Generated color wheel displays incorrectly (regressed in r155567)
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2013-11-03  Filip Pizlo  <fpizlo@apple.com>

        Generated color wheel displays incorrectly (regressed in r155567)
        https://bugs.webkit.org/show_bug.cgi?id=123664

        Reviewed by Andreas Kling.

        Interestingly, r155567 just "un-broke" the attempt to constant-fold ArithMod, but
        that constant folding was just wrong to begin with. There is no evidence that this
        constant folding rule is profitable. I'm removing it instead of trying to think
        about what it means for it to be correct.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):

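The following is an added illustration, not code from this ChangeLog or from JavaScriptCore, of why folding ArithMod on two int32 constants can disagree with the JavaScript `%` that would be evaluated at run time; the helper names are assumptions.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>

// Constructed example (not JSC code). JavaScript's % is defined on doubles: the result
// takes the sign of the dividend (so -4 % 2 is -0), x % 0 is NaN, and there is no
// INT_MIN % -1 trap. An int32 constant fold cannot express -0 or NaN at all.

// The kind of fold a compiler might apply to two int32 operands. Returns false where
// C++ itself would have undefined behaviour, so the caller knows no value was produced.
bool naiveInt32Fold(int32_t a, int32_t b, int32_t& out)
{
    if (b == 0)
        return false;                                       // integer division by zero
    if (a == std::numeric_limits<int32_t>::min() && b == -1)
        return false;                                       // INT_MIN % -1 is UB in C++
    out = a % b;                                            // truncates toward zero
    return true;
}

// The semantics ECMAScript specifies for %, which match fmod on doubles.
double jsMod(double a, double b)
{
    if (std::isnan(a) || std::isnan(b) || std::isinf(a) || b == 0)
        return std::numeric_limits<double>::quiet_NaN();
    if (std::isinf(b) || a == 0)
        return a;                                           // keeps the dividend's sign, -0 included
    return std::fmod(a, b);                                 // fmod also keeps the dividend's sign
}

// True when the int32 fold would bake in a value that differs from the run-time result.
bool foldDisagreesWithRuntime(int32_t a, int32_t b)
{
    int32_t folded;
    if (!naiveInt32Fold(a, b, folded))
        return true;                                        // JS still has a defined answer here
    double actual = jsMod(a, b);
    if (std::isnan(actual))
        return true;
    if (actual == 0 && std::signbit(actual))
        return true;                                        // -0 is not representable as int32
    return static_cast<double>(folded) != actual;
}
```
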
2013-11-03  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, it is no longer necessary to call DisablePrettyStackTrace.

        * llvm/library/LLVMExports.cpp:
        (initializeAndGetJSCLLVMAPI):

2013-11-02  Mark Lam  <mark.lam@apple.com>

        Assertion failure in non-JIT'ed LLInt on ARM Thumb.
        https://bugs.webkit.org/show_bug.cgi?id=97569.

        Reviewed by Geoffrey Garen.

        * assembler/MacroAssemblerCodeRef.h:
        - Thumb2 alignment assertions do not apply to the C Loop LLINT because
          the arguments passed to those assertions are actually OpcodeIDs
          masquerading as addresses.
        * llint/LLIntOfflineAsmConfig.h:
        - Some of the #defines belong in the !ENABLE(LLINT_C_LOOP) section.
          Moving them there.
        * llint/LowLevelInterpreter.cpp:
        - Keep the compiler happy from some unreferenced C Loop labels.

2013-11-02  Filip Pizlo  <fpizlo@apple.com>

        FTL should use LLVM intrinsics for OSR exit, watchpoints, inline caches, and stack layout
        https://bugs.webkit.org/show_bug.cgi?id=122318

        Reviewed by Geoffrey Garen.

        This all now works. This patch just updates our implementation to work with LLVM trunk,
        and removes all of the old code that tried to do OSR exits and heap accesses without
        the benefit of those intrinsics.

        In particular:

        - StackMaps parsing now uses the new, less compact, but more future-proof, format.

        - Remove the ftlUsesStackmaps() option and hard-code ftlUsesStackmaps = true. Remove
          all code for ftlUsesStackmaps = false, since that was only there for back when we
          didn't have the intrinsics.

        - Remove the other experimental OSR options (useLLVMOSRExitIntrinsic,
          ftlTrapsOnOSRExit, and FTLOSRExitOmitsMarshalling).

        - Remove LowerDFGToLLVM's use of the ExitThunkGenerator since we don't need to generate
          the exit thunks until after we parse the stackmaps.

        - Remove all of the exit thunk and compiler code for the no-stackmaps case.

        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLExitThunkGenerator.cpp:
        (JSC::FTL::ExitThunkGenerator::emitThunk):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::forStackmaps):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::compileGetById):
        (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        (JSC::FTL::LowerDFGToLLVM::callStackmap):
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
        * ftl/FTLOSRExitCompilationInfo.h:
        (JSC::FTL::OSRExitCompilationInfo::OSRExitCompilationInfo):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        (JSC::FTL::compileFTLOSRExit):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Location::parse):
        (JSC::FTL::StackMaps::parse):
        (WTF::printInternal):
        * ftl/FTLStackMaps.h:
        * ftl/FTLThunks.cpp:
        (JSC::FTL::osrExitGenerationThunkGenerator):
        * ftl/FTLThunks.h:
        (JSC::FTL::Thunks::getOSRExitGenerationThunk):
        * runtime/Options.h:

2013-11-02  Patrick Gansterer  <paroga@webkit.org>

        Add missing getHostCallReturnValue() for MSVC ARM
        https://bugs.webkit.org/show_bug.cgi?id=123685

        Reviewed by Darin Adler.

        * jit/JITStubsARM.h:

2013-11-02  Patrick Gansterer  <paroga@webkit.org>

        Fix MSVC warning about unary minus operator
        https://bugs.webkit.org/show_bug.cgi?id=123674

        Reviewed by Darin Adler.

        Change some static_cast<> to silence the following warning of Microsoft compiler:
        warning C4146: unary minus operator applied to unsigned type, result still unsigned

        * jit/Repatch.cpp:
        (JSC::emitPutTransitionStub):

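An added example, not code from this ChangeLog or from Repatch.cpp, of what warning C4146 guards against: negating a uint32_t displacement before widening it yields a large positive value, whereas converting to a signed type first gives the intended negative offset. The function names are assumptions.

```cpp
#include <cstdint>

// Constructed example (not JSC code). Unary minus on an unsigned operand stays unsigned,
// wrapping to 2^32 - offset; this is exactly what MSVC's C4146 warns about.

// The pattern the warning flags. After widening, the wrapped value is still positive, so
// a caller expecting -offset gets 4294967288 for offset == 8.
int64_t negateUnsignedThenWiden(uint32_t offset)
{
    uint32_t negated = -offset;                  // C4146: result still unsigned
    return static_cast<int64_t>(negated);
}

// One correct pattern: convert to a signed type first, then negate.
int64_t widenThenNegate(uint32_t offset)
{
    return -static_cast<int64_t>(offset);
}

// Applies a signed displacement to a base address with wraparound, the way patching code
// computes a target relative to a base. With the buggy helper the result lands about 4 GB
// past base instead of 8 bytes before it.
uint64_t applyDisplacement(uint64_t base, int64_t displacement)
{
    return base + static_cast<uint64_t>(displacement);
}
```
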
2013-11-02  Filip Pizlo  <fpizlo@apple.com>

        Disable LLVM's pretty stack traces, which involve intercepting fatal signals
        https://bugs.webkit.org/show_bug.cgi?id=123681

        Reviewed by Geoffrey Garen.

        * llvm/library/LLVMExports.cpp:
        (initializeAndGetJSCLLVMAPI):

2013-11-02  Filip Pizlo  <fpizlo@apple.com>

        LLVM assertion failures should funnel into WTF's crash handling
        https://bugs.webkit.org/show_bug.cgi?id=123682

        Reviewed by Geoffrey Garen.

        Inside llvmForJSC, we override assertion-related functions and funnel them
        into g_llvmTrapCallback(). We also now register a fatal error handler inside
        the library and funnel that into g_llvmTrapCallback, and have
        initializeAndGetJSCLLVMAPI() take such a callback as an argument.

        Inside JSC, we no longer call LLVMInstallFatalErrorHandler() but instead we
        pass WTFLogAlwaysAndCrash() as the trap callback for llvmForJSC.

        * llvm/InitializeLLVM.cpp:
        (JSC::initializeLLVM):
        * llvm/InitializeLLVMPOSIX.cpp:
        (JSC::initializeLLVMPOSIX):
        * llvm/library/LLVMExports.cpp:
        (llvmCrash):
        (initializeAndGetJSCLLVMAPI):
        * llvm/library/LLVMOverrides.cpp:
        (raise):
        (__assert_rtn):
        (abort):
        * llvm/library/LLVMTrapCallback.h: Added.

2013-11-02  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock::jettison() shouldn't call baselineVersion()
        https://bugs.webkit.org/show_bug.cgi?id=123675

        Reviewed by Geoffrey Garen.

        Fix more uses of baselineVersion().

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * bytecode/CodeBlock.h:
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):

2013-11-02  Filip Pizlo  <fpizlo@apple.com>

        LLVM asserts in internal-js-tests.yaml/Octane/stress-tests/mandreel.js
        https://bugs.webkit.org/show_bug.cgi?id=123535

        Reviewed by Geoffrey Garen.

        Use double comparisons for doubles.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::doubleToInt32):

2013-11-02  Patrick Gansterer  <paroga@webkit.org>

        Various small WinCE build fixes

        * jsc.cpp:
        (main):

2013-11-02  Patrick Gansterer  <paroga@webkit.org>

        Fix MSVC ARM build after r157581.

        * jit/JITStubsARM.h:

2013-11-01  Filip Pizlo  <fpizlo@apple.com>

        FTL should use a simple optimization pipeline by default
        https://bugs.webkit.org/show_bug.cgi?id=123638

        Reviewed by Geoffrey Garen.

        20% speed-up on imagine-gaussian-blur, when combined with --ftlUsesStackmaps=true.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * runtime/Options.h:

2013-11-01  Andreas Kling  <akling@apple.com>

        Neuter WTF_MAKE_FAST_ALLOCATED in GLOBAL_FASTMALLOC_NEW builds.
        <https://webkit.org/b/123639>

        JSC::ParserArenaRefCounted really needed to have the new/delete
        operators overridden, in order for JSC::ScopeNode to be able to
        choose that "operator new" out of the two it inherits.

        Reviewed by Anders Carlsson.

2013-11-01  Filip Pizlo  <fpizlo@apple.com>

        OSR exit profiling should be robust against all code being cleared
        https://bugs.webkit.org/show_bug.cgi?id=123629
        <rdar://problem/15365476>

        Reviewed by Michael Saboff.

        The problem here is two-fold:

        1) A watchpoint (i.e. ProfiledCodeBlockJettisoningWatchpoint) may be fired after we
        have cleared the CodeBlock for all or some Executables.  This means that doing
        codeBlock->baselineVersion() would either crash or return a bogus CodeBlock, since
        there wasn't a baseline code block reachable from the Executable anymore.  The
        solution is that we shouldn't be asking for the baseline code block reachable from
        the owning executable (what baselineVersion did), but instead we should be asking
        for the baseline version reachable from the code block being watchpointed (basically
        what CodeBlock::alternative() did).

        2) If dealing with inlined code, baselineCodeBlockForOriginAndBaselineCodeBlock()
        may return null, for the same reason as above - we might have cleared the baseline
        codeblock for the executable that was inlined.  The solution is to just not do
        profiling if there isn't a baseline code block anymore.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::baselineAlternative):
        (JSC::CodeBlock::baselineVersion):
        (JSC::CodeBlock::jettison):
        * bytecode/CodeBlock.h:
        * bytecode/CodeBlockJettisoningWatchpoint.cpp:
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):
        * dfg/DFGOSRExitBase.cpp:
        (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::AssemblyHelpers):
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::baselineCodeBlockFor):

2013-10-31  Oliver Hunt  <oliver@apple.com>

        JavaScript parser bug
        https://bugs.webkit.org/show_bug.cgi?id=123506

        Reviewed by Mark Lam.

        Add ParserState as an abstraction and use that to save and restore
        the parser state around nested functions (We'll need to use this in
        more places in future).  Also fix a minor error typo these testcases
        hit.

        * parser/Parser.cpp:
        (JSC::::parseFunctionInfo):
        (JSC::::parseAssignmentExpression):
        * parser/Parser.h:
        (JSC::Parser::saveState):
        (JSC::Parser::restoreState):

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        FTL Int32ToDouble should handle the forward type check case where you need a recovery
        https://bugs.webkit.org/show_bug.cgi?id=123605

        Reviewed by Mark Hahnenberg.

        If you have an Int32ToDouble that needs to do a type check and it's required to do a
        forward exit, then it needs to manually pass in a value recovery for itself in the
        OSR exit - since this is one of those forward-exiting nodes that doesn't have a
        preceding MovHint.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble):
        (JSC::FTL::LowerDFGToLLVM::forwardTypeCheck):

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        FTL should implement InvalidationPoint in terms of llvm.stackmap
        https://bugs.webkit.org/show_bug.cgi?id=113647

        Reviewed by Mark Hahnenberg.

        This is pretty straightforward now that InvalidationPoint has exactly the semantics
        that agree with llvm.stackmap.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::LowerDFGToLLVM::callStackmap):
        * ftl/FTLOSRExitCompilationInfo.h:
        (JSC::FTL::OSRExitCompilationInfo::OSRExitCompilationInfo):

2013-10-30  Oliver Hunt  <oliver@apple.com>

        Implement basic ES6 Math functions
        https://bugs.webkit.org/show_bug.cgi?id=123536

        Reviewed by Michael Saboff.

        Fairly trivial patch to implement the core ES6 Math functions.

        This doesn't implement Math.hypot as it is not a trivial function.
        I've also skipped Math.sign as I am yet to be convinced the spec
        behaviour is good.  Everything else is trivial.

        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        (JSC::mathProtoFuncACosh):
        (JSC::mathProtoFuncASinh):
        (JSC::mathProtoFuncATanh):
        (JSC::mathProtoFuncCbrt):
        (JSC::mathProtoFuncCosh):
        (JSC::mathProtoFuncExpm1):
        (JSC::mathProtoFuncFround):
        (JSC::mathProtoFuncLog1p):
        (JSC::mathProtoFuncLog10):
        (JSC::mathProtoFuncLog2):
        (JSC::mathProtoFuncSinh):
        (JSC::mathProtoFuncTanh):
        (JSC::mathProtoFuncTrunc):

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        FTL::Location::restoreInto() doesn't handle stack-related registers correctly if you're using it after pushing a new stack frame
        https://bugs.webkit.org/show_bug.cgi?id=123591

        Reviewed by Mark Hahnenberg.

        This gets us to pass more tests with ftlUsesStackmaps.

        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::restoreInto):
        * ftl/FTLLocation.h:
        * ftl/FTLThunks.cpp:
        (JSC::FTL::osrExitGenerationWithStackMapThunkGenerator):

2013-10-31  Alexey Proskuryakov  <ap@apple.com>

        Enable WebCrypto on Mac
        https://bugs.webkit.org/show_bug.cgi?id=123587

        Reviewed by Anders Carlsson.

        * Configurations/FeatureDefines.xcconfig: Do it.

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, really remove CachedTranscendentalFunction.h.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        Remove CachedTranscendentalFunction because caching math functions is an ugly idea
        https://bugs.webkit.org/show_bug.cgi?id=123574

        Reviewed by Mark Hahnenberg.

        This is performance-neutral because I also make Math.cos/sin intrinsic. This means that
        we gain the "overhead" of actually computing sin and cos but we lose the overhead of
        going through the native call thunks.

        Caching transcendental functions is a really ugly idea. It works for SunSpider because
        that benchmark makes very predictable calls into Math.sin. But I don't believe that this
        is representative of any kind of reality, and so for sensible uses of Math.sin/cos all
        that this was doing was adding more call overhead and some hashing overhead.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOperations.h:
        * runtime/CachedTranscendentalFunction.h: Removed.
        * runtime/DateInstanceCache.h:
        * runtime/Intrinsic.h:
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        (JSC::mathProtoFuncCos):
        (JSC::mathProtoFuncSin):
        * runtime/VM.h:

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Assertion failure in js/dom/global-constructors-attributes-dedicated-worker.html
        https://bugs.webkit.org/show_bug.cgi?id=123551
        <rdar://problem/15356238>

        Reviewed by Mark Hahnenberg.

        WatchpointSets have always had this "fire everything on deletion" policy because it
        seemed like a good fail-safe at the time I first implemented WatchpointSets. But
        it's actually causing bugs rather than providing safety:

        - Everyone who registers Watchpoints with WatchpointSets has separate mechanisms
          for either keeping the WatchpointSets alive or noticing when they are collected.
          So this wasn't actually providing any safety.

          One example of this is Structures, where:

          - CodeBlocks that register Watchpoints on Structure's WatchpointSet will also
            register weak references to the Structure, and the GC will jettison a CodeBlock
            if the Structure(s) it cares about dies.

          - StructureStubInfos that register Watchpoints on Structure's WatchpointSet will
            also be cleared by GC if the Structures die.

        - The WatchpointSet destructor would get invoked from finalization/destruction.
          This would then cause CodeBlock::jettison() to be called on a CodeBlock, but that
          method requires doing things that access heap objects. This would usually cause
          problems on VM destruction, since then the CodeBlocks would still be alive but the
          whole heap would be destroyed.

        This also ensures that CodeBlock::jettison() cannot cause a GC. This is safe since
        that method doesn't really allocate objects, and it is likely necessary because
        jettison() may be called from deep in the stack.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * bytecode/Watchpoint.cpp:
        (JSC::WatchpointSet::~WatchpointSet):
        * bytecode/Watchpoint.h:

2013-10-30  Mark Lam  <mark.lam@apple.com>

        Unreviewed, fix C Loop LLINT build.

        * bytecode/CodeBlockJettisoningWatchpoint.cpp:
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix FTL build.

        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):

2013-10-30  Alexey Proskuryakov  <ap@apple.com>

        Add a way to fulfill promises from DOM code
        https://bugs.webkit.org/show_bug.cgi?id=123466

        Reviewed by Sam Weinig.

        * JavaScriptCore.xcodeproj/project.pbxproj: Make JSPromise.h and JSPromiseResolver.h
        private headers for WebCore to use.

        * runtime/JSPromise.h:
        * runtime/JSPromiseResolver.h:
        Export functions that JSDOMPromise will use.

2013-10-30  Mark Lam  <mark.lam@apple.com>

        Adjust CallFrameHeader's ReturnPC and CallFrame locations to match the native ABI.
        https://bugs.webkit.org/show_bug.cgi?id=123444.

        Reviewed by Geoffrey Garen.

        - Introduced an explicit CallerFrameAndPC struct.
        - A CallFrame is expected to start with a CallerFrameAndPC struct.
        - The Register class no longer supports CallFrame* and Instruction*.

          These hide the differences between JSVALUE32_64 and JSVALUE64 in
          terms of managing the callerFrame() and returnPC() values.

        - Convert all uses of JSStack::CallerFrame and JSStack::ReturnPC to
          go through CallFrame to access the appropriate values and offsets.
          CallFrame, in turn, will access the callerFrame and returnPC via
          the CallerFrameAndPC struct.

        - InlineCallFrame will provide offsets for its callerFrame and
          returnPC. It will make use of CallFrame::callerFrameOffset() and
          CallerFrame::returnPCOffset() to compute these.

        * bytecode/CodeOrigin.h:
        (JSC::InlineCallFrame::callerFrameOffset):
        (JSC::InlineCallFrame::returnPCOffset):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::calleeFrameSlot):
        (JSC::DFG::SpeculativeJIT::calleeArgumentSlot):
        (JSC::DFG::SpeculativeJIT::calleeFrameTagSlot):
        (JSC::DFG::SpeculativeJIT::calleeFramePayloadSlot):
        (JSC::DFG::SpeculativeJIT::calleeArgumentTagSlot):
        (JSC::DFG::SpeculativeJIT::calleeArgumentPayloadSlot):
        - Prefixed all the above with callee since they apply to the callee frame.
        (JSC::DFG::SpeculativeJIT::calleeFrameCallerFrame):
        - Added to set the callerFrame pointer in the callee frame.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLink.cpp:
        (JSC::FTL::compileEntry):
        (JSC::FTL::link):
        * interpreter/CallFrame.h:
        (JSC::ExecState::callerFrame):
        (JSC::ExecState::callerFrameOffset):
        (JSC::ExecState::returnPC):
        (JSC::ExecState::hasReturnPC):
        (JSC::ExecState::clearReturnPC):
        (JSC::ExecState::returnPCOffset):
        (JSC::ExecState::setCallerFrame):
        (JSC::ExecState::setReturnPC):
        (JSC::ExecState::callerFrameAndPC):
        * interpreter/JSStack.h:
        * interpreter/Register.h:
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitPutToCallFrameHeader):
        - Convert to using storePtr() here and simplify the code.
        (JSC::AssemblyHelpers::emitGetCallerFrameFromCallFrameHeaderPtr):
        (JSC::AssemblyHelpers::emitPutCallerFrameToCallFrameHeader):
        (JSC::AssemblyHelpers::emitGetReturnPCFromCallFrameHeaderPtr):
        (JSC::AssemblyHelpers::emitPutReturnPCToCallFrameHeader):
        - Helpers to emit gets/puts of the callerFrame and returnPC.
        (JSC::AssemblyHelpers::addressForByteOffset):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompile):
        (JSC::JIT::privateCompileExceptionHandlers):
        * jit/JITCall.cpp:
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::emit_op_ret_object_or_this):
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileOpCall):
        * jit/JITInlines.h:
        (JSC::JIT::unmap):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_end):
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::emit_op_ret_object_or_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_end):
        * jit/JITOperations.cpp:
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::returnJSValue):
        (JSC::SpecializedThunkJIT::returnDouble):
        (JSC::SpecializedThunkJIT::returnInt32):
        (JSC::SpecializedThunkJIT::returnJSCell):
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::slowPathFor):
        (JSC::nativeForGenerator):

        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        - Updated offsets and asserts to match the new CallFrame layout.

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Mac.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::RegisterAllocationOffset::checkOffsets):
        (JSC::AbstractMacroAssembler::checkRegisterAllocationAgainstBranchRange):

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Windows.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Windows.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addFrequentExitSite):

2013-10-29  Filip Pizlo  <fpizlo@apple.com>

        Add InvalidationPoints to the DFG and use them for all watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=123472

        Reviewed by Mark Hahnenberg.

        This makes a fundamental change to how watchpoints work in the DFG.

        Previously, a watchpoint was an instruction whose execution semantics were something
        like:

            if (watchpoint->invalidated)
                exit

        We would implement this without any branch by using jump replacement.

        This is a very good optimization. But it's a bit awkward once you get a lot of
        watchpoints: semantically we will have lots of these branches in the code, which the
        compiler needs to reason about even though they don't actually result in any emitted
        code.

        Separately, we also had a mechanism for jettisoning a CodeBlock. This mechanism would
        be invoked if a CodeBlock exited a lot. It would ensure that a CodeBlock wouldn't be
        called into again, but it would do nothing for CodeBlocks that were already on the
        stack.

        This change flips jettisoning and watchpoint invalidation on their heads. Now, the jump
        replacement has nothing to do with watchpoints; instead it's something that happens if
        you ever jettison a CodeBlock. Jump replacement is now an all-or-nothing operation over
        all of the potential call-return safe-exit-points in a CodeBlock. We call these
        "InvalidationPoint"s. A watchpoint instruction is now "lowered" by having the DFG
        collect all of the watchpoint sets that the CodeBlock cares about, and then registering
        a CodeBlockJettisoningWatchpoint with all of them. That is, if the watchpoint fires, it
        jettisons the CodeBlock, which in turn ensures that the CodeBlock can't be called into
        (because the entrypoint now points to baseline code) and can't be returned into
        (because returning exits to baseline before the next bytecode instruction).

        This will allow for a sensible lowering of watchpoints to LLVM IR. It will also allow
        for jettison() to be used effectively for things like breakpointing and single-stepping
        in the debugger.

        Well, basically, this mechanism just takes us into the HotSpot-style world where anyone
        can, at any time and for any reason, request that an optimized CodeBlock is rendered
        immediately invalid. You can use this for many cool things, I'm sure.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * bytecode/CodeBlock.h:
        * bytecode/CodeBlockJettisoningWatchpoint.cpp: Added.
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/CodeBlockJettisoningWatchpoint.h: Added.
        (JSC::CodeBlockJettisoningWatchpoint::CodeBlockJettisoningWatchpoint):
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp: Added.
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.h: Added.
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::ProfiledCodeBlockJettisoningWatchpoint):
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGClobberize.cpp:
        (JSC::DFG::writesOverlap):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        (JSC::DFG::AbstractHeapOverlaps::AbstractHeapOverlaps):
        (JSC::DFG::AbstractHeapOverlaps::operator()):
        (JSC::DFG::AbstractHeapOverlaps::result):
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::CommonData::invalidate):
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::CommonData):
        * dfg/DFGDesiredWatchpoints.cpp:
        (JSC::DFG::DesiredWatchpoints::addLazily):
        (JSC::DFG::DesiredWatchpoints::reallyAdd):
        * dfg/DFGDesiredWatchpoints.h:
        (JSC::DFG::WatchpointForGenericWatchpointSet::WatchpointForGenericWatchpointSet):
        (JSC::DFG::GenericDesiredWatchpoints::addLazily):
        (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
        (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGInvalidationPointInjectionPhase.cpp: Added.
        (JSC::DFG::InvalidationPointInjectionPhase::InvalidationPointInjectionPhase):
        (JSC::DFG::InvalidationPointInjectionPhase::run):
        (JSC::DFG::InvalidationPointInjectionPhase::handle):
        (JSC::DFG::InvalidationPointInjectionPhase::insertInvalidationCheck):
        (JSC::DFG::performInvalidationPointInjection):
        * dfg/DFGInvalidationPointInjectionPhase.h: Added.
        * dfg/DFGJITCode.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        * dfg/DFGJumpReplacement.cpp: Added.
        (JSC::DFG::JumpReplacement::fire):
        * dfg/DFGJumpReplacement.h: Added.
        (JSC::DFG::JumpReplacement::JumpReplacement):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRExitCompilationInfo.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::reallyAdd):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::masqueradesAsUndefinedWatchpointIsStillValid):
        (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
756         * dfg/DFGSpeculativeJIT32_64.cpp:
757         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
758         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
759         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
760         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
761         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
762         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
763         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
764         (JSC::DFG::SpeculativeJIT::compile):
765         * dfg/DFGSpeculativeJIT64.cpp:
766         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
767         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
768         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
769         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
770         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
771         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
772         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
773         (JSC::DFG::SpeculativeJIT::compile):
774         * dfg/DFGWatchpointCollectionPhase.cpp: Added.
775         (JSC::DFG::WatchpointCollectionPhase::WatchpointCollectionPhase):
776         (JSC::DFG::WatchpointCollectionPhase::run):
777         (JSC::DFG::WatchpointCollectionPhase::handle):
778         (JSC::DFG::WatchpointCollectionPhase::handleEdge):
779         (JSC::DFG::WatchpointCollectionPhase::handleMasqueradesAsUndefined):
780         (JSC::DFG::WatchpointCollectionPhase::handleStringGetByVal):
781         (JSC::DFG::WatchpointCollectionPhase::addLazily):
782         (JSC::DFG::WatchpointCollectionPhase::globalObject):
783         (JSC::DFG::performWatchpointCollection):
784         * dfg/DFGWatchpointCollectionPhase.h: Added.
785         * ftl/FTLCapabilities.cpp:
786         (JSC::FTL::canCompile):
787         * ftl/FTLLowerDFGToLLVM.cpp:
788         (JSC::FTL::LowerDFGToLLVM::compileNode):
789         (JSC::FTL::LowerDFGToLLVM::compileStructureTransitionWatchpoint):
790         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
791         (JSC::FTL::LowerDFGToLLVM::compileGlobalVarWatchpoint):
792         (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
793         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
794         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
795         (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
796         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
797         (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
798         * jit/JITOperations.cpp:
799         * jit/JumpReplacementWatchpoint.cpp: Removed.
800         * jit/JumpReplacementWatchpoint.h: Removed.
801
802 2013-10-25  Mark Hahnenberg  <mhahnenberg@apple.com>
803
804         JSExport doesn't support constructors
805         https://bugs.webkit.org/show_bug.cgi?id=123380
806
807         Reviewed by Geoffrey Garen.
808
809         Support for constructor-style callbacks for the Objective-C API to JSC is currently limited to 
810         Objective-C blocks. Any clients who try to call the constructor of a JSExport-ed Objective-C class 
811         are met with a type error stating that it cannot be called as a constructor.
812
813         It would be nice to expand JSExport's functionality to support this idiom. It is a natural 
814         extension to JSExport and would increase the expressiveness and simplicity in both Objective-C and 
815         JavaScript client code.
816
817         The way we'll do this is to expand the capabilities of ObjCCallbackFunction and associated classes. 
818         Instead of constructing a normal C API object for the constructor, we'll instead allocate a full-blown 
819         ObjCCallbackFunction object which can already properly handle being invoked as a constructor.
820
821         * API/JSWrapperMap.mm:
822         (copyMethodsToObject):
823         (allocateConstructorForCustomClass):
824         (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
825         (tryUnwrapObjcObject):
826         * API/ObjCCallbackFunction.h:
827         (JSC::ObjCCallbackFunction::impl):
828         * API/ObjCCallbackFunction.mm:
829         (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
830         (JSC::ObjCCallbackFunctionImpl::wrappedConstructor):
831         (JSC::ObjCCallbackFunctionImpl::isConstructible):
832         (JSC::ObjCCallbackFunction::getConstructData):
833         (JSC::ObjCCallbackFunctionImpl::name):
834         (JSC::ObjCCallbackFunctionImpl::call):
835         (objCCallbackFunctionForInvocation):
836         (objCCallbackFunctionForInit):
837         (tryUnwrapConstructor):
838         * API/tests/testapi.mm:
839         (-[TextXYZ initWithString:]):
840         (-[ClassA initWithA:]):
841         (-[ClassB initWithA:b:]):
842         (-[ClassC initWithA:]):
843         (-[ClassC initWithA:b:]):
844
845 2013-10-30  peavo@outlook.com  <peavo@outlook.com>
846
847         [Win] Compile errors when enabling DFG JIT.
848         https://bugs.webkit.org/show_bug.cgi?id=120998
849
850         Reviewed by Brent Fulgham.
851
852         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added files.
853         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
854         * dfg/DFGAllocator.h: Removed scope.
855         * dfg/DFGWorklist.cpp: Use new ThreadingOnce class instead of pthread_once.
856         (JSC::DFG::globalWorklist):
857         * heap/DeferGC.h: Link fix, member needs to be public.
858         * jit/JITOperationWrappers.h: Added required assembler macros.
859
860 2013-10-30  Iago Toral Quiroga  <itoral@igalia.com>
861
862         Add result caching for Math.cos
863         https://bugs.webkit.org/show_bug.cgi?id=123255
864
865         Reviewed by Brent Fulgham.
866
867         * runtime/MathObject.cpp:
868         (JSC::mathProtoFuncCos):
869         * runtime/VM.h:
870
871 2013-10-30  Alex Christensen  <achristensen@webkit.org>
872
873         Disabled JIT on Win64.
874         https://bugs.webkit.org/show_bug.cgi?id=122472
875
876         Reviewed by Geoffrey Garen.
877
878         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
879         Disabled building JITStubsMSVC64.
880
881 2013-10-29  Michael Saboff  <msaboff@apple.com>
882
883         Change local variable register allocation to start at offset -1
884         https://bugs.webkit.org/show_bug.cgi?id=123182
885
886         Reviewed by Geoffrey Garen.
887
888         Adjusted the virtual register mapping down by one slot.  Reduced
889         the CallFrame header slot offsets by one.  They now start at 0.
890         Changed arity fixup to no longer skip past register slot 0 as this
891         is now part of the CallFrame header.
892
893         * bytecode/VirtualRegister.h:
894         (JSC::operandIsLocal):
895         (JSC::operandIsArgument):
896         (JSC::VirtualRegister::localToOperand):
897         (JSC::VirtualRegister::operandToLocal):
898           Adjusted functions for shift in mapping from local to register offset.
899
900         * dfg/DFGByteCodeParser.cpp:
901         (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
902         (JSC::DFG::ByteCodeParser::addCall):
903         (JSC::DFG::ByteCodeParser::handleInlining):
904         (JSC::DFG::ByteCodeParser::parseBlock):
905         * dfg/DFGVariableEventStream.cpp:
906         (JSC::DFG::VariableEventStream::reconstruct):
907         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
908         (JSC::DFG::VirtualRegisterAllocationPhase::run):
909         * interpreter/CallFrame.h:
910         (JSC::ExecState::frameExtent):
911         (JSC::ExecState::offsetFor):
912         * interpreter/Interpreter.cpp:
913         (JSC::loadVarargs):
914         (JSC::Interpreter::dumpRegisters):
915         (JSC::Interpreter::executeCall):
916         * llint/LLIntData.cpp:
917         (JSC::LLInt::Data::performAssertions):
918         * llint/LowLevelInterpreter.asm:
919           Adjusted math to accommodate for shift in call frame slots.
920
921         * dfg/DFGJITCompiler.cpp:
922         (JSC::DFG::JITCompiler::compileFunction):
923         * dfg/DFGSpeculativeJIT.h:
924         (JSC::DFG::SpeculativeJIT::calleeFrameOffset):
925         * interpreter/CallFrame.cpp:
926         (JSC::CallFrame::frameExtentInternal):
927         * interpreter/JSStackInlines.h:
928         (JSC::JSStack::pushFrame):
929         * jit/JIT.cpp:
930         (JSC::JIT::privateCompile):
931         * jit/JITOperations.cpp:
932         * llint/LLIntSlowPaths.cpp:
933         (JSC::LLInt::llint_slow_path_stack_check):
934         * runtime/CommonSlowPaths.h:
935         (JSC::CommonSlowPaths::arityCheckFor):
936           Fixed offset calculation to use VirtualRegister and related calculation instead of
937           doing separate calculations.
938
939         * interpreter/JSStack.h:
940           Adjusted CallFrame slots down by one.  Did some miscellaneous fixing of dumpRegisters()
941           in the process of testing the fixes.
942
943         * jit/ThunkGenerators.cpp:
944         (JSC::arityFixup):
945           Changed arity fixup to no longer skip past register slot 0 as this
946           is now part of the CallFrame header.
947
948         * llint/LowLevelInterpreter32_64.asm:
949         * llint/LowLevelInterpreter64.asm:
950           Changed arity fixup to no longer skip past register slot 0 as this
951           is now part of the CallFrame header.  Updated op_enter processing for
952           the change in local registers.
953
954         * runtime/JSGlobalObject.h:
955           Removed the now unneeded extra slot in the global callframe.
956
957 2013-10-29  Julien Brianceau  <jbriance@cisco.com>
958
959         [arm] Fix lots of crashes because of 4th argument register trampling.
960         https://bugs.webkit.org/show_bug.cgi?id=123421
961
962         Reviewed by Michael Saboff.
963
964         r3 register is the 4th argument register for ARM and also a scratch
965         register in the baseline JIT for this architecture. We can use r6
966         instead, as this used to be the timeoutCheckRegister and it is no
967         longer used since r148119.
968
969         * assembler/ARMAssembler.h: Temp register is now r6 instead of r3 for ARM.
970         * assembler/MacroAssemblerARMv7.h: Temp register is now r6 instead of r3 for ARMv7.
971         * jit/GPRInfo.h: Add r3 properly in GPRInfo for ARM.
972         (JSC::GPRInfo::toRegister):
973         (JSC::GPRInfo::toIndex):
974         * jit/JITStubsARM.h:
975         (JSC::ctiTrampoline): Remove obsolete timeoutCheckRegister init.
976         * jit/JITStubsARMv7.h:
977         (JSC::ctiTrampoline): Remove obsolete timeoutCheckRegister init.
978         * jit/JSInterfaceJIT.h: Remove useless stuff.
979         * yarr/YarrJIT.cpp: Use r3 and not the new scratch register r6.
980         (JSC::Yarr::YarrGenerator::generateEnter): r8 register doesn't need to be saved.
981         (JSC::Yarr::YarrGenerator::generateReturn):
982
983 2013-10-29  Julien Brianceau  <jbriance@cisco.com>
984
985         Fix CPU(ARM_TRADITIONAL) build after r157690.
986         https://bugs.webkit.org/show_bug.cgi?id=123247
987
988         Reviewed by Michael Saboff.
989
990         Since r157690, the executableCopy function has been removed from AssemblerBuffer.h
991         and the copy of executable code occurs in the linkCode function (in LinkBuffer.cpp).
992         As the constant pool for jumps is updated in the executableCopy function of ARM_TRADITIONAL,
993         this part of code still needs to be called and absolute jumps must be corrected to anticipate
994         the copy of the executable code through memcpy.
995
996         * assembler/ARMAssembler.cpp:
997         (JSC::ARMAssembler::prepareExecutableCopy): Rename executableCopy to prepareExecutableCopy
998         and correct absolute jump values using the delta between the source and destination buffers.
999         * assembler/ARMAssembler.h:
1000         * assembler/LinkBuffer.cpp:
1001         (JSC::LinkBuffer::linkCode): Call prepareExecutableCopy just before the memcpy.
1002
1003 2013-10-28  Filip Pizlo  <fpizlo@apple.com>
1004
1005         OSRExit::m_watchpointIndex should be in OSRExitCompilationInfo
1006         https://bugs.webkit.org/show_bug.cgi?id=123423
1007
1008         Reviewed by Mark Hahnenberg.
1009         
1010         Also enable ExitKind to tell you if it's a watchpoint.
1011
1012         * bytecode/ExitKind.cpp:
1013         (JSC::exitKindToString):
1014         * bytecode/ExitKind.h:
1015         (JSC::isWatchpoint):
1016         * dfg/DFGByteCodeParser.cpp:
1017         (JSC::DFG::ByteCodeParser::setLocal):
1018         (JSC::DFG::ByteCodeParser::setArgument):
1019         (JSC::DFG::ByteCodeParser::handleCall):
1020         (JSC::DFG::ByteCodeParser::handleGetById):
1021         (JSC::DFG::ByteCodeParser::parseBlock):
1022         * dfg/DFGJITCompiler.cpp:
1023         (JSC::DFG::JITCompiler::linkOSRExits):
1024         (JSC::DFG::JITCompiler::link):
1025         * dfg/DFGJITCompiler.h:
1026         (JSC::DFG::JITCompiler::appendExitInfo):
1027         * dfg/DFGOSRExit.cpp:
1028         (JSC::DFG::OSRExit::OSRExit):
1029         * dfg/DFGOSRExit.h:
1030         * dfg/DFGOSRExitCompilationInfo.h:
1031         (JSC::DFG::OSRExitCompilationInfo::OSRExitCompilationInfo):
1032         * dfg/DFGOSRExitCompiler.cpp:
1033         * dfg/DFGSpeculativeJIT.cpp:
1034         (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
1035         * dfg/DFGSpeculativeJIT32_64.cpp:
1036         (JSC::DFG::SpeculativeJIT::compile):
1037         * dfg/DFGSpeculativeJIT64.cpp:
1038         (JSC::DFG::SpeculativeJIT::compile):
1039
1040 2013-10-28  Myles C. Maxfield  <mmaxfield@apple.com>
1041
1042         Parsing support for -webkit-text-decoration-skip: ink
1043         https://bugs.webkit.org/show_bug.cgi?id=123358
1044
1045         Reviewed by Dean Jackson.
1046
1047         Adding ENABLE(CSS3_TEXT_DECORATION)
1048
1049         * Configurations/FeatureDefines.xcconfig:
1050
1051 2013-10-24  Filip Pizlo  <fpizlo@apple.com>
1052
1053         Get rid of InlineStart so that I don't have to implement it in FTL
1054         https://bugs.webkit.org/show_bug.cgi?id=123302
1055
1056         Reviewed by Geoffrey Garen.
1057         
1058         InlineStart was a special instruction that we would insert at the top of inlined code,
1059         so that the backend could capture the OSR state of arguments to an inlined call. It used
1060         to be that only the backend had this information, so this instruction was sort of an ugly
1061         callback from the backend for filling in some data structures.
1062         
1063         But in the time since when that code was written (two years ago?), we rationalized how
1064         variables work. It's now the case that variables that the runtime must know about are
1065         treated specially in IR (they are "flushed") and we know how we will represent them even
1066         before we get to the backend. The last place that makes changes to their representation
1067         is the StackLayoutPhase.
1068         
1069         So, this patch gets rid of InlineStart, but keeps around the special meta-data that the
1070         instruction had. Instead of handling the bookkeeping in the backend, we handle it in
1071         StackLayoutPhase. This means that the DFG and FTL can share code for handling this
1072         bookkeeping. This also means that now the FTL can compile code blocks that had inlining.
1073         
1074         Of course, giving the FTL the ability to handle code blocks that had inlining means that
1075         we're going to have new bugs. Sure enough, the FTL's linker didn't handle inline call
1076         frames. This patch also fixes that.
1077
1078         * dfg/DFGAbstractInterpreterInlines.h:
1079         (JSC::DFG::::executeEffects):
1080         * dfg/DFGByteCodeParser.cpp:
1081         (JSC::DFG::ByteCodeParser::handleInlining):
1082         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1083         * dfg/DFGClobberize.h:
1084         (JSC::DFG::clobberize):
1085         * dfg/DFGFixupPhase.cpp:
1086         (JSC::DFG::FixupPhase::fixupNode):
1087         * dfg/DFGGraph.h:
1088         * dfg/DFGNode.h:
1089         * dfg/DFGNodeType.h:
1090         * dfg/DFGPredictionPropagationPhase.cpp:
1091         (JSC::DFG::PredictionPropagationPhase::propagate):
1092         * dfg/DFGSafeToExecute.h:
1093         (JSC::DFG::safeToExecute):
1094         * dfg/DFGSpeculativeJIT.cpp:
1095         * dfg/DFGSpeculativeJIT.h:
1096         * dfg/DFGSpeculativeJIT32_64.cpp:
1097         (JSC::DFG::SpeculativeJIT::compile):
1098         * dfg/DFGSpeculativeJIT64.cpp:
1099         (JSC::DFG::SpeculativeJIT::compile):
1100         * dfg/DFGStackLayoutPhase.cpp:
1101         (JSC::DFG::StackLayoutPhase::run):
1102         * ftl/FTLLink.cpp:
1103         (JSC::FTL::link):
1104
1105 2013-10-24  Filip Pizlo  <fpizlo@apple.com>
1106
1107         The GetById->GetByOffset AI-based optimization should actually do things
1108         https://bugs.webkit.org/show_bug.cgi?id=123299
1109
1110         Reviewed by Oliver Hunt.
1111         
1112         20% speed-up on Octane/gbemu.
1113
1114         * bytecode/GetByIdStatus.cpp:
1115         (JSC::GetByIdStatus::computeFor): Actually finish filling in the Status by setting the state. Previously it would remain set to NoInformation, meaning that this whole method was a no-op.
1116
1117 2013-10-28  Carlos Garcia Campos  <cgarcia@igalia.com>
1118
1119         Unreviewed. Fix make distcheck.
1120
1121         * GNUmakefile.list.am: Add missing files to compilation.
1122
1123 2013-10-25  Oliver Hunt  <oliver@apple.com>
1124
1125         Refactor parser rollback logic
1126         https://bugs.webkit.org/show_bug.cgi?id=123372
1127
1128         Reviewed by Brady Eidson.
1129
1130         Add a sane abstraction for rollbacks in the parser.
1131
1132         * parser/Parser.cpp:
1133         (JSC::::parseSourceElements):
1134         (JSC::::parseObjectLiteral):
1135         * parser/Parser.h:
1136         (JSC::Parser::createSavePoint):
1137         (JSC::Parser::restoreSavePoint):
1138
1139 2013-10-25  peavo@outlook.com  <peavo@outlook.com>
1140
1141         [Win] Javascript crash with DFG JIT enabled.
1142         https://bugs.webkit.org/show_bug.cgi?id=121001
1143
1144         Reviewed by Geoffrey Garen.
1145
1146         On Windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0),
1147         results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
1148         where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
1149         This causes the register to be written to address 0, hence the crash.
1150
1151         * assembler/MacroAssemblerX86.h:
1152         (JSC::MacroAssemblerX86::storeDouble): Assert if we try to generate code which writes to a null pointer.
1153         * dfg/DFGOSRExitCompiler32_64.cpp:
1154         (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
1155         * dfg/DFGThunks.cpp:
1156         (JSC::DFG::osrExitGenerationThunkGenerator): Ditto.
1157
1158 2013-10-25  Oliver Hunt  <oliver@apple.com>
1159
1160         Fix a number of problems with destructuring of arguments
1161         https://bugs.webkit.org/show_bug.cgi?id=123357
1162
1163         Reviewed by Filip Pizlo.
1164
1165         This renames the destructuring node's emitBytecode to bindValue
1166         in order to remove the existing confusion over what was happening.
1167
1168         We then fix an incorrect fall through in the destructuring arguments
1169         logic, and fix the then exposed bug where we placed the index rather
1170         than value into the bound property.
1171
1172         * bytecompiler/BytecodeGenerator.cpp:
1173         (JSC::BytecodeGenerator::BytecodeGenerator):
1174         * bytecompiler/NodesCodegen.cpp:
1175         (JSC::ForInNode::emitBytecode):
1176         (JSC::ForOfNode::emitBytecode):
1177         (JSC::DeconstructingAssignmentNode::emitBytecode):
1178         (JSC::ArrayPatternNode::bindValue):
1179         (JSC::ArrayPatternNode::emitDirectBinding):
1180         (JSC::ObjectPatternNode::bindValue):
1181         (JSC::BindingNode::bindValue):
1182         * parser/Nodes.h:
1183
1184 2013-10-25  Joseph Pecoraro  <pecoraro@apple.com>
1185
1186         Upstream ENABLE(REMOTE_INSPECTOR) and enable on iOS and Mac
1187         https://bugs.webkit.org/show_bug.cgi?id=123111
1188
1189         Reviewed by Timothy Hatcher.
1190
1191         * Configurations/FeatureDefines.xcconfig:
1192
1193 2013-10-25  Oliver Hunt  <oliver@apple.com>
1194
1195         Fix MSVC again
1196
1197         * parser/Parser.cpp:
1198
1199 2013-10-25  Oliver Hunt  <oliver@apple.com>
1200
1201         Fix MSVC
1202
1203         * parser/Parser.cpp:
1204
1205 2013-10-25  Oliver Hunt  <oliver@apple.com>
1206
1207         Improve JSC Parser error messages
1208         https://bugs.webkit.org/show_bug.cgi?id=123341
1209
1210         Reviewed by Andreas Kling.
1211
1212         This patch moves away from the current kludgy mechanisms used to produce
1213         error messages and moves to something closer to case by case errors.
1214
1215         This results in a large change size as previously we may just have
1216         'failIfFalse(foo)', but now the logic becomes either
1217         'failIfFalseWithMessage(foo, "Cannot do blah with ", foo->thing())'
1218         or alternatively
1219
1220         if (!foo)
1221             check for 'interesting' errors, before falling back to generic error
1222
1223         This means that this patch is large, but produces no semantic changes, and
1224         only hits slow (e.g. error) paths.
1225
1226         * parser/Parser.cpp:
1227         (JSC::::Parser):
1228         (JSC::::parseSourceElements):
1229         (JSC::::parseVarDeclaration):
1230         (JSC::::parseConstDeclaration):
1231         (JSC::::parseDoWhileStatement):
1232         (JSC::::parseWhileStatement):
1233         (JSC::::parseVarDeclarationList):
1234         (JSC::::createBindingPattern):
1235         (JSC::::parseDeconstructionPattern):
1236         (JSC::::parseConstDeclarationList):
1237         (JSC::::parseForStatement):
1238         (JSC::::parseBreakStatement):
1239         (JSC::::parseContinueStatement):
1240         (JSC::::parseReturnStatement):
1241         (JSC::::parseThrowStatement):
1242         (JSC::::parseWithStatement):
1243         (JSC::::parseSwitchStatement):
1244         (JSC::::parseSwitchClauses):
1245         (JSC::::parseSwitchDefaultClause):
1246         (JSC::::parseTryStatement):
1247         (JSC::::parseDebuggerStatement):
1248         (JSC::::parseBlockStatement):
1249         (JSC::::parseStatement):
1250         (JSC::::parseFormalParameters):
1251         (JSC::::parseFunctionBody):
1252         (JSC::stringForFunctionMode):
1253         (JSC::::parseFunctionInfo):
1254         (JSC::::parseFunctionDeclaration):
1255         (JSC::::parseExpressionOrLabelStatement):
1256         (JSC::::parseExpressionStatement):
1257         (JSC::::parseIfStatement):
1258         (JSC::::parseExpression):
1259         (JSC::::parseAssignmentExpression):
1260         (JSC::::parseConditionalExpression):
1261         (JSC::::parseBinaryExpression):
1262         (JSC::::parseProperty):
1263         (JSC::::parseObjectLiteral):
1264         (JSC::::parseStrictObjectLiteral):
1265         (JSC::::parseArrayLiteral):
1266         (JSC::::parsePrimaryExpression):
1267         (JSC::::parseArguments):
1268         (JSC::::parseMemberExpression):
1269         (JSC::operatorString):
1270         (JSC::::parseUnaryExpression):
1271         (JSC::::printUnexpectedTokenText):
1272         * parser/Parser.h:
1273         (JSC::Scope::hasDeclaredVariable):
1274         (JSC::Scope::hasDeclaredParameter):
1275         (JSC::Parser::hasDeclaredVariable):
1276         (JSC::Parser::hasDeclaredParameter):
1277         (JSC::Parser::setErrorMessage):
1278
1279 2013-10-24  Mark Rowe  <mrowe@apple.com>
1280
1281         Remove references to OS X 10.7 from Xcode configuration settings.
1282
1283         Now that we're not building for OS X 10.7 they're no longer needed.
1284
1285         Reviewed by Anders Carlsson.
1286
1287         * Configurations/Base.xcconfig:
1288         * Configurations/DebugRelease.xcconfig:
1289         * Configurations/FeatureDefines.xcconfig:
1290         * Configurations/Version.xcconfig:
1291
1292 2013-10-24  Mark Rowe  <mrowe@apple.com>
1293
1294         <rdar://problem/15312643> Prepare for the mysterious future.
1295
1296         Reviewed by David Kilzer.
1297
1298         * Configurations/Base.xcconfig:
1299         * Configurations/DebugRelease.xcconfig:
1300         * Configurations/FeatureDefines.xcconfig:
1301         * Configurations/Version.xcconfig:
1302
1303 2013-10-24  Mark Lam  <mark.lam@apple.com>
1304
1305         Better way to fix part of broken C Loop LLINT build.
1306         https://bugs.webkit.org/show_bug.cgi?id=123271.
1307
1308         Reviewed by Geoffrey Garen.
1309
1310         Undoing offline asm hackery.
1311
1312         * llint/LowLevelInterpreter.cpp:
1313         * llint/LowLevelInterpreter32_64.asm:
1314         * llint/LowLevelInterpreter64.asm:
1315         * offlineasm/cloop.rb:
1316         * offlineasm/instructions.rb:
1317
1318 2013-10-24  Mark Lam  <mark.lam@apple.com>
1319
1320         Fix broken C Loop LLINT build.
1321         https://bugs.webkit.org/show_bug.cgi?id=123271.
1322
1323         Reviewed by Michael Saboff.
1324
1325         * bytecode/CodeBlock.cpp:
1326         (JSC::CodeBlock::printGetByIdCacheStatus): Added an UNUSED_PARAM().
1327         (JSC::CodeBlock::dumpBytecode): Added #if ENABLE(JIT) to JIT only code.
1328         * bytecode/GetByIdStatus.cpp:
1329         (JSC::GetByIdStatus::computeFor): Added an UNUSED_PARAM().
1330         * bytecode/PutByIdStatus.cpp:
1331         (JSC::PutByIdStatus::computeFor): Added an UNUSED_PARAM().
1332         * bytecode/StructureStubInfo.h:
1333         - Added a stub StubInfoMap for non-JIT builds. StubInfoMap is still used
1334           in function prototypes even when !ENABLE(JIT). Rather than adding #if's
1335           in many places, we just provide a stub/placeholder implementation that
1336           is unused but keeps the compiler happy.
1337         * jit/JITOperations.h: Added #if ENABLE(JIT).
1338         * llint/LowLevelInterpreter32_64.asm:
1339         * llint/LowLevelInterpreter64.asm:
1340         - The putByVal() macro reifies a slow path which is never taken in one case.
1341           This translates into a label that is never used in the C Loop LLINT. The
1342           C++ compiler doesn't like unused labels. So, we fix this by adding a
1343           cloopUnusedLabel offline asm instruction that synthesizes the following:
1344
1345               if (false) goto unusedLabel;
1346
1347           This keeps the C++ compiler happy without changing code behavior.
1348         * offlineasm/cloop.rb: Implementing cloopUnusedLabel.
1349         * offlineasm/instructions.rb: Declaring cloopUnusedLabel.
1350         * runtime/Executable.cpp:
1351         (JSC::setupJIT): Added UNUSED_PARAM()s.
1352         (JSC::ScriptExecutable::prepareForExecutionImpl):
1353         - run-javascriptcore-tests has phases that force the LLINT to be off,
1354           which in turn asserts that the JIT is enabled. With the C Loop LLINT,
1355           this combination is illegal. So, we override the setup code here to
1356           always use the LLINT if !ENABLE(JIT) regardless of what options are
1357           passed in.
1358
1359 2013-10-24  peavo@outlook.com  <peavo@outlook.com>
1360
1361         Uninitialized member causes crash when DFG JIT is not enabled.
1362         https://bugs.webkit.org/show_bug.cgi?id=123270
1363
1364         Reviewed by Brent Fulgham.
1365
1366         The data member sizeOfLastScratchBuffer in the VM class is only initialized if DFG JIT is enabled, even though it's defined regardless.
1367         This causes an early crash on Windows, which doesn't have DFG JIT enabled.
1368
1369         * runtime/VM.cpp:
1370         (JSC::VM::VM): Initialize sizeOfLastScratchBuffer member regardless of whether DFG JIT is enabled.
1371
1372 2013-10-24  Ryuan Choi  <ryuan.choi@samsung.com>
1373
1374         [EFL] Build break with latest EFL 1.8 libraries.
1375         https://bugs.webkit.org/show_bug.cgi?id=123245
1376
1377         Reviewed by Gyuyoung Kim.
1378
1379         After the build break on EFL 1.8 was fixed at r138326, the EFL libraries changed
1380         the Eo typedef and split the header files which contain the version macro.
1381
1382         * PlatformEfl.cmake: Added EO path to include directories.
1383         * heap/HeapTimer.h: Changed Ecore_Timer typedef when EO exists.
1384
1385 2013-10-23  Filip Pizlo  <fpizlo@apple.com>
1386
1387         Put all uses of LLVM intrinsics behind a single Option
1388         https://bugs.webkit.org/show_bug.cgi?id=123219
1389
1390         Reviewed by Mark Hahnenberg.
1391
1392         * ftl/FTLExitThunkGenerator.cpp:
1393         (JSC::FTL::ExitThunkGenerator::emitThunk):
1394         * ftl/FTLLowerDFGToLLVM.cpp:
1395         (JSC::FTL::generateExitThunks):
1396         (JSC::FTL::LowerDFGToLLVM::compileGetById):
1397         (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
1398         (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
1399         * ftl/FTLOSRExitCompiler.cpp:
1400         (JSC::FTL::compileFTLOSRExit):
1401         * runtime/Options.h:
1402
1403 2013-10-23  Daniel Bates  <dabates@apple.com>
1404
1405         Fix JavaScriptCore build targets following <http://trac.webkit.org/changeset/157864>
1406         (https://bugs.webkit.org/show_bug.cgi?id=123169)
1407
1408         Tell Xcode that the supported platforms for all JavaScriptCore targets are iOS and OS X.
1409
1410         * Configurations/Base.xcconfig:
1411
1412 2013-10-23  Michael Saboff  <msaboff@apple.com>
1413
1414         LLInt arity check exception processing should start unwinding from caller
1415         https://bugs.webkit.org/show_bug.cgi?id=123209
1416
1417         Reviewed by Oliver Hunt.
1418
1419         Use the caller frame returned from slow_path_call_arityCheck to process exceptions.
1420
1421         * llint/LowLevelInterpreter32_64.asm:
1422         * llint/LowLevelInterpreter64.asm:
1423
1424 2013-10-22  Filip Pizlo  <fpizlo@apple.com>
1425
1426         FTL should be able to do some simple inline caches using LLVM patchpoints
1427         https://bugs.webkit.org/show_bug.cgi?id=123164
1428
1429         Reviewed by Mark Hahnenberg.
1430         
1431         This implements GetById inline caches in the FTL using llvm.webkit.patchpoint.
1432         
1433         The idea is that we ask LLVM for a nop slide the size of a GetById inline
1434         cache and then fill in the code after LLVM compilation is complete. For now, we
1435         just use the system calling convention for the arguments and return. We also
1436         still make some assumptions about registers that aren't correct. But, most of
1437         the scaffolding is there and this will successfully patch an inline cache.
1438
1439         * JavaScriptCore.xcodeproj/project.pbxproj:
1440         * assembler/AbstractMacroAssembler.h:
1441         * assembler/LinkBuffer.cpp:
1442         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
1443         (JSC::LinkBuffer::linkCode):
1444         (JSC::LinkBuffer::allocate):
1445         * assembler/LinkBuffer.h:
1446         (JSC::LinkBuffer::LinkBuffer):
1447         (JSC::LinkBuffer::link):
1448         * ftl/FTLAbbreviations.h:
1449         (JSC::FTL::constNull):
1450         (JSC::FTL::buildCall):
1451         * ftl/FTLCapabilities.cpp:
1452         (JSC::FTL::canCompile):
1453         * ftl/FTLCompile.cpp:
1454         (JSC::FTL::fixFunctionBasedOnStackMaps):
1455         * ftl/FTLInlineCacheDescriptor.h: Added.
1456         (JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
1457         (JSC::FTL::GetByIdDescriptor::GetByIdDescriptor):
1458         (JSC::FTL::GetByIdDescriptor::stackmapID):
1459         (JSC::FTL::GetByIdDescriptor::codeOrigin):
1460         (JSC::FTL::GetByIdDescriptor::uid):
1461         * ftl/FTLInlineCacheSize.cpp: Added.
1462         (JSC::FTL::sizeOfGetById):
1463         (JSC::FTL::sizeOfPutById):
1464         * ftl/FTLInlineCacheSize.h: Added.
1465         * ftl/FTLIntrinsicRepository.h:
1466         * ftl/FTLJITFinalizer.cpp:
1467         (JSC::FTL::JITFinalizer::finalizeFunction):
1468         * ftl/FTLJITFinalizer.h:
1469         * ftl/FTLLocation.cpp:
1470         (JSC::FTL::Location::directGPR):
1471         * ftl/FTLLocation.h:
1472         * ftl/FTLLowerDFGToLLVM.cpp:
1473         (JSC::FTL::LowerDFGToLLVM::compileGetById):
1474         * ftl/FTLOutput.h:
1475         (JSC::FTL::Output::call):
1476         * ftl/FTLSlowPathCall.cpp: Added.
1477         (JSC::FTL::callOperation):
1478         * ftl/FTLSlowPathCall.h: Added.
1479         (JSC::FTL::SlowPathCall::SlowPathCall):
1480         (JSC::FTL::SlowPathCall::call):
1481         (JSC::FTL::SlowPathCall::key):
1482         * ftl/FTLSlowPathCallKey.cpp: Added.
1483         (JSC::FTL::SlowPathCallKey::dump):
1484         * ftl/FTLSlowPathCallKey.h: Added.
1485         (JSC::FTL::SlowPathCallKey::SlowPathCallKey):
1486         (JSC::FTL::SlowPathCallKey::usedRegisters):
1487         (JSC::FTL::SlowPathCallKey::callTarget):
1488         (JSC::FTL::SlowPathCallKey::offset):
1489         (JSC::FTL::SlowPathCallKey::isEmptyValue):
1490         (JSC::FTL::SlowPathCallKey::isDeletedValue):
1491         (JSC::FTL::SlowPathCallKey::operator==):
1492         (JSC::FTL::SlowPathCallKey::hash):
1493         (JSC::FTL::SlowPathCallKeyHash::hash):
1494         (JSC::FTL::SlowPathCallKeyHash::equal):
1495         * ftl/FTLStackMaps.cpp:
1496         (JSC::FTL::StackMaps::Location::directGPR):
1497         * ftl/FTLStackMaps.h:
1498         * ftl/FTLState.h:
1499         * ftl/FTLThunks.cpp:
1500         (JSC::FTL::slowPathCallThunkGenerator):
1501         * ftl/FTLThunks.h:
1502         (JSC::FTL::Thunks::getSlowPathCallThunk):
1503         * jit/CCallHelpers.h:
1504         (JSC::CCallHelpers::setupArguments):
1505         * jit/GPRInfo.h:
1506         * jit/JITInlineCacheGenerator.cpp:
1507         (JSC::garbageStubInfo):
1508         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
1509         (JSC::JITByIdGenerator::finalize):
1510         * jit/JITInlineCacheGenerator.h:
1511         (JSC::JITByIdGenerator::slowPathBegin):
1512         * jit/RegisterSet.cpp:
1513         (JSC::RegisterSet::stackRegisters):
1514         (JSC::RegisterSet::specialRegisters):
1515         (JSC::RegisterSet::calleeSaveRegisters):
1516         (JSC::RegisterSet::allGPRs):
1517         (JSC::RegisterSet::allFPRs):
1518         (JSC::RegisterSet::allRegisters):
1519         (JSC::RegisterSet::dump):
1520         * jit/RegisterSet.h:
1521         (JSC::RegisterSet::exclude):
1522         (JSC::RegisterSet::numberOfSetRegisters):
1523         (JSC::RegisterSet::RegisterSet):
1524         (JSC::RegisterSet::isEmptyValue):
1525         (JSC::RegisterSet::isDeletedValue):
1526         (JSC::RegisterSet::operator==):
1527         (JSC::RegisterSet::hash):
1528         (JSC::RegisterSetHash::hash):
1529         (JSC::RegisterSetHash::equal):
1530         * runtime/Options.h:
1531
1532 2013-10-22  Filip Pizlo  <fpizlo@apple.com>
1533
1534         jitCompileAndSetHeuristics should DeferGCForAWhile
1535         https://bugs.webkit.org/show_bug.cgi?id=123196
1536
1537         Reviewed by Mark Hahnenberg.
1538         
1539         This fixes random crashes in V8v7/raytrace. I only see those crashes on exactly one of
1540         my machines. I don't think this is testable; we just need to steadily converge towards
1541         getting our uses of DeferGC to be right and then be careful not to regress. We're not
1542         there yet, obviously.
1543         
1544         * llint/LLIntSlowPaths.cpp:
1545         (JSC::LLInt::jitCompileAndSetHeuristics):
1546
1547 2013-10-23  Daniel Bates  <dabates@apple.com>
1548
1549         [iOS] Upstream more JavaScriptCore build configuration changes
1550         https://bugs.webkit.org/show_bug.cgi?id=123169
1551
1552         Reviewed by David Kilzer.
1553
1554         * Configurations/Base.xcconfig:
1555         * Configurations/Version.xcconfig:
1556         * Configurations/iOS.xcconfig: Added.
1557         * JavaScriptCore.xcodeproj/project.pbxproj:
1558
1559 2013-10-23  Daniel Bates  <dabates@apple.com>
1560
1561         [iOS] Export DefaultGCActivityCallback member functions
1562         https://bugs.webkit.org/show_bug.cgi?id=123175
1563
1564         Reviewed by David Kilzer.
1565
1566         * runtime/GCActivityCallback.h:
1567
1568 2013-10-23  Daniel Bates  <dabates@apple.com>
1569
1570         [iOS] Upstream more ARMv7s bits
1571         https://bugs.webkit.org/show_bug.cgi?id=123052
1572
1573         Reviewed by Joseph Pecoraro.
1574
1575         * Configurations/JavaScriptCore.xcconfig:
1576
1577 2013-10-22  Andreas Kling  <akling@apple.com>
1578
1579         Minor VM* -> VM& cleanups in HashTable and Keywords.
1580         <https://webkit.org/b/123183>
1581
1582         Turn some VM* variables that will never be null into VM&.
1583
1584         Reviewed by Geoffrey Garen.
1585
1586 2013-10-22  Geoffrey Garen  <ggaren@apple.com>
1587
1588         REGRESSION: `if (false === (true && undefined)) console.log("wrong!");` logs "wrong!", shouldn't!
1589         https://bugs.webkit.org/show_bug.cgi?id=123179
1590
1591         Reviewed by Mark Hahnenberg.
1592
1593         * parser/NodeConstructors.h:
1594         (JSC::LogicalOpNode::LogicalOpNode):
1595         * parser/ResultType.h:
1596         (JSC::ResultType::forLogicalOp): Don't assume that && produces a boolean.
1597         This is JavaScript (aka Sparta).
1598
1599 2013-10-22  Commit Queue  <commit-queue@webkit.org>
1600
1601         Unreviewed, rolling out r157819.
1602         http://trac.webkit.org/changeset/157819
1603         https://bugs.webkit.org/show_bug.cgi?id=123180
1604
1605         Broke 32-bit builds (Requested by smfr on #webkit).
1606
1607         * Configurations/JavaScriptCore.xcconfig:
1608         * Configurations/ToolExecutable.xcconfig:
1609
1610 2013-10-22  Daniel Bates  <dabates@apple.com>
1611
1612         [iOS] Upstream more ARMv7s bits
1613         https://bugs.webkit.org/show_bug.cgi?id=123052
1614
1615         Reviewed by Joseph Pecoraro.
1616
1617         * Configurations/JavaScriptCore.xcconfig:
1618         * Configurations/ToolExecutable.xcconfig: Enable CLANG_ENABLE_OBJC_ARC for i386 as I'm
1619         modifying a file in JavaScriptCore/Configurations.
1620
1621 2013-10-22  Daniel Bates  <dabates@apple.com>
1622
1623         [iOS] Upstream JSLock changes
1624         https://bugs.webkit.org/show_bug.cgi?id=123107
1625
1626         Reviewed by Geoffrey Garen.
1627
1628         * runtime/JSLock.cpp:
1629         (JSC::JSLock::unlock):
1630         (JSC::JSLock::dropAllLocks): Modified to take a SpinLock, used only on iOS.
1631         (JSC::JSLock::dropAllLocksUnconditionally): Modified to take a SpinLock, used only on iOS. Also
1632         use pre-increment instead of post-increment when we're not using the return value of the instruction.
1633         (JSC::JSLock::grabAllLocks): Modified to take a SpinLock, used only on iOS. Also change
1634         places where we were using post-increment/post-decrement to use pre-increment/pre-decrement,
1635         since we don't use the return value of such instructions.
1636         (JSC::JSLock::DropAllLocks::DropAllLocks): Modified to support releasing all locks unconditionally.
1637         Take a spin lock before releasing all locks on iOS. Also, use nullptr instead of 0.
1638         (JSC::JSLock::DropAllLocks::~DropAllLocks): Take a spin lock before acquiring all locks on iOS.
1639         * runtime/JSLock.h: Remove extraneous argument name "exec" from DropAllLocks as the data type of
1640         the argument is sufficiently descriptive of its purpose.
1641
1642 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1643
1644         [arm] Add missing setupArgumentsWithExecState() prototypes to fix build.
1645         https://bugs.webkit.org/show_bug.cgi?id=123166
1646
1647         Reviewed by Michael Saboff.
1648
1649         * jit/CCallHelpers.h:
1650         (JSC::CCallHelpers::setupArgumentsWithExecState):
1651
1652 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1653
1654         [sh4][mips][arm] Fix crashes in JSC (32-bit only).
1655         https://bugs.webkit.org/show_bug.cgi?id=123165
1656
1657         Reviewed by Michael Saboff.
1658
1659         * jit/JITInlines.h:
1660         (JSC::JIT::callOperationNoExceptionCheck): Add missing EABI_32BIT_DUMMY_ARG.
1661         (JSC::JIT::callOperation): The last TrustedImm32(arg3) is a bit overkill for SH4 :)
1662         (JSC::JIT::callOperation): Add missing EABI_32BIT_DUMMY_ARG.
1663         (JSC::JIT::callOperation): Fix tag and payload order for V_JITOperation_EJJJ prototype.
1664
1665 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1666
1667         REGRESSION(r157690, r157699) Fix architectures using AssemblerBufferWithConstantPool.
1668         https://bugs.webkit.org/show_bug.cgi?id=123092
1669
1670         Reviewed by Michael Saboff.
1671
1672         Impacted architectures are SH4 and ARM_TRADITIONAL.
1673
1674         * assembler/ARMAssembler.h:
1675         (JSC::ARMAssembler::buffer):
1676         * assembler/AssemblerBufferWithConstantPool.h:
1677         (JSC::AssemblerBufferWithConstantPool::flushConstantPool):
1678         * assembler/LinkBuffer.cpp:
1679         (JSC::LinkBuffer::linkCode):
1680         * assembler/SH4Assembler.h:
1681         (JSC::SH4Assembler::buffer):
1682
1683 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1684
1685         Remove unused stuff in JIT stubs.
1686         https://bugs.webkit.org/show_bug.cgi?id=123155
1687
1688         Reviewed by Michael Saboff.
1689
1690         * jit/JITStubs.h:
1691         * jit/JITStubsARM.h:
1692         (JSC::ctiTrampoline):
1693         * jit/JITStubsARM64.h:
1694         * jit/JITStubsARMv7.h:
1695         * jit/JITStubsMIPS.h:
1696         * jit/JITStubsSH4.h:
1697         * jit/JITStubsX86.h:
1698         * jit/JITStubsX86_64.h:
1699
1700 2013-10-22  Daniel Bates  <dabates@apple.com>
1701
1702         [iOS] Upstream OS-version-specific install paths for JavaScriptCore.framework
1703         https://bugs.webkit.org/show_bug.cgi?id=123115
1704         <rdar://problem/13696872>
1705
1706         Reviewed by Andy Estes.
1707
1708         Based on a patch by Mark Hahnenberg.
1709
1710         Add support for running JavaScriptCore-based apps, built against the iOS 7 SDK, on older versions of iOS.
1711
1712         * API/JSBase.cpp:
1713
1714 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1715
1716         [sh4] Add missing lastRegister(), firstFPRegister() and lastFPRegister(). 
1717         https://bugs.webkit.org/show_bug.cgi?id=123157
1718
1719         Reviewed by Andreas Kling.
1720
1721         * assembler/SH4Assembler.h:
1722         (JSC::SH4Assembler::lastRegister):
1723         (JSC::SH4Assembler::firstFPRegister):
1724         (JSC::SH4Assembler::lastFPRegister):
1725
1726 2013-10-22  Brian Holt  <brian.holt@samsung.com>
1727
1728         Build break on ARMv7 after r157209
1729         https://bugs.webkit.org/show_bug.cgi?id=122890
1730
1731         Reviewed by Csaba Osztrogonác.
1732
1733         Add framePointerRegister and first/last register helpers for ARM_TRADITIONAL.
1734
1735         * assembler/ARMAssembler.h:
1736         * assembler/MacroAssemblerARM.h:
1737         (JSC::MacroAssemblerARM::firstRegister):
1738         (JSC::MacroAssemblerARM::lastRegister):
1739         (JSC::MacroAssemblerARM::firstFPRegister):
1740         (JSC::MacroAssemblerARM::lastFPRegister):
1741
1742 2013-10-21  Daniel Bates  <dabates@apple.com>
1743
1744         [iOS] Upstream JSGlobalObject::shouldInterruptScriptBeforeTimeout()
1745         https://bugs.webkit.org/show_bug.cgi?id=123045
1746
1747         Reviewed by Joseph Pecoraro.
1748
1749         * jsc.cpp: Add function pointer for shouldInterruptScriptBeforeTimeout
1750         to global method table.
1751         * runtime/JSGlobalObject.cpp: Ditto.
1752         * runtime/JSGlobalObject.h:
1753         (JSC::JSGlobalObject::shouldInterruptScriptBeforeTimeout): Added.
1754
1755 2013-10-21  Daniel Bates  <dabates@apple.com>
1756
1757         [iOS] Upstream JSC Objective-C API compiler warning fixes
1758         https://bugs.webkit.org/show_bug.cgi?id=123125
1759
1760         Reviewed by Mark Hahnenberg.
1761
1762         Based on a patch by Mark Hahnenberg.
1763
1764         * API/JSValue.mm:
1765         (-[JSValue toPoint]): Cast to CGFloat to fix some compiler warnings about double narrowing to float.
1766         (-[JSValue toSize]): Ditto.
1767         * API/tests/testapi.mm: Changed a test that was failing due to overflow of 32-bit NSUInteger on armv7.
1768
1769 2013-10-21  Daniel Bates  <dabates@apple.com>
1770
1771         [iOS] Mark classes JS{Context, ManagedValue, Value, VirtualMachine} as
1772         available since iOS 7.0
1773         https://bugs.webkit.org/show_bug.cgi?id=123122
1774
1775         Reviewed by Dan Bernstein.
1776
1777         * API/JSContext.h:
1778         * API/JSManagedValue.h:
1779         * API/JSValue.h:
1780         * API/JSVirtualMachine.h:
1781
1782 2013-10-20  Mark Lam  <mark.lam@apple.com>
1783
1784         Avoid JSC debugger overhead unless needed.
1785         https://bugs.webkit.org/show_bug.cgi?id=123084.
1786
1787         Reviewed by Geoffrey Garen.
1788
1789         - If no breakpoints are set, we now avoid calling the debug hook callbacks.
1790         - If no break on exception is set, we also avoid exception event debug callbacks.
1791         - When we return from the ScriptDebugServer to the JSC::Debugger, we may no
1792           longer call the debug hook callbacks if not needed. Hence, the m_currentCallFrame
1793           pointer in the ScriptDebugServer may become stale. To avoid this issue, before
1794           returning, the ScriptDebugServer will clear its m_currentCallFrame if
1795           needsOpDebugCallbacks() is false.
1796
1797         * debugger/Debugger.cpp:
1798         (JSC::Debugger::Debugger):
1799         (JSC::Debugger::setNeedsExceptionCallbacks):
1800         (JSC::Debugger::setShouldPause):
1801         (JSC::Debugger::updateNumberOfBreakpoints):
1802         (JSC::Debugger::updateNeedForOpDebugCallbacks):
1803         * debugger/Debugger.h:
1804         * interpreter/Interpreter.cpp:
1805         (JSC::Interpreter::unwind):
1806         (JSC::Interpreter::debug):
1807         * jit/JITOpcodes.cpp:
1808         (JSC::JIT::emit_op_debug):
1809         * jit/JITOpcodes32_64.cpp:
1810         (JSC::JIT::emit_op_debug):
1811         * llint/LLIntOffsetsExtractor.cpp:
1812         * llint/LowLevelInterpreter.asm:
1813
1814 2013-10-21  Brent Fulgham  <bfulgham@apple.com>
1815
1816         [WIN] Unreviewed build correction.
1817
1818         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Handle new JIT files as C++ implementation
1819           sources, not header files.
1820         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
1821
1822 2013-10-21  Oliver Hunt  <oliver@apple.com>
1823
1824         Support computed property names in object literals
1825         https://bugs.webkit.org/show_bug.cgi?id=123112
1826
1827         Reviewed by Michael Saboff.
1828
1829         Add support for computed property names to the parser.
1830
1831         * bytecompiler/NodesCodegen.cpp:
1832         (JSC::PropertyListNode::emitBytecode):
1833         * parser/ASTBuilder.h:
1834         (JSC::ASTBuilder::createProperty):
1835         (JSC::ASTBuilder::getName):
1836         * parser/NodeConstructors.h:
1837         (JSC::PropertyNode::PropertyNode):
1838         * parser/Nodes.h:
1839         (JSC::PropertyNode::expressionName):
1840         (JSC::PropertyNode::name):
1841         * parser/Parser.cpp:
1842         (JSC::::parseProperty):
1843         (JSC::::parseStrictObjectLiteral):
1844         * parser/SyntaxChecker.h:
1845         (JSC::SyntaxChecker::Property::Property):
1846         (JSC::SyntaxChecker::createProperty):
1847         (JSC::SyntaxChecker::operatorStackPop):
1848
1849 2013-10-21  Michael Saboff  <msaboff@apple.com>
1850
1851         Add option so that JSC will crash if it can't allocate executable memory for the JITs
1852         https://bugs.webkit.org/show_bug.cgi?id=123048
1853         <rdar://problem/12856193>
1854
1855         Reviewed by Geoffrey Garen.
1856
1857         Added new option, called crashIfCantAllocateJITMemory. If this option is true then we crash
1858         when checking the validity of the executable allocator. The default value for this option is
1859         false, but jsc sets it to true when built for iOS to make it straightforward to identify whether
1860         the app can obtain executable memory.
1861
1862         * jsc.cpp: Explicitly enable crashIfCantAllocateJITMemory on iOS.
1863         (main):
1864         * runtime/Options.h: Added option crashIfCantAllocateJITMemory.
1865         * runtime/VM.cpp:
1866         (JSC::enableAssembler): Modified to crash if option crashIfCantAllocateJITMemory
1867         is enabled.
1868
1869 2013-10-21  Nadav Rotem  <nrotem@apple.com>
1870
1871         Remove AllInOneFile.cpp
1872         https://bugs.webkit.org/show_bug.cgi?id=123055
1873
1874         Reviewed by Csaba Osztrogonác.
1875
1876         * AllInOneFile.cpp: Removed.
1877
1878 2013-10-20  Filip Pizlo  <fpizlo@apple.com>
1879
1880         Unreviewed, cleanup a FIXME comment.
1881
1882         * jit/Repatch.cpp:
1883
1884 2013-10-20  Filip Pizlo  <fpizlo@apple.com>
1885
1886         StructureStubInfo's usedRegisters set should be able to track all registers, not just the ones that our JIT's view as temporaries
1887         https://bugs.webkit.org/show_bug.cgi?id=123076
1888
1889         Reviewed by Sam Weinig.
1890         
1891         Start preparing for a world in which we are patching code generated by LLVM, which may have
1892         very different register usage conventions than our JITs. This requires us being more explicit
1893         about the registers we are using. For example, the repatching code shouldn't take for granted
1894         that tagMaskRegister holds the TagMask or that the register is even in use.
1895
1896         * CMakeLists.txt:
1897         * GNUmakefile.list.am:
1898         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1899         * JavaScriptCore.xcodeproj/project.pbxproj:
1900         * assembler/MacroAssembler.h:
1901         (JSC::MacroAssembler::numberOfRegisters):
1902         (JSC::MacroAssembler::registerIndex):
1903         (JSC::MacroAssembler::numberOfFPRegisters):
1904         (JSC::MacroAssembler::fpRegisterIndex):
1905         (JSC::MacroAssembler::totalNumberOfRegisters):
1906         * bytecode/StructureStubInfo.h:
1907         * dfg/DFGSpeculativeJIT.cpp:
1908         (JSC::DFG::SpeculativeJIT::usedRegisters):
1909         * dfg/DFGSpeculativeJIT.h:
1910         * ftl/FTLSaveRestore.cpp:
1911         (JSC::FTL::bytesForGPRs):
1912         (JSC::FTL::bytesForFPRs):
1913         (JSC::FTL::offsetOfGPR):
1914         (JSC::FTL::offsetOfFPR):
1915         * jit/JITInlineCacheGenerator.cpp:
1916         (JSC::JITByIdGenerator::JITByIdGenerator):
1917         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1918         * jit/JITInlineCacheGenerator.h:
1919         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1920         * jit/JITPropertyAccess.cpp:
1921         (JSC::JIT::emit_op_get_by_id):
1922         (JSC::JIT::emit_op_put_by_id):
1923         * jit/JITPropertyAccess32_64.cpp:
1924         (JSC::JIT::emit_op_get_by_id):
1925         (JSC::JIT::emit_op_put_by_id):
1926         * jit/RegisterSet.cpp: Added.
1927         (JSC::RegisterSet::specialRegisters):
1928         * jit/RegisterSet.h: Added.
1929         (JSC::RegisterSet::RegisterSet):
1930         (JSC::RegisterSet::set):
1931         (JSC::RegisterSet::clear):
1932         (JSC::RegisterSet::get):
1933         (JSC::RegisterSet::merge):
1934         * jit/Repatch.cpp:
1935         (JSC::generateProtoChainAccessStub):
1936         (JSC::tryCacheGetByID):
1937         (JSC::tryBuildGetByIDList):
1938         (JSC::emitPutReplaceStub):
1939         (JSC::tryRepatchIn):
1940         (JSC::linkClosureCall):
1941         * jit/TempRegisterSet.cpp: Added.
1942         (JSC::TempRegisterSet::TempRegisterSet):
1943         * jit/TempRegisterSet.h:
1944
1945 2013-10-20  Julien Brianceau  <jbriance@cisco.com>
1946
1947         [sh4] Fix build (broken since r157690).
1948         https://bugs.webkit.org/show_bug.cgi?id=123081
1949
1950         Reviewed by Andreas Kling.
1951
1952         * assembler/AssemblerBufferWithConstantPool.h:
1953         * assembler/SH4Assembler.h:
1954         (JSC::SH4Assembler::buffer):
1955         (JSC::SH4Assembler::readCallTarget):
1956
1957 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
1958
1959         Simplify TempRegisterSet - it no longer needs to be convertible to a POD since it's no longer going to be a member of a union
1960         https://bugs.webkit.org/show_bug.cgi?id=123079
1961
1962         Reviewed by Geoffrey Garen.
1963
1964         * jit/TempRegisterSet.h:
1965
1966 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
1967
1968         Rename RegisterSet to TempRegisterSet
1969         https://bugs.webkit.org/show_bug.cgi?id=123077
1970
1971         Reviewed by Dan Bernstein.
1972
1973         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1974         * JavaScriptCore.xcodeproj/project.pbxproj:
1975         * bytecode/StructureStubInfo.h:
1976         * dfg/DFGJITCompiler.h:
1977         * dfg/DFGSpeculativeJIT.h:
1978         (JSC::DFG::SpeculativeJIT::usedRegisters):
1979         * jit/JITInlineCacheGenerator.cpp:
1980         (JSC::JITByIdGenerator::JITByIdGenerator):
1981         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1982         * jit/JITInlineCacheGenerator.h:
1983         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1984         * jit/JITPropertyAccess.cpp:
1985         (JSC::JIT::emit_op_get_by_id):
1986         (JSC::JIT::emit_op_put_by_id):
1987         * jit/JITPropertyAccess32_64.cpp:
1988         (JSC::JIT::emit_op_get_by_id):
1989         (JSC::JIT::emit_op_put_by_id):
1990         * jit/RegisterSet.h: Removed.
1991         * jit/ScratchRegisterAllocator.h:
1992         (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
1993         * jit/TempRegisterSet.h: Copied from Source/JavaScriptCore/jit/RegisterSet.h.
1994         (JSC::TempRegisterSet::TempRegisterSet):
1995         (JSC::TempRegisterSet::asPOD):
1996         (JSC::TempRegisterSet::copyInfo):
1997
1998 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
1999
2000         Restructure LinkBuffer to allow for alternate allocation strategies
2001         https://bugs.webkit.org/show_bug.cgi?id=123071
2002
2003         Reviewed by Oliver Hunt.
2004         
2005         The idea is to eventually allow a LinkBuffer to place the code into an already
2006         allocated region of memory.  That region of memory could be the nop-slide left behind
2007         by a llvm.webkit.patchpoint.
2008
2009         * assembler/ARM64Assembler.h:
2010         (JSC::ARM64Assembler::buffer):
2011         * assembler/AssemblerBuffer.h:
2012         * assembler/LinkBuffer.cpp:
2013         (JSC::LinkBuffer::copyCompactAndLinkCode):
2014         (JSC::LinkBuffer::linkCode):
2015         (JSC::LinkBuffer::allocate):
2016         (JSC::LinkBuffer::shrink):
2017         * assembler/LinkBuffer.h:
2018         (JSC::LinkBuffer::LinkBuffer):
2019         (JSC::LinkBuffer::didFailToAllocate):
2020         * assembler/X86Assembler.h:
2021         (JSC::X86Assembler::buffer):
2022         (JSC::X86Assembler::X86InstructionFormatter::memoryModRM):
2023
2024 2013-10-19  Alexey Proskuryakov  <ap@apple.com>
2025
2026         Some includes in JSC seem to use an incorrect style
2027         https://bugs.webkit.org/show_bug.cgi?id=123057
2028
2029         Reviewed by Geoffrey Garen.
2030
2031         Changed pseudo-system includes to user ones.
2032
2033         * API/JSContextRef.cpp:
2034         * API/JSStringRefCF.cpp:
2035         * API/JSValueRef.cpp:
2036         * API/OpaqueJSString.cpp:
2037         * jit/JIT.h:
2038         * parser/SyntaxChecker.h:
2039         * runtime/WeakGCMap.h:
2040
2041 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
2042
2043         Baseline JIT and DFG IC code generation should be unified and rationalized
2044         https://bugs.webkit.org/show_bug.cgi?id=122939
2045
2046         Reviewed by Geoffrey Garen.
2047         
2048         Introduce the JITInlineCacheGenerator, which takes a CodeBlock and a CodeOrigin plus
2049         some register info and creates JIT inline caches for you. Used this to even further
2050         unify the baseline and DFG ICs. In the future we can use this for FTL ICs. And my hope
2051         is that we'll be able to use it for cascading ICs: an IC for some instruction may realize
2052         that it needs to do the equivalent of get_by_id, so with this generator it will be able
2053         to create an IC even though it wasn't associated with a get_by_id bytecode instruction.
2054
2055         * CMakeLists.txt:
2056         * GNUmakefile.list.am:
2057         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2058         * JavaScriptCore.xcodeproj/project.pbxproj:
2059         * assembler/AbstractMacroAssembler.h:
2060         (JSC::AbstractMacroAssembler::DataLabelCompact::label):
2061         * bytecode/CodeBlock.h:
2062         (JSC::CodeBlock::ecmaMode):
2063         * dfg/DFGInlineCacheWrapper.h: Added.
2064         (JSC::DFG::InlineCacheWrapper::InlineCacheWrapper):
2065         * dfg/DFGInlineCacheWrapperInlines.h: Added.
2066         (JSC::DFG::::finalize):
2067         * dfg/DFGJITCompiler.cpp:
2068         (JSC::DFG::JITCompiler::link):
2069         * dfg/DFGJITCompiler.h:
2070         (JSC::DFG::JITCompiler::addGetById):
2071         (JSC::DFG::JITCompiler::addPutById):
2072         * dfg/DFGSpeculativeJIT32_64.cpp:
2073         (JSC::DFG::SpeculativeJIT::cachedGetById):
2074         (JSC::DFG::SpeculativeJIT::cachedPutById):
2075         * dfg/DFGSpeculativeJIT64.cpp:
2076         (JSC::DFG::SpeculativeJIT::cachedGetById):
2077         (JSC::DFG::SpeculativeJIT::cachedPutById):
2078         (JSC::DFG::SpeculativeJIT::compile):
2079         * jit/AssemblyHelpers.h:
2080         (JSC::AssemblyHelpers::isStrictModeFor):
2081         (JSC::AssemblyHelpers::strictModeFor):
2082         * jit/GPRInfo.h:
2083         (JSC::JSValueRegs::tagGPR):
2084         * jit/JIT.cpp:
2085         (JSC::JIT::JIT):
2086         (JSC::JIT::privateCompileSlowCases):
2087         (JSC::JIT::privateCompile):
2088         * jit/JIT.h:
2089         * jit/JITInlineCacheGenerator.cpp: Added.
2090         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
2091         (JSC::JITByIdGenerator::JITByIdGenerator):
2092         (JSC::JITByIdGenerator::finalize):
2093         (JSC::JITByIdGenerator::generateFastPathChecks):
2094         (JSC::JITGetByIdGenerator::generateFastPath):
2095         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
2096         (JSC::JITPutByIdGenerator::generateFastPath):
2097         (JSC::JITPutByIdGenerator::slowPathFunction):
2098         * jit/JITInlineCacheGenerator.h: Added.
2099         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
2100         (JSC::JITInlineCacheGenerator::stubInfo):
2101         (JSC::JITByIdGenerator::JITByIdGenerator):
2102         (JSC::JITByIdGenerator::reportSlowPathCall):
2103         (JSC::JITByIdGenerator::slowPathJump):
2104         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
2105         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
2106         * jit/JITPropertyAccess.cpp:
2107         (JSC::JIT::emit_op_get_by_id):
2108         (JSC::JIT::emitSlow_op_get_by_id):
2109         (JSC::JIT::emit_op_put_by_id):
2110         (JSC::JIT::emitSlow_op_put_by_id):
2111         * jit/JITPropertyAccess32_64.cpp:
2112         (JSC::JIT::emit_op_get_by_id):
2113         (JSC::JIT::emitSlow_op_get_by_id):
2114         (JSC::JIT::emit_op_put_by_id):
2115         (JSC::JIT::emitSlow_op_put_by_id):
2116         * jit/RegisterSet.h:
2117         (JSC::RegisterSet::set):
2118
2119 2013-10-19  Alexey Proskuryakov  <ap@apple.com>
2120
2121         APICast.h uses functions from JSCJSValueInlines.h, but doesn't include it
2122         https://bugs.webkit.org/show_bug.cgi?id=123067
2123
2124         Reviewed by Geoffrey Garen.
2125
2126         * API/APICast.h: Include it.
2127
2128 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
2129
2130         FTL::Location should treat the offset as an addend in the case of a Register location
2131         https://bugs.webkit.org/show_bug.cgi?id=123062
2132
2133         Reviewed by Sam Weinig.
2134
2135         * ftl/FTLLocation.cpp:
2136         (JSC::FTL::Location::forStackmaps):
2137         (JSC::FTL::Location::dump):
2138         (JSC::FTL::Location::restoreInto):
2139         * ftl/FTLLocation.h:
2140         (JSC::FTL::Location::forRegister):
2141         (JSC::FTL::Location::hasAddend):
2142         (JSC::FTL::Location::addend):
2143
2144 2013-10-19  Nadav Rotem  <nrotem@apple.com>
2145
2146         DFG dominators: document and rename stuff.
2147         https://bugs.webkit.org/show_bug.cgi?id=123056
2148
2149         Reviewed by Filip Pizlo.
2150
2151         Documented the code and renamed some variables.
2152
2153         * dfg/DFGDominators.cpp:
2154         (JSC::DFG::Dominators::compute):
2155         (JSC::DFG::Dominators::pruneDominators):
2156         * dfg/DFGDominators.h:
2157
2158 2013-10-19  Julien Brianceau  <jbriance@cisco.com>
2159
2160         Fix build failure for architectures with 4 argument registers.
2161         https://bugs.webkit.org/show_bug.cgi?id=123060
2162
2163         Reviewed by Michael Saboff.
2164
2165         Add missing setupArgumentsWithExecState() prototypes for architectures with 4 argument registers.
2166         Remove SH4 specific code no longer needed since callOperation prototype change in r157660.
2167
2168         * dfg/DFGSpeculativeJIT.h:
2169         (JSC::DFG::SpeculativeJIT::callOperation):
2170         * jit/CCallHelpers.h:
2171         (JSC::CCallHelpers::setupArgumentsWithExecState):
2172         * jit/JITInlines.h:
2173         (JSC::JIT::callOperation):
2174
2175 2013-10-18  Filip Pizlo  <fpizlo@apple.com>
2176
2177         Unreviewed, fix FTL build.
2178
2179         * ftl/FTLIntrinsicRepository.h:
2180         * ftl/FTLLowerDFGToLLVM.cpp:
2181         (JSC::FTL::LowerDFGToLLVM::compileGetById):
2182
2183 2013-10-18  Filip Pizlo  <fpizlo@apple.com>
2184
2185         A CodeBlock's StructureStubInfos shouldn't be in a Vector that we search using code origins and machine code PCs
2186         https://bugs.webkit.org/show_bug.cgi?id=122940
2187
2188         Reviewed by Oliver Hunt.
2189         
2190         This accomplishes a number of simplifications. StructureStubInfo is now non-moving,
2191         whereas previously it was in a Vector, so it moved. This allows you to use pointers to
2192         StructureStubInfo. This also eliminates the use of return PC as a way of finding the
2193         StructureStubInfo's. It removes some of the need for the compile-time property access
2194         records; for example the DFG no longer has to save information about registers in a
2195         property access record only to later save it to the stub info.
2196         
2197         The main thing this accomplishes is that it makes it easier to add StructureStubInfo's
2198         at any stage of compilation.
2199
2200         * bytecode/CodeBlock.cpp:
2201         (JSC::CodeBlock::printGetByIdCacheStatus):
2202         (JSC::CodeBlock::dumpBytecode):
2203         (JSC::CodeBlock::~CodeBlock):
2204         (JSC::CodeBlock::propagateTransitions):
2205         (JSC::CodeBlock::finalizeUnconditionally):
2206         (JSC::CodeBlock::addStubInfo):
2207         (JSC::CodeBlock::getStubInfoMap):
2208         (JSC::CodeBlock::shrinkToFit):
2209         * bytecode/CodeBlock.h:
2210         (JSC::CodeBlock::begin):
2211         (JSC::CodeBlock::end):
2212         (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
2213         * bytecode/CodeOrigin.h:
2214         (JSC::CodeOrigin::CodeOrigin):
2215         (JSC::CodeOrigin::isHashTableDeletedValue):
2216         (JSC::CodeOrigin::hash):
2217         (JSC::CodeOriginHash::hash):
2218         (JSC::CodeOriginHash::equal):
2219         * bytecode/GetByIdStatus.cpp:
2220         (JSC::GetByIdStatus::computeFor):
2221         * bytecode/GetByIdStatus.h:
2222         * bytecode/PutByIdStatus.cpp:
2223         (JSC::PutByIdStatus::computeFor):
2224         * bytecode/PutByIdStatus.h:
2225         * bytecode/StructureStubInfo.h:
2226         (JSC::getStructureStubInfoCodeOrigin):
2227         * dfg/DFGByteCodeParser.cpp:
2228         (JSC::DFG::ByteCodeParser::parseBlock):
2229         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2230         * dfg/DFGJITCompiler.cpp:
2231         (JSC::DFG::JITCompiler::link):
2232         * dfg/DFGJITCompiler.h:
2233         (JSC::DFG::PropertyAccessRecord::PropertyAccessRecord):
2234         (JSC::DFG::InRecord::InRecord):
2235         * dfg/DFGSpeculativeJIT.cpp:
2236         (JSC::DFG::SpeculativeJIT::compileIn):
2237         * dfg/DFGSpeculativeJIT.h:
2238         (JSC::DFG::SpeculativeJIT::callOperation):
2239         * dfg/DFGSpeculativeJIT32_64.cpp:
2240         (JSC::DFG::SpeculativeJIT::cachedGetById):
2241         (JSC::DFG::SpeculativeJIT::cachedPutById):
2242         * dfg/DFGSpeculativeJIT64.cpp:
2243         (JSC::DFG::SpeculativeJIT::cachedGetById):
2244         (JSC::DFG::SpeculativeJIT::cachedPutById):
2245         * jit/CCallHelpers.h:
2246         (JSC::CCallHelpers::setupArgumentsWithExecState):
2247         * jit/JIT.cpp:
2248         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
2249         (JSC::JIT::privateCompile):
2250         * jit/JIT.h:
2251         (JSC::PropertyStubCompilationInfo::slowCaseInfo):
2252         * jit/JITInlines.h:
2253         (JSC::JIT::callOperation):
2254         * jit/JITOperations.cpp:
2255         * jit/JITOperations.h:
2256         * jit/JITPropertyAccess.cpp:
2257         (JSC::JIT::emitSlow_op_get_by_id):
2258         (JSC::JIT::emitSlow_op_put_by_id):
2259         * jit/JITPropertyAccess32_64.cpp:
2260         (JSC::JIT::emitSlow_op_get_by_id):
2261         (JSC::JIT::emitSlow_op_put_by_id):
2262         * jit/Repatch.cpp:
2263         (JSC::appropriateGenericPutByIdFunction):
2264         (JSC::appropriateListBuildingPutByIdFunction):
2265         (JSC::resetPutByID):
2266
2267 2013-10-18  Oliver Hunt  <oliver@apple.com>
2268
2269         Spread operator should be performing direct "puts" and not triggering setters
2270         https://bugs.webkit.org/show_bug.cgi?id=123047
2271
2272         Reviewed by Geoffrey Garen.
2273
2274         Add a new opcode -- op_put_by_val_direct -- and make use of it in the spread
2275         to array construct.  This required a new PutByValDirect node to be introduced to
2276         the DFG.  The current implementation simply changes the slow path function that
2277         is called, but in future this could be made faster as it does not need to check
2278         the prototype chain.
2279
2280         * bytecode/CodeBlock.cpp:
2281         (JSC::CodeBlock::dumpBytecode):
2282         (JSC::CodeBlock::CodeBlock):
2283         * bytecode/Opcode.h:
2284         (JSC::padOpcodeName):
2285         * bytecompiler/BytecodeGenerator.cpp:
2286         (JSC::BytecodeGenerator::emitDirectPutByVal):
2287         * bytecompiler/BytecodeGenerator.h:
2288         * bytecompiler/NodesCodegen.cpp:
2289         (JSC::ArrayNode::emitBytecode):
2290         * dfg/DFGAbstractInterpreterInlines.h:
2291         (JSC::DFG::::executeEffects):
2292         * dfg/DFGBackwardsPropagationPhase.cpp:
2293         (JSC::DFG::BackwardsPropagationPhase::propagate):
2294         * dfg/DFGByteCodeParser.cpp:
2295         (JSC::DFG::ByteCodeParser::parseBlock):
2296         * dfg/DFGCSEPhase.cpp:
2297         (JSC::DFG::CSEPhase::getArrayLengthElimination):
2298         (JSC::DFG::CSEPhase::getByValLoadElimination):
2299         (JSC::DFG::CSEPhase::checkStructureElimination):
2300         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
2301         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
2302         (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
2303         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
2304         (JSC::DFG::CSEPhase::performNodeCSE):
2305         * dfg/DFGCapabilities.cpp:
2306         (JSC::DFG::capabilityLevel):
2307         * dfg/DFGClobberize.h:
2308         (JSC::DFG::clobberize):
2309         * dfg/DFGFixupPhase.cpp:
2310         (JSC::DFG::FixupPhase::fixupNode):
2311         * dfg/DFGGraph.h:
2312         (JSC::DFG::Graph::clobbersWorld):
2313         * dfg/DFGNode.h:
2314         (JSC::DFG::Node::hasArrayMode):
2315         * dfg/DFGNodeType.h:
2316         * dfg/DFGOperations.cpp:
2317         (JSC::DFG::putByVal):
2318         (JSC::DFG::operationPutByValInternal):
2319         * dfg/DFGOperations.h:
2320         * dfg/DFGPredictionPropagationPhase.cpp:
2321         (JSC::DFG::PredictionPropagationPhase::propagate):
2322         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
2323         * dfg/DFGSafeToExecute.h:
2324         (JSC::DFG::safeToExecute):
2325         * dfg/DFGSpeculativeJIT32_64.cpp:
2326         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
2327         (JSC::DFG::SpeculativeJIT::compile):
2328         * dfg/DFGSpeculativeJIT64.cpp:
2329         (JSC::DFG::SpeculativeJIT::compile):
2330         * dfg/DFGTypeCheckHoistingPhase.cpp:
2331         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2332         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
2333         * jit/JIT.cpp:
2334         (JSC::JIT::privateCompileMainPass):
2335         (JSC::JIT::privateCompileSlowCases):
2336         * jit/JIT.h:
2337         (JSC::JIT::compileDirectPutByVal):
2338         * jit/JITOperations.cpp:
2339         * jit/JITOperations.h:
2340         * jit/JITPropertyAccess.cpp:
2341         (JSC::JIT::emitSlow_op_put_by_val):
2342         (JSC::JIT::privateCompilePutByVal):
2343         * jit/JITPropertyAccess32_64.cpp:
2344         (JSC::JIT::emitSlow_op_put_by_val):
2345         * llint/LLIntSlowPaths.cpp:
2346         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2347         * llint/LLIntSlowPaths.h:
2348         * llint/LowLevelInterpreter32_64.asm:
2349         * llint/LowLevelInterpreter64.asm:
2350
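     The behaviour this entry fixes, shown as an added JavaScript example (not WebKit's code): with an accessor installed on Array.prototype for index "0", spread into an array literal must define own data properties without ever reaching the inherited setter, whereas an ordinary assignment on an array that lacks an own "0" does reach it.

```javascript
// Added example (not WebKit's code): demonstrates why a spread must use a
// direct "put" (define own property) rather than an ordinary [[Set]].
// With an accessor for index "0" installed on Array.prototype, an ordinary
// assignment walks the prototype chain and invokes the inherited setter,
// while spread into an array literal must create an own data property and
// never call the setter.

function compareSpreadAndAssignment() {
  let setterCalls = 0;
  let lastValue;
  // Accessor on the prototype; it is removed again in the finally block.
  // (Counters are plain variables, not arrays, because Array.prototype.push
  // would itself hit this setter while it is installed.)
  Object.defineProperty(Array.prototype, '0', {
    configurable: true,
    get() { return undefined; },
    set(v) { setterCalls += 1; lastValue = v; },
  });
  try {
    const src = [42, 43]; // constructed sample input

    // Spread: each element is stored with CreateDataProperty, which defines
    // an own property and bypasses accessors on the prototype chain.
    const spread = [...src];
    const spreadSetterCalls = setterCalls;
    const spreadOwn0 = Object.prototype.hasOwnProperty.call(spread, '0');

    // Ordinary assignment on an array with no own "0": [[Set]] finds the
    // inherited accessor and invokes the setter; no own property is created.
    const assigned = [];
    assigned[0] = src[0];
    const assignSetterCalls = setterCalls - spreadSetterCalls;
    const assignOwn0 = Object.prototype.hasOwnProperty.call(assigned, '0');

    return { spreadSetterCalls, spreadOwn0, assignSetterCalls, assignOwn0, lastValue };
  } finally {
    delete Array.prototype['0'];
  }
}
```
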
2351 2013-10-18  Daniel Bates  <dabates@apple.com>
2352
2353         [iOS] Export symbol for VM::sharedInstanceExists()
2354         https://bugs.webkit.org/show_bug.cgi?id=123046
2355
2356         Reviewed by Mark Hahnenberg.
2357
2358         * runtime/VM.h:
2359
2360 2013-10-18  Daniel Bates  <dabates@apple.com>
2361
2362         [iOS] Upstream WebSafe{GCActivityCallback, IncrementalSweeper}IOS
2363         https://bugs.webkit.org/show_bug.cgi?id=123049
2364
2365         Reviewed by Mark Hahnenberg.
2366
2367         * heap/Heap.cpp:
2368         (JSC::Heap::setIncrementalSweeper):
2369         * heap/Heap.h:
2370         * heap/HeapTimer.h:
2371         * heap/IncrementalSweeper.h: Make protected and export CF-variant of constructor.
2372         Removed unused include of header RetainPtr.h. Also forward declare class MarkedBlock
2373         (we include its header in the .cpp file) and remove include for header wtf/HashSet.h
2374         (duplicates the include in the .cpp).
2375         * heap/MachineStackMarker.h: Export function makeUsableFromMultipleThreads(). We aren't
2376         making use of this now, but we'll make use of it in a subsequent patch.
2377
2378 2013-10-18  Anders Carlsson  <andersca@apple.com>
2379
2380         Remove spaces between template angle brackets
2381         https://bugs.webkit.org/show_bug.cgi?id=123040
2382
2383         Reviewed by Andreas Kling.
2384
2385         * API/JSCallbackObject.cpp:
2386         (JSC::::create):
2387         * API/JSObjectRef.cpp:
2388         * bytecode/CodeBlock.h:
2389         (JSC::CodeBlock::constants):
2390         (JSC::CodeBlock::setConstantRegisters):
2391         * bytecode/DFGExitProfile.h:
2392         * bytecode/EvalCodeCache.h:
2393         * bytecode/Operands.h:
2394         * bytecode/UnlinkedCodeBlock.h:
2395         (JSC::UnlinkedCodeBlock::constantRegisters):
2396         * bytecode/Watchpoint.h:
2397         * bytecompiler/BytecodeGenerator.h:
2398         * bytecompiler/StaticPropertyAnalysis.h:
2399         * bytecompiler/StaticPropertyAnalyzer.h:
2400         * dfg/DFGArgumentsSimplificationPhase.cpp:
2401         * dfg/DFGBlockInsertionSet.h:
2402         * dfg/DFGCSEPhase.cpp:
2403         (JSC::DFG::performCSE):
2404         (JSC::DFG::performStoreElimination):
2405         * dfg/DFGCommonData.h:
2406         * dfg/DFGDesiredStructureChains.h:
2407         * dfg/DFGDesiredWatchpoints.h:
2408         * dfg/DFGJITCompiler.h:
2409         * dfg/DFGOSRExitCompiler32_64.cpp:
2410         (JSC::DFG::OSRExitCompiler::compileExit):
2411         * dfg/DFGOSRExitCompiler64.cpp:
2412         (JSC::DFG::OSRExitCompiler::compileExit):
2413         * dfg/DFGWorklist.h:
2414         * heap/BlockAllocator.h:
2415         (JSC::CopiedBlock):
2416         (JSC::MarkedBlock):
2417         (JSC::WeakBlock):
2418         (JSC::MarkStackSegment):
2419         (JSC::CopyWorkListSegment):
2420         (JSC::HandleBlock):
2421         * heap/Heap.h:
2422         * heap/Local.h:
2423         * heap/MarkedBlock.h:
2424         * heap/Strong.h:
2425         * jit/AssemblyHelpers.cpp:
2426         (JSC::AssemblyHelpers::decodedCodeMapFor):
2427         * jit/AssemblyHelpers.h:
2428         * jit/SpecializedThunkJIT.h:
2429         * parser/Nodes.h:
2430         * parser/Parser.cpp:
2431         (JSC::::parseIfStatement):
2432         * parser/Parser.h:
2433         (JSC::Scope::copyCapturedVariablesToVector):
2434         (JSC::parse):
2435         * parser/ParserArena.h:
2436         * parser/SourceProviderCacheItem.h:
2437         * profiler/LegacyProfiler.cpp:
2438         (JSC::dispatchFunctionToProfiles):
2439         * profiler/LegacyProfiler.h:
2440         (JSC::LegacyProfiler::currentProfiles):
2441         * profiler/ProfileNode.h:
2442         (JSC::ProfileNode::children):
2443         * profiler/ProfilerDatabase.h:
2444         * runtime/Butterfly.h:
2445         (JSC::Butterfly::contiguousInt32):
2446         (JSC::Butterfly::contiguous):
2447         * runtime/GenericTypedArrayViewInlines.h:
2448         (JSC::::create):
2449         * runtime/Identifier.h:
2450         (JSC::Identifier::add):
2451         * runtime/JSPromise.h:
2452         * runtime/PropertyMapHashTable.h:
2453         * runtime/PropertyNameArray.h:
2454         * runtime/RegExpCache.h:
2455         * runtime/SparseArrayValueMap.h:
2456         * runtime/SymbolTable.h:
2457         * runtime/VM.h:
2458         * tools/CodeProfile.cpp:
2459         (JSC::truncateTrace):
2460         * tools/CodeProfile.h:
2461         * yarr/YarrInterpreter.cpp:
2462         * yarr/YarrInterpreter.h:
2463         (JSC::Yarr::BytecodePattern::BytecodePattern):
2464         * yarr/YarrJIT.cpp:
2465         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
2466         (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
2467         (JSC::Yarr::YarrGenerator::opCompileBody):
2468         * yarr/YarrPattern.cpp:
2469         (JSC::Yarr::YarrPatternConstructor::checkForTerminalParentheses):
2470         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
2471         * yarr/YarrPattern.h:
2472
2473 2013-10-18  Mark Lam  <mark.lam@apple.com>
2474
2475         Remove excess reserved space in ctiTrampoline frames for X86 and X86_64.
2476         https://bugs.webkit.org/show_bug.cgi?id=123037.
2477
2478         Reviewed by Geoffrey Garen.
2479
2480         * jit/JITStubsMSVC64.asm:
2481         * jit/JITStubsX86.h:
2482         * jit/JITStubsX86_64.h:
2483
2484 2013-10-18  Filip Pizlo  <fpizlo@apple.com>
2485
2486         Frequent RELEASE_ASSERT crashes in Structure::checkOffsetConsistency on WebGL swizzler tests
2487         https://bugs.webkit.org/show_bug.cgi?id=121661
2488
2489         Reviewed by Mark Hahnenberg.
2490         
2491         This method shouldn't have been called from the concurrent JIT thread. That's hard to prevent
2492         so I added a return-early check using isCompilationThread().
2493         
2494         Here's why this makes sense. Structure has two ways to tell you about the layout of the objects
2495         it is describing: m_offset and the property table. Most structures only have m_offset and report
2496         null for the property table. If the property table is there, it will tell you additional
2497         information and that information subsumes m_offset - but the m_offset is still there. So, when
2498         we have a property table, we have to keep it in sync with the m_offset. There is a bunch of
2499         machinery to do this.
2500         
2501         Changing the property table only happens on the main thread.
2502         
2503         Because the machinery to change the property table is so complex, especially with respect to
2504         keeping it in sync with m_offset, we have the checkOffsetConsistency method. It's meant to be
2505         called at key points before and after changes to the property table or the offset.
2506
2507         Most clients of Structure who care about object layout, including the concurrent thread, will
2508         want to know m_offset and not the property table. If they want the property table, they will
2509         already be super careful. The concurrent thread has special methods for this, like
2510         Structure::getConcurrently(), which uses fine-grained locking to ensure that it sees a coherent
2511         view of the property table.
2512         
2513         Adding locking to checkOffsetConsistency() is probably a bad idea since that method may be
2514         called when the relevant lock is already held. So, we'd have awkward recursive locking issues.
2515         
2516         But right now, the concurrent JIT thread may call a method, like Structure::outOfLineCapacity(),
2517         which has a call to checkOffsetConsistency(). The call to checkOffsetConsistency() is there
2518         because we have found that it helps quickly identify situations where the property table and
2519         m_offset get out of sync - mainly because code that changes either of those things will usually
2520         also want to know the outOfLineCapacity(). But Structure::outOfLineCapacity() doesn't *actually*
2521         need the property table; it uses the m_offset. The concurrent JIT is correct to call
2522         outOfLineCapacity(), and is right to do so without holding any locks (since in all cases where
2523         it calls outOfLineCapacity() it has already proven that m_offset is immutable). But because
2524         outOfLineCapacity() calls checkOffsetConsistency(), and checkOffsetConsistency() doesn't grab
2525         locks, and that same structure is having its property table modified by the main thread, we end
2526         up with these spurious assertion failures. FWIW, the structure isn't *actually* having *its*
2527         property table modified - instead what happens is that some downstream structure steals the
2528         property table and then starts adding things to it. The concurrent thread loads the property
2529         table before it's stolen, and hence the badness.
2530         
2531         I suspect there are other code paths that lead to the concurrent JIT calling some Structure
2532         method that it is fine and safe to call, but then that method calls checkOffsetConsistency(),
2533         and then you have a possible crash.
2534         
2535         The most sensible solution to this appears to be to make sure that checkOffsetConsistency() is
2536         aware of its uselessness to the concurrent JIT thread. This change makes it return early if
2537         it's in the concurrent JIT.
2538         
2539         * runtime/StructureInlines.h:
2540         (JSC::Structure::checkOffsetConsistency):
2541
2542 2013-10-18  Daniel Bates  <dabates@apple.com>
2543
2544         Add SPI to disable the garbage collector timer
2545         https://bugs.webkit.org/show_bug.cgi?id=122921
2546
2547         Add null check to Heap::setGarbageCollectionTimerEnabled() that I inadvertently
2548         omitted.
2549
2550         * heap/Heap.cpp:
2551         (JSC::Heap::setGarbageCollectionTimerEnabled):
2552
2553 2013-10-18  Julien Brianceau  <jbriance@cisco.com>
2554
2555         Group 64-bit specific and 32-bit specific callOperation implementations.
2556         https://bugs.webkit.org/show_bug.cgi?id=123024
2557
2558         Reviewed by Michael Saboff.
2559
2560         This is not a big deal, but could be less confusing when reading the code.
2561
2562         * jit/JITInlines.h:
2563         (JSC::JIT::callOperation):
2564         (JSC::JIT::callOperationWithCallFrameRollbackOnException):
2565         (JSC::JIT::callOperationNoExceptionCheck):
2566
2567 2013-10-18  Nadav Rotem  <nrotem@apple.com>
2568
2569         Fix a FlushLiveness problem.
2570         https://bugs.webkit.org/show_bug.cgi?id=122984
2571
2572         Reviewed by Filip Pizlo.
2573
2574         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
2575         (JSC::DFG::FlushLivenessAnalysisPhase::process):
2576
2577 2013-10-18  Michael Saboff  <msaboff@apple.com>
2578
2579         Change native function call stubs to use JIT operations instead of ctiVMHandleException
2580         https://bugs.webkit.org/show_bug.cgi?id=122982
2581
2582         Reviewed by Geoffrey Garen.
2583
2584         Change ctiVMHandleException to operationVMHandleException.  Change all exception operations to
2585         return the catch callFrame and entryPC via vm.callFrameForThrow and vm.targetMachinePCForThrow.
2586         This removed calling convention headaches, fixing https://bugs.webkit.org/show_bug.cgi?id=122980
2587         in the process.
2588
2589         * dfg/DFGJITCompiler.cpp:
2590         (JSC::DFG::JITCompiler::compileExceptionHandlers):
2591         * jit/CCallHelpers.h:
2592         (JSC::CCallHelpers::jumpToExceptionHandler):
2593         * jit/JIT.cpp:
2594         (JSC::JIT::privateCompileExceptionHandlers):
2595         * jit/JIT.h:
2596         * jit/JITExceptions.cpp:
2597         (JSC::genericUnwind):
2598         * jit/JITExceptions.h:
2599         * jit/JITInlines.h:
2600         (JSC::JIT::callOperationNoExceptionCheck):
2601         * jit/JITOpcodes.cpp:
2602         (JSC::JIT::emit_op_throw):
2603         * jit/JITOpcodes32_64.cpp:
2604         (JSC::JIT::privateCompileCTINativeCall):
2605         (JSC::JIT::emit_op_throw):
2606         * jit/JITOperations.cpp:
2607         * jit/JITOperations.h:
2608         * jit/JITStubs.cpp:
2609         * jit/JITStubs.h:
2610         * jit/JITStubsARM.h:
2611         * jit/JITStubsARM64.h:
2612         * jit/JITStubsARMv7.h:
2613         * jit/JITStubsMIPS.h:
2614         * jit/JITStubsMSVC64.asm:
2615         * jit/JITStubsSH4.h:
2616         * jit/JITStubsX86.h:
2617         * jit/JITStubsX86_64.h:
2618         * jit/Repatch.cpp:
2619         (JSC::tryBuildGetByIDList):
2620         * jit/SlowPathCall.h:
2621         (JSC::JITSlowPathCall::call):
2622         * jit/ThunkGenerators.cpp:
2623         (JSC::throwExceptionFromCallSlowPathGenerator):
2624         (JSC::nativeForGenerator):
2625         * runtime/VM.h:
2626         (JSC::VM::callFrameForThrowOffset):
2627         (JSC::VM::targetMachinePCForThrowOffset):
2628
2629 2013-10-18  Julien Brianceau  <jbriance@cisco.com>
2630
2631         Fix J_JITOperation_EAapJ call for MIPS and ARM EABI.
2632         https://bugs.webkit.org/show_bug.cgi?id=123023
2633
2634         Reviewed by Michael Saboff.
2635
2636         * jit/JITInlines.h:
2637         (JSC::JIT::callOperation): EncodedJSValue parameter does not need alignment
2638         using EABI_32BIT_DUMMY_ARG here.
2639
2640 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
2641
2642         Unreviewed, another ARM64 build fix.
2643         
2644         Get rid of andPtr(TrustedImmPtr, blah), since it would take Effort to get it to work
2645         on ARM64 and none of its uses are legit - they should all be using
2646         andPtr(TrustedImm32, blah) anyway.
2647
2648         * assembler/MacroAssembler.h:
2649         * assembler/MacroAssemblerARM64.h:
2650         * dfg/DFGJITCompiler.cpp:
2651         (JSC::DFG::JITCompiler::compileExceptionHandlers):
2652         * jit/JIT.cpp:
2653         (JSC::JIT::privateCompileExceptionHandlers):
2654
2655 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
2656
2657         Unreviewed, speculative ARM64 build fix.
2658         
2659         move(ImmPtr, blah) is only available in MacroAssembler since that's where blinding is
2660         implemented. So, you have to use TrustedImmPtr in the superclasses.
2661
2662         * assembler/MacroAssemblerARM64.h:
2663         (JSC::MacroAssemblerARM64::store8):
2664         (JSC::MacroAssemblerARM64::branchTest8):
2665
2666 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
2667
2668         Unreviewed, speculative ARM build fix.
2669         https://bugs.webkit.org/show_bug.cgi?id=122890
2670         <rdar://problem/15258624>
2671
2672         * assembler/ARM64Assembler.h:
2673         (JSC::ARM64Assembler::firstRegister):
2674         (JSC::ARM64Assembler::lastRegister):
2675         (JSC::ARM64Assembler::firstFPRegister):
2676         (JSC::ARM64Assembler::lastFPRegister):
2677         * assembler/MacroAssemblerARM64.h:
2678         * assembler/MacroAssemblerARMv7.h:
2679
2680 2013-10-17  Andreas Kling  <akling@apple.com>
2681
2682         Pass VM instead of JSGlobalObject to JSONObject constructor.
2683         <https://webkit.org/b/122999>
2684
2685         JSONObject was only using the JSGlobalObject to grab at the VM.
2686         Dodge a few loads by passing the VM directly instead.
2687
2688         Reviewed by Geoffrey Garen.
2689
2690         * runtime/JSONObject.cpp:
2691         (JSC::JSONObject::JSONObject):
2692         (JSC::JSONObject::finishCreation):
2693         * runtime/JSONObject.h:
2694         (JSC::JSONObject::create):
2695
2696 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2697
2698         Removed the JITStackFrame struct
2699         https://bugs.webkit.org/show_bug.cgi?id=123001
2700
2701         Reviewed by Anders Carlsson.
2702
2703         * jit/JITStubs.h: JITStackFrame and JITStubArg are unused now, since all
2704         our helper functions obey the C function call ABI.
2705
2706 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2707
2708         Removed an unused #define
2709         https://bugs.webkit.org/show_bug.cgi?id=123000
2710
2711         Reviewed by Anders Carlsson.
2712
2713         * jit/JITStubs.h: Removed the concept of JITSTACKFRAME_ARGS_INDEX,
2714         since it is unused now. This is a step toward using the C stack.
2715
2716 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2717
2718         Eliminate uses of JITSTACKFRAME_ARGS_INDEX as scratch area for thunks
2719         https://bugs.webkit.org/show_bug.cgi?id=122973
2720
2721         Reviewed by Michael Saboff.
2722
2723         * jit/ThunkGenerators.cpp:
2724         (JSC::throwExceptionFromCallSlowPathGenerator): This was all dead code,
2725         so I removed it.
2726
2727         The code acted as if it needed to pass an argument to
2728         lookupExceptionHandler, and as if it passed that argument to itself
2729         through JITStackFrame. However, lookupExceptionHandler does not take
2730         an argument (other than the default ExecState argument), and the code
2731         did not initialize the thing that it thought it passed to itself!
2732
2733 2013-10-17  Alex Christensen  <achristensen@webkit.org>
2734
2735         Run JavaScriptCore tests again on Windows.
2736         https://bugs.webkit.org/show_bug.cgi?id=122787
2737
2738         Reviewed by Tim Horton.
2739
2740         * JavaScriptCore.vcxproj/JavaScriptCore.sln: Added.
2741         * jit/JITStubsMSVC64.asm: Removed reference to cti_vm_throw unused since r157581.
2742
2743 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2744
2745         Removed restoreArgumentReference (another use of JITStackFrame)
2746         https://bugs.webkit.org/show_bug.cgi?id=122997
2747
2748         Reviewed by Oliver Hunt.
2749
2750         * jit/JSInterfaceJIT.h: Removed an unused function. This is a step
2751         toward using the C stack.
2752
2753 2013-10-17  Oliver Hunt  <oliver@apple.com>
2754
2755         Remove JITStubCall.h
2756         https://bugs.webkit.org/show_bug.cgi?id=122991
2757
2758         Reviewed by Geoff Garen.
2759
2760         Happily this is no longer used.
2761
2762         * GNUmakefile.list.am:
2763         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2764         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2765         * JavaScriptCore.xcodeproj/project.pbxproj:
2766         * jit/JIT.cpp:
2767         * jit/JITArithmetic.cpp:
2768         * jit/JITArithmetic32_64.cpp:
2769         * jit/JITCall.cpp:
2770         * jit/JITCall32_64.cpp:
2771         * jit/JITOpcodes.cpp:
2772         * jit/JITOpcodes32_64.cpp:
2773         * jit/JITPropertyAccess.cpp:
2774         * jit/JITPropertyAccess32_64.cpp:
2775         * jit/JITStubCall.h: Removed.
2776
2777 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2778
2779         Removed a use of JITSTACKFRAME_ARGS_INDEX
2780         https://bugs.webkit.org/show_bug.cgi?id=122989
2781
2782         Reviewed by Oliver Hunt.
2783
2784         * jit/JITStubCall.h: Removed an unused function. This is one step closer
2785         to using the C stack.
2786
2787 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2788
2789         Change emit_op_catch to use another method to materialize VM
2790         https://bugs.webkit.org/show_bug.cgi?id=122977
2791
2792         Reviewed by Oliver Hunt.
2793
2794         * jit/JITOpcodes.cpp:
2795         (JSC::JIT::emit_op_catch):
2796         * jit/JITOpcodes32_64.cpp:
2797         (JSC::JIT::emit_op_catch): Use a constant. It removes our dependency
2798         on JITStackFrame. It is also faster and simpler.
2799
2800 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2801
2802         Eliminate emitGetJITStubArg() - dead code
2803         https://bugs.webkit.org/show_bug.cgi?id=122975
2804
2805         Reviewed by Anders Carlsson.
2806
2807         * jit/JIT.h:
2808         * jit/JITInlines.h: Removed unused, deprecated function.
2809
2810 2013-10-17  Mark Lam  <mark.lam@apple.com>
2811
2812         Eliminate all ASSERT references to OBJECT_OFFSETOF(struct JITStackFrame,...) in JITStubsXXX.h.
2813         https://bugs.webkit.org/show_bug.cgi?id=122979.
2814
2815         Reviewed by Michael Saboff.
2816
2817         * jit/JITStubs.cpp:
2818         * jit/JITStubs.h:
2819         * jit/JITStubsARM.h:
2820         * jit/JITStubsARM64.h:
2821         * jit/JITStubsARMv7.h:
2822         * jit/JITStubsMIPS.h:
2823         * jit/JITStubsSH4.h:
2824         * jit/JITStubsX86.h:
2825         * jit/JITStubsX86_64.h:
2826         * runtime/VM.cpp:
2827         (JSC::VM::VM):
2828
2829 2013-10-17  Michael Saboff  <msaboff@apple.com>
2830
2831         Remove saving callFrameRegister to JITStackFrame in JITCompiler::compileFunction()
2832         https://bugs.webkit.org/show_bug.cgi?id=122974
2833
2834         Reviewed by Geoffrey Garen.
2835
2836         Eliminated unneeded storing to JITStackFrame.
2837
2838         * dfg/DFGJITCompiler.cpp:
2839         (JSC::DFG::JITCompiler::compileFunction):
2840
2841 2013-10-17  Michael Saboff  <msaboff@apple.com>
2842
2843         Transition cti_op_throw and cti_vm_throw to a JIT operation
2844         https://bugs.webkit.org/show_bug.cgi?id=122931
2845
2846         Reviewed by Filip Pizlo.
2847
2848         Moved cti_op_throw to operationThrow.  Made the caller responsible for jumping to the
2849         catch handler.  Eliminated cti_op_throw_static_error, cti_vm_throw, ctiVMThrowTrampoline()
2850         and their callers as it is now dead code.  There is some work needed on the Microsoft X86
2851         callOperation to handle the need to provide space for structure return value.
2852
2853         * jit/JIT.h:
2854         * jit/JITInlines.h:
2855         (JSC::JIT::callOperation):
2856         * jit/JITOpcodes.cpp:
2857         (JSC::JIT::emit_op_throw):
2858         * jit/JITOpcodes32_64.cpp:
2859         (JSC::JIT::emit_op_throw):
2860         (JSC::JIT::emit_op_catch):
2861         * jit/JITOperations.cpp:
2862         * jit/JITOperations.h:
2863         * jit/JITStubs.cpp:
2864         * jit/JITStubs.h:
2865         * jit/JITStubsARM.h:
2866         * jit/JITStubsARM64.h:
2867         * jit/JITStubsARMv7.h:
2868         * jit/JITStubsMIPS.h:
2869         * jit/JITStubsMSVC64.asm:
2870         * jit/JITStubsSH4.h:
2871         * jit/JITStubsX86.h:
2872         * jit/JITStubsX86_64.h:
2873         * jit/JSInterfaceJIT.h:
2874
2875 2013-10-17  Mark Lam  <mark.lam@apple.com>
2876
2877         Remove JITStackFrame references in the C Loop LLINT.
2878         https://bugs.webkit.org/show_bug.cgi?id=122950.
2879
2880         Reviewed by Michael Saboff.
2881
2882         * jit/JITStubs.h:
2883         * llint/LowLevelInterpreter.cpp:
2884         (JSC::CLoop::execute):
2885         * offlineasm/cloop.rb:
2886
2887 2013-10-17  Mark Lam  <mark.lam@apple.com>
2888
2889         Remove JITStackFrame references in JIT probes.
2890         https://bugs.webkit.org/show_bug.cgi?id=122947.
2891
2892         Reviewed by Michael Saboff.
2893
2894         * assembler/MacroAssemblerARM.cpp:
2895         (JSC::MacroAssemblerARM::ProbeContext::dump):
2896         * assembler/MacroAssemblerARM.h:
2897         * assembler/MacroAssemblerARMv7.cpp:
2898         (JSC::MacroAssemblerARMv7::ProbeContext::dump):
2899         * assembler/MacroAssemblerARMv7.h:
2900         * assembler/MacroAssemblerX86Common.cpp:
2901         (JSC::MacroAssemblerX86Common::ProbeContext::dump):
2902         * assembler/MacroAssemblerX86Common.h:
2903         * jit/JITStubsARM.h:
2904         * jit/JITStubsARMv7.h:
2905         * jit/JITStubsX86.h:
2906         * jit/JITStubsX86Common.h:
2907         * jit/JITStubsX86_64.h:
2908
2909 2013-10-17  Julien Brianceau  <jbriance@cisco.com>
2910
2911         Fix build when NUMBER_OF_ARGUMENT_REGISTERS == 4.
2912         https://bugs.webkit.org/show_bug.cgi?id=122949
2913
2914         Reviewed by Andreas Kling.
2915
2916         * jit/CCallHelpers.h:
2917         (JSC::CCallHelpers::setupArgumentsWithExecState):
2918
2919 2013-10-16  Mark Lam  <mark.lam@apple.com>
2920
2921         Transition remaining op_get* JITStubs to JIT operations.
2922         https://bugs.webkit.org/show_bug.cgi?id=122925.
2923
2924         Reviewed by Geoffrey Garen.
2925
2926         Transitioning:
2927             cti_op_get_by_id_generic
2928             cti_op_get_by_val
2929             cti_op_get_by_val_generic
2930             cti_op_get_by_val_string
2931
2932         * dfg/DFGOperations.cpp:
2933         * dfg/DFGOperations.h:
2934         * jit/JIT.h:
2935         * jit/JITInlines.h:
2936         (JSC::JIT::callOperation):
2937         * jit/JITOpcodes.cpp:
2938         (JSC::JIT::emitSlow_op_get_arguments_length):
2939         (JSC::JIT::emitSlow_op_get_argument_by_val):
2940         * jit/JITOpcodes32_64.cpp:
2941         (JSC::JIT::emitSlow_op_get_arguments_length):
2942         (JSC::JIT::emitSlow_op_get_argument_by_val):
2943         * jit/JITOperations.cpp:
2944         * jit/JITOperations.h:
2945         * jit/JITPropertyAccess.cpp:
2946         (JSC::JIT::emitSlow_op_get_by_val):
2947         (JSC::JIT::emitSlow_op_get_by_pname):
2948         (JSC::JIT::privateCompileGetByVal):
2949         * jit/JITPropertyAccess32_64.cpp:
2950         (JSC::JIT::emitSlow_op_get_by_val):
2951         (JSC::JIT::emitSlow_op_get_by_pname):
2952         * jit/JITStubs.cpp:
2953         * jit/JITStubs.h:
2954         * runtime/Executable.cpp:
2955         (JSC::setupLLInt): Added some UNUSED_PARAMs to fix the no LLINT build.
2956         * runtime/Options.cpp:
2957         (JSC::Options::initialize):
2958
2959 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2960
2961         Introduce WTF::Bag and start using it for InlineCallFrameSet
2962         https://bugs.webkit.org/show_bug.cgi?id=122941
2963
2964         Reviewed by Geoffrey Garen.
2965         
2966         Use Bag for InlineCallFrameSet. If this works out then I'll make other
2967         SegmentedVectors into Bags as well.
2968
2969         * bytecode/InlineCallFrameSet.cpp:
2970         (JSC::InlineCallFrameSet::add):
2971         * bytecode/InlineCallFrameSet.h:
2972         (JSC::InlineCallFrameSet::begin):
2973         (JSC::InlineCallFrameSet::end):
2974         * dfg/DFGArgumentsSimplificationPhase.cpp:
2975         (JSC::DFG::ArgumentsSimplificationPhase::run):
2976         * dfg/DFGJITCompiler.cpp:
2977         (JSC::DFG::JITCompiler::link):
2978         * dfg/DFGStackLayoutPhase.cpp:
2979         (JSC::DFG::StackLayoutPhase::run):
2980         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
2981         (JSC::DFG::VirtualRegisterAllocationPhase::run):
2982
2983 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2984
2985         libllvmForJSC shouldn't call exit(1) on report_fatal_error()
2986         https://bugs.webkit.org/show_bug.cgi?id=122905
2987         <rdar://problem/15237856>
2988
2989         Reviewed by Michael Saboff.
2990         
2991         Expose the new LLVMInstallFatalErrorHandler() API through the soft linking magic and
2992         then always call it to install something that calls CRASH().
2993
2994         * llvm/InitializeLLVM.cpp:
2995         (JSC::llvmCrash):
2996         (JSC::initializeLLVMOnce):
2997         (JSC::initializeLLVM):
2998         * llvm/LLVMAPIFunctions.h:
2999
3000 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
3001
3002         Prototype chain repatching in the polymorphic case fails to check if the receiver is a dictionary
3003         https://bugs.webkit.org/show_bug.cgi?id=122938
3004
3005         Reviewed by Sam Weinig.
3006         
3007         This fixes jsc-layout-tests.yaml/js/script-tests/dictionary-prototype-caching.js.layout-no-llint.
3008
3009         * jit/Repatch.cpp:
3010         (JSC::tryBuildGetByIDList):
3011
3012 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
3013
3014         JIT::appendCall() needs to killLastResultRegister() or equivalent since there's some really bad code that expects it
3015         https://bugs.webkit.org/show_bug.cgi?id=122937
3016
3017         Reviewed by Geoffrey Garen.
3018         
3019         JITStubCall used to do it.
3020         
3021         This makes mozilla-tests.yaml/ecma/Statements/12.10-1.js.mozilla-baseline pass.
3022
3023         * jit/JIT.h:
3024         (JSC::JIT::appendCall):
3025
3026 2013-10-16  Michael Saboff  <msaboff@apple.com>
3027
3028         Transition void cti_op_put_by_val* stubs to JIT operations
3029         https://bugs.webkit.org/show_bug.cgi?id=122903
3030
3031         Reviewed by Geoffrey Garen.
3032
3033         Transitioned cti_op_put_by_val and cti_op_put_by_val_generic to operationPutByVal and
3034         operationPutByValGeneric.
3035
3036         * jit/CCallHelpers.h:
3037         (JSC::CCallHelpers::setupArgumentsWithExecState):
3038         * jit/JIT.h:
3039         * jit/JITInlines.h:
3040         (JSC::JIT::callOperation):
3041         * jit/JITOperations.cpp:
3042         * jit/JITOperations.h:
3043         * jit/JITPropertyAccess.cpp:
3044         (JSC::JIT::emitSlow_op_put_by_val):
3045         (JSC::JIT::privateCompilePutByVal):
3046         * jit/JITPropertyAccess32_64.cpp:
3047         (JSC::JIT::emitSlow_op_put_by_val):
3048         * jit/JITStubs.cpp:
3049         * jit/JITStubs.h:
3050         * jit/JSInterfaceJIT.h:
3051
3052 2013-10-16  Oliver Hunt  <oliver@apple.com>
3053
3054         Implement ES6 spread operator
3055         https://bugs.webkit.org/show_bug.cgi?id=122911
3056
3057         Reviewed by Michael Saboff.
3058
3059         Implement the ES6 spread operator
3060
3061         This has a little bit of refactoring to move the enumeration logic out of ForOfNode
3062         and into BytecodeGenerator, and then adds the logic to make it nicely callback
3063         driven.
3064
3065         The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
3066         and actually handling the spread.
3067
3068         * bytecompiler/BytecodeGenerator.cpp:
3069         (JSC::BytecodeGenerator::emitNewArray):
3070         (JSC::BytecodeGenerator::emitCall):
3071         (JSC::BytecodeGenerator::emitEnumeration):
3072         * bytecompiler/BytecodeGenerator.h:
3073         * bytecompiler/NodesCodegen.cpp:
3074         (JSC::ArrayNode::emitBytecode):
3075         (JSC::ForOfNode::emitBytecode):
3076         (JSC::SpreadExpressionNode::emitBytecode):
3077         * parser/ASTBuilder.h:
3078         (JSC::ASTBuilder::createSpreadExpression):
3079         * parser/Lexer.cpp:
3080         (JSC::::lex):
3081         * parser/NodeConstructors.h:
3082         (JSC::SpreadExpressionNode::SpreadExpressionNode):
3083         * parser/Nodes.h:
3084         (JSC::ExpressionNode::isSpreadExpression):
3085         (JSC::SpreadExpressionNode::expression):
3086         * parser/Parser.cpp:
3087         (JSC::::parseArrayLiteral):
3088         (JSC::::parseArguments):
3089         (JSC::::parseMemberExpression):
3090         * parser/Parser.h:
3091         (JSC::Parser::getTokenName):
3092         (JSC::Parser::updateErrorMessageSpecialCase):
3093         * parser/ParserTokens.h:
3094         * parser/SyntaxChecker.h:
3095         (JSC::SyntaxChecker::createSpreadExpression):
3096
3097 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
3098
3099         Add a useLLInt option to jsc
3100         https://bugs.webkit.org/show_bug.cgi?id=122930
3101
3102         Reviewed by Geoffrey Garen.
3103
3104         * runtime/Executable.cpp:
3105         (JSC::setupLLInt):
3106         (JSC::setupJIT):
3107         (JSC::ScriptExecutable::prepareForExecutionImpl):
3108         * runtime/Options.h:
3109
3110 2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>
3111
3112         Build fix.
3113
3114         Forgot to svn add DeferGC.cpp
3115
3116         * heap/DeferGC.cpp: Added.
3117
3118 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
3119
3120         r157411 fails run-javascriptcore-tests when run with Baseline JIT
3121         https://bugs.webkit.org/show_bug.cgi?id=122902
3122
3123         Reviewed by Mark Hahnenberg.
3124         
3125         It turns out that this was a long-standing bug in the DFG PutById repatching logic. It's
3126         not legal to patch if the typeInfo tells you that you can't patch. The old JIT's patching
3127         logic did this right, and the DFG's GetById patching logic did it right; but DFG PutById
3128         didn't. Turns out that there's even a helpful method,
3129         Structure::propertyAccessesAreCacheable(), that will even do all of the checks for you!
3130
3131         * jit/Repatch.cpp:
3132         (JSC::tryCachePutByID):
3133
3134 2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>
3135
3136         llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
3137         https://bugs.webkit.org/show_bug.cgi?id=122667
3138
3139         Reviewed by Geoffrey Garen.
3140
3141         The issue this patch is attempting to fix is that there are places in our codebase
3142         where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
3143         operations that can initiate a garbage collection. Garbage collection then calls 
3144         some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
3145         always necessarily run during garbage collection). This causes a deadlock.
3146  
3147         To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores 
3148         into a thread-local field that indicates that it is unsafe to perform any operation 
3149         that could trigger garbage collection on the current thread. In debug builds, 
3150         ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly 
3151         detect deadlocks.
3152  
3153         This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
3154         which uses the DeferGC mechanism to prevent collections from occurring while the 
3155         lock is held.
3156
3157         * CMakeLists.txt:
3158         * GNUmakefile.list.am:
3159         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3160         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3161         * JavaScriptCore.xcodeproj/project.pbxproj:
3162         * heap/DeferGC.h:
3163         (JSC::DisallowGC::DisallowGC):
3164         (JSC::DisallowGC::~DisallowGC):
3165         (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
3166         (JSC::DisallowGC::initialize):
3167         * jit/Repatch.cpp:
3168         (JSC::repatchPutByID):
3169         (JSC::buildPutByIdList):
3170         * llint/LLIntSlowPaths.cpp:
3171         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3172         * runtime/ConcurrentJITLock.h:
3173         (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
3174         (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
3175         (JSC::ConcurrentJITLockerBase::unlockEarly):
3176         (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
3177         (JSC::GCSafeConcurrentJITLocker::~GCSafeConcurrentJITLocker):
3178         (JSC::GCSafeConcurrentJITLocker::NoDefer::NoDefer):
3179         (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
3180         * runtime/InitializeThreading.cpp:
3181         (JSC::initializeThreadingOnce):
3182         * runtime/JSCellInlines.h:
3183         (JSC::allocateCell):
3184         * runtime/JSSymbolTableObject.h:
3185         (JSC::symbolTablePut):
3186         * runtime/Structure.cpp: materializePropertyMapIfNecessary* now has a problem in that it
3187         can start a garbage collection when the GCSafeConcurrentJITLocker goes out of scope, but 
3188         before the caller has a chance to use the newly created PropertyTable. The garbage collection
3189         clears the PropertyTable, and then the caller uses it assuming it's valid. To avoid this,
3190         we must DeferGC until the caller is done getting the newly materialized PropertyTable from 
3191         the Structure.
3192         (JSC::Structure::materializePropertyMap):
3193         (JSC::Structure::despecifyDictionaryFunction):
3194         (JSC::Structure::changePrototypeTransition):
3195         (JSC::Structure::despecifyFunctionTransition):
3196         (JSC::Structure::attributeChangeTransition):
3197         (JSC::Structure::toDictionaryTransition):
3198         (JSC::Structure::preventExtensionsTransition):
3199         (JSC::Structure::takePropertyTableOrCloneIfPinned):
3200         (JSC::Structure::isSealed):
3201         (JSC::Structure::isFrozen):
3202         (JSC::Structure::addPropertyWithoutTransition):
3203         (JSC::Structure::removePropertyWithoutTransition):
3204         (JSC::Structure::get):
3205         (JSC::Structure::despecifyFunction):
3206         (JSC::Structure::despecifyAllFunctions):
3207         (JSC::Structure::putSpecificValue):
3208         (JSC::Structure::createPropertyMap):
3209         (JSC::Structure::getPropertyNamesFromStructure):
3210         * runtime/Structure.h:
3211         (JSC::Structure::materializePropertyMapIfNecessary):
3212         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
3213         * runtime/StructureInlines.h:
3214         (JSC::Structure::get):
3215         * runtime/SymbolTable.h:
3216         (JSC::SymbolTable::find):
3217         (JSC::SymbolTable::end):
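
Added example, not JavaScriptCore code: a scaled-down C++ model of the DisallowGC / DeferGC scheme this entry describes, including the materializePropertyMapIfNecessary hazard noted under runtime/Structure.cpp. All class and function names are simplified stand-ins for the JSC ones; std::mutex stands in for ConcurrentJITLock, a std::vector<int> for the PropertyTable, and the allocation path is reduced to the GC check it performs.

```cpp
#include <memory>
#include <mutex>
#include <vector>
namespace model {
// Per-thread depth counters (JSC keeps the DisallowGC flag in a thread-specific slot).
inline unsigned& disallowDepth() { thread_local unsigned d = 0; return d; }
inline unsigned& deferDepth() { thread_local unsigned d = 0; return d; }

// DisallowGC: while one is live, any attempt to collect on this thread is a bug.
struct DisallowGC {
    DisallowGC() { ++disallowDepth(); }
    ~DisallowGC() { --disallowDepth(); }
    static bool isGCDisallowedOnCurrentThread() { return disallowDepth() > 0; }
};

enum class GCOutcome { Collected, Deferred, DisallowedWouldDeadlock };
// Stand-in for JSC::Structure: its ConcurrentJITLock plus a lazily built, unpinned property table.
struct Structure { std::mutex lock; std::unique_ptr<std::vector<int>> propertyTable; };

class Heap {
public:
    void addStructure(Structure* s) { m_structures.push_back(s); }
    unsigned collections() const { return m_collections; }
    // The check every allocation goes through (JSC: allocateCell).
    GCOutcome collectIfNecessary() {
        if (DisallowGC::isGCDisallowedOnCurrentThread())
            return GCOutcome::DisallowedWouldDeadlock;   // JSC: ASSERT fires here in debug builds
        if (deferDepth() > 0) {
            m_collectionRequested = true;
            return GCOutcome::Deferred;
        }
        collect();
        return GCOutcome::Collected;
    }
    void collectIfRequested() { if (m_collectionRequested) collect(); }
private:
    // Takes every Structure's non-recursive lock: held by the allocating thread, this is the deadlock.
    void collect() {
        for (Structure* s : m_structures) {
            std::lock_guard<std::mutex> guard(s->lock);
            s->propertyTable.reset();                    // unpinned tables are discarded by GC
        }
        ++m_collections;
        m_collectionRequested = false;
    }
    std::vector<Structure*> m_structures;
    unsigned m_collections = 0;
    bool m_collectionRequested = false;
};

// DeferGC: postpones collections; the last one to go out of scope runs the postponed collection.
struct DeferGC {
    explicit DeferGC(Heap& heap) : m_heap(heap) { ++deferDepth(); }
    ~DeferGC() { if (--deferDepth() == 0) m_heap.collectIfRequested(); }
    Heap& m_heap;
};

// ConcurrentJITLocker: the lock plus a DisallowGC (debug-only in JSC, unconditional here).
class ConcurrentJITLocker {
public:
    explicit ConcurrentJITLocker(std::mutex& lock) : m_guard(lock) {}
private:
    std::lock_guard<std::mutex> m_guard;
    DisallowGC m_disallowGC;
};

// GCSafeConcurrentJITLocker: defers collection for as long as the lock is held.
class GCSafeConcurrentJITLocker {
public:
    GCSafeConcurrentJITLocker(Heap& heap, std::mutex& lock) : m_deferGC(heap), m_guard(lock) {}
private:
    DeferGC m_deferGC;                    // first: deferred before locking, released after unlocking
    std::lock_guard<std::mutex> m_guard;
};

// Case 1: an allocation under the plain locker is flagged rather than deadlocked.
inline GCOutcome allocateUnderJITLock(Heap& heap, Structure& s) {
    ConcurrentJITLocker locker(s.lock);
    return heap.collectIfNecessary();
}

// Case 2: under the GC-safe locker the collection waits until the lock is released.
inline GCOutcome allocateUnderGCSafeLock(Heap& heap, Structure& s) {
    GCSafeConcurrentJITLocker locker(heap, s.lock);
    return heap.collectIfNecessary();
}

// Case 3: materializePropertyMapIfNecessary. Unless the caller holds its own DeferGC, the
// collection postponed by the locker runs as soon as the locker is destroyed and clears the table.
inline bool materializeAndUse(Heap& heap, Structure& s, bool callerDefersGC) {
    std::unique_ptr<DeferGC> outer(callerDefersGC ? new DeferGC(heap) : nullptr);
    {
        GCSafeConcurrentJITLocker locker(heap, s.lock);
        s.propertyTable.reset(new std::vector<int>{1, 2, 3});
        heap.collectIfNecessary();        // some allocation while building the table
    }                                     // locker destroyed: a collection may run here
    return s.propertyTable != nullptr;    // the caller now reads the freshly built table
}
} // namespace model
```

Without the DisallowGC member, case 1 would block forever inside collect() on the mutex its own thread holds; with it, the allocation is reported at the call site, which is the eager detection the entry describes.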
3218
3219 2013-10-16  Daniel Bates  <dabates@apple.com>
3220
3221         Add SPI to disable the garbage collector timer
3222         https://bugs.webkit.org/show_bug.cgi?id=122921
3223
3224         Reviewed by Geoffrey Garen.
3225
3226         Based on a patch by Mark Hahnenberg.
3227
3228         * API/JSBase.cpp:
3229         (JSDisableGCTimer): Added; SPI function.
3230         * API/JSBasePrivate.h:
3231         * heap/BlockAllocator.cpp:
3232         (JSC::createBlockFreeingThread): Added.
3233         (JSC::BlockAllocator::BlockAllocator): Modified to use JSC::createBlockFreeingThread()
3234         to conditionally create the "block freeing" thread depending on the value of
3235         GCActivityCallback::s_shouldCreateGCTimer.
3236         (JSC::BlockAllocator::~BlockAllocator):
3237         * heap/BlockAllocator.h:
3238         (JSC::BlockAllocator::deallocate):
3239         * heap/Heap.cpp:
3240         (JSC::Heap::didAbandon):
3241         (JSC::Heap::collect):
3242         (JSC::Heap::didAllocate):
3243         * heap/HeapTimer.cpp:
3244         (JSC::HeapTimer::timerDidFire):
3245         * runtime/GCActivityCallback.cpp:
3246         * runtime/GCActivityCallback.h:
3247         (JSC::DefaultGCActivityCallback::create): Only instantiate a DefaultGCActivityCallback object
3248         when GCActivityCallback::s_shouldCreateGCTimer is true so as to prevent allocating a HeapTimer
3249         object (since DefaultGCActivityCallback ultimately extends HeapTimer).
3250
3251 2013-10-16  Commit Queue  <commit-queue@webkit.org>
3252
3253         Unreviewed, rolling out r157529.
3254         http://trac.webkit.org/changeset/157529
3255         https://bugs.webkit.org/show_bug.cgi?id=122919
3256
3257         Caused score test failures and some build failures. (Requested
3258         by rfong on #webkit).
3259
3260         * bytecompiler/BytecodeGenerator.cpp:
3261         (JSC::BytecodeGenerator::emitNewArray):
3262         (JSC::BytecodeGenerator::emitCall):
3263         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
3264         * bytecompiler/BytecodeGenerator.h:
3265         * bytecompiler/NodesCodegen.cpp:
3266         (JSC::ArrayNode::emitBytecode):
3267         (JSC::CallArguments::CallArguments):
3268         (JSC::ForOfNode::emitBytecode):
3269         (JSC::BindingNode::collectBoundIdentifiers):
3270         * parser/ASTBuilder.h:
3271         * parser/Lexer.cpp:
3272         (JSC::::lex):
3273         * parser/NodeConstructors.h:
3274         (JSC::DotAccessorNode::DotAccessorNode):
3275         * parser/Nodes.h:
3276         * parser/Parser.cpp:
3277         (JSC::::parseArrayLiteral):
3278         (JSC::::parseArguments):
3279         (JSC::::parseMemberExpression):
3280         * parser/Parser.h:
3281         (JSC::Parser::getTokenName):
3282         (JSC::Parser::updateErrorMessageSpecialCase):
3283         * parser/ParserTokens.h:
3284         * parser/SyntaxChecker.h:
3285
3286 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
3287
3288         Remove useless architecture specific implementation in DFG.
3289         https://bugs.webkit.org/show_bug.cgi?id=122917.
3290
3291         Reviewed by Michael Saboff.
3292
3293         With CPU(ARM) && CPU(ARM_HARDFP) architecture, the fallback implementation is fine
3294         as FPRInfo::argumentFPR0 == FPRInfo::returnValueFPR in this case.
3295
3296         * dfg/DFGSpeculativeJIT.h:
3297
3298 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
3299
3300         Remove unused JIT::restoreArgumentReferenceForTrampoline function.
3301         https://bugs.webkit.org/show_bug.cgi?id=122916.
3302
3303         Reviewed by Michael Saboff.
3304
3305         This architecture specific function is not used anymore, so get rid of it.
3306
3307         * jit/JIT.h:
3308         * jit/JITInlines.h:
3309
3310 2013-10-16  Oliver Hunt  <oliver@apple.com>
3311
3312         Implement ES6 spread operator
3313         https://bugs.webkit.org/show_bug.cgi?id=122911
3314
3315         Reviewed by Michael Saboff.
3316
3317         Implement the ES6 spread operator
3318
3319         This has a little bit of refactoring to move the enumeration logic out of ForOfNode
3320         and into BytecodeGenerator, and then adds the logic to make it nicely callback
3321         driven.
3322
3323         The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
3324         and actually handling the spread.
3325
3326         * bytecompiler/BytecodeGenerator.cpp:
3327         (JSC::BytecodeGenerator::emitNewArray):
3328         (JSC::BytecodeGenerator::emitCall):
3329         (JSC::BytecodeGenerator::emitEnumeration):
3330         * bytecompiler/BytecodeGenerator.h:
3331         * bytecompiler/NodesCodegen.cpp:
3332         (JSC::ArrayNode::emitBytecode):
3333         (JSC::ForOfNode::emitBytecode):
3334         (JSC::SpreadExpressionNode::emitBytecode):
3335         * parser/ASTBuilder.h:
3336         (JSC::ASTBuilder::createSpreadExpression):
3337         * parser/Lexer.cpp:
3338         (JSC::::lex):
3339         * parser/NodeConstructors.h:
3340         (JSC::SpreadExpressionNode::SpreadExpressionNode):
3341         * parser/Nodes.h:
3342         (JSC::ExpressionNode::isSpreadExpression):
3343         (JSC::SpreadExpressionNode::expression):
3344         * parser/Parser.cpp:
3345         (JSC::::parseArrayLiteral):
3346         (JSC::::parseArguments):
3347         (JSC::::parseMemberExpression):
3348         * parser/Parser.h:
3349         (JSC::Parser::getTokenName):
3350         (JSC::Parser::updateErrorMessageSpecialCase):
3351         * parser/ParserTokens.h:
3352         * parser/SyntaxChecker.h:
3353         (JSC::SyntaxChecker::createSpreadExpression):
3354
3355 2013-10-16  Mark Lam  <mark.lam@apple.com>
3356
3357         Transition void cti_op_tear_off* methods to JIT operations for 32 bit.
3358         https://bugs.webkit.org/show_bug.cgi?id=122899.
3359
3360         Reviewed by Michael Saboff.
3361
3362         * jit/JITOpcodes32_64.cpp:
3363         (JSC::JIT::emit_op_tear_off_activation):
3364         (JSC::JIT::emit_op_tear_off_arguments):
3365         * jit/JITStubs.cpp:
3366         * jit/JITStubs.h:
3367
3368 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
3369
3370         Remove more of the UNINTERRUPTED_SEQUENCE thing
3371         https://bugs.webkit.org/show_bug.cgi?id=122885
3372
3373         Reviewed by Andreas Kling.
3374
3375         It was not completely removed by r157481, leading to build failure for sh4 architecture.
3376
3377         * jit/JIT.h:
3378         * jit/JITInlines.h:
3379
3380 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
3381
3382         Get rid of the StructureStubInfo::patch union
3383         https://bugs.webkit.org/show_bug.cgi?id=122877
3384
3385         Reviewed by Sam Weinig.
3386         
3387         Just simplifying code by getting rid of data structures that ain't used no more.
3388         
3389         Note that I replace the patch union with a patch struct. This means we say things like
3390         stubInfo.patch.valueGPR instead of stubInfo.valueGPR. I think that this extra
3391         encapsulation makes the code more readable: the patch struct contains just those things
3392         that you need to know to perform patching.
3393
3394         * bytecode/StructureStubInfo.h:
3395         * dfg/DFGJITCompiler.cpp:
3396         (JSC::DFG::JITCompiler::link):
3397         * jit/JIT.cpp:
3398         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
3399         * jit/Repatch.cpp:
3400         (JSC::repatchByIdSelfAccess):
3401         (JSC::replaceWithJump):
3402         (JSC::linkRestoreScratch):
3403         (JSC::generateProtoChainAccessStub):
3404         (JSC::tryCacheGetByID):
3405         (JSC::getPolymorphicStructureList):
3406         (JSC::patchJumpToGetByIdStub):
3407         (JSC::tryBuildGetByIDList):
3408         (JSC::emitPutReplaceStub):
3409         (JSC::emitPutTransitionStub):
3410         (JSC::tryCachePutByID):
3411         (JSC::tryBuildPutByIdList):
3412         (JSC::tryRepatchIn):
3413         (JSC::resetGetByID):
3414         (JSC::resetPutByID):
3415         (JSC::resetIn):
3416
3417 2013-10-15  Nadav Rotem  <nrotem@apple.com>
3418
3419         FTL: add support for Int52ToValue and fix putByVal of int52s.
3420         https://bugs.webkit.org/show_bug.cgi?id=122873
3421
3422         Reviewed by Filip Pizlo.
3423
3424         * ftl/FTLCapabilities.cpp:
3425         (JSC::FTL::canCompile):
3426         * ftl/FTLLowerDFGToLLVM.cpp:
3427         (JSC::FTL::LowerDFGToLLVM::compileNode):
3428         (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue):
3429         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
3430
3431 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
3432
3433         Get rid of the UNINTERRUPTED_SEQUENCE thing
3434         https://bugs.webkit.org/show_bug.cgi?id=122876
3435
3436         Reviewed by Mark Hahnenberg.
3437         
3438         It doesn't make sense anymore. We now use the DFG's IC logic, which never needed that.
3439         
3440         Moreover, we should resist the temptation to bring anything like this back. We don't
3441         want to have inline caches that only work if the assembler lays out code in a specific
3442         predetermined way.
3443
3444         * jit/JIT.h:
3445         * jit/JITCall.cpp:
3446         (JSC::JIT::compileOpCall):
3447         * jit/JITCall32_64.cpp:
3448         (JSC::JIT::compileOpCall):
3449
3450 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
3451
3452         Baseline JIT should use the DFG GetById IC
3453         https://bugs.webkit.org/show_bug.cgi?id=122861
3454
3455         Reviewed by Oliver Hunt.
3456         
3457         This mostly just kills a ton of code.
3458         
3459         Note that this doesn't yet do all of the simplifications that can be done, but it does
3460         kill dead code. I'll have another change to simplify StructureStubInfo's unions and such.
3461
3462         * bytecode/CodeBlock.cpp:
3463         (JSC::CodeBlock::resetStubInternal):
3464         * jit/JIT.cpp:
3465         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
3466         * jit/JIT.h:
3467         (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
3468         * jit/JITInlines.h:
3469         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
3470         (JSC::JIT::callOperation):
3471         * jit/JITPropertyAccess.cpp:
3472         (JSC::JIT::compileGetByIdHotPath):
3473         (JSC::JIT::emitSlow_op_get_by_id):
3474         (JSC::JIT::emitSlow_op_get_from_scope):
3475         * jit/JITPropertyAccess32_64.cpp:
3476         (JSC::JIT::compileGetByIdHotPath):
3477         (JSC::JIT::emitSlow_op_get_by_id):
3478         (JSC::JIT::emitSlow_op_get_from_scope):
3479         * jit/JITStubs.cpp:
3480         * jit/JITStubs.h:
3481         * jit/Repatch.cpp:
3482         (JSC::repatchGetByID):
3483         (JSC::buildGetByIDList):
3484         * jit/ThunkGenerators.cpp:
3485         * jit/ThunkGenerators.h:
3486
3487 2013-10-15  Dean Jackson  <dino@apple.com>
3488
3489         Add ENABLE_WEB_ANIMATIONS flag
3490         https://bugs.webkit.org/show_bug.cgi?id=122871
3491
3492         Reviewed by Tim Horton.
3493
3494         Eventually might be http://dev.w3.org/fxtf/web-animations/
3495         but this is just engine-internal work at the moment.
3496
3497         * Configurations/FeatureDefines.xcconfig:
3498
3499 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
3500
3501         [sh4] Some calls don't match sh4 ABI.
3502         https://bugs.webkit.org/show_bug.cgi?id=122863
3503
3504         Reviewed by Michael Saboff.
3505
3506         * dfg/DFGSpeculativeJIT.h:
3507         (JSC::DFG::SpeculativeJIT::callOperation):
3508         * jit/CCallHelpers.h:
3509         (JSC::CCallHelpers::setupArgumentsWithExecState):
3510         * jit/JITInlines.h:
3511         (JSC::JIT::callOperation):
3512
3513 2013-10-15  Daniel Bates  <dabates@apple.com>
3514
3515         [iOS] Upstream JavaScriptCore support for ARM64
3516         https://bugs.webkit.org/show_bug.cgi?id=122762
3517
3518         Reviewed by Oliver Hunt and Filip Pizlo.
3519
3520         * Configurations/Base.xcconfig:
3521         * Configurations/DebugRelease.xcconfig:
3522         * Configurations/JavaScriptCore.xcconfig:
3523         * Configurations/ToolExecutable.xcconfig:
3524         * JavaScriptCore.xcodeproj/project.pbxproj:
3525         * assembler/ARM64Assembler.h: Added.
3526         * assembler/AbstractMacroAssembler.h:
3527         (JSC::isARM64):
3528         (JSC::AbstractMacroAssembler::Label::Label):
3529         (JSC::AbstractMacroAssembler::Jump::Jump):
3530         (JSC::AbstractMacroAssembler::Jump::link):
3531         (JSC::AbstractMacroAssembler::Jump::linkTo):
3532         (JSC::AbstractMacroAssembler::CachedTempRegister::CachedTempRegister):
3533         (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDInvalidate):
3534         (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDNoInvalidate):
3535         (JSC::AbstractMacroAssembler::CachedTempRegister::value):
3536         (JSC::AbstractMacroAssembler::CachedTempRegister::setValue):
3537         (JSC::AbstractMacroAssembler::CachedTempRegister::invalidate):
3538         (JSC::AbstractMacroAssembler::invalidateAllTempRegisters):
3539         (JSC::AbstractMacroAssembler::isTempRegisterValid):
3540         (JSC::AbstractMacroAssembler::clearTempRegisterValid):
3541         (JSC::AbstractMacroAssembler::setTempRegisterValid):
3542         * assembler/LinkBuffer.cpp:
3543         (JSC::LinkBuffer::copyCompactAndLinkCode):
3544         (JSC::LinkBuffer::linkCode):
3545         * assembler/LinkBuffer.h:
3546         * assembler/MacroAssembler.h:
3547         (JSC::MacroAssembler::isPtrAlignedAddressOffset):
3548         (JSC::MacroAssembler::pushToSave):
3549         (JSC::MacroAssembler::popToRestore):
3550         (JSC::MacroAssembler::patchableBranchTest32):
3551         * assembler/MacroAssemblerARM64.h: Added.
3552         * assembler/MacroAssemblerARMv7.h:
3553         * dfg/DFGFixupPhase.cpp:
3554         (JSC::DFG::FixupPhase::fixupNode):
3555         * dfg/DFGOSRExitCompiler32_64.cpp:
3556         (JSC::DFG::OSRExitCompiler::compileExit):
3557         * dfg/DFGOSRExitCompiler64.cpp:
3558         (JSC::DFG::OSRExitCompiler::compileExit):
3559         * dfg/DFGSpeculativeJIT.cpp:
3560         (JSC::DFG::SpeculativeJIT::compileArithDiv):
3561         (JSC::DFG::SpeculativeJIT::compileArithMod):
3562         * disassembler/ARM64/A64DOpcode.cpp: Added.
3563         * disassembler/ARM64/A64DOpcode.h: Added.
3564         * disassembler/ARM64Disassembler.cpp: Added.
3565         * heap/MachineStackMarker.cpp:
3566         (JSC::getPlatformThreadRegisters):
3567         (JSC::otherThreadStackPointer):
3568         * heap/Region.h:
3569         * jit/AssemblyHelpers.h:
3570         (JSC::AssemblyHelpers::debugCall):
3571         * jit/CCallHelpers.h:
3572         * jit/ExecutableAllocator.h:
3573         * jit/FPRInfo.h:
3574         (JSC::FPRInfo::toRegister):
3575         (JSC::FPRInfo::toIndex):
3576         (JSC::FPRInfo::debugName):
3577         * jit/GPRInfo.h:
3578         (JSC::GPRInfo::toRegister):
3579         (JSC::GPRInfo::toIndex):
3580         (JSC::GPRInfo::debugName):
3581         * jit/JITInlines.h:
3582         (JSC::JIT::restoreArgumentReferenceForTrampoline):
3583         * jit/JITOperationWrappers.h:
3584         * jit/JITOperations.cpp:
3585         * jit/JITStubs.cpp:
3586         (JSC::performPlatformSpecificJITAssertions):
3587         (JSC::tryCachePutByID):
3588         * jit/JITStubs.h:
3589         (JSC::JITStackFrame::returnAddressSlot):
3590         * jit/JITStubsARM64.h: Added.
3591         * jit/JSInterfaceJIT.h:
3592         * jit/Repatch.cpp:
3593         (JSC::emitRestoreScratch):
3594         (JSC::generateProtoChainAccessStub):
3595         (JSC::tryCacheGetByID):
3596         (JSC::emitPutReplaceStub):
3597         (JSC::tryCachePutByID):
3598         (JSC::tryRepatchIn):
3599         * jit/ScratchRegisterAllocator.h:
3600         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
3601         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
3602         * jit/ThunkGenerators.cpp:
3603         (JSC::nativeForGenerator):
3604         (JSC::floorThunkGenerator):
3605         (JSC::ceilThunkGenerator):
3606         * jsc.cpp:
3607         (main):
3608         * llint/LLIntOfflineAsmConfig.h:
3609         * llint/LLIntSlowPaths.cpp:
3610         (JSC::LLInt::handleHostCall):
3611         * llint/LowLevelInterpreter.asm:
3612         * llint/LowLevelInterpreter64.asm:
3613         * offlineasm/arm.rb:
3614         * offlineasm/arm64.rb: Added.
3615         * offlineasm/backends.rb:
3616         * offlineasm/instructions.rb:
3617         * offlineasm/risc.rb:
3618         * offlineasm/transform.rb:
3619         * yarr/YarrJIT.cpp:
3620         (JSC::Yarr::YarrGenerator::alignCallFrameSizeInBytes):
3621         (JSC::Yarr::YarrGenerator::initCallFrame):
3622         (JSC::Yarr::YarrGenerator::removeCallFrame):
3623         (JSC::Yarr::YarrGenerator::generateEnter):
3624         * yarr/YarrJIT.h:
3625
3626 2013-10-15  Mark Lam  <mark.lam@apple.com>
3627
3628         Fix 3 operand sub operation in C loop LLINT.
3629         https://bugs.webkit.org/show_bug.cgi?id=122866.
3630
3631         Reviewed by Geoffrey Garen.
3632
3633         * offlineasm/cloop.rb:
3634
3635 2013-10-15  Mark Hahnenberg  <mhahnenberg@apple.com>
3636
3637         ObjCCallbackFunctionImpl shouldn't store a JSContext
3638         https://bugs.webkit.org/show_bug.cgi?id=122531
3639
3640         Reviewed by Geoffrey Garen.
3641
3642         The m_context field in ObjCCallbackFunctionImpl is vestigial and is only incidentally correct
3643         in the common case. It's also no longer necessary in that we can look up the current JSContext
3644         by using the globalObject of the callee when the function callback is invoked.
3645  
3646         Also added a new test that would cause us to crash previously. The test required making 
3647         JSContextGetGlobalContext public API so that clients can obtain a JSContext from the JSContextRef
3648         in C API callbacks.
3649
3650         * API/JSContextRef.h:
3651         * API/JSContextRefPrivate.h:
3652         * API/ObjCCallbackFunction.mm:
3653         (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
3654         (JSC::objCCallbackFunctionCallAsFunction):
3655         (objCCallbackFunctionForInvocation):
3656         * API/WebKitAvailability.h:
3657         * API/tests/CurrentThisInsideBlockGetterTest.h: Added.
3658         * API/tests/CurrentThisInsideBlockGetterTest.mm: Added.
3659         (CallAsConstructor):
3660         (ConstructorFinalize):
3661         (ConstructorClass):
3662         (+[JSValue valueWithConstructorDescriptor:inContext:]):
3663         (-[JSContext valueWithConstructorDescriptor:]):
3664         (currentThisInsideBlockGetterTest):
3665         * API/tests/testapi.mm:
3666         * JavaScriptCore.xcodeproj/project.pbxproj:
3667         * debugger/Debugger.cpp: Had to add some fully qualified names to avoid conflicts with Mac OS X headers.
3668
3669 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
3670
3671         Fix build after r157457 for architecture with 4 argument registers.
3672         https://bugs.webkit.org/show_bug.cgi?id=122860
3673
3674         Reviewed by Michael Saboff.
3675
3676         * jit/CCallHelpers.h:
3677         (JSC::CCallHelpers::setupStubArguments134):
3678
3679 2013-10-14  Michael Saboff  <msaboff@apple.com>
3680
3681         transition void cti_op_* methods to JIT operations.
3682         https://bugs.webkit.org/show_bug.cgi?id=122617
3683
3684         Reviewed by Geoffrey Garen.
3685
3686         Converted the following stubs to JIT operations:
3687             cti_handle_watchdog_timer
3688             cti_op_debug
3689             cti_op_pop_scope
3690             cti_op_profile_did_call
3691             cti_op_profile_will_call
3692             cti_op_put_by_index
3693             cti_op_put_getter_setter
3694             cti_op_tear_off_activation
3695             cti_op_tear_off_arguments
3696             cti_op_throw_static_error
3697             cti_optimize
3698
3699         * dfg/DFGOperations.cpp:
3700         * dfg/DFGOperations.h:
3701         * jit/CCallHelpers.h:
3702         (JSC::CCallHelpers::setupArgumentsWithExecState):
3703         (JSC::CCallHelpers::setupThreeStubArgsGPR):
3704         (JSC::CCallHelpers::setupStubArguments):
3705         (JSC::CCallHelpers::setupStubArguments134):
3706         * jit/JIT.cpp:
3707         (JSC::JIT::emitEnterOptimizationCheck):
3708         * jit/JIT.h:
3709         * jit/JITInlines.h:
3710         (JSC::JIT::callOperation):
3711         * jit/JITOpcodes.cpp:
3712         (JSC::JIT::emit_op_tear_off_activation):
3713         (JSC::JIT::emit_op_tear_off_arguments):
3714         (JSC::JIT::emit_op_push_with_scope):
3715         (JSC::JIT::emit_op_pop_scope):
3716         (JSC::JIT::emit_op_push_name_scope):
3717         (JSC::JIT::emit_op_throw_static_error):
3718         (JSC::JIT::emit_op_debug):
3719         (JSC::JIT::emit_op_profile_will_call):
3720         (JSC::JIT::emit_op_profile_did_call):
3721         (JSC::JIT::emitSlow_op_loop_hint):
3722         * jit/JITOpcodes32_64.cpp:
3723         (JSC::JIT::emit_op_push_with_scope):
3724         (JSC::JIT::emit_op_pop_scope):
3725         (JSC::JIT::emit_op_push_name_scope):
3726         (JSC::JIT::emit_op_throw_static_error):
3727         (JSC::JIT::emit_op_debug):
3728         (JSC::JIT::emit_op_profile_will_call):
3729         (JSC::JIT::emit_op_profile_did_call):
3730         * jit/JITOperations.cpp:
3731         * jit/JITOperations.h:
3732         * jit/JITPropertyAccess.cpp:
3733         (JSC::JIT::emit_op_put_by_index):
3734         (JSC::JIT::emit_op_put_getter_setter):
3735         * jit/JITPropertyAccess32_64.cpp:
3736         (JSC::JIT::emit_op_put_by_index):
3737         (JSC::JIT::emit_op_put_getter_setter):
3738         * jit/JITStubs.cpp:
3739         * jit/JITStubs.h:
3740
3741 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
3742
3743         [sh4] Introduce const pools in LLINT.
3744         https://bugs.webkit.org/show_bug.cgi?id=122746
3745
3746         Reviewed by Michael Saboff.
3747
3748         In the current implementation of LLINT for sh4, immediate values outside range -128..127 are
3749         loaded this way:
3750
3751             mov.l .label, rx
3752             bra out
3753             nop
3754             .balign 4
3755             .label: .long immvalue
3756             out:
3757
3758         This change introduces const pools for sh4 implementation to avoid lots of useless branches
3759         and reduce code size. It also removes lines of dirty code, like jmpf and callf.
3760
3761         * offlineasm/instructions.rb: Remove jmpf and callf sh4 specific instructions.
3762         * offlineasm/sh4.rb:
3763
3764 2013-10-15  Mark Lam  <mark.lam@apple.com>
3765
3766         Fix broken C Loop LLINT build.
3767         https://bugs.webkit.org/show_bug.cgi?id=122839.
3768
3769         Reviewed by Michael Saboff.
3770
3771         * dfg/DFGFlushedAt.cpp:
3772         * jit/JITOperations.h:
3773
3774 2013-10-14  Mark Lam  <mark.lam@apple.com>
3775
3776         Transition *switch* and *scope* JITStubs to JIT operations.
3777         https://bugs.webkit.org/show_bug.cgi?id=122757.
3778
3779         Reviewed by Geoffrey Garen.
3780
3781         Transitioning:
3782             cti_op_switch_char
3783             cti_op_switch_imm
3784             cti_op_switch_string
3785             cti_op_resolve_scope
3786             cti_op_get_from_scope
3787             cti_op_put_to_scope
3788
3789         * jit/JIT.h:
3790         * jit/JITInlines.h:
3791         (JSC::JIT::callOperation):
3792         * jit/JITOpcodes.cpp:
3793         (JSC::JIT::emit_op_switch_imm):
3794         (JSC::JIT::emit_op_switch_char):
3795         (JSC::JIT::emit_op_switch_string):
3796         * jit/JITOpcodes32_64.cpp:
3797         (JSC::JIT::emit_op_switch_imm):
3798         (JSC::JIT::emit_op_switch_char):
3799         (JSC::JIT::emit_op_switch_string):
3800         * jit/JITOperations.cpp:
3801         * jit/JITOperations.h:
3802         * jit/JITPropertyAccess.cpp:
3803         (JSC::JIT::emitSlow_op_resolve_scope):
3804         (JSC::JIT::emitSlow_op_get_from_scope):
3805         (JSC::JIT::emitSlow_op_put_to_scope):
3806         * jit/JITPropertyAccess32_64.cpp:
3807         (JSC::JIT::emitSlow_op_resolve_scope):
3808         (JSC::JIT::emitSlow_op_get_from_scope):
3809         (JSC::JIT::emitSlow_op_put_to_scope):
3810         * jit/JITStubs.cpp:
3811         * jit/JITStubs.h:
3812
3813 2013-10-14  Filip Pizlo  <fpizlo@apple.com>
3814
3815         DFG PutById IC should use the ConcurrentJITLocker since it's now dealing with IC's that get read by the compiler thread
3816         https://bugs.webkit.org/show_bug.cgi?id=122786
3817
3818         Reviewed by Mark Hahnenberg.
3819
3820         * bytecode/CodeBlock.cpp:
3821         (JSC::CodeBlock::resetStub): Resetting a stub should acquire the lock since this is observable from the thread; but we should only acquire the lock if we're resetting outside of GC.
3822         * jit/Repatch.cpp:
3823         (JSC::repatchPutByID): Doing the PutById patching should hold the lock.
3824         (JSC::buildPutByIdList): Ditto.
3825
3826 2013-10-14  Nadav Rotem  <nrotem@apple.com>
3827
3828         Add FTL support for LogicalNot(string)
3829         https://bugs.webkit.org/show_bug.cgi?id=122765
3830
3831         Reviewed by Filip Pizlo.
3832
3833         This patch is tested by:
3834         regress/script-tests/emscripten-cube2hash.js.ftl-eager
3835
3836         * ftl/FTLCapabilities.cpp:
3837         (JSC::FTL::canCompile):
3838         * ftl/FTLLowerDFGToLLVM.cpp:
3839         (JSC::FTL::LowerDFGToLLVM::compileLogicalNot):
3840
3841 2013-10-14  Julien Brianceau  <jbriance@cisco.com>
3842
3843         [sh4] Fixes after r157404 and r157411.
3844         https://bugs.webkit.org/show_bug.cgi?id=122782
3845
3846         Reviewed by Michael Saboff.
3847
3848         * dfg/DFGSpeculativeJIT.h:
3849         (JSC::DFG::SpeculativeJIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG.
3850         * jit/CCallHelpers.h:
3851         (JSC::CCallHelpers::setupArgumentsWithExecState):
3852         * jit/JITInlines.h:
3853         (JSC::JIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG.
3854         * jit/JITPropertyAccess32_64.cpp:
3855         (JSC::JIT::emit_op_put_by_id): Remove unwanted BEGIN_UNINTERRUPTED_SEQUENCE.
3856
3857 2013-10-14  Commit Queue  <commit-queue@webkit.org>
3858
3859         Unreviewed, rolling out r157413.
3860         http://trac.webkit.org/changeset/157413
3861         https://bugs.webkit.org/show_bug.cgi?id=122779
3862
3863         Appears to have caused frequent crashes (Requested by ap on
3864         #webkit).
3865
3866         * CMakeLists.txt:
3867         * GNUmakefile.list.am:
3868         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3869         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3870         * JavaScriptCore.xcodeproj/project.pbxproj:
3871         * heap/DeferGC.cpp: Removed.
3872         * heap/DeferGC.h:
3873         * jit/JITStubs.cpp:
3874         (JSC::tryCacheGetByID):
3875         (JSC::DEFINE_STUB_FUNCTION):
3876         * llint/LLIntSlowPaths.cpp:
3877         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3878         * runtime/ConcurrentJITLock.h:
3879         * runtime/InitializeThreading.cpp:
3880         (JSC::initializeThreadingOnce):
3881         * runtime/JSCellInlines.h:
3882         (JSC::allocateCell):
3883         * runtime/Structure.cpp:
3884         (JSC::Structure::materializePropertyMap):
3885         (JSC::Structure::putSpecificValue):
3886         (JSC::Structure::createPropertyMap):
3887         * runtime/Structure.h:
3888
3889 2013-10-14  Mark Hahnenberg  <mhahnenberg@apple.com>
3890
3891         COLLECT_ON_EVERY_ALLOCATION causes assertion failures
3892         https://bugs.webkit.org/show_bug.cgi?id=122652
3893
3894         Reviewed by Filip Pizlo.
3895
3896         COLLECT_ON_EVERY_ALLOCATION wasn't accounting for the new GC deferral mechanism,
3897         so we would end up ASSERTing during garbage collection.
3898
3899         * heap/MarkedAllocator.cpp:
3900         (JSC::MarkedAllocator::allocateSlowCase):
3901
3902 2013-10-11  Oliver Hunt  <oliver@apple.com>
3903
3904         Separate out array iteration intrinsics
3905         https://bugs.webkit.org/show_bug.cgi?id=122656
3906
3907         Reviewed by Michael Saboff.
3908
3909         Separate out the intrinsics for key and values iteration
3910         of arrays.
3911
3912         This requires moving array iteration into the iterator
3913         instance, rather than the prototype, but this is essentially
3914         unobservable so we'll live with it for now.
3915
3916         * jit/ThunkGenerators.cpp:
3917         (JSC::arrayIteratorNextThunkGenerator):
3918         (JSC::arrayIteratorNextKeyThunkGenerator):
3919         (JSC::arrayIteratorNextValueThunkGenerator):
3920         * jit/ThunkGenerators.h:
3921         * runtime/ArrayIteratorPrototype.cpp:
3922         (JSC::ArrayIteratorPrototype::finishCreation):
3923         * runtime/Intrinsic.h:
3924         * runtime/JSArrayIterator.cpp:
3925         (JSC::JSArrayIterator::finishCreation):
3926         (JSC::createIteratorResult):
3927         (JSC::arrayIteratorNext):
3928         (JSC::arrayIteratorNextKey):
3929         (JSC::arrayIteratorNextValue):
3930         (JSC::arrayIteratorNextGeneric):
3931         * runtime/VM.cpp:
3932         (JSC::thunkGeneratorForIntrinsic):
3933
3934 2013-10-11  Mark Hahnenberg  <mhahnenberg@apple.com>
3935
3936         llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
3937         https://bugs.webkit.org/show_bug.cgi?id=122667
3938
3939         Reviewed by Filip Pizlo.
3940
3941         The issue this patch is attempting to fix is that there are places in our codebase
3942         where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
3943         operations that can initiate a garbage collection. Garbage collection then calls 
3944         some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
3945         always necessarily run during garbage collection). This causes a deadlock.
3946
3947         To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores 
3948         into a thread-local field that indicates that it is unsafe to perform any operation 
3949         that could trigger garbage collection on the current thread. In debug builds, 
3950         ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly 
3951         detect deadlocks.
3952
3953         This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
3954         which uses the DeferGC mechanism to prevent collections from occurring while the 
3955         lock is held.
3956
3957         * CMakeLists.txt:
3958         * GNUmakefile.list.am:
3959         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3960         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3961         * JavaScriptCore.xcodeproj/project.pbxproj:
3962         * heap/DeferGC.cpp: Added.
3963         * heap/DeferGC.h:
3964         (JSC::DisallowGC::DisallowGC):
3965         (JSC::DisallowGC::~DisallowGC):
3966         (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
3967         (JSC::DisallowGC::initialize):
3968         * jit/JITStubs.cpp:
3969         (JSC::tryCachePutByID):
3970         (JSC::tryCacheGetByID):
3971         (JSC::DEFINE_STUB_FUNCTION):
3972         * llint/LLIntSlowPaths.cpp:
3973         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3974         * runtime/ConcurrentJITLock.h:
3975         (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
3976         (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
3977         (JSC::ConcurrentJITLockerBase::unlockEarly):
3978         (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
3979         (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
3980         * runtime/InitializeThreading.cpp:
3981         (JSC::initializeThreadingOnce):
3982         * runtime/JSCellInlines.h:
3983         (JSC::allocateCell):
3984         * runtime/Structure.cpp:
3985         (JSC::Structure::materializePropertyMap):
3986         (JSC::Structure::putSpecificValue):
3987         (JSC::Structure::createPropertyMap):
3988         * runtime/Structure.h:
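
The deadlock and its fix described in the entry above, as an added illustration that is not JavaScriptCore's code: an RAII DisallowGC guard records in a thread-local that collection is unsafe, a debug-style ConcurrentJITLocker embeds one so a GC attempted under the lock is caught eagerly rather than deadlocking, and a GCSafeConcurrentJITLocker defers collection instead. The depth counters, the GCOutcome enum, maybeCollect and allocateUnderLock are assumptions standing in for the real heap and DeferGC machinery.

```cpp
#include <mutex>
// Thread-local depths: >0 means GC is unsafe (disallowed) or postponed (deferred).
static thread_local unsigned gcDisallowDepth = 0;
static thread_local unsigned gcDeferDepth = 0;

// RAII guard mirroring the DisallowGC described in the entry (assumed shape).
struct DisallowGC {
    DisallowGC() { ++gcDisallowDepth; }
    ~DisallowGC() { --gcDisallowDepth; }
    static bool isGCDisallowedOnCurrentThread() { return gcDisallowDepth > 0; }
};

// RAII guard standing in for the DeferGC mechanism (assumed shape).
struct DeferGC {
    DeferGC() { ++gcDeferDepth; }
    ~DeferGC() { --gcDeferDepth; }
};
// What the allocation slow path decided; returned so it can be checked.
enum class GCOutcome { Collected, Deferred, UnsafeDetected };

GCOutcome maybeCollect()
{
    // Eager detection: a collection here would re-take a lock this thread holds.
    if (DisallowGC::isGCDisallowedOnCurrentThread())
        return GCOutcome::UnsafeDetected;
    if (gcDeferDepth > 0)
        return GCOutcome::Deferred;
    return GCOutcome::Collected;
}

// Debug-style locker: holding it forbids GC on this thread.
struct ConcurrentJITLocker {
    std::lock_guard<std::mutex> guard;
    DisallowGC disallow;
    explicit ConcurrentJITLocker(std::mutex& m) : guard(m) {}
};

// GC-safe locker: defers collection for the lock's lifetime instead.
struct GCSafeConcurrentJITLocker {
    DeferGC defer;
    std::lock_guard<std::mutex> guard;
    explicit GCSafeConcurrentJITLocker(std::mutex& m) : guard(m) {}
};
// An operation that may allocate (and so try to collect) under the CodeBlock lock.
GCOutcome allocateUnderLock(bool gcSafe)
{
    static std::mutex codeBlockLock; // stands in for a CodeBlock's lock
    if (gcSafe) {
        GCSafeConcurrentJITLocker locker(codeBlockLock);
        return maybeCollect();
    }
    ConcurrentJITLocker locker(codeBlockLock);
    return maybeCollect();
}
```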
3989
3990 2013-10-14  Filip Pizlo  <fpizlo@apple.com>
3991
3992         Baseline JIT should use the DFG's PutById IC
3993         https://bugs.webkit.org/show_bug.cgi?id=122704
3994
3995         Reviewed by Mark Hahnenberg.
3996