[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        Remove CachedTranscendentalFunction because caching math functions is an ugly idea
        https://bugs.webkit.org/show_bug.cgi?id=123574

        Reviewed by Mark Hahnenberg.

        This is performance-neutral because I also make Math.cos/sin intrinsic. This means that
        we gain the "overhead" of actually computing sin and cos but we lose the overhead of
        going through the native call thunks.

        Caching transcendental functions is a really ugly idea. It works for SunSpider because
        that benchmark makes very predictable calls into Math.sin. But I don't believe that this
        is representative of any kind of reality, and so for sensible uses of Math.sin/cos all
        that this was doing was adding more call overhead and some hashing overhead.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOperations.h:
        * runtime/CachedTranscendentalFunction.h: Removed.
        * runtime/DateInstanceCache.h:
        * runtime/Intrinsic.h:
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        (JSC::mathProtoFuncCos):
        (JSC::mathProtoFuncSin):
        * runtime/VM.h:

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Assertion failure in js/dom/global-constructors-attributes-dedicated-worker.html
        https://bugs.webkit.org/show_bug.cgi?id=123551
        <rdar://problem/15356238>

        Reviewed by Mark Hahnenberg.

        WatchpointSets have always had this "fire everything on deletion" policy because it
        seemed like a good fail-safe at the time I first implemented WatchpointSets. But
        it's actually causing bugs rather than providing safety:

        - Everyone who registers Watchpoints with WatchpointSets has separate mechanisms
          for either keeping the WatchpointSets alive or noticing when they are collected.
          So this wasn't actually providing any safety.

          One example of this is Structures, where:

          - CodeBlocks that register Watchpoints on Structure's WatchpointSet will also
            register weak references to the Structure, and the GC will jettison a CodeBlock
            if the Structure(s) it cares about dies.

          - StructureStubInfos that register Watchpoints on Structure's WatchpointSet will
            also be cleared by GC if the Structures die.

        - The WatchpointSet destructor would get invoked from finalization/destruction.
          This would then cause CodeBlock::jettison() to be called on a CodeBlock, but that
          method requires doing things that access heap objects. This would usually cause
          problems on VM destruction, since then the CodeBlocks would still be alive but the
          whole heap would be destroyed.

        This also ensures that CodeBlock::jettison() cannot cause a GC. This is safe since
        that method doesn't really allocate objects, and it is likely necessary because
        jettison() may be called from deep in the stack.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * bytecode/Watchpoint.cpp:
        (JSC::WatchpointSet::~WatchpointSet):
        * bytecode/Watchpoint.h:

2013-10-30  Mark Lam  <mark.lam@apple.com>

        Unreviewed, fix C Loop LLINT build.

        * bytecode/CodeBlockJettisoningWatchpoint.cpp:
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix FTL build.

        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):

2013-10-30  Alexey Proskuryakov  <ap@apple.com>

        Add a way to fulfill promises from DOM code
        https://bugs.webkit.org/show_bug.cgi?id=123466

        Reviewed by Sam Weinig.

        * JavaScriptCore.xcodeproj/project.pbxproj: Make JSPromise.h and JSPromiseResolver.h
        private headers for WebCore to use.

        * runtime/JSPromise.h:
        * runtime/JSPromiseResolver.h:
        Export functions that JSDOMPromise will use.

2013-10-30  Mark Lam  <mark.lam@apple.com>

        Adjust CallFrameHeader's ReturnPC and CallFrame locations to match the native ABI.
        https://bugs.webkit.org/show_bug.cgi?id=123444.

        Reviewed by Geoffrey Garen.

        - Introduced an explicit CallerFrameAndPC struct.
        - A CallFrame is expected to start with a CallerFrameAndPC struct.
        - The Register class no longer supports CallFrame* and Instruction*.

          This hides the differences between JSVALUE32_64 and JSVALUE64 in
          terms of managing the callerFrame() and returnPC() values.

        - Convert all uses of JSStack::CallerFrame and JSStack::ReturnPC to
          go through CallFrame to access the appropriate values and offsets.
          CallFrame, in turn, will access the callerFrame and returnPC via
          the CallerFrameAndPC struct.

        - InlineCallFrame will provide offsets for its callerFrame and
          returnPC. It will make use of CallFrame::callerFrameOffset() and
          CallerFrame::returnPCOffset() to compute these.

        * bytecode/CodeOrigin.h:
        (JSC::InlineCallFrame::callerFrameOffset):
        (JSC::InlineCallFrame::returnPCOffset):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::calleeFrameSlot):
        (JSC::DFG::SpeculativeJIT::calleeArgumentSlot):
        (JSC::DFG::SpeculativeJIT::calleeFrameTagSlot):
        (JSC::DFG::SpeculativeJIT::calleeFramePayloadSlot):
        (JSC::DFG::SpeculativeJIT::calleeArgumentTagSlot):
        (JSC::DFG::SpeculativeJIT::calleeArgumentPayloadSlot):
        - Prefixed all the above with callee since they apply to the callee frame.
        (JSC::DFG::SpeculativeJIT::calleeFrameCallerFrame):
        - Added to set the callerFrame pointer in the callee frame.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLink.cpp:
        (JSC::FTL::compileEntry):
        (JSC::FTL::link):
        * interpreter/CallFrame.h:
        (JSC::ExecState::callerFrame):
        (JSC::ExecState::callerFrameOffset):
        (JSC::ExecState::returnPC):
        (JSC::ExecState::hasReturnPC):
        (JSC::ExecState::clearReturnPC):
        (JSC::ExecState::returnPCOffset):
        (JSC::ExecState::setCallerFrame):
        (JSC::ExecState::setReturnPC):
        (JSC::ExecState::callerFrameAndPC):
        * interpreter/JSStack.h:
        * interpreter/Register.h:
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitPutToCallFrameHeader):
        - Convert to using storePtr() here and simplify the code.
        (JSC::AssemblyHelpers::emitGetCallerFrameFromCallFrameHeaderPtr):
        (JSC::AssemblyHelpers::emitPutCallerFrameToCallFrameHeader):
        (JSC::AssemblyHelpers::emitGetReturnPCFromCallFrameHeaderPtr):
        (JSC::AssemblyHelpers::emitPutReturnPCToCallFrameHeader):
        - Helpers to emit gets/puts of the callerFrame and returnPC.
        (JSC::AssemblyHelpers::addressForByteOffset):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompile):
        (JSC::JIT::privateCompileExceptionHandlers):
        * jit/JITCall.cpp:
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::emit_op_ret_object_or_this):
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileOpCall):
        * jit/JITInlines.h:
        (JSC::JIT::unmap):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_end):
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::emit_op_ret_object_or_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_end):
        * jit/JITOperations.cpp:
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::returnJSValue):
        (JSC::SpecializedThunkJIT::returnDouble):
        (JSC::SpecializedThunkJIT::returnInt32):
        (JSC::SpecializedThunkJIT::returnJSCell):
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::slowPathFor):
        (JSC::nativeForGenerator):

        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        - Updated offsets and asserts to match the new CallFrame layout.

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Mac.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::RegisterAllocationOffset::checkOffsets):
        (JSC::AbstractMacroAssembler::checkRegisterAllocationAgainstBranchRange):

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Windows.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Windows.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addFrequentExitSite):

2013-10-29  Filip Pizlo  <fpizlo@apple.com>

        Add InvalidationPoints to the DFG and use them for all watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=123472

        Reviewed by Mark Hahnenberg.

        This makes a fundamental change to how watchpoints work in the DFG.

        Previously, a watchpoint was an instruction whose execution semantics were something
        like:

            if (watchpoint->invalidated)
                exit

        We would implement this without any branch by using jump replacement.

        This is a very good optimization. But it's a bit awkward once you get a lot of
        watchpoints: semantically we will have lots of these branches in the code, which the
        compiler needs to reason about even though they don't actually result in any emitted
        code.

        Separately, we also had a mechanism for jettisoning a CodeBlock. This mechanism would
        be invoked if a CodeBlock exited a lot. It would ensure that a CodeBlock wouldn't be
        called into again, but it would do nothing for CodeBlocks that were already on the
        stack.

        This change flips jettisoning and watchpoint invalidation on their heads. Now, the jump
        replacement has nothing to do with watchpoints; instead it's something that happens if
        you ever jettison a CodeBlock. Jump replacement is now an all-or-nothing operation over
        all of the potential call-return safe-exit-points in a CodeBlock. We call these
        "InvalidationPoint"s. A watchpoint instruction is now "lowered" by having the DFG
        collect all of the watchpoint sets that the CodeBlock cares about, and then registering
        a CodeBlockJettisoningWatchpoint with all of them. That is, if the watchpoint fires, it
        jettisons the CodeBlock, which in turn ensures that the CodeBlock can't be called into
        (because the entrypoint now points to baseline code) and can't be returned into
        (because returning exits to baseline before the next bytecode instruction).

        This will allow for a sensible lowering of watchpoints to LLVM IR. It will also allow
        for jettison() to be used effectively for things like breakpointing and single-stepping
        in the debugger.

        Well, basically, this mechanism just takes us into the HotSpot-style world where anyone
        can, at any time and for any reason, request that an optimized CodeBlock is rendered
        immediately invalid. You can use this for many cool things, I'm sure.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * bytecode/CodeBlock.h:
        * bytecode/CodeBlockJettisoningWatchpoint.cpp: Added.
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/CodeBlockJettisoningWatchpoint.h: Added.
        (JSC::CodeBlockJettisoningWatchpoint::CodeBlockJettisoningWatchpoint):
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp: Added.
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.h: Added.
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::ProfiledCodeBlockJettisoningWatchpoint):
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGClobberize.cpp:
        (JSC::DFG::writesOverlap):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        (JSC::DFG::AbstractHeapOverlaps::AbstractHeapOverlaps):
        (JSC::DFG::AbstractHeapOverlaps::operator()):
        (JSC::DFG::AbstractHeapOverlaps::result):
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::CommonData::invalidate):
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::CommonData):
        * dfg/DFGDesiredWatchpoints.cpp:
        (JSC::DFG::DesiredWatchpoints::addLazily):
        (JSC::DFG::DesiredWatchpoints::reallyAdd):
        * dfg/DFGDesiredWatchpoints.h:
        (JSC::DFG::WatchpointForGenericWatchpointSet::WatchpointForGenericWatchpointSet):
        (JSC::DFG::GenericDesiredWatchpoints::addLazily):
        (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
        (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGInvalidationPointInjectionPhase.cpp: Added.
        (JSC::DFG::InvalidationPointInjectionPhase::InvalidationPointInjectionPhase):
        (JSC::DFG::InvalidationPointInjectionPhase::run):
        (JSC::DFG::InvalidationPointInjectionPhase::handle):
        (JSC::DFG::InvalidationPointInjectionPhase::insertInvalidationCheck):
        (JSC::DFG::performInvalidationPointInjection):
        * dfg/DFGInvalidationPointInjectionPhase.h: Added.
        * dfg/DFGJITCode.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        * dfg/DFGJumpReplacement.cpp: Added.
        (JSC::DFG::JumpReplacement::fire):
        * dfg/DFGJumpReplacement.h: Added.
        (JSC::DFG::JumpReplacement::JumpReplacement):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRExitCompilationInfo.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::reallyAdd):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::masqueradesAsUndefinedWatchpointIsStillValid):
        (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWatchpointCollectionPhase.cpp: Added.
        (JSC::DFG::WatchpointCollectionPhase::WatchpointCollectionPhase):
        (JSC::DFG::WatchpointCollectionPhase::run):
        (JSC::DFG::WatchpointCollectionPhase::handle):
        (JSC::DFG::WatchpointCollectionPhase::handleEdge):
        (JSC::DFG::WatchpointCollectionPhase::handleMasqueradesAsUndefined):
        (JSC::DFG::WatchpointCollectionPhase::handleStringGetByVal):
        (JSC::DFG::WatchpointCollectionPhase::addLazily):
        (JSC::DFG::WatchpointCollectionPhase::globalObject):
        (JSC::DFG::performWatchpointCollection):
        * dfg/DFGWatchpointCollectionPhase.h: Added.
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileStructureTransitionWatchpoint):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::compileGlobalVarWatchpoint):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
        (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
        * jit/JITOperations.cpp:
        * jit/JumpReplacementWatchpoint.cpp: Removed.
        * jit/JumpReplacementWatchpoint.h: Removed.

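        The jettison-on-watchpoint scheme this entry describes, together with the "do not fire
        on destruction" rule from the 2013-10-30 WatchpointSet entry above, as a small C++ model.
        This is an added illustration for readers of the ChangeLog, not JavaScriptCore code: the
        class names (WatchpointSet, CodeBlock, CodeBlockJettisoningWatchpoint, DesiredWatchpoints)
        echo JSC's, but every type and method body here is a simplified stand-in, and the two
        scenarios (a CodeBlock that depends on two constructed "structure" watchpoint sets; a set
        that is destroyed before the CodeBlock) are invented for the demonstration. The model's
        choice to fire immediately when a watchpoint is added to an already-invalidated set is
        also an assumption, not a statement about JSC.

```cpp
// Added model of DFG watchpoints -> CodeBlock jettison -> invalidation points.
// Not JavaScriptCore code; names echo JSC, bodies are simplified stand-ins.
#include <cassert>
#include <memory>
#include <string>
#include <utility>
#include <vector>

struct Watchpoint {
    virtual ~Watchpoint() = default;
    virtual void fire() = 0;
};

// Invalidated at most once. Destroying a set fires nothing (the 2013-10-30 entry):
// whoever registered a watchpoint tracks the set's lifetime by other means.
struct WatchpointSet {
    bool invalidated = false;
    std::vector<Watchpoint*> watchpoints;  // non-owning

    void add(Watchpoint* w) {
        if (invalidated) { w->fire(); return; }  // model assumption: late add fires now
        watchpoints.push_back(w);
    }
    void fireAll() {
        if (invalidated) return;
        invalidated = true;
        std::vector<Watchpoint*> pending;
        pending.swap(watchpoints);  // fire() may re-enter this set
        for (Watchpoint* w : pending) w->fire();
    }
    ~WatchpointSet() = default;  // intentionally silent
};

// Optimized code with N invalidation points (call/return sites that can exit to
// baseline). Jump replacement is all-or-nothing across all of them.
struct CodeBlock {
    std::string name;
    bool jettisoned = false;
    int jettisonCount = 0;            // how many times real jettison work ran
    bool entrypointIsBaseline = false;
    std::vector<bool> invalidationPointPatched;

    CodeBlock(std::string n, size_t points)
        : name(std::move(n)), invalidationPointPatched(points, false) {}

    void jettison() {
        if (jettisoned) return;       // idempotent: several sets may fire for one block
        jettisoned = true;
        ++jettisonCount;
        entrypointIsBaseline = true;  // cannot be called into any more
        for (size_t i = 0; i < invalidationPointPatched.size(); ++i)
            invalidationPointPatched[i] = true;  // cannot be returned into either
    }
};

struct CodeBlockJettisoningWatchpoint : Watchpoint {
    CodeBlock* codeBlock;
    explicit CodeBlockJettisoningWatchpoint(CodeBlock* cb) : codeBlock(cb) {}
    void fire() override { codeBlock->jettison(); }
};

// Compile-side bookkeeping: collect the sets a block speculates on, re-check them
// at link time, then register one jettisoning watchpoint per set.
struct DesiredWatchpoints {
    std::vector<WatchpointSet*> sets;
    std::vector<std::unique_ptr<Watchpoint>> owned;  // outlives registration

    void addLazily(WatchpointSet* s) { sets.push_back(s); }
    bool areStillValid() const {
        for (WatchpointSet* s : sets) if (s->invalidated) return false;
        return true;
    }
    void reallyAdd(CodeBlock* cb) {
        for (WatchpointSet* s : sets) {
            owned.push_back(std::make_unique<CodeBlockJettisoningWatchpoint>(cb));
            s->add(owned.back().get());
        }
    }
};

// Runtime probes used by the scenarios below.
bool callRunsOptimized(const CodeBlock& cb) { return !cb.entrypointIsBaseline; }
bool returnExitsToBaseline(const CodeBlock& cb, size_t point) {
    return cb.invalidationPointPatched[point];
}

struct Outcome { bool optimizedBefore, optimizedAfter, returnExitsAfter; int jettisons; };

// Scenario 1 (constructed): block depends on two structure sets; A fires, then B.
Outcome fireScenario() {
    WatchpointSet structureA, structureB;
    CodeBlock cb("foo", 3);
    DesiredWatchpoints desired;
    desired.addLazily(&structureA);
    desired.addLazily(&structureB);
    assert(desired.areStillValid());  // link-time check before committing the code
    desired.reallyAdd(&cb);

    Outcome o{};
    o.optimizedBefore = callRunsOptimized(cb);
    structureA.fireAll();                               // e.g. a transition on A
    o.optimizedAfter = callRunsOptimized(cb);
    o.returnExitsAfter = returnExitsToBaseline(cb, 1);  // frames on the stack exit too
    structureB.fireAll();                               // later firing: no second jettison
    o.jettisons = cb.jettisonCount;
    return o;
}

// Scenario 2 (constructed): the set dies first. The old fire-on-delete policy would
// jettison here (possibly during heap teardown); the new policy leaves the block alone
// and relies on the block's own weak reference / GC clearing to retire it.
bool destroyedSetLeavesCodeBlockAlone() {
    CodeBlock cb("bar", 1);
    DesiredWatchpoints desired;
    {
        WatchpointSet transient;
        desired.addLazily(&transient);
        desired.reallyAdd(&cb);
    }  // ~WatchpointSet runs here and fires nothing (desired.sets is not touched again)
    return !cb.jettisoned && callRunsOptimized(cb);
}
```

        The point to check when reading either JSC entry against this model is the pair of
        invariants jettison() establishes at once: new calls land in baseline, and every frame
        already on the stack leaves optimized code at its next invalidation point.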
2013-10-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSExport doesn't support constructors
        https://bugs.webkit.org/show_bug.cgi?id=123380

        Reviewed by Geoffrey Garen.

        Support for constructor-style callbacks for the Objective-C API to JSC is currently limited to
        Objective-C blocks. Any clients who try to call the constructor of a JSExport-ed Objective-C class
        are met with a type error stating that it cannot be called as a constructor.

        It would be nice to expand JSExport's functionality to support this idiom. It is a natural
        extension to JSExport and would increase the expressiveness and simplicity in both Objective-C and
        JavaScript client code.

        The way we'll do this is to expand the capabilities of ObjCCallbackFunction and associated classes.
        Instead of constructing a normal C API object for the constructor, we'll instead allocate a full-blown
        ObjCCallbackFunction object which can already properly handle being invoked as a constructor.

        * API/JSWrapperMap.mm:
        (copyMethodsToObject):
        (allocateConstructorForCustomClass):
        (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
        (tryUnwrapObjcObject):
        * API/ObjCCallbackFunction.h:
        (JSC::ObjCCallbackFunction::impl):
        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
        (JSC::ObjCCallbackFunctionImpl::wrappedConstructor):
        (JSC::ObjCCallbackFunctionImpl::isConstructible):
        (JSC::ObjCCallbackFunction::getConstructData):
        (JSC::ObjCCallbackFunctionImpl::name):
        (JSC::ObjCCallbackFunctionImpl::call):
        (objCCallbackFunctionForInvocation):
        (objCCallbackFunctionForInit):
        (tryUnwrapConstructor):
        * API/tests/testapi.mm:
        (-[TextXYZ initWithString:]):
        (-[ClassA initWithA:]):
        (-[ClassB initWithA:b:]):
        (-[ClassC initWithA:]):
        (-[ClassC initWithA:b:]):

2013-10-30  peavo@outlook.com  <peavo@outlook.com>

        [Win] Compile errors when enabling DFG JIT.
        https://bugs.webkit.org/show_bug.cgi?id=120998

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added files.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
        * dfg/DFGAllocator.h: Removed scope.
        * dfg/DFGWorklist.cpp: Use new ThreadingOnce class instead of pthread_once.
        (JSC::DFG::globalWorklist):
        * heap/DeferGC.h: Link fix, member needs to be public.
        * jit/JITOperationWrappers.h: Added required assembler macros.

2013-10-30  Iago Toral Quiroga  <itoral@igalia.com>

        Add result caching for Math.cos
        https://bugs.webkit.org/show_bug.cgi?id=123255

        Reviewed by Brent Fulgham.

        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncCos):
        * runtime/VM.h:

2013-10-30  Alex Christensen  <achristensen@webkit.org>

        Disabled JIT on Win64.
        https://bugs.webkit.org/show_bug.cgi?id=122472

        Reviewed by Geoffrey Garen.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        Disabled building JITStubsMSVC64.

2013-10-29  Michael Saboff  <msaboff@apple.com>

        Change local variable register allocation to start at offset -1
        https://bugs.webkit.org/show_bug.cgi?id=123182

        Reviewed by Geoffrey Garen.

        Adjusted the virtual register mapping down by one slot.  Reduced
        the CallFrame header slots offsets by one.  They now start at 0.
        Changed arity fixup to no longer skip past register slot 0 as this
        is now part of the CallFrame header.

        * bytecode/VirtualRegister.h:
        (JSC::operandIsLocal):
        (JSC::operandIsArgument):
        (JSC::VirtualRegister::localToOperand):
        (JSC::VirtualRegister::operandToLocal):
          Adjusted functions for shift in mapping from local to register offset.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct):
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):
        * interpreter/CallFrame.h:
        (JSC::ExecState::frameExtent):
        (JSC::ExecState::offsetFor):
        * interpreter/Interpreter.cpp:
        (JSC::loadVarargs):
        (JSC::Interpreter::dumpRegisters):
        (JSC::Interpreter::executeCall):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
          Adjusted math to accommodate for shift in call frame slots.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::calleeFrameOffset):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::frameExtentInternal):
        * interpreter/JSStackInlines.h:
        (JSC::JSStack::pushFrame):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_slow_path_stack_check):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::arityCheckFor):
          Fixed offset calculation to use VirtualRegister and related calculation instead of
          doing separate calculations.

        * interpreter/JSStack.h:
          Adjusted CallFrame slots down by one.  Did some miscellaneous fixing of dumpRegisters()
          in the process of testing the fixes.

        * jit/ThunkGenerators.cpp:
        (JSC::arityFixup):
          Changed arity fixup to no longer skip past register slot 0 as this
          is now part of the CallFrame header.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
          Changed arity fixup to no longer skip past register slot 0 as this
          is now part of the CallFrame header.  Updated op_enter processing for
          the change in local registers.

        * runtime/JSGlobalObject.h:
          Removed the now unneeded extra slot in the global callframe

2013-10-29  Julien Brianceau  <jbriance@cisco.com>

        [arm] Fix lots of crashes because of 4th argument register trampling.
        https://bugs.webkit.org/show_bug.cgi?id=123421

        Reviewed by Michael Saboff.

        r3 register is the 4th argument register for ARM and also a scratch
        register in the baseline JIT for this architecture. We can use r6
        instead, as this used to be the timeoutCheckRegister and it is no
        longer used since r148119.

        * assembler/ARMAssembler.h: Temp register is now r6 instead of r3 for ARM.
        * assembler/MacroAssemblerARMv7.h: Temp register is now r6 instead of r3 for ARMv7.
        * jit/GPRInfo.h: Add r3 properly in GPRInfo for ARM.
        (JSC::GPRInfo::toRegister):
        (JSC::GPRInfo::toIndex):
        * jit/JITStubsARM.h:
        (JSC::ctiTrampoline): Remove obsolete timeoutCheckRegister init.
        * jit/JITStubsARMv7.h:
        (JSC::ctiTrampoline): Remove obsolete timeoutCheckRegister init.
        * jit/JSInterfaceJIT.h: Remove useless stuff.
        * yarr/YarrJIT.cpp: Use r3 and not the new scratch register r6.
        (JSC::Yarr::YarrGenerator::generateEnter): r8 register doesn't need to be saved.
        (JSC::Yarr::YarrGenerator::generateReturn):

2013-10-29  Julien Brianceau  <jbriance@cisco.com>

        Fix CPU(ARM_TRADITIONAL) build after r157690.
        https://bugs.webkit.org/show_bug.cgi?id=123247

        Reviewed by Michael Saboff.

        Since r157690, the executableCopy function has been removed from AssemblerBuffer.h
        and the copy of executable code occurs in the linkCode function (in LinkBuffer.cpp).
        As the constant pool for jumps is updated in the executableCopy function of ARM_TRADITIONAL,
        this part of code still needs to be called and absolute jumps must be corrected to anticipate
        the copy of the executable code through memcpy.

        * assembler/ARMAssembler.cpp:
        (JSC::ARMAssembler::prepareExecutableCopy): Rename executableCopy to prepareExecutableCopy
        and correct absolute jump values using the delta between the source and destination buffers.
        * assembler/ARMAssembler.h:
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::linkCode): Call prepareExecutableCopy just before the memcpy.

2013-10-28  Filip Pizlo  <fpizlo@apple.com>

        OSRExit::m_watchpointIndex should be in OSRExitCompilationInfo
        https://bugs.webkit.org/show_bug.cgi?id=123423

        Reviewed by Mark Hahnenberg.

        Also enable ExitKind to tell you if it's a watchpoint.

        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        (JSC::isWatchpoint):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::setArgument):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::appendExitInfo):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitCompilationInfo.h:
        (JSC::DFG::OSRExitCompilationInfo::OSRExitCompilationInfo):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

661 2013-10-28  Myles C. Maxfield  <mmaxfield@apple.com>
662
663         Parsing support for -webkit-text-decoration-skip: ink
664         https://bugs.webkit.org/show_bug.cgi?id=123358
665
666         Reviewed by Dean Jackson.
667
668         Adding ENABLE(CSS3_TEXT_DECORATION)
669
670         * Configurations/FeatureDefines.xcconfig:
671
672 2013-10-24  Filip Pizlo  <fpizlo@apple.com>
673
674         Get rid of InlineStart so that I don't have to implement it in FTL
675         https://bugs.webkit.org/show_bug.cgi?id=123302
676
677         Reviewed by Geoffrey Garen.
678         
679         InlineStart was a special instruction that we would insert at the top of inlined code,
680         so that the backend could capture the OSR state of arguments to an inlined call. It used
681         to be that only the backend had this information, so this instruction was sort of an ugly
682         callback from the backend for filling in some data structures.
683         
684         But in the time since when that code was written (two years ago?), we rationalized how
685         variables work. It's now the case that variables that the runtime must know about are
686         treated specially in IR (they are "flushed") and we know how we will represent them even
687         before we get to the backend. The last place that makes changes to their representation
688         is the StackLayoutPhase.
689         
690         So, this patch gets rid of InlineStart, but keeps around the special meta-data that the
691         instruction had. Instead of handling the bookkeeping in the backend, we handle it in
692         StackLayoutPhase. This means that the DFG and FTL can share code for handling this
693         bookkeeping. This also means that now the FTL can compile code blocks that had inlining.
694         
695         Of course, giving the FTL the ability to handle code blocks that had inlining means that
696         we're going to have new bugs. Sure enough, the FTL's linker didn't handle inline call
697         frames. This patch also fixes that.
698
699         * dfg/DFGAbstractInterpreterInlines.h:
700         (JSC::DFG::::executeEffects):
701         * dfg/DFGByteCodeParser.cpp:
702         (JSC::DFG::ByteCodeParser::handleInlining):
703         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
704         * dfg/DFGClobberize.h:
705         (JSC::DFG::clobberize):
706         * dfg/DFGFixupPhase.cpp:
707         (JSC::DFG::FixupPhase::fixupNode):
708         * dfg/DFGGraph.h:
709         * dfg/DFGNode.h:
710         * dfg/DFGNodeType.h:
711         * dfg/DFGPredictionPropagationPhase.cpp:
712         (JSC::DFG::PredictionPropagationPhase::propagate):
713         * dfg/DFGSafeToExecute.h:
714         (JSC::DFG::safeToExecute):
715         * dfg/DFGSpeculativeJIT.cpp:
716         * dfg/DFGSpeculativeJIT.h:
717         * dfg/DFGSpeculativeJIT32_64.cpp:
718         (JSC::DFG::SpeculativeJIT::compile):
719         * dfg/DFGSpeculativeJIT64.cpp:
720         (JSC::DFG::SpeculativeJIT::compile):
721         * dfg/DFGStackLayoutPhase.cpp:
722         (JSC::DFG::StackLayoutPhase::run):
723         * ftl/FTLLink.cpp:
724         (JSC::FTL::link):
725
726 2013-10-24  Filip Pizlo  <fpizlo@apple.com>
727
728         The GetById->GetByOffset AI-based optimization should actually do things
729         https://bugs.webkit.org/show_bug.cgi?id=123299
730
731         Reviewed by Oliver Hunt.
732         
733         20% speed-up on Octane/gbemu.
734
735         * bytecode/GetByIdStatus.cpp:
736         (JSC::GetByIdStatus::computeFor): Actually finish filling in the Status by setting the state. Previously it would remain set to NoInformation, meaning that this whole method was a no-op.
737
738 2013-10-28  Carlos Garcia Campos  <cgarcia@igalia.com>
739
740         Unreviewed. Fix make distcheck.
741
742         * GNUmakefile.list.am: Add missing files to compilation.
743
744 2013-10-25  Oliver Hunt  <oliver@apple.com>
745
746         Refactor parser rollback logic
747         https://bugs.webkit.org/show_bug.cgi?id=123372
748
749         Reviewed by Brady Eidson.
750
751         Add a sane abstraction for rollbacks in the parser.
752
753         * parser/Parser.cpp:
754         (JSC::::parseSourceElements):
755         (JSC::::parseObjectLiteral):
756         * parser/Parser.h:
757         (JSC::Parser::createSavePoint):
758         (JSC::Parser::restoreSavePoint):
759
760 2013-10-25  peavo@outlook.com  <peavo@outlook.com>
761
762         [Win] Javascript crash with DFG JIT enabled.
763         https://bugs.webkit.org/show_bug.cgi?id=121001
764
765         Reviewed by Geoffrey Garen.
766
767         On Windows, using the register GPRInfo::regT0 as a parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0)
768         results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
769         where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
770         This causes the register to be written to address 0, hence the crash.
771   
772         * assembler/MacroAssemblerX86.h:
773         (JSC::MacroAssemblerX86::storeDouble): Assert if we try to generate code which writes to a null pointer.
774         * dfg/DFGOSRExitCompiler32_64.cpp:
775         (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
776         * dfg/DFGThunks.cpp:
777         (JSC::DFG::osrExitGenerationThunkGenerator): Ditto.
778
779 2013-10-25  Oliver Hunt  <oliver@apple.com>
780
781         Fix a number of problems with destructuring of arguments
782         https://bugs.webkit.org/show_bug.cgi?id=123357
783
784         Reviewed by Filip Pizlo.
785
786         This renames the destructuring node's emitBytecode to bindValue
787         in order to remove the existing confusion over what was happening.
788
789         We then fix an incorrect fall through in the destructuring arguments
790         logic, and fix the then exposed bug where we placed the index rather
791         than value into the bound property.
792
793         * bytecompiler/BytecodeGenerator.cpp:
794         (JSC::BytecodeGenerator::BytecodeGenerator):
795         * bytecompiler/NodesCodegen.cpp:
796         (JSC::ForInNode::emitBytecode):
797         (JSC::ForOfNode::emitBytecode):
798         (JSC::DeconstructingAssignmentNode::emitBytecode):
799         (JSC::ArrayPatternNode::bindValue):
800         (JSC::ArrayPatternNode::emitDirectBinding):
801         (JSC::ObjectPatternNode::bindValue):
802         (JSC::BindingNode::bindValue):
803         * parser/Nodes.h:
804
805 2013-10-25  Joseph Pecoraro  <pecoraro@apple.com>
806
807         Upstream ENABLE(REMOTE_INSPECTOR) and enable on iOS and Mac
808         https://bugs.webkit.org/show_bug.cgi?id=123111
809
810         Reviewed by Timothy Hatcher.
811
812         * Configurations/FeatureDefines.xcconfig:
813
814 2013-10-25  Oliver Hunt  <oliver@apple.com>
815
816         Fix MSVC again
817
818         * parser/Parser.cpp:
819
820 2013-10-25  Oliver Hunt  <oliver@apple.com>
821
822         Fix MSVC
823
824         * parser/Parser.cpp:
825
826 2013-10-25  Oliver Hunt  <oliver@apple.com>
827
828         Improve JSC Parser error messages
829         https://bugs.webkit.org/show_bug.cgi?id=123341
830
831         Reviewed by Andreas Kling.
832
833         This patch moves away from the current kludgy mechanisms used to produce
834         error messages and moves to something closer to case by case errors.
835
836         This results in a large change size as previously we may just have
837         'failIfFalse(foo)', but now the logic becomes either
838         'failIfFalseWithMessage(foo, "Cannot do blah with ", foo->thing())'
839         or alternatively
840
841         if (!foo)
842             check for 'interesting' errors, before falling back to generic error
843
844         This means that this patch is large, but produces no semantic changes, and
845         only hits slow (e.g. error) paths.
846
847         * parser/Parser.cpp:
848         (JSC::::Parser):
849         (JSC::::parseSourceElements):
850         (JSC::::parseVarDeclaration):
851         (JSC::::parseConstDeclaration):
852         (JSC::::parseDoWhileStatement):
853         (JSC::::parseWhileStatement):
854         (JSC::::parseVarDeclarationList):
855         (JSC::::createBindingPattern):
856         (JSC::::parseDeconstructionPattern):
857         (JSC::::parseConstDeclarationList):
858         (JSC::::parseForStatement):
859         (JSC::::parseBreakStatement):
860         (JSC::::parseContinueStatement):
861         (JSC::::parseReturnStatement):
862         (JSC::::parseThrowStatement):
863         (JSC::::parseWithStatement):
864         (JSC::::parseSwitchStatement):
865         (JSC::::parseSwitchClauses):
866         (JSC::::parseSwitchDefaultClause):
867         (JSC::::parseTryStatement):
868         (JSC::::parseDebuggerStatement):
869         (JSC::::parseBlockStatement):
870         (JSC::::parseStatement):
871         (JSC::::parseFormalParameters):
872         (JSC::::parseFunctionBody):
873         (JSC::stringForFunctionMode):
874         (JSC::::parseFunctionInfo):
875         (JSC::::parseFunctionDeclaration):
876         (JSC::::parseExpressionOrLabelStatement):
877         (JSC::::parseExpressionStatement):
878         (JSC::::parseIfStatement):
879         (JSC::::parseExpression):
880         (JSC::::parseAssignmentExpression):
881         (JSC::::parseConditionalExpression):
882         (JSC::::parseBinaryExpression):
883         (JSC::::parseProperty):
884         (JSC::::parseObjectLiteral):
885         (JSC::::parseStrictObjectLiteral):
886         (JSC::::parseArrayLiteral):
887         (JSC::::parsePrimaryExpression):
888         (JSC::::parseArguments):
889         (JSC::::parseMemberExpression):
890         (JSC::operatorString):
891         (JSC::::parseUnaryExpression):
892         (JSC::::printUnexpectedTokenText):
893         * parser/Parser.h:
894         (JSC::Scope::hasDeclaredVariable):
895         (JSC::Scope::hasDeclaredParameter):
896         (JSC::Parser::hasDeclaredVariable):
897         (JSC::Parser::hasDeclaredParameter):
898         (JSC::Parser::setErrorMessage):
899
900 2013-10-24  Mark Rowe  <mrowe@apple.com>
901
902         Remove references to OS X 10.7 from Xcode configuration settings.
903
904         Now that we're not building for OS X 10.7 they're no longer needed.
905
906         Reviewed by Anders Carlsson.
907
908         * Configurations/Base.xcconfig:
909         * Configurations/DebugRelease.xcconfig:
910         * Configurations/FeatureDefines.xcconfig:
911         * Configurations/Version.xcconfig:
912
913 2013-10-24  Mark Rowe  <mrowe@apple.com>
914
915         <rdar://problem/15312643> Prepare for the mysterious future.
916
917         Reviewed by David Kilzer.
918
919         * Configurations/Base.xcconfig:
920         * Configurations/DebugRelease.xcconfig:
921         * Configurations/FeatureDefines.xcconfig:
922         * Configurations/Version.xcconfig:
923
924 2013-10-24  Mark Lam  <mark.lam@apple.com>
925
926         Better way to fix part of broken C Loop LLINT build.
927         https://bugs.webkit.org/show_bug.cgi?id=123271.
928
929         Reviewed by Geoffrey Garen.
930
931         Undoing offline asm hackery.
932
933         * llint/LowLevelInterpreter.cpp:
934         * llint/LowLevelInterpreter32_64.asm:
935         * llint/LowLevelInterpreter64.asm:
936         * offlineasm/cloop.rb:
937         * offlineasm/instructions.rb:
938
939 2013-10-24  Mark Lam  <mark.lam@apple.com>
940
941         Fix broken C Loop LLINT build.
942         https://bugs.webkit.org/show_bug.cgi?id=123271.
943
944         Reviewed by Michael Saboff.
945
946         * bytecode/CodeBlock.cpp:
947         (JSC::CodeBlock::printGetByIdCacheStatus): Added an UNUSED_PARAM().
948         (JSC::CodeBlock::dumpBytecode): Added #if ENABLE(JIT) to JIT only code.
949         * bytecode/GetByIdStatus.cpp:
950         (JSC::GetByIdStatus::computeFor): Added an UNUSED_PARAM().
951         * bytecode/PutByIdStatus.cpp:
952         (JSC::PutByIdStatus::computeFor): Added an UNUSED_PARAM().
953         * bytecode/StructureStubInfo.h:
954         - Added a stub StubInfoMap for non-JIT builds. StubInfoMap is still used
955           in function prototypes even when !ENABLE(JIT). Rather than adding #if's
956           in many places, we just provide a stub/placeholder implementation that
957           is unused but keeps the compiler happy.
958         * jit/JITOperations.h: Added #if ENABLE(JIT).
959         * llint/LowLevelInterpreter32_64.asm:
960         * llint/LowLevelInterpreter64.asm:
961         - The putByVal() macro reifies a slow path which is never taken in one case.
962           This translates into a label that is never used in the C Loop LLINT. The
963           C++ compiler doesn't like unused labels. So, we fix this by adding a
964           cloopUnusedLabel offline asm instruction that synthesizes the following:
965
966               if (false) goto unusedLabel;
967
968           This keeps the C++ compiler happy without changing code behavior.
969         * offlineasm/cloop.rb: Implementing cloopUnusedLabel.
970         * offlineasm/instructions.rb: Declaring cloopUnusedLabel.
971         * runtime/Executable.cpp:
972         (JSC::setupJIT): Added UNUSED_PARAM()s.
973         (JSC::ScriptExecutable::prepareForExecutionImpl):
974         - run-javascriptcore-tests has phases that force the LLINT to be off
975           which in turn asserts that the JIT is enabled. With the C Loop LLINT,
976           this combination is illegal. So, we override the setup code here to
977           always use the LLINT if !ENABLE(JIT) regardless of what options are
978           passed in.
979
980 2013-10-24  peavo@outlook.com  <peavo@outlook.com>
981
982         Uninitialized member causes crash when DFG JIT is not enabled.
983         https://bugs.webkit.org/show_bug.cgi?id=123270
984
985         Reviewed by Brent Fulgham.
986
987         The data member sizeOfLastScratchBuffer in the VM class is only initialized if DFG JIT is enabled, even though it's defined regardless.
988         This causes an early crash on Windows, which doesn't have DFG JIT enabled.
989
990         * runtime/VM.cpp:
991         (JSC::VM::VM): Initialize sizeOfLastScratchBuffer member regardless of whether DFG JIT is enabled.
992
993 2013-10-24  Ryuan Choi  <ryuan.choi@samsung.com>
994
995         [EFL] Build break with latest EFL 1.8 libraries.
996         https://bugs.webkit.org/show_bug.cgi?id=123245
997
998         Reviewed by Gyuyoung Kim.
999
1000         After the build break on EFL 1.8 was fixed at r138326, the EFL libraries changed
1001         the Eo typedef and split the header files which contain the version macro.
1002
1003         * PlatformEfl.cmake: Added EO path to include directories.
1004         * heap/HeapTimer.h: Changed Ecore_Timer typedef when EO exists.
1005
1006 2013-10-23  Filip Pizlo  <fpizlo@apple.com>
1007
1008         Put all uses of LLVM intrinsics behind a single Option
1009         https://bugs.webkit.org/show_bug.cgi?id=123219
1010
1011         Reviewed by Mark Hahnenberg.
1012
1013         * ftl/FTLExitThunkGenerator.cpp:
1014         (JSC::FTL::ExitThunkGenerator::emitThunk):
1015         * ftl/FTLLowerDFGToLLVM.cpp:
1016         (JSC::FTL::generateExitThunks):
1017         (JSC::FTL::LowerDFGToLLVM::compileGetById):
1018         (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
1019         (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
1020         * ftl/FTLOSRExitCompiler.cpp:
1021         (JSC::FTL::compileFTLOSRExit):
1022         * runtime/Options.h:
1023
1024 2013-10-23  Daniel Bates  <dabates@apple.com>
1025
1026         Fix JavaScriptCore build targets following <http://trac.webkit.org/changeset/157864>
1027         (https://bugs.webkit.org/show_bug.cgi?id=123169)
1028
1029         Tell Xcode that the supported platforms for all JavaScriptCore targets are iOS and OS X.
1030
1031         * Configurations/Base.xcconfig:
1032
1033 2013-10-23  Michael Saboff  <msaboff@apple.com>
1034
1035         LLInt arity check exception processing should start unwinding from caller
1036         https://bugs.webkit.org/show_bug.cgi?id=123209
1037
1038         Reviewed by Oliver Hunt.
1039
1040         Use the caller frame returned from slow_path_call_arityCheck to process exceptions.
1041
1042         * llint/LowLevelInterpreter32_64.asm:
1043         * llint/LowLevelInterpreter64.asm:
1044
1045 2013-10-22  Filip Pizlo  <fpizlo@apple.com>
1046
1047         FTL should be able to do some simple inline caches using LLVM patchpoints
1048         https://bugs.webkit.org/show_bug.cgi?id=123164
1049
1050         Reviewed by Mark Hahnenberg.
1051         
1052         This implements GetById inline caches in the FTL using llvm.webkit.patchpoint.
1053         
1054         The idea is that we ask LLVM for a nop slide the size of a GetById inline
1055         cache and then fill in the code after LLVM compilation is complete. For now, we
1056         just use the system calling convention for the arguments and return. We also
1057         still make some assumptions about registers that aren't correct. But, most of
1058         the scaffolding is there and this will successfully patch an inline cache.
1059
1060         * JavaScriptCore.xcodeproj/project.pbxproj:
1061         * assembler/AbstractMacroAssembler.h:
1062         * assembler/LinkBuffer.cpp:
1063         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
1064         (JSC::LinkBuffer::linkCode):
1065         (JSC::LinkBuffer::allocate):
1066         * assembler/LinkBuffer.h:
1067         (JSC::LinkBuffer::LinkBuffer):
1068         (JSC::LinkBuffer::link):
1069         * ftl/FTLAbbreviations.h:
1070         (JSC::FTL::constNull):
1071         (JSC::FTL::buildCall):
1072         * ftl/FTLCapabilities.cpp:
1073         (JSC::FTL::canCompile):
1074         * ftl/FTLCompile.cpp:
1075         (JSC::FTL::fixFunctionBasedOnStackMaps):
1076         * ftl/FTLInlineCacheDescriptor.h: Added.
1077         (JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
1078         (JSC::FTL::GetByIdDescriptor::GetByIdDescriptor):
1079         (JSC::FTL::GetByIdDescriptor::stackmapID):
1080         (JSC::FTL::GetByIdDescriptor::codeOrigin):
1081         (JSC::FTL::GetByIdDescriptor::uid):
1082         * ftl/FTLInlineCacheSize.cpp: Added.
1083         (JSC::FTL::sizeOfGetById):
1084         (JSC::FTL::sizeOfPutById):
1085         * ftl/FTLInlineCacheSize.h: Added.
1086         * ftl/FTLIntrinsicRepository.h:
1087         * ftl/FTLJITFinalizer.cpp:
1088         (JSC::FTL::JITFinalizer::finalizeFunction):
1089         * ftl/FTLJITFinalizer.h:
1090         * ftl/FTLLocation.cpp:
1091         (JSC::FTL::Location::directGPR):
1092         * ftl/FTLLocation.h:
1093         * ftl/FTLLowerDFGToLLVM.cpp:
1094         (JSC::FTL::LowerDFGToLLVM::compileGetById):
1095         * ftl/FTLOutput.h:
1096         (JSC::FTL::Output::call):
1097         * ftl/FTLSlowPathCall.cpp: Added.
1098         (JSC::FTL::callOperation):
1099         * ftl/FTLSlowPathCall.h: Added.
1100         (JSC::FTL::SlowPathCall::SlowPathCall):
1101         (JSC::FTL::SlowPathCall::call):
1102         (JSC::FTL::SlowPathCall::key):
1103         * ftl/FTLSlowPathCallKey.cpp: Added.
1104         (JSC::FTL::SlowPathCallKey::dump):
1105         * ftl/FTLSlowPathCallKey.h: Added.
1106         (JSC::FTL::SlowPathCallKey::SlowPathCallKey):
1107         (JSC::FTL::SlowPathCallKey::usedRegisters):
1108         (JSC::FTL::SlowPathCallKey::callTarget):
1109         (JSC::FTL::SlowPathCallKey::offset):
1110         (JSC::FTL::SlowPathCallKey::isEmptyValue):
1111         (JSC::FTL::SlowPathCallKey::isDeletedValue):
1112         (JSC::FTL::SlowPathCallKey::operator==):
1113         (JSC::FTL::SlowPathCallKey::hash):
1114         (JSC::FTL::SlowPathCallKeyHash::hash):
1115         (JSC::FTL::SlowPathCallKeyHash::equal):
1116         * ftl/FTLStackMaps.cpp:
1117         (JSC::FTL::StackMaps::Location::directGPR):
1118         * ftl/FTLStackMaps.h:
1119         * ftl/FTLState.h:
1120         * ftl/FTLThunks.cpp:
1121         (JSC::FTL::slowPathCallThunkGenerator):
1122         * ftl/FTLThunks.h:
1123         (JSC::FTL::Thunks::getSlowPathCallThunk):
1124         * jit/CCallHelpers.h:
1125         (JSC::CCallHelpers::setupArguments):
1126         * jit/GPRInfo.h:
1127         * jit/JITInlineCacheGenerator.cpp:
1128         (JSC::garbageStubInfo):
1129         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
1130         (JSC::JITByIdGenerator::finalize):
1131         * jit/JITInlineCacheGenerator.h:
1132         (JSC::JITByIdGenerator::slowPathBegin):
1133         * jit/RegisterSet.cpp:
1134         (JSC::RegisterSet::stackRegisters):
1135         (JSC::RegisterSet::specialRegisters):
1136         (JSC::RegisterSet::calleeSaveRegisters):
1137         (JSC::RegisterSet::allGPRs):
1138         (JSC::RegisterSet::allFPRs):
1139         (JSC::RegisterSet::allRegisters):
1140         (JSC::RegisterSet::dump):
1141         * jit/RegisterSet.h:
1142         (JSC::RegisterSet::exclude):
1143         (JSC::RegisterSet::numberOfSetRegisters):
1144         (JSC::RegisterSet::RegisterSet):
1145         (JSC::RegisterSet::isEmptyValue):
1146         (JSC::RegisterSet::isDeletedValue):
1147         (JSC::RegisterSet::operator==):
1148         (JSC::RegisterSet::hash):
1149         (JSC::RegisterSetHash::hash):
1150         (JSC::RegisterSetHash::equal):
1151         * runtime/Options.h:
1152
1153 2013-10-22  Filip Pizlo  <fpizlo@apple.com>
1154
1155         jitCompileAndSetHeuristics should DeferGCForAWhile
1156         https://bugs.webkit.org/show_bug.cgi?id=123196
1157
1158         Reviewed by Mark Hahnenberg.
1159         
1160         This fixes random crashes in V8v7/raytrace. I only see those crashes on exactly one of
1161         my machines. I don't think this is testable; we just need to steadily converge towards
1162         getting our uses of DeferGC to be right and then be careful not to regress. We're not
1163         there yet, obviously.
1164         
1165         * llint/LLIntSlowPaths.cpp:
1166         (JSC::LLInt::jitCompileAndSetHeuristics):
1167
1168 2013-10-23  Daniel Bates  <dabates@apple.com>
1169
1170         [iOS] Upstream more JavaScriptCore build configuration changes
1171         https://bugs.webkit.org/show_bug.cgi?id=123169
1172
1173         Reviewed by David Kilzer.
1174
1175         * Configurations/Base.xcconfig:
1176         * Configurations/Version.xcconfig:
1177         * Configurations/iOS.xcconfig: Added.
1178         * JavaScriptCore.xcodeproj/project.pbxproj:
1179
1180 2013-10-23  Daniel Bates  <dabates@apple.com>
1181
1182         [iOS] Export DefaultGCActivityCallback member functions
1183         https://bugs.webkit.org/show_bug.cgi?id=123175
1184
1185         Reviewed by David Kilzer.
1186
1187         * runtime/GCActivityCallback.h:
1188
1189 2013-10-23  Daniel Bates  <dabates@apple.com>
1190
1191         [iOS] Upstream more ARMv7s bits
1192         https://bugs.webkit.org/show_bug.cgi?id=123052
1193
1194         Reviewed by Joseph Pecoraro.
1195
1196         * Configurations/JavaScriptCore.xcconfig:
1197
1198 2013-10-22  Andreas Kling  <akling@apple.com>
1199
1200         Minor VM* -> VM& cleanups in HashTable and Keywords.
1201         <https://webkit.org/b/123183>
1202
1203         Turn some VM* variables that will never be null into VM&.
1204
1205         Reviewed by Geoffrey Garen.
1206
1207 2013-10-22  Geoffrey Garen  <ggaren@apple.com>
1208
1209         REGRESSION: `if (false === (true && undefined)) console.log("wrong!");` logs "wrong!", shouldn't!
1210         https://bugs.webkit.org/show_bug.cgi?id=123179
1211
1212         Reviewed by Mark Hahnenberg.
1213
1214         * parser/NodeConstructors.h:
1215         (JSC::LogicalOpNode::LogicalOpNode):
1216         * parser/ResultType.h:
1217         (JSC::ResultType::forLogicalOp): Don't assume that && produces a boolean.
1218         This is JavaScript (aka Sparta).
1219
1220 2013-10-22  Commit Queue  <commit-queue@webkit.org>
1221
1222         Unreviewed, rolling out r157819.
1223         http://trac.webkit.org/changeset/157819
1224         https://bugs.webkit.org/show_bug.cgi?id=123180
1225
1226         Broke 32-bit builds (Requested by smfr on #webkit).
1227
1228         * Configurations/JavaScriptCore.xcconfig:
1229         * Configurations/ToolExecutable.xcconfig:
1230
1231 2013-10-22  Daniel Bates  <dabates@apple.com>
1232
1233         [iOS] Upstream more ARMv7s bits
1234         https://bugs.webkit.org/show_bug.cgi?id=123052
1235
1236         Reviewed by Joseph Pecoraro.
1237
1238         * Configurations/JavaScriptCore.xcconfig:
1239         * Configurations/ToolExecutable.xcconfig: Enable CLANG_ENABLE_OBJC_ARC for i386 as I'm
1240         modifying a file in JavaScriptCore/Configurations.
1241
1242 2013-10-22  Daniel Bates  <dabates@apple.com>
1243
1244         [iOS] Upstream JSLock changes
1245         https://bugs.webkit.org/show_bug.cgi?id=123107
1246
1247         Reviewed by Geoffrey Garen.
1248
1249         * runtime/JSLock.cpp:
1250         (JSC::JSLock::unlock):
1251         (JSC::JSLock::dropAllLocks): Modified to take a SpinLock, used only on iOS.
1252         (JSC::JSLock::dropAllLocksUnconditionally): Modified to take a SpinLock, used only on iOS. Also
1253         use pre-increment instead of post-increment when we're not using the return value of the instruction.
1254         (JSC::JSLock::grabAllLocks): Modified to take a SpinLock, used only on iOS. Also change
1255         places where we were using post-increment/post-decrement to use pre-increment/pre-decrement,
1256         since we don't use the return value of such instructions.
1257         (JSC::JSLock::DropAllLocks::DropAllLocks): Modified to support releasing all locks unconditionally.
1258         Take a spin lock before releasing all locks on iOS. Also, use nullptr instead of 0.
1259         (JSC::JSLock::DropAllLocks::~DropAllLocks): Take a spin lock before acquiring all locks on iOS.
1260         * runtime/JSLock.h: Remove extraneous argument name "exec" from DropAllLocks as the data type of
1261         the argument is sufficiently descriptive of its purpose.
1262
1263 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1264
1265         [arm] Add missing setupArgumentsWithExecState() prototypes to fix build.
1266         https://bugs.webkit.org/show_bug.cgi?id=123166
1267
1268         Reviewed by Michael Saboff.
1269
1270         * jit/CCallHelpers.h:
1271         (JSC::CCallHelpers::setupArgumentsWithExecState):
1272
1273 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1274
1275         [sh4][mips][arm] Fix crashes in JSC (32-bit only).
1276         https://bugs.webkit.org/show_bug.cgi?id=123165
1277
1278         Reviewed by Michael Saboff.
1279
1280         * jit/JITInlines.h:
1281         (JSC::JIT::callOperationNoExceptionCheck): Add missing EABI_32BIT_DUMMY_ARG.
1282         (JSC::JIT::callOperation): The last TrustedImm32(arg3) is a bit overkill for SH4 :)
1283         (JSC::JIT::callOperation): Add missing EABI_32BIT_DUMMY_ARG.
1284         (JSC::JIT::callOperation): Fix tag and payload order for V_JITOperation_EJJJ prototype.
1285
1286 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1287
1288         REGRESSION(r157690, r157699) Fix architectures using AssemblerBufferWithConstantPool.
1289         https://bugs.webkit.org/show_bug.cgi?id=123092
1290
1291         Reviewed by Michael Saboff.
1292
1293         Impacted architectures are SH4 and ARM_TRADITIONAL.
1294
1295         * assembler/ARMAssembler.h:
1296         (JSC::ARMAssembler::buffer):
1297         * assembler/AssemblerBufferWithConstantPool.h:
1298         (JSC::AssemblerBufferWithConstantPool::flushConstantPool):
1299         * assembler/LinkBuffer.cpp:
1300         (JSC::LinkBuffer::linkCode):
1301         * assembler/SH4Assembler.h:
1302         (JSC::SH4Assembler::buffer):
1303
1304 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1305
1306         Remove unused stuff in JIT stubs.
1307         https://bugs.webkit.org/show_bug.cgi?id=123155
1308
1309         Reviewed by Michael Saboff.
1310
1311         * jit/JITStubs.h:
1312         * jit/JITStubsARM.h:
1313         (JSC::ctiTrampoline):
1314         * jit/JITStubsARM64.h:
1315         * jit/JITStubsARMv7.h:
1316         * jit/JITStubsMIPS.h:
1317         * jit/JITStubsSH4.h:
1318         * jit/JITStubsX86.h:
1319         * jit/JITStubsX86_64.h:
1320
1321 2013-10-22  Daniel Bates  <dabates@apple.com>
1322
1323         [iOS] Upstream OS-version-specific install paths for JavaScriptCore.framework
1324         https://bugs.webkit.org/show_bug.cgi?id=123115
1325         <rdar://problem/13696872>
1326
1327         Reviewed by Andy Estes.
1328
1329         Based on a patch by Mark Hahnenberg.
1330
1331         Add support for running JavaScriptCore-based apps, built against the iOS 7 SDK, on older versions of iOS.
1332
1333         * API/JSBase.cpp:
1334
1335 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1336
1337         [sh4] Add missing lastRegister(), firstFPRegister() and lastFPRegister(). 
1338         https://bugs.webkit.org/show_bug.cgi?id=123157
1339
1340         Reviewed by Andreas Kling.
1341
1342         * assembler/SH4Assembler.h:
1343         (JSC::SH4Assembler::lastRegister):
1344         (JSC::SH4Assembler::firstFPRegister):
1345         (JSC::SH4Assembler::lastFPRegister):
1346
1347 2013-10-22  Brian Holt  <brian.holt@samsung.com>
1348
1349         Build break on ARMv7 after r157209
1350         https://bugs.webkit.org/show_bug.cgi?id=122890
1351
1352         Reviewed by Csaba Osztrogonác.
1353
1354         Add framePointerRegister and first/last register helpers for ARM_TRADITIONAL.
1355
1356         * assembler/ARMAssembler.h:
1357         * assembler/MacroAssemblerARM.h:
1358         (JSC::MacroAssemblerARM::firstRegister):
1359         (JSC::MacroAssemblerARM::lastRegister):
1360         (JSC::MacroAssemblerARM::firstFPRegister):
1361         (JSC::MacroAssemblerARM::lastFPRegister):
1362
1363 2013-10-21  Daniel Bates  <dabates@apple.com>
1364
1365         [iOS] Upstream JSGlobalObject::shouldInterruptScriptBeforeTimeout()
1366         https://bugs.webkit.org/show_bug.cgi?id=123045
1367
1368         Reviewed by Joseph Pecoraro.
1369
1370         * jsc.cpp: Add function pointer for shouldInterruptScriptBeforeTimeout
1371         to global method table.
1372         * runtime/JSGlobalObject.cpp: Ditto.
1373         * runtime/JSGlobalObject.h:
1374         (JSC::JSGlobalObject::shouldInterruptScriptBeforeTimeout): Added.
1375
1376 2013-10-21  Daniel Bates  <dabates@apple.com>
1377
1378         [iOS] Upstream JSC Objective-C API compiler warning fixes
1379         https://bugs.webkit.org/show_bug.cgi?id=123125
1380
1381         Reviewed by Mark Hahnenberg.
1382
1383         Based on a patch by Mark Hahnenberg.
1384
1385         * API/JSValue.mm:
1386         (-[JSValue toPoint]): Cast to CGFloat to fix some compiler warnings about double narrowing to float.
1387         (-[JSValue toSize]): Ditto.
1388         * API/tests/testapi.mm: Changed a test that was failing due to overflow of 32-bit NSUInteger on armv7.
1389
1390 2013-10-21  Daniel Bates  <dabates@apple.com>
1391
1392         [iOS] Mark classes JS{Context, ManagedValue, Value, VirtualMachine} as
1393         available since iOS 7.0
1394         https://bugs.webkit.org/show_bug.cgi?id=123122
1395
1396         Reviewed by Dan Bernstein.
1397
1398         * API/JSContext.h:
1399         * API/JSManagedValue.h:
1400         * API/JSValue.h:
1401         * API/JSVirtualMachine.h:
1402
1403 2013-10-20  Mark Lam  <mark.lam@apple.com>
1404
1405         Avoid JSC debugger overhead unless needed.
1406         https://bugs.webkit.org/show_bug.cgi?id=123084.
1407
1408         Reviewed by Geoffrey Garen.
1409
1410         - If no breakpoints are set, we now avoid calling the debug hook callbacks.
1411         - If no break on exception is set, we also avoid exception event debug callbacks.
1412         - When we return from the ScriptDebugServer to the JSC::Debugger, we may no
1413           longer call the debug hook callbacks if not needed. Hence, the m_currentCallFrame
1414           pointer in the ScriptDebugServer may become stale. To avoid this issue, before
1415           returning, the ScriptDebugServer will clear its m_currentCallFrame if
1416           needsOpDebugCallbacks() is false.
1417
1418         * debugger/Debugger.cpp:
1419         (JSC::Debugger::Debugger):
1420         (JSC::Debugger::setNeedsExceptionCallbacks):
1421         (JSC::Debugger::setShouldPause):
1422         (JSC::Debugger::updateNumberOfBreakpoints):
1423         (JSC::Debugger::updateNeedForOpDebugCallbacks):
1424         * debugger/Debugger.h:
1425         * interpreter/Interpreter.cpp:
1426         (JSC::Interpreter::unwind):
1427         (JSC::Interpreter::debug):
1428         * jit/JITOpcodes.cpp:
1429         (JSC::JIT::emit_op_debug):
1430         * jit/JITOpcodes32_64.cpp:
1431         (JSC::JIT::emit_op_debug):
1432         * llint/LLIntOffsetsExtractor.cpp:
1433         * llint/LowLevelInterpreter.asm:
1434
1435 2013-10-21  Brent Fulgham  <bfulgham@apple.com>
1436
1437         [WIN] Unreviewed build correction.
1438
1439         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Handle new JIT files as C++ implementation
1440           sources, not header files.
1441         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
1442
1443 2013-10-21  Oliver Hunt  <oliver@apple.com>
1444
1445         Support computed property names in object literals
1446         https://bugs.webkit.org/show_bug.cgi?id=123112
1447
1448         Reviewed by Michael Saboff.
1449
1450         Add support for computed property names to the parser.
1451
1452         * bytecompiler/NodesCodegen.cpp:
1453         (JSC::PropertyListNode::emitBytecode):
1454         * parser/ASTBuilder.h:
1455         (JSC::ASTBuilder::createProperty):
1456         (JSC::ASTBuilder::getName):
1457         * parser/NodeConstructors.h:
1458         (JSC::PropertyNode::PropertyNode):
1459         * parser/Nodes.h:
1460         (JSC::PropertyNode::expressionName):
1461         (JSC::PropertyNode::name):
1462         * parser/Parser.cpp:
1463         (JSC::::parseProperty):
1464         (JSC::::parseStrictObjectLiteral):
1465         * parser/SyntaxChecker.h:
1466         (JSC::SyntaxChecker::Property::Property):
1467         (JSC::SyntaxChecker::createProperty):
1468         (JSC::SyntaxChecker::operatorStackPop):
1469
1470 2013-10-21  Michael Saboff  <msaboff@apple.com>
1471
1472         Add option so that JSC will crash if it can't allocate executable memory for the JITs
1473         https://bugs.webkit.org/show_bug.cgi?id=123048
1474         <rdar://problem/12856193>
1475
1476         Reviewed by Geoffrey Garen.
1477
1478         Added new option, called crashIfCantAllocateJITMemory. If this option is true then we crash
1479         when checking the validity of the executable allocator. The default value for this option is
1480         false, but jsc sets it to true when built for iOS to make it straightforward to identify whether
1481         the app can obtain executable memory.
1482
1483         * jsc.cpp: Explicitly enable crashIfCantAllocateJITMemory on iOS.
1484         (main):
1485         * runtime/Options.h: Added option crashIfCantAllocateJITMemory.
1486         * runtime/VM.cpp:
1487         (JSC::enableAssembler): Modified to crash if option crashIfCantAllocateJITMemory
1488         is enabled.
1489
1490 2013-10-21  Nadav Rotem  <nrotem@apple.com>
1491
1492         Remove AllInOneFile.cpp
1493         https://bugs.webkit.org/show_bug.cgi?id=123055
1494
1495         Reviewed by Csaba Osztrogonác.
1496
1497         * AllInOneFile.cpp: Removed.
1498
1499 2013-10-20  Filip Pizlo  <fpizlo@apple.com>
1500
1501         Unreviewed, cleanup a FIXME comment.
1502
1503         * jit/Repatch.cpp:
1504
1505 2013-10-20  Filip Pizlo  <fpizlo@apple.com>
1506
1507         StructureStubInfo's usedRegisters set should be able to track all registers, not just the ones that our JIT's view as temporaries
1508         https://bugs.webkit.org/show_bug.cgi?id=123076
1509
1510         Reviewed by Sam Weinig.
1511         
1512         Start preparing for a world in which we are patching code generated by LLVM, which may have
1513         very different register usage conventions than our JITs. This requires us being more explicit
1514         about the registers we are using. For example, the repatching code shouldn't take for granted
1515         that tagMaskRegister holds the TagMask or that the register is even in use.
1516
1517         * CMakeLists.txt:
1518         * GNUmakefile.list.am:
1519         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1520         * JavaScriptCore.xcodeproj/project.pbxproj:
1521         * assembler/MacroAssembler.h:
1522         (JSC::MacroAssembler::numberOfRegisters):
1523         (JSC::MacroAssembler::registerIndex):
1524         (JSC::MacroAssembler::numberOfFPRegisters):
1525         (JSC::MacroAssembler::fpRegisterIndex):
1526         (JSC::MacroAssembler::totalNumberOfRegisters):
1527         * bytecode/StructureStubInfo.h:
1528         * dfg/DFGSpeculativeJIT.cpp:
1529         (JSC::DFG::SpeculativeJIT::usedRegisters):
1530         * dfg/DFGSpeculativeJIT.h:
1531         * ftl/FTLSaveRestore.cpp:
1532         (JSC::FTL::bytesForGPRs):
1533         (JSC::FTL::bytesForFPRs):
1534         (JSC::FTL::offsetOfGPR):
1535         (JSC::FTL::offsetOfFPR):
1536         * jit/JITInlineCacheGenerator.cpp:
1537         (JSC::JITByIdGenerator::JITByIdGenerator):
1538         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1539         * jit/JITInlineCacheGenerator.h:
1540         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1541         * jit/JITPropertyAccess.cpp:
1542         (JSC::JIT::emit_op_get_by_id):
1543         (JSC::JIT::emit_op_put_by_id):
1544         * jit/JITPropertyAccess32_64.cpp:
1545         (JSC::JIT::emit_op_get_by_id):
1546         (JSC::JIT::emit_op_put_by_id):
1547         * jit/RegisterSet.cpp: Added.
1548         (JSC::RegisterSet::specialRegisters):
1549         * jit/RegisterSet.h: Added.
1550         (JSC::RegisterSet::RegisterSet):
1551         (JSC::RegisterSet::set):
1552         (JSC::RegisterSet::clear):
1553         (JSC::RegisterSet::get):
1554         (JSC::RegisterSet::merge):
1555         * jit/Repatch.cpp:
1556         (JSC::generateProtoChainAccessStub):
1557         (JSC::tryCacheGetByID):
1558         (JSC::tryBuildGetByIDList):
1559         (JSC::emitPutReplaceStub):
1560         (JSC::tryRepatchIn):
1561         (JSC::linkClosureCall):
1562         * jit/TempRegisterSet.cpp: Added.
1563         (JSC::TempRegisterSet::TempRegisterSet):
1564         * jit/TempRegisterSet.h:
1565
1566 2013-10-20  Julien Brianceau  <jbriance@cisco.com>
1567
1568         [sh4] Fix build (broken since r157690).
1569         https://bugs.webkit.org/show_bug.cgi?id=123081
1570
1571         Reviewed by Andreas Kling.
1572
1573         * assembler/AssemblerBufferWithConstantPool.h:
1574         * assembler/SH4Assembler.h:
1575         (JSC::SH4Assembler::buffer):
1576         (JSC::SH4Assembler::readCallTarget):
1577
1578 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
1579
1580         Simplify TempRegisterSet - it no longer needs to be convertible to a POD since it's no longer going to be a member of a union
1581         https://bugs.webkit.org/show_bug.cgi?id=123079
1582
1583         Reviewed by Geoffrey Garen.
1584
1585         * jit/TempRegisterSet.h:
1586
1587 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
1588
1589         Rename RegisterSet to TempRegisterSet
1590         https://bugs.webkit.org/show_bug.cgi?id=123077
1591
1592         Reviewed by Dan Bernstein.
1593
1594         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1595         * JavaScriptCore.xcodeproj/project.pbxproj:
1596         * bytecode/StructureStubInfo.h:
1597         * dfg/DFGJITCompiler.h:
1598         * dfg/DFGSpeculativeJIT.h:
1599         (JSC::DFG::SpeculativeJIT::usedRegisters):
1600         * jit/JITInlineCacheGenerator.cpp:
1601         (JSC::JITByIdGenerator::JITByIdGenerator):
1602         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1603         * jit/JITInlineCacheGenerator.h:
1604         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1605         * jit/JITPropertyAccess.cpp:
1606         (JSC::JIT::emit_op_get_by_id):
1607         (JSC::JIT::emit_op_put_by_id):
1608         * jit/JITPropertyAccess32_64.cpp:
1609         (JSC::JIT::emit_op_get_by_id):
1610         (JSC::JIT::emit_op_put_by_id):
1611         * jit/RegisterSet.h: Removed.
1612         * jit/ScratchRegisterAllocator.h:
1613         (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
1614         * jit/TempRegisterSet.h: Copied from Source/JavaScriptCore/jit/RegisterSet.h.
1615         (JSC::TempRegisterSet::TempRegisterSet):
1616         (JSC::TempRegisterSet::asPOD):
1617         (JSC::TempRegisterSet::copyInfo):
1618
1619 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
1620
1621         Restructure LinkBuffer to allow for alternate allocation strategies
1622         https://bugs.webkit.org/show_bug.cgi?id=123071
1623
1624         Reviewed by Oliver Hunt.
1625         
1626         The idea is to eventually allow a LinkBuffer to place the code into an already
1627         allocated region of memory.  That region of memory could be the nop-slide left behind
1628         by a llvm.webkit.patchpoint.
1629
1630         * assembler/ARM64Assembler.h:
1631         (JSC::ARM64Assembler::buffer):
1632         * assembler/AssemblerBuffer.h:
1633         * assembler/LinkBuffer.cpp:
1634         (JSC::LinkBuffer::copyCompactAndLinkCode):
1635         (JSC::LinkBuffer::linkCode):
1636         (JSC::LinkBuffer::allocate):
1637         (JSC::LinkBuffer::shrink):
1638         * assembler/LinkBuffer.h:
1639         (JSC::LinkBuffer::LinkBuffer):
1640         (JSC::LinkBuffer::didFailToAllocate):
1641         * assembler/X86Assembler.h:
1642         (JSC::X86Assembler::buffer):
1643         (JSC::X86Assembler::X86InstructionFormatter::memoryModRM):
1644
1645 2013-10-19  Alexey Proskuryakov  <ap@apple.com>
1646
1647         Some includes in JSC seem to use an incorrect style
1648         https://bugs.webkit.org/show_bug.cgi?id=123057
1649
1650         Reviewed by Geoffrey Garen.
1651
1652         Changed pseudo-system includes to user ones.
1653
1654         * API/JSContextRef.cpp:
1655         * API/JSStringRefCF.cpp:
1656         * API/JSValueRef.cpp:
1657         * API/OpaqueJSString.cpp:
1658         * jit/JIT.h:
1659         * parser/SyntaxChecker.h:
1660         * runtime/WeakGCMap.h:
1661
1662 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
1663
1664         Baseline JIT and DFG IC code generation should be unified and rationalized
1665         https://bugs.webkit.org/show_bug.cgi?id=122939
1666
1667         Reviewed by Geoffrey Garen.
1668         
1669         Introduce the JITInlineCacheGenerator, which takes a CodeBlock and a CodeOrigin plus
1670         some register info and creates JIT inline caches for you. Used this to even further
1671         unify the baseline and DFG ICs. In the future we can use this for FTL ICs. And my hope
1672         is that we'll be able to use it for cascading ICs: an IC for some instruction may realize
1673         that it needs to do the equivalent of get_by_id, so with this generator it will be able
1674         to create an IC even though it wasn't associated with a get_by_id bytecode instruction.
1675
1676         * CMakeLists.txt:
1677         * GNUmakefile.list.am:
1678         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1679         * JavaScriptCore.xcodeproj/project.pbxproj:
1680         * assembler/AbstractMacroAssembler.h:
1681         (JSC::AbstractMacroAssembler::DataLabelCompact::label):
1682         * bytecode/CodeBlock.h:
1683         (JSC::CodeBlock::ecmaMode):
1684         * dfg/DFGInlineCacheWrapper.h: Added.
1685         (JSC::DFG::InlineCacheWrapper::InlineCacheWrapper):
1686         * dfg/DFGInlineCacheWrapperInlines.h: Added.
1687         (JSC::DFG::::finalize):
1688         * dfg/DFGJITCompiler.cpp:
1689         (JSC::DFG::JITCompiler::link):
1690         * dfg/DFGJITCompiler.h:
1691         (JSC::DFG::JITCompiler::addGetById):
1692         (JSC::DFG::JITCompiler::addPutById):
1693         * dfg/DFGSpeculativeJIT32_64.cpp:
1694         (JSC::DFG::SpeculativeJIT::cachedGetById):
1695         (JSC::DFG::SpeculativeJIT::cachedPutById):
1696         * dfg/DFGSpeculativeJIT64.cpp:
1697         (JSC::DFG::SpeculativeJIT::cachedGetById):
1698         (JSC::DFG::SpeculativeJIT::cachedPutById):
1699         (JSC::DFG::SpeculativeJIT::compile):
1700         * jit/AssemblyHelpers.h:
1701         (JSC::AssemblyHelpers::isStrictModeFor):
1702         (JSC::AssemblyHelpers::strictModeFor):
1703         * jit/GPRInfo.h:
1704         (JSC::JSValueRegs::tagGPR):
1705         * jit/JIT.cpp:
1706         (JSC::JIT::JIT):
1707         (JSC::JIT::privateCompileSlowCases):
1708         (JSC::JIT::privateCompile):
1709         * jit/JIT.h:
1710         * jit/JITInlineCacheGenerator.cpp: Added.
1711         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
1712         (JSC::JITByIdGenerator::JITByIdGenerator):
1713         (JSC::JITByIdGenerator::finalize):
1714         (JSC::JITByIdGenerator::generateFastPathChecks):
1715         (JSC::JITGetByIdGenerator::generateFastPath):
1716         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1717         (JSC::JITPutByIdGenerator::generateFastPath):
1718         (JSC::JITPutByIdGenerator::slowPathFunction):
1719         * jit/JITInlineCacheGenerator.h: Added.
1720         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
1721         (JSC::JITInlineCacheGenerator::stubInfo):
1722         (JSC::JITByIdGenerator::JITByIdGenerator):
1723         (JSC::JITByIdGenerator::reportSlowPathCall):
1724         (JSC::JITByIdGenerator::slowPathJump):
1725         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1726         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1727         * jit/JITPropertyAccess.cpp:
1728         (JSC::JIT::emit_op_get_by_id):
1729         (JSC::JIT::emitSlow_op_get_by_id):
1730         (JSC::JIT::emit_op_put_by_id):
1731         (JSC::JIT::emitSlow_op_put_by_id):
1732         * jit/JITPropertyAccess32_64.cpp:
1733         (JSC::JIT::emit_op_get_by_id):
1734         (JSC::JIT::emitSlow_op_get_by_id):
1735         (JSC::JIT::emit_op_put_by_id):
1736         (JSC::JIT::emitSlow_op_put_by_id):
1737         * jit/RegisterSet.h:
1738         (JSC::RegisterSet::set):
1739
1740 2013-10-19  Alexey Proskuryakov  <ap@apple.com>
1741
1742         APICast.h uses functions from JSCJSValueInlines.h, but doesn't include it
1743         https://bugs.webkit.org/show_bug.cgi?id=123067
1744
1745         Reviewed by Geoffrey Garen.
1746
1747         * API/APICast.h: Include it.
1748
1749 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
1750
1751         FTL::Location should treat the offset as an addend in the case of a Register location
1752         https://bugs.webkit.org/show_bug.cgi?id=123062
1753
1754         Reviewed by Sam Weinig.
1755
1756         * ftl/FTLLocation.cpp:
1757         (JSC::FTL::Location::forStackmaps):
1758         (JSC::FTL::Location::dump):
1759         (JSC::FTL::Location::restoreInto):
1760         * ftl/FTLLocation.h:
1761         (JSC::FTL::Location::forRegister):
1762         (JSC::FTL::Location::hasAddend):
1763         (JSC::FTL::Location::addend):
1764
1765 2013-10-19  Nadav Rotem  <nrotem@apple.com>
1766
1767         DFG dominators: document and rename stuff.
1768         https://bugs.webkit.org/show_bug.cgi?id=123056
1769
1770         Reviewed by Filip Pizlo.
1771
1772         Documented the code and renamed some variables.
1773
1774         * dfg/DFGDominators.cpp:
1775         (JSC::DFG::Dominators::compute):
1776         (JSC::DFG::Dominators::pruneDominators):
1777         * dfg/DFGDominators.h:
1778
1779 2013-10-19  Julien Brianceau  <jbriance@cisco.com>
1780
1781         Fix build failure for architectures with 4 argument registers.
1782         https://bugs.webkit.org/show_bug.cgi?id=123060
1783
1784         Reviewed by Michael Saboff.
1785
1786         Add missing setupArgumentsWithExecState() prototypes for architectures with 4 argument registers.
1787         Remove SH4 specific code no longer needed since callOperation prototype change in r157660.
1788
1789         * dfg/DFGSpeculativeJIT.h:
1790         (JSC::DFG::SpeculativeJIT::callOperation):
1791         * jit/CCallHelpers.h:
1792         (JSC::CCallHelpers::setupArgumentsWithExecState):
1793         * jit/JITInlines.h:
1794         (JSC::JIT::callOperation):
1795
1796 2013-10-18  Filip Pizlo  <fpizlo@apple.com>
1797
1798         Unreviewed, fix FTL build.
1799
1800         * ftl/FTLIntrinsicRepository.h:
1801         * ftl/FTLLowerDFGToLLVM.cpp:
1802         (JSC::FTL::LowerDFGToLLVM::compileGetById):
1803
1804 2013-10-18  Filip Pizlo  <fpizlo@apple.com>
1805
1806         A CodeBlock's StructureStubInfos shouldn't be in a Vector that we search using code origins and machine code PCs
1807         https://bugs.webkit.org/show_bug.cgi?id=122940
1808
1809         Reviewed by Oliver Hunt.
1810         
1811         This accomplishes a number of simplifications. StructureStubInfo is now non-moving,
1812         whereas previously it was in a Vector, so it moved. This allows you to use pointers to
1813         StructureStubInfo. This also eliminates the use of return PC as a way of finding the
1814         StructureStubInfo's. It removes some of the need for the compile-time property access
1815         records; for example the DFG no longer has to save information about registers in a
1816         property access record only to later save it to the stub info.
1817         
1818         The main thing it accomplishes is that it makes it easier to add StructureStubInfo's
1819         at any stage of compilation.
1820
1821         * bytecode/CodeBlock.cpp:
1822         (JSC::CodeBlock::printGetByIdCacheStatus):
1823         (JSC::CodeBlock::dumpBytecode):
1824         (JSC::CodeBlock::~CodeBlock):
1825         (JSC::CodeBlock::propagateTransitions):
1826         (JSC::CodeBlock::finalizeUnconditionally):
1827         (JSC::CodeBlock::addStubInfo):
1828         (JSC::CodeBlock::getStubInfoMap):
1829         (JSC::CodeBlock::shrinkToFit):
1830         * bytecode/CodeBlock.h:
1831         (JSC::CodeBlock::begin):
1832         (JSC::CodeBlock::end):
1833         (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
1834         * bytecode/CodeOrigin.h:
1835         (JSC::CodeOrigin::CodeOrigin):
1836         (JSC::CodeOrigin::isHashTableDeletedValue):
1837         (JSC::CodeOrigin::hash):
1838         (JSC::CodeOriginHash::hash):
1839         (JSC::CodeOriginHash::equal):
1840         * bytecode/GetByIdStatus.cpp:
1841         (JSC::GetByIdStatus::computeFor):
1842         * bytecode/GetByIdStatus.h:
1843         * bytecode/PutByIdStatus.cpp:
1844         (JSC::PutByIdStatus::computeFor):
1845         * bytecode/PutByIdStatus.h:
1846         * bytecode/StructureStubInfo.h:
1847         (JSC::getStructureStubInfoCodeOrigin):
1848         * dfg/DFGByteCodeParser.cpp:
1849         (JSC::DFG::ByteCodeParser::parseBlock):
1850         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1851         * dfg/DFGJITCompiler.cpp:
1852         (JSC::DFG::JITCompiler::link):
1853         * dfg/DFGJITCompiler.h:
1854         (JSC::DFG::PropertyAccessRecord::PropertyAccessRecord):
1855         (JSC::DFG::InRecord::InRecord):
1856         * dfg/DFGSpeculativeJIT.cpp:
1857         (JSC::DFG::SpeculativeJIT::compileIn):
1858         * dfg/DFGSpeculativeJIT.h:
1859         (JSC::DFG::SpeculativeJIT::callOperation):
1860         * dfg/DFGSpeculativeJIT32_64.cpp:
1861         (JSC::DFG::SpeculativeJIT::cachedGetById):
1862         (JSC::DFG::SpeculativeJIT::cachedPutById):
1863         * dfg/DFGSpeculativeJIT64.cpp:
1864         (JSC::DFG::SpeculativeJIT::cachedGetById):
1865         (JSC::DFG::SpeculativeJIT::cachedPutById):
1866         * jit/CCallHelpers.h:
1867         (JSC::CCallHelpers::setupArgumentsWithExecState):
1868         * jit/JIT.cpp:
1869         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
1870         (JSC::JIT::privateCompile):
1871         * jit/JIT.h:
1872         (JSC::PropertyStubCompilationInfo::slowCaseInfo):
1873         * jit/JITInlines.h:
1874         (JSC::JIT::callOperation):
1875         * jit/JITOperations.cpp:
1876         * jit/JITOperations.h:
1877         * jit/JITPropertyAccess.cpp:
1878         (JSC::JIT::emitSlow_op_get_by_id):
1879         (JSC::JIT::emitSlow_op_put_by_id):
1880         * jit/JITPropertyAccess32_64.cpp:
1881         (JSC::JIT::emitSlow_op_get_by_id):
1882         (JSC::JIT::emitSlow_op_put_by_id):
1883         * jit/Repatch.cpp:
1884         (JSC::appropriateGenericPutByIdFunction):
1885         (JSC::appropriateListBuildingPutByIdFunction):
1886         (JSC::resetPutByID):
1887
1888 2013-10-18  Oliver Hunt  <oliver@apple.com>
1889
1890         Spread operator should be performing direct "puts" and not triggering setters
1891         https://bugs.webkit.org/show_bug.cgi?id=123047
1892
1893         Reviewed by Geoffrey Garen.
1894
1895         Add a new opcode -- op_put_by_val_direct -- and make use of it in the spread
1896         to array construct.  This required a new PutByValDirect node to be introduced to
1897         the DFG.  The current implementation simply changes the slow path function that
1898         is called, but in future this could be made faster as it does not need to check
1899         the prototype chain.
1900
1901         * bytecode/CodeBlock.cpp:
1902         (JSC::CodeBlock::dumpBytecode):
1903         (JSC::CodeBlock::CodeBlock):
1904         * bytecode/Opcode.h:
1905         (JSC::padOpcodeName):
1906         * bytecompiler/BytecodeGenerator.cpp:
1907         (JSC::BytecodeGenerator::emitDirectPutByVal):
1908         * bytecompiler/BytecodeGenerator.h:
1909         * bytecompiler/NodesCodegen.cpp:
1910         (JSC::ArrayNode::emitBytecode):
1911         * dfg/DFGAbstractInterpreterInlines.h:
1912         (JSC::DFG::::executeEffects):
1913         * dfg/DFGBackwardsPropagationPhase.cpp:
1914         (JSC::DFG::BackwardsPropagationPhase::propagate):
1915         * dfg/DFGByteCodeParser.cpp:
1916         (JSC::DFG::ByteCodeParser::parseBlock):
1917         * dfg/DFGCSEPhase.cpp:
1918         (JSC::DFG::CSEPhase::getArrayLengthElimination):
1919         (JSC::DFG::CSEPhase::getByValLoadElimination):
1920         (JSC::DFG::CSEPhase::checkStructureElimination):
1921         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
1922         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
1923         (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
1924         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
1925         (JSC::DFG::CSEPhase::performNodeCSE):
1926         * dfg/DFGCapabilities.cpp:
1927         (JSC::DFG::capabilityLevel):
1928         * dfg/DFGClobberize.h:
1929         (JSC::DFG::clobberize):
1930         * dfg/DFGFixupPhase.cpp:
1931         (JSC::DFG::FixupPhase::fixupNode):
1932         * dfg/DFGGraph.h:
1933         (JSC::DFG::Graph::clobbersWorld):
1934         * dfg/DFGNode.h:
1935         (JSC::DFG::Node::hasArrayMode):
1936         * dfg/DFGNodeType.h:
1937         * dfg/DFGOperations.cpp:
1938         (JSC::DFG::putByVal):
1939         (JSC::DFG::operationPutByValInternal):
1940         * dfg/DFGOperations.h:
1941         * dfg/DFGPredictionPropagationPhase.cpp:
1942         (JSC::DFG::PredictionPropagationPhase::propagate):
1943         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
1944         * dfg/DFGSafeToExecute.h:
1945         (JSC::DFG::safeToExecute):
1946         * dfg/DFGSpeculativeJIT32_64.cpp:
1947         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
1948         (JSC::DFG::SpeculativeJIT::compile):
1949         * dfg/DFGSpeculativeJIT64.cpp:
1950         (JSC::DFG::SpeculativeJIT::compile):
1951         * dfg/DFGTypeCheckHoistingPhase.cpp:
1952         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
1953         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
1954         * jit/JIT.cpp:
1955         (JSC::JIT::privateCompileMainPass):
1956         (JSC::JIT::privateCompileSlowCases):
1957         * jit/JIT.h:
1958         (JSC::JIT::compileDirectPutByVal):
1959         * jit/JITOperations.cpp:
1960         * jit/JITOperations.h:
1961         * jit/JITPropertyAccess.cpp:
1962         (JSC::JIT::emitSlow_op_put_by_val):
1963         (JSC::JIT::privateCompilePutByVal):
1964         * jit/JITPropertyAccess32_64.cpp:
1965         (JSC::JIT::emitSlow_op_put_by_val):
1966         * llint/LLIntSlowPaths.cpp:
1967         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1968         * llint/LLIntSlowPaths.h:
1969         * llint/LowLevelInterpreter32_64.asm:
1970         * llint/LowLevelInterpreter64.asm:
1971
1972 2013-10-18  Daniel Bates  <dabates@apple.com>
1973
1974         [iOS] Export symbol for VM::sharedInstanceExists()
1975         https://bugs.webkit.org/show_bug.cgi?id=123046
1976
1977         Reviewed by Mark Hahnenberg.
1978
1979         * runtime/VM.h:
1980
1981 2013-10-18  Daniel Bates  <dabates@apple.com>
1982
1983         [iOS] Upstream WebSafe{GCActivityCallback, IncrementalSweeper}IOS
1984         https://bugs.webkit.org/show_bug.cgi?id=123049
1985
1986         Reviewed by Mark Hahnenberg.
1987
1988         * heap/Heap.cpp:
1989         (JSC::Heap::setIncrementalSweeper):
1990         * heap/Heap.h:
1991         * heap/HeapTimer.h:
1992         * heap/IncrementalSweeper.h: Make protected and export CF-variant of constructor.
1993         Removed unused include of header RetainPtr.h. Also forward declare class MarkedBlock
1994         (we include its header in the .cpp file) and remove include for header wtf/HashSet.h
1995         (duplicates the include in the .cpp).
1996         * heap/MachineStackMarker.h: Export function makeUsableFromMultipleThreads(). We aren't
1997         making use of this now, but we'll make use of it in a subsequent patch.
1998
1999 2013-10-18  Anders Carlsson  <andersca@apple.com>
2000
2001         Remove spaces between template angle brackets
2002         https://bugs.webkit.org/show_bug.cgi?id=123040
2003
2004         Reviewed by Andreas Kling.
2005
2006         * API/JSCallbackObject.cpp:
2007         (JSC::::create):
2008         * API/JSObjectRef.cpp:
2009         * bytecode/CodeBlock.h:
2010         (JSC::CodeBlock::constants):
2011         (JSC::CodeBlock::setConstantRegisters):
2012         * bytecode/DFGExitProfile.h:
2013         * bytecode/EvalCodeCache.h:
2014         * bytecode/Operands.h:
2015         * bytecode/UnlinkedCodeBlock.h:
2016         (JSC::UnlinkedCodeBlock::constantRegisters):
2017         * bytecode/Watchpoint.h:
2018         * bytecompiler/BytecodeGenerator.h:
2019         * bytecompiler/StaticPropertyAnalysis.h:
2020         * bytecompiler/StaticPropertyAnalyzer.h:
2021         * dfg/DFGArgumentsSimplificationPhase.cpp:
2022         * dfg/DFGBlockInsertionSet.h:
2023         * dfg/DFGCSEPhase.cpp:
2024         (JSC::DFG::performCSE):
2025         (JSC::DFG::performStoreElimination):
2026         * dfg/DFGCommonData.h:
2027         * dfg/DFGDesiredStructureChains.h:
2028         * dfg/DFGDesiredWatchpoints.h:
2029         * dfg/DFGJITCompiler.h:
2030         * dfg/DFGOSRExitCompiler32_64.cpp:
2031         (JSC::DFG::OSRExitCompiler::compileExit):
2032         * dfg/DFGOSRExitCompiler64.cpp:
2033         (JSC::DFG::OSRExitCompiler::compileExit):
2034         * dfg/DFGWorklist.h:
2035         * heap/BlockAllocator.h:
2036         (JSC::CopiedBlock):
2037         (JSC::MarkedBlock):
2038         (JSC::WeakBlock):
2039         (JSC::MarkStackSegment):
2040         (JSC::CopyWorkListSegment):
2041         (JSC::HandleBlock):
2042         * heap/Heap.h:
2043         * heap/Local.h:
2044         * heap/MarkedBlock.h:
2045         * heap/Strong.h:
2046         * jit/AssemblyHelpers.cpp:
2047         (JSC::AssemblyHelpers::decodedCodeMapFor):
2048         * jit/AssemblyHelpers.h:
2049         * jit/SpecializedThunkJIT.h:
2050         * parser/Nodes.h:
2051         * parser/Parser.cpp:
2052         (JSC::::parseIfStatement):
2053         * parser/Parser.h:
2054         (JSC::Scope::copyCapturedVariablesToVector):
2055         (JSC::parse):
2056         * parser/ParserArena.h:
2057         * parser/SourceProviderCacheItem.h:
2058         * profiler/LegacyProfiler.cpp:
2059         (JSC::dispatchFunctionToProfiles):
2060         * profiler/LegacyProfiler.h:
2061         (JSC::LegacyProfiler::currentProfiles):
2062         * profiler/ProfileNode.h:
2063         (JSC::ProfileNode::children):
2064         * profiler/ProfilerDatabase.h:
2065         * runtime/Butterfly.h:
2066         (JSC::Butterfly::contiguousInt32):
2067         (JSC::Butterfly::contiguous):
2068         * runtime/GenericTypedArrayViewInlines.h:
2069         (JSC::::create):
2070         * runtime/Identifier.h:
2071         (JSC::Identifier::add):
2072         * runtime/JSPromise.h:
2073         * runtime/PropertyMapHashTable.h:
2074         * runtime/PropertyNameArray.h:
2075         * runtime/RegExpCache.h:
2076         * runtime/SparseArrayValueMap.h:
2077         * runtime/SymbolTable.h:
2078         * runtime/VM.h:
2079         * tools/CodeProfile.cpp:
2080         (JSC::truncateTrace):
2081         * tools/CodeProfile.h:
2082         * yarr/YarrInterpreter.cpp:
2083         * yarr/YarrInterpreter.h:
2084         (JSC::Yarr::BytecodePattern::BytecodePattern):
2085         * yarr/YarrJIT.cpp:
2086         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
2087         (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
2088         (JSC::Yarr::YarrGenerator::opCompileBody):
2089         * yarr/YarrPattern.cpp:
2090         (JSC::Yarr::YarrPatternConstructor::checkForTerminalParentheses):
2091         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
2092         * yarr/YarrPattern.h:
2093
2094 2013-10-18  Mark Lam  <mark.lam@apple.com>
2095
2096         Remove excess reserved space in ctiTrampoline frames for X86 and X86_64.
2097         https://bugs.webkit.org/show_bug.cgi?id=123037.
2098
2099         Reviewed by Geoffrey Garen.
2100
2101         * jit/JITStubsMSVC64.asm:
2102         * jit/JITStubsX86.h:
2103         * jit/JITStubsX86_64.h:
2104
2105 2013-10-18  Filip Pizlo  <fpizlo@apple.com>
2106
2107         Frequent RELEASE_ASSERT crashes in Structure::checkOffsetConsistency on WebGL swizzler tests
2108         https://bugs.webkit.org/show_bug.cgi?id=121661
2109
2110         Reviewed by Mark Hahnenberg.
2111         
2112         This method shouldn't have been called from the concurrent JIT thread. That's hard to prevent
2113         so I added a return-early check using isCompilationThread().
2114         
2115         Here's why this makes sense. Structure has two ways to tell you about the layout of the objects
2116         it is describing: m_offset and the property table. Most structures only have m_offset and report
2117         null for the property table. If the property table is there, it will tell you additional
2118         information and that information subsumes m_offset - but the m_offset is still there. So, when
2119         we have a property table, we have to keep it in sync with the m_offset. There is a bunch of
2120         machinery to do this.
2121         
2122         Changing the property table only happens on the main thread.
2123         
2124         Because the machinery to change the property table is so complex, especially with respect to
2125         keeping it in sync with m_offset, we have the checkOffsetConsistency method. It's meant to be
2126         called at key points before and after changes to the property table or the offset.
2127
2128         Most clients of Structure who care about object layout, including the concurrent thread, will
2129         want to know m_offset and not the property table. If they want the property table, they will
2130         already be super careful. The concurrent thread has special methods for this, like
2131         Structure::getConcurrently(), which uses fine-grained locking to ensure that it sees a coherent
2132         view of the property table.
2133         
2134         Adding locking to checkOffsetConsistency() is probably a bad idea since that method may be
2135         called when the relevant lock is already held. So, we'd have awkward recursive locking issues.
2136         
2137         But right now, the concurrent JIT thread may call a method, like Structure::outOfLineCapacity(),
2138         which has a call to checkOffsetConsistency(). The call to checkOffsetConsistency() is there
2139         because we have found that it helps quickly identify situations where the property table and
2140         m_offset get out of sync - mainly because code that changes either of those things will usually
2141         also want to know the outOfLineCapacity(). But Structure::outOfLineCapacity() doesn't *actually*
2142         need the property table; it uses the m_offset. The concurrent JIT is correct to call
2143         outOfLineCapacity(), and is right to do so without holding any locks (since in all cases where
2144         it calls outOfLineCapacity() it has already proven that m_offset is immutable). But because
2145         outOfLineCapacity() calls checkOffsetConsistency(), and checkOffsetConsistency() doesn't grab
2146         locks, and that same structure is having its property table modified by the main thread, we end
2147         up with these spurious assertion failures. FWIW, the structure isn't *actually* having *its*
2148         property table modified - instead what happens is that some downstream structure steals the
2149         property table and then starts adding things to it. The concurrent thread loads the property
2150         table before it's stolen, and hence the badness.
2151         
2152         I suspect there are other code paths that lead to the concurrent JIT calling some Structure
2153         method that it is fine and safe to call, but then that method calls checkOffsetConsistency(),
2154         and then you have a possible crash.
2155         
2156         The most sensible solution to this appears to be to make sure that checkOffsetConsistency() is
2157         aware of its uselessness to the concurrent JIT thread. This change makes it return early if
2158         it's in the concurrent JIT.
2159         
2160         * runtime/StructureInlines.h:
2161         (JSC::Structure::checkOffsetConsistency):
2162
2163 2013-10-18  Daniel Bates  <dabates@apple.com>
2164
2165         Add SPI to disable the garbage collector timer
2166         https://bugs.webkit.org/show_bug.cgi?id=122921
2167
2168         Add null check to Heap::setGarbageCollectionTimerEnabled() that I inadvertently
2169         omitted.
2170
2171         * heap/Heap.cpp:
2172         (JSC::Heap::setGarbageCollectionTimerEnabled):
2173
2174 2013-10-18  Julien Brianceau  <jbriance@cisco.com>
2175
2176         Group 64-bit specific and 32-bit specific callOperation implementations.
2177         https://bugs.webkit.org/show_bug.cgi?id=123024
2178
2179         Reviewed by Michael Saboff.
2180
2181         This is not a big deal, but could be less confusing when reading the code.
2182
2183         * jit/JITInlines.h:
2184         (JSC::JIT::callOperation):
2185         (JSC::JIT::callOperationWithCallFrameRollbackOnException):
2186         (JSC::JIT::callOperationNoExceptionCheck):
2187
2188 2013-10-18  Nadav Rotem  <nrotem@apple.com>
2189
2190         Fix a FlushLiveness problem.
2191         https://bugs.webkit.org/show_bug.cgi?id=122984
2192
2193         Reviewed by Filip Pizlo.
2194
2195         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
2196         (JSC::DFG::FlushLivenessAnalysisPhase::process):
2197
2198 2013-10-18  Michael Saboff  <msaboff@apple.com>
2199
2200         Change native function call stubs to use JIT operations instead of ctiVMHandleException
2201         https://bugs.webkit.org/show_bug.cgi?id=122982
2202
2203         Reviewed by Geoffrey Garen.
2204
2205         Change ctiVMHandleException to operationVMHandleException.  Change all exception operations to
2206         return the catch callFrame and entryPC via vm.callFrameForThrow and vm.targetMachinePCForThrow.
2207         This removed calling convention headaches, fixing https://bugs.webkit.org/show_bug.cgi?id=122980
2208         in the process.
2209
2210         * dfg/DFGJITCompiler.cpp:
2211         (JSC::DFG::JITCompiler::compileExceptionHandlers):
2212         * jit/CCallHelpers.h:
2213         (JSC::CCallHelpers::jumpToExceptionHandler):
2214         * jit/JIT.cpp:
2215         (JSC::JIT::privateCompileExceptionHandlers):
2216         * jit/JIT.h:
2217         * jit/JITExceptions.cpp:
2218         (JSC::genericUnwind):
2219         * jit/JITExceptions.h:
2220         * jit/JITInlines.h:
2221         (JSC::JIT::callOperationNoExceptionCheck):
2222         * jit/JITOpcodes.cpp:
2223         (JSC::JIT::emit_op_throw):
2224         * jit/JITOpcodes32_64.cpp:
2225         (JSC::JIT::privateCompileCTINativeCall):
2226         (JSC::JIT::emit_op_throw):
2227         * jit/JITOperations.cpp:
2228         * jit/JITOperations.h:
2229         * jit/JITStubs.cpp:
2230         * jit/JITStubs.h:
2231         * jit/JITStubsARM.h:
2232         * jit/JITStubsARM64.h:
2233         * jit/JITStubsARMv7.h:
2234         * jit/JITStubsMIPS.h:
2235         * jit/JITStubsMSVC64.asm:
2236         * jit/JITStubsSH4.h:
2237         * jit/JITStubsX86.h:
2238         * jit/JITStubsX86_64.h:
2239         * jit/Repatch.cpp:
2240         (JSC::tryBuildGetByIDList):
2241         * jit/SlowPathCall.h:
2242         (JSC::JITSlowPathCall::call):
2243         * jit/ThunkGenerators.cpp:
2244         (JSC::throwExceptionFromCallSlowPathGenerator):
2245         (JSC::nativeForGenerator):
2246         * runtime/VM.h:
2247         (JSC::VM::callFrameForThrowOffset):
2248         (JSC::VM::targetMachinePCForThrowOffset):
2249
2250 2013-10-18  Julien Brianceau  <jbriance@cisco.com>
2251
2252         Fix J_JITOperation_EAapJ call for MIPS and ARM EABI.
2253         https://bugs.webkit.org/show_bug.cgi?id=123023
2254
2255         Reviewed by Michael Saboff.
2256
2257         * jit/JITInlines.h:
2258         (JSC::JIT::callOperation): EncodedJSValue parameter does not need alignment
2259         using EABI_32BIT_DUMMY_ARG here.
2260
2261 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
2262
2263         Unreviewed, another ARM64 build fix.
2264         
2265         Get rid of andPtr(TrustedImmPtr, blah), since it would take Effort to get it to work
2266         on ARM64 and none of its uses are legit - they should all be using
2267         andPtr(TrustedImm32, blah) anyway.
2268
2269         * assembler/MacroAssembler.h:
2270         * assembler/MacroAssemblerARM64.h:
2271         * dfg/DFGJITCompiler.cpp:
2272         (JSC::DFG::JITCompiler::compileExceptionHandlers):
2273         * jit/JIT.cpp:
2274         (JSC::JIT::privateCompileExceptionHandlers):
2275
2276 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
2277
2278         Unreviewed, speculative ARM64 build fix.
2279         
2280         move(ImmPtr, blah) is only available in MacroAssembler since that's where blinding is
2281         implemented. So, you have to use TrustedImmPtr in the superclasses.
2282
2283         * assembler/MacroAssemblerARM64.h:
2284         (JSC::MacroAssemblerARM64::store8):
2285         (JSC::MacroAssemblerARM64::branchTest8):
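
        The note above mentions that constant blinding lives in MacroAssembler, which is why an
        untrusted ImmPtr and a TrustedImmPtr are different types. The following is an added
        illustration of that mechanism, not JavaScriptCore's own assembler: a simplified
        stand-in with a two-instruction pseudo-ISA, hypothetical tag bytes and a seeded RNG,
        showing that an attacker-influenced immediate is never written verbatim into the code
        buffer while the register still ends up holding the intended value.

```cpp
// Added illustration (not JSC's MacroAssembler) of JIT constant blinding.
// Untrusted immediates (ImmPtr) are emitted as value^key followed by an xor
// with key; trusted ones (TrustedImmPtr) are emitted verbatim.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <random>
#include <vector>

namespace demo {

// Hypothetical tags for the two pseudo-instructions we emit; they stand in
// for real mov/xor encodings so the test can scan the emitted bytes.
constexpr uint8_t kMovImm = 0xB8;   // reg = imm64
constexpr uint8_t kXorImm = 0x35;   // reg ^= imm64

struct CodeBuffer {
    std::vector<uint8_t> bytes;

    void emit(uint8_t tag, uint64_t imm)
    {
        bytes.push_back(tag);
        uint8_t raw[8];
        std::memcpy(raw, &imm, sizeof raw);
        bytes.insert(bytes.end(), raw, raw + 8);
    }

    // Does this 8-byte (host-endian) value appear anywhere in the emitted code?
    bool containsImmediate(uint64_t value) const
    {
        uint8_t needle[8];
        std::memcpy(needle, &value, sizeof needle);
        for (size_t i = 0; i + 8 <= bytes.size(); ++i) {
            if (std::memcmp(&bytes[i], needle, 8) == 0)
                return true;
        }
        return false;
    }
};

struct TrustedImmPtr { uint64_t value; };   // compiler-owned constant, emitted as-is
struct ImmPtr        { uint64_t value; };   // possibly attacker-influenced, must be blinded

class MacroAssembler {
public:
    explicit MacroAssembler(uint64_t seed) : m_rng(seed) {}

    void move(TrustedImmPtr imm) { m_code.emit(kMovImm, imm.value); }

    // Blinded move: mov reg, value^key ; xor reg, key. Neither emitted
    // immediate equals the original value, yet reg ends up holding it.
    void move(ImmPtr imm)
    {
        uint64_t key;
        do { key = m_rng(); } while (key == 0);   // key 0 would leak the value
        m_code.emit(kMovImm, imm.value ^ key);
        m_code.emit(kXorImm, key);
    }

    const CodeBuffer& code() const { return m_code; }

private:
    std::mt19937_64 m_rng;   // a real JIT draws keys from a per-process random source
    CodeBuffer m_code;
};

// Tiny interpreter for the pseudo-ISA: returns the final register value so the
// caller can check that blinding preserves semantics.
inline uint64_t execute(const CodeBuffer& code)
{
    uint64_t reg = 0;
    size_t pc = 0;
    while (pc + 9 <= code.bytes.size()) {
        uint8_t tag = code.bytes[pc];
        uint64_t imm;
        std::memcpy(&imm, &code.bytes[pc + 1], 8);
        if (tag == kMovImm)
            reg = imm;
        else if (tag == kXorImm)
            reg ^= imm;
        pc += 9;
    }
    return reg;
}

}
```

        The reason the distinction matters for security: a JavaScript program can make the JIT
        materialize constants it chooses, and without blinding those constants become
        attacker-chosen bytes in executable memory (JIT spraying). Only values the compiler
        itself owns should go through the trusted path.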
2286
2287 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
2288
2289         Unreviewed, speculative ARM build fix.
2290         https://bugs.webkit.org/show_bug.cgi?id=122890
2291         <rdar://problem/15258624>
2292
2293         * assembler/ARM64Assembler.h:
2294         (JSC::ARM64Assembler::firstRegister):
2295         (JSC::ARM64Assembler::lastRegister):
2296         (JSC::ARM64Assembler::firstFPRegister):
2297         (JSC::ARM64Assembler::lastFPRegister):
2298         * assembler/MacroAssemblerARM64.h:
2299         * assembler/MacroAssemblerARMv7.h:
2300
2301 2013-10-17  Andreas Kling  <akling@apple.com>
2302
2303         Pass VM instead of JSGlobalObject to JSONObject constructor.
2304         <https://webkit.org/b/122999>
2305
2306         JSONObject was only using the JSGlobalObject to grab at the VM.
2307         Dodge a few loads by passing the VM directly instead.
2308
2309         Reviewed by Geoffrey Garen.
2310
2311         * runtime/JSONObject.cpp:
2312         (JSC::JSONObject::JSONObject):
2313         (JSC::JSONObject::finishCreation):
2314         * runtime/JSONObject.h:
2315         (JSC::JSONObject::create):
2316
2317 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2318
2319         Removed the JITStackFrame struct
2320         https://bugs.webkit.org/show_bug.cgi?id=123001
2321
2322         Reviewed by Anders Carlsson.
2323
2324         * jit/JITStubs.h: JITStackFrame and JITStubArg are unused now, since all
2325         our helper functions obey the C function call ABI.
2326
2327 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2328
2329         Removed an unused #define
2330         https://bugs.webkit.org/show_bug.cgi?id=123000
2331
2332         Reviewed by Anders Carlsson.
2333
2334         * jit/JITStubs.h: Removed the concept of JITSTACKFRAME_ARGS_INDEX,
2335         since it is unused now. This is a step toward using the C stack.
2336
2337 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2338
2339         Eliminate uses of JITSTACKFRAME_ARGS_INDEX as scratch area for thunks
2340         https://bugs.webkit.org/show_bug.cgi?id=122973
2341
2342         Reviewed by Michael Saboff.
2343
2344         * jit/ThunkGenerators.cpp:
2345         (JSC::throwExceptionFromCallSlowPathGenerator): This was all dead code,
2346         so I removed it.
2347
2348         The code acted as if it needed to pass an argument to
2349         lookupExceptionHandler, and as if it passed that argument to itself
2350         through JITStackFrame. However, lookupExceptionHandler does not take
2351         an argument (other than the default ExecState argument), and the code
2352         did not initialize the thing that it thought it passed to itself!
2353
2354 2013-10-17  Alex Christensen  <achristensen@webkit.org>
2355
2356         Run JavaScriptCore tests again on Windows.
2357         https://bugs.webkit.org/show_bug.cgi?id=122787
2358
2359         Reviewed by Tim Horton.
2360
2361         * JavaScriptCore.vcxproj/JavaScriptCore.sln: Added.
2362         * jit/JITStubsMSVC64.asm: Removed reference to cti_vm_throw unused since r157581.
2363
2364 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2365
2366         Removed restoreArgumentReference (another use of JITStackFrame)
2367         https://bugs.webkit.org/show_bug.cgi?id=122997
2368
2369         Reviewed by Oliver Hunt.
2370
2371         * jit/JSInterfaceJIT.h: Removed an unused function. This is a step
2372         toward using the C stack.
2373
2374 2013-10-17  Oliver Hunt  <oliver@apple.com>
2375
2376         Remove JITStubCall.h
2377         https://bugs.webkit.org/show_bug.cgi?id=122991
2378
2379         Reviewed by Geoff Garen.
2380
2381         Happily, this is no longer used.
2382
2383         * GNUmakefile.list.am:
2384         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2385         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2386         * JavaScriptCore.xcodeproj/project.pbxproj:
2387         * jit/JIT.cpp:
2388         * jit/JITArithmetic.cpp:
2389         * jit/JITArithmetic32_64.cpp:
2390         * jit/JITCall.cpp:
2391         * jit/JITCall32_64.cpp:
2392         * jit/JITOpcodes.cpp:
2393         * jit/JITOpcodes32_64.cpp:
2394         * jit/JITPropertyAccess.cpp:
2395         * jit/JITPropertyAccess32_64.cpp:
2396         * jit/JITStubCall.h: Removed.
2397
2398 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2399
2400         Removed a use of JITSTACKFRAME_ARGS_INDEX
2401         https://bugs.webkit.org/show_bug.cgi?id=122989
2402
2403         Reviewed by Oliver Hunt.
2404
2405         * jit/JITStubCall.h: Removed an unused function. This is one step closer
2406         to using the C stack.
2407
2408 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2409
2410         Change emit_op_catch to use another method to materialize VM
2411         https://bugs.webkit.org/show_bug.cgi?id=122977
2412
2413         Reviewed by Oliver Hunt.
2414
2415         * jit/JITOpcodes.cpp:
2416         (JSC::JIT::emit_op_catch):
2417         * jit/JITOpcodes32_64.cpp:
2418         (JSC::JIT::emit_op_catch): Use a constant. It removes our dependency
2419         on JITStackFrame. It is also faster and simpler.
2420
2421 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2422
2423         Eliminate emitGetJITStubArg() - dead code
2424         https://bugs.webkit.org/show_bug.cgi?id=122975
2425
2426         Reviewed by Anders Carlsson.
2427
2428         * jit/JIT.h:
2429         * jit/JITInlines.h: Removed unused, deprecated function.
2430
2431 2013-10-17  Mark Lam  <mark.lam@apple.com>
2432
2433         Eliminate all ASSERT references to OBJECT_OFFSETOF(struct JITStackFrame,...) in JITStubsXXX.h.
2434         https://bugs.webkit.org/show_bug.cgi?id=122979.
2435
2436         Reviewed by Michael Saboff.
2437
2438         * jit/JITStubs.cpp:
2439         * jit/JITStubs.h:
2440         * jit/JITStubsARM.h:
2441         * jit/JITStubsARM64.h:
2442         * jit/JITStubsARMv7.h:
2443         * jit/JITStubsMIPS.h:
2444         * jit/JITStubsSH4.h:
2445         * jit/JITStubsX86.h:
2446         * jit/JITStubsX86_64.h:
2447         * runtime/VM.cpp:
2448         (JSC::VM::VM):
2449
2450 2013-10-17  Michael Saboff  <msaboff@apple.com>
2451
2452         Remove saving callFrameRegister to JITStackFrame in JITCompiler::compileFunction()
2453         https://bugs.webkit.org/show_bug.cgi?id=122974
2454
2455         Reviewed by Geoffrey Garen.
2456
2457         Eliminated unneeded storing to JITStackFrame.
2458
2459         * dfg/DFGJITCompiler.cpp:
2460         (JSC::DFG::JITCompiler::compileFunction):
2461
2462 2013-10-17  Michael Saboff  <msaboff@apple.com>
2463
2464         Transition cti_op_throw and cti_vm_throw to a JIT operation
2465         https://bugs.webkit.org/show_bug.cgi?id=122931
2466
2467         Reviewed by Filip Pizlo.
2468
2469         Moved cti_op_throw to operationThrow.  Made the caller responsible for jumping to the
2470         catch handler.  Eliminated cti_op_throw_static_error, cti_vm_throw, ctiVMThrowTrampoline()
2471         and their callers as they are now dead code.  There is some work needed on the Microsoft X86
2472         callOperation to handle the need to provide space for structure return value.
2473
2474         * jit/JIT.h:
2475         * jit/JITInlines.h:
2476         (JSC::JIT::callOperation):
2477         * jit/JITOpcodes.cpp:
2478         (JSC::JIT::emit_op_throw):
2479         * jit/JITOpcodes32_64.cpp:
2480         (JSC::JIT::emit_op_throw):
2481         (JSC::JIT::emit_op_catch):
2482         * jit/JITOperations.cpp:
2483         * jit/JITOperations.h:
2484         * jit/JITStubs.cpp:
2485         * jit/JITStubs.h:
2486         * jit/JITStubsARM.h:
2487         * jit/JITStubsARM64.h:
2488         * jit/JITStubsARMv7.h:
2489         * jit/JITStubsMIPS.h:
2490         * jit/JITStubsMSVC64.asm:
2491         * jit/JITStubsSH4.h:
2492         * jit/JITStubsX86.h:
2493         * jit/JITStubsX86_64.h:
2494         * jit/JSInterfaceJIT.h:
2495
2496 2013-10-17  Mark Lam  <mark.lam@apple.com>
2497
2498         Remove JITStackFrame references in the C Loop LLINT.
2499         https://bugs.webkit.org/show_bug.cgi?id=122950.
2500
2501         Reviewed by Michael Saboff.
2502
2503         * jit/JITStubs.h:
2504         * llint/LowLevelInterpreter.cpp:
2505         (JSC::CLoop::execute):
2506         * offlineasm/cloop.rb:
2507
2508 2013-10-17  Mark Lam  <mark.lam@apple.com>
2509
2510         Remove JITStackFrame references in JIT probes.
2511         https://bugs.webkit.org/show_bug.cgi?id=122947.
2512
2513         Reviewed by Michael Saboff.
2514
2515         * assembler/MacroAssemblerARM.cpp:
2516         (JSC::MacroAssemblerARM::ProbeContext::dump):
2517         * assembler/MacroAssemblerARM.h:
2518         * assembler/MacroAssemblerARMv7.cpp:
2519         (JSC::MacroAssemblerARMv7::ProbeContext::dump):
2520         * assembler/MacroAssemblerARMv7.h:
2521         * assembler/MacroAssemblerX86Common.cpp:
2522         (JSC::MacroAssemblerX86Common::ProbeContext::dump):
2523         * assembler/MacroAssemblerX86Common.h:
2524         * jit/JITStubsARM.h:
2525         * jit/JITStubsARMv7.h:
2526         * jit/JITStubsX86.h:
2527         * jit/JITStubsX86Common.h:
2528         * jit/JITStubsX86_64.h:
2529
2530 2013-10-17  Julien Brianceau  <jbriance@cisco.com>
2531
2532         Fix build when NUMBER_OF_ARGUMENT_REGISTERS == 4.
2533         https://bugs.webkit.org/show_bug.cgi?id=122949
2534
2535         Reviewed by Andreas Kling.
2536
2537         * jit/CCallHelpers.h:
2538         (JSC::CCallHelpers::setupArgumentsWithExecState):
2539
2540 2013-10-16  Mark Lam  <mark.lam@apple.com>
2541
2542         Transition remaining op_get* JITStubs to JIT operations.
2543         https://bugs.webkit.org/show_bug.cgi?id=122925.
2544
2545         Reviewed by Geoffrey Garen.
2546
2547         Transitioning:
2548             cti_op_get_by_id_generic
2549             cti_op_get_by_val
2550             cti_op_get_by_val_generic
2551             cti_op_get_by_val_string
2552
2553         * dfg/DFGOperations.cpp:
2554         * dfg/DFGOperations.h:
2555         * jit/JIT.h:
2556         * jit/JITInlines.h:
2557         (JSC::JIT::callOperation):
2558         * jit/JITOpcodes.cpp:
2559         (JSC::JIT::emitSlow_op_get_arguments_length):
2560         (JSC::JIT::emitSlow_op_get_argument_by_val):
2561         * jit/JITOpcodes32_64.cpp:
2562         (JSC::JIT::emitSlow_op_get_arguments_length):
2563         (JSC::JIT::emitSlow_op_get_argument_by_val):
2564         * jit/JITOperations.cpp:
2565         * jit/JITOperations.h:
2566         * jit/JITPropertyAccess.cpp:
2567         (JSC::JIT::emitSlow_op_get_by_val):
2568         (JSC::JIT::emitSlow_op_get_by_pname):
2569         (JSC::JIT::privateCompileGetByVal):
2570         * jit/JITPropertyAccess32_64.cpp:
2571         (JSC::JIT::emitSlow_op_get_by_val):
2572         (JSC::JIT::emitSlow_op_get_by_pname):
2573         * jit/JITStubs.cpp:
2574         * jit/JITStubs.h:
2575         * runtime/Executable.cpp:
2576         (JSC::setupLLInt): Added some UNUSED_PARAMs to fix the no LLINT build.
2577         * runtime/Options.cpp:
2578         (JSC::Options::initialize):
2579
2580 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2581
2582         Introduce WTF::Bag and start using it for InlineCallFrameSet
2583         https://bugs.webkit.org/show_bug.cgi?id=122941
2584
2585         Reviewed by Geoffrey Garen.
2586         
2587         Use Bag for InlineCallFrameSet. If this works out then I'll make other
2588         SegmentedVectors into Bags as well.
2589
2590         * bytecode/InlineCallFrameSet.cpp:
2591         (JSC::InlineCallFrameSet::add):
2592         * bytecode/InlineCallFrameSet.h:
2593         (JSC::InlineCallFrameSet::begin):
2594         (JSC::InlineCallFrameSet::end):
2595         * dfg/DFGArgumentsSimplificationPhase.cpp:
2596         (JSC::DFG::ArgumentsSimplificationPhase::run):
2597         * dfg/DFGJITCompiler.cpp:
2598         (JSC::DFG::JITCompiler::link):
2599         * dfg/DFGStackLayoutPhase.cpp:
2600         (JSC::DFG::StackLayoutPhase::run):
2601         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
2602         (JSC::DFG::VirtualRegisterAllocationPhase::run):
2603
2604 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2605
2606         libllvmForJSC shouldn't call exit(1) on report_fatal_error()
2607         https://bugs.webkit.org/show_bug.cgi?id=122905
2608         <rdar://problem/15237856>
2609
2610         Reviewed by Michael Saboff.
2611         
2612         Expose the new LLVMInstallFatalErrorHandler() API through the soft linking magic and
2613         then always call it to install something that calls CRASH().
2614
2615         * llvm/InitializeLLVM.cpp:
2616         (JSC::llvmCrash):
2617         (JSC::initializeLLVMOnce):
2618         (JSC::initializeLLVM):
2619         * llvm/LLVMAPIFunctions.h:
2620
2621 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2622
2623         Prototype chain repatching in the polymorphic case fails to check if the receiver is a dictionary
2624         https://bugs.webkit.org/show_bug.cgi?id=122938
2625
2626         Reviewed by Sam Weinig.
2627         
2628         This fixes jsc-layout-tests.yaml/js/script-tests/dictionary-prototype-caching.js.layout-no-llint.
2629
2630         * jit/Repatch.cpp:
2631         (JSC::tryBuildGetByIDList):
2632
2633 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2634
2635         JIT::appendCall() needs to killLastResultRegister() or equivalent since there's some really bad code that expects it
2636         https://bugs.webkit.org/show_bug.cgi?id=122937
2637
2638         Reviewed by Geoffrey Garen.
2639         
2640         JITStubCall used to do it.
2641         
2642         This makes mozilla-tests.yaml/ecma/Statements/12.10-1.js.mozilla-baseline pass.
2643
2644         * jit/JIT.h:
2645         (JSC::JIT::appendCall):
2646
2647 2013-10-16  Michael Saboff  <msaboff@apple.com>
2648
2649         transition void cti_op_put_by_val* stubs to JIT operations
2650         https://bugs.webkit.org/show_bug.cgi?id=122903
2651
2652         Reviewed by Geoffrey Garen.
2653
2654         Transitioned cti_op_put_by_val and cti_op_put_by_val_generic to operationPutByVal and
2655         operationPutByValGeneric.
2656
2657         * jit/CCallHelpers.h:
2658         (JSC::CCallHelpers::setupArgumentsWithExecState):
2659         * jit/JIT.h:
2660         * jit/JITInlines.h:
2661         (JSC::JIT::callOperation):
2662         * jit/JITOperations.cpp:
2663         * jit/JITOperations.h:
2664         * jit/JITPropertyAccess.cpp:
2665         (JSC::JIT::emitSlow_op_put_by_val):
2666         (JSC::JIT::privateCompilePutByVal):
2667         * jit/JITPropertyAccess32_64.cpp:
2668         (JSC::JIT::emitSlow_op_put_by_val):
2669         * jit/JITStubs.cpp:
2670         * jit/JITStubs.h:
2671         * jit/JSInterfaceJIT.h:
2672
2673 2013-10-16  Oliver Hunt  <oliver@apple.com>
2674
2675         Implement ES6 spread operator
2676         https://bugs.webkit.org/show_bug.cgi?id=122911
2677
2678         Reviewed by Michael Saboff.
2679
2680         Implement the ES6 spread operator
2681
2682         This has a little bit of refactoring to move the enumeration logic out of ForOfNode
2683         and into BytecodeGenerator, and then adds the logic to make it nicely callback
2684         driven.
2685
2686         The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
2687         and actually handling the spread.
2688
2689         * bytecompiler/BytecodeGenerator.cpp:
2690         (JSC::BytecodeGenerator::emitNewArray):
2691         (JSC::BytecodeGenerator::emitCall):
2692         (JSC::BytecodeGenerator::emitEnumeration):
2693         * bytecompiler/BytecodeGenerator.h:
2694         * bytecompiler/NodesCodegen.cpp:
2695         (JSC::ArrayNode::emitBytecode):
2696         (JSC::ForOfNode::emitBytecode):
2697         (JSC::SpreadExpressionNode::emitBytecode):
2698         * parser/ASTBuilder.h:
2699         (JSC::ASTBuilder::createSpreadExpression):
2700         * parser/Lexer.cpp:
2701         (JSC::::lex):
2702         * parser/NodeConstructors.h:
2703         (JSC::SpreadExpressionNode::SpreadExpressionNode):
2704         * parser/Nodes.h:
2705         (JSC::ExpressionNode::isSpreadExpression):
2706         (JSC::SpreadExpressionNode::expression):
2707         * parser/Parser.cpp:
2708         (JSC::::parseArrayLiteral):
2709         (JSC::::parseArguments):
2710         (JSC::::parseMemberExpression):
2711         * parser/Parser.h:
2712         (JSC::Parser::getTokenName):
2713         (JSC::Parser::updateErrorMessageSpecialCase):
2714         * parser/ParserTokens.h:
2715         * parser/SyntaxChecker.h:
2716         (JSC::SyntaxChecker::createSpreadExpression):
2717
2718 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2719
2720         Add a useLLInt option to jsc
2721         https://bugs.webkit.org/show_bug.cgi?id=122930
2722
2723         Reviewed by Geoffrey Garen.
2724
2725         * runtime/Executable.cpp:
2726         (JSC::setupLLInt):
2727         (JSC::setupJIT):
2728         (JSC::ScriptExecutable::prepareForExecutionImpl):
2729         * runtime/Options.h:
2730
2731 2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>
2732
2733         Build fix.
2734
2735         Forgot to svn add DeferGC.cpp
2736
2737         * heap/DeferGC.cpp: Added.
2738
2739 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2740
2741         r157411 fails run-javascriptcore-tests when run with Baseline JIT
2742         https://bugs.webkit.org/show_bug.cgi?id=122902
2743
2744         Reviewed by Mark Hahnenberg.
2745         
2746         It turns out that this was a long-standing bug in the DFG PutById repatching logic. It's
2747         not legal to patch if the typeInfo tells you that you can't patch. The old JIT's patching
2748         logic did this right, and the DFG's GetById patching logic did it right; but DFG PutById
2749         didn't. Turns out that there's even a helpful method,
2750         Structure::propertyAccessesAreCacheable(), that will even do all of the checks for you!
2751
2752         * jit/Repatch.cpp:
2753         (JSC::tryCachePutByID):
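
        Two entries above describe the same class of inline-cache bug: the dictionary-receiver
        check missing from prototype chain repatching, and DFG PutById patching without
        consulting Structure::propertyAccessesAreCacheable(). The following is an added example,
        not JavaScriptCore code, of why that check matters. It is a toy get-by-id cache with
        hypothetical stand-in types (Structure, Object, GetByIdCache) and covers the own-property
        case; the same check applies to every structure along a cached prototype chain.

```cpp
// Added example (not JSC code): a toy get-by-id inline cache that must not be
// patched on a dictionary structure, because such a structure is mutated in
// place and a remembered (structure, offset) pair can silently go stale.
#include <cstddef>
#include <map>
#include <memory>
#include <optional>
#include <string>
#include <vector>

namespace demo {

// A normal Structure is never mutated: adding a property produces a new one
// (a transition). A dictionary Structure is edited in place instead.
struct Structure {
    std::map<std::string, size_t> offsets;
    std::vector<bool> freeSlots;   // slots vacated by removals (dictionary only)
    bool isDictionary = false;
    bool propertyAccessesAreCacheable() const { return !isDictionary; }
};

struct Object {
    std::shared_ptr<Structure> structure;
    std::vector<int> slots;
};

// Normal mode: transition to a fresh Structure; old cache entries stop matching.
inline void addPropertyWithTransition(Object& o, const std::string& name, int value)
{
    auto next = std::make_shared<Structure>(*o.structure);
    next->offsets[name] = o.slots.size();
    o.slots.push_back(value);
    o.structure = next;
}

// Dictionary mode: the Structure pointer is unchanged, but the layout is not.
inline void removePropertyInDictionary(Object& o, const std::string& name)
{
    Structure& s = *o.structure;
    size_t offset = s.offsets.at(name);
    s.offsets.erase(name);
    if (s.freeSlots.size() < o.slots.size())
        s.freeSlots.resize(o.slots.size(), false);
    s.freeSlots[offset] = true;
}

inline void addPropertyInDictionary(Object& o, const std::string& name, int value)
{
    Structure& s = *o.structure;
    for (size_t i = 0; i < s.freeSlots.size(); ++i) {
        if (s.freeSlots[i]) {          // reuse a vacated slot
            s.freeSlots[i] = false;
            s.offsets[name] = i;
            o.slots[i] = value;
            return;
        }
    }
    s.offsets[name] = o.slots.size();
    o.slots.push_back(value);
}

// One cache per access site (a single bytecode's get-by-id for a fixed name).
struct GetByIdCache {
    std::shared_ptr<const Structure> structure;
    size_t offset = 0;
};

// checkCacheable=false reproduces the bug: the cache is patched on any structure.
inline std::optional<int> getById(Object& o, const std::string& name, GetByIdCache& cache, bool checkCacheable)
{
    if (cache.structure && cache.structure == o.structure)
        return o.slots[cache.offset];  // fast path: trusts the remembered offset
    auto it = o.structure->offsets.find(name);
    if (it == o.structure->offsets.end())
        return std::nullopt;
    if (!checkCacheable || o.structure->propertyAccessesAreCacheable())
        cache = { o.structure, it->second };
    return o.slots[it->second];
}

// Dictionary object: x lives in slot 0. After x is removed and z reuses slot 0,
// an unchecked cache answers "x" with z's value (a stale-offset read); with the
// check the cache was never patched and the slow path correctly reports absence.
inline std::optional<int> staleCacheScenario(bool checkCacheable)
{
    Object o{ std::make_shared<Structure>(), {} };
    o.structure->isDictionary = true;
    addPropertyInDictionary(o, "x", 1);
    addPropertyInDictionary(o, "y", 2);
    GetByIdCache cache;
    getById(o, "x", cache, checkCacheable);
    removePropertyInDictionary(o, "x");
    addPropertyInDictionary(o, "z", 99);
    return getById(o, "x", cache, checkCacheable);
}

// Contrast: with transitions the structure pointer changes, so the stale entry
// is simply missed and the pointer compare alone keeps the cache sound.
inline bool transitionInvalidatesCache()
{
    Object o{ std::make_shared<Structure>(), {} };
    addPropertyWithTransition(o, "x", 1);
    GetByIdCache cache;
    getById(o, "x", cache, true);
    addPropertyWithTransition(o, "y", 2);
    return cache.structure != o.structure && getById(o, "x", cache, true) == 1;
}

}
```

        In a real engine the stale offset is not merely a wrong answer: the slot may now hold a
        value of a different type, which is exactly the kind of confusion JIT exploits are built
        from, so the cacheability check belongs on every patching path, not only on the get side.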
2754
2755 2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>
2756
2757         llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
2758         https://bugs.webkit.org/show_bug.cgi?id=122667
2759
2760         Reviewed by Geoffrey Garen.
2761
2762         The issue this patch is attempting to fix is that there are places in our codebase
2763         where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
2764         operations that can initiate a garbage collection. Garbage collection then calls 
2765         some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
2766         always necessarily run during garbage collection). This causes a deadlock.
2767  
2768         To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores 
2769         into a thread-local field that indicates that it is unsafe to perform any operation 
2770         that could trigger garbage collection on the current thread. In debug builds, 
2771         ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly 
2772         detect deadlocks.
2773  
2774         This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
2775         which uses the DeferGC mechanism to prevent collections from occurring while the 
2776         lock is held.
2777
2778         * CMakeLists.txt:
2779         * GNUmakefile.list.am:
2780         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2781         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2782         * JavaScriptCore.xcodeproj/project.pbxproj:
2783         * heap/DeferGC.h:
2784         (JSC::DisallowGC::DisallowGC):
2785         (JSC::DisallowGC::~DisallowGC):
2786         (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
2787         (JSC::DisallowGC::initialize):
2788         * jit/Repatch.cpp:
2789         (JSC::repatchPutByID):
2790         (JSC::buildPutByIdList):
2791         * llint/LLIntSlowPaths.cpp:
2792         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2793         * runtime/ConcurrentJITLock.h:
2794         (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
2795         (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
2796         (JSC::ConcurrentJITLockerBase::unlockEarly):
2797         (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
2798         (JSC::GCSafeConcurrentJITLocker::~GCSafeConcurrentJITLocker):
2799         (JSC::GCSafeConcurrentJITLocker::NoDefer::NoDefer):
2800         (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
2801         * runtime/InitializeThreading.cpp:
2802         (JSC::initializeThreadingOnce):
2803         * runtime/JSCellInlines.h:
2804         (JSC::allocateCell):
2805         * runtime/JSSymbolTableObject.h:
2806         (JSC::symbolTablePut):
2807         * runtime/Structure.cpp: materializePropertyMapIfNecessary* now has a problem in that it
2808         can start a garbage collection when the GCSafeConcurrentJITLocker goes out of scope, but 
2809         before the caller has a chance to use the newly created PropertyTable. The garbage collection
2810         clears the PropertyTable, and then the caller uses it assuming it's valid. To avoid this,
2811         we must DeferGC until the caller is done getting the newly materialized PropertyTable from 
2812         the Structure.
2813         (JSC::Structure::materializePropertyMap):
2814         (JSC::Structure::despecifyDictionaryFunction):
2815         (JSC::Structure::changePrototypeTransition):
2816         (JSC::Structure::despecifyFunctionTransition):
2817         (JSC::Structure::attributeChangeTransition):
2818         (JSC::Structure::toDictionaryTransition):
2819         (JSC::Structure::preventExtensionsTransition):
2820         (JSC::Structure::takePropertyTableOrCloneIfPinned):
2821         (JSC::Structure::isSealed):
2822         (JSC::Structure::isFrozen):
2823         (JSC::Structure::addPropertyWithoutTransition):
2824         (JSC::Structure::removePropertyWithoutTransition):
2825         (JSC::Structure::get):
2826         (JSC::Structure::despecifyFunction):
2827         (JSC::Structure::despecifyAllFunctions):
2828         (JSC::Structure::putSpecificValue):
2829         (JSC::Structure::createPropertyMap):
2830         (JSC::Structure::getPropertyNamesFromStructure):
2831         * runtime/Structure.h:
2832         (JSC::Structure::materializePropertyMapIfNecessary):
2833         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
2834         * runtime/StructureInlines.h:
2835         (JSC::Structure::get):
2836         * runtime/SymbolTable.h:
2837         (JSC::SymbolTable::find):
2838         (JSC::SymbolTable::end):
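
        The entry above describes a thread-local DisallowGC guard, a DeferGC mechanism, and two
        lockers built on them. The following is an added example, not JavaScriptCore code, of
        how those pieces fit together: hypothetical stand-in classes with the same names, a toy
        Heap, and a thrown std::logic_error where the real engine would assert or crash. It
        shows the deadlock-shaped pattern (collecting while the lock is held) being detected,
        and the GC-safe locker deferring the collection until the lock is released.

```cpp
// Added example (not JSC code): RAII guards that either forbid or defer garbage
// collection on the current thread, and lockers that compose them.
#include <mutex>
#include <stdexcept>

namespace demo {

// Thread-local depth counters. While disallowDepth > 0 any attempt to collect
// is a programming error; while deferDepth > 0 collection is postponed until
// the outermost DeferGC goes out of scope.
static thread_local unsigned disallowDepth = 0;
static thread_local unsigned deferDepth = 0;

class Heap {
public:
    // Called from allocation sites. Returns true if a collection ran now.
    bool collectIfNecessary()
    {
        if (disallowDepth)   // real engine: ASSERT/CRASH; here: an exception the test can catch
            throw std::logic_error("GC triggered while GC is disallowed on this thread");
        if (deferDepth) {
            m_pendingCollection = true;
            return false;
        }
        return collect();
    }
    bool collect() { ++m_collections; m_pendingCollection = false; return true; }
    void drainDeferred() { if (m_pendingCollection) collect(); }
    bool hasPendingCollection() const { return m_pendingCollection; }
    unsigned collectionCount() const { return m_collections; }

private:
    bool m_pendingCollection = false;
    unsigned m_collections = 0;
};

struct DisallowGC {
    DisallowGC() { ++disallowDepth; }
    ~DisallowGC() { --disallowDepth; }
    static bool isGCDisallowedOnCurrentThread() { return disallowDepth > 0; }
};

class DeferGC {
public:
    explicit DeferGC(Heap& heap) : m_heap(heap) { ++deferDepth; }
    ~DeferGC() { if (--deferDepth == 0) m_heap.drainDeferred(); }
private:
    Heap& m_heap;
};

// Plain locker: holds the lock and (as the debug build does) forbids GC while held.
class ConcurrentJITLocker {
public:
    explicit ConcurrentJITLocker(std::mutex& m) : m_lock(m) {}
private:
    std::lock_guard<std::mutex> m_lock;
    DisallowGC m_disallowGC;
};

// GC-safe locker: defers collections instead of forbidding them. Member order
// matters: the DeferGC is built before the lock and torn down after it, so a
// deferred collection runs only once the lock has been released.
class GCSafeConcurrentJITLocker {
public:
    GCSafeConcurrentJITLocker(std::mutex& m, Heap& heap) : m_defer(heap), m_lock(m) {}
private:
    DeferGC m_defer;
    std::lock_guard<std::mutex> m_lock;
};

// The bug shape: allocate (and possibly collect) while holding the plain lock.
inline bool allocateUnderPlainLock(Heap& heap, std::mutex& m)
{
    ConcurrentJITLocker locker(m);
    return heap.collectIfNecessary();   // detected immediately, before any deadlock
}

// The fix shape: the collection is deferred and runs after the lock is dropped.
inline bool allocateUnderGCSafeLock(Heap& heap, std::mutex& m)
{
    GCSafeConcurrentJITLocker locker(m, heap);
    return heap.collectIfNecessary();
}

inline bool collectOutsideAnyLock(Heap& heap) { return heap.collectIfNecessary(); }

}
```

        The value of the DisallowGC counter is that the violation is reported at the allocation
        site on the thread that holds the lock, deterministically, instead of as a deadlock that
        only appears when a collection happens to be triggered at that moment.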
2839
2840 2013-10-16  Daniel Bates  <dabates@apple.com>
2841
2842         Add SPI to disable the garbage collector timer
2843         https://bugs.webkit.org/show_bug.cgi?id=122921
2844
2845         Reviewed by Geoffrey Garen.
2846
2847         Based on a patch by Mark Hahnenberg.
2848
2849         * API/JSBase.cpp:
2850         (JSDisableGCTimer): Added; SPI function.
2851         * API/JSBasePrivate.h:
2852         * heap/BlockAllocator.cpp:
2853         (JSC::createBlockFreeingThread): Added.
2854         (JSC::BlockAllocator::BlockAllocator): Modified to use JSC::createBlockFreeingThread()
2855         to conditionally create the "block freeing" thread depending on the value of
2856         GCActivityCallback::s_shouldCreateGCTimer.
2857         (JSC::BlockAllocator::~BlockAllocator):
2858         * heap/BlockAllocator.h:
2859         (JSC::BlockAllocator::deallocate):
2860         * heap/Heap.cpp:
2861         (JSC::Heap::didAbandon):
2862         (JSC::Heap::collect):
2863         (JSC::Heap::didAllocate):
2864         * heap/HeapTimer.cpp:
2865         (JSC::HeapTimer::timerDidFire):
2866         * runtime/GCActivityCallback.cpp:
2867         * runtime/GCActivityCallback.h:
2868         (JSC::DefaultGCActivityCallback::create): Only instantiate a DefaultGCActivityCallback object
2869         when GCActivityCallback::s_shouldCreateGCTimer is true so as to prevent allocating a HeapTimer
2870         object (since DefaultGCActivityCallback ultimately extends HeapTimer).
2871
2872 2013-10-16  Commit Queue  <commit-queue@webkit.org>
2873
2874         Unreviewed, rolling out r157529.
2875         http://trac.webkit.org/changeset/157529
2876         https://bugs.webkit.org/show_bug.cgi?id=122919
2877
2878         Caused score test failures and some build failures. (Requested
2879         by rfong on #webkit).
2880
2881         * bytecompiler/BytecodeGenerator.cpp:
2882         (JSC::BytecodeGenerator::emitNewArray):
2883         (JSC::BytecodeGenerator::emitCall):
2884         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
2885         * bytecompiler/BytecodeGenerator.h:
2886         * bytecompiler/NodesCodegen.cpp:
2887         (JSC::ArrayNode::emitBytecode):
2888         (JSC::CallArguments::CallArguments):
2889         (JSC::ForOfNode::emitBytecode):
2890         (JSC::BindingNode::collectBoundIdentifiers):
2891         * parser/ASTBuilder.h:
2892         * parser/Lexer.cpp:
2893         (JSC::::lex):
2894         * parser/NodeConstructors.h:
2895         (JSC::DotAccessorNode::DotAccessorNode):
2896         * parser/Nodes.h:
2897         * parser/Parser.cpp:
2898         (JSC::::parseArrayLiteral):
2899         (JSC::::parseArguments):
2900         (JSC::::parseMemberExpression):
2901         * parser/Parser.h:
2902         (JSC::Parser::getTokenName):
2903         (JSC::Parser::updateErrorMessageSpecialCase):
2904         * parser/ParserTokens.h:
2905         * parser/SyntaxChecker.h:
2906
2907 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
2908
2909         Remove useless architecture specific implementation in DFG.
2910         https://bugs.webkit.org/show_bug.cgi?id=122917.
2911
2912         Reviewed by Michael Saboff.
2913
2914         With CPU(ARM) && CPU(ARM_HARDFP) architecture, the fallback implementation is fine
2915         as FPRInfo::argumentFPR0 == FPRInfo::returnValueFPR in this case.
2916
2917         * dfg/DFGSpeculativeJIT.h:
2918
2919 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
2920
2921         Remove unused JIT::restoreArgumentReferenceForTrampoline function.
2922         https://bugs.webkit.org/show_bug.cgi?id=122916.
2923
2924         Reviewed by Michael Saboff.
2925
2926         This architecture specific function is not used anymore, so get rid of it.
2927
2928         * jit/JIT.h:
2929         * jit/JITInlines.h:
2930
2931 2013-10-16  Oliver Hunt  <oliver@apple.com>
2932
2933         Implement ES6 spread operator
2934         https://bugs.webkit.org/show_bug.cgi?id=122911
2935
2936         Reviewed by Michael Saboff.
2937
2938         Implement the ES6 spread operator
2939
2940         This has a little bit of refactoring to move the enumeration logic out ForOfNode
2941         and into BytecodeGenerator, and then adds the logic to make it nicely callback
2942         driven.
2943
2944         The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
2945         and actually handling the spread.
2946
2947         * bytecompiler/BytecodeGenerator.cpp:
2948         (JSC::BytecodeGenerator::emitNewArray):
2949         (JSC::BytecodeGenerator::emitCall):
2950         (JSC::BytecodeGenerator::emitEnumeration):
2951         * bytecompiler/BytecodeGenerator.h:
2952         * bytecompiler/NodesCodegen.cpp:
2953         (JSC::ArrayNode::emitBytecode):
2954         (JSC::ForOfNode::emitBytecode):
2955         (JSC::SpreadExpressionNode::emitBytecode):
2956         * parser/ASTBuilder.h:
2957         (JSC::ASTBuilder::createSpreadExpression):
2958         * parser/Lexer.cpp:
2959         (JSC::::lex):
2960         * parser/NodeConstructors.h:
2961         (JSC::SpreadExpressionNode::SpreadExpressionNode):
2962         * parser/Nodes.h:
2963         (JSC::ExpressionNode::isSpreadExpression):
2964         (JSC::SpreadExpressionNode::expression):
2965         * parser/Parser.cpp:
2966         (JSC::::parseArrayLiteral):
2967         (JSC::::parseArguments):
2968         (JSC::::parseMemberExpression):
2969         * parser/Parser.h:
2970         (JSC::Parser::getTokenName):
2971         (JSC::Parser::updateErrorMessageSpecialCase):
2972         * parser/ParserTokens.h:
2973         * parser/SyntaxChecker.h:
2974         (JSC::SyntaxChecker::createSpreadExpression):
2975
2976 2013-10-16  Mark Lam  <mark.lam@apple.com>
2977
2978         Transition void cti_op_tear_off* methods to JIT operations for 32 bit.
2979         https://bugs.webkit.org/show_bug.cgi?id=122899.
2980
2981         Reviewed by Michael Saboff.
2982
2983         * jit/JITOpcodes32_64.cpp:
2984         (JSC::JIT::emit_op_tear_off_activation):
2985         (JSC::JIT::emit_op_tear_off_arguments):
2986         * jit/JITStubs.cpp:
2987         * jit/JITStubs.h:
2988
2989 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
2990
2991         Remove more of the UNINTERRUPTED_SEQUENCE thing
2992         https://bugs.webkit.org/show_bug.cgi?id=122885
2993
2994         Reviewed by Andreas Kling.
2995
2996         It was not completely removed by r157481, leading to build failure for sh4 architecture.
2997
2998         * jit/JIT.h:
2999         * jit/JITInlines.h:
3000
3001 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
3002
3003         Get rid of the StructureStubInfo::patch union
3004         https://bugs.webkit.org/show_bug.cgi?id=122877
3005
3006         Reviewed by Sam Weinig.
3007         
3008         Just simplifying code by getting rid of data structures that ain't used no more.
3009         
3010         Note that I replace the patch union with a patch struct. This means we say things like
3011         stubInfo.patch.valueGPR instead of stubInfo.valueGPR. I think that this extra
3012         encapsulation makes the code more readable: the patch struct contains just those things
3013         that you need to know to perform patching.
3014
3015         * bytecode/StructureStubInfo.h:
3016         * dfg/DFGJITCompiler.cpp:
3017         (JSC::DFG::JITCompiler::link):
3018         * jit/JIT.cpp:
3019         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
3020         * jit/Repatch.cpp:
3021         (JSC::repatchByIdSelfAccess):
3022         (JSC::replaceWithJump):
3023         (JSC::linkRestoreScratch):
3024         (JSC::generateProtoChainAccessStub):
3025         (JSC::tryCacheGetByID):
3026         (JSC::getPolymorphicStructureList):
3027         (JSC::patchJumpToGetByIdStub):
3028         (JSC::tryBuildGetByIDList):
3029         (JSC::emitPutReplaceStub):
3030         (JSC::emitPutTransitionStub):
3031         (JSC::tryCachePutByID):
3032         (JSC::tryBuildPutByIdList):
3033         (JSC::tryRepatchIn):
3034         (JSC::resetGetByID):
3035         (JSC::resetPutByID):
3036         (JSC::resetIn):
3037
3038 2013-10-15  Nadav Rotem  <nrotem@apple.com>
3039
3040         FTL: add support for Int52ToValue and fix putByVal of int52s.
3041         https://bugs.webkit.org/show_bug.cgi?id=122873
3042
3043         Reviewed by Filip Pizlo.
3044
3045         * ftl/FTLCapabilities.cpp:
3046         (JSC::FTL::canCompile):
3047         * ftl/FTLLowerDFGToLLVM.cpp:
3048         (JSC::FTL::LowerDFGToLLVM::compileNode):
3049         (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue):
3050         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
3051
3052 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
3053
3054         Get rid of the UNINTERRUPTED_SEQUENCE thing
3055         https://bugs.webkit.org/show_bug.cgi?id=122876
3056
3057         Reviewed by Mark Hahnenberg.
3058         
3059         It doesn't make sense anymore. We now use the DFG's IC logic, which never needed that.
3060         
3061         Moreover, we should resist the temptation to bring anything like this back. We don't
3062         want to have inline caches that only work if the assembler lays out code in a specific
3063         predetermined way.
3064
3065         * jit/JIT.h:
3066         * jit/JITCall.cpp:
3067         (JSC::JIT::compileOpCall):
3068         * jit/JITCall32_64.cpp:
3069         (JSC::JIT::compileOpCall):
3070
3071 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
3072
3073         Baseline JIT should use the DFG GetById IC
3074         https://bugs.webkit.org/show_bug.cgi?id=122861
3075
3076         Reviewed by Oliver Hunt.
3077         
3078         This mostly just kills a ton of code.
3079         
3080         Note that this doesn't yet do all of the simplifications that can be done, but it does
3081         kill dead code. I'll have another change to simplify StructureStubInfo's unions and such.
3082
3083         * bytecode/CodeBlock.cpp:
3084         (JSC::CodeBlock::resetStubInternal):
3085         * jit/JIT.cpp:
3086         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
3087         * jit/JIT.h:
3088         (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
3089         * jit/JITInlines.h:
3090         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
3091         (JSC::JIT::callOperation):
3092         * jit/JITPropertyAccess.cpp:
3093         (JSC::JIT::compileGetByIdHotPath):
3094         (JSC::JIT::emitSlow_op_get_by_id):
3095         (JSC::JIT::emitSlow_op_get_from_scope):
3096         * jit/JITPropertyAccess32_64.cpp:
3097         (JSC::JIT::compileGetByIdHotPath):
3098         (JSC::JIT::emitSlow_op_get_by_id):
3099         (JSC::JIT::emitSlow_op_get_from_scope):
3100         * jit/JITStubs.cpp:
3101         * jit/JITStubs.h:
3102         * jit/Repatch.cpp:
3103         (JSC::repatchGetByID):
3104         (JSC::buildGetByIDList):
3105         * jit/ThunkGenerators.cpp:
3106         * jit/ThunkGenerators.h:
3107
3108 2013-10-15  Dean Jackson  <dino@apple.com>
3109
3110         Add ENABLE_WEB_ANIMATIONS flag
3111         https://bugs.webkit.org/show_bug.cgi?id=122871
3112
3113         Reviewed by Tim Horton.
3114
3115         Eventually might be http://dev.w3.org/fxtf/web-animations/
3116         but this is just engine-internal work at the moment.
3117
3118         * Configurations/FeatureDefines.xcconfig:
3119
3120 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
3121
3122         [sh4] Some calls don't match sh4 ABI.
3123         https://bugs.webkit.org/show_bug.cgi?id=122863
3124
3125         Reviewed by Michael Saboff.
3126
3127         * dfg/DFGSpeculativeJIT.h:
3128         (JSC::DFG::SpeculativeJIT::callOperation):
3129         * jit/CCallHelpers.h:
3130         (JSC::CCallHelpers::setupArgumentsWithExecState):
3131         * jit/JITInlines.h:
3132         (JSC::JIT::callOperation):
3133
3134 2013-10-15  Daniel Bates  <dabates@apple.com>
3135
3136         [iOS] Upstream JavaScriptCore support for ARM64
3137         https://bugs.webkit.org/show_bug.cgi?id=122762
3138
3139         Reviewed by Oliver Hunt and Filip Pizlo.
3140
3141         * Configurations/Base.xcconfig:
3142         * Configurations/DebugRelease.xcconfig:
3143         * Configurations/JavaScriptCore.xcconfig:
3144         * Configurations/ToolExecutable.xcconfig:
3145         * JavaScriptCore.xcodeproj/project.pbxproj:
3146         * assembler/ARM64Assembler.h: Added.
3147         * assembler/AbstractMacroAssembler.h:
3148         (JSC::isARM64):
3149         (JSC::AbstractMacroAssembler::Label::Label):
3150         (JSC::AbstractMacroAssembler::Jump::Jump):
3151         (JSC::AbstractMacroAssembler::Jump::link):
3152         (JSC::AbstractMacroAssembler::Jump::linkTo):
3153         (JSC::AbstractMacroAssembler::CachedTempRegister::CachedTempRegister):
3154         (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDInvalidate):
3155         (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDNoInvalidate):
3156         (JSC::AbstractMacroAssembler::CachedTempRegister::value):
3157         (JSC::AbstractMacroAssembler::CachedTempRegister::setValue):
3158         (JSC::AbstractMacroAssembler::CachedTempRegister::invalidate):
3159         (JSC::AbstractMacroAssembler::invalidateAllTempRegisters):
3160         (JSC::AbstractMacroAssembler::isTempRegisterValid):
3161         (JSC::AbstractMacroAssembler::clearTempRegisterValid):
3162         (JSC::AbstractMacroAssembler::setTempRegisterValid):
3163         * assembler/LinkBuffer.cpp:
3164         (JSC::LinkBuffer::copyCompactAndLinkCode):
3165         (JSC::LinkBuffer::linkCode):
3166         * assembler/LinkBuffer.h:
3167         * assembler/MacroAssembler.h:
3168         (JSC::MacroAssembler::isPtrAlignedAddressOffset):
3169         (JSC::MacroAssembler::pushToSave):
3170         (JSC::MacroAssembler::popToRestore):
3171         (JSC::MacroAssembler::patchableBranchTest32):
3172         * assembler/MacroAssemblerARM64.h: Added.
3173         * assembler/MacroAssemblerARMv7.h:
3174         * dfg/DFGFixupPhase.cpp:
3175         (JSC::DFG::FixupPhase::fixupNode):
3176         * dfg/DFGOSRExitCompiler32_64.cpp:
3177         (JSC::DFG::OSRExitCompiler::compileExit):
3178         * dfg/DFGOSRExitCompiler64.cpp:
3179         (JSC::DFG::OSRExitCompiler::compileExit):
3180         * dfg/DFGSpeculativeJIT.cpp:
3181         (JSC::DFG::SpeculativeJIT::compileArithDiv):
3182         (JSC::DFG::SpeculativeJIT::compileArithMod):
3183         * disassembler/ARM64/A64DOpcode.cpp: Added.
3184         * disassembler/ARM64/A64DOpcode.h: Added.
3185         * disassembler/ARM64Disassembler.cpp: Added.
3186         * heap/MachineStackMarker.cpp:
3187         (JSC::getPlatformThreadRegisters):
3188         (JSC::otherThreadStackPointer):
3189         * heap/Region.h:
3190         * jit/AssemblyHelpers.h:
3191         (JSC::AssemblyHelpers::debugCall):
3192         * jit/CCallHelpers.h:
3193         * jit/ExecutableAllocator.h:
3194         * jit/FPRInfo.h:
3195         (JSC::FPRInfo::toRegister):
3196         (JSC::FPRInfo::toIndex):
3197         (JSC::FPRInfo::debugName):
3198         * jit/GPRInfo.h:
3199         (JSC::GPRInfo::toRegister):
3200         (JSC::GPRInfo::toIndex):
3201         (JSC::GPRInfo::debugName):
3202         * jit/JITInlines.h:
3203         (JSC::JIT::restoreArgumentReferenceForTrampoline):
3204         * jit/JITOperationWrappers.h:
3205         * jit/JITOperations.cpp:
3206         * jit/JITStubs.cpp:
3207         (JSC::performPlatformSpecificJITAssertions):
3208         (JSC::tryCachePutByID):
3209         * jit/JITStubs.h:
3210         (JSC::JITStackFrame::returnAddressSlot):
3211         * jit/JITStubsARM64.h: Added.
3212         * jit/JSInterfaceJIT.h:
3213         * jit/Repatch.cpp:
3214         (JSC::emitRestoreScratch):
3215         (JSC::generateProtoChainAccessStub):
3216         (JSC::tryCacheGetByID):
3217         (JSC::emitPutReplaceStub):
3218         (JSC::tryCachePutByID):
3219         (JSC::tryRepatchIn):
3220         * jit/ScratchRegisterAllocator.h:
3221         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
3222         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
3223         * jit/ThunkGenerators.cpp:
3224         (JSC::nativeForGenerator):
3225         (JSC::floorThunkGenerator):
3226         (JSC::ceilThunkGenerator):
3227         * jsc.cpp:
3228         (main):
3229         * llint/LLIntOfflineAsmConfig.h:
3230         * llint/LLIntSlowPaths.cpp:
3231         (JSC::LLInt::handleHostCall):
3232         * llint/LowLevelInterpreter.asm:
3233         * llint/LowLevelInterpreter64.asm:
3234         * offlineasm/arm.rb:
3235         * offlineasm/arm64.rb: Added.
3236         * offlineasm/backends.rb:
3237         * offlineasm/instructions.rb:
3238         * offlineasm/risc.rb:
3239         * offlineasm/transform.rb:
3240         * yarr/YarrJIT.cpp:
3241         (JSC::Yarr::YarrGenerator::alignCallFrameSizeInBytes):
3242         (JSC::Yarr::YarrGenerator::initCallFrame):
3243         (JSC::Yarr::YarrGenerator::removeCallFrame):
3244         (JSC::Yarr::YarrGenerator::generateEnter):
3245         * yarr/YarrJIT.h:
3246
3247 2013-10-15  Mark Lam  <mark.lam@apple.com>
3248
3249         Fix 3 operand sub operation in C loop LLINT.
3250         https://bugs.webkit.org/show_bug.cgi?id=122866.
3251
3252         Reviewed by Geoffrey Garen.
3253
3254         * offlineasm/cloop.rb:
3255
3256 2013-10-15  Mark Hahnenberg  <mhahnenberg@apple.com>
3257
3258         ObjCCallbackFunctionImpl shouldn't store a JSContext
3259         https://bugs.webkit.org/show_bug.cgi?id=122531
3260
3261         Reviewed by Geoffrey Garen.
3262
3263         The m_context field in ObjCCallbackFunctionImpl is vestigial and is only incidentally correct 
3264         in the common case. It's also no longer necessary in that we can look up the current JSContext 
3265         by using the globalObject of the callee when the function callback is invoked.
3266  
3267         Also added a new test that would cause us to crash previously. The test required making 
3268         JSContextGetGlobalContext public API so that clients can obtain a JSContext from the JSContextRef
3269         in C API callbacks.
3270
3271         * API/JSContextRef.h:
3272         * API/JSContextRefPrivate.h:
3273         * API/ObjCCallbackFunction.mm:
3274         (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
3275         (JSC::objCCallbackFunctionCallAsFunction):
3276         (objCCallbackFunctionForInvocation):
3277         * API/WebKitAvailability.h:
3278         * API/tests/CurrentThisInsideBlockGetterTest.h: Added.
3279         * API/tests/CurrentThisInsideBlockGetterTest.mm: Added.
3280         (CallAsConstructor):
3281         (ConstructorFinalize):
3282         (ConstructorClass):
3283         (+[JSValue valueWithConstructorDescriptor:inContext:]):
3284         (-[JSContext valueWithConstructorDescriptor:]):
3285         (currentThisInsideBlockGetterTest):
3286         * API/tests/testapi.mm:
3287         * JavaScriptCore.xcodeproj/project.pbxproj:
3288         * debugger/Debugger.cpp: Had to add some fully qualified names to avoid conflicts with Mac OS X headers.
3289
3290 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
3291
3292         Fix build after r157457 for architectures with 4 argument registers.
3293         https://bugs.webkit.org/show_bug.cgi?id=122860
3294
3295         Reviewed by Michael Saboff.
3296
3297         * jit/CCallHelpers.h:
3298         (JSC::CCallHelpers::setupStubArguments134):
3299
3300 2013-10-14  Michael Saboff  <msaboff@apple.com>
3301
3302         transition void cti_op_* methods to JIT operations.
3303         https://bugs.webkit.org/show_bug.cgi?id=122617
3304
3305         Reviewed by Geoffrey Garen.
3306
3307         Converted the following stubs to JIT operations:
3308             cti_handle_watchdog_timer
3309             cti_op_debug
3310             cti_op_pop_scope
3311             cti_op_profile_did_call
3312             cti_op_profile_will_call
3313             cti_op_put_by_index
3314             cti_op_put_getter_setter
3315             cti_op_tear_off_activation
3316             cti_op_tear_off_arguments
3317             cti_op_throw_static_error
3318             cti_optimize
3319
3320         * dfg/DFGOperations.cpp:
3321         * dfg/DFGOperations.h:
3322         * jit/CCallHelpers.h:
3323         (JSC::CCallHelpers::setupArgumentsWithExecState):
3324         (JSC::CCallHelpers::setupThreeStubArgsGPR):
3325         (JSC::CCallHelpers::setupStubArguments):
3326         (JSC::CCallHelpers::setupStubArguments134):
3327         * jit/JIT.cpp:
3328         (JSC::JIT::emitEnterOptimizationCheck):
3329         * jit/JIT.h:
3330         * jit/JITInlines.h:
3331         (JSC::JIT::callOperation):
3332         * jit/JITOpcodes.cpp:
3333         (JSC::JIT::emit_op_tear_off_activation):
3334         (JSC::JIT::emit_op_tear_off_arguments):
3335         (JSC::JIT::emit_op_push_with_scope):
3336         (JSC::JIT::emit_op_pop_scope):
3337         (JSC::JIT::emit_op_push_name_scope):
3338         (JSC::JIT::emit_op_throw_static_error):
3339         (JSC::JIT::emit_op_debug):
3340         (JSC::JIT::emit_op_profile_will_call):
3341         (JSC::JIT::emit_op_profile_did_call):
3342         (JSC::JIT::emitSlow_op_loop_hint):
3343         * jit/JITOpcodes32_64.cpp:
3344         (JSC::JIT::emit_op_push_with_scope):
3345         (JSC::JIT::emit_op_pop_scope):
3346         (JSC::JIT::emit_op_push_name_scope):
3347         (JSC::JIT::emit_op_throw_static_error):
3348         (JSC::JIT::emit_op_debug):
3349         (JSC::JIT::emit_op_profile_will_call):
3350         (JSC::JIT::emit_op_profile_did_call):
3351         * jit/JITOperations.cpp:
3352         * jit/JITOperations.h:
3353         * jit/JITPropertyAccess.cpp:
3354         (JSC::JIT::emit_op_put_by_index):
3355         (JSC::JIT::emit_op_put_getter_setter):
3356         * jit/JITPropertyAccess32_64.cpp:
3357         (JSC::JIT::emit_op_put_by_index):
3358         (JSC::JIT::emit_op_put_getter_setter):
3359         * jit/JITStubs.cpp:
3360         * jit/JITStubs.h:
3361
3362 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
3363
3364         [sh4] Introduce const pools in LLINT.
3365         https://bugs.webkit.org/show_bug.cgi?id=122746
3366
3367         Reviewed by Michael Saboff.
3368
3369         In the current implementation of LLINT for sh4, immediate values outside range -128..127 are
3370         loaded this way:
3371
3372             mov.l .label, rx
3373             bra out
3374             nop
3375             .balign 4
3376             .label: .long immvalue
3377             out:
3378
3379         This change introduces const pools for sh4 implementation to avoid lots of useless branches
3380         and reduce code size. It also removes lines of dirty code, like jmpf and callf.
3381
3382         * offlineasm/instructions.rb: Remove jmpf and callf sh4 specific instructions.
3383         * offlineasm/sh4.rb:
3384
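The entry above contrasts the inline-literal sequence with a const pool. The following is an added illustration written for this page, not the offlineasm sh4 backend from the commit: a small emitter that produces both shapes for the same list of loads, so the branch and code-size saving can be counted. The `Load` struct, the label names (`.Llit`, `.Lskip`, `.Lpool`) and the sample values are assumptions; the mnemonics are those quoted in the entry.

```cpp
// Added illustration, not the offlineasm sh4 backend: models the two ways of
// loading an immediate that does not fit sh4's 8-bit signed "mov #imm, rn"
// form: the inline-literal-plus-branch sequence quoted in the entry, and a
// const pool that is emitted once. Label names are assumptions.
#include <cstddef>
#include <cstdint>
#include <map>
#include <string>
#include <vector>

struct Load {
    int32_t value;      // immediate to materialise
    std::string reg;    // destination register, e.g. "r0"
};

static bool fitsInImm8(int32_t v) { return v >= -128 && v <= 127; }

// Old scheme: every out-of-range load carries its own literal and a branch
// around it (the six-line sequence shown in the entry).
std::vector<std::string> emitInlineLiterals(const std::vector<Load>& loads) {
    std::vector<std::string> out;
    unsigned n = 0;
    for (const Load& l : loads) {
        if (fitsInImm8(l.value)) {
            out.push_back("mov #" + std::to_string(l.value) + ", " + l.reg);
            continue;
        }
        std::string lit = ".Llit" + std::to_string(n);
        std::string skip = ".Lskip" + std::to_string(n);
        out.push_back("mov.l " + lit + ", " + l.reg);
        out.push_back("bra " + skip);
        out.push_back("nop");                      // delay slot
        out.push_back(".balign 4");
        out.push_back(lit + ": .long " + std::to_string(l.value));
        out.push_back(skip + ":");
        ++n;
    }
    return out;
}

// Const-pool scheme: out-of-range values are collected (deduplicated) and
// referenced PC-relative; the pool itself is emitted once at a flush point.
// A real backend must flush before the PC-relative displacement limit is
// exceeded and must place the pool where it cannot be executed (after an
// unconditional jump); both concerns are left out here.
class ConstPoolEmitter {
public:
    void load(const Load& l) {
        if (fitsInImm8(l.value)) {
            m_out.push_back("mov #" + std::to_string(l.value) + ", " + l.reg);
            return;
        }
        auto it = m_pool.find(l.value);
        if (it == m_pool.end()) {
            std::string label = ".Lpool" + std::to_string(m_nextLabel++);
            it = m_pool.emplace(l.value, label).first;
            m_order.push_back(l.value);
        }
        m_out.push_back("mov.l " + it->second + ", " + l.reg);
    }
    // Emit the pool collected so far and start a fresh one.
    void flush() {
        if (m_pool.empty())
            return;
        m_out.push_back(".balign 4");
        for (int32_t v : m_order)
            m_out.push_back(m_pool[v] + ": .long " + std::to_string(v));
        m_pool.clear();
        m_order.clear();
    }
    const std::vector<std::string>& lines() const { return m_out; }
private:
    std::vector<std::string> m_out;
    std::map<int32_t, std::string> m_pool;   // value -> pool label
    std::vector<int32_t> m_order;            // pool entries in first-use order
    unsigned m_nextLabel = 0;
};

std::vector<std::string> emitWithConstPool(const std::vector<Load>& loads) {
    ConstPoolEmitter e;
    for (const Load& l : loads)
        e.load(l);
    e.flush();
    return e.lines();
}

// Number of branch instructions in an emitted sequence.
size_t branchCount(const std::vector<std::string>& lines) {
    size_t n = 0;
    for (const std::string& s : lines)
        if (s.compare(0, 4, "bra ") == 0)
            ++n;
    return n;
}

// Constructed sample: one in-range value, one repeated out-of-range value,
// one negative out-of-range value.
std::vector<Load> sampleLoads() {
    return { {42, "r0"}, {0x12345678, "r1"}, {0x12345678, "r2"}, {-200, "r3"} };
}
```

For the sample the inline scheme emits 19 lines with three branches, the pool scheme emits 7 lines with none, and the repeated constant is stored once.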
3385 2013-10-15  Mark Lam  <mark.lam@apple.com>
3386
3387         Fix broken C Loop LLINT build.
3388         https://bugs.webkit.org/show_bug.cgi?id=122839.
3389
3390         Reviewed by Michael Saboff.
3391
3392         * dfg/DFGFlushedAt.cpp:
3393         * jit/JITOperations.h:
3394
3395 2013-10-14  Mark Lam  <mark.lam@apple.com>
3396
3397         Transition *switch* and *scope* JITStubs to JIT operations.
3398         https://bugs.webkit.org/show_bug.cgi?id=122757.
3399
3400         Reviewed by Geoffrey Garen.
3401
3402         Transitioning:
3403             cti_op_switch_char
3404             cti_op_switch_imm
3405             cti_op_switch_string
3406             cti_op_resolve_scope
3407             cti_op_get_from_scope
3408             cti_op_put_to_scope
3409
3410         * jit/JIT.h:
3411         * jit/JITInlines.h:
3412         (JSC::JIT::callOperation):
3413         * jit/JITOpcodes.cpp:
3414         (JSC::JIT::emit_op_switch_imm):
3415         (JSC::JIT::emit_op_switch_char):
3416         (JSC::JIT::emit_op_switch_string):
3417         * jit/JITOpcodes32_64.cpp:
3418         (JSC::JIT::emit_op_switch_imm):
3419         (JSC::JIT::emit_op_switch_char):
3420         (JSC::JIT::emit_op_switch_string):
3421         * jit/JITOperations.cpp:
3422         * jit/JITOperations.h:
3423         * jit/JITPropertyAccess.cpp:
3424         (JSC::JIT::emitSlow_op_resolve_scope):
3425         (JSC::JIT::emitSlow_op_get_from_scope):
3426         (JSC::JIT::emitSlow_op_put_to_scope):
3427         * jit/JITPropertyAccess32_64.cpp:
3428         (JSC::JIT::emitSlow_op_resolve_scope):
3429         (JSC::JIT::emitSlow_op_get_from_scope):
3430         (JSC::JIT::emitSlow_op_put_to_scope):
3431         * jit/JITStubs.cpp:
3432         * jit/JITStubs.h:
3433
3434 2013-10-14  Filip Pizlo  <fpizlo@apple.com>
3435
3436         DFG PutById IC should use the ConcurrentJITLocker since it's now dealing with IC's that get read by the compiler thread
3437         https://bugs.webkit.org/show_bug.cgi?id=122786
3438
3439         Reviewed by Mark Hahnenberg.
3440
3441         * bytecode/CodeBlock.cpp:
3442         (JSC::CodeBlock::resetStub): Resetting a stub should acquire the lock since this is observable from the thread; but we should only acquire the lock if we're resetting outside of GC.
3443         * jit/Repatch.cpp:
3444         (JSC::repatchPutByID): Doing the PutById patching should hold the lock.
3445         (JSC::buildPutByIdList): Ditto.
3446
3447 2013-10-14  Nadav Rotem  <nrotem@apple.com>
3448
3449         Add FTL support for LogicalNot(string)
3450         https://bugs.webkit.org/show_bug.cgi?id=122765
3451
3452         Reviewed by Filip Pizlo.
3453
3454         This patch is tested by:
3455         regress/script-tests/emscripten-cube2hash.js.ftl-eager
3456
3457         * ftl/FTLCapabilities.cpp:
3458         (JSC::FTL::canCompile):
3459         * ftl/FTLLowerDFGToLLVM.cpp:
3460         (JSC::FTL::LowerDFGToLLVM::compileLogicalNot):
3461
3462 2013-10-14  Julien Brianceau  <jbriance@cisco.com>
3463
3464         [sh4] Fixes after r157404 and r157411.
3465         https://bugs.webkit.org/show_bug.cgi?id=122782
3466
3467         Reviewed by Michael Saboff.
3468
3469         * dfg/DFGSpeculativeJIT.h:
3470         (JSC::DFG::SpeculativeJIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG.
3471         * jit/CCallHelpers.h:
3472         (JSC::CCallHelpers::setupArgumentsWithExecState):
3473         * jit/JITInlines.h:
3474         (JSC::JIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG.
3475         * jit/JITPropertyAccess32_64.cpp:
3476         (JSC::JIT::emit_op_put_by_id): Remove unwanted BEGIN_UNINTERRUPTED_SEQUENCE.
3477
3478 2013-10-14  Commit Queue  <commit-queue@webkit.org>
3479
3480         Unreviewed, rolling out r157413.
3481         http://trac.webkit.org/changeset/157413
3482         https://bugs.webkit.org/show_bug.cgi?id=122779
3483
3484         Appears to have caused frequent crashes (Requested by ap on
3485         #webkit).
3486
3487         * CMakeLists.txt:
3488         * GNUmakefile.list.am:
3489         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3490         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3491         * JavaScriptCore.xcodeproj/project.pbxproj:
3492         * heap/DeferGC.cpp: Removed.
3493         * heap/DeferGC.h:
3494         * jit/JITStubs.cpp:
3495         (JSC::tryCacheGetByID):
3496         (JSC::DEFINE_STUB_FUNCTION):
3497         * llint/LLIntSlowPaths.cpp:
3498         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3499         * runtime/ConcurrentJITLock.h:
3500         * runtime/InitializeThreading.cpp:
3501         (JSC::initializeThreadingOnce):
3502         * runtime/JSCellInlines.h:
3503         (JSC::allocateCell):
3504         * runtime/Structure.cpp:
3505         (JSC::Structure::materializePropertyMap):
3506         (JSC::Structure::putSpecificValue):
3507         (JSC::Structure::createPropertyMap):
3508         * runtime/Structure.h:
3509
3510 2013-10-14  Mark Hahnenberg  <mhahnenberg@apple.com>
3511
3512         COLLECT_ON_EVERY_ALLOCATION causes assertion failures
3513         https://bugs.webkit.org/show_bug.cgi?id=122652
3514
3515         Reviewed by Filip Pizlo.
3516
3517         COLLECT_ON_EVERY_ALLOCATION wasn't accounting for the new GC deferral mechanism,
3518         so we would end up ASSERTing during garbage collection.
3519
3520         * heap/MarkedAllocator.cpp:
3521         (JSC::MarkedAllocator::allocateSlowCase):
3522
3523 2013-10-11  Oliver Hunt  <oliver@apple.com>
3524
3525         Separate out array iteration intrinsics
3526         https://bugs.webkit.org/show_bug.cgi?id=122656
3527
3528         Reviewed by Michael Saboff.
3529
3530         Separate out the intrinsics for key and values iteration
3531         of arrays.
3532
3533         This requires moving array iteration into the iterator
3534         instance, rather than the prototype, but this is essentially
3535         unobservable so we'll live with it for now.
3536
3537         * jit/ThunkGenerators.cpp:
3538         (JSC::arrayIteratorNextThunkGenerator):
3539         (JSC::arrayIteratorNextKeyThunkGenerator):
3540         (JSC::arrayIteratorNextValueThunkGenerator):
3541         * jit/ThunkGenerators.h:
3542         * runtime/ArrayIteratorPrototype.cpp:
3543         (JSC::ArrayIteratorPrototype::finishCreation):
3544         * runtime/Intrinsic.h:
3545         * runtime/JSArrayIterator.cpp:
3546         (JSC::JSArrayIterator::finishCreation):
3547         (JSC::createIteratorResult):
3548         (JSC::arrayIteratorNext):
3549         (JSC::arrayIteratorNextKey):
3550         (JSC::arrayIteratorNextValue):
3551         (JSC::arrayIteratorNextGeneric):
3552         * runtime/VM.cpp:
3553         (JSC::thunkGeneratorForIntrinsic):
3554
3555 2013-10-11  Mark Hahnenberg  <mhahnenberg@apple.com>
3556
3557         llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
3558         https://bugs.webkit.org/show_bug.cgi?id=122667
3559
3560         Reviewed by Filip Pizlo.
3561
3562         The issue this patch is attempting to fix is that there are places in our codebase
3563         where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
3564         operations that can initiate a garbage collection. Garbage collection then calls 
3565         some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
3566         always necessarily run during garbage collection). This causes a deadlock.
3567
3568         To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores 
3569         into a thread-local field that indicates that it is unsafe to perform any operation 
3570         that could trigger garbage collection on the current thread. In debug builds, 
3571         ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly 
3572         detect deadlocks.
3573
3574         This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
3575         which uses the DeferGC mechanism to prevent collections from occurring while the 
3576         lock is held.
3577
3578         * CMakeLists.txt:
3579         * GNUmakefile.list.am:
3580         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3581         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3582         * JavaScriptCore.xcodeproj/project.pbxproj:
3583         * heap/DeferGC.cpp: Added.
3584         * heap/DeferGC.h:
3585         (JSC::DisallowGC::DisallowGC):
3586         (JSC::DisallowGC::~DisallowGC):
3587         (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
3588         (JSC::DisallowGC::initialize):
3589         * jit/JITStubs.cpp:
3590         (JSC::tryCachePutByID):
3591         (JSC::tryCacheGetByID):
3592         (JSC::DEFINE_STUB_FUNCTION):
3593         * llint/LLIntSlowPaths.cpp:
3594         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3595         * runtime/ConcurrentJITLock.h:
3596         (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
3597         (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
3598         (JSC::ConcurrentJITLockerBase::unlockEarly):
3599         (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
3600         (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
3601         * runtime/InitializeThreading.cpp:
3602         (JSC::initializeThreadingOnce):
3603         * runtime/JSCellInlines.h:
3604         (JSC::allocateCell):
3605         * runtime/Structure.cpp:
3606         (JSC::Structure::materializePropertyMap):
3607         (JSC::Structure::putSpecificValue):
3608         (JSC::Structure::createPropertyMap):
3609         * runtime/Structure.h:
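
        The DisallowGC / DeferGC interplay described in this entry, as an added
        example that is not JavaScriptCore's own code. Class and function names
        (Heap, allocateCell, the two locker types) are assumed stand-ins; the real
        allocateCell ASSERTs in a debug build, whereas this sketch returns false so
        the behaviour can be checked. The point is that the plain locker turns a
        latent "allocate while the GC may stop this thread" deadlock into an eager
        failure, while the GC-safe locker only postpones the collection:

```cpp
#include <cstddef>
#include <cstdio>

// Added example (not JSC code). Names below are assumptions for illustration.
namespace example {

// Per-thread state, like JSC's thread-local DisallowGC field.
thread_local int g_gcDisallowDepth = 0; // >0: allocating on this thread is a bug
thread_local int g_gcDeferDepth = 0;    // >0: collections are postponed, not forbidden

struct Heap {
    std::size_t bytesAllocated = 0;
    std::size_t collections = 0;
    std::size_t deferredCollections = 0;
    std::size_t threshold = 1024; // collect once this many bytes are live
};

// RAII: while alive, any allocation on this thread is an error.
class DisallowGC {
public:
    DisallowGC() { ++g_gcDisallowDepth; }
    ~DisallowGC() { --g_gcDisallowDepth; }
    static bool isGCDisallowedOnCurrentThread() { return g_gcDisallowDepth > 0; }
};

// RAII: a collection that becomes due while alive runs when the outermost
// DeferGC is destroyed, i.e. after the critical section that held it.
class DeferGC {
public:
    explicit DeferGC(Heap& heap) : m_heap(heap) { ++g_gcDeferDepth; }
    ~DeferGC() {
        if (--g_gcDeferDepth == 0 && m_heap.deferredCollections) {
            m_heap.deferredCollections = 0;
            collectNow(m_heap);
        }
    }
    static void collectNow(Heap& heap) { ++heap.collections; heap.bytesAllocated = 0; }
private:
    Heap& m_heap;
};

// Stand-in for the concurrent JIT lock (the mutex itself is omitted). A debug
// build embeds DisallowGC so a GC-triggering allocation under the lock is
// detected at the allocation site instead of hanging at a safepoint.
class ConcurrentJITLocker {
private:
    DisallowGC m_disallowGC;
};

// GC-safe variant: uses DeferGC, so allocation is allowed and the collection
// is simply held back until the lock is released.
class GCSafeConcurrentJITLocker {
public:
    explicit GCSafeConcurrentJITLocker(Heap& heap) : m_deferGC(heap) {}
private:
    DeferGC m_deferGC;
};

// Allocation point: refuses (JSC: asserts) when GC is disallowed on this thread.
bool allocateCell(Heap& heap, std::size_t bytes) {
    if (DisallowGC::isGCDisallowedOnCurrentThread())
        return false; // caught eagerly
    heap.bytesAllocated += bytes;
    if (heap.bytesAllocated >= heap.threshold) {
        if (g_gcDeferDepth > 0)
            ++heap.deferredCollections; // due, but postponed
        else
            DeferGC::collectNow(heap);
    }
    return true;
}

// Scenario 1: allocation under the plain locker is refused.
bool allocateUnderPlainLocker(Heap& heap) {
    ConcurrentJITLocker locker;
    return allocateCell(heap, 64);
}

// Scenario 2: allocation under the GC-safe locker succeeds, and the collection
// that becomes due inside the critical section runs only after it ends.
// Returns the number of collections observed while the lock was still held.
std::size_t allocateUnderGCSafeLocker(Heap& heap) {
    GCSafeConcurrentJITLocker locker(heap);
    for (int i = 0; i < 20; ++i) {
        if (!allocateCell(heap, 100)) // 20 * 100 crosses the 1024-byte threshold
            return static_cast<std::size_t>(-1); // would be a bug in the locker
    }
    return heap.collections; // still 0: the collection is deferred
}

} // namespace example

int main() {
    example::Heap plain, safe;
    std::printf("plain locker allocation allowed: %d\n", example::allocateUnderPlainLocker(plain));
    std::size_t during = example::allocateUnderGCSafeLocker(safe);
    std::printf("collections during GC-safe section: %zu, after: %zu\n", during, safe.collections);
    return 0;
}
```

        The thread-local depth counters let the guards nest, which matters because
        the locker may be taken on a path that is already inside a DeferGC; the
        single deferred collection at the end is what keeps the section GC-safe
        without losing the collection entirely.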
3610
3611 2013-10-14  Filip Pizlo  <fpizlo@apple.com>
3612
3613         Baseline JIT should use the DFG's PutById IC
3614         https://bugs.webkit.org/show_bug.cgi?id=122704
3615
3616         Reviewed by Mark Hahnenberg.
3617         
3618         Mostly no big deal, just removing the old Baseline JIT's put_by_id IC support and forcing
3619         that JIT to use the DFG's (i.e. JITOperations) PutById IC.
3620         
3621         The only complicated part was that the PutById operations assumed that we first did a
3622         cell speculation, which the baseline JIT obviously won't do. So I changed all of those
3623         slow paths to deal with EncodedJSValue's.
3624
3625         * bytecode/CodeBlock.cpp:
3626         (JSC::CodeBlock::resetStubInternal):
3627         * bytecode/PutByIdStatus.cpp:
3628         (JSC::PutByIdStatus::computeFor):
3629         * dfg/DFGSpeculativeJIT.h:
3630         (JSC::DFG::SpeculativeJIT::callOperation):
3631         * dfg/DFGSpeculativeJIT32_64.cpp:
3632         (JSC::DFG::SpeculativeJIT::cachedPutById):
3633         * dfg/DFGSpeculativeJIT64.cpp:
3634         (JSC::DFG::SpeculativeJIT::cachedPutById):
3635         * jit/CCallHelpers.h:
3636         (JSC::CCallHelpers::setupArgumentsWithExecState):
3637         * jit/JIT.cpp:
3638         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
3639         * jit/JIT.h:
3640         (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
3641         (JSC::PropertyStubCompilationInfo::slowCaseInfo):
3642         * jit/JITInlines.h:
3643         (JSC::JIT::callOperation):
3644         * jit/JITOperationWrappers.h:
3645         * jit/JITOperations.cpp:
3646         * jit/JITOperations.h:
3647         * jit/JITPropertyAccess.cpp:
3648         (JSC::JIT::compileGetByIdHotPath):
3649         (JSC::JIT::compileGetByIdSlowCase):
3650         (JSC::JIT::emit_op_put_by_id):
3651         (JSC::JIT::emitSlow_op_put_by_id):
3652         * jit/JITPropertyAccess32_64.cpp:
3653         (JSC::JIT::compileGetByIdSlowCase):
3654         (JSC::JIT::emit_op_put_by_id):
3655         (JSC::JIT::emitSlow_op_put_by_id):
3656         * jit/JITStubs.cpp:
3657         * jit/JITStubs.h:
3658         * jit/Repatch.cpp:
3659         (JSC::appropriateGenericPutByIdFunction):
3660         (JSC::appropriateListBuildingPutByIdFunction):
3661         (JSC::resetPutByID):
3662
3663 2013-10-13  Filip Pizlo  <fpizlo@apple.com>
3664
3665         FTL should have an inefficient but correct implementation of GetById
3666         https://bugs.webkit.org/show_bug.cgi?id=122740
3667
3668         Reviewed by Mark Hahnenberg.
3669         
3670         It took some effort to realize that the node->prediction() check in the DFG backends
3671         is completely unnecessary since the ByteCodeParser will always insert a ForceOSRExit
3672         if !prediction.
3673         
3674         But other than that this was an easy patch.
3675
3676         * dfg/DFGByteCodeParser.cpp:
3677         (JSC::DFG::ByteCodeParser::handleGetById):
3678         * dfg/DFGSpeculativeJIT32_64.cpp:
3679         (JSC::DFG::SpeculativeJIT::compile):
3680         * dfg/DFGSpeculativeJIT64.cpp:
3681         (JSC::DFG::SpeculativeJIT::compile):
3682         * ftl/FTLCapabilities.cpp:
3683         (JSC::FTL::canCompile):
3684         * ftl/FTLIntrinsicRepository.h:
3685         * ftl/FTLLowerDFGToLLVM.cpp:
3686         (JSC::FTL::LowerDFGToLLVM::compileNode):
3687         (JSC::FTL::LowerDFGToLLVM::compileGetById):
3688
3689 2013-10-13  Mark Lam  <mark.lam@apple.com>
3690
3691         Transition misc cti_op_* JITStubs to JIT operations.
3692         https://bugs.webkit.org/show_bug.cgi?id=122645.
3693
3694         Reviewed by Michael Saboff.
3695
3696         Stubs converted:
3697             cti_op_check_has_instance
3698             cti_op_create_arguments
3699             cti_op_del_by_id
3700             cti_op_instanceof
3701             cti_to_object
3702             cti_op_push_activation
3703             cti_op_get_pnames
3704             cti_op_load_varargs
3705
3706         * dfg/DFGOperations.cpp:
3707         * dfg/DFGOperations.h:
3708         * jit/CCallHelpers.h:
3709         (JSC::CCallHelpers::setupArgumentsWithExecState):
3710         * jit/JIT.h:
3711         (JSC::JIT::emitStoreCell):
3712         * jit/JITCall.cpp:
3713         (JSC::JIT::compileLoadVarargs):
3714         * jit/JITCall32_64.cpp:
3715         (JSC::JIT::compileLoadVarargs):
3716         * jit/JITInlines.h:
3717         (JSC::JIT::callOperation):
3718         * jit/JITOpcodes.cpp:
3719         (JSC::JIT::emit_op_get_pnames):
3720         (JSC::JIT::emit_op_create_activation):
3721         (JSC::JIT::emit_op_create_arguments):
3722         (JSC::JIT::emitSlow_op_check_has_instance):
3723         (JSC::JIT::emitSlow_op_instanceof):
3724         (JSC::JIT::emitSlow_op_get_argument_by_val):
3725         * jit/JITOpcodes32_64.cpp:
3726         (JSC::JIT::emitSlow_op_check_has_instance):
3727         (JSC::JIT::emitSlow_op_instanceof):
3728         (JSC::JIT::emit_op_get_pnames):
3729         (JSC::JIT::emit_op_create_activation):
3730         (JSC::JIT::emit_op_create_arguments):
3731         (JSC::JIT::emitSlow_op_get_argument_by_val):
3732         * jit/JITOperations.cpp:
3733         * jit/JITOperations.h:
3734         * jit/JITPropertyAccess.cpp:
3735         (JSC::JIT::emit_op_del_by_id):
3736         * jit/JITPropertyAccess32_64.cpp:
3737         (JSC::JIT::emit_op_del_by_id):
3738         * jit/JITStubs.cpp:
3739         * jit/JITStubs.h:
3740
3741 2013-10-13  Filip Pizlo  <fpizlo@apple.com>
3742
3743         FTL OSR exit should perform zero extension on values smaller than 64-bit
3744         https://bugs.webkit.org/show_bug.cgi?id=122688
3745
3746         Reviewed by Gavin Barraclough.
3747         
3748         In the DFG we usually make the simplistic assumption that a 32-bit value in a 64-bit
3749         register will have zeros on the high bits.  In the few cases where the high bits are
3750         non-zero, the DFG sort of tells us this explicitly.
3751
3752         But when working with llvm.webkit.stackmap, it doesn't work that way.  Consider that we might
3753         emit LLVM IR like:
3754
3755             %2 = trunc i64 %1 to i32
3756             stuff %2
3757             call @llvm.webkit.stackmap(...., %2)
3758
3759         LLVM may never actually emit a truncation instruction of any kind.  And that's great - in
3760         many cases it won't be needed, like if 'stuff %2' is a 32-bit op that ignores the high
3761         bits anyway.  Hence LLVM may tell us that %2 is in the register that still had the value
3762         from before truncation, and that register may have garbage in the high bits.
3763
3764         This means that on our end, if we want a 32-bit value and we want that value to be
3765         zero-extended, we should zero-extend it ourselves.  This is pretty easy and should be
3766         cheap, so we should just do it and not make it a requirement that LLVM does it on its
3767         end.
3768         
3769         This makes all tests pass with JSC_ftlOSRExitUsesStackmap=true.
3770
3771         * ftl/FTLOSRExitCompiler.cpp:
3772         (JSC::FTL::compileStubWithOSRExitStackmap):
3773         * ftl/FTLValueFormat.cpp:
3774         (JSC::FTL::reboxAccordingToFormat):
3775
3776 == Rolled over to ChangeLog-2013-10-13 ==