CodeBlock::jettison() shouldn't call baselineVersion()
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2013-11-02  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock::jettison() shouldn't call baselineVersion()
        https://bugs.webkit.org/show_bug.cgi?id=123675

        Reviewed by Geoffrey Garen.

        Fix more uses of baselineVersion().

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * bytecode/CodeBlock.h:
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):

2013-11-02  Filip Pizlo  <fpizlo@apple.com>

        LLVM asserts in internal-js-tests.yaml/Octane/stress-tests/mandreel.js
        https://bugs.webkit.org/show_bug.cgi?id=123535

        Reviewed by Geoffrey Garen.

        Use double comparisons for doubles.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::doubleToInt32):

2013-11-02  Patrick Gansterer  <paroga@webkit.org>

        Various small WinCE build fixes

        * jsc.cpp:
        (main):

2013-11-02  Patrick Gansterer  <paroga@webkit.org>

        Fix MSVC ARM build after r157581.

        * jit/JITStubsARM.h:

2013-11-01  Filip Pizlo  <fpizlo@apple.com>

        FTL should use a simple optimization pipeline by default
        https://bugs.webkit.org/show_bug.cgi?id=123638

        Reviewed by Geoffrey Garen.

        20% speed-up on imagine-gaussian-blur, when combined with --ftlUsesStackmaps=true.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * runtime/Options.h:

2013-11-01  Andreas Kling  <akling@apple.com>

        Neuter WTF_MAKE_FAST_ALLOCATED in GLOBAL_FASTMALLOC_NEW builds.
        <https://webkit.org/b/123639>

        JSC::ParserArenaRefCounted really needed to have the new/delete
        operators overridden, in order for JSC::ScopeNode to be able to
        choose that "operator new" out of the two it inherits.

        Reviewed by Anders Carlsson.

2013-11-01  Filip Pizlo  <fpizlo@apple.com>

        OSR exit profiling should be robust against all code being cleared
        https://bugs.webkit.org/show_bug.cgi?id=123629
        <rdar://problem/15365476>

        Reviewed by Michael Saboff.

        The problem here is two-fold:

        1) A watchpoint (i.e. ProfiledCodeBlockJettisoningWatchpoint) may be fired after we
        have cleared the CodeBlock for all or some Executables.  This means that doing
        codeBlock->baselineVersion() would either crash or return a bogus CodeBlock, since
        there wasn't a baseline code block reachable from the Executable anymore.  The
        solution is that we shouldn't be asking for the baseline code block reachable from
        the owning executable (what baselineVersion did), but instead we should be asking
        for the baseline version reachable from the code block being watchpointed (basically
        what CodeBlock::alternative() did).

        2) If dealing with inlined code, baselineCodeBlockForOriginAndBaselineCodeBlock()
        may return null, for the same reason as above - we might have cleared the baseline
        codeblock for the executable that was inlined.  The solution is to just not do
        profiling if there isn't a baseline code block anymore.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::baselineAlternative):
        (JSC::CodeBlock::baselineVersion):
        (JSC::CodeBlock::jettison):
        * bytecode/CodeBlock.h:
        * bytecode/CodeBlockJettisoningWatchpoint.cpp:
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):
        * dfg/DFGOSRExitBase.cpp:
        (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::AssemblyHelpers):
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::baselineCodeBlockFor):

2013-10-31  Oliver Hunt  <oliver@apple.com>

        JavaScript parser bug
        https://bugs.webkit.org/show_bug.cgi?id=123506

        Reviewed by Mark Lam.

        Add ParserState as an abstraction and use that to save and restore
        the parser state around nested functions (We'll need to use this in
        more places in future).  Also fix a minor error typo these testcases
        hit.

        * parser/Parser.cpp:
        (JSC::::parseFunctionInfo):
        (JSC::::parseAssignmentExpression):
        * parser/Parser.h:
        (JSC::Parser::saveState):
        (JSC::Parser::restoreState):

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        FTL Int32ToDouble should handle the forward type check case where you need a recovery
        https://bugs.webkit.org/show_bug.cgi?id=123605

        Reviewed by Mark Hahnenberg.

        If you have an Int32ToDouble that needs to do a type check and it's required to do a
        forward exit, then it needs to manually pass in a value recovery for itself in the
        OSR exit - since this is one of those forward-exiting nodes that doesn't have a
        preceding MovHint.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble):
        (JSC::FTL::LowerDFGToLLVM::forwardTypeCheck):

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        FTL should implement InvalidationPoint in terms of llvm.stackmap
        https://bugs.webkit.org/show_bug.cgi?id=113647

        Reviewed by Mark Hahnenberg.

        This is pretty straightforward now that InvalidationPoint has exactly the semantics
        that agree with llvm.stackmap.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::LowerDFGToLLVM::callStackmap):
        * ftl/FTLOSRExitCompilationInfo.h:
        (JSC::FTL::OSRExitCompilationInfo::OSRExitCompilationInfo):

2013-10-30  Oliver Hunt  <oliver@apple.com>

        Implement basic ES6 Math functions
        https://bugs.webkit.org/show_bug.cgi?id=123536

        Reviewed by Michael Saboff.

        Fairly trivial patch to implement the core ES6 Math functions.

        This doesn't implement Math.hypot as it is not a trivial function.
        I've also skipped Math.sign as I am yet to be convinced the spec
        behaviour is good.  Everything else is trivial.

        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        (JSC::mathProtoFuncACosh):
        (JSC::mathProtoFuncASinh):
        (JSC::mathProtoFuncATanh):
        (JSC::mathProtoFuncCbrt):
        (JSC::mathProtoFuncCosh):
        (JSC::mathProtoFuncExpm1):
        (JSC::mathProtoFuncFround):
        (JSC::mathProtoFuncLog1p):
        (JSC::mathProtoFuncLog10):
        (JSC::mathProtoFuncLog2):
        (JSC::mathProtoFuncSinh):
        (JSC::mathProtoFuncTanh):
        (JSC::mathProtoFuncTrunc):

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        FTL::Location::restoreInto() doesn't handle stack-related registers correctly if you're using it after pushing a new stack frame
        https://bugs.webkit.org/show_bug.cgi?id=123591

        Reviewed by Mark Hahnenberg.

        This gets us to pass more tests with ftlUsesStackmaps.

        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::restoreInto):
        * ftl/FTLLocation.h:
        * ftl/FTLThunks.cpp:
        (JSC::FTL::osrExitGenerationWithStackMapThunkGenerator):

2013-10-31  Alexey Proskuryakov  <ap@apple.com>

        Enable WebCrypto on Mac
        https://bugs.webkit.org/show_bug.cgi?id=123587

        Reviewed by Anders Carlsson.

        * Configurations/FeatureDefines.xcconfig: Do it.

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, really remove CachedTranscendentalFunction.h.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        Remove CachedTranscendentalFunction because caching math functions is an ugly idea
        https://bugs.webkit.org/show_bug.cgi?id=123574

        Reviewed by Mark Hahnenberg.

        This is performance-neutral because I also make Math.cos/sin intrinsic. This means that
        we gain the "overhead" of actually computing sin and cos but we lose the overhead of
        going through the native call thunks.

        Caching transcendental functions is a really ugly idea. It works for SunSpider because
        that benchmark makes very predictable calls into Math.sin. But I don't believe that this
        is representative of any kind of reality, and so for sensible uses of Math.sin/cos all
        that this was doing was adding more call overhead and some hashing overhead.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOperations.h:
        * runtime/CachedTranscendentalFunction.h: Removed.
        * runtime/DateInstanceCache.h:
        * runtime/Intrinsic.h:
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        (JSC::mathProtoFuncCos):
        (JSC::mathProtoFuncSin):
        * runtime/VM.h:

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Assertion failure in js/dom/global-constructors-attributes-dedicated-worker.html
        https://bugs.webkit.org/show_bug.cgi?id=123551
        <rdar://problem/15356238>

        Reviewed by Mark Hahnenberg.

        WatchpointSets have always had this "fire everything on deletion" policy because it
        seemed like a good fail-safe at the time I first implemented WatchpointSets. But
        it's actually causing bugs rather than providing safety:

        - Everyone who registers Watchpoints with WatchpointSets has separate mechanisms
          for either keeping the WatchpointSets alive or noticing when they are collected.
          So this wasn't actually providing any safety.

          One example of this is Structures, where:

          - CodeBlocks that register Watchpoints on Structure's WatchpointSet will also
            register weak references to the Structure, and the GC will jettison a CodeBlock
            if the Structure(s) it cares about dies.

          - StructureStubInfos that register Watchpoints on Structure's WatchpointSet will
            also be cleared by GC if the Structures die.

        - The WatchpointSet destructor would get invoked from finalization/destruction.
          This would then cause CodeBlock::jettison() to be called on a CodeBlock, but that
          method requires doing things that access heap objects. This would usually cause
          problems on VM destruction, since then the CodeBlocks would still be alive but the
          whole heap would be destroyed.

        This also ensures that CodeBlock::jettison() cannot cause a GC. This is safe since
        that method doesn't really allocate objects, and it is likely necessary because
        jettison() may be called from deep in the stack.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * bytecode/Watchpoint.cpp:
        (JSC::WatchpointSet::~WatchpointSet):
        * bytecode/Watchpoint.h:

2013-10-30  Mark Lam  <mark.lam@apple.com>

        Unreviewed, fix C Loop LLINT build.

        * bytecode/CodeBlockJettisoningWatchpoint.cpp:
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix FTL build.

        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):

2013-10-30  Alexey Proskuryakov  <ap@apple.com>

        Add a way to fulfill promises from DOM code
        https://bugs.webkit.org/show_bug.cgi?id=123466

        Reviewed by Sam Weinig.

        * JavaScriptCore.xcodeproj/project.pbxproj: Make JSPromise.h and JSPromiseResolver.h
        private headers for WebCore to use.

        * runtime/JSPromise.h:
        * runtime/JSPromiseResolver.h:
        Export functions that JSDOMPromise will use.

2013-10-30  Mark Lam  <mark.lam@apple.com>

        Adjust CallFrameHeader's ReturnPC and CallFrame locations to match the native ABI.
        https://bugs.webkit.org/show_bug.cgi?id=123444

        Reviewed by Geoffrey Garen.

        - Introduced an explicit CallerFrameAndPC struct.
        - A CallFrame is expected to start with a CallerFrameAndPC struct.
        - The Register class no longer supports CallFrame* and Instruction*.

          These hide the differences between JSVALUE32_64 and JSVALUE64 in
          terms of managing the callerFrame() and returnPC() values.

        - Convert all uses of JSStack::CallerFrame and JSStack::ReturnPC to
          go through CallFrame to access the appropriate values and offsets.
          CallFrame, in turn, will access the callerFrame and returnPC via
          the CallerFrameAndPC struct.

        - InlineCallFrame will provide offsets for its callerFrame and
          returnPC. It will make use of CallFrame::callerFrameOffset() and
          CallFrame::returnPCOffset() to compute these.

        * bytecode/CodeOrigin.h:
        (JSC::InlineCallFrame::callerFrameOffset):
        (JSC::InlineCallFrame::returnPCOffset):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::calleeFrameSlot):
        (JSC::DFG::SpeculativeJIT::calleeArgumentSlot):
        (JSC::DFG::SpeculativeJIT::calleeFrameTagSlot):
        (JSC::DFG::SpeculativeJIT::calleeFramePayloadSlot):
        (JSC::DFG::SpeculativeJIT::calleeArgumentTagSlot):
        (JSC::DFG::SpeculativeJIT::calleeArgumentPayloadSlot):
        - Prefixed all the above with callee since they apply to the callee frame.
        (JSC::DFG::SpeculativeJIT::calleeFrameCallerFrame):
        - Added to set the callerFrame pointer in the callee frame.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLink.cpp:
        (JSC::FTL::compileEntry):
        (JSC::FTL::link):
        * interpreter/CallFrame.h:
        (JSC::ExecState::callerFrame):
        (JSC::ExecState::callerFrameOffset):
        (JSC::ExecState::returnPC):
        (JSC::ExecState::hasReturnPC):
        (JSC::ExecState::clearReturnPC):
        (JSC::ExecState::returnPCOffset):
        (JSC::ExecState::setCallerFrame):
        (JSC::ExecState::setReturnPC):
        (JSC::ExecState::callerFrameAndPC):
        * interpreter/JSStack.h:
        * interpreter/Register.h:
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitPutToCallFrameHeader):
        - Convert to using storePtr() here and simplify the code.
        (JSC::AssemblyHelpers::emitGetCallerFrameFromCallFrameHeaderPtr):
        (JSC::AssemblyHelpers::emitPutCallerFrameToCallFrameHeader):
        (JSC::AssemblyHelpers::emitGetReturnPCFromCallFrameHeaderPtr):
        (JSC::AssemblyHelpers::emitPutReturnPCToCallFrameHeader):
        - Helpers to emit gets/puts of the callerFrame and returnPC.
        (JSC::AssemblyHelpers::addressForByteOffset):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompile):
        (JSC::JIT::privateCompileExceptionHandlers):
        * jit/JITCall.cpp:
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::emit_op_ret_object_or_this):
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileOpCall):
        * jit/JITInlines.h:
        (JSC::JIT::unmap):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_end):
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::emit_op_ret_object_or_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_end):
        * jit/JITOperations.cpp:
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::returnJSValue):
        (JSC::SpecializedThunkJIT::returnDouble):
        (JSC::SpecializedThunkJIT::returnInt32):
        (JSC::SpecializedThunkJIT::returnJSCell):
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::slowPathFor):
        (JSC::nativeForGenerator):

        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        - Updated offsets and asserts to match the new CallFrame layout.

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Mac.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::RegisterAllocationOffset::checkOffsets):
        (JSC::AbstractMacroAssembler::checkRegisterAllocationAgainstBranchRange):

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Windows.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Windows.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addFrequentExitSite):

2013-10-29  Filip Pizlo  <fpizlo@apple.com>

        Add InvalidationPoints to the DFG and use them for all watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=123472

        Reviewed by Mark Hahnenberg.

        This makes a fundamental change to how watchpoints work in the DFG.

        Previously, a watchpoint was an instruction whose execution semantics were something
        like:

            if (watchpoint->invalidated)
                exit

        We would implement this without any branch by using jump replacement.

        This is a very good optimization. But it's a bit awkward once you get a lot of
        watchpoints: semantically we will have lots of these branches in the code, which the
        compiler needs to reason about even though they don't actually result in any emitted
        code.

        Separately, we also had a mechanism for jettisoning a CodeBlock. This mechanism would
        be invoked if a CodeBlock exited a lot. It would ensure that a CodeBlock wouldn't be
        called into again, but it would do nothing for CodeBlocks that were already on the
        stack.

        This change flips jettisoning and watchpoint invalidation on their heads. Now, the jump
        replacement has nothing to do with watchpoints; instead it's something that happens if
        you ever jettison a CodeBlock. Jump replacement is now an all-or-nothing operation over
        all of the potential call-return safe-exit-points in a CodeBlock. We call these
        "InvalidationPoint"s. A watchpoint instruction is now "lowered" by having the DFG
        collect all of the watchpoint sets that the CodeBlock cares about, and then registering
        a CodeBlockJettisoningWatchpoint with all of them. That is, if the watchpoint fires, it
        jettisons the CodeBlock, which in turn ensures that the CodeBlock can't be called into
        (because the entrypoint now points to baseline code) and can't be returned into
        (because returning exits to baseline before the next bytecode instruction).

        This will allow for a sensible lowering of watchpoints to LLVM IR. It will also allow
        for jettison() to be used effectively for things like breakpointing and single-stepping
        in the debugger.

        Well, basically, this mechanism just takes us into the HotSpot-style world where anyone
        can, at any time and for any reason, request that an optimized CodeBlock is rendered
        immediately invalid. You can use this for many cool things, I'm sure.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * bytecode/CodeBlock.h:
        * bytecode/CodeBlockJettisoningWatchpoint.cpp: Added.
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/CodeBlockJettisoningWatchpoint.h: Added.
        (JSC::CodeBlockJettisoningWatchpoint::CodeBlockJettisoningWatchpoint):
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp: Added.
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.h: Added.
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::ProfiledCodeBlockJettisoningWatchpoint):
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGClobberize.cpp:
        (JSC::DFG::writesOverlap):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        (JSC::DFG::AbstractHeapOverlaps::AbstractHeapOverlaps):
        (JSC::DFG::AbstractHeapOverlaps::operator()):
        (JSC::DFG::AbstractHeapOverlaps::result):
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::CommonData::invalidate):
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::CommonData):
        * dfg/DFGDesiredWatchpoints.cpp:
        (JSC::DFG::DesiredWatchpoints::addLazily):
        (JSC::DFG::DesiredWatchpoints::reallyAdd):
        * dfg/DFGDesiredWatchpoints.h:
        (JSC::DFG::WatchpointForGenericWatchpointSet::WatchpointForGenericWatchpointSet):
        (JSC::DFG::GenericDesiredWatchpoints::addLazily):
        (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
        (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGInvalidationPointInjectionPhase.cpp: Added.
        (JSC::DFG::InvalidationPointInjectionPhase::InvalidationPointInjectionPhase):
        (JSC::DFG::InvalidationPointInjectionPhase::run):
        (JSC::DFG::InvalidationPointInjectionPhase::handle):
        (JSC::DFG::InvalidationPointInjectionPhase::insertInvalidationCheck):
        (JSC::DFG::performInvalidationPointInjection):
        * dfg/DFGInvalidationPointInjectionPhase.h: Added.
        * dfg/DFGJITCode.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        * dfg/DFGJumpReplacement.cpp: Added.
        (JSC::DFG::JumpReplacement::fire):
        * dfg/DFGJumpReplacement.h: Added.
        (JSC::DFG::JumpReplacement::JumpReplacement):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRExitCompilationInfo.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::reallyAdd):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::masqueradesAsUndefinedWatchpointIsStillValid):
        (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWatchpointCollectionPhase.cpp: Added.
        (JSC::DFG::WatchpointCollectionPhase::WatchpointCollectionPhase):
        (JSC::DFG::WatchpointCollectionPhase::run):
        (JSC::DFG::WatchpointCollectionPhase::handle):
        (JSC::DFG::WatchpointCollectionPhase::handleEdge):
        (JSC::DFG::WatchpointCollectionPhase::handleMasqueradesAsUndefined):
        (JSC::DFG::WatchpointCollectionPhase::handleStringGetByVal):
        (JSC::DFG::WatchpointCollectionPhase::addLazily):
        (JSC::DFG::WatchpointCollectionPhase::globalObject):
        (JSC::DFG::performWatchpointCollection):
        * dfg/DFGWatchpointCollectionPhase.h: Added.
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileStructureTransitionWatchpoint):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::compileGlobalVarWatchpoint):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
        (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
        * jit/JITOperations.cpp:
        * jit/JumpReplacementWatchpoint.cpp: Removed.
        * jit/JumpReplacementWatchpoint.h: Removed.
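The mechanism described in the InvalidationPoint entry above, together with the two earlier entries on this page (WatchpointSet no longer firing its watchpoints on deletion, and OSR exit profiling surviving cleared code blocks), is modelled below as an added example. This is not JavaScriptCore code and none of it is taken from the project: WatchpointSet, CodeBlock, jettison(), resolveEntry(), ProfiledCodeBlockJettisoningWatchpoint and the Fixture are simplified stand-ins that only borrow JSC's names, and the three scenarios (a transitioning Structure, a set destroyed at VM teardown, an inlined origin whose baseline block was cleared) are constructed for the illustration.

```cpp
// Added example, not JavaScriptCore code: a small model of the jettison/watchpoint design
// the ChangeLog entries describe. Names mirror JSC's, but every class here is a stand-in.
#include <cstddef>
#include <utility>
#include <vector>

struct Watchpoint {
    virtual ~Watchpoint() = default;
    virtual void fire() = 0;
};

// One speculation (e.g. "this Structure never transitions") plus its listeners. The destructor
// fires nothing: firing from finalization would run jettison() after the heap is already gone.
class WatchpointSet {
public:
    void add(Watchpoint* w) { if (m_valid) m_watchpoints.push_back(w); }
    void invalidate() {
        if (!m_valid) return;
        m_valid = false;
        std::vector<Watchpoint*> toFire = std::move(m_watchpoints);
        for (Watchpoint* w : toFire) w->fire();
    }
private:
    bool m_valid = true;
    std::vector<Watchpoint*> m_watchpoints;
};

struct CodeBlock {
    CodeBlock* alternative = nullptr;    // less optimized version of the same code
    std::size_t invalidationPoints = 0;  // call-return safe exit points in the code
    std::size_t patchedPoints = 0;       // how many of them have been jump-replaced
    bool jettisoned = false;
    int frequentExitSites = 0;           // exit profiling recorded on the baseline block

    // Walk this block's own alternative chain, not the owning Executable (its blocks may be cleared).
    CodeBlock* baselineAlternative() {
        CodeBlock* cb = this;
        while (cb->alternative) cb = cb->alternative;
        return cb;
    }
    // All-or-nothing: every InvalidationPoint is patched at once, so the block can neither
    // be called into nor returned into afterwards.
    void jettison() {
        if (!jettisoned) { jettisoned = true; patchedPoints = invalidationPoints; }
    }
};

// Where a call into `optimized` lands: the block itself, or its baseline once jettisoned.
CodeBlock* resolveEntry(CodeBlock* optimized) {
    return optimized->jettisoned ? optimized->baselineAlternative() : optimized;
}

// On a broken speculation: profile the exit if a baseline block still exists, then jettison.
struct ProfiledCodeBlockJettisoningWatchpoint : Watchpoint {
    CodeBlock* codeBlock = nullptr;         // optimized block being watched
    bool inlined = false;                   // did the speculation come from inlined code?
    CodeBlock* baselineForOrigin = nullptr; // baseline of the inlined origin; null once cleared
    void fire() override {
        CodeBlock* baseline = inlined ? baselineForOrigin : codeBlock->baselineAlternative();
        if (baseline) baseline->frequentExitSites++;  // skipped when the baseline was cleared
        codeBlock->jettison();
    }
};

struct Outcome { bool entryIsBaseline; std::size_t patchedPoints; int frequentExitSites; };

// Constructed fixture: a baseline block, a DFG block derived from it, one watchpoint on the DFG block.
struct Fixture {
    CodeBlock baseline, dfg;
    ProfiledCodeBlockJettisoningWatchpoint wp;
    explicit Fixture(std::size_t points) { dfg.alternative = &baseline; dfg.invalidationPoints = points; wp.codeBlock = &dfg; }
};

// Scenario 1: a watched Structure transitions; the DFG block has three InvalidationPoints.
Outcome invalidateViaWatchpoint() {
    Fixture f(3);
    WatchpointSet structureSet;
    structureSet.add(&f.wp);
    structureSet.invalidate();
    return { resolveEntry(&f.dfg) == &f.baseline, f.dfg.patchedPoints, f.baseline.frequentExitSites };
}

// Scenario 2: a WatchpointSet dies (e.g. VM destruction) without ever being invalidated.
bool destructionDoesNotFire() {
    Fixture f(3);
    { WatchpointSet set; set.add(&f.wp); }  // destructor runs here and fires nothing
    return !f.dfg.jettisoned && f.baseline.frequentExitSites == 0;
}

// Scenario 3: the inlined origin's baseline block was cleared before the watchpoint fired.
bool firesWithClearedInlinedBaseline() {
    Fixture f(1);
    f.wp.inlined = true;  // baselineForOrigin stays null: no profiling, but still jettisoned
    WatchpointSet set;
    set.add(&f.wp);
    set.invalidate();
    return f.dfg.jettisoned && f.dfg.patchedPoints == 1 && f.baseline.frequentExitSites == 0;
}
```

The block compiles as a C++11 translation unit; call the three scenario functions from a main of your own. The point of scenario 1 is that a single fire() patches every InvalidationPoint and redirects the entry to the baseline block, scenario 2 shows why the set's destructor must stay silent, and scenario 3 shows the watchpoint still invalidating the optimized code when there is no baseline block left to profile.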

2013-10-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSExport doesn't support constructors
        https://bugs.webkit.org/show_bug.cgi?id=123380

        Reviewed by Geoffrey Garen.

        Support for constructor-style callbacks for the Objective-C API to JSC is currently limited to
        Objective-C blocks. Any clients who try to call the constructor of a JSExport-ed Objective-C class
        are met with a type error stating that it cannot be called as a constructor.

        It would be nice to expand JSExport's functionality to support this idiom. It is a natural
        extension to JSExport and would increase the expressiveness and simplicity in both Objective-C and
        JavaScript client code.

        The way we'll do this is to expand the capabilities of ObjCCallbackFunction and associated classes.
        Instead of constructing a normal C API object for the constructor, we'll instead allocate a full-blown
        ObjCCallbackFunction object which can already properly handle being invoked as a constructor.

        * API/JSWrapperMap.mm:
        (copyMethodsToObject):
        (allocateConstructorForCustomClass):
        (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
        (tryUnwrapObjcObject):
        * API/ObjCCallbackFunction.h:
        (JSC::ObjCCallbackFunction::impl):
        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
        (JSC::ObjCCallbackFunctionImpl::wrappedConstructor):
        (JSC::ObjCCallbackFunctionImpl::isConstructible):
        (JSC::ObjCCallbackFunction::getConstructData):
        (JSC::ObjCCallbackFunctionImpl::name):
        (JSC::ObjCCallbackFunctionImpl::call):
        (objCCallbackFunctionForInvocation):
        (objCCallbackFunctionForInit):
        (tryUnwrapConstructor):
        * API/tests/testapi.mm:
        (-[TextXYZ initWithString:]):
        (-[ClassA initWithA:]):
        (-[ClassB initWithA:b:]):
        (-[ClassC initWithA:]):
        (-[ClassC initWithA:b:]):

2013-10-30  peavo@outlook.com  <peavo@outlook.com>

        [Win] Compile errors when enabling DFG JIT.
        https://bugs.webkit.org/show_bug.cgi?id=120998

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added files.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
        * dfg/DFGAllocator.h: Removed scope.
        * dfg/DFGWorklist.cpp: Use new ThreadingOnce class instead of pthread_once.
        (JSC::DFG::globalWorklist):
        * heap/DeferGC.h: Link fix, member needs to be public.
        * jit/JITOperationWrappers.h: Added required assembler macros.

2013-10-30  Iago Toral Quiroga  <itoral@igalia.com>

        Add result caching for Math.cos
        https://bugs.webkit.org/show_bug.cgi?id=123255

        Reviewed by Brent Fulgham.

        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncCos):
        * runtime/VM.h:

2013-10-30  Alex Christensen  <achristensen@webkit.org>

        Disabled JIT on Win64.
        https://bugs.webkit.org/show_bug.cgi?id=122472

        Reviewed by Geoffrey Garen.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        Disabled building JITStubsMSVC64.

2013-10-29  Michael Saboff  <msaboff@apple.com>

        Change local variable register allocation to start at offset -1
        https://bugs.webkit.org/show_bug.cgi?id=123182

        Reviewed by Geoffrey Garen.

728         Adjusted the virtual register mapping down by one slot.  Reduced
729         the CallFrame header slots offsets by one.  They now start at 0.
730         Changed arity fixup to no longer skip passed register slot 0 as this
731         is now part of the CallFrame header.
732
733         * bytecode/VirtualRegister.h:
734         (JSC::operandIsLocal):
735         (JSC::operandIsArgument):
736         (JSC::VirtualRegister::localToOperand):
737         (JSC::VirtualRegister::operandToLocal):
738           Adjusted functions for shift in mapping from local to register offset.
739
740         * dfg/DFGByteCodeParser.cpp:
741         (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
742         (JSC::DFG::ByteCodeParser::addCall):
743         (JSC::DFG::ByteCodeParser::handleInlining):
744         (JSC::DFG::ByteCodeParser::parseBlock):
745         * dfg/DFGVariableEventStream.cpp:
746         (JSC::DFG::VariableEventStream::reconstruct):
747         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
748         (JSC::DFG::VirtualRegisterAllocationPhase::run):
749         * interpreter/CallFrame.h:
750         (JSC::ExecState::frameExtent):
751         (JSC::ExecState::offsetFor):
752         * interpreter/Interpreter.cpp:
753         (JSC::loadVarargs):
754         (JSC::Interpreter::dumpRegisters):
755         (JSC::Interpreter::executeCall):
756         * llint/LLIntData.cpp:
757         (JSC::LLInt::Data::performAssertions):
758         * llint/LowLevelInterpreter.asm:
759           Adjusted math to accommodate the shift in call frame slots.
760
761         * dfg/DFGJITCompiler.cpp:
762         (JSC::DFG::JITCompiler::compileFunction):
763         * dfg/DFGSpeculativeJIT.h:
764         (JSC::DFG::SpeculativeJIT::calleeFrameOffset):
765         * interpreter/CallFrame.cpp:
766         (JSC::CallFrame::frameExtentInternal):
767         * interpreter/JSStackInlines.h:
768         (JSC::JSStack::pushFrame):
769         * jit/JIT.cpp:
770         (JSC::JIT::privateCompile):
771         * jit/JITOperations.cpp:
772         * llint/LLIntSlowPaths.cpp:
773         (JSC::LLInt::llint_slow_path_stack_check):
774         * runtime/CommonSlowPaths.h:
775         (JSC::CommonSlowPaths::arityCheckFor):
776           Fixed offset calculation to use VirtualRegister and related calculation instead of
777           doing separate calculations.
778
779         * interpreter/JSStack.h:
780           Adjusted CallFrame slots down by one.  Did some miscellaneous fixing of dumpRegisters()
781           in the process of testing the fixes.
782
783         * jit/ThunkGenerators.cpp:
784         (JSC::arityFixup):
785           Changed arity fixup to no longer skip passed register slot 0 as this
786           is now part of the CallFrame header.
787
788         * llint/LowLevelInterpreter32_64.asm:
789         * llint/LowLevelInterpreter64.asm:
790           Changed arity fixup to no longer skip passed register slot 0 as this
791           is now part of the CallFrame header.  Updated op_enter processing for
792           the change in local registers.
793
794         * runtime/JSGlobalObject.h:
795           Removed the now unneeded extra slot in the global callframe
796
797 2013-10-29  Julien Brianceau  <jbriance@cisco.com>
798
799         [arm] Fix lots of crashes because of 4th argument register trampling.
800         https://bugs.webkit.org/show_bug.cgi?id=123421
801
802         Reviewed by Michael Saboff.
803
804         The r3 register is the 4th argument register for ARM and also a scratch
805         register in the baseline JIT for this architecture. We can use r6
806         instead, as this used to be the timeoutCheckRegister and it is no
807         longer used since r148119.
808
809         * assembler/ARMAssembler.h: Temp register is now r6 instead of r3 for ARM.
810         * assembler/MacroAssemblerARMv7.h: Temp register is now r6 instead of r3 for ARMv7.
811         * jit/GPRInfo.h: Add r3 properly in GPRInfo for ARM.
812         (JSC::GPRInfo::toRegister):
813         (JSC::GPRInfo::toIndex):
814         * jit/JITStubsARM.h:
815         (JSC::ctiTrampoline): Remove obsolete timeoutCheckRegister init.
816         * jit/JITStubsARMv7.h:
817         (JSC::ctiTrampoline): Remove obsolete timeoutCheckRegister init.
818         * jit/JSInterfaceJIT.h: Remove useless stuff.
819         * yarr/YarrJIT.cpp: Use r3 and not the new scratch register r6.
820         (JSC::Yarr::YarrGenerator::generateEnter): r8 register doesn't need to be saved.
821         (JSC::Yarr::YarrGenerator::generateReturn):
822
823 2013-10-29  Julien Brianceau  <jbriance@cisco.com>
824
825         Fix CPU(ARM_TRADITIONAL) build after r157690.
826         https://bugs.webkit.org/show_bug.cgi?id=123247
827
828         Reviewed by Michael Saboff.
829
830         Since r157690, the executableCopy function has been removed from AssemblerBuffer.h
831         and the copy of executable code occurs in the linkCode function (in LinkBuffer.cpp).
832         As the constant pool for jumps is updated in the executableCopy function of ARM_TRADITIONAL,
833         this part of code still needs to be called and absolute jumps must be corrected to anticipate
834         the copy of the executable code through memcpy.
835
836         * assembler/ARMAssembler.cpp:
837         (JSC::ARMAssembler::prepareExecutableCopy): Rename executableCopy to prepareExecutableCopy
838         and correct absolute jump values using the delta between the source and destination buffers.
839         * assembler/ARMAssembler.h:
840         * assembler/LinkBuffer.cpp:
841         (JSC::LinkBuffer::linkCode): Call prepareExecutableCopy just before the memcpy.
842
843 2013-10-28  Filip Pizlo  <fpizlo@apple.com>
844
845         OSRExit::m_watchpointIndex should be in OSRExitCompilationInfo
846         https://bugs.webkit.org/show_bug.cgi?id=123423
847
848         Reviewed by Mark Hahnenberg.
849         
850         Also enable ExitKind to tell you if it's a watchpoint.
851
852         * bytecode/ExitKind.cpp:
853         (JSC::exitKindToString):
854         * bytecode/ExitKind.h:
855         (JSC::isWatchpoint):
856         * dfg/DFGByteCodeParser.cpp:
857         (JSC::DFG::ByteCodeParser::setLocal):
858         (JSC::DFG::ByteCodeParser::setArgument):
859         (JSC::DFG::ByteCodeParser::handleCall):
860         (JSC::DFG::ByteCodeParser::handleGetById):
861         (JSC::DFG::ByteCodeParser::parseBlock):
862         * dfg/DFGJITCompiler.cpp:
863         (JSC::DFG::JITCompiler::linkOSRExits):
864         (JSC::DFG::JITCompiler::link):
865         * dfg/DFGJITCompiler.h:
866         (JSC::DFG::JITCompiler::appendExitInfo):
867         * dfg/DFGOSRExit.cpp:
868         (JSC::DFG::OSRExit::OSRExit):
869         * dfg/DFGOSRExit.h:
870         * dfg/DFGOSRExitCompilationInfo.h:
871         (JSC::DFG::OSRExitCompilationInfo::OSRExitCompilationInfo):
872         * dfg/DFGOSRExitCompiler.cpp:
873         * dfg/DFGSpeculativeJIT.cpp:
874         (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
875         * dfg/DFGSpeculativeJIT32_64.cpp:
876         (JSC::DFG::SpeculativeJIT::compile):
877         * dfg/DFGSpeculativeJIT64.cpp:
878         (JSC::DFG::SpeculativeJIT::compile):
879
880 2013-10-28  Myles C. Maxfield  <mmaxfield@apple.com>
881
882         Parsing support for -webkit-text-decoration-skip: ink
883         https://bugs.webkit.org/show_bug.cgi?id=123358
884
885         Reviewed by Dean Jackson.
886
887         Adding ENABLE(CSS3_TEXT_DECORATION)
888
889         * Configurations/FeatureDefines.xcconfig:
890
891 2013-10-24  Filip Pizlo  <fpizlo@apple.com>
892
893         Get rid of InlineStart so that I don't have to implement it in FTL
894         https://bugs.webkit.org/show_bug.cgi?id=123302
895
896         Reviewed by Geoffrey Garen.
897         
898         InlineStart was a special instruction that we would insert at the top of inlined code,
899         so that the backend could capture the OSR state of arguments to an inlined call. It used
900         to be that only the backend had this information, so this instruction was sort of an ugly
901         callback from the backend for filling in some data structures.
902         
903         But in the time since that code was written (two years ago?), we rationalized how
904         variables work. It's now the case that variables that the runtime must know about are
905         treated specially in IR (they are "flushed") and we know how we will represent them even
906         before we get to the backend. The last place that makes changes to their representation
907         is the StackLayoutPhase.
908         
909         So, this patch gets rid of InlineStart, but keeps around the special meta-data that the
910         instruction had. Instead of handling the bookkeeping in the backend, we handle it in
911         StackLayoutPhase. This means that the DFG and FTL can share code for handling this
912         bookkeeping. This also means that now the FTL can compile code blocks that had inlining.
913         
914         Of course, giving the FTL the ability to handle code blocks that had inlining means that
915         we're going to have new bugs. Sure enough, the FTL's linker didn't handle inline call
916         frames. This patch also fixes that.
917
918         * dfg/DFGAbstractInterpreterInlines.h:
919         (JSC::DFG::::executeEffects):
920         * dfg/DFGByteCodeParser.cpp:
921         (JSC::DFG::ByteCodeParser::handleInlining):
922         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
923         * dfg/DFGClobberize.h:
924         (JSC::DFG::clobberize):
925         * dfg/DFGFixupPhase.cpp:
926         (JSC::DFG::FixupPhase::fixupNode):
927         * dfg/DFGGraph.h:
928         * dfg/DFGNode.h:
929         * dfg/DFGNodeType.h:
930         * dfg/DFGPredictionPropagationPhase.cpp:
931         (JSC::DFG::PredictionPropagationPhase::propagate):
932         * dfg/DFGSafeToExecute.h:
933         (JSC::DFG::safeToExecute):
934         * dfg/DFGSpeculativeJIT.cpp:
935         * dfg/DFGSpeculativeJIT.h:
936         * dfg/DFGSpeculativeJIT32_64.cpp:
937         (JSC::DFG::SpeculativeJIT::compile):
938         * dfg/DFGSpeculativeJIT64.cpp:
939         (JSC::DFG::SpeculativeJIT::compile):
940         * dfg/DFGStackLayoutPhase.cpp:
941         (JSC::DFG::StackLayoutPhase::run):
942         * ftl/FTLLink.cpp:
943         (JSC::FTL::link):
944
945 2013-10-24  Filip Pizlo  <fpizlo@apple.com>
946
947         The GetById->GetByOffset AI-based optimization should actually do things
948         https://bugs.webkit.org/show_bug.cgi?id=123299
949
950         Reviewed by Oliver Hunt.
951         
952         20% speed-up on Octane/gbemu.
953
954         * bytecode/GetByIdStatus.cpp:
955         (JSC::GetByIdStatus::computeFor): Actually finish filling in the Status by setting the state. Previously it would remain set to NoInformation, meaning that this whole method was a no-op.
956
957 2013-10-28  Carlos Garcia Campos  <cgarcia@igalia.com>
958
959         Unreviewed. Fix make distcheck.
960
961         * GNUmakefile.list.am: Add missing files to compilation.
962
963 2013-10-25  Oliver Hunt  <oliver@apple.com>
964
965         Refactor parser rollback logic
966         https://bugs.webkit.org/show_bug.cgi?id=123372
967
968         Reviewed by Brady Eidson.
969
970         Add a sane abstraction for rollbacks in the parser.
971
972         * parser/Parser.cpp:
973         (JSC::::parseSourceElements):
974         (JSC::::parseObjectLiteral):
975         * parser/Parser.h:
976         (JSC::Parser::createSavePoint):
977         (JSC::Parser::restoreSavePoint):
978
979 2013-10-25  peavo@outlook.com  <peavo@outlook.com>
980
981         [Win] Javascript crash with DFG JIT enabled.
982         https://bugs.webkit.org/show_bug.cgi?id=121001
983
984         Reviewed by Geoffrey Garen.
985
986         On Windows, using register GPRInfo::regT0 as a parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0)
987         results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
988         where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
989         This causes the register to be written to address 0, hence the crash.
990   
991         * assembler/MacroAssemblerX86.h:
992         (JSC::MacroAssemblerX86::storeDouble): Assert if we try to generate code which writes to a null pointer.
993         * dfg/DFGOSRExitCompiler32_64.cpp:
994         (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
995         * dfg/DFGThunks.cpp:
996         (JSC::DFG::osrExitGenerationThunkGenerator): Ditto.
997
998 2013-10-25  Oliver Hunt  <oliver@apple.com>
999
1000         Fix a number of problems with destructuring of arguments
1001         https://bugs.webkit.org/show_bug.cgi?id=123357
1002
1003         Reviewed by Filip Pizlo.
1004
1005         This renames the destructuring node's emitBytecode to bindValue
1006         in order to remove the existing confusion over what was happening.
1007
1008         We then fix an incorrect fall through in the destructuring arguments
1009         logic, and fix the then exposed bug where we placed the index rather
1010         than value into the bound property.
1011
1012         * bytecompiler/BytecodeGenerator.cpp:
1013         (JSC::BytecodeGenerator::BytecodeGenerator):
1014         * bytecompiler/NodesCodegen.cpp:
1015         (JSC::ForInNode::emitBytecode):
1016         (JSC::ForOfNode::emitBytecode):
1017         (JSC::DeconstructingAssignmentNode::emitBytecode):
1018         (JSC::ArrayPatternNode::bindValue):
1019         (JSC::ArrayPatternNode::emitDirectBinding):
1020         (JSC::ObjectPatternNode::bindValue):
1021         (JSC::BindingNode::bindValue):
1022         * parser/Nodes.h:
1023
1024 2013-10-25  Joseph Pecoraro  <pecoraro@apple.com>
1025
1026         Upstream ENABLE(REMOTE_INSPECTOR) and enable on iOS and Mac
1027         https://bugs.webkit.org/show_bug.cgi?id=123111
1028
1029         Reviewed by Timothy Hatcher.
1030
1031         * Configurations/FeatureDefines.xcconfig:
1032
1033 2013-10-25  Oliver Hunt  <oliver@apple.com>
1034
1035         Fix MSVC again
1036
1037         * parser/Parser.cpp:
1038
1039 2013-10-25  Oliver Hunt  <oliver@apple.com>
1040
1041         Fix MSVC
1042
1043         * parser/Parser.cpp:
1044
1045 2013-10-25  Oliver Hunt  <oliver@apple.com>
1046
1047         Improve JSC Parser error messages
1048         https://bugs.webkit.org/show_bug.cgi?id=123341
1049
1050         Reviewed by Andreas Kling.
1051
1052         This patch moves away from the current kludgy mechanisms used to produce
1053         error messages and moves to something closer to case-by-case errors.
1054
1055         This results in a large change size as previously we may just have
1056         'failIfFalse(foo)', but now the logic becomes either
1057         'failIfFalseWithMessage(foo, "Cannot do blah with ", foo->thing())'
1058         Or alternatively
1059
1060         if (!foo)
1061             check for 'interesting' errors, before falling back to generic error
1062
1063         This means that this patch is large, but produces no semantic changes, and
1064         only hits slow (e.g. error) paths.
1065
1066         * parser/Parser.cpp:
1067         (JSC::::Parser):
1068         (JSC::::parseSourceElements):
1069         (JSC::::parseVarDeclaration):
1070         (JSC::::parseConstDeclaration):
1071         (JSC::::parseDoWhileStatement):
1072         (JSC::::parseWhileStatement):
1073         (JSC::::parseVarDeclarationList):
1074         (JSC::::createBindingPattern):
1075         (JSC::::parseDeconstructionPattern):
1076         (JSC::::parseConstDeclarationList):
1077         (JSC::::parseForStatement):
1078         (JSC::::parseBreakStatement):
1079         (JSC::::parseContinueStatement):
1080         (JSC::::parseReturnStatement):
1081         (JSC::::parseThrowStatement):
1082         (JSC::::parseWithStatement):
1083         (JSC::::parseSwitchStatement):
1084         (JSC::::parseSwitchClauses):
1085         (JSC::::parseSwitchDefaultClause):
1086         (JSC::::parseTryStatement):
1087         (JSC::::parseDebuggerStatement):
1088         (JSC::::parseBlockStatement):
1089         (JSC::::parseStatement):
1090         (JSC::::parseFormalParameters):
1091         (JSC::::parseFunctionBody):
1092         (JSC::stringForFunctionMode):
1093         (JSC::::parseFunctionInfo):
1094         (JSC::::parseFunctionDeclaration):
1095         (JSC::::parseExpressionOrLabelStatement):
1096         (JSC::::parseExpressionStatement):
1097         (JSC::::parseIfStatement):
1098         (JSC::::parseExpression):
1099         (JSC::::parseAssignmentExpression):
1100         (JSC::::parseConditionalExpression):
1101         (JSC::::parseBinaryExpression):
1102         (JSC::::parseProperty):
1103         (JSC::::parseObjectLiteral):
1104         (JSC::::parseStrictObjectLiteral):
1105         (JSC::::parseArrayLiteral):
1106         (JSC::::parsePrimaryExpression):
1107         (JSC::::parseArguments):
1108         (JSC::::parseMemberExpression):
1109         (JSC::operatorString):
1110         (JSC::::parseUnaryExpression):
1111         (JSC::::printUnexpectedTokenText):
1112         * parser/Parser.h:
1113         (JSC::Scope::hasDeclaredVariable):
1114         (JSC::Scope::hasDeclaredParameter):
1115         (JSC::Parser::hasDeclaredVariable):
1116         (JSC::Parser::hasDeclaredParameter):
1117         (JSC::Parser::setErrorMessage):
1118
1119 2013-10-24  Mark Rowe  <mrowe@apple.com>
1120
1121         Remove references to OS X 10.7 from Xcode configuration settings.
1122
1123         Now that we're not building for OS X 10.7 they're no longer needed.
1124
1125         Reviewed by Anders Carlsson.
1126
1127         * Configurations/Base.xcconfig:
1128         * Configurations/DebugRelease.xcconfig:
1129         * Configurations/FeatureDefines.xcconfig:
1130         * Configurations/Version.xcconfig:
1131
1132 2013-10-24  Mark Rowe  <mrowe@apple.com>
1133
1134         <rdar://problem/15312643> Prepare for the mysterious future.
1135
1136         Reviewed by David Kilzer.
1137
1138         * Configurations/Base.xcconfig:
1139         * Configurations/DebugRelease.xcconfig:
1140         * Configurations/FeatureDefines.xcconfig:
1141         * Configurations/Version.xcconfig:
1142
1143 2013-10-24  Mark Lam  <mark.lam@apple.com>
1144
1145         Better way to fix part of broken C Loop LLINT build.
1146         https://bugs.webkit.org/show_bug.cgi?id=123271
1147
1148         Reviewed by Geoffrey Garen.
1149
1150         Undoing offline asm hackery.
1151
1152         * llint/LowLevelInterpreter.cpp:
1153         * llint/LowLevelInterpreter32_64.asm:
1154         * llint/LowLevelInterpreter64.asm:
1155         * offlineasm/cloop.rb:
1156         * offlineasm/instructions.rb:
1157
1158 2013-10-24  Mark Lam  <mark.lam@apple.com>
1159
1160         Fix broken C Loop LLINT build.
1161         https://bugs.webkit.org/show_bug.cgi?id=123271
1162
1163         Reviewed by Michael Saboff.
1164
1165         * bytecode/CodeBlock.cpp:
1166         (JSC::CodeBlock::printGetByIdCacheStatus): Added an UNUSED_PARAM().
1167         (JSC::CodeBlock::dumpBytecode): Added #if ENABLE(JIT) to JIT only code.
1168         * bytecode/GetByIdStatus.cpp:
1169         (JSC::GetByIdStatus::computeFor): Added an UNUSED_PARAM().
1170         * bytecode/PutByIdStatus.cpp:
1171         (JSC::PutByIdStatus::computeFor): Added an UNUSED_PARAM().
1172         * bytecode/StructureStubInfo.h:
1173         - Added a stub StubInfoMap for non-JIT builds. StubInfoMap is still used
1174           in function prototypes even when !ENABLE(JIT). Rather than adding #if's
1175           in many places, we just provide a stub/placeholder implementation that
1176           is unused but keeps the compiler happy.
1177         * jit/JITOperations.h: Added #if ENABLE(JIT).
1178         * llint/LowLevelInterpreter32_64.asm:
1179         * llint/LowLevelInterpreter64.asm:
1180         - The putByVal() macro reifies a slow path which is never taken in one case.
1181           This translates into a label that is never used in the C Loop LLINT. The
1182           C++ compiler doesn't like unused labels. So, we fix this by adding a
1183           cloopUnusedLabel offline asm instruction that synthesizes the following:
1184
1185               if (false) goto unusedLabel;
1186
1187           This keeps the C++ compiler happy without changing code behavior.
1188         * offlineasm/cloop.rb: Implementing cloopUnusedLabel.
1189         * offlineasm/instructions.rb: Declaring cloopUnusedLabel.
1190         * runtime/Executable.cpp:
1191         (JSC::setupJIT): Added UNUSED_PARAM()s.
1192         (JSC::ScriptExecutable::prepareForExecutionImpl):
1193         - run-javascriptcore-tests has phases that force the LLINT to be off,
1194           which in turn asserts that the JIT is enabled. With the C Loop LLINT,
1195           this combination is illegal. So, we override the setup code here to
1196           always use the LLINT if !ENABLE(JIT) regardless of what options are
1197           passed in.
1198
1199 2013-10-24  peavo@outlook.com  <peavo@outlook.com>
1200
1201         Uninitialized member causes crash when DFG JIT is not enabled.
1202         https://bugs.webkit.org/show_bug.cgi?id=123270
1203
1204         Reviewed by Brent Fulgham.
1205
1206         The data member sizeOfLastScratchBuffer in the VM class is only initialized if DFG JIT is enabled, even though it's defined regardless.
1207         This causes an early crash on Windows, which doesn't have DFG JIT enabled.
1208
1209         * runtime/VM.cpp:
1210         (JSC::VM::VM): Initialize sizeOfLastScratchBuffer member regardless of whether DFG JIT is enabled.
1211
1212 2013-10-24  Ryuan Choi  <ryuan.choi@samsung.com>
1213
1214         [EFL] Build break with latest EFL 1.8 libraries.
1215         https://bugs.webkit.org/show_bug.cgi?id=123245
1216
1217         Reviewed by Gyuyoung Kim.
1218
1219         After the build break on EFL 1.8 was fixed at r138326, the EFL libraries changed the
1220         Eo typedef and split the header files which contain the version macro.
1221
1222         * PlatformEfl.cmake: Added EO path to include directories.
1223         * heap/HeapTimer.h: Changed Ecore_Timer typedef when EO exist.
1224
1225 2013-10-23  Filip Pizlo  <fpizlo@apple.com>
1226
1227         Put all uses of LLVM intrinsics behind a single Option
1228         https://bugs.webkit.org/show_bug.cgi?id=123219
1229
1230         Reviewed by Mark Hahnenberg.
1231
1232         * ftl/FTLExitThunkGenerator.cpp:
1233         (JSC::FTL::ExitThunkGenerator::emitThunk):
1234         * ftl/FTLLowerDFGToLLVM.cpp:
1235         (JSC::FTL::generateExitThunks):
1236         (JSC::FTL::LowerDFGToLLVM::compileGetById):
1237         (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
1238         (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
1239         * ftl/FTLOSRExitCompiler.cpp:
1240         (JSC::FTL::compileFTLOSRExit):
1241         * runtime/Options.h:
1242
1243 2013-10-23  Daniel Bates  <dabates@apple.com>
1244
1245         Fix JavaScriptCore build targets following <http://trac.webkit.org/changeset/157864>
1246         (https://bugs.webkit.org/show_bug.cgi?id=123169)
1247
1248         Tell Xcode that the supported platforms for all JavaScriptCore targets are iOS and OS X.
1249
1250         * Configurations/Base.xcconfig:
1251
1252 2013-10-23  Michael Saboff  <msaboff@apple.com>
1253
1254         LLInt arity check exception processing should start unwinding from caller
1255         https://bugs.webkit.org/show_bug.cgi?id=123209
1256
1257         Reviewed by Oliver Hunt.
1258
1259         Use the caller frame returned from slow_path_call_arityCheck to process exceptions.
1260
1261         * llint/LowLevelInterpreter32_64.asm:
1262         * llint/LowLevelInterpreter64.asm:
1263
1264 2013-10-22  Filip Pizlo  <fpizlo@apple.com>
1265
1266         FTL should be able to do some simple inline caches using LLVM patchpoints
1267         https://bugs.webkit.org/show_bug.cgi?id=123164
1268
1269         Reviewed by Mark Hahnenberg.
1270         
1271         This implements GetById inline caches in the FTL using llvm.webkit.patchpoint.
1272         
1273         The idea is that we ask LLVM for a nop slide the size of a GetById inline
1274         cache and then fill in the code after LLVM compilation is complete. For now, we
1275         just use the system calling convention for the arguments and return. We also
1276         still make some assumptions about registers that aren't correct. But, most of
1277         the scaffolding is there and this will successfully patch an inline cache.
1278
1279         * JavaScriptCore.xcodeproj/project.pbxproj:
1280         * assembler/AbstractMacroAssembler.h:
1281         * assembler/LinkBuffer.cpp:
1282         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
1283         (JSC::LinkBuffer::linkCode):
1284         (JSC::LinkBuffer::allocate):
1285         * assembler/LinkBuffer.h:
1286         (JSC::LinkBuffer::LinkBuffer):
1287         (JSC::LinkBuffer::link):
1288         * ftl/FTLAbbreviations.h:
1289         (JSC::FTL::constNull):
1290         (JSC::FTL::buildCall):
1291         * ftl/FTLCapabilities.cpp:
1292         (JSC::FTL::canCompile):
1293         * ftl/FTLCompile.cpp:
1294         (JSC::FTL::fixFunctionBasedOnStackMaps):
1295         * ftl/FTLInlineCacheDescriptor.h: Added.
1296         (JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
1297         (JSC::FTL::GetByIdDescriptor::GetByIdDescriptor):
1298         (JSC::FTL::GetByIdDescriptor::stackmapID):
1299         (JSC::FTL::GetByIdDescriptor::codeOrigin):
1300         (JSC::FTL::GetByIdDescriptor::uid):
1301         * ftl/FTLInlineCacheSize.cpp: Added.
1302         (JSC::FTL::sizeOfGetById):
1303         (JSC::FTL::sizeOfPutById):
1304         * ftl/FTLInlineCacheSize.h: Added.
1305         * ftl/FTLIntrinsicRepository.h:
1306         * ftl/FTLJITFinalizer.cpp:
1307         (JSC::FTL::JITFinalizer::finalizeFunction):
1308         * ftl/FTLJITFinalizer.h:
1309         * ftl/FTLLocation.cpp:
1310         (JSC::FTL::Location::directGPR):
1311         * ftl/FTLLocation.h:
1312         * ftl/FTLLowerDFGToLLVM.cpp:
1313         (JSC::FTL::LowerDFGToLLVM::compileGetById):
1314         * ftl/FTLOutput.h:
1315         (JSC::FTL::Output::call):
1316         * ftl/FTLSlowPathCall.cpp: Added.
1317         (JSC::FTL::callOperation):
1318         * ftl/FTLSlowPathCall.h: Added.
1319         (JSC::FTL::SlowPathCall::SlowPathCall):
1320         (JSC::FTL::SlowPathCall::call):
1321         (JSC::FTL::SlowPathCall::key):
1322         * ftl/FTLSlowPathCallKey.cpp: Added.
1323         (JSC::FTL::SlowPathCallKey::dump):
1324         * ftl/FTLSlowPathCallKey.h: Added.
1325         (JSC::FTL::SlowPathCallKey::SlowPathCallKey):
1326         (JSC::FTL::SlowPathCallKey::usedRegisters):
1327         (JSC::FTL::SlowPathCallKey::callTarget):
1328         (JSC::FTL::SlowPathCallKey::offset):
1329         (JSC::FTL::SlowPathCallKey::isEmptyValue):
1330         (JSC::FTL::SlowPathCallKey::isDeletedValue):
1331         (JSC::FTL::SlowPathCallKey::operator==):
1332         (JSC::FTL::SlowPathCallKey::hash):
1333         (JSC::FTL::SlowPathCallKeyHash::hash):
1334         (JSC::FTL::SlowPathCallKeyHash::equal):
1335         * ftl/FTLStackMaps.cpp:
1336         (JSC::FTL::StackMaps::Location::directGPR):
1337         * ftl/FTLStackMaps.h:
1338         * ftl/FTLState.h:
1339         * ftl/FTLThunks.cpp:
1340         (JSC::FTL::slowPathCallThunkGenerator):
1341         * ftl/FTLThunks.h:
1342         (JSC::FTL::Thunks::getSlowPathCallThunk):
1343         * jit/CCallHelpers.h:
1344         (JSC::CCallHelpers::setupArguments):
1345         * jit/GPRInfo.h:
1346         * jit/JITInlineCacheGenerator.cpp:
1347         (JSC::garbageStubInfo):
1348         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
1349         (JSC::JITByIdGenerator::finalize):
1350         * jit/JITInlineCacheGenerator.h:
1351         (JSC::JITByIdGenerator::slowPathBegin):
1352         * jit/RegisterSet.cpp:
1353         (JSC::RegisterSet::stackRegisters):
1354         (JSC::RegisterSet::specialRegisters):
1355         (JSC::RegisterSet::calleeSaveRegisters):
1356         (JSC::RegisterSet::allGPRs):
1357         (JSC::RegisterSet::allFPRs):
1358         (JSC::RegisterSet::allRegisters):
1359         (JSC::RegisterSet::dump):
1360         * jit/RegisterSet.h:
1361         (JSC::RegisterSet::exclude):
1362         (JSC::RegisterSet::numberOfSetRegisters):
1363         (JSC::RegisterSet::RegisterSet):
1364         (JSC::RegisterSet::isEmptyValue):
1365         (JSC::RegisterSet::isDeletedValue):
1366         (JSC::RegisterSet::operator==):
1367         (JSC::RegisterSet::hash):
1368         (JSC::RegisterSetHash::hash):
1369         (JSC::RegisterSetHash::equal):
1370         * runtime/Options.h:
1371
1372 2013-10-22  Filip Pizlo  <fpizlo@apple.com>
1373
1374         jitCompileAndSetHeuristics should DeferGCForAWhile
1375         https://bugs.webkit.org/show_bug.cgi?id=123196
1376
1377         Reviewed by Mark Hahnenberg.
1378         
1379         This fixes random crashes in V8v7/raytrace. I only see those crashes on exactly one of
1380         my machines. I don't think this is testable; we just need to steadily converge towards
1381         getting our uses of DeferGC to be right and then be careful not to regress. We're not
1382         there yet, obviously.
1383         
1384         * llint/LLIntSlowPaths.cpp:
1385         (JSC::LLInt::jitCompileAndSetHeuristics):
1386
1387 2013-10-23  Daniel Bates  <dabates@apple.com>
1388
1389         [iOS] Upstream more JavaScriptCore build configuration changes
1390         https://bugs.webkit.org/show_bug.cgi?id=123169
1391
1392         Reviewed by David Kilzer.
1393
1394         * Configurations/Base.xcconfig:
1395         * Configurations/Version.xcconfig:
1396         * Configurations/iOS.xcconfig: Added.
1397         * JavaScriptCore.xcodeproj/project.pbxproj:
1398
1399 2013-10-23  Daniel Bates  <dabates@apple.com>
1400
1401         [iOS] Export DefaultGCActivityCallback member functions
1402         https://bugs.webkit.org/show_bug.cgi?id=123175
1403
1404         Reviewed by David Kilzer.
1405
1406         * runtime/GCActivityCallback.h:
1407
1408 2013-10-23  Daniel Bates  <dabates@apple.com>
1409
1410         [iOS] Upstream more ARMv7s bits
1411         https://bugs.webkit.org/show_bug.cgi?id=123052
1412
1413         Reviewed by Joseph Pecoraro.
1414
1415         * Configurations/JavaScriptCore.xcconfig:
1416
1417 2013-10-22  Andreas Kling  <akling@apple.com>
1418
1419         Minor VM* -> VM& cleanups in HashTable and Keywords.
1420         <https://webkit.org/b/123183>
1421
1422         Turn some VM* variables that will never be null into VM&.
1423
1424         Reviewed by Geoffrey Garen.
1425
1426 2013-10-22  Geoffrey Garen  <ggaren@apple.com>
1427
1428         REGRESSION: `if (false === (true && undefined)) console.log("wrong!");` logs "wrong!", shouldn't!
1429         https://bugs.webkit.org/show_bug.cgi?id=123179
1430
1431         Reviewed by Mark Hahnenberg.
1432
1433         * parser/NodeConstructors.h:
1434         (JSC::LogicalOpNode::LogicalOpNode):
1435         * parser/ResultType.h:
1436         (JSC::ResultType::forLogicalOp): Don't assume that && produces a boolean.
1437         This is JavaScript (aka Sparta).
1438
1439 2013-10-22  Commit Queue  <commit-queue@webkit.org>
1440
1441         Unreviewed, rolling out r157819.
1442         http://trac.webkit.org/changeset/157819
1443         https://bugs.webkit.org/show_bug.cgi?id=123180
1444
1445         Broke 32-bit builds (Requested by smfr on #webkit).
1446
1447         * Configurations/JavaScriptCore.xcconfig:
1448         * Configurations/ToolExecutable.xcconfig:
1449
1450 2013-10-22  Daniel Bates  <dabates@apple.com>
1451
1452         [iOS] Upstream more ARMv7s bits
1453         https://bugs.webkit.org/show_bug.cgi?id=123052
1454
1455         Reviewed by Joseph Pecoraro.
1456
1457         * Configurations/JavaScriptCore.xcconfig:
1458         * Configurations/ToolExecutable.xcconfig: Enable CLANG_ENABLE_OBJC_ARC for i386 as I'm
1459         modifying a file in JavaScriptCore/Configurations.
1460
1461 2013-10-22  Daniel Bates  <dabates@apple.com>
1462
1463         [iOS] Upstream JSLock changes
1464         https://bugs.webkit.org/show_bug.cgi?id=123107
1465
1466         Reviewed by Geoffrey Garen.
1467
1468         * runtime/JSLock.cpp:
1469         (JSC::JSLock::unlock):
1470         (JSC::JSLock::dropAllLocks): Modified to take a SpinLock, used only on iOS.
1471         (JSC::JSLock::dropAllLocksUnconditionally): Modified to take a SpinLock, used only on iOS. Also
1472         use pre-increment instead of post-increment when we're not using the return value of the instruction.
1473         (JSC::JSLock::grabAllLocks): Modified to take a SpinLock, used only on iOS. Also change
1474         places where we were using post-increment/post-decrement to use pre-increment/pre-decrement,
1475         since we don't use the return value of such instructions.
1476         (JSC::JSLock::DropAllLocks::DropAllLocks): Modified to support releasing all locks unconditionally.
1477         Take a spin lock before releasing all locks on iOS. Also, use nullptr instead of 0.
1478         (JSC::JSLock::DropAllLocks::~DropAllLocks): Take a spin lock before acquiring all locks on iOS.
1479         * runtime/JSLock.h: Remove extraneous argument name "exec" from DropAllLocks as the data type of
1480         the argument is sufficiently descriptive of its purpose.
1481
1482 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1483
1484         [arm] Add missing setupArgumentsWithExecState() prototypes to fix build.
1485         https://bugs.webkit.org/show_bug.cgi?id=123166
1486
1487         Reviewed by Michael Saboff.
1488
1489         * jit/CCallHelpers.h:
1490         (JSC::CCallHelpers::setupArgumentsWithExecState):
1491
1492 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1493
1494         [sh4][mips][arm] Fix crashes in JSC (32-bit only).
1495         https://bugs.webkit.org/show_bug.cgi?id=123165
1496
1497         Reviewed by Michael Saboff.
1498
1499         * jit/JITInlines.h:
1500         (JSC::JIT::callOperationNoExceptionCheck): Add missing EABI_32BIT_DUMMY_ARG.
1501         (JSC::JIT::callOperation): The last TrustedImm32(arg3) is a bit overkill for SH4 :)
1502         (JSC::JIT::callOperation): Add missing EABI_32BIT_DUMMY_ARG.
1503         (JSC::JIT::callOperation): Fix tag and payload order for V_JITOperation_EJJJ prototype.
1504
1505 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1506
1507         REGRESSION(r157690, r157699) Fix architectures using AssemblerBufferWithConstantPool.
1508         https://bugs.webkit.org/show_bug.cgi?id=123092
1509
1510         Reviewed by Michael Saboff.
1511
1512         Impacted architectures are SH4 and ARM_TRADITIONAL.
1513
1514         * assembler/ARMAssembler.h:
1515         (JSC::ARMAssembler::buffer):
1516         * assembler/AssemblerBufferWithConstantPool.h:
1517         (JSC::AssemblerBufferWithConstantPool::flushConstantPool):
1518         * assembler/LinkBuffer.cpp:
1519         (JSC::LinkBuffer::linkCode):
1520         * assembler/SH4Assembler.h:
1521         (JSC::SH4Assembler::buffer):
1522
1523 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1524
1525         Remove unused stuff in JIT stubs.
1526         https://bugs.webkit.org/show_bug.cgi?id=123155
1527
1528         Reviewed by Michael Saboff.
1529
1530         * jit/JITStubs.h:
1531         * jit/JITStubsARM.h:
1532         (JSC::ctiTrampoline):
1533         * jit/JITStubsARM64.h:
1534         * jit/JITStubsARMv7.h:
1535         * jit/JITStubsMIPS.h:
1536         * jit/JITStubsSH4.h:
1537         * jit/JITStubsX86.h:
1538         * jit/JITStubsX86_64.h:
1539
1540 2013-10-22  Daniel Bates  <dabates@apple.com>
1541
1542         [iOS] Upstream OS-version-specific install paths for JavaScriptCore.framework
1543         https://bugs.webkit.org/show_bug.cgi?id=123115
1544         <rdar://problem/13696872>
1545
1546         Reviewed by Andy Estes.
1547
1548         Based on a patch by Mark Hahnenberg.
1549
1550         Add support for running JavaScriptCore-based apps, built against the iOS 7 SDK, on older versions of iOS.
1551
1552         * API/JSBase.cpp:
1553
1554 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1555
1556         [sh4] Add missing lastRegister(), firstFPRegister() and lastFPRegister().
1557         https://bugs.webkit.org/show_bug.cgi?id=123157
1558
1559         Reviewed by Andreas Kling.
1560
1561         * assembler/SH4Assembler.h:
1562         (JSC::SH4Assembler::lastRegister):
1563         (JSC::SH4Assembler::firstFPRegister):
1564         (JSC::SH4Assembler::lastFPRegister):
1565
1566 2013-10-22  Brian Holt  <brian.holt@samsung.com>
1567
1568         Build break on ARMv7 after r157209
1569         https://bugs.webkit.org/show_bug.cgi?id=122890
1570
1571         Reviewed by Csaba Osztrogonác.
1572
1573         Add framePointerRegister and first/last register helpers for ARM_TRADITIONAL.
1574
1575         * assembler/ARMAssembler.h:
1576         * assembler/MacroAssemblerARM.h:
1577         (JSC::MacroAssemblerARM::firstRegister):
1578         (JSC::MacroAssemblerARM::lastRegister):
1579         (JSC::MacroAssemblerARM::firstFPRegister):
1580         (JSC::MacroAssemblerARM::lastFPRegister):
1581
1582 2013-10-21  Daniel Bates  <dabates@apple.com>
1583
1584         [iOS] Upstream JSGlobalObject::shouldInterruptScriptBeforeTimeout()
1585         https://bugs.webkit.org/show_bug.cgi?id=123045
1586
1587         Reviewed by Joseph Pecoraro.
1588
1589         * jsc.cpp: Add function pointer for shouldInterruptScriptBeforeTimeout
1590         to global method table.
1591         * runtime/JSGlobalObject.cpp: Ditto.
1592         * runtime/JSGlobalObject.h:
1593         (JSC::JSGlobalObject::shouldInterruptScriptBeforeTimeout): Added.
1594
1595 2013-10-21  Daniel Bates  <dabates@apple.com>
1596
1597         [iOS] Upstream JSC Objective-C API compiler warning fixes
1598         https://bugs.webkit.org/show_bug.cgi?id=123125
1599
1600         Reviewed by Mark Hahnenberg.
1601
1602         Based on a patch by Mark Hahnenberg.
1603
1604         * API/JSValue.mm:
1605         (-[JSValue toPoint]): Cast to CGFloat to fix some compiler warnings about double narrowing to float.
1606         (-[JSValue toSize]): Ditto.
1607         * API/tests/testapi.mm: Changed a test that was failing due to overflow of 32-bit NSUInteger on armv7.
1608
1609 2013-10-21  Daniel Bates  <dabates@apple.com>
1610
1611         [iOS] Mark classes JS{Context, ManagedValue, Value, VirtualMachine} as
1612         available since iOS 7.0
1613         https://bugs.webkit.org/show_bug.cgi?id=123122
1614
1615         Reviewed by Dan Bernstein.
1616
1617         * API/JSContext.h:
1618         * API/JSManagedValue.h:
1619         * API/JSValue.h:
1620         * API/JSVirtualMachine.h:
1621
1622 2013-10-20  Mark Lam  <mark.lam@apple.com>
1623
1624         Avoid JSC debugger overhead unless needed.
1625         https://bugs.webkit.org/show_bug.cgi?id=123084.
1626
1627         Reviewed by Geoffrey Garen.
1628
1629         - If no breakpoints are set, we now avoid calling the debug hook callbacks.
1630         - If no break on exception is set, we also avoid exception event debug callbacks.
1631         - When we return from the ScriptDebugServer to the JSC::Debugger, we may no
1632           longer call the debug hook callbacks if not needed. Hence, the m_currentCallFrame
1633           pointer in the ScriptDebugServer may become stale. To avoid this issue, before
1634           returning, the ScriptDebugServer will clear its m_currentCallFrame if
1635           needsOpDebugCallbacks() is false.
1636
1637         * debugger/Debugger.cpp:
1638         (JSC::Debugger::Debugger):
1639         (JSC::Debugger::setNeedsExceptionCallbacks):
1640         (JSC::Debugger::setShouldPause):
1641         (JSC::Debugger::updateNumberOfBreakpoints):
1642         (JSC::Debugger::updateNeedForOpDebugCallbacks):
1643         * debugger/Debugger.h:
1644         * interpreter/Interpreter.cpp:
1645         (JSC::Interpreter::unwind):
1646         (JSC::Interpreter::debug):
1647         * jit/JITOpcodes.cpp:
1648         (JSC::JIT::emit_op_debug):
1649         * jit/JITOpcodes32_64.cpp:
1650         (JSC::JIT::emit_op_debug):
1651         * llint/LLIntOffsetsExtractor.cpp:
1652         * llint/LowLevelInterpreter.asm:
1653
1654 2013-10-21  Brent Fulgham  <bfulgham@apple.com>
1655
1656         [WIN] Unreviewed build correction.
1657
1658         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Handle new JIT files as C++ implementation
1659           sources, not header files.
1660         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
1661
1662 2013-10-21  Oliver Hunt  <oliver@apple.com>
1663
1664         Support computed property names in object literals
1665         https://bugs.webkit.org/show_bug.cgi?id=123112
1666
1667         Reviewed by Michael Saboff.
1668
1669         Add support for computed property names to the parser.
1670
1671         * bytecompiler/NodesCodegen.cpp:
1672         (JSC::PropertyListNode::emitBytecode):
1673         * parser/ASTBuilder.h:
1674         (JSC::ASTBuilder::createProperty):
1675         (JSC::ASTBuilder::getName):
1676         * parser/NodeConstructors.h:
1677         (JSC::PropertyNode::PropertyNode):
1678         * parser/Nodes.h:
1679         (JSC::PropertyNode::expressionName):
1680         (JSC::PropertyNode::name):
1681         * parser/Parser.cpp:
1682         (JSC::::parseProperty):
1683         (JSC::::parseStrictObjectLiteral):
1684         * parser/SyntaxChecker.h:
1685         (JSC::SyntaxChecker::Property::Property):
1686         (JSC::SyntaxChecker::createProperty):
1687         (JSC::SyntaxChecker::operatorStackPop):
1688
1689 2013-10-21  Michael Saboff  <msaboff@apple.com>
1690
1691         Add option so that JSC will crash if it can't allocate executable memory for the JITs
1692         https://bugs.webkit.org/show_bug.cgi?id=123048
1693         <rdar://problem/12856193>
1694
1695         Reviewed by Geoffrey Garen.
1696
1697         Added new option, called crashIfCantAllocateJITMemory. If this option is true then we crash
1698         when checking the validity of the executable allocator. The default value for this option is
1699         false, but jsc sets it to true when built for iOS to make it straightforward to identify whether
1700         the app can obtain executable memory.
1701
1702         * jsc.cpp: Explicitly enable crashIfCantAllocateJITMemory on iOS.
1703         (main):
1704         * runtime/Options.h: Added option crashIfCantAllocateJITMemory.
1705         * runtime/VM.cpp:
1706         (JSC::enableAssembler): Modified to crash if option crashIfCantAllocateJITMemory
1707         is enabled.
1708
1709 2013-10-21  Nadav Rotem  <nrotem@apple.com>
1710
1711         Remove AllInOneFile.cpp
1712         https://bugs.webkit.org/show_bug.cgi?id=123055
1713
1714         Reviewed by Csaba Osztrogonác.
1715
1716         * AllInOneFile.cpp: Removed.
1717
1718 2013-10-20  Filip Pizlo  <fpizlo@apple.com>
1719
1720         Unreviewed, cleanup a FIXME comment.
1721
1722         * jit/Repatch.cpp:
1723
1724 2013-10-20  Filip Pizlo  <fpizlo@apple.com>
1725
1726         StructureStubInfo's usedRegisters set should be able to track all registers, not just the ones that our JITs view as temporaries
1727         https://bugs.webkit.org/show_bug.cgi?id=123076
1728
1729         Reviewed by Sam Weinig.
1730         
1731         Start preparing for a world in which we are patching code generated by LLVM, which may have
1732         very different register usage conventions than our JITs. This requires us being more explicit
1733         about the registers we are using. For example, the repatching code shouldn't take for granted
1734         that tagMaskRegister holds the TagMask or that the register is even in use.
1735
1736         * CMakeLists.txt:
1737         * GNUmakefile.list.am:
1738         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1739         * JavaScriptCore.xcodeproj/project.pbxproj:
1740         * assembler/MacroAssembler.h:
1741         (JSC::MacroAssembler::numberOfRegisters):
1742         (JSC::MacroAssembler::registerIndex):
1743         (JSC::MacroAssembler::numberOfFPRegisters):
1744         (JSC::MacroAssembler::fpRegisterIndex):
1745         (JSC::MacroAssembler::totalNumberOfRegisters):
1746         * bytecode/StructureStubInfo.h:
1747         * dfg/DFGSpeculativeJIT.cpp:
1748         (JSC::DFG::SpeculativeJIT::usedRegisters):
1749         * dfg/DFGSpeculativeJIT.h:
1750         * ftl/FTLSaveRestore.cpp:
1751         (JSC::FTL::bytesForGPRs):
1752         (JSC::FTL::bytesForFPRs):
1753         (JSC::FTL::offsetOfGPR):
1754         (JSC::FTL::offsetOfFPR):
1755         * jit/JITInlineCacheGenerator.cpp:
1756         (JSC::JITByIdGenerator::JITByIdGenerator):
1757         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1758         * jit/JITInlineCacheGenerator.h:
1759         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1760         * jit/JITPropertyAccess.cpp:
1761         (JSC::JIT::emit_op_get_by_id):
1762         (JSC::JIT::emit_op_put_by_id):
1763         * jit/JITPropertyAccess32_64.cpp:
1764         (JSC::JIT::emit_op_get_by_id):
1765         (JSC::JIT::emit_op_put_by_id):
1766         * jit/RegisterSet.cpp: Added.
1767         (JSC::RegisterSet::specialRegisters):
1768         * jit/RegisterSet.h: Added.
1769         (JSC::RegisterSet::RegisterSet):
1770         (JSC::RegisterSet::set):
1771         (JSC::RegisterSet::clear):
1772         (JSC::RegisterSet::get):
1773         (JSC::RegisterSet::merge):
1774         * jit/Repatch.cpp:
1775         (JSC::generateProtoChainAccessStub):
1776         (JSC::tryCacheGetByID):
1777         (JSC::tryBuildGetByIDList):
1778         (JSC::emitPutReplaceStub):
1779         (JSC::tryRepatchIn):
1780         (JSC::linkClosureCall):
1781         * jit/TempRegisterSet.cpp: Added.
1782         (JSC::TempRegisterSet::TempRegisterSet):
1783         * jit/TempRegisterSet.h:
1784
1785 2013-10-20  Julien Brianceau  <jbriance@cisco.com>
1786
1787         [sh4] Fix build (broken since r157690).
1788         https://bugs.webkit.org/show_bug.cgi?id=123081
1789
1790         Reviewed by Andreas Kling.
1791
1792         * assembler/AssemblerBufferWithConstantPool.h:
1793         * assembler/SH4Assembler.h:
1794         (JSC::SH4Assembler::buffer):
1795         (JSC::SH4Assembler::readCallTarget):
1796
1797 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
1798
1799         Simplify TempRegisterSet - it no longer needs to be convertible to a POD since it's no longer going to be a member of a union
1800         https://bugs.webkit.org/show_bug.cgi?id=123079
1801
1802         Reviewed by Geoffrey Garen.
1803
1804         * jit/TempRegisterSet.h:
1805
1806 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
1807
1808         Rename RegisterSet to TempRegisterSet
1809         https://bugs.webkit.org/show_bug.cgi?id=123077
1810
1811         Reviewed by Dan Bernstein.
1812
1813         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1814         * JavaScriptCore.xcodeproj/project.pbxproj:
1815         * bytecode/StructureStubInfo.h:
1816         * dfg/DFGJITCompiler.h:
1817         * dfg/DFGSpeculativeJIT.h:
1818         (JSC::DFG::SpeculativeJIT::usedRegisters):
1819         * jit/JITInlineCacheGenerator.cpp:
1820         (JSC::JITByIdGenerator::JITByIdGenerator):
1821         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1822         * jit/JITInlineCacheGenerator.h:
1823         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1824         * jit/JITPropertyAccess.cpp:
1825         (JSC::JIT::emit_op_get_by_id):
1826         (JSC::JIT::emit_op_put_by_id):
1827         * jit/JITPropertyAccess32_64.cpp:
1828         (JSC::JIT::emit_op_get_by_id):
1829         (JSC::JIT::emit_op_put_by_id):
1830         * jit/RegisterSet.h: Removed.
1831         * jit/ScratchRegisterAllocator.h:
1832         (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
1833         * jit/TempRegisterSet.h: Copied from Source/JavaScriptCore/jit/RegisterSet.h.
1834         (JSC::TempRegisterSet::TempRegisterSet):
1835         (JSC::TempRegisterSet::asPOD):
1836         (JSC::TempRegisterSet::copyInfo):
1837
1838 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
1839
1840         Restructure LinkBuffer to allow for alternate allocation strategies
1841         https://bugs.webkit.org/show_bug.cgi?id=123071
1842
1843         Reviewed by Oliver Hunt.
1844         
1845         The idea is to eventually allow a LinkBuffer to place the code into an already
1846         allocated region of memory.  That region of memory could be the nop-slide left behind
1847         by a llvm.webkit.patchpoint.
1848
1849         * assembler/ARM64Assembler.h:
1850         (JSC::ARM64Assembler::buffer):
1851         * assembler/AssemblerBuffer.h:
1852         * assembler/LinkBuffer.cpp:
1853         (JSC::LinkBuffer::copyCompactAndLinkCode):
1854         (JSC::LinkBuffer::linkCode):
1855         (JSC::LinkBuffer::allocate):
1856         (JSC::LinkBuffer::shrink):
1857         * assembler/LinkBuffer.h:
1858         (JSC::LinkBuffer::LinkBuffer):
1859         (JSC::LinkBuffer::didFailToAllocate):
1860         * assembler/X86Assembler.h:
1861         (JSC::X86Assembler::buffer):
1862         (JSC::X86Assembler::X86InstructionFormatter::memoryModRM):
1863
1864 2013-10-19  Alexey Proskuryakov  <ap@apple.com>
1865
1866         Some includes in JSC seem to use an incorrect style
1867         https://bugs.webkit.org/show_bug.cgi?id=123057
1868
1869         Reviewed by Geoffrey Garen.
1870
1871         Changed pseudo-system includes to user ones.
1872
1873         * API/JSContextRef.cpp:
1874         * API/JSStringRefCF.cpp:
1875         * API/JSValueRef.cpp:
1876         * API/OpaqueJSString.cpp:
1877         * jit/JIT.h:
1878         * parser/SyntaxChecker.h:
1879         * runtime/WeakGCMap.h:
1880
1881 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
1882
1883         Baseline JIT and DFG IC code generation should be unified and rationalized
1884         https://bugs.webkit.org/show_bug.cgi?id=122939
1885
1886         Reviewed by Geoffrey Garen.
1887         
1888         Introduce the JITInlineCacheGenerator, which takes a CodeBlock and a CodeOrigin plus
1889         some register info and creates JIT inline caches for you. Used this to even further
1890         unify the baseline and DFG ICs. In the future we can use this for FTL ICs. And my hope
1891         is that we'll be able to use it for cascading ICs: an IC for some instruction may realize
1892         that it needs to do the equivalent of get_by_id, so with this generator it will be able
1893         to create an IC even though it wasn't associated with a get_by_id bytecode instruction.
1894
1895         * CMakeLists.txt:
1896         * GNUmakefile.list.am:
1897         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1898         * JavaScriptCore.xcodeproj/project.pbxproj:
1899         * assembler/AbstractMacroAssembler.h:
1900         (JSC::AbstractMacroAssembler::DataLabelCompact::label):
1901         * bytecode/CodeBlock.h:
1902         (JSC::CodeBlock::ecmaMode):
1903         * dfg/DFGInlineCacheWrapper.h: Added.
1904         (JSC::DFG::InlineCacheWrapper::InlineCacheWrapper):
1905         * dfg/DFGInlineCacheWrapperInlines.h: Added.
1906         (JSC::DFG::::finalize):
1907         * dfg/DFGJITCompiler.cpp:
1908         (JSC::DFG::JITCompiler::link):
1909         * dfg/DFGJITCompiler.h:
1910         (JSC::DFG::JITCompiler::addGetById):
1911         (JSC::DFG::JITCompiler::addPutById):
1912         * dfg/DFGSpeculativeJIT32_64.cpp:
1913         (JSC::DFG::SpeculativeJIT::cachedGetById):
1914         (JSC::DFG::SpeculativeJIT::cachedPutById):
1915         * dfg/DFGSpeculativeJIT64.cpp:
1916         (JSC::DFG::SpeculativeJIT::cachedGetById):
1917         (JSC::DFG::SpeculativeJIT::cachedPutById):
1918         (JSC::DFG::SpeculativeJIT::compile):
1919         * jit/AssemblyHelpers.h:
1920         (JSC::AssemblyHelpers::isStrictModeFor):
1921         (JSC::AssemblyHelpers::strictModeFor):
1922         * jit/GPRInfo.h:
1923         (JSC::JSValueRegs::tagGPR):
1924         * jit/JIT.cpp:
1925         (JSC::JIT::JIT):
1926         (JSC::JIT::privateCompileSlowCases):
1927         (JSC::JIT::privateCompile):
1928         * jit/JIT.h:
1929         * jit/JITInlineCacheGenerator.cpp: Added.
1930         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
1931         (JSC::JITByIdGenerator::JITByIdGenerator):
1932         (JSC::JITByIdGenerator::finalize):
1933         (JSC::JITByIdGenerator::generateFastPathChecks):
1934         (JSC::JITGetByIdGenerator::generateFastPath):
1935         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1936         (JSC::JITPutByIdGenerator::generateFastPath):
1937         (JSC::JITPutByIdGenerator::slowPathFunction):
1938         * jit/JITInlineCacheGenerator.h: Added.
1939         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
1940         (JSC::JITInlineCacheGenerator::stubInfo):
1941         (JSC::JITByIdGenerator::JITByIdGenerator):
1942         (JSC::JITByIdGenerator::reportSlowPathCall):
1943         (JSC::JITByIdGenerator::slowPathJump):
1944         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1945         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1946         * jit/JITPropertyAccess.cpp:
1947         (JSC::JIT::emit_op_get_by_id):
1948         (JSC::JIT::emitSlow_op_get_by_id):
1949         (JSC::JIT::emit_op_put_by_id):
1950         (JSC::JIT::emitSlow_op_put_by_id):
1951         * jit/JITPropertyAccess32_64.cpp:
1952         (JSC::JIT::emit_op_get_by_id):
1953         (JSC::JIT::emitSlow_op_get_by_id):
1954         (JSC::JIT::emit_op_put_by_id):
1955         (JSC::JIT::emitSlow_op_put_by_id):
1956         * jit/RegisterSet.h:
1957         (JSC::RegisterSet::set):
1958
1959 2013-10-19  Alexey Proskuryakov  <ap@apple.com>
1960
1961         APICast.h uses functions from JSCJSValueInlines.h, but doesn't include it
1962         https://bugs.webkit.org/show_bug.cgi?id=123067
1963
1964         Reviewed by Geoffrey Garen.
1965
1966         * API/APICast.h: Include it.
1967
1968 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
1969
1970         FTL::Location should treat the offset as an addend in the case of a Register location
1971         https://bugs.webkit.org/show_bug.cgi?id=123062
1972
1973         Reviewed by Sam Weinig.
1974
1975         * ftl/FTLLocation.cpp:
1976         (JSC::FTL::Location::forStackmaps):
1977         (JSC::FTL::Location::dump):
1978         (JSC::FTL::Location::restoreInto):
1979         * ftl/FTLLocation.h:
1980         (JSC::FTL::Location::forRegister):
1981         (JSC::FTL::Location::hasAddend):
1982         (JSC::FTL::Location::addend):
1983
1984 2013-10-19  Nadav Rotem  <nrotem@apple.com>
1985
1986         DFG dominators: document and rename stuff.
1987         https://bugs.webkit.org/show_bug.cgi?id=123056
1988
1989         Reviewed by Filip Pizlo.
1990
1991         Documented the code and renamed some variables.
1992
1993         * dfg/DFGDominators.cpp:
1994         (JSC::DFG::Dominators::compute):
1995         (JSC::DFG::Dominators::pruneDominators):
1996         * dfg/DFGDominators.h:
1997
1998 2013-10-19  Julien Brianceau  <jbriance@cisco.com>
1999
2000         Fix build failure for architectures with 4 argument registers.
2001         https://bugs.webkit.org/show_bug.cgi?id=123060
2002
2003         Reviewed by Michael Saboff.
2004
2005         Add missing setupArgumentsWithExecState() prototypes for architecture with 4 argument registers.
2006         Remove SH4 specific code no longer needed since callOperation prototype change in r157660.
2007
2008         * dfg/DFGSpeculativeJIT.h:
2009         (JSC::DFG::SpeculativeJIT::callOperation):
2010         * jit/CCallHelpers.h:
2011         (JSC::CCallHelpers::setupArgumentsWithExecState):
2012         * jit/JITInlines.h:
2013         (JSC::JIT::callOperation):
2014
2015 2013-10-18  Filip Pizlo  <fpizlo@apple.com>
2016
2017         Unreviewed, fix FTL build.
2018
2019         * ftl/FTLIntrinsicRepository.h:
2020         * ftl/FTLLowerDFGToLLVM.cpp:
2021         (JSC::FTL::LowerDFGToLLVM::compileGetById):
2022
2023 2013-10-18  Filip Pizlo  <fpizlo@apple.com>
2024
2025         A CodeBlock's StructureStubInfos shouldn't be in a Vector that we search using code origins and machine code PCs
2026         https://bugs.webkit.org/show_bug.cgi?id=122940
2027
2028         Reviewed by Oliver Hunt.
2029         
2030         This accomplishes a number of simplifications. StructureStubInfo is now non-moving,
2031         whereas previously it was in a Vector, so it moved. This allows you to use pointers to
2032         StructureStubInfo. This also eliminates the use of return PC as a way of finding the
2033         StructureStubInfo's. It removes some of the need for the compile-time property access
2034         records; for example the DFG no longer has to save information about registers in a
2035         property access record only to later save it to the stub info.
2036         
2037         The main thing it accomplishes is that it makes it easier to add StructureStubInfo's
2038         at any stage of compilation.
2039
2040         * bytecode/CodeBlock.cpp:
2041         (JSC::CodeBlock::printGetByIdCacheStatus):
2042         (JSC::CodeBlock::dumpBytecode):
2043         (JSC::CodeBlock::~CodeBlock):
2044         (JSC::CodeBlock::propagateTransitions):
2045         (JSC::CodeBlock::finalizeUnconditionally):
2046         (JSC::CodeBlock::addStubInfo):
2047         (JSC::CodeBlock::getStubInfoMap):
2048         (JSC::CodeBlock::shrinkToFit):
2049         * bytecode/CodeBlock.h:
2050         (JSC::CodeBlock::begin):
2051         (JSC::CodeBlock::end):
2052         (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
2053         * bytecode/CodeOrigin.h:
2054         (JSC::CodeOrigin::CodeOrigin):
2055         (JSC::CodeOrigin::isHashTableDeletedValue):
2056         (JSC::CodeOrigin::hash):
2057         (JSC::CodeOriginHash::hash):
2058         (JSC::CodeOriginHash::equal):
2059         * bytecode/GetByIdStatus.cpp:
2060         (JSC::GetByIdStatus::computeFor):
2061         * bytecode/GetByIdStatus.h:
2062         * bytecode/PutByIdStatus.cpp:
2063         (JSC::PutByIdStatus::computeFor):
2064         * bytecode/PutByIdStatus.h:
2065         * bytecode/StructureStubInfo.h:
2066         (JSC::getStructureStubInfoCodeOrigin):
2067         * dfg/DFGByteCodeParser.cpp:
2068         (JSC::DFG::ByteCodeParser::parseBlock):
2069         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2070         * dfg/DFGJITCompiler.cpp:
2071         (JSC::DFG::JITCompiler::link):
2072         * dfg/DFGJITCompiler.h:
2073         (JSC::DFG::PropertyAccessRecord::PropertyAccessRecord):
2074         (JSC::DFG::InRecord::InRecord):
2075         * dfg/DFGSpeculativeJIT.cpp:
2076         (JSC::DFG::SpeculativeJIT::compileIn):
2077         * dfg/DFGSpeculativeJIT.h:
2078         (JSC::DFG::SpeculativeJIT::callOperation):
2079         * dfg/DFGSpeculativeJIT32_64.cpp:
2080         (JSC::DFG::SpeculativeJIT::cachedGetById):
2081         (JSC::DFG::SpeculativeJIT::cachedPutById):
2082         * dfg/DFGSpeculativeJIT64.cpp:
2083         (JSC::DFG::SpeculativeJIT::cachedGetById):
2084         (JSC::DFG::SpeculativeJIT::cachedPutById):
2085         * jit/CCallHelpers.h:
2086         (JSC::CCallHelpers::setupArgumentsWithExecState):
2087         * jit/JIT.cpp:
2088         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
2089         (JSC::JIT::privateCompile):
2090         * jit/JIT.h:
2091         (JSC::PropertyStubCompilationInfo::slowCaseInfo):
2092         * jit/JITInlines.h:
2093         (JSC::JIT::callOperation):
2094         * jit/JITOperations.cpp:
2095         * jit/JITOperations.h:
2096         * jit/JITPropertyAccess.cpp:
2097         (JSC::JIT::emitSlow_op_get_by_id):
2098         (JSC::JIT::emitSlow_op_put_by_id):
2099         * jit/JITPropertyAccess32_64.cpp:
2100         (JSC::JIT::emitSlow_op_get_by_id):
2101         (JSC::JIT::emitSlow_op_put_by_id):
2102         * jit/Repatch.cpp:
2103         (JSC::appropriateGenericPutByIdFunction):
2104         (JSC::appropriateListBuildingPutByIdFunction):
2105         (JSC::resetPutByID):
2106
2107 2013-10-18  Oliver Hunt  <oliver@apple.com>
2108
2109         Spread operator should be performing direct "puts" and not triggering setters
2110         https://bugs.webkit.org/show_bug.cgi?id=123047
2111
2112         Reviewed by Geoffrey Garen.
2113
2114         Add a new opcode -- op_put_by_val_direct -- and make use of it in the spread
2115         to array construct.  This required a new PutByValDirect node to be introduced to
2116         the DFG.  The current implementation simply changes the slow path function that
2117         is called, but in future this could be made faster as it does not need to check
2118         the prototype chain.
2119
2120         * bytecode/CodeBlock.cpp:
2121         (JSC::CodeBlock::dumpBytecode):
2122         (JSC::CodeBlock::CodeBlock):
2123         * bytecode/Opcode.h:
2124         (JSC::padOpcodeName):
2125         * bytecompiler/BytecodeGenerator.cpp:
2126         (JSC::BytecodeGenerator::emitDirectPutByVal):
2127         * bytecompiler/BytecodeGenerator.h:
2128         * bytecompiler/NodesCodegen.cpp:
2129         (JSC::ArrayNode::emitBytecode):
2130         * dfg/DFGAbstractInterpreterInlines.h:
2131         (JSC::DFG::::executeEffects):
2132         * dfg/DFGBackwardsPropagationPhase.cpp:
2133         (JSC::DFG::BackwardsPropagationPhase::propagate):
2134         * dfg/DFGByteCodeParser.cpp:
2135         (JSC::DFG::ByteCodeParser::parseBlock):
2136         * dfg/DFGCSEPhase.cpp:
2137         (JSC::DFG::CSEPhase::getArrayLengthElimination):
2138         (JSC::DFG::CSEPhase::getByValLoadElimination):
2139         (JSC::DFG::CSEPhase::checkStructureElimination):
2140         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
2141         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
2142         (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
2143         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
2144         (JSC::DFG::CSEPhase::performNodeCSE):
2145         * dfg/DFGCapabilities.cpp:
2146         (JSC::DFG::capabilityLevel):
2147         * dfg/DFGClobberize.h:
2148         (JSC::DFG::clobberize):
2149         * dfg/DFGFixupPhase.cpp:
2150         (JSC::DFG::FixupPhase::fixupNode):
2151         * dfg/DFGGraph.h:
2152         (JSC::DFG::Graph::clobbersWorld):
2153         * dfg/DFGNode.h:
2154         (JSC::DFG::Node::hasArrayMode):
2155         * dfg/DFGNodeType.h:
2156         * dfg/DFGOperations.cpp:
2157         (JSC::DFG::putByVal):
2158         (JSC::DFG::operationPutByValInternal):
2159         * dfg/DFGOperations.h:
2160         * dfg/DFGPredictionPropagationPhase.cpp:
2161         (JSC::DFG::PredictionPropagationPhase::propagate):
2162         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
2163         * dfg/DFGSafeToExecute.h:
2164         (JSC::DFG::safeToExecute):
2165         * dfg/DFGSpeculativeJIT32_64.cpp:
2166         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
2167         (JSC::DFG::SpeculativeJIT::compile):
2168         * dfg/DFGSpeculativeJIT64.cpp:
2169         (JSC::DFG::SpeculativeJIT::compile):
2170         * dfg/DFGTypeCheckHoistingPhase.cpp:
2171         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2172         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
2173         * jit/JIT.cpp:
2174         (JSC::JIT::privateCompileMainPass):
2175         (JSC::JIT::privateCompileSlowCases):
2176         * jit/JIT.h:
2177         (JSC::JIT::compileDirectPutByVal):
2178         * jit/JITOperations.cpp:
2179         * jit/JITOperations.h:
2180         * jit/JITPropertyAccess.cpp:
2181         (JSC::JIT::emitSlow_op_put_by_val):
2182         (JSC::JIT::privateCompilePutByVal):
2183         * jit/JITPropertyAccess32_64.cpp:
2184         (JSC::JIT::emitSlow_op_put_by_val):
2185         * llint/LLIntSlowPaths.cpp:
2186         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2187         * llint/LLIntSlowPaths.h:
2188         * llint/LowLevelInterpreter32_64.asm:
2189         * llint/LowLevelInterpreter64.asm:
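The setter-bypass behaviour this entry describes, as an added JavaScript example that is not part of the WebKit change: an accessor installed on Array.prototype for index "0" is reached by an ordinary indexed store, but not by spread into an array literal, which defines its elements directly. It assumes an engine with ES6 array-literal spread semantics (for example a current Node.js).

```javascript
// Added example, not code from the WebKit change. Assumes an engine with
// ES6 array-literal spread semantics (tested against current Node.js).
//
// An array-literal spread must define its elements directly on the new
// array. If it went through an ordinary [[Set]] instead, a setter placed
// on Array.prototype for an index would run for every spread element.
function spreadVsIndexedAssignment() {
  let setterCalls = 0;
  let lastValueSeen;

  // Install a configurable accessor for index "0" on Array.prototype.
  // Defining an index on an Array also bumps its length, so the finally
  // block restores both the property and Array.prototype.length.
  Object.defineProperty(Array.prototype, '0', {
    configurable: true,
    get() { return undefined; },
    set(v) { setterCalls += 1; lastValueSeen = v; },
  });

  try {
    // Ordinary indexed store on an empty array: the array has no own "0",
    // so [[Set]] walks to Array.prototype and invokes the inherited setter.
    // Nothing is stored on the array itself and its length stays 0.
    const viaAssignment = [];
    viaAssignment[0] = 'a';
    const assignment = {
      setterCalls,
      length: viaAssignment.length,
      hasOwnZero: Object.prototype.hasOwnProperty.call(viaAssignment, '0'),
    };

    // Spread into an array literal: each element is defined directly on the
    // result (a "direct put"), so the inherited setter is never consulted.
    const source = ['x', 'y'];
    const viaSpread = [...source];
    const spread = {
      setterCalls,                  // unchanged by the spread
      length: viaSpread.length,
      hasOwnZero: Object.prototype.hasOwnProperty.call(viaSpread, '0'),
      first: viaSpread[0],
      lastValueSeen,
    };

    return { assignment, spread };
  } finally {
    // Always undo the prototype change, even if something above throws.
    delete Array.prototype[0];
    Array.prototype.length = 0;
  }
}
```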
2190
2191 2013-10-18  Daniel Bates  <dabates@apple.com>
2192
2193         [iOS] Export symbol for VM::sharedInstanceExists()
2194         https://bugs.webkit.org/show_bug.cgi?id=123046
2195
2196         Reviewed by Mark Hahnenberg.
2197
2198         * runtime/VM.h:
2199
2200 2013-10-18  Daniel Bates  <dabates@apple.com>
2201
2202         [iOS] Upstream WebSafe{GCActivityCallback, IncrementalSweeper}IOS
2203         https://bugs.webkit.org/show_bug.cgi?id=123049
2204
2205         Reviewed by Mark Hahnenberg.
2206
2207         * heap/Heap.cpp:
2208         (JSC::Heap::setIncrementalSweeper):
2209         * heap/Heap.h:
2210         * heap/HeapTimer.h:
2211         * heap/IncrementalSweeper.h: Make protected and export CF-variant of constructor.
2212         Removed unused include of header RetainPtr.h. Also forward declare class MarkedBlock
2213         (we include its header in the .cpp file) and remove include for header wtf/HashSet.h
2214         (duplicates the include in the .cpp).
2215         * heap/MachineStackMarker.h: Export function makeUsableFromMultipleThreads(). We aren't
2216         making use of this now, but we'll make use of it in a subsequent patch.
2217
2218 2013-10-18  Anders Carlsson  <andersca@apple.com>
2219
2220         Remove spaces between template angle brackets
2221         https://bugs.webkit.org/show_bug.cgi?id=123040
2222
2223         Reviewed by Andreas Kling.
2224
2225         * API/JSCallbackObject.cpp:
2226         (JSC::::create):
2227         * API/JSObjectRef.cpp:
2228         * bytecode/CodeBlock.h:
2229         (JSC::CodeBlock::constants):
2230         (JSC::CodeBlock::setConstantRegisters):
2231         * bytecode/DFGExitProfile.h:
2232         * bytecode/EvalCodeCache.h:
2233         * bytecode/Operands.h:
2234         * bytecode/UnlinkedCodeBlock.h:
2235         (JSC::UnlinkedCodeBlock::constantRegisters):
2236         * bytecode/Watchpoint.h:
2237         * bytecompiler/BytecodeGenerator.h:
2238         * bytecompiler/StaticPropertyAnalysis.h:
2239         * bytecompiler/StaticPropertyAnalyzer.h:
2240         * dfg/DFGArgumentsSimplificationPhase.cpp:
2241         * dfg/DFGBlockInsertionSet.h:
2242         * dfg/DFGCSEPhase.cpp:
2243         (JSC::DFG::performCSE):
2244         (JSC::DFG::performStoreElimination):
2245         * dfg/DFGCommonData.h:
2246         * dfg/DFGDesiredStructureChains.h:
2247         * dfg/DFGDesiredWatchpoints.h:
2248         * dfg/DFGJITCompiler.h:
2249         * dfg/DFGOSRExitCompiler32_64.cpp:
2250         (JSC::DFG::OSRExitCompiler::compileExit):
2251         * dfg/DFGOSRExitCompiler64.cpp:
2252         (JSC::DFG::OSRExitCompiler::compileExit):
2253         * dfg/DFGWorklist.h:
2254         * heap/BlockAllocator.h:
2255         (JSC::CopiedBlock):
2256         (JSC::MarkedBlock):
2257         (JSC::WeakBlock):
2258         (JSC::MarkStackSegment):
2259         (JSC::CopyWorkListSegment):
2260         (JSC::HandleBlock):
2261         * heap/Heap.h:
2262         * heap/Local.h:
2263         * heap/MarkedBlock.h:
2264         * heap/Strong.h:
2265         * jit/AssemblyHelpers.cpp:
2266         (JSC::AssemblyHelpers::decodedCodeMapFor):
2267         * jit/AssemblyHelpers.h:
2268         * jit/SpecializedThunkJIT.h:
2269         * parser/Nodes.h:
2270         * parser/Parser.cpp:
2271         (JSC::::parseIfStatement):
2272         * parser/Parser.h:
2273         (JSC::Scope::copyCapturedVariablesToVector):
2274         (JSC::parse):
2275         * parser/ParserArena.h:
2276         * parser/SourceProviderCacheItem.h:
2277         * profiler/LegacyProfiler.cpp:
2278         (JSC::dispatchFunctionToProfiles):
2279         * profiler/LegacyProfiler.h:
2280         (JSC::LegacyProfiler::currentProfiles):
2281         * profiler/ProfileNode.h:
2282         (JSC::ProfileNode::children):
2283         * profiler/ProfilerDatabase.h:
2284         * runtime/Butterfly.h:
2285         (JSC::Butterfly::contiguousInt32):
2286         (JSC::Butterfly::contiguous):
2287         * runtime/GenericTypedArrayViewInlines.h:
2288         (JSC::::create):
2289         * runtime/Identifier.h:
2290         (JSC::Identifier::add):
2291         * runtime/JSPromise.h:
2292         * runtime/PropertyMapHashTable.h:
2293         * runtime/PropertyNameArray.h:
2294         * runtime/RegExpCache.h:
2295         * runtime/SparseArrayValueMap.h:
2296         * runtime/SymbolTable.h:
2297         * runtime/VM.h:
2298         * tools/CodeProfile.cpp:
2299         (JSC::truncateTrace):
2300         * tools/CodeProfile.h:
2301         * yarr/YarrInterpreter.cpp:
2302         * yarr/YarrInterpreter.h:
2303         (JSC::Yarr::BytecodePattern::BytecodePattern):
2304         * yarr/YarrJIT.cpp:
2305         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
2306         (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
2307         (JSC::Yarr::YarrGenerator::opCompileBody):
2308         * yarr/YarrPattern.cpp:
2309         (JSC::Yarr::YarrPatternConstructor::checkForTerminalParentheses):
2310         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
2311         * yarr/YarrPattern.h:
2312
2313 2013-10-18  Mark Lam  <mark.lam@apple.com>
2314
2315         Remove excess reserved space in ctiTrampoline frames for X86 and X86_64.
2316         https://bugs.webkit.org/show_bug.cgi?id=123037.
2317
2318         Reviewed by Geoffrey Garen.
2319
2320         * jit/JITStubsMSVC64.asm:
2321         * jit/JITStubsX86.h:
2322         * jit/JITStubsX86_64.h:
2323
2324 2013-10-18  Filip Pizlo  <fpizlo@apple.com>
2325
2326         Frequent RELEASE_ASSERT crashes in Structure::checkOffsetConsistency on WebGL swizzler tests
2327         https://bugs.webkit.org/show_bug.cgi?id=121661
2328
2329         Reviewed by Mark Hahnenberg.
2330         
2331         This method shouldn't have been called from the concurrent JIT thread. That's hard to prevent
2332         so I added a return-early check using isCompilationThread().
2333         
2334         Here's why this makes sense. Structure has two ways to tell you about the layout of the objects
2335         it is describing: m_offset and the property table. Most structures only have m_offset and report
2336         null for the property table. If the property table is there, it will tell you additional
2337         information and that information subsumes m_offset - but the m_offset is still there. So, when
2338         we have a property table, we have to keep it in sync with the m_offset. There is a bunch of
2339         machinery to do this.
2340         
2341         Changing the property table only happens on the main thread.
2342         
2343         Because the machinery to change the property table is so complex, especially with respect to
2344         keeping it in sync with m_offset, we have the checkOffsetConsistency method. It's meant to be
2345         called at key points before and after changes to the property table or the offset.
2346
2347         Most clients of Structure who care about object layout, including the concurrent thread, will
2348         want to know m_offset and not the property table. If they want the property table, they will
2349         already be super careful. The concurrent thread has special methods for this, like
2350         Structure::getConcurrently(), which uses fine-grained locking to ensure that it sees a coherent
2351         view of the property table.
2352         
2353         Adding locking to checkOffsetConsistency() is probably a bad idea since that method may be
2354         called when the relevant lock is already held. So, we'd have awkward recursive locking issues.
2355         
2356         But right now, the concurrent JIT thread may call a method, like Structure::outOfLineCapacity(),
2357         which has a call to checkOffsetConsistency(). The call to checkOffsetConsistency() is there
2358         because we have found that it helps quickly identify situations where the property table and
2359         m_offset get out of sync - mainly because code that changes either of those things will usually
2360         also want to know the outOfLineCapacity(). But Structure::outOfLineCapacity() doesn't *actually*
2361         need the property table; it uses the m_offset. The concurrent JIT is correct to call
2362         outOfLineCapacity(), and is right to do so without holding any locks (since in all cases where
2363         it calls outOfLineCapacity() it has already proven that m_offset is immutable). But because
2364         outOfLineCapacity() calls checkOffsetConsistency(), and checkOffsetConsistency() doesn't grab
2365         locks, and that same structure is having its property table modified by the main thread, we end
2366         up with these spurious assertion failures. FWIW, the structure isn't *actually* having *its*
2367         property table modified - instead what happens is that some downstream structure steals the
2368         property table and then starts adding things to it. The concurrent thread loads the property
2369         table before it's stolen, and hence the badness.
2370         
2371         I suspect there are other code paths that lead to the concurrent JIT calling some Structure
2372         method that it is fine and safe to call, but then that method calls checkOffsetConsistency(),
2373         and then you have a possible crash.
2374         
2375         The most sensible solution to this appears to be to make sure that checkOffsetConsistency() is
2376         aware of its uselessness to the concurrent JIT thread. This change makes it return early if
2377         it's in the concurrent JIT.
2378         
2379         * runtime/StructureInlines.h:
2380         (JSC::Structure::checkOffsetConsistency):
2381
2382 2013-10-18  Daniel Bates  <dabates@apple.com>
2383
2384         Add SPI to disable the garbage collector timer
2385         https://bugs.webkit.org/show_bug.cgi?id=122921
2386
2387         Add null check to Heap::setGarbageCollectionTimerEnabled() that I inadvertently
2388         omitted.
2389
2390         * heap/Heap.cpp:
2391         (JSC::Heap::setGarbageCollectionTimerEnabled):
2392
2393 2013-10-18  Julien Brianceau  <jbriance@cisco.com>
2394
2395         Group 64-bit specific and 32-bit specific callOperation implementations.
2396         https://bugs.webkit.org/show_bug.cgi?id=123024
2397
2398         Reviewed by Michael Saboff.
2399
2400         This is not a big deal, but could be less confusing when reading the code.
2401
2402         * jit/JITInlines.h:
2403         (JSC::JIT::callOperation):
2404         (JSC::JIT::callOperationWithCallFrameRollbackOnException):
2405         (JSC::JIT::callOperationNoExceptionCheck):
2406
2407 2013-10-18  Nadav Rotem  <nrotem@apple.com>
2408
2409         Fix a FlushLiveness problem.
2410         https://bugs.webkit.org/show_bug.cgi?id=122984
2411
2412         Reviewed by Filip Pizlo.
2413
2414         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
2415         (JSC::DFG::FlushLivenessAnalysisPhase::process):
2416
2417 2013-10-18  Michael Saboff  <msaboff@apple.com>
2418
2419         Change native function call stubs to use JIT operations instead of ctiVMHandleException
2420         https://bugs.webkit.org/show_bug.cgi?id=122982
2421
2422         Reviewed by Geoffrey Garen.
2423
2424         Change ctiVMHandleException to operationVMHandleException.  Change all exception operations to
2425         return the catch callFrame and entryPC via vm.callFrameForThrow and vm.targetMachinePCForThrow.
2426         This removed calling convention headaches, fixing https://bugs.webkit.org/show_bug.cgi?id=122980
2427         in the process.
2428
2429         * dfg/DFGJITCompiler.cpp:
2430         (JSC::DFG::JITCompiler::compileExceptionHandlers):
2431         * jit/CCallHelpers.h:
2432         (JSC::CCallHelpers::jumpToExceptionHandler):
2433         * jit/JIT.cpp:
2434         (JSC::JIT::privateCompileExceptionHandlers):
2435         * jit/JIT.h:
2436         * jit/JITExceptions.cpp:
2437         (JSC::genericUnwind):
2438         * jit/JITExceptions.h:
2439         * jit/JITInlines.h:
2440         (JSC::JIT::callOperationNoExceptionCheck):
2441         * jit/JITOpcodes.cpp:
2442         (JSC::JIT::emit_op_throw):
2443         * jit/JITOpcodes32_64.cpp:
2444         (JSC::JIT::privateCompileCTINativeCall):
2445         (JSC::JIT::emit_op_throw):
2446         * jit/JITOperations.cpp:
2447         * jit/JITOperations.h:
2448         * jit/JITStubs.cpp:
2449         * jit/JITStubs.h:
2450         * jit/JITStubsARM.h:
2451         * jit/JITStubsARM64.h:
2452         * jit/JITStubsARMv7.h:
2453         * jit/JITStubsMIPS.h:
2454         * jit/JITStubsMSVC64.asm:
2455         * jit/JITStubsSH4.h:
2456         * jit/JITStubsX86.h:
2457         * jit/JITStubsX86_64.h:
2458         * jit/Repatch.cpp:
2459         (JSC::tryBuildGetByIDList):
2460         * jit/SlowPathCall.h:
2461         (JSC::JITSlowPathCall::call):
2462         * jit/ThunkGenerators.cpp:
2463         (JSC::throwExceptionFromCallSlowPathGenerator):
2464         (JSC::nativeForGenerator):
2465         * runtime/VM.h:
2466         (JSC::VM::callFrameForThrowOffset):
2467         (JSC::VM::targetMachinePCForThrowOffset):
2468
2469 2013-10-18  Julien Brianceau  <jbriance@cisco.com>
2470
2471         Fix J_JITOperation_EAapJ call for MIPS and ARM EABI.
2472         https://bugs.webkit.org/show_bug.cgi?id=123023
2473
2474         Reviewed by Michael Saboff.
2475
2476         * jit/JITInlines.h:
2477         (JSC::JIT::callOperation): EncodedJSValue parameter does not need alignment
2478         using EABI_32BIT_DUMMY_ARG here.
2479
2480 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
2481
2482         Unreviewed, another ARM64 build fix.
2483         
2484         Get rid of andPtr(TrustedImmPtr, blah), since it would take Effort to get it to work
2485         on ARM64 and none of its uses are legit - they should all be using
2486         andPtr(TrustedImm32, blah) anyway.
2487
2488         * assembler/MacroAssembler.h:
2489         * assembler/MacroAssemblerARM64.h:
2490         * dfg/DFGJITCompiler.cpp:
2491         (JSC::DFG::JITCompiler::compileExceptionHandlers):
2492         * jit/JIT.cpp:
2493         (JSC::JIT::privateCompileExceptionHandlers):
2494
2495 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
2496
2497         Unreviewed, speculative ARM64 build fix.
2498         
2499         move(ImmPtr, blah) is only available in MacroAssembler since that's where blinding is
2500         implemented. So, you have to use TrustedImmPtr in the superclasses.
2501
2502         * assembler/MacroAssemblerARM64.h:
2503         (JSC::MacroAssemblerARM64::store8):
2504         (JSC::MacroAssemblerARM64::branchTest8):
2505
2506 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
2507
2508         Unreviewed, speculative ARM build fix.
2509         https://bugs.webkit.org/show_bug.cgi?id=122890
2510         <rdar://problem/15258624>
2511
2512         * assembler/ARM64Assembler.h:
2513         (JSC::ARM64Assembler::firstRegister):
2514         (JSC::ARM64Assembler::lastRegister):
2515         (JSC::ARM64Assembler::firstFPRegister):
2516         (JSC::ARM64Assembler::lastFPRegister):
2517         * assembler/MacroAssemblerARM64.h:
2518         * assembler/MacroAssemblerARMv7.h:
2519
2520 2013-10-17  Andreas Kling  <akling@apple.com>
2521
2522         Pass VM instead of JSGlobalObject to JSONObject constructor.
2523         <https://webkit.org/b/122999>
2524
2525         JSONObject was only using the JSGlobalObject to grab at the VM.
2526         Dodge a few loads by passing the VM directly instead.
2527
2528         Reviewed by Geoffrey Garen.
2529
2530         * runtime/JSONObject.cpp:
2531         (JSC::JSONObject::JSONObject):
2532         (JSC::JSONObject::finishCreation):
2533         * runtime/JSONObject.h:
2534         (JSC::JSONObject::create):
2535
2536 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2537
2538         Removed the JITStackFrame struct
2539         https://bugs.webkit.org/show_bug.cgi?id=123001
2540
2541         Reviewed by Anders Carlsson.
2542
2543         * jit/JITStubs.h: JITStackFrame and JITStubArg are unused now, since all
2544         our helper functions obey the C function call ABI.
2545
2546 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2547
2548         Removed an unused #define
2549         https://bugs.webkit.org/show_bug.cgi?id=123000
2550
2551         Reviewed by Anders Carlsson.
2552
2553         * jit/JITStubs.h: Removed the concept of JITSTACKFRAME_ARGS_INDEX,
2554         since it is unused now. This is a step toward using the C stack.
2555
2556 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2557
2558         Eliminate uses of JITSTACKFRAME_ARGS_INDEX as scratch area for thunks
2559         https://bugs.webkit.org/show_bug.cgi?id=122973
2560
2561         Reviewed by Michael Saboff.
2562
2563         * jit/ThunkGenerators.cpp:
2564         (JSC::throwExceptionFromCallSlowPathGenerator): This was all dead code,
2565         so I removed it.
2566
2567         The code acted as if it needed to pass an argument to
2568         lookupExceptionHandler, and as if it passed that argument to itself
2569         through JITStackFrame. However, lookupExceptionHandler does not take
2570         an argument (other than the default ExecState argument), and the code
2571         did not initialize the thing that it thought it passed to itself!
2572
2573 2013-10-17  Alex Christensen  <achristensen@webkit.org>
2574
2575         Run JavaScriptCore tests again on Windows.
2576         https://bugs.webkit.org/show_bug.cgi?id=122787
2577
2578         Reviewed by Tim Horton.
2579
2580         * JavaScriptCore.vcxproj/JavaScriptCore.sln: Added.
2581         * jit/JITStubsMSVC64.asm: Removed reference to cti_vm_throw unused since r157581.
2582
2583 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2584
2585         Removed restoreArgumentReference (another use of JITStackFrame)
2586         https://bugs.webkit.org/show_bug.cgi?id=122997
2587
2588         Reviewed by Oliver Hunt.
2589
2590         * jit/JSInterfaceJIT.h: Removed an unused function. This is a step
2591         toward using the C stack.
2592
2593 2013-10-17  Oliver Hunt  <oliver@apple.com>
2594
2595         Remove JITStubCall.h
2596         https://bugs.webkit.org/show_bug.cgi?id=122991
2597
2598         Reviewed by Geoff Garen.
2599
2600         Happily this is no longer used.
2601
2602         * GNUmakefile.list.am:
2603         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2604         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2605         * JavaScriptCore.xcodeproj/project.pbxproj:
2606         * jit/JIT.cpp:
2607         * jit/JITArithmetic.cpp:
2608         * jit/JITArithmetic32_64.cpp:
2609         * jit/JITCall.cpp:
2610         * jit/JITCall32_64.cpp:
2611         * jit/JITOpcodes.cpp:
2612         * jit/JITOpcodes32_64.cpp:
2613         * jit/JITPropertyAccess.cpp:
2614         * jit/JITPropertyAccess32_64.cpp:
2615         * jit/JITStubCall.h: Removed.
2616
2617 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2618
2619         Removed a use of JITSTACKFRAME_ARGS_INDEX
2620         https://bugs.webkit.org/show_bug.cgi?id=122989
2621
2622         Reviewed by Oliver Hunt.
2623
2624         * jit/JITStubCall.h: Removed an unused function. This is one step closer
2625         to using the C stack.
2626
2627 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2628
2629         Change emit_op_catch to use another method to materialize VM
2630         https://bugs.webkit.org/show_bug.cgi?id=122977
2631
2632         Reviewed by Oliver Hunt.
2633
2634         * jit/JITOpcodes.cpp:
2635         (JSC::JIT::emit_op_catch):
2636         * jit/JITOpcodes32_64.cpp:
2637         (JSC::JIT::emit_op_catch): Use a constant. It removes our dependency
2638         on JITStackFrame. It is also faster and simpler.
2639
2640 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2641
2642         Eliminate emitGetJITStubArg() - dead code
2643         https://bugs.webkit.org/show_bug.cgi?id=122975
2644
2645         Reviewed by Anders Carlsson.
2646
2647         * jit/JIT.h:
2648         * jit/JITInlines.h: Removed unused, deprecated function.
2649
2650 2013-10-17  Mark Lam  <mark.lam@apple.com>
2651
2652         Eliminate all ASSERT references to OBJECT_OFFSETOF(struct JITStackFrame,...) in JITStubsXXX.h.
2653         https://bugs.webkit.org/show_bug.cgi?id=122979.
2654
2655         Reviewed by Michael Saboff.
2656
2657         * jit/JITStubs.cpp:
2658         * jit/JITStubs.h:
2659         * jit/JITStubsARM.h:
2660         * jit/JITStubsARM64.h:
2661         * jit/JITStubsARMv7.h:
2662         * jit/JITStubsMIPS.h:
2663         * jit/JITStubsSH4.h:
2664         * jit/JITStubsX86.h:
2665         * jit/JITStubsX86_64.h:
2666         * runtime/VM.cpp:
2667         (JSC::VM::VM):
2668
2669 2013-10-17  Michael Saboff  <msaboff@apple.com>
2670
2671         Remove saving callFrameRegister to JITStackFrame in JITCompiler::compileFunction()
2672         https://bugs.webkit.org/show_bug.cgi?id=122974
2673
2674         Reviewed by Geoffrey Garen.
2675
2676         Eliminated unneeded storing to JITStackFrame.
2677
2678         * dfg/DFGJITCompiler.cpp:
2679         (JSC::DFG::JITCompiler::compileFunction):
2680
2681 2013-10-17  Michael Saboff  <msaboff@apple.com>
2682
2683         Transition cti_op_throw and cti_vm_throw to a JIT operation
2684         https://bugs.webkit.org/show_bug.cgi?id=122931
2685
2686         Reviewed by Filip Pizlo.
2687
2688         Moved cti_op_throw to operationThrow.  Made the caller responsible for jumping to the
2689         catch handler.  Eliminated cti_op_throw_static_error, cti_vm_throw, ctiVMThrowTrampoline()
2690         and their callers as it is now dead code.  There is some work needed on the Microsoft X86
2691         callOperation to handle the need to provide space for the structure return value.
2692
2693         * jit/JIT.h:
2694         * jit/JITInlines.h:
2695         (JSC::JIT::callOperation):
2696         * jit/JITOpcodes.cpp:
2697         (JSC::JIT::emit_op_throw):
2698         * jit/JITOpcodes32_64.cpp:
2699         (JSC::JIT::emit_op_throw):
2700         (JSC::JIT::emit_op_catch):
2701         * jit/JITOperations.cpp:
2702         * jit/JITOperations.h:
2703         * jit/JITStubs.cpp:
2704         * jit/JITStubs.h:
2705         * jit/JITStubsARM.h:
2706         * jit/JITStubsARM64.h:
2707         * jit/JITStubsARMv7.h:
2708         * jit/JITStubsMIPS.h:
2709         * jit/JITStubsMSVC64.asm:
2710         * jit/JITStubsSH4.h:
2711         * jit/JITStubsX86.h:
2712         * jit/JITStubsX86_64.h:
2713         * jit/JSInterfaceJIT.h:
2714
2715 2013-10-17  Mark Lam  <mark.lam@apple.com>
2716
2717         Remove JITStackFrame references in the C Loop LLINT.
2718         https://bugs.webkit.org/show_bug.cgi?id=122950.
2719
2720         Reviewed by Michael Saboff.
2721
2722         * jit/JITStubs.h:
2723         * llint/LowLevelInterpreter.cpp:
2724         (JSC::CLoop::execute):
2725         * offlineasm/cloop.rb:
2726
2727 2013-10-17  Mark Lam  <mark.lam@apple.com>
2728
2729         Remove JITStackFrame references in JIT probes.
2730         https://bugs.webkit.org/show_bug.cgi?id=122947.
2731
2732         Reviewed by Michael Saboff.
2733
2734         * assembler/MacroAssemblerARM.cpp:
2735         (JSC::MacroAssemblerARM::ProbeContext::dump):
2736         * assembler/MacroAssemblerARM.h:
2737         * assembler/MacroAssemblerARMv7.cpp:
2738         (JSC::MacroAssemblerARMv7::ProbeContext::dump):
2739         * assembler/MacroAssemblerARMv7.h:
2740         * assembler/MacroAssemblerX86Common.cpp:
2741         (JSC::MacroAssemblerX86Common::ProbeContext::dump):
2742         * assembler/MacroAssemblerX86Common.h:
2743         * jit/JITStubsARM.h:
2744         * jit/JITStubsARMv7.h:
2745         * jit/JITStubsX86.h:
2746         * jit/JITStubsX86Common.h:
2747         * jit/JITStubsX86_64.h:
2748
2749 2013-10-17  Julien Brianceau  <jbriance@cisco.com>
2750
2751         Fix build when NUMBER_OF_ARGUMENT_REGISTERS == 4.
2752         https://bugs.webkit.org/show_bug.cgi?id=122949
2753
2754         Reviewed by Andreas Kling.
2755
2756         * jit/CCallHelpers.h:
2757         (JSC::CCallHelpers::setupArgumentsWithExecState):
2758
2759 2013-10-16  Mark Lam  <mark.lam@apple.com>
2760
2761         Transition remaining op_get* JITStubs to JIT operations.
2762         https://bugs.webkit.org/show_bug.cgi?id=122925.
2763
2764         Reviewed by Geoffrey Garen.
2765
2766         Transitioning:
2767             cti_op_get_by_id_generic
2768             cti_op_get_by_val
2769             cti_op_get_by_val_generic
2770             cti_op_get_by_val_string
2771
2772         * dfg/DFGOperations.cpp:
2773         * dfg/DFGOperations.h:
2774         * jit/JIT.h:
2775         * jit/JITInlines.h:
2776         (JSC::JIT::callOperation):
2777         * jit/JITOpcodes.cpp:
2778         (JSC::JIT::emitSlow_op_get_arguments_length):
2779         (JSC::JIT::emitSlow_op_get_argument_by_val):
2780         * jit/JITOpcodes32_64.cpp:
2781         (JSC::JIT::emitSlow_op_get_arguments_length):
2782         (JSC::JIT::emitSlow_op_get_argument_by_val):
2783         * jit/JITOperations.cpp:
2784         * jit/JITOperations.h:
2785         * jit/JITPropertyAccess.cpp:
2786         (JSC::JIT::emitSlow_op_get_by_val):
2787         (JSC::JIT::emitSlow_op_get_by_pname):
2788         (JSC::JIT::privateCompileGetByVal):
2789         * jit/JITPropertyAccess32_64.cpp:
2790         (JSC::JIT::emitSlow_op_get_by_val):
2791         (JSC::JIT::emitSlow_op_get_by_pname):
2792         * jit/JITStubs.cpp:
2793         * jit/JITStubs.h:
2794         * runtime/Executable.cpp:
2795         (JSC::setupLLInt): Added some UNUSED_PARAMs to fix the no LLINT build.
2796         * runtime/Options.cpp:
2797         (JSC::Options::initialize):
2798
2799 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2800
2801         Introduce WTF::Bag and start using it for InlineCallFrameSet
2802         https://bugs.webkit.org/show_bug.cgi?id=122941
2803
2804         Reviewed by Geoffrey Garen.
2805         
2806         Use Bag for InlineCallFrameSet. If this works out then I'll make other
2807         SegmentedVectors into Bags as well.
2808
2809         * bytecode/InlineCallFrameSet.cpp:
2810         (JSC::InlineCallFrameSet::add):
2811         * bytecode/InlineCallFrameSet.h:
2812         (JSC::InlineCallFrameSet::begin):
2813         (JSC::InlineCallFrameSet::end):
2814         * dfg/DFGArgumentsSimplificationPhase.cpp:
2815         (JSC::DFG::ArgumentsSimplificationPhase::run):
2816         * dfg/DFGJITCompiler.cpp:
2817         (JSC::DFG::JITCompiler::link):
2818         * dfg/DFGStackLayoutPhase.cpp:
2819         (JSC::DFG::StackLayoutPhase::run):
2820         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
2821         (JSC::DFG::VirtualRegisterAllocationPhase::run):
2822
2823 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2824
2825         libllvmForJSC shouldn't call exit(1) on report_fatal_error()
2826         https://bugs.webkit.org/show_bug.cgi?id=122905
2827         <rdar://problem/15237856>
2828
2829         Reviewed by Michael Saboff.
2830         
2831         Expose the new LLVMInstallFatalErrorHandler() API through the soft linking magic and
2832         then always call it to install something that calls CRASH().
2833
2834         * llvm/InitializeLLVM.cpp:
2835         (JSC::llvmCrash):
2836         (JSC::initializeLLVMOnce):
2837         (JSC::initializeLLVM):
2838         * llvm/LLVMAPIFunctions.h:
2839
2840 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2841
2842         Prototype chain repatching in the polymorphic case fails to check if the receiver is a dictionary
2843         https://bugs.webkit.org/show_bug.cgi?id=122938
2844
2845         Reviewed by Sam Weinig.
2846         
2847         This fixes jsc-layout-tests.yaml/js/script-tests/dictionary-prototype-caching.js.layout-no-llint.
2848
2849         * jit/Repatch.cpp:
2850         (JSC::tryBuildGetByIDList):
2851
2852 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2853
2854         JIT::appendCall() needs to killLastResultRegister() or equivalent since there's some really bad code that expects it
2855         https://bugs.webkit.org/show_bug.cgi?id=122937
2856
2857         Reviewed by Geoffrey Garen.
2858         
2859         JITStubCall used to do it.
2860         
2861         This makes mozilla-tests.yaml/ecma/Statements/12.10-1.js.mozilla-baseline pass.
2862
2863         * jit/JIT.h:
2864         (JSC::JIT::appendCall):
2865
2866 2013-10-16  Michael Saboff  <msaboff@apple.com>
2867
2868         transition void cti_op_put_by_val* stubs to JIT operations
2869         https://bugs.webkit.org/show_bug.cgi?id=122903
2870
2871         Reviewed by Geoffrey Garen.
2872
2873         Transitioned cti_op_put_by_val and cti_op_put_by_val_generic to operationPutByVal and
2874         operationPutByValGeneric.
2875
2876         * jit/CCallHelpers.h:
2877         (JSC::CCallHelpers::setupArgumentsWithExecState):
2878         * jit/JIT.h:
2879         * jit/JITInlines.h:
2880         (JSC::JIT::callOperation):
2881         * jit/JITOperations.cpp:
2882         * jit/JITOperations.h:
2883         * jit/JITPropertyAccess.cpp:
2884         (JSC::JIT::emitSlow_op_put_by_val):
2885         (JSC::JIT::privateCompilePutByVal):
2886         * jit/JITPropertyAccess32_64.cpp:
2887         (JSC::JIT::emitSlow_op_put_by_val):
2888         * jit/JITStubs.cpp:
2889         * jit/JITStubs.h:
2890         * jit/JSInterfaceJIT.h:
2891
2892 2013-10-16  Oliver Hunt  <oliver@apple.com>
2893
2894         Implement ES6 spread operator
2895         https://bugs.webkit.org/show_bug.cgi?id=122911
2896
2897         Reviewed by Michael Saboff.
2898
2899         Implement the ES6 spread operator
2900
2901         This has a little bit of refactoring to move the enumeration logic out of ForOfNode
2902         and into BytecodeGenerator, and then adds the logic to make it nicely callback
2903         driven.
2904
2905         The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
2906         and actually handling the spread.
2907
2908         * bytecompiler/BytecodeGenerator.cpp:
2909         (JSC::BytecodeGenerator::emitNewArray):
2910         (JSC::BytecodeGenerator::emitCall):
2911         (JSC::BytecodeGenerator::emitEnumeration):
2912         * bytecompiler/BytecodeGenerator.h:
2913         * bytecompiler/NodesCodegen.cpp:
2914         (JSC::ArrayNode::emitBytecode):
2915         (JSC::ForOfNode::emitBytecode):
2916         (JSC::SpreadExpressionNode::emitBytecode):
2917         * parser/ASTBuilder.h:
2918         (JSC::ASTBuilder::createSpreadExpression):
2919         * parser/Lexer.cpp:
2920         (JSC::::lex):
2921         * parser/NodeConstructors.h:
2922         (JSC::SpreadExpressionNode::SpreadExpressionNode):
2923         * parser/Nodes.h:
2924         (JSC::ExpressionNode::isSpreadExpression):
2925         (JSC::SpreadExpressionNode::expression):
2926         * parser/Parser.cpp:
2927         (JSC::::parseArrayLiteral):
2928         (JSC::::parseArguments):
2929         (JSC::::parseMemberExpression):
2930         * parser/Parser.h:
2931         (JSC::Parser::getTokenName):
2932         (JSC::Parser::updateErrorMessageSpecialCase):
2933         * parser/ParserTokens.h:
2934         * parser/SyntaxChecker.h:
2935         (JSC::SyntaxChecker::createSpreadExpression):
2936
2937 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2938
2939         Add a useLLInt option to jsc
2940         https://bugs.webkit.org/show_bug.cgi?id=122930
2941
2942         Reviewed by Geoffrey Garen.
2943
2944         * runtime/Executable.cpp:
2945         (JSC::setupLLInt):
2946         (JSC::setupJIT):
2947         (JSC::ScriptExecutable::prepareForExecutionImpl):
2948         * runtime/Options.h:
2949
2950 2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>
2951
2952         Build fix.
2953
2954         Forgot to svn add DeferGC.cpp
2955
2956         * heap/DeferGC.cpp: Added.
2957
2958 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2959
2960         r157411 fails run-javascriptcore-tests when run with Baseline JIT
2961         https://bugs.webkit.org/show_bug.cgi?id=122902
2962
2963         Reviewed by Mark Hahnenberg.
2964         
2965         It turns out that this was a long-standing bug in the DFG PutById repatching logic. It's
2966         not legal to patch if the typeInfo tells you that you can't patch. The old JIT's patching
2967         logic did this right, and the DFG's GetById patching logic did it right; but DFG PutById
2968         didn't. Turns out that there's even a helpful method,
2969         Structure::propertyAccessesAreCacheable(), that will even do all of the checks for you!
2970
2971         * jit/Repatch.cpp:
2972         (JSC::tryCachePutByID):
2973
2974 2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>
2975
2976         llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
2977         https://bugs.webkit.org/show_bug.cgi?id=122667
2978
2979         Reviewed by Geoffrey Garen.
2980
2981         The issue this patch is attempting to fix is that there are places in our codebase
2982         where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
2983         operations that can initiate a garbage collection. Garbage collection then calls 
2984         some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
2985         always necessarily run during garbage collection). This causes a deadlock.
2986  
2987         To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores 
2988         into a thread-local field that indicates that it is unsafe to perform any operation 
2989         that could trigger garbage collection on the current thread. In debug builds, 
2990         ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly 
2991         detect deadlocks.
2992  
2993         This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
2994         which uses the DeferGC mechanism to prevent collections from occurring while the 
2995         lock is held.
2996
2997         * CMakeLists.txt:
2998         * GNUmakefile.list.am:
2999         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3000         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3001         * JavaScriptCore.xcodeproj/project.pbxproj:
3002         * heap/DeferGC.h:
3003         (JSC::DisallowGC::DisallowGC):
3004         (JSC::DisallowGC::~DisallowGC):
3005         (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
3006         (JSC::DisallowGC::initialize):
3007         * jit/Repatch.cpp:
3008         (JSC::repatchPutByID):
3009         (JSC::buildPutByIdList):
3010         * llint/LLIntSlowPaths.cpp:
3011         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3012         * runtime/ConcurrentJITLock.h:
3013         (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
3014         (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
3015         (JSC::ConcurrentJITLockerBase::unlockEarly):
3016         (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
3017         (JSC::GCSafeConcurrentJITLocker::~GCSafeConcurrentJITLocker):
3018         (JSC::GCSafeConcurrentJITLocker::NoDefer::NoDefer):
3019         (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
3020         * runtime/InitializeThreading.cpp:
3021         (JSC::initializeThreadingOnce):
3022         * runtime/JSCellInlines.h:
3023         (JSC::allocateCell):
3024         * runtime/JSSymbolTableObject.h:
3025         (JSC::symbolTablePut):
3026         * runtime/Structure.cpp: materializePropertyMapIfNecessary* now has a problem in that it
3027         can start a garbage collection when the GCSafeConcurrentJITLocker goes out of scope, but 
3028         before the caller has a chance to use the newly created PropertyTable. The garbage collection
3029         clears the PropertyTable, and then the caller uses it assuming it's valid. To avoid this,
3030         we must DeferGC until the caller is done getting the newly materialized PropertyTable from 
3031         the Structure.
3032         (JSC::Structure::materializePropertyMap):
3033         (JSC::Structure::despecifyDictionaryFunction):
3034         (JSC::Structure::changePrototypeTransition):
3035         (JSC::Structure::despecifyFunctionTransition):
3036         (JSC::Structure::attributeChangeTransition):
3037         (JSC::Structure::toDictionaryTransition):
3038         (JSC::Structure::preventExtensionsTransition):
3039         (JSC::Structure::takePropertyTableOrCloneIfPinned):
3040         (JSC::Structure::isSealed):
3041         (JSC::Structure::isFrozen):
3042         (JSC::Structure::addPropertyWithoutTransition):
3043         (JSC::Structure::removePropertyWithoutTransition):
3044         (JSC::Structure::get):
3045         (JSC::Structure::despecifyFunction):
3046         (JSC::Structure::despecifyAllFunctions):
3047         (JSC::Structure::putSpecificValue):
3048         (JSC::Structure::createPropertyMap):
3049         (JSC::Structure::getPropertyNamesFromStructure):
3050         * runtime/Structure.h:
3051         (JSC::Structure::materializePropertyMapIfNecessary):
3052         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
3053         * runtime/StructureInlines.h:
3054         (JSC::Structure::get):
3055         * runtime/SymbolTable.h:
3056         (JSC::SymbolTable::find):
3057         (JSC::SymbolTable::end):
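
        The DisallowGC / DeferGC scheme and the materializePropertyMap hazard described in this entry, as an added single-threaded toy model in C++ (not JavaScriptCore's code; the Heap, the lock's placement and the counters are assumptions made to keep it self-contained):

```cpp
#include <mutex>
#include <utility>

namespace toy {
// Thread-local bookkeeping (the entry's "thread-local field"): disallowDepth > 0 means a collection on this thread is a bug; deferDepth > 0 means collections are postponed.
static thread_local int disallowDepth = 0;
static thread_local int deferDepth = 0;
static thread_local bool collectionPending = false;
using ConcurrentJITLock = std::mutex;

struct Heap {
    ConcurrentJITLock lock;      // in JSC the lock belongs to a CodeBlock; kept here to stay small
    int collectionsRun = 0;      // collections that actually ran
    int disallowedAttempts = 0;  // collections requested under DisallowGC (JSC would ASSERT here)
    int propertyTable = 0;       // stands in for a Structure's PropertyTable; a collection clears it
    // Request a collection: forbidden, deferred, or run now.
    void collect() {
        if (disallowDepth > 0) { ++disallowedAttempts; return; }
        if (deferDepth > 0) { collectionPending = true; return; }
        ++collectionsRun;
        propertyTable = 0;  // the GC clears the materialized table
    }
    void allocateCell() { collect(); }  // an allocation is the kind of operation that may initiate a collection
};

// RAII marker: while alive, any collection request on this thread is flagged.
struct DisallowGC {
    DisallowGC() { ++disallowDepth; }
    ~DisallowGC() { --disallowDepth; }
};

// RAII deferral: a collection requested while alive runs when the outermost DeferGC dies.
struct DeferGC {
    explicit DeferGC(Heap& heap) : m_heap(heap) { ++deferDepth; }
    ~DeferGC() {
        if (--deferDepth == 0 && collectionPending) { collectionPending = false; m_heap.collect(); }
    }
    Heap& m_heap;
};

// Plain locker: embeds a DisallowGC (as JSC does in debug builds) so a GC under the lock is caught.
struct ConcurrentJITLocker {
    explicit ConcurrentJITLocker(Heap& heap) : m_guard(heap.lock) {}
    std::lock_guard<ConcurrentJITLock> m_guard;
    DisallowGC m_disallowGC;
};

// GC-safe locker: DeferGC is declared first, so it is built before the lock is taken and destroyed after the lock is released; the deferred collection runs with no lock held.
struct GCSafeConcurrentJITLocker {
    explicit GCSafeConcurrentJITLocker(Heap& heap) : m_deferGC(heap), m_guard(heap.lock) {}
    DeferGC m_deferGC;
    std::lock_guard<ConcurrentJITLock> m_guard;
};

// The deadlock-prone pattern: allocating (and so possibly collecting) under the plain locker.
int disallowedAttemptsUnderPlainLocker() {
    Heap heap;
    {
        ConcurrentJITLocker locker(heap);
        heap.allocateCell();
    }
    return heap.disallowedAttempts;  // 1: caught eagerly instead of deadlocking
}

// Under the GC-safe locker the collection waits: none while locked, one after the lock is dropped.
std::pair<int, int> collectionsUnderGCSafeLocker() {
    Heap heap;
    int duringLock;
    {
        GCSafeConcurrentJITLocker locker(heap);
        heap.allocateCell();
        duringLock = heap.collectionsRun;
    }
    return {duringLock, heap.collectionsRun};  // {0, 1}
}

// Analogue of materializePropertyMapIfNecessary: builds the table under the GC-safe lock while an allocation requests a collection.
void materializePropertyMap(Heap& heap) {
    GCSafeConcurrentJITLocker locker(heap);
    heap.propertyTable = 42;  // the newly created PropertyTable
    heap.allocateCell();
}

// Caller without DeferGC: the deferred collection fires as the locker leaves scope and clears the table before the caller can read it.
int propertyTableSeenWithoutDeferGC() {
    Heap heap;
    materializePropertyMap(heap);
    return heap.propertyTable;  // 0
}

// Caller holding its own DeferGC (the fix): the collection waits until the caller is done.
int propertyTableSeenWithDeferGC() {
    Heap heap;
    DeferGC deferGC(heap);  // outlives the read below, so the table is still valid
    materializePropertyMap(heap);
    return heap.propertyTable;  // 42
}
}  // namespace toy
```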
3058
3059 2013-10-16  Daniel Bates  <dabates@apple.com>
3060
3061         Add SPI to disable the garbage collector timer
3062         https://bugs.webkit.org/show_bug.cgi?id=122921
3063
3064         Reviewed by Geoffrey Garen.
3065
3066         Based on a patch by Mark Hahnenberg.
3067
3068         * API/JSBase.cpp:
3069         (JSDisableGCTimer): Added; SPI function.
3070         * API/JSBasePrivate.h:
3071         * heap/BlockAllocator.cpp:
3072         (JSC::createBlockFreeingThread): Added.
3073         (JSC::BlockAllocator::BlockAllocator): Modified to use JSC::createBlockFreeingThread()
3074         to conditionally create the "block freeing" thread depending on the value of
3075         GCActivityCallback::s_shouldCreateGCTimer.
3076         (JSC::BlockAllocator::~BlockAllocator):
3077         * heap/BlockAllocator.h:
3078         (JSC::BlockAllocator::deallocate):
3079         * heap/Heap.cpp:
3080         (JSC::Heap::didAbandon):
3081         (JSC::Heap::collect):
3082         (JSC::Heap::didAllocate):
3083         * heap/HeapTimer.cpp:
3084         (JSC::HeapTimer::timerDidFire):
3085         * runtime/GCActivityCallback.cpp:
3086         * runtime/GCActivityCallback.h:
3087         (JSC::DefaultGCActivityCallback::create): Only instantiate a DefaultGCActivityCallback object
3088         when GCActivityCallback::s_shouldCreateGCTimer is true so as to prevent allocating a HeapTimer
3089         object (since DefaultGCActivityCallback ultimately extends HeapTimer).
3090
3091 2013-10-16  Commit Queue  <commit-queue@webkit.org>
3092
3093         Unreviewed, rolling out r157529.
3094         http://trac.webkit.org/changeset/157529
3095         https://bugs.webkit.org/show_bug.cgi?id=122919
3096
3097         Caused score test failures and some build failures. (Requested
3098         by rfong on #webkit).
3099
3100         * bytecompiler/BytecodeGenerator.cpp:
3101         (JSC::BytecodeGenerator::emitNewArray):
3102         (JSC::BytecodeGenerator::emitCall):
3103         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
3104         * bytecompiler/BytecodeGenerator.h:
3105         * bytecompiler/NodesCodegen.cpp:
3106         (JSC::ArrayNode::emitBytecode):
3107         (JSC::CallArguments::CallArguments):
3108         (JSC::ForOfNode::emitBytecode):
3109         (JSC::BindingNode::collectBoundIdentifiers):
3110         * parser/ASTBuilder.h:
3111         * parser/Lexer.cpp:
3112         (JSC::::lex):
3113         * parser/NodeConstructors.h:
3114         (JSC::DotAccessorNode::DotAccessorNode):
3115         * parser/Nodes.h:
3116         * parser/Parser.cpp:
3117         (JSC::::parseArrayLiteral):
3118         (JSC::::parseArguments):
3119         (JSC::::parseMemberExpression):
3120         * parser/Parser.h:
3121         (JSC::Parser::getTokenName):
3122         (JSC::Parser::updateErrorMessageSpecialCase):
3123         * parser/ParserTokens.h:
3124         * parser/SyntaxChecker.h:
3125
3126 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
3127
3128         Remove useless architecture specific implementation in DFG.
3129         https://bugs.webkit.org/show_bug.cgi?id=122917.
3130
3131         Reviewed by Michael Saboff.
3132
3133         With CPU(ARM) && CPU(ARM_HARDFP) architecture, the fallback implementation is fine
3134         as FPRInfo::argumentFPR0 == FPRInfo::returnValueFPR in this case.
3135
3136         * dfg/DFGSpeculativeJIT.h:
3137
3138 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
3139
3140         Remove unused JIT::restoreArgumentReferenceForTrampoline function.
3141         https://bugs.webkit.org/show_bug.cgi?id=122916.
3142
3143         Reviewed by Michael Saboff.
3144
3145         This architecture specific function is not used anymore, so get rid of it.
3146
3147         * jit/JIT.h:
3148         * jit/JITInlines.h:
3149
3150 2013-10-16  Oliver Hunt  <oliver@apple.com>
3151
3152         Implement ES6 spread operator
3153         https://bugs.webkit.org/show_bug.cgi?id=122911
3154
3155         Reviewed by Michael Saboff.
3156
3157         Implement the ES6 spread operator
3158
3159         This has a little bit of refactoring to move the enumeration logic out of ForOfNode
3160         and into BytecodeGenerator, and then adds the logic to make it nicely callback
3161         driven.
3162
3163         The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
3164         and actually handling the spread.
3165
3166         * bytecompiler/BytecodeGenerator.cpp:
3167         (JSC::BytecodeGenerator::emitNewArray):
3168         (JSC::BytecodeGenerator::emitCall):
3169         (JSC::BytecodeGenerator::emitEnumeration):
3170         * bytecompiler/BytecodeGenerator.h:
3171         * bytecompiler/NodesCodegen.cpp:
3172         (JSC::ArrayNode::emitBytecode):
3173         (JSC::ForOfNode::emitBytecode):
3174         (JSC::SpreadExpressionNode::emitBytecode):
3175         * parser/ASTBuilder.h:
3176         (JSC::ASTBuilder::createSpreadExpression):
3177         * parser/Lexer.cpp:
3178         (JSC::::lex):
3179         * parser/NodeConstructors.h:
3180         (JSC::SpreadExpressionNode::SpreadExpressionNode):
3181         * parser/Nodes.h:
3182         (JSC::ExpressionNode::isSpreadExpression):
3183         (JSC::SpreadExpressionNode::expression):
3184         * parser/Parser.cpp:
3185         (JSC::::parseArrayLiteral):
3186         (JSC::::parseArguments):
3187         (JSC::::parseMemberExpression):
3188         * parser/Parser.h:
3189         (JSC::Parser::getTokenName):
3190         (JSC::Parser::updateErrorMessageSpecialCase):
3191         * parser/ParserTokens.h:
3192         * parser/SyntaxChecker.h:
3193         (JSC::SyntaxChecker::createSpreadExpression):
3194
3195 2013-10-16  Mark Lam  <mark.lam@apple.com>
3196
3197         Transition void cti_op_tear_off* methods to JIT operations for 32 bit.
3198         https://bugs.webkit.org/show_bug.cgi?id=122899.
3199
3200         Reviewed by Michael Saboff.
3201
3202         * jit/JITOpcodes32_64.cpp:
3203         (JSC::JIT::emit_op_tear_off_activation):
3204         (JSC::JIT::emit_op_tear_off_arguments):
3205         * jit/JITStubs.cpp:
3206         * jit/JITStubs.h:
3207
3208 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
3209
3210         Remove more of the UNINTERRUPTED_SEQUENCE thing
3211         https://bugs.webkit.org/show_bug.cgi?id=122885
3212
3213         Reviewed by Andreas Kling.
3214
3215         It was not completely removed by r157481, leading to build failure for sh4 architecture.
3216
3217         * jit/JIT.h:
3218         * jit/JITInlines.h:
3219
3220 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
3221
3222         Get rid of the StructureStubInfo::patch union
3223         https://bugs.webkit.org/show_bug.cgi?id=122877
3224
3225         Reviewed by Sam Weinig.
3226         
3227         Just simplifying code by getting rid of data structures that ain't used no more.
3228         
3229         Note that I replace the patch union with a patch struct. This means we say things like
3230         stubInfo.patch.valueGPR instead of stubInfo.valueGPR. I think that this extra
3231         encapsulation makes the code more readable: the patch struct contains just those things
3232         that you need to know to perform patching.
3233
3234         * bytecode/StructureStubInfo.h:
3235         * dfg/DFGJITCompiler.cpp:
3236         (JSC::DFG::JITCompiler::link):
3237         * jit/JIT.cpp:
3238         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
3239         * jit/Repatch.cpp:
3240         (JSC::repatchByIdSelfAccess):
3241         (JSC::replaceWithJump):
3242         (JSC::linkRestoreScratch):
3243         (JSC::generateProtoChainAccessStub):
3244         (JSC::tryCacheGetByID):
3245         (JSC::getPolymorphicStructureList):
3246         (JSC::patchJumpToGetByIdStub):
3247         (JSC::tryBuildGetByIDList):
3248         (JSC::emitPutReplaceStub):
3249         (JSC::emitPutTransitionStub):
3250         (JSC::tryCachePutByID):
3251         (JSC::tryBuildPutByIdList):
3252         (JSC::tryRepatchIn):
3253         (JSC::resetGetByID):
3254         (JSC::resetPutByID):
3255         (JSC::resetIn):
3256
3257 2013-10-15  Nadav Rotem  <nrotem@apple.com>
3258
3259         FTL: add support for Int52ToValue and fix putByVal of int52s.
3260         https://bugs.webkit.org/show_bug.cgi?id=122873
3261
3262         Reviewed by Filip Pizlo.
3263
3264         * ftl/FTLCapabilities.cpp:
3265         (JSC::FTL::canCompile):
3266         * ftl/FTLLowerDFGToLLVM.cpp:
3267         (JSC::FTL::LowerDFGToLLVM::compileNode):
3268         (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue):
3269         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
3270
3271 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
3272
3273         Get rid of the UNINTERRUPTED_SEQUENCE thing
3274         https://bugs.webkit.org/show_bug.cgi?id=122876
3275
3276         Reviewed by Mark Hahnenberg.
3277         
3278         It doesn't make sense anymore. We now use the DFG's IC logic, which never needed that.
3279         
3280         Moreover, we should resist the temptation to bring anything like this back. We don't
3281         want to have inline caches that only work if the assembler lays out code in a specific
3282         predetermined way.
3283
3284         * jit/JIT.h:
3285         * jit/JITCall.cpp:
3286         (JSC::JIT::compileOpCall):
3287         * jit/JITCall32_64.cpp:
3288         (JSC::JIT::compileOpCall):
3289
3290 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
3291
3292         Baseline JIT should use the DFG GetById IC
3293         https://bugs.webkit.org/show_bug.cgi?id=122861
3294
3295         Reviewed by Oliver Hunt.
3296         
3297         This mostly just kills a ton of code.
3298         
3299         Note that this doesn't yet do all of the simplifications that can be done, but it does
3300         kill dead code. I'll have another change to simplify StructureStubInfo's unions and such.
3301
3302         * bytecode/CodeBlock.cpp:
3303         (JSC::CodeBlock::resetStubInternal):
3304         * jit/JIT.cpp:
3305         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
3306         * jit/JIT.h:
3307         (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
3308         * jit/JITInlines.h:
3309         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
3310         (JSC::JIT::callOperation):
3311         * jit/JITPropertyAccess.cpp:
3312         (JSC::JIT::compileGetByIdHotPath):
3313         (JSC::JIT::emitSlow_op_get_by_id):
3314         (JSC::JIT::emitSlow_op_get_from_scope):
3315         * jit/JITPropertyAccess32_64.cpp:
3316         (JSC::JIT::compileGetByIdHotPath):
3317         (JSC::JIT::emitSlow_op_get_by_id):
3318         (JSC::JIT::emitSlow_op_get_from_scope):
3319         * jit/JITStubs.cpp:
3320         * jit/JITStubs.h:
3321         * jit/Repatch.cpp:
3322         (JSC::repatchGetByID):
3323         (JSC::buildGetByIDList):
3324         * jit/ThunkGenerators.cpp:
3325         * jit/ThunkGenerators.h:
3326
3327 2013-10-15  Dean Jackson  <dino@apple.com>
3328
3329         Add ENABLE_WEB_ANIMATIONS flag
3330         https://bugs.webkit.org/show_bug.cgi?id=122871
3331
3332         Reviewed by Tim Horton.
3333
3334         Eventually might be http://dev.w3.org/fxtf/web-animations/
3335         but this is just engine-internal work at the moment.
3336
3337         * Configurations/FeatureDefines.xcconfig:
3338
3339 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
3340
3341         [sh4] Some calls don't match sh4 ABI.
3342         https://bugs.webkit.org/show_bug.cgi?id=122863
3343
3344         Reviewed by Michael Saboff.
3345
3346         * dfg/DFGSpeculativeJIT.h:
3347         (JSC::DFG::SpeculativeJIT::callOperation):
3348         * jit/CCallHelpers.h:
3349         (JSC::CCallHelpers::setupArgumentsWithExecState):
3350         * jit/JITInlines.h:
3351         (JSC::JIT::callOperation):
3352
3353 2013-10-15  Daniel Bates  <dabates@apple.com>
3354
3355         [iOS] Upstream JavaScriptCore support for ARM64
3356         https://bugs.webkit.org/show_bug.cgi?id=122762
3357
3358         Reviewed by Oliver Hunt and Filip Pizlo.
3359
3360         * Configurations/Base.xcconfig:
3361         * Configurations/DebugRelease.xcconfig:
3362         * Configurations/JavaScriptCore.xcconfig:
3363         * Configurations/ToolExecutable.xcconfig:
3364         * JavaScriptCore.xcodeproj/project.pbxproj:
3365         * assembler/ARM64Assembler.h: Added.
3366         * assembler/AbstractMacroAssembler.h:
3367         (JSC::isARM64):
3368         (JSC::AbstractMacroAssembler::Label::Label):
3369         (JSC::AbstractMacroAssembler::Jump::Jump):
3370         (JSC::AbstractMacroAssembler::Jump::link):
3371         (JSC::AbstractMacroAssembler::Jump::linkTo):
3372         (JSC::AbstractMacroAssembler::CachedTempRegister::CachedTempRegister):
3373         (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDInvalidate):
3374         (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDNoInvalidate):
3375         (JSC::AbstractMacroAssembler::CachedTempRegister::value):
3376         (JSC::AbstractMacroAssembler::CachedTempRegister::setValue):
3377         (JSC::AbstractMacroAssembler::CachedTempRegister::invalidate):
3378         (JSC::AbstractMacroAssembler::invalidateAllTempRegisters):
3379         (JSC::AbstractMacroAssembler::isTempRegisterValid):
3380         (JSC::AbstractMacroAssembler::clearTempRegisterValid):
3381         (JSC::AbstractMacroAssembler::setTempRegisterValid):
3382         * assembler/LinkBuffer.cpp:
3383         (JSC::LinkBuffer::copyCompactAndLinkCode):
3384         (JSC::LinkBuffer::linkCode):
3385         * assembler/LinkBuffer.h:
3386         * assembler/MacroAssembler.h:
3387         (JSC::MacroAssembler::isPtrAlignedAddressOffset):
3388         (JSC::MacroAssembler::pushToSave):
3389         (JSC::MacroAssembler::popToRestore):
3390         (JSC::MacroAssembler::patchableBranchTest32):
3391         * assembler/MacroAssemblerARM64.h: Added.
3392         * assembler/MacroAssemblerARMv7.h:
3393         * dfg/DFGFixupPhase.cpp:
3394         (JSC::DFG::FixupPhase::fixupNode):
3395         * dfg/DFGOSRExitCompiler32_64.cpp:
3396         (JSC::DFG::OSRExitCompiler::compileExit):
3397         * dfg/DFGOSRExitCompiler64.cpp:
3398         (JSC::DFG::OSRExitCompiler::compileExit):
3399         * dfg/DFGSpeculativeJIT.cpp:
3400         (JSC::DFG::SpeculativeJIT::compileArithDiv):
3401         (JSC::DFG::SpeculativeJIT::compileArithMod):
3402         * disassembler/ARM64/A64DOpcode.cpp: Added.
3403         * disassembler/ARM64/A64DOpcode.h: Added.
3404         * disassembler/ARM64Disassembler.cpp: Added.
3405         * heap/MachineStackMarker.cpp:
3406         (JSC::getPlatformThreadRegisters):
3407         (JSC::otherThreadStackPointer):
3408         * heap/Region.h:
3409         * jit/AssemblyHelpers.h:
3410         (JSC::AssemblyHelpers::debugCall):
3411         * jit/CCallHelpers.h:
3412         * jit/ExecutableAllocator.h:
3413         * jit/FPRInfo.h:
3414         (JSC::FPRInfo::toRegister):
3415         (JSC::FPRInfo::toIndex):
3416         (JSC::FPRInfo::debugName):
3417         * jit/GPRInfo.h:
3418         (JSC::GPRInfo::toRegister):
3419         (JSC::GPRInfo::toIndex):
3420         (JSC::GPRInfo::debugName):
3421         * jit/JITInlines.h:
3422         (JSC::JIT::restoreArgumentReferenceForTrampoline):
3423         * jit/JITOperationWrappers.h:
3424         * jit/JITOperations.cpp:
3425         * jit/JITStubs.cpp:
3426         (JSC::performPlatformSpecificJITAssertions):
3427         (JSC::tryCachePutByID):
3428         * jit/JITStubs.h:
3429         (JSC::JITStackFrame::returnAddressSlot):
3430         * jit/JITStubsARM64.h: Added.
3431         * jit/JSInterfaceJIT.h:
3432         * jit/Repatch.cpp:
3433         (JSC::emitRestoreScratch):
3434         (JSC::generateProtoChainAccessStub):
3435         (JSC::tryCacheGetByID):
3436         (JSC::emitPutReplaceStub):
3437         (JSC::tryCachePutByID):
3438         (JSC::tryRepatchIn):
3439         * jit/ScratchRegisterAllocator.h:
3440         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
3441         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
3442         * jit/ThunkGenerators.cpp:
3443         (JSC::nativeForGenerator):
3444         (JSC::floorThunkGenerator):
3445         (JSC::ceilThunkGenerator):
3446         * jsc.cpp:
3447         (main):
3448         * llint/LLIntOfflineAsmConfig.h:
3449         * llint/LLIntSlowPaths.cpp:
3450         (JSC::LLInt::handleHostCall):
3451         * llint/LowLevelInterpreter.asm:
3452         * llint/LowLevelInterpreter64.asm:
3453         * offlineasm/arm.rb:
3454         * offlineasm/arm64.rb: Added.
3455         * offlineasm/backends.rb:
3456         * offlineasm/instructions.rb:
3457         * offlineasm/risc.rb:
3458         * offlineasm/transform.rb:
3459         * yarr/YarrJIT.cpp:
3460         (JSC::Yarr::YarrGenerator::alignCallFrameSizeInBytes):
3461         (JSC::Yarr::YarrGenerator::initCallFrame):
3462         (JSC::Yarr::YarrGenerator::removeCallFrame):
3463         (JSC::Yarr::YarrGenerator::generateEnter):
3464         * yarr/YarrJIT.h:
3465
3466 2013-10-15  Mark Lam  <mark.lam@apple.com>
3467
3468         Fix 3 operand sub operation in C loop LLINT.
3469         https://bugs.webkit.org/show_bug.cgi?id=122866.
3470
3471         Reviewed by Geoffrey Garen.
3472
3473         * offlineasm/cloop.rb:
3474
3475 2013-10-15  Mark Hahnenberg  <mhahnenberg@apple.com>
3476
3477         ObjCCallbackFunctionImpl shouldn't store a JSContext
3478         https://bugs.webkit.org/show_bug.cgi?id=122531
3479
3480         Reviewed by Geoffrey Garen.
3481
3482         The m_context field in ObjCCallbackFunctionImpl is vestigial and is only incidentally correct 
3483         in the common case. It's also no longer necessary in that we can look up the current JSContext 
3484         by using the globalObject of the callee when the function callback is invoked.
3485  
3486         Also added a new test that would cause us to crash previously. The test required making 
3487         JSContextGetGlobalContext public API so that clients can obtain a JSContext from the JSContextRef
3488         in C API callbacks.
3489
3490         * API/JSContextRef.h:
3491         * API/JSContextRefPrivate.h:
3492         * API/ObjCCallbackFunction.mm:
3493         (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
3494         (JSC::objCCallbackFunctionCallAsFunction):
3495         (objCCallbackFunctionForInvocation):
3496         * API/WebKitAvailability.h:
3497         * API/tests/CurrentThisInsideBlockGetterTest.h: Added.
3498         * API/tests/CurrentThisInsideBlockGetterTest.mm: Added.
3499         (CallAsConstructor):
3500         (ConstructorFinalize):
3501         (ConstructorClass):
3502         (+[JSValue valueWithConstructorDescriptor:inContext:]):
3503         (-[JSContext valueWithConstructorDescriptor:]):
3504         (currentThisInsideBlockGetterTest):
3505         * API/tests/testapi.mm:
3506         * JavaScriptCore.xcodeproj/project.pbxproj:
3507         * debugger/Debugger.cpp: Had to add some fully qualified names to avoid conflicts with Mac OS X headers.
3508
3509 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
3510
3511         Fix build after r157457 for architectures with 4 argument registers.
3512         https://bugs.webkit.org/show_bug.cgi?id=122860
3513
3514         Reviewed by Michael Saboff.
3515
3516         * jit/CCallHelpers.h:
3517         (JSC::CCallHelpers::setupStubArguments134):
3518
3519 2013-10-14  Michael Saboff  <msaboff@apple.com>
3520
3521         transition void cti_op_* methods to JIT operations.
3522         https://bugs.webkit.org/show_bug.cgi?id=122617
3523
3524         Reviewed by Geoffrey Garen.
3525
3526         Converted the following stubs to JIT operations:
3527             cti_handle_watchdog_timer
3528             cti_op_debug
3529             cti_op_pop_scope
3530             cti_op_profile_did_call
3531             cti_op_profile_will_call
3532             cti_op_put_by_index
3533             cti_op_put_getter_setter
3534             cti_op_tear_off_activation
3535             cti_op_tear_off_arguments
3536             cti_op_throw_static_error
3537             cti_optimize
3538
3539         * dfg/DFGOperations.cpp:
3540         * dfg/DFGOperations.h:
3541         * jit/CCallHelpers.h:
3542         (JSC::CCallHelpers::setupArgumentsWithExecState):
3543         (JSC::CCallHelpers::setupThreeStubArgsGPR):
3544         (JSC::CCallHelpers::setupStubArguments):
3545         (JSC::CCallHelpers::setupStubArguments134):
3546         * jit/JIT.cpp:
3547         (JSC::JIT::emitEnterOptimizationCheck):
3548         * jit/JIT.h:
3549         * jit/JITInlines.h:
3550         (JSC::JIT::callOperation):
3551         * jit/JITOpcodes.cpp:
3552         (JSC::JIT::emit_op_tear_off_activation):
3553         (JSC::JIT::emit_op_tear_off_arguments):
3554         (JSC::JIT::emit_op_push_with_scope):
3555         (JSC::JIT::emit_op_pop_scope):
3556         (JSC::JIT::emit_op_push_name_scope):
3557         (JSC::JIT::emit_op_throw_static_error):
3558         (JSC::JIT::emit_op_debug):
3559         (JSC::JIT::emit_op_profile_will_call):
3560         (JSC::JIT::emit_op_profile_did_call):
3561         (JSC::JIT::emitSlow_op_loop_hint):
3562         * jit/JITOpcodes32_64.cpp:
3563         (JSC::JIT::emit_op_push_with_scope):
3564         (JSC::JIT::emit_op_pop_scope):
3565         (JSC::JIT::emit_op_push_name_scope):
3566         (JSC::JIT::emit_op_throw_static_error):
3567         (JSC::JIT::emit_op_debug):
3568         (JSC::JIT::emit_op_profile_will_call):
3569         (JSC::JIT::emit_op_profile_did_call):
3570         * jit/JITOperations.cpp:
3571         * jit/JITOperations.h:
3572         * jit/JITPropertyAccess.cpp:
3573         (JSC::JIT::emit_op_put_by_index):
3574         (JSC::JIT::emit_op_put_getter_setter):
3575         * jit/JITPropertyAccess32_64.cpp:
3576         (JSC::JIT::emit_op_put_by_index):
3577         (JSC::JIT::emit_op_put_getter_setter):
3578         * jit/JITStubs.cpp:
3579         * jit/JITStubs.h:
3580
3581 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
3582
3583         [sh4] Introduce const pools in LLINT.
3584         https://bugs.webkit.org/show_bug.cgi?id=122746
3585
3586         Reviewed by Michael Saboff.
3587
3588         In the current implementation of LLINT for sh4, immediate values outside the range -128..127 are
3589         loaded this way:
3590
3591             mov.l .label, rx
3592             bra out
3593             nop
3594             .balign 4
3595             .label: .long immvalue
3596             out:
3597
3598         This change introduces const pools for sh4 implementation to avoid lots of useless branches
3599         and reduce code size. It also removes lines of dirty code, like jmpf and callf.
3600
3601         * offlineasm/instructions.rb: Remove jmpf and callf sh4 specific instructions.
3602         * offlineasm/sh4.rb:
3603
3604 2013-10-15  Mark Lam  <mark.lam@apple.com>
3605
3606         Fix broken C Loop LLINT build.
3607         https://bugs.webkit.org/show_bug.cgi?id=122839.
3608
3609         Reviewed by Michael Saboff.
3610
3611         * dfg/DFGFlushedAt.cpp:
3612         * jit/JITOperations.h:
3613
3614 2013-10-14  Mark Lam  <mark.lam@apple.com>
3615
3616         Transition *switch* and *scope* JITStubs to JIT operations.
3617         https://bugs.webkit.org/show_bug.cgi?id=122757.
3618
3619         Reviewed by Geoffrey Garen.
3620
3621         Transitioning:
3622             cti_op_switch_char
3623             cti_op_switch_imm
3624             cti_op_switch_string
3625             cti_op_resolve_scope
3626             cti_op_get_from_scope
3627             cti_op_put_to_scope
3628
3629         * jit/JIT.h:
3630         * jit/JITInlines.h:
3631         (JSC::JIT::callOperation):
3632         * jit/JITOpcodes.cpp:
3633         (JSC::JIT::emit_op_switch_imm):
3634         (JSC::JIT::emit_op_switch_char):
3635         (JSC::JIT::emit_op_switch_string):
3636         * jit/JITOpcodes32_64.cpp:
3637         (JSC::JIT::emit_op_switch_imm):
3638         (JSC::JIT::emit_op_switch_char):
3639         (JSC::JIT::emit_op_switch_string):
3640         * jit/JITOperations.cpp:
3641         * jit/JITOperations.h:
3642         * jit/JITPropertyAccess.cpp:
3643         (JSC::JIT::emitSlow_op_resolve_scope):
3644         (JSC::JIT::emitSlow_op_get_from_scope):
3645         (JSC::JIT::emitSlow_op_put_to_scope):
3646         * jit/JITPropertyAccess32_64.cpp:
3647         (JSC::JIT::emitSlow_op_resolve_scope):
3648         (JSC::JIT::emitSlow_op_get_from_scope):
3649         (JSC::JIT::emitSlow_op_put_to_scope):
3650         * jit/JITStubs.cpp:
3651         * jit/JITStubs.h:
3652
3653 2013-10-14  Filip Pizlo  <fpizlo@apple.com>
3654
3655         DFG PutById IC should use the ConcurrentJITLocker since it's now dealing with ICs that get read by the compiler thread
3656         https://bugs.webkit.org/show_bug.cgi?id=122786
3657
3658         Reviewed by Mark Hahnenberg.
3659
3660         * bytecode/CodeBlock.cpp:
3661         (JSC::CodeBlock::resetStub): Resetting a stub should acquire the lock since this is observable from the thread; but we should only acquire the lock if we're resetting outside of GC.
3662         * jit/Repatch.cpp:
3663         (JSC::repatchPutByID): Doing the PutById patching should hold the lock.
3664         (JSC::buildPutByIdList): Ditto.
3665
3666 2013-10-14  Nadav Rotem  <nrotem@apple.com>
3667
3668         Add FTL support for LogicalNot(string)
3669         https://bugs.webkit.org/show_bug.cgi?id=122765
3670
3671         Reviewed by Filip Pizlo.
3672
3673         This patch is tested by:
3674         regress/script-tests/emscripten-cube2hash.js.ftl-eager
3675
3676         * ftl/FTLCapabilities.cpp:
3677         (JSC::FTL::canCompile):
3678         * ftl/FTLLowerDFGToLLVM.cpp:
3679         (JSC::FTL::LowerDFGToLLVM::compileLogicalNot):
3680
3681 2013-10-14  Julien Brianceau  <jbriance@cisco.com>
3682
3683         [sh4] Fixes after r157404 and r157411.
3684         https://bugs.webkit.org/show_bug.cgi?id=122782
3685
3686         Reviewed by Michael Saboff.
3687
3688         * dfg/DFGSpeculativeJIT.h:
3689         (JSC::DFG::SpeculativeJIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG.
3690         * jit/CCallHelpers.h:
3691         (JSC::CCallHelpers::setupArgumentsWithExecState):
3692         * jit/JITInlines.h:
3693         (JSC::JIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG.
3694         * jit/JITPropertyAccess32_64.cpp:
3695         (JSC::JIT::emit_op_put_by_id): Remove unwanted BEGIN_UNINTERRUPTED_SEQUENCE.
3696
3697 2013-10-14  Commit Queue  <commit-queue@webkit.org>
3698
3699         Unreviewed, rolling out r157413.
3700         http://trac.webkit.org/changeset/157413
3701         https://bugs.webkit.org/show_bug.cgi?id=122779
3702
3703         Appears to have caused frequent crashes (Requested by ap on
3704         #webkit).
3705
3706         * CMakeLists.txt:
3707         * GNUmakefile.list.am:
3708         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3709         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3710         * JavaScriptCore.xcodeproj/project.pbxproj:
3711         * heap/DeferGC.cpp: Removed.
3712         * heap/DeferGC.h:
3713         * jit/JITStubs.cpp:
3714         (JSC::tryCacheGetByID):
3715         (JSC::DEFINE_STUB_FUNCTION):
3716         * llint/LLIntSlowPaths.cpp:
3717         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3718         * runtime/ConcurrentJITLock.h:
3719         * runtime/InitializeThreading.cpp:
3720         (JSC::initializeThreadingOnce):
3721         * runtime/JSCellInlines.h:
3722         (JSC::allocateCell):
3723         * runtime/Structure.cpp:
3724         (JSC::Structure::materializePropertyMap):
3725         (JSC::Structure::putSpecificValue):
3726         (JSC::Structure::createPropertyMap):
3727         * runtime/Structure.h:
3728
3729 2013-10-14  Mark Hahnenberg  <mhahnenberg@apple.com>
3730
3731         COLLECT_ON_EVERY_ALLOCATION causes assertion failures
3732         https://bugs.webkit.org/show_bug.cgi?id=122652
3733
3734         Reviewed by Filip Pizlo.
3735
3736         COLLECT_ON_EVERY_ALLOCATION wasn't accounting for the new GC deferral mechanism,
3737         so we would end up ASSERTing during garbage collection.
3738
3739         * heap/MarkedAllocator.cpp:
3740         (JSC::MarkedAllocator::allocateSlowCase):
3741
3742 2013-10-11  Oliver Hunt  <oliver@apple.com>
3743
3744         Separate out array iteration intrinsics
3745         https://bugs.webkit.org/show_bug.cgi?id=122656
3746
3747         Reviewed by Michael Saboff.
3748
3749         Separate out the intrinsics for key and values iteration
3750         of arrays.
3751
3752         This requires moving array iteration into the iterator
3753         instance, rather than the prototype, but this is essentially
3754         unobservable so we'll live with it for now.
3755
3756         * jit/ThunkGenerators.cpp:
3757         (JSC::arrayIteratorNextThunkGenerator):
3758         (JSC::arrayIteratorNextKeyThunkGenerator):
3759         (JSC::arrayIteratorNextValueThunkGenerator):
3760         * jit/ThunkGenerators.h:
3761         * runtime/ArrayIteratorPrototype.cpp:
3762         (JSC::ArrayIteratorPrototype::finishCreation):
3763         * runtime/Intrinsic.h:
3764         * runtime/JSArrayIterator.cpp:
3765         (JSC::JSArrayIterator::finishCreation):
3766         (JSC::createIteratorResult):
3767         (JSC::arrayIteratorNext):
3768         (JSC::arrayIteratorNextKey):
3769         (JSC::arrayIteratorNextValue):
3770         (JSC::arrayIteratorNextGeneric):
3771         * runtime/VM.cpp:
3772         (JSC::thunkGeneratorForIntrinsic):
3773
3774 2013-10-11  Mark Hahnenberg  <mhahnenberg@apple.com>
3775
3776         llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
3777         https://bugs.webkit.org/show_bug.cgi?id=122667
3778
3779         Reviewed by Filip Pizlo.
3780
3781         The issue this patch is attempting to fix is that there are places in our codebase
3782         where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
3783         operations that can initiate a garbage collection. Garbage collection then calls 
3784         some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
3785         always necessarily run during garbage collection). This causes a deadlock.
3786
3787         To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores 
3788         into a thread-local field that indicates that it is unsafe to perform any operation 
3789         that could trigger garbage collection on the current thread. In debug builds, 
3790         ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly 
3791         detect deadlocks.
3792
3793         This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
3794         which uses the DeferGC mechanism to prevent collections from occurring while the 
3795         lock is held.
3796
3797         * CMakeLists.txt:
3798         * GNUmakefile.list.am:
3799         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3800         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3801         * JavaScriptCore.xcodeproj/project.pbxproj:
3802         * heap/DeferGC.cpp: Added.
3803         * heap/DeferGC.h:
3804         (JSC::DisallowGC::DisallowGC):
3805         (JSC::DisallowGC::~DisallowGC):
3806         (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
3807         (JSC::DisallowGC::initialize):
3808         * jit/JITStubs.cpp:
3809         (JSC::tryCachePutByID):
3810         (JSC::tryCacheGetByID):
3811         (JSC::DEFINE_STUB_FUNCTION):
3812         * llint/LLIntSlowPaths.cpp:
3813         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3814         * runtime/ConcurrentJITLock.h:
3815         (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
3816         (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
3817         (JSC::ConcurrentJITLockerBase::unlockEarly):
3818         (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
3819         (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
3820         * runtime/InitializeThreading.cpp:
3821         (JSC::initializeThreadingOnce):
3822         * runtime/JSCellInlines.h:
3823         (JSC::allocateCell):
3824         * runtime/Structure.cpp:
3825         (JSC::Structure::materializePropertyMap):
3826         (JSC::Structure::putSpecificValue):
3827         (JSC::Structure::createPropertyMap):
3828         * runtime/Structure.h:
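
The deadlock and the two guards described above, as an added toy model that is not JSC's DeferGC.h or ConcurrentJITLock.h. It assumes a std::mutex standing in for the real lock, a Heap that counts collections instead of running them, and an allocateCell whose GC attempt is what would re-take the lock.

```cpp
#include <mutex>
// Toy model of the DisallowGC / DeferGC / locker interplay described above. Constructed
// for illustration: the names follow the ChangeLog, but the code is not JSC's.
static thread_local unsigned gcDisallowDepth = 0;   // "GC is unsafe on this thread" marker
struct DisallowGC {                                  // RAII: forbid GC while alive
    DisallowGC() { ++gcDisallowDepth; }
    ~DisallowGC() { --gcDisallowDepth; }
    static bool isGCDisallowedOnCurrentThread() { return gcDisallowDepth > 0; }
};
// deferDepth: DeferGC nesting; collectionPending: a GC asked for while deferred.
struct Heap { unsigned deferDepth = 0; bool collectionPending = false; unsigned collections = 0; };

struct DeferGC {                                     // RAII: postpone GC while alive
    Heap& heap;
    explicit DeferGC(Heap& h) : heap(h) { ++heap.deferDepth; }
    ~DeferGC() {                                     // outermost DeferGC runs the pending GC
        if (--heap.deferDepth == 0 && heap.collectionPending) { heap.collectionPending = false; ++heap.collections; }
    }
};

struct CodeBlock { std::mutex lock; };               // stand-in for ConcurrentJITLock
// Debug-build locker: holding the lock also marks GC as forbidden, so a GC attempted
// underneath it is reported at once instead of deadlocking on the same lock.
struct ConcurrentJITLocker {
    std::lock_guard<std::mutex> guard;
    DisallowGC disallow;
    explicit ConcurrentJITLocker(CodeBlock& cb) : guard(cb.lock) {}
};

struct GCSafeConcurrentJITLocker {                   // defer collections, then take the lock
    DeferGC defer;
    std::lock_guard<std::mutex> guard;
    GCSafeConcurrentJITLocker(Heap& h, CodeBlock& cb) : defer(h), guard(cb.lock) {}
};
enum class Alloc { Ok, Deferred, WouldDeadlock };
// Allocation that wants a collection. A real GC re-takes the CodeBlock lock, which is
// the deadlock when the allocating thread already holds it.
Alloc allocateCell(Heap& heap, bool wantsCollection) {
    if (!wantsCollection) return Alloc::Ok;
    if (heap.deferDepth) { heap.collectionPending = true; return Alloc::Deferred; }
    if (DisallowGC::isGCDisallowedOnCurrentThread()) return Alloc::WouldDeadlock; // JSC: ASSERT
    ++heap.collections;
    return Alloc::Ok;
}

Alloc allocateUnderPlainLocker(Heap& heap, CodeBlock& cb) {
    ConcurrentJITLocker locker(cb);
    return allocateCell(heap, true);                 // caught: would have deadlocked
}

Alloc allocateUnderGCSafeLocker(Heap& heap, CodeBlock& cb) {
    GCSafeConcurrentJITLocker locker(heap, cb);
    return allocateCell(heap, true);                 // deferred; GC runs once the lock drops
}
```

Because the GC-safe locker's DeferGC is declared before its lock guard, it is destroyed after it, so the deferred collection runs only once the lock has been released.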
3829
3830 2013-10-14  Filip Pizlo  <fpizlo@apple.com>
3831
3832         Baseline JIT should use the DFG's PutById IC
3833         https://bugs.webkit.org/show_bug.cgi?id=122704
3834
3835         Reviewed by Mark Hahnenberg.
3836         
3837         Mostly no big deal, just removing the old Baseline JIT's put_by_id IC support and forcing
3838         that JIT to use the DFG's (i.e. JITOperations) PutById IC.
3839         
3840         The only complicated part was that the PutById operations assumed that we first did a
3841         cell speculation, which the baseline JIT obviously won't do. So I changed all of those
3842         slow paths to deal with EncodedJSValue's.
3843
3844         * bytecode/CodeBlock.cpp:
3845         (JSC::CodeBlock::resetStubInternal):
3846         * bytecode/PutByIdStatus.cpp:
3847         (JSC::PutByIdStatus::computeFor):
3848         * dfg/DFGSpeculativeJIT.h:
3849         (JSC::DFG::SpeculativeJIT::callOperation):
3850         * dfg/DFGSpeculativeJIT32_64.cpp:
3851         (JSC::DFG::SpeculativeJIT::cachedPutById):
3852         * dfg/DFGSpeculativeJIT64.cpp:
3853         (JSC::DFG::SpeculativeJIT::cachedPutById):
3854         * jit/CCallHelpers.h:
3855         (JSC::CCallHelpers::setupArgumentsWithExecState):
3856         * jit/JIT.cpp:
3857         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
3858         * jit/JIT.h:
3859         (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
3860         (JSC::PropertyStubCompilationInfo::slowCaseInfo):
3861         * jit/JITInlines.h:
3862         (JSC::JIT::callOperation):
3863         * jit/JITOperationWrappers.h:
3864         * jit/JITOperations.cpp:
3865         * jit/JITOperations.h:
3866         * jit/JITPropertyAccess.cpp:
3867         (JSC::JIT::compileGetByIdHotPath):
3868         (JSC::JIT::compileGetByIdSlowCase):
3869         (JSC::JIT::emit_op_put_by_id):
3870         (JSC::JIT::emitSlow_op_put_by_id):
3871         * jit/JITPropertyAccess32_64.cpp:
3872         (JSC::JIT::compileGetByIdSlowCase):
3873         (JSC::JIT::emit_op_put_by_id):
3874         (JSC::JIT::emitSlow_op_put_by_id):
3875         * jit/JITStubs.cpp:
3876         * jit/JITStubs.h:
3877         * jit/Repatch.cpp:
3878         (JSC::appropriateGenericPutByIdFunction):
3879         (JSC::appropriateListBuildingPutByIdFunction):
3880         (JSC::resetPutByID):
3881
3882 2013-10-13  Filip Pizlo  <fpizlo@apple.com>
3883
3884         FTL should have an inefficient but correct implementation of GetById
3885         https://bugs.webkit.org/show_bug.cgi?id=122740
3886
3887         Reviewed by Mark Hahnenberg.
3888         
3889         It took some effort to realize that the node->prediction() check in the DFG backends
3890         is completely unnecessary since the ByteCodeParser will always insert a ForceOSRExit
3891         if !prediction.
3892         
3893         But other than that this was an easy patch.
3894
3895         * dfg/DFGByteCodeParser.cpp:
3896         (JSC::DFG::ByteCodeParser::handleGetById):
3897         * dfg/DFGSpeculativeJIT32_64.cpp:
3898         (JSC::DFG::SpeculativeJIT::compile):
3899         * dfg/DFGSpeculativeJIT64.cpp:
3900         (JSC::DFG::SpeculativeJIT::compile):
3901         * ftl/FTLCapabilities.cpp:
3902         (JSC::FTL::canCompile):
3903         * ftl/FTLIntrinsicRepository.h:
3904         * ftl/FTLLowerDFGToLLVM.cpp:
3905         (JSC::FTL::LowerDFGToLLVM::compileNode):
3906         (JSC::FTL::LowerDFGToLLVM::compileGetById):
3907
3908 2013-10-13  Mark Lam  <mark.lam@apple.com>
3909
3910         Transition misc cti_op_* JITStubs to JIT operations.
3911         https://bugs.webkit.org/show_bug.cgi?id=122645.
3912
3913         Reviewed by Michael Saboff.
3914
3915         Stubs converted:
3916             cti_op_check_has_instance
3917             cti_op_create_arguments
3918             cti_op_del_by_id
3919             cti_op_instanceof
3920             cti_to_object
3921             cti_op_push_activation
3922             cti_op_get_pnames
3923             cti_op_load_varargs
3924
3925         * dfg/DFGOperations.cpp:
3926         * dfg/DFGOperations.h:
3927         * jit/CCallHelpers.h:
3928         (JSC::CCallHelpers::setupArgumentsWithExecState):
3929         * jit/JIT.h:
3930         (JSC::JIT::emitStoreCell):
3931         * jit/JITCall.cpp:
3932         (JSC::JIT::compileLoadVarargs):
3933         * jit/JITCall32_64.cpp:
3934         (JSC::JIT::compileLoadVarargs):
3935         * jit/JITInlines.h:
3936         (JSC::JIT::callOperation):
3937         * jit/JITOpcodes.cpp:
3938         (JSC::JIT::emit_op_get_pnames):
3939         (JSC::JIT::emit_op_create_activation):
3940         (JSC::JIT::emit_op_create_arguments):
3941         (JSC::JIT::emitSlow_op_check_has_instance):
3942         (JSC::JIT::emitSlow_op_instanceof):
3943         (JSC::JIT::emitSlow_op_get_argument_by_val):
3944         * jit/JITOpcodes32_64.cpp:
3945         (JSC::JIT::emitSlow_op_check_has_instance):
3946         (JSC::JIT::emitSlow_op_instanceof):
3947         (JSC::JIT::emit_op_get_pnames):
3948         (JSC::JIT::emit_op_create_activation):
3949         (JSC::JIT::emit_op_create_arguments):
3950         (JSC::JIT::emitSlow_op_get_argument_by_val):
3951         * jit/JITOperations.cpp:
3952         * jit/JITOperations.h:
3953         * jit/JITPropertyAccess.cpp:
3954         (JSC::JIT::emit_op_del_by_id):
3955         * jit/JITPropertyAccess32_64.cpp:
3956         (JSC::JIT::emit_op_del_by_id):
3957         * jit/JITStubs.cpp:
3958         * jit/JITStubs.h:
3959
3960 2013-10-13  Filip Pizlo  <fpizlo@apple.com>
3961
3962         FTL OSR exit should perform zero extension on values smaller than 64-bit
3963         https://bugs.webkit.org/show_bug.cgi?id=122688
3964
3965         Reviewed by Gavin Barraclough.
3966         
3967         In the DFG we usually make the simplistic assumption that a 32-bit value in a 64-bit
3968         register will have zeros on the high bits.  In the few cases where the high bits are
3969         non-zero, the DFG sort of tells us this explicitly.
3970
3971         But when working with llvm.webkit.stackmap, it doesn't work that way.  Consider that we might
3972         emit LLVM IR like:
3973
3974             %2 = trunc i64 %1 to i32
3975             stuff %2
3976             call @llvm.webkit.stackmap(...., %2)
3977
3978         LLVM may never actually emit a truncation instruction of any kind.  And that's great - in
3979         many cases it won't be needed, like if 'stuff %2' is a 32-bit op that ignores the high
3980         bits anyway.  Hence LLVM may tell us that %2 is in the register that still had the value
3981         from before truncation, and that register may have garbage in the high bits.
3982
3983         This means that on our end, if we want a 32-bit value and we want that value to be
3984         zero-extended, we should zero-extend it ourselves.  This is pretty easy and should be
3985         cheap, so we should just do it and not make it a requirement that LLVM does it on its
3986         end.
3987         
3988         This makes all tests pass with JSC_ftlOSRExitUsesStackmap=true.
3989
3990         * ftl/FTLOSRExitCompiler.cpp:
3991         (JSC::FTL::compileStubWithOSRExitStackmap):
3992         * ftl/FTLValueFormat.cpp:
3993         (JSC::FTL::reboxAccordingToFormat):