Uninitialized member causes crash when DFG JIT is not enabled.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2013-10-24  peavo@outlook.com  <peavo@outlook.com>

        Uninitialized member causes crash when DFG JIT is not enabled.
        https://bugs.webkit.org/show_bug.cgi?id=123270

        Reviewed by Brent Fulgham.

        The data member sizeOfLastScratchBuffer in the VM class is only initialized if DFG JIT is enabled, even though it's defined regardless.
        This causes an early crash on Windows, which doesn't have DFG JIT enabled.

        * runtime/VM.cpp:
        (JSC::VM::VM): Initialize sizeOfLastScratchBuffer member regardless of whether DFG JIT is enabled.

2013-10-24  Ryuan Choi  <ryuan.choi@samsung.com>

        [EFL] Build break with latest EFL 1.8 libraries.
        https://bugs.webkit.org/show_bug.cgi?id=123245

        Reviewed by Gyuyoung Kim.

        After the build break on EFL 1.8 was fixed at r138326, the EFL libraries changed
        the Eo typedef and split the header files which contain the version macro.

        * PlatformEfl.cmake: Added EO path to include directories.
        * heap/HeapTimer.h: Changed Ecore_Timer typedef when EO exists.

2013-10-23  Filip Pizlo  <fpizlo@apple.com>

        Put all uses of LLVM intrinsics behind a single Option
        https://bugs.webkit.org/show_bug.cgi?id=123219

        Reviewed by Mark Hahnenberg.

        * ftl/FTLExitThunkGenerator.cpp:
        (JSC::FTL::ExitThunkGenerator::emitThunk):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::generateExitThunks):
        (JSC::FTL::LowerDFGToLLVM::compileGetById):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileFTLOSRExit):
        * runtime/Options.h:

2013-10-23  Daniel Bates  <dabates@apple.com>

        Fix JavaScriptCore build targets following <http://trac.webkit.org/changeset/157864>
        (https://bugs.webkit.org/show_bug.cgi?id=123169)

        Tell Xcode that the supported platforms for all JavaScriptCore targets are iOS and OS X.

        * Configurations/Base.xcconfig:

2013-10-23  Michael Saboff  <msaboff@apple.com>

        LLInt arity check exception processing should start unwinding from caller
        https://bugs.webkit.org/show_bug.cgi?id=123209

        Reviewed by Oliver Hunt.

        Use the caller frame returned from slow_path_call_arityCheck to process exceptions.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2013-10-22  Filip Pizlo  <fpizlo@apple.com>

        FTL should be able to do some simple inline caches using LLVM patchpoints
        https://bugs.webkit.org/show_bug.cgi?id=123164

        Reviewed by Mark Hahnenberg.

        This implements GetById inline caches in the FTL using llvm.webkit.patchpoint.

        The idea is that we ask LLVM for a nop slide the size of a GetById inline
        cache and then fill in the code after LLVM compilation is complete. For now, we
        just use the system calling convention for the arguments and return. We also
        still make some assumptions about registers that aren't correct. But, most of
        the scaffolding is there and this will successfully patch an inline cache.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
        (JSC::LinkBuffer::linkCode):
        (JSC::LinkBuffer::allocate):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::link):
        * ftl/FTLAbbreviations.h:
        (JSC::FTL::constNull):
        (JSC::FTL::buildCall):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLInlineCacheDescriptor.h: Added.
        (JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
        (JSC::FTL::GetByIdDescriptor::GetByIdDescriptor):
        (JSC::FTL::GetByIdDescriptor::stackmapID):
        (JSC::FTL::GetByIdDescriptor::codeOrigin):
        (JSC::FTL::GetByIdDescriptor::uid):
        * ftl/FTLInlineCacheSize.cpp: Added.
        (JSC::FTL::sizeOfGetById):
        (JSC::FTL::sizeOfPutById):
        * ftl/FTLInlineCacheSize.h: Added.
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLJITFinalizer.h:
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::directGPR):
        * ftl/FTLLocation.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetById):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::call):
        * ftl/FTLSlowPathCall.cpp: Added.
        (JSC::FTL::callOperation):
        * ftl/FTLSlowPathCall.h: Added.
        (JSC::FTL::SlowPathCall::SlowPathCall):
        (JSC::FTL::SlowPathCall::call):
        (JSC::FTL::SlowPathCall::key):
        * ftl/FTLSlowPathCallKey.cpp: Added.
        (JSC::FTL::SlowPathCallKey::dump):
        * ftl/FTLSlowPathCallKey.h: Added.
        (JSC::FTL::SlowPathCallKey::SlowPathCallKey):
        (JSC::FTL::SlowPathCallKey::usedRegisters):
        (JSC::FTL::SlowPathCallKey::callTarget):
        (JSC::FTL::SlowPathCallKey::offset):
        (JSC::FTL::SlowPathCallKey::isEmptyValue):
        (JSC::FTL::SlowPathCallKey::isDeletedValue):
        (JSC::FTL::SlowPathCallKey::operator==):
        (JSC::FTL::SlowPathCallKey::hash):
        (JSC::FTL::SlowPathCallKeyHash::hash):
        (JSC::FTL::SlowPathCallKeyHash::equal):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Location::directGPR):
        * ftl/FTLStackMaps.h:
        * ftl/FTLState.h:
        * ftl/FTLThunks.cpp:
        (JSC::FTL::slowPathCallThunkGenerator):
        * ftl/FTLThunks.h:
        (JSC::FTL::Thunks::getSlowPathCallThunk):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArguments):
        * jit/GPRInfo.h:
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::garbageStubInfo):
        (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
        (JSC::JITByIdGenerator::finalize):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITByIdGenerator::slowPathBegin):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::stackRegisters):
        (JSC::RegisterSet::specialRegisters):
        (JSC::RegisterSet::calleeSaveRegisters):
        (JSC::RegisterSet::allGPRs):
        (JSC::RegisterSet::allFPRs):
        (JSC::RegisterSet::allRegisters):
        (JSC::RegisterSet::dump):
        * jit/RegisterSet.h:
        (JSC::RegisterSet::exclude):
        (JSC::RegisterSet::numberOfSetRegisters):
        (JSC::RegisterSet::RegisterSet):
        (JSC::RegisterSet::isEmptyValue):
        (JSC::RegisterSet::isDeletedValue):
        (JSC::RegisterSet::operator==):
        (JSC::RegisterSet::hash):
        (JSC::RegisterSetHash::hash):
        (JSC::RegisterSetHash::equal):
        * runtime/Options.h:

2013-10-22  Filip Pizlo  <fpizlo@apple.com>

        jitCompileAndSetHeuristics should DeferGCForAWhile
        https://bugs.webkit.org/show_bug.cgi?id=123196

        Reviewed by Mark Hahnenberg.

        This fixes random crashes in V8v7/raytrace. I only see those crashes on exactly one of
        my machines. I don't think this is testable; we just need to steadily converge towards
        getting our uses of DeferGC to be right and then be careful not to regress. We're not
        there yet, obviously.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):

2013-10-23  Daniel Bates  <dabates@apple.com>

        [iOS] Upstream more JavaScriptCore build configuration changes
        https://bugs.webkit.org/show_bug.cgi?id=123169

        Reviewed by David Kilzer.

        * Configurations/Base.xcconfig:
        * Configurations/Version.xcconfig:
        * Configurations/iOS.xcconfig: Added.
        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-10-23  Daniel Bates  <dabates@apple.com>

        [iOS] Export DefaultGCActivityCallback member functions
        https://bugs.webkit.org/show_bug.cgi?id=123175

        Reviewed by David Kilzer.

        * runtime/GCActivityCallback.h:

2013-10-23  Daniel Bates  <dabates@apple.com>

        [iOS] Upstream more ARMv7s bits
        https://bugs.webkit.org/show_bug.cgi?id=123052

        Reviewed by Joseph Pecoraro.

        * Configurations/JavaScriptCore.xcconfig:

2013-10-22  Andreas Kling  <akling@apple.com>

        Minor VM* -> VM& cleanups in HashTable and Keywords.
        <https://webkit.org/b/123183>

        Turn some VM* variables that will never be null into VM&.

        Reviewed by Geoffrey Garen.

2013-10-22  Geoffrey Garen  <ggaren@apple.com>

        REGRESSION: `if (false === (true && undefined)) console.log("wrong!");` logs "wrong!", shouldn't!
        https://bugs.webkit.org/show_bug.cgi?id=123179

        Reviewed by Mark Hahnenberg.

        * parser/NodeConstructors.h:
        (JSC::LogicalOpNode::LogicalOpNode):
        * parser/ResultType.h:
        (JSC::ResultType::forLogicalOp): Don't assume that && produces a boolean.
        This is JavaScript (aka Sparta).

2013-10-22  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r157819.
        http://trac.webkit.org/changeset/157819
        https://bugs.webkit.org/show_bug.cgi?id=123180

        Broke 32-bit builds (Requested by smfr on #webkit).

        * Configurations/JavaScriptCore.xcconfig:
        * Configurations/ToolExecutable.xcconfig:

2013-10-22  Daniel Bates  <dabates@apple.com>

        [iOS] Upstream more ARMv7s bits
        https://bugs.webkit.org/show_bug.cgi?id=123052

        Reviewed by Joseph Pecoraro.

        * Configurations/JavaScriptCore.xcconfig:
        * Configurations/ToolExecutable.xcconfig: Enable CLANG_ENABLE_OBJC_ARC for i386 as I'm
        modifying a file in JavaScriptCore/Configurations.

2013-10-22  Daniel Bates  <dabates@apple.com>

        [iOS] Upstream JSLock changes
        https://bugs.webkit.org/show_bug.cgi?id=123107

        Reviewed by Geoffrey Garen.

        * runtime/JSLock.cpp:
        (JSC::JSLock::unlock):
        (JSC::JSLock::dropAllLocks): Modified to take a SpinLock, used only on iOS.
        (JSC::JSLock::dropAllLocksUnconditionally): Modified to take a SpinLock, used only on iOS. Also
        use pre-increment instead of post-increment when we're not using the return value of the instruction.
        (JSC::JSLock::grabAllLocks): Modified to take a SpinLock, used only on iOS. Also change
        places where we were using post-increment/post-decrement to use pre-increment/pre-decrement,
        since we don't use the return value of such instructions.
        (JSC::JSLock::DropAllLocks::DropAllLocks): Modified to support releasing all locks unconditionally.
        Take a spin lock before releasing all locks on iOS. Also, use nullptr instead of 0.
        (JSC::JSLock::DropAllLocks::~DropAllLocks): Take a spin lock before acquiring all locks on iOS.
        * runtime/JSLock.h: Remove extraneous argument name "exec" from DropAllLocks as the data type of
        the argument is sufficiently descriptive of its purpose.

2013-10-22  Julien Brianceau  <jbriance@cisco.com>

        [arm] Add missing setupArgumentsWithExecState() prototypes to fix build.
        https://bugs.webkit.org/show_bug.cgi?id=123166

        Reviewed by Michael Saboff.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):

2013-10-22  Julien Brianceau  <jbriance@cisco.com>

        [sh4][mips][arm] Fix crashes in JSC (32-bit only).
        https://bugs.webkit.org/show_bug.cgi?id=123165

        Reviewed by Michael Saboff.

        * jit/JITInlines.h:
        (JSC::JIT::callOperationNoExceptionCheck): Add missing EABI_32BIT_DUMMY_ARG.
        (JSC::JIT::callOperation): The last TrustedImm32(arg3) is a bit overkill for SH4 :)
        (JSC::JIT::callOperation): Add missing EABI_32BIT_DUMMY_ARG.
        (JSC::JIT::callOperation): Fix tag and payload order for V_JITOperation_EJJJ prototype.

2013-10-22  Julien Brianceau  <jbriance@cisco.com>

        REGRESSION(r157690, r157699) Fix architectures using AssemblerBufferWithConstantPool.
        https://bugs.webkit.org/show_bug.cgi?id=123092

        Reviewed by Michael Saboff.

        Impacted architectures are SH4 and ARM_TRADITIONAL.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::buffer):
        * assembler/AssemblerBufferWithConstantPool.h:
        (JSC::AssemblerBufferWithConstantPool::flushConstantPool):
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::linkCode):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::buffer):

2013-10-22  Julien Brianceau  <jbriance@cisco.com>

        Remove unused stuff in JIT stubs.
        https://bugs.webkit.org/show_bug.cgi?id=123155

        Reviewed by Michael Saboff.

        * jit/JITStubs.h:
        * jit/JITStubsARM.h:
        (JSC::ctiTrampoline):
        * jit/JITStubsARM64.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsMIPS.h:
        * jit/JITStubsSH4.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:

2013-10-22  Daniel Bates  <dabates@apple.com>

        [iOS] Upstream OS-version-specific install paths for JavaScriptCore.framework
        https://bugs.webkit.org/show_bug.cgi?id=123115
        <rdar://problem/13696872>

        Reviewed by Andy Estes.

        Based on a patch by Mark Hahnenberg.

        Add support for running JavaScriptCore-based apps, built against the iOS 7 SDK, on older versions of iOS.

        * API/JSBase.cpp:

2013-10-22  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Add missing lastRegister(), firstFPRegister() and lastFPRegister().
        https://bugs.webkit.org/show_bug.cgi?id=123157

        Reviewed by Andreas Kling.

        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::lastRegister):
        (JSC::SH4Assembler::firstFPRegister):
        (JSC::SH4Assembler::lastFPRegister):

2013-10-22  Brian Holt  <brian.holt@samsung.com>

        Build break on ARMv7 after r157209
        https://bugs.webkit.org/show_bug.cgi?id=122890

        Reviewed by Csaba Osztrogonác.

        Add framePointerRegister and first/last register helpers for ARM_TRADITIONAL.

        * assembler/ARMAssembler.h:
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::firstRegister):
        (JSC::MacroAssemblerARM::lastRegister):
        (JSC::MacroAssemblerARM::firstFPRegister):
        (JSC::MacroAssemblerARM::lastFPRegister):

2013-10-21  Daniel Bates  <dabates@apple.com>

        [iOS] Upstream JSGlobalObject::shouldInterruptScriptBeforeTimeout()
        https://bugs.webkit.org/show_bug.cgi?id=123045

        Reviewed by Joseph Pecoraro.

        * jsc.cpp: Add function pointer for shouldInterruptScriptBeforeTimeout
        to global method table.
        * runtime/JSGlobalObject.cpp: Ditto.
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::shouldInterruptScriptBeforeTimeout): Added.

2013-10-21  Daniel Bates  <dabates@apple.com>

        [iOS] Upstream JSC Objective-C API compiler warning fixes
        https://bugs.webkit.org/show_bug.cgi?id=123125

        Reviewed by Mark Hahnenberg.

        Based on a patch by Mark Hahnenberg.

        * API/JSValue.mm:
        (-[JSValue toPoint]): Cast to CGFloat to fix some compiler warnings about double narrowing to float.
        (-[JSValue toSize]): Ditto.
        * API/tests/testapi.mm: Changed a test that was failing due to overflow of 32-bit NSUInteger on armv7.

2013-10-21  Daniel Bates  <dabates@apple.com>

        [iOS] Mark classes JS{Context, ManagedValue, Value, VirtualMachine} as
        available since iOS 7.0
        https://bugs.webkit.org/show_bug.cgi?id=123122

        Reviewed by Dan Bernstein.

        * API/JSContext.h:
        * API/JSManagedValue.h:
        * API/JSValue.h:
        * API/JSVirtualMachine.h:

2013-10-20  Mark Lam  <mark.lam@apple.com>

        Avoid JSC debugger overhead unless needed.
        https://bugs.webkit.org/show_bug.cgi?id=123084.

        Reviewed by Geoffrey Garen.

        - If no breakpoints are set, we now avoid calling the debug hook callbacks.
        - If no break on exception is set, we also avoid exception event debug callbacks.
        - When we return from the ScriptDebugServer to the JSC::Debugger, we may no
          longer call the debug hook callbacks if not needed. Hence, the m_currentCallFrame
          pointer in the ScriptDebugServer may become stale. To avoid this issue, before
          returning, the ScriptDebugServer will clear its m_currentCallFrame if
          needsOpDebugCallbacks() is false.

        * debugger/Debugger.cpp:
        (JSC::Debugger::Debugger):
        (JSC::Debugger::setNeedsExceptionCallbacks):
        (JSC::Debugger::setShouldPause):
        (JSC::Debugger::updateNumberOfBreakpoints):
        (JSC::Debugger::updateNeedForOpDebugCallbacks):
        * debugger/Debugger.h:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::unwind):
        (JSC::Interpreter::debug):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_debug):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_debug):
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LowLevelInterpreter.asm:

2013-10-21  Brent Fulgham  <bfulgham@apple.com>

        [WIN] Unreviewed build correction.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Handle new JIT files as C++ implementation
          sources, not header files.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.

2013-10-21  Oliver Hunt  <oliver@apple.com>

        Support computed property names in object literals
        https://bugs.webkit.org/show_bug.cgi?id=123112

        Reviewed by Michael Saboff.

        Add support for computed property names to the parser.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createProperty):
        (JSC::ASTBuilder::getName):
        * parser/NodeConstructors.h:
        (JSC::PropertyNode::PropertyNode):
        * parser/Nodes.h:
        (JSC::PropertyNode::expressionName):
        (JSC::PropertyNode::name):
        * parser/Parser.cpp:
        (JSC::::parseProperty):
        (JSC::::parseStrictObjectLiteral):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::Property::Property):
        (JSC::SyntaxChecker::createProperty):
        (JSC::SyntaxChecker::operatorStackPop):

2013-10-21  Michael Saboff  <msaboff@apple.com>

        Add option so that JSC will crash if it can't allocate executable memory for the JITs
        https://bugs.webkit.org/show_bug.cgi?id=123048
        <rdar://problem/12856193>

        Reviewed by Geoffrey Garen.

        Added new option, called crashIfCantAllocateJITMemory. If this option is true then we crash
        when checking the validity of the executable allocator. The default value for this option is
        false, but jsc sets it to true when built for iOS to make it straightforward to identify whether
        the app can obtain executable memory.

        * jsc.cpp: Explicitly enable crashIfCantAllocateJITMemory on iOS.
        (main):
        * runtime/Options.h: Added option crashIfCantAllocateJITMemory.
        * runtime/VM.cpp:
        (JSC::enableAssembler): Modified to crash if option crashIfCantAllocateJITMemory
        is enabled.

2013-10-21  Nadav Rotem  <nrotem@apple.com>

        Remove AllInOneFile.cpp
        https://bugs.webkit.org/show_bug.cgi?id=123055

        Reviewed by Csaba Osztrogonác.

        * AllInOneFile.cpp: Removed.

2013-10-20  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, cleanup a FIXME comment.

        * jit/Repatch.cpp:

2013-10-20  Filip Pizlo  <fpizlo@apple.com>

        StructureStubInfo's usedRegisters set should be able to track all registers, not just the ones that our JIT's view as temporaries
        https://bugs.webkit.org/show_bug.cgi?id=123076

        Reviewed by Sam Weinig.

        Start preparing for a world in which we are patching code generated by LLVM, which may have
        very different register usage conventions than our JITs. This requires us being more explicit
        about the registers we are using. For example, the repatching code shouldn't take for granted
        that tagMaskRegister holds the TagMask or that the register is even in use.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::numberOfRegisters):
        (JSC::MacroAssembler::registerIndex):
        (JSC::MacroAssembler::numberOfFPRegisters):
        (JSC::MacroAssembler::fpRegisterIndex):
        (JSC::MacroAssembler::totalNumberOfRegisters):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::usedRegisters):
        * dfg/DFGSpeculativeJIT.h:
        * ftl/FTLSaveRestore.cpp:
        (JSC::FTL::bytesForGPRs):
        (JSC::FTL::bytesForFPRs):
        (JSC::FTL::offsetOfGPR):
        (JSC::FTL::offsetOfFPR):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/RegisterSet.cpp: Added.
        (JSC::RegisterSet::specialRegisters):
        * jit/RegisterSet.h: Added.
        (JSC::RegisterSet::RegisterSet):
        (JSC::RegisterSet::set):
        (JSC::RegisterSet::clear):
        (JSC::RegisterSet::get):
        (JSC::RegisterSet::merge):
        * jit/Repatch.cpp:
        (JSC::generateProtoChainAccessStub):
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::emitPutReplaceStub):
        (JSC::tryRepatchIn):
        (JSC::linkClosureCall):
        * jit/TempRegisterSet.cpp: Added.
        (JSC::TempRegisterSet::TempRegisterSet):
        * jit/TempRegisterSet.h:

2013-10-20  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Fix build (broken since r157690).
        https://bugs.webkit.org/show_bug.cgi?id=123081

        Reviewed by Andreas Kling.

        * assembler/AssemblerBufferWithConstantPool.h:
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::buffer):
        (JSC::SH4Assembler::readCallTarget):

2013-10-19  Filip Pizlo  <fpizlo@apple.com>

        Simplify TempRegisterSet - it no longer needs to be convertible to a POD since it's no longer going to be a member of a union
        https://bugs.webkit.org/show_bug.cgi?id=123079

        Reviewed by Geoffrey Garen.

        * jit/TempRegisterSet.h:

2013-10-19  Filip Pizlo  <fpizlo@apple.com>

        Rename RegisterSet to TempRegisterSet
        https://bugs.webkit.org/show_bug.cgi?id=123077

        Reviewed by Dan Bernstein.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/StructureStubInfo.h:
        * dfg/DFGJITCompiler.h:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::usedRegisters):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/RegisterSet.h: Removed.
        * jit/ScratchRegisterAllocator.h:
        (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
        * jit/TempRegisterSet.h: Copied from Source/JavaScriptCore/jit/RegisterSet.h.
        (JSC::TempRegisterSet::TempRegisterSet):
        (JSC::TempRegisterSet::asPOD):
        (JSC::TempRegisterSet::copyInfo):

2013-10-19  Filip Pizlo  <fpizlo@apple.com>

        Restructure LinkBuffer to allow for alternate allocation strategies
        https://bugs.webkit.org/show_bug.cgi?id=123071

        Reviewed by Oliver Hunt.

        The idea is to eventually allow a LinkBuffer to place the code into an already
        allocated region of memory.  That region of memory could be the nop-slide left behind
        by a llvm.webkit.patchpoint.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::buffer):
        * assembler/AssemblerBuffer.h:
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        (JSC::LinkBuffer::linkCode):
        (JSC::LinkBuffer::allocate):
        (JSC::LinkBuffer::shrink):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::didFailToAllocate):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::buffer):
        (JSC::X86Assembler::X86InstructionFormatter::memoryModRM):

2013-10-19  Alexey Proskuryakov  <ap@apple.com>

        Some includes in JSC seem to use an incorrect style
        https://bugs.webkit.org/show_bug.cgi?id=123057

        Reviewed by Geoffrey Garen.

        Changed pseudo-system includes to user ones.

        * API/JSContextRef.cpp:
        * API/JSStringRefCF.cpp:
        * API/JSValueRef.cpp:
        * API/OpaqueJSString.cpp:
        * jit/JIT.h:
        * parser/SyntaxChecker.h:
        * runtime/WeakGCMap.h:

2013-10-19  Filip Pizlo  <fpizlo@apple.com>

        Baseline JIT and DFG IC code generation should be unified and rationalized
        https://bugs.webkit.org/show_bug.cgi?id=122939

        Reviewed by Geoffrey Garen.

        Introduce the JITInlineCacheGenerator, which takes a CodeBlock and a CodeOrigin plus
        some register info and creates JIT inline caches for you. Used this to even further
        unify the baseline and DFG ICs. In the future we can use this for FTL ICs. And my hope
        is that we'll be able to use it for cascading ICs: an IC for some instruction may realize
        that it needs to do the equivalent of get_by_id, so with this generator it will be able
        to create an IC even though it wasn't associated with a get_by_id bytecode instruction.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::DataLabelCompact::label):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::ecmaMode):
        * dfg/DFGInlineCacheWrapper.h: Added.
        (JSC::DFG::InlineCacheWrapper::InlineCacheWrapper):
        * dfg/DFGInlineCacheWrapperInlines.h: Added.
        (JSC::DFG::::finalize):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addGetById):
        (JSC::DFG::JITCompiler::addPutById):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::isStrictModeFor):
        (JSC::AssemblyHelpers::strictModeFor):
        * jit/GPRInfo.h:
        (JSC::JSValueRegs::tagGPR):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITInlineCacheGenerator.cpp: Added.
        (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITByIdGenerator::finalize):
        (JSC::JITByIdGenerator::generateFastPathChecks):
        (JSC::JITGetByIdGenerator::generateFastPath):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        (JSC::JITPutByIdGenerator::generateFastPath):
        (JSC::JITPutByIdGenerator::slowPathFunction):
        * jit/JITInlineCacheGenerator.h: Added.
        (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
        (JSC::JITInlineCacheGenerator::stubInfo):
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITByIdGenerator::reportSlowPathCall):
        (JSC::JITByIdGenerator::slowPathJump):
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/RegisterSet.h:
        (JSC::RegisterSet::set):

761 2013-10-19  Alexey Proskuryakov  <ap@apple.com>
762
763         APICast.h uses functions from JSCJSValueInlines.h, but doesn't include it
764         https://bugs.webkit.org/show_bug.cgi?id=123067
765
766         Reviewed by Geoffrey Garen.
767
768         * API/APICast.h: Include it.
769
770 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
771
772         FTL::Location should treat the offset as an addend in the case of a Register location
773         https://bugs.webkit.org/show_bug.cgi?id=123062
774
775         Reviewed by Sam Weinig.
776
777         * ftl/FTLLocation.cpp:
778         (JSC::FTL::Location::forStackmaps):
779         (JSC::FTL::Location::dump):
780         (JSC::FTL::Location::restoreInto):
781         * ftl/FTLLocation.h:
782         (JSC::FTL::Location::forRegister):
783         (JSC::FTL::Location::hasAddend):
784         (JSC::FTL::Location::addend):
785
786 2013-10-19  Nadav Rotem  <nrotem@apple.com>
787
788         DFG dominators: document and rename stuff.
789         https://bugs.webkit.org/show_bug.cgi?id=123056
790
791         Reviewed by Filip Pizlo.
792
793         Documented the code and renamed some variables.
794
795         * dfg/DFGDominators.cpp:
796         (JSC::DFG::Dominators::compute):
797         (JSC::DFG::Dominators::pruneDominators):
798         * dfg/DFGDominators.h:
799
800 2013-10-19  Julien Brianceau  <jbriance@cisco.com>
801
802         Fix build failure for architectures with 4 argument registers.
803         https://bugs.webkit.org/show_bug.cgi?id=123060
804
805         Reviewed by Michael Saboff.
806
807         Add missing setupArgumentsWithExecState() prototypes for architectures with 4 argument registers.
808         Remove SH4 specific code no longer needed since callOperation prototype change in r157660.
809
810         * dfg/DFGSpeculativeJIT.h:
811         (JSC::DFG::SpeculativeJIT::callOperation):
812         * jit/CCallHelpers.h:
813         (JSC::CCallHelpers::setupArgumentsWithExecState):
814         * jit/JITInlines.h:
815         (JSC::JIT::callOperation):
816
817 2013-10-18  Filip Pizlo  <fpizlo@apple.com>
818
819         Unreviewed, fix FTL build.
820
821         * ftl/FTLIntrinsicRepository.h:
822         * ftl/FTLLowerDFGToLLVM.cpp:
823         (JSC::FTL::LowerDFGToLLVM::compileGetById):
824
825 2013-10-18  Filip Pizlo  <fpizlo@apple.com>
826
827         A CodeBlock's StructureStubInfos shouldn't be in a Vector that we search using code origins and machine code PCs
828         https://bugs.webkit.org/show_bug.cgi?id=122940
829
830         Reviewed by Oliver Hunt.
831         
832         This accomplishes a number of simplifications. StructureStubInfo is now non-moving,
833         whereas previously it was in a Vector, so it moved. This allows you to use pointers to
834         StructureStubInfo. This also eliminates the use of return PC as a way of finding the
835         StructureStubInfo's. It removes some of the need for the compile-time property access
836         records; for example the DFG no longer has to save information about registers in a
837         property access record only to later save it to the stub info.
838         
839         The main thing it accomplishes is that it makes it easier to add StructureStubInfo's
840         at any stage of compilation.
841
842         * bytecode/CodeBlock.cpp:
843         (JSC::CodeBlock::printGetByIdCacheStatus):
844         (JSC::CodeBlock::dumpBytecode):
845         (JSC::CodeBlock::~CodeBlock):
846         (JSC::CodeBlock::propagateTransitions):
847         (JSC::CodeBlock::finalizeUnconditionally):
848         (JSC::CodeBlock::addStubInfo):
849         (JSC::CodeBlock::getStubInfoMap):
850         (JSC::CodeBlock::shrinkToFit):
851         * bytecode/CodeBlock.h:
852         (JSC::CodeBlock::begin):
853         (JSC::CodeBlock::end):
854         (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
855         * bytecode/CodeOrigin.h:
856         (JSC::CodeOrigin::CodeOrigin):
857         (JSC::CodeOrigin::isHashTableDeletedValue):
858         (JSC::CodeOrigin::hash):
859         (JSC::CodeOriginHash::hash):
860         (JSC::CodeOriginHash::equal):
861         * bytecode/GetByIdStatus.cpp:
862         (JSC::GetByIdStatus::computeFor):
863         * bytecode/GetByIdStatus.h:
864         * bytecode/PutByIdStatus.cpp:
865         (JSC::PutByIdStatus::computeFor):
866         * bytecode/PutByIdStatus.h:
867         * bytecode/StructureStubInfo.h:
868         (JSC::getStructureStubInfoCodeOrigin):
869         * dfg/DFGByteCodeParser.cpp:
870         (JSC::DFG::ByteCodeParser::parseBlock):
871         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
872         * dfg/DFGJITCompiler.cpp:
873         (JSC::DFG::JITCompiler::link):
874         * dfg/DFGJITCompiler.h:
875         (JSC::DFG::PropertyAccessRecord::PropertyAccessRecord):
876         (JSC::DFG::InRecord::InRecord):
877         * dfg/DFGSpeculativeJIT.cpp:
878         (JSC::DFG::SpeculativeJIT::compileIn):
879         * dfg/DFGSpeculativeJIT.h:
880         (JSC::DFG::SpeculativeJIT::callOperation):
881         * dfg/DFGSpeculativeJIT32_64.cpp:
882         (JSC::DFG::SpeculativeJIT::cachedGetById):
883         (JSC::DFG::SpeculativeJIT::cachedPutById):
884         * dfg/DFGSpeculativeJIT64.cpp:
885         (JSC::DFG::SpeculativeJIT::cachedGetById):
886         (JSC::DFG::SpeculativeJIT::cachedPutById):
887         * jit/CCallHelpers.h:
888         (JSC::CCallHelpers::setupArgumentsWithExecState):
889         * jit/JIT.cpp:
890         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
891         (JSC::JIT::privateCompile):
892         * jit/JIT.h:
893         (JSC::PropertyStubCompilationInfo::slowCaseInfo):
894         * jit/JITInlines.h:
895         (JSC::JIT::callOperation):
896         * jit/JITOperations.cpp:
897         * jit/JITOperations.h:
898         * jit/JITPropertyAccess.cpp:
899         (JSC::JIT::emitSlow_op_get_by_id):
900         (JSC::JIT::emitSlow_op_put_by_id):
901         * jit/JITPropertyAccess32_64.cpp:
902         (JSC::JIT::emitSlow_op_get_by_id):
903         (JSC::JIT::emitSlow_op_put_by_id):
904         * jit/Repatch.cpp:
905         (JSC::appropriateGenericPutByIdFunction):
906         (JSC::appropriateListBuildingPutByIdFunction):
907         (JSC::resetPutByID):
908
909 2013-10-18  Oliver Hunt  <oliver@apple.com>
910
911         Spread operator should be performing direct "puts" and not triggering setters
912         https://bugs.webkit.org/show_bug.cgi?id=123047
913
914         Reviewed by Geoffrey Garen.
915
916         Add a new opcode -- op_put_by_val_direct -- and make use of it in the spread
917         to array construct.  This required a new PutByValDirect node to be introduced to
918         the DFG.  The current implementation simply changes the slow path function that
919         is called, but in future this could be made faster as it does not need to check
920         the prototype chain.
921
922         * bytecode/CodeBlock.cpp:
923         (JSC::CodeBlock::dumpBytecode):
924         (JSC::CodeBlock::CodeBlock):
925         * bytecode/Opcode.h:
926         (JSC::padOpcodeName):
927         * bytecompiler/BytecodeGenerator.cpp:
928         (JSC::BytecodeGenerator::emitDirectPutByVal):
929         * bytecompiler/BytecodeGenerator.h:
930         * bytecompiler/NodesCodegen.cpp:
931         (JSC::ArrayNode::emitBytecode):
932         * dfg/DFGAbstractInterpreterInlines.h:
933         (JSC::DFG::::executeEffects):
934         * dfg/DFGBackwardsPropagationPhase.cpp:
935         (JSC::DFG::BackwardsPropagationPhase::propagate):
936         * dfg/DFGByteCodeParser.cpp:
937         (JSC::DFG::ByteCodeParser::parseBlock):
938         * dfg/DFGCSEPhase.cpp:
939         (JSC::DFG::CSEPhase::getArrayLengthElimination):
940         (JSC::DFG::CSEPhase::getByValLoadElimination):
941         (JSC::DFG::CSEPhase::checkStructureElimination):
942         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
943         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
944         (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
945         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
946         (JSC::DFG::CSEPhase::performNodeCSE):
947         * dfg/DFGCapabilities.cpp:
948         (JSC::DFG::capabilityLevel):
949         * dfg/DFGClobberize.h:
950         (JSC::DFG::clobberize):
951         * dfg/DFGFixupPhase.cpp:
952         (JSC::DFG::FixupPhase::fixupNode):
953         * dfg/DFGGraph.h:
954         (JSC::DFG::Graph::clobbersWorld):
955         * dfg/DFGNode.h:
956         (JSC::DFG::Node::hasArrayMode):
957         * dfg/DFGNodeType.h:
958         * dfg/DFGOperations.cpp:
959         (JSC::DFG::putByVal):
960         (JSC::DFG::operationPutByValInternal):
961         * dfg/DFGOperations.h:
962         * dfg/DFGPredictionPropagationPhase.cpp:
963         (JSC::DFG::PredictionPropagationPhase::propagate):
964         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
965         * dfg/DFGSafeToExecute.h:
966         (JSC::DFG::safeToExecute):
967         * dfg/DFGSpeculativeJIT32_64.cpp:
968         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
969         (JSC::DFG::SpeculativeJIT::compile):
970         * dfg/DFGSpeculativeJIT64.cpp:
971         (JSC::DFG::SpeculativeJIT::compile):
972         * dfg/DFGTypeCheckHoistingPhase.cpp:
973         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
974         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
975         * jit/JIT.cpp:
976         (JSC::JIT::privateCompileMainPass):
977         (JSC::JIT::privateCompileSlowCases):
978         * jit/JIT.h:
979         (JSC::JIT::compileDirectPutByVal):
980         * jit/JITOperations.cpp:
981         * jit/JITOperations.h:
982         * jit/JITPropertyAccess.cpp:
983         (JSC::JIT::emitSlow_op_put_by_val):
984         (JSC::JIT::privateCompilePutByVal):
985         * jit/JITPropertyAccess32_64.cpp:
986         (JSC::JIT::emitSlow_op_put_by_val):
987         * llint/LLIntSlowPaths.cpp:
988         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
989         * llint/LLIntSlowPaths.h:
990         * llint/LowLevelInterpreter32_64.asm:
991         * llint/LowLevelInterpreter64.asm:
992
993 2013-10-18  Daniel Bates  <dabates@apple.com>
994
995         [iOS] Export symbol for VM::sharedInstanceExists()
996         https://bugs.webkit.org/show_bug.cgi?id=123046
997
998         Reviewed by Mark Hahnenberg.
999
1000         * runtime/VM.h:
1001
1002 2013-10-18  Daniel Bates  <dabates@apple.com>
1003
1004         [iOS] Upstream WebSafe{GCActivityCallback, IncrementalSweeper}IOS
1005         https://bugs.webkit.org/show_bug.cgi?id=123049
1006
1007         Reviewed by Mark Hahnenberg.
1008
1009         * heap/Heap.cpp:
1010         (JSC::Heap::setIncrementalSweeper):
1011         * heap/Heap.h:
1012         * heap/HeapTimer.h:
1013         * heap/IncrementalSweeper.h: Make protected and export CF-variant of constructor.
1014         Removed unused include of header RetainPtr.h. Also forward declare class MarkedBlock
1015         (we include its header in the .cpp file) and remove include for header wtf/HashSet.h
1016         (duplicates the include in the .cpp).
1017         * heap/MachineStackMarker.h: Export function makeUsableFromMultipleThreads(). We aren't
1018         making use of this now, but we'll make use of it in a subsequent patch.
1019
1020 2013-10-18  Anders Carlsson  <andersca@apple.com>
1021
1022         Remove spaces between template angle brackets
1023         https://bugs.webkit.org/show_bug.cgi?id=123040
1024
1025         Reviewed by Andreas Kling.
1026
1027         * API/JSCallbackObject.cpp:
1028         (JSC::::create):
1029         * API/JSObjectRef.cpp:
1030         * bytecode/CodeBlock.h:
1031         (JSC::CodeBlock::constants):
1032         (JSC::CodeBlock::setConstantRegisters):
1033         * bytecode/DFGExitProfile.h:
1034         * bytecode/EvalCodeCache.h:
1035         * bytecode/Operands.h:
1036         * bytecode/UnlinkedCodeBlock.h:
1037         (JSC::UnlinkedCodeBlock::constantRegisters):
1038         * bytecode/Watchpoint.h:
1039         * bytecompiler/BytecodeGenerator.h:
1040         * bytecompiler/StaticPropertyAnalysis.h:
1041         * bytecompiler/StaticPropertyAnalyzer.h:
1042         * dfg/DFGArgumentsSimplificationPhase.cpp:
1043         * dfg/DFGBlockInsertionSet.h:
1044         * dfg/DFGCSEPhase.cpp:
1045         (JSC::DFG::performCSE):
1046         (JSC::DFG::performStoreElimination):
1047         * dfg/DFGCommonData.h:
1048         * dfg/DFGDesiredStructureChains.h:
1049         * dfg/DFGDesiredWatchpoints.h:
1050         * dfg/DFGJITCompiler.h:
1051         * dfg/DFGOSRExitCompiler32_64.cpp:
1052         (JSC::DFG::OSRExitCompiler::compileExit):
1053         * dfg/DFGOSRExitCompiler64.cpp:
1054         (JSC::DFG::OSRExitCompiler::compileExit):
1055         * dfg/DFGWorklist.h:
1056         * heap/BlockAllocator.h:
1057         (JSC::CopiedBlock):
1058         (JSC::MarkedBlock):
1059         (JSC::WeakBlock):
1060         (JSC::MarkStackSegment):
1061         (JSC::CopyWorkListSegment):
1062         (JSC::HandleBlock):
1063         * heap/Heap.h:
1064         * heap/Local.h:
1065         * heap/MarkedBlock.h:
1066         * heap/Strong.h:
1067         * jit/AssemblyHelpers.cpp:
1068         (JSC::AssemblyHelpers::decodedCodeMapFor):
1069         * jit/AssemblyHelpers.h:
1070         * jit/SpecializedThunkJIT.h:
1071         * parser/Nodes.h:
1072         * parser/Parser.cpp:
1073         (JSC::::parseIfStatement):
1074         * parser/Parser.h:
1075         (JSC::Scope::copyCapturedVariablesToVector):
1076         (JSC::parse):
1077         * parser/ParserArena.h:
1078         * parser/SourceProviderCacheItem.h:
1079         * profiler/LegacyProfiler.cpp:
1080         (JSC::dispatchFunctionToProfiles):
1081         * profiler/LegacyProfiler.h:
1082         (JSC::LegacyProfiler::currentProfiles):
1083         * profiler/ProfileNode.h:
1084         (JSC::ProfileNode::children):
1085         * profiler/ProfilerDatabase.h:
1086         * runtime/Butterfly.h:
1087         (JSC::Butterfly::contiguousInt32):
1088         (JSC::Butterfly::contiguous):
1089         * runtime/GenericTypedArrayViewInlines.h:
1090         (JSC::::create):
1091         * runtime/Identifier.h:
1092         (JSC::Identifier::add):
1093         * runtime/JSPromise.h:
1094         * runtime/PropertyMapHashTable.h:
1095         * runtime/PropertyNameArray.h:
1096         * runtime/RegExpCache.h:
1097         * runtime/SparseArrayValueMap.h:
1098         * runtime/SymbolTable.h:
1099         * runtime/VM.h:
1100         * tools/CodeProfile.cpp:
1101         (JSC::truncateTrace):
1102         * tools/CodeProfile.h:
1103         * yarr/YarrInterpreter.cpp:
1104         * yarr/YarrInterpreter.h:
1105         (JSC::Yarr::BytecodePattern::BytecodePattern):
1106         * yarr/YarrJIT.cpp:
1107         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
1108         (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
1109         (JSC::Yarr::YarrGenerator::opCompileBody):
1110         * yarr/YarrPattern.cpp:
1111         (JSC::Yarr::YarrPatternConstructor::checkForTerminalParentheses):
1112         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
1113         * yarr/YarrPattern.h:
1114
1115 2013-10-18  Mark Lam  <mark.lam@apple.com>
1116
1117         Remove excess reserved space in ctiTrampoline frames for X86 and X86_64.
1118         https://bugs.webkit.org/show_bug.cgi?id=123037.
1119
1120         Reviewed by Geoffrey Garen.
1121
1122         * jit/JITStubsMSVC64.asm:
1123         * jit/JITStubsX86.h:
1124         * jit/JITStubsX86_64.h:
1125
1126 2013-10-18  Filip Pizlo  <fpizlo@apple.com>
1127
1128         Frequent RELEASE_ASSERT crashes in Structure::checkOffsetConsistency on WebGL swizzler tests
1129         https://bugs.webkit.org/show_bug.cgi?id=121661
1130
1131         Reviewed by Mark Hahnenberg.
1132         
1133         This method shouldn't have been called from the concurrent JIT thread. That's hard to prevent
1134         so I added a return-early check using isCompilationThread().
1135         
1136         Here's why this makes sense. Structure has two ways to tell you about the layout of the objects
1137         it is describing: m_offset and the property table. Most structures only have m_offset and report
1138         null for the property table. If the property table is there, it will tell you additional
1139         information and that information subsumes m_offset - but the m_offset is still there. So, when
1140         we have a property table, we have to keep it in sync with the m_offset. There is a bunch of
1141         machinery to do this.
1142         
1143         Changing the property table only happens on the main thread.
1144         
1145         Because the machinery to change the property table is so complex, especially with respect to
1146         keeping it in sync with m_offset, we have the checkOffsetConsistency method. It's meant to be
1147         called at key points before and after changes to the property table or the offset.
1148
1149         Most clients of Structure who care about object layout, including the concurrent thread, will
1150         want to know m_offset and not the property table. If they want the property table, they will
1151         already be super careful. The concurrent thread has special methods for this, like
1152         Structure::getConcurrently(), which uses fine-grained locking to ensure that it sees a coherent
1153         view of the property table.
1154         
1155         Adding locking to checkOffsetConsistency() is probably a bad idea since that method may be
1156         called when the relevant lock is already held. So, we'd have awkward recursive locking issues.
1157         
1158         But right now, the concurrent JIT thread may call a method, like Structure::outOfLineCapacity(),
1159         which has a call to checkOffsetConsistency(). The call to checkOffsetConsistency() is there
1160         because we have found that it helps quickly identify situations where the property table and
1161         m_offset get out of sync - mainly because code that changes either of those things will usually
1162         also want to know the outOfLineCapacity(). But Structure::outOfLineCapacity() doesn't *actually*
1163         need the property table; it uses the m_offset. The concurrent JIT is correct to call
1164         outOfLineCapacity(), and is right to do so without holding any locks (since in all cases where
1165         it calls outOfLineCapacity() it has already proven that m_offset is immutable). But because
1166         outOfLineCapacity() calls checkOffsetConsistency(), and checkOffsetConsistency() doesn't grab
1167         locks, and that same structure is having its property table modified by the main thread, we end
1168         up with these spurious assertion failures. FWIW, the structure isn't *actually* having *its*
1169         property table modified - instead what happens is that some downstream structure steals the
1170         property table and then starts adding things to it. The concurrent thread loads the property
1171         table before it's stolen, and hence the badness.
1172         
1173         I suspect there are other code paths that lead to the concurrent JIT calling some Structure
1174         method that it is fine and safe to call, but then that method calls checkOffsetConsistency(),
1175         and then you have a possible crash.
1176         
1177         The most sensible solution to this appears to be to make sure that checkOffsetConsistency() is
1178         aware of its uselessness to the concurrent JIT thread. This change makes it return early if
1179         it's in the concurrent JIT.
1180         
1181         * runtime/StructureInlines.h:
1182         (JSC::Structure::checkOffsetConsistency):
1183
1184 2013-10-18  Daniel Bates  <dabates@apple.com>
1185
1186         Add SPI to disable the garbage collector timer
1187         https://bugs.webkit.org/show_bug.cgi?id=122921
1188
1189         Add null check to Heap::setGarbageCollectionTimerEnabled() that I inadvertently
1190         omitted.
1191
1192         * heap/Heap.cpp:
1193         (JSC::Heap::setGarbageCollectionTimerEnabled):
1194
1195 2013-10-18  Julien Brianceau  <jbriance@cisco.com>
1196
1197         Group 64-bit specific and 32-bit specific callOperation implementations.
1198         https://bugs.webkit.org/show_bug.cgi?id=123024
1199
1200         Reviewed by Michael Saboff.
1201
1202         This is not a big deal, but could be less confusing when reading the code.
1203
1204         * jit/JITInlines.h:
1205         (JSC::JIT::callOperation):
1206         (JSC::JIT::callOperationWithCallFrameRollbackOnException):
1207         (JSC::JIT::callOperationNoExceptionCheck):
1208
1209 2013-10-18  Nadav Rotem  <nrotem@apple.com>
1210
1211         Fix a FlushLiveness problem.
1212         https://bugs.webkit.org/show_bug.cgi?id=122984
1213
1214         Reviewed by Filip Pizlo.
1215
1216         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
1217         (JSC::DFG::FlushLivenessAnalysisPhase::process):
1218
1219 2013-10-18  Michael Saboff  <msaboff@apple.com>
1220
1221         Change native function call stubs to use JIT operations instead of ctiVMHandleException
1222         https://bugs.webkit.org/show_bug.cgi?id=122982
1223
1224         Reviewed by Geoffrey Garen.
1225
1226         Change ctiVMHandleException to operationVMHandleException.  Change all exception operations to
1227         return the catch callFrame and entryPC via vm.callFrameForThrow and vm.targetMachinePCForThrow.
1228         This removed calling convention headaches, fixing https://bugs.webkit.org/show_bug.cgi?id=122980
1229         in the process.
1230
1231         * dfg/DFGJITCompiler.cpp:
1232         (JSC::DFG::JITCompiler::compileExceptionHandlers):
1233         * jit/CCallHelpers.h:
1234         (JSC::CCallHelpers::jumpToExceptionHandler):
1235         * jit/JIT.cpp:
1236         (JSC::JIT::privateCompileExceptionHandlers):
1237         * jit/JIT.h:
1238         * jit/JITExceptions.cpp:
1239         (JSC::genericUnwind):
1240         * jit/JITExceptions.h:
1241         * jit/JITInlines.h:
1242         (JSC::JIT::callOperationNoExceptionCheck):
1243         * jit/JITOpcodes.cpp:
1244         (JSC::JIT::emit_op_throw):
1245         * jit/JITOpcodes32_64.cpp:
1246         (JSC::JIT::privateCompileCTINativeCall):
1247         (JSC::JIT::emit_op_throw):
1248         * jit/JITOperations.cpp:
1249         * jit/JITOperations.h:
1250         * jit/JITStubs.cpp:
1251         * jit/JITStubs.h:
1252         * jit/JITStubsARM.h:
1253         * jit/JITStubsARM64.h:
1254         * jit/JITStubsARMv7.h:
1255         * jit/JITStubsMIPS.h:
1256         * jit/JITStubsMSVC64.asm:
1257         * jit/JITStubsSH4.h:
1258         * jit/JITStubsX86.h:
1259         * jit/JITStubsX86_64.h:
1260         * jit/Repatch.cpp:
1261         (JSC::tryBuildGetByIDList):
1262         * jit/SlowPathCall.h:
1263         (JSC::JITSlowPathCall::call):
1264         * jit/ThunkGenerators.cpp:
1265         (JSC::throwExceptionFromCallSlowPathGenerator):
1266         (JSC::nativeForGenerator):
1267         * runtime/VM.h:
1268         (JSC::VM::callFrameForThrowOffset):
1269         (JSC::VM::targetMachinePCForThrowOffset):
1270
1271 2013-10-18  Julien Brianceau  <jbriance@cisco.com>
1272
1273         Fix J_JITOperation_EAapJ call for MIPS and ARM EABI.
1274         https://bugs.webkit.org/show_bug.cgi?id=123023
1275
1276         Reviewed by Michael Saboff.
1277
1278         * jit/JITInlines.h:
1279         (JSC::JIT::callOperation): EncodedJSValue parameter does not need alignment
1280         using EABI_32BIT_DUMMY_ARG here.
1281
1282 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
1283
1284         Unreviewed, another ARM64 build fix.
1285         
1286         Get rid of andPtr(TrustedImmPtr, blah), since it would take Effort to get it to work
1287         on ARM64 and none of its uses are legit - they should all be using
1288         andPtr(TrustedImm32, blah) anyway.
1289
1290         * assembler/MacroAssembler.h:
1291         * assembler/MacroAssemblerARM64.h:
1292         * dfg/DFGJITCompiler.cpp:
1293         (JSC::DFG::JITCompiler::compileExceptionHandlers):
1294         * jit/JIT.cpp:
1295         (JSC::JIT::privateCompileExceptionHandlers):
1296
1297 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
1298
1299         Unreviewed, speculative ARM64 build fix.
1300         
1301         move(ImmPtr, blah) is only available in MacroAssembler since that's where blinding is
1302         implemented. So, you have to use TrustedImmPtr in the superclasses.
1303
1304         * assembler/MacroAssemblerARM64.h:
1305         (JSC::MacroAssemblerARM64::store8):
1306         (JSC::MacroAssemblerARM64::branchTest8):
1307
1308 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
1309
1310         Unreviewed, speculative ARM build fix.
1311         https://bugs.webkit.org/show_bug.cgi?id=122890
1312         <rdar://problem/15258624>
1313
1314         * assembler/ARM64Assembler.h:
1315         (JSC::ARM64Assembler::firstRegister):
1316         (JSC::ARM64Assembler::lastRegister):
1317         (JSC::ARM64Assembler::firstFPRegister):
1318         (JSC::ARM64Assembler::lastFPRegister):
1319         * assembler/MacroAssemblerARM64.h:
1320         * assembler/MacroAssemblerARMv7.h:
1321
1322 2013-10-17  Andreas Kling  <akling@apple.com>
1323
1324         Pass VM instead of JSGlobalObject to JSONObject constructor.
1325         <https://webkit.org/b/122999>
1326
1327         JSONObject was only using the JSGlobalObject to grab at the VM.
1328         Dodge a few loads by passing the VM directly instead.
1329
1330         Reviewed by Geoffrey Garen.
1331
1332         * runtime/JSONObject.cpp:
1333         (JSC::JSONObject::JSONObject):
1334         (JSC::JSONObject::finishCreation):
1335         * runtime/JSONObject.h:
1336         (JSC::JSONObject::create):
1337
1338 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
1339
1340         Removed the JITStackFrame struct
1341         https://bugs.webkit.org/show_bug.cgi?id=123001
1342
1343         Reviewed by Anders Carlsson.
1344
1345         * jit/JITStubs.h: JITStackFrame and JITStubArg are unused now, since all
1346         our helper functions obey the C function call ABI.
1347
1348 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
1349
1350         Removed an unused #define
1351         https://bugs.webkit.org/show_bug.cgi?id=123000
1352
1353         Reviewed by Anders Carlsson.
1354
1355         * jit/JITStubs.h: Removed the concept of JITSTACKFRAME_ARGS_INDEX,
1356         since it is unused now. This is a step toward using the C stack.
1357
1358 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
1359
1360         Eliminate uses of JITSTACKFRAME_ARGS_INDEX as scratch area for thunks
1361         https://bugs.webkit.org/show_bug.cgi?id=122973
1362
1363         Reviewed by Michael Saboff.
1364
1365         * jit/ThunkGenerators.cpp:
1366         (JSC::throwExceptionFromCallSlowPathGenerator): This was all dead code,
1367         so I removed it.
1368
1369         The code acted as if it needed to pass an argument to
1370         lookupExceptionHandler, and as if it passed that argument to itself
1371         through JITStackFrame. However, lookupExceptionHandler does not take
1372         an argument (other than the default ExecState argument), and the code
1373         did not initialize the thing that it thought it passed to itself!
1374
1375 2013-10-17  Alex Christensen  <achristensen@webkit.org>
1376
1377         Run JavaScriptCore tests again on Windows.
1378         https://bugs.webkit.org/show_bug.cgi?id=122787
1379
1380         Reviewed by Tim Horton.
1381
1382         * JavaScriptCore.vcxproj/JavaScriptCore.sln: Added.
1383         * jit/JITStubsMSVC64.asm: Removed reference to cti_vm_throw unused since r157581.
1384
1385 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
1386
1387         Removed restoreArgumentReference (another use of JITStackFrame)
1388         https://bugs.webkit.org/show_bug.cgi?id=122997
1389
1390         Reviewed by Oliver Hunt.
1391
1392         * jit/JSInterfaceJIT.h: Removed an unused function. This is a step
1393         toward using the C stack.
1394
1395 2013-10-17  Oliver Hunt  <oliver@apple.com>
1396
1397         Remove JITStubCall.h
1398         https://bugs.webkit.org/show_bug.cgi?id=122991
1399
1400         Reviewed by Geoff Garen.
1401
1402         Happily this is no longer used.
1403
1404         * GNUmakefile.list.am:
1405         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1406         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1407         * JavaScriptCore.xcodeproj/project.pbxproj:
1408         * jit/JIT.cpp:
1409         * jit/JITArithmetic.cpp:
1410         * jit/JITArithmetic32_64.cpp:
1411         * jit/JITCall.cpp:
1412         * jit/JITCall32_64.cpp:
1413         * jit/JITOpcodes.cpp:
1414         * jit/JITOpcodes32_64.cpp:
1415         * jit/JITPropertyAccess.cpp:
1416         * jit/JITPropertyAccess32_64.cpp:
1417         * jit/JITStubCall.h: Removed.
1418
1419 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
1420
1421         Removed a use of JITSTACKFRAME_ARGS_INDEX
1422         https://bugs.webkit.org/show_bug.cgi?id=122989
1423
1424         Reviewed by Oliver Hunt.
1425
1426         * jit/JITStubCall.h: Removed an unused function. This is one step closer
1427         to using the C stack.
1428
1429 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
1430
1431         Change emit_op_catch to use another method to materialize VM
1432         https://bugs.webkit.org/show_bug.cgi?id=122977
1433
1434         Reviewed by Oliver Hunt.
1435
1436         * jit/JITOpcodes.cpp:
1437         (JSC::JIT::emit_op_catch):
1438         * jit/JITOpcodes32_64.cpp:
1439         (JSC::JIT::emit_op_catch): Use a constant. It removes our dependency
1440         on JITStackFrame. It is also faster and simpler.
1441
1442 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
1443
1444         Eliminate emitGetJITStubArg() - dead code
1445         https://bugs.webkit.org/show_bug.cgi?id=122975
1446
1447         Reviewed by Anders Carlsson.
1448
1449         * jit/JIT.h:
1450         * jit/JITInlines.h: Removed unused, deprecated function.
1451
1452 2013-10-17  Mark Lam  <mark.lam@apple.com>
1453
1454         Eliminate all ASSERT references to OBJECT_OFFSETOF(struct JITStackFrame,...) in JITStubsXXX.h.
1455         https://bugs.webkit.org/show_bug.cgi?id=122979.
1456
1457         Reviewed by Michael Saboff.
1458
1459         * jit/JITStubs.cpp:
1460         * jit/JITStubs.h:
1461         * jit/JITStubsARM.h:
1462         * jit/JITStubsARM64.h:
1463         * jit/JITStubsARMv7.h:
1464         * jit/JITStubsMIPS.h:
1465         * jit/JITStubsSH4.h:
1466         * jit/JITStubsX86.h:
1467         * jit/JITStubsX86_64.h:
1468         * runtime/VM.cpp:
1469         (JSC::VM::VM):
1470
1471 2013-10-17  Michael Saboff  <msaboff@apple.com>
1472
1473         Remove saving callFrameRegister to JITStackFrame in JITCompiler::compileFunction()
1474         https://bugs.webkit.org/show_bug.cgi?id=122974
1475
1476         Reviewed by Geoffrey Garen.
1477
1478         Eliminated unneeded storing to JITStackFrame.
1479
1480         * dfg/DFGJITCompiler.cpp:
1481         (JSC::DFG::JITCompiler::compileFunction):
1482
1483 2013-10-17  Michael Saboff  <msaboff@apple.com>
1484
1485         Transition cti_op_throw and cti_vm_throw to a JIT operation
1486         https://bugs.webkit.org/show_bug.cgi?id=122931
1487
1488         Reviewed by Filip Pizlo.
1489
1490         Moved cti_op_throw to operationThrow.  Made the caller responsible for jumping to the
1491         catch handler.  Eliminated cti_op_throw_static_error, cti_vm_throw, ctiVMThrowTrampoline()
1492         and their callers as it is now dead code.  There is some work needed on the Microsoft X86
1493         callOperation to handle the need to provide space for structure return value.
1494
1495         * jit/JIT.h:
1496         * jit/JITInlines.h:
1497         (JSC::JIT::callOperation):
1498         * jit/JITOpcodes.cpp:
1499         (JSC::JIT::emit_op_throw):
1500         * jit/JITOpcodes32_64.cpp:
1501         (JSC::JIT::emit_op_throw):
1502         (JSC::JIT::emit_op_catch):
1503         * jit/JITOperations.cpp:
1504         * jit/JITOperations.h:
1505         * jit/JITStubs.cpp:
1506         * jit/JITStubs.h:
1507         * jit/JITStubsARM.h:
1508         * jit/JITStubsARM64.h:
1509         * jit/JITStubsARMv7.h:
1510         * jit/JITStubsMIPS.h:
1511         * jit/JITStubsMSVC64.asm:
1512         * jit/JITStubsSH4.h:
1513         * jit/JITStubsX86.h:
1514         * jit/JITStubsX86_64.h:
1515         * jit/JSInterfaceJIT.h:
1516
1517 2013-10-17  Mark Lam  <mark.lam@apple.com>
1518
1519         Remove JITStackFrame references in the C Loop LLINT.
1520         https://bugs.webkit.org/show_bug.cgi?id=122950.
1521
1522         Reviewed by Michael Saboff.
1523
1524         * jit/JITStubs.h:
1525         * llint/LowLevelInterpreter.cpp:
1526         (JSC::CLoop::execute):
1527         * offlineasm/cloop.rb:
1528
1529 2013-10-17  Mark Lam  <mark.lam@apple.com>
1530
1531         Remove JITStackFrame references in JIT probes.
1532         https://bugs.webkit.org/show_bug.cgi?id=122947.
1533
1534         Reviewed by Michael Saboff.
1535
1536         * assembler/MacroAssemblerARM.cpp:
1537         (JSC::MacroAssemblerARM::ProbeContext::dump):
1538         * assembler/MacroAssemblerARM.h:
1539         * assembler/MacroAssemblerARMv7.cpp:
1540         (JSC::MacroAssemblerARMv7::ProbeContext::dump):
1541         * assembler/MacroAssemblerARMv7.h:
1542         * assembler/MacroAssemblerX86Common.cpp:
1543         (JSC::MacroAssemblerX86Common::ProbeContext::dump):
1544         * assembler/MacroAssemblerX86Common.h:
1545         * jit/JITStubsARM.h:
1546         * jit/JITStubsARMv7.h:
1547         * jit/JITStubsX86.h:
1548         * jit/JITStubsX86Common.h:
1549         * jit/JITStubsX86_64.h:
1550
1551 2013-10-17  Julien Brianceau  <jbriance@cisco.com>
1552
1553         Fix build when NUMBER_OF_ARGUMENT_REGISTERS == 4.
1554         https://bugs.webkit.org/show_bug.cgi?id=122949
1555
1556         Reviewed by Andreas Kling.
1557
1558         * jit/CCallHelpers.h:
1559         (JSC::CCallHelpers::setupArgumentsWithExecState):
1560
1561 2013-10-16  Mark Lam  <mark.lam@apple.com>
1562
1563         Transition remaining op_get* JITStubs to JIT operations.
1564         https://bugs.webkit.org/show_bug.cgi?id=122925.
1565
1566         Reviewed by Geoffrey Garen.
1567
1568         Transitioning:
1569             cti_op_get_by_id_generic
1570             cti_op_get_by_val
1571             cti_op_get_by_val_generic
1572             cti_op_get_by_val_string
1573
1574         * dfg/DFGOperations.cpp:
1575         * dfg/DFGOperations.h:
1576         * jit/JIT.h:
1577         * jit/JITInlines.h:
1578         (JSC::JIT::callOperation):
1579         * jit/JITOpcodes.cpp:
1580         (JSC::JIT::emitSlow_op_get_arguments_length):
1581         (JSC::JIT::emitSlow_op_get_argument_by_val):
1582         * jit/JITOpcodes32_64.cpp:
1583         (JSC::JIT::emitSlow_op_get_arguments_length):
1584         (JSC::JIT::emitSlow_op_get_argument_by_val):
1585         * jit/JITOperations.cpp:
1586         * jit/JITOperations.h:
1587         * jit/JITPropertyAccess.cpp:
1588         (JSC::JIT::emitSlow_op_get_by_val):
1589         (JSC::JIT::emitSlow_op_get_by_pname):
1590         (JSC::JIT::privateCompileGetByVal):
1591         * jit/JITPropertyAccess32_64.cpp:
1592         (JSC::JIT::emitSlow_op_get_by_val):
1593         (JSC::JIT::emitSlow_op_get_by_pname):
1594         * jit/JITStubs.cpp:
1595         * jit/JITStubs.h:
1596         * runtime/Executable.cpp:
1597         (JSC::setupLLInt): Added some UNUSED_PARAMs to fix the no LLINT build.
1598         * runtime/Options.cpp:
1599         (JSC::Options::initialize):
1600
1601 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
1602
1603         Introduce WTF::Bag and start using it for InlineCallFrameSet
1604         https://bugs.webkit.org/show_bug.cgi?id=122941
1605
1606         Reviewed by Geoffrey Garen.
1607         
1608         Use Bag for InlineCallFrameSet. If this works out then I'll make other
1609         SegmentedVectors into Bags as well.
1610
1611         * bytecode/InlineCallFrameSet.cpp:
1612         (JSC::InlineCallFrameSet::add):
1613         * bytecode/InlineCallFrameSet.h:
1614         (JSC::InlineCallFrameSet::begin):
1615         (JSC::InlineCallFrameSet::end):
1616         * dfg/DFGArgumentsSimplificationPhase.cpp:
1617         (JSC::DFG::ArgumentsSimplificationPhase::run):
1618         * dfg/DFGJITCompiler.cpp:
1619         (JSC::DFG::JITCompiler::link):
1620         * dfg/DFGStackLayoutPhase.cpp:
1621         (JSC::DFG::StackLayoutPhase::run):
1622         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
1623         (JSC::DFG::VirtualRegisterAllocationPhase::run):
1624
1625 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
1626
1627         libllvmForJSC shouldn't call exit(1) on report_fatal_error()
1628         https://bugs.webkit.org/show_bug.cgi?id=122905
1629         <rdar://problem/15237856>
1630
1631         Reviewed by Michael Saboff.
1632         
1633         Expose the new LLVMInstallFatalErrorHandler() API through the soft linking magic and
1634         then always call it to install something that calls CRASH().
1635
1636         * llvm/InitializeLLVM.cpp:
1637         (JSC::llvmCrash):
1638         (JSC::initializeLLVMOnce):
1639         (JSC::initializeLLVM):
1640         * llvm/LLVMAPIFunctions.h:
1641
1642 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
1643
1644         Prototype chain repatching in the polymorphic case fails to check if the receiver is a dictionary
1645         https://bugs.webkit.org/show_bug.cgi?id=122938
1646
1647         Reviewed by Sam Weinig.
1648         
1649         This fixes jsc-layout-tests.yaml/js/script-tests/dictionary-prototype-caching.js.layout-no-llint.
1650
1651         * jit/Repatch.cpp:
1652         (JSC::tryBuildGetByIDList):
1653
1654 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
1655
1656         JIT::appendCall() needs to killLastResultRegister() or equivalent since there's some really bad code that expects it
1657         https://bugs.webkit.org/show_bug.cgi?id=122937
1658
1659         Reviewed by Geoffrey Garen.
1660         
1661         JITStubCall used to do it.
1662         
1663         This makes mozilla-tests.yaml/ecma/Statements/12.10-1.js.mozilla-baseline pass.
1664
1665         * jit/JIT.h:
1666         (JSC::JIT::appendCall):
1667
1668 2013-10-16  Michael Saboff  <msaboff@apple.com>
1669
1670         transition void cti_op_put_by_val* stubs to JIT operations
1671         https://bugs.webkit.org/show_bug.cgi?id=122903
1672
1673         Reviewed by Geoffrey Garen.
1674
1675         Transitioned cti_op_put_by_val and cti_op_put_by_val_generic to operationPutByVal and
1676         operationPutByValGeneric.
1677
1678         * jit/CCallHelpers.h:
1679         (JSC::CCallHelpers::setupArgumentsWithExecState):
1680         * jit/JIT.h:
1681         * jit/JITInlines.h:
1682         (JSC::JIT::callOperation):
1683         * jit/JITOperations.cpp:
1684         * jit/JITOperations.h:
1685         * jit/JITPropertyAccess.cpp:
1686         (JSC::JIT::emitSlow_op_put_by_val):
1687         (JSC::JIT::privateCompilePutByVal):
1688         * jit/JITPropertyAccess32_64.cpp:
1689         (JSC::JIT::emitSlow_op_put_by_val):
1690         * jit/JITStubs.cpp:
1691         * jit/JITStubs.h:
1692         * jit/JSInterfaceJIT.h:
1693
1694 2013-10-16  Oliver Hunt  <oliver@apple.com>
1695
1696         Implement ES6 spread operator
1697         https://bugs.webkit.org/show_bug.cgi?id=122911
1698
1699         Reviewed by Michael Saboff.
1700
1701         Implement the ES6 spread operator
1702
1703         This has a little bit of refactoring to move the enumeration logic out of ForOfNode
1704         and into BytecodeGenerator, and then adds the logic to make it nicely callback
1705         driven.
1706
1707         The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
1708         and actually handling the spread.
1709
1710         * bytecompiler/BytecodeGenerator.cpp:
1711         (JSC::BytecodeGenerator::emitNewArray):
1712         (JSC::BytecodeGenerator::emitCall):
1713         (JSC::BytecodeGenerator::emitEnumeration):
1714         * bytecompiler/BytecodeGenerator.h:
1715         * bytecompiler/NodesCodegen.cpp:
1716         (JSC::ArrayNode::emitBytecode):
1717         (JSC::ForOfNode::emitBytecode):
1718         (JSC::SpreadExpressionNode::emitBytecode):
1719         * parser/ASTBuilder.h:
1720         (JSC::ASTBuilder::createSpreadExpression):
1721         * parser/Lexer.cpp:
1722         (JSC::::lex):
1723         * parser/NodeConstructors.h:
1724         (JSC::SpreadExpressionNode::SpreadExpressionNode):
1725         * parser/Nodes.h:
1726         (JSC::ExpressionNode::isSpreadExpression):
1727         (JSC::SpreadExpressionNode::expression):
1728         * parser/Parser.cpp:
1729         (JSC::::parseArrayLiteral):
1730         (JSC::::parseArguments):
1731         (JSC::::parseMemberExpression):
1732         * parser/Parser.h:
1733         (JSC::Parser::getTokenName):
1734         (JSC::Parser::updateErrorMessageSpecialCase):
1735         * parser/ParserTokens.h:
1736         * parser/SyntaxChecker.h:
1737         (JSC::SyntaxChecker::createSpreadExpression):
1738
1739 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
1740
1741         Add a useLLInt option to jsc
1742         https://bugs.webkit.org/show_bug.cgi?id=122930
1743
1744         Reviewed by Geoffrey Garen.
1745
1746         * runtime/Executable.cpp:
1747         (JSC::setupLLInt):
1748         (JSC::setupJIT):
1749         (JSC::ScriptExecutable::prepareForExecutionImpl):
1750         * runtime/Options.h:
1751
1752 2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>
1753
1754         Build fix.
1755
1756         Forgot to svn add DeferGC.cpp
1757
1758         * heap/DeferGC.cpp: Added.
1759
1760 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
1761
1762         r157411 fails run-javascriptcore-tests when run with Baseline JIT
1763         https://bugs.webkit.org/show_bug.cgi?id=122902
1764
1765         Reviewed by Mark Hahnenberg.
1766         
1767         It turns out that this was a long-standing bug in the DFG PutById repatching logic. It's
1768         not legal to patch if the typeInfo tells you that you can't patch. The old JIT's patching
1769         logic did this right, and the DFG's GetById patching logic did it right; but DFG PutById
1770         didn't. Turns out that there's even a helpful method,
1771         Structure::propertyAccessesAreCacheable(), that will even do all of the checks for you!
1772
1773         * jit/Repatch.cpp:
1774         (JSC::tryCachePutByID):
1775
1776 2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>
1777
1778         llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
1779         https://bugs.webkit.org/show_bug.cgi?id=122667
1780
1781         Reviewed by Geoffrey Garen.
1782
1783         The issue this patch is attempting to fix is that there are places in our codebase
1784         where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
1785         operations that can initiate a garbage collection. Garbage collection then calls 
1786         some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
1787         always necessarily run during garbage collection). This causes a deadlock.
1788  
1789         To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores 
1790         into a thread-local field that indicates that it is unsafe to perform any operation 
1791         that could trigger garbage collection on the current thread. In debug builds, 
1792         ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly 
1793         detect deadlocks.
1794  
1795         This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
1796         which uses the DeferGC mechanism to prevent collections from occurring while the 
1797         lock is held.
1798
1799         * CMakeLists.txt:
1800         * GNUmakefile.list.am:
1801         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1802         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1803         * JavaScriptCore.xcodeproj/project.pbxproj:
1804         * heap/DeferGC.h:
1805         (JSC::DisallowGC::DisallowGC):
1806         (JSC::DisallowGC::~DisallowGC):
1807         (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
1808         (JSC::DisallowGC::initialize):
1809         * jit/Repatch.cpp:
1810         (JSC::repatchPutByID):
1811         (JSC::buildPutByIdList):
1812         * llint/LLIntSlowPaths.cpp:
1813         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1814         * runtime/ConcurrentJITLock.h:
1815         (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
1816         (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
1817         (JSC::ConcurrentJITLockerBase::unlockEarly):
1818         (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
1819         (JSC::GCSafeConcurrentJITLocker::~GCSafeConcurrentJITLocker):
1820         (JSC::GCSafeConcurrentJITLocker::NoDefer::NoDefer):
1821         (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
1822         * runtime/InitializeThreading.cpp:
1823         (JSC::initializeThreadingOnce):
1824         * runtime/JSCellInlines.h:
1825         (JSC::allocateCell):
1826         * runtime/JSSymbolTableObject.h:
1827         (JSC::symbolTablePut):
1828         * runtime/Structure.cpp: materializePropertyMapIfNecessary* now has a problem in that it
1829         can start a garbage collection when the GCSafeConcurrentJITLocker goes out of scope, but 
1830         before the caller has a chance to use the newly created PropertyTable. The garbage collection
1831         clears the PropertyTable, and then the caller uses it assuming it's valid. To avoid this,
1832         we must DeferGC until the caller is done getting the newly materialized PropertyTable from 
1833         the Structure.
1834         (JSC::Structure::materializePropertyMap):
1835         (JSC::Structure::despecifyDictionaryFunction):
1836         (JSC::Structure::changePrototypeTransition):
1837         (JSC::Structure::despecifyFunctionTransition):
1838         (JSC::Structure::attributeChangeTransition):
1839         (JSC::Structure::toDictionaryTransition):
1840         (JSC::Structure::preventExtensionsTransition):
1841         (JSC::Structure::takePropertyTableOrCloneIfPinned):
1842         (JSC::Structure::isSealed):
1843         (JSC::Structure::isFrozen):
1844         (JSC::Structure::addPropertyWithoutTransition):
1845         (JSC::Structure::removePropertyWithoutTransition):
1846         (JSC::Structure::get):
1847         (JSC::Structure::despecifyFunction):
1848         (JSC::Structure::despecifyAllFunctions):
1849         (JSC::Structure::putSpecificValue):
1850         (JSC::Structure::createPropertyMap):
1851         (JSC::Structure::getPropertyNamesFromStructure):
1852         * runtime/Structure.h:
1853         (JSC::Structure::materializePropertyMapIfNecessary):
1854         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
1855         * runtime/StructureInlines.h:
1856         (JSC::Structure::get):
1857         * runtime/SymbolTable.h:
1858         (JSC::SymbolTable::find):
1859         (JSC::SymbolTable::end):
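
        The deadlock described in this entry, the DisallowGC / DeferGC guards that address it, and the
        Structure::materializePropertyMap hazard noted under runtime/Structure.cpp, modelled as an added
        C++ example. This is illustration code written for this page, not JavaScriptCore's own
        implementation: the names DisallowGC, DeferGC, ConcurrentJITLocker and GCSafeConcurrentJITLocker
        are taken from the entry, while ToyHeap, ToyLock, Outcome, the thread-local depth counters and
        the numeric stand-in for a PropertyTable are assumptions of this model. Where the real
        ConcurrentJITLocker asserts in debug builds, the model records a flag instead so the outcome can
        be inspected.

```cpp
// Added model of the DisallowGC / DeferGC mechanism; not JavaScriptCore's code.
// ToyHeap, ToyLock, Outcome and the thread-local counters are assumptions.
#include <cassert>
#include <cstdio>

static thread_local int s_gcDisallowDepth = 0;  // > 0: a collection here would deadlock
static thread_local int s_gcDeferDepth = 0;     // > 0: collection requests are queued
static thread_local bool s_gcRequested = false; // a request arrived while deferred

struct ToyHeap {
    int collections = 0;
    bool deadlockDetected = false; // stands in for the debug-build assertion
    int propertyTable = 0;         // non-zero: a materialized PropertyTable exists

    // Request a collection, as an allocation inside the engine might.
    void collect() {
        if (s_gcDisallowDepth > 0) { deadlockDetected = true; return; } // lock is held
        if (s_gcDeferDepth > 0) { s_gcRequested = true; return; }      // run later
        ++collections;
        propertyTable = 0; // the collector clears the PropertyTable
    }
};

// RAII: the current thread must not perform any GC-triggering operation.
struct DisallowGC {
    DisallowGC() { ++s_gcDisallowDepth; }
    ~DisallowGC() { --s_gcDisallowDepth; }
    static bool isGCDisallowedOnCurrentThread() { return s_gcDisallowDepth > 0; }
};

// RAII: collections are postponed until the outermost DeferGC is destroyed.
struct DeferGC {
    ToyHeap& m_heap;
    explicit DeferGC(ToyHeap& heap) : m_heap(heap) { ++s_gcDeferDepth; }
    ~DeferGC() {
        if (--s_gcDeferDepth == 0 && s_gcRequested) { s_gcRequested = false; m_heap.collect(); }
    }
};

struct ToyLock { bool held = false; }; // non-reentrant, like ConcurrentJITLock

// Plain locker: embeds a DisallowGC, so a collection under the lock is caught eagerly.
struct ConcurrentJITLocker {
    ToyLock& m_lock;
    DisallowGC m_disallowGC;
    explicit ConcurrentJITLocker(ToyLock& lock) : m_lock(lock) { assert(!lock.held); lock.held = true; }
    ~ConcurrentJITLocker() { m_lock.held = false; }
};

// GC-safe locker: DeferGC is a member, so its destructor (and any deferred
// collection) runs only after the destructor body has released the lock.
struct GCSafeConcurrentJITLocker {
    DeferGC m_deferGC;
    ToyLock& m_lock;
    GCSafeConcurrentJITLocker(ToyLock& lock, ToyHeap& heap) : m_deferGC(heap), m_lock(lock) { assert(!lock.held); lock.held = true; }
    ~GCSafeConcurrentJITLocker() { m_lock.held = false; }
};

// The deadlock-prone pattern: a collection requested while the plain lock is held.
bool collectUnderPlainLockerIsCaught() {
    ToyHeap heap; ToyLock lock;
    {
        ConcurrentJITLocker locker(lock);
        heap.collect();
    }
    return heap.deadlockDetected && heap.collections == 0;
}

// Model of Structure::materializePropertyMap: builds the table under the GC-safe
// lock, and an allocation along the way requests a collection.
void materializePropertyTable(ToyHeap& heap, ToyLock& lock) {
    GCSafeConcurrentJITLocker locker(lock, heap);
    heap.propertyTable = 42; // constructed stand-in for the fresh PropertyTable
    heap.collect();
}

struct Outcome { int table; int collections; }; // what the caller observes

// Without an outer DeferGC the deferred collection runs as the locker exits and
// clears the table before the caller reads it.
Outcome materializeWithoutOuterDefer() {
    ToyHeap heap; ToyLock lock;
    materializePropertyTable(heap, lock);
    return { heap.propertyTable, heap.collections }; // {0, 1}
}

// The fix in the entry: the caller holds DeferGC until it is done with the table.
Outcome materializeWithOuterDefer() {
    ToyHeap heap; ToyLock lock;
    DeferGC deferGC(heap);
    materializePropertyTable(heap, lock);
    return { heap.propertyTable, heap.collections }; // {42, 0}
}

int main() {
    Outcome a = materializeWithoutOuterDefer(), b = materializeWithOuterDefer();
    std::printf("caught=%d noDefer={%d,%d} defer={%d,%d}\n",
        collectUnderPlainLockerIsCaught(), a.table, a.collections, b.table, b.collections);
    return 0;
}
```

        The ordering in GCSafeConcurrentJITLocker is the point to notice: the lock is released in the
        destructor body, and only afterwards does the DeferGC member run the queued collection, so no
        collection can re-enter the lock. The outer DeferGC in materializeWithOuterDefer is the caller-side
        half of the fix the entry describes for materializePropertyMapIfNecessary.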
1860
1861 2013-10-16  Daniel Bates  <dabates@apple.com>
1862
1863         Add SPI to disable the garbage collector timer
1864         https://bugs.webkit.org/show_bug.cgi?id=122921
1865
1866         Reviewed by Geoffrey Garen.
1867
1868         Based on a patch by Mark Hahnenberg.
1869
1870         * API/JSBase.cpp:
1871         (JSDisableGCTimer): Added; SPI function.
1872         * API/JSBasePrivate.h:
1873         * heap/BlockAllocator.cpp:
1874         (JSC::createBlockFreeingThread): Added.
1875         (JSC::BlockAllocator::BlockAllocator): Modified to use JSC::createBlockFreeingThread()
1876         to conditionally create the "block freeing" thread depending on the value of
1877         GCActivityCallback::s_shouldCreateGCTimer.
1878         (JSC::BlockAllocator::~BlockAllocator):
1879         * heap/BlockAllocator.h:
1880         (JSC::BlockAllocator::deallocate):
1881         * heap/Heap.cpp:
1882         (JSC::Heap::didAbandon):
1883         (JSC::Heap::collect):
1884         (JSC::Heap::didAllocate):
1885         * heap/HeapTimer.cpp:
1886         (JSC::HeapTimer::timerDidFire):
1887         * runtime/GCActivityCallback.cpp:
1888         * runtime/GCActivityCallback.h:
1889         (JSC::DefaultGCActivityCallback::create): Only instantiate a DefaultGCActivityCallback object
1890         when GCActivityCallback::s_shouldCreateGCTimer is true so as to prevent allocating a HeapTimer
1891         object (since DefaultGCActivityCallback ultimately extends HeapTimer).
1892
1893 2013-10-16  Commit Queue  <commit-queue@webkit.org>
1894
1895         Unreviewed, rolling out r157529.
1896         http://trac.webkit.org/changeset/157529
1897         https://bugs.webkit.org/show_bug.cgi?id=122919
1898
1899         Caused score test failures and some build failures. (Requested
1900         by rfong on #webkit).
1901
1902         * bytecompiler/BytecodeGenerator.cpp:
1903         (JSC::BytecodeGenerator::emitNewArray):
1904         (JSC::BytecodeGenerator::emitCall):
1905         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
1906         * bytecompiler/BytecodeGenerator.h:
1907         * bytecompiler/NodesCodegen.cpp:
1908         (JSC::ArrayNode::emitBytecode):
1909         (JSC::CallArguments::CallArguments):
1910         (JSC::ForOfNode::emitBytecode):
1911         (JSC::BindingNode::collectBoundIdentifiers):
1912         * parser/ASTBuilder.h:
1913         * parser/Lexer.cpp:
1914         (JSC::::lex):
1915         * parser/NodeConstructors.h:
1916         (JSC::DotAccessorNode::DotAccessorNode):
1917         * parser/Nodes.h:
1918         * parser/Parser.cpp:
1919         (JSC::::parseArrayLiteral):
1920         (JSC::::parseArguments):
1921         (JSC::::parseMemberExpression):
1922         * parser/Parser.h:
1923         (JSC::Parser::getTokenName):
1924         (JSC::Parser::updateErrorMessageSpecialCase):
1925         * parser/ParserTokens.h:
1926         * parser/SyntaxChecker.h:
1927
1928 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
1929
1930         Remove useless architecture specific implementation in DFG.
1931         https://bugs.webkit.org/show_bug.cgi?id=122917.
1932
1933         Reviewed by Michael Saboff.
1934
1935         With CPU(ARM) && CPU(ARM_HARDFP) architecture, the fallback implementation is fine
1936         as FPRInfo::argumentFPR0 == FPRInfo::returnValueFPR in this case.
1937
1938         * dfg/DFGSpeculativeJIT.h:
1939
1940 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
1941
1942         Remove unused JIT::restoreArgumentReferenceForTrampoline function.
1943         https://bugs.webkit.org/show_bug.cgi?id=122916.
1944
1945         Reviewed by Michael Saboff.
1946
1947         This architecture specific function is not used anymore, so get rid of it.
1948
1949         * jit/JIT.h:
1950         * jit/JITInlines.h:
1951
1952 2013-10-16  Oliver Hunt  <oliver@apple.com>
1953
1954         Implement ES6 spread operator
1955         https://bugs.webkit.org/show_bug.cgi?id=122911
1956
1957         Reviewed by Michael Saboff.
1958
1959         Implement the ES6 spread operator
1960
1961         This has a little bit of refactoring to move the enumeration logic out of ForOfNode
1962         and into BytecodeGenerator, and then adds the logic to make it nicely callback
1963         driven.
1964
1965         The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
1966         and actually handling the spread.
1967
1968         * bytecompiler/BytecodeGenerator.cpp:
1969         (JSC::BytecodeGenerator::emitNewArray):
1970         (JSC::BytecodeGenerator::emitCall):
1971         (JSC::BytecodeGenerator::emitEnumeration):
1972         * bytecompiler/BytecodeGenerator.h:
1973         * bytecompiler/NodesCodegen.cpp:
1974         (JSC::ArrayNode::emitBytecode):
1975         (JSC::ForOfNode::emitBytecode):
1976         (JSC::SpreadExpressionNode::emitBytecode):
1977         * parser/ASTBuilder.h:
1978         (JSC::ASTBuilder::createSpreadExpression):
1979         * parser/Lexer.cpp:
1980         (JSC::::lex):
1981         * parser/NodeConstructors.h:
1982         (JSC::SpreadExpressionNode::SpreadExpressionNode):
1983         * parser/Nodes.h:
1984         (JSC::ExpressionNode::isSpreadExpression):
1985         (JSC::SpreadExpressionNode::expression):
1986         * parser/Parser.cpp:
1987         (JSC::::parseArrayLiteral):
1988         (JSC::::parseArguments):
1989         (JSC::::parseMemberExpression):
1990         * parser/Parser.h:
1991         (JSC::Parser::getTokenName):
1992         (JSC::Parser::updateErrorMessageSpecialCase):
1993         * parser/ParserTokens.h:
1994         * parser/SyntaxChecker.h:
1995         (JSC::SyntaxChecker::createSpreadExpression):
1996
1997 2013-10-16  Mark Lam  <mark.lam@apple.com>
1998
1999         Transition void cti_op_tear_off* methods to JIT operations for 32 bit.
2000         https://bugs.webkit.org/show_bug.cgi?id=122899.
2001
2002         Reviewed by Michael Saboff.
2003
2004         * jit/JITOpcodes32_64.cpp:
2005         (JSC::JIT::emit_op_tear_off_activation):
2006         (JSC::JIT::emit_op_tear_off_arguments):
2007         * jit/JITStubs.cpp:
2008         * jit/JITStubs.h:
2009
2010 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
2011
2012         Remove more of the UNINTERRUPTED_SEQUENCE thing
2013         https://bugs.webkit.org/show_bug.cgi?id=122885
2014
2015         Reviewed by Andreas Kling.
2016
2017         It was not completely removed by r157481, leading to build failure for sh4 architecture.
2018
2019         * jit/JIT.h:
2020         * jit/JITInlines.h:
2021
2022 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
2023
2024         Get rid of the StructureStubInfo::patch union
2025         https://bugs.webkit.org/show_bug.cgi?id=122877
2026
2027         Reviewed by Sam Weinig.
2028         
2029         Just simplifying code by getting rid of data structures that ain't used no more.
2030         
2031         Note that I replace the patch union with a patch struct. This means we say things like
2032         stubInfo.patch.valueGPR instead of stubInfo.valueGPR. I think that this extra
2033         encapsulation makes the code more readable: the patch struct contains just those things
2034         that you need to know to perform patching.
2035
2036         * bytecode/StructureStubInfo.h:
2037         * dfg/DFGJITCompiler.cpp:
2038         (JSC::DFG::JITCompiler::link):
2039         * jit/JIT.cpp:
2040         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
2041         * jit/Repatch.cpp:
2042         (JSC::repatchByIdSelfAccess):
2043         (JSC::replaceWithJump):
2044         (JSC::linkRestoreScratch):
2045         (JSC::generateProtoChainAccessStub):
2046         (JSC::tryCacheGetByID):
2047         (JSC::getPolymorphicStructureList):
2048         (JSC::patchJumpToGetByIdStub):
2049         (JSC::tryBuildGetByIDList):
2050         (JSC::emitPutReplaceStub):
2051         (JSC::emitPutTransitionStub):
2052         (JSC::tryCachePutByID):
2053         (JSC::tryBuildPutByIdList):
2054         (JSC::tryRepatchIn):
2055         (JSC::resetGetByID):
2056         (JSC::resetPutByID):
2057         (JSC::resetIn):
2058
2059 2013-10-15  Nadav Rotem  <nrotem@apple.com>
2060
2061         FTL: add support for Int52ToValue and fix putByVal of int52s.
2062         https://bugs.webkit.org/show_bug.cgi?id=122873
2063
2064         Reviewed by Filip Pizlo.
2065
2066         * ftl/FTLCapabilities.cpp:
2067         (JSC::FTL::canCompile):
2068         * ftl/FTLLowerDFGToLLVM.cpp:
2069         (JSC::FTL::LowerDFGToLLVM::compileNode):
2070         (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue):
2071         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2072
2073 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
2074
2075         Get rid of the UNINTERRUPTED_SEQUENCE thing
2076         https://bugs.webkit.org/show_bug.cgi?id=122876
2077
2078         Reviewed by Mark Hahnenberg.
2079         
2080         It doesn't make sense anymore. We now use the DFG's IC logic, which never needed that.
2081         
2082         Moreover, we should resist the temptation to bring anything like this back. We don't
2083         want to have inline caches that only work if the assembler lays out code in a specific
2084         predetermined way.
2085
2086         * jit/JIT.h:
2087         * jit/JITCall.cpp:
2088         (JSC::JIT::compileOpCall):
2089         * jit/JITCall32_64.cpp:
2090         (JSC::JIT::compileOpCall):
2091
2092 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
2093
2094         Baseline JIT should use the DFG GetById IC
2095         https://bugs.webkit.org/show_bug.cgi?id=122861
2096
2097         Reviewed by Oliver Hunt.
2098         
2099         This mostly just kills a ton of code.
2100         
2101         Note that this doesn't yet do all of the simplifications that can be done, but it does
2102         kill dead code. I'll have another change to simplify StructureStubInfo's unions and such.
2103
2104         * bytecode/CodeBlock.cpp:
2105         (JSC::CodeBlock::resetStubInternal):
2106         * jit/JIT.cpp:
2107         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
2108         * jit/JIT.h:
2109         (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
2110         * jit/JITInlines.h:
2111         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
2112         (JSC::JIT::callOperation):
2113         * jit/JITPropertyAccess.cpp:
2114         (JSC::JIT::compileGetByIdHotPath):
2115         (JSC::JIT::emitSlow_op_get_by_id):
2116         (JSC::JIT::emitSlow_op_get_from_scope):
2117         * jit/JITPropertyAccess32_64.cpp:
2118         (JSC::JIT::compileGetByIdHotPath):
2119         (JSC::JIT::emitSlow_op_get_by_id):
2120         (JSC::JIT::emitSlow_op_get_from_scope):
2121         * jit/JITStubs.cpp:
2122         * jit/JITStubs.h:
2123         * jit/Repatch.cpp:
2124         (JSC::repatchGetByID):
2125         (JSC::buildGetByIDList):
2126         * jit/ThunkGenerators.cpp:
2127         * jit/ThunkGenerators.h:
2128
2129 2013-10-15  Dean Jackson  <dino@apple.com>
2130
2131         Add ENABLE_WEB_ANIMATIONS flag
2132         https://bugs.webkit.org/show_bug.cgi?id=122871
2133
2134         Reviewed by Tim Horton.
2135
2136         Eventually might be http://dev.w3.org/fxtf/web-animations/
2137         but this is just engine-internal work at the moment.
2138
2139         * Configurations/FeatureDefines.xcconfig:
2140
2141 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
2142
2143         [sh4] Some calls don't match sh4 ABI.
2144         https://bugs.webkit.org/show_bug.cgi?id=122863
2145
2146         Reviewed by Michael Saboff.
2147
2148         * dfg/DFGSpeculativeJIT.h:
2149         (JSC::DFG::SpeculativeJIT::callOperation):
2150         * jit/CCallHelpers.h:
2151         (JSC::CCallHelpers::setupArgumentsWithExecState):
2152         * jit/JITInlines.h:
2153         (JSC::JIT::callOperation):
2154
2155 2013-10-15  Daniel Bates  <dabates@apple.com>
2156
2157         [iOS] Upstream JavaScriptCore support for ARM64
2158         https://bugs.webkit.org/show_bug.cgi?id=122762
2159
2160         Reviewed by Oliver Hunt and Filip Pizlo.
2161
2162         * Configurations/Base.xcconfig:
2163         * Configurations/DebugRelease.xcconfig:
2164         * Configurations/JavaScriptCore.xcconfig:
2165         * Configurations/ToolExecutable.xcconfig:
2166         * JavaScriptCore.xcodeproj/project.pbxproj:
2167         * assembler/ARM64Assembler.h: Added.
2168         * assembler/AbstractMacroAssembler.h:
2169         (JSC::isARM64):
2170         (JSC::AbstractMacroAssembler::Label::Label):
2171         (JSC::AbstractMacroAssembler::Jump::Jump):
2172         (JSC::AbstractMacroAssembler::Jump::link):
2173         (JSC::AbstractMacroAssembler::Jump::linkTo):
2174         (JSC::AbstractMacroAssembler::CachedTempRegister::CachedTempRegister):
2175         (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDInvalidate):
2176         (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDNoInvalidate):
2177         (JSC::AbstractMacroAssembler::CachedTempRegister::value):
2178         (JSC::AbstractMacroAssembler::CachedTempRegister::setValue):
2179         (JSC::AbstractMacroAssembler::CachedTempRegister::invalidate):
2180         (JSC::AbstractMacroAssembler::invalidateAllTempRegisters):
2181         (JSC::AbstractMacroAssembler::isTempRegisterValid):
2182         (JSC::AbstractMacroAssembler::clearTempRegisterValid):
2183         (JSC::AbstractMacroAssembler::setTempRegisterValid):
2184         * assembler/LinkBuffer.cpp:
2185         (JSC::LinkBuffer::copyCompactAndLinkCode):
2186         (JSC::LinkBuffer::linkCode):
2187         * assembler/LinkBuffer.h:
2188         * assembler/MacroAssembler.h:
2189         (JSC::MacroAssembler::isPtrAlignedAddressOffset):
2190         (JSC::MacroAssembler::pushToSave):
2191         (JSC::MacroAssembler::popToRestore):
2192         (JSC::MacroAssembler::patchableBranchTest32):
2193         * assembler/MacroAssemblerARM64.h: Added.
2194         * assembler/MacroAssemblerARMv7.h:
2195         * dfg/DFGFixupPhase.cpp:
2196         (JSC::DFG::FixupPhase::fixupNode):
2197         * dfg/DFGOSRExitCompiler32_64.cpp:
2198         (JSC::DFG::OSRExitCompiler::compileExit):
2199         * dfg/DFGOSRExitCompiler64.cpp:
2200         (JSC::DFG::OSRExitCompiler::compileExit):
2201         * dfg/DFGSpeculativeJIT.cpp:
2202         (JSC::DFG::SpeculativeJIT::compileArithDiv):
2203         (JSC::DFG::SpeculativeJIT::compileArithMod):
2204         * disassembler/ARM64/A64DOpcode.cpp: Added.
2205         * disassembler/ARM64/A64DOpcode.h: Added.
2206         * disassembler/ARM64Disassembler.cpp: Added.
2207         * heap/MachineStackMarker.cpp:
2208         (JSC::getPlatformThreadRegisters):
2209         (JSC::otherThreadStackPointer):
2210         * heap/Region.h:
2211         * jit/AssemblyHelpers.h:
2212         (JSC::AssemblyHelpers::debugCall):
2213         * jit/CCallHelpers.h:
2214         * jit/ExecutableAllocator.h:
2215         * jit/FPRInfo.h:
2216         (JSC::FPRInfo::toRegister):
2217         (JSC::FPRInfo::toIndex):
2218         (JSC::FPRInfo::debugName):
2219         * jit/GPRInfo.h:
2220         (JSC::GPRInfo::toRegister):
2221         (JSC::GPRInfo::toIndex):
2222         (JSC::GPRInfo::debugName):
2223         * jit/JITInlines.h:
2224         (JSC::JIT::restoreArgumentReferenceForTrampoline):
2225         * jit/JITOperationWrappers.h:
2226         * jit/JITOperations.cpp:
2227         * jit/JITStubs.cpp:
2228         (JSC::performPlatformSpecificJITAssertions):
2229         (JSC::tryCachePutByID):
2230         * jit/JITStubs.h:
2231         (JSC::JITStackFrame::returnAddressSlot):
2232         * jit/JITStubsARM64.h: Added.
2233         * jit/JSInterfaceJIT.h:
2234         * jit/Repatch.cpp:
2235         (JSC::emitRestoreScratch):
2236         (JSC::generateProtoChainAccessStub):
2237         (JSC::tryCacheGetByID):
2238         (JSC::emitPutReplaceStub):
2239         (JSC::tryCachePutByID):
2240         (JSC::tryRepatchIn):
2241         * jit/ScratchRegisterAllocator.h:
2242         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
2243         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
2244         * jit/ThunkGenerators.cpp:
2245         (JSC::nativeForGenerator):
2246         (JSC::floorThunkGenerator):
2247         (JSC::ceilThunkGenerator):
2248         * jsc.cpp:
2249         (main):
2250         * llint/LLIntOfflineAsmConfig.h:
2251         * llint/LLIntSlowPaths.cpp:
2252         (JSC::LLInt::handleHostCall):
2253         * llint/LowLevelInterpreter.asm:
2254         * llint/LowLevelInterpreter64.asm:
2255         * offlineasm/arm.rb:
2256         * offlineasm/arm64.rb: Added.
2257         * offlineasm/backends.rb:
2258         * offlineasm/instructions.rb:
2259         * offlineasm/risc.rb:
2260         * offlineasm/transform.rb:
2261         * yarr/YarrJIT.cpp:
2262         (JSC::Yarr::YarrGenerator::alignCallFrameSizeInBytes):
2263         (JSC::Yarr::YarrGenerator::initCallFrame):
2264         (JSC::Yarr::YarrGenerator::removeCallFrame):
2265         (JSC::Yarr::YarrGenerator::generateEnter):
2266         * yarr/YarrJIT.h:
2267
2268 2013-10-15  Mark Lam  <mark.lam@apple.com>
2269
2270         Fix 3 operand sub operation in C loop LLINT.
2271         https://bugs.webkit.org/show_bug.cgi?id=122866.
2272
2273         Reviewed by Geoffrey Garen.
2274
2275         * offlineasm/cloop.rb:
2276
2277 2013-10-15  Mark Hahnenberg  <mhahnenberg@apple.com>
2278
2279         ObjCCallbackFunctionImpl shouldn't store a JSContext
2280         https://bugs.webkit.org/show_bug.cgi?id=122531
2281
2282         Reviewed by Geoffrey Garen.
2283
2284         The m_context field in ObjCCallbackFunctionImpl is vestigial and is only incidentally correct 
2285         in the common case. It's also no longer necessary in that we can look up the current JSContext 
2286         by using the globalObject of the callee when the function callback is invoked.
2287  
2288         Also added a new test that would cause us to crash previously. The test required making 
2289         JSContextGetGlobalContext public API so that clients can obtain a JSContext from the JSContextRef
2290         in C API callbacks.
2291
2292         * API/JSContextRef.h:
2293         * API/JSContextRefPrivate.h:
2294         * API/ObjCCallbackFunction.mm:
2295         (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
2296         (JSC::objCCallbackFunctionCallAsFunction):
2297         (objCCallbackFunctionForInvocation):
2298         * API/WebKitAvailability.h:
2299         * API/tests/CurrentThisInsideBlockGetterTest.h: Added.
2300         * API/tests/CurrentThisInsideBlockGetterTest.mm: Added.
2301         (CallAsConstructor):
2302         (ConstructorFinalize):
2303         (ConstructorClass):
2304         (+[JSValue valueWithConstructorDescriptor:inContext:]):
2305         (-[JSContext valueWithConstructorDescriptor:]):
2306         (currentThisInsideBlockGetterTest):
2307         * API/tests/testapi.mm:
2308         * JavaScriptCore.xcodeproj/project.pbxproj:
2309         * debugger/Debugger.cpp: Had to add some fully qualified names to avoid conflicts with Mac OS X headers.
2310
2311 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
2312
2313         Fix build after r157457 for architecture with 4 argument registers.
2314         https://bugs.webkit.org/show_bug.cgi?id=122860
2315
2316         Reviewed by Michael Saboff.
2317
2318         * jit/CCallHelpers.h:
2319         (JSC::CCallHelpers::setupStubArguments134):
2320
2321 2013-10-14  Michael Saboff  <msaboff@apple.com>
2322
2323         transition void cti_op_* methods to JIT operations.
2324         https://bugs.webkit.org/show_bug.cgi?id=122617
2325
2326         Reviewed by Geoffrey Garen.
2327
2328         Converted the following stubs to JIT operations:
2329             cti_handle_watchdog_timer
2330             cti_op_debug
2331             cti_op_pop_scope
2332             cti_op_profile_did_call
2333             cti_op_profile_will_call
2334             cti_op_put_by_index
2335             cti_op_put_getter_setter
2336             cti_op_tear_off_activation
2337             cti_op_tear_off_arguments
2338             cti_op_throw_static_error
2339             cti_optimize
2340
2341         * dfg/DFGOperations.cpp:
2342         * dfg/DFGOperations.h:
2343         * jit/CCallHelpers.h:
2344         (JSC::CCallHelpers::setupArgumentsWithExecState):
2345         (JSC::CCallHelpers::setupThreeStubArgsGPR):
2346         (JSC::CCallHelpers::setupStubArguments):
2347         (JSC::CCallHelpers::setupStubArguments134):
2348         * jit/JIT.cpp:
2349         (JSC::JIT::emitEnterOptimizationCheck):
2350         * jit/JIT.h:
2351         * jit/JITInlines.h:
2352         (JSC::JIT::callOperation):
2353         * jit/JITOpcodes.cpp:
2354         (JSC::JIT::emit_op_tear_off_activation):
2355         (JSC::JIT::emit_op_tear_off_arguments):
2356         (JSC::JIT::emit_op_push_with_scope):
2357         (JSC::JIT::emit_op_pop_scope):
2358         (JSC::JIT::emit_op_push_name_scope):
2359         (JSC::JIT::emit_op_throw_static_error):
2360         (JSC::JIT::emit_op_debug):
2361         (JSC::JIT::emit_op_profile_will_call):
2362         (JSC::JIT::emit_op_profile_did_call):
2363         (JSC::JIT::emitSlow_op_loop_hint):
2364         * jit/JITOpcodes32_64.cpp:
2365         (JSC::JIT::emit_op_push_with_scope):
2366         (JSC::JIT::emit_op_pop_scope):
2367         (JSC::JIT::emit_op_push_name_scope):
2368         (JSC::JIT::emit_op_throw_static_error):
2369         (JSC::JIT::emit_op_debug):
2370         (JSC::JIT::emit_op_profile_will_call):
2371         (JSC::JIT::emit_op_profile_did_call):
2372         * jit/JITOperations.cpp:
2373         * jit/JITOperations.h:
2374         * jit/JITPropertyAccess.cpp:
2375         (JSC::JIT::emit_op_put_by_index):
2376         (JSC::JIT::emit_op_put_getter_setter):
2377         * jit/JITPropertyAccess32_64.cpp:
2378         (JSC::JIT::emit_op_put_by_index):
2379         (JSC::JIT::emit_op_put_getter_setter):
2380         * jit/JITStubs.cpp:
2381         * jit/JITStubs.h:
2382
2383 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
2384
2385         [sh4] Introduce const pools in LLINT.
2386         https://bugs.webkit.org/show_bug.cgi?id=122746
2387
2388         Reviewed by Michael Saboff.
2389
2390         In the current implementation of LLINT for sh4, immediate values outside range -128..127 are
2391         loaded this way:
2392
2393             mov.l .label, rx
2394             bra out
2395             nop
2396             .balign 4
2397             .label: .long immvalue
2398             out:
2399
2400         This change introduces const pools for sh4 implementation to avoid lots of useless branches
2401         and reduce code size. It also removes lines of dirty code, like jmpf and callf.
2402
2403         * offlineasm/instructions.rb: Remove jmpf and callf sh4 specific instructions.
2404         * offlineasm/sh4.rb:
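
        The two immediate-load schemes contrasted above, as an added illustration that is not the
        offlineasm/sh4.rb code: a minimal emitter that turns register loads into SH4-style assembly
        text, first in the old branch-around-literal form, then in the constant-pool form. The
        register names and the load list are hypothetical inputs constructed for the example.

```cpp
// Added illustration, not the offlineasm/sh4.rb code: a minimal emitter that
// turns register loads into SH4-style assembly text, first the old
// branch-around-literal form, then the constant-pool form.
#include <cstdint>
#include <map>
#include <sstream>
#include <string>
#include <vector>

struct LoadImm {
    std::string reg;   // destination register, e.g. "r1" (hypothetical input)
    int32_t value;     // immediate to load
};

// "mov #imm, Rn" only takes a sign-extended 8-bit immediate.
static bool fitsImm8(int32_t v) { return v >= -128 && v <= 127; }

// Old scheme: every out-of-range immediate carries its own literal plus a
// branch (and delay-slot nop) to skip over it.
std::string emitWithInlineLiterals(const std::vector<LoadImm>& loads) {
    std::ostringstream out;
    int n = 0;
    for (const LoadImm& l : loads) {
        if (fitsImm8(l.value)) {
            out << "    mov #" << l.value << ", " << l.reg << "\n";
            continue;
        }
        out << "    mov.l .Llit" << n << ", " << l.reg << "\n"
            << "    bra .Lout" << n << "\n"
            << "    nop\n"
            << "    .balign 4\n"
            << ".Llit" << n << ": .long " << l.value << "\n"
            << ".Lout" << n << ":\n";
        ++n;
    }
    return out.str();
}

struct PoolResult {
    std::string text;
    size_t poolEntries;   // distinct literals placed in the pool
};

// New scheme: out-of-range immediates go into one pool emitted after the
// code, so no per-load branch is needed and equal constants share a slot.
PoolResult emitWithConstPool(const std::vector<LoadImm>& loads) {
    std::ostringstream code;
    std::map<int32_t, size_t> slotOf;   // value -> pool slot, for dedup
    std::vector<int32_t> pool;
    for (const LoadImm& l : loads) {
        if (fitsImm8(l.value)) {
            code << "    mov #" << l.value << ", " << l.reg << "\n";
            continue;
        }
        auto it = slotOf.find(l.value);
        if (it == slotOf.end()) {
            it = slotOf.emplace(l.value, pool.size()).first;
            pool.push_back(l.value);
        }
        code << "    mov.l .Lcp" << it->second << ", " << l.reg << "\n";
    }
    // The pool must follow an unconditional transfer (end of function or a
    // jump) so it is never executed, and it must stay within PC-relative
    // reach of the mov.l instructions that reference it.
    code << "    .balign 4\n";
    for (size_t i = 0; i < pool.size(); ++i)
        code << ".Lcp" << i << ": .long " << pool[i] << "\n";
    return PoolResult{code.str(), pool.size()};
}

// Line count is a reasonable proxy for code size in this text form.
size_t countLines(const std::string& s) {
    size_t n = 0;
    for (char c : s)
        if (c == '\n') ++n;
    return n;
}
```

        The caveat a real backend has to handle and this sketch does not: the PC-relative load that
        reads the pool has a bounded displacement on SH4, so a long function needs the pool flushed
        periodically (after an existing jump) rather than emitted once at the end.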
2405
2406 2013-10-15  Mark Lam  <mark.lam@apple.com>
2407
2408         Fix broken C Loop LLINT build.
2409         https://bugs.webkit.org/show_bug.cgi?id=122839.
2410
2411         Reviewed by Michael Saboff.
2412
2413         * dfg/DFGFlushedAt.cpp:
2414         * jit/JITOperations.h:
2415
2416 2013-10-14  Mark Lam  <mark.lam@apple.com>
2417
2418         Transition *switch* and *scope* JITStubs to JIT operations.
2419         https://bugs.webkit.org/show_bug.cgi?id=122757.
2420
2421         Reviewed by Geoffrey Garen.
2422
2423         Transitioning:
2424             cti_op_switch_char
2425             cti_op_switch_imm
2426             cti_op_switch_string
2427             cti_op_resolve_scope
2428             cti_op_get_from_scope
2429             cti_op_put_to_scope
2430
2431         * jit/JIT.h:
2432         * jit/JITInlines.h:
2433         (JSC::JIT::callOperation):
2434         * jit/JITOpcodes.cpp:
2435         (JSC::JIT::emit_op_switch_imm):
2436         (JSC::JIT::emit_op_switch_char):
2437         (JSC::JIT::emit_op_switch_string):
2438         * jit/JITOpcodes32_64.cpp:
2439         (JSC::JIT::emit_op_switch_imm):
2440         (JSC::JIT::emit_op_switch_char):
2441         (JSC::JIT::emit_op_switch_string):
2442         * jit/JITOperations.cpp:
2443         * jit/JITOperations.h:
2444         * jit/JITPropertyAccess.cpp:
2445         (JSC::JIT::emitSlow_op_resolve_scope):
2446         (JSC::JIT::emitSlow_op_get_from_scope):
2447         (JSC::JIT::emitSlow_op_put_to_scope):
2448         * jit/JITPropertyAccess32_64.cpp:
2449         (JSC::JIT::emitSlow_op_resolve_scope):
2450         (JSC::JIT::emitSlow_op_get_from_scope):
2451         (JSC::JIT::emitSlow_op_put_to_scope):
2452         * jit/JITStubs.cpp:
2453         * jit/JITStubs.h:
2454
2455 2013-10-14  Filip Pizlo  <fpizlo@apple.com>
2456
2457         DFG PutById IC should use the ConcurrentJITLocker since it's now dealing with IC's that get read by the compiler thread
2458         https://bugs.webkit.org/show_bug.cgi?id=122786
2459
2460         Reviewed by Mark Hahnenberg.
2461
2462         * bytecode/CodeBlock.cpp:
2463         (JSC::CodeBlock::resetStub): Resetting a stub should acquire the lock since this is observable from the thread; but we should only acquire the lock if we're resetting outside of GC.
2464         * jit/Repatch.cpp:
2465         (JSC::repatchPutByID): Doing the PutById patching should hold the lock.
2466         (JSC::buildPutByIdList): Ditto.
2467
2468 2013-10-14  Nadav Rotem  <nrotem@apple.com>
2469
2470         Add FTL support for LogicalNot(string)
2471         https://bugs.webkit.org/show_bug.cgi?id=122765
2472
2473         Reviewed by Filip Pizlo.
2474
2475         This patch is tested by:
2476         regress/script-tests/emscripten-cube2hash.js.ftl-eager
2477
2478         * ftl/FTLCapabilities.cpp:
2479         (JSC::FTL::canCompile):
2480         * ftl/FTLLowerDFGToLLVM.cpp:
2481         (JSC::FTL::LowerDFGToLLVM::compileLogicalNot):
2482
2483 2013-10-14  Julien Brianceau  <jbriance@cisco.com>
2484
2485         [sh4] Fixes after r157404 and r157411.
2486         https://bugs.webkit.org/show_bug.cgi?id=122782
2487
2488         Reviewed by Michael Saboff.
2489
2490         * dfg/DFGSpeculativeJIT.h:
2491         (JSC::DFG::SpeculativeJIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG.
2492         * jit/CCallHelpers.h:
2493         (JSC::CCallHelpers::setupArgumentsWithExecState):
2494         * jit/JITInlines.h:
2495         (JSC::JIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG.
2496         * jit/JITPropertyAccess32_64.cpp:
2497         (JSC::JIT::emit_op_put_by_id): Remove unwanted BEGIN_UNINTERRUPTED_SEQUENCE.
2498
2499 2013-10-14  Commit Queue  <commit-queue@webkit.org>
2500
2501         Unreviewed, rolling out r157413.
2502         http://trac.webkit.org/changeset/157413
2503         https://bugs.webkit.org/show_bug.cgi?id=122779
2504
2505         Appears to have caused frequent crashes (Requested by ap on
2506         #webkit).
2507
2508         * CMakeLists.txt:
2509         * GNUmakefile.list.am:
2510         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2511         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2512         * JavaScriptCore.xcodeproj/project.pbxproj:
2513         * heap/DeferGC.cpp: Removed.
2514         * heap/DeferGC.h:
2515         * jit/JITStubs.cpp:
2516         (JSC::tryCacheGetByID):
2517         (JSC::DEFINE_STUB_FUNCTION):
2518         * llint/LLIntSlowPaths.cpp:
2519         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2520         * runtime/ConcurrentJITLock.h:
2521         * runtime/InitializeThreading.cpp:
2522         (JSC::initializeThreadingOnce):
2523         * runtime/JSCellInlines.h:
2524         (JSC::allocateCell):
2525         * runtime/Structure.cpp:
2526         (JSC::Structure::materializePropertyMap):
2527         (JSC::Structure::putSpecificValue):
2528         (JSC::Structure::createPropertyMap):
2529         * runtime/Structure.h:
2530
2531 2013-10-14  Mark Hahnenberg  <mhahnenberg@apple.com>
2532
2533         COLLECT_ON_EVERY_ALLOCATION causes assertion failures
2534         https://bugs.webkit.org/show_bug.cgi?id=122652
2535
2536         Reviewed by Filip Pizlo.
2537
2538         COLLECT_ON_EVERY_ALLOCATION wasn't accounting for the new GC deferral mechanism,
2539         so we would end up ASSERTing during garbage collection.
2540
2541         * heap/MarkedAllocator.cpp:
2542         (JSC::MarkedAllocator::allocateSlowCase):
2543
2544 2013-10-11  Oliver Hunt  <oliver@apple.com>
2545
2546         Separate out array iteration intrinsics
2547         https://bugs.webkit.org/show_bug.cgi?id=122656
2548
2549         Reviewed by Michael Saboff.
2550
2551         Separate out the intrinsics for key and values iteration
2552         of arrays.
2553
2554         This requires moving array iteration into the iterator
2555         instance, rather than the prototype, but this is essentially
2556         unobservable so we'll live with it for now.
2557
2558         * jit/ThunkGenerators.cpp:
2559         (JSC::arrayIteratorNextThunkGenerator):
2560         (JSC::arrayIteratorNextKeyThunkGenerator):
2561         (JSC::arrayIteratorNextValueThunkGenerator):
2562         * jit/ThunkGenerators.h:
2563         * runtime/ArrayIteratorPrototype.cpp:
2564         (JSC::ArrayIteratorPrototype::finishCreation):
2565         * runtime/Intrinsic.h:
2566         * runtime/JSArrayIterator.cpp:
2567         (JSC::JSArrayIterator::finishCreation):
2568         (JSC::createIteratorResult):
2569         (JSC::arrayIteratorNext):
2570         (JSC::arrayIteratorNextKey):
2571         (JSC::arrayIteratorNextValue):
2572         (JSC::arrayIteratorNextGeneric):
2573         * runtime/VM.cpp:
2574         (JSC::thunkGeneratorForIntrinsic):
2575
2576 2013-10-11  Mark Hahnenberg  <mhahnenberg@apple.com>
2577
2578         llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
2579         https://bugs.webkit.org/show_bug.cgi?id=122667
2580
2581         Reviewed by Filip Pizlo.
2582
2583         The issue this patch is attempting to fix is that there are places in our codebase
2584         where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
2585         operations that can initiate a garbage collection. Garbage collection then calls 
2586         some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
2587         always necessarily run during garbage collection). This causes a deadlock.
2588
2589         To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores 
2590         into a thread-local field that indicates that it is unsafe to perform any operation 
2591         that could trigger garbage collection on the current thread. In debug builds, 
2592         ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly 
2593         detect deadlocks.
2594
2595         This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
2596         which uses the DeferGC mechanism to prevent collections from occurring while the 
2597         lock is held.
2598
2599         * CMakeLists.txt:
2600         * GNUmakefile.list.am:
2601         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2602         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2603         * JavaScriptCore.xcodeproj/project.pbxproj:
2604         * heap/DeferGC.cpp: Added.
2605         * heap/DeferGC.h:
2606         (JSC::DisallowGC::DisallowGC):
2607         (JSC::DisallowGC::~DisallowGC):
2608         (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
2609         (JSC::DisallowGC::initialize):
2610         * jit/JITStubs.cpp:
2611         (JSC::tryCachePutByID):
2612         (JSC::tryCacheGetByID):
2613         (JSC::DEFINE_STUB_FUNCTION):
2614         * llint/LLIntSlowPaths.cpp:
2615         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2616         * runtime/ConcurrentJITLock.h:
2617         (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
2618         (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
2619         (JSC::ConcurrentJITLockerBase::unlockEarly):
2620         (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
2621         (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
2622         * runtime/InitializeThreading.cpp:
2623         (JSC::initializeThreadingOnce):
2624         * runtime/JSCellInlines.h:
2625         (JSC::allocateCell):
2626         * runtime/Structure.cpp:
2627         (JSC::Structure::materializePropertyMap):
2628         (JSC::Structure::putSpecificValue):
2629         (JSC::Structure::createPropertyMap):
2630         * runtime/Structure.h:
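
        The lock-versus-GC interplay described in this entry and in the DFG PutById IC entry above
        (lock held while patching; resetStub taking the lock only outside of GC), as an added model
        that is not JSC's code. The names mirror the ChangeLog (DisallowGC, DeferGC,
        ConcurrentJITLocker, GCSafeConcurrentJITLocker, resetStub) but the bodies are a stand-alone
        simulation with assumed semantics, and the outcome enum is invented so the deadlock is
        reported rather than actually hung on.

```cpp
// Added model, not JSC's code: names mirror the ChangeLog (DisallowGC,
// DeferGC, ConcurrentJITLocker, GCSafeConcurrentJITLocker, resetStub) but
// the bodies are a stand-alone simulation with assumed semantics.
#include <mutex>
#include <thread>

// Per-thread state standing in for JSC's thread-local / heap counters.
static thread_local int gcDisallowDepth = 0;        // DisallowGC nesting
static thread_local int gcDeferDepth = 0;           // DeferGC nesting
static thread_local bool gcViolationSeen = false;   // recorded instead of ASSERTing
static thread_local bool collecting = false;        // true while a collection runs
static thread_local int collectionsRun = 0;

// RAII marker: collections are forbidden on this thread while one is alive.
struct DisallowGC {
    DisallowGC() { ++gcDisallowDepth; }
    ~DisallowGC() { --gcDisallowDepth; }
    static bool isGCDisallowedOnCurrentThread() { return gcDisallowDepth > 0; }
};

// RAII marker: collections requested while alive are postponed.
struct DeferGC {
    DeferGC() { ++gcDeferDepth; }
    ~DeferGC() { --gcDeferDepth; }
};

// The per-CodeBlock lock shared by the mutator and the compiler thread.
// Ownership is tracked so re-entry by the owner can be reported instead of
// actually deadlocking in this demo.
struct ConcurrentJITLock {
    std::mutex m;
    std::thread::id owner;
    void lock() { m.lock(); owner = std::this_thread::get_id(); }
    void unlock() { owner = std::thread::id(); m.unlock(); }
    bool heldByCurrentThread() const { return owner == std::this_thread::get_id(); }
};

enum class GCOutcome { Collected, Deferred, WouldDeadlock, DisallowedAndDetected };

// A collection that, like the real one, takes each CodeBlock's lock while
// visiting it. Called from an allocation site that may trigger GC.
GCOutcome collectIfNeeded(ConcurrentJITLock& lock) {
    if (DisallowGC::isGCDisallowedOnCurrentThread()) {
        gcViolationSeen = true;                 // debug build: eager detection
        return GCOutcome::DisallowedAndDetected;
    }
    if (gcDeferDepth > 0)
        return GCOutcome::Deferred;             // runs once the last DeferGC dies
    if (lock.heldByCurrentThread())
        return GCOutcome::WouldDeadlock;        // the bug: GC re-takes our lock
    collecting = true;
    lock.lock();
    ++collectionsRun;
    lock.unlock();
    collecting = false;
    return GCOutcome::Collected;
}

// Plain locker. Debug builds embed a DisallowGC so allocating under the lock
// is caught at the allocation rather than surfacing as a hang.
struct ConcurrentJITLocker {
    std::lock_guard<ConcurrentJITLock> guard;
    DisallowGC disallow;
    explicit ConcurrentJITLocker(ConcurrentJITLock& l) : guard(l) {}
};

// GC-safe locker: defers collections for the lock's lifetime, so code that
// must allocate under the lock can do so and the collection runs afterwards.
struct GCSafeConcurrentJITLocker {
    DeferGC defer;
    std::lock_guard<ConcurrentJITLock> guard;
    explicit GCSafeConcurrentJITLocker(ConcurrentJITLock& l) : guard(l) {}
};

// Three versions of a tryCachePutByID-style patch that allocates under the lock.
GCOutcome patchUnderRawLock(ConcurrentJITLock& lock) {
    std::lock_guard<ConcurrentJITLock> guard(lock);
    return collectIfNeeded(lock);
}
GCOutcome patchUnderPlainLock(ConcurrentJITLock& lock) {
    ConcurrentJITLocker locker(lock);
    return collectIfNeeded(lock);
}
GCOutcome patchUnderGCSafeLock(ConcurrentJITLock& lock) {
    GCSafeConcurrentJITLocker locker(lock);
    return collectIfNeeded(lock);
}

// resetStub-style: only take the lock when resetting outside of a collection,
// since during GC the collector is the one holding it. Returns whether the
// lock was taken.
bool resetStub(ConcurrentJITLock& lock) {
    if (collecting)
        return false;
    ConcurrentJITLocker locker(lock);
    return true;
}
```

        Note the member order in the two lockers: ConcurrentJITLocker takes the lock and then arms
        DisallowGC, while GCSafeConcurrentJITLocker arms DeferGC before taking the lock, so the
        deferred collection can only run after the lock has been released.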
2631
2632 2013-10-14  Filip Pizlo  <fpizlo@apple.com>
2633
2634         Baseline JIT should use the DFG's PutById IC
2635         https://bugs.webkit.org/show_bug.cgi?id=122704
2636
2637         Reviewed by Mark Hahnenberg.
2638         
2639         Mostly no big deal, just removing the old Baseline JIT's put_by_id IC support and forcing
2640         that JIT to use the DFG's (i.e. JITOperations) PutById IC.
2641         
2642         The only complicated part was that the PutById operations assumed that we first did a
2643         cell speculation, which the baseline JIT obviously won't do. So I changed all of those
2644         slow paths to deal with EncodedJSValue's.
2645
2646         * bytecode/CodeBlock.cpp:
2647         (JSC::CodeBlock::resetStubInternal):
2648         * bytecode/PutByIdStatus.cpp:
2649         (JSC::PutByIdStatus::computeFor):
2650         * dfg/DFGSpeculativeJIT.h:
2651         (JSC::DFG::SpeculativeJIT::callOperation):
2652         * dfg/DFGSpeculativeJIT32_64.cpp:
2653         (JSC::DFG::SpeculativeJIT::cachedPutById):
2654         * dfg/DFGSpeculativeJIT64.cpp:
2655         (JSC::DFG::SpeculativeJIT::cachedPutById):
2656         * jit/CCallHelpers.h:
2657         (JSC::CCallHelpers::setupArgumentsWithExecState):
2658         * jit/JIT.cpp:
2659         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
2660         * jit/JIT.h:
2661         (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
2662         (JSC::PropertyStubCompilationInfo::slowCaseInfo):
2663         * jit/JITInlines.h:
2664         (JSC::JIT::callOperation):
2665         * jit/JITOperationWrappers.h:
2666         * jit/JITOperations.cpp:
2667         * jit/JITOperations.h:
2668         * jit/JITPropertyAccess.cpp:
2669         (JSC::JIT::compileGetByIdHotPath):
2670         (JSC::JIT::compileGetByIdSlowCase):
2671         (JSC::JIT::emit_op_put_by_id):
2672         (JSC::JIT::emitSlow_op_put_by_id):
2673         * jit/JITPropertyAccess32_64.cpp:
2674         (JSC::JIT::compileGetByIdSlowCase):
2675         (JSC::JIT::emit_op_put_by_id):
2676         (JSC::JIT::emitSlow_op_put_by_id):
2677         * jit/JITStubs.cpp:
2678         * jit/JITStubs.h:
2679         * jit/Repatch.cpp:
2680         (JSC::appropriateGenericPutByIdFunction):
2681         (JSC::appropriateListBuildingPutByIdFunction):
2682         (JSC::resetPutByID):
2683
2684 2013-10-13  Filip Pizlo  <fpizlo@apple.com>
2685
2686         FTL should have an inefficient but correct implementation of GetById
2687         https://bugs.webkit.org/show_bug.cgi?id=122740
2688
2689         Reviewed by Mark Hahnenberg.
2690         
2691         It took some effort to realize that the node->prediction() check in the DFG backends
2692         is completely unnecessary since the ByteCodeParser will always insert a ForceOSRExit
2693         if !prediction.
2694         
2695         But other than that this was an easy patch.
2696
2697         * dfg/DFGByteCodeParser.cpp:
2698         (JSC::DFG::ByteCodeParser::handleGetById):
2699         * dfg/DFGSpeculativeJIT32_64.cpp:
2700         (JSC::DFG::SpeculativeJIT::compile):
2701         * dfg/DFGSpeculativeJIT64.cpp:
2702         (JSC::DFG::SpeculativeJIT::compile):
2703         * ftl/FTLCapabilities.cpp:
2704         (JSC::FTL::canCompile):
2705         * ftl/FTLIntrinsicRepository.h:
2706         * ftl/FTLLowerDFGToLLVM.cpp:
2707         (JSC::FTL::LowerDFGToLLVM::compileNode):
2708         (JSC::FTL::LowerDFGToLLVM::compileGetById):
2709
2710 2013-10-13  Mark Lam  <mark.lam@apple.com>
2711
2712         Transition misc cti_op_* JITStubs to JIT operations.
2713         https://bugs.webkit.org/show_bug.cgi?id=122645.
2714
2715         Reviewed by Michael Saboff.
2716
2717         Stubs converted:
2718             cti_op_check_has_instance
2719             cti_op_create_arguments
2720             cti_op_del_by_id
2721             cti_op_instanceof
2722             cti_to_object
2723             cti_op_push_activation
2724             cti_op_get_pnames
2725             cti_op_load_varargs
2726
2727         * dfg/DFGOperations.cpp:
2728         * dfg/DFGOperations.h:
2729         * jit/CCallHelpers.h:
2730         (JSC::CCallHelpers::setupArgumentsWithExecState):
2731         * jit/JIT.h:
2732         (JSC::JIT::emitStoreCell):
2733         * jit/JITCall.cpp:
2734         (JSC::JIT::compileLoadVarargs):
2735         * jit/JITCall32_64.cpp:
2736         (JSC::JIT::compileLoadVarargs):
2737         * jit/JITInlines.h:
2738         (JSC::JIT::callOperation):
2739         * jit/JITOpcodes.cpp:
2740         (JSC::JIT::emit_op_get_pnames):
2741         (JSC::JIT::emit_op_create_activation):
2742         (JSC::JIT::emit_op_create_arguments):
2743         (JSC::JIT::emitSlow_op_check_has_instance):
2744         (JSC::JIT::emitSlow_op_instanceof):
2745         (JSC::JIT::emitSlow_op_get_argument_by_val):
2746         * jit/JITOpcodes32_64.cpp:
2747         (JSC::JIT::emitSlow_op_check_has_instance):
2748         (JSC::JIT::emitSlow_op_instanceof):
2749         (JSC::JIT::emit_op_get_pnames):
2750         (JSC::JIT::emit_op_create_activation):
2751         (JSC::JIT::emit_op_create_arguments):
2752         (JSC::JIT::emitSlow_op_get_argument_by_val):
2753         * jit/JITOperations.cpp:
2754         * jit/JITOperations.h:
2755         * jit/JITPropertyAccess.cpp:
2756         (JSC::JIT::emit_op_del_by_id):
2757         * jit/JITPropertyAccess32_64.cpp:
2758         (JSC::JIT::emit_op_del_by_id):
2759         * jit/JITStubs.cpp:
2760         * jit/JITStubs.h:
2761
2762 2013-10-13  Filip Pizlo  <fpizlo@apple.com>
2763
2764         FTL OSR exit should perform zero extension on values smaller than 64-bit
2765         https://bugs.webkit.org/show_bug.cgi?id=122688
2766
2767         Reviewed by Gavin Barraclough.
2768         
2769         In the DFG we usually make the simplistic assumption that a 32-bit value in a 64-bit
2770         register will have zeros on the high bits.  In the few cases where the high bits are
2771         non-zero, the DFG sort of tells us this explicitly.
2772
2773         But when working with llvm.webkit.stackmap, it doesn't work that way.  Consider that we might
2774         emit LLVM IR like:
2775
2776             %2 = trunc i64 %1 to i32
2777             stuff %2
2778             call @llvm.webkit.stackmap(...., %2)
2779
2780         LLVM may never actually emit a truncation instruction of any kind.  And that's great - in
2781         many cases it won't be needed, like if 'stuff %2' is a 32-bit op that ignores the high
2782         bits anyway.  Hence LLVM may tell us that %2 is in the register that still had the value
2783         from before truncation, and that register may have garbage in the high bits.
2784
2785         This means that on our end, if we want a 32-bit value and we want that value to be
2786         zero-extended, we should zero-extend it ourselves.  This is pretty easy and should be
2787         cheap, so we should just do it and not make it a requirement that LLVM does it on its
2788         end.
2789         
2790         This makes all tests pass with JSC_ftlOSRExitUsesStackmap=true.
2791
2792         * ftl/FTLOSRExitCompiler.cpp:
2793         (JSC::FTL::compileStubWithOSRExitStackmap):
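
        The zero-extension point above, as an added illustration that is not JSC's
        reboxAccordingToFormat: a rebox that trusts the high bits beside one that extends from the
        value's own width. The tag and boolean encodings mirror JSC's 64-bit JSValue boxing but are
        assumptions here, the Boolean case extends the 32-bit discussion to a 1-bit value, and the
        register images are constructed.

```cpp
// Added illustration, not JSC's reboxAccordingToFormat. Encodings below are
// assumed (JSValue64-style: int32 boxed under a high-16-bit tag, booleans as
// small constants); the register images are constructed for the example.
#include <cstdint>

static const uint64_t TagTypeNumber = 0xffff000000000000ull;  // assumed int32 tag
static const uint64_t ValueFalse = 0x06;                      // assumed
static const uint64_t ValueTrue  = 0x07;                      // assumed

enum class ValueFormat { Int32, Boolean };

// Rebox that trusts the high bits: correct only if whoever produced the
// register also cleared them, which LLVM does not promise once the trunc is
// folded away.
uint64_t reboxTrustingHighBits(ValueFormat f, uint64_t reg) {
    switch (f) {
    case ValueFormat::Int32:   return reg | TagTypeNumber;
    case ValueFormat::Boolean: return reg ? ValueTrue : ValueFalse;
    }
    return 0;
}

// Rebox that zero-extends from the value's own width first (the fix).
uint64_t reboxZeroExtending(ValueFormat f, uint64_t reg) {
    switch (f) {
    case ValueFormat::Int32:
        // Same effect as a 32-bit move on x86-64: high 32 bits become zero.
        return static_cast<uint64_t>(static_cast<uint32_t>(reg)) | TagTypeNumber;
    case ValueFormat::Boolean:
        // An i1 lives in bit 0 only; everything above it is noise.
        return (reg & 1) ? ValueTrue : ValueFalse;
    }
    return 0;
}

bool isInt32Box(uint64_t v) { return (v & TagTypeNumber) == TagTypeNumber; }
int32_t unboxInt32(uint64_t v) { return static_cast<int32_t>(static_cast<uint32_t>(v)); }

// A canonical int32 box has nothing between the payload and the tag; a box
// built from a dirty register passes the tag test but is not canonical, so
// any consumer comparing encoded values bitwise sees two "different" fives.
bool isCanonicalInt32Box(uint64_t v) { return isInt32Box(v) && ((v >> 32) & 0xffff) == 0; }

// Constructed register images: the low 32 bits / low bit hold the real value,
// the rest is leftover from the wider value the elided trunc was applied to.
static const uint64_t kRegInt32WithGarbage = 0xdeadbeef00000005ull;  // means int32 5
static const uint64_t kRegBoolWithGarbage  = 0xdeadbeef00000000ull;  // means false
```

        The Boolean case is the sharper failure: with garbage above bit 0, the trusting rebox turns a
        false into a true, whereas the int32 case merely produces a non-canonical box.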
2794         * ftl/FTLValueFormat.cpp:
2795         (JSC::FTL::reboxAccordingToFormat):
2796
2797 == Rolled over to ChangeLog-2013-10-13 ==