aa4ca5c2a1f0b58e146f337b026124b0befbb149
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-08-01  Carlos Alberto Lopez Perez  <clopez@igalia.com>

        REGRESSION(r171942): [CMAKE] [GTK] build broken (clean build).
        https://bugs.webkit.org/show_bug.cgi?id=135522

        Reviewed by Martin Robinson.

        * CMakeLists.txt: Output the inspector headers inside inspector
        subdirectory.

2014-08-01  Mark Lam  <mark.lam@apple.com>

        Add some structure related assertions.
        <https://webkit.org/b/135523>

        Reviewed by Geoffrey Garen.

        Adding 2 assertions:
        1. assert that we don't index past the end of the StructureIDTable.
           This should never happen, but this assertion will help catch bugs
           where a bad structureID gets passed in.
        2. assert that cells in MarkedBlock::callDestructor() that are not
           zapped should have a non-null StructureID.  This will help us catch
           bugs where the other cell header flag bits get set after the cell is
           zapped, thereby making the cell look like an unzapped cell but has a
           null structureID.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::callDestructor):
        * runtime/StructureIDTable.h:
        (JSC::StructureIDTable::get):

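The two assertions in the entry above, as an added illustration that is not JSC's code: a constructed StructureIDTable stand-in that refuses IDs past its end, and a constructed cell header whose invariant fails once flag bits are set after the cell was zapped. The table layout, the header layout and the sweep() helper are assumptions made for this example only.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Stand-in types with a constructed layout; JSC's real ones differ.
struct Structure { const char* className; };

using StructureID = uint32_t;

class StructureIDTable {
public:
    // Slot 0 is reserved so that a StructureID of 0 never names a live structure.
    StructureIDTable() : m_table(1, nullptr) { }

    StructureID allocate(Structure* structure)
    {
        m_table.push_back(structure);
        return static_cast<StructureID>(m_table.size() - 1);
    }

    // Assertion 1: a StructureID must index inside the table. A corrupted or
    // stale ID pointing past the end is a bug to catch, not a read to perform.
    bool isValid(StructureID id) const { return id != 0 && id < m_table.size(); }

    Structure* get(StructureID id) const
    {
        assert(isValid(id));
        return m_table[id];
    }

private:
    std::vector<Structure*> m_table;
};

// Cell header: StructureID in the low 32 bits, the other cell flag bits above it.
struct CellHeader {
    static constexpr uint64_t structureIDMask = 0xffffffffull;
    static constexpr unsigned flagsShift = 32;

    uint64_t bits = 0;

    StructureID structureID() const { return static_cast<StructureID>(bits & structureIDMask); }
    uint32_t flags() const { return static_cast<uint32_t>(bits >> flagsShift); }
    void setStructureID(StructureID id) { bits = (bits & ~structureIDMask) | id; }
    void setFlags(uint32_t flags) { bits = (bits & structureIDMask) | (uint64_t(flags) << flagsShift); }

    // Zapping clears the whole header: StructureID 0 and no flags.
    void zap() { bits = 0; }
    bool isZapped() const { return bits == 0; }
};

// Assertion 2: a cell that does not look zapped must carry a non-null
// StructureID. Flag bits set after a zap leave the header non-zero (the cell
// looks live) while the StructureID is still 0; this check flags that state.
bool headerInvariantHolds(const CellHeader& header)
{
    return header.isZapped() || header.structureID() != 0;
}

// callDestructor-style sweep: counts cells whose destructor would run, and
// cells violating either assertion instead of dereferencing a bad ID.
struct SweepResult { std::size_t destructed = 0; std::size_t violations = 0; };

SweepResult sweep(const std::vector<CellHeader>& cells, const StructureIDTable& table)
{
    SweepResult result;
    for (const CellHeader& header : cells) {
        if (header.isZapped())
            continue;
        if (!headerInvariantHolds(header) || !table.isValid(header.structureID())) {
            ++result.violations; // in JSC the assertion would fire here
            continue;
        }
        (void)table.get(header.structureID());
        ++result.destructed;
    }
    return result;
}

int main()
{
    StructureIDTable table;
    Structure object { "Object" };
    StructureID id = table.allocate(&object);

    CellHeader live;
    live.setStructureID(id);

    CellHeader zappedThenFlagged;
    zappedThenFlagged.setStructureID(id);
    zappedThenFlagged.zap();
    zappedThenFlagged.setFlags(0x1); // the bug assertion 2 is meant to catch

    SweepResult result = sweep({ live, zappedThenFlagged }, table);
    std::printf("destructed=%zu violations=%zu\n", result.destructed, result.violations);
    return 0;
}
```
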
2014-08-01  Csaba Osztrogonác  <ossy@webkit.org>

        URTBF after r171946 to fix non-Apple builds.

        * bytecode/InlineCallFrameSet.cpp:

2014-08-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        CodeBlock fails to visit the Executables of its InlineCallFrames
        https://bugs.webkit.org/show_bug.cgi?id=135471

        Reviewed by Geoffrey Garen.

        CodeBlock needs to visit its InlineCallFrames' owner Executables. If it doesn't, they
        can be prematurely collected and cause crashes.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::stronglyVisitStrongReferences):
        * bytecode/CodeOrigin.h:
        (JSC::InlineCallFrame::visitAggregate):
        * bytecode/InlineCallFrameSet.cpp:
        (JSC::InlineCallFrameSet::visitAggregate):
        * bytecode/InlineCallFrameSet.h:

2014-08-01  Alex Christensen  <achristensen@webkit.org>

        Progress towards cmake on Windows.
        https://bugs.webkit.org/show_bug.cgi?id=135484

        Reviewed by Martin Robinson.

        * CMakeLists.txt:
        Generate code directly to inspector directory to avoid using the cp command
        which is not available on Windows.
        * PlatformWin.cmake: Added.

2014-07-31  Andreas Kling  <akling@apple.com>

        Remove the JSC::OverridesVisitChildren flag.
        <https://webkit.org/b/135489>

        Except for 3 special classes, the visitChildren() call is always
        dispatched through the method table (see SlotVisitor.cpp.)

        The OverridesVisitChildren flag doesn't actually do anything.
        It could be used to implement a non-virtual direct call to
        JSCell::visitChildren, bypassing the method table for some objects,
        but such a micro-optimization seems like a weak trade for all this
        code complexity. Instead, just remove the flag.

        This change frees up an inline flag bit in JSCell.

        Reviewed by Geoffrey Garen.

        * API/JSAPIWrapperObject.h:
        * API/JSAPIWrapperObject.mm:
        (JSC::JSAPIWrapperObject::visitChildren):
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::visitChildren):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::visitChildren):
        (JSC::UnlinkedCodeBlock::visitChildren):
        (JSC::UnlinkedProgramCodeBlock::visitChildren):
        * bytecode/UnlinkedCodeBlock.h:
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::visitChildren):
        * debugger/DebuggerScope.h:
        * jsc.cpp:
        * runtime/Arguments.cpp:
        (JSC::Arguments::visitChildren):
        * runtime/Arguments.h:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::visitChildren):
        (JSC::ProgramExecutable::visitChildren):
        (JSC::FunctionExecutable::visitChildren):
        * runtime/Executable.h:
        * runtime/GetterSetter.cpp:
        (JSC::GetterSetter::visitChildren):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::createStructure):
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::createStructure):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::visitChildren):
        * runtime/JSActivation.h:
        * runtime/JSArrayIterator.cpp:
        (JSC::JSArrayIterator::visitChildren):
        * runtime/JSArrayIterator.h:
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::visitChildren):
        * runtime/JSBoundFunction.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::setStructure):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::visitChildren):
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        * runtime/JSMap.h:
        * runtime/JSMapIterator.cpp:
        (JSC::JSMapIterator::visitChildren):
        * runtime/JSMapIterator.h:
        * runtime/JSNameScope.cpp:
        (JSC::JSNameScope::visitChildren):
        * runtime/JSNameScope.h:
        * runtime/JSPromise.cpp:
        (JSC::JSPromise::visitChildren):
        * runtime/JSPromise.h:
        * runtime/JSPromiseDeferred.cpp:
        (JSC::JSPromiseDeferred::visitChildren):
        * runtime/JSPromiseDeferred.h:
        * runtime/JSPromiseReaction.cpp:
        (JSC::JSPromiseReaction::visitChildren):
        * runtime/JSPromiseReaction.h:
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::visitChildren):
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::visitChildren):
        * runtime/JSProxy.h:
        * runtime/JSScope.cpp:
        (JSC::JSScope::visitChildren):
        * runtime/JSScope.h:
        * runtime/JSSegmentedVariableObject.cpp:
        (JSC::JSSegmentedVariableObject::visitChildren):
        * runtime/JSSegmentedVariableObject.h:
        * runtime/JSSet.h:
        * runtime/JSSetIterator.cpp:
        (JSC::JSSetIterator::visitChildren):
        * runtime/JSSetIterator.h:
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::visitChildren):
        * runtime/JSSymbolTableObject.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::overridesVisitChildren): Deleted.
        * runtime/JSWeakMap.h:
        * runtime/JSWithScope.cpp:
        (JSC::JSWithScope::visitChildren):
        * runtime/JSWithScope.h:
        * runtime/JSWrapperObject.cpp:
        (JSC::JSWrapperObject::visitChildren):
        * runtime/JSWrapperObject.h:
        * runtime/MapData.h:
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::visitChildren):
        * runtime/NativeErrorConstructor.h:
        * runtime/PropertyMapHashTable.h:
        * runtime/PropertyTable.cpp:
        (JSC::PropertyTable::visitChildren):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::visitChildren):
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.cpp:
        (JSC::RegExpMatchesArray::visitChildren):
        * runtime/RegExpMatchesArray.h:
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::visitChildren):
        * runtime/RegExpObject.h:
        * runtime/SparseArrayValueMap.h:
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::visitChildren):
        * runtime/StructureChain.cpp:
        (JSC::StructureChain::visitChildren):
        * runtime/StructureChain.h:
        * runtime/StructureRareData.cpp:
        (JSC::StructureRareData::visitChildren):
        * runtime/StructureRareData.h:
        * runtime/WeakMapData.h:

2014-07-31  Mark Lam  <mark.lam@apple.com>

        JSCell::classInfo() belongs in JSCellInlines.h.
        <https://webkit.org/b/135475>

        Reviewed by Mark Hahnenberg.

        * runtime/JSCellInlines.h:
        (JSC::JSCell::classInfo):
        * runtime/JSDestructibleObject.h:
        (JSC::JSCell::classInfo): Deleted.

2014-07-31  Tanay C  <tanay.c@samsung.com>

        Build warning in webkit/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
        https://bugs.webkit.org/show_bug.cgi?id=135414

        Reviewed by Csaba Osztrogonác.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::putToScopeCommon): Removed unused parameter from function definition.

2014-07-30  Filip Pizlo  <fpizlo@apple.com>

        NewFunctionExpression and NewFunctionNoCheck should setHaveStructures(true)
        https://bugs.webkit.org/show_bug.cgi?id=135430

        Reviewed by Mark Hahnenberg.

        We already handled this correctly after the ftlopt merge, but it's useful to have the test.

        * tests/stress/new-function-expression-has-structures.js: Added.
        (foo.f):
        (foo.f.prototype.f):
        (foo):

2014-07-30  Andreas Kling  <akling@apple.com>

        Speculative Windows build fix.

        Try to dllimport the dllexported global object HashTable.

        * jsc.cpp:
        * testRegExp.cpp:

2014-07-30  Andreas Kling  <akling@apple.com>

        PropertyName's internal string is always atomic.
        <https://webkit.org/b/135451>

        Now that we've merged the JSC::Identifier and WTF::AtomicString tables,
        we know that any string that's an Identifier is guaranteed to be atomic.

        A PropertyName can be either an Identifier or a PrivateName, and the
        private names are also guaranteed to be atomic internally.

        Make PropertyName vend AtomicStringImpl* instead of StringImpl*.

        Reviewed by Benjamin Poulain.

        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):
        (JSC::PropertyName::uid):
        (JSC::PropertyName::publicName):

2014-07-30  Andy Estes  <aestes@apple.com>

        USE(CONTENT_FILTERING) should be ENABLE(CONTENT_FILTERING)
        https://bugs.webkit.org/show_bug.cgi?id=135439

        Reviewed by Tim Horton.

        We now support two different platform content filters, and will soon support a mock content filter (as part of
        webkit.org/b/128858). This makes content filtering a feature of WebKit, not just an adoption of a third-party
        library. ENABLE() is the correct macro to use for such a feature.

        * Configurations/FeatureDefines.xcconfig:

2014-07-30  Andreas Kling  <akling@apple.com>

        Static hash tables no longer need to be coupled with a VM.
        <https://webkit.org/b/135421>

        Now that the static hash tables are using char** instead of StringImpl**,
        it's no longer necessary to make them per-VM.

        This patch removes the hook in ClassInfo for providing your own static
        hash table getter. Everyone now uses ClassInfo::staticPropHashTable.
        Most of this patch is tweaking ClassInfo construction sites to pass one
        less null pointer.

        Also simplified Lookup.h to stop requiring ExecState/VM to access the
        static hash tables.

        Reviewed by Geoffrey Garen.

        * API/JSAPIWrapperObject.mm:
        * API/JSCallbackConstructor.cpp:
        * API/JSCallbackFunction.cpp:
        * API/JSCallbackObject.cpp:
        * API/ObjCCallbackFunction.mm:
        * bytecode/UnlinkedCodeBlock.cpp:
        * create_hash_table:
        * debugger/DebuggerScope.cpp:
        * inspector/JSInjectedScriptHost.cpp:
        * inspector/JSInjectedScriptHostPrototype.cpp:
        * inspector/JSJavaScriptCallFrame.cpp:
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        * interpreter/CallFrame.h:
        (JSC::ExecState::arrayConstructorTable): Deleted.
        (JSC::ExecState::arrayPrototypeTable): Deleted.
        (JSC::ExecState::booleanPrototypeTable): Deleted.
        (JSC::ExecState::dataViewTable): Deleted.
        (JSC::ExecState::dateTable): Deleted.
        (JSC::ExecState::dateConstructorTable): Deleted.
        (JSC::ExecState::errorPrototypeTable): Deleted.
        (JSC::ExecState::globalObjectTable): Deleted.
        (JSC::ExecState::jsonTable): Deleted.
        (JSC::ExecState::numberConstructorTable): Deleted.
        (JSC::ExecState::numberPrototypeTable): Deleted.
        (JSC::ExecState::objectConstructorTable): Deleted.
        (JSC::ExecState::privateNamePrototypeTable): Deleted.
        (JSC::ExecState::regExpTable): Deleted.
        (JSC::ExecState::regExpConstructorTable): Deleted.
        (JSC::ExecState::regExpPrototypeTable): Deleted.
        (JSC::ExecState::stringConstructorTable): Deleted.
        (JSC::ExecState::promisePrototypeTable): Deleted.
        (JSC::ExecState::promiseConstructorTable): Deleted.
        * jsc.cpp:
        * parser/Lexer.h:
        (JSC::Keywords::isKeyword):
        (JSC::Keywords::getKeyword):
        * runtime/Arguments.cpp:
        * runtime/ArgumentsIteratorConstructor.cpp:
        * runtime/ArgumentsIteratorPrototype.cpp:
        * runtime/ArrayBufferNeuteringWatchpoint.cpp:
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::getOwnPropertySlot):
        * runtime/ArrayIteratorConstructor.cpp:
        * runtime/ArrayIteratorPrototype.cpp:
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::getOwnPropertySlot):
        * runtime/BooleanConstructor.cpp:
        * runtime/BooleanObject.cpp:
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::getOwnPropertySlot):
        * runtime/ClassInfo.h:
        (JSC::ClassInfo::hasStaticProperties):
        (JSC::ClassInfo::propHashTable): Deleted.
        * runtime/ConsolePrototype.cpp:
        * runtime/CustomGetterSetter.cpp:
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::getOwnPropertySlot):
        * runtime/DateInstance.cpp:
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::getOwnPropertySlot):
        * runtime/Error.cpp:
        * runtime/ErrorConstructor.cpp:
        * runtime/ErrorInstance.cpp:
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::getOwnPropertySlot):
        * runtime/ExceptionHelpers.cpp:
        * runtime/Executable.cpp:
        * runtime/FunctionConstructor.cpp:
        * runtime/FunctionPrototype.cpp:
        * runtime/GetterSetter.cpp:
        * runtime/InternalFunction.cpp:
        * runtime/JSAPIValueWrapper.cpp:
        * runtime/JSActivation.cpp:
        * runtime/JSArgumentsIterator.cpp:
        * runtime/JSArray.cpp:
        * runtime/JSArrayBuffer.cpp:
        * runtime/JSArrayBufferConstructor.cpp:
        * runtime/JSArrayBufferPrototype.cpp:
        * runtime/JSArrayBufferView.cpp:
        * runtime/JSArrayIterator.cpp:
        * runtime/JSBoundFunction.cpp:
        * runtime/JSConsole.cpp:
        * runtime/JSDataView.cpp:
        * runtime/JSDataViewPrototype.cpp:
        (JSC::JSDataViewPrototype::getOwnPropertySlot):
        * runtime/JSFunction.cpp:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::getOwnPropertySlot):
        * runtime/JSMap.cpp:
        * runtime/JSMapIterator.cpp:
        * runtime/JSNameScope.cpp:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::getOwnPropertySlot):
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::findPropertyHashEntry):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        * runtime/JSObject.h:
        * runtime/JSPromise.cpp:
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::getOwnPropertySlot):
        * runtime/JSPromiseDeferred.cpp:
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototype::getOwnPropertySlot):
        * runtime/JSPromiseReaction.cpp:
        * runtime/JSPropertyNameIterator.cpp:
        * runtime/JSProxy.cpp:
        * runtime/JSSet.cpp:
        * runtime/JSSetIterator.cpp:
        * runtime/JSString.cpp:
        * runtime/JSTypedArrayConstructors.cpp:
        * runtime/JSTypedArrayPrototypes.cpp:
        * runtime/JSTypedArrays.cpp:
        * runtime/JSVariableObject.cpp:
        * runtime/JSWeakMap.cpp:
        * runtime/JSWithScope.cpp:
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):
        * runtime/Lookup.h:
        (JSC::HashTable::initializeIfNeeded):
        (JSC::HashTable::entry):
        (JSC::HashTable::begin):
        (JSC::HashTable::end):
        (JSC::getStaticPropertySlot):
        (JSC::getStaticFunctionSlot):
        (JSC::getStaticValueSlot):
        (JSC::lookupPut):
        * runtime/MapConstructor.cpp:
        * runtime/MapData.cpp:
        * runtime/MapIteratorConstructor.cpp:
        * runtime/MapIteratorPrototype.cpp:
        * runtime/MapPrototype.cpp:
        * runtime/MathObject.cpp:
        * runtime/NameConstructor.cpp:
        * runtime/NameInstance.cpp:
        * runtime/NamePrototype.cpp:
        (JSC::NamePrototype::getOwnPropertySlot):
        * runtime/NativeErrorConstructor.cpp:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getOwnPropertySlot):
        * runtime/NumberObject.cpp:
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::getOwnPropertySlot):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::getOwnPropertySlot):
        * runtime/ObjectPrototype.cpp:
        * runtime/PropertyTable.cpp:
        * runtime/RegExp.cpp:
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getOwnPropertySlot):
        * runtime/RegExpMatchesArray.cpp:
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnPropertySlot):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::getOwnPropertySlot):
        * runtime/SetConstructor.cpp:
        * runtime/SetIteratorConstructor.cpp:
        * runtime/SetIteratorPrototype.cpp:
        * runtime/SetPrototype.cpp:
        * runtime/SparseArrayValueMap.cpp:
        * runtime/StrictEvalActivation.cpp:
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::getOwnPropertySlot):
        * runtime/StringObject.cpp:
        * runtime/StringPrototype.cpp:
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::freezeTransition):
        (JSC::ClassInfo::hasStaticSetterOrReadonlyProperties):
        * runtime/StructureChain.cpp:
        * runtime/StructureRareData.cpp:
        * runtime/SymbolTable.cpp:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:
        * runtime/WeakMapConstructor.cpp:
        * runtime/WeakMapData.cpp:
        * runtime/WeakMapPrototype.cpp:
        * testRegExp.cpp:

2014-07-29  Brent Fulgham  <bfulgham@apple.com>

        [Win] Modify version numbering scheme to support 5-tuple versions
        https://bugs.webkit.org/show_bug.cgi?id=135400
        <rdar://problem/17849033>

        Reviewed by David Kilzer.

        * JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd: Use the
        new version-stamp.pl script to version JavaScriptCore.dll.

2014-07-29  Daniel Bates  <dabates@apple.com>

        Use WTF::move() instead of std::move() to help ensure move semantics
        https://bugs.webkit.org/show_bug.cgi?id=135351

        Reviewed by Alexey Proskuryakov.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfo):
        * bytecode/GetByIdVariant.cpp:
        (JSC::GetByIdVariant::GetByIdVariant):

2014-07-28  Tamas Gergely  <tgergely.u-szeged@partner.samsung.com>

        BuildFix: JavaScriptCore/bytecode/StructureSet.h:262:77: warning.
        https://bugs.webkit.org/show_bug.cgi?id=135287

        Reviewed by Darin Adler.

        The set() method tries to use a part of the old value (the reservedFlag bit) which
        was not defined when the constructor is called. Initialize m_pointer to 0 explicitly.

        * bytecode/StructureSet.h:
        (JSC::StructureSet::StructureSet):

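The pattern the StructureSet entry above describes, as an added illustration that is not JSC's StructureSet: a tagged pointer whose set() does a read-modify-write on a reserved flag bit, so the constructor must give m_pointer a defined value before any set() runs. The class, its flag layout and the flagSurvivesSet() helper are constructed for this example.

```cpp
#include <cassert>
#include <cstdint>

// Constructed stand-in for the pattern in the entry, not JSC's StructureSet.
struct Structure {
    int id;
};

class TaggedStructurePointer {
public:
    // The low bit of m_pointer is a flag reserved for a client of the set; a
    // Structure is at least 2-byte aligned, so that bit is free in real pointers.
    static constexpr uintptr_t reservedFlag = 1;

    // The fix: m_pointer gets a defined value before any set() runs. Without
    // this initializer the first set() reads an indeterminate m_pointer and
    // can carry a stray flag bit into the new value.
    TaggedStructurePointer() : m_pointer(0) { }
    explicit TaggedStructurePointer(Structure* structure) : m_pointer(0) { set(structure); }

    // Read-modify-write: replace the pointer bits, keep the current flag bit.
    void set(Structure* structure)
    {
        uintptr_t bits = reinterpret_cast<uintptr_t>(structure);
        assert(!(bits & reservedFlag)); // alignment guarantees the flag bit is clear
        m_pointer = bits | (m_pointer & reservedFlag);
    }

    Structure* pointer() const { return reinterpret_cast<Structure*>(m_pointer & ~reservedFlag); }
    bool hasReservedFlag() const { return (m_pointer & reservedFlag) != 0; }
    void setReservedFlag(bool on)
    {
        if (on)
            m_pointer |= reservedFlag;
        else
            m_pointer &= ~reservedFlag;
    }

private:
    uintptr_t m_pointer;
};

// The flag and the pointer stay independent across set(): the flag set on the
// old value must survive, and only the pointer bits may change. An
// uninitialized m_pointer would break exactly this on the first set().
bool flagSurvivesSet(Structure* a, Structure* b)
{
    TaggedStructurePointer p(a);
    p.setReservedFlag(true);
    p.set(b);
    return p.pointer() == b && p.hasReservedFlag();
}
```
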
2014-07-28  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] JIT::assertStackPointerOffset() crashes on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=135316

        Reviewed by Geoffrey Garen.

        JIT::assertStackPointerOffset() does a compare between an arbitrary register
        and the stack pointer. This was not supported by the ARM64 assembler.

        There is no variation that can take a stack pointer for Xd. There is one version of subs
        that can take a stack pointer, but only for the Xn: the shift+extend one.
        To solve the problem, I changed cmp to swap the registers if necessary, and I fixed
        the implementation of sub.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::sub):
        In the generic sub(reg, reg), I added assertions to catch the condition that cannot be generated
        with either version of sub.

        In sub(with shift), I remove the weird special case for SP. First, it was quite misleading because
        the Rd case only works if "setflag == false". The other confusing part is going to addSubtractShiftedRegister()
        gives you a reduced shift range, which could create subtle bugs that only appear when SP is used.

        Since I removed the weird case, I need to differentiate between the sub() that supports SP, and the one that does
        not elsewhere. That is why that branch has moved to the generic sub(reg, reg). Since at that point we know
        the shift value must be zero, it is safe to call either variant.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::branch64):
        With the changes described above, we can now use SP for the left register. What do we do if the rightmost
        register is SP?

        For the case of JIT::assertStackPointerOffset(), the comparison is Equal so the order really does not matter,
        we just switch the registers before generating the instruction.

        For the generic case, just move the value of SP to a GPR before doing the CMP.

2014-07-28  Brian J. Burg  <burg@cs.washington.edu>

        Unreviewed build fix after r171682.

        * replay/EncodedValue.h: Don't mark the inlined Vector<char> specialization
        as an exported symbol.

2014-07-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        REGRESSION: JSObjectSetPrototype() does not work on result of JSGetGlobalObject()
        https://bugs.webkit.org/show_bug.cgi?id=135322

        Reviewed by Oliver Hunt.

        The prototype chain of the JSProxy object should match that of the JSGlobalObject.

        This is a separate but related issue with JSObjectSetPrototype which doesn't correctly
        account for JSProxies. I also audited the rest of the C API to check that we correctly
        handle JSProxies in all other situations where we expect a JSCallbackObject of some sort
        and found some SPI calls (JSObject*PrivateProperty) that didn't behave correctly when
        passed a JSProxy.

        I also added some new tests for these cases.

        * API/JSObjectRef.cpp:
        (JSObjectSetPrototype):
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        * API/JSWeakObjectMapRefPrivate.cpp:
        * API/tests/CustomGlobalObjectClassTest.c:
        (globalObjectSetPrototypeTest):
        (globalObjectPrivatePropertyTest):
        * API/tests/CustomGlobalObjectClassTest.h:
        * API/tests/testapi.c:
        (main):

2014-07-28  Filip Pizlo  <fpizlo@apple.com>

        Make sure that we don't use non-speculative BooleanToNumber for a speculative Branch
        https://bugs.webkit.org/show_bug.cgi?id=135350
        <rdar://problem/17509889>

        Reviewed by Mark Hahnenberg and Oliver Hunt.

        If we have an exiting node that uses a conversion node, then that exiting node
        needs to have a Phantom after it for the original node. But we can't do that
        for Branch because https://bugs.webkit.org/show_bug.cgi?id=126778.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
        * tests/stress/branch-check-int32-on-boolean-to-number-untyped.js: Added.
        (foo):
        (test):
        * tests/stress/branch-check-number-on-boolean-to-number-untyped.js: Added.
        (foo):
        (test):

2014-07-28  Joseph Pecoraro  <pecoraro@apple.com>

        JSContext Inspector: crash when using step-into
        https://bugs.webkit.org/show_bug.cgi?id=135345

        Reviewed by Timothy Hatcher.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::stepInto):
        Null check m_listener since it may not be set.

2014-07-28  Brian J. Burg  <burg@cs.washington.edu>

        Web Replay: auto-decoding of parameterized vector's elements is incorrect
        https://bugs.webkit.org/show_bug.cgi?id=135343

        Reviewed by Timothy Hatcher.

        Fix an incorrect type argument in EncodingTraits<Vector<T>>::encodeValue
        that was using the element's decoded type as the type parameter to
        EncodedValue::append<T>. It should instead be the raw type T. This
        causes problems when encoding Vector<RefPtr<T>>, as it later tries to
        use encoding traits for RefPtr<T> rather than for T.

        Fix incorrect generated encoding traits argument for vectors of
        RefCounted objects. Updated test to cover this scenario.

        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Type.encoding_type_argument):
        (VectorType.type_name):
        (VectorType):
        (VectorType.encoding_type_argument):
        (Generator.generate_input_encode_implementation):
        (Generator.generate_input_decode_implementation):
        * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp:
        * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
        * replay/scripts/tests/generate-input-with-vector-members.json: Updated.

2014-07-28  Brian J. Burg  <burg@cs.washington.edu>

        Web Replay: incorrect serialization code generated for enum classes inside class scope
        https://bugs.webkit.org/show_bug.cgi?id=135342

        Reviewed by Timothy Hatcher.

        If an enum class is defined inside of a class scope, then the enum class
        cannot be forward-declared and the relevant header should be included.
        Some generated code used incorrectly-scoped enum values in this situation.

        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Generator.generate_includes.declaration.is):
        (Generator.generate_enum_trait_implementation.is):
        (Generator.generate_enum_trait_implementation):

        Tests:

        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Rebaselined.
        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Rebaselined.
        * replay/scripts/tests/generate-enums-with-same-base-name.json: Add enum
        class types to this test case.

2014-07-28  Brian J. Burg  <burg@cs.washington.edu>

        Web Replay: vectors of characters should be base64-encoded
        https://bugs.webkit.org/show_bug.cgi?id=135341

        Reviewed by Timothy Hatcher.

        Without this specialization, encode/decode methods try to create an
        array of single characters in JSON, rather than treating the
        vector as a binary blob.

        * replay/EncodedValue.cpp:
        (JSC::EncodingTraits<Vector<char>>::encodeValue): Added.
        (JSC::EncodingTraits<Vector<char>>::decodeValue): Added.
        * replay/EncodedValue.h:

2014-07-28  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed build fix.

        * JavaScriptCore.vcxproj/JavaScriptCore.proj: Switch from the 'Rebuild' target for MSBuild
        builds to the 'Build' target to avoid a spurious 'clean' in between build steps.

2014-07-27  Ryuan Choi  <ryuan.choi@samsung.com>

        Unreviewed build fix on the EFL port

        Build break because of -Werror=return-type

        * bytecode/PutByIdVariant.cpp:
        (JSC::PutByIdVariant::oldStructureForTransition):
        * dfg/DFGValueStrength.h:
        (JSC::DFG::merge):

2014-07-27  Filip Pizlo  <fpizlo@apple.com>

        [REGRESSION][ftlopt merge][32-bit] stress/prune-multi-put-by-offset-replace-or-transition-variant.js.dfg-eager hits an assertion in SpeculativeJIT::silentSavePlanForGPR
        https://bugs.webkit.org/show_bug.cgi?id=135323

        Reviewed by Oliver Hunt.

        SpeculativeJIT::silentSavePlanForGPR likes to believe that if a node is a constant,
        then it's a constant that can be represented using that node's current DataFormat.
        This doesn't work if the constant had been filled as a JSValue, and then one of the
        fillSpeculateBlah() methods had speculated that it's of some type that the constant
        isn't. Unless fillSpeculateBlah() specifically defends against this case, we'll have
        a constant that claims to have a contradictory data format.

        This patch fixes such a bug in the 32-bit fillSpeculateCell(). The 64-bit
        fillSpeculateCell() appears to not have this bug, but I added a similar defense
        mechanism anyway just in case, since this is one of those mistakes that keeps
        reappearing.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):

2014-07-27  Filip Pizlo  <fpizlo@apple.com>

        Merge r170090, r170092, r170129, r170141, r170161, r170215, r170275, r170375, r170376, r170382, r170383, r170399, r170436, r170489, r170490, r170556 from ftlopt.

        This fixes the previous mismerge and adds test coverage for the thing that went wrong.

        Additional changes listed here:

        * jsc.cpp:
        (functionHasCustomProperties): Expose a way of checking hasCustomProperties(), which the DOM relies on. The regression I previously introduced was because this didn't work right. Now we can test it!
        * runtime/Structure.cpp:
        (JSC::Structure::Structure): This was supposed to be setDidTransition(true); the last merge had it set to false.
        * tests/stress/has-custom-properties.js: Added. This test failed with the mismerge.

    2014-06-27  Michael Saboff  <msaboff@apple.com>

            Unreviewed build fix after r169795.

            Fixed ASSERT for 32 bit build.

            * dfg/DFGSpeculativeJIT.cpp:
            (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):

    2014-06-24  Saam Barati  <sbarati@apple.com>

            Web Inspector: debugger should be able to show variable types
            https://bugs.webkit.org/show_bug.cgi?id=133395
765     
766             Reviewed by Filip Pizlo.
767     
768             Increase the amount of type information the VM gathers when directed
769             to do so. This initial commit is working towards the goal of
770             capturing, and then showing (via the Web Inspector) type information for all
771             assignment and load operations. This patch doesn't have the feature fully 
772             implemented, but it ensures the VM has no performance regressions
773             unless the feature is specifically turned on.
774     
775             * JavaScriptCore.xcodeproj/project.pbxproj:
776             * bytecode/BytecodeList.json:
777             * bytecode/BytecodeUseDef.h:
778             (JSC::computeUsesForBytecodeOffset):
779             (JSC::computeDefsForBytecodeOffset):
780             * bytecode/CodeBlock.cpp:
781             (JSC::CodeBlock::dumpBytecode):
782             (JSC::CodeBlock::CodeBlock):
783             (JSC::CodeBlock::finalizeUnconditionally):
784             * bytecode/CodeBlock.h:
785             * bytecode/Instruction.h:
786             * bytecode/TypeLocation.h: Added.
787             (JSC::TypeLocation::TypeLocation):
788             * bytecompiler/BytecodeGenerator.cpp:
789             (JSC::BytecodeGenerator::emitMove):
790             (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
791             (JSC::BytecodeGenerator::emitPutToScope):
792             (JSC::BytecodeGenerator::emitPutById):
793             (JSC::BytecodeGenerator::emitPutByVal):
794             * bytecompiler/BytecodeGenerator.h:
795             (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity):
796             * bytecompiler/NodesCodegen.cpp:
797             (JSC::PostfixNode::emitResolve):
798             (JSC::PrefixNode::emitResolve):
799             (JSC::ReadModifyResolveNode::emitBytecode):
800             (JSC::AssignResolveNode::emitBytecode):
801             (JSC::ConstDeclNode::emitCodeSingle):
802             (JSC::ForInNode::emitBytecode):
803             * heap/Heap.cpp:
804             (JSC::Heap::collect):
805             * inspector/agents/InspectorRuntimeAgent.cpp:
806             (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange):
807             * inspector/agents/InspectorRuntimeAgent.h:
808             * inspector/protocol/Runtime.json:
809             * jsc.cpp:
810             (GlobalObject::finishCreation):
811             (functionDumpTypesForAllVariables):
812             * llint/LLIntSlowPaths.cpp:
813             (JSC::LLInt::LLINT_SLOW_PATH_DECL):
814             (JSC::LLInt::putToScopeCommon):
815             * llint/LLIntSlowPaths.h:
816             * llint/LowLevelInterpreter.asm:
817             * runtime/HighFidelityLog.cpp: Added.
818             (JSC::HighFidelityLog::initializeHighFidelityLog):
819             (JSC::HighFidelityLog::~HighFidelityLog):
820             (JSC::HighFidelityLog::recordTypeInformationForLocation):
821             (JSC::HighFidelityLog::processHighFidelityLog):
822             (JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
823             * runtime/HighFidelityLog.h: Added.
824             (JSC::HighFidelityLog::HighFidelityLog):
825             * runtime/HighFidelityTypeProfiler.cpp: Added.
826             (JSC::HighFidelityTypeProfiler::getTypesForVariableInRange):
827             (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange):
828             (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange):
829             (JSC::HighFidelityTypeProfiler::insertNewLocation):
830             (JSC::HighFidelityTypeProfiler::getLocationBasedHash):
831             * runtime/HighFidelityTypeProfiler.h: Added.
832             * runtime/Options.h:
833             * runtime/Structure.cpp:
834             (JSC::Structure::toStructureShape):
835             * runtime/Structure.h:
836             * runtime/SymbolTable.cpp:
837             (JSC::SymbolTable::SymbolTable):
838             (JSC::SymbolTable::cloneCapturedNames):
839             (JSC::SymbolTable::uniqueIDForVariable):
840             (JSC::SymbolTable::uniqueIDForRegister):
841             (JSC::SymbolTable::globalTypeSetForRegister):
842             (JSC::SymbolTable::globalTypeSetForVariable):
843             * runtime/SymbolTable.h:
844             (JSC::SymbolTable::add):
845             (JSC::SymbolTable::set):
846             * runtime/TypeSet.cpp: Added.
847             (JSC::TypeSet::TypeSet):
848             (JSC::TypeSet::getRuntimeTypeForValue):
849             (JSC::TypeSet::addTypeForValue):
850             (JSC::TypeSet::removeDuplicatesInStructureHistory):
851             (JSC::TypeSet::seenTypes):
852             (JSC::TypeSet::dumpSeenTypes):
853             (JSC::StructureShape::StructureShape):
854             (JSC::StructureShape::markAsFinal):
855             (JSC::StructureShape::addProperty):
856             (JSC::StructureShape::propertyHash):
857             (JSC::StructureShape::leastUpperBound):
858             (JSC::StructureShape::stringRepresentation):
859             * runtime/TypeSet.h: Added.
860             (JSC::StructureShape::create):
861             (JSC::TypeSet::create):
862             * runtime/VM.cpp:
863             (JSC::VM::VM):
864             (JSC::VM::getTypesForVariableInRange):
865             (JSC::VM::updateHighFidelityTypeProfileState):
866             (JSC::VM::dumpHighFidelityProfilingTypes):
867             * runtime/VM.h:
868             (JSC::VM::isProfilingTypesWithHighFidelity):
869             (JSC::VM::highFidelityLog):
870             (JSC::VM::highFidelityTypeProfiler):
871             (JSC::VM::nextLocation):
872             (JSC::VM::getNextUniqueVariableID):
873     
874     2014-06-26  Mark Lam  <mark.lam@apple.com>
875     
876             Remove unused instantiation of the WithScope structure.
877             <https://webkit.org/b/134331>
878     
879             Reviewed by Oliver Hunt.
880     
881             The WithScope structure instance in the VM is unused, and is now removed.
882     
883             * runtime/VM.cpp:
884             (JSC::VM::VM):
885             * runtime/VM.h:
886     
887     2014-06-25  Mark Hahnenberg  <mhahnenberg@apple.com>
888     
889             Structure bit fields should have a consistent format
890             https://bugs.webkit.org/show_bug.cgi?id=134307
891     
892             Reviewed by Filip Pizlo.
893     
894             Currently we use C-style bit fields for a number of member variables in Structure to save space. 
895             This makes it difficult to load these fields in the JIT. We should instead use our own bitfield 
896             format to make it easy to load and test these variables in JIT code.
897     
898             * runtime/JSObject.cpp:
899             (JSC::JSObject::putDirectNonIndexAccessor):
900             (JSC::JSObject::reifyStaticFunctionsForDelete):
901             * runtime/Structure.cpp:
902             (JSC::StructureTransitionTable::contains):
903             (JSC::StructureTransitionTable::get):
904             (JSC::StructureTransitionTable::add):
905             (JSC::Structure::Structure):
906             (JSC::Structure::materializePropertyMap):
907             (JSC::Structure::addPropertyTransition):
908             (JSC::Structure::despecifyFunctionTransition):
909             (JSC::Structure::toDictionaryTransition):
910             (JSC::Structure::freezeTransition):
911             (JSC::Structure::preventExtensionsTransition):
912             (JSC::Structure::takePropertyTableOrCloneIfPinned):
913             (JSC::Structure::nonPropertyTransition):
914             (JSC::Structure::flattenDictionaryStructure):
915             (JSC::Structure::addPropertyWithoutTransition):
916             (JSC::Structure::pin):
917             (JSC::Structure::allocateRareData):
918             (JSC::Structure::cloneRareDataFrom):
919             (JSC::Structure::getConcurrently):
920             (JSC::Structure::putSpecificValue):
921             (JSC::Structure::getPropertyNamesFromStructure):
922             (JSC::Structure::visitChildren):
923             (JSC::Structure::checkConsistency):
924             * runtime/Structure.h:
925             (JSC::Structure::isExtensible):
926             (JSC::Structure::isDictionary):
927             (JSC::Structure::isUncacheableDictionary):
928             (JSC::Structure::propertyAccessesAreCacheable):
929             (JSC::Structure::previousID):
930             (JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck):
931             (JSC::Structure::setContainsReadOnlyProperties):
932             (JSC::Structure::disableSpecificFunctionTracking):
933             (JSC::Structure::objectToStringValue):
934             (JSC::Structure::setObjectToStringValue):
935             (JSC::Structure::setPreviousID):
936             (JSC::Structure::clearPreviousID):
937             (JSC::Structure::previous):
938             (JSC::Structure::rareData):
939             (JSC::Structure::didTransition): Deleted.
940             (JSC::Structure::hasGetterSetterProperties): Deleted.
941             (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto): Deleted.
942             (JSC::Structure::setHasGetterSetterProperties): Deleted.
943             (JSC::Structure::hasNonEnumerableProperties): Deleted.
944             (JSC::Structure::staticFunctionsReified): Deleted.
945             (JSC::Structure::setStaticFunctionsReified): Deleted.
946             * runtime/StructureInlines.h:
947             (JSC::Structure::setEnumerationCache):
948             (JSC::Structure::enumerationCache):
949             (JSC::Structure::checkOffsetConsistency):
950     
951     2014-06-24  Mark Lam  <mark.lam@apple.com>
952     
953             [ftlopt] Renamed DebuggerActivation to DebuggerScope.
954             <https://webkit.org/b/134273>
955     
956             Reviewed by Michael Saboff.
957     
958             * CMakeLists.txt:
959             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
960             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
961             * JavaScriptCore.xcodeproj/project.pbxproj:
962             * debugger/DebuggerActivation.cpp: Removed.
963             * debugger/DebuggerActivation.h: Removed.
964             * debugger/DebuggerScope.cpp: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.cpp.
965             (JSC::DebuggerScope::DebuggerScope):
966             (JSC::DebuggerScope::finishCreation):
967             (JSC::DebuggerScope::visitChildren):
968             (JSC::DebuggerScope::className):
969             (JSC::DebuggerScope::getOwnPropertySlot):
970             (JSC::DebuggerScope::put):
971             (JSC::DebuggerScope::deleteProperty):
972             (JSC::DebuggerScope::getOwnPropertyNames):
973             (JSC::DebuggerScope::defineOwnProperty):
974             (JSC::DebuggerActivation::DebuggerActivation): Deleted.
975             (JSC::DebuggerActivation::finishCreation): Deleted.
976             (JSC::DebuggerActivation::visitChildren): Deleted.
977             (JSC::DebuggerActivation::className): Deleted.
978             (JSC::DebuggerActivation::getOwnPropertySlot): Deleted.
979             (JSC::DebuggerActivation::put): Deleted.
980             (JSC::DebuggerActivation::deleteProperty): Deleted.
981             (JSC::DebuggerActivation::getOwnPropertyNames): Deleted.
982             (JSC::DebuggerActivation::defineOwnProperty): Deleted.
983             * debugger/DebuggerScope.h: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.h.
984             (JSC::DebuggerScope::create):
985             (JSC::DebuggerActivation::create): Deleted.
986             * runtime/VM.cpp:
987             (JSC::VM::VM):
988             * runtime/VM.h:
989     
990     2014-06-24  Filip Pizlo  <fpizlo@apple.com>
991     
992             [ftlopt] PutByIdFlush can also be converted to a PutByOffset so don't assert otherwise
993             https://bugs.webkit.org/show_bug.cgi?id=134265
994     
995             Reviewed by Geoffrey Garen.
996             
997             More assertion fallout from the PutById folding work.
998     
999             * dfg/DFGNode.h:
1000             (JSC::DFG::Node::convertToPutByOffset):
1001     
1002     2014-06-24  Filip Pizlo  <fpizlo@apple.com>
1003     
1004             [ftlopt] GC should notify us if it resets to_this
1005             https://bugs.webkit.org/show_bug.cgi?id=128231
1006     
1007             Reviewed by Geoffrey Garen.
1008     
1009             * CMakeLists.txt:
1010             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1011             * JavaScriptCore.xcodeproj/project.pbxproj:
1012             * bytecode/BytecodeList.json:
1013             * bytecode/CodeBlock.cpp:
1014             (JSC::CodeBlock::dumpBytecode):
1015             (JSC::CodeBlock::finalizeUnconditionally):
1016             * bytecode/Instruction.h:
1017             * bytecode/ToThisStatus.cpp: Added.
1018             (JSC::merge):
1019             (WTF::printInternal):
1020             * bytecode/ToThisStatus.h: Added.
1021             * bytecompiler/BytecodeGenerator.cpp:
1022             (JSC::BytecodeGenerator::BytecodeGenerator):
1023             * dfg/DFGByteCodeParser.cpp:
1024             (JSC::DFG::ByteCodeParser::parseBlock):
1025             * llint/LowLevelInterpreter32_64.asm:
1026             * llint/LowLevelInterpreter64.asm:
1027             * runtime/CommonSlowPaths.cpp:
1028             (JSC::SLOW_PATH_DECL):
1029     
1030     2014-06-24  Filip Pizlo  <fpizlo@apple.com>
1031     
1032             [ftlopt] StructureAbstractValue::onlyStructure() should return nullptr if isClobbered()
1033             https://bugs.webkit.org/show_bug.cgi?id=134256
1034     
1035             Reviewed by Michael Saboff.
1036             
1037             This isn't testable right now (i.e. it's benign) but we should get it right anyway. The
1038             point is to be able to precisely model what goes on in the snippets of code between a
1039             side-effect and an InvalidationPoint.
1040             
1041             This patch also cleans up onlyStructure() by delegating more work to
1042             StructureSet::onlyStructure().
1043     
1044             * dfg/DFGStructureAbstractValue.h:
1045             (JSC::DFG::StructureAbstractValue::onlyStructure):
1046     
1047     2014-06-24  Filip Pizlo  <fpizlo@apple.com>
1048     
1049             [ftlopt][REGRESSION] PutById AI is introducing watchable structures without watching them
1050             https://bugs.webkit.org/show_bug.cgi?id=134260
1051     
1052             Reviewed by Geoffrey Garen.
1053             
1054             This was causing loads of assertion failures in debug builds.
1055     
1056             * dfg/DFGAbstractInterpreterInlines.h:
1057             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1058     
1059     2014-06-21  Filip Pizlo  <fpizlo@apple.com>
1060     
1061             [ftlopt] Fold GetById/PutById to MultiGetByOffset/GetByOffset or MultiPutByOffset/PutByOffset, which implies handling non-singleton sets
1062             https://bugs.webkit.org/show_bug.cgi?id=134090
1063     
1064             Reviewed by Oliver Hunt.
1065             
1066             This pretty much finishes off the work to eliminate the special-casing of singleton
1067             structure sets by making it possible to fold GetById and PutById to various polymorphic
1068             forms of the ByOffset nodes.
1069             
1070             * bytecode/GetByIdStatus.cpp:
1071             (JSC::GetByIdStatus::computeForStubInfo):
1072             (JSC::GetByIdStatus::computeFor):
1073             * bytecode/GetByIdStatus.h:
1074             * bytecode/PutByIdStatus.cpp:
1075             (JSC::PutByIdStatus::computeFor):
1076             * bytecode/PutByIdStatus.h:
1077             * bytecode/PutByIdVariant.h:
1078             (JSC::PutByIdVariant::constantChecks):
1079             * dfg/DFGAbstractInterpreterInlines.h:
1080             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1081             * dfg/DFGByteCodeParser.cpp:
1082             (JSC::DFG::ByteCodeParser::parseBlock):
1083             * dfg/DFGConstantFoldingPhase.cpp:
1084             (JSC::DFG::ConstantFoldingPhase::foldConstants):
1085             (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
1086             (JSC::DFG::ConstantFoldingPhase::addChecks):
1087             * dfg/DFGNode.h:
1088             (JSC::DFG::Node::convertToMultiGetByOffset):
1089             (JSC::DFG::Node::convertToMultiPutByOffset):
1090             * dfg/DFGSpeculativeJIT64.cpp: Also convert all release assertions to DFG assertions in this file, because I was hitting some of them while debugging.
1091             (JSC::DFG::SpeculativeJIT::fillJSValue):
1092             (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
1093             (JSC::DFG::SpeculativeJIT::emitCall):
1094             (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
1095             (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
1096             (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
1097             (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1098             (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1099             (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1100             (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1101             (JSC::DFG::SpeculativeJIT::emitBranch):
1102             (JSC::DFG::SpeculativeJIT::compile):
1103             * dfg/DFGStructureAbstractValue.h:
1104             (JSC::DFG::StructureAbstractValue::set):
1105     
1106     2014-06-19  Filip Pizlo  <fpizlo@apple.com>
1107     
1108             [ftlopt] StructureSet::onlyStructure() should return nullptr if it's not a singleton (instead of asserting)
1109             https://bugs.webkit.org/show_bug.cgi?id=134077
1110     
1111             Reviewed by Sam Weinig.
1112             
1113             This makes StructureSet and StructureAbstractValue more consistent and fixes a debug assert
1114             in the abstract interpreter.
1115     
1116             * bytecode/StructureSet.h:
1117             (JSC::StructureSet::onlyStructure):
1118     
1119     2014-06-18  Filip Pizlo  <fpizlo@apple.com>
1120     
1121             DFG AI and constant folder should be able to precisely prune MultiGetByOffset/MultiPutByOffset even if the base structure abstract value is not a singleton
1122             https://bugs.webkit.org/show_bug.cgi?id=133918
1123     
1124             Reviewed by Mark Hahnenberg.
1125             
1126             This also adds pruning of PutStructure, since I basically had no choice but
1127             to implement such logic within MultiPutByOffset.
1128             
1129             Also adds a bunch of PutById cache status dumping to bytecode dumping.
1130     
1131             * bytecode/GetByIdVariant.cpp:
1132             (JSC::GetByIdVariant::dumpInContext):
1133             * bytecode/GetByIdVariant.h:
1134             (JSC::GetByIdVariant::structureSet):
1135             * bytecode/PutByIdVariant.h:
1136             (JSC::PutByIdVariant::oldStructure):
1137             * bytecode/StructureSet.cpp:
1138             (JSC::StructureSet::filter):
1139             (JSC::StructureSet::filterArrayModes):
1140             * bytecode/StructureSet.h:
1141             * dfg/DFGAbstractInterpreterInlines.h:
1142             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1143             * dfg/DFGAbstractValue.cpp:
1144             (JSC::DFG::AbstractValue::changeStructure):
1145             (JSC::DFG::AbstractValue::contains):
1146             * dfg/DFGAbstractValue.h:
1147             (JSC::DFG::AbstractValue::couldBeType):
1148             (JSC::DFG::AbstractValue::isType):
1149             * dfg/DFGConstantFoldingPhase.cpp:
1150             (JSC::DFG::ConstantFoldingPhase::foldConstants):
1151             (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
1152             (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
1153             (JSC::DFG::ConstantFoldingPhase::addBaseCheck):
1154             * dfg/DFGGraph.cpp:
1155             (JSC::DFG::Graph::freezeStrong):
1156             * dfg/DFGGraph.h:
1157             * dfg/DFGStructureAbstractValue.h:
1158             (JSC::DFG::StructureAbstractValue::operator=):
1159             * ftl/FTLLowerDFGToLLVM.cpp:
1160             (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
1161             * tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Added.
1162             (foo):
1163             (fu):
1164             (bar):
1165             (baz):
1166             (.bar):
1167             (.baz):
1168             * tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Added.
1169             (foo):
1170             (fu):
1171             (bar):
1172             (baz):
1173             (.bar):
1174             (.baz):
1175             * tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Added.
1176             (foo):
1177             (fu):
1178             (bar):
1179             (baz):
1180             (.bar):
1181             (.baz):
1182     
1183     2014-06-18  Mark Hahnenberg  <mhahnenberg@apple.com>
1184     
1185             Remove CompoundType and LeafType
1186             https://bugs.webkit.org/show_bug.cgi?id=134037
1187     
1188             Reviewed by Filip Pizlo.
1189     
1190             We don't use them for anything. We'll replace them with a generic CellType type for all 
1191             the objects that are JSCells, aren't JSObjects, and for which we generally don't care about 
1192             their JSType at runtime.
1193     
1194             * llint/LLIntData.cpp:
1195             (JSC::LLInt::Data::performAssertions):
1196             * runtime/ArrayBufferNeuteringWatchpoint.cpp:
1197             (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
1198             * runtime/Executable.h:
1199             (JSC::ExecutableBase::createStructure):
1200             (JSC::NativeExecutable::createStructure):
1201             * runtime/JSPromiseDeferred.h:
1202             (JSC::JSPromiseDeferred::createStructure):
1203             * runtime/JSPromiseReaction.h:
1204             (JSC::JSPromiseReaction::createStructure):
1205             * runtime/JSPropertyNameIterator.h:
1206             (JSC::JSPropertyNameIterator::createStructure):
1207             * runtime/JSType.h:
1208             * runtime/JSTypeInfo.h:
1209             (JSC::TypeInfo::TypeInfo):
1210             * runtime/MapData.h:
1211             (JSC::MapData::createStructure):
1212             * runtime/PropertyMapHashTable.h:
1213             (JSC::PropertyTable::createStructure):
1214             * runtime/RegExp.h:
1215             (JSC::RegExp::createStructure):
1216             * runtime/SparseArrayValueMap.cpp:
1217             (JSC::SparseArrayValueMap::createStructure):
1218             * runtime/Structure.cpp:
1219             (JSC::Structure::Structure):
1220             * runtime/StructureChain.h:
1221             (JSC::StructureChain::createStructure):
1222             * runtime/StructureRareData.cpp:
1223             (JSC::StructureRareData::createStructure):
1224             * runtime/SymbolTable.h:
1225             (JSC::SymbolTable::createStructure):
1226             * runtime/WeakMapData.h:
1227             (JSC::WeakMapData::createStructure):
1228     
1229     2014-06-17  Filip Pizlo  <fpizlo@apple.com>
1230     
1231             [ftlopt] PutStructure and PhantomPutStructure shouldn't leave the world in a clobbered state
1232             https://bugs.webkit.org/show_bug.cgi?id=134002
1233     
1234             Reviewed by Mark Hahnenberg.
1235             
1236             The effect of this bug was that if we had a PutStructure or PhantomPutStructure then any
1237             JSConstants would be in a Clobbered state, so we wouldn't take advantage of our knowledge
1238             of the structure if that structure was watchable.
1239             
1240             Also kill PhantomPutStructure.
1241     
1242             * dfg/DFGAbstractInterpreterInlines.h:
1243             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1244             (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
1245             (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
1246             * dfg/DFGClobberize.h:
1247             (JSC::DFG::clobberize):
1248             * dfg/DFGDoesGC.cpp:
1249             (JSC::DFG::doesGC):
1250             * dfg/DFGFixupPhase.cpp:
1251             (JSC::DFG::FixupPhase::fixupNode):
1252             * dfg/DFGGraph.cpp:
1253             (JSC::DFG::Graph::visitChildren):
1254             * dfg/DFGNode.h:
1255             (JSC::DFG::Node::hasTransition):
1256             * dfg/DFGNodeType.h:
1257             * dfg/DFGPredictionPropagationPhase.cpp:
1258             (JSC::DFG::PredictionPropagationPhase::propagate):
1259             * dfg/DFGSafeToExecute.h:
1260             (JSC::DFG::safeToExecute):
1261             * dfg/DFGSpeculativeJIT32_64.cpp:
1262             (JSC::DFG::SpeculativeJIT::compile):
1263             * dfg/DFGSpeculativeJIT64.cpp:
1264             (JSC::DFG::SpeculativeJIT::compile):
1265             * dfg/DFGStructureAbstractValue.cpp:
1266             (JSC::DFG::StructureAbstractValue::observeTransition):
1267             (JSC::DFG::StructureAbstractValue::observeTransitions):
1268             * dfg/DFGValidate.cpp:
1269             (JSC::DFG::Validate::validate):
1270             * dfg/DFGWatchableStructureWatchingPhase.cpp:
1271             (JSC::DFG::WatchableStructureWatchingPhase::run):
1272             * ftl/FTLCapabilities.cpp:
1273             (JSC::FTL::canCompile):
1274             * ftl/FTLLowerDFGToLLVM.cpp:
1275             (JSC::FTL::LowerDFGToLLVM::compileNode):
1276             (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure): Deleted.
1277     
1278     2014-06-17  Filip Pizlo  <fpizlo@apple.com>
1279     
1280             [ftlopt] DFG put_by_id should inline accesses with a slightly polymorphic base
1281             https://bugs.webkit.org/show_bug.cgi?id=133964
1282     
1283             Reviewed by Mark Hahnenberg.
1284     
1285             * bytecode/PutByIdStatus.cpp:
1286             (JSC::PutByIdStatus::appendVariant):
1287             (JSC::PutByIdStatus::computeForStubInfo):
1288             * bytecode/PutByIdVariant.cpp:
1289             (JSC::PutByIdVariant::oldStructureForTransition):
1290             (JSC::PutByIdVariant::writesStructures):
1291             (JSC::PutByIdVariant::reallocatesStorage):
1292             (JSC::PutByIdVariant::attemptToMerge):
1293             (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace):
1294             (JSC::PutByIdVariant::dumpInContext):
1295             * bytecode/PutByIdVariant.h:
1296             (JSC::PutByIdVariant::PutByIdVariant):
1297             (JSC::PutByIdVariant::replace):
1298             (JSC::PutByIdVariant::transition):
1299             (JSC::PutByIdVariant::structure):
1300             (JSC::PutByIdVariant::oldStructure):
1301             * dfg/DFGAbstractInterpreterInlines.h:
1302             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1303             * dfg/DFGByteCodeParser.cpp:
1304             (JSC::DFG::ByteCodeParser::handlePutById):
1305             (JSC::DFG::ByteCodeParser::parseBlock):
1306             * dfg/DFGConstantFoldingPhase.cpp:
1307             (JSC::DFG::ConstantFoldingPhase::foldConstants):
1308             (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
1309             * dfg/DFGGraph.cpp:
1310             (JSC::DFG::Graph::visitChildren):
1311             * dfg/DFGNode.cpp:
1312             (JSC::DFG::MultiPutByOffsetData::writesStructures):
1313             (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
1314             * ftl/FTLAbbreviations.h:
1315             (JSC::FTL::getLinkage):
1316             * ftl/FTLLowerDFGToLLVM.cpp:
1317             (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
1318             (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
1319     
1320 2014-07-26  Filip Pizlo  <fpizlo@apple.com>
1321
1322         Unreviewed, roll out r171641-r171644. It broke some tests; will investigate and
1323         reland later.
1324
1325         * CMakeLists.txt:
1326         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1327         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1328         * JavaScriptCore.xcodeproj/project.pbxproj:
1329         * bytecode/BytecodeList.json:
1330         * bytecode/BytecodeUseDef.h:
1331         (JSC::computeUsesForBytecodeOffset):
1332         (JSC::computeDefsForBytecodeOffset):
1333         * bytecode/CodeBlock.cpp:
1334         (JSC::CodeBlock::dumpBytecode):
1335         (JSC::CodeBlock::CodeBlock):
1336         (JSC::CodeBlock::finalizeUnconditionally):
1337         (JSC::CodeBlock::printPutByIdCacheStatus): Deleted.
1338         * bytecode/CodeBlock.h:
1339         * bytecode/GetByIdStatus.cpp:
1340         (JSC::GetByIdStatus::computeForStubInfo):
1341         (JSC::GetByIdStatus::computeFor):
1342         * bytecode/GetByIdStatus.h:
1343         * bytecode/GetByIdVariant.cpp:
1344         (JSC::GetByIdVariant::dumpInContext):
1345         * bytecode/GetByIdVariant.h:
1346         (JSC::GetByIdVariant::structureSet):
1347         * bytecode/Instruction.h:
1348         * bytecode/PutByIdStatus.cpp:
1349         (JSC::PutByIdStatus::appendVariant):
1350         (JSC::PutByIdStatus::computeForStubInfo):
1351         (JSC::PutByIdStatus::computeFor):
1352         * bytecode/PutByIdStatus.h:
1353         * bytecode/PutByIdVariant.cpp:
1354         (JSC::PutByIdVariant::dumpInContext):
1355         (JSC::PutByIdVariant::oldStructureForTransition): Deleted.
1356         (JSC::PutByIdVariant::writesStructures): Deleted.
1357         (JSC::PutByIdVariant::reallocatesStorage): Deleted.
1358         (JSC::PutByIdVariant::attemptToMerge): Deleted.
1359         (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace): Deleted.
1360         * bytecode/PutByIdVariant.h:
1361         (JSC::PutByIdVariant::PutByIdVariant):
1362         (JSC::PutByIdVariant::replace):
1363         (JSC::PutByIdVariant::transition):
1364         (JSC::PutByIdVariant::structure):
1365         (JSC::PutByIdVariant::oldStructure):
1366         (JSC::PutByIdVariant::newStructure):
1367         (JSC::PutByIdVariant::constantChecks):
1368         * bytecode/StructureSet.cpp:
1369         (JSC::StructureSet::filter): Deleted.
1370         (JSC::StructureSet::filterArrayModes): Deleted.
1371         * bytecode/StructureSet.h:
1372         (JSC::StructureSet::onlyStructure):
1373         * bytecode/ToThisStatus.cpp: Removed.
1374         * bytecode/ToThisStatus.h: Removed.
1375         * bytecode/TypeLocation.h: Removed.
1376         * bytecompiler/BytecodeGenerator.cpp:
1377         (JSC::BytecodeGenerator::BytecodeGenerator):
1378         (JSC::BytecodeGenerator::emitMove):
1379         (JSC::BytecodeGenerator::emitPutToScope):
1380         (JSC::BytecodeGenerator::emitPutById):
1381         (JSC::BytecodeGenerator::emitPutByVal):
1382         (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity): Deleted.
1383         * bytecompiler/BytecodeGenerator.h:
1384         (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity): Deleted.
1385         * bytecompiler/NodesCodegen.cpp:
1386         (JSC::PostfixNode::emitResolve):
1387         (JSC::PrefixNode::emitResolve):
1388         (JSC::ReadModifyResolveNode::emitBytecode):
1389         (JSC::AssignResolveNode::emitBytecode):
1390         (JSC::ConstDeclNode::emitCodeSingle):
1391         (JSC::ForInNode::emitBytecode):
1392         * debugger/DebuggerActivation.cpp: Added.
1393         (JSC::DebuggerActivation::DebuggerActivation):
1394         (JSC::DebuggerActivation::finishCreation):
1395         (JSC::DebuggerActivation::visitChildren):
1396         (JSC::DebuggerActivation::className):
1397         (JSC::DebuggerActivation::getOwnPropertySlot):
1398         (JSC::DebuggerActivation::put):
1399         (JSC::DebuggerActivation::deleteProperty):
1400         (JSC::DebuggerActivation::getOwnPropertyNames):
1401         (JSC::DebuggerActivation::defineOwnProperty):
1402         * debugger/DebuggerActivation.h: Added.
1403         (JSC::DebuggerActivation::create):
1404         (JSC::DebuggerActivation::createStructure):
1405         * debugger/DebuggerScope.cpp: Removed.
1406         * debugger/DebuggerScope.h: Removed.
1407         * dfg/DFGAbstractInterpreterInlines.h:
1408         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1409         (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
1410         (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
1411         * dfg/DFGAbstractValue.cpp:
1412         (JSC::DFG::AbstractValue::changeStructure): Deleted.
1413         (JSC::DFG::AbstractValue::contains): Deleted.
1414         * dfg/DFGAbstractValue.h:
1415         (JSC::DFG::AbstractValue::couldBeType):
1416         (JSC::DFG::AbstractValue::isType):
1417         * dfg/DFGByteCodeParser.cpp:
1418         (JSC::DFG::ByteCodeParser::handlePutById):
1419         (JSC::DFG::ByteCodeParser::parseBlock):
1420         * dfg/DFGClobberize.h:
1421         (JSC::DFG::clobberize):
1422         * dfg/DFGConstantFoldingPhase.cpp:
1423         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1424         (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
1425         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
1426         (JSC::DFG::ConstantFoldingPhase::addBaseCheck): Deleted.
1427         (JSC::DFG::ConstantFoldingPhase::addChecks): Deleted.
1428         * dfg/DFGDoesGC.cpp:
1429         (JSC::DFG::doesGC):
1430         * dfg/DFGFixupPhase.cpp:
1431         (JSC::DFG::FixupPhase::fixupNode):
1432         * dfg/DFGGraph.cpp:
1433         (JSC::DFG::Graph::visitChildren):
1434         (JSC::DFG::Graph::freezeStrong):
1435         * dfg/DFGGraph.h:
1436         * dfg/DFGNode.cpp:
1437         (JSC::DFG::MultiPutByOffsetData::writesStructures):
1438         (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
1439         * dfg/DFGNode.h:
1440         (JSC::DFG::Node::convertToPutByOffset):
1441         (JSC::DFG::Node::hasTransition):
1442         (JSC::DFG::Node::convertToMultiGetByOffset): Deleted.
1443         (JSC::DFG::Node::convertToMultiPutByOffset): Deleted.
1444         * dfg/DFGNodeType.h:
1445         * dfg/DFGPredictionPropagationPhase.cpp:
1446         (JSC::DFG::PredictionPropagationPhase::propagate):
1447         * dfg/DFGSafeToExecute.h:
1448         (JSC::DFG::safeToExecute):
1449         * dfg/DFGSpeculativeJIT.cpp:
1450         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
1451         * dfg/DFGSpeculativeJIT32_64.cpp:
1452         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1453         (JSC::DFG::SpeculativeJIT::compile):
1454         * dfg/DFGSpeculativeJIT64.cpp:
1455         (JSC::DFG::SpeculativeJIT::fillJSValue):
1456         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
1457         (JSC::DFG::SpeculativeJIT::emitCall):
1458         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
1459         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
1460         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
1461         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1462         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1463         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1464         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1465         (JSC::DFG::SpeculativeJIT::emitBranch):
1466         (JSC::DFG::SpeculativeJIT::compile):
1467         * dfg/DFGStructureAbstractValue.cpp:
1468         (JSC::DFG::StructureAbstractValue::observeTransition):
1469         (JSC::DFG::StructureAbstractValue::observeTransitions):
1470         * dfg/DFGStructureAbstractValue.h:
1471         (JSC::DFG::StructureAbstractValue::onlyStructure):
1472         (JSC::DFG::StructureAbstractValue::operator=): Deleted.
1473         (JSC::DFG::StructureAbstractValue::set): Deleted.
1474         * dfg/DFGValidate.cpp:
1475         (JSC::DFG::Validate::validate):
1476         * dfg/DFGWatchableStructureWatchingPhase.cpp:
1477         (JSC::DFG::WatchableStructureWatchingPhase::run):
1478         * ftl/FTLAbbreviations.h:
1479         (JSC::FTL::getLinkage): Deleted.
1480         * ftl/FTLCapabilities.cpp:
1481         (JSC::FTL::canCompile):
1482         * ftl/FTLLowerDFGToLLVM.cpp:
1483         (JSC::FTL::LowerDFGToLLVM::compileNode):
1484         (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure):
1485         (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
1486         (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
1487         (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
1488         * heap/Heap.cpp:
1489         (JSC::Heap::collect):
1490         * inspector/agents/InspectorRuntimeAgent.cpp:
1491         (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange): Deleted.
1492         * inspector/agents/InspectorRuntimeAgent.h:
1493         * inspector/protocol/Runtime.json:
1494         * jsc.cpp:
1495         (GlobalObject::finishCreation):
1496         (functionDumpTypesForAllVariables): Deleted.
1497         * llint/LLIntData.cpp:
1498         (JSC::LLInt::Data::performAssertions):
1499         * llint/LLIntSlowPaths.cpp:
1500         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1501         (JSC::LLInt::putToScopeCommon): Deleted.
1502         * llint/LLIntSlowPaths.h:
1503         * llint/LowLevelInterpreter.asm:
1504         * llint/LowLevelInterpreter32_64.asm:
1505         * llint/LowLevelInterpreter64.asm:
1506         * runtime/ArrayBufferNeuteringWatchpoint.cpp:
1507         (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
1508         * runtime/CommonSlowPaths.cpp:
1509         (JSC::SLOW_PATH_DECL):
1510         * runtime/Executable.h:
1511         (JSC::ExecutableBase::createStructure):
1512         (JSC::NativeExecutable::createStructure):
1513         * runtime/HighFidelityLog.cpp: Removed.
1514         * runtime/HighFidelityLog.h: Removed.
1515         * runtime/HighFidelityTypeProfiler.cpp: Removed.
1516         * runtime/HighFidelityTypeProfiler.h: Removed.
1517         * runtime/JSObject.cpp:
1518         (JSC::JSObject::putDirectCustomAccessor):
1519         (JSC::JSObject::putDirectNonIndexAccessor):
1520         (JSC::JSObject::reifyStaticFunctionsForDelete):
1521         * runtime/JSPromiseDeferred.h:
1522         (JSC::JSPromiseDeferred::createStructure):
1523         * runtime/JSPromiseReaction.h:
1524         (JSC::JSPromiseReaction::createStructure):
1525         * runtime/JSPropertyNameIterator.h:
1526         (JSC::JSPropertyNameIterator::createStructure):
1527         * runtime/JSType.h:
1528         * runtime/JSTypeInfo.h:
1529         (JSC::TypeInfo::TypeInfo):
1530         * runtime/MapData.h:
1531         (JSC::MapData::createStructure):
1532         * runtime/Options.h:
1533         * runtime/PropertyMapHashTable.h:
1534         (JSC::PropertyTable::createStructure):
1535         * runtime/RegExp.h:
1536         (JSC::RegExp::createStructure):
1537         * runtime/SparseArrayValueMap.cpp:
1538         (JSC::SparseArrayValueMap::createStructure):
1539         * runtime/Structure.cpp:
1540         (JSC::StructureTransitionTable::contains):
1541         (JSC::StructureTransitionTable::get):
1542         (JSC::StructureTransitionTable::add):
1543         (JSC::Structure::Structure):
1544         (JSC::Structure::materializePropertyMap):
1545         (JSC::Structure::addPropertyTransition):
1546         (JSC::Structure::despecifyFunctionTransition):
1547         (JSC::Structure::toDictionaryTransition):
1548         (JSC::Structure::freezeTransition):
1549         (JSC::Structure::preventExtensionsTransition):
1550         (JSC::Structure::takePropertyTableOrCloneIfPinned):
1551         (JSC::Structure::nonPropertyTransition):
1552         (JSC::Structure::flattenDictionaryStructure):
1553         (JSC::Structure::addPropertyWithoutTransition):
1554         (JSC::Structure::pin):
1555         (JSC::Structure::allocateRareData):
1556         (JSC::Structure::cloneRareDataFrom):
1557         (JSC::Structure::getConcurrently):
1558         (JSC::Structure::putSpecificValue):
1559         (JSC::Structure::getPropertyNamesFromStructure):
1560         (JSC::Structure::visitChildren):
1561         (JSC::Structure::checkConsistency):
1562         (JSC::Structure::toStructureShape): Deleted.
1563         * runtime/Structure.h:
1564         (JSC::Structure::isExtensible):
1565         (JSC::Structure::didTransition):
1566         (JSC::Structure::isDictionary):
1567         (JSC::Structure::isUncacheableDictionary):
1568         (JSC::Structure::hasBeenFlattenedBefore):
1569         (JSC::Structure::propertyAccessesAreCacheable):
1570         (JSC::Structure::previousID):
1571         (JSC::Structure::hasGetterSetterProperties):
1572         (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto):
1573         (JSC::Structure::setHasGetterSetterProperties):
1574         (JSC::Structure::hasCustomGetterSetterProperties):
1575         (JSC::Structure::setHasCustomGetterSetterProperties):
1576         (JSC::Structure::setContainsReadOnlyProperties):
1577         (JSC::Structure::hasNonEnumerableProperties):
1578         (JSC::Structure::disableSpecificFunctionTracking):
1579         (JSC::Structure::objectToStringValue):
1580         (JSC::Structure::setObjectToStringValue):
1581         (JSC::Structure::staticFunctionsReified):
1582         (JSC::Structure::setStaticFunctionsReified):
1583         (JSC::Structure::transitionWatchpointSet):
1584         (JSC::Structure::setPreviousID):
1585         (JSC::Structure::clearPreviousID):
1586         (JSC::Structure::previous):
1587         (JSC::Structure::rareData):
1588         (JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck): Deleted.
1589         (JSC::Structure::setHasCustomGetterSetterPropertiesWithProtoCheck): Deleted.
1590         * runtime/StructureChain.h:
1591         (JSC::StructureChain::createStructure):
1592         * runtime/StructureInlines.h:
1593         (JSC::Structure::setEnumerationCache):
1594         (JSC::Structure::enumerationCache):
1595         (JSC::Structure::checkOffsetConsistency):
1596         * runtime/StructureRareData.cpp:
1597         (JSC::StructureRareData::createStructure):
1598         * runtime/SymbolTable.cpp:
1599         (JSC::SymbolTable::SymbolTable):
1600         (JSC::SymbolTable::cloneCapturedNames):
1601         (JSC::SymbolTable::uniqueIDForVariable): Deleted.
1602         (JSC::SymbolTable::uniqueIDForRegister): Deleted.
1603         (JSC::SymbolTable::globalTypeSetForRegister): Deleted.
1604         (JSC::SymbolTable::globalTypeSetForVariable): Deleted.
1605         * runtime/SymbolTable.h:
1606         (JSC::SymbolTable::createStructure):
1607         (JSC::SymbolTable::add):
1608         (JSC::SymbolTable::set):
1609         * runtime/TypeSet.cpp: Removed.
1610         * runtime/TypeSet.h: Removed.
1611         * runtime/VM.cpp:
1612         (JSC::VM::VM):
1613         (JSC::VM::getTypesForVariableInRange): Deleted.
1614         (JSC::VM::updateHighFidelityTypeProfileState): Deleted.
1615         (JSC::VM::dumpHighFidelityProfilingTypes): Deleted.
1616         * runtime/VM.h:
1617         (JSC::VM::isProfilingTypesWithHighFidelity): Deleted.
1618         (JSC::VM::highFidelityLog): Deleted.
1619         (JSC::VM::highFidelityTypeProfiler): Deleted.
1620         (JSC::VM::nextLocation): Deleted.
1621         (JSC::VM::getNextUniqueVariableID): Deleted.
1622         * runtime/WeakMapData.h:
1623         (JSC::WeakMapData::createStructure):
1624         * tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Removed.
1625         * tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Removed.
1626         * tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Removed.
1627
1628 2014-07-25  Filip Pizlo  <fpizlo@apple.com>
1629
1630         Attempt to fix non-Xcode platforms.
1631
1632         * CMakeLists.txt:
1633         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1634
1635 2014-07-25  Filip Pizlo  <fpizlo@apple.com>
1636
1637         Fix cloop.
1638
1639         * bytecode/CodeBlock.cpp:
1640         (JSC::dumpChain):
1641         (JSC::CodeBlock::printPutByIdCacheStatus):
1642         * bytecode/StructureSet.cpp:
1643         * bytecode/StructureSet.h:
1644
1645 2014-07-25  Filip Pizlo  <fpizlo@apple.com>
1646
1647         Merge r170090, r170092, r170129, r170141, r170161, r170215, r170275, r170375, r170376, r170382, r170383, r170399, r170436, r170489, r170490, r170556 from ftlopt.
1648
1649     2014-06-27  Michael Saboff  <msaboff@apple.com>
1650     
1651             Unreviewed build fix after r169795.
1652     
1653             Fixed ASSERT for 32 bit build.
1654     
1655             * dfg/DFGSpeculativeJIT.cpp:
1656             (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
1657     
1658     2014-06-24  Saam Barati  <sbarati@apple.com>
1659     
1660             Web Inspector: debugger should be able to show variable types
1661             https://bugs.webkit.org/show_bug.cgi?id=133395
1662     
1663             Reviewed by Filip Pizlo.
1664     
1665             Increase the amount of type information the VM gathers when directed
1666             to do so. This initial commit is working towards the goal of
1667             capturing, and then showing (via the Web Inspector) type information for all
1668             assignment and load operations. This patch doesn't have the feature fully 
1669             implemented, but it ensures the VM has no performance regressions
1670             unless the feature is specifically turned on.
1671     
1672             * JavaScriptCore.xcodeproj/project.pbxproj:
1673             * bytecode/BytecodeList.json:
1674             * bytecode/BytecodeUseDef.h:
1675             (JSC::computeUsesForBytecodeOffset):
1676             (JSC::computeDefsForBytecodeOffset):
1677             * bytecode/CodeBlock.cpp:
1678             (JSC::CodeBlock::dumpBytecode):
1679             (JSC::CodeBlock::CodeBlock):
1680             (JSC::CodeBlock::finalizeUnconditionally):
1681             * bytecode/CodeBlock.h:
1682             * bytecode/Instruction.h:
1683             * bytecode/TypeLocation.h: Added.
1684             (JSC::TypeLocation::TypeLocation):
1685             * bytecompiler/BytecodeGenerator.cpp:
1686             (JSC::BytecodeGenerator::emitMove):
1687             (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
1688             (JSC::BytecodeGenerator::emitPutToScope):
1689             (JSC::BytecodeGenerator::emitPutById):
1690             (JSC::BytecodeGenerator::emitPutByVal):
1691             * bytecompiler/BytecodeGenerator.h:
1692             (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity):
1693             * bytecompiler/NodesCodegen.cpp:
1694             (JSC::PostfixNode::emitResolve):
1695             (JSC::PrefixNode::emitResolve):
1696             (JSC::ReadModifyResolveNode::emitBytecode):
1697             (JSC::AssignResolveNode::emitBytecode):
1698             (JSC::ConstDeclNode::emitCodeSingle):
1699             (JSC::ForInNode::emitBytecode):
1700             * heap/Heap.cpp:
1701             (JSC::Heap::collect):
1702             * inspector/agents/InspectorRuntimeAgent.cpp:
1703             (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange):
1704             * inspector/agents/InspectorRuntimeAgent.h:
1705             * inspector/protocol/Runtime.json:
1706             * jsc.cpp:
1707             (GlobalObject::finishCreation):
1708             (functionDumpTypesForAllVariables):
1709             * llint/LLIntSlowPaths.cpp:
1710             (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1711             (JSC::LLInt::putToScopeCommon):
1712             * llint/LLIntSlowPaths.h:
1713             * llint/LowLevelInterpreter.asm:
1714             * runtime/HighFidelityLog.cpp: Added.
1715             (JSC::HighFidelityLog::initializeHighFidelityLog):
1716             (JSC::HighFidelityLog::~HighFidelityLog):
1717             (JSC::HighFidelityLog::recordTypeInformationForLocation):
1718             (JSC::HighFidelityLog::processHighFidelityLog):
1719             (JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
1720             * runtime/HighFidelityLog.h: Added.
1721             (JSC::HighFidelityLog::HighFidelityLog):
1722             * runtime/HighFidelityTypeProfiler.cpp: Added.
1723             (JSC::HighFidelityTypeProfiler::getTypesForVariableInRange):
1724             (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange):
1725             (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange):
1726             (JSC::HighFidelityTypeProfiler::insertNewLocation):
1727             (JSC::HighFidelityTypeProfiler::getLocationBasedHash):
1728             * runtime/HighFidelityTypeProfiler.h: Added.
1729             * runtime/Options.h:
1730             * runtime/Structure.cpp:
1731             (JSC::Structure::toStructureShape):
1732             * runtime/Structure.h:
1733             * runtime/SymbolTable.cpp:
1734             (JSC::SymbolTable::SymbolTable):
1735             (JSC::SymbolTable::cloneCapturedNames):
1736             (JSC::SymbolTable::uniqueIDForVariable):
1737             (JSC::SymbolTable::uniqueIDForRegister):
1738             (JSC::SymbolTable::globalTypeSetForRegister):
1739             (JSC::SymbolTable::globalTypeSetForVariable):
1740             * runtime/SymbolTable.h:
1741             (JSC::SymbolTable::add):
1742             (JSC::SymbolTable::set):
1743             * runtime/TypeSet.cpp: Added.
1744             (JSC::TypeSet::TypeSet):
1745             (JSC::TypeSet::getRuntimeTypeForValue):
1746             (JSC::TypeSet::addTypeForValue):
1747             (JSC::TypeSet::removeDuplicatesInStructureHistory):
1748             (JSC::TypeSet::seenTypes):
1749             (JSC::TypeSet::dumpSeenTypes):
1750             (JSC::StructureShape::StructureShape):
1751             (JSC::StructureShape::markAsFinal):
1752             (JSC::StructureShape::addProperty):
1753             (JSC::StructureShape::propertyHash):
1754             (JSC::StructureShape::leastUpperBound):
1755             (JSC::StructureShape::stringRepresentation):
1756             * runtime/TypeSet.h: Added.
1757             (JSC::StructureShape::create):
1758             (JSC::TypeSet::create):
1759             * runtime/VM.cpp:
1760             (JSC::VM::VM):
1761             (JSC::VM::getTypesForVariableInRange):
1762             (JSC::VM::updateHighFidelityTypeProfileState):
1763             (JSC::VM::dumpHighFidelityProfilingTypes):
1764             * runtime/VM.h:
1765             (JSC::VM::isProfilingTypesWithHighFidelity):
1766             (JSC::VM::highFidelityLog):
1767             (JSC::VM::highFidelityTypeProfiler):
1768             (JSC::VM::nextLocation):
1769             (JSC::VM::getNextUniqueVariableID):
1770     
1771     2014-06-26  Mark Lam  <mark.lam@apple.com>
1772     
1773             Remove unused instantiation of the WithScope structure.
1774             <https://webkit.org/b/134331>
1775     
1776             Reviewed by Oliver Hunt.
1777     
1778             The WithScope structure instance in the VM is unused, and is now removed.
1779     
1780             * runtime/VM.cpp:
1781             (JSC::VM::VM):
1782             * runtime/VM.h:
1783     
1784     2014-06-25  Mark Hahnenberg  <mhahnenberg@apple.com>
1785     
1786             Structure bit fields should have a consistent format
1787             https://bugs.webkit.org/show_bug.cgi?id=134307
1788     
1789             Reviewed by Filip Pizlo.
1790     
1791             Currently we use C-style bit fields for a number of member variables in Structure to save space. 
1792             This makes it difficult to load these fields in the JIT. We should instead use our own bitfield 
1793             format to make it easy to load and test these variables in JIT code.
1794     
1795             * runtime/JSObject.cpp:
1796             (JSC::JSObject::putDirectNonIndexAccessor):
1797             (JSC::JSObject::reifyStaticFunctionsForDelete):
1798             * runtime/Structure.cpp:
1799             (JSC::StructureTransitionTable::contains):
1800             (JSC::StructureTransitionTable::get):
1801             (JSC::StructureTransitionTable::add):
1802             (JSC::Structure::Structure):
1803             (JSC::Structure::materializePropertyMap):
1804             (JSC::Structure::addPropertyTransition):
1805             (JSC::Structure::despecifyFunctionTransition):
1806             (JSC::Structure::toDictionaryTransition):
1807             (JSC::Structure::freezeTransition):
1808             (JSC::Structure::preventExtensionsTransition):
1809             (JSC::Structure::takePropertyTableOrCloneIfPinned):
1810             (JSC::Structure::nonPropertyTransition):
1811             (JSC::Structure::flattenDictionaryStructure):
1812             (JSC::Structure::addPropertyWithoutTransition):
1813             (JSC::Structure::pin):
1814             (JSC::Structure::allocateRareData):
1815             (JSC::Structure::cloneRareDataFrom):
1816             (JSC::Structure::getConcurrently):
1817             (JSC::Structure::putSpecificValue):
1818             (JSC::Structure::getPropertyNamesFromStructure):
1819             (JSC::Structure::visitChildren):
1820             (JSC::Structure::checkConsistency):
1821             * runtime/Structure.h:
1822             (JSC::Structure::isExtensible):
1823             (JSC::Structure::isDictionary):
1824             (JSC::Structure::isUncacheableDictionary):
1825             (JSC::Structure::propertyAccessesAreCacheable):
1826             (JSC::Structure::previousID):
1827             (JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck):
1828             (JSC::Structure::setContainsReadOnlyProperties):
1829             (JSC::Structure::disableSpecificFunctionTracking):
1830             (JSC::Structure::objectToStringValue):
1831             (JSC::Structure::setObjectToStringValue):
1832             (JSC::Structure::setPreviousID):
1833             (JSC::Structure::clearPreviousID):
1834             (JSC::Structure::previous):
1835             (JSC::Structure::rareData):
1836             (JSC::Structure::didTransition): Deleted.
1837             (JSC::Structure::hasGetterSetterProperties): Deleted.
1838             (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto): Deleted.
1839             (JSC::Structure::setHasGetterSetterProperties): Deleted.
1840             (JSC::Structure::hasNonEnumerableProperties): Deleted.
1841             (JSC::Structure::staticFunctionsReified): Deleted.
1842             (JSC::Structure::setStaticFunctionsReified): Deleted.
1843             * runtime/StructureInlines.h:
1844             (JSC::Structure::setEnumerationCache):
1845             (JSC::Structure::enumerationCache):
1846             (JSC::Structure::checkOffsetConsistency):
1847     
1848     2014-06-24  Mark Lam  <mark.lam@apple.com>
1849     
1850             [ftlopt] Renamed DebuggerActivation to DebuggerScope.
1851             <https://webkit.org/b/134273>
1852     
1853             Reviewed by Michael Saboff.
1854     
1855             * CMakeLists.txt:
1856             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1857             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1858             * JavaScriptCore.xcodeproj/project.pbxproj:
1859             * debugger/DebuggerActivation.cpp: Removed.
1860             * debugger/DebuggerActivation.h: Removed.
1861             * debugger/DebuggerScope.cpp: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.cpp.
1862             (JSC::DebuggerScope::DebuggerScope):
1863             (JSC::DebuggerScope::finishCreation):
1864             (JSC::DebuggerScope::visitChildren):
1865             (JSC::DebuggerScope::className):
1866             (JSC::DebuggerScope::getOwnPropertySlot):
1867             (JSC::DebuggerScope::put):
1868             (JSC::DebuggerScope::deleteProperty):
1869             (JSC::DebuggerScope::getOwnPropertyNames):
1870             (JSC::DebuggerScope::defineOwnProperty):
1871             (JSC::DebuggerActivation::DebuggerActivation): Deleted.
1872             (JSC::DebuggerActivation::finishCreation): Deleted.
1873             (JSC::DebuggerActivation::visitChildren): Deleted.
1874             (JSC::DebuggerActivation::className): Deleted.
1875             (JSC::DebuggerActivation::getOwnPropertySlot): Deleted.
1876             (JSC::DebuggerActivation::put): Deleted.
1877             (JSC::DebuggerActivation::deleteProperty): Deleted.
1878             (JSC::DebuggerActivation::getOwnPropertyNames): Deleted.
1879             (JSC::DebuggerActivation::defineOwnProperty): Deleted.
1880             * debugger/DebuggerScope.h: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.h.
1881             (JSC::DebuggerScope::create):
1882             (JSC::DebuggerActivation::create): Deleted.
1883             * runtime/VM.cpp:
1884             (JSC::VM::VM):
1885             * runtime/VM.h:
1886     
1887     2014-06-24  Filip Pizlo  <fpizlo@apple.com>
1888     
1889             [ftlopt] PutByIdFlush can also be converted to a PutByOffset so don't assert otherwise
1890             https://bugs.webkit.org/show_bug.cgi?id=134265
1891     
1892             Reviewed by Geoffrey Garen.
1893             
1894             More assertion fallout from the PutById folding work.
1895     
1896             * dfg/DFGNode.h:
1897             (JSC::DFG::Node::convertToPutByOffset):
1898     
1899     2014-06-24  Filip Pizlo  <fpizlo@apple.com>
1900     
1901             [ftlopt] GC should notify us if it resets to_this
1902             https://bugs.webkit.org/show_bug.cgi?id=128231
1903     
1904             Reviewed by Geoffrey Garen.
1905     
1906             * CMakeLists.txt:
1907             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1908             * JavaScriptCore.xcodeproj/project.pbxproj:
1909             * bytecode/BytecodeList.json:
1910             * bytecode/CodeBlock.cpp:
1911             (JSC::CodeBlock::dumpBytecode):
1912             (JSC::CodeBlock::finalizeUnconditionally):
1913             * bytecode/Instruction.h:
1914             * bytecode/ToThisStatus.cpp: Added.
1915             (JSC::merge):
1916             (WTF::printInternal):
1917             * bytecode/ToThisStatus.h: Added.
1918             * bytecompiler/BytecodeGenerator.cpp:
1919             (JSC::BytecodeGenerator::BytecodeGenerator):
1920             * dfg/DFGByteCodeParser.cpp:
1921             (JSC::DFG::ByteCodeParser::parseBlock):
1922             * llint/LowLevelInterpreter32_64.asm:
1923             * llint/LowLevelInterpreter64.asm:
1924             * runtime/CommonSlowPaths.cpp:
1925             (JSC::SLOW_PATH_DECL):
1926     
1927     2014-06-24  Filip Pizlo  <fpizlo@apple.com>
1928     
1929             [ftlopt] StructureAbstractValue::onlyStructure() should return nullptr if isClobbered()
1930             https://bugs.webkit.org/show_bug.cgi?id=134256
1931     
1932             Reviewed by Michael Saboff.
1933             
1934             This isn't testable right now (i.e. it's benign) but we should get it right anyway. The
1935             point is to be able to precisely model what goes on in the snippets of code between a
1936             side-effect and an InvalidationPoint.
1937             
1938             This patch also cleans up onlyStructure() by delegating more work to
1939             StructureSet::onlyStructure().
1940     
1941             * dfg/DFGStructureAbstractValue.h:
1942             (JSC::DFG::StructureAbstractValue::onlyStructure):
1943     
1944     2014-06-24  Filip Pizlo  <fpizlo@apple.com>
1945     
1946             [ftlopt][REGRESSION] PutById AI is introducing watchable structures without watching them
1947             https://bugs.webkit.org/show_bug.cgi?id=134260
1948     
1949             Reviewed by Geoffrey Garen.
1950             
1951             This was causing loads of assertion failures in debug builds.
1952     
1953             * dfg/DFGAbstractInterpreterInlines.h:
1954             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1955     
1956     2014-06-21  Filip Pizlo  <fpizlo@apple.com>
1957     
1958             [ftlopt] Fold GetById/PutById to MultiGetByOffset/GetByOffset or MultiPutByOffset/PutByOffset, which implies handling non-singleton sets
1959             https://bugs.webkit.org/show_bug.cgi?id=134090
1960     
1961             Reviewed by Oliver Hunt.
1962             
1963             This pretty much finishes off the work to eliminate the special-casing of singleton
1964             structure sets by making it possible to fold GetById and PutById to various polymorphic
1965             forms of the ByOffset nodes.
1966             
1967             * bytecode/GetByIdStatus.cpp:
1968             (JSC::GetByIdStatus::computeForStubInfo):
1969             (JSC::GetByIdStatus::computeFor):
1970             * bytecode/GetByIdStatus.h:
1971             * bytecode/PutByIdStatus.cpp:
1972             (JSC::PutByIdStatus::computeFor):
1973             * bytecode/PutByIdStatus.h:
1974             * bytecode/PutByIdVariant.h:
1975             (JSC::PutByIdVariant::constantChecks):
1976             * dfg/DFGAbstractInterpreterInlines.h:
1977             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1978             * dfg/DFGByteCodeParser.cpp:
1979             (JSC::DFG::ByteCodeParser::parseBlock):
1980             * dfg/DFGConstantFoldingPhase.cpp:
1981             (JSC::DFG::ConstantFoldingPhase::foldConstants):
1982             (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
1983             (JSC::DFG::ConstantFoldingPhase::addChecks):
1984             * dfg/DFGNode.h:
1985             (JSC::DFG::Node::convertToMultiGetByOffset):
1986             (JSC::DFG::Node::convertToMultiPutByOffset):
1987             * dfg/DFGSpeculativeJIT64.cpp: Also convert all release assertions to DFG assertions in this file, because I was hitting some of them while debugging.
1988             (JSC::DFG::SpeculativeJIT::fillJSValue):
1989             (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
1990             (JSC::DFG::SpeculativeJIT::emitCall):
1991             (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
1992             (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
1993             (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
1994             (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1995             (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1996             (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1997             (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1998             (JSC::DFG::SpeculativeJIT::emitBranch):
1999             (JSC::DFG::SpeculativeJIT::compile):
2000             * dfg/DFGStructureAbstractValue.h:
2001             (JSC::DFG::StructureAbstractValue::set):
2002     
2003     2014-06-19  Filip Pizlo  <fpizlo@apple.com>
2004     
2005             [ftlopt] StructureSet::onlyStructure() should return nullptr if it's not a singleton (instead of asserting)
2006             https://bugs.webkit.org/show_bug.cgi?id=134077
2007     
2008             Reviewed by Sam Weinig.
2009             
2010             This makes StructureSet and StructureAbstractValue more consistent and fixes a debug assert
2011             in the abstract interpreter.
2012     
2013             * bytecode/StructureSet.h:
2014             (JSC::StructureSet::onlyStructure):
2015     
2016     2014-06-18  Filip Pizlo  <fpizlo@apple.com>
2017     
2018             DFG AI and constant folder should be able to precisely prune MultiGetByOffset/MultiPutByOffset even if the base structure abstract value is not a singleton
2019             https://bugs.webkit.org/show_bug.cgi?id=133918
2020     
2021             Reviewed by Mark Hahnenberg.
2022             
2023             This also adds pruning of PutStructure, since I basically had no choice but
2024             to implement such logic within MultiPutByOffset.
2025             
2026             Also adds a bunch of PutById cache status dumping to bytecode dumping.
2027     
2028             * bytecode/GetByIdVariant.cpp:
2029             (JSC::GetByIdVariant::dumpInContext):
2030             * bytecode/GetByIdVariant.h:
2031             (JSC::GetByIdVariant::structureSet):
2032             * bytecode/PutByIdVariant.h:
2033             (JSC::PutByIdVariant::oldStructure):
2034             * bytecode/StructureSet.cpp:
2035             (JSC::StructureSet::filter):
2036             (JSC::StructureSet::filterArrayModes):
2037             * bytecode/StructureSet.h:
2038             * dfg/DFGAbstractInterpreterInlines.h:
2039             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2040             * dfg/DFGAbstractValue.cpp:
2041             (JSC::DFG::AbstractValue::changeStructure):
2042             (JSC::DFG::AbstractValue::contains):
2043             * dfg/DFGAbstractValue.h:
2044             (JSC::DFG::AbstractValue::couldBeType):
2045             (JSC::DFG::AbstractValue::isType):
2046             * dfg/DFGConstantFoldingPhase.cpp:
2047             (JSC::DFG::ConstantFoldingPhase::foldConstants):
2048             (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
2049             (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2050             (JSC::DFG::ConstantFoldingPhase::addBaseCheck):
2051             * dfg/DFGGraph.cpp:
2052             (JSC::DFG::Graph::freezeStrong):
2053             * dfg/DFGGraph.h:
2054             * dfg/DFGStructureAbstractValue.h:
2055             (JSC::DFG::StructureAbstractValue::operator=):
2056             * ftl/FTLLowerDFGToLLVM.cpp:
2057             (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
2058             * tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Added.
2059             (foo):
2060             (fu):
2061             (bar):
2062             (baz):
2063             (.bar):
2064             (.baz):
2065             * tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Added.
2066             (foo):
2067             (fu):
2068             (bar):
2069             (baz):
2070             (.bar):
2071             (.baz):
2072             * tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Added.
2073             (foo):
2074             (fu):
2075             (bar):
2076             (baz):
2077             (.bar):
2078             (.baz):
2079     
2080     2014-06-18  Mark Hahnenberg  <mhahnenberg@apple.com>
2081     
2082             Remove CompoundType and LeafType
2083             https://bugs.webkit.org/show_bug.cgi?id=134037
2084     
2085             Reviewed by Filip Pizlo.
2086     
2087             We don't use them for anything. We'll replace them with a generic CellType type for all 
2088             the objects that are JSCells, aren't JSObjects, and for which we generally don't care about 
2089             their JSType at runtime.
2090     
2091             * llint/LLIntData.cpp:
2092             (JSC::LLInt::Data::performAssertions):
2093             * runtime/ArrayBufferNeuteringWatchpoint.cpp:
2094             (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
2095             * runtime/Executable.h:
2096             (JSC::ExecutableBase::createStructure):
2097             (JSC::NativeExecutable::createStructure):
2098             * runtime/JSPromiseDeferred.h:
2099             (JSC::JSPromiseDeferred::createStructure):
2100             * runtime/JSPromiseReaction.h:
2101             (JSC::JSPromiseReaction::createStructure):
2102             * runtime/JSPropertyNameIterator.h:
2103             (JSC::JSPropertyNameIterator::createStructure):
2104             * runtime/JSType.h:
2105             * runtime/JSTypeInfo.h:
2106             (JSC::TypeInfo::TypeInfo):
2107             * runtime/MapData.h:
2108             (JSC::MapData::createStructure):
2109             * runtime/PropertyMapHashTable.h:
2110             (JSC::PropertyTable::createStructure):
2111             * runtime/RegExp.h:
2112             (JSC::RegExp::createStructure):
2113             * runtime/SparseArrayValueMap.cpp:
2114             (JSC::SparseArrayValueMap::createStructure):
2115             * runtime/Structure.cpp:
2116             (JSC::Structure::Structure):
2117             * runtime/StructureChain.h:
2118             (JSC::StructureChain::createStructure):
2119             * runtime/StructureRareData.cpp:
2120             (JSC::StructureRareData::createStructure):
2121             * runtime/SymbolTable.h:
2122             (JSC::SymbolTable::createStructure):
2123             * runtime/WeakMapData.h:
2124             (JSC::WeakMapData::createStructure):
2125     
2126     2014-06-17  Filip Pizlo  <fpizlo@apple.com>
2127     
2128             [ftlopt] PutStructure and PhantomPutStructure shouldn't leave the world in a clobbered state
2129             https://bugs.webkit.org/show_bug.cgi?id=134002
2130     
2131             Reviewed by Mark Hahnenberg.
2132             
2133             The effect of this bug was that if we had a PutStructure or PhantomPutStructure then any
2134             JSConstants would be in a Clobbered state, so we wouldn't take advantage of our knowledge
2135             of the structure if that structure was watchable.
2136             
2137             Also kill PhantomPutStructure.
2138     
2139             * dfg/DFGAbstractInterpreterInlines.h:
2140             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2141             (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
2142             (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
2143             * dfg/DFGClobberize.h:
2144             (JSC::DFG::clobberize):
2145             * dfg/DFGDoesGC.cpp:
2146             (JSC::DFG::doesGC):
2147             * dfg/DFGFixupPhase.cpp:
2148             (JSC::DFG::FixupPhase::fixupNode):
2149             * dfg/DFGGraph.cpp:
2150             (JSC::DFG::Graph::visitChildren):
2151             * dfg/DFGNode.h:
2152             (JSC::DFG::Node::hasTransition):
2153             * dfg/DFGNodeType.h:
2154             * dfg/DFGPredictionPropagationPhase.cpp:
2155             (JSC::DFG::PredictionPropagationPhase::propagate):
2156             * dfg/DFGSafeToExecute.h:
2157             (JSC::DFG::safeToExecute):
2158             * dfg/DFGSpeculativeJIT32_64.cpp:
2159             (JSC::DFG::SpeculativeJIT::compile):
2160             * dfg/DFGSpeculativeJIT64.cpp:
2161             (JSC::DFG::SpeculativeJIT::compile):
2162             * dfg/DFGStructureAbstractValue.cpp:
2163             (JSC::DFG::StructureAbstractValue::observeTransition):
2164             (JSC::DFG::StructureAbstractValue::observeTransitions):
2165             * dfg/DFGValidate.cpp:
2166             (JSC::DFG::Validate::validate):
2167             * dfg/DFGWatchableStructureWatchingPhase.cpp:
2168             (JSC::DFG::WatchableStructureWatchingPhase::run):
2169             * ftl/FTLCapabilities.cpp:
2170             (JSC::FTL::canCompile):
2171             * ftl/FTLLowerDFGToLLVM.cpp:
2172             (JSC::FTL::LowerDFGToLLVM::compileNode):
2173             (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure): Deleted.
2174     
2175     2014-06-17  Filip Pizlo  <fpizlo@apple.com>
2176     
2177             [ftlopt] DFG put_by_id should inline accesses with a slightly polymorphic base
2178             https://bugs.webkit.org/show_bug.cgi?id=133964
2179     
2180             Reviewed by Mark Hahnenberg.
2181     
2182             * bytecode/PutByIdStatus.cpp:
2183             (JSC::PutByIdStatus::appendVariant):
2184             (JSC::PutByIdStatus::computeForStubInfo):
2185             * bytecode/PutByIdVariant.cpp:
2186             (JSC::PutByIdVariant::oldStructureForTransition):
2187             (JSC::PutByIdVariant::writesStructures):
2188             (JSC::PutByIdVariant::reallocatesStorage):
2189             (JSC::PutByIdVariant::attemptToMerge):
2190             (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace):
2191             (JSC::PutByIdVariant::dumpInContext):
2192             * bytecode/PutByIdVariant.h:
2193             (JSC::PutByIdVariant::PutByIdVariant):
2194             (JSC::PutByIdVariant::replace):
2195             (JSC::PutByIdVariant::transition):
2196             (JSC::PutByIdVariant::structure):
2197             (JSC::PutByIdVariant::oldStructure):
2198             * dfg/DFGAbstractInterpreterInlines.h:
2199             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2200             * dfg/DFGByteCodeParser.cpp:
2201             (JSC::DFG::ByteCodeParser::handlePutById):
2202             (JSC::DFG::ByteCodeParser::parseBlock):
2203             * dfg/DFGConstantFoldingPhase.cpp:
2204             (JSC::DFG::ConstantFoldingPhase::foldConstants):
2205             (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2206             * dfg/DFGGraph.cpp:
2207             (JSC::DFG::Graph::visitChildren):
2208             * dfg/DFGNode.cpp:
2209             (JSC::DFG::MultiPutByOffsetData::writesStructures):
2210             (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
2211             * ftl/FTLAbbreviations.h:
2212             (JSC::FTL::getLinkage):
2213             * ftl/FTLLowerDFGToLLVM.cpp:
2214             (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
2215             (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
2216     
2217 2014-07-25  Filip Pizlo  <fpizlo@apple.com>
2218
2219         Add an option to disable native call inlining. Disable it for now to see how it
2220         affects the bots.
2221
2222         * dfg/DFGByteCodeParser.cpp:
2223         (JSC::DFG::ByteCodeParser::handleCall):
2224         * runtime/Options.h:
2225
2226 2014-07-25  Filip Pizlo  <fpizlo@apple.com>
2227
2228         Fix cloop.
2229
2230         * dfg/DFGMayExit.cpp:
2231
2232 2014-07-25  Filip Pizlo  <fpizlo@apple.com>
2233
2234         Merge r169795, r169819, r169864, r169902, r169949, r169950, r170016, r170017, r170060, r170064 from ftlopt.
2235
2236     2014-06-17  Filip Pizlo  <fpizlo@apple.com>
2237     
2238             [ftlopt] Fold constant Phis
2239             https://bugs.webkit.org/show_bug.cgi?id=133967
2240     
2241             Reviewed by Mark Hahnenberg.
2242             
2243             It's surprising but we didn't really do this before. Or, rather, we only did it
2244             incidentally when we would likely crash if it ever happened.
2245             
2246             Making this work required cleaning up the validator a bit, so I did that too. I also added
2247             mayExit() validation for nodes that didn't have origin.forExit (i.e. nodes that end up in
2248             the Phi header of basic blocks). But this required beefing up mayExit() a bit.
2249     
2250             * dfg/DFGAbstractInterpreterInlines.h:
2251             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2252             * dfg/DFGAdjacencyList.h:
2253             (JSC::DFG::AdjacencyList::isEmpty):
2254             * dfg/DFGConstantFoldingPhase.cpp:
2255             (JSC::DFG::ConstantFoldingPhase::run):
2256             (JSC::DFG::ConstantFoldingPhase::foldConstants):
2257             (JSC::DFG::ConstantFoldingPhase::fixUpsilons):
2258             * dfg/DFGInPlaceAbstractState.h:
2259             * dfg/DFGLICMPhase.cpp:
2260             (JSC::DFG::LICMPhase::run):
2261             (JSC::DFG::LICMPhase::attemptHoist):
2262             * dfg/DFGMayExit.cpp:
2263             (JSC::DFG::mayExit):
2264             * dfg/DFGValidate.cpp:
2265             (JSC::DFG::Validate::validate):
2266             (JSC::DFG::Validate::validateSSA):
2267     
2268     2014-06-17  Filip Pizlo  <fpizlo@apple.com>
2269     
2270             [ftlopt] Get rid of NodeDoesNotExit and also get rid of StoreEliminationPhase
2271             https://bugs.webkit.org/show_bug.cgi?id=133985
2272     
2273             Reviewed by Michael Saboff and Mark Hahnenberg.
2274             
2275             Store elimination phase has never been very profitable, and now that LLVM can do dead
2276             store elimination for us, this phase is just completely pointless.
2277             
2278             This phase is also the primary user of NodeDoesNotExit, which is a flag that the CFA
2279             computes. It computes it poorly and we often get bugs in it. It's also a lot of code to
2280             maintain.
2281             
2282             This patch does introduce a new mayExit() calculator that is independent of the CFA and
2283             should be enough for most of the previous NodeDoesNotExit users. Currently it's only used
2284             for assertions in the DFG backend, but we could use it if we ever brought back any of the
2285             other optimizations that previously relied upon NodeDoesNotExit.
2286             
2287             This is performance-neutral, except for SunSpider, where it's a speed-up.
2288     
2289             * CMakeLists.txt:
2290             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2291             * JavaScriptCore.xcodeproj/project.pbxproj:
2292             * dfg/DFGAbstractInterpreter.h:
2293             (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
2294             (JSC::DFG::AbstractInterpreter::filterByType):
2295             * dfg/DFGAbstractInterpreterInlines.h:
2296             (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
2297             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2298             * dfg/DFGCSEPhase.cpp:
2299             (JSC::DFG::CSEPhase::CSEPhase):
2300             (JSC::DFG::CSEPhase::invalidationPointElimination):
2301             (JSC::DFG::CSEPhase::setLocalStoreElimination):
2302             (JSC::DFG::CSEPhase::performNodeCSE):
2303             (JSC::DFG::CSEPhase::performBlockCSE):
2304             (JSC::DFG::performCSE):
2305             (JSC::DFG::CSEPhase::globalVarStoreElimination): Deleted.
2306             (JSC::DFG::CSEPhase::scopedVarStoreElimination): Deleted.
2307             (JSC::DFG::CSEPhase::putStructureStoreElimination): Deleted.
2308             (JSC::DFG::CSEPhase::putByOffsetStoreElimination): Deleted.
2309             (JSC::DFG::CSEPhase::SetLocalStoreEliminationResult::SetLocalStoreEliminationResult): Deleted.
2310             (JSC::DFG::performStoreElimination): Deleted.
2311             * dfg/DFGCSEPhase.h:
2312             * dfg/DFGFixupPhase.cpp:
2313             (JSC::DFG::FixupPhase::fixupNode):
2314             * dfg/DFGGraph.cpp:
2315             (JSC::DFG::Graph::resetExitStates): Deleted.
2316             * dfg/DFGGraph.h:
2317             * dfg/DFGMayExit.cpp: Added.
2318             (JSC::DFG::mayExit):
2319             * dfg/DFGMayExit.h: Added.
2320             * dfg/DFGNode.h:
2321             (JSC::DFG::Node::mergeFlags):
2322             (JSC::DFG::Node::filterFlags):
2323             (JSC::DFG::Node::setCanExit): Deleted.
2324             (JSC::DFG::Node::canExit): Deleted.
2325             * dfg/DFGNodeFlags.cpp:
2326             (JSC::DFG::dumpNodeFlags):
2327             * dfg/DFGNodeFlags.h:
2328             * dfg/DFGNodeType.h:
2329             * dfg/DFGPlan.cpp:
2330             (JSC::DFG::Plan::compileInThreadImpl):
2331             * dfg/DFGSpeculativeJIT.cpp:
2332             (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
2333             (JSC::DFG::SpeculativeJIT::bail):
2334             (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2335             * dfg/DFGSpeculativeJIT32_64.cpp:
2336             (JSC::DFG::SpeculativeJIT::compile):
2337             * dfg/DFGSpeculativeJIT64.cpp:
2338             (JSC::DFG::SpeculativeJIT::compile):
2339     
2340     2014-06-15  Filip Pizlo  <fpizlo@apple.com>
2341     
2342             [ftlopt] Remove the DFG optimization fixpoint and remove some obvious reasons why we previously benefited from it
2343             https://bugs.webkit.org/show_bug.cgi?id=133931
2344     
2345             Reviewed by Oliver Hunt.
2346     
2347             * dfg/DFGAbstractInterpreterInlines.h:
2348             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Trigger constant-folding for GetMyArgumentByVal (which means turning it into GetLocalUnlinked) and correct the handling of Upsilon so we don't fold them away.
2349             * dfg/DFGConstantFoldingPhase.cpp:
2350             (JSC::DFG::ConstantFoldingPhase::foldConstants): Implement constant-folding for GetMyArgumentByVal.
2351             * dfg/DFGPlan.cpp:
2352             (JSC::DFG::Plan::compileInThreadImpl): Remove the fixpoint.
2353     
2354     2014-06-15  Filip Pizlo  <fpizlo@apple.com>
2355     
2356             [ftlopt] DFG OSR entry should have a crystal-clear story for when it's safe to enter at a block with a set of values
2357             https://bugs.webkit.org/show_bug.cgi?id=133935
2358     
2359             Reviewed by Oliver Hunt.
2360     
2361             * bytecode/Operands.h:
2362             (JSC::Operands::Operands):
2363             (JSC::Operands::ensureLocals):
2364             * dfg/DFGAbstractValue.cpp:
2365             (JSC::DFG::AbstractValue::filter): Now we can compute intersections of abstract values!
2366             * dfg/DFGAbstractValue.h:
2367             (JSC::DFG::AbstractValue::makeFullTop): Completeness.
2368             (JSC::DFG::AbstractValue::bytecodeTop): Completeness.
2369             (JSC::DFG::AbstractValue::fullTop): Completeness. We end up using this one.
2370             * dfg/DFGBasicBlock.cpp:
2371             (JSC::DFG::BasicBlock::BasicBlock):
2372             (JSC::DFG::BasicBlock::ensureLocals):
2373             * dfg/DFGBasicBlock.h: Remember the intersection of all things ever proven.
2374             * dfg/DFGCFAPhase.cpp:
2375             (JSC::DFG::CFAPhase::run): Compute the intersection.
2376             * dfg/DFGConstantFoldingPhase.cpp:
2377             (JSC::DFG::ConstantFoldingPhase::foldConstants): No need for the weirdo merge check since this fixes the root of the problem.
2378             * dfg/DFGGraph.cpp:
2379             (JSC::DFG::Graph::dumpBlockHeader): Better dumping.
2380             (JSC::DFG::Graph::dump): Better dumping.
2381             * dfg/DFGJITCompiler.h:
2382             (JSC::DFG::JITCompiler::noticeOSREntry): Use the intersected abstract value.
2383             * dfg/DFGSpeculativeJIT.cpp:
2384             (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Assert if the intersected state indicates the block shouldn't execute.
2385     
2386     2014-06-12  Filip Pizlo  <fpizlo@apple.com>
2387     
2388             [ftlopt] A DFG inlined ById access variant should not speak of a chain, but only of what structures to test the base for, whether to use a constant as an alternate base for the actual access, and what structures to check on what additional cell constants
2389             https://bugs.webkit.org/show_bug.cgi?id=133821
2390     
2391             Reviewed by Mark Hahnenberg.
2392             
2393             This allows us to efficiently cache accesses that differ only in the prototypes on the path
2394             from the base to the prototype that has the field.
2395             
2396             It also simplifies a bunch of code - IntendedStructureChain is now just an intermediate
2397             data structure.
2398     
2399             * CMakeLists.txt:
2400             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2401             * JavaScriptCore.xcodeproj/project.pbxproj:
2402             * bytecode/ConstantStructureCheck.cpp: Added.
2403             (JSC::ConstantStructureCheck::dumpInContext):
2404             (JSC::ConstantStructureCheck::dump):
2405             (JSC::structureFor):
2406             (JSC::areCompatible):
2407             (JSC::mergeInto):
2408             * bytecode/ConstantStructureCheck.h: Added.
2409             (JSC::ConstantStructureCheck::ConstantStructureCheck):
2410             (JSC::ConstantStructureCheck::operator!):
2411             (JSC::ConstantStructureCheck::constant):
2412             (JSC::ConstantStructureCheck::structure):
2413             * bytecode/GetByIdStatus.cpp:
2414             (JSC::GetByIdStatus::computeForStubInfo):
2415             * bytecode/GetByIdVariant.cpp:
2416             (JSC::GetByIdVariant::GetByIdVariant):
2417             (JSC::GetByIdVariant::operator=):
2418             (JSC::GetByIdVariant::attemptToMerge):
2419             (JSC::GetByIdVariant::dumpInContext):
2420             * bytecode/GetByIdVariant.h:
2421             (JSC::GetByIdVariant::constantChecks):
2422             (JSC::GetByIdVariant::alternateBase):
2423             (JSC::GetByIdVariant::GetByIdVariant): Deleted.
2424             (JSC::GetByIdVariant::chain): Deleted.
2425             * bytecode/PutByIdVariant.cpp:
2426             (JSC::PutByIdVariant::dumpInContext):
2427             * bytecode/PutByIdVariant.h:
2428             (JSC::PutByIdVariant::transition):
2429             (JSC::PutByIdVariant::constantChecks):
2430             (JSC::PutByIdVariant::structureChain): Deleted.
2431             * dfg/DFGAbstractInterpreterInlines.h:
2432             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2433             * dfg/DFGByteCodeParser.cpp:
2434             (JSC::DFG::ByteCodeParser::emitChecks):
2435             (JSC::DFG::ByteCodeParser::handleGetById):
2436             (JSC::DFG::ByteCodeParser::handlePutById):
2437             (JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck): Deleted.
2438             (JSC::DFG::ByteCodeParser::structureChainIsStillValid): Deleted.
2439             (JSC::DFG::ByteCodeParser::emitPrototypeChecks): Deleted.
2440             * dfg/DFGConstantFoldingPhase.cpp:
2441             (JSC::DFG::ConstantFoldingPhase::foldConstants):
2442             (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
2443             (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2444             (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
2445             * dfg/DFGDesiredStructureChains.cpp: Removed.
2446             * dfg/DFGDesiredStructureChains.h: Removed.
2447             * dfg/DFGGraph.h:
2448             (JSC::DFG::Graph::watchpoints):
2449             (JSC::DFG::Graph::chains): Deleted.
2450             * dfg/DFGPlan.cpp:
2451             (JSC::DFG::Plan::isStillValid):
2452             (JSC::DFG::Plan::checkLivenessAndVisitChildren):
2453             (JSC::DFG::Plan::cancel):
2454             * dfg/DFGPlan.h:
2455             * ftl/FTLLowerDFGToLLVM.cpp:
2456             (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
2457             * runtime/IntendedStructureChain.cpp:
2458             (JSC::IntendedStructureChain::gatherChecks):
2459             * runtime/IntendedStructureChain.h:
2460             (JSC::IntendedStructureChain::at):
2461             (JSC::IntendedStructureChain::operator[]):
2462     
2463     2014-06-12  Filip Pizlo  <fpizlo@apple.com>
2464     
2465             [ftlopt] Constant folding and strength reduction should work in SSA
2466             https://bugs.webkit.org/show_bug.cgi?id=133839
2467     
2468             Reviewed by Oliver Hunt.
2469     
2470             * dfg/DFGAtTailAbstractState.cpp:
2471             (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
2472             (JSC::DFG::AtTailAbstractState::forNode):
2473             * dfg/DFGAtTailAbstractState.h:
2474             * dfg/DFGConstantFoldingPhase.cpp:
2475             (JSC::DFG::ConstantFoldingPhase::foldConstants):
2476             * dfg/DFGGraph.cpp:
2477             (JSC::DFG::Graph::convertToConstant):
2478             * dfg/DFGIntegerCheckCombiningPhase.cpp:
2479             (JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend): Fix an unrelated regression that this uncovered.
2480             * dfg/DFGLICMPhase.cpp:
2481             (JSC::DFG::LICMPhase::LICMPhase):
2482             * dfg/DFGPlan.cpp:
2483             (JSC::DFG::Plan::compileInThreadImpl):
2484     
2485     2014-06-11  Filip Pizlo  <fpizlo@apple.com>
2486     
2487             [ftlopt] DFG get_by_id should inline chain accesses with a slightly polymorphic base
2488             https://bugs.webkit.org/show_bug.cgi?id=133751
2489     
2490             Reviewed by Mark Hahnenberg.
2491     
2492             * bytecode/GetByIdStatus.cpp:
2493             (JSC::GetByIdStatus::appendVariant):
2494             (JSC::GetByIdStatus::computeForStubInfo):
2495             * bytecode/GetByIdVariant.cpp:
2496             (JSC::GetByIdVariant::attemptToMerge):
2497             * bytecode/GetByIdVariant.h:
2498             * bytecode/PutByIdStatus.cpp:
2499             (JSC::PutByIdStatus::computeFor):
2500             * dfg/DFGByteCodeParser.cpp:
2501             (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
2502             (JSC::DFG::ByteCodeParser::handleGetById):
2503             (JSC::DFG::ByteCodeParser::handlePutById):
2504             * runtime/IntendedStructureChain.cpp:
2505             (JSC::IntendedStructureChain::IntendedStructureChain):
2506             (JSC::IntendedStructureChain::isStillValid):
2507             (JSC::IntendedStructureChain::isNormalized):
2508             (JSC::IntendedStructureChain::terminalPrototype):
2509             (JSC::IntendedStructureChain::operator==):
2510             (JSC::IntendedStructureChain::visitChildren):
2511             (JSC::IntendedStructureChain::dumpInContext):
2512             (JSC::IntendedStructureChain::chain): Deleted.
2513             * runtime/IntendedStructureChain.h:
2514             (JSC::IntendedStructureChain::prototype):
2515             (JSC::IntendedStructureChain::operator!=):
2516             (JSC::IntendedStructureChain::head): Deleted.
2517     
2518     2014-06-11  Matthew Mirman  <mmirman@apple.com>
2519     
2520            Re-added native calling to the FTL and split the DFG nodes 
2521            Call and Construct into NativeCall and NativeConstruct 
2522            to better represent their semantics.
2523            https://bugs.webkit.org/show_bug.cgi?id=133660
2524     
2525            Reviewed by Filip Pizlo.
2526     
2527            * dfg/DFGAbstractInterpreterInlines.h:
2528            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): 
2529            Added NativeCall and NativeConstruct case
2530            * dfg/DFGByteCodeParser.cpp:
2531            (JSC::DFG::ByteCodeParser::addCall): added NativeCall case. 
2532            (JSC::DFG::ByteCodeParser::handleCall): 
2533            set to return NativeCall or NativeConstruct instead of Call or Construct
2534            in the presence of a native function.
2535            * dfg/DFGClobberize.h:
2536            (JSC::DFG::clobberize): added NativeCall and NativeConstruct case.
2537            * dfg/DFGDoesGC.cpp:
2538            (JSC::DFG::doesGC): added NativeCall and NativeConstruct case.
2539            * dfg/DFGFixupPhase.cpp:
2540            (JSC::DFG::FixupPhase::fixupNode): added NativeCall and NativeConstruct case.
2541            * dfg/DFGNode.h:
2542            (JSC::DFG::Node::hasHeapPrediction): added NativeCall and NativeConstruct case.
2543            (JSC::DFG::Node::canBeKnownFunction): changed to NativeCall and NativeConstruct.
2544            (JSC::DFG::Node::hasKnownFunction): changed to NativeCall and NativeConstruct.
2545            * dfg/DFGNodeType.h: added NativeCall and NativeConstruct.
2546            * dfg/DFGPredictionPropagationPhase.cpp:
2547            (JSC::DFG::PredictionPropagationPhase::propagate): added NativeCall and NativeConstruct case.
2548            * dfg/DFGSafeToExecute.h:
2549            (JSC::DFG::safeToExecute): added NativeCall and NativeConstruct case.
2550            * dfg/DFGSpeculativeJIT32_64.cpp:
2551            (JSC::DFG::SpeculativeJIT::emitCall): ditto
2552            (JSC::DFG::SpeculativeJIT::compile): ditto
2553            * dfg/DFGSpeculativeJIT64.cpp:
2554            (JSC::DFG::SpeculativeJIT::emitCall): ditto
2555            (JSC::DFG::SpeculativeJIT::compile): ditto
2556            * ftl/FTLCapabilities.cpp:
2557            (JSC::FTL::canCompile): ditto
2558            * ftl/FTLLowerDFGToLLVM.cpp:  
2559            (JSC::FTL::LowerDFGToLLVM::lower): ditto
2560            (JSC::FTL::LowerDFGToLLVM::compileNode): ditto.
2561            (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct): Added.
2562            (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct): removed NativeCall and NativeConstruct functionality.
2563            (JSC::FTL::LowerDFGToLLVM::didOverflowStack): added NativeCall and NativeConstruct case.
2564            * runtime/JSCJSValue.h: added JS_EXPORT_PRIVATE to toInteger as it is apparently needed.
2565            
2566     2014-06-11  Matthew Mirman  <mmirman@apple.com>
2567     
2568             Ensured Native Calls and Construct and associated checks 
2569             are only emitted during ftl mode.
2570             https://bugs.webkit.org/show_bug.cgi?id=133718
2571             
2572             Reviewed by Filip Pizlo.
2573             
2574             * dfg/DFGByteCodeParser.cpp:
2575             (JSC::DFG::ByteCodeParser::handleCall): Added check for ftl mode 
2576             before attaching the native function to Call or Construct.
2577             
2578     2014-06-10  Filip Pizlo  <fpizlo@apple.com>
2579     
2580             [ftlopt] DFG should use its own notion of JSValue, which we should call FrozenValue, that will carry around a copy of its structure
2581             https://bugs.webkit.org/show_bug.cgi?id=133426
2582     
2583             Reviewed by Geoffrey Garen.
2584             
2585             The impetus for this was to provide some sense and reason to race conditions arising from
2586             cell constants having their structure changed on the main thread - this is harmless because
2587             we defend against it, but when it goes wrong, it can be difficult to reproduce because it
2588             requires a race. Giving the DFG the ability to "freeze" a cell's structure fixes this.
2589             
2590             But this patch goes quite a bit further, and completely rationalizes how the DFG reasons
2591             about constants. It no longer relies on the CodeBlock constant pool at all, which allows
2592             for a more object-oriented approach: for example a Node that has a constant can tell you
2593             what constant it has without needing a CodeBlock.
2594     
2595             * CMakeLists.txt:
2596             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2597             * JavaScriptCore.xcodeproj/project.pbxproj:
2598             * bytecode/CallLinkStatus.cpp:
2599             (JSC::CallLinkStatus::computeExitSiteData):
2600             * bytecode/ExitKind.cpp:
2601             (JSC::exitKindToString):
2602             (JSC::exitKindIsCountable):
2603             * bytecode/ExitKind.h:
2604             (JSC::isWatchpoint): Deleted.
2605             * bytecode/GetByIdStatus.cpp:
2606             (JSC::GetByIdStatus::hasExitSite):
2607             * bytecode/PutByIdStatus.cpp:
2608             (JSC::PutByIdStatus::hasExitSite):
2609             * dfg/DFGAbstractInterpreter.h:
2610             (JSC::DFG::AbstractInterpreter::filterByValue):
2611             (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
2612             (JSC::DFG::AbstractInterpreter::setConstant):
2613             * dfg/DFGAbstractInterpreterInlines.h:
2614             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2615             (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterByValue):
2616             * dfg/DFGAbstractValue.cpp:
2617             (JSC::DFG::AbstractValue::setOSREntryValue):
2618             (JSC::DFG::AbstractValue::set):
2619             (JSC::DFG::AbstractValue::filterByValue):
2620             (JSC::DFG::AbstractValue::setMostSpecific): Deleted.
2621             * dfg/DFGAbstractValue.h:
2622             * dfg/DFGArgumentsSimplificationPhase.cpp:
2623             (JSC::DFG::ArgumentsSimplificationPhase::run):
2624             * dfg/DFGBackwardsPropagationPhase.cpp:
2625             (JSC::DFG::BackwardsPropagationPhase::isNotNegZero):
2626             (JSC::DFG::BackwardsPropagationPhase::isNotPosZero):
2627             (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoForConstant):
2628             (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
2629             * dfg/DFGByteCodeParser.cpp:
2630             (JSC::DFG::ByteCodeParser::ByteCodeParser):
2631             (JSC::DFG::ByteCodeParser::getDirect):
2632             (JSC::DFG::ByteCodeParser::get):
2633             (JSC::DFG::ByteCodeParser::getLocal):
2634             (JSC::DFG::ByteCodeParser::setLocal):
2635             (JSC::DFG::ByteCodeParser::setArgument):
2636             (JSC::DFG::ByteCodeParser::jsConstant):
2637             (JSC::DFG::ByteCodeParser::weakJSConstant):
2638             (JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck):
2639             (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
2640             (JSC::DFG::ByteCodeParser::handleCall):
2641             (JSC::DFG::ByteCodeParser::emitFunctionChecks):
2642             (JSC::DFG::ByteCodeParser::handleInlining):
2643             (JSC::DFG::ByteCodeParser::handleMinMax):
2644             (JSC::DFG::ByteCodeParser::handleIntrinsic):
2645             (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2646             (JSC::DFG::ByteCodeParser::handleGetById):
2647             (JSC::DFG::ByteCodeParser::prepareToParseBlock):
2648             (JSC::DFG::ByteCodeParser::parseBlock):
2649             (JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary):
2650             (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2651             (JSC::DFG::ByteCodeParser::parseCodeBlock):
2652             (JSC::DFG::ByteCodeParser::addConstant): Deleted.
2653             (JSC::DFG::ByteCodeParser::getJSConstantForValue): Deleted.
2654             (JSC::DFG::ByteCodeParser::getJSConstant): Deleted.
2655             (JSC::DFG::ByteCodeParser::isJSConstant): Deleted.
2656             (JSC::DFG::ByteCodeParser::isInt32Constant): Deleted.
2657             (JSC::DFG::ByteCodeParser::valueOfJSConstant): Deleted.
2658             (JSC::DFG::ByteCodeParser::valueOfInt32Constant): Deleted.
2659             (JSC::DFG::ByteCodeParser::constantUndefined): Deleted.
2660             (JSC::DFG::ByteCodeParser::constantNull): Deleted.
2661             (JSC::DFG::ByteCodeParser::one): Deleted.
2662             (JSC::DFG::ByteCodeParser::constantNaN): Deleted.
2663             (JSC::DFG::ByteCodeParser::cellConstant): Deleted.
2664             (JSC::DFG::ByteCodeParser::inferredConstant): Deleted.
2665             (JSC::DFG::ByteCodeParser::ConstantRecord::ConstantRecord): Deleted.
2666             * dfg/DFGCFGSimplificationPhase.cpp:
2667             (JSC::DFG::CFGSimplificationPhase::run):
2668             * dfg/DFGCSEPhase.cpp:
2669             (JSC::DFG::CSEPhase::constantCSE):
2670             (JSC::DFG::CSEPhase::checkFunctionElimination):
2671             (JSC::DFG::CSEPhase::performNodeCSE):
2672             (JSC::DFG::CSEPhase::weakConstantCSE): Deleted.
2673             * dfg/DFGClobberize.h:
2674             (JSC::DFG::clobberize):
2675             * dfg/DFGCommon.h:
2676             * dfg/DFGConstantFoldingPhase.cpp:
2677             (JSC::DFG::ConstantFoldingPhase::foldConstants):
2678             (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
2679             (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
2680             * dfg/DFGDoesGC.cpp:
2681             (JSC::DFG::doesGC):
2682             * dfg/DFGFixupPhase.cpp:
2683             (JSC::DFG::FixupPhase::fixupNode):
2684             (JSC::DFG::FixupPhase::fixupMakeRope):
2685             (JSC::DFG::FixupPhase::truncateConstantToInt32):
2686             (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
2687             (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2688             * dfg/DFGFrozenValue.cpp: Added.
2689             (JSC::DFG::FrozenValue::emptySingleton):
2690             (JSC::DFG::FrozenValue::dumpInContext):
2691             (JSC::DFG::FrozenValue::dump):
2692             * dfg/DFGFrozenValue.h: Added.
2693             (JSC::DFG::FrozenValue::FrozenValue):
2694             (JSC::DFG::FrozenValue::operator!):
2695             (JSC::DFG::FrozenValue::value):
2696             (JSC::DFG::FrozenValue::structure):
2697             (JSC::DFG::FrozenValue::strengthenTo):
2698             (JSC::DFG::FrozenValue::strength):
2699             (JSC::DFG::FrozenValue::freeze):
2700             * dfg/DFGGraph.cpp:
2701             (JSC::DFG::Graph::Graph):
2702             (JSC::DFG::Graph::dump):
2703             (JSC::DFG::Graph::tryGetActivation):
2704             (JSC::DFG::Graph::tryGetFoldableView):
2705             (JSC::DFG::Graph::registerFrozenValues):
2706             (JSC::DFG::Graph::visitChildren):
2707             (JSC::DFG::Graph::freezeFragile):
2708             (JSC::DFG::Graph::freeze):
2709             (JSC::DFG::Graph::freezeStrong):
2710             (JSC::DFG::Graph::convertToConstant):
2711             (JSC::DFG::Graph::convertToStrongConstant):
2712             (JSC::DFG::Graph::assertIsWatched):
2713             * dfg/DFGGraph.h:
2714             (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
2715             (JSC::DFG::Graph::convertToConstant): Deleted.
2716             (JSC::DFG::Graph::constantRegisterForConstant): Deleted.
2717             (JSC::DFG::Graph::getJSConstantSpeculation): Deleted.
2718             (JSC::DFG::Graph::isConstant): Deleted.
2719             (JSC::DFG::Graph::isJSConstant): Deleted.
2720             (JSC::DFG::Graph::isInt32Constant): Deleted.
2721             (JSC::DFG::Graph::isDoubleConstant): Deleted.
2722             (JSC::DFG::Graph::isNumberConstant): Deleted.
2723             (JSC::DFG::Graph::isBooleanConstant): Deleted.
2724             (JSC::DFG::Graph::isCellConstant): Deleted.
2725             (JSC::DFG::Graph::isFunctionConstant): Deleted.
2726             (JSC::DFG::Graph::isInternalFunctionConstant): Deleted.
2727             (JSC::DFG::Graph::valueOfJSConstant): Deleted.
2728             (JSC::DFG::Graph::valueOfInt32Constant): Deleted.
2729             (JSC::DFG::Graph::valueOfNumberConstant): Deleted.
2730             (JSC::DFG::Graph::valueOfBooleanConstant): Deleted.
2731             (JSC::DFG::Graph::valueOfFunctionConstant): Deleted.
2732             (JSC::DFG::Graph::mulImmediateShouldSpeculateInt32): Deleted.
2733             * dfg/DFGInPlaceAbstractState.cpp:
2734             (JSC::DFG::InPlaceAbstractState::initialize):
2735             * dfg/DFGInsertionSet.h:
2736             (JSC::DFG::InsertionSet::insertConstant):
2737             (JSC::DFG::InsertionSet::insertConstantForUse):
2738             * dfg/DFGIntegerCheckCombiningPhase.cpp:
2739             (JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend):
2740             * dfg/DFGJITCompiler.cpp:
2741             (JSC::DFG::JITCompiler::link):
2742             * dfg/DFGLazyJSValue.cpp:
2743             (JSC::DFG::LazyJSValue::getValue):
2744             (JSC::DFG::LazyJSValue::strictEqual):
2745             (JSC::DFG::LazyJSValue::dumpInContext):
2746             * dfg/DFGLazyJSValue.h:
2747             (JSC::DFG::LazyJSValue::LazyJSValue):
2748             (JSC::DFG::LazyJSValue::tryGetValue):
2749             (JSC::DFG::LazyJSValue::value):
2750             (JSC::DFG::LazyJSValue::switchLookupValue):
2751             * dfg/DFGMinifiedNode.cpp:
2752             (JSC::DFG::MinifiedNode::fromNode):
2753             * dfg/DFGMinifiedNode.h:
2754             (JSC::DFG::belongsInMinifiedGraph):
2755             (JSC::DFG::MinifiedNode::hasConstant):
2756             (JSC::DFG::MinifiedNode::constant):
2757             (JSC::DFG::MinifiedNode::hasConstantNumber): Deleted.
2758             (JSC::DFG::MinifiedNode::constantNumber): Deleted.
2759             (JSC::DFG::MinifiedNode::hasWeakConstant): Deleted.
2760             (JSC::DFG::MinifiedNode::weakConstant): Deleted.
2761             * dfg/DFGNode.h:
2762             (JSC::DFG::Node::hasConstant):
2763             (JSC::DFG::Node::constant):
2764             (JSC::DFG::Node::convertToConstant):
2765             (JSC::DFG::Node::asJSValue):
2766             (JSC::DFG::Node::isInt32Constant):
2767             (JSC::DFG::Node::asInt32):
2768             (JSC::DFG::Node::asUInt32):
2769             (JSC::DFG::Node::isDoubleConstant):
2770             (JSC::DFG::Node::isNumberConstant):
2771             (JSC::DFG::Node::asNumber):
2772             (JSC::DFG::Node::isMachineIntConstant):
2773             (JSC::DFG::Node::asMachineInt):
2774             (JSC::DFG::Node::isBooleanConstant):
2775             (JSC::DFG::Node::asBoolean):
2776             (JSC::DFG::Node::isCellConstant):
2777             (JSC::DFG::Node::asCell):
2778             (JSC::DFG::Node::dynamicCastConstant):
2779             (JSC::DFG::Node::function):
2780             (JSC::DFG::Node::isWeakConstant): Deleted.
2781             (JSC::DFG::Node::constantNumber): Deleted.
2782             (JSC::DFG::Node::convertToWeakConstant): Deleted.
2783             (JSC::DFG::Node::weakConstant): Deleted.
2784             (JSC::DFG::Node::valueOfJSConstant): Deleted.
2785             * dfg/DFGNodeType.h:
2786             * dfg/DFGOSRExitCompiler.cpp:
2787             * dfg/DFGPredictionPropagationPhase.cpp:
2788             (JSC::DFG::PredictionPropagationPhase::propagate):
2789             * dfg/DFGSafeToExecute.h:
2790             (JSC::DFG::safeToExecute):
2791             * dfg/DFGSpeculativeJIT.cpp:
2792             (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
2793             (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
2794             (JSC::DFG::SpeculativeJIT::silentFill):
2795             (JSC::DFG::SpeculativeJIT::compileIn):
2796             (JSC::DFG::SpeculativeJIT::compilePeepHoleBooleanBranch):
2797             (JSC::DFG::SpeculativeJIT::compilePeepHoleInt32Branch):
2798             (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2799             (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2800             (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
2801             (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
2802             (JSC::DFG::SpeculativeJIT::compileAdd):
2803             (JSC::DFG::SpeculativeJIT::compileArithSub):
2804             (JSC::DFG::SpeculativeJIT::compileArithMod):
2805             * dfg/DFGSpeculativeJIT.h:
2806             (JSC::DFG::SpeculativeJIT::valueOfJSConstantAsImm64):
2807             (JSC::DFG::SpeculativeJIT::initConstantInfo):
2808             (JSC::DFG::SpeculativeJIT::isConstant): Deleted.
2809             (JSC::DFG::SpeculativeJIT::isJSConstant): Deleted.
2810             (JSC::DFG::SpeculativeJIT::isInt32Constant): Deleted.
2811             (JSC::DFG::SpeculativeJIT::isDoubleConstant): Deleted.
2812             (JSC::DFG::SpeculativeJIT::isNumberConstant): Deleted.
2813             (JSC::DFG::SpeculativeJIT::isBooleanConstant): Deleted.
2814             (JSC::DFG::SpeculativeJIT::isFunctionConstant): Deleted.
2815             (JSC::DFG::SpeculativeJIT::valueOfInt32Constant): Deleted.
2816             (JSC::DFG::SpeculativeJIT::valueOfNumberConstant): Deleted.
2817             (JSC::DFG::SpeculativeJIT::addressOfDoubleConstant): Deleted.
2818             (JSC::DFG::SpeculativeJIT::valueOfJSConstant): Deleted.
2819             (JSC::DFG::SpeculativeJIT::valueOfBooleanConstant): Deleted.
2820             (JSC::DFG::SpeculativeJIT::valueOfFunctionConstant): Deleted.
2821             (JSC::DFG::SpeculativeJIT::isNullConstant): Deleted.
2822             (JSC::DFG::SpeculativeJIT::isInteger): Deleted.
2823             * dfg/DFGSpeculativeJIT32_64.cpp:
2824             (JSC::DFG::SpeculativeJIT::fillJSValue):
2825             (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2826             (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2827             (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2828             (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2829             (JSC::DFG::SpeculativeJIT::compile):
2830             * dfg/DFGSpeculativeJIT64.cpp:
2831             (JSC::DFG::SpeculativeJIT::fillJSValue):
2832             (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2833             (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
2834             (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2835             (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2836             (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2837             (JSC::DFG::SpeculativeJIT::compile):
2838             * dfg/DFGStrengthReductionPhase.cpp:
2839             (JSC::DFG::StrengthReductionPhase::handleNode):
2840             * dfg/DFGValidate.cpp:
2841             (JSC::DFG::Validate::validate):
2842             * dfg/DFGValueStrength.cpp: Added.
2843             (WTF::printInternal):
2844             * dfg/DFGValueStrength.h: Added.
2845             (JSC::DFG::merge):
2846             * dfg/DFGVariableEventStream.cpp:
2847             (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
2848             (JSC::DFG::VariableEventStream::reconstruct):
2849             * dfg/DFGVariableEventStream.h:
2850             * dfg/DFGWatchableStructureWatchingPhase.cpp:
2851             (JSC::DFG::WatchableStructureWatchingPhase::run):
2852             (JSC::DFG::WatchableStructureWatchingPhase::tryWatch):
2853             * dfg/DFGWatchpointCollectionPhase.cpp:
2854             (JSC::DFG::WatchpointCollectionPhase::handle):
2855             * ftl/FTLCapabilities.cpp:
2856             (JSC::FTL::canCompile):
2857             * ftl/FTLLink.cpp:
2858             (JSC::FTL::link):
2859             * ftl/FTLLowerDFGToLLVM.cpp:
2860             (JSC::FTL::LowerDFGToLLVM::compileNode):
2861             (JSC::FTL::LowerDFGToLLVM::compileDoubleConstant):
2862             (JSC::FTL::LowerDFGToLLVM::compileInt52Constant):
2863             (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
2864             (JSC::FTL::LowerDFGToLLVM::compileCheckFunction):
2865             (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
2866             (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
2867             (JSC::FTL::LowerDFGToLLVM::lowInt32):
2868             (JSC::FTL::LowerDFGToLLVM::lowCell):
2869             (JSC::FTL::LowerDFGToLLVM::lowBoolean):
2870             (JSC::FTL::LowerDFGToLLVM::lowJSValue):
2871             (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
2872             (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant): Deleted.
2873             * ftl/FTLOSRExitCompiler.cpp:
2874             (JSC::FTL::compileStub):
2875             * runtime/JSCJSValue.cpp:
2876             (JSC::JSValue::dumpInContext):
2877             (JSC::JSValue::dumpInContextAssumingStructure):
2878             * runtime/JSCJSValue.h:
2879     
2880 2014-07-24  Brent Fulgham  <bfulgham@apple.com>
2881
2882         [Win] Correct build order in JavaScriptCore.submit.sln
2883         https://bugs.webkit.org/show_bug.cgi?id=135282
2884         <rdar://problem/17805592>
2885
2886         Unreviewed build fix.
2887
2888         * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Correct build order
2889         such that LLIntDesiredOffset is built prior to the rest of JSC.
2890
2891 2014-07-24  Mark Lam  <mark.lam@apple.com>
2892
2893         JSWrapperMap's jsWrapperForObject() needs to keep weak prototype and constructors from being GCed.
2894         <https://webkit.org/b/135258>
2895
2896         Reviewed by Mark Hahnenberg.
2897
2898         Where needed, we cache the prototype object pointer in a stack local var.
2899         This allows it to be scanned by the GC, and hence be kept alive until
2900         we use it.  The constructor object will in turn be kept alive by the
2901         prototype object.
2902
2903         Also added some comments to warn against future code additions that could
2904         regress this issue.
2905
2906         * API/JSWrapperMap.mm:
2907         (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
2908         (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]):
2909         (-[JSObjCClassInfo wrapperForObject:]):
2910         (-[JSObjCClassInfo constructor]):
2911
2912 2014-07-24  Joseph Pecoraro  <pecoraro@apple.com>
2913
2914         JSLock release should only modify the AtomicStringTable if it modified in acquire
2915         https://bugs.webkit.org/show_bug.cgi?id=135143
2916
2917         Reviewed by Darin Adler.
2918
2919         * runtime/JSLock.cpp:
2920         (JSC::JSLock::JSLock):
2921         Initialize the member variable to nullptr.
2922
2923         (JSC::JSLock::willDestroyVM):
2924         Update style to use nullptr instead of 0.
2925
2926         (JSC::JSLock::willReleaseLock):
2927         We should only reset the thread data's atomic string table if
2928         didAcquireLock changed it. m_entryAtomicStringTable will have
2929         been set by didAcquireLock if it changed, or nullptr if it didn't.
2930         This way we are sure we are balanced, regardless of m_vm changes.
2931
2932 2014-07-24  Peyton Randolph  <prandolph@apple.com>
2933
2934         Rename feature flag for long-press gesture on Mac.
2935         https://bugs.webkit.org/show_bug.cgi?id=135259
2936
2937         Reviewed by Beth Dakin.
2938
2939         * Configurations/FeatureDefines.xcconfig:
2940         Rename LINK_LONG_PRESS to MAC_LONG_PRESS.
2941
2942 2014-07-24  Commit Queue  <commit-queue@webkit.org>
2943
2944         Unreviewed, rolling out r171527.
2945         https://bugs.webkit.org/show_bug.cgi?id=135265
2946
2947         Breaks JSC API tests (Requested by mlam on #webkit).
2948
2949         Reverted changeset:
2950
2951         "JSWrapperMap's jsWrapperForObject() needs to defer GC."
2952         https://bugs.webkit.org/show_bug.cgi?id=135258
2953         http://trac.webkit.org/changeset/171527
2954
2955 2014-07-24  Mark Hahnenberg  <mhahnenberg@apple.com>
2956
2957         Creating a JSGlobalObject with a custom JSClassRef results in a JSProxy with the wrong prototype
2958         https://bugs.webkit.org/show_bug.cgi?id=135250
2959
2960         Reviewed by Geoffrey Garen.
2961
2962         JSGlobalObject::resetPrototype (which is called from JSGlobalContextCreateInGroup) doesn't change its 
2963         JSProxy's prototype as well. This results in a JSProxy where no properties in the original prototype 
2964         chain (as created from the JSClassRef hierarchy) are accessible. Changing resetPrototype to also change
2965         the JSProxy's prototype fixes the issue.
2966
2967         * API/JSValueRef.cpp:
2968         (JSValueIsObjectOfClass): Also fixed a bug where a JSProxy for a JSGlobalObject with a custom JSClassRef
2969         would claim it wasn't of the specified class, even if the target was of the specified class.
2970         * API/tests/CustomGlobalObjectClassTest.c: Added.
2971         (jsDoSomething):
2972         (customGlobalObjectClassTest):
2973         * API/tests/CustomGlobalObjectClassTest.h: Added.
2974         * API/tests/testapi.c:
2975         (assertTrue):
2976         (main):
2977         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
2978         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:
2979         * JavaScriptCore.xcodeproj/project.pbxproj:
2980         * runtime/JSGlobalObject.cpp:
2981         (JSC::JSGlobalObject::resetPrototype):
2982
2983 2014-07-24  Brian J. Burg  <burg@cs.washington.edu>
2984
2985         Web Replay: don't encode/decode primitive types that lack explicit sizes
2986         https://bugs.webkit.org/show_bug.cgi?id=133430
2987
2988         Reviewed by Anders Carlsson.
2989
2990         Don't support encode/decode of unsigned long, since its size is compiler-dependent.
2991
2992         * replay/EncodedValue.cpp:
2993         (JSC::EncodedValue::convertTo<unsigned long>):
2994         (JSC::unsigned long>::encodeValue): Deleted.
2995         * replay/EncodedValue.h:
2996
2997 2014-07-24  Mark Lam  <mark.lam@apple.com>
2998
2999         JSWrapperMap's jsWrapperForObject() needs to defer GC.
3000         <https://webkit.org/b/135258>
3001
3002         Reviewed by Oliver Hunt.
3003
3004         In the process of creating a JS wrapper, jsWrapperForObject() will create
3005         the prototype and constructor of the corresponding ObjC class, as well as
3006         for classes in its inheritance chain.  These prototypes and constructors
3007         are stored in Weak references in the JSObjCClassInfo objects.  During all
3008         the allocation that is being done to create all the prototypes and
3009         constructors as well as the wrapper objects, a GC may occur thereby
3010         collecting one or more of these newly created prototype and constructor
3011         objects.
3012
3013         One example of where this problem can manifest is in wrapperForObject()
3014         which is called from jsWrapperForObject().  In wrapperForObject(), we do
3015         the following steps:
3016
3017         1. reallocateConstructorAndOrPrototype() which creates the prototype
3018            object and stores it in JSObjCClassInfo's m_prototype, which is a Weak
3019            ref.
3020         2. makeWrapper() to create the wrapper object, which may trigger a GC.
3021            GC will collect the prototype object and nullify the corresponding
3022            JSObjCClassInfo's m_prototype Weak ref.
3023         3. call JSObjectSetPrototype() to set the JSObjCClassInfo's m_prototype
3024            in the newly created wrapper.  This results in the wrapper getting a
3025            jsNull as a prototype instead of the expected prototype object.
3026
3027         To ensure that the prototype and constructor objects are retained until
3028         they can be referenced properly from the wrapper object,
3029         jsWrapperForObject() should defer GC until it's done with its work.
3030
3031         * API/JSWrapperMap.mm:
3032         (-[JSWrapperMap jsWrapperForObject:]):
3033
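The weak-reference race described in the two JSWrapperMap entries above (bug 135258: the r171527 defer-GC change, and the 2014-07-24 follow-up that caches the prototype in a scanned stack local), replayed on a toy heap. This is an added illustration, not code from JavaScriptCore: ToyHeap, WeakHandle, ClassInfo and the three wrapperForObject* functions are stand-ins for the real heap, Weak<T>, JSObjCClassInfo and -[JSObjCClassInfo wrapperForObject:]. The toy collects on every allocation unless GC is deferred, so the failure that in JSC only happens when an allocation triggers a collection is deterministic here.

```cpp
#include <algorithm>
#include <memory>
#include <set>
#include <string>
#include <vector>

// Added illustration, not JavaScriptCore code: a miniature mark-sweep heap
// with strong roots and weak handles.
struct Cell {
    std::string name;
    bool marked = false;
    Cell* prototype = nullptr; // a strong edge, like a wrapper's prototype slot
};

// Stand-in for JSC's Weak<T>: the collector clears it when the target dies.
struct WeakHandle {
    Cell* cell = nullptr;
};

class ToyHeap {
public:
    // Every allocation collects first unless GC is deferred; this models
    // "makeWrapper() ... may trigger a GC" from the entry above.
    Cell* allocate(const std::string& name) {
        if (m_deferDepth == 0)
            collect();
        m_cells.push_back(std::make_unique<Cell>());
        m_cells.back()->name = name;
        return m_cells.back().get();
    }
    void addRoot(Cell* c) { m_roots.insert(c); }        // a stack local the GC scans
    void removeRoot(Cell* c) { m_roots.erase(c); }
    void registerWeak(WeakHandle* w) { m_weaks.push_back(w); }
    void deferGC() { ++m_deferDepth; }
    void undeferGC() { --m_deferDepth; }

    void collect() {
        for (auto& c : m_cells)
            c->marked = false;
        std::vector<Cell*> work(m_roots.begin(), m_roots.end());
        while (!work.empty()) {
            Cell* c = work.back();
            work.pop_back();
            if (c->marked)
                continue;
            c->marked = true;
            if (c->prototype)
                work.push_back(c->prototype);
        }
        // Weak handles to unmarked cells are nulled before those cells are freed.
        for (WeakHandle* w : m_weaks) {
            if (w->cell && !w->cell->marked)
                w->cell = nullptr;
        }
        m_cells.erase(std::remove_if(m_cells.begin(), m_cells.end(),
            [](const std::unique_ptr<Cell>& c) { return !c->marked; }), m_cells.end());
    }

private:
    std::vector<std::unique_ptr<Cell>> m_cells;
    std::set<Cell*> m_roots;
    std::vector<WeakHandle*> m_weaks;
    int m_deferDepth = 0;
};

// Stand-in for JSObjCClassInfo: the prototype is held only weakly.
struct ClassInfo {
    WeakHandle prototype;
    explicit ClassInfo(ToyHeap& heap) { heap.registerWeak(&prototype); }
};

// The three steps from the entry, as they behaved before the fix.
Cell* wrapperForObjectBuggy(ToyHeap& heap, ClassInfo& info) {
    info.prototype.cell = heap.allocate("prototype"); // 1. only the weak slot refers to it
    Cell* wrapper = heap.allocate("wrapper");          // 2. GC runs: prototype unreachable, slot nulled
    wrapper->prototype = info.prototype.cell;          // 3. wrapper gets null instead of the prototype
    return wrapper;
}

// Fix as in r171527 (later rolled out): defer GC across the whole sequence.
Cell* wrapperForObjectDeferGC(ToyHeap& heap, ClassInfo& info) {
    heap.deferGC();
    info.prototype.cell = heap.allocate("prototype");
    Cell* wrapper = heap.allocate("wrapper");
    wrapper->prototype = info.prototype.cell;
    heap.undeferGC();
    return wrapper;
}

// Fix as in the 2014-07-24 follow-up: keep the prototype in a stack local
// that the collector scans, so it stays reachable until the wrapper holds it.
Cell* wrapperForObjectRootedLocal(ToyHeap& heap, ClassInfo& info) {
    Cell* prototype = heap.allocate("prototype");
    heap.addRoot(prototype);                           // the scanned stack local
    info.prototype.cell = prototype;
    Cell* wrapper = heap.allocate("wrapper");          // GC runs, but the root keeps prototype marked
    wrapper->prototype = prototype;
    heap.removeRoot(prototype);                        // from here the wrapper's strong edge keeps it alive
    return wrapper;
}
```

The three functions differ only in what keeps the prototype reachable across the allocation in step 2: nothing, a GC-deferral count, or a rooted local. Once the wrapper holds the prototype through a strong edge, a later collection with the wrapper rooted leaves the weak slot intact, which is the invariant the follow-up entry relies on.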
3034 2014-07-23  Brent Fulgham  <bfulgham@apple.com>
3035
3036         Build fix after r171482.
3037
3038         Rubberstamped by Joe Pecoraro.
3039
3040         * runtime/Identifier.h: Make header declarations match
3041         implementation file.
3042
3043 2014-07-23  Brent Fulgham  <bfulgham@apple.com>
3044
3045         [Win] Use NO_RETURN_DUE_TO_CRASH on Windows
3046         https://bugs.webkit.org/show_bug.cgi?id=135199
3047
3048         Reviewed by Mark Lam.
3049
3050         * jsc.cpp:
3051         (WTF::RuntimeArray::deleteProperty): Stop using ugly
3052         compiler work-around on Windows; use NO_RETURN_DUE_TO_CRASH
3053         codepath instead.
3054         * runtime/Identifier.h: Add NO_RETURN_DUE_TO_CRASH
3055         to header so function declaration matches implementation.
3056
3057 2014-07-23  Bem Jones-Bey  <bjonesbe@adobe.com>
3058
3059         Remove CSS_EXCLUSIONS compile flag and leftover code
3060         https://bugs.webkit.org/show_bug.cgi?id=135175
3061
3062         Reviewed by Zoltan Horvath.
3063
3064         At this point, the CSS_EXCLUSIONS flag guards nothing but some useless
3065         stubs. This removes the flag and the useless code.
3066
3067         * Configurations/FeatureDefines.xcconfig:
3068
3069 2014-07-23  Commit Queue  <commit-queue@webkit.org>
3070
3071         Unreviewed, rolling out r171367.
3072         https://bugs.webkit.org/show_bug.cgi?id=135192
3073
3074         broke three API tests (Requested by thorton on #webkit).
3075
3076         Reverted changeset:
3077
3078         "JSLock release should only modify the AtomicStringTable if it
3079         modified in acquire"
3080         https://bugs.webkit.org/show_bug.cgi?id=135143
3081         http://trac.webkit.org/changeset/171367
3082
3083 2014-07-22  László Langó  <llango.u-szeged@partner.samsung.com>
3084
3085         [EFL] Build fix after the [ftlopt] branch merge.
3086
3087         Reviewed by Csaba Osztrogonác.
3088
3089         * dfg/DFGBranchDirection.h:
3090         (JSC::DFG::branchDirectionToString):
3091         * dfg/DFGStructureClobberState.h:
3092         (JSC::DFG::merge):
3093
3094 2014-07-22  Brent Fulgham  <bfulgham@apple.com>
3095
3096         Build fix for non-clang compile.
3097
3098         * jsc.cpp:
3099         (WTF::RuntimeArray::put): Remove incorrect return statement
3100         I added.
3101
3102 2014-07-22  Brent Fulgham  <bfulgham@apple.com>
3103
3104         Build fix for non-clang compile.
3105
3106         * jsc.cpp:
3107         (WTF::RuntimeArray::deleteProperty): Need (fake) return
3108         value when NO_RETURN_DUE_TO_CRASH is not defined.
3109
3110 2014-07-22  Filip Pizlo  <fpizlo@apple.com>
3111
3112         Merge r169628 from ftlopt.
3113
3114     2014-06-04  Matthew Mirman  <mmirman@apple.com>
3115     
3116             Added system for inlining native functions via the FTL.
3117             https://bugs.webkit.org/show_bug.cgi?id=131515
3118     
3119             Reviewed by Filip Pizlo.
3120     
3121             Also fixed the build to not compress the bitcode and to
3122             include all of the relevant runtime. With GCC_GENERATE_DEBUGGING_SYMBOLS = NO,
3123             the produced bitcode files are a hundredth of the size they were before.
3124             Now we can include all of the relevant runtime files with only a 3 MB overhead.
3125             This is the same overhead as for two compressed files before,
3126             but done more efficiently (on both ends) and with less code.
3127
3128             Deciding whether to inline native functions is left up to LLVM.
3129             The entire module containing the function is linked into the current
3130             compiled JS so that inlining the native functions shouldn't make them smaller.
3131
3132             Rather than loading Runtime.symtbl at runtime, FTLState.cpp now generates a file,
3133             InlineRuntimeSymbolTable.h, which statically builds the symbol table hash table.
3134             
3135             * JavaScriptCore.xcodeproj/project.pbxproj: Added back runtime files to compile.
3136             * build-symbol-table-index.py: Changed bitcode suffix.
3137             Added inclusion of only tested symbols.
3138             Added output to InlineRuntimeSymbolTable.h.
3139             * build-symbol-table-index.sh: Changed bitcode suffix.
3140             * copy-llvm-ir-to-derived-sources.sh: Removed gzip compression.
3141             * tested-symbols.symlst: Added.
3142             * dfg/DFGByteCodeParser.cpp:
3143             (JSC::DFG::ByteCodeParser::handleCall):
3144             Now sets the knownFunction of the call node if such a function exists
3145             and emits a check that during runtime the callee is in fact known.
3146             * dfg/DFGNode.h:
3147             Added functions to set the known function of a call node.
3148             (JSC::DFG::Node::canBeKnownFunction): Added.
3149             (JSC::DFG::Node::hasKnownFunction): Added.
3150             (JSC::DFG::Node::knownFunction): Added.
3151             (JSC::DFG::Node::giveKnownFunction): Added.
3152             * ftl/FTLAbbreviatedTypes.h: Added a typedef for LLVMMemoryBufferRef
3153             * ftl/FTLAbbreviations.h: Added some abbreviations.
3154             * ftl/FTLLowerDFGToLLVM.cpp:
3155             (JSC::FTL::LowerDFGToLLVM::isInlinableSize): Added. Hardcoded threshold to 275.
3156             (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): Added.
3157             (JSC::FTL::LowerDFGToLLVM::getFunctionBySymbol): Added.
3158             (JSC::FTL::LowerDFGToLLVM::possiblyCompileInlineableNativeCall): Added.
3159             (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
3160             Added call to possiblyCompileInlineableNativeCall.
3161             * ftl/FTLOutput.h:
3162             (JSC::FTL::Output::allocaName):  Added. Useful for debugging.
3163             * ftl/FTLState.cpp:
3164             (JSC::FTL::State::State): Added an include for InlineRuntimeSymbolTable.h
3165             * ftl/FTLState.h: Added symbol table hash table.
3166             * ftl/FTLCompile.cpp:
3167             (JSC::FTL::compile): Added inlining and dead function elimination passes.
3168             * heap/HandleStack.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile.
3169             * llvm/InitializeLLVMMac.mm: Deleted.
3170             * llvm/InitializeLLVMMac.cpp: Added.
3171             * llvm/LLVMAPIFunctions.h: Added macros to include Bitcode parsing and linking functions.
3172             * llvm/LLVMHeaders.h: Added includes for Bitcode parsing and linking.
3173             * runtime/BundlePath.h: Added.
3174             * runtime/BundlePath.mm: Added.
3175             * runtime/DateInstance.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile.
3176             * runtime/DateInstance.h: ditto.
3177             * runtime/DateConversion.h: ditto.
3178             * runtime/ExceptionHelpers.h: ditto.
3179             * runtime/JSCJSValue.h: ditto.
3180             * runtime/JSArray.h: ditto.
3181             * runtime/JSDateMath.h: ditto.
3182             * runtime/JSObject.h: ditto.
3183             * runtime/JSObject.h: ditto.
3184             * runtime/RegExp.h: ditto.
3185             * runtime/Structure.h: ditto.
3186             * runtime/Options.h: Added maximumLLVMInstructionCountForNativeInlining.
3187     
3188 2014-07-22  Mark Lam  <mark.lam@apple.com>
3189
3190         Array.concat() should work on runtime arrays too.
3191         <https://webkit.org/b/135179>
3192
3193         Reviewed by Geoffrey Garen.
3194
3195         * jsc.cpp:
3196         (WTF::RuntimeArray::create):
3197         (WTF::RuntimeArray::~RuntimeArray):
3198         (WTF::RuntimeArray::destroy):
3199         (WTF::RuntimeArray::getOwnPropertySlot):
3200         (WTF::RuntimeArray::getOwnPropertySlotByIndex):
3201         (WTF::RuntimeArray::put):
3202         (WTF::RuntimeArray::deleteProperty):
3203         (WTF::RuntimeArray::getLength):
3204         (WTF::RuntimeArray::createPrototype):
3205         (WTF::RuntimeArray::createStructure):
3206         (WTF::RuntimeArray::finishCreation):
3207         (WTF::RuntimeArray::RuntimeArray):
3208         (WTF::RuntimeArray::lengthGetter):
3209         (GlobalObject::finishCreation):
3210         (functionCreateRuntimeArray):
3211         - Added support to create a runtime array for testing purpose.
3212         * runtime/ArrayPrototype.cpp:
3213         (JSC::getLength):
3214         - Added fast case for when the array object is a JSArray.
3215         (JSC::arrayProtoFuncJoin):
3216         - Added a needed but missing exception check.
3217         (JSC::arrayProtoFuncConcat):
3218         - Use getLength() to compute the array length instead of assuming that
3219           the array is a JSArray instance.
3220         * tests/stress/regexp-matches-array.js: Added.
3221         (testArrayConcat):
3222         * tests/stress/runtime-array.js: Added.
3223         (testArrayConcat):
3224
3225 2014-07-22  Brent Fulgham  <bfulgham@apple.com>
3226
3227         Fix Windows (return a value!)
3228
3229         * jsc.cpp:
3230         (functionQuit): Satisfy compiler's need for
3231         a return value.
3232
3233 2014-07-22  Brent Fulgham  <bfulgham@apple.com>
3234
3235         Fix Windows (sleep -> Sleep)
3236
3237         * jsc.cpp:
3238         (WTF::jscExit):
3239
3240 2014-07-22  Filip Pizlo  <fpizlo@apple.com>
3241
3242         Fix Windows.
3243
3244         * jsc.cpp:
3245         (WTF::jscExit):
3246
3247 2014-07-22  Filip Pizlo  <fpizlo@apple.com>
3248
3249         Fix 32-bit.
3250
3251         * dfg/DFGSpeculativeJIT32_64.cpp:
3252         (JSC::DFG::SpeculativeJIT::compile):
3253
3254 2014-07-22  Filip Pizlo  <fpizlo@apple.com>
3255
3256         Merge r169148, r169185, r169188, r169578, r169582, r169584, r169588, r169753 from ftlopt.
3257         
3258         Note that r169753 is merged out of order because it fixes a bug in r169588.
3259
3260     2014-06-10  Filip Pizlo  <fpizlo@apple.com>
3261     
3262             [ftlopt] Structure::dfgShouldWatchIfPossible() is unsound
3263             https://bugs.webkit.org/show_bug.cgi?id=133624
3264     
3265             Reviewed by Mark Hahnenberg.
3266     
3267             * runtime/Structure.h:
3268             (JSC::Structure::dfgShouldWatchIfPossible): Make it sound and add some verbiage.
3269     
3270     2014-06-04  Filip Pizlo  <fpizlo@apple.com>
3271     
3272             [ftlopt] AI should be able to track structure sets larger than 1
3273             https://bugs.webkit.org/show_bug.cgi?id=128073
3274     
3275             Reviewed by Oliver Hunt.
3276             
3277             This makes two major changes to how AI (abstract interpreter) proves that a value has
3278             some structure:
3279             
3280             - StructureAbstractValue can now track an arbitrary number of structures. A set whose
3281               size is greater than one means that the value may have any of the structures, and we
3282               don't know which - but we do know that it cannot be any structure not in the set. The
3283               structure abstract value can still be TOP, which means the set of all structures. We
3284               artificially limit the set size to StructureAbstractValue::polymorphismLimit to guard
3285               memory explosion on pathological programs. This limit is big enough that it wouldn't
3286               kick in for normal code, since we have other heuristics that limit the number of
3287               structures that we would allow an inline cache to know about.
3288             
3289             - We eagerly set watchpoints on all watchable structures and then we assume that
3290               watchable structures are being watched, and that the watchpoint will jettison the code.
3291               This allows tracking of watchable structures to be far simpler than before. Previously,
3292               a structure being tracked as "future possible" was predicated on it being watchable but
3293               we might not actually watch it. This makes algebra over sets of future possible
3294               structures quite weird. But watching all watchable structures means that we simply say
3295               that a structure set can be in the following states: unclobbered, which means it's just
3296               a set of structures and it doesn't matter what is watchable or what isn't because we've
3297               proven that the value must have one of these structures right now; and clobbered, which
3298               means that we have a set of structures, plus all possible structures temporarily, with
3299               invalidation removing the "plus all possible structures". Clobbering a set means that
3300               if any of its structures are unwatchable, the set just becomes TOP; but if all
3301               structures in the set are watchable then we just set the clobbered bit to add the "plus
3302               all possible structures temporarily" thing. This precisely tracks the exact meaning of
3303               watchability and invalidation points.
3304             
3305             Slight SunSpider slow-down, neutral on Octane, slight AsmBench speed-up. I believe that
3306             we will ultimately undo the SunSpider slow-down by making further improvements to the set
3307               representation. I believe that Octane performance will ultimately improve once we remove
3308             remaining singleton special-cases. The ultimate goal of this is to remove the need to
3309             try quite so desperately hard to make everything monomorphic as we do currently.
3310     
3311             * CMakeLists.txt:
3312             * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3313             * JavaScriptCore.xcodeproj/project.pbxproj:
3314             * bytecode/StructureSet.cpp:
3315             (JSC::StructureSet::clear):
3316             (JSC::StructureSet::remove):
3317             (JSC::StructureSet::filter):
3318             (JSC::StructureSet::copyFromOutOfLine):
3319             (JSC::StructureSet::StructureSet): Deleted.
3320             (JSC::StructureSet::operator=): Deleted.
3321             (JSC::StructureSet::copyFrom): Deleted.
3322             * bytecode/StructureSet.h:
3323             (JSC::StructureSet::StructureSet):
3324             (JSC::StructureSet::operator=):
3325             (JSC::StructureSet::isEmpty):
3326             (JSC::StructureSet::genericFilter):
3327             (JSC::StructureSet::ContainsOutOfLine::ContainsOutOfLine):
3328             (JSC::StructureSet::ContainsOutOfLine::operator()):
3329             (JSC::StructureSet::copyFrom):
3330             (JSC::StructureSet::deleteStructureListIfNecessary):
3331             (JSC::StructureSet::setEmpty):
3332             (JSC::StructureSet::getReservedFlag):
3333             (JSC::StructureSet::setReservedFlag):
3334             * dfg/DFGAbstractInterpreter.h:
3335             (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
3336             * dfg/DFGAbstractInterpreterInlines.h:
3337             (JSC::DFG::AbstractInterpreter<AbstractStateType>::booleanResult):
3338             (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
3339             (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3340             (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberCapturedVars):
3341             (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
3342             (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
3343             (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
3344             (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
3345             (JSC::DFG::AbstractInterpreter<AbstractStateType>::setDidClobber):
3346             (JSC::DFG::AbstractInterpreter<AbstractStateType>::dump):
3347             * dfg/DFGAbstractValue.cpp:
3348             (JSC::DFG::AbstractValue::observeTransitions):
3349             (JSC::DFG::AbstractValue::setMostSpecific):
3350             (JSC::DFG::AbstractValue::set):
3351             (JSC::DFG::AbstractValue::filter):
3352             (JSC::DFG::AbstractValue::shouldBeClear):
3353             (JSC::DFG::AbstractValue::normalizeClarity):
3354             (JSC::DFG::AbstractValue::checkConsistency):
3355             (JSC::DFG::AbstractValue::assertIsWatched):
3356             (JSC::DFG::AbstractValue::dumpInContext):
3357             (JSC::DFG::AbstractValue::setFuturePossibleStructure): Deleted.
3358             * dfg/DFGAbstractValue.h:
3359             (JSC::DFG::AbstractValue::clear):
3360             (JSC::DFG::AbstractValue::clobberStructures):
3361             (JSC::DFG::AbstractValue::clobberStructuresFor):
3362             (JSC::DFG::AbstractValue::observeInvalidationPoint):
3363             (JSC::DFG::AbstractValue::observeInvalidationPointFor):
3364             (JSC::DFG::AbstractValue::observeTransition):
3365             (JSC::DFG::AbstractValue::TransitionObserver::TransitionObserver):
3366             (JSC::DFG::AbstractValue::TransitionObserver::operator()):
3367             (JSC::DFG::AbstractValue::TransitionsObserver::TransitionsObserver):
3368             (JSC::DFG::AbstractValue::TransitionsObserver::operator()):
3369             (JSC::DFG::AbstractValue::isHeapTop):
3370             (JSC::DFG::AbstractValue::setType):
3371             (JSC::DFG::AbstractValue::operator==):
3372             (JSC::DFG::AbstractValue::merge):
3373             (JSC::DFG::AbstractValue::validate):
3374             (JSC::DFG::AbstractValue::hasClobberableState):
3375             (JSC::DFG::AbstractValue::assertIsWatched):
3376             (JSC::DFG::AbstractValue::observeIndexingTypeTransition):
3377             (JSC::DFG::AbstractValue::makeTop):
3378             (JSC::DFG::AbstractValue::bestProvenStructure): Deleted.
3379             * dfg/DFGAllocator.h:
3380             * dfg/DFGArgumentsSimplificationPhase.cpp:
3381             (JSC::DFG::ArgumentsSimplificationPhase::run):
3382             * dfg/DFGArrayMode.cpp:
3383             (JSC::DFG::ArrayMode::alreadyChecked):
3384             * dfg/DFGAtTailAbstractState.h:
3385             (JSC::DFG::AtTailAbstractState::structureClobberState):
3386             (JSC::DFG::AtTailAbstractState::setStructureClobberState):
3387             (JSC::DFG::AtTailAbstractState::setFoundConstants):
3388             (JSC::DFG::AtTailAbstractState::haveStructures): Deleted.
3389             (JSC::DFG::AtTailAbstractState::setHaveStructures): Deleted.
3390             * dfg/DFGBasicBlock.cpp:
3391             (JSC::DFG::BasicBlock::BasicBlock):
3392             * dfg/DFGBasicBlock.h:
3393             * dfg/DFGBranchDirection.h:
3394             (JSC::DFG::branchDirectionToString):
3395             (WTF::printInternal):
3396             * dfg/DFGByteCodeParser.cpp:
3397             (JSC::DFG::ByteCodeParser::handlePutById):
3398             * dfg/DFGCFAPhase.cpp:
3399             (JSC::DFG::CFAPhase::performBlockCFA):
3400             * dfg/DFGCSEPhase.cpp:
3401             (JSC::DFG::CSEPhase::checkStructureElimination):
3402             (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
3403             (JSC::DFG::CSEPhase::performNodeCSE):
3404             * dfg/DFGClobberize.h:
3405             (JSC::DFG::clobberize):
3406             * dfg/DFGCommon.cpp:
3407             (JSC::DFG::startCrashing):
3408             (JSC::DFG::isCrashing):
3409             * dfg/DFGCommon.h:
3410             * dfg/DFGCommonData.cpp:
3411             (JSC::DFG::CommonData::notifyCompilingStructureTransition):
3412             * dfg/DFGConstantFoldingPhase.cpp:
3413             (JSC::DFG::ConstantFoldingPhase::foldConstants):
3414             (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
3415             (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
3416             (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
3417             * dfg/DFGDesiredWatchpoints.cpp:
3418             (JSC::DFG::DesiredWatchpoints::consider):
3419             (JSC::DFG::DesiredWatchpoints::addLazily): Deleted.
3420             * dfg/DFGDesiredWatchpoints.h:
3421             (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
3422             (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
3423             (JSC::DFG::GenericDesiredWatchpoints::isWatched):
3424             (JSC::DFG::DesiredWatchpoints::isWatched):
3425             (JSC::DFG::WatchpointForGenericWatchpointSet::WatchpointForGenericWatchpointSet): Deleted.
3426             (JSC::DFG::GenericDesiredWatchpoints::addLazily): Deleted.
3427             (JSC::DFG::GenericDesiredWatchpoints::isStillValid): Deleted.
3428             (JSC::DFG::GenericDesiredWatchpoints::shouldAssumeMixedState): Deleted.
3429             (JSC::DFG::GenericDesiredWatchpoints::isValidOrMixed): Deleted.
3430             (JSC::DFG::DesiredWatchpoints::isStillValid): Deleted.
3431             (JSC::DFG::DesiredWatchpoints::shouldAssumeMixedState): Deleted.
3432             (JSC::DFG::DesiredWatchpoints::isValidOrMixed): Deleted.
3433             * dfg/DFGDoesGC.cpp:
3434             (JSC::DFG::doesGC):
3435             * dfg/DFGFixupPhase.cpp:
3436             (JSC::DFG::FixupPhase::fixupNode):
3437             (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
3438             (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
3439             * dfg/DFGGraph.cpp:
3440             (JSC::DFG::Graph::~Graph):
3441             (JSC::DFG::Graph::dump):
3442             (JSC::DFG::Graph::dumpBlockHeader):
3443             (JSC::DFG::Graph::tryGetFoldableView):
3444             (JSC::DFG::Graph::visitChildren):
3445             (JSC::DFG::Graph::assertIsWatched):
3446             (JSC::DFG::Graph::handleAssertionFailure):
3447             * dfg/DFGGraph.h:
3448             (JSC::DFG::Graph::convertToConstant):
3449             (JSC::DFG::Graph::masqueradesAsUndefinedWatchpointIsStillValid):
3450             (JSC::DFG::Graph::addStructureTransitionData): Deleted.
3451             * dfg/DFGInPlaceAbstractState.cpp:
3452             (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
3453             (JSC::DFG::InPlaceAbstractState::initialize):
3454             (JSC::DFG::InPlaceAbstractState::endBasicBlock):
3455             (JSC::DFG::InPlaceAbstractState::reset):
3456             (JSC::DFG::InPlaceAbstractState::merge):
3457             * dfg/DFGInPlaceAbstractState.h:
3458             (JSC::DFG::InPlaceAbstractState::structureClobberState):
3459             (JSC::DFG::InPlaceAbstractState::setStructureClobberState):
3460             (JSC::DFG::InPlaceAbstractState::setFoundConstants):
3461             (JSC::DFG::InPlaceAbstractState::haveStructures): Deleted.
3462             (JSC::DFG::InPlaceAbstractState::setHaveStructures): Deleted.
3463             * dfg/DFGLivenessAnalysisPhase.cpp:
3464             (JSC::DFG::LivenessAnalysisPhase::run):
3465             * dfg/DFGNode.h:
3466             (JSC::DFG::Node::hasTransition):
3467             (JSC::DFG::Node::transition):
3468             (JSC::DFG::Node::hasStructure):
3469             (JSC::DFG::StructureTransitionData::StructureTransitionData): Deleted.
3470             (JSC::DFG::Node::convertToStructureTransitionWatchpoint): Deleted.
3471             (JSC::DFG::Node::hasStructureTransitionData): Deleted.
3472             (JSC::DFG::Node::structureTransitionData): Deleted.
3473             * dfg/DFGNodeType.h:
3474             * dfg/DFGPlan.cpp:
3475             (JSC::DFG::Plan::compileInThreadImpl):
3476             * dfg/DFGPredictionPropagationPhase.cpp:
3477             (JSC::DFG::PredictionPropagationPhase::propagate):
3478             * dfg/DFGSafeToExecute.h:
3479             (JSC::DFG::safeToExecute):
3480             * dfg/DFGSpeculativeJIT.cpp:
3481             (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3482             (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3483             * dfg/DFGSpeculativeJIT.h:
3484             (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
3485             * dfg/DFGSpeculativeJIT32_64.cpp:
3486             (JSC::DFG::SpeculativeJIT::compile):
3487             * dfg/DFGSpeculativeJIT64.cpp:
3488             (JSC::DFG::SpeculativeJIT::compile):
3489             * dfg/DFGStructureAbstractValue.cpp: Added.
3490             (JSC::DFG::StructureAbstractValue::assertIsWatched):
3491             (JSC::DFG::StructureAbstractValue::clobber):
3492             (JSC::DFG::StructureAbstractValue::observeTransition):
3493             (JSC::DFG::StructureAbstractValue::observeTransitions):
3494             (JSC::DFG::StructureAbstractValue::add):
3495             (JSC::DFG::StructureAbstractValue::merge):
3496             (JSC::DFG::StructureAbstractValue::mergeSlow):
3497             (JSC::DFG::StructureAbstractValue::mergeNotTop):
3498             (JSC::DFG::StructureAbstractValue::filter):
3499             (JSC::DFG::StructureAbstractValue::filterSlow):
3500             (JSC::DFG::StructureAbstractValue::contains):
3501             (JSC::DFG::StructureAbstractValue::isSubsetOf):
3502             (JSC::DFG::StructureAbstractValue::isSupersetOf):
3503             (JSC::DFG::StructureAbstractValue::overlaps):
3504             (JSC::DFG::StructureAbstractValue::equalsSlow):
3505             (JSC::DFG::StructureAbstractValue::dumpInContext):
3506             (JSC::DFG::StructureAbstractValue::dump):
3507             * dfg/DFGStructureAbstractValue.h:
3508             (JSC::DFG::StructureAbstractValue::StructureAbstractValue):
3509             (JSC::DFG::StructureAbstractValue::operator=):
3510             (JSC::DFG::StructureAbstractValue::clear):
3511             (JSC::DFG::StructureAbstractValue::makeTop):
3512             (JSC::DFG::StructureAbstractValue::assertIsWatched):
3513             (JSC::DFG::StructureAbstractValue::observeInvalidationPoint):
3514             (JSC::DFG::StructureAbstractValue::top):
3515             (JSC::DFG::StructureAbstractValue::isClear):
3516             (JSC::DFG::StructureAbstractValue::isTop):
3517             (JSC::DFG::StructureAbstractValue::isNeitherClearNorTop):
3518             (JSC::DFG::StructureAbstractValue::isClobbered):
3519             (JSC::DFG::StructureAbstractValue::merge):
3520             (JSC::DFG::StructureAbstractValue::filter):
3521             (JSC::DFG::StructureAbstractValue::operator==):
3522             (JSC::DFG::StructureAbstractValue::size):
3523             (JSC::DFG::StructureAbstractValue::at):
3524             (JSC::DFG::StructureAbstractValue::operator[]):
3525             (JSC::DFG::StructureAbstractValue::onlyStructure):
3526             (JSC::DFG::StructureAbstractValue::isSupersetOf):
3527             (JSC::DFG::StructureAbstractValue::makeTopWhenThin):
3528             (JSC::DFG::StructureAbstractValue::setClobbered):
3529             (JSC::DFG::StructureAbstractValue::add): Deleted.
3530             (JSC::DFG::StructureAbstractValue::addAll): Deleted.
3531             (JSC::DFG::StructureAbstractValue::contains): Deleted.
3532             (JSC::DFG::StructureAbstractValue::isSubsetOf): Deleted.
3533             (JSC::DFG::StructureAbstractValue::doesNotContainAnyOtherThan): Deleted.
3534             (JSC::DFG::StructureAbstractValue::isClearOrTop): Deleted.
3535             (JSC::DFG::StructureAbstractValue::last): Deleted.
3536             (JSC::DFG::StructureAbstractValue::speculationFromStructures): Deleted.
3537             (JSC::DFG::StructureAbstractValue::isValidOffset): Deleted.
3538             (JSC::DFG::StructureAbstractValue::hasSingleton): Deleted.
3539             (JSC::DFG::StructureAbstractValue::singleton): Deleted.
3540             (JSC::DFG::StructureAbstractValue::dumpInContext): Deleted.
3541             (JSC::DFG::StructureAbstractValue::dump): Deleted.
3542             (JSC::DFG::StructureAbstractValue::topValue): Deleted.
3543             * dfg/DFGStructureClobberState.h: Added.
3544             (JSC::DFG::merge):
3545             (WTF::printInternal):
3546             * dfg/DFGTransition.cpp: Added.
3547             (JSC::DFG::Transition::dumpInContext):
3548             (JSC::DFG::Transition::dump):
3549             * dfg/DFGTransition.h: Added.
3550             (JSC::DFG::Transition::Transition):
3551             * dfg/DFGTypeCheckHoistingPhase.cpp:
3552             (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
3553             (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
3554             * dfg/DFGWatchableStructureWatchingPhase.cpp: Added.
3555             (JSC::DFG::WatchableStructureWatchingPhase::WatchableStructureWatchingPhase):
3556             (JSC::DFG::WatchableStructureWatchingPhase::run):
3557             (JSC::DFG::WatchableStructureWatchingPhase::tryWatch):
3558             (JSC::DFG::performWatchableStructureWatching):
3559             * dfg/DFGWatchableStructureWatchingPhase.h: Added.
3560             * dfg/DFGWatchpointCollectionPhase.cpp:
3561             (JSC::DFG::WatchpointCollectionPhase::handle):
3562             (JSC::DFG::WatchpointCollectionPhase::handleEdge): Deleted.
3563             * ftl/FTLCapabilities.cpp:
3564             (JSC::FTL::canCompile):
3565             * ftl/FTLIntrinsicRepository.h:
3566             * ftl/FTLLowerDFGToLLVM.cpp:
3567             (JSC::FTL::ftlUnreachable):
3568             (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
3569             (JSC::FTL::LowerDFGToLLVM::compileBlock):
3570             (JSC::FTL::LowerDFGToLLVM::compileNode):
3571             (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
3572             (JSC::FTL::LowerDFGToLLVM::compilePhi):
3573             (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
3574             (JSC::FTL::LowerDFGToLLVM::compileValueRep):
3575             (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
3576             (JSC::FTL::LowerDFGToLLVM::compileGetArgument):
3577             (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
3578             (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
3579             (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
3580             (JSC::FTL::LowerDFGToLLVM::compileArithMul):
3581             (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
3582             (JSC::FTL::LowerDFGToLLVM::compileArithMod):
3583             (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
3584             (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
3585             (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
3586             (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
3587             (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
3588             (JSC::FTL::LowerDFGToLLVM::compileGetById):
3589             (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
3590             (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
3591             (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
3592             (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
3593             (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
3594             (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
3595             (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
3596             (JSC::FTL::LowerDFGToLLVM::compileNewArray):
3597             (JSC::FTL::LowerDFGToLLVM::compileNewArrayBuffer):
3598             (JSC::FTL::LowerDFGToLLVM::compileAllocatePropertyStorage):
3599             (JSC::FTL::LowerDFGToLLVM::compileReallocatePropertyStorage):
3600             (JSC::FTL::LowerDFGToLLVM::compileToString):
3601             (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
3602             (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
3603             (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
3604             (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
3605             (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
3606             (JSC::FTL::LowerDFGToLLVM::compileSwitch):
3607             (JSC::FTL::LowerDFGToLLVM::compare):
3608             (JSC::FTL::LowerDFGToLLVM::boolify):
3609             (JSC::FTL::LowerDFGToLLVM::terminate):
3610             (JSC::FTL::LowerDFGToLLVM::lowInt32):
3611             (JSC::FTL::LowerDFGToLLVM::lowInt52):
3612             (JSC::FTL::LowerDFGToLLVM::opposite):
3613             (JSC::FTL::LowerDFGToLLVM::lowCell):
3614             (JSC::FTL::LowerDFGToLLVM::lowBoolean):
3615             (JSC::FTL::LowerDFGToLLVM::lowDouble):
3616             (JSC::FTL::LowerDFGToLLVM::lowJSValue):
3617             (JSC::FTL::LowerDFGToLLVM::speculate):
3618             (JSC::FTL::LowerDFGToLLVM::isArrayType):
3619             (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
3620             (JSC::FTL::LowerDFGToLLVM::callCheck):
3621             (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
3622             (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
3623             (JSC::FTL::LowerDFGToLLVM::setInt52):
3624             (JSC::FTL::LowerDFGToLLVM::crash):
3625             (JSC::FTL::LowerDFGToLLVM::compileStructureTransitionWatchpoint): Deleted.
3626             * ftl/FTLOutput.cpp:
3627             (JSC::FTL::Output::crashNonTerminal): Deleted.
3628             * ftl/FTLOutput.h:
3629             (JSC::FTL::Output::crash): Deleted.
3630             * jit/JITOperations.h:
3631             * jsc.cpp:
3632             (WTF::jscExit):
3633             (functionQuit):
3634             (main):
3635             (printUsageStatement):
3636             (CommandLine::parseArguments):
3637             * runtime/Structure.h:
3638             (JSC::Structure::dfgShouldWatchIfPossible):
3639             (JSC::Structure::dfgShouldWatch):
3640             * tests/stress/arrayify-to-structure-contradiction.js: Added.
3641             (foo):
3642             * tests/stress/ftl-getmyargumentslength-inline.js: Added.
3643             (foo):
3644             * tests/stress/multi-put-by-offset-multiple-transitions.js: Added.
3645             (foo):
3646             (Foo):
3647             * tests/stress/throw-from-ftl-in-loop.js: Added.
3648             * tests/stress/throw-from-ftl.js: Added.
3649             (foo):
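The states the 2014-06-04 entry above describes for StructureAbstractValue (a bounded set of structures, TOP, the clobbered bit that only watchable structures may carry, and the invalidation point that clears it) as a small stand-alone model. This is an added illustration, not JavaScriptCore's code: the `Structure` stand-in, the limit value 8, and the helpers `provesOneOf`, `mayHave` and `runScenario` are assumptions made for the example.

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

// Constructed stand-in for JSC::Structure: all the lattice needs to know is whether
// a transition watchpoint can be set on it (what Structure::dfgShouldWatch decides).
struct Structure {
    int id;
    bool watchable;
};

class StructureAbstractValue {
public:
    // Assumed value; JSC's limit is chosen so that normal code never reaches it.
    static constexpr size_t polymorphismLimit = 8;
    bool isTop() const { return m_top; }
    bool isClobbered() const { return m_clobbered; }
    size_t size() const { return m_set.size(); }
    void makeTop() { m_top = true; m_clobbered = false; m_set.clear(); }

    // Record that the value may have this structure. Returns true if anything changed.
    bool add(const Structure* s) {
        if (m_top || contains(s)) return false;
        // Bound the set on pathological code; a clobbered set only holds watched members.
        if (m_set.size() >= polymorphismLimit || (m_clobbered && !s->watchable)) {
            makeTop();
            return true;
        }
        m_set.push_back(s);
        return true;
    }

    // Unknown side effects ran: the value may have transitioned to any structure. An
    // unwatched member means we could never notice that, so give up (TOP). If every member
    // is watched a transition would jettison this code, so it is enough to add the
    // "plus all possible structures, temporarily" bit.
    void clobber() {
        if (m_top) return;
        for (const Structure* s : m_set)
            if (!s->watchable) { makeTop(); return; }
        m_clobbered = true;
    }

    // Reaching an invalidation point proves no watched structure transitioned since the
    // clobber (the code would have been jettisoned), so drop the temporary part.
    void observeInvalidationPoint() { m_clobbered = false; }

    // Lattice join where control flow merges.
    bool merge(const StructureAbstractValue& other) {
        if (m_top) return false;
        if (other.m_top) { makeTop(); return true; }
        bool changed = false;
        if (other.m_clobbered && !m_clobbered) {
            clobber(); // also re-checks that our own members are all watched
            changed = true;
        }
        for (const Structure* s : other.m_set)
            changed |= add(s);
        return changed;
    }

    // Can we prove, right now, that the value has one of these structures? Only an
    // unclobbered, non-TOP set proves anything (an empty set is bottom: vacuously true).
    bool provesOneOf(const std::vector<const Structure*>& candidates) const {
        if (m_top || m_clobbered) return false;
        for (const Structure* s : m_set)
            if (std::find(candidates.begin(), candidates.end(), s) == candidates.end())
                return false;
        return true;
    }

    // Might the value have this structure? TOP and clobbered sets must say "maybe".
    bool mayHave(const Structure* s) const { return m_top || m_clobbered || contains(s); }
private:
    bool contains(const Structure* s) const {
        return std::find(m_set.begin(), m_set.end(), s) != m_set.end();
    }
    std::vector<const Structure*> m_set;
    bool m_top = false;
    bool m_clobbered = false;
};

// Walks the states described in the entry; returns 0 if every check holds, else the
// number of the first check that failed.
int runScenario() {
    Structure a{1, true}, b{2, true}, c{3, false};
    StructureAbstractValue v;
    v.add(&a);
    v.add(&b);
    if (!v.provesOneOf({&a, &b}) || v.provesOneOf({&a})) return 1;
    v.clobber(); // every member watched: clobbered, not TOP
    if (!v.isClobbered() || v.isTop() || v.provesOneOf({&a, &b}) || !v.mayHave(&c)) return 2;
    v.observeInvalidationPoint(); // the watchpoints vouch for a and b again
    if (v.isClobbered() || !v.provesOneOf({&a, &b}) || v.mayHave(&c)) return 3;
    StructureAbstractValue w;
    w.add(&c);
    w.clobber(); // unwatched member: nothing can vouch for it, so TOP
    return w.isTop() ? 0 : 4;
}
```

The point the model makes explicit is the soundness rule: a clobbered set is only meaningful while every member is watched, which is why eagerly watching all watchable structures lets the clobbered state be represented as "set plus a bit" instead of falling to TOP.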
3650     
3651     2014-06-03  Filip Pizlo  <fpizlo@apple.com>
3652     
3653             [ftlopt] Unreviewed, roll out r169578. The build system needs some more love.
3654     
3655             * InlineRuntimeSymbolTable.h: Removed.
3656             * JavaScriptCore.xcodeproj/project.pbxproj:
3657             * build-symbol-table-index.py:
3658             * build-symbol-table-index.sh:
3659             * copy-llvm-ir-to-derived-sources.sh:
3660             * dfg/DFGByteCodeParser.cpp:
3661             (JSC::DFG::ByteCodeParser::handleCall):
3662             * dfg/DFGNode.h:
3663             (JSC::DFG::Node::canBeKnownFunction): Deleted.
3664             (JSC::DFG::Node::hasKnownFunction): Deleted.
3665             (JSC::DFG::Node::knownFunction): Deleted.
3666             (JSC::DFG::Node::giveKnownFunction): Deleted.
3667             * ftl/FTLAbbreviatedTypes.h:
3668             * ftl/FTLCompile.cpp:
3669             (JSC::FTL::compile):
3670             * ftl/FTLLowerDFGToLLVM.cpp:
3671             (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
3672             (JSC::FTL::LowerDFGToLLVM::lower):
3673             (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
3674             (JSC::FTL::LowerDFGToLLVM::possiblyCompileInlineableNativeCall): Deleted.
3675             (JSC::FTL::LowerDFGToLLVM::getFunctionBySymbol): Deleted.
3676             (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): Deleted.
3677             (JSC::FTL::LowerDFGToLLVM::isInlinableSize): Deleted.
3678             * ftl/FTLState.cpp:
3679             (JSC::FTL::State::State):
3680             * ftl/FTLState.h:
3681             * heap/HandleStack.h:
3682             * llvm/InitializeLLVM.h:
3683             * llvm/InitializeLLVMMac.cpp: Removed.
3684             * llvm/InitializeLLVMMac.mm: Added.
3685             (JSC::initializeLLVMImpl):
3686             * llvm/LLVMAPIFunctions.h:
3687             * llvm/LLVMHeaders.h:
3688             * runtime/BundlePath.h: Removed.
3689             * runtime/BundlePath.mm: Removed.
3690             * runtime/DateConversion.h:
3691             * runtime/DateInstance.h:
3692             * runtime/ExceptionHelpers.h:
3693             * runtime/JSArray.h:
3694             * runtime/JSCJSValue.h:
3695             (JSC::JSValue::toFloat):
3696             * runtime/JSDateMath.h:
3697             * runtime/JSObject.h:
3698             * runtime/JSWrapperObject.h:
3699             * runtime/Options.h:
3700             * runtime/RegExp.h:
3701             * runtime/StringObject.h:
3702             * runtime/Structure.h:
3703             * tested-symbols.symlst: Removed.
3704     
3705     2014-06-03  Filip Pizlo  <fpizlo@apple.com>
3706     
3707             [ftlopt] FTL native inlining tests take far too long
3708             https://bugs.webkit.org/show_bug.cgi?id=133498
3709     
3710             Unreviewed test gardening.
3711             
3712             Added a new exceptions test since the other one appears to not work.
3713     
3714             * tests/stress/ftl-library-exception.js:
3715             * tests/stress/ftl-library-inline-gettimezoneoffset.js: Added.
3716             (foo):
3717             * tests/stress/ftl-library-inlining-exceptions-dataview.js: Added.
3718             (foo):
3719             * tests/stress/ftl-library-inlining-exceptions.js: Copied from LayoutTests/js/regress/script-tests/