[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-02-14  David Kilzer  <ddkilzer@apple.com>

        [ASan] Disable JSStack::sanitizeStack() to avoid false-positive stack-buffer-overflow errors
        <http://webkit.org/b/128819>

        Reviewed by Filip Pizlo.

        * interpreter/JSStack.cpp:
        (JSC::JSStack::sanitizeStack): When building with the clang
        address sanitizer, don't sanitize the stack since it will
        trigger false-positive stack-buffer-overflow errors.  Disabling
        this only results in a performance penalty, not a correctness
        penalty.

2014-02-14  Andres Gomez  <agomez@igalia.com>

        Cleaning the JSStaticScopeObject files left behind after renaming their objects to JSNameScope
        https://bugs.webkit.org/show_bug.cgi?id=127595

        Reviewed by Mario Sanchez Prada.

        JSStaticScopeObject was renamed to JSNameScope and removed long
        ago but the files were left behind empty and the CMake compilation
        in need of its existence. Now, we are definitely getting rid of
        them.

        * CMakeLists.txt:
        * runtime/JSStaticScopeObject.cpp: Removed.
        * runtime/JSStaticScopeObject.h: Removed.

2014-02-13  Filip Pizlo  <fpizlo@apple.com>

        Kill some of the last vestiges of the C++ interpreter's PICs
        https://bugs.webkit.org/show_bug.cgi?id=128796

        Reviewed by Michael Saboff.

        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfo):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecode/PolymorphicAccessStructureList.h:
        (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::PolymorphicStubInfo):
        (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set):
        (JSC::PolymorphicAccessStructureList::PolymorphicAccessStructureList):
        (JSC::PolymorphicAccessStructureList::visitWeak):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::deref):
        (JSC::StructureStubInfo::visitWeakReferences):
        * bytecode/StructureStubInfo.h:
        (JSC::isGetByIdAccess):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/Repatch.cpp:
        (JSC::getPolymorphicStructureList):
        (JSC::tryBuildGetByIDList):
        * llint/LowLevelInterpreter.asm:

2014-02-13  Mark Lam  <mark.lam@apple.com>

        The JSContainerConvertor and ObjcContainerConvertor need to protect JSValueRefs. Part 2.
        <https://webkit.org/b/128764>

        Reviewed by Mark Hahnenberg.

        toJS() is the wrong cast function to use. We need to use toJSForGC() instead.
        Also we need to acquire the JSLock to prevent concurrent accesses to the
        Strong handle list.

        * API/JSValue.mm:
        (JSContainerConvertor::add):
        (containerValueToObject):
        (ObjcContainerConvertor::add):
        (objectToValue):

2014-02-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSManagedValue::dealloc modifies NSMapTable while iterating it
        https://bugs.webkit.org/show_bug.cgi?id=128713

        Reviewed by Geoffrey Garen.

        Having to write a test for this revealed a bug in how addManagedReference:withOwner:
        actually notifies JSManagedValues of new owners.

        * API/JSManagedValue.mm:
        (-[JSManagedValue dealloc]):
        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine addManagedReference:withOwner:]):
        (-[JSVirtualMachine removeManagedReference:withOwner:]):
        * API/tests/testapi.mm:
        (testObjectiveCAPI):

2014-02-13  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix build.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):

2014-02-13  Ryosuke Niwa  <rniwa@webkit.org>

        Speculative Release build fix after r164077.

        * API/JSValue.mm:

2014-02-13  Mark Lam  <mark.lam@apple.com>

        The JSContainerConvertor and ObjcContainerConvertor need to protect JSValueRefs.
        <https://webkit.org/b/128764>

        Reviewed by Mark Hahnenberg.

        Added a vector of Strong<Unknown> references in the 2 containers, and append
        the newly created JSValues to those vectors. This will keep all those JS objects
        alive for the duration of the conversion.

        * API/JSValue.mm:
        (JSContainerConvertor::add):
        (ObjcContainerConvertor::add):

2014-02-13  Matthew Mirman  <mmirman@apple.com>

        Added GetMyArgumentsLength to FTL
        https://bugs.webkit.org/show_bug.cgi?id=128758

        Reviewed by Filip Pizlo.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
        * tests/stress/ftl-getmyargumentslength.js: Added.
        (foo):

2014-02-13  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/164066.

        It broke tests and it was just plain wrong.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC::GetByIdStatus::computeForStubInfo):
        * runtime/Structure.h:
        (JSC::Structure::takesSlowPathInDFGForImpureProperty):

2014-02-13  Ryuan Choi  <ryuan.choi@samsung.com>

        Unreviewed build fix.

        Fixed typo.

        * dfg/DFGIntegerCheckCombiningPhase.cpp:
        (JSC::DFG::IntegerCheckCombiningPhase::run):

2014-02-13  Michael Saboff  <msaboff@apple.com>

        Change FTL stack check to use VM's stackLimit
        https://bugs.webkit.org/show_bug.cgi?id=128561

        Reviewed by Filip Pizlo.

        Changes FTL function entry to check the call frame register against the FTL
        specific stack limit (VM::m_ftlStackLimit) and throw an exception if the
        stack limit has been exceeded.  Updated the exception handling code to have
        a second entry that will unroll the current frame to the caller, since that
        is where the exception should be processed.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        * ftl/FTLState.h:
        * runtime/VM.h:
        (JSC::VM::addressOfFTLStackLimit):

2014-02-13  Filip Pizlo  <fpizlo@apple.com>

        GetByIdStatus shouldn't call takesSlowPathInDFGForImpureProperty() for self accesses, and calling that method should never assert about anything
        https://bugs.webkit.org/show_bug.cgi?id=128772

        Reviewed by Mark Hahnenberg.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC::GetByIdStatus::computeForStubInfo):
        * runtime/Structure.h:
        (JSC::Structure::takesSlowPathInDFGForImpureProperty):

2014-02-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add some RELEASE_ASSERTs to catch JSLock bugs earlier
        https://bugs.webkit.org/show_bug.cgi?id=128762

        Reviewed by Mark Lam.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * runtime/JSLock.cpp:
        (JSC::JSLock::DropAllLocks::DropAllLocks):

2014-02-12  Filip Pizlo  <fpizlo@apple.com>

        Hoist and combine array bounds checks
        https://bugs.webkit.org/show_bug.cgi?id=125433

        Reviewed by Mark Hahnenberg.

        This adds a phase for reasoning about overflow checks and array bounds checks. It's
        block-local, and removes both overflow checks and bounds checks in one go.

        This also improves reasoning about commutative operations, and CSE between
        CheckOverflow and Unchecked arithmetic.

        This strangely uncovered a DFG backend bug where we were trying to extract an int32
        from a constant even when that constant was just simply a number. I fixed that bug.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::set):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGArithMode.h:
        (JSC::DFG::subsumes):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::pureCSE):
        (JSC::DFG::CSEPhase::int32ToDoubleCSE):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGEdge.cpp:
        (JSC::DFG::Edge::dump):
        * dfg/DFGEdge.h:
        (JSC::DFG::Edge::sanitized):
        (JSC::DFG::Edge::hash):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::valueOfInt32Constant):
        * dfg/DFGInsertionSet.h:
        (JSC::DFG::InsertionSet::insertConstant):
        * dfg/DFGIntegerCheckCombiningPhase.cpp: Added.
        (JSC::DFG::IntegerCheckCombiningPhase::IntegerCheckCombiningPhase):
        (JSC::DFG::IntegerCheckCombiningPhase::run):
        (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
        (JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend):
        (JSC::DFG::IntegerCheckCombiningPhase::isValid):
        (JSC::DFG::IntegerCheckCombiningPhase::insertAdd):
        (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd):
        (JSC::DFG::performIntegerCheckCombining):
        * dfg/DFGIntegerCheckCombiningPhase.h: Added.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::willHaveCodeGenOrOSR):
        * dfg/DFGNodeType.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileAdd):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        (JSC::DFG::StrengthReductionPhase::handleCommutativity):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionFalse):
        * runtime/Identifier.h:
        * runtime/Intrinsic.h:
        * runtime/JSObject.h:
        * tests/stress/get-by-id-untyped.js: Added.
        (foo):
        * tests/stress/inverted-additive-subsumption.js: Added.
        (foo):
        * tests/stress/redundant-add-overflow-checks.js: Added.
        (foo):
        * tests/stress/redundant-array-bounds-checks-addition-skip-first.js: Added.
        (foo):
        (arraycmp):
        * tests/stress/redundant-array-bounds-checks-addition.js: Added.
        (foo):
        (arraycmp):
        * tests/stress/redundant-array-bounds-checks-unchecked-addition.js: Added.
        (foo):
        (arraycmp):
        * tests/stress/redundant-array-bounds-checks.js: Added.
        (foo):
        (arraycmp):
        * tests/stress/tricky-array-bounds-checks.js: Added.
        (foo):
        (arraycmp):

2014-02-13  Filip Pizlo  <fpizlo@apple.com>

        FTL should be OK with __compact_unwind in a data section
        https://bugs.webkit.org/show_bug.cgi?id=128756

        Reviewed by Mark Hahnenberg.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateCodeSection):
        (JSC::FTL::mmAllocateDataSection):

2014-02-13  Michael Saboff  <msaboff@apple.com>

        CStack Branch: VM::currentReturnThunkPC appears to be unused and should be removed
        https://bugs.webkit.org/show_bug.cgi?id=127205

        Reviewed by Geoffrey Garen.

        Removed unused references to VM::currentReturnThunkPC.

        * jit/ThunkGenerators.cpp:
        (JSC::arityFixup):
        * runtime/VM.h:

2014-02-13  Tamas Gergely  <tgergely.u-szeged@partner.samsung.com>

        Code cleanup: remove gcc<4.7 guards.
        https://bugs.webkit.org/show_bug.cgi?id=128729

        Reviewed by Anders Carlsson.

        Remove GCC_VERSION_AT_LEAST guards when it checks for pre-4.7 versions,
        as WK does not compile with earlier gcc versions.

        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::cacheFlush):
        * interpreter/StackVisitor.cpp:
        (JSC::printif):

2014-02-12  Mark Lam  <mark.lam@apple.com>

        No need to save reservedZoneSize when dropping the JSLock.
        <https://webkit.org/b/128719>

        Reviewed by Geoffrey Garen.

        The reservedZoneSize does not change due to the VM being run on a different
        thread. Hence, there is no need to save and restore its value. Instead of
        calling updateReservedZoneSize() to update the stack limit, we now call
        setStackPointerAtVMEntry() to do the job. setStackPointerAtVMEntry()
        will update the stackPointerAtVMEntry and delegate to updateStackLimit() to
        update the stack limit based on the new stackPointerAtVMEntry.

        * runtime/ErrorHandlingScope.cpp:
        (JSC::ErrorHandlingScope::ErrorHandlingScope):
        (JSC::ErrorHandlingScope::~ErrorHandlingScope):
        - Previously, we initialized stackPointerAtVMEntry in VMEntryScope. This
          means that the stackPointerAtVMEntry may not be initialized when we
          instantiate the ErrorHandlingScope. And so, we needed to initialize the
          stackPointerAtVMEntry in the ErrorHandlingScope constructor if it's not
          already initialized.

          Now that we initialize the stackPointerAtVMEntry when we lock the VM JSLock,
          we are guaranteed that it will be initialized by the time we instantiate
          the ErrorHandlingScope. Hence, we can change the ErrorHandlingScope code
          to just assert that the stackPointerAtVMEntry is initialized instead.

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        - We no longer need to save the reservedZoneSize. Remove the related code.

        * runtime/JSLock.cpp:
        (JSC::JSLock::lock):
        - When we grab the JSLock mutex for the first time, there is no reason why
          the stackPointerAtVMEntry should be initialized. By definition, grabbing
          the lock for the first time equates to entering the VM for the first time.
          Hence, we can just assert that stackPointerAtVMEntry is uninitialized,
          and initialize it unconditionally.

          The only exception to this is if we're locking to regrab the JSLock in
          grabAllLocks(), but grabAllLocks() will take care of restoring the
          stackPointerAtVMEntry in that case after lock() returns. stackPointerAtVMEntry
          should still be 0 when we've just locked the JSLock. So, the above assertion
          always holds true.

          Note: VM::setStackPointerAtVMEntry() will take care of calling
          VM::updateStackLimit() based on the new stackPointerAtVMEntry.

        - There is no need to save the reservedZoneSize. The reservedZoneSize is
          set to Options::reservedZoneSize() when the VM is initialized. Thereafter,
          the ErrorHandlingScope will change it to Options::errorModeReservedZoneSize()
          when we're handling an error, and it will restore it afterwards. There is
          no other reason we should be changing the reservedZoneSize. Hence, we can
          remove the unnecessary code to save it here.

        (JSC::JSLock::unlock):
        - Similarly, when the lockCount reaches 0 in unlock(), it is synonymous with
          exiting the VM. Hence, we should just clear the stackPointerAtVMEntry and
          update the stackLimit. Exiting the VM should have no effect on the VM
          reservedZoneSize. Hence, we can remove the unnecessary code to "restore" it.

        (JSC::JSLock::dropAllLocks):
        - When dropping locks, we do not need to save the reservedZoneSize because
          the reservedZoneSize should remain the same regardless of which thread
          we are executing JS on. Hence, we can remove the unnecessary code to save
          the reservedZoneSize here.

        (JSC::JSLock::grabAllLocks):
        - When re-grabbing locks, restoring the stackPointerAtVMEntry via
          VM::setStackPointerAtVMEntry() will take care of updating the stack limit.
          As explained above, there's no need to save the reservedZoneSize. Hence,
          there's no need to "restore" it here.

        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::setStackPointerAtVMEntry):
        - Sets the stackPointerAtVMEntry and delegates to updateStackLimit() to update
          the stack limit based on the new stackPointerAtVMEntry.
        (JSC::VM::updateStackLimit):
        * runtime/VM.h:
        (JSC::VM::stackPointerAtVMEntry):
        - Renamed stackPointerAtVMEntry to m_stackPointerAtVMEntry and made it private.
          Added a stackPointerAtVMEntry() function to read the value.

2014-02-12  Mark Hahnenberg  <mhahnenberg@apple.com>

        DelayedReleaseScope in MarkedAllocator::tryAllocateHelper is wrong
        https://bugs.webkit.org/show_bug.cgi?id=128641

        Reviewed by Michael Saboff.

        We were improperly handling the case where the DelayedReleaseScope
        in tryAllocateHelper would cause us to drop the API lock, allowing
        another thread to sneak in and allocate a new block after we had already
        concluded that there were no more blocks to allocate out of.

        The fix is to call tryAllocateHelper in a loop until we know for sure
        that this did not happen.

        There was also a race condition with the DelayedReleaseScope in addBlock.
        We would add the block to the MarkedBlock's list, sweep it, and then return,
        causing us to drop the API lock momentarily. Another thread could then
        grab the lock, and allocate out of the new block to the point where the
        free list was empty. Then we would return to the original thread, who thinks
        it's impossible to not allocate successfully at this point.
        Instead we should just let tryAllocate do all the hard work with correctly
        sweeping and getting a valid result.

        There was another race condition in didFinishIterating. We would call resumeAllocating,
        which would create a DelayedReleaseScope. The DelayedReleaseScope would then release
        API lock before we set m_isIterating back to false, which would potentially confuse
        other threads.

        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::tryAllocateHelper):
        (JSC::MarkedAllocator::tryPopFreeList):
        (JSC::MarkedAllocator::tryAllocate):
        (JSC::MarkedAllocator::addBlock):
        * heap/MarkedAllocator.h:

2014-02-12  Brian Burg  <bburg@apple.com>

        Web Replay: capture and replay nondeterminism of Date.now() and Math.random()
        https://bugs.webkit.org/show_bug.cgi?id=128633

        Reviewed by Filip Pizlo.

        Upstream the only two sources of script-visible nondeterminism in JavaScriptCore.

        The random seed for WeakRandom is memoized when the owning JSGlobalObject is
        constructed. It is deterministically initialized during replay before any
        scripts execute with the global object.

        The implementations of `Date.now()` and `new Date()` eventually obtain the
        current time from jsCurrentTime(). When capturing, we save return values of
        jsCurrentTime() into the recording. When replaying, we use memoized values from
        the recording instead of obtaining values from the platform-specific currentTime()
        implementation. No other code calls jsCurrentTime().

        * DerivedSources.make: Add rules to make JSReplayInputs.h from JSInputs.json.
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * replay/JSInputs.json: Added. Includes specifications for replay inputs
        "GetCurrentTime" and "SetRandomSeed". Tests will be added for both input
        cases once sufficient replay machinery has been added.

        * replay/NondeterministicInput.h: NondeterministicInput should not have
        been marked 'final'.

        * runtime/DateConstructor.cpp:
        (JSC::deterministicCurrentTime): Added. Load or store the current time depending
        on what kind of InputCursor is attached to the JSGlobalObject.

        (JSC::constructDate): Use deterministicCurrentTime().
        (JSC::dateNow): Use deterministicCurrentTime().
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::setInputCursor): When setting a non-empty input cursor,
        immediately store or load the "SetRandomSeed" input and initialize WeakRandom's
        random seed with it. The input cursor (and thus random seed) must be set before
        any scripts are evaluated with this JSGlobalObject.

        * runtime/WeakRandom.h:
        (JSC::WeakRandom::WeakRandom): Add JSGlobalObject as a friend class.
        (JSC::WeakRandom::initializeSeed): Extract the seed initialization into a
        separate method so it can be called outside of the JSGlobalObject constructor.

2014-02-12  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Cleanup JavaScriptCore/inspector
        https://bugs.webkit.org/show_bug.cgi?id=128662

        Reviewed by Timothy Hatcher.

        Now that the code has settled, do a cleanup pass.

        * inspector/ContentSearchUtilities.cpp:
        * inspector/InspectorValues.cpp:
        (Inspector::InspectorValue::asObject):
        (Inspector::InspectorValue::asArray):
        (Inspector::InspectorValue::parseJSON):
        (Inspector::InspectorObjectBase::getObject):
        (Inspector::InspectorObjectBase::getArray):
        (Inspector::InspectorObjectBase::get):
        * inspector/ScriptCallStackFactory.cpp:
        * inspector/ScriptDebugServer.cpp:
        * inspector/agents/JSGlobalObjectConsoleAgent.h:

2014-02-12  Ryosuke Niwa  <rniwa@webkit.org>

        Windows build fix attempt after r163960.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-02-12  Michael Saboff  <msaboff@apple.com>

        Adjust VM::stackLimit based on the size of the largest FTL stack produced
        https://bugs.webkit.org/show_bug.cgi?id=128562

        Reviewed by Mark Lam.

        Added VM::m_largestFTLStackSize to track the largest stack size of an FTL compiled
        function. Added VM::m_ftlStackLimit for FTL functions stack limit.  Renamed
        VM::updateStackLimitWithReservedZoneSize to VM::updateReservedZoneSize.  Renamed
        VM::setStackLimit to VM::updateStackLimit and changed it to do the updating of the
        stack limits, including taking into account m_largestFTLStackSize.

        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * runtime/ErrorHandlingScope.cpp:
        (JSC::ErrorHandlingScope::ErrorHandlingScope):
        (JSC::ErrorHandlingScope::~ErrorHandlingScope):
        * runtime/JSLock.cpp:
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::grabAllLocks):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::updateReservedZoneSize):
        (JSC::VM::updateStackLimit):
        (JSC::VM::updateFTLLargestStackSize):
        * runtime/VM.h:

2014-02-11  Oliver Hunt  <oliver@apple.com>

        Make it possible to implement JS builtins in JS
        https://bugs.webkit.org/show_bug.cgi?id=127887

        Reviewed by Michael Saboff.

        This patch makes it possible to write builtin functions in JS.
        The bindings, generators, and definitions are all created automatically
        based on js files in the builtins/ directory.  This patch includes one
        such case: Array.prototype.js with an implementation of every().

        There's a lot of refactoring to make it possible for CommonIdentifiers
        to include the output of the generated files (DerivedSources/JSCBuiltins.{h,cpp})
        without breaking the offset extractor. The result of this refactoring
        is that CommonIdentifiers, and a few other miscellaneous headers now
        need to be included directly as they were formerly captured through other
        paths.

        In addition this adds a flag to the Lookup table's hashentry to indicate
        that a static function is actually backed by JS. There is then a lot of
        logic to thread the special nature of the function to where it matters.
        This allows toString(), .caller, etc to mimic the behaviour of a host
        function.

        Notes on writing builtins:
         - Each function is compiled independently of the others, and those
           implementations cannot currently capture all global properties (as
           that could be potentially unsafe). If a function does capture a
           global we will deliberately crash.
         - For those "global" properties that we do want access to, we use
           the @ prefix, e.g. Object(this) becomes @Object(this). The @ identifiers
           are private names, and behave just like regular properties, only
           without the risk of adulteration. Again, in the @Object case, we
           explicitly duplicate the ObjectConstructor reference on the GlobalObject
           so that we have guaranteed access to the original version of the
           constructor.
         - call, apply, eval, and Function are all rejected identifiers, again
           to prevent anything from accidentally using an adulterated object.
           Instead @call and @apply are available, and happily they completely
           drop the neq_ptr instruction as they're defined as always being the
           original call/apply functions.

        These restrictions are just intended to make it harder to accidentally
        make changes that are incorrect (for instance calling whatever has been
        assigned to global.Object, instead of the original constructor function).
        However, making a mistake like this should result in a purely semantic
        error as fundamentally these functions are treated as though they were
        regular JS code in the host global, and have no more privileges than
        any other JS.

        The initial proof of concept is Array.prototype.every, this shows a 65%
        performance improvement, and that improvement is significantly hurt by
        our poor optimisation of op_in.

        As this is such a limited function, we have not yet exported all symbols
        that we could possibly need, but as we implement more, the likelihood
        of encountering missing features will reduce.

        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
        (JSC::JSCallbackObject<Parent>::put):
        (JSC::JSCallbackObject<Parent>::deleteProperty):
        (JSC::JSCallbackObject<Parent>::getStaticValue):
        (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
        (JSC::JSCallbackObject<Parent>::callbackGetter):
        * CMakeLists.txt:
        * DerivedSources.make:
        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
        * JavaScriptCore.vcxproj/copy-files.cmd:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/Array.prototype.js:
        (every):
        * builtins/BuiltinExecutables.cpp: Added.
        (JSC::BuiltinExecutables::BuiltinExecutables):
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * builtins/BuiltinExecutables.h:
        (JSC::BuiltinExecutables::create):
        * builtins/BuiltinNames.h: Added.
        (JSC::BuiltinNames::BuiltinNames):
        (JSC::BuiltinNames::getPrivateName):
        (JSC::BuiltinNames::getPublicName):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::codeBlockFor):
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::ExecutableInfo::ExecutableInfo):
        (JSC::UnlinkedFunctionExecutable::create):
        (JSC::UnlinkedFunctionExecutable::toStrictness):
        (JSC::UnlinkedFunctionExecutable::isBuiltinFunction):
        (JSC::UnlinkedCodeBlock::isBuiltinFunction):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::isBuiltinFunction):
        (JSC::BytecodeGenerator::makeFunction):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        * create_hash_table:
        * generate-js-builtins: Added.
        (getCopyright):
        (getFunctions):
        (generateCode):
        (mangleName):
        (FunctionExecutable):
        (Identifier):
        (JSGlobalObject):
        (SourceCode):
        (UnlinkedFunctionExecutable):
        (VM):
        * interpreter/CachedCall.h:
        (JSC::CachedCall::CachedCall):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::makeFunctionCallNode):
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::Lexer):
        (JSC::isSafeBuiltinIdentifier):
        (JSC::Lexer<LChar>::parseIdentifier):
        (JSC::Lexer<UChar>::parseIdentifier):
        (JSC::Lexer<T>::lex):
        * parser/Lexer.h:
        (JSC::isSafeIdentifier):
        (JSC::Lexer<T>::lexExpectIdentifier):
        * parser/Nodes.cpp:
        (JSC::ProgramNode::setClosedVariables):
        * parser/Nodes.h:
        (JSC::ScopeNode::capturedVariables):
        (JSC::ScopeNode::setClosedVariables):
        (JSC::ProgramNode::closedVariables):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::didFinishParsing):
728         (JSC::Parser<LexerType>::printUnexpectedTokenText):
729         * parser/Parser.h:
730         (JSC::Scope::getUsedVariables):
731         (JSC::Parser::closedVariables):
732         (JSC::parse):
733         * parser/ParserModes.h:
734         * parser/ParserTokens.h:
735         * runtime/ArrayPrototype.cpp:
736         * runtime/CodeCache.cpp:
737         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
738         * runtime/CommonIdentifiers.cpp:
739         (JSC::CommonIdentifiers::CommonIdentifiers):
740         (JSC::CommonIdentifiers::~CommonIdentifiers):
741         (JSC::CommonIdentifiers::getPrivateName):
742         (JSC::CommonIdentifiers::getPublicName):
743         * runtime/CommonIdentifiers.h:
744         (JSC::CommonIdentifiers::builtinNames):
745         * runtime/ExceptionHelpers.cpp:
746         (JSC::createUndefinedVariableError):
747         * runtime/Executable.h:
748         (JSC::EvalExecutable::executableInfo):
749         (JSC::ProgramExecutable::executableInfo):
750         (JSC::FunctionExecutable::isBuiltinFunction):
751         * runtime/FunctionPrototype.cpp:
752         (JSC::functionProtoFuncToString):
753         * runtime/JSActivation.cpp:
754         (JSC::JSActivation::symbolTableGet):
755         (JSC::JSActivation::symbolTablePut):
756         (JSC::JSActivation::symbolTablePutWithAttributes):
757         * runtime/JSFunction.cpp:
758         (JSC::JSFunction::createBuiltinFunction):
759         (JSC::JSFunction::calculatedDisplayName):
760         (JSC::JSFunction::sourceCode):
761         (JSC::JSFunction::isHostOrBuiltinFunction):
762         (JSC::JSFunction::isBuiltinFunction):
763         (JSC::JSFunction::callerGetter):
764         (JSC::JSFunction::getOwnPropertySlot):
765         (JSC::JSFunction::getOwnNonIndexPropertyNames):
766         (JSC::JSFunction::put):
767         (JSC::JSFunction::defineOwnProperty):
768         * runtime/JSFunction.h:
769         * runtime/JSFunctionInlines.h:
770         (JSC::JSFunction::nativeFunction):
771         (JSC::JSFunction::nativeConstructor):
772         (JSC::isHostFunction):
773         * runtime/JSGlobalObject.cpp:
774         (JSC::JSGlobalObject::reset):
775         (JSC::JSGlobalObject::visitChildren):
776         * runtime/JSGlobalObject.h:
777         (JSC::JSGlobalObject::objectConstructor):
778         (JSC::JSGlobalObject::symbolTableHasProperty):
779         * runtime/JSObject.cpp:
780         (JSC::getClassPropertyNames):
781         (JSC::JSObject::reifyStaticFunctionsForDelete):
782         (JSC::JSObject::putDirectBuiltinFunction):
783         * runtime/JSObject.h:
784         * runtime/JSSymbolTableObject.cpp:
785         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
786         * runtime/JSSymbolTableObject.h:
787         (JSC::symbolTableGet):
788         (JSC::symbolTablePut):
789         (JSC::symbolTablePutWithAttributes):
790         * runtime/Lookup.cpp:
791         (JSC::setUpStaticFunctionSlot):
792         * runtime/Lookup.h:
793         (JSC::HashEntry::builtinGenerator):
794         (JSC::HashEntry::propertyGetter):
795         (JSC::HashEntry::propertyPutter):
796         (JSC::HashTable::entry):
797         (JSC::getStaticPropertySlot):
798         (JSC::getStaticValueSlot):
799         (JSC::putEntry):
800         * runtime/NativeErrorConstructor.cpp:
801         (JSC::NativeErrorConstructor::finishCreation):
802         * runtime/NativeErrorConstructor.h:
803         * runtime/PropertySlot.h:
804         * runtime/VM.cpp:
805         (JSC::VM::VM):
806         * runtime/VM.h:
807         (JSC::VM::builtinExecutables):
808
809 2014-02-11  Brent Fulgham  <bfulgham@apple.com>
810
811         Remove some unintended copies in ranged for loops
812         https://bugs.webkit.org/show_bug.cgi?id=128644
813
814         Reviewed by Anders Carlsson.
815
816         * inspector/InjectedScriptHost.cpp:
817         (Inspector::InjectedScriptHost::clearAllWrappers): Avoid creating/destroying
818         a std::pair<> and pointer each loop iteration.
819         * parser/Parser.cpp:
820         (JSC::Parser<LexerType>::Parser): Avoid copying object containing a string
821         each loop iteration.
822
823 2014-02-11  Ryosuke Niwa  <rniwa@webkit.org>
824
825         Debug build fix after r163946.
826
827         * dfg/DFGByteCodeParser.cpp:
828         (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
829
830 2014-02-11  Filip Pizlo  <fpizlo@apple.com>
831
832         Inserting a node with a codeOrigin "like" another node should copy both the codeOrigin and codeOriginForExitTarget
833         https://bugs.webkit.org/show_bug.cgi?id=128635
834
835         Reviewed by Michael Saboff.
836         
837         Originally nodes just had a codeOrigin. But then we started doing code motion, and we
838         needed to separate the codeOrigin that designated where to exit from the codeOrigin
839         that designated everything else. The "everything else" is actually pretty important:
840         it includes profiling, exception handling, and the actual semantics of the node. For
841         example some nodes use the origin's global object in some way.
842         
843         This all sort of worked except for one quirk: the facilities for creating nodes all
844         assumed that there really was only one origin. LICM would work around this by setting
845         the codeOriginForExitTarget manually. But, that means that:
846         
847         - If we did hoist a node twice, then the second time around, we would forget the node's
848           original exit target.
849         
850         - If we did an insertNode() to insert a node before a hoisted node, the inserted node
851           would have the wrong exit target.
852         
853         Most of the time, if we copy the code origin, we actually want to copy both origins.
854         So, this patch introduces the notion of a NodeOrigin which has two CodeOrigins: a
855         forExit code origin that says where to exit, and a semantic code origin for everything
856         else.
857         
858         This also (annoyingly?) means that we are always more explicit about which code origin
859         we refer to. That means that a lot of "node->codeOrigin" expressions had to change to
860         "node->origin.semantic". This was partly a ploy on my part to ensure that this
861         refactoring was complete: to get the code to compile I really had to audit all uses of
862         CodeOrigin. If, in the future, we find that "node->origin.semantic" is too cumbersome
863         then we can reintroduce the Node::codeOrigin field. For now I kinda like it though.
864
865         * GNUmakefile.list.am:
866         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
867         * JavaScriptCore.xcodeproj/project.pbxproj:
868         * dfg/DFGAbstractInterpreterInlines.h:
869         (JSC::DFG::AbstractInterpreter<AbstractStateType>::booleanResult):
870         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
871         * dfg/DFGArgumentsSimplificationPhase.cpp:
872         (JSC::DFG::ArgumentsSimplificationPhase::run):
873         (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
874         (JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
875         (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
876         * dfg/DFGArrayMode.cpp:
877         (JSC::DFG::ArrayMode::originalArrayStructure):
878         (JSC::DFG::ArrayMode::alreadyChecked):
879         * dfg/DFGByteCodeParser.cpp:
880         (JSC::DFG::ByteCodeParser::addToGraph):
881         * dfg/DFGCFGSimplificationPhase.cpp:
882         (JSC::DFG::CFGSimplificationPhase::run):
883         (JSC::DFG::CFGSimplificationPhase::convertToJump):
884         (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
885         (JSC::DFG::CFGSimplificationPhase::jettisonBlock):
886         (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
887         * dfg/DFGCPSRethreadingPhase.cpp:
888         (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
889         (JSC::DFG::CPSRethreadingPhase::addPhi):
890         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
891         (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
892         (JSC::DFG::CPSRethreadingPhase::propagatePhis):
893         * dfg/DFGCSEPhase.cpp:
894         (JSC::DFG::CSEPhase::setLocalStoreElimination):
895         * dfg/DFGClobberize.h:
896         (JSC::DFG::clobberize):
897         * dfg/DFGCommonData.cpp:
898         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
899         * dfg/DFGConstantFoldingPhase.cpp:
900         (JSC::DFG::ConstantFoldingPhase::foldConstants):
901         (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
902         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
903         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
904         * dfg/DFGDCEPhase.cpp:
905         (JSC::DFG::DCEPhase::fixupBlock):
906         * dfg/DFGDisassembler.cpp:
907         (JSC::DFG::Disassembler::createDumpList):
908         * dfg/DFGFixupPhase.cpp:
909         (JSC::DFG::FixupPhase::fixupNode):
910         (JSC::DFG::FixupPhase::createToString):
911         (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
912         (JSC::DFG::FixupPhase::convertStringAddUse):
913         (JSC::DFG::FixupPhase::fixupToPrimitive):
914         (JSC::DFG::FixupPhase::fixupToString):
915         (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
916         (JSC::DFG::FixupPhase::checkArray):
917         (JSC::DFG::FixupPhase::blessArrayOperation):
918         (JSC::DFG::FixupPhase::fixEdge):
919         (JSC::DFG::FixupPhase::insertStoreBarrier):
920         (JSC::DFG::FixupPhase::fixIntEdge):
921         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
922         (JSC::DFG::FixupPhase::truncateConstantToInt32):
923         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
924         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
925         (JSC::DFG::FixupPhase::convertToGetArrayLength):
926         (JSC::DFG::FixupPhase::prependGetArrayLength):
927         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
928         (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
929         * dfg/DFGGraph.cpp:
930         (JSC::DFG::Graph::dumpCodeOrigin):
931         (JSC::DFG::Graph::amountOfNodeWhiteSpace):
932         (JSC::DFG::Graph::dump):
933         (JSC::DFG::Graph::dumpBlockHeader):
934         * dfg/DFGGraph.h:
935         (JSC::DFG::Graph::hasExitSite):
936         (JSC::DFG::Graph::valueProfileFor):
937         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
938         * dfg/DFGInvalidationPointInjectionPhase.cpp:
939         (JSC::DFG::InvalidationPointInjectionPhase::handle):
940         (JSC::DFG::InvalidationPointInjectionPhase::insertInvalidationCheck):
941         * dfg/DFGLICMPhase.cpp:
942         (JSC::DFG::LICMPhase::attemptHoist):
943         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
944         (JSC::DFG::createPreHeader):
945         * dfg/DFGNode.h:
946         (JSC::DFG::Node::Node):
947         (JSC::DFG::Node::isStronglyProvedConstantIn):
948         * dfg/DFGNodeOrigin.h: Added.
949         (JSC::DFG::NodeOrigin::NodeOrigin):
950         (JSC::DFG::NodeOrigin::isSet):
951         * dfg/DFGOSREntrypointCreationPhase.cpp:
952         (JSC::DFG::OSREntrypointCreationPhase::run):
953         * dfg/DFGResurrectionForValidationPhase.cpp:
954         (JSC::DFG::ResurrectionForValidationPhase::run):
955         * dfg/DFGSSAConversionPhase.cpp:
956         (JSC::DFG::SSAConversionPhase::run):
957         * dfg/DFGSSALoweringPhase.cpp:
958         (JSC::DFG::SSALoweringPhase::handleNode):
959         (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
960         * dfg/DFGSpeculativeJIT.cpp:
961         (JSC::DFG::SpeculativeJIT::compileIn):
962         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
963         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
964         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
965         * dfg/DFGSpeculativeJIT.h:
966         (JSC::DFG::SpeculativeJIT::masqueradesAsUndefinedWatchpointIsStillValid):
967         (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck):
968         (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
969         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
970         (JSC::DFG::SpeculativeJIT::appendCall):
971         (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
972         * dfg/DFGSpeculativeJIT32_64.cpp:
973         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
974         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
975         (JSC::DFG::SpeculativeJIT::emitCall):
976         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
977         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
978         (JSC::DFG::SpeculativeJIT::compile):
979         * dfg/DFGSpeculativeJIT64.cpp:
980         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
981         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
982         (JSC::DFG::SpeculativeJIT::emitCall):
983         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
984         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
985         (JSC::DFG::SpeculativeJIT::compile):
986         * dfg/DFGStrengthReductionPhase.cpp:
987         (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild):
988         (JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray):
989         * dfg/DFGTierUpCheckInjectionPhase.cpp:
990         (JSC::DFG::TierUpCheckInjectionPhase::run):
991         * dfg/DFGTypeCheckHoistingPhase.cpp:
992         (JSC::DFG::TypeCheckHoistingPhase::run):
993         * dfg/DFGValidate.cpp:
994         (JSC::DFG::Validate::validateSSA):
995         * dfg/DFGWatchpointCollectionPhase.cpp:
996         (JSC::DFG::WatchpointCollectionPhase::handle):
997         (JSC::DFG::WatchpointCollectionPhase::handleEdge):
998         (JSC::DFG::WatchpointCollectionPhase::handleMasqueradesAsUndefined):
999         (JSC::DFG::WatchpointCollectionPhase::globalObject):
1000         * ftl/FTLJSCall.cpp:
1001         (JSC::FTL::JSCall::link):
1002         * ftl/FTLLink.cpp:
1003         (JSC::FTL::link):
1004         * ftl/FTLLowerDFGToLLVM.cpp:
1005         (JSC::FTL::LowerDFGToLLVM::compileNode):
1006         (JSC::FTL::LowerDFGToLLVM::compileToThis):
1007         (JSC::FTL::LowerDFGToLLVM::compilePutById):
1008         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
1009         (JSC::FTL::LowerDFGToLLVM::compileNewArray):
1010         (JSC::FTL::LowerDFGToLLVM::compileNewArrayBuffer):
1011         (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
1012         (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
1013         (JSC::FTL::LowerDFGToLLVM::compileGetMyScope):
1014         (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated):
1015         (JSC::FTL::LowerDFGToLLVM::getById):
1016         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
1017         (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructure):
1018         (JSC::FTL::LowerDFGToLLVM::masqueradesAsUndefinedWatchpointIsStillValid):
1019         (JSC::FTL::LowerDFGToLLVM::callPreflight):
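        The second bullet of the entry above (an insertNode() before a hoisted node picks up the wrong exit target) as an added, stand-alone C++ model; this is not WebKit's code, and CodeOrigin, NodeOrigin, Node and the helper names are hypothetical stand-ins for the DFG classes, with bytecode indices as constructed sample values.

```cpp
// Added example (not WebKit's code): a stripped-down model of the bug
// described in the entry above. CodeOrigin, NodeOrigin and Node are
// hypothetical stand-ins for the real DFG classes; bytecode indices are
// constructed sample values.
#include <string>

// A code origin is reduced to a bytecode index; the real one also carries
// the inline call frame.
struct CodeOrigin {
    int bytecodeIndex;
    bool isSet() const { return bytecodeIndex >= 0; }
};

// The fix: one object that carries both origins a node needs.
struct NodeOrigin {
    CodeOrigin semantic; // profiling, exceptions, global object, semantics
    CodeOrigin forExit;  // where an OSR exit from this node lands
    bool isSet() const { return semantic.isSet() && forExit.isSet(); }
};

struct Node {
    std::string op;
    NodeOrigin origin;
};

// Pre-fix creation: callers pass a single CodeOrigin, and the exit target
// silently defaults to that same origin.
Node makeNodeSingleOrigin(const std::string& op, CodeOrigin codeOrigin) {
    return Node{op, NodeOrigin{codeOrigin, codeOrigin}};
}

// LICM moves a node into the loop pre-header and, pre-fix, patches the
// exit target by hand so that an exit lands at the pre-header.
Node hoistToPreHeader(Node node, CodeOrigin preHeaderExit) {
    node.origin.forExit = preHeaderExit;
    return node;
}

// Pre-fix insertNode(): "like" another node meant copying its codeOrigin
// only, so the new node's exit target is re-derived from the semantic
// origin, i.e. the place the hoisted node came from, not where it now is.
Node insertBeforeLikeOld(const std::string& op, const Node& like) {
    return makeNodeSingleOrigin(op, like.origin.semantic);
}

// Post-fix insertNode(): the whole NodeOrigin is copied, so the inserted
// node exits wherever the hoisted node exits.
Node insertBeforeLikeNew(const std::string& op, const Node& like) {
    return Node{op, like.origin};
}

// Scenario from the entry: a node at bytecode 7 inside a loop is hoisted
// to the pre-header (exit target at bytecode 3), then a check is inserted
// before it, either the pre-fix way or the NodeOrigin way.
Node insertedCheck(bool useNodeOrigin) {
    const CodeOrigin insideLoop{7}; // constructed sample value
    const CodeOrigin preHeader{3};  // constructed sample value
    Node hoisted = hoistToPreHeader(makeNodeSingleOrigin("GetByVal", insideLoop), preHeader);
    return useNodeOrigin ? insertBeforeLikeNew("CheckStructure", hoisted)
                         : insertBeforeLikeOld("CheckStructure", hoisted);
}

// Pre-fix this returns 7 (an exit would land back inside the loop even
// though the node now sits in the pre-header); post-fix it returns 3.
int exitTargetOfInsertedNode(bool useNodeOrigin) {
    return insertedCheck(useNodeOrigin).origin.forExit.bytecodeIndex;
}

// The semantic origin is 7 either way: the inserted node still belongs to
// bytecode 7 for profiling and exception purposes.
int semanticOriginOfInsertedNode(bool useNodeOrigin) {
    return insertedCheck(useNodeOrigin).origin.semantic.bytecodeIndex;
}

int main() {
    return exitTargetOfInsertedNode(true) == 3 ? 0 : 1;
}
```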
1020
1021 2014-02-11  Filip Pizlo  <fpizlo@apple.com>
1022
1023         Fix assertions and incorrect codegen for CompareEq(ObjectOrOther:, Object:)
1024         https://bugs.webkit.org/show_bug.cgi?id=128648
1025
1026         Reviewed by Mark Lam.
1027         
1028         I did CompareEq(Object:, ObjectOrOther:) correctly but the flipped version wrong.
1029         That's what I get for running tests in release mode. It's hard to write a test for
1030         the incorrect codegen; that's kind of why the assertions are there.
1031
1032         * ftl/FTLLowerDFGToLLVM.cpp:
1033         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
1034
1035 2014-02-11  Filip Pizlo  <fpizlo@apple.com>
1036
1037         Unreviewed, trivial change to silence FTL assertions
1038
1039         Normally, lowJSValue() should only be used for UntypedUse. Here we are using it
1040         on ObjectOrOtherUse because we execute the speculation ourselves. The way you're
1041         supposed to do this is by passing ManualOperandSpeculation to tell lowJSValue() not
1042         to assert.
1043
1044         * ftl/FTLLowerDFGToLLVM.cpp:
1045         (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
1046
1047 2014-02-11  Filip Pizlo  <fpizlo@apple.com>
1048
1049         Use LLVM's dead store elimination
1050         https://bugs.webkit.org/show_bug.cgi?id=128638
1051
1052         Reviewed by Mark Hahnenberg.
1053         
1054         DFG's store elimination was being run too soon for comfort on the FTL path. It's
1055         really only sound when run after all other optimizations. Remove it from the FTL
1056         path.
1057         
1058         Enable LLVM store elimination. It's both easier to reason about and more
1059         comprehensive.
1060
1061         * dfg/DFGPlan.cpp:
1062         (JSC::DFG::Plan::compileInThreadImpl):
1063         * ftl/FTLCompile.cpp:
1064         (JSC::FTL::compile):
1065
1066 2014-02-11  Brian Burg  <bburg@apple.com>
1067
1068         Web Replay: upstream replay input code generator and EncodedValue class
1069         https://bugs.webkit.org/show_bug.cgi?id=128215
1070
1071         Reviewed by Joseph Pecoraro.
1072
1073         Add the replay inputs code generator. Most features of the input generator are
1074         exercised by included generator regression tests, which produce useful but
1075         non-compilable test replay inputs.
1076
1077         Add EncodedValue, the main replay input serialization class that encodes and
1078         decodes inputs and their data between C++ types and the JSON-based replay recording
1079         format. EncodedValue uses EncodingTraits specializations for type-specific encoding.
1080         Relative to other WebKit marshalling mechanisms, EncodedValue is key/value based.
1081         EncodedValue uses InspectorValue subclasses as its backing data structure.
1082
1083         Add some missing numerical conversions to InspectorValue.
1084
1085         * JavaScriptCore.xcodeproj/project.pbxproj:
1086         * inspector/InspectorValues.cpp:
1087         (Inspector::InspectorValue::asNumber):
1088         (Inspector::InspectorBasicValue::asNumber):
1089         * inspector/InspectorValues.h:
1090         * replay/EncodedValue.cpp: Added.
1091         (JSC::EncodedValue::asObject):
1092         (JSC::EncodedValue::asArray):
1093         (JSC::ScalarEncodingTraits<bool>::encodeValue):
1094         (JSC::ScalarEncodingTraits<double>::encodeValue):
1095         (JSC::ScalarEncodingTraits<float>::encodeValue):
1096         (JSC::ScalarEncodingTraits<int32_t>::encodeValue):
1097         (JSC::ScalarEncodingTraits<int64_t>::encodeValue):
1098         (JSC::ScalarEncodingTraits<uint32_t>::encodeValue):
1099         (JSC::ScalarEncodingTraits<uint64_t>::encodeValue):
1100         (JSC::long>::encodeValue):
1101         (JSC::EncodedValue::convertTo<bool>):
1102         (JSC::EncodedValue::convertTo<double>):
1103         (JSC::EncodedValue::convertTo<float>):
1104         (JSC::EncodedValue::convertTo<int32_t>):
1105         (JSC::EncodedValue::convertTo<int64_t>):
1106         (JSC::EncodedValue::convertTo<uint32_t>):
1107         (JSC::EncodedValue::convertTo<uint64_t>):
1108         (JSC::long>):
1109         (JSC::EncodedValue::convertTo<String>):
1110         (JSC::EncodedValue::put<EncodedValue>):
1111         (JSC::EncodedValue::append<EncodedValue>):
1112         (JSC::EncodedValue::get<EncodedValue>):
1113         * replay/EncodedValue.h: Added.
1114         (JSC::EncodedValue::EncodedValue):
1115         (JSC::EncodedValue::createObject):
1116         (JSC::EncodedValue::createArray):
1117         (JSC::EncodedValue::createString):
1118         (JSC::EncodedValue::~EncodedValue):
1119         (JSC::ScalarEncodingTraits::decodeValue):
1120         (JSC::EncodingTraits<String>::encodeValue):
1121         (JSC::EncodedValue::put):
1122         (JSC::EncodedValue::append):
1123         (JSC::EncodedValue::get):
1124         * replay/scripts/CodeGeneratorReplayInputs.py: Added.
1125         (ParseException):
1126         (TypecheckException):
1127         (Framework):
1128         (Framework.__init__):
1129         (Framework.setting):
1130         (Framework.fromString):
1131         (Frameworks):
1132         (InputQueue):
1133         (InputQueue.__init__):
1134         (InputQueue.setting):
1135         (InputQueue.fromString):
1136         (InputQueues):
1137         (Input):
1138         (Input.__init__):
1139         (Input.setting):
1140         (InputMember):
1141         (InputMember.__init__):
1142         (InputMember.has_flag):
1143         (TypeMode):
1144         (TypeMode.__init__):
1145         (TypeMode.fromString):
1146         (TypeModes):
1147         (Type):
1148         (Type.__init__):
1149         (Type.__eq__):
1150         (Type.__hash__):
1151         (Type.has_flag):
1152         (Type.is_struct):
1153         (Type.is_enum):
1154         (Type.is_enum_class):
1155         (Type.declaration_kind):
1156         (Type.qualified_prefix):
1157         (Type.qualified_prefix.is):
1158         (Type.type_name):
1159         (Type.storage_type):
1160         (Type.borrow_type):
1161         (Type.argument_type):
1162         (check_properties):
1163         (VectorType):
1164         (VectorType.__init__):
1165         (VectorType.has_flag):
1166         (VectorType.is_struct):
1167         (VectorType.is_enum):
1168         (VectorType.is_enum_class):
1169         (VectorType.qualified_prefix):
1170         (VectorType.type_name):
1171         (VectorType.argument_type):
1172         (InputsModel):
1173         (InputsModel.__init__):
1174         (InputsModel.enum_types):
1175         (InputsModel.get_type_for_member):
1176         (InputsModel.parse_toplevel):
1177         (InputsModel.parse_type_with_framework_name):
1178         (InputsModel.parse_input):
1179         (InputsModel.typecheck):
1180         (InputsModel.typecheck_type):
1181         (InputsModel.typecheck_input):
1182         (InputsModel.typecheck_input_member):
1183         (IncrementalFileWriter):
1184         (IncrementalFileWriter.__init__):
1185         (IncrementalFileWriter.write):
1186         (IncrementalFileWriter.close):
1187         (lcfirst):
1188         (wrap_with_guard):
1189         (Generator):
1190         (Generator.__init__):
1191         (Generator.setting):
1192         (Generator.output_filename):
1193         (Generator.write_output_files):
1194         (Generator.generate_header):
1195         (Generator.generate_implementation):
1196         (Generator.generate_license):
1197         (Generator.generate_includes):
1198         (Generator.generate_includes.declaration):
1199         (Generator.generate_includes.declaration.is):
1200         (Generator.generate_type_forward_declarations):
1201         (Generator.generate_type_forward_declarations.is):
1202         (Generator.generate_class_declaration):
1203         (Generator.generate_input_constructor_declaration):
1204         (Generator.generate_input_destructor_declaration):
1205         (Generator.generate_input_member_getter):
1206         (Generator.generate_input_member_declaration):
1207         (Generator.generate_input_member_tuples):
1208         (Generator.qualified_input_name):
1209         (Generator.generate_input_trait_declaration):
1210         (Generator.generate_enum_trait_declaration):
1211         (Generator.generate_for_each_macro):
1212         (Generator.generate_class_implementation):
1213         (Generator.generate_enum_trait_implementation):
1214         (Generator.generate_enum_trait_implementation.is):
1215         (Generator.generate_input_trait_implementation):
1216         (Generator.generate_input_encode_implementation):
1217         (Generator.generate_input_decode_implementation):
1218         (Generator.generate_constructor_initializer_list):
1219         (Generator.generate_constructor_formals_list):
1220         (Generator.generate_member_borrow_expression):
1221         (Generator.generate_member_move_expression):
1222         (Generator.generate_constructor_arguments_list):
1223         (generate_from_specification):
1224         * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Added.
1225         (Templates):
1226         * replay/scripts/tests/expected/JSInputs.json-TestReplayInputs.cpp: Added.
1227         * replay/scripts/tests/expected/JSInputs.json-TestReplayInputs.h: Added.
1228         * replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error: Added.
1229         * replay/scripts/tests/expected/fail-on-duplicate-input-names.json-error: Added.
1230         * replay/scripts/tests/expected/fail-on-duplicate-type-names.json-error: Added.
1231         * replay/scripts/tests/expected/fail-on-enum-type-missing-values.json-error: Added.
1232         * replay/scripts/tests/expected/fail-on-missing-input-member-name.json-error: Added.
1233         * replay/scripts/tests/expected/fail-on-missing-input-name.json-error: Added.
1234         * replay/scripts/tests/expected/fail-on-missing-input-queue.json-error: Added.
1235         * replay/scripts/tests/expected/fail-on-missing-type-mode.json-error: Added.
1236         * replay/scripts/tests/expected/fail-on-missing-type-name.json-error: Added.
1237         * replay/scripts/tests/expected/fail-on-no-inputs.json-error: Added.
1238         * replay/scripts/tests/expected/fail-on-no-types.json-error: Added.
1239         * replay/scripts/tests/expected/fail-on-unknown-input-queue.json-error: Added.
1240         * replay/scripts/tests/expected/fail-on-unknown-member-type.json-error: Added.
1241         * replay/scripts/tests/expected/fail-on-unknown-type-mode.json-error: Added.
1242         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp: Added.
1243         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h: Added.
1244         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp: Added.
1245         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h: Added.
1246         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-error: Added.
1247         * replay/scripts/tests/expected/generate-event-loop-shape-types.json-error: Added.
1248         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp: Added.
1249         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h: Added.
1250         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp: Added.
1251         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Added.
1252         * replay/scripts/tests/expected/generate-inputs-with-flags.json-error: Added.
1253         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp: Added.
1254         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h: Added.
1255         * replay/scripts/tests/fail-on-c-style-enum-no-storage.json: Added.
1256         * replay/scripts/tests/fail-on-duplicate-input-names.json: Added.
1257         * replay/scripts/tests/fail-on-duplicate-type-names.json: Added.
1258         * replay/scripts/tests/fail-on-enum-type-missing-values.json: Added.
1259         * replay/scripts/tests/fail-on-missing-input-member-name.json: Added.
1260         * replay/scripts/tests/fail-on-missing-input-name.json: Added.
1261         * replay/scripts/tests/fail-on-missing-input-queue.json: Added.
1262         * replay/scripts/tests/fail-on-missing-type-mode.json: Added.
1263         * replay/scripts/tests/fail-on-missing-type-name.json: Added.
1264         * replay/scripts/tests/fail-on-no-inputs.json: Added.
1265         * replay/scripts/tests/fail-on-no-types.json: Added.
1266         * replay/scripts/tests/fail-on-unknown-input-queue.json: Added.
1267         * replay/scripts/tests/fail-on-unknown-member-type.json: Added.
1268         * replay/scripts/tests/fail-on-unknown-type-mode.json: Added.
1269         * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json: Added.
1270         * replay/scripts/tests/generate-enum-encoding-helpers.json: Added.
1271         * replay/scripts/tests/generate-event-loop-shape-types.json: Added.
1272         * replay/scripts/tests/generate-input-with-guard.json: Added.
1273         * replay/scripts/tests/generate-input-with-vector-members.json: Added.
1274         * replay/scripts/tests/generate-inputs-with-flags.json: Added.
1275         * replay/scripts/tests/generate-memoized-type-modes.json: Added.
1276
1277 2014-02-11  Joseph Pecoraro  <pecoraro@apple.com>
1278
1279         Add Availability Macros to new JSC APIs
1280         https://bugs.webkit.org/show_bug.cgi?id=128615
1281
1282         Reviewed by Mark Rowe.
1283
1284         * API/JSContext.h:
1285         * API/JSContextRef.h:
1286
1287 2014-02-11  Filip Pizlo  <fpizlo@apple.com>
1288
1289         FTL should support CompareEq(ObjectOrOther:, Object:)
1290         https://bugs.webkit.org/show_bug.cgi?id=127752
1291
1292         Reviewed by Oliver Hunt.
1293         
1294         Also introduce some helpers for reasoning about nullness and truthiness.
1295
1296         * ftl/FTLCapabilities.cpp:
1297         (JSC::FTL::canCompile):
1298         * ftl/FTLLowerDFGToLLVM.cpp:
1299         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
1300         (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
1301         (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
1302         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
1303         (JSC::FTL::LowerDFGToLLVM::isNotNully):
1304         (JSC::FTL::LowerDFGToLLVM::isNully):
1305         (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
1306         * tests/stress/compare-eq-object-or-other-to-object.js: Added.
1307         (foo):
1308         (test):
1309         * tests/stress/compare-eq-object-to-object-or-other.js: Added.
1310         (foo):
1311         (test):
1312
1313 2014-02-11  Mark Hahnenberg  <mhahnenberg@apple.com>
1314
1315         32-bit LLInt writeBarrierOnGlobalObject is wrong
1316         https://bugs.webkit.org/show_bug.cgi?id=128556
1317
1318         Reviewed by Geoffrey Garen.
1319
1320         * llint/LowLevelInterpreter32_64.asm:
1321         * llint/LowLevelInterpreter64.asm: Also fixed the value check on 64-bit.
1322
1323 2014-02-11  Gabor Rapcsanyi  <rgabor@webkit.org>
1324
1325         LLInt typo error after r139004.
1326         https://bugs.webkit.org/show_bug.cgi?id=128592
1327
1328         Reviewed by Michael Saboff.
1329
1330         * offlineasm/arm.rb: change immediate to register in the condition
1331
1332 2014-02-10  Filip Pizlo  <fpizlo@apple.com>
1333
1334         LICM should gracefully handle unprofiled code
1335         https://bugs.webkit.org/show_bug.cgi?id=127848
1336
1337         Reviewed by Mark Hahnenberg.
1338
1339         * dfg/DFGLICMPhase.cpp:
1340         (JSC::DFG::LICMPhase::run):
1341
1342 2014-02-11  Mark Hahnenberg  <mhahnenberg@apple.com>
1343
1344         Obj-C API: JSExport doesn't work for methods that contain protocols in their type signature
1345         https://bugs.webkit.org/show_bug.cgi?id=128540
1346
1347         Reviewed by Oliver Hunt.
1348
1349         The bug is in parseObjCType in ObjcRuntimeExtras.h. When we see an '@' in the 
1350         type signature of a method, we assume that what follows the '@' is a class name, 
1351         so we call objc_getClass, and if that returns nil then we give up on the method 
1352         and don't export it.
1353
1354         This assumption doesn't work in the case of id<Protocol> because it's the name 
1355         of the protocol that follows the '@', not the name of a class. We should have 
1356         another fallback case for protocol names.
1357
1358         There's another case that also doesn't work, and that's the case of a named class 
1359         with a specified prototype in a method signature (e.g. NSObject<MyProtocol>). 
1360         There the substring of the type signature that represents the class is "NSObject<MyProtocol>", 
1361         which will also cause objc_getClass to return nil.
1362
1363         * API/ObjcRuntimeExtras.h:
1364         (parseObjCType):
1365         * API/tests/DateTests.mm: Also fixed an issue I noticed where we don't use an autorelease pool
1366         for the DateTests.
1367         * API/tests/JSExportTests.h: Added.
1368         * API/tests/JSExportTests.mm: Added.
1369         (-[TruthTeller returnTrue]):
1370         (-[ExportMethodWithIdProtocol methodWithIdProtocol:]):
1371         (-[ExportMethodWithClassProtocol methodWithClassProtocol:]):
1372         (+[JSExportTests exportInstanceMethodWithIdProtocolTest]):
1373         (+[JSExportTests exportInstanceMethodWithClassProtocolTest]):
1374         (runJSExportTests):
1375         * API/tests/testapi.mm:
1376         * JavaScriptCore.xcodeproj/project.pbxproj:
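
The parsing problem this entry describes, as an added illustration that is not WebKit's parseObjCType(): an '@' in an Objective-C method type encoding is followed by a quoted name that may be a class name, a protocol-only qualifier (id<MyProtocol>) or a class qualified by protocols (NSObject<MyProtocol>), so treating the whole quoted string as a class name and calling objc_getClass on it fails for the last two. The registries below are constructed stand-ins for objc_getClass()/objc_getProtocol(), so the code runs without the Objective-C runtime; the `@"<A><B>"` and `@"<A,B>"` spellings are both accepted as an assumption about multi-protocol encodings.

```cpp
// Added example: splitting an '@"..."' object token of an Objective-C method
// type encoding into class name and protocol list. Not WebKit code.
#include <set>
#include <string>
#include <vector>

// What an '@' token denotes:
//   @                        plain id
//   @"NSObject"              a named class
//   @"<MyProtocol>"          id<MyProtocol>  (no class name at all)
//   @"NSObject<MyProtocol>"  a class qualified by a protocol
struct ObjectTypeSpec {
    std::string className;               // empty for id / id<Proto>
    std::vector<std::string> protocols;  // empty when unqualified
    bool wellFormed = false;
};

// Parses the '@' token starting at `pos` and advances `pos` past it.
inline ObjectTypeSpec parseObjectTypeSpec(const std::string& encoding, size_t& pos)
{
    const size_t npos = std::string::npos;
    ObjectTypeSpec spec;
    if (pos >= encoding.size() || encoding[pos] != '@')
        return spec;                          // not an object token
    ++pos;
    if (pos >= encoding.size() || encoding[pos] != '"') {
        spec.wellFormed = true;               // bare '@' is plain id
        return spec;
    }
    size_t close = encoding.find('"', pos + 1);
    if (close == npos)
        return spec;                          // unterminated quote
    std::string name = encoding.substr(pos + 1, close - pos - 1);
    pos = close + 1;                          // continue after the closing quote

    // The class name, if any, is everything before the first '<'.
    size_t lt = name.find('<');
    spec.className = name.substr(0, lt);
    // Protocol qualifiers follow as <A>, <A><B> or <A,B> (assumed spellings).
    while (lt != npos) {
        size_t gt = name.find('>', lt);
        if (gt == npos)
            return spec;                      // unbalanced '<'
        std::string list = name.substr(lt + 1, gt - lt - 1);
        size_t start = 0;
        for (;;) {
            size_t comma = list.find(',', start);
            std::string proto = list.substr(start, comma == npos ? npos : comma - start);
            if (!proto.empty())
                spec.protocols.push_back(proto);
            if (comma == npos)
                break;
            start = comma + 1;
        }
        lt = name.find('<', gt);
    }
    spec.wellFormed = true;
    return spec;
}

// Constructed stand-ins for objc_getClass() / objc_getProtocol().
static const std::set<std::string> kKnownClasses = {"NSObject", "NSString"};
static const std::set<std::string> kKnownProtocols = {"MyProtocol"};

// The original assumption: the whole quoted name is a class name.
inline bool resolvesAsClassOnly(const std::string& quotedName)
{
    return kKnownClasses.count(quotedName) != 0;
}

// With the protocol fallback: class (if any) and every protocol must exist.
inline bool resolvesWithProtocolFallback(const ObjectTypeSpec& spec)
{
    if (!spec.wellFormed)
        return false;
    if (!spec.className.empty() && !kKnownClasses.count(spec.className))
        return false;
    for (const std::string& proto : spec.protocols) {
        if (!kKnownProtocols.count(proto))
            return false;
    }
    return true;
}

// Would a method whose encoding starts with this object token be exportable?
inline bool exportable(const std::string& encoding)
{
    size_t pos = 0;
    return resolvesWithProtocolFallback(parseObjectTypeSpec(encoding, pos));
}
```

The two failing inputs from the entry, `@"<MyProtocol>"` and `@"NSObject<MyProtocol>"`, are exactly the ones `resolvesAsClassOnly` rejects and `exportable` accepts.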
1377
1378 2014-02-10  Michael Saboff  <msaboff@apple.com>
1379
1380         Re-enable ARM Thumb2 disassembler
1381         https://bugs.webkit.org/show_bug.cgi?id=128577
1382
1383         Reviewed by Filip Pizlo.
1384
1385         Changed signature of tryToDisassemble() to match updates.
1386         Fixed typo in disassembler.
1387
1388         * disassembler/ARMv7/ARMv7DOpcode.cpp:
1389         * disassembler/ARMv7Disassembler.cpp:
1390         (JSC::tryToDisassemble):
1391
1392 2014-02-10  Mark Lam  <mark.lam@apple.com>
1393
1394         Removing limitation on JSLock's lockDropDepth.
1395         <https://webkit.org/b/128570>
1396
1397         Reviewed by Geoffrey Garen.
1398
1399         Now that we've switched to using the C stack, we no longer need to limit
1400         the JSLock::lockDropDepth to 2.
1401
1402         For C loop builds which still use the separate JSStack, the JSLock will
1403         enforce ordering for re-grabbing the lock after dropping it. Re-grabbing
1404         must occur in the reverse order of the dropping of the locks.
1405
1406         Ordering is achieved by JSLock::dropAllLocks() stashing away the
1407         JSLock::m_lockDropDepth in its DropAllLocks instance's m_dropDepth
1408         before unlocking the lock. Subsequently, JSLock::grabAllLocks() will
1409         ensure that JSLocks::m_lockDropDepth equals its DropAllLocks instance's
1410         m_dropDepth before allowing the lock to be re-grabbed. Otherwise, it
1411         will yield execution and retry again later.
1412
1413         Note: because JSLocks::m_lockDropDepth is protected by the JSLock's
1414         mutex, grabAllLocks() will optimistically lock the JSLock before doing
1415         the check on m_lockDropDepth. If the check fails, it will unlock the
1416         JSLock, yield, and then relock it again later before retrying the check.
1417         This ensures that m_lockDropDepth remains under the protection of the
1418         JSLock's mutex.
1419
1420         * runtime/JSLock.cpp:
1421         (JSC::JSLock::dropAllLocks):
1422         (JSC::JSLock::grabAllLocks):
1423         (JSC::JSLock::DropAllLocks::DropAllLocks):
1424         (JSC::JSLock::DropAllLocks::~DropAllLocks):
1425         * runtime/JSLock.h:
1426         (JSC::JSLock::DropAllLocks::setDropDepth):
1427         (JSC::JSLock::DropAllLocks::dropDepth):
1428
1429 2014-02-10  Filip Pizlo  <fpizlo@apple.com>
1430
1431         FTL should support ToThis
1432         https://bugs.webkit.org/show_bug.cgi?id=127751
1433
1434         Reviewed by Oliver Hunt.
1435
1436         * ftl/FTLCapabilities.cpp:
1437         (JSC::FTL::canCompile):
1438         * ftl/FTLIntrinsicRepository.h:
1439         * ftl/FTLLowerDFGToLLVM.cpp:
1440         (JSC::FTL::LowerDFGToLLVM::compileNode):
1441         (JSC::FTL::LowerDFGToLLVM::compileToThis):
1442         * tests/stress/to-this-polymorphic.js: Added.
1443         (foo):
1444
1445 2014-02-10  Filip Pizlo  <fpizlo@apple.com>
1446
1447         Rename Operations.h to JSCInlines.h
1448         https://bugs.webkit.org/show_bug.cgi?id=128543
1449
1450         Rubber stamped by Geoffrey Garen.
1451         
1452         Well, what this actually does is it splits Operations.h into a real Operations.h that
1453         actually contains "operations", and JSCInlines.h, which serves the role of being an
1454         inlines umbrella.
1455         
1456         * API/JSBase.cpp:
1457         * API/JSCTestRunnerUtils.cpp:
1458         * API/JSCallbackConstructor.cpp:
1459         * API/JSCallbackFunction.cpp:
1460         * API/JSCallbackObject.cpp:
1461         * API/JSClassRef.cpp:
1462         * API/JSContext.mm:
1463         * API/JSContextRef.cpp:
1464         * API/JSManagedValue.mm:
1465         * API/JSObjectRef.cpp:
1466         * API/JSScriptRef.cpp:
1467         * API/JSValue.mm:
1468         * API/JSValueRef.cpp:
1469         * API/JSWeakObjectMapRefPrivate.cpp:
1470         * API/JSWrapperMap.mm:
1471         * GNUmakefile.list.am:
1472         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1473         * JavaScriptCore.xcodeproj/project.pbxproj:
1474         * assembler/LinkBuffer.cpp:
1475         * bindings/ScriptFunctionCall.cpp:
1476         * bindings/ScriptObject.cpp:
1477         * bytecode/ArrayAllocationProfile.cpp:
1478         * bytecode/ArrayProfile.cpp:
1479         * bytecode/BytecodeBasicBlock.cpp:
1480         * bytecode/CallLinkInfo.cpp:
1481         * bytecode/CallLinkStatus.cpp:
1482         * bytecode/CodeBlock.cpp:
1483         * bytecode/CodeBlockJettisoningWatchpoint.cpp:
1484         * bytecode/CodeOrigin.cpp:
1485         * bytecode/ExecutionCounter.cpp:
1486         * bytecode/GetByIdStatus.cpp:
1487         * bytecode/LazyOperandValueProfile.cpp:
1488         * bytecode/MethodOfGettingAValueProfile.cpp:
1489         * bytecode/PreciseJumpTargets.cpp:
1490         * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
1491         * bytecode/PutByIdStatus.cpp:
1492         * bytecode/SamplingTool.cpp:
1493         * bytecode/SpecialPointer.cpp:
1494         * bytecode/SpeculatedType.cpp:
1495         * bytecode/StructureStubClearingWatchpoint.cpp:
1496         * bytecode/UnlinkedCodeBlock.cpp:
1497         * bytecode/ValueRecovery.cpp:
1498         * bytecompiler/BytecodeGenerator.cpp:
1499         * bytecompiler/NodesCodegen.cpp:
1500         * debugger/Debugger.cpp:
1501         * debugger/DebuggerActivation.cpp:
1502         * debugger/DebuggerCallFrame.cpp:
1503         * dfg/DFGAbstractHeap.cpp:
1504         * dfg/DFGAbstractValue.cpp:
1505         * dfg/DFGArgumentsSimplificationPhase.cpp:
1506         * dfg/DFGArithMode.cpp:
1507         * dfg/DFGArrayMode.cpp:
1508         * dfg/DFGAtTailAbstractState.cpp:
1509         * dfg/DFGAvailability.cpp:
1510         * dfg/DFGBackwardsPropagationPhase.cpp:
1511         * dfg/DFGBasicBlock.cpp:
1512         * dfg/DFGBinarySwitch.cpp:
1513         * dfg/DFGBlockInsertionSet.cpp:
1514         * dfg/DFGByteCodeParser.cpp:
1515         * dfg/DFGCFAPhase.cpp:
1516         * dfg/DFGCFGSimplificationPhase.cpp:
1517         * dfg/DFGCPSRethreadingPhase.cpp:
1518         * dfg/DFGCSEPhase.cpp:
1519         * dfg/DFGCapabilities.cpp:
1520         * dfg/DFGClobberSet.cpp:
1521         * dfg/DFGClobberize.cpp:
1522         * dfg/DFGCommon.cpp:
1523         * dfg/DFGCommonData.cpp:
1524         * dfg/DFGCompilationKey.cpp:
1525         * dfg/DFGCompilationMode.cpp:
1526         * dfg/DFGConstantFoldingPhase.cpp:
1527         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
1528         * dfg/DFGDCEPhase.cpp:
1529         * dfg/DFGDesiredIdentifiers.cpp:
1530         * dfg/DFGDesiredStructureChains.cpp:
1531         * dfg/DFGDesiredTransitions.cpp:
1532         * dfg/DFGDesiredWatchpoints.cpp:
1533         * dfg/DFGDesiredWeakReferences.cpp:
1534         * dfg/DFGDesiredWriteBarriers.cpp:
1535         * dfg/DFGDisassembler.cpp:
1536         * dfg/DFGDominators.cpp:
1537         * dfg/DFGDriver.cpp:
1538         * dfg/DFGEdge.cpp:
1539         * dfg/DFGFailedFinalizer.cpp:
1540         * dfg/DFGFinalizer.cpp:
1541         * dfg/DFGFixupPhase.cpp:
1542         * dfg/DFGFlushFormat.cpp:
1543         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
1544         * dfg/DFGFlushedAt.cpp:
1545         * dfg/DFGGraph.cpp:
1546         * dfg/DFGGraphSafepoint.cpp:
1547         * dfg/DFGInPlaceAbstractState.cpp:
1548         * dfg/DFGInvalidationPointInjectionPhase.cpp:
1549         * dfg/DFGJITCode.cpp:
1550         * dfg/DFGJITCompiler.cpp:
1551         * dfg/DFGJITFinalizer.cpp:
1552         * dfg/DFGJumpReplacement.cpp:
1553         * dfg/DFGLICMPhase.cpp:
1554         * dfg/DFGLazyJSValue.cpp:
1555         * dfg/DFGLivenessAnalysisPhase.cpp:
1556         * dfg/DFGLongLivedState.cpp:
1557         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
1558         * dfg/DFGMinifiedNode.cpp:
1559         * dfg/DFGNaturalLoops.cpp:
1560         * dfg/DFGNode.cpp:
1561         * dfg/DFGNodeFlags.cpp:
1562         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
1563         * dfg/DFGOSREntry.cpp:
1564         * dfg/DFGOSREntrypointCreationPhase.cpp:
1565         * dfg/DFGOSRExit.cpp:
1566         * dfg/DFGOSRExitBase.cpp:
1567         * dfg/DFGOSRExitCompiler.cpp:
1568         * dfg/DFGOSRExitCompiler32_64.cpp:
1569         * dfg/DFGOSRExitCompiler64.cpp:
1570         * dfg/DFGOSRExitCompilerCommon.cpp:
1571         * dfg/DFGOSRExitJumpPlaceholder.cpp:
1572         * dfg/DFGOSRExitPreparation.cpp:
1573         * dfg/DFGOperations.cpp:
1574         * dfg/DFGPhase.cpp:
1575         * dfg/DFGPlan.cpp:
1576         * dfg/DFGPredictionInjectionPhase.cpp:
1577         * dfg/DFGPredictionPropagationPhase.cpp:
1578         * dfg/DFGResurrectionForValidationPhase.cpp:
1579         * dfg/DFGSSAConversionPhase.cpp:
1580         * dfg/DFGSSALoweringPhase.cpp:
1581         * dfg/DFGSafepoint.cpp:
1582         * dfg/DFGSpeculativeJIT.cpp:
1583         * dfg/DFGSpeculativeJIT32_64.cpp:
1584         * dfg/DFGSpeculativeJIT64.cpp:
1585         * dfg/DFGStackLayoutPhase.cpp:
1586         * dfg/DFGStoreBarrierElisionPhase.cpp:
1587         * dfg/DFGStrengthReductionPhase.cpp:
1588         * dfg/DFGThreadData.cpp:
1589         * dfg/DFGThunks.cpp:
1590         * dfg/DFGTierUpCheckInjectionPhase.cpp:
1591         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
1592         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
1593         * dfg/DFGTypeCheckHoistingPhase.cpp:
1594         * dfg/DFGUnificationPhase.cpp:
1595         * dfg/DFGUseKind.cpp:
1596         * dfg/DFGValidate.cpp:
1597         * dfg/DFGValueSource.cpp:
1598         * dfg/DFGVariableAccessDataDump.cpp:
1599         * dfg/DFGVariableEvent.cpp:
1600         * dfg/DFGVariableEventStream.cpp:
1601         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
1602         * dfg/DFGWatchpointCollectionPhase.cpp:
1603         * dfg/DFGWorklist.cpp:
1604         * ftl/FTLAbstractHeap.cpp:
1605         * ftl/FTLAbstractHeapRepository.cpp:
1606         * ftl/FTLExitValue.cpp:
1607         * ftl/FTLLink.cpp:
1608         * ftl/FTLLowerDFGToLLVM.cpp:
1609         * ftl/FTLOSREntry.cpp:
1610         * ftl/FTLOSRExit.cpp:
1611         * ftl/FTLOSRExitCompiler.cpp:
1612         * ftl/FTLSlowPathCall.cpp:
1613         * heap/BlockAllocator.cpp:
1614         * heap/CodeBlockSet.cpp:
1615         * heap/ConservativeRoots.cpp:
1616         * heap/CopiedSpace.cpp:
1617         * heap/CopyVisitor.cpp:
1618         * heap/DeferGC.cpp:
1619         * heap/GCThread.cpp:
1620         * heap/GCThreadSharedData.cpp:
1621         * heap/HandleSet.cpp:
1622         * heap/HandleStack.cpp:
1623         * heap/Heap.cpp:
1624         * heap/HeapStatistics.cpp:
1625         * heap/HeapTimer.cpp:
1626         * heap/IncrementalSweeper.cpp:
1627         * heap/JITStubRoutineSet.cpp:
1628         * heap/MachineStackMarker.cpp:
1629         * heap/MarkStack.cpp:
1630         * heap/MarkedAllocator.cpp:
1631         * heap/MarkedBlock.cpp:
1632         * heap/MarkedSpace.cpp:
1633         * heap/SlotVisitor.cpp:
1634         * heap/SuperRegion.cpp:
1635         * heap/Weak.cpp:
1636         * heap/WeakBlock.cpp:
1637         * heap/WeakHandleOwner.cpp:
1638         * heap/WeakSet.cpp:
1639         * heap/WriteBarrierBuffer.cpp:
1640         * heap/WriteBarrierSupport.cpp:
1641         * inspector/InjectedScript.cpp:
1642         * inspector/InjectedScriptBase.cpp:
1643         * inspector/JSGlobalObjectScriptDebugServer.cpp:
1644         * inspector/JSInjectedScriptHost.cpp:
1645         * inspector/ScriptArguments.cpp:
1646         * inspector/ScriptCallStackFactory.cpp:
1647         * interpreter/AbstractPC.cpp:
1648         * interpreter/CallFrame.cpp:
1649         * interpreter/Interpreter.cpp:
1650         * interpreter/JSStack.cpp:
1651         * interpreter/ProtoCallFrame.cpp:
1652         * interpreter/StackVisitor.cpp:
1653         * interpreter/VMInspector.cpp:
1654         * jit/ArityCheckFailReturnThunks.cpp:
1655         * jit/AssemblyHelpers.cpp:
1656         * jit/ClosureCallStubRoutine.cpp:
1657         * jit/ExecutableAllocator.cpp:
1658         * jit/ExecutableAllocatorFixedVMPool.cpp:
1659         * jit/GCAwareJITStubRoutine.cpp:
1660         * jit/HostCallReturnValue.cpp:
1661         * jit/JIT.cpp:
1662         * jit/JITArithmetic.cpp:
1663         * jit/JITArithmetic32_64.cpp:
1664         * jit/JITCall.cpp:
1665         * jit/JITCall32_64.cpp:
1666         * jit/JITCode.cpp:
1667         * jit/JITDisassembler.cpp:
1668         * jit/JITExceptions.cpp:
1669         * jit/JITInlineCacheGenerator.cpp:
1670         * jit/JITInlines.h:
1671         * jit/JITOperations.cpp:
1672         * jit/JITOperationsMSVC64.cpp:
1673         * jit/JITStubRoutine.cpp:
1674         * jit/JITStubs.cpp:
1675         * jit/JITThunks.cpp:
1676         * jit/JITToDFGDeferredCompilationCallback.cpp:
1677         * jit/RegisterPreservationWrapperGenerator.cpp:
1678         * jit/RegisterSet.cpp:
1679         * jit/Repatch.cpp:
1680         * jit/TempRegisterSet.cpp:
1681         * jit/ThunkGenerators.cpp:
1682         * jsc.cpp:
1683         * llint/LLIntExceptions.cpp:
1684         * llint/LLIntSlowPaths.cpp:
1685         * llint/LowLevelInterpreter.cpp:
1686         * parser/Lexer.cpp:
1687         * parser/Nodes.cpp:
1688         * parser/Parser.cpp:
1689         * parser/ParserArena.cpp:
1690         * parser/SourceCode.cpp:
1691         * parser/SourceProvider.cpp:
1692         * parser/SourceProviderCache.cpp:
1693         * profiler/LegacyProfiler.cpp:
1694         * profiler/ProfileGenerator.cpp:
1695         * profiler/ProfilerBytecode.cpp:
1696         * profiler/ProfilerBytecodeSequence.cpp:
1697         * profiler/ProfilerBytecodes.cpp:
1698         * profiler/ProfilerCompilation.cpp:
1699         * profiler/ProfilerCompiledBytecode.cpp:
1700         * profiler/ProfilerDatabase.cpp:
1701         * profiler/ProfilerOSRExit.cpp:
1702         * profiler/ProfilerOSRExitSite.cpp:
1703         * profiler/ProfilerOrigin.cpp:
1704         * profiler/ProfilerOriginStack.cpp:
1705         * profiler/ProfilerProfiledBytecodes.cpp:
1706         * runtime/ArgList.cpp:
1707         * runtime/Arguments.cpp:
1708         * runtime/ArgumentsIteratorPrototype.cpp:
1709         * runtime/ArrayBuffer.cpp:
1710         * runtime/ArrayBufferNeuteringWatchpoint.cpp:
1711         * runtime/ArrayConstructor.cpp:
1712         * runtime/ArrayPrototype.cpp:
1713         * runtime/BooleanConstructor.cpp:
1714         * runtime/BooleanObject.cpp:
1715         * runtime/BooleanPrototype.cpp:
1716         * runtime/CallData.cpp:
1717         * runtime/CodeCache.cpp:
1718         * runtime/CommonSlowPaths.cpp:
1719         * runtime/CommonSlowPathsExceptions.cpp:
1720         * runtime/Completion.cpp:
1721         * runtime/ConstructData.cpp:
1722         * runtime/DateConstructor.cpp:
1723         * runtime/DateInstance.cpp:
1724         * runtime/DatePrototype.cpp:
1725         * runtime/Error.cpp:
1726         * runtime/ErrorConstructor.cpp:
1727         * runtime/ErrorInstance.cpp:
1728         * runtime/ErrorPrototype.cpp:
1729         * runtime/ExceptionHelpers.cpp:
1730         * runtime/Executable.cpp:
1731         * runtime/FunctionConstructor.cpp:
1732         * runtime/FunctionPrototype.cpp:
1733         * runtime/GetterSetter.cpp:
1734         * runtime/Identifier.cpp:
1735         * runtime/IntendedStructureChain.cpp:
1736         * runtime/InternalFunction.cpp:
1737         * runtime/JSActivation.cpp:
1738         * runtime/JSArgumentsIterator.cpp:
1739         * runtime/JSArray.cpp:
1740         * runtime/JSArrayBuffer.cpp:
1741         * runtime/JSArrayBufferConstructor.cpp:
1742         * runtime/JSArrayBufferPrototype.cpp:
1743         * runtime/JSArrayBufferView.cpp:
1744         * runtime/JSBoundFunction.cpp:
1745         * runtime/JSCInlines.h: Copied from Source/JavaScriptCore/runtime/Operations.h.
1746         * runtime/JSCell.cpp:
1747         * runtime/JSDataView.cpp:
1748         * runtime/JSDataViewPrototype.cpp:
1749         * runtime/JSDateMath.cpp:
1750         * runtime/JSFunction.cpp:
1751         * runtime/JSGlobalObject.cpp:
1752         * runtime/JSGlobalObjectFunctions.cpp:
1753         * runtime/JSLock.cpp:
1754         * runtime/JSNameScope.cpp:
1755         * runtime/JSNotAnObject.cpp:
1756         * runtime/JSONObject.cpp:
1757         * runtime/JSObject.cpp:
1758         * runtime/JSPropertyNameIterator.cpp:
1759         * runtime/JSPropertyNameIterator.h:
1760         * runtime/JSProxy.cpp:
1761         * runtime/JSScope.cpp:
1762         * runtime/JSSegmentedVariableObject.cpp:
1763         * runtime/JSString.cpp:
1764         * runtime/JSStringJoiner.cpp:
1765         * runtime/JSSymbolTableObject.cpp:
1766         * runtime/JSTypedArrayConstructors.cpp:
1767         * runtime/JSTypedArrayPrototypes.cpp:
1768         * runtime/JSTypedArrays.cpp:
1769         * runtime/JSVariableObject.cpp:
1770         * runtime/JSWithScope.cpp:
1771         * runtime/JSWrapperObject.cpp:
1772         * runtime/LiteralParser.cpp:
1773         * runtime/Lookup.cpp:
1774         * runtime/MathObject.cpp:
1775         * runtime/NameConstructor.cpp:
1776         * runtime/NameInstance.cpp:
1777         * runtime/NamePrototype.cpp:
1778         * runtime/NativeErrorConstructor.cpp:
1779         * runtime/NativeErrorPrototype.cpp:
1780         * runtime/NumberConstructor.cpp:
1781         * runtime/NumberObject.cpp:
1782         * runtime/NumberPrototype.cpp:
1783         * runtime/ObjectConstructor.cpp:
1784         * runtime/ObjectPrototype.cpp:
1785         * runtime/Operations.cpp:
1786         * runtime/Operations.h:
1787         * runtime/PropertyDescriptor.cpp:
1788         * runtime/PrototypeMap.cpp:
1789         * runtime/RegExp.cpp:
1790         * runtime/RegExpCache.cpp:
1791         * runtime/RegExpCachedResult.cpp:
1792         * runtime/RegExpConstructor.cpp:
1793         * runtime/RegExpMatchesArray.cpp:
1794         * runtime/RegExpObject.cpp:
1795         * runtime/RegExpPrototype.cpp:
1796         * runtime/SimpleTypedArrayController.cpp:
1797         * runtime/SmallStrings.cpp:
1798         * runtime/SparseArrayValueMap.cpp:
1799         * runtime/StrictEvalActivation.cpp:
1800         * runtime/StringConstructor.cpp:
1801         * runtime/StringObject.cpp:
1802         * runtime/StringPrototype.cpp:
1803         * runtime/StringRecursionChecker.cpp:
1804         * runtime/Structure.cpp:
1805         * runtime/StructureChain.cpp:
1806         * runtime/StructureRareData.cpp:
1807         * runtime/SymbolTable.cpp:
1808         * runtime/TestRunnerUtils.cpp:
1809         * runtime/VM.cpp:
1810         * testRegExp.cpp:
1811
1812 2014-02-10  Matthew Mirman  <mmirman@apple.com>
1813
1814         Removes the inline assert from SpeculativeJIT's ReallocatePropertyStorage
1815         https://bugs.webkit.org/show_bug.cgi?id=128566
1816
1817         Reviewed by Filip Pizlo.
1818
1819         * dfg/DFGSpeculativeJIT.cpp:
1820         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1821
1822 2014-02-10  Filip Pizlo  <fpizlo@apple.com>
1823
1824         Rename getRecordMap to computeRecordMap.
1825
1826         Rubber stamped by Michael Saboff.
1827         
1828         "get" is such a weird prefix. It implies a getter. We don't prefix our getters with
1829         anything in WebKit. Also, this isn't a getter. It actually does work to transform
1830         the stackmaps into a hashmap. So, computeRecordMap is a much better name.
1831
1832         * ftl/FTLCompile.cpp:
1833         (JSC::FTL::compile):
1834         * ftl/FTLJITFinalizer.cpp:
1835         (JSC::FTL::JITFinalizer::finalizeFunction):
1836         * ftl/FTLStackMaps.cpp:
1837         (JSC::FTL::StackMaps::computeRecordMap):
1838         * ftl/FTLStackMaps.h:
1839
1840 2014-02-10  Matthew Mirman  <mmirman@apple.com>
1841
1842         ReallocatePropertyStorage in FTL
1843         https://bugs.webkit.org/show_bug.cgi?id=128352
1844
1845         Reviewed by Filip Pizlo.
1846
1847         * ftl/FTLCapabilities.cpp:
1848         (JSC::FTL::canCompile):
1849         * ftl/FTLIntrinsicRepository.h:
1850         * ftl/FTLLowerDFGToLLVM.cpp:
1851         (JSC::FTL::LowerDFGToLLVM::compileNode):
1852         (JSC::FTL::LowerDFGToLLVM::compileReallocatePropertyStorage):
1853         * tests/stress/ftl-reallocatepropertystorage.js: Added.
1854         (foo):
1855
1856 2014-02-10  Michael Saboff  <msaboff@apple.com>
1857
1858         Fail FTL compilation if the required stack is too big
1859         https://bugs.webkit.org/show_bug.cgi?id=128560
1860
1861         Reviewed by Filip Pizlo.
1862
1863         Added StackSize struct to FTLStackMaps and populated it.  Added and updated
1864         related dump functions.  Use the stack size found at the end of the compilation
1865         to compare against the value of a new option, llvmMaxStackSize.  We fail the
1866         compile if the function's stack size is greater than llvmMaxStackSize.
1867
1868         * dfg/DFGPlan.cpp:
1869         (JSC::DFG::Plan::compileInThreadImpl):
1870         * ftl/FTLStackMaps.cpp:
1871         (JSC::FTL::StackMaps::StackSize::parse):
1872         (JSC::FTL::StackMaps::StackSize::dump):
1873         (JSC::FTL::StackMaps::parse):
1874         (JSC::FTL::StackMaps::dump):
1875         (JSC::FTL::StackMaps::dumpMultiline):
1876         (JSC::FTL::StackMaps::getStackSize):
1877         * ftl/FTLStackMaps.h:
1878         * runtime/Options.h:
1879
1880 2014-02-10  Mark Lam  <mark.lam@apple.com>
1881
1882         Change JSLock::dropAllLocks() and friends to use lock() and unlock().
1883         <https://webkit.org/b/128451>
1884
1885         Reviewed by Geoffrey Garen.
1886
1887         Currently, JSLock's dropAllLocks(), dropAllLocksUnconditionally(), and
1888         grabAllLocks() implement locking / unlocking by duplicating the code from
1889         lock() and unlock(). Instead, they should just call lock() and unlock().
1890
1891         * runtime/JSLock.cpp:
1892         (JSC::JSLock::lock):
1893         (JSC::JSLock::unlock):
1894         - Modified lock() and unlock() into a version that takes an entry count
1895           to lock / unlock. The previous lock() and unlock() now calls these
1896           new versions with an entry count of 1.
1897
1898         (JSC::JSLock::dropAllLocks):
1899         (JSC::JSLock::dropAllLocksUnconditionally):
1900         (JSC::JSLock::grabAllLocks):
1901         - Delegate to unlock() and lock() instead of duplicating the lock / unlock
1902           code.
1903         - There are some differences with calling lock() instead of duplicating its
1904           code in grabAllLock() i.e. lock() does the following additional work:
1905
1906           1. lock() does a re-entry check that is not needed by grabAllLocks().
1907              However, this is effectively a no-op since we never own the JSLock
1908              before calling grabAllLocks().
1909
1910           2. set VM stackPointerAtVMEntry.
1911           3. update VM stackLimit and reservedZoneSize.
1912           4. set VM lastStackTop.
1913              These 3 steps are just busy work which are also effectively no-ops
1914              because immediately after lock() returns, grabAllLocks() will write
1915              over those values with their saved versions in the threadData.
1916
1917         * runtime/JSLock.h:
1918
1919 2014-02-10  Anders Carlsson  <andersca@apple.com>
1920
1921         Try to fix the Windows build.
1922
1923         * heap/UnconditionalFinalizer.h:
1924         * runtime/SymbolTable.h:
1925
1926 2014-02-10  Andreas Kling  <akling@apple.com>
1927
1928         Make the Identifier::add() family return PassRef<StringImpl>.
1929         <https://webkit.org/b/128542>
1930
1931         This knocks one branch off of creating an Identifier from another
1932         string source.
1933
1934         Reviewed by Oliver Hunt.
1935
1936         * runtime/Identifier.cpp:
1937         (JSC::Identifier::add):
1938         (JSC::Identifier::add8):
1939         (JSC::Identifier::addSlowCase):
1940         * runtime/Identifier.h:
1941         (JSC::Identifier::add):
1942         * runtime/Lookup.cpp:
1943         (JSC::HashTable::createTable):
1944
1945 2014-02-09  Mark Lam  <mark.lam@apple.com>
1946
1947         Remove unnecessary spinLock in JSLock.
1948         <https://webkit.org/b/128450>
1949
1950         Reviewed by Filip Pizlo.
1951
1952         The JSLock's mutex already provides protection for write access to
1953         JSLock's internal state. The only JSLock state that needs to be read
1954         from any thread including threads that don't own the JSLock is
1955         m_ownerThread, which is used in currentThreadIsHoldingLock() to do an
1956         ownership test on the lock.
1957
1958         It is safe for other threads to read from m_ownerThread because they
1959         only need to know whether its value matches their own thread id
1960         (provided by WTF::currentThread()).
1961
1962         Here are the scenarios for how the ownership test can go:
1963
1964         1. The JSLock has just been initialized and is not owned by any thread.
1965
1966            In this case, m_ownerThread will be 0 and will not match any thread's
1967            thread id. The checking thread will know that it needs to lock the
1968            JSLock before using the VM.
1969
1970         2. The JSLock was previously locked, but now is unlocked.
1971
1972            When we unlock it in JSLock::unlock(), the owner thread clears
1973            m_ownerThread to 0. Hence, this case is the same as (1) above.
1974
1975         3. The JSLock is locked by Thread A. Thread B is checking ownership.
1976
1977            In this case, m_ownerThread will contain Thread A's thread id.
1978            Thread B will see that the thread id does not match its own and will
1979            proceed to block on the JSLock's mutex to wait for its turn to use
1980            the VM.
1981
1982            With Weak Memory Ordering architectures, Thread A's thread id may
1983            not get written out to memory before Thread B inspects m_ownerThread.
1984            However, though Thread B may not see Thread A's thread id in
1985            m_ownerThread, it will see 0 which is the last value written to it
1986            before the JSLock mutex was unlocked. The mutex unlock would have
1987            executed a memory fence which would have flushed the 0 to
1988            m_ownerThread in memory. Hence, Thread B will know that it does not
1989            own the lock.
1990
1991         Apart from removing the unneeded spin lock code, I also changed the
1992         JSLock code to use currentThreadIsHoldingLock() and setOwnerThread()
1993         instead of accessing m_ownerThread directly.
1994
1995         * runtime/JSLock.cpp:
1996         (JSC::JSLock::JSLock):
1997
1998         (JSC::JSLock::lock):
1999         - Removed spinLock but left the indentation as is to keep the diff to a
2000           minimum for better readability. Will unindent in a subsequent patch.
2001
2002         (JSC::JSLock::unlock):
2003         - Before unlocking the mutex, clear m_ownerThread to indicate that the
2004           lock is no longer owned.
2005
2006         (JSC::JSLock::currentThreadIsHoldingLock):
2007         - Removed the check of m_lockCount for determining ownership. Checking
2008           m_ownerThread is sufficient.
2009
2010         (JSC::JSLock::dropAllLocks):
2011         (JSC::JSLock::dropAllLocksUnconditionally):
2012         - Renamed local locksToDrop to the better name droppedLockCount.
2013         - Clear m_ownerThread since we're unlocking the JSLock.
2014
2015         (JSC::JSLock::grabAllLocks):
2016         - Removed unneeded lock ownership test for lock re-entry case because
2017           grabAllLocks() is never used to re-enter a locked JSLock.
2018
2019         (JSC::JSLock::DropAllLocks::DropAllLocks):
2020         (JSC::JSLock::DropAllLocks::~DropAllLocks):
2021
2022         * runtime/JSLock.h:
2023         (JSC::JSLock::setOwnerThread):
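
The locking scheme described in the three JSLock entries above (b/128570, b/128451 and this one, b/128450), as an added model that is not JavaScriptCore's runtime/JSLock.cpp: lock()/unlock() take an entry count, ownership is decided purely by comparing m_ownerThread with the caller's own thread id, m_ownerThread is cleared before the mutex is released, and dropAllLocks()/grabAllLocks() enforce reverse-order re-grabbing through the m_lockDropDepth stamp. VM stack bookkeeping is omitted, m_ownerThread is an std::atomic so the model's intent is explicit where the entry relies on the mutex fence, and grabAllLocks() is written as a non-blocking tryGrabAllLocks() that reports an out-of-order re-grab instead of yielding and retrying, so a single thread can observe the rule.

```cpp
// Added model of the JSLock drop/re-grab scheme. Not WebKit code.
#include <atomic>
#include <cassert>
#include <mutex>
#include <thread>

class ModelJSLock {
public:
    // What JSLock::DropAllLocks keeps across a drop / re-grab pair.
    struct DropAllLocks {
        unsigned dropDepth = 0;         // snapshot of m_lockDropDepth at drop time
        unsigned droppedLockCount = 0;  // entries to restore on re-grab
    };

    // Readable from any thread: only compares the stored id with the caller's.
    // A default-constructed thread::id plays the role of the "0" no-owner value.
    bool currentThreadIsHoldingLock() const
    {
        return m_ownerThread.load(std::memory_order_acquire) == std::this_thread::get_id();
    }

    void lock(unsigned entryCount = 1)
    {
        if (currentThreadIsHoldingLock()) {   // re-entry by the owner
            m_lockCount += entryCount;
            return;
        }
        m_mutex.lock();
        setOwnerThread(std::this_thread::get_id());
        m_lockCount = entryCount;
        // Real JSLock also records stackPointerAtVMEntry and stack limits here.
    }

    void unlock(unsigned entryCount = 1)
    {
        assert(currentThreadIsHoldingLock() && m_lockCount >= entryCount);
        m_lockCount -= entryCount;
        if (m_lockCount)
            return;
        setOwnerThread(std::thread::id());    // clear before the mutex is released
        m_mutex.unlock();
    }

    // Releases every entry this thread holds, stamps the dropper with the new
    // drop depth, and returns the number of entries dropped (0 if not owner).
    unsigned dropAllLocks(DropAllLocks& dropper)
    {
        if (!currentThreadIsHoldingLock())
            return 0;
        ++m_lockDropDepth;
        dropper.dropDepth = m_lockDropDepth;
        dropper.droppedLockCount = m_lockCount;
        unlock(dropper.droppedLockCount);
        return dropper.droppedLockCount;
    }

    // Re-acquires the dropped entries only if this dropper is the most recent
    // one. The lock is taken optimistically so m_lockDropDepth is read under
    // the mutex; on a mismatch it is released again (JSLock yields and retries).
    bool tryGrabAllLocks(DropAllLocks& dropper)
    {
        if (!dropper.droppedLockCount)
            return true;
        lock(dropper.droppedLockCount);
        if (m_lockDropDepth != dropper.dropDepth) {
            unlock(dropper.droppedLockCount);
            return false;
        }
        --m_lockDropDepth;
        return true;
    }

    unsigned lockCount() const { return m_lockCount; }
    unsigned lockDropDepth() const { return m_lockDropDepth; }

private:
    void setOwnerThread(std::thread::id id) { m_ownerThread.store(id, std::memory_order_release); }

    std::mutex m_mutex;
    std::atomic<std::thread::id> m_ownerThread{std::thread::id()};
    unsigned m_lockCount = 0;      // protected by m_mutex
    unsigned m_lockDropDepth = 0;  // protected by m_mutex
};

// Nested drops must be re-grabbed in reverse order; returns true if the model
// refuses the out-of-order re-grab and accepts the in-order one.
inline bool demonstrateOrderedRegrab()
{
    ModelJSLock lock;
    lock.lock();
    lock.lock();                                   // owner re-entry: count 2
    ModelJSLock::DropAllLocks first, second;
    bool ok = lock.dropAllLocks(first) == 2;       // depth 1, lock released
    lock.lock();                                   // re-enter the VM once more
    ok = ok && lock.dropAllLocks(second) == 1;     // depth 2
    ok = ok && !lock.tryGrabAllLocks(first);       // out of order: refused
    ok = ok && lock.tryGrabAllLocks(second);       // depth back to 1
    lock.unlock();                                 // leave the inner entry
    ok = ok && lock.tryGrabAllLocks(first);        // depth back to 0, count 2
    ok = ok && lock.lockCount() == 2 && lock.lockDropDepth() == 0;
    lock.unlock(2);
    return ok && !lock.currentThreadIsHoldingLock();
}
```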
2024
2025 2014-02-10  Filip Pizlo  <fpizlo@apple.com>
2026
2027         Unreviewed, roll out http://trac.webkit.org/changeset/163796
2028
2029         The change was not justified in any way and it has a net negative effect on the code.
2030
2031         * dfg/DFGAbstractInterpreter.h:
2032         * dfg/DFGAbstractValue.h:
2033         * dfg/DFGAdjacencyList.h:
2034         * dfg/DFGArgumentPosition.h:
2035         * dfg/DFGArgumentsSimplificationPhase.cpp:
2036         * dfg/DFGArrayMode.cpp:
2037         * dfg/DFGArrayifySlowPathGenerator.h:
2038         * dfg/DFGAtTailAbstractState.h:
2039         * dfg/DFGAvailability.h:
2040         * dfg/DFGBackwardsPropagationPhase.cpp:
2041         * dfg/DFGBasicBlock.h:
2042         * dfg/DFGBasicBlockInlines.h:
2043         * dfg/DFGByteCodeParser.cpp:
2044         * dfg/DFGCFAPhase.cpp:
2045         * dfg/DFGCFGSimplificationPhase.cpp:
2046         * dfg/DFGCPSRethreadingPhase.cpp:
2047         * dfg/DFGCSEPhase.cpp:
2048         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
2049         * dfg/DFGCapabilities.cpp:
2050         * dfg/DFGCapabilities.h:
2051         * dfg/DFGClobberize.h:
2052         * dfg/DFGCommonData.cpp:
2053         * dfg/DFGConstantFoldingPhase.cpp:
2054         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
2055         * dfg/DFGDCEPhase.cpp:
2056         * dfg/DFGDominators.h:
2057         * dfg/DFGDriver.cpp:
2058         * dfg/DFGDriver.h:
2059         * dfg/DFGFixupPhase.cpp:
2060         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
2061         * dfg/DFGGenerationInfo.h:
2062         * dfg/DFGGraph.cpp:
2063         * dfg/DFGGraph.h:
2064         * dfg/DFGInPlaceAbstractState.cpp:
2065         * dfg/DFGInPlaceAbstractState.h:
2066         * dfg/DFGInlineCacheWrapperInlines.h:
2067         * dfg/DFGInvalidationPointInjectionPhase.cpp:
2068         * dfg/DFGJITCode.h:
2069         * dfg/DFGJITCompiler.cpp:
2070         * dfg/DFGJITCompiler.h:
2071         * dfg/DFGJITFinalizer.cpp:
2072         * dfg/DFGJITFinalizer.h:
2073         * dfg/DFGLICMPhase.cpp:
2074         * dfg/DFGLivenessAnalysisPhase.cpp:
2075         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
2076         * dfg/DFGMinifiedNode.h:
2077         * dfg/DFGNaturalLoops.h:
2078         * dfg/DFGNode.cpp:
2079         * dfg/DFGNode.h:
2080         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2081         * dfg/DFGOSREntry.cpp:
2082         * dfg/DFGOSREntrypointCreationPhase.cpp:
2083         * dfg/DFGOSRExit.cpp:
2084         * dfg/DFGOSRExit.h:
2085         * dfg/DFGOSRExitBase.cpp:
2086         * dfg/DFGOSRExitCompilationInfo.h:
2087         * dfg/DFGOSRExitCompiler.cpp:
2088         * dfg/DFGOSRExitCompiler32_64.cpp:
2089         * dfg/DFGOSRExitCompiler64.cpp:
2090         * dfg/DFGOSRExitJumpPlaceholder.cpp:
2091         * dfg/DFGOperations.cpp:
2092         * dfg/DFGPhase.h:
2093         * dfg/DFGPlan.h:
2094         * dfg/DFGPredictionInjectionPhase.cpp:
2095         * dfg/DFGPredictionPropagationPhase.cpp:
2096         * dfg/DFGResurrectionForValidationPhase.cpp:
2097         * dfg/DFGSSAConversionPhase.cpp:
2098         * dfg/DFGSSALoweringPhase.cpp:
2099         * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
2100         * dfg/DFGSlowPathGenerator.h:
2101         * dfg/DFGSpeculativeJIT.cpp:
2102         * dfg/DFGSpeculativeJIT.h:
2103         * dfg/DFGSpeculativeJIT32_64.cpp:
2104         * dfg/DFGSpeculativeJIT64.cpp:
2105         * dfg/DFGStackLayoutPhase.cpp:
2106         * dfg/DFGStoreBarrierElisionPhase.cpp:
2107         * dfg/DFGStrengthReductionPhase.cpp:
2108         * dfg/DFGThunks.cpp:
2109         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2110         * dfg/DFGTypeCheckHoistingPhase.cpp:
2111         * dfg/DFGUnificationPhase.cpp:
2112         * dfg/DFGValidate.h:
2113         * dfg/DFGValueSource.h:
2114         * dfg/DFGVariableAccessData.h:
2115         * dfg/DFGVariableAccessDataDump.cpp:
2116         * dfg/DFGVariableEvent.h:
2117         * dfg/DFGVariableEventStream.h:
2118         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
2119         * dfg/DFGWatchpointCollectionPhase.cpp:
2120         * dfg/DFGWorklist.cpp:
2121
2122 2014-02-10  Peter Molnar  <pmolnar.u-szeged@partner.samsung.com>
2123
2124         Remove extra includes from DFG
2125         https://bugs.webkit.org/show_bug.cgi?id=126983
2126
2127         Reviewed by Andreas Kling.
2128
2129         * dfg/DFGAbstractInterpreter.h:
2130         * dfg/DFGAbstractValue.h:
2131         * dfg/DFGAdjacencyList.h:
2132         * dfg/DFGArgumentPosition.h:
2133         * dfg/DFGArgumentsSimplificationPhase.cpp:
2134         * dfg/DFGArrayMode.cpp:
2135         * dfg/DFGArrayifySlowPathGenerator.h:
2136         * dfg/DFGAtTailAbstractState.h:
2137         * dfg/DFGAvailability.h:
2138         * dfg/DFGBackwardsPropagationPhase.cpp:
2139         * dfg/DFGBasicBlock.h:
2140         * dfg/DFGBasicBlockInlines.h:
2141         * dfg/DFGByteCodeParser.cpp:
2142         * dfg/DFGCFAPhase.cpp:
2143         * dfg/DFGCFGSimplificationPhase.cpp:
2144         * dfg/DFGCPSRethreadingPhase.cpp:
2145         * dfg/DFGCSEPhase.cpp:
2146         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
2147         * dfg/DFGCapabilities.cpp:
2148         * dfg/DFGCapabilities.h:
2149         * dfg/DFGClobberize.h:
2150         * dfg/DFGCommonData.cpp:
2151         * dfg/DFGConstantFoldingPhase.cpp:
2152         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
2153         * dfg/DFGDCEPhase.cpp:
2154         * dfg/DFGDominators.h:
2155         * dfg/DFGDriver.cpp:
2156         * dfg/DFGDriver.h:
2157         * dfg/DFGFixupPhase.cpp:
2158         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
2159         * dfg/DFGGenerationInfo.h:
2160         * dfg/DFGGraph.cpp:
2161         * dfg/DFGGraph.h:
2162         * dfg/DFGInPlaceAbstractState.cpp:
2163         * dfg/DFGInPlaceAbstractState.h:
2164         * dfg/DFGInlineCacheWrapperInlines.h:
2165         * dfg/DFGInvalidationPointInjectionPhase.cpp:
2166         * dfg/DFGJITCode.h:
2167         * dfg/DFGJITCompiler.cpp:
2168         * dfg/DFGJITCompiler.h:
2169         * dfg/DFGJITFinalizer.cpp:
2170         * dfg/DFGJITFinalizer.h:
2171         * dfg/DFGLICMPhase.cpp:
2172         * dfg/DFGLivenessAnalysisPhase.cpp:
2173         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
2174         * dfg/DFGMinifiedNode.h:
2175         * dfg/DFGNaturalLoops.h:
2176         * dfg/DFGNode.cpp:
2177         * dfg/DFGNode.h:
2178         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2179         * dfg/DFGOSREntry.cpp:
2180         * dfg/DFGOSREntrypointCreationPhase.cpp:
2181         * dfg/DFGOSRExit.cpp:
2182         * dfg/DFGOSRExit.h:
2183         * dfg/DFGOSRExitBase.cpp:
2184         * dfg/DFGOSRExitCompilationInfo.h:
2185         * dfg/DFGOSRExitCompiler.cpp:
2186         * dfg/DFGOSRExitCompiler32_64.cpp:
2187         * dfg/DFGOSRExitCompiler64.cpp:
2188         * dfg/DFGOSRExitJumpPlaceholder.cpp:
2189         * dfg/DFGOperations.cpp:
2190         * dfg/DFGPhase.h:
2191         * dfg/DFGPlan.h:
2192         * dfg/DFGPredictionInjectionPhase.cpp:
2193         * dfg/DFGPredictionPropagationPhase.cpp:
2194         * dfg/DFGResurrectionForValidationPhase.cpp:
2195         * dfg/DFGSSAConversionPhase.cpp:
2196         * dfg/DFGSSALoweringPhase.cpp:
2197         * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
2198         * dfg/DFGSlowPathGenerator.h:
2199         * dfg/DFGSpeculativeJIT.cpp:
2200         * dfg/DFGSpeculativeJIT.h:
2201         * dfg/DFGSpeculativeJIT32_64.cpp:
2202         * dfg/DFGSpeculativeJIT64.cpp:
2203         * dfg/DFGStackLayoutPhase.cpp:
2204         * dfg/DFGStoreBarrierElisionPhase.cpp:
2205         * dfg/DFGStrengthReductionPhase.cpp:
2206         * dfg/DFGThunks.cpp:
2207         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2208         * dfg/DFGTypeCheckHoistingPhase.cpp:
2209         * dfg/DFGUnificationPhase.cpp:
2210         * dfg/DFGValidate.h:
2211         * dfg/DFGValueSource.h:
2212         * dfg/DFGVariableAccessData.h:
2213         * dfg/DFGVariableAccessDataDump.cpp:
2214         * dfg/DFGVariableEvent.h:
2215         * dfg/DFGVariableEventStream.h:
2216         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
2217         * dfg/DFGWatchpointCollectionPhase.cpp:
2218         * dfg/DFGWorklist.cpp:
2219
2220 2014-02-10  Filip Pizlo  <fpizlo@apple.com>
2221
2222         JSC environment variables should override other mechanisms for setting options
2223         https://bugs.webkit.org/show_bug.cgi?id=128511
2224
2225         Reviewed by Geoffrey Garen.
2226
2227         * runtime/Options.cpp:
2228         (JSC::Options::setOption):
2229         * runtime/Options.h:
2230
2231 2014-02-10  Darin Adler  <darin@apple.com>
2232
2233         Stop using String::deprecatedCharacters to call WTF::Collator
2234         https://bugs.webkit.org/show_bug.cgi?id=128517
2235
2236         Reviewed by Alexey Proskuryakov.
2237
2238         * runtime/StringPrototype.cpp:
2239         (JSC::stringProtoFuncLocaleCompare): Use the default constructor for Collator, which now
2240         gives the default locale collation rules. Use the new arguments for Collator::collate, which
2241         are now StringView. These two changes together eliminate the need for a separate helper function.
2242
2243 2014-02-10  Filip Pizlo  <fpizlo@apple.com>
2244
2245         <1/100 probability FTL failure: v8-v6/v8-deltablue.js.ftl-eager: Exception: TypeError: undefined is not an object (evaluating 'c.isInput')
2246         https://bugs.webkit.org/show_bug.cgi?id=128278
2247
2248         Reviewed by Mark Hahnenberg.
2249         
2250         Fix another FTL flake due to bytecode liveness corner cases. Hopefully it's the last
2251         one.
2252
2253         * dfg/DFGByteCodeParser.cpp:
2254         (JSC::DFG::ByteCodeParser::parseBlock): Make sure that inside a constructor, the 'this' result is always set. This makes it easier to unify the treatment of 'this' for OSR exit: we just say that it's always live.
2255         * dfg/DFGGraph.cpp:
2256         (JSC::DFG::Graph::isLiveInBytecode): Assume that 'this' is live. We were already sort of doing this for calls because the callsite would claim it to be live. But we didn't do it for constructors. It's true that *at the callsite* 'this' won't be live, but inside the inlined constructor, it almost certainly will be.
2257         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2258         (JSC::DFG::TierUpCheckInjectionPhase::run): I just noticed this benign bug. We should only return 'true' if we actually injected checks.
2259         * ftl/FTLOSRExitCompiler.cpp:
2260         (JSC::FTL::compileStub): Make it easier to just dump disassembly for FTL OSR exits.
2261         * runtime/Options.h: Ditto.
2262         * tests/stress/inlined-constructor-this-liveness.js: Added.
2263         (Foo):
2264         (foo):
2265         * tests/stress/inlined-function-this-liveness.js: Added.
2266         (bar):
2267         (foo):
2268
2269 2014-02-10  Filip Pizlo  <fpizlo@apple.com>
2270
2271         Actually register those DFG::Safepoints
2272         https://bugs.webkit.org/show_bug.cgi?id=128521
2273
2274         Reviewed by Mark Hahnenberg.
2275         
2276         No test because GC + thread + JIT = ???.
2277
2278         * dfg/DFGSafepoint.cpp:
2279         (JSC::DFG::Safepoint::~Safepoint):
2280         (JSC::DFG::Safepoint::begin):
2281
2282 2014-02-10  Peter Molnar  <pmolnar.u-szeged@partner.samsung.com>
2283
2284         Fix EFL build with INSPECTOR disabled
2285         https://bugs.webkit.org/show_bug.cgi?id=125064
2286
2287         Reviewed by Csaba Osztrogonác.
2288
2289         * inspector/InjectedScriptManager.h:
2290         * inspector/ScriptDebugServer.cpp:
2291         * inspector/agents/InspectorAgent.h:
2292         * inspector/scripts/CodeGeneratorInspectorStrings.py:
2293         (Inspector):
2294
2295 2014-02-09  Filip Pizlo  <fpizlo@apple.com>
2296
2297         GC blocks on FTL and then badness
2298         https://bugs.webkit.org/show_bug.cgi?id=128291
2299
2300         Reviewed by Oliver Hunt.
2301         
2302         Introduce the notion of a DFG::Safepoint, which allows you to unlock the rightToRun
2303         mutex for your JIT thread, while supplying the GC with all of the information it would
2304         need to scan you at that moment in time. The default way of using this is
2305         DFG::GraphSafepoint, where you just supply the Graph. There's a lot of machinery in
2306         this patch just to make the Graph scannable.
2307         
2308         We then use DFG::GraphSafepoint in just two places for now: (1) while initializing LLVM
2309         and (2) while invoking LLVM's optimizer and backend.
2310         
2311         This is a 30% speed-up on Octane/typescript and a 10% speed-up on Octane/gbemu. 2-3%
2312         speed-up overall on Octane.
2313         
2314         * CMakeLists.txt:
2315         * GNUmakefile.list.am:
2316         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2317         * JavaScriptCore.xcodeproj/project.pbxproj:
2318         * dfg/DFGDriver.cpp:
2319         (JSC::DFG::compileImpl):
2320         * dfg/DFGGraph.cpp:
2321         (JSC::DFG::Graph::visitChildren):
2322         * dfg/DFGGraph.h:
2323         * dfg/DFGGraphSafepoint.cpp: Added.
2324         (JSC::DFG::GraphSafepoint::GraphSafepoint):
2325         (JSC::DFG::GraphSafepoint::~GraphSafepoint):
2326         * dfg/DFGGraphSafepoint.h: Added.
2327         * dfg/DFGOperations.h:
2328         * dfg/DFGPlan.cpp:
2329         (JSC::DFG::Plan::compileInThread):
2330         (JSC::DFG::Plan::compileInThreadImpl):
2331         * dfg/DFGPlan.h:
2332         * dfg/DFGSafepoint.cpp: Added.
2333         (JSC::DFG::Safepoint::Safepoint):
2334         (JSC::DFG::Safepoint::~Safepoint):
2335         (JSC::DFG::Safepoint::add):
2336         (JSC::DFG::Safepoint::begin):
2337         (JSC::DFG::Safepoint::visitChildren):
2338         * dfg/DFGSafepoint.h: Added.
2339         * dfg/DFGScannable.h: Added.
2340         (JSC::DFG::Scannable::Scannable):
2341         (JSC::DFG::Scannable::~Scannable):
2342         * dfg/DFGThreadData.cpp: Added.
2343         (JSC::DFG::ThreadData::ThreadData):
2344         (JSC::DFG::ThreadData::~ThreadData):
2345         * dfg/DFGThreadData.h: Added.
2346         * dfg/DFGWorklist.cpp:
2347         (JSC::DFG::Worklist::finishCreation):
2348         (JSC::DFG::Worklist::visitChildren):
2349         (JSC::DFG::Worklist::runThread):
2350         * dfg/DFGWorklist.h:
2351         * ftl/FTLCompile.cpp:
2352         (JSC::FTL::compile):
2353         * heap/SlotVisitor.h:
2354         * heap/SlotVisitorInlines.h:
2355         (JSC::SlotVisitor::appendUnbarrieredReadOnlyPointer):
2356         (JSC::SlotVisitor::appendUnbarrieredReadOnlyValue):
2357
2358 2014-02-09  Filip Pizlo  <fpizlo@apple.com>
2359
2360         Never include *Inlines.h files in interface headers, and never include *Inlines.h when you could include Operations.h instead
2361         https://bugs.webkit.org/show_bug.cgi?id=128505
2362
2363         Reviewed by Mark Hahnenberg and Oliver Hunt.
2364
2365         * API/JSContextRef.cpp:
2366         * assembler/LinkBuffer.cpp:
2367         * bytecode/ArrayProfile.cpp:
2368         * bytecode/BytecodeBasicBlock.cpp:
2369         * bytecode/BytecodeLivenessAnalysisInlines.h:
2370         * bytecode/CallLinkInfo.cpp:
2371         * bytecode/CodeBlock.cpp:
2372         * bytecode/CodeBlock.h:
2373         * bytecode/CodeBlockJettisoningWatchpoint.cpp:
2374         * bytecode/ExecutionCounter.cpp:
2375         * bytecode/MethodOfGettingAValueProfile.cpp:
2376         * bytecode/PreciseJumpTargets.cpp:
2377         * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
2378         * bytecode/SamplingTool.cpp:
2379         * bytecode/SpecialPointer.cpp:
2380         * bytecode/StructureStubClearingWatchpoint.cpp:
2381         * debugger/DebuggerCallFrame.cpp:
2382         * dfg/DFGAbstractHeap.cpp:
2383         * dfg/DFGAbstractValue.cpp:
2384         * dfg/DFGArgumentsSimplificationPhase.cpp:
2385         * dfg/DFGArithMode.cpp:
2386         * dfg/DFGArrayMode.cpp:
2387         * dfg/DFGAtTailAbstractState.cpp:
2388         * dfg/DFGAvailability.cpp:
2389         * dfg/DFGBackwardsPropagationPhase.cpp:
2390         * dfg/DFGBasicBlock.cpp:
2391         * dfg/DFGBinarySwitch.cpp:
2392         * dfg/DFGBlockInsertionSet.cpp:
2393         * dfg/DFGByteCodeParser.cpp:
2394         * dfg/DFGCFAPhase.cpp:
2395         * dfg/DFGCFGSimplificationPhase.cpp:
2396         * dfg/DFGCPSRethreadingPhase.cpp:
2397         * dfg/DFGCSEPhase.cpp:
2398         * dfg/DFGCapabilities.cpp:
2399         * dfg/DFGClobberSet.cpp:
2400         * dfg/DFGClobberize.cpp:
2401         * dfg/DFGCommon.cpp:
2402         * dfg/DFGCommonData.cpp:
2403         * dfg/DFGCompilationKey.cpp:
2404         * dfg/DFGCompilationMode.cpp:
2405         * dfg/DFGConstantFoldingPhase.cpp:
2406         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
2407         * dfg/DFGDCEPhase.cpp:
2408         * dfg/DFGDesiredIdentifiers.cpp:
2409         * dfg/DFGDesiredStructureChains.cpp:
2410         * dfg/DFGDesiredTransitions.cpp:
2411         * dfg/DFGDesiredWatchpoints.cpp:
2412         * dfg/DFGDisassembler.cpp:
2413         * dfg/DFGDisassembler.h:
2414         * dfg/DFGDominators.cpp:
2415         * dfg/DFGEdge.cpp:
2416         * dfg/DFGFailedFinalizer.cpp:
2417         * dfg/DFGFinalizer.cpp:
2418         * dfg/DFGFixupPhase.cpp:
2419         * dfg/DFGFlushFormat.cpp:
2420         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
2421         * dfg/DFGFlushedAt.cpp:
2422         * dfg/DFGGraph.cpp:
2423         * dfg/DFGInPlaceAbstractState.cpp:
2424         * dfg/DFGInvalidationPointInjectionPhase.cpp:
2425         * dfg/DFGJITCode.cpp:
2426         * dfg/DFGJITCompiler.cpp:
2427         * dfg/DFGJITCompiler.h:
2428         * dfg/DFGJITFinalizer.cpp:
2429         * dfg/DFGJumpReplacement.cpp:
2430         * dfg/DFGLICMPhase.cpp:
2431         * dfg/DFGLazyJSValue.cpp:
2432         * dfg/DFGLivenessAnalysisPhase.cpp:
2433         * dfg/DFGLongLivedState.cpp:
2434         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
2435         * dfg/DFGMinifiedNode.cpp:
2436         * dfg/DFGNaturalLoops.cpp:
2437         * dfg/DFGNode.cpp:
2438         * dfg/DFGNodeFlags.cpp:
2439         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2440         * dfg/DFGOSREntry.cpp:
2441         * dfg/DFGOSREntrypointCreationPhase.cpp:
2442         * dfg/DFGOSRExit.cpp:
2443         * dfg/DFGOSRExitBase.cpp:
2444         * dfg/DFGOSRExitCompiler.cpp:
2445         * dfg/DFGOSRExitCompiler32_64.cpp:
2446         * dfg/DFGOSRExitCompiler64.cpp:
2447         * dfg/DFGOSRExitCompilerCommon.cpp:
2448         * dfg/DFGOSRExitJumpPlaceholder.cpp:
2449         * dfg/DFGOSRExitPreparation.cpp:
2450         * dfg/DFGOperations.cpp:
2451         * dfg/DFGOperations.h:
2452         * dfg/DFGPhase.cpp:
2453         * dfg/DFGPlan.cpp:
2454         * dfg/DFGPredictionInjectionPhase.cpp:
2455         * dfg/DFGPredictionPropagationPhase.cpp:
2456         * dfg/DFGResurrectionForValidationPhase.cpp:
2457         * dfg/DFGSSAConversionPhase.cpp:
2458         * dfg/DFGSSALoweringPhase.cpp:
2459         * dfg/DFGSpeculativeJIT.cpp:
2460         * dfg/DFGSpeculativeJIT32_64.cpp:
2461         * dfg/DFGSpeculativeJIT64.cpp:
2462         * dfg/DFGStackLayoutPhase.cpp:
2463         * dfg/DFGStoreBarrierElisionPhase.cpp:
2464         * dfg/DFGStrengthReductionPhase.cpp:
2465         * dfg/DFGThunks.cpp:
2466         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2467         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
2468         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
2469         * dfg/DFGTypeCheckHoistingPhase.cpp:
2470         * dfg/DFGUnificationPhase.cpp:
2471         * dfg/DFGUseKind.cpp:
2472         * dfg/DFGValidate.cpp:
2473         * dfg/DFGValueSource.cpp:
2474         * dfg/DFGVariableAccessDataDump.cpp:
2475         * dfg/DFGVariableEvent.cpp:
2476         * dfg/DFGVariableEventStream.cpp:
2477         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
2478         * dfg/DFGWatchpointCollectionPhase.cpp:
2479         * dfg/DFGWorklist.cpp:
2480         * disassembler/Disassembler.cpp:
2481         * ftl/FTLLink.cpp:
2482         * ftl/FTLOSRExitCompiler.cpp:
2483         * ftl/FTLSlowPathCall.cpp:
2484         * ftl/FTLThunks.cpp:
2485         (JSC::FTL::slowPathCallThunkGenerator):
2486         * heap/BlockAllocator.cpp:
2487         * heap/CodeBlockSet.cpp:
2488         * heap/ConservativeRoots.cpp:
2489         * heap/DeferGC.cpp:
2490         * heap/GCThread.cpp:
2491         * heap/GCThreadSharedData.cpp:
2492         * heap/HeapTimer.cpp:
2493         * heap/IncrementalSweeper.cpp:
2494         * heap/JITStubRoutineSet.cpp:
2495         * heap/MachineStackMarker.cpp:
2496         * heap/MarkStack.cpp:
2497         * heap/MarkedAllocator.cpp:
2498         * heap/MarkedSpace.cpp:
2499         * heap/SuperRegion.cpp:
2500         * heap/Weak.cpp:
2501         * heap/WeakHandleOwner.cpp:
2502         * heap/WeakSet.cpp:
2503         * heap/WriteBarrierBuffer.cpp:
2504         * heap/WriteBarrierSupport.cpp:
2505         * inspector/ScriptCallStackFactory.cpp:
2506         * interpreter/AbstractPC.cpp:
2507         * interpreter/JSStack.cpp:
2508         * interpreter/ProtoCallFrame.cpp:
2509         * interpreter/VMInspector.cpp:
2510         * jit/ArityCheckFailReturnThunks.cpp:
2511         * jit/AssemblyHelpers.cpp:
2512         * jit/ExecutableAllocator.cpp:
2513         * jit/ExecutableAllocatorFixedVMPool.cpp:
2514         * jit/GCAwareJITStubRoutine.cpp:
2515         * jit/HostCallReturnValue.cpp:
2516         * jit/JITDisassembler.cpp:
2517         * jit/JITDisassembler.h:
2518         * jit/JITExceptions.cpp:
2519         * jit/JITInlines.h:
2520         * jit/JITOperations.cpp:
2521         * jit/JITOperationsMSVC64.cpp:
2522         * jit/JITStubRoutine.cpp:
2523         * jit/JITStubs.cpp:
2524         * jit/JITToDFGDeferredCompilationCallback.cpp:
2525         * jit/RegisterPreservationWrapperGenerator.cpp:
2526         * jit/RegisterSet.cpp:
2527         * jit/Repatch.cpp:
2528         * jit/TempRegisterSet.cpp:
2529         * jsc.cpp:
2530         * parser/Lexer.cpp:
2531         * parser/Parser.cpp:
2532         * parser/ParserArena.cpp:
2533         * parser/SourceCode.cpp:
2534         * parser/SourceProvider.cpp:
2535         * parser/SourceProviderCache.cpp:
2536         * profiler/ProfileGenerator.cpp:
2537         * runtime/Arguments.cpp:
2538         * runtime/ArgumentsIteratorPrototype.cpp:
2539         * runtime/CommonSlowPathsExceptions.cpp:
2540         * runtime/JSArgumentsIterator.cpp:
2541         * runtime/JSFunction.cpp:
2542         * runtime/JSGlobalObjectFunctions.cpp:
2543         * runtime/ObjectConstructor.cpp:
2544         * runtime/Operations.h:
2545         * runtime/VM.cpp:
2546
2547 2014-02-09  Filip Pizlo  <fpizlo@apple.com>
2548
2549         Unreviewed, don't mark isHostFunction() inline in the header file because that really confuses EFL.
2550
2551         * runtime/JSFunction.h:
2552
2553 2014-02-09  Anders Carlsson  <andersca@apple.com>
2554
2555         Add WTF_MAKE_FAST_ALLOCATED to more classes
2556         https://bugs.webkit.org/show_bug.cgi?id=128506
2557
2558         Reviewed by Andreas Kling.
2559
2560         * bytecode/UnlinkedInstructionStream.h:
2561         * runtime/SymbolTable.h:
2562         * runtime/WriteBarrier.h:
2563
2564 2014-02-09  Mark Hahnenberg  <mhahnenberg@apple.com>
2565
2566         Objective-C API NSDate conversion is off by 1000x (ms vs s)
2567         https://bugs.webkit.org/show_bug.cgi?id=128386
2568
2569         Reviewed by Michael Saboff.
2570
2571         * API/JSValue.mm:
2572         (valueToObjectWithoutCopy):
2573         (valueToDate):
2574         (objectToValueWithoutCopy):
2575         * API/tests/DateTests.h: Added.
2576         * API/tests/DateTests.mm: Added.
2577         (+[DateTests NSDateToJSDateTest]):
2578         (+[DateTests JSDateToNSDateTest]):
2579         (+[DateTests roundTripThroughJSDateTest]):
2580         (+[DateTests roundTripThroughObjCDateTest]):
2581         * API/tests/testapi.mm:
2582         (checkResult):
2583         * JavaScriptCore.xcodeproj/project.pbxproj:
2584
2585 2014-02-09  Andreas Kling  <akling@apple.com>
2586
2587         Pass VM instead of ExecState to JSCell::fastGetOwnProperty().
2588         <https://webkit.org/b/128497>
2589
2590         Knocks off a couple of instructions.
2591
2592         Reviewed by Anders Carlsson.
2593
2594         * dfg/DFGOperations.cpp:
2595         * jit/JITOperations.cpp:
2596         (JSC::getByVal):
2597         * llint/LLIntSlowPaths.cpp:
2598         (JSC::LLInt::getByVal):
2599         * runtime/JSCell.h:
2600         * runtime/JSCellInlines.h:
2601         (JSC::JSCell::fastGetOwnProperty):
2602
2603 2014-02-09  Anders Carlsson  <andersca@apple.com>
2604
2605         Convert some JSC code over to std::mutex
2606         https://bugs.webkit.org/show_bug.cgi?id=128500
2607
2608         Reviewed by Dan Bernstein.
2609
2610         * API/JSVirtualMachine.mm:
2611         (wrapperCacheMutex):
2612         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
2613         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
2614         * heap/GCThreadSharedData.h:
2615         * heap/SlotVisitor.cpp:
2616         (JSC::SlotVisitor::mergeOpaqueRoots):
2617         * heap/SlotVisitorInlines.h:
2618         (JSC::SlotVisitor::containsOpaqueRootTriState):
2619         * inspector/remote/RemoteInspector.h:
2620         * inspector/remote/RemoteInspector.mm:
2621         (Inspector::RemoteInspector::registerDebuggable):
2622         (Inspector::RemoteInspector::unregisterDebuggable):
2623         (Inspector::RemoteInspector::updateDebuggable):
2624         (Inspector::RemoteInspector::sendMessageToRemoteFrontend):
2625         (Inspector::RemoteInspector::start):
2626         (Inspector::RemoteInspector::stop):
2627         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
2628         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
2629         (Inspector::RemoteInspector::xpcConnectionFailed):
2630         (Inspector::RemoteInspector::pushListingSoon):
2631         (Inspector::RemoteInspector::receivedIndicateMessage):
2632         * inspector/remote/RemoteInspectorDebuggableConnection.h:
2633         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
2634         (Inspector::RemoteInspectorDebuggableConnection::setup):
2635         (Inspector::RemoteInspectorDebuggableConnection::closeFromDebuggable):
2636         (Inspector::RemoteInspectorDebuggableConnection::close):
2637         (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
2638         * jit/ExecutableAllocator.cpp:
2639         (JSC::DemandExecutableAllocator::DemandExecutableAllocator):
2640         (JSC::DemandExecutableAllocator::~DemandExecutableAllocator):
2641         (JSC::DemandExecutableAllocator::bytesAllocatedByAllAllocators):
2642         (JSC::DemandExecutableAllocator::bytesCommittedByAllocactors):
2643         (JSC::DemandExecutableAllocator::dumpProfileFromAllAllocators):
2644         (JSC::DemandExecutableAllocator::allocatorsMutex):
2645
2646 2014-02-09  Commit Queue  <commit-queue@webkit.org>
2647
2648         Unreviewed, rolling out r163737.
2649         http://trac.webkit.org/changeset/163737
2650         https://bugs.webkit.org/show_bug.cgi?id=128491
2651
2652         Caused 8+ tests to fail on Mavericks and Mountain Lion bots
2653         (Requested by rniwa on #webkit).
2654
2655         * runtime/JSString.h:
2656         (JSC::jsSingleCharacterString):
2657         (JSC::jsSingleCharacterSubstring):
2658         (JSC::jsString):
2659         (JSC::jsSubstring8):
2660         * runtime/SmallStrings.cpp:
2661         (JSC::SmallStringsStorage::SmallStringsStorage):
2662         (JSC::SmallStrings::SmallStrings):
2663
2664 2014-02-08  Anders Carlsson  <andersca@apple.com>
2665
2666         Simplify single character substrings in JSC
2667         https://bugs.webkit.org/show_bug.cgi?id=128483
2668
2669         Reviewed by Andreas Kling.
2670
2671         With the recent work to make StringImpl occupy less space, it is actually more
2672         efficient to allocate a single character string than it is to use createSubstringSharingImpl!
2673         
2674         * runtime/JSString.h:
2675         (JSC::jsSingleCharacterString):
2676         (JSC::jsSingleCharacterSubstring):
2677         (JSC::jsString):
2678         (JSC::jsSubstring8):
2679         * runtime/SmallStrings.cpp:
2680         (JSC::SmallStringsStorage::SmallStringsStorage):
2681         (JSC::SmallStrings::SmallStrings):
2682
2683 2014-02-08  Mark Hahnenberg  <mhahnenberg@apple.com>
2684
2685         Baseline JIT uses the wrong version of checkMarkWord in emitWriteBarrier
2686         https://bugs.webkit.org/show_bug.cgi?id=128474
2687
2688         Reviewed by Michael Saboff.
2689
2690         * jit/JITPropertyAccess.cpp:
2691         (JSC::JIT::emitWriteBarrier):
2692
2693 2014-02-08  Mark Lam  <mark.lam@apple.com>
2694
2695         Rename a field and some variables in JSLock to better describe what they contain.
2696         <https://webkit.org/b/128475>
2697
2698         Reviewed by Oliver Hunt.
2699
2700         * runtime/JSLock.cpp:
2701         (JSC::JSLock::dropAllLocks):
2702         (JSC::JSLock::dropAllLocksUnconditionally):
2703         (JSC::JSLock::grabAllLocks):
2704         (JSC::JSLock::DropAllLocks::DropAllLocks):
2705         (JSC::JSLock::DropAllLocks::~DropAllLocks):
2706         * runtime/JSLock.h:
2707
2708 2014-02-08  Anders Carlsson  <andersca@apple.com>
2709
2710         Stop using getCharactersWithUpconvert in JavaScriptCore
2711         https://bugs.webkit.org/show_bug.cgi?id=128457
2712
2713         Reviewed by Andreas Kling.
2714
2715         Change substituteBackreferencesSlow to take StringViews and use a StringBuilder instead of upconverting
2716         if the source or replacement strings are 16-bit.
2717
2718         * runtime/StringPrototype.cpp:
2719         (JSC::substituteBackreferencesSlow):
2720         (JSC::substituteBackreferences):
2721
2722 2014-02-08  Mark Rowe  <mrowe@apple.com>
2723
2724         <https://webkit.org/b/128452> Don't duplicate the list of input files for postprocess-headers.sh
2725
2726         Reviewed by Dan Bernstein.
2727
2728         * postprocess-headers.sh: Pull the list of headers to process out of the environment.
2729
2730 2014-02-08  Mark Rowe  <mrowe@apple.com>
2731
2732         Fix the iOS build.
2733
2734         * API/WebKitAvailability.h: Skip the workarounds specific to OS X when we're building for iOS.
2735
2736 2014-02-07  Mark Rowe  <mrowe@apple.com>
2737
2738         <https://webkit.org/b/128448> Fix use of availability macros on recently-added APIs
2739
2740         Reviewed by Dan Bernstein.
2741
2742         * API/JSContext.h: Remove some #ifs.
2743         * API/JSManagedValue.h: Ditto.
2744         * API/WebKitAvailability.h: #define the macros that availability macros mentioning
2745         newer OS X versions would expand to when building on older OS versions.
2746         * JavaScriptCore.xcodeproj/project.pbxproj: Call the new postprocess-headers.sh.
2747         * postprocess-headers.sh: Extracted from the Xcode project. Updated to remove content
2748         from headers based on the __MAC_OS_X_VERSION_MIN_REQUIRED macro, and to
2749         process WebKitAvailability.h.
2750
2751 2014-02-07  Mark Lam  <mark.lam@apple.com>
2752
2753         JSLock should not "restore" VM stack values if it did not re-grab locks.
2754         <https://webkit.org/b/128447>
2755
2756         Reviewed by Geoffrey Garen.
2757
2758         In the existing code, if DropAllLocks is instantiated with DontAlwaysDropLocks
2759         in a thread that does not own the JSLock, then a bug will manifest where:
2760
2761         1. The DropAllLocks constructor will save the VM's stackPointerAtEntry,
2762            lastStackTop, and reservedZoneSize even though it will not drop the JSLock.
2763         2. The DropAllLocks destructor will restore those 3 values to the VM even
2764            though the JSLock will not grab its internal lock.
2765
2766         The former only causes busy work but does not impact correctness. The latter
2767         however, will corrupt those 3 VM values which belong to the thread that
2768         actually owns the JSLock.
2769
2770         The fix is to only save the values when the JSLock will actually drop its
2771         internal lock, and only restore the values if it did re-grab the internal lock.
2772
2773         * runtime/JSLock.cpp:
2774         (JSC::JSLock::dropAllLocks):
2775         (JSC::JSLock::dropAllLocksUnconditionally):
2776         (JSC::JSLock::grabAllLocks):
2777         (JSC::JSLock::DropAllLocks::DropAllLocks):
2778         - Moved the saving of VM stack values to dropAllLocks() and
2779           dropAllLocksUnconditionally().
2780         (JSC::JSLock::DropAllLocks::~DropAllLocks):
2781         - Moved the restoring of VM stack values to grabAllLocks().
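
        The save-only-when-dropped / restore-only-when-re-grabbed rule above, as an added
        example that is not JavaScriptCore's own code: a hypothetical guard with a `buggy`
        switch that selects the pre-fix behaviour, run against a deterministic model of the
        interleaving the entry describes. `Lock`, `VM`, `DropMode` and the integer thread ids
        are stand-ins for the real JSLock, VM and threads, and the two scenario functions are
        constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>

// Added example, not JSC code. Threads are modelled as integer ids so the
// interleaving below is deterministic and needs no real threads.

struct VM {                                   // the three per-thread values the fix protects
    std::uintptr_t stackPointerAtEntry = 0;
    std::uintptr_t lastStackTop = 0;
    std::size_t reservedZoneSize = 0;
};

struct Lock {                                 // hypothetical re-entrant lock
    int ownerId = 0;                          // 0 means unowned
    unsigned depth = 0;                       // recursive acquisition count
    unsigned lockDropDepth = 0;               // enclosing guards that already dropped

    bool isHeldBy(int id) const { return depth > 0 && ownerId == id; }
    bool tryLock(int id) {                    // a real lock would block rather than fail
        if (depth > 0 && ownerId != id) return false;
        ownerId = id; ++depth; return true;
    }
    void unlock(int id) { if (isHeldBy(id) && --depth == 0) ownerId = 0; }
};

enum class DropMode { AlwaysDrop, DontAlwaysDrop };

class DropAllLocks {
public:
    // buggy == true: snapshot in the constructor and restore in the destructor
    // unconditionally. buggy == false: save only if we drop, restore only if we re-grab.
    DropAllLocks(Lock& lock, VM& vm, int me, DropMode mode, bool buggy)
        : m_lock(lock), m_vm(vm), m_me(me), m_buggy(buggy)
    {
        if (m_buggy) save();                                  // bug: saves even when not owner
        if (!m_lock.isHeldBy(m_me)) return;                   // not the owner: nothing to drop
        if (mode == DropMode::DontAlwaysDrop && m_lock.lockDropDepth) return;
        if (!m_buggy) save();                                 // fix: save only when dropping
        m_savedDepth = m_lock.depth;
        m_lock.depth = 0; m_lock.ownerId = 0;                 // drop the lock
        ++m_lock.lockDropDepth;
        m_dropped = true;
    }
    ~DropAllLocks()
    {
        if (m_dropped) {
            m_lock.ownerId = m_me; m_lock.depth = m_savedDepth;   // re-grab the lock
            --m_lock.lockDropDepth;
            if (!m_buggy) restore();                          // fix: restore only after re-grab
        }
        if (m_buggy) restore();                               // bug: clobbers the real owner's values
    }
private:
    void save()    { m_sp = m_vm.stackPointerAtEntry; m_top = m_vm.lastStackTop; m_zone = m_vm.reservedZoneSize; }
    void restore() { m_vm.stackPointerAtEntry = m_sp; m_vm.lastStackTop = m_top; m_vm.reservedZoneSize = m_zone; }

    Lock& m_lock; VM& m_vm; int m_me; bool m_buggy;
    bool m_dropped = false; unsigned m_savedDepth = 0;
    std::uintptr_t m_sp = 0, m_top = 0; std::size_t m_zone = 0;
};

// Scenario from the entry: thread 1 owns the lock; thread 2, which does not, builds a
// DontAlwaysDrop guard. While it lives, thread 1 publishes new stack values. Returns the
// owner's stackPointerAtEntry once thread 2's guard is gone.
std::uintptr_t ownerValueAfterForeignGuard(bool buggy)
{
    Lock lock; VM vm;
    (void)lock.tryLock(1);
    vm.stackPointerAtEntry = 0x1000; vm.lastStackTop = 0x0F00; vm.reservedZoneSize = 4096;
    {
        DropAllLocks guard(lock, vm, 2, DropMode::DontAlwaysDrop, buggy);
        vm.stackPointerAtEntry = 0x2000; vm.lastStackTop = 0x1F00;   // thread 1, still the owner
    }
    return vm.stackPointerAtEntry;            // buggy: 0x1000 (clobbered); fixed: 0x2000
}

// Control: the owner itself drops and re-grabs while another thread uses the VM in
// between. Both variants must hand the owner its own values back and re-own the lock.
std::uintptr_t ownerRoundTrip(bool buggy)
{
    Lock lock; VM vm;
    (void)lock.tryLock(1);
    vm.stackPointerAtEntry = 0x1000; vm.lastStackTop = 0x0F00; vm.reservedZoneSize = 4096;
    {
        DropAllLocks guard(lock, vm, 1, DropMode::AlwaysDrop, buggy);
        (void)lock.tryLock(2);                                 // thread 2 takes the VM
        vm.stackPointerAtEntry = 0x3000; vm.lastStackTop = 0x2F00;
        lock.unlock(2);
    }
    return lock.isHeldBy(1) ? vm.stackPointerAtEntry : 0;      // 0x1000 for both variants
}
```

        ownerValueAfterForeignGuard(true) returns 0x1000 because the non-owner's destructor
        writes its stale snapshot over the owner's live values; with buggy == false it returns
        0x2000. ownerRoundTrip returns 0x1000 either way, which is why the corruption only
        shows up on the thread that never held the lock.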
2782
2783 2014-02-07  Filip Pizlo  <fpizlo@apple.com>
2784
2785         Don't throw away code if there is code on the worklists
2786         https://bugs.webkit.org/show_bug.cgi?id=128443
2787
2788         Reviewed by Joseph Pecoraro.
2789         
2790         If we throw away compiled code and there is code currently being JITed then the JIT
2791         will get confused after it resumes: it will see a code block that had claimed to belong
2792         to an executable except that it doesn't belong to any executables anymore.
2793
2794         * dfg/DFGWorklist.h:
2795         (JSC::DFG::Worklist::isActive):
2796         * heap/Heap.cpp:
2797         (JSC::Heap::deleteAllCompiledCode):
2798
2799 2014-02-07  Filip Pizlo  <fpizlo@apple.com>
2800
2801         GC should safepoint the DFG worklist in a smarter way rather than just waiting for everything to complete
2802         https://bugs.webkit.org/show_bug.cgi?id=128297
2803
2804         Reviewed by Oliver Hunt.
2805         
2806         This makes DFG worklist threads have a rightToRun lock that gives them the ability to
2807         be safepointed by the GC in much the same way as you'd expect from a fully
2808         multithreaded VM.
2809         
2810         The idea is that the worklist threads' roots are the DFG::Plan. They only touch those
2811         roots when holding the rightToRun lock. They currently grab that lock to run the
2812         compiler, but relinquish it when accessing - and waiting on - the worklist.
2813
2814         * bytecode/CodeBlock.h:
2815         (JSC::CodeBlockSet::mark):
2816         * dfg/DFGCompilationKey.cpp:
2817         (JSC::DFG::CompilationKey::visitChildren):
2818         * dfg/DFGCompilationKey.h:
2819         * dfg/DFGDesiredStructureChains.cpp:
2820         (JSC::DFG::DesiredStructureChains::visitChildren):
2821         * dfg/DFGDesiredStructureChains.h:
2822         * dfg/DFGDesiredTransitions.cpp:
2823         (JSC::DFG::DesiredTransition::visitChildren):
2824         (JSC::DFG::DesiredTransitions::visitChildren):
2825         * dfg/DFGDesiredTransitions.h:
2826         * dfg/DFGDesiredWeakReferences.cpp:
2827         (JSC::DFG::DesiredWeakReferences::visitChildren):
2828         * dfg/DFGDesiredWeakReferences.h:
2829         * dfg/DFGDesiredWriteBarriers.cpp:
2830         (JSC::DFG::DesiredWriteBarrier::visitChildren):
2831         (JSC::DFG::DesiredWriteBarriers::visitChildren):
2832         * dfg/DFGDesiredWriteBarriers.h:
2833         * dfg/DFGPlan.cpp:
2834         (JSC::DFG::Plan::visitChildren):
2835         * dfg/DFGPlan.h:
2836         * dfg/DFGWorklist.cpp:
2837         (JSC::DFG::Worklist::~Worklist):
2838         (JSC::DFG::Worklist::finishCreation):
2839         (JSC::DFG::Worklist::suspendAllThreads):
2840         (JSC::DFG::Worklist::resumeAllThreads):
2841         (JSC::DFG::Worklist::visitChildren):
2842         (JSC::DFG::Worklist::runThread):
2843         (JSC::DFG::Worklist::threadFunction):
2844         * dfg/DFGWorklist.h:
2845         (JSC::DFG::numberOfWorklists):
2846         (JSC::DFG::worklistForIndexOrNull):
2847         * heap/CodeBlockSet.h:
2848         * heap/Heap.cpp:
2849         (JSC::Heap::markRoots):
2850         (JSC::Heap::collect):
2851         * runtime/IntendedStructureChain.cpp:
2852         (JSC::IntendedStructureChain::visitChildren):
2853         * runtime/IntendedStructureChain.h:
2854         * runtime/VM.cpp:
2855         (JSC::VM::~VM):
2856         (JSC::VM::prepareToDiscardCode):
2857
2858 2014-02-07  Mark Lam  <mark.lam@apple.com>
2859
2860         Unify JSLock implementation for iOS and non-iOS ports.
2861         <https://webkit.org/b/128409>
2862
2863         Reviewed by Michael Saboff.
2864
2865         The iOS and non-iOS implementations of dropAllLocks(),
2866         dropAllLocksUnconditionally(), and grabAllLocks() effectively do the
2867         same work. The main difference is that the iOS implementation acquires
2868         the JSLock spin lock in the DropAllLocks class while the other ports
2869         acquire it when they call JSLock::lock() and unlock().
2870
2871         The other difference is that the iOS implementation will only increment
2872         m_locksDropDepth if it actually drops locks, whereas other ports will
2873         increment it unconditionally. Analogously, iOS decrements the depth only
2874         when needed while other ports will decrement it unconditionally when
2875         re-grabbing locks.
2876
2877         We can unify the 2 implementations by having both use the iOS
2878         implementation for a start.
2879
2880         * runtime/JSLock.cpp:
2881         (JSC::JSLock::dropAllLocks):
2882         (JSC::JSLock::dropAllLocksUnconditionally):
2883         (JSC::JSLock::grabAllLocks):
2884         (JSC::JSLock::DropAllLocks::DropAllLocks):
2885         (JSC::JSLock::DropAllLocks::~DropAllLocks):
2886
2887 2014-02-06  Filip Pizlo  <fpizlo@apple.com>
2888
2889         More FTL build scaffolding
2890         https://bugs.webkit.org/show_bug.cgi?id=128330
2891
2892         Reviewed by Geoffrey Garen.
2893
2894         * Configurations/FeatureDefines.xcconfig:
2895         * llvm/library/LLVMAnchor.cpp:
2896
2897 2014-02-07  Mark Lam  <mark.lam@apple.com>
2898
2899         iOS port needs to clear VM::stackPointerAtVMEntry when it drops locks.
2900         <https://webkit.org/b/128424>
2901
2902         Reviewed by Geoffrey Garen.
2903
2904         The iOS code path for dropping locks differs from the non-iOS code path
2905         in that it (iOS) does not clear m_vm->stackPointerAtVMEntry nor reset the
2906         VM stack limit. This is now fixed by copying that snippet from
2907         JSLock::unlock().
2908
2909         * runtime/JSLock.cpp:
2910         (JSC::JSLock::dropAllLocks):
2911         (JSC::JSLock::dropAllLocksUnconditionally):
2912
2913 2014-02-07  Mark Lam  <mark.lam@apple.com>
2914
2915         Removed superfluous JSLock::entryStackPointer field.
2916         <https://webkit.org/b/128413>
2917
2918         Reviewed by Geoffrey Garen.
2919
2920         * runtime/JSLock.cpp:
2921         (JSC::JSLock::lock):
2922         * runtime/JSLock.h:
2923
2924 2014-02-07  Mark Lam  <mark.lam@apple.com>
2925
2926         Revert workaround committed in http://trac.webkit.org/r163595.
2927         <https://webkit.org/b/128408>
2928
2929         Reviewed by Geoffrey Garen.
2930
2931         Now that we have fixed the bugs in JSLock's stack limit adjustments
2932         in https://bugs.webkit.org/show_bug.cgi?id=128406, we can revert the
2933         workaround in r163595.
2934
2935         * API/JSContextRef.cpp:
2936         (JSContextGroupCreate):
2937         (JSGlobalContextCreateInGroup):
2938         * API/tests/testapi.js:
2939         * runtime/VM.cpp:
2940         (JSC::VM::VM):
2941         (JSC::VM::updateStackLimitWithReservedZoneSize):
2942         * runtime/VM.h:
2943
2944 2014-02-07  Mark Lam  <mark.lam@apple.com>
2945
2946         Fix bug in stack limit adjustments in JSLock.
2947         <https://webkit.org/b/128406>
2948
2949         Reviewed by Geoffrey Garen.
2950
2951         1. JSLock::unlock() was only clearing the VM::stackPointerAtEntry when
2952            m_vm->stackPointerAtVMEntry == entryStackPointer. FYI,
2953            entryStackPointer is a field in JSLock.
2954
2955            When DropAllLocks::~DropAllLocks() will call JSLock::grabAllLocks()
2956            to relock the JSLock, JSLock::grabAllLocks() will set a new
2957            entryStackPointer value. Thereafter, DropAllLocks::~DropAllLocks() will
2958            restore the saved VM::stackPointerAtEntry, which will now differ from
2959            the JSLock's entryStackPointer value.
2960
2961            It turns out that when m_vm->stackPointerAtVMEntry was initialized,
2962            it was set to whatever value entryStackPointer is set to. At no time
2963            do we ever expect the 2 values to differ. The only time it differs is
2964            when this bug manifests.
2965
2966            The fix is to remove the entryStackPointer field in JSLock and its uses
2967            altogether.
2968
2969         2. DropAllLocks was unconditionally clearing VM::stackPointerAtEntry in
2970            its constructor instead of letting JSLock::unlock() do the clearing.
2971
2972            However, DropAllLocks will not actually drop locks if it isn't required
2973            to (e.g. when alwaysDropLocks is DontAlwaysDropLocks), and when we've
2974            already dropped locks once (i.e. JSLock::m_lockDropDepth is not 0).
2975
2976            We should not have cleared VM::stackPointerAtEntry here if we don't
2977            actually drop the locks.
2978
2979         * runtime/JSLock.cpp:
2980         (JSC::JSLock::unlock):
2981         (JSC::JSLock::DropAllLocks::DropAllLocks):
2982
2983 2014-02-07  Joseph Pecoraro  <pecoraro@apple.com>
2984
2985         [iOS] Eliminate race between XPC connection queue and Notification queue
2986         https://bugs.webkit.org/show_bug.cgi?id=128384
2987
2988         Reviewed by Timothy Hatcher.
2989
2990         * inspector/remote/RemoteInspector.h:
2991         * inspector/remote/RemoteInspector.mm:
2992         (Inspector::RemoteInspector::RemoteInspector):
2993         (Inspector::RemoteInspector::start):
2994         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
2995         Create the queue to use for RemoteInspector xpc connection
2996         management and the connection itself.
2997
2998         * inspector/remote/RemoteInspectorXPCConnection.h:
2999         * inspector/remote/RemoteInspectorXPCConnection.mm:
3000         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
3001         Use the passed in queue instead of creating one for itself.
3002
3003 2014-02-07  Oliver Hunt  <oliver@apple.com>
3004
3005         REGRESSION (r160628): LLint does not appear to handle impure get own property properly
3006         https://bugs.webkit.org/show_bug.cgi?id=127943
3007
3008         Reviewed by Filip Pizlo.
3009
3010         Make sure the LLINT doesn't attempt to cache property
3011         access on structures with impureGetOwnPropertySlot set.
3012
3013         * llint/LLIntSlowPaths.cpp:
3014         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3015
3016 2014-02-06  Michael Saboff  <msaboff@apple.com>
3017
3018         Workaround REGRESSION(r163195-r163227): Crash beneath NSErrorUserInfoFromJSException when installing AppleInternal.mpkg
3019         https://bugs.webkit.org/show_bug.cgi?id=128347
3020
3021         Reviewed by Geoffrey Garen.
3022
3023         Added a flag to VM class called m_ignoreStackLimit that disables stack limit checks.
3024         We set this flag in JSContextGroupCreate() and JSGlobalContextCreateInGroup().
3025
3026         Disabled stack overflow tests in testapi.js since it uses these paths.
3027
3028         This patch will be reverted as part of a comprehensive solution to the problem.
3029
3030         * API/JSContextRef.cpp:
3031         (JSContextGroupCreate):
3032         (JSGlobalContextCreateInGroup):
3033         * API/tests/testapi.js:
3034         * runtime/VM.cpp:
3035         (JSC::VM::VM):
3036         (JSC::VM::updateStackLimitWithReservedZoneSize):
3037         * runtime/VM.h:
3038         (JSC::VM::ignoreStackLimit):
3039
3040 2014-02-06  Mark Hahnenberg  <mhahnenberg@apple.com>
3041
3042         +[JSContext currentCallee] should return the currently executing JS function
3043         https://bugs.webkit.org/show_bug.cgi?id=122621
3044
3045         Reviewed by Geoffrey Garen.
3046
3047         It would be useful if there was a +[JSContext currentObject] API which was 
3048         callable from ObjC API callbacks. Its purpose would be to allow convenient 
3049         access to the JSValue wrapper for the currently-executing block callback.
3050
3051         * API/JSContext.h:
3052         * API/JSContext.mm:
3053         (+[JSContext currentCallee]):
3054         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
3055         * API/JSContextInternal.h:
3056         * API/ObjCCallbackFunction.mm:
3057         (JSC::objCCallbackFunctionCallAsFunction):
3058         (JSC::objCCallbackFunctionCallAsConstructor):
3059         * API/tests/testapi.mm:
3060
3061 2014-02-06  Mark Hahnenberg  <mhahnenberg@apple.com>
3062
3063         Fix iOS builds after r163574
3064
3065         * API/JSManagedValue.h:
3066
3067 2014-02-06  Mark Hahnenberg  <mhahnenberg@apple.com>
3068
3069         Heap::writeBarrier shouldn't be static
3070         https://bugs.webkit.org/show_bug.cgi?id=127807
3071
3072         Reviewed by Geoffrey Garen.
3073
3074         Currently it looks up the Heap in which to fire the write barrier by using 
3075         the cell passed to it. Almost every call site already has a reference to the 
3076         VM or the Heap itself. It seems wasteful to look it up all over again.
3077
3078         * GNUmakefile.list.am:
3079         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3080         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3081         * JavaScriptCore.xcodeproj/project.pbxproj:
3082         * heap/CopyWriteBarrier.h:
3083         (JSC::CopyWriteBarrier::set):
3084         * heap/Heap.cpp:
3085         (JSC::Heap::writeBarrier):
3086         * heap/Heap.h:
3087         (JSC::Heap::writeBarrier):
3088         * jit/JITOperations.cpp:
3089         * jit/JITWriteBarrier.h:
3090         (JSC::JITWriteBarrierBase::set):
3091         * llint/LLIntSlowPaths.cpp:
3092         (JSC::LLInt::llint_write_barrier_slow):
3093         * runtime/Arguments.h:
3094         * runtime/JSWeakMap.cpp:
3095         * runtime/MapData.cpp:
3096         (JSC::MapData::ensureSpaceForAppend):
3097         * runtime/PropertyTable.cpp:
3098         (JSC::PropertyTable::PropertyTable):
3099         * runtime/Structure.h:
3100         * runtime/WriteBarrier.h:
3101         * runtime/WriteBarrierInlines.h: Added.
3102
3103 2014-02-06  Mark Hahnenberg  <mhahnenberg@apple.com>
3104
3105         JSManagedValue should automatically call removeManagedReference:withOwner: upon dealloc
3106         https://bugs.webkit.org/show_bug.cgi?id=124053
3107
3108         Reviewed by Geoffrey Garen.
3109
3110         * API/JSManagedValue.h:
3111         * API/JSManagedValue.mm:
3112         (+[JSManagedValue managedValueWithValue:andOwner:]):
3113         (-[JSManagedValue initWithValue:]):
3114         (-[JSManagedValue dealloc]):
3115         (-[JSManagedValue didAddOwner:]):
3116         (-[JSManagedValue didRemoveOwner:]):
3117         * API/JSManagedValueInternal.h: Added.
3118         * API/JSVirtualMachine.mm:
3119         (-[JSVirtualMachine addManagedReference:withOwner:]):
3120         (-[JSVirtualMachine removeManagedReference:withOwner:]):
3121         * API/WebKitAvailability.h:
3122         * API/tests/testapi.mm:
3123         (-[TextXYZ click]):
3124         * JavaScriptCore.xcodeproj/project.pbxproj:
3125
3126 2014-02-06  Joseph Pecoraro  <pecoraro@apple.com>
3127
3128         Web Inspector: Add Console support to JSContext Inspection
3129         https://bugs.webkit.org/show_bug.cgi?id=127941
3130
3131         Reviewed by Geoffrey Garen.
3132
3133         * CMakeLists.txt:
3134         * DerivedSources.make:
3135         * GNUmakefile.am:
3136         * GNUmakefile.list.am:
3137         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3138         * JavaScriptCore.xcodeproj/project.pbxproj:
3139         Add new files.
3140
3141         * inspector/agents/InspectorConsoleAgent.cpp: Renamed from Source/WebCore/inspector/InspectorConsoleAgent.cpp.
3142         * inspector/agents/InspectorConsoleAgent.h: Added.
3143         New agent moved from WebCore. Rename a method to work in JS only context.
3144
3145         * inspector/JSGlobalObjectInspectorController.cpp:
3146         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3147         Instantiate ConsoleAgent.
3148
3149         * inspector/agents/JSGlobalObjectConsoleAgent.h: Copied from Source/WebCore/inspector/PageInjectedScriptHost.h.
3150         * inspector/agents/JSGlobalObjectConsoleAgent.cpp: Copied from Source/WebCore/inspector/PageInjectedScriptHost.h.
3151         (Inspector::JSGlobalObjectConsoleAgent::JSGlobalObjectConsoleAgent):
3152         (Inspector::JSGlobalObjectConsoleAgent::setMonitoringXHREnabled):
3153         (Inspector::JSGlobalObjectConsoleAgent::addInspectedNode):
3154         (Inspector::JSGlobalObjectConsoleAgent::addInspectedHeapObject):
3155         JSGlobalObject implementation.
3156
3157         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
3158         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
3159         (Inspector::JSGlobalObjectDebuggerAgent::JSGlobalObjectDebuggerAgent):
3160         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
3161         Use ConsoleAgent to report logs.
3162
3163         * inspector/ConsoleMessage.cpp: Renamed from Source/WebCore/inspector/ConsoleMessage.cpp.
3164         * inspector/ConsoleMessage.h: Renamed from Source/WebCore/inspector/ConsoleMessage.h.
3165         * inspector/ConsoleTypes.h: Copied from Source/WebCore/inspector/ConsoleAPITypes.h.
3166         * inspector/IdentifiersFactory.cpp: Renamed from Source/WebCore/inspector/IdentifiersFactory.cpp.
3167         * inspector/IdentifiersFactory.h: Renamed from Source/WebCore/inspector/IdentifiersFactory.h.
3168         * inspector/ScriptArguments.cpp: Renamed from Source/WebCore/inspector/ScriptArguments.cpp.
3169         * inspector/ScriptArguments.h: Renamed from Source/WebCore/inspector/ScriptArguments.h.
3170         * inspector/ScriptCallFrame.cpp: Renamed from Source/WebCore/inspector/ScriptCallFrame.cpp.
3171         * inspector/ScriptCallFrame.h: Renamed from Source/WebCore/inspector/ScriptCallFrame.h.
3172         * inspector/ScriptCallStack.cpp: Renamed from Source/WebCore/inspector/ScriptCallStack.cpp.
3173         * inspector/ScriptCallStack.h: Renamed from Source/WebCore/inspector/ScriptCallStack.h.
3174         * inspector/ScriptCallStackFactory.cpp: Renamed from Source/WebCore/bindings/js/ScriptCallStackFactory.cpp.
3175         * inspector/ScriptCallStackFactory.h: Renamed from Source/WebCore/bindings/js/ScriptCallStackFactory.h.
3176         * inspector/protocol/Console.json: Renamed from Source/WebCore/inspector/protocol/Console.json.
3177         * inspector/scripts/generate-combined-inspector-json.py:
3178
3179 2014-02-06  Commit Queue  <commit-queue@webkit.org>
3180
3181         Unreviewed, rolling out r163542.
3182         http://trac.webkit.org/changeset/163542
3183         https://bugs.webkit.org/show_bug.cgi?id=128324
3184
3185         Caused many assertion failures (Requested by ap on #webkit).
3186
3187         * GNUmakefile.list.am:
3188         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3189         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3190         * JavaScriptCore.xcodeproj/project.pbxproj:
3191         * heap/CopyWriteBarrier.h:
3192         (JSC::CopyWriteBarrier::set):
3193         * heap/Heap.cpp:
3194         (JSC::Heap::writeBarrier):
3195         * heap/Heap.h:
3196         (JSC::Heap::writeBarrier):
3197         * jit/JITOperations.cpp:
3198         * jit/JITWriteBarrier.h:
3199         (JSC::JITWriteBarrierBase::set):
3200         * llint/LLIntSlowPaths.cpp:
3201         (JSC::LLInt::llint_write_barrier_slow):
3202         * runtime/Arguments.h:
3203         * runtime/JSWeakMap.cpp:
3204         * runtime/MapData.cpp:
3205         (JSC::MapData::ensureSpaceForAppend):
3206         * runtime/PropertyTable.cpp:
3207         (JSC::PropertyTable::PropertyTable):
3208         * runtime/Structure.h:
3209         * runtime/WriteBarrier.h:
3210         (JSC::WriteBarrierBase::set):
3211         (JSC::WriteBarrierBase::setMayBeNull):
3212         (JSC::WriteBarrierBase::setEarlyValue):
3213         (JSC::WriteBarrierBase<Unknown>::set):
3214         * runtime/WriteBarrierInlines.h: Removed.
3215
3216 2014-02-06  Oliver Hunt  <oliver@apple.com>
3217
3218         Make 32bit pass the correct this value to custom getters
3219         https://bugs.webkit.org/show_bug.cgi?id=128313
3220
3221         Reviewed by Mark Lam.
3222
3223         Now that the custom getter calling convention uses a single register
3224         for the slot base we can easily pass the correct |thisValue| instead
3225         of simply relying on the thisValue not being relevant to existing
3226         custom getters. This also means that 32bit can call custom getters
3227         directly.
3228
3229         * jit/CCallHelpers.h:
3230         (JSC::CCallHelpers::setupArgumentsWithExecState):
3231         * jit/Repatch.cpp:
3232         (JSC::generateProtoChainAccessStub):
3233         (JSC::tryBuildGetByIDList):
3234
3235 2014-02-05  Mark Hahnenberg  <mhahnenberg@apple.com>
3236
3237         Heap::writeBarrier shouldn't be static
3238         https://bugs.webkit.org/show_bug.cgi?id=127807
3239
3240         Reviewed by Geoffrey Garen.
3241
3242         Currently it looks up the Heap in which to fire the write barrier by using 
3243         the cell passed to it. Almost every call site already has a reference to the 
3244         VM or the Heap itself. It seems wasteful to look it up all over again.
3245
3246         * GNUmakefile.list.am:
3247         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3248         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3249         * JavaScriptCore.xcodeproj/project.pbxproj:
3250         * heap/CopyWriteBarrier.h:
3251         (JSC::CopyWriteBarrier::set):
3252         * heap/Heap.cpp:
3253         (JSC::Heap::writeBarrier):
3254         * heap/Heap.h:
3255         (JSC::Heap::writeBarrier):
3256         * jit/JITOperations.cpp:
3257         * jit/JITWriteBarrier.h:
3258         (JSC::JITWriteBarrierBase::set):
3259         * llint/LLIntSlowPaths.cpp:
3260         (JSC::LLInt::llint_write_barrier_slow):
3261         * runtime/Arguments.h:
3262         * runtime/JSWeakMap.cpp:
3263         * runtime/MapData.cpp:
3264         (JSC::MapData::ensureSpaceForAppend):
3265         * runtime/PropertyTable.cpp:
3266         (JSC::PropertyTable::PropertyTable):
3267         * runtime/Structure.h:
3268         * runtime/WriteBarrier.h:
3269         * runtime/WriteBarrierInlines.h: Added.
3270
3271 2014-02-04  Filip Pizlo  <fpizlo@apple.com>
3272
3273         Make FTL OSR entry something we only try after we've already compiled the function with the FTL and it still got stuck in a loop after that without ever returning like a sensible function oughta have
3274         https://bugs.webkit.org/show_bug.cgi?id=128234
3275
3276         Reviewed by Geoffrey Garen.
3277         
3278         Use DFG::JITCode::osrEntryRetry as a counter to decide when to invoke OSR entry. That
3279         comes into play only after we've done a replacement compile.
3280         
3281         This appears to still give us a speed-up on the kinds of things that OSR entry is good
3282         for, while also eliminating pointless OSR entry compilations on other things.
3283
3284         * dfg/DFGJITCode.cpp:
3285         (JSC::DFG::JITCode::JITCode):
3286         * dfg/DFGJITCode.h:
3287         * dfg/DFGOperations.cpp:
3288         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
3289         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
3290         * runtime/Options.h:
3291
3292 2014-02-04  Filip Pizlo  <fpizlo@apple.com>
3293
3294         Don't speculate on ToThis if we already know that arg0 has a questionable record with structure checks
3295         https://bugs.webkit.org/show_bug.cgi?id=128229
3296
3297         Reviewed by Geoffrey Garen.
3298
3299         * dfg/DFGByteCodeParser.cpp:
3300         (JSC::DFG::ByteCodeParser::parseBlock):
3301
3302 2014-02-05  Mark Hahnenberg  <mhahnenberg@apple.com>
3303
3304         Handling of opaque roots is wrong in EdenCollections
3305         https://bugs.webkit.org/show_bug.cgi?id=128210
3306
3307         Reviewed by Oliver Hunt.
3308
3309         The set of opaque roots is always cleared during each collection. We should instead persist 
3310         the set of opaque roots across EdenCollections and only clear it at the beginning of FullCollections.
3311
3312         Also added a couple of custom objects to the jsc shell that allow us to test this.
3313
3314         * heap/GCThreadSharedData.cpp:
3315         (JSC::GCThreadSharedData::reset):
3316         (JSC::GCThreadSharedData::didStartMarking):
3317         * heap/Heap.cpp:
3318         (JSC::Heap::markRoots):
3319         * heap/Heap.h:
3320         (JSC::Heap::setShouldDoFullCollection):
3321         * heap/SlotVisitor.cpp:
3322         (JSC::SlotVisitor::didStartMarking):
3323         (JSC::SlotVisitor::reset):
3324         * heap/SlotVisitor.h:
3325         * jsc.cpp:
3326         (WTF::Element::Element):
3327         (WTF::Element::root):
3328         (WTF::Element::setRoot):
3329         (WTF::Element::create):
3330         (WTF::Element::createStructure):
3331         (WTF::ElementHandleOwner::isReachableFromOpaqueRoots):
3332         (WTF::Root::Root):
3333         (WTF::Root::element):
3334         (WTF::Root::setElement):
3335         (WTF::Root::create):
3336         (WTF::Root::createStructure):
3337         (WTF::Root::visitChildren):
3338         (WTF::Element::handleOwner):
3339         (WTF::Element::finishCreation):
3340         (GlobalObject::finishCreation):
3341         (functionCreateRoot):
3342         (functionCreateElement):
3343         (functionGetElement):
3344         (functionSetElementRoot):
3345         (functionGCAndSweep):
3346         (functionFullGC):
3347         (functionEdenGC):
3348
3349 2014-02-05  Anders Carlsson  <andersca@apple.com>
3350
3351         Remove unused functions.
3352
3353         * runtime/RegExpConstructor.cpp:
3354         (JSC::RegExpConstructor::getOwnPropertySlot):
3355         * runtime/RegExpObject.cpp:
3356
3357 2014-02-05  Oliver Hunt  <oliver@apple.com>
3358
3359         Change custom getter signature to make the base reference an object pointer
3360         https://bugs.webkit.org/show_bug.cgi?id=128279
3361
3362         Reviewed by Geoffrey Garen.
3363
3364         Make custom getters take a JSObject* instead of EncodedJSValue as the base
3365         reference.  This allows us to drop one pointer from the JSVALUE32_64 calling
3366         convention.
3367
3368         * API/JSCallbackObject.h:
3369         * API/JSCallbackObjectFunctions.h:
3370         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
3371         (JSC::JSCallbackObject<Parent>::callbackGetter):
3372         * jit/JITOperations.cpp:
3373         * jit/Repatch.cpp:
3374         (JSC::generateProtoChainAccessStub):
3375         (JSC::tryBuildGetByIDList):
3376         * runtime/JSActivation.cpp:
3377         (JSC::JSActivation::argumentsGetter):
3378         * runtime/JSActivation.h:
3379         * runtime/JSFunction.cpp:
3380         (JSC::JSFunction::argumentsGetter):
3381         (JSC::JSFunction::callerGetter):
3382         (JSC::JSFunction::lengthGetter):
3383         (JSC::JSFunction::nameGetter):
3384         * runtime/JSFunction.h:
3385         * runtime/JSObject.h: