LinkBuffer should not keep a reference to the MacroAssembler
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-07-07  Benjamin Poulain  <benjamin@webkit.org>

        LinkBuffer should not keep a reference to the MacroAssembler
        https://bugs.webkit.org/show_bug.cgi?id=134668

        Reviewed by Geoffrey Garen.

        In FTL, the LinkBuffer can outlive the MacroAssembler that was used for code generation.
        When that happens, the pointer m_assembler points to released memory. That was not causing
        issues because the attribute is not used after linking, but that was not particularly
        future proof.

        This patch refactors LinkBuffer to avoid any lifetime risk. The MacroAssembler is now passed
        as a reference, it is used for linking but no reference is ever stored with the LinkBuffer.

        While fixing the call sites to use a reference, I also discovered LinkBuffer.h was included
        everywhere. I refactored some #include to avoid that.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        (JSC::LinkBuffer::linkCode):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        * bytecode/Watchpoint.cpp:
        * dfg/DFGDisassembler.cpp:
        * dfg/DFGDisassembler.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::linkFunction):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGPlan.cpp:
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):
        (JSC::DFG::osrEntryThunkGenerator):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::generateICFastPath):
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLJSCall.cpp:
        * ftl/FTLJSCall.h:
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToLLVM.cpp:
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::osrExitGenerationThunkGenerator):
        (JSC::FTL::slowPathCallThunkGenerator):
        * jit/ArityCheckFailReturnThunks.cpp:
        (JSC::ArityCheckFailReturnThunks::returnPCsFor):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITCall.cpp:
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITDisassembler.cpp:
        * jit/JITDisassembler.h:
        * jit/JITOpcodes.cpp:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::privateCompilePutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        * jit/RegisterPreservationWrapperGenerator.cpp:
        (JSC::generateRegisterPreservationWrapper):
        (JSC::registerRestorationThunkGenerator):
        * jit/Repatch.cpp:
        (JSC::generateByIdStub):
        (JSC::tryCacheGetByID):
        (JSC::emitPutReplaceStub):
        (JSC::emitPutTransitionStub):
        (JSC::tryRepatchIn):
        (JSC::linkClosureCall):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::finalize):
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::linkForThunkGenerator):
        (JSC::linkClosureCallForThunkGenerator):
        (JSC::virtualForThunkGenerator):
        (JSC::nativeForGenerator):
        (JSC::arityFixup):
        * llint/LLIntThunks.cpp:
        (JSC::LLInt::generateThunkWithJumpTo):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::compile):

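The refactoring the LinkBuffer entry above describes, shown as an added example rather than JavaScriptCore code. ToyAssembler and ToyLinkBuffer stand in for MacroAssembler and LinkBuffer; the relocation scheme, the 4-byte placeholder and the sample opcode bytes are invented for the illustration. The point is the one the entry makes: take the assembler by reference, copy what linking needs while the assembler is alive, and store no pointer to it, so a LinkBuffer that outlives the assembler never reads released memory.

```cpp
// Added example, not JavaScriptCore code. ToyAssembler stands in for
// MacroAssembler and ToyLinkBuffer for LinkBuffer; the byte values and the
// 4-byte placeholder relocation are inventions for the demo.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

// Emits bytes and records the offsets of 4-byte placeholders that must be
// patched with a final address at link time.
struct ToyAssembler {
    std::vector<uint8_t> code;
    std::vector<size_t> relocations;

    void emitOpcode(uint8_t op) { code.push_back(op); }

    void emitAddressPlaceholder() {
        relocations.push_back(code.size());
        code.insert(code.end(), 4, static_cast<uint8_t>(0));
    }
};

// The risky shape the entry describes is a link buffer that keeps a pointer:
//
//     class RiskyLinkBuffer { ToyAssembler* m_assembler; /* ... */ };
//
// Once the assembler is destroyed that member dangles, and any later read
// through it is a use-after-free. It stays a comment because running it is
// undefined behaviour.
//
// The shape after the fix: accept the assembler by reference, copy the code
// and relocation list out of it in the constructor, keep no reference.
class ToyLinkBuffer {
public:
    explicit ToyLinkBuffer(ToyAssembler& assembler)
        : m_code(assembler.code)
        , m_relocations(assembler.relocations)
    {
        // Nothing about `assembler` is retained past this point.
    }

    // Patches every placeholder with `target` in little-endian byte order and
    // returns the finished code. Does not need the assembler any more.
    std::vector<uint8_t> finalizeCode(uint32_t target) {
        for (size_t offset : m_relocations) {
            assert(offset + 4 <= m_code.size());
            for (size_t i = 0; i < 4; ++i)
                m_code[offset + i] = static_cast<uint8_t>(target >> (8 * i));
        }
        return m_code;
    }

private:
    std::vector<uint8_t> m_code;
    std::vector<size_t> m_relocations;
};

// Mirrors the FTL situation: the assembler goes out of scope before the
// link buffer is asked to finalize. Returns the linked bytes.
std::vector<uint8_t> linkAfterAssemblerIsGone(uint32_t target) {
    std::unique_ptr<ToyLinkBuffer> linkBuffer;
    {
        ToyAssembler assembler;            // lives only inside this block
        assembler.emitOpcode(0xE8);        // pretend: "call <placeholder>"
        assembler.emitAddressPlaceholder();
        assembler.emitOpcode(0xC3);        // pretend: "ret"
        linkBuffer.reset(new ToyLinkBuffer(assembler));
    }                                      // assembler destroyed here
    return linkBuffer->finalizeCode(target);
}

int main() {
    std::vector<uint8_t> out = linkAfterAssemblerIsGone(0x11223344u);
    assert(out.size() == 6);
    assert(out[0] == 0xE8 && out[5] == 0xC3);
    // Placeholder patched little-endian: 44 33 22 11.
    assert(out[1] == 0x44 && out[2] == 0x33 && out[3] == 0x22 && out[4] == 0x11);
    return 0;
}
```

Any C++11 compiler builds this; the asserts pass because the buffer copied everything linking needs before the assembler died. For the old pointer-holding shape, a sanitizer build is the practical check: it flags the first read through the dangling member, which the entry notes was silent only because nothing happened to read it after linking.
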
2014-07-07  Andreas Kling  <akling@apple.com>

        Fast path for jsStringWithCache() when asked for the same string repeatedly.
        <https://webkit.org/b/134635>

        Reviewed by Darin Adler.

        Follow-up to r170818 addressing a review comment by Geoff Garen.

        * runtime/JSString.cpp:
        (JSC::jsStringWithCacheSlowCase):

2014-07-07  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>

        Add missing ENABLE(FTL_JIT) guards
        https://bugs.webkit.org/show_bug.cgi?id=134680

        Reviewed by Darin Adler.

        * ftl/FTLDWARFDebugLineInfo.cpp:
        * ftl/FTLDWARFDebugLineInfo.h:
        * ftl/FTLGeneratedFunction.h:

2014-07-07  Zan Dobersek  <zdobersek@igalia.com>

        Enable ARMv7 disassembler for the GTK port
        https://bugs.webkit.org/show_bug.cgi?id=134676

        Reviewed by Benjamin Poulain.

        * CMakeLists.txt: Add ARMv7DOpcode.cpp file to the build.
        * disassembler/ARMv7/ARMv7DOpcode.cpp: Include the string.h header for strlen().

2014-07-06  Benjamin Poulain  <benjamin@webkit.org>

        [ARMv7] Use 16-bit instructions for push/pop when possible
        https://bugs.webkit.org/show_bug.cgi?id=134656

        Reviewed by Andreas Kling.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::pop):
        (JSC::ARMv7Assembler::push):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp7Imm9):
        Add the 16-bit version of push and pop.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::pop):
        (JSC::MacroAssemblerARMv7::push):
        Use the new push/pop instead of a regular load/store.

        * disassembler/ARMv7/ARMv7DOpcode.cpp:
        (JSC::ARMv7Disassembler::ARMv7DOpcode::appendRegisterList):
        * disassembler/ARMv7/ARMv7DOpcode.h:
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscPushPop::registerMask):
        Fix the disassembler for push/pop:
        -The register mask was on 7 bits for some reason.
        -The code printing the registers was comparing a register ID with a register
         mask.

2014-07-06  Yoav Weiss  <yoav@yoav.ws>

        Turn on img@sizes compile flag
        https://bugs.webkit.org/show_bug.cgi?id=134634

        Reviewed by Benjamin Poulain.

        * Configurations/FeatureDefines.xcconfig: Moved compile flag to alphabetical order.

2014-07-06  Daewoong Jang  <daewoong.jang@navercorp.com>

        Flags value of SourceCodeKey should be unique for each case.
        https://bugs.webkit.org/show_bug.cgi?id=134435

        Reviewed by Darin Adler.

        Different combinations of CodeType and JSParserStrictness could generate the same m_flags value because
        the value of CodeType and the value of JSParserStrictness share a bit inside the m_flags member variable.
        Shift the value of CodeType one bit farther to the left so those values don't overlap.

        * runtime/CodeCache.h:
        (JSC::SourceCodeKey::SourceCodeKey):

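The bit overlap the SourceCodeKey entry above describes, reproduced as an added example that is not JavaScriptCore code. The three CodeType and three strictness enumerators, the packing helper and the shift constants are assumptions made for the illustration; only the shape of the bug comes from the entry: CodeType is shifted over a strictness field that needs more bits than the shift leaves room for, so distinct inputs pack to the same key.

```cpp
// Added example, not JavaScriptCore code. The enumerators below and the
// packing helper are assumptions for the illustration; what comes from the
// ChangeLog entry is the shape of the bug: CodeType shifted over a
// JSParserStrictness field that needs more bits than the shift leaves for it.
#include <cassert>
#include <initializer_list>
#include <set>

// Assumed: three code types and three strictness modes, so each needs 2 bits.
enum CodeType { GlobalCode = 0, EvalCode = 1, FunctionCode = 2 };
enum Strictness { NotStrict = 0, Strict = 1, Builtin = 2 };

// Number of bits needed to hold every value in 0..maxValue.
constexpr unsigned bitsFor(unsigned maxValue) {
    return maxValue == 0 ? 0 : 1 + bitsFor(maxValue >> 1);
}

// A SourceCodeKey-style flags word: CodeType shifted left over Strictness.
constexpr unsigned packFlags(CodeType codeType, Strictness strictness, unsigned codeTypeShift) {
    return (static_cast<unsigned>(codeType) << codeTypeShift) | static_cast<unsigned>(strictness);
}

// A shift of 1 is the overlapping layout (bit 1 is used by both fields);
// shifting by the full width of the low field is the fix the entry describes.
constexpr unsigned kOverlappingShift = 1;
constexpr unsigned kFixedShift = bitsFor(Builtin);   // 2
// The check worth keeping next to the key type so a new enumerator cannot
// silently reintroduce the overlap.
static_assert(kFixedShift >= bitsFor(Builtin), "CodeType bits must not overlap Strictness bits");

// Counts how many distinct flag words the 3 x 3 combinations produce.
// A unique key needs all 9; the overlapping layout yields only 7.
unsigned distinctFlagWords(unsigned codeTypeShift) {
    std::set<unsigned> seen;
    for (CodeType c : { GlobalCode, EvalCode, FunctionCode })
        for (Strictness s : { NotStrict, Strict, Builtin })
            seen.insert(packFlags(c, s, codeTypeShift));
    return static_cast<unsigned>(seen.size());
}

// One concrete collision under the overlapping layout: eval/non-strict and
// global/builtin both pack to 0b10.
bool collides(unsigned codeTypeShift) {
    return packFlags(EvalCode, NotStrict, codeTypeShift)
        == packFlags(GlobalCode, Builtin, codeTypeShift);
}

int main() {
    assert(distinctFlagWords(kOverlappingShift) == 7 && collides(kOverlappingShift));
    assert(distinctFlagWords(kFixedShift) == 9 && !collides(kFixedShift));
    return 0;
}
```

Why uniqueness matters here: SourceCodeKey is a cache key, so two combinations that pack to the same word are indistinguishable to the code cache, and a lookup made for one of them can be satisfied by what was stored for the other. Deriving the shift from the width of the low field, as the constants above do, is what keeps the layout correct when an enum grows.
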
2014-07-04  Andreas Kling  <akling@apple.com>

        Fast path for jsStringWithCache() when asked for the same string repeatedly.
        <https://webkit.org/b/134635>

        Also moved the whole thing from WebCore to JavaScriptCore since it
        makes more sense here, and inlined the lightweight checks, leaving only
        the hashmap stuff out of line.

        Reviewed by Darin Adler.

        * runtime/JSString.cpp:
        (JSC::jsStringWithCacheSlowCase):
        * runtime/JSString.h:
        (JSC::jsStringWithCache):
        * runtime/VM.h:

2014-07-03  Daniel Bates  <dabates@apple.com>

        Add WTF::move()
        https://bugs.webkit.org/show_bug.cgi?id=134500

        Rubber-stamped by Anders Carlsson.

        Substitute WTF::move() for std::move().

        * bytecode/CodeBlock.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        * bytecompiler/BytecodeGenerator.cpp:
        * dfg/DFGGraph.cpp:
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGStackLayoutPhase.cpp:
        * dfg/DFGWorklist.cpp:
        * heap/DelayedReleaseScope.h:
        * heap/HeapInlines.h:
        [...]

2014-07-03  Filip Pizlo  <fpizlo@apple.com>

        SSA DCE should process blocks in forward order
        https://bugs.webkit.org/show_bug.cgi?id=134611

        Reviewed by Andreas Kling.

        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::run):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
        * tests/stress/dead-value-with-mov-hint-in-another-block.js: Added.
        (foo):

2014-07-03  Filip Pizlo  <fpizlo@apple.com>

        JSActivation::symbolTablePut() should invalidate variable watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=134602

        Reviewed by Oliver Hunt.

        Usually stores to captured variables cause us to invalidate the variable watchpoint because CodeBlock does so
        during linking - we essentially assume that if it's at all possible for an inner function to store to a
        variable we declare then this variable cannot be a constant. But this misses the dynamic store case, i.e.
        JSActivation::symbolTablePut(). Part of the problem here is that JSActivation duplicates
        JSSymbolTableObject's symbolTablePut() logic, which did have the invalidation. This patch keeps that code
        duplicated, but fixes JSActivation::symbolTablePut() to do the right thing.

        * runtime/JSActivation.cpp:
        (JSC::JSActivation::symbolTablePut):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTablePut):
        * tests/stress/constant-closure-var-with-dynamic-invalidation.js: Added.
        (.):

2014-07-01  Mark Lam  <mark.lam@apple.com>

        Debugger's breakpoint list should not be a Vector.
        <https://webkit.org/b/134514>

        Reviewed by Geoffrey Garen.

        The debugger currently stores breakpoint data as entries in a Vector (see
        BreakpointsInLine).  It also keeps a fast map lookup of breakpoint IDs to
        the breakpoint data (see m_breakpointIDToBreakpoint).  Because a Vector can
        compact or reallocate its backing store, this can cause all sorts of havoc.
        The m_breakpointIDToBreakpoint map assumes that the breakpoint data doesn't
        move in memory.

        The fix is to replace the BreakpointsInLine Vector with a BreakpointsList
        doubly linked list.

        * debugger/Breakpoint.h:
        (JSC::Breakpoint::Breakpoint):
        (JSC::BreakpointsList::~BreakpointsList):
        * debugger/Debugger.cpp:
        (JSC::Debugger::setBreakpoint):
        (JSC::Debugger::removeBreakpoint):
        (JSC::Debugger::hasBreakpoint):
        * debugger/Debugger.h:

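The hazard the breakpoint entry above describes, and the shape of its fix, as an added example that is not JavaScriptCore's debugger code. Breakpoint, BreakpointStore and the sample breakpoints are invented here; std::vector and std::list stand in for WTF::Vector and the BreakpointsList the entry adds. The first function shows that a growable array moves its elements, so a pointer a side map kept to one of them ends up referring to freed memory; the store shows a node-based list whose elements never move, with the map entry dropped before the node is freed.

```cpp
// Added example, not JavaScriptCore's debugger code. Breakpoint, BreakpointStore
// and the sample entries are invented here; the pattern is the one the entry
// above describes: a side map of id -> pointer into a growable array.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <list>
#include <map>
#include <vector>

struct Breakpoint {
    unsigned id;
    unsigned line;
};

// Records the address of the first element, then appends count - 1 more.
// std::vector reallocates its backing store when capacity runs out, so for any
// count >= 2 the address changes: a pointer a side map kept to that element now
// refers to freed memory. Addresses are compared as integers captured before
// the growth, so no stale pointer is ever dereferenced here.
bool vectorKeepsAddressesStable(unsigned count) {
    std::vector<Breakpoint> breakpoints;
    breakpoints.push_back({1, 10});
    const uintptr_t before = reinterpret_cast<uintptr_t>(&breakpoints[0]);
    for (unsigned i = 2; i <= count; ++i)
        breakpoints.push_back({i, 10 * i});
    return before == reinterpret_cast<uintptr_t>(&breakpoints[0]);
}

// The fixed shape: a node-based doubly linked list (std::list here, standing in
// for the BreakpointsList the entry adds). Nodes never move, so the id -> pointer
// map stays valid as long as the node exists. remove() drops the map entry
// before freeing the node, so the map never holds a dangling pointer.
class BreakpointStore {
public:
    Breakpoint* add(unsigned id, unsigned line) {
        m_breakpoints.push_back({id, line});
        Breakpoint* bp = &m_breakpoints.back();
        m_byId[id] = bp;
        return bp;
    }

    Breakpoint* lookup(unsigned id) const {
        auto it = m_byId.find(id);
        return it == m_byId.end() ? nullptr : it->second;
    }

    bool remove(unsigned id) {
        auto it = m_byId.find(id);
        if (it == m_byId.end())
            return false;
        Breakpoint* bp = it->second;
        m_byId.erase(it);                      // map entry first ...
        for (auto li = m_breakpoints.begin(); li != m_breakpoints.end(); ++li) {
            if (&*li == bp) {
                m_breakpoints.erase(li);       // ... then the node
                break;
            }
        }
        return true;
    }

    size_t size() const { return m_breakpoints.size(); }

private:
    std::list<Breakpoint> m_breakpoints;
    std::map<unsigned, Breakpoint*> m_byId;
};

// Same growth as above through the list-backed store: the pointer handed out
// for the first breakpoint still matches the map and still holds its data.
bool listKeepsAddressesStable(unsigned count) {
    BreakpointStore store;
    Breakpoint* first = store.add(1, 10);
    for (unsigned i = 2; i <= count; ++i)
        store.add(i, 10 * i);
    return store.lookup(1) == first && first->id == 1 && first->line == 10;
}

// Removing one breakpoint must not disturb pointers to the others.
bool removalLeavesOthersValid() {
    BreakpointStore store;
    Breakpoint* a = store.add(1, 10);
    store.add(2, 20);
    Breakpoint* c = store.add(3, 30);
    return store.remove(2) && store.size() == 2 && store.lookup(2) == nullptr
        && store.lookup(1) == a && store.lookup(3) == c && c->line == 30;
}

int main() {
    assert(!vectorKeepsAddressesStable(64));
    assert(listKeepsAddressesStable(64));
    assert(removalLeavesOthersValid());
    return 0;
}
```

The rule the example encodes is the one the entry states in reverse: a side map may hold raw pointers into a container only if that container guarantees address stability for live elements, and the map entry must go away no later than the element it points to.
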
2014-06-30  Michael Saboff  <msaboff@apple.com>

        Add option to run-jsc-stress-tests to filter out tests that use large heaps
        https://bugs.webkit.org/show_bug.cgi?id=134458

        Reviewed by Filip Pizlo.

        Added test to skip js1_5/Regress/regress-159334.js when testing on a memory-limited device.

        * tests/mozilla/mozilla-tests.yaml:

2014-06-30  Daniel Bates  <dabates@apple.com>

        Avoid copying closed variables vector; actually use move semantics

        Rubber-stamped by Oliver Hunt.

        Currently we always copy the closed variables vector passed by Parser::closedVariables()
        to ProgramNode::setClosedVariables() because these member functions return and take a const
        rvalue reference, respectively. Instead, these member functions should take and return a non-
        constant rvalue reference so that we actually move the closed variables vector from the Parser
        object to the Node object.

        * parser/Nodes.cpp:
        (JSC::ProgramNode::setClosedVariables): Remove const qualifier for argument.
        * parser/Nodes.h:
        (JSC::ScopeNode::setClosedVariables): Ditto.
        * parser/Parser.h:
        (JSC::Parser::closedVariables): Remove const qualifier on return type.
        (JSC::parse): Remove extraneous call to std::move(). Calling std::move() is unnecessary here
        because Parser::closedVariables() returns an rvalue reference.

2014-06-30  Joseph Pecoraro  <pecoraro@apple.com>

        JSContext Inspection: Provide a way to use a non-Main RunLoop for Inspector JavaScript Evaluations
        https://bugs.webkit.org/show_bug.cgi?id=134371

        Reviewed by Timothy Hatcher.

        * API/JSContextPrivate.h:
        * API/JSContext.mm:
        (-[JSContext _debuggerRunLoop]):
        (-[JSContext _setDebuggerRunLoop:]):
        Private API for setting the CFRunLoop for a debugger to evaluate in.

        * API/JSContextRefInternal.h: Added.
        * API/JSContextRef.cpp:
        (JSGlobalContextGetDebuggerRunLoop):
        (JSGlobalContextSetDebuggerRunLoop):
        Internal API for setting a CFRunLoop on a JSContextRef.
        Set this on the debuggable.

        * inspector/remote/RemoteInspectorDebuggable.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        (Inspector::RemoteInspectorBlock::RemoteInspectorBlock):
        (Inspector::RemoteInspectorBlock::~RemoteInspectorBlock):
        (Inspector::RemoteInspectorBlock::operator=):
        (Inspector::RemoteInspectorBlock::operator()):
        Moved into the header.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::inspectorDebuggable):
        Let's store the RunLoop on the debuggable instead of this core
        platform-agnostic class, so expose the debuggable.

        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorHandleRunSourceGlobal):
        (Inspector::RemoteInspectorQueueTaskOnGlobalQueue):
        (Inspector::RemoteInspectorInitializeGlobalQueue):
        Rename the global functions for clarity.

        (Inspector::RemoteInspectorHandleRunSourceWithInfo):
        Handler for private run loops.

        (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
        (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
        (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
        (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):
        (Inspector::RemoteInspectorDebuggableConnection::teardownRunLoop):
        (Inspector::RemoteInspectorDebuggableConnection::queueTaskOnPrivateRunLoop):
        Set up, tear down and use private run loop sources if the debuggable needs them.

2014-06-30  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>

        Add missing ENABLE(DFG_JIT) guards
        https://bugs.webkit.org/show_bug.cgi?id=134444

        Reviewed by Darin Adler.

        * dfg/DFGFunctionWhitelist.cpp:
        * dfg/DFGFunctionWhitelist.h:

2014-06-29  Yoav Weiss  <yoav@yoav.ws>

        Add support for HTMLImageElement's sizes attribute
        https://bugs.webkit.org/show_bug.cgi?id=133620

        Reviewed by Dean Jackson.

        Added an ENABLE_PICTURE_SIZES compile flag.

        * Configurations/FeatureDefines.xcconfig:

2014-06-27  Filip Pizlo  <fpizlo@apple.com>

        Don't fold a UInt32ToNumber with DoOverflow to Identity since that would result in an Identity that takes an Int32 and returns a DoubleRep
        https://bugs.webkit.org/show_bug.cgi?id=134412

        Reviewed by Mark Hahnenberg.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::setReplacement):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * tests/stress/uint32-to-number-fold-constant-with-do-overflow.js: Added.
        (foo):
        (bar):
        (baz):

2014-06-27  Peyton Randolph  <prandolph@apple.com>

        Add feature flag for link long-press gesture.
        https://bugs.webkit.org/show_bug.cgi?id=134262

        Reviewed by Enrica Casucci.

        * Configurations/FeatureDefines.xcconfig:
        Add ENABLE_LINK_LONG_PRESS.

2014-06-27  László Langó  <llango.u-szeged@partner.samsung.com>

        [JavaScriptCore] FTL buildfix for EFL platform.
        https://bugs.webkit.org/show_bug.cgi?id=133546

        Reviewed by Darin Adler.

        * ftl/FTLAbstractHeap.cpp:
        (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::forStackmaps):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::opposite):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Constant::dump):
        * llvm/InitializeLLVMPOSIX.cpp:
        (JSC::initializeLLVMPOSIX):

2014-06-26  Benjamin Poulain  <benjamin@webkit.org>

        iOS 8 beta 2 ES6 'Set' clear() broken
        https://bugs.webkit.org/show_bug.cgi?id=134346

        Reviewed by Oliver Hunt.

        The object map was not cleared :(.

        Kudos to Ashley Gullen for tracking this and making a regression test.
        Credit to Oliver for finding the missing code.

        * runtime/MapData.h:
        (JSC::MapData::clear):

2014-06-25  Brent Fulgham  <bfulgham@apple.com>

        [Win] Expose Cache Information to WinLauncher
        https://bugs.webkit.org/show_bug.cgi?id=134318

        Reviewed by Dean Jackson.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing
        MemoryStatistics files to the Windows build.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-06-26  David Kilzer  <ddkilzer@apple.com>

        DFG::FunctionWhitelist::parseFunctionNamesInFile does not close file
        <http://webkit.org/b/134343>
        <rdar://problem/17459487>

        Reviewed by Michael Saboff.

        * dfg/DFGFunctionWhitelist.cpp:
        (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
        Close the file handle, and log an error on failure.

2014-06-25  Dana Burkart  <dburkart@apple.com>

        Add support for 5-tuple versioning.

        Reviewed by David Farler.

        * Configurations/Version.xcconfig:

2014-06-25  Geoffrey Garen  <ggaren@apple.com>

        Build fix.

        Unreviewed.

        * runtime/JSDateMath.cpp:
        (JSC::parseDateFromNullTerminatedCharacters):
        * runtime/VM.cpp:
        (JSC::VM::resetDateCache): Use std::numeric_limits instead of QNaN
        constant since that constant doesn't exist anymore.

2014-06-25  Geoffrey Garen  <ggaren@apple.com>

        Unreviewed, rolling out r166876.

        Caused some ECMA test262 failures

        Reverted changeset:

        "Date object needs to check for ES5 15.9.1.14 TimeClip limit."
        https://bugs.webkit.org/show_bug.cgi?id=131248
        http://trac.webkit.org/changeset/166876

2014-06-25  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed gardening.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Update to
        put various files in proper IDE categories.

2014-06-25  peavo@outlook.com  <peavo@outlook.com>

        [Win64] ASM LLINT is not enabled.
        https://bugs.webkit.org/show_bug.cgi?id=130638

        This patch adds a new LLINT assembler backend for Win64, and implements it.
        It makes adjustments to follow the Win64 ABI spec where it's found to be needed.
        Also, LLINT and JIT are enabled for Win64.

        Reviewed by Mark Lam.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added JITStubsMSVC64.asm.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
        * JavaScriptCore/JavaScriptCore.vcxproj/jsc/jscCommon.props: Increased stack size to avoid stack overflow in tests.
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Generate assembler source file for Win64.
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::call): Follow Win64 ABI spec.
        * jit/JITStubsMSVC64.asm: Added.
        * jit/Repatch.cpp:
        (JSC::emitPutTransitionStub): Compile fix.
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator): Follow Win64 ABI spec.
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions): Ditto.
        * llint/LLIntOfflineAsmConfig.h: Enable new llint backend for Win64.
        * llint/LowLevelInterpreter.asm: Implement new Win64 backend, and follow Win64 ABI spec.
        * llint/LowLevelInterpreter64.asm: Ditto.
        * offlineasm/asm.rb: Compile fix.
        * offlineasm/backends.rb: Add new llint backend for Win64.
        * offlineasm/settings.rb: Compile fix.
        * offlineasm/x86.rb: Implement new llint Win64 backend.

2014-06-25  Laszlo Gombos  <l.gombos@samsung.com>

        Remove build guard for progress element
        https://bugs.webkit.org/show_bug.cgi?id=134292

        Reviewed by Benjamin Poulain.

        * Configurations/FeatureDefines.xcconfig:

2014-06-24  Michael Saboff  <msaboff@apple.com>

        Add support routines to provide descriptive JavaScript backtraces
        https://bugs.webkit.org/show_bug.cgi?id=134278

        Reviewed by Mark Lam.

        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::dump):
        (JSC::CallFrame::describeFrame):
        * interpreter/CallFrame.h:
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpForBacktrace):
        * runtime/JSCJSValue.h:

2014-06-24  Brady Eidson  <beidson@apple.com>

        Enable GAMEPAD in the Mac build, but disabled at runtime.
        https://bugs.webkit.org/show_bug.cgi?id=134255

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig:

        * runtime/JSObject.h: Export JSObject::removeDirect() to allow disabling
          functions at runtime.

2014-06-24  Mark Hahnenberg  <mhahnenberg@apple.com>

        REGRESSION (r169703): Invalid cast in JSC::asGetterSetter / JSC::JSObject::defineOwnNonIndexProperty
        https://bugs.webkit.org/show_bug.cgi?id=134046

        Reviewed by Filip Pizlo.

        * runtime/GetterSetter.h:
        (JSC::asGetterSetter):
        * runtime/JSObject.cpp:
        (JSC::JSObject::defineOwnNonIndexProperty): We need to check for a CustomGetterSetter here as well as
        a normal GetterSetter. If we encounter a CustomGetterSetter, we delete it, create a new normal GetterSetter,
        and insert it like normal. We also need to check for CustomAccessors when checking for unconfigurable properties.

2014-06-24  Brent Fulgham  <bfulgham@apple.com>

        [Win] MSVC mishandles enums in bitfields
        https://bugs.webkit.org/show_bug.cgi?id=134237

        Reviewed by Michael Saboff.

        Replace uses of enum types in bit fields with unsigned to
        avoid losing a bit to hold the sign value. This can result
        in Windows interpreting the value of the field improperly.

        * bytecode/StructureStubInfo.h:
        * parser/Nodes.h:

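The effect the bit-field entry above describes, reproduced as an added example that is not JavaScriptCore code. The page does not show which fields in StructureStubInfo.h and Nodes.h were changed, so the Kind enum and the two structs are invented. MSVC treats a bit-field of enum type as signed (the enum's underlying type is int), which is the lost bit the entry refers to; GCC and Clang usually give such a field the unsigned type, so the risky layout is written with a plain int field, which every compiler treats as signed, and the fixed layout with the unsigned field the entry switches to.

```cpp
// Added example, not JavaScriptCore code. The page does not show which fields
// in StructureStubInfo.h and Nodes.h were changed, so the Kind enum and the two
// structs are invented to reproduce the effect the entry describes.
#include <cassert>

enum Kind { KindA = 0, KindB = 1, KindC = 2, KindD = 3 };   // four values, 2 bits

// The layout the entry replaces. MSVC treats a bit-field of enum type as
// signed (the enum's underlying type is int), so a 2-bit field holds -2..1 and
// KindC and KindD do not survive a store. GCC and Clang usually treat an enum
// bit-field as unsigned, so to reproduce the effect portably the field is
// declared as plain `int`, which every compiler treats as signed here.
struct RiskyFlags {
    int kind : 2;
};

// The layout the entry introduces: an unsigned field, converted at the boundary.
struct FixedFlags {
    unsigned kind : 2;
};

// Stores every Kind and reads it back; true only if all four survive.
// The comparison is done on int rather than by casting the field back to
// Kind, because casting an out-of-range value to an enum is itself undefined.
template <typename Flags>
bool roundTripsAllKinds() {
    const Kind kinds[] = { KindA, KindB, KindC, KindD };
    for (Kind k : kinds) {
        Flags f;
        f.kind = k;
        if (static_cast<int>(f.kind) != static_cast<int>(k))
            return false;
    }
    return true;
}

bool riskyRoundTrips() { return roundTripsAllKinds<RiskyFlags>(); }   // false
bool fixedRoundTrips() { return roundTripsAllKinds<FixedFlags>(); }   // true

// What the signed field hands back for a given Kind on a two's-complement
// target: KindC reads as -2 and KindD as -1.
int riskyReadBack(Kind k) {
    RiskyFlags f;
    f.kind = k;
    return f.kind;
}

int main() {
    assert(!riskyRoundTrips());
    assert(fixedRoundTrips());
    assert(riskyReadBack(KindC) == -2 && riskyReadBack(KindD) == -1);
    return 0;
}
```

A field that silently turns KindC into -2 is worse than a compile error: code that switches on the value falls through to whatever branch handles "none of the above", which is how a wrong interpretation of the field shows up only at runtime. Sizing the field one bit wider than the largest enumerator needs, or storing it unsigned as the entry does, removes the dependence on the compiler's choice of signedness.
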
2014-06-23  Andreas Kling  <akling@apple.com>

        Inline the UnlinkedInstructionStream::Reader logic.
        <https://webkit.org/b/134203>

        This class is only used by CodeBlock to unpack the unlinked instructions,
        and we were spending 0.5% of total time on PLT calling Reader::next().
        Move the logic to the header file and mark it ALWAYS_INLINE.

        Reviewed by Geoffrey Garen.

        * bytecode/UnlinkedInstructionStream.cpp:
        * bytecode/UnlinkedInstructionStream.h:
        (JSC::UnlinkedInstructionStream::Reader::Reader):
        (JSC::UnlinkedInstructionStream::Reader::read8):
        (JSC::UnlinkedInstructionStream::Reader::read32):
        (JSC::UnlinkedInstructionStream::Reader::next):

2014-06-20  Sam Weinig  <sam@webkit.org>

        Remove static tables for bindings that use eager reification
        https://bugs.webkit.org/show_bug.cgi?id=134126

        Reviewed by Oliver Hunt.

        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectCustomAccessor):
        * runtime/Structure.h:
        (JSC::Structure::setHasCustomGetterSetterProperties):
        Change setHasCustomGetterSetterProperties to behave like setHasGetterSetterProperties, and set
        the m_hasReadOnlyOrGetterSetterPropertiesExcludingProto bit if the property is not __proto__.
        Without this, JSObject::put() won't think there are any setters on the prototype chain of an
        object that has no static lookup table and uses eagerly reified custom getter/setter properties.

2014-06-21  Brady Eidson  <beidson@apple.com>

        Gamepad API - Deprecate the existing implementation
        https://bugs.webkit.org/show_bug.cgi?id=134108

        Reviewed by Timothy Hatcher.

        -Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it
        -Move some implementation files into a "deprecated" subdirectory.

        * Configurations/FeatureDefines.xcconfig:

2014-06-21  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r170244.
        https://bugs.webkit.org/show_bug.cgi?id=134157

        GTK/EFL bindings generator works differently, making this
        patch not work there.  Will fix entire patch after a rollout.
        (Requested by bradee-oh on #webkit).

        Reverted changeset:

        "Gamepad API - Deprecate the existing implementation"
        https://bugs.webkit.org/show_bug.cgi?id=134108
        http://trac.webkit.org/changeset/170244

2014-06-21  Brady Eidson  <beidson@apple.com>

        Gamepad API - Deprecate the existing implementation
        https://bugs.webkit.org/show_bug.cgi?id=134108

        Reviewed by Timothy Hatcher.

        -Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it
        -Add the "Deprecated" suffix to some implementation files

        * Configurations/FeatureDefines.xcconfig:

2014-06-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        Removing PAGE_VISIBILITY_API compile guard.
        https://bugs.webkit.org/show_bug.cgi?id=133844

        Reviewed by Gavin Barraclough.

        * Configurations/FeatureDefines.xcconfig:

2014-06-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        ARM traditional buildfix after r169942.
        https://bugs.webkit.org/show_bug.cgi?id=134100

        Reviewed by Zoltan Herczeg.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::abortWithReason): Added.

2014-06-20  Andreas Kling  <akling@apple.com>

        [Cocoa] Release freed up blocks from the JS heap after simulated memory pressure.
        <https://webkit.org/b/134112>

        Reviewed by Mark Hahnenberg.

        * heap/BlockAllocator.h:

2014-06-19  Alex Christensen  <achristensen@webkit.org>

        Unreviewed fix after r170130.

        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj:
        Corrected directory so it can find common.props when opening Visual Studio.

2014-06-19  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        Remove ENABLE(LLINT) and ENABLE(LLINT_C_LOOP) guards
        https://bugs.webkit.org/show_bug.cgi?id=130389

        Reviewed by Mark Lam.

        Removed ENABLE(LLINT) since we always build with it, and changed ENABLE(LLINT_C_LOOP)
        into !ENABLE(JIT) since they are mutually exclusive.

        * CMakeLists.txt:
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
        (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
        * assembler/MaxFrameExtentForSlowPathCall.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFromLLInt):
        * bytecode/CodeBlock.cpp:
        (JSC::dumpStructure):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::unlinkCalls):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::linkIncomingCall):
        (JSC::CodeBlock::frameRegisterCount):
        * bytecode/CodeBlock.h:
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitConstruct):
        * heap/Heap.cpp:
        (JSC::Heap::gatherJSStackRoots):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::initialize):
        (JSC::Interpreter::isOpcode):
        * interpreter/Interpreter.h:
        (JSC::Interpreter::getOpcodeID):
        * interpreter/JSStack.cpp:
        (JSC::JSStack::JSStack):
        (JSC::JSStack::committedByteCount):
        * interpreter/JSStack.h:
        * interpreter/JSStackInlines.h:
        (JSC::JSStack::ensureCapacityFor):
        (JSC::JSStack::topOfFrameFor):
        (JSC::JSStack::setStackLimit):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        * jit/JIT.h:
        (JSC::JIT::compileCTINativeCall):
        * jit/JITExceptions.h:
        * jit/JITThunks.cpp:
        (JSC::JITThunks::ctiNativeCall):
        (JSC::JITThunks::ctiNativeConstruct):
        * llint/LLIntCLoop.cpp:
        * llint/LLIntCLoop.h:
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntData.h:
        (JSC::LLInt::Data::performAssertions): Deleted.
        * llint/LLIntEntrypoint.cpp:
        * llint/LLIntEntrypoint.h:
        * llint/LLIntExceptions.cpp:
        * llint/LLIntExceptions.h:
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntOffsetsExtractor.cpp:
        (JSC::LLIntOffsetsExtractor::dummy):
        * llint/LLIntOpcode.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LLIntThunks.cpp:
        * llint/LLIntThunks.h:
        * llint/LowLevelInterpreter.cpp:
        * llint/LowLevelInterpreter.h:
        * runtime/CommonSlowPaths.cpp:
        * runtime/CommonSlowPaths.h:
        * runtime/ErrorHandlingScope.cpp:
        (JSC::ErrorHandlingScope::ErrorHandlingScope):
        (JSC::ErrorHandlingScope::~ErrorHandlingScope):
        * runtime/Executable.cpp:
        (JSC::setupLLInt):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::sanitizeStackForVM):
        * runtime/VM.h:
        (JSC::VM::canUseJIT): Deleted.

2014-06-18  Alex Christensen  <achristensen@webkit.org>

        Add FTL to Windows build.
        https://bugs.webkit.org/show_bug.cgi?id=134015
809
810         Reviewed by Filip Pizlo.
811
812         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
813         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
814         Added ftl source files.
815         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
816         Added ftl and llvm directories to include path.
817         * JavaScriptCore.vcxproj/libllvmForJSC: Added.
818         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Added.
819         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Added.
820         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Added.
821         * ftl/FTLLowerDFGToLLVM.cpp:
822         (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
823         MSVC doesn't like to divide by zero while compiling.  Use std::nan instead.
824         * llvm/InitializeLLVMWin.cpp: Added.
825         (JSC::initializeLLVMImpl):
826         Implemented dynamic loading and linking for Windows.
827
828 2014-06-18  Alex Christensen  <achristensen@webkit.org>
829
830         Unreviewed build fix after r170107.
831
832         * dfg/DFGSpeculativeJIT.cpp:
833         (JSC::DFG::SpeculativeJIT::compileArithMod):
834         Use non-template sub for armv7s.
835
836 2014-06-18  David Kilzer  <ddkilzer@apple.com>
837
838         -[JSContext setName:] leaks NSString
839         <http://webkit.org/b/134038>
840
841         Reviewed by Joseph Pecoraro.
842
843         Fixes the following static analyzer warning:
844
845             JavaScriptCore/API/JSContext.mm:200:73: warning: Potential leak of an object
846                 JSStringRef nameJS = name ? JSStringCreateWithCFString((CFStringRef)[name copy]) : nullptr;
847                                                                                     ^
848
849         * API/JSContext.mm:
850         (-[JSContext setName:]): Autorelease the copy of |name|.
851
852 2014-06-18  Mark Lam  <mark.lam@apple.com>
853
854         DFGGraph::m_doubleConstantMap will not map 0 values correctly.
855         <https://webkit.org/b/133994>
856
857         Reviewed by Geoffrey Garen.
858
859         DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
860         because it means two unfortunate things:
861         - It will probably break for zero.
862         - It will think that -0 is the same as +0 under some circumstances, since
863           -0==+0 even though they are distinct values (for example 1/-0 != 1/+0).
864
865         The fix is to use std::unordered_map which does not require special empty
866         and deleted values, and to use the raw bits instead of the double value as
867         the key.
868
869         * dfg/DFGGraph.h:
870         * dfg/DFGJITCompiler.cpp:
871         (JSC::DFG::JITCompiler::addressOfDoubleConstant):
872
873 2014-06-18  Alex Christensen  <achristensen@webkit.org>
874
875         Remove duplicate code using sdiv.
876         https://bugs.webkit.org/show_bug.cgi?id=133764
877
878         Reviewed by Daniel Bates.
879
880         * assembler/ARMv7Assembler.h:
881         (JSC::ARMv7Assembler::sdiv):
882         Make sdiv a template to match arm64.
883         * dfg/DFGSpeculativeJIT.cpp:
884         (JSC::DFG::SpeculativeJIT::compileArithDiv):
885         (JSC::DFG::SpeculativeJIT::compileArithMod):
886         Remove duplicate code that was identical except for sdiv not being a template.
887
888 2014-06-17  Commit Queue  <commit-queue@webkit.org>
889
890         Unreviewed, rolling out r170082.
891         https://bugs.webkit.org/show_bug.cgi?id=134006
892
893         Breaks build. (Requested by mlam on #webkit).
894
895         Reverted changeset:
896
897         "DFGGraph::m_doubleConstantMap will not map 0 values
898         correctly."
899         https://bugs.webkit.org/show_bug.cgi?id=133994
900         http://trac.webkit.org/changeset/170082
901
902 2014-06-17  Mark Lam  <mark.lam@apple.com>
903
904         DFGGraph::m_doubleConstantMap will not map 0 values correctly.
905         <https://webkit.org/b/133994>
906
907         Reviewed by Geoffrey Garen.
908
909         DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
910         because it means two unfortunate things:
911         - It will probably break for zero.
912         - It will think that -0 is the same as +0 under some circumstances, since
913           -0==+0 even though they are distinct values (for example 1/-0 != 1/+0).
914
915         The fix is to use std::unordered_map which does not require special empty
916         and deleted values, and to use the raw bits instead of the double value as
917         the key.
918
919         * dfg/DFGGraph.h:
920         * dfg/DFGJITCompiler.cpp:
921         (JSC::DFG::JITCompiler::addressOfDoubleConstant):
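
        The -0/+0 problem described in this entry (and in the identical relanded entry above), as an added
        C++ example that is not JavaScriptCore's code: a small constant table keyed by the double's raw
        64-bit pattern, compared side by side with a std::unordered_map keyed by the double value itself.
        It also covers NaN, which the entry does not mention: NaN compares unequal to itself, so a
        double-keyed map never finds an existing NaN entry, whereas a bit-keyed lookup does. The names
        DoubleConstantTable, doubleToBits and the two counting helpers are assumed for illustration only.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <unordered_map>
#include <vector>

// Reinterpret the 8 bytes of a double as an integer. memcpy keeps this
// well-defined (no type punning through pointers).
inline uint64_t doubleToBits(double value)
{
    uint64_t bits;
    std::memcpy(&bits, &value, sizeof bits);
    return bits;
}

// Illustrative constant table (not JSC's DFGGraph): it deduplicates constants by
// bit pattern, so +0.0 and -0.0 get separate slots and equal NaN payloads share one.
class DoubleConstantTable {
public:
    // Returns the slot index for `value`, appending a new slot when absent.
    size_t indexFor(double value)
    {
        uint64_t key = doubleToBits(value);
        auto it = m_map.find(key);
        if (it != m_map.end())
            return it->second;
        size_t index = m_constants.size();
        m_constants.push_back(value);
        m_map.emplace(key, index);
        return index;
    }

    size_t size() const { return m_constants.size(); }
    double at(size_t index) const { return m_constants[index]; }

private:
    // std::unordered_map needs no reserved empty/deleted key values, which
    // is the other reason the entry gives for choosing it over WTF::HashMap.
    std::unordered_map<uint64_t, size_t> m_map;
    std::vector<double> m_constants;
};

// How many distinct entries a map keyed by the double value itself produces.
// operator== drives lookups, so -0.0 collapses onto 0.0 and NaN never matches.
size_t distinctEntriesDoubleKeyed(const std::vector<double>& values)
{
    std::unordered_map<double, size_t> map;
    for (double v : values)
        map.emplace(v, map.size());
    return map.size();
}

// The same count for a map keyed by the raw bit pattern.
size_t distinctEntriesBitKeyed(const std::vector<double>& values)
{
    std::unordered_map<uint64_t, size_t> map;
    for (double v : values)
        map.emplace(doubleToBits(v), map.size());
    return map.size();
}

int main()
{
    DoubleConstantTable table;
    size_t plusZero = table.indexFor(0.0);
    size_t minusZero = table.indexFor(-0.0);
    std::printf("+0 -> slot %zu, -0 -> slot %zu, 1/slot[-0] = %g\n",
        plusZero, minusZero, 1.0 / table.at(minusZero));
    std::printf("double-keyed entries for {0,-0}: %zu, bit-keyed: %zu\n",
        distinctEntriesDoubleKeyed({ 0.0, -0.0 }), distinctEntriesBitKeyed({ 0.0, -0.0 }));
    return 0;
}
```

        The sign of zero matters to generated code because 1/-0 is -Infinity while 1/+0 is +Infinity;
        if the constant table handed both literals the same slot, whichever was inserted first would
        silently win for the other.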
922
923 2014-06-17  Oliver Hunt  <oliver@apple.com>
924
925         Fix error messages for incorrect hex literals
926         https://bugs.webkit.org/show_bug.cgi?id=133998
927
928         Reviewed by Mark Lam.
929
930         Ensure that the error messages for bogus hex literals actually
931         make sense.
932
933         * parser/Lexer.cpp:
934         (JSC::Lexer<T>::lex):
935         * parser/ParserTokens.h:
936
937 2014-06-17  Matthew Mirman  <mmirman@apple.com>
938
939         Fixes bug where building JSC sometimes crashes at build-symbol-table-index.py. Also adds licenses. 
940         https://bugs.webkit.org/show_bug.cgi?id=133814
941
942         Reviewed by Filip Pizlo.
943         
944         Adds the "shopt -s nullglob" line necessary to prevent the loop in the shell 
945         script from using "*.o" as a file when no other files in the directory exist. 
946         
947         * build-symbol-table-index.sh: Added license.
948         * copy-llvm-ir-to-derived-sources.sh: Added license and "shopt -s nullglob" line.
949
950 2014-06-16  Sam Weinig  <sam@webkit.org>
951
952         Move forward declaration of bindings static functions into their implementation files
953         https://bugs.webkit.org/show_bug.cgi?id=133943
954
955         Reviewed by Geoffrey Garen.
956
957         * runtime/CommonIdentifiers.h:
958         Add a few identifiers that are needed by the DOM.
959
960 2014-06-16  Mark Lam  <mark.lam@apple.com>
961
962         Parser statementDepth accounting needs to account for when a function body excludes its braces.
963         <https://webkit.org/b/133832>
964
965         Reviewed by Oliver Hunt.
966
967         In some cases (e.g. when a Function object is instantiated from a string), the
968         function body source may not include its braces.  The parser needs to account
969         for this when calculating its statementDepth.
970
971         * bytecode/UnlinkedCodeBlock.cpp:
972         (JSC::generateFunctionCodeBlock):
973         (JSC::UnlinkedFunctionExecutable::codeBlockFor):
974         * bytecode/UnlinkedCodeBlock.h:
975         * parser/Parser.cpp:
976         (JSC::Parser<LexerType>::parseStatement):
977         - Also fixed the error message for declaring nested functions in strict mode
978           to be more accurate.
979         * parser/Parser.h:
980         (JSC::Parser<LexerType>::parse):
981         (JSC::parse):
982         * runtime/Executable.cpp:
983         (JSC::ScriptExecutable::newCodeBlockFor):
984
985 2014-06-16  Juergen Ributzka  <juergen@apple.com>
986
987         Change the order of the alias analysis passes to align with the opt pipeline of LLVM
988         https://bugs.webkit.org/show_bug.cgi?id=133753
989
990         Reviewed by Geoffrey Garen.
991
992         The order in which the alias analysis passes are added also affects the
993         order in which they are utilized. Change the order to align with the
994         one used by LLVM itself. The last alias analysis pass added will be
995         evaluated first. With this change we first perform a basic alias
996         analysis and then use the type-based alias analysis (if required).
997
998         * ftl/FTLCompile.cpp:
999         (JSC::FTL::compile):
1000
1001 2014-06-16  Juergen Ributzka  <juergen@apple.com>
1002
1003         Fix the arguments passed to the LLVM dylib
1004         https://bugs.webkit.org/show_bug.cgi?id=133757
1005
1006         Reviewed by Geoffrey Garen.
1007
1008         The LLVM command line argument parser assumes that the first argument
1009         is the program name. We need to add a fake program name, otherwise the
1010         first argument will be parsed as the program name and ignored.
1011
1012         * llvm/library/LLVMExports.cpp:
1013         (initializeAndGetJSCLLVMAPI):
1014
1015 2014-06-16  Michael Saboff  <msaboff@apple.com>
1016
1017         Convert ASSERT in inlineFunctionForCapabilityLevel to early return
1018         https://bugs.webkit.org/show_bug.cgi?id=133903
1019
1020         Reviewed by Mark Hahnenberg.
1021
1022         Hardened code by converting ASSERT to return CannotCompile.
1023
1024         * dfg/DFGCapabilities.h:
1025         (JSC::DFG::inlineFunctionForCapabilityLevel):
1026
1027 2014-06-13  Sam Weinig  <sam@webkit.org>
1028
1029         Store DOM constants directly in the JS object rather than jumping through a custom accessor
1030         https://bugs.webkit.org/show_bug.cgi?id=133898
1031
1032         Reviewed by Oliver Hunt.
1033
1034         * runtime/Lookup.h:
1035         (JSC::HashTableValue::attributes):
1036         Switch attributes to be stored as an unsigned rather than an unsigned char, since there is no difference in memory use
1037         and will make adding more flags possible.
1038
1039         (JSC::HashTableValue::propertyGetter):
1040         (JSC::HashTableValue::propertyPutter):
1041         Change assertion to use BuiltinOrFunctionOrConstant.
1042
1043         (JSC::HashTableValue::constantInteger):
1044         Added.
1045
1046         (JSC::getStaticPropertySlot):
1047         (JSC::getStaticValueSlot):
1048         Use PropertySlot::setValue() for constants during static lookup.
1049
1050         (JSC::reifyStaticProperties):
1051         Put the constant directly on the object when eagerly reifying.
1052
1053         * runtime/PropertySlot.h:
1054         Add ConstantInteger flag and BuiltinOrFunctionOrConstant helper.
1055
1056 2014-06-14  Michael Saboff  <msaboff@apple.com>
1057
1058         operationCreateArguments could cause a GC during OSR exit
1059         https://bugs.webkit.org/show_bug.cgi?id=133905
1060
1061         Reviewed by Filip Pizlo.
1062
1063         Defer GC via new wrapper functions for operationCreateArguments and operationCreateInlinedArguments
1064         for use by OSR exit stubs.
1065
1066         * dfg/DFGOSRExitCompilerCommon.cpp:
1067         (JSC::DFG::ArgumentsRecoveryGenerator::generateFor):
1068         * dfg/DFGOperations.cpp:
1069         * dfg/DFGOperations.h:
1070         * jit/JITOperations.cpp:
1071         * jit/JITOperations.h:
1072
1073 2014-06-13  Mark Hahnenberg  <mhahnenberg@apple.com>
1074
1075         OSR exit should barrier the Executables for all InlineCallFrames, not just those on the stack at the time of exit
1076         https://bugs.webkit.org/show_bug.cgi?id=133880
1077
1078         Reviewed by Filip Pizlo.
1079
1080         We could have exited due to a value received from an inlined block that's no longer on 
1081         the stack, so we should just barrier all InlineCallFrames.
1082
1083         * dfg/DFGOSRExitCompilerCommon.cpp:
1084         (JSC::DFG::adjustAndJumpToTarget):
1085
1086 2014-06-13  Alex Christensen  <achristensen@webkit.org>
1087
1088         Make css jit compile for armv7.
1089         https://bugs.webkit.org/show_bug.cgi?id=133596
1090
1091         Reviewed by Benjamin Poulain.
1092
1093         * assembler/MacroAssembler.h:
1094         Use branchPtr on ARM_THUMB2.
1095         * assembler/MacroAssemblerARMv7.h:
1096         (JSC::MacroAssemblerARMv7::addPtrNoFlags):
1097         (JSC::MacroAssemblerARMv7::or32):
1098         (JSC::MacroAssemblerARMv7::test32):
1099         (JSC::MacroAssemblerARMv7::branch):
1100         (JSC::MacroAssemblerARMv7::branchPtr):
1101         Added macros necessary for css jit.
1102
1103 2014-06-13  Filip Pizlo  <fpizlo@apple.com>
1104
1105         Unreviewed, fix ARMv7.
1106
1107         * assembler/MacroAssemblerARMv7.h:
1108         (JSC::MacroAssemblerARMv7::abortWithReason):
1109
1110 2014-06-12  Filip Pizlo  <fpizlo@apple.com>
1111
1112         Even better diagnostics from DFG traps
1113         https://bugs.webkit.org/show_bug.cgi?id=133836
1114
1115         Reviewed by Oliver Hunt.
1116         
1117         We now stuff the DFG::NodeType into a register before bailing. Also made the
1118         DFGBailed abort reason a bit more specific. As planned, the new abort reasons use
1119         different numbers than any previous abort reasons.
1120
1121         * assembler/AbortReason.h:
1122         * assembler/MacroAssemblerARM64.h:
1123         (JSC::MacroAssemblerARM64::abortWithReason):
1124         * assembler/MacroAssemblerARMv7.h:
1125         (JSC::MacroAssemblerARMv7::abortWithReason):
1126         * assembler/MacroAssemblerX86.h:
1127         (JSC::MacroAssemblerX86::abortWithReason):
1128         * assembler/MacroAssemblerX86_64.h:
1129         (JSC::MacroAssemblerX86_64::abortWithReason):
1130         * dfg/DFGSpeculativeJIT.cpp:
1131         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
1132         (JSC::DFG::SpeculativeJIT::bail):
1133         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1134         * dfg/DFGSpeculativeJIT.h:
1135
1136 2014-06-12  Simon Fraser  <simon.fraser@apple.com>
1137
1138         Fix assertions under JSC::setNeverInline() when running js tests in WebKitTestRunner
1139         https://bugs.webkit.org/show_bug.cgi?id=133840
1140
1141         Reviewed by Filip Pizlo.
1142         
1143         Fix ASSERT(exec->vm().currentThreadIsHoldingAPILock()); under JSC::setNeverInline()
1144         when running DFG tests.
1145
1146         * API/JSCTestRunnerUtils.cpp:
1147         (JSC::numberOfDFGCompiles):
1148         (JSC::setNeverInline):
1149
1150 2014-06-12  Brent Fulgham  <bfulgham@apple.com>
1151
1152         [Win] Avoid fork bomb during build
1153         https://bugs.webkit.org/show_bug.cgi?id=133837
1154         <rdar://problem/17296034>
1155
1156         Reviewed by Tim Horton.
1157
1158         * JavaScriptCore.vcxproj/build-generated-files.sh: Use a
1159         reasonable default value when the 'num-cpus' script is not available.
1160
1161 2014-06-12  Mark Lam  <mark.lam@apple.com>
1162
1163         Remove some dead / unused code.
1164         <https://webkit.org/b/133828>
1165
1166         Reviewed by Filip Pizlo.
1167
1168         * builtins/BuiltinExecutables.cpp:
1169         (JSC::BuiltinExecutables::createBuiltinExecutable):
1170         * bytecode/UnlinkedCodeBlock.cpp:
1171         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1172         * bytecode/UnlinkedCodeBlock.h:
1173         (JSC::UnlinkedFunctionExecutable::create):
1174         * bytecompiler/BytecodeGenerator.h:
1175         (JSC::BytecodeGenerator::makeFunction):
1176         * parser/Parser.h:
1177         (JSC::DepthManager::DepthManager): Deleted.
1178         (JSC::DepthManager::~DepthManager): Deleted.
1179         * runtime/CodeCache.cpp:
1180         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
1181
1182 2014-06-12  Mark Hahnenberg  <mhahnenberg@apple.com>
1183
1184         Move structureHasRareData out of TypeInfo
1185         https://bugs.webkit.org/show_bug.cgi?id=133800
1186
1187         Reviewed by Andreas Kling.
1188
1189         StructureHasRareData was originally put in TypeInfo to avoid making Structure bigger, 
1190         but we have a few spare bits in Structure so it would be nice to remove this hack.
1191
1192         * runtime/JSTypeInfo.h:
1193         (JSC::TypeInfo::newImpurePropertyFiresWatchpoints):
1194         (JSC::TypeInfo::structureHasRareData): Deleted.
1195         * runtime/Structure.cpp:
1196         (JSC::Structure::Structure):
1197         (JSC::Structure::allocateRareData):
1198         (JSC::Structure::cloneRareDataFrom):
1199         * runtime/Structure.h:
1200         (JSC::Structure::previousID):
1201         (JSC::Structure::objectToStringValue):
1202         (JSC::Structure::setObjectToStringValue):
1203         (JSC::Structure::setPreviousID):
1204         (JSC::Structure::clearPreviousID):
1205         (JSC::Structure::previous):
1206         (JSC::Structure::rareData):
1207         * runtime/StructureInlines.h:
1208         (JSC::Structure::setEnumerationCache):
1209         (JSC::Structure::enumerationCache):
1210
1211 2014-06-12  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>
1212
1213         Allow enum guards to be generated from the replay json files
1214         https://bugs.webkit.org/show_bug.cgi?id=133399
1215
1216         Reviewed by Csaba Osztrogonác.
1217
1218         * replay/scripts/CodeGeneratorReplayInputs.py:
1219         (Type.__init__):
1220         (InputsModel.parse_type_with_framework_name):
1221         (Generator.generate_header):
1222         (Generator.generate_implementation):
1223         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Added.
1224         (Test::HandleWheelEvent::HandleWheelEvent):
1225         (Test::HandleWheelEvent::~HandleWheelEvent):
1226         (JSC::InputTraits<Test::HandleWheelEvent>::type):
1227         (JSC::InputTraits<Test::HandleWheelEvent>::encode):
1228         (JSC::InputTraits<Test::HandleWheelEvent>::decode):
1229         (JSC::EncodingTraits<WebCore::PlatformWheelEventPhase>::encodeValue):
1230         (JSC::EncodingTraits<WebCore::PlatformWheelEventPhase>::decodeValue):
1231         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Added.
1232         (JSC::InputTraits<Test::HandleWheelEvent>::queue):
1233         (Test::HandleWheelEvent::platformEvent):
1234         * replay/scripts/tests/generate-enum-with-guard.json: Added.
1235
1236 2014-06-12  Carlos Garcia Campos  <cgarcia@igalia.com>
1237
1238         Unreviewed. Fix GTK+ build after r169823.
1239
1240         Include StructureInlines.h in a few more files to fix linking
1241         issues due to JSC::Structure::get undefined symbol.
1242
1243         * runtime/ArrayIteratorConstructor.cpp:
1244         * runtime/ArrayIteratorPrototype.cpp:
1245         * runtime/JSConsole.cpp:
1246         * runtime/JSMapIterator.cpp:
1247         * runtime/JSSet.cpp:
1248         * runtime/JSSetIterator.cpp:
1249         * runtime/JSWeakMap.cpp:
1250         * runtime/MapIteratorPrototype.cpp:
1251         * runtime/MapPrototype.cpp:
1252         * runtime/SetIteratorPrototype.cpp:
1253         * runtime/SetPrototype.cpp:
1254         * runtime/WeakMapPrototype.cpp:
1255
1256 2014-06-12  Csaba Osztrogonác  <ossy@webkit.org>
1257
1258         [EFL] One more URTBF after r169823 to make ARM64 build happy too.
1259
1260         * runtime/JSMap.cpp:
1261
1262 2014-06-11  Mark Hahnenberg  <mhahnenberg@apple.com>
1263
1264         Inline caching should try to flatten uncacheable dictionaries
1265         https://bugs.webkit.org/show_bug.cgi?id=133683
1266
1267         Reviewed by Geoffrey Garen.
1268
1269         There exists a body of JS code that deletes properties off of objects (especially function/constructor objects), 
1270         which puts them into an uncacheable dictionary state. This prevents all future inline caching for these objects. 
1271         If properties are deleted out of the object during its initialization, we can enable caching for that object by 
1272         attempting to flatten it when we see we're trying to do inline caching with that object. We then record that we 
1273         performed this flattening optimization in the object's Structure. If it ever re-enters the uncacheable dictionary 
1274         state then we can just give up on caching that object.
1275
1276         In refactoring some of the code in tryCacheGetById and tryBuildGetByIdList to reduce some duplication, I added
1277         the InlineCacheAction enum, a new way to indicate the success or failure of an inline caching attempt. I changed
1278         the other inline caching functions to return this enum rather than the opaque booleans that we were previously 
1279         returning.
1280
1281         * jit/Repatch.cpp:
1282         (JSC::actionForCell):
1283         (JSC::tryCacheGetByID):
1284         (JSC::repatchGetByID):
1285         (JSC::tryBuildGetByIDList):
1286         (JSC::buildGetByIDList):
1287         (JSC::tryCachePutByID):
1288         (JSC::repatchPutByID):
1289         (JSC::tryBuildPutByIdList):
1290         (JSC::buildPutByIdList):
1291         (JSC::tryRepatchIn):
1292         (JSC::repatchIn):
1293         * runtime/Structure.cpp:
1294         (JSC::Structure::Structure):
1295         (JSC::Structure::flattenDictionaryStructure):
1296         * runtime/Structure.h:
1297         (JSC::Structure::hasBeenFlattenedBefore):
1298
1299 2014-06-11  Csaba Osztrogonác  <ossy@webkit.org>
1300
1301         [EFL] URTBF after r169823.
1302
1303         * bindings/ScriptValue.cpp: Missing include added.
1304
1305 2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>
1306
1307         Remove an unnecessary asObject(this) call inside JSObject::fastGetOwnPropertySlot.
1308
1309         Rubber-stamped by Andreas Kling.
1310
1311         * runtime/JSObject.h:
1312         (JSC::JSObject::fastGetOwnPropertySlot):
1313
1314 2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>
1315
1316         Turning on DUMP_PROPERTYMAP_STATS causes a build failure
1317         https://bugs.webkit.org/show_bug.cgi?id=133673
1318
1319         Reviewed by Andreas Kling.
1320
1321         Rewrote the property map statistics code because the old code wasn't building,
1322         and it was also mixing numbers for lookups and insertions/removals.
1323
1324         New logging code records the number of calls to PropertyTable::find (finds) and
1325         PropertyTable::get/PropertyTable::findWithString separately so that we can quantify
1326         the amount of probing during updates and lookups.
1327
1328         * jsc.cpp:
1329         * runtime/PropertyMapHashTable.h:
1330         (JSC::PropertyTable::find):
1331         (JSC::PropertyTable::get):
1332         (JSC::PropertyTable::findWithString):
1333         (JSC::PropertyTable::add):
1334         (JSC::PropertyTable::remove):
1335         (JSC::PropertyTable::reinsert):
1336         (JSC::PropertyTable::rehash):
1337         * runtime/Structure.cpp:
1338         (JSC::PropertyMapStatisticsExitLogger::PropertyMapStatisticsExitLogger):
1339         (JSC::PropertyMapStatisticsExitLogger::~PropertyMapStatisticsExitLogger):
1340
1341 2014-06-11  Andreas Kling  <akling@apple.com>
1342
1343         Always inline JSValue::get() and Structure::get().
1344         <https://webkit.org/b/133755>
1345
1346         Reviewed by Ryosuke Niwa.
1347
1348         These functions get really hot, so ask the compiler to be more
1349         aggressive about inlining them.
1350
1351         ~28% speed-up on Ryosuke's microbenchmark for accessing nextSibling
1352         through GetByVal.
1353
1354         * runtime/JSArrayIterator.cpp:
1355         * runtime/JSCJSValue.cpp:
1356         * runtime/JSCJSValueInlines.h:
1357         (JSC::JSValue::get):
1358         * runtime/JSPromiseDeferred.cpp:
1359         * runtime/StructureInlines.h:
1360         (JSC::Structure::get):
1361
1362 2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>
1363
1364         Structure::get should instantiate DeferGC only when materializing property map
1365         https://bugs.webkit.org/show_bug.cgi?id=133727
1366
1367         Rubber-stamped by Andreas Kling.
1368
1369         Make materializePropertyMapIfNecessary always inline.
1370
1371         This is ~12% improvement on the microbenchmark attached in the bug.
1372
1373         * runtime/Structure.h:
1374         (JSC::Structure::materializePropertyMapIfNecessary):
1375         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
1376
1377 2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>
1378
1379         Structure::get should instantiate DeferGC only when materializing property map
1380         https://bugs.webkit.org/show_bug.cgi?id=133727
1381
1382         Reviewed by Geoffrey Garen.
1383
1384         DeferGC instances in Structure::get were added in http://trac.webkit.org/r157539 in order to avoid
1385         collecting the property table newly created by materializePropertyMapIfNecessary since GC can happen
1386         when GCSafeConcurrentJITLocker goes out of scope.
1387
1388         However, always instantiating DeferGC inside Structure::get introduced a new performance bottleneck
1389         in JSObject::getPropertySlot because frequently incrementing and decrementing a counter in vm.m_heap
1390         and running a release assertion inside Heap::incrementDeferralDepth() is expensive.
1391
1392         Work around this by instantiating DeferGC only when we're actually calling materializePropertyMap,
1393         and immediately storing a pointer to the newly created property table in the stack before DeferGC
1394         goes out of scope so that the property table will be marked.
1395
1396         This shows 13-16% improvement on the microbenchmark attached in the bug.
1397
1398         * runtime/JSCJSValue.cpp:
1399         * runtime/JSObject.h:
1400         (JSC::JSObject::fastGetOwnPropertySlot):
1401         * runtime/Structure.h:
1402         (JSC::Structure::materializePropertyMapIfNecessary):
1403         * runtime/StructureInlines.h:
1404         (JSC::Structure::get):
1405
1406 2014-06-11  Andreas Kling  <akling@apple.com>
1407
1408         Some JSValue::get() micro-optimizations.
1409         <https://webkit.org/b/133739>
1410
1411         Tighten some of the property lookup code to improve performance of the
1412         eagerly reified prototype attributes:
1413
1414         - Instead of converting the property name to an integer at every step
1415           in the prototype chain, move that to a separate pass at the end
1416           since it should be a rare case.
1417
1418         - Cache the StructureIDTable in a local instead of fetching it from
1419           the Heap on every step.
1420
1421         - Make fillCustomGetterPropertySlot inline. It was out-of-lined based
1422           on the assumption that clients would mostly be cacheable GetByIds,
1423           and it gets pretty hot (~1%) in GetByVal.
1424
1425         - Pass the Structure directly to fillCustomGetterPropertySlot instead
1426           of refetching it from the StructureIDTable.
1427
1428         Reviewed by Geoff Garen.
1429
1430         * runtime/JSObject.cpp:
1431         (JSC::JSObject::fillCustomGetterPropertySlot): Deleted.
1432         * runtime/JSObject.h:
1433         (JSC::JSObject::inlineGetOwnPropertySlot):
1434         (JSC::JSObject::fillCustomGetterPropertySlot):
1435         (JSC::JSObject::getOwnPropertySlot):
1436         (JSC::JSObject::fastGetOwnPropertySlot):
1437         (JSC::JSObject::getPropertySlot):
1438         (JSC::JSObject::getOwnPropertySlotSlow): Deleted.
1439
1440 2014-06-10  Sam Weinig  <sam@webkit.org>
1441
1442         Don't create a HashTable for JSObjects that use eager reification
1443         https://bugs.webkit.org/show_bug.cgi?id=133705
1444
1445         Reviewed by Geoffrey Garen.
1446
1447         * runtime/Lookup.h:
1448         (JSC::reifyStaticProperties):
1449         Add a version of reifyStaticProperties that takes an array of HashTableValues
1450         rather than a HashTable.
1451
1452 2014-06-10  Filip Pizlo  <fpizlo@apple.com>
1453
1454         Prediction propagator should make sure everyone knows that a variable that is in an argument position where other versions of that variable are not MachineInts cannot possibly be flushed as Int52
1455         https://bugs.webkit.org/show_bug.cgi?id=133698
1456
1457         Reviewed by Geoffrey Garen and Mark Hahnenberg.
1458
1459         * dfg/DFGPredictionPropagationPhase.cpp:
1460         (JSC::DFG::PredictionPropagationPhase::propagate): Use the new utility to figure out if a variable could ever represent an Int52.
1461         * dfg/DFGVariableAccessData.cpp:
1462         (JSC::DFG::VariableAccessData::couldRepresentInt52): Add a new utility to detect early on if a variable could possibly be Int52.
1463         (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
1464         (JSC::DFG::VariableAccessData::flushFormat):
1465         * dfg/DFGVariableAccessData.h:
1466         * tests/stress/int52-inlined-call-argument.js: Added.
1467         (foo):
1468         (bar):
1469
1470 2014-06-10  Mark Lam  <mark.lam@apple.com>
1471
1472         Assertion failure at JSC::Structure::checkOffsetConsistency() const + 234.
1473         <https://webkit.org/b/133356>
1474
1475         Reviewed by Mark Hahnenberg.
1476
1477         The root cause of this issue is that a nonPropertyTransition can transition
1478         a pinned dictionary structure to an unpinned dictionary structure.  The new
1479         structure will get a copy of the property table from the original structure.
1480         However, when a GC occurs, the property table in the new structure will be
1481         cleared because it is unpinned.  This leads to complications in subsequent
1482         derivative structures when flattening occurs, which eventually leads to the
1483         assertion failure in this bug.
1484
1485         The fix is to ensure that the new dictionary structure generated by the
1486         nonPropertyTransition will have a copy of its predecessor's property table
1487         and is pinned.
1488
1489         * runtime/Structure.cpp:
1490         (JSC::Structure::nonPropertyTransition):
1491
1492 2014-06-10  Michael Saboff  <msaboff@apple.com>
1493
1494         In a certain app state, Array.prototype.filter() returns incorrect results
1495         https://bugs.webkit.org/show_bug.cgi?id=133577
1496
1497         Reviewed by Oliver Hunt.
1498
1499         Fixed the LLInt processing of op_put_by_val_direct to have the same hole check as op_put_by_val.
1500
1501         * llint/LowLevelInterpreter32_64.asm:
1502         * llint/LowLevelInterpreter64.asm:
1503
1504 2014-06-09  Mark Hahnenberg  <mhahnenberg@apple.com>
1505
1506         Global HashTables contain references to atomic StringImpls
1507         https://bugs.webkit.org/show_bug.cgi?id=133661
1508
1509         Reviewed by Geoffrey Garen.
1510
1511         This was a long-standing bug revealed by bug 133558. The issue is that the global static HashTables 
1512         cache their set of keys as StringImpls that are associated with a particular VM.  This is obviously 
1513         incompatible with using multiple VMs on multiple threads (e.g. when using workers). The fix is to 
1514         change the "keys" field of the static HashTables to be char** instead of StringImpl**.
1515
1516         * runtime/JSObject.cpp:
1517         (JSC::getClassPropertyNames):
1518         * runtime/Lookup.cpp:
1519         (JSC::HashTable::createTable):
1520         (JSC::HashTable::deleteTable):
1521         * runtime/Lookup.h:
1522         (JSC::HashTable::ConstIterator::key):
1523         (JSC::HashTable::entry):
1524
1525 2014-06-09  Mark Hahnenberg  <mhahnenberg@apple.com>
1526
1527         Build fix after r169703
1528
1529         * JavaScriptCore.xcodeproj/project.pbxproj:
1530
1531 2014-06-05  Mark Hahnenberg  <mhahnenberg@apple.com>
1532
1533         Eagerly reify DOM prototype attributes
1534         https://bugs.webkit.org/show_bug.cgi?id=133558
1535
1536         Reviewed by Oliver Hunt.
1537
1538         This allows us to get rid of a lot of the additional overhead of pushing DOM attributes up into the prototype. 
1539         By eagerly reifying the custom getters and setters into the actual JSObject we avoid having to override 
1540         getOwnPropertySlot for all of the DOM prototypes, which is a lot of the overhead of doing property lookups on 
1541         DOM wrappers.
1542
1543         * CMakeLists.txt:
1544         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1545         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1546         * JavaScriptCore.xcodeproj/project.pbxproj:
1547         * llint/LLIntData.cpp:
1548         (JSC::LLInt::Data::performAssertions):
1549         * llint/LowLevelInterpreter.asm:
1550         * runtime/BatchedTransitionOptimizer.h:
1551         (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
1552         * runtime/CustomGetterSetter.cpp: Added.
1553         (JSC::callCustomSetter):
1554         * runtime/CustomGetterSetter.h: Added.
1555         (JSC::CustomGetterSetter::create):
1556         (JSC::CustomGetterSetter::getter):
1557         (JSC::CustomGetterSetter::setter):
1558         (JSC::CustomGetterSetter::createStructure):
1559         (JSC::CustomGetterSetter::CustomGetterSetter):
1560         * runtime/JSCJSValue.cpp:
1561         (JSC::JSValue::putToPrimitive):
1562         * runtime/JSCJSValue.h:
1563         * runtime/JSCJSValueInlines.h:
1564         (JSC::JSValue::isCustomGetterSetter):
1565         * runtime/JSCell.h:
1566         * runtime/JSCellInlines.h:
1567         (JSC::JSCell::isCustomGetterSetter):
1568         (JSC::JSCell::canUseFastGetOwnProperty):
1569         * runtime/JSFunction.cpp:
1570         (JSC::JSFunction::isHostOrBuiltinFunction): Deleted.
1571         (JSC::JSFunction::isBuiltinFunction): Deleted.
1572         * runtime/JSFunction.h:
1573         * runtime/JSFunctionInlines.h: Inlined some random functions that appeared hot during profiling.
1574         (JSC::JSFunction::isBuiltinFunction):
1575         (JSC::JSFunction::isHostOrBuiltinFunction):
1576         * runtime/JSObject.cpp:
1577         (JSC::JSObject::put):
1578         (JSC::JSObject::putDirectCustomAccessor):
1579         (JSC::JSObject::fillGetterPropertySlot):
1580         (JSC::JSObject::fillCustomGetterPropertySlot):
1581         (JSC::JSObject::getOwnPropertySlotSlow): Deleted.
1582         * runtime/JSObject.h:
1583         (JSC::JSObject::hasCustomGetterSetterProperties):
1584         (JSC::JSObject::convertToDictionary):
1585         (JSC::JSObject::inlineGetOwnPropertySlot):
1586         (JSC::JSObject::getOwnPropertySlotSlow): Inlined because it looked hot during profiling.
1587         (JSC::JSObject::putOwnDataProperty):
1588         (JSC::JSObject::putDirect):
1589         (JSC::JSObject::putDirectWithoutTransition):
1590         * runtime/JSType.h:
1591         * runtime/Lookup.h:
1592         (JSC::reifyStaticProperties):
1593         * runtime/PropertyDescriptor.h:
1594         (JSC::PropertyDescriptor::PropertyDescriptor):
1595         * runtime/Structure.cpp:
1596         (JSC::Structure::Structure):
1597         (JSC::nextOutOfLineStorageCapacity): Deleted.
1598         (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Deleted.
1599         (JSC::Structure::get): Deleted.
1600         * runtime/Structure.h:
1601         (JSC::Structure::hasCustomGetterSetterProperties):
1602         (JSC::Structure::setHasCustomGetterSetterProperties):
1603         * runtime/StructureInlines.h:
1604         (JSC::Structure::get): Inlined due to hotness.
1605         (JSC::nextOutOfLineStorageCapacity): Inlined due to hotness.
1606         (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Inlined due to hotness.
1607         * runtime/VM.cpp:
1608         (JSC::VM::VM):
1609         * runtime/VM.h:
1610         * runtime/WriteBarrier.h:
1611         (JSC::WriteBarrierBase<Unknown>::isCustomGetterSetter):
1612
1613 2014-06-07  Mark Lam  <mark.lam@apple.com>
1614
1615         Structure should initialize its previousID in its constructor.
1616         <https://webkit.org/b/133606>
1617
1618         Reviewed by Mark Hahnenberg.
1619
1620         Currently, the Structure constructor that takes a previous structure will
1621         initialize its previousID to point to the previous structure's previousID.
1622         This is incorrect.  However, the caller of the Structure::create() factory
1623         method (which instantiated the Structure) will later call setPreviousID()
1624         to set the previousID to the correct previous structure.  This makes the
1625         code confusing to read and more error prone in that the structure relies
1626         on client code to fix its invalid previousID.
1627
1628         This patch fixes this by making the Structure constructor initialize
1629         previousID correctly.
1630
1631         * runtime/Structure.cpp:
1632         (JSC::Structure::Structure):
1633         (JSC::Structure::addPropertyTransition):
1634         (JSC::Structure::nonPropertyTransition):
1635         * runtime/Structure.h:
1636         * runtime/StructureInlines.h:
1637         (JSC::Structure::create):
1638
1639 2014-06-06  Andreas Kling  <akling@apple.com>
1640
1641         Indexed getters should return values directly on the PropertySlot.
1642         <https://webkit.org/b/133586>
1643
1644         Remove PropertySlot's custom index mode.
1645
1646         Reviewed by Darin Adler.
1647
1648         * runtime/JSObject.h:
1649         (JSC::PropertySlot::getValue):
1650         * runtime/PropertySlot.h:
1651         (JSC::PropertySlot::setCustomIndex): Deleted.
1652
1653 2014-06-04  Timothy Horton  <timothy_horton@apple.com>
1654
1655         iOS Debug build fix
1656
1657         Rubber-stamped by Filip Pizlo.
1658
1659         * Configurations/LLVMForJSC.xcconfig:
1660         Dead-code strip the llvmForJSC library unconditionally, to work around <rdar://problem/16920916>.
1661
1662 2014-06-04  Oliver Hunt  <oliver@apple.com>
1663
1664         ArrayIterator should not be exposed in Safari 8
1665         https://bugs.webkit.org/show_bug.cgi?id=133494
1666
1667         Reviewed by Michael Saboff.
1668
1669         Separate out types that require constructor objects, and don't
1670         include the iterator types in that list.
1671
1672         * runtime/JSGlobalObject.cpp:
1673         (JSC::JSGlobalObject::reset):
1674         * runtime/JSGlobalObject.h:
1675
1676 2014-06-04  Filip Pizlo  <fpizlo@apple.com>
1677
1678         DFG::Safepoint::begin() should set m_didCallBegin before releasing the rightToRun lock, because otherwise, Safepoint::checkLivenessAndVisitChildren() may assert due to a race
1679         https://bugs.webkit.org/show_bug.cgi?id=133525
1680         <rdar://problem/16790296>
1681
1682         Reviewed by Oliver Hunt.
1683
1684         * dfg/DFGSafepoint.cpp:
1685         (JSC::DFG::Safepoint::begin):
1686
1687 2014-06-03  Filip Pizlo  <fpizlo@apple.com>
1688
1689         LLVM soft-linking should be truly fail-silent
1690         https://bugs.webkit.org/show_bug.cgi?id=133482
1691
1692         Reviewed by Mark Lam.
1693
1694         * llvm/InitializeLLVMPOSIX.cpp:
1695         (JSC::initializeLLVMPOSIX): Missing return statement in the dlsym() returning null case.
1696
1697 2014-06-03  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
1698
1699         REGRESSION(r169092 and r169102): Skip failing JSC tests properly on non-x86 Darwin platforms
1700         https://bugs.webkit.org/show_bug.cgi?id=133149
1701
1702         Reviewed by Csaba Osztrogonác.
1703
1704         * tests/mozilla/mozilla-tests.yaml: Skip js1_5/Regress/regress-159334.js only if the architecture isn't x86 and the host is Darwin.
1705
1706 2014-05-31  Anders Carlsson  <andersca@apple.com>
1707
1708         Add a LazyNeverDestroyed class template and use it
1709         https://bugs.webkit.org/show_bug.cgi?id=133425
1710
1711         Reviewed by Darin Adler.
1712
1713         * dfg/DFGFunctionWhitelist.cpp:
1714         (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
1715         * dfg/DFGFunctionWhitelist.h:
1716
1717 2014-05-28  Filip Pizlo  <fpizlo@apple.com>
1718
1719         DFG::DCEPhase inserts into an insertion set in reverse, causing hilarious basic block corruption if you kill a lot of NewArrays
1720         https://bugs.webkit.org/show_bug.cgi?id=133368
1721
1722         Reviewed by Mark Lam.
1723
1724         * dfg/DFGDCEPhase.cpp:
1725         (JSC::DFG::DCEPhase::fixupBlock): Loop in the right order so that we insert in the right order.
1726         * tests/stress/new-array-dead.js: Added.
1727         (foo):
1728
1729 2014-05-28  Filip Pizlo  <fpizlo@apple.com>
1730
1731         Unreviewed, fix not-x86 32-bit.
1732
1733         * llint/LowLevelInterpreter32_64.asm:
1734
1735 2014-05-27  Filip Pizlo  <fpizlo@apple.com>
1736
1737         Arrayify neglects to inform the clobberizer that it might fire watchpoints
1738         https://bugs.webkit.org/show_bug.cgi?id=133340
1739
1740         Reviewed by Mark Lam.
1741
1742         * dfg/DFGClobberize.h:
1743         (JSC::DFG::clobberize): Be honest.
1744         * llint/LowLevelInterpreter32_64.asm: Profile the object, not its structure.
1745         * tests/stress/arrayify-fires-watchpoint.js: Added.
1746         (foo):
1747         (test):
1748         (makeObjectArray):
1749         * tests/stress/arrayify-structure-bad-test.js: Added.
1750         (foo):
1751         (test):
1752
1753 2014-05-27  Jon Lee  <jonlee@apple.com>
1754
1755         Update ENABLE(MEDIA_SOURCE) on Mac
1756         https://bugs.webkit.org/show_bug.cgi?id=133141
1757
1758         Reviewed by Darin Adler.
1759
1760         * Configurations/FeatureDefines.xcconfig:
1761
1762 2014-05-27  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>
1763
1764         Remove BLOB guards
1765         https://bugs.webkit.org/show_bug.cgi?id=132863
1766
1767         Reviewed by Csaba Osztrogonác.
1768
1769         * Configurations/FeatureDefines.xcconfig:
1770
1771 2014-05-27  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>
1772
1773         Allow building CMake based ports with WEB_REPLAY
1774         https://bugs.webkit.org/show_bug.cgi?id=133154
1775
1776         Reviewed by Csaba Osztrogonác.
1777
1778         * CMakeLists.txt:
1779
1780 2014-05-25  Filip Pizlo  <fpizlo@apple.com>
1781
1782         Latest emscripten life benchmark is 4x slower because the DFG doesn't realize that arithmetic on booleans is a thing
1783         https://bugs.webkit.org/show_bug.cgi?id=133136
1784
1785         Reviewed by Oliver Hunt.
1786         
1787         Some key concepts:
1788
1789         - Except for the prediction propagation and type fixup phases, which are super early in
1790           the pipeline, nobody has to know about the fact that booleans may flow into numerical
1791           operations because there will just be a BooleanToNumber node that will take a value
1792           and, if that value is a boolean, will convert it to the equivalent numerical value. It
1793           will have a BooleanUse mode where it will also speculate that the input is a boolean
1794           but it can also do UntypedUse in which case it will pass through any non-booleans.
1795           This operation is very easy to model in all of the compiler tiers.
1796
1797         - No changes to the baseline JIT. The Baseline JIT will still believe that boolean
1798           inputs require taking the slow path and it will still report that it took slow path
1799           for any such operations.  The DFG will now be smart enough to ignore baseline JIT slow
1800           path profiling on operations that were known to have had boolean inputs.  That's a
1801           little quirky, but it's probably easier than modifying the baseline JIT to track
1802           booleans correctly.
1803         
1804         4.1x speed-up on the emscripten "life" benchmark. Up to 10x speed-up on microbenchmarks.
1805
1806         * bytecode/SpeculatedType.h:
1807         (JSC::isInt32OrBooleanSpeculation):
1808         (JSC::isInt32SpeculationForArithmetic):
1809         (JSC::isInt32OrBooleanSpeculationForArithmetic):
1810         (JSC::isInt32OrBooleanSpeculationExpectingDefined):
1811         (JSC::isInt52Speculation):
1812         (JSC::isMachineIntSpeculation):
1813         (JSC::isFullNumberOrBooleanSpeculation):
1814         (JSC::isFullNumberOrBooleanSpeculationExpectingDefined):
1815         (JSC::isInt32SpeculationExpectingDefined): Deleted.
1816         (JSC::isMachineIntSpeculationExpectingDefined): Deleted.
1817         (JSC::isMachineIntSpeculationForArithmetic): Deleted.
1818         (JSC::isBytecodeNumberSpeculationExpectingDefined): Deleted.
1819         (JSC::isFullNumberSpeculationExpectingDefined): Deleted.
1820         * dfg/DFGAbstractInterpreterInlines.h:
1821         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1822         * dfg/DFGAllocator.h:
1823         (JSC::DFG::Allocator<T>::indexOf):
1824         * dfg/DFGByteCodeParser.cpp:
1825         (JSC::DFG::ByteCodeParser::makeSafe):
1826         (JSC::DFG::ByteCodeParser::makeDivSafe):
1827         (JSC::DFG::ByteCodeParser::handleIntrinsic):
1828         * dfg/DFGCSEPhase.cpp:
1829         (JSC::DFG::CSEPhase::performNodeCSE):
1830         * dfg/DFGClobberize.h:
1831         (JSC::DFG::clobberize):
1832         * dfg/DFGCommon.h:
1833         * dfg/DFGConstantFoldingPhase.cpp:
1834         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1835         * dfg/DFGFixupPhase.cpp:
1836         (JSC::DFG::FixupPhase::fixupNode):
1837         (JSC::DFG::FixupPhase::fixIntConvertingEdge):
1838         (JSC::DFG::FixupPhase::fixIntOrBooleanEdge):
1839         (JSC::DFG::FixupPhase::fixDoubleOrBooleanEdge):
1840         (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
1841         (JSC::DFG::FixupPhase::fixIntEdge): Deleted.
1842         * dfg/DFGGraph.h:
1843         (JSC::DFG::Graph::addSpeculationMode):
1844         (JSC::DFG::Graph::valueAddSpeculationMode):
1845         (JSC::DFG::Graph::arithAddSpeculationMode):
1846         (JSC::DFG::Graph::addShouldSpeculateInt32):
1847         (JSC::DFG::Graph::mulShouldSpeculateInt32):
1848         (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
1849         (JSC::DFG::Graph::negateShouldSpeculateInt32):
1850         (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
1851         (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
1852         (JSC::DFG::Graph::mulImmediateShouldSpeculateInt32): Deleted.
1853         * dfg/DFGNode.h:
1854         (JSC::DFG::Node::sawBooleans):
1855         (JSC::DFG::Node::shouldSpeculateInt32OrBoolean):
1856         (JSC::DFG::Node::shouldSpeculateInt32ForArithmetic):
1857         (JSC::DFG::Node::shouldSpeculateInt32OrBooleanForArithmetic):
1858         (JSC::DFG::Node::shouldSpeculateInt32OrBooleanExpectingDefined):
1859         (JSC::DFG::Node::shouldSpeculateMachineInt):
1860         (JSC::DFG::Node::shouldSpeculateDouble):
1861         (JSC::DFG::Node::shouldSpeculateNumberOrBoolean):
1862         (JSC::DFG::Node::shouldSpeculateNumberOrBooleanExpectingDefined):
1863         (JSC::DFG::Node::shouldSpeculateNumber):
1864         (JSC::DFG::Node::canSpeculateInt32):
1865         (JSC::DFG::Node::canSpeculateInt52):
1866         (JSC::DFG::Node::sourceFor):
1867         (JSC::DFG::Node::shouldSpeculateInt32ExpectingDefined): Deleted.
1868         (JSC::DFG::Node::shouldSpeculateMachineIntForArithmetic): Deleted.
1869         (JSC::DFG::Node::shouldSpeculateMachineIntExpectingDefined): Deleted.
1870         (JSC::DFG::Node::shouldSpeculateDoubleForArithmetic): Deleted.
1871         (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined): Deleted.
1872         * dfg/DFGNodeFlags.cpp:
1873         (JSC::DFG::dumpNodeFlags):
1874         * dfg/DFGNodeFlags.h:
1875         (JSC::DFG::nodeMayOverflow):
1876         (JSC::DFG::nodeMayNegZero):
1877         (JSC::DFG::nodeCanSpeculateInt32):
1878         (JSC::DFG::nodeCanSpeculateInt52):
1879         * dfg/DFGNodeType.h:
1880         * dfg/DFGPredictionPropagationPhase.cpp:
1881         (JSC::DFG::PredictionPropagationPhase::run):
1882         (JSC::DFG::PredictionPropagationPhase::propagateToFixpoint):
1883         (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
1884         (JSC::DFG::PredictionPropagationPhase::propagate):
1885         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
1886         * dfg/DFGSafeToExecute.h:
1887         (JSC::DFG::safeToExecute):
1888         * dfg/DFGSpeculativeJIT.cpp:
1889         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1890         * dfg/DFGSpeculativeJIT32_64.cpp:
1891         (JSC::DFG::SpeculativeJIT::compile):
1892         * dfg/DFGSpeculativeJIT64.cpp:
1893         (JSC::DFG::SpeculativeJIT::compile):
1894         * ftl/FTLCapabilities.cpp:
1895         (JSC::FTL::canCompile):
1896         * ftl/FTLLowerDFGToLLVM.cpp:
1897         (JSC::FTL::LowerDFGToLLVM::compileNode):
1898         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
1899         (JSC::FTL::LowerDFGToLLVM::compileBooleanToNumber):
1900         * runtime/JSCJSValue.h:
1901         * runtime/JSCJSValueInlines.h:
1902         (JSC::JSValue::asInt32ForArithmetic):
1903         * tests/stress/max-boolean-exit.js: Added.
1904         (foo):
1905         (test):
1906         * tests/stress/mul-boolean-exit.js: Added.
1907         (foo):
1908         (test):
1909         * tests/stress/plus-boolean-exit.js: Added.
1910         (foo):
1911         (test):
1912         * tests/stress/plus-boolean-or-double.js: Added.
1913         (foo):
1914         (test):
1915         * tests/stress/plus-boolean-or-int.js: Added.
1916         (foo):
1917         (test):
1918
1919 2014-05-26  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>
1920
1921         Remove dead code from VM.cpp
1922         https://bugs.webkit.org/show_bug.cgi?id=133284
1923
1924         Reviewed by Darin Adler.
1925
1926         This workaround was added in r127505. Since clang is the
1927         only compiler used in this case, this workaround is obsolete.
1928
1929         * runtime/VM.cpp:
1930         (JSC::enableAssembler):
1931
1932 2014-05-26  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
1933
1934         JSC CLoop warning fix
1935         https://bugs.webkit.org/show_bug.cgi?id=133259
1936
1937         Reviewed by Darin Adler.
1938
1939         * llint/LLIntSlowPaths.cpp:
1940         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1941
1942 2014-05-24  Andreas Kling  <akling@apple.com>
1943
1944         Object.prototype.toString() should use cached strings for null/undefined.
1945         <https://webkit.org/b/133261>
1946
1947         Normally, when calling Object.prototype.toString() on a regular object,
1948         we'd cache the result of the stringification on the object's structure,
1949         making repeated calls fast.
1950
1951         For null and undefined, we were not as smart. We'd instead construct a
1952         new string with either "[object Null]" or "[object Undefined]" each time.
1953
1954         This was exposed by Dromaeo's JS library tests, where some prototype.js
1955         subtests generate millions of strings this way.
1956
1957         This patch adds two VM-permanent cached strings to the SmallStrings.
1958         Looks like ~10% speed-up on Dromaeo/jslib-traverse-prototype.html
1959
1960         Reviewed by Darin Adler.
1961
1962         * runtime/ObjectPrototype.cpp:
1963         (JSC::objectProtoFuncToString):
1964         * runtime/SmallStrings.cpp:
1965         (JSC::SmallStrings::SmallStrings):
1966         (JSC::SmallStrings::initializeCommonStrings):
1967         (JSC::SmallStrings::visitStrongReferences):
1968         * runtime/SmallStrings.h:
1969         (JSC::SmallStrings::nullObjectString):
1970         (JSC::SmallStrings::undefinedObjectString):
1971
1972 2014-05-23  Mark Hahnenberg  <mhahnenberg@apple.com>
1973
1974         Remove operationCallGetter
1975
1976         Rubber stamped by Filip Pizlo.
1977
1978         Nobody calls this function.
1979
1980         * JavaScriptCore.order:
1981         * jit/JITOperations.cpp:
1982         * jit/JITOperations.h:
1983
1984 2014-05-23  Andreas Kling  <akling@apple.com>
1985
1986         Templatize GC's destructor invocation for dtor type.
1987         <https://webkit.org/b/133231>
1988
1989         Get rid of a branch in callDestructor() by templatizing it for
1990         the DestructorType. Removed JSCell::methodTableForDestruction()
1991         since this was the only call site and it was jumping through
1992         a bunch of unnecessary hoops.
1993
1994         Reviewed by Geoffrey Garen.
1995
1996         * heap/MarkedBlock.cpp:
1997         (JSC::MarkedBlock::callDestructor):
1998         (JSC::MarkedBlock::specializedSweep):
1999         * heap/MarkedBlock.h:
2000         * runtime/JSCell.h:
2001         * runtime/JSCellInlines.h:
2002         (JSC::JSCell::methodTableForDestruction): Deleted.
2003
2004 2014-05-23  Andreas Kling  <akling@apple.com>
2005
2006         Support inline caching of RegExpMatchesArray.length
2007         <https://webkit.org/b/133234>
2008
2009         Give RegExpMatchesArray.length the same treatment as JSArray in
2010         repatch so we don't have to go out of line on every access.
2011
2012         ~13% speed-up on Octane/regexp.
2013
2014         Reviewed by Geoffrey Garen.
2015
2016         * jit/Repatch.cpp:
2017         (JSC::tryCacheGetByID):
2018         * runtime/RegExpMatchesArray.h:
2019         (JSC::isRegExpMatchesArray):
2020
2021 2014-05-22  Mark Lam  <mark.lam@apple.com>
2022
2023         REGRESSION(r154797): Debugger crashes when stepping over an uncaught exception.
2024         <https://webkit.org/b/133182>
2025
2026         Reviewed by Oliver Hunt.
2027
2028         Before r154797, we used to clear the VM exception before calling into the
2029         debugger.  After r154797, we don't.  This patch will restore this clearing
2030         of the exception before calling into the debugger.
2031
2032         Also added assertions after returning from calls into the debugger to
2033         ensure that the debugger did not introduce any exceptions.
2034
2035         * interpreter/Interpreter.cpp:
2036         (JSC::unwindCallFrame):
2037         (JSC::Interpreter::unwind):
2038         (JSC::Interpreter::debug):
2039         - Fixed the assertion here.  Interpreter::debug() should never be called
2040           with a pending exception.  Debugger callbacks for exceptions should be
2041           handled by Interpreter::unwind() and Interpreter::unwindCallFrame().
2042
2043 2014-05-21  Filip Pizlo  <fpizlo@apple.com>
2044
2045         Store barrier elision should run after DCE in both the DFG path and the FTL path
2046         https://bugs.webkit.org/show_bug.cgi?id=129718
2047
2048         Rubber stamped by Mark Hahnenberg.
2049
2050         * dfg/DFGPlan.cpp:
2051         (JSC::DFG::Plan::compileInThreadImpl):
2052
2053 2014-05-21  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>
2054
2055         [EFL] Add include path of compact_unwind_encoding.h if FTL JIT is enabled
2056         https://bugs.webkit.org/show_bug.cgi?id=132907
2057
2058         Reviewed by Gyuyoung Kim.
2059
2060         * CMakeLists.txt:
2061
2062 2014-05-16  Martin Robinson  <mrobinson@igalia.com>
2063
2064         [CMake] Improve handling of LIB_INSTALL_DIR, EXEC_INSTALL_DIR, and LIBEXEC_INSTALL_DIR
2065         https://bugs.webkit.org/show_bug.cgi?id=132819
2066
2067         Reviewed by Carlos Garcia Campos.
2068
2069         * javascriptcoregtk.pc.in: Instead of using the special pkg-config variables,
2070         use the common CMake ones directly.
2071
2072 2014-05-21  Filip Pizlo  <fpizlo@apple.com>
2073
2074         Unreviewed, roll out http://trac.webkit.org/changeset/169159.
2075         
2076         This was a unilateral change and wasn't properly reviewed.
2077
2078         * tests/mozilla/mozilla-tests.yaml:
2079
2080 2014-05-21  Antoine Quint  <graouts@webkit.org>
2081
2082         Array.prototype.find and findIndex should skip holes
2083         https://bugs.webkit.org/show_bug.cgi?id=132658
2084
2085         Reviewed by Geoffrey Garen.
2086
2087         Skip holes in the array when iterating, so that the callback isn't called for them.
2088
2089         * builtins/Array.prototype.js:
2090         (find):
2091         (findIndex):
2092
2093 2014-05-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>
2094
2095         REGRESSION(r169092 and r169102): Skip failing JSC tests on ARM64 properly
2096         https://bugs.webkit.org/show_bug.cgi?id=133149
2097
2098         Reviewed by Csaba Osztrogonác.
2099
2100         * tests/mozilla/mozilla-tests.yaml:
2101
2102 2014-05-20  Geoffrey Garen  <ggaren@apple.com>
2103
2104         Rolled out <http://trac.webkit.org/changeset/166184>
2105         https://bugs.webkit.org/show_bug.cgi?id=133144
2106
2107         Reviewed by Gavin Barraclough.
2108
2109         It caused a performance regression.
2110
2111         * heap/BlockAllocator.cpp:
2112         (JSC::BlockAllocator::blockFreeingThreadStartFunc):
2113
2114 2014-05-20  Filip Pizlo  <fpizlo@apple.com>
2115
2116         DFG prediction propagation should agree with fixup phase over the return type of GetByVal
2117         https://bugs.webkit.org/show_bug.cgi?id=133134
2118
2119         Reviewed by Mark Hahnenberg.
2120         
2121         Make prediction propagator use ArrayMode refinement to decide the return type.
2122         
2123         Also introduce a heap prediction intrinsic that allows us to test weird corner cases
2124         like this. The only way we'll see a mismatch like this in the real world is probably
2125         through a gnarly race condition.
2126
2127         * dfg/DFGByteCodeParser.cpp:
2128         (JSC::DFG::ByteCodeParser::handleIntrinsic):
2129         * dfg/DFGNode.h:
2130         (JSC::DFG::Node::setHeapPrediction):
2131         * dfg/DFGPredictionPropagationPhase.cpp:
2132         (JSC::DFG::PredictionPropagationPhase::propagate):
2133         * jsc.cpp:
2134         (GlobalObject::finishCreation):
2135         (functionFalse1):
2136         (functionFalse2):
2137         (functionUndefined1):
2138         (functionUndefined2):
2139         (functionFalse): Deleted.
2140         (functionOtherFalse): Deleted.
2141         (functionUndefined): Deleted.
2142         * runtime/Intrinsic.h:
2143         * tests/stress/get-by-val-double-predicted-int.js: Added.
2144         (foo):
2145
2146 2014-05-20  Mark Hahnenberg  <mhahnenberg@apple.com>
2147
2148         Watchdog timer should be lazily allocated
2149         https://bugs.webkit.org/show_bug.cgi?id=133135
2150
2151         Reviewed by Geoffrey Garen.
2152
2153         We incur a noticeable amount of overhead on some benchmarks due to checking if the Watchdog ever fired. 
2154         There is no reason to do this checking if we never activated the Watchdog, which can only be done through 
2155         JSContextGroupSetExecutionTimeLimit or JSContextGroupClearExecutionTimeLimit. 
2156
2157         By allocating the Watchdog lazily on the VM we can avoid all of the associated overhead when we don't use 
2158         these two API functions (which is true of most clients).
2159
2160         * API/JSContextRef.cpp:
2161         (JSContextGroupSetExecutionTimeLimit):
2162         (JSContextGroupClearExecutionTimeLimit):
2163         * dfg/DFGByteCodeParser.cpp:
2164         (JSC::DFG::ByteCodeParser::parseBlock):
2165         * dfg/DFGSpeculativeJIT32_64.cpp:
2166         (JSC::DFG::SpeculativeJIT::compile):
2167         * dfg/DFGSpeculativeJIT64.cpp:
2168         (JSC::DFG::SpeculativeJIT::compile):
2169         * interpreter/Interpreter.cpp:
2170         (JSC::Interpreter::execute):
2171         (JSC::Interpreter::executeCall):
2172         (JSC::Interpreter::executeConstruct):
2173         * jit/JITOpcodes.cpp:
2174         (JSC::JIT::emit_op_loop_hint):
2175         (JSC::JIT::emitSlow_op_loop_hint):
2176         * jit/JITOperations.cpp:
2177         * llint/LLIntSlowPaths.cpp:
2178         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2179         * runtime/VM.h:
2180         * runtime/Watchdog.cpp:
2181         (JSC::Watchdog::Scope::Scope): Deleted.
2182         (JSC::Watchdog::Scope::~Scope): Deleted.
2183         * runtime/Watchdog.h:
2184         (JSC::Watchdog::Scope::Scope):
2185         (JSC::Watchdog::Scope::~Scope):
2186
2187 2014-05-19  Mark Hahnenberg  <mhahnenberg@apple.com>
2188
2189         JSArray::shiftCountWith* could be more efficient
2190         https://bugs.webkit.org/show_bug.cgi?id=133011
2191
2192         Reviewed by Geoffrey Garen.
2193
2194         Our current implementations of shiftCountWithAnyIndexingType and shiftCountWithArrayStorage 
2195         are scared of the presence of any holes in the array. We can mitigate this somewhat by enabling 
2196         them to correctly handle holes, thus avoiding the slowest of slow paths in most cases.
2197
2198         * runtime/ArrayStorage.h:
2199         (JSC::ArrayStorage::indexingHeader):
2200         (JSC::ArrayStorage::length):
2201         (JSC::ArrayStorage::hasHoles):
2202         * runtime/IndexingHeader.h:
2203         (JSC::IndexingHeader::publicLength):
2204         (JSC::IndexingHeader::from):
2205         * runtime/JSArray.cpp:
2206         (JSC::JSArray::shiftCountWithArrayStorage):
2207         (JSC::JSArray::shiftCountWithAnyIndexingType):
2208         (JSC::JSArray::unshiftCountWithArrayStorage):
2209         * runtime/JSArray.h:
2210         (JSC::JSArray::shiftCountForShift):
2211         (JSC::JSArray::shiftCountForSplice):
2212         (JSC::JSArray::shiftCount):
2213         * runtime/Structure.cpp:
2214         (JSC::Structure::holesRequireSpecialBehavior):
2215         * runtime/Structure.h:
2216
2217 2014-05-19  Filip Pizlo  <fpizlo@apple.com>
2218
2219         Test gardening: skip some failing tests on not-X86.
2220
2221         * tests/mozilla/mozilla-tests.yaml:
2222
2223 2014-05-19  Mark Lam  <mark.lam@apple.com>
2224
2225         operationOptimize() should defer the GC for a while.
2226         <https://webkit.org/b/133103>
2227
2228         Reviewed by Filip Pizlo.
2229
2230         Currently, operationOptimize() only defers the GC until its end.  As a result,
2231         a GC may be triggered just before we return from operationOptimize(), and it may
2232         jettison the optimized codeBlock that we're planning to OSR enter into when we
2233         return from this function.  This is because the OSR entry on-ramp code hasn't
2234         been executed yet, and hence, there is not yet a reference to this new codeBlock
2235         from the stack, and there won't be until we've had a chance to return out of
2236         operationOptimize() to run the OSR entry on-ramp code.
2237
2238         This issue is now fixed by using DeferGCForAWhile instead of DeferGC.  This
2239         ensures that the GC will be deferred until after the OSR entry on-ramp can be
2240         executed.
2241
2242         * jit/JITOperations.cpp:
2243
2244 2014-05-19  Filip Pizlo  <fpizlo@apple.com>
2245
2246         Take care of some ARM64 test failures
2247         https://bugs.webkit.org/show_bug.cgi?id=133090
2248
2249         Reviewed by Geoffrey Garen.
2250         
2251         Constant blinding on ARM64 cannot use the scratch register.
2252
2253         * assembler/MacroAssembler.h:
2254         (JSC::MacroAssembler::convertInt32ToDouble):
2255         (JSC::MacroAssembler::branchPtr):
2256         (JSC::MacroAssembler::storePtr):
2257         (JSC::MacroAssembler::store64):
2258         * assembler/MacroAssemblerARM64.h:
2259         (JSC::MacroAssemblerARM64::scratchRegisterForBlinding):
2260
2261 2014-05-19  Tanay C  <tanay.c@samsung.com>
2262
2263         Removing some check-webkit-style warnings from ./dfg
2264         https://bugs.webkit.org/show_bug.cgi?id=132854
2265
2266         Reviewed by Darin Adler.
2267
2268         * dfg/DFGAbstractInterpreter.h:
2269         * dfg/DFGAbstractValue.h:
2270         * dfg/DFGBlockInsertionSet.h:
2271         * dfg/DFGCommonData.h:
2272         * dfg/DFGDominators.h:
2273         * dfg/DFGGraph.h:
2274         * dfg/DFGInPlaceAbstractState.h:
2275         * dfg/DFGPredictionPropagationPhase.h:
2276
2277 2014-05-18  Filip Pizlo  <fpizlo@apple.com>
2278
2279         Unreviewed, remove bogus comment. We already made the FTL use our calling convention.
2280         That was a long time ago.
2281
2282         * ftl/FTLLowerDFGToLLVM.cpp:
2283         (JSC::FTL::LowerDFGToLLVM::compileReturn):
2284
2285 2014-05-18  Rik Cabanier  <cabanier@adobe.com>
2286
2287         support for navigator.hardwareConcurrency
2288         https://bugs.webkit.org/show_bug.cgi?id=132588
2289
2290         Reviewed by Filip Pizlo.
2291
2292         * Configurations/FeatureDefines.xcconfig:
2293
2294 2014-05-16  Michael Saboff  <msaboff@apple.com>
2295
2296         Crash in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed() due to WTF::CrashOnOverflow::overflowed + 9
2297         https://bugs.webkit.org/show_bug.cgi?id=133009
2298
2299         Reviewed by Oliver Hunt.
2300
2301         If we determine that any alternative requires a minimum match size greater than
2302         INT_MAX, we handle the match in the interpreter.
2303
2304         Check to see if the pattern has unsigned lengths before invoking YARR JIT.
2305         * runtime/RegExp.cpp:
2306         (JSC::RegExp::compile):
2307         (JSC::RegExp::compileMatchOnly):
2308
2309         * tests/stress/large-regexp.js: New test added.
2310
2311         Set m_containsUnsignedLengthPattern flag if any alternative's minimum length
2312         doesn't fit in an int.
2313         * yarr/YarrPattern.cpp:
2314         (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):
2315
2316         Clear new m_containsUnsignedLengthPattern flag.
2317         * yarr/YarrPattern.cpp:
2318         (JSC::Yarr::YarrPattern::YarrPattern):
2319         * yarr/YarrPattern.h:
2320         (JSC::Yarr::YarrPattern::reset):
2321         (JSC::Yarr::YarrPattern::containsUnsignedLengthPattern):
2322
2323 2014-05-15  Mark Hahnenberg  <mhahnenberg@apple.com>
2324
2325         JSDOMWindow should not claim HasImpureGetOwnPropertySlot
2326         https://bugs.webkit.org/show_bug.cgi?id=132918
2327
2328         Reviewed by Geoffrey Garen.
2329
2330         * jit/Repatch.cpp:
2331         (JSC::tryRepatchIn): We forgot to check for watchpoints when repatching "in".
2332
2333 2014-05-15  Alex Christensen  <achristensen@webkit.org>
2334
2335         Add pointer lock to features without enabling it.
2336         https://bugs.webkit.org/show_bug.cgi?id=132961
2337
2338         Reviewed by Sam Weinig.
2339
2340         * Configurations/FeatureDefines.xcconfig:
2341         Added ENABLE_POINTER_LOCK to list of features.
2342
2343 2014-05-14  Mark Hahnenberg  <mhahnenberg@apple.com>
2344
2345         Inline caching for proxies clobbers baseGPR too early
2346         https://bugs.webkit.org/show_bug.cgi?id=132916
2347
2348         Reviewed by Filip Pizlo.
2349
2350         We clobber baseGPR prior to the Structure checks, so if any of the checks fail then the slow path 
2351         gets the target of the proxy rather than the proxy itself. We need to delay the clobbering of baseGPR 
2352         until we know the inline cache is going to succeed.
2353
2354         * jit/Repatch.cpp:
2355         (JSC::generateByIdStub):
2356
2357 2014-05-14  Brent Fulgham  <bfulgham@apple.com>
2358
2359         [Win] Unreviewed build fix.
2360
2361         * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: This solution
2362         was missing commands to build LLInt portions of JSC.
2363         * llint/LLIntData.cpp: 64-bit build fix.
2364
2365 2014-05-14  Martin Hodovan <mhodovan.u-szeged@partner.samsung.com>
2366
2367         ARM Traditional buildfix after r168776.
2368         https://bugs.webkit.org/show_bug.cgi?id=132903
2369
2370         Reviewed by Darin Adler.
2371
2372         * assembler/MacroAssemblerARM.h:
2373         (JSC::MacroAssemblerARM::abortWithReason): Added.
2374
2375 2014-05-14  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>
2376
2377         Remove CSS_STICKY_POSITION guards
2378         https://bugs.webkit.org/show_bug.cgi?id=132676
2379
2380         Reviewed by Simon Fraser.
2381
2382         * Configurations/FeatureDefines.xcconfig:
2383
2384 2014-05-13  Filip Pizlo  <fpizlo@apple.com>
2385
2386         JIT breakpoints should be more informative
2387         https://bugs.webkit.org/show_bug.cgi?id=132882
2388
2389         Reviewed by Oliver Hunt.
2390         
2391         Introduce the notion of an AbortReason, which is a nice enumeration of coded assertion
2392         failure names. This means that all you need to figure out why the JIT SIGTRAP'd is to look
2393         at that platform's abort reason register (r11 on X86-64 for example).
2394
2395         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2396         * JavaScriptCore.xcodeproj/project.pbxproj:
2397         * assembler/AbortReason.h: Added.
2398         * assembler/AbstractMacroAssembler.h:
2399         * assembler/MacroAssemblerARM64.h:
2400         (JSC::MacroAssemblerARM64::abortWithReason):
2401         * assembler/MacroAssemblerARMv7.h:
2402         (JSC::MacroAssemblerARMv7::abortWithReason):
2403         * assembler/MacroAssemblerX86.h:
2404         (JSC::MacroAssemblerX86::abortWithReason):
2405         * assembler/MacroAssemblerX86_64.h:
2406         (JSC::MacroAssemblerX86_64::abortWithReason):
2407         * dfg/DFGSlowPathGenerator.h:
2408         (JSC::DFG::SlowPathGenerator::generate):
2409         * dfg/DFGSpeculativeJIT.cpp:
2410         (JSC::DFG::SpeculativeJIT::bail):
2411         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2412         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2413         * dfg/DFGSpeculativeJIT.h:
2414         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
2415         * dfg/DFGSpeculativeJIT32_64.cpp:
2416         (JSC::DFG::SpeculativeJIT::compile):
2417         * dfg/DFGSpeculativeJIT64.cpp:
2418         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2419         (JSC::DFG::SpeculativeJIT::compile):
2420         * dfg/DFGThunks.cpp:
2421         (JSC::DFG::osrEntryThunkGenerator):
2422         * jit/AssemblyHelpers.cpp:
2423         (JSC::AssemblyHelpers::jitAssertIsInt32):
2424         (JSC::AssemblyHelpers::jitAssertIsJSInt32):
2425         (JSC::AssemblyHelpers::jitAssertIsJSNumber):
2426         (JSC::AssemblyHelpers::jitAssertIsJSDouble):
2427         (JSC::AssemblyHelpers::jitAssertIsCell):
2428         (JSC::AssemblyHelpers::jitAssertTagsInPlace):
2429         (JSC::AssemblyHelpers::jitAssertHasValidCallFrame):
2430         (JSC::AssemblyHelpers::jitAssertIsNull):
2431         (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
2432         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
2433         * jit/AssemblyHelpers.h:
2434         (JSC::AssemblyHelpers::checkStackPointerAlignment):
2435         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): Deleted.
2436         * jit/JIT.h:
2437         * jit/JITArithmetic.cpp:
2438         (JSC::JIT::emitSlow_op_div):
2439         * jit/JITOpcodes.cpp:
2440         (JSC::JIT::emitSlow_op_loop_hint):
2441         * jit/JITOpcodes32_64.cpp:
2442         (JSC::JIT::privateCompileCTINativeCall):
2443         * jit/JITPropertyAccess.cpp:
2444         (JSC::JIT::emit_op_get_by_val):
2445         (JSC::JIT::compileGetDirectOffset):
2446         (JSC::JIT::addStructureTransitionCheck): Deleted.
2447         (JSC::JIT::testPrototype): Deleted.
2448         * jit/JITPropertyAccess32_64.cpp:
2449         (JSC::JIT::emit_op_get_by_val):
2450         (JSC::JIT::compileGetDirectOffset):
2451         * jit/RegisterPreservationWrapperGenerator.cpp:
2452         (JSC::generateRegisterRestoration):
2453         * jit/Repatch.cpp:
2454         (JSC::addStructureTransitionCheck):
2455         (JSC::linkClosureCall):
2456         * jit/ThunkGenerators.cpp:
2457         (JSC::emitPointerValidation):
2458         (JSC::nativeForGenerator):
2459         * yarr/YarrJIT.cpp:
2460         (JSC::Yarr::YarrGenerator::generate):
2461
2462 2014-05-13  peavo@outlook.com  <peavo@outlook.com>
2463
2464         [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
2465         https://bugs.webkit.org/show_bug.cgi?id=132772
2466
2467         Reviewed by Geoffrey Garen.
2468
2469         Using the MSVC compiler, an instance of an enum type with value zero is compatible with void* (see bug 132683 for a code example).
2470         This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
2471         This patch tries to prevent these types of crashes by using a type with explicit constructors instead of void*.
2472         The void* parameter in the loadDouble and storeDouble methods is replaced with TrustedImmPtr.
2473
2474         * assembler/MacroAssemblerARM.h:
2475         (JSC::MacroAssemblerARM::loadDouble):
2476         (JSC::MacroAssemblerARM::storeDouble):
2477         * assembler/MacroAssemblerARM64.h:
2478         (JSC::MacroAssemblerARM64::loadDouble):
2479         (JSC::MacroAssemblerARM64::storeDouble):
2480         * assembler/MacroAssemblerARMv7.h:
2481         (JSC::MacroAssemblerARMv7::loadDouble):
2482         (JSC::MacroAssemblerARMv7::storeDouble):
2483         * assembler/MacroAssemblerMIPS.h:
2484         (JSC::MacroAssemblerMIPS::loadDouble):
2485         (JSC::MacroAssemblerMIPS::storeDouble):
2486         * assembler/MacroAssemblerSH4.h:
2487         (JSC::MacroAssemblerSH4::loadDouble):
2488         (JSC::MacroAssemblerSH4::storeDouble):
2489         * assembler/MacroAssemblerX86.h:
2490         (JSC::MacroAssemblerX86::storeDouble):
2491         * assembler/MacroAssemblerX86Common.h:
2492         (JSC::MacroAssemblerX86Common::absDouble):
2493         (JSC::MacroAssemblerX86Common::negateDouble):
2494         (JSC::MacroAssemblerX86Common::loadDouble):
2495         * dfg/DFGSpeculativeJIT.cpp:
2496         (JSC::DFG::SpeculativeJIT::silentFill):
2497         (JSC::DFG::compileClampDoubleToByte):
2498         * dfg/DFGSpeculativeJIT32_64.cpp:
2499         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2500         (JSC::DFG::SpeculativeJIT::compile):
2501         * jit/AssemblyHelpers.cpp:
2502         (JSC::AssemblyHelpers::purifyNaN):
2503         * jit/JITInlines.h:
2504         (JSC::JIT::emitLoadDouble):
2505         * jit/JITPropertyAccess.cpp:
2506         (JSC::JIT::emitFloatTypedArrayGetByVal):
2507         * jit/ThunkGenerators.cpp:
2508         (JSC::floorThunkGenerator):
2509         (JSC::roundThunkGenerator):
2510         (JSC::powThunkGenerator):
2511
2512 2014-05-12  Commit Queue  <commit-queue@webkit.org>
2513
2514         Unreviewed, rolling out r168642.
2515         https://bugs.webkit.org/show_bug.cgi?id=132839
2516
2517         Broke ARM build (Requested by jpfau on #webkit).
2518
2519         Reverted changeset:
2520
2521         "[Win] Enum type with value zero is compatible with void*,
2522         potential cause of crashes."
2523         https://bugs.webkit.org/show_bug.cgi?id=132772
2524         http://trac.webkit.org/changeset/168642
2525
2526 2014-05-12  peavo@outlook.com  <peavo@outlook.com>
2527
2528         [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
2529         https://bugs.webkit.org/show_bug.cgi?id=132772
2530
2531         Reviewed by Geoffrey Garen.
2532
2533         Using the MSVC compiler, an instance of an enum type with value zero is compatible with void* (see bug 132683 for a code example).
2534         This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
2535         This patch tries to prevent these types of crashes by using a type with explicit constructors instead of void*.
2536         The void* parameter in the loadDouble and storeDouble methods is replaced with TrustedImmPtr.
2537
2538         * assembler/MacroAssemblerARM.h:
2539         (JSC::MacroAssemblerARM::loadDouble):
2540         (JSC::MacroAssemblerARM::storeDouble):
2541         * assembler/MacroAssemblerARM64.h:
2542         (JSC::MacroAssemblerARM64::loadDouble):
2543         (JSC::MacroAssemblerARM64::storeDouble):
2544         * assembler/MacroAssemblerARMv7.h:
2545         (JSC::MacroAssemblerARMv7::loadDouble):
2546         (JSC::MacroAssemblerARMv7::storeDouble):
2547         * assembler/MacroAssemblerMIPS.h:
2548         (JSC::MacroAssemblerMIPS::loadDouble):
2549         (JSC::MacroAssemblerMIPS::storeDouble):
2550         * assembler/MacroAssemblerSH4.h:
2551         (JSC::MacroAssemblerSH4::loadDouble):
2552         (JSC::MacroAssemblerSH4::storeDouble):
2553         * assembler/MacroAssemblerX86.h:
2554         (JSC::MacroAssemblerX86::storeDouble):
2555         * assembler/MacroAssemblerX86Common.h:
2556         (JSC::MacroAssemblerX86Common::absDouble):
2557         (JSC::MacroAssemblerX86Common::negateDouble):
2558         (JSC::MacroAssemblerX86Common::loadDouble):
2559         * dfg/DFGSpeculativeJIT.cpp:
2560         (JSC::DFG::SpeculativeJIT::silentFill):
2561         (JSC::DFG::compileClampDoubleToByte):
2562         * dfg/DFGSpeculativeJIT32_64.cpp:
2563         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2564         (JSC::DFG::SpeculativeJIT::compile):
2565         * jit/AssemblyHelpers.cpp:
2566         (JSC::AssemblyHelpers::purifyNaN):
2567         * jit/JITInlines.h:
2568         (JSC::JIT::emitLoadDouble):
2569         * jit/JITPropertyAccess.cpp:
2570         (JSC::JIT::emitFloatTypedArrayGetByVal):
2571         * jit/ThunkGenerators.cpp:
2572         (JSC::floorThunkGenerator):
2573         (JSC::roundThunkGenerator):
2574         (JSC::powThunkGenerator):
2575
2576 2014-05-12  Andreas Kling  <akling@apple.com>
2577
2578         0.4% of PLT3 in JSCell::structure() below JSObject::visitChildren().
2579         <https://webkit.org/b/132828>
2580         <rdar://problem/16886285>
2581
2582         Reviewed by Michael Saboff.
2583
2584         * runtime/JSObject.cpp:
2585         (JSC::JSObject::visitButterfly):
2586         (JSC::JSObject::visitChildren):
2587
2588             Use JSCell::structure(VM&) to reduce the number of hoops we jump
2589             through to find Structures during marking.
2590
2591 2014-05-12  László Langó  <llango.u-szeged@partner.samsung.com>
2592
2593         [cmake] Add missing FTL source files to the build system.
2594
2595         Reviewed by Csaba Osztrogonác.
2596
2597         * CMakeLists.txt:
2598
2599 2014-05-09  Joseph Pecoraro  <pecoraro@apple.com>
2600
2601         Web Inspector: Allow Remote Inspector to entitlement check UIProcess through WebProcess
2602         https://bugs.webkit.org/show_bug.cgi?id=132409
2603
2604         Reviewed by Timothy Hatcher.
2605
2606         Proxy applications are applications which hold WebViews for other
2607         applications. The WebProcess (Web Content Service) is a proxy application.
2608         For legacy reasons we were supporting a scenario where proxy applications
2609         could potentially host WebViews for more than one other application. That
2610         was never the case for WebProcess and it is now a scenario we don't need
2611         to worry about supporting.
2612
2613         With this change, a proxy application more naturally only holds WebViews
2614         for a single parent / host application. The proxy process can set the
2615         parent pid / audit_token data on the RemoteInspector singleton, and
2616         that data will be sent on to webinspectord later on to be validated.
2617         In the WebProcess<->UIProcess relationship that information is known
2618         and set immediately. In the Legacy iOS case that information is set
2619         soon after, but not immediately known at the point the WebView is created.
2620
2621         This allows us to simplify the RemoteInspectorDebuggable interface.
2622         We no longer need a pid per-Debuggable.
2623
2624         * inspector/remote/RemoteInspector.h:
2625         * inspector/remote/RemoteInspector.mm:
2626         (Inspector::RemoteInspector::RemoteInspector):
2627         (Inspector::RemoteInspector::setParentProcessInformation):
2628         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
2629         (Inspector::RemoteInspector::listingForDebuggable):
2630         (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
2631         Handle new proxy application setup message, and provide an API
2632         for a proxy application to set the parent process information.
2633
2634         * inspector/remote/RemoteInspectorConstants.h:
2635         New setup and response message for proxy applications to pass
2636         their parent / host application information to webinspectord.
2637
2638         * inspector/remote/RemoteInspectorDebuggable.cpp:
2639         (Inspector::RemoteInspectorDebuggable::info):
2640         * inspector/remote/RemoteInspectorDebuggable.h:
2641         (Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo):
2642         (Inspector::RemoteInspectorDebuggableInfo::hasParentProcess): Deleted.
2643         A pid per debuggable is no longer needed.
2644
2645 2014-05-09  Mark Hahnenberg  <mhahnenberg@apple.com>
2646
2647         JSDOMWindow should disable property caching after a certain point
2648         https://bugs.webkit.org/show_bug.cgi?id=132751
2649
2650         Reviewed by Filip Pizlo.
2651
2652         This is part of removing HasImpureGetOwnPropertySlot from JSDOMWindow. After the lookup in the static 
2653         hash table for JSDOMWindow fails we want to disable property caching even if the code that follows thinks 
2654         that it has provided a cacheable value.
2655
2656         * runtime/PropertySlot.h:
2657         (JSC::PropertySlot::PropertySlot):
2658         (JSC::PropertySlot::isCacheable):
2659         (JSC::PropertySlot::disableCaching):
2660
2661 2014-05-09  Andreas Kling  <akling@apple.com>
2662
2663         8.8% spent in Object.prototype.hasOwnProperty() on sbperftest.
2664         <https://webkit.org/b/132749>
2665
2666         Leverage the fast-resolve-to-AtomicString optimization for JSRopeString
2667         in Object.prototype.* by using JSString::toIdentifier() in the cases where
2668         we are converting JSString -> String -> Identifier.
2669
2670         This brings time spent in hasOwnProperty() from 8.8% to 1.3% on
2671         "The Great HTML5 Gaming Performance Test: 2014 edition"
2672         <http://www.scirra.com/demos/c2/sbperftest/>
2673
2674         Reviewed by Oliver Hunt.
2675
2676         * runtime/ObjectPrototype.cpp:
2677         (JSC::objectProtoFuncHasOwnProperty):
2678         (JSC::objectProtoFuncDefineGetter):
2679         (JSC::objectProtoFuncDefineSetter):
2680         (JSC::objectProtoFuncLookupGetter):
2681         (JSC::objectProtoFuncLookupSetter):
2682
2683 2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>
2684
2685         JSDOMWindow should have a WatchpointSet to fire on window close
2686         https://bugs.webkit.org/show_bug.cgi?id=132721
2687
2688         Reviewed by Filip Pizlo.
2689
2690         This patch allows us to reset the inline caches that assumed they could skip 
2691         the first part of JSDOMWindow::getOwnPropertySlot that checks if the window has 
2692         been closed. This is part of getting rid of HasImpureGetOwnPropertySlot on JSDOMWindow.
2693
2694         PropertySlot now accepts a WatchpointSet which the inline cache code can look for
2695         to see if it should create a new Watchpoint for that particular inline cache site.
2696
2697         * bytecode/Watchpoint.h:
2698         * jit/Repatch.cpp:
2699         (JSC::generateByIdStub):
2700         (JSC::tryBuildGetByIDList):
2701         (JSC::tryCachePutByID):
2702         (JSC::tryBuildPutByIdList):
2703         * runtime/PropertySlot.h:
2704         (JSC::PropertySlot::PropertySlot):
2705         (JSC::PropertySlot::watchpointSet):
2706         (JSC::PropertySlot::setWatchpointSet):
2707
2708 2014-05-09  Tanay C  <tanay.c@samsung.com>
2709
2710         Fix build warning (uninitialized variable) in DFGFixupPhase.cpp 
2711         https://bugs.webkit.org/show_bug.cgi?id=132331
2712
2713         Reviewed by Darin Adler.
2714
2715         * dfg/DFGFixupPhase.cpp:
2716         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2717
2718 2014-05-09  peavo@outlook.com  <peavo@outlook.com>
2719
2720         [Win] Crash when enabling DFG JIT.
2721         https://bugs.webkit.org/show_bug.cgi?id=132683
2722
2723         Reviewed by Geoffrey Garen.
2724
2725         On Windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0)),
2726         results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
2727         where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
2728         This causes the register to be written to address 0, hence the crash.
2729
2730         * dfg/DFGOSRExitCompiler32_64.cpp:
2731         (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
2732         * dfg/DFGOSRExitCompiler64.cpp:
2733         (JSC::DFG::OSRExitCompiler::compileExit): Ditto.
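
        The overload-resolution hazard described in this entry and the fix landed in the 2014-05-13 entry (bug 132772), as an added example that is not WebKit's code: a toy model of the MacroAssembler API in which the absolute-address operand is an explicitly constructed TrustedImmPtr rather than a raw const void*. The enumerators, ImplicitAddress, the string-returning storeDouble bodies and selectedFor() are constructed for illustration and only follow JSC's real API in spirit.

```cpp
// Added example, not WebKit's code: a minimal model of the TrustedImmPtr fix.
// Names follow JSC's MacroAssembler API in spirit; every body here is constructed.
#include <cstdint>
#include <iostream>
#include <string>
#include <type_traits>

// Constructed register enumerators. On 32-bit Windows regT0 is eax, whose
// encoding is 0, the value that made the call mis-resolve to the pointer overload.
enum RegisterID { eax = 0, ecx = 1, edx = 2 };
enum FPRegisterID { xmm0 = 0, xmm1 = 1 };

// Base-register addressing, implicitly constructible from a RegisterID
// (as JSC's ImplicitAddress is).
struct ImplicitAddress {
    ImplicitAddress(RegisterID base) : base(base), offset(0) {}
    RegisterID base;
    int32_t offset;
};

// Absolute-address operand. The constructor is explicit, so nothing but a
// spelled-out TrustedImmPtr(p) can select the absolute-address overload.
struct TrustedImmPtr {
    explicit TrustedImmPtr(const void* p) : value(p) {}
    const void* value;
};

enum class Operand { BaseRegister, AbsoluteAddress };

// The two storeDouble overloads after the fix. Had the second one taken a raw
// `const void*`, a compiler that treats a zero-valued enumerator as a null pointer
// constant (the C++03 rule the ChangeLog attributes to MSVC) would prefer it for
// storeDouble(src, eax) and emit a store to address 0. With TrustedImmPtr the
// only viable conversion for a RegisterID is to ImplicitAddress.
std::string storeDouble(FPRegisterID src, ImplicitAddress address) {
    return "movsd [reg" + std::to_string(static_cast<int>(address.base)) + "+"
         + std::to_string(address.offset) + "], xmm" + std::to_string(static_cast<int>(src));
}

std::string storeDouble(FPRegisterID src, TrustedImmPtr address) {
    return "movsd [abs " + std::to_string(reinterpret_cast<uintptr_t>(address.value))
         + "], xmm" + std::to_string(static_cast<int>(src));
}

// Reports which operand form a given argument resolves to, so the choice can be
// checked without parsing the emitted text.
Operand selectedFor(ImplicitAddress) { return Operand::BaseRegister; }
Operand selectedFor(TrustedImmPtr) { return Operand::AbsoluteAddress; }

// Compile-time guards that pin the intended conversions: a register id can never
// become an address operand, and a raw pointer must be wrapped on purpose.
static_assert(std::is_convertible<RegisterID, ImplicitAddress>::value,
              "register operands must keep working");
static_assert(!std::is_convertible<RegisterID, TrustedImmPtr>::value,
              "a RegisterID must never silently become an absolute address");
static_assert(!std::is_convertible<const void*, TrustedImmPtr>::value,
              "absolute addresses must be spelled out as TrustedImmPtr(p)");

int main() {
    static double slot = 0.0;   // constructed target for the absolute-address store
    std::cout << storeDouble(xmm0, eax) << "\n"                   // base-register form
              << storeDouble(xmm1, TrustedImmPtr(&slot)) << "\n";  // absolute form
    return 0;
}
```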
2734
2735 2014-05-09  Martin Hodovan <mhodovan.u-szeged@partner.samsung.com>
2736
2737         REGRESSION(r167094): JSC crashes on ARM Traditional
2738         https://bugs.webkit.org/show_bug.cgi?id=132738
2739
2740         Reviewed by Zoltan Herczeg.
2741
2742         PC is two instructions ahead of the current instruction
2743         on ARM Traditional, so the distance is 8 bytes not 2.
2744
2745         * llint/LowLevelInterpreter.asm:
2746
2747 2014-05-09  Alberto Garcia  <berto@igalia.com>
2748
2749         jsmin.py license header confusing, mentions non-free license
2750         https://bugs.webkit.org/show_bug.cgi?id=123665
2751
2752         Reviewed by Darin Adler.
2753
2754         Pull the most recent version from upstream, which has a clear
2755         license.
2756
2757         * inspector/scripts/jsmin.py:
2758
2759 2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>
2760
2761         Base case for get-by-id inline cache doesn't check for HasImpureGetOwnPropertySlot
2762         https://bugs.webkit.org/show_bug.cgi?id=132695
2763
2764         Reviewed by Filip Pizlo.
2765
2766         We check in the case where we're accessing something other than the base object (e.g. the prototype), 
2767         but we fail to do so for the base object.
2768
2769         * jit/Repatch.cpp:
2770         (JSC::tryCacheGetByID):
2771         (JSC::tryBuildGetByIDList):
2772         * jsc.cpp: Added some infrastructure to support this test. We don't currently trigger this bug anywhere in WebKit
2773         because all of the values that are returned that could be impure are set to uncacheable anyways.
2774         (WTF::ImpureGetter::ImpureGetter):
2775         (WTF::ImpureGetter::createStructure):
2776         (WTF::ImpureGetter::create):
2777         (WTF::ImpureGetter::finishCreation):
2778         (WTF::ImpureGetter::getOwnPropertySlot):
2779         (WTF::ImpureGetter::visitChildren):
2780         (WTF::ImpureGetter::setDelegate):
2781         (GlobalObject::finishCreation):
2782         (functionCreateImpureGetter):
2783         (functionSetImpureGetterDelegate):
2784         * tests/stress/impure-get-own-property-slot-inline-cache.js: Added.
2785         (foo):
2786
2787 2014-05-08  Filip Pizlo  <fpizlo@apple.com>
2788
2789         deleteAllCompiledCode() shouldn't use the suspension worklist
2790         https://bugs.webkit.org/show_bug.cgi?id=132708
2791
2792         Reviewed by Mark Hahnenberg.
2793
2794         * bytecode/CodeBlock.cpp:
2795         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
2796         * dfg/DFGPlan.cpp:
2797         (JSC::DFG::Plan::isStillValid):
2798         * heap/Heap.cpp:
2799         (JSC::Heap::deleteAllCompiledCode):
2800
2801 2014-05-08  Filip Pizlo  <fpizlo@apple.com>
2802
2803         SSA conversion should delete PhantomLocals for captured variables
2804         https://bugs.webkit.org/show_bug.cgi?id=132693
2805
2806         Reviewed by Mark Hahnenberg.
2807
2808         * dfg/DFGCommon.cpp:
2809         (JSC::DFG::startCrashing): Parallel JIT and a JIT bug means that we may dump IR in parallel. This is the workaround. This patch uses it in all of the places where we dump IR and crash.
2810         * dfg/DFGCommon.h:
2811         * dfg/DFGFixupPhase.cpp:
2812         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): Use the workaround.
2813         * dfg/DFGLivenessAnalysisPhase.cpp:
2814         (JSC::DFG::LivenessAnalysisPhase::run): Use the workaround.
2815         * dfg/DFGSSAConversionPhase.cpp:
2816         (JSC::DFG::SSAConversionPhase::run): Fix the bug - it's true that PhantomLocal for captured variables doesn't need anything done to it, but it's wrong that we didn't delete it outright.
2817         * dfg/DFGValidate.cpp: Use the workaround.
2818         * tests/stress/phantom-local-captured-but-not-flushed-to-ssa.js: Added.
2819         (foo):
2820         (bar):
2821
2822 2014-05-07  Commit Queue  <commit-queue@webkit.org>
2823
2824         Unreviewed, rolling out r168451.
2825         https://bugs.webkit.org/show_bug.cgi?id=132670
2826
2827         Not a speed-up, just do what other compilers do. (Requested by
2828         kling on #webkit).
2829
2830         Reverted changeset:
2831
2832         "[X86] Emit BT instruction for single-bit tests."
2833         https://bugs.webkit.org/show_bug.cgi?id=132650
2834         http://trac.webkit.org/changeset/168451
2835
2836 2014-05-07  Filip Pizlo  <fpizlo@apple.com>
2837
2838         Make Executable::clearCode() actually clear all of the entrypoints, and
2839         clean up some other FTL-related calling convention stuff.
2840         <rdar://problem/16720172>
2841
2842         Rubber stamped by Mark Hahnenberg.
2843
2844         * dfg/DFGOperations.cpp:
2845         * dfg/DFGOperations.h:
2846         * dfg/DFGWorklist.cpp:
2847         (JSC::DFG::Worklist::Worklist):
2848         (JSC::DFG::Worklist::finishCreation):
2849         (JSC::DFG::Worklist::create):
2850         (JSC::DFG::ensureGlobalDFGWorklist):
2851         (JSC::DFG::ensureGlobalFTLWorklist):
2852         * dfg/DFGWorklist.h:
2853         * heap/CodeBlockSet.cpp:
2854         (JSC::CodeBlockSet::dump):
2855         * heap/CodeBlockSet.h:
2856         * runtime/Executable.cpp:
2857         (JSC::ExecutableBase::clearCode):
2858
2859 2014-05-07  Andreas Kling  <akling@apple.com>
2860
2861         [X86] Emit BT instruction for single-bit tests.
2862         <https://webkit.org/b/132650>
2863
2864         Implement test-bit-and-branch slightly more efficiently by using
2865         BT + JC/JNC instead of TEST + JZ/JNZ when we're only testing for
2866         a single bit.
2867
2868         Reviewed by Michael Saboff.
2869
2870         * assembler/MacroAssemblerX86Common.h:
2871         (JSC::MacroAssemblerX86Common::singleBitIndex):
2872         (JSC::MacroAssemblerX86Common::branchTest32):
2873         * assembler/X86Assembler.h:
2874         (JSC::X86Assembler::bt_i8r):
2875         (JSC::X86Assembler::bt_i8m):
2876
2877 2014-05-07  Mark Lam  <mark.lam@apple.com>
2878
2879         REGRESSION(r166678): Dromaeo/cssquery-dojo.html crashes regularly.
2880         <https://webkit.org/b/131356>
2881
2882         Reviewed by Geoffrey Garen.
2883
2884         The issue is that GC needs to be made aware of writes to m_inferredValue
2885         in the VariableWatchpointSet, but was not.  As a result, if a JSCell*
2886         is written to a VariableWatchpointSet m_inferredValue, and that JSCell
2887         does not survive an eden GC shortly after, we will end up with a stale
2888         JSCell pointer left in the m_inferredValue.
2889
2890         This issue can be detected more easily by running Dromaeo/cssquery-dojo.html
2891         using DumpRenderTree with the VM heap in zombie mode.
2892
2893         The fix is to change VariableWatchpointSet m_inferredValue to type
2894         WriteBarrier<Unknown> and ensure that VariableWatchpointSet::notifyWrite()
2895         is executed by all the execution engines so that the WriteBarrier semantics
2896         are honored.
2897
2898         We still check if the value to be written is the same as the one in the
2899         inferredValue.  We'll bypass calling the slow path notifyWrite() if the
2900         values are the same.
2901
2902         * JavaScriptCore.xcodeproj/project.pbxproj:
2903         * bytecode/CodeBlock.cpp:
2904         (JSC::CodeBlock::CodeBlock):
2905         - need to pass the symbolTable to prepareToWatch() because it will be needed
2906           for instantiating the VariableWatchpointSet in prepareToWatch().
2907
2908         * bytecode/VariableWatchpointSet.h:
2909         (JSC::VariableWatchpointSet::VariableWatchpointSet):
2910         - VariableWatchpointSet now tracks its owner symbol table for its m_inferredValue
2911           write barrier, and yes, m_inferredValue is now of type WriteBarrier<Unknown>.
2912         (JSC::VariableWatchpointSet::inferredValue):
2913         (JSC::VariableWatchpointSet::invalidate):
2914         (JSC::VariableWatchpointSet::finalizeUnconditionally):
2915         (JSC::VariableWatchpointSet::addressOfInferredValue):
2916         (JSC::VariableWatchpointSet::notifyWrite): Deleted.
2917         * bytecode/VariableWatchpointSetInlines.h: Added.
2918         (JSC::VariableWatchpointSet::notifyWrite):
2919
2920         * dfg/DFGByteCodeParser.cpp:
2921         (JSC::DFG::ByteCodeParser::cellConstant):
2922         - Added an assert in case we try to make constants of zombified JSCells again.
2923
2924         * dfg/DFGOperations.cpp:
2925         * dfg/DFGOperations.h:
2926         * dfg/DFGSpeculativeJIT.h:
2927         (JSC::DFG::SpeculativeJIT::callOperation):
2928         * dfg/DFGSpeculativeJIT32_64.cpp:
2929         (JSC::DFG::SpeculativeJIT::compile):
2930         * dfg/DFGSpeculativeJIT64.cpp:
2931         (JSC::DFG::SpeculativeJIT::compile):
2932         - We now let the slow path handle the cases when the VariableWatchpointSet is
2933           in state ClearWatchpoint and IsWatched, and the slow path will ensure that
2934           we handle the needed write barrier semantics correctly.
2935           We will by-pass the slow path if the value being written is the same as the
2936           inferred value.
2937
2938         * ftl/FTLIntrinsicRepository.h:
2939         * ftl/FTLLowerDFGToLLVM.cpp:
2940         (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
2941         - Let the slow path handle the cases when the VariableWatchpointSet is
2942           in state ClearWatchpoint and IsWatched.
2943           We will by-pass the slow path if the value being written is the same as the
2944           inferred value.
2945
2946         * heap/Heap.cpp:
2947         (JSC::Zombify::operator()):
2948         - Use a different value for the zombified bits (to distinguish it from 0xbbadbeef
2949           which is used everywhere else).
2950         * heap/Heap.h:
2951         (JSC::Heap::isZombified):
2952         - Provide a convenience test function to check if JSCells are zombified.  This is
2953           currently only used in an assertion in the DFG bytecode parser, but the intent
2954           it is that we'll apply this test in other strategic places later to help with early
2955           detection of usage of GC'ed objects when we run in zombie mode.
2956
2957         * jit/JITOpcodes.cpp:
2958         (JSC::JIT::emitSlow_op_captured_mov):
2959         * jit/JITOperations.h:
2960         * jit/JITPropertyAccess.cpp:
2961         (JSC::JIT::emitNotifyWrite):
2962         * jit/JITPropertyAccess32_64.cpp:
2963         (JSC::JIT::emitNotifyWrite):
2964         (JSC::JIT::emitSlow_op_put_to_scope):
2965         - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
2966           is in state ClearWatchpoint and IsWatched.
2967           We will by-pass the slow path if the value being written is the same as the
2968           inferred value.
2969
2970         * llint/LowLevelInterpreter32_64.asm:
2971         * llint/LowLevelInterpreter64.asm:
2972         - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
2973           is in state ClearWatchpoint and IsWatched.
2974           We will by-pass the slow path if the value being written is the same as the
2975           inferred value.
2976
2977         * runtime/CommonSlowPaths.cpp:
2978
2979         * runtime/JSCJSValue.h: Fixed some typos in the comments.
2980         * runtime/JSGlobalObject.cpp:
2981         (JSC::JSGlobalObject::addGlobalVar):
2982         (JSC::JSGlobalObject::addFunction):
2983         * runtime/JSSymbolTableObject.h:
2984         (JSC::symbolTablePut):
2985         (JSC::symbolTablePutWithAttributes):
2986         * runtime/SymbolTable.cpp:
2987         (JSC::SymbolTableEntry::prepareToWatch):
2988         (JSC::SymbolTableEntry::notifyWriteSlow):
2989         * runtime/SymbolTable.h:
2990         (JSC::SymbolTableEntry::notifyWrite):
2991
2992 2014-05-06  Michael Saboff  <msaboff@apple.com>
2993
2994         Unreviewed build fix for C-LOOP after r168396.
2995
2996         * runtime/TestRunnerUtils.cpp:
2997         (JSC::optimizeNextInvocation): Wrapped actual call inside #if ENABLE(JIT)
2998
2999 2014-05-06  Michael Saboff  <msaboff@apple.com>
3000
3001         Add test for deleteAllCompiledCode
3002         https://bugs.webkit.org/show_bug.cgi?id=132632
3003
3004         Reviewed by Phil Pizlo.
3005
3006         Added two new hooks to jsc, one to call Heap::deleteAllCompiledCode() and
3007         the other to call CodeBlock::optimizeNextInvocation().  Used these two hooks
3008         to write a test that will queue up loads of DFG compiles and then call
3009         Heap::deleteAllCompiledCode() to make sure that it can handle compiled
3010         code as well as code being compiled.
3011
3012         * jsc.cpp:
3013         (GlobalObject::finishCreation):
3014         (functionDeleteAllCompiledCode):
3015         (functionOptimizeNextInvocation):
3016         * runtime/TestRunnerUtils.cpp:
3017         (JSC::optimizeNextInvocation):
3018         * runtime/TestRunnerUtils.h:
3019         * tests/stress/deleteAllCompiledCode.js: Added.
3020         (functionList):
3021         (runTest):
3022
3023 2014-05-06  Andreas Kling  <akling@apple.com>
3024
3025         JSString::toAtomicString() should return AtomicString.
3026         <https://webkit.org/b/132627>
3027
3028         Remove premature optimization where I was trying to avoid refcount
3029         churn when returning an already atomicized String.
3030
3031         Instead of using reinterpret_cast to mangle the String member into
3032         a const AtomicString& return value, just return AtomicString.
3033
3034         Reviewed by Geoff Garen.
3035
3036         * runtime/JSString.h:
3037         (JSC::JSString::toAtomicString):
3038
3039 2014-05-06  Mark Hahnenberg  <mhahnenberg@apple.com>
3040
3041         Roll out r167889
3042
3043         Rubber stamped by Geoff Garen.
3044
3045         It broke some websites.
3046
3047         * runtime/JSPropertyNameIterator.cpp:
3048         (JSC::JSPropertyNameIterator::create):
3049         * runtime/PropertyMapHashTable.h:
3050         (JSC::PropertyTable::hasDeletedOffset):
3051         (JSC::PropertyTable::hadDeletedOffset): Deleted.
3052         * runtime/Structure.cpp:
3053         (JSC::Structure::Structure):
3054         (JSC::Structure::materializePropertyMap):
3055         (JSC::Structure::removePropertyTransition):
3056         (JSC::Structure::changePrototypeTransition):
3057         (JSC::Structure::despecifyFunctionTransition):
3058         (JSC::Structure::attributeChangeTransition):
3059         (JSC::Structure::toDictionaryTransition):
3060         (JSC::Structure::preventExtensionsTransition):
3061         (JSC::Structure::addPropertyWithoutTransition):
3062         (JSC::Structure::removePropertyWithoutTransition):
3063         (JSC::Structure::pin):
3064         (JSC::Structure::pinAndPreventTransitions): Deleted.
3065         * runtime/Structure.h:
3066         * runtime/StructureInlines.h:
3067         (JSC::Structure::setEnumerationCache):
3068         (JSC::Structure::propertyTable):
3069         (JSC::Structure::checkOffsetConsistency):
3070         (JSC::Structure::hadDeletedOffsets): Deleted.
3071         * tests/stress/for-in-after-delete.js:
3072         (foo): Deleted.
3073
3074 2014-05-05  Andreas Kling  <akling@apple.com>
3075
3076         Fix debug build.
3077
3078         * runtime/JSCellInlines.h:
3079         (JSC::JSCell::fastGetOwnProperty):
3080
3081 2014-05-05  Andreas Kling  <akling@apple.com>
3082
3083         Optimize GetByVal when subscript is a rope string.
3084         <https://webkit.org/b/132590>
3085
3086         Use JSString::toIdentifier() in the various GetByVal implementations
3087         to try and avoid allocating extra strings.
3088
3089         Added canUseFastGetOwnProperty() and wrap calls to fastGetOwnProperty()
3090         in that, to avoid calling JSString::value() which always resolves ropes
3091         into new strings and de-optimizes subsequent toIdentifier() calls.
3092
3093         My iMac says ~9% progression on Dromaeo/dom-attr.html
3094
3095         Reviewed by Phil Pizlo.
3096
3097         * dfg/DFGOperations.cpp:
3098         * jit/JITOperations.cpp:
3099         (JSC::getByVal):
3100         * llint/LLIntSlowPaths.cpp:
3101         (JSC::LLInt::getByVal):
3102         * runtime/JSCell.h:
3103         * runtime/JSCellInlines.h:
3104         (JSC::JSCell::fastGetOwnProperty):
3105         (JSC::JSCell::canUseFastGetOwnProperty):
3106
3107 2014-05-05  Andreas Kling  <akling@apple.com>
3108
3109         REGRESSION (r168256): ASSERTION FAILED: (buffer + m_length) == position loading vanityfair.com article.
3110         <https://webkit.org/b/168256>
3111         <rdar://problem/16816316>
3112
3113         Make resolveRopeSlowCase8() behave like its 16-bit counterpart and not
3114         clear the fibers. The caller takes care of this.
3115
3116         Test: fast/dom/getElementById-with-rope-string-arg.html
3117
3118         Reviewed by Geoffrey Garen.
3119
3120         * runtime/JSString.cpp:
3121         (JSC::JSRopeString::resolveRopeSlowCase8):
3122
3123 2014-05-05  Michael Saboff  <msaboff@apple.com>
3124
3125         REGRESSION: RELEASE_ASSERT in CodeBlock::baselineVersion @ cnn.com
3126         https://bugs.webkit.org/show_bug.cgi?id=132581
3127
3128         Reviewed by Filip Pizlo.
3129
3130         * dfg/DFGPlan.cpp:
3131         (JSC::DFG::Plan::isStillValid): Check that the alternative codeBlock we
3132         started compiling for is still the same at the end of compilation.
3133         Also did some minor restructuring.
3134
3135 2014-05-05  Andreas Kling  <akling@apple.com>
3136
3137         Optimize PutByVal when subscript is a rope string.
3138         <https://webkit.org/b/132572>
3139
3140         Add a JSString::toIdentifier() that is smarter when the JSString is
3141         really a rope string. Use this in baseline & DFG's PutByVal to avoid
3142         allocating new StringImpls that we immediately deduplicate anyway.
3143
3144         Reviewed by Antti Koivisto.
3145
3146         * dfg/DFGOperations.cpp:
3147         (JSC::DFG::operationPutByValInternal):
3148         * jit/JITOperations.cpp:
3149         * runtime/JSString.h:
3150         (JSC::JSString::toIdentifier):
3151
3152 2014-05-05  Andreas Kling  <akling@apple.com>
3153
3154         Remove two now-incorrect assertions after r168256.
3155
3156         * runtime/JSString.cpp:
3157         (JSC::JSRopeString::resolveRopeSlowCase8):
3158         (JSC::JSRopeString::resolveRopeSlowCase):
3159
3160 2014-05-04  Andreas Kling  <akling@apple.com>
3161
3162         Optimize JSRopeString for resolving directly to AtomicString.
3163         <https://webkit.org/b/132548>
3164
3165         If we know that the JSRopeString we are resolving is going to be used
3166         as an AtomicString, we can try to avoid creating a new string.
3167
3168         We do this by first resolving the rope into a stack buffer, and using
3169         that buffer as a key into the AtomicString table. If there is already
3170         an AtomicString with the same characters, we reuse that instead of
3171         constructing a new StringImpl.
3172
3173         JSString gains these two public functions:
3174
3175         - AtomicString toAtomicString()
3176
3177             Returns an AtomicString, tries to avoid allocating a new string
3178             if possible.
3179
3180         - AtomicStringImpl* toExistingAtomicString()
3181
3182             Returns a non-null AtomicStringImpl* if one already exists in the
3183             AtomicString table. If none is found, the rope is left unresolved.
3184
3185         Reviewed by Filip Pizlo.
3186
3187         * runtime/JSString.cpp:
3188         (JSC::JSRopeString::resolveRopeInternal8):
3189         (JSC::JSRopeString::resolveRopeInternal16):
3190         (JSC::JSRopeString::resolveRopeToAtomicString):
3191         (JSC::JSRopeString::clearFibers):
3192         (JSC::JSRopeString::resolveRopeToExistingAtomicString):
3193         (JSC::JSRopeString::resolveRope):
3194         (JSC::JSRopeString::outOfMemory):
3195         * runtime/JSString.h:
3196         (JSC::JSString::toAtomicString):
3197         (JSC::JSString::toExistingAtomicString):
3198
3199 2014-05-04  Andreas Kling  <akling@apple.com>
3200
3201         Unreviewed, rolling out r168254.
3202
3203         Very crashy on debug JSC tests.
3204
3205         Reverted changeset:
3206
3207         "jsSubstring() should be lazy"
3208         https://bugs.webkit.org/show_bug.cgi?id=132556
3209         http://trac.webkit.org/changeset/168254
3210
3211 2014-05-04  Filip Pizlo  <fpizlo@apple.com>
3212
3213         jsSubstring() should be lazy
3214         https://bugs.webkit.org/show_bug.cgi?id=132556
3215
3216         Reviewed by Andreas Kling.
3217
3218         jsSubstring() is now lazy by using a special rope that is a substring instead of a
3219         concatenation. To make this patch super simple, we require that a substring's base is
3220         never a rope. Hence, when resolving a rope, we either go down a non-recursive substring
3221         path, or we go down a concatenation path which may see exactly one level of substrings in
3222         its fibers.
3223
3224         This is up to a 50% speed-up on microbenchmarks and a 10% speed-up on Octane/regexp.
3225
3226         * heap/MarkedBlock.cpp:
3227         (JSC::MarkedBlock::specializedSweep):
3228         * runtime/JSString.cpp:
3229         (JSC::JSRopeString::visitFibers):
3230         (JSC::JSRopeString::resolveRope):
3231         (JSC::JSRopeString::resolveRopeSlowCase8):
3232         (JSC::JSRopeString::resolveRopeSlowCase):
3233         (JSC::JSRopeString::outOfMemory):
3234         * runtime/JSString.h:
3235         (JSC::JSRopeString::finishCreation):
3236         (JSC::JSRopeString::append):
3237         (JSC::JSRopeString::create):
3238         (JSC::JSRopeString::offsetOfFibers):
3239         (JSC::JSRopeString::fiber):
3240         (JSC::JSRopeString::substringBase):
3241         (JSC::JSRopeString::substringOffset):
3242         (JSC::JSRopeString::substringSentinel):
3243         (JSC::JSRopeString::isSubstring):
3244         (JSC::jsSubstring):
3245         * runtime/RegExpMatchesArray.cpp:
3246         (JSC::RegExpMatchesArray::reifyAllProperties):
3247         * runtime/StringPrototype.cpp:
3248         (JSC::stringProtoFuncSubstring):
3249
3250 2014-05-02  Michael Saboff  <msaboff@apple.com>
3251
3252         "arm64 function not 4-byte aligned" warnings when building JSC
3253         https://bugs.webkit.org/show_bug.cgi?id=132495
3254
3255         Reviewed by Geoffrey Garen.
3256
3257         Added ".align 4" for both ARM Thumb2 and ARM 64 to silence the linker.
3258
3259         * llint/LowLevelInterpreter.cpp:
3260
3261 2014-05-02  Mark Hahnenberg  <mhahnenberg@apple.com>
3262
3263         Fix cloop build after r168178
3264
3265         * bytecode/CodeBlock.cpp:
3266
3267 2014-05-01  Mark Hahnenberg  <mhahnenberg@apple.com>
3268
3269         Add a DFG function whitelist
3270         https://bugs.webkit.org/show_bug.cgi?id=132437
3271
3272         Reviewed by Geoffrey Garen.
3273
3274         Oftentimes when debugging, using bytecode ranges isn't enough to narrow down to the
3275         particular DFG block that's causing issues. This patch adds the ability to whitelist
3276         specific functions specified in a file to enable further filtering without having to recompile.
3277
3278         * CMakeLists.txt:
3279         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3280         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3281         * JavaScriptCore.xcodeproj/project.pbxproj:
3282         * dfg/DFGCapabilities.cpp:
3283         (JSC::DFG::isSupported):
3284         (JSC::DFG::mightInlineFunctionForCall):
3285         (JSC::DFG::mightInlineFunctionForClosureCall):
3286         (JSC::DFG::mightInlineFunctionForConstruct):
3287         * dfg/DFGFunctionWhitelist.cpp: Added.
3288         (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
3289         (JSC::DFG::FunctionWhitelist::FunctionWhitelist):
3290         (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
3291         (JSC::DFG::FunctionWhitelist::contains):
3292         * dfg/DFGFunctionWhitelist.h: Added.
3293         * runtime/Options.cpp:
3294         (JSC::parse):
3295         (JSC::Options::dumpOption):
3296         * runtime/Options.h:
3297
3298 2014-05-02  Filip Pizlo  <fpizlo@apple.com>
3299
3300         DFGAbstractInterpreter should not claim Int52 arithmetic creates Int52s
3301         https://bugs.webkit.org/show_bug.cgi?id=132446
3302
3303         Reviewed by Mark Hahnenberg.
3304
3305         Basically any arithmetic operation can turn an Int52 into an Int32 or vice-versa, and
3306         our modeling of Int52Rep nodes is such that they can have either Int32 or Int52 type
3307         to indicate a bound on the value. This is useful for knowing, for example, that
3308         Int52Rep(Int32:) returns a value that cannot be outside the Int32 range. Also,
3309         ValueRep(Int52Rep:) uses this to determine whether it may return a double or an int.
3310         But this means that all arithmetic operations must be careful to note that they may
3311         turn Int32 inputs into an Int52 output or vice-versa, as these new tests show.
3312
3313         * dfg/DFGAbstractInterpreterInlines.h:
3314         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3315         * dfg/DFGByteCodeParser.cpp:
3316         (JSC::DFG::ByteCodeParser::makeSafe):
3317         * tests/stress/int52-ai-add-then-filter-int32.js: Added.
3318         (foo):
3319         * tests/stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js: Added.
3320         (foo):
3321         * tests/stress/int52-ai-mul-then-filter-int32-directly.js: Added.
3322         (foo):
3323         * tests/stress/int52-ai-mul-then-filter-int32.js: Added.
3324         (foo):
3325         * tests/stress/int52-ai-neg-then-filter-int32.js: Added.
3326         (foo):
3327         * tests/stress/int52-ai-sub-then-filter-int32.js: Added.
3328         (foo):
3329
3330 2014-05-01  Geoffrey Garen  <ggaren@apple.com>
3331
3332         JavaScriptCore fails to build with some versions of clang
3333         https://bugs.webkit.org/show_bug.cgi?id=132436
3334
3335         Reviewed by Anders Carlsson.
3336
3337         * runtime/ArgumentsIteratorConstructor.cpp: Since we call
3338         putDirectWithoutTransition, and it calls putWillGrowOutOfLineStorage,
3339         and both are marked inline, it's valid for the compiler to decide
3340         to inline both and emit neither in the binary. Therefore, we need
3341         both inline definitions to be available in the translation unit at
3342         compile time, or we'll try to link against a function that doesn't exist.
3343
3344 2014-05-01  Commit Queue  <commit-queue@webkit.org>
3345
3346         Unreviewed, rolling out r167964.
3347         https://bugs.webkit.org/show_bug.cgi?id=132431
3348
3349         Memory improvements should not regress memory usage (Requested
3350         by olliej on #webkit).
3351
3352         Reverted changeset:
3353
3354         "Don't hold on to parameter BindingNodes forever"
3355         https://bugs.webkit.org/show_bug.cgi?id=132360
3356         http://trac.webkit.org/changeset/167964
3357
3358 2014-05-01  Filip Pizlo  <fpizlo@apple.com>
3359
3360         Fix trivial debug-only race-that-crashes in CallLinkStatus and explain why the remaining races are totally awesome
3361         https://bugs.webkit.org/show_bug.cgi?id=132427
3362
3363         Reviewed by Mark Hahnenberg.
3364
3365         * bytecode/CallLinkStatus.cpp:
3366         (JSC::CallLinkStatus::computeFor):
3367
3368 2014-04-30  Simon Fraser  <simon.fraser@apple.com>
3369
3370         Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO
3371         https://bugs.webkit.org/show_bug.cgi?id=132396
3372
3373         Reviewed by Eric Carlson.
3374
3375         Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO and related code.
3376
3377         * Configurations/FeatureDefines.xcconfig:
3378
3379 2014-04-30  Filip Pizlo  <fpizlo@apple.com>
3380
3381         Argument flush formats should not be presumed to be JSValue since 'this' is weird
3382         https://bugs.webkit.org/show_bug.cgi?id=132404
3383
3384         Reviewed by Michael Saboff.
3385
3386         * dfg/DFGSpeculativeJIT.cpp:
3387         (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Don't assume that arguments are flushed as JSValue. Use the logic for locals instead.
3388         * dfg/DFGSpeculativeJIT32_64.cpp:
3389         (JSC::DFG::SpeculativeJIT::compile): SetArgument "changes" the format because before this we wouldn't know we had arguments.
3390         * dfg/DFGSpeculativeJIT64.cpp:
3391         (JSC::DFG::SpeculativeJIT::compile): Ditto.
3392         * dfg/DFGValueSource.cpp:
3393         (JSC::DFG::ValueSource::dumpInContext): Make this easier to dump.
3394         * dfg/DFGValueSource.h:
3395         (JSC::DFG::ValueSource::operator!): Make this easier to dump because Operands<T> uses T::operator!().
3396         * ftl/FTLOSREntry.cpp:
3397         (JSC::FTL::prepareOSREntry): This had a useful assertion for everything except 'this'.
3398         * tests/stress/strict-to-this-int.js: Added.
3399         (foo):
3400         (Number.prototype.valueOf):
3401         (test):
3402
3403 2014-04-29  Oliver Hunt  <oliver@apple.com>
3404
3405         Don't hold on to parameterBindingNodes forever
3406         https://bugs.webkit.org/show_bug.cgi?id=132360
3407
3408         Reviewed by Geoffrey Garen.
3409
3410         Don't keep the parameter nodes anymore. Instead we store the
3411         original parameter string and reparse whenever we actually
3412         need them. Because we only actually need them for compilation
3413         this only results in a single extra parse.
3414
3415         * bytecode/UnlinkedCodeBlock.cpp:
3416         (JSC::generateFunctionCodeBlock):
3417         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3418         (JSC::UnlinkedFunctionExecutable::visitChildren):
3419         (JSC::UnlinkedFunctionExecutable::finishCreation):
3420         (JSC::UnlinkedFunctionExecutable::paramString):
3421         (JSC::UnlinkedFunctionExecutable::parameters):
3422         (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
3423         * bytecode/UnlinkedCodeBlock.h:
3424         (JSC::UnlinkedFunctionExecutable::create):
3425         (JSC::UnlinkedFunctionExecutable::parameterCount):
3426         (JSC::UnlinkedFunctionExecutable::parameters): Deleted.
3427         (JSC::UnlinkedFunctionExecutable::finishCreation): Deleted.
3428         * parser/ASTBuilder.h:
3429         (JSC::ASTBuilder::ASTBuilder):
3430         (JSC::ASTBuilder::setFunctionBodyParameters):
3431         * parser/Nodes.h:
3432         (JSC::FunctionBodyNode::parametersStartOffset):
3433         (JSC::FunctionBodyNode::parametersEndOffset):
3434         (JSC::FunctionBodyNode::setParameterLocation):
3435         * parser/Parser.cpp:
3436         (JSC::Parser<LexerType>::parseFunctionInfo):
3437         (JSC::parseParameters):