Object.prototype.toString() should use cached strings for null/undefined.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2014-05-24  Andreas Kling  <akling@apple.com>
2
3         Object.prototype.toString() should use cached strings for null/undefined.
4         <https://webkit.org/b/133261>
5
6         Normally, when calling Object.prototype.toString() on a regular object,
7         we'd cache the result of the stringification on the object's structure,
8         making repeated calls fast.
9
10         For null and undefined, we were not as smart. We'd instead construct a
11         new string with either "[object Null]" or "[object Undefined]" each time.
12
13         This was exposed by Dromaeo's JS library tests, where some prototype.js
14         subtests generate millions of strings this way.
15
16         This patch adds two VM-permanent cached strings to the SmallStrings.
17         Looks like ~10% speed-up on Dromaeo/jslib-traverse-prototype.html
18
19         Reviewed by Darin Adler.
20
21         * runtime/ObjectPrototype.cpp:
22         (JSC::objectProtoFuncToString):
23         * runtime/SmallStrings.cpp:
24         (JSC::SmallStrings::SmallStrings):
25         (JSC::SmallStrings::initializeCommonStrings):
26         (JSC::SmallStrings::visitStrongReferences):
27         * runtime/SmallStrings.h:
28         (JSC::SmallStrings::nullObjectString):
29         (JSC::SmallStrings::undefinedObjectString):
30
31 2014-05-23  Mark Hahnenberg  <mhahnenberg@apple.com>
32
33         Remove operationCallGetter
34
35         Rubber stamped by Filip Pizlo.
36
37         Nobody calls this function.
38
39         * JavaScriptCore.order:
40         * jit/JITOperations.cpp:
41         * jit/JITOperations.h:
42
43 2014-05-23  Andreas Kling  <akling@apple.com>
44
45         Templatize GC's destructor invocation for dtor type.
46         <https://webkit.org/b/133231>
47
48         Get rid of a branch in callDestructor() by templatizing it for
49         the DestructorType. Removed JSCell::methodTableForDestruction()
50         since this was the only call site and it was jumping through
51         a bunch of unnecessary hoops.
52
53         Reviewed by Geoffrey Garen.
54
55         * heap/MarkedBlock.cpp:
56         (JSC::MarkedBlock::callDestructor):
57         (JSC::MarkedBlock::specializedSweep):
58         * heap/MarkedBlock.h:
59         * runtime/JSCell.h:
60         * runtime/JSCellInlines.h:
61         (JSC::JSCell::methodTableForDestruction): Deleted.
62
63 2014-05-23  Andreas Kling  <akling@apple.com>
64
65         Support inline caching of RegExpMatchesArray.length
66         <https://webkit.org/b/133234>
67
68         Give RegExpMatchesArray.length the same treatment as JSArray in
69         repatch so we don't have to go out of line on every access.
70
71         ~13% speed-up on Octane/regexp.
72
73         Reviewed by Geoffrey Garen.
74
75         * jit/Repatch.cpp:
76         (JSC::tryCacheGetByID):
77         * runtime/RegExpMatchesArray.h:
78         (JSC::isRegExpMatchesArray):
79
80 2014-05-22  Mark Lam  <mark.lam@apple.com>
81
82         REGRESSION(r154797): Debugger crashes when stepping over an uncaught exception.
83         <https://webkit.org/b/133182>
84
85         Reviewed by Oliver Hunt.
86
87         Before r154797, we used to clear the VM exception before calling into the
88         debugger.  After r154797, we don't.  This patch will restore this clearing
89         of the exception before calling into the debugger.
90
91         Also added assertions after returning from calls into the debugger to
92         ensure that the debugger did not introduce any exceptions.
93
94         * interpreter/Interpreter.cpp:
95         (JSC::unwindCallFrame):
96         (JSC::Interpreter::unwind):
97         (JSC::Interpreter::debug):
98         - Fixed the assertion here.  Interpreter::debug() should never be called
99           with a pending exception.  Debugger callbacks for exceptions should be
100           handled by Interpreter::unwind() and Interpreter::unwindCallFrame().
101
102 2014-05-21  Filip Pizlo  <fpizlo@apple.com>
103
104         Store barrier elision should run after DCE in both the DFG path and the FTL path
105         https://bugs.webkit.org/show_bug.cgi?id=129718
106
107         Rubber stamped by Mark Hahnenberg.
108
109         * dfg/DFGPlan.cpp:
110         (JSC::DFG::Plan::compileInThreadImpl):
111
112 2014-05-21  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>
113
114         [EFL] Add include path of compact_unwind_encoding.h if FTL JIT is enabled
115         https://bugs.webkit.org/show_bug.cgi?id=132907
116
117         Reviewed by Gyuyoung Kim.
118
119         * CMakeLists.txt:
120
121 2014-05-16  Martin Robinson  <mrobinson@igalia.com>
122
123         [CMake] Improve handling of LIB_INSTALL_DIR, EXEC_INSTALL_DIR, and LIBEXEC_INSTALL_DIR
124         https://bugs.webkit.org/show_bug.cgi?id=132819
125
126         Reviewed by Carlos Garcia Campos.
127
128         * javascriptcoregtk.pc.in: Instead of using the special pkg-config variables,
129         use the common CMake ones directly.
130
131 2014-05-21  Filip Pizlo  <fpizlo@apple.com>
132
133         Unreviewed, roll out http://trac.webkit.org/changeset/169159.
134         
135         This was a unilateral change and wasn't properly reviewed.
136
137         * tests/mozilla/mozilla-tests.yaml:
138
139 2014-05-21  Antoine Quint  <graouts@webkit.org>
140
141         Array.prototype.find and findIndex should skip holes
142         https://bugs.webkit.org/show_bug.cgi?id=132658
143
144         Reviewed by Geoffrey Garen.
145
146         Skip holes in the array when iterating such that the callback isn't called.
147
148         * builtins/Array.prototype.js:
149         (find):
150         (findIndex):
151
152 2014-05-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
153
154         REGRESSION(r169092 and r169102): Skip failing JSC tests on ARM64 properly
155         https://bugs.webkit.org/show_bug.cgi?id=133149
156
157         Reviewed by Csaba Osztrogonác.
158
159         * tests/mozilla/mozilla-tests.yaml:
160
161 2014-05-20  Geoffrey Garen  <ggaren@apple.com>
162
163         Rolled out <http://trac.webkit.org/changeset/166184>
164         https://bugs.webkit.org/show_bug.cgi?id=133144
165
166         Reviewed by Gavin Barraclough.
167
168         It caused a performance regression.
169
170         * heap/BlockAllocator.cpp:
171         (JSC::BlockAllocator::blockFreeingThreadStartFunc):
172
173 2014-05-20  Filip Pizlo  <fpizlo@apple.com>
174
175         DFG prediction propagation should agree with fixup phase over the return type of GetByVal
176         https://bugs.webkit.org/show_bug.cgi?id=133134
177
178         Reviewed by Mark Hahnenberg.
179         
180         Make prediction propagator use ArrayMode refinement to decide the return type.
181         
182         Also introduce a heap prediction intrinsic that allows us to test weird corner cases
183         like this. The only way we'll see a mismatch like this in the real world is probably
184         through a gnarly race condition.
185
186         * dfg/DFGByteCodeParser.cpp:
187         (JSC::DFG::ByteCodeParser::handleIntrinsic):
188         * dfg/DFGNode.h:
189         (JSC::DFG::Node::setHeapPrediction):
190         * dfg/DFGPredictionPropagationPhase.cpp:
191         (JSC::DFG::PredictionPropagationPhase::propagate):
192         * jsc.cpp:
193         (GlobalObject::finishCreation):
194         (functionFalse1):
195         (functionFalse2):
196         (functionUndefined1):
197         (functionUndefined2):
198         (functionFalse): Deleted.
199         (functionOtherFalse): Deleted.
200         (functionUndefined): Deleted.
201         * runtime/Intrinsic.h:
202         * tests/stress/get-by-val-double-predicted-int.js: Added.
203         (foo):
204
205 2014-05-20  Mark Hahnenberg  <mhahnenberg@apple.com>
206
207         Watchdog timer should be lazily allocated
208         https://bugs.webkit.org/show_bug.cgi?id=133135
209
210         Reviewed by Geoffrey Garen.
211
212         We incur a noticeable amount of overhead on some benchmarks due to checking if the Watchdog ever fired. 
213         There is no reason to do this checking if we never activated the Watchdog, which can only be done through 
214         JSContextGroupSetExecutionTimeLimit or JSContextGroupClearExecutionTimeLimit. 
215
216         By allocating the Watchdog lazily on the VM we can avoid all of the associated overhead when we don't use 
217         these two API functions (which is true of most clients).
218
219         * API/JSContextRef.cpp:
220         (JSContextGroupSetExecutionTimeLimit):
221         (JSContextGroupClearExecutionTimeLimit):
222         * dfg/DFGByteCodeParser.cpp:
223         (JSC::DFG::ByteCodeParser::parseBlock):
224         * dfg/DFGSpeculativeJIT32_64.cpp:
225         (JSC::DFG::SpeculativeJIT::compile):
226         * dfg/DFGSpeculativeJIT64.cpp:
227         (JSC::DFG::SpeculativeJIT::compile):
228         * interpreter/Interpreter.cpp:
229         (JSC::Interpreter::execute):
230         (JSC::Interpreter::executeCall):
231         (JSC::Interpreter::executeConstruct):
232         * jit/JITOpcodes.cpp:
233         (JSC::JIT::emit_op_loop_hint):
234         (JSC::JIT::emitSlow_op_loop_hint):
235         * jit/JITOperations.cpp:
236         * llint/LLIntSlowPaths.cpp:
237         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
238         * runtime/VM.h:
239         * runtime/Watchdog.cpp:
240         (JSC::Watchdog::Scope::Scope): Deleted.
241         (JSC::Watchdog::Scope::~Scope): Deleted.
242         * runtime/Watchdog.h:
243         (JSC::Watchdog::Scope::Scope):
244         (JSC::Watchdog::Scope::~Scope):
245
246 2014-05-19  Mark Hahnenberg  <mhahnenberg@apple.com>
247
248         JSArray::shiftCountWith* could be more efficient
249         https://bugs.webkit.org/show_bug.cgi?id=133011
250
251         Reviewed by Geoffrey Garen.
252
253         Our current implementations of shiftCountWithAnyIndexingType and shiftCountWithArrayStorage 
254         are scared of the presence of any holes in the array. We can mitigate this somewhat by enabling 
255         them to correctly handle holes, thus avoiding the slowest of slow paths in most cases.
256
257         * runtime/ArrayStorage.h:
258         (JSC::ArrayStorage::indexingHeader):
259         (JSC::ArrayStorage::length):
260         (JSC::ArrayStorage::hasHoles):
261         * runtime/IndexingHeader.h:
262         (JSC::IndexingHeader::publicLength):
263         (JSC::IndexingHeader::from):
264         * runtime/JSArray.cpp:
265         (JSC::JSArray::shiftCountWithArrayStorage):
266         (JSC::JSArray::shiftCountWithAnyIndexingType):
267         (JSC::JSArray::unshiftCountWithArrayStorage):
268         * runtime/JSArray.h:
269         (JSC::JSArray::shiftCountForShift):
270         (JSC::JSArray::shiftCountForSplice):
271         (JSC::JSArray::shiftCount):
272         * runtime/Structure.cpp:
273         (JSC::Structure::holesRequireSpecialBehavior):
274         * runtime/Structure.h:
275
276 2014-05-19  Filip Pizlo  <fpizlo@apple.com>
277
278         Test gardening: skip some failing tests on not-X86.
279
280         * tests/mozilla/mozilla-tests.yaml:
281
282 2014-05-19  Mark Lam  <mark.lam@apple.com>
283
284         operationOptimize() should defer the GC for a while.
285         <https://webkit.org/b/133103>
286
287         Reviewed by Filip Pizlo.
288
289         Currently, operationOptimize() only defers the GC until its end.  As a result,
290         a GC may be triggered just before we return from operationOptimize(), and it may
291         jettison the optimize codeBlock that we're planning to OSR enter into when we
292         return from this function.  This is because the OSR entry on-ramp code hasn't
293         been executed yet, and hence, there is not yet a reference to this new codeBlock
294         from the stack, and there won't be until we've had a chance to return out of
295         operationOptimize() to run the OSR entry on-ramp code.
296
297         This issue is now fixed by using DeferGCForAWhile instead of DeferGC.  This
298         ensures that the GC will be deferred until after the OSR entry on-ramp can be
299         executed.
300
301         * jit/JITOperations.cpp:
302
303 2014-05-19  Filip Pizlo  <fpizlo@apple.com>
304
305         Take care of some ARM64 test failures
306         https://bugs.webkit.org/show_bug.cgi?id=133090
307
308         Reviewed by Geoffrey Garen.
309         
310         Constant blinding on ARM64 cannot use the scratch register.
311
312         * assembler/MacroAssembler.h:
313         (JSC::MacroAssembler::convertInt32ToDouble):
314         (JSC::MacroAssembler::branchPtr):
315         (JSC::MacroAssembler::storePtr):
316         (JSC::MacroAssembler::store64):
317         * assembler/MacroAssemblerARM64.h:
318         (JSC::MacroAssemblerARM64::scratchRegisterForBlinding):
319
320 2014-05-19  Tanay C  <tanay.c@samsung.com>
321
322         Removing some check-webkit-style warnings from ./dfg
323         https://bugs.webkit.org/show_bug.cgi?id=132854
324
325         Reviewed by Darin Adler.
326
327         * dfg/DFGAbstractInterpreter.h:
328         * dfg/DFGAbstractValue.h:
329         * dfg/DFGBlockInsertionSet.h:
330         * dfg/DFGCommonData.h:
331         * dfg/DFGDominators.h:
332         * dfg/DFGGraph.h:
333         * dfg/DFGInPlaceAbstractState.h:
334         * dfg/DFGPredictionPropagationPhase.h:
335
336 2014-05-18  Filip Pizlo  <fpizlo@apple.com>
337
338         Unreviewed, remove bogus comment. We already made the FTL use our calling convention.
339         That was a long time ago.
340
341         * ftl/FTLLowerDFGToLLVM.cpp:
342         (JSC::FTL::LowerDFGToLLVM::compileReturn):
343
344 2014-05-18  Rik Cabanier  <cabanier@adobe.com>
345
346         support for navigator.hardwareConcurrency
347         https://bugs.webkit.org/show_bug.cgi?id=132588
348
349         Reviewed by Filip Pizlo.
350
351         * Configurations/FeatureDefines.xcconfig:
352
353 2014-05-16  Michael Saboff  <msaboff@apple.com>
354
355         Crash in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed() due to WTF::CrashOnOverflow::overflowed + 9
356         https://bugs.webkit.org/show_bug.cgi?id=133009
357
358         Reviewed by Oliver Hunt.
359
360         If we determine that any alternative requires a minimum match size greater than
361         INT_MAX, we handle the match in the interpreter.
362
363         Check to see if the pattern has unsigned lengths before invoking YARR JIT.
364         * runtime/RegExp.cpp:
365         (JSC::RegExp::compile):
366         (JSC::RegExp::compileMatchOnly):
367
368         * tests/stress/large-regexp.js: New test added.
369
370         Set m_containsUnsignedLengthPattern flag if any alternative's minimum length
371         doesn't fit in an int.
372         * yarr/YarrPattern.cpp:
373         (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):
374
375         Clear new m_containsUnsignedLengthPattern flag.
376         * yarr/YarrPattern.cpp:
377         (JSC::Yarr::YarrPattern::YarrPattern):
378         * yarr/YarrPattern.h:
379         (JSC::Yarr::YarrPattern::reset):
380         (JSC::Yarr::YarrPattern::containsUnsignedLengthPattern):
381
382 2014-05-15  Mark Hahnenberg  <mhahnenberg@apple.com>
383
384         JSDOMWindow should not claim HasImpureGetOwnPropertySlot
385         https://bugs.webkit.org/show_bug.cgi?id=132918
386
387         Reviewed by Geoffrey Garen.
388
389         * jit/Repatch.cpp:
390         (JSC::tryRepatchIn): We forgot to check for watchpoints when repatching "in".
391
392 2014-05-15  Alex Christensen  <achristensen@webkit.org>
393
394         Add pointer lock to features without enabling it.
395         https://bugs.webkit.org/show_bug.cgi?id=132961
396
397         Reviewed by Sam Weinig.
398
399         * Configurations/FeatureDefines.xcconfig:
400         Added ENABLE_POINTER_LOCK to list of features.
401
402 2014-05-14  Mark Hahnenberg  <mhahnenberg@apple.com>
403
404         Inline caching for proxies clobbers baseGPR too early
405         https://bugs.webkit.org/show_bug.cgi?id=132916
406
407         Reviewed by Filip Pizlo.
408
409         We clobber baseGPR prior to the Structure checks, so if any of the checks fail then the slow path 
410         gets the target of the proxy rather than the proxy itself. We need to delay the clobbering of baseGPR 
411         until we know the inline cache is going to succeed.
412
413         * jit/Repatch.cpp:
414         (JSC::generateByIdStub):
415
416 2014-05-14  Brent Fulgham  <bfulgham@apple.com>
417
418         [Win] Unreviewed build fix.
419
420         * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: This solution
421         was missing commands to build LLInt portions of JSC.
422         * llint/LLIntData.cpp: 64-bit build fix.
423
424 2014-05-14  Martin Hodovan <mhodovan.u-szeged@partner.samsung.com>
425
426         ARM Traditional buildfix after r168776.
427         https://bugs.webkit.org/show_bug.cgi?id=132903
428
429         Reviewed by Darin Adler.
430
431         * assembler/MacroAssemblerARM.h:
432         (JSC::MacroAssemblerARM::abortWithReason): Added.
433
434 2014-05-14  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>
435
436         Remove CSS_STICKY_POSITION guards
437         https://bugs.webkit.org/show_bug.cgi?id=132676
438
439         Reviewed by Simon Fraser.
440
441         * Configurations/FeatureDefines.xcconfig:
442
443 2014-05-13  Filip Pizlo  <fpizlo@apple.com>
444
445         JIT breakpoints should be more informative
446         https://bugs.webkit.org/show_bug.cgi?id=132882
447
448         Reviewed by Oliver Hunt.
449         
450         Introduce the notion of an AbortReason, which is a nice enumeration of coded assertion
451         failure names. This means that all you need to figure out why the JIT SIGTRAP'd is to look
452         at that platform's abort reason register (r11 on X86-64 for example).
453
454         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
455         * JavaScriptCore.xcodeproj/project.pbxproj:
456         * assembler/AbortReason.h: Added.
457         * assembler/AbstractMacroAssembler.h:
458         * assembler/MacroAssemblerARM64.h:
459         (JSC::MacroAssemblerARM64::abortWithReason):
460         * assembler/MacroAssemblerARMv7.h:
461         (JSC::MacroAssemblerARMv7::abortWithReason):
462         * assembler/MacroAssemblerX86.h:
463         (JSC::MacroAssemblerX86::abortWithReason):
464         * assembler/MacroAssemblerX86_64.h:
465         (JSC::MacroAssemblerX86_64::abortWithReason):
466         * dfg/DFGSlowPathGenerator.h:
467         (JSC::DFG::SlowPathGenerator::generate):
468         * dfg/DFGSpeculativeJIT.cpp:
469         (JSC::DFG::SpeculativeJIT::bail):
470         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
471         (JSC::DFG::SpeculativeJIT::compileMakeRope):
472         * dfg/DFGSpeculativeJIT.h:
473         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
474         * dfg/DFGSpeculativeJIT32_64.cpp:
475         (JSC::DFG::SpeculativeJIT::compile):
476         * dfg/DFGSpeculativeJIT64.cpp:
477         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
478         (JSC::DFG::SpeculativeJIT::compile):
479         * dfg/DFGThunks.cpp:
480         (JSC::DFG::osrEntryThunkGenerator):
481         * jit/AssemblyHelpers.cpp:
482         (JSC::AssemblyHelpers::jitAssertIsInt32):
483         (JSC::AssemblyHelpers::jitAssertIsJSInt32):
484         (JSC::AssemblyHelpers::jitAssertIsJSNumber):
485         (JSC::AssemblyHelpers::jitAssertIsJSDouble):
486         (JSC::AssemblyHelpers::jitAssertIsCell):
487         (JSC::AssemblyHelpers::jitAssertTagsInPlace):
488         (JSC::AssemblyHelpers::jitAssertHasValidCallFrame):
489         (JSC::AssemblyHelpers::jitAssertIsNull):
490         (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
491         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
492         * jit/AssemblyHelpers.h:
493         (JSC::AssemblyHelpers::checkStackPointerAlignment):
494         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): Deleted.
495         * jit/JIT.h:
496         * jit/JITArithmetic.cpp:
497         (JSC::JIT::emitSlow_op_div):
498         * jit/JITOpcodes.cpp:
499         (JSC::JIT::emitSlow_op_loop_hint):
500         * jit/JITOpcodes32_64.cpp:
501         (JSC::JIT::privateCompileCTINativeCall):
502         * jit/JITPropertyAccess.cpp:
503         (JSC::JIT::emit_op_get_by_val):
504         (JSC::JIT::compileGetDirectOffset):
505         (JSC::JIT::addStructureTransitionCheck): Deleted.
506         (JSC::JIT::testPrototype): Deleted.
507         * jit/JITPropertyAccess32_64.cpp:
508         (JSC::JIT::emit_op_get_by_val):
509         (JSC::JIT::compileGetDirectOffset):
510         * jit/RegisterPreservationWrapperGenerator.cpp:
511         (JSC::generateRegisterRestoration):
512         * jit/Repatch.cpp:
513         (JSC::addStructureTransitionCheck):
514         (JSC::linkClosureCall):
515         * jit/ThunkGenerators.cpp:
516         (JSC::emitPointerValidation):
517         (JSC::nativeForGenerator):
518         * yarr/YarrJIT.cpp:
519         (JSC::Yarr::YarrGenerator::generate):
520
521 2014-05-13  peavo@outlook.com  <peavo@outlook.com>
522
523         [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
524         https://bugs.webkit.org/show_bug.cgi?id=132772
525
526         Reviewed by Geoffrey Garen.
527
528         Using the MSVC compiler, an instance of an enum type with value zero is compatible with void* (see bug 132683 for a code example).
529         This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
530         This patch tries to prevent these types of crashes by using a type with explicit constructors instead of void*.
531         The void* parameter in the loadDouble and storeDouble methods is replaced with TrustedImmPtr.
532
533         * assembler/MacroAssemblerARM.h:
534         (JSC::MacroAssemblerARM::loadDouble):
535         (JSC::MacroAssemblerARM::storeDouble):
536         * assembler/MacroAssemblerARM64.h:
537         (JSC::MacroAssemblerARM64::loadDouble):
538         (JSC::MacroAssemblerARM64::storeDouble):
539         * assembler/MacroAssemblerARMv7.h:
540         (JSC::MacroAssemblerARMv7::loadDouble):
541         (JSC::MacroAssemblerARMv7::storeDouble):
542         * assembler/MacroAssemblerMIPS.h:
543         (JSC::MacroAssemblerMIPS::loadDouble):
544         (JSC::MacroAssemblerMIPS::storeDouble):
545         * assembler/MacroAssemblerSH4.h:
546         (JSC::MacroAssemblerSH4::loadDouble):
547         (JSC::MacroAssemblerSH4::storeDouble):
548         * assembler/MacroAssemblerX86.h:
549         (JSC::MacroAssemblerX86::storeDouble):
550         * assembler/MacroAssemblerX86Common.h:
551         (JSC::MacroAssemblerX86Common::absDouble):
552         (JSC::MacroAssemblerX86Common::negateDouble):
553         (JSC::MacroAssemblerX86Common::loadDouble):
554         * dfg/DFGSpeculativeJIT.cpp:
555         (JSC::DFG::SpeculativeJIT::silentFill):
556         (JSC::DFG::compileClampDoubleToByte):
557         * dfg/DFGSpeculativeJIT32_64.cpp:
558         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
559         (JSC::DFG::SpeculativeJIT::compile):
560         * jit/AssemblyHelpers.cpp:
561         (JSC::AssemblyHelpers::purifyNaN):
562         * jit/JITInlines.h:
563         (JSC::JIT::emitLoadDouble):
564         * jit/JITPropertyAccess.cpp:
565         (JSC::JIT::emitFloatTypedArrayGetByVal):
566         * jit/ThunkGenerators.cpp:
567         (JSC::floorThunkGenerator):
568         (JSC::roundThunkGenerator):
569         (JSC::powThunkGenerator):
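The hardened pattern described in the two "[Win] Enum type with value zero is compatible with void*" entries above (the 2014-05-12 landing and its 2014-05-13 re-landing), as an added example that is not JSC's own code: a pointer wrapper with only an explicit constructor replaces a raw const void* overload, so a zero-valued register enumerator such as GPRInfo::regT0 can no longer be routed to the absolute-address store. The RegisterID, FPRegisterID, Assembler and TrustedImmPtr types here are constructed stand-ins, and the MSVC behaviour they guard against is the one the entries report.

```cpp
#include <cstdint>
#include <string>
#include <type_traits>

// Constructed stand-ins for the JSC types the entry names; not JSC's definitions.
enum RegisterID { eax = 0, ecx = 1, edx = 2 };   // regT0 is eax, i.e. 0, on Windows
enum FPRegisterID { xmm0 = 0, xmm1 = 1 };
static const RegisterID regT0 = eax;

// The fix: an immediate-pointer wrapper whose only constructor is explicit.
// An enumerator, even one whose value is zero, has no implicit conversion to
// it, so overload resolution can never pick the absolute-address store by accident.
struct TrustedImmPtr {
    explicit TrustedImmPtr(const void* p) : value(reinterpret_cast<std::uintptr_t>(p)) {}
    std::uintptr_t value;
};

struct Assembler {
    std::string lastOp;   // records which overload ran, for inspection

    // Register-indirect store: the address is held in a general-purpose register.
    void storeDouble(FPRegisterID src, RegisterID base) {
        lastOp = "store fpr" + std::to_string(static_cast<int>(src))
               + " via gpr" + std::to_string(static_cast<int>(base));
    }

    // Absolute store: the address is an immediate. Before the fix this overload took
    // a raw const void*, which MSVC let a zero-valued enumerator bind to (per the entry),
    // turning a register operand into a write to address 0.
    void storeDouble(FPRegisterID src, TrustedImmPtr address) {
        lastOp = "store fpr" + std::to_string(static_cast<int>(src))
               + " to imm 0x" + toHex(address.value);
    }

    static std::string toHex(std::uintptr_t v) {
        static const char* digits = "0123456789abcdef";
        std::string out;
        do { out.insert(out.begin(), digits[v & 0xf]); v >>= 4; } while (v);
        return out;
    }
};

// Compile-time evidence that the wrapper closes the hole: neither the register
// enumerator nor a plain integer converts implicitly to TrustedImmPtr.
static_assert(!std::is_convertible<RegisterID, TrustedImmPtr>::value,
              "a register enumerator must not convert to an immediate pointer");
static_assert(!std::is_convertible<int, TrustedImmPtr>::value,
              "an integer must not convert to an immediate pointer");

// The call site from the entry: storeDouble(..., regT0) now resolves to the
// register-indirect overload on every compiler, never to the absolute store.
std::string storeViaRegT0() {
    Assembler jit;
    jit.storeDouble(xmm0, regT0);
    return jit.lastOp;
}

// An intentional absolute store must say so by constructing the wrapper explicitly.
std::string storeToAbsolute(const void* address) {
    Assembler jit;
    jit.storeDouble(xmm1, TrustedImmPtr(address));
    return jit.lastOp;
}
```
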
570
571 2014-05-12  Commit Queue  <commit-queue@webkit.org>
572
573         Unreviewed, rolling out r168642.
574         https://bugs.webkit.org/show_bug.cgi?id=132839
575
576         Broke ARM build (Requested by jpfau on #webkit).
577
578         Reverted changeset:
579
580         "[Win] Enum type with value zero is compatible with void*,
581         potential cause of crashes."
582         https://bugs.webkit.org/show_bug.cgi?id=132772
583         http://trac.webkit.org/changeset/168642
584
585 2014-05-12  peavo@outlook.com  <peavo@outlook.com>
586
587         [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
588         https://bugs.webkit.org/show_bug.cgi?id=132772
589
590         Reviewed by Geoffrey Garen.
591
592         Using the MSVC compiler, an instance of an enum type with value zero is compatible with void* (see bug 132683 for a code example).
593         This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
594         This patch tries to prevent these types of crashes by using a type with explicit constructors instead of void*.
595         The void* parameter in the loadDouble and storeDouble methods is replaced with TrustedImmPtr.
596
597         * assembler/MacroAssemblerARM.h:
598         (JSC::MacroAssemblerARM::loadDouble):
599         (JSC::MacroAssemblerARM::storeDouble):
600         * assembler/MacroAssemblerARM64.h:
601         (JSC::MacroAssemblerARM64::loadDouble):
602         (JSC::MacroAssemblerARM64::storeDouble):
603         * assembler/MacroAssemblerARMv7.h:
604         (JSC::MacroAssemblerARMv7::loadDouble):
605         (JSC::MacroAssemblerARMv7::storeDouble):
606         * assembler/MacroAssemblerMIPS.h:
607         (JSC::MacroAssemblerMIPS::loadDouble):
608         (JSC::MacroAssemblerMIPS::storeDouble):
609         * assembler/MacroAssemblerSH4.h:
610         (JSC::MacroAssemblerSH4::loadDouble):
611         (JSC::MacroAssemblerSH4::storeDouble):
612         * assembler/MacroAssemblerX86.h:
613         (JSC::MacroAssemblerX86::storeDouble):
614         * assembler/MacroAssemblerX86Common.h:
615         (JSC::MacroAssemblerX86Common::absDouble):
616         (JSC::MacroAssemblerX86Common::negateDouble):
617         (JSC::MacroAssemblerX86Common::loadDouble):
618         * dfg/DFGSpeculativeJIT.cpp:
619         (JSC::DFG::SpeculativeJIT::silentFill):
620         (JSC::DFG::compileClampDoubleToByte):
621         * dfg/DFGSpeculativeJIT32_64.cpp:
622         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
623         (JSC::DFG::SpeculativeJIT::compile):
624         * jit/AssemblyHelpers.cpp:
625         (JSC::AssemblyHelpers::purifyNaN):
626         * jit/JITInlines.h:
627         (JSC::JIT::emitLoadDouble):
628         * jit/JITPropertyAccess.cpp:
629         (JSC::JIT::emitFloatTypedArrayGetByVal):
630         * jit/ThunkGenerators.cpp:
631         (JSC::floorThunkGenerator):
632         (JSC::roundThunkGenerator):
633         (JSC::powThunkGenerator):
634
635 2014-05-12  Andreas Kling  <akling@apple.com>
636
637         0.4% of PLT3 in JSCell::structure() below JSObject::visitChildren().
638         <https://webkit.org/b/132828>
639         <rdar://problem/16886285>
640
641         Reviewed by Michael Saboff.
642
643         * runtime/JSObject.cpp:
644         (JSC::JSObject::visitButterfly):
645         (JSC::JSObject::visitChildren):
646
647             Use JSCell::structure(VM&) to reduce the number of hoops we jump
648             through to find Structures during marking.
649
650 2014-05-12  László Langó  <llango.u-szeged@partner.samsung.com>
651
652         [cmake] Add missing FTL source files to the build system.
653
654         Reviewed by Csaba Osztrogonác.
655
656         * CMakeLists.txt:
657
658 2014-05-09  Joseph Pecoraro  <pecoraro@apple.com>
659
660         Web Inspector: Allow Remote Inspector to entitlement check UIProcess through WebProcess
661         https://bugs.webkit.org/show_bug.cgi?id=132409
662
663         Reviewed by Timothy Hatcher.
664
665         Proxy applications are applications which hold WebViews for other
666         applications. The WebProcess (Web Content Service) is a proxy application.
667         For legacy reasons we were supporting a scenario where proxy applications
668         could potentially host WebViews for more than one other application. That
669         was never the case for WebProcess and it is now a scenario we don't need
670         to worry about supporting.
671
672         With this change, a proxy application more naturally only holds WebViews
673         for a single parent / host application. The proxy process can set the
674         parent pid / audit_token data on the RemoteInspector singleton, and
675         that data will be sent on to webinspectord later on to be validated.
676         In the WebProcess<->UIProcess relationship that information is known
677         and set immediately. In the Legacy iOS case that information is set
678         soon after, but not immediately known at the point the WebView is created.
679
680         This allows us to simplify the RemoteInspectorDebuggable interface.
681         We no longer need a pid per-Debuggable.
682
683         * inspector/remote/RemoteInspector.h:
684         * inspector/remote/RemoteInspector.mm:
685         (Inspector::RemoteInspector::RemoteInspector):
686         (Inspector::RemoteInspector::setParentProcessInformation):
687         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
688         (Inspector::RemoteInspector::listingForDebuggable):
689         (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
690         Handle new proxy application setup message, and provide an API
691         for a proxy application to set the parent process information.
692
693         * inspector/remote/RemoteInspectorConstants.h:
694         New setup and response message for proxy applications to pass
695         their parent / host application information to webinspectord.
696
697         * inspector/remote/RemoteInspectorDebuggable.cpp:
698         (Inspector::RemoteInspectorDebuggable::info):
699         * inspector/remote/RemoteInspectorDebuggable.h:
700         (Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo):
701         (Inspector::RemoteInspectorDebuggableInfo::hasParentProcess): Deleted.
702         pid per debuggable is no longer needed.
703
704 2014-05-09  Mark Hahnenberg  <mhahnenberg@apple.com>
705
706         JSDOMWindow should disable property caching after a certain point
707         https://bugs.webkit.org/show_bug.cgi?id=132751
708
709         Reviewed by Filip Pizlo.
710
711         This is part of removing HasImpureGetOwnPropertySlot from JSDOMWindow. After the lookup in the static 
712         hash table for JSDOMWindow fails we want to disable property caching even if the code that follows thinks 
713         that it has provided a cacheable value.
714
715         * runtime/PropertySlot.h:
716         (JSC::PropertySlot::PropertySlot):
717         (JSC::PropertySlot::isCacheable):
718         (JSC::PropertySlot::disableCaching):
719
720 2014-05-09  Andreas Kling  <akling@apple.com>
721
722         8.8% spent in Object.prototype.hasOwnProperty() on sbperftest.
723         <https://webkit.org/b/132749>
724
725         Leverage the fast-resolve-to-AtomicString optimization for JSRopeString
726         in Object.prototype.* by using JSString::toIdentifier() in the cases where
727         we are converting JSString -> String -> Identifier.
728
729         This brings time spent in hasOwnProperty() from 8.8% to 1.3% on
730         "The Great HTML5 Gaming Performance Test: 2014 edition"
731         <http://www.scirra.com/demos/c2/sbperftest/>
732
733         Reviewed by Oliver Hunt.
734
735         * runtime/ObjectPrototype.cpp:
736         (JSC::objectProtoFuncHasOwnProperty):
737         (JSC::objectProtoFuncDefineGetter):
738         (JSC::objectProtoFuncDefineSetter):
739         (JSC::objectProtoFuncLookupGetter):
740         (JSC::objectProtoFuncLookupSetter):
741
742 2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>
743
744         JSDOMWindow should have a WatchpointSet to fire on window close
745         https://bugs.webkit.org/show_bug.cgi?id=132721
746
747         Reviewed by Filip Pizlo.
748
749         This patch allows us to reset the inline caches that assumed they could skip 
750         the first part of JSDOMWindow::getOwnPropertySlot that checks if the window has 
751         been closed. This is part of getting rid of HasImpureGetOwnPropertySlot on JSDOMWindow.
752
753         PropertySlot now accepts a WatchpointSet which the inline cache code can look for
754         to see if it should create a new Watchpoint for that particular inline cache site.
755
756         * bytecode/Watchpoint.h:
757         * jit/Repatch.cpp:
758         (JSC::generateByIdStub):
759         (JSC::tryBuildGetByIDList):
760         (JSC::tryCachePutByID):
761         (JSC::tryBuildPutByIdList):
762         * runtime/PropertySlot.h:
763         (JSC::PropertySlot::PropertySlot):
764         (JSC::PropertySlot::watchpointSet):
765         (JSC::PropertySlot::setWatchpointSet):
766
767 2014-05-09  Tanay C  <tanay.c@samsung.com>
768
769         Fix build warning (uninitialized variable) in DFGFixupPhase.cpp 
770         https://bugs.webkit.org/show_bug.cgi?id=132331
771
772         Reviewed by Darin Adler.
773
774         * dfg/DFGFixupPhase.cpp:
775         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
776
777 2014-05-09  peavo@outlook.com  <peavo@outlook.com>
778
779         [Win] Crash when enabling DFG JIT.
780         https://bugs.webkit.org/show_bug.cgi?id=132683
781
782         Reviewed by Geoffrey Garen.
783
        On Windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0),
785         results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
786         where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
787         This causes the register to be written to address 0, hence the crash.
788
789         * dfg/DFGOSRExitCompiler32_64.cpp:
790         (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
791         * dfg/DFGOSRExitCompiler64.cpp:
792         (JSC::DFG::OSRExitCompiler::compileExit): Ditto.
793
794 2014-05-09  Martin Hodovan <mhodovan.u-szeged@partner.samsung.com>
795
796         REGRESSION(r167094): JSC crashes on ARM Traditional
797         https://bugs.webkit.org/show_bug.cgi?id=132738
798
799         Reviewed by Zoltan Herczeg.
800
801         PC is two instructions ahead of the current instruction
802         on ARM Traditional, so the distance is 8 bytes not 2.
803
804         * llint/LowLevelInterpreter.asm:
805
806 2014-05-09  Alberto Garcia  <berto@igalia.com>
807
808         jsmin.py license header confusing, mentions non-free license
809         https://bugs.webkit.org/show_bug.cgi?id=123665
810
811         Reviewed by Darin Adler.
812
813         Pull the most recent version from upstream, which has a clear
814         license.
815
816         * inspector/scripts/jsmin.py:
817
818 2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>
819
820         Base case for get-by-id inline cache doesn't check for HasImpureGetOwnPropertySlot
821         https://bugs.webkit.org/show_bug.cgi?id=132695
822
823         Reviewed by Filip Pizlo.
824
825         We check in the case where we're accessing something other than the base object (e.g. the prototype), 
826         but we fail to do so for the base object.
827
828         * jit/Repatch.cpp:
829         (JSC::tryCacheGetByID):
830         (JSC::tryBuildGetByIDList):
831         * jsc.cpp: Added some infrastructure to support this test. We don't currently trigger this bug anywhere in WebKit
832         because all of the values that are returned that could be impure are set to uncacheable anyways.
833         (WTF::ImpureGetter::ImpureGetter):
834         (WTF::ImpureGetter::createStructure):
835         (WTF::ImpureGetter::create):
836         (WTF::ImpureGetter::finishCreation):
837         (WTF::ImpureGetter::getOwnPropertySlot):
838         (WTF::ImpureGetter::visitChildren):
839         (WTF::ImpureGetter::setDelegate):
840         (GlobalObject::finishCreation):
841         (functionCreateImpureGetter):
842         (functionSetImpureGetterDelegate):
843         * tests/stress/impure-get-own-property-slot-inline-cache.js: Added.
844         (foo):
845
846 2014-05-08  Filip Pizlo  <fpizlo@apple.com>
847
848         deleteAllCompiledCode() shouldn't use the suspension worklist
849         https://bugs.webkit.org/show_bug.cgi?id=132708
850
851         Reviewed by Mark Hahnenberg.
852
853         * bytecode/CodeBlock.cpp:
854         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
855         * dfg/DFGPlan.cpp:
856         (JSC::DFG::Plan::isStillValid):
857         * heap/Heap.cpp:
858         (JSC::Heap::deleteAllCompiledCode):
859
860 2014-05-08  Filip Pizlo  <fpizlo@apple.com>
861
862         SSA conversion should delete PhantomLocals for captured variables
863         https://bugs.webkit.org/show_bug.cgi?id=132693
864
865         Reviewed by Mark Hahnenberg.
866
867         * dfg/DFGCommon.cpp:
        (JSC::DFG::startCrashing): Parallel JIT and a JIT bug means that we may dump IR in parallel. This is the workaround. This patch uses it in all of the places where we dump IR and crash.
869         * dfg/DFGCommon.h:
870         * dfg/DFGFixupPhase.cpp:
871         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): Use the workaround.
872         * dfg/DFGLivenessAnalysisPhase.cpp:
873         (JSC::DFG::LivenessAnalysisPhase::run): Use the workaround.
874         * dfg/DFGSSAConversionPhase.cpp:
875         (JSC::DFG::SSAConversionPhase::run): Fix the bug - it's true that PhantomLocal for captured variables doesn't need anything done to it, but it's wrong that we didn't delete it outright.
876         * dfg/DFGValidate.cpp: Use the workaround.
877         * tests/stress/phantom-local-captured-but-not-flushed-to-ssa.js: Added.
878         (foo):
879         (bar):
880
881 2014-05-07  Commit Queue  <commit-queue@webkit.org>
882
883         Unreviewed, rolling out r168451.
884         https://bugs.webkit.org/show_bug.cgi?id=132670
885
886         Not a speed-up, just do what other compilers do. (Requested by
887         kling on #webkit).
888
889         Reverted changeset:
890
891         "[X86] Emit BT instruction for single-bit tests."
892         https://bugs.webkit.org/show_bug.cgi?id=132650
893         http://trac.webkit.org/changeset/168451
894
895 2014-05-07  Filip Pizlo  <fpizlo@apple.com>
896
897         Make Executable::clearCode() actually clear all of the entrypoints, and
898         clean up some other FTL-related calling convention stuff.
899         <rdar://problem/16720172>
900
901         Rubber stamped by Mark Hahnenberg.
902
903         * dfg/DFGOperations.cpp:
904         * dfg/DFGOperations.h:
905         * dfg/DFGWorklist.cpp:
906         (JSC::DFG::Worklist::Worklist):
907         (JSC::DFG::Worklist::finishCreation):
908         (JSC::DFG::Worklist::create):
909         (JSC::DFG::ensureGlobalDFGWorklist):
910         (JSC::DFG::ensureGlobalFTLWorklist):
911         * dfg/DFGWorklist.h:
912         * heap/CodeBlockSet.cpp:
913         (JSC::CodeBlockSet::dump):
914         * heap/CodeBlockSet.h:
915         * runtime/Executable.cpp:
916         (JSC::ExecutableBase::clearCode):
917
918 2014-05-07  Andreas Kling  <akling@apple.com>
919
920         [X86] Emit BT instruction for single-bit tests.
921         <https://webkit.org/b/132650>
922
923         Implement test-bit-and-branch slightly more efficiently by using
924         BT + JC/JNC instead of TEST + JZ/JNZ when we're only testing for
925         a single bit.
926
927         Reviewed by Michael Saboff.
928
929         * assembler/MacroAssemblerX86Common.h:
930         (JSC::MacroAssemblerX86Common::singleBitIndex):
931         (JSC::MacroAssemblerX86Common::branchTest32):
932         * assembler/X86Assembler.h:
933         (JSC::X86Assembler::bt_i8r):
934         (JSC::X86Assembler::bt_i8m):
935
936 2014-05-07  Mark Lam  <mark.lam@apple.com>
937
938         REGRESSION(r166678): Dromaeo/cssquery-dojo.html crashes regularly.
939         <https://webkit.org/b/131356>
940
941         Reviewed by Geoffrey Garen.
942
943         The issue is that GC needs to be made aware of writes to m_inferredValue
944         in the VariableWatchpointSet, but was not.  As a result, if a JSCell*
945         is written to a VariableWatchpointSet m_inferredValue, and that JSCell
946         does not survive an eden GC shortly after, we will end up with a stale
947         JSCell pointer left in the m_inferredValue.
948
949         This issue can be detected more easily by running Dromaeo/cssquery-dojo.html
950         using DumpRenderTree with the VM heap in zombie mode.
951
952         The fix is to change VariableWatchpointSet m_inferredValue to type
953         WriteBarrier<Unknown> and ensure that VariableWatchpointSet::notifyWrite()
954         is executed by all the execution engines so that the WriteBarrier semantics
955         are honored.
956
957         We still check if the value to be written is the same as the one in the
958         inferredValue.  We'll by-pass calling the slow path notifyWrite() if the
959         values are the same.        
960
961         * JavaScriptCore.xcodeproj/project.pbxproj:
962         * bytecode/CodeBlock.cpp:
963         (JSC::CodeBlock::CodeBlock):
964         - need to pass the symbolTable to prepareToWatch() because it will be needed
965           for instantiating the VariableWatchpointSet in prepareToWatch().
966
967         * bytecode/VariableWatchpointSet.h:
968         (JSC::VariableWatchpointSet::VariableWatchpointSet):
969         - VariableWatchpointSet now tracks its owner symbol table for its m_inferredValue
970           write barrier, and yes, m_inferredValue is now of type WriteBarrier<Unknown>.
971         (JSC::VariableWatchpointSet::inferredValue):
972         (JSC::VariableWatchpointSet::invalidate):
973         (JSC::VariableWatchpointSet::finalizeUnconditionally):
974         (JSC::VariableWatchpointSet::addressOfInferredValue):
975         (JSC::VariableWatchpointSet::notifyWrite): Deleted.
976         * bytecode/VariableWatchpointSetInlines.h: Added.
977         (JSC::VariableWatchpointSet::notifyWrite):
978
979         * dfg/DFGByteCodeParser.cpp:
980         (JSC::DFG::ByteCodeParser::cellConstant):
981         - Added an assert in case we try to make constants of zombified JSCells again.
982
983         * dfg/DFGOperations.cpp:
984         * dfg/DFGOperations.h:
985         * dfg/DFGSpeculativeJIT.h:
986         (JSC::DFG::SpeculativeJIT::callOperation):
987         * dfg/DFGSpeculativeJIT32_64.cpp:
988         (JSC::DFG::SpeculativeJIT::compile):
989         * dfg/DFGSpeculativeJIT64.cpp:
990         (JSC::DFG::SpeculativeJIT::compile):
991         - We now let the slow path handle the cases when the VariableWatchpointSet is
992           in state ClearWatchpoint and IsWatched, and the slow path will ensure that
993           we handle the needed write barrier semantics correctly.
994           We will by-pass the slow path if the value being written is the same as the
995           inferred value.
996
997         * ftl/FTLIntrinsicRepository.h:
998         * ftl/FTLLowerDFGToLLVM.cpp:
999         (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
1000         - Let the slow path handle the cases when the VariableWatchpointSet is
1001           in state ClearWatchpoint and IsWatched.
1002           We will by-pass the slow path if the value being written is the same as the
1003           inferred value.
1004
1005         * heap/Heap.cpp:
1006         (JSC::Zombify::operator()):
1007         - Use a different value for the zombified bits (to distinguish it from 0xbbadbeef
1008           which is used everywhere else).
1009         * heap/Heap.h:
1010         (JSC::Heap::isZombified):
1011         - Provide a convenience test function to check if JSCells are zombified.  This is
1012           currently only used in an assertion in the DFG bytecode parser, but the intent
          is that we'll apply this test in other strategic places later to help with early
1014           detection of usage of GC'ed objects when we run in zombie mode.
1015
1016         * jit/JITOpcodes.cpp:
1017         (JSC::JIT::emitSlow_op_captured_mov):
1018         * jit/JITOperations.h:
1019         * jit/JITPropertyAccess.cpp:
1020         (JSC::JIT::emitNotifyWrite):
1021         * jit/JITPropertyAccess32_64.cpp:
1022         (JSC::JIT::emitNotifyWrite):
1023         (JSC::JIT::emitSlow_op_put_to_scope):
1024         - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
1025           is in state ClearWatchpoint and IsWatched.
1026           We will by-pass the slow path if the value being written is the same as the
1027           inferred value.
1028         
1029         * llint/LowLevelInterpreter32_64.asm:
1030         * llint/LowLevelInterpreter64.asm:
1031         - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
1032           is in state ClearWatchpoint and IsWatched.
1033           We will by-pass the slow path if the value being written is the same as the
1034           inferred value.
1035         
1036         * runtime/CommonSlowPaths.cpp:
1037
1038         * runtime/JSCJSValue.h: Fixed some typos in the comments.
1039         * runtime/JSGlobalObject.cpp:
1040         (JSC::JSGlobalObject::addGlobalVar):
1041         (JSC::JSGlobalObject::addFunction):
1042         * runtime/JSSymbolTableObject.h:
1043         (JSC::symbolTablePut):
1044         (JSC::symbolTablePutWithAttributes):
1045         * runtime/SymbolTable.cpp:
1046         (JSC::SymbolTableEntry::prepareToWatch):
1047         (JSC::SymbolTableEntry::notifyWriteSlow):
1048         * runtime/SymbolTable.h:
1049         (JSC::SymbolTableEntry::notifyWrite):
1050
1051 2014-05-06  Michael Saboff  <msaboff@apple.com>
1052
        Unreviewed build fix for C-LOOP after r168396.
1054
1055         * runtime/TestRunnerUtils.cpp:
1056         (JSC::optimizeNextInvocation): Wrapped actual call inside #if ENABLE(JIT)
1057
1058 2014-05-06  Michael Saboff  <msaboff@apple.com>
1059
1060         Add test for deleteAllCompiledCode
1061         https://bugs.webkit.org/show_bug.cgi?id=132632
1062
1063         Reviewed by Phil Pizlo.
1064
1065         Added two new hooks to jsc, one to call Heap::deleteAllCompiledCode() and
1066         the other to call CodeBlock::optimizeNextInvocation().  Used these two hooks
1067         to write a test that will queue up loads of DFG compiles and then call
1068         Heap::deleteAllCompiledCode() to make sure that it can handle compiled
1069         code as well as code being compiled.
1070
1071         * jsc.cpp:
1072         (GlobalObject::finishCreation):
1073         (functionDeleteAllCompiledCode):
1074         (functionOptimizeNextInvocation):
1075         * runtime/TestRunnerUtils.cpp:
1076         (JSC::optimizeNextInvocation):
1077         * runtime/TestRunnerUtils.h:
1078         * tests/stress/deleteAllCompiledCode.js: Added.
1079         (functionList):
1080         (runTest):
1081
1082 2014-05-06  Andreas Kling  <akling@apple.com>
1083
1084         JSString::toAtomicString() should return AtomicString.
1085         <https://webkit.org/b/132627>
1086
1087         Remove premature optimization where I was trying to avoid refcount
1088         churn when returning an already atomicized String.
1089
1090         Instead of using reinterpret_cast to mangle the String member into
1091         a const AtomicString& return value, just return AtomicString.
1092
1093         Reviewed by Geoff Garen.
1094
1095         * runtime/JSString.h:
1096         (JSC::JSString::toAtomicString):
1097
1098 2014-05-06  Mark Hahnenberg  <mhahnenberg@apple.com>
1099
1100         Roll out r167889
1101
1102         Rubber stamped by Geoff Garen.
1103
1104         It broke some websites.
1105
1106         * runtime/JSPropertyNameIterator.cpp:
1107         (JSC::JSPropertyNameIterator::create):
1108         * runtime/PropertyMapHashTable.h:
1109         (JSC::PropertyTable::hasDeletedOffset):
1110         (JSC::PropertyTable::hadDeletedOffset): Deleted.
1111         * runtime/Structure.cpp:
1112         (JSC::Structure::Structure):
1113         (JSC::Structure::materializePropertyMap):
1114         (JSC::Structure::removePropertyTransition):
1115         (JSC::Structure::changePrototypeTransition):
1116         (JSC::Structure::despecifyFunctionTransition):
1117         (JSC::Structure::attributeChangeTransition):
1118         (JSC::Structure::toDictionaryTransition):
1119         (JSC::Structure::preventExtensionsTransition):
1120         (JSC::Structure::addPropertyWithoutTransition):
1121         (JSC::Structure::removePropertyWithoutTransition):
1122         (JSC::Structure::pin):
1123         (JSC::Structure::pinAndPreventTransitions): Deleted.
1124         * runtime/Structure.h:
1125         * runtime/StructureInlines.h:
1126         (JSC::Structure::setEnumerationCache):
1127         (JSC::Structure::propertyTable):
1128         (JSC::Structure::checkOffsetConsistency):
1129         (JSC::Structure::hadDeletedOffsets): Deleted.
1130         * tests/stress/for-in-after-delete.js:
1131         (foo): Deleted.
1132
1133 2014-05-05  Andreas Kling  <akling@apple.com>
1134
1135         Fix debug build.
1136
1137         * runtime/JSCellInlines.h:
1138         (JSC::JSCell::fastGetOwnProperty):
1139
1140 2014-05-05  Andreas Kling  <akling@apple.com>
1141
1142         Optimize GetByVal when subscript is a rope string.
1143         <https://webkit.org/b/132590>
1144
1145         Use JSString::toIdentifier() in the various GetByVal implementations
1146         to try and avoid allocating extra strings.
1147
1148         Added canUseFastGetOwnProperty() and wrap calls to fastGetOwnProperty()
1149         in that, to avoid calling JSString::value() which always resolves ropes
1150         into new strings and de-optimizes subsequent toIdentifier() calls.
1151
1152         My iMac says ~9% progression on Dromaeo/dom-attr.html
1153
1154         Reviewed by Phil Pizlo.
1155
1156         * dfg/DFGOperations.cpp:
1157         * jit/JITOperations.cpp:
1158         (JSC::getByVal):
1159         * llint/LLIntSlowPaths.cpp:
1160         (JSC::LLInt::getByVal):
1161         * runtime/JSCell.h:
1162         * runtime/JSCellInlines.h:
1163         (JSC::JSCell::fastGetOwnProperty):
1164         (JSC::JSCell::canUseFastGetOwnProperty):
1165
1166 2014-05-05  Andreas Kling  <akling@apple.com>
1167
1168         REGRESSION (r168256): ASSERTION FAILED: (buffer + m_length) == position loading vanityfair.com article.
1169         <https://webkit.org/b/168256>
1170         <rdar://problem/16816316>
1171
1172         Make resolveRopeSlowCase8() behave like its 16-bit counterpart and not
1173         clear the fibers. The caller takes care of this.
1174
1175         Test: fast/dom/getElementById-with-rope-string-arg.html
1176
1177         Reviewed by Geoffrey Garen.
1178
1179         * runtime/JSString.cpp:
1180         (JSC::JSRopeString::resolveRopeSlowCase8):
1181
1182 2014-05-05  Michael Saboff  <msaboff@apple.com>
1183
1184         REGRESSION: RELEASE_ASSERT in CodeBlock::baselineVersion @ cnn.com
1185         https://bugs.webkit.org/show_bug.cgi?id=132581
1186
1187         Reviewed by Filip Pizlo.
1188
1189         * dfg/DFGPlan.cpp:
1190         (JSC::DFG::Plan::isStillValid): Check that the alternative codeBlock we
1191         started compiling for is still the same at the end of compilation.
1192         Also did some minor restructuring.
1193
1194 2014-05-05  Andreas Kling  <akling@apple.com>
1195
1196         Optimize PutByVal when subscript is a rope string.
1197         <https://webkit.org/b/132572>
1198
1199         Add a JSString::toIdentifier() that is smarter when the JSString is
1200         really a rope string. Use this in baseline & DFG's PutByVal to avoid
1201         allocating new StringImpls that we immediately deduplicate anyway.
1202
1203         Reviewed by Antti Koivisto.
1204
1205         * dfg/DFGOperations.cpp:
1206         (JSC::DFG::operationPutByValInternal):
1207         * jit/JITOperations.cpp:
1208         * runtime/JSString.h:
1209         (JSC::JSString::toIdentifier):
1210
1211 2014-05-05  Andreas Kling  <akling@apple.com>
1212
1213         Remove two now-incorrect assertions after r168256.
1214
1215         * runtime/JSString.cpp:
1216         (JSC::JSRopeString::resolveRopeSlowCase8):
1217         (JSC::JSRopeString::resolveRopeSlowCase):
1218
1219 2014-05-04  Andreas Kling  <akling@apple.com>
1220
1221         Optimize JSRopeString for resolving directly to AtomicString.
1222         <https://webkit.org/b/132548>
1223
1224         If we know that the JSRopeString we are resolving is going to be used
1225         as an AtomicString, we can try to avoid creating a new string.
1226
1227         We do this by first resolving the rope into a stack buffer, and using
1228         that buffer as a key into the AtomicString table. If there is already
1229         an AtomicString with the same characters, we reuse that instead of
1230         constructing a new StringImpl.
1231
1232         JSString gains these two public functions:
1233
1234         - AtomicString toAtomicString()
1235
1236             Returns an AtomicString, tries to avoid allocating a new string
1237             if possible.
1238
1239         - AtomicStringImpl* toExistingAtomicString()
1240
1241             Returns a non-null AtomicStringImpl* if one already exists in the
1242             AtomicString table. If none is found, the rope is left unresolved.
1243
1244         Reviewed by Filip Pizlo.
1245
1246         * runtime/JSString.cpp:
1247         (JSC::JSRopeString::resolveRopeInternal8):
1248         (JSC::JSRopeString::resolveRopeInternal16):
1249         (JSC::JSRopeString::resolveRopeToAtomicString):
1250         (JSC::JSRopeString::clearFibers):
1251         (JSC::JSRopeString::resolveRopeToExistingAtomicString):
1252         (JSC::JSRopeString::resolveRope):
1253         (JSC::JSRopeString::outOfMemory):
1254         * runtime/JSString.h:
1255         (JSC::JSString::toAtomicString):
1256         (JSC::JSString::toExistingAtomicString):
1257
1258 2014-05-04  Andreas Kling  <akling@apple.com>
1259
1260         Unreviewed, rolling out r168254.
1261
1262         Very crashy on debug JSC tests.
1263
1264         Reverted changeset:
1265
1266         "jsSubstring() should be lazy"
1267         https://bugs.webkit.org/show_bug.cgi?id=132556
1268         http://trac.webkit.org/changeset/168254
1269
1270 2014-05-04  Filip Pizlo  <fpizlo@apple.com>
1271
1272         jsSubstring() should be lazy
1273         https://bugs.webkit.org/show_bug.cgi?id=132556
1274
1275         Reviewed by Andreas Kling.
1276         
1277         jsSubstring() is now lazy by using a special rope that is a substring instead of a
1278         concatenation. To make this patch super simple, we require that a substring's base is
1279         never a rope. Hence, when resolving a rope, we either go down a non-recursive substring
1280         path, or we go down a concatenation path which may see exactly one level of substrings in
1281         its fibers.
1282         
1283         This is up to a 50% speed-up on microbenchmarks and a 10% speed-up on Octane/regexp.
1284
1285         * heap/MarkedBlock.cpp:
1286         (JSC::MarkedBlock::specializedSweep):
1287         * runtime/JSString.cpp:
1288         (JSC::JSRopeString::visitFibers):
1289         (JSC::JSRopeString::resolveRope):
1290         (JSC::JSRopeString::resolveRopeSlowCase8):
1291         (JSC::JSRopeString::resolveRopeSlowCase):
1292         (JSC::JSRopeString::outOfMemory):
1293         * runtime/JSString.h:
1294         (JSC::JSRopeString::finishCreation):
1295         (JSC::JSRopeString::append):
1296         (JSC::JSRopeString::create):
1297         (JSC::JSRopeString::offsetOfFibers):
1298         (JSC::JSRopeString::fiber):
1299         (JSC::JSRopeString::substringBase):
1300         (JSC::JSRopeString::substringOffset):
1301         (JSC::JSRopeString::substringSentinel):
1302         (JSC::JSRopeString::isSubstring):
1303         (JSC::jsSubstring):
1304         * runtime/RegExpMatchesArray.cpp:
1305         (JSC::RegExpMatchesArray::reifyAllProperties):
1306         * runtime/StringPrototype.cpp:
1307         (JSC::stringProtoFuncSubstring):
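
The lazy-substring rope described in this entry and the resolve-directly-to-AtomicString path described in the 2014-05-04 entry above (b/132548) are sketched below in an added, self-contained C++ illustration. It is not JavaScriptCore's code: the `Rope`, `AtomicTable`, `withResolvedChars` and `runDemo` names, the 256-byte stack buffer and the sample strings are assumptions made for the demo, and a `std::set` stands in for the real AtomicString table. It keeps the two invariants the entries spell out: a substring's base is never a rope, and a concatenation may see substrings exactly one level down in its fibers.

```cpp
// Added illustration, not JavaScriptCore code. (1) A Substring node is lazy and
// its base is always flat, so resolving it is one memcpy, while a Concat node
// may hold substrings one level down. (2) Resolving into a stack buffer and
// probing the intern ("atomic string") table with a non-owning view reuses an
// already-interned string instead of allocating a fresh copy of it.
#include <cassert>
#include <cstddef>
#include <cstring>
#include <memory>
#include <set>
#include <string>
#include <string_view>
#include <vector>

struct Rope;
using RopePtr = std::shared_ptr<const Rope>;

struct Rope {
    enum Kind { Flat, Concat, Substring } kind = Flat;
    std::string flat;              // Flat: owned characters
    std::vector<RopePtr> fibers;   // Concat: children of any kind
    RopePtr base;                  // Substring: invariant base->kind == Flat
    size_t offset = 0;             // Substring: start inside base->flat
    size_t length = 0;             // all kinds: character count

    static RopePtr makeFlat(std::string s) {
        auto r = std::make_shared<Rope>();
        r->length = s.size(); r->flat = std::move(s);
        return r;
    }
    static RopePtr concat(RopePtr a, RopePtr b) {
        auto r = std::make_shared<Rope>();
        r->kind = Concat; r->length = a->length + b->length;
        r->fibers = {std::move(a), std::move(b)};
        return r;
    }
    // jsSubstring-style lazy substring: a substring of a substring re-bases onto
    // the flat base; a substring of a concat flattens the concat first, so the
    // "base is never a rope" invariant holds and resolving stays non-recursive.
    static RopePtr substring(RopePtr s, size_t off, size_t len) {
        assert(off + len <= s->length);
        if (s->kind == Substring) { off += s->offset; s = s->base; }
        else if (s->kind == Concat) s = makeFlat(s->resolve());
        auto r = std::make_shared<Rope>();
        r->kind = Substring; r->base = std::move(s); r->offset = off; r->length = len;
        return r;
    }
    // Write exactly `length` characters to `out`.
    void resolveInto(char* out) const {
        switch (kind) {
        case Flat:      std::memcpy(out, flat.data(), length); break;
        case Substring: std::memcpy(out, base->flat.data() + offset, length); break;
        case Concat:    for (const auto& f : fibers) { f->resolveInto(out); out += f->length; } break;
        }
    }
    std::string resolve() const { std::string s(length, '\0'); resolveInto(s.data()); return s; }
};

// Stand-in for the AtomicString table: owns exactly one copy per distinct string.
class AtomicTable {
public:
    // Probe with a non-owning view; returns the existing entry or nullptr.
    const std::string* findExisting(std::string_view chars) const {
        auto it = table_.find(chars);
        return it == table_.end() ? nullptr : &*it;
    }
    // Reuse an existing entry, otherwise allocate once.
    const std::string* intern(std::string_view chars) {
        if (const std::string* hit = findExisting(chars)) return hit;
        ++allocations_;
        return &*table_.emplace(chars).first;
    }
    size_t allocations() const { return allocations_; }
private:
    std::set<std::string, std::less<>> table_;  // transparent compare: find() by string_view
    size_t allocations_ = 0;
};

// Resolve `rope` into a stack buffer (heap only if it does not fit; assumed size)
// and hand the characters to `f` as a view, so no string is built up front.
template <class F>
auto withResolvedChars(const Rope& rope, F f) {
    char stackBuf[256];
    std::vector<char> heapBuf;
    char* buf = stackBuf;
    if (rope.length > sizeof stackBuf) { heapBuf.resize(rope.length); buf = heapBuf.data(); }
    rope.resolveInto(buf);
    return f(std::string_view(buf, rope.length));
}
// toAtomicString(): intern, allocating only if no equal string exists.
const std::string* toAtomicString(const Rope& rope, AtomicTable& table) {
    return withResolvedChars(rope, [&](std::string_view v) { return table.intern(v); });
}
// toExistingAtomicString(): lookup only; never allocates, the rope stays a rope.
const std::string* toExistingAtomicString(const Rope& rope, const AtomicTable& table) {
    return withResolvedChars(rope, [&](std::string_view v) { return table.findExisting(v); });
}

struct DemoResult {
    bool concatReusedExisting;      // "hello " + "world" hit the pre-interned "hello world"
    size_t allocationsAfterConcat;  // table allocations so far
    bool substringNotYetInterned;   // lookup-only path found nothing for "world"
    std::string substringText;      // "world", interned on demand
    size_t allocationsAfterAll;
};

DemoResult runDemo() {
    AtomicTable table;
    const std::string* existing = table.intern("hello world");  // constructed sample input
    RopePtr rope = Rope::concat(Rope::makeFlat("hello "), Rope::makeFlat("world"));
    DemoResult r;
    r.concatReusedExisting = toAtomicString(*rope, table) == existing;
    r.allocationsAfterConcat = table.allocations();
    RopePtr sub = Rope::substring(rope, 6, 5);  // lazy "world"; concat base flattened once
    r.substringNotYetInterned = toExistingAtomicString(*sub, table) == nullptr;
    r.substringText = *toAtomicString(*sub, table);
    r.allocationsAfterAll = table.allocations();
    return r;
}
```

`runDemo()` interns "hello world", then builds the same text as a two-fiber rope: resolving it into the stack buffer and probing the table returns the existing entry with no second allocation. The lazy substring "world" is not in the table, so the lookup-only path returns nullptr and leaves it unresolved; interning it is the only other allocation. Requires C++17.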
1308
1309 2014-05-02  Michael Saboff  <msaboff@apple.com>
1310
1311         "arm64 function not 4-byte aligned" warnings when building JSC
1312         https://bugs.webkit.org/show_bug.cgi?id=132495
1313
1314         Reviewed by Geoffrey Garen.
1315
1316         Added ".align 4" for both ARM Thumb2 and ARM 64 to silence the linker.
1317
1318         * llint/LowLevelInterpreter.cpp:
1319
1320 2014-05-02  Mark Hahnenberg  <mhahnenberg@apple.com>
1321
1322         Fix cloop build after r168178
1323
1324         * bytecode/CodeBlock.cpp:
1325
1326 2014-05-01  Mark Hahnenberg  <mhahnenberg@apple.com>
1327
1328         Add a DFG function whitelist
1329         https://bugs.webkit.org/show_bug.cgi?id=132437
1330
1331         Reviewed by Geoffrey Garen.
1332
        Oftentimes when debugging, using bytecode ranges isn't enough to narrow down to the 
1334         particular DFG block that's causing issues. This patch adds the ability to whitelist 
1335         specific functions specified in a file to enable further filtering without having to recompile.
1336
1337         * CMakeLists.txt:
1338         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1339         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1340         * JavaScriptCore.xcodeproj/project.pbxproj:
1341         * dfg/DFGCapabilities.cpp:
1342         (JSC::DFG::isSupported):
1343         (JSC::DFG::mightInlineFunctionForCall):
1344         (JSC::DFG::mightInlineFunctionForClosureCall):
1345         (JSC::DFG::mightInlineFunctionForConstruct):
1346         * dfg/DFGFunctionWhitelist.cpp: Added.
1347         (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
1348         (JSC::DFG::FunctionWhitelist::FunctionWhitelist):
1349         (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
1350         (JSC::DFG::FunctionWhitelist::contains):
1351         * dfg/DFGFunctionWhitelist.h: Added.
1352         * runtime/Options.cpp:
1353         (JSC::parse):
1354         (JSC::Options::dumpOption):
1355         * runtime/Options.h:
1356
1357 2014-05-02  Filip Pizlo  <fpizlo@apple.com>
1358
1359         DFGAbstractInterpreter should not claim Int52 arithmetic creates Int52s
1360         https://bugs.webkit.org/show_bug.cgi?id=132446
1361
1362         Reviewed by Mark Hahnenberg.
1363         
1364         Basically any arithmetic operation can turn an Int52 into an Int32 or vice-versa, and
1365         our modeling of Int52Rep nodes is such that they can have either Int32 or Int52 type
1366         to indicate a bound on the value. This is useful for knowing, for example, that
1367         Int52Rep(Int32:) returns a value that cannot be outside the Int32 range. Also,
1368         ValueRep(Int52Rep:) uses this to determine whether it may return a double or an int.
1369         But this means that all arithmetic operations must be careful to note that they may
1370         turn Int32 inputs into an Int52 output or vice-versa, as these new tests show.
1371
1372         * dfg/DFGAbstractInterpreterInlines.h:
1373         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1374         * dfg/DFGByteCodeParser.cpp:
1375         (JSC::DFG::ByteCodeParser::makeSafe):
1376         * tests/stress/int52-ai-add-then-filter-int32.js: Added.
1377         (foo):
1378         * tests/stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js: Added.
1379         (foo):
1380         * tests/stress/int52-ai-mul-then-filter-int32-directly.js: Added.
1381         (foo):
1382         * tests/stress/int52-ai-mul-then-filter-int32.js: Added.
1383         (foo):
1384         * tests/stress/int52-ai-neg-then-filter-int32.js: Added.
1385         (foo):
1386         * tests/stress/int52-ai-sub-then-filter-int32.js: Added.
1387         (foo):
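
As an added illustration (not DFG code) of the point in this entry, the C++ below runs an interval-domain abstract interpreter over Int52 arithmetic and derives each node's result type from its operand bounds rather than from the operands' types. The interval lattice, the `Interval`/`NumType` names, the `classify` and `int32FilterIsNoOp` helpers and the sample ranges are assumptions for the demo; the real AbstractInterpreter tracks speculated types. The cases mirror the shapes named by the new tests: add, neg and mul of Int32 inputs whose results leave the Int32 range, and a sub of Int52 inputs whose result fits in Int32, so a later filter to Int32 may only be dropped when the bounds prove it. An interpreter that over-claims here lets later phases drop a check, which is the general shape of a type-confusion bug in a JIT.

```cpp
// Added illustration, not JavaScriptCore/DFG code: an interval-domain abstract
// interpreter over "Int52" values (52-bit signed integers, the range of the
// DFG's Int52Rep nodes). The result type of every arithmetic node is recomputed
// from its operand ranges. Intervals are an assumption made for the demo.
#include <algorithm>
#include <cstdint>

constexpr int64_t kInt32Min = INT32_MIN;
constexpr int64_t kInt32Max = INT32_MAX;
constexpr int64_t kInt52Min = -(int64_t(1) << 51);
constexpr int64_t kInt52Max = (int64_t(1) << 51) - 1;

// Type an arithmetic node may claim for its output.
enum class NumType { Int32, Int52, NotInt52 };

// Abstract value: inclusive range of integers the node may produce.
struct Interval { int64_t lo, hi; };

// The type follows from the bounds, never from the operands' types.
NumType classify(Interval i) {
    if (i.lo >= kInt32Min && i.hi <= kInt32Max) return NumType::Int32;
    if (i.lo >= kInt52Min && i.hi <= kInt52Max) return NumType::Int52;
    return NumType::NotInt52;  // left Int52: needs a double or a bail-out
}

// A downstream "filter to Int32" may only be elided when the range proves it.
bool int32FilterIsNoOp(Interval i) { return classify(i) == NumType::Int32; }

// Saturate wide intermediates into int64 so bounds never wrap (GCC/Clang __int128).
static int64_t saturate(__int128 v) {
    if (v > INT64_MAX) return INT64_MAX;
    if (v < INT64_MIN) return INT64_MIN;
    return int64_t(v);
}

Interval add(Interval a, Interval b) { return {saturate((__int128)a.lo + b.lo), saturate((__int128)a.hi + b.hi)}; }
Interval sub(Interval a, Interval b) { return {saturate((__int128)a.lo - b.hi), saturate((__int128)a.hi - b.lo)}; }
Interval neg(Interval a)             { return {saturate(-(__int128)a.hi), saturate(-(__int128)a.lo)}; }
Interval mul(Interval a, Interval b) {
    __int128 c[4] = {(__int128)a.lo * b.lo, (__int128)a.lo * b.hi,
                     (__int128)a.hi * b.lo, (__int128)a.hi * b.hi};
    return {saturate(*std::min_element(c, c + 4)), saturate(*std::max_element(c, c + 4))};
}

// Worked cases with constructed operand ranges.
const Interval kAnyInt32{kInt32Min, kInt32Max};
const Interval kNonNegInt32{0, kInt32Max};
const Interval kNonPosInt32{kInt32Min, 0};

NumType addOfTwoInt32() { return classify(add(kNonNegInt32, kNonNegInt32)); }  // up to 2^32-2: Int52
NumType negOfInt32()    { return classify(neg(kNonPosInt32)); }                // -INT32_MIN = 2^31: Int52
NumType mulOfTwoInt32() { return classify(mul(kAnyInt32, kAnyInt32)); }        // up to 2^62: NotInt52
NumType subOfTwoInt52() {                                                      // big - big: Int32
    Interval big{int64_t(1) << 40, (int64_t(1) << 40) + 10};
    return classify(sub(big, big));
}
```

The two directions in the entry both show up: `addOfTwoInt32`, `negOfInt32` and `mulOfTwoInt32` take Int32 operands and produce Int52 (or wider) results, and `subOfTwoInt52` takes Int52 operands and produces a result that fits Int32. `int32FilterIsNoOp` is the decision a later phase would make; it must be driven by the computed range, not by the fact that the inputs were Int32.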
1388
1389 2014-05-01  Geoffrey Garen  <ggaren@apple.com>
1390
1391         JavaScriptCore fails to build with some versions of clang
1392         https://bugs.webkit.org/show_bug.cgi?id=132436
1393
1394         Reviewed by Anders Carlsson.
1395
1396         * runtime/ArgumentsIteratorConstructor.cpp: Since we call
1397         putDirectWithoutTransition, and it calls putWillGrowOutOfLineStorage,
1398         and both are marked inline, it's valid for the compiler to decide
1399         to inline both and emit neither in the binary. Therefore, we need
1400         both inline definitions to be available in the translation unit at
1401         compile time, or we'll try to link against a function that doesn't exist.
1402
1403 2014-05-01  Commit Queue  <commit-queue@webkit.org>
1404
1405         Unreviewed, rolling out r167964.
1406         https://bugs.webkit.org/show_bug.cgi?id=132431
1407
1408         Memory improvements should not regress memory usage (Requested
1409         by olliej on #webkit).
1410
1411         Reverted changeset:
1412
1413         "Don't hold on to parameter BindingNodes forever"
1414         https://bugs.webkit.org/show_bug.cgi?id=132360
1415         http://trac.webkit.org/changeset/167964
1416
1417 2014-05-01  Filip Pizlo  <fpizlo@apple.com>
1418
1419         Fix trivial debug-only race-that-crashes in CallLinkStatus and explain why the remaining races are totally awesome
1420         https://bugs.webkit.org/show_bug.cgi?id=132427
1421
1422         Reviewed by Mark Hahnenberg.
1423
1424         * bytecode/CallLinkStatus.cpp:
1425         (JSC::CallLinkStatus::computeFor):
1426
1427 2014-04-30  Simon Fraser  <simon.fraser@apple.com>
1428
1429         Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO
1430         https://bugs.webkit.org/show_bug.cgi?id=132396
1431
1432         Reviewed by Eric Carlson.
1433
1434         Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO and related code.
1435
1436         * Configurations/FeatureDefines.xcconfig:
1437
1438 2014-04-30  Filip Pizlo  <fpizlo@apple.com>
1439
1440         Argument flush formats should not be presumed to be JSValue since 'this' is weird
1441         https://bugs.webkit.org/show_bug.cgi?id=132404
1442
1443         Reviewed by Michael Saboff.
1444
1445         * dfg/DFGSpeculativeJIT.cpp:
1446         (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Don't assume that arguments are flushed as JSValue. Use the logic for locals instead.
1447         * dfg/DFGSpeculativeJIT32_64.cpp:
1448         (JSC::DFG::SpeculativeJIT::compile): SetArgument "changes" the format because before this we wouldn't know we had arguments.
1449         * dfg/DFGSpeculativeJIT64.cpp:
1450         (JSC::DFG::SpeculativeJIT::compile): Ditto.
1451         * dfg/DFGValueSource.cpp:
1452         (JSC::DFG::ValueSource::dumpInContext): Make this easier to dump.
1453         * dfg/DFGValueSource.h:
1454         (JSC::DFG::ValueSource::operator!): Make this easier to dump because Operands<T> uses T::operator!().
1455         * ftl/FTLOSREntry.cpp:
1456         (JSC::FTL::prepareOSREntry): This had a useful assertion for everything except 'this'.
1457         * tests/stress/strict-to-this-int.js: Added.
1458         (foo):
1459         (Number.prototype.valueOf):
1460         (test):
1461
1462 2014-04-29  Oliver Hunt  <oliver@apple.com>
1463
1464         Don't hold on to parameterBindingNodes forever
1465         https://bugs.webkit.org/show_bug.cgi?id=132360
1466
1467         Reviewed by Geoffrey Garen.
1468
1469         Don't keep the parameter nodes anymore. Instead we store the
1470         original parameter string and reparse whenever we actually
1471         need them. Because we only actually need them for compilation
1472         this only results in a single extra parse.
1473
1474         * bytecode/UnlinkedCodeBlock.cpp:
1475         (JSC::generateFunctionCodeBlock):
1476         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1477         (JSC::UnlinkedFunctionExecutable::visitChildren):
1478         (JSC::UnlinkedFunctionExecutable::finishCreation):
1479         (JSC::UnlinkedFunctionExecutable::paramString):
1480         (JSC::UnlinkedFunctionExecutable::parameters):
1481         (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
1482         * bytecode/UnlinkedCodeBlock.h:
1483         (JSC::UnlinkedFunctionExecutable::create):
1484         (JSC::UnlinkedFunctionExecutable::parameterCount):
1485         (JSC::UnlinkedFunctionExecutable::parameters): Deleted.
1486         (JSC::UnlinkedFunctionExecutable::finishCreation): Deleted.
1487         * parser/ASTBuilder.h:
1488         (JSC::ASTBuilder::ASTBuilder):
1489         (JSC::ASTBuilder::setFunctionBodyParameters):
1490         * parser/Nodes.h:
1491         (JSC::FunctionBodyNode::parametersStartOffset):
1492         (JSC::FunctionBodyNode::parametersEndOffset):
1493         (JSC::FunctionBodyNode::setParameterLocation):
1494         * parser/Parser.cpp:
1495         (JSC::Parser<LexerType>::parseFunctionInfo):
1496         (JSC::parseParameters):
1497         * parser/Parser.h:
1498         (JSC::parse):
1499         * parser/SourceCode.h:
1500         (JSC::SourceCode::subExpression):
1501         * parser/SyntaxChecker.h:
1502         (JSC::SyntaxChecker::setFunctionBodyParameters):
1503
1504 2014-04-29  Mark Hahnenberg  <mhahnenberg@apple.com>
1505
1506         JSProxies should be cacheable
1507         https://bugs.webkit.org/show_bug.cgi?id=132351
1508
1509         Reviewed by Geoffrey Garen.
1510
1511         Whenever we encounter a proxy in an inline cache we should try to cache on the 
1512         proxy's target instead of giving up.
1513
1514         This patch adds support for a simple "recursive" inline cache if the base object
1515         we're accessing is a pure forwarding proxy. JSGlobalObject and its subclasses 
1516         are the only ones to benefit from this right now.
1517
1518         This is performance neutral on the benchmarks we track. Currently we won't
1519         cache on JSDOMWindow due to HasImpureGetOwnPropertySlot, but this issue will be fixed soon.
1520
1521         * jit/Repatch.cpp:
1522         (JSC::generateByIdStub):
1523         (JSC::tryBuildGetByIDList):
1524         (JSC::tryCachePutByID):
1525         (JSC::tryBuildPutByIdList):
1526         * jsc.cpp:
1527         (GlobalObject::finishCreation):
1528         (functionCreateProxy):
1529         * runtime/IntendedStructureChain.cpp:
1530         (JSC::IntendedStructureChain::isNormalized):
1531         * runtime/JSCellInlines.h:
1532         (JSC::JSCell::isProxy):
1533         * runtime/JSGlobalObject.h:
1534         (JSC::JSGlobalObject::finishCreation):
1535         * runtime/JSProxy.h:
1536         (JSC::JSProxy::createStructure):
1537         (JSC::JSProxy::targetOffset):
1538         * runtime/JSType.h:
1539         * runtime/Operations.h:
1540         (JSC::isPrototypeChainNormalized):
1541         * runtime/Structure.h:
1542         (JSC::Structure::isProxy):
1543         * tests/stress/proxy-inline-cache.js: Added.
1544         (cacheOnTarget.getX):
1545         (cacheOnTarget):
1546         (cacheOnPrototypeOfTarget.getX):
1547         (cacheOnPrototypeOfTarget):
1548         (dontCacheOnProxyInPrototypeChain.getX):
1549         (dontCacheOnProxyInPrototypeChain):
1550         (dontCacheOnTargetOfProxyInPrototypeChainOfTarget.getX):
1551         (dontCacheOnTargetOfProxyInPrototypeChainOfTarget):
1552
1553 2014-04-29  Filip Pizlo  <fpizlo@apple.com>
1554
1555         Use LLVM as a backend for the fourth-tier DFG JIT (a.k.a. the FTL JIT)
1556         https://bugs.webkit.org/show_bug.cgi?id=112840
1557
1558         Rubber stamped by Geoffrey Garen.
1559
1560         * Configurations/FeatureDefines.xcconfig:
1561
1562 2014-04-29  Geoffrey Garen  <ggaren@apple.com>
1563
1564         String.prototype.trim removes U+200B from strings.
1565         https://bugs.webkit.org/show_bug.cgi?id=130184
1566
1567         Reviewed by Michael Saboff.
1568
1569         * runtime/StringPrototype.cpp:
1570         (JSC::trimString):
1571         (JSC::isTrimWhitespace): Deleted.
1572
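Added example (not JavaScriptCore's trimString): a spec-style trim over UTF-16 code units. ECMAScript trims WhiteSpace (TAB, VT, FF, SP, NBSP, BOM and the Unicode Zs category) plus LineTerminator; U+200B ZERO WIDTH SPACE is category Cf, so a conforming trim keeps it, which is why input validation that relies on trim() does not strip invisible characters. The Zs table assumes a current Unicode version, and UChar is assumed to be char16_t.

```cpp
// Added example: ECMAScript-conformant trim that keeps U+200B.
#include <cstdint>
#include <string>

typedef char16_t UChar; // assumption: JSC's UChar is a 16-bit code unit

// Unicode Space_Separator (Zs) code points (assumed current UCD).
static bool isSpaceSeparator(UChar c)
{
    switch (c) {
    case 0x0020: case 0x00A0: case 0x1680:
    case 0x2000: case 0x2001: case 0x2002: case 0x2003: case 0x2004:
    case 0x2005: case 0x2006: case 0x2007: case 0x2008: case 0x2009: case 0x200A:
    case 0x202F: case 0x205F: case 0x3000:
        return true;
    default:
        return false;
    }
}

// ECMAScript WhiteSpace: TAB, VT, FF, SP, NBSP, BOM (U+FEFF) and any Zs.
// U+200B is deliberately absent: it is Cf, not Zs.
static bool isStrWhiteSpace(UChar c)
{
    switch (c) {
    case 0x0009: case 0x000B: case 0x000C: case 0xFEFF:
        return true;
    default:
        return isSpaceSeparator(c);
    }
}

// ECMAScript LineTerminator: LF, CR, LS, PS.
static bool isLineTerminator(UChar c)
{
    return c == 0x000A || c == 0x000D || c == 0x2028 || c == 0x2029;
}

static bool isTrimmable(UChar c)
{
    return isStrWhiteSpace(c) || isLineTerminator(c);
}

enum TrimKind { TrimLeft = 1, TrimRight = 2, TrimBoth = TrimLeft | TrimRight };

// Trims from the chosen ends, stopping at the first non-trimmable code unit.
std::u16string trimString(const std::u16string& s, int kind = TrimBoth)
{
    size_t left = 0;
    size_t right = s.size();
    if (kind & TrimLeft) {
        while (left < right && isTrimmable(s[left]))
            ++left;
    }
    if (kind & TrimRight) {
        while (right > left && isTrimmable(s[right - 1]))
            --right;
    }
    return s.substr(left, right - left);
}
```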
1573 2014-04-29  Mark Lam  <mark.lam@apple.com>
1574
1575         Zombifying sweep should ignore retired blocks.
1576         <https://webkit.org/b/132344>
1577
1578         Reviewed by Mark Hahnenberg.
1579
1580         By definition, retired blocks do not have "dead" objects, or at least
1581         none that we know of yet until the next marking phase has been run
1582         over them.  So, we should not be sweeping them (even for zombie mode).
1583
1584         * heap/Heap.cpp:
1585         (JSC::Heap::zombifyDeadObjects):
1586         * heap/MarkedSpace.cpp:
1587         (JSC::MarkedSpace::zombifySweep):
1588         * heap/MarkedSpace.h:
1589         (JSC::ZombifySweep::operator()):
1590
1591 2014-04-29  Mark Lam  <mark.lam@apple.com>
1592
1593         Fix bit rot in zombie mode heap code.
1594         <https://webkit.org/b/132342>
1595
1596         Reviewed by Mark Hahnenberg.
1597
1598         Need to enter a DelayedReleaseScope before doing a sweep.
1599
1600         * heap/Heap.cpp:
1601         (JSC::Heap::zombifyDeadObjects):
1602
1603 2014-04-29  Tomas Popela  <tpopela@redhat.com>
1604
1605         LLINT loadisFromInstruction doesn't need special case for big endians
1606         https://bugs.webkit.org/show_bug.cgi?id=132330
1607
1608         Reviewed by Mark Lam.
1609
1610         The change introduced in r167076 was wrong. We should not apply the offset
1611         adjustment on loadisFromInstruction usage as the instruction
1612         (UnlinkedInstruction) is declared as a union (i.e. with the int32_t
1613         operand variable). The offset of the other union members will be the
1614         same as the offset of the first one, that is 0. The behavior here is the
1615         same on little and big endian architectures. Thus we don't need a
1616         special case for big endians.
1617
1618         * llint/LowLevelInterpreter.asm:
1619
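Added example (not JavaScriptCore's code): a stand-in union modelled on the description above, showing that an int32_t member of a union sits at offset 0 on every endianness, while reading the low 32 bits of a full pointer-sized word is the case that genuinely needs a big-endian adjustment. The Instruction/Opcode names are hypothetical.

```cpp
// Added example, not JSC's UnlinkedInstruction: a stand-in union layout.
#include <cstddef>
#include <cstdint>
#include <cstring>

struct Opcode; // hypothetical opcode type, never dereferenced here

// Every member of a union starts at the union's own address, so the
// int32_t operand is at offset 0 regardless of byte order.
union Instruction {
    const Opcode* opcode;
    int32_t operand;
    intptr_t pointerSized;
};

static bool isBigEndian()
{
    uint32_t probe = 0x01020304;
    unsigned char first;
    std::memcpy(&first, &probe, 1);
    return first == 0x01;
}

// Offset of the operand member: 0 on every architecture.
size_t operandOffsetInUnion()
{
    return offsetof(Instruction, operand);
}

// Offset of the low 32 bits inside a pointer-sized word. This is the case
// that depends on endianness: on 64-bit big-endian the low half is the
// second 4 bytes, so a special case would belong here, not in the union load.
size_t low32OffsetInWord()
{
    if (sizeof(intptr_t) == 4)
        return 0;
    return isBigEndian() ? sizeof(intptr_t) - 4 : 0;
}

// Loading the operand through the union member needs no adjustment.
int32_t loadisFromInstruction(const Instruction& i)
{
    return i.operand;
}

// Loading the low 32 bits of the whole word through raw bytes does.
int32_t loadLow32FromWord(const Instruction& i)
{
    int32_t v;
    const unsigned char* base = reinterpret_cast<const unsigned char*>(&i);
    std::memcpy(&v, base + low32OffsetInWord(), sizeof v);
    return v;
}

// Writing and reading the operand member round-trips on both endiannesses.
bool operandRoundTrips(int32_t value)
{
    Instruction i;
    i.operand = value;
    return loadisFromInstruction(i) == value;
}

// The adjusted raw load recovers the low half of a word written in full.
bool lowHalfLoadAgrees(intptr_t value)
{
    Instruction i;
    i.pointerSized = value;
    return loadLow32FromWord(i) == static_cast<int32_t>(value);
}
```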
1620 2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>
1621
1622         Simplify tryCacheGetById
1623         https://bugs.webkit.org/show_bug.cgi?id=132314
1624
1625         Reviewed by Oliver Hunt and Filip Pizlo.
1626
1627         This is neutral across all benchmarks we track, although it looks like a wee 0.5% progression on sunspider.
1628
1629         * jit/Repatch.cpp:
1630         (JSC::tryCacheGetByID): If we fail to cache on self, we just repatch to call tryBuildGetByIDList next time.
1631
1632 2014-04-28  Michael Saboff  <msaboff@apple.com>
1633
1634         REGRESSION(r153142) ASSERT from CodeBlock::dumpBytecode dumping String Switch Jump Tables
1635         https://bugs.webkit.org/show_bug.cgi?id=132315
1636
1637         Reviewed by Mark Hahnenberg.
1638
1639         Used the StringImpl version of utf8() instead of creating a String first.
1640
1641         * bytecode/CodeBlock.cpp:
1642         (JSC::CodeBlock::dumpBytecode):
1643
1644 2014-04-28  Filip Pizlo  <fpizlo@apple.com>
1645
1646         The LLInt is awesome and it should get more of the action.
1647
1648         Rubber stamped by Geoffrey Garen.
1649         
1650         5% speed-up on JSBench and no meaningful regressions.  Should be a PLT/DYE speed-up also.
1651
1652         * runtime/Options.h:
1653
1654 2014-04-27  Filip Pizlo  <fpizlo@apple.com>
1655
1656         GC should be able to remove things from the DFG worklist and cancel on-going compilations if it knows that the compilation would already be invalidated
1657         https://bugs.webkit.org/show_bug.cgi?id=132166
1658
1659         Reviewed by Oliver Hunt and Mark Hahnenberg.
1660         
1661         The GC can aid type inference by removing structures that are dead and jettisoning
1662         code that relies on those structures. This can dramatically accelerate type inference
1663         for some tricky programs.
1664         
1665         Unfortunately, we previously pinned any structures that enqueued compilations depended
1666         on. This means that if you're on a machine that only runs a single compilation thread
1667         and where compilations are relatively slow, you have a high chance of large numbers of
1668         structures being pinned during any GC since the compilation queue is likely to be full
1669         of random stuff.
1670         
1671         This comprehensively fixes this issue by allowing the GC to remove compilation plans
1672         if the things they depend on are dead, and to even cancel safepointed compilations.
1673         
1674         * bytecode/CodeBlock.cpp:
1675         (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
1676         (JSC::CodeBlock::isKnownToBeLiveDuringGC):
1677         (JSC::CodeBlock::finalizeUnconditionally):
1678         * bytecode/CodeBlock.h:
1679         (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan): Deleted.
1680         * dfg/DFGDesiredIdentifiers.cpp:
1681         (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
1682         * dfg/DFGDesiredIdentifiers.h:
1683         * dfg/DFGDesiredWatchpoints.h:
1684         * dfg/DFGDesiredWeakReferences.cpp:
1685         (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
1686         * dfg/DFGDesiredWeakReferences.h:
1687         * dfg/DFGGraphSafepoint.cpp:
1688         (JSC::DFG::GraphSafepoint::GraphSafepoint):
1689         * dfg/DFGGraphSafepoint.h:
1690         * dfg/DFGPlan.cpp:
1691         (JSC::DFG::Plan::Plan):
1692         (JSC::DFG::Plan::compileInThread):
1693         (JSC::DFG::Plan::compileInThreadImpl):
1694         (JSC::DFG::Plan::notifyCompiling):
1695         (JSC::DFG::Plan::notifyCompiled):
1696         (JSC::DFG::Plan::notifyReady):
1697         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
1698         (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
1699         (JSC::DFG::Plan::cancel):
1700         (JSC::DFG::Plan::visitChildren): Deleted.
1701         * dfg/DFGPlan.h:
1702         * dfg/DFGSafepoint.cpp:
1703         (JSC::DFG::Safepoint::Result::~Result):
1704         (JSC::DFG::Safepoint::Result::didGetCancelled):
1705         (JSC::DFG::Safepoint::Safepoint):
1706         (JSC::DFG::Safepoint::~Safepoint):
1707         (JSC::DFG::Safepoint::checkLivenessAndVisitChildren):
1708         (JSC::DFG::Safepoint::isKnownToBeLiveDuringGC):
1709         (JSC::DFG::Safepoint::cancel):
1710         (JSC::DFG::Safepoint::visitChildren): Deleted.
1711         * dfg/DFGSafepoint.h:
1712         (JSC::DFG::Safepoint::Result::Result):
1713         * dfg/DFGWorklist.cpp:
1714         (JSC::DFG::Worklist::compilationState):
1715         (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
1716         (JSC::DFG::Worklist::removeAllReadyPlansForVM):
1717         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
1718         (JSC::DFG::Worklist::visitWeakReferences):
1719         (JSC::DFG::Worklist::removeDeadPlans):
1720         (JSC::DFG::Worklist::runThread):
1721         (JSC::DFG::Worklist::visitChildren): Deleted.
1722         * dfg/DFGWorklist.h:
1723         * ftl/FTLCompile.cpp:
1724         (JSC::FTL::compile):
1725         * ftl/FTLCompile.h:
1726         * heap/CodeBlockSet.cpp:
1727         (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
1728         * heap/Heap.cpp:
1729         (JSC::Heap::markRoots):
1730         (JSC::Heap::visitCompilerWorklistWeakReferences):
1731         (JSC::Heap::removeDeadCompilerWorklistEntries):
1732         (JSC::Heap::visitWeakHandles):
1733         (JSC::Heap::collect):
1734         (JSC::Heap::visitCompilerWorklists): Deleted.
1735         * heap/Heap.h:
1736
1737 2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>
1738
1739         Deleting properties poisons objects
1740         https://bugs.webkit.org/show_bug.cgi?id=131551
1741
1742         Reviewed by Oliver Hunt.
1743
1744         This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.
1745
1746         * runtime/JSPropertyNameIterator.cpp:
1747         (JSC::JSPropertyNameIterator::create):
1748         * runtime/PropertyMapHashTable.h:
1749         (JSC::PropertyTable::hasDeletedOffset):
1750         (JSC::PropertyTable::hadDeletedOffset): If we ever had deleted properties we can no longer cache offsets when 
1751         iterating properties because we're required to iterate properties in insertion order.
1752         * runtime/Structure.cpp:
1753         (JSC::Structure::Structure):
1754         (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
1755         (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of 
1756         Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache 
1757         delete transitions, but we allow transitioning from them.
1758         (JSC::Structure::changePrototypeTransition):
1759         (JSC::Structure::despecifyFunctionTransition):
1760         (JSC::Structure::attributeChangeTransition):
1761         (JSC::Structure::toDictionaryTransition):
1762         (JSC::Structure::preventExtensionsTransition):
1763         (JSC::Structure::addPropertyWithoutTransition):
1764         (JSC::Structure::removePropertyWithoutTransition):
1765         (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
1766         (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
1767         * runtime/Structure.h:
1768         * runtime/StructureInlines.h:
1769         (JSC::Structure::setEnumerationCache):
1770         (JSC::Structure::hadDeletedOffsets):
1771         (JSC::Structure::propertyTable):
1772         (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
1773         * tests/stress/for-in-after-delete.js: Added.
1774         (foo):
1775
1776 2014-04-25  Andreas Kling  <akling@apple.com>
1777
1778         Inline (C++) GetByVal with numeric indices more aggressively.
1779         <https://webkit.org/b/132218>
1780
1781         We were already inlining the string indexed GetByVal path pretty well,
1782         while the path for numeric indices got neglected. No more!
1783
1784         ~9.5% improvement on Dromaeo/dom-traverse.html on my MBP:
1785
1786             Before: 199.50 runs/s
1787              After: 218.58 runs/s
1788
1789         Reviewed by Phil Pizlo.
1790
1791         * dfg/DFGOperations.cpp:
1792         * runtime/JSCJSValueInlines.h:
1793         (JSC::JSValue::get):
1794
1795             ALWAYS_INLINE all the things.
1796
1797         * runtime/JSObject.h:
1798         (JSC::JSObject::getPropertySlot):
1799
1800             Avoid fetching the Structure more than once. We have the same
1801             optimization in the string-indexed code path.
1802
1803 2014-04-25  Oliver Hunt  <oliver@apple.com>
1804
1805         Need earlier cell test
1806         https://bugs.webkit.org/show_bug.cgi?id=132211
1807
1808         Reviewed by Mark Lam.
1809
1810         Move cell test to before the function call repatch
1811         location, as the repatch logic for 32bit assumes that the
1812         caller will already have performed a cell check.
1813
1814         * jit/JITCall32_64.cpp:
1815         (JSC::JIT::compileOpCall):
1816
1817 2014-04-25  Andreas Kling  <akling@apple.com>
1818
1819         Un-fast-allocate JSGlobalObjectRareData because Windows doesn't build and I'm not in the mood.
1820
1821         * runtime/JSGlobalObject.h:
1822         (JSC::JSGlobalObject::JSGlobalObjectRareData::JSGlobalObjectRareData):
1823         (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData): Deleted.
1824
1825 2014-04-25  Andreas Kling  <akling@apple.com>
1826
1827         Windows build fix attempt.
1828
1829         * runtime/JSGlobalObject.h:
1830         (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData):
1831
1832 2014-04-25  Mark Lam  <mark.lam@apple.com>
1833
1834         Refactor debugging code to use BreakpointActions instead of Vector<ScriptBreakpointAction>.
1835         <https://webkit.org/b/132201>
1836
1837         Reviewed by Joseph Pecoraro.
1838
1839         BreakpointActions is Vector<ScriptBreakpointAction>.  Let's just consistently use
1840         BreakpointActions everywhere.
1841
1842         * inspector/ScriptBreakpoint.h:
1843         (Inspector::ScriptBreakpoint::ScriptBreakpoint):
1844         * inspector/ScriptDebugServer.cpp:
1845         (Inspector::ScriptDebugServer::setBreakpoint):
1846         (Inspector::ScriptDebugServer::getActionsForBreakpoint):
1847         * inspector/ScriptDebugServer.h:
1848         * inspector/agents/InspectorDebuggerAgent.cpp:
1849         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
1850         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1851         (Inspector::InspectorDebuggerAgent::setBreakpoint):
1852         (Inspector::InspectorDebuggerAgent::removeBreakpoint):
1853         * inspector/agents/InspectorDebuggerAgent.h:
1854
1855 2014-04-24  Filip Pizlo  <fpizlo@apple.com>
1856
1857         DFG worklist scanning should not treat the key as a separate entity
1858         https://bugs.webkit.org/show_bug.cgi?id=132167
1859
1860         Reviewed by Mark Hahnenberg.
1861         
1862         This simplifies the interface to the GC and will enable more optimizations.
1863
1864         * dfg/DFGCompilationKey.cpp:
1865         (JSC::DFG::CompilationKey::visitChildren): Deleted.
1866         * dfg/DFGCompilationKey.h:
1867         * dfg/DFGPlan.cpp:
1868         (JSC::DFG::Plan::visitChildren):
1869         * dfg/DFGWorklist.cpp:
1870         (JSC::DFG::Worklist::visitChildren):
1871
1872 2014-04-25  Oliver Hunt  <oliver@apple.com>
1873
1874         Remove unused parameter from codeblock linking function
1875         https://bugs.webkit.org/show_bug.cgi?id=132199
1876
1877         Reviewed by Anders Carlsson.
1878
1879         No change in behaviour. This is just a small change to make it
1880         slightly easier to reason about what the offsets in UnlinkedFunctionExecutable
1881         actually mean.
1882
1883         * bytecode/UnlinkedCodeBlock.cpp:
1884         (JSC::UnlinkedFunctionExecutable::link):
1885         * bytecode/UnlinkedCodeBlock.h:
1886         * runtime/Executable.cpp:
1887         (JSC::ProgramExecutable::initializeGlobalProperties):
1888
1889 2014-04-25  Andreas Kling  <akling@apple.com>
1890
1891         Mark some things with WTF_MAKE_FAST_ALLOCATED.
1892         <https://webkit.org/b/132198>
1893
1894         Use FastMalloc for more things.
1895
1896         Reviewed by Anders Carlsson.
1897
1898         * builtins/BuiltinExecutables.h:
1899         * heap/GCThreadSharedData.h:
1900         * inspector/JSConsoleClient.h:
1901         * inspector/agents/InspectorAgent.h:
1902         * runtime/CodeCache.h:
1903         * runtime/JSGlobalObject.h:
1904         * runtime/Lookup.cpp:
1905         (JSC::HashTable::createTable):
1906         (JSC::HashTable::deleteTable):
1907         * runtime/WeakGCMap.h:
1908
1909 2014-04-25  Antoine Quint  <graouts@webkit.org>
1910
1911         Implement Array.prototype.find()
1912         https://bugs.webkit.org/show_bug.cgi?id=130966
1913
1914         Reviewed by Oliver Hunt.
1915
1916         Implement Array.prototype.find() and Array.prototype.findIndex() as proposed in the Harmony spec.
1917
1918         * builtins/Array.prototype.js:
1919         (find):
1920         (findIndex):
1921         * runtime/ArrayPrototype.cpp:
1922
1923 2014-04-24  Brady Eidson  <beidson@apple.com>
1924
1925         Rename "IMAGE_CONTROLS" feature to "SERVICE_CONTROLS"
1926         https://bugs.webkit.org/show_bug.cgi?id=132155
1927
1928         Reviewed by Tim Horton.
1929
1930         * Configurations/FeatureDefines.xcconfig:
1931
1932 2014-04-24  Michael Saboff  <msaboff@apple.com>
1933
1934         REGRESSION: Apparent hang of PCE.js Mac OS System 7.0.1 on ARM64 devices
1935         https://bugs.webkit.org/show_bug.cgi?id=132147
1936
1937         Reviewed by Mark Lam.
1938
1939         Fixed or64(), eor32() and eor64() to use the "src" register when we have a valid logicalImm.
1940
1941         * assembler/MacroAssemblerARM64.h:
1942         (JSC::MacroAssemblerARM64::or64):
1943         (JSC::MacroAssemblerARM64::xor32):
1944         (JSC::MacroAssemblerARM64::xor64):
1945         * tests/stress/regress-132147.js: Added test.
1946
1947 2014-04-24  Mark Lam  <mark.lam@apple.com>
1948
1949         Make slowPathAllocsBetweenGCs a runtime option.
1950         <https://webkit.org/b/132137>
1951
1952         Reviewed by Mark Hahnenberg.
1953
1954         This will make it easier to more casually run tests with this configuration
1955         as well as to reproduce issues (instead of requiring a code mod and rebuild).
1956         We will now take --slowPathAllocsBetweenGCs=N where N is the number of
1957         slow path allocations before we trigger a collection.
1958
1959         The option defaults to 0, which is reserved to mean that we will not trigger
1960         any collections there.
1961
1962         * heap/Heap.h:
1963         * heap/MarkedAllocator.cpp:
1964         (JSC::MarkedAllocator::doTestCollectionsIfNeeded):
1965         (JSC::MarkedAllocator::allocateSlowCase):
1966         * heap/MarkedAllocator.h:
1967         * runtime/Options.h:
1968
1969 2014-04-23  Mark Lam  <mark.lam@apple.com>
1970
1971         The GC should only resume compiler threads that it suspended in the same GC pass.
1972         <https://webkit.org/b/132088>
1973
1974         Reviewed by Mark Hahnenberg.
1975
1976         Previously, this scenario could occur:
1977         1. Thread 1 starts a GC and tries to suspend DFG worklist threads.  However,
1978            no worklists were created yet at that time.
1979         2. Thread 2 starts to compile some functions and creates a DFG worklist, and
1980            acquires the worklist thread's lock.
1981         3. Thread 1's GC completes and tries to resume suspended DFG worklist threads.
1982            This time, it sees the worklist created by Thread 2 and ends up unlocking
1983            the worklist thread's lock that is supposedly held by Thread 2.
1984         Thereafter, chaos ensues.
1985
1986         The fix is to cache the worklists that were actually suspended by each GC pass,
1987         and only resume those when the GC is done.
1988
1989         This issue was discovered by enabling COLLECT_ON_EVERY_ALLOCATION and running
1990         the fast/workers layout tests.
1991
1992         * heap/Heap.cpp:
1993         (JSC::Heap::visitCompilerWorklists):
1994         (JSC::Heap::deleteAllCompiledCode):
1995         (JSC::Heap::suspendCompilerThreads):
1996         (JSC::Heap::resumeCompilerThreads):
1997         * heap/Heap.h:
1998
1999 2014-04-23  Mark Hahnenberg  <mhahnenberg@apple.com>
2000
2001         Arguments::copyBackingStore needs to update m_registers in tandem with m_registerArray
2002         https://bugs.webkit.org/show_bug.cgi?id=132079
2003
2004         Reviewed by Michael Saboff.
2005
2006         Since we're moving the register backing store, we don't want to leave a dangling pointer into a random CopiedBlock.
2007
2008         Also added a test that previously triggered this bug.
2009
2010         * runtime/Arguments.cpp:
2011         (JSC::Arguments::copyBackingStore): D'oh!
2012         * tests/stress/arguments-copy-register-array-backing-store.js: Added.
2013         (foo):
2014         (bar):
2015
2016 2014-04-23  Mark Rowe  <mrowe@apple.com>
2017
2018         [Mac] REGRESSION (r164823): Building JavaScriptCore creates files under /tmp/JavaScriptCore.dst
2019         <https://webkit.org/b/132053>
2020
2021         Reviewed by Dan Bernstein.
2022
2023         * JavaScriptCore.xcodeproj/project.pbxproj: Don't try to create a symlink at /usr/local/bin/jsc inside
2024         the DSTROOT unless we're building to the deployment location. Also remove the unnecessary -x argument
2025         from /bin/sh since that generates unnecessary output.
2026
2027 2014-04-22  Mark Lam  <mark.lam@apple.com>
2028
2029         DFG::Worklist should acquire the m_lock before iterating DFG plans.
2030         <https://webkit.org/b/132032>
2031
2032         Reviewed by Filip Pizlo.
2033
2034         Currently, there's a rightToRun mechanism that ensures that no compilation
2035         threads are running when the GC is iterating through the DFG worklists.
2036         However, this does not prevent a Worker thread from doing a DFG compilation
2037         and modifying the plans in the worklists thereby invalidating the plan
2038         iterator that the GC is using.  This patch fixes the issue by acquiring
2039         the worklist m_lock before iterating the worklist plans.
2040
2041         This issue was uncovered by running the fast/workers layout tests with
2042         COLLECT_ON_EVERY_ALLOCATION enabled.
2043
2044         * dfg/DFGWorklist.cpp:
2045         (JSC::DFG::Worklist::isActiveForVM):
2046         (JSC::DFG::Worklist::visitChildren):
2047
2048 2014-04-22  Brent Fulgham  <bfulgham@apple.com>
2049
2050         [Win] Support Python 2.7 in Cygwin
2051         https://bugs.webkit.org/show_bug.cgi?id=132023
2052
2053         Reviewed by Michael Saboff.
2054
2055         * DerivedSources.make: Use a conditional variable to define
2056         the path to Python/Perl.
2057
2058 2014-04-22  Filip Pizlo  <fpizlo@apple.com>
2059
2060         Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS
2061         https://bugs.webkit.org/show_bug.cgi?id=130867
2062         <rdar://problem/16432456> 
2063
2064         Reviewed by Mark Hahnenberg.
2065
2066         * Configurations/Base.xcconfig:
2067         * Configurations/LLVMForJSC.xcconfig:
2068
2069 2014-04-22  Alex Christensen  <achristensen@webkit.org>
2070
2071         [Win] Unreviewed build fix after my r167666.
2072
2073         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
2074         Added ../../../ again to include headers in Source/JavaScriptCore.
2075
2076 2014-04-22  Alex Christensen  <achristensen@webkit.org>
2077
2078         Removed old stdbool and inttypes headers.
2079         https://bugs.webkit.org/show_bug.cgi?id=131966
2080
2081         Reviewed by Brent Fulgham.
2082
2083         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
2084         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
2085         Removed references to os-win32 directory.
2086         * os-win32: Removed.
2087         * os-win32/inttypes.h: Removed.
2088         * os-win32/stdbool.h: Removed.
2089
2090 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
2091
2092         DFG::clobberize() should honestly admit that profiler and debugger nodes are effectful
2093         https://bugs.webkit.org/show_bug.cgi?id=131971
2094         <rdar://problem/16676511>
2095
2096         Reviewed by Mark Lam.
2097
2098         * dfg/DFGClobberize.h:
2099         (JSC::DFG::clobberize):
2100
2101 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
2102
2103         Switch statements that skip the baseline JIT should work
2104         https://bugs.webkit.org/show_bug.cgi?id=131965
2105
2106         Reviewed by Mark Hahnenberg.
2107
2108         * bytecode/JumpTable.h:
2109         (JSC::SimpleJumpTable::ensureCTITable):
2110         * dfg/DFGSpeculativeJIT.cpp:
2111         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2112         * jit/JITOpcodes.cpp:
2113         (JSC::JIT::emit_op_switch_imm):
2114         (JSC::JIT::emit_op_switch_char):
2115         * jit/JITOpcodes32_64.cpp:
2116         (JSC::JIT::emit_op_switch_imm):
2117         (JSC::JIT::emit_op_switch_char):
2118         * tests/stress/inline-llint-with-switch.js: Added.
2119         (foo):
2120         (bar):
2121         (test):
2122
2123 2014-04-21  Mark Hahnenberg  <mhahnenberg@apple.com>
2124
2125         Arguments objects shouldn't need a destructor
2126         https://bugs.webkit.org/show_bug.cgi?id=131899
2127
2128         Reviewed by Oliver Hunt.
2129
2130         This patch rids Arguments objects of their destructors. It does this by 
2131         switching their backing stores to use CopiedSpace rather than malloc memory.
2132
2133         * dfg/DFGSpeculativeJIT.cpp:
2134         (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Fix the code emitted for inline
2135         Arguments allocation so that it only emits an extra write for strict mode code rather
2136         than unconditionally.
2137         * heap/CopyToken.h: New CopyTokens for the two different types of Arguments backing stores.
2138         * runtime/Arguments.cpp:
2139         (JSC::Arguments::visitChildren): We need to tell the collector to copy the backing stores now.
2140         (JSC::Arguments::copyBackingStore): Do the actual copying of the backing stores.
2141         (JSC::Arguments::deletePropertyByIndex): Update all the accesses to SlowArgumentData and m_registerArray.
2142         (JSC::Arguments::deleteProperty):
2143         (JSC::Arguments::defineOwnProperty):
2144         (JSC::Arguments::allocateRegisterArray):
2145         (JSC::Arguments::tearOff):
2146         (JSC::Arguments::destroy): Deleted. We don't need the destructor any more.
2147         * runtime/Arguments.h:
2148         (JSC::Arguments::registerArraySizeInBytes):
2149         (JSC::Arguments::SlowArgumentData::SlowArgumentData): Switch SlowArgumentData to being allocated
2150         in CopiedSpace. Now the SlowArgumentData and its backing store are a single contiguous CopiedSpace
2151         allocation.
2152         (JSC::Arguments::SlowArgumentData::slowArguments):
2153         (JSC::Arguments::SlowArgumentData::bytecodeToMachineCaptureOffset):
2154         (JSC::Arguments::SlowArgumentData::setBytecodeToMachineCaptureOffset):
2155         (JSC::Arguments::SlowArgumentData::sizeForNumArguments):
2156         (JSC::Arguments::Arguments):
2157         (JSC::Arguments::allocateSlowArguments):
2158         (JSC::Arguments::tryDeleteArgument):
2159         (JSC::Arguments::isDeletedArgument):
2160         (JSC::Arguments::isArgument):
2161         (JSC::Arguments::argument):
2162         (JSC::Arguments::finishCreation):
2163         * runtime/SymbolTable.h:
2164
2165 2014-04-21  Eric Carlson  <eric.carlson@apple.com>
2166
2167         [Mac] implement WebKitDataCue
2168         https://bugs.webkit.org/show_bug.cgi?id=131799
2169
2170         Reviewed by Dean Jackson.
2171
2172         * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.
2173
2174 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
2175
2176         Unreviewed test gardening, run the repeat-out-of-bounds tests again.
2177
2178         * tests/stress/float32-repeat-out-of-bounds.js:
2179         * tests/stress/int8-repeat-out-of-bounds.js:
2180
2181 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
2182
2183         OSR exit should know about Int52 and Double constants
2184         https://bugs.webkit.org/show_bug.cgi?id=131945
2185
2186         Reviewed by Oliver Hunt.
2187         
2188         The DFG OSR exit machinery's ignorance would lead to some constants becoming
2189         jsUndefined() after OSR exit.
2190         
2191         The FTL OSR exit machinery's ignorance just meant that we would sometimes use a
2192         stackmap constant rather than baking the constant into the OSRExit data structure.
2193         So, not a big deal, but worth fixing.
2194         
2195         Also added some helpful hacks to jsc.cpp for testing such OSR exit pathologies.
2196
2197         * dfg/DFGByteCodeParser.cpp:
2198         (JSC::DFG::ByteCodeParser::handleIntrinsic):
2199         * dfg/DFGMinifiedNode.h:
2200         (JSC::DFG::belongsInMinifiedGraph):
2201         (JSC::DFG::MinifiedNode::hasConstantNumber):
2202         * ftl/FTLLowerDFGToLLVM.cpp:
2203         (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
2204         * jsc.cpp:
2205         (GlobalObject::finishCreation):
2206         (functionOtherFalse):
2207         (functionUndefined):
2208         * runtime/Intrinsic.h:
2209         * tests/stress/fold-to-double-constant-then-exit.js: Added.
2210         (foo):
2211         * tests/stress/fold-to-int52-constant-then-exit.js: Added.
2212         (foo):
2213
2214 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
2215
2216         Provide feedback when we encounter an unrecognized node in the FTL backend.
2217
2218         Rubber stamped by Alexey Proskuryakov.
2219
2220         * ftl/FTLLowerDFGToLLVM.cpp:
2221         (JSC::FTL::LowerDFGToLLVM::compileNode):
2222
2223 2014-04-21  Andreas Kling  <akling@apple.com>
2224
2225         Move the JSString cache from DOMWrapperWorld to VM.
2226         <https://webkit.org/b/131940>
2227
2228         Reviewed by Geoff Garen.
2229
2230         * runtime/VM.h:
2231
2232 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
2233
2234         Take block execution count estimates into account when voting double
2235         https://bugs.webkit.org/show_bug.cgi?id=131906
2236
2237         Reviewed by Geoffrey Garen.
2238         
2239         This was a drama in three acts.
2240         
2241         Act I: Slurp in BasicBlock::executionCount and use it as a weight when counting the
2242             number of uses of a variable that want double or non-double. Easy as pie. This
2243             gave me a huge speed-up on FloatMM and a huge slow-down on basically everything
2244             else.
2245         
2246         Act II: Realize that there were some programs where our previous double voting was
2247             just on the edge of disaster and making it more precise tipped it over. In
2248             particular, if you had an integer variable that would infrequently be used in a
2249             computation that resulted in a variable that was frequently used as an array index,
2250             the outer infrequentness would be the thing we'd use in the vote. So, an array
2251             index would become double. We fix this by reviving global backwards propagation
2252             and introducing the concept of ReallyWantsInt, which is used just for array
2253             indices. Any variable transitively flagged as ReallyWantsInt will never be forced
2254             double. We need that flag to be separate from UsedAsInt, since UsedAsInt needs to
2255             be set in bitops for RageConversion but using it for double forcing is too much.
2256             Basically, it's cheaper to have to convert a double to an int for a bitop than it
2257             is to convert a double to an int for an array index; also a variable being used as
2258             an array index is a much stronger hint that it ought to be an int. This recovered
2259             performance on everything except programs that used FTL OSR entry.
2260         
2261         Act III: Realize that OSR entrypoint creation creates blocks that have NaN execution
2262             count, which then completely pollutes the weighting - essentially all votes go
2263             NaN. Fix this with some surgical defenses. Basically, any client of execution
2264             counts should allow for them to be NaN and shouldn't completely fall off a cliff
2265             when it happens.
2266         
2267         This is awesome. 75% speed-up on FloatMM. 11% speed-up on audio-dft. This leads to
2268         7% speed-up on AsmBench and 2% speed-up on Kraken.
2269
2270         * CMakeLists.txt:
2271         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2272         * JavaScriptCore.xcodeproj/project.pbxproj:
2273         * dfg/DFGBackwardsPropagationPhase.cpp:
2274         (JSC::DFG::BackwardsPropagationPhase::run):
2275         (JSC::DFG::BackwardsPropagationPhase::propagate):
2276         * dfg/DFGGraph.cpp:
2277         (JSC::DFG::Graph::dumpBlockHeader):
2278         * dfg/DFGGraph.h:
2279         (JSC::DFG::Graph::voteNode):
2280         (JSC::DFG::Graph::voteChildren):
2281         * dfg/DFGNodeFlags.cpp:
2282         (JSC::DFG::dumpNodeFlags):
2283         * dfg/DFGNodeFlags.h:
2284         * dfg/DFGOSREntrypointCreationPhase.cpp:
2285         (JSC::DFG::OSREntrypointCreationPhase::run):
2286         * dfg/DFGPlan.cpp:
2287         (JSC::DFG::Plan::compileInThreadImpl):
2288         * dfg/DFGPredictionPropagationPhase.cpp:
2289         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
2290         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
2291         * dfg/DFGVariableAccessData.cpp: Added.
2292         (JSC::DFG::VariableAccessData::VariableAccessData):
2293         (JSC::DFG::VariableAccessData::mergeIsCaptured):
2294         (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox):
2295         (JSC::DFG::VariableAccessData::predict):
2296         (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction):
2297         (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
2298         (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
2299         (JSC::DFG::VariableAccessData::mergeDoubleFormatState):
2300         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
2301         (JSC::DFG::VariableAccessData::flushFormat):
2302         * dfg/DFGVariableAccessData.h:
2303         (JSC::DFG::VariableAccessData::vote):
2304         (JSC::DFG::VariableAccessData::VariableAccessData): Deleted.
2305         (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
2306         (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox): Deleted.
2307         (JSC::DFG::VariableAccessData::predict): Deleted.
2308         (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction): Deleted.
2309         (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote): Deleted.
2310         (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat): Deleted.
2311         (JSC::DFG::VariableAccessData::mergeDoubleFormatState): Deleted.
2312         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat): Deleted.
2313         (JSC::DFG::VariableAccessData::flushFormat): Deleted.
2314
2315 2014-04-21  Michael Saboff  <msaboff@apple.com>
2316
2317         REGRESSION(r167591): ARM64 and ARM traditional builds broken
2318         https://bugs.webkit.org/show_bug.cgi?id=131935
2319
2320         Reviewed by Mark Hahnenberg.
2321
2322         Added store8(TrustedImm32, MacroAssembler::Address) to the ARM traditional and ARM64
2323         macro assemblers.  Added a new test for the original patch.
2324
2325         * assembler/MacroAssemblerARM.h:
2326         (JSC::MacroAssemblerARM::store8):
2327         * assembler/MacroAssemblerARM64.h:
2328         (JSC::MacroAssemblerARM64::store8):
2329         * tests/stress/dfg-create-arguments-inline-alloc.js: New test.
2330
2331 2014-04-21  Mark Hahnenberg  <mhahnenberg@apple.com>
2332
2333         Inline allocate Arguments objects in the DFG
2334         https://bugs.webkit.org/show_bug.cgi?id=131897
2335
2336         Reviewed by Geoffrey Garen.
2337
2338         Many libraries/frameworks depend on the arguments object for overloaded API entry points. 
2339         This is the first step to making Arguments fast(er). We'll duplicate the logic in Arguments::create 
2340         for now and take the slow path for complicated cases like slow arguments, tearing off for strict mode, etc.
2341
2342         * dfg/DFGSpeculativeJIT.cpp:
2343         (JSC::DFG::SpeculativeJIT::emitAllocateArguments):
2344         * dfg/DFGSpeculativeJIT.h:
2345         (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
2346         * dfg/DFGSpeculativeJIT32_64.cpp:
2347         (JSC::DFG::SpeculativeJIT::compile):
2348         * dfg/DFGSpeculativeJIT64.cpp:
2349         (JSC::DFG::SpeculativeJIT::compile):
2350         * runtime/Arguments.h:
2351         (JSC::Arguments::offsetOfActivation):
2352         (JSC::Arguments::offsetOfOverrodeLength):
2353         (JSC::Arguments::offsetOfIsStrictMode):
2354         (JSC::Arguments::offsetOfRegisterArray):
2355         (JSC::Arguments::offsetOfCallee):
2356         (JSC::Arguments::allocationSize):
2357
2358 2014-04-20  Andreas Kling  <akling@apple.com>
2359
2360         Speed up jsStringWithCache() through WeakGCMap inlining.
2361         <https://webkit.org/b/131923>
2362
2363         Always inline WeakGCMap::add() but move the slow garbage collecting
2364         path out-of-line.
2365
2366         Reviewed by Darin Adler.
2367
2368         * runtime/WeakGCMap.h:
2369         (JSC::WeakGCMap::add):
2370         (JSC::WeakGCMap::gcMap):
2371
2372 2014-04-20  László Langó  <llango.u-szeged@partner.samsung.com>
2373
2374         JavaScriptCore: ARM build fix after r167094.
2375         https://bugs.webkit.org/show_bug.cgi?id=131612
2376
2377         Reviewed by Michael Saboff.
2378
2379         After r167094 there are many build errors on ARM like these:
2380
2381             /tmp/ccgtHRno.s:370: Error: invalid constant (425a) after fixup
2382             /tmp/ccgtHRno.s:374: Error: invalid constant (426e) after fixup
2383             /tmp/ccgtHRno.s:378: Error: invalid constant (4282) after fixup
2384             /tmp/ccgtHRno.s:382: Error: invalid constant (4296) after fixup
2385
2386         Problem is caused by the wrong generated assembly like:
2387             "\tmov r2, (" LOCAL_LABEL_STRING(llint_op_strcat) " - " LOCAL_LABEL_STRING(relativePCBase) ")\n" // /home/webkit/WebKit/Source/JavaScriptCore/llint/LowLevelInterpreter.asm:741
2388
2389         `mov` can only move an 8-bit immediate, but not every constant fits into 8 bits. Clang converts
2390         the mov to a single movw or a movw and a movt, depending on the immediate, but binutils doesn't.
2391         Add a new ARM specific offline assembler instruction (`mvlbl`) for the following llint_entry
2392         use case: move rn, (label1-label2) which is translated to movw and movt.
2393
2394         * llint/LowLevelInterpreter.asm:
2395         * offlineasm/arm.rb:
2396         * offlineasm/instructions.rb:
2397
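The `mov`-immediate limit described in the entry above, as an added example that is not part of the ChangeLog or of WebKit's offlineasm (which is written in Ruby): a JavaScript check for whether a 32-bit constant fits ARM's modified-immediate form, an 8-bit value rotated right by an even amount, and the movw/movt fallback for constants such as 0x425a that do not. The helper and register names are the editor's, and the `mvn` alternative that assemblers sometimes pick for complemented constants is deliberately not modelled.

```javascript
// Added example (editor's code, not WebKit's): ARM "modified immediate" check.
// A 32-bit constant is encodable in a plain mov only if it equals an 8-bit value
// rotated right by an even number of bit positions (0, 2, ..., 30).

function rotl32(value, n) {
  n &= 31;
  if (n === 0) return value >>> 0;
  return ((value << n) | (value >>> (32 - n))) >>> 0;
}

// Returns { imm8, rotate } when `value` == ROR(imm8, rotate) for some even
// rotate, or null when no rotation fits (the assembler would reject the mov).
function armModifiedImmediate(value) {
  value >>>= 0;
  for (let rotate = 0; rotate < 32; rotate += 2) {
    // Undo the right rotation: if the result fits in 8 bits, we found the encoding.
    const imm8 = rotl32(value, rotate);
    if (imm8 <= 0xff) return { imm8, rotate };
  }
  return null;
}

// Emit the instruction(s) that load `value` into `reg`: one mov when the constant
// is encodable, otherwise movw for the low 16 bits (which zero-extends) followed
// by movt for the high 16 bits when they are nonzero.
function emitLoadConstant(reg, value) {
  value >>>= 0;
  if (armModifiedImmediate(value) !== null) {
    return [`mov ${reg}, #0x${value.toString(16)}`];
  }
  const lo = value & 0xffff;
  const hi = value >>> 16;
  const out = [`movw ${reg}, #0x${lo.toString(16)}`];
  if (hi !== 0) out.push(`movt ${reg}, #0x${hi.toString(16)}`);
  return out;
}

// Constructed inputs: the first constant is one from the build errors above.
const SAMPLE_CONSTANTS = [0x425a, 0xff, 0xff000000, 0x3fc, 0x101, 0x12345678];
for (const c of SAMPLE_CONSTANTS) {
  console.log(`0x${c.toString(16)}:`, emitLoadConstant('r2', c).join('; '));
}
```

The loop tries each even rotation by rotating the constant back to the left; binutils reports "invalid constant ... after fixup" exactly when this search finds nothing, which is the case for 0x425a, so a label difference that does not happen to fit must be split into movw/movt.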
2398 2014-04-20  Csaba Osztrogonác  <ossy@webkit.org>
2399
2400         [ARM] Unreviewed build fix after r167336.
2401
2402         * assembler/MacroAssemblerARM.h:
2403         (JSC::MacroAssemblerARM::branchAdd32):
2404
2405 2014-04-20  Commit Queue  <commit-queue@webkit.org>
2406
2407         Unreviewed, rolling out r167501.
2408         https://bugs.webkit.org/show_bug.cgi?id=131913
2409
2410         It broke DYEBench (Requested by mhahnenberg on #webkit).
2411
2412         Reverted changeset:
2413
2414         "Deleting properties poisons objects"
2415         https://bugs.webkit.org/show_bug.cgi?id=131551
2416         http://trac.webkit.org/changeset/167501
2417
2418 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
2419
2420         It should be OK to store new fields into objects that have no prototypes
2421         https://bugs.webkit.org/show_bug.cgi?id=131905
2422
2423         Reviewed by Mark Hahnenberg.
2424
2425         * dfg/DFGByteCodeParser.cpp:
2426         (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
2427         * tests/stress/put-by-id-transition-null-prototype.js: Added.
2428         (foo):
2429
2430 2014-04-19  Benjamin Poulain  <bpoulain@apple.com>
2431
2432         Make the CSS JIT compile for ARM64
2433         https://bugs.webkit.org/show_bug.cgi?id=131834
2434
2435         Reviewed by Gavin Barraclough.
2436
2437         Extend the ARM64 MacroAssembler to support the code generation required by
2438         the CSS JIT.
2439
2440         * assembler/MacroAssembler.h:
2441         * assembler/MacroAssemblerARM64.h:
2442         (JSC::MacroAssemblerARM64::addPtrNoFlags):
2443         (JSC::MacroAssemblerARM64::or32):
2444         (JSC::MacroAssemblerARM64::branchPtr):
2445         (JSC::MacroAssemblerARM64::test32):
2446         (JSC::MacroAssemblerARM64::branch):
2447         * assembler/MacroAssemblerX86Common.h:
2448         (JSC::MacroAssemblerX86Common::test32):
2449
2450 2014-04-19  Andreas Kling  <akling@apple.com>
2451
2452         Two little shortcuts to the JSType.
2453         <https://webkit.org/b/131896>
2454
2455         Tweak two sites that take the long road through JSCell::structure()->typeInfo()
2456         to look at data that's already in JSCell::type().
2457
2458         Reviewed by Darin Adler.
2459
2460         * runtime/NameInstance.h:
2461         (JSC::isName):
2462         * runtime/NumberPrototype.cpp:
2463         (JSC::toThisNumber):
2464
2465 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
2466
2467         Make it easier to check if an integer sum would overflow
2468         https://bugs.webkit.org/show_bug.cgi?id=131900
2469
2470         Reviewed by Darin Adler.
2471
2472         * dfg/DFGOperations.cpp:
2473         * runtime/Operations.h:
2474         (JSC::jsString):
2475
2476 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
2477
2478         Address some feedback on https://bugs.webkit.org/show_bug.cgi?id=130684.
2479
2480         * dfg/DFGOperations.cpp:
2481         * runtime/JSString.h:
2482         (JSC::JSRopeString::RopeBuilder::append):
2483
2484 2014-04-18  Mark Lam  <mark.lam@apple.com>
2485
2486         REGRESSION(r164205): WebKit crash @StructureIDTable::get.
2487         <https://webkit.org/b/130539>
2488
2489         Reviewed by Geoffrey Garen.
2490
2491         prepareOSREntry() prepares for OSR entry by first copying the local var
2492         values from the baseline frame to a scratch buffer, which is then used
2493         to fill in the locals in their new position in the DFG frame.  Unfortunately,
2494         prepareOSREntry() was using the DFG frame's frameRegisterCount as the frame
2495         size of the baseline frame.  As a result, some values of locals in the
2496         baseline frame were not saved off, and the DFG frame may get initialized
2497         with random content that happened to be in the uninitialized (and possibly
2498         unallocated) portions of the scratch buffer.
2499
2500         The fix is to use OSREntryData::m_expectedValues.numberOfLocals() as the
2501         number of locals in the baseline frame that we want to copy to the scratch
2502         buffer.
2503
2504         Note: osrEntryThunkGenerator() is expecting the DFG frameRegisterCount
2505         at offset 0 in the scratch buffer.  So, we continue to write that value
2506         there, not the baseline frame size.
2507
2508         * dfg/DFGOSREntry.cpp:
2509         (JSC::DFG::prepareOSREntry):
2510
2511 2014-04-18  Timothy Hatcher  <timothy@apple.com>
2512
2513         Web Inspector: Move InspectorProfilerAgent to JavaScriptCore
2514         https://bugs.webkit.org/show_bug.cgi?id=131673
2515
2516         Passes existing profiler and inspector tests.
2517
2518         Reviewed by Joseph Pecoraro.
2519
2520         * CMakeLists.txt:
2521         * DerivedSources.make:
2522         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2523         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2524         * JavaScriptCore.xcodeproj/project.pbxproj:
2525         * inspector/JSConsoleClient.cpp:
2526         (Inspector::JSConsoleClient::JSConsoleClient):
2527         (Inspector::JSConsoleClient::profile):
2528         (Inspector::JSConsoleClient::profileEnd):
2529         (Inspector::JSConsoleClient::count): Deleted.
2530         * inspector/JSConsoleClient.h:
2531         * inspector/JSGlobalObjectInspectorController.cpp:
2532         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2533         * inspector/agents/InspectorProfilerAgent.cpp: Added.
2534         (Inspector::InspectorProfilerAgent::InspectorProfilerAgent):
2535         (Inspector::InspectorProfilerAgent::~InspectorProfilerAgent):
2536         (Inspector::InspectorProfilerAgent::addProfile):
2537         (Inspector::InspectorProfilerAgent::createProfileHeader):
2538         (Inspector::InspectorProfilerAgent::enable):
2539         (Inspector::InspectorProfilerAgent::disable):
2540         (Inspector::InspectorProfilerAgent::getUserInitiatedProfileName):
2541         (Inspector::InspectorProfilerAgent::getProfileHeaders):
2542         (Inspector::buildInspectorObject):
2543         (Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
2544         (Inspector::InspectorProfilerAgent::getCPUProfile):
2545         (Inspector::InspectorProfilerAgent::removeProfile):
2546         (Inspector::InspectorProfilerAgent::reset):
2547         (Inspector::InspectorProfilerAgent::didCreateFrontendAndBackend):
2548         (Inspector::InspectorProfilerAgent::willDestroyFrontendAndBackend):
2549         (Inspector::InspectorProfilerAgent::start):
2550         (Inspector::InspectorProfilerAgent::stop):
2551         (Inspector::InspectorProfilerAgent::setRecordingProfile):
2552         (Inspector::InspectorProfilerAgent::startProfiling):
2553         (Inspector::InspectorProfilerAgent::stopProfiling):
2554         * inspector/agents/InspectorProfilerAgent.h: Added.
2555         * inspector/agents/JSGlobalObjectProfilerAgent.cpp: Copied from Source/WebCore/inspector/ScriptProfile.idl.
2556         (Inspector::JSGlobalObjectProfilerAgent::JSGlobalObjectProfilerAgent):
2557         (Inspector::JSGlobalObjectProfilerAgent::profilingGlobalExecState):
2558         * inspector/agents/JSGlobalObjectProfilerAgent.h: Copied from Source/WebCore/inspector/ScriptProfile.idl.
2559         * inspector/protocol/Profiler.json: Renamed from Source/WebCore/inspector/protocol/Profiler.json.
2560         * profiler/Profile.h:
2561         * runtime/ConsoleClient.h:
2562
2563 2014-04-18  Commit Queue  <commit-queue@webkit.org>
2564
2565         Unreviewed, rolling out r167527.
2566         https://bugs.webkit.org/show_bug.cgi?id=131883
2567
2568         Broke 32-bit build (Requested by ap on #webkit).
2569
2570         Reverted changeset:
2571
2572         "[Mac] implement WebKitDataCue"
2573         https://bugs.webkit.org/show_bug.cgi?id=131799
2574         http://trac.webkit.org/changeset/167527
2575
2576 2014-04-18  Eric Carlson  <eric.carlson@apple.com>
2577
2578         [Mac] implement WebKitDataCue
2579         https://bugs.webkit.org/show_bug.cgi?id=131799
2580
2581         Reviewed by Dean Jackson.
2582
2583         * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.
2584
2585 2014-04-18  Filip Pizlo  <fpizlo@apple.com>
2586
2587         Actually address Mark's review feedback.
2588
2589         * dfg/DFGOSRExitCompilerCommon.cpp:
2590         (JSC::DFG::handleExitCounts):
2591
2592 2014-04-18  Filip Pizlo  <fpizlo@apple.com>
2593
2594         Options::maximumExecutionCountsBetweenCheckpoints() should be higher for DFG->FTL tier-up but the same for other tier-ups
2595         https://bugs.webkit.org/show_bug.cgi?id=131850
2596
2597         Reviewed by Mark Hahnenberg.
2598         
2599         Templatize ExecutionCounter to allow for two different styles of calculating the
2600         checkpoint threshold.
2601         
2602         Appears to be a slight speed-up on DYEBench.
2603
2604         * bytecode/CodeBlock.h:
2605         (JSC::CodeBlock::llintExecuteCounter):
2606         (JSC::CodeBlock::offsetOfJITExecuteCounter):
2607         (JSC::CodeBlock::offsetOfJITExecutionActiveThreshold):
2608         (JSC::CodeBlock::offsetOfJITExecutionTotalCount):
2609         (JSC::CodeBlock::jitExecuteCounter):
2610         * bytecode/ExecutionCounter.cpp:
2611         (JSC::ExecutionCounter<countingVariant>::ExecutionCounter):
2612         (JSC::ExecutionCounter<countingVariant>::forceSlowPathConcurrently):
2613         (JSC::ExecutionCounter<countingVariant>::checkIfThresholdCrossedAndSet):
2614         (JSC::ExecutionCounter<countingVariant>::setNewThreshold):
2615         (JSC::ExecutionCounter<countingVariant>::deferIndefinitely):
2616         (JSC::applyMemoryUsageHeuristics):
2617         (JSC::applyMemoryUsageHeuristicsAndConvertToInt):
2618         (JSC::ExecutionCounter<countingVariant>::hasCrossedThreshold):
2619         (JSC::ExecutionCounter<countingVariant>::setThreshold):
2620         (JSC::ExecutionCounter<countingVariant>::reset):
2621         (JSC::ExecutionCounter<countingVariant>::dump):
2622         (JSC::ExecutionCounter::ExecutionCounter): Deleted.
2623         (JSC::ExecutionCounter::forceSlowPathConcurrently): Deleted.
2624         (JSC::ExecutionCounter::checkIfThresholdCrossedAndSet): Deleted.
2625         (JSC::ExecutionCounter::setNewThreshold): Deleted.
2626         (JSC::ExecutionCounter::deferIndefinitely): Deleted.
2627         (JSC::ExecutionCounter::applyMemoryUsageHeuristics): Deleted.
2628         (JSC::ExecutionCounter::applyMemoryUsageHeuristicsAndConvertToInt): Deleted.
2629         (JSC::ExecutionCounter::hasCrossedThreshold): Deleted.
2630         (JSC::ExecutionCounter::setThreshold): Deleted.
2631         (JSC::ExecutionCounter::reset): Deleted.
2632         (JSC::ExecutionCounter::dump): Deleted.
2633         * bytecode/ExecutionCounter.h:
2634         (JSC::formattedTotalExecutionCount):
2635         (JSC::ExecutionCounter::maximumExecutionCountsBetweenCheckpoints):
2636         (JSC::ExecutionCounter::clippedThreshold):
2637         (JSC::ExecutionCounter::formattedTotalCount): Deleted.
2638         * dfg/DFGJITCode.h:
2639         * dfg/DFGOSRExitCompilerCommon.cpp:
2640         (JSC::DFG::handleExitCounts):
2641         * llint/LowLevelInterpreter.asm:
2642         * runtime/Options.h:
2643
2644 2014-04-17  Mark Hahnenberg  <mhahnenberg@apple.com>
2645
2646         Deleting properties poisons objects
2647         https://bugs.webkit.org/show_bug.cgi?id=131551
2648
2649         Reviewed by Geoffrey Garen.
2650
2651         This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.
2652
2653         * runtime/Structure.cpp:
2654         (JSC::Structure::Structure):
2655         (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
2656         (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of 
2657         Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache 
2658         delete transitions, but we allow transitioning from them.
2659         (JSC::Structure::changePrototypeTransition):
2660         (JSC::Structure::despecifyFunctionTransition):
2661         (JSC::Structure::attributeChangeTransition):
2662         (JSC::Structure::toDictionaryTransition):
2663         (JSC::Structure::preventExtensionsTransition):
2664         (JSC::Structure::addPropertyWithoutTransition):
2665         (JSC::Structure::removePropertyWithoutTransition):
2666         (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
2667         (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
2668         * runtime/Structure.h:
2669         * runtime/StructureInlines.h:
2670         (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
2671
2672 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
2673
2674         InlineCallFrameSet should be refcounted
2675         https://bugs.webkit.org/show_bug.cgi?id=131829
2676
2677         Reviewed by Geoffrey Garen.
2678         
2679         And DFG::Plan should hold a ref to it. Previously it was owned by Graph until it
2680         became owned by JITCode. Except that if we're "failing" to compile, JITCode may die.
2681         Even as it dies, the GC may still want to scan the DFG::Plan, which leads to scanning
2682         the DesiredWriteBarriers, which leads to scanning the InlineCallFrameSet.
2683         
2684         So, just make the darn thing refcounted.
2685
2686         * bytecode/InlineCallFrameSet.h:
2687         * dfg/DFGArgumentsSimplificationPhase.cpp:
2688         (JSC::DFG::ArgumentsSimplificationPhase::run):
2689         * dfg/DFGByteCodeParser.cpp:
2690         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2691         * dfg/DFGCommonData.h:
2692         * dfg/DFGGraph.cpp:
2693         (JSC::DFG::Graph::Graph):
2694         (JSC::DFG::Graph::requiredRegisterCountForExit):
2695         * dfg/DFGGraph.h:
2696         * dfg/DFGJITCompiler.cpp:
2697         (JSC::DFG::JITCompiler::link):
2698         * dfg/DFGPlan.cpp:
2699         (JSC::DFG::Plan::Plan):
2700         * dfg/DFGPlan.h:
2701         * dfg/DFGStackLayoutPhase.cpp:
2702         (JSC::DFG::StackLayoutPhase::run):
2703         * ftl/FTLFail.cpp:
2704         (JSC::FTL::fail):
2705         * ftl/FTLLink.cpp:
2706         (JSC::FTL::link):
2707
2708 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
2709
2710         FTL::fail() should manage memory "correctly"
2711         https://bugs.webkit.org/show_bug.cgi?id=131823
2712         <rdar://problem/16384297>
2713
2714         Reviewed by Oliver Hunt.
2715
2716         * ftl/FTLFail.cpp:
2717         (JSC::FTL::fail):
2718
2719 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
2720
2721         Prediction propagator should correctly model Int52s flowing through arguments
2722         https://bugs.webkit.org/show_bug.cgi?id=131822
2723         <rdar://problem/16641408>
2724
2725         Reviewed by Oliver Hunt.
2726
2727         * dfg/DFGPredictionPropagationPhase.cpp:
2728         (JSC::DFG::PredictionPropagationPhase::propagate):
2729         * tests/stress/int52-argument.js: Added.
2730         (foo):
2731         * tests/stress/int52-variable.js: Added.
2732         (foo):
2733
2734 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
2735
2736         REGRESSION: ASSERT(!typeInfo().hasImpureGetOwnPropertySlot() || typeInfo().newImpurePropertyFiresWatchpoints()) on jquery tests
2737         https://bugs.webkit.org/show_bug.cgi?id=131798
2738
2739         Reviewed by Alexey Proskuryakov.
2740         
2741         Some day, we will fix https://bugs.webkit.org/show_bug.cgi?id=131810 and some version
2742         of this assertion can return. For now, it's not clear that the assertion is guarding
2743         any truly undesirable behavior - so it should just go away and be replaced with a
2744         FIXME.
2745
2746         * bytecode/GetByIdStatus.cpp:
2747         (JSC::GetByIdStatus::computeForStubInfo):
2748         * runtime/Structure.h:
2749         (JSC::Structure::takesSlowPathInDFGForImpureProperty):
2750
2751 2014-04-17  David Kilzer  <ddkilzer@apple.com>
2752
2753         Blind attempt to fix Windows build after r166837
2754         <http://webkit.org/b/131246>
2755
2756         Hoping to fix this build error:
2757
2758             warning MSB8027: Two or more files with the name of GCLogging.cpp will produce outputs to the same location. This can lead to an incorrect build result.  The files involved are ..\heap\GCLogging.cpp, ..\heap\GCLogging.cpp.
2759
2760         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Fix copy-paste
2761         boo-boo by changing the GCLogging.cpp ClCompile entry to a
2762         GCLogging.h ClInclude entry.
2763
2764 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
2765
2766         AI for GetLocal should match the DFG backend, and in this case, the best way to do that is to get rid of the "exit if empty prediction" thing since it's a vestige of a time long gone
2767         https://bugs.webkit.org/show_bug.cgi?id=131764
2768
2769         Reviewed by Geoffrey Garen.
2770         
2771         The attached test case can be made to not crash by deleting old code. It used to be
2772         the case that the DFG needed empty prediction guards, for shady reasons. We fixed that
2773         long ago. At this point, these guards just make life difficult. So get rid of them.
2774
2775         * dfg/DFGAbstractInterpreterInlines.h:
2776         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2777         * dfg/DFGSpeculativeJIT32_64.cpp:
2778         (JSC::DFG::SpeculativeJIT::compile):
2779         * dfg/DFGSpeculativeJIT64.cpp:
2780         (JSC::DFG::SpeculativeJIT::compile):
2781         * tests/stress/bug-131764.js: Added.
2782         (test1):
2783         (test2):
2784
2785 2014-04-17  Darin Adler  <darin@apple.com>
2786
2787         Add separate flag for IndexedDatabase in workers since the current implementation is not threadsafe
2788         https://bugs.webkit.org/show_bug.cgi?id=131785
2789         rdar://problem/16003108
2790
2791         Reviewed by Brady Eidson.
2792
2793         * Configurations/FeatureDefines.xcconfig: Added INDEXED_DATABASE_IN_WORKERS.
2794
2795 2014-04-16  Alexey Proskuryakov  <ap@apple.com>
2796
2797         Build fix after http://trac.webkit.org/changeset/167416 (Sink NaN sanitization)
2798
2799         * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::speculate):
2800
2801 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
2802
2803         Extra error reporting for invalid value conversions
2804         https://bugs.webkit.org/show_bug.cgi?id=131786
2805
2806         Rubber stamped by Ryosuke Niwa.
2807
2808         * dfg/DFGFixupPhase.cpp:
2809         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2810
2811 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
2812
2813         Sink NaN sanitization to uses and remove it when it's unnecessary
2814         https://bugs.webkit.org/show_bug.cgi?id=131419
2815
2816         Reviewed by Oliver Hunt.
2817         
2818         This moves NaN purification to stores that could see an impure NaN.
2819         
2820         5% speed-up on AsmBench, 50% speed-up on AsmBench/n-body. It is a regression on FloatMM
2821         though, because of the other bug that causes that benchmark to box doubles in a loop.
2822
2823         * bytecode/SpeculatedType.h:
2824         (JSC::isInt32SpeculationForArithmetic):
2825         (JSC::isMachineIntSpeculationForArithmetic):
2826         (JSC::isDoubleSpeculation):
2827         (JSC::isDoubleSpeculationForArithmetic):
2828         * dfg/DFGAbstractInterpreterInlines.h:
2829         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2830         * dfg/DFGAbstractValue.cpp:
2831         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
2832         * dfg/DFGFixupPhase.cpp:
2833         (JSC::DFG::FixupPhase::fixupNode):
2834         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2835         * dfg/DFGInPlaceAbstractState.cpp:
2836         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
2837         * dfg/DFGPredictionPropagationPhase.cpp:
2838         (JSC::DFG::PredictionPropagationPhase::propagate):
2839         * dfg/DFGSpeculativeJIT.cpp:
2840         (JSC::DFG::SpeculativeJIT::compileValueRep):
2841         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
2842         * dfg/DFGUseKind.h:
2843         (JSC::DFG::typeFilterFor):
2844         * ftl/FTLLowerDFGToLLVM.cpp:
2845         (JSC::FTL::LowerDFGToLLVM::compileValueRep):
2846         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2847         * runtime/PureNaN.h:
2848         * tests/stress/float32-array-nan-inlined.js: Added.
2849         (foo):
2850         (test):
2851         * tests/stress/float32-array-nan.js: Added.
2852         (foo):
2853         (test):
2854         * tests/stress/float64-array-nan-inlined.js: Added.
2855         (foo):
2856         (isBigEndian):
2857         (test):
2858         * tests/stress/float64-array-nan.js: Added.
2859         (foo):
2860         (isBigEndian):
2861         (test):
2862
2863 2014-04-16  Brent Fulgham  <bfulgham@apple.com>
2864
2865         [Win] Unreviewed Windows gardening. Restrict our new 'isinf' check
2866         to 32-bit builds, and revise the comment to explain what we are
2867         doing.
2868
2869         * runtime/JSCJSValueInlines.h:
2870         (JSC::JSValue::isMachineInt): Provide motivation for the new
2871         'isinf' check for our 32-bit code path.
2872
2873 2014-04-16  Juergen Ributzka  <juergen@apple.com>
2874
2875         Allocate the data section on the heap again for FTL on ARM64
2876         https://bugs.webkit.org/show_bug.cgi?id=130156
2877
2878         Reviewed by Geoffrey Garen and Filip Pizlo.
2879
2880         * ftl/FTLCompile.cpp:
2881         (JSC::FTL::mmAllocateDataSection):
2882         * ftl/FTLDataSection.cpp:
2883         (JSC::FTL::DataSection::DataSection):
2884         (JSC::FTL::DataSection::~DataSection):
2885         * ftl/FTLDataSection.h:
2886
2887 2014-04-16  Mark Lam  <mark.lam@apple.com>
2888
2889         Crash in CodeBlock::setOptimizationThresholdBasedOnCompilationResult() when the debugger activates.
2890         <https://webkit.org/b/131747>
2891
2892         Reviewed by Filip Pizlo.
2893
2894         When the debugger is about to activate (e.g. enter stepping mode), it first
2895         waits for all DFG compilations to complete.  However, when the DFG completes,
2896         if compilation is successful, it will install a new DFG codeBlock.  The
2897         CodeBlock installation process is required to register codeBlocks with the
2898         debugger.  Debugger::registerCodeBlock() will eventually call
2899         CodeBlock::setSteppingMode() which may jettison the DFG codeBlock that we're
2900         trying to install.  Thereafter, chaos ensues.
2901
2902         This jettisoning only happens because the debugger currently sets its
2903         m_steppingMode flag before waiting for compilation to complete.  The fix is
2904         simply to set that flag only after compilation is complete.
2905
2906         * debugger/Debugger.cpp:
2907         (JSC::Debugger::setSteppingMode):
2908         (JSC::Debugger::registerCodeBlock):
2909
2910 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
2911
2912         Discern between NaNs that would be safe to tag and NaNs that need some purification before tagging
2913         https://bugs.webkit.org/show_bug.cgi?id=131420
2914
2915         Reviewed by Oliver Hunt.
2916         
2917         Rationalizes our handling of NaNs. We now have the notion of pureNaN(), or PNaN, which
2918         replaces QNaN and represents a "safe" NaN for our tagging purposes. NaN purification now
2919         goes through the purifyNaN() API.
2920         
2921         SpeculatedType and its clients can now distinguish between a PureNaN and an ImpureNaN.
2922         
2923         Prediction propagator is made slightly more cautious when dealing with NaNs. It doesn't
2924         have to be too cautious since most prediction-based logic only cares about whether or not
2925         a value could be an integer.
2926         
2927         AI is made much more cautious when dealing with NaNs. We don't yet introduce ImpureNaN
2928         anywhere in the compiler, but when we do, we ought to be able to trust AI to propagate it
2929         soundly and precisely.
2930         
2931         No performance change because this just unblocks
2932         https://bugs.webkit.org/show_bug.cgi?id=131419.
2933
2934         * API/JSValueRef.cpp:
2935         (JSValueMakeNumber):
2936         (JSValueToNumber):
2937         * JavaScriptCore.xcodeproj/project.pbxproj:
2938         * bytecode/SpeculatedType.cpp:
2939         (JSC::dumpSpeculation):
2940         (JSC::speculationFromValue):
2941         (JSC::typeOfDoubleSum):
2942         (JSC::typeOfDoubleDifference):
2943         (JSC::typeOfDoubleProduct):
2944         (JSC::polluteDouble):
2945         (JSC::typeOfDoubleQuotient):
2946         (JSC::typeOfDoubleMinMax):
2947         (JSC::typeOfDoubleNegation):
2948         (JSC::typeOfDoubleAbs):
2949         (JSC::typeOfDoubleFRound):
2950         (JSC::typeOfDoubleBinaryOp):
2951         (JSC::typeOfDoubleUnaryOp):
2952         * bytecode/SpeculatedType.h:
2953         * dfg/DFGAbstractInterpreterInlines.h:
2954         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2955         * dfg/DFGByteCodeParser.cpp:
2956         (JSC::DFG::ByteCodeParser::handleInlining):
2957         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2958         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
2959         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
2960         * dfg/DFGInPlaceAbstractState.cpp:
2961         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
2962         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
2963         (JSC::DFG::createPreHeader):
2964         * dfg/DFGNode.h:
2965         (JSC::DFG::BranchTarget::BranchTarget):
2966         * dfg/DFGOSREntrypointCreationPhase.cpp:
2967         (JSC::DFG::OSREntrypointCreationPhase::run):
2968         * dfg/DFGOSRExitCompiler32_64.cpp:
2969         (JSC::DFG::OSRExitCompiler::compileExit):
2970         * dfg/DFGOSRExitCompiler64.cpp:
2971         (JSC::DFG::OSRExitCompiler::compileExit):
2972         * dfg/DFGPredictionPropagationPhase.cpp:
2973         (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
2974         (JSC::DFG::PredictionPropagationPhase::propagate):
2975         * dfg/DFGSpeculativeJIT.cpp:
2976         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
2977         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
2978         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
2979         * dfg/DFGSpeculativeJIT32_64.cpp:
2980         (JSC::DFG::SpeculativeJIT::compile):
2981         * dfg/DFGSpeculativeJIT64.cpp:
2982         (JSC::DFG::SpeculativeJIT::compile):
2983         * dfg/DFGVariableAccessData.h:
2984         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
2985         * ftl/FTLLowerDFGToLLVM.cpp:
2986         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2987         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2988         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
2989         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
2990         (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
2991         (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
2992         (JSC::FTL::LowerDFGToLLVM::allocateJSArray):
2993         * ftl/FTLValueFormat.cpp:
2994         (JSC::FTL::reboxAccordingToFormat):
2995         * jit/AssemblyHelpers.cpp:
2996         (JSC::AssemblyHelpers::purifyNaN):
2997         (JSC::AssemblyHelpers::sanitizeDouble): Deleted.
2998         * jit/AssemblyHelpers.h:
2999         * jit/JITPropertyAccess.cpp:
3000         (JSC::JIT::emitFloatTypedArrayGetByVal):
3001         * runtime/DateConstructor.cpp:
3002         (JSC::constructDate):
3003         * runtime/DateInstanceCache.h:
3004         (JSC::DateInstanceData::DateInstanceData):
3005         (JSC::DateInstanceCache::reset):
3006         * runtime/ExceptionHelpers.cpp:
3007         (JSC::TerminatedExecutionError::defaultValue):
3008         * runtime/JSArray.cpp:
3009         (JSC::JSArray::setLength):
3010         (JSC::JSArray::pop):
3011         (JSC::JSArray::shiftCountWithAnyIndexingType):
3012         (JSC::JSArray::sortVector):
3013         (JSC::JSArray::compactForSorting):
3014         * runtime/JSArray.h:
3015         (JSC::JSArray::create):
3016         (JSC::JSArray::tryCreateUninitialized):
3017         * runtime/JSCJSValue.cpp:
3018         (JSC::JSValue::toNumberSlowCase):
3019         * runtime/JSCJSValue.h:
3020         * runtime/JSCJSValueInlines.h:
3021         (JSC::jsNaN):
3022         (JSC::JSValue::JSValue):
3023         (JSC::JSValue::getPrimitiveNumber):
3024         * runtime/JSGlobalObjectFunctions.cpp:
3025         (JSC::parseInt):
3026         (JSC::jsStrDecimalLiteral):
3027         (JSC::toDouble):
3028         (JSC::jsToNumber):
3029         (JSC::parseFloat):
3030         * runtime/JSObject.cpp:
3031         (JSC::JSObject::createInitialDouble):
3032         (JSC::JSObject::convertUndecidedToDouble):
3033         (JSC::JSObject::convertInt32ToDouble):
3034         (JSC::JSObject::deletePropertyByIndex):
3035         (JSC::JSObject::ensureLengthSlow):
3036         * runtime/MathObject.cpp:
3037         (JSC::mathProtoFuncMax):
3038         (JSC::mathProtoFuncMin):
3039         * runtime/PureNaN.h: Added.
3040         (JSC::pureNaN):
3041         (JSC::isImpureNaN):
3042         (JSC::purifyNaN):
3043         * runtime/TypedArrayAdaptors.h:
3044         (JSC::FloatTypedArrayAdaptor::toJSValue):
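
        The two NaN entries above (this one and the "Sink NaN sanitization" entry earlier in this log) rest on one hazard: under NaN-boxing, a NaN whose payload bits are arbitrary can collide with another tag. The following is an added example, not JavaScriptCore code; the tagging constants are an assumption modelled on JSC's 64-bit JSValue encoding, and pureNaN/isImpureNaN/purifyNaN here are stand-alone reconstructions named after the functions listed for runtime/PureNaN.h, not that header's bodies.

```cpp
// Added example, not JavaScriptCore code: a simplified 64-bit NaN-boxing scheme
// (assumption: modelled on JSC's JSValue encoding) showing why a NaN carrying
// payload bits must be purified before it is tagged as a double.
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstring>

namespace nanbox {

// Doubles are encoded as their bit pattern plus DoubleEncodeOffset. A value
// whose top 16 bits are all zero is a cell (pointer); one whose top 16 bits
// are all ones (NumberTag) is an int32. Every other pattern is a double.
constexpr uint64_t DoubleEncodeOffset = 1ULL << 48;
constexpr uint64_t NumberTag = 0xffff000000000000ULL;
constexpr uint64_t PureNaNBits = 0x7ff8000000000000ULL;

inline uint64_t bitsOf(double d) { uint64_t b; std::memcpy(&b, &d, sizeof b); return b; }
inline double doubleFromBits(uint64_t b) { double d; std::memcpy(&d, &b, sizeof d); return d; }

// The canonical quiet NaN: the only NaN bit pattern that is safe to tag.
inline double pureNaN() { return doubleFromBits(PureNaNBits); }

// A NaN is impure when its bits differ from the canonical pattern.
inline bool isImpureNaN(double d) { return std::isnan(d) && bitsOf(d) != PureNaNBits; }

// Collapse every NaN to the canonical one; other values pass through untouched.
inline double purifyNaN(double d) { return std::isnan(d) ? pureNaN() : d; }

enum class Kind { Cell, Int32, Double };

// Classify an encoded value by its tag bits, as the runtime would.
inline Kind kindOf(uint64_t encoded) {
    if ((encoded & NumberTag) == 0) return Kind::Cell;
    if ((encoded & NumberTag) == NumberTag) return Kind::Int32;
    return Kind::Double;
}

// Tagging without purification: an impure NaN can land on another tag.
inline uint64_t encodeDoubleUnchecked(double d) { return bitsOf(d) + DoubleEncodeOffset; }

// Tagging with purification: the result always classifies as a Double.
inline uint64_t encodeDouble(double d) { return encodeDoubleUnchecked(purifyNaN(d)); }

inline double decodeDouble(uint64_t encoded) { return doubleFromBits(encoded - DoubleEncodeOffset); }

// Constructed input: a quiet NaN with payload bits, the kind a Float64Array
// read of arbitrary bytes can yield. After the offset its top 16 bits are all
// ones, so an unchecked tag turns it into "int32 5".
inline double constructedImpureNaN() { return doubleFromBits(0xfffe000000000005ULL); }

} // namespace nanbox

int main() {
    using namespace nanbox;
    double impure = constructedImpureNaN();
    std::printf("impure NaN tagged unchecked -> kind %d (1 = Int32, misclassified)\n",
                int(kindOf(encodeDoubleUnchecked(impure))));
    std::printf("impure NaN tagged after purifyNaN -> kind %d (2 = Double)\n",
                int(kindOf(encodeDouble(impure))));
    return 0;
}
```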
3045
3046 2014-04-16  Juergen Ributzka  <juergen@apple.com>
3047
3048         Enable system library calls in FTL for ARM64
3049         https://bugs.webkit.org/show_bug.cgi?id=130154
3050
3051         Reviewed by Geoffrey Garen and Filip Pizlo.
3052
3053         * ftl/FTLIntrinsicRepository.h:
3054         * ftl/FTLOutput.h:
3055         (JSC::FTL::Output::doubleRem):
3056         (JSC::FTL::Output::doubleSin):
3057         (JSC::FTL::Output::doubleCos):
3058
3059 2014-04-16  peavo@outlook.com  <peavo@outlook.com>
3060
3061         Fix JSC Debug Regressions on Windows
3062         https://bugs.webkit.org/show_bug.cgi?id=131182
3063
3064         Reviewed by Brent Fulgham.
3065
3066         The cast static_cast<int64_t>(number) in JSValue::isMachineInt() can generate a floating point error,
3067         and set the st floating point register tags, if the value of the number parameter is infinite.
3068         If the st floating point register tags are not cleared, this can cause strange floating point behavior later on.
3069         This can be avoided by checking for infinity first.
3070
3071         * runtime/JSCJSValueInlines.h:
3072         (JSC::JSValue::isMachineInt): Avoid floating point error by checking for infinity first.
3073         * runtime/Options.cpp:
3074         (JSC::recomputeDependentOptions): Re-enable jit for Windows.
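
        The ordering point in the entry above, as an added example that is not JavaScriptCore's isMachineInt: NaN and the infinities are rejected before any cast to int64_t, because that conversion is undefined behaviour in C++ for such values and on x87 hardware also leaves the FPU flags set. The 52-bit range is an assumption modelled on JSC's Int52 representation.

```cpp
// Added example, not JavaScriptCore code: a stand-alone "is this double a
// machine int" test with the unsafe cast guarded by the isinf/isnan checks.
#include <cmath>
#include <cstdint>

namespace machineint {

constexpr int numberOfInt52Bits = 52;                       // assumption: Int52-style range
constexpr int64_t int52Max = (int64_t(1) << (numberOfInt52Bits - 1)) - 1;
constexpr int64_t int52Min = -(int64_t(1) << (numberOfInt52Bits - 1));

// Returns true when `number` is an integer that fits in a signed 52-bit
// machine int; -0.0 is rejected because no integer represents it.
inline bool isMachineInt(double number) {
    if (std::isnan(number))
        return false;           // NaN: never an integer, and unsafe to cast
    if (std::isinf(number))
        return false;           // +/-inf: out of range, and unsafe to cast
    if (number == 0.0 && std::signbit(number))
        return false;           // negative zero
    if (number > double(int52Max) || number < double(int52Min))
        return false;           // range check in double, before any cast
    int64_t asInt64 = static_cast<int64_t>(number);   // now well-defined
    return double(asInt64) == number;                  // exactly integral?
}

} // namespace machineint
```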
3075
3076 2014-04-16  Oliver Hunt  <oliver@apple.com>
3077
3078         Simple ES6 feature: Array.prototype.fill
3079         https://bugs.webkit.org/show_bug.cgi?id=131703
3080
3081         Reviewed by David Hyatt.
3082
3083         Add support for Array.prototype.fill
3084
3085         * builtins/Array.prototype.js:
3086         (fill):
3087         * runtime/ArrayPrototype.cpp:
3088
3089 2014-04-16  Mark Hahnenberg  <mhahnenberg@apple.com>
3090
3091         [WebKit] Cleanup the build from uninitialized variable in JavaScriptCore
3092         https://bugs.webkit.org/show_bug.cgi?id=131728
3093
3094         Reviewed by Darin Adler.
3095
3096         * runtime/JSObject.cpp:
3097         (JSC::JSObject::genericConvertDoubleToContiguous): Add a RELEASE_ASSERT on the 
3098         path we expect to never take. Also shut up confused compilers about uninitialized things.
3099
3100 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
3101
3102         Unreviewed, ARMv7 build fix after r167336.
3103
3104         * assembler/MacroAssemblerARMv7.h:
3105         (JSC::MacroAssemblerARMv7::branchAdd32):
3106
3107 2014-04-16  Gabor Rapcsanyi  <rgabor@webkit.org>
3108
3109         Unreviewed, ARM64 build fix after r167336.
3110
3111         * assembler/MacroAssemblerARM64.h:
3112         (JSC::MacroAssemblerARM64::branchAdd32): Add missing function.
3113
3114 2014-04-15  Filip Pizlo  <fpizlo@apple.com>
3115
3116         Unreviewed, add the obvious thing that marks MakeRope as exiting since it can exit.
3117
3118         * dfg/DFGAbstractInterpreterInlines.h:
3119         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3120
3121 2014-04-15  Filip Pizlo  <fpizlo@apple.com>
3122
3123         compileMakeRope does not emit necessary bounds checks
3124         https://bugs.webkit.org/show_bug.cgi?id=130684
3125         <rdar://problem/16398388>
3126
3127         Reviewed by Oliver Hunt.
3128         
3129         Add string length bounds checks in a bunch of places. We should never allow a string
3130         to have a length greater than 2^31-1 because it's not clear that the language has
3131         semantics for it and because there is code that assumes that this cannot happen.
3132         
3133         Also add a bunch of tests to that effect to cover the various ways in which this was
3134         previously allowed to happen.
3135
3136         * dfg/DFGOperations.cpp:
3137         * dfg/DFGSpeculativeJIT.cpp:
3138         (JSC::DFG::SpeculativeJIT::compileMakeRope):
3139         * ftl/FTLLowerDFGToLLVM.cpp:
3140         (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
3141         * runtime/JSString.cpp:
3142         (JSC::JSRopeString::RopeBuilder::expand):
3143         * runtime/JSString.h:
3144         (JSC::JSString::create):
3145         (JSC::JSRopeString::RopeBuilder::append):
3146         (JSC::JSRopeString::RopeBuilder::release):
3147         (JSC::JSRopeString::append):
3148         * runtime/Operations.h:
3149         (JSC::jsString):
3150         (JSC::jsStringFromRegisterArray):
3151         (JSC::jsStringFromArguments):
3152         * runtime/StringPrototype.cpp:
3153         (JSC::stringProtoFuncIndexOf):
3154         (JSC::stringProtoFuncSlice):
3155         (JSC::stringProtoFuncSubstring):
3156         (JSC::stringProtoFuncToLowerCase):
3157         * tests/stress/make-large-string-jit-strcat.js: Added.
3158         (foo):
3159         * tests/stress/make-large-string-jit.js: Added.
3160         (foo):
3161         * tests/stress/make-large-string-strcat.js: Added.
3162         * tests/stress/make-large-string.js: Added.
3163
3164 2014-04-15  Julien Brianceau  <jbriance@cisco.com>
3165
3166         Remove invalid sh4 specific code in JITInlines header.
3167         https://bugs.webkit.org/show_bug.cgi?id=131692
3168
3169         Reviewed by Geoffrey Garen.
3170
3171         * jit/JITInlines.h:
3172         (JSC::JIT::callOperation): Prototype is not F_JITOperation_EJJZ
3173         anymore since r160244, so the sh4 specific code is invalid now
3174         and has to be removed.
3175
3176 2014-04-15  Mark Hahnenberg  <mhahnenberg@apple.com>
3177
3178         Fix precedence issue in JSCell::setRemembered
3179
3180         Rubber stamped by Filip Pizlo.
3181
3182         * runtime/JSCell.h:
3183         (JSC::JSCell::setRemembered):
3184
3185 2014-04-15  Mark Hahnenberg  <mhahnenberg@apple.com>
3186
3187         Objective-C API external object graphs don't handle generational collection properly
3188         https://bugs.webkit.org/show_bug.cgi?id=131634
3189
3190         Reviewed by Geoffrey Garen.
3191
3192         If the set of Objective-C objects transitively reachable through an object changes, we 
3193         need to update the set of opaque roots accordingly. If we don't, the next EdenCollection 
3194         won't rescan the external object graph, which would lead us to consider a newly allocated 
3195         JSManagedValue to be dead.
3196
3197         * API/JSBase.cpp:
3198         (JSSynchronousEdenCollectForDebugging):
3199         * API/JSVirtualMachine.mm:
3200         (-[JSVirtualMachine initWithContextGroupRef:]):
3201         (-[JSVirtualMachine dealloc]):
3202         (-[JSVirtualMachine isOldExternalObject:]):
3203         (-[JSVirtualMachine addExternalRememberedObject:]):
3204         (-[JSVirtualMachine addManagedReference:withOwner:]):
3205         (-[JSVirtualMachine removeManagedReference:withOwner:]):
3206         (-[JSVirtualMachine externalRememberedSet]):
3207         (scanExternalObjectGraph):
3208         (scanExternalRememberedSet):
3209         * API/JSVirtualMachineInternal.h:
3210         * API/tests/testapi.mm:
3211         * heap/Heap.cpp:
3212         (JSC::Heap::markRoots):
3213         * heap/Heap.h:
3214         (JSC::Heap::slotVisitor):
3215         * heap/SlotVisitor.h:
3216         * heap/SlotVisitorInlines.h:
3217         (JSC::SlotVisitor::containsOpaqueRoot):
3218         (JSC::SlotVisitor::containsOpaqueRootTriState):
3219
3220 2014-04-15  Filip Pizlo  <fpizlo@apple.com>
3221
3222         DFG IR should keep the data flow of doubles and int52's separate from the data flow of JSValue's
3223         https://bugs.webkit.org/show_bug.cgi?id=131423
3224
3225         Reviewed by Geoffrey Garen.
3226         
3227         This introduces more static typing into DFG IR. Previously we just had the notion of
3228         JSValues and Storage. This was weird because doubles weren't always convertible to
3229         JSValues, and Int52s weren't always convertible to either doubles or JSValues. We would
3230         sort of insert explicit conversion nodes just for the places where we knew that an
3231         implicit conversion wouldn't have been possible -- but there was no hard and fast rule so
3232         we'd get bugs from forgetting to do the right conversion.
3233         
3234         This patch introduces a hard and fast rule: doubles can never be implicitly converted to
3235         anything but doubles, and likewise Int52's can never be implicitly converted. Conversion
3236         nodes are used for all of the conversions. Int52Rep, DoubleRep, and ValueRep are the
3237         conversions. They are like Identity but return the same value using a different
3238         representation. Likewise, constants may now be represented using either JSConstant,
3239         Int52Constant, or DoubleConstant. UseKinds have been adjusted accordingly, as well.
3240         Int52RepUse and DoubleRepUse are node uses that mean "the node must be of Int52 (or
3241         Double) type". They don't imply checks. There is also DoubleRepRealUse, which means that
3242         we speculate DoubleReal and expect Double representation.
3243         
3244         In addition to simplifying a bunch of rules in the IR and making the IR more verifiable,
3245         this also makes it easier to introduce optimizations in the future. It's now possible for
3246         AI to model when/how conversions take place. For example if doing a conversion results in
3247         NaN sanitization, then AI can model this and can allow us to sink sanitizations. That's
3248         what https://bugs.webkit.org/show_bug.cgi?id=131419 will be all about.
3249         
3250         This was a big change, so I had to do some interesting things, like finally get rid of
3251         the DFG's weird variadic template macro hacks and use real C++11 variadic templates. Also
3252         the ByteCodeParser no longer emits Identity nodes since that was always pointless.
3253         
3254         No performance change because this mostly just rationalizes preexisting behavior.
3255
3256         * JavaScriptCore.xcodeproj/project.pbxproj:
3257         * assembler/MacroAssemblerX86.h:
3258         * bytecode/CodeBlock.cpp:
3259         * bytecode/CodeBlock.h:
3260         * dfg/DFGAbstractInterpreter.h:
3261         (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
3262         (JSC::DFG::AbstractInterpreter::setConstant):
3263         * dfg/DFGAbstractInterpreterInlines.h:
3264         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3265         * dfg/DFGAbstractValue.cpp:
3266         (JSC::DFG::AbstractValue::set):
3267         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
3268         (JSC::DFG::AbstractValue::checkConsistency):
3269         * dfg/DFGAbstractValue.h:
3270         * dfg/DFGBackwardsPropagationPhase.cpp:
3271         (JSC::DFG::BackwardsPropagationPhase::propagate):
3272         * dfg/DFGBasicBlock.h:
3273         * dfg/DFGBasicBlockInlines.h:
3274         (JSC::DFG::BasicBlock::appendNode):
3275         (JSC::DFG::BasicBlock::appendNonTerminal):
3276         * dfg/DFGByteCodeParser.cpp:
3277         (JSC::DFG::ByteCodeParser::parseBlock):
3278         * dfg/DFGCSEPhase.cpp:
3279         (JSC::DFG::CSEPhase::constantCSE):
3280         (JSC::DFG::CSEPhase::performNodeCSE):
3281         (JSC::DFG::CSEPhase::int32ToDoubleCSE): Deleted.
3282         * dfg/DFGCapabilities.h:
3283         * dfg/DFGClobberize.h:
3284         (JSC::DFG::clobberize):
3285         * dfg/DFGConstantFoldingPhase.cpp:
3286         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3287         * dfg/DFGDCEPhase.cpp:
3288         (JSC::DFG::DCEPhase::fixupBlock):
3289         * dfg/DFGEdge.h:
3290         (JSC::DFG::Edge::willNotHaveCheck):
3291         * dfg/DFGFixupPhase.cpp:
3292         (JSC::DFG::FixupPhase::run):
3293         (JSC::DFG::FixupPhase::fixupNode):
3294         (JSC::DFG::FixupPhase::fixupGetAndSetLocalsInBlock):
3295         (JSC::DFG::FixupPhase::observeUseKindOnNode):
3296         (JSC::DFG::FixupPhase::fixIntEdge):
3297         (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
3298         (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
3299         (JSC::DFG::FixupPhase::tryToRelaxRepresentation):
3300         (JSC::DFG::FixupPhase::fixEdgeRepresentation):
3301         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
3302         (JSC::DFG::FixupPhase::addRequiredPhantom):
3303         (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
3304         (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
3305         (JSC::DFG::FixupPhase::fixupSetLocalsInBlock): Deleted.
3306         * dfg/DFGFlushFormat.h:
3307         (JSC::DFG::resultFor):
3308         (JSC::DFG::useKindFor):
3309         * dfg/DFGGraph.cpp:
3310         (JSC::DFG::Graph::dump):
3311         * dfg/DFGGraph.h:
3312         (JSC::DFG::Graph::addNode):
3313         * dfg/DFGInPlaceAbstractState.cpp:
3314         (JSC::DFG::InPlaceAbstractState::initialize):
3315         * dfg/DFGInsertionSet.h:
3316         (JSC::DFG::InsertionSet::insertNode):
3317         (JSC::DFG::InsertionSet::insertConstant):
3318         (JSC::DFG::InsertionSet::insertConstantForUse):
3319         * dfg/DFGIntegerCheckCombiningPhase.cpp:
3320         (JSC::DFG::IntegerCheckCombiningPhase::insertAdd):
3321         (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd):
3322         * dfg/DFGNode.cpp:
3323         (JSC::DFG::Node::convertToIdentity):
3324         (WTF::printInternal):
3325         * dfg/DFGNode.h:
3326         (JSC::DFG::Node::Node):
3327         (JSC::DFG::Node::setResult):
3328         (JSC::DFG::Node::result):
3329         (JSC::DFG::Node::isConstant):
3330         (JSC::DFG::Node::hasConstant):
3331         (JSC::DFG::Node::convertToConstant):
3332         (JSC::DFG::Node::valueOfJSConstant):
3333         (JSC::DFG::Node::hasResult):
3334         (JSC::DFG::Node::hasInt32Result):
3335         (JSC::DFG::Node::hasInt52Result):
3336         (JSC::DFG::Node::hasNumberResult):
3337         (JSC::DFG::Node::hasDoubleResult):
3338         (JSC::DFG::Node::hasJSResult):
3339         (JSC::DFG::Node::hasBooleanResult):
3340         (JSC::DFG::Node::hasStorageResult):
3341         (JSC::DFG::Node::defaultUseKind):
3342         (JSC::DFG::Node::defaultEdge):
3343         (JSC::DFG::Node::convertToIdentity): Deleted.
3344         * dfg/DFGNodeFlags.cpp:
3345         (JSC::DFG::dumpNodeFlags):
3346         * dfg/DFGNodeFlags.h:
3347         (JSC::DFG::canonicalResultRepresentation):
3348         * dfg/DFGNodeType.h:
3349         * dfg/DFGOSRExitCompiler32_64.cpp:
3350         (JSC::DFG::OSRExitCompiler::compileExit):
3351         * dfg/DFGOSRExitCompiler64.cpp:
3352         (JSC::DFG::OSRExitCompiler::compileExit):
3353         * dfg/DFGPredictionPropagationPhase.cpp:
3354         (JSC::DFG::PredictionPropagationPhase::propagate):
3355         * dfg/DFGResurrectionForValidationPhase.cpp:
3356         (JSC::DFG::ResurrectionForValidationPhase::run):
3357         * dfg/DFGSSAConversionPhase.cpp:
3358         (JSC::DFG::SSAConversionPhase::run):
3359         * dfg/DFGSafeToExecute.h:
3360         (JSC::DFG::SafeToExecuteEdge::operator()):
3361         (JSC::DFG::safeToExecute):
3362         * dfg/DFGSpeculativeJIT.cpp:
3363         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
3364         (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
3365         (JSC::DFG::SpeculativeJIT::silentFill):
3366         (JSC::DFG::JSValueRegsTemporary::JSValueRegsTemporary):
3367         (JSC::DFG::JSValueRegsTemporary::~JSValueRegsTemporary):
3368         (JSC::DFG::JSValueRegsTemporary::regs):
3369         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
3370         (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
3371         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
3372         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
3373         (JSC::DFG::SpeculativeJIT::compileValueRep):
3374         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
3375         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
3376         (JSC::DFG::SpeculativeJIT::compileAdd):
3377         (JSC::DFG::SpeculativeJIT::compileArithSub):
3378         (JSC::DFG::SpeculativeJIT::compileArithNegate):
3379         (JSC::DFG::SpeculativeJIT::compileArithMul):
3380         (JSC::DFG::SpeculativeJIT::compileArithDiv):
3381         (JSC::DFG::SpeculativeJIT::compileArithMod):
3382         (JSC::DFG::SpeculativeJIT::compare):
3383         (JSC::DFG::SpeculativeJIT::compileStrictEq):
3384         (JSC::DFG::SpeculativeJIT::speculateNumber):
3385         (JSC::DFG::SpeculativeJIT::speculateDoubleReal):
3386         (JSC::DFG::SpeculativeJIT::speculate):
3387         (JSC::DFG::SpeculativeJIT::compileInt32ToDouble): Deleted.
3388         (JSC::DFG::SpeculativeJIT::speculateMachineInt): Deleted.
3389         (JSC::DFG::SpeculativeJIT::speculateRealNumber): Deleted.
3390         * dfg/DFGSpeculativeJIT.h:
3391         (JSC::DFG::SpeculativeJIT::allocate):
3392         (JSC::DFG::SpeculativeJIT::use):
3393         (JSC::DFG::SpeculativeJIT::boxDouble):
3394         (JSC::DFG::SpeculativeJIT::spill):
3395         (JSC::DFG::SpeculativeJIT::jsValueResult):
3396         (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand):
3397         (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand):
3398         (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand):
3399         (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
3400         * dfg/DFGSpeculativeJIT32_64.cpp:
3401         (JSC::DFG::SpeculativeJIT::fillJSValue):
3402         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
3403         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3404         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3405         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3406         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
3407         (JSC::DFG::SpeculativeJIT::emitBranch):
3408         (JSC::DFG::SpeculativeJIT::compile):
3409         (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
3410         * dfg/DFGSpeculativeJIT64.cpp:
3411         (JSC::DFG::SpeculativeJIT::fillJSValue):
3412         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
3413         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):