LLVM asserts in internal-js-tests.yaml/Octane/stress-tests/mandreel.js
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2013-11-02  Filip Pizlo  <fpizlo@apple.com>

        LLVM asserts in internal-js-tests.yaml/Octane/stress-tests/mandreel.js
        https://bugs.webkit.org/show_bug.cgi?id=123535

        Reviewed by Geoffrey Garen.

        Use double comparisons for doubles.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::doubleToInt32):

2013-11-02  Patrick Gansterer  <paroga@webkit.org>

        Various small WinCE build fixes

        * jsc.cpp:
        (main):

2013-11-02  Patrick Gansterer  <paroga@webkit.org>

        Fix MSVC ARM build after r157581.

        * jit/JITStubsARM.h:

2013-11-01  Filip Pizlo  <fpizlo@apple.com>

        FTL should use a simple optimization pipeline by default
        https://bugs.webkit.org/show_bug.cgi?id=123638

        Reviewed by Geoffrey Garen.

        20% speed-up on imagine-gaussian-blur, when combined with --ftlUsesStackmaps=true.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * runtime/Options.h:

2013-11-01  Andreas Kling  <akling@apple.com>

        Neuter WTF_MAKE_FAST_ALLOCATED in GLOBAL_FASTMALLOC_NEW builds.
        <https://webkit.org/b/123639>

        JSC::ParserArenaRefCounted really needed to have the new/delete
        operators overridden, in order for JSC::ScopeNode to be able to
        choose that "operator new" out of the two it inherits.

        Reviewed by Anders Carlsson.

2013-11-01  Filip Pizlo  <fpizlo@apple.com>

        OSR exit profiling should be robust against all code being cleared
        https://bugs.webkit.org/show_bug.cgi?id=123629
        <rdar://problem/15365476>

        Reviewed by Michael Saboff.

        The problem here is two-fold:

        1) A watchpoint (i.e. ProfiledCodeBlockJettisoningWatchpoint) may be fired after we
        have cleared the CodeBlock for all or some Executables.  This means that doing
        codeBlock->baselineVersion() would either crash or return a bogus CodeBlock, since
        there wasn't a baseline code block reachable from the Executable anymore.  The
        solution is that we shouldn't be asking for the baseline code block reachable from
        the owning executable (what baselineVersion did), but instead we should be asking
        for the baseline version reachable from the code block being watchpointed (basically
        what CodeBlock::alternative() did).

        2) If dealing with inlined code, baselineCodeBlockForOriginAndBaselineCodeBlock()
        may return null, for the same reason as above - we might have cleared the baseline
        codeblock for the executable that was inlined.  The solution is to just not do
        profiling if there isn't a baseline code block anymore.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::baselineAlternative):
        (JSC::CodeBlock::baselineVersion):
        (JSC::CodeBlock::jettison):
        * bytecode/CodeBlock.h:
        * bytecode/CodeBlockJettisoningWatchpoint.cpp:
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):
        * dfg/DFGOSRExitBase.cpp:
        (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::AssemblyHelpers):
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::baselineCodeBlockFor):

2013-10-31  Oliver Hunt  <oliver@apple.com>

        JavaScript parser bug
        https://bugs.webkit.org/show_bug.cgi?id=123506

        Reviewed by Mark Lam.

        Add ParserState as an abstraction and use that to save and restore
        the parser state around nested functions (We'll need to use this in
        more places in future).  Also fix a minor typo that this testcase
        hit.

        * parser/Parser.cpp:
        (JSC::::parseFunctionInfo):
        (JSC::::parseAssignmentExpression):
        * parser/Parser.h:
        (JSC::Parser::saveState):
        (JSC::Parser::restoreState):

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        FTL Int32ToDouble should handle the forward type check case where you need a recovery
        https://bugs.webkit.org/show_bug.cgi?id=123605

        Reviewed by Mark Hahnenberg.

        If you have an Int32ToDouble that needs to do a type check and it's required to do a
        forward exit, then it needs to manually pass in a value recovery for itself in the
        OSR exit - since this is one of those forward-exiting nodes that doesn't have a
        preceding MovHint.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble):
        (JSC::FTL::LowerDFGToLLVM::forwardTypeCheck):

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        FTL should implement InvalidationPoint in terms of llvm.stackmap
        https://bugs.webkit.org/show_bug.cgi?id=113647

        Reviewed by Mark Hahnenberg.

        This is pretty straightforward now that InvalidationPoint has exactly the semantics
        that agree with llvm.stackmap.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::LowerDFGToLLVM::callStackmap):
        * ftl/FTLOSRExitCompilationInfo.h:
        (JSC::FTL::OSRExitCompilationInfo::OSRExitCompilationInfo):

2013-10-30  Oliver Hunt  <oliver@apple.com>

        Implement basic ES6 Math functions
        https://bugs.webkit.org/show_bug.cgi?id=123536

        Reviewed by Michael Saboff.

        Fairly trivial patch to implement the core ES6 Math functions.

        This doesn't implement Math.hypot as it is not a trivial function.
        I've also skipped Math.sign as I am yet to be convinced the spec
        behaviour is good.  Everything else is trivial.

        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        (JSC::mathProtoFuncACosh):
        (JSC::mathProtoFuncASinh):
        (JSC::mathProtoFuncATanh):
        (JSC::mathProtoFuncCbrt):
        (JSC::mathProtoFuncCosh):
        (JSC::mathProtoFuncExpm1):
        (JSC::mathProtoFuncFround):
        (JSC::mathProtoFuncLog1p):
        (JSC::mathProtoFuncLog10):
        (JSC::mathProtoFuncLog2):
        (JSC::mathProtoFuncSinh):
        (JSC::mathProtoFuncTanh):
        (JSC::mathProtoFuncTrunc):

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        FTL::Location::restoreInto() doesn't handle stack-related registers correctly if you're using it after pushing a new stack frame
        https://bugs.webkit.org/show_bug.cgi?id=123591

        Reviewed by Mark Hahnenberg.

        This gets us to pass more tests with ftlUsesStackmaps.

        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::restoreInto):
        * ftl/FTLLocation.h:
        * ftl/FTLThunks.cpp:
        (JSC::FTL::osrExitGenerationWithStackMapThunkGenerator):

2013-10-31  Alexey Proskuryakov  <ap@apple.com>

        Enable WebCrypto on Mac
        https://bugs.webkit.org/show_bug.cgi?id=123587

        Reviewed by Anders Carlsson.

        * Configurations/FeatureDefines.xcconfig: Do it.

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, really remove CachedTranscendentalFunction.h.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        Remove CachedTranscendentalFunction because caching math functions is an ugly idea
        https://bugs.webkit.org/show_bug.cgi?id=123574

        Reviewed by Mark Hahnenberg.

        This is performance-neutral because I also make Math.cos/sin intrinsic. This means that
        we gain the "overhead" of actually computing sin and cos but we lose the overhead of
        going through the native call thunks.

        Caching transcendental functions is a really ugly idea. It works for SunSpider because
        that benchmark makes very predictable calls into Math.sin. But I don't believe that this
        is representative of any kind of reality, and so for sensible uses of Math.sin/cos all
        that this was doing was adding more call overhead and some hashing overhead.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOperations.h:
        * runtime/CachedTranscendentalFunction.h: Removed.
        * runtime/DateInstanceCache.h:
        * runtime/Intrinsic.h:
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        (JSC::mathProtoFuncCos):
        (JSC::mathProtoFuncSin):
        * runtime/VM.h:

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Assertion failure in js/dom/global-constructors-attributes-dedicated-worker.html
        https://bugs.webkit.org/show_bug.cgi?id=123551
        <rdar://problem/15356238>

        Reviewed by Mark Hahnenberg.

        WatchpointSets have always had this "fire everything on deletion" policy because it
        seemed like a good fail-safe at the time I first implemented WatchpointSets. But
        it's actually causing bugs rather than providing safety:

        - Everyone who registers Watchpoints with WatchpointSets has separate mechanisms
          for either keeping the WatchpointSets alive or noticing when they are collected.
          So this wasn't actually providing any safety.

          One example of this is Structures, where:

          - CodeBlocks that register Watchpoints on Structure's WatchpointSet will also
            register weak references to the Structure, and the GC will jettison a CodeBlock
            if the Structure(s) it cares about die.

          - StructureStubInfos that register Watchpoints on Structure's WatchpointSet will
            also be cleared by GC if the Structures die.

        - The WatchpointSet destructor would get invoked from finalization/destruction.
          This would then cause CodeBlock::jettison() to be called on a CodeBlock, but that
          method requires doing things that access heap objects. This would usually cause
          problems on VM destruction, since then the CodeBlocks would still be alive but the
          whole heap would be destroyed.

        This also ensures that CodeBlock::jettison() cannot cause a GC. This is safe since
        that method doesn't really allocate objects, and it is likely necessary because
        jettison() may be called from deep in the stack.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * bytecode/Watchpoint.cpp:
        (JSC::WatchpointSet::~WatchpointSet):
        * bytecode/Watchpoint.h:

2013-10-30  Mark Lam  <mark.lam@apple.com>

        Unreviewed, fix C Loop LLINT build.

        * bytecode/CodeBlockJettisoningWatchpoint.cpp:
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix FTL build.

        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):

2013-10-30  Alexey Proskuryakov  <ap@apple.com>

        Add a way to fulfill promises from DOM code
        https://bugs.webkit.org/show_bug.cgi?id=123466

        Reviewed by Sam Weinig.

        * JavaScriptCore.xcodeproj/project.pbxproj: Make JSPromise.h and JSPromiseResolver.h
        private headers for WebCore to use.

        * runtime/JSPromise.h:
        * runtime/JSPromiseResolver.h:
        Export functions that JSDOMPromise will use.

2013-10-30  Mark Lam  <mark.lam@apple.com>

        Adjust CallFrameHeader's ReturnPC and CallFrame locations to match the native ABI.
        https://bugs.webkit.org/show_bug.cgi?id=123444

        Reviewed by Geoffrey Garen.

        - Introduced an explicit CallerFrameAndPC struct.
        - A CallFrame is expected to start with a CallerFrameAndPC struct.
        - The Register class no longer supports CallFrame* and Instruction*.

          These hide the differences between JSVALUE32_64 and JSVALUE64 in
          terms of managing the callerFrame() and returnPC() values.

        - Convert all uses of JSStack::CallerFrame and JSStack::ReturnPC to
          go through CallFrame to access the appropriate values and offsets.
          CallFrame, in turn, will access the callerFrame and returnPC via
          the CallerFrameAndPC struct.

        - InlineCallFrame will provide offsets for its callerFrame and
          returnPC. It will make use of CallFrame::callerFrameOffset() and
          CallFrame::returnPCOffset() to compute these.

        * bytecode/CodeOrigin.h:
        (JSC::InlineCallFrame::callerFrameOffset):
        (JSC::InlineCallFrame::returnPCOffset):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::calleeFrameSlot):
        (JSC::DFG::SpeculativeJIT::calleeArgumentSlot):
        (JSC::DFG::SpeculativeJIT::calleeFrameTagSlot):
        (JSC::DFG::SpeculativeJIT::calleeFramePayloadSlot):
        (JSC::DFG::SpeculativeJIT::calleeArgumentTagSlot):
        (JSC::DFG::SpeculativeJIT::calleeArgumentPayloadSlot):
        - Prefixed all the above with callee since they apply to the callee frame.
        (JSC::DFG::SpeculativeJIT::calleeFrameCallerFrame):
        - Added to set the callerFrame pointer in the callee frame.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLink.cpp:
        (JSC::FTL::compileEntry):
        (JSC::FTL::link):
        * interpreter/CallFrame.h:
        (JSC::ExecState::callerFrame):
        (JSC::ExecState::callerFrameOffset):
        (JSC::ExecState::returnPC):
        (JSC::ExecState::hasReturnPC):
        (JSC::ExecState::clearReturnPC):
        (JSC::ExecState::returnPCOffset):
        (JSC::ExecState::setCallerFrame):
        (JSC::ExecState::setReturnPC):
        (JSC::ExecState::callerFrameAndPC):
        * interpreter/JSStack.h:
        * interpreter/Register.h:
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitPutToCallFrameHeader):
        - Convert to using storePtr() here and simplify the code.
        (JSC::AssemblyHelpers::emitGetCallerFrameFromCallFrameHeaderPtr):
        (JSC::AssemblyHelpers::emitPutCallerFrameToCallFrameHeader):
        (JSC::AssemblyHelpers::emitGetReturnPCFromCallFrameHeaderPtr):
        (JSC::AssemblyHelpers::emitPutReturnPCToCallFrameHeader):
        - Helpers to emit gets/puts of the callerFrame and returnPC.
        (JSC::AssemblyHelpers::addressForByteOffset):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompile):
        (JSC::JIT::privateCompileExceptionHandlers):
        * jit/JITCall.cpp:
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::emit_op_ret_object_or_this):
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileOpCall):
        * jit/JITInlines.h:
        (JSC::JIT::unmap):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_end):
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::emit_op_ret_object_or_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_end):
        * jit/JITOperations.cpp:
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::returnJSValue):
        (JSC::SpecializedThunkJIT::returnDouble):
        (JSC::SpecializedThunkJIT::returnInt32):
        (JSC::SpecializedThunkJIT::returnJSCell):
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::slowPathFor):
        (JSC::nativeForGenerator):

        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        - Updated offsets and asserts to match the new CallFrame layout.

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Mac.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::RegisterAllocationOffset::checkOffsets):
        (JSC::AbstractMacroAssembler::checkRegisterAllocationAgainstBranchRange):

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Windows.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Windows.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addFrequentExitSite):

2013-10-29  Filip Pizlo  <fpizlo@apple.com>

        Add InvalidationPoints to the DFG and use them for all watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=123472

        Reviewed by Mark Hahnenberg.

        This makes a fundamental change to how watchpoints work in the DFG.

        Previously, a watchpoint was an instruction whose execution semantics were something
        like:

            if (watchpoint->invalidated)
                exit

        We would implement this without any branch by using jump replacement.

        This is a very good optimization. But it's a bit awkward once you get a lot of
        watchpoints: semantically we will have lots of these branches in the code, which the
        compiler needs to reason about even though they don't actually result in any emitted
        code.

        Separately, we also had a mechanism for jettisoning a CodeBlock. This mechanism would
        be invoked if a CodeBlock exited a lot. It would ensure that a CodeBlock wouldn't be
        called into again, but it would do nothing for CodeBlocks that were already on the
        stack.

        This change flips jettisoning and watchpoint invalidation on their heads. Now, the jump
        replacement has nothing to do with watchpoints; instead it's something that happens if
        you ever jettison a CodeBlock. Jump replacement is now an all-or-nothing operation over
        all of the potential call-return safe-exit-points in a CodeBlock. We call these
        "InvalidationPoint"s. A watchpoint instruction is now "lowered" by having the DFG
        collect all of the watchpoint sets that the CodeBlock cares about, and then registering
        a CodeBlockJettisoningWatchpoint with all of them. That is, if the watchpoint fires, it
        jettisons the CodeBlock, which in turn ensures that the CodeBlock can't be called into
        (because the entrypoint now points to baseline code) and can't be returned into
        (because returning exits to baseline before the next bytecode instruction).

        This will allow for a sensible lowering of watchpoints to LLVM IR. It will also allow
        for jettison() to be used effectively for things like breakpointing and single-stepping
        in the debugger.

        Well, basically, this mechanism just takes us into the HotSpot-style world where anyone
        can, at any time and for any reason, request that an optimized CodeBlock is rendered
        immediately invalid. You can use this for many cool things, I'm sure.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * bytecode/CodeBlock.h:
        * bytecode/CodeBlockJettisoningWatchpoint.cpp: Added.
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/CodeBlockJettisoningWatchpoint.h: Added.
        (JSC::CodeBlockJettisoningWatchpoint::CodeBlockJettisoningWatchpoint):
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp: Added.
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.h: Added.
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::ProfiledCodeBlockJettisoningWatchpoint):
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGClobberize.cpp:
        (JSC::DFG::writesOverlap):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        (JSC::DFG::AbstractHeapOverlaps::AbstractHeapOverlaps):
        (JSC::DFG::AbstractHeapOverlaps::operator()):
        (JSC::DFG::AbstractHeapOverlaps::result):
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::CommonData::invalidate):
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::CommonData):
        * dfg/DFGDesiredWatchpoints.cpp:
        (JSC::DFG::DesiredWatchpoints::addLazily):
        (JSC::DFG::DesiredWatchpoints::reallyAdd):
        * dfg/DFGDesiredWatchpoints.h:
        (JSC::DFG::WatchpointForGenericWatchpointSet::WatchpointForGenericWatchpointSet):
        (JSC::DFG::GenericDesiredWatchpoints::addLazily):
        (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
        (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGInvalidationPointInjectionPhase.cpp: Added.
        (JSC::DFG::InvalidationPointInjectionPhase::InvalidationPointInjectionPhase):
        (JSC::DFG::InvalidationPointInjectionPhase::run):
        (JSC::DFG::InvalidationPointInjectionPhase::handle):
        (JSC::DFG::InvalidationPointInjectionPhase::insertInvalidationCheck):
        (JSC::DFG::performInvalidationPointInjection):
        * dfg/DFGInvalidationPointInjectionPhase.h: Added.
        * dfg/DFGJITCode.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        * dfg/DFGJumpReplacement.cpp: Added.
        (JSC::DFG::JumpReplacement::fire):
        * dfg/DFGJumpReplacement.h: Added.
        (JSC::DFG::JumpReplacement::JumpReplacement):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRExitCompilationInfo.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::reallyAdd):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::masqueradesAsUndefinedWatchpointIsStillValid):
        (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWatchpointCollectionPhase.cpp: Added.
        (JSC::DFG::WatchpointCollectionPhase::WatchpointCollectionPhase):
        (JSC::DFG::WatchpointCollectionPhase::run):
        (JSC::DFG::WatchpointCollectionPhase::handle):
        (JSC::DFG::WatchpointCollectionPhase::handleEdge):
        (JSC::DFG::WatchpointCollectionPhase::handleMasqueradesAsUndefined):
        (JSC::DFG::WatchpointCollectionPhase::handleStringGetByVal):
        (JSC::DFG::WatchpointCollectionPhase::addLazily):
        (JSC::DFG::WatchpointCollectionPhase::globalObject):
        (JSC::DFG::performWatchpointCollection):
        * dfg/DFGWatchpointCollectionPhase.h: Added.
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileStructureTransitionWatchpoint):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::compileGlobalVarWatchpoint):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
        (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
        * jit/JITOperations.cpp:
        * jit/JumpReplacementWatchpoint.cpp: Removed.
        * jit/JumpReplacementWatchpoint.h: Removed.

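The jettison-on-fire design this entry describes, together with the no-fire-on-destruction policy from the 2013-10-30 WatchpointSet entry above, as an added toy model in C++. It is not JavaScriptCore code: the class and function names (WatchpointSet, CodeBlockJettisoningWatchpoint, InvalidationPoint, jettison, the two scenario functions) are hypothetical simplifications, and the patchable jumps are modelled as flags.

```cpp
#include <vector>

// Added toy model, not JavaScriptCore code: the names echo the ChangeLog
// entries above, but every type and function here is hypothetical.

// Notified when the condition it guards stops holding.
struct Watchpoint {
    virtual ~Watchpoint() = default;
    virtual void fire() = 0;
};

// Fans one "fire" event out to every registered Watchpoint. Per the 2013-10-30
// entry, destroying the set must NOT fire anything (it may run at VM teardown).
struct WatchpointSet {
    std::vector<Watchpoint*> watchpoints;
    void add(Watchpoint* w) { watchpoints.push_back(w); }
    void fireAll() {
        std::vector<Watchpoint*> toFire;
        toFire.swap(watchpoints);          // detach first: fire() may re-enter
        for (Watchpoint* w : toFire)
            w->fire();
    }
    ~WatchpointSet() = default;            // deliberately no fireAll() here
};

// A call-return safe exit point in optimized code. In the real JIT it is a
// patchable jump; here it is a flag that the "emitted code" consults.
struct InvalidationPoint { bool patchedToExit = false; };

struct CodeBlock {
    bool entrypointIsOptimized = true;     // false once jettisoned
    std::vector<InvalidationPoint> invalidationPoints;
    int jettisonCount = 0;

    // All-or-nothing jump replacement over every invalidation point, plus
    // pointing the entrypoint at baseline. Only flips flags: no allocation, no GC.
    void jettison() {
        if (!entrypointIsOptimized)
            return;                        // already jettisoned: idempotent
        entrypointIsOptimized = false;
        for (InvalidationPoint& ip : invalidationPoints)
            ip.patchedToExit = true;
        ++jettisonCount;
    }

    // How many of this block's invalidation points now exit to baseline.
    int patchedPointCount() const {
        int n = 0;
        for (const InvalidationPoint& ip : invalidationPoints)
            n += ip.patchedToExit ? 1 : 0;
        return n;
    }
};

// Registered by the DFG with every WatchpointSet the CodeBlock depends on.
// Firing it does exactly one thing: jettison that CodeBlock.
struct CodeBlockJettisoningWatchpoint : Watchpoint {
    CodeBlock* codeBlock;
    explicit CodeBlockJettisoningWatchpoint(CodeBlock* cb) : codeBlock(cb) {}
    void fire() override { codeBlock->jettison(); }
};

struct JettisonOutcome {
    int patchedBeforeFire;      // 0: nothing invalidated yet
    int patchedAfterFire;       // 3: all points flipped at once
    bool callsEnterOptimized;   // false: entrypoint now points at baseline
    int jettisonCount;          // 1: the second set firing is a no-op
};

// One CodeBlock depending on two watchpoint sets, with three invalidation
// points: firing either set must invalidate all three points together.
JettisonOutcome runJettisonScenario() {
    CodeBlock cb;
    cb.invalidationPoints.resize(3);
    WatchpointSet structureSet, globalVarSet;
    CodeBlockJettisoningWatchpoint onStructure(&cb), onGlobalVar(&cb);
    structureSet.add(&onStructure);
    globalVarSet.add(&onGlobalVar);

    JettisonOutcome out;
    out.patchedBeforeFire = cb.patchedPointCount();
    structureSet.fireAll();                // e.g. a watched Structure transitioned
    out.patchedAfterFire = cb.patchedPointCount();
    out.callsEnterOptimized = cb.entrypointIsOptimized;
    globalVarSet.fireAll();                // already jettisoned: must not count twice
    out.jettisonCount = cb.jettisonCount;
    return out;
}

// Destroying a WatchpointSet (as at VM teardown) must leave the CodeBlock alone;
// the old fire-on-destruction policy would have run jettison() on a dead heap.
bool destroyingSetLeavesCodeBlockAlone() {
    CodeBlock cb;
    cb.invalidationPoints.resize(1);
    CodeBlockJettisoningWatchpoint w(&cb);
    { WatchpointSet set; set.add(&w); }    // set destroyed here: nothing fires
    return cb.entrypointIsOptimized && cb.jettisonCount == 0;
}
```
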
2013-10-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSExport doesn't support constructors
        https://bugs.webkit.org/show_bug.cgi?id=123380

        Reviewed by Geoffrey Garen.

        Support for constructor-style callbacks for the Objective-C API to JSC is currently limited to
        Objective-C blocks. Any clients who try to call the constructor of a JSExport-ed Objective-C class
        are met with a type error stating that it cannot be called as a constructor.

        It would be nice to expand JSExport's functionality to support this idiom. It is a natural
        extension to JSExport and would increase the expressiveness and simplicity in both Objective-C and
        JavaScript client code.

        The way we'll do this is to expand the capabilities of ObjCCallbackFunction and associated classes.
        Instead of constructing a normal C API object for the constructor, we'll instead allocate a full-blown
        ObjCCallbackFunction object which can already properly handle being invoked as a constructor.

        * API/JSWrapperMap.mm:
        (copyMethodsToObject):
        (allocateConstructorForCustomClass):
        (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
        (tryUnwrapObjcObject):
        * API/ObjCCallbackFunction.h:
        (JSC::ObjCCallbackFunction::impl):
        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
        (JSC::ObjCCallbackFunctionImpl::wrappedConstructor):
        (JSC::ObjCCallbackFunctionImpl::isConstructible):
        (JSC::ObjCCallbackFunction::getConstructData):
        (JSC::ObjCCallbackFunctionImpl::name):
        (JSC::ObjCCallbackFunctionImpl::call):
        (objCCallbackFunctionForInvocation):
        (objCCallbackFunctionForInit):
        (tryUnwrapConstructor):
        * API/tests/testapi.mm:
        (-[TextXYZ initWithString:]):
        (-[ClassA initWithA:]):
        (-[ClassB initWithA:b:]):
        (-[ClassC initWithA:]):
        (-[ClassC initWithA:b:]):

2013-10-30  peavo@outlook.com  <peavo@outlook.com>

        [Win] Compile errors when enabling DFG JIT.
        https://bugs.webkit.org/show_bug.cgi?id=120998

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added files.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
        * dfg/DFGAllocator.h: Removed scope.
        * dfg/DFGWorklist.cpp: Use new ThreadingOnce class instead of pthread_once.
        (JSC::DFG::globalWorklist):
        * heap/DeferGC.h: Link fix, member needs to be public.
        * jit/JITOperationWrappers.h: Added required assembler macros.

2013-10-30  Iago Toral Quiroga  <itoral@igalia.com>

        Add result caching for Math.cos
        https://bugs.webkit.org/show_bug.cgi?id=123255

        Reviewed by Brent Fulgham.

        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncCos):
        * runtime/VM.h:

2013-10-30  Alex Christensen  <achristensen@webkit.org>

        Disabled JIT on Win64.
        https://bugs.webkit.org/show_bug.cgi?id=122472

        Reviewed by Geoffrey Garen.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        Disabled building JITStubsMSVC64.

706 2013-10-29  Michael Saboff  <msaboff@apple.com>
707
708         Change local variable register allocation to start at offset -1
709         https://bugs.webkit.org/show_bug.cgi?id=123182
710
711         Reviewed by Geoffrey Garen.
712
713         Adjusted the virtual register mapping down by one slot.  Reduced
714         the CallFrame header slots offsets by one.  They now start at 0.
715         Changed arity fixup to no longer skip past register slot 0 as this
716         is now part of the CallFrame header.
717
718         * bytecode/VirtualRegister.h:
719         (JSC::operandIsLocal):
720         (JSC::operandIsArgument):
721         (JSC::VirtualRegister::localToOperand):
722         (JSC::VirtualRegister::operandToLocal):
723           Adjusted functions for shift in mapping from local to register offset.
724
725         * dfg/DFGByteCodeParser.cpp:
726         (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
727         (JSC::DFG::ByteCodeParser::addCall):
728         (JSC::DFG::ByteCodeParser::handleInlining):
729         (JSC::DFG::ByteCodeParser::parseBlock):
730         * dfg/DFGVariableEventStream.cpp:
731         (JSC::DFG::VariableEventStream::reconstruct):
732         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
733         (JSC::DFG::VirtualRegisterAllocationPhase::run):
734         * interpreter/CallFrame.h:
735         (JSC::ExecState::frameExtent):
736         (JSC::ExecState::offsetFor):
737         * interpreter/Interpreter.cpp:
738         (JSC::loadVarargs):
739         (JSC::Interpreter::dumpRegisters):
740         (JSC::Interpreter::executeCall):
741         * llint/LLIntData.cpp:
742         (JSC::LLInt::Data::performAssertions):
743         * llint/LowLevelInterpreter.asm:
744           Adjusted math to accommodate the shift in call frame slots.
745
746         * dfg/DFGJITCompiler.cpp:
747         (JSC::DFG::JITCompiler::compileFunction):
748         * dfg/DFGSpeculativeJIT.h:
749         (JSC::DFG::SpeculativeJIT::calleeFrameOffset):
750         * interpreter/CallFrame.cpp:
751         (JSC::CallFrame::frameExtentInternal):
752         * interpreter/JSStackInlines.h:
753         (JSC::JSStack::pushFrame):
754         * jit/JIT.cpp:
755         (JSC::JIT::privateCompile):
756         * jit/JITOperations.cpp:
757         * llint/LLIntSlowPaths.cpp:
758         (JSC::LLInt::llint_slow_path_stack_check):
759         * runtime/CommonSlowPaths.h:
760         (JSC::CommonSlowPaths::arityCheckFor):
761           Fixed offset calculation to use VirtualRegister and related calculation instead of
762           doing separate calculations.
763
764         * interpreter/JSStack.h:
765           Adjusted CallFrame slots down by one.  Did some miscellaneous fixing of dumpRegisters()
766           in the process of testing the fixes.
767
768         * jit/ThunkGenerators.cpp:
769         (JSC::arityFixup):
770           Changed arity fixup to no longer skip past register slot 0 as this
771           is now part of the CallFrame header.
772
773         * llint/LowLevelInterpreter32_64.asm:
774         * llint/LowLevelInterpreter64.asm:
775           Changed arity fixup to no longer skip past register slot 0 as this
776           is now part of the CallFrame header.  Updated op_enter processing for
777           the change in local registers.
778
779         * runtime/JSGlobalObject.h:
780           Removed the now unneeded extra slot in the global callframe
781
782 2013-10-29  Julien Brianceau  <jbriance@cisco.com>
783
784         [arm] Fix lots of crashes because of 4th argument register trampling.
785         https://bugs.webkit.org/show_bug.cgi?id=123421
786
787         Reviewed by Michael Saboff.
788
789         r3 register is the 4th argument register for ARM and also a scratch
790         register in the baseline JIT for this architecture. We can use r6
791         instead, as this used to be the timeoutCheckRegister and it is no
792         longer used since r148119.
793
794         * assembler/ARMAssembler.h: Temp register is now r6 instead of r3 for ARM.
795         * assembler/MacroAssemblerARMv7.h: Temp register is now r6 instead of r3 for ARMv7.
796         * jit/GPRInfo.h: Add r3 properly in GPRInfo for ARM.
797         (JSC::GPRInfo::toRegister):
798         (JSC::GPRInfo::toIndex):
799         * jit/JITStubsARM.h:
800         (JSC::ctiTrampoline): Remove obsolete timeoutCheckRegister init.
801         * jit/JITStubsARMv7.h:
802         (JSC::ctiTrampoline): Remove obsolete timeoutCheckRegister init.
803         * jit/JSInterfaceJIT.h: Remove useless stuff.
804         * yarr/YarrJIT.cpp: Use r3 and not the new scratch register r6.
805         (JSC::Yarr::YarrGenerator::generateEnter): r8 register doesn't need to be saved.
806         (JSC::Yarr::YarrGenerator::generateReturn):
807
808 2013-10-29  Julien Brianceau  <jbriance@cisco.com>
809
810         Fix CPU(ARM_TRADITIONAL) build after r157690.
811         https://bugs.webkit.org/show_bug.cgi?id=123247
812
813         Reviewed by Michael Saboff.
814
815         Since r157690, the executableCopy function has been removed from AssemblerBuffer.h
816         and the copy of executable code occurs in the linkCode function (in LinkBuffer.cpp).
817         As the constant pool for jumps is updated in the executableCopy function of ARM_TRADITIONAL,
818         this part of code still needs to be called and absolute jumps must be corrected to anticipate
819         the copy of the executable code through memcpy.
820
821         * assembler/ARMAssembler.cpp:
822         (JSC::ARMAssembler::prepareExecutableCopy): Rename executableCopy to prepareExecutableCopy
823         and correct absolute jump values using the delta between the source and destination buffers.
824         * assembler/ARMAssembler.h:
825         * assembler/LinkBuffer.cpp:
826         (JSC::LinkBuffer::linkCode): Call prepareExecutableCopy just before the memcpy.
827
828 2013-10-28  Filip Pizlo  <fpizlo@apple.com>
829
830         OSRExit::m_watchpointIndex should be in OSRExitCompilationInfo
831         https://bugs.webkit.org/show_bug.cgi?id=123423
832
833         Reviewed by Mark Hahnenberg.
834         
835         Also enable ExitKind to tell you if it's a watchpoint.
836
837         * bytecode/ExitKind.cpp:
838         (JSC::exitKindToString):
839         * bytecode/ExitKind.h:
840         (JSC::isWatchpoint):
841         * dfg/DFGByteCodeParser.cpp:
842         (JSC::DFG::ByteCodeParser::setLocal):
843         (JSC::DFG::ByteCodeParser::setArgument):
844         (JSC::DFG::ByteCodeParser::handleCall):
845         (JSC::DFG::ByteCodeParser::handleGetById):
846         (JSC::DFG::ByteCodeParser::parseBlock):
847         * dfg/DFGJITCompiler.cpp:
848         (JSC::DFG::JITCompiler::linkOSRExits):
849         (JSC::DFG::JITCompiler::link):
850         * dfg/DFGJITCompiler.h:
851         (JSC::DFG::JITCompiler::appendExitInfo):
852         * dfg/DFGOSRExit.cpp:
853         (JSC::DFG::OSRExit::OSRExit):
854         * dfg/DFGOSRExit.h:
855         * dfg/DFGOSRExitCompilationInfo.h:
856         (JSC::DFG::OSRExitCompilationInfo::OSRExitCompilationInfo):
857         * dfg/DFGOSRExitCompiler.cpp:
858         * dfg/DFGSpeculativeJIT.cpp:
859         (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
860         * dfg/DFGSpeculativeJIT32_64.cpp:
861         (JSC::DFG::SpeculativeJIT::compile):
862         * dfg/DFGSpeculativeJIT64.cpp:
863         (JSC::DFG::SpeculativeJIT::compile):
864
865 2013-10-28  Myles C. Maxfield  <mmaxfield@apple.com>
866
867         Parsing support for -webkit-text-decoration-skip: ink
868         https://bugs.webkit.org/show_bug.cgi?id=123358
869
870         Reviewed by Dean Jackson.
871
872         Adding ENABLE(CSS3_TEXT_DECORATION)
873
874         * Configurations/FeatureDefines.xcconfig:
875
876 2013-10-24  Filip Pizlo  <fpizlo@apple.com>
877
878         Get rid of InlineStart so that I don't have to implement it in FTL
879         https://bugs.webkit.org/show_bug.cgi?id=123302
880
881         Reviewed by Geoffrey Garen.
882         
883         InlineStart was a special instruction that we would insert at the top of inlined code,
884         so that the backend could capture the OSR state of arguments to an inlined call. It used
885         to be that only the backend had this information, so this instruction was sort of an ugly
886         callback from the backend for filling in some data structures.
887         
888         But in the time since when that code was written (two years ago?), we rationalized how
889         variables work. It's now the case that variables that the runtime must know about are
890         treated specially in IR (they are "flushed") and we know how we will represent them even
891         before we get to the backend. The last place that makes changes to their representation
892         is the StackLayoutPhase.
893         
894         So, this patch gets rid of InlineStart, but keeps around the special meta-data that the
895         instruction had. Instead of handling the bookkeeping in the backend, we handle it in
896         StackLayoutPhase. This means that the DFG and FTL can share code for handling this
897         bookkeeping. This also means that now the FTL can compile code blocks that had inlining.
898         
899         Of course, giving the FTL the ability to handle code blocks that had inlining means that
900         we're going to have new bugs. Sure enough, the FTL's linker didn't handle inline call
901         frames. This patch also fixes that.
902
903         * dfg/DFGAbstractInterpreterInlines.h:
904         (JSC::DFG::::executeEffects):
905         * dfg/DFGByteCodeParser.cpp:
906         (JSC::DFG::ByteCodeParser::handleInlining):
907         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
908         * dfg/DFGClobberize.h:
909         (JSC::DFG::clobberize):
910         * dfg/DFGFixupPhase.cpp:
911         (JSC::DFG::FixupPhase::fixupNode):
912         * dfg/DFGGraph.h:
913         * dfg/DFGNode.h:
914         * dfg/DFGNodeType.h:
915         * dfg/DFGPredictionPropagationPhase.cpp:
916         (JSC::DFG::PredictionPropagationPhase::propagate):
917         * dfg/DFGSafeToExecute.h:
918         (JSC::DFG::safeToExecute):
919         * dfg/DFGSpeculativeJIT.cpp:
920         * dfg/DFGSpeculativeJIT.h:
921         * dfg/DFGSpeculativeJIT32_64.cpp:
922         (JSC::DFG::SpeculativeJIT::compile):
923         * dfg/DFGSpeculativeJIT64.cpp:
924         (JSC::DFG::SpeculativeJIT::compile):
925         * dfg/DFGStackLayoutPhase.cpp:
926         (JSC::DFG::StackLayoutPhase::run):
927         * ftl/FTLLink.cpp:
928         (JSC::FTL::link):
929
930 2013-10-24  Filip Pizlo  <fpizlo@apple.com>
931
932         The GetById->GetByOffset AI-based optimization should actually do things
933         https://bugs.webkit.org/show_bug.cgi?id=123299
934
935         Reviewed by Oliver Hunt.
936         
937         20% speed-up on Octane/gbemu.
938
939         * bytecode/GetByIdStatus.cpp:
940         (JSC::GetByIdStatus::computeFor): Actually finish filling in the Status by setting the state. Previously it would remain set to NoInformation, meaning that this whole method was a no-op.
941
942 2013-10-28  Carlos Garcia Campos  <cgarcia@igalia.com>
943
944         Unreviewed. Fix make distcheck.
945
946         * GNUmakefile.list.am: Add missing files to compilation.
947
948 2013-10-25  Oliver Hunt  <oliver@apple.com>
949
950         Refactor parser rollback logic
951         https://bugs.webkit.org/show_bug.cgi?id=123372
952
953         Reviewed by Brady Eidson.
954
955         Add a sane abstraction for rollbacks in the parser.
956
957         * parser/Parser.cpp:
958         (JSC::::parseSourceElements):
959         (JSC::::parseObjectLiteral):
960         * parser/Parser.h:
961         (JSC::Parser::createSavePoint):
962         (JSC::Parser::restoreSavePoint):
963
964 2013-10-25  peavo@outlook.com  <peavo@outlook.com>
965
966         [Win] Javascript crash with DFG JIT enabled.
967         https://bugs.webkit.org/show_bug.cgi?id=121001
968
969         Reviewed by Geoffrey Garen.
970
971         On Windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0),
972         results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
973         where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
974         This causes the register to be written to address 0, hence the crash.
975   
976         * assembler/MacroAssemblerX86.h:
977         (JSC::MacroAssemblerX86::storeDouble): Assert if we try to generate code which writes to a null pointer.
978         * dfg/DFGOSRExitCompiler32_64.cpp:
979         (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
980         * dfg/DFGThunks.cpp:
981         (JSC::DFG::osrExitGenerationThunkGenerator): Ditto.
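
The entry above describes a register id being silently accepted as an absolute address, so that generated code wrote to address 0. The following is an added illustration, not JavaScriptCore's code: a small emitter sketch in which register ids (GPR, FPR), register-relative addresses (Address) and absolute pointers are distinct types, so a register can no longer be passed where a pointer is expected, and the absolute-address overload refuses to emit a store to a null address instead of generating a null-pointer write. The names GPR, FPR, Address, Emitter and StoreDouble are assumed for this example and only loosely follow the identifiers named in the entry; the "emitted code" is kept as a vector of records rather than machine code.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Register ids as scoped enums: unlike a plain enumerator with value 0, an
// enum class never converts to a pointer, so passing GPR::regT0 to an
// overload taking 'const void*' is a compile-time error (assumed names).
enum class GPR : uint8_t { regT0 = 0, regT1 = 1, regT2 = 2 };
enum class FPR : uint8_t { fpRegT0 = 0, fpRegT1 = 1 };

// A register-relative memory operand, the form the entry's fix uses
// ("use address in regT0 as parameter").
struct Address {
    GPR base;
    int32_t offset;
    explicit Address(GPR b, int32_t off = 0) : base(b), offset(off) {}
};

// One emitted store, recorded as data for this illustration (constructed
// representation, not machine code).
struct StoreDouble {
    FPR src;
    bool absolute;        // true: store to an absolute address
    GPR base;             // valid when !absolute
    int32_t offset;       // valid when !absolute
    const void* address;  // valid when absolute
};

class Emitter {
public:
    // Register-relative store: base register plus offset, never null.
    bool storeDouble(FPR src, Address dst)
    {
        m_code.push_back({src, false, dst.base, dst.offset, nullptr});
        return true;
    }

    // Absolute-address store. A null address means some integer or register
    // id was mistaken for a pointer; refuse to emit rather than generate a
    // write to address 0 (the runtime check the entry adds as an assert).
    bool storeDouble(FPR src, const void* address)
    {
        if (address == nullptr)
            return false;
        m_code.push_back({src, true, GPR::regT0, 0, address});
        return true;
    }

    const std::vector<StoreDouble>& code() const { return m_code; }

private:
    std::vector<StoreDouble> m_code;
};

// Stand-alone demonstration; the verifier runs its own checks instead.
int main()
{
    Emitter emitter;
    static double slot = 0.0;

    // Correct form: store relative to the register that holds the address.
    bool ok1 = emitter.storeDouble(FPR::fpRegT0, Address(GPR::regT0, 8));
    // Absolute store to a real object: accepted.
    bool ok2 = emitter.storeDouble(FPR::fpRegT0, &slot);
    // Absolute store to a null address: rejected instead of emitted.
    bool ok3 = emitter.storeDouble(FPR::fpRegT0, nullptr);
    // emitter.storeDouble(FPR::fpRegT0, GPR::regT0); // does not compile: no
    // conversion from GPR to Address or const void*.

    std::printf("relative=%d absolute=%d null=%d emitted=%zu\n",
                ok1, ok2, ok3, emitter.code().size());
    return 0;
}
```

The type split does most of the work at compile time; the null check is the second line of defence for addresses computed at runtime, and reporting failure (rather than silently emitting) lets the caller abort compilation of that code block.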
982
983 2013-10-25  Oliver Hunt  <oliver@apple.com>
984
985         Fix a number of problems with destructuring of arguments
986         https://bugs.webkit.org/show_bug.cgi?id=123357
987
988         Reviewed by Filip Pizlo.
989
990         This renames the destructuring node's emitBytecode to bindValue
991         in order to remove the existing confusion over what was happening.
992
993         We then fix an incorrect fall through in the destructuring arguments
994         logic, and fix the then exposed bug where we placed the index rather
995         than value into the bound property.
996
997         * bytecompiler/BytecodeGenerator.cpp:
998         (JSC::BytecodeGenerator::BytecodeGenerator):
999         * bytecompiler/NodesCodegen.cpp:
1000         (JSC::ForInNode::emitBytecode):
1001         (JSC::ForOfNode::emitBytecode):
1002         (JSC::DeconstructingAssignmentNode::emitBytecode):
1003         (JSC::ArrayPatternNode::bindValue):
1004         (JSC::ArrayPatternNode::emitDirectBinding):
1005         (JSC::ObjectPatternNode::bindValue):
1006         (JSC::BindingNode::bindValue):
1007         * parser/Nodes.h:
1008
1009 2013-10-25  Joseph Pecoraro  <pecoraro@apple.com>
1010
1011         Upstream ENABLE(REMOTE_INSPECTOR) and enable on iOS and Mac
1012         https://bugs.webkit.org/show_bug.cgi?id=123111
1013
1014         Reviewed by Timothy Hatcher.
1015
1016         * Configurations/FeatureDefines.xcconfig:
1017
1018 2013-10-25  Oliver Hunt  <oliver@apple.com>
1019
1020         Fix MSVC again
1021
1022         * parser/Parser.cpp:
1023
1024 2013-10-25  Oliver Hunt  <oliver@apple.com>
1025
1026         Fix MSVC
1027
1028         * parser/Parser.cpp:
1029
1030 2013-10-25  Oliver Hunt  <oliver@apple.com>
1031
1032         Improve JSC Parser error messages
1033         https://bugs.webkit.org/show_bug.cgi?id=123341
1034
1035         Reviewed by Andreas Kling.
1036
1037         This patch moves away from the current kludgy mechanisms used to produce
1038         error messages and moves to something closer to case by case errors.
1039
1040         This results in a large change size as previously we may just have
1041         'failIfFalse(foo)', but now the logic becomes either
1042         'failIfFalseWithMessage(foo, "Cannot do blah with ", foo->thing())'
1043         Or alternatively
1044
1045         if (!foo)
1046             check for 'interesting' errors, before falling back to generic error
1047
1048         This means that this patch is large, but produces no semantic changes, and
1049         only hits slow (e.g. error) paths.
1050
1051         * parser/Parser.cpp:
1052         (JSC::::Parser):
1053         (JSC::::parseSourceElements):
1054         (JSC::::parseVarDeclaration):
1055         (JSC::::parseConstDeclaration):
1056         (JSC::::parseDoWhileStatement):
1057         (JSC::::parseWhileStatement):
1058         (JSC::::parseVarDeclarationList):
1059         (JSC::::createBindingPattern):
1060         (JSC::::parseDeconstructionPattern):
1061         (JSC::::parseConstDeclarationList):
1062         (JSC::::parseForStatement):
1063         (JSC::::parseBreakStatement):
1064         (JSC::::parseContinueStatement):
1065         (JSC::::parseReturnStatement):
1066         (JSC::::parseThrowStatement):
1067         (JSC::::parseWithStatement):
1068         (JSC::::parseSwitchStatement):
1069         (JSC::::parseSwitchClauses):
1070         (JSC::::parseSwitchDefaultClause):
1071         (JSC::::parseTryStatement):
1072         (JSC::::parseDebuggerStatement):
1073         (JSC::::parseBlockStatement):
1074         (JSC::::parseStatement):
1075         (JSC::::parseFormalParameters):
1076         (JSC::::parseFunctionBody):
1077         (JSC::stringForFunctionMode):
1078         (JSC::::parseFunctionInfo):
1079         (JSC::::parseFunctionDeclaration):
1080         (JSC::::parseExpressionOrLabelStatement):
1081         (JSC::::parseExpressionStatement):
1082         (JSC::::parseIfStatement):
1083         (JSC::::parseExpression):
1084         (JSC::::parseAssignmentExpression):
1085         (JSC::::parseConditionalExpression):
1086         (JSC::::parseBinaryExpression):
1087         (JSC::::parseProperty):
1088         (JSC::::parseObjectLiteral):
1089         (JSC::::parseStrictObjectLiteral):
1090         (JSC::::parseArrayLiteral):
1091         (JSC::::parsePrimaryExpression):
1092         (JSC::::parseArguments):
1093         (JSC::::parseMemberExpression):
1094         (JSC::operatorString):
1095         (JSC::::parseUnaryExpression):
1096         (JSC::::printUnexpectedTokenText):
1097         * parser/Parser.h:
1098         (JSC::Scope::hasDeclaredVariable):
1099         (JSC::Scope::hasDeclaredParameter):
1100         (JSC::Parser::hasDeclaredVariable):
1101         (JSC::Parser::hasDeclaredParameter):
1102         (JSC::Parser::setErrorMessage):
1103
1104 2013-10-24  Mark Rowe  <mrowe@apple.com>
1105
1106         Remove references to OS X 10.7 from Xcode configuration settings.
1107
1108         Now that we're not building for OS X 10.7 they're no longer needed.
1109
1110         Reviewed by Anders Carlsson.
1111
1112         * Configurations/Base.xcconfig:
1113         * Configurations/DebugRelease.xcconfig:
1114         * Configurations/FeatureDefines.xcconfig:
1115         * Configurations/Version.xcconfig:
1116
1117 2013-10-24  Mark Rowe  <mrowe@apple.com>
1118
1119         <rdar://problem/15312643> Prepare for the mysterious future.
1120
1121         Reviewed by David Kilzer.
1122
1123         * Configurations/Base.xcconfig:
1124         * Configurations/DebugRelease.xcconfig:
1125         * Configurations/FeatureDefines.xcconfig:
1126         * Configurations/Version.xcconfig:
1127
1128 2013-10-24  Mark Lam  <mark.lam@apple.com>
1129
1130         Better way to fix part of broken C Loop LLINT build.
1131         https://bugs.webkit.org/show_bug.cgi?id=123271.
1132
1133         Reviewed by Geoffrey Garen.
1134
1135         Undoing offline asm hackery.
1136
1137         * llint/LowLevelInterpreter.cpp:
1138         * llint/LowLevelInterpreter32_64.asm:
1139         * llint/LowLevelInterpreter64.asm:
1140         * offlineasm/cloop.rb:
1141         * offlineasm/instructions.rb:
1142
1143 2013-10-24  Mark Lam  <mark.lam@apple.com>
1144
1145         Fix broken C Loop LLINT build.
1146         https://bugs.webkit.org/show_bug.cgi?id=123271.
1147
1148         Reviewed by Michael Saboff.
1149
1150         * bytecode/CodeBlock.cpp:
1151         (JSC::CodeBlock::printGetByIdCacheStatus): Added an UNUSED_PARAM().
1152         (JSC::CodeBlock::dumpBytecode): Added #if ENABLE(JIT) to JIT only code.
1153         * bytecode/GetByIdStatus.cpp:
1154         (JSC::GetByIdStatus::computeFor): Added an UNUSED_PARAM().
1155         * bytecode/PutByIdStatus.cpp:
1156         (JSC::PutByIdStatus::computeFor): Added an UNUSED_PARAM().
1157         * bytecode/StructureStubInfo.h:
1158         - Added a stub StubInfoMap for non-JIT builds. StubInfoMap is still used
1159           in function prototypes even when !ENABLE(JIT). Rather than adding #if's
1160           in many places, we just provide a stub/placeholder implementation that
1161           is unused but keeps the compiler happy.
1162         * jit/JITOperations.h: Added #if ENABLE(JIT).
1163         * llint/LowLevelInterpreter32_64.asm:
1164         * llint/LowLevelInterpreter64.asm:
1165         - The putByVal() macro reifies a slow path which is never taken in one case.
1166           This translates into a label that is never used in the C Loop LLINT. The
1167           C++ compiler doesn't like unused labels. So, we fix this by adding a
1168           cloopUnusedLabel offline asm instruction that synthesizes the following:
1169
1170               if (false) goto unusedLabel;
1171
1172           This keeps the C++ compiler happy without changing code behavior.
1173         * offlineasm/cloop.rb: Implementing cloopUnusedLabel.
1174         * offlineasm/instructions.rb: Declaring cloopUnusedLabel.
1175         * runtime/Executable.cpp:
1176         (JSC::setupJIT): Added UNUSED_PARAM()s.
1177         (JSC::ScriptExecutable::prepareForExecutionImpl):
1178         - run-javascriptcore-tests has phases that force the LLINT to be off
1179           which in turn asserts that the JIT is enabled. With the C Loop LLINT,
1180           this combination is illegal. So, we override the setup code here to
1181           always use the LLINT if !ENABLE(JIT) regardless of what options are
1182           passed in.
1183
1184 2013-10-24  peavo@outlook.com  <peavo@outlook.com>
1185
1186         Uninitialized member causes crash when DFG JIT is not enabled.
1187         https://bugs.webkit.org/show_bug.cgi?id=123270
1188
1189         Reviewed by Brent Fulgham.
1190
1191         The data member sizeOfLastScratchBuffer in the VM class is only initialized if DFG JIT is enabled, even though it's defined regardless.
1192         This causes an early crash on Windows, which doesn't have DFG JIT enabled.
1193
1194         * runtime/VM.cpp:
1195         (JSC::VM::VM): Initialize sizeOfLastScratchBuffer member regardless of whether DFG JIT is enabled.
1196
1197 2013-10-24  Ryuan Choi  <ryuan.choi@samsung.com>
1198
1199         [EFL] Build break with latest EFL 1.8 libraries.
1200         https://bugs.webkit.org/show_bug.cgi?id=123245
1201
1202         Reviewed by Gyuyoung Kim.
1203
1204         After the EFL 1.8 build break was fixed in r138326, the EFL libraries changed the
1205         Eo typedef and split the header files which contain the version macro.
1206
1207         * PlatformEfl.cmake: Added EO path to include directories.
1208         * heap/HeapTimer.h: Changed Ecore_Timer typedef when EO exists.
1209
1210 2013-10-23  Filip Pizlo  <fpizlo@apple.com>
1211
1212         Put all uses of LLVM intrinsics behind a single Option
1213         https://bugs.webkit.org/show_bug.cgi?id=123219
1214
1215         Reviewed by Mark Hahnenberg.
1216
1217         * ftl/FTLExitThunkGenerator.cpp:
1218         (JSC::FTL::ExitThunkGenerator::emitThunk):
1219         * ftl/FTLLowerDFGToLLVM.cpp:
1220         (JSC::FTL::generateExitThunks):
1221         (JSC::FTL::LowerDFGToLLVM::compileGetById):
1222         (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
1223         (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
1224         * ftl/FTLOSRExitCompiler.cpp:
1225         (JSC::FTL::compileFTLOSRExit):
1226         * runtime/Options.h:
1227
1228 2013-10-23  Daniel Bates  <dabates@apple.com>
1229
1230         Fix JavaScriptCore build targets following <http://trac.webkit.org/changeset/157864>
1231         (https://bugs.webkit.org/show_bug.cgi?id=123169)
1232
1233         Tell Xcode that the supported platforms for all JavaScriptCore targets are iOS and OS X.
1234
1235         * Configurations/Base.xcconfig:
1236
1237 2013-10-23  Michael Saboff  <msaboff@apple.com>
1238
1239         LLInt arity check exception processing should start unwinding from caller
1240         https://bugs.webkit.org/show_bug.cgi?id=123209
1241
1242         Reviewed by Oliver Hunt.
1243
1244         Use the caller frame returned from slow_path_call_arityCheck to process exceptions.
1245
1246         * llint/LowLevelInterpreter32_64.asm:
1247         * llint/LowLevelInterpreter64.asm:
1248
1249 2013-10-22  Filip Pizlo  <fpizlo@apple.com>
1250
1251         FTL should be able to do some simple inline caches using LLVM patchpoints
1252         https://bugs.webkit.org/show_bug.cgi?id=123164
1253
1254         Reviewed by Mark Hahnenberg.
1255         
1256         This implements GetById inline caches in the FTL using llvm.webkit.patchpoint.
1257         
1258         The idea is that we ask LLVM for a nop slide the size of a GetById inline
1259         cache and then fill in the code after LLVM compilation is complete. For now, we
1260         just use the system calling convention for the arguments and return. We also
1261         still make some assumptions about registers that aren't correct. But, most of
1262         the scaffolding is there and this will successfully patch an inline cache.
1263
1264         * JavaScriptCore.xcodeproj/project.pbxproj:
1265         * assembler/AbstractMacroAssembler.h:
1266         * assembler/LinkBuffer.cpp:
1267         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
1268         (JSC::LinkBuffer::linkCode):
1269         (JSC::LinkBuffer::allocate):
1270         * assembler/LinkBuffer.h:
1271         (JSC::LinkBuffer::LinkBuffer):
1272         (JSC::LinkBuffer::link):
1273         * ftl/FTLAbbreviations.h:
1274         (JSC::FTL::constNull):
1275         (JSC::FTL::buildCall):
1276         * ftl/FTLCapabilities.cpp:
1277         (JSC::FTL::canCompile):
1278         * ftl/FTLCompile.cpp:
1279         (JSC::FTL::fixFunctionBasedOnStackMaps):
1280         * ftl/FTLInlineCacheDescriptor.h: Added.
1281         (JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
1282         (JSC::FTL::GetByIdDescriptor::GetByIdDescriptor):
1283         (JSC::FTL::GetByIdDescriptor::stackmapID):
1284         (JSC::FTL::GetByIdDescriptor::codeOrigin):
1285         (JSC::FTL::GetByIdDescriptor::uid):
1286         * ftl/FTLInlineCacheSize.cpp: Added.
1287         (JSC::FTL::sizeOfGetById):
1288         (JSC::FTL::sizeOfPutById):
1289         * ftl/FTLInlineCacheSize.h: Added.
1290         * ftl/FTLIntrinsicRepository.h:
1291         * ftl/FTLJITFinalizer.cpp:
1292         (JSC::FTL::JITFinalizer::finalizeFunction):
1293         * ftl/FTLJITFinalizer.h:
1294         * ftl/FTLLocation.cpp:
1295         (JSC::FTL::Location::directGPR):
1296         * ftl/FTLLocation.h:
1297         * ftl/FTLLowerDFGToLLVM.cpp:
1298         (JSC::FTL::LowerDFGToLLVM::compileGetById):
1299         * ftl/FTLOutput.h:
1300         (JSC::FTL::Output::call):
1301         * ftl/FTLSlowPathCall.cpp: Added.
1302         (JSC::FTL::callOperation):
1303         * ftl/FTLSlowPathCall.h: Added.
1304         (JSC::FTL::SlowPathCall::SlowPathCall):
1305         (JSC::FTL::SlowPathCall::call):
1306         (JSC::FTL::SlowPathCall::key):
1307         * ftl/FTLSlowPathCallKey.cpp: Added.
1308         (JSC::FTL::SlowPathCallKey::dump):
1309         * ftl/FTLSlowPathCallKey.h: Added.
1310         (JSC::FTL::SlowPathCallKey::SlowPathCallKey):
1311         (JSC::FTL::SlowPathCallKey::usedRegisters):
1312         (JSC::FTL::SlowPathCallKey::callTarget):
1313         (JSC::FTL::SlowPathCallKey::offset):
1314         (JSC::FTL::SlowPathCallKey::isEmptyValue):
1315         (JSC::FTL::SlowPathCallKey::isDeletedValue):
1316         (JSC::FTL::SlowPathCallKey::operator==):
1317         (JSC::FTL::SlowPathCallKey::hash):
1318         (JSC::FTL::SlowPathCallKeyHash::hash):
1319         (JSC::FTL::SlowPathCallKeyHash::equal):
1320         * ftl/FTLStackMaps.cpp:
1321         (JSC::FTL::StackMaps::Location::directGPR):
1322         * ftl/FTLStackMaps.h:
1323         * ftl/FTLState.h:
1324         * ftl/FTLThunks.cpp:
1325         (JSC::FTL::slowPathCallThunkGenerator):
1326         * ftl/FTLThunks.h:
1327         (JSC::FTL::Thunks::getSlowPathCallThunk):
1328         * jit/CCallHelpers.h:
1329         (JSC::CCallHelpers::setupArguments):
1330         * jit/GPRInfo.h:
1331         * jit/JITInlineCacheGenerator.cpp:
1332         (JSC::garbageStubInfo):
1333         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
1334         (JSC::JITByIdGenerator::finalize):
1335         * jit/JITInlineCacheGenerator.h:
1336         (JSC::JITByIdGenerator::slowPathBegin):
1337         * jit/RegisterSet.cpp:
1338         (JSC::RegisterSet::stackRegisters):
1339         (JSC::RegisterSet::specialRegisters):
1340         (JSC::RegisterSet::calleeSaveRegisters):
1341         (JSC::RegisterSet::allGPRs):
1342         (JSC::RegisterSet::allFPRs):
1343         (JSC::RegisterSet::allRegisters):
1344         (JSC::RegisterSet::dump):
1345         * jit/RegisterSet.h:
1346         (JSC::RegisterSet::exclude):
1347         (JSC::RegisterSet::numberOfSetRegisters):
1348         (JSC::RegisterSet::RegisterSet):
1349         (JSC::RegisterSet::isEmptyValue):
1350         (JSC::RegisterSet::isDeletedValue):
1351         (JSC::RegisterSet::operator==):
1352         (JSC::RegisterSet::hash):
1353         (JSC::RegisterSetHash::hash):
1354         (JSC::RegisterSetHash::equal):
1355         * runtime/Options.h:
1356
1357 2013-10-22  Filip Pizlo  <fpizlo@apple.com>
1358
1359         jitCompileAndSetHeuristics should DeferGCForAWhile
1360         https://bugs.webkit.org/show_bug.cgi?id=123196
1361
1362         Reviewed by Mark Hahnenberg.
1363         
1364         This fixes random crashes in V8v7/raytrace. I only see those crashes on exactly one of
1365         my machines. I don't think this is testable; we just need to steadily converge towards
1366         getting our uses of DeferGC to be right and then be careful not to regress. We're not
1367         there yet, obviously.
1368         
1369         * llint/LLIntSlowPaths.cpp:
1370         (JSC::LLInt::jitCompileAndSetHeuristics):
1371
1372 2013-10-23  Daniel Bates  <dabates@apple.com>
1373
1374         [iOS] Upstream more JavaScriptCore build configuration changes
1375         https://bugs.webkit.org/show_bug.cgi?id=123169
1376
1377         Reviewed by David Kilzer.
1378
1379         * Configurations/Base.xcconfig:
1380         * Configurations/Version.xcconfig:
1381         * Configurations/iOS.xcconfig: Added.
1382         * JavaScriptCore.xcodeproj/project.pbxproj:
1383
1384 2013-10-23  Daniel Bates  <dabates@apple.com>
1385
1386         [iOS] Export DefaultGCActivityCallback member functions
1387         https://bugs.webkit.org/show_bug.cgi?id=123175
1388
1389         Reviewed by David Kilzer.
1390
1391         * runtime/GCActivityCallback.h:
1392
1393 2013-10-23  Daniel Bates  <dabates@apple.com>
1394
1395         [iOS] Upstream more ARMv7s bits
1396         https://bugs.webkit.org/show_bug.cgi?id=123052
1397
1398         Reviewed by Joseph Pecoraro.
1399
1400         * Configurations/JavaScriptCore.xcconfig:
1401
1402 2013-10-22  Andreas Kling  <akling@apple.com>
1403
1404         Minor VM* -> VM& cleanups in HashTable and Keywords.
1405         <https://webkit.org/b/123183>
1406
1407         Turn some VM* variables that will never be null into VM&.
1408
1409         Reviewed by Geoffrey Garen.
1410
1411 2013-10-22  Geoffrey Garen  <ggaren@apple.com>
1412
1413         REGRESSION: `if (false === (true && undefined)) console.log("wrong!");` logs "wrong!", shouldn't!
1414         https://bugs.webkit.org/show_bug.cgi?id=123179
1415
1416         Reviewed by Mark Hahnenberg.
1417
1418         * parser/NodeConstructors.h:
1419         (JSC::LogicalOpNode::LogicalOpNode):
1420         * parser/ResultType.h:
1421         (JSC::ResultType::forLogicalOp): Don't assume that && produces a boolean.
1422         This is JavaScript (aka Sparta).
1423
1424 2013-10-22  Commit Queue  <commit-queue@webkit.org>
1425
1426         Unreviewed, rolling out r157819.
1427         http://trac.webkit.org/changeset/157819
1428         https://bugs.webkit.org/show_bug.cgi?id=123180
1429
1430         Broke 32-bit builds (Requested by smfr on #webkit).
1431
1432         * Configurations/JavaScriptCore.xcconfig:
1433         * Configurations/ToolExecutable.xcconfig:
1434
1435 2013-10-22  Daniel Bates  <dabates@apple.com>
1436
1437         [iOS] Upstream more ARMv7s bits
1438         https://bugs.webkit.org/show_bug.cgi?id=123052
1439
1440         Reviewed by Joseph Pecoraro.
1441
1442         * Configurations/JavaScriptCore.xcconfig:
1443         * Configurations/ToolExecutable.xcconfig: Enable CLANG_ENABLE_OBJC_ARC for i386 as I'm
1444         modifying a file in JavaScriptCore/Configurations.
1445
1446 2013-10-22  Daniel Bates  <dabates@apple.com>
1447
1448         [iOS] Upstream JSLock changes
1449         https://bugs.webkit.org/show_bug.cgi?id=123107
1450
1451         Reviewed by Geoffrey Garen.
1452
1453         * runtime/JSLock.cpp:
1454         (JSC::JSLock::unlock):
1455         (JSC::JSLock::dropAllLocks): Modified to take a SpinLock, used only on iOS.
1456         (JSC::JSLock::dropAllLocksUnconditionally): Modified to take a SpinLock, used only on iOS. Also
1457         use pre-increment instead of post-increment when we're not using the return value of the instruction.
1458         (JSC::JSLock::grabAllLocks): Modified to take a SpinLock, used only on iOS. Also change
1459         places where we were using post-increment/post-decrement to use pre-increment/pre-decrement,
1460         since we don't use the return value of such instructions.
1461         (JSC::JSLock::DropAllLocks::DropAllLocks): Modified to support releasing all locks unconditionally.
1462         Take a spin lock before releasing all locks on iOS. Also, use nullptr instead of 0.
1463         (JSC::JSLock::DropAllLocks::~DropAllLocks): Take a spin lock before acquiring all locks on iOS.
1464         * runtime/JSLock.h: Remove extraneous argument name "exec" from DropAllLocks as the data type of
1465         the argument is sufficiently descriptive of its purpose.
1466
1467 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1468
1469         [arm] Add missing setupArgumentsWithExecState() prototypes to fix build.
1470         https://bugs.webkit.org/show_bug.cgi?id=123166
1471
1472         Reviewed by Michael Saboff.
1473
1474         * jit/CCallHelpers.h:
1475         (JSC::CCallHelpers::setupArgumentsWithExecState):
1476
1477 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1478
1479         [sh4][mips][arm] Fix crashes in JSC (32-bit only).
1480         https://bugs.webkit.org/show_bug.cgi?id=123165
1481
1482         Reviewed by Michael Saboff.
1483
1484         * jit/JITInlines.h:
1485         (JSC::JIT::callOperationNoExceptionCheck): Add missing EABI_32BIT_DUMMY_ARG.
1486         (JSC::JIT::callOperation): The last TrustedImm32(arg3) is a bit overkill for SH4 :)
1487         (JSC::JIT::callOperation): Add missing EABI_32BIT_DUMMY_ARG.
1488         (JSC::JIT::callOperation): Fix tag and payload order for V_JITOperation_EJJJ prototype.
1489
1490 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1491
1492         REGRESSION(r157690, r157699) Fix architectures using AssemblerBufferWithConstantPool.
1493         https://bugs.webkit.org/show_bug.cgi?id=123092
1494
1495         Reviewed by Michael Saboff.
1496
1497         Impacted architectures are SH4 and ARM_TRADITIONAL.
1498
1499         * assembler/ARMAssembler.h:
1500         (JSC::ARMAssembler::buffer):
1501         * assembler/AssemblerBufferWithConstantPool.h:
1502         (JSC::AssemblerBufferWithConstantPool::flushConstantPool):
1503         * assembler/LinkBuffer.cpp:
1504         (JSC::LinkBuffer::linkCode):
1505         * assembler/SH4Assembler.h:
1506         (JSC::SH4Assembler::buffer):
1507
1508 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1509
1510         Remove unused stuff in JIT stubs.
1511         https://bugs.webkit.org/show_bug.cgi?id=123155
1512
1513         Reviewed by Michael Saboff.
1514
1515         * jit/JITStubs.h:
1516         * jit/JITStubsARM.h:
1517         (JSC::ctiTrampoline):
1518         * jit/JITStubsARM64.h:
1519         * jit/JITStubsARMv7.h:
1520         * jit/JITStubsMIPS.h:
1521         * jit/JITStubsSH4.h:
1522         * jit/JITStubsX86.h:
1523         * jit/JITStubsX86_64.h:
1524
1525 2013-10-22  Daniel Bates  <dabates@apple.com>
1526
1527         [iOS] Upstream OS-version-specific install paths for JavaScriptCore.framework
1528         https://bugs.webkit.org/show_bug.cgi?id=123115
1529         <rdar://problem/13696872>
1530
1531         Reviewed by Andy Estes.
1532
1533         Based on a patch by Mark Hahnenberg.
1534
1535         Add support for running JavaScriptCore-based apps, built against the iOS 7 SDK, on older versions of iOS.
1536
1537         * API/JSBase.cpp:
1538
1539 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1540
1541         [sh4] Add missing lastRegister(), firstFPRegister() and lastFPRegister().
1542         https://bugs.webkit.org/show_bug.cgi?id=123157
1543
1544         Reviewed by Andreas Kling.
1545
1546         * assembler/SH4Assembler.h:
1547         (JSC::SH4Assembler::lastRegister):
1548         (JSC::SH4Assembler::firstFPRegister):
1549         (JSC::SH4Assembler::lastFPRegister):
1550
1551 2013-10-22  Brian Holt  <brian.holt@samsung.com>
1552
1553         Build break on ARMv7 after r157209
1554         https://bugs.webkit.org/show_bug.cgi?id=122890
1555
1556         Reviewed by Csaba Osztrogonác.
1557
1558         Add framePointerRegister and first/last register helpers for ARM_TRADITIONAL.
1559
1560         * assembler/ARMAssembler.h:
1561         * assembler/MacroAssemblerARM.h:
1562         (JSC::MacroAssemblerARM::firstRegister):
1563         (JSC::MacroAssemblerARM::lastRegister):
1564         (JSC::MacroAssemblerARM::firstFPRegister):
1565         (JSC::MacroAssemblerARM::lastFPRegister):
1566
1567 2013-10-21  Daniel Bates  <dabates@apple.com>
1568
1569         [iOS] Upstream JSGlobalObject::shouldInterruptScriptBeforeTimeout()
1570         https://bugs.webkit.org/show_bug.cgi?id=123045
1571
1572         Reviewed by Joseph Pecoraro.
1573
1574         * jsc.cpp: Add function pointer for shouldInterruptScriptBeforeTimeout
1575         to global method table.
1576         * runtime/JSGlobalObject.cpp: Ditto.
1577         * runtime/JSGlobalObject.h:
1578         (JSC::JSGlobalObject::shouldInterruptScriptBeforeTimeout): Added.
1579
1580 2013-10-21  Daniel Bates  <dabates@apple.com>
1581
1582         [iOS] Upstream JSC Objective-C API compiler warning fixes
1583         https://bugs.webkit.org/show_bug.cgi?id=123125
1584
1585         Reviewed by Mark Hahnenberg.
1586
1587         Based on a patch by Mark Hahnenberg.
1588
1589         * API/JSValue.mm:
1590         (-[JSValue toPoint]): Cast to CGFloat to fix some compiler warnings about double narrowing to float.
1591         (-[JSValue toSize]): Ditto.
1592         * API/tests/testapi.mm: Changed a test that was failing due to overflow of 32-bit NSUInteger on armv7.
1593
1594 2013-10-21  Daniel Bates  <dabates@apple.com>
1595
1596         [iOS] Mark classes JS{Context, ManagedValue, Value, VirtualMachine} as
1597         available since iOS 7.0
1598         https://bugs.webkit.org/show_bug.cgi?id=123122
1599
1600         Reviewed by Dan Bernstein.
1601
1602         * API/JSContext.h:
1603         * API/JSManagedValue.h:
1604         * API/JSValue.h:
1605         * API/JSVirtualMachine.h:
1606
1607 2013-10-20  Mark Lam  <mark.lam@apple.com>
1608
1609         Avoid JSC debugger overhead unless needed.
1610         https://bugs.webkit.org/show_bug.cgi?id=123084.
1611
1612         Reviewed by Geoffrey Garen.
1613
1614         - If no breakpoints are set, we now avoid calling the debug hook callbacks.
1615         - If no break on exception is set, we also avoid exception event debug callbacks.
1616         - When we return from the ScriptDebugServer to the JSC::Debugger, we may no
1617           longer call the debug hook callbacks if not needed. Hence, the m_currentCallFrame
1618           pointer in the ScriptDebugServer may become stale. To avoid this issue, before
1619           returning, the ScriptDebugServer will clear its m_currentCallFrame if
1620           needsOpDebugCallbacks() is false.
1621
1622         * debugger/Debugger.cpp:
1623         (JSC::Debugger::Debugger):
1624         (JSC::Debugger::setNeedsExceptionCallbacks):
1625         (JSC::Debugger::setShouldPause):
1626         (JSC::Debugger::updateNumberOfBreakpoints):
1627         (JSC::Debugger::updateNeedForOpDebugCallbacks):
1628         * debugger/Debugger.h:
1629         * interpreter/Interpreter.cpp:
1630         (JSC::Interpreter::unwind):
1631         (JSC::Interpreter::debug):
1632         * jit/JITOpcodes.cpp:
1633         (JSC::JIT::emit_op_debug):
1634         * jit/JITOpcodes32_64.cpp:
1635         (JSC::JIT::emit_op_debug):
1636         * llint/LLIntOffsetsExtractor.cpp:
1637         * llint/LowLevelInterpreter.asm:
1638
1639 2013-10-21  Brent Fulgham  <bfulgham@apple.com>
1640
1641         [WIN] Unreviewed build correction.
1642
1643         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Handle new JIT files as C++ implementation
1644           sources, not header files.
1645         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
1646
1647 2013-10-21  Oliver Hunt  <oliver@apple.com>
1648
1649         Support computed property names in object literals
1650         https://bugs.webkit.org/show_bug.cgi?id=123112
1651
1652         Reviewed by Michael Saboff.
1653
1654         Add support for computed property names to the parser.
1655
1656         * bytecompiler/NodesCodegen.cpp:
1657         (JSC::PropertyListNode::emitBytecode):
1658         * parser/ASTBuilder.h:
1659         (JSC::ASTBuilder::createProperty):
1660         (JSC::ASTBuilder::getName):
1661         * parser/NodeConstructors.h:
1662         (JSC::PropertyNode::PropertyNode):
1663         * parser/Nodes.h:
1664         (JSC::PropertyNode::expressionName):
1665         (JSC::PropertyNode::name):
1666         * parser/Parser.cpp:
1667         (JSC::::parseProperty):
1668         (JSC::::parseStrictObjectLiteral):
1669         * parser/SyntaxChecker.h:
1670         (JSC::SyntaxChecker::Property::Property):
1671         (JSC::SyntaxChecker::createProperty):
1672         (JSC::SyntaxChecker::operatorStackPop):
1673
1674 2013-10-21  Michael Saboff  <msaboff@apple.com>
1675
1676         Add option so that JSC will crash if it can't allocate executable memory for the JITs
1677         https://bugs.webkit.org/show_bug.cgi?id=123048
1678         <rdar://problem/12856193>
1679
1680         Reviewed by Geoffrey Garen.
1681
1682         Added new option, called crashIfCantAllocateJITMemory. If this option is true then we crash
1683         when checking the validity of the executable allocator. The default value for this option is
1684         false, but jsc sets it to true when built for iOS to make it straightforward to identify whether
1685         the app can obtain executable memory.
1686
1687         * jsc.cpp: Explicitly enable crashIfCantAllocateJITMemory on iOS.
1688         (main):
1689         * runtime/Options.h: Added option crashIfCantAllocateJITMemory.
1690         * runtime/VM.cpp:
1691         (JSC::enableAssembler): Modified to crash if option crashIfCantAllocateJITMemory
1692         is enabled.
1693
1694 2013-10-21  Nadav Rotem  <nrotem@apple.com>
1695
1696         Remove AllInOneFile.cpp
1697         https://bugs.webkit.org/show_bug.cgi?id=123055
1698
1699         Reviewed by Csaba Osztrogonác.
1700
1701         * AllInOneFile.cpp: Removed.
1702
1703 2013-10-20  Filip Pizlo  <fpizlo@apple.com>
1704
1705         Unreviewed, cleanup a FIXME comment.
1706
1707         * jit/Repatch.cpp:
1708
1709 2013-10-20  Filip Pizlo  <fpizlo@apple.com>
1710
1711         StructureStubInfo's usedRegisters set should be able to track all registers, not just the ones that our JITs view as temporaries
1712         https://bugs.webkit.org/show_bug.cgi?id=123076
1713
1714         Reviewed by Sam Weinig.
1715         
1716         Start preparing for a world in which we are patching code generated by LLVM, which may have
1717         very different register usage conventions than our JITs. This requires us being more explicit
1718         about the registers we are using. For example, the repatching code shouldn't take for granted
1719         that tagMaskRegister holds the TagMask or that the register is even in use.
1720
1721         * CMakeLists.txt:
1722         * GNUmakefile.list.am:
1723         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1724         * JavaScriptCore.xcodeproj/project.pbxproj:
1725         * assembler/MacroAssembler.h:
1726         (JSC::MacroAssembler::numberOfRegisters):
1727         (JSC::MacroAssembler::registerIndex):
1728         (JSC::MacroAssembler::numberOfFPRegisters):
1729         (JSC::MacroAssembler::fpRegisterIndex):
1730         (JSC::MacroAssembler::totalNumberOfRegisters):
1731         * bytecode/StructureStubInfo.h:
1732         * dfg/DFGSpeculativeJIT.cpp:
1733         (JSC::DFG::SpeculativeJIT::usedRegisters):
1734         * dfg/DFGSpeculativeJIT.h:
1735         * ftl/FTLSaveRestore.cpp:
1736         (JSC::FTL::bytesForGPRs):
1737         (JSC::FTL::bytesForFPRs):
1738         (JSC::FTL::offsetOfGPR):
1739         (JSC::FTL::offsetOfFPR):
1740         * jit/JITInlineCacheGenerator.cpp:
1741         (JSC::JITByIdGenerator::JITByIdGenerator):
1742         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1743         * jit/JITInlineCacheGenerator.h:
1744         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1745         * jit/JITPropertyAccess.cpp:
1746         (JSC::JIT::emit_op_get_by_id):
1747         (JSC::JIT::emit_op_put_by_id):
1748         * jit/JITPropertyAccess32_64.cpp:
1749         (JSC::JIT::emit_op_get_by_id):
1750         (JSC::JIT::emit_op_put_by_id):
1751         * jit/RegisterSet.cpp: Added.
1752         (JSC::RegisterSet::specialRegisters):
1753         * jit/RegisterSet.h: Added.
1754         (JSC::RegisterSet::RegisterSet):
1755         (JSC::RegisterSet::set):
1756         (JSC::RegisterSet::clear):
1757         (JSC::RegisterSet::get):
1758         (JSC::RegisterSet::merge):
1759         * jit/Repatch.cpp:
1760         (JSC::generateProtoChainAccessStub):
1761         (JSC::tryCacheGetByID):
1762         (JSC::tryBuildGetByIDList):
1763         (JSC::emitPutReplaceStub):
1764         (JSC::tryRepatchIn):
1765         (JSC::linkClosureCall):
1766         * jit/TempRegisterSet.cpp: Added.
1767         (JSC::TempRegisterSet::TempRegisterSet):
1768         * jit/TempRegisterSet.h:
1769
1770 2013-10-20  Julien Brianceau  <jbriance@cisco.com>
1771
1772         [sh4] Fix build (broken since r157690).
1773         https://bugs.webkit.org/show_bug.cgi?id=123081
1774
1775         Reviewed by Andreas Kling.
1776
1777         * assembler/AssemblerBufferWithConstantPool.h:
1778         * assembler/SH4Assembler.h:
1779         (JSC::SH4Assembler::buffer):
1780         (JSC::SH4Assembler::readCallTarget):
1781
1782 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
1783
1784         Simplify TempRegisterSet - it no longer needs to be convertible to a POD since it's no longer going to be a member of a union
1785         https://bugs.webkit.org/show_bug.cgi?id=123079
1786
1787         Reviewed by Geoffrey Garen.
1788
1789         * jit/TempRegisterSet.h:
1790
1791 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
1792
1793         Rename RegisterSet to TempRegisterSet
1794         https://bugs.webkit.org/show_bug.cgi?id=123077
1795
1796         Reviewed by Dan Bernstein.
1797
1798         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1799         * JavaScriptCore.xcodeproj/project.pbxproj:
1800         * bytecode/StructureStubInfo.h:
1801         * dfg/DFGJITCompiler.h:
1802         * dfg/DFGSpeculativeJIT.h:
1803         (JSC::DFG::SpeculativeJIT::usedRegisters):
1804         * jit/JITInlineCacheGenerator.cpp:
1805         (JSC::JITByIdGenerator::JITByIdGenerator):
1806         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1807         * jit/JITInlineCacheGenerator.h:
1808         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1809         * jit/JITPropertyAccess.cpp:
1810         (JSC::JIT::emit_op_get_by_id):
1811         (JSC::JIT::emit_op_put_by_id):
1812         * jit/JITPropertyAccess32_64.cpp:
1813         (JSC::JIT::emit_op_get_by_id):
1814         (JSC::JIT::emit_op_put_by_id):
1815         * jit/RegisterSet.h: Removed.
1816         * jit/ScratchRegisterAllocator.h:
1817         (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
1818         * jit/TempRegisterSet.h: Copied from Source/JavaScriptCore/jit/RegisterSet.h.
1819         (JSC::TempRegisterSet::TempRegisterSet):
1820         (JSC::TempRegisterSet::asPOD):
1821         (JSC::TempRegisterSet::copyInfo):
1822
1823 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
1824
1825         Restructure LinkBuffer to allow for alternate allocation strategies
1826         https://bugs.webkit.org/show_bug.cgi?id=123071
1827
1828         Reviewed by Oliver Hunt.
1829         
1830         The idea is to eventually allow a LinkBuffer to place the code into an already
1831         allocated region of memory.  That region of memory could be the nop-slide left behind
1832         by a llvm.webkit.patchpoint.
1833
1834         * assembler/ARM64Assembler.h:
1835         (JSC::ARM64Assembler::buffer):
1836         * assembler/AssemblerBuffer.h:
1837         * assembler/LinkBuffer.cpp:
1838         (JSC::LinkBuffer::copyCompactAndLinkCode):
1839         (JSC::LinkBuffer::linkCode):
1840         (JSC::LinkBuffer::allocate):
1841         (JSC::LinkBuffer::shrink):
1842         * assembler/LinkBuffer.h:
1843         (JSC::LinkBuffer::LinkBuffer):
1844         (JSC::LinkBuffer::didFailToAllocate):
1845         * assembler/X86Assembler.h:
1846         (JSC::X86Assembler::buffer):
1847         (JSC::X86Assembler::X86InstructionFormatter::memoryModRM):
1848
1849 2013-10-19  Alexey Proskuryakov  <ap@apple.com>
1850
1851         Some includes in JSC seem to use an incorrect style
1852         https://bugs.webkit.org/show_bug.cgi?id=123057
1853
1854         Reviewed by Geoffrey Garen.
1855
1856         Changed pseudo-system includes to user ones.
1857
1858         * API/JSContextRef.cpp:
1859         * API/JSStringRefCF.cpp:
1860         * API/JSValueRef.cpp:
1861         * API/OpaqueJSString.cpp:
1862         * jit/JIT.h:
1863         * parser/SyntaxChecker.h:
1864         * runtime/WeakGCMap.h:
1865
1866 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
1867
1868         Baseline JIT and DFG IC code generation should be unified and rationalized
1869         https://bugs.webkit.org/show_bug.cgi?id=122939
1870
1871         Reviewed by Geoffrey Garen.
1872         
1873         Introduce the JITInlineCacheGenerator, which takes a CodeBlock and a CodeOrigin plus
1874         some register info and creates JIT inline caches for you. Used this to even further
1875         unify the baseline and DFG ICs. In the future we can use this for FTL ICs. And my hope
1876         is that we'll be able to use it for cascading ICs: an IC for some instruction may realize
1877         that it needs to do the equivalent of get_by_id, so with this generator it will be able
1878         to create an IC even though it wasn't associated with a get_by_id bytecode instruction.
1879
1880         * CMakeLists.txt:
1881         * GNUmakefile.list.am:
1882         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1883         * JavaScriptCore.xcodeproj/project.pbxproj:
1884         * assembler/AbstractMacroAssembler.h:
1885         (JSC::AbstractMacroAssembler::DataLabelCompact::label):
1886         * bytecode/CodeBlock.h:
1887         (JSC::CodeBlock::ecmaMode):
1888         * dfg/DFGInlineCacheWrapper.h: Added.
1889         (JSC::DFG::InlineCacheWrapper::InlineCacheWrapper):
1890         * dfg/DFGInlineCacheWrapperInlines.h: Added.
1891         (JSC::DFG::::finalize):
1892         * dfg/DFGJITCompiler.cpp:
1893         (JSC::DFG::JITCompiler::link):
1894         * dfg/DFGJITCompiler.h:
1895         (JSC::DFG::JITCompiler::addGetById):
1896         (JSC::DFG::JITCompiler::addPutById):
1897         * dfg/DFGSpeculativeJIT32_64.cpp:
1898         (JSC::DFG::SpeculativeJIT::cachedGetById):
1899         (JSC::DFG::SpeculativeJIT::cachedPutById):
1900         * dfg/DFGSpeculativeJIT64.cpp:
1901         (JSC::DFG::SpeculativeJIT::cachedGetById):
1902         (JSC::DFG::SpeculativeJIT::cachedPutById):
1903         (JSC::DFG::SpeculativeJIT::compile):
1904         * jit/AssemblyHelpers.h:
1905         (JSC::AssemblyHelpers::isStrictModeFor):
1906         (JSC::AssemblyHelpers::strictModeFor):
1907         * jit/GPRInfo.h:
1908         (JSC::JSValueRegs::tagGPR):
1909         * jit/JIT.cpp:
1910         (JSC::JIT::JIT):
1911         (JSC::JIT::privateCompileSlowCases):
1912         (JSC::JIT::privateCompile):
1913         * jit/JIT.h:
1914         * jit/JITInlineCacheGenerator.cpp: Added.
1915         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
1916         (JSC::JITByIdGenerator::JITByIdGenerator):
1917         (JSC::JITByIdGenerator::finalize):
1918         (JSC::JITByIdGenerator::generateFastPathChecks):
1919         (JSC::JITGetByIdGenerator::generateFastPath):
1920         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1921         (JSC::JITPutByIdGenerator::generateFastPath):
1922         (JSC::JITPutByIdGenerator::slowPathFunction):
1923         * jit/JITInlineCacheGenerator.h: Added.
1924         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
1925         (JSC::JITInlineCacheGenerator::stubInfo):
1926         (JSC::JITByIdGenerator::JITByIdGenerator):
1927         (JSC::JITByIdGenerator::reportSlowPathCall):
1928         (JSC::JITByIdGenerator::slowPathJump):
1929         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1930         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1931         * jit/JITPropertyAccess.cpp:
1932         (JSC::JIT::emit_op_get_by_id):
1933         (JSC::JIT::emitSlow_op_get_by_id):
1934         (JSC::JIT::emit_op_put_by_id):
1935         (JSC::JIT::emitSlow_op_put_by_id):
1936         * jit/JITPropertyAccess32_64.cpp:
1937         (JSC::JIT::emit_op_get_by_id):
1938         (JSC::JIT::emitSlow_op_get_by_id):
1939         (JSC::JIT::emit_op_put_by_id):
1940         (JSC::JIT::emitSlow_op_put_by_id):
1941         * jit/RegisterSet.h:
1942         (JSC::RegisterSet::set):
1943
1944 2013-10-19  Alexey Proskuryakov  <ap@apple.com>
1945
1946         APICast.h uses functions from JSCJSValueInlines.h, but doesn't include it
1947         https://bugs.webkit.org/show_bug.cgi?id=123067
1948
1949         Reviewed by Geoffrey Garen.
1950
1951         * API/APICast.h: Include it.
1952
1953 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
1954
1955         FTL::Location should treat the offset as an addend in the case of a Register location
1956         https://bugs.webkit.org/show_bug.cgi?id=123062
1957
1958         Reviewed by Sam Weinig.
1959
1960         * ftl/FTLLocation.cpp:
1961         (JSC::FTL::Location::forStackmaps):
1962         (JSC::FTL::Location::dump):
1963         (JSC::FTL::Location::restoreInto):
1964         * ftl/FTLLocation.h:
1965         (JSC::FTL::Location::forRegister):
1966         (JSC::FTL::Location::hasAddend):
1967         (JSC::FTL::Location::addend):
1968
1969 2013-10-19  Nadav Rotem  <nrotem@apple.com>
1970
1971         DFG dominators: document and rename stuff.
1972         https://bugs.webkit.org/show_bug.cgi?id=123056
1973
1974         Reviewed by Filip Pizlo.
1975
1976         Documented the code and renamed some variables.
1977
1978         * dfg/DFGDominators.cpp:
1979         (JSC::DFG::Dominators::compute):
1980         (JSC::DFG::Dominators::pruneDominators):
1981         * dfg/DFGDominators.h:
1982
1983 2013-10-19  Julien Brianceau  <jbriance@cisco.com>
1984
1985         Fix build failure for architectures with 4 argument registers.
1986         https://bugs.webkit.org/show_bug.cgi?id=123060
1987
1988         Reviewed by Michael Saboff.
1989
1990         Add missing setupArgumentsWithExecState() prototypes for architectures with 4 argument registers.
1991         Remove SH4 specific code no longer needed since callOperation prototype change in r157660.
1992
1993         * dfg/DFGSpeculativeJIT.h:
1994         (JSC::DFG::SpeculativeJIT::callOperation):
1995         * jit/CCallHelpers.h:
1996         (JSC::CCallHelpers::setupArgumentsWithExecState):
1997         * jit/JITInlines.h:
1998         (JSC::JIT::callOperation):
1999
2000 2013-10-18  Filip Pizlo  <fpizlo@apple.com>
2001
2002         Unreviewed, fix FTL build.
2003
2004         * ftl/FTLIntrinsicRepository.h:
2005         * ftl/FTLLowerDFGToLLVM.cpp:
2006         (JSC::FTL::LowerDFGToLLVM::compileGetById):
2007
2008 2013-10-18  Filip Pizlo  <fpizlo@apple.com>
2009
2010         A CodeBlock's StructureStubInfos shouldn't be in a Vector that we search using code origins and machine code PCs
2011         https://bugs.webkit.org/show_bug.cgi?id=122940
2012
2013         Reviewed by Oliver Hunt.
2014         
2015         This accomplishes a number of simplifications. StructureStubInfo is now non-moving,
2016         whereas previously it was in a Vector, so it moved. This allows you to use pointers to
2017         StructureStubInfo. This also eliminates the use of return PC as a way of finding the
2018         StructureStubInfo's. It removes some of the need for the compile-time property access
2019         records; for example the DFG no longer has to save information about registers in a
2020         property access record only to later save it to the stub info.
2021         
2022         The main thing this accomplishes is that it makes it easier to add StructureStubInfo's
2023         at any stage of compilation.
2024
2025         * bytecode/CodeBlock.cpp:
2026         (JSC::CodeBlock::printGetByIdCacheStatus):
2027         (JSC::CodeBlock::dumpBytecode):
2028         (JSC::CodeBlock::~CodeBlock):
2029         (JSC::CodeBlock::propagateTransitions):
2030         (JSC::CodeBlock::finalizeUnconditionally):
2031         (JSC::CodeBlock::addStubInfo):
2032         (JSC::CodeBlock::getStubInfoMap):
2033         (JSC::CodeBlock::shrinkToFit):
2034         * bytecode/CodeBlock.h:
2035         (JSC::CodeBlock::begin):
2036         (JSC::CodeBlock::end):
2037         (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
2038         * bytecode/CodeOrigin.h:
2039         (JSC::CodeOrigin::CodeOrigin):
2040         (JSC::CodeOrigin::isHashTableDeletedValue):
2041         (JSC::CodeOrigin::hash):
2042         (JSC::CodeOriginHash::hash):
2043         (JSC::CodeOriginHash::equal):
2044         * bytecode/GetByIdStatus.cpp:
2045         (JSC::GetByIdStatus::computeFor):
2046         * bytecode/GetByIdStatus.h:
2047         * bytecode/PutByIdStatus.cpp:
2048         (JSC::PutByIdStatus::computeFor):
2049         * bytecode/PutByIdStatus.h:
2050         * bytecode/StructureStubInfo.h:
2051         (JSC::getStructureStubInfoCodeOrigin):
2052         * dfg/DFGByteCodeParser.cpp:
2053         (JSC::DFG::ByteCodeParser::parseBlock):
2054         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2055         * dfg/DFGJITCompiler.cpp:
2056         (JSC::DFG::JITCompiler::link):
2057         * dfg/DFGJITCompiler.h:
2058         (JSC::DFG::PropertyAccessRecord::PropertyAccessRecord):
2059         (JSC::DFG::InRecord::InRecord):
2060         * dfg/DFGSpeculativeJIT.cpp:
2061         (JSC::DFG::SpeculativeJIT::compileIn):
2062         * dfg/DFGSpeculativeJIT.h:
2063         (JSC::DFG::SpeculativeJIT::callOperation):
2064         * dfg/DFGSpeculativeJIT32_64.cpp:
2065         (JSC::DFG::SpeculativeJIT::cachedGetById):
2066         (JSC::DFG::SpeculativeJIT::cachedPutById):
2067         * dfg/DFGSpeculativeJIT64.cpp:
2068         (JSC::DFG::SpeculativeJIT::cachedGetById):
2069         (JSC::DFG::SpeculativeJIT::cachedPutById):
2070         * jit/CCallHelpers.h:
2071         (JSC::CCallHelpers::setupArgumentsWithExecState):
2072         * jit/JIT.cpp:
2073         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
2074         (JSC::JIT::privateCompile):
2075         * jit/JIT.h:
2076         (JSC::PropertyStubCompilationInfo::slowCaseInfo):
2077         * jit/JITInlines.h:
2078         (JSC::JIT::callOperation):
2079         * jit/JITOperations.cpp:
2080         * jit/JITOperations.h:
2081         * jit/JITPropertyAccess.cpp:
2082         (JSC::JIT::emitSlow_op_get_by_id):
2083         (JSC::JIT::emitSlow_op_put_by_id):
2084         * jit/JITPropertyAccess32_64.cpp:
2085         (JSC::JIT::emitSlow_op_get_by_id):
2086         (JSC::JIT::emitSlow_op_put_by_id):
2087         * jit/Repatch.cpp:
2088         (JSC::appropriateGenericPutByIdFunction):
2089         (JSC::appropriateListBuildingPutByIdFunction):
2090         (JSC::resetPutByID):
2091
2092 2013-10-18  Oliver Hunt  <oliver@apple.com>
2093
2094         Spread operator should be performing direct "puts" and not triggering setters
2095         https://bugs.webkit.org/show_bug.cgi?id=123047
2096
2097         Reviewed by Geoffrey Garen.
2098
2099         Add a new opcode -- op_put_by_val_direct -- and make use of it in the spread
2100         to array construct.  This required a new PutByValDirect node to be introduced to
2101         the DFG.  The current implementation simply changes the slow path function that
2102         is called, but in future this could be made faster as it does not need to check
2103         the prototype chain.
2104
2105         * bytecode/CodeBlock.cpp:
2106         (JSC::CodeBlock::dumpBytecode):
2107         (JSC::CodeBlock::CodeBlock):
2108         * bytecode/Opcode.h:
2109         (JSC::padOpcodeName):
2110         * bytecompiler/BytecodeGenerator.cpp:
2111         (JSC::BytecodeGenerator::emitDirectPutByVal):
2112         * bytecompiler/BytecodeGenerator.h:
2113         * bytecompiler/NodesCodegen.cpp:
2114         (JSC::ArrayNode::emitBytecode):
2115         * dfg/DFGAbstractInterpreterInlines.h:
2116         (JSC::DFG::::executeEffects):
2117         * dfg/DFGBackwardsPropagationPhase.cpp:
2118         (JSC::DFG::BackwardsPropagationPhase::propagate):
2119         * dfg/DFGByteCodeParser.cpp:
2120         (JSC::DFG::ByteCodeParser::parseBlock):
2121         * dfg/DFGCSEPhase.cpp:
2122         (JSC::DFG::CSEPhase::getArrayLengthElimination):
2123         (JSC::DFG::CSEPhase::getByValLoadElimination):
2124         (JSC::DFG::CSEPhase::checkStructureElimination):
2125         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
2126         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
2127         (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
2128         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
2129         (JSC::DFG::CSEPhase::performNodeCSE):
2130         * dfg/DFGCapabilities.cpp:
2131         (JSC::DFG::capabilityLevel):
2132         * dfg/DFGClobberize.h:
2133         (JSC::DFG::clobberize):
2134         * dfg/DFGFixupPhase.cpp:
2135         (JSC::DFG::FixupPhase::fixupNode):
2136         * dfg/DFGGraph.h:
2137         (JSC::DFG::Graph::clobbersWorld):
2138         * dfg/DFGNode.h:
2139         (JSC::DFG::Node::hasArrayMode):
2140         * dfg/DFGNodeType.h:
2141         * dfg/DFGOperations.cpp:
2142         (JSC::DFG::putByVal):
2143         (JSC::DFG::operationPutByValInternal):
2144         * dfg/DFGOperations.h:
2145         * dfg/DFGPredictionPropagationPhase.cpp:
2146         (JSC::DFG::PredictionPropagationPhase::propagate):
2147         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
2148         * dfg/DFGSafeToExecute.h:
2149         (JSC::DFG::safeToExecute):
2150         * dfg/DFGSpeculativeJIT32_64.cpp:
2151         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
2152         (JSC::DFG::SpeculativeJIT::compile):
2153         * dfg/DFGSpeculativeJIT64.cpp:
2154         (JSC::DFG::SpeculativeJIT::compile):
2155         * dfg/DFGTypeCheckHoistingPhase.cpp:
2156         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2157         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
2158         * jit/JIT.cpp:
2159         (JSC::JIT::privateCompileMainPass):
2160         (JSC::JIT::privateCompileSlowCases):
2161         * jit/JIT.h:
2162         (JSC::JIT::compileDirectPutByVal):
2163         * jit/JITOperations.cpp:
2164         * jit/JITOperations.h:
2165         * jit/JITPropertyAccess.cpp:
2166         (JSC::JIT::emitSlow_op_put_by_val):
2167         (JSC::JIT::privateCompilePutByVal):
2168         * jit/JITPropertyAccess32_64.cpp:
2169         (JSC::JIT::emitSlow_op_put_by_val):
2170         * llint/LLIntSlowPaths.cpp:
2171         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2172         * llint/LLIntSlowPaths.h:
2173         * llint/LowLevelInterpreter32_64.asm:
2174         * llint/LowLevelInterpreter64.asm:
2175
2176 2013-10-18  Daniel Bates  <dabates@apple.com>
2177
2178         [iOS] Export symbol for VM::sharedInstanceExists()
2179         https://bugs.webkit.org/show_bug.cgi?id=123046
2180
2181         Reviewed by Mark Hahnenberg.
2182
2183         * runtime/VM.h:
2184
2185 2013-10-18  Daniel Bates  <dabates@apple.com>
2186
2187         [iOS] Upstream WebSafe{GCActivityCallback, IncrementalSweeper}IOS
2188         https://bugs.webkit.org/show_bug.cgi?id=123049
2189
2190         Reviewed by Mark Hahnenberg.
2191
2192         * heap/Heap.cpp:
2193         (JSC::Heap::setIncrementalSweeper):
2194         * heap/Heap.h:
2195         * heap/HeapTimer.h:
2196         * heap/IncrementalSweeper.h: Make protected and export CF-variant of constructor.
2197         Removed unused include of header RetainPtr.h. Also forward declare class MarkedBlock
2198         (we include its header in the .cpp file) and remove include for header wtf/HashSet.h
2199         (duplicates the include in the .cpp).
2200         * heap/MachineStackMarker.h: Export function makeUsableFromMultipleThreads(). We aren't
2201         making use of this now, but we'll make use of it in a subsequent patch.
2202
2203 2013-10-18  Anders Carlsson  <andersca@apple.com>
2204
2205         Remove spaces between template angle brackets
2206         https://bugs.webkit.org/show_bug.cgi?id=123040
2207
2208         Reviewed by Andreas Kling.
2209
2210         * API/JSCallbackObject.cpp:
2211         (JSC::::create):
2212         * API/JSObjectRef.cpp:
2213         * bytecode/CodeBlock.h:
2214         (JSC::CodeBlock::constants):
2215         (JSC::CodeBlock::setConstantRegisters):
2216         * bytecode/DFGExitProfile.h:
2217         * bytecode/EvalCodeCache.h:
2218         * bytecode/Operands.h:
2219         * bytecode/UnlinkedCodeBlock.h:
2220         (JSC::UnlinkedCodeBlock::constantRegisters):
2221         * bytecode/Watchpoint.h:
2222         * bytecompiler/BytecodeGenerator.h:
2223         * bytecompiler/StaticPropertyAnalysis.h:
2224         * bytecompiler/StaticPropertyAnalyzer.h:
2225         * dfg/DFGArgumentsSimplificationPhase.cpp:
2226         * dfg/DFGBlockInsertionSet.h:
2227         * dfg/DFGCSEPhase.cpp:
2228         (JSC::DFG::performCSE):
2229         (JSC::DFG::performStoreElimination):
2230         * dfg/DFGCommonData.h:
2231         * dfg/DFGDesiredStructureChains.h:
2232         * dfg/DFGDesiredWatchpoints.h:
2233         * dfg/DFGJITCompiler.h:
2234         * dfg/DFGOSRExitCompiler32_64.cpp:
2235         (JSC::DFG::OSRExitCompiler::compileExit):
2236         * dfg/DFGOSRExitCompiler64.cpp:
2237         (JSC::DFG::OSRExitCompiler::compileExit):
2238         * dfg/DFGWorklist.h:
2239         * heap/BlockAllocator.h:
2240         (JSC::CopiedBlock):
2241         (JSC::MarkedBlock):
2242         (JSC::WeakBlock):
2243         (JSC::MarkStackSegment):
2244         (JSC::CopyWorkListSegment):
2245         (JSC::HandleBlock):
2246         * heap/Heap.h:
2247         * heap/Local.h:
2248         * heap/MarkedBlock.h:
2249         * heap/Strong.h:
2250         * jit/AssemblyHelpers.cpp:
2251         (JSC::AssemblyHelpers::decodedCodeMapFor):
2252         * jit/AssemblyHelpers.h:
2253         * jit/SpecializedThunkJIT.h:
2254         * parser/Nodes.h:
2255         * parser/Parser.cpp:
2256         (JSC::::parseIfStatement):
2257         * parser/Parser.h:
2258         (JSC::Scope::copyCapturedVariablesToVector):
2259         (JSC::parse):
2260         * parser/ParserArena.h:
2261         * parser/SourceProviderCacheItem.h:
2262         * profiler/LegacyProfiler.cpp:
2263         (JSC::dispatchFunctionToProfiles):
2264         * profiler/LegacyProfiler.h:
2265         (JSC::LegacyProfiler::currentProfiles):
2266         * profiler/ProfileNode.h:
2267         (JSC::ProfileNode::children):
2268         * profiler/ProfilerDatabase.h:
2269         * runtime/Butterfly.h:
2270         (JSC::Butterfly::contiguousInt32):
2271         (JSC::Butterfly::contiguous):
2272         * runtime/GenericTypedArrayViewInlines.h:
2273         (JSC::::create):
2274         * runtime/Identifier.h:
2275         (JSC::Identifier::add):
2276         * runtime/JSPromise.h:
2277         * runtime/PropertyMapHashTable.h:
2278         * runtime/PropertyNameArray.h:
2279         * runtime/RegExpCache.h:
2280         * runtime/SparseArrayValueMap.h:
2281         * runtime/SymbolTable.h:
2282         * runtime/VM.h:
2283         * tools/CodeProfile.cpp:
2284         (JSC::truncateTrace):
2285         * tools/CodeProfile.h:
2286         * yarr/YarrInterpreter.cpp:
2287         * yarr/YarrInterpreter.h:
2288         (JSC::Yarr::BytecodePattern::BytecodePattern):
2289         * yarr/YarrJIT.cpp:
2290         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
2291         (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
2292         (JSC::Yarr::YarrGenerator::opCompileBody):
2293         * yarr/YarrPattern.cpp:
2294         (JSC::Yarr::YarrPatternConstructor::checkForTerminalParentheses):
2295         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
2296         * yarr/YarrPattern.h:
2297
2298 2013-10-18  Mark Lam  <mark.lam@apple.com>
2299
2300         Remove excess reserved space in ctiTrampoline frames for X86 and X86_64.
2301         https://bugs.webkit.org/show_bug.cgi?id=123037.
2302
2303         Reviewed by Geoffrey Garen.
2304
2305         * jit/JITStubsMSVC64.asm:
2306         * jit/JITStubsX86.h:
2307         * jit/JITStubsX86_64.h:
2308
2309 2013-10-18  Filip Pizlo  <fpizlo@apple.com>
2310
2311         Frequent RELEASE_ASSERT crashes in Structure::checkOffsetConsistency on WebGL swizzler tests
2312         https://bugs.webkit.org/show_bug.cgi?id=121661
2313
2314         Reviewed by Mark Hahnenberg.
2315         
2316         This method shouldn't have been called from the concurrent JIT thread. That's hard to prevent
2317         so I added a return-early check using isCompilationThread().
2318         
2319         Here's why this makes sense. Structure has two ways to tell you about the layout of the objects
2320         it is describing: m_offset and the property table. Most structures only have m_offset and report
2321         null for the property table. If the property table is there, it will tell you additional
2322         information and that information subsumes m_offset - but the m_offset is still there. So, when
2323         we have a property table, we have to keep it in sync with the m_offset. There is a bunch of
2324         machinery to do this.
2325         
2326         Changing the property table only happens on the main thread.
2327         
2328         Because the machinery to change the property table is so complex, especially with respect to
2329         keeping it in sync with m_offset, we have the checkOffsetConsistency method. It's meant to be
2330         called at key points before and after changes to the property table or the offset.
2331
2332         Most clients of Structure who care about object layout, including the concurrent thread, will
2333         want to know m_offset and not the property table. If they want the property table, they will
2334         already be super careful. The concurrent thread has special methods for this, like
2335         Structure::getConcurrently(), which uses fine-grained locking to ensure that it sees a coherent
2336         view of the property table.
2337         
2338         Adding locking to checkOffsetConsistency() is probably a bad idea since that method may be
2339         called when the relevant lock is already held. So, we'd have awkward recursive locking issues.
2340         
2341         But right now, the concurrent JIT thread may call a method, like Structure::outOfLineCapacity(),
2342         which has a call to checkOffsetConsistency(). The call to checkOffsetConsistency() is there
2343         because we have found that it helps quickly identify situations where the property table and
2344         m_offset get out of sync - mainly because code that changes either of those things will usually
2345         also want to know the outOfLineCapacity(). But Structure::outOfLineCapacity() doesn't *actually*
2346         need the property table; it uses the m_offset. The concurrent JIT is correct to call
2347         outOfLineCapacity(), and is right to do so without holding any locks (since in all cases where
2348         it calls outOfLineCapacity() it has already proven that m_offset is immutable). But because
2349         outOfLineCapacity() calls checkOffsetConsistency(), and checkOffsetConsistency() doesn't grab
2350         locks, and that same structure is having its property table modified by the main thread, we end
2351         up with these spurious assertion failures. FWIW, the structure isn't *actually* having *its*
2352         property table modified - instead what happens is that some downstream structure steals the
2353         property table and then starts adding things to it. The concurrent thread loads the property
2354         table before it's stolen, and hence the badness.
2355         
2356         I suspect there are other code paths that lead to the concurrent JIT calling some Structure
2357         method that it is fine and safe to call, but then that method calls checkOffsetConsistency(),
2358         and then you have a possible crash.
2359         
2360         The most sensible solution to this appears to be to make sure that checkOffsetConsistency() is
2361         aware of its uselessness to the concurrent JIT thread. This change makes it return early if
2362         it's in the concurrent JIT.
2363         
2364         * runtime/StructureInlines.h:
2365         (JSC::Structure::checkOffsetConsistency):
2366
2367 2013-10-18  Daniel Bates  <dabates@apple.com>
2368
2369         Add SPI to disable the garbage collector timer
2370         https://bugs.webkit.org/show_bug.cgi?id=122921
2371
2372         Add null check to Heap::setGarbageCollectionTimerEnabled() that I inadvertently
2373         omitted.
2374
2375         * heap/Heap.cpp:
2376         (JSC::Heap::setGarbageCollectionTimerEnabled):
2377
2378 2013-10-18  Julien Brianceau  <jbriance@cisco.com>
2379
2380         Group 64-bit specific and 32-bit specific callOperation implementations.
2381         https://bugs.webkit.org/show_bug.cgi?id=123024
2382
2383         Reviewed by Michael Saboff.
2384
2385         This is not a big deal, but could be less confusing when reading the code.
2386
2387         * jit/JITInlines.h:
2388         (JSC::JIT::callOperation):
2389         (JSC::JIT::callOperationWithCallFrameRollbackOnException):
2390         (JSC::JIT::callOperationNoExceptionCheck):
2391
2392 2013-10-18  Nadav Rotem  <nrotem@apple.com>
2393
2394         Fix a FlushLiveness problem.
2395         https://bugs.webkit.org/show_bug.cgi?id=122984
2396
2397         Reviewed by Filip Pizlo.
2398
2399         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
2400         (JSC::DFG::FlushLivenessAnalysisPhase::process):
2401
2402 2013-10-18  Michael Saboff  <msaboff@apple.com>
2403
2404         Change native function call stubs to use JIT operations instead of ctiVMHandleException
2405         https://bugs.webkit.org/show_bug.cgi?id=122982
2406
2407         Reviewed by Geoffrey Garen.
2408
2409         Change ctiVMHandleException to operationVMHandleException.  Change all exception operations to
2410         return the catch callFrame and entryPC via vm.callFrameForThrow and vm.targetMachinePCForThrow.
2411         This removed calling convention headaches, fixing https://bugs.webkit.org/show_bug.cgi?id=122980
2412         in the process.
2413
2414         * dfg/DFGJITCompiler.cpp:
2415         (JSC::DFG::JITCompiler::compileExceptionHandlers):
2416         * jit/CCallHelpers.h:
2417         (JSC::CCallHelpers::jumpToExceptionHandler):
2418         * jit/JIT.cpp:
2419         (JSC::JIT::privateCompileExceptionHandlers):
2420         * jit/JIT.h:
2421         * jit/JITExceptions.cpp:
2422         (JSC::genericUnwind):
2423         * jit/JITExceptions.h:
2424         * jit/JITInlines.h:
2425         (JSC::JIT::callOperationNoExceptionCheck):
2426         * jit/JITOpcodes.cpp:
2427         (JSC::JIT::emit_op_throw):
2428         * jit/JITOpcodes32_64.cpp:
2429         (JSC::JIT::privateCompileCTINativeCall):
2430         (JSC::JIT::emit_op_throw):
2431         * jit/JITOperations.cpp:
2432         * jit/JITOperations.h:
2433         * jit/JITStubs.cpp:
2434         * jit/JITStubs.h:
2435         * jit/JITStubsARM.h:
2436         * jit/JITStubsARM64.h:
2437         * jit/JITStubsARMv7.h:
2438         * jit/JITStubsMIPS.h:
2439         * jit/JITStubsMSVC64.asm:
2440         * jit/JITStubsSH4.h:
2441         * jit/JITStubsX86.h:
2442         * jit/JITStubsX86_64.h:
2443         * jit/Repatch.cpp:
2444         (JSC::tryBuildGetByIDList):
2445         * jit/SlowPathCall.h:
2446         (JSC::JITSlowPathCall::call):
2447         * jit/ThunkGenerators.cpp:
2448         (JSC::throwExceptionFromCallSlowPathGenerator):
2449         (JSC::nativeForGenerator):
2450         * runtime/VM.h:
2451         (JSC::VM::callFrameForThrowOffset):
2452         (JSC::VM::targetMachinePCForThrowOffset):
2453
2454 2013-10-18  Julien Brianceau  <jbriance@cisco.com>
2455
2456         Fix J_JITOperation_EAapJ call for MIPS and ARM EABI.
2457         https://bugs.webkit.org/show_bug.cgi?id=123023
2458
2459         Reviewed by Michael Saboff.
2460
2461         * jit/JITInlines.h:
2462         (JSC::JIT::callOperation): EncodedJSValue parameters do not need alignment
2463         using EABI_32BIT_DUMMY_ARG here.
2464
2465 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
2466
2467         Unreviewed, another ARM64 build fix.
2468         
2469         Get rid of andPtr(TrustedImmPtr, blah), since it would take Effort to get it to work
2470         on ARM64 and none of its uses are legit - they should all be using
2471         andPtr(TrustedImm32, blah) anyway.
2472
2473         * assembler/MacroAssembler.h:
2474         * assembler/MacroAssemblerARM64.h:
2475         * dfg/DFGJITCompiler.cpp:
2476         (JSC::DFG::JITCompiler::compileExceptionHandlers):
2477         * jit/JIT.cpp:
2478         (JSC::JIT::privateCompileExceptionHandlers):
2479
2480 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
2481
2482         Unreviewed, speculative ARM64 build fix.
2483         
2484         move(ImmPtr, blah) is only available in MacroAssembler since that's where blinding is
2485         implemented. So, you have to use TrustedImmPtr in the superclasses.
2486
2487         * assembler/MacroAssemblerARM64.h:
2488         (JSC::MacroAssemblerARM64::store8):
2489         (JSC::MacroAssemblerARM64::branchTest8):
2490
2491 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
2492
2493         Unreviewed, speculative ARM build fix.
2494         https://bugs.webkit.org/show_bug.cgi?id=122890
2495         <rdar://problem/15258624>
2496
2497         * assembler/ARM64Assembler.h:
2498         (JSC::ARM64Assembler::firstRegister):
2499         (JSC::ARM64Assembler::lastRegister):
2500         (JSC::ARM64Assembler::firstFPRegister):
2501         (JSC::ARM64Assembler::lastFPRegister):
2502         * assembler/MacroAssemblerARM64.h:
2503         * assembler/MacroAssemblerARMv7.h:
2504
2505 2013-10-17  Andreas Kling  <akling@apple.com>
2506
2507         Pass VM instead of JSGlobalObject to JSONObject constructor.
2508         <https://webkit.org/b/122999>
2509
2510         JSONObject was only using the JSGlobalObject to grab at the VM.
2511         Dodge a few loads by passing the VM directly instead.
2512
2513         Reviewed by Geoffrey Garen.
2514
2515         * runtime/JSONObject.cpp:
2516         (JSC::JSONObject::JSONObject):
2517         (JSC::JSONObject::finishCreation):
2518         * runtime/JSONObject.h:
2519         (JSC::JSONObject::create):
2520
2521 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2522
2523         Removed the JITStackFrame struct
2524         https://bugs.webkit.org/show_bug.cgi?id=123001
2525
2526         Reviewed by Anders Carlsson.
2527
2528         * jit/JITStubs.h: JITStackFrame and JITStubArg are unused now, since all
2529         our helper functions obey the C function call ABI.
2530
2531 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2532
2533         Removed an unused #define
2534         https://bugs.webkit.org/show_bug.cgi?id=123000
2535
2536         Reviewed by Anders Carlsson.
2537
2538         * jit/JITStubs.h: Removed the concept of JITSTACKFRAME_ARGS_INDEX,
2539         since it is unused now. This is a step toward using the C stack.
2540
2541 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2542
2543         Eliminate uses of JITSTACKFRAME_ARGS_INDEX as scratch area for thunks
2544         https://bugs.webkit.org/show_bug.cgi?id=122973
2545
2546         Reviewed by Michael Saboff.
2547
2548         * jit/ThunkGenerators.cpp:
2549         (JSC::throwExceptionFromCallSlowPathGenerator): This was all dead code,
2550         so I removed it.
2551
2552         The code acted as if it needed to pass an argument to
2553         lookupExceptionHandler, and as if it passed that argument to itself
2554         through JITStackFrame. However, lookupExceptionHandler does not take
2555         an argument (other than the default ExecState argument), and the code
2556         did not initialize the thing that it thought it passed to itself!
2557
2558 2013-10-17  Alex Christensen  <achristensen@webkit.org>
2559
2560         Run JavaScriptCore tests again on Windows.
2561         https://bugs.webkit.org/show_bug.cgi?id=122787
2562
2563         Reviewed by Tim Horton.
2564
2565         * JavaScriptCore.vcxproj/JavaScriptCore.sln: Added.
2566         * jit/JITStubsMSVC64.asm: Removed reference to cti_vm_throw unused since r157581.
2567
2568 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2569
2570         Removed restoreArgumentReference (another use of JITStackFrame)
2571         https://bugs.webkit.org/show_bug.cgi?id=122997
2572
2573         Reviewed by Oliver Hunt.
2574
2575         * jit/JSInterfaceJIT.h: Removed an unused function. This is a step
2576         toward using the C stack.
2577
2578 2013-10-17  Oliver Hunt  <oliver@apple.com>
2579
2580         Remove JITStubCall.h
2581         https://bugs.webkit.org/show_bug.cgi?id=122991
2582
2583         Reviewed by Geoff Garen.
2584
2585         Happily this is no longer used.
2586
2587         * GNUmakefile.list.am:
2588         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2589         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2590         * JavaScriptCore.xcodeproj/project.pbxproj:
2591         * jit/JIT.cpp:
2592         * jit/JITArithmetic.cpp:
2593         * jit/JITArithmetic32_64.cpp:
2594         * jit/JITCall.cpp:
2595         * jit/JITCall32_64.cpp:
2596         * jit/JITOpcodes.cpp:
2597         * jit/JITOpcodes32_64.cpp:
2598         * jit/JITPropertyAccess.cpp:
2599         * jit/JITPropertyAccess32_64.cpp:
2600         * jit/JITStubCall.h: Removed.
2601
2602 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2603
2604         Removed a use of JITSTACKFRAME_ARGS_INDEX
2605         https://bugs.webkit.org/show_bug.cgi?id=122989
2606
2607         Reviewed by Oliver Hunt.
2608
2609         * jit/JITStubCall.h: Removed an unused function. This is one step closer
2610         to using the C stack.
2611
2612 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2613
2614         Change emit_op_catch to use another method to materialize VM
2615         https://bugs.webkit.org/show_bug.cgi?id=122977
2616
2617         Reviewed by Oliver Hunt.
2618
2619         * jit/JITOpcodes.cpp:
2620         (JSC::JIT::emit_op_catch):
2621         * jit/JITOpcodes32_64.cpp:
2622         (JSC::JIT::emit_op_catch): Use a constant. It removes our dependency
2623         on JITStackFrame. It is also faster and simpler.
2624
2625 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2626
2627         Eliminate emitGetJITStubArg() - dead code
2628         https://bugs.webkit.org/show_bug.cgi?id=122975
2629
2630         Reviewed by Anders Carlsson.
2631
2632         * jit/JIT.h:
2633         * jit/JITInlines.h: Removed unused, deprecated function.
2634
2635 2013-10-17  Mark Lam  <mark.lam@apple.com>
2636
2637         Eliminate all ASSERT references to OBJECT_OFFSETOF(struct JITStackFrame,...) in JITStubsXXX.h.
2638         https://bugs.webkit.org/show_bug.cgi?id=122979.
2639
2640         Reviewed by Michael Saboff.
2641
2642         * jit/JITStubs.cpp:
2643         * jit/JITStubs.h:
2644         * jit/JITStubsARM.h:
2645         * jit/JITStubsARM64.h:
2646         * jit/JITStubsARMv7.h:
2647         * jit/JITStubsMIPS.h:
2648         * jit/JITStubsSH4.h:
2649         * jit/JITStubsX86.h:
2650         * jit/JITStubsX86_64.h:
2651         * runtime/VM.cpp:
2652         (JSC::VM::VM):
2653
2654 2013-10-17  Michael Saboff  <msaboff@apple.com>
2655
2656         Remove saving callFrameRegister to JITStackFrame in JITCompiler::compileFunction()
2657         https://bugs.webkit.org/show_bug.cgi?id=122974
2658
2659         Reviewed by Geoffrey Garen.
2660
2661         Eliminated unneeded storing to JITStackFrame.
2662
2663         * dfg/DFGJITCompiler.cpp:
2664         (JSC::DFG::JITCompiler::compileFunction):
2665
2666 2013-10-17  Michael Saboff  <msaboff@apple.com>
2667
2668         Transition cti_op_throw and cti_vm_throw to a JIT operation
2669         https://bugs.webkit.org/show_bug.cgi?id=122931
2670
2671         Reviewed by Filip Pizlo.
2672
2673         Moved cti_op_throw to operationThrow.  Made the caller responsible for jumping to the
2674         catch handler.  Eliminated cti_op_throw_static_error, cti_vm_throw, ctiVMThrowTrampoline()
2675         and their callers as it is now dead code.  There is some work needed on the Microsoft X86
2676         callOperation to handle the need to provide space for a structure return value.
2677
2678         * jit/JIT.h:
2679         * jit/JITInlines.h:
2680         (JSC::JIT::callOperation):
2681         * jit/JITOpcodes.cpp:
2682         (JSC::JIT::emit_op_throw):
2683         * jit/JITOpcodes32_64.cpp:
2684         (JSC::JIT::emit_op_throw):
2685         (JSC::JIT::emit_op_catch):
2686         * jit/JITOperations.cpp:
2687         * jit/JITOperations.h:
2688         * jit/JITStubs.cpp:
2689         * jit/JITStubs.h:
2690         * jit/JITStubsARM.h:
2691         * jit/JITStubsARM64.h:
2692         * jit/JITStubsARMv7.h:
2693         * jit/JITStubsMIPS.h:
2694         * jit/JITStubsMSVC64.asm:
2695         * jit/JITStubsSH4.h:
2696         * jit/JITStubsX86.h:
2697         * jit/JITStubsX86_64.h:
2698         * jit/JSInterfaceJIT.h:
2699
2700 2013-10-17  Mark Lam  <mark.lam@apple.com>
2701
2702         Remove JITStackFrame references in the C Loop LLINT.
2703         https://bugs.webkit.org/show_bug.cgi?id=122950.
2704
2705         Reviewed by Michael Saboff.
2706
2707         * jit/JITStubs.h:
2708         * llint/LowLevelInterpreter.cpp:
2709         (JSC::CLoop::execute):
2710         * offlineasm/cloop.rb:
2711
2712 2013-10-17  Mark Lam  <mark.lam@apple.com>
2713
2714         Remove JITStackFrame references in JIT probes.
2715         https://bugs.webkit.org/show_bug.cgi?id=122947.
2716
2717         Reviewed by Michael Saboff.
2718
2719         * assembler/MacroAssemblerARM.cpp:
2720         (JSC::MacroAssemblerARM::ProbeContext::dump):
2721         * assembler/MacroAssemblerARM.h:
2722         * assembler/MacroAssemblerARMv7.cpp:
2723         (JSC::MacroAssemblerARMv7::ProbeContext::dump):
2724         * assembler/MacroAssemblerARMv7.h:
2725         * assembler/MacroAssemblerX86Common.cpp:
2726         (JSC::MacroAssemblerX86Common::ProbeContext::dump):
2727         * assembler/MacroAssemblerX86Common.h:
2728         * jit/JITStubsARM.h:
2729         * jit/JITStubsARMv7.h:
2730         * jit/JITStubsX86.h:
2731         * jit/JITStubsX86Common.h:
2732         * jit/JITStubsX86_64.h:
2733
2734 2013-10-17  Julien Brianceau  <jbriance@cisco.com>
2735
2736         Fix build when NUMBER_OF_ARGUMENT_REGISTERS == 4.
2737         https://bugs.webkit.org/show_bug.cgi?id=122949
2738
2739         Reviewed by Andreas Kling.
2740
2741         * jit/CCallHelpers.h:
2742         (JSC::CCallHelpers::setupArgumentsWithExecState):
2743
2744 2013-10-16  Mark Lam  <mark.lam@apple.com>
2745
2746         Transition remaining op_get* JITStubs to JIT operations.
2747         https://bugs.webkit.org/show_bug.cgi?id=122925.
2748
2749         Reviewed by Geoffrey Garen.
2750
2751         Transitioning:
2752             cti_op_get_by_id_generic
2753             cti_op_get_by_val
2754             cti_op_get_by_val_generic
2755             cti_op_get_by_val_string
2756
2757         * dfg/DFGOperations.cpp:
2758         * dfg/DFGOperations.h:
2759         * jit/JIT.h:
2760         * jit/JITInlines.h:
2761         (JSC::JIT::callOperation):
2762         * jit/JITOpcodes.cpp:
2763         (JSC::JIT::emitSlow_op_get_arguments_length):
2764         (JSC::JIT::emitSlow_op_get_argument_by_val):
2765         * jit/JITOpcodes32_64.cpp:
2766         (JSC::JIT::emitSlow_op_get_arguments_length):
2767         (JSC::JIT::emitSlow_op_get_argument_by_val):
2768         * jit/JITOperations.cpp:
2769         * jit/JITOperations.h:
2770         * jit/JITPropertyAccess.cpp:
2771         (JSC::JIT::emitSlow_op_get_by_val):
2772         (JSC::JIT::emitSlow_op_get_by_pname):
2773         (JSC::JIT::privateCompileGetByVal):
2774         * jit/JITPropertyAccess32_64.cpp:
2775         (JSC::JIT::emitSlow_op_get_by_val):
2776         (JSC::JIT::emitSlow_op_get_by_pname):
2777         * jit/JITStubs.cpp:
2778         * jit/JITStubs.h:
2779         * runtime/Executable.cpp:
2780         (JSC::setupLLInt): Added some UNUSED_PARAMs to fix the no LLINT build.
2781         * runtime/Options.cpp:
2782         (JSC::Options::initialize):
2783
2784 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2785
2786         Introduce WTF::Bag and start using it for InlineCallFrameSet
2787         https://bugs.webkit.org/show_bug.cgi?id=122941
2788
2789         Reviewed by Geoffrey Garen.
2790         
2791         Use Bag for InlineCallFrameSet. If this works out then I'll make other
2792         SegmentedVectors into Bags as well.
2793
2794         * bytecode/InlineCallFrameSet.cpp:
2795         (JSC::InlineCallFrameSet::add):
2796         * bytecode/InlineCallFrameSet.h:
2797         (JSC::InlineCallFrameSet::begin):
2798         (JSC::InlineCallFrameSet::end):
2799         * dfg/DFGArgumentsSimplificationPhase.cpp:
2800         (JSC::DFG::ArgumentsSimplificationPhase::run):
2801         * dfg/DFGJITCompiler.cpp:
2802         (JSC::DFG::JITCompiler::link):
2803         * dfg/DFGStackLayoutPhase.cpp:
2804         (JSC::DFG::StackLayoutPhase::run):
2805         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
2806         (JSC::DFG::VirtualRegisterAllocationPhase::run):
2807
2808 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2809
2810         libllvmForJSC shouldn't call exit(1) on report_fatal_error()
2811         https://bugs.webkit.org/show_bug.cgi?id=122905
2812         <rdar://problem/15237856>
2813
2814         Reviewed by Michael Saboff.
2815         
2816         Expose the new LLVMInstallFatalErrorHandler() API through the soft linking magic and
2817         then always call it to install something that calls CRASH().
2818
2819         * llvm/InitializeLLVM.cpp:
2820         (JSC::llvmCrash):
2821         (JSC::initializeLLVMOnce):
2822         (JSC::initializeLLVM):
2823         * llvm/LLVMAPIFunctions.h:
2824
2825 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2826
2827         Prototype chain repatching in the polymorphic case fails to check if the receiver is a dictionary
2828         https://bugs.webkit.org/show_bug.cgi?id=122938
2829
2830         Reviewed by Sam Weinig.
2831         
2832         This fixes jsc-layout-tests.yaml/js/script-tests/dictionary-prototype-caching.js.layout-no-llint.
2833
2834         * jit/Repatch.cpp:
2835         (JSC::tryBuildGetByIDList):
2836
2837 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2838
2839         JIT::appendCall() needs to killLastResultRegister() or equivalent since there's some really bad code that expects it
2840         https://bugs.webkit.org/show_bug.cgi?id=122937
2841
2842         Reviewed by Geoffrey Garen.
2843         
2844         JITStubCall used to do it.
2845         
2846         This makes mozilla-tests.yaml/ecma/Statements/12.10-1.js.mozilla-baseline pass.
2847
2848         * jit/JIT.h:
2849         (JSC::JIT::appendCall):
2850
2851 2013-10-16  Michael Saboff  <msaboff@apple.com>
2852
2853         transition void cti_op_put_by_val* stubs to JIT operations
2854         https://bugs.webkit.org/show_bug.cgi?id=122903
2855
2856         Reviewed by Geoffrey Garen.
2857
2858         Transitioned cti_op_put_by_val and cti_op_put_by_val_generic to operationPutByVal and
2859         operationPutByValGeneric.
2860
2861         * jit/CCallHelpers.h:
2862         (JSC::CCallHelpers::setupArgumentsWithExecState):
2863         * jit/JIT.h:
2864         * jit/JITInlines.h:
2865         (JSC::JIT::callOperation):
2866         * jit/JITOperations.cpp:
2867         * jit/JITOperations.h:
2868         * jit/JITPropertyAccess.cpp:
2869         (JSC::JIT::emitSlow_op_put_by_val):
2870         (JSC::JIT::privateCompilePutByVal):
2871         * jit/JITPropertyAccess32_64.cpp:
2872         (JSC::JIT::emitSlow_op_put_by_val):
2873         * jit/JITStubs.cpp:
2874         * jit/JITStubs.h:
2875         * jit/JSInterfaceJIT.h:
2876
2877 2013-10-16  Oliver Hunt  <oliver@apple.com>
2878
2879         Implement ES6 spread operator
2880         https://bugs.webkit.org/show_bug.cgi?id=122911
2881
2882         Reviewed by Michael Saboff.
2883
2884         Implement the ES6 spread operator
2885
2886         This has a little bit of refactoring to move the enumeration logic out of ForOfNode
2887         and into BytecodeGenerator, and then adds the logic to make it nicely callback
2888         driven.
2889
2890         The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
2891         and actually handling the spread.
2892
2893         * bytecompiler/BytecodeGenerator.cpp:
2894         (JSC::BytecodeGenerator::emitNewArray):
2895         (JSC::BytecodeGenerator::emitCall):
2896         (JSC::BytecodeGenerator::emitEnumeration):
2897         * bytecompiler/BytecodeGenerator.h:
2898         * bytecompiler/NodesCodegen.cpp:
2899         (JSC::ArrayNode::emitBytecode):
2900         (JSC::ForOfNode::emitBytecode):
2901         (JSC::SpreadExpressionNode::emitBytecode):
2902         * parser/ASTBuilder.h:
2903         (JSC::ASTBuilder::createSpreadExpression):
2904         * parser/Lexer.cpp:
2905         (JSC::::lex):
2906         * parser/NodeConstructors.h:
2907         (JSC::SpreadExpressionNode::SpreadExpressionNode):
2908         * parser/Nodes.h:
2909         (JSC::ExpressionNode::isSpreadExpression):
2910         (JSC::SpreadExpressionNode::expression):
2911         * parser/Parser.cpp:
2912         (JSC::::parseArrayLiteral):
2913         (JSC::::parseArguments):
2914         (JSC::::parseMemberExpression):
2915         * parser/Parser.h:
2916         (JSC::Parser::getTokenName):
2917         (JSC::Parser::updateErrorMessageSpecialCase):
2918         * parser/ParserTokens.h:
2919         * parser/SyntaxChecker.h:
2920         (JSC::SyntaxChecker::createSpreadExpression):
2921
2922 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2923
2924         Add a useLLInt option to jsc
2925         https://bugs.webkit.org/show_bug.cgi?id=122930
2926
2927         Reviewed by Geoffrey Garen.
2928
2929         * runtime/Executable.cpp:
2930         (JSC::setupLLInt):
2931         (JSC::setupJIT):
2932         (JSC::ScriptExecutable::prepareForExecutionImpl):
2933         * runtime/Options.h:
2934
2935 2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>
2936
2937         Build fix.
2938
2939         Forgot to svn add DeferGC.cpp
2940
2941         * heap/DeferGC.cpp: Added.
2942
2943 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2944
2945         r157411 fails run-javascriptcore-tests when run with Baseline JIT
2946         https://bugs.webkit.org/show_bug.cgi?id=122902
2947
2948         Reviewed by Mark Hahnenberg.
2949         
2950         It turns out that this was a long-standing bug in the DFG PutById repatching logic. It's
2951         not legal to patch if the typeInfo tells you that you can't patch. The old JIT's patching
2952         logic did this right, and the DFG's GetById patching logic did it right; but DFG PutById
2953         didn't. Turns out that there's even a helpful method,
2954         Structure::propertyAccessesAreCacheable(), that will even do all of the checks for you!
2955
2956         * jit/Repatch.cpp:
2957         (JSC::tryCachePutByID):
2958
2959 2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>
2960
2961         llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
2962         https://bugs.webkit.org/show_bug.cgi?id=122667
2963
2964         Reviewed by Geoffrey Garen.
2965
2966         The issue this patch is attempting to fix is that there are places in our codebase
2967         where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
2968         operations that can initiate a garbage collection. Garbage collection then calls 
2969         some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
2970         always necessarily run during garbage collection). This causes a deadlock.
2971  
2972         To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores 
2973         into a thread-local field that indicates that it is unsafe to perform any operation 
2974         that could trigger garbage collection on the current thread. In debug builds, 
2975         ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly 
2976         detect deadlocks.
2977  
2978         This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
2979         which uses the DeferGC mechanism to prevent collections from occurring while the 
2980         lock is held.
2981
2982         * CMakeLists.txt:
2983         * GNUmakefile.list.am:
2984         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2985         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2986         * JavaScriptCore.xcodeproj/project.pbxproj:
2987         * heap/DeferGC.h:
2988         (JSC::DisallowGC::DisallowGC):
2989         (JSC::DisallowGC::~DisallowGC):
2990         (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
2991         (JSC::DisallowGC::initialize):
2992         * jit/Repatch.cpp:
2993         (JSC::repatchPutByID):
2994         (JSC::buildPutByIdList):
2995         * llint/LLIntSlowPaths.cpp:
2996         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2997         * runtime/ConcurrentJITLock.h:
2998         (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
2999         (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
3000         (JSC::ConcurrentJITLockerBase::unlockEarly):
3001         (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
3002         (JSC::GCSafeConcurrentJITLocker::~GCSafeConcurrentJITLocker):
3003         (JSC::GCSafeConcurrentJITLocker::NoDefer::NoDefer):
3004         (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
3005         * runtime/InitializeThreading.cpp:
3006         (JSC::initializeThreadingOnce):
3007         * runtime/JSCellInlines.h:
3008         (JSC::allocateCell):
3009         * runtime/JSSymbolTableObject.h:
3010         (JSC::symbolTablePut):
3011         * runtime/Structure.cpp: materializePropertyMapIfNecessary* now has a problem in that it
3012         can start a garbage collection when the GCSafeConcurrentJITLocker goes out of scope, but 
3013         before the caller has a chance to use the newly created PropertyTable. The garbage collection
3014         clears the PropertyTable, and then the caller uses it assuming it's valid. To avoid this,
3015         we must DeferGC until the caller is done getting the newly materialized PropertyTable from 
3016         the Structure.
3017         (JSC::Structure::materializePropertyMap):
3018         (JSC::Structure::despecifyDictionaryFunction):
3019         (JSC::Structure::changePrototypeTransition):
3020         (JSC::Structure::despecifyFunctionTransition):
3021         (JSC::Structure::attributeChangeTransition):
3022         (JSC::Structure::toDictionaryTransition):
3023         (JSC::Structure::preventExtensionsTransition):
3024         (JSC::Structure::takePropertyTableOrCloneIfPinned):
3025         (JSC::Structure::isSealed):
3026         (JSC::Structure::isFrozen):
3027         (JSC::Structure::addPropertyWithoutTransition):
3028         (JSC::Structure::removePropertyWithoutTransition):
3029         (JSC::Structure::get):
3030         (JSC::Structure::despecifyFunction):
3031         (JSC::Structure::despecifyAllFunctions):
3032         (JSC::Structure::putSpecificValue):
3033         (JSC::Structure::createPropertyMap):
3034         (JSC::Structure::getPropertyNamesFromStructure):
3035         * runtime/Structure.h:
3036         (JSC::Structure::materializePropertyMapIfNecessary):
3037         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
3038         * runtime/StructureInlines.h:
3039         (JSC::Structure::get):
3040         * runtime/SymbolTable.h:
3041         (JSC::SymbolTable::find):
3042         (JSC::SymbolTable::end):
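
        The deadlock and the two guards described above, modelled as an added C++ example that is not JavaScriptCore's code: a thread-local DisallowGC depth that the plain ConcurrentJITLocker holds in debug builds so an allocation under the lock is flagged before the collector can come back for the lock, and a GCSafeConcurrentJITLocker whose DeferGC postpones the collection until the lock has been released. The Heap, CodeBlock, byte threshold and AllocOutcome enum are constructed for illustration only.

```cpp
#include <cstddef>
#include <cstdio>

// Constructed model (not JavaScriptCore's code) of DisallowGC, DeferGC and the plain versus
// GC-safe ConcurrentJITLocker from the ChangeLog entry. Heap/CodeBlock bookkeeping is invented.
namespace gcmodel {

// Per-thread nesting depths; JSC keeps a comparable thread-local for DisallowGC.
thread_local unsigned gcDisallowDepth = 0;
thread_local unsigned gcDeferDepth = 0;

enum class AllocOutcome {
    Allocated,              // below the collection threshold, nothing else happened
    AllocatedAfterCollect,  // threshold reached and the collector ran synchronously
    CollectionDeferred,     // threshold reached but a DeferGC guard is live on this thread
    GCDisallowedViolation,  // a DisallowGC guard is live: the debug-build assertion fires
    WouldDeadlock           // the collector needed a ConcurrentJITLock this thread holds
};

struct CodeBlock {
    bool jitLockHeld = false;  // stands in for the CodeBlock's non-recursive ConcurrentJITLock
};

struct Heap {
    CodeBlock& codeBlock;
    std::size_t threshold;
    std::size_t bytesSinceCollect = 0;
    unsigned collections = 0;
    bool collectionPending = false;

    Heap(CodeBlock& cb, std::size_t collectEveryBytes) : codeBlock(cb), threshold(collectEveryBytes) {}

    // The collector visits CodeBlocks and takes their ConcurrentJITLock. Where a real mutex
    // would block forever on a lock this thread already holds, the model reports failure.
    bool collect() {
        if (codeBlock.jitLockHeld)
            return false;
        ++collections;
        bytesSinceCollect = 0;
        collectionPending = false;
        return true;
    }

    // Models JSC::allocateCell(); the DisallowGC check at the top is what the patch adds.
    AllocOutcome allocateCell(std::size_t bytes) {
        if (gcDisallowDepth > 0)
            return AllocOutcome::GCDisallowedViolation;
        bytesSinceCollect += bytes;
        if (bytesSinceCollect < threshold)
            return AllocOutcome::Allocated;
        if (gcDeferDepth > 0) {
            collectionPending = true;
            return AllocOutcome::CollectionDeferred;
        }
        return collect() ? AllocOutcome::AllocatedAfterCollect : AllocOutcome::WouldDeadlock;
    }
};

// RAII: while alive, any operation that could start a collection on this thread is a bug.
struct DisallowGC {
    DisallowGC() { ++gcDisallowDepth; }
    ~DisallowGC() { --gcDisallowDepth; }
    static bool isGCDisallowedOnCurrentThread() { return gcDisallowDepth > 0; }
};

// RAII: postpones collections; the outermost guard runs a pending one when it goes out of
// scope, which is the "collection when the locker goes out of scope" hazard noted above.
struct DeferGC {
    Heap& heap;
    explicit DeferGC(Heap& h) : heap(h) { ++gcDeferDepth; }
    ~DeferGC() {
        if (--gcDeferDepth == 0 && heap.collectionPending)
            heap.collect();
    }
};

struct ConcurrentJITLockerBase {
    CodeBlock& codeBlock;
    explicit ConcurrentJITLockerBase(CodeBlock& cb) : codeBlock(cb) { codeBlock.jitLockHeld = true; }
    ~ConcurrentJITLockerBase() { codeBlock.jitLockHeld = false; }
};

// Plain locker: in debug builds it also carries a DisallowGC so misuse is caught eagerly.
struct ConcurrentJITLocker : ConcurrentJITLockerBase {
    DisallowGC disallow;
    explicit ConcurrentJITLocker(CodeBlock& cb) : ConcurrentJITLockerBase(cb) {}
};

// GC-safe locker: DeferGC is declared first, so it is constructed first and destroyed last;
// the lock is therefore released before any deferred collection runs.
struct GCSafeConcurrentJITLocker {
    DeferGC defer;
    ConcurrentJITLockerBase locker;
    GCSafeConcurrentJITLocker(Heap& h, CodeBlock& cb) : defer(h), locker(cb) {}
};

// Pre-patch shape of the bug: hold the lock, allocate enough to need a collection, and the
// collector comes back for the lock this thread already holds.
AllocOutcome allocateUnderPrePatchLocker(Heap& heap) {
    ConcurrentJITLockerBase locker(heap.codeBlock);
    return heap.allocateCell(heap.threshold);
}

// Same sequence with the patched plain locker: DisallowGC flags it before any deadlock.
AllocOutcome allocateUnderPlainLocker(Heap& heap) {
    ConcurrentJITLocker locker(heap.codeBlock);
    return heap.allocateCell(heap.threshold);
}

// Same sequence with the GC-safe locker: the collection waits until the lock is gone.
AllocOutcome allocateUnderGCSafeLocker(Heap& heap) {
    GCSafeConcurrentJITLocker locker(heap, heap.codeBlock);
    return heap.allocateCell(heap.threshold);
}

} // namespace gcmodel

int main() {
    using namespace gcmodel;
    CodeBlock cb;
    Heap heap(cb, 64);
    std::printf("pre-patch locker: outcome %d\n", static_cast<int>(allocateUnderPrePatchLocker(heap)));
    std::printf("plain locker:     outcome %d\n", static_cast<int>(allocateUnderPlainLocker(heap)));
    AllocOutcome safe = allocateUnderGCSafeLocker(heap);
    std::printf("gc-safe locker:   outcome %d, collections=%u\n", static_cast<int>(safe), heap.collections);
    return 0;
}
```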
3043
3044 2013-10-16  Daniel Bates  <dabates@apple.com>
3045
3046         Add SPI to disable the garbage collector timer
3047         https://bugs.webkit.org/show_bug.cgi?id=122921
3048
3049         Reviewed by Geoffrey Garen.
3050
3051         Based on a patch by Mark Hahnenberg.
3052
3053         * API/JSBase.cpp:
3054         (JSDisableGCTimer): Added; SPI function.
3055         * API/JSBasePrivate.h:
3056         * heap/BlockAllocator.cpp:
3057         (JSC::createBlockFreeingThread): Added.
3058         (JSC::BlockAllocator::BlockAllocator): Modified to use JSC::createBlockFreeingThread()
3059         to conditionally create the "block freeing" thread depending on the value of
3060         GCActivityCallback::s_shouldCreateGCTimer.
3061         (JSC::BlockAllocator::~BlockAllocator):
3062         * heap/BlockAllocator.h:
3063         (JSC::BlockAllocator::deallocate):
3064         * heap/Heap.cpp:
3065         (JSC::Heap::didAbandon):
3066         (JSC::Heap::collect):
3067         (JSC::Heap::didAllocate):
3068         * heap/HeapTimer.cpp:
3069         (JSC::HeapTimer::timerDidFire):
3070         * runtime/GCActivityCallback.cpp:
3071         * runtime/GCActivityCallback.h:
3072         (JSC::DefaultGCActivityCallback::create): Only instantiate a DefaultGCActivityCallback object
3073         when GCActivityCallback::s_shouldCreateGCTimer is true so as to prevent allocating a HeapTimer
3074         object (since DefaultGCActivityCallback ultimately extends HeapTimer).
3075
3076 2013-10-16  Commit Queue  <commit-queue@webkit.org>
3077
3078         Unreviewed, rolling out r157529.
3079         http://trac.webkit.org/changeset/157529
3080         https://bugs.webkit.org/show_bug.cgi?id=122919
3081
3082         Caused score test failures and some build failures. (Requested
3083         by rfong on #webkit).
3084
3085         * bytecompiler/BytecodeGenerator.cpp:
3086         (JSC::BytecodeGenerator::emitNewArray):
3087         (JSC::BytecodeGenerator::emitCall):
3088         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
3089         * bytecompiler/BytecodeGenerator.h:
3090         * bytecompiler/NodesCodegen.cpp:
3091         (JSC::ArrayNode::emitBytecode):
3092         (JSC::CallArguments::CallArguments):
3093         (JSC::ForOfNode::emitBytecode):
3094         (JSC::BindingNode::collectBoundIdentifiers):
3095         * parser/ASTBuilder.h:
3096         * parser/Lexer.cpp:
3097         (JSC::::lex):
3098         * parser/NodeConstructors.h:
3099         (JSC::DotAccessorNode::DotAccessorNode):
3100         * parser/Nodes.h:
3101         * parser/Parser.cpp:
3102         (JSC::::parseArrayLiteral):
3103         (JSC::::parseArguments):
3104         (JSC::::parseMemberExpression):
3105         * parser/Parser.h:
3106         (JSC::Parser::getTokenName):
3107         (JSC::Parser::updateErrorMessageSpecialCase):
3108         * parser/ParserTokens.h:
3109         * parser/SyntaxChecker.h:
3110
3111 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
3112
3113         Remove useless architecture specific implementation in DFG.
3114         https://bugs.webkit.org/show_bug.cgi?id=122917.
3115
3116         Reviewed by Michael Saboff.
3117
3118         With CPU(ARM) && CPU(ARM_HARDFP) architecture, the fallback implementation is fine
3119         as FPRInfo::argumentFPR0 == FPRInfo::returnValueFPR in this case.
3120
3121         * dfg/DFGSpeculativeJIT.h:
3122
3123 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
3124
3125         Remove unused JIT::restoreArgumentReferenceForTrampoline function.
3126         https://bugs.webkit.org/show_bug.cgi?id=122916.
3127
3128         Reviewed by Michael Saboff.
3129
3130         This architecture specific function is not used anymore, so get rid of it.
3131
3132         * jit/JIT.h:
3133         * jit/JITInlines.h:
3134
3135 2013-10-16  Oliver Hunt  <oliver@apple.com>
3136
3137         Implement ES6 spread operator
3138         https://bugs.webkit.org/show_bug.cgi?id=122911
3139
3140         Reviewed by Michael Saboff.
3141
3142         Implement the ES6 spread operator
3143
3144         This has a little bit of refactoring to move the enumeration logic out of ForOfNode
3145         and into BytecodeGenerator, and then adds the logic to make it nicely callback
3146         driven.
3147
3148         The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
3149         and actually handling the spread.
3150
3151         * bytecompiler/BytecodeGenerator.cpp:
3152         (JSC::BytecodeGenerator::emitNewArray):
3153         (JSC::BytecodeGenerator::emitCall):
3154         (JSC::BytecodeGenerator::emitEnumeration):
3155         * bytecompiler/BytecodeGenerator.h:
3156         * bytecompiler/NodesCodegen.cpp:
3157         (JSC::ArrayNode::emitBytecode):
3158         (JSC::ForOfNode::emitBytecode):
3159         (JSC::SpreadExpressionNode::emitBytecode):
3160         * parser/ASTBuilder.h:
3161         (JSC::ASTBuilder::createSpreadExpression):
3162         * parser/Lexer.cpp:
3163         (JSC::::lex):
3164         * parser/NodeConstructors.h:
3165         (JSC::SpreadExpressionNode::SpreadExpressionNode):
3166         * parser/Nodes.h:
3167         (JSC::ExpressionNode::isSpreadExpression):
3168         (JSC::SpreadExpressionNode::expression):
3169         * parser/Parser.cpp:
3170         (JSC::::parseArrayLiteral):
3171         (JSC::::parseArguments):
3172         (JSC::::parseMemberExpression):
3173         * parser/Parser.h:
3174         (JSC::Parser::getTokenName):
3175         (JSC::Parser::updateErrorMessageSpecialCase):
3176         * parser/ParserTokens.h:
3177         * parser/SyntaxChecker.h:
3178         (JSC::SyntaxChecker::createSpreadExpression):
3179
3180 2013-10-16  Mark Lam  <mark.lam@apple.com>
3181
3182         Transition void cti_op_tear_off* methods to JIT operations for 32 bit.
3183         https://bugs.webkit.org/show_bug.cgi?id=122899.
3184
3185         Reviewed by Michael Saboff.
3186
3187         * jit/JITOpcodes32_64.cpp:
3188         (JSC::JIT::emit_op_tear_off_activation):
3189         (JSC::JIT::emit_op_tear_off_arguments):
3190         * jit/JITStubs.cpp:
3191         * jit/JITStubs.h:
3192
3193 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
3194
3195         Remove more of the UNINTERRUPTED_SEQUENCE thing
3196         https://bugs.webkit.org/show_bug.cgi?id=122885
3197
3198         Reviewed by Andreas Kling.
3199
3200         It was not completely removed by r157481, leading to build failure for sh4 architecture.
3201
3202         * jit/JIT.h:
3203         * jit/JITInlines.h:
3204
3205 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
3206
3207         Get rid of the StructureStubInfo::patch union
3208         https://bugs.webkit.org/show_bug.cgi?id=122877
3209
3210         Reviewed by Sam Weinig.
3211         
3212         Just simplifying code by getting rid of data structures that ain't used no more.
3213         
3214         Note that I replace the patch union with a patch struct. This means we say things like
3215         stubInfo.patch.valueGPR instead of stubInfo.valueGPR. I think that this extra
3216         encapsulation makes the code more readable: the patch struct contains just those things
3217         that you need to know to perform patching.
3218
3219         * bytecode/StructureStubInfo.h:
3220         * dfg/DFGJITCompiler.cpp:
3221         (JSC::DFG::JITCompiler::link):
3222         * jit/JIT.cpp:
3223         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
3224         * jit/Repatch.cpp:
3225         (JSC::repatchByIdSelfAccess):
3226         (JSC::replaceWithJump):
3227         (JSC::linkRestoreScratch):
3228         (JSC::generateProtoChainAccessStub):
3229         (JSC::tryCacheGetByID):
3230         (JSC::getPolymorphicStructureList):
3231         (JSC::patchJumpToGetByIdStub):
3232         (JSC::tryBuildGetByIDList):
3233         (JSC::emitPutReplaceStub):
3234         (JSC::emitPutTransitionStub):
3235         (JSC::tryCachePutByID):
3236         (JSC::tryBuildPutByIdList):
3237         (JSC::tryRepatchIn):
3238         (JSC::resetGetByID):
3239         (JSC::resetPutByID):
3240         (JSC::resetIn):
3241
3242 2013-10-15  Nadav Rotem  <nrotem@apple.com>
3243
3244         FTL: add support for Int52ToValue and fix putByVal of int52s.
3245         https://bugs.webkit.org/show_bug.cgi?id=122873
3246
3247         Reviewed by Filip Pizlo.
3248
3249         * ftl/FTLCapabilities.cpp:
3250         (JSC::FTL::canCompile):
3251         * ftl/FTLLowerDFGToLLVM.cpp:
3252         (JSC::FTL::LowerDFGToLLVM::compileNode):
3253         (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue):
3254         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
3255
3256 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
3257
3258         Get rid of the UNINTERRUPTED_SEQUENCE thing
3259         https://bugs.webkit.org/show_bug.cgi?id=122876
3260
3261         Reviewed by Mark Hahnenberg.
3262         
3263         It doesn't make sense anymore. We now use the DFG's IC logic, which never needed that.
3264         
3265         Moreover, we should resist the temptation to bring anything like this back. We don't
3266         want to have inline caches that only work if the assembler lays out code in a specific
3267         predetermined way.
3268
3269         * jit/JIT.h:
3270         * jit/JITCall.cpp:
3271         (JSC::JIT::compileOpCall):
3272         * jit/JITCall32_64.cpp:
3273         (JSC::JIT::compileOpCall):
3274
3275 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
3276
3277         Baseline JIT should use the DFG GetById IC
3278         https://bugs.webkit.org/show_bug.cgi?id=122861
3279
3280         Reviewed by Oliver Hunt.
3281         
3282         This mostly just kills a ton of code.
3283         
3284         Note that this doesn't yet do all of the simplifications that can be done, but it does
3285         kill dead code. I'll have another change to simplify StructureStubInfo's unions and such.
3286
3287         * bytecode/CodeBlock.cpp:
3288         (JSC::CodeBlock::resetStubInternal):
3289         * jit/JIT.cpp:
3290         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
3291         * jit/JIT.h:
3292         (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
3293         * jit/JITInlines.h:
3294         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
3295         (JSC::JIT::callOperation):
3296         * jit/JITPropertyAccess.cpp:
3297         (JSC::JIT::compileGetByIdHotPath):
3298         (JSC::JIT::emitSlow_op_get_by_id):
3299         (JSC::JIT::emitSlow_op_get_from_scope):
3300         * jit/JITPropertyAccess32_64.cpp:
3301         (JSC::JIT::compileGetByIdHotPath):
3302         (JSC::JIT::emitSlow_op_get_by_id):
3303         (JSC::JIT::emitSlow_op_get_from_scope):
3304         * jit/JITStubs.cpp:
3305         * jit/JITStubs.h:
3306         * jit/Repatch.cpp:
3307         (JSC::repatchGetByID):
3308         (JSC::buildGetByIDList):
3309         * jit/ThunkGenerators.cpp:
3310         * jit/ThunkGenerators.h:
3311
3312 2013-10-15  Dean Jackson  <dino@apple.com>
3313
3314         Add ENABLE_WEB_ANIMATIONS flag
3315         https://bugs.webkit.org/show_bug.cgi?id=122871
3316
3317         Reviewed by Tim Horton.
3318
3319         Eventually might be http://dev.w3.org/fxtf/web-animations/
3320         but this is just engine-internal work at the moment.
3321
3322         * Configurations/FeatureDefines.xcconfig:
3323
3324 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
3325
3326         [sh4] Some calls don't match sh4 ABI.
3327         https://bugs.webkit.org/show_bug.cgi?id=122863
3328
3329         Reviewed by Michael Saboff.
3330
3331         * dfg/DFGSpeculativeJIT.h:
3332         (JSC::DFG::SpeculativeJIT::callOperation):
3333         * jit/CCallHelpers.h:
3334         (JSC::CCallHelpers::setupArgumentsWithExecState):
3335         * jit/JITInlines.h:
3336         (JSC::JIT::callOperation):
3337
3338 2013-10-15  Daniel Bates  <dabates@apple.com>
3339
3340         [iOS] Upstream JavaScriptCore support for ARM64
3341         https://bugs.webkit.org/show_bug.cgi?id=122762
3342
3343         Reviewed by Oliver Hunt and Filip Pizlo.
3344
3345         * Configurations/Base.xcconfig:
3346         * Configurations/DebugRelease.xcconfig:
3347         * Configurations/JavaScriptCore.xcconfig:
3348         * Configurations/ToolExecutable.xcconfig:
3349         * JavaScriptCore.xcodeproj/project.pbxproj:
3350         * assembler/ARM64Assembler.h: Added.
3351         * assembler/AbstractMacroAssembler.h:
3352         (JSC::isARM64):
3353         (JSC::AbstractMacroAssembler::Label::Label):
3354         (JSC::AbstractMacroAssembler::Jump::Jump):
3355         (JSC::AbstractMacroAssembler::Jump::link):
3356         (JSC::AbstractMacroAssembler::Jump::linkTo):
3357         (JSC::AbstractMacroAssembler::CachedTempRegister::CachedTempRegister):
3358         (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDInvalidate):
3359         (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDNoInvalidate):
3360         (JSC::AbstractMacroAssembler::CachedTempRegister::value):
3361         (JSC::AbstractMacroAssembler::CachedTempRegister::setValue):
3362         (JSC::AbstractMacroAssembler::CachedTempRegister::invalidate):
3363         (JSC::AbstractMacroAssembler::invalidateAllTempRegisters):
3364         (JSC::AbstractMacroAssembler::isTempRegisterValid):
3365         (JSC::AbstractMacroAssembler::clearTempRegisterValid):
3366         (JSC::AbstractMacroAssembler::setTempRegisterValid):
3367         * assembler/LinkBuffer.cpp:
3368         (JSC::LinkBuffer::copyCompactAndLinkCode):
3369         (JSC::LinkBuffer::linkCode):
3370         * assembler/LinkBuffer.h:
3371         * assembler/MacroAssembler.h:
3372         (JSC::MacroAssembler::isPtrAlignedAddressOffset):
3373         (JSC::MacroAssembler::pushToSave):
3374         (JSC::MacroAssembler::popToRestore):
3375         (JSC::MacroAssembler::patchableBranchTest32):
3376         * assembler/MacroAssemblerARM64.h: Added.
3377         * assembler/MacroAssemblerARMv7.h:
3378         * dfg/DFGFixupPhase.cpp:
3379         (JSC::DFG::FixupPhase::fixupNode):
3380         * dfg/DFGOSRExitCompiler32_64.cpp:
3381         (JSC::DFG::OSRExitCompiler::compileExit):
3382         * dfg/DFGOSRExitCompiler64.cpp:
3383         (JSC::DFG::OSRExitCompiler::compileExit):
3384         * dfg/DFGSpeculativeJIT.cpp:
3385         (JSC::DFG::SpeculativeJIT::compileArithDiv):
3386         (JSC::DFG::SpeculativeJIT::compileArithMod):
3387         * disassembler/ARM64/A64DOpcode.cpp: Added.
3388         * disassembler/ARM64/A64DOpcode.h: Added.
3389         * disassembler/ARM64Disassembler.cpp: Added.
3390         * heap/MachineStackMarker.cpp:
3391         (JSC::getPlatformThreadRegisters):
3392         (JSC::otherThreadStackPointer):
3393         * heap/Region.h:
3394         * jit/AssemblyHelpers.h:
3395         (JSC::AssemblyHelpers::debugCall):
3396         * jit/CCallHelpers.h:
3397         * jit/ExecutableAllocator.h:
3398         * jit/FPRInfo.h:
3399         (JSC::FPRInfo::toRegister):
3400         (JSC::FPRInfo::toIndex):
3401         (JSC::FPRInfo::debugName):
3402         * jit/GPRInfo.h:
3403         (JSC::GPRInfo::toRegister):
3404         (JSC::GPRInfo::toIndex):
3405         (JSC::GPRInfo::debugName):
3406         * jit/JITInlines.h:
3407         (JSC::JIT::restoreArgumentReferenceForTrampoline):
3408         * jit/JITOperationWrappers.h:
3409         * jit/JITOperations.cpp:
3410         * jit/JITStubs.cpp:
3411         (JSC::performPlatformSpecificJITAssertions):
3412         (JSC::tryCachePutByID):
3413         * jit/JITStubs.h:
3414         (JSC::JITStackFrame::returnAddressSlot):
3415         * jit/JITStubsARM64.h: Added.
3416         * jit/JSInterfaceJIT.h:
3417         * jit/Repatch.cpp:
3418         (JSC::emitRestoreScratch):
3419         (JSC::generateProtoChainAccessStub):
3420         (JSC::tryCacheGetByID):
3421         (JSC::emitPutReplaceStub):
3422         (JSC::tryCachePutByID):
3423         (JSC::tryRepatchIn):
3424         * jit/ScratchRegisterAllocator.h:
3425         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
3426         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
3427         * jit/ThunkGenerators.cpp:
3428         (JSC::nativeForGenerator):
3429         (JSC::floorThunkGenerator):
3430         (JSC::ceilThunkGenerator):
3431         * jsc.cpp:
3432         (main):
3433         * llint/LLIntOfflineAsmConfig.h:
3434         * llint/LLIntSlowPaths.cpp:
3435         (JSC::LLInt::handleHostCall):
3436         * llint/LowLevelInterpreter.asm:
3437         * llint/LowLevelInterpreter64.asm:
3438         * offlineasm/arm.rb:
3439         * offlineasm/arm64.rb: Added.
3440         * offlineasm/backends.rb:
3441         * offlineasm/instructions.rb:
3442         * offlineasm/risc.rb:
3443         * offlineasm/transform.rb:
3444         * yarr/YarrJIT.cpp:
3445         (JSC::Yarr::YarrGenerator::alignCallFrameSizeInBytes):
3446         (JSC::Yarr::YarrGenerator::initCallFrame):
3447         (JSC::Yarr::YarrGenerator::removeCallFrame):
3448         (JSC::Yarr::YarrGenerator::generateEnter):
3449         * yarr/YarrJIT.h:
3450
3451 2013-10-15  Mark Lam  <mark.lam@apple.com>
3452
3453         Fix 3 operand sub operation in C loop LLINT.
3454         https://bugs.webkit.org/show_bug.cgi?id=122866.
3455
3456         Reviewed by Geoffrey Garen.
3457
3458         * offlineasm/cloop.rb:
3459
3460 2013-10-15  Mark Hahnenberg  <mhahnenberg@apple.com>
3461
3462         ObjCCallbackFunctionImpl shouldn't store a JSContext
3463         https://bugs.webkit.org/show_bug.cgi?id=122531
3464
3465         Reviewed by Geoffrey Garen.
3466
3467         The m_context field in ObjCCallbackFunctionImpl is vestigial and is only incidentally correct 
3468         in the common case. It's also no longer necessary in that we can look up the current JSContext 
3469         by using the globalObject of the callee when the function callback is invoked.
3470  
3471         Also added a new test that would cause us to crash previously. The test required making 
3472         JSContextGetGlobalContext public API so that clients can obtain a JSContext from the JSContextRef
3473         in C API callbacks.
3474
3475         * API/JSContextRef.h:
3476         * API/JSContextRefPrivate.h:
3477         * API/ObjCCallbackFunction.mm:
3478         (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
3479         (JSC::objCCallbackFunctionCallAsFunction):
3480         (objCCallbackFunctionForInvocation):
3481         * API/WebKitAvailability.h:
3482         * API/tests/CurrentThisInsideBlockGetterTest.h: Added.
3483         * API/tests/CurrentThisInsideBlockGetterTest.mm: Added.
3484         (CallAsConstructor):
3485         (ConstructorFinalize):
3486         (ConstructorClass):
3487         (+[JSValue valueWithConstructorDescriptor:inContext:]):
3488         (-[JSContext valueWithConstructorDescriptor:]):
3489         (currentThisInsideBlockGetterTest):
3490         * API/tests/testapi.mm:
3491         * JavaScriptCore.xcodeproj/project.pbxproj:
3492         * debugger/Debugger.cpp: Had to add some fully qualified names to avoid conflicts with Mac OS X headers.
3493
3494 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
3495
3496         Fix build after r157457 for architecture with 4 argument registers.
3497         https://bugs.webkit.org/show_bug.cgi?id=122860
3498
3499         Reviewed by Michael Saboff.
3500
3501         * jit/CCallHelpers.h:
3502         (JSC::CCallHelpers::setupStubArguments134):
3503
3504 2013-10-14  Michael Saboff  <msaboff@apple.com>
3505
3506         transition void cti_op_* methods to JIT operations.
3507         https://bugs.webkit.org/show_bug.cgi?id=122617
3508
3509         Reviewed by Geoffrey Garen.
3510
3511         Converted the following stubs to JIT operations:
3512             cti_handle_watchdog_timer
3513             cti_op_debug
3514             cti_op_pop_scope
3515             cti_op_profile_did_call
3516             cti_op_profile_will_call
3517             cti_op_put_by_index
3518             cti_op_put_getter_setter
3519             cti_op_tear_off_activation
3520             cti_op_tear_off_arguments
3521             cti_op_throw_static_error
3522             cti_optimize
3523
3524         * dfg/DFGOperations.cpp:
3525         * dfg/DFGOperations.h:
3526         * jit/CCallHelpers.h:
3527         (JSC::CCallHelpers::setupArgumentsWithExecState):
3528         (JSC::CCallHelpers::setupThreeStubArgsGPR):
3529         (JSC::CCallHelpers::setupStubArguments):
3530         (JSC::CCallHelpers::setupStubArguments134):
3531         * jit/JIT.cpp:
3532         (JSC::JIT::emitEnterOptimizationCheck):
3533         * jit/JIT.h:
3534         * jit/JITInlines.h:
3535         (JSC::JIT::callOperation):
3536         * jit/JITOpcodes.cpp:
3537         (JSC::JIT::emit_op_tear_off_activation):
3538         (JSC::JIT::emit_op_tear_off_arguments):
3539         (JSC::JIT::emit_op_push_with_scope):
3540         (JSC::JIT::emit_op_pop_scope):
3541         (JSC::JIT::emit_op_push_name_scope):
3542         (JSC::JIT::emit_op_throw_static_error):
3543         (JSC::JIT::emit_op_debug):
3544         (JSC::JIT::emit_op_profile_will_call):
3545         (JSC::JIT::emit_op_profile_did_call):
3546         (JSC::JIT::emitSlow_op_loop_hint):
3547         * jit/JITOpcodes32_64.cpp:
3548         (JSC::JIT::emit_op_push_with_scope):
3549         (JSC::JIT::emit_op_pop_scope):
3550         (JSC::JIT::emit_op_push_name_scope):
3551         (JSC::JIT::emit_op_throw_static_error):
3552         (JSC::JIT::emit_op_debug):
3553         (JSC::JIT::emit_op_profile_will_call):
3554         (JSC::JIT::emit_op_profile_did_call):
3555         * jit/JITOperations.cpp:
3556         * jit/JITOperations.h:
3557         * jit/JITPropertyAccess.cpp:
3558         (JSC::JIT::emit_op_put_by_index):
3559         (JSC::JIT::emit_op_put_getter_setter):
3560         * jit/JITPropertyAccess32_64.cpp:
3561         (JSC::JIT::emit_op_put_by_index):
3562         (JSC::JIT::emit_op_put_getter_setter):
3563         * jit/JITStubs.cpp:
3564         * jit/JITStubs.h:
3565
3566 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
3567
3568         [sh4] Introduce const pools in LLINT.
3569         https://bugs.webkit.org/show_bug.cgi?id=122746
3570
3571         Reviewed by Michael Saboff.
3572
3573         In current implementation of LLINT for sh4, immediate values outside range -128..127 are
3574         loaded this way:
3575
3576             mov.l .label, rx
3577             bra out
3578             nop
3579             .balign 4
3580             .label: .long immvalue
3581             out:
3582
3583         This change introduces const pools for sh4 implementation to avoid lots of useless branches
3584         and reduce code size. It also removes lines of dirty code, like jmpf and callf.
3585
3586         * offlineasm/instructions.rb: Remove jmpf and callf sh4 specific instructions.
3587         * offlineasm/sh4.rb:
3588
3589 2013-10-15  Mark Lam  <mark.lam@apple.com>
3590
3591         Fix broken C Loop LLINT build.
3592         https://bugs.webkit.org/show_bug.cgi?id=122839.
3593
3594         Reviewed by Michael Saboff.
3595
3596         * dfg/DFGFlushedAt.cpp:
3597         * jit/JITOperations.h:
3598
3599 2013-10-14  Mark Lam  <mark.lam@apple.com>
3600
3601         Transition *switch* and *scope* JITStubs to JIT operations.
3602         https://bugs.webkit.org/show_bug.cgi?id=122757.
3603
3604         Reviewed by Geoffrey Garen.
3605
3606         Transitioning:
3607             cti_op_switch_char
3608             cti_op_switch_imm
3609             cti_op_switch_string
3610             cti_op_resolve_scope
3611             cti_op_get_from_scope
3612             cti_op_put_to_scope
3613
3614         * jit/JIT.h:
3615         * jit/JITInlines.h:
3616         (JSC::JIT::callOperation):
3617         * jit/JITOpcodes.cpp:
3618         (JSC::JIT::emit_op_switch_imm):
3619         (JSC::JIT::emit_op_switch_char):
3620         (JSC::JIT::emit_op_switch_string):
3621         * jit/JITOpcodes32_64.cpp:
3622         (JSC::JIT::emit_op_switch_imm):
3623         (JSC::JIT::emit_op_switch_char):
3624         (JSC::JIT::emit_op_switch_string):
3625         * jit/JITOperations.cpp:
3626         * jit/JITOperations.h:
3627         * jit/JITPropertyAccess.cpp:
3628         (JSC::JIT::emitSlow_op_resolve_scope):
3629         (JSC::JIT::emitSlow_op_get_from_scope):
3630         (JSC::JIT::emitSlow_op_put_to_scope):
3631         * jit/JITPropertyAccess32_64.cpp:
3632         (JSC::JIT::emitSlow_op_resolve_scope):
3633         (JSC::JIT::emitSlow_op_get_from_scope):
3634         (JSC::JIT::emitSlow_op_put_to_scope):
3635         * jit/JITStubs.cpp:
3636         * jit/JITStubs.h:
3637
3638 2013-10-14  Filip Pizlo  <fpizlo@apple.com>
3639
3640         DFG PutById IC should use the ConcurrentJITLocker since it's now dealing with IC's that get read by the compiler thread
3641         https://bugs.webkit.org/show_bug.cgi?id=122786
3642
3643         Reviewed by Mark Hahnenberg.
3644
3645         * bytecode/CodeBlock.cpp:
3646         (JSC::CodeBlock::resetStub): Resetting a stub should acquire the lock since this is observable from the thread; but we should only acquire the lock if we're resetting outside of GC.
3647         * jit/Repatch.cpp:
3648         (JSC::repatchPutByID): Doing the PutById patching should hold the lock.
3649         (JSC::buildPutByIdList): Ditto.
3650
3651 2013-10-14  Nadav Rotem  <nrotem@apple.com>
3652
3653         Add FTL support for LogicalNot(string)
3654         https://bugs.webkit.org/show_bug.cgi?id=122765
3655
3656         Reviewed by Filip Pizlo.
3657
3658         This patch is tested by:
3659         regress/script-tests/emscripten-cube2hash.js.ftl-eager
3660
3661         * ftl/FTLCapabilities.cpp:
3662         (JSC::FTL::canCompile):
3663         * ftl/FTLLowerDFGToLLVM.cpp:
3664         (JSC::FTL::LowerDFGToLLVM::compileLogicalNot):
3665
3666 2013-10-14  Julien Brianceau  <jbriance@cisco.com>
3667
3668         [sh4] Fixes after r157404 and r157411.
3669         https://bugs.webkit.org/show_bug.cgi?id=122782
3670
3671         Reviewed by Michael Saboff.
3672
3673         * dfg/DFGSpeculativeJIT.h:
3674         (JSC::DFG::SpeculativeJIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG.
3675         * jit/CCallHelpers.h:
3676         (JSC::CCallHelpers::setupArgumentsWithExecState):
3677         * jit/JITInlines.h:
3678         (JSC::JIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG.
3679         * jit/JITPropertyAccess32_64.cpp:
3680         (JSC::JIT::emit_op_put_by_id): Remove unwanted BEGIN_UNINTERRUPTED_SEQUENCE.
3681
3682 2013-10-14  Commit Queue  <commit-queue@webkit.org>
3683
3684         Unreviewed, rolling out r157413.
3685         http://trac.webkit.org/changeset/157413
3686         https://bugs.webkit.org/show_bug.cgi?id=122779
3687
3688         Appears to have caused frequent crashes (Requested by ap on
3689         #webkit).
3690
3691         * CMakeLists.txt:
3692         * GNUmakefile.list.am:
3693         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3694         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3695         * JavaScriptCore.xcodeproj/project.pbxproj:
3696         * heap/DeferGC.cpp: Removed.
3697         * heap/DeferGC.h:
3698         * jit/JITStubs.cpp:
3699         (JSC::tryCacheGetByID):
3700         (JSC::DEFINE_STUB_FUNCTION):
3701         * llint/LLIntSlowPaths.cpp:
3702         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3703         * runtime/ConcurrentJITLock.h:
3704         * runtime/InitializeThreading.cpp:
3705         (JSC::initializeThreadingOnce):
3706         * runtime/JSCellInlines.h:
3707         (JSC::allocateCell):
3708         * runtime/Structure.cpp:
3709         (JSC::Structure::materializePropertyMap):
3710         (JSC::Structure::putSpecificValue):
3711         (JSC::Structure::createPropertyMap):
3712         * runtime/Structure.h:
3713
3714 2013-10-14  Mark Hahnenberg  <mhahnenberg@apple.com>
3715
3716         COLLECT_ON_EVERY_ALLOCATION causes assertion failures
3717         https://bugs.webkit.org/show_bug.cgi?id=122652
3718
3719         Reviewed by Filip Pizlo.
3720
3721         COLLECT_ON_EVERY_ALLOCATION wasn't accounting for the new GC deferral mechanism,
3722         so we would end up ASSERTing during garbage collection.
3723
3724         * heap/MarkedAllocator.cpp:
3725         (JSC::MarkedAllocator::allocateSlowCase):
3726
3727 2013-10-11  Oliver Hunt  <oliver@apple.com>
3728
3729         Separate out array iteration intrinsics
3730         https://bugs.webkit.org/show_bug.cgi?id=122656
3731
3732         Reviewed by Michael Saboff.
3733
3734         Separate out the intrinsics for key and values iteration
3735         of arrays.
3736
3737         This requires moving array iteration into the iterator
3738         instance, rather than the prototype, but this is essentially
3739         unobservable so we'll live with it for now.
3740
3741         * jit/ThunkGenerators.cpp:
3742         (JSC::arrayIteratorNextThunkGenerator):
3743         (JSC::arrayIteratorNextKeyThunkGenerator):
3744         (JSC::arrayIteratorNextValueThunkGenerator):
3745         * jit/ThunkGenerators.h:
3746         * runtime/ArrayIteratorPrototype.cpp:
3747         (JSC::ArrayIteratorPrototype::finishCreation):
3748         * runtime/Intrinsic.h:
3749         * runtime/JSArrayIterator.cpp:
3750         (JSC::JSArrayIterator::finishCreation):
3751         (JSC::createIteratorResult):
3752         (JSC::arrayIteratorNext):
3753         (JSC::arrayIteratorNextKey):
3754         (JSC::arrayIteratorNextValue):
3755         (JSC::arrayIteratorNextGeneric):
3756         * runtime/VM.cpp:
3757         (JSC::thunkGeneratorForIntrinsic):
3758
3759 2013-10-11  Mark Hahnenberg  <mhahnenberg@apple.com>
3760
3761         llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
3762         https://bugs.webkit.org/show_bug.cgi?id=122667
3763
3764         Reviewed by Filip Pizlo.
3765
3766         The issue this patch is attempting to fix is that there are places in our codebase
3767         where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
3768         operations that can initiate a garbage collection. Garbage collection then calls 
3769         some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
3770         always necessarily run during garbage collection). This causes a deadlock.
3771
3772         To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores 
3773         into a thread-local field that indicates that it is unsafe to perform any operation 
3774         that could trigger garbage collection on the current thread. In debug builds, 
3775         ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly 
3776         detect deadlocks.
3777
3778         This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
3779         which uses the DeferGC mechanism to prevent collections from occurring while the 
3780         lock is held.
3781
3782         * CMakeLists.txt:
3783         * GNUmakefile.list.am:
3784         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3785         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3786         * JavaScriptCore.xcodeproj/project.pbxproj:
3787         * heap/DeferGC.cpp: Added.
3788         * heap/DeferGC.h:
3789         (JSC::DisallowGC::DisallowGC):
3790         (JSC::DisallowGC::~DisallowGC):
3791         (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
3792         (JSC::DisallowGC::initialize):
3793         * jit/JITStubs.cpp:
3794         (JSC::tryCachePutByID):
3795         (JSC::tryCacheGetByID):
3796         (JSC::DEFINE_STUB_FUNCTION):
3797         * llint/LLIntSlowPaths.cpp:
3798         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3799         * runtime/ConcurrentJITLock.h:
3800         (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
3801         (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
3802         (JSC::ConcurrentJITLockerBase::unlockEarly):
3803         (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
3804         (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
3805         * runtime/InitializeThreading.cpp:
3806         (JSC::initializeThreadingOnce):
3807         * runtime/JSCellInlines.h:
3808         (JSC::allocateCell):
3809         * runtime/Structure.cpp:
3810         (JSC::Structure::materializePropertyMap):
3811         (JSC::Structure::putSpecificValue):
3812         (JSC::Structure::createPropertyMap):
3813         * runtime/Structure.h:
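
        Added example, not JSC's code: a C++ model of the DisallowGC / DeferGC scheme this entry
        describes, reduced to the pieces that matter for the deadlock. A thread-local counter
        records that GC is disallowed; the debug-style locker forbids collection for its
        lifetime, and the GC-safe locker defers collection until the lock is released. The real
        deadlock (GC re-acquiring the ConcurrentJITLock) is modelled as an exception thrown where
        JSC would ASSERT; the Heap, CodeBlock and allocateCell here are hypothetical stand-ins.

```cpp
#include <cstdio>
#include <mutex>
#include <stdexcept>

// Thread-local depth: > 0 means "nothing that may collect is allowed on this thread".
static thread_local unsigned gcDisallowDepth = 0;

struct DisallowGC {
    DisallowGC() { ++gcDisallowDepth; }
    ~DisallowGC() { --gcDisallowDepth; }
    DisallowGC(const DisallowGC&) = delete;
    DisallowGC& operator=(const DisallowGC&) = delete;
    static bool isGCDisallowedOnCurrentThread() { return gcDisallowDepth > 0; }
};

// Hypothetical heap: tracks deferral depth and how many collections actually ran.
struct Heap {
    unsigned deferDepth = 0;
    bool collectionRequested = false;
    unsigned collections = 0;

    // Returns true if a collection ran now, false if it was deferred.
    bool tryCollect() {
        if (DisallowGC::isGCDisallowedOnCurrentThread())
            throw std::logic_error("GC triggered while a ConcurrentJITLock is held");  // models an ASSERT
        if (deferDepth) { collectionRequested = true; return false; }
        ++collections;
        return true;
    }
};

// RAII deferral: a collection requested while deferred runs when the last DeferGC goes away.
struct DeferGC {
    Heap& heap;
    explicit DeferGC(Heap& h) : heap(h) { ++heap.deferDepth; }
    ~DeferGC() {
        if (--heap.deferDepth == 0 && heap.collectionRequested) {
            heap.collectionRequested = false;
            ++heap.collections;
        }
    }
};

struct CodeBlock { std::mutex lock; };

// Debug-build locker: holds the lock and marks GC as disallowed for its lifetime.
struct ConcurrentJITLocker {
    std::lock_guard<std::mutex> guard;
    DisallowGC disallow;
    explicit ConcurrentJITLocker(CodeBlock& cb) : guard(cb.lock) {}
};

// GC-safe locker: DeferGC is declared first, so it is destroyed last, i.e. the
// deferred collection runs only after the lock has been released.
struct GCSafeConcurrentJITLocker {
    DeferGC defer;
    std::lock_guard<std::mutex> guard;
    GCSafeConcurrentJITLocker(CodeBlock& cb, Heap& heap) : defer(heap), guard(cb.lock) {}
};

// Hypothetical allocation slow path: may trigger a collection.
bool allocateCell(Heap& heap) { return heap.tryCollect(); }

enum class Outcome { Collected, Deferred, DisallowedGCDetected };

// The deadlock-prone shape: allocate while holding the per-CodeBlock lock.
Outcome putByIdWithPlainLocker(CodeBlock& cb, Heap& heap) {
    try {
        ConcurrentJITLocker locker(cb);
        return allocateCell(heap) ? Outcome::Collected : Outcome::Deferred;
    } catch (const std::logic_error&) {
        return Outcome::DisallowedGCDetected;
    }
}

// The fixed shape: same allocation, but collection is deferred past the unlock.
Outcome putByIdWithGCSafeLocker(CodeBlock& cb, Heap& heap) {
    GCSafeConcurrentJITLocker locker(cb, heap);
    return allocateCell(heap) ? Outcome::Collected : Outcome::Deferred;
}

int main() {
    CodeBlock cb;
    Heap heap;
    std::printf("plain locker outcome: %d\n", int(putByIdWithPlainLocker(cb, heap)));
    Outcome safe = putByIdWithGCSafeLocker(cb, heap);
    std::printf("gc-safe locker outcome: %d, collections after unlock: %u\n",
                int(safe), heap.collections);
}
```

        The plain locker turns the latent deadlock into an immediate, reproducible failure at
        the allocation site; the GC-safe locker reports the collection as deferred and the
        collection count only increments once the lock has been dropped.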
3814
3815 2013-10-14  Filip Pizlo  <fpizlo@apple.com>
3816
3817         Baseline JIT should use the DFG's PutById IC
3818         https://bugs.webkit.org/show_bug.cgi?id=122704
3819
3820         Reviewed by Mark Hahnenberg.
3821         
3822         Mostly no big deal, just removing the old Baseline JIT's put_by_id IC support and forcing
3823         that JIT to use the DFG's (i.e. JITOperations) PutById IC.
3824         
3825         The only complicated part was that the PutById operations assumed that we first did a
3826         cell speculation, which the baseline JIT obviously won't do. So I changed all of those
3827         slow paths to deal with EncodedJSValue's.
3828
3829         * bytecode/CodeBlock.cpp:
3830         (JSC::CodeBlock::resetStubInternal):
3831         * bytecode/PutByIdStatus.cpp:
3832         (JSC::PutByIdStatus::computeFor):
3833         * dfg/DFGSpeculativeJIT.h:
3834         (JSC::DFG::SpeculativeJIT::callOperation):
3835         * dfg/DFGSpeculativeJIT32_64.cpp:
3836         (JSC::DFG::SpeculativeJIT::cachedPutById):
3837         * dfg/DFGSpeculativeJIT64.cpp:
3838         (JSC::DFG::SpeculativeJIT::cachedPutById):
3839         * jit/CCallHelpers.h:
3840         (JSC::CCallHelpers::setupArgumentsWithExecState):
3841         * jit/JIT.cpp:
3842         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
3843         * jit/JIT.h:
3844         (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
3845         (JSC::PropertyStubCompilationInfo::slowCaseInfo):
3846         * jit/JITInlines.h:
3847         (JSC::JIT::callOperation):
3848         * jit/JITOperationWrappers.h:
3849         * jit/JITOperations.cpp:
3850         * jit/JITOperations.h:
3851         * jit/JITPropertyAccess.cpp:
3852         (JSC::JIT::compileGetByIdHotPath):
3853         (JSC::JIT::compileGetByIdSlowCase):
3854         (JSC::JIT::emit_op_put_by_id):
3855         (JSC::JIT::emitSlow_op_put_by_id):
3856         * jit/JITPropertyAccess32_64.cpp:
3857         (JSC::JIT::compileGetByIdSlowCase):
3858         (JSC::JIT::emit_op_put_by_id):
3859         (JSC::JIT::emitSlow_op_put_by_id):
3860         * jit/JITStubs.cpp:
3861         * jit/JITStubs.h:
3862         * jit/Repatch.cpp:
3863         (JSC::appropriateGenericPutByIdFunction):
3864         (JSC::appropriateListBuildingPutByIdFunction):
3865         (JSC::resetPutByID):
3866
3867 2013-10-13  Filip Pizlo  <fpizlo@apple.com>
3868
3869         FTL should have an inefficient but correct implementation of GetById
3870         https://bugs.webkit.org/show_bug.cgi?id=122740
3871
3872         Reviewed by Mark Hahnenberg.
3873         
3874         It took some effort to realize that the node->prediction() check in the DFG backends
3875         are completely unnecessary since the ByteCodeParser will always insert a ForceOSRExit
3876         if !prediction.
3877         
3878         But other than that this was an easy patch.
3879
3880         * dfg/DFGByteCodeParser.cpp:
3881         (JSC::DFG::ByteCodeParser::handleGetById):
3882         * dfg/DFGSpeculativeJIT32_64.cpp:
3883         (JSC::DFG::SpeculativeJIT::compile):
3884         * dfg/DFGSpeculativeJIT64.cpp:
3885         (JSC::DFG::SpeculativeJIT::compile):
3886         * ftl/FTLCapabilities.cpp:
3887         (JSC::FTL::canCompile):
3888         * ftl/FTLIntrinsicRepository.h:
3889         * ftl/FTLLowerDFGToLLVM.cpp:
3890         (JSC::FTL::LowerDFGToLLVM::compileNode):
3891         (JSC::FTL::LowerDFGToLLVM::compileGetById):
3892
3893 2013-10-13  Mark Lam  <mark.lam@apple.com>
3894
3895         Transition misc cti_op_* JITStubs to JIT operations.
3896         https://bugs.webkit.org/show_bug.cgi?id=122645.
3897
3898         Reviewed by Michael Saboff.
3899
3900         Stubs converted:
3901             cti_op_check_has_instance
3902             cti_op_create_arguments
3903             cti_op_del_by_id
3904             cti_op_instanceof
3905             cti_to_object
3906             cti_op_push_activation
3907             cti_op_get_pnames
3908             cti_op_load_varargs
3909
3910         * dfg/DFGOperations.cpp:
3911         * dfg/DFGOperations.h:
3912         * jit/CCallHelpers.h:
3913         (JSC::CCallHelpers::setupArgumentsWithExecState):
3914         * jit/JIT.h:
3915         (JSC::JIT::emitStoreCell):
3916         * jit/JITCall.cpp:
3917         (JSC::JIT::compileLoadVarargs):
3918         * jit/JITCall32_64.cpp:
3919         (JSC::JIT::compileLoadVarargs):
3920         * jit/JITInlines.h:
3921         (JSC::JIT::callOperation):
3922         * jit/JITOpcodes.cpp:
3923         (JSC::JIT::emit_op_get_pnames):
3924         (JSC::JIT::emit_op_create_activation):
3925         (JSC::JIT::emit_op_create_arguments):
3926         (JSC::JIT::emitSlow_op_check_has_instance):
3927         (JSC::JIT::emitSlow_op_instanceof):
3928         (JSC::JIT::emitSlow_op_get_argument_by_val):
3929         * jit/JITOpcodes32_64.cpp:
3930         (JSC::JIT::emitSlow_op_check_has_instance):
3931         (JSC::JIT::emitSlow_op_instanceof):
3932         (JSC::JIT::emit_op_get_pnames):
3933         (JSC::JIT::emit_op_create_activation):
3934         (JSC::JIT::emit_op_create_arguments):
3935         (JSC::JIT::emitSlow_op_get_argument_by_val):
3936         * jit/JITOperations.cpp:
3937         * jit/JITOperations.h:
3938         * jit/JITPropertyAccess.cpp:
3939         (JSC::JIT::emit_op_del_by_id):
3940         * jit/JITPropertyAccess32_64.cpp:
3941         (JSC::JIT::emit_op_del_by_id):
3942         * jit/JITStubs.cpp:
3943         * jit/JITStubs.h:
3944
3945 2013-10-13  Filip Pizlo  <fpizlo@apple.com>
3946
3947         FTL OSR exit should perform zero extension on values smaller than 64-bit
3948         https://bugs.webkit.org/show_bug.cgi?id=122688
3949
3950         Reviewed by Gavin Barraclough.
3951         
3952         In the DFG we usually make the simplistic assumption that a 32-bit value in a 64-bit
3953         register will have zeros on the high bits.  In the few cases where the high bits are
3954         non-zero, the DFG sort of tells us this explicitly.
3955
3956         But when working with llvm.webkit.stackmap, it doesn't work that way.  Consider we might
3957         emit LLVM IR like:
3958
3959             %2 = trunc i64 %1 to i32
3960             stuff %2
3961             call @llvm.webkit.stackmap(...., %2)
3962
3963         LLVM may never actually emit a truncation instruction of any kind.  And that's great - in
3964         many cases it won't be needed, like if 'stuff %2' is a 32-bit op that ignores the high
3965         bits anyway.  Hence LLVM may tell us that %2 is in the register that still had the value
3966         from before truncation, and that register may have garbage in the high bits.
3967
3968         This means that on our end, if we want a 32-bit value and we want that value to be
3969         zero-extended, we should zero-extend it ourselves.  This is pretty easy and should be
3970         cheap, so we should just do it and not make it a requirement that LLVM does it on its
3971         end.
3972         
3973         This makes all tests pass with JSC_ftlOSRExitUsesStackmap=true.
3974
3975         * ftl/FTLOSRExitCompiler.cpp:
3976         (JSC::FTL::compileStubWithOSRExitStackmap):
3977         * ftl/FTLValueFormat.cpp:
3978         (JSC::FTL::reboxAccordingToFormat):
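
        Added example, not JSC's code: a C++ model of the rebox step described above, showing
        why trusting the high bits of a register that LLVM reports for a truncated i32 is wrong.
        The tag constants are those of JSC's 64-bit JSValue encoding (an int32 is the top 16
        bits set plus the zero-extended value; false and true are 0x06 and 0x07), which this
        entry does not spell out; the value formats and function names are simplified stand-ins.

```cpp
#include <cstdint>
#include <cstdio>

enum class ValueFormat { Int32, Boolean, JSValue };

constexpr uint64_t TagTypeNumber = 0xffff000000000000ull;  // JSC: int32 tag in the top 16 bits
constexpr uint64_t ValueFalse = 0x06;                        // JSC encoding of false
constexpr uint64_t ValueTrue = 0x07;                         // JSC encoding of true

// Canonical encoding of an int32 as a 64-bit JSValue.
uint64_t encodeInt32(int32_t value) { return TagTypeNumber | uint64_t(uint32_t(value)); }

// The tag check JSC uses: only looks at the top 16 bits.
bool isInt32(uint64_t v) { return (v & TagTypeNumber) == TagTypeNumber; }

// Stricter check: bits 32..47 must be zero for the encoding to be canonical.
bool isCanonicalInt32(uint64_t v) { return (v >> 32) == 0xffff0000ull; }

int32_t asInt32(uint64_t v) { return int32_t(uint32_t(v)); }

// Constructed input: what a register may look like after "trunc i64 to i32"
// when LLVM never emitted a real truncation, so the high half is stale.
uint64_t registerWithGarbageHighBits(int32_t value, uint32_t garbage) {
    return (uint64_t(garbage) << 32) | uint32_t(value);
}

// Wrong: assumes the high 32 bits are already zero.
uint64_t reboxInt32Unsafe(uint64_t reg) { return TagTypeNumber | reg; }

// Right: zero-extend explicitly before applying the tag.
uint64_t reboxInt32(uint64_t reg) { return TagTypeNumber | uint64_t(uint32_t(reg)); }

// Rebox according to the recorded format; only the low bits are trusted for
// sub-64-bit formats, a full JSValue is passed through untouched.
uint64_t reboxAccordingToFormat(ValueFormat format, uint64_t reg) {
    switch (format) {
    case ValueFormat::Int32:   return reboxInt32(reg);
    case ValueFormat::Boolean: return (reg & 1) ? ValueTrue : ValueFalse;
    case ValueFormat::JSValue: return reg;
    }
    return reg;
}

int main() {
    uint64_t reg = registerWithGarbageHighBits(42, 0xdeadbeefu);
    std::printf("register: 0x%016llx\n", (unsigned long long)reg);
    std::printf("unsafe rebox: 0x%016llx (isInt32=%d canonical=%d)\n",
                (unsigned long long)reboxInt32Unsafe(reg), isInt32(reboxInt32Unsafe(reg)),
                isCanonicalInt32(reboxInt32Unsafe(reg)));
    std::printf("safe rebox:   0x%016llx (isInt32=%d canonical=%d)\n",
                (unsigned long long)reboxInt32(reg), isInt32(reboxInt32(reg)),
                isCanonicalInt32(reboxInt32(reg)));
}
```

        The unsafe rebox still passes the tag check, so the value looks like an int32 and even
        decodes to 42, but its 64-bit word differs from the canonical encoding of 42, which is
        exactly the kind of value that bitwise JSValue comparisons and later tag manipulation
        will mishandle. Doing the zero extension on the OSR exit side costs one 32-bit move and
        removes the dependency on what LLVM chose to leave in the register.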
3979
3980 == Rolled over to ChangeLog-2013-10-13 ==