[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-05-05  Andreas Kling  <akling@apple.com>

        REGRESSION (r168256): ASSERTION FAILED: (buffer + m_length) == position loading vanityfair.com article.
        <https://webkit.org/b/168256>
        <rdar://problem/16816316>

        Make resolveRopeSlowCase8() behave like its 16-bit counterpart and not
        clear the fibers. The caller takes care of this.

        Test: fast/dom/getElementById-with-rope-string-arg.html

        Reviewed by Geoffrey Garen.

        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeSlowCase8):

2014-05-05  Michael Saboff  <msaboff@apple.com>

        REGRESSION: RELEASE_ASSERT in CodeBlock::baselineVersion @ cnn.com
        https://bugs.webkit.org/show_bug.cgi?id=132581

        Reviewed by Filip Pizlo.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::isStillValid): Check that the alternative codeBlock we
        started compiling for is still the same at the end of compilation.
        Also did some minor restructuring.

2014-05-05  Andreas Kling  <akling@apple.com>

        Optimize PutByVal when subscript is a rope string.
        <https://webkit.org/b/132572>

        Add a JSString::toIdentifier() that is smarter when the JSString is
        really a rope string. Use this in baseline & DFG's PutByVal to avoid
        allocating new StringImpls that we immediately deduplicate anyway.

        Reviewed by Antti Koivisto.

        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * jit/JITOperations.cpp:
        * runtime/JSString.h:
        (JSC::JSString::toIdentifier):

2014-05-05  Andreas Kling  <akling@apple.com>

        Remove two now-incorrect assertions after r168256.

        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeSlowCase8):
        (JSC::JSRopeString::resolveRopeSlowCase):

2014-05-04  Andreas Kling  <akling@apple.com>

        Optimize JSRopeString for resolving directly to AtomicString.
        <https://webkit.org/b/132548>

        If we know that the JSRopeString we are resolving is going to be used
        as an AtomicString, we can try to avoid creating a new string.

        We do this by first resolving the rope into a stack buffer, and using
        that buffer as a key into the AtomicString table. If there is already
        an AtomicString with the same characters, we reuse that instead of
        constructing a new StringImpl.

        JSString gains these two public functions:

        - AtomicString toAtomicString()

            Returns an AtomicString, tries to avoid allocating a new string
            if possible.

        - AtomicStringImpl* toExistingAtomicString()

            Returns a non-null AtomicStringImpl* if one already exists in the
            AtomicString table. If none is found, the rope is left unresolved.

        Reviewed by Filip Pizlo.

        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeInternal8):
        (JSC::JSRopeString::resolveRopeInternal16):
        (JSC::JSRopeString::resolveRopeToAtomicString):
        (JSC::JSRopeString::clearFibers):
        (JSC::JSRopeString::resolveRopeToExistingAtomicString):
        (JSC::JSRopeString::resolveRope):
        (JSC::JSRopeString::outOfMemory):
        * runtime/JSString.h:
        (JSC::JSString::toAtomicString):
        (JSC::JSString::toExistingAtomicString):

2014-05-04  Andreas Kling  <akling@apple.com>

        Unreviewed, rolling out r168254.

        Very crashy on debug JSC tests.

        Reverted changeset:

        "jsSubstring() should be lazy"
        https://bugs.webkit.org/show_bug.cgi?id=132556
        http://trac.webkit.org/changeset/168254

2014-05-04  Filip Pizlo  <fpizlo@apple.com>

        jsSubstring() should be lazy
        https://bugs.webkit.org/show_bug.cgi?id=132556

        Reviewed by Andreas Kling.

        jsSubstring() is now lazy by using a special rope that is a substring instead of a
        concatenation. To make this patch super simple, we require that a substring's base is
        never a rope. Hence, when resolving a rope, we either go down a non-recursive substring
        path, or we go down a concatenation path which may see exactly one level of substrings in
        its fibers.

        This is up to a 50% speed-up on microbenchmarks and a 10% speed-up on Octane/regexp.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::specializedSweep):
        * runtime/JSString.cpp:
        (JSC::JSRopeString::visitFibers):
        (JSC::JSRopeString::resolveRope):
        (JSC::JSRopeString::resolveRopeSlowCase8):
        (JSC::JSRopeString::resolveRopeSlowCase):
        (JSC::JSRopeString::outOfMemory):
        * runtime/JSString.h:
        (JSC::JSRopeString::finishCreation):
        (JSC::JSRopeString::append):
        (JSC::JSRopeString::create):
        (JSC::JSRopeString::offsetOfFibers):
        (JSC::JSRopeString::fiber):
        (JSC::JSRopeString::substringBase):
        (JSC::JSRopeString::substringOffset):
        (JSC::JSRopeString::substringSentinel):
        (JSC::JSRopeString::isSubstring):
        (JSC::jsSubstring):
        * runtime/RegExpMatchesArray.cpp:
        (JSC::RegExpMatchesArray::reifyAllProperties):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncSubstring):
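The rope shapes described in the jsSubstring() entry above (a substring whose base is never a rope, and a concatenation whose fibers may contain substrings), the resolve-into-a-stack-buffer lookup from the "Optimize JSRopeString for resolving directly to AtomicString" entry, and the `(buffer + m_length) == position` length check from the r168256 regression entry, as one added C++ illustration that is not JavaScriptCore's code. `Rope`, `makeLeaf`, `makeConcat`, `makeSubstring`, `resolve`, `toExistingAtomicString` and `toAtomicString` are names assumed here, and the AtomicString table is stood in for by a `std::unordered_set<std::string>`.

```cpp
// Added illustration, not JavaScriptCore's code: a toy rope string with the
// three shapes the ChangeLog entries describe. All names are assumed.
#include <algorithm>
#include <cassert>
#include <cstddef>
#include <memory>
#include <string>
#include <unordered_set>
#include <vector>

struct Rope;
using RopePtr = std::shared_ptr<Rope>;

struct Rope {
    enum class Kind { Leaf, Concat, Substring };
    Kind kind = Kind::Leaf;
    std::string chars;            // Leaf payload; also the cached result after resolve()
    std::vector<RopePtr> fibers;  // Concat children: leaves, substrings or further concats
    RopePtr base;                 // Substring base: always a Leaf, never a rope
    size_t offset = 0;            // Substring start within base
    size_t length = 0;            // known up front for every kind, like JSString::m_length
    bool isResolved() const { return kind == Kind::Leaf; }
};

RopePtr makeLeaf(std::string s) {
    auto r = std::make_shared<Rope>();
    r->length = s.size();
    r->chars = std::move(s);
    return r;
}

RopePtr makeConcat(std::vector<RopePtr> fibers) {
    auto r = std::make_shared<Rope>();
    r->kind = Rope::Kind::Concat;
    for (const auto& f : fibers)
        r->length += f->length;
    r->fibers = std::move(fibers);
    return r;
}

void resolve(Rope& rope);

// Requirement from the jsSubstring() entry: a substring's base is never a rope,
// so an unresolved base is flattened before the substring node is built.
RopePtr makeSubstring(RopePtr base, size_t offset, size_t length) {
    assert(offset + length <= base->length);
    if (!base->isResolved())
        resolve(*base);
    auto r = std::make_shared<Rope>();
    r->kind = Rope::Kind::Substring;
    r->base = std::move(base);
    r->offset = offset;
    r->length = length;
    return r;
}

// Writes the characters of `rope` starting at `position` and returns the
// advanced position. Substring fibers need no recursion: their base is flat.
static char* writeChars(const Rope& rope, char* position) {
    switch (rope.kind) {
    case Rope::Kind::Leaf:
        return std::copy(rope.chars.begin(), rope.chars.end(), position);
    case Rope::Kind::Substring: {
        auto first = rope.base->chars.begin() + rope.offset;
        return std::copy(first, first + rope.length, position);
    }
    case Rope::Kind::Concat:
        for (const auto& fiber : rope.fibers)
            position = writeChars(*fiber, position);
        return position;
    }
    return position;
}

// Flattens a rope in place. The final check is the assertion named in the
// r168256 regression entry: every fiber must account for exactly its length.
void resolve(Rope& rope) {
    if (rope.isResolved())
        return;
    std::string buffer(rope.length, '\0');
    char* position = writeChars(rope, &buffer[0]);
    assert(position == &buffer[0] + rope.length);
    rope.chars = std::move(buffer);
    rope.kind = Rope::Kind::Leaf;
    rope.fibers.clear();  // the caller of the slow path clears the fibers, as the fix says
    rope.base.reset();
}

using AtomicTable = std::unordered_set<std::string>;

// Mirrors toExistingAtomicString(): resolve into a stack buffer and probe the
// table. Returns the interned entry if present, otherwise nullptr, and in both
// cases leaves the rope itself unresolved. Ropes longer than the stack buffer
// fall back to a heap buffer (an assumption of this toy).
const std::string* toExistingAtomicString(const Rope& rope, const AtomicTable& table) {
    char stackBuffer[64];
    std::string heapBuffer;
    char* buffer = stackBuffer;
    if (rope.length > sizeof(stackBuffer)) {
        heapBuffer.resize(rope.length);
        buffer = &heapBuffer[0];
    }
    char* position = writeChars(rope, buffer);
    assert(position == buffer + rope.length);
    auto it = table.find(std::string(buffer, rope.length));  // lookup key only; nothing is inserted
    return it == table.end() ? nullptr : &*it;
}

// Mirrors toAtomicString(): reuse an existing entry, otherwise resolve and intern.
const std::string& toAtomicString(Rope& rope, AtomicTable& table) {
    if (const std::string* existing = toExistingAtomicString(rope, table))
        return *existing;
    resolve(rope);
    return *table.insert(rope.chars).first;
}
```

With a table already holding "hello", a substring of the leaf "say hello" covering "hello" is found without ever flattening the substring node, while a concatenation that spells a string not yet in the table is resolved once and then interned.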

2014-05-02  Michael Saboff  <msaboff@apple.com>

        "arm64 function not 4-byte aligned" warnings when building JSC
        https://bugs.webkit.org/show_bug.cgi?id=132495

        Reviewed by Geoffrey Garen.

        Added ".align 4" for both ARM Thumb2 and ARM 64 to silence the linker.

        * llint/LowLevelInterpreter.cpp:

2014-05-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix cloop build after r168178

        * bytecode/CodeBlock.cpp:

2014-05-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add a DFG function whitelist
        https://bugs.webkit.org/show_bug.cgi?id=132437

        Reviewed by Geoffrey Garen.

        Often times when debugging, using bytecode ranges isn't enough to narrow down to the
        particular DFG block that's causing issues. This patch adds the ability to whitelist
        specific functions specified in a file to enable further filtering without having to recompile.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::isSupported):
        (JSC::DFG::mightInlineFunctionForCall):
        (JSC::DFG::mightInlineFunctionForClosureCall):
        (JSC::DFG::mightInlineFunctionForConstruct):
        * dfg/DFGFunctionWhitelist.cpp: Added.
        (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
        (JSC::DFG::FunctionWhitelist::FunctionWhitelist):
        (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
        (JSC::DFG::FunctionWhitelist::contains):
        * dfg/DFGFunctionWhitelist.h: Added.
        * runtime/Options.cpp:
        (JSC::parse):
        (JSC::Options::dumpOption):
        * runtime/Options.h:
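The file-driven allowlist the entry above describes, as an added C++ illustration that is not JavaScriptCore's DFGFunctionWhitelist. The file syntax (one name per line, `#` comments, whitespace trimmed), the "no file means no filtering" rule, and the names `parseFunctionNames`, `loadFile`, `isActive` and `sampleWhitelist` are assumptions of this example.

```cpp
// Added illustration, not JavaScriptCore's DFGFunctionWhitelist. An allowlist
// of function names read from text: one name per line, surrounding whitespace
// trimmed, blank lines skipped, and '#' starting a comment (an assumed syntax).
#include <fstream>
#include <istream>
#include <sstream>
#include <string>
#include <unordered_set>

class FunctionWhitelist {
public:
    // Parse names from any stream: a file stream in real use, a string stream in tests.
    static FunctionWhitelist parseFunctionNames(std::istream& in) {
        FunctionWhitelist list;
        std::string line;
        while (std::getline(in, line)) {
            const auto hash = line.find('#');
            if (hash != std::string::npos)
                line.erase(hash);
            const auto first = line.find_first_not_of(" \t\r");
            if (first == std::string::npos)
                continue;  // blank or comment-only line
            const auto last = line.find_last_not_of(" \t\r");
            list.m_names.insert(line.substr(first, last - first + 1));
        }
        list.m_active = true;
        return list;
    }

    // Convenience wrapper over a path. Assumed behaviour: an unreadable file
    // yields an inactive whitelist, i.e. no filtering at all.
    static FunctionWhitelist loadFile(const std::string& path) {
        std::ifstream in(path);
        if (!in)
            return FunctionWhitelist();
        return parseFunctionNames(in);
    }

    // Assumed semantics: with no whitelist configured everything may be compiled;
    // once one is active, only the listed names are.
    bool contains(const std::string& functionName) const {
        return !m_active || m_names.count(functionName) != 0;
    }

    bool isActive() const { return m_active; }
    size_t size() const { return m_names.size(); }

private:
    bool m_active = false;
    std::unordered_set<std::string> m_names;
};

// Parses a constructed inline sample so the example runs without a file.
FunctionWhitelist sampleWhitelist() {
    std::istringstream in("foo\n  bar   # inline comment\n\n# comment-only line\nbaz\r\n");
    return FunctionWhitelist::parseFunctionNames(in);
}
```

Trimming the trailing `\r` matters when the file was written on Windows; without it "baz\r" would silently never match.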

2014-05-02  Filip Pizlo  <fpizlo@apple.com>

        DFGAbstractInterpreter should not claim Int52 arithmetic creates Int52s
        https://bugs.webkit.org/show_bug.cgi?id=132446

        Reviewed by Mark Hahnenberg.

        Basically any arithmetic operation can turn an Int52 into an Int32 or vice-versa, and
        our modeling of Int52Rep nodes is such that they can have either Int32 or Int52 type
        to indicate a bound on the value. This is useful for knowing, for example, that
        Int52Rep(Int32:) returns a value that cannot be outside the Int32 range. Also,
        ValueRep(Int52Rep:) uses this to determine whether it may return a double or an int.
        But this means that all arithmetic operations must be careful to note that they may
        turn Int32 inputs into an Int52 output or vice-versa, as these new tests show.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        * tests/stress/int52-ai-add-then-filter-int32.js: Added.
        (foo):
        * tests/stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js: Added.
        (foo):
        * tests/stress/int52-ai-mul-then-filter-int32-directly.js: Added.
        (foo):
        * tests/stress/int52-ai-mul-then-filter-int32.js: Added.
        (foo):
        * tests/stress/int52-ai-neg-then-filter-int32.js: Added.
        (foo):
        * tests/stress/int52-ai-sub-then-filter-int32.js: Added.
        (foo):

2014-05-01  Geoffrey Garen  <ggaren@apple.com>

        JavaScriptCore fails to build with some versions of clang
        https://bugs.webkit.org/show_bug.cgi?id=132436

        Reviewed by Anders Carlsson.

        * runtime/ArgumentsIteratorConstructor.cpp: Since we call
        putDirectWithoutTransition, and it calls putWillGrowOutOfLineStorage,
        and both are marked inline, it's valid for the compiler to decide
        to inline both and emit neither in the binary. Therefore, we need
        both inline definitions to be available in the translation unit at
        compile time, or we'll try to link against a function that doesn't exist.

2014-05-01  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r167964.
        https://bugs.webkit.org/show_bug.cgi?id=132431

        Memory improvements should not regress memory usage (Requested
        by olliej on #webkit).

        Reverted changeset:

        "Don't hold on to parameter BindingNodes forever"
        https://bugs.webkit.org/show_bug.cgi?id=132360
        http://trac.webkit.org/changeset/167964

2014-05-01  Filip Pizlo  <fpizlo@apple.com>

        Fix trivial debug-only race-that-crashes in CallLinkStatus and explain why the remaining races are totally awesome
        https://bugs.webkit.org/show_bug.cgi?id=132427

        Reviewed by Mark Hahnenberg.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):

2014-04-30  Simon Fraser  <simon.fraser@apple.com>

        Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO
        https://bugs.webkit.org/show_bug.cgi?id=132396

        Reviewed by Eric Carlson.

        Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO and related code.

        * Configurations/FeatureDefines.xcconfig:

2014-04-30  Filip Pizlo  <fpizlo@apple.com>

        Argument flush formats should not be presumed to be JSValue since 'this' is weird
        https://bugs.webkit.org/show_bug.cgi?id=132404

        Reviewed by Michael Saboff.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Don't assume that arguments are flushed as JSValue. Use the logic for locals instead.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): SetArgument "changes" the format because before this we wouldn't know we had arguments.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Ditto.
        * dfg/DFGValueSource.cpp:
        (JSC::DFG::ValueSource::dumpInContext): Make this easier to dump.
        * dfg/DFGValueSource.h:
        (JSC::DFG::ValueSource::operator!): Make this easier to dump because Operands<T> uses T::operator!().
        * ftl/FTLOSREntry.cpp:
        (JSC::FTL::prepareOSREntry): This had a useful assertion for everything except 'this'.
        * tests/stress/strict-to-this-int.js: Added.
        (foo):
        (Number.prototype.valueOf):
        (test):

2014-04-29  Oliver Hunt  <oliver@apple.com>

        Don't hold on to parameterBindingNodes forever
        https://bugs.webkit.org/show_bug.cgi?id=132360

        Reviewed by Geoffrey Garen.

        Don't keep the parameter nodes anymore. Instead we store the
        original parameter string and reparse whenever we actually
        need them. Because we only actually need them for compilation
        this only results in a single extra parse.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::visitChildren):
        (JSC::UnlinkedFunctionExecutable::finishCreation):
        (JSC::UnlinkedFunctionExecutable::paramString):
        (JSC::UnlinkedFunctionExecutable::parameters):
        (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::create):
        (JSC::UnlinkedFunctionExecutable::parameterCount):
        (JSC::UnlinkedFunctionExecutable::parameters): Deleted.
        (JSC::UnlinkedFunctionExecutable::finishCreation): Deleted.
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::ASTBuilder):
        (JSC::ASTBuilder::setFunctionBodyParameters):
        * parser/Nodes.h:
        (JSC::FunctionBodyNode::parametersStartOffset):
        (JSC::FunctionBodyNode::parametersEndOffset):
        (JSC::FunctionBodyNode::setParameterLocation):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::parseParameters):
        * parser/Parser.h:
        (JSC::parse):
        * parser/SourceCode.h:
        (JSC::SourceCode::subExpression):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::setFunctionBodyParameters):

2014-04-29  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSProxies should be cacheable
        https://bugs.webkit.org/show_bug.cgi?id=132351

        Reviewed by Geoffrey Garen.

        Whenever we encounter a proxy in an inline cache we should try to cache on the
        proxy's target instead of giving up.

        This patch adds support for a simple "recursive" inline cache if the base object
        we're accessing is a pure forwarding proxy. JSGlobalObject and its subclasses
        are the only ones to benefit from this right now.

        This is performance neutral on the benchmarks we track. Currently we won't
        cache on JSDOMWindow due to HasImpureGetOwnPropertySlot, but this issue will be fixed soon.

        * jit/Repatch.cpp:
        (JSC::generateByIdStub):
        (JSC::tryBuildGetByIDList):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionCreateProxy):
        * runtime/IntendedStructureChain.cpp:
        (JSC::IntendedStructureChain::isNormalized):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::isProxy):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::finishCreation):
        * runtime/JSProxy.h:
        (JSC::JSProxy::createStructure):
        (JSC::JSProxy::targetOffset):
        * runtime/JSType.h:
        * runtime/Operations.h:
        (JSC::isPrototypeChainNormalized):
        * runtime/Structure.h:
        (JSC::Structure::isProxy):
        * tests/stress/proxy-inline-cache.js: Added.
        (cacheOnTarget.getX):
        (cacheOnTarget):
        (cacheOnPrototypeOfTarget.getX):
        (cacheOnPrototypeOfTarget):
        (dontCacheOnProxyInPrototypeChain.getX):
        (dontCacheOnProxyInPrototypeChain):
        (dontCacheOnTargetOfProxyInPrototypeChainOfTarget.getX):
        (dontCacheOnTargetOfProxyInPrototypeChainOfTarget):

2014-04-29  Filip Pizlo  <fpizlo@apple.com>

        Use LLVM as a backend for the fourth-tier DFG JIT (a.k.a. the FTL JIT)
        https://bugs.webkit.org/show_bug.cgi?id=112840

        Rubber stamped by Geoffrey Garen.

        * Configurations/FeatureDefines.xcconfig:

2014-04-29  Geoffrey Garen  <ggaren@apple.com>

        String.prototype.trim removes U+200B from strings.
        https://bugs.webkit.org/show_bug.cgi?id=130184

        Reviewed by Michael Saboff.

        * runtime/StringPrototype.cpp:
        (JSC::trimString):
        (JSC::isTrimWhitespace): Deleted.

2014-04-29  Mark Lam  <mark.lam@apple.com>

        Zombifying sweep should ignore retired blocks.
        <https://webkit.org/b/132344>

        Reviewed by Mark Hahnenberg.

        By definition, retired blocks do not have "dead" objects, or at least
        none that we know of yet until the next marking phase has been run
        over it.  So, we should not be sweeping them (even for zombie mode).

        * heap/Heap.cpp:
        (JSC::Heap::zombifyDeadObjects):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::zombifySweep):
        * heap/MarkedSpace.h:
        (JSC::ZombifySweep::operator()):

2014-04-29  Mark Lam  <mark.lam@apple.com>

        Fix bit rot in zombie mode heap code.
        <https://webkit.org/b/132342>

        Reviewed by Mark Hahnenberg.

        Need to enter a DelayedReleaseScope before doing a sweep.

        * heap/Heap.cpp:
        (JSC::Heap::zombifyDeadObjects):

2014-04-29  Tomas Popela  <tpopela@redhat.com>

        LLINT loadisFromInstruction doesn't need special case for big endians
        https://bugs.webkit.org/show_bug.cgi?id=132330

        Reviewed by Mark Lam.

        The change introduced in r167076 was wrong. We should not apply the offset
        adjustment on loadisFromInstruction usage as the instruction
        (UnlinkedInstruction) is declared as an union (i.e. with the int32_t
        operand variable). The offset of the other union members will be the
        same as the offset of the first one, that is 0. The behavior here is the
        same on little and big endian architectures. Thus we don't need
        special case for big endians.

        * llint/LowLevelInterpreter.asm:
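The union-layout point the entry above makes, as an added C++ illustration that is not JavaScriptCore's code: every member of a union sits at offset 0 regardless of endianness, so a 32-bit operand member is read without adjustment, whereas a 32-bit value stored inside a 64-bit slot would need one. `InstructionWord`, `offsetOfOperand`, `loadisFromInstruction`, `isBigEndian`, `low32OffsetWithinInt64` and `loadLow32FromInt64` are names assumed here; the real `UnlinkedInstruction` is not reproduced.

```cpp
// Added illustration, not JavaScriptCore's code. A toy instruction slot laid
// out as a union, in the spirit of UnlinkedInstruction, showing why the
// int32_t operand needs no endian-dependent offset adjustment.
#include <cstddef>
#include <cstdint>
#include <cstring>

union InstructionWord {
    int32_t operand;      // what loadisFromInstruction wants
    int64_t wide;
    const void* pointer;
};

// All members of a union start at the union's own address, so their offsets
// are identical (0) on little- and big-endian targets alike.
static_assert(offsetof(InstructionWord, operand) == 0, "operand at offset 0");
static_assert(offsetof(InstructionWord, wide) == 0, "wide at offset 0");
static_assert(offsetof(InstructionWord, pointer) == 0, "pointer at offset 0");

size_t offsetOfOperand() { return offsetof(InstructionWord, operand); }

// The load the LLInt macro performs: read the int32_t member at offset 0.
int32_t loadisFromInstruction(const InstructionWord* instruction) {
    return instruction->operand;
}

// Runtime endianness probe, used only for the contrasting case below.
bool isBigEndian() {
    const uint16_t probe = 1;
    unsigned char firstByte;
    std::memcpy(&firstByte, &probe, 1);
    return firstByte == 0;
}

// The case where an adjustment really is needed, for contrast: a 32-bit value
// kept in the low half of a 64-bit slot. Its low 32 bits begin at byte 4 on
// big-endian and byte 0 on little-endian. A union member is never this case.
size_t low32OffsetWithinInt64() { return isBigEndian() ? 4 : 0; }

int32_t loadLow32FromInt64(const int64_t* slot) {
    int32_t value;
    std::memcpy(&value,
                reinterpret_cast<const unsigned char*>(slot) + low32OffsetWithinInt64(),
                sizeof value);
    return value;
}
```

The `static_assert`s are the whole argument: they hold on every target, which is exactly why an endian-conditional offset for the union member was a bug rather than a portability fix.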
454
455 2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>
456
457         Simplify tryCacheGetById
458         https://bugs.webkit.org/show_bug.cgi?id=132314
459
460         Reviewed by Oliver Hunt and Filip Pizlo.
461
462         This is neutral across all benchmarks we track, although it looks like a wee 0.5% progression on sunspider.
463
464         * jit/Repatch.cpp:
465         (JSC::tryCacheGetByID): If we fail to cache on self, we just repatch to call tryBuildGetByIDList next time.
466
467 2014-04-28  Michael Saboff  <msaboff@apple.com>
468
469         REGRESSION(r153142) ASSERT from CodeBlock::dumpBytecode dumping String Switch Jump Tables
470         https://bugs.webkit.org/show_bug.cgi?id=132315
471
472         Reviewed by Mark Hahnenberg.
473
474         Used the StringImpl version of utf8() instead of creating a String first.
475
476         * bytecode/CodeBlock.cpp:
477         (JSC::CodeBlock::dumpBytecode):
478
479 2014-04-28  Filip Pizlo  <fpizlo@apple.com>
480
481         The LLInt is awesome and it should get more of the action.
482
483         Rubber stamped by Geoffrey Garen.
484         
485         5% speed-up on JSBench and no meaningful regressions.  Should be a PLT/DYE speed-up also.
486
487         * runtime/Options.h:
488
489 2014-04-27  Filip Pizlo  <fpizlo@apple.com>
490
491         GC should be able to remove things from the DFG worklist and cancel on-going compilations if it knows that the compilation would already be invalidated
492         https://bugs.webkit.org/show_bug.cgi?id=132166
493
494         Reviewed by Oliver Hunt and Mark Hahnenberg.
495         
496         The GC can aid type inference by removing structures that are dead and jettisoning
497         code that relies on those structures. This can dramatically accelerate type inference
498         for some tricky programs.
499         
500         Unfortunately, we previously pinned any structures that enqueued compilations depended
501         on. This means that if you're on a machine that only runs a single compilation thread
502         and where compilations are relatively slow, you have a high chance of large numbers of
503         structures being pinned during any GC since the compilation queue is likely to be full
504         of random stuff.
505         
506         This comprehensively fixes this issue by allowing the GC to remove compilation plans
507         if the things they depend on are dead, and to even cancel safepointed compilations.
508         
509         * bytecode/CodeBlock.cpp:
510         (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
511         (JSC::CodeBlock::isKnownToBeLiveDuringGC):
512         (JSC::CodeBlock::finalizeUnconditionally):
513         * bytecode/CodeBlock.h:
514         (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan): Deleted.
515         * dfg/DFGDesiredIdentifiers.cpp:
516         (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
517         * dfg/DFGDesiredIdentifiers.h:
518         * dfg/DFGDesiredWatchpoints.h:
519         * dfg/DFGDesiredWeakReferences.cpp:
520         (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
521         * dfg/DFGDesiredWeakReferences.h:
522         * dfg/DFGGraphSafepoint.cpp:
523         (JSC::DFG::GraphSafepoint::GraphSafepoint):
524         * dfg/DFGGraphSafepoint.h:
525         * dfg/DFGPlan.cpp:
526         (JSC::DFG::Plan::Plan):
527         (JSC::DFG::Plan::compileInThread):
528         (JSC::DFG::Plan::compileInThreadImpl):
529         (JSC::DFG::Plan::notifyCompiling):
530         (JSC::DFG::Plan::notifyCompiled):
531         (JSC::DFG::Plan::notifyReady):
532         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
533         (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
534         (JSC::DFG::Plan::cancel):
535         (JSC::DFG::Plan::visitChildren): Deleted.
536         * dfg/DFGPlan.h:
537         * dfg/DFGSafepoint.cpp:
538         (JSC::DFG::Safepoint::Result::~Result):
539         (JSC::DFG::Safepoint::Result::didGetCancelled):
540         (JSC::DFG::Safepoint::Safepoint):
541         (JSC::DFG::Safepoint::~Safepoint):
542         (JSC::DFG::Safepoint::checkLivenessAndVisitChildren):
543         (JSC::DFG::Safepoint::isKnownToBeLiveDuringGC):
544         (JSC::DFG::Safepoint::cancel):
545         (JSC::DFG::Safepoint::visitChildren): Deleted.
546         * dfg/DFGSafepoint.h:
547         (JSC::DFG::Safepoint::Result::Result):
548         * dfg/DFGWorklist.cpp:
549         (JSC::DFG::Worklist::compilationState):
550         (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
551         (JSC::DFG::Worklist::removeAllReadyPlansForVM):
552         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
553         (JSC::DFG::Worklist::visitWeakReferences):
554         (JSC::DFG::Worklist::removeDeadPlans):
555         (JSC::DFG::Worklist::runThread):
556         (JSC::DFG::Worklist::visitChildren): Deleted.
557         * dfg/DFGWorklist.h:
558         * ftl/FTLCompile.cpp:
559         (JSC::FTL::compile):
560         * ftl/FTLCompile.h:
561         * heap/CodeBlockSet.cpp:
562         (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
563         * heap/Heap.cpp:
564         (JSC::Heap::markRoots):
565         (JSC::Heap::visitCompilerWorklistWeakReferences):
566         (JSC::Heap::removeDeadCompilerWorklistEntries):
567         (JSC::Heap::visitWeakHandles):
568         (JSC::Heap::collect):
569         (JSC::Heap::visitCompilerWorklists): Deleted.
570         * heap/Heap.h:
571
572 2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>
573
574         Deleting properties poisons objects
575         https://bugs.webkit.org/show_bug.cgi?id=131551
576
577         Reviewed by Oliver Hunt.
578
579         This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.
580
581         * runtime/JSPropertyNameIterator.cpp:
582         (JSC::JSPropertyNameIterator::create):
583         * runtime/PropertyMapHashTable.h:
584         (JSC::PropertyTable::hasDeletedOffset):
585         (JSC::PropertyTable::hadDeletedOffset): If we ever had deleted properties we can no longer cache offsets when 
586         iterating properties because we're required to iterate properties in insertion order.
587         * runtime/Structure.cpp:
588         (JSC::Structure::Structure):
589         (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
590         (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of 
591         Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache 
592         delete transitions, but we allow transitioning from them.
593         (JSC::Structure::changePrototypeTransition):
594         (JSC::Structure::despecifyFunctionTransition):
595         (JSC::Structure::attributeChangeTransition):
596         (JSC::Structure::toDictionaryTransition):
597         (JSC::Structure::preventExtensionsTransition):
598         (JSC::Structure::addPropertyWithoutTransition):
599         (JSC::Structure::removePropertyWithoutTransition):
600         (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
601         (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
602         * runtime/Structure.h:
603         * runtime/StructureInlines.h:
604         (JSC::Structure::setEnumerationCache):
605         (JSC::Structure::hadDeletedOffsets):
606         (JSC::Structure::propertyTable):
607         (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
608         * tests/stress/for-in-after-delete.js: Added.
609         (foo):
610
611 2014-04-25  Andreas Kling  <akling@apple.com>
612
613         Inline (C++) GetByVal with numeric indices more aggressively.
614         <https://webkit.org/b/132218>
615
616         We were already inlining the string indexed GetByVal path pretty well,
617         while the path for numeric indices got neglected. No more!
618
619         ~9.5% improvement on Dromaeo/dom-traverse.html on my MBP:
620
621             Before: 199.50 runs/s
622              After: 218.58 runs/s
623
624         Reviewed by Phil Pizlo.
625
626         * dfg/DFGOperations.cpp:
627         * runtime/JSCJSValueInlines.h:
628         (JSC::JSValue::get):
629
630             ALWAYS_INLINE all the things.
631
632         * runtime/JSObject.h:
633         (JSC::JSObject::getPropertySlot):
634
635             Avoid fetching the Structure more than once. We have the same
636             optimization in the string-indexed code path.
637
638 2014-04-25  Oliver Hunt  <oliver@apple.com>
639
640         Need earlier cell test
641         https://bugs.webkit.org/show_bug.cgi?id=132211
642
643         Reviewed by Mark Lam.
644
645         Move cell test to before the function call repatch
646         location, as the repatch logic for 32bit assumes that the
647         caller will already have performed a cell check.
648
649         * jit/JITCall32_64.cpp:
650         (JSC::JIT::compileOpCall):
651
652 2014-04-25  Andreas Kling  <akling@apple.com>
653
654         Un-fast-allocate JSGlobalObjectRareData because Windows doesn't build and I'm not in the mood.
655
656         * runtime/JSGlobalObject.h:
657         (JSC::JSGlobalObject::JSGlobalObjectRareData::JSGlobalObjectRareData):
658         (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData): Deleted.
659
660 2014-04-25  Andreas Kling  <akling@apple.com>
661
662         Windows build fix attempt.
663
664         * runtime/JSGlobalObject.h:
665         (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData):
666
667 2014-04-25  Mark Lam  <mark.lam@apple.com>
668
669         Refactor debugging code to use BreakpointActions instead of Vector<ScriptBreakpointAction>.
670         <https://webkit.org/b/132201>
671
672         Reviewed by Joseph Pecoraro.
673
674         BreakpointActions is Vector<ScriptBreakpointAction>.  Let's just consistently use
675         BreakpointActions everywhere.
676
677         * inspector/ScriptBreakpoint.h:
678         (Inspector::ScriptBreakpoint::ScriptBreakpoint):
679         * inspector/ScriptDebugServer.cpp:
680         (Inspector::ScriptDebugServer::setBreakpoint):
681         (Inspector::ScriptDebugServer::getActionsForBreakpoint):
682         * inspector/ScriptDebugServer.h:
683         * inspector/agents/InspectorDebuggerAgent.cpp:
684         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
685         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
686         (Inspector::InspectorDebuggerAgent::setBreakpoint):
687         (Inspector::InspectorDebuggerAgent::removeBreakpoint):
688         * inspector/agents/InspectorDebuggerAgent.h:
689
690 2014-04-24  Filip Pizlo  <fpizlo@apple.com>
691
692         DFG worklist scanning should not treat the key as a separate entity
693         https://bugs.webkit.org/show_bug.cgi?id=132167
694
695         Reviewed by Mark Hahnenberg.
696         
697         This simplifies the interface to the GC and will enable more optimizations.
698
699         * dfg/DFGCompilationKey.cpp:
700         (JSC::DFG::CompilationKey::visitChildren): Deleted.
701         * dfg/DFGCompilationKey.h:
702         * dfg/DFGPlan.cpp:
703         (JSC::DFG::Plan::visitChildren):
704         * dfg/DFGWorklist.cpp:
705         (JSC::DFG::Worklist::visitChildren):
706
707 2014-04-25  Oliver Hunt  <oliver@apple.com>
708
709         Remove unused parameter from codeblock linking function
710         https://bugs.webkit.org/show_bug.cgi?id=132199
711
712         Reviewed by Anders Carlsson.
713
714         No change in behaviour. This is just a small change to make it
715         slightly easier to reason about what the offsets in UnlinkedFunctionExecutable
716         actually mean.
717
718         * bytecode/UnlinkedCodeBlock.cpp:
719         (JSC::UnlinkedFunctionExecutable::link):
720         * bytecode/UnlinkedCodeBlock.h:
721         * runtime/Executable.cpp:
722         (JSC::ProgramExecutable::initializeGlobalProperties):
723
724 2014-04-25  Andreas Kling  <akling@apple.com>
725
726         Mark some things with WTF_MAKE_FAST_ALLOCATED.
727         <https://webkit.org/b/132198>
728
729         Use FastMalloc for more things.
730
731         Reviewed by Anders Carlsson.
732
733         * builtins/BuiltinExecutables.h:
734         * heap/GCThreadSharedData.h:
735         * inspector/JSConsoleClient.h:
736         * inspector/agents/InspectorAgent.h:
737         * runtime/CodeCache.h:
738         * runtime/JSGlobalObject.h:
739         * runtime/Lookup.cpp:
740         (JSC::HashTable::createTable):
741         (JSC::HashTable::deleteTable):
742         * runtime/WeakGCMap.h:
743
744 2014-04-25  Antoine Quint  <graouts@webkit.org>
745
746         Implement Array.prototype.find()
747         https://bugs.webkit.org/show_bug.cgi?id=130966
748
749         Reviewed by Oliver Hunt.
750
751         Implement Array.prototype.find() and Array.prototype.findIndex() as proposed in the Harmony spec.
752
753         * builtins/Array.prototype.js:
754         (find):
755         (findIndex):
756         * runtime/ArrayPrototype.cpp:
757
758 2014-04-24  Brady Eidson  <beidson@apple.com>
759
760         Rename "IMAGE_CONTROLS" feature to "SERVICE_CONTROLS"
761         https://bugs.webkit.org/show_bug.cgi?id=132155
762
763         Reviewed by Tim Horton.
764
765         * Configurations/FeatureDefines.xcconfig:
766
767 2014-04-24  Michael Saboff  <msaboff@apple.com>
768
769         REGRESSION: Apparent hang of PCE.js Mac OS System 7.0.1 on ARM64 devices
770         https://bugs.webkit.org/show_bug.cgi?id=132147
771
772         Reviewed by Mark Lam.
773
774         Fixed or64(), eor32() and eor64() to use "src" register when we have a valid logicalImm.
775
776         * assembler/MacroAssemblerARM64.h:
777         (JSC::MacroAssemblerARM64::or64):
778         (JSC::MacroAssemblerARM64::xor32):
779         (JSC::MacroAssemblerARM64::xor64):
780         * tests/stress/regress-132147.js: Added test.
781
782 2014-04-24  Mark Lam  <mark.lam@apple.com>
783
784         Make slowPathAllocsBetweenGCs a runtime option.
785         <https://webkit.org/b/132137>
786
787         Reviewed by Mark Hahnenberg.
788
789         This will make it easier to more casually run tests with this configuration
790         as well as to reproduce issues (instead of requiring a code mod and rebuild).
791         We will now take --slowPathAllocsBetweenGCs=N where N is the number of
792         slow path allocations before we trigger a collection.
793
794         The option defaults to 0, which is reserved to mean that we will not trigger
795         any collections there.
796
797         * heap/Heap.h:
798         * heap/MarkedAllocator.cpp:
799         (JSC::MarkedAllocator::doTestCollectionsIfNeeded):
800         (JSC::MarkedAllocator::allocateSlowCase):
801         * heap/MarkedAllocator.h:
802         * runtime/Options.h:
803
804 2014-04-23  Mark Lam  <mark.lam@apple.com>
805
806         The GC should only resume compiler threads that it suspended in the same GC pass.
807         <https://webkit.org/b/132088>
808
809         Reviewed by Mark Hahnenberg.
810
811         Previously, this scenario can occur:
812         1. Thread 1 starts a GC and tries to suspend DFG worklist threads.  However,
813            no worklists were created yet at that time.
814         2. Thread 2 starts to compile some functions and creates a DFG worklist, and
815            acquires the worklist thread's lock.
816         3. Thread 1's GC completes and tries to resume suspended DFG worklist thread.
817            This time, it sees the worklist created by Thread 2 and ends up unlocking
818            the worklist thread's lock that is supposedly held by Thread 2.
819         Thereafter, chaos ensues.
820
821         The fix is to cache the worklists that were actually suspended by each GC pass,
822         and only resume those when the GC is done.
823
824         This issue was discovered by enabling COLLECT_ON_EVERY_ALLOCATION and running
825         the fast/workers layout tests.
826
827         * heap/Heap.cpp:
828         (JSC::Heap::visitCompilerWorklists):
829         (JSC::Heap::deleteAllCompiledCode):
830         (JSC::Heap::suspendCompilerThreads):
831         (JSC::Heap::resumeCompilerThreads):
832         * heap/Heap.h:
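
        The three-step race above, replayed as an added example (constructed model, not
        WebKit's code): Worklist, VM, BuggyGc and FixedGc are stand-ins, unlock() mimics a
        mutex unlock that does not check who holds the lock, and the fix is the cached
        list of worklists that this GC pass actually suspended.

```cpp
#include <vector>

// Constructed model of the race in <https://webkit.org/b/132088>. "Owner" records who
// holds a worklist thread's lock; unlock() mimics a mutex unlock, which never checks
// whether the caller is the holder.
enum class Owner { None, Gc, Compiler };

struct Worklist {
    Owner owner = Owner::None;

    // GC side: take the lock so the compiler thread cannot run. Fails if already held.
    bool suspend() {
        if (owner != Owner::None)
            return false;
        owner = Owner::Gc;
        return true;
    }

    // Unlock as a raw mutex would: unconditionally. Returns true when this steals the
    // lock from a compiler thread that still holds it (the "chaos ensues" case).
    bool unlock() {
        bool stolen = (owner == Owner::Compiler);
        owner = Owner::None;
        return stolen;
    }
};

// Global registry of worklists, created lazily by compiler threads (assumed shape).
struct VM {
    std::vector<Worklist*> worklists;
};

// Before the fix: resume walks whatever worklists exist at resume time, including
// ones that did not exist when the GC suspended.
struct BuggyGc {
    void suspendCompilerThreads(VM& vm) {
        for (Worklist* w : vm.worklists)
            w->suspend();
    }
    int resumeCompilerThreads(VM& vm) {
        int stolen = 0;
        for (Worklist* w : vm.worklists)
            stolen += w->unlock() ? 1 : 0;
        return stolen;
    }
};

// After the fix: remember exactly which worklists this GC pass suspended and resume
// only those.
struct FixedGc {
    std::vector<Worklist*> suspended;
    void suspendCompilerThreads(VM& vm) {
        suspended.clear();
        for (Worklist* w : vm.worklists)
            if (w->suspend())
                suspended.push_back(w);
    }
    int resumeCompilerThreads(VM&) {
        int stolen = 0;
        for (Worklist* w : suspended)
            stolen += w->unlock() ? 1 : 0;
        suspended.clear();
        return stolen;
    }
};

struct Outcome {
    int stolenLocks;           // locks the GC released without holding them
    bool earlyWorklistResumed; // worklist present at suspend time is unlocked again
    bool lateWorklistIntact;   // worklist created mid-GC still belongs to its compiler
};

// Replays steps 1-3 from the log entry, plus one worklist that already existed at step 1
// so the fixed version can be seen resuming what it did suspend.
template <typename Gc>
Outcome runScenario() {
    VM vm;
    Gc gc;
    Worklist early;
    vm.worklists.push_back(&early);

    gc.suspendCompilerThreads(vm);             // 1. GC suspends the worklists present now

    Worklist late;                             // 2. another thread creates a worklist and
    late.owner = Owner::Compiler;              //    its compiler thread takes the lock
    vm.worklists.push_back(&late);

    int stolen = gc.resumeCompilerThreads(vm); // 3. GC finishes and resumes
    return { stolen, early.owner == Owner::None, late.owner == Owner::Compiler };
}

Outcome runBuggy() { return runScenario<BuggyGc>(); }
Outcome runFixed() { return runScenario<FixedGc>(); }
```

        The buggy pass reports one stolen lock and leaves the late worklist unowned; the
        fixed pass resumes only the early worklist and leaves the compiler's lock alone.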
833
834 2014-04-23  Mark Hahnenberg  <mhahnenberg@apple.com>
835
836         Arguments::copyBackingStore needs to update m_registers in tandem with m_registerArray
837         https://bugs.webkit.org/show_bug.cgi?id=132079
838
839         Reviewed by Michael Saboff.
840
841         Since we're moving the register backing store, we don't want to leave a dangling pointer into a random CopiedBlock.
842
843         Also added a test that previously triggered this bug.
844
845         * runtime/Arguments.cpp:
846         (JSC::Arguments::copyBackingStore): D'oh!
847         * tests/stress/arguments-copy-register-array-backing-store.js: Added.
848         (foo):
849         (bar):
850
851 2014-04-23  Mark Rowe  <mrowe@apple.com>
852
853         [Mac] REGRESSION (r164823): Building JavaScriptCore creates files under /tmp/JavaScriptCore.dst
854         <https://webkit.org/b/132053>
855
856         Reviewed by Dan Bernstein.
857
858         * JavaScriptCore.xcodeproj/project.pbxproj: Don't try to create a symlink at /usr/local/bin/jsc inside
859         the DSTROOT unless we're building to the deployment location. Also remove the unnecessary -x argument
860         from /bin/sh since that generates unnecessary output.
861
862 2014-04-22  Mark Lam  <mark.lam@apple.com>
863
864         DFG::Worklist should acquire the m_lock before iterating DFG plans.
865         <https://webkit.org/b/132032>
866
867         Reviewed by Filip Pizlo.
868
869         Currently, there's a rightToRun mechanism that ensures that no compilation
870         threads are running when the GC is iterating through the DFG worklists.
871         However, this does not prevent a Worker thread from doing a DFG compilation
872         and modifying the plans in the worklists thereby invalidating the plan
873         iterator that the GC is using.  This patch fixes the issue by acquiring
874         the worklist m_lock before iterating the worklist plans.
875
876         This issue was uncovered by running the fast/workers layout tests with
877         COLLECT_ON_EVERY_ALLOCATION enabled.
878
879         * dfg/DFGWorklist.cpp:
880         (JSC::DFG::Worklist::isActiveForVM):
881         (JSC::DFG::Worklist::visitChildren):
882
883 2014-04-22  Brent Fulgham  <bfulgham@apple.com>
884
885         [Win] Support Python 2.7 in Cygwin
886         https://bugs.webkit.org/show_bug.cgi?id=132023
887
888         Reviewed by Michael Saboff.
889
890         * DerivedSources.make: Use a conditional variable to define
891         the path to Python/Perl.
892
893 2014-04-22  Filip Pizlo  <fpizlo@apple.com>
894
895         Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS
896         https://bugs.webkit.org/show_bug.cgi?id=130867
897         <rdar://problem/16432456> 
898
899         Reviewed by Mark Hahnenberg.
900
901         * Configurations/Base.xcconfig:
902         * Configurations/LLVMForJSC.xcconfig:
903
904 2014-04-22  Alex Christensen  <achristensen@webkit.org>
905
906         [Win] Unreviewed build fix after my r167666.
907
908         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
909         Added ../../../ again to include headers in Source/JavaScriptCore.
910
911 2014-04-22  Alex Christensen  <achristensen@webkit.org>
912
913         Removed old stdbool and inttypes headers.
914         https://bugs.webkit.org/show_bug.cgi?id=131966
915
916         Reviewed by Brent Fulgham.
917
918         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
919         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
920         Removed references to os-win32 directory.
921         * os-win32: Removed.
922         * os-win32/inttypes.h: Removed.
923         * os-win32/stdbool.h: Removed.
924
925 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
926
927         DFG::clobberize() should honestly admit that profiler and debugger nodes are effectful
928         https://bugs.webkit.org/show_bug.cgi?id=131971
929         <rdar://problem/16676511>
930
931         Reviewed by Mark Lam.
932
933         * dfg/DFGClobberize.h:
934         (JSC::DFG::clobberize):
935
936 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
937
938         Switch statements that skip the baseline JIT should work
939         https://bugs.webkit.org/show_bug.cgi?id=131965
940
941         Reviewed by Mark Hahnenberg.
942
943         * bytecode/JumpTable.h:
944         (JSC::SimpleJumpTable::ensureCTITable):
945         * dfg/DFGSpeculativeJIT.cpp:
946         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
947         * jit/JITOpcodes.cpp:
948         (JSC::JIT::emit_op_switch_imm):
949         (JSC::JIT::emit_op_switch_char):
950         * jit/JITOpcodes32_64.cpp:
951         (JSC::JIT::emit_op_switch_imm):
952         (JSC::JIT::emit_op_switch_char):
953         * tests/stress/inline-llint-with-switch.js: Added.
954         (foo):
955         (bar):
956         (test):
957
958 2014-04-21  Mark Hahnenberg  <mhahnenberg@apple.com>
959
960         Arguments objects shouldn't need a destructor
961         https://bugs.webkit.org/show_bug.cgi?id=131899
962
963         Reviewed by Oliver Hunt.
964
965         This patch rids Arguments objects of their destructors. It does this by 
966         switching their backing stores to use CopiedSpace rather than malloc memory.
967
968         * dfg/DFGSpeculativeJIT.cpp:
969         (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Fix the code emitted for inline
970         Arguments allocation so that it only emits an extra write for strict mode code rather
971         than unconditionally.
972         * heap/CopyToken.h: New CopyTokens for the two different types of Arguments backing stores.
973         * runtime/Arguments.cpp:
974         (JSC::Arguments::visitChildren): We need to tell the collector to copy the back stores now.
975         (JSC::Arguments::copyBackingStore): Do the actual copying of the backing stores.
976         (JSC::Arguments::deletePropertyByIndex): Update all the accesses to SlowArgumentData and m_registerArray.
977         (JSC::Arguments::deleteProperty):
978         (JSC::Arguments::defineOwnProperty):
979         (JSC::Arguments::allocateRegisterArray):
980         (JSC::Arguments::tearOff):
981         (JSC::Arguments::destroy): Deleted. We don't need the destructor any more.
982         * runtime/Arguments.h:
983         (JSC::Arguments::registerArraySizeInBytes):
984         (JSC::Arguments::SlowArgumentData::SlowArgumentData): Switch SlowArgumentData to being allocated
985         in CopiedSpace. Now the SlowArgumentData and its backing store are a single contiguous CopiedSpace
986         allocation.
987         (JSC::Arguments::SlowArgumentData::slowArguments):
988         (JSC::Arguments::SlowArgumentData::bytecodeToMachineCaptureOffset):
989         (JSC::Arguments::SlowArgumentData::setBytecodeToMachineCaptureOffset):
990         (JSC::Arguments::SlowArgumentData::sizeForNumArguments):
991         (JSC::Arguments::Arguments):
992         (JSC::Arguments::allocateSlowArguments):
993         (JSC::Arguments::tryDeleteArgument):
994         (JSC::Arguments::isDeletedArgument):
995         (JSC::Arguments::isArgument):
996         (JSC::Arguments::argument):
997         (JSC::Arguments::finishCreation):
998         * runtime/SymbolTable.h:
999
1000 2014-04-21  Eric Carlson  <eric.carlson@apple.com>
1001
1002         [Mac] implement WebKitDataCue
1003         https://bugs.webkit.org/show_bug.cgi?id=131799
1004
1005         Reviewed by Dean Jackson.
1006
1007         * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.
1008
1009 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
1010
1011         Unreviewed test gardening, run the repeat-out-of-bounds tests again.
1012
1013         * tests/stress/float32-repeat-out-of-bounds.js:
1014         * tests/stress/int8-repeat-out-of-bounds.js:
1015
1016 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
1017
1018         OSR exit should know about Int52 and Double constants
1019         https://bugs.webkit.org/show_bug.cgi?id=131945
1020
1021         Reviewed by Oliver Hunt.
1022         
1023         The DFG OSR exit machinery's ignorance would lead to some constants becoming
1024         jsUndefined() after OSR exit.
1025         
1026         The FTL OSR exit machinery's ignorance just meant that we would sometimes use a
1027         stackmap constant rather than baking the constant into the OSRExit data structure.
1028         So, not a big deal, but worth fixing.
1029         
1030         Also added some helpful hacks to jsc.cpp for testing such OSR exit pathologies.
1031
1032         * dfg/DFGByteCodeParser.cpp:
1033         (JSC::DFG::ByteCodeParser::handleIntrinsic):
1034         * dfg/DFGMinifiedNode.h:
1035         (JSC::DFG::belongsInMinifiedGraph):
1036         (JSC::DFG::MinifiedNode::hasConstantNumber):
1037         * ftl/FTLLowerDFGToLLVM.cpp:
1038         (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
1039         * jsc.cpp:
1040         (GlobalObject::finishCreation):
1041         (functionOtherFalse):
1042         (functionUndefined):
1043         * runtime/Intrinsic.h:
1044         * tests/stress/fold-to-double-constant-then-exit.js: Added.
1045         (foo):
1046         * tests/stress/fold-to-int52-constant-then-exit.js: Added.
1047         (foo):
1048
1049 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
1050
1051         Provide feedback when we encounter an unrecognized node in the FTL backend.
1052
1053         Rubber stamped by Alexey Proskuryakov.
1054
1055         * ftl/FTLLowerDFGToLLVM.cpp:
1056         (JSC::FTL::LowerDFGToLLVM::compileNode):
1057
1058 2014-04-21  Andreas Kling  <akling@apple.com>
1059
1060         Move the JSString cache from DOMWrapperWorld to VM.
1061         <https://webkit.org/b/131940>
1062
1063         Reviewed by Geoff Garen.
1064
1065         * runtime/VM.h:
1066
1067 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
1068
1069         Take block execution count estimates into account when voting double
1070         https://bugs.webkit.org/show_bug.cgi?id=131906
1071
1072         Reviewed by Geoffrey Garen.
1073         
1074         This was a drama in three acts.
1075         
1076         Act I: Slurp in BasicBlock::executionCount and use it as a weight when counting the
1077             number of uses of a variable that want double or non-double. Easy as pie. This
1078             gave me a huge speed-up on FloatMM and a huge slow-down on basically everything
1079             else.
1080         
1081         Act II: Realize that there were some programs where our previous double voting was
1082             just on the edge of disaster and making it more precise tipped it over. In
1083             particular, if you had an integer variable that would infrequently be used in a
1084             computation that resulted in a variable that was frequently used as an array index,
1085             the outer infrequentness would be the thing we'd use in the vote. So, an array
1086             index would become double. We fix this by reviving global backwards propagation
1087             and introducing the concept of ReallyWantsInt, which is used just for array
1088             indices. Any variable transitively flagged as ReallyWantsInt will never be forced
1089             double. We need that flag to be separate from UsedAsInt, since UsedAsInt needs to
1090             be set in bitops for RageConversion but using it for double forcing is too much.
1091             Basically, it's cheaper to have to convert a double to an int for a bitop than it
1092             is to convert a double to an int for an array index; also a variable being used as
1093             an array index is a much stronger hint that it ought to be an int. This recovered
1094             performance on everything except programs that used FTL OSR entry.
1095         
1096         Act III: Realize that OSR entrypoint creation creates blocks that have NaN execution
1097             count, which then completely pollutes the weighting - essentially all votes go
1098             NaN. Fix this with some surgical defenses. Basically, any client of execution
1099             counts should allow for them to be NaN and shouldn't completely fall off a cliff
1100             when it happens.
1101         
1102         This is awesome. 75% speed-up on FloatMM. 11% speed-up on audio-dft. This leads to
1103         7% speed-up on AsmBench and 2% speed-up on Kraken.
1104
1105         * CMakeLists.txt:
1106         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1107         * JavaScriptCore.xcodeproj/project.pbxproj:
1108         * dfg/DFGBackwardsPropagationPhase.cpp:
1109         (JSC::DFG::BackwardsPropagationPhase::run):
1110         (JSC::DFG::BackwardsPropagationPhase::propagate):
1111         * dfg/DFGGraph.cpp:
1112         (JSC::DFG::Graph::dumpBlockHeader):
1113         * dfg/DFGGraph.h:
1114         (JSC::DFG::Graph::voteNode):
1115         (JSC::DFG::Graph::voteChildren):
1116         * dfg/DFGNodeFlags.cpp:
1117         (JSC::DFG::dumpNodeFlags):
1118         * dfg/DFGNodeFlags.h:
1119         * dfg/DFGOSREntrypointCreationPhase.cpp:
1120         (JSC::DFG::OSREntrypointCreationPhase::run):
1121         * dfg/DFGPlan.cpp:
1122         (JSC::DFG::Plan::compileInThreadImpl):
1123         * dfg/DFGPredictionPropagationPhase.cpp:
1124         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
1125         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
1126         * dfg/DFGVariableAccessData.cpp: Added.
1127         (JSC::DFG::VariableAccessData::VariableAccessData):
1128         (JSC::DFG::VariableAccessData::mergeIsCaptured):
1129         (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox):
1130         (JSC::DFG::VariableAccessData::predict):
1131         (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction):
1132         (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
1133         (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
1134         (JSC::DFG::VariableAccessData::mergeDoubleFormatState):
1135         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
1136         (JSC::DFG::VariableAccessData::flushFormat):
1137         * dfg/DFGVariableAccessData.h:
1138         (JSC::DFG::VariableAccessData::vote):
1139         (JSC::DFG::VariableAccessData::VariableAccessData): Deleted.
1140         (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
1141         (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox): Deleted.
1142         (JSC::DFG::VariableAccessData::predict): Deleted.
1143         (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction): Deleted.
1144         (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote): Deleted.
1145         (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat): Deleted.
1146         (JSC::DFG::VariableAccessData::mergeDoubleFormatState): Deleted.
1147         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat): Deleted.
1148         (JSC::DFG::VariableAccessData::flushFormat): Deleted.
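
        Act I and Act III above, as an added example (constructed, not JSC's code): a
        weighted double-format vote where one block carries a NaN execution count. The
        NaN weight poisons the naive tally so every comparison against it is false; the
        defended tally is an assumed policy (NaN counts as weight 1), since the log does
        not spell out the patch's own defense.

```cpp
#include <cmath>
#include <vector>

// Constructed model of weighted double voting. Each use of a variable votes for or
// against double format, weighted by the execution count estimate of its block.
// Names are illustrative, not JSC's own.
struct Use {
    bool wantsDouble;      // true: this use prefers the variable in double format
    double executionCount; // BasicBlock::executionCount; NaN for OSR entrypoint blocks
};

// Act I: naive weighted tally. A single NaN weight turns the whole sum into NaN.
double tallyNaive(const std::vector<Use>& uses) {
    double votes = 0;
    for (const Use& u : uses)
        votes += (u.wantsDouble ? 1.0 : -1.0) * u.executionCount;
    return votes;
}

// Act III style defense (assumed policy): a NaN execution count contributes weight 1,
// so the remaining votes are still counted instead of all going NaN.
double tallyDefended(const std::vector<Use>& uses) {
    double votes = 0;
    for (const Use& u : uses) {
        double weight = std::isnan(u.executionCount) ? 1.0 : u.executionCount;
        votes += (u.wantsDouble ? 1.0 : -1.0) * weight;
    }
    return votes;
}

// NaN > 0 is false, so a poisoned tally silently votes against double format.
bool shouldUseDoubleFormat(double votes) { return votes > 0; }

// Constructed sample: a hot loop body (count 1000) wanting double, a cold exit that
// does not, and an OSR entrypoint block whose execution count is unknown (NaN).
std::vector<Use> sampleUses() {
    return { { true, 1000.0 }, { false, 3.0 }, { true, NAN } };
}
```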
1149
1150 2014-04-21  Michael Saboff  <msaboff@apple.com>
1151
1152         REGRESSION(r167591): ARM64 and ARM traditional builds broken
1153         https://bugs.webkit.org/show_bug.cgi?id=131935
1154
1155         Reviewed by Mark Hahnenberg.
1156
1157         Added store8(TrustedImm32, MacroAssembler::Address) to the ARM traditional and ARM64
1158         macro assemblers.  Added a new test for the original patch.
1159
1160         * assembler/MacroAssemblerARM.h:
1161         (JSC::MacroAssemblerARM::store8):
1162         * assembler/MacroAssemblerARM64.h:
1163         (JSC::MacroAssemblerARM64::store8):
1164         * tests/stress/dfg-create-arguments-inline-alloc.js: New test.
1165
1166 2014-04-21  Mark Hahnenberg  <mhahnenberg@apple.com>
1167
1168         Inline allocate Arguments objects in the DFG
1169         https://bugs.webkit.org/show_bug.cgi?id=131897
1170
1171         Reviewed by Geoffrey Garen.
1172
1173         Many libraries/frameworks depend on the arguments object for overloaded API entry points. 
1174         This is the first step to making Arguments fast(er). We'll duplicate the logic in Arguments::create 
1175         for now and take the slow path for complicated cases like slow arguments, tearing off for strict mode, etc.
1176
1177         * dfg/DFGSpeculativeJIT.cpp:
1178         (JSC::DFG::SpeculativeJIT::emitAllocateArguments):
1179         * dfg/DFGSpeculativeJIT.h:
1180         (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
1181         * dfg/DFGSpeculativeJIT32_64.cpp:
1182         (JSC::DFG::SpeculativeJIT::compile):
1183         * dfg/DFGSpeculativeJIT64.cpp:
1184         (JSC::DFG::SpeculativeJIT::compile):
1185         * runtime/Arguments.h:
1186         (JSC::Arguments::offsetOfActivation):
1187         (JSC::Arguments::offsetOfOverrodeLength):
1188         (JSC::Arguments::offsetOfIsStrictMode):
1189         (JSC::Arguments::offsetOfRegisterArray):
1190         (JSC::Arguments::offsetOfCallee):
1191         (JSC::Arguments::allocationSize):
1192
1193 2014-04-20  Andreas Kling  <akling@apple.com>
1194
1195         Speed up jsStringWithCache() through WeakGCMap inlining.
1196         <https://webkit.org/b/131923>
1197
1198         Always inline WeakGCMap::add() but move the slow garbage collecting
1199         path out-of-line.
1200
1201         Reviewed by Darin Adler.
1202
1203         * runtime/WeakGCMap.h:
1204         (JSC::WeakGCMap::add):
1205         (JSC::WeakGCMap::gcMap):
1206
1207 2014-04-20  László Langó  <llango.u-szeged@partner.samsung.com>
1208
1209         JavaScriptCore: ARM build fix after r167094.
1210         https://bugs.webkit.org/show_bug.cgi?id=131612
1211
1212         Reviewed by Michael Saboff.
1213
1214         After r167094 there are many build errors on ARM like these:
1215
1216             /tmp/ccgtHRno.s:370: Error: invalid constant (425a) after fixup
1217             /tmp/ccgtHRno.s:374: Error: invalid constant (426e) after fixup
1218             /tmp/ccgtHRno.s:378: Error: invalid constant (4282) after fixup
1219             /tmp/ccgtHRno.s:382: Error: invalid constant (4296) after fixup
1220
1221         Problem is caused by the wrong generated assembly like:
1222             "\tmov r2, (" LOCAL_LABEL_STRING(llint_op_strcat) " - " LOCAL_LABEL_STRING(relativePCBase) ")\n" // /home/webkit/WebKit/Source/JavaScriptCore/llint/LowLevelInterpreter.asm:741
1223
1224         `mov` can only move 8 bit immediate, but not every constant fit into 8 bit. Clang converts
1225         the mov to a single movw or a movw and a movt, depending on the immediate, but binutils doesn't.
1226         Add a new ARM specific offline assembler instruction (`mvlbl`) for the following llint_entry
1227         use case: move rn, (label1-label2) which is translated to movw and movt.
1228
1229         * llint/LowLevelInterpreter.asm:
1230         * offlineasm/arm.rb:
1231         * offlineasm/instructions.rb:
1232
1233 2014-04-20  Csaba Osztrogonác  <ossy@webkit.org>
1234
1235         [ARM] Unreviewed build fix after r167336.
1236
1237         * assembler/MacroAssemblerARM.h:
1238         (JSC::MacroAssemblerARM::branchAdd32):
1239
1240 2014-04-20  Commit Queue  <commit-queue@webkit.org>
1241
1242         Unreviewed, rolling out r167501.
1243         https://bugs.webkit.org/show_bug.cgi?id=131913
1244
1245         It broke DYEBench (Requested by mhahnenberg on #webkit).
1246
1247         Reverted changeset:
1248
1249         "Deleting properties poisons objects"
1250         https://bugs.webkit.org/show_bug.cgi?id=131551
1251         http://trac.webkit.org/changeset/167501
1252
1253 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
1254
1255         It should be OK to store new fields into objects that have no prototypes
1256         https://bugs.webkit.org/show_bug.cgi?id=131905
1257
1258         Reviewed by Mark Hahnenberg.
1259
1260         * dfg/DFGByteCodeParser.cpp:
1261         (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
1262         * tests/stress/put-by-id-transition-null-prototype.js: Added.
1263         (foo):
1264
1265 2014-04-19  Benjamin Poulain  <bpoulain@apple.com>
1266
1267         Make the CSS JIT compile for ARM64
1268         https://bugs.webkit.org/show_bug.cgi?id=131834
1269
1270         Reviewed by Gavin Barraclough.
1271
1272         Extend the ARM64 MacroAssembler to support the code generation required by
1273         the CSS JIT.
1274
1275         * assembler/MacroAssembler.h:
1276         * assembler/MacroAssemblerARM64.h:
1277         (JSC::MacroAssemblerARM64::addPtrNoFlags):
1278         (JSC::MacroAssemblerARM64::or32):
1279         (JSC::MacroAssemblerARM64::branchPtr):
1280         (JSC::MacroAssemblerARM64::test32):
1281         (JSC::MacroAssemblerARM64::branch):
1282         * assembler/MacroAssemblerX86Common.h:
1283         (JSC::MacroAssemblerX86Common::test32):
1284
1285 2014-04-19  Andreas Kling  <akling@apple.com>
1286
1287         Two little shortcuts to the JSType.
1288         <https://webkit.org/b/131896>
1289
1290         Tweak two sites that take the long road through JSCell::structure()->typeInfo()
1291         to look at data that's already in JSCell::type().
1292
1293         Reviewed by Darin Adler.
1294
1295         * runtime/NameInstance.h:
1296         (JSC::isName):
1297         * runtime/NumberPrototype.cpp:
1298         (JSC::toThisNumber):
1299
1300 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
1301
1302         Make it easier to check if an integer sum would overflow
1303         https://bugs.webkit.org/show_bug.cgi?id=131900
1304
1305         Reviewed by Darin Adler.
1306
1307         * dfg/DFGOperations.cpp:
1308         * runtime/Operations.h:
1309         (JSC::jsString):
1310
1311 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
1312
1313         Address some feedback on https://bugs.webkit.org/show_bug.cgi?id=130684.
1314
1315         * dfg/DFGOperations.cpp:
1316         * runtime/JSString.h:
1317         (JSC::JSRopeString::RopeBuilder::append):
1318
1319 2014-04-18  Mark Lam  <mark.lam@apple.com>
1320
1321         REGRESSION(r164205): WebKit crash @StructureIDTable::get.
1322         <https://webkit.org/b/130539>
1323
1324         Reviewed by Geoffrey Garen.
1325
1326         prepareOSREntry() prepares for OSR entry by first copying the local var
1327         values from the baseline frame to a scratch buffer, which is then used
1328         to fill in the locals in their new position in the DFG frame.  Unfortunately,
1329         prepareOSREntry() was using the DFG frame's frameRegisterCount as the frame
1330         size of the baseline frame.  As a result, some values of locals in the
1331         baseline frame were not saved off, and the DFG frame may get initialized
1332         with random content that happened to be in the uninitialized (and possibly
1333         unallocated) portions of the scratch buffer.
1334
1335         The fix is to use OSREntryData::m_expectedValues.numberOfLocals() as the
1336         number of locals in the baseline frame that we want to copy to the scratch
1337         buffer.
1338
1339         Note: osrEntryThunkGenerator() is expecting the DFG frameRegisterCount
1340         at offset 0 in the scratch buffer.  So, we continue to write that value
1341         there, not the baseline frame size.
1342
1343         * dfg/DFGOSREntry.cpp:
1344         (JSC::DFG::prepareOSREntry):
1345
1346 2014-04-18  Timothy Hatcher  <timothy@apple.com>
1347
1348         Web Inspector: Move InspectorProfilerAgent to JavaScriptCore
1349         https://bugs.webkit.org/show_bug.cgi?id=131673
1350
1351         Passes existing profiler and inspector tests.
1352
1353         Reviewed by Joseph Pecoraro.
1354
1355         * CMakeLists.txt:
1356         * DerivedSources.make:
1357         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1358         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1359         * JavaScriptCore.xcodeproj/project.pbxproj:
1360         * inspector/JSConsoleClient.cpp:
1361         (Inspector::JSConsoleClient::JSConsoleClient):
1362         (Inspector::JSConsoleClient::profile):
1363         (Inspector::JSConsoleClient::profileEnd):
1364         (Inspector::JSConsoleClient::count): Deleted.
1365         * inspector/JSConsoleClient.h:
1366         * inspector/JSGlobalObjectInspectorController.cpp:
1367         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1368         * inspector/agents/InspectorProfilerAgent.cpp: Added.
1369         (Inspector::InspectorProfilerAgent::InspectorProfilerAgent):
1370         (Inspector::InspectorProfilerAgent::~InspectorProfilerAgent):
1371         (Inspector::InspectorProfilerAgent::addProfile):
1372         (Inspector::InspectorProfilerAgent::createProfileHeader):
1373         (Inspector::InspectorProfilerAgent::enable):
1374         (Inspector::InspectorProfilerAgent::disable):
1375         (Inspector::InspectorProfilerAgent::getUserInitiatedProfileName):
1376         (Inspector::InspectorProfilerAgent::getProfileHeaders):
1377         (Inspector::buildInspectorObject):
1378         (Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
1379         (Inspector::InspectorProfilerAgent::getCPUProfile):
1380         (Inspector::InspectorProfilerAgent::removeProfile):
1381         (Inspector::InspectorProfilerAgent::reset):
1382         (Inspector::InspectorProfilerAgent::didCreateFrontendAndBackend):
1383         (Inspector::InspectorProfilerAgent::willDestroyFrontendAndBackend):
1384         (Inspector::InspectorProfilerAgent::start):
1385         (Inspector::InspectorProfilerAgent::stop):
1386         (Inspector::InspectorProfilerAgent::setRecordingProfile):
1387         (Inspector::InspectorProfilerAgent::startProfiling):
1388         (Inspector::InspectorProfilerAgent::stopProfiling):
1389         * inspector/agents/InspectorProfilerAgent.h: Added.
1390         * inspector/agents/JSGlobalObjectProfilerAgent.cpp: Copied from Source/WebCore/inspector/ScriptProfile.idl.
1391         (Inspector::JSGlobalObjectProfilerAgent::JSGlobalObjectProfilerAgent):
1392         (Inspector::JSGlobalObjectProfilerAgent::profilingGlobalExecState):
1393         * inspector/agents/JSGlobalObjectProfilerAgent.h: Copied from Source/WebCore/inspector/ScriptProfile.idl.
1394         * inspector/protocol/Profiler.json: Renamed from Source/WebCore/inspector/protocol/Profiler.json.
1395         * profiler/Profile.h:
1396         * runtime/ConsoleClient.h:
1397
1398 2014-04-18  Commit Queue  <commit-queue@webkit.org>
1399
1400         Unreviewed, rolling out r167527.
1401         https://bugs.webkit.org/show_bug.cgi?id=131883
1402
1403         Broke 32-bit build (Requested by ap on #webkit).
1404
1405         Reverted changeset:
1406
1407         "[Mac] implement WebKitDataCue"
1408         https://bugs.webkit.org/show_bug.cgi?id=131799
1409         http://trac.webkit.org/changeset/167527
1410
1411 2014-04-18  Eric Carlson  <eric.carlson@apple.com>
1412
1413         [Mac] implement WebKitDataCue
1414         https://bugs.webkit.org/show_bug.cgi?id=131799
1415
1416         Reviewed by Dean Jackson.
1417
1418         * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.
1419
1420 2014-04-18  Filip Pizlo  <fpizlo@apple.com>
1421
1422         Actually address Mark's review feedback.
1423
1424         * dfg/DFGOSRExitCompilerCommon.cpp:
1425         (JSC::DFG::handleExitCounts):
1426
1427 2014-04-18  Filip Pizlo  <fpizlo@apple.com>
1428
1429         Options::maximumExecutionCountsBetweenCheckpoints() should be higher for DFG->FTL tier-up but the same for other tier-ups
1430         https://bugs.webkit.org/show_bug.cgi?id=131850
1431
1432         Reviewed by Mark Hahnenberg.
1433         
1434         Templatize ExecutionCounter to allow for two different styles of calculating the
1435         checkpoint threshold.
1436         
1437         Appears to be a slight speed-up on DYEBench.
1438
1439         * bytecode/CodeBlock.h:
1440         (JSC::CodeBlock::llintExecuteCounter):
1441         (JSC::CodeBlock::offsetOfJITExecuteCounter):
1442         (JSC::CodeBlock::offsetOfJITExecutionActiveThreshold):
1443         (JSC::CodeBlock::offsetOfJITExecutionTotalCount):
1444         (JSC::CodeBlock::jitExecuteCounter):
1445         * bytecode/ExecutionCounter.cpp:
1446         (JSC::ExecutionCounter<countingVariant>::ExecutionCounter):
1447         (JSC::ExecutionCounter<countingVariant>::forceSlowPathConcurrently):
1448         (JSC::ExecutionCounter<countingVariant>::checkIfThresholdCrossedAndSet):
1449         (JSC::ExecutionCounter<countingVariant>::setNewThreshold):
1450         (JSC::ExecutionCounter<countingVariant>::deferIndefinitely):
1451         (JSC::applyMemoryUsageHeuristics):
1452         (JSC::applyMemoryUsageHeuristicsAndConvertToInt):
1453         (JSC::ExecutionCounter<countingVariant>::hasCrossedThreshold):
1454         (JSC::ExecutionCounter<countingVariant>::setThreshold):
1455         (JSC::ExecutionCounter<countingVariant>::reset):
1456         (JSC::ExecutionCounter<countingVariant>::dump):
1457         (JSC::ExecutionCounter::ExecutionCounter): Deleted.
1458         (JSC::ExecutionCounter::forceSlowPathConcurrently): Deleted.
1459         (JSC::ExecutionCounter::checkIfThresholdCrossedAndSet): Deleted.
1460         (JSC::ExecutionCounter::setNewThreshold): Deleted.
1461         (JSC::ExecutionCounter::deferIndefinitely): Deleted.
1462         (JSC::ExecutionCounter::applyMemoryUsageHeuristics): Deleted.
1463         (JSC::ExecutionCounter::applyMemoryUsageHeuristicsAndConvertToInt): Deleted.
1464         (JSC::ExecutionCounter::hasCrossedThreshold): Deleted.
1465         (JSC::ExecutionCounter::setThreshold): Deleted.
1466         (JSC::ExecutionCounter::reset): Deleted.
1467         (JSC::ExecutionCounter::dump): Deleted.
1468         * bytecode/ExecutionCounter.h:
1469         (JSC::formattedTotalExecutionCount):
1470         (JSC::ExecutionCounter::maximumExecutionCountsBetweenCheckpoints):
1471         (JSC::ExecutionCounter::clippedThreshold):
1472         (JSC::ExecutionCounter::formattedTotalCount): Deleted.
1473         * dfg/DFGJITCode.h:
1474         * dfg/DFGOSRExitCompilerCommon.cpp:
1475         (JSC::DFG::handleExitCounts):
1476         * llint/LowLevelInterpreter.asm:
1477         * runtime/Options.h:
1478
1479 2014-04-17  Mark Hahnenberg  <mhahnenberg@apple.com>
1480
1481         Deleting properties poisons objects
1482         https://bugs.webkit.org/show_bug.cgi?id=131551
1483
1484         Reviewed by Geoffrey Garen.
1485
1486         This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.
1487
1488         * runtime/Structure.cpp:
1489         (JSC::Structure::Structure):
1490         (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
1491         (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of 
1492         Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache 
1493         delete transitions, but we allow transitioning from them.
1494         (JSC::Structure::changePrototypeTransition):
1495         (JSC::Structure::despecifyFunctionTransition):
1496         (JSC::Structure::attributeChangeTransition):
1497         (JSC::Structure::toDictionaryTransition):
1498         (JSC::Structure::preventExtensionsTransition):
1499         (JSC::Structure::addPropertyWithoutTransition):
1500         (JSC::Structure::removePropertyWithoutTransition):
1501         (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
1502         (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
1503         * runtime/Structure.h:
1504         * runtime/StructureInlines.h:
1505         (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
1506
1507 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
1508
1509         InlineCallFrameSet should be refcounted
1510         https://bugs.webkit.org/show_bug.cgi?id=131829
1511
1512         Reviewed by Geoffrey Garen.
1513         
1514         And DFG::Plan should hold a ref to it. Previously it was owned by Graph until it
1515         became owned by JITCode. Except that if we're "failing" to compile, JITCode may die.
1516         Even as it dies, the GC may still want to scan the DFG::Plan, which leads to scanning
1517         the DesiredWriteBarriers, which leads to scanning the InlineCallFrameSet.
1518         
1519         So, just make the darn thing refcounted.
1520
1521         * bytecode/InlineCallFrameSet.h:
1522         * dfg/DFGArgumentsSimplificationPhase.cpp:
1523         (JSC::DFG::ArgumentsSimplificationPhase::run):
1524         * dfg/DFGByteCodeParser.cpp:
1525         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1526         * dfg/DFGCommonData.h:
1527         * dfg/DFGGraph.cpp:
1528         (JSC::DFG::Graph::Graph):
1529         (JSC::DFG::Graph::requiredRegisterCountForExit):
1530         * dfg/DFGGraph.h:
1531         * dfg/DFGJITCompiler.cpp:
1532         (JSC::DFG::JITCompiler::link):
1533         * dfg/DFGPlan.cpp:
1534         (JSC::DFG::Plan::Plan):
1535         * dfg/DFGPlan.h:
1536         * dfg/DFGStackLayoutPhase.cpp:
1537         (JSC::DFG::StackLayoutPhase::run):
1538         * ftl/FTLFail.cpp:
1539         (JSC::FTL::fail):
1540         * ftl/FTLLink.cpp:
1541         (JSC::FTL::link):
1542
1543 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
1544
1545         FTL::fail() should manage memory "correctly"
1546         https://bugs.webkit.org/show_bug.cgi?id=131823
1547         <rdar://problem/16384297>
1548
1549         Reviewed by Oliver Hunt.
1550
1551         * ftl/FTLFail.cpp:
1552         (JSC::FTL::fail):
1553
1554 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
1555
1556         Prediction propagator should correctly model Int52s flowing through arguments
1557         https://bugs.webkit.org/show_bug.cgi?id=131822
1558         <rdar://problem/16641408>
1559
1560         Reviewed by Oliver Hunt.
1561
1562         * dfg/DFGPredictionPropagationPhase.cpp:
1563         (JSC::DFG::PredictionPropagationPhase::propagate):
1564         * tests/stress/int52-argument.js: Added.
1565         (foo):
1566         * tests/stress/int52-variable.js: Added.
1567         (foo):
1568
1569 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
1570
1571         REGRESSION: ASSERT(!typeInfo().hasImpureGetOwnPropertySlot() || typeInfo().newImpurePropertyFiresWatchpoints()) on jquery tests
1572         https://bugs.webkit.org/show_bug.cgi?id=131798
1573
1574         Reviewed by Alexey Proskuryakov.
1575         
1576         Some day, we will fix https://bugs.webkit.org/show_bug.cgi?id=131810 and some version
1577         of this assertion can return. For now, it's not clear that the assertion is guarding
1578         any truly undesirable behavior - so it should just go away and be replaced with a
1579         FIXME.
1580
1581         * bytecode/GetByIdStatus.cpp:
1582         (JSC::GetByIdStatus::computeForStubInfo):
1583         * runtime/Structure.h:
1584         (JSC::Structure::takesSlowPathInDFGForImpureProperty):
1585
1586 2014-04-17  David Kilzer  <ddkilzer@apple.com>
1587
1588         Blind attempt to fix Windows build after r166837
1589         <http://webkit.org/b/131246>
1590
1591         Hoping to fix this build error:
1592
1593             warning MSB8027: Two or more files with the name of GCLogging.cpp will produce outputs to the same location. This can lead to an incorrect build result.  The files involved are ..\heap\GCLogging.cpp, ..\heap\GCLogging.cpp.
1594
1595         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Fix copy-paste
1596         boo-boo by changing the GCLogging.cpp ClCompile entry to a
1597         GCLogging.h ClInclude entry.
1598
1599 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
1600
1601         AI for GetLocal should match the DFG backend, and in this case, the best way to do that is to get rid of the "exit if empty prediction" thing since it's a vestige of a time long gone
1602         https://bugs.webkit.org/show_bug.cgi?id=131764
1603
1604         Reviewed by Geoffrey Garen.
1605         
1606         The attached test case can be made to not crash by deleting old code. It used to be
1607         the case that the DFG needed empty prediction guards, for shady reasons. We fixed that
1608         long ago. At this point, these guards just make life difficult. So get rid of them.
1609
1610         * dfg/DFGAbstractInterpreterInlines.h:
1611         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1612         * dfg/DFGSpeculativeJIT32_64.cpp:
1613         (JSC::DFG::SpeculativeJIT::compile):
1614         * dfg/DFGSpeculativeJIT64.cpp:
1615         (JSC::DFG::SpeculativeJIT::compile):
1616         * tests/stress/bug-131764.js: Added.
1617         (test1):
1618         (test2):
1619
1620 2014-04-17  Darin Adler  <darin@apple.com>
1621
1622         Add separate flag for IndexedDatabase in workers since the current implementation is not threadsafe
1623         https://bugs.webkit.org/show_bug.cgi?id=131785
1624         rdar://problem/16003108
1625
1626         Reviewed by Brady Eidson.
1627
1628         * Configurations/FeatureDefines.xcconfig: Added INDEXED_DATABASE_IN_WORKERS.
1629
1630 2014-04-16  Alexey Proskuryakov  <ap@apple.com>
1631
1632         Build fix after http://trac.webkit.org/changeset/167416 (Sink NaN sanitization)
1633
1634         * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::speculate):
1635
1636 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
1637
1638         Extra error reporting for invalid value conversions
1639         https://bugs.webkit.org/show_bug.cgi?id=131786
1640
1641         Rubber stamped by Ryosuke Niwa.
1642
1643         * dfg/DFGFixupPhase.cpp:
1644         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
1645
1646 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
1647
1648         Sink NaN sanitization to uses and remove it when it's unnecessary
1649         https://bugs.webkit.org/show_bug.cgi?id=131419
1650
1651         Reviewed by Oliver Hunt.
1652         
1653         This moves NaN purification to stores that could see an impure NaN.
1654         
1655         5% speed-up on AsmBench, 50% speed-up on AsmBench/n-body. It is a regression on FloatMM
1656         though, because of the other bug that causes that benchmark to box doubles in a loop.
1657
1658         * bytecode/SpeculatedType.h:
1659         (JSC::isInt32SpeculationForArithmetic):
1660         (JSC::isMachineIntSpeculationForArithmetic):
1661         (JSC::isDoubleSpeculation):
1662         (JSC::isDoubleSpeculationForArithmetic):
1663         * dfg/DFGAbstractInterpreterInlines.h:
1664         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1665         * dfg/DFGAbstractValue.cpp:
1666         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
1667         * dfg/DFGFixupPhase.cpp:
1668         (JSC::DFG::FixupPhase::fixupNode):
1669         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
1670         * dfg/DFGInPlaceAbstractState.cpp:
1671         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
1672         * dfg/DFGPredictionPropagationPhase.cpp:
1673         (JSC::DFG::PredictionPropagationPhase::propagate):
1674         * dfg/DFGSpeculativeJIT.cpp:
1675         (JSC::DFG::SpeculativeJIT::compileValueRep):
1676         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
1677         * dfg/DFGUseKind.h:
1678         (JSC::DFG::typeFilterFor):
1679         * ftl/FTLLowerDFGToLLVM.cpp:
1680         (JSC::FTL::LowerDFGToLLVM::compileValueRep):
1681         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
1682         * runtime/PureNaN.h:
1683         * tests/stress/float32-array-nan-inlined.js: Added.
1684         (foo):
1685         (test):
1686         * tests/stress/float32-array-nan.js: Added.
1687         (foo):
1688         (test):
1689         * tests/stress/float64-array-nan-inlined.js: Added.
1690         (foo):
1691         (isBigEndian):
1692         (test):
1693         * tests/stress/float64-array-nan.js: Added.
1694         (foo):
1695         (isBigEndian):
1696         (test):
1697
1698 2014-04-16  Brent Fulgham  <bfulgham@apple.com>
1699
1700         [Win] Unreviewed Windows gardening. Restrict our new 'isinf' check
1701         to 32-bit builds, and revise the comment to explain what we are
1702         doing.
1703
1704         * runtime/JSCJSValueInlines.h:
1705         (JSC::JSValue::isMachineInt): Provide motivation for the new
1706         'isinf' check for our 32-bit code path.
1707
1708 2014-04-16  Juergen Ributzka  <juergen@apple.com>
1709
1710         Allocate the data section on the heap again for FTL on ARM64
1711         https://bugs.webkit.org/show_bug.cgi?id=130156
1712
1713         Reviewed by Geoffrey Garen and Filip Pizlo.
1714
1715         * ftl/FTLCompile.cpp:
1716         (JSC::FTL::mmAllocateDataSection):
1717         * ftl/FTLDataSection.cpp:
1718         (JSC::FTL::DataSection::DataSection):
1719         (JSC::FTL::DataSection::~DataSection):
1720         * ftl/FTLDataSection.h:
1721
1722 2014-04-16  Mark Lam  <mark.lam@apple.com>
1723
1724         Crash in CodeBlock::setOptimizationThresholdBasedOnCompilationResult() when the debugger activates.
1725         <https://webkit.org/b/131747>
1726
1727         Reviewed by Filip Pizlo.
1728
1729         When the debugger is about to activate (e.g. enter stepping mode), it first
1730         waits for all DFG compilations to complete.  However, when the DFG completes,
1731         if compilation is successful, it will install a new DFG codeBlock.  The
1732         CodeBlock installation process is required to register codeBlocks with the
1733         debugger.  Debugger::registerCodeBlock() will eventually call
1734         CodeBlock::setSteppingMode() which may jettison the DFG codeBlock that we're
1735         trying to install.  Thereafter, chaos ensues.
1736
1737         This jettison'ing only happens because the debugger currently sets its
1738         m_steppingMode flag before waiting for compilation to complete.  The fix is
1739         simply to set that flag only after compilation is complete.
1740
1741         * debugger/Debugger.cpp:
1742         (JSC::Debugger::setSteppingMode):
1743         (JSC::Debugger::registerCodeBlock):
1744
1745 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
1746
1747         Discern between NaNs that would be safe to tag and NaNs that need some purification before tagging
1748         https://bugs.webkit.org/show_bug.cgi?id=131420
1749
1750         Reviewed by Oliver Hunt.
1751         
1752         Rationalizes our handling of NaNs. We now have the notion of pureNaN(), or PNaN, which
1753         replaces QNaN and represents a "safe" NaN for our tagging purposes. NaN purification now
1754         goes through the purifyNaN() API.
1755         
1756         SpeculatedType and its clients can now distinguish between a PureNaN and an ImpureNaN.
1757         
1758         Prediction propagator is made slightly more cautious when dealing with NaNs. It doesn't
1759         have to be too cautious since most prediction-based logic only cares about whether or not
1760         a value could be an integer.
1761         
1762         AI is made much more cautious when dealing with NaNs. We don't yet introduce ImpureNaN
1763         anywhere in the compiler, but when we do, we ought to be able to trust AI to propagate it
1764         soundly and precisely.
1765         
1766         No performance change because this just unblocks
1767         https://bugs.webkit.org/show_bug.cgi?id=131419.
1768
1769         * API/JSValueRef.cpp:
1770         (JSValueMakeNumber):
1771         (JSValueToNumber):
1772         * JavaScriptCore.xcodeproj/project.pbxproj:
1773         * bytecode/SpeculatedType.cpp:
1774         (JSC::dumpSpeculation):
1775         (JSC::speculationFromValue):
1776         (JSC::typeOfDoubleSum):
1777         (JSC::typeOfDoubleDifference):
1778         (JSC::typeOfDoubleProduct):
1779         (JSC::polluteDouble):
1780         (JSC::typeOfDoubleQuotient):
1781         (JSC::typeOfDoubleMinMax):
1782         (JSC::typeOfDoubleNegation):
1783         (JSC::typeOfDoubleAbs):
1784         (JSC::typeOfDoubleFRound):
1785         (JSC::typeOfDoubleBinaryOp):
1786         (JSC::typeOfDoubleUnaryOp):
1787         * bytecode/SpeculatedType.h:
1788         * dfg/DFGAbstractInterpreterInlines.h:
1789         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1790         * dfg/DFGByteCodeParser.cpp:
1791         (JSC::DFG::ByteCodeParser::handleInlining):
1792         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1793         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
1794         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
1795         * dfg/DFGInPlaceAbstractState.cpp:
1796         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
1797         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
1798         (JSC::DFG::createPreHeader):
1799         * dfg/DFGNode.h:
1800         (JSC::DFG::BranchTarget::BranchTarget):
1801         * dfg/DFGOSREntrypointCreationPhase.cpp:
1802         (JSC::DFG::OSREntrypointCreationPhase::run):
1803         * dfg/DFGOSRExitCompiler32_64.cpp:
1804         (JSC::DFG::OSRExitCompiler::compileExit):
1805         * dfg/DFGOSRExitCompiler64.cpp:
1806         (JSC::DFG::OSRExitCompiler::compileExit):
1807         * dfg/DFGPredictionPropagationPhase.cpp:
1808         (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
1809         (JSC::DFG::PredictionPropagationPhase::propagate):
1810         * dfg/DFGSpeculativeJIT.cpp:
1811         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
1812         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1813         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
1814         * dfg/DFGSpeculativeJIT32_64.cpp:
1815         (JSC::DFG::SpeculativeJIT::compile):
1816         * dfg/DFGSpeculativeJIT64.cpp:
1817         (JSC::DFG::SpeculativeJIT::compile):
1818         * dfg/DFGVariableAccessData.h:
1819         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
1820         * ftl/FTLLowerDFGToLLVM.cpp:
1821         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
1822         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
1823         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
1824         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
1825         (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
1826         (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
1827         (JSC::FTL::LowerDFGToLLVM::allocateJSArray):
1828         * ftl/FTLValueFormat.cpp:
1829         (JSC::FTL::reboxAccordingToFormat):
1830         * jit/AssemblyHelpers.cpp:
1831         (JSC::AssemblyHelpers::purifyNaN):
1832         (JSC::AssemblyHelpers::sanitizeDouble): Deleted.
1833         * jit/AssemblyHelpers.h:
1834         * jit/JITPropertyAccess.cpp:
1835         (JSC::JIT::emitFloatTypedArrayGetByVal):
1836         * runtime/DateConstructor.cpp:
1837         (JSC::constructDate):
1838         * runtime/DateInstanceCache.h:
1839         (JSC::DateInstanceData::DateInstanceData):
1840         (JSC::DateInstanceCache::reset):
1841         * runtime/ExceptionHelpers.cpp:
1842         (JSC::TerminatedExecutionError::defaultValue):
1843         * runtime/JSArray.cpp:
1844         (JSC::JSArray::setLength):
1845         (JSC::JSArray::pop):
1846         (JSC::JSArray::shiftCountWithAnyIndexingType):
1847         (JSC::JSArray::sortVector):
1848         (JSC::JSArray::compactForSorting):
1849         * runtime/JSArray.h:
1850         (JSC::JSArray::create):
1851         (JSC::JSArray::tryCreateUninitialized):
1852         * runtime/JSCJSValue.cpp:
1853         (JSC::JSValue::toNumberSlowCase):
1854         * runtime/JSCJSValue.h:
1855         * runtime/JSCJSValueInlines.h:
1856         (JSC::jsNaN):
1857         (JSC::JSValue::JSValue):
1858         (JSC::JSValue::getPrimitiveNumber):
1859         * runtime/JSGlobalObjectFunctions.cpp:
1860         (JSC::parseInt):
1861         (JSC::jsStrDecimalLiteral):
1862         (JSC::toDouble):
1863         (JSC::jsToNumber):
1864         (JSC::parseFloat):
1865         * runtime/JSObject.cpp:
1866         (JSC::JSObject::createInitialDouble):
1867         (JSC::JSObject::convertUndecidedToDouble):
1868         (JSC::JSObject::convertInt32ToDouble):
1869         (JSC::JSObject::deletePropertyByIndex):
1870         (JSC::JSObject::ensureLengthSlow):
1871         * runtime/MathObject.cpp:
1872         (JSC::mathProtoFuncMax):
1873         (JSC::mathProtoFuncMin):
1874         * runtime/PureNaN.h: Added.
1875         (JSC::pureNaN):
1876         (JSC::isImpureNaN):
1877         (JSC::purifyNaN):
1878         * runtime/TypedArrayAdaptors.h:
1879         (JSC::FloatTypedArrayAdaptor::toJSValue):
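
        The pure/impure NaN distinction above, and the store-side sanitization that the
        earlier "Sink NaN sanitization to uses" entry moves around, come down to raw bit
        patterns. What follows is an added C++ example, not JavaScriptCore code: it
        implements pureNaN()/isImpureNaN()/purifyNaN() over IEEE-754 bits and pairs them
        with a deliberately simplified NaN-boxing model. The 2^48 double offset, the 0xFFFF
        int32 tag and the zero-top-bits pointer rule are this example's own assumptions
        about how a boxing scheme could look, not a description of JSC's real encoding;
        they are there to show why a NaN read from user-controlled memory (a Float64Array
        element, say) must be purified before it is tagged.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Canonical quiet NaN: sign clear, exponent all ones, quiet bit set, payload zero.
static const uint64_t kPureNaNBits = 0x7FF8000000000000ULL;

static uint64_t bitsOf(double d) { uint64_t b; std::memcpy(&b, &d, sizeof b); return b; }
static double doubleOf(uint64_t b) { double d; std::memcpy(&d, &b, sizeof d); return d; }

double pureNaN() { return doubleOf(kPureNaNBits); }

// Any NaN whose bit pattern differs from the canonical one carries sign or payload bits.
bool isImpureNaN(double d) { return std::isnan(d) && bitsOf(d) != kPureNaNBits; }

// Collapse every NaN to the canonical pattern; non-NaN values pass through untouched.
double purifyNaN(double d) { return std::isnan(d) ? pureNaN() : d; }

// Simplified 64-bit NaN-boxing model (an assumption of this example, not JSC's layout):
//   pointer : top 16 bits are zero
//   int32   : top 16 bits are 0xFFFF, low 32 bits hold the value
//   double  : raw bits plus 2^48, so ordinary doubles land between the two tags
static const uint64_t kDoubleEncodeOffset = 1ULL << 48;
static const uint64_t kInt32Tag = 0xFFFF000000000000ULL;

enum class Kind { Pointer, Int32, Double };

uint64_t encodeDouble(double d) { return bitsOf(d) + kDoubleEncodeOffset; }

Kind classify(uint64_t encoded) {
    if ((encoded & kInt32Tag) == kInt32Tag) return Kind::Int32;
    if ((encoded >> 48) == 0) return Kind::Pointer;
    return Kind::Double;
}

// Model of a typed-array load: the bytes are under the script's control, so the NaN
// may be impure. With sanitize == false the raw pattern is tagged as-is.
Kind tagDoubleFromMemory(uint64_t rawBits, bool sanitize) {
    double loaded = doubleOf(rawBits);
    if (sanitize) loaded = purifyNaN(loaded);
    return classify(encodeDouble(loaded));
}

int main() {
    // Constructed NaN patterns: exponent all ones, non-zero mantissa, quiet bit set.
    const uint64_t nanLooksLikeInt = 0xFFFE000000000000ULL; // + 2^48 == the int32 tag
    const uint64_t nanLooksLikePtr = 0xFFFF000000000000ULL; // + 2^48 wraps to 0 == null pointer
    std::printf("impure: %d, pure: %d\n",
                isImpureNaN(doubleOf(nanLooksLikeInt)), isImpureNaN(pureNaN()));
    std::printf("unsanitized kinds: %d %d, sanitized kinds: %d %d (0=ptr 1=int32 2=double)\n",
                static_cast<int>(tagDoubleFromMemory(nanLooksLikeInt, false)),
                static_cast<int>(tagDoubleFromMemory(nanLooksLikePtr, false)),
                static_cast<int>(tagDoubleFromMemory(nanLooksLikeInt, true)),
                static_cast<int>(tagDoubleFromMemory(nanLooksLikePtr, true)));
    return 0;
}
```

        In this model the two constructed NaNs are tagged as an int32 and as a null
        pointer when boxed raw, and as doubles once purified; that is the type confusion
        the purifyNaN() API exists to rule out, and why the compiler must know at which
        stores an impure NaN can still be present.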
1880
1881 2014-04-16  Juergen Ributzka  <juergen@apple.com>
1882
1883         Enable system library calls in FTL for ARM64
1884         https://bugs.webkit.org/show_bug.cgi?id=130154
1885
1886         Reviewed by Geoffrey Garen and Filip Pizlo.
1887
1888         * ftl/FTLIntrinsicRepository.h:
1889         * ftl/FTLOutput.h:
1890         (JSC::FTL::Output::doubleRem):
1891         (JSC::FTL::Output::doubleSin):
1892         (JSC::FTL::Output::doubleCos):
1893
1894 2014-04-16  peavo@outlook.com  <peavo@outlook.com>
1895
1896         Fix JSC Debug Regressions on Windows
1897         https://bugs.webkit.org/show_bug.cgi?id=131182
1898
1899         Reviewed by Brent Fulgham.
1900
1901         The cast static_cast<int64_t>(number) in JSValue::isMachineInt() can generate a floating point error,
1902         and set the st floating point register tags, if the value of the number parameter is infinite.
1903         If the st floating point register tags are not cleared, this can cause strange floating point behavior later on.
1904         This can be avoided by checking for infinity first.
1905
1906         * runtime/JSCJSValueInlines.h:
1907         (JSC::JSValue::isMachineInt): Avoid floating point error by checking for infinity first.
1908         * runtime/Options.cpp:
1909         (JSC::recomputeDependentOptions): Re-enable jit for Windows.
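
        The hazard this entry works around is general C++, not a Windows quirk: converting
        a double that is NaN, infinite or outside the destination type's range to an
        integer is undefined behaviour, and on the 32-bit x87 path it also leaves the
        floating-point state disturbed in the way the entry describes. The following is
        an added C++ example, not JavaScriptCore's JSValue::isMachineInt(): it classifies
        a double as a machine integer while rejecting NaN, infinities and out-of-range
        values before any cast takes place. The signed 52-bit range it enforces is this
        example's assumption, chosen to line up with the Int52 notion used elsewhere on
        this page.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>

// Range assumed by this example: a signed 52-bit integer, i.e. [-2^51, 2^51).
static const int64_t kInt52Min = -(int64_t(1) << 51);
static const int64_t kInt52Max = (int64_t(1) << 51) - 1;

// Returns true and stores the integer if `number` is an integral double in range.
// NaN, +/-infinity and out-of-range values are rejected *before* the double->int64 cast,
// because that cast is undefined behaviour for them (and trips the FPU on x87).
bool isMachineInt(double number, int64_t* out) {
    if (std::isnan(number) || std::isinf(number)) return false;
    // Range check as doubles first so the cast below is always in range.
    // 2^51 and 2^51-1 are exactly representable, so these comparisons are exact.
    if (number < static_cast<double>(kInt52Min) || number > static_cast<double>(kInt52Max)) return false;
    int64_t asInt64 = static_cast<int64_t>(number); // now well-defined: truncates toward zero
    if (static_cast<double>(asInt64) != number) return false; // fractional part present
    if (asInt64 == 0 && std::signbit(number)) return false;   // -0 is a double, not an int
    if (out) *out = asInt64;
    return true;
}

// Convenience for checks: true if `number` is a machine int equal to `expected`.
bool machineIntEquals(double number, int64_t expected) {
    int64_t value = 0;
    return isMachineInt(number, &value) && value == expected;
}

int main() {
    const double samples[] = { 42.0, -0.0, 1.5, 2251799813685247.0, 2251799813685248.0, INFINITY, NAN };
    for (double d : samples) {
        int64_t value = 0;
        if (isMachineInt(d, &value))
            std::printf("%g -> machine int %lld\n", d, static_cast<long long>(value));
        else
            std::printf("%g -> not a machine int\n", d);
    }
    return 0;
}
```

        The ordering of the checks is the whole point: the cast must come after the
        NaN/infinity test and the range comparison, because once the cast has executed
        on a bad input there is no state left to repair.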
1910
1911 2014-04-16  Oliver Hunt  <oliver@apple.com>
1912
1913         Simple ES6 feature: Array.prototype.fill
1914         https://bugs.webkit.org/show_bug.cgi?id=131703
1915
1916         Reviewed by David Hyatt.
1917
1918         Add support for Array.prototype.fill
1919
1920         * builtins/Array.prototype.js:
1921         (fill):
1922         * runtime/ArrayPrototype.cpp:
1923
1924 2014-04-16  Mark Hahnenberg  <mhahnenberg@apple.com>
1925
1926         [WebKit] Cleanup the build from uninitialized variable in JavaScriptCore
1927         https://bugs.webkit.org/show_bug.cgi?id=131728
1928
1929         Reviewed by Darin Adler.
1930
1931         * runtime/JSObject.cpp:
1932         (JSC::JSObject::genericConvertDoubleToContiguous): Add a RELEASE_ASSERT on the 
1933         path we expect to never take. Also shut up confused compilers about uninitialized things.
1934
1935 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
1936
1937         Unreviewed, ARMv7 build fix after r167336.
1938
1939         * assembler/MacroAssemblerARMv7.h:
1940         (JSC::MacroAssemblerARMv7::branchAdd32):
1941
1942 2014-04-16  Gabor Rapcsanyi  <rgabor@webkit.org>
1943
1944         Unreviewed, ARM64 buildfix after r167336.
1945
1946         * assembler/MacroAssemblerARM64.h:
1947         (JSC::MacroAssemblerARM64::branchAdd32): Add missing function.
1948
1949 2014-04-15  Filip Pizlo  <fpizlo@apple.com>
1950
1951         Unreviewed, add the obvious thing that marks MakeRope as exiting since it can exit.
1952
1953         * dfg/DFGAbstractInterpreterInlines.h:
1954         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1955
1956 2014-04-15  Filip Pizlo  <fpizlo@apple.com>
1957
1958         compileMakeRope does not emit necessary bounds checks
1959         https://bugs.webkit.org/show_bug.cgi?id=130684
1960         <rdar://problem/16398388>
1961
1962         Reviewed by Oliver Hunt.
1963         
1964         Add string length bounds checks in a bunch of places. We should never allow a string
1965         to have a length greater than 2^31-1 because it's not clear that the language has
1966         semantics for it and because there is code that assumes that this cannot happen.
1967         
1968         Also add a bunch of tests to that effect to cover the various ways in which this was
1969         previously allowed to happen.
1970
1971         * dfg/DFGOperations.cpp:
1972         * dfg/DFGSpeculativeJIT.cpp:
1973         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1974         * ftl/FTLLowerDFGToLLVM.cpp:
1975         (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
1976         * runtime/JSString.cpp:
1977         (JSC::JSRopeString::RopeBuilder::expand):
1978         * runtime/JSString.h:
1979         (JSC::JSString::create):
1980         (JSC::JSRopeString::RopeBuilder::append):
1981         (JSC::JSRopeString::RopeBuilder::release):
1982         (JSC::JSRopeString::append):
1983         * runtime/Operations.h:
1984         (JSC::jsString):
1985         (JSC::jsStringFromRegisterArray):
1986         (JSC::jsStringFromArguments):
1987         * runtime/StringPrototype.cpp:
1988         (JSC::stringProtoFuncIndexOf):
1989         (JSC::stringProtoFuncSlice):
1990         (JSC::stringProtoFuncSubstring):
1991         (JSC::stringProtoFuncToLowerCase):
1992         * tests/stress/make-large-string-jit-strcat.js: Added.
1993         (foo):
1994         * tests/stress/make-large-string-jit.js: Added.
1995         (foo):
1996         * tests/stress/make-large-string-strcat.js: Added.
1997         * tests/stress/make-large-string.js: Added.
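
        Why the 2^31-1 cap has to be enforced where ropes are built: a rope records the
        lengths of its fibers and computes the length of a concatenation by addition long
        before any characters are copied, so an unchecked sum can quietly pass the range
        that later code (int indices, buffer sizing) assumes. The following is an added
        C++ example, not JavaScriptCore's RopeBuilder: it models fibers by length alone
        (no character data) and contrasts an unchecked length computation with a builder
        that refuses an append before the total can exceed the cap. The constructed
        fiber lengths in main() are chosen to make the unchecked sum wrap.

```cpp
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Cap from this entry: a string may never be longer than 2^31-1 characters.
static const uint32_t kMaxStringLength = 0x7FFFFFFFu;

// Stand-in for a rope fiber (a JSString): only its length matters for this example.
struct Fiber { uint32_t length; };

// Unchecked model: the rope's length is the sum of the fiber lengths, computed mod 2^32.
// Two fibers at the cap give 0xFFFFFFFE (negative once viewed as int32); three wrap past zero.
uint32_t uncheckedRopeLength(const std::vector<Fiber>& fibers) {
    uint32_t total = 0;
    for (const Fiber& f : fibers) total += f.length; // wraps silently on overflow
    return total;
}

// Checked model of a rope builder: refuse an append that would push the total past the cap.
class CheckedRopeBuilder {
public:
    // Returns false and leaves the builder untouched if the append would exceed the cap.
    bool append(const Fiber& f) {
        if (f.length > kMaxStringLength - m_length) { // overflow-safe form of m_length + f.length > cap
            m_overflowed = true;
            return false;
        }
        m_length += f.length;
        m_fibers.push_back(f);
        return true;
    }
    uint32_t length() const { return m_length; }
    bool overflowed() const { return m_overflowed; }
    size_t fiberCount() const { return m_fibers.size(); }
private:
    std::vector<Fiber> m_fibers;
    uint32_t m_length = 0;
    bool m_overflowed = false;
};

// Model of a runtime concatenation entry point: it yields a valid length or throws,
// never a length outside the cap.
uint32_t concatLength(const std::vector<Fiber>& fibers) {
    CheckedRopeBuilder builder;
    for (const Fiber& f : fibers) {
        if (!builder.append(f)) throw std::length_error("string length would exceed 2^31-1");
    }
    return builder.length();
}

// True if the checked path rejects this concatenation.
bool concatRejects(const std::vector<Fiber>& fibers) {
    try { concatLength(fibers); return false; }
    catch (const std::length_error&) { return true; }
}

int main() {
    // Constructed inputs: two fibers at the cap, then three whose true total is 2^32 + 1.
    std::vector<Fiber> twoAtCap = { {0x7FFFFFFFu}, {0x7FFFFFFFu} };
    std::vector<Fiber> wrapsPastZero = { {0x7FFFFFFFu}, {0x7FFFFFFFu}, {3u} };
    uint32_t a = uncheckedRopeLength(twoAtCap);
    uint32_t b = uncheckedRopeLength(wrapsPastZero);
    std::printf("unchecked: %u (as int32: %d), %u (as int32: %d)\n",
                a, static_cast<int32_t>(a), b, static_cast<int32_t>(b));
    std::printf("checked rejects: %d %d; small concat length: %u\n",
                concatRejects(twoAtCap), concatRejects(wrapsPastZero),
                concatLength({ {10u}, {20u} }));
    return 0;
}
```

        The three-fiber case is the instructive one: the wrapped length is 1, so a check
        applied only to the final length would see nothing wrong. The check has to run at
        every append, in the overflow-safe form shown, which is what adding bounds checks
        to the JIT's MakeRope paths as well as to the runtime helpers achieves.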
1998
1999 2014-04-15  Julien Brianceau  <jbriance@cisco.com>
2000
2001         Remove invalid sh4 specific code in JITInlines header.
2002         https://bugs.webkit.org/show_bug.cgi?id=131692
2003
2004         Reviewed by Geoffrey Garen.
2005
2006         * jit/JITInlines.h:
2007         (JSC::JIT::callOperation): Prototype is not F_JITOperation_EJJZ
2008         anymore since r160244, so the sh4 specific code is invalid now
2009         and has to be removed.
2010
2011 2014-04-15  Mark Hahnenberg  <mhahnenberg@apple.com>
2012
2013         Fix precedence issue in JSCell::setRemembered
2014
2015         Rubber stamped by Filip Pizlo.
2016
2017         * runtime/JSCell.h:
2018         (JSC::JSCell::setRemembered):
2019
2020 2014-04-15  Mark Hahnenberg  <mhahnenberg@apple.com>
2021
2022         Objective-C API external object graphs don't handle generational collection properly
2023         https://bugs.webkit.org/show_bug.cgi?id=131634
2024
2025         Reviewed by Geoffrey Garen.
2026
2027         If the set of Objective-C objects transitively reachable through an object changes, we 
2028         need to update the set of opaque roots accordingly. If we don't, the next EdenCollection 
2029         won't rescan the external object graph, which would lead us to consider a newly allocated 
2030         JSManagedValue to be dead.
2031
2032         * API/JSBase.cpp:
2033         (JSSynchronousEdenCollectForDebugging):
2034         * API/JSVirtualMachine.mm:
2035         (-[JSVirtualMachine initWithContextGroupRef:]):
2036         (-[JSVirtualMachine dealloc]):
2037         (-[JSVirtualMachine isOldExternalObject:]):
2038         (-[JSVirtualMachine addExternalRememberedObject:]):
2039         (-[JSVirtualMachine addManagedReference:withOwner:]):
2040         (-[JSVirtualMachine removeManagedReference:withOwner:]):
2041         (-[JSVirtualMachine externalRememberedSet]):
2042         (scanExternalObjectGraph):
2043         (scanExternalRememberedSet):
2044         * API/JSVirtualMachineInternal.h:
2045         * API/tests/testapi.mm:
2046         * heap/Heap.cpp:
2047         (JSC::Heap::markRoots):
2048         * heap/Heap.h:
2049         (JSC::Heap::slotVisitor):
2050         * heap/SlotVisitor.h:
2051         * heap/SlotVisitorInlines.h:
2052         (JSC::SlotVisitor::containsOpaqueRoot):
2053         (JSC::SlotVisitor::containsOpaqueRootTriState):
2054
2055 2014-04-15  Filip Pizlo  <fpizlo@apple.com>
2056
2057         DFG IR should keep the data flow of doubles and int52's separate from the data flow of JSValue's
2058         https://bugs.webkit.org/show_bug.cgi?id=131423
2059
2060         Reviewed by Geoffrey Garen.
2061         
2062         This introduces more static typing into DFG IR. Previously we just had the notion of
2063         JSValues and Storage. This was weird because doubles weren't always convertible to
2064         JSValues, and Int52s weren't always convertible to either doubles or JSValues. We would
2065         sort of insert explicit conversion nodes just for the places where we knew that an
2066         implicit conversion wouldn't have been possible -- but there was no hard and fast rule so
2067         we'd get bugs from forgetting to do the right conversion.
2068         
2069         This patch introduces a hard and fast rule: doubles can never be implicitly converted to
2070         anything but doubles, and likewise Int52's can never be implicitly converted. Conversion
2071         nodes are used for all of the conversions. Int52Rep, DoubleRep, and ValueRep are the
2072         conversions. They are like Identity but return the same value using a different
2073         representation. Likewise, constants may now be represented using either JSConstant,
2074         Int52Constant, or DoubleConstant. UseKinds have been adjusted accordingly, as well.
2075         Int52RepUse and DoubleRepUse are node uses that mean "the node must be of Int52 (or
2076         Double) type". They don't imply checks. There is also DoubleRepRealUse, which means that
2077         we speculate DoubleReal and expect Double representation.
2078         
2079         In addition to simplifying a bunch of rules in the IR and making the IR more verifiable,
2080         this also makes it easier to introduce optimizations in the future. It's now possible for
2081         AI to model when/how conversions take place. For example if doing a conversion results in
2082         NaN sanitization, then AI can model this and can allow us to sink sanitizations. That's
2083         what https://bugs.webkit.org/show_bug.cgi?id=131419 will be all about.
2084         
2085         This was a big change, so I had to do some interesting things, like finally get rid of
2086         the DFG's weird variadic template macro hacks and use real C++11 variadic templates. Also
2087         the ByteCodeParser no longer emits Identity nodes since that was always pointless.
2088         
2089         No performance change because this mostly just rationalizes preexisting behavior.
2090
2091         * JavaScriptCore.xcodeproj/project.pbxproj:
2092         * assembler/MacroAssemblerX86.h:
2093         * bytecode/CodeBlock.cpp:
2094         * bytecode/CodeBlock.h:
2095         * dfg/DFGAbstractInterpreter.h:
2096         (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
2097         (JSC::DFG::AbstractInterpreter::setConstant):
2098         * dfg/DFGAbstractInterpreterInlines.h:
2099         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2100         * dfg/DFGAbstractValue.cpp:
2101         (JSC::DFG::AbstractValue::set):
2102         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
2103         (JSC::DFG::AbstractValue::checkConsistency):
2104         * dfg/DFGAbstractValue.h:
2105         * dfg/DFGBackwardsPropagationPhase.cpp:
2106         (JSC::DFG::BackwardsPropagationPhase::propagate):
2107         * dfg/DFGBasicBlock.h:
2108         * dfg/DFGBasicBlockInlines.h:
2109         (JSC::DFG::BasicBlock::appendNode):
2110         (JSC::DFG::BasicBlock::appendNonTerminal):
2111         * dfg/DFGByteCodeParser.cpp:
2112         (JSC::DFG::ByteCodeParser::parseBlock):
2113         * dfg/DFGCSEPhase.cpp:
2114         (JSC::DFG::CSEPhase::constantCSE):
2115         (JSC::DFG::CSEPhase::performNodeCSE):
2116         (JSC::DFG::CSEPhase::int32ToDoubleCSE): Deleted.
2117         * dfg/DFGCapabilities.h:
2118         * dfg/DFGClobberize.h:
2119         (JSC::DFG::clobberize):
2120         * dfg/DFGConstantFoldingPhase.cpp:
2121         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2122         * dfg/DFGDCEPhase.cpp:
2123         (JSC::DFG::DCEPhase::fixupBlock):
2124         * dfg/DFGEdge.h:
2125         (JSC::DFG::Edge::willNotHaveCheck):
2126         * dfg/DFGFixupPhase.cpp:
2127         (JSC::DFG::FixupPhase::run):
2128         (JSC::DFG::FixupPhase::fixupNode):
2129         (JSC::DFG::FixupPhase::fixupGetAndSetLocalsInBlock):
2130         (JSC::DFG::FixupPhase::observeUseKindOnNode):
2131         (JSC::DFG::FixupPhase::fixIntEdge):
2132         (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
2133         (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
2134         (JSC::DFG::FixupPhase::tryToRelaxRepresentation):
2135         (JSC::DFG::FixupPhase::fixEdgeRepresentation):
2136         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2137         (JSC::DFG::FixupPhase::addRequiredPhantom):
2138         (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
2139         (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
2140         (JSC::DFG::FixupPhase::fixupSetLocalsInBlock): Deleted.
2141         * dfg/DFGFlushFormat.h:
2142         (JSC::DFG::resultFor):
2143         (JSC::DFG::useKindFor):
2144         * dfg/DFGGraph.cpp:
2145         (JSC::DFG::Graph::dump):
2146         * dfg/DFGGraph.h:
2147         (JSC::DFG::Graph::addNode):
2148         * dfg/DFGInPlaceAbstractState.cpp:
2149         (JSC::DFG::InPlaceAbstractState::initialize):
2150         * dfg/DFGInsertionSet.h:
2151         (JSC::DFG::InsertionSet::insertNode):
2152         (JSC::DFG::InsertionSet::insertConstant):
2153         (JSC::DFG::InsertionSet::insertConstantForUse):
2154         * dfg/DFGIntegerCheckCombiningPhase.cpp:
2155         (JSC::DFG::IntegerCheckCombiningPhase::insertAdd):
2156         (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd):
2157         * dfg/DFGNode.cpp:
2158         (JSC::DFG::Node::convertToIdentity):
2159         (WTF::printInternal):
2160         * dfg/DFGNode.h:
2161         (JSC::DFG::Node::Node):
2162         (JSC::DFG::Node::setResult):
2163         (JSC::DFG::Node::result):
2164         (JSC::DFG::Node::isConstant):
2165         (JSC::DFG::Node::hasConstant):
2166         (JSC::DFG::Node::convertToConstant):
2167         (JSC::DFG::Node::valueOfJSConstant):
2168         (JSC::DFG::Node::hasResult):
2169         (JSC::DFG::Node::hasInt32Result):
2170         (JSC::DFG::Node::hasInt52Result):
2171         (JSC::DFG::Node::hasNumberResult):
2172         (JSC::DFG::Node::hasDoubleResult):
2173         (JSC::DFG::Node::hasJSResult):
2174         (JSC::DFG::Node::hasBooleanResult):
2175         (JSC::DFG::Node::hasStorageResult):
2176         (JSC::DFG::Node::defaultUseKind):
2177         (JSC::DFG::Node::defaultEdge):
2178         (JSC::DFG::Node::convertToIdentity): Deleted.
2179         * dfg/DFGNodeFlags.cpp:
2180         (JSC::DFG::dumpNodeFlags):
2181         * dfg/DFGNodeFlags.h:
2182         (JSC::DFG::canonicalResultRepresentation):
2183         * dfg/DFGNodeType.h:
2184         * dfg/DFGOSRExitCompiler32_64.cpp:
2185         (JSC::DFG::OSRExitCompiler::compileExit):
2186         * dfg/DFGOSRExitCompiler64.cpp:
2187         (JSC::DFG::OSRExitCompiler::compileExit):
2188         * dfg/DFGPredictionPropagationPhase.cpp:
2189         (JSC::DFG::PredictionPropagationPhase::propagate):
2190         * dfg/DFGResurrectionForValidationPhase.cpp:
2191         (JSC::DFG::ResurrectionForValidationPhase::run):
2192         * dfg/DFGSSAConversionPhase.cpp:
2193         (JSC::DFG::SSAConversionPhase::run):
2194         * dfg/DFGSafeToExecute.h:
2195         (JSC::DFG::SafeToExecuteEdge::operator()):
2196         (JSC::DFG::safeToExecute):
2197         * dfg/DFGSpeculativeJIT.cpp:
2198         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
2199         (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
2200         (JSC::DFG::SpeculativeJIT::silentFill):
2201         (JSC::DFG::JSValueRegsTemporary::JSValueRegsTemporary):
2202         (JSC::DFG::JSValueRegsTemporary::~JSValueRegsTemporary):
2203         (JSC::DFG::JSValueRegsTemporary::regs):
2204         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
2205         (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
2206         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
2207         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2208         (JSC::DFG::SpeculativeJIT::compileValueRep):
2209         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
2210         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
2211         (JSC::DFG::SpeculativeJIT::compileAdd):
2212         (JSC::DFG::SpeculativeJIT::compileArithSub):
2213         (JSC::DFG::SpeculativeJIT::compileArithNegate):
2214         (JSC::DFG::SpeculativeJIT::compileArithMul):
2215         (JSC::DFG::SpeculativeJIT::compileArithDiv):
2216         (JSC::DFG::SpeculativeJIT::compileArithMod):
2217         (JSC::DFG::SpeculativeJIT::compare):
2218         (JSC::DFG::SpeculativeJIT::compileStrictEq):
2219         (JSC::DFG::SpeculativeJIT::speculateNumber):
2220         (JSC::DFG::SpeculativeJIT::speculateDoubleReal):
2221         (JSC::DFG::SpeculativeJIT::speculate):
2222         (JSC::DFG::SpeculativeJIT::compileInt32ToDouble): Deleted.
2223         (JSC::DFG::SpeculativeJIT::speculateMachineInt): Deleted.
2224         (JSC::DFG::SpeculativeJIT::speculateRealNumber): Deleted.
2225         * dfg/DFGSpeculativeJIT.h:
2226         (JSC::DFG::SpeculativeJIT::allocate):
2227         (JSC::DFG::SpeculativeJIT::use):
2228         (JSC::DFG::SpeculativeJIT::boxDouble):
2229         (JSC::DFG::SpeculativeJIT::spill):
2230         (JSC::DFG::SpeculativeJIT::jsValueResult):
2231         (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand):
2232         (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand):
2233         (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand):
2234         (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
2235         * dfg/DFGSpeculativeJIT32_64.cpp:
2236         (JSC::DFG::SpeculativeJIT::fillJSValue):
2237         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2238         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2239         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2240         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2241         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2242         (JSC::DFG::SpeculativeJIT::emitBranch):
2243         (JSC::DFG::SpeculativeJIT::compile):
2244         (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
2245         * dfg/DFGSpeculativeJIT64.cpp:
2246         (JSC::DFG::SpeculativeJIT::fillJSValue):
2247         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2248         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
2249         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2250         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2251         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2252         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2253         (JSC::DFG::SpeculativeJIT::emitBranch):
2254         (JSC::DFG::SpeculativeJIT::compile):
2255         (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
2256         * dfg/DFGStrengthReductionPhase.cpp:
2257         (JSC::DFG::StrengthReductionPhase::handleNode):
2258         * dfg/DFGUseKind.cpp:
2259         (WTF::printInternal):
2260         * dfg/DFGUseKind.h:
2261         (JSC::DFG::typeFilterFor):
2262         (JSC::DFG::shouldNotHaveTypeCheck):
2263         (JSC::DFG::mayHaveTypeCheck):
2264         (JSC::DFG::isNumerical):
2265         (JSC::DFG::isDouble):
2266         (JSC::DFG::isCell):
2267         (JSC::DFG::usesStructure):
2268         (JSC::DFG::useKindForResult):
2269         * dfg/DFGValidate.cpp:
2270         (JSC::DFG::Validate::validate):
2271         * dfg/DFGVariadicFunction.h: Removed.
2272         * ftl/FTLCapabilities.cpp:
2273         (JSC::FTL::canCompile):
2274         * ftl/FTLLowerDFGToLLVM.cpp:
2275         (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
2276         (JSC::FTL::LowerDFGToLLVM::compileNode):
2277         (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
2278         (JSC::FTL::LowerDFGToLLVM::compilePhi):
2279         (JSC::FTL::LowerDFGToLLVM::compileDoubleConstant):
2280         (JSC::FTL::LowerDFGToLLVM::compileInt52Constant):
2281         (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant):
2282         (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
2283         (JSC::FTL::LowerDFGToLLVM::compileValueRep):
2284         (JSC::FTL::LowerDFGToLLVM::compileInt52Rep):
2285         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
2286         (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
2287         (JSC::FTL::LowerDFGToLLVM::compileArithMul):
2288         (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
2289         (JSC::FTL::LowerDFGToLLVM::compileArithMod):
2290         (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
2291         (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
2292         (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
2293         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2294         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
2295         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
2296         (JSC::FTL::LowerDFGToLLVM::compare):
2297         (JSC::FTL::LowerDFGToLLVM::boolify):
2298         (JSC::FTL::LowerDFGToLLVM::lowInt52):
2299         (JSC::FTL::LowerDFGToLLVM::lowStrictInt52):
2300         (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52):
2301         (JSC::FTL::LowerDFGToLLVM::lowDouble):
2302         (JSC::FTL::LowerDFGToLLVM::lowJSValue):
2303         (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble):
2304         (JSC::FTL::LowerDFGToLLVM::jsValueToDouble):
2305         (JSC::FTL::LowerDFGToLLVM::speculate):
2306         (JSC::FTL::LowerDFGToLLVM::speculateNumber):
2307         (JSC::FTL::LowerDFGToLLVM::speculateDoubleReal):
2308         (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue): Deleted.
2309         (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble): Deleted.
2310         (JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue): Deleted.
2311         (JSC::FTL::LowerDFGToLLVM::speculateRealNumber): Deleted.
2312         (JSC::FTL::LowerDFGToLLVM::speculateMachineInt): Deleted.
2313         * ftl/FTLValueFormat.cpp:
2314         (JSC::FTL::reboxAccordingToFormat):
2315         * jit/AssemblyHelpers.cpp:
2316         (JSC::AssemblyHelpers::sanitizeDouble):
2317         * jit/AssemblyHelpers.h:
2318         (JSC::AssemblyHelpers::boxDouble):
2319
2320 2014-04-15  Commit Queue  <commit-queue@webkit.org>
2321
2322         Unreviewed, rolling out r167199 and r167251.
2323         https://bugs.webkit.org/show_bug.cgi?id=131678
2324
2325         Caused a DYEBench regression and does not seem to improve perf
2326         on relevant websites (Requested by rniwa on #webkit).
2327
2328         Reverted changesets:
2329
2330         "Rewrite Function.bind as a builtin"
2331         https://bugs.webkit.org/show_bug.cgi?id=131083
2332         http://trac.webkit.org/changeset/167199
2333
2334         "Update test result"
2335         http://trac.webkit.org/changeset/167251
2336
2337 2014-04-14  Commit Queue  <commit-queue@webkit.org>
2338
2339         Unreviewed, rolling out r167272.
2340         https://bugs.webkit.org/show_bug.cgi?id=131666
2341
2342         Broke multiple tests (Requested by ap on #webkit).
2343
2344         Reverted changeset:
2345
2346         "Function.bind itself is too slow"
2347         https://bugs.webkit.org/show_bug.cgi?id=131636
2348         http://trac.webkit.org/changeset/167272
2349
2350 2014-04-14  Geoffrey Garen  <ggaren@apple.com>
2351
2352         ASSERT when firing low memory warning
2353         https://bugs.webkit.org/show_bug.cgi?id=131659
2354
2355         Reviewed by Mark Hahnenberg.
2356
2357         * heap/Heap.cpp:
2358         (JSC::Heap::deleteAllCompiledCode): Allow deleteAllCompiledCode to be
2359         called when no GC is happening because that is what we do when a low
2360         memory warning fires, and it is harmless.
2361
2362 2014-04-14  Mark Hahnenberg  <mhahnenberg@apple.com>
2363
2364         emit_op_put_by_id should not emit a write barrier that filters on value
2365         https://bugs.webkit.org/show_bug.cgi?id=131654
2366
2367         Reviewed by Filip Pizlo.
2368
2369         The 32-bit implementation does this, and it can cause crashes if we later repatch the 
2370         code to allocate and store new Butterflies.
2371
2372         * jit/JITPropertyAccess.cpp:
2373         (JSC::JIT::emitWriteBarrier): We also weren't verifying that the base was a cell on 
2374         32-bit if we were passed ShouldFilterBase. I also took the liberty of sinking the tag 
2375         load down into the if statement so that we don't do it if we're not filtering on the value.
2376         * jit/JITPropertyAccess32_64.cpp:
2377         (JSC::JIT::emit_op_put_by_id):
2378
2379 2014-04-14  Oliver Hunt  <oliver@apple.com>
2380
2381         Function.bind itself is too slow
2382         https://bugs.webkit.org/show_bug.cgi?id=131636
2383
2384         Reviewed by Geoffrey Garen.
2385
2386         Rather than forcing creation of an activation, we now store
2387         bound function properties directly on the returned closure.
2388         This is necessary to deal with code that creates many function
2389         bindings, but does not call them very often.
2390
2391         This is a 60% speed up in the included js/regress test.
2392
2393         * builtins/BuiltinExecutables.cpp:
2394         (JSC::BuiltinExecutables::createBuiltinExecutable):
2395         * builtins/Function.prototype.js:
2396         (bind.bindingFunction):
2397         (bind.else.switch.case.1.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
2398         (bind.else.switch.case.1.bindingFunction):
2399         (bind.else.switch.case.2.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
2400         (bind.else.switch.case.2.bindingFunction):
2401         (bind.else.switch.case.3.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
2402         (bind.else.switch.case.3.bindingFunction):
2403         (bind.else.switch.bindingFunction):
2404         (bind):
2405         (bind.else.switch.case.1.bindingFunction.oversizedCall): Deleted.
2406         (bind.else.switch.case.2.bindingFunction.oversizedCall): Deleted.
2407         (bind.else.switch.case.3.bindingFunction.oversizedCall): Deleted.
2408         * runtime/CommonIdentifiers.h:
2409
2410 2014-04-14  Julien Brianceau  <jbriance@cisco.com>
2411
2412         [sh4] Allow use of SubImmediates in LLINT.
2413         https://bugs.webkit.org/show_bug.cgi?id=131608
2414
2415         Reviewed by Mark Lam.
2416
2417         Allow use of SubImmediates with const pool so the sh4 architecture can
2418         share the arm path for setEntryAddress macro. It reduces architecture
2419         specific code and leads to more optimal generated code for sh4.
2420
2421         * llint/LowLevelInterpreter.asm:
2422         * offlineasm/sh4.rb:
2423
2424 2014-04-14  Andreas Kling  <akling@apple.com>
2425
2426         Array.prototype.concat should allocate output storage only once.
2427         <https://webkit.org/b/131609>
2428
2429         Do a first pass across 'this' and any arguments to compute the
2430         final size of the resulting array from Array.prototype.concat.
2431         This avoids having to grow the output incrementally as we go.
2432
2433         This also includes two other micro-optimizations:
2434
2435         - Mark getProperty() with ALWAYS_INLINE.
2436
2437         - Use JSArray::length() instead of taking the generic property
2438           lookup path when we know an argument is an Array.
2439
2440         My MBP says ~3% progression on Dromaeo/jslib-traverse-jquery.
2441
2442         Reviewed by Oliver & Darin.
2443
2444         * runtime/ArrayPrototype.cpp:
2445         (JSC::getProperty):
2446         (JSC::arrayProtoFuncConcat):
2447
2448 2014-04-14  Commit Queue  <commit-queue@webkit.org>
2449
2450         Unreviewed, rolling out r167249.
2451         https://bugs.webkit.org/show_bug.cgi?id=131621
2452
2453         broke 3 tests on cloop (Requested by kling on #webkit).
2454
2455         Reverted changeset:
2456
2457         "Array.prototype.concat should allocate output storage only
2458         once."
2459         https://bugs.webkit.org/show_bug.cgi?id=131609
2460         http://trac.webkit.org/changeset/167249
2461
2462 2014-04-14  Alex Christensen  <achristensen@webkit.org>
2463
2464         Fixed potential integer truncation.
2465         https://bugs.webkit.org/show_bug.cgi?id=131615
2466
2467         Reviewed by Darin Adler.
2468
2469         * assembler/X86Assembler.h:
2470         (JSC::X86Assembler::fillNops):
2471         Truncate the size_t to an unsigned after it is limited to 15 instead of before.
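        Constructed C++ illustration of the ordering issue this entry describes (added here, not the X86Assembler code; helper names are hypothetical): narrowing a 64-bit padding size to unsigned before clamping it to 15 yields a wrong chunk for sizes of 2^32 or more, while clamping in the wide type and narrowing afterwards is correct for every input.

```cpp
#include <algorithm>
#include <cstdint>
#include <vector>

// Each emitted NOP sequence covers at most 15 bytes, so a fill loop hands out
// the padding in chunks of min(size, 15).  The padding size itself is 64-bit.
constexpr uint64_t kMaxNopBytes = 15;

// Buggy ordering (constructed): narrow first, then clamp.  A size of 2^32 + 5
// becomes 5, and a size of exactly 2^32 becomes 0, so a "while (size)" loop
// that subtracts the chunk would never make progress.
unsigned chunkTruncateBeforeLimit(uint64_t size)
{
    unsigned narrowed = static_cast<unsigned>(size); // silent truncation
    return narrowed > kMaxNopBytes ? static_cast<unsigned>(kMaxNopBytes) : narrowed;
}

// Fixed ordering: clamp in the wide type, then narrow.  The result is always
// in [0, 15] and equals min(size, 15) for every 64-bit input, so the cast can
// never lose information.
unsigned chunkTruncateAfterLimit(uint64_t size)
{
    return static_cast<unsigned>(std::min<uint64_t>(size, kMaxNopBytes));
}

// Stand-in for a fill loop: records the chunk size chosen on each iteration
// instead of writing NOP encodings.  Uses the fixed clamp, so every iteration
// consumes at least one byte and the loop terminates.
std::vector<unsigned> planNopFill(uint64_t size)
{
    std::vector<unsigned> chunks;
    while (size) {
        unsigned n = chunkTruncateAfterLimit(size);
        chunks.push_back(n);
        size -= n;
    }
    return chunks;
}
```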
2472
2473 2014-04-14  Andreas Kling  <akling@apple.com>
2474
2475         Array.prototype.concat should allocate output storage only once.
2476         <https://webkit.org/b/131609>
2477
2478         Do a first pass across 'this' and any arguments to compute the
2479         final size of the resulting array from Array.prototype.concat.
2480         This avoids having to grow the output incrementally as we go.
2481
2482         This also includes two other micro-optimizations:
2483
2484         - Mark getProperty() with ALWAYS_INLINE.
2485
2486         - Use JSArray::length() instead of taking the generic property
2487           lookup path when we know an argument is an Array.
2488
2489         My MBP says ~3% progression on Dromaeo/jslib-traverse-jquery.
2490
2491         Reviewed by Darin Adler.
2492
2493         * runtime/ArrayPrototype.cpp:
2494         (JSC::getProperty):
2495         (JSC::arrayProtoFuncConcat):
2496
2497 2014-04-14  Benjamin Poulain  <benjamin@webkit.org>
2498
2499         [JSC] Improve the call site of string comparison in some hot path
2500         https://bugs.webkit.org/show_bug.cgi?id=131605
2501
2502         Reviewed by Darin Adler.
2503
2504         When resolved, the String of a JSString is never null. It can be empty but not null.
2505         The null value is reserved for ropes but those would be resolved when getting the value.
2506
2507         Consequently, we should use the equal() operation that does not handle null values.
2508         Using the StringImpl directly is already common in StringPrototype but it was not used here for some reason.
2509
2510         * jit/JITOperations.cpp:
2511         * runtime/JSCJSValueInlines.h:
2512         (JSC::JSValue::equalSlowCaseInline):
2513         (JSC::JSValue::strictEqualSlowCaseInline):
2514         (JSC::JSValue::pureStrictEqual):
2515
2516 2014-04-08  Oliver Hunt  <oliver@apple.com>
2517
2518         Rewrite Function.bind as a builtin
2519         https://bugs.webkit.org/show_bug.cgi?id=131083
2520
2521         Reviewed by Geoffrey Garen.
2522
2523         This change removes the existing function.bind implementation
2524         entirely so JSBoundFunction is no more.
2525
2526         Instead we just return a regular JS closure with a few
2527         private properties hanging off it that allow us to perform
2528         the necessary bound function fakery.  While most of this is
2529         simple, a couple of key changes:
2530
2531         - The parser and lexer now directly track whether they're
2532           parsing code for call or construct and convert the private
2533           name @IsConstructor into TRUETOK or FALSETOK as appropriate.
2534           This automatically gives us the ability to vary behaviour
2535           from within the builtin. It also leaves a lot of headroom
2536           for trivial future improvements.
2537         - The instanceof operator now uses the prototypeForHasInstance
2538           private name, and we have a helper function to ensure that
2539           all objects that need to can update their magical 'prototype'
2540           property pair correctly.
2541
2542         * API/JSScriptRef.cpp:
2543         (parseScript):
2544         * JavaScriptCore.xcodeproj/project.pbxproj:
2545         * builtins/BuiltinExecutables.cpp:
2546         (JSC::BuiltinExecutables::createBuiltinExecutable):
2547         * builtins/Function.prototype.js:
2548         (bind.bindingFunction):
2549         (bind.else.bindingFunction):
2550         (bind):
2551         * bytecode/UnlinkedCodeBlock.cpp:
2552         (JSC::generateFunctionCodeBlock):
2553         * bytecompiler/NodesCodegen.cpp:
2554         (JSC::InstanceOfNode::emitBytecode):
2555         * interpreter/Interpreter.cpp:
2556         * parser/Lexer.cpp:
2557         (JSC::Lexer<T>::Lexer):
2558         (JSC::Lexer<LChar>::parseIdentifier):
2559         (JSC::Lexer<UChar>::parseIdentifier):
2560         * parser/Lexer.h:
2561         * parser/Parser.cpp:
2562         (JSC::Parser<LexerType>::Parser):
2563         (JSC::Parser<LexerType>::parseInner):
2564         * parser/Parser.h:
2565         (JSC::parse):
2566         * parser/ParserModes.h:
2567         * runtime/CodeCache.cpp:
2568         (JSC::CodeCache::getGlobalCodeBlock):
2569         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
2570         * runtime/CommonIdentifiers.h:
2571         * runtime/Completion.cpp:
2572         (JSC::checkSyntax):
2573         * runtime/Executable.cpp:
2574         (JSC::ProgramExecutable::checkSyntax):
2575         * runtime/FunctionPrototype.cpp:
2576         (JSC::FunctionPrototype::addFunctionProperties):
2577         (JSC::functionProtoFuncBind): Deleted.
2578         * runtime/JSBoundFunction.cpp: Removed.
2579         * runtime/JSBoundFunction.h: Removed.
2580         * runtime/JSFunction.cpp:
2581         (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
2582         (JSC::RetrieveCallerFunctionFunctor::operator()):
2583         (JSC::retrieveCallerFunction):
2584         (JSC::JSFunction::getOwnPropertySlot):
2585         (JSC::JSFunction::defineOwnProperty):
2586         * runtime/JSGlobalObject.cpp:
2587         (JSC::JSGlobalObject::reset):
2588         * runtime/JSGlobalObjectFunctions.cpp:
2589         (JSC::globalFuncSetTypeErrorAccessor):
2590         * runtime/JSGlobalObjectFunctions.h:
2591         * runtime/JSObject.h:
2592         (JSC::JSObject::inlineGetOwnPropertySlot):
2593
2594 2014-04-12  Filip Pizlo  <fpizlo@apple.com>
2595
2596         Math.fround() should be an intrinsic
2597         https://bugs.webkit.org/show_bug.cgi?id=131583
2598
2599         Reviewed by Geoffrey Garen.
2600         
2601         Makes programs that use Math.fround() run up to 6x faster.
2602
2603         * dfg/DFGAbstractInterpreterInlines.h:
2604         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2605         * dfg/DFGByteCodeParser.cpp:
2606         (JSC::DFG::ByteCodeParser::handleIntrinsic):
2607         * dfg/DFGCSEPhase.cpp:
2608         (JSC::DFG::CSEPhase::performNodeCSE):
2609         * dfg/DFGClobberize.h:
2610         (JSC::DFG::clobberize):
2611         * dfg/DFGFixupPhase.cpp:
2612         (JSC::DFG::FixupPhase::fixupNode):
2613         * dfg/DFGNodeType.h:
2614         * dfg/DFGPredictionPropagationPhase.cpp:
2615         (JSC::DFG::PredictionPropagationPhase::propagate):
2616         * dfg/DFGSafeToExecute.h:
2617         (JSC::DFG::safeToExecute):
2618         * dfg/DFGSpeculativeJIT32_64.cpp:
2619         (JSC::DFG::SpeculativeJIT::compile):
2620         * dfg/DFGSpeculativeJIT64.cpp:
2621         (JSC::DFG::SpeculativeJIT::compile):
2622         * ftl/FTLCapabilities.cpp:
2623         (JSC::FTL::canCompile):
2624         * ftl/FTLLowerDFGToLLVM.cpp:
2625         (JSC::FTL::LowerDFGToLLVM::compileNode):
2626         (JSC::FTL::LowerDFGToLLVM::compileArithFRound):
2627         * runtime/Intrinsic.h:
2628         * runtime/MathObject.cpp:
2629         (JSC::MathObject::finishCreation):
2630
2631 2014-04-12  Filip Pizlo  <fpizlo@apple.com>
2632
2633         FTL should use stackmap register liveness
2634         https://bugs.webkit.org/show_bug.cgi?id=130791
2635
2636         Reviewed by Geoffrey Garen.
2637         
2638         Enable the stackmap register liveness support by fixing the two last bugs:
2639         
2640         - If everything is dead after the patchpoint - a good possibility for a put_by_id -
2641           then we shouldn't crash due to a null scratch buffer.
2642         
2643         - Always consider callee-saves as if they were live. More precisely, we should
2644           consider those callee-saves that are not saved by the enclosing function to be live.
2645           For now we do the much simpler thing and consider callee-saves to be always live
2646           since it has minimal impact on the scratch register allocator. It will know not to
2647           preserve those for calls, anyway.
2648         
2649         I tried writing a test for the null scratch buffer thing, but failed. I will land the
2650         test anyway since it seems useful.
2651
2652         * ftl/FTLCompile.cpp:
2653         (JSC::FTL::usedRegistersFor):
2654         * jit/ScratchRegisterAllocator.cpp:
2655         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
2656         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
2657         * runtime/Options.h:
2658         * tests/stress/repeated-put-by-id-reallocating-transition.js: Added.
2659         (foo):
2660
2661 2014-04-11  Filip Pizlo  <fpizlo@apple.com>
2662
2663         DFG::FixupPhase should insert conversion nodes after the rest of fixup so that we know how the types settled
2664         https://bugs.webkit.org/show_bug.cgi?id=131424
2665
2666         Reviewed by Geoffrey Garen.
2667         
2668         This defers type conversion injection until we've decided on types. This makes the
2669         process of deciding types a bit more flexible - for example we can naturally fixpoint
2670         and change our minds. Only when things are settled do we actually insert conversions.
2671         
2672         This is a necessary prerequisite for keeping double, int52, and JSValue data flow
2673         separate. A SetLocal/GetLocal will appear to be JSValue until we fixpoint and realize
2674         that there are typed uses. If we were eagerly inserting type conversions then we would
2675         first insert a to/from-JSValue conversion in some cases only to then replace it by
2676         the other conversions. It's probably trivial to remove those redundant conversions later
2677         but I think it's better if we don't insert them to begin with.
2678
2679         * bytecode/CodeOrigin.h:
2680         (JSC::CodeOrigin::operator!):
2681         * dfg/DFGFixupPhase.cpp:
2682         (JSC::DFG::FixupPhase::run):
2683         (JSC::DFG::FixupPhase::fixupBlock):
2684         (JSC::DFG::FixupPhase::fixupNode):
2685         (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
2686         (JSC::DFG::FixupPhase::fixEdge):
2687         (JSC::DFG::FixupPhase::fixIntEdge):
2688         (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
2689         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2690         (JSC::DFG::FixupPhase::addRequiredPhantom):
2691         (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
2692         (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
2693         (JSC::DFG::FixupPhase::observeUntypedEdge): Deleted.
2694         (JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock): Deleted.
2695         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode): Deleted.
2696
2697 2014-04-11  Brian J. Burg  <burg@cs.washington.edu>
2698
2699         Web Replay: code generator should consider enclosing class when computing duplicate type names
2700         https://bugs.webkit.org/show_bug.cgi?id=131554
2701
2702         Reviewed by Timothy Hatcher.
2703
2704         We need to prepend an enum's enclosing class, if any, so that multiple enums with the same name
2705         can coexist without triggering a "duplicate types" error. Now, such enums must be referenced
2706         by the enclosing class and enum name.
2707
2708         Added tests for the new syntax, and rebaselined one test to reflect a previous patch's change.
2709
2710         * replay/scripts/CodeGeneratorReplayInputs.py:
2711         (Type.type_name): Prepend the enclosing class name.
2712         (Type.type_name.is):
2713         * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Added.
2714         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Added.
2715         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Added.
2716         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Rebaseline.
2717         * replay/scripts/tests/fail-on-duplicate-enum-type.json: Added.
2718         * replay/scripts/tests/generate-enums-with-same-base-name.json: Added.
2719
2720 2014-04-11  Gavin Barraclough  <baraclough@apple.com>
2721
2722         Rollout - Rewrite Function.bind as a builtin
2723         https://bugs.webkit.org/show_bug.cgi?id=131083
2724
2725         Unreviewed.
2726
2727         Rolling out r167020 while investigating a performance regression.
2728
2729         * API/JSObjectRef.cpp:
2730         (JSObjectMakeConstructor):
2731         * API/JSScriptRef.cpp:
2732         (parseScript):
2733         * CMakeLists.txt:
2734         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2735         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2736         * JavaScriptCore.xcodeproj/project.pbxproj:
2737         * builtins/BuiltinExecutables.cpp:
2738         (JSC::BuiltinExecutables::createBuiltinExecutable):
2739         * builtins/Function.prototype.js:
2740         (apply):
2741         (bind.bindingFunction): Deleted.
2742         (bind.else.bindingFunction): Deleted.
2743         (bind): Deleted.
2744         * bytecode/UnlinkedCodeBlock.cpp:
2745         (JSC::generateFunctionCodeBlock):
2746         * bytecompiler/NodesCodegen.cpp:
2747         (JSC::InstanceOfNode::emitBytecode):
2748         * interpreter/Interpreter.cpp:
2749         * parser/Lexer.cpp:
2750         (JSC::Lexer<T>::Lexer):
2751         (JSC::Lexer<LChar>::parseIdentifier):
2752         (JSC::Lexer<UChar>::parseIdentifier):
2753         * parser/Lexer.h:
2754         * parser/Parser.cpp:
2755         (JSC::Parser<LexerType>::Parser):
2756         (JSC::Parser<LexerType>::parseInner):
2757         * parser/Parser.h:
2758         (JSC::parse):
2759         * parser/ParserModes.h:
2760         * runtime/ArgumentsIteratorConstructor.cpp:
2761         (JSC::ArgumentsIteratorConstructor::finishCreation):
2762         * runtime/ArrayConstructor.cpp:
2763         (JSC::ArrayConstructor::finishCreation):
2764         * runtime/BooleanConstructor.cpp:
2765         (JSC::BooleanConstructor::finishCreation):
2766         * runtime/CodeCache.cpp:
2767         (JSC::CodeCache::getGlobalCodeBlock):
2768         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
2769         * runtime/CommonIdentifiers.h:
2770         * runtime/Completion.cpp:
2771         (JSC::checkSyntax):
2772         * runtime/DateConstructor.cpp:
2773         (JSC::DateConstructor::finishCreation):
2774         * runtime/ErrorConstructor.cpp:
2775         (JSC::ErrorConstructor::finishCreation):
2776         * runtime/Executable.cpp:
2777         (JSC::ProgramExecutable::checkSyntax):
2778         * runtime/FunctionConstructor.cpp:
2779         (JSC::FunctionConstructor::finishCreation):
2780         * runtime/FunctionPrototype.cpp:
2781         (JSC::FunctionPrototype::addFunctionProperties):
2782         (JSC::functionProtoFuncBind):
2783         * runtime/JSArrayBufferConstructor.cpp:
2784         (JSC::JSArrayBufferConstructor::finishCreation):
2785         * runtime/JSBoundFunction.cpp: Added.
2786         (JSC::boundFunctionCall):
2787         (JSC::boundFunctionConstruct):
2788         (JSC::JSBoundFunction::create):
2789         (JSC::JSBoundFunction::destroy):
2790         (JSC::JSBoundFunction::customHasInstance):
2791         (JSC::JSBoundFunction::JSBoundFunction):
2792         (JSC::JSBoundFunction::finishCreation):
2793         (JSC::JSBoundFunction::visitChildren):
2794         * runtime/JSBoundFunction.h: Added.
2795         (JSC::JSBoundFunction::targetFunction):
2796         (JSC::JSBoundFunction::boundThis):
2797         (JSC::JSBoundFunction::boundArgs):
2798         (JSC::JSBoundFunction::createStructure):
2799         * runtime/JSFunction.cpp:
2800         (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
2801         (JSC::RetrieveCallerFunctionFunctor::operator()):
2802         (JSC::retrieveCallerFunction):
2803         (JSC::JSFunction::getOwnPropertySlot):
2804         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2805         (JSC::JSFunction::put):
2806         (JSC::JSFunction::defineOwnProperty):
2807         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2808         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
2809         * runtime/JSGlobalObject.cpp:
2810         (JSC::JSGlobalObject::reset):
2811         * runtime/JSGlobalObjectFunctions.cpp:
2812         (JSC::globalFuncSetTypeErrorAccessor): Deleted.
2813         * runtime/JSGlobalObjectFunctions.h:
2814         * runtime/JSObject.cpp:
2815         (JSC::JSObject::putDirectPrototypeProperty): Deleted.
2816         (JSC::JSObject::putDirectPrototypePropertyWithoutTransitions): Deleted.
2817         * runtime/JSObject.h:
2818         * runtime/JSPromiseConstructor.cpp:
2819         (JSC::JSPromiseConstructor::finishCreation):
2820         * runtime/MapConstructor.cpp:
2821         (JSC::MapConstructor::finishCreation):
2822         * runtime/MapIteratorConstructor.cpp:
2823         (JSC::MapIteratorConstructor::finishCreation):
2824         * runtime/NameConstructor.cpp:
2825         (JSC::NameConstructor::finishCreation):
2826         * runtime/NativeErrorConstructor.cpp:
2827         (JSC::NativeErrorConstructor::finishCreation):
2828         * runtime/NumberConstructor.cpp:
2829         (JSC::NumberConstructor::finishCreation):
2830         * runtime/ObjectConstructor.cpp:
2831         (JSC::ObjectConstructor::finishCreation):
2832         * runtime/RegExpConstructor.cpp:
2833         (JSC::RegExpConstructor::finishCreation):
2834         * runtime/SetConstructor.cpp:
2835         (JSC::SetConstructor::finishCreation):
2836         * runtime/SetIteratorConstructor.cpp:
2837         (JSC::SetIteratorConstructor::finishCreation):
2838         * runtime/StringConstructor.cpp:
2839         (JSC::StringConstructor::finishCreation):
2840         * runtime/WeakMapConstructor.cpp:
2841         (JSC::WeakMapConstructor::finishCreation):
2842
2843 2014-04-11  David Kilzer  <ddkilzer@apple.com>
2844
2845         [ASan] Build broke because libCompileRuntimeToLLVMIR.a links to libclang_rt.asan_osx_dynamic.dylib
2846         <http://webkit.org/b/131556>
2847         <rdar://problem/16591856>
2848
2849         Reviewed by Brent Fulgham.
2850
2851         * Configurations/CompileRuntimeToLLVMIR.xcconfig: Clear
2852         OTHER_LDFLAGS so the ASan build does not try to link to
2853         libclang_rt.asan_osx_dynamic.dylib.
2854
2855 2014-04-11  Mark Lam  <mark.lam@apple.com>
2856
2857         JSMainThreadExecState::call() should clear exceptions before returning.
2858         <https://webkit.org/b/131530>
2859
2860         Reviewed by Geoffrey Garen.
2861
2862         Added a version of JSC::call() that returns any uncaught exception instead
2863         of leaving it pending in the VM.
2864
2865         As part of this change, I updated various parts of the code base to use the
2866         new API as needed.
2867
2868         * bindings/ScriptFunctionCall.cpp:
2869         (Deprecated::ScriptFunctionCall::call):
2870         - ScriptFunctionCall::call() is only used by the inspector to inject scripts.
2871           The injected scripts will include Inspector scripts that should catch
2872           and handle any exceptions that were thrown.  We should not be seeing any
2873           exceptions returned from this call.  However, we do have checks for
2874           exceptions in case there are bugs in the Inspector scripts which allowed
2875           the exception to leak through.  Hence, it is proper to clear the exception
2876           here, and only record the fact that an exception was seen (if present).
2877
2878         * bindings/ScriptFunctionCall.h:
2879         * inspector/InspectorEnvironment.h:
2880         * runtime/CallData.cpp:
2881         (JSC::call):
2882         * runtime/CallData.h:
2883
2884 2014-04-11  Oliver Hunt  <oliver@apple.com>
2885
2886         Add BuiltinLog function to make debugging builtins easier
2887         https://bugs.webkit.org/show_bug.cgi?id=131550
2888
2889         Reviewed by Andreas Kling.
2890
2891         Add a logging function that builtins can use for debugging.
2892
2893         * runtime/CommonIdentifiers.h:
2894         * runtime/JSGlobalObject.cpp:
2895         (JSC::JSGlobalObject::reset):
2896         * runtime/JSGlobalObjectFunctions.cpp:
2897         (JSC::globalFuncBuiltinLog):
2898         * runtime/JSGlobalObjectFunctions.h:
2899
2900 2014-04-11  Julien Brianceau  <jbriance@cisco.com>
2901
2902         Fix LLInt for sh4 architecture (broken since C stack merge).
2903         https://bugs.webkit.org/show_bug.cgi?id=131532
2904
2905         Reviewed by Mark Lam.
2906
2907         This patch fixes the build and also implements the sh4 parts for the initPCRelative and
2908         setEntryAddress macros introduced in http://trac.webkit.org/changeset/167094.
2909
2910         * llint/LowLevelInterpreter.asm:
2911         * llint/LowLevelInterpreter32_64.asm:
2912         * offlineasm/instructions.rb:
2913         * offlineasm/sh4.rb:
2914
2915 2014-04-10  Michael Saboff  <msaboff@apple.com>
2916
2917         Crash beneath DFG JIT code @ video.disney.com
2918         https://bugs.webkit.org/show_bug.cgi?id=131447
2919
2920         Reviewed by Geoffrey Garen.
2921
2922         The 32-bit path of speculateMisc() uses an 'is not int32' check followed by
2923         'tag not less than Undefined' check.  The first check was incorrectly elided if we
2924         knew that the value *was* an int32, when it should have been elided if we already
2925         knew that the value *was not* an int32.
2926
2927         * dfg/DFGSpeculativeJIT.cpp:
2928         (JSC::DFG::SpeculativeJIT::speculateMisc):
2929         * tests/stress/test-spec-misc.js: Added test.
2930         (getX):
2931         (foo):
2932         (bar):
2933
2934 2014-04-08  Filip Pizlo  <fpizlo@apple.com>
2935
2936         Make room for additional types in SpeculatedType.h
2937         https://bugs.webkit.org/show_bug.cgi?id=131422
2938
2939         Reviewed by Sam Weinig.
2940         
2941         This'll make it easier to add DoubleHeavyNaN and DoubleEmptyNaN.
2942
2943         * bytecode/SpeculatedType.h:
2944
2945 2014-04-10  Alex Christensen  <achristensen@webkit.org>
2946
2947         Compile fix for Win64.
2948         https://bugs.webkit.org/show_bug.cgi?id=131508
2949
2950         Reviewed by Geoffrey Garen.
2951
2952         * assembler/X86Assembler.h:
2953         (JSC::X86Assembler::fillNops):
2954         Added unsigned template parameter to distinguish between size_t and unsigned long.
2955
2956 2014-04-10  Michael Saboff  <msaboff@apple.com>
2957
2958         LLInt interpreter code should be generated as part of one function
2959         https://bugs.webkit.org/show_bug.cgi?id=131205
2960
2961         Reviewed by Mark Lam.
2962
2963         Changed the generation of llint opcodes so that they are all part of the same
2964         global function, llint_entry.  That function is used to fill in an entry point
2965         table that includes each of the opcodes and helpers.
2966
2967         * CMakeLists.txt:
2968         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
2969         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
2970         * JavaScriptCore.xcodeproj/project.pbxproj:
2971         Added appropriate use of new -I option to offline assembler and offset
2972         generator scripts.
2973
2974         * llint/LowLevelInterpreter.asm:
2975         * llint/LowLevelInterpreter.cpp:
2976         * llint/LowLevelInterpreter.h:
2977         * offlineasm/arm.rb:
2978         * offlineasm/arm64.rb:
2979         * offlineasm/asm.rb:
2980         * offlineasm/ast.rb:
2981         * offlineasm/backends.rb:
2982         * offlineasm/cloop.rb:
2983         * offlineasm/generate_offset_extractor.rb:
2984         * offlineasm/instructions.rb:
2985         * offlineasm/parser.rb:
2986         * offlineasm/registers.rb:
2987         * offlineasm/self_hash.rb:
2988         * offlineasm/settings.rb:
2989         * offlineasm/transform.rb:
2990         * offlineasm/x86.rb:
2991         Added a new "global" keyword to the offline assembler that denotes a label that
2992         should be exported.  Added opcode and operand support to get the absolute
2993         address of a local label using position independent calculations.  Updated the
2994         offline assembler to handle included files, both when generating the checksum
2995         as well as including files from other than the local directory via a newly
2996         added -I option.  The offline assembler now automatically determines external
2997         functions by keeping track of referenced functions that are defined within the
2998         assembly source.  This is used both for choosing the correct macro for external
2999         references as well as generating the needed EXTERN directives for masm.
3000         Updated the generation of the masm only .sym file to be written once at the end
3001         of the offline assembler.
3002
3003         * assembler/MacroAssemblerCodeRef.h:
3004         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
3005         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
3006         * bytecode/CodeBlock.cpp:
3007         (JSC::CodeBlock::dumpBytecode):
3008         (JSC::CodeBlock::CodeBlock):
3009         * bytecode/GetByIdStatus.cpp:
3010         (JSC::GetByIdStatus::computeFromLLInt):
3011         * bytecode/Opcode.h:
3012         (JSC::padOpcodeName):
3013         * bytecode/PutByIdStatus.cpp:
3014         (JSC::PutByIdStatus::computeFromLLInt):
3015         * jit/JIT.cpp:
3016         (JSC::JIT::privateCompileMainPass):
3017         * jit/JITStubs.h:
3018         * llint/LLIntCLoop.cpp:
3019         (JSC::LLInt::initialize):
3020         * llint/LLIntData.h:
3021         (JSC::LLInt::getCodeFunctionPtr):
3022         (JSC::LLInt::getOpcode): Deleted.
3023         (JSC::LLInt::getCodePtr): Deleted.
3024         * llint/LLIntOpcode.h:
3025         * llint/LLIntSlowPaths.cpp:
3026         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3027         * llint/LLIntThunks.cpp:
3028         (JSC::LLInt::functionForCallEntryThunkGenerator):
3029         (JSC::LLInt::functionForConstructEntryThunkGenerator):
3030         (JSC::LLInt::functionForCallArityCheckThunkGenerator):
3031         (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
3032         (JSC::LLInt::evalEntryThunkGenerator):
3033         (JSC::LLInt::programEntryThunkGenerator):
3034         * llint/LLIntThunks.h:
3035         Changed references to llint helpers to go through the entry point table populated
3036         by llint_entry.  Added helpers to OpcodeID enum for all builds.
3037
3038         * bytecode/BytecodeList.json:
3039         * generate-bytecode-files:
3040         * llint/LLIntCLoop.cpp:
3041         (JSC::LLInt::CLoop::initialize):
3042         Reordered sections to match the order that the functions are added to the entry point
3043         table.  Added new "asmPrefix" property for symbols that have one name but are generated
3044         with a prefix, e.g. op_enter -> llint_op_enter.  Eliminated the "emitDefineID" property
3045         as we are using enums for all bytecode references.  Changed the C Loop only
3046         llint_c_loop_init to llint_entry.
3047
3048 2014-04-10  Matthew Mirman  <mmirman@apple.com>
3049
3050         WIP for inlining C++.  Added a build target to produce LLVM IR.
3051         https://bugs.webkit.org/show_bug.cgi?id=130523
3052
3053         Reviewed by Mark Rowe.
3054
3055         * JavaScriptCore.xcodeproj/project.pbxproj:
3056         * build-symbol-table-index.py: Added.
3057         * build-symbol-table-index.sh: Added.
3058         * Configurations/CompileRuntimeToLLVMIR.xcconfig: Added.
3059         * copy-llvm-ir-to-derived-sources.sh: Added.
3060
3061 2014-04-10  Brian J. Burg  <burg@cs.washington.edu>
3062
3063         Web Replay: memoize plugin data for navigator.mimeTypes and navigator.plugins
3064         https://bugs.webkit.org/show_bug.cgi?id=131341
3065
3066         Reviewed by Timothy Hatcher.
3067
3068         Add support for encoding/decoding unsigned long with EncodedValue.
3069         It is a distinct type from uint32_t and uint64_t.
3070
3071         * replay/EncodedValue.cpp:
3072         (JSC::EncodedValue::convertTo<unsigned long>):
3073         * replay/EncodedValue.h:
3074
3075 2014-04-10  Mark Lam  <mark.lam@apple.com>
3076
3077         LLINT loadisFromInstruction should handle the big endian case.
3078         <https://webkit.org/b/131495>
3079
3080         Reviewed by Mark Hahnenberg.
3081
3082         The LLINT loadisFromInstruction macro aims to load the least significant
3083         32-bit word from the 64-bit bytecode instruction stream and sign extend
3084         it.  For big endian machines, the current implementation would load the
3085         wrong 32-bit word.
3086
3087         Without this fix, the JSC tests will crash on big endian machines.
3088         Thanks to Tomas Popela for diagnosing this issue.
3089
3090         * llint/LowLevelInterpreter.asm:
3091
3092 2014-04-09  Mark Lam  <mark.lam@apple.com>
3093
3094         Temporarily disable the JIT for the Windows port.
3095         <https://webkit.org/b/131470>
3096
3097         Reviewed by Brent Fulgham.
3098
3099         This is a temporary stopgap measure to green the Windows bots until
3100         we have a fix for https://webkit.org/b/131182.
3101
3102         * runtime/Options.cpp:
3103         (JSC::recomputeDependentOptions):
3104
3105 2014-04-09  Juergen Ributzka  <juergen@apple.com>
3106
3107         [FTL] Emit multibyte NOPs on X86-64
3108         https://bugs.webkit.org/show_bug.cgi?id=131394
3109
3110         Reviewed by Michael Saboff.
3111
3112         * assembler/X86Assembler.h:
3113         (JSC::X86Assembler::fillNops):
3114
3115 2014-04-09  Julien Brianceau  <jbriance@cisco.com>
3116
3117         Get rid of JITOperationWrappers.h header file.
3118         https://bugs.webkit.org/show_bug.cgi?id=131450
3119
3120         Reviewed by Michael Saboff.
3121
3122         JITOperationWrappers header file contains architecture specific code that is
3123         not needed anymore, so get rid of it.
3124
3125         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3126         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3127         * JavaScriptCore.xcodeproj/project.pbxproj:
3128         * dfg/DFGOperations.cpp:
3129         * jit/JITOperationWrappers.h: Removed.
3130         * jit/JITOperations.cpp:
3131
3132 2014-04-09  Mark Lam  <mark.lam@apple.com>
3133
3134         Ensure that LLINT accessing of the ProtoCallFrame is big endian friendly.
3135         <https://webkit.org/b/131449>
3136
3137         Reviewed by Mark Hahnenberg.
3138
3139         Change ProtoCallFrame::paddedArgCount to be of type uint32_t.  The argCount
3140         that it pads is of type int anyway.  It doesn't need to be 64 bit.  This
3141         also makes it work with the LLINT which is loading it with a loadi
3142         instruction.
3143
3144         We should add the PayLoadOffset to ProtoCallFrame::argCountAndCodeOriginValue
3145         when loading the argCount.
3146
3147         The paddedArgCount issue was causing failures when running the JSC tests on a
3148         64-bit big endian machine.  In this case, the paddedArgCount in the
3149         ProtoCallFrame has the value 2.  However, because the paddedArgCount was stored
3150         as a 64-bit size_t and the LLINT was loading only the low address 32-bits of
3151         that field, the LLINT got a value of 0 instead of the expected 2.  With this
3152         patch, we now have a matching store and load of a 32-bit value, and endianness
3153         no longer comes into play.
3154
3155         As for ProtoCallFrame::argCountAndCodeOriginValue, the argCount is stored in
3156         the payload field of the Register.  In the definition of EncodedValueDescriptor,
3157         we already ensure that the payload is in the least significant 32-bits for
3158         little endian machines, and in the most significant 32-bits for big endian
3159         machines.  This means that there is no endianness bug when loading this value
3160         using loadi.  However, adding the PayLoadOffset clarifies the intent of the
3161         code to load the payload part of the Register value.
3162
3163         * interpreter/ProtoCallFrame.h:
3164         (JSC::ProtoCallFrame::setPaddedArgCount):
3165         * llint/LowLevelInterpreter32_64.asm:
3166         * llint/LowLevelInterpreter64.asm:
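
        The two endianness bugs described in this entry and in the loadisFromInstruction entry above, modelled in a small added C program (not WebKit code): a byte buffer stands in for the ProtoCallFrame field and the instruction slot, and store/load helpers simulate both byte orders so the result does not depend on the host. Function names (paddedArgCountBuggy, paddedArgCountFixed, loadisFromInstruction) and the ORDER_LE/ORDER_BE selector are hypothetical, chosen to mirror the ChangeLog text.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical byte-order selector for the simulation (not a JSC type). */
typedef enum { ORDER_LE = 0, ORDER_BE = 1 } ByteOrder;

/* Store a 64-bit value into buf in the requested byte order. */
static void store64(uint8_t *buf, uint64_t v, ByteOrder order)
{
    for (int i = 0; i < 8; i++) {
        int shift = (order == ORDER_LE) ? 8 * i : 8 * (7 - i);
        buf[i] = (uint8_t)(v >> shift);
    }
}

/* Store a 32-bit value into buf in the requested byte order. */
static void store32(uint8_t *buf, uint32_t v, ByteOrder order)
{
    for (int i = 0; i < 4; i++) {
        int shift = (order == ORDER_LE) ? 8 * i : 8 * (3 - i);
        buf[i] = (uint8_t)(v >> shift);
    }
}

/* What a 32-bit "loadi" does: read the 4 bytes starting at the given
   address and interpret them in the machine's byte order. */
static uint32_t load32(const uint8_t *buf, ByteOrder order)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) {
        int shift = (order == ORDER_LE) ? 8 * i : 8 * (3 - i);
        v |= (uint32_t)buf[i] << shift;
    }
    return v;
}

/* The bug the entry describes: C++ stores paddedArgCount as a 64-bit size_t,
   while the LLInt loads only the 32 bits at the field's lowest address. */
uint32_t paddedArgCountBuggy(uint64_t argCount, ByteOrder order)
{
    uint8_t field[8];
    store64(field, argCount, order);
    return load32(field, order);
}

/* The fix: a 32-bit store matched with a 32-bit load, so byte order is moot. */
uint32_t paddedArgCountFixed(uint32_t argCount, ByteOrder order)
{
    uint8_t field[4];
    store32(field, argCount, order);
    return load32(field, order);
}

/* Model of loadisFromInstruction's intent: the least significant 32 bits of
   a 64-bit instruction word, sign-extended. On big endian those bits sit at
   the higher address, so the load offset must depend on byte order. */
int32_t loadisFromInstruction(uint64_t word, ByteOrder order)
{
    uint8_t slot[8];
    store64(slot, word, order);
    size_t lowWordOffset = (order == ORDER_LE) ? 0 : 4;
    return (int32_t)load32(slot + lowWordOffset, order);
}

/* The same load with the offset hard-coded to 0: right on little endian only. */
int32_t loadisFromInstructionNaive(uint64_t word, ByteOrder order)
{
    uint8_t slot[8];
    store64(slot, word, order);
    return (int32_t)load32(slot, order);
}

int main(void)
{
    printf("buggy paddedArgCount LE=%u BE=%u\n",
           (unsigned)paddedArgCountBuggy(2, ORDER_LE),
           (unsigned)paddedArgCountBuggy(2, ORDER_BE));
    printf("fixed paddedArgCount LE=%u BE=%u\n",
           (unsigned)paddedArgCountFixed(2, ORDER_LE),
           (unsigned)paddedArgCountFixed(2, ORDER_BE));
    /* Constructed instruction word: operand -1 in the low 32 bits. */
    uint64_t instr = 0x00000001FFFFFFFFull;
    printf("loadis LE=%d BE=%d naiveBE=%d\n",
           (int)loadisFromInstruction(instr, ORDER_LE),
           (int)loadisFromInstruction(instr, ORDER_BE),
           (int)loadisFromInstructionNaive(instr, ORDER_BE));
    return 0;
}
```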
3167
3168 2014-04-08  Oliver Hunt  <oliver@apple.com>
3169
3170         Rewrite Function.bind as a builtin
3171         https://bugs.webkit.org/show_bug.cgi?id=131083
3172
3173         Reviewed by Geoffrey Garen.
3174
3175         This change removes the existing function.bind implementation
3176         entirely so JSBoundFunction is no more.
3177
3178         Instead we just return a regular JS closure with a few
3179         private properties hanging off it that allow us to perform
3180         the necessary bound function fakery.  While most of this is
3181         simple, a couple of key changes:
3182
3183         - The parser and lexer now directly track whether they're
3184           parsing code for call or construct and convert the private
3185           name @IsConstructor into TRUETOK or FALSETOK as appropriate.
3186           This automatically gives us the ability to vary behaviour
3187           from within the builtin. It also leaves a lot of headroom
3188           for trivial future improvements.
3189         - The instanceof operator now uses the prototypeForHasInstance
3190           private name, and we have a helper function to ensure that
3191           all objects that need to can update their magical 'prototype'
3192           property pair correctly.
3193
3194         * API/JSScriptRef.cpp:
3195         (parseScript):
3196         * JavaScriptCore.xcodeproj/project.pbxproj:
3197         * builtins/BuiltinExecutables.cpp:
3198         (JSC::BuiltinExecutables::createBuiltinExecutable):
3199         * builtins/Function.prototype.js:
3200         (bind.bindingFunction):
3201         (bind.else.bindingFunction):
3202         (bind):
3203         * bytecode/UnlinkedCodeBlock.cpp:
3204         (JSC::generateFunctionCodeBlock):
3205         * bytecompiler/NodesCodegen.cpp:
3206         (JSC::InstanceOfNode::emitBytecode):
3207         * interpreter/Interpreter.cpp:
3208         * parser/Lexer.cpp:
3209         (JSC::Lexer<T>::Lexer):
3210         (JSC::Lexer<LChar>::parseIdentifier):
3211         (JSC::Lexer<UChar>::parseIdentifier):
3212         * parser/Lexer.h:
3213         * parser/Parser.cpp:
3214         (JSC::Parser<LexerType>::Parser):
3215         (JSC::Parser<LexerType>::parseInner):
3216         * parser/Parser.h:
3217         (JSC::parse):
3218         * parser/ParserModes.h:
3219         * runtime/CodeCache.cpp:
3220         (JSC::CodeCache::getGlobalCodeBlock):
3221         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
3222         * runtime/CommonIdentifiers.h:
3223         * runtime/Completion.cpp:
3224         (JSC::checkSyntax):
3225         * runtime/Executable.cpp:
3226         (JSC::ProgramExecutable::checkSyntax):
3227         * runtime/FunctionPrototype.cpp:
3228         (JSC::FunctionPrototype::addFunctionProperties):
3229         (JSC::functionProtoFuncBind): Deleted.
3230         * runtime/JSBoundFunction.cpp: Removed.
3231         * runtime/JSBoundFunction.h: Removed.
3232         * runtime/JSFunction.cpp:
3233         (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
3234         (JSC::RetrieveCallerFunctionFunctor::operator()):
3235         (JSC::retrieveCallerFunction):
3236         (JSC::JSFunction::getOwnPropertySlot):
3237         (JSC::JSFunction::defineOwnProperty):
3238         * runtime/JSGlobalObject.cpp:
3239         (JSC::JSGlobalObject::reset):
3240         * runtime/JSGlobalObjectFunctions.cpp:
3241         (JSC::globalFuncSetTypeErrorAccessor):
3242         * runtime/JSGlobalObjectFunctions.h:
3243         * runtime/JSObject.h:
3244         (JSC::JSObject::inlineGetOwnPropertySlot):
3245
3246 2014-04-08  Jon Lee  <jonlee@apple.com>
3247
3248         Turn MSE on by default
3249         https://bugs.webkit.org/show_bug.cgi?id=131313
3250         <rdar://problem/16525223>
3251
3252         Reviewed by Jer Noble.
3253
3254         * Configurations/FeatureDefines.xcconfig:
3255
3256 2014-04-08  Joseph Pecoraro  <pecoraro@apple.com>
3257
3258         Web Inspector: Prevent deadlocks receiving WIRPermissionDenied message
3259         https://bugs.webkit.org/show_bug.cgi?id=131406
3260
3261         Reviewed by Timothy Hatcher.
3262
3263         * inspector/remote/RemoteInspector.h:
3264         * inspector/remote/RemoteInspector.mm:
3265         (Inspector::RemoteInspector::stop):
3266         (Inspector::RemoteInspector::stopInternal):
3267         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
3268         Provide a way to stop externally and a path to stop when in
3269         the middle of handling a message already with the locked mutex.
3270
3271         * inspector/remote/RemoteInspectorXPCConnection.h:
3272         * inspector/remote/RemoteInspectorXPCConnection.mm:
3273         (Inspector::RemoteInspectorXPCConnection::close):
3274         (Inspector::RemoteInspectorXPCConnection::closeFromMessage):
3275         Provide a way to close externally and a path to close when in
3276         the middle of handling a message already with a mutex.
3277
3278 2014-04-08  Joseph Pecoraro  <pecoraro@apple.com>
3279
3280         Web Inspector: Address stale FIXMEs concerning console in JSContext inspection
3281         https://bugs.webkit.org/show_bug.cgi?id=131398
3282
3283         Reviewed by Timothy Hatcher.
3284
3285         * inspector/InjectedScriptSource.js:
3286         The console object can be deleted from a page or JSContext,
3287         so keep code that expects that it could have been deleted
3288         to be resilient in those cases.
3289
3290         * inspector/JSGlobalObjectScriptDebugServer.h:
3291         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
3292         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
3293         Change the FIXMEs to NOTEs that explain why these functions
3294         have empty implementations for JSContext inspection.
3295
3296 2014-04-08  Filip Pizlo  <fpizlo@apple.com>
3297
3298         Unreviewed, fix a goofy assertion to fix debug.
3299
3300         * bytecode/PolymorphicPutByIdList.h:
3301         (JSC::PutByIdAccess::isSetter):
3302         (JSC::PutByIdAccess::oldStructure):
3303         (JSC::PutByIdAccess::chain):
3304         (JSC::PutByIdAccess::stubRoutine):
3305         (JSC::PutByIdAccess::customSetter):
3306
3307 2014-04-08  Filip Pizlo  <fpizlo@apple.com>
3308
3309         Fail silently if the LLVM dylib isn't found
3310         https://bugs.webkit.org/show_bug.cgi?id=131385
3311
3312         Reviewed by Mark Hahnenberg.
3313
3314         * dfg/DFGPlan.cpp:
3315         (JSC::DFG::Plan::compileInThreadImpl):
3316         * llvm/InitializeLLVM.cpp:
3317         (JSC::initializeLLVM):
3318         * llvm/InitializeLLVM.h:
3319         * llvm/InitializeLLVMPOSIX.cpp:
3320         (JSC::initializeLLVMPOSIX):
3321
3322 2014-04-07  Filip Pizlo  <fpizlo@apple.com>
3323
3324         Repatch should support setters and plant calls to them directly
3325         https://bugs.webkit.org/show_bug.cgi?id=130750
3326
3327         Reviewed by Geoffrey Garen.
3328         
3329         All of the infrastructure was in place so this just enables setter optimization.
3330         
3331         This is a 12x speed-up on setter microbenchmarks. This is a 1% speed-up on Octane.
3332
3333         * bytecode/PolymorphicPutByIdList.cpp:
3334         (JSC::PutByIdAccess::visitWeak):
3335         * bytecode/PolymorphicPutByIdList.h:
3336         (JSC::PutByIdAccess::setter):
3337         (JSC::PutByIdAccess::customSetter): Deleted.
3338         * bytecode/PutByIdStatus.cpp:
3339         (JSC::PutByIdStatus::computeForStubInfo):
3340         * jit/Repatch.cpp:
3341         (JSC::toString):
3342         (JSC::kindFor):
3343         (JSC::customFor):
3344         (JSC::generateByIdStub):
3345         (JSC::tryCachePutByID):
3346         (JSC::tryBuildPutByIdList):
3347         * runtime/JSObject.cpp:
3348         (JSC::JSObject::put):
3349         * runtime/Lookup.h:
3350         (JSC::putEntry):
3351         * runtime/PutPropertySlot.h:
3352         (JSC::PutPropertySlot::setCacheableSetter):
3353         (JSC::PutPropertySlot::isCacheableSetter):
3354         (JSC::PutPropertySlot::isCacheableCustom):
3355         (JSC::PutPropertySlot::setCacheableCustomProperty): Deleted.
3356         (JSC::PutPropertySlot::isCacheableCustomProperty): Deleted.
3357         * tests/stress/setter.js: Added.
3358         (foo):
3359
3360 2014-04-07  Filip Pizlo  <fpizlo@apple.com>
3361
3362         Setters are just getters that take an extra argument and don't return a value
3363         https://bugs.webkit.org/show_bug.cgi?id=131336
3364
3365         Reviewed by Geoffrey Garen.
3366         
3367         Other than that, they're totally the same thing.
3368         
3369         This isn't as dumb as it sounds.
3370
3371         Most of the work in calling an accessor has to do with emitting the necessary checks for
3372         figuring out whether we're calling the accessor we expected, followed by the boilerplate
3373         needed for setting up a call inside of a stub. It makes sense for the code to be totally
3374         common.
3375
3376         * jit/AssemblyHelpers.h:
3377         (JSC::AssemblyHelpers::storeValue):
3378         (JSC::AssemblyHelpers::moveTrustedValue):
3379         * jit/CCallHelpers.h:
3380         (JSC::CCallHelpers::setupResults):
3381         * jit/Repatch.cpp:
3382         (JSC::kindFor):
3383         (JSC::customFor):
3384         (JSC::generateByIdStub):
3385         (JSC::tryCacheGetByID):
3386         (JSC::tryBuildGetByIDList):
3387         (JSC::tryCachePutByID):
3388         (JSC::tryBuildPutByIdList):
3389         (JSC::generateGetByIdStub): Deleted.
3390         (JSC::emitCustomSetterStub): Deleted.
3391         * runtime/JSCJSValue.h:
3392         (JSC::JSValue::asValue):
3393         * runtime/PutPropertySlot.h:
3394         (JSC::PutPropertySlot::cachedOffset):
3395
3396 2014-04-07  Joseph Pecoraro  <pecoraro@apple.com>
3397
3398         Web Inspector: Hang in debuggable application after receiving WIRPermissionDenied
3399         https://bugs.webkit.org/show_bug.cgi?id=131321