[GTK] [CMake] Improve the way we locate gobject-introspection
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-01-04  Martin Robinson  <mrobinson@igalia.com>

        [GTK] [CMake] Improve the way we locate gobject-introspection
        https://bugs.webkit.org/show_bug.cgi?id=126452

        Reviewed by Philippe Normand.

        * PlatformGTK.cmake: Use the new introspection variables.

2014-01-04  Zan Dobersek  <zdobersek@igalia.com>

        Explicitly use the std:: nested name specifier when using std::pair, std::make_pair
        https://bugs.webkit.org/show_bug.cgi?id=126439

        Reviewed by Andreas Kling.

        Instead of relying on std::pair and std::make_pair symbols being present in the current scope
        through the pair and make_pair symbols, the std:: specifier should be used explicitly.

        * bytecode/Opcode.cpp:
        (JSC::compareOpcodePairIndices):
        (JSC::OpcodeStats::~OpcodeStats):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::makeBinaryNode):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseIfStatement):
        * runtime/Structure.cpp:
        (JSC::StructureTransitionTable::contains):
        (JSC::StructureTransitionTable::get):
        (JSC::StructureTransitionTable::add):

2014-01-03  David Farler  <dfarler@apple.com>

        [super dealloc] missing in Source/JavaScriptCore/API/tests/testapi.mm, fails to build with -Werror,-Wobjc-missing-super-calls
        https://bugs.webkit.org/show_bug.cgi?id=126454

        Reviewed by Geoffrey Garen.

        * API/tests/testapi.mm:
        (-[TextXYZ dealloc]):
        add [super dealloc]
        (-[EvilAllocationObject dealloc]):
        add [super dealloc]

2014-01-02  Carlos Garcia Campos  <cgarcia@igalia.com>

        REGRESSION(r160304): [GTK] Disable libtool fast install
        https://bugs.webkit.org/show_bug.cgi?id=126381

        Reviewed by Martin Robinson.

        Remove -no-fast-install ld flag since fast install is now disabled
        globally.

        * GNUmakefile.am:

2014-01-02  Sam Weinig  <sam@webkit.org>

        Update Promises to the https://github.com/domenic/promises-unwrapping spec
        https://bugs.webkit.org/show_bug.cgi?id=120954

        Reviewed by Filip Pizlo.

        Update Promises to the revised spec. Notable changes:
        - JSPromiseResolver is gone.
        - TaskContext has been renamed Microtask and now has a virtual run() function.
        - Instead of using custom InternalFunction subclasses, JSFunctions are used
          with PrivateName properties for internal slots.

        * CMakeLists.txt:
        * DerivedSources.make:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * interpreter/CallFrame.h:
        (JSC::ExecState::promiseConstructorTable):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::CommonIdentifiers):
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        (JSC::JSGlobalObject::queueMicrotask):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::promiseConstructor):
        (JSC::JSGlobalObject::promisePrototype):
        (JSC::JSGlobalObject::promiseStructure):
        * runtime/JSPromise.cpp:
        (JSC::JSPromise::create):
        (JSC::JSPromise::JSPromise):
        (JSC::JSPromise::finishCreation):
        (JSC::JSPromise::visitChildren):
        (JSC::JSPromise::reject):
        (JSC::JSPromise::resolve):
        (JSC::JSPromise::appendResolveReaction):
        (JSC::JSPromise::appendRejectReaction):
        (JSC::triggerPromiseReactions):
        * runtime/JSPromise.h:
        (JSC::JSPromise::status):
        (JSC::JSPromise::result):
        (JSC::JSPromise::constructor):
        * runtime/JSPromiseCallback.cpp: Removed.
        * runtime/JSPromiseCallback.h: Removed.
        * runtime/JSPromiseConstructor.cpp:
        (JSC::constructPromise):
        (JSC::JSPromiseConstructor::getCallData):
        (JSC::JSPromiseConstructorFuncCast):
        (JSC::JSPromiseConstructorFuncResolve):
        (JSC::JSPromiseConstructorFuncReject):
        * runtime/JSPromiseConstructor.h:
        * runtime/JSPromiseDeferred.cpp: Added.
        (JSC::JSPromiseDeferred::create):
        (JSC::JSPromiseDeferred::JSPromiseDeferred):
        (JSC::JSPromiseDeferred::finishCreation):
        (JSC::JSPromiseDeferred::visitChildren):
        (JSC::createJSPromiseDeferredFromConstructor):
        (JSC::updateDeferredFromPotentialThenable):
        * runtime/JSPromiseDeferred.h: Added.
        (JSC::JSPromiseDeferred::createStructure):
        (JSC::JSPromiseDeferred::promise):
        (JSC::JSPromiseDeferred::resolve):
        (JSC::JSPromiseDeferred::reject):
        * runtime/JSPromiseFunctions.cpp: Added.
        (JSC::deferredConstructionFunction):
        (JSC::createDeferredConstructionFunction):
        (JSC::identifyFunction):
        (JSC::createIdentifyFunction):
        (JSC::promiseAllCountdownFunction):
        (JSC::createPromiseAllCountdownFunction):
        (JSC::promiseResolutionHandlerFunction):
        (JSC::createPromiseResolutionHandlerFunction):
        (JSC::rejectPromiseFunction):
        (JSC::createRejectPromiseFunction):
        (JSC::resolvePromiseFunction):
        (JSC::createResolvePromiseFunction):
        (JSC::throwerFunction):
        (JSC::createThrowerFunction):
        * runtime/JSPromiseFunctions.h: Added.
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototypeFuncThen):
        (JSC::JSPromisePrototypeFuncCatch):
        * runtime/JSPromiseReaction.cpp: Added.
        (JSC::createExecutePromiseReactionMicroTask):
        (JSC::ExecutePromiseReactionMicroTask::run):
        (JSC::JSPromiseReaction::create):
        (JSC::JSPromiseReaction::JSPromiseReaction):
        (JSC::JSPromiseReaction::finishCreation):
        (JSC::JSPromiseReaction::visitChildren):
        * runtime/JSPromiseReaction.h: Added.
        (JSC::JSPromiseReaction::createStructure):
        (JSC::JSPromiseReaction::deferred):
        (JSC::JSPromiseReaction::handler):
        * runtime/JSPromiseResolver.cpp: Removed.
        * runtime/JSPromiseResolver.h: Removed.
        * runtime/JSPromiseResolverConstructor.cpp: Removed.
        * runtime/JSPromiseResolverConstructor.h: Removed.
        * runtime/JSPromiseResolverPrototype.cpp: Removed.
        * runtime/JSPromiseResolverPrototype.h: Removed.
        * runtime/Microtask.h: Added.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:

2014-01-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add support for StoreBarrier and friends to the FTL
        https://bugs.webkit.org/show_bug.cgi?id=126040

        Reviewed by Filip Pizlo.

        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileStoreBarrier):
        (JSC::FTL::LowerDFGToLLVM::compileConditionalStoreBarrier):
        (JSC::FTL::LowerDFGToLLVM::compileStoreBarrierWithNullCheck):
        (JSC::FTL::LowerDFGToLLVM::loadMarkByte):
        (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        * heap/Heap.h:
        (JSC::Heap::writeBarrierBuffer):

2014-01-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        Storing new CopiedSpace memory into a JSObject should fire a write barrier
        https://bugs.webkit.org/show_bug.cgi?id=126025

        Reviewed by Filip Pizlo.

        Technically this is creating a pointer between a (potentially) old generation object and a young
        generation chunk of memory, thus there needs to be a barrier.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGOperations.cpp:
        * heap/CopyWriteBarrier.h: Added. This class functions similarly to the WriteBarrier class. It
        acts as a proxy for pointers to CopiedSpace. Assignments to the field cause a write barrier to
        fire for the object that is the owner of the CopiedSpace memory. This is to ensure during nursery
        collections that objects with new backing stores are visited, even if they are old generation objects.
        (JSC::CopyWriteBarrier::CopyWriteBarrier):
        (JSC::CopyWriteBarrier::operator!):
        (JSC::CopyWriteBarrier::operator UnspecifiedBoolType*):
        (JSC::CopyWriteBarrier::get):
        (JSC::CopyWriteBarrier::operator*):
        (JSC::CopyWriteBarrier::operator->):
        (JSC::CopyWriteBarrier::set):
        (JSC::CopyWriteBarrier::setWithoutWriteBarrier):
        (JSC::CopyWriteBarrier::clear):
        * heap/Heap.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::unshiftCountSlowCase):
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        * runtime/JSCell.h:
        (JSC::JSCell::unvalidatedStructure):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
        * runtime/JSObject.cpp:
        (JSC::JSObject::copyButterfly):
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::countElements):
        (JSC::JSObject::increaseVectorLength):
        (JSC::JSObject::ensureLengthSlow):
        * runtime/JSObject.h:
        (JSC::JSObject::butterfly):
        (JSC::JSObject::setStructureAndButterfly):
        (JSC::JSObject::setButterflyWithoutChangingStructure):
        (JSC::JSObject::JSObject):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::putDirectWithoutTransition):
        * runtime/MapData.cpp:
        (JSC::MapData::ensureSpaceForAppend):
        * runtime/Structure.cpp:
        (JSC::Structure::materializePropertyMap):
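
The entry above describes why a missing write barrier on an old-to-young pointer is a memory-safety bug, not just a performance issue: a nursery collection scans only young roots and the remembered set, so an old object whose backing store was just reallocated is never visited and its new storage is freed while still referenced. The toy model below is an added illustration and is not WebKit's Heap or CopyWriteBarrier code. Every name in it (ToyHeap, ToyObject, BackingStore, CopyBarrieredPtr, newStorageSurvivesNurseryGC) is hypothetical; it reduces the generational heap to a nursery, a remembered set, and a proxy pointer whose set() fires the owner's barrier, beside the unbarriered setWithoutBarrier() path that produces the dangling pointer.

```cpp
#include <cassert>
#include <cstddef>
#include <memory>
#include <unordered_set>
#include <vector>

// Hypothetical toy generational heap (added example, not WebKit code).
struct ToyObject;
class ToyHeap;

// Out-of-line storage owned by an object (WebKit: a chunk of CopiedSpace).
struct BackingStore {
    std::vector<int> data;
    bool marked = false;   // visited by the current nursery collection
    bool freed = false;    // reclaimed by a nursery collection
};

// Proxy for an object's pointer into the nursery. Assignment through set()
// fires the owner's write barrier; setWithoutBarrier() is the unsafe path.
class CopyBarrieredPtr {
public:
    void set(ToyHeap&, ToyObject& owner, BackingStore* value);
    void setWithoutBarrier(BackingStore* value) { value_ = value; }
    BackingStore* get() const { return value_; }
private:
    BackingStore* value_ = nullptr;
};

struct ToyObject {
    bool isOld = false;          // survived an earlier collection
    CopyBarrieredPtr store;
};

class ToyHeap {
public:
    BackingStore* allocate(std::size_t n) {
        nursery_.push_back(std::make_unique<BackingStore>());
        nursery_.back()->data.assign(n, 0);
        return nursery_.back().get();
    }
    // Remembered set: old objects written to since the last collection.
    void remember(ToyObject* owner) { remembered_.insert(owner); }

    // A nursery collection scans young roots plus the remembered set only;
    // other old objects are assumed unchanged. Unmarked nursery storage is freed.
    void collectNursery(const std::vector<ToyObject*>& youngRoots) {
        for (auto& s : nursery_) s->marked = false;
        for (ToyObject* o : youngRoots) mark(o);
        for (ToyObject* o : remembered_) mark(o);
        remembered_.clear();
        for (auto& s : nursery_)
            if (!s->marked) { s->freed = true; s->data.clear(); }
    }
private:
    static void mark(ToyObject* o) {
        if (BackingStore* s = o->store.get()) s->marked = true;
    }
    std::vector<std::unique_ptr<BackingStore>> nursery_;
    std::unordered_set<ToyObject*> remembered_;
};

inline void CopyBarrieredPtr::set(ToyHeap& heap, ToyObject& owner, BackingStore* value) {
    value_ = value;
    if (owner.isOld)             // old -> young edge: the owner must be rescanned
        heap.remember(&owner);
}

// An old object (think of a long-lived array) grows its storage, as
// JSObject::increaseVectorLength does, then a nursery collection runs with no
// young roots. Returns true if the new storage is still valid afterwards.
bool newStorageSurvivesNurseryGC(bool useBarrier) {
    ToyHeap heap;
    ToyObject oldArray;
    oldArray.isOld = true;
    BackingStore* grown = heap.allocate(64);
    if (useBarrier)
        oldArray.store.set(heap, oldArray, grown);
    else
        oldArray.store.setWithoutBarrier(grown);   // the bug the entry fixes
    heap.collectNursery({});
    return !oldArray.store.get()->freed;            // false means a dangling pointer
}

int main() {
    assert(newStorageSurvivesNurseryGC(true));
    assert(!newStorageSurvivesNurseryGC(false));
    return 0;
}
```

The interesting case is the second call: with the barrier skipped, the object still holds `grown` after the collection, but the storage behind it has been reclaimed, which is exactly the use-after-free shape that GC barrier bugs turn into in a real engine.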

2013-12-23  Oliver Hunt  <oliver@apple.com>

        Refactor PutPropertySlot to be aware of custom properties
        https://bugs.webkit.org/show_bug.cgi?id=126187

        Reviewed by Antti Koivisto.

        Refactor PutPropertySlot, making the constructor take the thisValue
        used as a target.  This results in a wide range of boilerplate changes
        to pass the new parameter.

        * API/JSObjectRef.cpp:
        (JSObjectSetProperty):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Arguments.cpp:
        (JSC::Arguments::putByIndex):
        * runtime/ArrayPrototype.cpp:
        (JSC::putProperty):
        (JSC::arrayProtoFuncPush):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitiveByIndex):
        * runtime/JSCell.cpp:
        (JSC::JSCell::putByIndex):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::put):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
        * runtime/JSONObject.cpp:
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::putDirectNonIndexAccessor):
        (JSC::JSObject::deleteProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::putDirect):
        * runtime/Lookup.h:
        (JSC::putEntry):
        (JSC::lookupPut):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::PutPropertySlot):
        (JSC::PutPropertySlot::setCustomProperty):
        (JSC::PutPropertySlot::thisValue):
        (JSC::PutPropertySlot::isCacheable):

2014-01-01  Filip Pizlo  <fpizlo@apple.com>

        Rationalize DFG DCE
        https://bugs.webkit.org/show_bug.cgi?id=125523

        Reviewed by Mark Hahnenberg.

        Adds the ability to DCE more things. It's now the case that if a node is completely
        pure, we clear NodeMustGenerate and the node becomes a DCE candidate.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::cleanVariables):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::clobbersWorld):
        * dfg/DFGNodeType.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileAdd):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileValueAdd):

2014-01-02  Benjamin Poulain  <benjamin@webkit.org>

        Attempt to fix the build of WebCore's code generator on CMake based system
        https://bugs.webkit.org/show_bug.cgi?id=126271

        Reviewed by Sam Weinig.

        * CMakeLists.txt:

2013-12-30  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r161157, r161158, r161160, r161161,
        r161163, and r161165.
        http://trac.webkit.org/changeset/161157
        http://trac.webkit.org/changeset/161158
        http://trac.webkit.org/changeset/161160
        http://trac.webkit.org/changeset/161161
        http://trac.webkit.org/changeset/161163
        http://trac.webkit.org/changeset/161165
        https://bugs.webkit.org/show_bug.cgi?id=126332

        Broke WebKit2 on Mountain Lion (Requested by ap on #webkit).

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::~BlockAllocator):
        (JSC::BlockAllocator::waitForRelativeTimeWhileHoldingLock):
        (JSC::BlockAllocator::waitForRelativeTime):
        (JSC::BlockAllocator::blockFreeingThreadMain):
        * heap/BlockAllocator.h:
        (JSC::BlockAllocator::deallocate):

2013-12-30  Anders Carlsson  <andersca@apple.com>

        Fix build.

        * heap/BlockAllocator.h:

2013-12-30  Anders Carlsson  <andersca@apple.com>

        Stop using ThreadCondition in BlockAllocator
        https://bugs.webkit.org/show_bug.cgi?id=126313

        Reviewed by Sam Weinig.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::~BlockAllocator):
        (JSC::BlockAllocator::waitForDuration):
        (JSC::BlockAllocator::blockFreeingThreadMain):
        * heap/BlockAllocator.h:
        (JSC::BlockAllocator::deallocate):

2013-12-30  Anders Carlsson  <andersca@apple.com>

        Stop using ThreadCondition in jsc.cpp
        https://bugs.webkit.org/show_bug.cgi?id=126311

        Reviewed by Sam Weinig.

        * jsc.cpp:
        (timeoutThreadMain):
        (main):

2013-12-30  Anders Carlsson  <andersca@apple.com>

        Replace WTF::ThreadingOnce with std::call_once
        https://bugs.webkit.org/show_bug.cgi?id=126215

        Reviewed by Sam Weinig.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::globalWorklist):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):

2013-12-30  Martin Robinson  <mrobinson@igalia.com>

        [CMake] [GTK] Add support for GObject introspection
        https://bugs.webkit.org/show_bug.cgi?id=126162

        Reviewed by Daniel Bates.

        * PlatformGTK.cmake: Add the GIR targets.

2013-12-28  Filip Pizlo  <fpizlo@apple.com>

        Get rid of DFG forward exiting
        https://bugs.webkit.org/show_bug.cgi?id=125531

        Reviewed by Oliver Hunt.

        This finally gets rid of forward exiting. Forward exiting was always a fragile concept
        since it involved the compiler trying to figure out how to "roll forward" the
        execution from some DFG node to the next bytecode index. It was always easy to find
        counterexamples where it broke, and it has always served as an obstacle to adding
        compiler improvements - the latest being http://webkit.org/b/125523, which tried to
        make DCE work for more things.

        This change finishes the work of removing forward exiting. A lot of forward exiting
        was already removed in some other bugs, but SetLocal still did forward exits. SetLocal
        is in many ways the hardest to remove, since the forward exiting of SetLocal also
        implied that any conversion nodes inserted before the SetLocal would then also be
        marked as forward-exiting. Hence SetLocal's forward-exiting made a bunch of other
        things also forward-exiting, and this was always a source of weirdo bugs.

        SetLocal must be able to exit in case it performs a hoisted type speculation. Nodes
        inserted just before SetLocal must also be able to exit - for example type check
        hoisting may insert a CheckStructure, or fixup phase may insert something like
        Int32ToDouble. But if any of those nodes tried to backward exit, then this could lead
        to the reexecution of a side-effecting operation, for example:

            a: Call(...)
            b: SetLocal(@a, r1)

        For a long time it seemed like SetLocal *had* to exit forward because of this. But
        this change side-steps the problem by changing the ByteCodeParser to always emit a
        kind of "two-phase commit" for stores to local variables. Now when the ByteCodeParser
        wishes to store to a local, it first emits a MovHint and then enqueues a SetLocal.
        The SetLocal isn't actually emitted until the beginning of the next bytecode
        instruction (with the exception of op_enter and op_ret, which emit theirs immediately
        since it's always safe to reexecute those bytecode instructions and since deferring
        SetLocals would be weird there - op_enter has many SetLocals and op_ret is a set
        followed by a jump in case of inlining, so we'd have to emit the SetLocal "after" the
        jump and that would be awkward). This means that the above IR snippet would look
        something like:

            a: Call(..., bc#42)
            b: MovHint(@a, r1, bc#42)
            c: SetLocal(@a, r1, bc#47)

        Where the SetLocal exits "backwards" but appears at the beginning of the next bytecode
        instruction. This means that by the time we get to that SetLocal, the OSR exit
        analysis already knows that r1 is associated with @a, and it means that the SetLocal
        or anything hoisted above it can exit backwards as normal.

        This change also means that the "forward rewiring" can be killed. Previously, we might
        have inserted a conversion node on SetLocal and then the SetLocal died (i.e. turned
        into a MovHint) and the conversion node either died completely or had its lifetime
        truncated to be less than the actual value's bytecode lifetime. This no longer happens
        since conversion nodes are only inserted at SetLocals.

        More precisely, this change introduces two laws that we were basically already
        following anyway:

        1) A MovHint's child should never be changed except if all other uses of that child
           are also replaced. Specifically, this prohibits insertion of conversion nodes at
           MovHints.

        2) Anytime any child is replaced with something else, and all other uses aren't also
           replaced, we must insert a Phantom use of the original child.

        This is a slight compile-time regression but has no effect on code-gen. It unlocks a
        bunch of optimization opportunities so I think it's worth it.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpAssumingJITType):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::instructionCount):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGArrayifySlowPathGenerator.h:
        (JSC::DFG::ArrayifySlowPathGenerator::ArrayifySlowPathGenerator):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::setDirect):
        (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
        (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::eliminate):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::run):
        (JSC::DFG::DCEPhase::fixupBlock):
        (JSC::DFG::DCEPhase::cleanVariables):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixEdge):
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::run):
        (JSC::DFG::LICMPhase::attemptHoist):
        * dfg/DFGMinifiedNode.cpp:
        (JSC::DFG::MinifiedNode::fromNode):
        * dfg/DFGMinifiedNode.h:
        (JSC::DFG::belongsInMinifiedGraph):
        (JSC::DFG::MinifiedNode::constantNumber):
        (JSC::DFG::MinifiedNode::weakConstant):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::hasVariableAccessData):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToPhantom):
        (JSC::DFG::Node::convertToPhantomUnchecked):
        (JSC::DFG::Node::convertToIdentity):
        (JSC::DFG::Node::containsMovHint):
        (JSC::DFG::Node::hasUnlinkedLocal):
        (JSC::DFG::Node::willHaveCodeGenOrOSR):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeFlags.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGOSRExit.cpp:
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitBase.cpp:
        * dfg/DFGOSRExitBase.h:
        (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSite):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
        (JSC::DFG::SpeculativeJIT::typeCheck):
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::needsTypeCheck):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::run):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validateCPS):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetArgument):
        (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
        (JSC::FTL::LowerDFGToLLVM::compileMovHint):
        (JSC::FTL::LowerDFGToLLVM::compileZombieHint):
        (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::typeCheck):
        (JSC::FTL::LowerDFGToLLVM::appendTypeCheck):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        * ftl/FTLOSRExit.cpp:
        * ftl/FTLOSRExit.h:
        * tests/stress/dead-int32-to-double.js: Added.
        (foo):
        * tests/stress/dead-uint32-to-number.js: Added.
        (foo):

2013-12-25  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r161033 and r161074.
        http://trac.webkit.org/changeset/161033
        http://trac.webkit.org/changeset/161074
        https://bugs.webkit.org/show_bug.cgi?id=126240

        Oliver says that a rollout would be better (Requested by ap on
        #webkit).

        * API/JSObjectRef.cpp:
        (JSObjectSetProperty):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Arguments.cpp:
        (JSC::Arguments::putByIndex):
        * runtime/ArrayPrototype.cpp:
        (JSC::putProperty):
        (JSC::arrayProtoFuncPush):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitiveByIndex):
        * runtime/JSCell.cpp:
        (JSC::JSCell::putByIndex):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::put):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
        * runtime/JSONObject.cpp:
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::putDirectNonIndexAccessor):
        (JSC::JSObject::deleteProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::putDirect):
        * runtime/Lookup.h:
        (JSC::putEntry):
        (JSC::lookupPut):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::PutPropertySlot):
        (JSC::PutPropertySlot::setNewProperty):
        (JSC::PutPropertySlot::isCacheable):

2013-12-25  Filip Pizlo  <fpizlo@apple.com>

        DFG PhantomArguments shouldn't rely on a dead Phi graph
        https://bugs.webkit.org/show_bug.cgi?id=126218

        Reviewed by Oliver Hunt.

        This change dramatically rationalizes our handling of PhantomArguments (i.e.
        speculative elision of arguments object allocation).

        It's now the case that if we decide that we can elide arguments allocation, we just
        turn the arguments-creating node into a PhantomArguments and mark all locals that
        it's stored to as being arguments aliases. Being an arguments alias and being a
        PhantomArguments means basically the same thing: in DFG execution you have the empty
        value, on OSR exit an arguments object is allocated in your place, and all operations
        that use the value now just refer directly to the actual arguments in the call frame
        header (or the arguments we know that we passed to the call, in case of inlining).

        This means that we no longer have arguments simplification creating a dead Phi graph
        that then has to be interpreted by the OSR exit logic. That sort of never made any
        sense.

        This means that PhantomArguments now has a clear story in SSA: basically SSA just
        gets rid of the "locals" but everything else is the same.

        Finally, this means that we can more easily get rid of forward exiting. As I was
        working on the code to get rid of forward exiting, I realized that I'd have to
        carefully preserve the special meanings of MovHint and SetLocal in the case of
        PhantomArguments. It was really bizarre: even the semantics of MovHint were tied to
        our specific treatment of PhantomArguments. After this change this is no longer the
        case.

        One of the really cool things about this change is that arguments reification now
        just becomes a special kind of FlushFormat. This further unifies things: it means
        that a MovHint(PhantomArguments) and a SetLocal(PhantomArguments) both have the same
        meaning, since both of them dictate that the way we recover the local on exit is by
        reifying arguments. Previously, the SetLocal(PhantomArguments) case needed some
        special handling to accomplish this.

        A downside of this approach is that we will now emit code to store the empty value
        into aliased arguments variables, and we will even emit code to load that empty value
        as well. As far as I can tell this doesn't cost anything, since PhantomArguments are
        most profitable in cases where it allows us to simplify control flow and kill the
        arguments locals entirely. Of course, this isn't an issue in SSA form since SSA form
        also eliminates the locals.

        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        (JSC::DFG::ArgumentsSimplificationPhase::detypeArgumentsReferencingPhantomChild):
        * dfg/DFGFlushFormat.cpp:
        (WTF::printInternal):
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::resultFor):
        (JSC::DFG::useKindFor):
        (JSC::DFG::dataFormatFor):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValueSource.h:
        (JSC::DFG::ValueSource::ValueSource):
        (JSC::DFG::ValueSource::forFlushFormat):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::flushFormat):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):

2013-12-23  Oliver Hunt  <oliver@apple.com>

        Refactor PutPropertySlot to be aware of custom properties
724         https://bugs.webkit.org/show_bug.cgi?id=126187
725
726         Reviewed by msaboff.
727
728         Refactor PutPropertySlot, making the constructor take the thisValue
729         used as a target.  This results in a wide range of boilerplate changes
730         to pass the new parameter.
731
732         * API/JSObjectRef.cpp:
733         (JSObjectSetProperty):
734         * dfg/DFGOperations.cpp:
735         (JSC::DFG::operationPutByValInternal):
736         * interpreter/Interpreter.cpp:
737         (JSC::Interpreter::execute):
738         * jit/JITOperations.cpp:
739         * llint/LLIntSlowPaths.cpp:
740         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
741         * runtime/Arguments.cpp:
742         (JSC::Arguments::putByIndex):
743         * runtime/ArrayPrototype.cpp:
744         (JSC::putProperty):
745         (JSC::arrayProtoFuncPush):
746         * runtime/JSCJSValue.cpp:
747         (JSC::JSValue::putToPrimitiveByIndex):
748         * runtime/JSCell.cpp:
749         (JSC::JSCell::putByIndex):
750         * runtime/JSFunction.cpp:
751         (JSC::JSFunction::put):
752         * runtime/JSGenericTypedArrayViewInlines.h:
753         (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
754         * runtime/JSONObject.cpp:
755         (JSC::Walker::walk):
756         * runtime/JSObject.cpp:
757         (JSC::JSObject::putByIndex):
758         (JSC::JSObject::putDirectNonIndexAccessor):
759         (JSC::JSObject::deleteProperty):
760         * runtime/JSObject.h:
761         (JSC::JSObject::putDirect):
762         * runtime/Lookup.h:
763         (JSC::putEntry):
764         (JSC::lookupPut):
765         * runtime/PutPropertySlot.h:
766         (JSC::PutPropertySlot::PutPropertySlot):
767         (JSC::PutPropertySlot::setCustomProperty):
768         (JSC::PutPropertySlot::thisValue):
769         (JSC::PutPropertySlot::isCacheable):
770
771 2013-12-23  Benjamin Poulain  <benjamin@webkit.org>
772
773         Add class matching to the Selector Code Generator
774         https://bugs.webkit.org/show_bug.cgi?id=126176
775
776         Reviewed by Antti Koivisto and Oliver Hunt.
777
778         Add test and branch based on BaseIndex addressing for x86_64.
779         Fast loops are needed to compete with clang on tight loops.
780
781         * assembler/MacroAssembler.h:
782         * assembler/MacroAssemblerX86_64.h:
783         (JSC::MacroAssemblerX86_64::branch64):
784         (JSC::MacroAssemblerX86_64::branchPtr):
785         * assembler/X86Assembler.h:
786         (JSC::X86Assembler::cmpq_rm):
787
788 2013-12-23  Oliver Hunt  <oliver@apple.com>
789
790         Update custom setter implementations to perform type checks
791         https://bugs.webkit.org/show_bug.cgi?id=126171
792
793         Reviewed by Daniel Bates.
794
795         Modify the setter function signature to take encoded values
796         as we're changing the setter usage everywhere anyway.
797
798         * runtime/Lookup.h:
799         (JSC::putEntry):
800
801 2013-12-23  Lucas Forschler  <lforschler@apple.com>
802
803         <rdar://problem/15682948> Update copyright strings
804         
805         Reviewed by Dan Bernstein.
806
807         * Info.plist:
808         * JavaScriptCore.vcxproj/JavaScriptCore.resources/Info.plist:
809
810 2013-12-23  Zan Dobersek  <zdobersek@igalia.com>
811
812         [GTK] Clean up compiler optimizations flags for libWTF, libJSC
813         https://bugs.webkit.org/show_bug.cgi?id=126157
814
815         Reviewed by Gustavo Noronha Silva.
816
817         * GNUmakefile.am: Remove the -fstrict-aliasing and -O3 compiler flags for libWTF.la. -O3 gets
818         overridden by -O2 that's listed in CXXFLAGS (or -O0 in case of debug builds) and -fstrict-aliasing
819         is enabled when -O2 is used (and shouldn't be enabled in debug builds anyway).
820
821 2013-12-22  Martin Robinson  <mrobinson@igalia.com>
822
823         [CMake] Fix typo from r160812
824         https://bugs.webkit.org/show_bug.cgi?id=126145
825
826         Reviewed by Gustavo Noronha Silva.
827
828         * CMakeLists.txt: Fix typo when detecting the type of library.
829
830 2013-12-22  Martin Robinson  <mrobinson@igalia.com>
831
832         [GTK][CMake] libtool-compatible soversion calculation
833         https://bugs.webkit.org/show_bug.cgi?id=125511
834
835         Reviewed by Gustavo Noronha Silva.
836
837         * CMakeLists.txt: Use the POPULATE_LIBRARY_VERSION macro and the
838         library-specific version information.
839
840 2013-12-23  Gustavo Noronha Silva  <gns@gnome.org>
841
842         [GTK] [CMake] Generate pkg-config files
843         https://bugs.webkit.org/show_bug.cgi?id=125685
844
845         Reviewed by Martin Robinson.
846
847         * PlatformGTK.cmake: Added. Generate javascriptcoregtk-3.0.pc.
848
849 2013-12-22  Benjamin Poulain  <benjamin@webkit.org>
850
851         Create a skeleton for CSS Selector code generation
852         https://bugs.webkit.org/show_bug.cgi?id=126044
853
854         Reviewed by Antti Koivisto and Gavin Barraclough.
855
856         * assembler/LinkBuffer.h:
857         Add a new owner UID for code compiled for CSS.
858         Export the symbols needed to link code from WebCore.
859
860 2013-12-19  Mark Hahnenberg  <mhahnenberg@apple.com>
861
862         Clean up DFG write barriers
863         https://bugs.webkit.org/show_bug.cgi?id=126047
864
865         Reviewed by Filip Pizlo.
866
867         * dfg/DFGSpeculativeJIT.cpp:
868         (JSC::DFG::SpeculativeJIT::storeToWriteBarrierBuffer): Use the register allocator to 
869         determine which registers need saving instead of saving every single one of them.
870         (JSC::DFG::SpeculativeJIT::osrWriteBarrier): We don't need to save live register state 
871         because the write barriers during OSR execute when there are no live registers. Also we  
872         don't need to use pushes to pad the stack pointer for pokes on x86; we can just use an add.
873         (JSC::DFG::SpeculativeJIT::writeBarrier):
874         * dfg/DFGSpeculativeJIT.h:
875         * jit/Repatch.cpp:
876         (JSC::emitPutReplaceStub):
877         (JSC::emitPutTransitionStub):
878         * runtime/VM.h: Get rid of writeBarrierRegisterBuffer since it's no longer used.
879
880 2013-12-20  Balazs Kilvady  <kilvadyb@homejinni.com>
881
882         [MIPS] Missing MacroAssemblerMIPS::branchTest8(ResultCondition, BaseIndex, TrustedImm32)
883         https://bugs.webkit.org/show_bug.cgi?id=126062
884
885         Reviewed by Mark Hahnenberg.
886
887         * assembler/MacroAssemblerMIPS.h:
888         (JSC::MacroAssemblerMIPS::branchTest8):
889
890 2013-12-20  Julien Brianceau  <jbriance@cisco.com>
891
892         [sh4] Add missing implementation in MacroAssembler to fix build.
893         https://bugs.webkit.org/show_bug.cgi?id=126063
894
895         Reviewed by Mark Hahnenberg.
896
897         * assembler/MacroAssemblerSH4.h:
898         (JSC::MacroAssemblerSH4::branchTest8):
899
900 2013-12-20  Julien Brianceau  <jbriance@cisco.com>
901
902         [arm] Add missing implementation in MacroAssembler to fix CPU(ARM_TRADITIONAL) build.
903         https://bugs.webkit.org/show_bug.cgi?id=126064
904
905         Reviewed by Mark Hahnenberg.
906
907         * assembler/MacroAssemblerARM.h:
908         (JSC::MacroAssemblerARM::branchTest8):
909
910 2013-12-19  Joseph Pecoraro  <pecoraro@apple.com>
911
912         Web Inspector: Add InspectorFrontendHost.debuggableType to let the frontend know it's backend is JavaScript or Web
913         https://bugs.webkit.org/show_bug.cgi?id=126016
914
915         Reviewed by Timothy Hatcher.
916
917         * inspector/remote/RemoteInspector.mm:
918         (Inspector::RemoteInspector::listingForDebuggable):
919         * inspector/remote/RemoteInspectorConstants.h:
920         Include a debuggable type identifier in the debuggable listing,
921         so the remote frontend can know if it is debugging a Web Page
922         or JS Context.
923
924 2013-12-19  Benjamin Poulain  <benjamin@webkit.org>
925
926         Add a utility class to simplify generating function calls
927         https://bugs.webkit.org/show_bug.cgi?id=125972
928
929         Reviewed by Geoffrey Garen.
930
931         Split branchTest32 in two functions: test32AndSetFlags and branchOnFlags.
932         This is done to allow code where the flags are set, multiple operations that
933         do not modify the flags occur, then the flags are used.
934
935         This is used for function calls to test the return value while discarding the
936         return register.
937
938         * assembler/MacroAssemblerX86Common.h:
939         (JSC::MacroAssemblerX86Common::test32AndSetFlags):
940         (JSC::MacroAssemblerX86Common::branchOnFlags):
941         (JSC::MacroAssemblerX86Common::branchTest32):
942
943 2013-12-19  Mark Hahnenberg  <mhahnenberg@apple.com>
944
945         Put write barriers in the right places in the baseline JIT
946         https://bugs.webkit.org/show_bug.cgi?id=125975
947
948         Reviewed by Filip Pizlo.
949
950         * jit/JIT.cpp:
951         (JSC::JIT::privateCompileSlowCases):
952         * jit/JIT.h:
953         * jit/JITInlines.h:
954         (JSC::JIT::callOperation):
955         (JSC::JIT::emitArrayProfilingSite):
956         * jit/JITOpcodes.cpp:
957         (JSC::JIT::emit_op_enter):
958         (JSC::JIT::emitSlow_op_enter):
959         * jit/JITOpcodes32_64.cpp:
960         (JSC::JIT::emit_op_enter):
961         (JSC::JIT::emitSlow_op_enter):
962         * jit/JITPropertyAccess.cpp:
963         (JSC::JIT::emit_op_put_by_val):
964         (JSC::JIT::emitGenericContiguousPutByVal):
965         (JSC::JIT::emitArrayStoragePutByVal):
966         (JSC::JIT::emit_op_put_by_id):
967         (JSC::JIT::emitPutGlobalProperty):
968         (JSC::JIT::emitPutGlobalVar):
969         (JSC::JIT::emitPutClosureVar):
970         (JSC::JIT::emit_op_init_global_const):
971         (JSC::JIT::checkMarkWord):
972         (JSC::JIT::emitWriteBarrier):
973         (JSC::JIT::privateCompilePutByVal):
974         * jit/JITPropertyAccess32_64.cpp:
975         (JSC::JIT::emitGenericContiguousPutByVal):
976         (JSC::JIT::emitArrayStoragePutByVal):
977         (JSC::JIT::emit_op_put_by_id):
978         (JSC::JIT::emitSlow_op_put_by_id):
979         (JSC::JIT::emitPutGlobalProperty):
980         (JSC::JIT::emitPutGlobalVar):
981         (JSC::JIT::emitPutClosureVar):
982         (JSC::JIT::emit_op_init_global_const):
983         * jit/Repatch.cpp:
984         (JSC::emitPutReplaceStub):
985         (JSC::emitPutTransitionStub):
986         (JSC::repatchPutByID):
987         * runtime/CommonSlowPaths.cpp:
988         (JSC::SLOW_PATH_DECL):
989         * runtime/CommonSlowPaths.h:
990
991 2013-12-19  Brent Fulgham  <bfulgham@apple.com>
992
993         Implement ArrayBuffer.isView
994         https://bugs.webkit.org/show_bug.cgi?id=126004
995
996         Reviewed by Filip Pizlo.
997
998         Test coverage in webgl/1.0.2/resources/webgl_test_files/conformance/typedarrays/array-unit-tests.html
999
1000         * runtime/JSArrayBufferConstructor.cpp:
1001         (JSC::JSArrayBufferConstructor::finishCreation): Add 'isView' to object constructor.
1002         (JSC::arrayBufferFuncIsView): New method.
1003
1004 2013-12-19  Mark Lam  <mark.lam@apple.com>
1005
1006         Fix broken C loop LLINT build.
1007         https://bugs.webkit.org/show_bug.cgi?id=126024.
1008
1009         Reviewed by Oliver Hunt.
1010
1011         * runtime/VM.h:
1012
1013 2013-12-18  Mark Hahnenberg  <mhahnenberg@apple.com>
1014
1015         DelayedReleaseScope is in the wrong place
1016         https://bugs.webkit.org/show_bug.cgi?id=125876
1017
1018         Reviewed by Geoffrey Garen.
1019
1020         The DelayedReleaseScope needs to be around the free list sweeping in MarkedAllocator::tryAllocateHelper. 
1021         This location gives us a good safe point between getting ready to allocate  (i.e. identifying a non-empty 
1022         free list) and doing the actual allocation (popping the free list).
1023
1024         * heap/MarkedAllocator.cpp:
1025         (JSC::MarkedAllocator::tryAllocateHelper):
1026         (JSC::MarkedAllocator::allocateSlowCase):
1027         (JSC::MarkedAllocator::addBlock):
1028         * runtime/JSCellInlines.h:
1029         (JSC::allocateCell):
1030
1031 2013-12-18  Gustavo Noronha Silva  <gns@gnome.org>
1032
1033         [GTK][CMake] make libjavascriptcoregtk a public shared library again
1034         https://bugs.webkit.org/show_bug.cgi?id=125512
1035
1036         Reviewed by Martin Robinson.
1037
1038         * CMakeLists.txt: use target type instead of SHARED_CORE to decide whether
1039         JavaScriptCore is a shared library, since it's always shared for GTK+ regardless
1040         of SHARED_CORE.
1041
1042 2013-12-18  Benjamin Poulain  <benjamin@webkit.org>
1043
1044         Add a simple stack abstraction for x86_64
1045         https://bugs.webkit.org/show_bug.cgi?id=125908
1046
1047         Reviewed by Geoffrey Garen.
1048
1049         * assembler/MacroAssemblerX86_64.h:
1050         (JSC::MacroAssemblerX86_64::addPtrNoFlags):
1051         Add an explicit abstraction for the "lea" instruction. This is needed
1052         by the experimental JIT to have add and subtract without changing the flags.
1053
1054         This is useful for function calls to test the return value, restore the registers,
1055         then branch on the flags from the return value.
1056
1057 2013-12-18  Mark Hahnenberg  <mhahnenberg@apple.com>
1058
1059         DFG should have a separate StoreBarrier node
1060         https://bugs.webkit.org/show_bug.cgi?id=125530
1061
1062         Reviewed by Filip Pizlo.
1063
1064         This is in preparation for GenGC. We use a separate StoreBarrier node instead of making them implicitly 
1065         part of other nodes so that it's easier to run analyses on them, e.g. for the StoreBarrierElisionPhase. 
1066         They are inserted during the fixup phase. Initially they do not generate any code.
1067
1068         * CMakeLists.txt:
1069         * GNUmakefile.list.am:
1070         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1071         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1072         * JavaScriptCore.xcodeproj/project.pbxproj:
1073         * dfg/DFGAbstractHeap.h:
1074         * dfg/DFGAbstractInterpreter.h:
1075         (JSC::DFG::AbstractInterpreter::isKnownNotCell):
1076         * dfg/DFGAbstractInterpreterInlines.h:
1077         (JSC::DFG::::executeEffects):
1078         * dfg/DFGClobberize.h:
1079         (JSC::DFG::clobberizeForAllocation):
1080         (JSC::DFG::clobberize):
1081         * dfg/DFGConstantFoldingPhase.cpp:
1082         (JSC::DFG::ConstantFoldingPhase::foldConstants): Whenever we insert new nodes that require StoreBarriers,
1083         we have to add those new StoreBarriers too. It's important to note that AllocatePropertyStorage and 
1084         ReallocatePropertyStorage nodes require their StoreBarriers to come after them since they allocate first,
1085         which could cause a GC, and then store the resulting buffer into their JSCell, which requires the barrier.
1086         If we ever require that write barriers occur before stores, we'll have to split these nodes into 
1087         AllocatePropertyStorage + StoreBarrier + PutPropertyStorage.
1088         * dfg/DFGFixupPhase.cpp:
1089         (JSC::DFG::FixupPhase::fixupNode):
1090         (JSC::DFG::FixupPhase::insertStoreBarrier):
1091         * dfg/DFGNode.h:
1092         (JSC::DFG::Node::isStoreBarrier):
1093         * dfg/DFGNodeType.h:
1094         * dfg/DFGOSRExitCompiler32_64.cpp:
1095         (JSC::DFG::OSRExitCompiler::compileExit):
1096         * dfg/DFGOSRExitCompiler64.cpp:
1097         (JSC::DFG::OSRExitCompiler::compileExit):
1098         * dfg/DFGPlan.cpp:
1099         (JSC::DFG::Plan::compileInThreadImpl):
1100         * dfg/DFGPredictionPropagationPhase.cpp:
1101         (JSC::DFG::PredictionPropagationPhase::propagate):
1102         * dfg/DFGSafeToExecute.h:
1103         (JSC::DFG::safeToExecute):
1104         * dfg/DFGSpeculativeJIT.cpp:
1105         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1106         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1107         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
1108         (JSC::DFG::SpeculativeJIT::genericWriteBarrier): The fast path write barrier check. It loads the 
1109         byte that contains the mark bit of the object. 
1110         (JSC::DFG::SpeculativeJIT::storeToWriteBarrierBuffer): If the fast path check fails we try to store the 
1111         cell in the WriteBarrierBuffer so as to avoid frequently flushing all registers in order to make a C call.
1112         (JSC::DFG::SpeculativeJIT::writeBarrier):
1113         (JSC::DFG::SpeculativeJIT::osrWriteBarrier): More barebones version of the write barrier to be executed 
1114         during an OSR exit into baseline code. We must do this so that the baseline JIT object and array profiles 
1115         are properly cleared during GC.
1116         * dfg/DFGSpeculativeJIT.h:
1117         (JSC::DFG::SpeculativeJIT::callOperation):
1118         * dfg/DFGSpeculativeJIT32_64.cpp:
1119         (JSC::DFG::SpeculativeJIT::cachedPutById):
1120         (JSC::DFG::SpeculativeJIT::compileBaseValueStoreBarrier):
1121         (JSC::DFG::SpeculativeJIT::compile):
1122         (JSC::DFG::SpeculativeJIT::writeBarrier):
1123         * dfg/DFGSpeculativeJIT64.cpp:
1124         (JSC::DFG::SpeculativeJIT::cachedPutById):
1125         (JSC::DFG::SpeculativeJIT::compileBaseValueStoreBarrier):
1126         (JSC::DFG::SpeculativeJIT::compile):
1127         (JSC::DFG::SpeculativeJIT::writeBarrier):
1128         * dfg/DFGStoreBarrierElisionPhase.cpp: Added. New DFG phase that does block-local elision of redundant
1129         StoreBarriers. Every time a StoreBarrier on a particular object is executed, a bit is set indicating that 
1130         that object doesn't need any more StoreBarriers. 
1131         (JSC::DFG::StoreBarrierElisionPhase::StoreBarrierElisionPhase):
1132         (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC): Nodes that could cause a GC reset the bits for all of the 
1133         objects known in the current block. 
1134         (JSC::DFG::StoreBarrierElisionPhase::allocatesFreshObject): A node that creates a new object automatically 
1135         sets the bit for that object since if a GC occurred as the result of that object's allocation then that 
1136         object would not need a barrier since it would be guaranteed to be a young generation object until the 
1137         next GC point.
1138         (JSC::DFG::StoreBarrierElisionPhase::noticeFreshObject):
1139         (JSC::DFG::StoreBarrierElisionPhase::getBaseOfStore):
1140         (JSC::DFG::StoreBarrierElisionPhase::shouldBeElided):
1141         (JSC::DFG::StoreBarrierElisionPhase::elideBarrier):
1142         (JSC::DFG::StoreBarrierElisionPhase::handleNode):
1143         (JSC::DFG::StoreBarrierElisionPhase::handleBlock):
1144         (JSC::DFG::StoreBarrierElisionPhase::run):
1145         (JSC::DFG::performStoreBarrierElision):
1146         * dfg/DFGStoreBarrierElisionPhase.h: Added.
1147         * heap/Heap.cpp:
1148         (JSC::Heap::Heap):
1149         (JSC::Heap::flushWriteBarrierBuffer):
1150         * heap/Heap.h:
1151         (JSC::Heap::writeBarrier):
1152         * heap/MarkedBlock.h:
1153         (JSC::MarkedBlock::offsetOfMarks):
1154         * heap/WriteBarrierBuffer.cpp: Added. The WriteBarrierBuffer buffers a set of JSCells that are awaiting 
1155         a pending WriteBarrier. This buffer is used by the DFG to avoid the overhead of calling out to C repeatedly
1156         to invoke a write barrier on a single JSCell. Instead the DFG has inline code to fill the WriteBarrier buffer
1157         until it's full, and then to call out to C to flush it. The WriteBarrierBuffer will also be flushed prior to 
1158         each EdenCollection.
1159         (JSC::WriteBarrierBuffer::WriteBarrierBuffer):
1160         (JSC::WriteBarrierBuffer::~WriteBarrierBuffer):
1161         (JSC::WriteBarrierBuffer::flush):
1162         (JSC::WriteBarrierBuffer::reset):
1163         (JSC::WriteBarrierBuffer::add):
1164         * heap/WriteBarrierBuffer.h: Added.
1165         (JSC::WriteBarrierBuffer::currentIndexOffset):
1166         (JSC::WriteBarrierBuffer::capacityOffset):
1167         (JSC::WriteBarrierBuffer::bufferOffset):
1168         * jit/JITOperations.cpp:
1169         * jit/JITOperations.h:
1170         * runtime/VM.h:
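
        The following is an added illustration, not JavaScriptCore code, of the two mechanisms this
        entry describes: the block-local StoreBarrier elision (a set of objects known not to need a
        barrier, cleared at every node that could GC and seeded by fresh allocations) and the
        WriteBarrierBuffer that collects writes into old objects and calls out to C only when full.
        The node kinds, the Cell type reduced to a single mark bit, the buffer capacity and the
        sample block are all assumptions made for the illustration.

```cpp
// Added model, not JavaScriptCore code: block-local StoreBarrier elision plus a
// buffered write barrier. Node kinds, Cell and the sample block are assumptions.
#include <cstddef>
#include <cstdio>
#include <set>
#include <vector>

enum class Op { NewObject, PutByOffset, StoreBarrier, Call };

struct Node {
    Op op;
    int result; // object id produced by NewObject, otherwise -1
    int base;   // object a PutByOffset/StoreBarrier targets, otherwise -1
};

// Allocation and calls may trigger a GC; after a GC point no object in the
// block is known to be barrier-free any more.
static bool couldCauseGC(const Node& n)
{
    return n.op == Op::Call || n.op == Op::NewObject;
}

// One flag per node: true when that node is a StoreBarrier that can be elided.
std::vector<bool> elideStoreBarriers(const std::vector<Node>& block)
{
    std::set<int> barrierNotNeeded;
    std::vector<bool> elided(block.size(), false);
    for (std::size_t i = 0; i < block.size(); ++i) {
        const Node& n = block[i];
        if (couldCauseGC(n))
            barrierNotNeeded.clear();
        if (n.op == Op::NewObject)
            barrierNotNeeded.insert(n.result); // fresh object stays young until the next GC point
        else if (n.op == Op::StoreBarrier) {
            if (barrierNotNeeded.count(n.base))
                elided[i] = true;
            else
                barrierNotNeeded.insert(n.base); // one executed barrier covers later stores in the block
        }
    }
    return elided;
}

// A heap cell reduced to the mark bit the inline fast path reads.
struct Cell { bool marked; };

// Collects old (marked) cells that were written to and hands them to the slow
// path in batches instead of making a C call per store.
struct WriteBarrierBuffer {
    std::vector<Cell*> buffer;
    std::size_t capacity;
    std::set<Cell*> rememberedSet; // what the C slow path would record
    std::size_t flushes = 0;

    explicit WriteBarrierBuffer(std::size_t cap) : capacity(cap) { }

    void flush()
    {
        rememberedSet.insert(buffer.begin(), buffer.end());
        buffer.clear();
        ++flushes;
    }

    void writeBarrier(Cell* owner)
    {
        if (!owner->marked)
            return; // young object: the fast path records nothing
        if (buffer.size() == capacity)
            flush(); // buffer full: this is the "call out to C" case
        buffer.push_back(owner);
    }
};

// Runs one block through elision, then executes the surviving barriers.
// Returns how many barriers actually executed.
std::size_t runBlock(const std::vector<Node>& block, std::vector<Cell>& cells, WriteBarrierBuffer& wbb)
{
    std::vector<bool> elided = elideStoreBarriers(block);
    std::size_t executed = 0;
    for (std::size_t i = 0; i < block.size(); ++i) {
        if (block[i].op != Op::StoreBarrier || elided[i])
            continue;
        wbb.writeBarrier(&cells[block[i].base]);
        ++executed;
    }
    return executed;
}

// Constructed sample block: object 0 is allocated here, object 1 already exists.
std::vector<Node> sampleBlock()
{
    return {
        { Op::NewObject, 0, -1 },
        { Op::PutByOffset, -1, 0 }, { Op::StoreBarrier, -1, 0 }, // elided: fresh object
        { Op::PutByOffset, -1, 1 }, { Op::StoreBarrier, -1, 1 }, // executed
        { Op::PutByOffset, -1, 1 }, { Op::StoreBarrier, -1, 1 }, // elided: already barriered
        { Op::Call, -1, -1 },                                     // GC point: forget everything
        { Op::PutByOffset, -1, 1 }, { Op::StoreBarrier, -1, 1 }, // executed again
        { Op::PutByOffset, -1, 0 }, { Op::StoreBarrier, -1, 0 }, // executed: no longer known fresh
    };
}

int main()
{
    std::vector<Cell> cells = { { false }, { true } }; // object 0 young, object 1 old
    WriteBarrierBuffer wbb(2);
    std::size_t executed = runBlock(sampleBlock(), cells, wbb);
    std::printf("%zu barriers executed, %zu buffered, %zu flushes\n", executed, wbb.buffer.size(), wbb.flushes);
    return 0;
}
```

        Of the five StoreBarrier nodes in the sample block, two are elided and three execute; only
        the two that target the old object ever reach the buffer, and with a capacity of one the
        second of them forces a flush before it can be recorded.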
1171
1172 2013-12-18  Carlos Garcia Campos  <cgarcia@igalia.com>
1173
1174         Unreviewed. Fix make distcheck.
1175
1176         * GNUmakefile.am:
1177
1178 2013-12-17  Julien Brianceau  <jbriance@cisco.com>
1179
1180         Fix armv7 and sh4 builds.
1181         https://bugs.webkit.org/show_bug.cgi?id=125848
1182
1183         Reviewed by Csaba Osztrogonác.
1184
1185         * assembler/ARMv7Assembler.h: Include limits.h for INT_MIN.
1186         * assembler/SH4Assembler.h: Include limits.h for INT_MIN.
1187
1188 2013-12-16  Oliver Hunt  <oliver@apple.com>
1189
1190         Avoid indirect function calls for custom getters
1191         https://bugs.webkit.org/show_bug.cgi?id=125821
1192
1193         Reviewed by Mark Hahnenberg.
1194
1195         Rather than invoking a helper function to perform an indirect call
1196         through a function pointer, just have the JIT call the function directly.
1197
1198         Unfortunately this only works in JSVALUE64 at the moment as there
1199         is not an obvious way to pass two EncodedJSValues uniformly over
1200         the various affected JITs.
1201
1202         * jit/CCallHelpers.h:
1203         (JSC::CCallHelpers::setupArguments):
1204         * jit/Repatch.cpp:
1205         (JSC::generateProtoChainAccessStub):
1206         (JSC::tryBuildGetByIDList):
1207
1208 2013-12-16  Joseph Pecoraro  <pecoraro@apple.com>
1209
1210         Fix some whitespace issues in inspector code
1211         https://bugs.webkit.org/show_bug.cgi?id=125814
1212
1213         Reviewed by Darin Adler.
1214
1215         * inspector/protocol/Debugger.json:
1216         * inspector/protocol/Runtime.json:
1217         * inspector/scripts/CodeGeneratorInspector.py:
1218         (Generator.process_command):
1219
1220 2013-12-16  Mark Hahnenberg  <mhahnenberg@apple.com>
1221
1222         Add some missing functions to MacroAssembler
1223         https://bugs.webkit.org/show_bug.cgi?id=125809
1224
1225         Reviewed by Oliver Hunt.
1226
1227         * assembler/AbstractMacroAssembler.h:
1228         * assembler/AssemblerBuffer.h:
1229         * assembler/LinkBuffer.cpp:
1230         * assembler/MacroAssembler.h:
1231         (JSC::MacroAssembler::storePtr):
1232         (JSC::MacroAssembler::andPtr):
1233         * assembler/MacroAssemblerARM64.h:
1234         (JSC::MacroAssemblerARM64::and64):
1235         (JSC::MacroAssemblerARM64::branchTest8):
1236         * assembler/MacroAssemblerARMv7.h:
1237         (JSC::MacroAssemblerARMv7::branchTest8):
1238         * assembler/X86Assembler.h:
1239
1240 2013-12-16  Brent Fulgham  <bfulgham@apple.com>
1241
1242         [Win] Remove dead code after conversion to VS2013
1243         https://bugs.webkit.org/show_bug.cgi?id=125795
1244
1245         Reviewed by Darin Adler.
1246
1247         * API/tests/testapi.c: Remove local nan implementation
1248
1249 2013-12-16  Oliver Hunt  <oliver@apple.com>
1250
1251         Cache getters and custom accessors on the prototype chain
1252         https://bugs.webkit.org/show_bug.cgi?id=125602
1253
1254         Reviewed by Michael Saboff.
1255
1256         Support caching of custom getters and accessors on the prototype chain.
1257         This is relatively trivial and just requires a little work compared to
1258         the direct access mode as we're under more register pressure.
1259
1260         * bytecode/StructureStubInfo.h:
1261           Removed the unused initGetByIdProto as it was confusing to still have it present.
1262         * jit/Repatch.cpp:
1263         (JSC::generateProtoChainAccessStub):
1264         (JSC::tryCacheGetByID):
1265         (JSC::tryBuildGetByIDList):
1266
1267 2013-12-16  Mark Lam  <mark.lam@apple.com>
1268
1269         Change slow path result to take a void* instead of a ExecState*.
1270         https://bugs.webkit.org/show_bug.cgi?id=125802.
1271
1272         Reviewed by Filip Pizlo.
1273
1274         This is in preparation for C Stack OSR entry work that is coming soon.
1275         In the OSR entry case, we'll be returning a topOfFrame pointer value
1276         instead of the ExecState*.
1277
1278         * offlineasm/cloop.rb:
1279         * runtime/CommonSlowPaths.h:
1280         (JSC::encodeResult):
1281         (JSC::decodeResult):
1282
1283 2013-12-16  Alex Christensen  <achristensen@webkit.org>
1284
1285         Fixed Win64 build on VS2013.
1286         https://bugs.webkit.org/show_bug.cgi?id=125753
1287
1288         Reviewed by Brent Fulgham.
1289
1290         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1291         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj:
1292         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
1293         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
1294         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
1295         * JavaScriptCore.vcxproj/jsc/jsc.vcxproj:
1296         * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj:
1297         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
1298         Added correct PlatformToolset for 64-bit builds.
1299
1300 2013-12-16  Peter Szanka  <h868064@stud.u-szeged.hu>
1301
1302         Delete RVCT related code parts.
1303         https://bugs.webkit.org/show_bug.cgi?id=125626
1304
1305         Reviewed by Darin Adler.
1306
1307         * assembler/ARMAssembler.cpp:
1308         * assembler/ARMAssembler.h:
1309         (JSC::ARMAssembler::cacheFlush):
1310         * assembler/MacroAssemblerARM.cpp:
1311         (JSC::isVFPPresent):
1312         * jit/JITStubsARM.h:
1313         * jit/JITStubsARMv7.h:
1314
1315 2013-12-15  Ryosuke Niwa  <rniwa@webkit.org>
1316
1317         REGRESSION: 2x regression on Dromaeo DOM query tests
1318         https://bugs.webkit.org/show_bug.cgi?id=125377
1319
1320         Reviewed by Filip Pizlo.
1321
1322         The bug was caused by JSC not JIT'ing property access on "document" due to its type info having
1323         the HasImpureGetOwnPropertySlot flag.
1324
1325         Fixed the bug by adding a new type info flag, NewImpurePropertyFiresWatchpoints, which allows the baseline
1326         JIT to generate byte code for accessing properties on an object with named properties (a.k.a.
1327         custom name getter) in DOM. When a new named property appears on the object, the VM is notified via
1328         VM::addImpureProperty and fires the StructureStubClearingWatchpoint added during the repatch.
1329
1330         * bytecode/GetByIdStatus.cpp:
1331         (JSC::GetByIdStatus::computeFromLLInt): Take the slow path if we have any object with impure
1332         properties in the prototype chain.
1333         (JSC::GetByIdStatus::computeForChain): Ditto.
1334
1335         * jit/Repatch.cpp:
1336         (JSC::repatchByIdSelfAccess): Throw away the byte code when a new impure property is added on any
1337         object in the prototype chain via StructureStubClearingWatchpoint.
1338         (JSC::generateProtoChainAccessStub): Ditto.
1339         (JSC::tryCacheGetByID):
1340         (JSC::tryBuildGetByIDList):
1341         (JSC::tryRepatchIn): Ditto.
1342
1343         * runtime/JSTypeInfo.h: Added NewImpurePropertyFiresWatchpoints.
1344         (JSC::TypeInfo::newImpurePropertyFiresWatchpoints): Added.
1345
1346         * runtime/Operations.h:
1347         (JSC::normalizePrototypeChainForChainAccess): Don't exit early if the VM will be notified of new
1348         impure property even if the object had impure properties.
1349
1350         * runtime/Structure.h:
1351         (JSC::Structure::takesSlowPathInDFGForImpureProperty): Added. Wraps hasImpureGetOwnPropertySlot and
1352         asserts that newImpurePropertyFiresWatchpoints is true whenever hasImpureGetOwnPropertySlot is true.
1353
1354         * runtime/VM.cpp:
1355         (JSC::VM::registerWatchpointForImpureProperty): Added.
1356         (JSC::VM::addImpureProperty): Added. HTMLDocument calls it to notify JSC of a new impure property.
1357
1358         * runtime/VM.h:
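
        An added illustration, not JavaScriptCore code, of the caching rule and the clearing watchpoint
        this entry describes: an object with a custom name getter is cached only when its type info
        promises that new impure properties will fire watchpoints, and a later addImpureProperty call
        for that name clears every stub registered against it while leaving other stubs alone. The
        TypeInfo, StubInfo and VM types here, their fields, and the property names are assumptions.

```cpp
// Added model, not JavaScriptCore code: the caching rule for objects with a
// custom name getter and the watchpoint that clears their stubs. TypeInfo,
// StubInfo, VM and the property names below are assumptions.
#include <cstddef>
#include <cstdio>
#include <map>
#include <memory>
#include <string>
#include <vector>

struct TypeInfo {
    bool hasImpureGetOwnPropertySlot;       // object answers getOwnPropertySlot via a custom name getter
    bool newImpurePropertyFiresWatchpoints; // owner promises to call VM::addImpureProperty
    TypeInfo(bool impure, bool fires)
        : hasImpureGetOwnPropertySlot(impure), newImpurePropertyFiresWatchpoints(fires) { }
};

// Counterpart of takesSlowPathInDFGForImpureProperty: an impure object may be
// cached only if it promises to report new impure properties.
bool takesSlowPathForImpureProperty(const TypeInfo& info)
{
    return info.hasImpureGetOwnPropertySlot && !info.newImpurePropertyFiresWatchpoints;
}

struct StubInfo {
    std::string property;
    bool valid = true; // cleared when the watchpoint fires
};

struct VM {
    // property name -> stubs to throw away when that name appears as a named property
    std::map<std::string, std::vector<StubInfo*>> impurePropertyWatchpoints;

    void registerWatchpointForImpureProperty(const std::string& name, StubInfo* stub)
    {
        impurePropertyWatchpoints[name].push_back(stub);
    }

    // What the DOM would call when a new named property shows up on the
    // object. Returns the number of stubs cleared.
    std::size_t addImpureProperty(const std::string& name)
    {
        auto it = impurePropertyWatchpoints.find(name);
        if (it == impurePropertyWatchpoints.end())
            return 0;
        for (StubInfo* stub : it->second)
            stub->valid = false;
        std::size_t cleared = it->second.size();
        impurePropertyWatchpoints.erase(it);
        return cleared;
    }
};

// Tries to build an inline cache for base.property. Returns nullptr when the
// access must stay on the slow path; otherwise the stub, registered with a
// watchpoint if the base could later grow a shadowing named property.
StubInfo* tryCacheGetByID(VM& vm, const TypeInfo& base, const std::string& property,
    std::vector<std::unique_ptr<StubInfo>>& stubs)
{
    if (takesSlowPathForImpureProperty(base))
        return nullptr;
    stubs.push_back(std::unique_ptr<StubInfo>(new StubInfo()));
    StubInfo* stub = stubs.back().get();
    stub->property = property;
    if (base.hasImpureGetOwnPropertySlot)
        vm.registerWatchpointForImpureProperty(property, stub);
    return stub;
}

int main()
{
    VM vm;
    std::vector<std::unique_ptr<StubInfo>> stubs;
    TypeInfo document(true, true); // custom name getter, but fires watchpoints
    StubInfo* stub = tryCacheGetByID(vm, document, "getElementById", stubs);
    std::printf("cached: %d\n", stub != nullptr);
    vm.addImpureProperty("getElementById"); // a named element with that name appeared
    std::printf("still valid after addImpureProperty: %d\n", stub && stub->valid);
    return 0;
}
```

        A plain object without a custom name getter is cached with no watchpoint at all, so a
        later addImpureProperty for the same name leaves its stub valid; an impure object that
        does not promise to fire watchpoints is never cached, which is the pre-fix behaviour.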
1359
1360 2013-12-15  Andy Estes  <aestes@apple.com>
1361
1362         [iOS] Upstream changes to FeatureDefines.xcconfig
1363         https://bugs.webkit.org/show_bug.cgi?id=125742
1364
1365         Reviewed by Dan Bernstein.
1366
1367         * Configurations/FeatureDefines.xcconfig:
1368
1369 2013-12-14  Filip Pizlo  <fpizlo@apple.com>
1370
1371         FTL should *really* know when things are flushed
1372         https://bugs.webkit.org/show_bug.cgi?id=125747
1373
1374         Reviewed by Sam Weinig.
1375         
1376         Fix more codegen badness. This makes V8v7's crypto am3() function run faster in the FTL
1377         than in DFG. This means that even if we just compile those functions in V8v7 that don't
1378         make calls, the FTL gives us a 2% speed-up over the DFG. That's pretty good considering
1379         that we have still more optimizations to fix and we can make calls work.
1380
1381         * dfg/DFGSSAConversionPhase.cpp:
1382         (JSC::DFG::SSAConversionPhase::run):
1383         * ftl/FTLCompile.cpp:
1384         (JSC::FTL::fixFunctionBasedOnStackMaps):
1385
1386 2013-12-14  Andy Estes  <aestes@apple.com>
1387
1388         Unify FeatureDefines.xcconfig
1389         https://bugs.webkit.org/show_bug.cgi?id=125741
1390
1391         Rubber-stamped by Dan Bernstein.
1392
1393         * Configurations/FeatureDefines.xcconfig: Enable ENABLE_MEDIA_SOURCE.
1394
1395 2013-12-14  Mark Rowe  <mrowe@apple.com>
1396
1397         Build fix after r160557.
1398
1399         r160557 added the first generated header to JavaScriptCore that needs to be installed into
1400         the framework wrapper. Sadly JavaScriptCore's Derived Sources target was not set to generate
1401         headers when invoked as part of the installhdrs action. This resulted in the build failing
1402         due to Xcode being unable to find the header file to install. The fix for this is to configure
1403         the Derived Sources target to use JavaScriptCore.xcconfig, which sets INSTALLHDRS_SCRIPT_PHASE
1404         to YES and allows Xcode to generate derived sources during the installhdrs action.
1405
1406         Enabling INSTALLHDRS_SCRIPT_PHASE required tweaking the Generate Derived Sources script build
1407         phase to skip running code related to offlineasm that depends on JSCLLIntOffsetExtractor
1408         having been compiled, which isn't the case at installhdrs time.
1409
1410         * JavaScriptCore.xcodeproj/project.pbxproj:
1411
1412 2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>
1413
1414         Some Set and Map prototype functions have incorrect function lengths
1415         https://bugs.webkit.org/show_bug.cgi?id=125732
1416
1417         Reviewed by Oliver Hunt.
1418
1419         * runtime/MapPrototype.cpp:
1420         (JSC::MapPrototype::finishCreation):
1421         * runtime/SetPrototype.cpp:
1422         (JSC::SetPrototype::finishCreation):
1423
1424 2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>
1425
1426         Web Inspector: Move Inspector and Debugger protocol domains into JavaScriptCore
1427         https://bugs.webkit.org/show_bug.cgi?id=125707
1428
1429         Reviewed by Timothy Hatcher.
1430
1431         * CMakeLists.txt:
1432         * DerivedSources.make:
1433         * GNUmakefile.am:
1434         * inspector/protocol/Debugger.json: Renamed from Source/WebCore/inspector/protocol/Debugger.json.
1435         * inspector/protocol/GenericTypes.json: Added.
1436         * inspector/protocol/InspectorDomain.json: Renamed from Source/WebCore/inspector/protocol/InspectorDomain.json.
1437         Add new files to inspector generation.
1438
1439         * inspector/scripts/CodeGeneratorInspector.py:
1440         (Generator.go):
1441         Only build TypeBuilder output if the domain only has types. Avoid
1442         backend/frontend dispatchers and backend commands.
1443
1444         (TypeBindings.create_type_declaration_.EnumBinding.get_setter_value_expression_pattern):
1445         (format_setter_value_expression):
1446         (Generator.process_command):
1447         (Generator.generate_send_method):
1448         * inspector/scripts/CodeGeneratorInspectorStrings.py:
1449         Export and name the get{JS,Web}EnumConstant function.
1450
1451 2013-12-11  Filip Pizlo  <fpizlo@apple.com>
1452
1453         Get rid of forward exit on UInt32ToNumber by adding an op_unsigned bytecode instruction
1454         https://bugs.webkit.org/show_bug.cgi?id=125553
1455
1456         Reviewed by Oliver Hunt.
1457         
1458         UInt32ToNumber was a super complicated node because it had to do a speculation, but it
1459         would do it after we already had computed the urshift. It couldn't just jump back to the
1460         beginning of the urshift because the inputs to the urshift weren't necessarily live
1461         anymore. We couldn't jump forward to the beginning of the next instruction because the
1462         result of the urshift was not yet unsigned-converted.
1463         
1464         For a while we solved this by forward-exiting in UInt32ToNumber. But that's really
1465         gross and I want to get rid of all forward exits. They cause a lot of bugs.
1466         
1467         We could also have turned UInt32ToNumber to a backwards exit by forcing the inputs to
1468         the urshift to be live. I figure that this might be a bit too extreme.
1469         
1470         So, I just created a new place that we can exit to: I split op_urshift into op_urshift
1471         followed by op_unsigned. op_unsigned is an "unsigned cast" along the lines of what
1472         UInt32ToNumber does. This allows me to get rid of all of the nastiness in the DFG for
1473         forward exiting in UInt32ToNumber.
1474         
1475         This patch enables massive code carnage in the DFG and FTL, and brings us closer to
1476         eliminating one of the DFG's most confusing concepts. On the flipside, it does make the
1477         bytecode slightly more complex (one new instruction). This is a profitable trade. We
1478         want the DFG and FTL to trend towards simplicity, since they are both currently too
1479         complicated.
1480
1481         * bytecode/BytecodeUseDef.h:
1482         (JSC::computeUsesForBytecodeOffset):
1483         (JSC::computeDefsForBytecodeOffset):
1484         * bytecode/CodeBlock.cpp:
1485         (JSC::CodeBlock::dumpBytecode):
1486         * bytecode/Opcode.h:
1487         (JSC::padOpcodeName):
1488         * bytecode/ValueRecovery.cpp:
1489         (JSC::ValueRecovery::dumpInContext):
1490         * bytecode/ValueRecovery.h:
1491         (JSC::ValueRecovery::gpr):
1492         * bytecompiler/NodesCodegen.cpp:
1493         (JSC::BinaryOpNode::emitBytecode):
1494         (JSC::emitReadModifyAssignment):
1495         * dfg/DFGByteCodeParser.cpp:
1496         (JSC::DFG::ByteCodeParser::toInt32):
1497         (JSC::DFG::ByteCodeParser::parseBlock):
1498         * dfg/DFGClobberize.h:
1499         (JSC::DFG::clobberize):
1500         * dfg/DFGNodeType.h:
1501         * dfg/DFGOSRExitCompiler32_64.cpp:
1502         (JSC::DFG::OSRExitCompiler::compileExit):
1503         * dfg/DFGOSRExitCompiler64.cpp:
1504         (JSC::DFG::OSRExitCompiler::compileExit):
1505         * dfg/DFGSpeculativeJIT.cpp:
1506         (JSC::DFG::SpeculativeJIT::compileMovHint):
1507         (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
1508         * dfg/DFGSpeculativeJIT.h:
1509         * dfg/DFGSpeculativeJIT32_64.cpp:
1510         * dfg/DFGSpeculativeJIT64.cpp:
1511         * dfg/DFGStrengthReductionPhase.cpp:
1512         (JSC::DFG::StrengthReductionPhase::handleNode):
1513         (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild):
1514         (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild1):
1515         (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild2):
1516         * ftl/FTLFormattedValue.h:
1517         (JSC::FTL::int32Value):
1518         * ftl/FTLLowerDFGToLLVM.cpp:
1519         (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):
1520         * ftl/FTLValueFormat.cpp:
1521         (JSC::FTL::reboxAccordingToFormat):
1522         (WTF::printInternal):
1523         * ftl/FTLValueFormat.h:
1524         * jit/JIT.cpp:
1525         (JSC::JIT::privateCompileMainPass):
1526         (JSC::JIT::privateCompileSlowCases):
1527         * jit/JIT.h:
1528         * jit/JITArithmetic.cpp:
1529         (JSC::JIT::emit_op_urshift):
1530         (JSC::JIT::emitSlow_op_urshift):
1531         (JSC::JIT::emit_op_unsigned):
1532         (JSC::JIT::emitSlow_op_unsigned):
1533         * jit/JITArithmetic32_64.cpp:
1534         (JSC::JIT::emitRightShift):
1535         (JSC::JIT::emitRightShiftSlowCase):
1536         (JSC::JIT::emit_op_unsigned):
1537         (JSC::JIT::emitSlow_op_unsigned):
1538         * llint/LowLevelInterpreter32_64.asm:
1539         * llint/LowLevelInterpreter64.asm:
1540         * runtime/CommonSlowPaths.cpp:
1541         (JSC::SLOW_PATH_DECL):
1542         * runtime/CommonSlowPaths.h:
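
        Added example, not JavaScriptCore code: a small JavaScript model of the op_urshift /
        op_unsigned split described in the entry above. The function names and the exit counter
        are invented for illustration; what it shows is why the second instruction needs a
        speculation at all: the int32 shift result is negative exactly when the uint32 value of
        `a >>> b` does not fit in int32, so the fast path can check the sign and leave the
        double conversion to the slow path.

```javascript
// Added example, not JavaScriptCore code: a model of the op_urshift /
// op_unsigned split. Function names and the `stats` counter are invented.

// op_urshift: shift the raw 32-bit pattern. The result is kept as a signed
// int32, as it would sit in a machine register, so 0xFFFFFFFF reads as -1.
function opUrshift(a, b) {
  const x = a | 0;        // ToInt32(a)
  const s = b & 31;       // shift count modulo 32, as in the spec
  return (x >>> s) | 0;   // reinterpret the unsigned result as int32
}

// op_unsigned: the "unsigned cast" from that int32 to a JS Number. The fast
// path speculates the value is non-negative (then it is already the right
// int32 Number); a negative value means the uint32 result does not fit in
// int32, so the speculation fails and the slow path widens to a double.
const stats = { exits: 0 };
function opUnsigned(x) {
  if (x >= 0) return x;
  stats.exits += 1;                 // models the exit to the op_unsigned slow path
  return x + 0x100000000;           // same bits read as uint32, now a double
}

// The two instructions together implement `a >>> b`.
function urshift(a, b) {
  return opUnsigned(opUrshift(a, b));
}

// Compare against the engine's own `>>>` on a few constructed inputs,
// including the boundary cases where the uint32 result exceeds INT32_MAX.
function selfCheck() {
  const samples = [[-1, 0], [-8, 1], [0x80000000, 31], [7, 2], [-(2 ** 31), 0]];
  return samples.every(([a, b]) => urshift(a, b) === a >>> b);
}
```

        Only the negative int32 results (here `-1 >>> 0` and `-2^31 >>> 0`) take the slow path;
        `-8 >>> 1` produces 0x7FFFFFFC, which is still a valid int32 and needs no conversion.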
1543
1544 2013-12-13  Mark Hahnenberg  <mhahnenberg@apple.com>
1545
1546         LLInt should not conditionally branch to labels outside of its function
1547         https://bugs.webkit.org/show_bug.cgi?id=125713
1548
1549         Reviewed by Geoffrey Garen.
1550
1551         Conditional branches are insufficient for jumping to out-of-function labels.
1552         The fix is to use an unconditional jmp to the label combined with a conditional branch around the jmp.
1553
1554         * llint/LowLevelInterpreter32_64.asm:
1555         * llint/LowLevelInterpreter64.asm:
1556
1557 2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>
1558
1559         [GTK] Remove Warnings in building about duplicate INSPECTOR variables
1560         https://bugs.webkit.org/show_bug.cgi?id=125710
1561
1562         Reviewed by Tim Horton.
1563
1564         * GNUmakefile.am:
1565
1566 2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>
1567
1568         Cleanup CodeGeneratorInspectorStrings a bit
1569         https://bugs.webkit.org/show_bug.cgi?id=125705
1570
1571         Reviewed by Timothy Hatcher.
1572
1573         * inspector/scripts/CodeGeneratorInspectorStrings.py:
1574         Use ${foo} variable syntax and add an ASCIILiteral.
1575
1576 2013-12-13  Brent Fulgham  <bfulgham@apple.com>
1577
1578         [Win] Unreviewed build fix after r160563
1579
1580         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: Missed the Debug
1581         target in my last patch.
1582
1583 2013-12-13  Brent Fulgham  <bfulgham@apple.com>
1584
1585         [Win] Unreviewed build fix after r160548
1586
1587         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: Specify
1588         that we are using the vs12_xp target for Makefile-based projects.
1589         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj: Ditto
1590         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: Ditto.
1591
1592 2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>
1593
1594         Make inspector folder groups smarter in JavaScriptCore.xcodeproj
1595         https://bugs.webkit.org/show_bug.cgi?id=125663
1596
1597         Reviewed by Darin Adler.
1598
1599         * JavaScriptCore.xcodeproj/project.pbxproj:
1600
1601 2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>
1602
1603         Web Inspector: Add Inspector Code Generation to JavaScriptCore for Runtime Domain
1604         https://bugs.webkit.org/show_bug.cgi?id=125595
1605
1606         Reviewed by Timothy Hatcher.
1607
1608           - Move CodeGeneration scripts from WebCore into JavaScriptCore/inspector/scripts
1609           - For ports that build WebKit frameworks separately, export the scripts as PrivateHeaders
1610           - Update CodeGeneratorInspector.py in a few ways:
1611             - output dynamic filenames, so JavaScriptCore generates InspectorJSFoo.* and WebCore generates InspectorWebFoo.*
1612           - take in more than one protocol JSON file. The first contains domains to generate, the others are dependencies
1613               that are generated elsewhere that we can depend on for Types.
1614           - Add DerivedSources build step to generate the Inspector Interfaces
1615
1616         * CMakeLists.txt:
1617         * DerivedSources.make:
1618         * GNUmakefile.am:
1619         * GNUmakefile.list.am:
1620         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1621         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1622         * JavaScriptCore.vcxproj/copy-files.cmd:
1623         * JavaScriptCore.xcodeproj/project.pbxproj:
1624         Add scripts and code generation.
1625
1626         * inspector/protocol/Runtime.json: Renamed from Source/WebCore/inspector/protocol/Runtime.json.
1627         Move protocol file into JavaScriptCore so its types will be generated in JavaScriptCore.
1628
1629         * inspector/scripts/CodeGeneratorInspector.py: Renamed from Source/WebCore/inspector/CodeGeneratorInspector.py.
1630         Updates to the script as listed above.
1631
1632         * inspector/scripts/CodeGeneratorInspectorStrings.py: Renamed from Source/WebCore/inspector/CodeGeneratorInspectorStrings.py.
1633         * inspector/scripts/generate-combined-inspector-json.py: Renamed from Source/WebCore/inspector/Scripts/generate-combined-inspector-json.py.
1634         Moved from WebCore into JavaScriptCore for code generation.
1635
1636 2013-12-13  Peter Szanka  <h868064@stud.u-szeged.hu>
1637
1638         Delete INTEL C compiler related code parts.
1639         https://bugs.webkit.org/show_bug.cgi?id=125625
1640
1641         Reviewed by Darin Adler.
1642
1643         * jsc.cpp:
1644         * testRegExp.cpp:
1645
1646 2013-12-13  Brent Fulgham  <bfulgham@apple.com>
1647
1648         [Win] Switch WebKit solution to Visual Studio 2013
1649         https://bugs.webkit.org/show_bug.cgi?id=125192
1650
1651         Reviewed by Anders Carlsson.
1652
1653         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Update for VS2013
1654         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
1655         Ditto
1656         * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Ditto
1657         * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: Ditto
1658         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Ditto
1659
1660 2013-12-12  Joseph Pecoraro  <pecoraro@apple.com>
1661
1662         Add a few more ASCIILiterals
1663         https://bugs.webkit.org/show_bug.cgi?id=125662
1664
1665         Reviewed by Darin Adler.
1666
1667         * inspector/InspectorBackendDispatcher.cpp:
1668         (Inspector::InspectorBackendDispatcher::dispatch):
1669
1670 2013-12-12  Joseph Pecoraro  <pecoraro@apple.com>
1671
1672         Test new JSContext name APIs
1673         https://bugs.webkit.org/show_bug.cgi?id=125607
1674
1675         Reviewed by Darin Adler.
1676
1677         * API/JSContext.h:
1678         * API/JSContextRef.h:
1679         Fix whitespace issues.
1680
1681         * API/tests/testapi.c:
1682         (globalContextNameTest):
1683         (main):
1684         * API/tests/testapi.mm:
1685         Add tests for JSContext set/get name APIs.
1686
1687 2013-12-11  Filip Pizlo  <fpizlo@apple.com>
1688
1689         ARM64: Hang running pdfjs test, suspect DFG generated code for "in"
1690         https://bugs.webkit.org/show_bug.cgi?id=124727
1691         <rdar://problem/15566923>
1692
1693         Reviewed by Michael Saboff.
1694         
1695         Get rid of In's hackish use of StructureStubInfo. Previously it was using hotPathBegin,
1696         and it was the only IC that used that field, which was wasteful. Moreover, it used it
1697         to store two separate locations: the label for patching the jump and the label right
1698         after the jump. The code was relying on those two being the same label, which is true
1699         on X86 and some other platforms, but it isn't true on ARM64.
1700         
1701         This gets rid of hotPathBegin and makes In express those two locations as offsets from
1702         the callReturnLocation, which is analogous to what the other ICs do.
1703         
1704         This fixes a bug where any successful In patching would result in a trivially infinite
1705         loop - and hence a hang - on ARM64.
1706
1707         * bytecode/StructureStubInfo.h:
1708         * dfg/DFGJITCompiler.cpp:
1709         (JSC::DFG::JITCompiler::link):
1710         * dfg/DFGJITCompiler.h:
1711         (JSC::DFG::InRecord::InRecord):
1712         * dfg/DFGSpeculativeJIT.cpp:
1713         (JSC::DFG::SpeculativeJIT::compileIn):
1714         * jit/JITInlineCacheGenerator.cpp:
1715         (JSC::JITByIdGenerator::finalize):
1716         * jit/Repatch.cpp:
1717         (JSC::replaceWithJump):
1718         (JSC::patchJumpToGetByIdStub):
1719         (JSC::tryCachePutByID):
1720         (JSC::tryBuildPutByIdList):
1721         (JSC::tryRepatchIn):
1722         (JSC::resetGetByID):
1723         (JSC::resetPutByID):
1724         (JSC::resetIn):
1725
1726 2013-12-11  Joseph Pecoraro  <pecoraro@apple.com>
1727
1728         Web Inspector: Push More Inspector Required Classes Down into JavaScriptCore
1729         https://bugs.webkit.org/show_bug.cgi?id=125324
1730
1731         Reviewed by Timothy Hatcher.
1732
1733         * CMakeLists.txt:
1734         * GNUmakefile.am:
1735         * GNUmakefile.list.am:
1736         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1737         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1738         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
1739         * JavaScriptCore.vcxproj/copy-files.cmd:
1740         * JavaScriptCore.xcodeproj/project.pbxproj:
1741         * bindings/ScriptFunctionCall.cpp: Renamed from Source/WebCore/bindings/js/ScriptFunctionCall.cpp.
1742         * bindings/ScriptFunctionCall.h: Renamed from Source/WebCore/bindings/js/ScriptFunctionCall.h.
1743         * bindings/ScriptObject.cpp: Copied from Source/WebCore/inspector/WorkerConsoleAgent.cpp.
1744         * bindings/ScriptObject.h: Renamed from Source/WebCore/inspector/InspectorBaseAgent.h.
1745         * bindings/ScriptValue.cpp: Renamed from Source/WebCore/bindings/js/ScriptValue.cpp.
1746         * bindings/ScriptValue.h: Renamed from Source/WebCore/bindings/js/ScriptValue.h.
1747         * inspector/InspectorAgentBase.h: Copied from Source/WebCore/inspector/InspectorAgentRegistry.h.
1748         * inspector/InspectorAgentRegistry.cpp: Renamed from Source/WebCore/inspector/InspectorAgentRegistry.cpp.
1749         * inspector/InspectorBackendDispatcher.h: Renamed from Source/WebCore/inspector/InspectorBackendDispatcher.h.
1750         (Inspector::InspectorSupplementalBackendDispatcher::InspectorSupplementalBackendDispatcher):
1751         (Inspector::InspectorSupplementalBackendDispatcher::~InspectorSupplementalBackendDispatcher):
1752         * inspector/InspectorValues.cpp: Renamed from Source/WebCore/inspector/InspectorValues.cpp.
1753         * inspector/InspectorValues.h: Renamed from Source/WebCore/inspector/InspectorValues.h.
1754
1755 2013-12-11  Laszlo Vidacs  <lac@inf.u-szeged.hu>
1756
1757         Store SHA1 hash in std::array
1758         https://bugs.webkit.org/show_bug.cgi?id=125446
1759
1760         Reviewed by Darin Adler.
1761
1762         Change Vector to std::array and use typedef.
1763
1764         * bytecode/CodeBlockHash.cpp:
1765         (JSC::CodeBlockHash::CodeBlockHash):
1766
1767 2013-12-11  Mark Rowe  <mrowe@apple.com>
1768
1769         <https://webkit.org/b/125141> Modernize the JavaScriptCore API headers
1770         <rdar://problem/15540121>
1771
1772         This consists of three main changes:
1773         1) Converting the return type of initializer methods to instancetype.
1774         2) Declaring properties rather than getters and setters.
1775         3) Tagging C API methods with information about their memory management semantics.
1776
1777         Changing the declarations from getters and setters to properties also required
1778         updating the headerdoc in a number of places.
1779
1780         Reviewed by Anders Carlsson.
1781
1782         * API/JSContext.h:
1783         * API/JSContext.mm:
1784         * API/JSManagedValue.h:
1785         * API/JSManagedValue.mm:
1786         * API/JSStringRefCF.h:
1787         * API/JSValue.h:
1788         * API/JSVirtualMachine.h:
1789         * API/JSVirtualMachine.mm:
1790
1791 2013-12-11  Mark Rowe  <mrowe@apple.com>
1792
1793         <https://webkit.org/b/125559> Move JavaScriptCore off the legacy WebKit availability macros
1794
1795         The legacy WebKit availability macros are verbose, confusing, and provide no benefit over
1796         using the system availability macros directly. The original vision was that they'd serve
1797         a cross-platform purpose but that never came to be.
1798
1799         Map from WebKit version to OS X version based on the mapping in WebKitAvailability.h.
1800         All iOS versions are specified as 7.0 as that is when the JavaScriptCore C API was made
1801         public.
1802
1803         Part of <rdar://problem/15512304>.
1804
1805         Reviewed by Anders Carlsson.
1806
1807         * API/JSBasePrivate.h:
1808         * API/JSContextRef.h:
1809         * API/JSContextRefPrivate.h:
1810         * API/JSObjectRef.h:
1811         * API/JSValueRef.h:
1812
1813 2013-12-10  Filip Pizlo  <fpizlo@apple.com>
1814
1815         Get rid of forward exit on DoubleAsInt32
1816         https://bugs.webkit.org/show_bug.cgi?id=125552
1817
1818         Reviewed by Oliver Hunt.
1819         
1820         The forward exit was just there so that we wouldn't have to keep the inputs alive up to
1821         the DoubleAsInt32. That's dumb. Forward exits are a complicated piece of machinery and
1822         we shouldn't have it just for a bit of liveness micro-optimization.
1823         
1824         Also add a bunch of machinery to test this case on X86.
1825
1826         * assembler/AbstractMacroAssembler.h:
1827         (JSC::optimizeForARMv7s):
1828         (JSC::optimizeForARM64):
1829         (JSC::optimizeForX86):
1830         * dfg/DFGFixupPhase.cpp:
1831         (JSC::DFG::FixupPhase::fixupNode):
1832         * dfg/DFGNodeType.h:
1833         * dfg/DFGSpeculativeJIT.cpp:
1834         (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
1835         * runtime/Options.h:
1836         * tests/stress/double-as-int32.js: Added.
1837         (foo):
1838         (test):
1839
1840 2013-12-10  Filip Pizlo  <fpizlo@apple.com>
1841
1842         Simplify CSE's treatment of NodeRelevantToOSR
1843         https://bugs.webkit.org/show_bug.cgi?id=125538
1844
1845         Reviewed by Oliver Hunt.
1846         
1847         Make the NodeRelevantToOSR thing obvious: if there is any MovHint on a node then the
1848         node is relevant to OSR.
1849
1850         * dfg/DFGCSEPhase.cpp:
1851         (JSC::DFG::CSEPhase::run):
1852         (JSC::DFG::CSEPhase::performNodeCSE):
1853         (JSC::DFG::CSEPhase::performBlockCSE):
1854
1855 2013-12-10  Filip Pizlo  <fpizlo@apple.com>
1856
1857         Get rid of forward exit in GetByVal on Uint32Array
1858         https://bugs.webkit.org/show_bug.cgi?id=125543
1859
1860         Reviewed by Oliver Hunt.
1861
1862         * dfg/DFGSpeculativeJIT.cpp:
1863         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
1864         * ftl/FTLLowerDFGToLLVM.cpp:
1865         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
1866
1867 2013-12-10  Balazs Kilvady  <kilvadyb@homejinni.com>
1868
1869         [MIPS] Redundant instructions in code generated from offlineasm.
1870         https://bugs.webkit.org/show_bug.cgi?id=125528
1871
1872         Reviewed by Michael Saboff.
1873
1874         Optimize lowering of offlineasm BaseIndex Addresses.
1875
1876         * offlineasm/mips.rb:
1877
1878 2013-12-10  Oliver Hunt  <oliver@apple.com>
1879
1880         Reduce the mass templatizing of the JS parser
1881         https://bugs.webkit.org/show_bug.cgi?id=125535
1882
1883         Reviewed by Michael Saboff.
1884
1885         The various caches we have now have removed the need for many of
1886         the template vs. regular parameters.  This patch converts those
1887         template parameters to regular parameters and updates the call
1888         sites.  This reduces the code size of the parser by around 15%.
1889
1890         * parser/ASTBuilder.h:
1891         (JSC::ASTBuilder::createGetterOrSetterProperty):
1892         (JSC::ASTBuilder::createProperty):
1893         * parser/Parser.cpp:
1894         (JSC::::parseInner):
1895         (JSC::::parseSourceElements):
1896         (JSC::::parseVarDeclarationList):
1897         (JSC::::createBindingPattern):
1898         (JSC::::tryParseDeconstructionPatternExpression):
1899         (JSC::::parseDeconstructionPattern):
1900         (JSC::::parseSwitchClauses):
1901         (JSC::::parseSwitchDefaultClause):
1902         (JSC::::parseBlockStatement):
1903         (JSC::::parseFormalParameters):
1904         (JSC::::parseFunctionInfo):
1905         (JSC::::parseFunctionDeclaration):
1906         (JSC::::parseProperty):
1907         (JSC::::parseObjectLiteral):
1908         (JSC::::parseStrictObjectLiteral):
1909         (JSC::::parseMemberExpression):
1910         * parser/Parser.h:
1911         * parser/SyntaxChecker.h:
1912         (JSC::SyntaxChecker::createProperty):
1913         (JSC::SyntaxChecker::createGetterOrSetterProperty):
1914
1915 2013-12-10  Mark Hahnenberg  <mhahnenberg@apple.com>
1916
1917         ASSERT !heap.vm()->isInitializingObject() when finishing DFG compilation at beginning of GC
1918         https://bugs.webkit.org/show_bug.cgi?id=125472
1919
1920         Reviewed by Geoff Garen.
1921
1922         This patch makes it look like it's okay to allocate so that the DFG plan finalization stuff 
1923         can do what it needs to do. We already expected that we might do allocation during plan 
1924         finalization and we increased the deferral depth to handle this, but we need to fix this other 
1925         ASSERT stuff too.
1926
1927         * GNUmakefile.list.am:
1928         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1929         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1930         * JavaScriptCore.xcodeproj/project.pbxproj:
1931         * heap/Heap.cpp:
1932         (JSC::Heap::collect):
1933         * heap/Heap.h:
1934         * heap/RecursiveAllocationScope.h: Added.
1935         (JSC::RecursiveAllocationScope::RecursiveAllocationScope):
1936         (JSC::RecursiveAllocationScope::~RecursiveAllocationScope):
1937         * runtime/VM.h:
1938
1939 2013-12-09  Filip Pizlo  <fpizlo@apple.com>
1940
1941         Impose and enforce some basic rules of sanity for where Phi functions are allowed to occur and where their (optional) corresponding MovHints can be
1942         https://bugs.webkit.org/show_bug.cgi?id=125480
1943
1944         Reviewed by Geoffrey Garen.
1945         
1946         Previously, if you wanted to insert some speculation right after where a value was
1947         produced, you'd get super confused if that value was produced by a Phi node.  You can't
1948         necessarily insert speculations after a Phi node because Phi nodes appear in this
1949         special sequence of Phis and MovHints that establish the OSR exit state for a block.
1950         So, you'd probably want to search for the next place where it's safe to insert things.
1951         We already do this "search for beginning of next bytecode instruction" search by
1952         looking at the next node that has a different CodeOrigin.  But this would be hard for a
1953         Phi because those Phis and MovHints have basically random CodeOrigins and they can all
1954         have different CodeOrigins.
1955
1956         This change imposes some sanity for this situation:
1957
1958         - Phis must have unset CodeOrigins.
1959
1960         - In each basic block, all nodes that have unset CodeOrigins must come before all nodes
1961           that have set CodeOrigins.
1962
1963         This all ends up working out just great because prior to this change we didn't have a 
1964         use for unset CodeOrigins.  I think it's appropriate to make "unset CodeOrigin" mean
1965         that we're in the prologue of a basic block.
1966
1967         It's interesting what this means for block merging, which we don't yet do in SSA.
1968         Consider merging the edge A->B.  One possibility is that the block merger is now
1969         required to clean up Phi/Upsilons, and reascribe the MovHints to have the CodeOrigin of
1970         the A's block terminal.  But an answer that might be better is that the originless
1971         nodes at the top of B are just given the origin of the terminal and we keep the
1972         Phis.  That would require changing the above rules.  We'll see how it goes, and what we
1973         end up picking...
1974
1975         Overall, this special-things-at-the-top rule is analogous to what other SSA-based
1976         compilers do.  For example, LLVM has rules mandating that Phis appear at the top of a
1977         block.
1978
1979         * bytecode/CodeOrigin.cpp:
1980         (JSC::CodeOrigin::dump):
1981         * dfg/DFGOSRExitBase.h:
1982         (JSC::DFG::OSRExitBase::OSRExitBase):
1983         * dfg/DFGSSAConversionPhase.cpp:
1984         (JSC::DFG::SSAConversionPhase::run):
1985         * dfg/DFGValidate.cpp:
1986         (JSC::DFG::Validate::validate):
1987         (JSC::DFG::Validate::validateSSA):
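
        Added example, not DFG code: a JavaScript check of the two block-layout rules stated in
        the entry above, run over a toy IR. The node shape `{ op, origin }` and the sample blocks
        are invented here; `origin === null` stands for an unset CodeOrigin. It also shows the
        payoff the entry describes: once the rules hold, the first safe place to insert a
        speculation after the Phi/MovHint prologue is just the first node with a set origin.

```javascript
// Added example, not DFG code: validates the Phi/CodeOrigin rules on a toy IR.
// Node shape { op, origin } is invented; origin === null means "unset CodeOrigin".

// Returns null when the block is well-formed, otherwise a message naming the
// first offending node.
function validateBlockOrigins(block) {
  let seenSetOrigin = false;
  for (let i = 0; i < block.length; i++) {
    const { op, origin } = block[i];
    const unset = origin === null;
    // Rule 1: Phis must have unset CodeOrigins.
    if (op === 'Phi' && !unset)
      return `node ${i}: Phi must have an unset CodeOrigin`;
    // Rule 2: within a block, all unset-origin nodes precede all set-origin nodes.
    if (!unset) {
      seenSetOrigin = true;
    } else if (seenSetOrigin) {
      return `node ${i}: ${op} with unset CodeOrigin after a node with a set CodeOrigin`;
    }
  }
  return null;
}

// With the rules in force, the block prologue is exactly the run of
// originless nodes, so the first safe insertion point needs no CodeOrigin
// comparison: it is the first node whose origin is set.
function firstInsertionPoint(block) {
  const i = block.findIndex(n => n.origin !== null);
  return i === -1 ? block.length : i;
}

// Constructed blocks for illustration (origins are arbitrary bytecode indices).
const goodBlock = [
  { op: 'Phi', origin: null },
  { op: 'MovHint', origin: null },
  { op: 'Phi', origin: null },
  { op: 'ArithAdd', origin: 12 },
  { op: 'Return', origin: 14 },
];
const badBlock = [
  { op: 'ArithAdd', origin: 12 },
  { op: 'Phi', origin: null },
];
```

        `validateBlockOrigins(goodBlock)` returns null and `firstInsertionPoint(goodBlock)` is 3,
        the ArithAdd; `badBlock` is rejected at node 1 because an originless Phi follows a node
        with a set origin.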
1988
1989 2013-12-08  Filip Pizlo  <fpizlo@apple.com>
1990
1991         Reveal array bounds checks in DFG IR
1992         https://bugs.webkit.org/show_bug.cgi?id=125253
1993
1994         Reviewed by Oliver Hunt and Mark Hahnenberg.
1995         
1996         In SSA mode, this reveals array bounds checks and the load of array length in DFG IR,
1997         making this a candidate for LICM.
1998
1999         This also fixes a long-standing performance bug where the JSObject slow paths would
2000         always create contiguous storage, rather than type-specialized storage, when doing a
2001         "storage creating" store, like:
2002         
2003             var o = {};
2004             o[0] = 42;
2005
2006         * CMakeLists.txt:
2007         * GNUmakefile.list.am:
2008         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2009         * JavaScriptCore.xcodeproj/project.pbxproj:
2010         * bytecode/ExitKind.cpp:
2011         (JSC::exitKindToString):
2012         (JSC::exitKindIsCountable):
2013         * bytecode/ExitKind.h:
2014         * dfg/DFGAbstractInterpreterInlines.h:
2015         (JSC::DFG::::executeEffects):
2016         * dfg/DFGArrayMode.cpp:
2017         (JSC::DFG::permitsBoundsCheckLowering):
2018         (JSC::DFG::ArrayMode::permitsBoundsCheckLowering):
2019         * dfg/DFGArrayMode.h:
2020         (JSC::DFG::ArrayMode::lengthNeedsStorage):
2021         * dfg/DFGClobberize.h:
2022         (JSC::DFG::clobberize):
2023         * dfg/DFGConstantFoldingPhase.cpp:
2024         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2025         * dfg/DFGFixupPhase.cpp:
2026         (JSC::DFG::FixupPhase::fixupNode):
2027         * dfg/DFGNodeType.h:
2028         * dfg/DFGPlan.cpp:
2029         (JSC::DFG::Plan::compileInThreadImpl):
2030         * dfg/DFGPredictionPropagationPhase.cpp:
2031         (JSC::DFG::PredictionPropagationPhase::propagate):
2032         * dfg/DFGSSALoweringPhase.cpp: Added.
2033         (JSC::DFG::SSALoweringPhase::SSALoweringPhase):
2034         (JSC::DFG::SSALoweringPhase::run):
2035         (JSC::DFG::SSALoweringPhase::handleNode):
2036         (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
2037         (JSC::DFG::performSSALowering):
2038         * dfg/DFGSSALoweringPhase.h: Added.
2039         * dfg/DFGSafeToExecute.h:
2040         (JSC::DFG::safeToExecute):
2041         * dfg/DFGSpeculativeJIT.cpp:
2042         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
2043         * dfg/DFGSpeculativeJIT32_64.cpp:
2044         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
2045         (JSC::DFG::SpeculativeJIT::compile):
2046         * dfg/DFGSpeculativeJIT64.cpp:
2047         (JSC::DFG::SpeculativeJIT::compile):
2048         * ftl/FTLCapabilities.cpp:
2049         (JSC::FTL::canCompile):
2050         * ftl/FTLLowerDFGToLLVM.cpp:
2051         (JSC::FTL::LowerDFGToLLVM::compileNode):
2052         (JSC::FTL::LowerDFGToLLVM::compileCheckInBounds):
2053         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2054         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2055         (JSC::FTL::LowerDFGToLLVM::contiguousPutByValOutOfBounds):
2056         * runtime/JSObject.cpp:
2057         (JSC::JSObject::convertUndecidedForValue):
2058         (JSC::JSObject::createInitialForValueAndSet):
2059         (JSC::JSObject::putByIndexBeyondVectorLength):
2060         (JSC::JSObject::putDirectIndexBeyondVectorLength):
2061         * runtime/JSObject.h:
2062         * tests/stress/float32array-out-of-bounds.js: Added.
2063         (make):
2064         (foo):
2065         (test):
2066         * tests/stress/int32-object-out-of-bounds.js: Added.
2067         (make):
2068         (foo):
2069         (test):
2070         * tests/stress/int32-out-of-bounds.js: Added.
2071         (foo):
2072         (test):
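
        The entry above adds stress tests named float32array-out-of-bounds.js,
        int32-object-out-of-bounds.js and int32-out-of-bounds.js and touches the
        bounds-check lowering (lowerBoundsCheck, compileCheckInBounds,
        contiguousPutByValOutOfBounds, putByIndexBeyondVectorLength). The following is
        an added example, not part of the ChangeLog or of the JavaScriptCore test
        suite: it shows the language-level out-of-bounds behaviour that any
        bounds-check hoisting or elimination in the JIT has to preserve, since a
        dropped CheckInBounds turns one of these benign misses into a raw memory read
        or write. The function names and the sample arrays are assumptions
        constructed for the example.

```javascript
// Added example (not JSC code): JS-level out-of-bounds semantics that a JIT
// bounds-check optimisation must keep intact.

// Typed arrays: an out-of-bounds read yields undefined and an out-of-bounds
// write is silently dropped; the view and its buffer never grow.
function typedArrayOob(index) {
  const a = new Float32Array(4);        // constructed sample view (16 bytes)
  a[index] = 1.5;                       // dropped when index is out of bounds
  return { value: a[index], length: a.length, byteLength: a.buffer.byteLength };
}

// Plain arrays: reading past the end also yields undefined, but writing past
// the end grows the array and leaves holes behind. This is the slow path the
// DFG/FTL call "contiguous put-by-val out of bounds".
function plainArrayOob(index) {
  const a = [1, 2, 3, 4];               // constructed sample array
  a[index] = 42;
  return { length: a.length, holes: countHoles(a) };
}

// A hole is an index with no own property; `in` tells a hole apart from a
// stored undefined, while a[i] returns undefined for both.
function countHoles(a) {
  let holes = 0;
  for (let i = 0; i < a.length; i++) if (!(i in a)) holes++;
  return holes;
}

// Negative indexes are not element accesses at all: on a plain array they
// become an ordinary named property ("-1"), on a typed array they are ignored
// and never reach element storage.
function negativeIndex() {
  const t = new Int32Array(2);
  const p = [0, 0];
  t[-1] = 7;
  p[-1] = 7;
  return {
    typed: t[-1],
    typedKeys: Object.keys(t).length,
    plain: p[-1],
    plainLength: p.length,
  };
}

// Usage
console.log(typedArrayOob(10));   // { value: undefined, length: 4, byteLength: 16 }
console.log(plainArrayOob(10));   // { length: 11, holes: 6 }
console.log(negativeIndex());     // { typed: undefined, typedKeys: 2, plain: 7, plainLength: 2 }
```

        The hole count is what distinguishes "array grew" from "array was filled":
        indexes 4 through 9 have no own property after the write at index 10, so
        reading them must return undefined rather than whatever sits in the backing
        store.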
2073
2074 2013-12-09  Sam Weinig  <sam@webkit.org>
2075
2076         Replace use of WTF::FixedArray with std::array
2077         https://bugs.webkit.org/show_bug.cgi?id=125475
2078
2079         Reviewed by Anders Carlsson.
2080
2081         * bytecode/CodeBlockHash.cpp:
2082         (JSC::CodeBlockHash::dump):
2083         * bytecode/Opcode.cpp:
2084         (JSC::OpcodeStats::~OpcodeStats):
2085         * dfg/DFGCSEPhase.cpp:
2086         * ftl/FTLAbstractHeap.h:
2087         * heap/MarkedSpace.h:
2088         * parser/ParserArena.h:
2089         * runtime/CodeCache.h:
2090         * runtime/DateInstanceCache.h:
2091         * runtime/JSGlobalObject.cpp:
2092         (JSC::JSGlobalObject::reset):
2093         * runtime/JSGlobalObject.h:
2094         * runtime/JSString.h:
2095         * runtime/LiteralParser.h:
2096         * runtime/NumericStrings.h:
2097         * runtime/RegExpCache.h:
2098         * runtime/SmallStrings.h:
2099
2100 2013-12-09  Joseph Pecoraro  <pecoraro@apple.com>
2101
2102         Remove miscellaneous unnecessary build statements
2103         https://bugs.webkit.org/show_bug.cgi?id=125466
2104
2105         Reviewed by Darin Adler.
2106
2107         * DerivedSources.make:
2108         * JavaScriptCore.vcxproj/build-generated-files.sh:
2109         * JavaScriptCore.xcodeproj/project.pbxproj:
2110         * make-generated-sources.sh:
2111
2112 2013-12-08  Filip Pizlo  <fpizlo@apple.com>
2113
2114         CSE should work in SSA
2115         https://bugs.webkit.org/show_bug.cgi?id=125430
2116
2117         Reviewed by Oliver Hunt and Mark Hahnenberg.
2118
2119         * dfg/DFGCSEPhase.cpp:
2120         (JSC::DFG::CSEPhase::run):
2121         (JSC::DFG::CSEPhase::performNodeCSE):
2122         * dfg/DFGPlan.cpp:
2123         (JSC::DFG::Plan::compileInThreadImpl):
2124
2125 2013-12-09  Joseph Pecoraro  <pecoraro@apple.com>
2126
2127         Remove docs/make-bytecode-docs.pl
2128         https://bugs.webkit.org/show_bug.cgi?id=125462
2129
2130         This script is very old and no longer outputs useful data since the
2131         op code definitions have moved from Interpreter.cpp.
2132
2133         Reviewed by Darin Adler.
2134
2135         * DerivedSources.make:
2136         * docs/make-bytecode-docs.pl: Removed.
2137
2138 2013-12-09  Julien Brianceau  <jbriance@cisco.com>
2139
2140         Fix sh4 LLINT build.
2141         https://bugs.webkit.org/show_bug.cgi?id=125454
2142
2143         Reviewed by Michael Saboff.
2144
2145         In LLINT, the sh4 backend implementation didn't properly handle conditional jumps using
2146         a LabelReference instance. This patch fixes it through the sh4LowerMisplacedLabels phase.
2147         Also, to avoid the need for a 4th temporary gpr, this phase is triggered later in
2148         getModifiedListSH4.
2149
2150         * offlineasm/sh4.rb:
2151
2152 2013-12-08  Filip Pizlo  <fpizlo@apple.com>
2153
2154         Add the notion of ConstantStoragePointer to DFG IR
2155         https://bugs.webkit.org/show_bug.cgi?id=125395
2156
2157         Reviewed by Oliver Hunt.
2158         
2159         This pushes more typed array folding into StrengthReductionPhase, and enables CSE on
2160         storage pointers. Previously, you might have separate nodes for the same storage
2161         pointer and this would cause some bad register pressure in the DFG. Note that this
2162         was really a theoretical problem and not, to my knowledge, a practical one - so this
2163         patch is basically just a clean-up.
2164
2165         * dfg/DFGAbstractInterpreterInlines.h:
2166         (JSC::DFG::::executeEffects):
2167         * dfg/DFGCSEPhase.cpp:
2168         (JSC::DFG::CSEPhase::constantStoragePointerCSE):
2169         (JSC::DFG::CSEPhase::performNodeCSE):
2170         * dfg/DFGClobberize.h:
2171         (JSC::DFG::clobberize):
2172         * dfg/DFGFixupPhase.cpp:
2173         (JSC::DFG::FixupPhase::fixupNode):
2174         * dfg/DFGGraph.cpp:
2175         (JSC::DFG::Graph::dump):
2176         * dfg/DFGNode.h:
2177         (JSC::DFG::Node::convertToConstantStoragePointer):
2178         (JSC::DFG::Node::hasStoragePointer):
2179         (JSC::DFG::Node::storagePointer):
2180         * dfg/DFGNodeType.h:
2181         * dfg/DFGPredictionPropagationPhase.cpp:
2182         (JSC::DFG::PredictionPropagationPhase::propagate):
2183         * dfg/DFGSafeToExecute.h:
2184         (JSC::DFG::safeToExecute):
2185         * dfg/DFGSpeculativeJIT.cpp:
2186         (JSC::DFG::SpeculativeJIT::compileConstantStoragePointer):
2187         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
2188         * dfg/DFGSpeculativeJIT.h:
2189         * dfg/DFGSpeculativeJIT32_64.cpp:
2190         (JSC::DFG::SpeculativeJIT::compile):
2191         * dfg/DFGSpeculativeJIT64.cpp:
2192         (JSC::DFG::SpeculativeJIT::compile):
2193         * dfg/DFGStrengthReductionPhase.cpp:
2194         (JSC::DFG::StrengthReductionPhase::handleNode):
2195         (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant):
2196         (JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray):
2197         * dfg/DFGWatchpointCollectionPhase.cpp:
2198         (JSC::DFG::WatchpointCollectionPhase::handle):
2199         * ftl/FTLLowerDFGToLLVM.cpp:
2200         (JSC::FTL::LowerDFGToLLVM::compileNode):
2201         (JSC::FTL::LowerDFGToLLVM::compileConstantStoragePointer):
2202         (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
2203
2204 2013-12-08  Filip Pizlo  <fpizlo@apple.com>
2205
2206         FTL should support UntypedUse versions of Compare nodes
2207         https://bugs.webkit.org/show_bug.cgi?id=125426
2208
2209         Reviewed by Oliver Hunt.
2210         
2211         This adds UntypedUse versions of all comparisons except CompareStrictEq, which is
2212         sufficiently different that I thought I'd do it in another patch.
2213         
2214         This also extends our ability to abstract over comparison kind and removes a bunch of
2215         copy-paste code.
2216
2217         * dfg/DFGSpeculativeJIT64.cpp:
2218         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
2219         * ftl/FTLCapabilities.cpp:
2220         (JSC::FTL::canCompile):
2221         * ftl/FTLIntrinsicRepository.h:
2222         * ftl/FTLLowerDFGToLLVM.cpp:
2223         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
2224         (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
2225         (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
2226         (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
2227         (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
2228         (JSC::FTL::LowerDFGToLLVM::compare):
2229         (JSC::FTL::LowerDFGToLLVM::nonSpeculativeCompare):
2230         * ftl/FTLOutput.h:
2231         (JSC::FTL::Output::icmp):
2232         (JSC::FTL::Output::equal):
2233         (JSC::FTL::Output::notEqual):
2234         (JSC::FTL::Output::above):
2235         (JSC::FTL::Output::aboveOrEqual):
2236         (JSC::FTL::Output::below):
2237         (JSC::FTL::Output::belowOrEqual):
2238         (JSC::FTL::Output::greaterThan):
2239         (JSC::FTL::Output::greaterThanOrEqual):
2240         (JSC::FTL::Output::lessThan):
2241         (JSC::FTL::Output::lessThanOrEqual):
2242         (JSC::FTL::Output::fcmp):
2243         (JSC::FTL::Output::doubleEqual):
2244         (JSC::FTL::Output::doubleNotEqualOrUnordered):
2245         (JSC::FTL::Output::doubleLessThan):
2246         (JSC::FTL::Output::doubleLessThanOrEqual):
2247         (JSC::FTL::Output::doubleGreaterThan):
2248         (JSC::FTL::Output::doubleGreaterThanOrEqual):
2249         (JSC::FTL::Output::doubleEqualOrUnordered):
2250         (JSC::FTL::Output::doubleNotEqual):
2251         (JSC::FTL::Output::doubleLessThanOrUnordered):
2252         (JSC::FTL::Output::doubleLessThanOrEqualOrUnordered):
2253         (JSC::FTL::Output::doubleGreaterThanOrUnordered):
2254         (JSC::FTL::Output::doubleGreaterThanOrEqualOrUnordered):
2255         * tests/stress/untyped-equality.js: Added.
2256         (foo):
2257         * tests/stress/untyped-less-than.js: Added.
2258         (foo):
2259
2260 2013-12-07  Filip Pizlo  <fpizlo@apple.com>
2261
2262         Fold typedArray.length if typedArray is constant
2263         https://bugs.webkit.org/show_bug.cgi?id=125252
2264
2265         Reviewed by Sam Weinig.
2266         
2267         This was meant to be easy. The problem is that there was no good place for putting
2268         the folding of typedArray.length to a constant. You can't quite do it in the
2269         bytecode parser because at that point you don't yet know if typedArray is really
2270         a typed array. You can't do it as part of constant folding because the folder
2271         assumes that it can opportunistically forward-flow a constant value without changing
2272         the IR; this doesn't work since we need to first change the IR to register a
2273         desired watchpoint and only after that can we introduce that constant. We could have
2274         done it in Fixup but that would have been awkward since Fixup's code for turning a
2275         GetById of "length" into GetArrayLength is already somewhat complex. We could have
2276         done it in CSE but CSE is already fairly gnarly and will probably get rewritten.
2277         
2278         So I introduced a new phase, called StrengthReduction. This phase should have any
2279         transformations that don't require CFA or CSE and that it would be weird to put into
2280         those other phases.
2281         
2282         I also took the opportunity to refactor some of the other folding code.
2283         
2284         This also adds a test, but the test couldn't quite be a LayoutTests/js/regress so I
2285         introduced the notion of JavaScriptCore/tests/stress.
2286         
2287         The goal of this patch isn't really to improve performance or anything like that.
2288         It adds an optimization for completeness, and in doing so it unlocks a bunch of new
2289         possibilities. The one that I'm most excited about is revealing array length checks
2290         in DFG IR, which will allow for array bounds check hoisting and elimination.
2291
2292         * CMakeLists.txt:
2293         * GNUmakefile.list.am:
2294         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2295         * JavaScriptCore.xcodeproj/project.pbxproj:
2296         * dfg/DFGAbstractInterpreterInlines.h:
2297         (JSC::DFG::::executeEffects):
2298         * dfg/DFGClobberize.h:
2299         (JSC::DFG::clobberize):
2300         * dfg/DFGFixupPhase.cpp:
2301         (JSC::DFG::FixupPhase::fixupNode):
2302         * dfg/DFGGraph.cpp:
2303         (JSC::DFG::Graph::tryGetFoldableView):
2304         (JSC::DFG::Graph::tryGetFoldableViewForChild1):
2305         * dfg/DFGGraph.h:
2306         * dfg/DFGNode.h:
2307         (JSC::DFG::Node::hasTypedArray):
2308         (JSC::DFG::Node::typedArray):
2309         * dfg/DFGNodeType.h:
2310         * dfg/DFGPlan.cpp:
2311         (JSC::DFG::Plan::compileInThreadImpl):
2312         * dfg/DFGPredictionPropagationPhase.cpp:
2313         (JSC::DFG::PredictionPropagationPhase::propagate):
2314         * dfg/DFGSafeToExecute.h:
2315         (JSC::DFG::safeToExecute):
2316         * dfg/DFGSpeculativeJIT.cpp:
2317         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
2318         (JSC::DFG::SpeculativeJIT::compileConstantIndexedPropertyStorage):
2319         * dfg/DFGSpeculativeJIT32_64.cpp:
2320         (JSC::DFG::SpeculativeJIT::compile):
2321         * dfg/DFGSpeculativeJIT64.cpp:
2322         (JSC::DFG::SpeculativeJIT::compile):
2323         * dfg/DFGStrengthReductionPhase.cpp: Added.
2324         (JSC::DFG::StrengthReductionPhase::StrengthReductionPhase):
2325         (JSC::DFG::StrengthReductionPhase::run):
2326         (JSC::DFG::StrengthReductionPhase::handleNode):
2327         (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant):
2328         (JSC::DFG::performStrengthReduction):
2329         * dfg/DFGStrengthReductionPhase.h: Added.
2330         * dfg/DFGWatchpointCollectionPhase.cpp:
2331         (JSC::DFG::WatchpointCollectionPhase::handle):
2332         * ftl/FTLCapabilities.cpp:
2333         (JSC::FTL::canCompile):
2334         * ftl/FTLLowerDFGToLLVM.cpp:
2335         (JSC::FTL::LowerDFGToLLVM::compileNode):
2336         (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
2337         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2338         (JSC::FTL::LowerDFGToLLVM::typedArrayLength):
2339         * jsc.cpp:
2340         (GlobalObject::finishCreation):
2341         (functionTransferArrayBuffer):
2342         * runtime/ArrayBufferView.h:
2343         * tests/stress: Added.
2344         * tests/stress/fold-typed-array-properties.js: Added.
2345         (foo):
2346
2347 2013-12-07  peavo@outlook.com  <peavo@outlook.com>
2348
2349         [Win][64-bit] Hitting breakpoint assembler instruction in callToJavaScript.
2350         https://bugs.webkit.org/show_bug.cgi?id=125382
2351
2352         Reviewed by Michael Saboff.
2353
2354         The WinCairo results from run-javascriptcore-tests are the same as the WinCairo 32-bit results, when removing these breakpoints.
2355
2356         * jit/JITStubsMSVC64.asm: Remove breakpoint instructions.
2357
2358 2013-12-06  Filip Pizlo  <fpizlo@apple.com>
2359
2360         FTL should support all of Branch/LogicalNot
2361         https://bugs.webkit.org/show_bug.cgi?id=125370
2362
2363         Reviewed by Mark Hahnenberg.
2364
2365         * ftl/FTLCapabilities.cpp:
2366         (JSC::FTL::canCompile):
2367         * ftl/FTLIntrinsicRepository.h:
2368         * ftl/FTLLowerDFGToLLVM.cpp:
2369         (JSC::FTL::LowerDFGToLLVM::boolify):
2370
2371 2013-12-06  Roger Fong <roger_fong@apple.com> and Brent Fulgham  <bfulgham@apple.com>
2372
2373         [Win] Support compiling with VS2013
2374         https://bugs.webkit.org/show_bug.cgi?id=125353
2375
2376         Reviewed by Anders Carlsson.
2377
2378         * API/tests/testapi.c: Use C99 defines if available.
2379         * jit/JITOperations.cpp: Don't attempt to define C linkage when
2380         returning a C++ object.
2381
2382 2013-12-06  Filip Pizlo  <fpizlo@apple.com>
2383
2384         FTL should support generic ByVal accesses
2385         https://bugs.webkit.org/show_bug.cgi?id=125368
2386
2387         Reviewed by Mark Hahnenberg.
2388
2389         * dfg/DFGGraph.h:
2390         (JSC::DFG::Graph::isStrictModeFor):
2391         (JSC::DFG::Graph::ecmaModeFor):
2392         * ftl/FTLCapabilities.cpp:
2393         (JSC::FTL::canCompile):
2394         * ftl/FTLIntrinsicRepository.h:
2395         * ftl/FTLLowerDFGToLLVM.cpp:
2396         (JSC::FTL::LowerDFGToLLVM::compileNode):
2397         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2398         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2399
2400 2013-12-06  Filip Pizlo  <fpizlo@apple.com>
2401
2402         FTL should support hole/OOB array accesses
2403         https://bugs.webkit.org/show_bug.cgi?id=118077
2404
2405         Reviewed by Oliver Hunt and Mark Hahnenberg.
2406
2407         * ftl/FTLCapabilities.cpp:
2408         (JSC::FTL::canCompile):
2409         * ftl/FTLIntrinsicRepository.h:
2410         * ftl/FTLLowerDFGToLLVM.cpp:
2411         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2412         (JSC::FTL::LowerDFGToLLVM::baseIndex):
2413
2414 2013-12-06  Michael Saboff  <msaboff@apple.com>
2415
2416         Split sizing of VarArgs frames from loading arguments for the frame
2417         https://bugs.webkit.org/show_bug.cgi?id=125331
2418
2419         Reviewed by Filip Pizlo.
2420
2421         Split loadVarargs into sizeAndAllocFrameForVarargs() and loadVarargs() in
2422         preparation for moving onto the C stack.  sizeAndAllocFrameForVarargs() will
2423         compute the size of the callee frame and allocate it, while loadVarargs()
2424         actually loads the argument values.
2425
2426         As part of moving onto the C stack, sizeAndAllocFrameForVarargs() will be
2427         changed to a function that just computes the size.  The caller will use that
2428         size to allocate the new frame on the stack before calling loadVarargs() and
2429         actually making the call.
2430
2431         * interpreter/Interpreter.cpp:
2432         (JSC::sizeAndAllocFrameForVarargs):
2433         (JSC::loadVarargs):
2434         * interpreter/Interpreter.h:
2435         * jit/JIT.h:
2436         * jit/JITCall.cpp:
2437         (JSC::JIT::compileLoadVarargs):
2438         * jit/JITCall32_64.cpp:
2439         (JSC::JIT::compileLoadVarargs):
2440         * jit/JITInlines.h:
2441         (JSC::JIT::callOperation):
2442         * jit/JITOperations.cpp:
2443         * jit/JITOperations.h:
2444         * llint/LLIntSlowPaths.cpp:
2445         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2446         * llint/LLIntSlowPaths.h:
2447         * llint/LowLevelInterpreter.asm:
2448         * llint/LowLevelInterpreter32_64.asm:
2449         * llint/LowLevelInterpreter64.asm:
2450         * runtime/VM.h:
2451
2452 2013-12-06  Filip Pizlo  <fpizlo@apple.com>
2453
2454         FTL should support all of ValueToInt32
2455         https://bugs.webkit.org/show_bug.cgi?id=125283
2456
2457         Reviewed by Mark Hahnenberg.
2458
2459         * ftl/FTLCapabilities.cpp:
2460         (JSC::FTL::canCompile):
2461         * ftl/FTLLowerDFGToLLVM.cpp:
2462         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
2463         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2464         (JSC::FTL::LowerDFGToLLVM::lowCell):
2465         (JSC::FTL::LowerDFGToLLVM::isCell):
2466
2467 2013-12-06  Filip Pizlo  <fpizlo@apple.com>
2468
2469         FTL shouldn't have a doubleToUInt32 path
2470         https://bugs.webkit.org/show_bug.cgi?id=125360
2471
2472         Reviewed by Mark Hahnenberg.
2473         
2474         This code existed because I incorrectly thought it was necessary. It's now basically
2475         dead.
2476
2477         * ftl/FTLLowerDFGToLLVM.cpp:
2478         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2479
2480 2013-12-06  Laszlo Vidacs  <lac@inf.u-szeged.hu>
2481
2482         Define SHA1 hash size in SHA1.h and use it at various places.
2483         https://bugs.webkit.org/show_bug.cgi?id=125345
2484
2485         Reviewed by Darin Adler.
2486
2487         Use SHA1::hashSize instead of local variables.
2488
2489         * bytecode/CodeBlockHash.cpp:
2490         (JSC::CodeBlockHash::CodeBlockHash): use SHA1::hashSize
2491
2492 2013-12-05  Michael Saboff  <msaboff@apple.com>
2493
2494         REGRESSION(r160213): Crash in js/dom/JSON-parse.html
2495         https://bugs.webkit.org/show_bug.cgi?id=125335
2496
2497         Reviewed by Mark Lam.
2498
2499         Changed _llint_op_catch to materialize the VM via the scope chain instead of 
2500         the CodeBlock.  CallFrames always have a scope chain, but may have a null CodeBlock.
2501
2502         * llint/LowLevelInterpreter32_64.asm:
2503         (_llint_op_catch):
2504         * llint/LowLevelInterpreter64.asm:
2505         (_llint_op_catch):
2506
2507 2013-12-05  Michael Saboff  <msaboff@apple.com>
2508
2509         JSC: Simplify interface between throw and catch handler
2510         https://bugs.webkit.org/show_bug.cgi?id=125328
2511
2512         Reviewed by Geoffrey Garen.
2513
2514         Simplified the throw - catch interface.  The throw side is only responsible for
2515         jumping to the appropriate op_catch handler or returnFromJavaScript for uncaught
2516         exceptions.  The handler uses the exception values like VM.callFrameForThrow
2517         as appropriate and no longer relies on the throw side putting anything in
2518         registers.
2519
2520         * jit/CCallHelpers.h:
2521         (JSC::CCallHelpers::jumpToExceptionHandler):
2522         * jit/JITOpcodes.cpp:
2523         (JSC::JIT::emit_op_catch):
2524         * jit/JITOpcodes32_64.cpp:
2525         (JSC::JIT::emit_op_catch):
2526         * llint/LowLevelInterpreter32_64.asm:
2527         (_llint_op_catch):
2528         (_llint_throw_from_slow_path_trampoline):
2529         * llint/LowLevelInterpreter64.asm:
2530         (_llint_op_catch):
2531         (_llint_throw_from_slow_path_trampoline):
2532
2533 2013-12-04  Oliver Hunt  <oliver@apple.com>
2534
2535         Refactor static getter function prototype to include thisValue in addition to the base object
2536         https://bugs.webkit.org/show_bug.cgi?id=124461
2537
2538         Reviewed by Geoffrey Garen.
2539
2540         Add thisValue parameter to static getter prototype, and switch
2541         from JSValue to EncodedJSValue for parameters and return value.
2542
2543         Currently none of the static getters use the thisValue, but
2544         separating out the refactoring will prevent future changes
2545         from getting lost in the noise of refactoring.  This means
2546         that this patch does not result in any change in behaviour.
2547
2548         * API/JSCallbackObject.h:
2549         * API/JSCallbackObjectFunctions.h:
2550         (JSC::::asCallbackObject):
2551         (JSC::::staticFunctionGetter):
2552         (JSC::::callbackGetter):
2553         * jit/JITOperations.cpp:
2554         * runtime/JSActivation.cpp:
2555         (JSC::JSActivation::argumentsGetter):
2556         * runtime/JSActivation.h:
2557         * runtime/JSFunction.cpp:
2558         (JSC::JSFunction::argumentsGetter):
2559         (JSC::JSFunction::callerGetter):
2560         (JSC::JSFunction::lengthGetter):
2561         (JSC::JSFunction::nameGetter):
2562         * runtime/JSFunction.h:
2563         * runtime/JSObject.h:
2564         (JSC::PropertySlot::getValue):
2565         * runtime/NumberConstructor.cpp:
2566         (JSC::numberConstructorNaNValue):
2567         (JSC::numberConstructorNegInfinity):
2568         (JSC::numberConstructorPosInfinity):
2569         (JSC::numberConstructorMaxValue):
2570         (JSC::numberConstructorMinValue):
2571         * runtime/PropertySlot.h:
2572         * runtime/RegExpConstructor.cpp:
2573         (JSC::asRegExpConstructor):
2574         (JSC::regExpConstructorDollar1):
2575         (JSC::regExpConstructorDollar2):
2576         (JSC::regExpConstructorDollar3):
2577         (JSC::regExpConstructorDollar4):
2578         (JSC::regExpConstructorDollar5):
2579         (JSC::regExpConstructorDollar6):
2580         (JSC::regExpConstructorDollar7):
2581         (JSC::regExpConstructorDollar8):
2582         (JSC::regExpConstructorDollar9):
2583         (JSC::regExpConstructorInput):
2584         (JSC::regExpConstructorMultiline):
2585         (JSC::regExpConstructorLastMatch):
2586         (JSC::regExpConstructorLastParen):
2587         (JSC::regExpConstructorLeftContext):
2588         (JSC::regExpConstructorRightContext):
2589         * runtime/RegExpObject.cpp:
2590         (JSC::asRegExpObject):
2591         (JSC::regExpObjectGlobal):
2592         (JSC::regExpObjectIgnoreCase):
2593         (JSC::regExpObjectMultiline):
2594         (JSC::regExpObjectSource):
2595
2596 2013-12-04  Filip Pizlo  <fpizlo@apple.com>
2597
2598         FTL should use cvttsd2si directly for double-to-int32 conversions
2599         https://bugs.webkit.org/show_bug.cgi?id=125275
2600
2601         Reviewed by Michael Saboff.
2602         
2603         Wow. This was an ordeal. Using cvttsd2si was actually easy, but I learned, and
2604         sometimes even fixed, some interesting things:
2605         
2606         - The llvm.x86.sse2.cvttsd2si intrinsic can actually result in LLVM emitting a
2607           vcvttsd2si. I guess the intrinsic doesn't actually imply the instruction.
2608         
2609         - That whole thing about branchTruncateDoubleToUint32? Yeah we don't need that. It's
2610           better to use branchTruncateDoubleToInt32 instead. It has the right semantics for
2611           all of its callers (err, its one-and-only caller), and it's more likely to take
2612           fast path. This patch kills branchTruncateDoubleToUint32.
2613         
2614         - "a[i] = v; v = a[i]". Does this change v? OK, assume that 'a[i]' is a pure-ish
2615           operation - like an array access with 'i' being an integer index and we're not
2616           having a bad time. Now does this change v? CSE assumes that it doesn't. That's
2617           wrong. If 'a' is a typed array - the most sensible and pure kind of array - then
2618           this can be a truncating cast. For example 'v' could be a double and 'a' could be
2619           an integer array.
2620         
2621         - "v1 = a[i]; v2 = a[i]". Is v1 === v2 assuming that 'a[i]' is pure-ish? The answer
2622           is no. You could have a different arrayMode in each access. I know this sounds
2623           weird, but with concurrent JIT that might happen.
2624         
2625         This patch adds tests for all of this stuff, except for the first issue (it's weird
2626         but probably doesn't matter) and the last issue (it's too much of a freakshow).
2627
2628         * assembler/MacroAssemblerARM64.h:
2629         * assembler/MacroAssemblerARMv7.h:
2630         * assembler/MacroAssemblerX86Common.h:
2631         * dfg/DFGCSEPhase.cpp:
2632         (JSC::DFG::CSEPhase::getByValLoadElimination):
2633         (JSC::DFG::CSEPhase::performNodeCSE):
2634         * dfg/DFGSpeculativeJIT.cpp:
2635         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
2636         * ftl/FTLAbbreviations.h:
2637         (JSC::FTL::vectorType):
2638         (JSC::FTL::getUndef):
2639         (JSC::FTL::buildInsertElement):
2640         * ftl/FTLIntrinsicRepository.h:
2641         * ftl/FTLLowerDFGToLLVM.cpp:
2642         (JSC::FTL::LowerDFGToLLVM::doubleToInt32):
2643         (JSC::FTL::LowerDFGToLLVM::doubleToUInt32):
2644         (JSC::FTL::LowerDFGToLLVM::sensibleDoubleToInt32):
2645         * ftl/FTLOutput.h:
2646         (JSC::FTL::Output::insertElement):
2647         (JSC::FTL::Output::hasSensibleDoubleToInt):
2648         (JSC::FTL::Output::sensibleDoubleToInt):
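
        The entry above describes why CSE may not forward the stored value across
        "a[i] = v; v = a[i]" when a is a typed array: the store is a truncating cast.
        The following is an added example, not part of the ChangeLog or of
        JavaScriptCore: it exercises that rule in plain JavaScript for the integer,
        clamped and float32 typed arrays, and contrasts it with a plain Array where
        the forwarding is sound. The function names and sample values are
        assumptions constructed for the example.

```javascript
// Added example (not JSC code): the "a[i] = v; v = a[i]" hazard from the
// entry above. Storing into an integer or float32 typed array converts the
// value, so the reloaded element is not necessarily the value that was stored.

// Store v into a fresh one-element view of the given typed-array constructor
// and read it back. This is exactly the load that a naive CSE would eliminate.
function storeThenLoad(TypedArrayCtor, v) {
  const a = new TypedArrayCtor(1);   // constructed one-element view
  a[0] = v;                          // truncating / rounding / clamping store
  return a[0];                       // the value the program actually observes
}

// True when forwarding v instead of reloading a[0] would change the program's
// result, i.e. when eliminating the load is unsound. Object.is treats NaN as
// equal to NaN and -0 as different from 0, matching what a reload observes.
function roundTripChangesValue(TypedArrayCtor, v) {
  return !Object.is(storeThenLoad(TypedArrayCtor, v), v);
}

// A plain Array store preserves the value exactly; that is the intuition the
// original CSE rule was built on, and it only holds for non-typed storage.
function arrayRoundTrip(v) {
  const a = [0];
  a[0] = v;
  return a[0];
}

// Usage: which of these samples would a forwarding CSE get wrong?
const samples = [7, 1.5, -1.5, 2 ** 31, 2 ** 32 + 5, NaN, 0.1, 300];
for (const v of samples) {
  console.log(
    String(v).padStart(12),
    "Int32Array ->", storeThenLoad(Int32Array, v),
    "| Float32Array ->", storeThenLoad(Float32Array, v),
    "| Uint8ClampedArray ->", storeThenLoad(Uint8ClampedArray, v),
    "| unsound to forward (Int32):", roundTripChangesValue(Int32Array, v)
  );
}
```

        Int32Array applies ToInt32 (truncate toward zero, wrap modulo 2^32, NaN
        becomes 0), Uint8Array wraps modulo 256, Uint8ClampedArray clamps and rounds
        half to even, and Float32Array rounds to single precision, so 0.1 comes back
        as Math.fround(0.1). Only values already representable in the element type,
        such as 7 in an Int32Array or 0.5 in a Float32Array, survive the round trip
        unchanged.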
2649
2650 2013-12-05  Commit Queue  <commit-queue@webkit.org>
2651
2652         Unreviewed, rolling out r160133.
2653         http://trac.webkit.org/changeset/160133
2654         https://bugs.webkit.org/show_bug.cgi?id=125325
2655
2656         broke bindings tests on all the bots (Requested by thorton on
2657         #webkit).
2658
2659         * API/JSCallbackObject.h:
2660         * API/JSCallbackObjectFunctions.h:
2661         (JSC::::staticFunctionGetter):
2662         (JSC::::callbackGetter):
2663         * jit/JITOperations.cpp:
2664         * runtime/JSActivation.cpp:
2665         (JSC::JSActivation::argumentsGetter):
2666         * runtime/JSActivation.h:
2667         * runtime/JSFunction.cpp:
2668         (JSC::JSFunction::argumentsGetter):
2669         (JSC::JSFunction::callerGetter):
2670         (JSC::JSFunction::lengthGetter):
2671         (JSC::JSFunction::nameGetter):
2672         * runtime/JSFunction.h:
2673         * runtime/JSObject.h:
2674         (JSC::PropertySlot::getValue):
2675         * runtime/NumberConstructor.cpp:
2676         (JSC::numberConstructorNaNValue):
2677         (JSC::numberConstructorNegInfinity):
2678         (JSC::numberConstructorPosInfinity):
2679         (JSC::numberConstructorMaxValue):
2680         (JSC::numberConstructorMinValue):
2681         * runtime/PropertySlot.h:
2682         * runtime/RegExpConstructor.cpp:
2683         (JSC::regExpConstructorDollar1):
2684         (JSC::regExpConstructorDollar2):
2685         (JSC::regExpConstructorDollar3):
2686         (JSC::regExpConstructorDollar4):
2687         (JSC::regExpConstructorDollar5):
2688         (JSC::regExpConstructorDollar6):
2689         (JSC::regExpConstructorDollar7):
2690         (JSC::regExpConstructorDollar8):
2691         (JSC::regExpConstructorDollar9):
2692         (JSC::regExpConstructorInput):
2693         (JSC::regExpConstructorMultiline):
2694         (JSC::regExpConstructorLastMatch):
2695         (JSC::regExpConstructorLastParen):
2696         (JSC::regExpConstructorLeftContext):
2697         (JSC::regExpConstructorRightContext):
2698         * runtime/RegExpObject.cpp:
2699         (JSC::regExpObjectGlobal):
2700         (JSC::regExpObjectIgnoreCase):
2701         (JSC::regExpObjectMultiline):
2702         (JSC::regExpObjectSource):
2703
2704 2013-12-05  Mark Lam  <mark.lam@apple.com>
2705
2706         Make the C Loop LLINT work with callToJavaScript.
2707         https://bugs.webkit.org/show_bug.cgi?id=125294.
2708
2709         Reviewed by Michael Saboff.
2710
2711         1. Changed the C Loop LLINT to dispatch to an Executable via its JITCode
2712            instance which is consistent with how the ASM LLINT works.
2713         2. Changed CLoop::execute() to take an Opcode instead of an OpcodeID.
2714            This makes it play nice with the use of JITCode for dispatching.
2715         3. Introduce a callToJavaScript and callToNativeFunction for the C Loop
2716            LLINT. These will call JSStack::pushFrame() and popFrame() to setup
2717            and teardown the CallFrame.
2718         4. Also introduced a C Loop returnFromJavaScript which is just a
2719            replacement for ctiOpThrowNotCaught which had the same function.
2720         5. Remove a lot of #if ENABLE(LLINT_C_LOOP) code now that the dispatch
2721            mechanism is consistent.
2722
2723         This patch has been tested with both configurations of COMPUTED_GOTOs
2724         on and off.
2725
2726         * interpreter/CachedCall.h:
2727         (JSC::CachedCall::CachedCall):
2728         (JSC::CachedCall::call):
2729         (JSC::CachedCall::setArgument):
2730         * interpreter/CallFrameClosure.h:
2731         (JSC::CallFrameClosure::setThis):
2732         (JSC::CallFrameClosure::setArgument):
2733         (JSC::CallFrameClosure::resetCallFrame):
2734         * interpreter/Interpreter.cpp:
2735         (JSC::Interpreter::execute):
2736         (JSC::Interpreter::executeCall):
2737         (JSC::Interpreter::executeConstruct):
2738         (JSC::Interpreter::prepareForRepeatCall):
2739         * interpreter/Interpreter.h:
2740         * interpreter/JSStack.h:
2741         * interpreter/JSStackInlines.h:
2742         (JSC::JSStack::pushFrame):
2743         * interpreter/ProtoCallFrame.h:
2744         (JSC::ProtoCallFrame::scope):
2745         (JSC::ProtoCallFrame::callee):
2746         (JSC::ProtoCallFrame::thisValue):
2747         (JSC::ProtoCallFrame::argument):
2748         (JSC::ProtoCallFrame::setArgument):
2749         * jit/JITCode.cpp:
2750         (JSC::JITCode::execute):
2751         * jit/JITCode.h:
2752         * jit/JITExceptions.cpp:
2753         (JSC::genericUnwind):
2754         * llint/LLIntCLoop.cpp:
2755         (JSC::LLInt::CLoop::initialize):
2756         * llint/LLIntCLoop.h:
2757         * llint/LLIntEntrypoint.cpp:
2758         (JSC::LLInt::setFunctionEntrypoint):
2759         (JSC::LLInt::setEvalEntrypoint):
2760         (JSC::LLInt::setProgramEntrypoint):
2761         - Inverted the check for vm.canUseJIT(). This allows the JIT case to be
2762           #if'd out nicely when building the C Loop LLINT.
2763         * llint/LLIntOpcode.h:
2764         * llint/LLIntThunks.cpp:
2765         (JSC::doCallToJavaScript):
2766         (JSC::executeJS):
2767         (JSC::callToJavaScript):
2768         (JSC::executeNative):
2769         (JSC::callToNativeFunction):
2770         * llint/LLIntThunks.h:
2771         * llint/LowLevelInterpreter.cpp:
2772         (JSC::CLoop::execute):
2773         * runtime/Executable.h:
2774         (JSC::ExecutableBase::offsetOfNumParametersFor):
2775         (JSC::ExecutableBase::hostCodeEntryFor):
2776         (JSC::ExecutableBase::jsCodeEntryFor):
2777         (JSC::ExecutableBase::jsCodeWithArityCheckEntryFor):
2778         (JSC::NativeExecutable::create):
2779         (JSC::NativeExecutable::finishCreation):
2780         (JSC::ProgramExecutable::generatedJITCode):
2781         * runtime/JSArray.cpp:
2782         (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key):
2783         * runtime/StringPrototype.cpp:
2784         (JSC::replaceUsingRegExpSearch):
2785         * runtime/VM.cpp:
2786         (JSC::VM::getHostFunction):
2787
2788 2013-12-05  Laszlo Vidacs  <lac@inf.u-szeged.hu>
2789
2790         Fix JavaScriptCore build if cloop is enabled after r160094
2791         https://bugs.webkit.org/show_bug.cgi?id=125292
2792
2793         Reviewed by Michael Saboff.
2794
2795         Move ProtoCallFrame outside the JIT guard.
2796
2797         * jit/JITCode.h:
2798
2799 2013-12-04  Filip Pizlo  <fpizlo@apple.com>
2800
2801         Fold constant typed arrays
2802         https://bugs.webkit.org/show_bug.cgi?id=125205
2803
2804         Reviewed by Oliver Hunt and Mark Hahnenberg.
2805         
2806         If by some other mechanism we have a typed array access on a compile-time constant
2807         typed array pointer, then fold:
2808         
2809         - Array bounds checks. Specifically, fold the load of length.
2810         
2811         - Loading the vector.
2812         
2813         This needs to install a watchpoint on the array itself because of the possibility of
2814         neutering. Neutering is ridiculous. We do this without bloating the size of
2815         ArrayBuffer or JSArrayBufferView in the common case (i.e. the case where you
2816         allocated an array that didn't end up becoming a compile-time constant). To install
2817         the watchpoint, we slowDownAndWasteMemory and then create an incoming reference to
2818         the ArrayBuffer, where that incoming reference is from a watchpoint object. The
2819         ArrayBuffer already knows about such incoming references and can fire the
2820         watchpoints that way.
2821         
2822         * CMakeLists.txt:
2823         * GNUmakefile.list.am:
2824         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2825         * JavaScriptCore.xcodeproj/project.pbxproj:
2826         * dfg/DFGDesiredWatchpoints.cpp:
2827         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
2828         (JSC::DFG::DesiredWatchpoints::addLazily):
2829         * dfg/DFGDesiredWatchpoints.h:
2830         (JSC::DFG::GenericSetAdaptor::add):
2831         (JSC::DFG::GenericSetAdaptor::hasBeenInvalidated):
2832         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::hasBeenInvalidated):
2833         (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
2834         (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
2835         (JSC::DFG::GenericDesiredWatchpoints::isStillValid):
2836         (JSC::DFG::GenericDesiredWatchpoints::shouldAssumeMixedState):
2837         (JSC::DFG::DesiredWatchpoints::isStillValid):
2838         (JSC::DFG::DesiredWatchpoints::shouldAssumeMixedState):
2839         (JSC::DFG::DesiredWatchpoints::isValidOrMixed):
2840         * dfg/DFGGraph.cpp:
2841         (JSC::DFG::Graph::tryGetFoldableView):
2842         * dfg/DFGGraph.h:
2843         * dfg/DFGSpeculativeJIT.cpp:
2844         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
2845         (JSC::DFG::SpeculativeJIT::emitTypedArrayBoundsCheck):
2846         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
2847         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
2848         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
2849         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
2850         (JSC::DFG::SpeculativeJIT::compileConstantIndexedPropertyStorage):
2851         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
2852         * dfg/DFGSpeculativeJIT.h:
2853         * dfg/DFGWatchpointCollectionPhase.cpp:
2854         (JSC::DFG::WatchpointCollectionPhase::handle):
2855         (JSC::DFG::WatchpointCollectionPhase::addLazily):
2856         * ftl/FTLLowerDFGToLLVM.cpp:
2857         (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
2858         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2859         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2860         (JSC::FTL::LowerDFGToLLVM::typedArrayLength):
2861         * runtime/ArrayBuffer.cpp:
2862         (JSC::ArrayBuffer::transfer):
2863         * runtime/ArrayBufferNeuteringWatchpoint.cpp: Added.
2864         (JSC::ArrayBufferNeuteringWatchpoint::ArrayBufferNeuteringWatchpoint):
2865         (JSC::ArrayBufferNeuteringWatchpoint::~ArrayBufferNeuteringWatchpoint):
2866         (JSC::ArrayBufferNeuteringWatchpoint::finishCreation):
2867         (JSC::ArrayBufferNeuteringWatchpoint::destroy):
2868         (JSC::ArrayBufferNeuteringWatchpoint::create):
2869         (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
2870         * runtime/ArrayBufferNeuteringWatchpoint.h: Added.
2871         (JSC::ArrayBufferNeuteringWatchpoint::set):
2872         * runtime/VM.cpp:
2873         (JSC::VM::VM):
2874         * runtime/VM.h:
2875
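An added example, not part of this ChangeLog or of JavaScriptCore's code, showing at the JavaScript level why a folded typed-array length needs the neutering watchpoint described in the entry above: transferring the ArrayBuffer through a MessageChannel (Node.js) neuters it, and a bounds check baked against the old length silently goes stale. makeFoldedReader is a hypothetical model of such a folded check, not DFG code.

```javascript
'use strict';

// Snapshot the facts an optimizing JIT would like to treat as constants:
// the view's length and the size of its backing store.
function describeView(view) {
  return {
    length: view.length,
    byteLength: view.buffer.byteLength,
    firstElement: view.length > 0 ? view[0] : undefined,
  };
}

// Hypothetical model of a bounds check folded against a compile-time length,
// i.e. what would happen without a neutering watchpoint: the length is read
// once and reused for every later access.
function makeFoldedReader(view) {
  const foldedLength = view.length; // the value a JIT would bake in
  return (index) => {
    if (index >= foldedLength) {
      return { checkPassed: false, value: undefined };
    }
    // In JIT code this would be a raw load through the folded vector pointer;
    // JS semantics turn the same stale read into undefined instead.
    return { checkPassed: true, value: view[index] };
  };
}

// Neuter `buffer` by transferring it to the other end of a MessageChannel.
// Detachment happens synchronously inside postMessage, so the caller can
// observe it right away; the ports are closed so the process exits cleanly.
function neuter(buffer) {
  const { port1, port2 } = new MessageChannel();
  port1.postMessage(buffer, [buffer]);
  port1.close();
  port2.close();
}

// Returns the view's state, and the folded reader's answer, before and after
// neutering. The constructed sample buffer holds one marker byte at index 0.
function neuteringDemo() {
  const buffer = new ArrayBuffer(8);
  const view = new Uint8Array(buffer);
  view[0] = 42;
  const read = makeFoldedReader(view);
  const before = { ...describeView(view), foldedRead: read(0) };
  neuter(buffer);
  // After neutering the stale check still passes for index 0, but the view
  // now has length 0 and the read yields undefined: the folded assumption
  // has been invalidated, which is exactly what the watchpoint must catch.
  const after = { ...describeView(view), foldedRead: read(0) };
  return { before, after };
}
```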
2876 2013-12-04  Commit Queue  <commit-queue@webkit.org>
2877
2878         Unreviewed, rolling out r160116.
2879         http://trac.webkit.org/changeset/160116
2880         https://bugs.webkit.org/show_bug.cgi?id=125264
2881
2882         Change doesn't work as intended. See bug comments for details.
2883         (Requested by bfulgham on #webkit).
2884
2885         * runtime/InitializeThreading.cpp:
2886         (JSC::initializeThreading):
2887
2888 2013-12-04  Oliver Hunt  <oliver@apple.com>
2889
2890         Refactor static getter function prototype to include thisValue in addition to the base object
2891         https://bugs.webkit.org/show_bug.cgi?id=124461
2892
2893         Reviewed by Geoffrey Garen.
2894
2895         Add thisValue parameter to static getter prototype, and switch
2896         from JSValue to EncodedJSValue for parameters and return value.
2897
2898         Currently none of the static getters use the thisValue, but
2899         separating out the refactoring will prevent future changes
2900         from getting lost in the noise of refactoring.  This means
2901         that this patch does not result in any change in behaviour.
2902
2903         * API/JSCallbackObject.h:
2904         * API/JSCallbackObjectFunctions.h:
2905         (JSC::::asCallbackObject):
2906         (JSC::::staticFunctionGetter):
2907         (JSC::::callbackGetter):
2908         * jit/JITOperations.cpp:
2909         * runtime/JSActivation.cpp:
2910         (JSC::JSActivation::argumentsGetter):
2911         * runtime/JSActivation.h:
2912         * runtime/JSFunction.cpp:
2913         (JSC::JSFunction::argumentsGetter):
2914         (JSC::JSFunction::callerGetter):
2915         (JSC::JSFunction::lengthGetter):
2916         (JSC::JSFunction::nameGetter):
2917         * runtime/JSFunction.h:
2918         * runtime/JSObject.h:
2919         (JSC::PropertySlot::getValue):
2920         * runtime/NumberConstructor.cpp:
2921         (JSC::numberConstructorNaNValue):
2922         (JSC::numberConstructorNegInfinity):
2923         (JSC::numberConstructorPosInfinity):
2924         (JSC::numberConstructorMaxValue):
2925         (JSC::numberConstructorMinValue):
2926         * runtime/PropertySlot.h:
2927         * runtime/RegExpConstructor.cpp:
2928         (JSC::asRegExpConstructor):
2929         (JSC::regExpConstructorDollar1):
2930         (JSC::regExpConstructorDollar2):
2931         (JSC::regExpConstructorDollar3):
2932         (JSC::regExpConstructorDollar4):
2933         (JSC::regExpConstructorDollar5):
2934         (JSC::regExpConstructorDollar6):
2935         (JSC::regExpConstructorDollar7):
2936         (JSC::regExpConstructorDollar8):
2937         (JSC::regExpConstructorDollar9):
2938         (JSC::regExpConstructorInput):
2939         (JSC::regExpConstructorMultiline):
2940         (JSC::regExpConstructorLastMatch):
2941         (JSC::regExpConstructorLastParen):
2942         (JSC::regExpConstructorLeftContext):
2943         (JSC::regExpConstructorRightContext):
2944         * runtime/RegExpObject.cpp:
2945         (JSC::asRegExpObject):
2946         (JSC::regExpObjectGlobal):
2947         (JSC::regExpObjectIgnoreCase):
2948         (JSC::regExpObjectMultiline):
2949         (JSC::regExpObjectSource):
2950
2951 2013-12-04  Daniel Bates  <dabates@apple.com>
2952
2953         [iOS] Enable Objective-C ARC when building JSC tools for iOS simulator
2954         https://bugs.webkit.org/show_bug.cgi?id=125170
2955
2956         Reviewed by Geoffrey Garen.
2957
2958         * API/tests/testapi.mm:
2959         * Configurations/ToolExecutable.xcconfig:
2960
2961 2013-12-04  peavo@outlook.com  <peavo@outlook.com>
2962
2963         Use ThreadingOnce class to encapsulate pthread_once functionality.
2964         https://bugs.webkit.org/show_bug.cgi?id=125228
2965
2966         Reviewed by Brent Fulgham.
2967
2968         * runtime/InitializeThreading.cpp:
2969         (JSC::initializeThreading):
2970
2971 2013-12-04  Mark Lam  <mark.lam@apple.com>
2972
2973         Remove unneeded semicolons.
2974         https://bugs.webkit.org/show_bug.cgi?id=125083.
2975
2976         Rubber-stamped by Filip Pizlo.
2977
2978         * debugger/Debugger.h:
2979         (JSC::Debugger::detach):
2980         (JSC::Debugger::sourceParsed):
2981         (JSC::Debugger::exception):
2982         (JSC::Debugger::atStatement):
2983         (JSC::Debugger::callEvent):
2984         (JSC::Debugger::returnEvent):
2985         (JSC::Debugger::willExecuteProgram):
2986         (JSC::Debugger::didExecuteProgram):
2987         (JSC::Debugger::didReachBreakpoint):
2988
2989 2013-12-04  Andy Estes  <aestes@apple.com>
2990
2991         [iOS] Build projects with $(ARCHS_STANDARD_32_64_BIT)
2992         https://bugs.webkit.org/show_bug.cgi?id=125236
2993
2994         Reviewed by Sam Weinig.
2995
2996         $(ARCHS_STANDARD_32_64_BIT) is what we want for both device and simulator builds.
2997
2998         * Configurations/DebugRelease.xcconfig:
2999
3000 2013-12-03  Filip Pizlo  <fpizlo@apple.com>
3001
3002         Infer constant closure variables
3003         https://bugs.webkit.org/show_bug.cgi?id=124630
3004
3005         Reviewed by Geoffrey Garen.
3006         
3007         Captured variables that are assigned once (not counting op_enter's Undefined
3008         initialization) and that are contained within a function that has thus far only been
3009         entered once are now constant folded. It's pretty awesome.
3010         
3011         This involves a watchpoint on the assignment to variables and a watchpoint on entry
3012         into the function. The former is reused from global variable constant inference and the
3013         latter is reused from one-time closure inference.
3014
3015         * GNUmakefile.list.am:
3016         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3017         * JavaScriptCore.xcodeproj/project.pbxproj:
3018         * bytecode/CodeBlock.cpp:
3019         (JSC::CodeBlock::dumpBytecode):
3020         (JSC::CodeBlock::CodeBlock):
3021         * bytecode/Instruction.h:
3022         (JSC::Instruction::Instruction):
3023         * bytecode/Opcode.h:
3024         (JSC::padOpcodeName):
3025         * bytecode/UnlinkedCodeBlock.h:
3026         (JSC::UnlinkedInstruction::UnlinkedInstruction):
3027         * bytecode/VariableWatchpointSet.h:
3028         (JSC::VariableWatchpointSet::invalidate):
3029         * bytecode/Watchpoint.h:
3030         (JSC::WatchpointSet::invalidate):
3031         * bytecompiler/BytecodeGenerator.cpp:
3032         (JSC::BytecodeGenerator::addVar):
3033         (JSC::BytecodeGenerator::BytecodeGenerator):
3034         (JSC::BytecodeGenerator::emitInitLazyRegister):
3035         (JSC::BytecodeGenerator::emitMove):
3036         (JSC::BytecodeGenerator::emitNewFunctionInternal):
3037         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
3038         * bytecompiler/BytecodeGenerator.h:
3039         (JSC::BytecodeGenerator::addVar):
3040         (JSC::BytecodeGenerator::watchableVariable):
3041         * dfg/DFGByteCodeParser.cpp:
3042         (JSC::DFG::ByteCodeParser::getLocal):
3043         (JSC::DFG::ByteCodeParser::inferredConstant):
3044         (JSC::DFG::ByteCodeParser::parseBlock):
3045         (JSC::DFG::ByteCodeParser::parse):
3046         * dfg/DFGGraph.cpp:
3047         (JSC::DFG::Graph::tryGetActivation):
3048         (JSC::DFG::Graph::tryGetRegisters):
3049         * dfg/DFGGraph.h:
3050         * jit/JIT.cpp:
3051         (JSC::JIT::privateCompileMainPass):
3052         (JSC::JIT::privateCompileSlowCases):
3053         * jit/JIT.h:
3054         * jit/JITOpcodes.cpp:
3055         (JSC::JIT::emit_op_mov):
3056         (JSC::JIT::emit_op_captured_mov):
3057         (JSC::JIT::emit_op_new_captured_func):
3058         (JSC::JIT::emitSlow_op_captured_mov):
3059         * jit/JITOpcodes32_64.cpp:
3060         (JSC::JIT::emit_op_mov):
3061         (JSC::JIT::emit_op_captured_mov):
3062         * llint/LowLevelInterpreter32_64.asm:
3063         * llint/LowLevelInterpreter64.asm:
3064         * runtime/CommonSlowPaths.cpp:
3065         (JSC::SLOW_PATH_DECL):
3066         * runtime/CommonSlowPaths.h:
3067         * runtime/ConstantMode.h: Added.
3068         * runtime/JSGlobalObject.h:
3069         * runtime/JSScope.cpp:
3070         (JSC::abstractAccess):
3071         * runtime/SymbolTable.cpp:
3072         (JSC::SymbolTableEntry::prepareToWatch):
3073
3074 2013-12-04  Brent Fulgham  <bfulgham@apple.com>
3075
3076         [Win] Unreviewed project file gardening.
3077
3078         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Remove deleted files from project.
3079         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Put files in proper directory
3080         folders to match the directory structure of the source code.
3081
3082 2013-12-04  Joseph Pecoraro  <pecoraro@apple.com>
3083
3084         Unreviewed Windows Build Fix attempt after r160099.
3085
3086         * JavaScriptCore.vcxproj/copy-files.cmd:
3087
3088 2013-12-04  Julien Brianceau  <jbriance@cisco.com>
3089
3090         REGRESSION (r160094): Fix lots of crashes for sh4 architecture.
3091         https://bugs.webkit.org/show_bug.cgi?id=125227
3092
3093         Reviewed by Michael Saboff.
3094
3095         * llint/LowLevelInterpreter32_64.asm: Do not use t4 and t5 as they match a0 and a1.
3096         * offlineasm/registers.rb: Add t7, t8 and t9 in register list for sh4 port.
3097         * offlineasm/sh4.rb: Rearrange RegisterID list and add the missing ones.
3098
3099 2013-12-03  Joseph Pecoraro  <pecoraro@apple.com>
3100
3101         Web Inspector: Push Remote Inspector debugging connection management into JavaScriptCore
3102         https://bugs.webkit.org/show_bug.cgi?id=124613
3103
3104         Reviewed by Timothy Hatcher.
3105
3106         Move the ENABLE(REMOTE_INSPECTOR) remote debugger connection management
3107         into JavaScriptCore (originally from WebKit/mac). Include enhancements:
3108
3109           * allow for different types of remote debuggable targets,
3110             eventually at least a JSContext, WebView, WKView.
3111           * allow debuggables to be registered and debugged on any thread. Unlike
3112             WebViews, JSContexts may be run entirely off of the main thread.
3113           * move the remote connection (XPC connection) itself off of the main thread,
3114             it doesn't need to be on the main thread.
3115
3116         Make JSContext @class and JavaScriptCore::JSContextRef
3117         "JavaScript" Remote Debuggables.
3118
3119         * inspector/remote/RemoteInspectorDebuggable.h: Added.
3120         * inspector/remote/RemoteInspectorDebuggable.cpp: Added.
3121         (Inspector::RemoteInspectorDebuggable::RemoteInspectorDebuggable):
3122         (Inspector::RemoteInspectorDebuggable::~RemoteInspectorDebuggable):
3123         (Inspector::RemoteInspectorDebuggable::init):
3124         (Inspector::RemoteInspectorDebuggable::update):
3125         (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
3126         (Inspector::RemoteInspectorDebuggable::info):
3127         RemoteInspectorDebuggable defines a debuggable target. As long as
3128         something creates a debuggable and is set to allow remote inspection
3129         it will be listed in remote debuggers. For the different types of
3130         debuggables (JavaScript and Web) there is different basic information
3131         that may be listed.
3132
3133         * inspector/InspectorFrontendChannel.h: Added.
3134         (Inspector::InspectorFrontendChannel::~InspectorFrontendChannel):
3135         The only thing a debuggable needs for remote debugging is an
3136         InspectorFrontendChannel, a way to send messages to a remote frontend.
3137         This class provides that method, and is vended to the
3138         RemoteInspectorDebuggable when a remote connection is setup.
3139
3140         * inspector/remote/RemoteInspector.h: Added.
3141         * inspector/remote/RemoteInspector.mm: Added.
3142         Singleton, created at least when the first Debuggable is created.
3143         This class manages the list of debuggables, and any connection to a
3144         remote debugger proxy (XPC service "com.apple.webinspector").
3145
3146         (Inspector::dispatchAsyncOnQueueSafeForAnyDebuggable):
3147         (Inspector::RemoteInspector::shared):
3148         (Inspector::RemoteInspector::RemoteInspector):
3149         (Inspector::RemoteInspector::nextAvailableIdentifier):
3150         (Inspector::RemoteInspector::registerDebuggable):
3151         (Inspector::RemoteInspector::unregisterDebuggable):
3152         (Inspector::RemoteInspector::updateDebuggable):
3153         Debuggable management. When debuggables are added, removed, or updated
3154         we stash a copy of the debuggable information and push an update to
3155         debuggers. Stashing a copy of the information in the RemoteInspector
3156         is a thread safe way to avoid walking over all debuggables to gather
3157         the information when it is needed.
3158
3159         (Inspector::RemoteInspector::start):
3160         (Inspector::RemoteInspector::stop):
3161         Runtime API to enable / disable the feature.
3162
3163         (Inspector::RemoteInspector::listingForDebuggable):
3164         (Inspector::RemoteInspector::pushListingNow):
3165         (Inspector::RemoteInspector::pushListingSoon):
3166         Pushing a listing to remote debuggers.
3167
3168         (Inspector::RemoteInspector::sendMessageToRemoteFrontend):
3169         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
3170         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
3171         (Inspector::RemoteInspector::xpcConnectionFailed):
3172         (Inspector::RemoteInspector::xpcConnectionUnhandledMessage):
3173         XPC setup, send, and receive handling.
3174
3175         (Inspector::RemoteInspector::updateHasActiveDebugSession):
3176         Applications being debugged may want to know when a debug
3177         session is active. This provides that notification.
3178
3179         (Inspector::RemoteInspector::receivedSetupMessage):
3180         (Inspector::RemoteInspector::receivedDataMessage):
3181         (Inspector::RemoteInspector::receivedDidCloseMessage):
3182         (Inspector::RemoteInspector::receivedGetListingMessage):
3183         (Inspector::RemoteInspector::receivedIndicateMessage):
3184         (Inspector::RemoteInspector::receivedConnectionDiedMessage):
3185         Dispatching incoming remote debugging protocol messages.
3186         These are wrapping above the inspector protocol messages.
3187
3188         * inspector/remote/RemoteInspectorConstants.h: Added.
3189         Protocol messages and dictionary keys inside the messages.
3190
3191         (Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo):
3192         * inspector/remote/RemoteInspectorDebuggableConnection.h: Added.
3193         * inspector/remote/RemoteInspectorDebuggableConnection.mm: Added.
3194         This is a connection between the RemoteInspector singleton and a RemoteInspectorDebuggable.
3195
3196         (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
3197         (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
3198         Allow for dispatching messages on JavaScript debuggables on a dispatch_queue
3199         instead of the main queue.
3200
3201         (Inspector::RemoteInspectorDebuggableConnection::destination):
3202         (Inspector::RemoteInspectorDebuggableConnection::connectionIdentifier):
3203         Needed in the remote debugging protocol to identify the remote debugger.
3204
3205         (Inspector::RemoteInspectorDebuggableConnection::dispatchSyncOnDebuggable):
3206         (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
3207         (Inspector::RemoteInspectorDebuggableConnection::setup):
3208         (Inspector::RemoteInspectorDebuggableConnection::closeFromDebuggable):
3209         (Inspector::RemoteInspectorDebuggableConnection::close):
3210         (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
3211         (Inspector::RemoteInspectorDebuggableConnection::sendMessageToFrontend):
3212         The connection is a thin channel between the two sides that can be closed
3213         from either side, so there is some logic around multi-threaded access.
3214
3215         * inspector/remote/RemoteInspectorXPCConnection.h: Added.
3216         (Inspector::RemoteInspectorXPCConnection::Client::~Client):
3217         * inspector/remote/RemoteInspectorXPCConnection.mm: Added.
3218         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
3219         (Inspector::RemoteInspectorXPCConnection::~RemoteInspectorXPCConnection):
3220         (Inspector::RemoteInspectorXPCConnection::close):
3221         (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
3222         (Inspector::RemoteInspectorXPCConnection::handleEvent):
3223         (Inspector::RemoteInspectorXPCConnection::sendMessage):
3224         This is a connection between the RemoteInspector singleton and an XPC service
3225         named "com.apple.webinspector". This handles serialization of the dictionary
3226         messages to and from the service. The receiving is done on a non-main queue.
3227
3228         * API/JSContext.h:
3229         * API/JSContext.mm:
3230         (-[JSContext name]):
3231         (-[JSContext setName:]):
3232         ObjC API to enable/disable JSContext remote inspection and give a name.
3233
3234         * API/JSContextRef.h:
3235         * API/JSContextRef.cpp:
3236         (JSGlobalContextGetName):
3237         (JSGlobalContextSetName):
3238         C API to give a JSContext a name.
3239
3240         * runtime/JSGlobalObject.cpp:
3241         (JSC::JSGlobalObject::setName):
3242         * runtime/JSGlobalObject.h:
3243         (JSC::JSGlobalObject::name):
3244         Shared handling of the APIs above.
3245
3246         * runtime/JSGlobalObjectDebuggable.cpp: Added.
3247         (JSC::JSGlobalObjectDebuggable::JSGlobalObjectDebuggable):
3248         (JSC::JSGlobalObjectDebuggable::name):
3249         (JSC::JSGlobalObjectDebuggable::connect):
3250         (JSC::JSGlobalObjectDebuggable::disconnect):
3251         (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
3252         * runtime/JSGlobalObjectDebuggable.h: Added.
3253         Stub for the actual remote debugging implementation. We will push
3254         down the appropriate WebCore/inspector pieces suitable for debugging
3255         just a JavaScript context.
3256
3257         * CMakeLists.txt:
3258         * JavaScriptCore.xcodeproj/project.pbxproj:
3259         * GNUmakefile.am:
3260         * GNUmakefile.list.am:
3261         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3262         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3263         Update build files.
3264
3265 2013-12-04  Michael Saboff  <msaboff@apple.com>
3266
3267         Move the setting up of callee's callFrame from pushFrame to callToJavaScript thunk
3268         https://bugs.webkit.org/show_bug.cgi?id=123999
3269
3270         Reviewed by Filip Pizlo.
3271
3272         Changed LLInt and/or JIT enabled ports to allocate the stack frame in the
3273         callToJavaScript stub.  Added an additional stub, callToNativeFunction that
3274         allocates a stack frame in a similar way for calling native entry points
3275         that take a single ExecState* argument.  These stubs are implemented
3276         using common macros in LowLevelInterpreter{32_64,64}.asm.  There are also
3277         Windows X86 and X86-64 versions in the corresponding JitStubsXX.h.
3278         The stubs allocate and create a sentinel frame, then create the callee's
3279         frame, populating the header and arguments from the passed in ProtoCallFrame*.
3280         It is assumed that the caller of either stub does a check for enough stack space
3281         via JSStack::entryCheck().
3282
3283         For ports using the C-Loop interpreter, the prior method for allocating stack
3284         frame and invoking functions is used, namely with JSStack::pushFrame() and
3285         ::popFrame().
3286
3287         Made spelling changes "sentinal" -> "sentinel".
3288
3289         * CMakeLists.txt:
3290         * GNUmakefile.list.am:
3291         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3292         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3293         * JavaScriptCore.xcodeproj/project.pbxproj:
3294         * interpreter/CachedCall.h:
3295         (JSC::CachedCall::CachedCall):
3296         (JSC::CachedCall::setThis):
3297         (JSC::CachedCall::setArgument):
3298         * interpreter/CallFrameClosure.h:
3299         (JSC::CallFrameClosure::resetCallFrame):
3300         * interpreter/Interpreter.cpp:
3301         (JSC::Interpreter::execute):
3302         (JSC::Interpreter::executeCall):
3303         (JSC::Interpreter::executeConstruct):
3304         (JSC::Interpreter::prepareForRepeatCall):
3305         * interpreter/Interpreter.h:
3306         * interpreter/JSStack.h:
3307         * interpreter/JSStackInlines.h:
3308         (JSC::JSStack::entryCheck):
3309         (JSC::JSStack::pushFrame):
3310         (JSC::JSStack::popFrame):
3311         * interpreter/ProtoCallFrame.cpp: Added.
3312         (JSC::ProtoCallFrame::init):
3313         * interpreter/ProtoCallFrame.h: Added.
3314         (JSC::ProtoCallFrame::codeBlock):
3315         (JSC::ProtoCallFrame::setCodeBlock):
3316         (JSC::ProtoCallFrame::setScope):
3317         (JSC::ProtoCallFrame::setCallee):
3318         (JSC::ProtoCallFrame::argumentCountIncludingThis):
3319         (JSC::ProtoCallFrame::argumentCount):
3320         (JSC::ProtoCallFrame::setArgumentCountIncludingThis):
3321         (JSC::ProtoCallFrame::setPaddedArgsCount):
3322         (JSC::ProtoCallFrame::clearCurrentVPC):
3323         (JSC::ProtoCallFrame::setThisValue):
3324         (JSC::ProtoCallFrame::setArgument):
3325         * jit/JITCode.cpp:
3326         (JSC::JITCode::execute):
3327         * jit/JITCode.h:
3328         * jit/JITOperations.cpp:
3329         * jit/JITStubs.h:
3330         * jit/JITStubsMSVC64.asm:
3331         * jit/JITStubsX86.h:
3332         * llint/LLIntOffsetsExtractor.cpp:
3333         * llint/LLIntThunks.h:
3334         * llint/LowLevelInterpreter.asm:
3335         * llint/LowLevelInterpreter32_64.asm:
3336         * llint/LowLevelInterpreter64.asm:
3337         * runtime/ArgList.h:
3338         (JSC::ArgList::data):
3339         * runtime/JSArray.cpp:
3340         (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key):
3341         * runtime/StringPrototype.cpp:
3342         (JSC::replaceUsingRegExpSearch):
3343
3344 2013-12-04  László Langó  <lango@inf.u-szeged.hu>
3345
3346         Remove stdio.h from JSC files.
3347         https://bugs.webkit.org/show_bug.cgi?id=125220
3348
3349         Reviewed by Michael Saboff.
3350
3351         * interpreter/VMInspector.cpp:
3352         * jit/JITArithmetic.cpp:
3353         * jit/JITArithmetic32_64.cpp:
3354         * jit/JITCall.cpp:
3355         * jit/JITCall32_64.cpp:
3356         * jit/JITPropertyAccess.cpp:
3357         * jit/JITPropertyAccess32_64.cpp:
3358         * runtime/Completion.cpp:
3359         * runtime/IndexingType.cpp:
3360         * runtime/Lookup.h:
3361         * runtime/Operations.cpp:
3362         * runtime/Options.cpp:
3363         * runtime/RegExp.cpp:
3364
3365 2013-12-04  László Langó  <lango@inf.u-szeged.hu>
3366
3367         Avoid adding a zero offset in BaseIndex.
3368         https://bugs.webkit.org/show_bug.cgi?id=125215
3369
3370         Reviewed by Michael Saboff.
3371
3372         When using cloop, do not generate offset additions for BaseIndex if the offset is zero.
3373
3374         * offlineasm/cloop.rb:
3375
3376 2013-12-04  Peter Molnar  <pmolnar.u-szeged@partner.samsung.com>
3377
3378         Fix !ENABLE(JAVASCRIPT_DEBUGGER) build.
3379         https://bugs.webkit.org/show_bug.cgi?id=125083
3380
3381         Reviewed by Mark Lam.
3382
3383         * debugger/Debugger.cpp:
3384         * debugger/Debugger.h:
3385         (JSC::Debugger::Debugger):
3386         (JSC::Debugger::needsOpDebugCall