CodeBlock crashes when dumping op_push_name_scope
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-02-25  Benjamin Poulain  <bpoulain@apple.com>

        CodeBlock crashes when dumping op_push_name_scope
        https://bugs.webkit.org/show_bug.cgi?id=141953

        Reviewed by Filip Pizlo and Csaba Osztrogonác.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * tests/stress/op-push-name-scope-crashes-profiler.js: Added.

2015-02-25  Benjamin Poulain  <benjamin@webkit.org>

        Make ParserError immutable by design
        https://bugs.webkit.org/show_bug.cgi?id=141955

        Reviewed by Geoffrey Garen.

        This patch enforces that no field of ParserError can
        be modified after the constructor.

        * parser/ParserError.h:
        Move the attributes to pack the integer + 2 bytes together.
        This is irrelevant for memory impact; it is to remove a load-store
        when copying by value.

        Also move the attributes to be private.

        (JSC::ParserError::isValid):
        No client of the interface cared about the type of the error;
        the only information needed was: is there an error.

        (JSC::ParserError::ParserError):
        (JSC::ParserError::syntaxErrorType):
        (JSC::ParserError::token):
        (JSC::ParserError::message):
        (JSC::ParserError::line):
        (JSC::ParserError::toErrorObject):
        * API/JSScriptRef.cpp:
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
        (JSC::UnlinkedFunctionExecutable::codeBlockFor):
        * bytecode/UnlinkedCodeBlock.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::parse):
        * jsc.cpp:
        (runInteractive):
        * parser/Parser.h:
        (JSC::parse):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CodeCache.h:
        * runtime/Completion.h:
        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::checkSyntax):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createProgramCodeBlock):
        (JSC::JSGlobalObject::createEvalCodeBlock):

2015-02-25  Filip Pizlo  <fpizlo@apple.com>

        Need to pass RTLD_DEEPBIND to dlopen() to ensure that our LLVMOverrides take effect on Linux
        https://bugs.webkit.org/show_bug.cgi?id=142006

        Reviewed by Csaba Osztrogonác.

        This fixes hard-to-reproduce concurrency-related crashes when running stress tests with FTL and
        concurrent JIT enabled.

        * llvm/InitializeLLVMPOSIX.cpp:
        (JSC::initializeLLVMPOSIX):

2015-02-24  Filip Pizlo  <fpizlo@apple.com>

        CMake build of libllvmForJSC.so should limit its export list like the Xcode build does
        https://bugs.webkit.org/show_bug.cgi?id=141989

        Reviewed by Gyuyoung Kim.

        * CMakeLists.txt:
        * llvm/library/libllvmForJSC.version: Added.

2015-02-24  Alexey Proskuryakov  <ap@apple.com>

        More iOS build fix after r180602.

        * heap/Heap.h: Export Heap::machineThreads().

2015-02-24  Brent Fulgham  <bfulgham@apple.com>

        Unreviewed build fix after r180602.

        * heap/MachineStackMarker.h: Add missing 'no return'
        declaration for Windows.

2015-02-24  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r180599.
        https://bugs.webkit.org/show_bug.cgi?id=141998

        Lots of new test failures (Requested by smfr on #webkit).

        Reverted changeset:

        "Parsing support for -webkit-trailing-word"
        https://bugs.webkit.org/show_bug.cgi?id=141939
        http://trac.webkit.org/changeset/180599

2015-02-24  Mark Lam  <mark.lam@apple.com>

        MachineThreads::Thread clean up has a use after free race condition.
        <https://webkit.org/b/141990>

        Reviewed by Michael Saboff.

        MachineThreads::Thread clean up relies on the clean up mechanism
        implemented in _pthread_tsd_cleanup_key(), which looks like this:

        void _pthread_tsd_cleanup_key(pthread_t self, pthread_key_t key)
        {
            void (*destructor)(void *);
            if (_pthread_key_get_destructor(key, &destructor)) {
                void **ptr = &self->tsd[key];
                void *value = *ptr;

                // At this point, this thread has cached "destructor" and "value"
                // (which is a MachineThreads*).  If the VM gets destructed (along
                // with its MachineThreads registry) by another thread, then this
                // thread will have no way of knowing that the MachineThreads* is
                // now pointing to freed memory.  Calling the destructor below will
                // therefore result in a use after free scenario when it tries to
                // access the MachineThreads' data members.

                if (value) {
                    *ptr = NULL;
                    if (destructor) {
                        destructor(value);
                    }
                }
            }
        }

        The solution is simply to change MachineThreads from a per VM thread
        registry to a process global singleton thread registry i.e. the
        MachineThreads registry is now immortal and we cannot have a use after
        free scenario since we never free it.

        The cost of this change is that all VM instances will have to scan
        stacks of all threads ever touched by a VM, and not just those that
        touched a specific VM.  However, stacks tend to be shallow.  Hence,
        those additional scans will tend to be cheap.

        Secondly, it is not common for there to be multiple JSC VMs in use
        concurrently on multiple threads.  Hence, this cost should rarely
        manifest in real world applications.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::machineThreads):
        (JSC::Heap::gatherStackRoots):
        * heap/Heap.h:
        (JSC::Heap::machineThreads): Deleted.
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThreads):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::addCurrentThread):
        * heap/MachineStackMarker.h:
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
174
175 2015-02-24  Myles C. Maxfield  <mmaxfield@apple.com>
176
177         [Mac] [iOS] Parsing support for -apple-trailing-word
178         https://bugs.webkit.org/show_bug.cgi?id=141939
179
180         Reviewed by Andreas Kling.
181
182         * Configurations/FeatureDefines.xcconfig:
183
184 2015-02-24  Ryosuke Niwa  <rniwa@webkit.org>
185
186         Use "this" instead of "callee" to get the constructor
187         https://bugs.webkit.org/show_bug.cgi?id=141019
188
189         Reviewed by Filip Pizlo.
190
191         This patch uses "this" register to pass the constructor (newTarget) to op_create_this from
192         op_construct or op_construct_varargs. This will allow future patches that implement ES6 class
193         to pass in the most derived class' constructor through "this" argument.
194
195         BytecodeGenerator's emitConstruct and emitConstructVarargs now passes thisRegister like
196         regular calls and emitCreateThis passes in this register to op_create_this as constructor.
197
198         The rest of the code change removes the code for special casing "this" register not being used
199         in call to construct.
200
201         * bytecode/BytecodeUseDef.h:
202         (JSC::computeUsesForBytecodeOffset):
203         * bytecompiler/BytecodeGenerator.cpp:
204         (JSC::BytecodeGenerator::emitCreateThis):
205         (JSC::BytecodeGenerator::emitConstructVarargs):
206         (JSC::BytecodeGenerator::emitConstruct):
207         * bytecompiler/BytecodeGenerator.h:
208         * bytecompiler/NodesCodegen.cpp:
209         (JSC::NewExprNode::emitBytecode):
210         * dfg/DFGByteCodeParser.cpp:
211         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
212         (JSC::DFG::ByteCodeParser::handleVarargsCall):
213         (JSC::DFG::ByteCodeParser::emitArgumentPhantoms):
214         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
215         (JSC::DFG::ByteCodeParser::handleInlining):
216         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
217         (JSC::DFG::ByteCodeParser::parseBlock):
218         * dfg/DFGJITCode.cpp:
219         (JSC::DFG::JITCode::reconstruct):
220         * dfg/DFGSpeculativeJIT32_64.cpp:
221         (JSC::DFG::SpeculativeJIT::emitCall):
222         * dfg/DFGSpeculativeJIT64.cpp:
223         (JSC::DFG::SpeculativeJIT::emitCall):
224         * ftl/FTLJSCallVarargs.cpp:
225         (JSC::FTL::JSCallVarargs::emit):
226         * ftl/FTLLowerDFGToLLVM.cpp:
227         (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
228         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
229         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
230         * interpreter/Interpreter.cpp:
231         (JSC::Interpreter::executeConstruct):
232         * jit/JITOperations.cpp:
233
234 2015-02-24  Joseph Pecoraro  <pecoraro@apple.com>
235
236         Web Inspector: Make Getter/Setter RemoteObject property and ObjectPreview handling consistent
237         https://bugs.webkit.org/show_bug.cgi?id=141587
238
239         Reviewed by Timothy Hatcher.
240
241         Convert getProperties(ownAndGetterProperties) to getDisplayableProperties().
242         Mark PropertyDescriptors that are presumed to be native getters / bindings
243         separately so that the frontend may display them differently.
244
245         * inspector/InjectedScript.cpp:
246         (Inspector::InjectedScript::getProperties):
247         (Inspector::InjectedScript::getDisplayableProperties):
248         * inspector/InjectedScript.h:
249         * inspector/InjectedScriptSource.js:
250         * inspector/agents/InspectorRuntimeAgent.cpp:
251         (Inspector::InspectorRuntimeAgent::getProperties):
252         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
253         * inspector/agents/InspectorRuntimeAgent.h:
254         * inspector/protocol/Runtime.json:
255
2015-02-24  Mark Lam  <mark.lam@apple.com>

        Rolling out r179753.  The fix was invalid.
        <https://webkit.org/b/141990>

        Not reviewed.

        * API/tests/testapi.mm:
        (threadMain):
        (useVMFromOtherThread): Deleted.
        (useVMFromOtherThreadAndOutliveVM): Deleted.
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::~Heap):
        (JSC::Heap::gatherStackRoots):
        * heap/Heap.h:
        (JSC::Heap::machineThreads):
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::Thread::Thread):
        (JSC::MachineThreads::MachineThreads):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::removeThread):
        (JSC::MachineThreads::removeCurrentThread):
        * heap/MachineStackMarker.h:

2015-02-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        Constructor returning null should construct an object instead of null
        https://bugs.webkit.org/show_bug.cgi?id=141640

        Reviewed by Filip Pizlo.

        When constructor code doesn't return an object, the constructor should return the `this` object instead.
        Since we used `op_is_object` for this check and `op_is_object` is intended to be used for `typeof`,
        it allows `null` as an object.
        This patch fixes it by introducing a new bytecode `op_is_object_or_null` for `typeof` use cases.
        Instead, the constructor uses the simplified `is_object`.

        As a result, `op_is_object` becomes fairly simple. So we introduce optimizations for `op_is_object`.

        1. LLInt and baseline JIT support `op_is_object` as a fast path.
        2. The DFG abstract interpreter supports `op_is_object` and recognizes its speculated type and read-write effects.
        3. DFG introduces inlined asm for `op_is_object` rather than calling a C++ function.
        4. FTL lowers DFG's IsObject into LLVM IR.

        At the same time, this patch fixes the isString / isObject predicates used for `op_is_object` and others
        in LLInt, JIT, DFG and FTL.
        Before introducing ES6 Symbol, JSCell was only used for object and string in the user observable area.
        So in many places, when the cell is not an object, we recognize it as a string, and vice versa.
        However, now that ES6 Symbol is implemented as a JSCell, this assumption is broken.
        So this patch stops using !isString as isObject.
        To check whether a cell is an object, instead of seeing that the structure ID of a cell is not stringStructure,
        we examine typeInfo in JSCell.

        * JavaScriptCore.order:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEqualityOp):
        (JSC::BytecodeGenerator::emitReturn):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

        The IsObject operation only touches the JSCell typeInfoType.
        And this value would be changed through structure transition.
        As a result, IsObject can report that it doesn't read any information.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

        Just like IsString, IsObject is also fixed up.

        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality):
        (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality):
        (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
        (JSC::DFG::SpeculativeJIT::speculateObject):
        (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
        (JSC::DFG::SpeculativeJIT::speculateString):
        (JSC::DFG::SpeculativeJIT::speculateNotStringVar):
        (JSC::DFG::SpeculativeJIT::emitSwitchChar):
        (JSC::DFG::SpeculativeJIT::emitSwitchString):
        (JSC::DFG::SpeculativeJIT::branchIsObject):
        (JSC::DFG::SpeculativeJIT::branchNotObject):
        (JSC::DFG::SpeculativeJIT::branchIsString):
        (JSC::DFG::SpeculativeJIT::branchNotString):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileToString):
        (JSC::FTL::LowerDFGToLLVM::compileIsObject):
        (JSC::FTL::LowerDFGToLLVM::compileIsObjectOrNull):
        (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::isObject):
        (JSC::FTL::LowerDFGToLLVM::isNotObject):
        (JSC::FTL::LowerDFGToLLVM::isNotString):
        (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::emitJumpIfCellObject):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_is_object):
        (JSC::JIT::emit_op_to_primitive):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_is_object):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::compileOpStrictEq):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/Operations.cpp:
        (JSC::jsIsObjectTypeOrNull):
        (JSC::jsIsObjectType): Deleted.
        * runtime/Operations.h:
        * tests/stress/constructor-with-return.js: Added.
        (Test):

        When a constructor doesn't return an object, `this` should be returned instead.
        In this test, we check all primitives, and test object, array and wrappers.

        * tests/stress/dfg-to-primitive-pass-symbol.js: Added.
        (toPrimitiveTarget):
        (doToPrimitive):

        The op_to_primitive operation passes Symbol in the fast path.

2015-02-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        REGRESSION(r179429): Can't type comments in Facebook
        https://bugs.webkit.org/show_bug.cgi?id=141859

        Reviewed by Brent Fulgham.

        When window.Symbol is exposed to user-space pages,
        Facebook's JavaScript uses it (maybe for immutable-js and React.js's unique key).
        However, to work with Symbols completely, it also requires
        1) Object.getOwnPropertySymbols (for mixins including Symbols)
        2) the latest ES6 Iterator interface that uses Iterator.next and returns { done: boolean, value: value }.
        Since they have not landed yet, comments in Facebook don't work.

        This patch introduces RuntimeFlags for JavaScriptCore.
        The SymbolEnabled flag is specified under the test runner and inspector so they continue to work with Symbol.
        It also drops the JavaScriptExperimentsEnabled flag
        because it is no longer used and its use case is duplicated by runtime flags.

        * JavaScriptCore.order:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jsc.cpp:
        (GlobalObject::javaScriptRuntimeFlags):
        (GlobalObject::javaScriptExperimentsEnabled): Deleted.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::finishCreation):
        (JSC::JSGlobalObject::javaScriptRuntimeFlags):
        (JSC::JSGlobalObject::javaScriptExperimentsEnabled): Deleted.
        * runtime/RuntimeFlags.h: Added.
        (JSC::RuntimeFlags::RuntimeFlags):
        (JSC::RuntimeFlags::createAllEnabled):

2015-02-23  Filip Pizlo  <fpizlo@apple.com>

        Our bizarre behavior on Arguments::defineOwnProperty should be deliberate rather than a spaghetti incident
        https://bugs.webkit.org/show_bug.cgi?id=141951

        Reviewed by Benjamin Poulain.

        This patch has no behavioral change, but it simplifies a bunch of wrong code. The code is
        still wrong in exactly the same way, but at least it's obvious what's going on. The wrongness
        is covered by this bug: https://bugs.webkit.org/show_bug.cgi?id=141952.

        * runtime/Arguments.cpp:
        (JSC::Arguments::copyBackingStore): We should only see the arguments token; assert otherwise. This works because if the GC sees the butterfly token it calls the JSObject::copyBackingStore method directly.
        (JSC::Arguments::defineOwnProperty): Make our bizarre behavior deliberate rather than an accident of a decade of patches.
        * tests/stress/arguments-bizarre-behavior.js: Added.
        (foo):
        * tests/stress/arguments-bizarre-behaviour-disable-enumerability.js: Added. My choice of spellings of the word "behavio[u]r" is almost as consistent as our implementation of arguments.
        (foo):
        * tests/stress/arguments-custom-properties-gc.js: Added. I added this test because at first I was unsure if we GCd arguments correctly.
        (makeBaseArguments):
        (makeArray):
        (cons):

2015-02-23  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r180547 and r180550.
        https://bugs.webkit.org/show_bug.cgi?id=141957

        Broke 10 Windows tests. (Requested by bfulgham_ on #webkit).

        Reverted changesets:

        "REGRESSION(r179429): Can't type comments in Facebook"
        https://bugs.webkit.org/show_bug.cgi?id=141859
        http://trac.webkit.org/changeset/180547

        "Constructor returning null should construct an object instead
        of null"
        https://bugs.webkit.org/show_bug.cgi?id=141640
        http://trac.webkit.org/changeset/180550

2015-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>

        Constructor returning null should construct an object instead of null
        https://bugs.webkit.org/show_bug.cgi?id=141640

        Reviewed by Geoffrey Garen.

        When constructor code doesn't return an object, the constructor should return the `this` object instead.
        Since we used `op_is_object` for this check and `op_is_object` is intended to be used for `typeof`,
        it allows `null` as an object.
        This patch fixes it by introducing a new bytecode `op_is_object_or_null` for `typeof` use cases.
        Instead, the constructor uses the simplified `is_object`.

        As a result, `op_is_object` becomes fairly simple. So we introduce optimizations for `op_is_object`.

        1. LLInt and baseline JIT support `op_is_object` as a fast path.
        2. The DFG abstract interpreter supports `op_is_object` and recognizes its speculated type and read-write effects.
        3. DFG introduces inlined asm for `op_is_object` rather than calling a C++ function.
        4. FTL lowers DFG's IsObject into LLVM IR.

        At the same time, this patch fixes the isString / isObject predicates used for `op_is_object` and others
        in LLInt, JIT, DFG and FTL.
        Before introducing ES6 Symbol, JSCell was only used for object and string in the user observable area.
        So in many places, when the cell is not an object, we recognize it as a string, and vice versa.
        However, now that ES6 Symbol is implemented as a JSCell, this assumption is broken.
        So this patch stops using !isString as isObject.
        To check whether a cell is an object, instead of seeing that the structure ID of a cell is not stringStructure,
        we examine typeInfo in JSCell.

        * JavaScriptCore.order:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEqualityOp):
        (JSC::BytecodeGenerator::emitReturn):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

        The IsObject operation only touches the JSCell typeInfoType.
        And this value would not be changed through structure transition.
        As a result, IsObject can report that it doesn't read any information.

        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

        Just like IsString, IsObject is also fixed up.

        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality):
        (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality):
        (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
        (JSC::DFG::SpeculativeJIT::speculateObject):
        (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
        (JSC::DFG::SpeculativeJIT::speculateString):
        (JSC::DFG::SpeculativeJIT::speculateNotStringVar):
        (JSC::DFG::SpeculativeJIT::emitSwitchChar):
        (JSC::DFG::SpeculativeJIT::emitSwitchString):
        (JSC::DFG::SpeculativeJIT::branchIsObject):
        (JSC::DFG::SpeculativeJIT::branchNotObject):
        (JSC::DFG::SpeculativeJIT::branchIsString):
        (JSC::DFG::SpeculativeJIT::branchNotString):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileToString):
        (JSC::FTL::LowerDFGToLLVM::compileIsObject):
        (JSC::FTL::LowerDFGToLLVM::compileIsObjectOrNull):
        (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::isObject):
        (JSC::FTL::LowerDFGToLLVM::isNotObject):
        (JSC::FTL::LowerDFGToLLVM::isNotString):
        (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::emitJumpIfCellObject):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_is_object):
        (JSC::JIT::emit_op_to_primitive):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_is_object):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::compileOpStrictEq):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/Operations.cpp:
        (JSC::jsIsObjectTypeOrNull):
        (JSC::jsIsObjectType): Deleted.
        * runtime/Operations.h:

647 2015-02-23  Ryosuke Niwa  <rniwa@webkit.org>
648
649         Disable font loading events until our implementation gets updated to match the latest spec
650         https://bugs.webkit.org/show_bug.cgi?id=141938
651
652         Reviewed by Andreas Kling.
653
654         * Configurations/FeatureDefines.xcconfig:
655
656 2015-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
657
658         REGRESSION(r179429): Can't type comments in Facebook
659         https://bugs.webkit.org/show_bug.cgi?id=141859
660
661         Reviewed by Geoffrey Garen.
662
663         When window.Symbol is exposed to user-space pages,
664         Facebook's JavaScript uses it (maybe for immutable-js and React.js's unique key).
665         However, to work with Symbols completely, it also requires
666         1) Object.getOwnPropertySymbols (for mixins including Symbols)
667         2) the latest ES6 Iterator interface that uses Iterator.next and returns { done: boolean, value: value }.
668         Since they have not landed yet, comments in Facebook don't work.
669
670         This patch introduces RuntimeFlags for JavaScriptCore.
671         The SymbolEnabled flag is specified under the test runner and inspector so they continue to work with Symbol.
672         It also drops the JavaScriptExperimentsEnabled flag
673         because it is no longer used and its use case is duplicated by the runtime flags.
674
675         * JavaScriptCore.order:
676         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
677         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
678         * JavaScriptCore.xcodeproj/project.pbxproj:
679         * jsc.cpp:
680         (GlobalObject::javaScriptRuntimeFlags):
681         (GlobalObject::javaScriptExperimentsEnabled): Deleted.
682         * runtime/JSGlobalObject.cpp:
683         (JSC::JSGlobalObject::JSGlobalObject):
684         (JSC::JSGlobalObject::init):
685         * runtime/JSGlobalObject.h:
686         (JSC::JSGlobalObject::finishCreation):
687         (JSC::JSGlobalObject::javaScriptRuntimeFlags):
688         (JSC::JSGlobalObject::javaScriptExperimentsEnabled): Deleted.
689         * runtime/RuntimeFlags.h: Added.
690         (JSC::RuntimeFlags::RuntimeFlags):
691         (JSC::RuntimeFlags::createAllEnabled):
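
        The following is an added example, not WebKit or Facebook code: a capability
        probe for the three things the entry above says a page needs before it can rely
        on Symbol end to end (a real Symbol constructor, Object.getOwnPropertySymbols,
        and iterators whose next() returns { done, value }), plus a mixin that copies
        symbol-keyed properties only when the probe says the engine can enumerate them.
        The `env` parameter is this example's own injection point for the globals under
        test, so that a partially-implemented engine can be modelled offline; in a real
        page you would pass the actual Symbol and Object.

```javascript
// Added example (not JSC code): detect whether Symbol support is complete enough
// to use, instead of assuming that the presence of window.Symbol implies the rest.
// `env` supplies { Symbol, Object } so incomplete engines can be simulated.
function symbolSupportReport(env) {
  const report = {
    symbol: false,                // Symbol exists and produces real symbols
    getOwnPropertySymbols: false, // needed to copy symbol keys in a mixin
    iteratorProtocol: false,      // next() yields { done, value } objects
    complete: false,
  };
  const Sym = env.Symbol;
  const Obj = env.Object || {};

  if (typeof Sym === 'function') {
    try {
      report.symbol = typeof Sym('probe') === 'symbol';
    } catch (e) {
      report.symbol = false;
    }
  }
  if (!report.symbol) return report;

  report.getOwnPropertySymbols = typeof Obj.getOwnPropertySymbols === 'function';

  if (typeof Sym.iterator === 'symbol') {
    const sample = [1]; // constructed input: a one-element array
    const iterFn = sample[Sym.iterator];
    const it = typeof iterFn === 'function' ? iterFn.call(sample) : null;
    if (it && typeof it.next === 'function') {
      const first = it.next();
      const second = it.next();
      report.iteratorProtocol =
        first !== null && typeof first === 'object' &&
        first.done === false && first.value === 1 &&
        second !== null && typeof second === 'object' && second.done === true;
    }
  }

  report.complete =
    report.symbol && report.getOwnPropertySymbols && report.iteratorProtocol;
  return report;
}

// Mixin that always copies own string keys and copies own symbol keys only when
// the engine can enumerate them. It reports how many symbol keys it copied so a
// caller can tell a silent skip from an empty source.
function mixin(target, source, env) {
  const report = symbolSupportReport(env);
  for (const key of Object.keys(source)) {
    target[key] = source[key];
  }
  let symbolKeysCopied = 0;
  if (report.getOwnPropertySymbols) {
    for (const sym of env.Object.getOwnPropertySymbols(source)) {
      target[sym] = source[sym];
      symbolKeysCopied++;
    }
  }
  return { target, symbolKeysCopied, symbolsSupported: report.complete };
}
```

        Passing `{ Symbol: Symbol, Object: {} }` models the engine state described in
        the entry: Symbol is exposed but Object.getOwnPropertySymbols is missing, so
        `complete` is false and the mixin copies string keys only.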
692
693 2015-02-23  Benjamin Poulain  <bpoulain@apple.com>
694
695         Set the semantic origin of delayed SetLocal to the Bytecode that originated it
696         https://bugs.webkit.org/show_bug.cgi?id=141727
697
698         Reviewed by Filip Pizlo.
699
700         Previously, delayed SetLocals would have the NodeOrigin of the next
701         bytecode. This was because delayed SetLocal are...delayed... and
702         currentCodeOrigin() is the one where the node is emitted.
703
704         This made debugging a little awkward since the OSR exits on SetLocal
705         were reported for the next bytecode. This patch changes the semantic
706         origin to keep the original bytecode.
707
708         From benchmarks, this looks like it could be a tiny bit faster
709         but it is likely just noise.
710
711         * dfg/DFGByteCodeParser.cpp:
712         (JSC::DFG::ByteCodeParser::setDirect):
713         (JSC::DFG::ByteCodeParser::setLocal):
714         (JSC::DFG::ByteCodeParser::setArgument):
715         (JSC::DFG::ByteCodeParser::currentNodeOrigin):
716         (JSC::DFG::ByteCodeParser::addToGraph):
717         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
718         (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute):
719
720 2015-02-23  Benjamin Poulain  <bpoulain@apple.com>
721
722         Remove DFGNode::predictHeap()
723         https://bugs.webkit.org/show_bug.cgi?id=141864
724
725         Reviewed by Geoffrey Garen.
726
727         * dfg/DFGNode.h:
728         (JSC::DFG::Node::predictHeap): Deleted.
729         Unused code.
730
731 2015-02-23  Filip Pizlo  <fpizlo@apple.com>
732
733         Get rid of JSLexicalEnvironment::argumentsGetter
734         https://bugs.webkit.org/show_bug.cgi?id=141930
735
736         Reviewed by Mark Lam.
737         
738         This function is unused, and the way it's written is bizarre - it's a return statement that
739         dominates a bunch of dead code.
740
741         * runtime/JSLexicalEnvironment.cpp:
742         (JSC::JSLexicalEnvironment::argumentsGetter): Deleted.
743         * runtime/JSLexicalEnvironment.h:
744
745 2015-02-23  Filip Pizlo  <fpizlo@apple.com>
746
747         Remove unused activationCount and allTheThingsCount variable declarations.
748
749         Rubber stamped by Mark Lam and Michael Saboff.
750
751         * runtime/JSLexicalEnvironment.h:
752
753 2015-02-23  Saam Barati  <saambarati1@gmail.com>
754
755         Adjust the ranges of basic block statements in JSC's control flow profiler to be mutually exclusive
756         https://bugs.webkit.org/show_bug.cgi?id=141095
757
758         Reviewed by Mark Lam.
759
760         Suppose the control flow of a program forms basic block A with successor block
761         B. A's end offset will be the *same* as B's start offset in the current architecture 
762         of the control flow profiler. This makes reasoning about the text offsets of
763         the control flow profiler unsound. To make reasoning about offsets sound, all 
764         basic block ranges should be mutually exclusive.  All calls to emitProfileControlFlow 
765         now pass in the *start* of a basic block as the text offset argument. This simplifies 
766         all calls to emitProfileControlFlow because the previous implementation had a
767         lot of edge cases for getting the desired basic block text boundaries.
768
769         This patch also ensures that the basic block boundary of a block statement
770         is exactly the block's open and close brace offsets (inclusive). For example,
771         in if/for/while statements. This also has the consequence that for statements
772         like "if (cond) foo();", the whitespace preceding "foo()" is not part of
773         the "foo()" basic block, but instead is part of the "if (cond) " basic block.
774         This is okay because these text offsets aren't meant to be human readable.
775         Instead, they reflect the text offsets of JSC's AST nodes. The Web Inspector
776         is the only client of this API and user of these text offsets and it is
777         not negatively affected by this new behavior.
778
779         * bytecode/CodeBlock.cpp:
780         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
781         When computing basic block boundaries in CodeBlock, we ensure that every
782         block's end offset is one less than its successor's start offset to
783         maintain that boundaries' ranges should be mutually exclusive.
784
785         * bytecompiler/BytecodeGenerator.cpp:
786         (JSC::BytecodeGenerator::BytecodeGenerator):
787         Because the control flow profiler needs to know which functions
788         have executed, we can't lazily create functions. This was a bug 
789         from before that was hidden because the Type Profiler was always 
790         enabled when the control flow profiler was enabled when profiling 
791         was turned on from the Web Inspector. But, JSC allows for Control 
792         Flow profiling to be turned on without Type Profiling, so we need 
793         to ensure the Control Flow profiler has all the data it needs.
794
795         * bytecompiler/NodesCodegen.cpp:
796         (JSC::ConditionalNode::emitBytecode):
797         (JSC::IfElseNode::emitBytecode):
798         (JSC::WhileNode::emitBytecode):
799         (JSC::ForNode::emitBytecode):
800         (JSC::ForInNode::emitMultiLoopBytecode):
801         (JSC::ForOfNode::emitBytecode):
802         (JSC::TryNode::emitBytecode):
803         * jsc.cpp:
804         (functionHasBasicBlockExecuted):
805         We now assert that the substring argument is indeed a substring
806         of the function argument's text because subtle bugs could be
807         introduced otherwise.
808
809         * parser/ASTBuilder.h:
810         (JSC::ASTBuilder::setStartOffset):
811         * parser/Nodes.h:
812         (JSC::Node::setStartOffset):
813         * parser/Parser.cpp:
814         (JSC::Parser<LexerType>::parseBlockStatement):
815         (JSC::Parser<LexerType>::parseStatement):
816         (JSC::Parser<LexerType>::parseMemberExpression):
817         For the various function call AST nodes, their m_position member 
818         variable is now the start of the entire function call expression 
819         and not at the start of the open paren of the arguments list.
820
821         * runtime/BasicBlockLocation.cpp:
822         (JSC::BasicBlockLocation::getExecutedRanges):
823         * runtime/ControlFlowProfiler.cpp:
824         (JSC::ControlFlowProfiler::getBasicBlocksForSourceID):
825         Function ranges inserted as gaps should follow the same criteria
826         that the bytecode generator uses to ensure that basic blocks
827         start and end offsets are mutually exclusive.
828
829         * tests/controlFlowProfiler/brace-location.js: Added.
830         (foo):
831         (bar):
832         (baz):
833         (testIf):
834         (testForRegular):
835         (testForIn):
836         (testForOf):
837         (testWhile):
838         (testIfNoBraces):
839         (testForRegularNoBraces):
840         (testForInNoBraces):
841         (testForOfNoBraces):
842         (testWhileNoBraces):
843         * tests/controlFlowProfiler/conditional-expression.js: Added.
844         (foo):
845         (bar):
846         (baz):
847         (testConditionalBasic):
848         (testConditionalFunctionCall):
849         * tests/controlFlowProfiler/driver/driver.js:
850         (checkBasicBlock):
851
852 2015-02-23  Matthew Mirman  <mmirman@apple.com>
853
854         r9 is volatile on ARMv7 for iOS 3 and up. 
855         https://bugs.webkit.org/show_bug.cgi?id=141489
856         rdar://problem/19432916
857
858         Reviewed by Michael Saboff.
859
860         * jit/RegisterSet.cpp: 
861         (JSC::RegisterSet::calleeSaveRegisters): removed r9 from the list of ARMv7 callee save registers.
862         * tests/stress/regress-141489.js: Added.
863         (foo):
864
865 2015-02-23  Csaba Osztrogonác  <ossy@webkit.org>
866
867         [ARM] Add the necessary setupArgumentsWithExecState after bug141915
868         https://bugs.webkit.org/show_bug.cgi?id=141921
869
870         Reviewed by Michael Saboff.
871
872         * jit/CCallHelpers.h:
873         (JSC::CCallHelpers::setupArgumentsWithExecState):
874
875 2015-02-23  Filip Pizlo  <fpizlo@apple.com>
876
877         Scopes should always be created with a previously-created symbol table rather than creating one on the fly
878         https://bugs.webkit.org/show_bug.cgi?id=141915
879
880         Reviewed by Mark Lam.
881         
882         The main effect of this change is that pushing name scopes no longer requires creating symbol
883         tables on the fly.
884         
885         This also makes it so that JSEnvironmentRecords must always have an a priori symbol table.
886         
887         JSSegmentedVariableObject still does a hack where it creates a blank symbol table on-demand.
888         This is needed because that's what JSGlobalObject and all of its many subclasses want. That's
889         harmless; I mainly needed a priori symbol tables for JSEnvironmentRecords anyway.
890
891         * bytecode/BytecodeList.json:
892         * bytecompiler/BytecodeGenerator.cpp:
893         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
894         (JSC::BytecodeGenerator::emitPushCatchScope):
895         * jit/CCallHelpers.h:
896         (JSC::CCallHelpers::setupArgumentsWithExecState):
897         * jit/JIT.h:
898         * jit/JITInlines.h:
899         (JSC::JIT::callOperation):
900         * jit/JITOpcodes.cpp:
901         (JSC::JIT::emit_op_push_name_scope):
902         * jit/JITOpcodes32_64.cpp:
903         (JSC::JIT::emit_op_push_name_scope):
904         * jit/JITOperations.cpp:
905         (JSC::pushNameScope):
906         * jit/JITOperations.h:
907         * llint/LLIntSlowPaths.cpp:
908         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
909         * llint/LowLevelInterpreter.asm:
910         * runtime/Executable.cpp:
911         (JSC::ScriptExecutable::newCodeBlockFor):
912         * runtime/JSCatchScope.h:
913         (JSC::JSCatchScope::JSCatchScope):
914         (JSC::JSCatchScope::create):
915         * runtime/JSEnvironmentRecord.h:
916         (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
917         * runtime/JSFunctionNameScope.h:
918         (JSC::JSFunctionNameScope::JSFunctionNameScope):
919         (JSC::JSFunctionNameScope::create):
920         * runtime/JSNameScope.cpp:
921         (JSC::JSNameScope::create):
922         * runtime/JSNameScope.h:
923         (JSC::JSNameScope::create):
924         (JSC::JSNameScope::finishCreation):
925         (JSC::JSNameScope::JSNameScope):
926         * runtime/JSSegmentedVariableObject.h:
927         (JSC::JSSegmentedVariableObject::finishCreation):
928         * runtime/JSSymbolTableObject.h:
929         (JSC::JSSymbolTableObject::JSSymbolTableObject):
930         (JSC::JSSymbolTableObject::finishCreation): Deleted.
931         * runtime/SymbolTable.h:
932         (JSC::SymbolTable::createNameScopeTable):
933
934 2015-02-23  Filip Pizlo  <fpizlo@apple.com>
935
936         Add a comment to clarify that the test was taken from the bug report, in response to
937         feedback from Michael Saboff and Benjamin Poulain.
938         
939         * tests/stress/regress-141883.js:
940
941 2015-02-22  Filip Pizlo  <fpizlo@apple.com>
942
943         Function name scope is only created on the function instance that triggered parsing rather than on every function instance that needs it
944         https://bugs.webkit.org/show_bug.cgi?id=141881
945
946         Reviewed by Michael Saboff.
947         
948         Previously we only created the function name scope in a way that made it visible to the
949         function that triggered parsing/linking of the executable/codeBlock, and to the linker for
950         that code block. This was sort of the bare minimum for the feature to appear to work right to
951         synthetic tests.
952
953         There are two valid "times" to create the function name scope. Either it's created for each
954         JSFunction instance that needs a name scope, or it's created for each execution of such a
955         JSFunction. This change chooses the latter, because it happens to be the easiest to implement
956         with what we have right now. I opened a bug for optimizing this if we ever need to:
957         https://bugs.webkit.org/show_bug.cgi?id=141887.
958         
959         * bytecompiler/BytecodeGenerator.cpp:
960         (JSC::BytecodeGenerator::BytecodeGenerator):
961         * interpreter/Interpreter.cpp:
962         (JSC::Interpreter::execute):
963         (JSC::Interpreter::executeCall):
964         (JSC::Interpreter::executeConstruct):
965         (JSC::Interpreter::prepareForRepeatCall):
966         * jit/JITOperations.cpp:
967         * llint/LLIntSlowPaths.cpp:
968         (JSC::LLInt::setUpCall):
969         * runtime/ArrayPrototype.cpp:
970         (JSC::isNumericCompareFunction):
971         * runtime/Executable.cpp:
972         (JSC::ScriptExecutable::newCodeBlockFor):
973         (JSC::ScriptExecutable::prepareForExecutionImpl):
974         (JSC::FunctionExecutable::FunctionExecutable):
975         * runtime/Executable.h:
976         (JSC::ScriptExecutable::prepareForExecution):
977         * runtime/JSFunction.cpp:
978         (JSC::JSFunction::addNameScopeIfNeeded): Deleted.
979         * runtime/JSFunction.h:
980         * tests/stress/function-name-scope.js: Added.
981         (check.verify):
982         (check):
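
        The following is an added example, not JavaScriptCore code and not the
        regression test listed above: it spells out the observable rule the fix restores.
        A named function expression binds its own name in a scope of its own, and every
        function instance produced from that expression must resolve the name to itself,
        not only the instance whose first call happened to trigger parsing of the shared
        executable. The factory, the instance count and the helper names are this
        example's own choices.

```javascript
// Added example (not JSC code): each function instance created from one named
// function expression must see its own name binding.

// Factory: every call produces a fresh function object from the same source text,
// which is exactly the situation in which a per-executable name scope goes wrong.
function makeNamed(tag) {
  return function named() {
    return { self: named, tag: tag };
  };
}

// Every instance must resolve `named` to itself and carry its own closure state.
function eachInstanceSeesItself(count) {
  const instances = [];
  for (let i = 0; i < count; i++) {
    instances.push(makeNamed('instance-' + i));
  }
  return instances.every(function (fn, i) {
    const r = fn();
    return r.self === fn && r.tag === 'instance-' + i;
  });
}

// The name binding is immutable: under strict mode, writing to it throws a TypeError
// rather than rebinding the name.
function strictAssignmentThrows() {
  'use strict';
  const fn = function inner() {
    try {
      inner = 42;
      return false;
    } catch (e) {
      return e instanceof TypeError;
    }
  };
  return fn();
}

// A declaration inside the function body shadows the name binding, so the name
// scope sits outside the function's own variable environment.
function localDeclarationShadowsName() {
  const fn = function inner() {
    var inner = 'shadow';
    return inner;
  };
  return fn() === 'shadow';
}
```

        In sloppy mode the same write to the function name is silently ignored instead
        of throwing, which is why the strict-mode variant is the one that can be
        asserted on regardless of how the surrounding file is loaded.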
983
984 2015-02-22  Filip Pizlo  <fpizlo@apple.com>
985
986         Crash in DFGFrozenValue
987         https://bugs.webkit.org/show_bug.cgi?id=141883
988
989         Reviewed by Benjamin Poulain.
990         
991         If a value might be a cell, then we have to have Graph freeze it rather than trying to
992         create the FrozenValue directly. Creating it directly is just an optimization for when you
993         know for sure that it cannot be a cell.
994
995         * dfg/DFGAbstractInterpreterInlines.h:
996         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
997         * tests/stress/regress-141883.js: Added. Hacked the original test to be faster while still crashing before this fix.
998
999 2015-02-21  Joseph Pecoraro  <pecoraro@apple.com>
1000
1001         Web Inspector: Generate Previews more often for RemoteObject interaction
1002         https://bugs.webkit.org/show_bug.cgi?id=141875
1003
1004         Reviewed by Timothy Hatcher.
1005
1006         * inspector/protocol/Runtime.json:
1007         Add generatePreview to getProperties.
1008
1009         * inspector/InjectedScript.cpp:
1010         (Inspector::InjectedScript::getProperties):
1011         (Inspector::InjectedScript::getInternalProperties):
1012         * inspector/InjectedScript.h:
1013         * inspector/agents/InspectorRuntimeAgent.cpp:
1014         (Inspector::InspectorRuntimeAgent::getProperties):
1015         * inspector/agents/InspectorRuntimeAgent.h:
1016         Plumb the generatePreview boolean through to the injected script.
1017
1018         * inspector/InjectedScriptSource.js:
1019         Add generatePreview for getProperties.
1020         Fix callFunctionOn to generatePreviews if asked.
1021
1022 2015-02-20  Mark Lam  <mark.lam@apple.com>
1023
1024         Refactor JSWrapperMap.mm to defer creation of the ObjC JSValue until the latest possible moment.
1025         <https://webkit.org/b/141856>
1026
1027         Reviewed by Geoffrey Garen.
1028
1029         1. Make JSObjCClassInfo's -constructor and -wrapperForObject return a
1030            JSC::JSObject* just like -prototype.
1031         2. Defer the creation of the ObjC JSValue from JSC::JSObject* until
1032            the latest moment when it is needed.  This allows us to not have to
1033            keep converting back to a JSC::JSObject* in intermediate code.
1034
1035         * API/JSWrapperMap.mm:
1036         (makeWrapper):
1037         (objectWithCustomBrand):
1038         (constructorWithCustomBrand):
1039         (allocateConstructorForCustomClass):
1040         (-[JSObjCClassInfo allocateConstructorAndPrototype]):
1041         (-[JSObjCClassInfo wrapperForObject:]):
1042         (-[JSObjCClassInfo constructor]):
1043         (-[JSWrapperMap jsWrapperForObject:]):
1044
1045 2015-02-20  Filip Pizlo  <fpizlo@apple.com>
1046
1047         Build fix for gcc.
1048
1049         * runtime/JSNameScope.cpp:
1050         (JSC::JSNameScope::create):
1051
1052 2015-02-20  Filip Pizlo  <fpizlo@apple.com>
1053
1054         Get rid of JSNameScope::m_type
1055         https://bugs.webkit.org/show_bug.cgi?id=141851
1056
1057         Reviewed by Geoffrey Garen.
1058         
1059         This is a big step towards getting rid of JSEnvironmentRecord::m_registers. To do it we need
1060         to ensure that subclasses of JSEnvironmentRecord never have additional C++ fields, so that
1061         JSEnvironmentRecord can always place "registers" right after the end of itself.
1062
1063         * CMakeLists.txt:
1064         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1065         * JavaScriptCore.xcodeproj/project.pbxproj:
1066         * debugger/DebuggerScope.cpp:
1067         (JSC::DebuggerScope::isCatchScope):
1068         (JSC::DebuggerScope::isFunctionNameScope):
1069         * interpreter/Interpreter.cpp:
1070         (JSC::Interpreter::execute):
1071         * jit/JITOperations.cpp:
1072         * llint/LLIntSlowPaths.cpp:
1073         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1074         * runtime/JSCatchScope.cpp: Added.
1075         * runtime/JSCatchScope.h: Added.
1076         (JSC::JSCatchScope::JSCatchScope):
1077         (JSC::JSCatchScope::create):
1078         (JSC::JSCatchScope::createStructure):
1079         * runtime/JSFunction.cpp:
1080         (JSC::JSFunction::addNameScopeIfNeeded):
1081         * runtime/JSFunctionNameScope.cpp: Added.
1082         * runtime/JSFunctionNameScope.h: Added.
1083         (JSC::JSFunctionNameScope::JSFunctionNameScope):
1084         (JSC::JSFunctionNameScope::create):
1085         (JSC::JSFunctionNameScope::createStructure):
1086         * runtime/JSGlobalObject.cpp:
1087         (JSC::JSGlobalObject::init):
1088         (JSC::JSGlobalObject::visitChildren):
1089         * runtime/JSGlobalObject.h:
1090         (JSC::JSGlobalObject::catchScopeStructure):
1091         (JSC::JSGlobalObject::functionNameScopeStructure):
1092         (JSC::JSGlobalObject::nameScopeStructure): Deleted.
1093         * runtime/JSNameScope.cpp:
1094         (JSC::JSNameScope::create):
1095         * runtime/JSNameScope.h:
1096         (JSC::JSNameScope::create):
1097         (JSC::JSNameScope::JSNameScope):
1098         (JSC::JSNameScope::createStructure): Deleted.
1099         (JSC::JSNameScope::isFunctionNameScope): Deleted.
1100         (JSC::JSNameScope::isCatchScope): Deleted.
1101         * runtime/JSObject.cpp:
1102         (JSC::JSObject::isCatchScopeObject):
1103         (JSC::JSObject::isFunctionNameScopeObject):
1104         * runtime/JSObject.h:
1105
1106 2015-02-20  Mark Lam  <mark.lam@apple.com>
1107
1108         [JSObjCClassInfo reallocateConstructorAndOrPrototype] should also reallocate super class prototype chain.
1109         <https://webkit.org/b/141809>
1110
1111         Reviewed by Geoffrey Garen.
1112
1113         An ObjC class that implements the JSExport protocol will have a JS prototype
1114         chain and constructor automatically synthesized for its JS wrapper object.
1115         However, if there are no more instances of that ObjC class reachable by a
1116         JS GC root scan, then its synthesized prototype chain and constructors may
1117         be released by the GC.  If a new instance of that ObjC class is subsequently
1118         instantiated, then [JSObjCClassInfo reallocateConstructorAndOrPrototype]
1119         should re-construct the prototype chain and constructor (if they were
1120         previously released).  However, the current implementation only
1121         re-constructs the immediate prototype, but not every other prototype
1122         object upstream in the prototype chain.
1123
1124         To fix this, we do the following:
1125         1. We no longer allocate the JSObjCClassInfo's prototype and constructor
1126            eagerly.  Hence, -initWithContext:forClass: will no longer call
1127            -allocateConstructorAndPrototypeWithSuperClassInfo:.
1128         2. Instead, we'll always access the prototype and constructor through
1129            accessor methods.  The accessor methods will call
1130            -allocateConstructorAndPrototype: if needed.
1131         3. -allocateConstructorAndPrototype: will fetch the needed superClassInfo
1132            from the JSWrapperMap itself.  This makes it so that we no longer
1133            need to pass the superClassInfo all over.
1134         4. -allocateConstructorAndPrototype: will get the super class prototype
1135            by invoking -prototype: on the superClassInfo, thereby allowing the
1136            super class to allocate its prototype and constructor if needed and
1137            fixing the issue in this bug.
1138
1139         5. Also removed the GC warning comments, and ensured that needed JS
1140            objects are kept alive by having a local var pointing to it from the
1141            stack (which makes a GC root).
1142
1143         * API/JSWrapperMap.mm:
1144         (-[JSObjCClassInfo initWithContext:forClass:]):
1145         (-[JSObjCClassInfo allocateConstructorAndPrototype]):
1146         (-[JSObjCClassInfo wrapperForObject:]):
1147         (-[JSObjCClassInfo constructor]):
1148         (-[JSObjCClassInfo prototype]):
1149         (-[JSWrapperMap classInfoForClass:]):
1150         (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]): Deleted.
1151         (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): Deleted.
1152         (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]): Deleted.
1153         * API/tests/Regress141809.h: Added.
1154         * API/tests/Regress141809.mm: Added.
1155         (-[TestClassB name]):
1156         (-[TestClassC name]):
1157         (runRegress141809):
1158         * API/tests/testapi.mm:
1159         * JavaScriptCore.xcodeproj/project.pbxproj:
1160
1161 2015-02-20  Alexey Proskuryakov  <ap@apple.com>
1162
1163         Remove svn:keywords property.
1164
1165         As far as I can tell, the property had no effect on any of these files, but also,
1166         when it has effect it's likely harmful.
1167
1168         * builtins/ArrayConstructor.js: Removed property svn:keywords.
1169
1170 2015-02-20  Michael Saboff  <msaboff@apple.com>
1171
1172         DFG JIT needs to check for stack overflow at the start of Program and Eval execution
1173         https://bugs.webkit.org/show_bug.cgi?id=141676
1174
1175         Reviewed by Filip Pizlo.
1176
1177         Added a stack check to the beginning of the code the DFG compiler emits for Program and Eval nodes.
1178         To aid in testing the code, I replaced the EvalCodeCache::maxCacheableSourceLength const with
1179         an option in runtime/Options.h.  The test script, run-jsc-stress-tests, sets that option
1180         to a huge value when running with the "Eager" options.  This allows the updated test to
1181         reliably exercise the code in question.
1182
1183         * dfg/DFGJITCompiler.cpp:
1184         (JSC::DFG::JITCompiler::compile):
1185         Added stack check.
1186
1187         * bytecode/EvalCodeCache.h:
1188         (JSC::EvalCodeCache::tryGet):
1189         (JSC::EvalCodeCache::getSlow):
1190         * runtime/Options.h:
1191         Replaced EvalCodeCache::maxCacheableSourceLength with Options::maximumEvalCacheableSourceLength
1192         so that it can be configured when running the related test.
1193
1194 2015-02-20  Eric Carlson  <eric.carlson@apple.com>
1195
1196         [iOS] cleanup AirPlay code
1197         https://bugs.webkit.org/show_bug.cgi?id=141811
1198
1199         Reviewed by Jer Noble.
1200
1201         * Configurations/FeatureDefines.xcconfig: IOS_AIRPLAY -> WIRELESS_PLAYBACK_TARGET.
1202
1203 2015-02-19  Dean Jackson  <dino@apple.com>
1204
1205         ES6: Implement Array.from()
1206         https://bugs.webkit.org/show_bug.cgi?id=141054
1207         <rdar://problem/19654521>
1208
1209         Reviewed by Filip Pizlo.
1210
1211         Implement the Array.from() ES6 method
1212         as defined in Section 22.1.2.1 of the specification.
1213
1214         Given that we can't rely on the built-in
1215         global functions or objects to be untainted,
1216         I had to expose a few of them directly to
1217         the function via private names. In particular:
1218         - Math.floor -> @floor
1219         - Math.abs -> @abs
1220         - Number -> @Number
1221         - Array -> @Array
1222         - isFinite -> @isFinite
1223
1224         * builtins/ArrayConstructor.js: Added.
1225         (from): Implementation of Array.from in JavaScript.
1226         * runtime/ArrayConstructor.cpp: Add "from" to the lookup
1227         table for the constructor object.
1228         * runtime/CommonIdentifiers.h: Add the private versions
1229         of the identifiers listed above.
1230         * runtime/JSGlobalObject.cpp: Add the implementations of
1231         those identifiers to the global object (using their
1232         private names).
1233         (JSC::JSGlobalObject::init):
1234         * runtime/JSGlobalObjectFunctions.cpp:
1235         (JSC::globalPrivateFuncAbs): Implementation of the abs function.
1236         (JSC::globalPrivateFuncFloor): Implementation of the floor function.
1237         * runtime/JSGlobalObjectFunctions.h:
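
        The following is an added example, not JavaScriptCore code: it shows why a
        builtin written in JavaScript, as Array.from is here, must capture the
        intrinsics it depends on rather than resolve Math.floor, Number or Array
        through the global object at call time. A naive version and a hardened version
        are run with the same globals tampered. The $-prefixed names are this example's
        own convention standing in for the @floor/@abs/@Number/@Array/@isFinite private
        names the entry lists; the helpers handle array-likes only, not iterables, and
        the tampering helper and sample input are constructed for the demonstration.

```javascript
// Added example (not JSC code): self-hosted builtins and untainted intrinsics.

// Naive version: Math.floor, Number and Array are looked up by name on every
// call, so any script that ran earlier in the page can redirect them.
function naiveFrom(items, mapFn) {
  const len = Math.floor(Number(items.length));
  const result = new Array();
  for (let k = 0; k < len; k++) {
    result[k] = mapFn ? mapFn(items[k], k) : items[k];
  }
  result.length = len;
  return result;
}

// Hardened version: the intrinsics are bound once, when the builtin is defined,
// so later changes to the globals cannot reach it.
const hardenedFrom = (function defineHardenedFrom() {
  const $floor = Math.floor;
  const $abs = Math.abs;
  const $Number = Number;
  const $Array = Array;
  const $isFinite = isFinite;
  const MAX_SAFE_LENGTH = 2 ** 53 - 1;

  // ES6 ToInteger: NaN -> 0, +/-Infinity preserved, otherwise truncate toward zero.
  function toInteger(value) {
    const n = $Number(value);
    if (n !== n) return 0;
    if (!$isFinite(n)) return n;
    return (n < 0 ? -1 : 1) * $floor($abs(n));
  }

  // ES6 ToLength: clamp to the range [0, 2^53 - 1].
  function toLength(value) {
    const len = toInteger(value);
    if (len <= 0) return 0;
    return len > MAX_SAFE_LENGTH ? MAX_SAFE_LENGTH : len;
  }

  return function hardenedFrom(items, mapFn) {
    const len = toLength(items.length);
    const result = new $Array();
    for (let k = 0; k < len; k++) {
      result[k] = mapFn ? mapFn(items[k], k) : items[k];
    }
    result.length = len;
    return result;
  };
})();

// Constructed helper: temporarily replaces target[key], runs fn, then restores
// the original even if fn throws. It stands in for a hostile script that ran
// before the builtin was called.
function withTamperedGlobal(target, key, replacement, fn) {
  const original = target[key];
  target[key] = replacement;
  try {
    return fn();
  } finally {
    target[key] = original;
  }
}

// Constructed array-like input.
const SAMPLE = { length: 3, 0: 'a', 1: 'b', 2: 'c' };

// Scenario 1: Math.floor is replaced so every computed length collapses to 0.
function underTamperedFloor(fromImpl) {
  return withTamperedGlobal(Math, 'floor', () => 0, () => fromImpl(SAMPLE));
}

// Scenario 2: the global Array constructor hands back a plain object, so the
// naive version no longer even returns an array.
function underTamperedArray(fromImpl) {
  return withTamperedGlobal(
    globalThis, 'Array', function FakeArray() { return {}; },
    () => fromImpl(SAMPLE));
}
```

        Run the two scenarios against both implementations: the naive one returns an
        empty result under a tampered Math.floor and a non-array under a tampered
        Array, while the hardened one returns ['a', 'b', 'c'] in both cases.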
1238
1239 2015-02-19  Benjamin Poulain  <bpoulain@apple.com>
1240
1241         Refine the FTL part of ArithPow
1242         https://bugs.webkit.org/show_bug.cgi?id=141792
1243
1244         Reviewed by Filip Pizlo.
1245
1246         This patch refines the FTL lowering of ArithPow. This was left out
1247         of the original patch to keep it simpler.
1248
1249         * ftl/FTLLowerDFGToLLVM.cpp:
1250         (JSC::FTL::LowerDFGToLLVM::compileArithPow):
1251         Two improvements here:
1252         1) Do not generate the NaN check unless we know the exponent might be a NaN.
1253         2) Use one BasicBlock per check with the appropriate weight. Now that we have
1254            one branch per test, move the Infinity check before the check for 1 since
1255            it is the less common case.
1256
1257         * tests/stress/math-pow-becomes-custom-function.js: Added.
1258         Test for changing the Math.pow() function after it has been optimized.
1259
1260         * tests/stress/math-pow-nan-behaviors.js:
1261         The previous tests were only going as far as the DFGAbstractInterpreter
1262         where the operations were replaced by the equivalent constant.
1263
1264         I duplicated the test functions to also test the dynamic behavior of DFG
1265         and FTL.
1266
1267         * tests/stress/math-pow-with-constants.js:
1268         Add cases covering exponent constants. LLVM removes many value
1269         checks for those.
1270
1271         * tests/stress/math-pow-with-never-NaN-exponent.js: Added.
1272         Test for the new optimization removing the NaN check.
1273
1274 2015-02-19  Csaba Osztrogonác  <ossy@webkit.org>
1275
1276         REGRESSION(r180279): It broke 20 tests on ARM Linux
1277         https://bugs.webkit.org/show_bug.cgi?id=141771
1278
1279         Reviewed by Filip Pizlo.
1280
1281         * dfg/DFGSpeculativeJIT.h:
1282         (JSC::DFG::SpeculativeJIT::callOperation): Align 64-bit values to respect ARM EABI.
1283
1284 2015-02-18  Benjamin Poulain  <bpoulain@apple.com>
1285
1286         Remove BytecodeGenerator's numberMap, it is dead code
1287         https://bugs.webkit.org/show_bug.cgi?id=141779
1288
1289         Reviewed by Filip Pizlo.
1290
1291         * bytecompiler/BytecodeGenerator.cpp:
1292         (JSC::BytecodeGenerator::emitLoad): Deleted.
1293         * bytecompiler/BytecodeGenerator.h:
1294         The JSValueMap seems better in every way.
1295
1296         The emitLoad() taking a double was the only way to use numberMap
1297         and that code has no caller.
1298
1299 2015-02-18  Michael Saboff  <msaboff@apple.com>
1300
1301         Rollout r180247 & r180249 from trunk
1302         https://bugs.webkit.org/show_bug.cgi?id=141773
1303
1304         Reviewed by Filip Pizlo.
1305
1306         These changes make sense to fix the crash reported in https://bugs.webkit.org/show_bug.cgi?id=141730
1307         only for branches.  The change to fail the FTL compile but continue running is not comprehensive
1308         enough for general use on trunk.
1309
1310         * dfg/DFGPlan.cpp:
1311         (JSC::DFG::Plan::compileInThreadImpl):
1312         * ftl/FTLLowerDFGToLLVM.cpp:
1313         (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
1314         (JSC::FTL::LowerDFGToLLVM::lower):
1315         (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
1316         (JSC::FTL::LowerDFGToLLVM::compileNode):
1317         (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
1318         (JSC::FTL::LowerDFGToLLVM::compilePhi):
1319         (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
1320         (JSC::FTL::LowerDFGToLLVM::compileValueRep):
1321         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
1322         (JSC::FTL::LowerDFGToLLVM::compilePutLocal):
1323         (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
1324         (JSC::FTL::LowerDFGToLLVM::compileArithMul):
1325         (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
1326         (JSC::FTL::LowerDFGToLLVM::compileArithMod):
1327         (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
1328         (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
1329         (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
1330         (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
1331         (JSC::FTL::LowerDFGToLLVM::compileGetById):
1332         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
1333         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
1334         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
1335         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
1336         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
1337         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
1338         (JSC::FTL::LowerDFGToLLVM::compileNewArray):
1339         (JSC::FTL::LowerDFGToLLVM::compileToString):
1340         (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
1341         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
1342         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
1343         (JSC::FTL::LowerDFGToLLVM::compileSwitch):
1344         (JSC::FTL::LowerDFGToLLVM::compare):
1345         (JSC::FTL::LowerDFGToLLVM::boolify):
1346         (JSC::FTL::LowerDFGToLLVM::opposite):
1347         (JSC::FTL::LowerDFGToLLVM::lowJSValue):
1348         (JSC::FTL::LowerDFGToLLVM::speculate):
1349         (JSC::FTL::LowerDFGToLLVM::isArrayType):
1350         (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
1351         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
1352         (JSC::FTL::LowerDFGToLLVM::setInt52):
1353         (JSC::FTL::lowerDFGToLLVM):
1354         (JSC::FTL::LowerDFGToLLVM::loweringFailed): Deleted.
1355         * ftl/FTLLowerDFGToLLVM.h:
1356
1357 2015-02-18  Filip Pizlo  <fpizlo@apple.com>
1358
1359         DFG should really support varargs
1360         https://bugs.webkit.org/show_bug.cgi?id=141332
1361
1362         Reviewed by Oliver Hunt.
1363         
1364         This adds comprehensive vararg call support to the DFG and FTL compilers. Previously, if a
1365         function had a varargs call, then it could only be compiled if that varargs call was just
1366         forwarding arguments and we were inlining the function rather than compiling it directly. Also,
1367         only varargs calls were dealt with; varargs constructs were not.
1368         
1369         This lifts all of those restrictions. Every varargs call or construct can now be compiled by both
1370         the DFG and the FTL. Those calls can also be inlined, too - provided that profiling gives us a
1371         sensible bound on arguments list length. When we inline a varargs call, the act of loading the
1372         varargs is now made explicit in IR. I believe that we have enough IR machinery in place that we
1373         would be able to do the arguments forwarding optimization as an IR transformation. This patch
1374         doesn't implement that yet, and keeps the old bytecode-based varargs argument forwarding
1375         optimization for now.
1376         
1377         There are three major IR features introduced in this patch:
1378         
1379         CallVarargs/ConstructVarargs: these are like Call/Construct except that they take an arguments
1380         array rather than a list of arguments. Currently, they splat this arguments array onto the stack
1381         using the same basic technique as the baseline JIT has always done. Except, these nodes indicate
1382         that we are not interested in doing the non-escaping "arguments" optimization.
1383         
1384         CallForwardVarargs: this is a form of CallVarargs that just does the non-escaping "arguments"
1385         optimization, aka forwarding arguments. It's somewhat lazy that this doesn't include
1386         ConstructForwardVarargs, but the reason is that once we eliminate the lazy tear-off for
1387         arguments, this whole thing will have to be tweaked - and for now forwarding on construct is just
1388         not important in benchmarks. ConstructVarargs will still do forwarding, just not inlined.
1389         
1390         LoadVarargs: loads all elements out of an array onto the stack in a manner suitable for a varargs
1391         call. This is used only when a varargs call (or construct) was inlined. The bytecode parser will
        make room on the stack for the arguments, and will use LoadVarargs to put those arguments into
        place.
1394         
1395         In the future, we can consider adding strength reductions like:
1396         
1397         - If CallVarargs/ConstructVarargs see an array of known size with known elements, turn them into
1398           Call/Construct.
1399         
1400         - If CallVarargs/ConstructVarargs are passed an unmodified, unescaped Arguments object, then
1401           turn them into CallForwardVarargs/ConstructForwardVarargs.
1402         
1403         - If LoadVarargs sees an array of known size, then turn it into a sequence of GetByVals and
1404           PutLocals.
1405         
1406         - If LoadVarargs sees an unmodified, unescaped Arguments object, then turn it into something like
1407           LoadForwardVarargs.
1408         
1409         - If CallVarargs/ConstructVarargs/LoadVarargs see the result of a splice (or other Array
1410           prototype function), then do the splice and varargs loading in one go (maybe via a new node
1411           type).
1412
1413         * CMakeLists.txt:
1414         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1415         * JavaScriptCore.xcodeproj/project.pbxproj:
1416         * assembler/MacroAssembler.h:
1417         (JSC::MacroAssembler::rshiftPtr):
1418         (JSC::MacroAssembler::urshiftPtr):
1419         * assembler/MacroAssemblerARM64.h:
1420         (JSC::MacroAssemblerARM64::urshift64):
1421         * assembler/MacroAssemblerX86_64.h:
1422         (JSC::MacroAssemblerX86_64::urshift64):
1423         * assembler/X86Assembler.h:
1424         (JSC::X86Assembler::shrq_i8r):
1425         * bytecode/CallLinkInfo.h:
1426         (JSC::CallLinkInfo::CallLinkInfo):
1427         * bytecode/CallLinkStatus.cpp:
1428         (JSC::CallLinkStatus::computeFor):
1429         (JSC::CallLinkStatus::setProvenConstantCallee):
1430         (JSC::CallLinkStatus::dump):
1431         * bytecode/CallLinkStatus.h:
1432         (JSC::CallLinkStatus::maxNumArguments):
1433         (JSC::CallLinkStatus::setIsProved): Deleted.
1434         * bytecode/CodeOrigin.cpp:
1435         (WTF::printInternal):
1436         * bytecode/CodeOrigin.h:
1437         (JSC::InlineCallFrame::varargsKindFor):
1438         (JSC::InlineCallFrame::specializationKindFor):
1439         (JSC::InlineCallFrame::isVarargs):
1440         (JSC::InlineCallFrame::isNormalCall): Deleted.
1441         * bytecode/ExitKind.cpp:
1442         (JSC::exitKindToString):
1443         * bytecode/ExitKind.h:
1444         * bytecode/ValueRecovery.cpp:
1445         (JSC::ValueRecovery::dumpInContext):
1446         * dfg/DFGAbstractInterpreterInlines.h:
1447         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1448         * dfg/DFGArgumentsSimplificationPhase.cpp:
1449         (JSC::DFG::ArgumentsSimplificationPhase::run):
1450         * dfg/DFGByteCodeParser.cpp:
1451         (JSC::DFG::ByteCodeParser::flush):
1452         (JSC::DFG::ByteCodeParser::addCall):
1453         (JSC::DFG::ByteCodeParser::handleCall):
1454         (JSC::DFG::ByteCodeParser::handleVarargsCall):
1455         (JSC::DFG::ByteCodeParser::emitFunctionChecks):
1456         (JSC::DFG::ByteCodeParser::inliningCost):
1457         (JSC::DFG::ByteCodeParser::inlineCall):
1458         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
1459         (JSC::DFG::ByteCodeParser::handleInlining):
1460         (JSC::DFG::ByteCodeParser::handleMinMax):
1461         (JSC::DFG::ByteCodeParser::handleIntrinsic):
1462         (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
1463         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1464         (JSC::DFG::ByteCodeParser::parseBlock):
1465         (JSC::DFG::ByteCodeParser::removeLastNodeFromGraph): Deleted.
1466         (JSC::DFG::ByteCodeParser::undoFunctionChecks): Deleted.
1467         * dfg/DFGCapabilities.cpp:
1468         (JSC::DFG::capabilityLevel):
1469         * dfg/DFGCapabilities.h:
1470         (JSC::DFG::functionCapabilityLevel):
1471         (JSC::DFG::mightCompileFunctionFor):
1472         * dfg/DFGClobberize.h:
1473         (JSC::DFG::clobberize):
1474         * dfg/DFGCommon.cpp:
1475         (WTF::printInternal):
1476         * dfg/DFGCommon.h:
1477         (JSC::DFG::canInline):
1478         (JSC::DFG::leastUpperBound):
1479         * dfg/DFGDoesGC.cpp:
1480         (JSC::DFG::doesGC):
1481         * dfg/DFGFixupPhase.cpp:
1482         (JSC::DFG::FixupPhase::fixupNode):
1483         * dfg/DFGGraph.cpp:
1484         (JSC::DFG::Graph::dump):
1485         (JSC::DFG::Graph::dumpBlockHeader):
1486         (JSC::DFG::Graph::isLiveInBytecode):
1487         (JSC::DFG::Graph::valueProfileFor):
1488         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
1489         * dfg/DFGGraph.h:
1490         (JSC::DFG::Graph::valueProfileFor): Deleted.
1491         (JSC::DFG::Graph::methodOfGettingAValueProfileFor): Deleted.
1492         * dfg/DFGJITCompiler.cpp:
1493         (JSC::DFG::JITCompiler::compileExceptionHandlers):
1494         (JSC::DFG::JITCompiler::link):
1495         * dfg/DFGMayExit.cpp:
1496         (JSC::DFG::mayExit):
1497         * dfg/DFGNode.h:
1498         (JSC::DFG::Node::hasCallVarargsData):
1499         (JSC::DFG::Node::callVarargsData):
1500         (JSC::DFG::Node::hasLoadVarargsData):
1501         (JSC::DFG::Node::loadVarargsData):
1502         (JSC::DFG::Node::hasHeapPrediction):
1503         * dfg/DFGNodeType.h:
1504         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
1505         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
1506         * dfg/DFGOSRExitCompilerCommon.cpp:
1507         (JSC::DFG::reifyInlinedCallFrames):
1508         * dfg/DFGOperations.cpp:
1509         * dfg/DFGOperations.h:
1510         * dfg/DFGPlan.cpp:
1511         (JSC::DFG::dumpAndVerifyGraph):
1512         (JSC::DFG::Plan::compileInThreadImpl):
1513         * dfg/DFGPreciseLocalClobberize.h:
1514         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1515         (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop):
1516         * dfg/DFGPredictionPropagationPhase.cpp:
1517         (JSC::DFG::PredictionPropagationPhase::propagate):
1518         * dfg/DFGSSAConversionPhase.cpp:
1519         * dfg/DFGSafeToExecute.h:
1520         (JSC::DFG::safeToExecute):
1521         * dfg/DFGSpeculativeJIT.h:
1522         (JSC::DFG::SpeculativeJIT::isFlushed):
1523         (JSC::DFG::SpeculativeJIT::callOperation):
1524         * dfg/DFGSpeculativeJIT32_64.cpp:
1525         (JSC::DFG::SpeculativeJIT::emitCall):
1526         (JSC::DFG::SpeculativeJIT::compile):
1527         * dfg/DFGSpeculativeJIT64.cpp:
1528         (JSC::DFG::SpeculativeJIT::emitCall):
1529         (JSC::DFG::SpeculativeJIT::compile):
1530         * dfg/DFGStackLayoutPhase.cpp:
1531         (JSC::DFG::StackLayoutPhase::run):
1532         (JSC::DFG::StackLayoutPhase::assign):
1533         * dfg/DFGStrengthReductionPhase.cpp:
1534         (JSC::DFG::StrengthReductionPhase::handleNode):
1535         * dfg/DFGTypeCheckHoistingPhase.cpp:
1536         (JSC::DFG::TypeCheckHoistingPhase::run):
1537         * dfg/DFGValidate.cpp:
1538         (JSC::DFG::Validate::validateCPS):
1539         * ftl/FTLAbbreviations.h:
1540         (JSC::FTL::functionType):
1541         (JSC::FTL::buildCall):
1542         * ftl/FTLCapabilities.cpp:
1543         (JSC::FTL::canCompile):
1544         * ftl/FTLCompile.cpp:
1545         (JSC::FTL::mmAllocateDataSection):
1546         * ftl/FTLInlineCacheSize.cpp:
1547         (JSC::FTL::sizeOfCall):
1548         (JSC::FTL::sizeOfCallVarargs):
1549         (JSC::FTL::sizeOfCallForwardVarargs):
1550         (JSC::FTL::sizeOfConstructVarargs):
1551         (JSC::FTL::sizeOfIn):
1552         (JSC::FTL::sizeOfICFor):
1553         (JSC::FTL::sizeOfCheckIn): Deleted.
1554         * ftl/FTLInlineCacheSize.h:
1555         * ftl/FTLIntrinsicRepository.h:
1556         * ftl/FTLJSCall.cpp:
1557         (JSC::FTL::JSCall::JSCall):
1558         * ftl/FTLJSCallBase.cpp:
1559         * ftl/FTLJSCallBase.h:
1560         * ftl/FTLJSCallVarargs.cpp: Added.
1561         (JSC::FTL::JSCallVarargs::JSCallVarargs):
1562         (JSC::FTL::JSCallVarargs::numSpillSlotsNeeded):
1563         (JSC::FTL::JSCallVarargs::emit):
1564         (JSC::FTL::JSCallVarargs::link):
1565         * ftl/FTLJSCallVarargs.h: Added.
1566         (JSC::FTL::JSCallVarargs::node):
1567         (JSC::FTL::JSCallVarargs::stackmapID):
1568         (JSC::FTL::JSCallVarargs::operator<):
1569         * ftl/FTLLowerDFGToLLVM.cpp:
1570         (JSC::FTL::LowerDFGToLLVM::lower):
1571         (JSC::FTL::LowerDFGToLLVM::compileNode):
1572         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
1573         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
1574         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
1575         (JSC::FTL::LowerDFGToLLVM::compileLoadVarargs):
1576         (JSC::FTL::LowerDFGToLLVM::compileIn):
1577         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
1578         (JSC::FTL::LowerDFGToLLVM::vmCall):
1579         (JSC::FTL::LowerDFGToLLVM::vmCallNoExceptions):
1580         (JSC::FTL::LowerDFGToLLVM::callCheck):
1581         * ftl/FTLOutput.h:
1582         (JSC::FTL::Output::call):
1583         * ftl/FTLState.cpp:
1584         (JSC::FTL::State::State):
1585         * ftl/FTLState.h:
1586         * interpreter/Interpreter.cpp:
1587         (JSC::sizeOfVarargs):
1588         (JSC::sizeFrameForVarargs):
1589         * interpreter/Interpreter.h:
1590         * interpreter/StackVisitor.cpp:
1591         (JSC::StackVisitor::readInlinedFrame):
1592         * jit/AssemblyHelpers.cpp:
1593         (JSC::AssemblyHelpers::emitExceptionCheck):
1594         * jit/AssemblyHelpers.h:
1595         (JSC::AssemblyHelpers::addressFor):
1596         (JSC::AssemblyHelpers::calleeFrameSlot):
1597         (JSC::AssemblyHelpers::calleeArgumentSlot):
1598         (JSC::AssemblyHelpers::calleeFrameTagSlot):
1599         (JSC::AssemblyHelpers::calleeFramePayloadSlot):
1600         (JSC::AssemblyHelpers::calleeArgumentTagSlot):
1601         (JSC::AssemblyHelpers::calleeArgumentPayloadSlot):
1602         (JSC::AssemblyHelpers::calleeFrameCallerFrame):
1603         (JSC::AssemblyHelpers::selectScratchGPR):
1604         * jit/CCallHelpers.h:
1605         (JSC::CCallHelpers::setupArgumentsWithExecState):
1606         * jit/GPRInfo.h:
1607         * jit/JIT.cpp:
1608         (JSC::JIT::privateCompile):
1609         * jit/JIT.h:
1610         * jit/JITCall.cpp:
1611         (JSC::JIT::compileSetupVarargsFrame):
1612         (JSC::JIT::compileOpCall):
1613         * jit/JITCall32_64.cpp:
1614         (JSC::JIT::compileSetupVarargsFrame):
1615         (JSC::JIT::compileOpCall):
1616         * jit/JITOperations.h:
1617         * jit/SetupVarargsFrame.cpp:
1618         (JSC::emitSetupVarargsFrameFastCase):
1619         * jit/SetupVarargsFrame.h:
1620         * runtime/Arguments.h:
1621         (JSC::Arguments::create):
1622         (JSC::Arguments::registerArraySizeInBytes):
1623         (JSC::Arguments::finishCreation):
1624         * runtime/Options.h:
1625         * tests/stress/construct-varargs-inline-smaller-Foo.js: Added.
1626         (Foo):
1627         (bar):
1628         (checkEqual):
1629         (test):
1630         * tests/stress/construct-varargs-inline.js: Added.
1631         (Foo):
1632         (bar):
1633         (checkEqual):
1634         (test):
1635         * tests/stress/construct-varargs-no-inline.js: Added.
1636         (Foo):
1637         (bar):
1638         (checkEqual):
1639         (test):
1640         * tests/stress/get-argument-by-val-in-inlined-varargs-call-out-of-bounds.js: Added.
1641         (foo):
1642         (bar):
1643         * tests/stress/get-argument-by-val-safe-in-inlined-varargs-call-out-of-bounds.js: Added.
1644         (foo):
1645         (bar):
1646         * tests/stress/get-my-argument-by-val-creates-arguments.js: Added.
1647         (blah):
1648         (foo):
1649         (bar):
1650         (checkEqual):
1651         (test):
1652         * tests/stress/load-varargs-then-inlined-call-exit-in-foo.js: Added.
1653         (foo):
1654         (bar):
1655         (checkEqual):
1656         * tests/stress/load-varargs-then-inlined-call-inlined.js: Added.
1657         (foo):
1658         (bar):
1659         (baz):
1660         (checkEqual):
1661         (test):
1662         * tests/stress/load-varargs-then-inlined-call.js: Added.
1663         (foo):
1664         (bar):
1665         (checkEqual):
1666         (test):
1667
1668 2015-02-17  Michael Saboff  <msaboff@apple.com>
1669
        Unreviewed, restoring the C Loop insta-crash fix in r180184.
1671
1672         Fixed a typo that only affected the C Loop in the prologue() macro in LowLevelInterpreter.asm.
1673         After the stackHeightOKGetCodeBlock label, codeBlockSetter(t1) should be codeBlockGetter(t1).
1674
1675         * llint/LowLevelInterpreter.asm: Fixed a typo.
1676
1677 2015-02-18  Csaba Osztrogonác  <ossy@webkit.org>
1678
1679         URTBF after r180258 to fix Windows build.
1680
1681         * runtime/MathCommon.cpp:
1682         (JSC::mathPowInternal):
1683
1684 2015-02-18  Joseph Pecoraro  <pecoraro@apple.com>
1685
1686         REGRESSION(r180235): It broke the !ENABLE(PROMISES) build
1687         https://bugs.webkit.org/show_bug.cgi?id=141746
1688
1689         Unreviewed build fix.
1690
1691         * inspector/JSInjectedScriptHost.cpp:
1692         (Inspector::JSInjectedScriptHost::getInternalProperties):
1693         Wrap JSPromise related code in ENABLE(PROMISES) guard.
1694
1695 2015-02-18  Benjamin Poulain  <benjamin@webkit.org>
1696
1697         Fix the C-Loop LLInt build
1698         https://bugs.webkit.org/show_bug.cgi?id=141618
1699
1700         Reviewed by Filip Pizlo.
1701
1702         I broke C-Loop when moving the common code of pow()
1703         to JITOperations because that file is #ifdefed out
1704         when the JITs are disabled.
1705
1706         It would be weird to move it back to MathObject since
1707         the function needs to know about the calling conventions.
1708
1709         To avoid making a mess, I just gave the function its own file
1710         that is used by both the runtime and the JIT.
1711
1712         * CMakeLists.txt:
1713         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1714         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1715         * JavaScriptCore.xcodeproj/project.pbxproj:
1716         * dfg/DFGAbstractInterpreterInlines.h:
1717         * jit/JITOperations.cpp:
1718         * jit/JITOperations.h:
1719         * runtime/MathCommon.cpp: Added.
1720         (JSC::fdlibmScalbn):
1721         (JSC::fdlibmPow):
1722         (JSC::isDenormal):
1723         (JSC::isEdgeCase):
1724         (JSC::mathPowInternal):
1725         (JSC::operationMathPow):
1726         * runtime/MathCommon.h: Added.
1727         * runtime/MathObject.cpp:
1728
1729 2015-02-17  Benjamin Poulain  <bpoulain@apple.com>
1730
1731         Clean up OSRExit's considerAddingAsFrequentExitSite()
1732         https://bugs.webkit.org/show_bug.cgi?id=141690
1733
1734         Reviewed by Anders Carlsson.
1735
        Looks like some code was removed from CodeBlock::tallyFrequentExitSites()
        and the OSRExit was left untouched.

        This patch cleans up the two loops and removes the boolean return
        on considerAddingAsFrequentExitSite().
1741
1742         * bytecode/CodeBlock.cpp:
1743         (JSC::CodeBlock::tallyFrequentExitSites):
1744         * dfg/DFGOSRExit.h:
1745         (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
1746         * dfg/DFGOSRExitBase.cpp:
1747         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
1748         * dfg/DFGOSRExitBase.h:
1749         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSite):
1750         * ftl/FTLOSRExit.h:
1751         (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
1752
1753 2015-02-17  Alexey Proskuryakov  <ap@apple.com>
1754
1755         Debug build fix after r180247.
1756
1757         * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::loweringFailed):
1758
1759 2015-02-17  Commit Queue  <commit-queue@webkit.org>
1760
1761         Unreviewed, rolling out r180184.
1762         https://bugs.webkit.org/show_bug.cgi?id=141733
1763
1764         Caused infinite recursion on js/function-apply-aliased.html
1765         (Requested by ap_ on #webkit).
1766
1767         Reverted changeset:
1768
1769         "REGRESSION(r180060): C Loop crashes"
1770         https://bugs.webkit.org/show_bug.cgi?id=141671
1771         http://trac.webkit.org/changeset/180184
1772
1773 2015-02-17  Michael Saboff  <msaboff@apple.com>
1774
1775         CrashTracer: DFG_CRASH beneath JSC::FTL::LowerDFGToLLVM::compileNode
1776         https://bugs.webkit.org/show_bug.cgi?id=141730
1777
1778         Reviewed by Geoffrey Garen.
1779
        Added a new failure handler, loweringFailed(), to LowerDFGToLLVM that reports failures
        while processing DFG lowering.  For debug builds, the failures are logged identically
        to the way the DFG_CRASH() reports them.  For release builds, the failures are reported
        and the FTL compilation is terminated, but the process is allowed to continue.
        Wrapped calls to loweringFailed() in a macro LOWERING_FAILED so the function and
        line number are reported at the point of the inconsistency.
1786
1787         Converted instances of DFG_CRASH to LOWERING_FAILED.
1788
1789         * dfg/DFGPlan.cpp:
1790         (JSC::DFG::Plan::compileInThreadImpl): Added lowerDFGToLLVM() failure check that
1791         will fail the FTL compile.
1792
1793         * ftl/FTLLowerDFGToLLVM.cpp:
1794         (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
1795         Added new member variable, m_loweringSucceeded, to stop compilation on the first
1796         reported failure.
1797
1798         * ftl/FTLLowerDFGToLLVM.cpp:
1799         (JSC::FTL::LowerDFGToLLVM::lower):
1800         * ftl/FTLLowerDFGToLLVM.h:
1801         Added check for compilation failures and now report those failures via a boolean
1802         return value.
1803
1804         * ftl/FTLLowerDFGToLLVM.cpp:
1805         (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
1806         (JSC::FTL::LowerDFGToLLVM::compileNode):
1807         (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
1808         (JSC::FTL::LowerDFGToLLVM::compilePhi):
1809         (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
1810         (JSC::FTL::LowerDFGToLLVM::compileValueRep):
1811         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
1812         (JSC::FTL::LowerDFGToLLVM::compilePutLocal):
1813         (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
1814         (JSC::FTL::LowerDFGToLLVM::compileArithMul):
1815         (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
1816         (JSC::FTL::LowerDFGToLLVM::compileArithMod):
1817         (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
1818         (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
1819         (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
1820         (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
1821         (JSC::FTL::LowerDFGToLLVM::compileGetById):
1822         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
1823         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
1824         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
1825         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
1826         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
1827         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
1828         (JSC::FTL::LowerDFGToLLVM::compileNewArray):
1829         (JSC::FTL::LowerDFGToLLVM::compileToString):
1830         (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
1831         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
1832         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
1833         (JSC::FTL::LowerDFGToLLVM::compileSwitch):
1834         (JSC::FTL::LowerDFGToLLVM::compare):
1835         (JSC::FTL::LowerDFGToLLVM::boolify):
1836         (JSC::FTL::LowerDFGToLLVM::opposite):
1837         (JSC::FTL::LowerDFGToLLVM::lowJSValue):
1838         (JSC::FTL::LowerDFGToLLVM::speculate):
1839         (JSC::FTL::LowerDFGToLLVM::isArrayType):
1840         (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
1841         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
1842         (JSC::FTL::LowerDFGToLLVM::setInt52):
1843         Changed DFG_CRASH() to LOWERING_FAILED().  Updated related control flow as appropriate.
1844
1845         (JSC::FTL::LowerDFGToLLVM::loweringFailed): New error reporting member function.
1846
1847 2015-02-17  Filip Pizlo  <fpizlo@apple.com>
1848
1849         StackLayoutPhase should use CodeBlock::usesArguments rather than FunctionExecutable::usesArguments
1850         https://bugs.webkit.org/show_bug.cgi?id=141721
1851         rdar://problem/17198633
1852
1853         Reviewed by Michael Saboff.
1854         
1855         I've seen cases where the two are out of sync.  We know we can trust the CodeBlock::usesArguments because
1856         we use it everywhere else.
1857         
1858         No test because I could never reproduce the crash.
1859
1860         * dfg/DFGGraph.h:
1861         (JSC::DFG::Graph::usesArguments):
1862         * dfg/DFGStackLayoutPhase.cpp:
1863         (JSC::DFG::StackLayoutPhase::run):
1864
1865 2015-02-16  Joseph Pecoraro  <pecoraro@apple.com>
1866
1867         Web Inspector: Improved Console Support for Bound Functions
1868         https://bugs.webkit.org/show_bug.cgi?id=141635
1869
1870         Reviewed by Timothy Hatcher.
1871
1872         * inspector/JSInjectedScriptHost.cpp:
1873         (Inspector::JSInjectedScriptHost::getInternalProperties):
1874         Expose internal properties of a JSBoundFunction.
1875
1876 2015-02-16  Joseph Pecoraro  <pecoraro@apple.com>
1877
1878         Web Inspector: ES6: Improved Console Support for Promise Objects
1879         https://bugs.webkit.org/show_bug.cgi?id=141634
1880
1881         Reviewed by Timothy Hatcher.
1882
1883         * inspector/InjectedScript.cpp:
1884         (Inspector::InjectedScript::getInternalProperties):
1885         * inspector/InjectedScriptSource.js:
1886         Include internal properties in previews. Share code
1887         with normal internal property handling.
1888
1889         * inspector/JSInjectedScriptHost.cpp:
1890         (Inspector::constructInternalProperty):
1891         (Inspector::JSInjectedScriptHost::getInternalProperties):
1892         Provide internal state of Promises.
1893
1894         * inspector/protocol/Runtime.json:
1895         Provide an optional field to distinguish if a PropertyPreview
1896         is for an Internal property or not.
1897
1898 2015-02-17  Filip Pizlo  <fpizlo@apple.com>
1899
1900         Throwing from an FTL call IC slow path may result in tag registers being clobbered on 64-bit CPUs
1901         https://bugs.webkit.org/show_bug.cgi?id=141717
1902         rdar://problem/19863382
1903
1904         Reviewed by Geoffrey Garen.
1905         
1906         The best solution is to ensure that the engine catching an exception restores tag registers.
1907         
1908         Each of these new test cases reliably crashed prior to this patch and they don't crash at all now.
1909
1910         * jit/JITOpcodes.cpp:
1911         (JSC::JIT::emit_op_catch):
1912         * llint/LowLevelInterpreter.asm:
1913         * llint/LowLevelInterpreter64.asm:
1914         * tests/stress/throw-from-ftl-call-ic-slow-path-cells.js: Added.
1915         * tests/stress/throw-from-ftl-call-ic-slow-path-undefined.js: Added.
1916         * tests/stress/throw-from-ftl-call-ic-slow-path.js: Added.
1917
1918 2015-02-17  Csaba Osztrogonác  <ossy@webkit.org>
1919
1920         [ARM] Add the necessary setupArgumentsWithExecState after bug141332
1921         https://bugs.webkit.org/show_bug.cgi?id=141714
1922
1923         Reviewed by Michael Saboff.
1924
1925         * jit/CCallHelpers.h:
1926         (JSC::CCallHelpers::setupArgumentsWithExecState):
1927
1928 2015-02-15  Sam Weinig  <sam@webkit.org>
1929
1930         Add experimental <attachment> element support
1931         https://bugs.webkit.org/show_bug.cgi?id=141626
1932
1933         Reviewed by Tim Horton.
1934
1935         * Configurations/FeatureDefines.xcconfig:
1936
1937 2015-02-16  Michael Saboff  <msaboff@apple.com>
1938
1939         REGRESSION(r180060): C Loop crashes
1940         https://bugs.webkit.org/show_bug.cgi?id=141671
1941
1942         Reviewed by Geoffrey Garen.
1943
1944         Fixed a typo that only affected the C Loop in the prologue() macro in LowLevelInterpreter.asm.
1945         After the stackHeightOKGetCodeBlock label, codeBlockSetter(t1) should be codeBlockGetter(t1).
        Fixed the processing of an out-of-stack exception in llint_stack_check to not get the caller's
        frame.  This isn't needed, since this helper is only called to check the stack on entry.  Any
        exception will be handled by a call ancestor.
1949
1950         * llint/LLIntSlowPaths.cpp:
1951         (JSC::LLInt::llint_stack_check): Changed to use the current frame for processing an exception.
1952         * llint/LowLevelInterpreter.asm: Fixed a typo.
1953
1954 2015-02-16  Joseph Pecoraro  <pecoraro@apple.com>
1955
1956         Web Inspector: Scope details sidebar should label objects with constructor names
1957         https://bugs.webkit.org/show_bug.cgi?id=139449
1958
1959         Reviewed by Timothy Hatcher.
1960
1961         * inspector/JSInjectedScriptHost.cpp:
1962         (Inspector::JSInjectedScriptHost::internalConstructorName):
1963         * runtime/Structure.cpp:
1964         (JSC::Structure::toStructureShape):
1965         Share calculatedClassName.
1966
1967         * runtime/JSObject.h:        
1968         * runtime/JSObject.cpp:
1969         (JSC::JSObject::calculatedClassName):
1970         Elaborate on a way to get an Object's class name.
1971
1972 2015-02-16  Filip Pizlo  <fpizlo@apple.com>
1973
1974         DFG SSA should use GetLocal for arguments, and the GetArgument node type should be removed
1975         https://bugs.webkit.org/show_bug.cgi?id=141623
1976
1977         Reviewed by Oliver Hunt.
1978         
1979         During development of https://bugs.webkit.org/show_bug.cgi?id=141332, I realized that I
1980         needed to use GetArgument for loading something that has magically already appeared on the
1981         stack, so currently trunk sort of allows this. But then I realized three things:
1982         
        - A GetArgument with a non-JSValue flush format means speculating that the value on the
          stack obeys that format, rather than just assuming that it already has that format.
          In bug 141332, I want it to assume rather than speculate. That also happens to be more
          intuitive; I don't think I was wrong to expect that.
1987         
1988         - The node I really want is GetLocal. I'm just getting the value of the local and I don't
1989           want to do anything else.
1990         
1991         - Maybe it would be easier if we just used GetLocal for all of the cases where we currently
1992           use GetArgument.
1993         
1994         This changes the FTL to do argument speculations in the prologue just like the DFG does.
1995         This brings some consistency to our system, and allows us to get rid of the GetArgument
1996         node. The speculations that the FTL must do are now made explicit in the m_argumentFormats
1997         vector in DFG::Graph. This has natural DCE behavior: even if all uses of the argument are
1998         dead we will still speculate. We already have safeguards to ensure we only speculate if
1999         there are uses that benefit from speculation (which is a much more conservative criterion
2000         than DCE).
2001         
2002         * dfg/DFGAbstractInterpreterInlines.h:
2003         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2004         * dfg/DFGClobberize.h:
2005         (JSC::DFG::clobberize):
2006         * dfg/DFGDCEPhase.cpp:
2007         (JSC::DFG::DCEPhase::run):
2008         * dfg/DFGDoesGC.cpp:
2009         (JSC::DFG::doesGC):
2010         * dfg/DFGFixupPhase.cpp:
2011         (JSC::DFG::FixupPhase::fixupNode):
2012         * dfg/DFGFlushFormat.h:
2013         (JSC::DFG::typeFilterFor):
2014         * dfg/DFGGraph.cpp:
2015         (JSC::DFG::Graph::dump):
2016         * dfg/DFGGraph.h:
2017         (JSC::DFG::Graph::valueProfileFor):
2018         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2019         * dfg/DFGInPlaceAbstractState.cpp:
2020         (JSC::DFG::InPlaceAbstractState::initialize):
2021         * dfg/DFGNode.cpp:
2022         (JSC::DFG::Node::hasVariableAccessData):
2023         * dfg/DFGNodeType.h:
2024         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2025         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
2026         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
2027         * dfg/DFGPredictionPropagationPhase.cpp:
2028         (JSC::DFG::PredictionPropagationPhase::propagate):
2029         * dfg/DFGPutLocalSinkingPhase.cpp:
2030         * dfg/DFGSSAConversionPhase.cpp:
2031         (JSC::DFG::SSAConversionPhase::run):
2032         * dfg/DFGSafeToExecute.h:
2033         (JSC::DFG::safeToExecute):
2034         * dfg/DFGSpeculativeJIT32_64.cpp:
2035         (JSC::DFG::SpeculativeJIT::compile):
2036         * dfg/DFGSpeculativeJIT64.cpp:
2037         (JSC::DFG::SpeculativeJIT::compile):
2038         * ftl/FTLCapabilities.cpp:
2039         (JSC::FTL::canCompile):
2040         * ftl/FTLLowerDFGToLLVM.cpp:
2041         (JSC::FTL::LowerDFGToLLVM::lower):
2042         (JSC::FTL::LowerDFGToLLVM::compileNode):
2043         (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
2044         (JSC::FTL::LowerDFGToLLVM::compileGetArgument): Deleted.
2045         * tests/stress/dead-speculating-argument-use.js: Added.
2046         (foo):
2047         (o.valueOf):
2048
2049 2015-02-15  Filip Pizlo  <fpizlo@apple.com>
2050
2051         Rare case profiling should actually work
2052         https://bugs.webkit.org/show_bug.cgi?id=141632
2053
2054         Reviewed by Michael Saboff.
2055         
2056         This simple adjustment appears to be a 2% speed-up on Octane. Over time, the slow case
2057         heuristic has essentially stopped working because the typical execution count threshold for a
2058         bytecode instruction is around 66 while the slow case threshold is 100: virtually
2059         guaranteeing that the DFG will never think that a bytecode instruction has taken the slow
2060         case even if it took it every single time. So, this changes the slow case threshold to 20.
2061         
2062         I checked if we could lower this down further, like to 10. That is worse than 20, and about
2063         as bad as 100.
2064
2065         * runtime/Options.h:
2066
2067 2015-02-15  Brian J. Burg  <burg@cs.washington.edu>
2068
2069         Web Inspector: remove unused XHR replay code
2070         https://bugs.webkit.org/show_bug.cgi?id=141622
2071
2072         Reviewed by Timothy Hatcher.
2073
2074         * inspector/protocol/Network.json: remove XHR replay methods.
2075
2076 2015-02-15  David Kilzer  <ddkilzer@apple.com>
2077
2078         REGRESSION (r180082): WebCore Debug builds fail on Mavericks due to weak export symbols
2079         <http://webkit.org/b/141607>
2080
2081         More work towards fixing the Mavericks Debug build.
2082
2083         * inspector/ScriptDebugServer.h:
2084         (Inspector::ScriptDebugServer::Task):
2085         * inspector/agents/InspectorDebuggerAgent.h:
2086         (Inspector::InspectorDebuggerAgent::Listener):
2087         - Remove subclass exports. They did not help.
2088
2089         * runtime/JSCJSValue.h:
2090         (JSC::JSValue::toFloat): Do not mark inline method for export.
2091
2092 2015-02-09  Brian J. Burg  <burg@cs.washington.edu>
2093
2094         Web Inspector: remove some unnecessary Inspector prefixes from class names in Inspector namespace
2095         https://bugs.webkit.org/show_bug.cgi?id=141372
2096
2097         Reviewed by Joseph Pecoraro.
2098
2099         * inspector/ConsoleMessage.cpp:
2100         (Inspector::ConsoleMessage::addToFrontend):
2101         (Inspector::ConsoleMessage::updateRepeatCountInConsole):
2102         * inspector/ConsoleMessage.h:
2103         * inspector/InspectorAgentBase.h:
2104         * inspector/InspectorAgentRegistry.cpp:
2105         (Inspector::AgentRegistry::AgentRegistry):
2106         (Inspector::AgentRegistry::append):
2107         (Inspector::AgentRegistry::appendExtraAgent):
2108         (Inspector::AgentRegistry::didCreateFrontendAndBackend):
2109         (Inspector::AgentRegistry::willDestroyFrontendAndBackend):
2110         (Inspector::AgentRegistry::discardAgents):
2111         (Inspector::InspectorAgentRegistry::InspectorAgentRegistry): Deleted.
2112         (Inspector::InspectorAgentRegistry::append): Deleted.
2113         (Inspector::InspectorAgentRegistry::appendExtraAgent): Deleted.
2114         (Inspector::InspectorAgentRegistry::didCreateFrontendAndBackend): Deleted.
2115         (Inspector::InspectorAgentRegistry::willDestroyFrontendAndBackend): Deleted.
2116         (Inspector::InspectorAgentRegistry::discardAgents): Deleted.
2117         * inspector/InspectorAgentRegistry.h:
2118         * inspector/InspectorBackendDispatcher.cpp:
2119         (Inspector::BackendDispatcher::CallbackBase::CallbackBase):
2120         (Inspector::BackendDispatcher::CallbackBase::isActive):
2121         (Inspector::BackendDispatcher::CallbackBase::sendFailure):
2122         (Inspector::BackendDispatcher::CallbackBase::sendIfActive):
2123         (Inspector::BackendDispatcher::create):
2124         (Inspector::BackendDispatcher::registerDispatcherForDomain):
2125         (Inspector::BackendDispatcher::dispatch):
2126         (Inspector::BackendDispatcher::sendResponse):
2127         (Inspector::BackendDispatcher::reportProtocolError):
2128         (Inspector::BackendDispatcher::getInteger):
2129         (Inspector::BackendDispatcher::getDouble):
2130         (Inspector::BackendDispatcher::getString):
2131         (Inspector::BackendDispatcher::getBoolean):
2132         (Inspector::BackendDispatcher::getObject):
2133         (Inspector::BackendDispatcher::getArray):
2134         (Inspector::BackendDispatcher::getValue):
2135         (Inspector::InspectorBackendDispatcher::CallbackBase::CallbackBase): Deleted.
2136         (Inspector::InspectorBackendDispatcher::CallbackBase::isActive): Deleted.
2137         (Inspector::InspectorBackendDispatcher::CallbackBase::sendFailure): Deleted.
2138         (Inspector::InspectorBackendDispatcher::CallbackBase::sendIfActive): Deleted.
2139         (Inspector::InspectorBackendDispatcher::create): Deleted.
2140         (Inspector::InspectorBackendDispatcher::registerDispatcherForDomain): Deleted.
2141         (Inspector::InspectorBackendDispatcher::dispatch): Deleted.
2142         (Inspector::InspectorBackendDispatcher::sendResponse): Deleted.
2143         (Inspector::InspectorBackendDispatcher::reportProtocolError): Deleted.
2144         (Inspector::InspectorBackendDispatcher::getInteger): Deleted.
2145         (Inspector::InspectorBackendDispatcher::getDouble): Deleted.
2146         (Inspector::InspectorBackendDispatcher::getString): Deleted.
2147         (Inspector::InspectorBackendDispatcher::getBoolean): Deleted.
2148         (Inspector::InspectorBackendDispatcher::getObject): Deleted.
2149         (Inspector::InspectorBackendDispatcher::getArray): Deleted.
2150         (Inspector::InspectorBackendDispatcher::getValue): Deleted.
2151         * inspector/InspectorBackendDispatcher.h:
2152         (Inspector::SupplementalBackendDispatcher::SupplementalBackendDispatcher):
2153         (Inspector::SupplementalBackendDispatcher::~SupplementalBackendDispatcher):
2154         (Inspector::InspectorSupplementalBackendDispatcher::InspectorSupplementalBackendDispatcher): Deleted.
2155         (Inspector::InspectorSupplementalBackendDispatcher::~InspectorSupplementalBackendDispatcher): Deleted.
2156         * inspector/InspectorFrontendChannel.h:
2157         (Inspector::FrontendChannel::~FrontendChannel):
2158         (Inspector::InspectorFrontendChannel::~InspectorFrontendChannel): Deleted.
2159         * inspector/JSGlobalObjectInspectorController.cpp:
2160         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2161         (Inspector::JSGlobalObjectInspectorController::globalObjectDestroyed):
2162         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
2163         (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
2164         (Inspector::JSGlobalObjectInspectorController::dispatchMessageFromFrontend):
2165         (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
2166         * inspector/JSGlobalObjectInspectorController.h:
2167         * inspector/agents/InspectorAgent.cpp:
2168         (Inspector::InspectorAgent::didCreateFrontendAndBackend):
2169         (Inspector::InspectorAgent::willDestroyFrontendAndBackend):
2170         * inspector/agents/InspectorAgent.h:
2171         * inspector/agents/InspectorConsoleAgent.cpp:
2172         (Inspector::InspectorConsoleAgent::didCreateFrontendAndBackend):
2173         (Inspector::InspectorConsoleAgent::willDestroyFrontendAndBackend):
2174         * inspector/agents/InspectorConsoleAgent.h:
2175         * inspector/agents/InspectorDebuggerAgent.cpp:
2176         (Inspector::InspectorDebuggerAgent::didCreateFrontendAndBackend):
2177         (Inspector::InspectorDebuggerAgent::willDestroyFrontendAndBackend):
2178         (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
2179         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
2180         (Inspector::InspectorDebuggerAgent::pause):
2181         (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
2182         (Inspector::InspectorDebuggerAgent::didPause):
2183         (Inspector::InspectorDebuggerAgent::breakProgram):
2184         (Inspector::InspectorDebuggerAgent::clearBreakDetails):
2185         * inspector/agents/InspectorDebuggerAgent.h:
2186         * inspector/agents/InspectorRuntimeAgent.cpp:
2187         (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
2188         * inspector/agents/InspectorRuntimeAgent.h:
2189         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
2190         (Inspector::JSGlobalObjectRuntimeAgent::didCreateFrontendAndBackend):
2191         (Inspector::JSGlobalObjectRuntimeAgent::willDestroyFrontendAndBackend):
2192         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
2193         * inspector/augmentable/AlternateDispatchableAgent.h:
2194         * inspector/augmentable/AugmentableInspectorController.h:
2195         * inspector/remote/RemoteInspectorDebuggable.h:
2196         * inspector/remote/RemoteInspectorDebuggableConnection.h:
2197         * inspector/scripts/codegen/cpp_generator.py:
2198         (CppGenerator.cpp_type_for_formal_out_parameter):
2199         (CppGenerator.cpp_type_for_stack_out_parameter):
2200         * inspector/scripts/codegen/cpp_generator_templates.py:
2201         (AlternateBackendDispatcher):
2202         (Alternate):
2203         (void):
2204         (AlternateInspectorBackendDispatcher): Deleted.
2205         (AlternateInspector): Deleted.
2206         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
2207         (CppBackendDispatcherHeaderGenerator._generate_alternate_handler_forward_declarations_for_domains.Alternate):
2208         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
2209         (CppBackendDispatcherHeaderGenerator._generate_alternate_handler_forward_declarations_for_domains.AlternateInspector): Deleted.
2210         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2211         (CppBackendDispatcherImplementationGenerator._generate_handler_class_destructor_for_domain):
2212         (CppBackendDispatcherImplementationGenerator._generate_large_dispatcher_switch_implementation_for_domain):
2213         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
2214         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2215         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
2216         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
2217         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
2218         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2219         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2220         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2221         * inspector/scripts/tests/expected/enum-values.json-result:
2222         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2223         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2224         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2225         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2226         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2227         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2228         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2229         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2230         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2231         * runtime/JSGlobalObjectDebuggable.cpp:
2232         (JSC::JSGlobalObjectDebuggable::connect):
2233         (JSC::JSGlobalObjectDebuggable::disconnect):
2234         * runtime/JSGlobalObjectDebuggable.h:
2235
2236 2015-02-14  David Kilzer  <ddkilzer@apple.com>
2237
2238         REGRESSION (r180082): WebCore Debug builds fail on Mavericks due to weak export symbols
2239         <http://webkit.org/b/141607>
2240
2241         Work towards fixing the Mavericks Debug build.
2242
2243         * inspector/ScriptDebugServer.h:
2244         (Inspector::ScriptDebugServer::Task): Export class.
2245         * inspector/agents/InspectorDebuggerAgent.h:
2246         (Inspector::InspectorDebuggerAgent::Listener): Export class.
2247         * runtime/JSGlobalObject.h:
2248         (JSC::JSGlobalObject::setConsoleClient): Do not mark inline
2249         method for export.
2250
2251 2015-02-14  Joseph Pecoraro  <pecoraro@apple.com>
2252
2253         Web Inspector: Symbol RemoteObject should not send sub-type
2254         https://bugs.webkit.org/show_bug.cgi?id=141604
2255
2256         Reviewed by Brian Burg.
2257
2258         * inspector/InjectedScriptSource.js:
2259
2260 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
2261
2262         Attempt to fix 32-bit build after r180098
2263
2264         * jit/JITOperations.cpp:
2265         * jit/JITOperations.h:
2266         I copied the attribute from the MathObject version of that function when I moved
2267         it over. DFG has no version of a function call taking those attributes.
2268
2269 2015-02-13  Joseph Pecoraro  <pecoraro@apple.com>
2270
2271         JSContext Inspector: Do not stash console messages for non-debuggable JSContext
2272         https://bugs.webkit.org/show_bug.cgi?id=141589
2273
2274         Reviewed by Timothy Hatcher.
2275
2276         Consider developer extras disabled for JSContext inspection if the
2277         RemoteInspector server is not enabled (typically a non-debuggable
2278         process rejected by webinspectord) or if remote debugging on the
2279         JSContext was explicitly disabled via SPI.
2280
2281         When developer extras are disabled, console messages will not be stashed.
2282
2283         * inspector/JSGlobalObjectInspectorController.cpp:
2284         (Inspector::JSGlobalObjectInspectorController::developerExtrasEnabled):
2285         * inspector/JSGlobalObjectInspectorController.h:
2286
2287 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
2288
2289         Add a DFG node for the Pow Intrinsics
2290         https://bugs.webkit.org/show_bug.cgi?id=141540
2291
2292         Reviewed by Filip Pizlo.
2293
2294         Add a DFG Node for PowIntrinsic. This patch covers the basic cases
2295         needed to avoid massive regressions. I will iterate over the node to cover
2296         the missing types.
2297
2298         With this patch I get the following progressions on benchmarks:
2299         -LongSpider's math-partial-sums: +5%.
2300         -Kraken's imaging-darkroom: +17%
2301         -AsmBench's cray.c: +6.6%
2302         -CompressionBench: +2.2% globally.
2303
2304         * dfg/DFGAbstractInterpreterInlines.h:
2305         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2306         Cover a couple of trivial cases:
2307         -If the exponent is zero, the result is always one, regardless of the base.
2308         -If both arguments are constants, compute the result at compile time.
2309
2310         * dfg/DFGByteCodeParser.cpp:
2311         (JSC::DFG::ByteCodeParser::handleIntrinsic):
2312         * dfg/DFGClobberize.h:
2313         (JSC::DFG::clobberize):
2314         * dfg/DFGDoesGC.cpp:
2315         (JSC::DFG::doesGC):
2316
2317         * dfg/DFGFixupPhase.cpp:
2318         (JSC::DFG::FixupPhase::fixupNode):
2319         We only support 2 basic cases at this time:
2320         -Math.pow(double, int)
2321         -Math.pow(double, double).
2322
2323         I'll cover Math.pow(int, int) in a follow-up.
2324
2325         * dfg/DFGNode.h:
2326         (JSC::DFG::Node::convertToArithSqrt):
2327         (JSC::DFG::Node::arithNodeFlags):
2328         * dfg/DFGNodeType.h:
2329         * dfg/DFGPredictionPropagationPhase.cpp:
2330         (JSC::DFG::PredictionPropagationPhase::propagate):
2331         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
2332         * dfg/DFGSafeToExecute.h:
2333         (JSC::DFG::safeToExecute):
2334         * dfg/DFGSpeculativeJIT.cpp:
2335         (JSC::DFG::compileArithPowIntegerFastPath):
2336         (JSC::DFG::SpeculativeJIT::compileArithPow):
2337         * dfg/DFGSpeculativeJIT.h:
2338         * dfg/DFGSpeculativeJIT32_64.cpp:
2339         (JSC::DFG::SpeculativeJIT::compile):
2340         * dfg/DFGSpeculativeJIT64.cpp:
2341         (JSC::DFG::SpeculativeJIT::compile):
2342         * dfg/DFGStrengthReductionPhase.cpp:
2343         (JSC::DFG::StrengthReductionPhase::handleNode):
2344         * dfg/DFGValidate.cpp:
2345         (JSC::DFG::Validate::validate):
2346         * ftl/FTLCapabilities.cpp:
2347         (JSC::FTL::canCompile):
2348         * ftl/FTLIntrinsicRepository.h:
2349         * ftl/FTLLowerDFGToLLVM.cpp:
2350         (JSC::FTL::LowerDFGToLLVM::compileNode):
2351         (JSC::FTL::LowerDFGToLLVM::compileArithPow):
2352         * ftl/FTLOutput.h:
2353         (JSC::FTL::Output::doublePow):
2354         (JSC::FTL::Output::doublePowi):
2355         * jit/JITOperations.cpp:
2356         * jit/JITOperations.h:
2357         * runtime/MathObject.cpp:
2358         (JSC::mathProtoFuncPow):
2359         (JSC::isDenormal): Deleted.
2360         (JSC::isEdgeCase): Deleted.
2361         (JSC::mathPow): Deleted.
2362
2363         * tests/stress/math-pow-basics.js: Added.
2364         * tests/stress/math-pow-integer-exponent-fastpath.js: Added.
2365         * tests/stress/math-pow-nan-behaviors.js: Added.
2366         * tests/stress/math-pow-with-constants.js: Added.
2367         Start some basic testing of Math.pow().
2368         Due to the various transforms, the values change when the code tiers up.
2369         I covered this by checking for approximate values.
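
The tests described in this entry, as an added example that is not part of the WebKit tree or its tests/stress files: it exercises the two constant cases the abstract interpreter folds, the Math.pow(double, int) and Math.pow(double, double) shapes the fixup phase accepts, and a warm-up loop so a tiering JIT compiles the call sites, comparing approximately against an independent reference because tier-up may change the exact value. The function names and the tolerance are this example's own choices.

```javascript
// Added example; not part of the WebKit tree or its tests/stress files.

// Reference exponentiation that never calls Math.pow: square-and-multiply
// for integer exponents, exp/log otherwise. The ECMAScript special cases the
// entry relies on are spelled out explicitly.
function referencePow(base, exponent) {
  if (Number.isNaN(exponent)) return NaN;   // x ** NaN is NaN, even for base 1
  if (exponent === 0) return 1;             // x ** (+/-0) is 1, even for NaN
  if (Number.isInteger(exponent) && Math.abs(exponent) <= 1024) {
    let result = 1;
    let b = base;
    let e = Math.abs(exponent);
    while (e > 0) {
      if (e & 1) result *= b;
      b *= b;
      e >>= 1;
    }
    return exponent < 0 ? 1 / result : result;
  }
  return Math.exp(exponent * Math.log(base));
}

// Approximate comparison with a relative tolerance; NaN matches NaN, while
// infinities and zeros must match exactly, including the sign of zero.
function approxEqual(actual, expected, relTol = 1e-9) {
  if (Number.isNaN(expected)) return Number.isNaN(actual);
  if (!Number.isFinite(expected) || expected === 0) return Object.is(actual, expected);
  return Math.abs(actual - expected) <= relTol * Math.abs(expected);
}

// First folded case: a zero exponent yields 1 whatever the base, NaN included.
function exponentZeroIsOne() {
  const bases = [NaN, Infinity, -Infinity, 0, -0, 3.5, -2, 1e308];
  return bases.every(b => Math.pow(b, 0) === 1 && Math.pow(b, -0) === 1);
}

// Second folded case: both operands are constants, so the call can be
// evaluated at compile time; literal call sites must agree with the
// reference just as runtime calls do.
function constantOperandsFold() {
  return approxEqual(Math.pow(2.5, 3), 15.625)
      && approxEqual(Math.pow(10, -3), referencePow(10, -3))
      && approxEqual(Math.pow(-8, 1 / 3), NaN);
}

// Runs the (double, int) and (double, double) shapes plus special values many
// times so a tiering JIT would compile the call site; returns the number of
// results that fall outside the tolerance.
function stressPow(iterations) {
  const cases = [
    [2.5, 3], [-1.5, 7], [10, -3], [0.5, 20], [-0, 3], [-0, -1],              // (double, int)
    [2, 0.5], [10, 2.5], [-8, 1 / 3], [Infinity, 0.5], [0, 0.5], [7.25, -1.5], // (double, double)
    [NaN, 0], [1, NaN], [NaN, 2], [-Infinity, 3], [-Infinity, 2],             // special values
  ];
  let mismatches = 0;
  for (let i = 0; i < iterations; i++) {
    const [base, exponent] = cases[i % cases.length];
    if (!approxEqual(Math.pow(base, exponent), referencePow(base, exponent))) mismatches++;
  }
  return mismatches;
}
```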
2370
2371 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
2372
2373         ArithSqrt should not be conditional on supportsFloatingPointSqrt
2374         https://bugs.webkit.org/show_bug.cgi?id=141546
2375
2376         Reviewed by Geoffrey Garen and Filip Pizlo.
2377
2378         Just fall back to the function call in the DFG codegen.
2379
2380         * dfg/DFGByteCodeParser.cpp:
2381         (JSC::DFG::ByteCodeParser::handleIntrinsic):
2382         * dfg/DFGSpeculativeJIT.cpp:
2383         (JSC::DFG::SpeculativeJIT::compileArithSqrt):
2384         * dfg/DFGSpeculativeJIT.h:
2385         * dfg/DFGSpeculativeJIT32_64.cpp:
2386         (JSC::DFG::SpeculativeJIT::compile):
2387         * dfg/DFGSpeculativeJIT64.cpp:
2388         (JSC::DFG::SpeculativeJIT::compile):
2389         * tests/stress/math-sqrt-basics.js: Added.
2390         Basic coverage.
2391
2392         * tests/stress/math-sqrt-basics-disable-architecture-specific-optimizations.js: Added.
2393         Same tests but forcing the function call.
2394
2395 2015-02-13  Michael Saboff  <msaboff@apple.com>
2396
2397         REGRESSION(r180060) New js/regress-141098 test crashes when LLInt is disabled.
2398         https://bugs.webkit.org/show_bug.cgi?id=141577
2399
2400         Reviewed by Benjamin Poulain.
2401
2402         Changed the prologue of the baseline JIT to check for stack space for all
2403         types of code blocks.  Previously, it was only checking Function.  Now
2404         it checks Program and Eval as well.
2405
2406         * jit/JIT.cpp:
2407         (JSC::JIT::privateCompile):
2408
2409 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
2410
2411         Generate incq instead of addq when the immediate value is one
2412         https://bugs.webkit.org/show_bug.cgi?id=141548
2413
2414         Reviewed by Gavin Barraclough.
2415
2416         JSC emits "addq #1 (rXX)" *a lot*.
2417         This patch replaces that with incq, which is one byte shorter
2418         and is the advised form.
2419
2420         Sunspider: +0.47%
2421         Octane: +0.28%
2422         Kraken: +0.44%
2423         AsmBench, CompressionBench: neutral.
2424
2425         * assembler/MacroAssemblerX86_64.h:
2426         (JSC::MacroAssemblerX86_64::add64):
2427         * assembler/X86Assembler.h:
2428         (JSC::X86Assembler::incq_m):
2429
2430 2015-02-13  Benjamin Poulain  <benjamin@webkit.org>
2431
2432         Little clean up of Bytecode Generator's Label
2433         https://bugs.webkit.org/show_bug.cgi?id=141557
2434
2435         Reviewed by Michael Saboff.
2436
2437         * bytecompiler/BytecodeGenerator.h:
2438         * bytecompiler/BytecodeGenerator.cpp:
2439         Label was a friend of BytecodeGenerator in order to access
2440         m_instructions. There is no need for that; BytecodeGenerator
2441         has a public getter.
2442
2443         * bytecompiler/Label.h:
2444         (JSC::Label::Label):
2445         (JSC::Label::setLocation):
2446         (JSC::BytecodeGenerator::newLabel):
2447         Make it explicit that the generator must exist.
2448
2449 2015-02-13  Michael Saboff  <msaboff@apple.com>
2450
2451         Google doc spreadsheet reproducibly crashes when sorting
2452         https://bugs.webkit.org/show_bug.cgi?id=141098
2453
2454         Reviewed by Oliver Hunt.
2455
2456         Moved the stack check to before the callee registers are allocated in the
2457         prologue() by moving it from the functionInitialization() macro.  This
2458         way we can check the stack before moving the stack pointer, avoiding a
2459         crash during a "call" instruction.  Before this change, we weren't even
2460         checking the stack for program and eval execution.
2461
2462         Made a couple of supporting changes.
2463
2464         * llint/LLIntSlowPaths.cpp:
2465         (JSC::LLInt::llint_stack_check): We can't just go up one frame as we
2466         may be processing an exception to an entry frame.
2467
2468         * llint/LowLevelInterpreter.asm:
2469
2470         * llint/LowLevelInterpreter32_64.asm:
2471         * llint/LowLevelInterpreter64.asm:
2472         (llint_throw_from_slow_path_trampoline): Changed method to get the vm
2473         from the code block to not use the codeBlock, since we may need to
2474         continue from an exception in a native function.
2475
2476 2015-02-12  Benjamin Poulain  <benjamin@webkit.org>
2477
2478         Simplify the initialization of BytecodeGenerator a bit
2479         https://bugs.webkit.org/show_bug.cgi?id=141505
2480
2481         Reviewed by Anders Carlsson.
2482
2483         * bytecompiler/BytecodeGenerator.cpp:
2484         (JSC::BytecodeGenerator::BytecodeGenerator):
2485         * bytecompiler/BytecodeGenerator.h:
2486         Set up the default initialization at the declaration level
2487         instead of the constructor.
2488
2489         Also made m_scopeNode and m_codeType const to make it explicit
2490         that they are invariant after construction.
2491
2492         * parser/Nodes.cpp:
2493         * runtime/Executable.cpp:
2494         Remove 2 useless #includes.
2495
2496 2015-02-12  Benjamin Poulain  <benjamin@webkit.org>
2497
2498         Move the generators for GetScope and SkipScope to the common core in DFGSpeculativeJIT
2499         https://bugs.webkit.org/show_bug.cgi?id=141506
2500
2501         Reviewed by Michael Saboff.
2502
2503         The generators for the nodes GetScope and SkipScope were
2504         completely identical between 32 and 64 bits.
2505
2506         This patch moves the duplicated code to DFGSpeculativeJIT.
2507
2508         * dfg/DFGSpeculativeJIT.cpp:
2509         (JSC::DFG::SpeculativeJIT::compileGetScope):
2510         (JSC::DFG::SpeculativeJIT::compileSkipScope):
2511         * dfg/DFGSpeculativeJIT.h:
2512         * dfg/DFGSpeculativeJIT32_64.cpp:
2513         (JSC::DFG::SpeculativeJIT::compile):
2514         * dfg/DFGSpeculativeJIT64.cpp:
2515         (JSC::DFG::SpeculativeJIT::compile):
2516
2517 2015-02-11  Brent Fulgham  <bfulgham@apple.com>
2518
2519         [Win] [64-bit] Work around MSVC2013 Runtime Bug
2520         https://bugs.webkit.org/show_bug.cgi?id=141498
2521         <rdar://problem/19803642>
2522
2523         Reviewed by Anders Carlsson.
2524
2525         Disable FMA3 instruction use in the MSVC math library to
2526         work around a VS2013 runtime crash. We can remove this
2527         workaround when we switch to VS2015.
2528
2529         * API/tests/testapi.c: Call _set_FMA3_enable(0) to disable
2530         FMA3 support.
2531         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add new files.
2532         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
2533         * JavaScriptCore.vcxproj/JavaScriptCoreDLL.cpp: Added.
2534         * JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp: Call _set_FMA3_enable(0)
2535         to disable FMA3 support.
2536         * jsc.cpp: Ditto.
2537         * testRegExp.cpp: Ditto.
2538
2539 2015-02-11  Filip Pizlo  <fpizlo@apple.com>
2540
2541         The callee frame helpers in DFG::SpeculativeJIT should be available to other JITs
2542         https://bugs.webkit.org/show_bug.cgi?id=141493
2543
2544         Reviewed by Michael Saboff.
2545
2546         * dfg/DFGSpeculativeJIT.h:
2547         (JSC::DFG::SpeculativeJIT::calleeFrameSlot): Deleted.
2548         (JSC::DFG::SpeculativeJIT::calleeArgumentSlot): Deleted.
2549         (JSC::DFG::SpeculativeJIT::calleeFrameTagSlot): Deleted.
2550         (JSC::DFG::SpeculativeJIT::calleeFramePayloadSlot): Deleted.
2551         (JSC::DFG::SpeculativeJIT::calleeArgumentTagSlot): Deleted.
2552         (JSC::DFG::SpeculativeJIT::calleeArgumentPayloadSlot): Deleted.
2553         (JSC::DFG::SpeculativeJIT::calleeFrameCallerFrame): Deleted.
2554         * dfg/DFGSpeculativeJIT32_64.cpp:
2555         (JSC::DFG::SpeculativeJIT::emitCall):
2556         * dfg/DFGSpeculativeJIT64.cpp:
2557         (JSC::DFG::SpeculativeJIT::emitCall):
2558         * jit/AssemblyHelpers.h:
2559         (JSC::AssemblyHelpers::calleeFrameSlot):
2560         (JSC::AssemblyHelpers::calleeArgumentSlot):
2561         (JSC::AssemblyHelpers::calleeFrameTagSlot):
2562         (JSC::AssemblyHelpers::calleeFramePayloadSlot):
2563         (JSC::AssemblyHelpers::calleeArgumentTagSlot):
2564         (JSC::AssemblyHelpers::calleeArgumentPayloadSlot):
2565         (JSC::AssemblyHelpers::calleeFrameCallerFrame):
2566
2567 2015-02-11  Filip Pizlo  <fpizlo@apple.com>
2568
2569         SetupVarargsFrame should not assume that an inline stack frame would have identical layout to a normal stack frame
2570         https://bugs.webkit.org/show_bug.cgi?id=141485
2571
2572         Reviewed by Oliver Hunt.
2573         
2574         The inlineStackOffset argument was meant to make it easy for the DFG to use this helper for
2575         vararg calls from inlined code, but that doesn't work since the DFG inline call frame
2576         doesn't actually put the argument count at the JSStack::ArgumentCount offset. In fact there
2577         is really no such thing as an inlineStackOffset except when we OSR exit; while the code is
2578         running the stack layout is compacted so that the stackOffset is not meaningful.
2579
2580         * jit/JITCall.cpp:
2581         (JSC::JIT::compileSetupVarargsFrame):
2582         * jit/JITCall32_64.cpp:
2583         (JSC::JIT::compileSetupVarargsFrame):
2584         * jit/SetupVarargsFrame.cpp:
2585         (JSC::emitSetupVarargsFrameFastCase):
2586         * jit/SetupVarargsFrame.h:
2587
2588 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
2589
2590         Split FTL::JSCall into the part that knows about call inline caching and the part that interacts with LLVM patchpoints
2591         https://bugs.webkit.org/show_bug.cgi?id=141455
2592
2593         Reviewed by Mark Lam.
2594         
2595         The newly introduced FTL::JSCallBase can be used to build other things, like the FTL portion
2596         of https://bugs.webkit.org/show_bug.cgi?id=141332.
2597
2598         * CMakeLists.txt:
2599         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2600         * JavaScriptCore.xcodeproj/project.pbxproj:
2601         * bytecode/CallLinkInfo.h:
2602         (JSC::CallLinkInfo::specializationKindFor):
2603         (JSC::CallLinkInfo::specializationKind):
2604         * ftl/FTLJSCall.cpp:
2605         (JSC::FTL::JSCall::JSCall):
2606         (JSC::FTL::JSCall::emit): Deleted.
2607         (JSC::FTL::JSCall::link): Deleted.
2608         * ftl/FTLJSCall.h:
2609         * ftl/FTLJSCallBase.cpp: Added.
2610         (JSC::FTL::JSCallBase::JSCallBase):
2611         (JSC::FTL::JSCallBase::emit):
2612         (JSC::FTL::JSCallBase::link):
2613         * ftl/FTLJSCallBase.h: Added.
2614
2615 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
2616
2617         Unreviewed, fix build.
2618
2619         * jit/CCallHelpers.h:
2620         (JSC::CCallHelpers::setupArgumentsWithExecState):
2621
2622 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
2623
2624         op_call_varargs should only load the length once
2625         https://bugs.webkit.org/show_bug.cgi?id=141440
2626         rdar://problem/19761683
2627
2628         Reviewed by Michael Saboff.
2629         
2630         Refactors the pair of calls that set up the varargs frame so that the first call returns the
2631         length, and the second call uses the length returned by the first one. It turns out that this
2632         gave me an opportunity to shorten a lot of the code.
2633
2634         * interpreter/Interpreter.cpp:
2635         (JSC::sizeFrameForVarargs):
2636         (JSC::loadVarargs):
2637         (JSC::setupVarargsFrame):
2638         (JSC::setupVarargsFrameAndSetThis):
2639         * interpreter/Interpreter.h:
2640         (JSC::calleeFrameForVarargs):
2641         * jit/CCallHelpers.h:
2642         (JSC::CCallHelpers::setupArgumentsWithExecState):
2643         * jit/JIT.h:
2644         * jit/JITCall.cpp:
2645         (JSC::JIT::compileSetupVarargsFrame):
2646         * jit/JITCall32_64.cpp:
2647         (JSC::JIT::compileSetupVarargsFrame):
2648         * jit/JITInlines.h:
2649         (JSC::JIT::callOperation):
2650         * jit/JITOperations.cpp:
2651         * jit/JITOperations.h:
2652         * jit/SetupVarargsFrame.cpp:
2653         (JSC::emitSetVarargsFrame):
2654         (JSC::emitSetupVarargsFrameFastCase):
2655         * jit/SetupVarargsFrame.h:
2656         * llint/LLIntSlowPaths.cpp:
2657         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2658         * runtime/Arguments.cpp:
2659         (JSC::Arguments::copyToArguments):
2660         * runtime/Arguments.h:
2661         * runtime/JSArray.cpp:
2662         (JSC::JSArray::copyToArguments):
2663         * runtime/JSArray.h:
2664         * runtime/VM.h:
2665         * tests/stress/call-varargs-length-effects.js: Added.
2666         (foo):
2667         (bar):
2668
2669 2015-02-10  Michael Saboff  <msaboff@apple.com>
2670
2671         Crash in JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq
2672         https://bugs.webkit.org/show_bug.cgi?id=139398
2673
2674         Reviewed by Filip Pizlo.
2675
2676         Due to CFA analysis, the CompareStrictEq node was determined to be unreachable, but later
2677         was determined to be reachable.  When we go to lower to LLVM, the edges for the CompareStrictEq
2678         node are UntypedUse which we can't compile.  Fixed this by checking that the IR before
2679         lowering can still be handled by the FTL.
2680
2681         Had to add GetArgument as a node that the FTL can compile as the SSA conversion phase converts
2682         a SetArgument to a GetArgument.  Before this change FTL::canCompile() would never see a GetArgument
2683         node.  With the check right before lowering, we see this node.
2684
2685         * dfg/DFGPlan.cpp:
2686         (JSC::DFG::Plan::compileInThreadImpl): Added a final FTL::canCompile() check before lowering
2687         to verify that after all the transformations we still have valid IR for the FTL.
2688         * ftl/FTLCapabilities.cpp:
2689         (JSC::FTL::canCompile): Added GetArgument as a node the FTL can compile.
2690
2691 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
2692
2693         Remove unused DFG::SpeculativeJIT::calleeFrameOffset().
2694
2695         Rubber stamped by Michael Saboff.
2696         
2697         Not only was this not used, I believe that the math was wrong. The callee frame doesn't
2698         actually land past m_nextMachineLocal; instead it lands just below wherever we put SP and
2699         that decision is made elsewhere. Also, it makes no sense to subtract 1 from
2700         m_nextMachineLocal when trying to deduce the number of in-use stack slots.
2701
2702         * dfg/DFGSpeculativeJIT.h:
2703         (JSC::DFG::SpeculativeJIT::calleeFrameOffset): Deleted.
2704
2705 2015-02-10  Saam Barati  <saambarati1@gmail.com>
2706
2707         Parser::parseVarDeclarationList gets the wrong JSToken for the last identifier
2708         https://bugs.webkit.org/show_bug.cgi?id=141272
2709
2710         Reviewed by Oliver Hunt.
2711
2712         This patch fixes a bug where the wrong text location would be 
2713         assigned to a variable declaration inside a ForIn/ForOf loop. 
2714         It also fixes a bug in the type profiler where the type profiler 
2715         emits the wrong text offset for a ForIn loop's variable declarator 
2716         when it's not a pattern node.
2717
2718         * bytecompiler/NodesCodegen.cpp:
2719         (JSC::ForInNode::emitLoopHeader):
2720         * parser/Parser.cpp:
2721         (JSC::Parser<LexerType>::parseVarDeclarationList):
2722         * tests/typeProfiler/loop.js:
2723         (testForIn):
2724         (testForOf):
2725
2726 2015-02-09  Saam Barati  <saambarati1@gmail.com>
2727
2728         JSC's Type Profiler doesn't profile the type of the looping variable in ForOf/ForIn loops
2729         https://bugs.webkit.org/show_bug.cgi?id=141241
2730
2731         Reviewed by Filip Pizlo.
2732
2733         Type information is now recorded for ForIn and ForOf statements. 
2734         It was an oversight to not have these statements profiled before.
2735
2736         * bytecompiler/NodesCodegen.cpp:
2737         (JSC::ForInNode::emitLoopHeader):
2738         (JSC::ForOfNode::emitBytecode):
2739         * tests/typeProfiler/loop.js: Added.
2740         (testForIn):
2741         (testForOf):
2742
2743 2015-02-09  Filip Pizlo  <fpizlo@apple.com>
2744
2745         DFG::StackLayoutPhase should always set the scopeRegister to VirtualRegister() because the DFG doesn't do anything to make its value valid
2746         https://bugs.webkit.org/show_bug.cgi?id=141412
2747
2748         Reviewed by Michael Saboff.
2749         
2750         StackLayoutPhase was attempting to ensure that the register that
2751         CodeBlock::scopeRegister() points to is the right one for the DFG. But the DFG did nothing
2752         else to maintain the validity of the scopeRegister(). It wasn't captured as far as I can
2753         tell. StackLayoutPhase didn't explicitly mark it live. PreciseLocalClobberize didn't mark
2754         it as being live. So, by the time we got here the register referred to by
2755         CodeBlock::scopeRegister() would have been junk. Moreover, CodeBlock::scopeRegister() was
2756         not used for DFG code blocks, and was hardly ever used outside of bytecode generation.
2757         
2758         So, this patch just removes the code to manipulate this field and replaces it with an
2759         unconditional setScopeRegister(VirtualRegister()). Setting it to the invalid register
2760         ensures that any attempts to read the scopeRegister in a DFG or FTL frame immediately
2761         punts.
2762
2763         * dfg/DFGStackLayoutPhase.cpp:
2764         (JSC::DFG::StackLayoutPhase::run):
2765
2766 2015-02-09  Filip Pizlo  <fpizlo@apple.com>
2767
2768         Varargs frame set-up should be factored out for use by other JITs
2769         https://bugs.webkit.org/show_bug.cgi?id=141388
2770
2771         Reviewed by Michael Saboff.
2772         
2773         Previously the code that dealt with varargs always assumed that we were setting up a varargs call
2774         frame by literally following the execution semantics of op_call_varargs. This isn't how it'll
2775         happen once the DFG and FTL do varargs calls, or when varargs calls get inlined. The DFG and FTL
2776         don't literally execute bytecode; for example their stack frame layout has absolutely nothing in
2777         common with what the bytecode says, and that will never change.
2778         
2779         This patch makes two changes:
2780         
2781         Setting up the varargs callee frame can be done in smaller steps: particularly in the case of a
2782         varargs call that gets inlined, we aren't going to actually want to set up a callee frame in
2783         full - we just want to put the arguments somewhere, and that place will not have much (if
2784         anything) in common with the call frame format. This patch factors that out into something called
2785         a loadVarargs. The thing we used to call loadVarargs is now called setupVarargsFrame. This patch
2786         also separates loading varargs from setting this, since the fact that those two things are done
2787         together is a detail made explicit in bytecode but it's not at all required in the higher-tier
2788         engines. In the process of factoring this code out, I found a bunch of off-by-one errors in the
2789         various calculations. I fixed them. The distance from the caller's frame pointer to the callee
2790         frame pointer is always:
2791         
2792             numUsedCallerSlots + argCount + 1 + CallFrameSize
2793         
2794         where numUsedCallerSlots is toLocal(firstFreeRegister) - 1, which simplifies down to just
2795         -firstFreeRegister. The code now speaks of numUsedCallerSlots rather than firstFreeRegister,
2796         since the latter is a bytecode peculiarity that doesn't apply in the DFG or FTL. In the DFG, the
2797         internally-computed frame size, minus the parameter slots, will be used for numUsedCallerSlots.
2798         In the FTL, we will essentially compute numUsedCallerSlots dynamically by subtracting SP from FP.
2799         Eventually, LLVM might give us some cleaner way of doing this, but it probably doesn't matter
2800         very much.
2801         
2802         The arguments forwarding optimization is factored out of the Baseline JIT: the DFG and FTL will
2803         want to do this optimization as well, but it involves quite a bit of code. So, this code is now
2804         factored out into SetupVarargsFrame.h|cpp, so that other JITs can use it. In the process of factoring
2805         this code out I noticed that the 32-bit and 64-bit code is nearly identical, so I combined them.
2806
2807         * CMakeLists.txt:
2808         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2809         * JavaScriptCore.xcodeproj/project.pbxproj:
2810         * bytecode/CodeBlock.h:
2811         (JSC::ExecState::r):
2812         (JSC::ExecState::uncheckedR):
2813         * bytecode/VirtualRegister.h:
2814         (JSC::VirtualRegister::operator+):
2815         (JSC::VirtualRegister::operator-):
2816         (JSC::VirtualRegister::operator+=):
2817         (JSC::VirtualRegister::operator-=):
2818         * interpreter/CallFrame.h:
2819         * interpreter/Interpreter.cpp:
2820         (JSC::sizeFrameForVarargs):
2821         (JSC::loadVarargs):
2822         (JSC::setupVarargsFrame):
2823         (JSC::setupVarargsFrameAndSetThis):
2824         * interpreter/Interpreter.h:
2825         * jit/AssemblyHelpers.h:
2826         (JSC::AssemblyHelpers::emitGetFromCallFrameHeaderPtr):
2827         (JSC::AssemblyHelpers::emitGetFromCallFrameHeader32):
2828         (JSC::AssemblyHelpers::emitGetFromCallFrameHeader64):
2829         * jit/JIT.h:
2830         * jit/JITCall.cpp:
2831         (JSC::JIT::compileSetupVarargsFrame):
2832         * jit/JITCall32_64.cpp:
2833         (JSC::JIT::compileSetupVarargsFrame):
2834         * jit/JITInlines.h:
2835         (JSC::JIT::callOperation):
2836         (JSC::JIT::emitGetFromCallFrameHeaderPtr): Deleted.
2837         (JSC::JIT::emitGetFromCallFrameHeader32): Deleted.
2838         (JSC::JIT::emitGetFromCallFrameHeader64): Deleted.
2839         * jit/JITOperations.cpp:
2840         * jit/JITOperations.h:
2841         * jit/SetupVarargsFrame.cpp: Added.
2842         (JSC::emitSetupVarargsFrameFastCase):
2843         * jit/SetupVarargsFrame.h: Added.
2844         * llint/LLIntSlowPaths.cpp:
2845         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2846         * runtime/Arguments.cpp:
2847         (JSC::Arguments::copyToArguments):
2848         * runtime/Arguments.h:
2849         * runtime/JSArray.cpp:
2850         (JSC::JSArray::copyToArguments):
2851         * runtime/JSArray.h:
2852
2853 2015-02-09  Filip Pizlo  <fpizlo@apple.com>
2854
2855         DFG call codegen should resolve the callee operand as late as possible
2856         https://bugs.webkit.org/show_bug.cgi?id=141398
2857
2858         Reviewed by Mark Lam.
2859         
2860         This is mostly a benign restructuring to help with the implementation of
2861         https://bugs.webkit.org/show_bug.cgi?id=141332.
2862
2863         * dfg/DFGSpeculativeJIT32_64.cpp:
2864         (JSC::DFG::SpeculativeJIT::emitCall):
2865         * dfg/DFGSpeculativeJIT64.cpp:
2866         (JSC::DFG::SpeculativeJIT::emitCall):
2867
2868 2015-02-08  Filip Pizlo  <fpizlo@apple.com>
2869
2870         DFG should only have two mechanisms for describing effectfulness of nodes; previously there were three
2871         https://bugs.webkit.org/show_bug.cgi?id=141369
2872
2873         Reviewed by Michael Saboff.
2874
2875         We previously used the NodeMightClobber and NodeClobbersWorld NodeFlags to describe
2876         effectfulness.  Starting over a year ago, we introduced a more powerful mechanism - the
2877         DFG::clobberize() function.  Now we only have one remaining client of the old NodeFlags,
2878         and everyone else uses DFG::clobberize().  We should get rid of those NodeFlags and
2879         finally switch everyone over to DFG::clobberize().
2880         
2881         Unfortunately there is still another place where effectfulness of nodes is described: the
2882         AbstractInterpreter. This is because the AbstractInterpreter has special tuning for
2883         compile time performance, and there are places where the AI is more precise than
2884         clobberize() because of its flow-sensitivity.
2885         
2886         This means that after this change there will be only two places, rather than three, where
2887         the effectfulness of a node has to be described:
2888
2889         - DFG::clobberize()
2890         - DFG::AbstractInterpreter
2891
2892         * dfg/DFGClobberize.cpp:
2893         (JSC::DFG::clobbersWorld):
2894         * dfg/DFGClobberize.h:
2895         * dfg/DFGDoesGC.cpp:
2896         (JSC::DFG::doesGC):
2897         * dfg/DFGFixupPhase.cpp:
2898         (JSC::DFG::FixupPhase::fixupNode):
2899         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
2900         (JSC::DFG::FixupPhase::convertToGetArrayLength):
2901         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
2902         * dfg/DFGGraph.h:
2903         (JSC::DFG::Graph::isPredictedNumerical): Deleted.
2904         (JSC::DFG::Graph::byValIsPure): Deleted.
2905         (JSC::DFG::Graph::clobbersWorld): Deleted.
2906         * dfg/DFGNode.h:
2907         (JSC::DFG::Node::convertToConstant):
2908         (JSC::DFG::Node::convertToGetLocalUnlinked):
2909         (JSC::DFG::Node::convertToGetByOffset):
2910         (JSC::DFG::Node::convertToMultiGetByOffset):
2911         (JSC::DFG::Node::convertToPutByOffset):
2912         (JSC::DFG::Node::convertToMultiPutByOffset):
2913         * dfg/DFGNodeFlags.cpp:
2914         (JSC::DFG::dumpNodeFlags):
2915         * dfg/DFGNodeFlags.h:
2916         * dfg/DFGNodeType.h:
2917
2918 2015-02-09  Csaba Osztrogonác  <ossy@webkit.org>
2919
2920         Fix the !ENABLE(DFG_JIT) build
2921         https://bugs.webkit.org/show_bug.cgi?id=141387
2922
2923         Reviewed by Darin Adler.
2924
2925         * jit/Repatch.cpp:
2926
2927 2015-02-08  Benjamin Poulain  <benjamin@webkit.org>
2928
2929         Remove a few duplicate propagation steps from the DFG's PredictionPropagation phase
2930         https://bugs.webkit.org/show_bug.cgi?id=141363
2931
2932         Reviewed by Darin Adler.
2933
2934         * dfg/DFGPredictionPropagationPhase.cpp:
2935         (JSC::DFG::PredictionPropagationPhase::propagate):
2936         Some blocks were duplicated; they probably evolved separately
2937         to the same state.
2938
2939 2015-02-08  Benjamin Poulain  <benjamin@webkit.org>
2940
2941         Remove useless declarations and a stale comment from DFGByteCodeParser.h
2942         https://bugs.webkit.org/show_bug.cgi?id=141361
2943
2944         Reviewed by Darin Adler.
2945
2946         The comment refers to the original form of the ByteCodeParser:
2947             parse(Graph&, JSGlobalData*, CodeBlock*, unsigned startIndex);
2948
2949         That form is long dead; the comment is more misleading than anything.
2950
2951         * dfg/DFGByteCodeParser.cpp:
2952         * dfg/DFGByteCodeParser.h:
2953
2954 2015-02-08  Benjamin Poulain  <benjamin@webkit.org>
2955
2956         Encapsulate DFG::Plan's beforeFTL timestamp
2957         https://bugs.webkit.org/show_bug.cgi?id=141360
2958
2959         Reviewed by Darin Adler.
2960
2961         Make the attribute private; it is internal state.
2962
2963         Rename beforeFTL->timeBeforeFTL for readability.
2964
2965         * dfg/DFGPlan.cpp:
2966         (JSC::DFG::Plan::compileInThread):
2967         (JSC::DFG::Plan::compileInThreadImpl):
2968         * dfg/DFGPlan.h:
2969
2970 2015-02-08  Benjamin Poulain  <bpoulain@apple.com>
2971
2972         Remove DFGNode::hasArithNodeFlags()
2973         https://bugs.webkit.org/show_bug.cgi?id=141319
2974
2975         Reviewed by Michael Saboff.
2976
2977         * dfg/DFGNode.h:
2978         (JSC::DFG::Node::hasArithNodeFlags): Deleted.
2979         Unused code is unused.
2980
2981 2015-02-07  Chris Dumez  <cdumez@apple.com>
2982
2983         Add Vector::removeFirstMatching() / removeAllMatching() methods taking lambda functions
2984         https://bugs.webkit.org/show_bug.cgi?id=141321
2985
2986         Reviewed by Darin Adler.
2987
2988         Use new Vector::removeFirstMatching() / removeAllMatching() methods.
2989
2990 2015-02-06  Filip Pizlo  <fpizlo@apple.com>
2991
2992         DFG SSA shouldn't have SetArgument nodes
2993         https://bugs.webkit.org/show_bug.cgi?id=141342
2994
2995         Reviewed by Mark Lam.
2996
2997         I was wondering why we kept the SetArgument around for captured
2998         variables. It turns out we did so because we thought we had to, even
2999         though we didn't have to. The node is meaningless in SSA.
3000
3001         * dfg/DFGSSAConversionPhase.cpp:
3002         (JSC::DFG::SSAConversionPhase::run):
3003         * ftl/FTLLowerDFGToLLVM.cpp:
3004         (JSC::FTL::LowerDFGToLLVM::compileNode):
3005
3006 2015-02-06  Filip Pizlo  <fpizlo@apple.com>
3007
3008         It should be possible to use the DFG SetArgument node to indicate that someone set the value of a local out-of-band
3009         https://bugs.webkit.org/show_bug.cgi?id=141337
3010
3011         Reviewed by Mark Lam.
3012
3013         This mainly involved ensuring that SetArgument behaves just like SetLocal from a CPS standpoint, but with a special case for those SetArguments that
3014         are associated with the prologue.
3015
3016         * dfg/DFGCPSRethreadingPhase.cpp:
3017         (JSC::DFG::CPSRethreadingPhase::run):
3018         (JSC::DFG::CPSRethreadingPhase::canonicalizeSet):
3019         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
3020         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
3021         (JSC::DFG::CPSRethreadingPhase::canonicalizeSetLocal): Deleted.
3022         (JSC::DFG::CPSRethreadingPhase::canonicalizeSetArgument): Deleted.
3023
3024 2015-02-06  Mark Lam  <mark.lam@apple.com>
3025
3026         MachineThreads should be ref counted.
3027         <https://webkit.org/b/141317>
3028
3029         Reviewed by Filip Pizlo.
3030
3031         The VM's MachineThreads registry object is being referenced from other
3032         threads as a raw pointer.  In a scenario where the VM is destructed on
3033         the main thread, there is no guarantee that another thread isn't still
3034         holding a reference to the registry and will eventually invoke
3035         removeThread() on it on thread exit.  Hence, there's a possible use
3036         after free scenario here.
3037
3038         The fix is to make MachineThreads ThreadSafeRefCounted, and have all
3039         threads that reference it keep a RefPtr to it to ensure that it stays
3040         alive until the very last thread is done with it.
3041
3042         * API/tests/testapi.mm:
3043         (useVMFromOtherThread): - Renamed to be more descriptive.
3044         (useVMFromOtherThreadAndOutliveVM):
3045         - Added a test that has another thread which uses the VM outlive the
3046           VM to confirm that there is no crash.
3047
3048           However, I was not actually able to get the VM to crash without this
3049         patch because I wasn't always able to get the thread destructor to be
3050           called.  With this patch applied, I did verify with some logging that
3051           the MachineThreads registry is only destructed after all threads
3052           have removed themselves from it.
3053
3054         (threadMain): Deleted.
3055
3056         * heap/Heap.cpp:
3057         (JSC::Heap::Heap):
3058         (JSC::Heap::~Heap):
3059         (JSC::Heap::gatherStackRoots):
3060         * heap/Heap.h:
3061         (JSC::Heap::machineThreads):
3062         * heap/MachineStackMarker.cpp:
3063         (JSC::MachineThreads::Thread::Thread):
3064         (JSC::MachineThreads::addCurrentThread):
3065         (JSC::MachineThreads::removeCurrentThread):
3066         * heap/MachineStackMarker.h:
3067
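The use-after-free described in this entry, replayed as an added example in plain C++ (not JSC's code): a constructed ThreadRegistry stands in for MachineThreads, a weak_ptr models the old raw pointer held by the exiting thread, and a shared_ptr models the ThreadSafeRefCounted/RefPtr fix. ThreadRegistry, VM, Outcome and runScenario are names assumed for this example only.

```cpp
#include <atomic>
#include <cstdio>
#include <memory>
#include <mutex>
#include <thread>
#include <unordered_set>

// Constructed stand-in for JSC's MachineThreads registry (added example, not
// JSC's code). The destructor flips a flag so a caller can observe exactly
// when the registry is freed.
class ThreadRegistry {
public:
    explicit ThreadRegistry(std::atomic<bool>& destroyedFlag)
        : m_destroyed(destroyedFlag) {}
    ~ThreadRegistry() { m_destroyed = true; }

    void addThread(std::thread::id id) {
        std::lock_guard<std::mutex> guard(m_lock);
        m_threads.insert(id);
    }
    void removeThread(std::thread::id id) {
        std::lock_guard<std::mutex> guard(m_lock);
        m_threads.erase(id);
    }
    size_t threadCount() {
        std::lock_guard<std::mutex> guard(m_lock);
        return m_threads.size();
    }

private:
    std::mutex m_lock;
    std::unordered_set<std::thread::id> m_threads;
    std::atomic<bool>& m_destroyed;
};

// Stand-in for the VM, which owns the registry (like Heap::machineThreads).
struct VM {
    std::shared_ptr<ThreadRegistry> machineThreads;
    explicit VM(std::atomic<bool>& destroyedFlag)
        : machineThreads(std::make_shared<ThreadRegistry>(destroyedFlag)) {}
};

struct Outcome {
    bool registryAliveAtThreadExit; // worker could safely call removeThread()
    bool registryFreedAtEnd;        // registry freed once its last holder let go
};

// Replays the scenario from the entry: a worker registers itself, the VM is
// destructed on the main thread, and only afterwards does the worker exit and
// unregister. threadKeepsRef=false models the old raw pointer with a weak_ptr
// (lock() fails instead of dereferencing freed memory); threadKeepsRef=true
// models the fix, where the thread holds its own strong reference (RefPtr).
Outcome runScenario(bool threadKeepsRef) {
    std::atomic<bool> destroyed{false};
    std::atomic<bool> registered{false};
    std::atomic<bool> vmGone{false};
    Outcome out{false, false};

    std::unique_ptr<VM> vm(new VM(destroyed));
    std::weak_ptr<ThreadRegistry> weakRef = vm->machineThreads;
    std::shared_ptr<ThreadRegistry> strongRef;
    if (threadKeepsRef)
        strongRef = vm->machineThreads; // the worker's own reference

    std::thread worker([&] {
        const std::thread::id self = std::this_thread::get_id();
        if (auto reg = weakRef.lock()) // VM is alive here: registration is safe
            reg->addThread(self);
        registered = true;
        while (!vmGone)
            std::this_thread::yield();

        // Thread-exit path: this is where the old code touched the raw pointer.
        std::shared_ptr<ThreadRegistry> reg = strongRef ? strongRef : weakRef.lock();
        out.registryAliveAtThreadExit = reg && !destroyed;
        if (reg)
            reg->removeThread(self);
        reg.reset();
        strongRef.reset(); // worker drops its reference; registry may die now
    });

    while (!registered)
        std::this_thread::yield();
    vm.reset(); // VM destructed on the main thread while the worker still runs
    vmGone = true;
    worker.join();
    out.registryFreedAtEnd = destroyed;
    return out;
}

int main() {
    Outcome before = runScenario(false);
    Outcome after = runScenario(true);
    std::printf("raw-pointer model: registry alive at thread exit = %d\n",
                before.registryAliveAtThreadExit);
    std::printf("RefPtr model: registry alive at thread exit = %d, freed at end = %d\n",
                after.registryAliveAtThreadExit, after.registryFreedAtEnd);
    return 0;
}
```
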
3068 2015-02-06  Commit Queue  <commit-queue@webkit.org>
3069
3070         Unreviewed, rolling out r179743.
3071         https://bugs.webkit.org/show_bug.cgi?id=141335
3072
3073         caused missing symbols in non-WebKit clients of WTF::Vector
3074         (Requested by kling on #webkit).
3075
3076         Reverted changeset:
3077
3078         "Remove WTF::fastMallocGoodSize()."
3079         https://bugs.webkit.org/show_bug.cgi?id=141020
3080         http://trac.webkit.org/changeset/179743
3081
3082 2015-02-04  Filip Pizlo  <fpizlo@apple.com>
3083
3084         Remove BytecodeGenerator::preserveLastVar() and replace it with a more robust mechanism for preserving non-temporary registers
3085         https://bugs.webkit.org/show_bug.cgi?id=141211
3086
3087         Reviewed by Mark Lam.
3088
3089         Previously, the way non-temporary registers were preserved (i.e. not reclaimed anytime
3090         we did newTemporary()) was by calling preserveLastVar() after all non-temps are created. It
3091         would raise the refcount on the last (highest-numbered) variable created, and rely on
3092         the fact that register reclamation started at higher-numbered registers and worked its
3093         way down. So any retained register would block any lower-numbered registers from being
3094         reclaimed.
3095         
3096         Also, preserveLastVar() sets a thing called m_firstConstantIndex. It's unused.
3097         
3098         This removes preserveLastVar() and makes addVar() retain each register it creates. This
3099         is more explicit, since addVar() is the mechanism for creating non-temporary registers.
3100         
3101         To make this work I had to remove an assertion that Register::setIndex() can only be
3102         called when the refcount is zero. This method might be called after a var is created to
3103         change its index. This previously worked because preserveLastVar() would be called after
3104         we had already made all index changes, so the vars would still have refcount zero. Now
3105         they have refcount 1. I think it's OK to lose this assertion; I can't remember this
3106         assertion ever firing in a way that alerted me to a serious issue.
3107         
3108         * bytecompiler/BytecodeGenerator.cpp:
3109         (JSC::BytecodeGenerator::BytecodeGenerator):
3110         (JSC::BytecodeGenerator::preserveLastVar): Deleted.
3111         * bytecompiler/BytecodeGenerator.h:
3112         (JSC::BytecodeGenerator::addVar):
3113         * bytecompiler/RegisterID.h:
3114         (JSC::RegisterID::setIndex):
3115
3116 2015-02-06  Andreas Kling  <akling@apple.com>
3117
3118         Remove WTF::fastMallocGoodSize().
3119         <https://webkit.org/b/141020>
3120
3121         Reviewed by Anders Carlsson.
3122
3123         * assembler/AssemblerBuffer.h:
3124         (JSC::AssemblerData::AssemblerData):
3125         (JSC::AssemblerData::grow):
3126
3127 2015-02-05  Michael Saboff  <msaboff@apple.com>
3128
3129         CodeCache is not thread safe when adding the same source from two different threads
3130         https://bugs.webkit.org/show_bug.cgi?id=141275
3131
3132         Reviewed by Mark Lam.
3133
3134         The issue for this bug is that one thread takes a cache miss in CodeCache::getGlobalCodeBlock,
3135         but in the process creates a cache entry with a nullptr UnlinkedCodeBlockType* which it
3136         will fill in later in the function.  During the body of that function, it allocates
3137         objects that may garbage collect.  During that garbage collection, we drop all the locks.
3138         While the locks are released by the first thread, another thread can enter the VM and might
3139         have exactly the same source and enter CodeCache::getGlobalCodeBlock() itself.  When it
3140         looks up the code block, it sees it as a cache hit and uses the nullptr UnlinkedCodeBlockType*
3141         and crashes.  This fixes the problem by not dropping the locks during garbage collection.
3142         There are other likely scenarios where we have a data structure like this code cache in an
3143         unsafe state for arbitrary reentrance.
3144
3145         Moved the functionality of DelayedReleaseScope directly into Heap.  Changed it into
3146         a simple list that is cleared with the new function Heap::releaseDelayedReleasedObjects.
3147         Now we accumulate objects to be released and release them when all locks are dropped or
3148         when destroying the Heap.  This eliminated the dropping and reacquiring of locks associated
3149         with the old scope form of this list.
3150
3151         Given that all functionality of DelayedReleaseScope is now used and referenced by Heap
3152         and the lock management no longer needs to be done, just made the list a member of Heap.
3153         We do need to guard against the case that releasing an object can create more objects
3154         by calling into JS.  That is why releaseDelayedReleasedObjects() is written to remove
3155         an object to release so that we aren't recursively in Vector code.  The other thing we
3156         do in releaseDelayedReleasedObjects() is to guard against recursive calls to itself using
3157         the m_delayedReleaseRecursionCount.  We only release at the first entry into the function.
3158         This case is already tested by testapi.mm.
3159
3160         * heap/DelayedReleaseScope.h: Removed file
3161
3162         * API/JSAPIWrapperObject.mm:
3163         * API/ObjCCallbackFunction.mm:
3164         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3165         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3166         * JavaScriptCore.xcodeproj/project.pbxproj:
3167         * heap/IncrementalSweeper.cpp:
3168         (JSC::IncrementalSweeper::doSweep):
3169         * heap/MarkedAllocator.cpp:
3170         (JSC::MarkedAllocator::tryAllocateHelper):
3171         (JSC::MarkedAllocator::tryAllocate):
3172         * heap/MarkedBlock.cpp:
3173         (JSC::MarkedBlock::sweep):
3174         * heap/MarkedSpace.cpp:
3175         (JSC::MarkedSpace::MarkedSpace):
3176         (JSC::MarkedSpace::lastChanceToFinalize):
3177         (JSC::MarkedSpace::didFinishIterating):
3178         * heap/MarkedSpace.h:
3179         * heap/Heap.cpp:
3180         (JSC::Heap::collectAllGarbage):
3181         (JSC::Heap::zombifyDeadObjects):
3182         Removed references to DelayedReleaseScope and DelayedReleaseScope.h.
3183
3184         * heap/Heap.cpp:
3185         (JSC::Heap::Heap): Initialized m_delayedReleaseRecursionCount.
3186         (JSC::Heap::lastChanceToFinalize): Call releaseDelayedObjectsNow() as the VM is going away.
3187         (JSC::Heap::releaseDelayedReleasedObjects): New function that releases the accumulated
3188         delayed release objects.
3189
3190         * heap/Heap.h:
3191         (JSC::Heap::m_delayedReleaseObjects): List of objects to be released later.
3192         (JSC::Heap::m_delayedReleaseRecursionCount): Counter to indicate that
3193         releaseDelayedReleasedObjects is being called recursively.
3194         * heap/HeapInlines.h:
3195         (JSC::Heap::releaseSoon): Changed location of list to add delayed release objects.
3196         
3197         * runtime/JSLock.cpp:
3198         (JSC::JSLock::willReleaseLock):
3199         Call Heap::releaseDelayedObjectsNow() when releasing the lock.
3200
3201 2015-02-05  Youenn Fablet  <youenn.fablet@crf.canon.fr> and Xabier Rodriguez Calvar <calvaris@igalia.com>
3202
3203         [Streams API] Implement a barebone ReadableStream interface
3204         https://bugs.webkit.org/show_bug.cgi?id=141045
3205
3206         Reviewed by Benjamin Poulain.
3207
3208         * Configurations/FeatureDefines.xcconfig:
3209
3210 2015-02-05  Saam Barati  <saambarati1@gmail.com>
3211
3212         Crash in uninitialized deconstructing variable.
3213         https://bugs.webkit.org/show_bug.cgi?id=141070
3214
3215         Reviewed by Michael Saboff.
3216
3217         According to the ES6 spec, when a destructuring pattern occurs
3218         as the left hand side of an assignment inside a var declaration 
3219         statement, the assignment must also have a right hand side value.
3220         "var {x} = {};" is a legal syntactic statement, but,
3221         "var {x};" is a syntactic error.
3222
3223         Section 13.2.2 of the latest draft ES6 spec specifies this requirement:
3224         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-variable-statement
3225
3226         * parser/Parser.cpp:
3227         (JSC::Parser<LexerType>::parseVarDeclaration):
3228         (JSC::Parser<LexerType>::parseVarDeclarationList):
3229         (JSC::Parser<LexerType>::parseForStatement):
3230         * parser/Parser.h:
3231
3232 2015-02-04  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
3233
3234         Unreviewed, fix a build break on EFL port since r179648.
3235
3236         * heap/MachineStackMarker.cpp: EFL port doesn't use previousThread variable. 
3237         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3238
3239 2015-02-04  Joseph Pecoraro  <pecoraro@apple.com>
3240
3241         Web Inspector: ES6: Improved Console Support for Symbol Objects
3242         https://bugs.webkit.org/show_bug.cgi?id=141173
3243
3244         Reviewed by Timothy Hatcher.
3245
3246         * inspector/protocol/Runtime.json:
3247         New type, "symbol".
3248
3249         * inspector/InjectedScriptSource.js:
3250         Handle Symbol objects in a few places. They don't have properties
3251         and they cannot be implicitly converted to strings.
3252
3253 2015-02-04  Mark Lam  <mark.lam@apple.com>
3254
3255         Undo gardening: Restoring the expected ERROR message since that is not the cause of the bot unhappiness.
3256
3257         Not reviewed.
3258
3259         * heap/MachineStackMarker.cpp:
3260         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3261
3262 2015-02-04  Mark Lam  <mark.lam@apple.com>
3263
3264         Gardening: Changed expected ERROR message to WARNING to make test bots happy.
3265
3266         Rubber stamped by Simon Fraser.
3267
3268         * heap/MachineStackMarker.cpp:
3269         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3270
3271 2015-02-04  Mark Lam  <mark.lam@apple.com>
3272
3273         r179576 introduced a deadlock potential during GC thread suspension.
3274         <https://webkit.org/b/141268>
3275
3276         Reviewed by Michael Saboff.
3277
3278         http://trac.webkit.org/r179576 introduced a potential for deadlocking.
3279         In the GC thread suspension loop, we currently delete
3280         MachineThreads::Thread that we detect to be invalid.  This is unsafe
3281         because we may have already suspended some threads, and one of those
3282         suspended threads may still be holding the C heap lock which we need
3283         for deleting the invalid thread.
3284
3285         The fix is to put the invalid threads in a separate toBeDeleted list,
3286         and delete them only after GC has resumed all threads.
3287
3288         * heap/MachineStackMarker.cpp:
3289         (JSC::MachineThreads::removeCurrentThread):
3290         - Undo refactoring removeThreadWithLockAlreadyAcquired() out of
3291           removeCurrentThread() since it is no longer needed.
3292
3293         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3294         - Put invalid Threads on a threadsToBeDeleted list, and delete those
3295           Threads only after all threads have been resumed.
3296
3297         (JSC::MachineThreads::removeThreadWithLockAlreadyAcquired): Deleted.
3298         * heap/MachineStackMarker.h:
3299
3300 2015-02-04  Joseph Pecoraro  <pecoraro@apple.com>
3301
3302         Web Inspector: Clean up Object Property Descriptor Collection
3303         https://bugs.webkit.org/show_bug.cgi?id=141222
3304
3305         Reviewed by Timothy Hatcher.
3306
3307         * inspector/InjectedScriptSource.js:
3308         Use a list of options when determining which properties to collect
3309         instead of a few booleans with overlapping responsibilities.
3310
3311 2015-02-04  Joseph Pecoraro  <pecoraro@apple.com>
3312
3313         Web Inspector: console.table with columnName filter for non-existent property should still show column
3314         https://bugs.webkit.org/show_bug.cgi?id=141066
3315
3316         Reviewed by Timothy Hatcher.
3317
3318         * inspector/ConsoleMessage.cpp:
3319         (Inspector::ConsoleMessage::addToFrontend):
3320         When a user provides a second argument, e.g. console.table(..., columnNames),
3321         then pass that second argument to the frontend.
3322
3323         * inspector/InjectedScriptSource.js:
3324         Add a FIXME about the old, unused path now.
3325
3326 2015-02-04  Saam Barati  <saambarati1@gmail.com>
3327
3328         TypeSet can use 1 byte instead of 4 bytes for its m_seenTypes member variable
3329         https://bugs.webkit.org/show_bug.cgi?id=141204
3330
3331         Reviewed by Darin Adler.
3332
3333         There is no need to use 32 bits to store a TypeSet::RuntimeType set 
3334         bit-vector when the largest value for a single TypeSet::RuntimeType 
3335         is 0x80. 8 bits is enough to represent the set of seen types.
3336
3337         * dfg/DFGFixupPhase.cpp:
3338         (JSC::DFG::FixupPhase::fixupNode):
3339         * runtime/TypeSet.cpp:
3340         (JSC::TypeSet::doesTypeConformTo):
3341         * runtime/TypeSet.h:
3342         (JSC::TypeSet::seenTypes):
3343
3344 2015-02-04  Mark Lam  <mark.lam@apple.com>
3345
3346         Remove concept of makeUsableFromMultipleThreads().
3347         <https://webkit.org/b/141221>
3348
3349         Reviewed by Mark Hahnenberg.
3350