com>

        Inline the UnlinkedInstructionStream::Reader logic.
        <https://webkit.org/b/134203>

        This class is only used by CodeBlock to unpack the unlinked instructions,
        and we were spending 0.5% of total time on PLT calling Reader::next().
        Move the logic to the header file and mark it ALWAYS_INLINE.

        Reviewed by Geoffrey Garen.

        * bytecode/UnlinkedInstructionStream.cpp:
        * bytecode/UnlinkedInstructionStream.h:
        (JSC::UnlinkedInstructionStream::Reader::Reader):
        (JSC::UnlinkedInstructionStream::Reader::read8):
        (JSC::UnlinkedInstructionStream::Reader::read32):
        (JSC::UnlinkedInstructionStream::Reader::next):

2014-06-20  Sam Weinig  <sam@webkit.org>

        Remove static tables for bindings that use eager reification
        https://bugs.webkit.org/show_bug.cgi?id=134126

        Reviewed by Oliver Hunt.

        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectCustomAccessor):
        * runtime/Structure.h:
        (JSC::Structure::setHasCustomGetterSetterProperties):
        Change setHasCustomGetterSetterProperties to behave like setHasGetterSetterProperties, and set
        the m_hasReadOnlyOrGetterSetterPropertiesExcludingProto bit if the property is not __proto__.
        Without this, JSObject::put() won't think there are any setters on the prototype chain of an
        object that has no static lookup table and uses eagerly reified custom getter/setter properties.

2014-06-21  Brady Eidson  <beidson@apple.com>

        Gamepad API - Deprecate the existing implementation
        https://bugs.webkit.org/show_bug.cgi?id=134108

        Reviewed by Timothy Hatcher.

        -Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it
        -Move some implementation files into a "deprecated" subdirectory.

        * Configurations/FeatureDefines.xcconfig:

2014-06-21  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r170244.
        https://bugs.webkit.org/show_bug.cgi?id=134157

        GTK/EFL bindings generator works differently, making this
        patch not work there.  Will fix entire patch after a rollout.
        (Requested by bradee-oh on #webkit).

        Reverted changeset:

        "Gamepad API - Deprecate the existing implementation"
        https://bugs.webkit.org/show_bug.cgi?id=134108
        http://trac.webkit.org/changeset/170244

2014-06-21  Brady Eidson  <beidson@apple.com>

        Gamepad API - Deprecate the existing implementation
        https://bugs.webkit.org/show_bug.cgi?id=134108

        Reviewed by Timothy Hatcher.

        -Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it
        -Add the "Deprecated" suffix to some implementation files

        * Configurations/FeatureDefines.xcconfig:

2014-06-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        Removing PAGE_VISIBILITY_API compile guard.
        https://bugs.webkit.org/show_bug.cgi?id=133844

        Reviewed by Gavin Barraclough.

        * Configurations/FeatureDefines.xcconfig:

2014-06-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        ARM traditional buildfix after r169942.
        https://bugs.webkit.org/show_bug.cgi?id=134100

        Reviewed by Zoltan Herczeg.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::abortWithReason): Added.

2014-06-20  Andreas Kling  <akling@apple.com>

        [Cocoa] Release freed up blocks from the JS heap after simulated memory pressure.
        <https://webkit.org/b/134112>

        Reviewed by Mark Hahnenberg.

        * heap/BlockAllocator.h:

2014-06-19  Alex Christensen  <achristensen@webkit.org>

        Unreviewed fix after r170130.

        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj:
        Corrected directory so it can find common.props when opening Visual Studio.

2014-06-19  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        Remove ENABLE(LLINT) and ENABLE(LLINT_C_LOOP) guards
        https://bugs.webkit.org/show_bug.cgi?id=130389

        Reviewed by Mark Lam.

        Removed ENABLE(LLINT) since we always build with it, and changed ENABLE(LLINT_C_LOOP)
        into !ENABLE(JIT) since they are mutually exclusive.

        * CMakeLists.txt:
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
        (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
        * assembler/MaxFrameExtentForSlowPathCall.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFromLLInt):
        * bytecode/CodeBlock.cpp:
        (JSC::dumpStructure):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::unlinkCalls):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::linkIncomingCall):
        (JSC::CodeBlock::frameRegisterCount):
        * bytecode/CodeBlock.h:
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitConstruct):
        * heap/Heap.cpp:
        (JSC::Heap::gatherJSStackRoots):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::initialize):
        (JSC::Interpreter::isOpcode):
        * interpreter/Interpreter.h:
        (JSC::Interpreter::getOpcodeID):
        * interpreter/JSStack.cpp:
        (JSC::JSStack::JSStack):
        (JSC::JSStack::committedByteCount):
        * interpreter/JSStack.h:
        * interpreter/JSStackInlines.h:
        (JSC::JSStack::ensureCapacityFor):
        (JSC::JSStack::topOfFrameFor):
        (JSC::JSStack::setStackLimit):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        * jit/JIT.h:
        (JSC::JIT::compileCTINativeCall):
        * jit/JITExceptions.h:
        * jit/JITThunks.cpp:
        (JSC::JITThunks::ctiNativeCall):
        (JSC::JITThunks::ctiNativeConstruct):
        * llint/LLIntCLoop.cpp:
        * llint/LLIntCLoop.h:
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntData.h:
        (JSC::LLInt::Data::performAssertions): Deleted.
        * llint/LLIntEntrypoint.cpp:
        * llint/LLIntEntrypoint.h:
        * llint/LLIntExceptions.cpp:
        * llint/LLIntExceptions.h:
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntOffsetsExtractor.cpp:
        (JSC::LLIntOffsetsExtractor::dummy):
        * llint/LLIntOpcode.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LLIntThunks.cpp:
        * llint/LLIntThunks.h:
        * llint/LowLevelInterpreter.cpp:
        * llint/LowLevelInterpreter.h:
        * runtime/CommonSlowPaths.cpp:
        * runtime/CommonSlowPaths.h:
        * runtime/ErrorHandlingScope.cpp:
        (JSC::ErrorHandlingScope::ErrorHandlingScope):
        (JSC::ErrorHandlingScope::~ErrorHandlingScope):
        * runtime/Executable.cpp:
        (JSC::setupLLInt):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::sanitizeStackForVM):
        * runtime/VM.h:
        (JSC::VM::canUseJIT): Deleted.

2014-06-18  Alex Christensen  <achristensen@webkit.org>

        Add FTL to Windows build.
        https://bugs.webkit.org/show_bug.cgi?id=134015

        Reviewed by Filip Pizlo.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        Added ftl source files.
        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
        Added ftl and llvm directories to include path.
        * JavaScriptCore.vcxproj/libllvmForJSC: Added.
        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Added.
        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Added.
        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Added.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
        MSVC doesn't like to divide by zero while compiling.  Use std::nan instead.
        * llvm/InitializeLLVMWin.cpp: Added.
        (JSC::initializeLLVMImpl):
        Implemented dynamic loading and linking for Windows.

2014-06-18  Alex Christensen  <achristensen@webkit.org>

        Unreviewed build fix after r170107.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        Use non-template sub for armv7s.

2014-06-18  David Kilzer  <ddkilzer@apple.com>

        -[JSContext setName:] leaks NSString
        <http://webkit.org/b/134038>

        Reviewed by Joseph Pecoraro.

        Fixes the following static analyzer warning:

            JavaScriptCore/API/JSContext.mm:200:73: warning: Potential leak of an object
                JSStringRef nameJS = name ? JSStringCreateWithCFString((CFStringRef)[name copy]) : nullptr;
                                                                                    ^

        * API/JSContext.mm:
        (-[JSContext setName:]): Autorelease the copy of |name|.

2014-06-18  Mark Lam  <mark.lam@apple.com>

        DFGGraph::m_doubleConstantMap will not map 0 values correctly.
        <https://webkit.org/b/133994>

        Reviewed by Geoffrey Garen.

        DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
        because it means two unfortunate things:
        - It will probably break for zero.
        - It will think that -0 is the same as +0 under some circumstances, since
          -0==+0 even though they are distinct values (for example 1/-0 != 1/+0).

        The fix is to use std::unordered_map which does not require special empty
        and deleted values, and to use the raw bits instead of the double value as
        the key.

        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::addressOfDoubleConstant):

2014-06-18  Alex Christensen  <achristensen@webkit.org>

        Remove duplicate code using sdiv.
        https://bugs.webkit.org/show_bug.cgi?id=133764

        Reviewed by Daniel Bates.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::sdiv):
        Make sdiv a template to match arm64.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithDiv):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        Remove duplicate code that was identical except for sdiv not being a template.

2014-06-17  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r170082.
        https://bugs.webkit.org/show_bug.cgi?id=134006

        Breaks build. (Requested by mlam on #webkit).

        Reverted changeset:

        "DFGGraph::m_doubleConstantMap will not map 0 values
        correctly."
        https://bugs.webkit.org/show_bug.cgi?id=133994
        http://trac.webkit.org/changeset/170082

2014-06-17  Mark Lam  <mark.lam@apple.com>

        DFGGraph::m_doubleConstantMap will not map 0 values correctly.
        <https://webkit.org/b/133994>

        Reviewed by Geoffrey Garen.

        DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
        because it means two unfortunate things:
        - It will probably break for zero.
        - It will think that -0 is the same as +0 under some circumstances, since
          -0==+0 even though they are distinct values (for example 1/-0 != 1/+0).

        The fix is to use std::unordered_map which does not require special empty
        and deleted values, and to use the raw bits instead of the double value as
        the key.

        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::addressOfDoubleConstant):
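
The two entries above (the original r170082 and its re-land) explain why DFGGraph::m_doubleConstantsMap must not be keyed on the double value itself. The C++ below is an added example, not JavaScriptCore code: it puts a double-keyed constant table next to a raw-bits-keyed one, both built on `std::unordered_map`, so it demonstrates the +0/-0 collision the entry names and, going one step further, the NaN case (a NaN key can never be found again because NaN != NaN, so every NaN constant would get a fresh slot). It does not model WTF::HashMap's reserved empty and deleted key values, which is the other problem the entry mentions. `DoubleKeyedConstants`, `BitsKeyedConstants`, `bitsOf` and the helper functions are constructed names.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <unordered_map>

// Added example (not JavaScriptCore code): why a constant table keyed on a
// double mishandles +0/-0 and NaN, and how keying on the raw IEEE-754 bits
// fixes both.

// Reinterpret the 64 bits of a double without violating aliasing rules.
static uint64_t bitsOf(double d) {
    uint64_t bits;
    std::memcpy(&bits, &d, sizeof bits);
    return bits;
}

// Naive table: the key is the double itself.  +0.0 == -0.0 compares equal, so
// both share one slot; NaN != NaN, so a NaN entry can never be found again.
struct DoubleKeyedConstants {
    std::unordered_map<double, int> table;
    int indexFor(double d) {
        auto it = table.find(d);
        if (it != table.end())
            return it->second;
        int index = static_cast<int>(table.size());
        table.emplace(d, index);
        return index;
    }
};

// Fixed table, following the ChangeLog entry: the key is the bit pattern, so
// distinct values get distinct slots and every value (NaN included) is found again.
struct BitsKeyedConstants {
    std::unordered_map<uint64_t, int> table;
    int indexFor(double d) {
        auto it = table.find(bitsOf(d));
        if (it != table.end())
            return it->second;
        int index = static_cast<int>(table.size());
        table.emplace(bitsOf(d), index);
        return index;
    }
};

// Interns +0 and -0 and reports how many slots were handed out.  A JIT that
// shares one slot for both would compute 1/-0 (= -Infinity) as 1/+0 (= +Infinity).
template <typename Table> int slotsForSignedZeros() {
    Table t;
    t.indexFor(0.0);
    t.indexFor(-0.0);
    return static_cast<int>(t.table.size());
}

// Interns the same NaN twice and reports how many slots were used; a correct
// table reuses the first slot.
template <typename Table> int slotsForRepeatedNaN() {
    Table t;
    const double nan = std::nan("");
    t.indexFor(nan);
    t.indexFor(nan);
    return static_cast<int>(t.table.size());
}

// The entry's observation: -0 and +0 compare equal yet behave differently.
bool signedZerosCompareEqual() { return -0.0 == 0.0; }             // true
bool signedZerosBehaveAlike()  { return 1.0 / -0.0 == 1.0 / 0.0; }  // false

int doubleKeyZeroSlots() { return slotsForSignedZeros<DoubleKeyedConstants>(); }  // 1: -0 folded onto +0
int bitsKeyZeroSlots()   { return slotsForSignedZeros<BitsKeyedConstants>(); }    // 2
int doubleKeyNaNSlots()  { return slotsForRepeatedNaN<DoubleKeyedConstants>(); }  // 2: NaN never found again
int bitsKeyNaNSlots()    { return slotsForRepeatedNaN<BitsKeyedConstants>(); }    // 1

int main() {
    std::printf("double key: %d slot(s) for +0/-0, %d for repeated NaN\n",
                doubleKeyZeroSlots(), doubleKeyNaNSlots());
    std::printf("bits key:   %d slot(s) for +0/-0, %d for repeated NaN\n",
                bitsKeyZeroSlots(), bitsKeyNaNSlots());
    return 0;
}
```

Keying on bits also means any table that needs sentinel key values (the "special empty and deleted values" the entry refers to) can pick an integer pattern that is not a constant the compiler will ever emit, instead of reserving a floating-point value such as 0.0 that real programs use constantly.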

2014-06-17  Oliver Hunt  <oliver@apple.com>

        Fix error messages for incorrect hex literals
        https://bugs.webkit.org/show_bug.cgi?id=133998

        Reviewed by Mark Lam.

        Ensure that the error messages for bogus hex literals actually
        make sense.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::lex):
        * parser/ParserTokens.h:

2014-06-17  Matthew Mirman  <mmirman@apple.com>

        Fixes bug where building JSC sometimes crashes at build-symbol-table-index.py. Also adds licenses.
        https://bugs.webkit.org/show_bug.cgi?id=133814

        Reviewed by Filip Pizlo.

        Adds the "shopt -s nullglob" line necessary to prevent the loop in the shell
        script from using "*.o" as a file when no other files in the directory exist.

        * build-symbol-table-index.sh: Added license.
        * copy-llvm-ir-to-derived-sources.sh: Added license and "shopt -s nullglob" line.

2014-06-16  Sam Weinig  <sam@webkit.org>

        Move forward declaration of bindings static functions into their implementation files
        https://bugs.webkit.org/show_bug.cgi?id=133943

        Reviewed by Geoffrey Garen.

        * runtime/CommonIdentifiers.h:
        Add a few identifiers that are needed by the DOM.

2014-06-16  Mark Lam  <mark.lam@apple.com>

        Parser statementDepth accounting needs to account for when a function body excludes its braces.
        <https://webkit.org/b/133832>

        Reviewed by Oliver Hunt.

        In some cases (e.g. when a Function object is instantiated from a string), the
        function body source may not include its braces.  The parser needs to account
        for this when calculating its statementDepth.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::codeBlockFor):
        * bytecode/UnlinkedCodeBlock.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseStatement):
        - Also fixed the error message for declaring nested functions in strict mode
          to be more accurate.
        * parser/Parser.h:
        (JSC::Parser<LexerType>::parse):
        (JSC::parse):
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):

2014-06-16  Juergen Ributzka  <juergen@apple.com>

        Change the order of the alias analysis passes to align with the opt pipeline of LLVM
        https://bugs.webkit.org/show_bug.cgi?id=133753

        Reviewed by Geoffrey Garen.

        The order in which the alias analysis passes are added affects also the
        order in which they are utilized. Change the order to align with the
        one used by LLVM itself. The last alias analysis pass added will be
        evaluated first. With this change we first perform a basic alias
        analysis and then use the type-based alias analysis (if required).

        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):

2014-06-16  Juergen Ributzka  <juergen@apple.com>

        Fix the arguments passed to the LLVM dylib
        https://bugs.webkit.org/show_bug.cgi?id=133757

        Reviewed by Geoffrey Garen.

        The LLVM command line argument parser assumes that the first argument
        is the program name. We need to add a fake program name, otherwise the
        first argument will be parsed as program name and ignored.

        * llvm/library/LLVMExports.cpp:
        (initializeAndGetJSCLLVMAPI):

2014-06-16  Michael Saboff  <msaboff@apple.com>

        Convert ASSERT in inlineFunctionForCapabilityLevel to early return
        https://bugs.webkit.org/show_bug.cgi?id=133903

        Reviewed by Mark Hahnenberg.

        Hardened code by converting ASSERT to return CannotCompile.

        * dfg/DFGCapabilities.h:
        (JSC::DFG::inlineFunctionForCapabilityLevel):

2014-06-13  Sam Weinig  <sam@webkit.org>

        Store DOM constants directly in the JS object rather than jumping through a custom accessor
        https://bugs.webkit.org/show_bug.cgi?id=133898

        Reviewed by Oliver Hunt.

        * runtime/Lookup.h:
        (JSC::HashTableValue::attributes):
        Switch attributes to be stored as an unsigned rather than an unsigned char, since there is no difference in memory use
        and it will make adding more flags possible.

        (JSC::HashTableValue::propertyGetter):
        (JSC::HashTableValue::propertyPutter):
        Change assertion to use BuiltinOrFunctionOrConstant.

        (JSC::HashTableValue::constantInteger):
        Added.

        (JSC::getStaticPropertySlot):
        (JSC::getStaticValueSlot):
        Use PropertySlot::setValue() for constants during static lookup.

        (JSC::reifyStaticProperties):
        Put the constant directly on the object when eagerly reifying.

        * runtime/PropertySlot.h:
        Add ConstantInteger flag and BuiltinOrFunctionOrConstant helper.

2014-06-14  Michael Saboff  <msaboff@apple.com>

        operationCreateArguments could cause a GC during OSR exit
        https://bugs.webkit.org/show_bug.cgi?id=133905

        Reviewed by Filip Pizlo.

        Defer GC via new wrapper functions for operationCreateArguments and operationCreateInlinedArguments
        for use by OSR exit stubs.

        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::ArgumentsRecoveryGenerator::generateFor):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:

2014-06-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        OSR exit should barrier the Executables for all InlineCallFrames, not just those on the stack at the time of exit
        https://bugs.webkit.org/show_bug.cgi?id=133880

        Reviewed by Filip Pizlo.

        We could have exited due to a value received from an inlined block that's no longer on
        the stack, so we should just barrier all InlineCallFrames.

        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::adjustAndJumpToTarget):

2014-06-13  Alex Christensen  <achristensen@webkit.org>

        Make css jit compile for armv7.
        https://bugs.webkit.org/show_bug.cgi?id=133596

        Reviewed by Benjamin Poulain.

        * assembler/MacroAssembler.h:
        Use branchPtr on ARM_THUMB2.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::addPtrNoFlags):
        (JSC::MacroAssemblerARMv7::or32):
        (JSC::MacroAssemblerARMv7::test32):
        (JSC::MacroAssemblerARMv7::branch):
        (JSC::MacroAssemblerARMv7::branchPtr):
        Added macros necessary for css jit.

2014-06-13  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix ARMv7.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::abortWithReason):

2014-06-12  Filip Pizlo  <fpizlo@apple.com>

        Even better diagnostics from DFG traps
        https://bugs.webkit.org/show_bug.cgi?id=133836

        Reviewed by Oliver Hunt.

        We now stuff the DFG::NodeType into a register before bailing. Also made the
        DFGBailed abort reason a bit more specific. As planned, the new abort reasons use
        different numbers than any previous abort reasons.

        * assembler/AbortReason.h:
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::abortWithReason):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::abortWithReason):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::abortWithReason):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::abortWithReason):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::bail):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        * dfg/DFGSpeculativeJIT.h:

2014-06-12  Simon Fraser  <simon.fraser@apple.com>

        Fix assertions under JSC::setNeverInline() when running js tests in WebKitTestRunner
        https://bugs.webkit.org/show_bug.cgi?id=133840

        Reviewed by Filip Pizlo.

        Fix ASSERT(exec->vm().currentThreadIsHoldingAPILock()); under JSC::setNeverInline()
        when running DFG tests.

        * API/JSCTestRunnerUtils.cpp:
        (JSC::numberOfDFGCompiles):
        (JSC::setNeverInline):

2014-06-12  Brent Fulgham  <bfulgham@apple.com>

        [Win] Avoid fork bomb during build
        https://bugs.webkit.org/show_bug.cgi?id=133837
        <rdar://problem/17296034>

        Reviewed by Tim Horton.

        * JavaScriptCore.vcxproj/build-generated-files.sh: Use a
        reasonable default value when the 'num-cpus' script is not available.

2014-06-12  Mark Lam  <mark.lam@apple.com>

        Remove some dead / unused code.
        <https://webkit.org/b/133828>

        Reviewed by Filip Pizlo.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::create):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::makeFunction):
        * parser/Parser.h:
        (JSC::DepthManager::DepthManager): Deleted.
        (JSC::DepthManager::~DepthManager): Deleted.
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):

2014-06-12  Mark Hahnenberg  <mhahnenberg@apple.com>

        Move structureHasRareData out of TypeInfo
        https://bugs.webkit.org/show_bug.cgi?id=133800

        Reviewed by Andreas Kling.

        StructureHasRareData was originally put in TypeInfo to avoid making Structure bigger,
        but we have a few spare bits in Structure so it would be nice to remove this hack.

        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::newImpurePropertyFiresWatchpoints):
        (JSC::TypeInfo::structureHasRareData): Deleted.
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::allocateRareData):
        (JSC::Structure::cloneRareDataFrom):
        * runtime/Structure.h:
        (JSC::Structure::previousID):
        (JSC::Structure::objectToStringValue):
        (JSC::Structure::setObjectToStringValue):
        (JSC::Structure::setPreviousID):
        (JSC::Structure::clearPreviousID):
        (JSC::Structure::previous):
        (JSC::Structure::rareData):
        * runtime/StructureInlines.h:
        (JSC::Structure::setEnumerationCache):
        (JSC::Structure::enumerationCache):

2014-06-12  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>

        Allow enum guards to be generated from the replay json files
        https://bugs.webkit.org/show_bug.cgi?id=133399

        Reviewed by Csaba Osztrogonác.

        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Type.__init__):
        (InputsModel.parse_type_with_framework_name):
        (Generator.generate_header):
        (Generator.generate_implementation):
        * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Added.
        (Test::HandleWheelEvent::HandleWheelEvent):
        (Test::HandleWheelEvent::~HandleWheelEvent):
        (JSC::InputTraits<Test::HandleWheelEvent>::type):
        (JSC::InputTraits<Test::HandleWheelEvent>::encode):
        (JSC::InputTraits<Test::HandleWheelEvent>::decode):
        (JSC::EncodingTraits<WebCore::PlatformWheelEventPhase>::encodeValue):
        (JSC::EncodingTraits<WebCore::PlatformWheelEventPhase>::decodeValue):
        * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Added.
        (JSC::InputTraits<Test::HandleWheelEvent>::queue):
        (Test::HandleWheelEvent::platformEvent):
        * replay/scripts/tests/generate-enum-with-guard.json: Added.

2014-06-12  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix GTK+ build after r169823.

        Include StructureInlines.h in a few more files to fix linking
        issues due to JSC::Structure::get undefined symbol.

        * runtime/ArrayIteratorConstructor.cpp:
        * runtime/ArrayIteratorPrototype.cpp:
        * runtime/JSConsole.cpp:
        * runtime/JSMapIterator.cpp:
        * runtime/JSSet.cpp:
        * runtime/JSSetIterator.cpp:
        * runtime/JSWeakMap.cpp:
        * runtime/MapIteratorPrototype.cpp:
        * runtime/MapPrototype.cpp:
        * runtime/SetIteratorPrototype.cpp:
        * runtime/SetPrototype.cpp:
        * runtime/WeakMapPrototype.cpp:

2014-06-12  Csaba Osztrogonác  <ossy@webkit.org>

        [EFL] One more URTBF after r169823 to make ARM64 build happy too.

        * runtime/JSMap.cpp:

2014-06-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        Inline caching should try to flatten uncacheable dictionaries
        https://bugs.webkit.org/show_bug.cgi?id=133683

        Reviewed by Geoffrey Garen.

        There exists a body of JS code that deletes properties off of objects (especially function/constructor objects),
        which puts them into an uncacheable dictionary state. This prevents all future inline caching for these objects.
        If properties are deleted out of the object during its initialization, we can enable caching for that object by
        attempting to flatten it when we see we're trying to do inline caching with that object. We then record that we
        performed this flattening optimization in the object's Structure. If it ever re-enters the uncacheable dictionary
        state then we can just give up on caching that object.

        In refactoring some of the code in tryCacheGetById and tryBuildGetByIdList to reduce some duplication, I added
        the InlineCacheAction enum, a new way to indicate the success or failure of an inline caching attempt. I changed
        the other inline caching functions to return this enum rather than the opaque booleans that we were previously
        returning.

        * jit/Repatch.cpp:
        (JSC::actionForCell):
        (JSC::tryCacheGetByID):
        (JSC::repatchGetByID):
        (JSC::tryBuildGetByIDList):
806         (JSC::repatchGetByID):
807         (JSC::tryBuildGetByIDList):
808         (JSC::buildGetByIDList):
809         (JSC::tryCachePutByID):
810         (JSC::repatchPutByID):
811         (JSC::tryBuildPutByIdList):
812         (JSC::buildPutByIdList):
813         (JSC::tryRepatchIn):
814         (JSC::repatchIn):
815         * runtime/Structure.cpp:
816         (JSC::Structure::Structure):
817         (JSC::Structure::flattenDictionaryStructure):
818         * runtime/Structure.h:
819         (JSC::Structure::hasBeenFlattenedBefore):
820
821 2014-06-11  Csaba Osztrogonác  <ossy@webkit.org>
822
823         [EFL] URTBF after r169823.
824
825         * bindings/ScriptValue.cpp: Missing include added.
826
827 2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>
828
829         Remove an unnecessary asObject(this) call inside JSObject::fastGetOwnPropertySlot.
830
831         Rubber-stamped by Andreas Kling.
832
833         * runtime/JSObject.h:
834         (JSC::JSObject::fastGetOwnPropertySlot):
835
836 2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>
837
838         Turning on DUMP_PROPERTYMAP_STATS causes a build failure
839         https://bugs.webkit.org/show_bug.cgi?id=133673
840
841         Reviewed by Andreas Kling.
842
843         Rewrote the property map statistics code because the old code wasn't building,
844         and it was also mixing numbers for lookups and insertions/removals.
845
846         New logging code records the number of calls to PropertyTable::find (finds) and
847         PropertyTable::get/PropertyTable::findWithString separately so that we can quantify
848         the amount of probing during updates and lookups.
849
850         * jsc.cpp:
851         * runtime/PropertyMapHashTable.h:
852         (JSC::PropertyTable::find):
853         (JSC::PropertyTable::get):
854         (JSC::PropertyTable::findWithString):
855         (JSC::PropertyTable::add):
856         (JSC::PropertyTable::remove):
857         (JSC::PropertyTable::reinsert):
858         (JSC::PropertyTable::rehash):
859         * runtime/Structure.cpp:
860         (JSC::PropertyMapStatisticsExitLogger::PropertyMapStatisticsExitLogger):
861         (JSC::PropertyMapStatisticsExitLogger::~PropertyMapStatisticsExitLogger):
862
863 2014-06-11  Andreas Kling  <akling@apple.com>
864
865         Always inline JSValue::get() and Structure::get().
866         <https://webkit.org/b/133755>
867
868         Reviewed by Ryosuke Niwa.
869
870         These functions get really hot, so ask the compiler to be more
871         aggressive about inlining them.
872
873         ~28% speed-up on Ryosuke's microbenchmark for accessing nextSibling
874         through GetByVal.
875
876         * runtime/JSArrayIterator.cpp:
877         * runtime/JSCJSValue.cpp:
878         * runtime/JSCJSValueInlines.h:
879         (JSC::JSValue::get):
880         * runtime/JSPromiseDeferred.cpp:
881         * runtime/StructureInlines.h:
882         (JSC::Structure::get):
883
884 2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>
885
886         Structure::get should instantiate DeferGC only when materializing property map
887         https://bugs.webkit.org/show_bug.cgi?id=133727
888
889         Rubber-stamped by Andreas Kling.
890
891         Make materializePropertyMapIfNecessary always inline.
892
893         This is ~12% improvement on the microbenchmark attached in the bug.
894
895         * runtime/Structure.h:
896         (JSC::Structure::materializePropertyMapIfNecessary):
897         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
898
899 2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>
900
901         Structure::get should instantiate DeferGC only when materializing property map
902         https://bugs.webkit.org/show_bug.cgi?id=133727
903
904         Reviewed by Geoffrey Garen.
905
906         DeferGC instances in Structure::get were added in http://trac.webkit.org/r157539 in order to avoid
907         collecting the property table newly created by materializePropertyMapIfNecessary since GC can happen
908         when GCSafeConcurrentJITLocker goes out of scope.
909
910         However, always instantiating DeferGC inside Structure::get introduced a new performance bottleneck
911         in JSObject::getPropertySlot because frequently incrementing and decrementing a counter in vm.m_heap
912         and running a release assertion inside Heap::incrementDeferralDepth() is expensive.
913
914         Work around this by instantiating DeferGC only when we're actually calling materializePropertyMap,
915         and immediately storing a pointer to the newly created property table in the stack before DeferGC
916         goes out of scope so that the property table will be marked.
917
918         This shows 13-16% improvement on the microbenchmark attached in the bug.
919
920         * runtime/JSCJSValue.cpp:
921         * runtime/JSObject.h:
922         (JSC::JSObject::fastGetOwnPropertySlot):
923         * runtime/Structure.h:
924         (JSC::Structure::materializePropertyMapIfNecessary):
925         * runtime/StructureInlines.h:
926         (JSC::Structure::get):
927
928 2014-06-11  Andreas Kling  <akling@apple.com>
929
930         Some JSValue::get() micro-optimizations.
931         <https://webkit.org/b/133739>
932
933         Tighten some of the property lookup code to improve performance of the
934         eagerly reified prototype attributes:
935
936         - Instead of converting the property name to an integer at every step
937           in the prototype chain, move that to a separate pass at the end
938           since it should be a rare case.
939
940         - Cache the StructureIDTable in a local instead of fetching it from
941           the Heap on every step.
942
943         - Make fillCustomGetterPropertySlot inline. It was out-of-lined based
944           on the assumption that clients would mostly be cacheable GetByIds,
945           and it gets pretty hot (~1%) in GetByVal.
946
947         - Pass the Structure directly to fillCustomGetterPropertySlot instead
948           of refetching it from the StructureIDTable.
949
950         Reviewed by Geoff Garen.
951
952         * runtime/JSObject.cpp:
953         (JSC::JSObject::fillCustomGetterPropertySlot): Deleted.
954         * runtime/JSObject.h:
955         (JSC::JSObject::inlineGetOwnPropertySlot):
956         (JSC::JSObject::fillCustomGetterPropertySlot):
957         (JSC::JSObject::getOwnPropertySlot):
958         (JSC::JSObject::fastGetOwnPropertySlot):
959         (JSC::JSObject::getPropertySlot):
960         (JSC::JSObject::getOwnPropertySlotSlow): Deleted.
961
962 2014-06-10  Sam Weinig  <sam@webkit.org>
963
964         Don't create a HashTable for JSObjects that use eager reification
965         https://bugs.webkit.org/show_bug.cgi?id=133705
966
967         Reviewed by Geoffrey Garen.
968
969         * runtime/Lookup.h:
970         (JSC::reifyStaticProperties):
971         Add a version of reifyStaticProperties that takes an array of HashTableValues
972         rather than a HashTable.
973
974 2014-06-10  Filip Pizlo  <fpizlo@apple.com>
975
976         Prediction propagator should make sure everyone knows that a variable that is in an argument position where other versions of that variable are not MachineInts cannot possibly be flushed as Int52
977         https://bugs.webkit.org/show_bug.cgi?id=133698
978
979         Reviewed by Geoffrey Garen and Mark Hahnenberg.
980
981         * dfg/DFGPredictionPropagationPhase.cpp:
982         (JSC::DFG::PredictionPropagationPhase::propagate): Use the new utility to figure out if a variable could ever represent an Int52.
983         * dfg/DFGVariableAccessData.cpp:
984         (JSC::DFG::VariableAccessData::couldRepresentInt52): Add a new utility to detect early on if a variable could possibly be Int52.
985         (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
986         (JSC::DFG::VariableAccessData::flushFormat):
987         * dfg/DFGVariableAccessData.h:
988         * tests/stress/int52-inlined-call-argument.js: Added.
989         (foo):
990         (bar):
991
992 2014-06-10  Mark Lam  <mark.lam@apple.com>
993
994         Assertion failure at JSC::Structure::checkOffsetConsistency() const + 234.
995         <https://webkit.org/b/133356>
996
997         Reviewed by Mark Hahnenberg.
998
999         The root cause of this issue is that a nonPropertyTransition can transition
1000         a pinned dictionary structure to an unpinned dictionary structure.  The new
1001         structure will get a copy of the property table from the original structure.
1002         However, when a GC occurs, the property table in the new structure will be
1003         cleared because it is unpinned.  This leads to complications in subsequent
1004         derivative structures when flattening occurs, which eventually leads to the
1005         assertion failure in this bug.
1006
1007         The fix is to ensure that the new dictionary structure generated by the
1008         nonPropertyTransition will have a copy of its predecessor's property table
1009         and is pinned.
1010
1011         * runtime/Structure.cpp:
1012         (JSC::Structure::nonPropertyTransition):
1013
1014 2014-06-10  Michael Saboff  <msaboff@apple.com>
1015
1016         In a certain app state, Array.prototype.filter() returns incorrect results
1017         https://bugs.webkit.org/show_bug.cgi?id=133577
1018
1019         Reviewed by Oliver Hunt.
1020
1021         Fixed the LLInt processing of op_put_by_val_direct to have the same hole check as op_put_by_val.
1022
1023         * llint/LowLevelInterpreter32_64.asm:
1024         * llint/LowLevelInterpreter64.asm:
1025
1026 2014-06-09  Mark Hahnenberg  <mhahnenberg@apple.com>
1027
1028         Global HashTables contain references to atomic StringImpls
1029         https://bugs.webkit.org/show_bug.cgi?id=133661
1030
1031         Reviewed by Geoffrey Garen.
1032
1033         This was a long-standing bug revealed by bug 133558. The issue is that the global static HashTables 
1034         cache their set of keys as StringImpls that are associated with a particular VM.  This is obviously 
1035         incompatible with using multiple VMs on multiple threads (e.g. when using workers). The fix is to 
1036         change the "keys" field of the static HashTables to be char** instead of StringImpl**.
1037
1038         * runtime/JSObject.cpp:
1039         (JSC::getClassPropertyNames):
1040         * runtime/Lookup.cpp:
1041         (JSC::HashTable::createTable):
1042         (JSC::HashTable::deleteTable):
1043         * runtime/Lookup.h:
1044         (JSC::HashTable::ConstIterator::key):
1045         (JSC::HashTable::entry):
1046
1047 2014-06-09  Mark Hahnenberg  <mhahnenberg@apple.com>
1048
1049         Build fix after r169703
1050
1051         * JavaScriptCore.xcodeproj/project.pbxproj:
1052
1053 2014-06-05  Mark Hahnenberg  <mhahnenberg@apple.com>
1054
1055         Eagerly reify DOM prototype attributes
1056         https://bugs.webkit.org/show_bug.cgi?id=133558
1057
1058         Reviewed by Oliver Hunt.
1059
1060         This allows us to get rid of a lot of the additional overhead of pushing DOM attributes up into the prototype. 
1061         By eagerly reifying the custom getters and setters into the actual JSObject we avoid having to override 
1062         getOwnPropertySlot for all of the DOM prototypes, which is a lot of the overhead of doing property lookups on 
1063         DOM wrappers.
1064
1065         * CMakeLists.txt:
1066         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1067         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1068         * JavaScriptCore.xcodeproj/project.pbxproj:
1069         * llint/LLIntData.cpp:
1070         (JSC::LLInt::Data::performAssertions):
1071         * llint/LowLevelInterpreter.asm:
1072         * runtime/BatchedTransitionOptimizer.h:
1073         (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
1074         * runtime/CustomGetterSetter.cpp: Added.
1075         (JSC::callCustomSetter):
1076         * runtime/CustomGetterSetter.h: Added.
1077         (JSC::CustomGetterSetter::create):
1078         (JSC::CustomGetterSetter::getter):
1079         (JSC::CustomGetterSetter::setter):
1080         (JSC::CustomGetterSetter::createStructure):
1081         (JSC::CustomGetterSetter::CustomGetterSetter):
1082         * runtime/JSCJSValue.cpp:
1083         (JSC::JSValue::putToPrimitive):
1084         * runtime/JSCJSValue.h:
1085         * runtime/JSCJSValueInlines.h:
1086         (JSC::JSValue::isCustomGetterSetter):
1087         * runtime/JSCell.h:
1088         * runtime/JSCellInlines.h:
1089         (JSC::JSCell::isCustomGetterSetter):
1090         (JSC::JSCell::canUseFastGetOwnProperty):
1091         * runtime/JSFunction.cpp:
1092         (JSC::JSFunction::isHostOrBuiltinFunction): Deleted.
1093         (JSC::JSFunction::isBuiltinFunction): Deleted.
1094         * runtime/JSFunction.h:
1095         * runtime/JSFunctionInlines.h: Inlined some random functions that appeared hot during profiling.
1096         (JSC::JSFunction::isBuiltinFunction):
1097         (JSC::JSFunction::isHostOrBuiltinFunction):
1098         * runtime/JSObject.cpp:
1099         (JSC::JSObject::put):
1100         (JSC::JSObject::putDirectCustomAccessor):
1101         (JSC::JSObject::fillGetterPropertySlot):
1102         (JSC::JSObject::fillCustomGetterPropertySlot):
1103         (JSC::JSObject::getOwnPropertySlotSlow): Deleted.
1104         * runtime/JSObject.h:
1105         (JSC::JSObject::hasCustomGetterSetterProperties):
1106         (JSC::JSObject::convertToDictionary):
1107         (JSC::JSObject::inlineGetOwnPropertySlot):
1108         (JSC::JSObject::getOwnPropertySlotSlow): Inlined because it looked hot during profiling.
1109         (JSC::JSObject::putOwnDataProperty):
1110         (JSC::JSObject::putDirect):
1111         (JSC::JSObject::putDirectWithoutTransition):
1112         * runtime/JSType.h:
1113         * runtime/Lookup.h:
1114         (JSC::reifyStaticProperties):
1115         * runtime/PropertyDescriptor.h:
1116         (JSC::PropertyDescriptor::PropertyDescriptor):
1117         * runtime/Structure.cpp:
1118         (JSC::Structure::Structure):
1119         (JSC::nextOutOfLineStorageCapacity): Deleted.
1120         (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Deleted.
1121         (JSC::Structure::get): Deleted.
1122         * runtime/Structure.h:
1123         (JSC::Structure::hasCustomGetterSetterProperties):
1124         (JSC::Structure::setHasCustomGetterSetterProperties):
1125         * runtime/StructureInlines.h:
1126         (JSC::Structure::get): Inlined due to hotness.
1127         (JSC::nextOutOfLineStorageCapacity): Inlined due to hotness.
1128         (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Inlined due to hotness.
1129         * runtime/VM.cpp:
1130         (JSC::VM::VM):
1131         * runtime/VM.h:
1132         * runtime/WriteBarrier.h:
1133         (JSC::WriteBarrierBase<Unknown>::isCustomGetterSetter):
1134
1135 2014-06-07  Mark Lam  <mark.lam@apple.com>
1136
1137         Structure should initialize its previousID in its constructor.
1138         <https://webkit.org/b/133606>
1139
1140         Reviewed by Mark Hahnenberg.
1141
1142         Currently, the Structure constructor that takes a previous structure will
1143         initialize its previousID to point to the previous structure's previousID.
1144         This is incorrect.  However, the caller of the Structure::create() factory
1145         method (which instantiated the Structure) will later call setPreviousID()
1146         to set the previousID to the correct previous structure.  This makes the
1147         code confusing to read and more error prone in that the structure relies
1148         on client code to fix its invalid previousID.
1149
1150         This patch fixes this by making the Structure constructor initialize
1151         previousID correctly.
1152
1153         * runtime/Structure.cpp:
1154         (JSC::Structure::Structure):
1155         (JSC::Structure::addPropertyTransition):
1156         (JSC::Structure::nonPropertyTransition):
1157         * runtime/Structure.h:
1158         * runtime/StructureInlines.h:
1159         (JSC::Structure::create):
1160
1161 2014-06-06  Andreas Kling  <akling@apple.com>
1162
1163         Indexed getters should return values directly on the PropertySlot.
1164         <https://webkit.org/b/133586>
1165
1166         Remove PropertySlot's custom index mode.
1167
1168         Reviewed by Darin Adler.
1169
1170         * runtime/JSObject.h:
1171         (JSC::PropertySlot::getValue):
1172         * runtime/PropertySlot.h:
1173         (JSC::PropertySlot::setCustomIndex): Deleted.
1174
1175 2014-06-04  Timothy Horton  <timothy_horton@apple.com>
1176
1177         iOS Debug build fix
1178
1179         Rubber-stamped by Filip Pizlo.
1180
1181         * Configurations/LLVMForJSC.xcconfig:
1182         Dead-code strip the llvmForJSC library unconditionally, to work around <rdar://problem/16920916>.
1183
1184 2014-06-04  Oliver Hunt  <oliver@apple.com>
1185
1186         ArrayIterator should not be exposed in Safari 8
1187         https://bugs.webkit.org/show_bug.cgi?id=133494
1188
1189         Reviewed by Michael Saboff.
1190
1191         Separate out types that require constructor objects, and don't
1192         include the iterator types in that list.
1193
1194         * runtime/JSGlobalObject.cpp:
1195         (JSC::JSGlobalObject::reset):
1196         * runtime/JSGlobalObject.h:
1197
1198 2014-06-04  Filip Pizlo  <fpizlo@apple.com>
1199
1200         DFG::Safepoint::begin() should set m_didCallBegin before releasing the rightToRun lock, because otherwise, Safepoint::checkLivenessAndVisitChildren() may assert due to a race
1201         https://bugs.webkit.org/show_bug.cgi?id=133525
1202         <rdar://problem/16790296>
1203
1204         Reviewed by Oliver Hunt.
1205
1206         * dfg/DFGSafepoint.cpp:
1207         (JSC::DFG::Safepoint::begin):
1208
1209 2014-06-03  Filip Pizlo  <fpizlo@apple.com>
1210
1211         LLVM soft-linking should be truly fail-silent
1212         https://bugs.webkit.org/show_bug.cgi?id=133482
1213
1214         Reviewed by Mark Lam.
1215
1216         * llvm/InitializeLLVMPOSIX.cpp:
1217         (JSC::initializeLLVMPOSIX): Missing return statement in the dlsym() returning null case.
1218
1219 2014-06-03  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
1220
1221         REGRESSION(r169092 and r169102): Skip failing JSC tests properly on non-x86 Darwin platforms
1222         https://bugs.webkit.org/show_bug.cgi?id=133149
1223
1224         Reviewed by Csaba Osztrogonác.
1225
1226         * tests/mozilla/mozilla-tests.yaml: Skip js1_5/Regress/regress-159334.js only if the architecture isn't x86 and the host is Darwin.
1227
1228 2014-05-31  Anders Carlsson  <andersca@apple.com>
1229
1230         Add a LazyNeverDestroyed class template and use it
1231         https://bugs.webkit.org/show_bug.cgi?id=133425
1232
1233         Reviewed by Darin Adler.
1234
1235         * dfg/DFGFunctionWhitelist.cpp:
1236         (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
1237         * dfg/DFGFunctionWhitelist.h:
1238
1239 2014-05-28  Filip Pizlo  <fpizlo@apple.com>
1240
1241         DFG::DCEPhase inserts into an insertion set in reverse, causing hilarious basic block corruption if you kill a lot of NewArrays
1242         https://bugs.webkit.org/show_bug.cgi?id=133368
1243
1244         Reviewed by Mark Lam.
1245
1246         * dfg/DFGDCEPhase.cpp:
1247         (JSC::DFG::DCEPhase::fixupBlock): Loop in the right order so that we insert in the right order.
1248         * tests/stress/new-array-dead.js: Added.
1249         (foo):
1250
1251 2014-05-28  Filip Pizlo  <fpizlo@apple.com>
1252
1253         Unreviewed, fix not-x86 32-bit.
1254
1255         * llint/LowLevelInterpreter32_64.asm:
1256
1257 2014-05-27  Filip Pizlo  <fpizlo@apple.com>
1258
1259         Arrayify neglects to inform the clobberizer that it might fire watchpoints
1260         https://bugs.webkit.org/show_bug.cgi?id=133340
1261
1262         Reviewed by Mark Lam.
1263
1264         * dfg/DFGClobberize.h:
1265         (JSC::DFG::clobberize): Be honest.
1266         * llint/LowLevelInterpreter32_64.asm: Profile the object, not its structure.
1267         * tests/stress/arrayify-fires-watchpoint.js: Added.
1268         (foo):
1269         (test):
1270         (makeObjectArray):
1271         * tests/stress/arrayify-structure-bad-test.js: Added.
1272         (foo):
1273         (test):
1274
1275 2014-05-27  Jon Lee  <jonlee@apple.com>
1276
1277         Update ENABLE(MEDIA_SOURCE) on Mac
1278         https://bugs.webkit.org/show_bug.cgi?id=133141
1279
1280         Reviewed by Darin Adler.
1281
1282         * Configurations/FeatureDefines.xcconfig:
1283
1284 2014-05-27  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>
1285
1286         Remove BLOB guards
1287         https://bugs.webkit.org/show_bug.cgi?id=132863
1288
1289         Reviewed by Csaba Osztrogonác.
1290
1291         * Configurations/FeatureDefines.xcconfig:
1292
1293 2014-05-27  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>
1294
1295         Allow building CMake based ports with WEB_REPLAY
1296         https://bugs.webkit.org/show_bug.cgi?id=133154
1297
1298         Reviewed by Csaba Osztrogonác.
1299
1300         * CMakeLists.txt:
1301
1302 2014-05-25  Filip Pizlo  <fpizlo@apple.com>
1303
1304         Latest emscripten life benchmark is 4x slower because the DFG doesn't realize that arithmetic on booleans is a thing
1305         https://bugs.webkit.org/show_bug.cgi?id=133136
1306
1307         Reviewed by Oliver Hunt.
1308         
1309         Some key concepts:
1310
1311         - Except for the prediction propagation and type fixup phases, which are super early in
1312           the pipeline, nobody has to know about the fact that booleans may flow into numerical
1313           operations because there will just be a BooleanToNumber node that will take a value
1314           and, if that value is a boolean, will convert it to the equivalent numerical value. It
1315           will have a BooleanUse mode where it will also speculate that the input is a boolean
1316           but it can also do UntypedUse in which case it will pass through any non-booleans.
1317           This operation is very easy to model in all of the compiler tiers.
1318
1319         - No changes to the baseline JIT. The Baseline JIT will still believe that boolean
1320           inputs require taking the slow path and it will still report that it took slow path
1321           for any such operations.  The DFG will now be smart enough to ignore baseline JIT slow
1322           path profiling on operations that were known to have had boolean inputs.  That's a
1323           little quirky, but it's probably easier than modifying the baseline JIT to track
1324           booleans correctly.
1325         
1326         4.1x speed-up on the emscripten "life" benchmark. Up to 10x speed-up on microbenchmarks.
1327
1328         * bytecode/SpeculatedType.h:
1329         (JSC::isInt32OrBooleanSpeculation):
1330         (JSC::isInt32SpeculationForArithmetic):
1331         (JSC::isInt32OrBooleanSpeculationForArithmetic):
1332         (JSC::isInt32OrBooleanSpeculationExpectingDefined):
1333         (JSC::isInt52Speculation):
1334         (JSC::isMachineIntSpeculation):
1335         (JSC::isFullNumberOrBooleanSpeculation):
1336         (JSC::isFullNumberOrBooleanSpeculationExpectingDefined):
1337         (JSC::isInt32SpeculationExpectingDefined): Deleted.
1338         (JSC::isMachineIntSpeculationExpectingDefined): Deleted.
1339         (JSC::isMachineIntSpeculationForArithmetic): Deleted.
1340         (JSC::isBytecodeNumberSpeculationExpectingDefined): Deleted.
1341         (JSC::isFullNumberSpeculationExpectingDefined): Deleted.
1342         * dfg/DFGAbstractInterpreterInlines.h:
1343         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1344         * dfg/DFGAllocator.h:
1345         (JSC::DFG::Allocator<T>::indexOf):
1346         * dfg/DFGByteCodeParser.cpp:
1347         (JSC::DFG::ByteCodeParser::makeSafe):
1348         (JSC::DFG::ByteCodeParser::makeDivSafe):
1349         (JSC::DFG::ByteCodeParser::handleIntrinsic):
1350         * dfg/DFGCSEPhase.cpp:
1351         (JSC::DFG::CSEPhase::performNodeCSE):
1352         * dfg/DFGClobberize.h:
1353         (JSC::DFG::clobberize):
1354         * dfg/DFGCommon.h:
1355         * dfg/DFGConstantFoldingPhase.cpp:
1356         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1357         * dfg/DFGFixupPhase.cpp:
1358         (JSC::DFG::FixupPhase::fixupNode):
1359         (JSC::DFG::FixupPhase::fixIntConvertingEdge):
1360         (JSC::DFG::FixupPhase::fixIntOrBooleanEdge):
1361         (JSC::DFG::FixupPhase::fixDoubleOrBooleanEdge):
1362         (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
1363         (JSC::DFG::FixupPhase::fixIntEdge): Deleted.
1364         * dfg/DFGGraph.h:
1365         (JSC::DFG::Graph::addSpeculationMode):
1366         (JSC::DFG::Graph::valueAddSpeculationMode):
1367         (JSC::DFG::Graph::arithAddSpeculationMode):
1368         (JSC::DFG::Graph::addShouldSpeculateInt32):
1369         (JSC::DFG::Graph::mulShouldSpeculateInt32):
1370         (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
1371         (JSC::DFG::Graph::negateShouldSpeculateInt32):
1372         (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
1373         (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
1374         (JSC::DFG::Graph::mulImmediateShouldSpeculateInt32): Deleted.
1375         * dfg/DFGNode.h:
1376         (JSC::DFG::Node::sawBooleans):
1377         (JSC::DFG::Node::shouldSpeculateInt32OrBoolean):
1378         (JSC::DFG::Node::shouldSpeculateInt32ForArithmetic):
1379         (JSC::DFG::Node::shouldSpeculateInt32OrBooleanForArithmetic):
1380         (JSC::DFG::Node::shouldSpeculateInt32OrBooleanExpectingDefined):
1381         (JSC::DFG::Node::shouldSpeculateMachineInt):
1382         (JSC::DFG::Node::shouldSpeculateDouble):
1383         (JSC::DFG::Node::shouldSpeculateNumberOrBoolean):
1384         (JSC::DFG::Node::shouldSpeculateNumberOrBooleanExpectingDefined):
1385         (JSC::DFG::Node::shouldSpeculateNumber):
1386         (JSC::DFG::Node::canSpeculateInt32):
1387         (JSC::DFG::Node::canSpeculateInt52):
1388         (JSC::DFG::Node::sourceFor):
1389         (JSC::DFG::Node::shouldSpeculateInt32ExpectingDefined): Deleted.
1390         (JSC::DFG::Node::shouldSpeculateMachineIntForArithmetic): Deleted.
1391         (JSC::DFG::Node::shouldSpeculateMachineIntExpectingDefined): Deleted.
1392         (JSC::DFG::Node::shouldSpeculateDoubleForArithmetic): Deleted.
1393         (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined): Deleted.
1394         * dfg/DFGNodeFlags.cpp:
1395         (JSC::DFG::dumpNodeFlags):
1396         * dfg/DFGNodeFlags.h:
1397         (JSC::DFG::nodeMayOverflow):
1398         (JSC::DFG::nodeMayNegZero):
1399         (JSC::DFG::nodeCanSpeculateInt32):
1400         (JSC::DFG::nodeCanSpeculateInt52):
1401         * dfg/DFGNodeType.h:
1402         * dfg/DFGPredictionPropagationPhase.cpp:
1403         (JSC::DFG::PredictionPropagationPhase::run):
1404         (JSC::DFG::PredictionPropagationPhase::propagateToFixpoint):
1405         (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
1406         (JSC::DFG::PredictionPropagationPhase::propagate):
1407         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
1408         * dfg/DFGSafeToExecute.h:
1409         (JSC::DFG::safeToExecute):
1410         * dfg/DFGSpeculativeJIT.cpp:
1411         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1412         * dfg/DFGSpeculativeJIT32_64.cpp:
1413         (JSC::DFG::SpeculativeJIT::compile):
1414         * dfg/DFGSpeculativeJIT64.cpp:
1415         (JSC::DFG::SpeculativeJIT::compile):
1416         * ftl/FTLCapabilities.cpp:
1417         (JSC::FTL::canCompile):
1418         * ftl/FTLLowerDFGToLLVM.cpp:
1419         (JSC::FTL::LowerDFGToLLVM::compileNode):
1420         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
1421         (JSC::FTL::LowerDFGToLLVM::compileBooleanToNumber):
1422         * runtime/JSCJSValue.h:
1423         * runtime/JSCJSValueInlines.h:
1424         (JSC::JSValue::asInt32ForArithmetic):
1425         * tests/stress/max-boolean-exit.js: Added.
1426         (foo):
1427         (test):
1428         * tests/stress/mul-boolean-exit.js: Added.
1429         (foo):
1430         (test):
1431         * tests/stress/plus-boolean-exit.js: Added.
1432         (foo):
1433         (test):
1434         * tests/stress/plus-boolean-or-double.js: Added.
1435         (foo):
1436         (test):
1437         * tests/stress/plus-boolean-or-int.js: Added.
1438         (foo):
1439         (test):
1440
1441 2014-05-26  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>
1442
1443         Remove dead code from VM.cpp
1444         https://bugs.webkit.org/show_bug.cgi?id=133284
1445
1446         Reviewed by Darin Adler.
1447
1448         This workaround was added in r127505. Since clang is the
1449         only compiler used in this case, this workaround is obsolete.
1450
1451         * runtime/VM.cpp:
1452         (JSC::enableAssembler):
1453
1454 2014-05-26  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
1455
1456         JSC CLoop warning fix
1457         https://bugs.webkit.org/show_bug.cgi?id=133259
1458
1459         Reviewed by Darin Adler.
1460
1461         * llint/LLIntSlowPaths.cpp:
1462         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1463
1464 2014-05-24  Andreas Kling  <akling@apple.com>
1465
1466         Object.prototype.toString() should use cached strings for null/undefined.
1467         <https://webkit.org/b/133261>
1468
1469         Normally, when calling Object.prototype.toString() on a regular object,
1470         we'd cache the result of the stringification on the object's structure,
1471         making repeated calls fast.
1472
1473         For null and undefined, we were not as smart. We'd instead construct a
1474         new string with either "[object Null]" or "[object Undefined]" each time.
1475
1476         This was exposed by Dromaeo's JS library tests, where some prototype.js
1477         subtests generate millions of strings this way.
1478
1479         This patch adds two VM-permanent cached strings to the SmallStrings.
1480         Looks like ~10% speed-up on Dromaeo/jslib-traverse-prototype.html
1481
1482         Reviewed by Darin Adler.
1483
1484         * runtime/ObjectPrototype.cpp:
1485         (JSC::objectProtoFuncToString):
1486         * runtime/SmallStrings.cpp:
1487         (JSC::SmallStrings::SmallStrings):
1488         (JSC::SmallStrings::initializeCommonStrings):
1489         (JSC::SmallStrings::visitStrongReferences):
1490         * runtime/SmallStrings.h:
1491         (JSC::SmallStrings::nullObjectString):
1492         (JSC::SmallStrings::undefinedObjectString):
1493
1494 2014-05-23  Mark Hahnenberg  <mhahnenberg@apple.com>
1495
1496         Remove operationCallGetter
1497
1498         Rubber stamped by Filip Pizlo.
1499
1500         Nobody calls this function.
1501
1502         * JavaScriptCore.order:
1503         * jit/JITOperations.cpp:
1504         * jit/JITOperations.h:
1505
1506 2014-05-23  Andreas Kling  <akling@apple.com>
1507
1508         Templatize GC's destructor invocation for dtor type.
1509         <https://webkit.org/b/133231>
1510
1511         Get rid of a branch in callDestructor() by templatizing it for
1512         the DestructorType. Removed JSCell::methodTableForDestruction()
1513         since this was the only call site and it was jumping through
1514         a bunch of unnecessary hoops.
1515
1516         Reviewed by Geoffrey Garen.
1517
1518         * heap/MarkedBlock.cpp:
1519         (JSC::MarkedBlock::callDestructor):
1520         (JSC::MarkedBlock::specializedSweep):
1521         * heap/MarkedBlock.h:
1522         * runtime/JSCell.h:
1523         * runtime/JSCellInlines.h:
1524         (JSC::JSCell::methodTableForDestruction): Deleted.
1525
1526 2014-05-23  Andreas Kling  <akling@apple.com>
1527
1528         Support inline caching of RegExpMatchesArray.length
1529         <https://webkit.org/b/133234>
1530
1531         Give RegExpMatchesArray.length the same treatment as JSArray in
1532         repatch so we don't have to go out of line on every access.
1533
1534         ~13% speed-up on Octane/regexp.
1535
1536         Reviewed by Geoffrey Garen.
1537
1538         * jit/Repatch.cpp:
1539         (JSC::tryCacheGetByID):
1540         * runtime/RegExpMatchesArray.h:
1541         (JSC::isRegExpMatchesArray):
1542
1543 2014-05-22  Mark Lam  <mark.lam@apple.com>
1544
1545         REGRESSION(r154797): Debugger crashes when stepping over an uncaught exception.
1546         <https://webkit.org/b/133182>
1547
1548         Reviewed by Oliver Hunt.
1549
1550         Before r154797, we used to clear the VM exception before calling into the
1551         debugger.  After r154797, we don't.  This patch will restore this clearing
1552         of the exception before calling into the debugger.
1553
1554         Also added assertions after returning from calls into the debugger to
1555         ensure that the debugger did not introduce any exceptions.
1556
1557         * interpreter/Interpreter.cpp:
1558         (JSC::unwindCallFrame):
1559         (JSC::Interpreter::unwind):
1560         (JSC::Interpreter::debug):
1561         - Fixed the assertion here.  Interpreter::debug() should never be called
1562           with a pending exception.  Debugger callbacks for exceptions should be
1563           handled by Interpreter::unwind() and Interpreter::unwindCallFrame().
1564
1565 2014-05-21  Filip Pizlo  <fpizlo@apple.com>
1566
1567         Store barrier elision should run after DCE in both the DFG path and the FTL path
1568         https://bugs.webkit.org/show_bug.cgi?id=129718
1569
1570         Rubber stamped by Mark Hahnenberg.
1571
1572         * dfg/DFGPlan.cpp:
1573         (JSC::DFG::Plan::compileInThreadImpl):
1574
1575 2014-05-21  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>
1576
1577         [EFL] Add include path of compact_unwind_encoding.h if FTL JIT is enabled
1578         https://bugs.webkit.org/show_bug.cgi?id=132907
1579
1580         Reviewed by Gyuyoung Kim.
1581
1582         * CMakeLists.txt:
1583
1584 2014-05-16  Martin Robinson  <mrobinson@igalia.com>
1585
1586         [CMake] Improve handling of LIB_INSTALL_DIR, EXEC_INSTALL_DIR, and LIBEXEC_INSTALL_DIR
1587         https://bugs.webkit.org/show_bug.cgi?id=132819
1588
1589         Reviewed by Carlos Garcia Campos.
1590
1591         * javascriptcoregtk.pc.in: Instead of using the special pkg-config variables,
1592         use the common CMake ones directly.
1593
1594 2014-05-21  Filip Pizlo  <fpizlo@apple.com>
1595
1596         Unreviewed, roll out http://trac.webkit.org/changeset/169159.
1597         
1598         This was a unilateral change and wasn't properly reviewed.
1599
1600         * tests/mozilla/mozilla-tests.yaml:
1601
1602 2014-05-21  Antoine Quint  <graouts@webkit.org>
1603
1604         Array.prototype.find and findIndex should skip holes
1605         https://bugs.webkit.org/show_bug.cgi?id=132658
1606
1607         Reviewed by Geoffrey Garen.
1608
1609         Skip holes in the array when iterating so that the callback isn't called.
1610
1611         * builtins/Array.prototype.js:
1612         (find):
1613         (findIndex):
1614
1615 2014-05-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
1616
1617         REGRESSION(r169092 and r169102): Skip failing JSC tests on ARM64 properly
1618         https://bugs.webkit.org/show_bug.cgi?id=133149
1619
1620         Reviewed by Csaba Osztrogonác.
1621
1622         * tests/mozilla/mozilla-tests.yaml:
1623
1624 2014-05-20  Geoffrey Garen  <ggaren@apple.com>
1625
1626         Rolled out <http://trac.webkit.org/changeset/166184>
1627         https://bugs.webkit.org/show_bug.cgi?id=133144
1628
1629         Reviewed by Gavin Barraclough.
1630
1631         It caused a performance regression.
1632
1633         * heap/BlockAllocator.cpp:
1634         (JSC::BlockAllocator::blockFreeingThreadStartFunc):
1635
1636 2014-05-20  Filip Pizlo  <fpizlo@apple.com>
1637
1638         DFG prediction propagation should agree with fixup phase over the return type of GetByVal
1639         https://bugs.webkit.org/show_bug.cgi?id=133134
1640
1641         Reviewed by Mark Hahnenberg.
1642         
1643         Make prediction propagator use ArrayMode refinement to decide the return type.
1644         
1645         Also introduce a heap prediction intrinsic that allows us to test weird corner cases
1646         like this. The only way we'll see a mismatch like this in the real world is probably
1647         through a gnarly race condition.
1648
1649         * dfg/DFGByteCodeParser.cpp:
1650         (JSC::DFG::ByteCodeParser::handleIntrinsic):
1651         * dfg/DFGNode.h:
1652         (JSC::DFG::Node::setHeapPrediction):
1653         * dfg/DFGPredictionPropagationPhase.cpp:
1654         (JSC::DFG::PredictionPropagationPhase::propagate):
1655         * jsc.cpp:
1656         (GlobalObject::finishCreation):
1657         (functionFalse1):
1658         (functionFalse2):
1659         (functionUndefined1):
1660         (functionUndefined2):
1661         (functionFalse): Deleted.
1662         (functionOtherFalse): Deleted.
1663         (functionUndefined): Deleted.
1664         * runtime/Intrinsic.h:
1665         * tests/stress/get-by-val-double-predicted-int.js: Added.
1666         (foo):
1667
1668 2014-05-20  Mark Hahnenberg  <mhahnenberg@apple.com>
1669
1670         Watchdog timer should be lazily allocated
1671         https://bugs.webkit.org/show_bug.cgi?id=133135
1672
1673         Reviewed by Geoffrey Garen.
1674
1675         We incur a noticeable amount of overhead on some benchmarks due to checking if the Watchdog ever fired. 
1676         There is no reason to do this checking if we never activated the Watchdog, which can only be done through 
1677         JSContextGroupSetExecutionTimeLimit or JSContextGroupClearExecutionTimeLimit. 
1678
1679         By allocating the Watchdog lazily on the VM we can avoid all of the associated overhead when we don't use 
1680         these two API functions (which is true of most clients).
1681
1682         * API/JSContextRef.cpp:
1683         (JSContextGroupSetExecutionTimeLimit):
1684         (JSContextGroupClearExecutionTimeLimit):
1685         * dfg/DFGByteCodeParser.cpp:
1686         (JSC::DFG::ByteCodeParser::parseBlock):
1687         * dfg/DFGSpeculativeJIT32_64.cpp:
1688         (JSC::DFG::SpeculativeJIT::compile):
1689         * dfg/DFGSpeculativeJIT64.cpp:
1690         (JSC::DFG::SpeculativeJIT::compile):
1691         * interpreter/Interpreter.cpp:
1692         (JSC::Interpreter::execute):
1693         (JSC::Interpreter::executeCall):
1694         (JSC::Interpreter::executeConstruct):
1695         * jit/JITOpcodes.cpp:
1696         (JSC::JIT::emit_op_loop_hint):
1697         (JSC::JIT::emitSlow_op_loop_hint):
1698         * jit/JITOperations.cpp:
1699         * llint/LLIntSlowPaths.cpp:
1700         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1701         * runtime/VM.h:
1702         * runtime/Watchdog.cpp:
1703         (JSC::Watchdog::Scope::Scope): Deleted.
1704         (JSC::Watchdog::Scope::~Scope): Deleted.
1705         * runtime/Watchdog.h:
1706         (JSC::Watchdog::Scope::Scope):
1707         (JSC::Watchdog::Scope::~Scope):
1708
1709 2014-05-19  Mark Hahnenberg  <mhahnenberg@apple.com>
1710
1711         JSArray::shiftCountWith* could be more efficient
1712         https://bugs.webkit.org/show_bug.cgi?id=133011
1713
1714         Reviewed by Geoffrey Garen.
1715
1716         Our current implementations of shiftCountWithAnyIndexingType and shiftCountWithArrayStorage 
1717         are scared of the presence of any holes in the array. We can mitigate this somewhat by enabling 
1718         them to correctly handle holes, thus avoiding the slowest of slow paths in most cases.
1719
1720         * runtime/ArrayStorage.h:
1721         (JSC::ArrayStorage::indexingHeader):
1722         (JSC::ArrayStorage::length):
1723         (JSC::ArrayStorage::hasHoles):
1724         * runtime/IndexingHeader.h:
1725         (JSC::IndexingHeader::publicLength):
1726         (JSC::IndexingHeader::from):
1727         * runtime/JSArray.cpp:
1728         (JSC::JSArray::shiftCountWithArrayStorage):
1729         (JSC::JSArray::shiftCountWithAnyIndexingType):
1730         (JSC::JSArray::unshiftCountWithArrayStorage):
1731         * runtime/JSArray.h:
1732         (JSC::JSArray::shiftCountForShift):
1733         (JSC::JSArray::shiftCountForSplice):
1734         (JSC::JSArray::shiftCount):
1735         * runtime/Structure.cpp:
1736         (JSC::Structure::holesRequireSpecialBehavior):
1737         * runtime/Structure.h:
1738
1739 2014-05-19  Filip Pizlo  <fpizlo@apple.com>
1740
1741         Test gardening: skip some failing tests on not-X86.
1742
1743         * tests/mozilla/mozilla-tests.yaml:
1744
1745 2014-05-19  Mark Lam  <mark.lam@apple.com>
1746
1747         operationOptimize() should defer the GC for a while.
1748         <https://webkit.org/b/133103>
1749
1750         Reviewed by Filip Pizlo.
1751
1752         Currently, operationOptimize() only defers the GC until its end.  As a result,
1753         a GC may be triggered just before we return from operationOptimize(), and it may
1754         jettison the optimized codeBlock that we're planning to OSR enter into when we
1755         return from this function.  This is because the OSR entry on-ramp code hasn't
1756         been executed yet, and hence, there is not yet a reference to this new codeBlock
1757         from the stack, and there won't be until we've had a chance to return out of
1758         operationOptimize() to run the OSR entry on-ramp code.
1759
1760         This issue is now fixed by using DeferGCForAWhile instead of DeferGC.  This
1761         ensures that the GC will be deferred until after the OSR entry on-ramp can be
1762         executed.
1763
1764         * jit/JITOperations.cpp:
1765
1766 2014-05-19  Filip Pizlo  <fpizlo@apple.com>
1767
1768         Take care of some ARM64 test failures
1769         https://bugs.webkit.org/show_bug.cgi?id=133090
1770
1771         Reviewed by Geoffrey Garen.
1772         
1773         Constant blinding on ARM64 cannot use the scratch register.
1774
1775         * assembler/MacroAssembler.h:
1776         (JSC::MacroAssembler::convertInt32ToDouble):
1777         (JSC::MacroAssembler::branchPtr):
1778         (JSC::MacroAssembler::storePtr):
1779         (JSC::MacroAssembler::store64):
1780         * assembler/MacroAssemblerARM64.h:
1781         (JSC::MacroAssemblerARM64::scratchRegisterForBlinding):
1782
1783 2014-05-19  Tanay C  <tanay.c@samsung.com>
1784
1785         Removing some check-webkit-style warnings from ./dfg
1786         https://bugs.webkit.org/show_bug.cgi?id=132854
1787
1788         Reviewed by Darin Adler.
1789
1790         * dfg/DFGAbstractInterpreter.h:
1791         * dfg/DFGAbstractValue.h:
1792         * dfg/DFGBlockInsertionSet.h:
1793         * dfg/DFGCommonData.h:
1794         * dfg/DFGDominators.h:
1795         * dfg/DFGGraph.h:
1796         * dfg/DFGInPlaceAbstractState.h:
1797         * dfg/DFGPredictionPropagationPhase.h:
1798
1799 2014-05-18  Filip Pizlo  <fpizlo@apple.com>
1800
1801         Unreviewed, remove bogus comment. We already made the FTL use our calling convention.
1802         That was a long time ago.
1803
1804         * ftl/FTLLowerDFGToLLVM.cpp:
1805         (JSC::FTL::LowerDFGToLLVM::compileReturn):
1806
1807 2014-05-18  Rik Cabanier  <cabanier@adobe.com>
1808
1809         support for navigator.hardwareConcurrency
1810         https://bugs.webkit.org/show_bug.cgi?id=132588
1811
1812         Reviewed by Filip Pizlo.
1813
1814         * Configurations/FeatureDefines.xcconfig:
1815
1816 2014-05-16  Michael Saboff  <msaboff@apple.com>
1817
1818         Crash in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed() due to WTF::CrashOnOverflow::overflowed + 9
1819         https://bugs.webkit.org/show_bug.cgi?id=133009
1820
1821         Reviewed by Oliver Hunt.
1822
1823         If we determine that any alternative requires a minimum match size greater than
1824         INT_MAX, we handle the match in the interpreter.
1825
1826         Check to see if the pattern has unsigned lengths before invoking YARR JIT.
1827         * runtime/RegExp.cpp:
1828         (JSC::RegExp::compile):
1829         (JSC::RegExp::compileMatchOnly):
1830
1831         * tests/stress/large-regexp.js: New test added.
1832
1833         Set m_containsUnsignedLengthPattern flag if any alternative's minimum length
1834         doesn't fit in an int.
1835         * yarr/YarrPattern.cpp:
1836         (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):
1837
1838         Clear new m_containsUnsignedLengthPattern flag.
1839         * yarr/YarrPattern.cpp:
1840         (JSC::Yarr::YarrPattern::YarrPattern):
1841         * yarr/YarrPattern.h:
1842         (JSC::Yarr::YarrPattern::reset):
1843         (JSC::Yarr::YarrPattern::containsUnsignedLengthPattern):
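
The check described in the entry above (bug 133009), as an added C++ example that is not JavaScriptCore's or Yarr's own code: a checked minimum-match-length computation that flags any alternative whose minimum does not fit in an int, and a gate that keeps such patterns on the interpreter instead of the JIT. Term, Alternative, Pattern, analyzePattern and shouldUseJIT are simplified stand-ins assumed for illustration; only the flag name containsUnsignedLengthPattern comes from the entry, and the sample patterns are constructed here.

```cpp
// Added example, not JavaScriptCore's own code: a checked minimum-match-length
// pass that sets a containsUnsignedLengthPattern flag the way the entry
// describes, and a shouldUseJIT() gate built on it. Term, Alternative, Pattern
// and the function names are simplified stand-ins for Yarr's real structures.
#include <climits>
#include <cstdint>
#include <vector>

struct Term {
    unsigned atomMinLength; // characters one repetition must consume (1 for a literal)
    unsigned minCount;      // minimum repetitions: a{5,} -> 5, a* -> 0, a -> 1
};
struct Alternative { std::vector<Term> terms; };
struct Pattern { std::vector<Alternative> alternatives; };

struct MinLengthInfo {
    unsigned minimumSize;               // smallest minimum among alternatives that fit in an int
    bool containsUnsignedLengthPattern; // true if any alternative's minimum does not fit in an int
};

// Minimum length of one alternative, accumulated in 64 bits and rejected as
// soon as it exceeds INT_MAX. Each operand is at most UINT_MAX, so neither the
// product nor the running sum can wrap a uint64_t before the check fires.
static bool alternativeMinLength(const Alternative& alt, unsigned& out)
{
    uint64_t total = 0;
    for (const Term& t : alt.terms) {
        total += static_cast<uint64_t>(t.atomMinLength) * t.minCount;
        if (total > static_cast<uint64_t>(INT_MAX))
            return false; // would overflow the int offsets the JIT works with
    }
    out = static_cast<unsigned>(total);
    return true;
}

MinLengthInfo analyzePattern(const Pattern& p)
{
    MinLengthInfo info = { UINT_MAX, false };
    for (const Alternative& alt : p.alternatives) {
        unsigned length = 0;
        if (!alternativeMinLength(alt, length)) {
            info.containsUnsignedLengthPattern = true; // remember, but keep scanning
            continue;
        }
        if (length < info.minimumSize)
            info.minimumSize = length;
    }
    if (info.minimumSize == UINT_MAX)
        info.minimumSize = 0; // no alternative fit, or the pattern had none
    return info;
}

// The gate the entry adds before invoking the JIT: a pattern with an
// unrepresentable minimum length stays on the interpreter path.
bool shouldUseJIT(const Pattern& p)
{
    return !analyzePattern(p).containsUnsignedLengthPattern;
}

// Constructed sample patterns (not from the original page).
// /ab|c{3}/ : both alternatives have small minimums (2 and 3).
Pattern samplePatternSmall()
{
    Pattern p;
    p.alternatives.push_back({ { {1, 1}, {1, 1} } });
    p.alternatives.push_back({ { {1, 3} } });
    return p;
}

// /a{2147483647}a{2}|b/ : the first alternative's minimum is INT_MAX + 2,
// which does not fit in an int; the second alternative's minimum is 1.
Pattern samplePatternOverflowing()
{
    Pattern p;
    p.alternatives.push_back({ { {1, 2147483647u}, {1, 2} } });
    p.alternatives.push_back({ { {1, 1} } });
    return p;
}
```

The accumulation is done in a wider type and compared against INT_MAX after every term rather than after the whole alternative, so a single oversized quantifier is caught before any later term could wrap the running total; the flag is sticky across alternatives, since one unrepresentable alternative is enough to make the JIT's int-sized offsets unsafe for the whole pattern.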
1844
1845 2014-05-15  Mark Hahnenberg  <mhahnenberg@apple.com>
1846
1847         JSDOMWindow should not claim HasImpureGetOwnPropertySlot
1848         https://bugs.webkit.org/show_bug.cgi?id=132918
1849
1850         Reviewed by Geoffrey Garen.
1851
1852         * jit/Repatch.cpp:
1853         (JSC::tryRepatchIn): We forgot to check for watchpoints when repatching "in".
1854
1855 2014-05-15  Alex Christensen  <achristensen@webkit.org>
1856
1857         Add pointer lock to features without enabling it.
1858         https://bugs.webkit.org/show_bug.cgi?id=132961
1859
1860         Reviewed by Sam Weinig.
1861
1862         * Configurations/FeatureDefines.xcconfig:
1863         Added ENABLE_POINTER_LOCK to list of features.
1864
1865 2014-05-14  Mark Hahnenberg  <mhahnenberg@apple.com>
1866
1867         Inline caching for proxies clobbers baseGPR too early
1868         https://bugs.webkit.org/show_bug.cgi?id=132916
1869
1870         Reviewed by Filip Pizlo.
1871
1872         We clobber baseGPR prior to the Structure checks, so if any of the checks fail then the slow path 
1873         gets the target of the proxy rather than the proxy itself. We need to delay the clobbering of baseGPR 
1874         until we know the inline cache is going to succeed.
1875
1876         * jit/Repatch.cpp:
1877         (JSC::generateByIdStub):
1878
1879 2014-05-14  Brent Fulgham  <bfulgham@apple.com>
1880
1881         [Win] Unreviewed build fix.
1882
1883         * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: This solution
1884         was missing commands to build LLInt portions of JSC.
1885         * llint/LLIntData.cpp: 64-bit build fix.
1886
1887 2014-05-14  Martin Hodovan <mhodovan.u-szeged@partner.samsung.com>
1888
1889         ARM Traditional buildfix after r168776.
1890         https://bugs.webkit.org/show_bug.cgi?id=132903
1891
1892         Reviewed by Darin Adler.
1893
1894         * assembler/MacroAssemblerARM.h:
1895         (JSC::MacroAssemblerARM::abortWithReason): Added.
1896
1897 2014-05-14  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>
1898
1899         Remove CSS_STICKY_POSITION guards
1900         https://bugs.webkit.org/show_bug.cgi?id=132676
1901
1902         Reviewed by Simon Fraser.
1903
1904         * Configurations/FeatureDefines.xcconfig:
1905
1906 2014-05-13  Filip Pizlo  <fpizlo@apple.com>
1907
1908         JIT breakpoints should be more informative
1909         https://bugs.webkit.org/show_bug.cgi?id=132882
1910
1911         Reviewed by Oliver Hunt.
1912         
1913         Introduce the notion of an AbortReason, which is a nice enumeration of coded assertion
1914         failure names. This means that all you need to do to figure out why the JIT SIGTRAP'd is to
1915         look at that platform's abort reason register (r11 on X86-64 for example).
1916
1917         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1918         * JavaScriptCore.xcodeproj/project.pbxproj:
1919         * assembler/AbortReason.h: Added.
1920         * assembler/AbstractMacroAssembler.h:
1921         * assembler/MacroAssemblerARM64.h:
1922         (JSC::MacroAssemblerARM64::abortWithReason):
1923         * assembler/MacroAssemblerARMv7.h:
1924         (JSC::MacroAssemblerARMv7::abortWithReason):
1925         * assembler/MacroAssemblerX86.h:
1926         (JSC::MacroAssemblerX86::abortWithReason):
1927         * assembler/MacroAssemblerX86_64.h:
1928         (JSC::MacroAssemblerX86_64::abortWithReason):
1929         * dfg/DFGSlowPathGenerator.h:
1930         (JSC::DFG::SlowPathGenerator::generate):
1931         * dfg/DFGSpeculativeJIT.cpp:
1932         (JSC::DFG::SpeculativeJIT::bail):
1933         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1934         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1935         * dfg/DFGSpeculativeJIT.h:
1936         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
1937         * dfg/DFGSpeculativeJIT32_64.cpp:
1938         (JSC::DFG::SpeculativeJIT::compile):
1939         * dfg/DFGSpeculativeJIT64.cpp:
1940         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1941         (JSC::DFG::SpeculativeJIT::compile):
1942         * dfg/DFGThunks.cpp:
1943         (JSC::DFG::osrEntryThunkGenerator):
1944         * jit/AssemblyHelpers.cpp:
1945         (JSC::AssemblyHelpers::jitAssertIsInt32):
1946         (JSC::AssemblyHelpers::jitAssertIsJSInt32):
1947         (JSC::AssemblyHelpers::jitAssertIsJSNumber):
1948         (JSC::AssemblyHelpers::jitAssertIsJSDouble):
1949         (JSC::AssemblyHelpers::jitAssertIsCell):
1950         (JSC::AssemblyHelpers::jitAssertTagsInPlace):
1951         (JSC::AssemblyHelpers::jitAssertHasValidCallFrame):
1952         (JSC::AssemblyHelpers::jitAssertIsNull):
1953         (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
1954         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
1955         * jit/AssemblyHelpers.h:
1956         (JSC::AssemblyHelpers::checkStackPointerAlignment):
1957         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): Deleted.
1958         * jit/JIT.h:
1959         * jit/JITArithmetic.cpp:
1960         (JSC::JIT::emitSlow_op_div):
1961         * jit/JITOpcodes.cpp:
1962         (JSC::JIT::emitSlow_op_loop_hint):
1963         * jit/JITOpcodes32_64.cpp:
1964         (JSC::JIT::privateCompileCTINativeCall):
1965         * jit/JITPropertyAccess.cpp:
1966         (JSC::JIT::emit_op_get_by_val):
1967         (JSC::JIT::compileGetDirectOffset):
1968         (JSC::JIT::addStructureTransitionCheck): Deleted.
1969         (JSC::JIT::testPrototype): Deleted.
1970         * jit/JITPropertyAccess32_64.cpp:
1971         (JSC::JIT::emit_op_get_by_val):
1972         (JSC::JIT::compileGetDirectOffset):
1973         * jit/RegisterPreservationWrapperGenerator.cpp:
1974         (JSC::generateRegisterRestoration):
1975         * jit/Repatch.cpp:
1976         (JSC::addStructureTransitionCheck):
1977         (JSC::linkClosureCall):
1978         * jit/ThunkGenerators.cpp:
1979         (JSC::emitPointerValidation):
1980         (JSC::nativeForGenerator):
1981         * yarr/YarrJIT.cpp:
1982         (JSC::Yarr::YarrGenerator::generate):
1983
1984 2014-05-13  peavo@outlook.com  <peavo@outlook.com>
1985
1986         [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
1987         https://bugs.webkit.org/show_bug.cgi?id=132772
1988
1989         Reviewed by Geoffrey Garen.
1990
1991         Using the MSVC compiler, an instance of an enum type with value zero is compatible with void* (see bug 132683 for a code example).
1992         This has caused crashes on Windows on two occasions (bug 132683 and bug 121001).
1993         This patch tries to prevent these types of crashes by using a type with explicit constructors instead of void*.
1994         The void* parameter in the loadDouble and storeDouble methods is replaced with TrustedImmPtr.
1995
1996         * assembler/MacroAssemblerARM.h:
1997         (JSC::MacroAssemblerARM::loadDouble):
1998         (JSC::MacroAssemblerARM::storeDouble):
1999         * assembler/MacroAssemblerARM64.h:
2000         (JSC::MacroAssemblerARM64::loadDouble):
2001         (JSC::MacroAssemblerARM64::storeDouble):
2002         * assembler/MacroAssemblerARMv7.h:
2003         (JSC::MacroAssemblerARMv7::loadDouble):
2004         (JSC::MacroAssemblerARMv7::storeDouble):
2005         * assembler/MacroAssemblerMIPS.h:
2006         (JSC::MacroAssemblerMIPS::loadDouble):
2007         (JSC::MacroAssemblerMIPS::storeDouble):
2008         * assembler/MacroAssemblerSH4.h:
2009         (JSC::MacroAssemblerSH4::loadDouble):
2010         (JSC::MacroAssemblerSH4::storeDouble):
2011         * assembler/MacroAssemblerX86.h:
2012         (JSC::MacroAssemblerX86::storeDouble):
2013         * assembler/MacroAssemblerX86Common.h:
2014         (JSC::MacroAssemblerX86Common::absDouble):
2015         (JSC::MacroAssemblerX86Common::negateDouble):
2016         (JSC::MacroAssemblerX86Common::loadDouble):
2017         * dfg/DFGSpeculativeJIT.cpp:
2018         (JSC::DFG::SpeculativeJIT::silentFill):
2019         (JSC::DFG::compileClampDoubleToByte):
2020         * dfg/DFGSpeculativeJIT32_64.cpp:
2021         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2022         (JSC::DFG::SpeculativeJIT::compile):
2023         * jit/AssemblyHelpers.cpp:
2024         (JSC::AssemblyHelpers::purifyNaN):
2025         * jit/JITInlines.h:
2026         (JSC::JIT::emitLoadDouble):
2027         * jit/JITPropertyAccess.cpp:
2028         (JSC::JIT::emitFloatTypedArrayGetByVal):
2029         * jit/ThunkGenerators.cpp:
2030         (JSC::floorThunkGenerator):
2031         (JSC::roundThunkGenerator):
2032         (JSC::powThunkGenerator):
2033
2034 2014-05-12  Commit Queue  <commit-queue@webkit.org>
2035
2036         Unreviewed, rolling out r168642.
2037         https://bugs.webkit.org/show_bug.cgi?id=132839
2038
2039         Broke ARM build (Requested by jpfau on #webkit).
2040
2041         Reverted changeset:
2042
2043         "[Win] Enum type with value zero is compatible with void*,
2044         potential cause of crashes."
2045         https://bugs.webkit.org/show_bug.cgi?id=132772
2046         http://trac.webkit.org/changeset/168642
2047
2048 2014-05-12  peavo@outlook.com  <peavo@outlook.com>
2049
2050         [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
2051         https://bugs.webkit.org/show_bug.cgi?id=132772
2052
2053         Reviewed by Geoffrey Garen.
2054
2055         Using the MSVC compiler, an instance of an enum type with value zero is compatible with void* (see bug 132683 for a code example).
2056         This has caused crashes on Windows on two occasions (bug 132683 and bug 121001).
2057         This patch tries to prevent these types of crashes by using a type with explicit constructors instead of void*.
2058         The void* parameter in the loadDouble and storeDouble methods is replaced with TrustedImmPtr.
2059
2060         * assembler/MacroAssemblerARM.h:
2061         (JSC::MacroAssemblerARM::loadDouble):
2062         (JSC::MacroAssemblerARM::storeDouble):
2063         * assembler/MacroAssemblerARM64.h:
2064         (JSC::MacroAssemblerARM64::loadDouble):
2065         (JSC::MacroAssemblerARM64::storeDouble):
2066         * assembler/MacroAssemblerARMv7.h:
2067         (JSC::MacroAssemblerARMv7::loadDouble):
2068         (JSC::MacroAssemblerARMv7::storeDouble):
2069         * assembler/MacroAssemblerMIPS.h:
2070         (JSC::MacroAssemblerMIPS::loadDouble):
2071         (JSC::MacroAssemblerMIPS::storeDouble):
2072         * assembler/MacroAssemblerSH4.h:
2073         (JSC::MacroAssemblerSH4::loadDouble):
2074         (JSC::MacroAssemblerSH4::storeDouble):
2075         * assembler/MacroAssemblerX86.h:
2076         (JSC::MacroAssemblerX86::storeDouble):
2077         * assembler/MacroAssemblerX86Common.h:
2078         (JSC::MacroAssemblerX86Common::absDouble):
2079         (JSC::MacroAssemblerX86Common::negateDouble):
2080         (JSC::MacroAssemblerX86Common::loadDouble):
2081         * dfg/DFGSpeculativeJIT.cpp:
2082         (JSC::DFG::SpeculativeJIT::silentFill):
2083         (JSC::DFG::compileClampDoubleToByte):
2084         * dfg/DFGSpeculativeJIT32_64.cpp:
2085         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2086         (JSC::DFG::SpeculativeJIT::compile):
2087         * jit/AssemblyHelpers.cpp:
2088         (JSC::AssemblyHelpers::purifyNaN):
2089         * jit/JITInlines.h:
2090         (JSC::JIT::emitLoadDouble):
2091         * jit/JITPropertyAccess.cpp:
2092         (JSC::JIT::emitFloatTypedArrayGetByVal):
2093         * jit/ThunkGenerators.cpp:
2094         (JSC::floorThunkGenerator):
2095         (JSC::roundThunkGenerator):
2096         (JSC::powThunkGenerator):
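
The conversion hazard and the fix described in the two bug 132772 entries above (the 2014-05-13 re-landing and the original 2014-05-12 landing), as an added C++ example that is not JavaScriptCore's own code: a raw void* parameter beside a wrapper type with an explicit constructor, with static_asserts showing that the wrapper closes the implicit conversion path. The Flag enum, the loadDouble overloads and the TrustedImmPtr class here are illustrative stand-ins; only the name TrustedImmPtr comes from the entries.

```cpp
// Added example, not JavaScriptCore's own code: the "explicit wrapper type
// instead of void*" pattern the entry describes. Flag, TrustedImmPtr and the
// loadDouble overloads are stand-in names chosen for illustration.
#include <cstdint>
#include <type_traits>

// Hypothetical unscoped enum whose first enumerator is 0. The entry reports
// that MSVC treated such a zero-valued enumerator as a null pointer constant,
// so an enum argument silently bound to a void* parameter.
enum Flag { NoFlag = 0, SomeFlag = 1 };

// Hardened address parameter: constructible only explicitly and only from a
// pointer, so an enum argument has no implicit conversion path into it.
class TrustedImmPtr {
public:
    explicit TrustedImmPtr(const void* value) : m_value(value) {}
    const void* asPtr() const { return m_value; }
private:
    const void* m_value;
};

// Before: a raw void* parameter. On the lenient compiler the call
// loadDouble(NoFlag, out) compiled and arrived here with address == nullptr.
namespace before {
bool loadDouble(const void* address, double& out)
{
    if (!address)
        return false; // in the JIT this was a crash, not a clean failure
    out = *static_cast<const double*>(address);
    return true;
}
}

// After: the parameter is TrustedImmPtr. loadDouble(NoFlag, out) no longer
// compiles anywhere, because TrustedImmPtr's only constructor is explicit.
namespace after {
bool loadDouble(TrustedImmPtr address, double& out)
{
    const double* p = static_cast<const double*>(address.asPtr());
    if (!p)
        return false;
    out = *p;
    return true;
}
}

// Compile-time evidence for the hardening; a failing line here is a build break.
static_assert(!std::is_convertible<Flag, TrustedImmPtr>::value,
              "enum must not implicitly convert to TrustedImmPtr");
static_assert(!std::is_convertible<const double*, TrustedImmPtr>::value,
              "even a real pointer must be wrapped explicitly");
static_assert(std::is_constructible<TrustedImmPtr, const double*>::value,
              "explicit wrapping of a real pointer is allowed");

// Reproduces what the mis-resolved call did: the enum's value 0 arrives as a
// null address. The cast is spelled out because conforming compilers reject
// the implicit form; the pointer that reaches loadDouble is the same null.
bool loadThroughMisresolvedEnum(double& out)
{
    const void* address = reinterpret_cast<const void*>(static_cast<uintptr_t>(NoFlag));
    return before::loadDouble(address, out);
}

// Correct use of the hardened overload: the caller must name the wrapper.
double loadThroughTrustedImmPtr(double value)
{
    double out = 0;
    after::loadDouble(TrustedImmPtr(&value), out);
    return out;
}
```

The point of the wrapper is not the extra indirection but the `explicit` keyword: overload resolution may still consider a user-defined conversion for a void* parameter, whereas an explicit constructor is never used for an implicit argument conversion, so the mistaken call becomes a compile error on every compiler rather than a null dereference at run time on one of them.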
2097
2098 2014-05-12  Andreas Kling  <akling@apple.com>
2099
2100         0.4% of PLT3 in JSCell::structure() below JSObject::visitChildren().
2101         <https://webkit.org/b/132828>
2102         <rdar://problem/16886285>
2103
2104         Reviewed by Michael Saboff.
2105
2106         * runtime/JSObject.cpp:
2107         (JSC::JSObject::visitButterfly):
2108         (JSC::JSObject::visitChildren):
2109
2110             Use JSCell::structure(VM&) to reduce the number of hoops we jump
2111             through to find Structures during marking.
2112
2113 2014-05-12  László Langó  <llango.u-szeged@partner.samsung.com>
2114
2115         [cmake] Add missing FTL source files to the build system.
2116
2117         Reviewed by Csaba Osztrogonác.
2118
2119         * CMakeLists.txt:
2120
2121 2014-05-09  Joseph Pecoraro  <pecoraro@apple.com>
2122
2123         Web Inspector: Allow Remote Inspector to entitlement check UIProcess through WebProcess
2124         https://bugs.webkit.org/show_bug.cgi?id=132409
2125
2126         Reviewed by Timothy Hatcher.
2127
2128         Proxy applications are applications which hold WebViews for other
2129         applications. The WebProcess (Web Content Service) is a proxy application.
2130         For legacy reasons we were supporting a scenario where proxy applications
2131         could potentially host WebViews for more than one other application. That
2132         was never the case for WebProcess and it is now a scenario we don't need
2133         to worry about supporting.
2134
2135         With this change, a proxy application more naturally only holds WebViews
2136         for a single parent / host application. The proxy process can set the
2137         parent pid / audit_token data on the RemoteInspector singleton, and
2138         that data will be sent on to webinspectord later on to be validated.
2139         In the WebProcess<->UIProcess relationship that information is known
2140         and set immediately. In the Legacy iOS case that information is set
2141         soon after, but not immediately known at the point the WebView is created.
2142
2143         This allows us to simplify the RemoteInspectorDebuggable interface.
2144         We no longer need a pid per-Debuggable.
2145
2146         * inspector/remote/RemoteInspector.h:
2147         * inspector/remote/RemoteInspector.mm:
2148         (Inspector::RemoteInspector::RemoteInspector):
2149         (Inspector::RemoteInspector::setParentProcessInformation):
2150         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
2151         (Inspector::RemoteInspector::listingForDebuggable):
2152         (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
2153         Handle new proxy application setup message, and provide an API
2154         for a proxy application to set the parent process information.
2155
2156         * inspector/remote/RemoteInspectorConstants.h:
2157         New setup and response message for proxy applications to pass
2158         their parent / host application information to webinspectord.
2159
2160         * inspector/remote/RemoteInspectorDebuggable.cpp:
2161         (Inspector::RemoteInspectorDebuggable::info):
2162         * inspector/remote/RemoteInspectorDebuggable.h:
2163         (Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo):
2164         (Inspector::RemoteInspectorDebuggableInfo::hasParentProcess): Deleted.
2165         pid per debuggable is no longer needed.
2166
2167 2014-05-09  Mark Hahnenberg  <mhahnenberg@apple.com>
2168
2169         JSDOMWindow should disable property caching after a certain point
2170         https://bugs.webkit.org/show_bug.cgi?id=132751
2171
2172         Reviewed by Filip Pizlo.
2173
2174         This is part of removing HasImpureGetOwnPropertySlot from JSDOMWindow. After the lookup in the static 
2175         hash table for JSDOMWindow fails we want to disable property caching even if the code that follows thinks 
2176         that it has provided a cacheable value.
2177
2178         * runtime/PropertySlot.h:
2179         (JSC::PropertySlot::PropertySlot):
2180         (JSC::PropertySlot::isCacheable):
2181         (JSC::PropertySlot::disableCaching):
2182
2183 2014-05-09  Andreas Kling  <akling@apple.com>
2184
2185         8.8% spent in Object.prototype.hasOwnProperty() on sbperftest.
2186         <https://webkit.org/b/132749>
2187
2188         Leverage the fast-resolve-to-AtomicString optimization for JSRopeString
2189         in Object.prototype.* by using JSString::toIdentifier() in the cases where
2190         we are converting JSString -> String -> Identifier.
2191
2192         This brings time spent in hasOwnProperty() from 8.8% to 1.3% on
2193         "The Great HTML5 Gaming Performance Test: 2014 edition"
2194         <http://www.scirra.com/demos/c2/sbperftest/>
2195
2196         Reviewed by Oliver Hunt.
2197
2198         * runtime/ObjectPrototype.cpp:
2199         (JSC::objectProtoFuncHasOwnProperty):
2200         (JSC::objectProtoFuncDefineGetter):
2201         (JSC::objectProtoFuncDefineSetter):
2202         (JSC::objectProtoFuncLookupGetter):
2203         (JSC::objectProtoFuncLookupSetter):
2204
2205 2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>
2206
2207         JSDOMWindow should have a WatchpointSet to fire on window close
2208         https://bugs.webkit.org/show_bug.cgi?id=132721
2209
2210         Reviewed by Filip Pizlo.
2211
2212         This patch allows us to reset the inline caches that assumed they could skip 
2213         the first part of JSDOMWindow::getOwnPropertySlot that checks if the window has 
2214         been closed. This is part of getting rid of HasImpureGetOwnPropertySlot on JSDOMWindow.
2215
2216         PropertySlot now accepts a WatchpointSet which the inline cache code can look for
2217         to see if it should create a new Watchpoint for that particular inline cache site.
2218
2219         * bytecode/Watchpoint.h:
2220         * jit/Repatch.cpp:
2221         (JSC::generateByIdStub):
2222         (JSC::tryBuildGetByIDList):
2223         (JSC::tryCachePutByID):
2224         (JSC::tryBuildPutByIdList):
2225         * runtime/PropertySlot.h:
2226         (JSC::PropertySlot::PropertySlot):
2227         (JSC::PropertySlot::watchpointSet):
2228         (JSC::PropertySlot::setWatchpointSet):
2229
2230 2014-05-09  Tanay C  <tanay.c@samsung.com>
2231
2232         Fix build warning (uninitialized variable) in DFGFixupPhase.cpp 
2233         https://bugs.webkit.org/show_bug.cgi?id=132331
2234
2235         Reviewed by Darin Adler.
2236
2237         * dfg/DFGFixupPhase.cpp:
2238         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2239
2240 2014-05-09  peavo@outlook.com  <peavo@outlook.com>
2241
2242         [Win] Crash when enabling DFG JIT.
2243         https://bugs.webkit.org/show_bug.cgi?id=132683
2244
2245         Reviewed by Geoffrey Garen.
2246
        On Windows, using register GPRInfo::regT0 as a parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0),
2248         results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
2249         where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
2250         This causes the register to be written to address 0, hence the crash.
2251
2252         * dfg/DFGOSRExitCompiler32_64.cpp:
2253         (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
2254         * dfg/DFGOSRExitCompiler64.cpp:
2255         (JSC::DFG::OSRExitCompiler::compileExit): Ditto.
2256
2257 2014-05-09  Martin Hodovan <mhodovan.u-szeged@partner.samsung.com>
2258
2259         REGRESSION(r167094): JSC crashes on ARM Traditional
2260         https://bugs.webkit.org/show_bug.cgi?id=132738
2261
2262         Reviewed by Zoltan Herczeg.
2263
2264         PC is two instructions ahead of the current instruction
2265         on ARM Traditional, so the distance is 8 bytes not 2.
2266
2267         * llint/LowLevelInterpreter.asm:
2268
2269 2014-05-09  Alberto Garcia  <berto@igalia.com>
2270
2271         jsmin.py license header confusing, mentions non-free license
2272         https://bugs.webkit.org/show_bug.cgi?id=123665
2273
2274         Reviewed by Darin Adler.
2275
2276         Pull the most recent version from upstream, which has a clear
2277         license.
2278
2279         * inspector/scripts/jsmin.py:
2280
2281 2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>
2282
2283         Base case for get-by-id inline cache doesn't check for HasImpureGetOwnPropertySlot
2284         https://bugs.webkit.org/show_bug.cgi?id=132695
2285
2286         Reviewed by Filip Pizlo.
2287
2288         We check in the case where we're accessing something other than the base object (e.g. the prototype), 
2289         but we fail to do so for the base object.
2290
2291         * jit/Repatch.cpp:
2292         (JSC::tryCacheGetByID):
2293         (JSC::tryBuildGetByIDList):
2294         * jsc.cpp: Added some infrastructure to support this test. We don't currently trigger this bug anywhere in WebKit
2295         because all of the values that are returned that could be impure are set to uncacheable anyways.
2296         (WTF::ImpureGetter::ImpureGetter):
2297         (WTF::ImpureGetter::createStructure):
2298         (WTF::ImpureGetter::create):
2299         (WTF::ImpureGetter::finishCreation):
2300         (WTF::ImpureGetter::getOwnPropertySlot):
2301         (WTF::ImpureGetter::visitChildren):
2302         (WTF::ImpureGetter::setDelegate):
2303         (GlobalObject::finishCreation):
2304         (functionCreateImpureGetter):
2305         (functionSetImpureGetterDelegate):
2306         * tests/stress/impure-get-own-property-slot-inline-cache.js: Added.
2307         (foo):
2308
2309 2014-05-08  Filip Pizlo  <fpizlo@apple.com>
2310
2311         deleteAllCompiledCode() shouldn't use the suspension worklist
2312         https://bugs.webkit.org/show_bug.cgi?id=132708
2313
2314         Reviewed by Mark Hahnenberg.
2315
2316         * bytecode/CodeBlock.cpp:
2317         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
2318         * dfg/DFGPlan.cpp:
2319         (JSC::DFG::Plan::isStillValid):
2320         * heap/Heap.cpp:
2321         (JSC::Heap::deleteAllCompiledCode):
2322
2323 2014-05-08  Filip Pizlo  <fpizlo@apple.com>
2324
2325         SSA conversion should delete PhantomLocals for captured variables
2326         https://bugs.webkit.org/show_bug.cgi?id=132693
2327
2328         Reviewed by Mark Hahnenberg.
2329
2330         * dfg/DFGCommon.cpp:
        (JSC::DFG::startCrashing): Parallel JIT and a JIT bug means that we may dump IR in parallel. This is the workaround. This patch uses it in all of the places where we dump IR and crash.
2332         * dfg/DFGCommon.h:
2333         * dfg/DFGFixupPhase.cpp:
2334         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): Use the workaround.
2335         * dfg/DFGLivenessAnalysisPhase.cpp:
2336         (JSC::DFG::LivenessAnalysisPhase::run): Use the workaround.
2337         * dfg/DFGSSAConversionPhase.cpp:
2338         (JSC::DFG::SSAConversionPhase::run): Fix the bug - it's true that PhantomLocal for captured variables doesn't need anything done to it, but it's wrong that we didn't delete it outright.
2339         * dfg/DFGValidate.cpp: Use the workaround.
2340         * tests/stress/phantom-local-captured-but-not-flushed-to-ssa.js: Added.
2341         (foo):
2342         (bar):
2343
2344 2014-05-07  Commit Queue  <commit-queue@webkit.org>
2345
2346         Unreviewed, rolling out r168451.
2347         https://bugs.webkit.org/show_bug.cgi?id=132670
2348
2349         Not a speed-up, just do what other compilers do. (Requested by
2350         kling on #webkit).
2351
2352         Reverted changeset:
2353
2354         "[X86] Emit BT instruction for single-bit tests."
2355         https://bugs.webkit.org/show_bug.cgi?id=132650
2356         http://trac.webkit.org/changeset/168451
2357
2358 2014-05-07  Filip Pizlo  <fpizlo@apple.com>
2359
2360         Make Executable::clearCode() actually clear all of the entrypoints, and
2361         clean up some other FTL-related calling convention stuff.
2362         <rdar://problem/16720172>
2363
2364         Rubber stamped by Mark Hahnenberg.
2365
2366         * dfg/DFGOperations.cpp:
2367         * dfg/DFGOperations.h:
2368         * dfg/DFGWorklist.cpp:
2369         (JSC::DFG::Worklist::Worklist):
2370         (JSC::DFG::Worklist::finishCreation):
2371         (JSC::DFG::Worklist::create):
2372         (JSC::DFG::ensureGlobalDFGWorklist):
2373         (JSC::DFG::ensureGlobalFTLWorklist):
2374         * dfg/DFGWorklist.h:
2375         * heap/CodeBlockSet.cpp:
2376         (JSC::CodeBlockSet::dump):
2377         * heap/CodeBlockSet.h:
2378         * runtime/Executable.cpp:
2379         (JSC::ExecutableBase::clearCode):
2380
2381 2014-05-07  Andreas Kling  <akling@apple.com>
2382
2383         [X86] Emit BT instruction for single-bit tests.
2384         <https://webkit.org/b/132650>
2385
2386         Implement test-bit-and-branch slightly more efficiently by using
2387         BT + JC/JNC instead of TEST + JZ/JNZ when we're only testing for
2388         a single bit.
2389
2390         Reviewed by Michael Saboff.
2391
2392         * assembler/MacroAssemblerX86Common.h:
2393         (JSC::MacroAssemblerX86Common::singleBitIndex):
2394         (JSC::MacroAssemblerX86Common::branchTest32):
2395         * assembler/X86Assembler.h:
2396         (JSC::X86Assembler::bt_i8r):
2397         (JSC::X86Assembler::bt_i8m):
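
        Added example for the entry above (this editor's code, not JavaScriptCore's
        X86Assembler or MacroAssemblerX86Common): a toy x86-32 emitter that makes the
        same choice as branchTest32 here, BT + JC/JNC for a single-bit mask and
        TEST + JNZ/JZ otherwise. Assumptions of the example, not JSC's internals:
        registers are the low eight 32-bit GPRs (eax = 0 ... edi = 7) so no REX
        prefix is needed; the rel8 jump displacement is left as 0 as a stand-in for
        a label patched later; the byte encodings are the standard ones (bt r/m32,
        imm8 = 0F BA /4 ib; test r/m32, imm32 = F7 /0 id). The change itself was
        reverted (see the rollout of r168451 above); the technique is unchanged.

```cpp
#include <cstdint>
#include <vector>

using Bytes = std::vector<std::uint8_t>;

// Bit index if exactly one bit of mask is set, otherwise -1.
int singleBitIndex(std::uint32_t mask) {
    if (mask == 0 || (mask & (mask - 1)) != 0)
        return -1;
    int index = 0;
    while ((mask & 1u) == 0) { mask >>= 1; ++index; }
    return index;
}

// bt r/m32, imm8  ->  0F BA /4 ib   (ModRM = 11 100 reg)
void emitBtImm8(Bytes& out, std::uint8_t reg, std::uint8_t bit) {
    out.insert(out.end(), {0x0F, 0xBA, static_cast<std::uint8_t>(0xE0 | (reg & 7)), bit});
}

// test r/m32, imm32  ->  F7 /0 id   (ModRM = 11 000 reg), imm little-endian
void emitTestImm32(Bytes& out, std::uint8_t reg, std::uint32_t imm) {
    out.push_back(0xF7);
    out.push_back(static_cast<std::uint8_t>(0xC0 | (reg & 7)));
    for (int i = 0; i < 4; ++i)
        out.push_back(static_cast<std::uint8_t>(imm >> (8 * i)));
}

// Short Jcc with a rel8 of 0; a real assembler patches it when the label binds.
enum class Jcc : std::uint8_t { JC = 0x72, JNC = 0x73, JZ = 0x74, JNZ = 0x75 };
void emitJcc(Bytes& out, Jcc cc) {
    out.push_back(static_cast<std::uint8_t>(cc));
    out.push_back(0x00);
}

// branchTest32(reg & mask): a single-bit mask becomes BT + JC/JNC (BT copies the
// tested bit into CF); any other mask falls back to TEST + JNZ/JZ.
Bytes emitBranchTest32(std::uint8_t reg, std::uint32_t mask, bool branchIfNonZero) {
    Bytes out;
    int bit = singleBitIndex(mask);
    if (bit >= 0) {
        emitBtImm8(out, reg, static_cast<std::uint8_t>(bit));
        emitJcc(out, branchIfNonZero ? Jcc::JC : Jcc::JNC);
    } else {
        emitTestImm32(out, reg, mask);
        emitJcc(out, branchIfNonZero ? Jcc::JNZ : Jcc::JZ);
    }
    return out;
}
```

        The single-bit form is two bytes shorter than TEST with a 32-bit
        immediate, which is the whole of the saving; as the rollout notes, it is
        not measurably faster.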
2398
2399 2014-05-07  Mark Lam  <mark.lam@apple.com>
2400
2401         REGRESSION(r166678): Dromaeo/cssquery-dojo.html crashes regularly.
2402         <https://webkit.org/b/131356>
2403
2404         Reviewed by Geoffrey Garen.
2405
2406         The issue is that GC needs to be made aware of writes to m_inferredValue
2407         in the VariableWatchpointSet, but was not.  As a result, if a JSCell*
2408         is written to a VariableWatchpointSet m_inferredValue, and that JSCell
2409         does not survive an eden GC shortly after, we will end up with a stale
2410         JSCell pointer left in the m_inferredValue.
2411
2412         This issue can be detected more easily by running Dromaeo/cssquery-dojo.html
2413         using DumpRenderTree with the VM heap in zombie mode.
2414
2415         The fix is to change VariableWatchpointSet m_inferredValue to type
2416         WriteBarrier<Unknown> and ensure that VariableWatchpointSet::notifyWrite()
2417         is executed by all the execution engines so that the WriteBarrier semantics
2418         are honored.
2419
2420         We still check if the value to be written is the same as the one in the
2421         inferredValue.  We'll by-pass calling the slow path notifyWrite() if the
2422         values are the same.        
2423
2424         * JavaScriptCore.xcodeproj/project.pbxproj:
2425         * bytecode/CodeBlock.cpp:
2426         (JSC::CodeBlock::CodeBlock):
2427         - need to pass the symbolTable to prepareToWatch() because it will be needed
2428           for instantiating the VariableWatchpointSet in prepareToWatch().
2429
2430         * bytecode/VariableWatchpointSet.h:
2431         (JSC::VariableWatchpointSet::VariableWatchpointSet):
2432         - VariableWatchpointSet now tracks its owner symbol table for its m_inferredValue
2433           write barrier, and yes, m_inferredValue is now of type WriteBarrier<Unknown>.
2434         (JSC::VariableWatchpointSet::inferredValue):
2435         (JSC::VariableWatchpointSet::invalidate):
2436         (JSC::VariableWatchpointSet::finalizeUnconditionally):
2437         (JSC::VariableWatchpointSet::addressOfInferredValue):
2438         (JSC::VariableWatchpointSet::notifyWrite): Deleted.
2439         * bytecode/VariableWatchpointSetInlines.h: Added.
2440         (JSC::VariableWatchpointSet::notifyWrite):
2441
2442         * dfg/DFGByteCodeParser.cpp:
2443         (JSC::DFG::ByteCodeParser::cellConstant):
2444         - Added an assert in case we try to make constants of zombified JSCells again.
2445
2446         * dfg/DFGOperations.cpp:
2447         * dfg/DFGOperations.h:
2448         * dfg/DFGSpeculativeJIT.h:
2449         (JSC::DFG::SpeculativeJIT::callOperation):
2450         * dfg/DFGSpeculativeJIT32_64.cpp:
2451         (JSC::DFG::SpeculativeJIT::compile):
2452         * dfg/DFGSpeculativeJIT64.cpp:
2453         (JSC::DFG::SpeculativeJIT::compile):
2454         - We now let the slow path handle the cases when the VariableWatchpointSet is
2455           in state ClearWatchpoint and IsWatched, and the slow path will ensure that
2456           we handle the needed write barrier semantics correctly.
2457           We will by-pass the slow path if the value being written is the same as the
2458           inferred value.
2459
2460         * ftl/FTLIntrinsicRepository.h:
2461         * ftl/FTLLowerDFGToLLVM.cpp:
2462         (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
2463         - Let the slow path handle the cases when the VariableWatchpointSet is
2464           in state ClearWatchpoint and IsWatched.
2465           We will by-pass the slow path if the value being written is the same as the
2466           inferred value.
2467
2468         * heap/Heap.cpp:
2469         (JSC::Zombify::operator()):
2470         - Use a different value for the zombified bits (to distinguish it from 0xbbadbeef
2471           which is used everywhere else).
2472         * heap/Heap.h:
2473         (JSC::Heap::isZombified):
2474         - Provide a convenience test function to check if JSCells are zombified.  This is
2475           currently only used in an assertion in the DFG bytecode parser, but the intent
          is that we'll apply this test in other strategic places later to help with early
2477           detection of usage of GC'ed objects when we run in zombie mode.
2478
2479         * jit/JITOpcodes.cpp:
2480         (JSC::JIT::emitSlow_op_captured_mov):
2481         * jit/JITOperations.h:
2482         * jit/JITPropertyAccess.cpp:
2483         (JSC::JIT::emitNotifyWrite):
2484         * jit/JITPropertyAccess32_64.cpp:
2485         (JSC::JIT::emitNotifyWrite):
2486         (JSC::JIT::emitSlow_op_put_to_scope):
2487         - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
2488           is in state ClearWatchpoint and IsWatched.
2489           We will by-pass the slow path if the value being written is the same as the
2490           inferred value.
2491         
2492         * llint/LowLevelInterpreter32_64.asm:
2493         * llint/LowLevelInterpreter64.asm:
2494         - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
2495           is in state ClearWatchpoint and IsWatched.
2496           We will by-pass the slow path if the value being written is the same as the
2497           inferred value.
2498         
2499         * runtime/CommonSlowPaths.cpp:
2500
2501         * runtime/JSCJSValue.h: Fixed some typos in the comments.
2502         * runtime/JSGlobalObject.cpp:
2503         (JSC::JSGlobalObject::addGlobalVar):
2504         (JSC::JSGlobalObject::addFunction):
2505         * runtime/JSSymbolTableObject.h:
2506         (JSC::symbolTablePut):
2507         (JSC::symbolTablePutWithAttributes):
2508         * runtime/SymbolTable.cpp:
2509         (JSC::SymbolTableEntry::prepareToWatch):
2510         (JSC::SymbolTableEntry::notifyWriteSlow):
2511         * runtime/SymbolTable.h:
2512         (JSC::SymbolTableEntry::notifyWrite):
2513
2514 2014-05-06  Michael Saboff  <msaboff@apple.com>
2515
        Unreviewed build fix for C-LOOP after r168396.
2517
2518         * runtime/TestRunnerUtils.cpp:
2519         (JSC::optimizeNextInvocation): Wrapped actual call inside #if ENABLE(JIT)
2520
2521 2014-05-06  Michael Saboff  <msaboff@apple.com>
2522
2523         Add test for deleteAllCompiledCode
2524         https://bugs.webkit.org/show_bug.cgi?id=132632
2525
2526         Reviewed by Phil Pizlo.
2527
2528         Added two new hooks to jsc, one to call Heap::deleteAllCompiledCode() and
2529         the other to call CodeBlock::optimizeNextInvocation().  Used these two hooks
2530         to write a test that will queue up loads of DFG compiles and then call
2531         Heap::deleteAllCompiledCode() to make sure that it can handle compiled
2532         code as well as code being compiled.
2533
2534         * jsc.cpp:
2535         (GlobalObject::finishCreation):
2536         (functionDeleteAllCompiledCode):
2537         (functionOptimizeNextInvocation):
2538         * runtime/TestRunnerUtils.cpp:
2539         (JSC::optimizeNextInvocation):
2540         * runtime/TestRunnerUtils.h:
2541         * tests/stress/deleteAllCompiledCode.js: Added.
2542         (functionList):
2543         (runTest):
2544
2545 2014-05-06  Andreas Kling  <akling@apple.com>
2546
2547         JSString::toAtomicString() should return AtomicString.
2548         <https://webkit.org/b/132627>
2549
2550         Remove premature optimization where I was trying to avoid refcount
2551         churn when returning an already atomicized String.
2552
2553         Instead of using reinterpret_cast to mangle the String member into
2554         a const AtomicString& return value, just return AtomicString.
2555
2556         Reviewed by Geoff Garen.
2557
2558         * runtime/JSString.h:
2559         (JSC::JSString::toAtomicString):
2560
2561 2014-05-06  Mark Hahnenberg  <mhahnenberg@apple.com>
2562
2563         Roll out r167889
2564
2565         Rubber stamped by Geoff Garen.
2566
2567         It broke some websites.
2568
2569         * runtime/JSPropertyNameIterator.cpp:
2570         (JSC::JSPropertyNameIterator::create):
2571         * runtime/PropertyMapHashTable.h:
2572         (JSC::PropertyTable::hasDeletedOffset):
2573         (JSC::PropertyTable::hadDeletedOffset): Deleted.
2574         * runtime/Structure.cpp:
2575         (JSC::Structure::Structure):
2576         (JSC::Structure::materializePropertyMap):
2577         (JSC::Structure::removePropertyTransition):
2578         (JSC::Structure::changePrototypeTransition):
2579         (JSC::Structure::despecifyFunctionTransition):
2580         (JSC::Structure::attributeChangeTransition):
2581         (JSC::Structure::toDictionaryTransition):
2582         (JSC::Structure::preventExtensionsTransition):
2583         (JSC::Structure::addPropertyWithoutTransition):
2584         (JSC::Structure::removePropertyWithoutTransition):
2585         (JSC::Structure::pin):
2586         (JSC::Structure::pinAndPreventTransitions): Deleted.
2587         * runtime/Structure.h:
2588         * runtime/StructureInlines.h:
2589         (JSC::Structure::setEnumerationCache):
2590         (JSC::Structure::propertyTable):
2591         (JSC::Structure::checkOffsetConsistency):
2592         (JSC::Structure::hadDeletedOffsets): Deleted.
2593         * tests/stress/for-in-after-delete.js:
2594         (foo): Deleted.
2595
2596 2014-05-05  Andreas Kling  <akling@apple.com>
2597
2598         Fix debug build.
2599
2600         * runtime/JSCellInlines.h:
2601         (JSC::JSCell::fastGetOwnProperty):
2602
2603 2014-05-05  Andreas Kling  <akling@apple.com>
2604
2605         Optimize GetByVal when subscript is a rope string.
2606         <https://webkit.org/b/132590>
2607
2608         Use JSString::toIdentifier() in the various GetByVal implementations
2609         to try and avoid allocating extra strings.
2610
2611         Added canUseFastGetOwnProperty() and wrap calls to fastGetOwnProperty()
2612         in that, to avoid calling JSString::value() which always resolves ropes
2613         into new strings and de-optimizes subsequent toIdentifier() calls.
2614
2615         My iMac says ~9% progression on Dromaeo/dom-attr.html
2616
2617         Reviewed by Phil Pizlo.
2618
2619         * dfg/DFGOperations.cpp:
2620         * jit/JITOperations.cpp:
2621         (JSC::getByVal):
2622         * llint/LLIntSlowPaths.cpp:
2623         (JSC::LLInt::getByVal):
2624         * runtime/JSCell.h:
2625         * runtime/JSCellInlines.h:
2626         (JSC::JSCell::fastGetOwnProperty):
2627         (JSC::JSCell::canUseFastGetOwnProperty):
2628
2629 2014-05-05  Andreas Kling  <akling@apple.com>
2630
2631         REGRESSION (r168256): ASSERTION FAILED: (buffer + m_length) == position loading vanityfair.com article.
2632         <https://webkit.org/b/168256>
2633         <rdar://problem/16816316>
2634
2635         Make resolveRopeSlowCase8() behave like its 16-bit counterpart and not
2636         clear the fibers. The caller takes care of this.
2637
2638         Test: fast/dom/getElementById-with-rope-string-arg.html
2639
2640         Reviewed by Geoffrey Garen.
2641
2642         * runtime/JSString.cpp:
2643         (JSC::JSRopeString::resolveRopeSlowCase8):
2644
2645 2014-05-05  Michael Saboff  <msaboff@apple.com>
2646
2647         REGRESSION: RELEASE_ASSERT in CodeBlock::baselineVersion @ cnn.com
2648         https://bugs.webkit.org/show_bug.cgi?id=132581
2649
2650         Reviewed by Filip Pizlo.
2651
2652         * dfg/DFGPlan.cpp:
2653         (JSC::DFG::Plan::isStillValid): Check that the alternative codeBlock we
2654         started compiling for is still the same at the end of compilation.
2655         Also did some minor restructuring.
2656
2657 2014-05-05  Andreas Kling  <akling@apple.com>
2658
2659         Optimize PutByVal when subscript is a rope string.
2660         <https://webkit.org/b/132572>
2661
2662         Add a JSString::toIdentifier() that is smarter when the JSString is
2663         really a rope string. Use this in baseline & DFG's PutByVal to avoid
2664         allocating new StringImpls that we immediately deduplicate anyway.
2665
2666         Reviewed by Antti Koivisto.
2667
2668         * dfg/DFGOperations.cpp:
2669         (JSC::DFG::operationPutByValInternal):
2670         * jit/JITOperations.cpp:
2671         * runtime/JSString.h:
2672         (JSC::JSString::toIdentifier):
2673
2674 2014-05-05  Andreas Kling  <akling@apple.com>
2675
2676         Remove two now-incorrect assertions after r168256.
2677
2678         * runtime/JSString.cpp:
2679         (JSC::JSRopeString::resolveRopeSlowCase8):
2680         (JSC::JSRopeString::resolveRopeSlowCase):
2681
2682 2014-05-04  Andreas Kling  <akling@apple.com>
2683
2684         Optimize JSRopeString for resolving directly to AtomicString.
2685         <https://webkit.org/b/132548>
2686
2687         If we know that the JSRopeString we are resolving is going to be used
2688         as an AtomicString, we can try to avoid creating a new string.
2689
2690         We do this by first resolving the rope into a stack buffer, and using
2691         that buffer as a key into the AtomicString table. If there is already
2692         an AtomicString with the same characters, we reuse that instead of
2693         constructing a new StringImpl.
2694
2695         JSString gains these two public functions:
2696
2697         - AtomicString toAtomicString()
2698
2699             Returns an AtomicString, tries to avoid allocating a new string
2700             if possible.
2701
2702         - AtomicStringImpl* toExistingAtomicString()
2703
2704             Returns a non-null AtomicStringImpl* if one already exists in the
2705             AtomicString table. If none is found, the rope is left unresolved.
2706
2707         Reviewed by Filip Pizlo.
2708
2709         * runtime/JSString.cpp:
2710         (JSC::JSRopeString::resolveRopeInternal8):
2711         (JSC::JSRopeString::resolveRopeInternal16):
2712         (JSC::JSRopeString::resolveRopeToAtomicString):
2713         (JSC::JSRopeString::clearFibers):
2714         (JSC::JSRopeString::resolveRopeToExistingAtomicString):
2715         (JSC::JSRopeString::resolveRope):
2716         (JSC::JSRopeString::outOfMemory):
2717         * runtime/JSString.h:
2718         (JSC::JSString::toAtomicString):
2719         (JSC::JSString::toExistingAtomicString):
2720
2721 2014-05-04  Andreas Kling  <akling@apple.com>
2722
2723         Unreviewed, rolling out r168254.
2724
2725         Very crashy on debug JSC tests.
2726
2727         Reverted changeset:
2728
2729         "jsSubstring() should be lazy"
2730         https://bugs.webkit.org/show_bug.cgi?id=132556
2731         http://trac.webkit.org/changeset/168254
2732
2733 2014-05-04  Filip Pizlo  <fpizlo@apple.com>
2734
2735         jsSubstring() should be lazy
2736         https://bugs.webkit.org/show_bug.cgi?id=132556
2737
2738         Reviewed by Andreas Kling.
2739         
2740         jsSubstring() is now lazy by using a special rope that is a substring instead of a
2741         concatenation. To make this patch super simple, we require that a substring's base is
2742         never a rope. Hence, when resolving a rope, we either go down a non-recursive substring
2743         path, or we go down a concatenation path which may see exactly one level of substrings in
2744         its fibers.
2745         
2746         This is up to a 50% speed-up on microbenchmarks and a 10% speed-up on Octane/regexp.
2747
2748         * heap/MarkedBlock.cpp:
2749         (JSC::MarkedBlock::specializedSweep):
2750         * runtime/JSString.cpp:
2751         (JSC::JSRopeString::visitFibers):
2752         (JSC::JSRopeString::resolveRope):
2753         (JSC::JSRopeString::resolveRopeSlowCase8):
2754         (JSC::JSRopeString::resolveRopeSlowCase):
2755         (JSC::JSRopeString::outOfMemory):
2756         * runtime/JSString.h:
2757         (JSC::JSRopeString::finishCreation):
2758         (JSC::JSRopeString::append):
2759         (JSC::JSRopeString::create):
2760         (JSC::JSRopeString::offsetOfFibers):
2761         (JSC::JSRopeString::fiber):
2762         (JSC::JSRopeString::substringBase):
2763         (JSC::JSRopeString::substringOffset):
2764         (JSC::JSRopeString::substringSentinel):
2765         (JSC::JSRopeString::isSubstring):
2766         (JSC::jsSubstring):
2767         * runtime/RegExpMatchesArray.cpp:
2768         (JSC::RegExpMatchesArray::reifyAllProperties):
2769         * runtime/StringPrototype.cpp:
2770         (JSC::stringProtoFuncSubstring):
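
        Added example covering this entry and the 2014-05-04 "Optimize JSRopeString
        for resolving directly to AtomicString" entry above (this editor's code, not
        JSC's JSRopeString): a toy rope with Flat, Concat and Substring nodes, the
        invariant that a Substring's base is never itself a rope, and an atom-table
        lookup that resolves into a scratch buffer and reuses an existing entry
        instead of allocating one. Assumptions of the example: std::unordered_set
        stands in for the AtomicString table (its nodes keep stable addresses across
        rehashing, so pointers into it stay valid), and on a hit the toy copies the
        table's characters into the rope where JSC would share the existing
        AtomicStringImpl by reference count. All names are the example's own.

```cpp
#include <cstddef>
#include <memory>
#include <string>
#include <unordered_set>
#include <vector>

struct Rope;
using RopePtr = std::shared_ptr<Rope>;
// Invariant: a Substring's base is always Flat, so resolving a Substring never
// recurses; only Concat walks its fibers (which may include Substrings).
struct Rope {
    enum class Kind { Flat, Concat, Substring };
    Rope(Kind k, std::size_t len) : kind(k), length(len) {}
    Kind kind;
    std::string flat;                // Flat: the characters
    std::vector<RopePtr> fibers;     // Concat: children
    RopePtr base;                    // Substring: a Flat rope
    std::size_t offset = 0, length;  // Substring start in base->flat; length for all kinds
};

RopePtr makeFlat(std::string s) {
    auto r = std::make_shared<Rope>(Rope::Kind::Flat, s.size());
    r->flat = std::move(s);
    return r;
}
RopePtr makeConcat(RopePtr a, RopePtr b) {
    auto r = std::make_shared<Rope>(Rope::Kind::Concat, a->length + b->length);
    r->fibers = {std::move(a), std::move(b)};
    return r;
}

// Copy the rope's characters into `out` without touching the rope itself.
void appendChars(const RopePtr& r, std::string& out) {
    switch (r->kind) {
    case Rope::Kind::Flat:      out += r->flat; return;
    case Rope::Kind::Substring: out.append(r->base->flat, r->offset, r->length); return;
    case Rope::Kind::Concat:    for (const RopePtr& f : r->fibers) appendChars(f, out); return;
    }
}

// Turn the node into a Flat holding `chars`, dropping its fibers or base.
void becomeFlat(const RopePtr& r, std::string chars) {
    r->flat = std::move(chars); r->fibers.clear(); r->base.reset();
    r->kind = Rope::Kind::Flat;
}

const std::string& resolveRope(const RopePtr& r) {
    if (r->kind != Rope::Kind::Flat) {
        std::string chars;
        chars.reserve(r->length);
        appendChars(r, chars);
        becomeFlat(r, std::move(chars));
    }
    return r->flat;
}

// jsSubstring(): lazy. Resolving the base first keeps the invariant, and a
// substring of an already flat string copies nothing.
RopePtr makeSubstring(const RopePtr& base, std::size_t offset, std::size_t length) {
    resolveRope(base);
    auto r = std::make_shared<Rope>(Rope::Kind::Substring, length);
    r->base = base; r->offset = offset;
    return r;
}

// Stand-in for the AtomicString table; node-based, so pointers into it stay valid.
using AtomTable = std::unordered_set<std::string>;

// toExistingAtomicString(): resolve into a scratch buffer and look that up. On a
// miss nothing is inserted and the rope stays unresolved; on a hit the rope
// adopts the table's characters (JSC shares the impl, this toy copies).
const std::string* toExistingAtomicString(const RopePtr& r, const AtomTable& table) {
    std::string scratch;
    scratch.reserve(r->length);
    appendChars(r, scratch);
    auto it = table.find(scratch);
    if (it == table.end()) return nullptr;
    becomeFlat(r, *it);
    return &*it;
}

// toAtomicString(): reuse an existing entry, otherwise resolve and insert.
const std::string* toAtomicString(const RopePtr& r, AtomTable& table) {
    if (const std::string* hit = toExistingAtomicString(r, table)) return hit;
    return &*table.insert(resolveRope(r)).first;
}

// Exercises both behaviours; returns 0 when every check holds.
int runScenario() {
    RopePtr world = makeSubstring(makeFlat("hello world"), 6, 5);  // lazy "world"
    RopePtr rope = makeConcat(makeFlat("hello "), world);          // one substring fiber
    AtomTable table = {"hello world", "other"};
    const std::string* hit = toExistingAtomicString(rope, table);
    if (world->kind != Rope::Kind::Substring || !hit || *hit != "hello world") return 1;
    if (table.size() != 2 || rope->kind != Rope::Kind::Flat) return 2;  // reused, not inserted
    RopePtr miss = makeConcat(makeFlat("foo"), makeFlat("bar"));
    if (toExistingAtomicString(miss, table) || miss->kind != Rope::Kind::Concat) return 3;
    const std::string* atom = toAtomicString(miss, table);
    return (atom && *atom == "foobar" && table.size() == 3) ? 0 : 4;
}
```

        The point of the invariant is visible in appendChars: the Substring case is
        a single append from a flat base, so a concatenation path sees at most one
        level of substrings in its fibers and never a substring of a rope.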
2771
2772 2014-05-02  Michael Saboff  <msaboff@apple.com>
2773
2774         "arm64 function not 4-byte aligned" warnings when building JSC
2775         https://bugs.webkit.org/show_bug.cgi?id=132495
2776
2777         Reviewed by Geoffrey Garen.
2778
2779         Added ".align 4" for both ARM Thumb2 and ARM 64 to silence the linker.
2780
2781         * llint/LowLevelInterpreter.cpp:
2782
2783 2014-05-02  Mark Hahnenberg  <mhahnenberg@apple.com>
2784
2785         Fix cloop build after r168178
2786
2787         * bytecode/CodeBlock.cpp:
2788
2789 2014-05-01  Mark Hahnenberg  <mhahnenberg@apple.com>
2790
2791         Add a DFG function whitelist
2792         https://bugs.webkit.org/show_bug.cgi?id=132437
2793
2794         Reviewed by Geoffrey Garen.
2795
        Oftentimes when debugging, using bytecode ranges isn't enough to narrow down to the 
2797         particular DFG block that's causing issues. This patch adds the ability to whitelist 
2798         specific functions specified in a file to enable further filtering without having to recompile.
2799
2800         * CMakeLists.txt:
2801         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2802         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2803         * JavaScriptCore.xcodeproj/project.pbxproj:
2804         * dfg/DFGCapabilities.cpp:
2805         (JSC::DFG::isSupported):
2806         (JSC::DFG::mightInlineFunctionForCall):
2807         (JSC::DFG::mightInlineFunctionForClosureCall):
2808         (JSC::DFG::mightInlineFunctionForConstruct):
2809         * dfg/DFGFunctionWhitelist.cpp: Added.
2810         (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
2811         (JSC::DFG::FunctionWhitelist::FunctionWhitelist):
2812         (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
2813         (JSC::DFG::FunctionWhitelist::contains):
2814         * dfg/DFGFunctionWhitelist.h: Added.
2815         * runtime/Options.cpp:
2816         (JSC::parse):
2817         (JSC::Options::dumpOption):
2818         * runtime/Options.h:
2819
2820 2014-05-02  Filip Pizlo  <fpizlo@apple.com>
2821
2822         DFGAbstractInterpreter should not claim Int52 arithmetic creates Int52s
2823         https://bugs.webkit.org/show_bug.cgi?id=132446
2824
2825         Reviewed by Mark Hahnenberg.
2826         
2827         Basically any arithmetic operation can turn an Int52 into an Int32 or vice-versa, and
2828         our modeling of Int52Rep nodes is such that they can have either Int32 or Int52 type
2829         to indicate a bound on the value. This is useful for knowing, for example, that
2830         Int52Rep(Int32:) returns a value that cannot be outside the Int32 range. Also,
2831         ValueRep(Int52Rep:) uses this to determine whether it may return a double or an int.
2832         But this means that all arithmetic operations must be careful to note that they may
2833         turn Int32 inputs into an Int52 output or vice-versa, as these new tests show.
2834
2835         * dfg/DFGAbstractInterpreterInlines.h:
2836         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2837         * dfg/DFGByteCodeParser.cpp:
2838         (JSC::DFG::ByteCodeParser::makeSafe):
2839         * tests/stress/int52-ai-add-then-filter-int32.js: Added.
2840         (foo):
2841         * tests/stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js: Added.
2842         (foo):
2843         * tests/stress/int52-ai-mul-then-filter-int32-directly.js: Added.
2844         (foo):
2845         * tests/stress/int52-ai-mul-then-filter-int32.js: Added.
2846         (foo):
2847         * tests/stress/int52-ai-neg-then-filter-int32.js: Added.
2848         (foo):
2849         * tests/stress/int52-ai-sub-then-filter-int32.js: Added.
2850         (foo):
2851
2852 2014-05-01  Geoffrey Garen  <ggaren@apple.com>
2853
2854         JavaScriptCore fails to build with some versions of clang
2855         https://bugs.webkit.org/show_bug.cgi?id=132436
2856
2857         Reviewed by Anders Carlsson.
2858
2859         * runtime/ArgumentsIteratorConstructor.cpp: Since we call
2860         putDirectWithoutTransition, and it calls putWillGrowOutOfLineStorage,
2861         and both are marked inline, it's valid for the compiler to decide
2862         to inline both and emit neither in the binary. Therefore, we need
2863         both inline definitions to be available in the translation unit at
2864         compile time, or we'll try to link against a function that doesn't exist.
2865
2866 2014-05-01  Commit Queue  <commit-queue@webkit.org>
2867
2868         Unreviewed, rolling out r167964.
2869         https://bugs.webkit.org/show_bug.cgi?id=132431
2870
2871         Memory improvements should not regress memory usage (Requested
2872         by olliej on #webkit).
2873
2874         Reverted changeset:
2875
2876         "Don't hold on to parameter BindingNodes forever"
2877         https://bugs.webkit.org/show_bug.cgi?id=132360
2878         http://trac.webkit.org/changeset/167964
2879
2880 2014-05-01  Filip Pizlo  <fpizlo@apple.com>
2881
2882         Fix trivial debug-only race-that-crashes in CallLinkStatus and explain why the remaining races are totally awesome
2883         https://bugs.webkit.org/show_bug.cgi?id=132427
2884
2885         Reviewed by Mark Hahnenberg.
2886
2887         * bytecode/CallLinkStatus.cpp:
2888         (JSC::CallLinkStatus::computeFor):
2889
2890 2014-04-30  Simon Fraser  <simon.fraser@apple.com>
2891
2892         Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO
2893         https://bugs.webkit.org/show_bug.cgi?id=132396
2894
2895         Reviewed by Eric Carlson.
2896
2897         Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO and related code.
2898
2899         * Configurations/FeatureDefines.xcconfig:
2900
2901 2014-04-30  Filip Pizlo  <fpizlo@apple.com>
2902
2903         Argument flush formats should not be presumed to be JSValue since 'this' is weird
2904         https://bugs.webkit.org/show_bug.cgi?id=132404
2905
2906         Reviewed by Michael Saboff.
2907
2908         * dfg/DFGSpeculativeJIT.cpp:
2909         (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Don't assume that arguments are flushed as JSValue. Use the logic for locals instead.
2910         * dfg/DFGSpeculativeJIT32_64.cpp:
2911         (JSC::DFG::SpeculativeJIT::compile): SetArgument "changes" the format because before this we wouldn't know we had arguments.
2912         * dfg/DFGSpeculativeJIT64.cpp:
2913         (JSC::DFG::SpeculativeJIT::compile): Ditto.
2914         * dfg/DFGValueSource.cpp:
2915         (JSC::DFG::ValueSource::dumpInContext): Make this easier to dump.
2916         * dfg/DFGValueSource.h:
2917         (JSC::DFG::ValueSource::operator!): Make this easier to dump because Operands<T> uses T::operator!().
2918         * ftl/FTLOSREntry.cpp:
2919         (JSC::FTL::prepareOSREntry): This had a useful assertion for everything except 'this'.
2920         * tests/stress/strict-to-this-int.js: Added.
2921         (foo):
2922         (Number.prototype.valueOf):
2923         (test):
2924
2925 2014-04-29  Oliver Hunt  <oliver@apple.com>
2926
2927         Don't hold on to parameterBindingNodes forever
2928         https://bugs.webkit.org/show_bug.cgi?id=132360
2929
2930         Reviewed by Geoffrey Garen.
2931
2932         Don't keep the parameter nodes anymore. Instead we store the
2933         original parameter string and reparse whenever we actually
2934         need them. Because we only actually need them for compilation
2935         this only results in a single extra parse.
2936
2937         * bytecode/UnlinkedCodeBlock.cpp:
2938         (JSC::generateFunctionCodeBlock):
2939         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2940         (JSC::UnlinkedFunctionExecutable::visitChildren):
2941         (JSC::UnlinkedFunctionExecutable::finishCreation):
2942         (JSC::UnlinkedFunctionExecutable::paramString):
2943         (JSC::UnlinkedFunctionExecutable::parameters):
2944         (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
2945         * bytecode/UnlinkedCodeBlock.h:
2946         (JSC::UnlinkedFunctionExecutable::create):
2947         (JSC::UnlinkedFunctionExecutable::parameterCount):
2948         (JSC::UnlinkedFunctionExecutable::parameters): Deleted.
2949         (JSC::UnlinkedFunctionExecutable::finishCreation): Deleted.
2950         * parser/ASTBuilder.h:
2951         (JSC::ASTBuilder::ASTBuilder):
2952         (JSC::ASTBuilder::setFunctionBodyParameters):
2953         * parser/Nodes.h:
2954         (JSC::FunctionBodyNode::parametersStartOffset):
2955         (JSC::FunctionBodyNode::parametersEndOffset):
2956         (JSC::FunctionBodyNode::setParameterLocation):
2957         * parser/Parser.cpp:
2958         (JSC::Parser<LexerType>::parseFunctionInfo):
2959         (JSC::parseParameters):
2960         * parser/Parser.h:
2961         (JSC::parse):
2962         * parser/SourceCode.h:
2963         (JSC::SourceCode::subExpression):
2964         * parser/SyntaxChecker.h:
2965         (JSC::SyntaxChecker::setFunctionBodyParameters):
2966
2967 2014-04-29  Mark Hahnenberg  <mhahnenberg@apple.com>
2968
2969         JSProxies should be cacheable
2970         https://bugs.webkit.org/show_bug.cgi?id=132351
2971
2972         Reviewed by Geoffrey Garen.
2973
2974         Whenever we encounter a proxy in an inline cache we should try to cache on the 
2975         proxy's target instead of giving up.
2976
2977         This patch adds support for a simple "recursive" inline cache if the base object
2978         we're accessing is a pure forwarding proxy. JSGlobalObject and its subclasses 
2979         are the only ones to benefit from this right now.
2980
2981         This is performance neutral on the benchmarks we track. Currently we won't
2982         cache on JSDOMWindow due to HasImpureGetOwnPropertySlot, but this issue will be fixed soon.
2983
2984         * jit/Repatch.cpp:
2985         (JSC::generateByIdStub):
2986         (JSC::tryBuildGetByIDList):
2987         (JSC::tryCachePutByID):
2988         (JSC::tryBuildPutByIdList):
2989         * jsc.cpp:
2990         (GlobalObject::finishCreation):
2991         (functionCreateProxy):
2992         * runtime/IntendedStructureChain.cpp:
2993         (JSC::IntendedStructureChain::isNormalized):
2994         * runtime/JSCellInlines.h:
2995         (JSC::JSCell::isProxy):
2996         * runtime/JSGlobalObject.h:
2997         (JSC::JSGlobalObject::finishCreation):
2998         * runtime/JSProxy.h:
2999         (JSC::JSProxy::createStructure):
3000         (JSC::JSProxy::targetOffset):
3001         * runtime/JSType.h:
3002         * runtime/Operations.h:
3003         (JSC::isPrototypeChainNormalized):
3004         * runtime/Structure.h:
3005         (JSC::Structure::isProxy):
3006         * tests/stress/proxy-inline-cache.js: Added.
3007         (cacheOnTarget.getX):
3008         (cacheOnTarget):
3009         (cacheOnPrototypeOfTarget.getX):
3010         (cacheOnPrototypeOfTarget):
3011         (dontCacheOnProxyInPrototypeChain.getX):
3012         (dontCacheOnProxyInPrototypeChain):
3013         (dontCacheOnTargetOfProxyInPrototypeChainOfTarget.getX):
3014         (dontCacheOnTargetOfProxyInPrototypeChainOfTarget):
3015
3016 2014-04-29  Filip Pizlo  <fpizlo@apple.com>
3017
3018         Use LLVM as a backend for the fourth-tier DFG JIT (a.k.a. the FTL JIT)
3019         https://bugs.webkit.org/show_bug.cgi?id=112840
3020
3021         Rubber stamped by Geoffrey Garen.
3022
3023         * Configurations/FeatureDefines.xcconfig:
3024
3025 2014-04-29  Geoffrey Garen  <ggaren@apple.com>
3026
3027         String.prototype.trim removes U+200B from strings.
3028         https://bugs.webkit.org/show_bug.cgi?id=130184
3029
3030         Reviewed by Michael Saboff.
3031
3032         * runtime/StringPrototype.cpp:
3033         (JSC::trimString):
3034         (JSC::isTrimWhitespace): Deleted.
3035
3036 2014-04-29  Mark Lam  <mark.lam@apple.com>
3037
3038         Zombifying sweep should ignore retired blocks.
3039         <https://webkit.org/b/132344>
3040
3041         Reviewed by Mark Hahnenberg.
3042
3043         By definition, retired blocks do not have "dead" objects, or at least
3044         none that we know of yet until the next marking phase has been run
3045         over it.  So, we should not be sweeping them (even for zombie mode).
3046
3047         * heap/Heap.cpp:
3048         (JSC::Heap::zombifyDeadObjects):
3049         * heap/MarkedSpace.cpp:
3050         (JSC::MarkedSpace::zombifySweep):
3051         * heap/MarkedSpace.h:
3052         (JSC::ZombifySweep::operator()):
3053
3054 2014-04-29  Mark Lam  <mark.lam@apple.com>
3055
3056         Fix bit rot in zombie mode heap code.
3057         <https://webkit.org/b/132342>
3058
3059         Reviewed by Mark Hahnenberg.
3060
3061         Need to enter a DelayedReleaseScope before doing a sweep.
3062
3063         * heap/Heap.cpp:
3064         (JSC::Heap::zombifyDeadObjects):
3065
3066 2014-04-29  Tomas Popela  <tpopela@redhat.com>
3067
3068         LLINT loadisFromInstruction doesn't need special case for big endians
3069         https://bugs.webkit.org/show_bug.cgi?id=132330
3070
3071         Reviewed by Mark Lam.
3072
3073         The change introduced in r167076 was wrong. We should not apply the offset
3074         adjustment on loadisFromInstruction usage as the instruction
3075         (UnlinkedInstruction) is declared as a union (i.e. with the int32_t
3076         operand variable). The offset of the other union members will be the
3077         same as the offset of the first one, that is 0. The behavior here is the
3078         same on little and big endian architectures. Thus we don't need a
3079         special case for big endians.
3080
3081         * llint/LowLevelInterpreter.asm:
3082
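        The union-offset argument in the entry above, as an added example that is not part of this ChangeLog or of WebKit's code: it models an instruction slot as a union with an int32_t member and, by spelling out the byte layout for both byte orders on one host, shows why the int32_t member sits at byte offset 0 on either architecture while an r167076-style +4 adjustment is only right for a value stored as a full 64-bit integer. The InstructionSlot type, the ByteOrder model and the store/decode helpers are constructed for this illustration.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstring>

// Constructed stand-in for an instruction slot declared as a union: the
// int32_t operand shares storage with pointer-sized members, so every member
// starts at byte offset 0 regardless of the machine's byte order.
union InstructionSlot {
    int32_t operand;
    void* pointer;
    uint64_t raw;
};
static_assert(offsetof(InstructionSlot, operand) == 0, "union members all start at offset 0");
static_assert(offsetof(InstructionSlot, raw) == 0, "union members all start at offset 0");

enum class ByteOrder { Little, Big };

// Eight bytes of slot memory, modelled explicitly so that both byte orders
// can be exercised on a single host.
using SlotBytes = std::array<uint8_t, 8>;

// Store a 32-bit operand through the int32_t member: exactly four bytes are
// written, starting at byte offset 0, in either byte order. The other four
// bytes keep their previous contents (zero here).
SlotBytes storeOperandViaUnion(int32_t operand, ByteOrder order) {
    SlotBytes bytes{};
    uint32_t u = static_cast<uint32_t>(operand);
    for (int i = 0; i < 4; ++i) {
        int shift = (order == ByteOrder::Little) ? 8 * i : 8 * (3 - i);
        bytes[i] = static_cast<uint8_t>(u >> shift);
    }
    return bytes;
}

// Decode a 32-bit integer at a given byte offset in the given byte order.
int32_t decodeInt32(const SlotBytes& bytes, size_t offset, ByteOrder order) {
    uint32_t u = 0;
    for (int i = 0; i < 4; ++i) {
        int shift = (order == ByteOrder::Little) ? 8 * i : 8 * (3 - i);
        u |= static_cast<uint32_t>(bytes[offset + i]) << shift;
    }
    return static_cast<int32_t>(u);
}

// Correct reader: the int32_t union member is at offset 0 on both
// little- and big-endian machines, so no adjustment is needed.
int32_t readOperandViaUnion(const SlotBytes& bytes, ByteOrder order) {
    return decodeInt32(bytes, 0, order);
}

// The reverted r167076-style reader: assumes the operand fills the whole
// 64-bit slot and therefore reads the low half at offset 4 on big-endian
// machines. That is only right for a value stored as a 64-bit integer,
// which a union int32_t member is not, so on big-endian it reads the
// wrong four bytes.
int32_t readOperandWithOffsetAdjust(const SlotBytes& bytes, ByteOrder order) {
    size_t offset = (order == ByteOrder::Big) ? 4 : 0;
    return decodeInt32(bytes, offset, order);
}

// Byte order of the machine this is running on, detected at run time.
ByteOrder hostByteOrder() {
    uint16_t probe = 1;
    uint8_t first = 0;
    std::memcpy(&first, &probe, 1);
    return first == 1 ? ByteOrder::Little : ByteOrder::Big;
}

// Ties the model to the real union: store through the actual int32_t member
// and capture the resulting eight bytes of slot memory.
SlotBytes storeOperandOnHost(int32_t operand) {
    InstructionSlot slot;
    slot.raw = 0;
    slot.operand = operand;
    SlotBytes bytes{};
    std::memcpy(bytes.data(), &slot, sizeof(slot));
    return bytes;
}
```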
3083 2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>
3084
3085         Simplify tryCacheGetById
3086         https://bugs.webkit.org/show_bug.cgi?id=132314
3087
3088         Reviewed by Oliver Hunt and Filip Pizlo.
3089
3090         This is neutral across all benchmarks we track, although it looks like a wee 0.5% progression on sunspider.
3091
3092         * jit/Repatch.cpp:
3093         (JSC::tryCacheGetByID): If we fail to cache on self, we just repatch to call tryBuildGetByIDList next time.
3094
3095 2014-04-28  Michael Saboff  <msaboff@apple.com>
3096
3097         REGRESSION(r153142) ASSERT from CodeBlock::dumpBytecode dumping String Switch Jump Tables
3098         https://bugs.webkit.org/show_bug.cgi?id=132315
3099
3100         Reviewed by Mark Hahnenberg.
3101
3102         Used the StringImpl version of utf8() instead of creating a String first.
3103
3104         * bytecode/CodeBlock.cpp:
3105         (JSC::CodeBlock::dumpBytecode):
3106
3107 2014-04-28  Filip Pizlo  <fpizlo@apple.com>
3108
3109         The LLInt is awesome and it should get more of the action.
3110
3111         Rubber stamped by Geoffrey Garen.
3112         
3113         5% speed-up on JSBench and no meaningful regressions.  Should be a PLT/DYE speed-up also.
3114
3115         * runtime/Options.h:
3116
3117 2014-04-27  Filip Pizlo  <fpizlo@apple.com>
3118
3119         GC should be able to remove things from the DFG worklist and cancel on-going compilations if it knows that the compilation would already be invalidated
3120         https://bugs.webkit.org/show_bug.cgi?id=132166
3121
3122         Reviewed by Oliver Hunt and Mark Hahnenberg.
3123         
3124         The GC can aid type inference by removing structures that are dead and jettisoning
3125         code that relies on those structures. This can dramatically accelerate type inference
3126         for some tricky programs.
3127         
3128         Unfortunately, we previously pinned any structures that enqueued compilations depended
3129         on. This means that if you're on a machine that only runs a single compilation thread
3130         and where compilations are relatively slow, you have a high chance of large numbers of
3131         structures being pinned during any GC since the compilation queue is likely to be full
3132         of random stuff.
3133         
3134         This comprehensively fixes this issue by allowing the GC to remove compilation plans
3135         if the things they depend on are dead, and to even cancel safepointed compilations.
3136         
3137         * bytecode/CodeBlock.cpp:
3138         (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
3139         (JSC::CodeBlock::isKnownToBeLiveDuringGC):
3140         (JSC::CodeBlock::finalizeUnconditionally):
3141         * bytecode/CodeBlock.h:
3142         (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan): Deleted.
3143         * dfg/DFGDesiredIdentifiers.cpp:
3144         (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
3145         * dfg/DFGDesiredIdentifiers.h:
3146         * dfg/DFGDesiredWatchpoints.h:
3147         * dfg/DFGDesiredWeakReferences.cpp:
3148         (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
3149         * dfg/DFGDesiredWeakReferences.h:
3150         * dfg/DFGGraphSafepoint.cpp:
3151         (JSC::DFG::GraphSafepoint::GraphSafepoint):
3152         * dfg/DFGGraphSafepoint.h:
3153         * dfg/DFGPlan.cpp:
3154         (JSC::DFG::Plan::Plan):
3155         (JSC::DFG::Plan::compileInThread):
3156         (JSC::DFG::Plan::compileInThreadImpl):
3157         (JSC::DFG::Plan::notifyCompiling):
3158         (JSC::DFG::Plan::notifyCompiled):
3159         (JSC::DFG::Plan::notifyReady):
3160         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
3161         (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
3162         (JSC::DFG::Plan::cancel):
3163         (JSC::DFG::Plan::visitChildren): Deleted.
3164         * dfg/DFGPlan.h:
3165         * dfg/DFGSafepoint.cpp:
3166         (JSC::DFG::Safepoint::Result::~Result):
3167         (JSC::DFG::Safepoint::Result::didGetCancelled):
3168         (JSC::DFG::Safepoint::Safepoint):
3169         (JSC::DFG::Safepoint::~Safepoint):
3170         (JSC::DFG::Safepoint::checkLivenessAndVisitChildren):
3171         (JSC::DFG::Safepoint::isKnownToBeLiveDuringGC):
3172         (JSC::DFG::Safepoint::cancel):
3173         (JSC::DFG::Safepoint::visitChildren): Deleted.
3174         * dfg/DFGSafepoint.h:
3175         (JSC::DFG::Safepoint::Result::Result):
3176         * dfg/DFGWorklist.cpp:
3177         (JSC::DFG::Worklist::compilationState):
3178         (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
3179         (JSC::DFG::Worklist::removeAllReadyPlansForVM):
3180         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
3181         (JSC::DFG::Worklist::visitWeakReferences):
3182         (JSC::DFG::Worklist::removeDeadPlans):
3183         (JSC::DFG::Worklist::runThread):
3184         (JSC::DFG::Worklist::visitChildren): Deleted.
3185         * dfg/DFGWorklist.h:
3186         * ftl/FTLCompile.cpp:
3187         (JSC::FTL::compile):
3188         * ftl/FTLCompile.h:
3189         * heap/CodeBlockSet.cpp:
3190         (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
3191         * heap/Heap.cpp:
3192         (JSC::Heap::markRoots):
3193         (JSC::Heap::visitCompilerWorklistWeakReferences):
3194         (JSC::Heap::removeDeadCompilerWorklistEntries):
3195         (JSC::Heap::visitWeakHandles):
3196         (JSC::Heap::collect):
3197         (JSC::Heap::visitCompilerWorklists): Deleted.
3198         * heap/Heap.h:
3199
3200 2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>
3201
3202         Deleting properties poisons objects
3203         https://bugs.webkit.org/show_bug.cgi?id=131551
3204
3205         Reviewed by Oliver Hunt.
3206
3207         This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.
3208
3209         * runtime/JSPropertyNameIterator.cpp:
3210         (JSC::JSPropertyNameIterator::create):
3211         * runtime/PropertyMapHashTable.h:
3212         (JSC::PropertyTable::hasDeletedOffset):
3213         (JSC::PropertyTable::hadDeletedOffset): If we ever had deleted properties we can no longer cache offsets when 
3214         iterating properties because we're required to iterate properties in insertion order.
3215         * runtime/Structure.cpp:
3216         (JSC::Structure::Structure):
3217         (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
3218         (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of 
3219         Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache 
3220         delete transitions, but we allow transitioning from them.
3221         (JSC::Structure::changePrototypeTransition):
3222         (JSC::Structure::despecifyFunctionTransition):
3223         (JSC::Structure::attributeChangeTransition):
3224         (JSC::Structure::toDictionaryTransition):
3225         (JSC::Structure::preventExtensionsTransition):
3226         (JSC::Structure::addPropertyWithoutTransition):
3227         (JSC::Structure::removePropertyWithoutTransition):
3228         (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
3229         (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
3230         * runtime/Structure.h:
3231         * runtime/StructureInlines.h:
3232         (JSC::Structure::setEnumerationCache):
3233         (JSC::Structure::hadDeletedOffsets):
3234         (JSC::Structure::propertyTable):
3235         (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
3236         * tests/stress/for-in-after-delete.js: Added.
3237         (foo):
3238
3239 2014-04-25  Andreas Kling  <akling@apple.com>
3240
3241         Inline (C++) GetByVal with numeric indices more aggressively.
3242         <https://webkit.org/b/132218>
3243
3244         We were already inlining the string indexed GetByVal path pretty well,
3245         while the path for numeric indices got neglected. No more!
3246
3247         ~9.5% improvement on Dromaeo/dom-traverse.html on my MBP:
3248
3249             Before: 199.50 runs/s
3250              After: 218.58 runs/s
3251
3252         Reviewed by Phil Pizlo.
3253
3254         * dfg/DFGOperations.cpp:
3255         * runtime/JSCJSValueInlines.h:
3256         (JSC::JSValue::get):
3257
3258             ALWAYS_INLINE all the things.
3259
3260         * runtime/JSObject.h:
3261         (JSC::JSObject::getPropertySlot):
3262
3263             Avoid fetching the Structure more than once. We have the same
3264             optimization in the string-indexed code path.
3265
3266 2014-04-25  Oliver Hunt  <oliver@apple.com>
3267
3268         Need earlier cell test
3269         https://bugs.webkit.org/show_bug.cgi?id=132211
3270
3271         Reviewed by Mark Lam.
3272
3273         Move cell test to before the function call repatch
3274         location, as the repatch logic for 32bit assumes that the
3275         caller will already have performed a cell check.
3276
3277         * jit/JITCall32_64.cpp:
3278         (JSC::JIT::compileOpCall):
3279
3280 2014-04-25  Andreas Kling  <akling@apple.com>
3281
3282         Un-fast-allocate JSGlobalObjectRareData because Windows doesn't build and I'm not in the mood.
3283
3284         * runtime/JSGlobalObject.h:
3285         (JSC::JSGlobalObject::JSGlobalObjectRareData::JSGlobalObjectRareData):
3286         (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData): Deleted.
3287
3288 2014-04-25  Andreas Kling  <akling@apple.com>
3289
3290         Windows build fix attempt.
3291
3292         * runtime/JSGlobalObject.h:
3293         (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData):
3294
3295 2014-04-25  Mark Lam  <mark.lam@apple.com>
3296
3297         Refactor debugging code to use BreakpointActions instead of Vector<ScriptBreakpointAction>.
3298         <https://webkit.org/b/132201>
3299
3300         Reviewed by Joseph Pecoraro.
3301
3302         BreakpointActions is Vector<ScriptBreakpointAction>.  Let's just consistently use
3303         BreakpointActions everywhere.
3304
3305         * inspector/ScriptBreakpoint.h:
3306         (Inspector::ScriptBreakpoint::ScriptBreakpoint):
3307         * inspector/ScriptDebugServer.cpp:
3308         (Inspector::ScriptDebugServer::setBreakpoint):
3309         (Inspector::ScriptDebugServer::getActionsForBreakpoint):
3310         * inspector/ScriptDebugServer.h:
3311         * inspector/agents/InspectorDebuggerAgent.cpp:
3312         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
3313         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
3314         (Inspector::InspectorDebuggerAgent::setBreakpoint):
3315         (Inspector::InspectorDebuggerAgent::removeBreakpoint):
3316         * inspector/agents/InspectorDebuggerAgent.h:
3317
3318 2014-04-24  Filip Pizlo  <fpizlo@apple.com>
3319
3320         DFG worklist scanning should not treat the key as a separate entity
3321         https://bugs.webkit.org/show_bug.cgi?id=132167
3322
3323         Reviewed by Mark Hahnenberg.
3324         
3325         This simplifies the interface to the GC and will enable more optimizations.
3326
3327         * dfg/DFGCompilationKey.cpp:
3328         (JSC::DFG::CompilationKey::visitChildren): Deleted.
3329         * dfg/DFGCompilationKey.h:
3330         * dfg/DFGPlan.cpp:
3331         (JSC::DFG::Plan::visitChildren):
3332         * dfg/DFGWorklist.cpp:
3333         (JSC::DFG::Worklist::visitChildren):
3334
3335 2014-04-25  Oliver Hunt  <oliver@apple.com>
3336
3337         Remove unused parameter from codeblock linking function
3338         https://bugs.webkit.org/show_bug.cgi?id=132199
3339
3340         Reviewed by Anders Carlsson.
3341
3342         No change in behaviour. This is just a small change to make it
3343         slightly easier to reason about what the offsets in UnlinkedFunctionExecutable
3344         actually mean.
3345
3346         * bytecode/UnlinkedCodeBlock.cpp:
3347         (JSC::UnlinkedFunctionExecutable::link):
3348         * bytecode/UnlinkedCodeBlock.h:
3349         * runtime/Executable.cpp:
3350         (JSC::ProgramExecutable::initializeGlobalProperties):
3351
3352 2014-04-25  Andreas Kling  <akling@apple.com>
3353
3354         Mark some things with WTF_MAKE_FAST_ALLOCATED.
3355         <https://webkit.org/b/132198>
3356
3357         Use FastMalloc for more things.
3358
3359         Reviewed by Anders Carlsson.
3360
3361         * builtins/BuiltinExecutables.h:
3362         * heap/GCThreadSharedData.h:
3363         * inspector/JSConsoleClient.h:
3364         * inspector/agents/InspectorAgent.h:
3365         * runtime/CodeCache.h:
3366         * runtime/JSGlobalObject.h:
3367         * runtime/Lookup.cpp:
3368         (JSC::HashTable::createTable):
3369         (JSC::HashTable::deleteTable):
3370         * runtime/WeakGCMap.h:
3371
3372 2014-04-25  Antoine Quint  <graouts@webkit.org>
3373
3374         Implement Array.prototype.find()
3375         https://bugs.webkit.org/show_bug.cgi?id=130966
3376
3377         Reviewed by Oliver Hunt.
3378
3379         Implement Array.prototype.find() and Array.prototype.findIndex() as proposed in the Harmony spec.
3380
3381         * builtins/Array.prototype.js:
3382         (find):
3383         (findIndex):
3384         * runtime/ArrayPrototype.cpp:
3385
3386 2014-04-24  Brady Eidson  <beidson@apple.com>
3387
3388         Rename "IMAGE_CONTROLS" feature to "SERVICE_CONTROLS"
3389         https://bugs.webkit.org/show_bug.cgi?id=132155
3390
3391         Reviewed by Tim Horton.
3392
3393         * Configurations/FeatureDefines.xcconfig:
3394
3395 2014-04-24  Michael Saboff  <msaboff@apple.com>
3396
3397         REGRESSION: Apparent hang of PCE.js Mac OS System 7.0.1 on ARM64 devices
3398         https://bugs.webkit.org/show_bug.cgi?id=132147
3399
3400         Reviewed by Mark Lam.
3401
3402         Fixed or64(), eor32() and eor64() to use "src" register when we have a valid logicalImm.
3403
3404         * assembler/MacroAssemblerARM64.h:
3405         (JSC::MacroAssemblerARM64::or64):
3406         (JSC::MacroAssemblerARM64::xor32):
3407         (JSC::MacroAssemblerARM64::xor64):
3408         * tests/stress/regress-132147.js: Added test.
3409
3410 2014-04-24  Mark Lam  <mark.lam@apple.com>
3411
3412         Make slowPathAllocsBetweenGCs a runtime option.
3413         <https://webkit.org/b/132137>
3414
3415         Reviewed by Mark Hahnenberg.
3416
3417         This will make it easier to more casually run tests with this configuration
3418         as well as to reproduce issues (instead of requiring a code mod and rebuild).
3419         We will now take --slowPathAllocsBetweenGCs=N where N is the number of
3420         slow path allocations before we trigger a collection.
3421
3422         The option defaults to 0, which is reserved to mean that we will not trigger
3423         any collections there.
3424
3425         * heap/Heap.h:
3426         * heap/MarkedAllocator.cpp:
3427         (JSC::MarkedAllocator::doTestCollectionsIfNeeded):
3428         (JSC::MarkedAllocator::allocateSlowCase):
3429         * heap/MarkedAllocator.h:
3430         * runtime/Options.h:
3431
3432 2014-04-23  Mark Lam  <mark.lam@apple.com>
3433
3434         The GC should only resume compiler threads that it suspended in the same GC pass.
3435         <https://webkit.org/b/132088>
3436
3437         Reviewed by Mark Hahnenberg.
3438
3439         Previously, this scenario could occur:
3440         1. Thread 1 starts a GC and tries to suspend DFG worklist threads.  However,
3441            no worklists were created yet at that time.
3442         2. Thread 2 starts to compile some functions and creates a DFG worklist, and
3443       &