VM::discardAllCode() should clear the RegExp cache.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-03-13  Andreas Kling  <akling@apple.com>

        VM::discardAllCode() should clear the RegExp cache.
        <https://webkit.org/b/130144>

        Reviewed by Michael Saboff.

        * runtime/VM.cpp:
        (JSC::VM::discardAllCode):

2014-03-13  Andreas Kling  <akling@apple.com>

        Revert "Short-circuit JSGlobalObjectInspectorController when not inspecting."
        <https://webkit.org/b/129995>

        This code path is not taken anymore on DYEB, and I can't explain why
        it was showing up in my profiles. Backing it out per JoePeck's suggestion.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):

2014-03-13  Filip Pizlo  <fpizlo@apple.com>

        FTL should support IsBlah
        https://bugs.webkit.org/show_bug.cgi?id=130202

        Reviewed by Geoffrey Garen.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileIsUndefined):
        (JSC::FTL::LowerDFGToLLVM::compileIsBoolean):
        (JSC::FTL::LowerDFGToLLVM::compileIsNumber):
        (JSC::FTL::LowerDFGToLLVM::compileIsString):
        (JSC::FTL::LowerDFGToLLVM::compileIsObject):
        (JSC::FTL::LowerDFGToLLVM::compileIsFunction):
        (JSC::FTL::LowerDFGToLLVM::compileStoreBarrier):
        (JSC::FTL::LowerDFGToLLVM::compileStoreBarrierWithNullCheck):
        (JSC::FTL::LowerDFGToLLVM::isNotCellOrMisc):
        (JSC::FTL::LowerDFGToLLVM::isNumber):
        (JSC::FTL::LowerDFGToLLVM::isNotNumber):
        (JSC::FTL::LowerDFGToLLVM::isBoolean):
        * ftl/FTLOSRExitCompiler.cpp:
        * tests/stress/is-undefined-exit-on-masquerader.js: Added.
        (bar):
        (foo):
        (test):
        * tests/stress/is-undefined-jettison-on-masquerader.js: Added.
        (foo):
        (test):
        * tests/stress/is-undefined-masquerader.js: Added.
        (foo):
        (test):

2014-03-13  Mark Lam  <mark.lam@apple.com>

        JS benchmarks crash with a bus error on 32-bit x86.
        <https://webkit.org/b/130203>

        Reviewed by Geoffrey Garen.

        The issue is that generateGetByIdStub() can potentially use the same register
        for the JSValue base register and the target tag register.  After loading the
        tag value into the target tag register, the JSValue base address is lost.
        The code then proceeds to load the payload value using the base register, and
        this results in a crash.

        The fix is to check if the base register is the same as the target tag register.
        If so, we should make a copy of the base register first before loading the tag
        value, and use the copy to load the payload value instead.

        * jit/Repatch.cpp:
        (JSC::generateGetByIdStub):

2014-03-12  Filip Pizlo  <fpizlo@apple.com>

        WebKit shouldn't crash on uniprocessor machines
        https://bugs.webkit.org/show_bug.cgi?id=130176

        Reviewed by Michael Saboff.

        Previously the math for computing the number of JIT compiler threads would come up with
        zero threads on uniprocessor machines, and then the Worklist code would assert.

        * runtime/Options.cpp:
        (JSC::computeNumberOfWorkerThreads):
        * runtime/Options.h:

2014-03-13  Radu Stavila  <stavila@adobe.com>

        WebKit not building on Xcode 5.1 due to garbage collection no longer being supported
        https://bugs.webkit.org/show_bug.cgi?id=130087

        Reviewed by Mark Rowe.

        Disable garbage collection on macosx when not using internal SDK.

        * Configurations/Base.xcconfig:

2014-03-10  Darin Adler  <darin@apple.com>

        Avoid copy-prone idiom "for (auto item : collection)"
        https://bugs.webkit.org/show_bug.cgi?id=129990

        Reviewed by Geoffrey Garen.

        * heap/CodeBlockSet.h:
        (JSC::CodeBlockSet::iterate): Use auto& to be sure we don't copy by accident.
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::dispatchBreakpointActionLog): Use auto* to
        make explicit that we are iterating through pointers.
        (Inspector::ScriptDebugServer::dispatchBreakpointActionSound): Ditto.
        (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe): Ditto.
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::removeBreakpoint): Use auto&, and also
        get rid of an unneeded local variable.
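
The idiom the entry above is replacing, shown as an added example (this is not WebKit code and not Darin Adler's): a hypothetical `Tracked` element type counts its own copies, so the hidden cost of `for (auto item : collection)` shows up as a number, and a third function shows the correctness side of the same mistake, namely writes made through the by-value loop variable that never reach the collection. The element type, the sample collection and the function names are all constructed for the example.

```cpp
// Added example, not WebKit code: measures the copies that the
// "for (auto item : collection)" idiom makes, versus "for (auto& item : collection)".
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

// Hypothetical element type that counts every copy made of it.
struct Tracked {
    std::string name;
    static std::size_t copies;

    explicit Tracked(std::string n) : name(std::move(n)) {}
    Tracked(const Tracked& other) : name(other.name) { ++copies; }
    Tracked& operator=(const Tracked& other) { name = other.name; ++copies; return *this; }
    Tracked(Tracked&&) = default;
    Tracked& operator=(Tracked&&) = default;
};
std::size_t Tracked::copies = 0;

// Constructed sample collection of n elements (reserve + emplace_back: no copies).
static std::vector<Tracked> makeItems(std::size_t n) {
    std::vector<Tracked> items;
    items.reserve(n);
    for (std::size_t i = 0; i < n; ++i)
        items.emplace_back("item" + std::to_string(i));
    return items;
}

// Copy-prone idiom: each iteration copy-constructs a fresh Tracked.
std::size_t copiesWithByValueLoop(std::size_t n) {
    std::vector<Tracked> items = makeItems(n);
    Tracked::copies = 0;
    std::size_t totalLength = 0;
    for (auto item : items)              // copies every element
        totalLength += item.name.size();
    (void)totalLength;
    return Tracked::copies;              // == n
}

// Reference idiom: iterates the stored objects in place.
std::size_t copiesWithReferenceLoop(std::size_t n) {
    std::vector<Tracked> items = makeItems(n);
    Tracked::copies = 0;
    std::size_t totalLength = 0;
    for (const auto& item : items)       // no copies
        totalLength += item.name.size();
    (void)totalLength;
    return Tracked::copies;              // == 0
}

// The copy is also a correctness hazard: writes through "auto item" are lost.
bool byValueLoopLosesWrites() {
    std::vector<Tracked> items = makeItems(3);
    for (auto item : items)
        item.name = "changed";           // modifies the copy only
    bool lost = items[0].name != "changed";
    for (auto& item : items)
        item.name = "changed";           // modifies the stored element
    return lost && items[2].name == "changed";
}
```

Compiles with any C++11 or later compiler. `copiesWithByValueLoop(n)` returns n and `copiesWithReferenceLoop(n)` returns 0; the same applies to any container, including one whose elements are key/value pairs, which is why the change above uses `auto&` (or `auto*` where the elements are pointers, to make the pointer copy explicit).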

2014-03-13  Brian Burg  <bburg@apple.com>

        Web Inspector: Remove unused callId parameter from evaluateInWebInspector
        https://bugs.webkit.org/show_bug.cgi?id=129744

        Reviewed by Timothy Hatcher.

        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::enable):
        (Inspector::InspectorAgent::evaluateForTestInFrontend):
        * inspector/agents/InspectorAgent.h:
        * inspector/protocol/InspectorDomain.json:

2014-03-11  Filip Pizlo  <fpizlo@apple.com>

        ASSERTION FAILED: node->op() == Phi || node->op() == SetArgument
        https://bugs.webkit.org/show_bug.cgi?id=130069

        Reviewed by Geoffrey Garen.

        This was a great assertion, and it represents our strictest interpretation of the rules of
        our intermediate representation. However, fixing DCE to actually preserve the relevant
        property would be hard, and it wouldn't have an observable effect right now because nobody
        actually uses the property of CPS that this assertion is checking for.

        In particular, we do always require, and rely on, the fact that non-captured variables
        have variablesAtTail refer to the last interesting use of the variable: a SetLocal if the
        block assigns to the variable, a GetLocal if it only reads from it, and a Flush,
        PhantomLocal, or Phi otherwise. We do preserve this property successfully and DCE was not
        broken in this regard. But, in the strictest sense, CPS also means that for captured
        variables, variablesAtTail also continues to point to the last relevant use of the
        variable. In particular, if there are multiple GetLocals, then it should point to the last
        one. This is hard for DCE to preserve. Also, nobody relies on variablesAtTail for captured
        variables, except to check the VariableAccessData; but in that case, we don't really need
        the *last* relevant use of the variable - any node that mentions the same variable will do
        just fine.

        So, this change loosens the assertion and adds a detailed FIXME describing what we would
        have to do if we wanted to preserve the more strict property.

        This also makes changes to various debug printing paths so that validation doesn't crash
        during graph dump. This also adds tests for the interesting cases of DCE failing to
        preserve CPS in the strictest sense. This also attempts to win the record for longest test
        name.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::hashAsStringIfPossible):
        (JSC::CodeBlock::dumpAssumingJITType):
        * bytecode/CodeBlock.h:
        * bytecode/CodeOrigin.cpp:
        (JSC::InlineCallFrame::hashAsStringIfPossible):
        (JSC::InlineCallFrame::dumpBriefFunctionInformation):
        * bytecode/CodeOrigin.h:
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::run):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::cleanVariables):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
        * runtime/FunctionExecutableDump.cpp:
        (JSC::FunctionExecutableDump::dump):
        * tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store-in-function-with-multiple-basic-blocks.js: Added.
        (foo):
        * tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store.js: Added.
        (foo):

2014-03-12  Brian Burg  <bburg@apple.com>

        Web Replay: add infrastructure for memoizing nondeterministic DOM APIs
        https://bugs.webkit.org/show_bug.cgi?id=129445

        Reviewed by Timothy Hatcher.

        There was a bug in the replay inputs code generator that would include
        headers for definitions of enum classes, even though they can be safely
        forward-declared.

        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Generator.generate_includes): Only include for copy constructor if the
        type is a heavy scalar (i.e., String, URL), not a normal scalar
        (i.e., int, double, enum classes).

        (Generator.generate_type_forward_declarations): Forward-declare scalars
        that are enums or enum classes.

2014-03-12  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Disable REMOTE_INSPECTOR in earlier OS X releases
        https://bugs.webkit.org/show_bug.cgi?id=130118

        Reviewed by Timothy Hatcher.

        * Configurations/FeatureDefines.xcconfig:

2014-03-12  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Hang in Remote Inspection triggering breakpoint from console
        https://bugs.webkit.org/show_bug.cgi?id=130032

        Reviewed by Timothy Hatcher.

        * inspector/EventLoop.h:
        * inspector/EventLoop.cpp:
        (Inspector::EventLoop::remoteInspectorRunLoopMode):
        (Inspector::EventLoop::cycle):
        Expose the run loop mode name so it can be used if needed by others.

        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorBlock::RemoteInspectorBlock):
        (Inspector::RemoteInspectorBlock::~RemoteInspectorBlock):
        (Inspector::RemoteInspectorBlock::operator=):
        (Inspector::RemoteInspectorBlock::operator()):
        (Inspector::RemoteInspectorQueueTask):
        Instead of a dispatch_queue, have our own static Vector of debugger tasks.

        (Inspector::RemoteInspectorHandleRunSource):
        (Inspector::RemoteInspectorInitializeQueue):
        Initialize the static queue and run loop source. When the run loop source
        fires, it will exhaust the queue of debugger messages.

        (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
        (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
        When we get a debuggable connection add a run loop source for inspector commands.

        (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
        (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
        Enqueue blocks on our Vector instead of our dispatch_queue.

2014-03-12  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r165482.
        https://bugs.webkit.org/show_bug.cgi?id=130157

        Broke the Windows build; "error C2466: cannot allocate an
        array of constant size 0" (Requested by jernoble on #webkit).

        Reverted changeset:

        "Reduce memory use for static property maps"
        https://bugs.webkit.org/show_bug.cgi?id=129986
        http://trac.webkit.org/changeset/165482

2014-03-12  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove HandleSet::m_nextToFinalize
        https://bugs.webkit.org/show_bug.cgi?id=130109

        Reviewed by Mark Lam.

        This is a remnant of when HandleSet contained things that needed to be finalized.

        * heap/HandleSet.cpp:
        (JSC::HandleSet::HandleSet):
        (JSC::HandleSet::writeBarrier):
        * heap/HandleSet.h:
        (JSC::HandleSet::allocate):
        (JSC::HandleSet::deallocate):

2014-03-12  Mark Hahnenberg  <mhahnenberg@apple.com>

        Layout Test fast/workers/worker-gc.html is failing
        https://bugs.webkit.org/show_bug.cgi?id=130135

        Reviewed by Geoffrey Garen.

        When removing MarkedBlocks, we always expect them to be in the MarkedAllocator's
        main list of blocks, i.e. not in the retired list. When shutting down the VM this
        wasn't always the case, which was causing ASSERTs to fire. We should rearrange things
        so that allocators are notified with lastChanceToFinalize. This will give them
        the chance to move their retired blocks back into the main list before removing them all.

        * heap/MarkedAllocator.cpp:
        (JSC::LastChanceToFinalize::operator()):
        (JSC::MarkedAllocator::lastChanceToFinalize):
        * heap/MarkedAllocator.h:
        * heap/MarkedSpace.cpp:
        (JSC::LastChanceToFinalize::operator()):
        (JSC::MarkedSpace::lastChanceToFinalize):

2014-03-12  Gavin Barraclough  <barraclough@apple.com>

        Reduce memory use for static property maps
        https://bugs.webkit.org/show_bug.cgi?id=129986

        Reviewed by Andreas Kling.

        Static property tables are currently duplicated on first use from read-only memory into dirty memory
        in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse
        (we use a custom hash table without a rehash) a lot of memory may be wasted.

        First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps
        from string hashes to indices into a densely packed array of values. Compute the index table at
        compile time as a part of the derived sources step, such that this may be read-only data.

        Second, don't copy all data from the HashTableValue array into HashEntry objects. Instead refer
        directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the
        keys, which are Identifiers.

        * create_hash_table:
            - emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep).
        * parser/Lexer.cpp:
        (JSC::Lexer<LChar>::parseIdentifier):
        (JSC::Lexer<UChar>::parseIdentifier):
        (JSC::Lexer<T>::parseIdentifierSlowCase):
            - HashEntry -> HashTableValue.
        * parser/Lexer.h:
        (JSC::Keywords::getKeyword):
            - HashEntry -> HashTableValue.
        * runtime/ClassInfo.h:
            - removed HashEntry.
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
            - use HashTable::ConstIterator.
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::findPropertyHashEntry):
            - HashEntry -> HashTableValue.
        (JSC::JSObject::reifyStaticFunctionsForDelete):
            - changed HashTable::ConstIterator interface.
        * runtime/JSObject.h:
            - HashEntry -> HashTableValue.
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):
            - table -> keys, keys array is now densely packed.
        (JSC::HashTable::deleteTable):
            - table -> keys.
        (JSC::setUpStaticFunctionSlot):
            - HashEntry -> HashTableValue.
        * runtime/Lookup.h:
        (JSC::HashTableValue::builtinGenerator):
        (JSC::HashTableValue::function):
        (JSC::HashTableValue::functionLength):
        (JSC::HashTableValue::propertyGetter):
        (JSC::HashTableValue::propertyPutter):
        (JSC::HashTableValue::lexerValue):
            - added accessor methods from HashEntry.
        (JSC::HashTable::copy):
            - fields changed.
        (JSC::HashTable::initializeIfNeeded):
            - table -> keys.
        (JSC::HashTable::entry):
            - HashEntry -> HashTableValue.
        (JSC::HashTable::ConstIterator::ConstIterator):
            - iterate packed value array, so no need to skipInvalidKeys().
        (JSC::HashTable::ConstIterator::value):
        (JSC::HashTable::ConstIterator::key):
        (JSC::HashTable::ConstIterator::operator->):
            - accessors now get HashTableValue/StringImpl* separately.
        (JSC::HashTable::ConstIterator::operator++):
            - iterate packed value array, so no need to skipInvalidKeys().
        (JSC::HashTable::end):
            - end is now size of dense not sparse array.
        (JSC::getStaticPropertySlot):
        (JSC::getStaticFunctionSlot):
        (JSC::getStaticValueSlot):
        (JSC::putEntry):
        (JSC::lookupPut):
            - HashEntry -> HashTableValue.
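
A worked model of the layout the entry above describes, added here as an example (it is not WebKit's code: `create_hash_table` emits its own table format and JSC hashes with its StringHasher, so the FNV-1a hash, the slot-chaining scheme, the `IndexEntry` shape and the sample property names below are all assumptions). Values live in one densely packed, read-only `HashTableValue` array; the index table maps `hash & mask` to a value index and carries a `next` link for collisions, so the only thing a runtime would still need to allocate is the keys.

```cpp
// Added example, not WebKit code: a read-only static property table made of a
// densely packed value array plus a small precomputed index (slot -> value index,
// with chain links). Hash function and chaining scheme are assumptions, not JSC's.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

struct HashTableValue {        // one row per static property; never copied at runtime
    const char* key;
    int payload;               // stands in for the function/getter pointer
};

struct IndexEntry {            // 4 bytes, versus the 48-byte HashEntry mentioned above
    int16_t valueIndex;        // -1: empty slot
    int16_t next;              // -1: end of chain
};

// Assumed hash (FNV-1a); JSC uses its own StringHasher.
static uint32_t hashKey(const char* s) {
    uint32_t h = 2166136261u;
    for (; *s; ++s) { h ^= static_cast<uint8_t>(*s); h *= 16777619u; }
    return h;
}

struct CompactTable {
    const HashTableValue* values;
    std::size_t numValues;
    std::vector<IndexEntry> index;   // would be a const array in generated code
    uint32_t mask;
};

// What the derived-sources step would precompute: home slot = hash & mask,
// collisions chained through otherwise-unused slots taken from the top of the table.
CompactTable buildIndex(const HashTableValue* values, std::size_t n) {
    std::size_t size = 1;
    while (size < 2 * n) size <<= 1;      // load factor <= 0.5 keeps chains short
    CompactTable t{values, n, std::vector<IndexEntry>(size, IndexEntry{-1, -1}),
                   static_cast<uint32_t>(size - 1)};
    std::size_t freeSlot = size;
    for (std::size_t i = 0; i < n; ++i) {
        std::size_t slot = hashKey(values[i].key) & t.mask;
        if (t.index[slot].valueIndex < 0) {
            t.index[slot].valueIndex = static_cast<int16_t>(i);
            continue;
        }
        while (t.index[slot].next >= 0)   // walk to the end of the chain
            slot = static_cast<std::size_t>(t.index[slot].next);
        do { --freeSlot; } while (t.index[freeSlot].valueIndex >= 0);
        t.index[freeSlot].valueIndex = static_cast<int16_t>(i);
        t.index[slot].next = static_cast<int16_t>(freeSlot);
    }
    return t;
}

// Runtime lookup: probe the home slot, compare keys, follow the chain.
const HashTableValue* lookup(const CompactTable& t, const char* key) {
    int slot = static_cast<int>(hashKey(key) & t.mask);
    while (slot >= 0) {
        const IndexEntry& e = t.index[static_cast<std::size_t>(slot)];
        if (e.valueIndex < 0)
            return nullptr;               // nothing hashes here
        const HashTableValue& v = t.values[e.valueIndex];
        if (std::strcmp(v.key, key) == 0)
            return &v;
        slot = e.next;
    }
    return nullptr;
}

std::size_t indexBytes(const CompactTable& t) { return t.index.size() * sizeof(IndexEntry); }

// Constructed sample table; the names are illustrative, not a real class's property list.
static const HashTableValue kSampleValues[] = {
    {"length", 1}, {"push", 2}, {"pop", 3}, {"slice", 4}, {"splice", 5},
};
static const std::size_t kSampleCount = sizeof(kSampleValues) / sizeof(kSampleValues[0]);

// Every key resolves to its own row, an unknown key resolves to nothing, and the
// index for 5 values is 16 slots (64 bytes) on top of the values themselves.
bool sampleTableRoundTrips() {
    CompactTable t = buildIndex(kSampleValues, kSampleCount);
    for (std::size_t i = 0; i < kSampleCount; ++i)
        if (lookup(t, kSampleValues[i].key) != &kSampleValues[i])
            return false;
    return lookup(t, "shift") == nullptr && indexBytes(t) == 16 * sizeof(IndexEntry);
}
```

`buildIndex` stands in for the derived-sources step; in generated code its output would be a `const` array in read-only data, and `lookup` is the only part that runs when a property is accessed. Because `IndexEntry` is 4 bytes and the index is sized to a power of two of at least twice the value count, a 5-entry table costs 64 bytes of index plus the values, against 48 bytes per sparse slot in the old HashEntry layout, and iterating the values array visits no invalid slots.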

2014-03-11  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to build WebKit with FTL on iOS
        https://bugs.webkit.org/show_bug.cgi?id=130116

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:

2014-03-10  Filip Pizlo  <fpizlo@apple.com>

        GetById list caching should use something object-oriented rather than PolymorphicAccessStructureList
        https://bugs.webkit.org/show_bug.cgi?id=129778

        Reviewed by Geoffrey Garen.

        Also deduplicate the GetById getter call caching. Also add some small tests for
        get stubs.

        This change reduces the amount of code involved in GetById access caching and it
        creates data structures that can serve as an elegant scaffold for introducing other
        kinds of caches or improving current caching styles. It will definitely make getter
        performance improvements easier to implement.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdCacheStatus):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfo):
        * bytecode/PolymorphicGetByIdList.cpp: Added.
        (JSC::GetByIdAccess::GetByIdAccess):
        (JSC::GetByIdAccess::~GetByIdAccess):
        (JSC::GetByIdAccess::fromStructureStubInfo):
        (JSC::GetByIdAccess::visitWeak):
        (JSC::PolymorphicGetByIdList::PolymorphicGetByIdList):
        (JSC::PolymorphicGetByIdList::from):
        (JSC::PolymorphicGetByIdList::~PolymorphicGetByIdList):
        (JSC::PolymorphicGetByIdList::currentSlowPathTarget):
        (JSC::PolymorphicGetByIdList::addAccess):
        (JSC::PolymorphicGetByIdList::isFull):
        (JSC::PolymorphicGetByIdList::isAlmostFull):
        (JSC::PolymorphicGetByIdList::didSelfPatching):
        (JSC::PolymorphicGetByIdList::visitWeak):
        * bytecode/PolymorphicGetByIdList.h: Added.
        (JSC::GetByIdAccess::GetByIdAccess):
        (JSC::GetByIdAccess::isSet):
        (JSC::GetByIdAccess::operator!):
        (JSC::GetByIdAccess::type):
        (JSC::GetByIdAccess::structure):
        (JSC::GetByIdAccess::chain):
        (JSC::GetByIdAccess::chainCount):
        (JSC::GetByIdAccess::stubRoutine):
        (JSC::GetByIdAccess::doesCalls):
        (JSC::PolymorphicGetByIdList::isEmpty):
        (JSC::PolymorphicGetByIdList::size):
        (JSC::PolymorphicGetByIdList::at):
        (JSC::PolymorphicGetByIdList::operator[]):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::deref):
        (JSC::StructureStubInfo::visitWeakReferences):
        * bytecode/StructureStubInfo.h:
        (JSC::isGetByIdAccess):
        (JSC::StructureStubInfo::initGetByIdList):
        * jit/Repatch.cpp:
        (JSC::generateGetByIdStub):
        (JSC::tryCacheGetByID):
        (JSC::patchJumpToGetByIdStub):
        (JSC::tryBuildGetByIDList):
        (JSC::tryBuildPutByIdList):
        * tests/stress/getter.js: Added.
        (foo):
        (.o):
        * tests/stress/polymorphic-prototype-accesses.js: Added.
        (Foo):
        (Bar):
        (foo):
        * tests/stress/prototype-getter.js: Added.
        (Foo):
        (foo):
        * tests/stress/simple-prototype-accesses.js: Added.
        (Foo):
        (foo):

2014-03-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        MarkedBlocks that are "full enough" shouldn't be swept after EdenCollections
        https://bugs.webkit.org/show_bug.cgi?id=129920

        Reviewed by Geoffrey Garen.

        This patch introduces the notion of "retiring" MarkedBlocks. We retire a MarkedBlock
        when the amount of free space in a MarkedBlock drops below a certain threshold.
        Retired blocks are not considered for sweeping.

        This is profitable because it reduces churn during sweeping. To build a free list,
        we have to scan through each cell in a block. After a collection, all objects that
        are live in the block will remain live until the next FullCollection, at which time
        we un-retire all previously retired blocks. Thus, a small number of objects in a block
        that die during each EdenCollection could cause us to do a disproportionate amount of
        sweeping for how much free memory we get back.

        This patch looks like a consistent ~2% progression on boyer and is neutral everywhere else.

        * heap/Heap.h:
        (JSC::Heap::didRetireBlockWithFreeListSize):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::tryAllocateHelper):
        (JSC::MarkedAllocator::removeBlock):
        (JSC::MarkedAllocator::reset):
        * heap/MarkedAllocator.h:
        (JSC::MarkedAllocator::MarkedAllocator):
        (JSC::MarkedAllocator::forEachBlock):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::sweepHelper):
        (JSC::MarkedBlock::clearMarksWithCollectionType):
        (JSC::MarkedBlock::didRetireBlock):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::willRemoveBlock):
        (JSC::MarkedBlock::isLive):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::clearNewlyAllocated):
        (JSC::MarkedSpace::clearMarks):
        * runtime/Options.h:
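
The retire policy in the entry above, modelled as an added example (this is not WebKit code; the block and cell counts, the threshold of 8 free cells, the `retired` flag kept on the block itself, and the sequence of collections in `runScenario` are all made up for illustration). A sweep scans every cell of each active block to rebuild its free list; a block whose sweep yields fewer free cells than the threshold is retired and skipped by later sweeps; a FullCollection un-retires every block. The return value of `sweep` is the number of cells scanned, which is the churn the change is cutting down.

```cpp
// Added example, not WebKit code: a toy MarkedAllocator with the "retire" policy.
// Thresholds, sizes and the collection sequence are invented for illustration.
#include <cstddef>
#include <vector>

struct MarkedBlock {
    std::vector<bool> live;            // one mark bit per cell
    std::vector<std::size_t> freeList; // cell indices the allocator may hand out
    bool retired;                      // skipped by sweeps until the next FullCollection
};

struct MarkedAllocator {
    std::size_t retireThreshold;       // retire when a sweep finds fewer free cells than this
    std::vector<MarkedBlock> blocks;
};

// All cells start out live, i.e. every block is "full".
MarkedAllocator makeAllocator(std::size_t numBlocks, std::size_t cellsPerBlock,
                              std::size_t retireThreshold) {
    MarkedAllocator a{retireThreshold, {}};
    for (std::size_t i = 0; i < numBlocks; ++i)
        a.blocks.push_back(MarkedBlock{std::vector<bool>(cellsPerBlock, true), {}, false});
    return a;
}

// Simulate objects dying in one block (what an EdenCollection would discover).
void killCells(MarkedAllocator& a, std::size_t block, std::size_t count) {
    std::vector<bool>& live = a.blocks[block].live;
    for (std::size_t i = 0; i < live.size() && count > 0; ++i)
        if (live[i]) { live[i] = false; --count; }
}

// Sweep: rebuild the free list of every non-retired block by scanning each cell,
// then retire the blocks that came back "full enough". Returns cells scanned.
std::size_t sweep(MarkedAllocator& a) {
    std::size_t scanned = 0;
    for (MarkedBlock& b : a.blocks) {
        if (b.retired)
            continue;                              // retired blocks are not swept
        b.freeList.clear();
        for (std::size_t i = 0; i < b.live.size(); ++i) {
            ++scanned;
            if (!b.live[i])
                b.freeList.push_back(i);
        }
        if (b.freeList.size() < a.retireThreshold)
            b.retired = true;                      // analogue of didRetireBlockWithFreeListSize
    }
    return scanned;
}

// FullCollection un-retires every block so its dead cells can be reclaimed again.
void fullCollection(MarkedAllocator& a) {
    for (MarkedBlock& b : a.blocks)
        b.retired = false;
}

std::size_t freeCells(const MarkedAllocator& a) {
    std::size_t total = 0;
    for (const MarkedBlock& b : a.blocks)
        total += b.freeList.size();
    return total;
}

std::size_t retiredBlocks(const MarkedAllocator& a) {
    std::size_t total = 0;
    for (const MarkedBlock& b : a.blocks)
        total += b.retired ? 1 : 0;
    return total;
}

// Scenario: 4 blocks of 64 cells; block 0 is half empty, blocks 1-3 nearly full.
struct SweepTrace {
    std::size_t firstSweep, retiredAfterFirst, secondSweep, afterFull, freeAfterFull;
};

SweepTrace runScenario() {
    MarkedAllocator a = makeAllocator(4, 64, 8);
    killCells(a, 0, 32);
    for (std::size_t b = 1; b < 4; ++b) killCells(a, b, 2);
    SweepTrace t{};
    t.firstSweep = sweep(a);                 // 256: every block scanned
    t.retiredAfterFirst = retiredBlocks(a);  // 3: blocks 1-3 had only 2 free cells
    for (std::size_t b = 0; b < 4; ++b) killCells(a, b, 2);
    t.secondSweep = sweep(a);                // 64: only block 0 is swept
    fullCollection(a);
    t.afterFull = sweep(a);                  // 256: everything swept again
    t.freeAfterFull = freeCells(a);          // 34 + 3 * 4 = 46
    return t;
}
```

`runScenario()` makes the trade-off visible: the second sweep touches 64 cells instead of 256, at the cost of the two cells that die in each retired block after it was retired staying unreclaimed until the full collection, after which the free count catches up at 46.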

2014-03-11  Andreas Kling  <akling@apple.com>

        Streamline PropertyTable for lookup-only access.
        <https://webkit.org/b/130060>

        The PropertyTable lookup algorithm was written to support both read
        and write access. This wasn't actually needed in most places.

        This change adds a PropertyTable::get() that just returns the value
        type (instead of an insertion iterator.) It also adds an early return
        for empty tables.

        Finally, up the minimum table capacity from 8 to 16. It was lowered
        to 8 in order to save memory, but that was before PropertyTables were
        GC allocated. Nowadays we don't have nearly as many tables, since all
        the unpinned transitions die off.

        Reviewed by Darin Adler.

        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::get):
        * runtime/Structure.cpp:
        (JSC::Structure::despecifyDictionaryFunction):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::get):
        (JSC::Structure::despecifyFunction):
        * runtime/StructureInlines.h:
        (JSC::Structure::get):

2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        REGRESSION(r165407): DoYouEvenBench crashes in DRT
        https://bugs.webkit.org/show_bug.cgi?id=130066

        Reviewed by Geoffrey Garen.

        The baseline JIT does a conditional store barrier for the put_by_id, but we need
        an unconditional store barrier so that we cover the butterfly case as well in emitPutTransitionStub.

        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitWriteBarrier):

2014-03-10  Mark Lam  <mark.lam@apple.com>

        Resurrect bit-rotted JIT::probe() mechanism.
        <https://webkit.org/b/130067>

        Reviewed by Geoffrey Garen.

        * jit/JITStubs.cpp:
        - Added the needed #include <wtf/InlineASM.h>.

2014-03-10  Joseph Pecoraro  <pecoraro@apple.com>

        Fix typo in EXCLUDED_SOURCE_FILE_NAMES_iphoneos.

        Rubber-stamped by Dan Bernstein.

        * Configurations/JavaScriptCore.xcconfig:

2014-03-10  Mark Lam  <mark.lam@apple.com>

        r165414 broke the 32-bit x86 tests: ASSERTION FAILED: result != InvalidIndex @ GPRInfo.h:330.
        <https://webkit.org/b/130065>

        Reviewed by Michael Saboff.

        There is code in ScratchRegisterAllocator.cpp that is relying on GPRInfo::toIndex()
        being able to return InvalidIndex.  Hence, the assertion is invalid.  Ditto for
        FPRInfo::toIndex().

        The fix is to remove the "result != InvalidIndex" assertions.

        * jit/FPRInfo.h:
        (JSC::FPRInfo::toIndex):
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toIndex):

2014-03-10  Mark Lam  <mark.lam@apple.com>

        Crash on a stack overflow on 32-bit x86 in http/tests/websocket/tests/hybi/workers/no-onmessage-in-sync-op.html.
        <https://webkit.org/b/129955>

        Reviewed by Geoffrey Garen.

        The 32-bit x86 version of getHostCallReturnValue() was leaking 16 bytes of
        stack memory every time it was called.  This is now fixed.

        * jit/JITOperations.cpp:

2014-03-10  Joseph Pecoraro  <pecoraro@apple.com>

        Better JSContext API for named evaluations (other than //# sourceURL)
        https://bugs.webkit.org/show_bug.cgi?id=129911

        Reviewed by Geoffrey Garen.

        * API/JSBase.h:
        * API/JSContext.h:
        * API/JSContext.mm:
        (-[JSContext evaluateScript:]):
        (-[JSContext evaluateScript:withSourceURL:]):
        Add new evaluateScript:withSourceURL:.

        * API/tests/testapi.c:
        (main):
        * API/tests/testapi.mm:
        (testObjectiveCAPI):
        Add tests for sourceURL in evaluate APIs. It should
        affect the exception objects.

2014-03-10  Filip Pizlo  <fpizlo@apple.com>

        Repatch should save and restore all used registers - not just temp ones - when making a call
        https://bugs.webkit.org/show_bug.cgi?id=130041

        Reviewed by Geoffrey Garen and Mark Hahnenberg.

        The save/restore code was written back when the only client was the DFG, which only uses a
        subset of hardware registers: the "temp" registers in our lingo. But the FTL may use many
        other registers, especially on ARM64. The fact that Repatch doesn't know to save those can
        lead to data corruption on ARM64.

        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::calleeSaveRegisters):
        (JSC::RegisterSet::numberOfSetGPRs):
        (JSC::RegisterSet::numberOfSetFPRs):
        * jit/RegisterSet.h:
        * jit/Repatch.cpp:
        (JSC::storeToWriteBarrierBuffer):
        (JSC::emitPutTransitionStub):
        * jit/ScratchRegisterAllocator.cpp:
        (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
        (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
        (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
        (JSC::ScratchRegisterAllocator::usedRegistersForCall):
        (JSC::ScratchRegisterAllocator::desiredScratchBufferSizeForCall):
        (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
        (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
        * jit/ScratchRegisterAllocator.h:

2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove ConditionalStore barrier
        https://bugs.webkit.org/show_bug.cgi?id=130040

        Reviewed by Geoffrey Garen.

        ConditionalStoreBarrier was created when barriers were much more expensive. Now that
        they're cheap(er), we can get rid of them. This also allows us to get rid of the write
        barrier logic in emitPutTransitionStub because we always will have executed a write barrier
        on the base object in the case where we are allocating and storing a new Butterfly into it.
        Previously, a ConditionalStoreBarrier might or might not have barrier-ed the base object,
        so we'd have to emit a write barrier in the transition case.

        This is performance neutral on the benchmarks we track.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::insertStoreBarrier):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isStoreBarrier):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        * jit/Repatch.cpp:
        (JSC::emitPutTransitionStub):

2014-03-10  Filip Pizlo  <fpizlo@apple.com>

        DFG and FTL should know that comparing anything to Misc is cheap and easy
        https://bugs.webkit.org/show_bug.cgi?id=130001

        Reviewed by Geoffrey Garen.

        - Expand CompareStrictEq(Misc:, Misc:) to work for cases where either side of the
          comparison is just Untyped:.

        - This obviates the need for CompareStrictEqConstant, so remove it.

        - FTL had a thing called "Nully" which is really "Other". Rename it and add
          OtherUse.

        9% speed-up on box2d.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isBinaryUseKind):
        (JSC::DFG::Node::shouldSpeculateOther):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
746         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
747         (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
748         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
749         (JSC::FTL::LowerDFGToLLVM::isNotOther):
750         (JSC::FTL::LowerDFGToLLVM::isOther):
751         (JSC::FTL::LowerDFGToLLVM::speculate):
752         (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
753         (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
754         (JSC::FTL::LowerDFGToLLVM::speculateOther):
755         (JSC::FTL::LowerDFGToLLVM::speculateMisc):
756         * tests/stress/compare-strict-eq-integer-to-misc.js: Added.
757
758 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
759
760         Unreviewed, remove unintended change.
761
762         * dfg/DFGDriver.cpp:
763         (JSC::DFG::compileImpl):
764
765 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
766
767         jsc commandline shouldn't have a "console" because that confuses some tests into thinking
768         that they're running in the browser.
769
770         Rubber stamped by Mark Hahnenberg.
771
772         * jsc.cpp:
773         (GlobalObject::finishCreation):
774
775 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
776
777         Out-line ScratchRegisterAllocator
778
779         Rubber stamped by Mark Hahnenberg.
780
781         * CMakeLists.txt:
782         * GNUmakefile.list.am:
783         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
784         * JavaScriptCore.xcodeproj/project.pbxproj:
785         * dfg/DFGDriver.cpp:
786         (JSC::DFG::compileImpl):
787         * jit/ScratchRegisterAllocator.cpp: Added.
788         (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
789         (JSC::ScratchRegisterAllocator::~ScratchRegisterAllocator):
790         (JSC::ScratchRegisterAllocator::lock):
791         (JSC::ScratchRegisterAllocator::allocateScratch):
792         (JSC::ScratchRegisterAllocator::allocateScratchGPR):
793         (JSC::ScratchRegisterAllocator::allocateScratchFPR):
794         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
795         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
796         (JSC::ScratchRegisterAllocator::desiredScratchBufferSize):
797         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
798         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
799         * jit/ScratchRegisterAllocator.h:
800
801 2014-03-10  Brent Fulgham  <bfulgham@apple.com>
802
803         [Win] Pass environment to Pre-Build, Pre-link, and Post-Build Stages.
804         https://bugs.webkit.org/show_bug.cgi?id=130023
805
806         Reviewed by Dean Jackson.
807
808         * JavaScriptCore.vcxproj/JavaScriptCore.proj: Avoid trailing backslashes in
809         path names to avoid accidental escaping of later string substitutions.
810
811 2014-03-10  Andreas Kling  <akling@apple.com>
812
813         [X86_64] Smaller code for testb_i8r when register is accumulator.
814         <https://webkit.org/b/130026>
815
816         Generate the shorthand version of "test al, imm" when possible.
817
818         Reviewed by Michael Saboff.
819
820         * assembler/X86Assembler.h:
821         (JSC::X86Assembler::testb_i8r):
822
823 2014-03-10  Andreas Kling  <akling@apple.com>
824
825         [X86_64] Smaller code for sub_ir when register is accumulator.
826         <https://webkit.org/b/130025>
827
828         Generate the shorthand version of "sub eax, imm" when possible.
829
830         Reviewed by Michael Saboff.
831
832         * assembler/X86Assembler.h:
833         (JSC::X86Assembler::subl_ir):
834         (JSC::X86Assembler::subq_ir):
835
836 2014-03-10  Andreas Kling  <akling@apple.com>
837
838         [X86_64] Smaller code for add_ir when register is accumulator.
839         <https://webkit.org/b/130024>
840
841         Generate the shorthand version of "add eax, imm" when possible.
842
843         Reviewed by Michael Saboff.
844
845         * assembler/X86Assembler.h:
846         (JSC::X86Assembler::addl_ir):
847         (JSC::X86Assembler::addq_ir):
848
849 2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>
850
851         writeBarrier in emitPutReplaceStub is unnecessary
852         https://bugs.webkit.org/show_bug.cgi?id=130030
853
854         Reviewed by Filip Pizlo.
855
856         We already emit write barriers for each put-by-id when they're first compiled, so it's 
857         redundant to emit a write barrier as part of the repatched code.
858
859         * jit/Repatch.cpp:
860         (JSC::emitPutReplaceStub):
861
862 2014-03-10  Andreas Kling  <akling@apple.com>
863
864         [X86_64] Smaller code for xor_ir when register is accumulator.
865         <https://webkit.org/b/130008>
866
867         Generate the shorthand version of "xor eax, imm" when possible.
868
869         Reviewed by Benjamin Poulain.
870
871         * assembler/X86Assembler.h:
872         (JSC::X86Assembler::xorl_ir):
873         (JSC::X86Assembler::xorq_ir):
874
875 2014-03-10  Andreas Kling  <akling@apple.com>
876
877         [X86_64] Smaller code for or_ir when register is accumulator.
878         <https://webkit.org/b/130007>
879
880         Generate the shorthand version of "or eax, imm" when possible.
881
882         Reviewed by Benjamin Poulain.
883
884         * assembler/X86Assembler.h:
885         (JSC::X86Assembler::orl_ir):
886         (JSC::X86Assembler::orq_ir):
887
888 2014-03-10  Andreas Kling  <akling@apple.com>
889
890         [X86_64] Smaller code for test_ir when register is accumulator.
891         <https://webkit.org/b/130006>
892
893         Generate the shorthand version of "test eax, imm" when possible.
894
895         Reviewed by Benjamin Poulain.
896
897         * assembler/X86Assembler.h:
898         (JSC::X86Assembler::testl_i32r):
899         (JSC::X86Assembler::testq_i32r):
900
901 2014-03-10  Andreas Kling  <akling@apple.com>
902
903         [X86_64] Smaller code for cmp_ir when register is accumulator.
904         <https://webkit.org/b/130005>
905
906         Generate the shorthand version of "cmp eax, imm" when possible.
907
908         Reviewed by Benjamin Poulain.
909
910         * assembler/X86Assembler.h:
911         (JSC::X86Assembler::cmpl_ir):
912         (JSC::X86Assembler::cmpq_ir):
913
914 2014-03-10  Andreas Kling  <akling@apple.com>
915
916         [X86_64] Smaller code for store64(imm, address) when imm fits in 32 bits.
917         <https://webkit.org/b/130002>
918
919         Generate this:
920
921             mov [address], imm32
922
923         Instead of this:
924
925             mov scratchRegister, imm32
926             mov [address], scratchRegister
927
928         For store64(imm, address) where the 64-bit immediate can be passed as
929         a sign-extended 32-bit value.
930
931         Reviewed by Benjamin Poulain.
932
933         * assembler/MacroAssemblerX86_64.h:
934         (CAN_SIGN_EXTEND_32_64):
935         (JSC::MacroAssemblerX86_64::store64):
936
937 2014-03-10  Andreas Kling  <akling@apple.com>
938
939         [X86_64] Smaller code for xchg_rr when one register is accumulator.
940         <https://webkit.org/b/130004>
941
942         Generate the 1-byte version of "xchg eax, reg" when possible.
943
944         Reviewed by Benjamin Poulain.
945
946         * assembler/X86Assembler.h:
947         (JSC::X86Assembler::xchgl_rr):
948         (JSC::X86Assembler::xchgq_rr):
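
The accumulator shorthands and the sign-extended store64 form described in the X86_64 entries above, as an added C example that is not JavaScriptCore's own X86Assembler code; it also covers the imm8 form and REX prefixes for r8..r15 so the three encodings can be compared byte for byte. The register numbering, the choice of r11 as scratch register and the [base+disp32] addressing form are assumptions made to keep it standalone.

```c
#include <stdint.h>
#include <stddef.h>

enum { RAX = 0, RCX = 1, RDX = 2, RSP = 4, RDI = 7, R8 = 8, R11 = 11 }; /* example register numbers */
enum { GROUP1_ADD = 0, GROUP1_OR = 1, GROUP1_SUB = 5, GROUP1_XOR = 6, GROUP1_CMP = 7 }; /* 0x81/0x83 /digit */

/* One-byte "op eax, imm32" opcodes: the accumulator is implied by the opcode,
   so no ModRM byte is emitted. This is the shorthand the entries above describe. */
static const uint8_t kEaxImm32Opcode[8] = {
    [GROUP1_ADD] = 0x05, [GROUP1_OR] = 0x0D, [GROUP1_SUB] = 0x2D,
    [GROUP1_XOR] = 0x35, [GROUP1_CMP] = 0x3D,
};

/* Same predicates as JSC's CAN_SIGN_EXTEND_8_32 / CAN_SIGN_EXTEND_32_64. */
static int can_sign_extend_8_32(int32_t v)  { return v == (int32_t)(int8_t)v; }
static int can_sign_extend_32_64(int64_t v) { return v == (int64_t)(int32_t)v; }

/* Little-endian immediate of nbytes bytes; returns nbytes. */
static size_t put_le(uint8_t *out, uint64_t v, size_t nbytes)
{
    for (size_t i = 0; i < nbytes; i++) out[i] = (uint8_t)(v >> (8 * i));
    return nbytes;
}

/* REX prefix: W = 64-bit width, R/B extend the reg and r/m fields to r8..r15. */
static size_t put_rex(uint8_t *out, int w, int reg_field, int rm_field)
{
    uint8_t rex = 0x40 | (w ? 8 : 0) | ((reg_field >> 3) << 2) | ((rm_field >> 3) & 1);
    if (rex == 0x40)
        return 0;                                /* 32-bit op on rax..rdi: no prefix */
    out[0] = rex;
    return 1;
}

/* "add/or/sub/xor/cmp r, imm" (addl_ir .. cmpq_ir). Returns the encoded length. */
size_t encode_group1_ir(uint8_t *out, int digit, int32_t imm, int reg, int is64)
{
    size_t n = put_rex(out, is64, 0, reg);
    if (can_sign_extend_8_32(imm)) {
        /* 0x83 /digit ib is already the shortest form when imm fits in 8 bits. */
        out[n++] = 0x83;
        out[n++] = 0xC0 | (digit << 3) | (reg & 7);
        out[n++] = (uint8_t)imm;
    } else if (reg == RAX) {
        /* Accumulator shorthand: opcode + imm32, one byte shorter than 0x81 /digit. */
        out[n++] = kEaxImm32Opcode[digit];
        n += put_le(out + n, (uint32_t)imm, 4);
    } else {
        out[n++] = 0x81;
        out[n++] = 0xC0 | (digit << 3) | (reg & 7);
        n += put_le(out + n, (uint32_t)imm, 4);
    }
    return n;
}

/* "test r, imm32" (testl_i32r / testq_i32r). TEST has no imm8 form for 32/64-bit
   registers, so the accumulator opcode 0xA9 is the only shorter encoding. */
size_t encode_test_i32r(uint8_t *out, int32_t imm, int reg, int is64)
{
    size_t n = put_rex(out, is64, 0, reg);
    if (reg == RAX) {
        out[n++] = 0xA9;
    } else {
        out[n++] = 0xF7;                         /* GROUP3 /0 = TEST */
        out[n++] = 0xC0 | (reg & 7);
    }
    n += put_le(out + n, (uint32_t)imm, 4);
    return n;
}

/* store64(imm, [base + disp32]): a single "mov qword [mem], imm32" when the
   immediate sign-extends from 32 bits, otherwise "movabs r11, imm64" followed by
   "mov [mem], r11" (r11 assumed as the scratch register). Bases that need a SIB
   byte (rsp, r12) are refused with a 0 return to keep the example short. */
size_t encode_store64_imm(uint8_t *out, int64_t imm, int base, int32_t disp)
{
    size_t n = 0;
    if ((base & 7) == RSP)
        return 0;
    if (can_sign_extend_32_64(imm)) {
        n += put_rex(out + n, 1, 0, base);
        out[n++] = 0xC7;                         /* MOV r/m64, imm32 (sign-extended) */
        out[n++] = 0x80 | (base & 7);            /* mod=10, reg=/0: [base + disp32] */
        n += put_le(out + n, (uint32_t)disp, 4);
        n += put_le(out + n, (uint32_t)imm, 4);
        return n;
    }
    n += put_rex(out + n, 1, 0, R11);
    out[n++] = 0xB8 | (R11 & 7);                 /* MOVABS r11, imm64 */
    n += put_le(out + n, (uint64_t)imm, 8);
    n += put_rex(out + n, 1, R11, base);
    out[n++] = 0x89;                             /* MOV r/m64, r64 */
    out[n++] = 0x80 | ((R11 & 7) << 3) | (base & 7);
    n += put_le(out + n, (uint32_t)disp, 4);
    return n;
}
```

For `cmp eax, 0x12345678` the encoder yields 5 bytes (3D 78 56 34 12) against 6 for any other register, and a store64 of a value that does not sign-extend costs 17 bytes instead of 11.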
949
950 2014-03-09  Filip Pizlo  <fpizlo@apple.com>
951
952         GPRInfo::toIndex should return InvalidIndex for non-temp registers on ARM64
953         https://bugs.webkit.org/show_bug.cgi?id=129998
954
955         Reviewed by Geoffrey Garen.
956         
957         Not only is that the established contract, but this is used to signal to
958         ScratchRegisterAllocator that the register doesn't need locking since it isn't a register
959         that this allocator would use. In the FTL, we may have an inline cache where LLVM had used
960         some non-temp register (i.e. a register that JSC itself wouldn't have used). This is totally
961         fine but previously it would have led to either an assertion failure, or data corruption, in
962         the ScratchRegisterAllocator.
963
964         * jit/GPRInfo.h:
965         (JSC::GPRInfo::toIndex):
966
967 2014-03-09  Filip Pizlo  <fpizlo@apple.com>
968
969         FTL fails the new equals-masquerader strictEqualConstant test
970         https://bugs.webkit.org/show_bug.cgi?id=129996
971
972         Reviewed by Mark Lam.
973         
974         It turns out that the FTL was trying to do the masquerading stuff for ===null. But
975         that's wrong since none of the other engines do it. The DFG even had an ancient
976         FIXME about doing it - but that doesn't make sense since the LLInt and baseline JIT
977         don't do it and JSValue::strictEqual() doesn't do it.
978         
979         Remove the FIXME and remove the extra checks in the FTL.
980         
981         This is a glorious patch: nothing but red and it fixes a test failure.
982
983         * dfg/DFGSpeculativeJIT.cpp:
984         (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
985         * ftl/FTLLowerDFGToLLVM.cpp:
986         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
987
988 2014-03-09  Andreas Kling  <akling@apple.com>
989
990         Short-circuit JSGlobalObjectInspectorController when not inspecting.
991         <https://webkit.org/b/129995>
992
993         Add an early return in reportAPIException() when the console agent
994         is disabled. This avoids expensive symbolication during exceptions
995         if there's nobody expecting the fancy backtrace anyway.
996
997         ~2% progression on DYEB on my MBP.
998
999         Reviewed by Geoff Garen.
1000
1001         * inspector/JSGlobalObjectInspectorController.cpp:
1002         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
1003
1004 2014-03-09  Andreas Kling  <akling@apple.com>
1005
1006         Inline the trivial parts of GC deferral.
1007         <https://webkit.org/b/129984>
1008
1009         Made most of the functions called by the DeferGC RAII object inline
1010         to avoid function call overhead.
1011
1012         Looks like ~1% progression on DYEB.
1013
1014         Reviewed by Geoffrey Garen.
1015
1016         * heap/Heap.cpp:
1017         * heap/Heap.h:
1018         (JSC::Heap::incrementDeferralDepth):
1019         (JSC::Heap::decrementDeferralDepth):
1020         (JSC::Heap::collectIfNecessaryOrDefer):
1021         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
1022
1023 2014-03-08  Mark Lam  <mark.lam@apple.com>
1024
1025         32-bit x86 handleUncaughtException returns to wrong location after a stack overflow.
1026         <https://webkit.org/b/129969>
1027
1028         Reviewed by Geoffrey Garen.
1029
1030         The 32-bit version of handleUncaughtException was missing the handling of an
1031         edge case for stack overflows where the current frame may already be the
1032         sentinel frame.  This edge case was handled in the 64-bit version.  The fix
1033         is to bring the 32-bit version up to parity.
1034
1035         * jit/JIT.cpp:
1036         (JSC::JIT::privateCompile):
1037         * llint/LowLevelInterpreter32_64.asm:
1038
1039 2014-03-07  Mark Lam  <mark.lam@apple.com>
1040
1041         Fix bugs in 32-bit Structure implementation.
1042         <https://webkit.org/b/129947>
1043
1044         Reviewed by Mark Hahnenberg.
1045
1046         Added the loading of the Structure (from the JSCell) before use that was
1047         missing in a few places.  Also added more test cases to equals-masquerader.js.
1048
1049         * dfg/DFGSpeculativeJIT32_64.cpp:
1050         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
1051         (JSC::DFG::SpeculativeJIT::compile):
1052         * dfg/DFGSpeculativeJIT64.cpp:
1053         (JSC::DFG::SpeculativeJIT::compile):
1054         * llint/LowLevelInterpreter32_64.asm:
1055         * tests/stress/equals-masquerader.js:
1056         (equalsNull):
1057         (notEqualsNull):
1058         (strictEqualsNull):
1059         (strictNotEqualsNull):
1060         (equalsUndefined):
1061         (notEqualsUndefined):
1062         (strictEqualsUndefined):
1063         (strictNotEqualsUndefined):
1064         (isFalsey):
1065         (test):
1066
1067 2014-03-07  Andrew Trick  <atrick@apple.com>
1068
1069         Temporarily disable repeat-out-of-bounds stress tests pending fix for 129953.
1070         https://bugs.webkit.org/show_bug.cgi?id=129954
1071
1072         Reviewed by Filip Pizlo.
1073
1074         * tests/stress/float32-repeat-out-of-bounds.js:
1075         * tests/stress/int8-repeat-out-of-bounds.js:
1076
1077 2014-03-07  Michael Saboff  <msaboff@apple.com>
1078
1079         .cfi directives in LowLevelInterpreter.cpp are providing no benefit
1080         https://bugs.webkit.org/show_bug.cgi?id=129945
1081
1082         Reviewed by Mark Lam.
1083
1084         Removed .cfi directive.  Verified that stack traces didn't regress in crash reporter
1085         or in lldb.
1086
1087         * llint/LowLevelInterpreter.cpp:
1088
1089 2014-03-07  Oliver Hunt  <oliver@apple.com>
1090
1091         Continue hangs when performing for-of over arguments
1092         https://bugs.webkit.org/show_bug.cgi?id=129915
1093
1094         Reviewed by Geoffrey Garen.
1095
1096         Put the continue label in the right place.
1097
1098         * bytecompiler/BytecodeGenerator.cpp:
1099         (JSC::BytecodeGenerator::emitEnumeration):
1100
1101 2014-03-07  peavo@outlook.com  <peavo@outlook.com>
1102
1103         [Win64] Compile error after r165128.
1104         https://bugs.webkit.org/show_bug.cgi?id=129807
1105
1106         Reviewed by Mark Lam.
1107
1108         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: 
1109         Check platform environment variable to determine if an assembler file should be generated.
1110
1111 2014-03-07  Michael Saboff  <msaboff@apple.com>
1112
1113         Clarify how we deal with "special" registers
1114         https://bugs.webkit.org/show_bug.cgi?id=129806
1115
1116         Already reviewed change being relanded.
1117
1118         Relanding change set r165196 as it wasn't responsible for the breakage reported in
1119         https://bugs.webkit.org/show_bug.cgi?id=129822.  That appears to be a build or
1120         configuration issue.
1121
1122         Reviewed by Michael Saboff.
1123
1124         * assembler/ARM64Assembler.h:
1125         (JSC::ARM64Assembler::lastRegister):
1126         * assembler/MacroAssembler.h:
1127         (JSC::MacroAssembler::nextRegister):
1128         * ftl/FTLLocation.cpp:
1129         (JSC::FTL::Location::restoreInto):
1130         * ftl/FTLSaveRestore.cpp:
1131         (JSC::FTL::saveAllRegisters):
1132         (JSC::FTL::restoreAllRegisters):
1133         * ftl/FTLSlowPathCall.cpp:
1134         * jit/RegisterSet.cpp:
1135         (JSC::RegisterSet::reservedHardwareRegisters):
1136         (JSC::RegisterSet::runtimeRegisters):
1137         (JSC::RegisterSet::specialRegisters):
1138         (JSC::RegisterSet::calleeSaveRegisters):
1139         * jit/RegisterSet.h:
1140
1141 2014-03-07  Mark Hahnenberg  <mhahnenberg@apple.com>
1142
1143         Move GCActivityCallback to heap
1144         https://bugs.webkit.org/show_bug.cgi?id=129457
1145
1146         Reviewed by Geoffrey Garen.
1147
1148         All the other GC timer related stuff is there already.
1149
1150         * CMakeLists.txt:
1151         * GNUmakefile.list.am:
1152         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1153         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1154         * JavaScriptCore.xcodeproj/project.pbxproj:
1155         * heap/GCActivityCallback.cpp: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.cpp.
1156         * heap/GCActivityCallback.h: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.h.
1157         * runtime/GCActivityCallback.cpp: Removed.
1158         * runtime/GCActivityCallback.h: Removed.
1159
1160 2014-03-07  Andrew Trick  <atrick@apple.com>
1161
1162         Correct a comment typo from:
1163         FLT should call fmod directly on platforms where LLVM cannot relocate the libcall
1164         https://bugs.webkit.org/show_bug.cgi?id=129865
1165
1166         Reviewed by Mark Lam.
1167
1168         * ftl/FTLOutput.h:
1169         (JSC::FTL::Output::doubleRem):
1170
1171 2014-03-07  Mark Hahnenberg  <mhahnenberg@apple.com>
1172
1173         Use OwnPtr in StructureIDTable
1174         https://bugs.webkit.org/show_bug.cgi?id=129828
1175
1176         Reviewed by Geoffrey Garen.
1177
1178         This reduces the amount of boilerplate and fixes a memory leak.
1179
1180         * runtime/StructureIDTable.cpp:
1181         (JSC::StructureIDTable::StructureIDTable):
1182         (JSC::StructureIDTable::resize):
1183         (JSC::StructureIDTable::flushOldTables):
1184         (JSC::StructureIDTable::allocateID):
1185         (JSC::StructureIDTable::deallocateID):
1186         * runtime/StructureIDTable.h:
1187         (JSC::StructureIDTable::table):
1188         (JSC::StructureIDTable::get):
1189
1190 2014-03-07  Andrew Trick  <atrick@apple.com>
1191
1192         FLT should call fmod directly on platforms where LLVM cannot relocate the libcall
1193         https://bugs.webkit.org/show_bug.cgi?id=129865
1194
1195         Reviewed by Filip Pizlo.
1196
1197         * ftl/FTLIntrinsicRepository.h:
1198         * ftl/FTLOutput.h:
1199         (JSC::FTL::Output::doubleRem):
1200
1201 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
1202
1203         If the FTL is build-time enabled then it should be run-time enabled.
1204
1205         Rubber stamped by Geoffrey Garen.
1206
1207         * runtime/Options.cpp:
1208         (JSC::recomputeDependentOptions):
1209         * runtime/Options.h:
1210
1211 2014-03-06  Joseph Pecoraro  <pecoraro@apple.com>
1212
1213         [OS X] Web Inspector: Allow Apps using JavaScriptCore to access "com.apple.webinspector" mach port
1214         https://bugs.webkit.org/show_bug.cgi?id=129852
1215
1216         Reviewed by Geoffrey Garen.
1217
1218         * framework.sb: Added.
1219         Sandbox extension to allow access to "com.apple.webinspector".
1220
1221         * JavaScriptCore.xcodeproj/project.pbxproj:
1222         Add a Copy Resources build phase and include framework.sb.
1223
1224         * Configurations/JavaScriptCore.xcconfig:
1225         Do not copy framework.sb on iOS.
1226
1227 2014-03-06  Mark Hahnenberg  <mhahnenberg@apple.com>
1228
1229         JSGlobalContextRelease incorrectly handles saving/restoring IdentifierTable
1230         https://bugs.webkit.org/show_bug.cgi?id=129858
1231
1232         Reviewed by Mark Lam.
1233
1234         It was correct (but really ugly) prior to the combining of APIEntryShim and JSLock, 
1235         but now it ends up overwriting the IdentifierTable that JSLock just restored.
1236
1237         * API/JSContextRef.cpp:
1238         (JSGlobalContextRelease):
1239
1240 2014-03-06  Oliver Hunt  <oliver@apple.com>
1241
1242         Fix FTL build.
1243
1244         * dfg/DFGConstantFoldingPhase.cpp:
1245         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1246
1247 2014-03-06  Brent Fulgham  <bfulgham@apple.com>
1248
1249         Unreviewed build fix after r165128.
1250
1251         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: The SEH flag was not getting set when
1252         performing 'Production' and 'DebugSuffix' type builds.
1253
1254 2014-03-06  Julien Brianceau  <jbriance@cisco.com>
1255
1256         Unreviewed, fix style in my previous commit.
1257         https://bugs.webkit.org/show_bug.cgi?id=129833
1258
1259         * runtime/JSConsole.cpp:
1260
1261 2014-03-06  Julien Brianceau  <jbriance@cisco.com>
1262
1263         Build fix: add missing include in JSConsole.cpp.
1264         https://bugs.webkit.org/show_bug.cgi?id=129833
1265
1266         Reviewed by Oliver Hunt.
1267
1268         * runtime/JSConsole.cpp:
1269
1270 2014-03-06  Oliver Hunt  <oliver@apple.com>
1271
1272         Fix ARMv7
1273
1274         * jit/CCallHelpers.h:
1275         (JSC::CCallHelpers::setupArgumentsWithExecState):
1276
1277 2014-03-06  Commit Queue  <commit-queue@webkit.org>
1278
1279         Unreviewed, rolling out r165196.
1280         http://trac.webkit.org/changeset/165196
1281         https://bugs.webkit.org/show_bug.cgi?id=129822
1282
1283         broke arm64 on hardware (Requested by bfulgham on #webkit).
1284
1285         * assembler/ARM64Assembler.h:
1286         (JSC::ARM64Assembler::lastRegister):
1287         * assembler/MacroAssembler.h:
1288         (JSC::MacroAssembler::isStackRelated):
1289         (JSC::MacroAssembler::firstRealRegister):
1290         (JSC::MacroAssembler::nextRegister):
1291         (JSC::MacroAssembler::secondRealRegister):
1292         * ftl/FTLLocation.cpp:
1293         (JSC::FTL::Location::restoreInto):
1294         * ftl/FTLSaveRestore.cpp:
1295         (JSC::FTL::saveAllRegisters):
1296         (JSC::FTL::restoreAllRegisters):
1297         * ftl/FTLSlowPathCall.cpp:
1298         * jit/RegisterSet.cpp:
1299         (JSC::RegisterSet::specialRegisters):
1300         (JSC::RegisterSet::calleeSaveRegisters):
1301         * jit/RegisterSet.h:
1302
1303 2014-03-06  Mark Lam  <mark.lam@apple.com>
1304
1305         REGRESSION(r165205): broke the CLOOP build (Requested by smfr on #webkit).
1306         <https://webkit.org/b/129813>
1307
1308         Reviewed by Michael Saboff.
1309
1310         Fixed broken C loop LLINT build.
1311
1312         * llint/LowLevelInterpreter.cpp:
1313         (JSC::CLoop::execute):
1314         * offlineasm/cloop.rb:
1315
1316 2014-03-03  Oliver Hunt  <oliver@apple.com>
1317
1318         Support caching of custom setters
1319         https://bugs.webkit.org/show_bug.cgi?id=129519
1320
1321         Reviewed by Filip Pizlo.
1322
1323         This patch adds caching of assignment to properties that
1324         are backed by C functions. This provides most of the leg
1325         work required to start supporting setters, and resolves
1326         the remaining regressions from moving DOM properties up
1327         the prototype chain.
1328
1329         * JavaScriptCore.xcodeproj/project.pbxproj:
1330         * bytecode/PolymorphicPutByIdList.cpp:
1331         (JSC::PutByIdAccess::visitWeak):
1332         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
1333         (JSC::PolymorphicPutByIdList::from):
1334         * bytecode/PolymorphicPutByIdList.h:
1335         (JSC::PutByIdAccess::transition):
1336         (JSC::PutByIdAccess::replace):
1337         (JSC::PutByIdAccess::customSetter):
1338         (JSC::PutByIdAccess::isCustom):
1339         (JSC::PutByIdAccess::oldStructure):
1340         (JSC::PutByIdAccess::chain):
1341         (JSC::PutByIdAccess::stubRoutine):
1342         * bytecode/PutByIdStatus.cpp:
1343         (JSC::PutByIdStatus::computeForStubInfo):
1344         (JSC::PutByIdStatus::computeFor):
1345         (JSC::PutByIdStatus::dump):
1346         * bytecode/PutByIdStatus.h:
1347         (JSC::PutByIdStatus::PutByIdStatus):
1348         (JSC::PutByIdStatus::takesSlowPath):
1349         (JSC::PutByIdStatus::makesCalls):
1350         * bytecode/StructureStubInfo.h:
1351         * dfg/DFGAbstractInterpreterInlines.h:
1352         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1353         * dfg/DFGByteCodeParser.cpp:
1354         (JSC::DFG::ByteCodeParser::emitPutById):
1355         (JSC::DFG::ByteCodeParser::handlePutById):
1356         * dfg/DFGClobberize.h:
1357         (JSC::DFG::clobberize):
1358         * dfg/DFGCommon.h:
1359         * dfg/DFGConstantFoldingPhase.cpp:
1360         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1361         * dfg/DFGFixupPhase.cpp:
1362         (JSC::DFG::FixupPhase::fixupNode):
1363         * dfg/DFGNode.h:
1364         (JSC::DFG::Node::hasIdentifier):
1365         * dfg/DFGNodeType.h:
1366         * dfg/DFGPredictionPropagationPhase.cpp:
1367         (JSC::DFG::PredictionPropagationPhase::propagate):
1368         * dfg/DFGSafeToExecute.h:
1369         (JSC::DFG::safeToExecute):
1370         * dfg/DFGSpeculativeJIT.cpp:
1371         (JSC::DFG::SpeculativeJIT::compileIn):
1372         * dfg/DFGSpeculativeJIT.h:
1373         * dfg/DFGSpeculativeJIT32_64.cpp:
1374         (JSC::DFG::SpeculativeJIT::cachedGetById):
1375         (JSC::DFG::SpeculativeJIT::cachedPutById):
1376         (JSC::DFG::SpeculativeJIT::compile):
1377         * dfg/DFGSpeculativeJIT64.cpp:
1378         (JSC::DFG::SpeculativeJIT::cachedGetById):
1379         (JSC::DFG::SpeculativeJIT::cachedPutById):
1380         (JSC::DFG::SpeculativeJIT::compile):
1381         * jit/CCallHelpers.h:
1382         (JSC::CCallHelpers::setupArgumentsWithExecState):
1383         * jit/JITInlineCacheGenerator.cpp:
1384         (JSC::JITByIdGenerator::JITByIdGenerator):
1385         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1386         * jit/JITInlineCacheGenerator.h:
1387         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1388         * jit/JITOperations.cpp:
1389         * jit/JITOperations.h:
1390         * jit/JITPropertyAccess.cpp:
1391         (JSC::JIT::emit_op_get_by_id):
1392         (JSC::JIT::emit_op_put_by_id):
1393         * jit/JITPropertyAccess32_64.cpp:
1394         (JSC::JIT::emit_op_get_by_id):
1395         (JSC::JIT::emit_op_put_by_id):
1396         * jit/Repatch.cpp:
1397         (JSC::tryCacheGetByID):
1398         (JSC::tryBuildGetByIDList):
1399         (JSC::emitCustomSetterStub):
1400         (JSC::tryCachePutByID):
1401         (JSC::tryBuildPutByIdList):
1402         * jit/SpillRegistersMode.h: Added.
1403         * llint/LLIntSlowPaths.cpp:
1404         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1405         * runtime/Lookup.h:
1406         (JSC::putEntry):
1407         * runtime/PutPropertySlot.h:
1408         (JSC::PutPropertySlot::setCacheableCustomProperty):
1409         (JSC::PutPropertySlot::customSetter):
1410         (JSC::PutPropertySlot::isCacheablePut):
1411         (JSC::PutPropertySlot::isCacheableCustomProperty):
1412         (JSC::PutPropertySlot::cachedOffset):
1413
1414 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
1415
1416         FTL arity fixup should work on ARM64
1417         https://bugs.webkit.org/show_bug.cgi?id=129810
1418
1419         Reviewed by Michael Saboff.
1420         
1421         - Using regT5 to pass the thunk return address to arityFixup is shady since that's a
1422           callee-save.
1423         
1424         - The FTL path was assuming X86 conventions for where SP points at the top of the prologue.
1425         
1426         This makes some more tests pass.
1427
1428         * dfg/DFGJITCompiler.cpp:
1429         (JSC::DFG::JITCompiler::compileFunction):
1430         * ftl/FTLLink.cpp:
1431         (JSC::FTL::link):
1432         * jit/AssemblyHelpers.h:
1433         (JSC::AssemblyHelpers::prologueStackPointerDelta):
1434         * jit/JIT.cpp:
1435         (JSC::JIT::privateCompile):
1436         * jit/ThunkGenerators.cpp:
1437         (JSC::arityFixup):
1438         * llint/LowLevelInterpreter64.asm:
1439         * offlineasm/arm64.rb:
1440         * offlineasm/x86.rb: In addition to the t7 change, make t6 agree with GPRInfo.h.
1441
1442 2014-03-06  Mark Hahnenberg  <mhahnenberg@apple.com>
1443
1444         Fix write barriers in Repatch.cpp for !ENABLE(DFG_JIT) platforms after r165128
1445         https://bugs.webkit.org/show_bug.cgi?id=129760
1446
1447         Reviewed by Geoffrey Garen.
1448
1449         r165128 disabled the write barrier fast path for inline caches on !ENABLE(DFG_JIT) platforms. 
1450         The fix is to refactor the write barrier code into AssemblyHelpers and use that everywhere.
1451
1452         * dfg/DFGSpeculativeJIT.cpp:
1453         (JSC::DFG::SpeculativeJIT::writeBarrier):
1454         * dfg/DFGSpeculativeJIT.h:
1455         * dfg/DFGSpeculativeJIT32_64.cpp:
1456         (JSC::DFG::SpeculativeJIT::writeBarrier):
1457         * dfg/DFGSpeculativeJIT64.cpp:
1458         (JSC::DFG::SpeculativeJIT::writeBarrier):
1459         * jit/AssemblyHelpers.h:
1460         (JSC::AssemblyHelpers::checkMarkByte):
1461         * jit/JIT.h:
1462         * jit/JITPropertyAccess.cpp:
1463         * jit/Repatch.cpp:
1464         (JSC::writeBarrier):
1465
1466 2014-03-06  Joseph Pecoraro  <pecoraro@apple.com>
1467
1468         Web Inspector: Expose the console object in JSContexts to interact with Web Inspector
1469         https://bugs.webkit.org/show_bug.cgi?id=127944
1470
1471         Reviewed by Geoffrey Garen.
1472
1473         Always expose the Console object in JSContexts, just like we
1474         do for web pages. The default behavior will route to an
1475         attached JSContext inspector. This can be overridden by
1476         setting the ConsoleClient on the JSGlobalObject, which WebCore
1477         does to get slightly different behavior.
1478
1479         * CMakeLists.txt:
1480         * GNUmakefile.list.am:
1481         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1482         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1483         * JavaScriptCore.xcodeproj/project.pbxproj:
1484         Update build systems.
1485
1486         * API/tests/testapi.js:
1487         * API/tests/testapi.mm:
1488         Test that "console" exists in C and ObjC contexts.
1489
1490         * runtime/ConsoleClient.cpp: Added.
1491         (JSC::ConsoleClient::printURLAndPosition):
1492         (JSC::ConsoleClient::printMessagePrefix):
1493         (JSC::ConsoleClient::printConsoleMessage):
1494         (JSC::ConsoleClient::printConsoleMessageWithArguments):
1495         (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
1496         (JSC::ConsoleClient::logWithLevel):
1497         (JSC::ConsoleClient::clear):
1498         (JSC::ConsoleClient::dir):
1499         (JSC::ConsoleClient::dirXML):
1500         (JSC::ConsoleClient::table):
1501         (JSC::ConsoleClient::trace):
1502         (JSC::ConsoleClient::assertCondition):
1503         (JSC::ConsoleClient::group):
1504         (JSC::ConsoleClient::groupCollapsed):
1505         (JSC::ConsoleClient::groupEnd):
1506         * runtime/ConsoleClient.h: Added.
1507         (JSC::ConsoleClient::~ConsoleClient):
1508         New private interface for handling the console object's methods.
1509         A lot of the methods funnel through messageWithTypeAndLevel.
1510
1511         * runtime/ConsoleTypes.h: Renamed from Source/JavaScriptCore/inspector/ConsoleTypes.h.
1512         Moved to JSC namespace.
1513
1514         * runtime/JSGlobalObject.cpp:
1515         (JSC::JSGlobalObject::JSGlobalObject):
1516         (JSC::JSGlobalObject::init):
1517         (JSC::JSGlobalObject::reset):
1518         (JSC::JSGlobalObject::visitChildren):
1519         Create the "console" object when initializing the environment.
1520         Also set the default console client to be the JS context inspector.
1521
1522         * runtime/JSGlobalObject.h:
1523         (JSC::JSGlobalObject::setConsoleClient):
1524         (JSC::JSGlobalObject::consoleClient):
1525         Ability to change the console client, so WebCore can set a custom client.
1526
1527         * runtime/ConsolePrototype.cpp: Added.
1528         (JSC::ConsolePrototype::finishCreation):
1529         (JSC::valueToStringWithUndefinedOrNullCheck):
1530         (JSC::consoleLogWithLevel):
1531         (JSC::consoleProtoFuncDebug):
1532         (JSC::consoleProtoFuncError):
1533         (JSC::consoleProtoFuncLog):
1534         (JSC::consoleProtoFuncWarn):
1535         (JSC::consoleProtoFuncClear):
1536         (JSC::consoleProtoFuncDir):
1537         (JSC::consoleProtoFuncDirXML):
1538         (JSC::consoleProtoFuncTable):
1539         (JSC::consoleProtoFuncTrace):
1540         (JSC::consoleProtoFuncAssert):
1541         (JSC::consoleProtoFuncCount):
1542         (JSC::consoleProtoFuncProfile):
1543         (JSC::consoleProtoFuncProfileEnd):
1544         (JSC::consoleProtoFuncTime):
1545         (JSC::consoleProtoFuncTimeEnd):
1546         (JSC::consoleProtoFuncTimeStamp):
1547         (JSC::consoleProtoFuncGroup):
1548         (JSC::consoleProtoFuncGroupCollapsed):
1549         (JSC::consoleProtoFuncGroupEnd):
1550         * runtime/ConsolePrototype.h: Added.
1551         (JSC::ConsolePrototype::create):
1552         (JSC::ConsolePrototype::createStructure):
1553         (JSC::ConsolePrototype::ConsolePrototype):
1554         Define the console object interface. Parse out required / expected
1555         arguments and throw exceptions when methods are misused.
1556
1557         * runtime/JSConsole.cpp: Added.
1558         * runtime/JSConsole.h: Added.
1559         (JSC::JSConsole::createStructure):
1560         (JSC::JSConsole::create):
1561         (JSC::JSConsole::JSConsole):
1562         Empty "console" object. Everything is in the prototype.
1563
1564         * inspector/JSConsoleClient.cpp: Added.
1565         (Inspector::JSConsoleClient::JSGlobalObjectConsole):
1566         (Inspector::JSConsoleClient::count):
1567         (Inspector::JSConsoleClient::profile):
1568         (Inspector::JSConsoleClient::profileEnd):
1569         (Inspector::JSConsoleClient::time):
1570         (Inspector::JSConsoleClient::timeEnd):
1571         (Inspector::JSConsoleClient::timeStamp):
1572         (Inspector::JSConsoleClient::warnUnimplemented):
1573         (Inspector::JSConsoleClient::internalAddMessage):
1574         * inspector/JSConsoleClient.h: Added.
1575         * inspector/JSGlobalObjectInspectorController.cpp:
1576         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1577         (Inspector::JSGlobalObjectInspectorController::consoleClient):
1578         * inspector/JSGlobalObjectInspectorController.h:
1579         Default JSContext ConsoleClient implementation. Handle nearly
1580         everything except profile/profileEnd and timeStamp.
1581
1582 2014-03-06  Andreas Kling  <akling@apple.com>
1583
1584         Drop unlinked function code on memory pressure.
1585         <https://webkit.org/b/129789>
1586
1587         Make VM::discardAllCode() also drop UnlinkedFunctionCodeBlocks that
1588         are not currently being compiled.
1589
1590         4.5 MB progression on Membuster.
1591
1592         Reviewed by Geoffrey Garen.
1593
1594         * heap/Heap.cpp:
1595         (JSC::Heap::deleteAllUnlinkedFunctionCode):
1596         * heap/Heap.h:
1597         * runtime/VM.cpp:
1598         (JSC::VM::discardAllCode):
1599
1600 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
1601
1602         Clarify how we deal with "special" registers
1603         https://bugs.webkit.org/show_bug.cgi?id=129806
1604
1605         Reviewed by Michael Saboff.
1606         
1607         Previously we had two different places that defined what "stack" registers are, a thing
1608         called "specialRegisters" that had unclear meaning, and a really weird "firstRealRegister"/
1609         "secondRealRegister"/"nextRegister" idiom in MacroAssembler that appeared to only be used by
1610         one place and had a baked-in notion of what it meant for a register to be "real" or not.
1611         
1612         It's not cool to use words like "real" and "special" to describe registers, especially if you
1613         fail to qualify what that means. This originally made sense on X86 - "real" registers were
1614         the ones that weren't "stack related" (so "real" was the opposite of "stack"). But on ARM64,
1615         you also have to worry about the LR register, which we'd want to say is "not real" but it's
1616         also not a "stack" register. This got super confusing.
1617         
1618         So, this patch removes any mention of "real" registers, consolidates the knowledge of what is
1619         a "stack" register, and uses the word special only in places where it's clearly defined and
1620         where no better word comes to mind.
1621         
1622         This cleans up the code and fixes what seems like it was probably a harmless ARM64 bug: the
1623         Reg and RegisterSet data structures would sometimes think that FP was Q0. Somehow this
1624         magically didn't break anything because you never need to save/restore either FP or Q0, but
1625         it was still super weird.
1626
1627         * assembler/ARM64Assembler.h:
1628         (JSC::ARM64Assembler::lastRegister):
1629         * assembler/MacroAssembler.h:
1630         (JSC::MacroAssembler::nextRegister):
1631         * ftl/FTLLocation.cpp:
1632         (JSC::FTL::Location::restoreInto):
1633         * ftl/FTLSaveRestore.cpp:
1634         (JSC::FTL::saveAllRegisters):
1635         (JSC::FTL::restoreAllRegisters):
1636         * ftl/FTLSlowPathCall.cpp:
1637         * jit/RegisterSet.cpp:
1638         (JSC::RegisterSet::reservedHardwareRegisters):
1639         (JSC::RegisterSet::runtimeRegisters):
1640         (JSC::RegisterSet::specialRegisters):
1641         (JSC::RegisterSet::calleeSaveRegisters):
1642         * jit/RegisterSet.h:
1643
1644 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
1645
1646         Unreviewed, fix build.
1647
1648         * disassembler/ARM64Disassembler.cpp:
1649
1650 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
1651
1652         Use the LLVM disassembler on ARM64 if we are enabling the FTL
1653         https://bugs.webkit.org/show_bug.cgi?id=129785
1654
1655         Reviewed by Geoffrey Garen.
1656         
1657         Our disassembler can't handle some of the code sequences that LLVM emits. LLVM's disassembler
1658         is strictly more capable at this point. Use it if it's available.
1659
1660         * disassembler/ARM64Disassembler.cpp:
1661         (JSC::tryToDisassemble):
1662
1663 2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>
1664
1665         Web Inspector: Reduce RWI message frequency
1666         https://bugs.webkit.org/show_bug.cgi?id=129767
1667
1668         Reviewed by Timothy Hatcher.
1669
1670         This used to be 0.2s and changed by accident to 0.02s.
1671
1672         * inspector/remote/RemoteInspector.mm:
1673         (Inspector::RemoteInspector::pushListingSoon):
1674
1675 2014-03-05  Commit Queue  <commit-queue@webkit.org>
1676
1677         Unreviewed, rolling out r165141, r165157, and r165158.
1678         http://trac.webkit.org/changeset/165141
1679         http://trac.webkit.org/changeset/165157
1680         http://trac.webkit.org/changeset/165158
1681         https://bugs.webkit.org/show_bug.cgi?id=129772
1682
1683         "broke ftl" (Requested by olliej_ on #webkit).
1684
1685         * JavaScriptCore.xcodeproj/project.pbxproj:
1686         * bytecode/PolymorphicPutByIdList.cpp:
1687         (JSC::PutByIdAccess::visitWeak):
1688         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
1689         (JSC::PolymorphicPutByIdList::from):
1690         * bytecode/PolymorphicPutByIdList.h:
1691         (JSC::PutByIdAccess::transition):
1692         (JSC::PutByIdAccess::replace):
1693         (JSC::PutByIdAccess::oldStructure):
1694         (JSC::PutByIdAccess::chain):
1695         (JSC::PutByIdAccess::stubRoutine):
1696         * bytecode/PutByIdStatus.cpp:
1697         (JSC::PutByIdStatus::computeForStubInfo):
1698         (JSC::PutByIdStatus::computeFor):
1699         (JSC::PutByIdStatus::dump):
1700         * bytecode/PutByIdStatus.h:
1701         (JSC::PutByIdStatus::PutByIdStatus):
1702         (JSC::PutByIdStatus::takesSlowPath):
1703         * bytecode/StructureStubInfo.h:
1704         * dfg/DFGAbstractInterpreterInlines.h:
1705         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1706         * dfg/DFGByteCodeParser.cpp:
1707         (JSC::DFG::ByteCodeParser::emitPutById):
1708         (JSC::DFG::ByteCodeParser::handlePutById):
1709         * dfg/DFGClobberize.h:
1710         (JSC::DFG::clobberize):
1711         * dfg/DFGCommon.h:
1712         * dfg/DFGConstantFoldingPhase.cpp:
1713         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1714         * dfg/DFGFixupPhase.cpp:
1715         (JSC::DFG::FixupPhase::fixupNode):
1716         * dfg/DFGNode.h:
1717         (JSC::DFG::Node::hasIdentifier):
1718         * dfg/DFGNodeType.h:
1719         * dfg/DFGPredictionPropagationPhase.cpp:
1720         (JSC::DFG::PredictionPropagationPhase::propagate):
1721         * dfg/DFGSafeToExecute.h:
1722         (JSC::DFG::safeToExecute):
1723         * dfg/DFGSpeculativeJIT.cpp:
1724         (JSC::DFG::SpeculativeJIT::compileIn):
1725         * dfg/DFGSpeculativeJIT.h:
1726         * dfg/DFGSpeculativeJIT32_64.cpp:
1727         (JSC::DFG::SpeculativeJIT::cachedGetById):
1728         (JSC::DFG::SpeculativeJIT::cachedPutById):
1729         (JSC::DFG::SpeculativeJIT::compile):
1730         * dfg/DFGSpeculativeJIT64.cpp:
1731         (JSC::DFG::SpeculativeJIT::cachedGetById):
1732         (JSC::DFG::SpeculativeJIT::cachedPutById):
1733         (JSC::DFG::SpeculativeJIT::compile):
1734         * ftl/FTLCompile.cpp:
1735         (JSC::FTL::fixFunctionBasedOnStackMaps):
1736         * jit/CCallHelpers.h:
1737         (JSC::CCallHelpers::setupArgumentsWithExecState):
1738         * jit/JITInlineCacheGenerator.cpp:
1739         (JSC::JITByIdGenerator::JITByIdGenerator):
1740         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1741         * jit/JITInlineCacheGenerator.h:
1742         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1743         * jit/JITOperations.cpp:
1744         * jit/JITOperations.h:
1745         * jit/JITPropertyAccess.cpp:
1746         (JSC::JIT::emit_op_get_by_id):
1747         (JSC::JIT::emit_op_put_by_id):
1748         * jit/JITPropertyAccess32_64.cpp:
1749         (JSC::JIT::emit_op_get_by_id):
1750         (JSC::JIT::emit_op_put_by_id):
1751         * jit/Repatch.cpp:
1752         (JSC::tryCacheGetByID):
1753         (JSC::tryBuildGetByIDList):
1754         (JSC::tryCachePutByID):
1755         (JSC::tryBuildPutByIdList):
1756         * jit/SpillRegistersMode.h: Removed.
1757         * llint/LLIntSlowPaths.cpp:
1758         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1759         * runtime/Lookup.h:
1760         (JSC::putEntry):
1761         * runtime/PutPropertySlot.h:
1762         (JSC::PutPropertySlot::isCacheable):
1763         (JSC::PutPropertySlot::cachedOffset):
1764
1765 2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>
1766
1767         Web Inspector: Prevent possible deadlock in view indication
1768         https://bugs.webkit.org/show_bug.cgi?id=129766
1769
1770         Reviewed by Geoffrey Garen.
1771
1772         * inspector/remote/RemoteInspector.mm:
1773         (Inspector::RemoteInspector::receivedIndicateMessage):
1774
1775 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
1776
1777         JSObject::fastGetOwnPropertySlot does a slow check for OverridesGetOwnPropertySlot
1778         https://bugs.webkit.org/show_bug.cgi?id=129754
1779
1780         Reviewed by Geoffrey Garen.
1781
1782         InlineTypeFlags are stored in JSCell, so we can just load those instead of going through the TypeInfo.
1783
1784         * runtime/JSCell.h:
1785         (JSC::JSCell::inlineTypeFlags):
1786         * runtime/JSObject.h:
1787         (JSC::JSObject::fastGetOwnPropertySlot):
1788         * runtime/JSTypeInfo.h:
1789         (JSC::TypeInfo::TypeInfo):
1790         (JSC::TypeInfo::overridesGetOwnPropertySlot):
1791
1792 2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>
1793
1794         Web Inspector: ASSERTION FAILED: m_javaScriptBreakpoints.isEmpty()
1795         https://bugs.webkit.org/show_bug.cgi?id=129763
1796
1797         Reviewed by Geoffrey Garen.
1798
1799         Clear the list of all breakpoints, including unresolved breakpoints.
1800
1801         * inspector/agents/InspectorDebuggerAgent.cpp:
1802         (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
1803
1804 2014-03-05  Mark Lam  <mark.lam@apple.com>
1805
1806         llint_slow_path_check_has_instance() should not adjust PC before accessing operands.
1807         <https://webkit.org/b/129768>
1808
1809         Reviewed by Mark Hahnenberg.
1810
1811         When evaluating "a instanceof b" where b is an object that ImplementsHasInstance
1812         and OverridesHasInstance (e.g. a bound function), the LLINT will take the slow
1813         path llint_slow_path_check_has_instance(), and execute a code path that does the
1814         following:
1815         1. Adjusts the byte code PC to the jump target PC.
1816         2. For the purpose of storing the result, get the result registerIndex from the
1817            1st operand using the PC as if the PC is still pointing to op_check_has_instance
1818            bytecode.
1819
1820         The result is that whatever value resides after where the jump target PC is will
1821         be used as a result register value.  Depending on what that value is, the result
1822         can be:
1823         1. the code coincidentally works correctly
1824         2. memory corruption
1825         3. crashes
1826
1827         The fix is to only adjust the byte code PC after we have stored the result.
1828         
1829         * llint/LLIntSlowPaths.cpp:
1830         (llint_slow_path_check_has_instance):
1831
1832 2014-03-05  Ryosuke Niwa  <rniwa@webkit.org>
1833
1834         Another build fix attempt after r165141.
1835
1836         * ftl/FTLCompile.cpp:
1837         (JSC::FTL::fixFunctionBasedOnStackMaps):
1838
1839 2014-03-05  Ryosuke Niwa  <rniwa@webkit.org>
1840
1841         FTL build fix attempt after r165141.
1842
1843         * ftl/FTLCompile.cpp:
1844         (JSC::FTL::fixFunctionBasedOnStackMaps):
1845
1846 2014-03-05  Gavin Barraclough  <barraclough@apple.com>
1847
1848         https://bugs.webkit.org/show_bug.cgi?id=128625
1849         Add fast mapping from StringImpl to JSString
1850
1851         Unreviewed roll-out.
1852
1853         Reverting r164347, r165054, r165066 - not clear the performance tradeoff was right.
1854
1855         * runtime/JSString.cpp:
1856         * runtime/JSString.h:
1857         * runtime/VM.cpp:
1858         (JSC::VM::createLeaked):
1859         * runtime/VM.h:
1860
1861 2014-03-03  Oliver Hunt  <oliver@apple.com>
1862
1863         Support caching of custom setters
1864         https://bugs.webkit.org/show_bug.cgi?id=129519
1865
1866         Reviewed by Filip Pizlo.
1867
1868         This patch adds caching of assignment to properties that
1869         are backed by C functions. This provides most of the leg
1870         work required to start supporting setters, and resolves
1871         the remaining regressions from moving DOM properties up
1872         the prototype chain.
1873
1874         * JavaScriptCore.xcodeproj/project.pbxproj:
1875         * bytecode/PolymorphicPutByIdList.cpp:
1876         (JSC::PutByIdAccess::visitWeak):
1877         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
1878         (JSC::PolymorphicPutByIdList::from):
1879         * bytecode/PolymorphicPutByIdList.h:
1880         (JSC::PutByIdAccess::transition):
1881         (JSC::PutByIdAccess::replace):
1882         (JSC::PutByIdAccess::customSetter):
1883         (JSC::PutByIdAccess::isCustom):
1884         (JSC::PutByIdAccess::oldStructure):
1885         (JSC::PutByIdAccess::chain):
1886         (JSC::PutByIdAccess::stubRoutine):
1887         * bytecode/PutByIdStatus.cpp:
1888         (JSC::PutByIdStatus::computeForStubInfo):
1889         (JSC::PutByIdStatus::computeFor):
1890         (JSC::PutByIdStatus::dump):
1891         * bytecode/PutByIdStatus.h:
1892         (JSC::PutByIdStatus::PutByIdStatus):
1893         (JSC::PutByIdStatus::takesSlowPath):
1894         (JSC::PutByIdStatus::makesCalls):
1895         * bytecode/StructureStubInfo.h:
1896         * dfg/DFGAbstractInterpreterInlines.h:
1897         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1898         * dfg/DFGByteCodeParser.cpp:
1899         (JSC::DFG::ByteCodeParser::emitPutById):
1900         (JSC::DFG::ByteCodeParser::handlePutById):
1901         * dfg/DFGClobberize.h:
1902         (JSC::DFG::clobberize):
1903         * dfg/DFGCommon.h:
1904         * dfg/DFGConstantFoldingPhase.cpp:
1905         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1906         * dfg/DFGFixupPhase.cpp:
1907         (JSC::DFG::FixupPhase::fixupNode):
1908         * dfg/DFGNode.h:
1909         (JSC::DFG::Node::hasIdentifier):
1910         * dfg/DFGNodeType.h:
1911         * dfg/DFGPredictionPropagationPhase.cpp:
1912         (JSC::DFG::PredictionPropagationPhase::propagate):
1913         * dfg/DFGSafeToExecute.h:
1914         (JSC::DFG::safeToExecute):
1915         * dfg/DFGSpeculativeJIT.cpp:
1916         (JSC::DFG::SpeculativeJIT::compileIn):
1917         * dfg/DFGSpeculativeJIT.h:
1918         * dfg/DFGSpeculativeJIT32_64.cpp:
1919         (JSC::DFG::SpeculativeJIT::cachedGetById):
1920         (JSC::DFG::SpeculativeJIT::cachedPutById):
1921         (JSC::DFG::SpeculativeJIT::compile):
1922         * dfg/DFGSpeculativeJIT64.cpp:
1923         (JSC::DFG::SpeculativeJIT::cachedGetById):
1924         (JSC::DFG::SpeculativeJIT::cachedPutById):
1925         (JSC::DFG::SpeculativeJIT::compile):
1926         * jit/CCallHelpers.h:
1927         (JSC::CCallHelpers::setupArgumentsWithExecState):
1928         * jit/JITInlineCacheGenerator.cpp:
1929         (JSC::JITByIdGenerator::JITByIdGenerator):
1930         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1931         * jit/JITInlineCacheGenerator.h:
1932         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1933         * jit/JITOperations.cpp:
1934         * jit/JITOperations.h:
1935         * jit/JITPropertyAccess.cpp:
1936         (JSC::JIT::emit_op_get_by_id):
1937         (JSC::JIT::emit_op_put_by_id):
1938         * jit/JITPropertyAccess32_64.cpp:
1939         (JSC::JIT::emit_op_get_by_id):
1940         (JSC::JIT::emit_op_put_by_id):
1941         * jit/Repatch.cpp:
1942         (JSC::tryCacheGetByID):
1943         (JSC::tryBuildGetByIDList):
1944         (JSC::emitCustomSetterStub):
1945         (JSC::tryCachePutByID):
1946         (JSC::tryBuildPutByIdList):
1947         * jit/SpillRegistersMode.h: Added.
1948         * llint/LLIntSlowPaths.cpp:
1949         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1950         * runtime/Lookup.h:
1951         (JSC::putEntry):
1952         * runtime/PutPropertySlot.h:
1953         (JSC::PutPropertySlot::setCacheableCustomProperty):
1954         (JSC::PutPropertySlot::customSetter):
1955         (JSC::PutPropertySlot::isCacheablePut):
1956         (JSC::PutPropertySlot::isCacheableCustomProperty):
1957         (JSC::PutPropertySlot::cachedOffset):
1958
1959 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
1960
1961         JSCell::m_gcData should encode its information differently
1962         https://bugs.webkit.org/show_bug.cgi?id=129741
1963
1964         Reviewed by Geoffrey Garen.
1965
1966         We want to keep track of three GC states for an object:
1967
1968         1. Not marked (which implies not in the remembered set)
1969         2. Marked but not in the remembered set
1970         3. Marked and in the remembered set
1971         
1972         Currently we only indicate marked vs. not marked in JSCell::m_gcData. During a write 
1973         barrier, we only want to take the slow path if the object being stored to is in state #2. 
1974         We'd like to make the test for state #2 as fast as possible, which means making it a 
1975         compare against 0.
1976
1977         * dfg/DFGOSRExitCompilerCommon.cpp:
1978         (JSC::DFG::osrWriteBarrier):
1979         * dfg/DFGSpeculativeJIT.cpp:
1980         (JSC::DFG::SpeculativeJIT::checkMarkByte):
1981         (JSC::DFG::SpeculativeJIT::writeBarrier):
1982         * dfg/DFGSpeculativeJIT.h:
1983         * dfg/DFGSpeculativeJIT32_64.cpp:
1984         (JSC::DFG::SpeculativeJIT::writeBarrier):
1985         * dfg/DFGSpeculativeJIT64.cpp:
1986         (JSC::DFG::SpeculativeJIT::writeBarrier):
1987         * ftl/FTLLowerDFGToLLVM.cpp:
1988         (JSC::FTL::LowerDFGToLLVM::allocateCell):
1989         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
1990         * heap/Heap.cpp:
1991         (JSC::Heap::clearRememberedSet):
1992         (JSC::Heap::addToRememberedSet):
1993         * jit/AssemblyHelpers.h:
1994         (JSC::AssemblyHelpers::checkMarkByte):
1995         * jit/JIT.h:
1996         * jit/JITPropertyAccess.cpp:
1997         (JSC::JIT::checkMarkByte):
1998         (JSC::JIT::emitWriteBarrier):
1999         * jit/Repatch.cpp:
2000         (JSC::writeBarrier):
2001         * llint/LowLevelInterpreter.asm:
2002         * llint/LowLevelInterpreter32_64.asm:
2003         * llint/LowLevelInterpreter64.asm:
2004         * runtime/JSCell.h:
2005         (JSC::JSCell::mark):
2006         (JSC::JSCell::remember):
2007         (JSC::JSCell::forget):
2008         (JSC::JSCell::isMarked):
2009         (JSC::JSCell::isRemembered):
2010         * runtime/JSCellInlines.h:
2011         (JSC::JSCell::JSCell):
2012         * runtime/StructureIDBlob.h:
2013         (JSC::StructureIDBlob::StructureIDBlob):
2014
2015 2014-03-05  Filip Pizlo  <fpizlo@apple.com>
2016
2017         More FTL ARM fixes
2018         https://bugs.webkit.org/show_bug.cgi?id=129755
2019
2020         Reviewed by Geoffrey Garen.
2021         
2022         - Be more defensive about inline caches that have degenerate chains.
2023         
2024         - Temporarily switch to allocating all MCJIT memory in the executable pool on non-x86
2025           platforms. The bug tracking the real fix is: https://bugs.webkit.org/show_bug.cgi?id=129756
2026         
2027         - Don't even emit intrinsic declarations on non-x86 platforms.
2028         
2029         - More debug printing support.
2030         
2031         - Don't use vmCall() in the prologue. This should have crashed on all platforms all the time
2032           but somehow it gets lucky on x86.
2033
2034         * bytecode/GetByIdStatus.cpp:
2035         (JSC::GetByIdStatus::appendVariant):
2036         (JSC::GetByIdStatus::computeForChain):
2037         (JSC::GetByIdStatus::computeForStubInfo):
2038         * bytecode/GetByIdStatus.h:
2039         * bytecode/PutByIdStatus.cpp:
2040         (JSC::PutByIdStatus::appendVariant):
2041         (JSC::PutByIdStatus::computeForStubInfo):
2042         * bytecode/PutByIdStatus.h:
2043         * bytecode/StructureSet.h:
2044         (JSC::StructureSet::overlaps):
2045         * ftl/FTLCompile.cpp:
2046         (JSC::FTL::mmAllocateDataSection):
2047         * ftl/FTLDataSection.cpp:
2048         (JSC::FTL::DataSection::DataSection):
2049         (JSC::FTL::DataSection::~DataSection):
2050         * ftl/FTLDataSection.h:
2051         * ftl/FTLLowerDFGToLLVM.cpp:
2052         (JSC::FTL::LowerDFGToLLVM::lower):
2053         * ftl/FTLOutput.h:
2054         (JSC::FTL::Output::doubleSin):
2055         (JSC::FTL::Output::doubleCos):
2056         * runtime/JSCJSValue.cpp:
2057         (JSC::JSValue::dumpInContext):
2058         * runtime/JSCell.h:
2059         (JSC::JSCell::structureID):
2060
2061 2014-03-05  peavo@outlook.com  <peavo@outlook.com>
2062
2063         [Win32][LLINT] Crash when running JSC stress tests.
2064         https://bugs.webkit.org/show_bug.cgi?id=129429
2065
2066         On Windows the reserved stack space consists of committed memory, a guard page, and uncommitted memory,
2067         where the guard page is a barrier between committed and uncommitted memory.
2068         When data from the guard page is read or written, the guard page is moved, and memory is committed.
2069         This is how the system grows the stack.
2070         When using the C stack on Windows we need to precommit the needed stack space.
2071         Otherwise we might crash later if we access uncommitted stack memory.
2072         This can happen if we allocate stack space larger than the page guard size (4K).
2073         The system does not get the chance to move the guard page, and commit more memory,
2074         and we crash if uncommitted memory is accessed.
2075         The MSVC compiler fixes this by inserting a call to the _chkstk() function,
2076         when needed, see http://support.microsoft.com/kb/100775.
2077
2078         Reviewed by Geoffrey Garen.
2079
2080         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Enable LLINT.
2081         * jit/Repatch.cpp:
2082         (JSC::writeBarrier): Compile fix when DFG_JIT is not enabled.
2083         * offlineasm/x86.rb: Compile fix, and small simplification.
2084         * runtime/VM.cpp:
2085         (JSC::preCommitStackMemory): Added function to precommit stack memory.
2086         (JSC::VM::updateStackLimit): Call function to precommit stack memory when stack limit is updated.
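As an added illustration of the approach this entry describes (not JSC's own preCommitStackMemory()), the function below walks a stack range one page at a time, reading and writing back a byte in each page so that a guard page is hit in order. The 4K page size is the figure quoted above; the eight-page buffer is constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>

/* Page-guard size quoted in the entry; assumed constant for this example. */
#define PAGE_GUARD_SIZE 4096u

/* Touch one byte in every page from `top` (higher address) down to `limit`
   (lower address), in the direction the stack grows. On Windows the first
   access to the guard page commits it and moves the guard down, so a later
   frame larger than one page never lands in uncommitted memory. On other
   platforms this is a harmless read-then-write of already mapped memory.
   Reading and writing the same byte leaves the contents unchanged.
   Returns the number of pages touched. */
size_t precommitStackRange(volatile unsigned char* top, volatile unsigned char* limit)
{
    size_t pagesTouched = 0;
    uintptr_t low = (uintptr_t)limit;
    /* Integer arithmetic so stepping below `limit` at the end is well defined. */
    for (uintptr_t addr = (uintptr_t)top; addr > low; addr -= PAGE_GUARD_SIZE) {
        volatile unsigned char* p = (volatile unsigned char*)addr;
        unsigned char c = *p;
        *p = c;
        pagesTouched++;
    }
    return pagesTouched;
}

/* Constructed stand-in for a large frame: an 8-page local buffer walked
   from its highest byte down to its base. Expected result: 8 pages. */
size_t demoPrecommitEightPages(void)
{
    unsigned char frame[8 * PAGE_GUARD_SIZE] = { 0 };
    return precommitStackRange(frame + sizeof frame - 1, frame);
}
```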
2087
2088 2014-03-05  Michael Saboff  <msaboff@apple.com>
2089
2090         JSDataViewPrototype::getData() and setData() crash on platforms that don't allow unaligned accesses
2091         https://bugs.webkit.org/show_bug.cgi?id=129746
2092
2093         Reviewed by Filip Pizlo.
2094
2095         Changed to use a union to manually assemble or disassemble the various types
2096         from / to the corresponding bytes.  All memory access is now done using
2097         byte accesses.
2098
2099         * runtime/JSDataViewPrototype.cpp:
2100         (JSC::getData):
2101         (JSC::setData):
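An added example of the byte-wise union technique this entry describes (my code, not JSC's getData()/setData()): DataView-style accessors that never issue a wider-than-byte load or store on the backing buffer, with the endianness flag and a RangeError-style bounds check handled explicitly. The sample buffer, offsets and function names are constructed for the demo.

```c
#include <math.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* The union assembles or disassembles a value in host order; the buffer is
   only ever touched one byte at a time, so an odd byteOffset can never turn
   into a misaligned 32- or 64-bit access on platforms that fault on those. */
typedef union {
    uint8_t bytes[8];
    uint32_t u32;
    double f64;
} ValueBytes;

static bool hostIsLittleEndian(void)
{
    ValueBytes probe;
    probe.u32 = 1;
    return probe.bytes[0] == 1;
}

/* Copy `size` buffer bytes into the union, reversing them when the requested
   endianness differs from the host's. Fails when offset + size would run past
   the buffer (DataView throws a RangeError there); written to avoid overflow. */
static bool readBytes(const uint8_t* buf, size_t bufLen, size_t offset, size_t size, bool littleEndian, ValueBytes* out)
{
    if (size > bufLen || offset > bufLen - size)
        return false;
    bool reverse = littleEndian != hostIsLittleEndian();
    for (size_t i = 0; i < size; i++)
        out->bytes[reverse ? size - 1 - i : i] = buf[offset + i];
    return true;
}

/* Mirror of readBytes for stores: same bounds check, same byte reordering. */
static bool writeBytes(uint8_t* buf, size_t bufLen, size_t offset, size_t size, bool littleEndian, const ValueBytes* in)
{
    if (size > bufLen || offset > bufLen - size)
        return false;
    bool reverse = littleEndian != hostIsLittleEndian();
    for (size_t i = 0; i < size; i++)
        buf[offset + i] = in->bytes[reverse ? size - 1 - i : i];
    return true;
}

bool dataViewGetUint32(const uint8_t* buf, size_t bufLen, size_t offset, bool littleEndian, uint32_t* result)
{
    ValueBytes v;
    if (!readBytes(buf, bufLen, offset, sizeof v.u32, littleEndian, &v))
        return false;
    *result = v.u32;
    return true;
}

bool dataViewSetFloat64(uint8_t* buf, size_t bufLen, size_t offset, bool littleEndian, double value)
{
    ValueBytes v;
    v.f64 = value;
    return writeBytes(buf, bufLen, offset, sizeof v.f64, littleEndian, &v);
}

bool dataViewGetFloat64(const uint8_t* buf, size_t bufLen, size_t offset, bool littleEndian, double* result)
{
    ValueBytes v;
    if (!readBytes(buf, bufLen, offset, sizeof v.f64, littleEndian, &v))
        return false;
    *result = v.f64;
    return true;
}

/* Constructed 16-byte sample buffer (not from the page). */
static const uint8_t kSample[16] = { 0xDE, 0xAD, 0xBE, 0xEF, 0x00, 0x00, 0x00, 0x00,
                                     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };

/* Read a uint32 from the sample at any (possibly unaligned) offset; 0 if out of range. */
uint32_t demoGetUint32(size_t offset, bool littleEndian)
{
    uint32_t v = 0;
    return dataViewGetUint32(kSample, sizeof kSample, offset, littleEndian, &v) ? v : 0;
}

/* True when a 4-byte read at `offset` fits inside the 16-byte sample. */
bool demoGetUint32InRange(size_t offset)
{
    uint32_t v = 0;
    return dataViewGetUint32(kSample, sizeof kSample, offset, false, &v);
}

/* Store 1.5 at the unaligned offset 3 and read it back the same way; NAN on failure. */
double demoFloat64RoundTrip(bool littleEndian)
{
    uint8_t buf[16] = { 0 };
    double back = NAN;
    if (!dataViewSetFloat64(buf, sizeof buf, 3, littleEndian, 1.5))
        return NAN;
    if (!dataViewGetFloat64(buf, sizeof buf, 3, littleEndian, &back))
        return NAN;
    return back;
}
```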
2102
2103 2014-03-05  Filip Pizlo  <fpizlo@apple.com>
2104
2105         FTL loadStructure always generates invalid IR
2106         https://bugs.webkit.org/show_bug.cgi?id=129747
2107
2108         Reviewed by Mark Hahnenberg.
2109
2110         As the comment at the top of FTL::Output states, the FTL doesn't use LLVM's notion
2111         of pointers. LLVM's notion of pointers tries to model C, in the sense that you have
2112         to have a pointer to a type, and you can only load things of that type from that
2113         pointer. Pointer arithmetic is basically not possible except through the bizarre
2114         getelementptr operator. This doesn't fit with how the JS object model works since
2115         the JS object model doesn't consist of nice and tidy C types placed in C arrays.
2116         Also, it would be impossible to use getelementptr and LLVM pointers for accessing
2117         any of JSC's C or C++ objects unless we went through the exercise of redeclaring
2118         all of our fundamental data structures in LLVM IR as LLVM types. Clang could do
2119         this for us, but that would require that to use the FTL, JSC itself would have to
2120         be compiled with clang. Worse, it would have to be compiled with a clang that uses
2121         a version of LLVM that is compatible with the one against which the FTL is linked.
2122         Yuck!
2123
2124         The solution is to NEVER use LLVM pointers. This has always been the case in the
2125         FTL. But it causes some confusion.
2126         
2127         Not using LLVM pointers means that if the FTL has a "pointer", it's actually a
2128         pointer-wide integer (m_out.intPtr in FTL-speak). The act of "loading" and
2129         "storing" from or to a pointer involves first bitcasting the intPtr to a real LLVM
2130         pointer that has the type that we want. The load and store operations over pointers
2131         are called Output::load* and Output::store*, where * is one of "8", "16", "32",
2132         "64", "Ptr", "Float", or "Double".
2133         
2134         There is unavoidable confusion here. It would be bizarre for the FTL to call its
2135         "pointer-wide integers" anything other than "pointers", since they are, in all
2136         respects that we care about, simply pointers. But they are *not* LLVM pointers and
2137         they never will be that.
2138         
2139         There is one exception to this "no pointers" rule. The FTL does use actual LLVM
2140         pointers for referring to LLVM alloca's - i.e. local variables. To try to reduce
2141         confusion, we call these "references". So an "FTL reference" is actually an "LLVM
2142         pointer", while an "FTL pointer" is actually an "LLVM integer". FTL references have
2143         methods for access called Output::get and Output::set. These lower to LLVM load
2144         and store, since FTL references are just LLVM pointers.
2145         
2146         This confusion appears to have led to incorrect code in loadStructure().
2147         loadStructure() was using get() and set() to access FTL pointers. But those methods
2148         don't work on FTL pointers and never will, since they are for FTL references.
2149         
2150         The worst part of this is that it was previously impossible to have test coverage
2151         for the relevant path (MasqueradesAsUndefined) without writing a DRT test. This
2152         patch fixes this by introducing a Masquerader object to jsc.cpp.
2153         
2154         * ftl/FTLAbstractHeapRepository.h: Add an abstract heap for the structure table.
2155         * ftl/FTLLowerDFGToLLVM.cpp:
2156         (JSC::FTL::LowerDFGToLLVM::loadStructure): This was wrong.
2157         * ftl/FTLOutput.h: Add a comment to dissuade people from using get() and set().
2158         * jsc.cpp: Give us the power to test for MasqueradesAsUndefined.
2159         (WTF::Masquerader::Masquerader):
2160         (WTF::Masquerader::create):
2161         (WTF::Masquerader::createStructure):
2162         (GlobalObject::finishCreation):
2163         (functionMakeMasquerader):
2164         * tests/stress/equals-masquerader.js: Added.
2165         (foo):
2166         (test):
2167
2168 2014-03-05  Anders Carlsson  <andersca@apple.com>
2169
2170         Tweak after r165109 to avoid extra copies
2171         https://bugs.webkit.org/show_bug.cgi?id=129745
2172
2173         Reviewed by Geoffrey Garen.
2174
2175         * heap/Heap.cpp:
2176         (JSC::Heap::visitProtectedObjects):
2177         (JSC::Heap::visitTempSortVectors):
2178         (JSC::Heap::clearRememberedSet):
2179         * heap/Heap.h:
2180         (JSC::Heap::forEachProtectedCell):
2181
2182 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
2183
2184         DFGStoreBarrierElisionPhase should use GCState directly instead of m_gcClobberSet when calling writesOverlap()
2185         https://bugs.webkit.org/show_bug.cgi?id=129717
2186
2187         Reviewed by Filip Pizlo.
2188
2189         * dfg/DFGStoreBarrierElisionPhase.cpp:
2190         (JSC::DFG::StoreBarrierElisionPhase::StoreBarrierElisionPhase):
2191         (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC):
2192
2193 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
2194
2195         Use range-based loops where possible in Heap methods
2196         https://bugs.webkit.org/show_bug.cgi?id=129513
2197
2198         Reviewed by Mark Lam.
2199
2200         Replace old school iterator based loops with the new range-based loop hotness
2201         for a better tomorrow.
2202
2203         * heap/CodeBlockSet.cpp:
2204         (JSC::CodeBlockSet::~CodeBlockSet):
2205         (JSC::CodeBlockSet::clearMarks):
2206         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
2207         (JSC::CodeBlockSet::traceMarked):
2208         * heap/Heap.cpp:
2209         (JSC::Heap::visitProtectedObjects):
2210         (JSC::Heap::visitTempSortVectors):
2211         (JSC::Heap::clearRememberedSet):
2212         * heap/Heap.h:
2213         (JSC::Heap::forEachProtectedCell):
2214
2215 2014-03-04  Filip Pizlo  <fpizlo@apple.com>
2216
2217         DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
2218         https://bugs.webkit.org/show_bug.cgi?id=129563
2219
2220         Reviewed by Geoffrey Garen.
2221         
2222         Rolling this back in after fixing an assertion failure. speculateMisc() should have
2223         said DFG_TYPE_CHECK instead of typeCheck.
2224         
2225         This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
2226         when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
2227         user of this was EarleyBoyer, and in that benchmark what it was really doing was
2228         comparing undefined, null, and booleans to each other.
2229         
2230         This also adds support for miscellaneous things that I needed to make my various test
2231         cases work. This includes comparison over booleans and the various Throw-related node
2232         types.
2233         
2234         This also improves constant folding of CompareStrictEq and CompareEq.
2235         
2236         Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
2237         based on profiling, which caused some downstream badness. We don't actually support
2238         compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
2239         emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
2240         shouldn't factor out the bounds check since the access is not InBounds but then the
2241         backend would ignore the flag and assume that the bounds check was already emitted.
2242         This showed up on an existing test but I added a test for this explicitly to have more
2243         certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
2244         that we'll have a bounds check anyway.
2245         
2246         This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
2247         general progressions across the board. No speed-up yet on EarleyBoyer, since there is
2248         still a lot more coverage work to be done there.
2249
2250         * bytecode/SpeculatedType.cpp:
2251         (JSC::speculationToAbbreviatedString):
2252         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
2253         (JSC::valuesCouldBeEqual):
2254         * bytecode/SpeculatedType.h:
2255         (JSC::isMiscSpeculation):
2256         * dfg/DFGAbstractInterpreterInlines.h:
2257         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2258         * dfg/DFGArrayMode.cpp:
2259         (JSC::DFG::ArrayMode::refine):
2260         * dfg/DFGArrayMode.h:
2261         * dfg/DFGFixupPhase.cpp:
2262         (JSC::DFG::FixupPhase::fixupNode):
2263         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
2264         * dfg/DFGNode.h:
2265         (JSC::DFG::Node::shouldSpeculateMisc):
2266         * dfg/DFGSafeToExecute.h:
2267         (JSC::DFG::SafeToExecuteEdge::operator()):
2268         * dfg/DFGSpeculativeJIT.cpp:
2269         (JSC::DFG::SpeculativeJIT::compileStrictEq):
2270         (JSC::DFG::SpeculativeJIT::speculateMisc):
2271         (JSC::DFG::SpeculativeJIT::speculate):
2272         * dfg/DFGSpeculativeJIT.h:
2273         * dfg/DFGSpeculativeJIT32_64.cpp:
2274         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
2275         * dfg/DFGSpeculativeJIT64.cpp:
2276         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
2277         * dfg/DFGUseKind.cpp:
2278         (WTF::printInternal):
2279         * dfg/DFGUseKind.h:
2280         (JSC::DFG::typeFilterFor):
2281         * ftl/FTLCapabilities.cpp:
2282         (JSC::FTL::canCompile):
2283         * ftl/FTLLowerDFGToLLVM.cpp:
2284         (JSC::FTL::LowerDFGToLLVM::compileNode):
2285         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
2286         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
2287         (JSC::FTL::LowerDFGToLLVM::compileThrow):
2288         (JSC::FTL::LowerDFGToLLVM::isNotMisc):
2289         (JSC::FTL::LowerDFGToLLVM::isMisc):
2290         (JSC::FTL::LowerDFGToLLVM::speculate):
2291         (JSC::FTL::LowerDFGToLLVM::speculateMisc):
2292         * tests/stress/float32-array-out-of-bounds.js: Added.
2293         * tests/stress/weird-equality-folding-cases.js: Added.
2294
2295 2014-03-04  Commit Queue  <commit-queue@webkit.org>
2296
2297         Unreviewed, rolling out r165085.
2298         http://trac.webkit.org/changeset/165085
2299         https://bugs.webkit.org/show_bug.cgi?id=129729
2300
2301         Broke imported/w3c/html-templates/template-element/template-
2302         content.html (Requested by ap on #webkit).
2303
2304         * bytecode/SpeculatedType.cpp:
2305         (JSC::speculationToAbbreviatedString):
2306         * bytecode/SpeculatedType.h:
2307         * dfg/DFGAbstractInterpreterInlines.h:
2308         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2309         * dfg/DFGArrayMode.cpp:
2310         (JSC::DFG::ArrayMode::refine):
2311         * dfg/DFGArrayMode.h:
2312         * dfg/DFGFixupPhase.cpp:
2313         (JSC::DFG::FixupPhase::fixupNode):
2314         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
2315         * dfg/DFGNode.h:
2316         (JSC::DFG::Node::shouldSpeculateBoolean):
2317         * dfg/DFGSafeToExecute.h:
2318         (JSC::DFG::SafeToExecuteEdge::operator()):
2319         * dfg/DFGSpeculativeJIT.cpp:
2320         (JSC::DFG::SpeculativeJIT::compileStrictEq):
2321         (JSC::DFG::SpeculativeJIT::speculate):
2322         * dfg/DFGSpeculativeJIT.h:
2323         * dfg/DFGSpeculativeJIT32_64.cpp:
2324         * dfg/DFGSpeculativeJIT64.cpp:
2325         * dfg/DFGUseKind.cpp:
2326         (WTF::printInternal):
2327         * dfg/DFGUseKind.h:
2328         (JSC::DFG::typeFilterFor):
2329         * ftl/FTLCapabilities.cpp:
2330         (JSC::FTL::canCompile):
2331         * ftl/FTLLowerDFGToLLVM.cpp:
2332         (JSC::FTL::LowerDFGToLLVM::compileNode):
2333         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
2334         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
2335         (JSC::FTL::LowerDFGToLLVM::speculate):
2336         * tests/stress/float32-array-out-of-bounds.js: Removed.
2337         * tests/stress/weird-equality-folding-cases.js: Removed.
2338
2339 2014-03-04  Brian Burg  <bburg@apple.com>
2340
2341         Inspector does not restore breakpoints after a page reload
2342         https://bugs.webkit.org/show_bug.cgi?id=129655
2343
2344         Reviewed by Joseph Pecoraro.
2345
2346         Fix a regression introduced by r162096 that erroneously removed
2347         the inspector backend's mapping of files to breakpoints whenever the
2348         global object was cleared.
2349
2350         The inspector's breakpoint mappings should only be cleared when the
2351         debugger agent is disabled or destroyed. We should only clear the
2352         debugger's breakpoint state when the global object is cleared.
2353
2354         To make it clearer what state is being cleared, the two cases have
2355         been split into separate methods.
2356
2357         * inspector/agents/InspectorDebuggerAgent.cpp:
2358         (Inspector::InspectorDebuggerAgent::disable):
2359         (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
2360         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
2361         (Inspector::InspectorDebuggerAgent::didClearGlobalObject):
2362         * inspector/agents/InspectorDebuggerAgent.h:
2363
2364 2014-03-04  Andreas Kling  <akling@apple.com>
2365
2366         Streamline JSValue::get().
2367         <https://webkit.org/b/129720>
2368
2369         Fetch each Structure and VM only once when walking the prototype chain
2370         in JSObject::getPropertySlot(), then pass it along to the functions
2371         we call from there, so they don't have to re-fetch it.
2372
2373         Reviewed by Geoff Garen.
2374
2375         * runtime/JSObject.h:
2376         (JSC::JSObject::inlineGetOwnPropertySlot):
2377         (JSC::JSObject::fastGetOwnPropertySlot):
2378         (JSC::JSObject::getPropertySlot):
2379
2380 2014-03-01  Filip Pizlo  <fpizlo@apple.com>
2381
2382         DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
2383         https://bugs.webkit.org/show_bug.cgi?id=129563
2384
2385         Reviewed by Geoffrey Garen.
2386         
2387         This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
2388         when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
2389         user of this was EarleyBoyer, and in that benchmark what it was really doing was
2390         comparing undefined, null, and booleans to each other.
2391         
2392         This also adds support for miscellaneous things that I needed to make my various test
2393         cases work. This includes comparison over booleans and the various Throw-related node
2394         types.
2395         
2396         This also improves constant folding of CompareStrictEq and CompareEq.
2397         
2398         Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
2399         based on profiling, which caused some downstream badness. We don't actually support
2400         compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
2401         emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
2402         shouldn't factor out the bounds check since the access is not InBounds but then the
2403         backend would ignore the flag and assume that the bounds check was already emitted.
2404         This showed up on an existing test but I added a test for this explicitly to have more
2405         certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
2406         that we'll have a bounds check anyway.
2407         
2408         This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
2409         general progressions across the board. No speed-up yet on EarleyBoyer, since there is
2410         still a lot more coverage work to be done there.
2411
2412         * bytecode/SpeculatedType.cpp:
2413         (JSC::speculationToAbbreviatedString):
2414         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
2415         (JSC::valuesCouldBeEqual):
2416         * bytecode/SpeculatedType.h:
2417         (JSC::isMiscSpeculation):
2418         * dfg/DFGAbstractInterpreterInlines.h:
2419         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2420         * dfg/DFGFixupPhase.cpp:
2421         (JSC::DFG::FixupPhase::fixupNode):
2422         * dfg/DFGNode.h:
2423         (JSC::DFG::Node::shouldSpeculateMisc):
2424         * dfg/DFGSafeToExecute.h:
2425         (JSC::DFG::SafeToExecuteEdge::operator()):
2426         * dfg/DFGSpeculativeJIT.cpp:
2427         (JSC::DFG::SpeculativeJIT::compileStrictEq):
2428         (JSC::DFG::SpeculativeJIT::speculateMisc):
2429         (JSC::DFG::SpeculativeJIT::speculate):
2430         * dfg/DFGSpeculativeJIT.h:
2431         * dfg/DFGSpeculativeJIT32_64.cpp:
2432         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
2433         * dfg/DFGSpeculativeJIT64.cpp:
2434         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
2435         * dfg/DFGUseKind.cpp:
2436         (WTF::printInternal):
2437         * dfg/DFGUseKind.h:
2438         (JSC::DFG::typeFilterFor):
2439         * ftl/FTLCapabilities.cpp:
2440         (JSC::FTL::canCompile):
2441         * ftl/FTLLowerDFGToLLVM.cpp:
2442         (JSC::FTL::LowerDFGToLLVM::compileNode):
2443         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
2444         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
2445         (JSC::FTL::LowerDFGToLLVM::compileThrow):
2446         (JSC::FTL::LowerDFGToLLVM::isNotMisc):
2447         (JSC::FTL::LowerDFGToLLVM::isMisc):
2448         (JSC::FTL::LowerDFGToLLVM::speculate):
2449         (JSC::FTL::LowerDFGToLLVM::speculateMisc):
2450         * tests/stress/float32-array-out-of-bounds.js: Added.
2451         * tests/stress/weird-equality-folding-cases.js: Added.
2452
2453 2014-03-04  Andreas Kling  <akling@apple.com>
2454
2455         Spam static branch prediction hints on JS bindings.
2456         <https://webkit.org/b/129703>
2457
2458         Add LIKELY hint to jsDynamicCast since it's always used in a context
2459         where we expect it to succeed and takes an error path when it doesn't.
2460
2461         Reviewed by Geoff Garen.
2462
2463         * runtime/JSCell.h:
2464         (JSC::jsDynamicCast):
2465
2466 2014-03-04  Andreas Kling  <akling@apple.com>
2467
2468         Get to Structures more efficiently in JSCell::methodTable().
2469         <https://webkit.org/b/129702>
2470
2471         In JSCell::methodTable(), get the VM once and pass that along to
2472         structure(VM&) instead of using the heavier structure().
2473
2474         In JSCell::methodTable(VM&), replace calls to structure() with
2475         calls to structure(VM&).
2476
2477         Reviewed by Mark Hahnenberg.
2478
2479         * runtime/JSCellInlines.h:
2480         (JSC::JSCell::methodTable):
2481
2482 2014-03-04  Joseph Pecoraro  <pecoraro@apple.com>
2483
2484         Web Inspector: Listen for the XPC_ERROR_CONNECTION_INVALID event to deref
2485         https://bugs.webkit.org/show_bug.cgi?id=129697
2486
2487         Reviewed by Timothy Hatcher.
2488
2489         * inspector/remote/RemoteInspectorXPCConnection.mm:
2490         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
2491         (Inspector::RemoteInspectorXPCConnection::handleEvent):
2492
2493 2014-03-04  Mark Hahnenberg  <mhahnenberg@apple.com>
2494
2495         Merge API shims and JSLock
2496         https://bugs.webkit.org/show_bug.cgi?id=129650
2497
2498         Reviewed by Mark Lam.
2499
2500         JSLock is now taking on all of APIEntryShim's responsibilities since there is never a reason 
2501         to take just the JSLock. Ditto for DropAllLocks and APICallbackShim.
2502
2503         * API/APICallbackFunction.h:
2504         (JSC::APICallbackFunction::call):
2505         (JSC::APICallbackFunction::construct):
2506         * API/APIShims.h: Removed.
2507         * API/JSBase.cpp:
2508         (JSEvaluateScript):
2509         (JSCheckScriptSyntax):
2510         (JSGarbageCollect):
2511         (JSReportExtraMemoryCost):
2512         (JSSynchronousGarbageCollectForDebugging):
2513         * API/JSCallbackConstructor.cpp:
2514         * API/JSCallbackFunction.cpp:
2515         * API/JSCallbackObjectFunctions.h:
2516         (JSC::JSCallbackObject<Parent>::init):
2517         (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
2518         (JSC::JSCallbackObject<Parent>::put):
2519         (JSC::JSCallbackObject<Parent>::putByIndex):
2520         (JSC::JSCallbackObject<Parent>::deleteProperty):
2521         (JSC::JSCallbackObject<Parent>::construct):
2522         (JSC::JSCallbackObject<Parent>::customHasInstance):
2523         (JSC::JSCallbackObject<Parent>::call):
2524         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
2525         (JSC::JSCallbackObject<Parent>::getStaticValue):
2526         (JSC::JSCallbackObject<Parent>::callbackGetter):
2527         * API/JSContext.mm:
2528         (-[JSContext setException:]):
2529         (-[JSContext wrapperForObjCObject:]):
2530         (-[JSContext wrapperForJSObject:]):
2531         * API/JSContextRef.cpp:
2532         (JSContextGroupRelease):
2533         (JSContextGroupSetExecutionTimeLimit):
2534         (JSContextGroupClearExecutionTimeLimit):
2535         (JSGlobalContextCreateInGroup):
2536         (JSGlobalContextRetain):
2537         (JSGlobalContextRelease):
2538         (JSContextGetGlobalObject):
2539         (JSContextGetGlobalContext):
2540         (JSGlobalContextCopyName):
2541         (JSGlobalContextSetName):
2542         * API/JSManagedValue.mm:
2543         (-[JSManagedValue value]):
2544         * API/JSObjectRef.cpp:
2545         (JSObjectMake):
2546         (JSObjectMakeFunctionWithCallback):
2547         (JSObjectMakeConstructor):
2548         (JSObjectMakeFunction):
2549         (JSObjectMakeArray):
2550         (JSObjectMakeDate):
2551         (JSObjectMakeError):
2552         (JSObjectMakeRegExp):
2553         (JSObjectGetPrototype):
2554         (JSObjectSetPrototype):
2555         (JSObjectHasProperty):
2556         (JSObjectGetProperty):
2557         (JSObjectSetProperty):
2558         (JSObjectGetPropertyAtIndex):
2559         (JSObjectSetPropertyAtIndex):
2560         (JSObjectDeleteProperty):
2561         (JSObjectGetPrivateProperty):
2562         (JSObjectSetPrivateProperty):
2563         (JSObjectDeletePrivateProperty):
2564         (JSObjectIsFunction):
2565         (JSObjectCallAsFunction):
2566         (JSObjectCallAsConstructor):
2567         (JSObjectCopyPropertyNames):
2568         (JSPropertyNameArrayRelease):
2569         (JSPropertyNameAccumulatorAddName):
2570         * API/JSScriptRef.cpp:
2571         * API/JSValue.mm:
2572         (isDate):
2573         (isArray):
2574         (containerValueToObject):
2575         (valueToArray):
2576         (valueToDictionary):
2577         (objectToValue):
2578         * API/JSValueRef.cpp:
2579         (JSValueGetType):
2580         (JSValueIsUndefined):
2581         (JSValueIsNull):
2582         (JSValueIsBoolean):
2583         (JSValueIsNumber):
2584         (JSValueIsString):
2585         (JSValueIsObject):
2586         (JSValueIsObjectOfClass):
2587         (JSValueIsEqual):
2588         (JSValueIsStrictEqual):
2589         (JSValueIsInstanceOfConstructor):
2590         (JSValueMakeUndefined):
2591         (JSValueMakeNull):
2592         (JSValueMakeBoolean):
2593         (JSValueMakeNumber):
2594         (JSValueMakeString):
2595         (JSValueMakeFromJSONString):
2596         (JSValueCreateJSONString):
2597         (JSValueToBoolean):
2598         (JSValueToNumber):
2599         (JSValueToStringCopy):
2600         (JSValueToObject):
2601         (JSValueProtect):
2602         (JSValueUnprotect):
2603         * API/JSVirtualMachine.mm:
2604         (-[JSVirtualMachine addManagedReference:withOwner:]):
2605         (-[JSVirtualMachine removeManagedReference:withOwner:]):
2606         * API/JSWeakObjectMapRefPrivate.cpp:
2607         * API/JSWrapperMap.mm:
2608         (constructorHasInstance):
2609         (makeWrapper):
2610         (tryUnwrapObjcObject):
2611         * API/ObjCCallbackFunction.mm:
2612         (JSC::objCCallbackFunctionCallAsFunction):
2613         (JSC::objCCallbackFunctionCallAsConstructor):
2614         (objCCallbackFunctionForInvocation):
2615         * CMakeLists.txt:
2616         * ForwardingHeaders/JavaScriptCore/APIShims.h: Removed.
2617         * GNUmakefile.list.am:
2618         * JavaScriptCore.xcodeproj/project.pbxproj:
2619         * dfg/DFGWorklist.cpp:
2620         * heap/DelayedReleaseScope.h:
2621         (JSC::DelayedReleaseScope::~DelayedReleaseScope):
2622         * heap/HeapTimer.cpp:
2623         (JSC::HeapTimer::timerDidFire):
2624         (JSC::HeapTimer::timerEvent):
2625         * heap/IncrementalSweeper.cpp:
2626         * inspector/InjectedScriptModule.cpp:
2627         (Inspector::InjectedScriptModule::ensureInjected):
2628         * jsc.cpp:
2629         (jscmain):
2630         * runtime/GCActivityCallback.cpp:
2631         (JSC::DefaultGCActivityCallback::doWork):
2632         * runtime/JSGlobalObjectDebuggable.cpp:
2633         (JSC::JSGlobalObjectDebuggable::connect):
2634         (JSC::JSGlobalObjectDebuggable::disconnect):
2635         (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
2636         * runtime/JSLock.cpp:
2637         (JSC::JSLock::lock):
2638         (JSC::JSLock::didAcquireLock):
2639         (JSC::JSLock::unlock):
2640         (JSC::JSLock::willReleaseLock):
2641         (JSC::JSLock::DropAllLocks::DropAllLocks):
2642         (JSC::JSLock::DropAllLocks::~DropAllLocks):
2643         * runtime/JSLock.h:
2644         * testRegExp.cpp:
2645         (realMain):
2646
2647 2014-03-04  Commit Queue  <commit-queue@webkit.org>
2648
2649         Unreviewed, rolling out r164812.
2650         http://trac.webkit.org/changeset/164812
2651         https://bugs.webkit.org/show_bug.cgi?id=129699
2652
2653         it made things run slower (Requested by pizlo on #webkit).
2654
2655         * interpreter/Interpreter.cpp:
2656         (JSC::Interpreter::execute):
2657         * jsc.cpp:
2658         (GlobalObject::finishCreation):
2659         * runtime/BatchedTransitionOptimizer.h:
2660         (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
2661         (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
2662
2663 2014-03-02  Filip Pizlo  <fpizlo@apple.com>
2664
2665         GetMyArgumentByVal in FTL
2666         https://bugs.webkit.org/show_bug.cgi?id=128850
2667
2668         Reviewed by Oliver Hunt.
2669         
2670         This would have been easy if the OSR exit compiler's arity checks hadn't been wrong.
2671         They checked arity by doing "exec->argumentCount == codeBlock->numParameters", which
2672         caused it to think that the arity check had failed if the caller had passed more
2673         arguments than needed. This would cause the call frame copying to sort of go into
2674         reverse (because the amount-by-which-we-failed-arity would have opposite sign,
2675         throwing off a bunch of math) and the stack would end up being corrupted.
2676         
2677         The bug was revealed by two existing tests although as far as I could tell, neither
2678         test was intending to cover this case directly. So, I added a new test.
2679
2680         * ftl/FTLCapabilities.cpp:
2681         (JSC::FTL::canCompile):
2682         * ftl/FTLLowerDFGToLLVM.cpp:
2683         (JSC::FTL::LowerDFGToLLVM::compileNode):
2684         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
2685         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
2686         (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated):
2687         (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated):
2688         * ftl/FTLOSRExitCompiler.cpp:
2689         (JSC::FTL::compileStub):
2690         * ftl/FTLState.h:
2691         * tests/stress/exit-from-ftl-when-caller-passed-extra-args-then-use-function-dot-arguments.js: Added.
2692         * tests/stress/ftl-get-my-argument-by-val-inlined-and-not-inlined.js: Added.
2693         * tests/stress/ftl-get-my-argument-by-val-inlined.js: Added.
2694         * tests/stress/ftl-get-my-argument-by-val.js: Added.
2695
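The arity-check inversion described in the entry above, modeled as an added example that is not JavaScriptCore code: ToyFrame, the two predicates, missingSlots and materializeArguments are assumed names over a deliberately simplified frame layout. With the "==" predicate, a caller that passes more arguments than the callee declares is reported as an arity failure and the shortfall comes out negative, the sign flip the entry says sent the frame copy into reverse; with the "<" predicate, extras are accepted and padding happens only when arguments are actually missing.

```cpp
#include <cstddef>
#include <vector>

// Toy call frame (assumption, not JSC's real layout): the callee's declared
// parameter count and the argument values the caller actually pushed.
struct ToyFrame {
    std::size_t numParameters;
    std::vector<int> arguments;
};

// Sample frames, constructed for this example.
inline ToyFrame tooFewArgsFrame() { return ToyFrame{3, {1, 2}}; }
inline ToyFrame extraArgsFrame()  { return ToyFrame{2, {1, 2, 3}}; }

// The predicate the ChangeLog entry calls wrong: any mismatch, including the
// caller passing more arguments than declared, is reported as a failure.
inline bool arityCheckFailedBuggy(const ToyFrame& f) {
    return f.arguments.size() != f.numParameters;
}

// The intended predicate: only too few arguments fail; extras are legal.
inline bool arityCheckFailedFixed(const ToyFrame& f) {
    return f.arguments.size() < f.numParameters;
}

// Slots that must be inserted to make up the shortfall. When the buggy
// predicate fires on an extra-argument frame this is negative, the sign
// flip the entry describes as throwing off the copy math.
inline long missingSlots(const ToyFrame& f) {
    return static_cast<long>(f.numParameters) - static_cast<long>(f.arguments.size());
}

// Produce the argument vector the callee will see. Missing arguments are
// padded with `undefinedSentinel`; extra ones are kept. A negative shortfall
// is refused instead of being turned into a bogus resize, the guard a robust
// frame copy wants regardless of which predicate is in use.
inline std::vector<int> materializeArguments(const ToyFrame& f, int undefinedSentinel, bool useFixedCheck) {
    bool failed = useFixedCheck ? arityCheckFailedFixed(f) : arityCheckFailedBuggy(f);
    std::vector<int> out = f.arguments;
    if (!failed)
        return out;
    long missing = missingSlots(f);
    if (missing < 0)
        return {}; // inconsistent check result: report it instead of corrupting the frame
    out.resize(out.size() + static_cast<std::size_t>(missing), undefinedSentinel);
    return out;
}
```

The empty result from materializeArguments on the extra-argument frame under the buggy predicate is the point: the predicate and the shortfall arithmetic disagree about which direction the mismatch runs, and a copy routine that trusts both without a sign check writes the wrong number of slots.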
2696 2014-03-04  Zan Dobersek  <zdobersek@igalia.com>
2697
2698         [GTK] Build the Udis86 disassembler
2699         https://bugs.webkit.org/show_bug.cgi?id=129679
2700
2701         Reviewed by Michael Saboff.
2702
2703         * GNUmakefile.am: Generate the Udis86-related derived sources. Distribute the required files.
2704         * GNUmakefile.list.am: Add the Udis86 disassembler files to the build.
2705
2706 2014-03-04  Andreas Kling  <akling@apple.com>
2707
2708         Fix too-narrow assertion I added in r165054.
2709
2710         It's okay for a 1-character string to come in here. This will happen
2711         if the VM small string optimization doesn't apply (ch > 0xFF).
2712
2713         * runtime/JSString.h:
2714         (JSC::jsStringWithWeakOwner):
2715
2716 2014-03-04  Andreas Kling  <akling@apple.com>
2717
2718         Micro-optimize Strings in JS bindings.
2719         <https://webkit.org/b/129673>
2720
2721         Make jsStringWithWeakOwner() take a StringImpl& instead of a String.
2722         This avoids branches in length() and operator[].
2723
2724         Also call JSString::create() directly instead of jsString() and just
2725         assert that the string length is >1. This way we don't duplicate the
2726         optimizations for empty and single-character strings.
2727
2728         Reviewed by Ryosuke Niwa.
2729
2730         * runtime/JSString.h:
2731         (JSC::jsStringWithWeakOwner):
2732
2733 2014-03-04  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
2734
2735         Implement Number.prototype.clz()
2736         https://bugs.webkit.org/show_bug.cgi?id=129479
2737
2738         Reviewed by Oliver Hunt.
2739
2740         Implemented Number.prototype.clz() as specified in the ES6 standard.
2741
2742         * runtime/NumberPrototype.cpp:
2743         (JSC::numberProtoFuncClz):
2744
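A reference implementation of the Number.prototype.clz semantics the entry above refers to, added here as an example and not JavaScriptCore's numberProtoFuncClz: it follows the spec algorithm (ToUint32 of the receiver, then count leading zero bits of the 32-bit result) and the function names toUint32, clz32 and numberClz are assumptions. The edge cases are the ones worth checking in any port: zero gives 32, negative receivers wrap through ToUint32, fractions truncate, and NaN and Infinity map to 0 before counting.

```cpp
#include <cmath>
#include <cstdint>

// ES ToUint32 abstract operation: NaN, +-0 and +-Infinity give 0; otherwise
// truncate toward zero and reduce modulo 2^32, so negative inputs wrap
// (toUint32(-1) == 0xFFFFFFFF).
inline uint32_t toUint32(double d) {
    if (std::isnan(d) || std::isinf(d))
        return 0;
    const double two32 = 4294967296.0;
    double m = std::fmod(std::trunc(d), two32);
    if (m < 0)
        m += two32;
    return static_cast<uint32_t>(m);
}

// Leading-zero count of a 32-bit value. clz32(0) is 32 by definition, the
// one input a compiler builtin such as __builtin_clz leaves undefined.
inline int clz32(uint32_t v) {
    if (v == 0)
        return 32;
    int n = 0;
    for (uint32_t mask = 0x80000000u; (v & mask) == 0; mask >>= 1)
        ++n;
    return n;
}

// Number.prototype.clz for a Number receiver: ToUint32, then count.
inline int numberClz(double receiver) {
    return clz32(toUint32(receiver));
}
```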
2745 2014-03-03  Joseph Pecoraro  <pecoraro@apple.com>
2746
2747         Web Inspector: Avoid too early deref caused by RemoteInspectorXPCConnection::close
2748         https://bugs.webkit.org/show_bug.cgi?id=129631
2749
2750         Reviewed by Timothy Hatcher.
2751
2752         Avoid deref() too early if a client calls close(). The xpc_connection_close
2753         will cause another XPC_ERROR event to come in from the queue, deref then.
2754         Likewise, protect multithreaded access to m_client. If a client calls
2755         close() we want to immediately clear the pointer to prevent calls to it.
2756
2757         Overall the multi-threading aspects of RemoteInspectorXPCConnection are
2758         growing too complicated for probably little benefit. We may want to
2759         clean this up later.
2760
2761         * inspector/remote/RemoteInspector.mm:
2762         (Inspector::RemoteInspector::xpcConnectionFailed):
2763         * inspector/remote/RemoteInspectorXPCConnection.h:
2764         * inspector/remote/RemoteInspectorXPCConnection.mm:
2765         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
2766         (Inspector::RemoteInspectorXPCConnection::close):
2767         (Inspector::RemoteInspectorXPCConnection::closeOnQueue):
2768         (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
2769         (Inspector::RemoteInspectorXPCConnection::handleEvent):
2770         (Inspector::RemoteInspectorXPCConnection::sendMessage):
2771
2772 2014-03-03  Michael Saboff  <msaboff@apple.com>
2773
2774         AbstractMacroAssembler::CachedTempRegister should start out invalid
2775         https://bugs.webkit.org/show_bug.cgi?id=129657
2776
2777         Reviewed by Filip Pizlo.
2778
2779         * assembler/AbstractMacroAssembler.h:
2780         (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
2781         - Invalidate all cached registers in constructor as we don't know the
2782           contents of any register at the entry to the code we are going to
2783           generate.
2784
2785 2014-03-03  Andreas Kling  <akling@apple.com>
2786
2787         StructureOrOffset should be fastmalloced.
2788         <https://webkit.org/b/129640>
2789
2790         Reviewed by Geoffrey Garen.
2791
2792         * runtime/StructureIDTable.h:
2793
2794 2014-03-03  Michael Saboff  <msaboff@apple.com>
2795
2796         Crash in JIT code while watching a video @ storyboard.tumblr.com
2797         https://bugs.webkit.org/show_bug.cgi?id=129635
2798
2799         Reviewed by Filip Pizlo.
2800
2801         Clear m_set before we set bits in the TempRegisterSet(const RegisterSet& other)
2802         constructor.
2803
2804         * jit/TempRegisterSet.cpp:
2805         (JSC::TempRegisterSet::TempRegisterSet): Clear map before setting it.
2806         * jit/TempRegisterSet.h:
2807         (JSC::TempRegisterSet::TempRegisterSet): Use new clearAll() helper.
2808         (JSC::TempRegisterSet::clearAll): New private helper.
2809
2810 2014-03-03  Benjamin Poulain  <benjamin@webkit.org>
2811
2812         [x86] Improve code generation of byte test
2813         https://bugs.webkit.org/show_bug.cgi?id=129597
2814
2815         Reviewed by Geoffrey Garen.
2816
2817         When possible, test the 8 bit register to itself instead of comparing it
2818         to a literal.
2819
2820         * assembler/MacroAssemblerX86Common.h:
2821         (JSC::MacroAssemblerX86Common::test32):
2822
2823 2014-03-03  Mark Lam  <mark.lam@apple.com>
2824
2825         Web Inspector: debugger statements do not break.
2826         <https://webkit.org/b/129524>
2827
2828         Reviewed by Geoff Garen.
2829
2830         Since we no longer call op_debug hooks unless there is a debugger request
2831         made on the CodeBlock, the op_debug for the debugger statement never gets
2832         serviced.
2833
2834         With this fix, we check in the CodeBlock constructor if any debugger
2835         statements are present.  If so, we set an m_hasDebuggerStatement flag that
2836         causes the CodeBlock to show as having debugger requests.  Hence,
2837         breaking at debugger statements is now restored.
2838
2839         * bytecode/CodeBlock.cpp:
2840         (JSC::CodeBlock::CodeBlock):
2841         * bytecode/CodeBlock.h:
2842         (JSC::CodeBlock::hasDebuggerRequests):
2843         (JSC::CodeBlock::clearDebuggerRequests):
2844
2845 2014-03-03  Mark Lam  <mark.lam@apple.com>
2846
2847         ASSERTION FAILED: m_numBreakpoints >= numBreakpoints when deleting breakpoints.
2848         <https://webkit.org/b/129393>
2849
2850         Reviewed by Geoffrey Garen.
2851
2852         The issue manifests because the debugger will iterate all CodeBlocks in
2853         the heap when setting / clearing breakpoints, but it is possible for a
2854         CodeBlock to have been instantiated but is not yet registered with the
2855         debugger.  This can happen because of the following:
2856
2857         1. DFG worklist compilation is still in progress, and the target
2858            codeBlock is not ready for installation in its executable yet.
2859
2860         2. DFG compilation failed and we have a codeBlock that will never be
2861            installed in its executable, and the codeBlock has not been cleaned
2862            up by the GC yet.
2863
2864         The code for installing the codeBlock in its executable is the same code
2865         that registers it with the debugger.  Hence, these codeBlocks are not
2866         registered with the debugger, and any pending breakpoints that would map
2867         to that CodeBlock are as yet unset or will never be set.  As such, an
2868         attempt to remove a breakpoint in that CodeBlock will fail that assertion.
2869
2870         To fix this, we do the following:
2871
2872         1. We'll eagerly clean up any zombie CodeBlocks due to failed DFG / FTL
2873            compilation.  This is achieved by providing a
2874            DeferredCompilationCallback::compilationDidComplete() that does this
2875            clean up, and have all subclasses call it at the end of their
2876            compilationDidComplete() methods.
2877
2878         2. Before the debugger or profiler iterates CodeBlocks in the heap, they
2879            will wait for all compilations to complete before proceeding.  This
2880            ensures that:
2881            1. any zombie CodeBlocks would have been cleaned up, and won't be
2882               seen by the debugger or profiler.
2883            2. all CodeBlocks that the debugger and profiler need to operate on
2884               will be "ready" for whatever needs to be done to them, e.g.
2885               jettisoning of DFG codeBlocks.
2886
2887         * bytecode/DeferredCompilationCallback.cpp:
2888         (JSC::DeferredCompilationCallback::compilationDidComplete):
2889         * bytecode/DeferredCompilationCallback.h:
2890         - Provide default implementation method to clean up zombie CodeBlocks.
2891
2892         * debugger/Debugger.cpp:
2893         (JSC::Debugger::forEachCodeBlock):
2894         - Utility function to iterate CodeBlocks.  It ensures that all compilations
2895           are complete before proceeding.
2896         (JSC::Debugger::setSteppingMode):
2897         (JSC::Debugger::toggleBreakpoint):
2898         (JSC::Debugger::recompileAllJSFunctions):
2899         (JSC::Debugger::clearBreakpoints):
2900         (JSC::Debugger::clearDebuggerRequests):
2901         - Use the utility iterator function.
2902
2903         * debugger/Debugger.h:
2904         * dfg/DFGOperations.cpp:
2905         - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.
2906
2907         * dfg/DFGPlan.cpp:
2908         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
2909         - Remove unneeded code (that was not the best solution anyway) for ensuring
2910           that we don't generate new DFG codeBlocks after enabling the debugger or
2911           profiler.  Now that we wait for compilations to complete before proceeding
2912           with debugger and profiler work, this scenario will never happen.
2913
2914         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
2915         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
2916         - Call the super class method to clean up zombie codeBlocks.
2917
2918         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
2919         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
2920         - Call the super class method to clean up zombie codeBlocks.
2921
2922         * heap/CodeBlockSet.cpp:
2923         (JSC::CodeBlockSet::remove):
2924         * heap/CodeBlockSet.h:
2925         * heap/Heap.h:
2926         (JSC::Heap::removeCodeBlock):
2927         - New method to remove a codeBlock from the codeBlock set.
2928
2929         * jit/JITOperations.cpp:
2930         - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.
2931
2932         * jit/JITToDFGDeferredCompilationCallback.cpp:
2933         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
2934         - Call the super class method to clean up zombie codeBlocks.
2935
2936         * runtime/VM.cpp:
2937         (JSC::VM::waitForCompilationsToComplete):
2938         - Renamed from prepareToDiscardCode() to be clearer about what it does.
2939
2940         (JSC::VM::discardAllCode):
2941         (JSC::VM::releaseExecutableMemory):
2942         (JSC::VM::setEnabledProfiler):
2943         - Wait for compilation to complete before enabling the profiler.
2944
2945         * runtime/VM.h:
2946
2947 2014-03-03  Brian Burg  <bburg@apple.com>
2948
2949         Another unreviewed build fix attempt for Windows after r164986.
2950
2951         We never told Visual Studio to copy over the web replay code generator scripts
2952         and the generated headers for JavaScriptCore replay inputs as if they were
2953         private headers.
2954
2955         * JavaScriptCore.vcxproj/copy-files.cmd:
2956
2957 2014-03-03  Brian Burg  <bburg@apple.com>
2958
2959         Web Replay: upstream input storage, capture/replay machinery, and inspector domain
2960         https://bugs.webkit.org/show_bug.cgi?id=128782
2961
2962         Reviewed by Timothy Hatcher.
2963
2964         Alter the replay inputs code generator so that it knows when it is necessary
2965         to include headers for HEAVY_SCALAR types such as WTF::String and WebCore::URL.
2966
2967         * JavaScriptCore.xcodeproj/project.pbxproj:
2968         * replay/scripts/CodeGeneratorReplayInputs.py:
2969         (Framework.fromString):
2970         (Frameworks): Add WTF as an allowed framework for code generation.
2971         (Generator.generate_includes): Include headers for HEAVY_SCALAR types in the header file.
2972         (Generator.generate_includes.declaration):
2973         (Generator.generate_includes.or):
2974         (Generator.generate_type_forward_declarations): Skip HEAVY_SCALAR types.
2975
2976 2014-03-02  Filip Pizlo  <fpizlo@apple.com>
2977
2978         PolymorphicPutByIdList should have a simpler construction API with basically a single entrypoint
2979         https://bugs.webkit.org/show_bug.cgi?id=129591
2980
2981         Reviewed by Michael Saboff.
2982
2983         * bytecode/PolymorphicPutByIdList.cpp:
2984         (JSC::PutByIdAccess::fromStructureStubInfo): This function can figure out the slow path target for itself.
2985         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList): This constructor should be private, only from() should call it.
2986         (JSC::PolymorphicPutByIdList::from):
2987         * bytecode/PolymorphicPutByIdList.h:
2988         (JSC::PutByIdAccess::stubRoutine):
2989         * jit/Repatch.cpp:
2990         (JSC::tryBuildPutByIdList): Don't pass the slow path target since it can be derived from the stubInfo.
2991
2992 2014-03-02  Filip Pizlo  <fpizlo@apple.com>
2993
2994         Debugging improvements from my gbemu investigation session
2995         https://bugs.webkit.org/show_bug.cgi?id=129599
2996
2997         Reviewed by Mark Lam.
2998         
2999         Various improvements from when I was investigating bug 129411.
3000
3001         * bytecode/CodeBlock.cpp:
3002         (JSC::CodeBlock::optimizationThresholdScalingFactor): Make the dataLog() statement print the actual multiplier.
3003         * jsc.cpp:
3004         (GlobalObject::finishCreation):
3005         (functionDescribe): Make describe() return a string rather than printing the string.
3006         (functionDescribeArray): Like describe(), but prints details about arrays.
3007
3008 2014-02-25  Andreas Kling  <akling@apple.com>
3009
3010         JSDOMWindow::commonVM() should return a reference.
3011         <https://webkit.org/b/129293>
3012
3013         Added a DropAllLocks constructor that takes VM& without null checks.
3014
3015         Reviewed by Geoff Garen.
3016
3017 2014-03-02  Mark Lam  <mark.lam@apple.com>
3018
3019         CodeBlock::hasDebuggerRequests() should return a bool instead of an int.
3020         <https://webkit.org/b/129584>
3021
3022         Reviewed by Darin Adler.
3023
3024         * bytecode/CodeBlock.h:
3025         (JSC::CodeBlock::hasDebuggerRequests):
3026
3027 2014-03-02  Mark Lam  <mark.lam@apple.com>
3028
3029         Clean up use of Options::enableConcurrentJIT().
3030         <https://webkit.org/b/129582>
3031
3032         Reviewed by Filip Pizlo.
3033
3034         DFG Driver was conditionally checking Options::enableConcurrentJIT()
3035         only if ENABLE(CONCURRENT_JIT).  Otherwise, it bypasses it with a local
3036         enableConcurrentJIT set to false.
3037
3038         Instead we should configure Options::enableConcurrentJIT() to be false
3039         in Options.cpp if !ENABLE(CONCURRENT_JIT), and DFG Driver should always
3040         check Options::enableConcurrentJIT().  This makes the code read a little
3041         cleaner.
3042
3043         * dfg/DFGDriver.cpp:
3044         (JSC::DFG::compileImpl):
3045         * runtime/Options.cpp:
3046         (JSC::recomputeDependentOptions):
3047
3048 2014-03-01  Filip Pizlo  <fpizlo@apple.com>
3049
3050         This shouldn't have been a layout test since it runs only under jsc. Moving it to JSC
3051         stress tests.
3052
3053         * tests/stress/generational-opaque-roots.js: Copied from LayoutTests/js/script-tests/generational-opaque-roots.js.
3054
3055 2014-03-01  Andreas Kling  <akling@apple.com>
3056
3057         JSCell::fastGetOwnProperty() should get the Structure more efficiently.
3058         <https://webkit.org/b/129560>
3059
3060         Now that structure() is nontrivial and we have a faster structure(VM&),
3061         make use of that in fastGetOwnProperty() since we already have VM.
3062
3063         Reviewed by Sam Weinig.
3064
3065         * runtime/JSCellInlines.h:
3066         (JSC::JSCell::fastGetOwnProperty):
3067
3068 2014-03-01  Andreas Kling  <akling@apple.com>
3069
3070         Avoid going through ExecState for VM when we already have it (in some places.)
3071         <https://webkit.org/b/129554>
3072
3073         Tweak some places that jump through unnecessary hoops to get the VM.
3074         There are many more like this.
3075
3076         Reviewed by Sam Weinig.
3077
3078         * runtime/JSObject.cpp:
3079         (JSC::JSObject::putByIndexBeyondVectorLength):
3080         (JSC::JSObject::putDirectIndexBeyondVectorLength):
3081         * runtime/ObjectPrototype.cpp:
3082         (JSC::objectProtoFuncToString):
3083
3084 2014-02-28  Filip Pizlo  <fpizlo@apple.com>
3085
3086         FTL should support PhantomArguments
3087         https://bugs.webkit.org/show_bug.cgi?id=113986
3088
3089         Reviewed by Oliver Hunt.
3090         
3091         Adding PhantomArguments to the FTL mostly means wiring the recovery of the Arguments
3092         object into the FTL's OSR exit compiler.
3093         
3094         This isn't a speed-up yet, since there is still more to be done to fully support
3095         all of the arguments craziness that our varargs benchmarks do.
3096
3097         * dfg/DFGOSRExitCompiler32_64.cpp:
3098         (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
3099         * dfg/DFGOSRExitCompiler64.cpp:
3100         (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
3101         * dfg/DFGOSRExitCompilerCommon.cpp:
3102         (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator):
3103         (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator):
3104         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): this is the common place for the recovery code
3105         * dfg/DFGOSRExitCompilerCommon.h:
3106         * ftl/FTLCapabilities.cpp:
3107         (JSC::FTL::canCompile):
3108         * ftl/FTLExitValue.cpp:
3109         (JSC::FTL::ExitValue::dumpInContext):
3110         * ftl/FTLExitValue.h:
3111         (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated):
3112         (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated):
3113         (JSC::FTL::ExitValue::valueFormat):
3114         * ftl/FTLLowerDFGToLLVM.cpp:
3115         (JSC::FTL::LowerDFGToLLVM::compileNode):
3116         (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments):
3117         (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
3118         (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
3119         * ftl/FTLOSRExitCompiler.cpp:
3120         (JSC::FTL::compileStub): Call into the ArgumentsRecoveryGenerator
3121         * tests/stress/slightly-more-difficult-to-fold-reflective-arguments-access.js: Added.
3122         * tests/stress/trivially-foldable-reflective-arguments-access.js: Added.
3123
3124 2014-02-28  Filip Pizlo  <fpizlo@apple.com>
3125
3126         Unreviewed, uncomment some code. It wasn't meant to be commented in the first place.
3127
3128         * dfg/DFGCSEPhase.cpp:
3129         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
3130
3131 2014-02-28  Andreas Kling  <akling@apple.com>
3132
3133         JSObject::findPropertyHashEntry() should take VM instead of ExecState.
3134         <https://webkit.org/b/129529>
3135
3136         Callers already have VM in a local, and findPropertyHashEntry() only
3137         uses the VM, no need to go all the way through ExecState.
3138
3139         Reviewed by Geoffrey Garen.
3140
3141         * runtime/JSObject.cpp:
3142         (JSC::JSObject::put):
3143         (JSC::JSObject::deleteProperty):
3144         (JSC::JSObject::findPropertyHashEntry):
3145         * runtime/JSObject.h:
3146
3147 2014-02-28  Joseph Pecoraro  <pecoraro@apple.com>
3148
3149         Deadlock remotely inspecting iOS Simulator
3150         https://bugs.webkit.org/show_bug.cgi?id=129511
3151
3152         Reviewed by Timothy Hatcher.
3153
3154         Avoid synchronous setup. Do it asynchronously, and let
3155         the RemoteInspector singleton know later if it failed.
3156
3157         * inspector/remote/RemoteInspector.h:
3158         * inspector/remote/RemoteInspector.mm:
3159         (Inspector::RemoteInspector::setupFailed):
3160         * inspector/remote/RemoteInspectorDebuggableConnection.h:
3161         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
3162         (Inspector::RemoteInspectorDebuggableConnection::setup):
3163
3164 2014-02-28  Oliver Hunt  <oliver@apple.com>
3165
3166         REGRESSION(r164835): It broke 10 JSC stress test on 32 bit platforms
3167         https://bugs.webkit.org/show_bug.cgi?id=129488
3168
3169         Reviewed by Mark Lam.
3170
3171         Whoops, modify the right register.
3172
3173         * jit/JITCall32_64.cpp:
3174         (JSC::JIT::compileLoadVarargs):
3175
3176 2014-02-28  Filip Pizlo  <fpizlo@apple.com>
3177
3178         FTL should be able to call sin/cos directly on platforms where the intrinsic is busted
3179         https://bugs.webkit.org/show_bug.cgi?id=129503
3180
3181         Reviewed by Mark Lam.
3182
3183         * ftl/FTLIntrinsicRepository.h:
3184         * ftl/FTLOutput.h:
3185         (JSC::FTL::Output::doubleSin):
3186         (JSC::FTL::Output::doubleCos):
3187         (JSC::FTL::Output::intrinsicOrOperation):
3188
3189 2014-02-28  Mark Hahnenberg  <mhahnenberg@apple.com>
3190
3191         Fix !ENABLE(GGC) builds
3192
3193         * heap/Heap.cpp:
3194         (JSC::Heap::markRoots):
3195         (JSC::Heap::gatherJSStackRoots): Also fix one of the names of the GC phases.
3196
3197 2014-02-27  Mark Hahnenberg  <mhahnenberg@apple.com>
3198
3199         Clean up Heap::collect and Heap::markRoots
3200         https://bugs.webkit.org/show_bug.cgi?id=129464
3201
3202         Reviewed by Geoffrey Garen.
3203
3204         These functions have built up a lot of cruft recently. 
3205         We should do a bit of cleanup to make them easier to grok.
3206
3207         * heap/Heap.cpp:
3208         (JSC::Heap::finalizeUnconditionalFinalizers):
3209         (JSC::Heap::gatherStackRoots):
3210         (JSC::Heap::gatherJSStackRoots):
3211         (JSC::Heap::gatherScratchBufferRoots):
3212         (JSC::Heap::clearLivenessData):
3213         (JSC::Heap::visitSmallStrings):
3214         (JSC::Heap::visitConservativeRoots):
3215         (JSC::Heap::visitCompilerWorklists):
3216         (JSC::Heap::markProtectedObjects):
3217         (JSC::Heap::markTempSortVectors):
3218         (JSC::Heap::markArgumentBuffers):
3219         (JSC::Heap::visitException):
3220         (JSC::Heap::visitStrongHandles):
3221         (JSC::Heap::visitHandleStack):
3222         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
3223         (JSC::Heap::converge):
3224         (JSC::Heap::visitWeakHandles):
3225         (JSC::Heap::clearRememberedSet):
3226         (JSC::Heap::updateObjectCounts):
3227         (JSC::Heap::resetVisitors):
3228         (JSC::Heap::markRoots):
3229         (JSC::Heap::copyBackingStores):
3230         (JSC::Heap::deleteUnmarkedCompiledCode):
3231         (JSC::Heap::collect):
3232         (JSC::Heap::collectIfNecessaryOrDefer):
3233         (JSC::Heap::suspendCompilerThreads):
3234         (JSC::Heap::willStartCollection):
3235         (JSC::Heap::deleteOldCode):
3236         (JSC::Heap::flushOldStructureIDTables):
3237         (JSC::Heap::flushWriteBarrierBuffer):
3238         (JSC::Heap::stopAllocation):
3239         (JSC::Heap::reapWeakHandles):
3240         (JSC::Heap::sweepArrayBuffers):
3241         (JSC::Heap::snapshotMarkedSpace):
3242         (JSC::Heap::deleteSourceProviderCaches):
3243         (JSC::Heap::notifyIncrementalSweeper):
3244         (JSC::Heap::rememberCurrentlyExecutingCodeBlocks):
3245         (JSC::Heap::resetAllocators):
3246         (JSC::Heap::updateAllocationLimits):
3247         (JSC::Heap::didFinishCollection):
3248         (JSC::Heap::resumeCompilerThreads):
3249         * heap/Heap.h:
3250
3251 2014-02-27  Ryosuke Niwa  <rniwa@webkit.org>
3252
3253         indexOf and lastIndexOf shouldn't resolve ropes when needle is longer than haystack
3254         https://bugs.webkit.org/show_bug.cgi?id=129466
3255
3256         Reviewed by Michael Saboff.
3257
3258         Refactored the code to avoid calling JSString::value when needle is longer than haystack.
3259
3260         * runtime/StringPrototype.cpp:
3261         (JSC::stringProtoFuncIndexOf):
3262         (JSC::stringProtoFuncLastIndexOf):
3263
3264 2014-02-27  Timothy Hatcher  <timothy@apple.com>
3265
3266         Improve how ContentSearchUtilities::lineEndings works by supporting the three common line endings.
3267
3268         https://bugs.webkit.org/show_bug.cgi?id=129458
3269
3270         Reviewed by Joseph Pecoraro.
3271
3272         * inspector/ContentSearchUtilities.cpp:
3273         (Inspector::ContentSearchUtilities::textPositionFromOffset): Remove assumption about line ending length.
3274         (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Remove assumption about
3275         line ending type and don't try to strip the line ending. Use size_t.
3276         (Inspector::ContentSearchUtilities::lineEndings): Use findNextLineStart to find the lines.
3277         This will include the line ending in the lines, but that is okay.
3278         (Inspector::ContentSearchUtilities::buildObjectForSearchMatch): Use size_t.
3279         (Inspector::ContentSearchUtilities::searchInTextByLines): Modernize.
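
        The line-splitting and offset-to-position logic described in this entry, as an
        added illustration that is not the WebKit ContentSearchUtilities code: it treats
        "\n", "\r\n" and a bare "\r" as line terminators (a "\r" directly followed by
        "\n" counts once), keeps the terminator inside the line it ends, and maps a
        character offset back to a zero-based (line, column) without assuming any fixed
        terminator length. The function names and the sample input are assumptions for
        the example.

```cpp
#include <algorithm>
#include <cstddef>
#include <string>
#include <vector>

// Offsets at which each line starts. Offset 0 always starts the first line.
// Recognises "\n", "\r\n" and a bare "\r" as terminators; a "\r" immediately
// followed by "\n" is a single terminator, not two.  (Illustrative code, not
// WebKit's findNextLineStart.)
std::vector<size_t> lineStartOffsets(const std::string& text)
{
    std::vector<size_t> starts;
    starts.push_back(0);
    for (size_t i = 0; i < text.size(); ++i) {
        char c = text[i];
        if (c == '\n') {
            starts.push_back(i + 1);
        } else if (c == '\r') {
            if (i + 1 < text.size() && text[i + 1] == '\n')
                ++i; // consume the "\n" half of a CRLF pair
            starts.push_back(i + 1);
        }
    }
    return starts;
}

struct TextPosition {
    size_t line;   // zero-based
    size_t column; // zero-based offset within the line, terminator included
};

// Map a character offset to (line, column) by binary search over the line
// starts, so no assumption about terminator length is needed.
TextPosition textPositionFromOffset(size_t offset, const std::vector<size_t>& starts)
{
    auto it = std::upper_bound(starts.begin(), starts.end(), offset);
    size_t line = static_cast<size_t>(it - starts.begin()) - 1;
    return { line, offset - starts[line] };
}

// Number of lines; a trailing terminator starts an (empty) final line, which is
// the "line ending included in the line" convention the entry describes.
size_t lineCount(const std::string& text)
{
    return lineStartOffsets(text).size();
}

// Constructed sample mixing all three terminators in one buffer.
const std::string kMixedSample = "ab\ncd\r\nef\rgh";
```

        With the sample above the line starts are 0, 3, 7 and 10, so offset 4 ("d")
        resolves to line 1, column 1, and offset 6 (the "\n" of the CRLF pair) stays on
        line 1 rather than opening a phantom empty line.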
3280
3281 2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>
3282
3283         [Mac] Warning: Multiple build commands for output file GCSegmentedArray and InspectorAgent
3284         https://bugs.webkit.org/show_bug.cgi?id=129446
3285
3286         Reviewed by Timothy Hatcher.
3287
3288         Remove duplicate header entries in Copy Header build phase.
3289
3290         * JavaScriptCore.xcodeproj/project.pbxproj:
3291
3292 2014-02-27  Oliver Hunt  <oliver@apple.com>
3293
3294         Whoops, include all of last patch.
3295
3296         * jit/JITCall32_64.cpp:
3297         (JSC::JIT::compileLoadVarargs):
3298
3299 2014-02-27  Oliver Hunt  <oliver@apple.com>
3300
3301         Slow cases for function.apply and function.call should not require vm re-entry
3302         https://bugs.webkit.org/show_bug.cgi?id=129454
3303
3304         Reviewed by Geoffrey Garen.
3305
3306         Implement call and apply using builtins. Happily the use
3307         of @call and @apply doesn't perform function equality checks
3308         and just plants direct var_args calls. This did expose a few
3309         codegen issues, but they're all covered by existing tests
3310         once call and apply are implemented in JS.
3311
3312         * JavaScriptCore.xcodeproj/project.pbxproj:
3313         * builtins/Function.prototype.js: Added.
3314         (call):
3315         (apply):
3316         * bytecompiler/NodesCodegen.cpp:
3317         (JSC::CallFunctionCallDotNode::emitBytecode):
3318         (JSC::ApplyFunctionCallDotNode::emitBytecode):
3319         * dfg/DFGCapabilities.cpp:
3320         (JSC::DFG::capabilityLevel):
3321         * interpreter/Interpreter.cpp:
3322         (JSC::sizeFrameForVarargs):
3323         (JSC::loadVarargs):
3324         * interpreter/Interpreter.h:
3325         * jit/JITCall.cpp:
3326         (JSC::JIT::compileLoadVarargs):
3327         * parser/ASTBuilder.h:
3328         (JSC::ASTBuilder::makeFunctionCallNode):
3329         * parser/Lexer.cpp:
3330         (JSC::isSafeBuiltinIdentifier):
3331         * runtime/CommonIdentifiers.h:
3332         * runtime/FunctionPrototype.cpp:
3333         (JSC::FunctionPrototype::addFunctionProperties):
3334         * runtime/JSObject.cpp:
3335         (JSC::JSObject::putDirectBuiltinFunction):
3336         (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
3337         * runtime/JSObject.h:
3338
3339 2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>
3340
3341         Web Inspector: Better name for RemoteInspectorDebuggableConnection dispatch queue
3342         https://bugs.webkit.org/show_bug.cgi?id=129443
3343
3344         Reviewed by Timothy Hatcher.
3345
3346         This queue is specific to the JSContext debuggable connections,
3347         there is no XPC involved. Give it a better name.
3348
3349         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
3350         (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
3351
3352 2014-02-27  David Kilzer  <ddkilzer@apple.com>
3353
3354         Remove jsc symlink if it already exists
3355
3356         This is a follow-up fix for:
3357
3358         Create symlink to /usr/local/bin/jsc during installation
3359         <http://webkit.org/b/129399>
3360         <rdar://problem/16168734>
3361
3362         * JavaScriptCore.xcodeproj/project.pbxproj:
3363         (Create /usr/local/bin/jsc symlink): If a jsc symlink already
3364         exists where we're about to create the symlink, remove the old
3365         one first.
3366
3367 2014-02-27  Michael Saboff  <msaboff@apple.com>
3368
3369         Unreviewed build fix for Mac tools after r164814
3370
3371         * Configurations/ToolExecutable.xcconfig:
3372         - Added JavaScriptCore.framework/PrivateHeaders to ToolExecutable include path.
3373         * JavaScriptCore.xcodeproj/project.pbxproj:
3374         - Changed productName to testRegExp for testRegExp target.
3375
3376 2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>
3377
3378         Web Inspector: JSContext inspection should report exceptions in the console
3379         https://bugs.webkit.org/show_bug.cgi?id=128776
3380
3381         Reviewed by Timothy Hatcher.
3382
3383         When JavaScript API functions have an exception, let the inspector
3384         know so it can log the JavaScript and Native backtrace that caused
3385         the exception.
3386
3387         Include some clean up of ConsoleMessage and ScriptCallStack construction.
3388
3389         * API/JSBase.cpp:
3390         (JSEvaluateScript):
3391         (JSCheckScriptSyntax):
3392         * API/JSObjectRef.cpp:
3393         (JSObjectMakeFunction):
3394         (JSObjectMakeArray):
3395         (JSObjectMakeDate):
3396         (JSObjectMakeError):
3397         (JSObjectMakeRegExp):
3398         (JSObjectGetProperty):
3399         (JSObjectSetProperty):
3400         (JSObjectGetPropertyAtIndex):
3401         (JSObjectSetPropertyAtIndex):
3402         (JSObjectDeleteProperty):
3403         (JSObjectCallAsFunction):
3404         (JSObjectCallAsConstructor):
3405         * API/JSValue.mm:
3406         (reportExceptionToInspector):
3407         (valueToArray):
3408         (valueToDictionary):
3409         * API/JSValueRef.cpp:
3410         (JSValueIsEqual):
3411         (JSValueIsInstanceOfConstructor):
3412         (JSValueCreateJSONString):
3413         (JSValueToNumber):
3414         (JSValueToStringCopy):
3415         (JSValueToObject):
3416         When seeing an exception, let the inspector know there was an exception.
3417