LLVM assertion failures should funnel into WTF's crash handling
Source/JavaScriptCore/ChangeLog (WebKit-https.git)
2013-11-02  Filip Pizlo  <fpizlo@apple.com>

        LLVM assertion failures should funnel into WTF's crash handling
        https://bugs.webkit.org/show_bug.cgi?id=123682

        Reviewed by Geoffrey Garen.

        Inside llvmForJSC, we override assertion-related functions and funnel them
        into g_llvmTrapCallback(). We also now register a fatal error handler inside
        the library and funnel that into g_llvmTrapCallback, and have
        initializeAndGetJSCLLVMAPI() take such a callback as an argument.

        Inside JSC, we no longer call LLVMInstallFatalErrorHandler() but instead we
        pass WTFLogAlwaysAndCrash() as the trap callback for llvmForJSC.

        * llvm/InitializeLLVM.cpp:
        (JSC::initializeLLVM):
        * llvm/InitializeLLVMPOSIX.cpp:
        (JSC::initializeLLVMPOSIX):
        * llvm/library/LLVMExports.cpp:
        (llvmCrash):
        (initializeAndGetJSCLLVMAPI):
        * llvm/library/LLVMOverrides.cpp:
        (raise):
        (__assert_rtn):
        (abort):
        * llvm/library/LLVMTrapCallback.h: Added.
28
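The crash funnel this entry describes, modelled as an added example (not code from WebKit or llvmForJSC): one llvmCrash() sink, stand-ins for the overridden raise()/__assert_rtn()/abort() entry points, an LLVM-style fatal error handler, and an initialization function that takes the embedder's trap callback as an argument. The callback type, the prefixed override names, the message formats and the messageSeenByTrap() driver are assumptions made for illustration; a production callback such as WTFLogAlwaysAndCrash() logs and terminates, whereas the throwing callback here exists only so the funnelled message can be checked in-process. The design point a defender cares about is that every failure path in the library collapses into the same fail-closed exit, with abort() as the fallback if no callback was ever installed.

```cpp
#include <cstdarg>
#include <cstdio>
#include <cstdlib>
#include <string>

// Assumed callback shape (the real LLVMTrapCallback.h may declare it differently):
// the embedder supplies a function that logs the message and never returns.
typedef void (*JSCLLVMTrapCallback)(const char* message);

// Library-side global, set once by the embedder at initialization time.
static JSCLLVMTrapCallback g_llvmTrapCallback = nullptr;

// The single sink. Every overridden runtime entry point and the LLVM fatal
// error handler end up here, so the embedder sees exactly one kind of failure.
// Fail closed: with no callback installed, abort() rather than continue past a
// violated invariant.
[[noreturn]] static void llvmCrash(const char* format, ...)
{
    char buffer[512];
    va_list args;
    va_start(args, format);
    vsnprintf(buffer, sizeof(buffer), format, args);
    va_end(args);
    if (g_llvmTrapCallback)
        g_llvmTrapCallback(buffer);
    abort(); // also reached if a misbehaving callback returns
}

// Shape of an LLVM fatal error handler (userData, reason, genCrashDiag); the
// library registers it so LLVM's own report_fatal_error() is funnelled too.
static void llvmFatalErrorHandler(void*, const std::string& reason, bool)
{
    llvmCrash("LLVM fatal error: %s", reason.c_str());
}

// Stand-ins for the libc symbols the library overrides. In a real shared
// library these carry the libc names so assert() inside LLVM resolves to them;
// they are prefixed here so the example does not shadow libc.
[[noreturn]] static void overriddenAssertRtn(const char* function, const char* file, int line, const char* expression)
{
    llvmCrash("Assertion failed: (%s), function %s, file %s, line %d.", expression, function, file, line);
}

[[noreturn]] static void overriddenAbort()
{
    llvmCrash("abort() called inside llvmForJSC");
}

// Embedder side: initialization takes the trap callback as an argument (as
// initializeAndGetJSCLLVMAPI() does) and the library registers its own fatal
// error handler rather than leaving that to the embedder.
static void initializeLLVMLibrary(JSCLLVMTrapCallback callback)
{
    g_llvmTrapCallback = callback;
    // Real library: llvm::install_fatal_error_handler(llvmFatalErrorHandler);
}

// In-process observation hook for this example only: a callback that throws so
// the message can be inspected. A production callback logs and crashes.
struct TrapReached { std::string message; };
static void throwingTrap(const char* message) { throw TrapReached{message}; }

// Drive one failure path (0 = assertion, 1 = LLVM fatal error, other = abort)
// and return what the trap callback received.
static std::string messageSeenByTrap(int path)
{
    initializeLLVMLibrary(throwingTrap);
    try {
        switch (path) {
        case 0: overriddenAssertRtn("compile", "FTLCompile.cpp", 42, "x != nullptr");
        case 1: llvmFatalErrorHandler(nullptr, "out of registers", true);
        default: overriddenAbort();
        }
    } catch (const TrapReached& trap) {
        return trap.message;
    }
    return "callback returned";
}

int main()
{
    for (int path = 0; path < 3; ++path)
        printf("%s\n", messageSeenByTrap(path).c_str());
    return 0;
}
```

Each of the three paths yields a distinct message through the same sink; nothing in the library gets to continue after an assertion, which is the property the entry wants from routing into WTF's crash handling.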
2013-11-02  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock::jettison() shouldn't call baselineVersion()
        https://bugs.webkit.org/show_bug.cgi?id=123675

        Reviewed by Geoffrey Garen.

        Fix more uses of baselineVersion().

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * bytecode/CodeBlock.h:
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):

2013-11-02  Filip Pizlo  <fpizlo@apple.com>

        LLVM asserts in internal-js-tests.yaml/Octane/stress-tests/mandreel.js
        https://bugs.webkit.org/show_bug.cgi?id=123535

        Reviewed by Geoffrey Garen.

        Use double comparisons for doubles.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::doubleToInt32):

2013-11-02  Patrick Gansterer  <paroga@webkit.org>

        Various small WinCE build fixes

        * jsc.cpp:
        (main):

2013-11-02  Patrick Gansterer  <paroga@webkit.org>

        Fix MSVC ARM build after r157581.

        * jit/JITStubsARM.h:

2013-11-01  Filip Pizlo  <fpizlo@apple.com>

        FTL should use a simple optimization pipeline by default
        https://bugs.webkit.org/show_bug.cgi?id=123638

        Reviewed by Geoffrey Garen.

        20% speed-up on imagine-gaussian-blur, when combined with --ftlUsesStackmaps=true.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * runtime/Options.h:

2013-11-01  Andreas Kling  <akling@apple.com>

        Neuter WTF_MAKE_FAST_ALLOCATED in GLOBAL_FASTMALLOC_NEW builds.
        <https://webkit.org/b/123639>

        JSC::ParserArenaRefCounted really needed to have the new/delete
        operators overridden, in order for JSC::ScopeNode to be able to
        choose that "operator new" out of the two it inherits.

        Reviewed by Anders Carlsson.

2013-11-01  Filip Pizlo  <fpizlo@apple.com>

        OSR exit profiling should be robust against all code being cleared
        https://bugs.webkit.org/show_bug.cgi?id=123629
        <rdar://problem/15365476>

        Reviewed by Michael Saboff.

        The problem here is two-fold:

        1) A watchpoint (i.e. ProfiledCodeBlockJettisoningWatchpoint) may be fired after we
        have cleared the CodeBlock for all or some Executables.  This means that doing
        codeBlock->baselineVersion() would either crash or return a bogus CodeBlock, since
        there wasn't a baseline code block reachable from the Executable anymore.  The
        solution is that we shouldn't be asking for the baseline code block reachable from
        the owning executable (what baselineVersion did), but instead we should be asking
        for the baseline version reachable from the code block being watchpointed (basically
        what CodeBlock::alternative() did).

        2) If dealing with inlined code, baselineCodeBlockForOriginAndBaselineCodeBlock()
        may return null, for the same reason as above - we might have cleared the baseline
        codeblock for the executable that was inlined.  The solution is to just not do
        profiling if there isn't a baseline code block anymore.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::baselineAlternative):
        (JSC::CodeBlock::baselineVersion):
        (JSC::CodeBlock::jettison):
        * bytecode/CodeBlock.h:
        * bytecode/CodeBlockJettisoningWatchpoint.cpp:
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):
        * dfg/DFGOSRExitBase.cpp:
        (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::AssemblyHelpers):
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::baselineCodeBlockFor):

2013-10-31  Oliver Hunt  <oliver@apple.com>

        JavaScript parser bug
        https://bugs.webkit.org/show_bug.cgi?id=123506

        Reviewed by Mark Lam.

        Add ParserState as an abstraction and use that to save and restore
        the parser state around nested functions (We'll need to use this in
        more places in future).  Also fix a minor error typo these testcases
        hit.

        * parser/Parser.cpp:
        (JSC::::parseFunctionInfo):
        (JSC::::parseAssignmentExpression):
        * parser/Parser.h:
        (JSC::Parser::saveState):
        (JSC::Parser::restoreState):

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        FTL Int32ToDouble should handle the forward type check case where you need a recovery
        https://bugs.webkit.org/show_bug.cgi?id=123605

        Reviewed by Mark Hahnenberg.

        If you have an Int32ToDouble that needs to do a type check and it's required to do a
        forward exit, then it needs to manually pass in a value recovery for itself in the
        OSR exit - since this is one of those forward-exiting nodes that doesn't have a
        preceding MovHint.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble):
        (JSC::FTL::LowerDFGToLLVM::forwardTypeCheck):

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        FTL should implement InvalidationPoint in terms of llvm.stackmap
        https://bugs.webkit.org/show_bug.cgi?id=113647

        Reviewed by Mark Hahnenberg.

        This is pretty straightforward now that InvalidationPoint has exactly the semantics
        that agree with llvm.stackmap.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::LowerDFGToLLVM::callStackmap):
        * ftl/FTLOSRExitCompilationInfo.h:
        (JSC::FTL::OSRExitCompilationInfo::OSRExitCompilationInfo):

2013-10-30  Oliver Hunt  <oliver@apple.com>

        Implement basic ES6 Math functions
        https://bugs.webkit.org/show_bug.cgi?id=123536

        Reviewed by Michael Saboff.

        Fairly trivial patch to implement the core ES6 Math functions.

        This doesn't implement Math.hypot as it is not a trivial function.
        I've also skipped Math.sign as I am yet to be convinced the spec
        behaviour is good.  Everything else is trivial.

        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        (JSC::mathProtoFuncACosh):
        (JSC::mathProtoFuncASinh):
        (JSC::mathProtoFuncATanh):
        (JSC::mathProtoFuncCbrt):
        (JSC::mathProtoFuncCosh):
        (JSC::mathProtoFuncExpm1):
        (JSC::mathProtoFuncFround):
        (JSC::mathProtoFuncLog1p):
        (JSC::mathProtoFuncLog10):
        (JSC::mathProtoFuncLog2):
        (JSC::mathProtoFuncSinh):
        (JSC::mathProtoFuncTanh):
        (JSC::mathProtoFuncTrunc):

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        FTL::Location::restoreInto() doesn't handle stack-related registers correctly if you're using it after pushing a new stack frame
        https://bugs.webkit.org/show_bug.cgi?id=123591

        Reviewed by Mark Hahnenberg.

        This gets us to pass more tests with ftlUsesStackmaps.

        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::restoreInto):
        * ftl/FTLLocation.h:
        * ftl/FTLThunks.cpp:
        (JSC::FTL::osrExitGenerationWithStackMapThunkGenerator):

2013-10-31  Alexey Proskuryakov  <ap@apple.com>

        Enable WebCrypto on Mac
        https://bugs.webkit.org/show_bug.cgi?id=123587

        Reviewed by Anders Carlsson.

        * Configurations/FeatureDefines.xcconfig: Do it.

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, really remove CachedTranscendentalFunction.h.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        Remove CachedTranscendentalFunction because caching math functions is an ugly idea
        https://bugs.webkit.org/show_bug.cgi?id=123574

        Reviewed by Mark Hahnenberg.

        This is performance-neutral because I also make Math.cos/sin intrinsic. This means that
        we gain the "overhead" of actually computing sin and cos but we lose the overhead of
        going through the native call thunks.

        Caching transcendental functions is a really ugly idea. It works for SunSpider because
        that benchmark makes very predictable calls into Math.sin. But I don't believe that this
        is representative of any kind of reality, and so for sensible uses of Math.sin/cos all
        that this was doing was adding more call overhead and some hashing overhead.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOperations.h:
        * runtime/CachedTranscendentalFunction.h: Removed.
        * runtime/DateInstanceCache.h:
        * runtime/Intrinsic.h:
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        (JSC::mathProtoFuncCos):
        (JSC::mathProtoFuncSin):
        * runtime/VM.h:

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Assertion failure in js/dom/global-constructors-attributes-dedicated-worker.html
        https://bugs.webkit.org/show_bug.cgi?id=123551
        <rdar://problem/15356238>

        Reviewed by Mark Hahnenberg.

        WatchpointSets have always had this "fire everything on deletion" policy because it
        seemed like a good fail-safe at the time I first implemented WatchpointSets. But
        it's actually causing bugs rather than providing safety:

        - Everyone who registers Watchpoints with WatchpointSets has separate mechanisms
          for either keeping the WatchpointSets alive or noticing when they are collected.
          So this wasn't actually providing any safety.

          One example of this is Structures, where:

          - CodeBlocks that register Watchpoints on Structure's WatchpointSet will also
            register weak references to the Structure, and the GC will jettison a CodeBlock
            if the Structure(s) it cares about dies.

          - StructureStubInfos that register Watchpoints on Structure's WatchpointSet will
            also be cleared by GC if the Structures die.

        - The WatchpointSet destructor would get invoked from finalization/destruction.
          This would then cause CodeBlock::jettison() to be called on a CodeBlock, but that
          method requires doing things that access heap objects. This would usually cause
          problems on VM destruction, since then the CodeBlocks would still be alive but the
          whole heap would be destroyed.

        This also ensures that CodeBlock::jettison() cannot cause a GC. This is safe since
        that method doesn't really allocate objects, and it is likely necessary because
        jettison() may be called from deep in the stack.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * bytecode/Watchpoint.cpp:
        (JSC::WatchpointSet::~WatchpointSet):
        * bytecode/Watchpoint.h:

2013-10-30  Mark Lam  <mark.lam@apple.com>

        Unreviewed, fix C Loop LLINT build.

        * bytecode/CodeBlockJettisoningWatchpoint.cpp:
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix FTL build.

        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):

2013-10-30  Alexey Proskuryakov  <ap@apple.com>

        Add a way to fulfill promises from DOM code
        https://bugs.webkit.org/show_bug.cgi?id=123466

        Reviewed by Sam Weinig.

        * JavaScriptCore.xcodeproj/project.pbxproj: Make JSPromise.h and JSPromiseResolver.h
        private headers for WebCore to use.

        * runtime/JSPromise.h:
        * runtime/JSPromiseResolver.h:
        Export functions that JSDOMPromise will use.

2013-10-30  Mark Lam  <mark.lam@apple.com>

        Adjust CallFrameHeader's ReturnPC and CallFrame locations to match the native ABI.
        https://bugs.webkit.org/show_bug.cgi?id=123444

        Reviewed by Geoffrey Garen.

        - Introduced an explicit CallerFrameAndPC struct.
        - A CallFrame is expected to start with a CallerFrameAndPC struct.
        - The Register class no longer supports CallFrame* and Instruction*.

          These hide the differences between JSVALUE32_64 and JSVALUE64 in
          terms of managing the callerFrame() and returnPC() values.

        - Convert all uses of JSStack::CallerFrame and JSStack::ReturnPC to
          go through CallFrame to access the appropriate values and offsets.
          CallFrame, in turn, will access the callerFrame and returnPC via
          the CallerFrameAndPC struct.

        - InlineCallFrame will provide offsets for its callerFrame and
          returnPC. It will make use of CallFrame::callerFrameOffset() and
          CallerFrame::returnPCOffset() to compute these.

        * bytecode/CodeOrigin.h:
        (JSC::InlineCallFrame::callerFrameOffset):
        (JSC::InlineCallFrame::returnPCOffset):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::calleeFrameSlot):
        (JSC::DFG::SpeculativeJIT::calleeArgumentSlot):
        (JSC::DFG::SpeculativeJIT::calleeFrameTagSlot):
        (JSC::DFG::SpeculativeJIT::calleeFramePayloadSlot):
        (JSC::DFG::SpeculativeJIT::calleeArgumentTagSlot):
        (JSC::DFG::SpeculativeJIT::calleeArgumentPayloadSlot):
        - Prefixed all the above with callee since they apply to the callee frame.
        (JSC::DFG::SpeculativeJIT::calleeFrameCallerFrame):
        - Added to set the callerFrame pointer in the callee frame.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLink.cpp:
        (JSC::FTL::compileEntry):
        (JSC::FTL::link):
        * interpreter/CallFrame.h:
        (JSC::ExecState::callerFrame):
        (JSC::ExecState::callerFrameOffset):
        (JSC::ExecState::returnPC):
        (JSC::ExecState::hasReturnPC):
        (JSC::ExecState::clearReturnPC):
        (JSC::ExecState::returnPCOffset):
        (JSC::ExecState::setCallerFrame):
        (JSC::ExecState::setReturnPC):
        (JSC::ExecState::callerFrameAndPC):
        * interpreter/JSStack.h:
        * interpreter/Register.h:
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitPutToCallFrameHeader):
        - Convert to using storePtr() here and simplify the code.
        (JSC::AssemblyHelpers::emitGetCallerFrameFromCallFrameHeaderPtr):
        (JSC::AssemblyHelpers::emitPutCallerFrameToCallFrameHeader):
        (JSC::AssemblyHelpers::emitGetReturnPCFromCallFrameHeaderPtr):
        (JSC::AssemblyHelpers::emitPutReturnPCToCallFrameHeader):
        - Helpers to emit gets/puts of the callerFrame and returnPC.
        (JSC::AssemblyHelpers::addressForByteOffset):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompile):
        (JSC::JIT::privateCompileExceptionHandlers):
        * jit/JITCall.cpp:
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::emit_op_ret_object_or_this):
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileOpCall):
        * jit/JITInlines.h:
        (JSC::JIT::unmap):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_end):
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::emit_op_ret_object_or_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_end):
        * jit/JITOperations.cpp:
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::returnJSValue):
        (JSC::SpecializedThunkJIT::returnDouble):
        (JSC::SpecializedThunkJIT::returnInt32):
        (JSC::SpecializedThunkJIT::returnJSCell):
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::slowPathFor):
        (JSC::nativeForGenerator):

        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        - Updated offsets and asserts to match the new CallFrame layout.

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Mac.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::RegisterAllocationOffset::checkOffsets):
        (JSC::AbstractMacroAssembler::checkRegisterAllocationAgainstBranchRange):

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Windows.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Windows.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addFrequentExitSite):

2013-10-29  Filip Pizlo  <fpizlo@apple.com>

        Add InvalidationPoints to the DFG and use them for all watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=123472

        Reviewed by Mark Hahnenberg.

        This makes a fundamental change to how watchpoints work in the DFG.

        Previously, a watchpoint was an instruction whose execution semantics were something
        like:

            if (watchpoint->invalidated)
                exit

        We would implement this without any branch by using jump replacement.

        This is a very good optimization. But it's a bit awkward once you get a lot of
        watchpoints: semantically we will have lots of these branches in the code, which the
        compiler needs to reason about even though they don't actually result in any emitted
        code.

        Separately, we also had a mechanism for jettisoning a CodeBlock. This mechanism would
        be invoked if a CodeBlock exited a lot. It would ensure that a CodeBlock wouldn't be
        called into again, but it would do nothing for CodeBlocks that were already on the
        stack.

        This change flips jettisoning and watchpoint invalidation on their heads. Now, the jump
        replacement has nothing to do with watchpoints; instead it's something that happens if
        you ever jettison a CodeBlock. Jump replacement is now an all-or-nothing operation over
        all of the potential call-return safe-exit-points in a CodeBlock. We call these
        "InvalidationPoint"s. A watchpoint instruction is now "lowered" by having the DFG
        collect all of the watchpoint sets that the CodeBlock cares about, and then registering
        a CodeBlockJettisoningWatchpoint with all of them. That is, if the watchpoint fires, it
        jettisons the CodeBlock, which in turn ensures that the CodeBlock can't be called into
        (because the entrypoint now points to baseline code) and can't be returned into
        (because returning exits to baseline before the next bytecode instruction).

        This will allow for a sensible lowering of watchpoints to LLVM IR. It will also allow
        for jettison() to be used effectively for things like breakpointing and single-stepping
        in the debugger.

        Well, basically, this mechanism just takes us into the HotSpot-style world where anyone
        can, at any time and for any reason, request that an optimized CodeBlock is rendered
        immediately invalid. You can use this for many cool things, I'm sure.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * bytecode/CodeBlock.h:
        * bytecode/CodeBlockJettisoningWatchpoint.cpp: Added.
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/CodeBlockJettisoningWatchpoint.h: Added.
        (JSC::CodeBlockJettisoningWatchpoint::CodeBlockJettisoningWatchpoint):
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp: Added.
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.h: Added.
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::ProfiledCodeBlockJettisoningWatchpoint):
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGClobberize.cpp:
        (JSC::DFG::writesOverlap):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        (JSC::DFG::AbstractHeapOverlaps::AbstractHeapOverlaps):
        (JSC::DFG::AbstractHeapOverlaps::operator()):
        (JSC::DFG::AbstractHeapOverlaps::result):
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::CommonData::invalidate):
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::CommonData):
        * dfg/DFGDesiredWatchpoints.cpp:
        (JSC::DFG::DesiredWatchpoints::addLazily):
        (JSC::DFG::DesiredWatchpoints::reallyAdd):
        * dfg/DFGDesiredWatchpoints.h:
        (JSC::DFG::WatchpointForGenericWatchpointSet::WatchpointForGenericWatchpointSet):
        (JSC::DFG::GenericDesiredWatchpoints::addLazily):
        (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
        (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGInvalidationPointInjectionPhase.cpp: Added.
        (JSC::DFG::InvalidationPointInjectionPhase::InvalidationPointInjectionPhase):
        (JSC::DFG::InvalidationPointInjectionPhase::run):
        (JSC::DFG::InvalidationPointInjectionPhase::handle):
        (JSC::DFG::InvalidationPointInjectionPhase::insertInvalidationCheck):
        (JSC::DFG::performInvalidationPointInjection):
        * dfg/DFGInvalidationPointInjectionPhase.h: Added.
        * dfg/DFGJITCode.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        * dfg/DFGJumpReplacement.cpp: Added.
        (JSC::DFG::JumpReplacement::fire):
        * dfg/DFGJumpReplacement.h: Added.
        (JSC::DFG::JumpReplacement::JumpReplacement):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRExitCompilationInfo.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::reallyAdd):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::masqueradesAsUndefinedWatchpointIsStillValid):
        (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWatchpointCollectionPhase.cpp: Added.
        (JSC::DFG::WatchpointCollectionPhase::WatchpointCollectionPhase):
        (JSC::DFG::WatchpointCollectionPhase::run):
        (JSC::DFG::WatchpointCollectionPhase::handle):
        (JSC::DFG::WatchpointCollectionPhase::handleEdge):
        (JSC::DFG::WatchpointCollectionPhase::handleMasqueradesAsUndefined):
        (JSC::DFG::WatchpointCollectionPhase::handleStringGetByVal):
        (JSC::DFG::WatchpointCollectionPhase::addLazily):
        (JSC::DFG::WatchpointCollectionPhase::globalObject):
        (JSC::DFG::performWatchpointCollection):
        * dfg/DFGWatchpointCollectionPhase.h: Added.
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileStructureTransitionWatchpoint):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::compileGlobalVarWatchpoint):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
        (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
        * jit/JITOperations.cpp:
        * jit/JumpReplacementWatchpoint.cpp: Removed.
        * jit/JumpReplacementWatchpoint.h: Removed.
669
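The all-or-nothing invalidation the entry above describes, as an added toy model (not JSC's code): an optimized CodeBlock registers one CodeBlockJettisoningWatchpoint with every WatchpointSet it speculated on; when any of those sets fires, jettison() redirects the block's entrypoint to its baseline alternative (no new calls land in it) and patches every InvalidationPoint at once (frames already on the stack exit at their next safe point). The class names follow the entry; the fields, the simulateInvalidation() driver with its Outcome struct, and the two constructed watchpoint sets are assumptions for illustration, and no real jump replacement or OSR exit is performed.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// An InvalidationPoint is a no-op until its CodeBlock is jettisoned, at which
// point it (and every other one in the block) is patched into a jump to exit.
struct InvalidationPoint {
    std::size_t bytecodeIndex; // where baseline resumes after the exit
    bool patchedToExit;
    explicit InvalidationPoint(std::size_t index) : bytecodeIndex(index), patchedToExit(false) {}
};

struct CodeBlock {
    const char* name;
    CodeBlock* alternative; // for optimized code: the baseline version
    CodeBlock* entrypoint;  // where a fresh call into this code lands
    std::vector<InvalidationPoint> invalidationPoints;
    bool jettisoned;

    explicit CodeBlock(const char* blockName, CodeBlock* baseline = nullptr)
        : name(blockName), alternative(baseline), entrypoint(this), jettisoned(false) {}

    // Jettison is idempotent and all-or-nothing: every safe exit point flips at
    // once, and the entrypoint is swapped so callers reach baseline instead.
    void jettison()
    {
        if (jettisoned)
            return;
        jettisoned = true;
        for (std::size_t i = 0; i < invalidationPoints.size(); ++i)
            invalidationPoints[i].patchedToExit = true;
        if (alternative)
            entrypoint = alternative;
    }
};

struct Watchpoint {
    virtual ~Watchpoint() {}
    virtual void fireInternal() = 0;
};

// Fires by jettisoning the optimized CodeBlock that registered it.
struct CodeBlockJettisoningWatchpoint : Watchpoint {
    CodeBlock* codeBlock;
    explicit CodeBlockJettisoningWatchpoint(CodeBlock* block) : codeBlock(block) {}
    void fireInternal() override { codeBlock->jettison(); }
};

struct WatchpointSet {
    std::vector<Watchpoint*> watchpoints;
    bool invalidated;
    WatchpointSet() : invalidated(false) {}
    void add(Watchpoint* watchpoint) { watchpoints.push_back(watchpoint); }
    void fireAll()
    {
        invalidated = true;
        std::vector<Watchpoint*> toFire;
        toFire.swap(watchpoints); // a fired set never fires the same watchpoint twice
        for (std::size_t i = 0; i < toFire.size(); ++i)
            toFire[i]->fireInternal();
    }
};

struct Outcome {
    bool jettisoned;
    bool callsGoToBaseline;
    std::size_t pointsPatched;
};

// One optimized function that speculated on two constructed watchpoint sets
// (think: a Structure transition set and a global-variable constant set).
// setsToFire: 0 = nothing fires, 1 = first set fires, 2 = both fire.
static Outcome simulateInvalidation(int setsToFire)
{
    CodeBlock baseline("baseline");
    CodeBlock optimized("dfg", &baseline);
    optimized.invalidationPoints.push_back(InvalidationPoint(3));
    optimized.invalidationPoints.push_back(InvalidationPoint(17));
    optimized.invalidationPoints.push_back(InvalidationPoint(42));

    WatchpointSet structureSet, globalVarSet;
    CodeBlockJettisoningWatchpoint structureWatch(&optimized), globalWatch(&optimized);
    structureSet.add(&structureWatch);
    globalVarSet.add(&globalWatch);

    if (setsToFire >= 1)
        structureSet.fireAll();
    if (setsToFire >= 2)
        globalVarSet.fireAll(); // second jettison request is a no-op

    std::size_t patched = 0;
    for (std::size_t i = 0; i < optimized.invalidationPoints.size(); ++i)
        if (optimized.invalidationPoints[i].patchedToExit)
            ++patched;
    Outcome result = { optimized.jettisoned, optimized.entrypoint == &baseline, patched };
    return result;
}

int main()
{
    for (int sets = 0; sets <= 2; ++sets) {
        Outcome o = simulateInvalidation(sets);
        printf("sets fired=%d jettisoned=%d baseline=%d patched=%zu\n", sets, o.jettisoned, o.callsGoToBaseline, o.pointsPatched);
    }
    return 0;
}
```

The contrast with the old scheme is that no per-watchpoint branch exists in the optimized code at all: the only state a fired watchpoint touches is the block-level jettison, which is why a second set firing changes nothing.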
2013-10-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSExport doesn't support constructors
        https://bugs.webkit.org/show_bug.cgi?id=123380

        Reviewed by Geoffrey Garen.

        Support for constructor-style callbacks for the Objective-C API to JSC is currently limited to
        Objective-C blocks. Any clients who try to call the constructor of a JSExport-ed Objective-C class
        are met with a type error stating that it cannot be called as a constructor.

        It would be nice to expand JSExport's functionality to support this idiom. It is a natural
        extension to JSExport and would increase the expressiveness and simplicity in both Objective-C and
        JavaScript client code.

        The way we'll do this is to expand the capabilities of ObjCCallbackFunction and associated classes.
        Instead of constructing a normal C API object for the constructor, we'll instead allocate a full-blown
        ObjCCallbackFunction object which can already properly handle being invoked as a constructor.

        * API/JSWrapperMap.mm:
        (copyMethodsToObject):
        (allocateConstructorForCustomClass):
        (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
        (tryUnwrapObjcObject):
        * API/ObjCCallbackFunction.h:
        (JSC::ObjCCallbackFunction::impl):
        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
        (JSC::ObjCCallbackFunctionImpl::wrappedConstructor):
        (JSC::ObjCCallbackFunctionImpl::isConstructible):
        (JSC::ObjCCallbackFunction::getConstructData):
        (JSC::ObjCCallbackFunctionImpl::name):
        (JSC::ObjCCallbackFunctionImpl::call):
        (objCCallbackFunctionForInvocation):
        (objCCallbackFunctionForInit):
        (tryUnwrapConstructor):
        * API/tests/testapi.mm:
        (-[TextXYZ initWithString:]):
        (-[ClassA initWithA:]):
        (-[ClassB initWithA:b:]):
        (-[ClassC initWithA:]):
        (-[ClassC initWithA:b:]):

2013-10-30  peavo@outlook.com  <peavo@outlook.com>

        [Win] Compile errors when enabling DFG JIT.
        https://bugs.webkit.org/show_bug.cgi?id=120998

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added files.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
        * dfg/DFGAllocator.h: Removed scope.
        * dfg/DFGWorklist.cpp: Use new ThreadingOnce class instead of pthread_once.
        (JSC::DFG::globalWorklist):
723         * dfg/DFGWorklist.cpp: Use new ThreadingOnce class instead of pthread_once.
724         (JSC::DFG::globalWorklist):
725         * heap/DeferGC.h: Link fix, member needs to be public.
726         * jit/JITOperationWrappers.h: Added required assembler macros.
727
728 2013-10-30  Iago Toral Quiroga  <itoral@igalia.com>
729
730         Add result caching for Math.cos
731         https://bugs.webkit.org/show_bug.cgi?id=123255
732
733         Reviewed by Brent Fulgham.
734
735         * runtime/MathObject.cpp:
736         (JSC::mathProtoFuncCos):
737         * runtime/VM.h:
738
739 2013-10-30  Alex Christensen  <achristensen@webkit.org>
740
741         Disabled JIT on Win64.
742         https://bugs.webkit.org/show_bug.cgi?id=122472
743
744         Reviewed by Geoffrey Garen.
745
746         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
747         Disabled building JITStubsMSVC64.
748
749 2013-10-29  Michael Saboff  <msaboff@apple.com>
750
751         Change local variable register allocation to start at offset -1
752         https://bugs.webkit.org/show_bug.cgi?id=123182
753
754         Reviewed by Geoffrey Garen.
755
756         Adjusted the virtual register mapping down by one slot.  Reduced
757         the CallFrame header slot offsets by one.  They now start at 0.
758         Changed arity fixup to no longer skip past register slot 0 as this
759         is now part of the CallFrame header.
760
761         * bytecode/VirtualRegister.h:
762         (JSC::operandIsLocal):
763         (JSC::operandIsArgument):
764         (JSC::VirtualRegister::localToOperand):
765         (JSC::VirtualRegister::operandToLocal):
766           Adjusted functions for shift in mapping from local to register offset.
767
768         * dfg/DFGByteCodeParser.cpp:
769         (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
770         (JSC::DFG::ByteCodeParser::addCall):
771         (JSC::DFG::ByteCodeParser::handleInlining):
772         (JSC::DFG::ByteCodeParser::parseBlock):
773         * dfg/DFGVariableEventStream.cpp:
774         (JSC::DFG::VariableEventStream::reconstruct):
775         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
776         (JSC::DFG::VirtualRegisterAllocationPhase::run):
777         * interpreter/CallFrame.h:
778         (JSC::ExecState::frameExtent):
779         (JSC::ExecState::offsetFor):
780         * interpreter/Interpreter.cpp:
781         (JSC::loadVarargs):
782         (JSC::Interpreter::dumpRegisters):
783         (JSC::Interpreter::executeCall):
784         * llint/LLIntData.cpp:
785         (JSC::LLInt::Data::performAssertions):
786         * llint/LowLevelInterpreter.asm:
787           Adjusted math to accommodate the shift in call frame slots.
788
789         * dfg/DFGJITCompiler.cpp:
790         (JSC::DFG::JITCompiler::compileFunction):
791         * dfg/DFGSpeculativeJIT.h:
792         (JSC::DFG::SpeculativeJIT::calleeFrameOffset):
793         * interpreter/CallFrame.cpp:
794         (JSC::CallFrame::frameExtentInternal):
795         * interpreter/JSStackInlines.h:
796         (JSC::JSStack::pushFrame):
797         * jit/JIT.cpp:
798         (JSC::JIT::privateCompile):
799         * jit/JITOperations.cpp:
800         * llint/LLIntSlowPaths.cpp:
801         (JSC::LLInt::llint_slow_path_stack_check):
802         * runtime/CommonSlowPaths.h:
803         (JSC::CommonSlowPaths::arityCheckFor):
804           Fixed offset calculation to use VirtualRegister and related calculation instead of
805           doing separate calculations.
806
807         * interpreter/JSStack.h:
808           Adjusted CallFrame slots down by one.  Did some miscellaneous fixing of dumpRegisters()
809           in the process of testing the fixes.
810
811         * jit/ThunkGenerators.cpp:
812         (JSC::arityFixup):
813           Changed arity fixup to no longer skip past register slot 0 as this
814           is now part of the CallFrame header.
815
816         * llint/LowLevelInterpreter32_64.asm:
817         * llint/LowLevelInterpreter64.asm:
818           Changed arity fixup to no longer skip past register slot 0 as this
819           is now part of the CallFrame header.  Updated op_enter processing for
820           the change in local registers.
821
822         * runtime/JSGlobalObject.h:
823           Removed the now unneeded extra slot in the global callframe
824
825 2013-10-29  Julien Brianceau  <jbriance@cisco.com>
826
827         [arm] Fix lots of crashes because of 4th argument register trampling.
828         https://bugs.webkit.org/show_bug.cgi?id=123421
829
830         Reviewed by Michael Saboff.
831
832         r3 register is the 4th argument register for ARM and also a scratch
833         register in the baseline JIT for this architecture. We can use r6
834         instead, as this used to be the timeoutCheckRegister and it is no
835         longer used since r148119.
836
837         * assembler/ARMAssembler.h: Temp register is now r6 instead of r3 for ARM.
838         * assembler/MacroAssemblerARMv7.h: Temp register is now r6 instead of r3 for ARMv7.
839         * jit/GPRInfo.h: Add r3 properly in GPRInfo for ARM.
840         (JSC::GPRInfo::toRegister):
841         (JSC::GPRInfo::toIndex):
842         * jit/JITStubsARM.h:
843         (JSC::ctiTrampoline): Remove obsolete timeoutCheckRegister init.
844         * jit/JITStubsARMv7.h:
845         (JSC::ctiTrampoline): Remove obsolete timeoutCheckRegister init.
846         * jit/JSInterfaceJIT.h: Remove useless stuff.
847         * yarr/YarrJIT.cpp: Use r3 and not the new scratch register r6.
848         (JSC::Yarr::YarrGenerator::generateEnter): r8 register doesn't need to be saved.
849         (JSC::Yarr::YarrGenerator::generateReturn):
850
851 2013-10-29  Julien Brianceau  <jbriance@cisco.com>
852
853         Fix CPU(ARM_TRADITIONAL) build after r157690.
854         https://bugs.webkit.org/show_bug.cgi?id=123247
855
856         Reviewed by Michael Saboff.
857
858         Since r157690, the executableCopy function has been removed from AssemblerBuffer.h
859         and the copy of executable code occurs in the linkCode function (in LinkBuffer.cpp).
860         As the constant pool for jumps is updated in the executableCopy function of ARM_TRADITIONAL,
861         this part of code still needs to be called and absolute jumps must be corrected to anticipate
862         the copy of the executable code through memcpy.
863
864         * assembler/ARMAssembler.cpp:
865         (JSC::ARMAssembler::prepareExecutableCopy): Rename executableCopy to prepareExecutableCopy
866         and correct absolute jump values using the delta between the source and destination buffers.
867         * assembler/ARMAssembler.h:
868         * assembler/LinkBuffer.cpp:
869         (JSC::LinkBuffer::linkCode): Call prepareExecutableCopy just before the memcpy.
870
871 2013-10-28  Filip Pizlo  <fpizlo@apple.com>
872
873         OSRExit::m_watchpointIndex should be in OSRExitCompilationInfo
874         https://bugs.webkit.org/show_bug.cgi?id=123423
875
876         Reviewed by Mark Hahnenberg.
877         
878         Also enable ExitKind to tell you if it's a watchpoint.
879
880         * bytecode/ExitKind.cpp:
881         (JSC::exitKindToString):
882         * bytecode/ExitKind.h:
883         (JSC::isWatchpoint):
884         * dfg/DFGByteCodeParser.cpp:
885         (JSC::DFG::ByteCodeParser::setLocal):
886         (JSC::DFG::ByteCodeParser::setArgument):
887         (JSC::DFG::ByteCodeParser::handleCall):
888         (JSC::DFG::ByteCodeParser::handleGetById):
889         (JSC::DFG::ByteCodeParser::parseBlock):
890         * dfg/DFGJITCompiler.cpp:
891         (JSC::DFG::JITCompiler::linkOSRExits):
892         (JSC::DFG::JITCompiler::link):
893         * dfg/DFGJITCompiler.h:
894         (JSC::DFG::JITCompiler::appendExitInfo):
895         * dfg/DFGOSRExit.cpp:
896         (JSC::DFG::OSRExit::OSRExit):
897         * dfg/DFGOSRExit.h:
898         * dfg/DFGOSRExitCompilationInfo.h:
899         (JSC::DFG::OSRExitCompilationInfo::OSRExitCompilationInfo):
900         * dfg/DFGOSRExitCompiler.cpp:
901         * dfg/DFGSpeculativeJIT.cpp:
902         (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
903         * dfg/DFGSpeculativeJIT32_64.cpp:
904         (JSC::DFG::SpeculativeJIT::compile):
905         * dfg/DFGSpeculativeJIT64.cpp:
906         (JSC::DFG::SpeculativeJIT::compile):
907
908 2013-10-28  Myles C. Maxfield  <mmaxfield@apple.com>
909
910         Parsing support for -webkit-text-decoration-skip: ink
911         https://bugs.webkit.org/show_bug.cgi?id=123358
912
913         Reviewed by Dean Jackson.
914
915         Adding ENABLE(CSS3_TEXT_DECORATION)
916
917         * Configurations/FeatureDefines.xcconfig:
918
919 2013-10-24  Filip Pizlo  <fpizlo@apple.com>
920
921         Get rid of InlineStart so that I don't have to implement it in FTL
922         https://bugs.webkit.org/show_bug.cgi?id=123302
923
924         Reviewed by Geoffrey Garen.
925         
926         InlineStart was a special instruction that we would insert at the top of inlined code,
927         so that the backend could capture the OSR state of arguments to an inlined call. It used
928         to be that only the backend had this information, so this instruction was sort of an ugly
929         callback from the backend for filling in some data structures.
930         
931         But in the time since when that code was written (two years ago?), we rationalized how
932         variables work. It's now the case that variables that the runtime must know about are
933         treated specially in IR (they are "flushed") and we know how we will represent them even
934         before we get to the backend. The last place that makes changes to their representation
935         is the StackLayoutPhase.
936         
937         So, this patch gets rid of InlineStart, but keeps around the special meta-data that the
938         instruction had. Instead of handling the bookkeeping in the backend, we handle it in
939         StackLayoutPhase. This means that the DFG and FTL can share code for handling this
940         bookkeeping. This also means that now the FTL can compile code blocks that had inlining.
941         
942         Of course, giving the FTL the ability to handle code blocks that had inlining means that
943         we're going to have new bugs. Sure enough, the FTL's linker didn't handle inline call
944         frames. This patch also fixes that.
945
946         * dfg/DFGAbstractInterpreterInlines.h:
947         (JSC::DFG::::executeEffects):
948         * dfg/DFGByteCodeParser.cpp:
949         (JSC::DFG::ByteCodeParser::handleInlining):
950         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
951         * dfg/DFGClobberize.h:
952         (JSC::DFG::clobberize):
953         * dfg/DFGFixupPhase.cpp:
954         (JSC::DFG::FixupPhase::fixupNode):
955         * dfg/DFGGraph.h:
956         * dfg/DFGNode.h:
957         * dfg/DFGNodeType.h:
958         * dfg/DFGPredictionPropagationPhase.cpp:
959         (JSC::DFG::PredictionPropagationPhase::propagate):
960         * dfg/DFGSafeToExecute.h:
961         (JSC::DFG::safeToExecute):
962         * dfg/DFGSpeculativeJIT.cpp:
963         * dfg/DFGSpeculativeJIT.h:
964         * dfg/DFGSpeculativeJIT32_64.cpp:
965         (JSC::DFG::SpeculativeJIT::compile):
966         * dfg/DFGSpeculativeJIT64.cpp:
967         (JSC::DFG::SpeculativeJIT::compile):
968         * dfg/DFGStackLayoutPhase.cpp:
969         (JSC::DFG::StackLayoutPhase::run):
970         * ftl/FTLLink.cpp:
971         (JSC::FTL::link):
972
973 2013-10-24  Filip Pizlo  <fpizlo@apple.com>
974
975         The GetById->GetByOffset AI-based optimization should actually do things
976         https://bugs.webkit.org/show_bug.cgi?id=123299
977
978         Reviewed by Oliver Hunt.
979         
980         20% speed-up on Octane/gbemu.
981
982         * bytecode/GetByIdStatus.cpp:
983         (JSC::GetByIdStatus::computeFor): Actually finish filling in the Status by setting the state. Previously it would remain set to NoInformation, meaning that this whole method was a no-op.
984
985 2013-10-28  Carlos Garcia Campos  <cgarcia@igalia.com>
986
987         Unreviewed. Fix make distcheck.
988
989         * GNUmakefile.list.am: Add missing files to compilation.
990
991 2013-10-25  Oliver Hunt  <oliver@apple.com>
992
993         Refactor parser rollback logic
994         https://bugs.webkit.org/show_bug.cgi?id=123372
995
996         Reviewed by Brady Eidson.
997
998         Add a sane abstraction for rollbacks in the parser.
999
1000         * parser/Parser.cpp:
1001         (JSC::::parseSourceElements):
1002         (JSC::::parseObjectLiteral):
1003         * parser/Parser.h:
1004         (JSC::Parser::createSavePoint):
1005         (JSC::Parser::restoreSavePoint):
1006
1007 2013-10-25  peavo@outlook.com  <peavo@outlook.com>
1008
1009         [Win] Javascript crash with DFG JIT enabled.
1010         https://bugs.webkit.org/show_bug.cgi?id=121001
1011
1012         Reviewed by Geoffrey Garen.
1013
1014         On Windows, using the register GPRInfo::regT0 as a parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0)
1015         results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
1016         where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
1017         This causes the register to be written to address 0, hence the crash.
1018   
1019         * assembler/MacroAssemblerX86.h:
1020         (JSC::MacroAssemblerX86::storeDouble): Assert if we try to generate code which writes to a null pointer.
1021         * dfg/DFGOSRExitCompiler32_64.cpp:
1022         (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
1023         * dfg/DFGThunks.cpp:
1024         (JSC::DFG::osrExitGenerationThunkGenerator): Ditto.
1025
1026 2013-10-25  Oliver Hunt  <oliver@apple.com>
1027
1028         Fix a number of problems with destructuring of arguments
1029         https://bugs.webkit.org/show_bug.cgi?id=123357
1030
1031         Reviewed by Filip Pizlo.
1032
1033         This renames the destructuring node's emitBytecode to bindValue
1034         in order to remove the existing confusion over what was happening.
1035
1036         We then fix an incorrect fall through in the destructuring arguments
1037         logic, and fix the then exposed bug where we placed the index rather
1038         than value into the bound property.
1039
1040         * bytecompiler/BytecodeGenerator.cpp:
1041         (JSC::BytecodeGenerator::BytecodeGenerator):
1042         * bytecompiler/NodesCodegen.cpp:
1043         (JSC::ForInNode::emitBytecode):
1044         (JSC::ForOfNode::emitBytecode):
1045         (JSC::DeconstructingAssignmentNode::emitBytecode):
1046         (JSC::ArrayPatternNode::bindValue):
1047         (JSC::ArrayPatternNode::emitDirectBinding):
1048         (JSC::ObjectPatternNode::bindValue):
1049         (JSC::BindingNode::bindValue):
1050         * parser/Nodes.h:
1051
1052 2013-10-25  Joseph Pecoraro  <pecoraro@apple.com>
1053
1054         Upstream ENABLE(REMOTE_INSPECTOR) and enable on iOS and Mac
1055         https://bugs.webkit.org/show_bug.cgi?id=123111
1056
1057         Reviewed by Timothy Hatcher.
1058
1059         * Configurations/FeatureDefines.xcconfig:
1060
1061 2013-10-25  Oliver Hunt  <oliver@apple.com>
1062
1063         Fix MSVC again
1064
1065         * parser/Parser.cpp:
1066
1067 2013-10-25  Oliver Hunt  <oliver@apple.com>
1068
1069         Fix MSVC
1070
1071         * parser/Parser.cpp:
1072
1073 2013-10-25  Oliver Hunt  <oliver@apple.com>
1074
1075         Improve JSC Parser error messages
1076         https://bugs.webkit.org/show_bug.cgi?id=123341
1077
1078         Reviewed by Andreas Kling.
1079
1080         This patch moves away from the current kludgy mechanisms used to produce
1081         error messages and moves to something closer to case by case errors.
1082
1083         This results in a large change size as previously we may just have
1084         'failIfFalse(foo)', but now the logic becomes either
1085         'failIfFalseWithMessage(foo, "Cannot do blah with ", foo->thing())'
1086         Or alternatively
1087
1088         if (!foo)
1089             check for 'interesting' errors, before falling back to generic error
1090
1091         This means that this patch is large, but produces no semantic changes, and
1092         only hits slow (e.g. error) paths.
1093
1094         * parser/Parser.cpp:
1095         (JSC::::Parser):
1096         (JSC::::parseSourceElements):
1097         (JSC::::parseVarDeclaration):
1098         (JSC::::parseConstDeclaration):
1099         (JSC::::parseDoWhileStatement):
1100         (JSC::::parseWhileStatement):
1101         (JSC::::parseVarDeclarationList):
1102         (JSC::::createBindingPattern):
1103         (JSC::::parseDeconstructionPattern):
1104         (JSC::::parseConstDeclarationList):
1105         (JSC::::parseForStatement):
1106         (JSC::::parseBreakStatement):
1107         (JSC::::parseContinueStatement):
1108         (JSC::::parseReturnStatement):
1109         (JSC::::parseThrowStatement):
1110         (JSC::::parseWithStatement):
1111         (JSC::::parseSwitchStatement):
1112         (JSC::::parseSwitchClauses):
1113         (JSC::::parseSwitchDefaultClause):
1114         (JSC::::parseTryStatement):
1115         (JSC::::parseDebuggerStatement):
1116         (JSC::::parseBlockStatement):
1117         (JSC::::parseStatement):
1118         (JSC::::parseFormalParameters):
1119         (JSC::::parseFunctionBody):
1120         (JSC::stringForFunctionMode):
1121         (JSC::::parseFunctionInfo):
1122         (JSC::::parseFunctionDeclaration):
1123         (JSC::::parseExpressionOrLabelStatement):
1124         (JSC::::parseExpressionStatement):
1125         (JSC::::parseIfStatement):
1126         (JSC::::parseExpression):
1127         (JSC::::parseAssignmentExpression):
1128         (JSC::::parseConditionalExpression):
1129         (JSC::::parseBinaryExpression):
1130         (JSC::::parseProperty):
1131         (JSC::::parseObjectLiteral):
1132         (JSC::::parseStrictObjectLiteral):
1133         (JSC::::parseArrayLiteral):
1134         (JSC::::parsePrimaryExpression):
1135         (JSC::::parseArguments):
1136         (JSC::::parseMemberExpression):
1137         (JSC::operatorString):
1138         (JSC::::parseUnaryExpression):
1139         (JSC::::printUnexpectedTokenText):
1140         * parser/Parser.h:
1141         (JSC::Scope::hasDeclaredVariable):
1142         (JSC::Scope::hasDeclaredParameter):
1143         (JSC::Parser::hasDeclaredVariable):
1144         (JSC::Parser::hasDeclaredParameter):
1145         (JSC::Parser::setErrorMessage):
1146
1147 2013-10-24  Mark Rowe  <mrowe@apple.com>
1148
1149         Remove references to OS X 10.7 from Xcode configuration settings.
1150
1151         Now that we're not building for OS X 10.7 they're no longer needed.
1152
1153         Reviewed by Anders Carlsson.
1154
1155         * Configurations/Base.xcconfig:
1156         * Configurations/DebugRelease.xcconfig:
1157         * Configurations/FeatureDefines.xcconfig:
1158         * Configurations/Version.xcconfig:
1159
1160 2013-10-24  Mark Rowe  <mrowe@apple.com>
1161
1162         <rdar://problem/15312643> Prepare for the mysterious future.
1163
1164         Reviewed by David Kilzer.
1165
1166         * Configurations/Base.xcconfig:
1167         * Configurations/DebugRelease.xcconfig:
1168         * Configurations/FeatureDefines.xcconfig:
1169         * Configurations/Version.xcconfig:
1170
1171 2013-10-24  Mark Lam  <mark.lam@apple.com>
1172
1173         Better way to fix part of broken C Loop LLINT build.
1174         https://bugs.webkit.org/show_bug.cgi?id=123271
1175
1176         Reviewed by Geoffrey Garen.
1177
1178         Undoing offline asm hackery.
1179
1180         * llint/LowLevelInterpreter.cpp:
1181         * llint/LowLevelInterpreter32_64.asm:
1182         * llint/LowLevelInterpreter64.asm:
1183         * offlineasm/cloop.rb:
1184         * offlineasm/instructions.rb:
1185
1186 2013-10-24  Mark Lam  <mark.lam@apple.com>
1187
1188         Fix broken C Loop LLINT build.
1189         https://bugs.webkit.org/show_bug.cgi?id=123271
1190
1191         Reviewed by Michael Saboff.
1192
1193         * bytecode/CodeBlock.cpp:
1194         (JSC::CodeBlock::printGetByIdCacheStatus): Added an UNUSED_PARAM().
1195         (JSC::CodeBlock::dumpBytecode): Added #if ENABLE(JIT) to JIT only code.
1196         * bytecode/GetByIdStatus.cpp:
1197         (JSC::GetByIdStatus::computeFor): Added an UNUSED_PARAM().
1198         * bytecode/PutByIdStatus.cpp:
1199         (JSC::PutByIdStatus::computeFor): Added an UNUSED_PARAM().
1200         * bytecode/StructureStubInfo.h:
1201         - Added a stub StubInfoMap for non-JIT builds. StubInfoMap is still used
1202           in function prototypes even when !ENABLE(JIT). Rather than adding #if's
1203           in many places, we just provide a stub/placeholder implementation that
1204           is unused but keeps the compiler happy.
1205         * jit/JITOperations.h: Added #if ENABLE(JIT).
1206         * llint/LowLevelInterpreter32_64.asm:
1207         * llint/LowLevelInterpreter64.asm:
1208         - The putByVal() macro reifies a slow path which is never taken in one case.
1209           This translates into a label that is never used in the C Loop LLINT. The
1210           C++ compiler doesn't like unused labels. So, we fix this by adding a
1211           cloopUnusedLabel offline asm instruction that synthesizes the following:
1212
1213               if (false) goto unusedLabel;
1214
1215           This keeps the C++ compiler happy without changing code behavior.
1216         * offlineasm/cloop.rb: Implementing cloopUnusedLabel.
1217         * offlineasm/instructions.rb: Declaring cloopUnusedLabel.
1218         * runtime/Executable.cpp:
1219         (JSC::setupJIT): Added UNUSED_PARAM()s.
1220         (JSC::ScriptExecutable::prepareForExecutionImpl):
1221         - run-javascriptcore-tests has phases that force the LLINT to be off,
1222           which in turn asserts that the JIT is enabled. With the C Loop LLINT,
1223           this combination is illegal. So, we override the setup code here to
1224           always use the LLINT if !ENABLE(JIT) regardless of what options are
1225           passed in.
1226
1227 2013-10-24  peavo@outlook.com  <peavo@outlook.com>
1228
1229         Uninitialized member causes crash when DFG JIT is not enabled.
1230         https://bugs.webkit.org/show_bug.cgi?id=123270
1231
1232         Reviewed by Brent Fulgham.
1233
1234         The data member sizeOfLastScratchBuffer in the VM class is only initialized if DFG JIT is enabled, even though it's defined regardless.
1235         This causes an early crash on Windows, which doesn't have DFG JIT enabled.
1236
1237         * runtime/VM.cpp:
1238         (JSC::VM::VM): Initialize sizeOfLastScratchBuffer member regardless of whether DFG JIT is enabled.
1239
1240 2013-10-24  Ryuan Choi  <ryuan.choi@samsung.com>
1241
1242         [EFL] Build break with latest EFL 1.8 libraries.
1243         https://bugs.webkit.org/show_bug.cgi?id=123245
1244
1245         Reviewed by Gyuyoung Kim.
1246
1247         After the build break on EFL 1.8 was fixed at r138326, the EFL libraries changed
1248         the Eo typedef and split the header files which contain the version macro.
1249
1250         * PlatformEfl.cmake: Added EO path to include directories.
1251         * heap/HeapTimer.h: Changed Ecore_Timer typedef when EO exists.
1252
1253 2013-10-23  Filip Pizlo  <fpizlo@apple.com>
1254
1255         Put all uses of LLVM intrinsics behind a single Option
1256         https://bugs.webkit.org/show_bug.cgi?id=123219
1257
1258         Reviewed by Mark Hahnenberg.
1259
1260         * ftl/FTLExitThunkGenerator.cpp:
1261         (JSC::FTL::ExitThunkGenerator::emitThunk):
1262         * ftl/FTLLowerDFGToLLVM.cpp:
1263         (JSC::FTL::generateExitThunks):
1264         (JSC::FTL::LowerDFGToLLVM::compileGetById):
1265         (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
1266         (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
1267         * ftl/FTLOSRExitCompiler.cpp:
1268         (JSC::FTL::compileFTLOSRExit):
1269         * runtime/Options.h:
1270
1271 2013-10-23  Daniel Bates  <dabates@apple.com>
1272
1273         Fix JavaScriptCore build targets following <http://trac.webkit.org/changeset/157864>
1274         (https://bugs.webkit.org/show_bug.cgi?id=123169)
1275
1276         Tell Xcode that the supported platforms for all JavaScriptCore targets are iOS and OS X.
1277
1278         * Configurations/Base.xcconfig:
1279
1280 2013-10-23  Michael Saboff  <msaboff@apple.com>
1281
1282         LLInt arity check exception processing should start unwinding from caller
1283         https://bugs.webkit.org/show_bug.cgi?id=123209
1284
1285         Reviewed by Oliver Hunt.
1286
1287         Use the caller frame returned from slow_path_call_arityCheck to process exceptions.
1288
1289         * llint/LowLevelInterpreter32_64.asm:
1290         * llint/LowLevelInterpreter64.asm:
1291
1292 2013-10-22  Filip Pizlo  <fpizlo@apple.com>
1293
1294         FTL should be able to do some simple inline caches using LLVM patchpoints
1295         https://bugs.webkit.org/show_bug.cgi?id=123164
1296
1297         Reviewed by Mark Hahnenberg.
1298         
1299         This implements GetById inline caches in the FTL using llvm.webkit.patchpoint.
1300         
1301         The idea is that we ask LLVM for a nop slide the size of a GetById inline
1302         cache and then fill in the code after LLVM compilation is complete. For now, we
1303         just use the system calling convention for the arguments and return. We also
1304         still make some assumptions about registers that aren't correct. But, most of
1305         the scaffolding is there and this will successfully patch an inline cache.
1306
1307         * JavaScriptCore.xcodeproj/project.pbxproj:
1308         * assembler/AbstractMacroAssembler.h:
1309         * assembler/LinkBuffer.cpp:
1310         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
1311         (JSC::LinkBuffer::linkCode):
1312         (JSC::LinkBuffer::allocate):
1313         * assembler/LinkBuffer.h:
1314         (JSC::LinkBuffer::LinkBuffer):
1315         (JSC::LinkBuffer::link):
1316         * ftl/FTLAbbreviations.h:
1317         (JSC::FTL::constNull):
1318         (JSC::FTL::buildCall):
1319         * ftl/FTLCapabilities.cpp:
1320         (JSC::FTL::canCompile):
1321         * ftl/FTLCompile.cpp:
1322         (JSC::FTL::fixFunctionBasedOnStackMaps):
1323         * ftl/FTLInlineCacheDescriptor.h: Added.
1324         (JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
1325         (JSC::FTL::GetByIdDescriptor::GetByIdDescriptor):
1326         (JSC::FTL::GetByIdDescriptor::stackmapID):
1327         (JSC::FTL::GetByIdDescriptor::codeOrigin):
1328         (JSC::FTL::GetByIdDescriptor::uid):
1329         * ftl/FTLInlineCacheSize.cpp: Added.
1330         (JSC::FTL::sizeOfGetById):
1331         (JSC::FTL::sizeOfPutById):
1332         * ftl/FTLInlineCacheSize.h: Added.
1333         * ftl/FTLIntrinsicRepository.h:
1334         * ftl/FTLJITFinalizer.cpp:
1335         (JSC::FTL::JITFinalizer::finalizeFunction):
1336         * ftl/FTLJITFinalizer.h:
1337         * ftl/FTLLocation.cpp:
1338         (JSC::FTL::Location::directGPR):
1339         * ftl/FTLLocation.h:
1340         * ftl/FTLLowerDFGToLLVM.cpp:
1341         (JSC::FTL::LowerDFGToLLVM::compileGetById):
1342         * ftl/FTLOutput.h:
1343         (JSC::FTL::Output::call):
1344         * ftl/FTLSlowPathCall.cpp: Added.
1345         (JSC::FTL::callOperation):
1346         * ftl/FTLSlowPathCall.h: Added.
1347         (JSC::FTL::SlowPathCall::SlowPathCall):
1348         (JSC::FTL::SlowPathCall::call):
1349         (JSC::FTL::SlowPathCall::key):
1350         * ftl/FTLSlowPathCallKey.cpp: Added.
1351         (JSC::FTL::SlowPathCallKey::dump):
1352         * ftl/FTLSlowPathCallKey.h: Added.
1353         (JSC::FTL::SlowPathCallKey::SlowPathCallKey):
1354         (JSC::FTL::SlowPathCallKey::usedRegisters):
1355         (JSC::FTL::SlowPathCallKey::callTarget):
1356         (JSC::FTL::SlowPathCallKey::offset):
1357         (JSC::FTL::SlowPathCallKey::isEmptyValue):
1358         (JSC::FTL::SlowPathCallKey::isDeletedValue):
1359         (JSC::FTL::SlowPathCallKey::operator==):
1360         (JSC::FTL::SlowPathCallKey::hash):
1361         (JSC::FTL::SlowPathCallKeyHash::hash):
1362         (JSC::FTL::SlowPathCallKeyHash::equal):
1363         * ftl/FTLStackMaps.cpp:
1364         (JSC::FTL::StackMaps::Location::directGPR):
1365         * ftl/FTLStackMaps.h:
1366         * ftl/FTLState.h:
1367         * ftl/FTLThunks.cpp:
1368         (JSC::FTL::slowPathCallThunkGenerator):
1369         * ftl/FTLThunks.h:
1370         (JSC::FTL::Thunks::getSlowPathCallThunk):
1371         * jit/CCallHelpers.h:
1372         (JSC::CCallHelpers::setupArguments):
1373         * jit/GPRInfo.h:
1374         * jit/JITInlineCacheGenerator.cpp:
1375         (JSC::garbageStubInfo):
1376         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
1377         (JSC::JITByIdGenerator::finalize):
1378         * jit/JITInlineCacheGenerator.h:
1379         (JSC::JITByIdGenerator::slowPathBegin):
1380         * jit/RegisterSet.cpp:
1381         (JSC::RegisterSet::stackRegisters):
1382         (JSC::RegisterSet::specialRegisters):
1383         (JSC::RegisterSet::calleeSaveRegisters):
1384         (JSC::RegisterSet::allGPRs):
1385         (JSC::RegisterSet::allFPRs):
1386         (JSC::RegisterSet::allRegisters):
1387         (JSC::RegisterSet::dump):
1388         * jit/RegisterSet.h:
1389         (JSC::RegisterSet::exclude):
1390         (JSC::RegisterSet::numberOfSetRegisters):
1391         (JSC::RegisterSet::RegisterSet):
1392         (JSC::RegisterSet::isEmptyValue):
1393         (JSC::RegisterSet::isDeletedValue):
1394         (JSC::RegisterSet::operator==):
1395         (JSC::RegisterSet::hash):
1396         (JSC::RegisterSetHash::hash):
1397         (JSC::RegisterSetHash::equal):
1398         * runtime/Options.h:
1399
1400 2013-10-22  Filip Pizlo  <fpizlo@apple.com>
1401
1402         jitCompileAndSetHeuristics should DeferGCForAWhile
1403         https://bugs.webkit.org/show_bug.cgi?id=123196
1404
1405         Reviewed by Mark Hahnenberg.
1406         
1407         This fixes random crashes in V8v7/raytrace. I only see those crashes on exactly one of
1408         my machines. I don't think this is testable; we just need to steadily converge towards
1409         getting our uses of DeferGC to be right and then be careful not to regress. We're not
1410         there yet, obviously.
1411         
1412         * llint/LLIntSlowPaths.cpp:
1413         (JSC::LLInt::jitCompileAndSetHeuristics):
1414
1415 2013-10-23  Daniel Bates  <dabates@apple.com>
1416
1417         [iOS] Upstream more JavaScriptCore build configuration changes
1418         https://bugs.webkit.org/show_bug.cgi?id=123169
1419
1420         Reviewed by David Kilzer.
1421
1422         * Configurations/Base.xcconfig:
1423         * Configurations/Version.xcconfig:
1424         * Configurations/iOS.xcconfig: Added.
1425         * JavaScriptCore.xcodeproj/project.pbxproj:
1426
1427 2013-10-23  Daniel Bates  <dabates@apple.com>
1428
1429         [iOS] Export DefaultGCActivityCallback member functions
1430         https://bugs.webkit.org/show_bug.cgi?id=123175
1431
1432         Reviewed by David Kilzer.
1433
1434         * runtime/GCActivityCallback.h:
1435
1436 2013-10-23  Daniel Bates  <dabates@apple.com>
1437
1438         [iOS] Upstream more ARMv7s bits
1439         https://bugs.webkit.org/show_bug.cgi?id=123052
1440
1441         Reviewed by Joseph Pecoraro.
1442
1443         * Configurations/JavaScriptCore.xcconfig:
1444
1445 2013-10-22  Andreas Kling  <akling@apple.com>
1446
1447         Minor VM* -> VM& cleanups in HashTable and Keywords.
1448         <https://webkit.org/b/123183>
1449
1450         Turn some VM* variables that will never be null into VM&.
1451
1452         Reviewed by Geoffrey Garen.
1453
1454 2013-10-22  Geoffrey Garen  <ggaren@apple.com>
1455
1456         REGRESSION: `if (false === (true && undefined)) console.log("wrong!");` logs "wrong!", shouldn't!
1457         https://bugs.webkit.org/show_bug.cgi?id=123179
1458
1459         Reviewed by Mark Hahnenberg.
1460
1461         * parser/NodeConstructors.h:
1462         (JSC::LogicalOpNode::LogicalOpNode):
1463         * parser/ResultType.h:
1464         (JSC::ResultType::forLogicalOp): Don't assume that && produces a boolean.
1465         This is JavaScript (aka Sparta).
1466
1467 2013-10-22  Commit Queue  <commit-queue@webkit.org>
1468
1469         Unreviewed, rolling out r157819.
1470         http://trac.webkit.org/changeset/157819
1471         https://bugs.webkit.org/show_bug.cgi?id=123180
1472
1473         Broke 32-bit builds (Requested by smfr on #webkit).
1474
1475         * Configurations/JavaScriptCore.xcconfig:
1476         * Configurations/ToolExecutable.xcconfig:
1477
1478 2013-10-22  Daniel Bates  <dabates@apple.com>
1479
1480         [iOS] Upstream more ARMv7s bits
1481         https://bugs.webkit.org/show_bug.cgi?id=123052
1482
1483         Reviewed by Joseph Pecoraro.
1484
1485         * Configurations/JavaScriptCore.xcconfig:
1486         * Configurations/ToolExecutable.xcconfig: Enable CLANG_ENABLE_OBJC_ARC for i386 as I'm
1487         modifying a file in JavaScriptCore/Configurations.
1488
1489 2013-10-22  Daniel Bates  <dabates@apple.com>
1490
1491         [iOS] Upstream JSLock changes
1492         https://bugs.webkit.org/show_bug.cgi?id=123107
1493
1494         Reviewed by Geoffrey Garen.
1495
1496         * runtime/JSLock.cpp:
1497         (JSC::JSLock::unlock):
1498         (JSC::JSLock::dropAllLocks): Modified to take a SpinLock, used only on iOS.
1499         (JSC::JSLock::dropAllLocksUnconditionally): Modified to take a SpinLock, used only on iOS. Also
1500         use pre-increment instead of post-increment when we're not using the return value of the instruction.
1501         (JSC::JSLock::grabAllLocks): Modified to take a SpinLock, used only on iOS. Also change
1502         places where we were using post-increment/post-decrement to use pre-increment/pre-decrement,
1503         since we don't use the return value of such instructions.
1504         (JSC::JSLock::DropAllLocks::DropAllLocks): Modified to support releasing all locks unconditionally.
1505         Take a spin lock before releasing all locks on iOS. Also, use nullptr instead of 0.
1506         (JSC::JSLock::DropAllLocks::~DropAllLocks): Take a spin lock before acquiring all locks on iOS.
1507         * runtime/JSLock.h: Remove extraneous argument name "exec" from DropAllLocks as the data type of
1508         the argument is sufficiently descriptive of its purpose.
1509
1510 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1511
1512         [arm] Add missing setupArgumentsWithExecState() prototypes to fix build.
1513         https://bugs.webkit.org/show_bug.cgi?id=123166
1514
1515         Reviewed by Michael Saboff.
1516
1517         * jit/CCallHelpers.h:
1518         (JSC::CCallHelpers::setupArgumentsWithExecState):
1519
1520 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1521
1522         [sh4][mips][arm] Fix crashes in JSC (32-bit only).
1523         https://bugs.webkit.org/show_bug.cgi?id=123165
1524
1525         Reviewed by Michael Saboff.
1526
1527         * jit/JITInlines.h:
1528         (JSC::JIT::callOperationNoExceptionCheck): Add missing EABI_32BIT_DUMMY_ARG.
1529         (JSC::JIT::callOperation): The last TrustedImm32(arg3) is a bit overkill for SH4 :)
1530         (JSC::JIT::callOperation): Add missing EABI_32BIT_DUMMY_ARG.
1531         (JSC::JIT::callOperation): Fix tag and payload order for V_JITOperation_EJJJ prototype.
1532
1533 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1534
1535         REGRESSION(r157690, r157699) Fix architectures using AssemblerBufferWithConstantPool.
1536         https://bugs.webkit.org/show_bug.cgi?id=123092
1537
1538         Reviewed by Michael Saboff.
1539
1540         Impacted architectures are SH4 and ARM_TRADITIONAL.
1541
1542         * assembler/ARMAssembler.h:
1543         (JSC::ARMAssembler::buffer):
1544         * assembler/AssemblerBufferWithConstantPool.h:
1545         (JSC::AssemblerBufferWithConstantPool::flushConstantPool):
1546         * assembler/LinkBuffer.cpp:
1547         (JSC::LinkBuffer::linkCode):
1548         * assembler/SH4Assembler.h:
1549         (JSC::SH4Assembler::buffer):
1550
1551 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1552
1553         Remove unused stuff in JIT stubs.
1554         https://bugs.webkit.org/show_bug.cgi?id=123155
1555
1556         Reviewed by Michael Saboff.
1557
1558         * jit/JITStubs.h:
1559         * jit/JITStubsARM.h:
1560         (JSC::ctiTrampoline):
1561         * jit/JITStubsARM64.h:
1562         * jit/JITStubsARMv7.h:
1563         * jit/JITStubsMIPS.h:
1564         * jit/JITStubsSH4.h:
1565         * jit/JITStubsX86.h:
1566         * jit/JITStubsX86_64.h:
1567
1568 2013-10-22  Daniel Bates  <dabates@apple.com>
1569
1570         [iOS] Upstream OS-version-specific install paths for JavaScriptCore.framework
1571         https://bugs.webkit.org/show_bug.cgi?id=123115
1572         <rdar://problem/13696872>
1573
1574         Reviewed by Andy Estes.
1575
1576         Based on a patch by Mark Hahnenberg.
1577
1578         Add support for running JavaScriptCore-based apps, built against the iOS 7 SDK, on older versions of iOS.
1579
1580         * API/JSBase.cpp:
1581
1582 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1583
1584         [sh4] Add missing lastRegister(), firstFPRegister() and lastFPRegister(). 
1585         https://bugs.webkit.org/show_bug.cgi?id=123157
1586
1587         Reviewed by Andreas Kling.
1588
1589         * assembler/SH4Assembler.h:
1590         (JSC::SH4Assembler::lastRegister):
1591         (JSC::SH4Assembler::firstFPRegister):
1592         (JSC::SH4Assembler::lastFPRegister):
1593
1594 2013-10-22  Brian Holt  <brian.holt@samsung.com>
1595
1596         Build break on ARMv7 after r157209
1597         https://bugs.webkit.org/show_bug.cgi?id=122890
1598
1599         Reviewed by Csaba Osztrogonác.
1600
1601         Add framePointerRegister and first/last register helpers for ARM_TRADITIONAL.
1602
1603         * assembler/ARMAssembler.h:
1604         * assembler/MacroAssemblerARM.h:
1605         (JSC::MacroAssemblerARM::firstRegister):
1606         (JSC::MacroAssemblerARM::lastRegister):
1607         (JSC::MacroAssemblerARM::firstFPRegister):
1608         (JSC::MacroAssemblerARM::lastFPRegister):
1609
1610 2013-10-21  Daniel Bates  <dabates@apple.com>
1611
1612         [iOS] Upstream JSGlobalObject::shouldInterruptScriptBeforeTimeout()
1613         https://bugs.webkit.org/show_bug.cgi?id=123045
1614
1615         Reviewed by Joseph Pecoraro.
1616
1617         * jsc.cpp: Add function pointer for shouldInterruptScriptBeforeTimeout
1618         to global method table.
1619         * runtime/JSGlobalObject.cpp: Ditto.
1620         * runtime/JSGlobalObject.h:
1621         (JSC::JSGlobalObject::shouldInterruptScriptBeforeTimeout): Added.
1622
1623 2013-10-21  Daniel Bates  <dabates@apple.com>
1624
1625         [iOS] Upstream JSC Objective-C API compiler warning fixes
1626         https://bugs.webkit.org/show_bug.cgi?id=123125
1627
1628         Reviewed by Mark Hahnenberg.
1629
1630         Based on a patch by Mark Hahnenberg.
1631
1632         * API/JSValue.mm:
1633         (-[JSValue toPoint]): Cast to CGFloat to fix some compiler warnings about double narrowing to float.
1634         (-[JSValue toSize]): Ditto.
1635         * API/tests/testapi.mm: Changed a test that was failing due to overflow of 32-bit NSUInteger on armv7.
1636
1637 2013-10-21  Daniel Bates  <dabates@apple.com>
1638
1639         [iOS] Mark classes JS{Context, ManagedValue, Value, VirtualMachine} as
1640         available since iOS 7.0
1641         https://bugs.webkit.org/show_bug.cgi?id=123122
1642
1643         Reviewed by Dan Bernstein.
1644
1645         * API/JSContext.h:
1646         * API/JSManagedValue.h:
1647         * API/JSValue.h:
1648         * API/JSVirtualMachine.h:
1649
1650 2013-10-20  Mark Lam  <mark.lam@apple.com>
1651
1652         Avoid JSC debugger overhead unless needed.
1653         https://bugs.webkit.org/show_bug.cgi?id=123084.
1654
1655         Reviewed by Geoffrey Garen.
1656
1657         - If no breakpoints are set, we now avoid calling the debug hook callbacks.
1658         - If no break on exception is set, we also avoid exception event debug callbacks.
1659         - When we return from the ScriptDebugServer to the JSC::Debugger, we may no
1660           longer call the debug hook callbacks if not needed. Hence, the m_currentCallFrame
1661           pointer in the ScriptDebugServer may become stale. To avoid this issue, before
1662           returning, the ScriptDebugServer will clear its m_currentCallFrame if
1663           needsOpDebugCallbacks() is false.
1664
1665         * debugger/Debugger.cpp:
1666         (JSC::Debugger::Debugger):
1667         (JSC::Debugger::setNeedsExceptionCallbacks):
1668         (JSC::Debugger::setShouldPause):
1669         (JSC::Debugger::updateNumberOfBreakpoints):
1670         (JSC::Debugger::updateNeedForOpDebugCallbacks):
1671         * debugger/Debugger.h:
1672         * interpreter/Interpreter.cpp:
1673         (JSC::Interpreter::unwind):
1674         (JSC::Interpreter::debug):
1675         * jit/JITOpcodes.cpp:
1676         (JSC::JIT::emit_op_debug):
1677         * jit/JITOpcodes32_64.cpp:
1678         (JSC::JIT::emit_op_debug):
1679         * llint/LLIntOffsetsExtractor.cpp:
1680         * llint/LowLevelInterpreter.asm:
1681
1682 2013-10-21  Brent Fulgham  <bfulgham@apple.com>
1683
1684         [WIN] Unreviewed build correction.
1685
1686         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Handle new JIT files as C++ implementation
1687           sources, not header files.
1688         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
1689
1690 2013-10-21  Oliver Hunt  <oliver@apple.com>
1691
1692         Support computed property names in object literals
1693         https://bugs.webkit.org/show_bug.cgi?id=123112
1694
1695         Reviewed by Michael Saboff.
1696
1697         Add support for computed property names to the parser.
1698
1699         * bytecompiler/NodesCodegen.cpp:
1700         (JSC::PropertyListNode::emitBytecode):
1701         * parser/ASTBuilder.h:
1702         (JSC::ASTBuilder::createProperty):
1703         (JSC::ASTBuilder::getName):
1704         * parser/NodeConstructors.h:
1705         (JSC::PropertyNode::PropertyNode):
1706         * parser/Nodes.h:
1707         (JSC::PropertyNode::expressionName):
1708         (JSC::PropertyNode::name):
1709         * parser/Parser.cpp:
1710         (JSC::::parseProperty):
1711         (JSC::::parseStrictObjectLiteral):
1712         * parser/SyntaxChecker.h:
1713         (JSC::SyntaxChecker::Property::Property):
1714         (JSC::SyntaxChecker::createProperty):
1715         (JSC::SyntaxChecker::operatorStackPop):
1716
1717 2013-10-21  Michael Saboff  <msaboff@apple.com>
1718
1719         Add option so that JSC will crash if it can't allocate executable memory for the JITs
1720         https://bugs.webkit.org/show_bug.cgi?id=123048
1721         <rdar://problem/12856193>
1722
1723         Reviewed by Geoffrey Garen.
1724
1725         Added new option, called crashIfCantAllocateJITMemory. If this option is true then we crash
1726         when checking the validity of the executable allocator. The default value for this option is
1727         false, but jsc sets it to true when built for iOS to make it straightforward to identify whether
1728         the app can obtain executable memory.
1729
1730         * jsc.cpp: Explicitly enable crashIfCantAllocateJITMemory on iOS.
1731         (main):
1732         * runtime/Options.h: Added option crashIfCantAllocateJITMemory.
1733         * runtime/VM.cpp:
1734         (JSC::enableAssembler): Modified to crash if option crashIfCantAllocateJITMemory
1735         is enabled.
1736
1737 2013-10-21  Nadav Rotem  <nrotem@apple.com>
1738
1739         Remove AllInOneFile.cpp
1740         https://bugs.webkit.org/show_bug.cgi?id=123055
1741
1742         Reviewed by Csaba Osztrogonác.
1743
1744         * AllInOneFile.cpp: Removed.
1745
1746 2013-10-20  Filip Pizlo  <fpizlo@apple.com>
1747
1748         Unreviewed, cleanup a FIXME comment.
1749
1750         * jit/Repatch.cpp:
1751
1752 2013-10-20  Filip Pizlo  <fpizlo@apple.com>
1753
1754         StructureStubInfo's usedRegisters set should be able to track all registers, not just the ones that our JIT's view as temporaries
1755         https://bugs.webkit.org/show_bug.cgi?id=123076
1756
1757         Reviewed by Sam Weinig.
1758         
1759         Start preparing for a world in which we are patching code generated by LLVM, which may have
1760         very different register usage conventions than our JITs. This requires us being more explicit
1761         about the registers we are using. For example, the repatching code shouldn't take for granted
1762         that tagMaskRegister holds the TagMask or that the register is even in use.
1763
1764         * CMakeLists.txt:
1765         * GNUmakefile.list.am:
1766         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1767         * JavaScriptCore.xcodeproj/project.pbxproj:
1768         * assembler/MacroAssembler.h:
1769         (JSC::MacroAssembler::numberOfRegisters):
1770         (JSC::MacroAssembler::registerIndex):
1771         (JSC::MacroAssembler::numberOfFPRegisters):
1772         (JSC::MacroAssembler::fpRegisterIndex):
1773         (JSC::MacroAssembler::totalNumberOfRegisters):
1774         * bytecode/StructureStubInfo.h:
1775         * dfg/DFGSpeculativeJIT.cpp:
1776         (JSC::DFG::SpeculativeJIT::usedRegisters):
1777         * dfg/DFGSpeculativeJIT.h:
1778         * ftl/FTLSaveRestore.cpp:
1779         (JSC::FTL::bytesForGPRs):
1780         (JSC::FTL::bytesForFPRs):
1781         (JSC::FTL::offsetOfGPR):
1782         (JSC::FTL::offsetOfFPR):
1783         * jit/JITInlineCacheGenerator.cpp:
1784         (JSC::JITByIdGenerator::JITByIdGenerator):
1785         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1786         * jit/JITInlineCacheGenerator.h:
1787         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1788         * jit/JITPropertyAccess.cpp:
1789         (JSC::JIT::emit_op_get_by_id):
1790         (JSC::JIT::emit_op_put_by_id):
1791         * jit/JITPropertyAccess32_64.cpp:
1792         (JSC::JIT::emit_op_get_by_id):
1793         (JSC::JIT::emit_op_put_by_id):
1794         * jit/RegisterSet.cpp: Added.
1795         (JSC::RegisterSet::specialRegisters):
1796         * jit/RegisterSet.h: Added.
1797         (JSC::RegisterSet::RegisterSet):
1798         (JSC::RegisterSet::set):
1799         (JSC::RegisterSet::clear):
1800         (JSC::RegisterSet::get):
1801         (JSC::RegisterSet::merge):
1802         * jit/Repatch.cpp:
1803         (JSC::generateProtoChainAccessStub):
1804         (JSC::tryCacheGetByID):
1805         (JSC::tryBuildGetByIDList):
1806         (JSC::emitPutReplaceStub):
1807         (JSC::tryRepatchIn):
1808         (JSC::linkClosureCall):
1809         * jit/TempRegisterSet.cpp: Added.
1810         (JSC::TempRegisterSet::TempRegisterSet):
1811         * jit/TempRegisterSet.h:
1812
1813 2013-10-20  Julien Brianceau  <jbriance@cisco.com>
1814
1815         [sh4] Fix build (broken since r157690).
1816         https://bugs.webkit.org/show_bug.cgi?id=123081
1817
1818         Reviewed by Andreas Kling.
1819
1820         * assembler/AssemblerBufferWithConstantPool.h:
1821         * assembler/SH4Assembler.h:
1822         (JSC::SH4Assembler::buffer):
1823         (JSC::SH4Assembler::readCallTarget):
1824
1825 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
1826
1827         Simplify TempRegisterSet - it no longer needs to be convertible to a POD since it's no longer going to be a member of a union
1828         https://bugs.webkit.org/show_bug.cgi?id=123079
1829
1830         Reviewed by Geoffrey Garen.
1831
1832         * jit/TempRegisterSet.h:
1833
1834 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
1835
1836         Rename RegisterSet to TempRegisterSet
1837         https://bugs.webkit.org/show_bug.cgi?id=123077
1838
1839         Reviewed by Dan Bernstein.
1840
1841         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1842         * JavaScriptCore.xcodeproj/project.pbxproj:
1843         * bytecode/StructureStubInfo.h:
1844         * dfg/DFGJITCompiler.h:
1845         * dfg/DFGSpeculativeJIT.h:
1846         (JSC::DFG::SpeculativeJIT::usedRegisters):
1847         * jit/JITInlineCacheGenerator.cpp:
1848         (JSC::JITByIdGenerator::JITByIdGenerator):
1849         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1850         * jit/JITInlineCacheGenerator.h:
1851         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1852         * jit/JITPropertyAccess.cpp:
1853         (JSC::JIT::emit_op_get_by_id):
1854         (JSC::JIT::emit_op_put_by_id):
1855         * jit/JITPropertyAccess32_64.cpp:
1856         (JSC::JIT::emit_op_get_by_id):
1857         (JSC::JIT::emit_op_put_by_id):
1858         * jit/RegisterSet.h: Removed.
1859         * jit/ScratchRegisterAllocator.h:
1860         (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
1861         * jit/TempRegisterSet.h: Copied from Source/JavaScriptCore/jit/RegisterSet.h.
1862         (JSC::TempRegisterSet::TempRegisterSet):
1863         (JSC::TempRegisterSet::asPOD):
1864         (JSC::TempRegisterSet::copyInfo):
1865
1866 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
1867
1868         Restructure LinkBuffer to allow for alternate allocation strategies
1869         https://bugs.webkit.org/show_bug.cgi?id=123071
1870
1871         Reviewed by Oliver Hunt.
1872         
1873         The idea is to eventually allow a LinkBuffer to place the code into an already
1874         allocated region of memory.  That region of memory could be the nop-slide left behind
1875         by a llvm.webkit.patchpoint.
1876
1877         * assembler/ARM64Assembler.h:
1878         (JSC::ARM64Assembler::buffer):
1879         * assembler/AssemblerBuffer.h:
1880         * assembler/LinkBuffer.cpp:
1881         (JSC::LinkBuffer::copyCompactAndLinkCode):
1882         (JSC::LinkBuffer::linkCode):
1883         (JSC::LinkBuffer::allocate):
1884         (JSC::LinkBuffer::shrink):
1885         * assembler/LinkBuffer.h:
1886         (JSC::LinkBuffer::LinkBuffer):
1887         (JSC::LinkBuffer::didFailToAllocate):
1888         * assembler/X86Assembler.h:
1889         (JSC::X86Assembler::buffer):
1890         (JSC::X86Assembler::X86InstructionFormatter::memoryModRM):
1891
1892 2013-10-19  Alexey Proskuryakov  <ap@apple.com>
1893
1894         Some includes in JSC seem to use an incorrect style
1895         https://bugs.webkit.org/show_bug.cgi?id=123057
1896
1897         Reviewed by Geoffrey Garen.
1898
1899         Changed pseudo-system includes to user ones.
1900
1901         * API/JSContextRef.cpp:
1902         * API/JSStringRefCF.cpp:
1903         * API/JSValueRef.cpp:
1904         * API/OpaqueJSString.cpp:
1905         * jit/JIT.h:
1906         * parser/SyntaxChecker.h:
1907         * runtime/WeakGCMap.h:
1908
1909 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
1910
1911         Baseline JIT and DFG IC code generation should be unified and rationalized
1912         https://bugs.webkit.org/show_bug.cgi?id=122939
1913
1914         Reviewed by Geoffrey Garen.
1915         
1916         Introduce the JITInlineCacheGenerator, which takes a CodeBlock and a CodeOrigin plus
1917         some register info and creates JIT inline caches for you. Used this to even further
1918         unify the baseline and DFG ICs. In the future we can use this for FTL ICs. And my hope
1919         is that we'll be able to use it for cascading ICs: an IC for some instruction may realize
1920         that it needs to do the equivalent of get_by_id, so with this generator it will be able
1921         to create an IC even though it wasn't associated with a get_by_id bytecode instruction.
1922
1923         * CMakeLists.txt:
1924         * GNUmakefile.list.am:
1925         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1926         * JavaScriptCore.xcodeproj/project.pbxproj:
1927         * assembler/AbstractMacroAssembler.h:
1928         (JSC::AbstractMacroAssembler::DataLabelCompact::label):
1929         * bytecode/CodeBlock.h:
1930         (JSC::CodeBlock::ecmaMode):
1931         * dfg/DFGInlineCacheWrapper.h: Added.
1932         (JSC::DFG::InlineCacheWrapper::InlineCacheWrapper):
1933         * dfg/DFGInlineCacheWrapperInlines.h: Added.
1934         (JSC::DFG::::finalize):
1935         * dfg/DFGJITCompiler.cpp:
1936         (JSC::DFG::JITCompiler::link):
1937         * dfg/DFGJITCompiler.h:
1938         (JSC::DFG::JITCompiler::addGetById):
1939         (JSC::DFG::JITCompiler::addPutById):
1940         * dfg/DFGSpeculativeJIT32_64.cpp:
1941         (JSC::DFG::SpeculativeJIT::cachedGetById):
1942         (JSC::DFG::SpeculativeJIT::cachedPutById):
1943         * dfg/DFGSpeculativeJIT64.cpp:
1944         (JSC::DFG::SpeculativeJIT::cachedGetById):
1945         (JSC::DFG::SpeculativeJIT::cachedPutById):
1946         (JSC::DFG::SpeculativeJIT::compile):
1947         * jit/AssemblyHelpers.h:
1948         (JSC::AssemblyHelpers::isStrictModeFor):
1949         (JSC::AssemblyHelpers::strictModeFor):
1950         * jit/GPRInfo.h:
1951         (JSC::JSValueRegs::tagGPR):
1952         * jit/JIT.cpp:
1953         (JSC::JIT::JIT):
1954         (JSC::JIT::privateCompileSlowCases):
1955         (JSC::JIT::privateCompile):
1956         * jit/JIT.h:
1957         * jit/JITInlineCacheGenerator.cpp: Added.
1958         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
1959         (JSC::JITByIdGenerator::JITByIdGenerator):
1960         (JSC::JITByIdGenerator::finalize):
1961         (JSC::JITByIdGenerator::generateFastPathChecks):
1962         (JSC::JITGetByIdGenerator::generateFastPath):
1963         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1964         (JSC::JITPutByIdGenerator::generateFastPath):
1965         (JSC::JITPutByIdGenerator::slowPathFunction):
1966         * jit/JITInlineCacheGenerator.h: Added.
1967         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
1968         (JSC::JITInlineCacheGenerator::stubInfo):
1969         (JSC::JITByIdGenerator::JITByIdGenerator):
1970         (JSC::JITByIdGenerator::reportSlowPathCall):
1971         (JSC::JITByIdGenerator::slowPathJump):
1972         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1973         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1974         * jit/JITPropertyAccess.cpp:
1975         (JSC::JIT::emit_op_get_by_id):
1976         (JSC::JIT::emitSlow_op_get_by_id):
1977         (JSC::JIT::emit_op_put_by_id):
1978         (JSC::JIT::emitSlow_op_put_by_id):
1979         * jit/JITPropertyAccess32_64.cpp:
1980         (JSC::JIT::emit_op_get_by_id):
1981         (JSC::JIT::emitSlow_op_get_by_id):
1982         (JSC::JIT::emit_op_put_by_id):
1983         (JSC::JIT::emitSlow_op_put_by_id):
1984         * jit/RegisterSet.h:
1985         (JSC::RegisterSet::set):
1986
1987 2013-10-19  Alexey Proskuryakov  <ap@apple.com>
1988
1989         APICast.h uses functions from JSCJSValueInlines.h, but doesn't include it
1990         https://bugs.webkit.org/show_bug.cgi?id=123067
1991
1992         Reviewed by Geoffrey Garen.
1993
1994         * API/APICast.h: Include it.
1995
1996 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
1997
1998         FTL::Location should treat the offset as an addend in the case of a Register location
1999         https://bugs.webkit.org/show_bug.cgi?id=123062
2000
2001         Reviewed by Sam Weinig.
2002
2003         * ftl/FTLLocation.cpp:
2004         (JSC::FTL::Location::forStackmaps):
2005         (JSC::FTL::Location::dump):
2006         (JSC::FTL::Location::restoreInto):
2007         * ftl/FTLLocation.h:
2008         (JSC::FTL::Location::forRegister):
2009         (JSC::FTL::Location::hasAddend):
2010         (JSC::FTL::Location::addend):
2011
2012 2013-10-19  Nadav Rotem  <nrotem@apple.com>
2013
2014         DFG dominators: document and rename stuff.
2015         https://bugs.webkit.org/show_bug.cgi?id=123056
2016
2017         Reviewed by Filip Pizlo.
2018
2019         Documented the code and renamed some variables.
2020
2021         * dfg/DFGDominators.cpp:
2022         (JSC::DFG::Dominators::compute):
2023         (JSC::DFG::Dominators::pruneDominators):
2024         * dfg/DFGDominators.h:
2025
2026 2013-10-19  Julien Brianceau  <jbriance@cisco.com>
2027
2028         Fix build failure for architectures with 4 argument registers.
2029         https://bugs.webkit.org/show_bug.cgi?id=123060
2030
2031         Reviewed by Michael Saboff.
2032
2033         Add missing setupArgumentsWithExecState() prototypes for architectures with 4 argument registers.
2034         Remove SH4 specific code no longer needed since callOperation prototype change in r157660.
2035
2036         * dfg/DFGSpeculativeJIT.h:
2037         (JSC::DFG::SpeculativeJIT::callOperation):
2038         * jit/CCallHelpers.h:
2039         (JSC::CCallHelpers::setupArgumentsWithExecState):
2040         * jit/JITInlines.h:
2041         (JSC::JIT::callOperation):
2042
2043 2013-10-18  Filip Pizlo  <fpizlo@apple.com>
2044
2045         Unreviewed, fix FTL build.
2046
2047         * ftl/FTLIntrinsicRepository.h:
2048         * ftl/FTLLowerDFGToLLVM.cpp:
2049         (JSC::FTL::LowerDFGToLLVM::compileGetById):
2050
2051 2013-10-18  Filip Pizlo  <fpizlo@apple.com>
2052
2053         A CodeBlock's StructureStubInfos shouldn't be in a Vector that we search using code origins and machine code PCs
2054         https://bugs.webkit.org/show_bug.cgi?id=122940
2055
2056         Reviewed by Oliver Hunt.
2057         
2058         This accomplishes a number of simplifications. StructureStubInfo is now non-moving,
2059         whereas previously it was in a Vector, so it moved. This allows you to use pointers to
2060         StructureStubInfo. This also eliminates the use of return PC as a way of finding the
2061         StructureStubInfo's. It removes some of the need for the compile-time property access
2062         records; for example the DFG no longer has to save information about registers in a
2063         property access record only to later save it to the stub info.
2064         
2065         The main thing is accomplishes is that it makes it easier to add StructureStubInfo's
2066         at any stage of compilation.
2067
2068         * bytecode/CodeBlock.cpp:
2069         (JSC::CodeBlock::printGetByIdCacheStatus):
2070         (JSC::CodeBlock::dumpBytecode):
2071         (JSC::CodeBlock::~CodeBlock):
2072         (JSC::CodeBlock::propagateTransitions):
2073         (JSC::CodeBlock::finalizeUnconditionally):
2074         (JSC::CodeBlock::addStubInfo):
2075         (JSC::CodeBlock::getStubInfoMap):
2076         (JSC::CodeBlock::shrinkToFit):
2077         * bytecode/CodeBlock.h:
2078         (JSC::CodeBlock::begin):
2079         (JSC::CodeBlock::end):
2080         (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
2081         * bytecode/CodeOrigin.h:
2082         (JSC::CodeOrigin::CodeOrigin):
2083         (JSC::CodeOrigin::isHashTableDeletedValue):
2084         (JSC::CodeOrigin::hash):
2085         (JSC::CodeOriginHash::hash):
2086         (JSC::CodeOriginHash::equal):
2087         * bytecode/GetByIdStatus.cpp:
2088         (JSC::GetByIdStatus::computeFor):
2089         * bytecode/GetByIdStatus.h:
2090         * bytecode/PutByIdStatus.cpp:
2091         (JSC::PutByIdStatus::computeFor):
2092         * bytecode/PutByIdStatus.h:
2093         * bytecode/StructureStubInfo.h:
2094         (JSC::getStructureStubInfoCodeOrigin):
2095         * dfg/DFGByteCodeParser.cpp:
2096         (JSC::DFG::ByteCodeParser::parseBlock):
2097         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2098         * dfg/DFGJITCompiler.cpp:
2099         (JSC::DFG::JITCompiler::link):
2100         * dfg/DFGJITCompiler.h:
2101         (JSC::DFG::PropertyAccessRecord::PropertyAccessRecord):
2102         (JSC::DFG::InRecord::InRecord):
2103         * dfg/DFGSpeculativeJIT.cpp:
2104         (JSC::DFG::SpeculativeJIT::compileIn):
2105         * dfg/DFGSpeculativeJIT.h:
2106         (JSC::DFG::SpeculativeJIT::callOperation):
2107         * dfg/DFGSpeculativeJIT32_64.cpp:
2108         (JSC::DFG::SpeculativeJIT::cachedGetById):
2109         (JSC::DFG::SpeculativeJIT::cachedPutById):
2110         * dfg/DFGSpeculativeJIT64.cpp:
2111         (JSC::DFG::SpeculativeJIT::cachedGetById):
2112         (JSC::DFG::SpeculativeJIT::cachedPutById):
2113         * jit/CCallHelpers.h:
2114         (JSC::CCallHelpers::setupArgumentsWithExecState):
2115         * jit/JIT.cpp:
2116         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
2117         (JSC::JIT::privateCompile):
2118         * jit/JIT.h:
2119         (JSC::PropertyStubCompilationInfo::slowCaseInfo):
2120         * jit/JITInlines.h:
2121         (JSC::JIT::callOperation):
2122         * jit/JITOperations.cpp:
2123         * jit/JITOperations.h:
2124         * jit/JITPropertyAccess.cpp:
2125         (JSC::JIT::emitSlow_op_get_by_id):
2126         (JSC::JIT::emitSlow_op_put_by_id):
2127         * jit/JITPropertyAccess32_64.cpp:
2128         (JSC::JIT::emitSlow_op_get_by_id):
2129         (JSC::JIT::emitSlow_op_put_by_id):
2130         * jit/Repatch.cpp:
2131         (JSC::appropriateGenericPutByIdFunction):
2132         (JSC::appropriateListBuildingPutByIdFunction):
2133         (JSC::resetPutByID):
2134
2135 2013-10-18  Oliver Hunt  <oliver@apple.com>
2136
2137         Spread operator should be performing direct "puts" and not triggering setters
2138         https://bugs.webkit.org/show_bug.cgi?id=123047
2139
2140         Reviewed by Geoffrey Garen.
2141
2142         Add a new opcode -- op_put_by_val_direct -- and make use of it in the spread-to-array
2143         construct.  This required a new PutByValDirect node to be introduced to
2144         the DFG.  The current implementation simply changes the slow path function that
2145         is called, but in future this could be made faster as it does not need to check
2146         the prototype chain.
2147
2148         * bytecode/CodeBlock.cpp:
2149         (JSC::CodeBlock::dumpBytecode):
2150         (JSC::CodeBlock::CodeBlock):
2151         * bytecode/Opcode.h:
2152         (JSC::padOpcodeName):
2153         * bytecompiler/BytecodeGenerator.cpp:
2154         (JSC::BytecodeGenerator::emitDirectPutByVal):
2155         * bytecompiler/BytecodeGenerator.h:
2156         * bytecompiler/NodesCodegen.cpp:
2157         (JSC::ArrayNode::emitBytecode):
2158         * dfg/DFGAbstractInterpreterInlines.h:
2159         (JSC::DFG::::executeEffects):
2160         * dfg/DFGBackwardsPropagationPhase.cpp:
2161         (JSC::DFG::BackwardsPropagationPhase::propagate):
2162         * dfg/DFGByteCodeParser.cpp:
2163         (JSC::DFG::ByteCodeParser::parseBlock):
2164         * dfg/DFGCSEPhase.cpp:
2165         (JSC::DFG::CSEPhase::getArrayLengthElimination):
2166         (JSC::DFG::CSEPhase::getByValLoadElimination):
2167         (JSC::DFG::CSEPhase::checkStructureElimination):
2168         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
2169         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
2170         (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
2171         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
2172         (JSC::DFG::CSEPhase::performNodeCSE):
2173         * dfg/DFGCapabilities.cpp:
2174         (JSC::DFG::capabilityLevel):
2175         * dfg/DFGClobberize.h:
2176         (JSC::DFG::clobberize):
2177         * dfg/DFGFixupPhase.cpp:
2178         (JSC::DFG::FixupPhase::fixupNode):
2179         * dfg/DFGGraph.h:
2180         (JSC::DFG::Graph::clobbersWorld):
2181         * dfg/DFGNode.h:
2182         (JSC::DFG::Node::hasArrayMode):
2183         * dfg/DFGNodeType.h:
2184         * dfg/DFGOperations.cpp:
2185         (JSC::DFG::putByVal):
2186         (JSC::DFG::operationPutByValInternal):
2187         * dfg/DFGOperations.h:
2188         * dfg/DFGPredictionPropagationPhase.cpp:
2189         (JSC::DFG::PredictionPropagationPhase::propagate):
2190         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
2191         * dfg/DFGSafeToExecute.h:
2192         (JSC::DFG::safeToExecute):
2193         * dfg/DFGSpeculativeJIT32_64.cpp:
2194         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
2195         (JSC::DFG::SpeculativeJIT::compile):
2196         * dfg/DFGSpeculativeJIT64.cpp:
2197         (JSC::DFG::SpeculativeJIT::compile):
2198         * dfg/DFGTypeCheckHoistingPhase.cpp:
2199         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2200         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
2201         * jit/JIT.cpp:
2202         (JSC::JIT::privateCompileMainPass):
2203         (JSC::JIT::privateCompileSlowCases):
2204         * jit/JIT.h:
2205         (JSC::JIT::compileDirectPutByVal):
2206         * jit/JITOperations.cpp:
2207         * jit/JITOperations.h:
2208         * jit/JITPropertyAccess.cpp:
2209         (JSC::JIT::emitSlow_op_put_by_val):
2210         (JSC::JIT::privateCompilePutByVal):
2211         * jit/JITPropertyAccess32_64.cpp:
2212         (JSC::JIT::emitSlow_op_put_by_val):
2213         * llint/LLIntSlowPaths.cpp:
2214         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2215         * llint/LLIntSlowPaths.h:
2216         * llint/LowLevelInterpreter32_64.asm:
2217         * llint/LowLevelInterpreter64.asm:
2218
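The following is an added example, not WebKit code, illustrating the semantics the entry above (bug 123047, op_put_by_val_direct) enforces. Spread must create the result array's elements with a direct "put" (define own property) rather than an ordinary assignment, because assignment walks the prototype chain and will run a setter that page script has installed on Array.prototype. The hostile accessors, the naive spread and the probe helper below are all constructed for the demonstration.

```javascript
// Added example, not WebKit code. Demonstrates why spread must use a
// direct "put" (CreateDataProperty) rather than an ordinary [[Set]]:
// [[Set]] walks the prototype chain and invokes a setter that page
// script installed on Array.prototype, so the result never gets its
// own elements and the setter observes every spread value.

// Constructed log of setter invocations. A Map is used deliberately: an
// Array would itself hit the hostile setters on push() and recurse.
const setterLog = new Map();

// Constructed hostile prototype state: accessors for indices "0" and "1".
function installIndexSetters() {
  for (const idx of ["0", "1"]) {
    Object.defineProperty(Array.prototype, idx, {
      configurable: true,
      get() { return undefined; },
      set(v) { setterLog.set(idx, v); },
    });
  }
}

function removeIndexSetters() {
  for (const idx of ["0", "1"]) delete Array.prototype[idx];
}

// The buggy shape: out[i] = v is an ordinary [[Set]]. With the accessors
// installed, the setter runs and the result array never gets own elements.
function naiveSpread(iterable) {
  const out = [];
  let i = 0;
  for (const v of iterable) out[i++] = v;
  return out;
}

// Native spread: the engine emits a direct put for each element.
function engineSpread(iterable) {
  return [...iterable];
}

// What a "direct put" means, written out: define an own data property,
// ignoring anything on the prototype chain.
function directPutSpread(iterable) {
  const out = [];
  let i = 0;
  for (const v of iterable) {
    Object.defineProperty(out, String(i++), {
      value: v, writable: true, enumerable: true, configurable: true,
    });
  }
  return out;
}

// Runs one spread implementation under the hostile prototype and reports
// which setters fired and which own elements the result actually has.
// The source literal [10, 20] is built with own properties, so iterating
// it is unaffected by the accessors.
function probe(spreadFn) {
  setterLog.clear();
  installIndexSetters();
  try {
    const result = spreadFn([10, 20]);
    return {
      setterCalls: Array.from(setterLog.keys()),
      ownKeys: Object.keys(result),
      length: result.length,
    };
  } finally {
    removeIndexSetters();
  }
}
```

probe(naiveSpread) reports both setters firing and an empty result, while probe(engineSpread) and probe(directPutSpread) report no setter calls and own elements "0" and "1". Any engine path that builds arrays from an iterable with plain assignment is reentrant into page script in the same way.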
2219 2013-10-18  Daniel Bates  <dabates@apple.com>
2220
2221         [iOS] Export symbol for VM::sharedInstanceExists()
2222         https://bugs.webkit.org/show_bug.cgi?id=123046
2223
2224         Reviewed by Mark Hahnenberg.
2225
2226         * runtime/VM.h:
2227
2228 2013-10-18  Daniel Bates  <dabates@apple.com>
2229
2230         [iOS] Upstream WebSafe{GCActivityCallback, IncrementalSweeper}IOS
2231         https://bugs.webkit.org/show_bug.cgi?id=123049
2232
2233         Reviewed by Mark Hahnenberg.
2234
2235         * heap/Heap.cpp:
2236         (JSC::Heap::setIncrementalSweeper):
2237         * heap/Heap.h:
2238         * heap/HeapTimer.h:
2239         * heap/IncrementalSweeper.h: Make protected and export CF-variant of constructor.
2240         Removed unused include of header RetainPtr.h. Also forward declare class MarkedBlock
2241         (we include its header in the .cpp file) and remove include for header wtf/HashSet.h
2242         (duplicates the include in the .cpp).
2243         * heap/MachineStackMarker.h: Export function makeUsableFromMultipleThreads(). We aren't
2244         making use of this now, but we'll make use of it in a subsequent patch.
2245
2246 2013-10-18  Anders Carlsson  <andersca@apple.com>
2247
2248         Remove spaces between template angle brackets
2249         https://bugs.webkit.org/show_bug.cgi?id=123040
2250
2251         Reviewed by Andreas Kling.
2252
2253         * API/JSCallbackObject.cpp:
2254         (JSC::::create):
2255         * API/JSObjectRef.cpp:
2256         * bytecode/CodeBlock.h:
2257         (JSC::CodeBlock::constants):
2258         (JSC::CodeBlock::setConstantRegisters):
2259         * bytecode/DFGExitProfile.h:
2260         * bytecode/EvalCodeCache.h:
2261         * bytecode/Operands.h:
2262         * bytecode/UnlinkedCodeBlock.h:
2263         (JSC::UnlinkedCodeBlock::constantRegisters):
2264         * bytecode/Watchpoint.h:
2265         * bytecompiler/BytecodeGenerator.h:
2266         * bytecompiler/StaticPropertyAnalysis.h:
2267         * bytecompiler/StaticPropertyAnalyzer.h:
2268         * dfg/DFGArgumentsSimplificationPhase.cpp:
2269         * dfg/DFGBlockInsertionSet.h:
2270         * dfg/DFGCSEPhase.cpp:
2271         (JSC::DFG::performCSE):
2272         (JSC::DFG::performStoreElimination):
2273         * dfg/DFGCommonData.h:
2274         * dfg/DFGDesiredStructureChains.h:
2275         * dfg/DFGDesiredWatchpoints.h:
2276         * dfg/DFGJITCompiler.h:
2277         * dfg/DFGOSRExitCompiler32_64.cpp:
2278         (JSC::DFG::OSRExitCompiler::compileExit):
2279         * dfg/DFGOSRExitCompiler64.cpp:
2280         (JSC::DFG::OSRExitCompiler::compileExit):
2281         * dfg/DFGWorklist.h:
2282         * heap/BlockAllocator.h:
2283         (JSC::CopiedBlock):
2284         (JSC::MarkedBlock):
2285         (JSC::WeakBlock):
2286         (JSC::MarkStackSegment):
2287         (JSC::CopyWorkListSegment):
2288         (JSC::HandleBlock):
2289         * heap/Heap.h:
2290         * heap/Local.h:
2291         * heap/MarkedBlock.h:
2292         * heap/Strong.h:
2293         * jit/AssemblyHelpers.cpp:
2294         (JSC::AssemblyHelpers::decodedCodeMapFor):
2295         * jit/AssemblyHelpers.h:
2296         * jit/SpecializedThunkJIT.h:
2297         * parser/Nodes.h:
2298         * parser/Parser.cpp:
2299         (JSC::::parseIfStatement):
2300         * parser/Parser.h:
2301         (JSC::Scope::copyCapturedVariablesToVector):
2302         (JSC::parse):
2303         * parser/ParserArena.h:
2304         * parser/SourceProviderCacheItem.h:
2305         * profiler/LegacyProfiler.cpp:
2306         (JSC::dispatchFunctionToProfiles):
2307         * profiler/LegacyProfiler.h:
2308         (JSC::LegacyProfiler::currentProfiles):
2309         * profiler/ProfileNode.h:
2310         (JSC::ProfileNode::children):
2311         * profiler/ProfilerDatabase.h:
2312         * runtime/Butterfly.h:
2313         (JSC::Butterfly::contiguousInt32):
2314         (JSC::Butterfly::contiguous):
2315         * runtime/GenericTypedArrayViewInlines.h:
2316         (JSC::::create):
2317         * runtime/Identifier.h:
2318         (JSC::Identifier::add):
2319         * runtime/JSPromise.h:
2320         * runtime/PropertyMapHashTable.h:
2321         * runtime/PropertyNameArray.h:
2322         * runtime/RegExpCache.h:
2323         * runtime/SparseArrayValueMap.h:
2324         * runtime/SymbolTable.h:
2325         * runtime/VM.h:
2326         * tools/CodeProfile.cpp:
2327         (JSC::truncateTrace):
2328         * tools/CodeProfile.h:
2329         * yarr/YarrInterpreter.cpp:
2330         * yarr/YarrInterpreter.h:
2331         (JSC::Yarr::BytecodePattern::BytecodePattern):
2332         * yarr/YarrJIT.cpp:
2333         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
2334         (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
2335         (JSC::Yarr::YarrGenerator::opCompileBody):
2336         * yarr/YarrPattern.cpp:
2337         (JSC::Yarr::YarrPatternConstructor::checkForTerminalParentheses):
2338         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
2339         * yarr/YarrPattern.h:
2340
2341 2013-10-18  Mark Lam  <mark.lam@apple.com>
2342
2343         Remove excess reserved space in ctiTrampoline frames for X86 and X86_64.
2344         https://bugs.webkit.org/show_bug.cgi?id=123037.
2345
2346         Reviewed by Geoffrey Garen.
2347
2348         * jit/JITStubsMSVC64.asm:
2349         * jit/JITStubsX86.h:
2350         * jit/JITStubsX86_64.h:
2351
2352 2013-10-18  Filip Pizlo  <fpizlo@apple.com>
2353
2354         Frequent RELEASE_ASSERT crashes in Structure::checkOffsetConsistency on WebGL swizzler tests
2355         https://bugs.webkit.org/show_bug.cgi?id=121661
2356
2357         Reviewed by Mark Hahnenberg.
2358         
2359         This method shouldn't have been called from the concurrent JIT thread. That's hard to prevent
2360         so I added a return-early check using isCompilationThread().
2361         
2362         Here's why this makes sense. Structure has two ways to tell you about the layout of the objects
2363         it is describing: m_offset and the property table. Most structures only have m_offset and report
2364         null for the property table. If the property table is there, it will tell you additional
2365         information and that information subsumes m_offset - but the m_offset is still there. So, when
2366         we have a property table, we have to keep it in sync with the m_offset. There is a bunch of
2367         machinery to do this.
2368         
2369         Changing the property table only happens on the main thread.
2370         
2371         Because the machinery to change the property table is so complex, especially with respect to
2372         keeping it in sync with m_offset, we have the checkOffsetConsistency method. It's meant to be
2373         called at key points before and after changes to the property table or the offset.
2374
2375         Most clients of Structure who care about object layout, including the concurrent thread, will
2376         want to know m_offset and not the property table. If they want the property table, they will
2377         already be super careful. The concurrent thread has special methods for this, like
2378         Structure::getConcurrently(), which uses fine-grained locking to ensure that it sees a coherent
2379         view of the property table.
2380         
2381         Adding locking to checkOffsetConsistency() is probably a bad idea since that method may be
2382         called when the relevant lock is already held. So, we'd have awkward recursive locking issues.
2383         
2384         But right now, the concurrent JIT thread may call a method, like Structure::outOfLineCapacity(),
2385         which has a call to checkOffsetConsistency(). The call to checkOffsetConsistency() is there
2386         because we have found that it helps quickly identify situations where the property table and
2387         m_offset get out of sync - mainly because code that changes either of those things will usually
2388         also want to know the outOfLineCapacity(). But Structure::outOfLineCapacity() doesn't *actually*
2389         need the property table; it uses the m_offset. The concurrent JIT is correct to call
2390         outOfLineCapacity(), and is right to do so without holding any locks (since in all cases where
2391         it calls outOfLineCapacity() it has already proven that m_offset is immutable). But because
2392         outOfLineCapacity() calls checkOffsetConsistency(), and checkOffsetConsistency() doesn't grab
2393         locks, and that same structure is having its property table modified by the main thread, we end
2394         up with these spurious assertion failures. FWIW, the structure isn't *actually* having *its*
2395         property table modified - instead what happens is that some downstream structure steals the
2396         property table and then starts adding things to it. The concurrent thread loads the property
2397         table before it's stolen, and hence the badness.
2398         
2399         I suspect there are other code paths that lead to the concurrent JIT calling some Structure
2400         method that it is fine and safe to call, but then that method calls checkOffsetConsistency(),
2401         and then you have a possible crash.
2402         
2403         The most sensible solution to this appears to be to make sure that checkOffsetConsistency() is
2404         aware of its uselessness to the concurrent JIT thread. This change makes it return early if
2405         it's in the concurrent JIT.
2406         
2407         * runtime/StructureInlines.h:
2408         (JSC::Structure::checkOffsetConsistency):
2409
2410 2013-10-18  Daniel Bates  <dabates@apple.com>
2411
2412         Add SPI to disable the garbage collector timer
2413         https://bugs.webkit.org/show_bug.cgi?id=122921
2414
2415         Add null check to Heap::setGarbageCollectionTimerEnabled() that I inadvertently
2416         omitted.
2417
2418         * heap/Heap.cpp:
2419         (JSC::Heap::setGarbageCollectionTimerEnabled):
2420
2421 2013-10-18  Julien Brianceau  <jbriance@cisco.com>
2422
2423         Group 64-bit specific and 32-bit specific callOperation implementations.
2424         https://bugs.webkit.org/show_bug.cgi?id=123024
2425
2426         Reviewed by Michael Saboff.
2427
2428         This is not a big deal, but could be less confusing when reading the code.
2429
2430         * jit/JITInlines.h:
2431         (JSC::JIT::callOperation):
2432         (JSC::JIT::callOperationWithCallFrameRollbackOnException):
2433         (JSC::JIT::callOperationNoExceptionCheck):
2434
2435 2013-10-18  Nadav Rotem  <nrotem@apple.com>
2436
2437         Fix a FlushLiveness problem.
2438         https://bugs.webkit.org/show_bug.cgi?id=122984
2439
2440         Reviewed by Filip Pizlo.
2441
2442         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
2443         (JSC::DFG::FlushLivenessAnalysisPhase::process):
2444
2445 2013-10-18  Michael Saboff  <msaboff@apple.com>
2446
2447         Change native function call stubs to use JIT operations instead of ctiVMHandleException
2448         https://bugs.webkit.org/show_bug.cgi?id=122982
2449
2450         Reviewed by Geoffrey Garen.
2451
2452         Change ctiVMHandleException to operationVMHandleException.  Change all exception operations to
2453         return the catch callFrame and entryPC via vm.callFrameForThrow and vm.targetMachinePCForThrow.
2454         This removed calling convention headaches, fixing https://bugs.webkit.org/show_bug.cgi?id=122980
2455         in the process.
2456
2457         * dfg/DFGJITCompiler.cpp:
2458         (JSC::DFG::JITCompiler::compileExceptionHandlers):
2459         * jit/CCallHelpers.h:
2460         (JSC::CCallHelpers::jumpToExceptionHandler):
2461         * jit/JIT.cpp:
2462         (JSC::JIT::privateCompileExceptionHandlers):
2463         * jit/JIT.h:
2464         * jit/JITExceptions.cpp:
2465         (JSC::genericUnwind):
2466         * jit/JITExceptions.h:
2467         * jit/JITInlines.h:
2468         (JSC::JIT::callOperationNoExceptionCheck):
2469         * jit/JITOpcodes.cpp:
2470         (JSC::JIT::emit_op_throw):
2471         * jit/JITOpcodes32_64.cpp:
2472         (JSC::JIT::privateCompileCTINativeCall):
2473         (JSC::JIT::emit_op_throw):
2474         * jit/JITOperations.cpp:
2475         * jit/JITOperations.h:
2476         * jit/JITStubs.cpp:
2477         * jit/JITStubs.h:
2478         * jit/JITStubsARM.h:
2479         * jit/JITStubsARM64.h:
2480         * jit/JITStubsARMv7.h:
2481         * jit/JITStubsMIPS.h:
2482         * jit/JITStubsMSVC64.asm:
2483         * jit/JITStubsSH4.h:
2484         * jit/JITStubsX86.h:
2485         * jit/JITStubsX86_64.h:
2486         * jit/Repatch.cpp:
2487         (JSC::tryBuildGetByIDList):
2488         * jit/SlowPathCall.h:
2489         (JSC::JITSlowPathCall::call):
2490         * jit/ThunkGenerators.cpp:
2491         (JSC::throwExceptionFromCallSlowPathGenerator):
2492         (JSC::nativeForGenerator):
2493         * runtime/VM.h:
2494         (JSC::VM::callFrameForThrowOffset):
2495         (JSC::VM::targetMachinePCForThrowOffset):
2496
2497 2013-10-18  Julien Brianceau  <jbriance@cisco.com>
2498
2499         Fix J_JITOperation_EAapJ call for MIPS and ARM EABI.
2500         https://bugs.webkit.org/show_bug.cgi?id=123023
2501
2502         Reviewed by Michael Saboff.
2503
2504         * jit/JITInlines.h:
2505         (JSC::JIT::callOperation): An EncodedJSValue parameter does not need alignment
2506         using EABI_32BIT_DUMMY_ARG here.
2507
2508 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
2509
2510         Unreviewed, another ARM64 build fix.
2511         
2512         Get rid of andPtr(TrustedImmPtr, blah), since it would take Effort to get it to work
2513         on ARM64 and none of its uses are legit - they should all be using
2514         andPtr(TrustedImm32, blah) anyway.
2515
2516         * assembler/MacroAssembler.h:
2517         * assembler/MacroAssemblerARM64.h:
2518         * dfg/DFGJITCompiler.cpp:
2519         (JSC::DFG::JITCompiler::compileExceptionHandlers):
2520         * jit/JIT.cpp:
2521         (JSC::JIT::privateCompileExceptionHandlers):
2522
2523 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
2524
2525         Unreviewed, speculative ARM64 build fix.
2526         
2527         move(ImmPtr, blah) is only available in MacroAssembler since that's where blinding is
2528         implemented. So, you have to use TrustedImmPtr in the superclasses.
2529
2530         * assembler/MacroAssemblerARM64.h:
2531         (JSC::MacroAssemblerARM64::store8):
2532         (JSC::MacroAssemblerARM64::branchTest8):
2533
2534 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
2535
2536         Unreviewed, speculative ARM build fix.
2537         https://bugs.webkit.org/show_bug.cgi?id=122890
2538         <rdar://problem/15258624>
2539
2540         * assembler/ARM64Assembler.h:
2541         (JSC::ARM64Assembler::firstRegister):
2542         (JSC::ARM64Assembler::lastRegister):
2543         (JSC::ARM64Assembler::firstFPRegister):
2544         (JSC::ARM64Assembler::lastFPRegister):
2545         * assembler/MacroAssemblerARM64.h:
2546         * assembler/MacroAssemblerARMv7.h:
2547
2548 2013-10-17  Andreas Kling  <akling@apple.com>
2549
2550         Pass VM instead of JSGlobalObject to JSONObject constructor.
2551         <https://webkit.org/b/122999>
2552
2553         JSONObject was only using the JSGlobalObject to grab at the VM.
2554         Dodge a few loads by passing the VM directly instead.
2555
2556         Reviewed by Geoffrey Garen.
2557
2558         * runtime/JSONObject.cpp:
2559         (JSC::JSONObject::JSONObject):
2560         (JSC::JSONObject::finishCreation):
2561         * runtime/JSONObject.h:
2562         (JSC::JSONObject::create):
2563
2564 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2565
2566         Removed the JITStackFrame struct
2567         https://bugs.webkit.org/show_bug.cgi?id=123001
2568
2569         Reviewed by Anders Carlsson.
2570
2571         * jit/JITStubs.h: JITStackFrame and JITStubArg are unused now, since all
2572         our helper functions obey the C function call ABI.
2573
2574 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2575
2576         Removed an unused #define
2577         https://bugs.webkit.org/show_bug.cgi?id=123000
2578
2579         Reviewed by Anders Carlsson.
2580
2581         * jit/JITStubs.h: Removed the concept of JITSTACKFRAME_ARGS_INDEX,
2582         since it is unused now. This is a step toward using the C stack.
2583
2584 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2585
2586         Eliminate uses of JITSTACKFRAME_ARGS_INDEX as scratch area for thunks
2587         https://bugs.webkit.org/show_bug.cgi?id=122973
2588
2589         Reviewed by Michael Saboff.
2590
2591         * jit/ThunkGenerators.cpp:
2592         (JSC::throwExceptionFromCallSlowPathGenerator): This was all dead code,
2593         so I removed it.
2594
2595         The code acted as if it needed to pass an argument to
2596         lookupExceptionHandler, and as if it passed that argument to itself
2597         through JITStackFrame. However, lookupExceptionHandler does not take
2598         an argument (other than the default ExecState argument), and the code
2599         did not initialize the thing that it thought it passed to itself!
2600
2601 2013-10-17  Alex Christensen  <achristensen@webkit.org>
2602
2603         Run JavaScriptCore tests again on Windows.
2604         https://bugs.webkit.org/show_bug.cgi?id=122787
2605
2606         Reviewed by Tim Horton.
2607
2608         * JavaScriptCore.vcxproj/JavaScriptCore.sln: Added.
2609         * jit/JITStubsMSVC64.asm: Removed reference to cti_vm_throw unused since r157581.
2610
2611 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2612
2613         Removed restoreArgumentReference (another use of JITStackFrame)
2614         https://bugs.webkit.org/show_bug.cgi?id=122997
2615
2616         Reviewed by Oliver Hunt.
2617
2618         * jit/JSInterfaceJIT.h: Removed an unused function. This is a step
2619         toward using the C stack.
2620
2621 2013-10-17  Oliver Hunt  <oliver@apple.com>
2622
2623         Remove JITStubCall.h
2624         https://bugs.webkit.org/show_bug.cgi?id=122991
2625
2626         Reviewed by Geoff Garen.
2627
2628         Happily this is no longer used.
2629
2630         * GNUmakefile.list.am:
2631         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2632         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2633         * JavaScriptCore.xcodeproj/project.pbxproj:
2634         * jit/JIT.cpp:
2635         * jit/JITArithmetic.cpp:
2636         * jit/JITArithmetic32_64.cpp:
2637         * jit/JITCall.cpp:
2638         * jit/JITCall32_64.cpp:
2639         * jit/JITOpcodes.cpp:
2640         * jit/JITOpcodes32_64.cpp:
2641         * jit/JITPropertyAccess.cpp:
2642         * jit/JITPropertyAccess32_64.cpp:
2643         * jit/JITStubCall.h: Removed.
2644
2645 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2646
2647         Removed a use of JITSTACKFRAME_ARGS_INDEX
2648         https://bugs.webkit.org/show_bug.cgi?id=122989
2649
2650         Reviewed by Oliver Hunt.
2651
2652         * jit/JITStubCall.h: Removed an unused function. This is one step closer
2653         to using the C stack.
2654
2655 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2656
2657         Change emit_op_catch to use another method to materialize VM
2658         https://bugs.webkit.org/show_bug.cgi?id=122977
2659
2660         Reviewed by Oliver Hunt.
2661
2662         * jit/JITOpcodes.cpp:
2663         (JSC::JIT::emit_op_catch):
2664         * jit/JITOpcodes32_64.cpp:
2665         (JSC::JIT::emit_op_catch): Use a constant. It removes our dependency
2666         on JITStackFrame. It is also faster and simpler.
2667
2668 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2669
2670         Eliminate emitGetJITStubArg() - dead code
2671         https://bugs.webkit.org/show_bug.cgi?id=122975
2672
2673         Reviewed by Anders Carlsson.
2674
2675         * jit/JIT.h:
2676         * jit/JITInlines.h: Removed unused, deprecated function.
2677
2678 2013-10-17  Mark Lam  <mark.lam@apple.com>
2679
2680         Eliminate all ASSERT references to OBJECT_OFFSETOF(struct JITStackFrame,...) in JITStubsXXX.h.
2681         https://bugs.webkit.org/show_bug.cgi?id=122979.
2682
2683         Reviewed by Michael Saboff.
2684
2685         * jit/JITStubs.cpp:
2686         * jit/JITStubs.h:
2687         * jit/JITStubsARM.h:
2688         * jit/JITStubsARM64.h:
2689         * jit/JITStubsARMv7.h:
2690         * jit/JITStubsMIPS.h:
2691         * jit/JITStubsSH4.h:
2692         * jit/JITStubsX86.h:
2693         * jit/JITStubsX86_64.h:
2694         * runtime/VM.cpp:
2695         (JSC::VM::VM):
2696
2697 2013-10-17  Michael Saboff  <msaboff@apple.com>
2698
2699         Remove saving callFrameRegister to JITStackFrame in JITCompiler::compileFunction()
2700         https://bugs.webkit.org/show_bug.cgi?id=122974
2701
2702         Reviewed by Geoffrey Garen.
2703
2704         Eliminated unneeded storing to JITStackFrame.
2705
2706         * dfg/DFGJITCompiler.cpp:
2707         (JSC::DFG::JITCompiler::compileFunction):
2708
2709 2013-10-17  Michael Saboff  <msaboff@apple.com>
2710
2711         Transition cti_op_throw and cti_vm_throw to a JIT operation
2712         https://bugs.webkit.org/show_bug.cgi?id=122931
2713
2714         Reviewed by Filip Pizlo.
2715
2716         Moved cti_op_throw to operationThrow.  Made the caller responsible for jumping to the
2717         catch handler.  Eliminated cti_op_throw_static_error, cti_vm_throw, ctiVMThrowTrampoline()
2718         and their callers as it is now dead code.  There is some work needed on the Microsoft X86
2719         callOperation to handle the need to provide space for a structure return value.
2720
2721         * jit/JIT.h:
2722         * jit/JITInlines.h:
2723         (JSC::JIT::callOperation):
2724         * jit/JITOpcodes.cpp:
2725         (JSC::JIT::emit_op_throw):
2726         * jit/JITOpcodes32_64.cpp:
2727         (JSC::JIT::emit_op_throw):
2728         (JSC::JIT::emit_op_catch):
2729         * jit/JITOperations.cpp:
2730         * jit/JITOperations.h:
2731         * jit/JITStubs.cpp:
2732         * jit/JITStubs.h:
2733         * jit/JITStubsARM.h:
2734         * jit/JITStubsARM64.h:
2735         * jit/JITStubsARMv7.h:
2736         * jit/JITStubsMIPS.h:
2737         * jit/JITStubsMSVC64.asm:
2738         * jit/JITStubsSH4.h:
2739         * jit/JITStubsX86.h:
2740         * jit/JITStubsX86_64.h:
2741         * jit/JSInterfaceJIT.h:
2742
2743 2013-10-17  Mark Lam  <mark.lam@apple.com>
2744
2745         Remove JITStackFrame references in the C Loop LLINT.
2746         https://bugs.webkit.org/show_bug.cgi?id=122950.
2747
2748         Reviewed by Michael Saboff.
2749
2750         * jit/JITStubs.h:
2751         * llint/LowLevelInterpreter.cpp:
2752         (JSC::CLoop::execute):
2753         * offlineasm/cloop.rb:
2754
2755 2013-10-17  Mark Lam  <mark.lam@apple.com>
2756
2757         Remove JITStackFrame references in JIT probes.
2758         https://bugs.webkit.org/show_bug.cgi?id=122947.
2759
2760         Reviewed by Michael Saboff.
2761
2762         * assembler/MacroAssemblerARM.cpp:
2763         (JSC::MacroAssemblerARM::ProbeContext::dump):
2764         * assembler/MacroAssemblerARM.h:
2765         * assembler/MacroAssemblerARMv7.cpp:
2766         (JSC::MacroAssemblerARMv7::ProbeContext::dump):
2767         * assembler/MacroAssemblerARMv7.h:
2768         * assembler/MacroAssemblerX86Common.cpp:
2769         (JSC::MacroAssemblerX86Common::ProbeContext::dump):
2770         * assembler/MacroAssemblerX86Common.h:
2771         * jit/JITStubsARM.h:
2772         * jit/JITStubsARMv7.h:
2773         * jit/JITStubsX86.h:
2774         * jit/JITStubsX86Common.h:
2775         * jit/JITStubsX86_64.h:
2776
2777 2013-10-17  Julien Brianceau  <jbriance@cisco.com>
2778
2779         Fix build when NUMBER_OF_ARGUMENT_REGISTERS == 4.
2780         https://bugs.webkit.org/show_bug.cgi?id=122949
2781
2782         Reviewed by Andreas Kling.
2783
2784         * jit/CCallHelpers.h:
2785         (JSC::CCallHelpers::setupArgumentsWithExecState):
2786
2787 2013-10-16  Mark Lam  <mark.lam@apple.com>
2788
2789         Transition remaining op_get* JITStubs to JIT operations.
2790         https://bugs.webkit.org/show_bug.cgi?id=122925.
2791
2792         Reviewed by Geoffrey Garen.
2793
2794         Transitioning:
2795             cti_op_get_by_id_generic
2796             cti_op_get_by_val
2797             cti_op_get_by_val_generic
2798             cti_op_get_by_val_string
2799
2800         * dfg/DFGOperations.cpp:
2801         * dfg/DFGOperations.h:
2802         * jit/JIT.h:
2803         * jit/JITInlines.h:
2804         (JSC::JIT::callOperation):
2805         * jit/JITOpcodes.cpp:
2806         (JSC::JIT::emitSlow_op_get_arguments_length):
2807         (JSC::JIT::emitSlow_op_get_argument_by_val):
2808         * jit/JITOpcodes32_64.cpp:
2809         (JSC::JIT::emitSlow_op_get_arguments_length):
2810         (JSC::JIT::emitSlow_op_get_argument_by_val):
2811         * jit/JITOperations.cpp:
2812         * jit/JITOperations.h:
2813         * jit/JITPropertyAccess.cpp:
2814         (JSC::JIT::emitSlow_op_get_by_val):
2815         (JSC::JIT::emitSlow_op_get_by_pname):
2816         (JSC::JIT::privateCompileGetByVal):
2817         * jit/JITPropertyAccess32_64.cpp:
2818         (JSC::JIT::emitSlow_op_get_by_val):
2819         (JSC::JIT::emitSlow_op_get_by_pname):
2820         * jit/JITStubs.cpp:
2821         * jit/JITStubs.h:
2822         * runtime/Executable.cpp:
2823         (JSC::setupLLInt): Added some UNUSED_PARAMs to fix the no LLINT build.
2824         * runtime/Options.cpp:
2825         (JSC::Options::initialize):
2826
2827 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2828
2829         Introduce WTF::Bag and start using it for InlineCallFrameSet
2830         https://bugs.webkit.org/show_bug.cgi?id=122941
2831
2832         Reviewed by Geoffrey Garen.
2833         
2834         Use Bag for InlineCallFrameSet. If this works out then I'll make other
2835         SegmentedVectors into Bags as well.
2836
2837         * bytecode/InlineCallFrameSet.cpp:
2838         (JSC::InlineCallFrameSet::add):
2839         * bytecode/InlineCallFrameSet.h:
2840         (JSC::InlineCallFrameSet::begin):
2841         (JSC::InlineCallFrameSet::end):
2842         * dfg/DFGArgumentsSimplificationPhase.cpp:
2843         (JSC::DFG::ArgumentsSimplificationPhase::run):
2844         * dfg/DFGJITCompiler.cpp:
2845         (JSC::DFG::JITCompiler::link):
2846         * dfg/DFGStackLayoutPhase.cpp:
2847         (JSC::DFG::StackLayoutPhase::run):
2848         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
2849         (JSC::DFG::VirtualRegisterAllocationPhase::run):
2850
2851 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2852
2853         libllvmForJSC shouldn't call exit(1) on report_fatal_error()
2854         https://bugs.webkit.org/show_bug.cgi?id=122905
2855         <rdar://problem/15237856>
2856
2857         Reviewed by Michael Saboff.
2858         
2859         Expose the new LLVMInstallFatalErrorHandler() API through the soft linking magic and
2860         then always call it to install something that calls CRASH().
2861
2862         * llvm/InitializeLLVM.cpp:
2863         (JSC::llvmCrash):
2864         (JSC::initializeLLVMOnce):
2865         (JSC::initializeLLVM):
2866         * llvm/LLVMAPIFunctions.h:
2867
2868 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2869
2870         Prototype chain repatching in the polymorphic case fails to check if the receiver is a dictionary
2871         https://bugs.webkit.org/show_bug.cgi?id=122938
2872
2873         Reviewed by Sam Weinig.
2874         
2875         This fixes jsc-layout-tests.yaml/js/script-tests/dictionary-prototype-caching.js.layout-no-llint.
2876
2877         * jit/Repatch.cpp:
2878         (JSC::tryBuildGetByIDList):
2879
2880 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2881
2882         JIT::appendCall() needs to killLastResultRegister() or equivalent since there's some really bad code that expects it
2883         https://bugs.webkit.org/show_bug.cgi?id=122937
2884
2885         Reviewed by Geoffrey Garen.
2886         
2887         JITStubCall used to do it.
2888         
2889         This makes mozilla-tests.yaml/ecma/Statements/12.10-1.js.mozilla-baseline pass.
2890
2891         * jit/JIT.h:
2892         (JSC::JIT::appendCall):
2893
2894 2013-10-16  Michael Saboff  <msaboff@apple.com>
2895
2896         transition void cti_op_put_by_val* stubs to JIT operations
2897         https://bugs.webkit.org/show_bug.cgi?id=122903
2898
2899         Reviewed by Geoffrey Garen.
2900
2901         Transitioned cti_op_put_by_val and cti_op_put_by_val_generic to operationPutByVal and
2902         operationPutByValGeneric.
2903
2904         * jit/CCallHelpers.h:
2905         (JSC::CCallHelpers::setupArgumentsWithExecState):
2906         * jit/JIT.h:
2907         * jit/JITInlines.h:
2908         (JSC::JIT::callOperation):
2909         * jit/JITOperations.cpp:
2910         * jit/JITOperations.h:
2911         * jit/JITPropertyAccess.cpp:
2912         (JSC::JIT::emitSlow_op_put_by_val):
2913         (JSC::JIT::privateCompilePutByVal):
2914         * jit/JITPropertyAccess32_64.cpp:
2915         (JSC::JIT::emitSlow_op_put_by_val):
2916         * jit/JITStubs.cpp:
2917         * jit/JITStubs.h:
2918         * jit/JSInterfaceJIT.h:
2919
2920 2013-10-16  Oliver Hunt  <oliver@apple.com>
2921
2922         Implement ES6 spread operator
2923         https://bugs.webkit.org/show_bug.cgi?id=122911
2924
2925         Reviewed by Michael Saboff.
2926
2927         Implement the ES6 spread operator
2928
2929         This has a little bit of refactoring to move the enumeration logic out of ForOfNode
2930         and into BytecodeGenerator, and then adds the logic to make it nicely callback
2931         driven.
2932
2933         The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
2934         and actually handling the spread.
2935
2936         * bytecompiler/BytecodeGenerator.cpp:
2937         (JSC::BytecodeGenerator::emitNewArray):
2938         (JSC::BytecodeGenerator::emitCall):
2939         (JSC::BytecodeGenerator::emitEnumeration):
2940         * bytecompiler/BytecodeGenerator.h:
2941         * bytecompiler/NodesCodegen.cpp:
2942         (JSC::ArrayNode::emitBytecode):
2943         (JSC::ForOfNode::emitBytecode):
2944         (JSC::SpreadExpressionNode::emitBytecode):
2945         * parser/ASTBuilder.h:
2946         (JSC::ASTBuilder::createSpreadExpression):
2947         * parser/Lexer.cpp:
2948         (JSC::::lex):
2949         * parser/NodeConstructors.h:
2950         (JSC::SpreadExpressionNode::SpreadExpressionNode):
2951         * parser/Nodes.h:
2952         (JSC::ExpressionNode::isSpreadExpression):
2953         (JSC::SpreadExpressionNode::expression):
2954         * parser/Parser.cpp:
2955         (JSC::::parseArrayLiteral):
2956         (JSC::::parseArguments):
2957         (JSC::::parseMemberExpression):
2958         * parser/Parser.h:
2959         (JSC::Parser::getTokenName):
2960         (JSC::Parser::updateErrorMessageSpecialCase):
2961         * parser/ParserTokens.h:
2962         * parser/SyntaxChecker.h:
2963         (JSC::SyntaxChecker::createSpreadExpression):
2964
2965 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2966
2967         Add a useLLInt option to jsc
2968         https://bugs.webkit.org/show_bug.cgi?id=122930
2969
2970         Reviewed by Geoffrey Garen.
2971
2972         * runtime/Executable.cpp:
2973         (JSC::setupLLInt):
2974         (JSC::setupJIT):
2975         (JSC::ScriptExecutable::prepareForExecutionImpl):
2976         * runtime/Options.h:
2977
2978 2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>
2979
2980         Build fix.
2981
2982         Forgot to svn add DeferGC.cpp
2983
2984         * heap/DeferGC.cpp: Added.
2985
2986 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2987
2988         r157411 fails run-javascriptcore-tests when run with Baseline JIT
2989         https://bugs.webkit.org/show_bug.cgi?id=122902
2990
2991         Reviewed by Mark Hahnenberg.
2992         
2993         It turns out that this was a long-standing bug in the DFG PutById repatching logic. It's
2994         not legal to patch if the typeInfo tells you that you can't patch. The old JIT's patching
2995         logic did this right, and the DFG's GetById patching logic did it right; but DFG PutById
2996         didn't. Turns out that there's even a helpful method,
2997         Structure::propertyAccessesAreCacheable(), that will even do all of the checks for you!
2998
2999         * jit/Repatch.cpp:
3000         (JSC::tryCachePutByID):
3001
3002 2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>
3003
3004         llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
3005         https://bugs.webkit.org/show_bug.cgi?id=122667
3006
3007         Reviewed by Geoffrey Garen.
3008
3009         The issue this patch is attempting to fix is that there are places in our codebase
3010         where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
3011         operations that can initiate a garbage collection. Garbage collection then calls 
3012         some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
3013         always necessarily run during garbage collection). This causes a deadlock.
3014  
3015         To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores 
3016         into a thread-local field that indicates that it is unsafe to perform any operation 
3017         that could trigger garbage collection on the current thread. In debug builds, 
3018         ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly 
3019         detect deadlocks.
3020  
3021         This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
3022         which uses the DeferGC mechanism to prevent collections from occurring while the 
3023         lock is held.
3024
3025         * CMakeLists.txt:
3026         * GNUmakefile.list.am:
3027         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3028         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3029         * JavaScriptCore.xcodeproj/project.pbxproj:
3030         * heap/DeferGC.h:
3031         (JSC::DisallowGC::DisallowGC):
3032         (JSC::DisallowGC::~DisallowGC):
3033         (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
3034         (JSC::DisallowGC::initialize):
3035         * jit/Repatch.cpp:
3036         (JSC::repatchPutByID):
3037         (JSC::buildPutByIdList):
3038         * llint/LLIntSlowPaths.cpp:
3039         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3040         * runtime/ConcurrentJITLock.h:
3041         (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
3042         (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
3043         (JSC::ConcurrentJITLockerBase::unlockEarly):
3044         (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
3045         (JSC::GCSafeConcurrentJITLocker::~GCSafeConcurrentJITLocker):
3046         (JSC::GCSafeConcurrentJITLocker::NoDefer::NoDefer):
3047         (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
3048         * runtime/InitializeThreading.cpp:
3049         (JSC::initializeThreadingOnce):
3050         * runtime/JSCellInlines.h:
3051         (JSC::allocateCell):
3052         * runtime/JSSymbolTableObject.h:
3053         (JSC::symbolTablePut):
3054         * runtime/Structure.cpp: materializePropertyMapIfNecessary* now has a problem in that it
3055         can start a garbage collection when the GCSafeConcurrentJITLocker goes out of scope, but 
3056         before the caller has a chance to use the newly created PropertyTable. The garbage collection
3057         clears the PropertyTable, and then the caller uses it assuming it's valid. To avoid this,
3058         we must DeferGC until the caller is done getting the newly materialized PropertyTable from 
3059         the Structure.
3060         (JSC::Structure::materializePropertyMap):
3061         (JSC::Structure::despecifyDictionaryFunction):
3062         (JSC::Structure::changePrototypeTransition):
3063         (JSC::Structure::despecifyFunctionTransition):
3064         (JSC::Structure::attributeChangeTransition):
3065         (JSC::Structure::toDictionaryTransition):
3066         (JSC::Structure::preventExtensionsTransition):
3067         (JSC::Structure::takePropertyTableOrCloneIfPinned):
3068         (JSC::Structure::isSealed):
3069         (JSC::Structure::isFrozen):
3070         (JSC::Structure::addPropertyWithoutTransition):
3071         (JSC::Structure::removePropertyWithoutTransition):
3072         (JSC::Structure::get):
3073         (JSC::Structure::despecifyFunction):
3074         (JSC::Structure::despecifyAllFunctions):
3075         (JSC::Structure::putSpecificValue):
3076         (JSC::Structure::createPropertyMap):
3077         (JSC::Structure::getPropertyNamesFromStructure):
3078         * runtime/Structure.h:
3079         (JSC::Structure::materializePropertyMapIfNecessary):
3080         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
3081         * runtime/StructureInlines.h:
3082         (JSC::Structure::get):
3083         * runtime/SymbolTable.h:
3084         (JSC::SymbolTable::find):
3085         (JSC::SymbolTable::end):
3086
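        Added example (not part of this ChangeLog or of JavaScriptCore's sources) illustrating the
        DisallowGC / DeferGC / GCSafeConcurrentJITLocker mechanism the entry above describes, together
        with the materializePropertyMapIfNecessary hazard it notes for runtime/Structure.cpp. Only the
        guard class names follow the entry; everything else (the gcguard namespace, the Heap, Collect,
        collectIfNecessary and propertyTableLive stand-ins, and the four demonstration functions) is
        assumed for illustration and does not correspond to JSC's API. A real std::mutex re-locked by
        the thread that already holds it blocks forever, so the sketch uses try_lock to report that
        outcome as a value instead of hanging.

```cpp
#include <mutex>

// Added sketch, not JavaScriptCore's code: the RAII guards the entry describes, reduced
// to one thread and one "CodeBlock" lock so the deadlock and both fixes can be exercised.
namespace gcguard {
thread_local unsigned g_gcDisallowDepth = 0;  // DisallowGC nesting on this thread

// Scope in which triggering a collection on this thread is a bug. JSC embeds one
// in ConcurrentJITLocker only in debug builds; here it is unconditional.
struct DisallowGC {
    DisallowGC() { ++g_gcDisallowDepth; }
    ~DisallowGC() { --g_gcDisallowDepth; }
    static bool isGCDisallowedOnCurrentThread() { return g_gcDisallowDepth > 0; }
};
enum class Collect { Done, Deferred, WouldDeadlock };

struct Heap {
    std::mutex codeBlockLock;        // stands in for a CodeBlock's ConcurrentJITLock
    unsigned collections = 0;
    unsigned deferralDepth = 0;
    bool collectionPending = false;
    bool propertyTableLive = false;  // stands in for a materialized PropertyTable

    Collect collectIfNecessary() {
        if (DisallowGC::isGCDisallowedOnCurrentThread())
            return Collect::WouldDeadlock;  // eager detection instead of a hang
        if (deferralDepth > 0) {
            collectionPending = true;       // run when the outermost DeferGC ends
            return Collect::Deferred;
        }
        // Marking visits every CodeBlock and takes its lock; if the caller already
        // holds it a real mutex blocks forever. try_lock models that outcome.
        if (!codeBlockLock.try_lock())
            return Collect::WouldDeadlock;
        ++collections;
        propertyTableLive = false;          // the collector clears the PropertyTable
        codeBlockLock.unlock();
        return Collect::Done;
    }
};

// Postpones collections while alive; runs a pending one when the outermost scope ends.
struct DeferGC {
    Heap& heap;
    explicit DeferGC(Heap& h) : heap(h) { ++heap.deferralDepth; }
    ~DeferGC() {
        if (--heap.deferralDepth == 0 && heap.collectionPending) {
            heap.collectionPending = false;
            heap.collectIfNecessary();
        }
    }
};
// Plain locker: its DisallowGC turns a collection attempted under the lock into a
// reported error rather than a deadlock.
struct ConcurrentJITLocker {
    std::lock_guard<std::mutex> lock;
    DisallowGC disallowGC;
    explicit ConcurrentJITLocker(Heap& heap) : lock(heap.codeBlockLock) {}
};
// GC-safe locker: DeferGC is declared first, so it is destroyed last and the
// deferred collection runs only after the lock has been released.
struct GCSafeConcurrentJITLocker {
    DeferGC deferGC;
    std::lock_guard<std::mutex> lock;
    explicit GCSafeConcurrentJITLocker(Heap& heap) : deferGC(heap), lock(heap.codeBlockLock) {}
};

// An allocation (modelled as collectIfNecessary) under the plain lock is caught ...
Collect allocateUnderPlainLock(Heap& heap) {
    ConcurrentJITLocker locker(heap);
    return heap.collectIfNecessary();
}
// ... and under the GC-safe lock is deferred until the locker has unlocked.
Collect allocateUnderGCSafeLock(Heap& heap) {
    GCSafeConcurrentJITLocker locker(heap);
    return heap.collectIfNecessary();
}

// The materializePropertyMapIfNecessary hazard: the deferred collection fires as
// the GC-safe locker dies, and the caller then reads a table it already cleared.
bool materializeWithoutOuterDefer(Heap& heap) {
    {
        GCSafeConcurrentJITLocker locker(heap);
        heap.propertyTableLive = true;
        heap.collectIfNecessary();  // an allocation during materialization
    }
    return heap.propertyTableLive;  // false: already cleared
}
// The fix: the caller keeps its own DeferGC alive until it is done with the table.
bool materializeWithOuterDefer(Heap& heap) {
    DeferGC outer(heap);
    {
        GCSafeConcurrentJITLocker locker(heap);
        heap.propertyTableLive = true;
        heap.collectIfNecessary();
    }
    return heap.propertyTableLive;  // true: collection waits for `outer`
}
}  // namespace gcguard
```

        Declaring the DeferGC before the lock_guard is the whole trick: C++ destroys members in reverse
        declaration order, so the lock is released before the deferred collection runs. The outer DeferGC
        in materializeWithOuterDefer is the same fix the entry applies to Structure: the caller, not the
        locker, decides when a collection may happen.
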
3087 2013-10-16  Daniel Bates  <dabates@apple.com>
3088
3089         Add SPI to disable the garbage collector timer
3090         https://bugs.webkit.org/show_bug.cgi?id=122921
3091
3092         Reviewed by Geoffrey Garen.
3093
3094         Based on a patch by Mark Hahnenberg.
3095
3096         * API/JSBase.cpp:
3097         (JSDisableGCTimer): Added; SPI function.
3098         * API/JSBasePrivate.h:
3099         * heap/BlockAllocator.cpp:
3100         (JSC::createBlockFreeingThread): Added.
3101         (JSC::BlockAllocator::BlockAllocator): Modified to use JSC::createBlockFreeingThread()
3102         to conditionally create the "block freeing" thread depending on the value of
3103         GCActivityCallback::s_shouldCreateGCTimer.
3104         (JSC::BlockAllocator::~BlockAllocator):
3105         * heap/BlockAllocator.h:
3106         (JSC::BlockAllocator::deallocate):
3107         * heap/Heap.cpp:
3108         (JSC::Heap::didAbandon):
3109         (JSC::Heap::collect):
3110         (JSC::Heap::didAllocate):
3111         * heap/HeapTimer.cpp:
3112         (JSC::HeapTimer::timerDidFire):
3113         * runtime/GCActivityCallback.cpp:
3114         * runtime/GCActivityCallback.h:
3115         (JSC::DefaultGCActivityCallback::create): Only instantiate a DefaultGCActivityCallback object
3116         when GCActivityCallback::s_shouldCreateGCTimer is true so as to prevent allocating a HeapTimer
3117         object (since DefaultGCActivityCallback ultimately extends HeapTimer).
3118
3119 2013-10-16  Commit Queue  <commit-queue@webkit.org>
3120
3121         Unreviewed, rolling out r157529.
3122         http://trac.webkit.org/changeset/157529
3123         https://bugs.webkit.org/show_bug.cgi?id=122919
3124
3125         Caused score test failures and some build failures. (Requested
3126         by rfong on #webkit).
3127
3128         * bytecompiler/BytecodeGenerator.cpp:
3129         (JSC::BytecodeGenerator::emitNewArray):
3130         (JSC::BytecodeGenerator::emitCall):
3131         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
3132         * bytecompiler/BytecodeGenerator.h:
3133         * bytecompiler/NodesCodegen.cpp:
3134         (JSC::ArrayNode::emitBytecode):
3135         (JSC::CallArguments::CallArguments):
3136         (JSC::ForOfNode::emitBytecode):
3137         (JSC::BindingNode::collectBoundIdentifiers):
3138         * parser/ASTBuilder.h:
3139         * parser/Lexer.cpp:
3140         (JSC::::lex):
3141         * parser/NodeConstructors.h:
3142         (JSC::DotAccessorNode::DotAccessorNode):
3143         * parser/Nodes.h:
3144         * parser/Parser.cpp:
3145         (JSC::::parseArrayLiteral):
3146         (JSC::::parseArguments):
3147         (JSC::::parseMemberExpression):
3148         * parser/Parser.h:
3149         (JSC::Parser::getTokenName):
3150         (JSC::Parser::updateErrorMessageSpecialCase):
3151         * parser/ParserTokens.h:
3152         * parser/SyntaxChecker.h:
3153
3154 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
3155
3156         Remove useless architecture specific implementation in DFG.
3157         https://bugs.webkit.org/show_bug.cgi?id=122917.
3158
3159         Reviewed by Michael Saboff.
3160
3161         With CPU(ARM) && CPU(ARM_HARDFP) architecture, the fallback implementation is fine
3162         as FPRInfo::argumentFPR0 == FPRInfo::returnValueFPR in this case.
3163
3164         * dfg/DFGSpeculativeJIT.h:
3165
3166 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
3167
3168         Remove unused JIT::restoreArgumentReferenceForTrampoline function.
3169         https://bugs.webkit.org/show_bug.cgi?id=122916.
3170
3171         Reviewed by Michael Saboff.
3172
3173         This architecture specific function is not used anymore, so get rid of it.
3174
3175         * jit/JIT.h:
3176         * jit/JITInlines.h:
3177
3178 2013-10-16  Oliver Hunt  <oliver@apple.com>
3179
3180         Implement ES6 spread operator
3181         https://bugs.webkit.org/show_bug.cgi?id=122911
3182
3183         Reviewed by Michael Saboff.
3184
3185         Implement the ES6 spread operator
3186
3187         This has a little bit of refactoring to move the enumeration logic out of ForOfNode
3188         and into BytecodeGenerator, and then adds the logic to make it nicely callback
3189         driven.
3190
3191         The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
3192         and actually handling the spread.
3193
3194         * bytecompiler/BytecodeGenerator.cpp:
3195         (JSC::BytecodeGenerator::emitNewArray):
3196         (JSC::BytecodeGenerator::emitCall):
3197         (JSC::BytecodeGenerator::emitEnumeration):
3198         * bytecompiler/BytecodeGenerator.h:
3199         * bytecompiler/NodesCodegen.cpp:
3200         (JSC::ArrayNode::emitBytecode):
3201         (JSC::ForOfNode::emitBytecode):
3202         (JSC::SpreadExpressionNode::emitBytecode):
3203         * parser/ASTBuilder.h:
3204         (JSC::ASTBuilder::createSpreadExpression):
3205         * parser/Lexer.cpp:
3206         (JSC::::lex):
3207         * parser/NodeConstructors.h:
3208         (JSC::SpreadExpressionNode::SpreadExpressionNode):
3209         * parser/Nodes.h:
3210         (JSC::ExpressionNode::isSpreadExpression):
3211         (JSC::SpreadExpressionNode::expression):
3212         * parser/Parser.cpp:
3213         (JSC::::parseArrayLiteral):
3214         (JSC::::parseArguments):
3215         (JSC::::parseMemberExpression):
3216         * parser/Parser.h:
3217         (JSC::Parser::getTokenName):
3218         (JSC::Parser::updateErrorMessageSpecialCase):
3219         * parser/ParserTokens.h:
3220         * parser/SyntaxChecker.h:
3221         (JSC::SyntaxChecker::createSpreadExpression):
3222
3223 2013-10-16  Mark Lam  <mark.lam@apple.com>
3224
3225         Transition void cti_op_tear_off* methods to JIT operations for 32 bit.
3226         https://bugs.webkit.org/show_bug.cgi?id=122899.
3227
3228         Reviewed by Michael Saboff.
3229
3230         * jit/JITOpcodes32_64.cpp:
3231         (JSC::JIT::emit_op_tear_off_activation):
3232         (JSC::JIT::emit_op_tear_off_arguments):
3233         * jit/JITStubs.cpp:
3234         * jit/JITStubs.h:
3235
3236 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
3237
3238         Remove more of the UNINTERRUPTED_SEQUENCE thing
3239         https://bugs.webkit.org/show_bug.cgi?id=122885
3240
3241         Reviewed by Andreas Kling.
3242
3243         It was not completely removed by r157481, leading to a build failure for the sh4 architecture.
3244
3245         * jit/JIT.h:
3246         * jit/JITInlines.h:
3247
3248 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
3249
3250         Get rid of the StructureStubInfo::patch union
3251         https://bugs.webkit.org/show_bug.cgi?id=122877
3252
3253         Reviewed by Sam Weinig.
3254         
3255         Just simplifying code by getting rid of data structures that ain't used no more.
3256         
3257         Note that I replace the patch union with a patch struct. This means we say things like
3258         stubInfo.patch.valueGPR instead of stubInfo.valueGPR. I think that this extra
3259         encapsulation makes the code more readable: the patch struct contains just those things
3260         that you need to know to perform patching.
3261
3262         * bytecode/StructureStubInfo.h:
3263         * dfg/DFGJITCompiler.cpp:
3264         (JSC::DFG::JITCompiler::link):
3265         * jit/JIT.cpp:
3266         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
3267         * jit/Repatch.cpp:
3268         (JSC::repatchByIdSelfAccess):
3269         (JSC::replaceWithJump):
3270         (JSC::linkRestoreScratch):
3271         (JSC::generateProtoChainAccessStub):
3272         (JSC::tryCacheGetByID):
3273         (JSC::getPolymorphicStructureList):
3274         (JSC::patchJumpToGetByIdStub):
3275         (JSC::tryBuildGetByIDList):
3276         (JSC::emitPutReplaceStub):
3277         (JSC::emitPutTransitionStub):
3278         (JSC::tryCachePutByID):
3279         (JSC::tryBuildPutByIdList):
3280         (JSC::tryRepatchIn):
3281         (JSC::resetGetByID):
3282         (JSC::resetPutByID):
3283         (JSC::resetIn):
3284
3285 2013-10-15  Nadav Rotem  <nrotem@apple.com>
3286
3287         FTL: add support for Int52ToValue and fix putByVal of int52s.
3288         https://bugs.webkit.org/show_bug.cgi?id=122873
3289
3290         Reviewed by Filip Pizlo.
3291
3292         * ftl/FTLCapabilities.cpp:
3293         (JSC::FTL::canCompile):
3294         * ftl/FTLLowerDFGToLLVM.cpp:
3295         (JSC::FTL::LowerDFGToLLVM::compileNode):
3296         (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue):
3297         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
3298
3299 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
3300
3301         Get rid of the UNINTERRUPTED_SEQUENCE thing
3302         https://bugs.webkit.org/show_bug.cgi?id=122876
3303
3304         Reviewed by Mark Hahnenberg.
3305         
3306         It doesn't make sense anymore. We now use the DFG's IC logic, which never needed that.
3307         
3308         Moreover, we should resist the temptation to bring anything like this back. We don't
3309         want to have inline caches that only work if the assembler lays out code in a specific
3310         predetermined way.
3311
3312         * jit/JIT.h:
3313         * jit/JITCall.cpp:
3314         (JSC::JIT::compileOpCall):
3315         * jit/JITCall32_64.cpp:
3316         (JSC::JIT::compileOpCall):
3317
3318 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
3319
3320         Baseline JIT should use the DFG GetById IC
3321         https://bugs.webkit.org/show_bug.cgi?id=122861
3322
3323         Reviewed by Oliver Hunt.
3324         
3325         This mostly just kills a ton of code.
3326         
3327         Note that this doesn't yet do all of the simplifications that can be done, but it does
3328         kill dead code. I'll have another change to simplify StructureStubInfo's unions and such.
3329
3330         * bytecode/CodeBlock.cpp:
3331         (JSC::CodeBlock::resetStubInternal):
3332         * jit/JIT.cpp:
3333         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
3334         * jit/JIT.h:
3335         (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
3336         * jit/JITInlines.h:
3337         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
3338         (JSC::JIT::callOperation):
3339         * jit/JITPropertyAccess.cpp:
3340         (JSC::JIT::compileGetByIdHotPath):
3341         (JSC::JIT::emitSlow_op_get_by_id):
3342         (JSC::JIT::emitSlow_op_get_from_scope):
3343         * jit/JITPropertyAccess32_64.cpp:
3344         (JSC::JIT::compileGetByIdHotPath):
3345         (JSC::JIT::emitSlow_op_get_by_id):
3346         (JSC::JIT::emitSlow_op_get_from_scope):
3347         * jit/JITStubs.cpp:
3348         * jit/JITStubs.h:
3349         * jit/Repatch.cpp:
3350         (JSC::repatchGetByID):
3351         (JSC::buildGetByIDList):
3352         * jit/ThunkGenerators.cpp:
3353         * jit/ThunkGenerators.h:
3354
3355 2013-10-15  Dean Jackson  <dino@apple.com>
3356
3357         Add ENABLE_WEB_ANIMATIONS flag
3358         https://bugs.webkit.org/show_bug.cgi?id=122871
3359
3360         Reviewed by Tim Horton.
3361
3362         Eventually might be http://dev.w3.org/fxtf/web-animations/
3363         but this is just engine-internal work at the moment.
3364
3365         * Configurations/FeatureDefines.xcconfig:
3366
3367 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
3368
3369         [sh4] Some calls don't match sh4 ABI.
3370         https://bugs.webkit.org/show_bug.cgi?id=122863
3371
3372         Reviewed by Michael Saboff.
3373
3374         * dfg/DFGSpeculativeJIT.h:
3375         (JSC::DFG::SpeculativeJIT::callOperation):
3376         * jit/CCallHelpers.h:
3377         (JSC::CCallHelpers::setupArgumentsWithExecState):
3378         * jit/JITInlines.h:
3379         (JSC::JIT::callOperation):
3380
3381 2013-10-15  Daniel Bates  <dabates@apple.com>
3382
3383         [iOS] Upstream JavaScriptCore support for ARM64
3384         https://bugs.webkit.org/show_bug.cgi?id=122762
3385
3386         Reviewed by Oliver Hunt and Filip Pizlo.
3387
3388         * Configurations/Base.xcconfig:
3389         * Configurations/DebugRelease.xcconfig:
3390         * Configurations/JavaScriptCore.xcconfig:
3391         * Configurations/ToolExecutable.xcconfig:
3392         * JavaScriptCore.xcodeproj/project.pbxproj:
3393         * assembler/ARM64Assembler.h: Added.
3394         * assembler/AbstractMacroAssembler.h:
3395         (JSC::isARM64):
3396         (JSC::AbstractMacroAssembler::Label::Label):
3397         (JSC::AbstractMacroAssembler::Jump::Jump):
3398         (JSC::AbstractMacroAssembler::Jump::link):
3399         (JSC::AbstractMacroAssembler::Jump::linkTo):
3400         (JSC::AbstractMacroAssembler::CachedTempRegister::CachedTempRegister):
3401         (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDInvalidate):
3402         (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDNoInvalidate):
3403         (JSC::AbstractMacroAssembler::CachedTempRegister::value):
3404         (JSC::AbstractMacroAssembler::CachedTempRegister::setValue):
3405         (JSC::AbstractMacroAssembler::CachedTempRegister::invalidate):
3406         (JSC::AbstractMacroAssembler::invalidateAllTempRegisters):
3407         (JSC::AbstractMacroAssembler::isTempRegisterValid):
3408         (JSC::AbstractMacroAssembler::clearTempRegisterValid):
3409         (JSC::AbstractMacroAssembler::setTempRegisterValid):
3410         * assembler/LinkBuffer.cpp:
3411         (JSC::LinkBuffer::copyCompactAndLinkCode):
3412         (JSC::LinkBuffer::linkCode):
3413         * assembler/LinkBuffer.h:
3414         * assembler/MacroAssembler.h:
3415         (JSC::MacroAssembler::isPtrAlignedAddressOffset):
3416         (JSC::MacroAssembler::pushToSave):
3417         (JSC::MacroAssembler::popToRestore):
3418         (JSC::MacroAssembler::patchableBranchTest32):
3419         * assembler/MacroAssemblerARM64.h: Added.
3420         * assembler/MacroAssemblerARMv7.h:
3421         * dfg/DFGFixupPhase.cpp:
3422         (JSC::DFG::FixupPhase::fixupNode):
3423         * dfg/DFGOSRExitCompiler32_64.cpp:
3424         (JSC::DFG::OSRExitCompiler::compileExit):
3425         * dfg/DFGOSRExitCompiler64.cpp:
3426         (JSC::DFG::OSRExitCompiler::compileExit):
3427         * dfg/DFGSpeculativeJIT.cpp:
3428         (JSC::DFG::SpeculativeJIT::compileArithDiv):
3429         (JSC::DFG::SpeculativeJIT::compileArithMod):
3430         * disassembler/ARM64/A64DOpcode.cpp: Added.
3431         * disassembler/ARM64/A64DOpcode.h: Added.
3432         * disassembler/ARM64Disassembler.cpp: Added.
3433         * heap/MachineStackMarker.cpp:
3434         (JSC::getPlatformThreadRegisters):
3435         (JSC::otherThreadStackPointer):
3436         * heap/Region.h:
3437         * jit/AssemblyHelpers.h:
3438         (JSC::AssemblyHelpers::debugCall):
3439         * jit/CCallHelpers.h:
3440         * jit/ExecutableAllocator.h:
3441         * jit/FPRInfo.h:
3442         (JSC::FPRInfo::toRegister):
3443         (JSC::FPRInfo::toIndex):
3444         (JSC::FPRInfo::debugName):
3445         * jit/GPRInfo.h:
3446         (JSC::GPRInfo::toRegister):
3447         (JSC::GPRInfo::toIndex):
3448         (JSC::GPRInfo::debugName):
3449         * jit/JITInlines.h:
3450         (JSC::JIT::restoreArgumentReferenceForTrampoline):
3451         * jit/JITOperationWrappers.h:
3452         * jit/JITOperations.cpp:
3453         * jit/JITStubs.cpp:
3454         (JSC::performPlatformSpecificJITAssertions):
3455         (JSC::tryCachePutByID):
3456         * jit/JITStubs.h:
3457         (JSC::JITStackFrame::returnAddressSlot):
3458         * jit/JITStubsARM64.h: Added.
3459         * jit/JSInterfaceJIT.h:
3460         * jit/Repatch.cpp:
3461         (JSC::emitRestoreScratch):
3462         (JSC::generateProtoChainAccessStub):
3463         (JSC::tryCacheGetByID):
3464         (JSC::emitPutReplaceStub):
3465         (JSC::tryCachePutByID):
3466         (JSC::tryRepatchIn):
3467         * jit/ScratchRegisterAllocator.h:
3468         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
3469         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
3470         * jit/ThunkGenerators.cpp:
3471         (JSC::nativeForGenerator):
3472         (JSC::floorThunkGenerator):
3473         (JSC::ceilThunkGenerator):
3474         * jsc.cpp:
3475         (main):
3476         * llint/LLIntOfflineAsmConfig.h:
3477         * llint/LLIntSlowPaths.cpp:
3478         (JSC::LLInt::handleHostCall):
3479         * llint/LowLevelInterpreter.asm:
3480         * llint/LowLevelInterpreter64.asm:
3481         * offlineasm/arm.rb:
3482         * offlineasm/arm64.rb: Added.
3483         * offlineasm/backends.rb:
3484         * offlineasm/instructions.rb:
3485         * offlineasm/risc.rb:
3486         * offlineasm/transform.rb:
3487         * yarr/YarrJIT.cpp:
3488         (JSC::Yarr::YarrGenerator::alignCallFrameSizeInBytes):
3489         (JSC::Yarr::YarrGenerator::initCallFrame):
3490         (JSC::Yarr::YarrGenerator::removeCallFrame):
3491         (JSC::Yarr::YarrGenerator::generateEnter):
3492         * yarr/YarrJIT.h:
3493
3494 2013-10-15  Mark Lam  <mark.lam@apple.com>
3495
3496         Fix 3 operand sub operation in C loop LLINT.
3497         https://bugs.webkit.org/show_bug.cgi?id=122866.
3498
3499         Reviewed by Geoffrey Garen.
3500
3501         * offlineasm/cloop.rb:
3502
3503 2013-10-15  Mark Hahnenberg  <mhahnenberg@apple.com>
3504
3505         ObjCCallbackFunctionImpl shouldn't store a JSContext
3506         https://bugs.webkit.org/show_bug.cgi?id=122531
3507
3508         Reviewed by Geoffrey Garen.
3509
3510         The m_context field in ObjCCallbackFunctionImpl is vestigial and is only incidentally correct 
3511         in the common case. It's also no longer necessary in that we can look up the current JSContext 
3512         by using the globalObject of the callee when the function callback is invoked.
3513  
3514         Also added a new test that would cause us to crash previously. The test required making 
3515         JSContextGetGlobalContext public API so that clients can obtain a JSContext from the JSContextRef
3516         in C API callbacks.
3517
3518         * API/JSContextRef.h:
3519         * API/JSContextRefPrivate.h:
3520         * API/ObjCCallbackFunction.mm:
3521         (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
3522         (JSC::objCCallbackFunctionCallAsFunction):
3523         (objCCallbackFunctionForInvocation):
3524         * API/WebKitAvailability.h:
3525         * API/tests/CurrentThisInsideBlockGetterTest.h: Added.
3526         * API/tests/CurrentThisInsideBlockGetterTest.mm: Added.
3527         (CallAsConstructor):
3528         (ConstructorFinalize):
3529         (ConstructorClass):
3530         (+[JSValue valueWithConstructorDescriptor:inContext:]):
3531         (-[JSContext valueWithConstructorDescriptor:]):
3532         (currentThisInsideBlockGetterTest):
3533         * API/tests/testapi.mm:
3534         * JavaScriptCore.xcodeproj/project.pbxproj:
3535         * debugger/Debugger.cpp: Had to add some fully qualified names to avoid conflicts with Mac OS X headers.
3536
3537 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
3538
3539         Fix build after r157457 for architectures with 4 argument registers.
3540         https://bugs.webkit.org/show_bug.cgi?id=122860
3541
3542         Reviewed by Michael Saboff.
3543
3544         * jit/CCallHelpers.h:
3545         (JSC::CCallHelpers::setupStubArguments134):
3546
3547 2013-10-14  Michael Saboff  <msaboff@apple.com>
3548
3549         transition void cti_op_* methods to JIT operations.
3550         https://bugs.webkit.org/show_bug.cgi?id=122617
3551
3552         Reviewed by Geoffrey Garen.
3553
3554         Converted the following stubs to JIT operations:
3555             cti_handle_watchdog_timer
3556             cti_op_debug
3557             cti_op_pop_scope
3558             cti_op_profile_did_call
3559             cti_op_profile_will_call
3560             cti_op_put_by_index
3561             cti_op_put_getter_setter
3562             cti_op_tear_off_activation
3563             cti_op_tear_off_arguments
3564             cti_op_throw_static_error
3565             cti_optimize
3566
3567         * dfg/DFGOperations.cpp:
3568         * dfg/DFGOperations.h:
3569         * jit/CCallHelpers.h:
3570         (JSC::CCallHelpers::setupArgumentsWithExecState):
3571         (JSC::CCallHelpers::setupThreeStubArgsGPR):
3572         (JSC::CCallHelpers::setupStubArguments):
3573         (JSC::CCallHelpers::setupStubArguments134):
3574         * jit/JIT.cpp:
3575         (JSC::JIT::emitEnterOptimizationCheck):
3576         * jit/JIT.h:
3577         * jit/JITInlines.h:
3578         (JSC::JIT::callOperation):
3579         * jit/JITOpcodes.cpp:
3580         (JSC::JIT::emit_op_tear_off_activation):
3581         (JSC::JIT::emit_op_tear_off_arguments):
3582         (JSC::JIT::emit_op_push_with_scope):
3583         (JSC::JIT::emit_op_pop_scope):
3584         (JSC::JIT::emit_op_push_name_scope):
3585         (JSC::JIT::emit_op_throw_static_error):
3586         (JSC::JIT::emit_op_debug):
3587         (JSC::JIT::emit_op_profile_will_call):
3588         (JSC::JIT::emit_op_profile_did_call):
3589         (JSC::JIT::emitSlow_op_loop_hint):
3590         * jit/JITOpcodes32_64.cpp:
3591         (JSC::JIT::emit_op_push_with_scope):
3592         (JSC::JIT::emit_op_pop_scope):
3593         (JSC::JIT::emit_op_push_name_scope):
3594         (JSC::JIT::emit_op_throw_static_error):
3595         (JSC::JIT::emit_op_debug):
3596         (JSC::JIT::emit_op_profile_will_call):
3597         (JSC::JIT::emit_op_profile_did_call):
3598         * jit/JITOperations.cpp:
3599         * jit/JITOperations.h:
3600         * jit/JITPropertyAccess.cpp:
3601         (JSC::JIT::emit_op_put_by_index):
3602         (JSC::JIT::emit_op_put_getter_setter):
3603         * jit/JITPropertyAccess32_64.cpp:
3604         (JSC::JIT::emit_op_put_by_index):
3605         (JSC::JIT::emit_op_put_getter_setter):
3606         * jit/JITStubs.cpp:
3607         * jit/JITStubs.h:
3608
3609 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
3610
3611         [sh4] Introduce const pools in LLINT.
3612         https://bugs.webkit.org/show_bug.cgi?id=122746
3613
3614         Reviewed by Michael Saboff.
3615
3616         In the current implementation of LLINT for sh4, immediate values outside the range -128..127 are
3617         loaded this way:
3618
3619             mov.l .label, rx
3620             bra out
3621             nop
3622             .balign 4
3623             .label: .long immvalue
3624             out:
3625
3626         This change introduces const pools for sh4 implementation to avoid lots of useless branches
3627         and reduce code size. It also removes lines of dirty code, like jmpf and callf.
3628
3629         * offlineasm/instructions.rb: Remove jmpf and callf sh4 specific instructions.
3630         * offlineasm/sh4.rb:
3631
3632 2013-10-15  Mark Lam  <mark.lam@apple.com>
3633
3634         Fix broken C Loop LLINT build.
3635         https://bugs.webkit.org/show_bug.cgi?id=122839.
3636
3637         Reviewed by Michael Saboff.
3638
3639         * dfg/DFGFlushedAt.cpp:
3640         * jit/JITOperations.h:
3641
3642 2013-10-14  Mark Lam  <mark.lam@apple.com>
3643
3644         Transition *switch* and *scope* JITStubs to JIT operations.
3645         https://bugs.webkit.org/show_bug.cgi?id=122757.
3646
3647         Reviewed by Geoffrey Garen.
3648
3649         Transitioning:
3650             cti_op_switch_char
3651             cti_op_switch_imm
3652             cti_op_switch_string
3653             cti_op_resolve_scope
3654             cti_op_get_from_scope
3655             cti_op_put_to_scope
3656
3657         * jit/JIT.h:
3658         * jit/JITInlines.h:
3659         (JSC::JIT::callOperation):
3660         * jit/JITOpcodes.cpp:
3661         (JSC::JIT::emit_op_switch_imm):
3662         (JSC::JIT::emit_op_switch_char):
3663         (JSC::JIT::emit_op_switch_string):
3664         * jit/JITOpcodes32_64.cpp:
3665         (JSC::JIT::emit_op_switch_imm):
3666         (JSC::JIT::emit_op_switch_char):
3667         (JSC::JIT::emit_op_switch_string):
3668         * jit/JITOperations.cpp:
3669         * jit/JITOperations.h:
3670         * jit/JITPropertyAccess.cpp:
3671         (JSC::JIT::emitSlow_op_resolve_scope):
3672         (JSC::JIT::emitSlow_op_get_from_scope):
3673         (JSC::JIT::emitSlow_op_put_to_scope):
3674         * jit/JITPropertyAccess32_64.cpp:
3675         (JSC::JIT::emitSlow_op_resolve_scope):
3676         (JSC::JIT::emitSlow_op_get_from_scope):
3677         (JSC::JIT::emitSlow_op_put_to_scope):
3678         * jit/JITStubs.cpp:
3679         * jit/JITStubs.h:
3680
3681 2013-10-14  Filip Pizlo  <fpizlo@apple.com>
3682
3683         DFG PutById IC should use the ConcurrentJITLocker since it's now dealing with IC's that get read by the compiler thread
3684         https://bugs.webkit.org/show_bug.cgi?id=122786
3685
3686         Reviewed by Mark Hahnenberg.
3687
3688         * bytecode/CodeBlock.cpp:
3689         (JSC::CodeBlock::resetStub): Resetting a stub should acquire the lock since this is observable from the thread; but we should only acquire the lock if we're resetting outside of GC.
3690         * jit/Repatch.cpp:
3691         (JSC::repatchPutByID): Doing the PutById patching should hold the lock.
3692         (JSC::buildPutByIdList): Ditto.
3693
3694 2013-10-14  Nadav Rotem  <nrotem@apple.com>
3695
3696         Add FTL support for LogicalNot(string)
3697         https://bugs.webkit.org/show_bug.cgi?id=122765
3698
3699         Reviewed by Filip Pizlo.
3700
3701         This patch is tested by:
3702         regress/script-tests/emscripten-cube2hash.js.ftl-eager
3703
3704         * ftl/FTLCapabilities.cpp:
3705         (JSC::FTL::canCompile):
3706         * ftl/FTLLowerDFGToLLVM.cpp:
3707         (JSC::FTL::LowerDFGToLLVM::compileLogicalNot):
3708
3709 2013-10-14  Julien Brianceau  <jbriance@cisco.com>
3710
3711         [sh4] Fixes after r157404 and r157411.
3712         https://bugs.webkit.org/show_bug.cgi?id=122782
3713
3714         Reviewed by Michael Saboff.
3715
3716         * dfg/DFGSpeculativeJIT.h:
3717         (JSC::DFG::SpeculativeJIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG.
3718         * jit/CCallHelpers.h:
3719         (JSC::CCallHelpers::setupArgumentsWithExecState):
3720         * jit/JITInlines.h:
3721         (JSC::JIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG.
3722         * jit/JITPropertyAccess32_64.cpp:
3723         (JSC::JIT::emit_op_put_by_id): Remove unwanted BEGIN_UNINTERRUPTED_SEQUENCE.
3724
3725 2013-10-14  Commit Queue  <commit-queue@webkit.org>
3726
3727         Unreviewed, rolling out r157413.
3728         http://trac.webkit.org/changeset/157413
3729         https://bugs.webkit.org/show_bug.cgi?id=122779
3730
3731         Appears to have caused frequent crashes (Requested by ap on
3732         #webkit).
3733
3734         * CMakeLists.txt:
3735         * GNUmakefile.list.am:
3736         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3737         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3738         * JavaScriptCore.xcodeproj/project.pbxproj:
3739         * heap/DeferGC.cpp: Removed.
3740         * heap/DeferGC.h:
3741         * jit/JITStubs.cpp:
3742         (JSC::tryCacheGetByID):
3743         (JSC::DEFINE_STUB_FUNCTION):
3744         * llint/LLIntSlowPaths.cpp:
3745         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3746         * runtime/ConcurrentJITLock.h:
3747         * runtime/InitializeThreading.cpp:
3748         (JSC::initializeThreadingOnce):
3749         * runtime/JSCellInlines.h:
3750         (JSC::allocateCell):
3751         * runtime/Structure.cpp:
3752         (JSC::Structure::materializePropertyMap):
3753         (JSC::Structure::putSpecificValue):
3754         (JSC::Structure::createPropertyMap):
3755         * runtime/Structure.h:
3756
3757 2013-10-14  Mark Hahnenberg  <mhahnenberg@apple.com>
3758
3759         COLLECT_ON_EVERY_ALLOCATION causes assertion failures
3760         https://bugs.webkit.org/show_bug.cgi?id=122652
3761
3762         Reviewed by Filip Pizlo.
3763
3764         COLLECT_ON_EVERY_ALLOCATION wasn't accounting for the new GC deferral mechanism,
3765         so we would end up ASSERTing during garbage collection.
3766
3767         * heap/MarkedAllocator.cpp:
3768         (JSC::MarkedAllocator::allocateSlowCase):
3769
3770 2013-10-11  Oliver Hunt  <oliver@apple.com>
3771
3772         Separate out array iteration intrinsics
3773         https://bugs.webkit.org/show_bug.cgi?id=122656
3774
3775         Reviewed by Michael Saboff.
3776
3777         Separate out the intrinsics for key and values iteration
3778         of arrays.
3779
3780         This requires moving array iteration into the iterator
3781         instance, rather than the prototype, but this is essentially
3782         unobservable so we'll live with it for now.
3783
3784         * jit/ThunkGenerators.cpp:
3785         (JSC::arrayIteratorNextThunkGenerator):
3786         (JSC::arrayIteratorNextKeyThunkGenerator):
3787         (JSC::arrayIteratorNextValueThunkGenerator):
3788         * jit/ThunkGenerators.h:
3789         * runtime/ArrayIteratorPrototype.cpp:
3790         (JSC::ArrayIteratorPrototype::finishCreation):
3791         * runtime/Intrinsic.h:
3792         * runtime/JSArrayIterator.cpp:
3793         (JSC::JSArrayIterator::finishCreation):
3794         (JSC::createIteratorResult):
3795         (JSC::arrayIteratorNext):
3796         (JSC::arrayIteratorNextKey):
3797         (JSC::arrayIteratorNextValue):
3798         (JSC::arrayIteratorNextGeneric):
3799         * runtime/VM.cpp:
3800         (JSC::thunkGeneratorForIntrinsic):
3801
3802 2013-10-11  Mark Hahnenberg  <mhahnenberg@apple.com>
3803
3804         llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
3805         https://bugs.webkit.org/show_bug.cgi?id=122667
3806
3807         Reviewed by Filip Pizlo.
3808
3809         The issue this patch is attempting to fix is that there are places in our codebase
3810         where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
3811         operations that can initiate a garbage collection. Garbage collection then calls 
3812         some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
3813         always necessarily run during garbage collection). This causes a deadlock.
3814
3815         To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores 
3816         into a thread-local field that indicates that it is unsafe to perform any operation 
3817         that could trigger garbage collection on the current thread. In debug builds, 
3818         ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly 
3819         detect deadlocks.
3820
3821         This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
3822         which uses the DeferGC mechanism to prevent collections from occurring while the 
3823         lock is held.
3824
3825         * CMakeLists.txt:
3826         * GNUmakefile.list.am:
3827         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3828         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3829         * JavaScriptCore.xcodeproj/project.pbxproj:
3830         * heap/DeferGC.cpp: Added.
3831         * heap/DeferGC.h:
3832         (JSC::DisallowGC::DisallowGC):
3833         (JSC::DisallowGC::~DisallowGC):
3834         (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
3835         (JSC::DisallowGC::initialize):
3836         * jit/JITStubs.cpp:
3837         (JSC::tryCachePutByID):
3838         (JSC::tryCacheGetByID):
3839         (JSC::DEFINE_STUB_FUNCTION):
3840         * llint/LLIntSlowPaths.cpp:
3841         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3842         * runtime/ConcurrentJITLock.h:
3843         (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
3844         (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
3845         (JSC::ConcurrentJITLockerBase::unlockEarly):
3846         (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
3847         (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
3848         * runtime/InitializeThreading.cpp:
3849         (JSC::initializeThreadingOnce):
3850         * runtime/JSCellInlines.h:
3851         (JSC::allocateCell):
3852         * runtime/Structure.cpp:
3853         (JSC::Structure::materializePropertyMap):
3854         (JSC::Structure::putSpecificValue):
3855         (JSC::Structure::createPropertyMap):
3856         * runtime/Structure.h:
3857
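        The entry above describes the mechanism in prose only. The following is an added
        stand-alone model of that design, written for this page; it is not JavaScriptCore's
        code. The names DisallowGC, DeferGC, ConcurrentJITLocker and GCSafeConcurrentJITLocker
        mirror the ChangeLog, but the Heap type, the thread-local counters and every function
        body are assumptions made to show how the pattern catches and avoids the deadlock.

```cpp
#include <cstdio>
#include <mutex>

// Added illustration, not JavaScriptCore code: a simplified model of the
// DisallowGC / DeferGC / GCSafeConcurrentJITLocker pattern. Names mirror the
// ChangeLog entry; the Heap type and all bodies are assumptions.
namespace model {

thread_local unsigned g_disallowGCDepth = 0; // > 0: GC must not be triggered on this thread
thread_local unsigned g_deferGCDepth = 0;    // > 0: GC requests are queued, not run now

struct Heap {
    std::mutex concurrentJITLock;    // stands in for a CodeBlock's ConcurrentJITLock
    unsigned collectionsRun = 0;
    bool collectionPending = false;
    unsigned disallowViolations = 0; // would-be deadlocks caught by DisallowGC

    // What an allocation slow path would call. Returns true if a collection ran.
    bool collectIfNeeded()
    {
        if (g_disallowGCDepth) {
            // A debug build would ASSERT here; counting instead lets the
            // example report the would-be deadlock rather than abort.
            ++disallowViolations;
            return false;
        }
        if (g_deferGCDepth) {
            collectionPending = true; // DeferGC's destructor picks this up
            return false;
        }
        runCollection();
        return true;
    }

    // The collector takes the same lock the mutator may hold: running it
    // while the caller owns the lock is exactly the deadlock described above.
    void runCollection()
    {
        std::lock_guard<std::mutex> guard(concurrentJITLock);
        ++collectionsRun;
        collectionPending = false;
    }
};

// RAII marker: while alive, triggering GC on this thread is a bug.
struct DisallowGC {
    DisallowGC() { ++g_disallowGCDepth; }
    ~DisallowGC() { --g_disallowGCDepth; }
    static bool isGCDisallowedOnCurrentThread() { return g_disallowGCDepth > 0; }
};

// RAII deferral: collections requested while alive run when the last DeferGC dies.
struct DeferGC {
    explicit DeferGC(Heap& heap) : m_heap(heap) { ++g_deferGCDepth; }
    ~DeferGC()
    {
        if (!--g_deferGCDepth && m_heap.collectionPending)
            m_heap.collectIfNeeded();
    }
    Heap& m_heap;
};

// Plain locker: carries a DisallowGC so GC-triggering work under the lock is caught eagerly.
struct ConcurrentJITLocker {
    explicit ConcurrentJITLocker(Heap& heap) : m_guard(heap.concurrentJITLock) {}
    DisallowGC m_disallowGC;
    std::lock_guard<std::mutex> m_guard;
};

// GC-safe locker: m_deferGC is declared before m_guard, so it is destroyed after
// the lock is released and the deferred collection runs without the lock held.
struct GCSafeConcurrentJITLocker {
    explicit GCSafeConcurrentJITLocker(Heap& heap) : m_deferGC(heap), m_guard(heap.concurrentJITLock) {}
    DeferGC m_deferGC;
    std::lock_guard<std::mutex> m_guard;
};

// The bug in the entry's title: work that may GC, done under the plain locker.
unsigned violationsUnderPlainLock()
{
    Heap heap;
    ConcurrentJITLocker locker(heap);
    heap.collectIfNeeded();         // caught: GC disallowed while the lock is held
    return heap.disallowViolations; // 1
}

// The fix: the same work under the GC-safe locker; the collection runs after unlock.
unsigned collectionsUnderGCSafeLock()
{
    Heap heap;
    {
        GCSafeConcurrentJITLocker locker(heap);
        heap.collectIfNeeded();     // deferred, not run
    }
    return heap.collectionsRun;     // 1: ran once the lock was released
}

} // namespace model

int main()
{
    std::printf("violations under plain lock: %u\n", model::violationsUnderPlainLock());
    std::printf("collections under GC-safe lock: %u\n", model::collectionsUnderGCSafeLock());
    return 0;
}
```

        The member order in GCSafeConcurrentJITLocker is the point of the design: the DeferGC
        must outlive the lock guard, otherwise the postponed collection would run while the
        lock is still held and reintroduce the deadlock the DisallowGC check exists to catch.
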
3858 2013-10-14  Filip Pizlo  <fpizlo@apple.com>
3859
3860         Baseline JIT should use the DFG's PutById IC
3861         https://bugs.webkit.org/show_bug.cgi?id=122704
3862
3863         Reviewed by Mark Hahnenberg.
3864         
3865         Mostly no big deal, just removing the old Baseline JIT's put_by_id IC support and forcing
3866         that JIT to use the DFG's (i.e. JITOperations) PutById IC.
3867         
3868         The only complicated part was that the PutById operations assumed that we first did a
3869         cell speculation, which the baseline JIT obviously won't do. So I changed all of those
3870         slow paths to deal with EncodedJSValue's.
3871
3872         * bytecode/CodeBlock.cpp:
3873         (JSC::CodeBlock::resetStubInternal):
3874         * bytecode/PutByIdStatus.cpp:
3875         (JSC::PutByIdStatus::computeFor):
3876         * dfg/DFGSpeculativeJIT.h:
3877         (JSC::DFG::SpeculativeJIT::callOperation):
3878         * dfg/DFGSpeculativeJIT32_64.cpp:
3879         (JSC::DFG::SpeculativeJIT::cachedPutById):
3880         * dfg/DFGSpeculativeJIT64.cpp:
3881         (JSC::DFG::SpeculativeJIT::cachedPutById):
3882         * jit/CCallHelpers.h:
3883         (JSC::CCallHelpers::setupArgumentsWithExecState):
3884         * jit/JIT.cpp:
3885         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
3886         * jit/JIT.h:
3887         (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
3888         (JSC::PropertyStubCompilationInfo::slowCaseInfo):
3889         * jit/JITInlines.h:
3890         (JSC::JIT::callOperation):
3891         * jit/JITOperationWrappers.h:
3892         * jit/JITOperations.cpp:
3893         * jit/JITOperations.h:
3894         * jit/JITPropertyAccess.cpp:
3895         (JSC::JIT::compileGetByIdHotPath):
3896         (JSC::JIT::compileGetByIdSlowCase):
3897         (JSC::JIT::emit_op_put_by_id):
3898         (JSC::JIT::emitSlow_op_put_by_id):
3899         * jit/JITPropertyAccess32_64.cpp:
3900         (JSC::JIT::compileGetByIdSlowCase):
3901         (JSC::JIT::emit_op_put_by_id):
3902         (JSC::JIT::emitSlow_op_put_by_id):
3903         * jit/JITStubs.cpp:
3904         * jit/JITStubs.h:
3905         * jit/Repatch.cpp:
3906         (JSC::appropriateGenericPutByIdFunction):
3907         (JSC::appropriateListBuildingPutByIdFunction):
3908         (JSC::resetPutByID):
3909
3910 2013-10-13  Filip Pizlo  <fpizlo@apple.com>
3911
3912         FTL should have an inefficient but correct implementation of GetById
3913         https://bugs.webkit.org/show_bug.cgi?id=122740
3914
3915         Reviewed by Mark Hahnenberg.
3916         
3917         It took some effort to realize that the node->prediction() check in the DFG backends
3918         is completely unnecessary since the ByteCodeParser will always insert a ForceOSRExit
3919         if !prediction.
3920         
3921         But other than that this was an easy patch.
3922
3923         * dfg/DFGByteCodeParser.cpp:
3924         (JSC::DFG::ByteCodeParser::handleGetById):
3925         * dfg/DFGSpeculativeJIT32_64.cpp:
3926         (JSC::DFG::SpeculativeJIT::compile):
3927         * dfg/DFGSpeculativeJIT64.cpp:
3928         (JSC::DFG::SpeculativeJIT::compile):
3929         * ftl/FTLCapabilities.cpp:
3930         (JSC::FTL::canCompile):
3931         * ftl/FTLIntrinsicRepository.h:
3932         * ftl/FTLLowerDFGToLLVM.cpp:
3933         (JSC::FTL::LowerDFGToLLVM::compileNode):
3934         (JSC::FTL::LowerDFGToLLVM::compileGetById):
3935
3936 2013-10-13  Mark Lam  <mark.lam@apple.com>
3937
3938         Transition misc cti_op_* JITStubs to JIT operations.
3939         https://bugs.webkit.org/show_bug.cgi?id=122645.
3940
3941         Reviewed by Michael Saboff.
3942
3943         Stubs converted:
3944             cti_op_check_has_instance
3945             cti_op_create_arguments
3946             cti_op_del_by_id
3947             cti_op_instanceof
3948             cti_to_object
3949             cti_op_push_activation
3950             cti_op_get_pnames
3951             cti_op_load_varargs
3952
3953         * dfg/DFGOperations.cpp:
3954         * dfg/DFGOperations.h:
3955         * jit/CCallHelpers.h:
3956         (JSC::CCallHelpers::setupArgumentsWithExecState):
3957         * jit/JIT.h:
3958         (JSC::JIT::emitStoreCell):
3959         * jit/JITCall.cpp:
3960         (JSC::JIT::compileLoadVarargs):
3961         * jit/JITCall32_64.cpp:
3962         (JSC::JIT::compileLoadVarargs):
3963         * jit/JITInlines.h:
3964         (JSC::JIT::callOperation):
3965         * jit/JITOpcodes.cpp:
3966         (JSC::JIT::emit_op_get_pnames):
3967         (JSC::JIT::emit_op_create_activation):
3968         (JSC::JIT::emit_op_create_arguments):
3969         (JSC::JIT::emitSlow_op_check_has_instance):
3970         (JSC::JIT::emitSlow_op_instanceof):
3971         (JSC::JIT::emitSlow_op_get_argument_by_val):
3972         * jit/JITOpcodes32_64.cpp:
3973         (JSC::JIT::emitSlow_op_check_has_instance):
3974         (JSC::JIT::emitSlow_op_instanceof):
3975         (JSC::JIT::emit_op_get_pnames):
3976         (JSC::JIT::emit_op_create_activation):
3977         (JSC::JIT::emit_op_create_arguments):
3978         (JSC::JIT::emitSlow_op_get_argument_by_val):
3979         * jit/JITOperations.cpp:
3980         * jit/JITOperations.h:
3981         * jit/JITPropertyAccess.cpp:
3982         (JSC::JIT::emit_op_del_by_id):
3983         * jit/JITPropertyAccess32_64.cpp:
3984         (JSC::JIT::emit_op_del_by_id):
3985         * jit/JITStubs.cpp:
3986         * jit/JITStubs.h:
3987
3988 2013-10-13  Filip Pizlo  <fpizlo@apple.com>
3989
3990         FTL OSR exit should perform zero extension on values smaller than 64-bit
3991         https://bugs.webkit.org/show_bug.cgi?id=122688
3992
3993         Reviewed by Gavin Barraclough.
3994         
3995         In the DFG we usually make the simplistic assumption that a 32-bit value in a 64-bit
3996         register will have zeros on the high bits.  In the few cases where the high bits