Source/JavaScriptCore: Support computed property names in object literals
WebKit-https.git: Source/JavaScriptCore/ChangeLog
2013-10-21  Oliver Hunt  <oliver@apple.com>

        Support computed property names in object literals
        https://bugs.webkit.org/show_bug.cgi?id=123112

        Reviewed by Michael Saboff.

        Add support for computed property names to the parser.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createProperty):
        (JSC::ASTBuilder::getName):
        * parser/NodeConstructors.h:
        (JSC::PropertyNode::PropertyNode):
        * parser/Nodes.h:
        (JSC::PropertyNode::expressionName):
        (JSC::PropertyNode::name):
        * parser/Parser.cpp:
        (JSC::::parseProperty):
        (JSC::::parseStrictObjectLiteral):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::Property::Property):
        (JSC::SyntaxChecker::createProperty):
        (JSC::SyntaxChecker::operatorStackPop):

2013-10-21  Michael Saboff  <msaboff@apple.com>

        Add option so that JSC will crash if it can't allocate executable memory for the JITs
        https://bugs.webkit.org/show_bug.cgi?id=123048
        <rdar://problem/12856193>

        Reviewed by Geoffrey Garen.

        Added new option, called crashIfCantAllocateJITMemory. If this option is true then we crash
        when checking the validity of the executable allocator. The default value for this option is
        false, but jsc sets it to true when built for iOS to make it straightforward to identify whether
        the app can obtain executable memory.

        * jsc.cpp: Explicitly enable crashIfCantAllocateJITMemory on iOS.
        (main):
        * runtime/Options.h: Added option crashIfCantAllocateJITMemory.
        * runtime/VM.cpp:
        (JSC::enableAssembler): Modified to crash if option crashIfCantAllocateJITMemory
        is enabled.

2013-10-21  Nadav Rotem  <nrotem@apple.com>

        Remove AllInOneFile.cpp
        https://bugs.webkit.org/show_bug.cgi?id=123055

        Reviewed by Csaba Osztrogonác.

        * AllInOneFile.cpp: Removed.

2013-10-20  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, clean up a FIXME comment.

        * jit/Repatch.cpp:

2013-10-20  Filip Pizlo  <fpizlo@apple.com>

        StructureStubInfo's usedRegisters set should be able to track all registers, not just the ones that our JITs view as temporaries
        https://bugs.webkit.org/show_bug.cgi?id=123076

        Reviewed by Sam Weinig.

        Start preparing for a world in which we are patching code generated by LLVM, which may have
        very different register usage conventions than our JITs. This requires us to be more explicit
        about the registers we are using. For example, the repatching code shouldn't take for granted
        that tagMaskRegister holds the TagMask or that the register is even in use.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::numberOfRegisters):
        (JSC::MacroAssembler::registerIndex):
        (JSC::MacroAssembler::numberOfFPRegisters):
        (JSC::MacroAssembler::fpRegisterIndex):
        (JSC::MacroAssembler::totalNumberOfRegisters):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::usedRegisters):
        * dfg/DFGSpeculativeJIT.h:
        * ftl/FTLSaveRestore.cpp:
        (JSC::FTL::bytesForGPRs):
        (JSC::FTL::bytesForFPRs):
        (JSC::FTL::offsetOfGPR):
        (JSC::FTL::offsetOfFPR):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/RegisterSet.cpp: Added.
        (JSC::RegisterSet::specialRegisters):
        * jit/RegisterSet.h: Added.
        (JSC::RegisterSet::RegisterSet):
        (JSC::RegisterSet::set):
        (JSC::RegisterSet::clear):
        (JSC::RegisterSet::get):
        (JSC::RegisterSet::merge):
        * jit/Repatch.cpp:
        (JSC::generateProtoChainAccessStub):
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::emitPutReplaceStub):
        (JSC::tryRepatchIn):
        (JSC::linkClosureCall):
        * jit/TempRegisterSet.cpp: Added.
        (JSC::TempRegisterSet::TempRegisterSet):
        * jit/TempRegisterSet.h:

2013-10-20  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Fix build (broken since r157690).
        https://bugs.webkit.org/show_bug.cgi?id=123081

        Reviewed by Andreas Kling.

        * assembler/AssemblerBufferWithConstantPool.h:
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::buffer):
        (JSC::SH4Assembler::readCallTarget):

2013-10-19  Filip Pizlo  <fpizlo@apple.com>

        Simplify TempRegisterSet - it no longer needs to be convertible to a POD since it's no longer going to be a member of a union
        https://bugs.webkit.org/show_bug.cgi?id=123079

        Reviewed by Geoffrey Garen.

        * jit/TempRegisterSet.h:

2013-10-19  Filip Pizlo  <fpizlo@apple.com>

        Rename RegisterSet to TempRegisterSet
        https://bugs.webkit.org/show_bug.cgi?id=123077

        Reviewed by Dan Bernstein.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/StructureStubInfo.h:
        * dfg/DFGJITCompiler.h:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::usedRegisters):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/RegisterSet.h: Removed.
        * jit/ScratchRegisterAllocator.h:
        (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
        * jit/TempRegisterSet.h: Copied from Source/JavaScriptCore/jit/RegisterSet.h.
        (JSC::TempRegisterSet::TempRegisterSet):
        (JSC::TempRegisterSet::asPOD):
        (JSC::TempRegisterSet::copyInfo):

2013-10-19  Filip Pizlo  <fpizlo@apple.com>

        Restructure LinkBuffer to allow for alternate allocation strategies
        https://bugs.webkit.org/show_bug.cgi?id=123071

        Reviewed by Oliver Hunt.

        The idea is to eventually allow a LinkBuffer to place the code into an already
        allocated region of memory.  That region of memory could be the nop-slide left behind
        by an llvm.webkit.patchpoint.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::buffer):
        * assembler/AssemblerBuffer.h:
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        (JSC::LinkBuffer::linkCode):
        (JSC::LinkBuffer::allocate):
        (JSC::LinkBuffer::shrink):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::didFailToAllocate):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::buffer):
        (JSC::X86Assembler::X86InstructionFormatter::memoryModRM):

2013-10-19  Alexey Proskuryakov  <ap@apple.com>

        Some includes in JSC seem to use an incorrect style
        https://bugs.webkit.org/show_bug.cgi?id=123057

        Reviewed by Geoffrey Garen.

        Changed pseudo-system includes to user ones.

        * API/JSContextRef.cpp:
        * API/JSStringRefCF.cpp:
        * API/JSValueRef.cpp:
        * API/OpaqueJSString.cpp:
        * jit/JIT.h:
        * parser/SyntaxChecker.h:
        * runtime/WeakGCMap.h:

2013-10-19  Filip Pizlo  <fpizlo@apple.com>

        Baseline JIT and DFG IC code generation should be unified and rationalized
        https://bugs.webkit.org/show_bug.cgi?id=122939

        Reviewed by Geoffrey Garen.

        Introduce the JITInlineCacheGenerator, which takes a CodeBlock and a CodeOrigin plus
        some register info and creates JIT inline caches for you. Used this to even further
        unify the baseline and DFG ICs. In the future we can use this for FTL ICs. And my hope
        is that we'll be able to use it for cascading ICs: an IC for some instruction may realize
        that it needs to do the equivalent of get_by_id, so with this generator it will be able
        to create an IC even though it wasn't associated with a get_by_id bytecode instruction.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::DataLabelCompact::label):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::ecmaMode):
        * dfg/DFGInlineCacheWrapper.h: Added.
        (JSC::DFG::InlineCacheWrapper::InlineCacheWrapper):
        * dfg/DFGInlineCacheWrapperInlines.h: Added.
        (JSC::DFG::::finalize):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addGetById):
        (JSC::DFG::JITCompiler::addPutById):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::isStrictModeFor):
        (JSC::AssemblyHelpers::strictModeFor):
        * jit/GPRInfo.h:
        (JSC::JSValueRegs::tagGPR):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITInlineCacheGenerator.cpp: Added.
        (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITByIdGenerator::finalize):
        (JSC::JITByIdGenerator::generateFastPathChecks):
        (JSC::JITGetByIdGenerator::generateFastPath):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        (JSC::JITPutByIdGenerator::generateFastPath):
        (JSC::JITPutByIdGenerator::slowPathFunction):
        * jit/JITInlineCacheGenerator.h: Added.
        (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
        (JSC::JITInlineCacheGenerator::stubInfo):
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITByIdGenerator::reportSlowPathCall):
        (JSC::JITByIdGenerator::slowPathJump):
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/RegisterSet.h:
        (JSC::RegisterSet::set):

2013-10-19  Alexey Proskuryakov  <ap@apple.com>

        APICast.h uses functions from JSCJSValueInlines.h, but doesn't include it
        https://bugs.webkit.org/show_bug.cgi?id=123067

        Reviewed by Geoffrey Garen.

        * API/APICast.h: Include it.

2013-10-19  Filip Pizlo  <fpizlo@apple.com>

        FTL::Location should treat the offset as an addend in the case of a Register location
        https://bugs.webkit.org/show_bug.cgi?id=123062

        Reviewed by Sam Weinig.

        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::forStackmaps):
        (JSC::FTL::Location::dump):
        (JSC::FTL::Location::restoreInto):
        * ftl/FTLLocation.h:
        (JSC::FTL::Location::forRegister):
        (JSC::FTL::Location::hasAddend):
        (JSC::FTL::Location::addend):

2013-10-19  Nadav Rotem  <nrotem@apple.com>

        DFG dominators: document and rename stuff.
        https://bugs.webkit.org/show_bug.cgi?id=123056

        Reviewed by Filip Pizlo.

        Documented the code and renamed some variables.

        * dfg/DFGDominators.cpp:
        (JSC::DFG::Dominators::compute):
        (JSC::DFG::Dominators::pruneDominators):
        * dfg/DFGDominators.h:

2013-10-19  Julien Brianceau  <jbriance@cisco.com>

        Fix build failure for architectures with 4 argument registers.
        https://bugs.webkit.org/show_bug.cgi?id=123060

        Reviewed by Michael Saboff.

        Add missing setupArgumentsWithExecState() prototypes for architectures with 4 argument registers.
        Remove SH4 specific code no longer needed since callOperation prototype change in r157660.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):

2013-10-18  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix FTL build.

        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetById):

2013-10-18  Filip Pizlo  <fpizlo@apple.com>

        A CodeBlock's StructureStubInfos shouldn't be in a Vector that we search using code origins and machine code PCs
        https://bugs.webkit.org/show_bug.cgi?id=122940

        Reviewed by Oliver Hunt.

        This accomplishes a number of simplifications. StructureStubInfo is now non-moving,
        whereas previously it was in a Vector, so it moved. This allows you to use pointers to
        StructureStubInfo. This also eliminates the use of return PC as a way of finding the
        StructureStubInfos. It removes some of the need for the compile-time property access
        records; for example the DFG no longer has to save information about registers in a
        property access record only to later save it to the stub info.

        The main thing it accomplishes is that it makes it easier to add StructureStubInfos
        at any stage of compilation.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::addStubInfo):
        (JSC::CodeBlock::getStubInfoMap):
        (JSC::CodeBlock::shrinkToFit):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::begin):
        (JSC::CodeBlock::end):
        (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
        * bytecode/CodeOrigin.h:
        (JSC::CodeOrigin::CodeOrigin):
        (JSC::CodeOrigin::isHashTableDeletedValue):
        (JSC::CodeOrigin::hash):
        (JSC::CodeOriginHash::hash):
        (JSC::CodeOriginHash::equal):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        * bytecode/GetByIdStatus.h:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * bytecode/PutByIdStatus.h:
        * bytecode/StructureStubInfo.h:
        (JSC::getStructureStubInfoCodeOrigin):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::PropertyAccessRecord::PropertyAccessRecord):
        (JSC::DFG::InRecord::InRecord):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JIT.cpp:
        (JSC::PropertyStubCompilationInfo::copyToStubInfo):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::PropertyStubCompilationInfo::slowCaseInfo):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/Repatch.cpp:
        (JSC::appropriateGenericPutByIdFunction):
        (JSC::appropriateListBuildingPutByIdFunction):
        (JSC::resetPutByID):

2013-10-18  Oliver Hunt  <oliver@apple.com>

        Spread operator should be performing direct "puts" and not triggering setters
        https://bugs.webkit.org/show_bug.cgi?id=123047

        Reviewed by Geoffrey Garen.

        Add a new opcode -- op_put_by_val_direct -- and make use of it in the spread-to-array
        construct.  This required a new PutByValDirect node to be introduced to
        the DFG.  The current implementation simply changes the slow path function that
        is called, but in future this could be made faster as it does not need to check
        the prototype chain.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDirectPutByVal):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::getArrayLengthElimination):
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::checkStructureElimination):
        (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::clobbersWorld):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasArrayMode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByVal):
        (JSC::DFG::operationPutByValInternal):
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        (JSC::JIT::compileDirectPutByVal):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::privateCompilePutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_put_by_val):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2013-10-18  Daniel Bates  <dabates@apple.com>

        [iOS] Export symbol for VM::sharedInstanceExists()
        https://bugs.webkit.org/show_bug.cgi?id=123046

        Reviewed by Mark Hahnenberg.

        * runtime/VM.h:

2013-10-18  Daniel Bates  <dabates@apple.com>

        [iOS] Upstream WebSafe{GCActivityCallback, IncrementalSweeper}IOS
        https://bugs.webkit.org/show_bug.cgi?id=123049

        Reviewed by Mark Hahnenberg.

        * heap/Heap.cpp:
        (JSC::Heap::setIncrementalSweeper):
        * heap/Heap.h:
        * heap/HeapTimer.h:
        * heap/IncrementalSweeper.h: Make protected and export CF-variant of constructor.
        Removed unused include of header RetainPtr.h. Also forward declare class MarkedBlock
        (we include its header in the .cpp file) and remove include for header wtf/HashSet.h
        (duplicates the include in the .cpp).
        * heap/MachineStackMarker.h: Export function makeUsableFromMultipleThreads(). We aren't
        making use of this now, but we'll make use of it in a subsequent patch.

2013-10-18  Anders Carlsson  <andersca@apple.com>

        Remove spaces between template angle brackets
        https://bugs.webkit.org/show_bug.cgi?id=123040

        Reviewed by Andreas Kling.

        * API/JSCallbackObject.cpp:
        (JSC::::create):
        * API/JSObjectRef.cpp:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::constants):
        (JSC::CodeBlock::setConstantRegisters):
        * bytecode/DFGExitProfile.h:
        * bytecode/EvalCodeCache.h:
        * bytecode/Operands.h:
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::constantRegisters):
        * bytecode/Watchpoint.h:
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/StaticPropertyAnalysis.h:
        * bytecompiler/StaticPropertyAnalyzer.h:
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        * dfg/DFGBlockInsertionSet.h:
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::performCSE):
        (JSC::DFG::performStoreElimination):
        * dfg/DFGCommonData.h:
        * dfg/DFGDesiredStructureChains.h:
        * dfg/DFGDesiredWatchpoints.h:
        * dfg/DFGJITCompiler.h:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGWorklist.h:
        * heap/BlockAllocator.h:
        (JSC::CopiedBlock):
        (JSC::MarkedBlock):
        (JSC::WeakBlock):
        (JSC::MarkStackSegment):
        (JSC::CopyWorkListSegment):
        (JSC::HandleBlock):
        * heap/Heap.h:
        * heap/Local.h:
        * heap/MarkedBlock.h:
        * heap/Strong.h:
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::decodedCodeMapFor):
        * jit/AssemblyHelpers.h:
        * jit/SpecializedThunkJIT.h:
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::::parseIfStatement):
        * parser/Parser.h:
        (JSC::Scope::copyCapturedVariablesToVector):
        (JSC::parse):
        * parser/ParserArena.h:
        * parser/SourceProviderCacheItem.h:
        * profiler/LegacyProfiler.cpp:
        (JSC::dispatchFunctionToProfiles):
        * profiler/LegacyProfiler.h:
        (JSC::LegacyProfiler::currentProfiles):
        * profiler/ProfileNode.h:
        (JSC::ProfileNode::children):
        * profiler/ProfilerDatabase.h:
        * runtime/Butterfly.h:
        (JSC::Butterfly::contiguousInt32):
        (JSC::Butterfly::contiguous):
        * runtime/GenericTypedArrayViewInlines.h:
        (JSC::::create):
        * runtime/Identifier.h:
        (JSC::Identifier::add):
        * runtime/JSPromise.h:
        * runtime/PropertyMapHashTable.h:
        * runtime/PropertyNameArray.h:
        * runtime/RegExpCache.h:
        * runtime/SparseArrayValueMap.h:
        * runtime/SymbolTable.h:
        * runtime/VM.h:
        * tools/CodeProfile.cpp:
        (JSC::truncateTrace):
        * tools/CodeProfile.h:
        * yarr/YarrInterpreter.cpp:
        * yarr/YarrInterpreter.h:
        (JSC::Yarr::BytecodePattern::BytecodePattern):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
        (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
        (JSC::Yarr::YarrGenerator::opCompileBody):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::checkForTerminalParentheses):
        (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
        * yarr/YarrPattern.h:

2013-10-18  Mark Lam  <mark.lam@apple.com>

        Remove excess reserved space in ctiTrampoline frames for X86 and X86_64.
        https://bugs.webkit.org/show_bug.cgi?id=123037.

        Reviewed by Geoffrey Garen.

        * jit/JITStubsMSVC64.asm:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:

2013-10-18  Filip Pizlo  <fpizlo@apple.com>

        Frequent RELEASE_ASSERT crashes in Structure::checkOffsetConsistency on WebGL swizzler tests
        https://bugs.webkit.org/show_bug.cgi?id=121661

        Reviewed by Mark Hahnenberg.

        This method shouldn't have been called from the concurrent JIT thread. That's hard to prevent
        so I added a return-early check using isCompilationThread().

        Here's why this makes sense. Structure has two ways to tell you about the layout of the objects
        it is describing: m_offset and the property table. Most structures only have m_offset and report
        null for the property table. If the property table is there, it will tell you additional
        information and that information subsumes m_offset - but the m_offset is still there. So, when
        we have a property table, we have to keep it in sync with the m_offset. There is a bunch of
        machinery to do this.

        Changing the property table only happens on the main thread.

        Because the machinery to change the property table is so complex, especially with respect to
        keeping it in sync with m_offset, we have the checkOffsetConsistency method. It's meant to be
        called at key points before and after changes to the property table or the offset.

        Most clients of Structure who care about object layout, including the concurrent thread, will
        want to know m_offset and not the property table. If they want the property table, they will
        already be super careful. The concurrent thread has special methods for this, like
        Structure::getConcurrently(), which uses fine-grained locking to ensure that it sees a coherent
        view of the property table.

        Adding locking to checkOffsetConsistency() is probably a bad idea since that method may be
        called when the relevant lock is already held. So, we'd have awkward recursive locking issues.

        But right now, the concurrent JIT thread may call a method, like Structure::outOfLineCapacity(),
        which has a call to checkOffsetConsistency(). The call to checkOffsetConsistency() is there
        because we have found that it helps quickly identify situations where the property table and
        m_offset get out of sync - mainly because code that changes either of those things will usually
        also want to know the outOfLineCapacity(). But Structure::outOfLineCapacity() doesn't *actually*
        need the property table; it uses the m_offset. The concurrent JIT is correct to call
        outOfLineCapacity(), and is right to do so without holding any locks (since in all cases where
        it calls outOfLineCapacity() it has already proven that m_offset is immutable). But because
        outOfLineCapacity() calls checkOffsetConsistency(), and checkOffsetConsistency() doesn't grab
        locks, and that same structure is having its property table modified by the main thread, we end
        up with these spurious assertion failures. FWIW, the structure isn't *actually* having *its*
        property table modified - instead what happens is that some downstream structure steals the
        property table and then starts adding things to it. The concurrent thread loads the property
        table before it's stolen, and hence the badness.

        I suspect there are other code paths that lead to the concurrent JIT calling some Structure
        method that it is fine and safe to call, but then that method calls checkOffsetConsistency(),
        and then you have a possible crash.

        The most sensible solution to this appears to be to make sure that checkOffsetConsistency() is
        aware of its uselessness to the concurrent JIT thread. This change makes it return early if
        it's in the concurrent JIT.

        * runtime/StructureInlines.h:
        (JSC::Structure::checkOffsetConsistency):

721 2013-10-18  Daniel Bates  <dabates@apple.com>
722
723         Add SPI to disable the garbage collector timer
724         https://bugs.webkit.org/show_bug.cgi?id=122921
725
726         Add null check to Heap::setGarbageCollectionTimerEnabled() that I inadvertently
727         omitted.
728
729         * heap/Heap.cpp:
730         (JSC::Heap::setGarbageCollectionTimerEnabled):
731
732 2013-10-18  Julien Brianceau  <jbriance@cisco.com>
733
734         Group 64-bit specific and 32-bit specific callOperation implementations.
735         https://bugs.webkit.org/show_bug.cgi?id=123024
736
737         Reviewed by Michael Saboff.
738
739         This is not a big deal, but could be less confusing when reading the code.
740
741         * jit/JITInlines.h:
742         (JSC::JIT::callOperation):
743         (JSC::JIT::callOperationWithCallFrameRollbackOnException):
744         (JSC::JIT::callOperationNoExceptionCheck):
745
746 2013-10-18  Nadav Rotem  <nrotem@apple.com>
747
748         Fix a FlushLiveness problem.
749         https://bugs.webkit.org/show_bug.cgi?id=122984
750
751         Reviewed by Filip Pizlo.
752
753         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
754         (JSC::DFG::FlushLivenessAnalysisPhase::process):
755
756 2013-10-18  Michael Saboff  <msaboff@apple.com>
757
758         Change native function call stubs to use JIT operations instead of ctiVMHandleException
759         https://bugs.webkit.org/show_bug.cgi?id=122982
760
761         Reviewed by Geoffrey Garen.
762
763         Change ctiVMHandleException to operationVMHandleException.  Change all exception operations to
764         return the catch callFrame and entryPC via vm.callFrameForThrow and vm.targetMachinePCForThrow.
765         This removed calling convention headaches, fixing https://bugs.webkit.org/show_bug.cgi?id=122980
766         in the process.
767
768         * dfg/DFGJITCompiler.cpp:
769         (JSC::DFG::JITCompiler::compileExceptionHandlers):
770         * jit/CCallHelpers.h:
771         (JSC::CCallHelpers::jumpToExceptionHandler):
772         * jit/JIT.cpp:
773         (JSC::JIT::privateCompileExceptionHandlers):
774         * jit/JIT.h:
775         * jit/JITExceptions.cpp:
776         (JSC::genericUnwind):
777         * jit/JITExceptions.h:
778         * jit/JITInlines.h:
779         (JSC::JIT::callOperationNoExceptionCheck):
780         * jit/JITOpcodes.cpp:
781         (JSC::JIT::emit_op_throw):
782         * jit/JITOpcodes32_64.cpp:
783         (JSC::JIT::privateCompileCTINativeCall):
784         (JSC::JIT::emit_op_throw):
785         * jit/JITOperations.cpp:
786         * jit/JITOperations.h:
787         * jit/JITStubs.cpp:
788         * jit/JITStubs.h:
789         * jit/JITStubsARM.h:
790         * jit/JITStubsARM64.h:
791         * jit/JITStubsARMv7.h:
792         * jit/JITStubsMIPS.h:
793         * jit/JITStubsMSVC64.asm:
794         * jit/JITStubsSH4.h:
795         * jit/JITStubsX86.h:
796         * jit/JITStubsX86_64.h:
797         * jit/Repatch.cpp:
798         (JSC::tryBuildGetByIDList):
799         * jit/SlowPathCall.h:
800         (JSC::JITSlowPathCall::call):
801         * jit/ThunkGenerators.cpp:
802         (JSC::throwExceptionFromCallSlowPathGenerator):
803         (JSC::nativeForGenerator):
804         * runtime/VM.h:
805         (JSC::VM::callFrameForThrowOffset):
806         (JSC::VM::targetMachinePCForThrowOffset):
807
808 2013-10-18  Julien Brianceau  <jbriance@cisco.com>
809
810         Fix J_JITOperation_EAapJ call for MIPS and ARM EABI.
811         https://bugs.webkit.org/show_bug.cgi?id=123023
812
813         Reviewed by Michael Saboff.
814
815         * jit/JITInlines.h:
816         (JSC::JIT::callOperation): EncodedJSValue parameter does not need alignment
817         using EABI_32BIT_DUMMY_ARG here.
818
819 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
820
821         Unreviewed, another ARM64 build fix.
822         
823         Get rid of andPtr(TrustedImmPtr, blah), since it would take Effort to get it to work
824         on ARM64 and none of its uses are legit - they should all be using
825         andPtr(TrustedImm32, blah) anyway.
826
827         * assembler/MacroAssembler.h:
828         * assembler/MacroAssemblerARM64.h:
829         * dfg/DFGJITCompiler.cpp:
830         (JSC::DFG::JITCompiler::compileExceptionHandlers):
831         * jit/JIT.cpp:
832         (JSC::JIT::privateCompileExceptionHandlers):
833
834 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
835
836         Unreviewed, speculative ARM64 build fix.
837         
838         move(ImmPtr, blah) is only available in MacroAssembler since that's where blinding is
839         implemented. So, you have to use TrustedImmPtr in the superclasses.
840
841         * assembler/MacroAssemblerARM64.h:
842         (JSC::MacroAssemblerARM64::store8):
843         (JSC::MacroAssemblerARM64::branchTest8):
844
845 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
846
847         Unreviewed, speculative ARM build fix.
848         https://bugs.webkit.org/show_bug.cgi?id=122890
849         <rdar://problem/15258624>
850
851         * assembler/ARM64Assembler.h:
852         (JSC::ARM64Assembler::firstRegister):
853         (JSC::ARM64Assembler::lastRegister):
854         (JSC::ARM64Assembler::firstFPRegister):
855         (JSC::ARM64Assembler::lastFPRegister):
856         * assembler/MacroAssemblerARM64.h:
857         * assembler/MacroAssemblerARMv7.h:
858
859 2013-10-17  Andreas Kling  <akling@apple.com>
860
861         Pass VM instead of JSGlobalObject to JSONObject constructor.
862         <https://webkit.org/b/122999>
863
864         JSONObject was only using the JSGlobalObject to grab at the VM.
865         Dodge a few loads by passing the VM directly instead.
866
867         Reviewed by Geoffrey Garen.
868
869         * runtime/JSONObject.cpp:
870         (JSC::JSONObject::JSONObject):
871         (JSC::JSONObject::finishCreation):
872         * runtime/JSONObject.h:
873         (JSC::JSONObject::create):
874
875 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
876
877         Removed the JITStackFrame struct
878         https://bugs.webkit.org/show_bug.cgi?id=123001
879
880         Reviewed by Anders Carlsson.
881
882         * jit/JITStubs.h: JITStackFrame and JITStubArg are unused now, since all
883         our helper functions obey the C function call ABI.
884
885 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
886
887         Removed an unused #define
888         https://bugs.webkit.org/show_bug.cgi?id=123000
889
890         Reviewed by Anders Carlsson.
891
892         * jit/JITStubs.h: Removed the concept of JITSTACKFRAME_ARGS_INDEX,
893         since it is unused now. This is a step toward using the C stack.
894
895 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
896
897         Eliminate uses of JITSTACKFRAME_ARGS_INDEX as scratch area for thunks
898         https://bugs.webkit.org/show_bug.cgi?id=122973
899
900         Reviewed by Michael Saboff.
901
902         * jit/ThunkGenerators.cpp:
903         (JSC::throwExceptionFromCallSlowPathGenerator): This was all dead code,
904         so I removed it.
905
906         The code acted as if it needed to pass an argument to
907         lookupExceptionHandler, and as if it passed that argument to itself
908         through JITStackFrame. However, lookupExceptionHandler does not take
909         an argument (other than the default ExecState argument), and the code
910         did not initialize the thing that it thought it passed to itself!
911
912 2013-10-17  Alex Christensen  <achristensen@webkit.org>
913
914         Run JavaScriptCore tests again on Windows.
915         https://bugs.webkit.org/show_bug.cgi?id=122787
916
917         Reviewed by Tim Horton.
918
919         * JavaScriptCore.vcxproj/JavaScriptCore.sln: Added.
920         * jit/JITStubsMSVC64.asm: Removed reference to cti_vm_throw unused since r157581.
921
922 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
923
924         Removed restoreArgumentReference (another use of JITStackFrame)
925         https://bugs.webkit.org/show_bug.cgi?id=122997
926
927         Reviewed by Oliver Hunt.
928
929         * jit/JSInterfaceJIT.h: Removed an unused function. This is a step
930         toward using the C stack.
931
932 2013-10-17  Oliver Hunt  <oliver@apple.com>
933
934         Remove JITStubCall.h
935         https://bugs.webkit.org/show_bug.cgi?id=122991
936
937         Reviewed by Geoff Garen.
938
939         Happily this is no longer used.
940
941         * GNUmakefile.list.am:
942         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
943         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
944         * JavaScriptCore.xcodeproj/project.pbxproj:
945         * jit/JIT.cpp:
946         * jit/JITArithmetic.cpp:
947         * jit/JITArithmetic32_64.cpp:
948         * jit/JITCall.cpp:
949         * jit/JITCall32_64.cpp:
950         * jit/JITOpcodes.cpp:
951         * jit/JITOpcodes32_64.cpp:
952         * jit/JITPropertyAccess.cpp:
953         * jit/JITPropertyAccess32_64.cpp:
954         * jit/JITStubCall.h: Removed.
955
956 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
957
958         Removed a use of JITSTACKFRAME_ARGS_INDEX
959         https://bugs.webkit.org/show_bug.cgi?id=122989
960
961         Reviewed by Oliver Hunt.
962
963         * jit/JITStubCall.h: Removed an unused function. This is one step closer
964         to using the C stack.
965
966 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
967
968         Change emit_op_catch to use another method to materialize VM
969         https://bugs.webkit.org/show_bug.cgi?id=122977
970
971         Reviewed by Oliver Hunt.
972
973         * jit/JITOpcodes.cpp:
974         (JSC::JIT::emit_op_catch):
975         * jit/JITOpcodes32_64.cpp:
976         (JSC::JIT::emit_op_catch): Use a constant. It removes our dependency
977         on JITStackFrame. It is also faster and simpler.
978
979 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
980
981         Eliminate emitGetJITStubArg() - dead code
982         https://bugs.webkit.org/show_bug.cgi?id=122975
983
984         Reviewed by Anders Carlsson.
985
986         * jit/JIT.h:
987         * jit/JITInlines.h: Removed unused, deprecated function.
988
989 2013-10-17  Mark Lam  <mark.lam@apple.com>
990
991         Eliminate all ASSERT references to OBJECT_OFFSETOF(struct JITStackFrame,...) in JITStubsXXX.h.
992         https://bugs.webkit.org/show_bug.cgi?id=122979.
993
994         Reviewed by Michael Saboff.
995
996         * jit/JITStubs.cpp:
997         * jit/JITStubs.h:
998         * jit/JITStubsARM.h:
999         * jit/JITStubsARM64.h:
1000         * jit/JITStubsARMv7.h:
1001         * jit/JITStubsMIPS.h:
1002         * jit/JITStubsSH4.h:
1003         * jit/JITStubsX86.h:
1004         * jit/JITStubsX86_64.h:
1005         * runtime/VM.cpp:
1006         (JSC::VM::VM):
1007
1008 2013-10-17  Michael Saboff  <msaboff@apple.com>
1009
1010         Remove saving callFrameRegister to JITStackFrame in JITCompiler::compileFunction()
1011         https://bugs.webkit.org/show_bug.cgi?id=122974
1012
1013         Reviewed by Geoffrey Garen.
1014
1015         Eliminated unneeded storing to JITStackFrame.
1016
1017         * dfg/DFGJITCompiler.cpp:
1018         (JSC::DFG::JITCompiler::compileFunction):
1019
1020 2013-10-17  Michael Saboff  <msaboff@apple.com>
1021
1022         Transition cti_op_throw and cti_vm_throw to a JIT operation
1023         https://bugs.webkit.org/show_bug.cgi?id=122931
1024
1025         Reviewed by Filip Pizlo.
1026
1027         Moved cti_op_throw to operationThrow.  Made the caller responsible for jumping to the
1028         catch handler.  Eliminated cti_op_throw_static_error, cti_vm_throw, ctiVMThrowTrampoline()
1029         and their callers as they are now dead code.  There is some work needed on the Microsoft X86
1030         callOperation to handle the need to provide space for a structure return value.
1031
1032         * jit/JIT.h:
1033         * jit/JITInlines.h:
1034         (JSC::JIT::callOperation):
1035         * jit/JITOpcodes.cpp:
1036         (JSC::JIT::emit_op_throw):
1037         * jit/JITOpcodes32_64.cpp:
1038         (JSC::JIT::emit_op_throw):
1039         (JSC::JIT::emit_op_catch):
1040         * jit/JITOperations.cpp:
1041         * jit/JITOperations.h:
1042         * jit/JITStubs.cpp:
1043         * jit/JITStubs.h:
1044         * jit/JITStubsARM.h:
1045         * jit/JITStubsARM64.h:
1046         * jit/JITStubsARMv7.h:
1047         * jit/JITStubsMIPS.h:
1048         * jit/JITStubsMSVC64.asm:
1049         * jit/JITStubsSH4.h:
1050         * jit/JITStubsX86.h:
1051         * jit/JITStubsX86_64.h:
1052         * jit/JSInterfaceJIT.h:
1053
1054 2013-10-17  Mark Lam  <mark.lam@apple.com>
1055
1056         Remove JITStackFrame references in the C Loop LLINT.
1057         https://bugs.webkit.org/show_bug.cgi?id=122950.
1058
1059         Reviewed by Michael Saboff.
1060
1061         * jit/JITStubs.h:
1062         * llint/LowLevelInterpreter.cpp:
1063         (JSC::CLoop::execute):
1064         * offlineasm/cloop.rb:
1065
1066 2013-10-17  Mark Lam  <mark.lam@apple.com>
1067
1068         Remove JITStackFrame references in JIT probes.
1069         https://bugs.webkit.org/show_bug.cgi?id=122947.
1070
1071         Reviewed by Michael Saboff.
1072
1073         * assembler/MacroAssemblerARM.cpp:
1074         (JSC::MacroAssemblerARM::ProbeContext::dump):
1075         * assembler/MacroAssemblerARM.h:
1076         * assembler/MacroAssemblerARMv7.cpp:
1077         (JSC::MacroAssemblerARMv7::ProbeContext::dump):
1078         * assembler/MacroAssemblerARMv7.h:
1079         * assembler/MacroAssemblerX86Common.cpp:
1080         (JSC::MacroAssemblerX86Common::ProbeContext::dump):
1081         * assembler/MacroAssemblerX86Common.h:
1082         * jit/JITStubsARM.h:
1083         * jit/JITStubsARMv7.h:
1084         * jit/JITStubsX86.h:
1085         * jit/JITStubsX86Common.h:
1086         * jit/JITStubsX86_64.h:
1087
1088 2013-10-17  Julien Brianceau  <jbriance@cisco.com>
1089
1090         Fix build when NUMBER_OF_ARGUMENT_REGISTERS == 4.
1091         https://bugs.webkit.org/show_bug.cgi?id=122949
1092
1093         Reviewed by Andreas Kling.
1094
1095         * jit/CCallHelpers.h:
1096         (JSC::CCallHelpers::setupArgumentsWithExecState):
1097
1098 2013-10-16  Mark Lam  <mark.lam@apple.com>
1099
1100         Transition remaining op_get* JITStubs to JIT operations.
1101         https://bugs.webkit.org/show_bug.cgi?id=122925.
1102
1103         Reviewed by Geoffrey Garen.
1104
1105         Transitioning:
1106             cti_op_get_by_id_generic
1107             cti_op_get_by_val
1108             cti_op_get_by_val_generic
1109             cti_op_get_by_val_string
1110
1111         * dfg/DFGOperations.cpp:
1112         * dfg/DFGOperations.h:
1113         * jit/JIT.h:
1114         * jit/JITInlines.h:
1115         (JSC::JIT::callOperation):
1116         * jit/JITOpcodes.cpp:
1117         (JSC::JIT::emitSlow_op_get_arguments_length):
1118         (JSC::JIT::emitSlow_op_get_argument_by_val):
1119         * jit/JITOpcodes32_64.cpp:
1120         (JSC::JIT::emitSlow_op_get_arguments_length):
1121         (JSC::JIT::emitSlow_op_get_argument_by_val):
1122         * jit/JITOperations.cpp:
1123         * jit/JITOperations.h:
1124         * jit/JITPropertyAccess.cpp:
1125         (JSC::JIT::emitSlow_op_get_by_val):
1126         (JSC::JIT::emitSlow_op_get_by_pname):
1127         (JSC::JIT::privateCompileGetByVal):
1128         * jit/JITPropertyAccess32_64.cpp:
1129         (JSC::JIT::emitSlow_op_get_by_val):
1130         (JSC::JIT::emitSlow_op_get_by_pname):
1131         * jit/JITStubs.cpp:
1132         * jit/JITStubs.h:
1133         * runtime/Executable.cpp:
1134         (JSC::setupLLInt): Added some UNUSED_PARAMs to fix the no LLINT build.
1135         * runtime/Options.cpp:
1136         (JSC::Options::initialize):
1137
1138 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
1139
1140         Introduce WTF::Bag and start using it for InlineCallFrameSet
1141         https://bugs.webkit.org/show_bug.cgi?id=122941
1142
1143         Reviewed by Geoffrey Garen.
1144         
1145         Use Bag for InlineCallFrameSet. If this works out then I'll make other
1146         SegmentedVectors into Bags as well.
1147
1148         * bytecode/InlineCallFrameSet.cpp:
1149         (JSC::InlineCallFrameSet::add):
1150         * bytecode/InlineCallFrameSet.h:
1151         (JSC::InlineCallFrameSet::begin):
1152         (JSC::InlineCallFrameSet::end):
1153         * dfg/DFGArgumentsSimplificationPhase.cpp:
1154         (JSC::DFG::ArgumentsSimplificationPhase::run):
1155         * dfg/DFGJITCompiler.cpp:
1156         (JSC::DFG::JITCompiler::link):
1157         * dfg/DFGStackLayoutPhase.cpp:
1158         (JSC::DFG::StackLayoutPhase::run):
1159         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
1160         (JSC::DFG::VirtualRegisterAllocationPhase::run):
1161
1162 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
1163
1164         libllvmForJSC shouldn't call exit(1) on report_fatal_error()
1165         https://bugs.webkit.org/show_bug.cgi?id=122905
1166         <rdar://problem/15237856>
1167
1168         Reviewed by Michael Saboff.
1169         
1170         Expose the new LLVMInstallFatalErrorHandler() API through the soft linking magic and
1171         then always call it to install something that calls CRASH().
1172
1173         * llvm/InitializeLLVM.cpp:
1174         (JSC::llvmCrash):
1175         (JSC::initializeLLVMOnce):
1176         (JSC::initializeLLVM):
1177         * llvm/LLVMAPIFunctions.h:
1178
1179 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
1180
1181         Prototype chain repatching in the polymorphic case fails to check if the receiver is a dictionary
1182         https://bugs.webkit.org/show_bug.cgi?id=122938
1183
1184         Reviewed by Sam Weinig.
1185         
1186         This fixes jsc-layout-tests.yaml/js/script-tests/dictionary-prototype-caching.js.layout-no-llint.
1187
1188         * jit/Repatch.cpp:
1189         (JSC::tryBuildGetByIDList):
1190
1191 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
1192
1193         JIT::appendCall() needs to killLastResultRegister() or equivalent since there's some really bad code that expects it
1194         https://bugs.webkit.org/show_bug.cgi?id=122937
1195
1196         Reviewed by Geoffrey Garen.
1197         
1198         JITStubCall used to do it.
1199         
1200         This makes mozilla-tests.yaml/ecma/Statements/12.10-1.js.mozilla-baseline pass.
1201
1202         * jit/JIT.h:
1203         (JSC::JIT::appendCall):
1204
1205 2013-10-16  Michael Saboff  <msaboff@apple.com>
1206
1207         transition void cti_op_put_by_val* stubs to JIT operations
1208         https://bugs.webkit.org/show_bug.cgi?id=122903
1209
1210         Reviewed by Geoffrey Garen.
1211
1212         Transitioned cti_op_put_by_val and cti_op_put_by_val_generic to operationPutByVal and
1213         operationPutByValGeneric.
1214
1215         * jit/CCallHelpers.h:
1216         (JSC::CCallHelpers::setupArgumentsWithExecState):
1217         * jit/JIT.h:
1218         * jit/JITInlines.h:
1219         (JSC::JIT::callOperation):
1220         * jit/JITOperations.cpp:
1221         * jit/JITOperations.h:
1222         * jit/JITPropertyAccess.cpp:
1223         (JSC::JIT::emitSlow_op_put_by_val):
1224         (JSC::JIT::privateCompilePutByVal):
1225         * jit/JITPropertyAccess32_64.cpp:
1226         (JSC::JIT::emitSlow_op_put_by_val):
1227         * jit/JITStubs.cpp:
1228         * jit/JITStubs.h:
1229         * jit/JSInterfaceJIT.h:
1230
1231 2013-10-16  Oliver Hunt  <oliver@apple.com>
1232
1233         Implement ES6 spread operator
1234         https://bugs.webkit.org/show_bug.cgi?id=122911
1235
1236         Reviewed by Michael Saboff.
1237
1238         Implement the ES6 spread operator
1239
1240         This has a little bit of refactoring to move the enumeration logic out of ForOfNode
1241         and into BytecodeGenerator, and then adds the logic to make it nicely callback
1242         driven.
1243
1244         The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
1245         and actually handling the spread.
1246
1247         * bytecompiler/BytecodeGenerator.cpp:
1248         (JSC::BytecodeGenerator::emitNewArray):
1249         (JSC::BytecodeGenerator::emitCall):
1250         (JSC::BytecodeGenerator::emitEnumeration):
1251         * bytecompiler/BytecodeGenerator.h:
1252         * bytecompiler/NodesCodegen.cpp:
1253         (JSC::ArrayNode::emitBytecode):
1254         (JSC::ForOfNode::emitBytecode):
1255         (JSC::SpreadExpressionNode::emitBytecode):
1256         * parser/ASTBuilder.h:
1257         (JSC::ASTBuilder::createSpreadExpression):
1258         * parser/Lexer.cpp:
1259         (JSC::::lex):
1260         * parser/NodeConstructors.h:
1261         (JSC::SpreadExpressionNode::SpreadExpressionNode):
1262         * parser/Nodes.h:
1263         (JSC::ExpressionNode::isSpreadExpression):
1264         (JSC::SpreadExpressionNode::expression):
1265         * parser/Parser.cpp:
1266         (JSC::::parseArrayLiteral):
1267         (JSC::::parseArguments):
1268         (JSC::::parseMemberExpression):
1269         * parser/Parser.h:
1270         (JSC::Parser::getTokenName):
1271         (JSC::Parser::updateErrorMessageSpecialCase):
1272         * parser/ParserTokens.h:
1273         * parser/SyntaxChecker.h:
1274         (JSC::SyntaxChecker::createSpreadExpression):
1275
1276 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
1277
1278         Add a useLLInt option to jsc
1279         https://bugs.webkit.org/show_bug.cgi?id=122930
1280
1281         Reviewed by Geoffrey Garen.
1282
1283         * runtime/Executable.cpp:
1284         (JSC::setupLLInt):
1285         (JSC::setupJIT):
1286         (JSC::ScriptExecutable::prepareForExecutionImpl):
1287         * runtime/Options.h:
1288
1289 2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>
1290
1291         Build fix.
1292
1293         Forgot to svn add DeferGC.cpp
1294
1295         * heap/DeferGC.cpp: Added.
1296
1297 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
1298
1299         r157411 fails run-javascriptcore-tests when run with Baseline JIT
1300         https://bugs.webkit.org/show_bug.cgi?id=122902
1301
1302         Reviewed by Mark Hahnenberg.
1303         
1304         It turns out that this was a long-standing bug in the DFG PutById repatching logic. It's
1305         not legal to patch if the typeInfo tells you that you can't patch. The old JIT's patching
1306         logic did this right, and the DFG's GetById patching logic did it right; but DFG PutById
1307         didn't. Turns out that there's even a helpful method,
1308         Structure::propertyAccessesAreCacheable(), that will even do all of the checks for you!
1309
1310         * jit/Repatch.cpp:
1311         (JSC::tryCachePutByID):
1312
1313 2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>
1314
1315         llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
1316         https://bugs.webkit.org/show_bug.cgi?id=122667
1317
1318         Reviewed by Geoffrey Garen.
1319
1320         The issue this patch is attempting to fix is that there are places in our codebase
1321         where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
1322         operations that can initiate a garbage collection. Garbage collection then calls 
1323         some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
1324         always necessarily run during garbage collection). This causes a deadlock.
1325  
1326         To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores 
1327         into a thread-local field that indicates that it is unsafe to perform any operation 
1328         that could trigger garbage collection on the current thread. In debug builds, 
1329         ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly 
1330         detect deadlocks.
1331  
1332         This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
1333         which uses the DeferGC mechanism to prevent collections from occurring while the 
1334         lock is held.
1335
1336         * CMakeLists.txt:
1337         * GNUmakefile.list.am:
1338         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1339         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1340         * JavaScriptCore.xcodeproj/project.pbxproj:
1341         * heap/DeferGC.h:
1342         (JSC::DisallowGC::DisallowGC):
1343         (JSC::DisallowGC::~DisallowGC):
1344         (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
1345         (JSC::DisallowGC::initialize):
1346         * jit/Repatch.cpp:
1347         (JSC::repatchPutByID):
1348         (JSC::buildPutByIdList):
1349         * llint/LLIntSlowPaths.cpp:
1350         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1351         * runtime/ConcurrentJITLock.h:
1352         (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
1353         (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
1354         (JSC::ConcurrentJITLockerBase::unlockEarly):
1355         (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
1356         (JSC::GCSafeConcurrentJITLocker::~GCSafeConcurrentJITLocker):
1357         (JSC::GCSafeConcurrentJITLocker::NoDefer::NoDefer):
1358         (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
1359         * runtime/InitializeThreading.cpp:
1360         (JSC::initializeThreadingOnce):
1361         * runtime/JSCellInlines.h:
1362         (JSC::allocateCell):
1363         * runtime/JSSymbolTableObject.h:
1364         (JSC::symbolTablePut):
1365         * runtime/Structure.cpp: materializePropertyMapIfNecessary* now has a problem in that it
1366         can start a garbage collection when the GCSafeConcurrentJITLocker goes out of scope, but 
1367         before the caller has a chance to use the newly created PropertyTable. The garbage collection
1368         clears the PropertyTable, and then the caller uses it assuming it's valid. To avoid this,
1369         we must DeferGC until the caller is done getting the newly materialized PropertyTable from 
1370         the Structure.
1371         (JSC::Structure::materializePropertyMap):
1372         (JSC::Structure::despecifyDictionaryFunction):
1373         (JSC::Structure::changePrototypeTransition):
1374         (JSC::Structure::despecifyFunctionTransition):
1375         (JSC::Structure::attributeChangeTransition):
1376         (JSC::Structure::toDictionaryTransition):
1377         (JSC::Structure::preventExtensionsTransition):
1378         (JSC::Structure::takePropertyTableOrCloneIfPinned):
1379         (JSC::Structure::isSealed):
1380         (JSC::Structure::isFrozen):
1381         (JSC::Structure::addPropertyWithoutTransition):
1382         (JSC::Structure::removePropertyWithoutTransition):
1383         (JSC::Structure::get):
1384         (JSC::Structure::despecifyFunction):
1385         (JSC::Structure::despecifyAllFunctions):
1386         (JSC::Structure::putSpecificValue):
1387         (JSC::Structure::createPropertyMap):
1388         (JSC::Structure::getPropertyNamesFromStructure):
1389         * runtime/Structure.h:
1390         (JSC::Structure::materializePropertyMapIfNecessary):
1391         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
1392         * runtime/StructureInlines.h:
1393         (JSC::Structure::get):
1394         * runtime/SymbolTable.h:
1395         (JSC::SymbolTable::find):
1396         (JSC::SymbolTable::end):
1397
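An added illustration of the DisallowGC / DeferGC / GCSafeConcurrentJITLocker scheme this entry describes; it is example code written for this page, not JavaScriptCore's own, and the Heap, ConcurrentJITLock and per-thread depth counters are toy stand-ins assumed for the sketch.

```cpp
// Added example, not JavaScriptCore code: a toy model of the DisallowGC / DeferGC /
// GCSafeConcurrentJITLocker scheme this entry describes; the heap, lock and
// per-thread counters are assumptions made for illustration.
namespace toy {
enum class GCStatus { Collected, Deferred, Disallowed };
thread_local int g_disallowGCDepth = 0; // > 0: a GC request on this thread is a bug
thread_local int g_deferGCDepth = 0;    // > 0: GC requests on this thread are postponed

// RAII marker: while one is alive, collecting on this thread is a programming error.
class DisallowGC {
public:
    DisallowGC() { ++g_disallowGCDepth; }
    ~DisallowGC() { --g_disallowGCDepth; }
    static bool isGCDisallowedOnCurrentThread() { return g_disallowGCDepth > 0; }
};

class Heap {
public:
    // Anything that may collect (e.g. cell allocation) calls this. JSC's debug build
    // would ASSERT in the Disallowed case; the toy returns a status instead.
    GCStatus collectIfNecessary() {
        if (DisallowGC::isGCDisallowedOnCurrentThread())
            return GCStatus::Disallowed;
        if (g_deferGCDepth > 0) {
            m_pendingCollection = true;
            return GCStatus::Deferred;
        }
        m_pendingCollection = false;
        ++m_collections;
        return GCStatus::Collected;
    }
    int collections() const { return m_collections; }
    bool hasPendingCollection() const { return m_pendingCollection; }
private:
    int m_collections = 0;
    bool m_pendingCollection = false;
};

// RAII: postpones collections; the outermost DeferGC runs any pending one on exit.
class DeferGC {
public:
    explicit DeferGC(Heap& heap) : m_heap(heap) { ++g_deferGCDepth; }
    ~DeferGC() {
        if (--g_deferGCDepth == 0 && m_heap.hasPendingCollection())
            m_heap.collectIfNecessary();
    }
private:
    Heap& m_heap;
};

// Non-recursive lock modelled as a flag: a second lock() on the same thread would
// deadlock for real; here it just reports failure.
class ConcurrentJITLock {
public:
    bool lock() { if (m_held) return false; m_held = true; return true; }
    void unlock() { m_held = false; }
private:
    bool m_held = false;
};

// Debug-build locker: owns a DisallowGC, so a GC request made while the lock is
// held is flagged at once instead of deadlocking when the GC re-takes the lock.
class ConcurrentJITLocker {
public:
    explicit ConcurrentJITLocker(ConcurrentJITLock& lock) : m_lock(lock), m_acquired(lock.lock()) {}
    ~ConcurrentJITLocker() { if (m_acquired) m_lock.unlock(); }
private:
    ConcurrentJITLock& m_lock;
    bool m_acquired;
    DisallowGC m_disallowGC;
};

// GC-safe locker: defers GC for the lock's lifetime. m_deferGC is declared first so
// it is destroyed last, i.e. the deferred collection runs only after unlock().
class GCSafeConcurrentJITLocker {
public:
    GCSafeConcurrentJITLocker(ConcurrentJITLock& lock, Heap& heap)
        : m_deferGC(heap), m_lock(lock), m_acquired(lock.lock()) {}
    ~GCSafeConcurrentJITLocker() { if (m_acquired) m_lock.unlock(); }
private:
    DeferGC m_deferGC;
    ConcurrentJITLock& m_lock;
    bool m_acquired;
};

// Pre-fix pattern: hold the plain lock, then do something that may collect.
GCStatus allocateUnderPlainLocker(Heap& heap, ConcurrentJITLock& lock) {
    ConcurrentJITLocker locker(lock);
    return heap.collectIfNecessary(); // Disallowed: the latent deadlock is caught eagerly
}
struct SafeResult { GCStatus insideLock; int collectionsAfter; };
// Fixed pattern: the collection is deferred until the lock has been released.
SafeResult allocateUnderGCSafeLocker(Heap& heap, ConcurrentJITLock& lock) {
    GCStatus inside;
    {
        GCSafeConcurrentJITLocker locker(lock, heap);
        inside = heap.collectIfNecessary(); // Deferred
    } // unlock() runs, then ~DeferGC performs the pending collection
    return { inside, heap.collections() };
}
} // namespace toy
```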
1398 2013-10-16  Daniel Bates  <dabates@apple.com>
1399
1400         Add SPI to disable the garbage collector timer
1401         https://bugs.webkit.org/show_bug.cgi?id=122921
1402
1403         Reviewed by Geoffrey Garen.
1404
1405         Based on a patch by Mark Hahnenberg.
1406
1407         * API/JSBase.cpp:
1408         (JSDisableGCTimer): Added; SPI function.
1409         * API/JSBasePrivate.h:
1410         * heap/BlockAllocator.cpp:
1411         (JSC::createBlockFreeingThread): Added.
1412         (JSC::BlockAllocator::BlockAllocator): Modified to use JSC::createBlockFreeingThread()
1413         to conditionally create the "block freeing" thread depending on the value of
1414         GCActivityCallback::s_shouldCreateGCTimer.
1415         (JSC::BlockAllocator::~BlockAllocator):
1416         * heap/BlockAllocator.h:
1417         (JSC::BlockAllocator::deallocate):
1418         * heap/Heap.cpp:
1419         (JSC::Heap::didAbandon):
1420         (JSC::Heap::collect):
1421         (JSC::Heap::didAllocate):
1422         * heap/HeapTimer.cpp:
1423         (JSC::HeapTimer::timerDidFire):
1424         * runtime/GCActivityCallback.cpp:
1425         * runtime/GCActivityCallback.h:
1426         (JSC::DefaultGCActivityCallback::create): Only instantiate a DefaultGCActivityCallback object
1427         when GCActivityCallback::s_shouldCreateGCTimer is true so as to prevent allocating a HeapTimer
1428         object (since DefaultGCActivityCallback ultimately extends HeapTimer).
1429
1430 2013-10-16  Commit Queue  <commit-queue@webkit.org>
1431
1432         Unreviewed, rolling out r157529.
1433         http://trac.webkit.org/changeset/157529
1434         https://bugs.webkit.org/show_bug.cgi?id=122919
1435
1436         Caused score test failures and some build failures. (Requested
1437         by rfong on #webkit).
1438
1439         * bytecompiler/BytecodeGenerator.cpp:
1440         (JSC::BytecodeGenerator::emitNewArray):
1441         (JSC::BytecodeGenerator::emitCall):
1442         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
1443         * bytecompiler/BytecodeGenerator.h:
1444         * bytecompiler/NodesCodegen.cpp:
1445         (JSC::ArrayNode::emitBytecode):
1446         (JSC::CallArguments::CallArguments):
1447         (JSC::ForOfNode::emitBytecode):
1448         (JSC::BindingNode::collectBoundIdentifiers):
1449         * parser/ASTBuilder.h:
1450         * parser/Lexer.cpp:
1451         (JSC::::lex):
1452         * parser/NodeConstructors.h:
1453         (JSC::DotAccessorNode::DotAccessorNode):
1454         * parser/Nodes.h:
1455         * parser/Parser.cpp:
1456         (JSC::::parseArrayLiteral):
1457         (JSC::::parseArguments):
1458         (JSC::::parseMemberExpression):
1459         * parser/Parser.h:
1460         (JSC::Parser::getTokenName):
1461         (JSC::Parser::updateErrorMessageSpecialCase):
1462         * parser/ParserTokens.h:
1463         * parser/SyntaxChecker.h:
1464
1465 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
1466
1467         Remove useless architecture specific implementation in DFG.
1468         https://bugs.webkit.org/show_bug.cgi?id=122917.
1469
1470         Reviewed by Michael Saboff.
1471
1472         With CPU(ARM) && CPU(ARM_HARDFP) architecture, the fallback implementation is fine
1473         as FPRInfo::argumentFPR0 == FPRInfo::returnValueFPR in this case.
1474
1475         * dfg/DFGSpeculativeJIT.h:
1476
1477 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
1478
1479         Remove unused JIT::restoreArgumentReferenceForTrampoline function.
1480         https://bugs.webkit.org/show_bug.cgi?id=122916.
1481
1482         Reviewed by Michael Saboff.
1483
1484         This architecture specific function is not used anymore, so get rid of it.
1485
1486         * jit/JIT.h:
1487         * jit/JITInlines.h:
1488
1489 2013-10-16  Oliver Hunt  <oliver@apple.com>
1490
1491         Implement ES6 spread operator
1492         https://bugs.webkit.org/show_bug.cgi?id=122911
1493
1494         Reviewed by Michael Saboff.
1495
1496         Implement the ES6 spread operator
1497
1498         This has a little bit of refactoring to move the enumeration logic out of ForOfNode
1499         and into BytecodeGenerator, and then adds the logic to make it nicely callback
1500         driven.
1501
1502         The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
1503         and actually handling the spread.
1504
1505         * bytecompiler/BytecodeGenerator.cpp:
1506         (JSC::BytecodeGenerator::emitNewArray):
1507         (JSC::BytecodeGenerator::emitCall):
1508         (JSC::BytecodeGenerator::emitEnumeration):
1509         * bytecompiler/BytecodeGenerator.h:
1510         * bytecompiler/NodesCodegen.cpp:
1511         (JSC::ArrayNode::emitBytecode):
1512         (JSC::ForOfNode::emitBytecode):
1513         (JSC::SpreadExpressionNode::emitBytecode):
1514         * parser/ASTBuilder.h:
1515         (JSC::ASTBuilder::createSpreadExpression):
1516         * parser/Lexer.cpp:
1517         (JSC::::lex):
1518         * parser/NodeConstructors.h:
1519         (JSC::SpreadExpressionNode::SpreadExpressionNode):
1520         * parser/Nodes.h:
1521         (JSC::ExpressionNode::isSpreadExpression):
1522         (JSC::SpreadExpressionNode::expression):
1523         * parser/Parser.cpp:
1524         (JSC::::parseArrayLiteral):
1525         (JSC::::parseArguments):
1526         (JSC::::parseMemberExpression):
1527         * parser/Parser.h:
1528         (JSC::Parser::getTokenName):
1529         (JSC::Parser::updateErrorMessageSpecialCase):
1530         * parser/ParserTokens.h:
1531         * parser/SyntaxChecker.h:
1532         (JSC::SyntaxChecker::createSpreadExpression):
1533
1534 2013-10-16  Mark Lam  <mark.lam@apple.com>
1535
1536         Transition void cti_op_tear_off* methods to JIT operations for 32 bit.
1537         https://bugs.webkit.org/show_bug.cgi?id=122899.
1538
1539         Reviewed by Michael Saboff.
1540
1541         * jit/JITOpcodes32_64.cpp:
1542         (JSC::JIT::emit_op_tear_off_activation):
1543         (JSC::JIT::emit_op_tear_off_arguments):
1544         * jit/JITStubs.cpp:
1545         * jit/JITStubs.h:
1546
1547 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
1548
1549         Remove more of the UNINTERRUPTED_SEQUENCE thing
1550         https://bugs.webkit.org/show_bug.cgi?id=122885
1551
1552         Reviewed by Andreas Kling.
1553
1554         It was not completely removed by r157481, leading to build failure for sh4 architecture.
1555
1556         * jit/JIT.h:
1557         * jit/JITInlines.h:
1558
1559 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
1560
1561         Get rid of the StructureStubInfo::patch union
1562         https://bugs.webkit.org/show_bug.cgi?id=122877
1563
1564         Reviewed by Sam Weinig.
1565         
1566         Just simplifying code by getting rid of data structures that ain't used no more.
1567         
1568         Note that I replace the patch union with a patch struct. This means we say things like
1569         stubInfo.patch.valueGPR instead of stubInfo.valueGPR. I think that this extra
1570         encapsulation makes the code more readable: the patch struct contains just those things
1571         that you need to know to perform patching.
1572
1573         * bytecode/StructureStubInfo.h:
1574         * dfg/DFGJITCompiler.cpp:
1575         (JSC::DFG::JITCompiler::link):
1576         * jit/JIT.cpp:
1577         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
1578         * jit/Repatch.cpp:
1579         (JSC::repatchByIdSelfAccess):
1580         (JSC::replaceWithJump):
1581         (JSC::linkRestoreScratch):
1582         (JSC::generateProtoChainAccessStub):
1583         (JSC::tryCacheGetByID):
1584         (JSC::getPolymorphicStructureList):
1585         (JSC::patchJumpToGetByIdStub):
1586         (JSC::tryBuildGetByIDList):
1587         (JSC::emitPutReplaceStub):
1588         (JSC::emitPutTransitionStub):
1589         (JSC::tryCachePutByID):
1590         (JSC::tryBuildPutByIdList):
1591         (JSC::tryRepatchIn):
1592         (JSC::resetGetByID):
1593         (JSC::resetPutByID):
1594         (JSC::resetIn):
1595
1596 2013-10-15  Nadav Rotem  <nrotem@apple.com>
1597
1598         FTL: add support for Int52ToValue and fix putByVal of int52s.
1599         https://bugs.webkit.org/show_bug.cgi?id=122873
1600
1601         Reviewed by Filip Pizlo.
1602
1603         * ftl/FTLCapabilities.cpp:
1604         (JSC::FTL::canCompile):
1605         * ftl/FTLLowerDFGToLLVM.cpp:
1606         (JSC::FTL::LowerDFGToLLVM::compileNode):
1607         (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue):
1608         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
1609
1610 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
1611
1612         Get rid of the UNINTERRUPTED_SEQUENCE thing
1613         https://bugs.webkit.org/show_bug.cgi?id=122876
1614
1615         Reviewed by Mark Hahnenberg.
1616         
1617         It doesn't make sense anymore. We now use the DFG's IC logic, which never needed that.
1618         
1619         Moreover, we should resist the temptation to bring anything like this back. We don't
1620         want to have inline caches that only work if the assembler lays out code in a specific
1621         predetermined way.
1622
1623         * jit/JIT.h:
1624         * jit/JITCall.cpp:
1625         (JSC::JIT::compileOpCall):
1626         * jit/JITCall32_64.cpp:
1627         (JSC::JIT::compileOpCall):
1628
1629 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
1630
1631         Baseline JIT should use the DFG GetById IC
1632         https://bugs.webkit.org/show_bug.cgi?id=122861
1633
1634         Reviewed by Oliver Hunt.
1635         
1636         This mostly just kills a ton of code.
1637         
1638         Note that this doesn't yet do all of the simplifications that can be done, but it does
1639         kill dead code. I'll have another change to simplify StructureStubInfo's unions and such.
1640
1641         * bytecode/CodeBlock.cpp:
1642         (JSC::CodeBlock::resetStubInternal):
1643         * jit/JIT.cpp:
1644         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
1645         * jit/JIT.h:
1646         (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
1647         * jit/JITInlines.h:
1648         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
1649         (JSC::JIT::callOperation):
1650         * jit/JITPropertyAccess.cpp:
1651         (JSC::JIT::compileGetByIdHotPath):
1652         (JSC::JIT::emitSlow_op_get_by_id):
1653         (JSC::JIT::emitSlow_op_get_from_scope):
1654         * jit/JITPropertyAccess32_64.cpp:
1655         (JSC::JIT::compileGetByIdHotPath):
1656         (JSC::JIT::emitSlow_op_get_by_id):
1657         (JSC::JIT::emitSlow_op_get_from_scope):
1658         * jit/JITStubs.cpp:
1659         * jit/JITStubs.h:
1660         * jit/Repatch.cpp:
1661         (JSC::repatchGetByID):
1662         (JSC::buildGetByIDList):
1663         * jit/ThunkGenerators.cpp:
1664         * jit/ThunkGenerators.h:
1665
1666 2013-10-15  Dean Jackson  <dino@apple.com>
1667
1668         Add ENABLE_WEB_ANIMATIONS flag
1669         https://bugs.webkit.org/show_bug.cgi?id=122871
1670
1671         Reviewed by Tim Horton.
1672
1673         Eventually might be http://dev.w3.org/fxtf/web-animations/
1674         but this is just engine-internal work at the moment.
1675
1676         * Configurations/FeatureDefines.xcconfig:
1677
1678 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
1679
1680         [sh4] Some calls don't match sh4 ABI.
1681         https://bugs.webkit.org/show_bug.cgi?id=122863
1682
1683         Reviewed by Michael Saboff.
1684
1685         * dfg/DFGSpeculativeJIT.h:
1686         (JSC::DFG::SpeculativeJIT::callOperation):
1687         * jit/CCallHelpers.h:
1688         (JSC::CCallHelpers::setupArgumentsWithExecState):
1689         * jit/JITInlines.h:
1690         (JSC::JIT::callOperation):
1691
1692 2013-10-15  Daniel Bates  <dabates@apple.com>
1693
1694         [iOS] Upstream JavaScriptCore support for ARM64
1695         https://bugs.webkit.org/show_bug.cgi?id=122762
1696
1697         Reviewed by Oliver Hunt and Filip Pizlo.
1698
1699         * Configurations/Base.xcconfig:
1700         * Configurations/DebugRelease.xcconfig:
1701         * Configurations/JavaScriptCore.xcconfig:
1702         * Configurations/ToolExecutable.xcconfig:
1703         * JavaScriptCore.xcodeproj/project.pbxproj:
1704         * assembler/ARM64Assembler.h: Added.
1705         * assembler/AbstractMacroAssembler.h:
1706         (JSC::isARM64):
1707         (JSC::AbstractMacroAssembler::Label::Label):
1708         (JSC::AbstractMacroAssembler::Jump::Jump):
1709         (JSC::AbstractMacroAssembler::Jump::link):
1710         (JSC::AbstractMacroAssembler::Jump::linkTo):
1711         (JSC::AbstractMacroAssembler::CachedTempRegister::CachedTempRegister):
1712         (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDInvalidate):
1713         (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDNoInvalidate):
1714         (JSC::AbstractMacroAssembler::CachedTempRegister::value):
1715         (JSC::AbstractMacroAssembler::CachedTempRegister::setValue):
1716         (JSC::AbstractMacroAssembler::CachedTempRegister::invalidate):
1717         (JSC::AbstractMacroAssembler::invalidateAllTempRegisters):
1718         (JSC::AbstractMacroAssembler::isTempRegisterValid):
1719         (JSC::AbstractMacroAssembler::clearTempRegisterValid):
1720         (JSC::AbstractMacroAssembler::setTempRegisterValid):
1721         * assembler/LinkBuffer.cpp:
1722         (JSC::LinkBuffer::copyCompactAndLinkCode):
1723         (JSC::LinkBuffer::linkCode):
1724         * assembler/LinkBuffer.h:
1725         * assembler/MacroAssembler.h:
1726         (JSC::MacroAssembler::isPtrAlignedAddressOffset):
1727         (JSC::MacroAssembler::pushToSave):
1728         (JSC::MacroAssembler::popToRestore):
1729         (JSC::MacroAssembler::patchableBranchTest32):
1730         * assembler/MacroAssemblerARM64.h: Added.
1731         * assembler/MacroAssemblerARMv7.h:
1732         * dfg/DFGFixupPhase.cpp:
1733         (JSC::DFG::FixupPhase::fixupNode):
1734         * dfg/DFGOSRExitCompiler32_64.cpp:
1735         (JSC::DFG::OSRExitCompiler::compileExit):
1736         * dfg/DFGOSRExitCompiler64.cpp:
1737         (JSC::DFG::OSRExitCompiler::compileExit):
1738         * dfg/DFGSpeculativeJIT.cpp:
1739         (JSC::DFG::SpeculativeJIT::compileArithDiv):
1740         (JSC::DFG::SpeculativeJIT::compileArithMod):
1741         * disassembler/ARM64/A64DOpcode.cpp: Added.
1742         * disassembler/ARM64/A64DOpcode.h: Added.
1743         * disassembler/ARM64Disassembler.cpp: Added.
1744         * heap/MachineStackMarker.cpp:
1745         (JSC::getPlatformThreadRegisters):
1746         (JSC::otherThreadStackPointer):
1747         * heap/Region.h:
1748         * jit/AssemblyHelpers.h:
1749         (JSC::AssemblyHelpers::debugCall):
1750         * jit/CCallHelpers.h:
1751         * jit/ExecutableAllocator.h:
1752         * jit/FPRInfo.h:
1753         (JSC::FPRInfo::toRegister):
1754         (JSC::FPRInfo::toIndex):
1755         (JSC::FPRInfo::debugName):
1756         * jit/GPRInfo.h:
1757         (JSC::GPRInfo::toRegister):
1758         (JSC::GPRInfo::toIndex):
1759         (JSC::GPRInfo::debugName):
1760         * jit/JITInlines.h:
1761         (JSC::JIT::restoreArgumentReferenceForTrampoline):
1762         * jit/JITOperationWrappers.h:
1763         * jit/JITOperations.cpp:
1764         * jit/JITStubs.cpp:
1765         (JSC::performPlatformSpecificJITAssertions):
1766         (JSC::tryCachePutByID):
1767         * jit/JITStubs.h:
1768         (JSC::JITStackFrame::returnAddressSlot):
1769         * jit/JITStubsARM64.h: Added.
1770         * jit/JSInterfaceJIT.h:
1771         * jit/Repatch.cpp:
1772         (JSC::emitRestoreScratch):
1773         (JSC::generateProtoChainAccessStub):
1774         (JSC::tryCacheGetByID):
1775         (JSC::emitPutReplaceStub):
1776         (JSC::tryCachePutByID):
1777         (JSC::tryRepatchIn):
1778         * jit/ScratchRegisterAllocator.h:
1779         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
1780         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
1781         * jit/ThunkGenerators.cpp:
1782         (JSC::nativeForGenerator):
1783         (JSC::floorThunkGenerator):
1784         (JSC::ceilThunkGenerator):
1785         * jsc.cpp:
1786         (main):
1787         * llint/LLIntOfflineAsmConfig.h:
1788         * llint/LLIntSlowPaths.cpp:
1789         (JSC::LLInt::handleHostCall):
1790         * llint/LowLevelInterpreter.asm:
1791         * llint/LowLevelInterpreter64.asm:
1792         * offlineasm/arm.rb:
1793         * offlineasm/arm64.rb: Added.
1794         * offlineasm/backends.rb:
1795         * offlineasm/instructions.rb:
1796         * offlineasm/risc.rb:
1797         * offlineasm/transform.rb:
1798         * yarr/YarrJIT.cpp:
1799         (JSC::Yarr::YarrGenerator::alignCallFrameSizeInBytes):
1800         (JSC::Yarr::YarrGenerator::initCallFrame):
1801         (JSC::Yarr::YarrGenerator::removeCallFrame):
1802         (JSC::Yarr::YarrGenerator::generateEnter):
1803         * yarr/YarrJIT.h:
1804
1805 2013-10-15  Mark Lam  <mark.lam@apple.com>
1806
1807         Fix 3 operand sub operation in C loop LLINT.
1808         https://bugs.webkit.org/show_bug.cgi?id=122866.
1809
1810         Reviewed by Geoffrey Garen.
1811
1812         * offlineasm/cloop.rb:
1813
1814 2013-10-15  Mark Hahnenberg  <mhahnenberg@apple.com>
1815
1816         ObjCCallbackFunctionImpl shouldn't store a JSContext
1817         https://bugs.webkit.org/show_bug.cgi?id=122531
1818
1819         Reviewed by Geoffrey Garen.
1820
1821         The m_context field in ObjCCallbackFunctionImpl is vestigial and is only incidentally correct 
1822         in the common case. It's also no longer necessary in that we can look up the current JSContext 
1823         by using the globalObject of the callee when the function callback is invoked.
1824  
1825         Also added a new test that would cause us to crash previously. The test required making 
1826         JSContextGetGlobalContext public API so that clients can obtain a JSContext from the JSContextRef
1827         in C API callbacks.
1828
1829         * API/JSContextRef.h:
1830         * API/JSContextRefPrivate.h:
1831         * API/ObjCCallbackFunction.mm:
1832         (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
1833         (JSC::objCCallbackFunctionCallAsFunction):
1834         (objCCallbackFunctionForInvocation):
1835         * API/WebKitAvailability.h:
1836         * API/tests/CurrentThisInsideBlockGetterTest.h: Added.
1837         * API/tests/CurrentThisInsideBlockGetterTest.mm: Added.
1838         (CallAsConstructor):
1839         (ConstructorFinalize):
1840         (ConstructorClass):
1841         (+[JSValue valueWithConstructorDescriptor:inContext:]):
1842         (-[JSContext valueWithConstructorDescriptor:]):
1843         (currentThisInsideBlockGetterTest):
1844         * API/tests/testapi.mm:
1845         * JavaScriptCore.xcodeproj/project.pbxproj:
1846         * debugger/Debugger.cpp: Had to add some fully qualified names to avoid conflicts with Mac OS X headers.
1847
1848 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
1849
1850         Fix build after r157457 for architecture with 4 argument registers.
1851         https://bugs.webkit.org/show_bug.cgi?id=122860
1852
1853         Reviewed by Michael Saboff.
1854
1855         * jit/CCallHelpers.h:
1856         (JSC::CCallHelpers::setupStubArguments134):
1857
1858 2013-10-14  Michael Saboff  <msaboff@apple.com>
1859
1860         transition void cti_op_* methods to JIT operations.
1861         https://bugs.webkit.org/show_bug.cgi?id=122617
1862
1863         Reviewed by Geoffrey Garen.
1864
1865         Converted the following stubs to JIT operations:
1866             cti_handle_watchdog_timer
1867             cti_op_debug
1868             cti_op_pop_scope
1869             cti_op_profile_did_call
1870             cti_op_profile_will_call
1871             cti_op_put_by_index
1872             cti_op_put_getter_setter
1873             cti_op_tear_off_activation
1874             cti_op_tear_off_arguments
1875             cti_op_throw_static_error
1876             cti_optimize
1877
1878         * dfg/DFGOperations.cpp:
1879         * dfg/DFGOperations.h:
1880         * jit/CCallHelpers.h:
1881         (JSC::CCallHelpers::setupArgumentsWithExecState):
1882         (JSC::CCallHelpers::setupThreeStubArgsGPR):
1883         (JSC::CCallHelpers::setupStubArguments):
1884         (JSC::CCallHelpers::setupStubArguments134):
1885         * jit/JIT.cpp:
1886         (JSC::JIT::emitEnterOptimizationCheck):
1887         * jit/JIT.h:
1888         * jit/JITInlines.h:
1889         (JSC::JIT::callOperation):
1890         * jit/JITOpcodes.cpp:
1891         (JSC::JIT::emit_op_tear_off_activation):
1892         (JSC::JIT::emit_op_tear_off_arguments):
1893         (JSC::JIT::emit_op_push_with_scope):
1894         (JSC::JIT::emit_op_pop_scope):
1895         (JSC::JIT::emit_op_push_name_scope):
1896         (JSC::JIT::emit_op_throw_static_error):
1897         (JSC::JIT::emit_op_debug):
1898         (JSC::JIT::emit_op_profile_will_call):
1899         (JSC::JIT::emit_op_profile_did_call):
1900         (JSC::JIT::emitSlow_op_loop_hint):
1901         * jit/JITOpcodes32_64.cpp:
1902         (JSC::JIT::emit_op_push_with_scope):
1903         (JSC::JIT::emit_op_pop_scope):
1904         (JSC::JIT::emit_op_push_name_scope):
1905         (JSC::JIT::emit_op_throw_static_error):
1906         (JSC::JIT::emit_op_debug):
1907         (JSC::JIT::emit_op_profile_will_call):
1908         (JSC::JIT::emit_op_profile_did_call):
1909         * jit/JITOperations.cpp:
1910         * jit/JITOperations.h:
1911         * jit/JITPropertyAccess.cpp:
1912         (JSC::JIT::emit_op_put_by_index):
1913         (JSC::JIT::emit_op_put_getter_setter):
1914         * jit/JITPropertyAccess32_64.cpp:
1915         (JSC::JIT::emit_op_put_by_index):
1916         (JSC::JIT::emit_op_put_getter_setter):
1917         * jit/JITStubs.cpp:
1918         * jit/JITStubs.h:
1919
1920 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
1921
1922         [sh4] Introduce const pools in LLINT.
1923         https://bugs.webkit.org/show_bug.cgi?id=122746
1924
1925         Reviewed by Michael Saboff.
1926
1927         In current implementation of LLINT for sh4, immediate values outside range -128..127 are
1928         loaded this way:
1929
1930             mov.l .label, rx
1931             bra out
1932             nop
1933             .balign 4
1934             .label: .long immvalue
1935             out:
1936
1937         This change introduces const pools for sh4 implementation to avoid lots of useless branches
1938         and reduce code size. It also removes lines of dirty code, like jmpf and callf.
1939
1940         * offlineasm/instructions.rb: Remove jmpf and callf sh4 specific instructions.
1941         * offlineasm/sh4.rb:
1942
1943 2013-10-15  Mark Lam  <mark.lam@apple.com>
1944
1945         Fix broken C Loop LLINT build.
1946         https://bugs.webkit.org/show_bug.cgi?id=122839.
1947
1948         Reviewed by Michael Saboff.
1949
1950         * dfg/DFGFlushedAt.cpp:
1951         * jit/JITOperations.h:
1952
1953 2013-10-14  Mark Lam  <mark.lam@apple.com>
1954
1955         Transition *switch* and *scope* JITStubs to JIT operations.
1956         https://bugs.webkit.org/show_bug.cgi?id=122757.
1957
1958         Reviewed by Geoffrey Garen.
1959
1960         Transitioning:
1961             cti_op_switch_char
1962             cti_op_switch_imm
1963             cti_op_switch_string
1964             cti_op_resolve_scope
1965             cti_op_get_from_scope
1966             cti_op_put_to_scope
1967
1968         * jit/JIT.h:
1969         * jit/JITInlines.h:
1970         (JSC::JIT::callOperation):
1971         * jit/JITOpcodes.cpp:
1972         (JSC::JIT::emit_op_switch_imm):
1973         (JSC::JIT::emit_op_switch_char):
1974         (JSC::JIT::emit_op_switch_string):
1975         * jit/JITOpcodes32_64.cpp:
1976         (JSC::JIT::emit_op_switch_imm):
1977         (JSC::JIT::emit_op_switch_char):
1978         (JSC::JIT::emit_op_switch_string):
1979         * jit/JITOperations.cpp:
1980         * jit/JITOperations.h:
1981         * jit/JITPropertyAccess.cpp:
1982         (JSC::JIT::emitSlow_op_resolve_scope):
1983         (JSC::JIT::emitSlow_op_get_from_scope):
1984         (JSC::JIT::emitSlow_op_put_to_scope):
1985         * jit/JITPropertyAccess32_64.cpp:
1986         (JSC::JIT::emitSlow_op_resolve_scope):
1987         (JSC::JIT::emitSlow_op_get_from_scope):
1988         (JSC::JIT::emitSlow_op_put_to_scope):
1989         * jit/JITStubs.cpp:
1990         * jit/JITStubs.h:
1991
1992 2013-10-14  Filip Pizlo  <fpizlo@apple.com>
1993
1994         DFG PutById IC should use the ConcurrentJITLocker since it's now dealing with IC's that get read by the compiler thread
1995         https://bugs.webkit.org/show_bug.cgi?id=122786
1996
1997         Reviewed by Mark Hahnenberg.
1998
1999         * bytecode/CodeBlock.cpp:
2000         (JSC::CodeBlock::resetStub): Resetting a stub should acquire the lock since this is observable from the thread; but we should only acquire the lock if we're resetting outside of GC.
2001         * jit/Repatch.cpp:
2002         (JSC::repatchPutByID): Doing the PutById patching should hold the lock.
2003         (JSC::buildPutByIdList): Ditto.
2004
2005 2013-10-14  Nadav Rotem  <nrotem@apple.com>
2006
2007         Add FTL support for LogicalNot(string)
2008         https://bugs.webkit.org/show_bug.cgi?id=122765
2009
2010         Reviewed by Filip Pizlo.
2011
2012         This patch is tested by:
2013         regress/script-tests/emscripten-cube2hash.js.ftl-eager
2014
2015         * ftl/FTLCapabilities.cpp:
2016         (JSC::FTL::canCompile):
2017         * ftl/FTLLowerDFGToLLVM.cpp:
2018         (JSC::FTL::LowerDFGToLLVM::compileLogicalNot):
2019
2020 2013-10-14  Julien Brianceau  <jbriance@cisco.com>
2021
2022         [sh4] Fixes after r157404 and r157411.
2023         https://bugs.webkit.org/show_bug.cgi?id=122782
2024
2025         Reviewed by Michael Saboff.
2026
2027         * dfg/DFGSpeculativeJIT.h:
2028         (JSC::DFG::SpeculativeJIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG.
2029         * jit/CCallHelpers.h:
2030         (JSC::CCallHelpers::setupArgumentsWithExecState):
2031         * jit/JITInlines.h:
2032         (JSC::JIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG.
2033         * jit/JITPropertyAccess32_64.cpp:
2034         (JSC::JIT::emit_op_put_by_id): Remove unwanted BEGIN_UNINTERRUPTED_SEQUENCE.
2035
2036 2013-10-14  Commit Queue  <commit-queue@webkit.org>
2037
2038         Unreviewed, rolling out r157413.
2039         http://trac.webkit.org/changeset/157413
2040         https://bugs.webkit.org/show_bug.cgi?id=122779
2041
2042         Appears to have caused frequent crashes (Requested by ap on
2043         #webkit).
2044
2045         * CMakeLists.txt:
2046         * GNUmakefile.list.am:
2047         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2048         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2049         * JavaScriptCore.xcodeproj/project.pbxproj:
2050         * heap/DeferGC.cpp: Removed.
2051         * heap/DeferGC.h:
2052         * jit/JITStubs.cpp:
2053         (JSC::tryCacheGetByID):
2054         (JSC::DEFINE_STUB_FUNCTION):
2055         * llint/LLIntSlowPaths.cpp:
2056         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2057         * runtime/ConcurrentJITLock.h:
2058         * runtime/InitializeThreading.cpp:
2059         (JSC::initializeThreadingOnce):
2060         * runtime/JSCellInlines.h:
2061         (JSC::allocateCell):
2062         * runtime/Structure.cpp:
2063         (JSC::Structure::materializePropertyMap):
2064         (JSC::Structure::putSpecificValue):
2065         (JSC::Structure::createPropertyMap):
2066         * runtime/Structure.h:
2067
2068 2013-10-14  Mark Hahnenberg  <mhahnenberg@apple.com>
2069
2070         COLLECT_ON_EVERY_ALLOCATION causes assertion failures
2071         https://bugs.webkit.org/show_bug.cgi?id=122652
2072
2073         Reviewed by Filip Pizlo.
2074
2075         COLLECT_ON_EVERY_ALLOCATION wasn't accounting for the new GC deferral mechanism,
2076         so we would end up ASSERTing during garbage collection.
2077
2078         * heap/MarkedAllocator.cpp:
2079         (JSC::MarkedAllocator::allocateSlowCase):
2080
2081 2013-10-11  Oliver Hunt  <oliver@apple.com>
2082
2083         Separate out array iteration intrinsics
2084         https://bugs.webkit.org/show_bug.cgi?id=122656
2085
2086         Reviewed by Michael Saboff.
2087
2088         Separate out the intrinsics for key and values iteration
2089         of arrays.
2090
2091         This requires moving array iteration into the iterator
2092         instance, rather than the prototype, but this is essentially
2093         unobservable so we'll live with it for now.
2094
2095         * jit/ThunkGenerators.cpp:
2096         (JSC::arrayIteratorNextThunkGenerator):
2097         (JSC::arrayIteratorNextKeyThunkGenerator):
2098         (JSC::arrayIteratorNextValueThunkGenerator):
2099         * jit/ThunkGenerators.h:
2100         * runtime/ArrayIteratorPrototype.cpp:
2101         (JSC::ArrayIteratorPrototype::finishCreation):
2102         * runtime/Intrinsic.h:
2103         * runtime/JSArrayIterator.cpp:
2104         (JSC::JSArrayIterator::finishCreation):
2105         (JSC::createIteratorResult):
2106         (JSC::arrayIteratorNext):
2107         (JSC::arrayIteratorNextKey):
2108         (JSC::arrayIteratorNextValue):
2109         (JSC::arrayIteratorNextGeneric):
2110         * runtime/VM.cpp:
2111         (JSC::thunkGeneratorForIntrinsic):
2112
2113 2013-10-11  Mark Hahnenberg  <mhahnenberg@apple.com>
2114
2115         llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
2116         https://bugs.webkit.org/show_bug.cgi?id=122667
2117
2118         Reviewed by Filip Pizlo.
2119
2120         The issue this patch is attempting to fix is that there are places in our codebase
2121         where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
2122         operations that can initiate a garbage collection. Garbage collection then calls 
2123         some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
2124         always necessarily run during garbage collection). This causes a deadlock.
2125
2126         To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores 
2127         into a thread-local field that indicates that it is unsafe to perform any operation 
2128         that could trigger garbage collection on the current thread. In debug builds, 
2129         ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly 
2130         detect deadlocks.
2131
2132         This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
2133         which uses the DeferGC mechanism to prevent collections from occurring while the 
2134         lock is held.
2135
2136         * CMakeLists.txt:
2137         * GNUmakefile.list.am:
2138         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2139         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2140         * JavaScriptCore.xcodeproj/project.pbxproj:
2141         * heap/DeferGC.cpp: Added.
2142         * heap/DeferGC.h:
2143         (JSC::DisallowGC::DisallowGC):
2144         (JSC::DisallowGC::~DisallowGC):
2145         (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
2146         (JSC::DisallowGC::initialize):
2147         * jit/JITStubs.cpp:
2148         (JSC::tryCachePutByID):
2149         (JSC::tryCacheGetByID):
2150         (JSC::DEFINE_STUB_FUNCTION):
2151         * llint/LLIntSlowPaths.cpp:
2152         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2153         * runtime/ConcurrentJITLock.h:
2154         (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
2155         (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
2156         (JSC::ConcurrentJITLockerBase::unlockEarly):
2157         (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
2158         (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
2159         * runtime/InitializeThreading.cpp:
2160         (JSC::initializeThreadingOnce):
2161         * runtime/JSCellInlines.h:
2162         (JSC::allocateCell):
2163         * runtime/Structure.cpp:
2164         (JSC::Structure::materializePropertyMap):
2165         (JSC::Structure::putSpecificValue):
2166         (JSC::Structure::createPropertyMap):
2167         * runtime/Structure.h:
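
The lock-then-allocate deadlock described in this entry, and the two guards it introduces, as an added illustration that is not JavaScriptCore's code: the class names DisallowGC, DeferGC, ConcurrentJITLocker and GCSafeConcurrentJITLocker are taken from the entry, but their bodies, the Heap, CodeBlock, putByIdUnsafe, putByIdSafe and runScenario helpers, and the thread-local counters are all assumptions made for the example. Where JSC asserts (crashing a debug build) when a collection is attempted on a thread that has GC disallowed, the example records a violation and returns so that it can run to completion. The same pattern applies to the PutById IC patching that the 2013-10-14 entry above moves under the ConcurrentJITLocker.

```cpp
#include <cassert>
#include <cstdio>
#include <mutex>

// Thread-local nesting counters. JSC keeps a thread-specific flag for
// DisallowGC; counters are used here so that scopes can nest safely.
thread_local int disallowGCDepth = 0;
thread_local int deferGCDepth = 0;

// RAII marker: while one is alive, initiating a collection on this thread is a bug.
struct DisallowGC {
    DisallowGC() { ++disallowGCDepth; }
    ~DisallowGC() { --disallowGCDepth; }
    static bool isGCDisallowedOnCurrentThread() { return disallowGCDepth > 0; }
};

// Stand-in for a CodeBlock and its ConcurrentJITLock. The mutex is not recursive:
// taking it twice on one thread hangs, which is the hazard the entry describes.
struct CodeBlock {
    std::mutex lock;
    int visitedByGC = 0;
};

struct Heap {
    enum Outcome { Collected, Deferred, Disallowed };

    explicit Heap(CodeBlock* cb) : codeBlock(cb) {}

    CodeBlock* codeBlock;
    int collections = 0;
    int violations = 0;
    bool pendingCollection = false;

    // A collection visits every CodeBlock under its lock, so it must never run
    // while the mutator on this thread already holds that lock.
    void collect() {
        std::lock_guard<std::mutex> guard(codeBlock->lock);
        ++codeBlock->visitedByGC;
        ++collections;
    }

    // Allocation slow path: the point where a collection may be initiated.
    Outcome allocateSlowCase() {
        if (DisallowGC::isGCDisallowedOnCurrentThread()) {
            ++violations;   // JSC asserts here; counted instead so the example runs
            return Disallowed;
        }
        if (deferGCDepth > 0) {
            pendingCollection = true;   // run when the outermost DeferGC ends
            return Deferred;
        }
        collect();
        return Collected;
    }
};

// DeferGC: postpones collections for its lifetime and runs any collection
// requested meanwhile when the outermost scope exits.
struct DeferGC {
    Heap& heap;
    explicit DeferGC(Heap& h) : heap(h) { ++deferGCDepth; }
    ~DeferGC() {
        if (--deferGCDepth == 0 && heap.pendingCollection) {
            heap.pendingCollection = false;
            heap.collect();
        }
    }
};

// Plain locker: holds the lock plus a DisallowGC (debug-only in JSC, unconditional
// here), so a collection attempted under the lock is caught at the allocation site.
struct ConcurrentJITLocker {
    std::lock_guard<std::mutex> guard;
    DisallowGC disallow;
    explicit ConcurrentJITLocker(CodeBlock& cb) : guard(cb.lock) {}
};

// GC-safe locker: DeferGC is declared first, so collections are deferred before
// the lock is taken, and (members destroy in reverse order) the lock is released
// before the deferred collection runs and takes it itself.
struct GCSafeConcurrentJITLocker {
    DeferGC defer;
    std::lock_guard<std::mutex> guard;
    GCSafeConcurrentJITLocker(Heap& heap, CodeBlock& cb) : defer(heap), guard(cb.lock) {}
};

// The pattern that deadlocked: lock held, then an allocation that may collect.
Heap::Outcome putByIdUnsafe(Heap& heap, CodeBlock& cb) {
    ConcurrentJITLocker locker(cb);
    return heap.allocateSlowCase();
}

// The fixed pattern: the same allocation under a GCSafeConcurrentJITLocker.
Heap::Outcome putByIdSafe(Heap& heap, CodeBlock& cb) {
    GCSafeConcurrentJITLocker locker(heap, cb);
    return heap.allocateSlowCase();
}

struct ScenarioResult {
    Heap::Outcome unsafeOutcome, safeOutcome;
    int violations, collections, visitedByGC;
};

// Runs both patterns on a fresh heap with a single CodeBlock.
ScenarioResult runScenario() {
    CodeBlock cb;
    Heap heap(&cb);
    ScenarioResult r{};
    r.unsafeOutcome = putByIdUnsafe(heap, cb);   // flagged, not hung
    r.violations = heap.violations;
    r.safeOutcome = putByIdSafe(heap, cb);       // deferred until the lock is dropped
    r.collections = heap.collections;
    r.visitedByGC = cb.visitedByGC;
    return r;
}

int main() {
    ScenarioResult r = runScenario();
    std::printf("unsafe outcome=%d violations=%d; safe outcome=%d collections=%d visited=%d\n",
                (int)r.unsafeOutcome, r.violations, (int)r.safeOutcome, r.collections, r.visitedByGC);
    return 0;
}
```

The ordering of the two members in GCSafeConcurrentJITLocker is the whole point: if the lock guard were declared before the DeferGC, the deferred collection would run from the DeferGC destructor while the lock was still held and the original deadlock would return.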
2168
2169 2013-10-14  Filip Pizlo  <fpizlo@apple.com>
2170
2171         Baseline JIT should use the DFG's PutById IC
2172         https://bugs.webkit.org/show_bug.cgi?id=122704
2173
2174         Reviewed by Mark Hahnenberg.
2175         
2176         Mostly no big deal, just removing the old Baseline JIT's put_by_id IC support and forcing
2177         that JIT to use the DFG's (i.e. JITOperations) PutById IC.
2178         
2179         The only complicated part was that the PutById operations assumed that we first did a
2180         cell speculation, which the baseline JIT obviously won't do. So I changed all of those
2181         slow paths to deal with EncodedJSValue's.
2182
2183         * bytecode/CodeBlock.cpp:
2184         (JSC::CodeBlock::resetStubInternal):
2185         * bytecode/PutByIdStatus.cpp:
2186         (JSC::PutByIdStatus::computeFor):
2187         * dfg/DFGSpeculativeJIT.h:
2188         (JSC::DFG::SpeculativeJIT::callOperation):
2189         * dfg/DFGSpeculativeJIT32_64.cpp:
2190         (JSC::DFG::SpeculativeJIT::cachedPutById):
2191         * dfg/DFGSpeculativeJIT64.cpp:
2192         (JSC::DFG::SpeculativeJIT::cachedPutById):
2193         * jit/CCallHelpers.h:
2194         (JSC::CCallHelpers::setupArgumentsWithExecState):
2195         * jit/JIT.cpp:
2196         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
2197         * jit/JIT.h:
2198         (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
2199         (JSC::PropertyStubCompilationInfo::slowCaseInfo):
2200         * jit/JITInlines.h:
2201         (JSC::JIT::callOperation):
2202         * jit/JITOperationWrappers.h:
2203         * jit/JITOperations.cpp:
2204         * jit/JITOperations.h:
2205         * jit/JITPropertyAccess.cpp:
2206         (JSC::JIT::compileGetByIdHotPath):
2207         (JSC::JIT::compileGetByIdSlowCase):
2208         (JSC::JIT::emit_op_put_by_id):
2209         (JSC::JIT::emitSlow_op_put_by_id):
2210         * jit/JITPropertyAccess32_64.cpp:
2211         (JSC::JIT::compileGetByIdSlowCase):
2212         (JSC::JIT::emit_op_put_by_id):
2213         (JSC::JIT::emitSlow_op_put_by_id):
2214         * jit/JITStubs.cpp:
2215         * jit/JITStubs.h:
2216         * jit/Repatch.cpp:
2217         (JSC::appropriateGenericPutByIdFunction):
2218         (JSC::appropriateListBuildingPutByIdFunction):
2219         (JSC::resetPutByID):
2220
2221 2013-10-13  Filip Pizlo  <fpizlo@apple.com>
2222
2223         FTL should have an inefficient but correct implementation of GetById
2224         https://bugs.webkit.org/show_bug.cgi?id=122740
2225
2226         Reviewed by Mark Hahnenberg.
2227         
        It took some effort to realize that the node->prediction() checks in the DFG backends
        are completely unnecessary since the ByteCodeParser will always insert a ForceOSRExit
        if !prediction.

        But other than that this was an easy patch.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleGetById):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetById):

2013-10-13  Mark Lam  <mark.lam@apple.com>

        Transition misc cti_op_* JITStubs to JIT operations.
        https://bugs.webkit.org/show_bug.cgi?id=122645.

        Reviewed by Michael Saboff.

        Stubs converted:
            cti_op_check_has_instance
            cti_op_create_arguments
            cti_op_del_by_id
            cti_op_instanceof
            cti_to_object
            cti_op_push_activation
            cti_op_get_pnames
            cti_op_load_varargs

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JIT.h:
        (JSC::JIT::emitStoreCell):
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_create_activation):
        (JSC::JIT::emit_op_create_arguments):
        (JSC::JIT::emitSlow_op_check_has_instance):
        (JSC::JIT::emitSlow_op_instanceof):
        (JSC::JIT::emitSlow_op_get_argument_by_val):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emitSlow_op_check_has_instance):
        (JSC::JIT::emitSlow_op_instanceof):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_create_activation):
        (JSC::JIT::emit_op_create_arguments):
        (JSC::JIT::emitSlow_op_get_argument_by_val):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_del_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_del_by_id):
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:

2013-10-13  Filip Pizlo  <fpizlo@apple.com>

        FTL OSR exit should perform zero extension on values smaller than 64-bit
        https://bugs.webkit.org/show_bug.cgi?id=122688

        Reviewed by Gavin Barraclough.

        In the DFG we usually make the simplistic assumption that a 32-bit value in a 64-bit
        register will have zeros on the high bits.  In the few cases where the high bits are
        non-zero, the DFG sort of tells us this explicitly.

        But when working with llvm.webkit.stackmap, it doesn't work that way.  Consider that we might
        emit LLVM IR like:

            %2 = trunc i64 %1 to i32
            stuff %2
            call @llvm.webkit.stackmap(...., %2)

        LLVM may never actually emit a truncation instruction of any kind.  And that's great - in
        many cases it won't be needed, like if 'stuff %2' is a 32-bit op that ignores the high
        bits anyway.  Hence LLVM may tell us that %2 is in the register that still had the value
        from before truncation, and that register may have garbage in the high bits.

        This means that on our end, if we want a 32-bit value and we want that value to be
        zero-extended, we should zero-extend it ourselves.  This is pretty easy and should be
        cheap, so we should just do it and not make it a requirement that LLVM does it on its
        end.

        This makes all tests pass with JSC_ftlOSRExitUsesStackmap=true.

        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStubWithOSRExitStackmap):
        * ftl/FTLValueFormat.cpp:
        (JSC::FTL::reboxAccordingToFormat):

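The zero-extension point above, as an added C example that is not part of the WebKit change: the JSValue tag constants are JSC's real ones, while the ValueFormat enum and the two rebox functions are illustrative stand-ins for reboxAccordingToFormat, run over constructed register images whose high 32 bits are stale.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Added illustration, not JSC code: the stackmap can hand the OSR exit a register
 * whose low 32 bits are the truncated value while its high 32 bits are stale. */

typedef enum { FormatInt32, FormatBoolean, FormatJSValue } ValueFormat; /* stand-in enum */
/* JSC's 64-bit JSValue encoding constants (the real ones). */
#define NUMBER_TAG  0xffff000000000000ull /* int32 payload lives in the low 32 bits */
#define VALUE_FALSE 0x06ull
#define VALUE_TRUE  0x07ull

/* Before the fix: assume the high 32 bits of the register are already zero. */
static uint64_t rebox_trusting_high_bits(uint64_t reg, ValueFormat fmt)
{
    switch (fmt) {
    case FormatInt32:   return reg | NUMBER_TAG;
    case FormatBoolean: return reg | VALUE_FALSE;
    default:            return reg; /* FormatJSValue: already a complete JSValue */
    }
}

/* After the fix: zero-extend the 32-bit payload ourselves before tagging it. */
static uint64_t rebox_zero_extending(uint64_t reg, ValueFormat fmt)
{
    uint64_t low32 = (uint64_t)(uint32_t)reg; /* explicit zero extension, cheap */
    switch (fmt) {
    case FormatInt32:   return low32 | NUMBER_TAG;
    case FormatBoolean: return (low32 & 1) | VALUE_FALSE;
    default:            return reg;
    }
}

/* Canonical encodings that a correctly boxed value must match bit for bit. */
static uint64_t canonical_int32(int32_t v) { return (uint64_t)(uint32_t)v | NUMBER_TAG; }
static uint64_t canonical_bool(bool b) { return b ? VALUE_TRUE : VALUE_FALSE; }

int main(void)
{
    /* Constructed register images: low half holds the value, high half is stale. */
    uint64_t stale_int  = 0x000000010000002aull; /* i64 truncated to i32 42 */
    uint64_t stale_bool = 0xdeadbeef00000001ull; /* i1 true with leftover high bits */
    printf("int32: naive ok=%d fixed ok=%d\n",
           rebox_trusting_high_bits(stale_int, FormatInt32) == canonical_int32(42),
           rebox_zero_extending(stale_int, FormatInt32) == canonical_int32(42));
    printf("bool:  naive ok=%d fixed ok=%d\n",
           rebox_trusting_high_bits(stale_bool, FormatBoolean) == canonical_bool(true),
           rebox_zero_extending(stale_bool, FormatBoolean) == canonical_bool(true));
    return 0;
}
```

Only the zero-extending version yields the canonical bit pattern, which matters because the JIT fast paths compare boxed values as whole 64-bit words.
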
== Rolled over to ChangeLog-2013-10-13 ==