9718bf7b35cdc9927c60821d5728c126d5eb29c0
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-03-04  Andreas Kling  <akling@apple.com>

        Streamline JSValue::get().
        <https://webkit.org/b/129720>

        Fetch each Structure and VM only once when walking the prototype chain
        in JSObject::getPropertySlot(), then pass it along to the functions
        we call from there, so they don't have to re-fetch it.

        Reviewed by Geoff Garen.

        * runtime/JSObject.h:
        (JSC::JSObject::inlineGetOwnPropertySlot):
        (JSC::JSObject::fastGetOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):

2014-03-01  Filip Pizlo  <fpizlo@apple.com>

        DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
        https://bugs.webkit.org/show_bug.cgi?id=129563

        Reviewed by Geoffrey Garen.

        This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
        when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
        user of this was EarleyBoyer, and in that benchmark what it was really doing was
        comparing undefined, null, and booleans to each other.

        This also adds support for miscellaneous things that I needed to make my various test
        cases work. This includes comparison over booleans and the various Throw-related node
        types.

        This also improves constant folding of CompareStrictEq and CompareEq.

        Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
        based on profiling, which caused some downstream badness. We don't actually support
        compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
        emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
        shouldn't factor out the bounds check since the access is not InBounds but then the
        backend would ignore the flag and assume that the bounds check was already emitted.
        This showed up on an existing test but I added a test for this explicitly to have more
        certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
        that we'll have a bounds check anyway.

        This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
        general progressions across the board. No speed-up yet on EarleyBoyer, since there is
        still a lot more coverage work to be done there.

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationToAbbreviatedString):
        (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
        (JSC::valuesCouldBeEqual):
        * bytecode/SpeculatedType.h:
        (JSC::isMiscSpeculation):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateMisc):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compileThrow):
        (JSC::FTL::LowerDFGToLLVM::isNotMisc):
        (JSC::FTL::LowerDFGToLLVM::isMisc):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateMisc):
        * tests/stress/float32-array-out-of-bounds.js: Added.
        * tests/stress/weird-equality-folding-cases.js: Added.

2014-03-04  Andreas Kling  <akling@apple.com>

        Spam static branch prediction hints on JS bindings.
        <https://webkit.org/b/129703>

        Add LIKELY hint to jsDynamicCast since it's always used in a context
        where we expect it to succeed and takes an error path when it doesn't.

        Reviewed by Geoff Garen.

        * runtime/JSCell.h:
        (JSC::jsDynamicCast):

2014-03-04  Andreas Kling  <akling@apple.com>

        Get to Structures more efficiently in JSCell::methodTable().
        <https://webkit.org/b/129702>

        In JSCell::methodTable(), get the VM once and pass that along to
        structure(VM&) instead of using the heavier structure().

        In JSCell::methodTable(VM&), replace calls to structure() with
        calls to structure(VM&).

        Reviewed by Mark Hahnenberg.

        * runtime/JSCellInlines.h:
        (JSC::JSCell::methodTable):

2014-03-04  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Listen for the XPC_ERROR_CONNECTION_INVALID event to deref
        https://bugs.webkit.org/show_bug.cgi?id=129697

        Reviewed by Timothy Hatcher.

        * inspector/remote/RemoteInspectorXPCConnection.mm:
        (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
        (Inspector::RemoteInspectorXPCConnection::handleEvent):

2014-03-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        Merge API shims and JSLock
        https://bugs.webkit.org/show_bug.cgi?id=129650

        Reviewed by Mark Lam.

        JSLock is now taking on all of APIEntryShim's responsibilities since there is never a reason
        to take just the JSLock. Ditto for DropAllLocks and APICallbackShim.

        * API/APICallbackFunction.h:
        (JSC::APICallbackFunction::call):
        (JSC::APICallbackFunction::construct):
        * API/APIShims.h: Removed.
        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        (JSGarbageCollect):
        (JSReportExtraMemoryCost):
        (JSSynchronousGarbageCollectForDebugging):
        * API/JSCallbackConstructor.cpp:
        * API/JSCallbackFunction.cpp:
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::init):
        (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
        (JSC::JSCallbackObject<Parent>::put):
        (JSC::JSCallbackObject<Parent>::putByIndex):
        (JSC::JSCallbackObject<Parent>::deleteProperty):
        (JSC::JSCallbackObject<Parent>::construct):
        (JSC::JSCallbackObject<Parent>::customHasInstance):
        (JSC::JSCallbackObject<Parent>::call):
        (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
        (JSC::JSCallbackObject<Parent>::getStaticValue):
        (JSC::JSCallbackObject<Parent>::callbackGetter):
        * API/JSContext.mm:
        (-[JSContext setException:]):
        (-[JSContext wrapperForObjCObject:]):
        (-[JSContext wrapperForJSObject:]):
        * API/JSContextRef.cpp:
        (JSContextGroupRelease):
        (JSContextGroupSetExecutionTimeLimit):
        (JSContextGroupClearExecutionTimeLimit):
        (JSGlobalContextCreateInGroup):
        (JSGlobalContextRetain):
        (JSGlobalContextRelease):
        (JSContextGetGlobalObject):
        (JSContextGetGlobalContext):
        (JSGlobalContextCopyName):
        (JSGlobalContextSetName):
        * API/JSManagedValue.mm:
        (-[JSManagedValue value]):
        * API/JSObjectRef.cpp:
        (JSObjectMake):
        (JSObjectMakeFunctionWithCallback):
        (JSObjectMakeConstructor):
        (JSObjectMakeFunction):
        (JSObjectMakeArray):
        (JSObjectMakeDate):
        (JSObjectMakeError):
        (JSObjectMakeRegExp):
        (JSObjectGetPrototype):
        (JSObjectSetPrototype):
        (JSObjectHasProperty):
        (JSObjectGetProperty):
        (JSObjectSetProperty):
        (JSObjectGetPropertyAtIndex):
        (JSObjectSetPropertyAtIndex):
        (JSObjectDeleteProperty):
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        (JSObjectIsFunction):
        (JSObjectCallAsFunction):
        (JSObjectCallAsConstructor):
        (JSObjectCopyPropertyNames):
        (JSPropertyNameArrayRelease):
        (JSPropertyNameAccumulatorAddName):
        * API/JSScriptRef.cpp:
        * API/JSValue.mm:
        (isDate):
        (isArray):
        (containerValueToObject):
        (valueToArray):
        (valueToDictionary):
        (objectToValue):
        * API/JSValueRef.cpp:
        (JSValueGetType):
        (JSValueIsUndefined):
        (JSValueIsNull):
        (JSValueIsBoolean):
        (JSValueIsNumber):
        (JSValueIsString):
        (JSValueIsObject):
        (JSValueIsObjectOfClass):
        (JSValueIsEqual):
        (JSValueIsStrictEqual):
        (JSValueIsInstanceOfConstructor):
        (JSValueMakeUndefined):
        (JSValueMakeNull):
        (JSValueMakeBoolean):
        (JSValueMakeNumber):
        (JSValueMakeString):
        (JSValueMakeFromJSONString):
        (JSValueCreateJSONString):
        (JSValueToBoolean):
        (JSValueToNumber):
        (JSValueToStringCopy):
        (JSValueToObject):
        (JSValueProtect):
        (JSValueUnprotect):
        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine addManagedReference:withOwner:]):
        (-[JSVirtualMachine removeManagedReference:withOwner:]):
        * API/JSWeakObjectMapRefPrivate.cpp:
        * API/JSWrapperMap.mm:
        (constructorHasInstance):
        (makeWrapper):
        (tryUnwrapObjcObject):
        * API/ObjCCallbackFunction.mm:
        (JSC::objCCallbackFunctionCallAsFunction):
        (JSC::objCCallbackFunctionCallAsConstructor):
        (objCCallbackFunctionForInvocation):
        * CMakeLists.txt:
        * ForwardingHeaders/JavaScriptCore/APIShims.h: Removed.
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGWorklist.cpp:
        * heap/DelayedReleaseScope.h:
        (JSC::DelayedReleaseScope::~DelayedReleaseScope):
        * heap/HeapTimer.cpp:
        (JSC::HeapTimer::timerDidFire):
        (JSC::HeapTimer::timerEvent):
        * heap/IncrementalSweeper.cpp:
        * inspector/InjectedScriptModule.cpp:
        (Inspector::InjectedScriptModule::ensureInjected):
        * jsc.cpp:
        (jscmain):
        * runtime/GCActivityCallback.cpp:
        (JSC::DefaultGCActivityCallback::doWork):
        * runtime/JSGlobalObjectDebuggable.cpp:
        (JSC::JSGlobalObjectDebuggable::connect):
        (JSC::JSGlobalObjectDebuggable::disconnect):
        (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
        * runtime/JSLock.cpp:
        (JSC::JSLock::lock):
        (JSC::JSLock::didAcquireLock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::willReleaseLock):
        (JSC::JSLock::DropAllLocks::DropAllLocks):
        (JSC::JSLock::DropAllLocks::~DropAllLocks):
        * runtime/JSLock.h:
        * testRegExp.cpp:
        (realMain):

2014-03-04  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r164812.
        http://trac.webkit.org/changeset/164812
        https://bugs.webkit.org/show_bug.cgi?id=129699

        it made things run slower (Requested by pizlo on #webkit).

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        * runtime/BatchedTransitionOptimizer.h:
        (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
        (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):

2014-03-02  Filip Pizlo  <fpizlo@apple.com>

        GetMyArgumentByVal in FTL
        https://bugs.webkit.org/show_bug.cgi?id=128850

        Reviewed by Oliver Hunt.

        This would have been easy if the OSR exit compiler's arity checks hadn't been wrong.
        They checked arity by doing "exec->argumentCount == codeBlock->numParameters", which
        caused it to think that the arity check had failed if the caller had passed more
        arguments than needed. This would cause the call frame copying to sort of go into
        reverse (because the amount-by-which-we-failed-arity would have opposite sign,
        throwing off a bunch of math) and the stack would end up being corrupted.

        The bug was revealed by two existing tests although as far as I could tell, neither
        test was intending to cover this case directly. So, I added a new test.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
        (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated):
        (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLState.h:
        * tests/stress/exit-from-ftl-when-caller-passed-extra-args-then-use-function-dot-arguments.js: Added.
        * tests/stress/ftl-get-my-argument-by-val-inlined-and-not-inlined.js: Added.
        * tests/stress/ftl-get-my-argument-by-val-inlined.js: Added.
        * tests/stress/ftl-get-my-argument-by-val.js: Added.
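
The arity-check mistake this entry describes, as an added example that is not JavaScriptCore's code: a simplified model in which the frame fixup is driven either by the equality predicate the entry quotes or by the ordering predicate it should have used. JavaScript allows a caller to pass more arguments than the callee declares, so only a shortfall needs fixing up; an equality check reports the extra-arguments case as a failure and the computed "shortfall" comes out negative. The names (Value, ArgumentList, arityCheckFailedBuggy, arityCheckFailedCorrect, arityShortfall, fixUpArguments) are this example's own, and the model pads a plain argument list where a real engine copies registers and a frame header.

```cpp
// Added example, not JavaScriptCore code: a toy model of the arity-check bug
// described in the ChangeLog entry above. All names here are this example's own.
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// A JS value in the model is just a string; "undefined" is the padding value.
using Value = std::string;
using ArgumentList = std::vector<Value>;

// The predicate the entry quotes, read as a success test: only an exact match
// passes, so a caller that passes extra arguments is reported as an arity failure.
bool arityCheckFailedBuggy(std::size_t argumentCount, std::size_t numParameters)
{
    return !(argumentCount == numParameters);
}

// The correct predicate: fixup is needed only when too few arguments arrived.
bool arityCheckFailedCorrect(std::size_t argumentCount, std::size_t numParameters)
{
    return argumentCount < numParameters;
}

// "Amount by which we failed arity" as a signed quantity. For extra arguments it
// is negative, which is what sends copy arithmetic that assumes a non-negative
// count off in the wrong direction.
long arityShortfall(std::size_t argumentCount, std::size_t numParameters)
{
    return static_cast<long>(numParameters) - static_cast<long>(argumentCount);
}

// Frame fixup that validates its input: pads missing parameters with undefined
// and refuses (returns false, leaves fixedUp untouched) when the shortfall is
// negative, instead of letting a negative count drive a memory copy.
bool fixUpArguments(const ArgumentList& arguments, std::size_t numParameters,
    bool (*arityCheckFailed)(std::size_t, std::size_t), ArgumentList& fixedUp)
{
    if (!arityCheckFailed(arguments.size(), numParameters)) {
        fixedUp = arguments; // Enough (or extra) arguments: nothing to do.
        return true;
    }
    long shortfall = arityShortfall(arguments.size(), numParameters);
    if (shortfall < 0)
        return false; // Only the buggy predicate gets here (extra arguments).
    fixedUp = arguments;
    fixedUp.insert(fixedUp.end(), static_cast<std::size_t>(shortfall), Value("undefined"));
    return true;
}

int main()
{
    ArgumentList threeArgs{"a", "b", "c"};
    ArgumentList out;
    std::printf("buggy predicate, 3 args for 2 params: fixup %s (shortfall %ld)\n",
        fixUpArguments(threeArgs, 2, arityCheckFailedBuggy, out) ? "ok" : "rejected",
        arityShortfall(3, 2));
    std::printf("correct predicate, 3 args for 2 params: fixup %s, %zu args kept\n",
        fixUpArguments(threeArgs, 2, arityCheckFailedCorrect, out) ? "ok" : "rejected",
        out.size());
    return 0;
}
```

The rejection path is the defensive point: a fixup routine that checks the sign of its own delta turns a silent frame corruption into a detectable failure, which is what the regression tests listed above look for.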

2014-03-04  Zan Dobersek  <zdobersek@igalia.com>

        [GTK] Build the Udis86 disassembler
        https://bugs.webkit.org/show_bug.cgi?id=129679

        Reviewed by Michael Saboff.

        * GNUmakefile.am: Generate the Udis86-related derived sources. Distribute the required files.
        * GNUmakefile.list.am: Add the Udis86 disassembler files to the build.

2014-03-04  Andreas Kling  <akling@apple.com>

        Fix too-narrow assertion I added in r165054.

        It's okay for a 1-character string to come in here. This will happen
        if the VM small string optimization doesn't apply (ch > 0xFF).

        * runtime/JSString.h:
        (JSC::jsStringWithWeakOwner):

2014-03-04  Andreas Kling  <akling@apple.com>

        Micro-optimize Strings in JS bindings.
        <https://webkit.org/b/129673>

        Make jsStringWithWeakOwner() take a StringImpl& instead of a String.
        This avoids branches in length() and operator[].

        Also call JSString::create() directly instead of jsString() and just
        assert that the string length is >1. This way we don't duplicate the
        optimizations for empty and single-character strings.

        Reviewed by Ryosuke Niwa.

        * runtime/JSString.h:
        (JSC::jsStringWithWeakOwner):

2014-03-04  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        Implement Number.prototype.clz()
        https://bugs.webkit.org/show_bug.cgi?id=129479

        Reviewed by Oliver Hunt.

        Implemented Number.prototype.clz() as specified in the ES6 standard.

        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncClz):
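
As an added example (not JavaScriptCore's numberProtoFuncClz), the semantics the ES6 draft gave Number.prototype.clz(): the receiver is converted with ToUint32 and the result is the number of leading zero bits in that 32-bit value, with 32 for zero. The final ES6 standard moved this operation to Math.clz32. The interesting part for anyone reviewing such a builtin is the ToUint32 step, which maps NaN and infinities to 0, truncates toward zero and reduces modulo 2^32, so -1 becomes 0xFFFFFFFF and 2^32 becomes 0. The names toUint32, countLeadingZeros32 and numberClz are this example's own.

```cpp
// Added example, not JavaScriptCore code: a model of ES6-draft Number.prototype.clz()
// built from ECMAScript ToUint32 plus a leading-zero count. Names are this example's own.
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <limits>

// ECMAScript ToUint32: NaN, +/-Infinity and +/-0 map to 0; otherwise truncate toward
// zero and reduce modulo 2^32 into the range [0, 2^32).
uint32_t toUint32(double number)
{
    if (std::isnan(number) || std::isinf(number))
        return 0;
    double truncated = std::trunc(number);
    // fmod keeps the sign of the dividend, so a negative remainder needs one more step.
    double modulo = std::fmod(truncated, 4294967296.0);
    if (modulo < 0)
        modulo += 4294967296.0;
    return static_cast<uint32_t>(modulo);
}

// Leading-zero count of a 32-bit value without compiler builtins, so the result for
// 0 (32) is explicit rather than undefined behaviour.
int countLeadingZeros32(uint32_t value)
{
    if (!value)
        return 32;
    int zeros = 0;
    for (uint32_t mask = 0x80000000u; !(value & mask); mask >>= 1)
        ++zeros;
    return zeros;
}

// Number.prototype.clz() applied to a JS number receiver.
int numberClz(double thisValue)
{
    return countLeadingZeros32(toUint32(thisValue));
}

int main()
{
    const double samples[] = { 1.0, 0.0, -1.0, 255.0, 4294967296.0, 0.5,
        std::numeric_limits<double>::quiet_NaN() };
    for (double sample : samples)
        std::printf("clz(%g) = %d (ToUint32 = %u)\n", sample, numberClz(sample), toUint32(sample));
    return 0;
}
```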

2014-03-03  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Avoid too early deref caused by RemoteInspectorXPCConnection::close
        https://bugs.webkit.org/show_bug.cgi?id=129631

        Reviewed by Timothy Hatcher.

        Avoid deref() too early if a client calls close(). The xpc_connection_close
        will cause another XPC_ERROR event to come in from the queue, deref then.
        Likewise, protect multithreaded access to m_client. If a client calls
        close() we want to immediately clear the pointer to prevent calls to it.

        Overall the multi-threading aspects of RemoteInspectorXPCConnection are
        growing too complicated for probably little benefit. We may want to
        clean this up later.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::xpcConnectionFailed):
        * inspector/remote/RemoteInspectorXPCConnection.h:
        * inspector/remote/RemoteInspectorXPCConnection.mm:
        (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
        (Inspector::RemoteInspectorXPCConnection::close):
        (Inspector::RemoteInspectorXPCConnection::closeOnQueue):
        (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
        (Inspector::RemoteInspectorXPCConnection::handleEvent):
        (Inspector::RemoteInspectorXPCConnection::sendMessage):

2014-03-03  Michael Saboff  <msaboff@apple.com>

        AbstractMacroAssembler::CachedTempRegister should start out invalid
        https://bugs.webkit.org/show_bug.cgi?id=129657

        Reviewed by Filip Pizlo.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
        - Invalidate all cached registers in constructor as we don't know the
          contents of any register at the entry to the code we are going to
          generate.

2014-03-03  Andreas Kling  <akling@apple.com>

        StructureOrOffset should be fastmalloced.
        <https://webkit.org/b/129640>

        Reviewed by Geoffrey Garen.

        * runtime/StructureIDTable.h:

2014-03-03  Michael Saboff  <msaboff@apple.com>

        Crash in JIT code while watching a video @ storyboard.tumblr.com
        https://bugs.webkit.org/show_bug.cgi?id=129635

        Reviewed by Filip Pizlo.

        Clear m_set before we set bits in the TempRegisterSet(const RegisterSet& other)
        constructor.

        * jit/TempRegisterSet.cpp:
        (JSC::TempRegisterSet::TempRegisterSet): Clear map before setting it.
        * jit/TempRegisterSet.h:
        (JSC::TempRegisterSet::TempRegisterSet): Use new clearAll() helper.
        (JSC::TempRegisterSet::clearAll): New private helper.

2014-03-03  Benjamin Poulain  <benjamin@webkit.org>

        [x86] Improve code generation of byte test
        https://bugs.webkit.org/show_bug.cgi?id=129597

        Reviewed by Geoffrey Garen.

        When possible, test the 8 bit register to itself instead of comparing it
        to a literal.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::test32):

2014-03-03  Mark Lam  <mark.lam@apple.com>

        Web Inspector: debugger statements do not break.
        <https://webkit.org/b/129524>

        Reviewed by Geoff Garen.

        Since we no longer call op_debug hooks unless there is a debugger request
        made on the CodeBlock, the op_debug for the debugger statement never gets
        serviced.

        With this fix, we check in the CodeBlock constructor if any debugger
        statements are present.  If so, we set an m_hasDebuggerStatement flag that
        causes the CodeBlock to show as having debugger requests.  Hence,
        breaking at debugger statements is now restored.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::hasDebuggerRequests):
        (JSC::CodeBlock::clearDebuggerRequests):

2014-03-03  Mark Lam  <mark.lam@apple.com>

        ASSERTION FAILED: m_numBreakpoints >= numBreakpoints when deleting breakpoints.
        <https://webkit.org/b/129393>

        Reviewed by Geoffrey Garen.

        The issue manifests because the debugger will iterate all CodeBlocks in
        the heap when setting / clearing breakpoints, but it is possible for a
        CodeBlock to have been instantiated but not yet registered with the
        debugger.  This can happen because of the following:

        1. DFG worklist compilation is still in progress, and the target
           codeBlock is not ready for installation in its executable yet.

        2. DFG compilation failed and we have a codeBlock that will never be
           installed in its executable, and the codeBlock has not been cleaned
           up by the GC yet.

        The code for installing the codeBlock in its executable is the same code
        that registers it with the debugger.  Hence, these codeBlocks are not
        registered with the debugger, and any pending breakpoints that would map
        to that CodeBlock are as yet unset or will never be set.  As such, an
        attempt to remove a breakpoint in that CodeBlock will fail that assertion.

        To fix this, we do the following:

        1. We'll eagerly clean up any zombie CodeBlocks due to failed DFG / FTL
           compilation.  This is achieved by providing a
           DeferredCompilationCallback::compilationDidComplete() that does this
           clean up, and have all subclasses call it at the end of their
           compilationDidComplete() methods.

        2. Before the debugger or profiler iterates CodeBlocks in the heap, they
           will wait for all compilations to complete before proceeding.  This
           ensures that:
           1. any zombie CodeBlocks would have been cleaned up, and won't be
              seen by the debugger or profiler.
           2. all CodeBlocks that the debugger and profiler needs to operate on
              will be "ready" for whatever needs to be done to them e.g.
              jettisoning of DFG codeBlocks.

        * bytecode/DeferredCompilationCallback.cpp:
        (JSC::DeferredCompilationCallback::compilationDidComplete):
        * bytecode/DeferredCompilationCallback.h:
        - Provide default implementation method to clean up zombie CodeBlocks.

        * debugger/Debugger.cpp:
        (JSC::Debugger::forEachCodeBlock):
        - Utility function to iterate CodeBlocks.  It ensures that all compilations
          are complete before proceeding.
        (JSC::Debugger::setSteppingMode):
        (JSC::Debugger::toggleBreakpoint):
        (JSC::Debugger::recompileAllJSFunctions):
        (JSC::Debugger::clearBreakpoints):
        (JSC::Debugger::clearDebuggerRequests):
        - Use the utility iterator function.

        * debugger/Debugger.h:
        * dfg/DFGOperations.cpp:
        - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
        - Remove unneeded code (that was not the best solution anyway) for ensuring
          that we don't generate new DFG codeBlocks after enabling the debugger or
          profiler.  Now that we wait for compilations to complete before proceeding
          with debugger and profiler work, this scenario will never happen.

        * dfg/DFGToFTLDeferredCompilationCallback.cpp:
        (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
        - Call the super class method to clean up zombie codeBlocks.

        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
        - Call the super class method to clean up zombie codeBlocks.

        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::remove):
        * heap/CodeBlockSet.h:
        * heap/Heap.h:
        (JSC::Heap::removeCodeBlock):
        - New method to remove a codeBlock from the codeBlock set.

        * jit/JITOperations.cpp:
        - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.

        * jit/JITToDFGDeferredCompilationCallback.cpp:
        (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
        - Call the super class method to clean up zombie codeBlocks.

        * runtime/VM.cpp:
        (JSC::VM::waitForCompilationsToComplete):
        - Renamed from prepareToDiscardCode() to be clearer about what it does.

        (JSC::VM::discardAllCode):
        (JSC::VM::releaseExecutableMemory):
        (JSC::VM::setEnabledProfiler):
        - Wait for compilation to complete before enabling the profiler.

        * runtime/VM.h:

2014-03-03  Brian Burg  <bburg@apple.com>

        Another unreviewed build fix attempt for Windows after r164986.

        We never told Visual Studio to copy over the web replay code generator scripts
        and the generated headers for JavaScriptCore replay inputs as if they were
        private headers.

        * JavaScriptCore.vcxproj/copy-files.cmd:

2014-03-03  Brian Burg  <bburg@apple.com>

        Web Replay: upstream input storage, capture/replay machinery, and inspector domain
        https://bugs.webkit.org/show_bug.cgi?id=128782

        Reviewed by Timothy Hatcher.

        Alter the replay inputs code generator so that it knows when it is necessary
        to include headers for HEAVY_SCALAR types such as WTF::String and WebCore::URL.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Framework.fromString):
        (Frameworks): Add WTF as an allowed framework for code generation.
        (Generator.generate_includes): Include headers for HEAVY_SCALAR types in the header file.
        (Generator.generate_includes.declaration):
        (Generator.generate_includes.or):
        (Generator.generate_type_forward_declarations): Skip HEAVY_SCALAR types.

2014-03-02  Filip Pizlo  <fpizlo@apple.com>

        PolymorphicPutByIdList should have a simpler construction API with basically a single entrypoint
        https://bugs.webkit.org/show_bug.cgi?id=129591

        Reviewed by Michael Saboff.

        * bytecode/PolymorphicPutByIdList.cpp:
        (JSC::PutByIdAccess::fromStructureStubInfo): This function can figure out the slow path target for itself.
        (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList): This constructor should be private, only from() should call it.
        (JSC::PolymorphicPutByIdList::from):
        * bytecode/PolymorphicPutByIdList.h:
        (JSC::PutByIdAccess::stubRoutine):
        * jit/Repatch.cpp:
        (JSC::tryBuildPutByIdList): Don't pass the slow path target since it can be derived from the stubInfo.

2014-03-02  Filip Pizlo  <fpizlo@apple.com>

        Debugging improvements from my gbemu investigation session
        https://bugs.webkit.org/show_bug.cgi?id=129599

        Reviewed by Mark Lam.

        Various improvements from when I was investigating bug 129411.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::optimizationThresholdScalingFactor): Make the dataLog() statement print the actual multiplier.
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionDescribe): Make describe() return a string rather than printing the string.
        (functionDescribeArray): Like describe(), but prints details about arrays.

2014-02-25  Andreas Kling  <akling@apple.com>

        JSDOMWindow::commonVM() should return a reference.
        <https://webkit.org/b/129293>

        Added a DropAllLocks constructor that takes VM& without null checks.

        Reviewed by Geoff Garen.

2014-03-02  Mark Lam  <mark.lam@apple.com>

        CodeBlock::hasDebuggerRequests() should return a bool instead of an int.
        <https://webkit.org/b/129584>

        Reviewed by Darin Adler.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::hasDebuggerRequests):

2014-03-02  Mark Lam  <mark.lam@apple.com>

        Clean up use of Options::enableConcurrentJIT().
        <https://webkit.org/b/129582>

        Reviewed by Filip Pizlo.

        DFG Driver was conditionally checking Options::enableConcurrentJIT()
        only if ENABLE(CONCURRENT_JIT).  Otherwise, it bypasses it with a local
        enableConcurrentJIT set to false.

        Instead we should configure Options::enableConcurrentJIT() to be false
        in Options.cpp if !ENABLE(CONCURRENT_JIT), and DFG Driver should always
        check Options::enableConcurrentJIT().  This makes the code read a little
        cleaner.

        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2014-03-01  Filip Pizlo  <fpizlo@apple.com>

        This shouldn't have been a layout test since it runs only under jsc. Moving it to JSC
        stress tests.

        * tests/stress/generational-opaque-roots.js: Copied from LayoutTests/js/script-tests/generational-opaque-roots.js.

2014-03-01  Andreas Kling  <akling@apple.com>

        JSCell::fastGetOwnProperty() should get the Structure more efficiently.
        <https://webkit.org/b/129560>

        Now that structure() is nontrivial and we have a faster structure(VM&),
        make use of that in fastGetOwnProperty() since we already have VM.

        Reviewed by Sam Weinig.

        * runtime/JSCellInlines.h:
        (JSC::JSCell::fastGetOwnProperty):

2014-03-01  Andreas Kling  <akling@apple.com>

        Avoid going through ExecState for VM when we already have it (in some places.)
        <https://webkit.org/b/129554>

        Tweak some places that jump through unnecessary hoops to get the VM.
        There are many more like this.

        Reviewed by Sam Weinig.

        * runtime/JSObject.cpp:
        (JSC::JSObject::putByIndexBeyondVectorLength):
        (JSC::JSObject::putDirectIndexBeyondVectorLength):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncToString):

2014-02-28  Filip Pizlo  <fpizlo@apple.com>

        FTL should support PhantomArguments
        https://bugs.webkit.org/show_bug.cgi?id=113986

        Reviewed by Oliver Hunt.

        Adding PhantomArguments to the FTL mostly means wiring the recovery of the Arguments
        object into the FTL's OSR exit compiler.

        This isn't a speed-up yet, since there is still more to be done to fully support
        all of the arguments craziness that our varargs benchmarks do.

        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator):
        (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator):
        (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): this is the common place for the recovery code
        * dfg/DFGOSRExitCompilerCommon.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLExitValue.cpp:
        (JSC::FTL::ExitValue::dumpInContext):
        * ftl/FTLExitValue.h:
        (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated):
        (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated):
        (JSC::FTL::ExitValue::valueFormat):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments):
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub): Call into the ArgumentsRecoveryGenerator
        * tests/stress/slightly-more-difficult-to-fold-reflective-arguments-access.js: Added.
759         * tests/stress/trivially-foldable-reflective-arguments-access.js: Added.
760
761 2014-02-28  Filip Pizlo  <fpizlo@apple.com>
762
763         Unreviewed, uncomment some code. It wasn't meant to be commented in the first place.
764
765         * dfg/DFGCSEPhase.cpp:
766         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
767
768 2014-02-28  Andreas Kling  <akling@apple.com>
769
770         JSObject::findPropertyHashEntry() should take VM instead of ExecState.
771         <https://webkit.org/b/129529>
772
773         Callers already have VM in a local, and findPropertyHashEntry() only
774         uses the VM, no need to go all the way through ExecState.
775
776         Reviewed by Geoffrey Garen.
777
778         * runtime/JSObject.cpp:
779         (JSC::JSObject::put):
780         (JSC::JSObject::deleteProperty):
781         (JSC::JSObject::findPropertyHashEntry):
782         * runtime/JSObject.h:
783
784 2014-02-28  Joseph Pecoraro  <pecoraro@apple.com>
785
786         Deadlock remotely inspecting iOS Simulator
787         https://bugs.webkit.org/show_bug.cgi?id=129511
788
789         Reviewed by Timothy Hatcher.
790
791         Avoid synchronous setup. Do it asynchronously, and let
792         the RemoteInspector singleton know later if it failed.
793
794         * inspector/remote/RemoteInspector.h:
795         * inspector/remote/RemoteInspector.mm:
796         (Inspector::RemoteInspector::setupFailed):
797         * inspector/remote/RemoteInspectorDebuggableConnection.h:
798         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
799         (Inspector::RemoteInspectorDebuggableConnection::setup):
800
801 2014-02-28  Oliver Hunt  <oliver@apple.com>
802
803         REGRESSION(r164835): It broke 10 JSC stress test on 32 bit platforms
804         https://bugs.webkit.org/show_bug.cgi?id=129488
805
806         Reviewed by Mark Lam.
807
808         Whoops, modify the right register.
809
810         * jit/JITCall32_64.cpp:
811         (JSC::JIT::compileLoadVarargs):
812
813 2014-02-28  Filip Pizlo  <fpizlo@apple.com>
814
815         FTL should be able to call sin/cos directly on platforms where the intrinsic is busted
816         https://bugs.webkit.org/show_bug.cgi?id=129503
817
818         Reviewed by Mark Lam.
819
820         * ftl/FTLIntrinsicRepository.h:
821         * ftl/FTLOutput.h:
822         (JSC::FTL::Output::doubleSin):
823         (JSC::FTL::Output::doubleCos):
824         (JSC::FTL::Output::intrinsicOrOperation):
825
826 2014-02-28  Mark Hahnenberg  <mhahnenberg@apple.com>
827
828         Fix !ENABLE(GGC) builds
829
830         * heap/Heap.cpp:
831         (JSC::Heap::markRoots):
832         (JSC::Heap::gatherJSStackRoots): Also fix one of the names of the GC phases.
833
834 2014-02-27  Mark Hahnenberg  <mhahnenberg@apple.com>
835
836         Clean up Heap::collect and Heap::markRoots
837         https://bugs.webkit.org/show_bug.cgi?id=129464
838
839         Reviewed by Geoffrey Garen.
840
841         These functions have built up a lot of cruft recently. 
842         We should do a bit of cleanup to make them easier to grok.
843
844         * heap/Heap.cpp:
845         (JSC::Heap::finalizeUnconditionalFinalizers):
846         (JSC::Heap::gatherStackRoots):
847         (JSC::Heap::gatherJSStackRoots):
848         (JSC::Heap::gatherScratchBufferRoots):
849         (JSC::Heap::clearLivenessData):
850         (JSC::Heap::visitSmallStrings):
851         (JSC::Heap::visitConservativeRoots):
852         (JSC::Heap::visitCompilerWorklists):
853         (JSC::Heap::markProtectedObjects):
854         (JSC::Heap::markTempSortVectors):
855         (JSC::Heap::markArgumentBuffers):
856         (JSC::Heap::visitException):
857         (JSC::Heap::visitStrongHandles):
858         (JSC::Heap::visitHandleStack):
859         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
860         (JSC::Heap::converge):
861         (JSC::Heap::visitWeakHandles):
862         (JSC::Heap::clearRememberedSet):
863         (JSC::Heap::updateObjectCounts):
864         (JSC::Heap::resetVisitors):
865         (JSC::Heap::markRoots):
866         (JSC::Heap::copyBackingStores):
867         (JSC::Heap::deleteUnmarkedCompiledCode):
868         (JSC::Heap::collect):
869         (JSC::Heap::collectIfNecessaryOrDefer):
870         (JSC::Heap::suspendCompilerThreads):
871         (JSC::Heap::willStartCollection):
872         (JSC::Heap::deleteOldCode):
873         (JSC::Heap::flushOldStructureIDTables):
874         (JSC::Heap::flushWriteBarrierBuffer):
875         (JSC::Heap::stopAllocation):
876         (JSC::Heap::reapWeakHandles):
877         (JSC::Heap::sweepArrayBuffers):
878         (JSC::Heap::snapshotMarkedSpace):
879         (JSC::Heap::deleteSourceProviderCaches):
880         (JSC::Heap::notifyIncrementalSweeper):
881         (JSC::Heap::rememberCurrentlyExecutingCodeBlocks):
882         (JSC::Heap::resetAllocators):
883         (JSC::Heap::updateAllocationLimits):
884         (JSC::Heap::didFinishCollection):
885         (JSC::Heap::resumeCompilerThreads):
886         * heap/Heap.h:
887
888 2014-02-27  Ryosuke Niwa  <rniwa@webkit.org>
889
890         indexOf and lastIndexOf shouldn't resolve ropes when needle is longer than haystack
891         https://bugs.webkit.org/show_bug.cgi?id=129466
892
893         Reviewed by Michael Saboff.
894
895         Refactored the code to avoid calling JSString::value when needle is longer than haystack.
896
897         * runtime/StringPrototype.cpp:
898         (JSC::stringProtoFuncIndexOf):
899         (JSC::stringProtoFuncLastIndexOf):
900
901 2014-02-27  Timothy Hatcher  <timothy@apple.com>
902
903         Improve how ContentSearchUtilities::lineEndings works by supporting the three common line endings.
904
905         https://bugs.webkit.org/show_bug.cgi?id=129458
906
907         Reviewed by Joseph Pecoraro.
908
909         * inspector/ContentSearchUtilities.cpp:
910         (Inspector::ContentSearchUtilities::textPositionFromOffset): Remove assumption about line ending length.
911         (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Remove assumption about
912         line ending type and don't try to strip the line ending. Use size_t.
913         (Inspector::ContentSearchUtilities::lineEndings): Use findNextLineStart to find the lines.
914         This will include the line ending in the lines, but that is okay.
915         (Inspector::ContentSearchUtilities::buildObjectForSearchMatch): Use size_t.
916         (Inspector::ContentSearchUtilities::searchInTextByLines): Modernize.
917
918 2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>
919
920         [Mac] Warning: Multiple build commands for output file GCSegmentedArray and InspectorAgent
921         https://bugs.webkit.org/show_bug.cgi?id=129446
922
923         Reviewed by Timothy Hatcher.
924
925         Remove duplicate header entries in Copy Header build phase.
926
927         * JavaScriptCore.xcodeproj/project.pbxproj:
928
929 2014-02-27  Oliver Hunt  <oliver@apple.com>
930
931         Whoops, include all of last patch.
932
933         * jit/JITCall32_64.cpp:
934         (JSC::JIT::compileLoadVarargs):
935
936 2014-02-27  Oliver Hunt  <oliver@apple.com>
937
938         Slow cases for function.apply and function.call should not require vm re-entry
939         https://bugs.webkit.org/show_bug.cgi?id=129454
940
941         Reviewed by Geoffrey Garen.
942
943         Implement call and apply using builtins. Happily the use
944         of @call and @apply doesn't perform function equality checks
945         and just plants direct var_args calls. This did expose a few
946         codegen issues, but they're all covered by existing tests
947         once call and apply are implemented in JS.
948
949         * JavaScriptCore.xcodeproj/project.pbxproj:
950         * builtins/Function.prototype.js: Added.
951         (call):
952         (apply):
953         * bytecompiler/NodesCodegen.cpp:
954         (JSC::CallFunctionCallDotNode::emitBytecode):
955         (JSC::ApplyFunctionCallDotNode::emitBytecode):
956         * dfg/DFGCapabilities.cpp:
957         (JSC::DFG::capabilityLevel):
958         * interpreter/Interpreter.cpp:
959         (JSC::sizeFrameForVarargs):
960         (JSC::loadVarargs):
961         * interpreter/Interpreter.h:
962         * jit/JITCall.cpp:
963         (JSC::JIT::compileLoadVarargs):
964         * parser/ASTBuilder.h:
965         (JSC::ASTBuilder::makeFunctionCallNode):
966         * parser/Lexer.cpp:
967         (JSC::isSafeBuiltinIdentifier):
968         * runtime/CommonIdentifiers.h:
969         * runtime/FunctionPrototype.cpp:
970         (JSC::FunctionPrototype::addFunctionProperties):
971         * runtime/JSObject.cpp:
972         (JSC::JSObject::putDirectBuiltinFunction):
973         (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
974         * runtime/JSObject.h:
975
976 2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>
977
978         Web Inspector: Better name for RemoteInspectorDebuggableConnection dispatch queue
979         https://bugs.webkit.org/show_bug.cgi?id=129443
980
981         Reviewed by Timothy Hatcher.
982
983         This queue is specific to the JSContext debuggable connections,
984         there is no XPC involved. Give it a better name.
985
986         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
987         (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
988
989 2014-02-27  David Kilzer  <ddkilzer@apple.com>
990
991         Remove jsc symlink if it already exists
992
993         This is a follow-up fix for:
994
995         Create symlink to /usr/local/bin/jsc during installation
996         <http://webkit.org/b/129399>
997         <rdar://problem/16168734>
998
999         * JavaScriptCore.xcodeproj/project.pbxproj:
1000         (Create /usr/local/bin/jsc symlink): If a jsc symlink already
1001         exists where we're about to create the symlink, remove the old
1002         one first.
1003
1004 2014-02-27  Michael Saboff  <msaboff@apple.com>
1005
1006         Unreviewed build fix for Mac tools after r164814
1007
1008         * Configurations/ToolExecutable.xcconfig:
1009         - Added JavaScriptCore.framework/PrivateHeaders to ToolExecutable include path.
1010         * JavaScriptCore.xcodeproj/project.pbxproj:
1011         - Changed productName to testRegExp for testRegExp target.
1012
1013 2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>
1014
1015         Web Inspector: JSContext inspection should report exceptions in the console
1016         https://bugs.webkit.org/show_bug.cgi?id=128776
1017
1018         Reviewed by Timothy Hatcher.
1019
1020         When JavaScript API functions have an exception, let the inspector
1021         know so it can log the JavaScript and Native backtrace that caused
1022         the exception.
1023
1024         Include some clean up of ConsoleMessage and ScriptCallStack construction.
1025
1026         * API/JSBase.cpp:
1027         (JSEvaluateScript):
1028         (JSCheckScriptSyntax):
1029         * API/JSObjectRef.cpp:
1030         (JSObjectMakeFunction):
1031         (JSObjectMakeArray):
1032         (JSObjectMakeDate):
1033         (JSObjectMakeError):
1034         (JSObjectMakeRegExp):
1035         (JSObjectGetProperty):
1036         (JSObjectSetProperty):
1037         (JSObjectGetPropertyAtIndex):
1038         (JSObjectSetPropertyAtIndex):
1039         (JSObjectDeleteProperty):
1040         (JSObjectCallAsFunction):
1041         (JSObjectCallAsConstructor):
1042         * API/JSValue.mm:
1043         (reportExceptionToInspector):
1044         (valueToArray):
1045         (valueToDictionary):
1046         * API/JSValueRef.cpp:
1047         (JSValueIsEqual):
1048         (JSValueIsInstanceOfConstructor):
1049         (JSValueCreateJSONString):
1050         (JSValueToNumber):
1051         (JSValueToStringCopy):
1052         (JSValueToObject):
1053         When seeing an exception, let the inspector know there was an exception.
1054
1055         * inspector/JSGlobalObjectInspectorController.h:
1056         * inspector/JSGlobalObjectInspectorController.cpp:
1057         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1058         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
1059         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
1060         Log API exceptions by also grabbing the native backtrace.
1061
1062         * inspector/ScriptCallStack.h:
1063         * inspector/ScriptCallStack.cpp:
1064         (Inspector::ScriptCallStack::firstNonNativeCallFrame):
1065         (Inspector::ScriptCallStack::append):
1066         Minor extensions to ScriptCallStack to make it easier to work with.
1067
1068         * inspector/ConsoleMessage.cpp:
1069         (Inspector::ConsoleMessage::ConsoleMessage):
1070         (Inspector::ConsoleMessage::autogenerateMetadata):
1071         Provide better default information if the first call frame was native.
1072
1073         * inspector/ScriptCallStackFactory.cpp:
1074         (Inspector::createScriptCallStack):
1075         (Inspector::extractSourceInformationFromException):
1076         (Inspector::createScriptCallStackFromException):
1077         Perform the handling here of inserting a fake call frame for exceptions
1078         if there was no call stack (e.g. a SyntaxError) or if the first call
1079         frame had no information.
1080
1081         * inspector/ConsoleMessage.cpp:
1082         (Inspector::ConsoleMessage::ConsoleMessage):
1083         (Inspector::ConsoleMessage::autogenerateMetadata):
1084         * inspector/ConsoleMessage.h:
1085         * inspector/ScriptCallStackFactory.cpp:
1086         (Inspector::createScriptCallStack):
1087         (Inspector::createScriptCallStackForConsole):
1088         * inspector/ScriptCallStackFactory.h:
1089         * inspector/agents/InspectorConsoleAgent.cpp:
1090         (Inspector::InspectorConsoleAgent::enable):
1091         (Inspector::InspectorConsoleAgent::addMessageToConsole):
1092         (Inspector::InspectorConsoleAgent::count):
1093         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
1094         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
1095         ConsoleMessage cleanup.
1096
1097 2014-02-27  David Kilzer  <ddkilzer@apple.com>
1098
1099         Create symlink to /usr/local/bin/jsc during installation
1100         <http://webkit.org/b/129399>
1101         <rdar://problem/16168734>
1102
1103         Reviewed by Dan Bernstein.
1104
1105         * JavaScriptCore.xcodeproj/project.pbxproj:
1106         - Add "Create /usr/local/bin/jsc symlink" build phase script to
1107           create the symlink during installation.
1108
1109 2014-02-27  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>
1110
1111         Math.{max, min}() must not return after first NaN value
1112         https://bugs.webkit.org/show_bug.cgi?id=104147
1113
1114         Reviewed by Oliver Hunt.
1115
1116         According to the spec, ToNumber is going to be called on each argument
1117         even if a `NaN` value was already found.
1118
1119         * runtime/MathObject.cpp:
1120         (JSC::mathProtoFuncMax):
1121         (JSC::mathProtoFuncMin):
1122
1123 2014-02-27  Gergo Balogh  <gbalogh.u-szeged@partner.samsung.com>
1124
1125         JSType upper limit (0xff) assertion can be removed.
1126         https://bugs.webkit.org/show_bug.cgi?id=129424
1127
1128         Reviewed by Geoffrey Garen.
1129
1130         * runtime/JSTypeInfo.h:
1131         (JSC::TypeInfo::TypeInfo):
1132
1133 2014-02-26  Michael Saboff  <msaboff@apple.com>
1134
1135         Auto generate bytecode information for bytecode parser and LLInt
1136         https://bugs.webkit.org/show_bug.cgi?id=129181
1137
1138         Reviewed by Mark Lam.
1139
1140         Added new bytecode/BytecodeList.json that contains a list of bytecodes and related
1141         helpers.  It also includes bytecode length and other information used to generate files.
1142         Added a new generator, generate-bytecode-files that generates Bytecodes.h and InitBytecodes.asm
1143         in DerivedSources/JavaScriptCore/.
1144
1145         Added the generation of these files to the "DerivedSource" build step.
1146         Slightly changed the build order, since the Bytecodes.h file is needed by
1147         JSCLLIntOffsetsExtractor.  Moved the offline assembly to a separate step since it needs
1148         to be run after JSCLLIntOffsetsExtractor.
1149
1150         Made related changes to OPCODE macros and their use.
1151
1152         Added JavaScriptCore.framework/PrivateHeaders to header file search path for building
1153         jsc to resolve Mac build issue.
1154
1155         * CMakeLists.txt:
1156         * Configurations/JSC.xcconfig:
1157         * DerivedSources.make:
1158         * GNUmakefile.am:
1159         * GNUmakefile.list.am:
1160         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1161         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1162         * JavaScriptCore.vcxproj/copy-files.cmd:
1163         * JavaScriptCore.xcodeproj/project.pbxproj:
1164         * bytecode/Opcode.h:
1165         (JSC::padOpcodeName):
1166         * llint/LLIntCLoop.cpp:
1167         (JSC::LLInt::CLoop::initialize):
1168         * llint/LLIntCLoop.h:
1169         * llint/LLIntData.cpp:
1170         (JSC::LLInt::initialize):
1171         * llint/LLIntOpcode.h:
1172         * llint/LowLevelInterpreter.asm:
1173
1174 2014-02-27  Julien Brianceau  <jbriance@cisco.com>
1175
1176         Fix 32-bit V_JITOperation_EJ callOperation introduced in r162652.
1177         https://bugs.webkit.org/show_bug.cgi?id=129420
1178
1179         Reviewed by Geoffrey Garen.
1180
1181         * dfg/DFGSpeculativeJIT.h:
1182         (JSC::DFG::SpeculativeJIT::callOperation): Payload and tag are swapped.
1183         Also, EABI_32BIT_DUMMY_ARG is missing for arm EABI and mips.
1184
1185 2014-02-27  Filip Pizlo  <fpizlo@apple.com>
1186
1187         Octane/closure thrashes between flattening dictionaries during global object initialization in a global eval
1188         https://bugs.webkit.org/show_bug.cgi?id=129435
1189
1190         Reviewed by Oliver Hunt.
1191         
1192         This is a 5-10% speed-up on Octane/closure.
1193
1194         * interpreter/Interpreter.cpp:
1195         (JSC::Interpreter::execute):
1196         * jsc.cpp:
1197         (GlobalObject::finishCreation):
1198         (functionClearCodeCache):
1199         * runtime/BatchedTransitionOptimizer.h:
1200         (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
1201         (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
1202
1203 2014-02-27  Alexey Proskuryakov  <ap@apple.com>
1204
1205         Added svn:ignore to two directories, so that .pyc files don't show up as unversioned.
1206
1207         * inspector/scripts: Added property svn:ignore.
1208         * replay/scripts: Added property svn:ignore.
1209
1210 2014-02-27  Gabor Rapcsanyi  <rgabor@webkit.org>
1211
1212         r164764 broke the ARM build
1213         https://bugs.webkit.org/show_bug.cgi?id=129415
1214
1215         Reviewed by Zoltan Herczeg.
1216
1217         * assembler/MacroAssemblerARM.h:
1218         (JSC::MacroAssemblerARM::moveWithPatch): Change reinterpret_cast to static_cast.
1219         (JSC::MacroAssemblerARM::canJumpReplacePatchableBranch32WithPatch): Add missing function.
1220         (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress): Add missing function.
1221         (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch): Add missing function.
1222
1223 2014-02-27  Mark Hahnenberg  <mhahnenberg@apple.com>
1224
1225         r164764 broke the ARM build
1226         https://bugs.webkit.org/show_bug.cgi?id=129415
1227
1228         Reviewed by Geoffrey Garen.
1229
1230         * assembler/MacroAssemblerARM.h:
1231         (JSC::MacroAssemblerARM::moveWithPatch):
1232
1233 2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>
1234
1235         r164764 broke the ARM build
1236         https://bugs.webkit.org/show_bug.cgi?id=129415
1237
1238         Reviewed by Geoffrey Garen.
1239
1240         * assembler/MacroAssemblerARM.h:
1241         (JSC::MacroAssemblerARM::branch32WithPatch): Missing this function.
1242
1243 2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>
1244
1245         EFL build fix
1246
1247         * dfg/DFGSpeculativeJIT32_64.cpp: Remove unused variables.
1248         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1249         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1250
1251 2014-02-25  Mark Hahnenberg  <mhahnenberg@apple.com>
1252
1253         Make JSCells have 32-bit Structure pointers
1254         https://bugs.webkit.org/show_bug.cgi?id=123195
1255
1256         Reviewed by Filip Pizlo.
1257
1258         This patch changes JSCells such that they no longer have a full 64-bit Structure
1259         pointer in their header. Instead they now have a 32-bit index into
1260         a per-VM table of Structure pointers. 32-bit platforms still use normal Structure
1261         pointers.
1262
1263         This change frees up an additional 32 bits of information in our object headers.
1264         We then use this extra space to store the indexing type of the object, the JSType
1265         of the object, some various type flags, and garbage collection data (e.g. mark bit).
1266         Because this inline type information is now faster to read, it pays for the slowdown 
1267         incurred by having to perform an extra indirection through the StructureIDTable.
1268
1269         This patch also threads a reference to the current VM through more of the C++ runtime
1270         to offset the cost of having to look up the VM to get the actual Structure pointer.
1271
1272         * API/JSContext.mm:
1273         (-[JSContext setException:]):
1274         (-[JSContext wrapperForObjCObject:]):
1275         (-[JSContext wrapperForJSObject:]):
1276         * API/JSContextRef.cpp:
1277         (JSContextGroupRelease):
1278         (JSGlobalContextRelease):
1279         * API/JSObjectRef.cpp:
1280         (JSObjectIsFunction):
1281         (JSObjectCopyPropertyNames):
1282         * API/JSValue.mm:
1283         (containerValueToObject):
1284         * API/JSWrapperMap.mm:
1285         (tryUnwrapObjcObject):
1286         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1287         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1288         * JavaScriptCore.xcodeproj/project.pbxproj:
1289         * assembler/AbstractMacroAssembler.h:
1290         * assembler/MacroAssembler.h:
1291         (JSC::MacroAssembler::patchableBranch32WithPatch):
1292         (JSC::MacroAssembler::patchableBranch32):
1293         * assembler/MacroAssemblerARM64.h:
1294         (JSC::MacroAssemblerARM64::branchPtrWithPatch):
1295         (JSC::MacroAssemblerARM64::patchableBranch32WithPatch):
1296         (JSC::MacroAssemblerARM64::canJumpReplacePatchableBranch32WithPatch):
1297         (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
1298         (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
1299         * assembler/MacroAssemblerARMv7.h:
1300         (JSC::MacroAssemblerARMv7::store8):
1301         (JSC::MacroAssemblerARMv7::branch32WithPatch):
1302         (JSC::MacroAssemblerARMv7::patchableBranch32WithPatch):
1303         (JSC::MacroAssemblerARMv7::canJumpReplacePatchableBranch32WithPatch):
1304         (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
1305         (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
1306         * assembler/MacroAssemblerX86.h:
1307         (JSC::MacroAssemblerX86::branch32WithPatch):
1308         (JSC::MacroAssemblerX86::canJumpReplacePatchableBranch32WithPatch):
1309         (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
1310         (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
1311         * assembler/MacroAssemblerX86_64.h:
1312         (JSC::MacroAssemblerX86_64::store32):
1313         (JSC::MacroAssemblerX86_64::moveWithPatch):
1314         (JSC::MacroAssemblerX86_64::branch32WithPatch):
1315         (JSC::MacroAssemblerX86_64::canJumpReplacePatchableBranch32WithPatch):
1316         (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
1317         (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
1318         (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
1319         * assembler/RepatchBuffer.h:
1320         (JSC::RepatchBuffer::startOfPatchableBranch32WithPatchOnAddress):
1321         (JSC::RepatchBuffer::revertJumpReplacementToPatchableBranch32WithPatch):
1322         * assembler/X86Assembler.h:
1323         (JSC::X86Assembler::revertJumpTo_movq_i64r):
1324         (JSC::X86Assembler::revertJumpTo_movl_i32r):
1325         * bytecode/ArrayProfile.cpp:
1326         (JSC::ArrayProfile::computeUpdatedPrediction):
1327         * bytecode/ArrayProfile.h:
1328         (JSC::ArrayProfile::ArrayProfile):
1329         (JSC::ArrayProfile::addressOfLastSeenStructureID):
1330         (JSC::ArrayProfile::observeStructure):
1331         * bytecode/CodeBlock.h:
1332         (JSC::CodeBlock::heap):
1333         * bytecode/UnlinkedCodeBlock.h:
1334         * debugger/Debugger.h:
1335         * dfg/DFGAbstractHeap.h:
1336         * dfg/DFGArrayifySlowPathGenerator.h:
1337         * dfg/DFGClobberize.h:
1338         (JSC::DFG::clobberize):
1339         * dfg/DFGJITCompiler.h:
1340         (JSC::DFG::JITCompiler::branchWeakStructure):
1341         (JSC::DFG::JITCompiler::branchStructurePtr):
1342         * dfg/DFGOSRExitCompiler32_64.cpp:
1343         (JSC::DFG::OSRExitCompiler::compileExit):
1344         * dfg/DFGOSRExitCompiler64.cpp:
1345         (JSC::DFG::OSRExitCompiler::compileExit):
1346         * dfg/DFGOSRExitCompilerCommon.cpp:
1347         (JSC::DFG::osrWriteBarrier):
1348         (JSC::DFG::adjustAndJumpToTarget):
1349         * dfg/DFGOperations.cpp:
1350         (JSC::DFG::putByVal):
1351         * dfg/DFGSpeculativeJIT.cpp:
1352         (JSC::DFG::SpeculativeJIT::checkArray):
1353         (JSC::DFG::SpeculativeJIT::arrayify):
1354         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
1355         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
1356         (JSC::DFG::SpeculativeJIT::compileInstanceOf):
1357         (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
1358         (JSC::DFG::SpeculativeJIT::speculateObject):
1359         (JSC::DFG::SpeculativeJIT::speculateFinalObject):
1360         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
1361         (JSC::DFG::SpeculativeJIT::speculateString):
1362         (JSC::DFG::SpeculativeJIT::speculateStringObject):
1363         (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
1364         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
1365         (JSC::DFG::SpeculativeJIT::emitSwitchString):
1366         (JSC::DFG::SpeculativeJIT::genericWriteBarrier):
1367         (JSC::DFG::SpeculativeJIT::writeBarrier):
1368         * dfg/DFGSpeculativeJIT.h:
1369         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
1370         (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
1371         * dfg/DFGSpeculativeJIT32_64.cpp:
1372         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
1373         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
1374         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1375         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1376         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1377         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1378         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1379         (JSC::DFG::SpeculativeJIT::compile):
1380         (JSC::DFG::SpeculativeJIT::writeBarrier):
1381         * dfg/DFGSpeculativeJIT64.cpp:
1382         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
1383         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
1384         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1385         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1386         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1387         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1388         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1389         (JSC::DFG::SpeculativeJIT::compile):
1390         (JSC::DFG::SpeculativeJIT::writeBarrier):
1391         * dfg/DFGWorklist.cpp:
1392         * ftl/FTLAbstractHeapRepository.cpp:
1393         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
1394         * ftl/FTLAbstractHeapRepository.h:
1395         * ftl/FTLLowerDFGToLLVM.cpp:
1396         (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
1397         (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
1398         (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
1399         (JSC::FTL::LowerDFGToLLVM::compileToString):
1400         (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
1401         (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
1402         (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
1403         (JSC::FTL::LowerDFGToLLVM::allocateCell):
1404         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
1405         (JSC::FTL::LowerDFGToLLVM::isObject):
1406         (JSC::FTL::LowerDFGToLLVM::isString):
1407         (JSC::FTL::LowerDFGToLLVM::isArrayType):
1408         (JSC::FTL::LowerDFGToLLVM::hasClassInfo):
1409         (JSC::FTL::LowerDFGToLLVM::isType):
1410         (JSC::FTL::LowerDFGToLLVM::speculateStringOrStringObject):
1411         (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForCell):
1412         (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
1413         (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
1414         (JSC::FTL::LowerDFGToLLVM::loadMarkByte):
1415         (JSC::FTL::LowerDFGToLLVM::loadStructure):
1416         (JSC::FTL::LowerDFGToLLVM::weakStructure):
1417         * ftl/FTLOSRExitCompiler.cpp:
1418         (JSC::FTL::compileStub):
1419         * ftl/FTLOutput.h:
1420         (JSC::FTL::Output::store8):
1421         * heap/GCAssertions.h:
1422         * heap/Heap.cpp:
1423         (JSC::Heap::getConservativeRegisterRoots):
1424         (JSC::Heap::collect):
1425         (JSC::Heap::writeBarrier):
1426         * heap/Heap.h:
1427         (JSC::Heap::structureIDTable):
1428         * heap/MarkedSpace.h:
1429         (JSC::MarkedSpace::forEachBlock):
1430         * heap/SlotVisitorInlines.h:
1431         (JSC::SlotVisitor::internalAppend):
1432         * jit/AssemblyHelpers.h:
1433         (JSC::AssemblyHelpers::branchIfCellNotObject):
1434         (JSC::AssemblyHelpers::genericWriteBarrier):
1435         (JSC::AssemblyHelpers::emitLoadStructure):
1436         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
1437         * jit/JIT.h:
1438         * jit/JITCall.cpp:
1439         (JSC::JIT::compileOpCall):
1440         (JSC::JIT::privateCompileClosureCall):
1441         * jit/JITCall32_64.cpp:
1442         (JSC::JIT::emit_op_ret_object_or_this):
1443         (JSC::JIT::compileOpCall):
1444         (JSC::JIT::privateCompileClosureCall):
1445         * jit/JITInlineCacheGenerator.cpp:
1446         (JSC::JITByIdGenerator::generateFastPathChecks):
1447         * jit/JITInlineCacheGenerator.h:
1448         * jit/JITInlines.h:
1449         (JSC::JIT::emitLoadCharacterString):
1450         (JSC::JIT::checkStructure):
1451         (JSC::JIT::emitJumpIfCellNotObject):
1452         (JSC::JIT::emitAllocateJSObject):
1453         (JSC::JIT::emitArrayProfilingSiteWithCell):
1454         (JSC::JIT::emitArrayProfilingSiteForBytecodeIndexWithCell):
1455         (JSC::JIT::branchStructure):
1456         (JSC::branchStructure):
1457         * jit/JITOpcodes.cpp:
1458         (JSC::JIT::emit_op_check_has_instance):
1459         (JSC::JIT::emit_op_instanceof):
1460         (JSC::JIT::emit_op_is_undefined):
1461         (JSC::JIT::emit_op_is_string):
1462         (JSC::JIT::emit_op_ret_object_or_this):
1463         (JSC::JIT::emit_op_to_primitive):
1464         (JSC::JIT::emit_op_jeq_null):
1465         (JSC::JIT::emit_op_jneq_null):
1466         (JSC::JIT::emit_op_get_pnames):
1467         (JSC::JIT::emit_op_next_pname):
1468         (JSC::JIT::emit_op_eq_null):
1469         (JSC::JIT::emit_op_neq_null):
1470         (JSC::JIT::emit_op_to_this):
1471         (JSC::JIT::emitSlow_op_to_this):
1472         * jit/JITOpcodes32_64.cpp:
1473         (JSC::JIT::emit_op_check_has_instance):
1474         (JSC::JIT::emit_op_instanceof):
1475         (JSC::JIT::emit_op_is_undefined):
1476         (JSC::JIT::emit_op_is_string):
1477         (JSC::JIT::emit_op_to_primitive):
1478         (JSC::JIT::emit_op_jeq_null):
1479         (JSC::JIT::emit_op_jneq_null):
1480         (JSC::JIT::emitSlow_op_eq):
1481         (JSC::JIT::emitSlow_op_neq):
1482         (JSC::JIT::compileOpStrictEq):
1483         (JSC::JIT::emit_op_eq_null):
1484         (JSC::JIT::emit_op_neq_null):
1485         (JSC::JIT::emit_op_get_pnames):
1486         (JSC::JIT::emit_op_next_pname):
1487         (JSC::JIT::emit_op_to_this):
1488         * jit/JITOperations.cpp:
1489         * jit/JITPropertyAccess.cpp:
1490         (JSC::JIT::stringGetByValStubGenerator):
1491         (JSC::JIT::emit_op_get_by_val):
1492         (JSC::JIT::emitSlow_op_get_by_val):
1493         (JSC::JIT::emit_op_get_by_pname):
1494         (JSC::JIT::emit_op_put_by_val):
1495         (JSC::JIT::emit_op_get_by_id):
1496         (JSC::JIT::emitLoadWithStructureCheck):
1497         (JSC::JIT::emitSlow_op_get_from_scope):
1498         (JSC::JIT::emitSlow_op_put_to_scope):
1499         (JSC::JIT::checkMarkWord):
1500         (JSC::JIT::emitWriteBarrier):
1501         (JSC::JIT::addStructureTransitionCheck):
1502         (JSC::JIT::emitIntTypedArrayGetByVal):
1503         (JSC::JIT::emitFloatTypedArrayGetByVal):
1504         (JSC::JIT::emitIntTypedArrayPutByVal):
1505         (JSC::JIT::emitFloatTypedArrayPutByVal):
1506         * jit/JITPropertyAccess32_64.cpp:
1507         (JSC::JIT::stringGetByValStubGenerator):
1508         (JSC::JIT::emit_op_get_by_val):
1509         (JSC::JIT::emitSlow_op_get_by_val):
1510         (JSC::JIT::emit_op_put_by_val):
1511         (JSC::JIT::emit_op_get_by_id):
1512         (JSC::JIT::emit_op_get_by_pname):
1513         (JSC::JIT::emitLoadWithStructureCheck):
1514         * jit/JSInterfaceJIT.h:
1515         (JSC::JSInterfaceJIT::emitJumpIfNotType):
1516         * jit/Repatch.cpp:
1517         (JSC::repatchByIdSelfAccess):
1518         (JSC::addStructureTransitionCheck):
1519         (JSC::replaceWithJump):
1520         (JSC::generateProtoChainAccessStub):
1521         (JSC::tryCacheGetByID):
1522         (JSC::tryBuildGetByIDList):
1523         (JSC::writeBarrier):
1524         (JSC::emitPutReplaceStub):
1525         (JSC::emitPutTransitionStub):
1526         (JSC::tryBuildPutByIdList):
1527         (JSC::tryRepatchIn):
1528         (JSC::linkClosureCall):
1529         (JSC::resetGetByID):
1530         (JSC::resetPutByID):
1531         * jit/SpecializedThunkJIT.h:
1532         (JSC::SpecializedThunkJIT::loadJSStringArgument):
1533         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
1534         * jit/ThunkGenerators.cpp:
1535         (JSC::virtualForThunkGenerator):
1536         (JSC::arrayIteratorNextThunkGenerator):
1537         * jit/UnusedPointer.h:
1538         * llint/LowLevelInterpreter.asm:
1539         * llint/LowLevelInterpreter32_64.asm:
1540         * llint/LowLevelInterpreter64.asm:
1541         * runtime/Arguments.cpp:
1542         (JSC::Arguments::createStrictModeCallerIfNecessary):
1543         (JSC::Arguments::createStrictModeCalleeIfNecessary):
1544         * runtime/Arguments.h:
1545         (JSC::Arguments::createStructure):
1546         * runtime/ArrayPrototype.cpp:
1547         (JSC::shift):
1548         (JSC::unshift):
1549         (JSC::arrayProtoFuncToString):
1550         (JSC::arrayProtoFuncPop):
1551         (JSC::arrayProtoFuncReverse):
1552         (JSC::performSlowSort):
1553         (JSC::arrayProtoFuncSort):
1554         (JSC::arrayProtoFuncSplice):
1555         (JSC::arrayProtoFuncUnShift):
1556         * runtime/CommonSlowPaths.cpp:
1557         (JSC::SLOW_PATH_DECL):
1558         * runtime/Executable.h:
1559         (JSC::ExecutableBase::isFunctionExecutable):
1560         (JSC::ExecutableBase::clearCodeVirtual):
1561         (JSC::ScriptExecutable::unlinkCalls):
1562         * runtime/GetterSetter.cpp:
1563         (JSC::callGetter):
1564         (JSC::callSetter):
1565         * runtime/InitializeThreading.cpp:
1566         * runtime/JSArray.cpp:
1567         (JSC::JSArray::unshiftCountSlowCase):
1568         (JSC::JSArray::setLength):
1569         (JSC::JSArray::pop):
1570         (JSC::JSArray::push):
1571         (JSC::JSArray::shiftCountWithArrayStorage):
1572         (JSC::JSArray::shiftCountWithAnyIndexingType):
1573         (JSC::JSArray::unshiftCountWithArrayStorage):
1574         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1575         (JSC::JSArray::sortNumericVector):
1576         (JSC::JSArray::sortNumeric):
1577         (JSC::JSArray::sortCompactedVector):
1578         (JSC::JSArray::sort):
1579         (JSC::JSArray::sortVector):
1580         (JSC::JSArray::fillArgList):
1581         (JSC::JSArray::copyToArguments):
1582         (JSC::JSArray::compactForSorting):
1583         * runtime/JSCJSValueInlines.h:
1584         (JSC::JSValue::toThis):
1585         (JSC::JSValue::put):
1586         (JSC::JSValue::putByIndex):
1587         (JSC::JSValue::equalSlowCaseInline):
1588         * runtime/JSCell.cpp:
1589         (JSC::JSCell::put):
1590         (JSC::JSCell::putByIndex):
1591         (JSC::JSCell::deleteProperty):
1592         (JSC::JSCell::deletePropertyByIndex):
1593         * runtime/JSCell.h:
1594         (JSC::JSCell::clearStructure):
1595         (JSC::JSCell::mark):
1596         (JSC::JSCell::isMarked):
1597         (JSC::JSCell::structureIDOffset):
1598         (JSC::JSCell::typeInfoFlagsOffset):
1599         (JSC::JSCell::typeInfoTypeOffset):
1600         (JSC::JSCell::indexingTypeOffset):
1601         (JSC::JSCell::gcDataOffset):
1602         * runtime/JSCellInlines.h:
1603         (JSC::JSCell::JSCell):
1604         (JSC::JSCell::finishCreation):
1605         (JSC::JSCell::type):
1606         (JSC::JSCell::indexingType):
1607         (JSC::JSCell::structure):
1608         (JSC::JSCell::visitChildren):
1609         (JSC::JSCell::isObject):
1610         (JSC::JSCell::isString):
1611         (JSC::JSCell::isGetterSetter):
1612         (JSC::JSCell::isProxy):
1613         (JSC::JSCell::isAPIValueWrapper):
1614         (JSC::JSCell::setStructure):
1615         (JSC::JSCell::methodTable):
1616         (JSC::Heap::writeBarrier):
1617         * runtime/JSDataView.cpp:
1618         (JSC::JSDataView::createStructure):
1619         * runtime/JSDestructibleObject.h:
1620         (JSC::JSCell::classInfo):
1621         * runtime/JSFunction.cpp:
1622         (JSC::JSFunction::getOwnNonIndexPropertyNames):
1623         (JSC::JSFunction::put):
1624         (JSC::JSFunction::defineOwnProperty):
1625         * runtime/JSGenericTypedArrayView.h:
1626         (JSC::JSGenericTypedArrayView::createStructure):
1627         * runtime/JSObject.cpp:
1628         (JSC::getCallableObjectSlow):
1629         (JSC::JSObject::copyButterfly):
1630         (JSC::JSObject::visitButterfly):
1631         (JSC::JSFinalObject::visitChildren):
1632         (JSC::JSObject::getOwnPropertySlotByIndex):
1633         (JSC::JSObject::put):
1634         (JSC::JSObject::putByIndex):
1635         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
1636         (JSC::JSObject::enterDictionaryIndexingMode):
1637         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
1638         (JSC::JSObject::createInitialIndexedStorage):
1639         (JSC::JSObject::createInitialUndecided):
1640         (JSC::JSObject::createInitialInt32):
1641         (JSC::JSObject::createInitialDouble):
1642         (JSC::JSObject::createInitialContiguous):
1643         (JSC::JSObject::createArrayStorage):
1644         (JSC::JSObject::convertUndecidedToInt32):
1645         (JSC::JSObject::convertUndecidedToDouble):
1646         (JSC::JSObject::convertUndecidedToContiguous):
1647         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
1648         (JSC::JSObject::convertUndecidedToArrayStorage):
1649         (JSC::JSObject::convertInt32ToDouble):
1650         (JSC::JSObject::convertInt32ToContiguous):
1651         (JSC::JSObject::convertInt32ToArrayStorage):
1652         (JSC::JSObject::genericConvertDoubleToContiguous):
1653         (JSC::JSObject::convertDoubleToArrayStorage):
1654         (JSC::JSObject::convertContiguousToArrayStorage):
1655         (JSC::JSObject::ensureInt32Slow):
1656         (JSC::JSObject::ensureDoubleSlow):
1657         (JSC::JSObject::ensureContiguousSlow):
1658         (JSC::JSObject::ensureArrayStorageSlow):
1659         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
1660         (JSC::JSObject::switchToSlowPutArrayStorage):
1661         (JSC::JSObject::setPrototype):
1662         (JSC::JSObject::setPrototypeWithCycleCheck):
1663         (JSC::JSObject::putDirectNonIndexAccessor):
1664         (JSC::JSObject::deleteProperty):
1665         (JSC::JSObject::hasOwnProperty):
1666         (JSC::JSObject::deletePropertyByIndex):
1667         (JSC::JSObject::getPrimitiveNumber):
1668         (JSC::JSObject::hasInstance):
1669         (JSC::JSObject::getPropertySpecificValue):
1670         (JSC::JSObject::getPropertyNames):
1671         (JSC::JSObject::getOwnPropertyNames):
1672         (JSC::JSObject::getOwnNonIndexPropertyNames):
1673         (JSC::JSObject::seal):
1674         (JSC::JSObject::freeze):
1675         (JSC::JSObject::preventExtensions):
1676         (JSC::JSObject::reifyStaticFunctionsForDelete):
1677         (JSC::JSObject::removeDirect):
1678         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1679         (JSC::JSObject::putByIndexBeyondVectorLength):
1680         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
1681         (JSC::JSObject::putDirectIndexBeyondVectorLength):
1682         (JSC::JSObject::getNewVectorLength):
1683         (JSC::JSObject::countElements):
1684         (JSC::JSObject::increaseVectorLength):
1685         (JSC::JSObject::ensureLengthSlow):
1686         (JSC::JSObject::growOutOfLineStorage):
1687         (JSC::JSObject::getOwnPropertyDescriptor):
1688         (JSC::putDescriptor):
1689         (JSC::JSObject::defineOwnNonIndexProperty):
1690         * runtime/JSObject.h:
1691         (JSC::getJSFunction):
1692         (JSC::JSObject::getArrayLength):
1693         (JSC::JSObject::getVectorLength):
1694         (JSC::JSObject::putByIndexInline):
1695         (JSC::JSObject::canGetIndexQuickly):
1696         (JSC::JSObject::getIndexQuickly):
1697         (JSC::JSObject::tryGetIndexQuickly):
1698         (JSC::JSObject::getDirectIndex):
1699         (JSC::JSObject::canSetIndexQuickly):
1700         (JSC::JSObject::canSetIndexQuicklyForPutDirect):
1701         (JSC::JSObject::setIndexQuickly):
1702         (JSC::JSObject::initializeIndex):
1703         (JSC::JSObject::hasSparseMap):
1704         (JSC::JSObject::inSparseIndexingMode):
1705         (JSC::JSObject::getDirect):
1706         (JSC::JSObject::getDirectOffset):
1707         (JSC::JSObject::isSealed):
1708         (JSC::JSObject::isFrozen):
1709         (JSC::JSObject::flattenDictionaryObject):
1710         (JSC::JSObject::ensureInt32):
1711         (JSC::JSObject::ensureDouble):
1712         (JSC::JSObject::ensureContiguous):
1713         (JSC::JSObject::rageEnsureContiguous):
1714         (JSC::JSObject::ensureArrayStorage):
1715         (JSC::JSObject::arrayStorage):
1716         (JSC::JSObject::arrayStorageOrNull):
1717         (JSC::JSObject::ensureLength):
1718         (JSC::JSObject::currentIndexingData):
1719         (JSC::JSObject::getHolyIndexQuickly):
1720         (JSC::JSObject::currentRelevantLength):
1721         (JSC::JSObject::isGlobalObject):
1722         (JSC::JSObject::isVariableObject):
1723         (JSC::JSObject::isStaticScopeObject):
1724         (JSC::JSObject::isNameScopeObject):
1725         (JSC::JSObject::isActivationObject):
1726         (JSC::JSObject::isErrorInstance):
1727         (JSC::JSObject::inlineGetOwnPropertySlot):
1728         (JSC::JSObject::fastGetOwnPropertySlot):
1729         (JSC::JSObject::getPropertySlot):
1730         (JSC::JSObject::putDirectInternal):
1731         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
1732         * runtime/JSPropertyNameIterator.h:
1733         (JSC::JSPropertyNameIterator::createStructure):
1734         * runtime/JSProxy.cpp:
1735         (JSC::JSProxy::getOwnPropertySlot):
1736         (JSC::JSProxy::getOwnPropertySlotByIndex):
1737         (JSC::JSProxy::put):
1738         (JSC::JSProxy::putByIndex):
1739         (JSC::JSProxy::defineOwnProperty):
1740         (JSC::JSProxy::deleteProperty):
1741         (JSC::JSProxy::deletePropertyByIndex):
1742         (JSC::JSProxy::getPropertyNames):
1743         (JSC::JSProxy::getOwnPropertyNames):
1744         * runtime/JSScope.cpp:
1745         (JSC::JSScope::objectAtScope):
1746         * runtime/JSString.h:
1747         (JSC::JSString::createStructure):
1748         (JSC::isJSString):
1749         * runtime/JSType.h:
1750         * runtime/JSTypeInfo.h:
1751         (JSC::TypeInfo::TypeInfo):
1752         (JSC::TypeInfo::isObject):
1753         (JSC::TypeInfo::structureIsImmortal):
1754         (JSC::TypeInfo::zeroedGCDataOffset):
1755         (JSC::TypeInfo::inlineTypeFlags):
1756         * runtime/MapData.h:
1757         * runtime/ObjectConstructor.cpp:
1758         (JSC::objectConstructorGetOwnPropertyNames):
1759         (JSC::objectConstructorKeys):
1760         (JSC::objectConstructorDefineProperty):
1761         (JSC::defineProperties):
1762         (JSC::objectConstructorSeal):
1763         (JSC::objectConstructorFreeze):
1764         (JSC::objectConstructorIsSealed):
1765         (JSC::objectConstructorIsFrozen):
1766         * runtime/ObjectPrototype.cpp:
1767         (JSC::objectProtoFuncDefineGetter):
1768         (JSC::objectProtoFuncDefineSetter):
1769         (JSC::objectProtoFuncToString):
1770         * runtime/Operations.cpp:
1771         (JSC::jsTypeStringForValue):
1772         (JSC::jsIsObjectType):
1773         * runtime/Operations.h:
1774         (JSC::normalizePrototypeChainForChainAccess):
1775         (JSC::normalizePrototypeChain):
1776         * runtime/PropertyMapHashTable.h:
1777         (JSC::PropertyTable::createStructure):
1778         * runtime/RegExp.h:
1779         (JSC::RegExp::createStructure):
1780         * runtime/SparseArrayValueMap.h:
1781         * runtime/Structure.cpp:
1782         (JSC::Structure::Structure):
1783         (JSC::Structure::~Structure):
1784         (JSC::Structure::prototypeChainMayInterceptStoreTo):
1785         * runtime/Structure.h:
1786         (JSC::Structure::id):
1787         (JSC::Structure::idBlob):
1788         (JSC::Structure::objectInitializationFields):
1789         (JSC::Structure::structureIDOffset):
1790         * runtime/StructureChain.h:
1791         (JSC::StructureChain::createStructure):
1792         * runtime/StructureIDTable.cpp: Added.
1793         (JSC::StructureIDTable::StructureIDTable):
1794         (JSC::StructureIDTable::~StructureIDTable):
1795         (JSC::StructureIDTable::resize):
1796         (JSC::StructureIDTable::flushOldTables):
1797         (JSC::StructureIDTable::allocateID):
1798         (JSC::StructureIDTable::deallocateID):
1799         * runtime/StructureIDTable.h: Added.
1800         (JSC::StructureIDTable::base):
1801         (JSC::StructureIDTable::get):
1802         * runtime/SymbolTable.h:
1803         * runtime/TypedArrayType.cpp:
1804         (JSC::typeForTypedArrayType):
1805         * runtime/TypedArrayType.h:
1806         * runtime/WeakMapData.h:
1807
1808 2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>
1809
1810         Unconditional logging in compileFTLOSRExit
1811         https://bugs.webkit.org/show_bug.cgi?id=129407
1812
1813         Reviewed by Michael Saboff.
1814
1815         This was causing tests to fail with the FTL enabled.
1816
1817         * ftl/FTLOSRExitCompiler.cpp:
1818         (JSC::FTL::compileFTLOSRExit):
1819
1820 2014-02-26  Oliver Hunt  <oliver@apple.com>
1821
1822         Remove unused access types
1823         https://bugs.webkit.org/show_bug.cgi?id=129385
1824
1825         Reviewed by Filip Pizlo.
1826
1827         Remove unused cruft.
1828
1829         * bytecode/CodeBlock.cpp:
1830         (JSC::CodeBlock::printGetByIdCacheStatus):
1831         * bytecode/StructureStubInfo.cpp:
1832         (JSC::StructureStubInfo::deref):
1833         * bytecode/StructureStubInfo.h:
1834         (JSC::isGetByIdAccess):
1835         (JSC::isPutByIdAccess):
1836
1837 2014-02-26  Oliver Hunt  <oliver@apple.com>
1838
1839         Function.prototype.apply has a bad time with the spread operator
1840         https://bugs.webkit.org/show_bug.cgi?id=129381
1841
1842         Reviewed by Mark Hahnenberg.
1843
1844         Make sure our apply logic handles the spread operator correctly.
1845         To do this we simply emit the enumeration logic that we'd normally
1846         use for other enumerations, but only store the first two results
1847         to registers.  Then perform a varargs call.
1848
1849         * bytecompiler/NodesCodegen.cpp:
1850         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1851
1852 2014-02-26  Mark Lam  <mark.lam@apple.com>
1853
1854         Compilation policy management belongs in operationOptimize(), not the DFG Driver.
1855         <https://webkit.org/b/129355>
1856
1857         Reviewed by Filip Pizlo.
1858
1859         By compilation policy, I mean the rules for determining whether to
1860         compile, when to compile, when to attempt compilation again, etc.  The
1861         few of these policy decisions that were previously being made in the
1862         DFG driver are now moved to operationOptimize() where we keep the rest
1863         of the policy logic.  Decisions that are based on the capabilities
1864         supported by the DFG are moved to DFG capabilityLevel().
1865
1866         I've run the following benchmarks:
1867         1. the collection of jsc benchmarks on the jsc executable vs. its
1868            baseline.
1869         2. Octane 2.0 in browser without the WebInspector.
1870         3. Octane 2.0 in browser with the WebInspector open and a breakpoint
1871            set somewhere where it won't break.
1872
1873         In all of these, the results came out to be a wash as expected.
1874
1875         * dfg/DFGCapabilities.cpp:
1876         (JSC::DFG::isSupported):
1877         (JSC::DFG::mightCompileEval):
1878         (JSC::DFG::mightCompileProgram):
1879         (JSC::DFG::mightCompileFunctionForCall):
1880         (JSC::DFG::mightCompileFunctionForConstruct):
1881         (JSC::DFG::mightInlineFunctionForCall):
1882         (JSC::DFG::mightInlineFunctionForClosureCall):
1883         (JSC::DFG::mightInlineFunctionForConstruct):
1884         * dfg/DFGCapabilities.h:
1885         * dfg/DFGDriver.cpp:
1886         (JSC::DFG::compileImpl):
1887         * jit/JITOperations.cpp:
1888
1889 2014-02-26  Mark Lam  <mark.lam@apple.com>
1890
1891         ASSERTION FAILED: m_heap->vm()->currentThreadIsHoldingAPILock() in inspector-protocol/*.
1892         <https://webkit.org/b/129364>
1893
1894         Reviewed by Alexey Proskuryakov.
1895
1896         InjectedScriptModule::ensureInjected() needs an APIEntryShim.
1897
1898         * inspector/InjectedScriptModule.cpp:
1899         (Inspector::InjectedScriptModule::ensureInjected):
1900         - Added the needed but missing APIEntryShim.
1901
1902 2014-02-25  Mark Lam  <mark.lam@apple.com>
1903
1904         Web Inspector: CRASH when evaluating in console of JSContext RWI with disabled breakpoints.
1905         <https://webkit.org/b/128766>
1906
1907         Reviewed by Geoffrey Garen.
1908
1909         Make the JSLock::grabAllLocks() work the same way as for the C loop LLINT.
1910         The reasoning is that we don't know of any clients that need unordered
1911         re-entry into the VM from different threads. So, we're enforcing ordered
1912         re-entry i.e. we must re-grab locks in the reverse order of dropping locks.
1913
1914         The crash in this bug happened because we were allowing unordered re-entry,
1915         and the following type of scenario occurred:
1916
1917         1. Thread T1 locks the VM, and enters the VM to execute some JS code.
1918         2. On entry, T1 detects that VM::m_entryScope is null i.e. this is the
1919            first time it entered the VM.
1920            T1 sets VM::m_entryScope to T1's entryScope.
1921         3. T1 drops all locks.
1922
1923         4. Thread T2 locks the VM, and enters the VM to execute some JS code.
1924            On entry, T2 sees that VM::m_entryScope is NOT null, and therefore
1925            does not set the entryScope.
1926         5. T2 drops all locks.
1927
1928         6. T1 re-grabs locks.
1929         7. T1 returns all the way out of JS code. On exit from the outermost
1930            JS function, T1 clears VM::m_entryScope (because T1 was the one who
1931            set it).
1932         8. T1 unlocks the VM.
1933
1934         9. T2 re-grabs locks.
1935         10. T2 proceeds to execute some code and expects VM::m_entryScope to be
1936             NOT null, but it turns out to be null. Assertion failures and
1937             crashes ensue.
1938
1939         With ordered re-entry, at step 6, T1 will loop and yield until T2 exits
1940         the VM. Hence, the issue will no longer manifest.
1941
1942         * runtime/JSLock.cpp:
1943         (JSC::JSLock::dropAllLocks):
1944         (JSC::JSLock::grabAllLocks):
1945         * runtime/JSLock.h:
1946         (JSC::JSLock::DropAllLocks::dropDepth):
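
The ten-step interleaving above, replayed in a small cooperative model. This is an added illustration, not JavaScriptCore code: VMModel, dropAllLocks, grabAllLocks and the drop-depth token are simplified stand-ins for JSLock::dropAllLocks, JSLock::grabAllLocks and VM::m_entryScope, and the two threads are stepped by hand rather than run concurrently, so a grabAllLocks() call that returns false stands for "this thread would loop and yield here". The unordered policy reproduces the null m_entryScope at step 10; the ordered policy (re-grab only when your drop-depth token is the most recent one) makes T1 wait at step 6 until T2 has left.

```cpp
// Cooperative model of the JSLock re-entry ordering bug (constructed example,
// not JSC code). A thread that cannot re-grab gets `false` back instead of
// spinning, so the whole scenario is deterministic and runs single-threaded.
#include <cassert>
#include <cstdio>
#include <initializer_list>
#include <string>

struct VMModel {
    bool orderedReentry;          // true = fixed policy: re-grab in reverse order of dropping
    std::string owner;            // thread holding the lock ("" = unlocked)
    std::string entryScope;       // stand-in for VM::m_entryScope ("" = null)
    int lockDropDepth = 0;        // bumped on every dropAllLocks, decremented on re-grab

    explicit VMModel(bool ordered) : orderedReentry(ordered) {}

    void lock(const std::string& t)   { assert(owner.empty()); owner = t; }
    void unlock(const std::string& t) { assert(owner == t); owner.clear(); }

    // Entering JS code: the first entrant owns the entry scope.
    void enterVM(const std::string& t) {
        assert(owner == t);
        if (entryScope.empty()) entryScope = t;
    }
    // Leaving the outermost JS function: only the thread that set the scope clears it.
    void exitVM(const std::string& t) {
        assert(owner == t);
        if (entryScope == t) entryScope.clear();
    }

    // Release the VM; the returned depth token must be handed back to grabAllLocks.
    int dropAllLocks(const std::string& t) {
        assert(owner == t);
        ++lockDropDepth;
        unlock(t);
        return lockDropDepth;
    }
    // Re-acquire. Returns false when the caller would have to yield and retry.
    bool grabAllLocks(const std::string& t, int dropDepth) {
        if (!owner.empty()) return false;                               // lock held by someone else
        if (orderedReentry && dropDepth != lockDropDepth) return false; // a later dropper has not re-grabbed yet
        lock(t);
        --lockDropDepth;
        return true;
    }
};

struct Outcome {
    bool t1WaitedAtStep6;     // did the policy make T1 yield at step 6?
    bool t2SawNullEntryScope; // the crash condition from step 10
    bool finalEntryScopeNull; // scope cleared once both threads have left
};

Outcome runScenario(bool orderedReentry) {
    VMModel vm(orderedReentry);
    // Steps 1-3: T1 locks, enters (sets the entry scope), drops all locks.
    vm.lock("T1"); vm.enterVM("T1");
    int t1Token = vm.dropAllLocks("T1");
    // Steps 4-5: T2 locks, enters (scope already set, so it leaves it alone), drops.
    vm.lock("T2"); vm.enterVM("T2");
    int t2Token = vm.dropAllLocks("T2");
    // Step 6: T1 tries to re-grab.
    bool t1Regrabbed = vm.grabAllLocks("T1", t1Token);
    if (t1Regrabbed) {
        // Steps 7-8: T1 returns out of JS, clears the scope it set, unlocks.
        vm.exitVM("T1"); vm.unlock("T1");
    }
    // Step 9: T2 re-grabs.
    bool t2Regrabbed = vm.grabAllLocks("T2", t2Token);
    assert(t2Regrabbed);
    // Step 10: T2 keeps executing and expects the entry scope to be non-null.
    bool t2SawNull = vm.entryScope.empty();
    vm.exitVM("T2"); vm.unlock("T2");
    if (!t1Regrabbed) {
        // T1 was yielding at step 6; with T2 gone its token is current again.
        bool t1Ok = vm.grabAllLocks("T1", t1Token);
        assert(t1Ok);
        vm.exitVM("T1"); vm.unlock("T1");
    }
    return Outcome{!t1Regrabbed, t2SawNull, vm.entryScope.empty()};
}

int main() {
    for (bool ordered : {false, true}) {
        Outcome o = runScenario(ordered);
        std::printf("%s re-entry: T1 waited at step 6 = %d, T2 saw null entry scope = %d\n",
                    ordered ? "ordered" : "unordered", o.t1WaitedAtStep6, o.t2SawNullEntryScope);
    }
    return 0;
}
```

The drop-depth token is what enforces LIFO: every dropAllLocks hands out the current depth, and a thread may only re-grab while its token is still the latest one outstanding. In the unordered run T1 re-grabs first, clears the scope it owns, and T2 resumes into a VM that looks un-entered; in the ordered run T1's token is stale at step 6, so it is deferred until T2 has re-grabbed and exited, and the scope is still set when T2 continues.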
1947
1948 2014-02-25  Mark Lam  <mark.lam@apple.com>
1949
1950         Need to initialize VM stack data even when the VM is on an exclusive thread.
1951         <https://webkit.org/b/129265>
1952
1953         Not reviewed.
1954
1955         Relanding r164627 now that <https://webkit.org/b/129341> is fixed.
1956
1957         * API/APIShims.h:
1958         (JSC::APIEntryShim::APIEntryShim):
1959         (JSC::APICallbackShim::shouldDropAllLocks):
1960         * heap/MachineStackMarker.cpp:
1961         (JSC::MachineThreads::addCurrentThread):
1962         * runtime/JSLock.cpp:
1963         (JSC::JSLockHolder::JSLockHolder):
1964         (JSC::JSLockHolder::init):
1965         (JSC::JSLockHolder::~JSLockHolder):
1966         (JSC::JSLock::JSLock):
1967         (JSC::JSLock::setExclusiveThread):
1968         (JSC::JSLock::lock):
1969         (JSC::JSLock::unlock):
1970         (JSC::JSLock::currentThreadIsHoldingLock):
1971         (JSC::JSLock::dropAllLocks):
1972         (JSC::JSLock::grabAllLocks):
1973         * runtime/JSLock.h:
1974         (JSC::JSLock::hasExclusiveThread):
1975         (JSC::JSLock::exclusiveThread):
1976         * runtime/VM.cpp:
1977         (JSC::VM::VM):
1978         * runtime/VM.h:
1979         (JSC::VM::hasExclusiveThread):
1980         (JSC::VM::exclusiveThread):
1981         (JSC::VM::setExclusiveThread):
1982         (JSC::VM::currentThreadIsHoldingAPILock):
1983
1984 2014-02-25  Filip Pizlo  <fpizlo@apple.com>
1985
1986         Inline caching in the FTL on ARM64 should "work"
1987         https://bugs.webkit.org/show_bug.cgi?id=129334
1988
1989         Reviewed by Mark Hahnenberg.
1990         
1991         Gets us to the point where simple tests that use inline caching are passing.
1992
1993         * assembler/LinkBuffer.cpp:
1994         (JSC::LinkBuffer::copyCompactAndLinkCode):
1995         (JSC::LinkBuffer::shrink):
1996         * ftl/FTLInlineCacheSize.cpp:
1997         (JSC::FTL::sizeOfGetById):
1998         (JSC::FTL::sizeOfPutById):
1999         (JSC::FTL::sizeOfCall):
2000         * ftl/FTLOSRExitCompiler.cpp:
2001         (JSC::FTL::compileFTLOSRExit):
2002         * ftl/FTLThunks.cpp:
2003         (JSC::FTL::osrExitGenerationThunkGenerator):
2004         * jit/GPRInfo.h:
2005         * offlineasm/arm64.rb:
2006
2007 2014-02-25  Commit Queue  <commit-queue@webkit.org>
2008
2009         Unreviewed, rolling out r164627.
2010         http://trac.webkit.org/changeset/164627
2011         https://bugs.webkit.org/show_bug.cgi?id=129325
2012
2013         Broke SubtleCrypto tests (Requested by ap on #webkit).
2014
2015         * API/APIShims.h:
2016         (JSC::APIEntryShim::APIEntryShim):
2017         (JSC::APICallbackShim::shouldDropAllLocks):
2018         * heap/MachineStackMarker.cpp:
2019         (JSC::MachineThreads::addCurrentThread):
2020         * runtime/JSLock.cpp:
2021         (JSC::JSLockHolder::JSLockHolder):
2022         (JSC::JSLockHolder::init):
2023         (JSC::JSLockHolder::~JSLockHolder):
2024         (JSC::JSLock::JSLock):
2025         (JSC::JSLock::lock):
2026         (JSC::JSLock::unlock):
2027         (JSC::JSLock::currentThreadIsHoldingLock):
2028         (JSC::JSLock::dropAllLocks):
2029         (JSC::JSLock::grabAllLocks):
2030         * runtime/JSLock.h:
2031         * runtime/VM.cpp:
2032         (JSC::VM::VM):
2033         * runtime/VM.h:
2034         (JSC::VM::currentThreadIsHoldingAPILock):
2035
2036 2014-02-25  Filip Pizlo  <fpizlo@apple.com>
2037
2038         ARM64 rshift64 should be an arithmetic shift
2039         https://bugs.webkit.org/show_bug.cgi?id=129323
2040
2041         Reviewed by Mark Hahnenberg.
2042
2043         * assembler/MacroAssemblerARM64.h:
2044         (JSC::MacroAssemblerARM64::rshift64):
2045
2046 2014-02-25  Sergio Villar Senin  <svillar@igalia.com>
2047
2048         [CSS Grid Layout] Add ENABLE flag
2049         https://bugs.webkit.org/show_bug.cgi?id=129153
2050
2051         Reviewed by Simon Fraser.
2052
2053         * Configurations/FeatureDefines.xcconfig: added ENABLE_CSS_GRID_LAYOUT feature flag.
2054
2055 2014-02-25  Michael Saboff  <msaboff@apple.com>
2056
2057         JIT Engines use the wrong stack limit for stack checks
2058         https://bugs.webkit.org/show_bug.cgi?id=129314
2059
2060         Reviewed by Filip Pizlo.
2061
2062         Change the Baseline and DFG code to use VM::m_stackLimit for stack limit checks.
2063
2064         * dfg/DFGJITCompiler.cpp:
2065         (JSC::DFG::JITCompiler::compileFunction):
2066         * jit/JIT.cpp:
2067         (JSC::JIT::privateCompile):
2068         * jit/JITCall.cpp:
2069         (JSC::JIT::compileLoadVarargs):
2070         * jit/JITCall32_64.cpp:
2071         (JSC::JIT::compileLoadVarargs):
2072         * runtime/VM.h:
2073         (JSC::VM::addressOfStackLimit):
2074
2075 2014-02-25  Filip Pizlo  <fpizlo@apple.com>
2076
2077         Unreviewed, roll out http://trac.webkit.org/changeset/164493.
2078         
2079         It causes crashes, apparently because it's removing too many barriers. I will investigate
2080         later.
2081
2082         * bytecode/SpeculatedType.cpp:
2083         (JSC::speculationToAbbreviatedString):
2084         * bytecode/SpeculatedType.h:
2085         * dfg/DFGFixupPhase.cpp:
2086         (JSC::DFG::FixupPhase::fixupNode):
2087         (JSC::DFG::FixupPhase::insertStoreBarrier):
2088         * dfg/DFGNode.h:
2089         * ftl/FTLCapabilities.cpp:
2090         (JSC::FTL::canCompile):
2091         * ftl/FTLLowerDFGToLLVM.cpp:
2092         (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
2093         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
2094         (JSC::FTL::LowerDFGToLLVM::isNotNully):
2095         (JSC::FTL::LowerDFGToLLVM::isNully):
2096         (JSC::FTL::LowerDFGToLLVM::speculate):
2097         (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
2098         (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
2099
2100 2014-02-24  Oliver Hunt  <oliver@apple.com>
2101
2102         Fix build.
2103
2104         * jit/CCallHelpers.h:
2105         (JSC::CCallHelpers::setupArgumentsWithExecState):
2106
2107 2014-02-24  Oliver Hunt  <oliver@apple.com>
2108
2109         Spread operator has a bad time when applied to call function
2110         https://bugs.webkit.org/show_bug.cgi?id=128853
2111
2112         Reviewed by Geoffrey Garen.
2113
2114         Follow on from the previous patch that added an extra slot to
2115         op_call_varargs (and _call, _call_eval, _construct).  We now
2116         use the slot as an offset to in effect act as a 'slice' on
2117         the spread subject.  This allows us to automatically retain
2118         all our existing argument and array optimisations.  Most of
2119         this patch is simply threading the offset around.
2120
2121         * bytecode/CodeBlock.cpp:
2122         (JSC::CodeBlock::dumpBytecode):
2123         * bytecompiler/BytecodeGenerator.cpp:
2124         (JSC::BytecodeGenerator::emitCall):
2125         (JSC::BytecodeGenerator::emitCallVarargs):
2126         * bytecompiler/BytecodeGenerator.h:
2127         * bytecompiler/NodesCodegen.cpp:
2128         (JSC::getArgumentByVal):
2129         (JSC::CallFunctionCallDotNode::emitBytecode):
2130         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2131         * interpreter/Interpreter.cpp:
2132         (JSC::sizeFrameForVarargs):
2133         (JSC::loadVarargs):
2134         * interpreter/Interpreter.h:
2135         * jit/CCallHelpers.h:
2136         (JSC::CCallHelpers::setupArgumentsWithExecState):
2137         * jit/JIT.h:
2138         * jit/JITCall.cpp:
2139         (JSC::JIT::compileLoadVarargs):
2140         * jit/JITInlines.h:
2141         (JSC::JIT::callOperation):
2142         * jit/JITOperations.cpp:
2143         * jit/JITOperations.h:
2144         * llint/LLIntSlowPaths.cpp:
2145         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2146         * runtime/Arguments.cpp:
2147         (JSC::Arguments::copyToArguments):
2148         * runtime/Arguments.h:
2149         * runtime/JSArray.cpp:
2150         (JSC::JSArray::copyToArguments):
2151         * runtime/JSArray.h:
2152
2153 2014-02-24  Mark Lam  <mark.lam@apple.com>
2154
2155         Need to initialize VM stack data even when the VM is on an exclusive thread.
2156         <https://webkit.org/b/129265>
2157
2158         Reviewed by Geoffrey Garen.
2159
2160         We check VM::exclusiveThread as an optimization to forego the need to do
2161         JSLock locking. However, we recently started piggybacking on JSLock's
2162         lock() and unlock() to initialize VM stack data (stackPointerAtVMEntry
2163         and lastStackTop) to appropriate values for the current thread. This is
2164         needed because we may be acquiring the lock to enter the VM on a different
2165         thread.
2166
2167         As a result, we ended up not initializing the VM stack data when
2168         VM::exclusiveThread causes us to bypass the locking activity. Even though
2169         the VM::exclusiveThread will not have to deal with the VM being entered
2170         on a different thread, it still needs to initialize the VM stack data.
2171         The VM relies on that data being initialized properly once it has been
2172         entered.
2173
2174         With this fix, we push the check for exclusiveThread down into the JSLock,
2175         and handle the bypassing of unneeded locking activity there while still
2176         executing the necessary VM stack data initialization.
2177
2178         * API/APIShims.h:
2179         (JSC::APIEntryShim::APIEntryShim):
2180         (JSC::APICallbackShim::shouldDropAllLocks):
2181         * heap/MachineStackMarker.cpp:
2182         (JSC::MachineThreads::addCurrentThread):
2183         * runtime/JSLock.cpp:
2184         (JSC::JSLockHolder::JSLockHolder):
2185         (JSC::JSLockHolder::init):
2186         (JSC::JSLockHolder::~JSLockHolder):
2187         (JSC::JSLock::JSLock):
2188         (JSC::JSLock::setExclusiveThread):
2189         (JSC::JSLock::lock):
2190         (JSLock::unlock):
2191         (JSLock::currentThreadIsHoldingLock):
2192         (JSLock::dropAllLocks):
2193         (JSLock::grabAllLocks):
2194         * runtime/JSLock.h:
2195         (JSC::JSLock::exclusiveThread):
2196         * runtime/VM.cpp:
2197         (JSC::VM::VM):
2198         * runtime/VM.h:
2199         (JSC::VM::exclusiveThread):
2200         (JSC::VM::setExclusiveThread):
2201         (JSC::VM::currentThreadIsHoldingAPILock):
2202
2203 2014-02-24  Filip Pizlo  <fpizlo@apple.com>
2204
2205         FTL should do polymorphic PutById inlining
2206         https://bugs.webkit.org/show_bug.cgi?id=129210
2207
2208         Reviewed by Mark Hahnenberg and Oliver Hunt.
2209         
2210         This makes PutByIdStatus inform us about polymorphic cases by returning an array of
2211         PutByIdVariants. The DFG now has a node called MultiPutByOffset that indicates a
2212         selection of multiple inlined PutByIdVariants.
2213         
2214         MultiPutByOffset is almost identical to MultiGetByOffset, which we added in
2215         http://trac.webkit.org/changeset/164207.
2216         
2217         This also does some FTL refactoring to make MultiPutByOffset share code with some nodes
2218         that generate similar code.
2219         
2220         1% speed-up on V8v7 due to splay improving by 6.8%. Splay does the thing where it
2221         sometimes swaps field insertion order, creating fake polymorphism.
2222
2223         * CMakeLists.txt:
2224         * GNUmakefile.list.am:
2225         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2226         * JavaScriptCore.xcodeproj/project.pbxproj:
2227         * bytecode/PutByIdStatus.cpp:
2228         (JSC::PutByIdStatus::computeFromLLInt):
2229         (JSC::PutByIdStatus::computeFor):
2230         (JSC::PutByIdStatus::computeForStubInfo):
2231         (JSC::PutByIdStatus::dump):
2232         * bytecode/PutByIdStatus.h:
2233         (JSC::PutByIdStatus::PutByIdStatus):
2234         (JSC::PutByIdStatus::isSimple):
2235         (JSC::PutByIdStatus::numVariants):
2236         (JSC::PutByIdStatus::variants):
2237         (JSC::PutByIdStatus::at):
2238         (JSC::PutByIdStatus::operator[]):
2239         * bytecode/PutByIdVariant.cpp: Added.
2240         (JSC::PutByIdVariant::dump):
2241         (JSC::PutByIdVariant::dumpInContext):
2242         * bytecode/PutByIdVariant.h: Added.
2243         (JSC::PutByIdVariant::PutByIdVariant):
2244         (JSC::PutByIdVariant::replace):
2245         (JSC::PutByIdVariant::transition):
2246         (JSC::PutByIdVariant::kind):
2247         (JSC::PutByIdVariant::isSet):
2248         (JSC::PutByIdVariant::operator!):
2249         (JSC::PutByIdVariant::structure):
2250         (JSC::PutByIdVariant::oldStructure):
2251         (JSC::PutByIdVariant::newStructure):
2252         (JSC::PutByIdVariant::structureChain):
2253         (JSC::PutByIdVariant::offset):
2254         * dfg/DFGAbstractInterpreterInlines.h:
2255         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2256         * dfg/DFGByteCodeParser.cpp:
2257         (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
2258         (JSC::DFG::ByteCodeParser::handleGetById):
2259         (JSC::DFG::ByteCodeParser::emitPutById):
2260         (JSC::DFG::ByteCodeParser::handlePutById):
2261         (JSC::DFG::ByteCodeParser::parseBlock):
2262         * dfg/DFGCSEPhase.cpp:
2263         (JSC::DFG::CSEPhase::checkStructureElimination):
2264         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
2265         (JSC::DFG::CSEPhase::putStructureStoreElimination):
2266         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
2267         (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
2268         * dfg/DFGClobberize.h:
2269         (JSC::DFG::clobberize):
2270         * dfg/DFGConstantFoldingPhase.cpp:
2271         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2272         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2273         * dfg/DFGFixupPhase.cpp:
2274         (JSC::DFG::FixupPhase::fixupNode):
2275         * dfg/DFGGraph.cpp:
2276         (JSC::DFG::Graph::dump):
2277         * dfg/DFGGraph.h:
2278         * dfg/DFGNode.cpp:
2279         (JSC::DFG::MultiPutByOffsetData::writesStructures):
2280         (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
2281         * dfg/DFGNode.h:
2282         (JSC::DFG::Node::convertToPutByOffset):
2283         (JSC::DFG::Node::hasMultiPutByOffsetData):
2284         (JSC::DFG::Node::multiPutByOffsetData):
2285         * dfg/DFGNodeType.h:
2286         * dfg/DFGPredictionPropagationPhase.cpp:
2287         (JSC::DFG::PredictionPropagationPhase::propagate):
2288         * dfg/DFGSafeToExecute.h:
2289         (JSC::DFG::safeToExecute):
2290         * dfg/DFGSpeculativeJIT32_64.cpp:
2291         (JSC::DFG::SpeculativeJIT::compile):
2292         * dfg/DFGSpeculativeJIT64.cpp:
2293         (JSC::DFG::SpeculativeJIT::compile):
2294         * dfg/DFGTypeCheckHoistingPhase.cpp:
2295         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2296         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
2297         * ftl/FTLCapabilities.cpp:
2298         (JSC::FTL::canCompile):
2299         * ftl/FTLLowerDFGToLLVM.cpp:
2300         (JSC::FTL::LowerDFGToLLVM::compileNode):
2301         (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
2302         (JSC::FTL::LowerDFGToLLVM::compileAllocatePropertyStorage):
2303         (JSC::FTL::LowerDFGToLLVM::compileReallocatePropertyStorage):
2304         (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
2305         (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
2306         (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
2307         (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
2308         (JSC::FTL::LowerDFGToLLVM::loadProperty):
2309         (JSC::FTL::LowerDFGToLLVM::storeProperty):
2310         (JSC::FTL::LowerDFGToLLVM::addressOfProperty):
2311         (JSC::FTL::LowerDFGToLLVM::storageForTransition):
2312         (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorage):
2313         (JSC::FTL::LowerDFGToLLVM::reallocatePropertyStorage):
2314         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
2315         * tests/stress/fold-multi-put-by-offset-to-put-by-offset.js: Added.
2316         * tests/stress/multi-put-by-offset-reallocation-butterfly-cse.js: Added.
2317         * tests/stress/multi-put-by-offset-reallocation-cases.js: Added.
2318
2319 2014-02-24  peavo@outlook.com  <peavo@outlook.com>
2320
2321         JSC regressions after r164494
2322         https://bugs.webkit.org/show_bug.cgi?id=129272
2323
2324         Reviewed by Mark Lam.
2325
2326         * offlineasm/x86.rb: Only avoid reverse opcode (fdivr) for Windows.
2327
2328 2014-02-24  Tamas Gergely  <tgergely.u-szeged@partner.samsung.com>
2329
2330         Code cleanup: remove leftover ENABLE(WORKERS) macros and support.
2331         https://bugs.webkit.org/show_bug.cgi?id=129255
2332
2333         Reviewed by Csaba Osztrogonác.
2334
2335         ENABLE_WORKERS macro was removed in r159679.
2336         Support is now also removed from xcconfig files.
2337
2338         * Configurations/FeatureDefines.xcconfig:
2339
2340 2014-02-24  David Kilzer  <ddkilzer@apple.com>
2341
2342         Remove redundant setting in FeatureDefines.xcconfig
2343
2344         * Configurations/FeatureDefines.xcconfig:
2345
2346 2014-02-23  Sam Weinig  <sam@webkit.org>
2347
2348         Update FeatureDefines.xcconfig
2349
2350         Rubber-stamped by Anders Carlsson.
2351
2352         * Configurations/FeatureDefines.xcconfig:
2353
2354 2014-02-23  Dean Jackson  <dino@apple.com>
2355
2356         Sort the project file with sort-Xcode-project-file.
2357
2358         Rubber-stamped by Sam Weinig.
2359
2360         * JavaScriptCore.xcodeproj/project.pbxproj:
2361
2362 2014-02-23  Sam Weinig  <sam@webkit.org>
2363
2364         Move telephone number detection behind its own ENABLE macro
2365         https://bugs.webkit.org/show_bug.cgi?id=129236
2366
2367         Reviewed by Dean Jackson.
2368
2369         * Configurations/FeatureDefines.xcconfig:
2370         Add ENABLE_TELEPHONE_NUMBER_DETECTION.
2371
2372 2014-02-22  Filip Pizlo  <fpizlo@apple.com>
2373
2374         Refine DFG+FTL inlining and compilation limits
2375         https://bugs.webkit.org/show_bug.cgi?id=129212
2376
2377         Reviewed by Mark Hahnenberg.
2378         
2379         Allow larger functions to be DFG-compiled. Institute a limit on FTL compilation,
2380         and set that limit quite high. Institute a limit on inlining-into. The idea here is
2381         that large functions tend to be autogenerated, and code generators like emscripten
2382         appear to leave few inlining opportunities anyway. Also, we don't want the code
2383         size explosion that we would risk if we allowed compilation of a large function and
2384         then inlined a ton of stuff into it.
2385         
2386         This is a 0.5% speed-up on Octane v2 and almost eliminates the typescript
2387         regression. This is a 9% speed-up on AsmBench.
2388
2389         * bytecode/CodeBlock.cpp:
2390         (JSC::CodeBlock::noticeIncomingCall):
2391         * dfg/DFGByteCodeParser.cpp:
2392         (JSC::DFG::ByteCodeParser::handleInlining):
2393         * dfg/DFGCapabilities.h:
2394         (JSC::DFG::isSmallEnoughToInlineCodeInto):
2395         * ftl/FTLCapabilities.cpp:
2396         (JSC::FTL::canCompile):
2397         * ftl/FTLState.h:
2398         (JSC::FTL::shouldShowDisassembly):
2399         * runtime/Options.h:
2400
2401 2014-02-22  Dan Bernstein  <mitz@apple.com>
2402
2403         REGRESSION (r164507): Crash beneath JSGlobalObjectInspectorController::reportAPIException at facebook.com, twitter.com, youtube.com
2404         https://bugs.webkit.org/show_bug.cgi?id=129227
2405
2406         Reviewed by Eric Carlson.
2407
2408         Reverted r164507.
2409
2410         * API/JSBase.cpp:
2411         (JSEvaluateScript):
2412         (JSCheckScriptSyntax):
2413         * API/JSObjectRef.cpp:
2414         (JSObjectMakeFunction):
2415         (JSObjectMakeArray):
2416         (JSObjectMakeDate):
2417         (JSObjectMakeError):
2418         (JSObjectMakeRegExp):
2419         (JSObjectGetProperty):
2420         (JSObjectSetProperty):
2421         (JSObjectGetPropertyAtIndex):
2422         (JSObjectSetPropertyAtIndex):
2423         (JSObjectDeleteProperty):
2424         (JSObjectCallAsFunction):
2425         (JSObjectCallAsConstructor):
2426         * API/JSValue.mm:
2427         (valueToArray):
2428         (valueToDictionary):
2429         * API/JSValueRef.cpp:
2430         (JSValueIsEqual):
2431         (JSValueIsInstanceOfConstructor):
2432         (JSValueCreateJSONString):
2433         (JSValueToNumber):
2434         (JSValueToStringCopy):
2435         (JSValueToObject):
2436         * inspector/ConsoleMessage.cpp:
2437         (Inspector::ConsoleMessage::ConsoleMessage):
2438         (Inspector::ConsoleMessage::autogenerateMetadata):
2439         * inspector/ConsoleMessage.h:
2440         * inspector/JSGlobalObjectInspectorController.cpp:
2441         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2442         * inspector/JSGlobalObjectInspectorController.h:
2443         * inspector/ScriptCallStack.cpp:
2444         * inspector/ScriptCallStack.h:
2445         * inspector/ScriptCallStackFactory.cpp:
2446         (Inspector::createScriptCallStack):
2447         (Inspector::createScriptCallStackForConsole):
2448         (Inspector::createScriptCallStackFromException):
2449         * inspector/ScriptCallStackFactory.h:
2450         * inspector/agents/InspectorConsoleAgent.cpp:
2451         (Inspector::InspectorConsoleAgent::enable):
2452         (Inspector::InspectorConsoleAgent::addMessageToConsole):
2453         (Inspector::InspectorConsoleAgent::count):
2454         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2455         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
2456
2457 2014-02-22  Joseph Pecoraro  <pecoraro@apple.com>
2458
2459         Remove some unreachable code (-Wunreachable-code)
2460         https://bugs.webkit.org/show_bug.cgi?id=129220
2461
2462         Reviewed by Eric Carlson.
2463
2464         * API/tests/testapi.c:
2465         (EvilExceptionObject_convertToType):
2466         * disassembler/udis86/udis86_decode.c:
2467         (decode_operand):
2468
2469 2014-02-22  Filip Pizlo  <fpizlo@apple.com>
2470
2471         Unreviewed, ARMv7 build fix.
2472
2473         * assembler/ARMv7Assembler.h:
2474
2475 2014-02-21  Filip Pizlo  <fpizlo@apple.com>
2476
2477         It should be possible for a LinkBuffer to outlive the MacroAssembler and still be useful
2478         https://bugs.webkit.org/show_bug.cgi?id=124733
2479
2480         Reviewed by Oliver Hunt.
2481         
2482         This also takes the opportunity to de-duplicate some branch compaction code.
2483
2484         * assembler/ARM64Assembler.h:
2485         * assembler/ARMv7Assembler.h:
2486         (JSC::ARMv7Assembler::buffer):
2487         * assembler/AssemblerBuffer.h:
2488         (JSC::AssemblerData::AssemblerData):
2489         (JSC::AssemblerBuffer::AssemblerBuffer):
2490         (JSC::AssemblerBuffer::storage):
2491         (JSC::AssemblerBuffer::grow):
2492         * assembler/LinkBuffer.h:
2493         (JSC::LinkBuffer::LinkBuffer):
2494         (JSC::LinkBuffer::executableOffsetFor):
2495         (JSC::LinkBuffer::applyOffset):
2496         * assembler/MacroAssemblerARM64.h:
2497         (JSC::MacroAssemblerARM64::link):
2498         * assembler/MacroAssemblerARMv7.h:
2499
2500 2014-02-21  Brent Fulgham  <bfulgham@apple.com>
2501
2502         Extend media support for WebVTT sources
2503         https://bugs.webkit.org/show_bug.cgi?id=129156
2504
2505         Reviewed by Eric Carlson.
2506
2507         * Configurations/FeatureDefines.xcconfig: Add new feature define for AVF_CAPTIONS
2508
2509 2014-02-21  Joseph Pecoraro  <pecoraro@apple.com>
2510
2511         Web Inspector: JSContext inspection should report exceptions in the console
2512         https://bugs.webkit.org/show_bug.cgi?id=128776
2513
2514         Reviewed by Timothy Hatcher.
2515
2516         When JavaScript API functions have an exception, let the inspector
2517         know so it can log the JavaScript and Native backtrace that caused
2518         the exception.
2519
2520         Include some clean up of ConsoleMessage and ScriptCallStack construction.
2521
2522         * API/JSBase.cpp:
2523         (JSEvaluateScript):
2524         (JSCheckScriptSyntax):
2525         * API/JSObjectRef.cpp:
2526         (JSObjectMakeFunction):
2527         (JSObjectMakeArray):
2528         (JSObjectMakeDate):
2529         (JSObjectMakeError):
2530         (JSObjectMakeRegExp):
2531         (JSObjectGetProperty):
2532         (JSObjectSetProperty):
2533         (JSObjectGetPropertyAtIndex):
2534         (JSObjectSetPropertyAtIndex):
2535         (JSObjectDeleteProperty):
2536         (JSObjectCallAsFunction):
2537         (JSObjectCallAsConstructor):
2538         * API/JSValue.mm:
2539         (reportExceptionToInspector):
2540         (valueToArray):
2541         (valueToDictionary):
2542         * API/JSValueRef.cpp:
2543         (JSValueIsEqual):
2544         (JSValueIsInstanceOfConstructor):
2545         (JSValueCreateJSONString):
2546         (JSValueToNumber):
2547         (JSValueToStringCopy):
2548         (JSValueToObject):
2549         When seeing an exception, let the inspector know there was an exception.
2550
2551         * inspector/JSGlobalObjectInspectorController.h:
2552         * inspector/JSGlobalObjectInspectorController.cpp:
2553         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2554         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
2555         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
2556         Log API exceptions by also grabbing the native backtrace.
2557
2558         * inspector/ScriptCallStack.h:
2559         * inspector/ScriptCallStack.cpp:
2560         (Inspector::ScriptCallStack::firstNonNativeCallFrame):
2561         (Inspector::ScriptCallStack::append):
2562         Minor extensions to ScriptCallStack to make it easier to work with.
2563
2564         * inspector/ConsoleMessage.cpp:
2565         (Inspector::ConsoleMessage::ConsoleMessage):
2566         (Inspector::ConsoleMessage::autogenerateMetadata):
2567         Provide better default information if the first call frame was native.
2568
2569         * inspector/ScriptCallStackFactory.cpp:
2570         (Inspector::createScriptCallStack):
2571         (Inspector::extractSourceInformationFromException):
2572         (Inspector::createScriptCallStackFromException):
2573         Perform the handling here of inserting a fake call frame for exceptions
2574         if there was no call stack (e.g. a SyntaxError) or if the first call
2575         frame had no information.
2576
2577         * inspector/ConsoleMessage.cpp:
2578         (Inspector::ConsoleMessage::ConsoleMessage):
2579         (Inspector::ConsoleMessage::autogenerateMetadata):
2580         * inspector/ConsoleMessage.h:
2581         * inspector/ScriptCallStackFactory.cpp:
2582         (Inspector::createScriptCallStack):
2583         (Inspector::createScriptCallStackForConsole):
2584         * inspector/ScriptCallStackFactory.h:
2585         * inspector/agents/InspectorConsoleAgent.cpp:
2586         (Inspector::InspectorConsoleAgent::enable):
2587         (Inspector::InspectorConsoleAgent::addMessageToConsole):
2588         (Inspector::InspectorConsoleAgent::count):
2589         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2590         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
2591         ConsoleMessage cleanup.
2592
2593 2014-02-21  Oliver Hunt  <oliver@apple.com>
2594
2595         Add extra space to op_call and related opcodes
2596         https://bugs.webkit.org/show_bug.cgi?id=129170
2597
2598         Reviewed by Mark Lam.
2599
2600         No change in behaviour, just some refactoring to add an extra
2601         slot to the op_call instructions, and refactoring to make similar
2602         changes easier in future.
2603
2604         * bytecode/CodeBlock.cpp:
2605         (JSC::CodeBlock::printCallOp):
2606         * bytecode/Opcode.h:
2607         (JSC::padOpcodeName):
2608         * bytecompiler/BytecodeGenerator.cpp:
2609         (JSC::BytecodeGenerator::emitCall):
2610         (JSC::BytecodeGenerator::emitCallVarargs):
2611         (JSC::BytecodeGenerator::emitConstruct):
2612         * dfg/DFGByteCodeParser.cpp:
2613         (JSC::DFG::ByteCodeParser::handleIntrinsic):
2614         * jit/JITCall.cpp:
2615         (JSC::JIT::compileOpCall):
2616         * jit/JITCall32_64.cpp:
2617         (JSC::JIT::compileOpCall):
2618         * llint/LowLevelInterpreter.asm:
2619         * llint/LowLevelInterpreter32_64.asm:
2620         * llint/LowLevelInterpreter64.asm:
2621
2622 2014-02-21  Mark Lam  <mark.lam@apple.com>
2623
2624         gatherFromOtherThread() needs to align the sp before gathering roots.
2625         <https://webkit.org/b/129169>
2626
2627         Reviewed by Geoffrey Garen.
2628
2629         The GC scans the stacks of other threads using MachineThreads::gatherFromOtherThread().
2630         gatherFromOtherThread() defines the range of the other thread's stack as
2631         being bounded by the other thread's stack pointer and stack base. While
2632         the stack base will always be aligned to sizeof(void*), the stack pointer
2633         may not be. This is because the other thread may have just pushed a 32-bit
2634         value on its stack before we suspended it for scanning.
2635
2636         The fix is to round the stack pointer up to the next aligned address of
2637         sizeof(void*) and start scanning from there. On 64-bit systems, we will
2638         effectively ignore the 32-bit word at the bottom of the stack (top of the
2639         stack for stacks growing up) because it cannot be a 64-bit pointer anyway.
2640         64-bit pointers should always be stored on 64-bit aligned boundaries (our
2641         conservative scan algorithm already depends on this assumption).
2642
2643         On 32-bit systems, the rounding is effectively a no-op.
2644
2645         * heap/ConservativeRoots.cpp:
2646         (JSC::ConservativeRoots::genericAddSpan):
2647         - Hardened some assertions so that we can catch misalignment issues on
2648           release builds as well.
2649         * heap/MachineStackMarker.cpp:
2650         (JSC::MachineThreads::gatherFromOtherThread):
2651
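The alignment rule the entry above describes, as an added illustration (not JSC's code): a conservative scan over a constructed fake stack whose sp sits 4 bytes below an aligned slot, with the sp rounded up to sizeof(void*) before scanning. The heap range and the is_heap_pointer predicate are hypothetical stand-ins for the collector's real block lookup.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Round a stack pointer up to the next sizeof(void*) boundary. A thread
 * suspended for scanning may have just pushed a 32-bit value, so its sp
 * need not be pointer-aligned; the stack base always is. On 32-bit
 * targets sizeof(void*) == 4 and this is a no-op, as the entry notes. */
static uintptr_t align_up_to_pointer(uintptr_t sp)
{
    const uintptr_t mask = sizeof(void *) - 1;
    return (sp + mask) & ~mask;
}

/* Hypothetical "is this word a pointer into our heap?" predicate. The real
 * collector consults its block set; here the heap is a constructed range. */
static int is_heap_pointer(uintptr_t word, uintptr_t heap_begin, uintptr_t heap_end)
{
    return word >= heap_begin && word < heap_end;
}

/* Conservative scan of the stack span [sp, base) for a downward-growing
 * stack: every aligned pointer-sized word is a candidate root. The
 * alignment assertions mirror the hardening the entry describes for
 * genericAddSpan. Returns how many candidate heap pointers were seen. */
static size_t scan_stack_span(uintptr_t sp, uintptr_t base,
                              uintptr_t heap_begin, uintptr_t heap_end)
{
    const uintptr_t mask = sizeof(void *) - 1;
    uintptr_t cursor = align_up_to_pointer(sp);
    assert((cursor & mask) == 0);
    assert((base & mask) == 0);
    assert(cursor <= base);

    size_t found = 0;
    for (; cursor + sizeof(void *) <= base; cursor += sizeof(void *)) {
        uintptr_t word;
        memcpy(&word, (const void *)cursor, sizeof word); /* aligned read */
        if (is_heap_pointer(word, heap_begin, heap_end))
            found++;
    }
    return found;
}

/* Constructed scenario: a fake 8-slot stack whose highest address is the
 * base, holding two words that point into a fake heap. With
 * misaligned_push set, sp sits 4 bytes below an aligned slot, as if the
 * suspended thread had just pushed a 32-bit value. */
static size_t demo_scan(int misaligned_push)
{
    uintptr_t heap[4];
    uintptr_t heap_begin = (uintptr_t)&heap[0];
    uintptr_t heap_end = (uintptr_t)&heap[4];

    uintptr_t stack[8];
    memset(stack, 0, sizeof stack);
    stack[2] = (uintptr_t)&heap[1]; /* a pointer to a heap object */
    stack[5] = heap_begin + 1;      /* an interior pointer into the heap */

    uintptr_t base = (uintptr_t)&stack[8];
    uintptr_t sp = (uintptr_t)&stack[1];
    if (misaligned_push) {
        uint32_t pushed = 0x12345678u; /* constructed 32-bit push */
        sp -= sizeof pushed;
        memcpy((void *)sp, &pushed, sizeof pushed);
    }
    /* Rounding sp up skips the partial word, so both pointers are found
     * and no straddling, garbled word is ever read. */
    return scan_stack_span(sp, base, heap_begin, heap_end);
}

int main(void)
{
    printf("aligned sp: %zu roots, misaligned sp: %zu roots\n",
           demo_scan(0), demo_scan(1));
    return 0;
}
```
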
2652 2014-02-21  Matthew Mirman  <mmirman@apple.com>
2653
2654         Added a GetMyArgumentsLengthSafe and added a speculation check.
2655         https://bugs.webkit.org/show_bug.cgi?id=129051
2656
2657         Reviewed by Filip Pizlo.
2658
2659         * ftl/FTLLowerDFGToLLVM.cpp:
2660         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
2661
2662 2014-02-21  peavo@outlook.com  <peavo@outlook.com>
2663
2664         [Win][LLINT] Many JSC stress test failures.
2665         https://bugs.webkit.org/show_bug.cgi?id=129155
2666
2667         Reviewed by Michael Saboff.
2668
2669         Intel syntax has reversed operand order compared to AT&T syntax, so we need to swap the operand order, in this case on floating point operations.
2670         Also avoid using the reverse opcode (e.g. fdivr), as this puts the result at the wrong position in the floating point stack.
2671         E.g. "divd ft0, ft1" would translate to fdivr st, st(1) (Intel syntax) on Windows, but this puts the result in st, when it should be in st(1).
2672
2673         * offlineasm/x86.rb: Swap operand order on Windows.
2674
2675 2014-02-21  Filip Pizlo  <fpizlo@apple.com>
2676
2677         DFG write barriers should do more speculations
2678         https://bugs.webkit.org/show_bug.cgi?id=129160
2679
2680         Reviewed by Mark Hahnenberg.
2681         
2682         Replace ConditionalStoreBarrier with the cheapest speculation that you could do
2683         instead.
2684         
2685         Minuscule speed-up on some things. It's a decent difference in code size, though.
2686
2687         * bytecode/SpeculatedType.cpp:
2688         (JSC::speculationToAbbreviatedString):
2689         * bytecode/SpeculatedType.h:
2690         (JSC::isNotCellSpeculation):
2691         * dfg/DFGFixupPhase.cpp:
2692         (JSC::DFG::FixupPhase::fixupNode):
2693         (JSC::DFG::FixupPhase::insertStoreBarrier):
2694         (JSC::DFG::FixupPhase::insertPhantomCheck):
2695         * dfg/DFGNode.h:
2696         (JSC::DFG::Node::shouldSpeculateOther):
2697         (JSC::DFG::Node::shouldSpeculateNotCell):
2698         * ftl/FTLCapabilities.cpp:
2699         (JSC::FTL::canCompile):
2700         * ftl/FTLLowerDFGToLLVM.cpp:
2701         (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
2702         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
2703         (JSC::FTL::LowerDFGToLLVM::isNotOther):
2704         (JSC::FTL::LowerDFGToLLVM::isOther):
2705         (JSC::FTL::LowerDFGToLLVM::speculate):
2706         (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
2707         (JSC::FTL::LowerDFGToLLVM::speculateOther):
2708         (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
2709
2710 2014-02-21  Joseph Pecoraro  <pecoraro@apple.com>
2711
2712         Revert r164486, causing a number of test failures.
2713
2714         Unreviewed rollout.
2715
2716 2014-02-21  Filip Pizlo  <fpizlo@apple.com>
2717
2718         Revive SABI (aka shouldAlwaysBeInlined)
2719         https://bugs.webkit.org/show_bug.cgi?id=129159
2720
2721         Reviewed by Mark Hahnenberg.
2722         
2723         This is a small Octane speed-up.
2724
2725         * jit/Repatch.cpp:
2726         (JSC::linkFor): This code was assuming that if it's invoked then the caller is a DFG code block. That's wrong, since it's now used by all of the JITs.
2727
2728 2014-02-21  Joseph Pecoraro  <pecoraro@apple.com>
2729
2730         Web Inspector: JSContext inspection should report exceptions in the console
2731         https://bugs.webkit.org/show_bug.cgi?id=128776
2732
2733         Reviewed by Timothy Hatcher.
2734
2735         When JavaScript API functions have an exception, let the inspector
2736         know so it can log the JavaScript and Native backtrace that caused
2737         the exception.
2738
2739         Include some clean up of ConsoleMessage and ScriptCallStack construction.
2740
2741         * API/JSBase.cpp:
2742         (JSEvaluateScript):
2743         (JSCheckScriptSyntax):
2744         * API/JSObjectRef.cpp:
2745         (JSObjectMakeFunction):
2746         (JSObjectMakeArray):
2747         (JSObjectMakeDate):
2748         (JSObjectMakeError):
2749         (JSObjectMakeRegExp):
2750         (JSObjectGetProperty):
2751         (JSObjectSetProperty):
2752         (JSObjectGetPropertyAtIndex):
2753         (JSObjectSetPropertyAtIndex):
2754         (JSObjectDeleteProperty):
2755         (JSObjectCallAsFunction):
2756         (JSObjectCallAsConstructor):
2757         * API/JSValue.mm:
2758         (reportExceptionToInspector):
2759         (valueToArray):
2760         (valueToDictionary):
2761         * API/JSValueRef.cpp:
2762         (JSValueIsEqual):
2763         (JSValueIsInstanceOfConstructor):
2764         (JSValueCreateJSONString):
2765         (JSValueToNumber):
2766         (JSValueToStringCopy):
2767         (JSValueToObject):
2768         When seeing an exception, let the inspector know there was an exception.
2769
2770         * inspector/JSGlobalObjectInspectorController.h:
2771         * inspector/JSGlobalObjectInspectorController.cpp:
2772         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2773         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
2774         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
2775         Log API exceptions by also grabbing the native backtrace.
2776
2777         * inspector/ScriptCallStack.h:
2778         * inspector/ScriptCallStack.cpp:
2779         (Inspector::ScriptCallStack::firstNonNativeCallFrame):
2780         (Inspector::ScriptCallStack::append):
2781         Minor extensions to ScriptCallStack to make it easier to work with.
2782
2783         * inspector/ConsoleMessage.cpp:
2784         (Inspector::ConsoleMessage::ConsoleMessage):
2785         (Inspector::ConsoleMessage::autogenerateMetadata):
2786         Provide better default information if the first call frame was native.
2787
2788         * inspector/ScriptCallStackFactory.cpp:
2789         (Inspector::createScriptCallStack):
2790         (Inspector::extractSourceInformationFromException):
2791         (Inspector::createScriptCallStackFromException):
2792         Perform the handling here of inserting a fake call frame for exceptions
2793         if there was no call stack (e.g. a SyntaxError) or if the first call
2794         frame had no information.
2795
2796         * inspector/ConsoleMessage.cpp:
2797         (Inspector::ConsoleMessage::ConsoleMessage):
2798         (Inspector::ConsoleMessage::autogenerateMetadata):
2799         * inspector/ConsoleMessage.h:
2800         * inspector/ScriptCallStackFactory.cpp:
2801         (Inspector::createScriptCallStack):
2802         (Inspector::createScriptCallStackForConsole):
2803         * inspector/ScriptCallStackFactory.h:
2804         * inspector/agents/InspectorConsoleAgent.cpp:
2805         (Inspector::InspectorConsoleAgent::enable):
2806         (Inspector::InspectorConsoleAgent::addMessageToConsole):
2807         (Inspector::InspectorConsoleAgent::count):
2808         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2809         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
2810         ConsoleMessage cleanup.
2811
2812 2014-02-20  Anders Carlsson  <andersca@apple.com>
2813
2814         Modernize JSGlobalLock and JSLockHolder
2815         https://bugs.webkit.org/show_bug.cgi?id=129105
2816
2817         Reviewed by Michael Saboff.
2818
2819         Use std::mutex and std::thread::id where possible.
2820
2821         * runtime/JSLock.cpp:
2822         (JSC::GlobalJSLock::GlobalJSLock):
2823         (JSC::GlobalJSLock::~GlobalJSLock):
2824         (JSC::GlobalJSLock::initialize):
2825         (JSC::JSLock::JSLock):
2826         (JSC::JSLock::lock):
2827         (JSC::JSLock::unlock):
2828         (JSC::JSLock::currentThreadIsHoldingLock):
2829         * runtime/JSLock.h:
2830
2014-02-20  Mark Lam  <mark.lam@apple.com>

        virtualForWithFunction() should not throw an exception with a partially initialized frame.
        <https://webkit.org/b/129134>

        Reviewed by Michael Saboff.

        Currently, when JITOperations.cpp's virtualForWithFunction() fails to
        prepare the callee function for execution, it proceeds to throw the
        exception using the callee frame which is only partially initialized
        thus far. Instead, it should be throwing the exception using the caller
        frame because:
        1. the error happened "in" the caller while preparing the callee for
           execution i.e. the caller frame is the top fully initialized frame
           on the stack.
        2. the callee frame is not fully initialized yet, and the unwind
           mechanism cannot depend on the data in it.

        * jit/JITOperations.cpp:

2014-02-20  Mark Lam  <mark.lam@apple.com>

        DefaultGCActivityCallback::doWork() should reschedule if GC is deferred.
        <https://webkit.org/b/129131>

        Reviewed by Mark Hahnenberg.

        Currently, DefaultGCActivityCallback::doWork() does not check if the GC
        needs to be deferred before commencing. As a result, the GC may crash
        and/or corrupt data because the VM is not in the consistent state needed
        for the GC to run. With this fix, doWork() now checks if the GC is
        supposed to be deferred and re-schedules if needed. It only commences
        with GC'ing when it's safe to do so.

        * runtime/GCActivityCallback.cpp:
        (JSC::DefaultGCActivityCallback::doWork):

2014-02-20  Geoffrey Garen  <ggaren@apple.com>

        Math.imul gives wrong results
        https://bugs.webkit.org/show_bug.cgi?id=126345

        Reviewed by Mark Hahnenberg.

        Don't truncate non-int doubles to 0 -- that's just not how ToInt32 works.
        Instead, take a slow path that will do the right thing.

        * jit/ThunkGenerators.cpp:
        (JSC::imulThunkGenerator):

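The entry above says the imul fast path must not turn a non-integer double into 0, because ToInt32 truncates toward zero and reduces modulo 2^32. The following is an added example, not JavaScriptCore's thunk code: a spec-style toInt32 and a reference Math.imul, beside a model of a fast path that zeroes non-integer doubles. The model (buggyFastPathImul) is an assumption about the shape of the bug rather than a transcription of the thunk, and SAMPLE_INPUTS is a constructed list of operands chosen to exercise the cases ToInt32 has to get right.

```javascript
// Added example, not JavaScriptCore's thunk code: ES-style ToInt32 and a
// reference Math.imul, beside a model of the fast path the entry describes.

// ToInt32 per ECMA-262: NaN and +/-Infinity become 0, the value is truncated
// toward zero, reduced modulo 2^32 and reinterpreted as a signed 32-bit integer.
function toInt32(x) {
  const n = Number(x);
  if (!Number.isFinite(n)) return 0;
  const t = Math.trunc(n);
  let m = t % 4294967296;          // exact for |t| < 2^53
  if (m < 0) m += 4294967296;
  return m >= 2147483648 ? m - 4294967296 : m;
}

// Reference Math.imul: low 32 bits of the product of the ToInt32'd operands.
// The multiplier is split into 16-bit halves so every intermediate product
// stays below 2^53 and is therefore exact as a double.
function referenceImul(a, b) {
  const x = toInt32(a) >>> 0;
  const y = toInt32(b) >>> 0;
  const lo = (x * (y & 0xffff)) >>> 0;
  const hi = (x * (y >>> 16)) >>> 0;
  return ((lo + (hi << 16)) >>> 0) | 0;
}

// Model (an assumption about the bug's shape, not a transcription of the thunk)
// of a fast path that treats any double that is not already an integer as 0
// instead of applying ToInt32.
function buggyFastPathImul(a, b) {
  const asInt = v => (Number.isInteger(v) ? v | 0 : 0);
  return referenceImul(asInt(a), asInt(b));
}

// Constructed operand pairs: fractional, NaN, infinite, negative zero, out of
// int32 range, exact multiples of 2^32, and the classic 32-bit edge products.
const SAMPLE_INPUTS = [
  [2.5, 3], [-1.9, 7], [NaN, 5], [Infinity, 5], [-0, 5], [1e10, 1],
  [2 ** 53, 7], [2 ** 32 + 3, 2], [0xffffffff, 5], [-2147483649, 1],
  [0x7fffffff, 0x7fffffff], [-2147483648, -1],
];

// Returns the input pairs on which two implementations disagree. Comparing
// the reference against the engine's Math.imul should yield none; comparing
// the modelled fast path against the reference isolates the fractional cases.
function disagreements(impl, oracle, inputs = SAMPLE_INPUTS) {
  return inputs.filter(([a, b]) => impl(a, b) !== oracle(a, b));
}
```

Running disagreements(referenceImul, Math.imul) on a fixed engine returns an empty list, while disagreements(buggyFastPathImul, referenceImul) returns exactly the two fractional pairs, which is the behaviour the entry describes: only non-integer doubles were mishandled, and the fix is to route them through a slow path that applies ToInt32.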
2014-02-20  Filip Pizlo  <fpizlo@apple.com>

        DFG should do its own static estimates of execution frequency before it starts creating OSR entrypoints
        https://bugs.webkit.org/show_bug.cgi?id=129129

        Reviewed by Geoffrey Garen.

        We estimate execution counts based on loop depth, and then use those to estimate branch
        weights. These weights then get carried all the way down to LLVM prof branch_weights
        meta-data.

        This is better than letting LLVM do its own static estimates, since by the time we
        generate LLVM IR, we may have messed up the CFG due to OSR entrypoint creation. Of
        course, it would be even better if we just slurped in some kind of execution counts
        from profiling, but we don't do that, yet.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGBasicBlock.cpp:
        (JSC::DFG::BasicBlock::BasicBlock):
        * dfg/DFGBasicBlock.h:
        * dfg/DFGBlockInsertionSet.cpp:
        (JSC::DFG::BlockInsertionSet::insert):
        (JSC::DFG::BlockInsertionSet::insertBefore):
        * dfg/DFGBlockInsertionSet.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        (JSC::DFG::createPreHeader):
        * dfg/DFGNaturalLoops.h:
        (JSC::DFG::NaturalLoops::loopDepth):
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGStaticExecutionCountEstimationPhase.cpp: Added.
        (JSC::DFG::StaticExecutionCountEstimationPhase::StaticExecutionCountEstimationPhase):
        (JSC::DFG::StaticExecutionCountEstimationPhase::run):
        (JSC::DFG::StaticExecutionCountEstimationPhase::applyCounts):
        (JSC::DFG::performStaticExecutionCountEstimation):
        * dfg/DFGStaticExecutionCountEstimationPhase.h: Added.

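The entry above describes the shape of the new phase: derive an execution-count estimate for each block from its natural-loop depth, then turn those counts into branch weights for the conditional branches. The following is an added example, not the DFG's own code, that carries that pipeline through on a small control-flow graph: dominators, back edges, natural-loop bodies, loop depth, counts, and per-branch weights. SAMPLE_CFG is constructed, and the 10^depth weighting is an assumption chosen to make the estimate visible, not a claim about the constants JavaScriptCore uses.

```javascript
// Added example, not the DFG's own code: a static execution-count estimate from
// natural-loop depth and the branch weights derived from it. SAMPLE_CFG is
// constructed; 10^depth is an illustrative weighting, not JSC's constant.

// A CFG is { entry, blocks: { name: [successor names] } }. A block with two
// successors is a conditional branch whose first successor is the taken edge.
// B is an outer loop header (B -> C -> E -> B), C an inner one (C -> D -> C).
const SAMPLE_CFG = {
  entry: 'A',
  blocks: { A: ['B'], B: ['C', 'F'], C: ['D', 'E'], D: ['C'], E: ['B'], F: [] },
};

function predecessors(cfg) {
  const preds = {};
  for (const n of Object.keys(cfg.blocks)) preds[n] = [];
  for (const [n, succs] of Object.entries(cfg.blocks)) for (const s of succs) preds[s].push(n);
  return preds;
}

// Iterative dominator computation: dom(entry) = {entry}, dom(b) = {b} plus the
// intersection of dom(p) over all predecessors p, iterated to a fixed point.
function dominators(cfg) {
  const names = Object.keys(cfg.blocks);
  const preds = predecessors(cfg);
  const dom = {};
  for (const n of names) dom[n] = new Set(n === cfg.entry ? [n] : names);
  let changed = true;
  while (changed) {
    changed = false;
    for (const n of names) {
      if (n === cfg.entry) continue;
      let meet = null;
      for (const p of preds[n]) {
        meet = meet === null ? new Set(dom[p]) : new Set([...meet].filter(x => dom[p].has(x)));
      }
      const next = new Set(meet || []);
      next.add(n);
      if (next.size !== dom[n].size || [...next].some(x => !dom[n].has(x))) {
        dom[n] = next;
        changed = true;
      }
    }
  }
  return dom;
}

// Natural loops: an edge tail -> header is a back edge when header dominates
// tail; the loop body is the header plus every block that reaches tail
// without passing through the header.
function naturalLoops(cfg) {
  const dom = dominators(cfg);
  const preds = predecessors(cfg);
  const loops = [];
  for (const [tail, succs] of Object.entries(cfg.blocks)) {
    for (const header of succs) {
      if (!dom[tail].has(header)) continue;
      const body = new Set([header]);
      const work = [tail];
      while (work.length) {
        const b = work.pop();
        if (body.has(b)) continue;
        body.add(b);
        for (const p of preds[b]) work.push(p);
      }
      loops.push({ header, body });
    }
  }
  return loops;
}

// Loop depth of a block = number of natural loops whose body contains it.
function loopDepths(cfg) {
  const loops = naturalLoops(cfg);
  const depth = {};
  for (const n of Object.keys(cfg.blocks)) depth[n] = loops.filter(l => l.body.has(n)).length;
  return depth;
}

// Execution-count estimate: 10^depth (illustrative weighting, see above).
function estimateExecutionCounts(cfg) {
  const depth = loopDepths(cfg);
  const counts = {};
  for (const n of Object.keys(cfg.blocks)) counts[n] = 10 ** depth[n];
  return counts;
}

// Branch weights for each two-way branch: the estimated counts of its two
// targets, which is the pair of numbers LLVM's branch_weights metadata carries.
function branchWeights(cfg) {
  const counts = estimateExecutionCounts(cfg);
  const weights = {};
  for (const [n, succs] of Object.entries(cfg.blocks)) {
    if (succs.length === 2) weights[n] = { taken: counts[succs[0]], notTaken: counts[succs[1]] };
  }
  return weights;
}
```

On SAMPLE_CFG the depths come out as A:0, B:1, C:2, D:2, E:1, F:0, so the branch in B is weighted 100:1 toward staying in the loop and the branch in C is weighted 100:10 toward the inner back edge. The point the entry makes is that these numbers are computed on the CFG as the DFG sees it, before OSR entrypoint creation rewrites it; computing them later, from a CFG with extra entry blocks spliced in, would skew the loop structure the estimate depends on.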
2014-02-20  Filip Pizlo  <fpizlo@apple.com>

        FTL may not see a compact_unwind section if there weren't any stackmaps
        https://bugs.webkit.org/show_bug.cgi?id=129125

        Reviewed by Geoffrey Garen.

        It's OK to not have an unwind section, so long as the function also doesn't have any
        OSR exits.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        (JSC::FTL::compile):
        * ftl/FTLUnwindInfo.cpp:
        (JSC::FTL::UnwindInfo::parse):
        * ftl/FTLUnwindInfo.h:

== Rolled over to ChangeLog-2014-02-20 ==