FTL::Location should treat the offset as an addend in the case of a Register location
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
2
3         FTL::Location should treat the offset as an addend in the case of a Register location
4         https://bugs.webkit.org/show_bug.cgi?id=123062
5
6         Reviewed by Sam Weinig.
7
8         * ftl/FTLLocation.cpp:
9         (JSC::FTL::Location::forStackmaps):
10         (JSC::FTL::Location::dump):
11         (JSC::FTL::Location::restoreInto):
12         * ftl/FTLLocation.h:
13         (JSC::FTL::Location::forRegister):
14         (JSC::FTL::Location::hasAddend):
15         (JSC::FTL::Location::addend):
16
17 2013-10-19  Nadav Rotem  <nrotem@apple.com>
18
19         DFG dominators: document and rename stuff.
20         https://bugs.webkit.org/show_bug.cgi?id=123056
21
22         Reviewed by Filip Pizlo.
23
24         Documented the code and renamed some variables.
25
26         * dfg/DFGDominators.cpp:
27         (JSC::DFG::Dominators::compute):
28         (JSC::DFG::Dominators::pruneDominators):
29         * dfg/DFGDominators.h:
30
31 2013-10-19  Julien Brianceau  <jbriance@cisco.com>
32
33         Fix build failure for architectures with 4 argument registers.
34         https://bugs.webkit.org/show_bug.cgi?id=123060
35
36         Reviewed by Michael Saboff.
37
38         Add missing setupArgumentsWithExecState() prototypes for architectures with 4 argument registers.
39         Remove SH4 specific code no longer needed since callOperation prototype change in r157660.
40
41         * dfg/DFGSpeculativeJIT.h:
42         (JSC::DFG::SpeculativeJIT::callOperation):
43         * jit/CCallHelpers.h:
44         (JSC::CCallHelpers::setupArgumentsWithExecState):
45         * jit/JITInlines.h:
46         (JSC::JIT::callOperation):
47
48 2013-10-18  Filip Pizlo  <fpizlo@apple.com>
49
50         Unreviewed, fix FTL build.
51
52         * ftl/FTLIntrinsicRepository.h:
53         * ftl/FTLLowerDFGToLLVM.cpp:
54         (JSC::FTL::LowerDFGToLLVM::compileGetById):
55
56 2013-10-18  Filip Pizlo  <fpizlo@apple.com>
57
58         A CodeBlock's StructureStubInfos shouldn't be in a Vector that we search using code origins and machine code PCs
59         https://bugs.webkit.org/show_bug.cgi?id=122940
60
61         Reviewed by Oliver Hunt.
62         
63         This accomplishes a number of simplifications. StructureStubInfo is now non-moving,
64         whereas previously it was in a Vector, so it moved. This allows you to use pointers to
65         StructureStubInfo. This also eliminates the use of return PC as a way of finding the
66         StructureStubInfo's. It removes some of the need for the compile-time property access
67         records; for example the DFG no longer has to save information about registers in a
68         property access record only to later save it to the stub info.
69         
70         The main thing this accomplishes is that it makes it easier to add StructureStubInfo's
71         at any stage of compilation.
72
73         * bytecode/CodeBlock.cpp:
74         (JSC::CodeBlock::printGetByIdCacheStatus):
75         (JSC::CodeBlock::dumpBytecode):
76         (JSC::CodeBlock::~CodeBlock):
77         (JSC::CodeBlock::propagateTransitions):
78         (JSC::CodeBlock::finalizeUnconditionally):
79         (JSC::CodeBlock::addStubInfo):
80         (JSC::CodeBlock::getStubInfoMap):
81         (JSC::CodeBlock::shrinkToFit):
82         * bytecode/CodeBlock.h:
83         (JSC::CodeBlock::begin):
84         (JSC::CodeBlock::end):
85         (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
86         * bytecode/CodeOrigin.h:
87         (JSC::CodeOrigin::CodeOrigin):
88         (JSC::CodeOrigin::isHashTableDeletedValue):
89         (JSC::CodeOrigin::hash):
90         (JSC::CodeOriginHash::hash):
91         (JSC::CodeOriginHash::equal):
92         * bytecode/GetByIdStatus.cpp:
93         (JSC::GetByIdStatus::computeFor):
94         * bytecode/GetByIdStatus.h:
95         * bytecode/PutByIdStatus.cpp:
96         (JSC::PutByIdStatus::computeFor):
97         * bytecode/PutByIdStatus.h:
98         * bytecode/StructureStubInfo.h:
99         (JSC::getStructureStubInfoCodeOrigin):
100         * dfg/DFGByteCodeParser.cpp:
101         (JSC::DFG::ByteCodeParser::parseBlock):
102         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
103         * dfg/DFGJITCompiler.cpp:
104         (JSC::DFG::JITCompiler::link):
105         * dfg/DFGJITCompiler.h:
106         (JSC::DFG::PropertyAccessRecord::PropertyAccessRecord):
107         (JSC::DFG::InRecord::InRecord):
108         * dfg/DFGSpeculativeJIT.cpp:
109         (JSC::DFG::SpeculativeJIT::compileIn):
110         * dfg/DFGSpeculativeJIT.h:
111         (JSC::DFG::SpeculativeJIT::callOperation):
112         * dfg/DFGSpeculativeJIT32_64.cpp:
113         (JSC::DFG::SpeculativeJIT::cachedGetById):
114         (JSC::DFG::SpeculativeJIT::cachedPutById):
115         * dfg/DFGSpeculativeJIT64.cpp:
116         (JSC::DFG::SpeculativeJIT::cachedGetById):
117         (JSC::DFG::SpeculativeJIT::cachedPutById):
118         * jit/CCallHelpers.h:
119         (JSC::CCallHelpers::setupArgumentsWithExecState):
120         * jit/JIT.cpp:
121         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
122         (JSC::JIT::privateCompile):
123         * jit/JIT.h:
124         (JSC::PropertyStubCompilationInfo::slowCaseInfo):
125         * jit/JITInlines.h:
126         (JSC::JIT::callOperation):
127         * jit/JITOperations.cpp:
128         * jit/JITOperations.h:
129         * jit/JITPropertyAccess.cpp:
130         (JSC::JIT::emitSlow_op_get_by_id):
131         (JSC::JIT::emitSlow_op_put_by_id):
132         * jit/JITPropertyAccess32_64.cpp:
133         (JSC::JIT::emitSlow_op_get_by_id):
134         (JSC::JIT::emitSlow_op_put_by_id):
135         * jit/Repatch.cpp:
136         (JSC::appropriateGenericPutByIdFunction):
137         (JSC::appropriateListBuildingPutByIdFunction):
138         (JSC::resetPutByID):
139
140 2013-10-18  Oliver Hunt  <oliver@apple.com>
141
142         Spread operator should be performing direct "puts" and not triggering setters
143         https://bugs.webkit.org/show_bug.cgi?id=123047
144
145         Reviewed by Geoffrey Garen.
146
147         Add a new opcode -- op_put_by_val_direct -- and make use of it in the spread
148         to array construct.  This required a new PutByValDirect node to be introduced to
149         the DFG.  The current implementation simply changes the slow path function that
150         is called, but in future this could be made faster as it does not need to check
151         the prototype chain.
152
153         * bytecode/CodeBlock.cpp:
154         (JSC::CodeBlock::dumpBytecode):
155         (JSC::CodeBlock::CodeBlock):
156         * bytecode/Opcode.h:
157         (JSC::padOpcodeName):
158         * bytecompiler/BytecodeGenerator.cpp:
159         (JSC::BytecodeGenerator::emitDirectPutByVal):
160         * bytecompiler/BytecodeGenerator.h:
161         * bytecompiler/NodesCodegen.cpp:
162         (JSC::ArrayNode::emitBytecode):
163         * dfg/DFGAbstractInterpreterInlines.h:
164         (JSC::DFG::::executeEffects):
165         * dfg/DFGBackwardsPropagationPhase.cpp:
166         (JSC::DFG::BackwardsPropagationPhase::propagate):
167         * dfg/DFGByteCodeParser.cpp:
168         (JSC::DFG::ByteCodeParser::parseBlock):
169         * dfg/DFGCSEPhase.cpp:
170         (JSC::DFG::CSEPhase::getArrayLengthElimination):
171         (JSC::DFG::CSEPhase::getByValLoadElimination):
172         (JSC::DFG::CSEPhase::checkStructureElimination):
173         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
174         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
175         (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
176         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
177         (JSC::DFG::CSEPhase::performNodeCSE):
178         * dfg/DFGCapabilities.cpp:
179         (JSC::DFG::capabilityLevel):
180         * dfg/DFGClobberize.h:
181         (JSC::DFG::clobberize):
182         * dfg/DFGFixupPhase.cpp:
183         (JSC::DFG::FixupPhase::fixupNode):
184         * dfg/DFGGraph.h:
185         (JSC::DFG::Graph::clobbersWorld):
186         * dfg/DFGNode.h:
187         (JSC::DFG::Node::hasArrayMode):
188         * dfg/DFGNodeType.h:
189         * dfg/DFGOperations.cpp:
190         (JSC::DFG::putByVal):
191         (JSC::DFG::operationPutByValInternal):
192         * dfg/DFGOperations.h:
193         * dfg/DFGPredictionPropagationPhase.cpp:
194         (JSC::DFG::PredictionPropagationPhase::propagate):
195         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
196         * dfg/DFGSafeToExecute.h:
197         (JSC::DFG::safeToExecute):
198         * dfg/DFGSpeculativeJIT32_64.cpp:
199         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
200         (JSC::DFG::SpeculativeJIT::compile):
201         * dfg/DFGSpeculativeJIT64.cpp:
202         (JSC::DFG::SpeculativeJIT::compile):
203         * dfg/DFGTypeCheckHoistingPhase.cpp:
204         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
205         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
206         * jit/JIT.cpp:
207         (JSC::JIT::privateCompileMainPass):
208         (JSC::JIT::privateCompileSlowCases):
209         * jit/JIT.h:
210         (JSC::JIT::compileDirectPutByVal):
211         * jit/JITOperations.cpp:
212         * jit/JITOperations.h:
213         * jit/JITPropertyAccess.cpp:
214         (JSC::JIT::emitSlow_op_put_by_val):
215         (JSC::JIT::privateCompilePutByVal):
216         * jit/JITPropertyAccess32_64.cpp:
217         (JSC::JIT::emitSlow_op_put_by_val):
218         * llint/LLIntSlowPaths.cpp:
219         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
220         * llint/LLIntSlowPaths.h:
221         * llint/LowLevelInterpreter32_64.asm:
222         * llint/LowLevelInterpreter64.asm:
223
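The setter-versus-direct-put distinction from the entry above, as an added JavaScript example (not WebKit code): it installs an index-0 setter on Array.prototype and shows that spread into an array literal creates own elements without running that setter, while Array.prototype.push, which goes through an ordinary [[Set]], does run it. The helper names are this example's own.

```javascript
// Added example (not WebKit code): exercises the semantic the change above enforces.
// A spread element in an array literal must create own data properties directly,
// so a setter installed on Array.prototype for index "0" must not fire; an
// ordinary [[Set]] such as Array.prototype.push, by contrast, consults the
// prototype chain and does hit that setter.

// Runs buildArray() while an index-0 accessor is installed on Array.prototype,
// then removes it again so the rest of the program is unaffected.
function countSetterHits(buildArray) {
  let hits = 0;
  Object.defineProperty(Array.prototype, "0", {
    configurable: true,
    get() { return undefined; },
    set(_value) { hits += 1; },
  });
  let result;
  try {
    result = buildArray();
  } finally {
    delete Array.prototype[0];
    Array.prototype.length = 0; // defining index 0 bumped the prototype's length to 1
  }
  return {
    hits,
    ownIndex0: Object.prototype.hasOwnProperty.call(result, "0"),
    value: result[0],
  };
}

// Spread into an array literal: a direct put, so the setter must not run
// and the result owns its element 0.
function spreadIntoLiteral() {
  return countSetterHits(() => [...[1, 2, 3]]);
}

// push() goes through [[Set]], so the prototype setter intercepts the store
// and no own element is created; this is the behaviour the pre-fix spread had.
function pushOntoEmptyArray() {
  return countSetterHits(() => { const a = []; a.push(1); return a; });
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("spread:", spreadIntoLiteral()); // hits 0, ownIndex0 true, value 1
  console.log("push:  ", pushOntoEmptyArray()); // hits 1, ownIndex0 false
}
```
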
224 2013-10-18  Daniel Bates  <dabates@apple.com>
225
226         [iOS] Export symbol for VM::sharedInstanceExists()
227         https://bugs.webkit.org/show_bug.cgi?id=123046
228
229         Reviewed by Mark Hahnenberg.
230
231         * runtime/VM.h:
232
233 2013-10-18  Daniel Bates  <dabates@apple.com>
234
235         [iOS] Upstream WebSafe{GCActivityCallback, IncrementalSweeper}IOS
236         https://bugs.webkit.org/show_bug.cgi?id=123049
237
238         Reviewed by Mark Hahnenberg.
239
240         * heap/Heap.cpp:
241         (JSC::Heap::setIncrementalSweeper):
242         * heap/Heap.h:
243         * heap/HeapTimer.h:
244         * heap/IncrementalSweeper.h: Make protected and export CF-variant of constructor.
245         Removed unused include of header RetainPtr.h. Also forward declare class MarkedBlock
246         (we include its header in the .cpp file) and remove include for header wtf/HashSet.h
247         (duplicates the include in the .cpp).
248         * heap/MachineStackMarker.h: Export function makeUsableFromMultipleThreads(). We aren't
249         making use of this now, but we'll make use of it in a subsequent patch.
250
251 2013-10-18  Anders Carlsson  <andersca@apple.com>
252
253         Remove spaces between template angle brackets
254         https://bugs.webkit.org/show_bug.cgi?id=123040
255
256         Reviewed by Andreas Kling.
257
258         * API/JSCallbackObject.cpp:
259         (JSC::::create):
260         * API/JSObjectRef.cpp:
261         * bytecode/CodeBlock.h:
262         (JSC::CodeBlock::constants):
263         (JSC::CodeBlock::setConstantRegisters):
264         * bytecode/DFGExitProfile.h:
265         * bytecode/EvalCodeCache.h:
266         * bytecode/Operands.h:
267         * bytecode/UnlinkedCodeBlock.h:
268         (JSC::UnlinkedCodeBlock::constantRegisters):
269         * bytecode/Watchpoint.h:
270         * bytecompiler/BytecodeGenerator.h:
271         * bytecompiler/StaticPropertyAnalysis.h:
272         * bytecompiler/StaticPropertyAnalyzer.h:
273         * dfg/DFGArgumentsSimplificationPhase.cpp:
274         * dfg/DFGBlockInsertionSet.h:
275         * dfg/DFGCSEPhase.cpp:
276         (JSC::DFG::performCSE):
277         (JSC::DFG::performStoreElimination):
278         * dfg/DFGCommonData.h:
279         * dfg/DFGDesiredStructureChains.h:
280         * dfg/DFGDesiredWatchpoints.h:
281         * dfg/DFGJITCompiler.h:
282         * dfg/DFGOSRExitCompiler32_64.cpp:
283         (JSC::DFG::OSRExitCompiler::compileExit):
284         * dfg/DFGOSRExitCompiler64.cpp:
285         (JSC::DFG::OSRExitCompiler::compileExit):
286         * dfg/DFGWorklist.h:
287         * heap/BlockAllocator.h:
288         (JSC::CopiedBlock):
289         (JSC::MarkedBlock):
290         (JSC::WeakBlock):
291         (JSC::MarkStackSegment):
292         (JSC::CopyWorkListSegment):
293         (JSC::HandleBlock):
294         * heap/Heap.h:
295         * heap/Local.h:
296         * heap/MarkedBlock.h:
297         * heap/Strong.h:
298         * jit/AssemblyHelpers.cpp:
299         (JSC::AssemblyHelpers::decodedCodeMapFor):
300         * jit/AssemblyHelpers.h:
301         * jit/SpecializedThunkJIT.h:
302         * parser/Nodes.h:
303         * parser/Parser.cpp:
304         (JSC::::parseIfStatement):
305         * parser/Parser.h:
306         (JSC::Scope::copyCapturedVariablesToVector):
307         (JSC::parse):
308         * parser/ParserArena.h:
309         * parser/SourceProviderCacheItem.h:
310         * profiler/LegacyProfiler.cpp:
311         (JSC::dispatchFunctionToProfiles):
312         * profiler/LegacyProfiler.h:
313         (JSC::LegacyProfiler::currentProfiles):
314         * profiler/ProfileNode.h:
315         (JSC::ProfileNode::children):
316         * profiler/ProfilerDatabase.h:
317         * runtime/Butterfly.h:
318         (JSC::Butterfly::contiguousInt32):
319         (JSC::Butterfly::contiguous):
320         * runtime/GenericTypedArrayViewInlines.h:
321         (JSC::::create):
322         * runtime/Identifier.h:
323         (JSC::Identifier::add):
324         * runtime/JSPromise.h:
325         * runtime/PropertyMapHashTable.h:
326         * runtime/PropertyNameArray.h:
327         * runtime/RegExpCache.h:
328         * runtime/SparseArrayValueMap.h:
329         * runtime/SymbolTable.h:
330         * runtime/VM.h:
331         * tools/CodeProfile.cpp:
332         (JSC::truncateTrace):
333         * tools/CodeProfile.h:
334         * yarr/YarrInterpreter.cpp:
335         * yarr/YarrInterpreter.h:
336         (JSC::Yarr::BytecodePattern::BytecodePattern):
337         * yarr/YarrJIT.cpp:
338         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
339         (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
340         (JSC::Yarr::YarrGenerator::opCompileBody):
341         * yarr/YarrPattern.cpp:
342         (JSC::Yarr::YarrPatternConstructor::checkForTerminalParentheses):
343         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
344         * yarr/YarrPattern.h:
345
346 2013-10-18  Mark Lam  <mark.lam@apple.com>
347
348         Remove excess reserved space in ctiTrampoline frames for X86 and X86_64.
349         https://bugs.webkit.org/show_bug.cgi?id=123037.
350
351         Reviewed by Geoffrey Garen.
352
353         * jit/JITStubsMSVC64.asm:
354         * jit/JITStubsX86.h:
355         * jit/JITStubsX86_64.h:
356
357 2013-10-18  Filip Pizlo  <fpizlo@apple.com>
358
359         Frequent RELEASE_ASSERT crashes in Structure::checkOffsetConsistency on WebGL swizzler tests
360         https://bugs.webkit.org/show_bug.cgi?id=121661
361
362         Reviewed by Mark Hahnenberg.
363         
364         This method shouldn't have been called from the concurrent JIT thread. That's hard to prevent
365         so I added a return-early check using isCompilationThread().
366         
367         Here's why this makes sense. Structure has two ways to tell you about the layout of the objects
368         it is describing: m_offset and the property table. Most structures only have m_offset and report
369         null for the property table. If the property table is there, it will tell you additional
370         information and that information subsumes m_offset - but the m_offset is still there. So, when
371         we have a property table, we have to keep it in sync with the m_offset. There is a bunch of
372         machinery to do this.
373         
374         Changing the property table only happens on the main thread.
375         
376         Because the machinery to change the property table is so complex, especially with respect to
377         keeping it in sync with m_offset, we have the checkOffsetConsistency method. It's meant to be
378         called at key points before and after changes to the property table or the offset.
379
380         Most clients of Structure who care about object layout, including the concurrent thread, will
381         want to know m_offset and not the property table. If they want the property table, they will
382         already be super careful. The concurrent thread has special methods for this, like
383         Structure::getConcurrently(), which uses fine-grained locking to ensure that it sees a coherent
384         view of the property table.
385         
386         Adding locking to checkOffsetConsistency() is probably a bad idea since that method may be
387         called when the relevant lock is already held. So, we'd have awkward recursive locking issues.
388         
389         But right now, the concurrent JIT thread may call a method, like Structure::outOfLineCapacity(),
390         which has a call to checkOffsetConsistency(). The call to checkOffsetConsistency() is there
391         because we have found that it helps quickly identify situations where the property table and
392         m_offset get out of sync - mainly because code that changes either of those things will usually
393         also want to know the outOfLineCapacity(). But Structure::outOfLineCapacity() doesn't *actually*
394         need the property table; it uses the m_offset. The concurrent JIT is correct to call
395         outOfLineCapacity(), and is right to do so without holding any locks (since in all cases where
396         it calls outOfLineCapacity() it has already proven that m_offset is immutable). But because
397         outOfLineCapacity() calls checkOffsetConsistency(), and checkOffsetConsistency() doesn't grab
398         locks, and that same structure is having its property table modified by the main thread, we end
399         up with these spurious assertion failures. FWIW, the structure isn't *actually* having *its*
400         property table modified - instead what happens is that some downstream structure steals the
401         property table and then starts adding things to it. The concurrent thread loads the property
402         table before it's stolen, and hence the badness.
403         
404         I suspect there are other code paths that lead to the concurrent JIT calling some Structure
405         method that it is fine and safe to call, but then that method calls checkOffsetConsistency(),
406         and then you have a possible crash.
407         
408         The most sensible solution to this appears to be to make sure that checkOffsetConsistency() is
409         aware of its uselessness to the concurrent JIT thread. This change makes it return early if
410         it's in the concurrent JIT.
411         
412         * runtime/StructureInlines.h:
413         (JSC::Structure::checkOffsetConsistency):
414
415 2013-10-18  Daniel Bates  <dabates@apple.com>
416
417         Add SPI to disable the garbage collector timer
418         https://bugs.webkit.org/show_bug.cgi?id=122921
419
420         Add null check to Heap::setGarbageCollectionTimerEnabled() that I inadvertently
421         omitted.
422
423         * heap/Heap.cpp:
424         (JSC::Heap::setGarbageCollectionTimerEnabled):
425
426 2013-10-18  Julien Brianceau  <jbriance@cisco.com>
427
428         Group 64-bit specific and 32-bit specific callOperation implementations.
429         https://bugs.webkit.org/show_bug.cgi?id=123024
430
431         Reviewed by Michael Saboff.
432
433         This is not a big deal, but could be less confusing when reading the code.
434
435         * jit/JITInlines.h:
436         (JSC::JIT::callOperation):
437         (JSC::JIT::callOperationWithCallFrameRollbackOnException):
438         (JSC::JIT::callOperationNoExceptionCheck):
439
440 2013-10-18  Nadav Rotem  <nrotem@apple.com>
441
442         Fix a FlushLiveness problem.
443         https://bugs.webkit.org/show_bug.cgi?id=122984
444
445         Reviewed by Filip Pizlo.
446
447         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
448         (JSC::DFG::FlushLivenessAnalysisPhase::process):
449
450 2013-10-18  Michael Saboff  <msaboff@apple.com>
451
452         Change native function call stubs to use JIT operations instead of ctiVMHandleException
453         https://bugs.webkit.org/show_bug.cgi?id=122982
454
455         Reviewed by Geoffrey Garen.
456
457         Change ctiVMHandleException to operationVMHandleException.  Change all exception operations to
458         return the catch callFrame and entryPC via vm.callFrameForThrow and vm.targetMachinePCForThrow.
459         This removed calling convention headaches, fixing https://bugs.webkit.org/show_bug.cgi?id=122980
460         in the process.
461
462         * dfg/DFGJITCompiler.cpp:
463         (JSC::DFG::JITCompiler::compileExceptionHandlers):
464         * jit/CCallHelpers.h:
465         (JSC::CCallHelpers::jumpToExceptionHandler):
466         * jit/JIT.cpp:
467         (JSC::JIT::privateCompileExceptionHandlers):
468         * jit/JIT.h:
469         * jit/JITExceptions.cpp:
470         (JSC::genericUnwind):
471         * jit/JITExceptions.h:
472         * jit/JITInlines.h:
473         (JSC::JIT::callOperationNoExceptionCheck):
474         * jit/JITOpcodes.cpp:
475         (JSC::JIT::emit_op_throw):
476         * jit/JITOpcodes32_64.cpp:
477         (JSC::JIT::privateCompileCTINativeCall):
478         (JSC::JIT::emit_op_throw):
479         * jit/JITOperations.cpp:
480         * jit/JITOperations.h:
481         * jit/JITStubs.cpp:
482         * jit/JITStubs.h:
483         * jit/JITStubsARM.h:
484         * jit/JITStubsARM64.h:
485         * jit/JITStubsARMv7.h:
486         * jit/JITStubsMIPS.h:
487         * jit/JITStubsMSVC64.asm:
488         * jit/JITStubsSH4.h:
489         * jit/JITStubsX86.h:
490         * jit/JITStubsX86_64.h:
491         * jit/Repatch.cpp:
492         (JSC::tryBuildGetByIDList):
493         * jit/SlowPathCall.h:
494         (JSC::JITSlowPathCall::call):
495         * jit/ThunkGenerators.cpp:
496         (JSC::throwExceptionFromCallSlowPathGenerator):
497         (JSC::nativeForGenerator):
498         * runtime/VM.h:
499         (JSC::VM::callFrameForThrowOffset):
500         (JSC::VM::targetMachinePCForThrowOffset):
501
502 2013-10-18  Julien Brianceau  <jbriance@cisco.com>
503
504         Fix J_JITOperation_EAapJ call for MIPS and ARM EABI.
505         https://bugs.webkit.org/show_bug.cgi?id=123023
506
507         Reviewed by Michael Saboff.
508
509         * jit/JITInlines.h:
510         (JSC::JIT::callOperation): EncodedJSValue parameters do not need alignment
511         using EABI_32BIT_DUMMY_ARG here.
512
513 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
514
515         Unreviewed, another ARM64 build fix.
516         
517         Get rid of andPtr(TrustedImmPtr, blah), since it would take Effort to get it to work
518         on ARM64 and none of its uses are legit - they should all be using
519         andPtr(TrustedImm32, blah) anyway.
520
521         * assembler/MacroAssembler.h:
522         * assembler/MacroAssemblerARM64.h:
523         * dfg/DFGJITCompiler.cpp:
524         (JSC::DFG::JITCompiler::compileExceptionHandlers):
525         * jit/JIT.cpp:
526         (JSC::JIT::privateCompileExceptionHandlers):
527
528 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
529
530         Unreviewed, speculative ARM64 build fix.
531         
532         move(ImmPtr, blah) is only available in MacroAssembler since that's where blinding is
533         implemented. So, you have to use TrustedImmPtr in the superclasses.
534
535         * assembler/MacroAssemblerARM64.h:
536         (JSC::MacroAssemblerARM64::store8):
537         (JSC::MacroAssemblerARM64::branchTest8):
538
539 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
540
541         Unreviewed, speculative ARM build fix.
542         https://bugs.webkit.org/show_bug.cgi?id=122890
543         <rdar://problem/15258624>
544
545         * assembler/ARM64Assembler.h:
546         (JSC::ARM64Assembler::firstRegister):
547         (JSC::ARM64Assembler::lastRegister):
548         (JSC::ARM64Assembler::firstFPRegister):
549         (JSC::ARM64Assembler::lastFPRegister):
550         * assembler/MacroAssemblerARM64.h:
551         * assembler/MacroAssemblerARMv7.h:
552
553 2013-10-17  Andreas Kling  <akling@apple.com>
554
555         Pass VM instead of JSGlobalObject to JSONObject constructor.
556         <https://webkit.org/b/122999>
557
558         JSONObject was only using the JSGlobalObject to grab at the VM.
559         Dodge a few loads by passing the VM directly instead.
560
561         Reviewed by Geoffrey Garen.
562
563         * runtime/JSONObject.cpp:
564         (JSC::JSONObject::JSONObject):
565         (JSC::JSONObject::finishCreation):
566         * runtime/JSONObject.h:
567         (JSC::JSONObject::create):
568
569 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
570
571         Removed the JITStackFrame struct
572         https://bugs.webkit.org/show_bug.cgi?id=123001
573
574         Reviewed by Anders Carlsson.
575
576         * jit/JITStubs.h: JITStackFrame and JITStubArg are unused now, since all
577         our helper functions obey the C function call ABI.
578
579 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
580
581         Removed an unused #define
582         https://bugs.webkit.org/show_bug.cgi?id=123000
583
584         Reviewed by Anders Carlsson.
585
586         * jit/JITStubs.h: Removed the concept of JITSTACKFRAME_ARGS_INDEX,
587         since it is unused now. This is a step toward using the C stack.
588
589 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
590
591         Eliminate uses of JITSTACKFRAME_ARGS_INDEX as scratch area for thunks
592         https://bugs.webkit.org/show_bug.cgi?id=122973
593
594         Reviewed by Michael Saboff.
595
596         * jit/ThunkGenerators.cpp:
597         (JSC::throwExceptionFromCallSlowPathGenerator): This was all dead code,
598         so I removed it.
599
600         The code acted as if it needed to pass an argument to
601         lookupExceptionHandler, and as if it passed that argument to itself
602         through JITStackFrame. However, lookupExceptionHandler does not take
603         an argument (other than the default ExecState argument), and the code
604         did not initialize the thing that it thought it passed to itself!
605
606 2013-10-17  Alex Christensen  <achristensen@webkit.org>
607
608         Run JavaScriptCore tests again on Windows.
609         https://bugs.webkit.org/show_bug.cgi?id=122787
610
611         Reviewed by Tim Horton.
612
613         * JavaScriptCore.vcxproj/JavaScriptCore.sln: Added.
614         * jit/JITStubsMSVC64.asm: Removed reference to cti_vm_throw unused since r157581.
615
616 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
617
618         Removed restoreArgumentReference (another use of JITStackFrame)
619         https://bugs.webkit.org/show_bug.cgi?id=122997
620
621         Reviewed by Oliver Hunt.
622
623         * jit/JSInterfaceJIT.h: Removed an unused function. This is a step
624         toward using the C stack.
625
626 2013-10-17  Oliver Hunt  <oliver@apple.com>
627
628         Remove JITStubCall.h
629         https://bugs.webkit.org/show_bug.cgi?id=122991
630
631         Reviewed by Geoff Garen.
632
633         Happily this is no longer used.
634
635         * GNUmakefile.list.am:
636         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
637         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
638         * JavaScriptCore.xcodeproj/project.pbxproj:
639         * jit/JIT.cpp:
640         * jit/JITArithmetic.cpp:
641         * jit/JITArithmetic32_64.cpp:
642         * jit/JITCall.cpp:
643         * jit/JITCall32_64.cpp:
644         * jit/JITOpcodes.cpp:
645         * jit/JITOpcodes32_64.cpp:
646         * jit/JITPropertyAccess.cpp:
647         * jit/JITPropertyAccess32_64.cpp:
648         * jit/JITStubCall.h: Removed.
649
650 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
651
652         Removed a use of JITSTACKFRAME_ARGS_INDEX
653         https://bugs.webkit.org/show_bug.cgi?id=122989
654
655         Reviewed by Oliver Hunt.
656
657         * jit/JITStubCall.h: Removed an unused function. This is one step closer
658         to using the C stack.
659
660 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
661
662         Change emit_op_catch to use another method to materialize VM
663         https://bugs.webkit.org/show_bug.cgi?id=122977
664
665         Reviewed by Oliver Hunt.
666
667         * jit/JITOpcodes.cpp:
668         (JSC::JIT::emit_op_catch):
669         * jit/JITOpcodes32_64.cpp:
670         (JSC::JIT::emit_op_catch): Use a constant. It removes our dependency
671         on JITStackFrame. It is also faster and simpler.
672
673 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
674
675         Eliminate emitGetJITStubArg() - dead code
676         https://bugs.webkit.org/show_bug.cgi?id=122975
677
678         Reviewed by Anders Carlsson.
679
680         * jit/JIT.h:
681         * jit/JITInlines.h: Removed unused, deprecated function.
682
683 2013-10-17  Mark Lam  <mark.lam@apple.com>
684
685         Eliminate all ASSERT references to OBJECT_OFFSETOF(struct JITStackFrame,...) in JITStubsXXX.h.
686         https://bugs.webkit.org/show_bug.cgi?id=122979.
687
688         Reviewed by Michael Saboff.
689
690         * jit/JITStubs.cpp:
691         * jit/JITStubs.h:
692         * jit/JITStubsARM.h:
693         * jit/JITStubsARM64.h:
694         * jit/JITStubsARMv7.h:
695         * jit/JITStubsMIPS.h:
696         * jit/JITStubsSH4.h:
697         * jit/JITStubsX86.h:
698         * jit/JITStubsX86_64.h:
699         * runtime/VM.cpp:
700         (JSC::VM::VM):
701
702 2013-10-17  Michael Saboff  <msaboff@apple.com>
703
704         Remove saving callFrameRegister to JITStackFrame in JITCompiler::compileFunction()
705         https://bugs.webkit.org/show_bug.cgi?id=122974
706
707         Reviewed by Geoffrey Garen.
708
709         Eliminated unneeded storing to JITStackFrame.
710
711         * dfg/DFGJITCompiler.cpp:
712         (JSC::DFG::JITCompiler::compileFunction):
713
714 2013-10-17  Michael Saboff  <msaboff@apple.com>
715
716         Transition cti_op_throw and cti_vm_throw to a JIT operation
717         https://bugs.webkit.org/show_bug.cgi?id=122931
718
719         Reviewed by Filip Pizlo.
720
721         Moved cti_op_throw to operationThrow.  Made the caller responsible for jumping to the
722         catch handler.  Eliminated cti_op_throw_static_error, cti_vm_throw, ctiVMThrowTrampoline()
723         and their callers as it is now dead code.  There is some work needed on the Microsoft X86
724         callOperation to handle the need to provide space for a structure return value.
725
726         * jit/JIT.h:
727         * jit/JITInlines.h:
728         (JSC::JIT::callOperation):
729         * jit/JITOpcodes.cpp:
730         (JSC::JIT::emit_op_throw):
731         * jit/JITOpcodes32_64.cpp:
732         (JSC::JIT::emit_op_throw):
733         (JSC::JIT::emit_op_catch):
734         * jit/JITOperations.cpp:
735         * jit/JITOperations.h:
736         * jit/JITStubs.cpp:
737         * jit/JITStubs.h:
738         * jit/JITStubsARM.h:
739         * jit/JITStubsARM64.h:
740         * jit/JITStubsARMv7.h:
741         * jit/JITStubsMIPS.h:
742         * jit/JITStubsMSVC64.asm:
743         * jit/JITStubsSH4.h:
744         * jit/JITStubsX86.h:
745         * jit/JITStubsX86_64.h:
746         * jit/JSInterfaceJIT.h:
747
748 2013-10-17  Mark Lam  <mark.lam@apple.com>
749
750         Remove JITStackFrame references in the C Loop LLINT.
751         https://bugs.webkit.org/show_bug.cgi?id=122950.
752
753         Reviewed by Michael Saboff.
754
755         * jit/JITStubs.h:
756         * llint/LowLevelInterpreter.cpp:
757         (JSC::CLoop::execute):
758         * offlineasm/cloop.rb:
759
760 2013-10-17  Mark Lam  <mark.lam@apple.com>
761
762         Remove JITStackFrame references in JIT probes.
763         https://bugs.webkit.org/show_bug.cgi?id=122947.
764
765         Reviewed by Michael Saboff.
766
767         * assembler/MacroAssemblerARM.cpp:
768         (JSC::MacroAssemblerARM::ProbeContext::dump):
769         * assembler/MacroAssemblerARM.h:
770         * assembler/MacroAssemblerARMv7.cpp:
771         (JSC::MacroAssemblerARMv7::ProbeContext::dump):
772         * assembler/MacroAssemblerARMv7.h:
773         * assembler/MacroAssemblerX86Common.cpp:
774         (JSC::MacroAssemblerX86Common::ProbeContext::dump):
775         * assembler/MacroAssemblerX86Common.h:
776         * jit/JITStubsARM.h:
777         * jit/JITStubsARMv7.h:
778         * jit/JITStubsX86.h:
779         * jit/JITStubsX86Common.h:
780         * jit/JITStubsX86_64.h:
781
782 2013-10-17  Julien Brianceau  <jbriance@cisco.com>
783
784         Fix build when NUMBER_OF_ARGUMENT_REGISTERS == 4.
785         https://bugs.webkit.org/show_bug.cgi?id=122949
786
787         Reviewed by Andreas Kling.
788
789         * jit/CCallHelpers.h:
790         (JSC::CCallHelpers::setupArgumentsWithExecState):
791
792 2013-10-16  Mark Lam  <mark.lam@apple.com>
793
794         Transition remaining op_get* JITStubs to JIT operations.
795         https://bugs.webkit.org/show_bug.cgi?id=122925.
796
797         Reviewed by Geoffrey Garen.
798
799         Transitioning:
800             cti_op_get_by_id_generic
801             cti_op_get_by_val
802             cti_op_get_by_val_generic
803             cti_op_get_by_val_string
804
805         * dfg/DFGOperations.cpp:
806         * dfg/DFGOperations.h:
807         * jit/JIT.h:
808         * jit/JITInlines.h:
809         (JSC::JIT::callOperation):
810         * jit/JITOpcodes.cpp:
811         (JSC::JIT::emitSlow_op_get_arguments_length):
812         (JSC::JIT::emitSlow_op_get_argument_by_val):
813         * jit/JITOpcodes32_64.cpp:
814         (JSC::JIT::emitSlow_op_get_arguments_length):
815         (JSC::JIT::emitSlow_op_get_argument_by_val):
816         * jit/JITOperations.cpp:
817         * jit/JITOperations.h:
818         * jit/JITPropertyAccess.cpp:
819         (JSC::JIT::emitSlow_op_get_by_val):
820         (JSC::JIT::emitSlow_op_get_by_pname):
821         (JSC::JIT::privateCompileGetByVal):
822         * jit/JITPropertyAccess32_64.cpp:
823         (JSC::JIT::emitSlow_op_get_by_val):
824         (JSC::JIT::emitSlow_op_get_by_pname):
825         * jit/JITStubs.cpp:
826         * jit/JITStubs.h:
827         * runtime/Executable.cpp:
828         (JSC::setupLLInt): Added some UNUSED_PARAMs to fix the no LLINT build.
829         * runtime/Options.cpp:
830         (JSC::Options::initialize):
831
832 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
833
834         Introduce WTF::Bag and start using it for InlineCallFrameSet
835         https://bugs.webkit.org/show_bug.cgi?id=122941
836
837         Reviewed by Geoffrey Garen.
838         
839         Use Bag for InlineCallFrameSet. If this works out then I'll make other
840         SegmentedVectors into Bags as well.
841
842         * bytecode/InlineCallFrameSet.cpp:
843         (JSC::InlineCallFrameSet::add):
844         * bytecode/InlineCallFrameSet.h:
845         (JSC::InlineCallFrameSet::begin):
846         (JSC::InlineCallFrameSet::end):
847         * dfg/DFGArgumentsSimplificationPhase.cpp:
848         (JSC::DFG::ArgumentsSimplificationPhase::run):
849         * dfg/DFGJITCompiler.cpp:
850         (JSC::DFG::JITCompiler::link):
851         * dfg/DFGStackLayoutPhase.cpp:
852         (JSC::DFG::StackLayoutPhase::run):
853         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
854         (JSC::DFG::VirtualRegisterAllocationPhase::run):
855
856 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
857
858         libllvmForJSC shouldn't call exit(1) on report_fatal_error()
859         https://bugs.webkit.org/show_bug.cgi?id=122905
860         <rdar://problem/15237856>
861
862         Reviewed by Michael Saboff.
863         
864         Expose the new LLVMInstallFatalErrorHandler() API through the soft linking magic and
865         then always call it to install something that calls CRASH().
866
867         * llvm/InitializeLLVM.cpp:
868         (JSC::llvmCrash):
869         (JSC::initializeLLVMOnce):
870         (JSC::initializeLLVM):
871         * llvm/LLVMAPIFunctions.h:
872
873 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
874
875         Prototype chain repatching in the polymorphic case fails to check if the receiver is a dictionary
876         https://bugs.webkit.org/show_bug.cgi?id=122938
877
878         Reviewed by Sam Weinig.
879         
880         This fixes jsc-layout-tests.yaml/js/script-tests/dictionary-prototype-caching.js.layout-no-llint.
881
882         * jit/Repatch.cpp:
883         (JSC::tryBuildGetByIDList):
884
885 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
886
887         JIT::appendCall() needs to killLastResultRegister() or equivalent since there's some really bad code that expects it
888         https://bugs.webkit.org/show_bug.cgi?id=122937
889
890         Reviewed by Geoffrey Garen.
891         
892         JITStubCall used to do it.
893         
894         This makes mozilla-tests.yaml/ecma/Statements/12.10-1.js.mozilla-baseline pass.
895
896         * jit/JIT.h:
897         (JSC::JIT::appendCall):
898
899 2013-10-16  Michael Saboff  <msaboff@apple.com>
900
901         transition void cti_op_put_by_val* stubs to JIT operations
902         https://bugs.webkit.org/show_bug.cgi?id=122903
903
904         Reviewed by Geoffrey Garen.
905
906         Transitioned cti_op_put_by_val and cti_op_put_by_val_generic to operationPutByVal and
907         operationPutByValGeneric.
908
909         * jit/CCallHelpers.h:
910         (JSC::CCallHelpers::setupArgumentsWithExecState):
911         * jit/JIT.h:
912         * jit/JITInlines.h:
913         (JSC::JIT::callOperation):
914         * jit/JITOperations.cpp:
915         * jit/JITOperations.h:
916         * jit/JITPropertyAccess.cpp:
917         (JSC::JIT::emitSlow_op_put_by_val):
918         (JSC::JIT::privateCompilePutByVal):
919         * jit/JITPropertyAccess32_64.cpp:
920         (JSC::JIT::emitSlow_op_put_by_val):
921         * jit/JITStubs.cpp:
922         * jit/JITStubs.h:
923         * jit/JSInterfaceJIT.h:
924
925 2013-10-16  Oliver Hunt  <oliver@apple.com>
926
927         Implement ES6 spread operator
928         https://bugs.webkit.org/show_bug.cgi?id=122911
929
930         Reviewed by Michael Saboff.
931
932         Implement the ES6 spread operator
933
934         This has a little bit of refactoring to move the enumeration logic out of ForOfNode
935         and into BytecodeGenerator, and then adds the logic to make it nicely callback
936         driven.
937
938         The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
939         and actually handling the spread.
940
941         * bytecompiler/BytecodeGenerator.cpp:
942         (JSC::BytecodeGenerator::emitNewArray):
943         (JSC::BytecodeGenerator::emitCall):
944         (JSC::BytecodeGenerator::emitEnumeration):
945         * bytecompiler/BytecodeGenerator.h:
946         * bytecompiler/NodesCodegen.cpp:
947         (JSC::ArrayNode::emitBytecode):
948         (JSC::ForOfNode::emitBytecode):
949         (JSC::SpreadExpressionNode::emitBytecode):
950         * parser/ASTBuilder.h:
951         (JSC::ASTBuilder::createSpreadExpression):
952         * parser/Lexer.cpp:
953         (JSC::::lex):
954         * parser/NodeConstructors.h:
955         (JSC::SpreadExpressionNode::SpreadExpressionNode):
956         * parser/Nodes.h:
957         (JSC::ExpressionNode::isSpreadExpression):
958         (JSC::SpreadExpressionNode::expression):
959         * parser/Parser.cpp:
960         (JSC::::parseArrayLiteral):
961         (JSC::::parseArguments):
962         (JSC::::parseMemberExpression):
963         * parser/Parser.h:
964         (JSC::Parser::getTokenName):
965         (JSC::Parser::updateErrorMessageSpecialCase):
966         * parser/ParserTokens.h:
967         * parser/SyntaxChecker.h:
968         (JSC::SyntaxChecker::createSpreadExpression):
969
970 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
971
972         Add a useLLInt option to jsc
973         https://bugs.webkit.org/show_bug.cgi?id=122930
974
975         Reviewed by Geoffrey Garen.
976
977         * runtime/Executable.cpp:
978         (JSC::setupLLInt):
979         (JSC::setupJIT):
980         (JSC::ScriptExecutable::prepareForExecutionImpl):
981         * runtime/Options.h:
982
983 2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>
984
985         Build fix.
986
987         Forgot to svn add DeferGC.cpp
988
989         * heap/DeferGC.cpp: Added.
990
991 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
992
993         r157411 fails run-javascriptcore-tests when run with Baseline JIT
994         https://bugs.webkit.org/show_bug.cgi?id=122902
995
996         Reviewed by Mark Hahnenberg.
997         
998         It turns out that this was a long-standing bug in the DFG PutById repatching logic. It's
999         not legal to patch if the typeInfo tells you that you can't patch. The old JIT's patching
1000         logic did this right, and the DFG's GetById patching logic did it right; but DFG PutById
1001         didn't. Turns out that there's even a helpful method,
1002         Structure::propertyAccessesAreCacheable(), that will even do all of the checks for you!
1003
1004         * jit/Repatch.cpp:
1005         (JSC::tryCachePutByID):
1006
1007 2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>
1008
1009         llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
1010         https://bugs.webkit.org/show_bug.cgi?id=122667
1011
1012         Reviewed by Geoffrey Garen.
1013
1014         The issue this patch is attempting to fix is that there are places in our codebase
1015         where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
1016         operations that can initiate a garbage collection. Garbage collection then calls 
1017         some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
1018         always necessarily run during garbage collection). This causes a deadlock.
1019  
1020         To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores 
1021         into a thread-local field that indicates that it is unsafe to perform any operation 
1022         that could trigger garbage collection on the current thread. In debug builds, 
1023         ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly 
1024         detect deadlocks.
1025  
1026         This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
1027         which uses the DeferGC mechanism to prevent collections from occurring while the 
1028         lock is held.
1029
1030         * CMakeLists.txt:
1031         * GNUmakefile.list.am:
1032         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1033         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1034         * JavaScriptCore.xcodeproj/project.pbxproj:
1035         * heap/DeferGC.h:
1036         (JSC::DisallowGC::DisallowGC):
1037         (JSC::DisallowGC::~DisallowGC):
1038         (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
1039         (JSC::DisallowGC::initialize):
1040         * jit/Repatch.cpp:
1041         (JSC::repatchPutByID):
1042         (JSC::buildPutByIdList):
1043         * llint/LLIntSlowPaths.cpp:
1044         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1045         * runtime/ConcurrentJITLock.h:
1046         (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
1047         (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
1048         (JSC::ConcurrentJITLockerBase::unlockEarly):
1049         (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
1050         (JSC::GCSafeConcurrentJITLocker::~GCSafeConcurrentJITLocker):
1051         (JSC::GCSafeConcurrentJITLocker::NoDefer::NoDefer):
1052         (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
1053         * runtime/InitializeThreading.cpp:
1054         (JSC::initializeThreadingOnce):
1055         * runtime/JSCellInlines.h:
1056         (JSC::allocateCell):
1057         * runtime/JSSymbolTableObject.h:
1058         (JSC::symbolTablePut):
1059         * runtime/Structure.cpp: materializePropertyMapIfNecessary* now has a problem in that it
1060         can start a garbage collection when the GCSafeConcurrentJITLocker goes out of scope, but 
1061         before the caller has a chance to use the newly created PropertyTable. The garbage collection
1062         clears the PropertyTable, and then the caller uses it assuming it's valid. To avoid this,
1063         we must DeferGC until the caller is done getting the newly materialized PropertyTable from 
1064         the Structure.
1065         (JSC::Structure::materializePropertyMap):
1066         (JSC::Structure::despecifyDictionaryFunction):
1067         (JSC::Structure::changePrototypeTransition):
1068         (JSC::Structure::despecifyFunctionTransition):
1069         (JSC::Structure::attributeChangeTransition):
1070         (JSC::Structure::toDictionaryTransition):
1071         (JSC::Structure::preventExtensionsTransition):
1072         (JSC::Structure::takePropertyTableOrCloneIfPinned):
1073         (JSC::Structure::isSealed):
1074         (JSC::Structure::isFrozen):
1075         (JSC::Structure::addPropertyWithoutTransition):
1076         (JSC::Structure::removePropertyWithoutTransition):
1077         (JSC::Structure::get):
1078         (JSC::Structure::despecifyFunction):
1079         (JSC::Structure::despecifyAllFunctions):
1080         (JSC::Structure::putSpecificValue):
1081         (JSC::Structure::createPropertyMap):
1082         (JSC::Structure::getPropertyNamesFromStructure):
1083         * runtime/Structure.h:
1084         (JSC::Structure::materializePropertyMapIfNecessary):
1085         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
1086         * runtime/StructureInlines.h:
1087         (JSC::Structure::get):
1088         * runtime/SymbolTable.h:
1089         (JSC::SymbolTable::find):
1090         (JSC::SymbolTable::end):
1091
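The DisallowGC / DeferGC / GCSafeConcurrentJITLocker mechanism described in the entry above, as an added C++ model that is not JavaScriptCore's own DeferGC.h or ConcurrentJITLock.h: the Heap, lock and locker classes, the GCOutcome status and the two allocateUnder* scenario functions are constructed for illustration. A thread-local depth counter backs each RAII guard; a collection requested while a DisallowGC is alive is reported as refused (the real engine's debug build would crash there), and one requested under a DeferGC is postponed until the outermost DeferGC on the thread goes out of scope, which in the GC-safe locker happens only after the mutex has been released.

```cpp
#include <cassert>
#include <cstdio>
#include <mutex>

// Constructed model; not JavaScriptCore's DeferGC.h or ConcurrentJITLock.h.
enum class GCOutcome { Ran, Deferred, RefusedWhileDisallowed };

class Heap {
public:
    // Entry point used by allocation slow paths that want a collection.
    GCOutcome requestCollection()
    {
        if (s_disallowDepth > 0)
            return GCOutcome::RefusedWhileDisallowed; // a debug build would CRASH() here
        if (s_deferDepth > 0) {
            m_pending = true; // run once the outermost DeferGC is gone
            return GCOutcome::Deferred;
        }
        collect();
        return GCOutcome::Ran;
    }

    int collectionsRun() const { return m_collections; }

    // RAII guard: while one is alive on this thread, any collection is a bug.
    struct DisallowGC {
        DisallowGC() { ++s_disallowDepth; }
        ~DisallowGC() { --s_disallowDepth; }
        DisallowGC(const DisallowGC&) = delete;
        DisallowGC& operator=(const DisallowGC&) = delete;
        static bool isGCDisallowedOnCurrentThread() { return s_disallowDepth > 0; }
    };

    // RAII guard: collections requested while alive are postponed until the
    // outermost DeferGC on this thread goes out of scope.
    struct DeferGC {
        explicit DeferGC(Heap& heap) : m_heap(heap) { ++s_deferDepth; }
        ~DeferGC()
        {
            if (--s_deferDepth == 0 && m_heap.m_pending) {
                m_heap.m_pending = false;
                m_heap.collect();
            }
        }
        DeferGC(const DeferGC&) = delete;
        DeferGC& operator=(const DeferGC&) = delete;
        Heap& m_heap;
    };

private:
    // In the real engine this is where CodeBlock methods that take the
    // ConcurrentJITLock run, hence the deadlock if the caller already holds it.
    void collect() { ++m_collections; }

    static thread_local int s_disallowDepth;
    static thread_local int s_deferDepth;
    bool m_pending = false;
    int m_collections = 0;
};

thread_local int Heap::s_disallowDepth = 0;
thread_local int Heap::s_deferDepth = 0;

struct ConcurrentJITLock {
    std::mutex mutex;
};

// Debug-style locker: holding the lock makes a GC on this thread detectable.
class ConcurrentJITLocker {
public:
    explicit ConcurrentJITLocker(ConcurrentJITLock& lock) : m_guard(lock.mutex) { }
private:
    std::lock_guard<std::mutex> m_guard;
    Heap::DisallowGC m_disallowGC;
};

// GC-safe locker: a collection requested under the lock runs only after the
// mutex is released; m_deferGC is declared first so it is destroyed last.
class GCSafeConcurrentJITLocker {
public:
    GCSafeConcurrentJITLocker(ConcurrentJITLock& lock, Heap& heap)
        : m_deferGC(heap), m_guard(lock.mutex) { }
private:
    Heap::DeferGC m_deferGC;
    std::lock_guard<std::mutex> m_guard;
};

// The pattern the bug describes: allocate (and so possibly collect) while
// holding the per-CodeBlock lock.
GCOutcome allocateUnderPlainLock(Heap& heap, ConcurrentJITLock& lock)
{
    ConcurrentJITLocker locker(lock);
    return heap.requestCollection();
}

GCOutcome allocateUnderGCSafeLock(Heap& heap, ConcurrentJITLock& lock)
{
    GCSafeConcurrentJITLocker locker(lock, heap);
    return heap.requestCollection();
}

int main()
{
    Heap heap;
    ConcurrentJITLock lock;
    bool refused = allocateUnderPlainLock(heap, lock) == GCOutcome::RefusedWhileDisallowed;
    std::printf("plain locker: refused=%d\n", refused);
    bool deferred = allocateUnderGCSafeLock(heap, lock) == GCOutcome::Deferred;
    std::printf("gc-safe locker: deferred=%d, collections after unlock=%d\n", deferred, heap.collectionsRun());
    return 0;
}
```

The member order in GCSafeConcurrentJITLocker is the whole point: reversing it would run the deferred collection while the mutex is still held. The same ordering concern is what the Structure.cpp note above is about: if the DeferGC ends before the caller has consumed the freshly materialized PropertyTable, the postponed collection can clear it underneath the caller, so the deferral has to outlive that use.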
1092 2013-10-16  Daniel Bates  <dabates@apple.com>
1093
1094         Add SPI to disable the garbage collector timer
1095         https://bugs.webkit.org/show_bug.cgi?id=122921
1096
1097         Reviewed by Geoffrey Garen.
1098
1099         Based on a patch by Mark Hahnenberg.
1100
1101         * API/JSBase.cpp:
1102         (JSDisableGCTimer): Added; SPI function.
1103         * API/JSBasePrivate.h:
1104         * heap/BlockAllocator.cpp:
1105         (JSC::createBlockFreeingThread): Added.
1106         (JSC::BlockAllocator::BlockAllocator): Modified to use JSC::createBlockFreeingThread()
1107         to conditionally create the "block freeing" thread depending on the value of
1108         GCActivityCallback::s_shouldCreateGCTimer.
1109         (JSC::BlockAllocator::~BlockAllocator):
1110         * heap/BlockAllocator.h:
1111         (JSC::BlockAllocator::deallocate):
1112         * heap/Heap.cpp:
1113         (JSC::Heap::didAbandon):
1114         (JSC::Heap::collect):
1115         (JSC::Heap::didAllocate):
1116         * heap/HeapTimer.cpp:
1117         (JSC::HeapTimer::timerDidFire):
1118         * runtime/GCActivityCallback.cpp:
1119         * runtime/GCActivityCallback.h:
1120         (JSC::DefaultGCActivityCallback::create): Only instantiate a DefaultGCActivityCallback object
1121         when GCActivityCallback::s_shouldCreateGCTimer is true so as to prevent allocating a HeapTimer
1122         object (since DefaultGCActivityCallback ultimately extends HeapTimer).
1123
1124 2013-10-16  Commit Queue  <commit-queue@webkit.org>
1125
1126         Unreviewed, rolling out r157529.
1127         http://trac.webkit.org/changeset/157529
1128         https://bugs.webkit.org/show_bug.cgi?id=122919
1129
1130         Caused score test failures and some build failures. (Requested
1131         by rfong on #webkit).
1132
1133         * bytecompiler/BytecodeGenerator.cpp:
1134         (JSC::BytecodeGenerator::emitNewArray):
1135         (JSC::BytecodeGenerator::emitCall):
1136         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
1137         * bytecompiler/BytecodeGenerator.h:
1138         * bytecompiler/NodesCodegen.cpp:
1139         (JSC::ArrayNode::emitBytecode):
1140         (JSC::CallArguments::CallArguments):
1141         (JSC::ForOfNode::emitBytecode):
1142         (JSC::BindingNode::collectBoundIdentifiers):
1143         * parser/ASTBuilder.h:
1144         * parser/Lexer.cpp:
1145         (JSC::::lex):
1146         * parser/NodeConstructors.h:
1147         (JSC::DotAccessorNode::DotAccessorNode):
1148         * parser/Nodes.h:
1149         * parser/Parser.cpp:
1150         (JSC::::parseArrayLiteral):
1151         (JSC::::parseArguments):
1152         (JSC::::parseMemberExpression):
1153         * parser/Parser.h:
1154         (JSC::Parser::getTokenName):
1155         (JSC::Parser::updateErrorMessageSpecialCase):
1156         * parser/ParserTokens.h:
1157         * parser/SyntaxChecker.h:
1158
1159 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
1160
1161         Remove useless architecture specific implementation in DFG.
1162         https://bugs.webkit.org/show_bug.cgi?id=122917.
1163
1164         Reviewed by Michael Saboff.
1165
1166         With CPU(ARM) && CPU(ARM_HARDFP) architecture, the fallback implementation is fine
1167         as FPRInfo::argumentFPR0 == FPRInfo::returnValueFPR in this case.
1168
1169         * dfg/DFGSpeculativeJIT.h:
1170
1171 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
1172
1173         Remove unused JIT::restoreArgumentReferenceForTrampoline function.
1174         https://bugs.webkit.org/show_bug.cgi?id=122916.
1175
1176         Reviewed by Michael Saboff.
1177
1178         This architecture specific function is not used anymore, so get rid of it.
1179
1180         * jit/JIT.h:
1181         * jit/JITInlines.h:
1182
1183 2013-10-16  Oliver Hunt  <oliver@apple.com>
1184
1185         Implement ES6 spread operator
1186         https://bugs.webkit.org/show_bug.cgi?id=122911
1187
1188         Reviewed by Michael Saboff.
1189
1190         Implement the ES6 spread operator
1191
1192         This has a little bit of refactoring to move the enumeration logic out of ForOfNode
1193         and into BytecodeGenerator, and then adds the logic to make it nicely callback
1194         driven.
1195
1196         The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
1197         and actually handling the spread.
1198
1199         * bytecompiler/BytecodeGenerator.cpp:
1200         (JSC::BytecodeGenerator::emitNewArray):
1201         (JSC::BytecodeGenerator::emitCall):
1202         (JSC::BytecodeGenerator::emitEnumeration):
1203         * bytecompiler/BytecodeGenerator.h:
1204         * bytecompiler/NodesCodegen.cpp:
1205         (JSC::ArrayNode::emitBytecode):
1206         (JSC::ForOfNode::emitBytecode):
1207         (JSC::SpreadExpressionNode::emitBytecode):
1208         * parser/ASTBuilder.h:
1209         (JSC::ASTBuilder::createSpreadExpression):
1210         * parser/Lexer.cpp:
1211         (JSC::::lex):
1212         * parser/NodeConstructors.h:
1213         (JSC::SpreadExpressionNode::SpreadExpressionNode):
1214         * parser/Nodes.h:
1215         (JSC::ExpressionNode::isSpreadExpression):
1216         (JSC::SpreadExpressionNode::expression):
1217         * parser/Parser.cpp:
1218         (JSC::::parseArrayLiteral):
1219         (JSC::::parseArguments):
1220         (JSC::::parseMemberExpression):
1221         * parser/Parser.h:
1222         (JSC::Parser::getTokenName):
1223         (JSC::Parser::updateErrorMessageSpecialCase):
1224         * parser/ParserTokens.h:
1225         * parser/SyntaxChecker.h:
1226         (JSC::SyntaxChecker::createSpreadExpression):
1227
1228 2013-10-16  Mark Lam  <mark.lam@apple.com>
1229
1230         Transition void cti_op_tear_off* methods to JIT operations for 32 bit.
1231         https://bugs.webkit.org/show_bug.cgi?id=122899.
1232
1233         Reviewed by Michael Saboff.
1234
1235         * jit/JITOpcodes32_64.cpp:
1236         (JSC::JIT::emit_op_tear_off_activation):
1237         (JSC::JIT::emit_op_tear_off_arguments):
1238         * jit/JITStubs.cpp:
1239         * jit/JITStubs.h:
1240
1241 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
1242
1243         Remove more of the UNINTERRUPTED_SEQUENCE thing
1244         https://bugs.webkit.org/show_bug.cgi?id=122885
1245
1246         Reviewed by Andreas Kling.
1247
1248         It was not completely removed by r157481, leading to build failure for sh4 architecture.
1249
1250         * jit/JIT.h:
1251         * jit/JITInlines.h:
1252
1253 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
1254
1255         Get rid of the StructureStubInfo::patch union
1256         https://bugs.webkit.org/show_bug.cgi?id=122877
1257
1258         Reviewed by Sam Weinig.
1259         
1260         Just simplifying code by getting rid of data structures that ain't used no more.
1261         
1262         Note that I replace the patch union with a patch struct. This means we say things like
1263         stubInfo.patch.valueGPR instead of stubInfo.valueGPR. I think that this extra
1264         encapsulation makes the code more readable: the patch struct contains just those things
1265         that you need to know to perform patching.
1266
1267         * bytecode/StructureStubInfo.h:
1268         * dfg/DFGJITCompiler.cpp:
1269         (JSC::DFG::JITCompiler::link):
1270         * jit/JIT.cpp:
1271         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
1272         * jit/Repatch.cpp:
1273         (JSC::repatchByIdSelfAccess):
1274         (JSC::replaceWithJump):
1275         (JSC::linkRestoreScratch):
1276         (JSC::generateProtoChainAccessStub):
1277         (JSC::tryCacheGetByID):
1278         (JSC::getPolymorphicStructureList):
1279         (JSC::patchJumpToGetByIdStub):
1280         (JSC::tryBuildGetByIDList):
1281         (JSC::emitPutReplaceStub):
1282         (JSC::emitPutTransitionStub):
1283         (JSC::tryCachePutByID):
1284         (JSC::tryBuildPutByIdList):
1285         (JSC::tryRepatchIn):
1286         (JSC::resetGetByID):
1287         (JSC::resetPutByID):
1288         (JSC::resetIn):
1289
1290 2013-10-15  Nadav Rotem  <nrotem@apple.com>
1291
1292         FTL: add support for Int52ToValue and fix putByVal of int52s.
1293         https://bugs.webkit.org/show_bug.cgi?id=122873
1294
1295         Reviewed by Filip Pizlo.
1296
1297         * ftl/FTLCapabilities.cpp:
1298         (JSC::FTL::canCompile):
1299         * ftl/FTLLowerDFGToLLVM.cpp:
1300         (JSC::FTL::LowerDFGToLLVM::compileNode):
1301         (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue):
1302         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
1303
1304 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
1305
1306         Get rid of the UNINTERRUPTED_SEQUENCE thing
1307         https://bugs.webkit.org/show_bug.cgi?id=122876
1308
1309         Reviewed by Mark Hahnenberg.
1310         
1311         It doesn't make sense anymore. We now use the DFG's IC logic, which never needed that.
1312         
1313         Moreover, we should resist the temptation to bring anything like this back. We don't
1314         want to have inline caches that only work if the assembler lays out code in a specific
1315         predetermined way.
1316
1317         * jit/JIT.h:
1318         * jit/JITCall.cpp:
1319         (JSC::JIT::compileOpCall):
1320         * jit/JITCall32_64.cpp:
1321         (JSC::JIT::compileOpCall):
1322
1323 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
1324
1325         Baseline JIT should use the DFG GetById IC
1326         https://bugs.webkit.org/show_bug.cgi?id=122861
1327
1328         Reviewed by Oliver Hunt.
1329         
1330         This mostly just kills a ton of code.
1331         
1332         Note that this doesn't yet do all of the simplifications that can be done, but it does
1333         kill dead code. I'll have another change to simplify StructureStubInfo's unions and such.
1334
1335         * bytecode/CodeBlock.cpp:
1336         (JSC::CodeBlock::resetStubInternal):
1337         * jit/JIT.cpp:
1338         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
1339         * jit/JIT.h:
1340         (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
1341         * jit/JITInlines.h:
1342         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
1343         (JSC::JIT::callOperation):
1344         * jit/JITPropertyAccess.cpp:
1345         (JSC::JIT::compileGetByIdHotPath):
1346         (JSC::JIT::emitSlow_op_get_by_id):
1347         (JSC::JIT::emitSlow_op_get_from_scope):
1348         * jit/JITPropertyAccess32_64.cpp:
1349         (JSC::JIT::compileGetByIdHotPath):
1350         (JSC::JIT::emitSlow_op_get_by_id):
1351         (JSC::JIT::emitSlow_op_get_from_scope):
1352         * jit/JITStubs.cpp:
1353         * jit/JITStubs.h:
1354         * jit/Repatch.cpp:
1355         (JSC::repatchGetByID):
1356         (JSC::buildGetByIDList):
1357         * jit/ThunkGenerators.cpp:
1358         * jit/ThunkGenerators.h:
1359
1360 2013-10-15  Dean Jackson  <dino@apple.com>
1361
1362         Add ENABLE_WEB_ANIMATIONS flag
1363         https://bugs.webkit.org/show_bug.cgi?id=122871
1364
1365         Reviewed by Tim Horton.
1366
1367         Eventually might be http://dev.w3.org/fxtf/web-animations/
1368         but this is just engine-internal work at the moment.
1369
1370         * Configurations/FeatureDefines.xcconfig:
1371
1372 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
1373
1374         [sh4] Some calls don't match sh4 ABI.
1375         https://bugs.webkit.org/show_bug.cgi?id=122863
1376
1377         Reviewed by Michael Saboff.
1378
1379         * dfg/DFGSpeculativeJIT.h:
1380         (JSC::DFG::SpeculativeJIT::callOperation):
1381         * jit/CCallHelpers.h:
1382         (JSC::CCallHelpers::setupArgumentsWithExecState):
1383         * jit/JITInlines.h:
1384         (JSC::JIT::callOperation):
1385
1386 2013-10-15  Daniel Bates  <dabates@apple.com>
1387
1388         [iOS] Upstream JavaScriptCore support for ARM64
1389         https://bugs.webkit.org/show_bug.cgi?id=122762
1390
1391         Reviewed by Oliver Hunt and Filip Pizlo.
1392
1393         * Configurations/Base.xcconfig:
1394         * Configurations/DebugRelease.xcconfig:
1395         * Configurations/JavaScriptCore.xcconfig:
1396         * Configurations/ToolExecutable.xcconfig:
1397         * JavaScriptCore.xcodeproj/project.pbxproj:
1398         * assembler/ARM64Assembler.h: Added.
1399         * assembler/AbstractMacroAssembler.h:
1400         (JSC::isARM64):
1401         (JSC::AbstractMacroAssembler::Label::Label):
1402         (JSC::AbstractMacroAssembler::Jump::Jump):
1403         (JSC::AbstractMacroAssembler::Jump::link):
1404         (JSC::AbstractMacroAssembler::Jump::linkTo):
1405         (JSC::AbstractMacroAssembler::CachedTempRegister::CachedTempRegister):
1406         (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDInvalidate):
1407         (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDNoInvalidate):
1408         (JSC::AbstractMacroAssembler::CachedTempRegister::value):
1409         (JSC::AbstractMacroAssembler::CachedTempRegister::setValue):
1410         (JSC::AbstractMacroAssembler::CachedTempRegister::invalidate):
1411         (JSC::AbstractMacroAssembler::invalidateAllTempRegisters):
1412         (JSC::AbstractMacroAssembler::isTempRegisterValid):
1413         (JSC::AbstractMacroAssembler::clearTempRegisterValid):
1414         (JSC::AbstractMacroAssembler::setTempRegisterValid):
1415         * assembler/LinkBuffer.cpp:
1416         (JSC::LinkBuffer::copyCompactAndLinkCode):
1417         (JSC::LinkBuffer::linkCode):
1418         * assembler/LinkBuffer.h:
1419         * assembler/MacroAssembler.h:
1420         (JSC::MacroAssembler::isPtrAlignedAddressOffset):
1421         (JSC::MacroAssembler::pushToSave):
1422         (JSC::MacroAssembler::popToRestore):
1423         (JSC::MacroAssembler::patchableBranchTest32):
1424         * assembler/MacroAssemblerARM64.h: Added.
1425         * assembler/MacroAssemblerARMv7.h:
1426         * dfg/DFGFixupPhase.cpp:
1427         (JSC::DFG::FixupPhase::fixupNode):
1428         * dfg/DFGOSRExitCompiler32_64.cpp:
1429         (JSC::DFG::OSRExitCompiler::compileExit):
1430         * dfg/DFGOSRExitCompiler64.cpp:
1431         (JSC::DFG::OSRExitCompiler::compileExit):
1432         * dfg/DFGSpeculativeJIT.cpp:
1433         (JSC::DFG::SpeculativeJIT::compileArithDiv):
1434         (JSC::DFG::SpeculativeJIT::compileArithMod):
1435         * disassembler/ARM64/A64DOpcode.cpp: Added.
1436         * disassembler/ARM64/A64DOpcode.h: Added.
1437         * disassembler/ARM64Disassembler.cpp: Added.
1438         * heap/MachineStackMarker.cpp:
1439         (JSC::getPlatformThreadRegisters):
1440         (JSC::otherThreadStackPointer):
1441         * heap/Region.h:
1442         * jit/AssemblyHelpers.h:
1443         (JSC::AssemblyHelpers::debugCall):
1444         * jit/CCallHelpers.h:
1445         * jit/ExecutableAllocator.h:
1446         * jit/FPRInfo.h:
1447         (JSC::FPRInfo::toRegister):
1448         (JSC::FPRInfo::toIndex):
1449         (JSC::FPRInfo::debugName):
1450         * jit/GPRInfo.h:
1451         (JSC::GPRInfo::toRegister):
1452         (JSC::GPRInfo::toIndex):
1453         (JSC::GPRInfo::debugName):
1454         * jit/JITInlines.h:
1455         (JSC::JIT::restoreArgumentReferenceForTrampoline):
1456         * jit/JITOperationWrappers.h:
1457         * jit/JITOperations.cpp:
1458         * jit/JITStubs.cpp:
1459         (JSC::performPlatformSpecificJITAssertions):
1460         (JSC::tryCachePutByID):
1461         * jit/JITStubs.h:
1462         (JSC::JITStackFrame::returnAddressSlot):
1463         * jit/JITStubsARM64.h: Added.
1464         * jit/JSInterfaceJIT.h:
1465         * jit/Repatch.cpp:
1466         (JSC::emitRestoreScratch):
1467         (JSC::generateProtoChainAccessStub):
1468         (JSC::tryCacheGetByID):
1469         (JSC::emitPutReplaceStub):
1470         (JSC::tryCachePutByID):
1471         (JSC::tryRepatchIn):
1472         * jit/ScratchRegisterAllocator.h:
1473         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
1474         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
1475         * jit/ThunkGenerators.cpp:
1476         (JSC::nativeForGenerator):
1477         (JSC::floorThunkGenerator):
1478         (JSC::ceilThunkGenerator):
1479         * jsc.cpp:
1480         (main):
1481         * llint/LLIntOfflineAsmConfig.h:
1482         * llint/LLIntSlowPaths.cpp:
1483         (JSC::LLInt::handleHostCall):
1484         * llint/LowLevelInterpreter.asm:
1485         * llint/LowLevelInterpreter64.asm:
1486         * offlineasm/arm.rb:
1487         * offlineasm/arm64.rb: Added.
1488         * offlineasm/backends.rb:
1489         * offlineasm/instructions.rb:
1490         * offlineasm/risc.rb:
1491         * offlineasm/transform.rb:
1492         * yarr/YarrJIT.cpp:
1493         (JSC::Yarr::YarrGenerator::alignCallFrameSizeInBytes):
1494         (JSC::Yarr::YarrGenerator::initCallFrame):
1495         (JSC::Yarr::YarrGenerator::removeCallFrame):
1496         (JSC::Yarr::YarrGenerator::generateEnter):
1497         * yarr/YarrJIT.h:
1498
1499 2013-10-15  Mark Lam  <mark.lam@apple.com>
1500
1501         Fix 3 operand sub operation in C loop LLINT.
1502         https://bugs.webkit.org/show_bug.cgi?id=122866.
1503
1504         Reviewed by Geoffrey Garen.
1505
1506         * offlineasm/cloop.rb:
1507
1508 2013-10-15  Mark Hahnenberg  <mhahnenberg@apple.com>
1509
1510         ObjCCallbackFunctionImpl shouldn't store a JSContext
1511         https://bugs.webkit.org/show_bug.cgi?id=122531
1512
1513         Reviewed by Geoffrey Garen.
1514
1515         The m_context field in ObjCCallbackFunctionImpl is vestigial and is only incidentally correct
1516         in the common case. It's also no longer necessary in that we can look up the current JSContext
1517         by using the globalObject of the callee when the function callback is invoked.
1518  
1519         Also added a new test that would cause us to crash previously. The test required making 
1520         JSContextGetGlobalContext public API so that clients can obtain a JSContext from the JSContextRef
1521         in C API callbacks.
1522
1523         * API/JSContextRef.h:
1524         * API/JSContextRefPrivate.h:
1525         * API/ObjCCallbackFunction.mm:
1526         (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
1527         (JSC::objCCallbackFunctionCallAsFunction):
1528         (objCCallbackFunctionForInvocation):
1529         * API/WebKitAvailability.h:
1530         * API/tests/CurrentThisInsideBlockGetterTest.h: Added.
1531         * API/tests/CurrentThisInsideBlockGetterTest.mm: Added.
1532         (CallAsConstructor):
1533         (ConstructorFinalize):
1534         (ConstructorClass):
1535         (+[JSValue valueWithConstructorDescriptor:inContext:]):
1536         (-[JSContext valueWithConstructorDescriptor:]):
1537         (currentThisInsideBlockGetterTest):
1538         * API/tests/testapi.mm:
1539         * JavaScriptCore.xcodeproj/project.pbxproj:
1540         * debugger/Debugger.cpp: Had to add some fully qualified names to avoid conflicts with Mac OS X headers.
1541
1542 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
1543
1544         Fix build after r157457 for architectures with 4 argument registers.
1545         https://bugs.webkit.org/show_bug.cgi?id=122860
1546
1547         Reviewed by Michael Saboff.
1548
1549         * jit/CCallHelpers.h:
1550         (JSC::CCallHelpers::setupStubArguments134):
1551
1552 2013-10-14  Michael Saboff  <msaboff@apple.com>
1553
1554         transition void cti_op_* methods to JIT operations.
1555         https://bugs.webkit.org/show_bug.cgi?id=122617
1556
1557         Reviewed by Geoffrey Garen.
1558
1559         Converted the following stubs to JIT operations:
1560             cti_handle_watchdog_timer
1561             cti_op_debug
1562             cti_op_pop_scope
1563             cti_op_profile_did_call
1564             cti_op_profile_will_call
1565             cti_op_put_by_index
1566             cti_op_put_getter_setter
1567             cti_op_tear_off_activation
1568             cti_op_tear_off_arguments
1569             cti_op_throw_static_error
1570             cti_optimize
1571
1572         * dfg/DFGOperations.cpp:
1573         * dfg/DFGOperations.h:
1574         * jit/CCallHelpers.h:
1575         (JSC::CCallHelpers::setupArgumentsWithExecState):
1576         (JSC::CCallHelpers::setupThreeStubArgsGPR):
1577         (JSC::CCallHelpers::setupStubArguments):
1578         (JSC::CCallHelpers::setupStubArguments134):
1579         * jit/JIT.cpp:
1580         (JSC::JIT::emitEnterOptimizationCheck):
1581         * jit/JIT.h:
1582         * jit/JITInlines.h:
1583         (JSC::JIT::callOperation):
1584         * jit/JITOpcodes.cpp:
1585         (JSC::JIT::emit_op_tear_off_activation):
1586         (JSC::JIT::emit_op_tear_off_arguments):
1587         (JSC::JIT::emit_op_push_with_scope):
1588         (JSC::JIT::emit_op_pop_scope):
1589         (JSC::JIT::emit_op_push_name_scope):
1590         (JSC::JIT::emit_op_throw_static_error):
1591         (JSC::JIT::emit_op_debug):
1592         (JSC::JIT::emit_op_profile_will_call):
1593         (JSC::JIT::emit_op_profile_did_call):
1594         (JSC::JIT::emitSlow_op_loop_hint):
1595         * jit/JITOpcodes32_64.cpp:
1596         (JSC::JIT::emit_op_push_with_scope):
1597         (JSC::JIT::emit_op_pop_scope):
1598         (JSC::JIT::emit_op_push_name_scope):
1599         (JSC::JIT::emit_op_throw_static_error):
1600         (JSC::JIT::emit_op_debug):
1601         (JSC::JIT::emit_op_profile_will_call):
1602         (JSC::JIT::emit_op_profile_did_call):
1603         * jit/JITOperations.cpp:
1604         * jit/JITOperations.h:
1605         * jit/JITPropertyAccess.cpp:
1606         (JSC::JIT::emit_op_put_by_index):
1607         (JSC::JIT::emit_op_put_getter_setter):
1608         * jit/JITPropertyAccess32_64.cpp:
1609         (JSC::JIT::emit_op_put_by_index):
1610         (JSC::JIT::emit_op_put_getter_setter):
1611         * jit/JITStubs.cpp:
1612         * jit/JITStubs.h:
1613
1614 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
1615
1616         [sh4] Introduce const pools in LLINT.
1617         https://bugs.webkit.org/show_bug.cgi?id=122746
1618
1619         Reviewed by Michael Saboff.
1620
1621         In the current implementation of LLINT for sh4, immediate values outside the range -128..127 are
1622         loaded this way:
1623
1624             mov.l .label, rx
1625             bra out
1626             nop
1627             .balign 4
1628             .label: .long immvalue
1629             out:
1630
1631         This change introduces const pools for the sh4 implementation to avoid lots of useless branches
1632         and reduce code size. It also removes lines of dirty code, like jmpf and callf.
1633
1634         * offlineasm/instructions.rb: Remove jmpf and callf sh4 specific instructions.
1635         * offlineasm/sh4.rb:
1636
1637 2013-10-15  Mark Lam  <mark.lam@apple.com>
1638
1639         Fix broken C Loop LLINT build.
1640         https://bugs.webkit.org/show_bug.cgi?id=122839.
1641
1642         Reviewed by Michael Saboff.
1643
1644         * dfg/DFGFlushedAt.cpp:
1645         * jit/JITOperations.h:
1646
1647 2013-10-14  Mark Lam  <mark.lam@apple.com>
1648
1649         Transition *switch* and *scope* JITStubs to JIT operations.
1650         https://bugs.webkit.org/show_bug.cgi?id=122757.
1651
1652         Reviewed by Geoffrey Garen.
1653
1654         Transitioning:
1655             cti_op_switch_char
1656             cti_op_switch_imm
1657             cti_op_switch_string
1658             cti_op_resolve_scope
1659             cti_op_get_from_scope
1660             cti_op_put_to_scope
1661
1662         * jit/JIT.h:
1663         * jit/JITInlines.h:
1664         (JSC::JIT::callOperation):
1665         * jit/JITOpcodes.cpp:
1666         (JSC::JIT::emit_op_switch_imm):
1667         (JSC::JIT::emit_op_switch_char):
1668         (JSC::JIT::emit_op_switch_string):
1669         * jit/JITOpcodes32_64.cpp:
1670         (JSC::JIT::emit_op_switch_imm):
1671         (JSC::JIT::emit_op_switch_char):
1672         (JSC::JIT::emit_op_switch_string):
1673         * jit/JITOperations.cpp:
1674         * jit/JITOperations.h:
1675         * jit/JITPropertyAccess.cpp:
1676         (JSC::JIT::emitSlow_op_resolve_scope):
1677         (JSC::JIT::emitSlow_op_get_from_scope):
1678         (JSC::JIT::emitSlow_op_put_to_scope):
1679         * jit/JITPropertyAccess32_64.cpp:
1680         (JSC::JIT::emitSlow_op_resolve_scope):
1681         (JSC::JIT::emitSlow_op_get_from_scope):
1682         (JSC::JIT::emitSlow_op_put_to_scope):
1683         * jit/JITStubs.cpp:
1684         * jit/JITStubs.h:
1685
1686 2013-10-14  Filip Pizlo  <fpizlo@apple.com>
1687
1688         DFG PutById IC should use the ConcurrentJITLocker since it's now dealing with IC's that get read by the compiler thread
1689         https://bugs.webkit.org/show_bug.cgi?id=122786
1690
1691         Reviewed by Mark Hahnenberg.
1692
1693         * bytecode/CodeBlock.cpp:
1694         (JSC::CodeBlock::resetStub): Resetting a stub should acquire the lock since this is observable from the thread; but we should only acquire the lock if we're resetting outside of GC.
1695         * jit/Repatch.cpp:
1696         (JSC::repatchPutByID): Doing the PutById patching should hold the lock.
1697         (JSC::buildPutByIdList): Ditto.
1698
1699 2013-10-14  Nadav Rotem  <nrotem@apple.com>
1700
1701         Add FTL support for LogicalNot(string)
1702         https://bugs.webkit.org/show_bug.cgi?id=122765
1703
1704         Reviewed by Filip Pizlo.
1705
1706         This patch is tested by:
1707         regress/script-tests/emscripten-cube2hash.js.ftl-eager
1708
1709         * ftl/FTLCapabilities.cpp:
1710         (JSC::FTL::canCompile):
1711         * ftl/FTLLowerDFGToLLVM.cpp:
1712         (JSC::FTL::LowerDFGToLLVM::compileLogicalNot):
1713
1714 2013-10-14  Julien Brianceau  <jbriance@cisco.com>
1715
1716         [sh4] Fixes after r157404 and r157411.
1717         https://bugs.webkit.org/show_bug.cgi?id=122782
1718
1719         Reviewed by Michael Saboff.
1720
1721         * dfg/DFGSpeculativeJIT.h:
1722         (JSC::DFG::SpeculativeJIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG.
1723         * jit/CCallHelpers.h:
1724         (JSC::CCallHelpers::setupArgumentsWithExecState):
1725         * jit/JITInlines.h:
1726         (JSC::JIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG.
1727         * jit/JITPropertyAccess32_64.cpp:
1728         (JSC::JIT::emit_op_put_by_id): Remove unwanted BEGIN_UNINTERRUPTED_SEQUENCE.
1729
1730 2013-10-14  Commit Queue  <commit-queue@webkit.org>
1731
1732         Unreviewed, rolling out r157413.
1733         http://trac.webkit.org/changeset/157413
1734         https://bugs.webkit.org/show_bug.cgi?id=122779
1735
1736         Appears to have caused frequent crashes (Requested by ap on
1737         #webkit).
1738
1739         * CMakeLists.txt:
1740         * GNUmakefile.list.am:
1741         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1742         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1743         * JavaScriptCore.xcodeproj/project.pbxproj:
1744         * heap/DeferGC.cpp: Removed.
1745         * heap/DeferGC.h:
1746         * jit/JITStubs.cpp:
1747         (JSC::tryCacheGetByID):
1748         (JSC::DEFINE_STUB_FUNCTION):
1749         * llint/LLIntSlowPaths.cpp:
1750         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1751         * runtime/ConcurrentJITLock.h:
1752         * runtime/InitializeThreading.cpp:
1753         (JSC::initializeThreadingOnce):
1754         * runtime/JSCellInlines.h:
1755         (JSC::allocateCell):
1756         * runtime/Structure.cpp:
1757         (JSC::Structure::materializePropertyMap):
1758         (JSC::Structure::putSpecificValue):
1759         (JSC::Structure::createPropertyMap):
1760         * runtime/Structure.h:
1761
1762 2013-10-14  Mark Hahnenberg  <mhahnenberg@apple.com>
1763
1764         COLLECT_ON_EVERY_ALLOCATION causes assertion failures
1765         https://bugs.webkit.org/show_bug.cgi?id=122652
1766
1767         Reviewed by Filip Pizlo.
1768
1769         COLLECT_ON_EVERY_ALLOCATION wasn't accounting for the new GC deferral mechanism,
1770         so we would end up ASSERTing during garbage collection.
1771
1772         * heap/MarkedAllocator.cpp:
1773         (JSC::MarkedAllocator::allocateSlowCase):
1774
1775 2013-10-11  Oliver Hunt  <oliver@apple.com>
1776
1777         Separate out array iteration intrinsics
1778         https://bugs.webkit.org/show_bug.cgi?id=122656
1779
1780         Reviewed by Michael Saboff.
1781
1782         Separate out the intrinsics for key and values iteration
1783         of arrays.
1784
1785         This requires moving array iteration into the iterator
1786         instance, rather than the prototype, but this is essentially
1787         unobservable so we'll live with it for now.
1788
1789         * jit/ThunkGenerators.cpp:
1790         (JSC::arrayIteratorNextThunkGenerator):
1791         (JSC::arrayIteratorNextKeyThunkGenerator):
1792         (JSC::arrayIteratorNextValueThunkGenerator):
1793         * jit/ThunkGenerators.h:
1794         * runtime/ArrayIteratorPrototype.cpp:
1795         (JSC::ArrayIteratorPrototype::finishCreation):
1796         * runtime/Intrinsic.h:
1797         * runtime/JSArrayIterator.cpp:
1798         (JSC::JSArrayIterator::finishCreation):
1799         (JSC::createIteratorResult):
1800         (JSC::arrayIteratorNext):
1801         (JSC::arrayIteratorNextKey):
1802         (JSC::arrayIteratorNextValue):
1803         (JSC::arrayIteratorNextGeneric):
1804         * runtime/VM.cpp:
1805         (JSC::thunkGeneratorForIntrinsic):
1806
1807 2013-10-11  Mark Hahnenberg  <mhahnenberg@apple.com>
1808
1809         llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
1810         https://bugs.webkit.org/show_bug.cgi?id=122667
1811
1812         Reviewed by Filip Pizlo.
1813
1814         The issue this patch is attempting to fix is that there are places in our codebase
1815         where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
1816         operations that can initiate a garbage collection. Garbage collection then calls 
1817         some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
1818         always necessarily run during garbage collection). This causes a deadlock.
1819
1820         To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores 
1821         into a thread-local field that indicates that it is unsafe to perform any operation 
1822         that could trigger garbage collection on the current thread. In debug builds, 
1823         ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly 
1824         detect deadlocks.
1825
1826         This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
1827         which uses the DeferGC mechanism to prevent collections from occurring while the 
1828         lock is held.
1829
1830         * CMakeLists.txt:
1831         * GNUmakefile.list.am:
1832         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1833         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1834         * JavaScriptCore.xcodeproj/project.pbxproj:
1835         * heap/DeferGC.cpp: Added.
1836         * heap/DeferGC.h:
1837         (JSC::DisallowGC::DisallowGC):
1838         (JSC::DisallowGC::~DisallowGC):
1839         (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
1840         (JSC::DisallowGC::initialize):
1841         * jit/JITStubs.cpp:
1842         (JSC::tryCachePutByID):
1843         (JSC::tryCacheGetByID):
1844         (JSC::DEFINE_STUB_FUNCTION):
1845         * llint/LLIntSlowPaths.cpp:
1846         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1847         * runtime/ConcurrentJITLock.h:
1848         (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
1849         (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
1850         (JSC::ConcurrentJITLockerBase::unlockEarly):
1851         (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
1852         (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
1853         * runtime/InitializeThreading.cpp:
1854         (JSC::initializeThreadingOnce):
1855         * runtime/JSCellInlines.h:
1856         (JSC::allocateCell):
1857         * runtime/Structure.cpp:
1858         (JSC::Structure::materializePropertyMap):
1859         (JSC::Structure::putSpecificValue):
1860         (JSC::Structure::createPropertyMap):
1861         * runtime/Structure.h:
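
        As an added illustration (not JavaScriptCore's code): a compact C++ model of the DisallowGC guard, a debug-style locker that embeds one, and a DeferGC-based GC-safe locker as the entry describes. The Heap, Locker and GCSafeLocker types and the "every 4th allocation collects" rule are constructed for the example, and a thrown exception stands in for the debug ASSERT.

```cpp
#include <mutex>
#include <stdexcept>

// Thread-local nesting depth of regions in which triggering a GC is unsafe.
static thread_local unsigned gcDisallowDepth = 0;
// RAII guard: while one is alive, any attempt to collect on this thread is an error.
class DisallowGC {
public:
    DisallowGC() { ++gcDisallowDepth; }
    ~DisallowGC() { --gcDisallowDepth; }
    static bool isGCDisallowedOnCurrentThread() { return gcDisallowDepth != 0; }
};
// Heap stand-in (constructed): every 4th allocation wants to collect; collecting
// while GC is disallowed throws, which stands in for the debug-build ASSERT.
struct Heap {
    unsigned allocationsSinceGC = 0, collections = 0, deferDepth = 0;
    bool collectionDeferred = false;
    void collect() {
        if (DisallowGC::isGCDisallowedOnCurrentThread())
            throw std::logic_error("collection attempted while GC is disallowed");
        ++collections; allocationsSinceGC = 0;
    }
    void allocate() {
        if (++allocationsSinceGC % 4 != 0) return;
        if (deferDepth) collectionDeferred = true; // runs when the last DeferGC ends
        else collect();
    }
};

// DeferGC: a collection requested while one is alive runs when the last one ends.
class DeferGC {
    Heap& m_heap;
public:
    explicit DeferGC(Heap& heap) : m_heap(heap) { ++m_heap.deferDepth; }
    ~DeferGC() {
        if (--m_heap.deferDepth != 0 || !m_heap.collectionDeferred) return;
        m_heap.collectionDeferred = false; m_heap.collect();
    }
};
// Plain locker: embeds a DisallowGC so allocating under it is caught eagerly.
class Locker {
    std::lock_guard<std::mutex> m_guard;
    DisallowGC m_disallowGC;
public:
    explicit Locker(std::mutex& lock) : m_guard(lock) {}
};
// GC-safe locker: defers collection instead of forbidding it. Members are destroyed
// in reverse order, so the lock is released before the deferred collection runs.
class GCSafeLocker {
    DeferGC m_deferGC;
    std::lock_guard<std::mutex> m_guard;
public:
    GCSafeLocker(Heap& heap, std::mutex& lock) : m_deferGC(heap), m_guard(lock) {}
};
// Deadlock-prone pattern: allocate under the plain lock. True when the guard catches it.
bool allocationUnderPlainLockIsCaught() {
    Heap heap; std::mutex lock;
    try {
        Locker locker(lock);
        for (int i = 0; i < 4; ++i) heap.allocate();
        return false;
    } catch (const std::logic_error&) { return true; }
}

// Fixed pattern: nothing collects under the GC-safe lock; the deferred collection
// runs when the locker is destroyed. Returns the collection count (expected 1).
unsigned collectionsAfterGCSafeLock() {
    Heap heap; std::mutex lock;
    {
        GCSafeLocker locker(heap, lock);
        for (int i = 0; i < 4; ++i) heap.allocate();
        if (heap.collections != 0) return 0; // a collection ran under the lock: wrong
    }
    return heap.collections;
}
```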
1862
1863 2013-10-14  Filip Pizlo  <fpizlo@apple.com>
1864
1865         Baseline JIT should use the DFG's PutById IC
1866         https://bugs.webkit.org/show_bug.cgi?id=122704
1867
1868         Reviewed by Mark Hahnenberg.
1869         
1870         Mostly no big deal, just removing the old Baseline JIT's put_by_id IC support and forcing
1871         that JIT to use the DFG's (i.e. JITOperations) PutById IC.
1872         
1873         The only complicated part was that the PutById operations assumed that we first did a
1874         cell speculation, which the baseline JIT obviously won't do. So I changed all of those
1875         slow paths to deal with EncodedJSValue's.
1876
1877         * bytecode/CodeBlock.cpp:
1878         (JSC::CodeBlock::resetStubInternal):
1879         * bytecode/PutByIdStatus.cpp:
1880         (JSC::PutByIdStatus::computeFor):
1881         * dfg/DFGSpeculativeJIT.h:
1882         (JSC::DFG::SpeculativeJIT::callOperation):
1883         * dfg/DFGSpeculativeJIT32_64.cpp:
1884         (JSC::DFG::SpeculativeJIT::cachedPutById):
1885         * dfg/DFGSpeculativeJIT64.cpp:
1886         (JSC::DFG::SpeculativeJIT::cachedPutById):
1887         * jit/CCallHelpers.h:
1888         (JSC::CCallHelpers::setupArgumentsWithExecState):
1889         * jit/JIT.cpp:
1890         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
1891         * jit/JIT.h:
1892         (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
1893         (JSC::PropertyStubCompilationInfo::slowCaseInfo):
1894         * jit/JITInlines.h:
1895         (JSC::JIT::callOperation):
1896         * jit/JITOperationWrappers.h:
1897         * jit/JITOperations.cpp:
1898         * jit/JITOperations.h:
1899         * jit/JITPropertyAccess.cpp:
1900         (JSC::JIT::compileGetByIdHotPath):
1901         (JSC::JIT::compileGetByIdSlowCase):
1902         (JSC::JIT::emit_op_put_by_id):
1903         (JSC::JIT::emitSlow_op_put_by_id):
1904         * jit/JITPropertyAccess32_64.cpp:
1905         (JSC::JIT::compileGetByIdSlowCase):
1906         (JSC::JIT::emit_op_put_by_id):
1907         (JSC::JIT::emitSlow_op_put_by_id):
1908         * jit/JITStubs.cpp:
1909         * jit/JITStubs.h:
1910         * jit/Repatch.cpp:
1911         (JSC::appropriateGenericPutByIdFunction):
1912         (JSC::appropriateListBuildingPutByIdFunction):
1913         (JSC::resetPutByID):
1914
1915 2013-10-13  Filip Pizlo  <fpizlo@apple.com>
1916
1917         FTL should have an inefficient but correct implementation of GetById
1918         https://bugs.webkit.org/show_bug.cgi?id=122740
1919
1920         Reviewed by Mark Hahnenberg.
1921         
1922         It took some effort to realize that the node->prediction() check in the DFG backends
1923         is completely unnecessary since the ByteCodeParser will always insert a ForceOSRExit
1924         if !prediction.
1925         
1926         But other than that this was an easy patch.
1927
1928         * dfg/DFGByteCodeParser.cpp:
1929         (JSC::DFG::ByteCodeParser::handleGetById):
1930         * dfg/DFGSpeculativeJIT32_64.cpp:
1931         (JSC::DFG::SpeculativeJIT::compile):
1932         * dfg/DFGSpeculativeJIT64.cpp:
1933         (JSC::DFG::SpeculativeJIT::compile):
1934         * ftl/FTLCapabilities.cpp:
1935         (JSC::FTL::canCompile):
1936         * ftl/FTLIntrinsicRepository.h:
1937         * ftl/FTLLowerDFGToLLVM.cpp:
1938         (JSC::FTL::LowerDFGToLLVM::compileNode):
1939         (JSC::FTL::LowerDFGToLLVM::compileGetById):
1940
1941 2013-10-13  Mark Lam  <mark.lam@apple.com>
1942
1943         Transition misc cti_op_* JITStubs to JIT operations.
1944         https://bugs.webkit.org/show_bug.cgi?id=122645.
1945
1946         Reviewed by Michael Saboff.
1947
1948         Stubs converted:
1949             cti_op_check_has_instance
1950             cti_op_create_arguments
1951             cti_op_del_by_id
1952             cti_op_instanceof
1953             cti_to_object
1954             cti_op_push_activation
1955             cti_op_get_pnames
1956             cti_op_load_varargs
1957
1958         * dfg/DFGOperations.cpp:
1959         * dfg/DFGOperations.h:
1960         * jit/CCallHelpers.h:
1961         (JSC::CCallHelpers::setupArgumentsWithExecState):
1962         * jit/JIT.h:
1963         (JSC::JIT::emitStoreCell):
1964         * jit/JITCall.cpp:
1965         (JSC::JIT::compileLoadVarargs):
1966         * jit/JITCall32_64.cpp:
1967         (JSC::JIT::compileLoadVarargs):
1968         * jit/JITInlines.h:
1969         (JSC::JIT::callOperation):
1970         * jit/JITOpcodes.cpp:
1971         (JSC::JIT::emit_op_get_pnames):
1972         (JSC::JIT::emit_op_create_activation):
1973         (JSC::JIT::emit_op_create_arguments):
1974         (JSC::JIT::emitSlow_op_check_has_instance):
1975         (JSC::JIT::emitSlow_op_instanceof):
1976         (JSC::JIT::emitSlow_op_get_argument_by_val):
1977         * jit/JITOpcodes32_64.cpp:
1978         (JSC::JIT::emitSlow_op_check_has_instance):
1979         (JSC::JIT::emitSlow_op_instanceof):
1980         (JSC::JIT::emit_op_get_pnames):
1981         (JSC::JIT::emit_op_create_activation):
1982         (JSC::JIT::emit_op_create_arguments):
1983         (JSC::JIT::emitSlow_op_get_argument_by_val):
1984         * jit/JITOperations.cpp:
1985         * jit/JITOperations.h:
1986         * jit/JITPropertyAccess.cpp:
1987         (JSC::JIT::emit_op_del_by_id):
1988         * jit/JITPropertyAccess32_64.cpp:
1989         (JSC::JIT::emit_op_del_by_id):
1990         * jit/JITStubs.cpp:
1991         * jit/JITStubs.h:
1992
1993 2013-10-13  Filip Pizlo  <fpizlo@apple.com>
1994
1995         FTL OSR exit should perform zero extension on values smaller than 64-bit
1996         https://bugs.webkit.org/show_bug.cgi?id=122688
1997
1998         Reviewed by Gavin Barraclough.
1999         
2000         In the DFG we usually make the simplistic assumption that a 32-bit value in a 64-bit
2001         register will have zeros on the high bits.  In the few cases where the high bits are
2002         non-zero, the DFG sort of tells us this explicitly.
2003
2004         But when working with llvm.webkit.stackmap, it doesn't work that way.  Consider that we might
2005         emit LLVM IR like:
2006
2007             %2 = trunc i64 %1 to i32
2008             stuff %2
2009             call @llvm.webkit.stackmap(...., %2)
2010
2011         LLVM may never actually emit a truncation instruction of any kind.  And that's great - in
2012         many cases it won't be needed, like if 'stuff %2' is a 32-bit op that ignores the high
2013         bits anyway.  Hence LLVM may tell us that %2 is in the register that still had the value
2014         from before truncation, and that register may have garbage in the high bits.
2015
2016         This means that on our end, if we want a 32-bit value and we want that value to be
2017         zero-extended, we should zero-extend it ourselves.  This is pretty easy and should be
2018         cheap, so we should just do it and not make it a requirement that LLVM does it on its
2019         end.
2020         
2021         This makes all tests pass with JSC_ftlOSRExitUsesStackmap=true.
2022
2023         * ftl/FTLOSRExitCompiler.cpp:
2024         (JSC::FTL::compileStubWithOSRExitStackmap):
2025         * ftl/FTLValueFormat.cpp:
2026         (JSC::FTL::reboxAccordingToFormat):
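
        As an added illustration (not JavaScriptCore's code): reboxing an OSR-exit value whose register still carries bits left over from before the truncation, using the constants of JSC's 64-bit JSValue encoding (TagTypeNumber, ValueFalse, ValueTrue). The ValueFormat enum, the two rebox functions and the register images are constructed for the example.

```cpp
#include <cstdint>

// JSC 64-bit JSValue encoding: an int32 is TagTypeNumber | zero-extended value;
// booleans are the small constants ValueFalse (0x06) and ValueTrue (0x07).
constexpr uint64_t TagTypeNumber = 0xffff000000000000ULL;
constexpr uint64_t ValueFalse = 0x06;
constexpr uint64_t ValueTrue = 0x07;

// Constructed for the example: the formats a register value may be recorded in.
enum class ValueFormat { Int32, Boolean };

// Canonical boxing, as the runtime itself produces it.
constexpr uint64_t jsInt32(int32_t value) {
    return TagTypeNumber | static_cast<uint32_t>(value);
}
constexpr uint64_t jsBoolean(bool b) { return b ? ValueTrue : ValueFalse; }
constexpr bool isInt32(uint64_t v) { return (v & TagTypeNumber) == TagTypeNumber; }
inline int32_t asInt32(uint64_t v) { return static_cast<int32_t>(static_cast<uint32_t>(v)); }

// The wrong approach: trust that LLVM left the high bits of the register clean.
uint64_t reboxTrustingHighBits(ValueFormat format, uint64_t reg) {
    switch (format) {
    case ValueFormat::Int32:   return TagTypeNumber | reg;
    case ValueFormat::Boolean: return ValueFalse | reg;
    }
    return 0;
}

// The approach the entry describes: zero-extend on our side (mask to the value's
// width) before tagging, so stale bits from before the truncation cannot leak in.
uint64_t reboxWithZeroExtension(ValueFormat format, uint64_t reg) {
    switch (format) {
    case ValueFormat::Int32:   return TagTypeNumber | (reg & 0xffffffffULL);
    case ValueFormat::Boolean: return ValueFalse | (reg & 1);
    }
    return 0;
}

// Constructed register images: the low 32 bits (or the low bit) hold the real
// value; everything above is whatever the pre-truncation value left behind.
constexpr uint64_t kRegisterInt5WithGarbage  = 0xdeadbeef00000005ULL; // i32 = 5
constexpr uint64_t kRegisterMinusOneNotClean = 0x00c0ffeeffffffffULL; // i32 = -1
constexpr uint64_t kRegisterTrueWithGarbage  = 0x123456789abcdef1ULL; // i1 = 1

// Shows the subtle failure for int32: the trusting rebox still decodes as 5 but is
// not the canonical encoding, so a bitwise JSValue comparison with jsInt32(5) fails.
bool trustingReboxIsNonCanonical() {
    uint64_t v = reboxTrustingHighBits(ValueFormat::Int32, kRegisterInt5WithGarbage);
    return isInt32(v) && asInt32(v) == 5 && v != jsInt32(5);
}
```

For the boolean case the trusting rebox is not merely non-canonical: ORing the garbage into ValueFalse yields a value that is no boolean at all.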
2027
2028 == Rolled over to ChangeLog-2013-10-13 ==