[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Windows.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Windows.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addFrequentExitSite):

2013-10-29  Filip Pizlo  <fpizlo@apple.com>

        Add InvalidationPoints to the DFG and use them for all watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=123472

        Reviewed by Mark Hahnenberg.

        This makes a fundamental change to how watchpoints work in the DFG.

        Previously, a watchpoint was an instruction whose execution semantics were something
        like:

            if (watchpoint->invalidated)
                exit

        We would implement this without any branch by using jump replacement.

        This is a very good optimization. But it's a bit awkward once you get a lot of
        watchpoints: semantically we will have lots of these branches in the code, which the
        compiler needs to reason about even though they don't actually result in any emitted
        code.

        Separately, we also had a mechanism for jettisoning a CodeBlock. This mechanism would
        be invoked if a CodeBlock exited a lot. It would ensure that a CodeBlock wouldn't be
        called into again, but it would do nothing for CodeBlocks that were already on the
        stack.

        This change flips jettisoning and watchpoint invalidation on their heads. Now, the jump
        replacement has nothing to do with watchpoints; instead it's something that happens if
        you ever jettison a CodeBlock. Jump replacement is now an all-or-nothing operation over
        all of the potential call-return safe-exit-points in a CodeBlock. We call these
        "InvalidationPoint"s. A watchpoint instruction is now "lowered" by having the DFG
        collect all of the watchpoint sets that the CodeBlock cares about, and then registering
        a CodeBlockJettisoningWatchpoint with all of them. That is, if the watchpoint fires, it
        jettisons the CodeBlock, which in turn ensures that the CodeBlock can't be called into
        (because the entrypoint now points to baseline code) and can't be returned into
        (because returning exits to baseline before the next bytecode instruction).

        This will allow for a sensible lowering of watchpoints to LLVM IR. It will also allow
        for jettison() to be used effectively for things like breakpointing and single-stepping
        in the debugger.

        Well, basically, this mechanism just takes us into the HotSpot-style world where anyone
        can, at any time and for any reason, request that an optimized CodeBlock is rendered
        immediately invalid. You can use this for many cool things, I'm sure.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * bytecode/CodeBlock.h:
        * bytecode/CodeBlockJettisoningWatchpoint.cpp: Added.
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/CodeBlockJettisoningWatchpoint.h: Added.
        (JSC::CodeBlockJettisoningWatchpoint::CodeBlockJettisoningWatchpoint):
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp: Added.
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.h: Added.
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::ProfiledCodeBlockJettisoningWatchpoint):
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGClobberize.cpp:
        (JSC::DFG::writesOverlap):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        (JSC::DFG::AbstractHeapOverlaps::AbstractHeapOverlaps):
        (JSC::DFG::AbstractHeapOverlaps::operator()):
        (JSC::DFG::AbstractHeapOverlaps::result):
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::CommonData::invalidate):
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::CommonData):
        * dfg/DFGDesiredWatchpoints.cpp:
        (JSC::DFG::DesiredWatchpoints::addLazily):
        (JSC::DFG::DesiredWatchpoints::reallyAdd):
        * dfg/DFGDesiredWatchpoints.h:
        (JSC::DFG::WatchpointForGenericWatchpointSet::WatchpointForGenericWatchpointSet):
        (JSC::DFG::GenericDesiredWatchpoints::addLazily):
        (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
        (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGInvalidationPointInjectionPhase.cpp: Added.
        (JSC::DFG::InvalidationPointInjectionPhase::InvalidationPointInjectionPhase):
        (JSC::DFG::InvalidationPointInjectionPhase::run):
        (JSC::DFG::InvalidationPointInjectionPhase::handle):
        (JSC::DFG::InvalidationPointInjectionPhase::insertInvalidationCheck):
        (JSC::DFG::performInvalidationPointInjection):
        * dfg/DFGInvalidationPointInjectionPhase.h: Added.
        * dfg/DFGJITCode.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        * dfg/DFGJumpReplacement.cpp: Added.
        (JSC::DFG::JumpReplacement::fire):
        * dfg/DFGJumpReplacement.h: Added.
        (JSC::DFG::JumpReplacement::JumpReplacement):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRExitCompilationInfo.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::reallyAdd):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::masqueradesAsUndefinedWatchpointIsStillValid):
        (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWatchpointCollectionPhase.cpp: Added.
        (JSC::DFG::WatchpointCollectionPhase::WatchpointCollectionPhase):
        (JSC::DFG::WatchpointCollectionPhase::run):
        (JSC::DFG::WatchpointCollectionPhase::handle):
        (JSC::DFG::WatchpointCollectionPhase::handleEdge):
        (JSC::DFG::WatchpointCollectionPhase::handleMasqueradesAsUndefined):
        (JSC::DFG::WatchpointCollectionPhase::handleStringGetByVal):
        (JSC::DFG::WatchpointCollectionPhase::addLazily):
        (JSC::DFG::WatchpointCollectionPhase::globalObject):
        (JSC::DFG::performWatchpointCollection):
        * dfg/DFGWatchpointCollectionPhase.h: Added.
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileStructureTransitionWatchpoint):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::compileGlobalVarWatchpoint):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
        (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
        * jit/JITOperations.cpp:
        * jit/JumpReplacementWatchpoint.cpp: Removed.
        * jit/JumpReplacementWatchpoint.h: Removed.

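The InvalidationPoint entry above describes a control-flow contract rather than a data structure: a watchpoint no longer guards a site, it jettisons the whole CodeBlock, and jettisoning flips every invalidation point at once so that neither a fresh call nor a return from a callee can land in the now-invalid optimized code. The following C++ model is an added example and not WebKit code; the type names (WatchpointSet, CodeBlockJettisoningWatchpoint, DesiredWatchpoints) are borrowed from the entry, but their bodies, the Tier enum and the runScenario() driver are assumptions made here to show the before/after behaviour of one block whose assumption breaks while a second block that never relied on it stays live.

```cpp
// Added example, not WebKit code: a small model of watchpoint -> jettison ->
// all-or-nothing invalidation as described in the ChangeLog entry above.
#include <cstddef>
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

struct Watchpoint {
    virtual ~Watchpoint() {}
    virtual void fire() = 0;
};

// A fact the optimized code relied on (e.g. "this global was never reassigned").
// When the fact stops being true, the runtime fires the set.
struct WatchpointSet {
    bool invalidated = false;
    std::vector<Watchpoint*> watchpoints;
    void add(Watchpoint* w) { watchpoints.push_back(w); }
    void fireAll() {
        invalidated = true;
        std::vector<Watchpoint*> firing;
        firing.swap(watchpoints);     // each watchpoint fires at most once
        for (Watchpoint* w : firing)
            w->fire();
    }
};

enum class Tier { Optimized, Baseline };

// An optimized CodeBlock. Each entry of invalidationPointReplaced stands for one
// call-return safe exit point; "replaced" models the jump replacement being applied.
struct CodeBlock {
    std::string name;
    bool jettisoned = false;
    std::vector<bool> invalidationPointReplaced;

    CodeBlock(std::string n, std::size_t invalidationPoints)
        : name(std::move(n)), invalidationPointReplaced(invalidationPoints, false) {}

    // Where a fresh call into this block lands.
    Tier entryTarget() const { return jettisoned ? Tier::Baseline : Tier::Optimized; }
    // Where execution continues when a callee returns to invalidation point i.
    Tier resumeTargetAt(std::size_t i) const {
        return invalidationPointReplaced[i] ? Tier::Baseline : Tier::Optimized;
    }
    // Anyone may call this, for any reason (a fired watchpoint, a debugger, too many exits).
    void jettison() {
        if (jettisoned)
            return;
        jettisoned = true;                        // entrypoint now goes to baseline
        for (std::size_t i = 0; i < invalidationPointReplaced.size(); ++i)
            invalidationPointReplaced[i] = true;  // every return into us exits to baseline
    }
};

// The only thing a watchpoint does now: jettison the block that registered it.
struct CodeBlockJettisoningWatchpoint : Watchpoint {
    CodeBlock* codeBlock;
    explicit CodeBlockJettisoningWatchpoint(CodeBlock* cb) : codeBlock(cb) {}
    void fire() override { codeBlock->jettison(); }
};

// What the compiler collects while lowering: the sets this block depends on.
struct DesiredWatchpoints {
    std::vector<WatchpointSet*> sets;
    std::vector<std::unique_ptr<Watchpoint>> owned;
    void addLazily(WatchpointSet* s) { sets.push_back(s); }
    // Checked at link time: a set that fired mid-compile makes the result unusable.
    bool areStillValid() const {
        for (WatchpointSet* s : sets)
            if (s->invalidated)
                return false;
        return true;
    }
    void reallyAdd(CodeBlock* cb) {
        for (WatchpointSet* s : sets) {
            owned.emplace_back(new CodeBlockJettisoningWatchpoint(cb));
            s->add(owned.back().get());
        }
    }
};

struct Outcome {
    Tier entryBefore, resumeBefore, entryAfter, resumeAfter;
    bool unrelatedBlockUntouched;
};

// Constructed scenario: block A depends on two sets, block B only on one of them.
Outcome runScenario() {
    WatchpointSet structureSet, globalVarSet;
    CodeBlock a("a", 3), b("b", 1);
    DesiredWatchpoints da, db;
    da.addLazily(&structureSet);
    da.addLazily(&globalVarSet);
    db.addLazily(&globalVarSet);
    if (!da.areStillValid() || !db.areStillValid())   // would mean "do not link this compile"
        return Outcome{ Tier::Baseline, Tier::Baseline, Tier::Baseline, Tier::Baseline, false };
    da.reallyAdd(&a);
    db.reallyAdd(&b);

    Outcome o;
    o.entryBefore = a.entryTarget();
    o.resumeBefore = a.resumeTargetAt(1);
    structureSet.fireAll();        // A's assumption breaks; B never relied on this set
    o.entryAfter = a.entryTarget();
    o.resumeAfter = a.resumeTargetAt(1);
    o.unrelatedBlockUntouched = !b.jettisoned;
    return o;
}

int main() {
    Outcome o = runScenario();
    std::printf("A entry before/after: %d/%d, resume at point 1 before/after: %d/%d, B untouched: %d\n",
                (int)o.entryBefore, (int)o.entryAfter, (int)o.resumeBefore, (int)o.resumeAfter,
                (int)o.unrelatedBlockUntouched);
    return 0;
}
```

The point the model makes explicit is the one the entry relies on for correctness: because jettison() flips every invalidation point and the entrypoint together, a frame of block A that is already on the stack when structureSet fires still gets diverted to baseline at its next return, which the old per-site jump replacement could not guarantee.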
183 2013-10-25  Mark Hahnenberg  <mhahnenberg@apple.com>
184
185         JSExport doesn't support constructors
186         https://bugs.webkit.org/show_bug.cgi?id=123380
187
188         Reviewed by Geoffrey Garen.
189
190         Support for constructor-style callbacks for the Objective-C API to JSC is currently limited to 
191         Objective-C blocks. Any clients who try to call the constructor of a JSExport-ed Objective-C class 
192         are met with a type error stating that it cannot be called as a constructor.
193
194         It would be nice to expand JSExport's functionality to support this idiom. It is a natural 
195         extension to JSExport and would increase the expressiveness and simplicity in both Objective-C and 
196         JavaScript client code.
197
198         The way we'll do this is to expand the capabilities of ObjCCallbackFunction and associated classes. 
199         Instead of constructing a normal C API object for the constructor, we'll instead allocate a full-blown 
200         ObjCCallbackFunction object which can already properly handle being invoked as a constructor.
201
202         * API/JSWrapperMap.mm:
203         (copyMethodsToObject):
204         (allocateConstructorForCustomClass):
205         (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
206         (tryUnwrapObjcObject):
207         * API/ObjCCallbackFunction.h:
208         (JSC::ObjCCallbackFunction::impl):
209         * API/ObjCCallbackFunction.mm:
210         (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
211         (JSC::ObjCCallbackFunctionImpl::wrappedConstructor):
212         (JSC::ObjCCallbackFunctionImpl::isConstructible):
213         (JSC::ObjCCallbackFunction::getConstructData):
214         (JSC::ObjCCallbackFunctionImpl::name):
215         (JSC::ObjCCallbackFunctionImpl::call):
216         (objCCallbackFunctionForInvocation):
217         (objCCallbackFunctionForInit):
218         (tryUnwrapConstructor):
219         * API/tests/testapi.mm:
220         (-[TextXYZ initWithString:]):
221         (-[ClassA initWithA:]):
222         (-[ClassB initWithA:b:]):
223         (-[ClassC initWithA:]):
224         (-[ClassC initWithA:b:]):
225
226 2013-10-30  peavo@outlook.com  <peavo@outlook.com>
227
228         [Win] Compile errors when enabling DFG JIT.
229         https://bugs.webkit.org/show_bug.cgi?id=120998
230
231         Reviewed by Brent Fulgham.
232
233         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added files.
234         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
235         * dfg/DFGAllocator.h: Removed scope.
236         * dfg/DFGWorklist.cpp: Use new ThreadingOnce class instead of pthread_once.
237         (JSC::DFG::globalWorklist):
238         * heap/DeferGC.h: Link fix, member needs to be public.
239         * jit/JITOperationWrappers.h: Added required assembler macros.
240
241 2013-10-30  Iago Toral Quiroga  <itoral@igalia.com>
242
243         Add result caching for Math.cos
244         https://bugs.webkit.org/show_bug.cgi?id=123255
245
246         Reviewed by Brent Fulgham.
247
248         * runtime/MathObject.cpp:
249         (JSC::mathProtoFuncCos):
250         * runtime/VM.h:
251
252 2013-10-30  Alex Christensen  <achristensen@webkit.org>
253
254         Disabled JIT on Win64.
255         https://bugs.webkit.org/show_bug.cgi?id=122472
256
257         Reviewed by Geoffrey Garen.
258
259         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
260         Disabled building JITStubsMSVC64.
261
262 2013-10-29  Michael Saboff  <msaboff@apple.com>
263
264         Change local variable register allocation to start at offset -1
265         https://bugs.webkit.org/show_bug.cgi?id=123182
266
267         Reviewed by Geoffrey Garen.
268
269         Adjusted the virtual register mapping down by one slot.  Reduced
270         the CallFrame header slots offsets by one.  They now start at 0.
271         Changed arity fixup to no longer skip passed register slot 0 as this
272         is now part of the CallFrame header.
273
274         * bytecode/VirtualRegister.h:
275         (JSC::operandIsLocal):
276         (JSC::operandIsArgument):
277         (JSC::VirtualRegister::localToOperand):
278         (JSC::VirtualRegister::operandToLocal):
279           Adjusted functions for shift in mapping from local to register offset.
280
281         * dfg/DFGByteCodeParser.cpp:
282         (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
283         (JSC::DFG::ByteCodeParser::addCall):
284         (JSC::DFG::ByteCodeParser::handleInlining):
285         (JSC::DFG::ByteCodeParser::parseBlock):
286         * dfg/DFGVariableEventStream.cpp:
287         (JSC::DFG::VariableEventStream::reconstruct):
288         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
289         (JSC::DFG::VirtualRegisterAllocationPhase::run):
290         * interpreter/CallFrame.h:
291         (JSC::ExecState::frameExtent):
292         (JSC::ExecState::offsetFor):
293         * interpreter/Interpreter.cpp:
294         (JSC::loadVarargs):
295         (JSC::Interpreter::dumpRegisters):
296         (JSC::Interpreter::executeCall):
297         * llint/LLIntData.cpp:
298         (JSC::LLInt::Data::performAssertions):
299         * llint/LowLevelInterpreter.asm:
300           Adjusted math to accomodate for shift in call frame slots.
301
302         * dfg/DFGJITCompiler.cpp:
303         (JSC::DFG::JITCompiler::compileFunction):
304         * dfg/DFGSpeculativeJIT.h:
305         (JSC::DFG::SpeculativeJIT::calleeFrameOffset):
306         * interpreter/CallFrame.cpp:
307         (JSC::CallFrame::frameExtentInternal):
308         * interpreter/JSStackInlines.h:
309         (JSC::JSStack::pushFrame):
310         * jit/JIT.cpp:
311         (JSC::JIT::privateCompile):
312         * jit/JITOperations.cpp:
313         * llint/LLIntSlowPaths.cpp:
314         (JSC::LLInt::llint_slow_path_stack_check):
315         * runtime/CommonSlowPaths.h:
316         (JSC::CommonSlowPaths::arityCheckFor):
317           Fixed offset calculation to use VirtualRegister and related calculation instead of
318           doing seperate calculations.
319
320         * interpreter/JSStack.h:
321           Adjusted CallFrame slots down by one.  Did some miscellaneous fixing of dumpRegisters()
322           in the process of testing the fixes.
323
324         * jit/ThunkGenerators.cpp:
325         (JSC::arityFixup):
326           Changed arity fixup to no longer skip passed register slot 0 as this
327           is now part of the CallFrame header.
328
329         * llint/LowLevelInterpreter32_64.asm:
330         * llint/LowLevelInterpreter64.asm:
331           Changed arity fixup to no longer skip passed register slot 0 as this
332           is now part of the CallFrame header.  Updated op_enter processing for
333           the change in local registers.
334
335         * runtime/JSGlobalObject.h:
336           Removed the now unneeded extra slot in the global callframe
337
338 2013-10-29  Julien Brianceau  <jbriance@cisco.com>
339
340         [arm] Fix lots of crashes because of 4th argument register trampling.
341         https://bugs.webkit.org/show_bug.cgi?id=123421
342
343         Reviewed by Michael Saboff.
344
345         r3 register is the 4th argument register for ARM and also a scratch
346         register in the baseline JIT for this architecture. We can use r6
347         instead, as this used to be the timeoutCheckRegister and it is no
348         longer used since r148119.
349
350         * assembler/ARMAssembler.h: Temp register is now r6 instead of r3 for ARM.
351         * assembler/MacroAssemblerARMv7.h: Temp register is now r6 instead of r3 for ARMv7.
352         * jit/GPRInfo.h: Add r3 properly in GPRInfo for ARM.
353         (JSC::GPRInfo::toRegister):
354         (JSC::GPRInfo::toIndex):
355         * jit/JITStubsARM.h:
356         (JSC::ctiTrampoline): Remove obsolete timeoutCheckRegister init.
357         * jit/JITStubsARMv7.h:
358         (JSC::ctiTrampoline): Remove obsolete timeoutCheckRegister init.
359         * jit/JSInterfaceJIT.h: Remove useless stuff.
360         * yarr/YarrJIT.cpp: Use r3 and not the new scratch register r6.
361         (JSC::Yarr::YarrGenerator::generateEnter): r8 register doesn't need to be saved.
362         (JSC::Yarr::YarrGenerator::generateReturn):
363
364 2013-10-29  Julien Brianceau  <jbriance@cisco.com>
365
366         Fix CPU(ARM_TRADITIONAL) build after r157690.
367         https://bugs.webkit.org/show_bug.cgi?id=123247
368
369         Reviewed by Michael Saboff.
370
371         Since r157690, the executableCopy function has been removed from AssemblerBuffer.h
372         and the copy of executable code occurs in the linkCode function (in LinkBuffer.cpp).
373         As the constant pool for jumps is updated in the executableCopy function of ARM_TRADITIONAL,
374         this part of code still needs to be called and absolute jumps must be corrected to anticipate
375         the copy of the executable code through memcpy.
376
377         * assembler/ARMAssembler.cpp:
378         (JSC::ARMAssembler::prepareExecutableCopy): Rename executableCopy to prepareExecutableCopy
379         and correct absolute jump values using the delta between the source and destination buffers.
380         * assembler/ARMAssembler.h:
381         * assembler/LinkBuffer.cpp:
382         (JSC::LinkBuffer::linkCode): Call prepareExecutableCopy just before the memcpy.
383
384 2013-10-28  Filip Pizlo  <fpizlo@apple.com>
385
386         OSRExit::m_watchpointIndex should be in OSRExitCompilationInfo
387         https://bugs.webkit.org/show_bug.cgi?id=123423
388
389         Reviewed by Mark Hahnenberg.
390         
391         Also enable ExitKind to tell you if it's a watchpoint.
392
393         * bytecode/ExitKind.cpp:
394         (JSC::exitKindToString):
395         * bytecode/ExitKind.h:
396         (JSC::isWatchpoint):
397         * dfg/DFGByteCodeParser.cpp:
398         (JSC::DFG::ByteCodeParser::setLocal):
399         (JSC::DFG::ByteCodeParser::setArgument):
400         (JSC::DFG::ByteCodeParser::handleCall):
401         (JSC::DFG::ByteCodeParser::handleGetById):
402         (JSC::DFG::ByteCodeParser::parseBlock):
403         * dfg/DFGJITCompiler.cpp:
404         (JSC::DFG::JITCompiler::linkOSRExits):
405         (JSC::DFG::JITCompiler::link):
406         * dfg/DFGJITCompiler.h:
407         (JSC::DFG::JITCompiler::appendExitInfo):
408         * dfg/DFGOSRExit.cpp:
409         (JSC::DFG::OSRExit::OSRExit):
410         * dfg/DFGOSRExit.h:
411         * dfg/DFGOSRExitCompilationInfo.h:
412         (JSC::DFG::OSRExitCompilationInfo::OSRExitCompilationInfo):
413         * dfg/DFGOSRExitCompiler.cpp:
414         * dfg/DFGSpeculativeJIT.cpp:
415         (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
416         * dfg/DFGSpeculativeJIT32_64.cpp:
417         (JSC::DFG::SpeculativeJIT::compile):
418         * dfg/DFGSpeculativeJIT64.cpp:
419         (JSC::DFG::SpeculativeJIT::compile):
420
421 2013-10-28  Myles C. Maxfield  <mmaxfield@apple.com>
422
423         Parsing support for -webkit-text-decoration-skip: ink
424         https://bugs.webkit.org/show_bug.cgi?id=123358
425
426         Reviewed by Dean Jackson.
427
428         Adding ENABLE(CSS3_TEXT_DECORATION)
429
430         * Configurations/FeatureDefines.xcconfig:
431
432 2013-10-24  Filip Pizlo  <fpizlo@apple.com>
433
434         Get rid of InlineStart so that I don't have to implement it in FTL
435         https://bugs.webkit.org/show_bug.cgi?id=123302
436
437         Reviewed by Geoffrey Garen.
438         
439         InlineStart was a special instruction that we would insert at the top of inlined code,
440         so that the backend could capture the OSR state of arguments to an inlined call. It used
441         to be that only the backend had this information, so this instruction was sort of an ugly
442         callback from the backend for filling in some data structures.
443         
444         But in the time since when that code was written (two years ago?), we rationalized how
445         variables work. It's now the case that variables that the runtime must know about are
446         treated specially in IR (they are "flushed") and we know how we will represent them even
447         before we get to the backend. The last place that makes changes to their representation
448         is the StackLayoutPhase.
449         
450         So, this patch gets rid of InlineStart, but keeps around the special meta-data that the
451         instruction had. Instead of handling the bookkeeping in the backend, we handle it in
452         StackLayoutPhase. This means that the DFG and FTL can share code for handling this
453         bookkeeping. This also means that now the FTL can compile code blocks that had inlining.
454         
455         Of course, giving the FTL the ability to handle code blocks that had inlining means that
456         we're going to have new bugs. Sure enough, the FTL's linker didn't handle inline call
457         frames. This patch also fixes that.
458
459         * dfg/DFGAbstractInterpreterInlines.h:
460         (JSC::DFG::::executeEffects):
461         * dfg/DFGByteCodeParser.cpp:
462         (JSC::DFG::ByteCodeParser::handleInlining):
463         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
464         * dfg/DFGClobberize.h:
465         (JSC::DFG::clobberize):
466         * dfg/DFGFixupPhase.cpp:
467         (JSC::DFG::FixupPhase::fixupNode):
468         * dfg/DFGGraph.h:
469         * dfg/DFGNode.h:
470         * dfg/DFGNodeType.h:
471         * dfg/DFGPredictionPropagationPhase.cpp:
472         (JSC::DFG::PredictionPropagationPhase::propagate):
473         * dfg/DFGSafeToExecute.h:
474         (JSC::DFG::safeToExecute):
475         * dfg/DFGSpeculativeJIT.cpp:
476         * dfg/DFGSpeculativeJIT.h:
477         * dfg/DFGSpeculativeJIT32_64.cpp:
478         (JSC::DFG::SpeculativeJIT::compile):
479         * dfg/DFGSpeculativeJIT64.cpp:
480         (JSC::DFG::SpeculativeJIT::compile):
481         * dfg/DFGStackLayoutPhase.cpp:
482         (JSC::DFG::StackLayoutPhase::run):
483         * ftl/FTLLink.cpp:
484         (JSC::FTL::link):
485
486 2013-10-24  Filip Pizlo  <fpizlo@apple.com>
487
488         The GetById->GetByOffset AI-based optimization should actually do things
489         https://bugs.webkit.org/show_bug.cgi?id=123299
490
491         Reviewed by Oliver Hunt.
492         
493         20% speed-up on Octane/gbemu.
494
495         * bytecode/GetByIdStatus.cpp:
496         (JSC::GetByIdStatus::computeFor): Actually finish filling in the Status by setting the state. Previously it would remain set to NoInformation, meaning that this whole method was a no-op.
497
498 2013-10-28  Carlos Garcia Campos  <cgarcia@igalia.com>
499
500         Unreviewed. Fix make distcheck.
501
502         * GNUmakefile.list.am: Add missing files to compilation.
503
504 2013-10-25  Oliver Hunt  <oliver@apple.com>
505
506         Refactor parser rollback logic
507         https://bugs.webkit.org/show_bug.cgi?id=123372
508
509         Reviewed by Brady Eidson.
510
511         Add a sane abstraction for rollbacks in the parser.
512
513         * parser/Parser.cpp:
514         (JSC::::parseSourceElements):
515         (JSC::::parseObjectLiteral):
516         * parser/Parser.h:
517         (JSC::Parser::createSavePoint):
518         (JSC::Parser::restoreSavePoint):
519
520 2013-10-25  peavo@outlook.com  <peavo@outlook.com>
521
522         [Win] Javascript crash with DFG JIT enabled.
523         https://bugs.webkit.org/show_bug.cgi?id=121001
524
525         Reviewed by Geoffrey Garen.
526
527         On windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0)),
528         results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
529         where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
530         This causes the register to be written to address 0, hence the crash.
531   
532         * assembler/MacroAssemblerX86.h:
533         (JSC::MacroAssemblerX86::storeDouble): Assert if we try to generate code which writes to a null pointer.
534         * dfg/DFGOSRExitCompiler32_64.cpp:
535         (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
536         * dfg/DFGThunks.cpp:
537         (JSC::DFG::osrExitGenerationThunkGenerator): Ditto.
538
539 2013-10-25  Oliver Hunt  <oliver@apple.com>
540
541         Fix a number of problems with destructuring of arguments
542         https://bugs.webkit.org/show_bug.cgi?id=123357
543
544         Reviewed by Filip Pizlo.
545
546         This renames the destructuring node's emitBytecode to bindValue
547         in order to remove the existing confusion over what was happening.
548
549         We then fix an incorrect fall through in the destructuring arguments
550         logic, and fix the then exposed bug where we placed the index rather
551         than value into the bound property.
552
553         * bytecompiler/BytecodeGenerator.cpp:
554         (JSC::BytecodeGenerator::BytecodeGenerator):
555         * bytecompiler/NodesCodegen.cpp:
556         (JSC::ForInNode::emitBytecode):
557         (JSC::ForOfNode::emitBytecode):
558         (JSC::DeconstructingAssignmentNode::emitBytecode):
559         (JSC::ArrayPatternNode::bindValue):
560         (JSC::ArrayPatternNode::emitDirectBinding):
561         (JSC::ObjectPatternNode::bindValue):
562         (JSC::BindingNode::bindValue):
563         * parser/Nodes.h:
564
565 2013-10-25  Joseph Pecoraro  <pecoraro@apple.com>
566
567         Upstream ENABLE(REMOTE_INSPECTOR) and enable on iOS and Mac
568         https://bugs.webkit.org/show_bug.cgi?id=123111
569
570         Reviewed by Timothy Hatcher.
571
572         * Configurations/FeatureDefines.xcconfig:
573
574 2013-10-25  Oliver Hunt  <oliver@apple.com>
575
576         Fix MSVC again
577
578         * parser/Parser.cpp:
579
580 2013-10-25  Oliver Hunt  <oliver@apple.com>
581
582         Fix MSVC
583
584         * parser/Parser.cpp:
585
586 2013-10-25  Oliver Hunt  <oliver@apple.com>
587
588         Improve JSC Parser error messages
589         https://bugs.webkit.org/show_bug.cgi?id=123341
590
591         Reviewed by Andreas Kling.
592
593         This patch moves away from the current cludgy mechanisms used to produce
594         error messages and moves to something closer to case by case errors.
595
596         This results in a large change size as previously we may just have
597         'failIfFalse(foo)', but now the logic becomes either
598         'failIfFalseWithMessage(foo, "Cannot do blah with ", foo->thing())'
599         Or alternatively
600
601         if (!foo)
602             check for 'interesting' errors, before falling back to generic error
603
604         This means that this patch is large, but produces no semantic changes, and
605         only hits slow (e.g. error) paths.
606
607         * parser/Parser.cpp:
608         (JSC::::Parser):
609         (JSC::::parseSourceElements):
610         (JSC::::parseVarDeclaration):
611         (JSC::::parseConstDeclaration):
612         (JSC::::parseDoWhileStatement):
613         (JSC::::parseWhileStatement):
614         (JSC::::parseVarDeclarationList):
615         (JSC::::createBindingPattern):
616         (JSC::::parseDeconstructionPattern):
617         (JSC::::parseConstDeclarationList):
618         (JSC::::parseForStatement):
619         (JSC::::parseBreakStatement):
620         (JSC::::parseContinueStatement):
621         (JSC::::parseReturnStatement):
622         (JSC::::parseThrowStatement):
623         (JSC::::parseWithStatement):
624         (JSC::::parseSwitchStatement):
625         (JSC::::parseSwitchClauses):
626         (JSC::::parseSwitchDefaultClause):
627         (JSC::::parseTryStatement):
628         (JSC::::parseDebuggerStatement):
629         (JSC::::parseBlockStatement):
630         (JSC::::parseStatement):
631         (JSC::::parseFormalParameters):
632         (JSC::::parseFunctionBody):
633         (JSC::stringForFunctionMode):
634         (JSC::::parseFunctionInfo):
635         (JSC::::parseFunctionDeclaration):
636         (JSC::::parseExpressionOrLabelStatement):
637         (JSC::::parseExpressionStatement):
638         (JSC::::parseIfStatement):
639         (JSC::::parseExpression):
640         (JSC::::parseAssignmentExpression):
641         (JSC::::parseConditionalExpression):
642         (JSC::::parseBinaryExpression):
643         (JSC::::parseProperty):
644         (JSC::::parseObjectLiteral):
645         (JSC::::parseStrictObjectLiteral):
646         (JSC::::parseArrayLiteral):
647         (JSC::::parsePrimaryExpression):
648         (JSC::::parseArguments):
649         (JSC::::parseMemberExpression):
650         (JSC::operatorString):
651         (JSC::::parseUnaryExpression):
652         (JSC::::printUnexpectedTokenText):
653         * parser/Parser.h:
654         (JSC::Scope::hasDeclaredVariable):
655         (JSC::Scope::hasDeclaredParameter):
656         (JSC::Parser::hasDeclaredVariable):
657         (JSC::Parser::hasDeclaredParameter):
658         (JSC::Parser::setErrorMessage):
659
660 2013-10-24  Mark Rowe  <mrowe@apple.com>
661
662         Remove references to OS X 10.7 from Xcode configuration settings.
663
664         Now that we're not building for OS X 10.7 they're no longer needed.
665
666         Reviewed by Anders Carlsson.
667
668         * Configurations/Base.xcconfig:
669         * Configurations/DebugRelease.xcconfig:
670         * Configurations/FeatureDefines.xcconfig:
671         * Configurations/Version.xcconfig:
672
673 2013-10-24  Mark Rowe  <mrowe@apple.com>
674
675         <rdar://problem/15312643> Prepare for the mysterious future.
676
677         Reviewed by David Kilzer.
678
679         * Configurations/Base.xcconfig:
680         * Configurations/DebugRelease.xcconfig:
681         * Configurations/FeatureDefines.xcconfig:
682         * Configurations/Version.xcconfig:
683
684 2013-10-24  Mark Lam  <mark.lam@apple.com>
685
686         Better way to fix part of broken C Loop LLINT build.
687         https://bugs.webkit.org/show_bug.cgi?id=123271.
688
689         Reviewed by Geoffrey Garen.
690
691         Undoing offline asm hackery.
692
693         * llint/LowLevelInterpreter.cpp:
694         * llint/LowLevelInterpreter32_64.asm:
695         * llint/LowLevelInterpreter64.asm:
696         * offlineasm/cloop.rb:
697         * offlineasm/instructions.rb:
698
699 2013-10-24  Mark Lam  <mark.lam@apple.com>
700
701         Fix broken C Loop LLINT build.
702         https://bugs.webkit.org/show_bug.cgi?id=123271.
703
704         Reviewed by Michael Saboff.
705
706         * bytecode/CodeBlock.cpp:
707         (JSC::CodeBlock::printGetByIdCacheStatus): Added an UNUSED_PARAM().
708         (JSC::CodeBlock::dumpBytecode): Added #if ENABLE(JIT) to JIT only code.
709         * bytecode/GetByIdStatus.cpp:
710         (JSC::GetByIdStatus::computeFor): Added an UNUSED_PARAM().
711         * bytecode/PutByIdStatus.cpp:
712         (JSC::PutByIdStatus::computeFor): Added an UNUSED_PARAM().
713         * bytecode/StructureStubInfo.h:
714         - Added a stub StubInfoMap for non-JIT builds. StubInfoMap is still used
715           in function prototypes even when !ENABLE(JIT). Rather than adding #if's
716           in many places, we just provide a stub/placeholder implementation that
717           is unused but keeps the compiler happy.
718         * jit/JITOperations.h: Added #if ENABLE(JIT).
719         * llint/LowLevelInterpreter32_64.asm:
720         * llint/LowLevelInterpreter64.asm:
721         - The putByVal() macro reifies a slow path which is never taken in one case.
722           This translates into a label that is never used in the C Loop LLINT. The
723           C++ compiler doesn't like unused labels. So, we fix this by adding a
724           cloopUnusedLabel offline asm instruction that synthesizes the following:
725
726               if (false) goto unusedLabel;
727
728           This keeps the C++ compiler happy without changing code behavior.
729         * offlineasm/cloop.rb: Implementing cloopUnusedLabel.
730         * offlineasm/instructions.rb: Declaring cloopUnusedLabel.
731         * runtime/Executable.cpp:
732         (JSC::setupJIT): Added UNUSED_PARAM()s.
733         (JSC::ScriptExecutable::prepareForExecutionImpl):
734         - run-javascriptcore-tests has phases that force the LLINT to be off
735           which in turn asserts that the JIT is enabled. With the C Loop LLINT,
736           this combination is illegal. So, we override the setup code here to
737           always use the LLINT if !ENABLE(JIT) regardless of what options are
738           passed in.
739
740 2013-10-24  peavo@outlook.com  <peavo@outlook.com>
741
742         Uninitialized member causes crash when DFG JIT is not enabled.
743         https://bugs.webkit.org/show_bug.cgi?id=123270
744
745         Reviewed by Brent Fulgham.
746
747         The data member sizeOfLastScratchBuffer in the VM class is only initialized if DFG JIT is enabled, even though it's defined regardless.
748         This causes an early crash on Windows, which doesn't have DFG JIT enabled.
749
750         * runtime/VM.cpp:
751         (JSC::VM::VM): Initialize sizeOfLastScratchBuffer member regardless of whether DFG JIT is enabled.
752
753 2013-10-24  Ryuan Choi  <ryuan.choi@samsung.com>
754
755         [EFL] Build break with latest EFL 1.8 libraries.
756         https://bugs.webkit.org/show_bug.cgi?id=123245
757
758         Reviewed by Gyuyoung Kim.
759
760         After the build break on EFL 1.8 was fixed at r138326, EFL libraries changed the
761         Eo typedef and split the header files which contain the version macro.
762
763         * PlatformEfl.cmake: Added EO path to include directories.
764         * heap/HeapTimer.h: Changed the Ecore_Timer typedef when EO exists.
765
766 2013-10-23  Filip Pizlo  <fpizlo@apple.com>
767
768         Put all uses of LLVM intrinsics behind a single Option
769         https://bugs.webkit.org/show_bug.cgi?id=123219
770
771         Reviewed by Mark Hahnenberg.
772
773         * ftl/FTLExitThunkGenerator.cpp:
774         (JSC::FTL::ExitThunkGenerator::emitThunk):
775         * ftl/FTLLowerDFGToLLVM.cpp:
776         (JSC::FTL::generateExitThunks):
777         (JSC::FTL::LowerDFGToLLVM::compileGetById):
778         (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
779         (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
780         * ftl/FTLOSRExitCompiler.cpp:
781         (JSC::FTL::compileFTLOSRExit):
782         * runtime/Options.h:
783
784 2013-10-23  Daniel Bates  <dabates@apple.com>
785
786         Fix JavaScriptCore build targets following <http://trac.webkit.org/changeset/157864>
787         (https://bugs.webkit.org/show_bug.cgi?id=123169)
788
789         Tell Xcode that the supported platforms for all JavaScriptCore targets are iOS and OS X.
790
791         * Configurations/Base.xcconfig:
792
793 2013-10-23  Michael Saboff  <msaboff@apple.com>
794
795         LLInt arity check exception processing should start unwinding from caller
796         https://bugs.webkit.org/show_bug.cgi?id=123209
797
798         Reviewed by Oliver Hunt.
799
800         Use the caller frame returned from slow_path_call_arityCheck to process exceptions.
801
802         * llint/LowLevelInterpreter32_64.asm:
803         * llint/LowLevelInterpreter64.asm:
804
805 2013-10-22  Filip Pizlo  <fpizlo@apple.com>
806
807         FTL should be able to do some simple inline caches using LLVM patchpoints
808         https://bugs.webkit.org/show_bug.cgi?id=123164
809
810         Reviewed by Mark Hahnenberg.
811         
812         This implements GetById inline caches in the FTL using llvm.webkit.patchpoint.
813         
814         The idea is that we ask LLVM for a nop slide the size of a GetById inline
815         cache and then fill in the code after LLVM compilation is complete. For now, we
816         just use the system calling convention for the arguments and return. We also
817         still make some assumptions about registers that aren't correct. But, most of
818         the scaffolding is there and this will successfully patch an inline cache.
819
820         * JavaScriptCore.xcodeproj/project.pbxproj:
821         * assembler/AbstractMacroAssembler.h:
822         * assembler/LinkBuffer.cpp:
823         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
824         (JSC::LinkBuffer::linkCode):
825         (JSC::LinkBuffer::allocate):
826         * assembler/LinkBuffer.h:
827         (JSC::LinkBuffer::LinkBuffer):
828         (JSC::LinkBuffer::link):
829         * ftl/FTLAbbreviations.h:
830         (JSC::FTL::constNull):
831         (JSC::FTL::buildCall):
832         * ftl/FTLCapabilities.cpp:
833         (JSC::FTL::canCompile):
834         * ftl/FTLCompile.cpp:
835         (JSC::FTL::fixFunctionBasedOnStackMaps):
836         * ftl/FTLInlineCacheDescriptor.h: Added.
837         (JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
838         (JSC::FTL::GetByIdDescriptor::GetByIdDescriptor):
839         (JSC::FTL::GetByIdDescriptor::stackmapID):
840         (JSC::FTL::GetByIdDescriptor::codeOrigin):
841         (JSC::FTL::GetByIdDescriptor::uid):
842         * ftl/FTLInlineCacheSize.cpp: Added.
843         (JSC::FTL::sizeOfGetById):
844         (JSC::FTL::sizeOfPutById):
845         * ftl/FTLInlineCacheSize.h: Added.
846         * ftl/FTLIntrinsicRepository.h:
847         * ftl/FTLJITFinalizer.cpp:
848         (JSC::FTL::JITFinalizer::finalizeFunction):
849         * ftl/FTLJITFinalizer.h:
850         * ftl/FTLLocation.cpp:
851         (JSC::FTL::Location::directGPR):
852         * ftl/FTLLocation.h:
853         * ftl/FTLLowerDFGToLLVM.cpp:
854         (JSC::FTL::LowerDFGToLLVM::compileGetById):
855         * ftl/FTLOutput.h:
856         (JSC::FTL::Output::call):
857         * ftl/FTLSlowPathCall.cpp: Added.
858         (JSC::FTL::callOperation):
859         * ftl/FTLSlowPathCall.h: Added.
860         (JSC::FTL::SlowPathCall::SlowPathCall):
861         (JSC::FTL::SlowPathCall::call):
862         (JSC::FTL::SlowPathCall::key):
863         * ftl/FTLSlowPathCallKey.cpp: Added.
864         (JSC::FTL::SlowPathCallKey::dump):
865         * ftl/FTLSlowPathCallKey.h: Added.
866         (JSC::FTL::SlowPathCallKey::SlowPathCallKey):
867         (JSC::FTL::SlowPathCallKey::usedRegisters):
868         (JSC::FTL::SlowPathCallKey::callTarget):
869         (JSC::FTL::SlowPathCallKey::offset):
870         (JSC::FTL::SlowPathCallKey::isEmptyValue):
871         (JSC::FTL::SlowPathCallKey::isDeletedValue):
872         (JSC::FTL::SlowPathCallKey::operator==):
873         (JSC::FTL::SlowPathCallKey::hash):
874         (JSC::FTL::SlowPathCallKeyHash::hash):
875         (JSC::FTL::SlowPathCallKeyHash::equal):
876         * ftl/FTLStackMaps.cpp:
877         (JSC::FTL::StackMaps::Location::directGPR):
878         * ftl/FTLStackMaps.h:
879         * ftl/FTLState.h:
880         * ftl/FTLThunks.cpp:
881         (JSC::FTL::slowPathCallThunkGenerator):
882         * ftl/FTLThunks.h:
883         (JSC::FTL::Thunks::getSlowPathCallThunk):
884         * jit/CCallHelpers.h:
885         (JSC::CCallHelpers::setupArguments):
886         * jit/GPRInfo.h:
887         * jit/JITInlineCacheGenerator.cpp:
888         (JSC::garbageStubInfo):
889         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
890         (JSC::JITByIdGenerator::finalize):
891         * jit/JITInlineCacheGenerator.h:
892         (JSC::JITByIdGenerator::slowPathBegin):
893         * jit/RegisterSet.cpp:
894         (JSC::RegisterSet::stackRegisters):
895         (JSC::RegisterSet::specialRegisters):
896         (JSC::RegisterSet::calleeSaveRegisters):
897         (JSC::RegisterSet::allGPRs):
898         (JSC::RegisterSet::allFPRs):
899         (JSC::RegisterSet::allRegisters):
900         (JSC::RegisterSet::dump):
901         * jit/RegisterSet.h:
902         (JSC::RegisterSet::exclude):
903         (JSC::RegisterSet::numberOfSetRegisters):
904         (JSC::RegisterSet::RegisterSet):
905         (JSC::RegisterSet::isEmptyValue):
906         (JSC::RegisterSet::isDeletedValue):
907         (JSC::RegisterSet::operator==):
908         (JSC::RegisterSet::hash):
909         (JSC::RegisterSetHash::hash):
910         (JSC::RegisterSetHash::equal):
911         * runtime/Options.h:
912
913 2013-10-22  Filip Pizlo  <fpizlo@apple.com>
914
915         jitCompileAndSetHeuristics should DeferGCForAWhile
916         https://bugs.webkit.org/show_bug.cgi?id=123196
917
918         Reviewed by Mark Hahnenberg.
919         
920         This fixes random crashes in V8v7/raytrace. I only see those crashes on exactly one of
921         my machines. I don't think this is testable; we just need to steadily converge towards
922         getting our uses of DeferGC to be right and then be careful not to regress. We're not
923         there yet, obviously.
924         
925         * llint/LLIntSlowPaths.cpp:
926         (JSC::LLInt::jitCompileAndSetHeuristics):
927
928 2013-10-23  Daniel Bates  <dabates@apple.com>
929
930         [iOS] Upstream more JavaScriptCore build configuration changes
931         https://bugs.webkit.org/show_bug.cgi?id=123169
932
933         Reviewed by David Kilzer.
934
935         * Configurations/Base.xcconfig:
936         * Configurations/Version.xcconfig:
937         * Configurations/iOS.xcconfig: Added.
938         * JavaScriptCore.xcodeproj/project.pbxproj:
939
940 2013-10-23  Daniel Bates  <dabates@apple.com>
941
942         [iOS] Export DefaultGCActivityCallback member functions
943         https://bugs.webkit.org/show_bug.cgi?id=123175
944
945         Reviewed by David Kilzer.
946
947         * runtime/GCActivityCallback.h:
948
949 2013-10-23  Daniel Bates  <dabates@apple.com>
950
951         [iOS] Upstream more ARMv7s bits
952         https://bugs.webkit.org/show_bug.cgi?id=123052
953
954         Reviewed by Joseph Pecoraro.
955
956         * Configurations/JavaScriptCore.xcconfig:
957
958 2013-10-22  Andreas Kling  <akling@apple.com>
959
960         Minor VM* -> VM& cleanups in HashTable and Keywords.
961         <https://webkit.org/b/123183>
962
963         Turn some VM* variables that will never be null into VM&.
964
965         Reviewed by Geoffrey Garen.
966
967 2013-10-22  Geoffrey Garen  <ggaren@apple.com>
968
969         REGRESSION: `if (false === (true && undefined)) console.log("wrong!");` logs "wrong!", shouldn't!
970         https://bugs.webkit.org/show_bug.cgi?id=123179
971
972         Reviewed by Mark Hahnenberg.
973
974         * parser/NodeConstructors.h:
975         (JSC::LogicalOpNode::LogicalOpNode):
976         * parser/ResultType.h:
977         (JSC::ResultType::forLogicalOp): Don't assume that && produces a boolean.
978         This is JavaScript (aka Sparta).
979
980 2013-10-22  Commit Queue  <commit-queue@webkit.org>
981
982         Unreviewed, rolling out r157819.
983         http://trac.webkit.org/changeset/157819
984         https://bugs.webkit.org/show_bug.cgi?id=123180
985
986         Broke 32-bit builds (Requested by smfr on #webkit).
987
988         * Configurations/JavaScriptCore.xcconfig:
989         * Configurations/ToolExecutable.xcconfig:
990
991 2013-10-22  Daniel Bates  <dabates@apple.com>
992
993         [iOS] Upstream more ARMv7s bits
994         https://bugs.webkit.org/show_bug.cgi?id=123052
995
996         Reviewed by Joseph Pecoraro.
997
998         * Configurations/JavaScriptCore.xcconfig:
999         * Configurations/ToolExecutable.xcconfig: Enable CLANG_ENABLE_OBJC_ARC for i386 as I'm
1000         modifying a file in JavaScriptCore/Configurations.
1001
1002 2013-10-22  Daniel Bates  <dabates@apple.com>
1003
1004         [iOS] Upstream JSLock changes
1005         https://bugs.webkit.org/show_bug.cgi?id=123107
1006
1007         Reviewed by Geoffrey Garen.
1008
1009         * runtime/JSLock.cpp:
1010         (JSC::JSLock::unlock):
1011         (JSC::JSLock::dropAllLocks): Modified to take a SpinLock, used only on iOS.
1012         (JSC::JSLock::dropAllLocksUnconditionally): Modified to take a SpinLock, used only on iOS. Also
1013         use pre-increment instead of post-increment when we're not using the return value of the instruction.
1014         (JSC::JSLock::grabAllLocks): Modified to take a SpinLock, used only on iOS. Also change
1015         places where we were using post-increment/post-decrement to use pre-increment/pre-decrement,
1016         since we don't use the return value of such instructions.
1017         (JSC::JSLock::DropAllLocks::DropAllLocks): Modified to support releasing all locks unconditionally.
1018         Take a spin lock before releasing all locks on iOS. Also, use nullptr instead of 0.
1019         (JSC::JSLock::DropAllLocks::~DropAllLocks): Take a spin lock before acquiring all locks on iOS.
1020         * runtime/JSLock.h: Remove extraneous argument name "exec" from DropAllLocks as the data type of
1021         the argument is sufficiently descriptive of its purpose.
1022
1023 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1024
1025         [arm] Add missing setupArgumentsWithExecState() prototypes to fix build.
1026         https://bugs.webkit.org/show_bug.cgi?id=123166
1027
1028         Reviewed by Michael Saboff.
1029
1030         * jit/CCallHelpers.h:
1031         (JSC::CCallHelpers::setupArgumentsWithExecState):
1032
1033 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1034
1035         [sh4][mips][arm] Fix crashes in JSC (32-bit only).
1036         https://bugs.webkit.org/show_bug.cgi?id=123165
1037
1038         Reviewed by Michael Saboff.
1039
1040         * jit/JITInlines.h:
1041         (JSC::JIT::callOperationNoExceptionCheck): Add missing EABI_32BIT_DUMMY_ARG.
1042         (JSC::JIT::callOperation): The last TrustedImm32(arg3) is a bit overkill for SH4 :)
1043         (JSC::JIT::callOperation): Add missing EABI_32BIT_DUMMY_ARG.
1044         (JSC::JIT::callOperation): Fix tag and payload order for V_JITOperation_EJJJ prototype.
1045
1046 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1047
1048         REGRESSION(r157690, r157699) Fix architectures using AssemblerBufferWithConstantPool.
1049         https://bugs.webkit.org/show_bug.cgi?id=123092
1050
1051         Reviewed by Michael Saboff.
1052
1053         Impacted architectures are SH4 and ARM_TRADITIONAL.
1054
1055         * assembler/ARMAssembler.h:
1056         (JSC::ARMAssembler::buffer):
1057         * assembler/AssemblerBufferWithConstantPool.h:
1058         (JSC::AssemblerBufferWithConstantPool::flushConstantPool):
1059         * assembler/LinkBuffer.cpp:
1060         (JSC::LinkBuffer::linkCode):
1061         * assembler/SH4Assembler.h:
1062         (JSC::SH4Assembler::buffer):
1063
1064 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1065
1066         Remove unused stuff in JIT stubs.
1067         https://bugs.webkit.org/show_bug.cgi?id=123155
1068
1069         Reviewed by Michael Saboff.
1070
1071         * jit/JITStubs.h:
1072         * jit/JITStubsARM.h:
1073         (JSC::ctiTrampoline):
1074         * jit/JITStubsARM64.h:
1075         * jit/JITStubsARMv7.h:
1076         * jit/JITStubsMIPS.h:
1077         * jit/JITStubsSH4.h:
1078         * jit/JITStubsX86.h:
1079         * jit/JITStubsX86_64.h:
1080
1081 2013-10-22  Daniel Bates  <dabates@apple.com>
1082
1083         [iOS] Upstream OS-version-specific install paths for JavaScriptCore.framework
1084         https://bugs.webkit.org/show_bug.cgi?id=123115
1085         <rdar://problem/13696872>
1086
1087         Reviewed by Andy Estes.
1088
1089         Based on a patch by Mark Hahnenberg.
1090
1091         Add support for running JavaScriptCore-based apps, built against the iOS 7 SDK, on older versions of iOS.
1092
1093         * API/JSBase.cpp:
1094
1095 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1096
1097         [sh4] Add missing lastRegister(), firstFPRegister() and lastFPRegister().
1098         https://bugs.webkit.org/show_bug.cgi?id=123157
1099
1100         Reviewed by Andreas Kling.
1101
1102         * assembler/SH4Assembler.h:
1103         (JSC::SH4Assembler::lastRegister):
1104         (JSC::SH4Assembler::firstFPRegister):
1105         (JSC::SH4Assembler::lastFPRegister):
1106
1107 2013-10-22  Brian Holt  <brian.holt@samsung.com>
1108
1109         Build break on ARMv7 after r157209
1110         https://bugs.webkit.org/show_bug.cgi?id=122890
1111
1112         Reviewed by Csaba Osztrogonác.
1113
1114         Add framePointerRegister and first/last register helpers for ARM_TRADITIONAL.
1115
1116         * assembler/ARMAssembler.h:
1117         * assembler/MacroAssemblerARM.h:
1118         (JSC::MacroAssemblerARM::firstRegister):
1119         (JSC::MacroAssemblerARM::lastRegister):
1120         (JSC::MacroAssemblerARM::firstFPRegister):
1121         (JSC::MacroAssemblerARM::lastFPRegister):
1122
1123 2013-10-21  Daniel Bates  <dabates@apple.com>
1124
1125         [iOS] Upstream JSGlobalObject::shouldInterruptScriptBeforeTimeout()
1126         https://bugs.webkit.org/show_bug.cgi?id=123045
1127
1128         Reviewed by Joseph Pecoraro.
1129
1130         * jsc.cpp: Add function pointer for shouldInterruptScriptBeforeTimeout
1131         to global method table.
1132         * runtime/JSGlobalObject.cpp: Ditto.
1133         * runtime/JSGlobalObject.h:
1134         (JSC::JSGlobalObject::shouldInterruptScriptBeforeTimeout): Added.
1135
1136 2013-10-21  Daniel Bates  <dabates@apple.com>
1137
1138         [iOS] Upstream JSC Objective-C API compiler warning fixes
1139         https://bugs.webkit.org/show_bug.cgi?id=123125
1140
1141         Reviewed by Mark Hahnenberg.
1142
1143         Based on a patch by Mark Hahnenberg.
1144
1145         * API/JSValue.mm:
1146         (-[JSValue toPoint]): Cast to CGFloat to fix some compiler warnings about double narrowing to float.
1147         (-[JSValue toSize]): Ditto.
1148         * API/tests/testapi.mm: Changed a test that was failing due to overflow of 32-bit NSUInteger on armv7.
1149
1150 2013-10-21  Daniel Bates  <dabates@apple.com>
1151
1152         [iOS] Mark classes JS{Context, ManagedValue, Value, VirtualMachine} as
1153         available since iOS 7.0
1154         https://bugs.webkit.org/show_bug.cgi?id=123122
1155
1156         Reviewed by Dan Bernstein.
1157
1158         * API/JSContext.h:
1159         * API/JSManagedValue.h:
1160         * API/JSValue.h:
1161         * API/JSVirtualMachine.h:
1162
1163 2013-10-20  Mark Lam  <mark.lam@apple.com>
1164
1165         Avoid JSC debugger overhead unless needed.
1166         https://bugs.webkit.org/show_bug.cgi?id=123084.
1167
1168         Reviewed by Geoffrey Garen.
1169
1170         - If no breakpoints are set, we now avoid calling the debug hook callbacks.
1171         - If no break on exception is set, we also avoid exception event debug callbacks.
1172         - When we return from the ScriptDebugServer to the JSC::Debugger, we may no
1173           longer call the debug hook callbacks if not needed. Hence, the m_currentCallFrame
1174           pointer in the ScriptDebugServer may become stale. To avoid this issue, before
1175           returning, the ScriptDebugServer will clear its m_currentCallFrame if
1176           needsOpDebugCallbacks() is false.
1177
1178         * debugger/Debugger.cpp:
1179         (JSC::Debugger::Debugger):
1180         (JSC::Debugger::setNeedsExceptionCallbacks):
1181         (JSC::Debugger::setShouldPause):
1182         (JSC::Debugger::updateNumberOfBreakpoints):
1183         (JSC::Debugger::updateNeedForOpDebugCallbacks):
1184         * debugger/Debugger.h:
1185         * interpreter/Interpreter.cpp:
1186         (JSC::Interpreter::unwind):
1187         (JSC::Interpreter::debug):
1188         * jit/JITOpcodes.cpp:
1189         (JSC::JIT::emit_op_debug):
1190         * jit/JITOpcodes32_64.cpp:
1191         (JSC::JIT::emit_op_debug):
1192         * llint/LLIntOffsetsExtractor.cpp:
1193         * llint/LowLevelInterpreter.asm:
1194
1195 2013-10-21  Brent Fulgham  <bfulgham@apple.com>
1196
1197         [WIN] Unreviewed build correction.
1198
1199         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Handle new JIT files as C++ implementation
1200           sources, not header files.
1201         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
1202
1203 2013-10-21  Oliver Hunt  <oliver@apple.com>
1204
1205         Support computed property names in object literals
1206         https://bugs.webkit.org/show_bug.cgi?id=123112
1207
1208         Reviewed by Michael Saboff.
1209
1210         Add support for computed property names to the parser.
1211
1212         * bytecompiler/NodesCodegen.cpp:
1213         (JSC::PropertyListNode::emitBytecode):
1214         * parser/ASTBuilder.h:
1215         (JSC::ASTBuilder::createProperty):
1216         (JSC::ASTBuilder::getName):
1217         * parser/NodeConstructors.h:
1218         (JSC::PropertyNode::PropertyNode):
1219         * parser/Nodes.h:
1220         (JSC::PropertyNode::expressionName):
1221         (JSC::PropertyNode::name):
1222         * parser/Parser.cpp:
1223         (JSC::::parseProperty):
1224         (JSC::::parseStrictObjectLiteral):
1225         * parser/SyntaxChecker.h:
1226         (JSC::SyntaxChecker::Property::Property):
1227         (JSC::SyntaxChecker::createProperty):
1228         (JSC::SyntaxChecker::operatorStackPop):
1229
1230 2013-10-21  Michael Saboff  <msaboff@apple.com>
1231
1232         Add option so that JSC will crash if it can't allocate executable memory for the JITs
1233         https://bugs.webkit.org/show_bug.cgi?id=123048
1234         <rdar://problem/12856193>
1235
1236         Reviewed by Geoffrey Garen.
1237
1238         Added new option, called crashIfCantAllocateJITMemory. If this option is true then we crash
1239         when checking the validity of the executable allocator. The default value for this option is
1240         false, but jsc sets it to true when built for iOS to make it straightforward to identify whether
1241         the app can obtain executable memory.
1242
1243         * jsc.cpp: Explicitly enable crashIfCantAllocateJITMemory on iOS.
1244         (main):
1245         * runtime/Options.h: Added option crashIfCantAllocateJITMemory.
1246         * runtime/VM.cpp:
1247         (JSC::enableAssembler): Modified to crash if option crashIfCantAllocateJITMemory
1248         is enabled.
1249
1250 2013-10-21  Nadav Rotem  <nrotem@apple.com>
1251
1252         Remove AllInOneFile.cpp
1253         https://bugs.webkit.org/show_bug.cgi?id=123055
1254
1255         Reviewed by Csaba Osztrogonác.
1256
1257         * AllInOneFile.cpp: Removed.
1258
1259 2013-10-20  Filip Pizlo  <fpizlo@apple.com>
1260
1261         Unreviewed, clean up a FIXME comment.
1262
1263         * jit/Repatch.cpp:
1264
1265 2013-10-20  Filip Pizlo  <fpizlo@apple.com>
1266
1267         StructureStubInfo's usedRegisters set should be able to track all registers, not just the ones that our JITs view as temporaries
1268         https://bugs.webkit.org/show_bug.cgi?id=123076
1269
1270         Reviewed by Sam Weinig.
1271         
1272         Start preparing for a world in which we are patching code generated by LLVM, which may have
1273         very different register usage conventions than our JITs. This requires us being more explicit
1274         about the registers we are using. For example, the repatching code shouldn't take for granted
1275         that tagMaskRegister holds the TagMask or that the register is even in use.
1276
1277         * CMakeLists.txt:
1278         * GNUmakefile.list.am:
1279         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1280         * JavaScriptCore.xcodeproj/project.pbxproj:
1281         * assembler/MacroAssembler.h:
1282         (JSC::MacroAssembler::numberOfRegisters):
1283         (JSC::MacroAssembler::registerIndex):
1284         (JSC::MacroAssembler::numberOfFPRegisters):
1285         (JSC::MacroAssembler::fpRegisterIndex):
1286         (JSC::MacroAssembler::totalNumberOfRegisters):
1287         * bytecode/StructureStubInfo.h:
1288         * dfg/DFGSpeculativeJIT.cpp:
1289         (JSC::DFG::SpeculativeJIT::usedRegisters):
1290         * dfg/DFGSpeculativeJIT.h:
1291         * ftl/FTLSaveRestore.cpp:
1292         (JSC::FTL::bytesForGPRs):
1293         (JSC::FTL::bytesForFPRs):
1294         (JSC::FTL::offsetOfGPR):
1295         (JSC::FTL::offsetOfFPR):
1296         * jit/JITInlineCacheGenerator.cpp:
1297         (JSC::JITByIdGenerator::JITByIdGenerator):
1298         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1299         * jit/JITInlineCacheGenerator.h:
1300         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1301         * jit/JITPropertyAccess.cpp:
1302         (JSC::JIT::emit_op_get_by_id):
1303         (JSC::JIT::emit_op_put_by_id):
1304         * jit/JITPropertyAccess32_64.cpp:
1305         (JSC::JIT::emit_op_get_by_id):
1306         (JSC::JIT::emit_op_put_by_id):
1307         * jit/RegisterSet.cpp: Added.
1308         (JSC::RegisterSet::specialRegisters):
1309         * jit/RegisterSet.h: Added.
1310         (JSC::RegisterSet::RegisterSet):
1311         (JSC::RegisterSet::set):
1312         (JSC::RegisterSet::clear):
1313         (JSC::RegisterSet::get):
1314         (JSC::RegisterSet::merge):
1315         * jit/Repatch.cpp:
1316         (JSC::generateProtoChainAccessStub):
1317         (JSC::tryCacheGetByID):
1318         (JSC::tryBuildGetByIDList):
1319         (JSC::emitPutReplaceStub):
1320         (JSC::tryRepatchIn):
1321         (JSC::linkClosureCall):
1322         * jit/TempRegisterSet.cpp: Added.
1323         (JSC::TempRegisterSet::TempRegisterSet):
1324         * jit/TempRegisterSet.h:
1325
1326 2013-10-20  Julien Brianceau  <jbriance@cisco.com>
1327
1328         [sh4] Fix build (broken since r157690).
1329         https://bugs.webkit.org/show_bug.cgi?id=123081
1330
1331         Reviewed by Andreas Kling.
1332
1333         * assembler/AssemblerBufferWithConstantPool.h:
1334         * assembler/SH4Assembler.h:
1335         (JSC::SH4Assembler::buffer):
1336         (JSC::SH4Assembler::readCallTarget):
1337
1338 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
1339
1340         Simplify TempRegisterSet - it no longer needs to be convertible to a POD since it's no longer going to be a member of a union
1341         https://bugs.webkit.org/show_bug.cgi?id=123079
1342
1343         Reviewed by Geoffrey Garen.
1344
1345         * jit/TempRegisterSet.h:
1346
1347 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
1348
1349         Rename RegisterSet to TempRegisterSet
1350         https://bugs.webkit.org/show_bug.cgi?id=123077
1351
1352         Reviewed by Dan Bernstein.
1353
1354         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1355         * JavaScriptCore.xcodeproj/project.pbxproj:
1356         * bytecode/StructureStubInfo.h:
1357         * dfg/DFGJITCompiler.h:
1358         * dfg/DFGSpeculativeJIT.h:
1359         (JSC::DFG::SpeculativeJIT::usedRegisters):
1360         * jit/JITInlineCacheGenerator.cpp:
1361         (JSC::JITByIdGenerator::JITByIdGenerator):
1362         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1363         * jit/JITInlineCacheGenerator.h:
1364         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1365         * jit/JITPropertyAccess.cpp:
1366         (JSC::JIT::emit_op_get_by_id):
1367         (JSC::JIT::emit_op_put_by_id):
1368         * jit/JITPropertyAccess32_64.cpp:
1369         (JSC::JIT::emit_op_get_by_id):
1370         (JSC::JIT::emit_op_put_by_id):
1371         * jit/RegisterSet.h: Removed.
1372         * jit/ScratchRegisterAllocator.h:
1373         (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
1374         * jit/TempRegisterSet.h: Copied from Source/JavaScriptCore/jit/RegisterSet.h.
1375         (JSC::TempRegisterSet::TempRegisterSet):
1376         (JSC::TempRegisterSet::asPOD):
1377         (JSC::TempRegisterSet::copyInfo):
1378
1379 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
1380
1381         Restructure LinkBuffer to allow for alternate allocation strategies
1382         https://bugs.webkit.org/show_bug.cgi?id=123071
1383
1384         Reviewed by Oliver Hunt.
1385         
1386         The idea is to eventually allow a LinkBuffer to place the code into an already
1387         allocated region of memory.  That region of memory could be the nop-slide left behind
1388         by a llvm.webkit.patchpoint.
1389
1390         * assembler/ARM64Assembler.h:
1391         (JSC::ARM64Assembler::buffer):
1392         * assembler/AssemblerBuffer.h:
1393         * assembler/LinkBuffer.cpp:
1394         (JSC::LinkBuffer::copyCompactAndLinkCode):
1395         (JSC::LinkBuffer::linkCode):
1396         (JSC::LinkBuffer::allocate):
1397         (JSC::LinkBuffer::shrink):
1398         * assembler/LinkBuffer.h:
1399         (JSC::LinkBuffer::LinkBuffer):
1400         (JSC::LinkBuffer::didFailToAllocate):
1401         * assembler/X86Assembler.h:
1402         (JSC::X86Assembler::buffer):
1403         (JSC::X86Assembler::X86InstructionFormatter::memoryModRM):
1404
1405 2013-10-19  Alexey Proskuryakov  <ap@apple.com>
1406
1407         Some includes in JSC seem to use an incorrect style
1408         https://bugs.webkit.org/show_bug.cgi?id=123057
1409
1410         Reviewed by Geoffrey Garen.
1411
1412         Changed pseudo-system includes to user ones.
1413
1414         * API/JSContextRef.cpp:
1415         * API/JSStringRefCF.cpp:
1416         * API/JSValueRef.cpp:
1417         * API/OpaqueJSString.cpp:
1418         * jit/JIT.h:
1419         * parser/SyntaxChecker.h:
1420         * runtime/WeakGCMap.h:
1421
1422 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
1423
1424         Baseline JIT and DFG IC code generation should be unified and rationalized
1425         https://bugs.webkit.org/show_bug.cgi?id=122939
1426
1427         Reviewed by Geoffrey Garen.
1428         
1429         Introduce the JITInlineCacheGenerator, which takes a CodeBlock and a CodeOrigin plus
1430         some register info and creates JIT inline caches for you. Used this to even further
1431         unify the baseline and DFG ICs. In the future we can use this for FTL ICs. And my hope
1432         is that we'll be able to use it for cascading ICs: an IC for some instruction may realize
1433         that it needs to do the equivalent of get_by_id, so with this generator it will be able
1434         to create an IC even though it wasn't associated with a get_by_id bytecode instruction.
1435
1436         * CMakeLists.txt:
1437         * GNUmakefile.list.am:
1438         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1439         * JavaScriptCore.xcodeproj/project.pbxproj:
1440         * assembler/AbstractMacroAssembler.h:
1441         (JSC::AbstractMacroAssembler::DataLabelCompact::label):
1442         * bytecode/CodeBlock.h:
1443         (JSC::CodeBlock::ecmaMode):
1444         * dfg/DFGInlineCacheWrapper.h: Added.
1445         (JSC::DFG::InlineCacheWrapper::InlineCacheWrapper):
1446         * dfg/DFGInlineCacheWrapperInlines.h: Added.
1447         (JSC::DFG::::finalize):
1448         * dfg/DFGJITCompiler.cpp:
1449         (JSC::DFG::JITCompiler::link):
1450         * dfg/DFGJITCompiler.h:
1451         (JSC::DFG::JITCompiler::addGetById):
1452         (JSC::DFG::JITCompiler::addPutById):
1453         * dfg/DFGSpeculativeJIT32_64.cpp:
1454         (JSC::DFG::SpeculativeJIT::cachedGetById):
1455         (JSC::DFG::SpeculativeJIT::cachedPutById):
1456         * dfg/DFGSpeculativeJIT64.cpp:
1457         (JSC::DFG::SpeculativeJIT::cachedGetById):
1458         (JSC::DFG::SpeculativeJIT::cachedPutById):
1459         (JSC::DFG::SpeculativeJIT::compile):
1460         * jit/AssemblyHelpers.h:
1461         (JSC::AssemblyHelpers::isStrictModeFor):
1462         (JSC::AssemblyHelpers::strictModeFor):
1463         * jit/GPRInfo.h:
1464         (JSC::JSValueRegs::tagGPR):
1465         * jit/JIT.cpp:
1466         (JSC::JIT::JIT):
1467         (JSC::JIT::privateCompileSlowCases):
1468         (JSC::JIT::privateCompile):
1469         * jit/JIT.h:
1470         * jit/JITInlineCacheGenerator.cpp: Added.
1471         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
1472         (JSC::JITByIdGenerator::JITByIdGenerator):
1473         (JSC::JITByIdGenerator::finalize):
1474         (JSC::JITByIdGenerator::generateFastPathChecks):
1475         (JSC::JITGetByIdGenerator::generateFastPath):
1476         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1477         (JSC::JITPutByIdGenerator::generateFastPath):
1478         (JSC::JITPutByIdGenerator::slowPathFunction):
1479         * jit/JITInlineCacheGenerator.h: Added.
1480         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
1481         (JSC::JITInlineCacheGenerator::stubInfo):
1482         (JSC::JITByIdGenerator::JITByIdGenerator):
1483         (JSC::JITByIdGenerator::reportSlowPathCall):
1484         (JSC::JITByIdGenerator::slowPathJump):
1485         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1486         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1487         * jit/JITPropertyAccess.cpp:
1488         (JSC::JIT::emit_op_get_by_id):
1489         (JSC::JIT::emitSlow_op_get_by_id):
1490         (JSC::JIT::emit_op_put_by_id):
1491         (JSC::JIT::emitSlow_op_put_by_id):
1492         * jit/JITPropertyAccess32_64.cpp:
1493         (JSC::JIT::emit_op_get_by_id):
1494         (JSC::JIT::emitSlow_op_get_by_id):
1495         (JSC::JIT::emit_op_put_by_id):
1496         (JSC::JIT::emitSlow_op_put_by_id):
1497         * jit/RegisterSet.h:
1498         (JSC::RegisterSet::set):
1499
1500 2013-10-19  Alexey Proskuryakov  <ap@apple.com>
1501
1502         APICast.h uses functions from JSCJSValueInlines.h, but doesn't include it
1503         https://bugs.webkit.org/show_bug.cgi?id=123067
1504
1505         Reviewed by Geoffrey Garen.
1506
1507         * API/APICast.h: Include it.
1508
1509 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
1510
1511         FTL::Location should treat the offset as an addend in the case of a Register location
1512         https://bugs.webkit.org/show_bug.cgi?id=123062
1513
1514         Reviewed by Sam Weinig.
1515
1516         * ftl/FTLLocation.cpp:
1517         (JSC::FTL::Location::forStackmaps):
1518         (JSC::FTL::Location::dump):
1519         (JSC::FTL::Location::restoreInto):
1520         * ftl/FTLLocation.h:
1521         (JSC::FTL::Location::forRegister):
1522         (JSC::FTL::Location::hasAddend):
1523         (JSC::FTL::Location::addend):
1524
1525 2013-10-19  Nadav Rotem  <nrotem@apple.com>
1526
1527         DFG dominators: document and rename stuff.
1528         https://bugs.webkit.org/show_bug.cgi?id=123056
1529
1530         Reviewed by Filip Pizlo.
1531
1532         Documented the code and renamed some variables.
1533
1534         * dfg/DFGDominators.cpp:
1535         (JSC::DFG::Dominators::compute):
1536         (JSC::DFG::Dominators::pruneDominators):
1537         * dfg/DFGDominators.h:
1538
1539 2013-10-19  Julien Brianceau  <jbriance@cisco.com>
1540
1541         Fix build failure for architectures with 4 argument registers.
1542         https://bugs.webkit.org/show_bug.cgi?id=123060
1543
1544         Reviewed by Michael Saboff.
1545
1546         Add missing setupArgumentsWithExecState() prototypes for architectures with 4 argument registers.
1547         Remove SH4 specific code no longer needed since callOperation prototype change in r157660.
1548
1549         * dfg/DFGSpeculativeJIT.h:
1550         (JSC::DFG::SpeculativeJIT::callOperation):
1551         * jit/CCallHelpers.h:
1552         (JSC::CCallHelpers::setupArgumentsWithExecState):
1553         * jit/JITInlines.h:
1554         (JSC::JIT::callOperation):
1555
1556 2013-10-18  Filip Pizlo  <fpizlo@apple.com>
1557
1558         Unreviewed, fix FTL build.
1559
1560         * ftl/FTLIntrinsicRepository.h:
1561         * ftl/FTLLowerDFGToLLVM.cpp:
1562         (JSC::FTL::LowerDFGToLLVM::compileGetById):
1563
1564 2013-10-18  Filip Pizlo  <fpizlo@apple.com>
1565
1566         A CodeBlock's StructureStubInfos shouldn't be in a Vector that we search using code origins and machine code PCs
1567         https://bugs.webkit.org/show_bug.cgi?id=122940
1568
1569         Reviewed by Oliver Hunt.
1570         
1571         This accomplishes a number of simplifications. StructureStubInfo is now non-moving,
1572         whereas previously it was in a Vector, so it moved. This allows you to use pointers to
1573         StructureStubInfo. This also eliminates the use of return PC as a way of finding the
1574         StructureStubInfo's. It removes some of the need for the compile-time property access
1575         records; for example the DFG no longer has to save information about registers in a
1576         property access record only to later save it to the stub info.
1577         
1578         The main thing it accomplishes is that it makes it easier to add StructureStubInfo's
1579         at any stage of compilation.
1580
1581         * bytecode/CodeBlock.cpp:
1582         (JSC::CodeBlock::printGetByIdCacheStatus):
1583         (JSC::CodeBlock::dumpBytecode):
1584         (JSC::CodeBlock::~CodeBlock):
1585         (JSC::CodeBlock::propagateTransitions):
1586         (JSC::CodeBlock::finalizeUnconditionally):
1587         (JSC::CodeBlock::addStubInfo):
1588         (JSC::CodeBlock::getStubInfoMap):
1589         (JSC::CodeBlock::shrinkToFit):
1590         * bytecode/CodeBlock.h:
1591         (JSC::CodeBlock::begin):
1592         (JSC::CodeBlock::end):
1593         (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
1594         * bytecode/CodeOrigin.h:
1595         (JSC::CodeOrigin::CodeOrigin):
1596         (JSC::CodeOrigin::isHashTableDeletedValue):
1597         (JSC::CodeOrigin::hash):
1598         (JSC::CodeOriginHash::hash):
1599         (JSC::CodeOriginHash::equal):
1600         * bytecode/GetByIdStatus.cpp:
1601         (JSC::GetByIdStatus::computeFor):
1602         * bytecode/GetByIdStatus.h:
1603         * bytecode/PutByIdStatus.cpp:
1604         (JSC::PutByIdStatus::computeFor):
1605         * bytecode/PutByIdStatus.h:
1606         * bytecode/StructureStubInfo.h:
1607         (JSC::getStructureStubInfoCodeOrigin):
1608         * dfg/DFGByteCodeParser.cpp:
1609         (JSC::DFG::ByteCodeParser::parseBlock):
1610         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1611         * dfg/DFGJITCompiler.cpp:
1612         (JSC::DFG::JITCompiler::link):
1613         * dfg/DFGJITCompiler.h:
1614         (JSC::DFG::PropertyAccessRecord::PropertyAccessRecord):
1615         (JSC::DFG::InRecord::InRecord):
1616         * dfg/DFGSpeculativeJIT.cpp:
1617         (JSC::DFG::SpeculativeJIT::compileIn):
1618         * dfg/DFGSpeculativeJIT.h:
1619         (JSC::DFG::SpeculativeJIT::callOperation):
1620         * dfg/DFGSpeculativeJIT32_64.cpp:
1621         (JSC::DFG::SpeculativeJIT::cachedGetById):
1622         (JSC::DFG::SpeculativeJIT::cachedPutById):
1623         * dfg/DFGSpeculativeJIT64.cpp:
1624         (JSC::DFG::SpeculativeJIT::cachedGetById):
1625         (JSC::DFG::SpeculativeJIT::cachedPutById):
1626         * jit/CCallHelpers.h:
1627         (JSC::CCallHelpers::setupArgumentsWithExecState):
1628         * jit/JIT.cpp:
1629         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
1630         (JSC::JIT::privateCompile):
1631         * jit/JIT.h:
1632         (JSC::PropertyStubCompilationInfo::slowCaseInfo):
1633         * jit/JITInlines.h:
1634         (JSC::JIT::callOperation):
1635         * jit/JITOperations.cpp:
1636         * jit/JITOperations.h:
1637         * jit/JITPropertyAccess.cpp:
1638         (JSC::JIT::emitSlow_op_get_by_id):
1639         (JSC::JIT::emitSlow_op_put_by_id):
1640         * jit/JITPropertyAccess32_64.cpp:
1641         (JSC::JIT::emitSlow_op_get_by_id):
1642         (JSC::JIT::emitSlow_op_put_by_id):
1643         * jit/Repatch.cpp:
1644         (JSC::appropriateGenericPutByIdFunction):
1645         (JSC::appropriateListBuildingPutByIdFunction):
1646         (JSC::resetPutByID):
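
        The pointer-stability argument in the entry above (an element stored in a growable
        Vector moves when the Vector reallocates, so pointers into it dangle, whereas
        non-moving storage keeps them valid) can be seen in the following stand-alone C++
        program. It is an added illustration, not code from JSC: StubInfo, Bag,
        vectorStorageReallocated and bagPointerStable are constructed stand-ins for
        StructureStubInfo and its non-moving storage, and the element counts are arbitrary.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <utility>
#include <vector>

// Constructed stand-in for JSC's StructureStubInfo: just enough state to mutate
// through a retained pointer.
struct StubInfo {
    std::size_t bytecodeIndex;
    unsigned hitCount;
};

// Minimal non-moving container. Each element lives in its own heap node and is never
// relocated, so the pointer returned by add() stays valid for the Bag's lifetime.
// This is an illustration of the idea, not JSC's own Bag.
template<typename T>
class Bag {
    struct Node {
        T value;
        std::unique_ptr<Node> next;
    };
    std::unique_ptr<Node> m_head;
    std::size_t m_size = 0;

public:
    Bag() = default;
    Bag(const Bag&) = delete;
    Bag& operator=(const Bag&) = delete;
    ~Bag()
    {
        // Unlink iteratively so a long Bag is not destroyed by deep recursion.
        while (m_head)
            m_head = std::move(m_head->next);
    }

    T* add(T value)
    {
        auto node = std::make_unique<Node>();
        node->value = std::move(value);
        node->next = std::move(m_head);
        m_head = std::move(node);
        ++m_size;
        return &m_head->value;
    }
    std::size_t size() const { return m_size; }
};

// Growable-array storage: once push_back exceeds capacity the elements are copied to a
// new block and every pointer into the old one dangles. Returns true if that happened.
bool vectorStorageReallocated(std::size_t count)
{
    std::vector<StubInfo> infos;
    infos.push_back({0, 0});
    std::size_t initialCapacity = infos.capacity();
    for (std::size_t i = 1; i < count; ++i)
        infos.push_back({i, 0});
    return infos.capacity() != initialCapacity;
}

// Non-moving storage: keep the pointer to the first entry across many later additions,
// confirm it still addresses the same intact entry, then mutate through it.
bool bagPointerStable(std::size_t count)
{
    Bag<StubInfo> infos;
    StubInfo* first = infos.add({0, 7});
    for (std::size_t i = 1; i < count; ++i) {
        infos.add({i, 0});
        if (first->bytecodeIndex != 0 || first->hitCount != 7)
            return false;
    }
    ++first->hitCount;
    return infos.size() == count && first->hitCount == 8;
}

int main()
{
    std::printf("vector reallocated after 1024 pushes: %s\n", vectorStorageReallocated(1024) ? "yes" : "no");
    std::printf("bag pointer stable across 1024 adds:  %s\n", bagPointerStable(1024) ? "yes" : "no");
    return 0;
}
```

        Build with a C++14 or later compiler. A pointer retained into the vector across the
        reallocation is the kind of defect AddressSanitizer reports as a heap-use-after-free;
        the Bag's nodes never move, which is why the entry can hand out plain pointers to
        StructureStubInfo.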
1647
1648 2013-10-18  Oliver Hunt  <oliver@apple.com>
1649
1650         Spread operator should be performing direct "puts" and not triggering setters
1651         https://bugs.webkit.org/show_bug.cgi?id=123047
1652
1653         Reviewed by Geoffrey Garen.
1654
1655         Add a new opcode -- op_put_by_val_direct -- and make use of it in the spread
1656         to array construct.  This required a new PutByValDirect node to be introduced to
1657         the DFG.  The current implementation simply changes the slow path function that
1658         is called, but in future this could be made faster as it does not need to check
1659         the prototype chain.
1660
1661         * bytecode/CodeBlock.cpp:
1662         (JSC::CodeBlock::dumpBytecode):
1663         (JSC::CodeBlock::CodeBlock):
1664         * bytecode/Opcode.h:
1665         (JSC::padOpcodeName):
1666         * bytecompiler/BytecodeGenerator.cpp:
1667         (JSC::BytecodeGenerator::emitDirectPutByVal):
1668         * bytecompiler/BytecodeGenerator.h:
1669         * bytecompiler/NodesCodegen.cpp:
1670         (JSC::ArrayNode::emitBytecode):
1671         * dfg/DFGAbstractInterpreterInlines.h:
1672         (JSC::DFG::::executeEffects):
1673         * dfg/DFGBackwardsPropagationPhase.cpp:
1674         (JSC::DFG::BackwardsPropagationPhase::propagate):
1675         * dfg/DFGByteCodeParser.cpp:
1676         (JSC::DFG::ByteCodeParser::parseBlock):
1677         * dfg/DFGCSEPhase.cpp:
1678         (JSC::DFG::CSEPhase::getArrayLengthElimination):
1679         (JSC::DFG::CSEPhase::getByValLoadElimination):
1680         (JSC::DFG::CSEPhase::checkStructureElimination):
1681         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
1682         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
1683         (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
1684         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
1685         (JSC::DFG::CSEPhase::performNodeCSE):
1686         * dfg/DFGCapabilities.cpp:
1687         (JSC::DFG::capabilityLevel):
1688         * dfg/DFGClobberize.h:
1689         (JSC::DFG::clobberize):
1690         * dfg/DFGFixupPhase.cpp:
1691         (JSC::DFG::FixupPhase::fixupNode):
1692         * dfg/DFGGraph.h:
1693         (JSC::DFG::Graph::clobbersWorld):
1694         * dfg/DFGNode.h:
1695         (JSC::DFG::Node::hasArrayMode):
1696         * dfg/DFGNodeType.h:
1697         * dfg/DFGOperations.cpp:
1698         (JSC::DFG::putByVal):
1699         (JSC::DFG::operationPutByValInternal):
1700         * dfg/DFGOperations.h:
1701         * dfg/DFGPredictionPropagationPhase.cpp:
1702         (JSC::DFG::PredictionPropagationPhase::propagate):
1703         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
1704         * dfg/DFGSafeToExecute.h:
1705         (JSC::DFG::safeToExecute):
1706         * dfg/DFGSpeculativeJIT32_64.cpp:
1707         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
1708         (JSC::DFG::SpeculativeJIT::compile):
1709         * dfg/DFGSpeculativeJIT64.cpp:
1710         (JSC::DFG::SpeculativeJIT::compile):
1711         * dfg/DFGTypeCheckHoistingPhase.cpp:
1712         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
1713         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
1714         * jit/JIT.cpp:
1715         (JSC::JIT::privateCompileMainPass):
1716         (JSC::JIT::privateCompileSlowCases):
1717         * jit/JIT.h:
1718         (JSC::JIT::compileDirectPutByVal):
1719         * jit/JITOperations.cpp:
1720         * jit/JITOperations.h:
1721         * jit/JITPropertyAccess.cpp:
1722         (JSC::JIT::emitSlow_op_put_by_val):
1723         (JSC::JIT::privateCompilePutByVal):
1724         * jit/JITPropertyAccess32_64.cpp:
1725         (JSC::JIT::emitSlow_op_put_by_val):
1726         * llint/LLIntSlowPaths.cpp:
1727         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1728         * llint/LLIntSlowPaths.h:
1729         * llint/LowLevelInterpreter32_64.asm:
1730         * llint/LowLevelInterpreter64.asm:
1731
1732 2013-10-18  Daniel Bates  <dabates@apple.com>
1733
1734         [iOS] Export symbol for VM::sharedInstanceExists()
1735         https://bugs.webkit.org/show_bug.cgi?id=123046
1736
1737         Reviewed by Mark Hahnenberg.
1738
1739         * runtime/VM.h:
1740
1741 2013-10-18  Daniel Bates  <dabates@apple.com>
1742
1743         [iOS] Upstream WebSafe{GCActivityCallback, IncrementalSweeper}IOS
1744         https://bugs.webkit.org/show_bug.cgi?id=123049
1745
1746         Reviewed by Mark Hahnenberg.
1747
1748         * heap/Heap.cpp:
1749         (JSC::Heap::setIncrementalSweeper):
1750         * heap/Heap.h:
1751         * heap/HeapTimer.h:
1752         * heap/IncrementalSweeper.h: Make protected and export CF-variant of constructor.
1753         Removed unused include of header RetainPtr.h. Also forward declare class MarkedBlock
1754         (we include its header in the .cpp file) and remove include for header wtf/HashSet.h
1755         (duplicates the include in the .cpp).
1756         * heap/MachineStackMarker.h: Export function makeUsableFromMultipleThreads(). We aren't
1757         making use of this now, but we'll make use of it in a subsequent patch.
1758
1759 2013-10-18  Anders Carlsson  <andersca@apple.com>
1760
1761         Remove spaces between template angle brackets
1762         https://bugs.webkit.org/show_bug.cgi?id=123040
1763
1764         Reviewed by Andreas Kling.
1765
1766         * API/JSCallbackObject.cpp:
1767         (JSC::::create):
1768         * API/JSObjectRef.cpp:
1769         * bytecode/CodeBlock.h:
1770         (JSC::CodeBlock::constants):
1771         (JSC::CodeBlock::setConstantRegisters):
1772         * bytecode/DFGExitProfile.h:
1773         * bytecode/EvalCodeCache.h:
1774         * bytecode/Operands.h:
1775         * bytecode/UnlinkedCodeBlock.h:
1776         (JSC::UnlinkedCodeBlock::constantRegisters):
1777         * bytecode/Watchpoint.h:
1778         * bytecompiler/BytecodeGenerator.h:
1779         * bytecompiler/StaticPropertyAnalysis.h:
1780         * bytecompiler/StaticPropertyAnalyzer.h:
1781         * dfg/DFGArgumentsSimplificationPhase.cpp:
1782         * dfg/DFGBlockInsertionSet.h:
1783         * dfg/DFGCSEPhase.cpp:
1784         (JSC::DFG::performCSE):
1785         (JSC::DFG::performStoreElimination):
1786         * dfg/DFGCommonData.h:
1787         * dfg/DFGDesiredStructureChains.h:
1788         * dfg/DFGDesiredWatchpoints.h:
1789         * dfg/DFGJITCompiler.h:
1790         * dfg/DFGOSRExitCompiler32_64.cpp:
1791         (JSC::DFG::OSRExitCompiler::compileExit):
1792         * dfg/DFGOSRExitCompiler64.cpp:
1793         (JSC::DFG::OSRExitCompiler::compileExit):
1794         * dfg/DFGWorklist.h:
1795         * heap/BlockAllocator.h:
1796         (JSC::CopiedBlock):
1797         (JSC::MarkedBlock):
1798         (JSC::WeakBlock):
1799         (JSC::MarkStackSegment):
1800         (JSC::CopyWorkListSegment):
1801         (JSC::HandleBlock):
1802         * heap/Heap.h:
1803         * heap/Local.h:
1804         * heap/MarkedBlock.h:
1805         * heap/Strong.h:
1806         * jit/AssemblyHelpers.cpp:
1807         (JSC::AssemblyHelpers::decodedCodeMapFor):
1808         * jit/AssemblyHelpers.h:
1809         * jit/SpecializedThunkJIT.h:
1810         * parser/Nodes.h:
1811         * parser/Parser.cpp:
1812         (JSC::::parseIfStatement):
1813         * parser/Parser.h:
1814         (JSC::Scope::copyCapturedVariablesToVector):
1815         (JSC::parse):
1816         * parser/ParserArena.h:
1817         * parser/SourceProviderCacheItem.h:
1818         * profiler/LegacyProfiler.cpp:
1819         (JSC::dispatchFunctionToProfiles):
1820         * profiler/LegacyProfiler.h:
1821         (JSC::LegacyProfiler::currentProfiles):
1822         * profiler/ProfileNode.h:
1823         (JSC::ProfileNode::children):
1824         * profiler/ProfilerDatabase.h:
1825         * runtime/Butterfly.h:
1826         (JSC::Butterfly::contiguousInt32):
1827         (JSC::Butterfly::contiguous):
1828         * runtime/GenericTypedArrayViewInlines.h:
1829         (JSC::::create):
1830         * runtime/Identifier.h:
1831         (JSC::Identifier::add):
1832         * runtime/JSPromise.h:
1833         * runtime/PropertyMapHashTable.h:
1834         * runtime/PropertyNameArray.h:
1835         * runtime/RegExpCache.h:
1836         * runtime/SparseArrayValueMap.h:
1837         * runtime/SymbolTable.h:
1838         * runtime/VM.h:
1839         * tools/CodeProfile.cpp:
1840         (JSC::truncateTrace):
1841         * tools/CodeProfile.h:
1842         * yarr/YarrInterpreter.cpp:
1843         * yarr/YarrInterpreter.h:
1844         (JSC::Yarr::BytecodePattern::BytecodePattern):
1845         * yarr/YarrJIT.cpp:
1846         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
1847         (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
1848         (JSC::Yarr::YarrGenerator::opCompileBody):
1849         * yarr/YarrPattern.cpp:
1850         (JSC::Yarr::YarrPatternConstructor::checkForTerminalParentheses):
1851         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
1852         * yarr/YarrPattern.h:
1853
1854 2013-10-18  Mark Lam  <mark.lam@apple.com>
1855
1856         Remove excess reserved space in ctiTrampoline frames for X86 and X86_64.
1857         https://bugs.webkit.org/show_bug.cgi?id=123037.
1858
1859         Reviewed by Geoffrey Garen.
1860
1861         * jit/JITStubsMSVC64.asm:
1862         * jit/JITStubsX86.h:
1863         * jit/JITStubsX86_64.h:
1864
1865 2013-10-18  Filip Pizlo  <fpizlo@apple.com>
1866
1867         Frequent RELEASE_ASSERT crashes in Structure::checkOffsetConsistency on WebGL swizzler tests
1868         https://bugs.webkit.org/show_bug.cgi?id=121661
1869
1870         Reviewed by Mark Hahnenberg.
1871         
1872         This method shouldn't have been called from the concurrent JIT thread. That's hard to prevent
1873         so I added a return-early check using isCompilationThread().
1874         
1875         Here's why this makes sense. Structure has two ways to tell you about the layout of the objects
1876         it is describing: m_offset and the property table. Most structures only have m_offset and report
1877         null for the property table. If the property table is there, it will tell you additional
1878         information and that information subsumes m_offset - but the m_offset is still there. So, when
1879         we have a property table, we have to keep it in sync with the m_offset. There is a bunch of
1880         machinery to do this.
1881         
1882         Changing the property table only happens on the main thread.
1883         
1884         Because the machinery to change the property table is so complex, especially with respect to
1885         keeping it in sync with m_offset, we have the checkOffsetConsistency method. It's meant to be
1886         called at key points before and after changes to the property table or the offset.
1887
1888         Most clients of Structure who care about object layout, including the concurrent thread, will
1889         want to know m_offset and not the property table. If they want the property table, they will
1890         already be super careful. The concurrent thread has special methods for this, like
1891         Structure::getConcurrently(), which uses fine-grained locking to ensure that it sees a coherent
1892         view of the property table.
1893         
1894         Adding locking to checkOffsetConsistency() is probably a bad idea since that method may be
1895         called when the relevant lock is already held. So, we'd have awkward recursive locking issues.
1896         
1897         But right now, the concurrent JIT thread may call a method, like Structure::outOfLineCapacity(),
1898         which has a call to checkOffsetConsistency(). The call to checkOffsetConsistency() is there
1899         because we have found that it helps quickly identify situations where the property table and
1900         m_offset get out of sync - mainly because code that changes either of those things will usually
1901         also want to know the outOfLineCapacity(). But Structure::outOfLineCapacity() doesn't *actually*
1902         need the property table; it uses the m_offset. The concurrent JIT is correct to call
1903         outOfLineCapacity(), and is right to do so without holding any locks (since in all cases where
1904         it calls outOfLineCapacity() it has already proven that m_offset is immutable). But because
1905         outOfLineCapacity() calls checkOffsetConsistency(), and checkOffsetConsistency() doesn't grab
1906         locks, and that same structure is having its property table modified by the main thread, we end
1907         up with these spurious assertion failures. FWIW, the structure isn't *actually* having *its*
1908         property table modified - instead what happens is that some downstream structure steals the
1909         property table and then starts adding things to it. The concurrent thread loads the property
1910         table before it's stolen, and hence the badness.
1911         
1912         I suspect there are other code paths that lead to the concurrent JIT calling some Structure
1913         method that it is fine and safe to call, but then that method calls checkOffsetConsistency(),
1914         and then you have a possible crash.
1915         
1916         The most sensible solution to this appears to be to make sure that checkOffsetConsistency() is
1917         aware of its uselessness to the concurrent JIT thread. This change makes it return early if
1918         it's in the concurrent JIT.
1919         
1920         * runtime/StructureInlines.h:
1921         (JSC::Structure::checkOffsetConsistency):
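
        The early return the entry describes can be shown with a small C++ model, added
        here and not taken from JSC. Structure, PropertyTable, CompilationThreadScope and
        the two check functions are constructed stand-ins: a thread-local flag replaces
        JSC's isCompilationThread(), and a child structure that shares its parent's table
        stands in for the stale table pointer the concurrent reader loaded just before the
        steal (the real engine clears the parent's pointer). No threads are created; the
        role flag alone reproduces the decision the fix makes.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

// Constructed stand-in for JSC's isCompilationThread(): a thread-local role flag
// that CompilationThreadScope sets for the duration of a scope.
static thread_local bool t_isCompilationThread = false;
static bool isCompilationThread() { return t_isCompilationThread; }

struct CompilationThreadScope {
    CompilationThreadScope() { t_isCompilationThread = true; }
    ~CompilationThreadScope() { t_isCompilationThread = false; }
};

// The optional, richer layout description: one slot offset per property.
struct PropertyTable {
    std::vector<std::size_t> offsets;
    std::size_t lastOffset() const { return offsets.empty() ? 0 : offsets.back(); }
};

// Constructed model of a Structure: m_offset is always present; the table may be
// absent and, when present, must agree with m_offset.
class Structure {
public:
    // Main-thread-only mutation that keeps both descriptions in sync.
    void addProperty()
    {
        if (!m_table)
            m_table = std::make_shared<PropertyTable>();
        ++m_offset;
        m_table->offsets.push_back(m_offset);
    }

    // A downstream structure takes over the table and appends to it. Sharing the
    // pointer (the engine clears the parent's) models the stale view of a reader
    // that loaded the table just before the steal.
    Structure makeChildThatStealsTable() const
    {
        Structure child;
        child.m_table = m_table;
        child.m_offset = m_offset;
        child.addProperty();
        return child;
    }

    // Raw cross-check of the two descriptions, with no thread awareness.
    bool checkOffsetConsistencyUngated() const
    {
        return !m_table || m_table->lastOffset() == m_offset;
    }

    // The fix: the concurrent JIT cannot observe the table coherently without the
    // lock, so on that thread the check reports nothing instead of a false failure.
    bool checkOffsetConsistency() const
    {
        return isCompilationThread() || checkOffsetConsistencyUngated();
    }

    // Needs only m_offset yet, as in the engine, also runs the consistency check;
    // its verdict is reported through checkPassed instead of asserting.
    std::size_t outOfLineCapacity(bool* checkPassed = nullptr) const
    {
        bool ok = checkOffsetConsistency();
        if (checkPassed)
            *checkPassed = ok;
        return m_offset; // simplified: the engine rounds this up to a size class
    }

private:
    std::shared_ptr<PropertyTable> m_table;
    std::size_t m_offset = 0;
};

// The entry's scenario: the parent's view is stale once a child has stolen and grown
// the table. True when the ungated check exposes the mismatch, the gated check on
// the JIT thread does not trip, and the child itself is consistent.
bool gatingSuppressesSpuriousFailure()
{
    Structure parent;
    parent.addProperty();
    parent.addProperty();                                // m_offset 2, table {1, 2}
    Structure child = parent.makeChildThatStealsTable(); // table {1, 2, 3}, parent still 2

    bool staleViewDetected = !parent.checkOffsetConsistencyUngated();
    bool jitThreadCheck = false;
    {
        CompilationThreadScope scope;
        parent.outOfLineCapacity(&jitThreadCheck);       // gated: true, no spurious failure
    }
    return staleViewDetected && jitThreadCheck && child.checkOffsetConsistency();
}

int main()
{
    std::printf("gated check avoids spurious failure: %s\n", gatingSuppressesSpuriousFailure() ? "yes" : "no");
    return 0;
}
```

        The gate is deliberately a return of "nothing to report" rather than a lock:
        as the entry notes, the check runs from paths that may already hold the relevant
        lock, and the concurrent thread only ever needs m_offset, which is immutable by
        the time it is consulted.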
1922
1923 2013-10-18  Daniel Bates  <dabates@apple.com>
1924
1925         Add SPI to disable the garbage collector timer
1926         https://bugs.webkit.org/show_bug.cgi?id=122921
1927
1928         Add null check to Heap::setGarbageCollectionTimerEnabled() that I inadvertently
1929         omitted.
1930
1931         * heap/Heap.cpp:
1932         (JSC::Heap::setGarbageCollectionTimerEnabled):
1933
1934 2013-10-18  Julien Brianceau  <jbriance@cisco.com>
1935
1936         Group 64-bit specific and 32-bit specific callOperation implementations.
1937         https://bugs.webkit.org/show_bug.cgi?id=123024
1938
1939         Reviewed by Michael Saboff.
1940
1941         This is not a big deal, but could be less confusing when reading the code.
1942
1943         * jit/JITInlines.h:
1944         (JSC::JIT::callOperation):
1945         (JSC::JIT::callOperationWithCallFrameRollbackOnException):
1946         (JSC::JIT::callOperationNoExceptionCheck):
1947
1948 2013-10-18  Nadav Rotem  <nrotem@apple.com>
1949
1950         Fix a FlushLiveness problem.
1951         https://bugs.webkit.org/show_bug.cgi?id=122984
1952
1953         Reviewed by Filip Pizlo.
1954
1955         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
1956         (JSC::DFG::FlushLivenessAnalysisPhase::process):
1957
1958 2013-10-18  Michael Saboff  <msaboff@apple.com>
1959
1960         Change native function call stubs to use JIT operations instead of ctiVMHandleException
1961         https://bugs.webkit.org/show_bug.cgi?id=122982
1962
1963         Reviewed by Geoffrey Garen.
1964
1965         Change ctiVMHandleException to operationVMHandleException.  Change all exception operations to
1966         return the catch callFrame and entryPC via vm.callFrameForThrow and vm.targetMachinePCForThrow.
1967         This removed calling convention headaches, fixing https://bugs.webkit.org/show_bug.cgi?id=122980
1968         in the process.
1969
1970         * dfg/DFGJITCompiler.cpp:
1971         (JSC::DFG::JITCompiler::compileExceptionHandlers):
1972         * jit/CCallHelpers.h:
1973         (JSC::CCallHelpers::jumpToExceptionHandler):
1974         * jit/JIT.cpp:
1975         (JSC::JIT::privateCompileExceptionHandlers):
1976         * jit/JIT.h:
1977         * jit/JITExceptions.cpp:
1978         (JSC::genericUnwind):
1979         * jit/JITExceptions.h:
1980         * jit/JITInlines.h:
1981         (JSC::JIT::callOperationNoExceptionCheck):
1982         * jit/JITOpcodes.cpp:
1983         (JSC::JIT::emit_op_throw):
1984         * jit/JITOpcodes32_64.cpp:
1985         (JSC::JIT::privateCompileCTINativeCall):
1986         (JSC::JIT::emit_op_throw):
1987         * jit/JITOperations.cpp:
1988         * jit/JITOperations.h:
1989         * jit/JITStubs.cpp:
1990         * jit/JITStubs.h:
1991         * jit/JITStubsARM.h:
1992         * jit/JITStubsARM64.h:
1993         * jit/JITStubsARMv7.h:
1994         * jit/JITStubsMIPS.h:
1995         * jit/JITStubsMSVC64.asm:
1996         * jit/JITStubsSH4.h:
1997         * jit/JITStubsX86.h:
1998         * jit/JITStubsX86_64.h:
1999         * jit/Repatch.cpp:
2000         (JSC::tryBuildGetByIDList):
2001         * jit/SlowPathCall.h:
2002         (JSC::JITSlowPathCall::call):
2003         * jit/ThunkGenerators.cpp:
2004         (JSC::throwExceptionFromCallSlowPathGenerator):
2005         (JSC::nativeForGenerator):
2006         * runtime/VM.h:
2007         (JSC::VM::callFrameForThrowOffset):
2008         (JSC::VM::targetMachinePCForThrowOffset):
2009
2010 2013-10-18  Julien Brianceau  <jbriance@cisco.com>
2011
2012         Fix J_JITOperation_EAapJ call for MIPS and ARM EABI.
2013         https://bugs.webkit.org/show_bug.cgi?id=123023
2014
2015         Reviewed by Michael Saboff.
2016
2017         * jit/JITInlines.h:
2018         (JSC::JIT::callOperation): EncodedJSValue parameter does not need alignment
2019         using EABI_32BIT_DUMMY_ARG here.
2020
2021 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
2022
2023         Unreviewed, another ARM64 build fix.
2024         
2025         Get rid of andPtr(TrustedImmPtr, blah), since it would take Effort to get it to work
2026         on ARM64 and none of its uses are legit - they should all be using
2027         andPtr(TrustedImm32, blah) anyway.
2028
2029         * assembler/MacroAssembler.h:
2030         * assembler/MacroAssemblerARM64.h:
2031         * dfg/DFGJITCompiler.cpp:
2032         (JSC::DFG::JITCompiler::compileExceptionHandlers):
2033         * jit/JIT.cpp:
2034         (JSC::JIT::privateCompileExceptionHandlers):
2035
2036 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
2037
2038         Unreviewed, speculative ARM64 build fix.
2039         
2040         move(ImmPtr, blah) is only available in MacroAssembler since that's where blinding is
2041         implemented. So, you have to use TrustedImmPtr in the superclasses.
2042
2043         * assembler/MacroAssemblerARM64.h:
2044         (JSC::MacroAssemblerARM64::store8):
2045         (JSC::MacroAssemblerARM64::branchTest8):
2046
2047 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
2048
2049         Unreviewed, speculative ARM build fix.
2050         https://bugs.webkit.org/show_bug.cgi?id=122890
2051         <rdar://problem/15258624>
2052
2053         * assembler/ARM64Assembler.h:
2054         (JSC::ARM64Assembler::firstRegister):
2055         (JSC::ARM64Assembler::lastRegister):
2056         (JSC::ARM64Assembler::firstFPRegister):
2057         (JSC::ARM64Assembler::lastFPRegister):
2058         * assembler/MacroAssemblerARM64.h:
2059         * assembler/MacroAssemblerARMv7.h:
2060
2061 2013-10-17  Andreas Kling  <akling@apple.com>
2062
2063         Pass VM instead of JSGlobalObject to JSONObject constructor.
2064         <https://webkit.org/b/122999>
2065
2066         JSONObject was only using the JSGlobalObject to grab at the VM.
2067         Dodge a few loads by passing the VM directly instead.
2068
2069         Reviewed by Geoffrey Garen.
2070
2071         * runtime/JSONObject.cpp:
2072         (JSC::JSONObject::JSONObject):
2073         (JSC::JSONObject::finishCreation):
2074         * runtime/JSONObject.h:
2075         (JSC::JSONObject::create):
2076
2077 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2078
2079         Removed the JITStackFrame struct
2080         https://bugs.webkit.org/show_bug.cgi?id=123001
2081
2082         Reviewed by Anders Carlsson.
2083
2084         * jit/JITStubs.h: JITStackFrame and JITStubArg are unused now, since all
2085         our helper functions obey the C function call ABI.
2086
2087 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2088
2089         Removed an unused #define
2090         https://bugs.webkit.org/show_bug.cgi?id=123000
2091
2092         Reviewed by Anders Carlsson.
2093
2094         * jit/JITStubs.h: Removed the concept of JITSTACKFRAME_ARGS_INDEX,
2095         since it is unused now. This is a step toward using the C stack.
2096
2097 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2098
2099         Eliminate uses of JITSTACKFRAME_ARGS_INDEX as scratch area for thunks
2100         https://bugs.webkit.org/show_bug.cgi?id=122973
2101
2102         Reviewed by Michael Saboff.
2103
2104         * jit/ThunkGenerators.cpp:
2105         (JSC::throwExceptionFromCallSlowPathGenerator): This was all dead code,
2106         so I removed it.
2107
2108         The code acted as if it needed to pass an argument to
2109         lookupExceptionHandler, and as if it passed that argument to itself
2110         through JITStackFrame. However, lookupExceptionHandler does not take
2111         an argument (other than the default ExecState argument), and the code
2112         did not initialize the thing that it thought it passed to itself!
2113
2114 2013-10-17  Alex Christensen  <achristensen@webkit.org>
2115
2116         Run JavaScriptCore tests again on Windows.
2117         https://bugs.webkit.org/show_bug.cgi?id=122787
2118
2119         Reviewed by Tim Horton.
2120
2121         * JavaScriptCore.vcxproj/JavaScriptCore.sln: Added.
2122         * jit/JITStubsMSVC64.asm: Removed reference to cti_vm_throw unused since r157581.
2123
2124 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2125
2126         Removed restoreArgumentReference (another use of JITStackFrame)
2127         https://bugs.webkit.org/show_bug.cgi?id=122997
2128
2129         Reviewed by Oliver Hunt.
2130
2131         * jit/JSInterfaceJIT.h: Removed an unused function. This is a step
2132         toward using the C stack.
2133
2134 2013-10-17  Oliver Hunt  <oliver@apple.com>
2135
2136         Remove JITStubCall.h
2137         https://bugs.webkit.org/show_bug.cgi?id=122991
2138
2139         Reviewed by Geoff Garen.
2140
2141         Happily, this is no longer used.
2142
2143         * GNUmakefile.list.am:
2144         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2145         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2146         * JavaScriptCore.xcodeproj/project.pbxproj:
2147         * jit/JIT.cpp:
2148         * jit/JITArithmetic.cpp:
2149         * jit/JITArithmetic32_64.cpp:
2150         * jit/JITCall.cpp:
2151         * jit/JITCall32_64.cpp:
2152         * jit/JITOpcodes.cpp:
2153         * jit/JITOpcodes32_64.cpp:
2154         * jit/JITPropertyAccess.cpp:
2155         * jit/JITPropertyAccess32_64.cpp:
2156         * jit/JITStubCall.h: Removed.
2157
2158 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2159
2160         Removed a use of JITSTACKFRAME_ARGS_INDEX
2161         https://bugs.webkit.org/show_bug.cgi?id=122989
2162
2163         Reviewed by Oliver Hunt.
2164
2165         * jit/JITStubCall.h: Removed an unused function. This is one step closer
2166         to using the C stack.
2167
2168 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2169
2170         Change emit_op_catch to use another method to materialize VM
2171         https://bugs.webkit.org/show_bug.cgi?id=122977
2172
2173         Reviewed by Oliver Hunt.
2174
2175         * jit/JITOpcodes.cpp:
2176         (JSC::JIT::emit_op_catch):
2177         * jit/JITOpcodes32_64.cpp:
2178         (JSC::JIT::emit_op_catch): Use a constant. It removes our dependency
2179         on JITStackFrame. It is also faster and simpler.
2180
2181 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2182
2183         Eliminate emitGetJITStubArg() - dead code
2184         https://bugs.webkit.org/show_bug.cgi?id=122975
2185
2186         Reviewed by Anders Carlsson.
2187
2188         * jit/JIT.h:
2189         * jit/JITInlines.h: Removed unused, deprecated function.
2190
2191 2013-10-17  Mark Lam  <mark.lam@apple.com>
2192
2193         Eliminate all ASSERT references to OBJECT_OFFSETOF(struct JITStackFrame,...) in JITStubsXXX.h.
2194         https://bugs.webkit.org/show_bug.cgi?id=122979.
2195
2196         Reviewed by Michael Saboff.
2197
2198         * jit/JITStubs.cpp:
2199         * jit/JITStubs.h:
2200         * jit/JITStubsARM.h:
2201         * jit/JITStubsARM64.h:
2202         * jit/JITStubsARMv7.h:
2203         * jit/JITStubsMIPS.h:
2204         * jit/JITStubsSH4.h:
2205         * jit/JITStubsX86.h:
2206         * jit/JITStubsX86_64.h:
2207         * runtime/VM.cpp:
2208         (JSC::VM::VM):
2209
2210 2013-10-17  Michael Saboff  <msaboff@apple.com>
2211
2212         Remove saving callFrameRegister to JITStackFrame in JITCompiler::compileFunction()
2213         https://bugs.webkit.org/show_bug.cgi?id=122974
2214
2215         Reviewed by Geoffrey Garen.
2216
2217         Eliminated unneeded storing to JITStackFrame.
2218
2219         * dfg/DFGJITCompiler.cpp:
2220         (JSC::DFG::JITCompiler::compileFunction):
2221
2222 2013-10-17  Michael Saboff  <msaboff@apple.com>
2223
2224         Transition cti_op_throw and cti_vm_throw to a JIT operation
2225         https://bugs.webkit.org/show_bug.cgi?id=122931
2226
2227         Reviewed by Filip Pizlo.
2228
2229         Moved cti_op_throw to operationThrow.  Made the caller responsible for jumping to the
2230         catch handler.  Eliminated cti_op_throw_static_error, cti_vm_throw, ctiVMThrowTrampoline()
2231         and their callers as it is now dead code.  There is some work needed on the Microsoft X86
2232         callOperation to handle the need to provide space for a structure return value.
2233
2234         * jit/JIT.h:
2235         * jit/JITInlines.h:
2236         (JSC::JIT::callOperation):
2237         * jit/JITOpcodes.cpp:
2238         (JSC::JIT::emit_op_throw):
2239         * jit/JITOpcodes32_64.cpp:
2240         (JSC::JIT::emit_op_throw):
2241         (JSC::JIT::emit_op_catch):
2242         * jit/JITOperations.cpp:
2243         * jit/JITOperations.h:
2244         * jit/JITStubs.cpp:
2245         * jit/JITStubs.h:
2246         * jit/JITStubsARM.h:
2247         * jit/JITStubsARM64.h:
2248         * jit/JITStubsARMv7.h:
2249         * jit/JITStubsMIPS.h:
2250         * jit/JITStubsMSVC64.asm:
2251         * jit/JITStubsSH4.h:
2252         * jit/JITStubsX86.h:
2253         * jit/JITStubsX86_64.h:
2254         * jit/JSInterfaceJIT.h:
2255
2256 2013-10-17  Mark Lam  <mark.lam@apple.com>
2257
2258         Remove JITStackFrame references in the C Loop LLINT.
2259         https://bugs.webkit.org/show_bug.cgi?id=122950.
2260
2261         Reviewed by Michael Saboff.
2262
2263         * jit/JITStubs.h:
2264         * llint/LowLevelInterpreter.cpp:
2265         (JSC::CLoop::execute):
2266         * offlineasm/cloop.rb:
2267
2268 2013-10-17  Mark Lam  <mark.lam@apple.com>
2269
2270         Remove JITStackFrame references in JIT probes.
2271         https://bugs.webkit.org/show_bug.cgi?id=122947.
2272
2273         Reviewed by Michael Saboff.
2274
2275         * assembler/MacroAssemblerARM.cpp:
2276         (JSC::MacroAssemblerARM::ProbeContext::dump):
2277         * assembler/MacroAssemblerARM.h:
2278         * assembler/MacroAssemblerARMv7.cpp:
2279         (JSC::MacroAssemblerARMv7::ProbeContext::dump):
2280         * assembler/MacroAssemblerARMv7.h:
2281         * assembler/MacroAssemblerX86Common.cpp:
2282         (JSC::MacroAssemblerX86Common::ProbeContext::dump):
2283         * assembler/MacroAssemblerX86Common.h:
2284         * jit/JITStubsARM.h:
2285         * jit/JITStubsARMv7.h:
2286         * jit/JITStubsX86.h:
2287         * jit/JITStubsX86Common.h:
2288         * jit/JITStubsX86_64.h:
2289
2290 2013-10-17  Julien Brianceau  <jbriance@cisco.com>
2291
2292         Fix build when NUMBER_OF_ARGUMENT_REGISTERS == 4.
2293         https://bugs.webkit.org/show_bug.cgi?id=122949
2294
2295         Reviewed by Andreas Kling.
2296
2297         * jit/CCallHelpers.h:
2298         (JSC::CCallHelpers::setupArgumentsWithExecState):
2299
2300 2013-10-16  Mark Lam  <mark.lam@apple.com>
2301
2302         Transition remaining op_get* JITStubs to JIT operations.
2303         https://bugs.webkit.org/show_bug.cgi?id=122925.
2304
2305         Reviewed by Geoffrey Garen.
2306
2307         Transitioning:
2308             cti_op_get_by_id_generic
2309             cti_op_get_by_val
2310             cti_op_get_by_val_generic
2311             cti_op_get_by_val_string
2312
2313         * dfg/DFGOperations.cpp:
2314         * dfg/DFGOperations.h:
2315         * jit/JIT.h:
2316         * jit/JITInlines.h:
2317         (JSC::JIT::callOperation):
2318         * jit/JITOpcodes.cpp:
2319         (JSC::JIT::emitSlow_op_get_arguments_length):
2320         (JSC::JIT::emitSlow_op_get_argument_by_val):
2321         * jit/JITOpcodes32_64.cpp:
2322         (JSC::JIT::emitSlow_op_get_arguments_length):
2323         (JSC::JIT::emitSlow_op_get_argument_by_val):
2324         * jit/JITOperations.cpp:
2325         * jit/JITOperations.h:
2326         * jit/JITPropertyAccess.cpp:
2327         (JSC::JIT::emitSlow_op_get_by_val):
2328         (JSC::JIT::emitSlow_op_get_by_pname):
2329         (JSC::JIT::privateCompileGetByVal):
2330         * jit/JITPropertyAccess32_64.cpp:
2331         (JSC::JIT::emitSlow_op_get_by_val):
2332         (JSC::JIT::emitSlow_op_get_by_pname):
2333         * jit/JITStubs.cpp:
2334         * jit/JITStubs.h:
2335         * runtime/Executable.cpp:
2336         (JSC::setupLLInt): Added some UNUSED_PARAMs to fix the no LLINT build.
2337         * runtime/Options.cpp:
2338         (JSC::Options::initialize):
2339
2340 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2341
2342         Introduce WTF::Bag and start using it for InlineCallFrameSet
2343         https://bugs.webkit.org/show_bug.cgi?id=122941
2344
2345         Reviewed by Geoffrey Garen.
2346         
2347         Use Bag for InlineCallFrameSet. If this works out then I'll make other
2348         SegmentedVectors into Bags as well.
2349
2350         * bytecode/InlineCallFrameSet.cpp:
2351         (JSC::InlineCallFrameSet::add):
2352         * bytecode/InlineCallFrameSet.h:
2353         (JSC::InlineCallFrameSet::begin):
2354         (JSC::InlineCallFrameSet::end):
2355         * dfg/DFGArgumentsSimplificationPhase.cpp:
2356         (JSC::DFG::ArgumentsSimplificationPhase::run):
2357         * dfg/DFGJITCompiler.cpp:
2358         (JSC::DFG::JITCompiler::link):
2359         * dfg/DFGStackLayoutPhase.cpp:
2360         (JSC::DFG::StackLayoutPhase::run):
2361         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
2362         (JSC::DFG::VirtualRegisterAllocationPhase::run):
2363
2364 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2365
2366         libllvmForJSC shouldn't call exit(1) on report_fatal_error()
2367         https://bugs.webkit.org/show_bug.cgi?id=122905
2368         <rdar://problem/15237856>
2369
2370         Reviewed by Michael Saboff.
2371         
2372         Expose the new LLVMInstallFatalErrorHandler() API through the soft linking magic and
2373         then always call it to install something that calls CRASH().
2374
2375         * llvm/InitializeLLVM.cpp:
2376         (JSC::llvmCrash):
2377         (JSC::initializeLLVMOnce):
2378         (JSC::initializeLLVM):
2379         * llvm/LLVMAPIFunctions.h:
2380
2381 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2382
2383         Prototype chain repatching in the polymorphic case fails to check if the receiver is a dictionary
2384         https://bugs.webkit.org/show_bug.cgi?id=122938
2385
2386         Reviewed by Sam Weinig.
2387         
2388         This fixes jsc-layout-tests.yaml/js/script-tests/dictionary-prototype-caching.js.layout-no-llint.
2389
2390         * jit/Repatch.cpp:
2391         (JSC::tryBuildGetByIDList):
2392
2393 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2394
2395         JIT::appendCall() needs to killLastResultRegister() or equivalent since there's some really bad code that expects it
2396         https://bugs.webkit.org/show_bug.cgi?id=122937
2397
2398         Reviewed by Geoffrey Garen.
2399         
2400         JITStubCall used to do it.
2401         
2402         This makes mozilla-tests.yaml/ecma/Statements/12.10-1.js.mozilla-baseline pass.
2403
2404         * jit/JIT.h:
2405         (JSC::JIT::appendCall):
2406
2407 2013-10-16  Michael Saboff  <msaboff@apple.com>
2408
2409         transition void cti_op_put_by_val* stubs to JIT operations
2410         https://bugs.webkit.org/show_bug.cgi?id=122903
2411
2412         Reviewed by Geoffrey Garen.
2413
2414         Transitioned cti_op_put_by_val and cti_op_put_by_val_generic to operationPutByVal and
2415         operationPutByValGeneric.
2416
2417         * jit/CCallHelpers.h:
2418         (JSC::CCallHelpers::setupArgumentsWithExecState):
2419         * jit/JIT.h:
2420         * jit/JITInlines.h:
2421         (JSC::JIT::callOperation):
2422         * jit/JITOperations.cpp:
2423         * jit/JITOperations.h:
2424         * jit/JITPropertyAccess.cpp:
2425         (JSC::JIT::emitSlow_op_put_by_val):
2426         (JSC::JIT::privateCompilePutByVal):
2427         * jit/JITPropertyAccess32_64.cpp:
2428         (JSC::JIT::emitSlow_op_put_by_val):
2429         * jit/JITStubs.cpp:
2430         * jit/JITStubs.h:
2431         * jit/JSInterfaceJIT.h:
2432
2433 2013-10-16  Oliver Hunt  <oliver@apple.com>
2434
2435         Implement ES6 spread operator
2436         https://bugs.webkit.org/show_bug.cgi?id=122911
2437
2438         Reviewed by Michael Saboff.
2439
2440         Implement the ES6 spread operator
2441
2442         This has a little bit of refactoring to move the enumeration logic out of ForOfNode
2443         and into BytecodeGenerator, and then adds the logic to make it nicely callback
2444         driven.
2445
2446         The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
2447         and actually handling the spread.
2448
2449         * bytecompiler/BytecodeGenerator.cpp:
2450         (JSC::BytecodeGenerator::emitNewArray):
2451         (JSC::BytecodeGenerator::emitCall):
2452         (JSC::BytecodeGenerator::emitEnumeration):
2453         * bytecompiler/BytecodeGenerator.h:
2454         * bytecompiler/NodesCodegen.cpp:
2455         (JSC::ArrayNode::emitBytecode):
2456         (JSC::ForOfNode::emitBytecode):
2457         (JSC::SpreadExpressionNode::emitBytecode):
2458         * parser/ASTBuilder.h:
2459         (JSC::ASTBuilder::createSpreadExpression):
2460         * parser/Lexer.cpp:
2461         (JSC::::lex):
2462         * parser/NodeConstructors.h:
2463         (JSC::SpreadExpressionNode::SpreadExpressionNode):
2464         * parser/Nodes.h:
2465         (JSC::ExpressionNode::isSpreadExpression):
2466         (JSC::SpreadExpressionNode::expression):
2467         * parser/Parser.cpp:
2468         (JSC::::parseArrayLiteral):
2469         (JSC::::parseArguments):
2470         (JSC::::parseMemberExpression):
2471         * parser/Parser.h:
2472         (JSC::Parser::getTokenName):
2473         (JSC::Parser::updateErrorMessageSpecialCase):
2474         * parser/ParserTokens.h:
2475         * parser/SyntaxChecker.h:
2476         (JSC::SyntaxChecker::createSpreadExpression):
2477
2478 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2479
2480         Add a useLLInt option to jsc
2481         https://bugs.webkit.org/show_bug.cgi?id=122930
2482
2483         Reviewed by Geoffrey Garen.
2484
2485         * runtime/Executable.cpp:
2486         (JSC::setupLLInt):
2487         (JSC::setupJIT):
2488         (JSC::ScriptExecutable::prepareForExecutionImpl):
2489         * runtime/Options.h:
2490
2491 2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>
2492
2493         Build fix.
2494
2495         Forgot to svn add DeferGC.cpp
2496
2497         * heap/DeferGC.cpp: Added.
2498
2499 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2500
2501         r157411 fails run-javascriptcore-tests when run with Baseline JIT
2502         https://bugs.webkit.org/show_bug.cgi?id=122902
2503
2504         Reviewed by Mark Hahnenberg.
2505         
2506         It turns out that this was a long-standing bug in the DFG PutById repatching logic. It's
2507         not legal to patch if the typeInfo tells you that you can't patch. The old JIT's patching
2508         logic did this right, and the DFG's GetById patching logic did it right; but DFG PutById
2509         didn't. Turns out that there's even a helpful method,
2510         Structure::propertyAccessesAreCacheable(), that will even do all of the checks for you!
2511
2512         * jit/Repatch.cpp:
2513         (JSC::tryCachePutByID):
2514
2515 2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>
2516
2517         llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
2518         https://bugs.webkit.org/show_bug.cgi?id=122667
2519
2520         Reviewed by Geoffrey Garen.
2521
2522         The issue this patch is attempting to fix is that there are places in our codebase
2523         where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
2524         operations that can initiate a garbage collection. Garbage collection then calls 
2525         some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
2526         always necessarily run during garbage collection). This causes a deadlock.
2527  
2528         To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores 
2529         into a thread-local field that indicates that it is unsafe to perform any operation 
2530         that could trigger garbage collection on the current thread. In debug builds, 
2531         ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly 
2532         detect deadlocks.
2533  
2534         This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
2535         which uses the DeferGC mechanism to prevent collections from occurring while the 
2536         lock is held.
2537
2538         * CMakeLists.txt:
2539         * GNUmakefile.list.am:
2540         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2541         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2542         * JavaScriptCore.xcodeproj/project.pbxproj:
2543         * heap/DeferGC.h:
2544         (JSC::DisallowGC::DisallowGC):
2545         (JSC::DisallowGC::~DisallowGC):
2546         (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
2547         (JSC::DisallowGC::initialize):
2548         * jit/Repatch.cpp:
2549         (JSC::repatchPutByID):
2550         (JSC::buildPutByIdList):
2551         * llint/LLIntSlowPaths.cpp:
2552         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2553         * runtime/ConcurrentJITLock.h:
2554         (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
2555         (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
2556         (JSC::ConcurrentJITLockerBase::unlockEarly):
2557         (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
2558         (JSC::GCSafeConcurrentJITLocker::~GCSafeConcurrentJITLocker):
2559         (JSC::GCSafeConcurrentJITLocker::NoDefer::NoDefer):
2560         (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
2561         * runtime/InitializeThreading.cpp:
2562         (JSC::initializeThreadingOnce):
2563         * runtime/JSCellInlines.h:
2564         (JSC::allocateCell):
2565         * runtime/JSSymbolTableObject.h:
2566         (JSC::symbolTablePut):
2567         * runtime/Structure.cpp: materializePropertyMapIfNecessary* now has a problem in that it
2568         can start a garbage collection when the GCSafeConcurrentJITLocker goes out of scope, but 
2569         before the caller has a chance to use the newly created PropertyTable. The garbage collection
2570         clears the PropertyTable, and then the caller uses it assuming it's valid. To avoid this,
2571         we must DeferGC until the caller is done getting the newly materialized PropertyTable from 
2572         the Structure.
2573         (JSC::Structure::materializePropertyMap):
2574         (JSC::Structure::despecifyDictionaryFunction):
2575         (JSC::Structure::changePrototypeTransition):
2576         (JSC::Structure::despecifyFunctionTransition):
2577         (JSC::Structure::attributeChangeTransition):
2578         (JSC::Structure::toDictionaryTransition):
2579         (JSC::Structure::preventExtensionsTransition):
2580         (JSC::Structure::takePropertyTableOrCloneIfPinned):
2581         (JSC::Structure::isSealed):
2582         (JSC::Structure::isFrozen):
2583         (JSC::Structure::addPropertyWithoutTransition):
2584         (JSC::Structure::removePropertyWithoutTransition):
2585         (JSC::Structure::get):
2586         (JSC::Structure::despecifyFunction):
2587         (JSC::Structure::despecifyAllFunctions):
2588         (JSC::Structure::putSpecificValue):
2589         (JSC::Structure::createPropertyMap):
2590         (JSC::Structure::getPropertyNamesFromStructure):
2591         * runtime/Structure.h:
2592         (JSC::Structure::materializePropertyMapIfNecessary):
2593         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
2594         * runtime/StructureInlines.h:
2595         (JSC::Structure::get):
2596         * runtime/SymbolTable.h:
2597         (JSC::SymbolTable::find):
2598         (JSC::SymbolTable::end):
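
The DisallowGC / DeferGC / locker scheme this entry describes, as an added C++ illustration that is not JavaScriptCore's own code: all names (gcguards, Heap, Scenario, the status enum) are hypothetical, and a collection that would deadlock is reported as a status rather than blocking.

```cpp
// Added illustration (not JavaScriptCore's code) of the DisallowGC / DeferGC / locker
// scheme from the entry above; a collection that would deadlock is reported instead.
#include <mutex>
#include <vector>

namespace gcguards { // all names below are hypothetical
// Per-thread depths: disallow > 0 means a collection would re-enter a lock this
// thread holds; defer > 0 means collections are postponed, not forbidden.
thread_local unsigned gcDisallowDepth = 0;
thread_local unsigned gcDeferDepth = 0;
struct DisallowGC {
    DisallowGC() { ++gcDisallowDepth; }
    ~DisallowGC() { --gcDisallowDepth; }
    static bool isGCDisallowedOnCurrentThread() { return gcDisallowDepth > 0; }
};

struct Structure { std::vector<int> propertyTable; }; // dropped by every collection
enum class AllocStatus { Allocated, Collected, WouldDeadlock, Deferred };
struct Heap {
    std::mutex jitLock;                 // stands in for the ConcurrentJITLock
    std::vector<Structure*> structures;
    unsigned bytesSinceGC = 0;
    const unsigned budget = 64;         // allocating this much makes a collection due
    bool collectionPending = false;

    void collect() { // takes the JIT lock, like the CodeBlock methods the collector calls
        std::lock_guard<std::mutex> guard(jitLock);
        for (Structure* s : structures)
            s->propertyTable.clear();
        bytesSinceGC = 0;
        collectionPending = false;
    }

    AllocStatus allocate(unsigned bytes) {
        bytesSinceGC += bytes;
        if (bytesSinceGC < budget)
            return AllocStatus::Allocated;
        if (DisallowGC::isGCDisallowedOnCurrentThread())
            return AllocStatus::WouldDeadlock; // a debug build asserts here
        if (gcDeferDepth > 0) {
            collectionPending = true;          // runs when the last DeferGC ends
            return AllocStatus::Deferred;
        }
        collect();
        return AllocStatus::Collected;
    }
};

struct DeferGC {
    Heap& heap;
    explicit DeferGC(Heap& h) : heap(h) { ++gcDeferDepth; }
    ~DeferGC() { if (--gcDeferDepth == 0 && heap.collectionPending) heap.collect(); }
};

// Debug-style locker: an allocation that needs a collection while held is a bug.
struct ConcurrentJITLocker {
    std::unique_lock<std::mutex> lock;
    DisallowGC disallow;
    explicit ConcurrentJITLocker(Heap& h) : lock(h.jitLock) {}
};

// GC-safe locker: members die in reverse order, so the lock is released before
// the DeferGC destructor runs the pending collection (which re-takes the lock).
struct GCSafeConcurrentJITLocker {
    DeferGC defer;
    std::unique_lock<std::mutex> lock;
    explicit GCSafeConcurrentJITLocker(Heap& h) : defer(h), lock(h.jitLock) {}
};

AllocStatus allocateUnderPlainLock() {
    Heap heap;
    ConcurrentJITLocker locker(heap);
    return heap.allocate(heap.budget); // collection due: reported, not deadlocked
}

// Build the table under the GC-safe locker; the allocation queues a collection.
void materializePropertyMap(Heap& heap, Structure& s) {
    GCSafeConcurrentJITLocker locker(heap);
    if (s.propertyTable.empty())
        s.propertyTable = {1, 2, 3};
    heap.allocate(heap.budget);
}
struct Scenario { Heap heap; Structure s; Scenario() { heap.structures.push_back(&s); } };

// Hazard from the entry: the queued collection runs as soon as the locker inside
// materializePropertyMap dies, before the caller has read the table.
unsigned materializeThenUseUnsafe() {
    Scenario sc;
    materializePropertyMap(sc.heap, sc.s);
    return sc.s.propertyTable.size(); // 0: cleared by the collection
}

// Fix: the caller's own DeferGC outlives that locker, so the collection waits.
unsigned materializeThenUseSafe() {
    Scenario sc;
    DeferGC defer(sc.heap);
    materializePropertyMap(sc.heap, sc.s);
    return sc.s.propertyTable.size(); // 3: still valid while the caller uses it
}
} // namespace gcguards
```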
2599
2600 2013-10-16  Daniel Bates  <dabates@apple.com>
2601
2602         Add SPI to disable the garbage collector timer
2603         https://bugs.webkit.org/show_bug.cgi?id=122921
2604
2605         Reviewed by Geoffrey Garen.
2606
2607         Based on a patch by Mark Hahnenberg.
2608
2609         * API/JSBase.cpp:
2610         (JSDisableGCTimer): Added; SPI function.
2611         * API/JSBasePrivate.h:
2612         * heap/BlockAllocator.cpp:
2613         (JSC::createBlockFreeingThread): Added.
2614         (JSC::BlockAllocator::BlockAllocator): Modified to use JSC::createBlockFreeingThread()
2615         to conditionally create the "block freeing" thread depending on the value of
2616         GCActivityCallback::s_shouldCreateGCTimer.
2617         (JSC::BlockAllocator::~BlockAllocator):
2618         * heap/BlockAllocator.h:
2619         (JSC::BlockAllocator::deallocate):
2620         * heap/Heap.cpp:
2621         (JSC::Heap::didAbandon):
2622         (JSC::Heap::collect):
2623         (JSC::Heap::didAllocate):
2624         * heap/HeapTimer.cpp:
2625         (JSC::HeapTimer::timerDidFire):
2626         * runtime/GCActivityCallback.cpp:
2627         * runtime/GCActivityCallback.h:
2628         (JSC::DefaultGCActivityCallback::create): Only instantiate a DefaultGCActivityCallback object
2629         when GCActivityCallback::s_shouldCreateGCTimer is true so as to prevent allocating a HeapTimer
2630         object (since DefaultGCActivityCallback ultimately extends HeapTimer).
2631
2632 2013-10-16  Commit Queue  <commit-queue@webkit.org>
2633
2634         Unreviewed, rolling out r157529.
2635         http://trac.webkit.org/changeset/157529
2636         https://bugs.webkit.org/show_bug.cgi?id=122919
2637
2638         Caused score test failures and some build failures. (Requested
2639         by rfong on #webkit).
2640
2641         * bytecompiler/BytecodeGenerator.cpp:
2642         (JSC::BytecodeGenerator::emitNewArray):
2643         (JSC::BytecodeGenerator::emitCall):
2644         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
2645         * bytecompiler/BytecodeGenerator.h:
2646         * bytecompiler/NodesCodegen.cpp:
2647         (JSC::ArrayNode::emitBytecode):
2648         (JSC::CallArguments::CallArguments):
2649         (JSC::ForOfNode::emitBytecode):
2650         (JSC::BindingNode::collectBoundIdentifiers):
2651         * parser/ASTBuilder.h:
2652         * parser/Lexer.cpp:
2653         (JSC::::lex):
2654         * parser/NodeConstructors.h:
2655         (JSC::DotAccessorNode::DotAccessorNode):
2656         * parser/Nodes.h:
2657         * parser/Parser.cpp:
2658         (JSC::::parseArrayLiteral):
2659         (JSC::::parseArguments):
2660         (JSC::::parseMemberExpression):
2661         * parser/Parser.h:
2662         (JSC::Parser::getTokenName):
2663         (JSC::Parser::updateErrorMessageSpecialCase):
2664         * parser/ParserTokens.h:
2665         * parser/SyntaxChecker.h:
2666
2667 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
2668
2669         Remove useless architecture specific implementation in DFG.
2670         https://bugs.webkit.org/show_bug.cgi?id=122917.
2671
2672         Reviewed by Michael Saboff.
2673
2674         With CPU(ARM) && CPU(ARM_HARDFP) architecture, the fallback implementation is fine
2675         as FPRInfo::argumentFPR0 == FPRInfo::returnValueFPR in this case.
2676
2677         * dfg/DFGSpeculativeJIT.h:
2678
2679 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
2680
2681         Remove unused JIT::restoreArgumentReferenceForTrampoline function.
2682         https://bugs.webkit.org/show_bug.cgi?id=122916.
2683
2684         Reviewed by Michael Saboff.
2685
2686         This architecture specific function is not used anymore, so get rid of it.
2687
2688         * jit/JIT.h:
2689         * jit/JITInlines.h:
2690
2691 2013-10-16  Oliver Hunt  <oliver@apple.com>
2692
2693         Implement ES6 spread operator
2694         https://bugs.webkit.org/show_bug.cgi?id=122911
2695
2696         Reviewed by Michael Saboff.
2697
2698         Implement the ES6 spread operator
2699
2700         This has a little bit of refactoring to move the enumeration logic out of ForOfNode
2701         and into BytecodeGenerator, and then adds the logic to make it nicely callback
2702         driven.
2703
2704         The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
2705         and actually handling the spread.
2706
2707         * bytecompiler/BytecodeGenerator.cpp:
2708         (JSC::BytecodeGenerator::emitNewArray):
2709         (JSC::BytecodeGenerator::emitCall):
2710         (JSC::BytecodeGenerator::emitEnumeration):
2711         * bytecompiler/BytecodeGenerator.h:
2712         * bytecompiler/NodesCodegen.cpp:
2713         (JSC::ArrayNode::emitBytecode):
2714         (JSC::ForOfNode::emitBytecode):
2715         (JSC::SpreadExpressionNode::emitBytecode):
2716         * parser/ASTBuilder.h:
2717         (JSC::ASTBuilder::createSpreadExpression):
2718         * parser/Lexer.cpp:
2719         (JSC::::lex):
2720         * parser/NodeConstructors.h:
2721         (JSC::SpreadExpressionNode::SpreadExpressionNode):
2722         * parser/Nodes.h:
2723         (JSC::ExpressionNode::isSpreadExpression):
2724         (JSC::SpreadExpressionNode::expression):
2725         * parser/Parser.cpp:
2726         (JSC::::parseArrayLiteral):
2727         (JSC::::parseArguments):
2728         (JSC::::parseMemberExpression):
2729         * parser/Parser.h:
2730         (JSC::Parser::getTokenName):
2731         (JSC::Parser::updateErrorMessageSpecialCase):
2732         * parser/ParserTokens.h:
2733         * parser/SyntaxChecker.h:
2734         (JSC::SyntaxChecker::createSpreadExpression):
2735
2736 2013-10-16  Mark Lam  <mark.lam@apple.com>
2737
2738         Transition void cti_op_tear_off* methods to JIT operations for 32 bit.
2739         https://bugs.webkit.org/show_bug.cgi?id=122899.
2740
2741         Reviewed by Michael Saboff.
2742
2743         * jit/JITOpcodes32_64.cpp:
2744         (JSC::JIT::emit_op_tear_off_activation):
2745         (JSC::JIT::emit_op_tear_off_arguments):
2746         * jit/JITStubs.cpp:
2747         * jit/JITStubs.h:
2748
2749 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
2750
2751         Remove more of the UNINTERRUPTED_SEQUENCE thing
2752         https://bugs.webkit.org/show_bug.cgi?id=122885
2753
2754         Reviewed by Andreas Kling.
2755
2756         It was not completely removed by r157481, leading to build failure for sh4 architecture.
2757
2758         * jit/JIT.h:
2759         * jit/JITInlines.h:
2760
2761 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
2762
2763         Get rid of the StructureStubInfo::patch union
2764         https://bugs.webkit.org/show_bug.cgi?id=122877
2765
2766         Reviewed by Sam Weinig.
2767         
2768         Just simplifying code by getting rid of data structures that ain't used no more.
2769         
2770         Note that I replace the patch union with a patch struct. This means we say things like
2771         stubInfo.patch.valueGPR instead of stubInfo.valueGPR. I think that this extra
2772         encapsulation makes the code more readable: the patch struct contains just those things
2773         that you need to know to perform patching.
2774
2775         * bytecode/StructureStubInfo.h:
2776         * dfg/DFGJITCompiler.cpp:
2777         (JSC::DFG::JITCompiler::link):
2778         * jit/JIT.cpp:
2779         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
2780         * jit/Repatch.cpp:
2781         (JSC::repatchByIdSelfAccess):
2782         (JSC::replaceWithJump):
2783         (JSC::linkRestoreScratch):
2784         (JSC::generateProtoChainAccessStub):
2785         (JSC::tryCacheGetByID):
2786         (JSC::getPolymorphicStructureList):
2787         (JSC::patchJumpToGetByIdStub):
2788         (JSC::tryBuildGetByIDList):
2789         (JSC::emitPutReplaceStub):
2790         (JSC::emitPutTransitionStub):
2791         (JSC::tryCachePutByID):
2792         (JSC::tryBuildPutByIdList):
2793         (JSC::tryRepatchIn):
2794         (JSC::resetGetByID):
2795         (JSC::resetPutByID):
2796         (JSC::resetIn):
2797
2798 2013-10-15  Nadav Rotem  <nrotem@apple.com>
2799
2800         FTL: add support for Int52ToValue and fix putByVal of int52s.
2801         https://bugs.webkit.org/show_bug.cgi?id=122873
2802
2803         Reviewed by Filip Pizlo.
2804
2805         * ftl/FTLCapabilities.cpp:
2806         (JSC::FTL::canCompile):
2807         * ftl/FTLLowerDFGToLLVM.cpp:
2808         (JSC::FTL::LowerDFGToLLVM::compileNode):
2809         (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue):
2810         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2811
2812 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
2813
2814         Get rid of the UNINTERRUPTED_SEQUENCE thing
2815         https://bugs.webkit.org/show_bug.cgi?id=122876
2816
2817         Reviewed by Mark Hahnenberg.
2818         
2819         It doesn't make sense anymore. We now use the DFG's IC logic, which never needed that.
2820         
2821         Moreover, we should resist the temptation to bring anything like this back. We don't
2822         want to have inline caches that only work if the assembler lays out code in a specific
2823         predetermined way.
2824
2825         * jit/JIT.h:
2826         * jit/JITCall.cpp:
2827         (JSC::JIT::compileOpCall):
2828         * jit/JITCall32_64.cpp:
2829         (JSC::JIT::compileOpCall):
2830
2831 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
2832
2833         Baseline JIT should use the DFG GetById IC
2834         https://bugs.webkit.org/show_bug.cgi?id=122861
2835
2836         Reviewed by Oliver Hunt.
2837         
2838         This mostly just kills a ton of code.
2839         
2840         Note that this doesn't yet do all of the simplifications that can be done, but it does
2841         kill dead code. I'll have another change to simplify StructureStubInfo's unions and such.
2842
2843         * bytecode/CodeBlock.cpp:
2844         (JSC::CodeBlock::resetStubInternal):
2845         * jit/JIT.cpp:
2846         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
2847         * jit/JIT.h:
2848         (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
2849         * jit/JITInlines.h:
2850         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
2851         (JSC::JIT::callOperation):
2852         * jit/JITPropertyAccess.cpp:
2853         (JSC::JIT::compileGetByIdHotPath):
2854         (JSC::JIT::emitSlow_op_get_by_id):
2855         (JSC::JIT::emitSlow_op_get_from_scope):
2856         * jit/JITPropertyAccess32_64.cpp:
2857         (JSC::JIT::compileGetByIdHotPath):
2858         (JSC::JIT::emitSlow_op_get_by_id):
2859         (JSC::JIT::emitSlow_op_get_from_scope):
2860         * jit/JITStubs.cpp:
2861         * jit/JITStubs.h:
2862         * jit/Repatch.cpp:
2863         (JSC::repatchGetByID):
2864         (JSC::buildGetByIDList):
2865         * jit/ThunkGenerators.cpp:
2866         * jit/ThunkGenerators.h:
2867
2868 2013-10-15  Dean Jackson  <dino@apple.com>
2869
2870         Add ENABLE_WEB_ANIMATIONS flag
2871         https://bugs.webkit.org/show_bug.cgi?id=122871
2872
2873         Reviewed by Tim Horton.
2874
2875         Eventually might be http://dev.w3.org/fxtf/web-animations/
2876         but this is just engine-internal work at the moment.
2877
2878         * Configurations/FeatureDefines.xcconfig:
2879
2880 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
2881
2882         [sh4] Some calls don't match sh4 ABI.
2883         https://bugs.webkit.org/show_bug.cgi?id=122863
2884
2885         Reviewed by Michael Saboff.
2886
2887         * dfg/DFGSpeculativeJIT.h:
2888         (JSC::DFG::SpeculativeJIT::callOperation):
2889         * jit/CCallHelpers.h:
2890         (JSC::CCallHelpers::setupArgumentsWithExecState):
2891         * jit/JITInlines.h:
2892         (JSC::JIT::callOperation):
2893
2894 2013-10-15  Daniel Bates  <dabates@apple.com>
2895
2896         [iOS] Upstream JavaScriptCore support for ARM64
2897         https://bugs.webkit.org/show_bug.cgi?id=122762
2898
2899         Reviewed by Oliver Hunt and Filip Pizlo.
2900
2901         * Configurations/Base.xcconfig:
2902         * Configurations/DebugRelease.xcconfig:
2903         * Configurations/JavaScriptCore.xcconfig:
2904         * Configurations/ToolExecutable.xcconfig:
2905         * JavaScriptCore.xcodeproj/project.pbxproj:
2906         * assembler/ARM64Assembler.h: Added.
2907         * assembler/AbstractMacroAssembler.h:
2908         (JSC::isARM64):
2909         (JSC::AbstractMacroAssembler::Label::Label):
2910         (JSC::AbstractMacroAssembler::Jump::Jump):
2911         (JSC::AbstractMacroAssembler::Jump::link):
2912         (JSC::AbstractMacroAssembler::Jump::linkTo):
2913         (JSC::AbstractMacroAssembler::CachedTempRegister::CachedTempRegister):
2914         (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDInvalidate):
2915         (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDNoInvalidate):
2916         (JSC::AbstractMacroAssembler::CachedTempRegister::value):
2917         (JSC::AbstractMacroAssembler::CachedTempRegister::setValue):
2918         (JSC::AbstractMacroAssembler::CachedTempRegister::invalidate):
2919         (JSC::AbstractMacroAssembler::invalidateAllTempRegisters):
2920         (JSC::AbstractMacroAssembler::isTempRegisterValid):
2921         (JSC::AbstractMacroAssembler::clearTempRegisterValid):
2922         (JSC::AbstractMacroAssembler::setTempRegisterValid):
2923         * assembler/LinkBuffer.cpp:
2924         (JSC::LinkBuffer::copyCompactAndLinkCode):
2925         (JSC::LinkBuffer::linkCode):
2926         * assembler/LinkBuffer.h:
2927         * assembler/MacroAssembler.h:
2928         (JSC::MacroAssembler::isPtrAlignedAddressOffset):
2929         (JSC::MacroAssembler::pushToSave):
2930         (JSC::MacroAssembler::popToRestore):
2931         (JSC::MacroAssembler::patchableBranchTest32):
2932         * assembler/MacroAssemblerARM64.h: Added.
2933         * assembler/MacroAssemblerARMv7.h:
2934         * dfg/DFGFixupPhase.cpp:
2935         (JSC::DFG::FixupPhase::fixupNode):
2936         * dfg/DFGOSRExitCompiler32_64.cpp:
2937         (JSC::DFG::OSRExitCompiler::compileExit):
2938         * dfg/DFGOSRExitCompiler64.cpp:
2939         (JSC::DFG::OSRExitCompiler::compileExit):
2940         * dfg/DFGSpeculativeJIT.cpp:
2941         (JSC::DFG::SpeculativeJIT::compileArithDiv):
2942         (JSC::DFG::SpeculativeJIT::compileArithMod):
2943         * disassembler/ARM64/A64DOpcode.cpp: Added.
2944         * disassembler/ARM64/A64DOpcode.h: Added.
2945         * disassembler/ARM64Disassembler.cpp: Added.
2946         * heap/MachineStackMarker.cpp:
2947         (JSC::getPlatformThreadRegisters):
2948         (JSC::otherThreadStackPointer):
2949         * heap/Region.h:
2950         * jit/AssemblyHelpers.h:
2951         (JSC::AssemblyHelpers::debugCall):
2952         * jit/CCallHelpers.h:
2953         * jit/ExecutableAllocator.h:
2954         * jit/FPRInfo.h:
2955         (JSC::FPRInfo::toRegister):
2956         (JSC::FPRInfo::toIndex):
2957         (JSC::FPRInfo::debugName):
2958         * jit/GPRInfo.h:
2959         (JSC::GPRInfo::toRegister):
2960         (JSC::GPRInfo::toIndex):
2961         (JSC::GPRInfo::debugName):
2962         * jit/JITInlines.h:
2963         (JSC::JIT::restoreArgumentReferenceForTrampoline):
2964         * jit/JITOperationWrappers.h:
2965         * jit/JITOperations.cpp:
2966         * jit/JITStubs.cpp:
2967         (JSC::performPlatformSpecificJITAssertions):
2968         (JSC::tryCachePutByID):
2969         * jit/JITStubs.h:
2970         (JSC::JITStackFrame::returnAddressSlot):
2971         * jit/JITStubsARM64.h: Added.
2972         * jit/JSInterfaceJIT.h:
2973         * jit/Repatch.cpp:
2974         (JSC::emitRestoreScratch):
2975         (JSC::generateProtoChainAccessStub):
2976         (JSC::tryCacheGetByID):
2977         (JSC::emitPutReplaceStub):
2978         (JSC::tryCachePutByID):
2979         (JSC::tryRepatchIn):
2980         * jit/ScratchRegisterAllocator.h:
2981         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
2982         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
2983         * jit/ThunkGenerators.cpp:
2984         (JSC::nativeForGenerator):
2985         (JSC::floorThunkGenerator):
2986         (JSC::ceilThunkGenerator):
2987         * jsc.cpp:
2988         (main):
2989         * llint/LLIntOfflineAsmConfig.h:
2990         * llint/LLIntSlowPaths.cpp:
2991         (JSC::LLInt::handleHostCall):
2992         * llint/LowLevelInterpreter.asm:
2993         * llint/LowLevelInterpreter64.asm:
2994         * offlineasm/arm.rb:
2995         * offlineasm/arm64.rb: Added.
2996         * offlineasm/backends.rb:
2997         * offlineasm/instructions.rb:
2998         * offlineasm/risc.rb:
2999         * offlineasm/transform.rb:
3000         * yarr/YarrJIT.cpp:
3001         (JSC::Yarr::YarrGenerator::alignCallFrameSizeInBytes):
3002         (JSC::Yarr::YarrGenerator::initCallFrame):
3003         (JSC::Yarr::YarrGenerator::removeCallFrame):
3004         (JSC::Yarr::YarrGenerator::generateEnter):
3005         * yarr/YarrJIT.h:
3006
3007 2013-10-15  Mark Lam  <mark.lam@apple.com>
3008
3009         Fix 3 operand sub operation in C loop LLINT.
3010         https://bugs.webkit.org/show_bug.cgi?id=122866.
3011
3012         Reviewed by Geoffrey Garen.
3013
3014         * offlineasm/cloop.rb:
3015
3016 2013-10-15  Mark Hahnenberg  <mhahnenberg@apple.com>
3017
3018         ObjCCallbackFunctionImpl shouldn't store a JSContext
3019         https://bugs.webkit.org/show_bug.cgi?id=122531
3020
3021         Reviewed by Geoffrey Garen.
3022
3023         The m_context field in ObjCCallbackFunctionImpl is vestigial and is only incidentally correct 
3024         in the common case. It's also no longer necessary in that we can look up the current JSContext 
3025         by looking using the globalObject of the callee when the function callback is invoked.
3026  
3027         Also added a new test that would cause us to crash previously. The test required making 
3028         JSContextGetGlobalContext public API so that clients can obtain a JSContext from the JSContextRef
3029         in C API callbacks.
3030
3031         * API/JSContextRef.h:
3032         * API/JSContextRefPrivate.h:
3033         * API/ObjCCallbackFunction.mm:
3034         (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
3035         (JSC::objCCallbackFunctionCallAsFunction):
3036         (objCCallbackFunctionForInvocation):
3037         * API/WebKitAvailability.h:
3038         * API/tests/CurrentThisInsideBlockGetterTest.h: Added.
3039         * API/tests/CurrentThisInsideBlockGetterTest.mm: Added.
3040         (CallAsConstructor):
3041         (ConstructorFinalize):
3042         (ConstructorClass):
3043         (+[JSValue valueWithConstructorDescriptor:inContext:]):
3044         (-[JSContext valueWithConstructorDescriptor:]):
3045         (currentThisInsideBlockGetterTest):
3046         * API/tests/testapi.mm:
3047         * JavaScriptCore.xcodeproj/project.pbxproj:
3048         * debugger/Debugger.cpp: Had to add some fully qualified names to avoid conflicts with Mac OS X headers.
3049
3050 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
3051
3052         Fix build after r157457 for architecture with 4 argument registers.
3053         https://bugs.webkit.org/show_bug.cgi?id=122860
3054
3055         Reviewed by Michael Saboff.
3056
3057         * jit/CCallHelpers.h:
3058         (JSC::CCallHelpers::setupStubArguments134):
3059
3060 2013-10-14  Michael Saboff  <msaboff@apple.com>
3061
3062         transition void cti_op_* methods to JIT operations.
3063         https://bugs.webkit.org/show_bug.cgi?id=122617
3064
3065         Reviewed by Geoffrey Garen.
3066
3067         Converted the follow stubs to JIT operations:
3068             cti_handle_watchdog_timer
3069             cti_op_debug
3070             cti_op_pop_scope
3071             cti_op_profile_did_call
3072             cti_op_profile_will_call
3073             cti_op_put_by_index
3074             cti_op_put_getter_setter
3075             cti_op_tear_off_activation
3076             cti_op_tear_off_arguments
3077             cti_op_throw_static_error
3078             cti_optimize
3079
3080         * dfg/DFGOperations.cpp:
3081         * dfg/DFGOperations.h:
3082         * jit/CCallHelpers.h:
3083         (JSC::CCallHelpers::setupArgumentsWithExecState):
3084         (JSC::CCallHelpers::setupThreeStubArgsGPR):
3085         (JSC::CCallHelpers::setupStubArguments):
3086         (JSC::CCallHelpers::setupStubArguments134):
3087         * jit/JIT.cpp:
3088         (JSC::JIT::emitEnterOptimizationCheck):
3089         * jit/JIT.h:
3090         * jit/JITInlines.h:
3091         (JSC::JIT::callOperation):
3092         * jit/JITOpcodes.cpp:
3093         (JSC::JIT::emit_op_tear_off_activation):
3094         (JSC::JIT::emit_op_tear_off_arguments):
3095         (JSC::JIT::emit_op_push_with_scope):
3096         (JSC::JIT::emit_op_pop_scope):
3097         (JSC::JIT::emit_op_push_name_scope):
3098         (JSC::JIT::emit_op_throw_static_error):
3099         (JSC::JIT::emit_op_debug):
3100         (JSC::JIT::emit_op_profile_will_call):
3101         (JSC::JIT::emit_op_profile_did_call):
3102         (JSC::JIT::emitSlow_op_loop_hint):
3103         * jit/JITOpcodes32_64.cpp:
3104         (JSC::JIT::emit_op_push_with_scope):
3105         (JSC::JIT::emit_op_pop_scope):
3106         (JSC::JIT::emit_op_push_name_scope):
3107         (JSC::JIT::emit_op_throw_static_error):
3108         (JSC::JIT::emit_op_debug):
3109         (JSC::JIT::emit_op_profile_will_call):
3110         (JSC::JIT::emit_op_profile_did_call):
3111         * jit/JITOperations.cpp:
3112         * jit/JITOperations.h:
3113         * jit/JITPropertyAccess.cpp:
3114         (JSC::JIT::emit_op_put_by_index):
3115         (JSC::JIT::emit_op_put_getter_setter):
3116         * jit/JITPropertyAccess32_64.cpp:
3117         (JSC::JIT::emit_op_put_by_index):
3118         (JSC::JIT::emit_op_put_getter_setter):
3119         * jit/JITStubs.cpp:
3120         * jit/JITStubs.h:
3121
3122 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
3123
3124         [sh4] Introduce const pools in LLINT.
3125         https://bugs.webkit.org/show_bug.cgi?id=122746
3126
3127         Reviewed by Michael Saboff.
3128
3129         In current implementation of LLINT for sh4, immediate values outside range -128..127 are
3130         loaded this way:
3131
3132             mov.l .label, rx
3133             bra out
3134             nop
3135             .balign 4
3136             .label: .long immvalue
3137             out:
3138
3139         This change introduces const pools for sh4 implementation to avoid lots of useless branches
3140         and reduce code size. It also removes lines of dirty code, like jmpf and callf.
3141
3142         * offlineasm/instructions.rb: Remove jmpf and callf sh4 specific instructions.
3143         * offlineasm/sh4.rb:
3144
3145 2013-10-15  Mark Lam  <mark.lam@apple.com>
3146
3147         Fix broken C Loop LLINT build.
3148         https://bugs.webkit.org/show_bug.cgi?id=122839.
3149
3150         Reviewed by Michael Saboff.
3151
3152         * dfg/DFGFlushedAt.cpp:
3153         * jit/JITOperations.h:
3154
3155 2013-10-14  Mark Lam  <mark.lam@apple.com>
3156
3157         Transition *switch* and *scope* JITStubs to JIT operations.
3158         https://bugs.webkit.org/show_bug.cgi?id=122757.
3159
3160         Reviewed by Geoffrey Garen.
3161
3162         Transitioning:
3163             cti_op_switch_char
3164             cti_op_switch_imm
3165             cti_op_switch_string
3166             cti_op_resolve_scope
3167             cti_op_get_from_scope
3168             cti_op_put_to_scope
3169
3170         * jit/JIT.h:
3171         * jit/JITInlines.h:
3172         (JSC::JIT::callOperation):
3173         * jit/JITOpcodes.cpp:
3174         (JSC::JIT::emit_op_switch_imm):
3175         (JSC::JIT::emit_op_switch_char):
3176         (JSC::JIT::emit_op_switch_string):
3177         * jit/JITOpcodes32_64.cpp:
3178         (JSC::JIT::emit_op_switch_imm):
3179         (JSC::JIT::emit_op_switch_char):
3180         (JSC::JIT::emit_op_switch_string):
3181         * jit/JITOperations.cpp:
3182         * jit/JITOperations.h:
3183         * jit/JITPropertyAccess.cpp:
3184         (JSC::JIT::emitSlow_op_resolve_scope):
3185         (JSC::JIT::emitSlow_op_get_from_scope):
3186         (JSC::JIT::emitSlow_op_put_to_scope):
3187         * jit/JITPropertyAccess32_64.cpp:
3188         (JSC::JIT::emitSlow_op_resolve_scope):
3189         (JSC::JIT::emitSlow_op_get_from_scope):
3190         (JSC::JIT::emitSlow_op_put_to_scope):
3191         * jit/JITStubs.cpp:
3192         * jit/JITStubs.h:
3193
3194 2013-10-14  Filip Pizlo  <fpizlo@apple.com>
3195
3196         DFG PutById IC should use the ConcurrentJITLocker since it's now dealing with IC's that get read by the compiler thread
3197         https://bugs.webkit.org/show_bug.cgi?id=122786
3198
3199         Reviewed by Mark Hahnenberg.
3200
3201         * bytecode/CodeBlock.cpp:
3202         (JSC::CodeBlock::resetStub): Resetting a stub should acquire the lock since this is observable from the thread; but we should only acquire the lock if we're resetting outside of GC.
3203         * jit/Repatch.cpp:
3204         (JSC::repatchPutByID): Doing the PutById patching should hold the lock.
3205         (JSC::buildPutByIdList): Ditto.
3206
3207 2013-10-14  Nadav Rotem  <nrotem@apple.com>
3208
3209         Add FTL support for LogicalNot(string)
3210         https://bugs.webkit.org/show_bug.cgi?id=122765
3211
3212         Reviewed by Filip Pizlo.
3213
3214         This patch is tested by:
3215         regress/script-tests/emscripten-cube2hash.js.ftl-eager
3216
3217         * ftl/FTLCapabilities.cpp:
3218         (JSC::FTL::canCompile):
3219         * ftl/FTLLowerDFGToLLVM.cpp:
3220         (JSC::FTL::LowerDFGToLLVM::compileLogicalNot):
3221
3222 2013-10-14  Julien Brianceau  <jbriance@cisco.com>
3223
3224         [sh4] Fixes after r157404 and r157411.
3225         https://bugs.webkit.org/show_bug.cgi?id=122782
3226
3227         Reviewed by Michael Saboff.
3228
3229         * dfg/DFGSpeculativeJIT.h:
3230         (JSC::DFG::SpeculativeJIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG.
3231         * jit/CCallHelpers.h:
3232         (JSC::CCallHelpers::setupArgumentsWithExecState):
3233         * jit/JITInlines.h:
3234         (JSC::JIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG.
3235         * jit/JITPropertyAccess32_64.cpp:
3236         (JSC::JIT::emit_op_put_by_id): Remove unwanted BEGIN_UNINTERRUPTED_SEQUENCE.
3237
3238 2013-10-14  Commit Queue  <commit-queue@webkit.org>
3239
3240         Unreviewed, rolling out r157413.
3241         http://trac.webkit.org/changeset/157413
3242         https://bugs.webkit.org/show_bug.cgi?id=122779
3243
3244         Appears to have caused frequent crashes (Requested by ap on
3245         #webkit).
3246
3247         * CMakeLists.txt:
3248         * GNUmakefile.list.am:
3249         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3250         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3251         * JavaScriptCore.xcodeproj/project.pbxproj:
3252         * heap/DeferGC.cpp: Removed.
3253         * heap/DeferGC.h:
3254         * jit/JITStubs.cpp:
3255         (JSC::tryCacheGetByID):
3256         (JSC::DEFINE_STUB_FUNCTION):
3257         * llint/LLIntSlowPaths.cpp:
3258         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3259         * runtime/ConcurrentJITLock.h:
3260         * runtime/InitializeThreading.cpp:
3261         (JSC::initializeThreadingOnce):
3262         * runtime/JSCellInlines.h:
3263         (JSC::allocateCell):
3264         * runtime/Structure.cpp:
3265         (JSC::Structure::materializePropertyMap):
3266         (JSC::Structure::putSpecificValue):
3267         (JSC::Structure::createPropertyMap):
3268         * runtime/Structure.h:
3269
3270 2013-10-14  Mark Hahnenberg  <mhahnenberg@apple.com>
3271
3272         COLLECT_ON_EVERY_ALLOCATION causes assertion failures
3273         https://bugs.webkit.org/show_bug.cgi?id=122652
3274
3275         Reviewed by Filip Pizlo.
3276
3277         COLLECT_ON_EVERY_ALLOCATION wasn't accounting for the new GC deferral mechanism,
3278         so we would end up ASSERTing during garbage collection.
3279
3280         * heap/MarkedAllocator.cpp:
3281         (JSC::MarkedAllocator::allocateSlowCase):
3282
3283 2013-10-11  Oliver Hunt  <oliver@apple.com>
3284
3285         Separate out array iteration intrinsics
3286         https://bugs.webkit.org/show_bug.cgi?id=122656
3287
3288         Reviewed by Michael Saboff.
3289
3290         Separate out the intrinsics for key and values iteration
3291         of arrays.
3292
3293         This requires moving moving array iteration into the iterator
3294         instance, rather than the prototype, but this is essentially
3295         unobservable so we'll live with it for now.
3296
3297         * jit/ThunkGenerators.cpp:
3298         (JSC::arrayIteratorNextThunkGenerator):
3299         (JSC::arrayIteratorNextKeyThunkGenerator):
3300         (JSC::arrayIteratorNextValueThunkGenerator):
3301         * jit/ThunkGenerators.h:
3302         * runtime/ArrayIteratorPrototype.cpp:
3303         (JSC::ArrayIteratorPrototype::finishCreation):
3304         * runtime/Intrinsic.h:
3305         * runtime/JSArrayIterator.cpp:
3306         (JSC::JSArrayIterator::finishCreation):
3307         (JSC::createIteratorResult):
3308         (JSC::arrayIteratorNext):
3309         (JSC::arrayIteratorNextKey):
3310         (JSC::arrayIteratorNextValue):
3311         (JSC::arrayIteratorNextGeneric):
3312         * runtime/VM.cpp:
3313         (JSC::thunkGeneratorForIntrinsic):
3314
3315 2013-10-11  Mark Hahnenberg  <mhahnenberg@apple.com>
3316
3317         llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
3318         https://bugs.webkit.org/show_bug.cgi?id=122667
3319
3320         Reviewed by Filip Pizlo.
3321
3322         The issue this patch is attempting to fix is that there are places in our codebase
3323         where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
3324         operations that can initiate a garbage collection. Garbage collection then calls 
3325         some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
3326         always necessarily run during garbage collection). This causes a deadlock.
3327
3328         To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores 
3329         into a thread-local field that indicates that it is unsafe to perform any operation 
3330         that could trigger garbage collection on the current thread. In debug builds, 
3331         ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly 
3332         detect deadlocks.
3333
3334         This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
3335         which uses the DeferGC mechanism to prevent collections from occurring while the 
3336         lock is held.
3337
3338         * CMakeLists.txt:
3339         * GNUmakefile.list.am:
3340         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3341         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3342         * JavaScriptCore.xcodeproj/project.pbxproj:
3343         * heap/DeferGC.cpp: Added.
3344         * heap/DeferGC.h:
3345         (JSC::DisallowGC::DisallowGC):
3346         (JSC::DisallowGC::~DisallowGC):
3347         (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
3348         (JSC::DisallowGC::initialize):
3349         * jit/JITStubs.cpp:
3350         (JSC::tryCachePutByID):
3351         (JSC::tryCacheGetByID):
3352         (JSC::DEFINE_STUB_FUNCTION):
3353         * llint/LLIntSlowPaths.cpp:
3354         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3355         * runtime/ConcurrentJITLock.h:
3356         (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
3357         (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
3358         (JSC::ConcurrentJITLockerBase::unlockEarly):
3359         (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
3360         (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
3361         * runtime/InitializeThreading.cpp:
3362         (JSC::initializeThreadingOnce):
3363         * runtime/JSCellInlines.h:
3364         (JSC::allocateCell):
3365         * runtime/Structure.cpp:
3366         (JSC::Structure::materializePropertyMap):
3367         (JSC::Structure::putSpecificValue):
3368         (JSC::Structure::createPropertyMap):
3369         * runtime/Structure.h:
3370
3371 2013-10-14  Filip Pizlo  <fpizlo@apple.com>
3372
3373         Baseline JIT should use the DFG's PutById IC
3374         https://bugs.webkit.org/show_bug.cgi?id=122704
3375
3376         Reviewed by Mark Hahnenberg.
3377         
3378         Mostly no big deal, just removing the old Baseline JIT's put_by_id IC support and forcing
3379         that JIT to use the DFG's (i.e. JITOperations) PutById IC.
3380         
3381         The only complicated part was that the PutById operations assumed that we first did a
3382         cell speculation, which the baseline JIT obviously won't do. So I changed all of those
3383         slow paths to deal with EncodedJSValue's.
3384
3385         * bytecode/CodeBlock.cpp:
3386         (JSC::CodeBlock::resetStubInternal):
3387         * bytecode/PutByIdStatus.cpp:
3388         (JSC::PutByIdStatus::computeFor):
3389         * dfg/DFGSpeculativeJIT.h:
3390         (JSC::DFG::SpeculativeJIT::callOperation):
3391         * dfg/DFGSpeculativeJIT32_64.cpp:
3392         (JSC::DFG::SpeculativeJIT::cachedPutById):
3393         * dfg/DFGSpeculativeJIT64.cpp:
3394         (JSC::DFG::SpeculativeJIT::cachedPutById):
3395         * jit/CCallHelpers.h:
3396         (JSC::CCallHelpers::setupArgumentsWithExecState):
3397         * jit/JIT.cpp:
3398         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
3399         * jit/JIT.h:
3400         (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
3401         (JSC::PropertyStubCompilationInfo::slowCaseInfo):
3402         * jit/JITInlines.h:
3403         (JSC::JIT::callOperation):
3404         * jit/JITOperationWrappers.h:
3405         * jit/JITOperations.cpp:
3406         * jit/JITOperations.h:
3407         * jit/JITPropertyAccess.cpp:
3408         (JSC::JIT::compileGetByIdHotPath):
3409         (JSC::JIT::compileGetByIdSlowCase):
3410         (JSC::JIT::emit_op_put_by_id):
3411         (JSC::JIT::emitSlow_op_put_by_id):
3412         * jit/JITPropertyAccess32_64.cpp:
3413         (JSC::JIT::compileGetByIdSlowCase):
3414         (JSC::JIT::emit_op_put_by_id):
3415         (JSC::JIT::emitSlow_op_put_by_id):
3416         * jit/JITStubs.cpp:
3417         * jit/JITStubs.h:
3418         * jit/Repatch.cpp:
3419         (JSC::appropriateGenericPutByIdFunction):
3420         (JSC::appropriateListBuildingPutByIdFunction):
3421         (JSC::resetPutByID):
3422
3423 2013-10-13  Filip Pizlo  <fpizlo@apple.com>
3424
3425         FTL should have an inefficient but correct implementation of GetById
3426         https://bugs.webkit.org/show_bug.cgi?id=122740
3427
3428         Reviewed by Mark Hahnenberg.
3429         
3430         It took some effort to realize that the node->prediction() check in the DFG backends
3431         are completely unnecessary since the ByteCodeParser will always insert a ForceOSRExit
3432         if !prediction.
3433         
3434         But other than that this was an easy patch.
3435
3436         * dfg/DFGByteCodeParser.cpp:
3437         (JSC::DFG::ByteCodeParser::handleGetById):
3438         * dfg/DFGSpeculativeJIT32_64.cpp:
3439         (JSC::DFG::SpeculativeJIT::compile):
3440         * dfg/DFGSpeculativeJIT64.cpp:
3441         (JSC::DFG::SpeculativeJIT::compile):
3442         * ftl/FTLCapabilities.cpp:
3443         (JSC::FTL::canCompile):
3444         * ftl/FTLIntrinsicRepository.h:
3445         * ftl/FTLLowerDFGToLLVM.cpp:
3446         (JSC::FTL::LowerDFGToLLVM::compileNode):
3447         (JSC::FTL::LowerDFGToLLVM::compileGetById):
3448
3449 2013-10-13  Mark Lam  <mark.lam@apple.com>
3450
3451         Transition misc cti_op_* JITStubs to JIT operations.
3452         https://bugs.webkit.org/show_bug.cgi?id=122645.
3453
3454         Reviewed by Michael Saboff.
3455
3456         Stubs converted:
3457             cti_op_check_has_instance
3458             cti_op_create_arguments
3459             cti_op_del_by_id
3460             cti_op_instanceof
3461             cti_to_object
3462             cti_op_push_activation
3463             cti_op_get_pnames
3464             cti_op_load_varargs
3465
3466         * dfg/DFGOperations.cpp:
3467         * dfg/DFGOperations.h:
3468         * jit/CCallHelpers.h:
3469         (JSC::CCallHelpers::setupArgumentsWithExecState):
3470         * jit/JIT.h:
3471         (JSC::JIT::emitStoreCell):
3472         * jit/JITCall.cpp:
3473         (JSC::JIT::compileLoadVarargs):
3474         * jit/JITCall32_64.cpp:
3475         (JSC::JIT::compileLoadVarargs):
3476         * jit/JITInlines.h:
3477         (JSC::JIT::callOperation):
3478         * jit/JITOpcodes.cpp:
3479         (JSC::JIT::emit_op_get_pnames):
3480         (JSC::JIT::emit_op_create_activation):
3481         (JSC::JIT::emit_op_create_arguments):
3482         (JSC::JIT::emitSlow_op_check_has_instance):
3483         (JSC::JIT::emitSlow_op_instanceof):
3484         (JSC::JIT::emitSlow_op_get_argument_by_val):
3485         * jit/JITOpcodes32_64.cpp:
3486         (JSC::JIT::emitSlow_op_check_has_instance):
3487         (JSC::JIT::emitSlow_op_instanceof):
3488         (JSC::JIT::emit_op_get_pnames):
3489         (JSC::JIT::emit_op_create_activation):
3490         (JSC::JIT::emit_op_create_arguments):
3491         (JSC::JIT::emitSlow_op_get_argument_by_val):
3492         * jit/JITOperations.cpp:
3493         * jit/JITOperations.h:
3494         * jit/JITPropertyAccess.cpp:
3495         (JSC::JIT::emit_op_del_by_id):
3496         * jit/JITPropertyAccess32_64.cpp:
3497         (JSC::JIT::emit_op_del_by_id):
3498         * jit/JITStubs.cpp:
3499         * jit/JITStubs.h:
3500
3501 2013-10-13  Filip Pizlo  <fpizlo@apple.com>
3502
3503         FTL OSR exit should perform zero extension on values smaller than 64-bit
3504         https://bugs.webkit.org/show_bug.cgi?id=122688
3505
3506         Reviewed by Gavin Barraclough.
3507         
3508         In the DFG we usually make the simplistic assumption that a 32-bit value in a 64-bit
3509         register will have zeros on the high bits.  In the few cases where the high bits are
3510         non-zero, the DFG sort of tells us this explicitly.
3511
3512         But when working with llvm.webkit.stackmap, it doesn't work that way.  Consider we might
3513         emit LLVM IR like:
3514
3515             %2 = trunc i64 %1 to i32
3516             stuff %2
3517             call @llvm.webkit.stackmap(...., %2)
3518
3519         LLVM may never actually emit a truncation instruction of any kind.  And that's great - in
3520         many cases it won't be needed, like if 'stuff %2' is a 32-bit op that ignores the high
3521         bits anyway.  Hence LLVM may tell us that %2 is in the register that still had the value
3522         from before truncation, and that register may have garbage in the high bits.
3523
3524         This means that on our end, if we want a 32-bit value and we want that value to be
3525         zero-extended, we should zero-extend it ourselves.  This is pretty easy and should be
3526         cheap, so we should just do it and not make it a requirement that LLVM does it on its
3527         end.
3528         
3529         This makes all tests pass with JSC_ftlOSRExitUsesStackmap=true.
3530
3531         * ftl/FTLOSRExitCompiler.cpp:
3532         (JSC::FTL::compileStubWithOSRExitStackmap):
3533         * ftl/FTLValueFormat.cpp:
3534         (JSC::FTL::reboxAccordingToFormat):
3535
3536 == Rolled over to ChangeLog-2013-10-13 ==