[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2013-10-19  Alexey Proskuryakov  <ap@apple.com>
2
3         Some includes in JSC seem to use an incorrect style
4         https://bugs.webkit.org/show_bug.cgi?id=123057
5
6         Reviewed by Geoffrey Garen.
7
8         Changed pseudo-system includes to user ones.
9
10         * API/JSContextRef.cpp:
11         * API/JSStringRefCF.cpp:
12         * API/JSValueRef.cpp:
13         * API/OpaqueJSString.cpp:
14         * jit/JIT.h:
15         * parser/SyntaxChecker.h:
16         * runtime/WeakGCMap.h:
17
18 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
19
20         Baseline JIT and DFG IC code generation should be unified and rationalized
21         https://bugs.webkit.org/show_bug.cgi?id=122939
22
23         Reviewed by Geoffrey Garen.
24         
25         Introduce the JITInlineCacheGenerator, which takes a CodeBlock and a CodeOrigin plus
26         some register info and creates JIT inline caches for you. Used this to even further
27         unify the baseline and DFG ICs. In the future we can use this for FTL ICs. And my hope
28         is that we'll be able to use it for cascading ICs: an IC for some instruction may realize
29         that it needs to do the equivalent of get_by_id, so with this generator it will be able
30         to create an IC even though it wasn't associated with a get_by_id bytecode instruction.
31
32         * CMakeLists.txt:
33         * GNUmakefile.list.am:
34         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
35         * JavaScriptCore.xcodeproj/project.pbxproj:
36         * assembler/AbstractMacroAssembler.h:
37         (JSC::AbstractMacroAssembler::DataLabelCompact::label):
38         * bytecode/CodeBlock.h:
39         (JSC::CodeBlock::ecmaMode):
40         * dfg/DFGInlineCacheWrapper.h: Added.
41         (JSC::DFG::InlineCacheWrapper::InlineCacheWrapper):
42         * dfg/DFGInlineCacheWrapperInlines.h: Added.
43         (JSC::DFG::::finalize):
44         * dfg/DFGJITCompiler.cpp:
45         (JSC::DFG::JITCompiler::link):
46         * dfg/DFGJITCompiler.h:
47         (JSC::DFG::JITCompiler::addGetById):
48         (JSC::DFG::JITCompiler::addPutById):
49         * dfg/DFGSpeculativeJIT32_64.cpp:
50         (JSC::DFG::SpeculativeJIT::cachedGetById):
51         (JSC::DFG::SpeculativeJIT::cachedPutById):
52         * dfg/DFGSpeculativeJIT64.cpp:
53         (JSC::DFG::SpeculativeJIT::cachedGetById):
54         (JSC::DFG::SpeculativeJIT::cachedPutById):
55         (JSC::DFG::SpeculativeJIT::compile):
56         * jit/AssemblyHelpers.h:
57         (JSC::AssemblyHelpers::isStrictModeFor):
58         (JSC::AssemblyHelpers::strictModeFor):
59         * jit/GPRInfo.h:
60         (JSC::JSValueRegs::tagGPR):
61         * jit/JIT.cpp:
62         (JSC::JIT::JIT):
63         (JSC::JIT::privateCompileSlowCases):
64         (JSC::JIT::privateCompile):
65         * jit/JIT.h:
66         * jit/JITInlineCacheGenerator.cpp: Added.
67         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
68         (JSC::JITByIdGenerator::JITByIdGenerator):
69         (JSC::JITByIdGenerator::finalize):
70         (JSC::JITByIdGenerator::generateFastPathChecks):
71         (JSC::JITGetByIdGenerator::generateFastPath):
72         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
73         (JSC::JITPutByIdGenerator::generateFastPath):
74         (JSC::JITPutByIdGenerator::slowPathFunction):
75         * jit/JITInlineCacheGenerator.h: Added.
76         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
77         (JSC::JITInlineCacheGenerator::stubInfo):
78         (JSC::JITByIdGenerator::JITByIdGenerator):
79         (JSC::JITByIdGenerator::reportSlowPathCall):
80         (JSC::JITByIdGenerator::slowPathJump):
81         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
82         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
83         * jit/JITPropertyAccess.cpp:
84         (JSC::JIT::emit_op_get_by_id):
85         (JSC::JIT::emitSlow_op_get_by_id):
86         (JSC::JIT::emit_op_put_by_id):
87         (JSC::JIT::emitSlow_op_put_by_id):
88         * jit/JITPropertyAccess32_64.cpp:
89         (JSC::JIT::emit_op_get_by_id):
90         (JSC::JIT::emitSlow_op_get_by_id):
91         (JSC::JIT::emit_op_put_by_id):
92         (JSC::JIT::emitSlow_op_put_by_id):
93         * jit/RegisterSet.h:
94         (JSC::RegisterSet::set):
95
96 2013-10-19  Alexey Proskuryakov  <ap@apple.com>
97
98         APICast.h uses functions from JSCJSValueInlines.h, but doesn't include it
99         https://bugs.webkit.org/show_bug.cgi?id=123067
100
101         Reviewed by Geoffrey Garen.
102
103         * API/APICast.h: Include it.
104
105 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
106
107         FTL::Location should treat the offset as an addend in the case of a Register location
108         https://bugs.webkit.org/show_bug.cgi?id=123062
109
110         Reviewed by Sam Weinig.
111
112         * ftl/FTLLocation.cpp:
113         (JSC::FTL::Location::forStackmaps):
114         (JSC::FTL::Location::dump):
115         (JSC::FTL::Location::restoreInto):
116         * ftl/FTLLocation.h:
117         (JSC::FTL::Location::forRegister):
118         (JSC::FTL::Location::hasAddend):
119         (JSC::FTL::Location::addend):
120
121 2013-10-19  Nadav Rotem  <nrotem@apple.com>
122
123         DFG dominators: document and rename stuff.
124         https://bugs.webkit.org/show_bug.cgi?id=123056
125
126         Reviewed by Filip Pizlo.
127
128         Documented the code and renamed some variables.
129
130         * dfg/DFGDominators.cpp:
131         (JSC::DFG::Dominators::compute):
132         (JSC::DFG::Dominators::pruneDominators):
133         * dfg/DFGDominators.h:
134
135 2013-10-19  Julien Brianceau  <jbriance@cisco.com>
136
137         Fix build failure for architectures with 4 argument registers.
138         https://bugs.webkit.org/show_bug.cgi?id=123060
139
140         Reviewed by Michael Saboff.
141
142         Add missing setupArgumentsWithExecState() prototypes for architectures with 4 argument registers.
143         Remove SH4 specific code no longer needed since callOperation prototype change in r157660.
144
145         * dfg/DFGSpeculativeJIT.h:
146         (JSC::DFG::SpeculativeJIT::callOperation):
147         * jit/CCallHelpers.h:
148         (JSC::CCallHelpers::setupArgumentsWithExecState):
149         * jit/JITInlines.h:
150         (JSC::JIT::callOperation):
151
152 2013-10-18  Filip Pizlo  <fpizlo@apple.com>
153
154         Unreviewed, fix FTL build.
155
156         * ftl/FTLIntrinsicRepository.h:
157         * ftl/FTLLowerDFGToLLVM.cpp:
158         (JSC::FTL::LowerDFGToLLVM::compileGetById):
159
160 2013-10-18  Filip Pizlo  <fpizlo@apple.com>
161
162         A CodeBlock's StructureStubInfos shouldn't be in a Vector that we search using code origins and machine code PCs
163         https://bugs.webkit.org/show_bug.cgi?id=122940
164
165         Reviewed by Oliver Hunt.
166         
167         This accomplishes a number of simplifications. StructureStubInfo is now non-moving,
168         whereas previously it was in a Vector, so it moved. This allows you to use pointers to
169         StructureStubInfo. This also eliminates the use of return PC as a way of finding the
170         StructureStubInfo's. It removes some of the need for the compile-time property access
171         records; for example the DFG no longer has to save information about registers in a
172         property access record only to later save it to the stub info.
173         
174         The main thing this accomplishes is that it makes it easier to add StructureStubInfo's
175         at any stage of compilation.
176
177         * bytecode/CodeBlock.cpp:
178         (JSC::CodeBlock::printGetByIdCacheStatus):
179         (JSC::CodeBlock::dumpBytecode):
180         (JSC::CodeBlock::~CodeBlock):
181         (JSC::CodeBlock::propagateTransitions):
182         (JSC::CodeBlock::finalizeUnconditionally):
183         (JSC::CodeBlock::addStubInfo):
184         (JSC::CodeBlock::getStubInfoMap):
185         (JSC::CodeBlock::shrinkToFit):
186         * bytecode/CodeBlock.h:
187         (JSC::CodeBlock::begin):
188         (JSC::CodeBlock::end):
189         (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
190         * bytecode/CodeOrigin.h:
191         (JSC::CodeOrigin::CodeOrigin):
192         (JSC::CodeOrigin::isHashTableDeletedValue):
193         (JSC::CodeOrigin::hash):
194         (JSC::CodeOriginHash::hash):
195         (JSC::CodeOriginHash::equal):
196         * bytecode/GetByIdStatus.cpp:
197         (JSC::GetByIdStatus::computeFor):
198         * bytecode/GetByIdStatus.h:
199         * bytecode/PutByIdStatus.cpp:
200         (JSC::PutByIdStatus::computeFor):
201         * bytecode/PutByIdStatus.h:
202         * bytecode/StructureStubInfo.h:
203         (JSC::getStructureStubInfoCodeOrigin):
204         * dfg/DFGByteCodeParser.cpp:
205         (JSC::DFG::ByteCodeParser::parseBlock):
206         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
207         * dfg/DFGJITCompiler.cpp:
208         (JSC::DFG::JITCompiler::link):
209         * dfg/DFGJITCompiler.h:
210         (JSC::DFG::PropertyAccessRecord::PropertyAccessRecord):
211         (JSC::DFG::InRecord::InRecord):
212         * dfg/DFGSpeculativeJIT.cpp:
213         (JSC::DFG::SpeculativeJIT::compileIn):
214         * dfg/DFGSpeculativeJIT.h:
215         (JSC::DFG::SpeculativeJIT::callOperation):
216         * dfg/DFGSpeculativeJIT32_64.cpp:
217         (JSC::DFG::SpeculativeJIT::cachedGetById):
218         (JSC::DFG::SpeculativeJIT::cachedPutById):
219         * dfg/DFGSpeculativeJIT64.cpp:
220         (JSC::DFG::SpeculativeJIT::cachedGetById):
221         (JSC::DFG::SpeculativeJIT::cachedPutById):
222         * jit/CCallHelpers.h:
223         (JSC::CCallHelpers::setupArgumentsWithExecState):
224         * jit/JIT.cpp:
225         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
226         (JSC::JIT::privateCompile):
227         * jit/JIT.h:
228         (JSC::PropertyStubCompilationInfo::slowCaseInfo):
229         * jit/JITInlines.h:
230         (JSC::JIT::callOperation):
231         * jit/JITOperations.cpp:
232         * jit/JITOperations.h:
233         * jit/JITPropertyAccess.cpp:
234         (JSC::JIT::emitSlow_op_get_by_id):
235         (JSC::JIT::emitSlow_op_put_by_id):
236         * jit/JITPropertyAccess32_64.cpp:
237         (JSC::JIT::emitSlow_op_get_by_id):
238         (JSC::JIT::emitSlow_op_put_by_id):
239         * jit/Repatch.cpp:
240         (JSC::appropriateGenericPutByIdFunction):
241         (JSC::appropriateListBuildingPutByIdFunction):
242         (JSC::resetPutByID):
243
244 2013-10-18  Oliver Hunt  <oliver@apple.com>
245
246         Spread operator should be performing direct "puts" and not triggering setters
247         https://bugs.webkit.org/show_bug.cgi?id=123047
248
249         Reviewed by Geoffrey Garen.
250
251         Add a new opcode -- op_put_by_val_direct -- and make use of it in the spread
252         to array construct.  This required a new PutByValDirect node to be introduced to
253         the DFG.  The current implementation simply changes the slow path function that
254         is called, but in future this could be made faster as it does not need to check
255         the prototype chain.
256
257         * bytecode/CodeBlock.cpp:
258         (JSC::CodeBlock::dumpBytecode):
259         (JSC::CodeBlock::CodeBlock):
260         * bytecode/Opcode.h:
261         (JSC::padOpcodeName):
262         * bytecompiler/BytecodeGenerator.cpp:
263         (JSC::BytecodeGenerator::emitDirectPutByVal):
264         * bytecompiler/BytecodeGenerator.h:
265         * bytecompiler/NodesCodegen.cpp:
266         (JSC::ArrayNode::emitBytecode):
267         * dfg/DFGAbstractInterpreterInlines.h:
268         (JSC::DFG::::executeEffects):
269         * dfg/DFGBackwardsPropagationPhase.cpp:
270         (JSC::DFG::BackwardsPropagationPhase::propagate):
271         * dfg/DFGByteCodeParser.cpp:
272         (JSC::DFG::ByteCodeParser::parseBlock):
273         * dfg/DFGCSEPhase.cpp:
274         (JSC::DFG::CSEPhase::getArrayLengthElimination):
275         (JSC::DFG::CSEPhase::getByValLoadElimination):
276         (JSC::DFG::CSEPhase::checkStructureElimination):
277         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
278         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
279         (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
280         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
281         (JSC::DFG::CSEPhase::performNodeCSE):
282         * dfg/DFGCapabilities.cpp:
283         (JSC::DFG::capabilityLevel):
284         * dfg/DFGClobberize.h:
285         (JSC::DFG::clobberize):
286         * dfg/DFGFixupPhase.cpp:
287         (JSC::DFG::FixupPhase::fixupNode):
288         * dfg/DFGGraph.h:
289         (JSC::DFG::Graph::clobbersWorld):
290         * dfg/DFGNode.h:
291         (JSC::DFG::Node::hasArrayMode):
292         * dfg/DFGNodeType.h:
293         * dfg/DFGOperations.cpp:
294         (JSC::DFG::putByVal):
295         (JSC::DFG::operationPutByValInternal):
296         * dfg/DFGOperations.h:
297         * dfg/DFGPredictionPropagationPhase.cpp:
298         (JSC::DFG::PredictionPropagationPhase::propagate):
299         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
300         * dfg/DFGSafeToExecute.h:
301         (JSC::DFG::safeToExecute):
302         * dfg/DFGSpeculativeJIT32_64.cpp:
303         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
304         (JSC::DFG::SpeculativeJIT::compile):
305         * dfg/DFGSpeculativeJIT64.cpp:
306         (JSC::DFG::SpeculativeJIT::compile):
307         * dfg/DFGTypeCheckHoistingPhase.cpp:
308         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
309         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
310         * jit/JIT.cpp:
311         (JSC::JIT::privateCompileMainPass):
312         (JSC::JIT::privateCompileSlowCases):
313         * jit/JIT.h:
314         (JSC::JIT::compileDirectPutByVal):
315         * jit/JITOperations.cpp:
316         * jit/JITOperations.h:
317         * jit/JITPropertyAccess.cpp:
318         (JSC::JIT::emitSlow_op_put_by_val):
319         (JSC::JIT::privateCompilePutByVal):
320         * jit/JITPropertyAccess32_64.cpp:
321         (JSC::JIT::emitSlow_op_put_by_val):
322         * llint/LLIntSlowPaths.cpp:
323         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
324         * llint/LLIntSlowPaths.h:
325         * llint/LowLevelInterpreter32_64.asm:
326         * llint/LowLevelInterpreter64.asm:
327
328 2013-10-18  Daniel Bates  <dabates@apple.com>
329
330         [iOS] Export symbol for VM::sharedInstanceExists()
331         https://bugs.webkit.org/show_bug.cgi?id=123046
332
333         Reviewed by Mark Hahnenberg.
334
335         * runtime/VM.h:
336
337 2013-10-18  Daniel Bates  <dabates@apple.com>
338
339         [iOS] Upstream WebSafe{GCActivityCallback, IncrementalSweeper}IOS
340         https://bugs.webkit.org/show_bug.cgi?id=123049
341
342         Reviewed by Mark Hahnenberg.
343
344         * heap/Heap.cpp:
345         (JSC::Heap::setIncrementalSweeper):
346         * heap/Heap.h:
347         * heap/HeapTimer.h:
348         * heap/IncrementalSweeper.h: Make protected and export CF-variant of constructor.
349         Removed unused include of header RetainPtr.h. Also forward declare class MarkedBlock
350         (we include its header in the .cpp file) and remove include for header wtf/HashSet.h
351         (duplicates the include in the .cpp).
352         * heap/MachineStackMarker.h: Export function makeUsableFromMultipleThreads(). We aren't
353         making use of this now, but we'll make use of it in a subsequent patch.
354
355 2013-10-18  Anders Carlsson  <andersca@apple.com>
356
357         Remove spaces between template angle brackets
358         https://bugs.webkit.org/show_bug.cgi?id=123040
359
360         Reviewed by Andreas Kling.
361
362         * API/JSCallbackObject.cpp:
363         (JSC::::create):
364         * API/JSObjectRef.cpp:
365         * bytecode/CodeBlock.h:
366         (JSC::CodeBlock::constants):
367         (JSC::CodeBlock::setConstantRegisters):
368         * bytecode/DFGExitProfile.h:
369         * bytecode/EvalCodeCache.h:
370         * bytecode/Operands.h:
371         * bytecode/UnlinkedCodeBlock.h:
372         (JSC::UnlinkedCodeBlock::constantRegisters):
373         * bytecode/Watchpoint.h:
374         * bytecompiler/BytecodeGenerator.h:
375         * bytecompiler/StaticPropertyAnalysis.h:
376         * bytecompiler/StaticPropertyAnalyzer.h:
377         * dfg/DFGArgumentsSimplificationPhase.cpp:
378         * dfg/DFGBlockInsertionSet.h:
379         * dfg/DFGCSEPhase.cpp:
380         (JSC::DFG::performCSE):
381         (JSC::DFG::performStoreElimination):
382         * dfg/DFGCommonData.h:
383         * dfg/DFGDesiredStructureChains.h:
384         * dfg/DFGDesiredWatchpoints.h:
385         * dfg/DFGJITCompiler.h:
386         * dfg/DFGOSRExitCompiler32_64.cpp:
387         (JSC::DFG::OSRExitCompiler::compileExit):
388         * dfg/DFGOSRExitCompiler64.cpp:
389         (JSC::DFG::OSRExitCompiler::compileExit):
390         * dfg/DFGWorklist.h:
391         * heap/BlockAllocator.h:
392         (JSC::CopiedBlock):
393         (JSC::MarkedBlock):
394         (JSC::WeakBlock):
395         (JSC::MarkStackSegment):
396         (JSC::CopyWorkListSegment):
397         (JSC::HandleBlock):
398         * heap/Heap.h:
399         * heap/Local.h:
400         * heap/MarkedBlock.h:
401         * heap/Strong.h:
402         * jit/AssemblyHelpers.cpp:
403         (JSC::AssemblyHelpers::decodedCodeMapFor):
404         * jit/AssemblyHelpers.h:
405         * jit/SpecializedThunkJIT.h:
406         * parser/Nodes.h:
407         * parser/Parser.cpp:
408         (JSC::::parseIfStatement):
409         * parser/Parser.h:
410         (JSC::Scope::copyCapturedVariablesToVector):
411         (JSC::parse):
412         * parser/ParserArena.h:
413         * parser/SourceProviderCacheItem.h:
414         * profiler/LegacyProfiler.cpp:
415         (JSC::dispatchFunctionToProfiles):
416         * profiler/LegacyProfiler.h:
417         (JSC::LegacyProfiler::currentProfiles):
418         * profiler/ProfileNode.h:
419         (JSC::ProfileNode::children):
420         * profiler/ProfilerDatabase.h:
421         * runtime/Butterfly.h:
422         (JSC::Butterfly::contiguousInt32):
423         (JSC::Butterfly::contiguous):
424         * runtime/GenericTypedArrayViewInlines.h:
425         (JSC::::create):
426         * runtime/Identifier.h:
427         (JSC::Identifier::add):
428         * runtime/JSPromise.h:
429         * runtime/PropertyMapHashTable.h:
430         * runtime/PropertyNameArray.h:
431         * runtime/RegExpCache.h:
432         * runtime/SparseArrayValueMap.h:
433         * runtime/SymbolTable.h:
434         * runtime/VM.h:
435         * tools/CodeProfile.cpp:
436         (JSC::truncateTrace):
437         * tools/CodeProfile.h:
438         * yarr/YarrInterpreter.cpp:
439         * yarr/YarrInterpreter.h:
440         (JSC::Yarr::BytecodePattern::BytecodePattern):
441         * yarr/YarrJIT.cpp:
442         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
443         (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
444         (JSC::Yarr::YarrGenerator::opCompileBody):
445         * yarr/YarrPattern.cpp:
446         (JSC::Yarr::YarrPatternConstructor::checkForTerminalParentheses):
447         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
448         * yarr/YarrPattern.h:
449
450 2013-10-18  Mark Lam  <mark.lam@apple.com>
451
452         Remove excess reserved space in ctiTrampoline frames for X86 and X86_64.
453         https://bugs.webkit.org/show_bug.cgi?id=123037.
454
455         Reviewed by Geoffrey Garen.
456
457         * jit/JITStubsMSVC64.asm:
458         * jit/JITStubsX86.h:
459         * jit/JITStubsX86_64.h:
460
461 2013-10-18  Filip Pizlo  <fpizlo@apple.com>
462
463         Frequent RELEASE_ASSERT crashes in Structure::checkOffsetConsistency on WebGL swizzler tests
464         https://bugs.webkit.org/show_bug.cgi?id=121661
465
466         Reviewed by Mark Hahnenberg.
467         
468         This method shouldn't have been called from the concurrent JIT thread. That's hard to prevent
469         so I added a return-early check using isCompilationThread().
470         
471         Here's why this makes sense. Structure has two ways to tell you about the layout of the objects
472         it is describing: m_offset and the property table. Most structures only have m_offset and report
473         null for the property table. If the property table is there, it will tell you additional
474         information and that information subsumes m_offset - but the m_offset is still there. So, when
475         we have a property table, we have to keep it in sync with the m_offset. There is a bunch of
476         machinery to do this.
477         
478         Changing the property table only happens on the main thread.
479         
480         Because the machinery to change the property table is so complex, especially with respect to
481         keeping it in sync with m_offset, we have the checkOffsetConsistency method. It's meant to be
482         called at key points before and after changes to the property table or the offset.
483
484         Most clients of Structure who care about object layout, including the concurrent thread, will
485         want to know m_offset and not the property table. If they want the property table, they will
486         already be super careful. The concurrent thread has special methods for this, like
487         Structure::getConcurrently(), which uses fine-grained locking to ensure that it sees a coherent
488         view of the property table.
489         
490         Adding locking to checkOffsetConsistency() is probably a bad idea since that method may be
491         called when the relevant lock is already held. So, we'd have awkward recursive locking issues.
492         
493         But right now, the concurrent JIT thread may call a method, like Structure::outOfLineCapacity(),
494         which has a call to checkOffsetConsistency(). The call to checkOffsetConsistency() is there
495         because we have found that it helps quickly identify situations where the property table and
496         m_offset get out of sync - mainly because code that changes either of those things will usually
497         also want to know the outOfLineCapacity(). But Structure::outOfLineCapacity() doesn't *actually*
498         need the property table; it uses the m_offset. The concurrent JIT is correct to call
499         outOfLineCapacity(), and is right to do so without holding any locks (since in all cases where
500         it calls outOfLineCapacity() it has already proven that m_offset is immutable). But because
501         outOfLineCapacity() calls checkOffsetConsistency(), and checkOffsetConsistency() doesn't grab
502         locks, and that same structure is having its property table modified by the main thread, we end
503         up with these spurious assertion failures. FWIW, the structure isn't *actually* having *its*
504         property table modified - instead what happens is that some downstream structure steals the
505         property table and then starts adding things to it. The concurrent thread loads the property
506         table before it's stolen, and hence the badness.
507         
508         I suspect there are other code paths that lead to the concurrent JIT calling some Structure
509         method that it is fine and safe to call, but then that method calls checkOffsetConsistency(),
510         and then you have a possible crash.
511         
512         The most sensible solution to this appears to be to make sure that checkOffsetConsistency() is
513         aware of its uselessness to the concurrent JIT thread. This change makes it return early if
514         it's in the concurrent JIT.
515         
516         * runtime/StructureInlines.h:
517         (JSC::Structure::checkOffsetConsistency):
518
519 2013-10-18  Daniel Bates  <dabates@apple.com>
520
521         Add SPI to disable the garbage collector timer
522         https://bugs.webkit.org/show_bug.cgi?id=122921
523
524         Add null check to Heap::setGarbageCollectionTimerEnabled() that I inadvertently
525         omitted.
526
527         * heap/Heap.cpp:
528         (JSC::Heap::setGarbageCollectionTimerEnabled):
529
530 2013-10-18  Julien Brianceau  <jbriance@cisco.com>
531
532         Group 64-bit specific and 32-bit specific callOperation implementations.
533         https://bugs.webkit.org/show_bug.cgi?id=123024
534
535         Reviewed by Michael Saboff.
536
537         This is not a big deal, but could be less confusing when reading the code.
538
539         * jit/JITInlines.h:
540         (JSC::JIT::callOperation):
541         (JSC::JIT::callOperationWithCallFrameRollbackOnException):
542         (JSC::JIT::callOperationNoExceptionCheck):
543
544 2013-10-18  Nadav Rotem  <nrotem@apple.com>
545
546         Fix a FlushLiveness problem.
547         https://bugs.webkit.org/show_bug.cgi?id=122984
548
549         Reviewed by Filip Pizlo.
550
551         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
552         (JSC::DFG::FlushLivenessAnalysisPhase::process):
553
554 2013-10-18  Michael Saboff  <msaboff@apple.com>
555
556         Change native function call stubs to use JIT operations instead of ctiVMHandleException
557         https://bugs.webkit.org/show_bug.cgi?id=122982
558
559         Reviewed by Geoffrey Garen.
560
561         Change ctiVMHandleException to operationVMHandleException.  Change all exception operations to
562         return the catch callFrame and entryPC via vm.callFrameForThrow and vm.targetMachinePCForThrow.
563         This removed calling convention headaches, fixing https://bugs.webkit.org/show_bug.cgi?id=122980
564         in the process.
565
566         * dfg/DFGJITCompiler.cpp:
567         (JSC::DFG::JITCompiler::compileExceptionHandlers):
568         * jit/CCallHelpers.h:
569         (JSC::CCallHelpers::jumpToExceptionHandler):
570         * jit/JIT.cpp:
571         (JSC::JIT::privateCompileExceptionHandlers):
572         * jit/JIT.h:
573         * jit/JITExceptions.cpp:
574         (JSC::genericUnwind):
575         * jit/JITExceptions.h:
576         * jit/JITInlines.h:
577         (JSC::JIT::callOperationNoExceptionCheck):
578         * jit/JITOpcodes.cpp:
579         (JSC::JIT::emit_op_throw):
580         * jit/JITOpcodes32_64.cpp:
581         (JSC::JIT::privateCompileCTINativeCall):
582         (JSC::JIT::emit_op_throw):
583         * jit/JITOperations.cpp:
584         * jit/JITOperations.h:
585         * jit/JITStubs.cpp:
586         * jit/JITStubs.h:
587         * jit/JITStubsARM.h:
588         * jit/JITStubsARM64.h:
589         * jit/JITStubsARMv7.h:
590         * jit/JITStubsMIPS.h:
591         * jit/JITStubsMSVC64.asm:
592         * jit/JITStubsSH4.h:
593         * jit/JITStubsX86.h:
594         * jit/JITStubsX86_64.h:
595         * jit/Repatch.cpp:
596         (JSC::tryBuildGetByIDList):
597         * jit/SlowPathCall.h:
598         (JSC::JITSlowPathCall::call):
599         * jit/ThunkGenerators.cpp:
600         (JSC::throwExceptionFromCallSlowPathGenerator):
601         (JSC::nativeForGenerator):
602         * runtime/VM.h:
603         (JSC::VM::callFrameForThrowOffset):
604         (JSC::VM::targetMachinePCForThrowOffset):
605
606 2013-10-18  Julien Brianceau  <jbriance@cisco.com>
607
608         Fix J_JITOperation_EAapJ call for MIPS and ARM EABI.
609         https://bugs.webkit.org/show_bug.cgi?id=123023
610
611         Reviewed by Michael Saboff.
612
613         * jit/JITInlines.h:
614         (JSC::JIT::callOperation): EncodedJSValue parameters do not need alignment
615         using EABI_32BIT_DUMMY_ARG here.
616
617 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
618
619         Unreviewed, another ARM64 build fix.
620         
621         Get rid of andPtr(TrustedImmPtr, blah), since it would take Effort to get it to work
622         on ARM64 and none of its uses are legit - they should all be using
623         andPtr(TrustedImm32, blah) anyway.
624
625         * assembler/MacroAssembler.h:
626         * assembler/MacroAssemblerARM64.h:
627         * dfg/DFGJITCompiler.cpp:
628         (JSC::DFG::JITCompiler::compileExceptionHandlers):
629         * jit/JIT.cpp:
630         (JSC::JIT::privateCompileExceptionHandlers):
631
632 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
633
634         Unreviewed, speculative ARM64 build fix.
635         
636         move(ImmPtr, blah) is only available in MacroAssembler since that's where blinding is
637         implemented. So, you have to use TrustedImmPtr in the superclasses.
638
639         * assembler/MacroAssemblerARM64.h:
640         (JSC::MacroAssemblerARM64::store8):
641         (JSC::MacroAssemblerARM64::branchTest8):
642
643 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
644
645         Unreviewed, speculative ARM build fix.
646         https://bugs.webkit.org/show_bug.cgi?id=122890
647         <rdar://problem/15258624>
648
649         * assembler/ARM64Assembler.h:
650         (JSC::ARM64Assembler::firstRegister):
651         (JSC::ARM64Assembler::lastRegister):
652         (JSC::ARM64Assembler::firstFPRegister):
653         (JSC::ARM64Assembler::lastFPRegister):
654         * assembler/MacroAssemblerARM64.h:
655         * assembler/MacroAssemblerARMv7.h:
656
657 2013-10-17  Andreas Kling  <akling@apple.com>
658
659         Pass VM instead of JSGlobalObject to JSONObject constructor.
660         <https://webkit.org/b/122999>
661
662         JSONObject was only using the JSGlobalObject to grab at the VM.
663         Dodge a few loads by passing the VM directly instead.
664
665         Reviewed by Geoffrey Garen.
666
667         * runtime/JSONObject.cpp:
668         (JSC::JSONObject::JSONObject):
669         (JSC::JSONObject::finishCreation):
670         * runtime/JSONObject.h:
671         (JSC::JSONObject::create):
672
673 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
674
675         Removed the JITStackFrame struct
676         https://bugs.webkit.org/show_bug.cgi?id=123001
677
678         Reviewed by Anders Carlsson.
679
680         * jit/JITStubs.h: JITStackFrame and JITStubArg are unused now, since all
681         our helper functions obey the C function call ABI.
682
683 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
684
685         Removed an unused #define
686         https://bugs.webkit.org/show_bug.cgi?id=123000
687
688         Reviewed by Anders Carlsson.
689
690         * jit/JITStubs.h: Removed the concept of JITSTACKFRAME_ARGS_INDEX,
691         since it is unused now. This is a step toward using the C stack.
692
693 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
694
695         Eliminate uses of JITSTACKFRAME_ARGS_INDEX as scratch area for thunks
696         https://bugs.webkit.org/show_bug.cgi?id=122973
697
698         Reviewed by Michael Saboff.
699
700         * jit/ThunkGenerators.cpp:
701         (JSC::throwExceptionFromCallSlowPathGenerator): This was all dead code,
702         so I removed it.
703
704         The code acted as if it needed to pass an argument to
705         lookupExceptionHandler, and as if it passed that argument to itself
706         through JITStackFrame. However, lookupExceptionHandler does not take
707         an argument (other than the default ExecState argument), and the code
708         did not initialize the thing that it thought it passed to itself!
709
710 2013-10-17  Alex Christensen  <achristensen@webkit.org>
711
712         Run JavaScriptCore tests again on Windows.
713         https://bugs.webkit.org/show_bug.cgi?id=122787
714
715         Reviewed by Tim Horton.
716
717         * JavaScriptCore.vcxproj/JavaScriptCore.sln: Added.
718         * jit/JITStubsMSVC64.asm: Removed reference to cti_vm_throw unused since r157581.
719
720 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
721
722         Removed restoreArgumentReference (another use of JITStackFrame)
723         https://bugs.webkit.org/show_bug.cgi?id=122997
724
725         Reviewed by Oliver Hunt.
726
727         * jit/JSInterfaceJIT.h: Removed an unused function. This is a step
728         toward using the C stack.
729
730 2013-10-17  Oliver Hunt  <oliver@apple.com>
731
732         Remove JITStubCall.h
733         https://bugs.webkit.org/show_bug.cgi?id=122991
734
735         Reviewed by Geoff Garen.
736
737         Happily this is no longer used.
738
739         * GNUmakefile.list.am:
740         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
741         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
742         * JavaScriptCore.xcodeproj/project.pbxproj:
743         * jit/JIT.cpp:
744         * jit/JITArithmetic.cpp:
745         * jit/JITArithmetic32_64.cpp:
746         * jit/JITCall.cpp:
747         * jit/JITCall32_64.cpp:
748         * jit/JITOpcodes.cpp:
749         * jit/JITOpcodes32_64.cpp:
750         * jit/JITPropertyAccess.cpp:
751         * jit/JITPropertyAccess32_64.cpp:
752         * jit/JITStubCall.h: Removed.
753
754 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
755
756         Removed a use of JITSTACKFRAME_ARGS_INDEX
757         https://bugs.webkit.org/show_bug.cgi?id=122989
758
759         Reviewed by Oliver Hunt.
760
761         * jit/JITStubCall.h: Removed an unused function. This is one step closer
762         to using the C stack.
763
764 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
765
766         Change emit_op_catch to use another method to materialize VM
767         https://bugs.webkit.org/show_bug.cgi?id=122977
768
769         Reviewed by Oliver Hunt.
770
771         * jit/JITOpcodes.cpp:
772         (JSC::JIT::emit_op_catch):
773         * jit/JITOpcodes32_64.cpp:
774         (JSC::JIT::emit_op_catch): Use a constant. It removes our dependency
775         on JITStackFrame. It is also faster and simpler.
776
777 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
778
779         Eliminate emitGetJITStubArg() - dead code
780         https://bugs.webkit.org/show_bug.cgi?id=122975
781
782         Reviewed by Anders Carlsson.
783
784         * jit/JIT.h:
785         * jit/JITInlines.h: Removed unused, deprecated function.
786
787 2013-10-17  Mark Lam  <mark.lam@apple.com>
788
789         Eliminate all ASSERT references to OBJECT_OFFSETOF(struct JITStackFrame,...) in JITStubsXXX.h.
790         https://bugs.webkit.org/show_bug.cgi?id=122979.
791
792         Reviewed by Michael Saboff.
793
794         * jit/JITStubs.cpp:
795         * jit/JITStubs.h:
796         * jit/JITStubsARM.h:
797         * jit/JITStubsARM64.h:
798         * jit/JITStubsARMv7.h:
799         * jit/JITStubsMIPS.h:
800         * jit/JITStubsSH4.h:
801         * jit/JITStubsX86.h:
802         * jit/JITStubsX86_64.h:
803         * runtime/VM.cpp:
804         (JSC::VM::VM):
805
806 2013-10-17  Michael Saboff  <msaboff@apple.com>
807
808         Remove saving callFrameRegister to JITStackFrame in JITCompiler::compileFunction()
809         https://bugs.webkit.org/show_bug.cgi?id=122974
810
811         Reviewed by Geoffrey Garen.
812
813         Eliminated unneeded storing to JITStackFrame.
814
815         * dfg/DFGJITCompiler.cpp:
816         (JSC::DFG::JITCompiler::compileFunction):
817
818 2013-10-17  Michael Saboff  <msaboff@apple.com>
819
820         Transition cti_op_throw and cti_vm_throw to a JIT operation
821         https://bugs.webkit.org/show_bug.cgi?id=122931
822
823         Reviewed by Filip Pizlo.
824
825         Moved cti_op_throw to operationThrow.  Made the caller responsible for jumping to the
826         catch handler.  Eliminated cti_op_throw_static_error, cti_vm_throw, ctiVMThrowTrampoline()
827         and their callers as it is now dead code.  There is some work needed on the Microsoft X86
828         callOperation to handle the need to provide space for structure return value.
829
830         * jit/JIT.h:
831         * jit/JITInlines.h:
832         (JSC::JIT::callOperation):
833         * jit/JITOpcodes.cpp:
834         (JSC::JIT::emit_op_throw):
835         * jit/JITOpcodes32_64.cpp:
836         (JSC::JIT::emit_op_throw):
837         (JSC::JIT::emit_op_catch):
838         * jit/JITOperations.cpp:
839         * jit/JITOperations.h:
840         * jit/JITStubs.cpp:
841         * jit/JITStubs.h:
842         * jit/JITStubsARM.h:
843         * jit/JITStubsARM64.h:
844         * jit/JITStubsARMv7.h:
845         * jit/JITStubsMIPS.h:
846         * jit/JITStubsMSVC64.asm:
847         * jit/JITStubsSH4.h:
848         * jit/JITStubsX86.h:
849         * jit/JITStubsX86_64.h:
850         * jit/JSInterfaceJIT.h:
851
852 2013-10-17  Mark Lam  <mark.lam@apple.com>
853
854         Remove JITStackFrame references in the C Loop LLINT.
855         https://bugs.webkit.org/show_bug.cgi?id=122950.
856
857         Reviewed by Michael Saboff.
858
859         * jit/JITStubs.h:
860         * llint/LowLevelInterpreter.cpp:
861         (JSC::CLoop::execute):
862         * offlineasm/cloop.rb:
863
864 2013-10-17  Mark Lam  <mark.lam@apple.com>
865
866         Remove JITStackFrame references in JIT probes.
867         https://bugs.webkit.org/show_bug.cgi?id=122947.
868
869         Reviewed by Michael Saboff.
870
871         * assembler/MacroAssemblerARM.cpp:
872         (JSC::MacroAssemblerARM::ProbeContext::dump):
873         * assembler/MacroAssemblerARM.h:
874         * assembler/MacroAssemblerARMv7.cpp:
875         (JSC::MacroAssemblerARMv7::ProbeContext::dump):
876         * assembler/MacroAssemblerARMv7.h:
877         * assembler/MacroAssemblerX86Common.cpp:
878         (JSC::MacroAssemblerX86Common::ProbeContext::dump):
879         * assembler/MacroAssemblerX86Common.h:
880         * jit/JITStubsARM.h:
881         * jit/JITStubsARMv7.h:
882         * jit/JITStubsX86.h:
883         * jit/JITStubsX86Common.h:
884         * jit/JITStubsX86_64.h:
885
886 2013-10-17  Julien Brianceau  <jbriance@cisco.com>
887
888         Fix build when NUMBER_OF_ARGUMENT_REGISTERS == 4.
889         https://bugs.webkit.org/show_bug.cgi?id=122949
890
891         Reviewed by Andreas Kling.
892
893         * jit/CCallHelpers.h:
894         (JSC::CCallHelpers::setupArgumentsWithExecState):
895
896 2013-10-16  Mark Lam  <mark.lam@apple.com>
897
898         Transition remaining op_get* JITStubs to JIT operations.
899         https://bugs.webkit.org/show_bug.cgi?id=122925.
900
901         Reviewed by Geoffrey Garen.
902
903         Transitioning:
904             cti_op_get_by_id_generic
905             cti_op_get_by_val
906             cti_op_get_by_val_generic
907             cti_op_get_by_val_string
908
909         * dfg/DFGOperations.cpp:
910         * dfg/DFGOperations.h:
911         * jit/JIT.h:
912         * jit/JITInlines.h:
913         (JSC::JIT::callOperation):
914         * jit/JITOpcodes.cpp:
915         (JSC::JIT::emitSlow_op_get_arguments_length):
916         (JSC::JIT::emitSlow_op_get_argument_by_val):
917         * jit/JITOpcodes32_64.cpp:
918         (JSC::JIT::emitSlow_op_get_arguments_length):
919         (JSC::JIT::emitSlow_op_get_argument_by_val):
920         * jit/JITOperations.cpp:
921         * jit/JITOperations.h:
922         * jit/JITPropertyAccess.cpp:
923         (JSC::JIT::emitSlow_op_get_by_val):
924         (JSC::JIT::emitSlow_op_get_by_pname):
925         (JSC::JIT::privateCompileGetByVal):
926         * jit/JITPropertyAccess32_64.cpp:
927         (JSC::JIT::emitSlow_op_get_by_val):
928         (JSC::JIT::emitSlow_op_get_by_pname):
929         * jit/JITStubs.cpp:
930         * jit/JITStubs.h:
931         * runtime/Executable.cpp:
932         (JSC::setupLLInt): Added some UNUSED_PARAMs to fix the no LLINT build.
933         * runtime/Options.cpp:
934         (JSC::Options::initialize):
935
936 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
937
938         Introduce WTF::Bag and start using it for InlineCallFrameSet
939         https://bugs.webkit.org/show_bug.cgi?id=122941
940
941         Reviewed by Geoffrey Garen.
942         
943         Use Bag for InlineCallFrameSet. If this works out then I'll make other
944         SegmentedVectors into Bags as well.
945
946         * bytecode/InlineCallFrameSet.cpp:
947         (JSC::InlineCallFrameSet::add):
948         * bytecode/InlineCallFrameSet.h:
949         (JSC::InlineCallFrameSet::begin):
950         (JSC::InlineCallFrameSet::end):
951         * dfg/DFGArgumentsSimplificationPhase.cpp:
952         (JSC::DFG::ArgumentsSimplificationPhase::run):
953         * dfg/DFGJITCompiler.cpp:
954         (JSC::DFG::JITCompiler::link):
955         * dfg/DFGStackLayoutPhase.cpp:
956         (JSC::DFG::StackLayoutPhase::run):
957         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
958         (JSC::DFG::VirtualRegisterAllocationPhase::run):
959
960 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
961
962         libllvmForJSC shouldn't call exit(1) on report_fatal_error()
963         https://bugs.webkit.org/show_bug.cgi?id=122905
964         <rdar://problem/15237856>
965
966         Reviewed by Michael Saboff.
967         
968         Expose the new LLVMInstallFatalErrorHandler() API through the soft linking magic and
969         then always call it to install something that calls CRASH().
970
971         * llvm/InitializeLLVM.cpp:
972         (JSC::llvmCrash):
973         (JSC::initializeLLVMOnce):
974         (JSC::initializeLLVM):
975         * llvm/LLVMAPIFunctions.h:
976
977 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
978
979         Prototype chain repatching in the polymorphic case fails to check if the receiver is a dictionary
980         https://bugs.webkit.org/show_bug.cgi?id=122938
981
982         Reviewed by Sam Weinig.
983         
984         This fixes jsc-layout-tests.yaml/js/script-tests/dictionary-prototype-caching.js.layout-no-llint.
985
986         * jit/Repatch.cpp:
987         (JSC::tryBuildGetByIDList):
988
989 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
990
991         JIT::appendCall() needs to killLastResultRegister() or equivalent since there's some really bad code that expects it
992         https://bugs.webkit.org/show_bug.cgi?id=122937
993
994         Reviewed by Geoffrey Garen.
995         
996         JITStubCall used to do it.
997         
998         This makes mozilla-tests.yaml/ecma/Statements/12.10-1.js.mozilla-baseline pass.
999
1000         * jit/JIT.h:
1001         (JSC::JIT::appendCall):
1002
1003 2013-10-16  Michael Saboff  <msaboff@apple.com>
1004
1005         transition void cti_op_put_by_val* stubs to JIT operations
1006         https://bugs.webkit.org/show_bug.cgi?id=122903
1007
1008         Reviewed by Geoffrey Garen.
1009
1010         Transitioned cti_op_put_by_val and cti_op_put_by_val_generic to operationPutByVal and
1011         operationPutByValGeneric.
1012
1013         * jit/CCallHelpers.h:
1014         (JSC::CCallHelpers::setupArgumentsWithExecState):
1015         * jit/JIT.h:
1016         * jit/JITInlines.h:
1017         (JSC::JIT::callOperation):
1018         * jit/JITOperations.cpp:
1019         * jit/JITOperations.h:
1020         * jit/JITPropertyAccess.cpp:
1021         (JSC::JIT::emitSlow_op_put_by_val):
1022         (JSC::JIT::privateCompilePutByVal):
1023         * jit/JITPropertyAccess32_64.cpp:
1024         (JSC::JIT::emitSlow_op_put_by_val):
1025         * jit/JITStubs.cpp:
1026         * jit/JITStubs.h:
1027         * jit/JSInterfaceJIT.h:
1028
1029 2013-10-16  Oliver Hunt  <oliver@apple.com>
1030
1031         Implement ES6 spread operator
1032         https://bugs.webkit.org/show_bug.cgi?id=122911
1033
1034         Reviewed by Michael Saboff.
1035
1036         Implement the ES6 spread operator
1037
1038         This has a little bit of refactoring to move the enumeration logic out of ForOfNode
1039         and into BytecodeGenerator, and then adds the logic to make it nicely callback
1040         driven.
1041
1042         The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
1043         and actually handling the spread.
1044
1045         * bytecompiler/BytecodeGenerator.cpp:
1046         (JSC::BytecodeGenerator::emitNewArray):
1047         (JSC::BytecodeGenerator::emitCall):
1048         (JSC::BytecodeGenerator::emitEnumeration):
1049         * bytecompiler/BytecodeGenerator.h:
1050         * bytecompiler/NodesCodegen.cpp:
1051         (JSC::ArrayNode::emitBytecode):
1052         (JSC::ForOfNode::emitBytecode):
1053         (JSC::SpreadExpressionNode::emitBytecode):
1054         * parser/ASTBuilder.h:
1055         (JSC::ASTBuilder::createSpreadExpression):
1056         * parser/Lexer.cpp:
1057         (JSC::::lex):
1058         * parser/NodeConstructors.h:
1059         (JSC::SpreadExpressionNode::SpreadExpressionNode):
1060         * parser/Nodes.h:
1061         (JSC::ExpressionNode::isSpreadExpression):
1062         (JSC::SpreadExpressionNode::expression):
1063         * parser/Parser.cpp:
1064         (JSC::::parseArrayLiteral):
1065         (JSC::::parseArguments):
1066         (JSC::::parseMemberExpression):
1067         * parser/Parser.h:
1068         (JSC::Parser::getTokenName):
1069         (JSC::Parser::updateErrorMessageSpecialCase):
1070         * parser/ParserTokens.h:
1071         * parser/SyntaxChecker.h:
1072         (JSC::SyntaxChecker::createSpreadExpression):
1073
1074 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
1075
1076         Add a useLLInt option to jsc
1077         https://bugs.webkit.org/show_bug.cgi?id=122930
1078
1079         Reviewed by Geoffrey Garen.
1080
1081         * runtime/Executable.cpp:
1082         (JSC::setupLLInt):
1083         (JSC::setupJIT):
1084         (JSC::ScriptExecutable::prepareForExecutionImpl):
1085         * runtime/Options.h:
1086
1087 2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>
1088
1089         Build fix.
1090
1091         Forgot to svn add DeferGC.cpp
1092
1093         * heap/DeferGC.cpp: Added.
1094
1095 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
1096
1097         r157411 fails run-javascriptcore-tests when run with Baseline JIT
1098         https://bugs.webkit.org/show_bug.cgi?id=122902
1099
1100         Reviewed by Mark Hahnenberg.
1101         
1102         It turns out that this was a long-standing bug in the DFG PutById repatching logic. It's
1103         not legal to patch if the typeInfo tells you that you can't patch. The old JIT's patching
1104         logic did this right, and the DFG's GetById patching logic did it right; but DFG PutById
1105         didn't. Turns out that there's even a helpful method,
1106         Structure::propertyAccessesAreCacheable(), that will even do all of the checks for you!
1107
1108         * jit/Repatch.cpp:
1109         (JSC::tryCachePutByID):
1110
1111 2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>
1112
1113         llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
1114         https://bugs.webkit.org/show_bug.cgi?id=122667
1115
1116         Reviewed by Geoffrey Garen.
1117
1118         The issue this patch is attempting to fix is that there are places in our codebase
1119         where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
1120         operations that can initiate a garbage collection. Garbage collection then calls 
1121         some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
1122         always necessarily run during garbage collection). This causes a deadlock.
1123  
1124         To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores 
1125         into a thread-local field that indicates that it is unsafe to perform any operation 
1126         that could trigger garbage collection on the current thread. In debug builds, 
1127         ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly 
1128         detect deadlocks.
1129  
1130         This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
1131         which uses the DeferGC mechanism to prevent collections from occurring while the 
1132         lock is held.
1133
1134         * CMakeLists.txt:
1135         * GNUmakefile.list.am:
1136         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1137         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1138         * JavaScriptCore.xcodeproj/project.pbxproj:
1139         * heap/DeferGC.h:
1140         (JSC::DisallowGC::DisallowGC):
1141         (JSC::DisallowGC::~DisallowGC):
1142         (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
1143         (JSC::DisallowGC::initialize):
1144         * jit/Repatch.cpp:
1145         (JSC::repatchPutByID):
1146         (JSC::buildPutByIdList):
1147         * llint/LLIntSlowPaths.cpp:
1148         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1149         * runtime/ConcurrentJITLock.h:
1150         (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
1151         (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
1152         (JSC::ConcurrentJITLockerBase::unlockEarly):
1153         (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
1154         (JSC::GCSafeConcurrentJITLocker::~GCSafeConcurrentJITLocker):
1155         (JSC::GCSafeConcurrentJITLocker::NoDefer::NoDefer):
1156         (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
1157         * runtime/InitializeThreading.cpp:
1158         (JSC::initializeThreadingOnce):
1159         * runtime/JSCellInlines.h:
1160         (JSC::allocateCell):
1161         * runtime/JSSymbolTableObject.h:
1162         (JSC::symbolTablePut):
1163         * runtime/Structure.cpp: materializePropertyMapIfNecessary* now has a problem in that it
1164         can start a garbage collection when the GCSafeConcurrentJITLocker goes out of scope, but 
1165         before the caller has a chance to use the newly created PropertyTable. The garbage collection
1166         clears the PropertyTable, and then the caller uses it assuming it's valid. To avoid this,
1167         we must DeferGC until the caller is done getting the newly materialized PropertyTable from 
1168         the Structure.
1169         (JSC::Structure::materializePropertyMap):
1170         (JSC::Structure::despecifyDictionaryFunction):
1171         (JSC::Structure::changePrototypeTransition):
1172         (JSC::Structure::despecifyFunctionTransition):
1173         (JSC::Structure::attributeChangeTransition):
1174         (JSC::Structure::toDictionaryTransition):
1175         (JSC::Structure::preventExtensionsTransition):
1176         (JSC::Structure::takePropertyTableOrCloneIfPinned):
1177         (JSC::Structure::isSealed):
1178         (JSC::Structure::isFrozen):
1179         (JSC::Structure::addPropertyWithoutTransition):
1180         (JSC::Structure::removePropertyWithoutTransition):
1181         (JSC::Structure::get):
1182         (JSC::Structure::despecifyFunction):
1183         (JSC::Structure::despecifyAllFunctions):
1184         (JSC::Structure::putSpecificValue):
1185         (JSC::Structure::createPropertyMap):
1186         (JSC::Structure::getPropertyNamesFromStructure):
1187         * runtime/Structure.h:
1188         (JSC::Structure::materializePropertyMapIfNecessary):
1189         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
1190         * runtime/StructureInlines.h:
1191         (JSC::Structure::get):
1192         * runtime/SymbolTable.h:
1193         (JSC::SymbolTable::find):
1194         (JSC::SymbolTable::end):
1195
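The DisallowGC / DeferGC / GCSafeConcurrentJITLocker mechanism described in the entry above, as an added example that is not JavaScriptCore's code: a single-thread model in which the class names follow the entry while their internals, member order and the CollectResult enum are my own assumptions. It also covers the Structure.cpp caveat from the same entry, where the caller's own DeferGC has to outlive the locker.

```cpp
// Added example, not JavaScriptCore code: a single-thread model of the DisallowGC, DeferGC and
// GCSafeConcurrentJITLocker pattern from the entry above; internals and member order are my own.
#include <mutex>

// Per-thread bookkeeping: how many DisallowGC / DeferGC guards are alive on this thread.
static thread_local int gcDisallowDepth = 0;
static thread_local int gcDeferDepth = 0;
static thread_local bool collectionPending = false; // a collection was requested while deferred
static int collectionsRun = 0;                      // stand-in for the heap's collection counter

// RAII guard: while one is alive, triggering a collection on this thread is a bug.
class DisallowGC {
public:
    DisallowGC() { ++gcDisallowDepth; }
    ~DisallowGC() { --gcDisallowDepth; }
    static bool isGCDisallowedOnCurrentThread() { return gcDisallowDepth > 0; }
};

// RAII guard: collections are postponed while one is alive; the outermost one runs them on exit.
class DeferGC {
public:
    DeferGC() { ++gcDeferDepth; }
    ~DeferGC() {
        if (--gcDeferDepth == 0 && collectionPending) {
            collectionPending = false;
            ++collectionsRun;
        }
    }
};

enum class CollectResult { Ran, Deferred, Disallowed };

// Models the heap deciding to collect on an allocation slow path; Disallowed is the eager
// detection the entry describes (the pre-fix code would instead deadlock on the lock).
CollectResult requestCollection() {
    if (gcDeferDepth > 0) {
        collectionPending = true;
        return CollectResult::Deferred;
    }
    if (DisallowGC::isGCDisallowedOnCurrentThread())
        return CollectResult::Disallowed;
    ++collectionsRun;
    return CollectResult::Ran;
}

// Plain locker: holds the lock plus (as in the entry's debug builds) a DisallowGC.
class ConcurrentJITLocker {
public:
    explicit ConcurrentJITLocker(std::mutex& m) : m_lock(m) {}
private:
    std::lock_guard<std::mutex> m_lock;
    DisallowGC m_disallowGC;
};

// GC-safe locker: DeferGC is declared first, hence destroyed last, so the postponed collection
// runs only after the lock has been released.
class GCSafeConcurrentJITLocker {
public:
    explicit GCSafeConcurrentJITLocker(std::mutex& m) : m_lock(m) {}
private:
    DeferGC m_deferGC;
    std::lock_guard<std::mutex> m_lock;
};

// Scenario 1: an allocation under the plain locker wants to collect -> reported, not deadlocked.
CollectResult collectUnderPlainLock() {
    std::mutex m;
    ConcurrentJITLocker locker(m);
    return requestCollection();
}

// Scenario 2: under the GC-safe locker the request is deferred and runs right after unlock.
bool gcSafeLockerDefersCollection() {
    std::mutex m;
    const int before = collectionsRun;
    CollectResult r = CollectResult::Ran;
    {
        GCSafeConcurrentJITLocker locker(m);
        r = requestCollection();
    }
    return r == CollectResult::Deferred && collectionsRun == before + 1;
}

// Scenario 3 (the Structure.cpp caveat): the caller's own DeferGC spans both the lock and the use.
bool callerDeferGCOutlivesLock() {
    std::mutex m;
    const int before = collectionsRun;
    bool collectedBeforeUse = true;
    {
        DeferGC callerDefer;
        {
            GCSafeConcurrentJITLocker locker(m);
            requestCollection();                       // deferred (depth 2), still pending at unlock
        }
        collectedBeforeUse = collectionsRun != before; // false: the result is safe to use here
    }
    return !collectedBeforeUse && collectionsRun == before + 1;
}
```
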
1196 2013-10-16  Daniel Bates  <dabates@apple.com>
1197
1198         Add SPI to disable the garbage collector timer
1199         https://bugs.webkit.org/show_bug.cgi?id=122921
1200
1201         Reviewed by Geoffrey Garen.
1202
1203         Based on a patch by Mark Hahnenberg.
1204
1205         * API/JSBase.cpp:
1206         (JSDisableGCTimer): Added; SPI function.
1207         * API/JSBasePrivate.h:
1208         * heap/BlockAllocator.cpp:
1209         (JSC::createBlockFreeingThread): Added.
1210         (JSC::BlockAllocator::BlockAllocator): Modified to use JSC::createBlockFreeingThread()
1211         to conditionally create the "block freeing" thread depending on the value of
1212         GCActivityCallback::s_shouldCreateGCTimer.
1213         (JSC::BlockAllocator::~BlockAllocator):
1214         * heap/BlockAllocator.h:
1215         (JSC::BlockAllocator::deallocate):
1216         * heap/Heap.cpp:
1217         (JSC::Heap::didAbandon):
1218         (JSC::Heap::collect):
1219         (JSC::Heap::didAllocate):
1220         * heap/HeapTimer.cpp:
1221         (JSC::HeapTimer::timerDidFire):
1222         * runtime/GCActivityCallback.cpp:
1223         * runtime/GCActivityCallback.h:
1224         (JSC::DefaultGCActivityCallback::create): Only instantiate a DefaultGCActivityCallback object
1225         when GCActivityCallback::s_shouldCreateGCTimer is true so as to prevent allocating a HeapTimer
1226         object (since DefaultGCActivityCallback ultimately extends HeapTimer).
1227
1228 2013-10-16  Commit Queue  <commit-queue@webkit.org>
1229
1230         Unreviewed, rolling out r157529.
1231         http://trac.webkit.org/changeset/157529
1232         https://bugs.webkit.org/show_bug.cgi?id=122919
1233
1234         Caused score test failures and some build failures. (Requested
1235         by rfong on #webkit).
1236
1237         * bytecompiler/BytecodeGenerator.cpp:
1238         (JSC::BytecodeGenerator::emitNewArray):
1239         (JSC::BytecodeGenerator::emitCall):
1240         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
1241         * bytecompiler/BytecodeGenerator.h:
1242         * bytecompiler/NodesCodegen.cpp:
1243         (JSC::ArrayNode::emitBytecode):
1244         (JSC::CallArguments::CallArguments):
1245         (JSC::ForOfNode::emitBytecode):
1246         (JSC::BindingNode::collectBoundIdentifiers):
1247         * parser/ASTBuilder.h:
1248         * parser/Lexer.cpp:
1249         (JSC::::lex):
1250         * parser/NodeConstructors.h:
1251         (JSC::DotAccessorNode::DotAccessorNode):
1252         * parser/Nodes.h:
1253         * parser/Parser.cpp:
1254         (JSC::::parseArrayLiteral):
1255         (JSC::::parseArguments):
1256         (JSC::::parseMemberExpression):
1257         * parser/Parser.h:
1258         (JSC::Parser::getTokenName):
1259         (JSC::Parser::updateErrorMessageSpecialCase):
1260         * parser/ParserTokens.h:
1261         * parser/SyntaxChecker.h:
1262
1263 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
1264
1265         Remove useless architecture specific implementation in DFG.
1266         https://bugs.webkit.org/show_bug.cgi?id=122917.
1267
1268         Reviewed by Michael Saboff.
1269
1270         With CPU(ARM) && CPU(ARM_HARDFP) architecture, the fallback implementation is fine
1271         as FPRInfo::argumentFPR0 == FPRInfo::returnValueFPR in this case.
1272
1273         * dfg/DFGSpeculativeJIT.h:
1274
1275 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
1276
1277         Remove unused JIT::restoreArgumentReferenceForTrampoline function.
1278         https://bugs.webkit.org/show_bug.cgi?id=122916.
1279
1280         Reviewed by Michael Saboff.
1281
1282         This architecture specific function is not used anymore, so get rid of it.
1283
1284         * jit/JIT.h:
1285         * jit/JITInlines.h:
1286
1287 2013-10-16  Oliver Hunt  <oliver@apple.com>
1288
1289         Implement ES6 spread operator
1290         https://bugs.webkit.org/show_bug.cgi?id=122911
1291
1292         Reviewed by Michael Saboff.
1293
1294         Implement the ES6 spread operator
1295
1296         This has a little bit of refactoring to move the enumeration logic out of ForOfNode
1297         and into BytecodeGenerator, and then adds the logic to make it nicely callback
1298         driven.
1299
1300         The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
1301         and actually handling the spread.
1302
1303         * bytecompiler/BytecodeGenerator.cpp:
1304         (JSC::BytecodeGenerator::emitNewArray):
1305         (JSC::BytecodeGenerator::emitCall):
1306         (JSC::BytecodeGenerator::emitEnumeration):
1307         * bytecompiler/BytecodeGenerator.h:
1308         * bytecompiler/NodesCodegen.cpp:
1309         (JSC::ArrayNode::emitBytecode):
1310         (JSC::ForOfNode::emitBytecode):
1311         (JSC::SpreadExpressionNode::emitBytecode):
1312         * parser/ASTBuilder.h:
1313         (JSC::ASTBuilder::createSpreadExpression):
1314         * parser/Lexer.cpp:
1315         (JSC::::lex):
1316         * parser/NodeConstructors.h:
1317         (JSC::SpreadExpressionNode::SpreadExpressionNode):
1318         * parser/Nodes.h:
1319         (JSC::ExpressionNode::isSpreadExpression):
1320         (JSC::SpreadExpressionNode::expression):
1321         * parser/Parser.cpp:
1322         (JSC::::parseArrayLiteral):
1323         (JSC::::parseArguments):
1324         (JSC::::parseMemberExpression):
1325         * parser/Parser.h:
1326         (JSC::Parser::getTokenName):
1327         (JSC::Parser::updateErrorMessageSpecialCase):
1328         * parser/ParserTokens.h:
1329         * parser/SyntaxChecker.h:
1330         (JSC::SyntaxChecker::createSpreadExpression):
1331
1332 2013-10-16  Mark Lam  <mark.lam@apple.com>
1333
1334         Transition void cti_op_tear_off* methods to JIT operations for 32 bit.
1335         https://bugs.webkit.org/show_bug.cgi?id=122899.
1336
1337         Reviewed by Michael Saboff.
1338
1339         * jit/JITOpcodes32_64.cpp:
1340         (JSC::JIT::emit_op_tear_off_activation):
1341         (JSC::JIT::emit_op_tear_off_arguments):
1342         * jit/JITStubs.cpp:
1343         * jit/JITStubs.h:
1344
1345 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
1346
1347         Remove more of the UNINTERRUPTED_SEQUENCE thing
1348         https://bugs.webkit.org/show_bug.cgi?id=122885
1349
1350         Reviewed by Andreas Kling.
1351
1352         It was not completely removed by r157481, leading to build failure for sh4 architecture.
1353
1354         * jit/JIT.h:
1355         * jit/JITInlines.h:
1356
1357 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
1358
1359         Get rid of the StructureStubInfo::patch union
1360         https://bugs.webkit.org/show_bug.cgi?id=122877
1361
1362         Reviewed by Sam Weinig.
1363         
1364         Just simplifying code by getting rid of data structures that ain't used no more.
1365         
1366         Note that I replace the patch union with a patch struct. This means we say things like
1367         stubInfo.patch.valueGPR instead of stubInfo.valueGPR. I think that this extra
1368         encapsulation makes the code more readable: the patch struct contains just those things
1369         that you need to know to perform patching.
1370
1371         * bytecode/StructureStubInfo.h:
1372         * dfg/DFGJITCompiler.cpp:
1373         (JSC::DFG::JITCompiler::link):
1374         * jit/JIT.cpp:
1375         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
1376         * jit/Repatch.cpp:
1377         (JSC::repatchByIdSelfAccess):
1378         (JSC::replaceWithJump):
1379         (JSC::linkRestoreScratch):
1380         (JSC::generateProtoChainAccessStub):
1381         (JSC::tryCacheGetByID):
1382         (JSC::getPolymorphicStructureList):
1383         (JSC::patchJumpToGetByIdStub):
1384         (JSC::tryBuildGetByIDList):
1385         (JSC::emitPutReplaceStub):
1386         (JSC::emitPutTransitionStub):
1387         (JSC::tryCachePutByID):
1388         (JSC::tryBuildPutByIdList):
1389         (JSC::tryRepatchIn):
1390         (JSC::resetGetByID):
1391         (JSC::resetPutByID):
1392         (JSC::resetIn):
1393
1394 2013-10-15  Nadav Rotem  <nrotem@apple.com>
1395
1396         FTL: add support for Int52ToValue and fix putByVal of int52s.
1397         https://bugs.webkit.org/show_bug.cgi?id=122873
1398
1399         Reviewed by Filip Pizlo.
1400
1401         * ftl/FTLCapabilities.cpp:
1402         (JSC::FTL::canCompile):
1403         * ftl/FTLLowerDFGToLLVM.cpp:
1404         (JSC::FTL::LowerDFGToLLVM::compileNode):
1405         (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue):
1406         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
1407
1408 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
1409
1410         Get rid of the UNINTERRUPTED_SEQUENCE thing
1411         https://bugs.webkit.org/show_bug.cgi?id=122876
1412
1413         Reviewed by Mark Hahnenberg.
1414         
1415         It doesn't make sense anymore. We now use the DFG's IC logic, which never needed that.
1416         
1417         Moreover, we should resist the temptation to bring anything like this back. We don't
1418         want to have inline caches that only work if the assembler lays out code in a specific
1419         predetermined way.
1420
1421         * jit/JIT.h:
1422         * jit/JITCall.cpp:
1423         (JSC::JIT::compileOpCall):
1424         * jit/JITCall32_64.cpp:
1425         (JSC::JIT::compileOpCall):
1426
1427 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
1428
1429         Baseline JIT should use the DFG GetById IC
1430         https://bugs.webkit.org/show_bug.cgi?id=122861
1431
1432         Reviewed by Oliver Hunt.
1433         
1434         This mostly just kills a ton of code.
1435         
1436         Note that this doesn't yet do all of the simplifications that can be done, but it does
1437         kill dead code. I'll have another change to simplify StructureStubInfo's unions and such.
1438
1439         * bytecode/CodeBlock.cpp:
1440         (JSC::CodeBlock::resetStubInternal):
1441         * jit/JIT.cpp:
1442         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
1443         * jit/JIT.h:
1444         (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
1445         * jit/JITInlines.h:
1446         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
1447         (JSC::JIT::callOperation):
1448         * jit/JITPropertyAccess.cpp:
1449         (JSC::JIT::compileGetByIdHotPath):
1450         (JSC::JIT::emitSlow_op_get_by_id):
1451         (JSC::JIT::emitSlow_op_get_from_scope):
1452         * jit/JITPropertyAccess32_64.cpp:
1453         (JSC::JIT::compileGetByIdHotPath):
1454         (JSC::JIT::emitSlow_op_get_by_id):
1455         (JSC::JIT::emitSlow_op_get_from_scope):
1456         * jit/JITStubs.cpp:
1457         * jit/JITStubs.h:
1458         * jit/Repatch.cpp:
1459         (JSC::repatchGetByID):
1460         (JSC::buildGetByIDList):
1461         * jit/ThunkGenerators.cpp:
1462         * jit/ThunkGenerators.h:
1463
1464 2013-10-15  Dean Jackson  <dino@apple.com>
1465
1466         Add ENABLE_WEB_ANIMATIONS flag
1467         https://bugs.webkit.org/show_bug.cgi?id=122871
1468
1469         Reviewed by Tim Horton.
1470
1471         Eventually might be http://dev.w3.org/fxtf/web-animations/
1472         but this is just engine-internal work at the moment.
1473
1474         * Configurations/FeatureDefines.xcconfig:
1475
1476 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
1477
1478         [sh4] Some calls don't match sh4 ABI.
1479         https://bugs.webkit.org/show_bug.cgi?id=122863
1480
1481         Reviewed by Michael Saboff.
1482
1483         * dfg/DFGSpeculativeJIT.h:
1484         (JSC::DFG::SpeculativeJIT::callOperation):
1485         * jit/CCallHelpers.h:
1486         (JSC::CCallHelpers::setupArgumentsWithExecState):
1487         * jit/JITInlines.h:
1488         (JSC::JIT::callOperation):
1489
1490 2013-10-15  Daniel Bates  <dabates@apple.com>
1491
1492         [iOS] Upstream JavaScriptCore support for ARM64
1493         https://bugs.webkit.org/show_bug.cgi?id=122762
1494
1495         Reviewed by Oliver Hunt and Filip Pizlo.
1496
1497         * Configurations/Base.xcconfig:
1498         * Configurations/DebugRelease.xcconfig:
1499         * Configurations/JavaScriptCore.xcconfig:
1500         * Configurations/ToolExecutable.xcconfig:
1501         * JavaScriptCore.xcodeproj/project.pbxproj:
1502         * assembler/ARM64Assembler.h: Added.
1503         * assembler/AbstractMacroAssembler.h:
1504         (JSC::isARM64):
1505         (JSC::AbstractMacroAssembler::Label::Label):
1506         (JSC::AbstractMacroAssembler::Jump::Jump):
1507         (JSC::AbstractMacroAssembler::Jump::link):
1508         (JSC::AbstractMacroAssembler::Jump::linkTo):
1509         (JSC::AbstractMacroAssembler::CachedTempRegister::CachedTempRegister):
1510         (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDInvalidate):
1511         (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDNoInvalidate):
1512         (JSC::AbstractMacroAssembler::CachedTempRegister::value):
1513         (JSC::AbstractMacroAssembler::CachedTempRegister::setValue):
1514         (JSC::AbstractMacroAssembler::CachedTempRegister::invalidate):
1515         (JSC::AbstractMacroAssembler::invalidateAllTempRegisters):
1516         (JSC::AbstractMacroAssembler::isTempRegisterValid):
1517         (JSC::AbstractMacroAssembler::clearTempRegisterValid):
1518         (JSC::AbstractMacroAssembler::setTempRegisterValid):
1519         * assembler/LinkBuffer.cpp:
1520         (JSC::LinkBuffer::copyCompactAndLinkCode):
1521         (JSC::LinkBuffer::linkCode):
1522         * assembler/LinkBuffer.h:
1523         * assembler/MacroAssembler.h:
1524         (JSC::MacroAssembler::isPtrAlignedAddressOffset):
1525         (JSC::MacroAssembler::pushToSave):
1526         (JSC::MacroAssembler::popToRestore):
1527         (JSC::MacroAssembler::patchableBranchTest32):
1528         * assembler/MacroAssemblerARM64.h: Added.
1529         * assembler/MacroAssemblerARMv7.h:
1530         * dfg/DFGFixupPhase.cpp:
1531         (JSC::DFG::FixupPhase::fixupNode):
1532         * dfg/DFGOSRExitCompiler32_64.cpp:
1533         (JSC::DFG::OSRExitCompiler::compileExit):
1534         * dfg/DFGOSRExitCompiler64.cpp:
1535         (JSC::DFG::OSRExitCompiler::compileExit):
1536         * dfg/DFGSpeculativeJIT.cpp:
1537         (JSC::DFG::SpeculativeJIT::compileArithDiv):
1538         (JSC::DFG::SpeculativeJIT::compileArithMod):
1539         * disassembler/ARM64/A64DOpcode.cpp: Added.
1540         * disassembler/ARM64/A64DOpcode.h: Added.
1541         * disassembler/ARM64Disassembler.cpp: Added.
1542         * heap/MachineStackMarker.cpp:
1543         (JSC::getPlatformThreadRegisters):
1544         (JSC::otherThreadStackPointer):
1545         * heap/Region.h:
1546         * jit/AssemblyHelpers.h:
1547         (JSC::AssemblyHelpers::debugCall):
1548         * jit/CCallHelpers.h:
1549         * jit/ExecutableAllocator.h:
1550         * jit/FPRInfo.h:
1551         (JSC::FPRInfo::toRegister):
1552         (JSC::FPRInfo::toIndex):
1553         (JSC::FPRInfo::debugName):
1554         * jit/GPRInfo.h:
1555         (JSC::GPRInfo::toRegister):
1556         (JSC::GPRInfo::toIndex):
1557         (JSC::GPRInfo::debugName):
1558         * jit/JITInlines.h:
1559         (JSC::JIT::restoreArgumentReferenceForTrampoline):
1560         * jit/JITOperationWrappers.h:
1561         * jit/JITOperations.cpp:
1562         * jit/JITStubs.cpp:
1563         (JSC::performPlatformSpecificJITAssertions):
1564         (JSC::tryCachePutByID):
1565         * jit/JITStubs.h:
1566         (JSC::JITStackFrame::returnAddressSlot):
1567         * jit/JITStubsARM64.h: Added.
1568         * jit/JSInterfaceJIT.h:
1569         * jit/Repatch.cpp:
1570         (JSC::emitRestoreScratch):
1571         (JSC::generateProtoChainAccessStub):
1572         (JSC::tryCacheGetByID):
1573         (JSC::emitPutReplaceStub):
1574         (JSC::tryCachePutByID):
1575         (JSC::tryRepatchIn):
1576         * jit/ScratchRegisterAllocator.h:
1577         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
1578         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
1579         * jit/ThunkGenerators.cpp:
1580         (JSC::nativeForGenerator):
1581         (JSC::floorThunkGenerator):
1582         (JSC::ceilThunkGenerator):
1583         * jsc.cpp:
1584         (main):
1585         * llint/LLIntOfflineAsmConfig.h:
1586         * llint/LLIntSlowPaths.cpp:
1587         (JSC::LLInt::handleHostCall):
1588         * llint/LowLevelInterpreter.asm:
1589         * llint/LowLevelInterpreter64.asm:
1590         * offlineasm/arm.rb:
1591         * offlineasm/arm64.rb: Added.
1592         * offlineasm/backends.rb:
1593         * offlineasm/instructions.rb:
1594         * offlineasm/risc.rb:
1595         * offlineasm/transform.rb:
1596         * yarr/YarrJIT.cpp:
1597         (JSC::Yarr::YarrGenerator::alignCallFrameSizeInBytes):
1598         (JSC::Yarr::YarrGenerator::initCallFrame):
1599         (JSC::Yarr::YarrGenerator::removeCallFrame):
1600         (JSC::Yarr::YarrGenerator::generateEnter):
1601         * yarr/YarrJIT.h:
1602
1603 2013-10-15  Mark Lam  <mark.lam@apple.com>
1604
1605         Fix 3 operand sub operation in C loop LLINT.
1606         https://bugs.webkit.org/show_bug.cgi?id=122866.
1607
1608         Reviewed by Geoffrey Garen.
1609
1610         * offlineasm/cloop.rb:
1611
1612 2013-10-15  Mark Hahnenberg  <mhahnenberg@apple.com>
1613
1614         ObjCCallbackFunctionImpl shouldn't store a JSContext
1615         https://bugs.webkit.org/show_bug.cgi?id=122531
1616
1617         Reviewed by Geoffrey Garen.
1618
1619         The m_context field in ObjCCallbackFunctionImpl is vestigial and is only incidentally correct
1620         in the common case. It's also no longer necessary in that we can look up the current JSContext
1621         by using the globalObject of the callee when the function callback is invoked.
1622  
1623         Also added a new test that would cause us to crash previously. The test required making 
1624         JSContextGetGlobalContext public API so that clients can obtain a JSContext from the JSContextRef
1625         in C API callbacks.
1626
1627         * API/JSContextRef.h:
1628         * API/JSContextRefPrivate.h:
1629         * API/ObjCCallbackFunction.mm:
1630         (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
1631         (JSC::objCCallbackFunctionCallAsFunction):
1632         (objCCallbackFunctionForInvocation):
1633         * API/WebKitAvailability.h:
1634         * API/tests/CurrentThisInsideBlockGetterTest.h: Added.
1635         * API/tests/CurrentThisInsideBlockGetterTest.mm: Added.
1636         (CallAsConstructor):
1637         (ConstructorFinalize):
1638         (ConstructorClass):
1639         (+[JSValue valueWithConstructorDescriptor:inContext:]):
1640         (-[JSContext valueWithConstructorDescriptor:]):
1641         (currentThisInsideBlockGetterTest):
1642         * API/tests/testapi.mm:
1643         * JavaScriptCore.xcodeproj/project.pbxproj:
1644         * debugger/Debugger.cpp: Had to add some fully qualified names to avoid conflicts with Mac OS X headers.
1645
1646 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
1647
1648         Fix build after r157457 for architecture with 4 argument registers.
1649         https://bugs.webkit.org/show_bug.cgi?id=122860
1650
1651         Reviewed by Michael Saboff.
1652
1653         * jit/CCallHelpers.h:
1654         (JSC::CCallHelpers::setupStubArguments134):
1655
1656 2013-10-14  Michael Saboff  <msaboff@apple.com>
1657
1658         transition void cti_op_* methods to JIT operations.
1659         https://bugs.webkit.org/show_bug.cgi?id=122617
1660
1661         Reviewed by Geoffrey Garen.
1662
1663         Converted the following stubs to JIT operations:
1664             cti_handle_watchdog_timer
1665             cti_op_debug
1666             cti_op_pop_scope
1667             cti_op_profile_did_call
1668             cti_op_profile_will_call
1669             cti_op_put_by_index
1670             cti_op_put_getter_setter
1671             cti_op_tear_off_activation
1672             cti_op_tear_off_arguments
1673             cti_op_throw_static_error
1674             cti_optimize
1675
1676         * dfg/DFGOperations.cpp:
1677         * dfg/DFGOperations.h:
1678         * jit/CCallHelpers.h:
1679         (JSC::CCallHelpers::setupArgumentsWithExecState):
1680         (JSC::CCallHelpers::setupThreeStubArgsGPR):
1681         (JSC::CCallHelpers::setupStubArguments):
1682         (JSC::CCallHelpers::setupStubArguments134):
1683         * jit/JIT.cpp:
1684         (JSC::JIT::emitEnterOptimizationCheck):
1685         * jit/JIT.h:
1686         * jit/JITInlines.h:
1687         (JSC::JIT::callOperation):
1688         * jit/JITOpcodes.cpp:
1689         (JSC::JIT::emit_op_tear_off_activation):
1690         (JSC::JIT::emit_op_tear_off_arguments):
1691         (JSC::JIT::emit_op_push_with_scope):
1692         (JSC::JIT::emit_op_pop_scope):
1693         (JSC::JIT::emit_op_push_name_scope):
1694         (JSC::JIT::emit_op_throw_static_error):
1695         (JSC::JIT::emit_op_debug):
1696         (JSC::JIT::emit_op_profile_will_call):
1697         (JSC::JIT::emit_op_profile_did_call):
1698         (JSC::JIT::emitSlow_op_loop_hint):
1699         * jit/JITOpcodes32_64.cpp:
1700         (JSC::JIT::emit_op_push_with_scope):
1701         (JSC::JIT::emit_op_pop_scope):
1702         (JSC::JIT::emit_op_push_name_scope):
1703         (JSC::JIT::emit_op_throw_static_error):
1704         (JSC::JIT::emit_op_debug):
1705         (JSC::JIT::emit_op_profile_will_call):
1706         (JSC::JIT::emit_op_profile_did_call):
1707         * jit/JITOperations.cpp:
1708         * jit/JITOperations.h:
1709         * jit/JITPropertyAccess.cpp:
1710         (JSC::JIT::emit_op_put_by_index):
1711         (JSC::JIT::emit_op_put_getter_setter):
1712         * jit/JITPropertyAccess32_64.cpp:
1713         (JSC::JIT::emit_op_put_by_index):
1714         (JSC::JIT::emit_op_put_getter_setter):
1715         * jit/JITStubs.cpp:
1716         * jit/JITStubs.h:
1717
1718 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
1719
1720         [sh4] Introduce const pools in LLINT.
1721         https://bugs.webkit.org/show_bug.cgi?id=122746
1722
1723         Reviewed by Michael Saboff.
1724
1725         In current implementation of LLINT for sh4, immediate values outside range -128..127 are
1726         loaded this way:
1727
1728             mov.l .label, rx
1729             bra out
1730             nop
1731             .balign 4
1732             .label: .long immvalue
1733             out:
1734
1735         This change introduces const pools for sh4 implementation to avoid lots of useless branches
1736         and reduce code size. It also removes lines of dirty code, like jmpf and callf.
1737
1738         * offlineasm/instructions.rb: Remove jmpf and callf sh4 specific instructions.
1739         * offlineasm/sh4.rb:
1740
1741 2013-10-15  Mark Lam  <mark.lam@apple.com>
1742
1743         Fix broken C Loop LLINT build.
1744         https://bugs.webkit.org/show_bug.cgi?id=122839.
1745
1746         Reviewed by Michael Saboff.
1747
1748         * dfg/DFGFlushedAt.cpp:
1749         * jit/JITOperations.h:
1750
1751 2013-10-14  Mark Lam  <mark.lam@apple.com>
1752
1753         Transition *switch* and *scope* JITStubs to JIT operations.
1754         https://bugs.webkit.org/show_bug.cgi?id=122757.
1755
1756         Reviewed by Geoffrey Garen.
1757
1758         Transitioning:
1759             cti_op_switch_char
1760             cti_op_switch_imm
1761             cti_op_switch_string
1762             cti_op_resolve_scope
1763             cti_op_get_from_scope
1764             cti_op_put_to_scope
1765
1766         * jit/JIT.h:
1767         * jit/JITInlines.h:
1768         (JSC::JIT::callOperation):
1769         * jit/JITOpcodes.cpp:
1770         (JSC::JIT::emit_op_switch_imm):
1771         (JSC::JIT::emit_op_switch_char):
1772         (JSC::JIT::emit_op_switch_string):
1773         * jit/JITOpcodes32_64.cpp:
1774         (JSC::JIT::emit_op_switch_imm):
1775         (JSC::JIT::emit_op_switch_char):
1776         (JSC::JIT::emit_op_switch_string):
1777         * jit/JITOperations.cpp:
1778         * jit/JITOperations.h:
1779         * jit/JITPropertyAccess.cpp:
1780         (JSC::JIT::emitSlow_op_resolve_scope):
1781         (JSC::JIT::emitSlow_op_get_from_scope):
1782         (JSC::JIT::emitSlow_op_put_to_scope):
1783         * jit/JITPropertyAccess32_64.cpp:
1784         (JSC::JIT::emitSlow_op_resolve_scope):
1785         (JSC::JIT::emitSlow_op_get_from_scope):
1786         (JSC::JIT::emitSlow_op_put_to_scope):
1787         * jit/JITStubs.cpp:
1788         * jit/JITStubs.h:
1789
1790 2013-10-14  Filip Pizlo  <fpizlo@apple.com>
1791
1792         DFG PutById IC should use the ConcurrentJITLocker since it's now dealing with IC's that get read by the compiler thread
1793         https://bugs.webkit.org/show_bug.cgi?id=122786
1794
1795         Reviewed by Mark Hahnenberg.
1796
1797         * bytecode/CodeBlock.cpp:
1798         (JSC::CodeBlock::resetStub): Resetting a stub should acquire the lock since this is observable from the thread; but we should only acquire the lock if we're resetting outside of GC.
1799         * jit/Repatch.cpp:
1800         (JSC::repatchPutByID): Doing the PutById patching should hold the lock.
1801         (JSC::buildPutByIdList): Ditto.
1802
1803 2013-10-14  Nadav Rotem  <nrotem@apple.com>
1804
1805         Add FTL support for LogicalNot(string)
1806         https://bugs.webkit.org/show_bug.cgi?id=122765
1807
1808         Reviewed by Filip Pizlo.
1809
1810         This patch is tested by:
1811         regress/script-tests/emscripten-cube2hash.js.ftl-eager
1812
1813         * ftl/FTLCapabilities.cpp:
1814         (JSC::FTL::canCompile):
1815         * ftl/FTLLowerDFGToLLVM.cpp:
1816         (JSC::FTL::LowerDFGToLLVM::compileLogicalNot):
1817
1818 2013-10-14  Julien Brianceau  <jbriance@cisco.com>
1819
1820         [sh4] Fixes after r157404 and r157411.
1821         https://bugs.webkit.org/show_bug.cgi?id=122782
1822
1823         Reviewed by Michael Saboff.
1824
1825         * dfg/DFGSpeculativeJIT.h:
1826         (JSC::DFG::SpeculativeJIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG.
1827         * jit/CCallHelpers.h:
1828         (JSC::CCallHelpers::setupArgumentsWithExecState):
1829         * jit/JITInlines.h:
1830         (JSC::JIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG.
1831         * jit/JITPropertyAccess32_64.cpp:
1832         (JSC::JIT::emit_op_put_by_id): Remove unwanted BEGIN_UNINTERRUPTED_SEQUENCE.
1833
1834 2013-10-14  Commit Queue  <commit-queue@webkit.org>
1835
1836         Unreviewed, rolling out r157413.
1837         http://trac.webkit.org/changeset/157413
1838         https://bugs.webkit.org/show_bug.cgi?id=122779
1839
1840         Appears to have caused frequent crashes (Requested by ap on
1841         #webkit).
1842
1843         * CMakeLists.txt:
1844         * GNUmakefile.list.am:
1845         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1846         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1847         * JavaScriptCore.xcodeproj/project.pbxproj:
1848         * heap/DeferGC.cpp: Removed.
1849         * heap/DeferGC.h:
1850         * jit/JITStubs.cpp:
1851         (JSC::tryCacheGetByID):
1852         (JSC::DEFINE_STUB_FUNCTION):
1853         * llint/LLIntSlowPaths.cpp:
1854         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1855         * runtime/ConcurrentJITLock.h:
1856         * runtime/InitializeThreading.cpp:
1857         (JSC::initializeThreadingOnce):
1858         * runtime/JSCellInlines.h:
1859         (JSC::allocateCell):
1860         * runtime/Structure.cpp:
1861         (JSC::Structure::materializePropertyMap):
1862         (JSC::Structure::putSpecificValue):
1863         (JSC::Structure::createPropertyMap):
1864         * runtime/Structure.h:
1865
1866 2013-10-14  Mark Hahnenberg  <mhahnenberg@apple.com>
1867
1868         COLLECT_ON_EVERY_ALLOCATION causes assertion failures
1869         https://bugs.webkit.org/show_bug.cgi?id=122652
1870
1871         Reviewed by Filip Pizlo.
1872
1873         COLLECT_ON_EVERY_ALLOCATION wasn't accounting for the new GC deferral mechanism,
1874         so we would end up ASSERTing during garbage collection.
1875
1876         * heap/MarkedAllocator.cpp:
1877         (JSC::MarkedAllocator::allocateSlowCase):
1878
1879 2013-10-11  Oliver Hunt  <oliver@apple.com>
1880
1881         Separate out array iteration intrinsics
1882         https://bugs.webkit.org/show_bug.cgi?id=122656
1883
1884         Reviewed by Michael Saboff.
1885
1886         Separate out the intrinsics for key and values iteration
1887         of arrays.
1888
1889         This requires moving array iteration into the iterator
1890         instance, rather than the prototype, but this is essentially
1891         unobservable so we'll live with it for now.
1892
1893         * jit/ThunkGenerators.cpp:
1894         (JSC::arrayIteratorNextThunkGenerator):
1895         (JSC::arrayIteratorNextKeyThunkGenerator):
1896         (JSC::arrayIteratorNextValueThunkGenerator):
1897         * jit/ThunkGenerators.h:
1898         * runtime/ArrayIteratorPrototype.cpp:
1899         (JSC::ArrayIteratorPrototype::finishCreation):
1900         * runtime/Intrinsic.h:
1901         * runtime/JSArrayIterator.cpp:
1902         (JSC::JSArrayIterator::finishCreation):
1903         (JSC::createIteratorResult):
1904         (JSC::arrayIteratorNext):
1905         (JSC::arrayIteratorNextKey):
1906         (JSC::arrayIteratorNextValue):
1907         (JSC::arrayIteratorNextGeneric):
1908         * runtime/VM.cpp:
1909         (JSC::thunkGeneratorForIntrinsic):
1910
1911 2013-10-11  Mark Hahnenberg  <mhahnenberg@apple.com>
1912
1913         llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
1914         https://bugs.webkit.org/show_bug.cgi?id=122667
1915
1916         Reviewed by Filip Pizlo.
1917
1918         The issue this patch is attempting to fix is that there are places in our codebase
1919         where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
1920         operations that can initiate a garbage collection. Garbage collection then calls 
1921         some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
1922         always necessarily run during garbage collection). This causes a deadlock.
1923
1924         To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores 
1925         into a thread-local field that indicates that it is unsafe to perform any operation 
1926         that could trigger garbage collection on the current thread. In debug builds, 
1927         ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly 
1928         detect deadlocks.
1929
1930         This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
1931         which uses the DeferGC mechanism to prevent collections from occurring while the 
1932         lock is held.
1933
1934         * CMakeLists.txt:
1935         * GNUmakefile.list.am:
1936         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1937         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1938         * JavaScriptCore.xcodeproj/project.pbxproj:
1939         * heap/DeferGC.cpp: Added.
1940         * heap/DeferGC.h:
1941         (JSC::DisallowGC::DisallowGC):
1942         (JSC::DisallowGC::~DisallowGC):
1943         (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
1944         (JSC::DisallowGC::initialize):
1945         * jit/JITStubs.cpp:
1946         (JSC::tryCachePutByID):
1947         (JSC::tryCacheGetByID):
1948         (JSC::DEFINE_STUB_FUNCTION):
1949         * llint/LLIntSlowPaths.cpp:
1950         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1951         * runtime/ConcurrentJITLock.h:
1952         (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
1953         (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
1954         (JSC::ConcurrentJITLockerBase::unlockEarly):
1955         (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
1956         (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
1957         * runtime/InitializeThreading.cpp:
1958         (JSC::initializeThreadingOnce):
1959         * runtime/JSCellInlines.h:
1960         (JSC::allocateCell):
1961         * runtime/Structure.cpp:
1962         (JSC::Structure::materializePropertyMap):
1963         (JSC::Structure::putSpecificValue):
1964         (JSC::Structure::createPropertyMap):
1965         * runtime/Structure.h:
1966
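        The following is an added illustration of the DisallowGC / GCSafeConcurrentJITLocker scheme the
        entry above describes; it is not JavaScriptCore's code. The Heap, CodeBlock, DeferGC and locker
        types below are simplified stand-ins, and collectIfNecessary() reports a violation as a return value
        where the real debug build would ASSERT. It shows why a lock that GC also takes must either forbid
        allocation inside its critical section (and detect it eagerly) or defer collection until after unlock.

```cpp
#include <cstdio>
#include <mutex>

// Added illustration of the DisallowGC / DeferGC scheme described in the entry
// above. All names and bodies here are simplified assumptions for the demo and
// are not JavaScriptCore's implementation.

// Per-thread state (thread_local stands in for the thread-local field the entry describes).
static thread_local int gcDisallowDepth = 0;  // > 0: a collection here would be a bug
static thread_local int gcDeferDepth = 0;     // > 0: collection requests are postponed
static thread_local bool gcPending = false;   // a postponed request is waiting

enum class GCOutcome { Collected, Deferred, DisallowedViolation };

struct Heap {
    int collections = 0;

    // Model of "an operation that can initiate a garbage collection".
    GCOutcome collectIfNecessary() {
        if (gcDisallowDepth > 0)
            return GCOutcome::DisallowedViolation;  // JSC's debug build would ASSERT here
        if (gcDeferDepth > 0) {
            gcPending = true;
            return GCOutcome::Deferred;
        }
        ++collections;
        return GCOutcome::Collected;
    }
};

// RAII marker: the current thread must not run a collection while this is alive.
struct DisallowGC {
    DisallowGC() { ++gcDisallowDepth; }
    ~DisallowGC() { --gcDisallowDepth; }
    static bool isGCDisallowedOnCurrentThread() { return gcDisallowDepth > 0; }
};

// RAII deferral: collections requested while alive run when the outermost DeferGC dies.
struct DeferGC {
    Heap& heap;
    explicit DeferGC(Heap& h) : heap(h) { ++gcDeferDepth; }
    ~DeferGC() {
        if (--gcDeferDepth == 0 && gcPending) {
            gcPending = false;
            heap.collectIfNecessary();
        }
    }
};

struct CodeBlock { std::mutex lock; };  // GC also takes this lock, hence the deadlock risk

// Debug-build ConcurrentJITLocker: hold the lock and forbid GC, so an allocation
// inside the critical section is flagged at once instead of deadlocking later.
struct ConcurrentJITLocker {
    std::unique_lock<std::mutex> guard;
    DisallowGC noGC;
    explicit ConcurrentJITLocker(CodeBlock& cb) : guard(cb.lock) {}
};

// GCSafeConcurrentJITLocker: hold the lock but defer GC instead of forbidding it.
// 'defer' is declared first so it is destroyed last, i.e. the deferred collection
// runs only after 'guard' has released the lock.
struct GCSafeConcurrentJITLocker {
    DeferGC defer;
    std::unique_lock<std::mutex> guard;
    GCSafeConcurrentJITLocker(CodeBlock& cb, Heap& heap) : defer(heap), guard(cb.lock) {}
};

// Allocation-style operation under the plain locker: the violation is detected.
GCOutcome allocateUnderPlainLocker(CodeBlock& cb, Heap& heap) {
    ConcurrentJITLocker locker(cb);
    return heap.collectIfNecessary();
}

// The same operation under the GC-safe locker: deferred, then run after unlock.
GCOutcome allocateUnderGCSafeLocker(CodeBlock& cb, Heap& heap) {
    GCSafeConcurrentJITLocker locker(cb, heap);
    return heap.collectIfNecessary();
}

// Runs both scenarios on a fresh heap and checks they behave as the entry describes.
bool demoBehavesAsDescribed() {
    Heap heap;
    CodeBlock cb;
    bool violationCaught = allocateUnderPlainLocker(cb, heap) == GCOutcome::DisallowedViolation;
    bool nothingCollectedYet = heap.collections == 0;
    bool deferred = allocateUnderGCSafeLocker(cb, heap) == GCOutcome::Deferred;
    bool collectedAfterUnlock = heap.collections == 1;
    return violationCaught && nothingCollectedYet && deferred && collectedAfterUnlock
        && !DisallowGC::isGCDisallowedOnCurrentThread();
}

int main() {
    std::printf("DisallowGC/DeferGC demo behaves as described: %s\n",
                demoBehavesAsDescribed() ? "yes" : "no");
    return 0;
}
```

        The plain locker catches the bug at the allocation site on the thread that holds the lock, which is
        what makes the deadlock diagnosable; the GC-safe locker trades that check for a deferral, so the
        collection is still performed, just after the lock is gone.
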
1967 2013-10-14  Filip Pizlo  <fpizlo@apple.com>
1968
1969         Baseline JIT should use the DFG's PutById IC
1970         https://bugs.webkit.org/show_bug.cgi?id=122704
1971
1972         Reviewed by Mark Hahnenberg.
1973         
1974         Mostly no big deal, just removing the old Baseline JIT's put_by_id IC support and forcing
1975         that JIT to use the DFG's (i.e. JITOperations) PutById IC.
1976         
1977         The only complicated part was that the PutById operations assumed that we first did a
1978         cell speculation, which the baseline JIT obviously won't do. So I changed all of those
1979         slow paths to deal with EncodedJSValue's.
1980
1981         * bytecode/CodeBlock.cpp:
1982         (JSC::CodeBlock::resetStubInternal):
1983         * bytecode/PutByIdStatus.cpp:
1984         (JSC::PutByIdStatus::computeFor):
1985         * dfg/DFGSpeculativeJIT.h:
1986         (JSC::DFG::SpeculativeJIT::callOperation):
1987         * dfg/DFGSpeculativeJIT32_64.cpp:
1988         (JSC::DFG::SpeculativeJIT::cachedPutById):
1989         * dfg/DFGSpeculativeJIT64.cpp:
1990         (JSC::DFG::SpeculativeJIT::cachedPutById):
1991         * jit/CCallHelpers.h:
1992         (JSC::CCallHelpers::setupArgumentsWithExecState):
1993         * jit/JIT.cpp:
1994         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
1995         * jit/JIT.h:
1996         (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
1997         (JSC::PropertyStubCompilationInfo::slowCaseInfo):
1998         * jit/JITInlines.h:
1999         (JSC::JIT::callOperation):
2000         * jit/JITOperationWrappers.h:
2001         * jit/JITOperations.cpp:
2002         * jit/JITOperations.h:
2003         * jit/JITPropertyAccess.cpp:
2004         (JSC::JIT::compileGetByIdHotPath):
2005         (JSC::JIT::compileGetByIdSlowCase):
2006         (JSC::JIT::emit_op_put_by_id):
2007         (JSC::JIT::emitSlow_op_put_by_id):
2008         * jit/JITPropertyAccess32_64.cpp:
2009         (JSC::JIT::compileGetByIdSlowCase):
2010         (JSC::JIT::emit_op_put_by_id):
2011         (JSC::JIT::emitSlow_op_put_by_id):
2012         * jit/JITStubs.cpp:
2013         * jit/JITStubs.h:
2014         * jit/Repatch.cpp:
2015         (JSC::appropriateGenericPutByIdFunction):
2016         (JSC::appropriateListBuildingPutByIdFunction):
2017         (JSC::resetPutByID):
2018
2019 2013-10-13  Filip Pizlo  <fpizlo@apple.com>
2020
2021         FTL should have an inefficient but correct implementation of GetById
2022         https://bugs.webkit.org/show_bug.cgi?id=122740
2023
2024         Reviewed by Mark Hahnenberg.
2025         
2026         It took some effort to realize that the node->prediction() check in the DFG backends
2027         are completely unnecessary since the ByteCodeParser will always insert a ForceOSRExit
2028         if !prediction.
2029         
2030         But other than that this was an easy patch.
2031
2032         * dfg/DFGByteCodeParser.cpp:
2033         (JSC::DFG::ByteCodeParser::handleGetById):
2034         * dfg/DFGSpeculativeJIT32_64.cpp:
2035         (JSC::DFG::SpeculativeJIT::compile):
2036         * dfg/DFGSpeculativeJIT64.cpp:
2037         (JSC::DFG::SpeculativeJIT::compile):
2038         * ftl/FTLCapabilities.cpp:
2039         (JSC::FTL::canCompile):
2040         * ftl/FTLIntrinsicRepository.h:
2041         * ftl/FTLLowerDFGToLLVM.cpp:
2042         (JSC::FTL::LowerDFGToLLVM::compileNode):
2043         (JSC::FTL::LowerDFGToLLVM::compileGetById):
2044
2045 2013-10-13  Mark Lam  <mark.lam@apple.com>
2046
2047         Transition misc cti_op_* JITStubs to JIT operations.
2048         https://bugs.webkit.org/show_bug.cgi?id=122645.
2049
2050         Reviewed by Michael Saboff.
2051
2052         Stubs converted:
2053             cti_op_check_has_instance
2054             cti_op_create_arguments
2055             cti_op_del_by_id
2056             cti_op_instanceof
2057             cti_to_object
2058             cti_op_push_activation
2059             cti_op_get_pnames
2060             cti_op_load_varargs
2061
2062         * dfg/DFGOperations.cpp:
2063         * dfg/DFGOperations.h:
2064         * jit/CCallHelpers.h:
2065         (JSC::CCallHelpers::setupArgumentsWithExecState):
2066         * jit/JIT.h:
2067         (JSC::JIT::emitStoreCell):
2068         * jit/JITCall.cpp:
2069         (JSC::JIT::compileLoadVarargs):
2070         * jit/JITCall32_64.cpp:
2071         (JSC::JIT::compileLoadVarargs):
2072         * jit/JITInlines.h:
2073         (JSC::JIT::callOperation):
2074         * jit/JITOpcodes.cpp:
2075         (JSC::JIT::emit_op_get_pnames):
2076         (JSC::JIT::emit_op_create_activation):
2077         (JSC::JIT::emit_op_create_arguments):
2078         (JSC::JIT::emitSlow_op_check_has_instance):
2079         (JSC::JIT::emitSlow_op_instanceof):
2080         (JSC::JIT::emitSlow_op_get_argument_by_val):
2081         * jit/JITOpcodes32_64.cpp:
2082         (JSC::JIT::emitSlow_op_check_has_instance):
2083         (JSC::JIT::emitSlow_op_instanceof):
2084         (JSC::JIT::emit_op_get_pnames):
2085         (JSC::JIT::emit_op_create_activation):
2086         (JSC::JIT::emit_op_create_arguments):
2087         (JSC::JIT::emitSlow_op_get_argument_by_val):
2088         * jit/JITOperations.cpp:
2089         * jit/JITOperations.h:
2090         * jit/JITPropertyAccess.cpp:
2091         (JSC::JIT::emit_op_del_by_id):
2092         * jit/JITPropertyAccess32_64.cpp:
2093         (JSC::JIT::emit_op_del_by_id):
2094         * jit/JITStubs.cpp:
2095         * jit/JITStubs.h:
2096
2097 2013-10-13  Filip Pizlo  <fpizlo@apple.com>
2098
2099         FTL OSR exit should perform zero extension on values smaller than 64-bit
2100         https://bugs.webkit.org/show_bug.cgi?id=122688
2101
2102         Reviewed by Gavin Barraclough.
2103         
2104         In the DFG we usually make the simplistic assumption that a 32-bit value in a 64-bit
2105         register will have zeros on the high bits.  In the few cases where the high bits are
2106         non-zero, the DFG sort of tells us this explicitly.
2107
2108         But when working with llvm.webkit.stackmap, it doesn't work that way.  Consider that we might
2109         emit LLVM IR like:
2110
2111             %2 = trunc i64 %1 to i32
2112             stuff %2
2113             call @llvm.webkit.stackmap(...., %2)
2114
2115         LLVM may never actually emit a truncation instruction of any kind.  And that's great - in
2116         many cases it won't be needed, like if 'stuff %2' is a 32-bit op that ignores the high
2117         bits anyway.  Hence LLVM may tell us that %2 is in the register that still had the value
2118         from before truncation, and that register may have garbage in the high bits.
2119
2120         This means that on our end, if we want a 32-bit value and we want that value to be
2121         zero-extended, we should zero-extend it ourselves.  This is pretty easy and should be
2122         cheap, so we should just do it and not make it a requirement that LLVM does it on its
2123         end.
2124         
2125         This makes all tests pass with JSC_ftlOSRExitUsesStackmap=true.
2126
2127         * ftl/FTLOSRExitCompiler.cpp:
2128         (JSC::FTL::compileStubWithOSRExitStackmap):
2129         * ftl/FTLValueFormat.cpp:
2130         (JSC::FTL::reboxAccordingToFormat):
2131
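        The following is an added illustration of the zero-extension point in the entry above; it is not
        JavaScriptCore's code. The box layout (an int32 tag in the upper 32 bits, small constants for true
        and false), the register contents and the function names are constructed for the demo. It contrasts
        reboxing that trusts the high bits of a register reported by the stackmap with reboxing that
        zero-extends first, for both an i32 and an i1.

```cpp
#include <cstdint>
#include <cstdio>

// Added illustration of the zero-extension issue described in the entry above.
// The boxing scheme is a simplified assumption for this demo, not JSC's JSValue
// encoding, and the function names are hypothetical.

// Assumed box layout: an int32 carries kInt32Tag in its upper 32 bits.
static const uint64_t kInt32Tag = 0xffff000000000000ULL;
static const uint64_t kValueFalse = 0x06;
static const uint64_t kValueTrue = 0x07;

enum class ValueFormat { Int32, Boolean, JSValue };

// Rebox a value that the stackmap reported in a 64-bit register. With
// zeroExtendFirst == false we trust the high bits, which is exactly what the
// entry says we must not do: LLVM may have elided the trunc, so the register can
// still hold garbage above bit 31 (or above bit 0 for an i1).
uint64_t reboxAccordingToFormat(uint64_t reg, ValueFormat format, bool zeroExtendFirst) {
    switch (format) {
    case ValueFormat::Int32: {
        uint64_t payload = zeroExtendFirst ? static_cast<uint64_t>(static_cast<uint32_t>(reg)) : reg;
        return kInt32Tag | payload;
    }
    case ValueFormat::Boolean: {
        uint64_t payload = zeroExtendFirst ? (reg & 1) : reg;
        return payload ? kValueTrue : kValueFalse;
    }
    case ValueFormat::JSValue:
        return reg;  // already a full 64-bit value; nothing to extend
    }
    return reg;
}

// A well-formed int32 box has exactly the tag in its upper 32 bits.
bool isValidInt32Box(uint64_t v) { return (v >> 32) == (kInt32Tag >> 32); }
int32_t unboxInt32(uint64_t v) { return static_cast<int32_t>(static_cast<uint32_t>(v)); }

// Constructed register contents: low 32 bits hold the i32 value 5, the high bits
// are leftovers from before the (elided) truncation.
static const uint64_t kDirtyFive = 0xdeadbeef00000005ULL;
// Constructed i1 'false' whose high bits are likewise stale.
static const uint64_t kDirtyFalse = 0xcafebabe00000000ULL;

int main() {
    uint64_t trusting = reboxAccordingToFormat(kDirtyFive, ValueFormat::Int32, false);
    uint64_t extended = reboxAccordingToFormat(kDirtyFive, ValueFormat::Int32, true);
    std::printf("i32 trusting high bits: %016llx valid=%d\n",
                (unsigned long long)trusting, isValidInt32Box(trusting));
    std::printf("i32 zero-extended:      %016llx valid=%d value=%d\n",
                (unsigned long long)extended, isValidInt32Box(extended), unboxInt32(extended));
    std::printf("i1 false, trusting: %s; zero-extended: %s\n",
                reboxAccordingToFormat(kDirtyFalse, ValueFormat::Boolean, false) == kValueTrue ? "true" : "false",
                reboxAccordingToFormat(kDirtyFalse, ValueFormat::Boolean, true) == kValueTrue ? "true" : "false");
    return 0;
}
```

        The trusting path turns a perfectly good 5 into a box whose tag bits are corrupted, and turns an i1
        false into true; the zero-extending path costs one mask per value, which is the cheap fix the entry
        argues for rather than relying on LLVM to materialise the truncation.
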
2132 == Rolled over to ChangeLog-2013-10-13 ==