[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2013-11-01  Filip Pizlo  <fpizlo@apple.com>

        FTL should use a simple optimization pipeline by default
        https://bugs.webkit.org/show_bug.cgi?id=123638

        Reviewed by Geoffrey Garen.

        20% speed-up on imagine-gaussian-blur, when combined with --ftlUsesStackmaps=true.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * runtime/Options.h:

2013-11-01  Andreas Kling  <akling@apple.com>

        Neuter WTF_MAKE_FAST_ALLOCATED in GLOBAL_FASTMALLOC_NEW builds.
        <https://webkit.org/b/123639>

        JSC::ParserArenaRefCounted really needed to have the new/delete
        operators overridden, in order for JSC::ScopeNode to be able to
        choose that "operator new" out of the two it inherits.

        Reviewed by Anders Carlsson.

2013-11-01  Filip Pizlo  <fpizlo@apple.com>

        OSR exit profiling should be robust against all code being cleared
        https://bugs.webkit.org/show_bug.cgi?id=123629
        <rdar://problem/15365476>

        Reviewed by Michael Saboff.

        The problem here is two-fold:

        1) A watchpoint (i.e. ProfiledCodeBlockJettisoningWatchpoint) may be fired after we
        have cleared the CodeBlock for all or some Executables.  This means that doing
        codeBlock->baselineVersion() would either crash or return a bogus CodeBlock, since
        there wasn't a baseline code block reachable from the Executable anymore.  The
        solution is that we shouldn't be asking for the baseline code block reachable from
        the owning executable (what baselineVersion did), but instead we should be asking
        for the baseline version reachable from the code block being watchpointed (basically
        what CodeBlock::alternative() did).

        2) If dealing with inlined code, baselineCodeBlockForOriginAndBaselineCodeBlock()
        may return null, for the same reason as above - we might have cleared the baseline
        codeblock for the executable that was inlined.  The solution is to just not do
        profiling if there isn't a baseline code block anymore.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::baselineAlternative):
        (JSC::CodeBlock::baselineVersion):
        (JSC::CodeBlock::jettison):
        * bytecode/CodeBlock.h:
        * bytecode/CodeBlockJettisoningWatchpoint.cpp:
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):
        * dfg/DFGOSRExitBase.cpp:
        (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::AssemblyHelpers):
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::baselineCodeBlockFor):

2013-10-31  Oliver Hunt  <oliver@apple.com>

        JavaScript parser bug
        https://bugs.webkit.org/show_bug.cgi?id=123506

        Reviewed by Mark Lam.

        Add ParserState as an abstraction and use that to save and restore
        the parser state around nested functions (We'll need to use this in
        more places in future).  Also fix a minor error typo this testcase
        hit.

        * parser/Parser.cpp:
        (JSC::::parseFunctionInfo):
        (JSC::::parseAssignmentExpression):
        * parser/Parser.h:
        (JSC::Parser::saveState):
        (JSC::Parser::restoreState):

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        FTL Int32ToDouble should handle the forward type check case where you need a recovery
        https://bugs.webkit.org/show_bug.cgi?id=123605

        Reviewed by Mark Hahnenberg.

        If you have an Int32ToDouble that needs to do a type check and it's required to do a
        forward exit, then it needs to manually pass in a value recovery for itself in the
        OSR exit - since this is one of those forward-exiting nodes that doesn't have a
        preceding MovHint.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble):
        (JSC::FTL::LowerDFGToLLVM::forwardTypeCheck):

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        FTL should implement InvalidationPoint in terms of llvm.stackmap
        https://bugs.webkit.org/show_bug.cgi?id=113647

        Reviewed by Mark Hahnenberg.

        This is pretty straightforward now that InvalidationPoint has exactly the semantics
        that agree with llvm.stackmap.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::LowerDFGToLLVM::callStackmap):
        * ftl/FTLOSRExitCompilationInfo.h:
        (JSC::FTL::OSRExitCompilationInfo::OSRExitCompilationInfo):

2013-10-30  Oliver Hunt  <oliver@apple.com>

        Implement basic ES6 Math functions
        https://bugs.webkit.org/show_bug.cgi?id=123536

        Reviewed by Michael Saboff.

        Fairly trivial patch to implement the core ES6 Math functions.

        This doesn't implement Math.hypot as it is not a trivial function.
        I've also skipped Math.sign as I am yet to be convinced the spec
        behaviour is good.  Everything else is trivial.

        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        (JSC::mathProtoFuncACosh):
        (JSC::mathProtoFuncASinh):
        (JSC::mathProtoFuncATanh):
        (JSC::mathProtoFuncCbrt):
        (JSC::mathProtoFuncCosh):
        (JSC::mathProtoFuncExpm1):
        (JSC::mathProtoFuncFround):
        (JSC::mathProtoFuncLog1p):
        (JSC::mathProtoFuncLog10):
        (JSC::mathProtoFuncLog2):
        (JSC::mathProtoFuncSinh):
        (JSC::mathProtoFuncTanh):
        (JSC::mathProtoFuncTrunc):

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        FTL::Location::restoreInto() doesn't handle stack-related registers correctly if you're using it after pushing a new stack frame
        https://bugs.webkit.org/show_bug.cgi?id=123591

        Reviewed by Mark Hahnenberg.

        This gets us to pass more tests with ftlUsesStackmaps.

        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::restoreInto):
        * ftl/FTLLocation.h:
        * ftl/FTLThunks.cpp:
        (JSC::FTL::osrExitGenerationWithStackMapThunkGenerator):

2013-10-31  Alexey Proskuryakov  <ap@apple.com>

        Enable WebCrypto on Mac
        https://bugs.webkit.org/show_bug.cgi?id=123587

        Reviewed by Anders Carlsson.

        * Configurations/FeatureDefines.xcconfig: Do it.

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, really remove CachedTranscendentalFunction.h.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        Remove CachedTranscendentalFunction because caching math functions is an ugly idea
        https://bugs.webkit.org/show_bug.cgi?id=123574

        Reviewed by Mark Hahnenberg.

        This is performance-neutral because I also make Math.cos/sin intrinsic. This means that
        we gain the "overhead" of actually computing sin and cos but we lose the overhead of
        going through the native call thunks.

        Caching transcendental functions is a really ugly idea. It works for SunSpider because
        that benchmark makes very predictable calls into Math.sin. But I don't believe that this
        is representative of any kind of reality, and so for sensible uses of Math.sin/cos all
        that this was doing was adding more call overhead and some hashing overhead.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOperations.h:
        * runtime/CachedTranscendentalFunction.h: Removed.
        * runtime/DateInstanceCache.h:
        * runtime/Intrinsic.h:
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        (JSC::mathProtoFuncCos):
        (JSC::mathProtoFuncSin):
        * runtime/VM.h:

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Assertion failure in js/dom/global-constructors-attributes-dedicated-worker.html
        https://bugs.webkit.org/show_bug.cgi?id=123551
        <rdar://problem/15356238>

        Reviewed by Mark Hahnenberg.

        WatchpointSets have always had this "fire everything on deletion" policy because it
        seemed like a good fail-safe at the time I first implemented WatchpointSets. But
        it's actually causing bugs rather than providing safety:

        - Everyone who registers Watchpoints with WatchpointSets has separate mechanisms
          for either keeping the WatchpointSets alive or noticing when they are collected.
          So this wasn't actually providing any safety.

          One example of this is Structures, where:

          - CodeBlocks that register Watchpoints on Structure's WatchpointSet will also
            register weak references to the Structure, and the GC will jettison a CodeBlock
            if the Structure(s) it cares about dies.

          - StructureStubInfos that register Watchpoints on Structure's WatchpointSet will
            also be cleared by GC if the Structures die.

        - The WatchpointSet destructor would get invoked from finalization/destruction.
          This would then cause CodeBlock::jettison() to be called on a CodeBlock, but that
          method requires doing things that access heap objects. This would usually cause
          problems on VM destruction, since then the CodeBlocks would still be alive but the
          whole heap would be destroyed.

        This also ensures that CodeBlock::jettison() cannot cause a GC. This is safe since
        that method doesn't really allocate objects, and it is likely necessary because
        jettison() may be called from deep in the stack.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * bytecode/Watchpoint.cpp:
        (JSC::WatchpointSet::~WatchpointSet):
        * bytecode/Watchpoint.h:

2013-10-30  Mark Lam  <mark.lam@apple.com>

        Unreviewed, fix C Loop LLINT build.

        * bytecode/CodeBlockJettisoningWatchpoint.cpp:
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix FTL build.

        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):

2013-10-30  Alexey Proskuryakov  <ap@apple.com>

        Add a way to fulfill promises from DOM code
        https://bugs.webkit.org/show_bug.cgi?id=123466

        Reviewed by Sam Weinig.

        * JavaScriptCore.xcodeproj/project.pbxproj: Make JSPromise.h and JSPromiseResolver.h
        private headers for WebCore to use.

        * runtime/JSPromise.h:
        * runtime/JSPromiseResolver.h:
        Export functions that JSDOMPromise will use.

2013-10-30  Mark Lam  <mark.lam@apple.com>

        Adjust CallFrameHeader's ReturnPC and CallFrame locations to match the native ABI.
        https://bugs.webkit.org/show_bug.cgi?id=123444

        Reviewed by Geoffrey Garen.

        - Introduced an explicit CallerFrameAndPC struct.
        - A CallFrame is expected to start with a CallerFrameAndPC struct.
        - The Register class no longer supports CallFrame* and Instruction*.

          These hide the differences between JSVALUE32_64 and JSVALUE64 in
          terms of managing the callerFrame() and returnPC() values.

        - Convert all uses of JSStack::CallerFrame and JSStack::ReturnPC to
          go through CallFrame to access the appropriate values and offsets.
          CallFrame, in turn, will access the callerFrame and returnPC via
          the CallerFrameAndPC struct.

        - InlineCallFrame will provide offsets for its callerFrame and
          returnPC. It will make use of CallFrame::callerFrameOffset() and
          CallFrame::returnPCOffset() to compute these.

        * bytecode/CodeOrigin.h:
        (JSC::InlineCallFrame::callerFrameOffset):
        (JSC::InlineCallFrame::returnPCOffset):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::calleeFrameSlot):
        (JSC::DFG::SpeculativeJIT::calleeArgumentSlot):
        (JSC::DFG::SpeculativeJIT::calleeFrameTagSlot):
        (JSC::DFG::SpeculativeJIT::calleeFramePayloadSlot):
        (JSC::DFG::SpeculativeJIT::calleeArgumentTagSlot):
        (JSC::DFG::SpeculativeJIT::calleeArgumentPayloadSlot):
        - Prefixed all the above with callee since they apply to the callee frame.
        (JSC::DFG::SpeculativeJIT::calleeFrameCallerFrame):
        - Added to set the callerFrame pointer in the callee frame.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLink.cpp:
        (JSC::FTL::compileEntry):
        (JSC::FTL::link):
        * interpreter/CallFrame.h:
        (JSC::ExecState::callerFrame):
        (JSC::ExecState::callerFrameOffset):
        (JSC::ExecState::returnPC):
        (JSC::ExecState::hasReturnPC):
        (JSC::ExecState::clearReturnPC):
        (JSC::ExecState::returnPCOffset):
        (JSC::ExecState::setCallerFrame):
        (JSC::ExecState::setReturnPC):
        (JSC::ExecState::callerFrameAndPC):
        * interpreter/JSStack.h:
        * interpreter/Register.h:
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitPutToCallFrameHeader):
        - Convert to using storePtr() here and simplify the code.
        (JSC::AssemblyHelpers::emitGetCallerFrameFromCallFrameHeaderPtr):
        (JSC::AssemblyHelpers::emitPutCallerFrameToCallFrameHeader):
        (JSC::AssemblyHelpers::emitGetReturnPCFromCallFrameHeaderPtr):
        (JSC::AssemblyHelpers::emitPutReturnPCToCallFrameHeader):
        - Helpers to emit gets/puts of the callerFrame and returnPC.
        (JSC::AssemblyHelpers::addressForByteOffset):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompile):
        (JSC::JIT::privateCompileExceptionHandlers):
        * jit/JITCall.cpp:
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::emit_op_ret_object_or_this):
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileOpCall):
        * jit/JITInlines.h:
        (JSC::JIT::unmap):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_end):
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::emit_op_ret_object_or_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_end):
        * jit/JITOperations.cpp:
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::returnJSValue):
        (JSC::SpecializedThunkJIT::returnDouble):
        (JSC::SpecializedThunkJIT::returnInt32):
        (JSC::SpecializedThunkJIT::returnJSCell):
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::slowPathFor):
        (JSC::nativeForGenerator):

        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        - Updated offsets and asserts to match the new CallFrame layout.

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Mac.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::RegisterAllocationOffset::checkOffsets):
        (JSC::AbstractMacroAssembler::checkRegisterAllocationAgainstBranchRange):

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Windows.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Windows.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addFrequentExitSite):

2013-10-29  Filip Pizlo  <fpizlo@apple.com>

        Add InvalidationPoints to the DFG and use them for all watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=123472

        Reviewed by Mark Hahnenberg.

        This makes a fundamental change to how watchpoints work in the DFG.

        Previously, a watchpoint was an instruction whose execution semantics were something
        like:

            if (watchpoint->invalidated)
                exit

        We would implement this without any branch by using jump replacement.

        This is a very good optimization. But it's a bit awkward once you get a lot of
        watchpoints: semantically we will have lots of these branches in the code, which the
        compiler needs to reason about even though they don't actually result in any emitted
        code.

        Separately, we also had a mechanism for jettisoning a CodeBlock. This mechanism would
        be invoked if a CodeBlock exited a lot. It would ensure that a CodeBlock wouldn't be
        called into again, but it would do nothing for CodeBlocks that were already on the
        stack.

        This change flips jettisoning and watchpoint invalidation on their heads. Now, the jump
        replacement has nothing to do with watchpoints; instead it's something that happens if
        you ever jettison a CodeBlock. Jump replacement is now an all-or-nothing operation over
        all of the potential call-return safe-exit-points in a CodeBlock. We call these
        "InvalidationPoint"s. A watchpoint instruction is now "lowered" by having the DFG
        collect all of the watchpoint sets that the CodeBlock cares about, and then registering
        a CodeBlockJettisoningWatchpoint with all of them. That is, if the watchpoint fires, it
        jettisons the CodeBlock, which in turn ensures that the CodeBlock can't be called into
        (because the entrypoint now points to baseline code) and can't be returned into
        (because returning exits to baseline before the next bytecode instruction).

        This will allow for a sensible lowering of watchpoints to LLVM IR. It will also allow
        for jettison() to be used effectively for things like breakpointing and single-stepping
        in the debugger.

        Well, basically, this mechanism just takes us into the HotSpot-style world where anyone
        can, at any time and for any reason, request that an optimized CodeBlock is rendered
        immediately invalid. You can use this for many cool things, I'm sure.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * bytecode/CodeBlock.h:
        * bytecode/CodeBlockJettisoningWatchpoint.cpp: Added.
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/CodeBlockJettisoningWatchpoint.h: Added.
        (JSC::CodeBlockJettisoningWatchpoint::CodeBlockJettisoningWatchpoint):
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp: Added.
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.h: Added.
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::ProfiledCodeBlockJettisoningWatchpoint):
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGClobberize.cpp:
        (JSC::DFG::writesOverlap):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        (JSC::DFG::AbstractHeapOverlaps::AbstractHeapOverlaps):
        (JSC::DFG::AbstractHeapOverlaps::operator()):
        (JSC::DFG::AbstractHeapOverlaps::result):
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::CommonData::invalidate):
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::CommonData):
        * dfg/DFGDesiredWatchpoints.cpp:
        (JSC::DFG::DesiredWatchpoints::addLazily):
        (JSC::DFG::DesiredWatchpoints::reallyAdd):
        * dfg/DFGDesiredWatchpoints.h:
        (JSC::DFG::WatchpointForGenericWatchpointSet::WatchpointForGenericWatchpointSet):
        (JSC::DFG::GenericDesiredWatchpoints::addLazily):
        (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
        (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGInvalidationPointInjectionPhase.cpp: Added.
        (JSC::DFG::InvalidationPointInjectionPhase::InvalidationPointInjectionPhase):
        (JSC::DFG::InvalidationPointInjectionPhase::run):
        (JSC::DFG::InvalidationPointInjectionPhase::handle):
        (JSC::DFG::InvalidationPointInjectionPhase::insertInvalidationCheck):
        (JSC::DFG::performInvalidationPointInjection):
        * dfg/DFGInvalidationPointInjectionPhase.h: Added.
        * dfg/DFGJITCode.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        * dfg/DFGJumpReplacement.cpp: Added.
        (JSC::DFG::JumpReplacement::fire):
        * dfg/DFGJumpReplacement.h: Added.
        (JSC::DFG::JumpReplacement::JumpReplacement):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRExitCompilationInfo.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::reallyAdd):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::masqueradesAsUndefinedWatchpointIsStillValid):
        (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWatchpointCollectionPhase.cpp: Added.
        (JSC::DFG::WatchpointCollectionPhase::WatchpointCollectionPhase):
        (JSC::DFG::WatchpointCollectionPhase::run):
        (JSC::DFG::WatchpointCollectionPhase::handle):
        (JSC::DFG::WatchpointCollectionPhase::handleEdge):
        (JSC::DFG::WatchpointCollectionPhase::handleMasqueradesAsUndefined):
        (JSC::DFG::WatchpointCollectionPhase::handleStringGetByVal):
        (JSC::DFG::WatchpointCollectionPhase::addLazily):
        (JSC::DFG::WatchpointCollectionPhase::globalObject):
        (JSC::DFG::performWatchpointCollection):
        * dfg/DFGWatchpointCollectionPhase.h: Added.
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileStructureTransitionWatchpoint):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::compileGlobalVarWatchpoint):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
        (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
        * jit/JITOperations.cpp:
        * jit/JumpReplacementWatchpoint.cpp: Removed.
        * jit/JumpReplacementWatchpoint.h: Removed.

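Editor's illustration (not WebKit/JSC code, added here for readers of the ChangeLog): a toy model of the scheme described in the 2013-10-29 "Add InvalidationPoints" entry above and in the 2013-10-30 "Assertion failure" entry further up. It shows a compiled block registering a jettisoning watchpoint with every WatchpointSet it depends on, a fired set jettisoning the block so that both the entry point and its invalidation points fall back to baseline, and a WatchpointSet whose destruction deliberately does not fire. The class names mirror the ChangeLog's vocabulary, but their members, the `Tier` enum, the `watch()` helper and the three scenario functions are assumptions of this example, not the real JSC API.

```cpp
#include <cstdio>
#include <memory>
#include <utility>
#include <vector>

// Toy model of watchpoint-driven jettisoning; not JSC code.

struct Watchpoint {
    virtual ~Watchpoint() = default;
    virtual void fire() = 0;
};

class WatchpointSet {
public:
    // Destruction is not a firing event: registrants track the liveness of
    // the watched object themselves (the 2013-10-30 fix).
    ~WatchpointSet() = default;

    void add(Watchpoint* watchpoint) { m_watchpoints.push_back(watchpoint); }
    bool isStillValid() const { return !m_invalidated; }

    // The assumption stopped holding: notify everyone who compiled against it.
    void fireAll() {
        m_invalidated = true;
        std::vector<Watchpoint*> pending;
        pending.swap(m_watchpoints);
        for (Watchpoint* watchpoint : pending)
            watchpoint->fire();
    }

private:
    bool m_invalidated = false;
    std::vector<Watchpoint*> m_watchpoints;
};

enum class Tier { Baseline, Optimized };

class CodeBlock {
public:
    // Callers enter here; after jettison() the entry points at baseline code.
    Tier entrypoint() const { return m_jettisoned ? Tier::Baseline : Tier::Optimized; }

    // An InvalidationPoint: once jettisoned, returning into the block exits to
    // baseline before the next bytecode instruction runs.
    bool invalidationPointExits() const { return m_jettisoned; }

    // All-or-nothing: every invalidation point flips together, exactly once.
    void jettison() {
        if (m_jettisoned)
            return;
        m_jettisoned = true;
        ++m_jettisonCount;
    }
    int jettisonCount() const { return m_jettisonCount; }

private:
    bool m_jettisoned = false;
    int m_jettisonCount = 0;
};

class CodeBlockJettisoningWatchpoint final : public Watchpoint {
public:
    explicit CodeBlockJettisoningWatchpoint(CodeBlock& codeBlock) : m_codeBlock(codeBlock) {}
    void fire() override { m_codeBlock.jettison(); }
private:
    CodeBlock& m_codeBlock;
};

// "Lowering" a watchpoint at compile time (hypothetical helper): the assumption
// must still hold, and the block registers to be jettisoned if it ever breaks.
// `owner` keeps the Watchpoint alive for as long as the CodeBlock is.
bool watch(CodeBlock& codeBlock, WatchpointSet& set,
           std::vector<std::unique_ptr<Watchpoint>>& owner) {
    if (!set.isStillValid())
        return false;
    auto watchpoint = std::make_unique<CodeBlockJettisoningWatchpoint>(codeBlock);
    set.add(watchpoint.get());
    owner.push_back(std::move(watchpoint));
    return true;
}

// Scenario 1: a block depending on two sets; firing either jettisons it once.
int firedSetJettisonsOnce() {
    CodeBlock codeBlock;
    std::vector<std::unique_ptr<Watchpoint>> owner;
    WatchpointSet structureTransitions, globalVarWrites;
    watch(codeBlock, structureTransitions, owner);
    watch(codeBlock, globalVarWrites, owner);
    structureTransitions.fireAll();
    bool ok = codeBlock.entrypoint() == Tier::Baseline && codeBlock.invalidationPointExits();
    globalVarWrites.fireAll(); // a second firing is harmless
    return ok ? codeBlock.jettisonCount() : -1;
}

// Scenario 2: destroying a WatchpointSet leaves the block alive and optimized.
bool destroyedSetDoesNotJettison() {
    CodeBlock codeBlock;
    std::vector<std::unique_ptr<Watchpoint>> owner;
    {
        WatchpointSet set;
        watch(codeBlock, set, owner);
    }
    return codeBlock.entrypoint() == Tier::Optimized && codeBlock.jettisonCount() == 0;
}

// Scenario 3: compiling against an already-invalidated set is refused.
bool invalidatedSetRefusesCompile() {
    CodeBlock codeBlock;
    std::vector<std::unique_ptr<Watchpoint>> owner;
    WatchpointSet set;
    set.fireAll();
    return !watch(codeBlock, set, owner);
}

int main() {
    std::printf("jettison count after two firings: %d\n", firedSetJettisonsOnce());
    std::printf("destroyed set jettisons: %s\n", destroyedSetDoesNotJettison() ? "no" : "yes");
    std::printf("invalidated set refused: %s\n", invalidatedSetRefusesCompile() ? "yes" : "no");
    return 0;
}
```

The point the toy makes explicit is the inversion the entry describes: the per-watchpoint `if (invalidated) exit` check has disappeared, and the only thing a fired set does is call `jettison()`, which is the single all-or-nothing switch that both callers and returners observe. Scenario 2 is the failure mode the earlier entry removed: if `~WatchpointSet` fired its watchpoints, tearing down a set during VM destruction would call `jettison()` on blocks whose heap is already gone.
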
2013-10-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSExport doesn't support constructors
        https://bugs.webkit.org/show_bug.cgi?id=123380

        Reviewed by Geoffrey Garen.

        Support for constructor-style callbacks for the Objective-C API to JSC is currently limited to
        Objective-C blocks. Any clients who try to call the constructor of a JSExport-ed Objective-C class
        are met with a type error stating that it cannot be called as a constructor.

        It would be nice to expand JSExport's functionality to support this idiom. It is a natural
        extension to JSExport and would increase the expressiveness and simplicity in both Objective-C and
        JavaScript client code.

        The way we'll do this is to expand the capabilities of ObjCCallbackFunction and associated classes.
        Instead of constructing a normal C API object for the constructor, we'll instead allocate a full-blown
        ObjCCallbackFunction object which can already properly handle being invoked as a constructor.

        * API/JSWrapperMap.mm:
        (copyMethodsToObject):
        (allocateConstructorForCustomClass):
        (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
        (tryUnwrapObjcObject):
        * API/ObjCCallbackFunction.h:
        (JSC::ObjCCallbackFunction::impl):
        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
        (JSC::ObjCCallbackFunctionImpl::wrappedConstructor):
        (JSC::ObjCCallbackFunctionImpl::isConstructible):
        (JSC::ObjCCallbackFunction::getConstructData):
        (JSC::ObjCCallbackFunctionImpl::name):
        (JSC::ObjCCallbackFunctionImpl::call):
        (objCCallbackFunctionForInvocation):
        (objCCallbackFunctionForInit):
        (tryUnwrapConstructor):
        * API/tests/testapi.mm:
        (-[TextXYZ initWithString:]):
        (-[ClassA initWithA:]):
        (-[ClassB initWithA:b:]):
        (-[ClassC initWithA:]):
        (-[ClassC initWithA:b:]):

2013-10-30  peavo@outlook.com  <peavo@outlook.com>

        [Win] Compile errors when enabling DFG JIT.
        https://bugs.webkit.org/show_bug.cgi?id=120998

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added files.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
        * dfg/DFGAllocator.h: Removed scope.
        * dfg/DFGWorklist.cpp: Use new ThreadingOnce class instead of pthread_once.
        (JSC::DFG::globalWorklist):
        * heap/DeferGC.h: Link fix, member needs to be public.
        * jit/JITOperationWrappers.h: Added required assembler macros.

2013-10-30  Iago Toral Quiroga  <itoral@igalia.com>

        Add result caching for Math.cos
        https://bugs.webkit.org/show_bug.cgi?id=123255

        Reviewed by Brent Fulgham.

        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncCos):
        * runtime/VM.h:

671 2013-10-30  Alex Christensen  <achristensen@webkit.org>
672
673         Disabled JIT on Win64.
674         https://bugs.webkit.org/show_bug.cgi?id=122472
675
676         Reviewed by Geoffrey Garen.
677
678         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
679         Disabled building JITStubsMSVC64.
680
681 2013-10-29  Michael Saboff  <msaboff@apple.com>
682
683         Change local variable register allocation to start at offset -1
684         https://bugs.webkit.org/show_bug.cgi?id=123182
685
686         Reviewed by Geoffrey Garen.
687
688         Adjusted the virtual register mapping down by one slot.  Reduced
689         the CallFrame header slots offsets by one.  They now start at 0.
690         Changed arity fixup to no longer skip passed register slot 0 as this
691         is now part of the CallFrame header.
692
693         * bytecode/VirtualRegister.h:
694         (JSC::operandIsLocal):
695         (JSC::operandIsArgument):
696         (JSC::VirtualRegister::localToOperand):
697         (JSC::VirtualRegister::operandToLocal):
698           Adjusted functions for shift in mapping from local to register offset.
699
700         * dfg/DFGByteCodeParser.cpp:
701         (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
702         (JSC::DFG::ByteCodeParser::addCall):
703         (JSC::DFG::ByteCodeParser::handleInlining):
704         (JSC::DFG::ByteCodeParser::parseBlock):
705         * dfg/DFGVariableEventStream.cpp:
706         (JSC::DFG::VariableEventStream::reconstruct):
707         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
708         (JSC::DFG::VirtualRegisterAllocationPhase::run):
709         * interpreter/CallFrame.h:
710         (JSC::ExecState::frameExtent):
711         (JSC::ExecState::offsetFor):
712         * interpreter/Interpreter.cpp:
713         (JSC::loadVarargs):
714         (JSC::Interpreter::dumpRegisters):
715         (JSC::Interpreter::executeCall):
716         * llint/LLIntData.cpp:
717         (JSC::LLInt::Data::performAssertions):
718         * llint/LowLevelInterpreter.asm:
719           Adjusted math to accommodate the shift in call frame slots.
720
721         * dfg/DFGJITCompiler.cpp:
722         (JSC::DFG::JITCompiler::compileFunction):
723         * dfg/DFGSpeculativeJIT.h:
724         (JSC::DFG::SpeculativeJIT::calleeFrameOffset):
725         * interpreter/CallFrame.cpp:
726         (JSC::CallFrame::frameExtentInternal):
727         * interpreter/JSStackInlines.h:
728         (JSC::JSStack::pushFrame):
729         * jit/JIT.cpp:
730         (JSC::JIT::privateCompile):
731         * jit/JITOperations.cpp:
732         * llint/LLIntSlowPaths.cpp:
733         (JSC::LLInt::llint_slow_path_stack_check):
734         * runtime/CommonSlowPaths.h:
735         (JSC::CommonSlowPaths::arityCheckFor):
736           Fixed offset calculation to use VirtualRegister and related calculation instead of
737           doing separate calculations.
738
739         * interpreter/JSStack.h:
740           Adjusted CallFrame slots down by one.  Did some miscellaneous fixing of dumpRegisters()
741           in the process of testing the fixes.
742
743         * jit/ThunkGenerators.cpp:
744         (JSC::arityFixup):
745           Changed arity fixup to no longer skip passed register slot 0 as this
746           is now part of the CallFrame header.
747
748         * llint/LowLevelInterpreter32_64.asm:
749         * llint/LowLevelInterpreter64.asm:
750           Changed arity fixup to no longer skip passed register slot 0 as this
751           is now part of the CallFrame header.  Updated op_enter processing for
752           the change in local registers.
753
754         * runtime/JSGlobalObject.h:
755           Removed the now unneeded extra slot in the global callframe.
756
757 2013-10-29  Julien Brianceau  <jbriance@cisco.com>
758
759         [arm] Fix lots of crashes because of 4th argument register trampling.
760         https://bugs.webkit.org/show_bug.cgi?id=123421
761
762         Reviewed by Michael Saboff.
763
764         r3 register is the 4th argument register for ARM and also a scratch
765         register in the baseline JIT for this architecture. We can use r6
766         instead, as this used to be the timeoutCheckRegister and it is no
767         longer used since r148119.
768
769         * assembler/ARMAssembler.h: Temp register is now r6 instead of r3 for ARM.
770         * assembler/MacroAssemblerARMv7.h: Temp register is now r6 instead of r3 for ARMv7.
771         * jit/GPRInfo.h: Add r3 properly in GPRInfo for ARM.
772         (JSC::GPRInfo::toRegister):
773         (JSC::GPRInfo::toIndex):
774         * jit/JITStubsARM.h:
775         (JSC::ctiTrampoline): Remove obsolete timeoutCheckRegister init.
776         * jit/JITStubsARMv7.h:
777         (JSC::ctiTrampoline): Remove obsolete timeoutCheckRegister init.
778         * jit/JSInterfaceJIT.h: Remove useless stuff.
779         * yarr/YarrJIT.cpp: Use r3 and not the new scratch register r6.
780         (JSC::Yarr::YarrGenerator::generateEnter): r8 register doesn't need to be saved.
781         (JSC::Yarr::YarrGenerator::generateReturn):
782
783 2013-10-29  Julien Brianceau  <jbriance@cisco.com>
784
785         Fix CPU(ARM_TRADITIONAL) build after r157690.
786         https://bugs.webkit.org/show_bug.cgi?id=123247
787
788         Reviewed by Michael Saboff.
789
790         Since r157690, the executableCopy function has been removed from AssemblerBuffer.h
791         and the copy of executable code occurs in the linkCode function (in LinkBuffer.cpp).
792         As the constant pool for jumps is updated in the executableCopy function of ARM_TRADITIONAL,
793         this part of code still needs to be called and absolute jumps must be corrected to anticipate
794         the copy of the executable code through memcpy.
795
796         * assembler/ARMAssembler.cpp:
797         (JSC::ARMAssembler::prepareExecutableCopy): Rename executableCopy to prepareExecutableCopy
798         and correct absolute jump values using the delta between the source and destination buffers.
799         * assembler/ARMAssembler.h:
800         * assembler/LinkBuffer.cpp:
801         (JSC::LinkBuffer::linkCode): Call prepareExecutableCopy just before the memcpy.
802
803 2013-10-28  Filip Pizlo  <fpizlo@apple.com>
804
805         OSRExit::m_watchpointIndex should be in OSRExitCompilationInfo
806         https://bugs.webkit.org/show_bug.cgi?id=123423
807
808         Reviewed by Mark Hahnenberg.
809         
810         Also enable ExitKind to tell you if it's a watchpoint.
811
812         * bytecode/ExitKind.cpp:
813         (JSC::exitKindToString):
814         * bytecode/ExitKind.h:
815         (JSC::isWatchpoint):
816         * dfg/DFGByteCodeParser.cpp:
817         (JSC::DFG::ByteCodeParser::setLocal):
818         (JSC::DFG::ByteCodeParser::setArgument):
819         (JSC::DFG::ByteCodeParser::handleCall):
820         (JSC::DFG::ByteCodeParser::handleGetById):
821         (JSC::DFG::ByteCodeParser::parseBlock):
822         * dfg/DFGJITCompiler.cpp:
823         (JSC::DFG::JITCompiler::linkOSRExits):
824         (JSC::DFG::JITCompiler::link):
825         * dfg/DFGJITCompiler.h:
826         (JSC::DFG::JITCompiler::appendExitInfo):
827         * dfg/DFGOSRExit.cpp:
828         (JSC::DFG::OSRExit::OSRExit):
829         * dfg/DFGOSRExit.h:
830         * dfg/DFGOSRExitCompilationInfo.h:
831         (JSC::DFG::OSRExitCompilationInfo::OSRExitCompilationInfo):
832         * dfg/DFGOSRExitCompiler.cpp:
833         * dfg/DFGSpeculativeJIT.cpp:
834         (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
835         * dfg/DFGSpeculativeJIT32_64.cpp:
836         (JSC::DFG::SpeculativeJIT::compile):
837         * dfg/DFGSpeculativeJIT64.cpp:
838         (JSC::DFG::SpeculativeJIT::compile):
839
840 2013-10-28  Myles C. Maxfield  <mmaxfield@apple.com>
841
842         Parsing support for -webkit-text-decoration-skip: ink
843         https://bugs.webkit.org/show_bug.cgi?id=123358
844
845         Reviewed by Dean Jackson.
846
847         Adding ENABLE(CSS3_TEXT_DECORATION)
848
849         * Configurations/FeatureDefines.xcconfig:
850
851 2013-10-24  Filip Pizlo  <fpizlo@apple.com>
852
853         Get rid of InlineStart so that I don't have to implement it in FTL
854         https://bugs.webkit.org/show_bug.cgi?id=123302
855
856         Reviewed by Geoffrey Garen.
857         
858         InlineStart was a special instruction that we would insert at the top of inlined code,
859         so that the backend could capture the OSR state of arguments to an inlined call. It used
860         to be that only the backend had this information, so this instruction was sort of an ugly
861         callback from the backend for filling in some data structures.
862         
863         But in the time since when that code was written (two years ago?), we rationalized how
864         variables work. It's now the case that variables that the runtime must know about are
865         treated specially in IR (they are "flushed") and we know how we will represent them even
866         before we get to the backend. The last place that makes changes to their representation
867         is the StackLayoutPhase.
868         
869         So, this patch gets rid of InlineStart, but keeps around the special meta-data that the
870         instruction had. Instead of handling the bookkeeping in the backend, we handle it in
871         StackLayoutPhase. This means that the DFG and FTL can share code for handling this
872         bookkeeping. This also means that now the FTL can compile code blocks that had inlining.
873         
874         Of course, giving the FTL the ability to handle code blocks that had inlining means that
875         we're going to have new bugs. Sure enough, the FTL's linker didn't handle inline call
876         frames. This patch also fixes that.
877
878         * dfg/DFGAbstractInterpreterInlines.h:
879         (JSC::DFG::::executeEffects):
880         * dfg/DFGByteCodeParser.cpp:
881         (JSC::DFG::ByteCodeParser::handleInlining):
882         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
883         * dfg/DFGClobberize.h:
884         (JSC::DFG::clobberize):
885         * dfg/DFGFixupPhase.cpp:
886         (JSC::DFG::FixupPhase::fixupNode):
887         * dfg/DFGGraph.h:
888         * dfg/DFGNode.h:
889         * dfg/DFGNodeType.h:
890         * dfg/DFGPredictionPropagationPhase.cpp:
891         (JSC::DFG::PredictionPropagationPhase::propagate):
892         * dfg/DFGSafeToExecute.h:
893         (JSC::DFG::safeToExecute):
894         * dfg/DFGSpeculativeJIT.cpp:
895         * dfg/DFGSpeculativeJIT.h:
896         * dfg/DFGSpeculativeJIT32_64.cpp:
897         (JSC::DFG::SpeculativeJIT::compile):
898         * dfg/DFGSpeculativeJIT64.cpp:
899         (JSC::DFG::SpeculativeJIT::compile):
900         * dfg/DFGStackLayoutPhase.cpp:
901         (JSC::DFG::StackLayoutPhase::run):
902         * ftl/FTLLink.cpp:
903         (JSC::FTL::link):
904
905 2013-10-24  Filip Pizlo  <fpizlo@apple.com>
906
907         The GetById->GetByOffset AI-based optimization should actually do things
908         https://bugs.webkit.org/show_bug.cgi?id=123299
909
910         Reviewed by Oliver Hunt.
911         
912         20% speed-up on Octane/gbemu.
913
914         * bytecode/GetByIdStatus.cpp:
915         (JSC::GetByIdStatus::computeFor): Actually finish filling in the Status by setting the state. Previously it would remain set to NoInformation, meaning that this whole method was a no-op.
916
917 2013-10-28  Carlos Garcia Campos  <cgarcia@igalia.com>
918
919         Unreviewed. Fix make distcheck.
920
921         * GNUmakefile.list.am: Add missing files to compilation.
922
923 2013-10-25  Oliver Hunt  <oliver@apple.com>
924
925         Refactor parser rollback logic
926         https://bugs.webkit.org/show_bug.cgi?id=123372
927
928         Reviewed by Brady Eidson.
929
930         Add a sane abstraction for rollbacks in the parser.
931
932         * parser/Parser.cpp:
933         (JSC::::parseSourceElements):
934         (JSC::::parseObjectLiteral):
935         * parser/Parser.h:
936         (JSC::Parser::createSavePoint):
937         (JSC::Parser::restoreSavePoint):
938
939 2013-10-25  peavo@outlook.com  <peavo@outlook.com>
940
941         [Win] Javascript crash with DFG JIT enabled.
942         https://bugs.webkit.org/show_bug.cgi?id=121001
943
944         Reviewed by Geoffrey Garen.
945
946         On Windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0),
947         results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
948         where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
949         This causes the register to be written to address 0, hence the crash.
950   
951         * assembler/MacroAssemblerX86.h:
952         (JSC::MacroAssemblerX86::storeDouble): Assert if we try to generate code which writes to a null pointer.
953         * dfg/DFGOSRExitCompiler32_64.cpp:
954         (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
955         * dfg/DFGThunks.cpp:
956         (JSC::DFG::osrExitGenerationThunkGenerator): Ditto.
957
958 2013-10-25  Oliver Hunt  <oliver@apple.com>
959
960         Fix a number of problems with destructuring of arguments
961         https://bugs.webkit.org/show_bug.cgi?id=123357
962
963         Reviewed by Filip Pizlo.
964
965         This renames the destructuring node's emitBytecode to bindValue
966         in order to remove the existing confusion over what was happening.
967
968         We then fix an incorrect fall through in the destructuring arguments
969         logic, and fix the then exposed bug where we placed the index rather
970         than value into the bound property.
971
972         * bytecompiler/BytecodeGenerator.cpp:
973         (JSC::BytecodeGenerator::BytecodeGenerator):
974         * bytecompiler/NodesCodegen.cpp:
975         (JSC::ForInNode::emitBytecode):
976         (JSC::ForOfNode::emitBytecode):
977         (JSC::DeconstructingAssignmentNode::emitBytecode):
978         (JSC::ArrayPatternNode::bindValue):
979         (JSC::ArrayPatternNode::emitDirectBinding):
980         (JSC::ObjectPatternNode::bindValue):
981         (JSC::BindingNode::bindValue):
982         * parser/Nodes.h:
983
984 2013-10-25  Joseph Pecoraro  <pecoraro@apple.com>
985
986         Upstream ENABLE(REMOTE_INSPECTOR) and enable on iOS and Mac
987         https://bugs.webkit.org/show_bug.cgi?id=123111
988
989         Reviewed by Timothy Hatcher.
990
991         * Configurations/FeatureDefines.xcconfig:
992
993 2013-10-25  Oliver Hunt  <oliver@apple.com>
994
995         Fix MSVC again
996
997         * parser/Parser.cpp:
998
999 2013-10-25  Oliver Hunt  <oliver@apple.com>
1000
1001         Fix MSVC
1002
1003         * parser/Parser.cpp:
1004
1005 2013-10-25  Oliver Hunt  <oliver@apple.com>
1006
1007         Improve JSC Parser error messages
1008         https://bugs.webkit.org/show_bug.cgi?id=123341
1009
1010         Reviewed by Andreas Kling.
1011
1012         This patch moves away from the current kludgy mechanisms used to produce
1013         error messages and moves to something closer to case by case errors.
1014
1015         This results in a large change size as previously we may just have
1016         'failIfFalse(foo)', but now the logic becomes either
1017         'failIfFalseWithMessage(foo, "Cannot do blah with ", foo->thing())'
1018         or alternatively
1019
1020         if (!foo)
1021             check for 'interesting' errors, before falling back to generic error
1022
1023         This means that this patch is large, but produces no semantic changes, and
1024         only hits slow (e.g. error) paths.
1025
1026         * parser/Parser.cpp:
1027         (JSC::::Parser):
1028         (JSC::::parseSourceElements):
1029         (JSC::::parseVarDeclaration):
1030         (JSC::::parseConstDeclaration):
1031         (JSC::::parseDoWhileStatement):
1032         (JSC::::parseWhileStatement):
1033         (JSC::::parseVarDeclarationList):
1034         (JSC::::createBindingPattern):
1035         (JSC::::parseDeconstructionPattern):
1036         (JSC::::parseConstDeclarationList):
1037         (JSC::::parseForStatement):
1038         (JSC::::parseBreakStatement):
1039         (JSC::::parseContinueStatement):
1040         (JSC::::parseReturnStatement):
1041         (JSC::::parseThrowStatement):
1042         (JSC::::parseWithStatement):
1043         (JSC::::parseSwitchStatement):
1044         (JSC::::parseSwitchClauses):
1045         (JSC::::parseSwitchDefaultClause):
1046         (JSC::::parseTryStatement):
1047         (JSC::::parseDebuggerStatement):
1048         (JSC::::parseBlockStatement):
1049         (JSC::::parseStatement):
1050         (JSC::::parseFormalParameters):
1051         (JSC::::parseFunctionBody):
1052         (JSC::stringForFunctionMode):
1053         (JSC::::parseFunctionInfo):
1054         (JSC::::parseFunctionDeclaration):
1055         (JSC::::parseExpressionOrLabelStatement):
1056         (JSC::::parseExpressionStatement):
1057         (JSC::::parseIfStatement):
1058         (JSC::::parseExpression):
1059         (JSC::::parseAssignmentExpression):
1060         (JSC::::parseConditionalExpression):
1061         (JSC::::parseBinaryExpression):
1062         (JSC::::parseProperty):
1063         (JSC::::parseObjectLiteral):
1064         (JSC::::parseStrictObjectLiteral):
1065         (JSC::::parseArrayLiteral):
1066         (JSC::::parsePrimaryExpression):
1067         (JSC::::parseArguments):
1068         (JSC::::parseMemberExpression):
1069         (JSC::operatorString):
1070         (JSC::::parseUnaryExpression):
1071         (JSC::::printUnexpectedTokenText):
1072         * parser/Parser.h:
1073         (JSC::Scope::hasDeclaredVariable):
1074         (JSC::Scope::hasDeclaredParameter):
1075         (JSC::Parser::hasDeclaredVariable):
1076         (JSC::Parser::hasDeclaredParameter):
1077         (JSC::Parser::setErrorMessage):
1078
1079 2013-10-24  Mark Rowe  <mrowe@apple.com>
1080
1081         Remove references to OS X 10.7 from Xcode configuration settings.
1082
1083         Now that we're not building for OS X 10.7 they're no longer needed.
1084
1085         Reviewed by Anders Carlsson.
1086
1087         * Configurations/Base.xcconfig:
1088         * Configurations/DebugRelease.xcconfig:
1089         * Configurations/FeatureDefines.xcconfig:
1090         * Configurations/Version.xcconfig:
1091
1092 2013-10-24  Mark Rowe  <mrowe@apple.com>
1093
1094         <rdar://problem/15312643> Prepare for the mysterious future.
1095
1096         Reviewed by David Kilzer.
1097
1098         * Configurations/Base.xcconfig:
1099         * Configurations/DebugRelease.xcconfig:
1100         * Configurations/FeatureDefines.xcconfig:
1101         * Configurations/Version.xcconfig:
1102
1103 2013-10-24  Mark Lam  <mark.lam@apple.com>
1104
1105         Better way to fix part of broken C Loop LLINT build.
1106         https://bugs.webkit.org/show_bug.cgi?id=123271.
1107
1108         Reviewed by Geoffrey Garen.
1109
1110         Undoing offline asm hackery.
1111
1112         * llint/LowLevelInterpreter.cpp:
1113         * llint/LowLevelInterpreter32_64.asm:
1114         * llint/LowLevelInterpreter64.asm:
1115         * offlineasm/cloop.rb:
1116         * offlineasm/instructions.rb:
1117
1118 2013-10-24  Mark Lam  <mark.lam@apple.com>
1119
1120         Fix broken C Loop LLINT build.
1121         https://bugs.webkit.org/show_bug.cgi?id=123271.
1122
1123         Reviewed by Michael Saboff.
1124
1125         * bytecode/CodeBlock.cpp:
1126         (JSC::CodeBlock::printGetByIdCacheStatus): Added an UNUSED_PARAM().
1127         (JSC::CodeBlock::dumpBytecode): Added #if ENABLE(JIT) to JIT only code.
1128         * bytecode/GetByIdStatus.cpp:
1129         (JSC::GetByIdStatus::computeFor): Added an UNUSED_PARAM().
1130         * bytecode/PutByIdStatus.cpp:
1131         (JSC::PutByIdStatus::computeFor): Added an UNUSED_PARAM().
1132         * bytecode/StructureStubInfo.h:
1133         - Added a stub StubInfoMap for non-JIT builds. StubInfoMap is still used
1134           in function prototypes even when !ENABLE(JIT). Rather than adding #if's
1135           in many places, we just provide a stub/placeholder implementation that
1136           is unused but keeps the compiler happy.
1137         * jit/JITOperations.h: Added #if ENABLE(JIT).
1138         * llint/LowLevelInterpreter32_64.asm:
1139         * llint/LowLevelInterpreter64.asm:
1140         - The putByVal() macro reifies a slow path which is never taken in one case.
1141           This translates into a label that is never used in the C Loop LLINT. The
1142           C++ compiler doesn't like unused labels. So, we fix this by adding a
1143           cloopUnusedLabel offline asm instruction that synthesizes the following:
1144
1145               if (false) goto unusedLabel;
1146
1147           This keeps the C++ compiler happy without changing code behavior.
1148         * offlineasm/cloop.rb: Implementing cloopUnusedLabel.
1149         * offlineasm/instructions.rb: Declaring cloopUnusedLabel.
1150         * runtime/Executable.cpp:
1151         (JSC::setupJIT): Added UNUSED_PARAM()s.
1152         (JSC::ScriptExecutable::prepareForExecutionImpl):
1153         - run-javascriptcore-tests has phases that force the LLINT to be off,
1154           which in turn asserts that the JIT is enabled. With the C Loop LLINT,
1155           this combination is illegal. So, we override the setup code here to
1156           always use the LLINT if !ENABLE(JIT) regardless of what options are
1157           passed in.
1158
1159 2013-10-24  peavo@outlook.com  <peavo@outlook.com>
1160
1161         Uninitialized member causes crash when DFG JIT is not enabled.
1162         https://bugs.webkit.org/show_bug.cgi?id=123270
1163
1164         Reviewed by Brent Fulgham.
1165
1166         The data member sizeOfLastScratchBuffer in the VM class is only initialized if DFG JIT is enabled, even though it's defined regardless.
1167         This causes an early crash on Windows, which doesn't have DFG JIT enabled.
1168
1169         * runtime/VM.cpp:
1170         (JSC::VM::VM): Initialize sizeOfLastScratchBuffer member regardless of whether DFG JIT is enabled.
1171
1172 2013-10-24  Ryuan Choi  <ryuan.choi@samsung.com>
1173
1174         [EFL] Build break with latest EFL 1.8 libraries.
1175         https://bugs.webkit.org/show_bug.cgi?id=123245
1176
1177         Reviewed by Gyuyoung Kim.
1178
1179         After the build break on EFL 1.8 was fixed at r138326, EFL libraries changed
1180         the Eo typedef and split the header files which contain the version macro.
1181
1182         * PlatformEfl.cmake: Added EO path to include directories.
1183         * heap/HeapTimer.h: Changed Ecore_Timer typedef when EO exists.
1184
1185 2013-10-23  Filip Pizlo  <fpizlo@apple.com>
1186
1187         Put all uses of LLVM intrinsics behind a single Option
1188         https://bugs.webkit.org/show_bug.cgi?id=123219
1189
1190         Reviewed by Mark Hahnenberg.
1191
1192         * ftl/FTLExitThunkGenerator.cpp:
1193         (JSC::FTL::ExitThunkGenerator::emitThunk):
1194         * ftl/FTLLowerDFGToLLVM.cpp:
1195         (JSC::FTL::generateExitThunks):
1196         (JSC::FTL::LowerDFGToLLVM::compileGetById):
1197         (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
1198         (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
1199         * ftl/FTLOSRExitCompiler.cpp:
1200         (JSC::FTL::compileFTLOSRExit):
1201         * runtime/Options.h:
1202
1203 2013-10-23  Daniel Bates  <dabates@apple.com>
1204
1205         Fix JavaScriptCore build targets following <http://trac.webkit.org/changeset/157864>
1206         (https://bugs.webkit.org/show_bug.cgi?id=123169)
1207
1208         Tell Xcode that the supported platforms for all JavaScriptCore targets are iOS and OS X.
1209
1210         * Configurations/Base.xcconfig:
1211
1212 2013-10-23  Michael Saboff  <msaboff@apple.com>
1213
1214         LLInt arity check exception processing should start unwinding from caller
1215         https://bugs.webkit.org/show_bug.cgi?id=123209
1216
1217         Reviewed by Oliver Hunt.
1218
1219         Use the caller frame returned from slow_path_call_arityCheck to process exceptions.
1220
1221         * llint/LowLevelInterpreter32_64.asm:
1222         * llint/LowLevelInterpreter64.asm:
1223
1224 2013-10-22  Filip Pizlo  <fpizlo@apple.com>
1225
1226         FTL should be able to do some simple inline caches using LLVM patchpoints
1227         https://bugs.webkit.org/show_bug.cgi?id=123164
1228
1229         Reviewed by Mark Hahnenberg.
1230         
1231         This implements GetById inline caches in the FTL using llvm.webkit.patchpoint.
1232         
1233         The idea is that we ask LLVM for a nop slide the size of a GetById inline
1234         cache and then fill in the code after LLVM compilation is complete. For now, we
1235         just use the system calling convention for the arguments and return. We also
1236         still make some assumptions about registers that aren't correct. But, most of
1237         the scaffolding is there and this will successfully patch an inline cache.
1238
1239         * JavaScriptCore.xcodeproj/project.pbxproj:
1240         * assembler/AbstractMacroAssembler.h:
1241         * assembler/LinkBuffer.cpp:
1242         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
1243         (JSC::LinkBuffer::linkCode):
1244         (JSC::LinkBuffer::allocate):
1245         * assembler/LinkBuffer.h:
1246         (JSC::LinkBuffer::LinkBuffer):
1247         (JSC::LinkBuffer::link):
1248         * ftl/FTLAbbreviations.h:
1249         (JSC::FTL::constNull):
1250         (JSC::FTL::buildCall):
1251         * ftl/FTLCapabilities.cpp:
1252         (JSC::FTL::canCompile):
1253         * ftl/FTLCompile.cpp:
1254         (JSC::FTL::fixFunctionBasedOnStackMaps):
1255         * ftl/FTLInlineCacheDescriptor.h: Added.
1256         (JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
1257         (JSC::FTL::GetByIdDescriptor::GetByIdDescriptor):
1258         (JSC::FTL::GetByIdDescriptor::stackmapID):
1259         (JSC::FTL::GetByIdDescriptor::codeOrigin):
1260         (JSC::FTL::GetByIdDescriptor::uid):
1261         * ftl/FTLInlineCacheSize.cpp: Added.
1262         (JSC::FTL::sizeOfGetById):
1263         (JSC::FTL::sizeOfPutById):
1264         * ftl/FTLInlineCacheSize.h: Added.
1265         * ftl/FTLIntrinsicRepository.h:
1266         * ftl/FTLJITFinalizer.cpp:
1267         (JSC::FTL::JITFinalizer::finalizeFunction):
1268         * ftl/FTLJITFinalizer.h:
1269         * ftl/FTLLocation.cpp:
1270         (JSC::FTL::Location::directGPR):
1271         * ftl/FTLLocation.h:
1272         * ftl/FTLLowerDFGToLLVM.cpp:
1273         (JSC::FTL::LowerDFGToLLVM::compileGetById):
1274         * ftl/FTLOutput.h:
1275         (JSC::FTL::Output::call):
1276         * ftl/FTLSlowPathCall.cpp: Added.
1277         (JSC::FTL::callOperation):
1278         * ftl/FTLSlowPathCall.h: Added.
1279         (JSC::FTL::SlowPathCall::SlowPathCall):
1280         (JSC::FTL::SlowPathCall::call):
1281         (JSC::FTL::SlowPathCall::key):
1282         * ftl/FTLSlowPathCallKey.cpp: Added.
1283         (JSC::FTL::SlowPathCallKey::dump):
1284         * ftl/FTLSlowPathCallKey.h: Added.
1285         (JSC::FTL::SlowPathCallKey::SlowPathCallKey):
1286         (JSC::FTL::SlowPathCallKey::usedRegisters):
1287         (JSC::FTL::SlowPathCallKey::callTarget):
1288         (JSC::FTL::SlowPathCallKey::offset):
1289         (JSC::FTL::SlowPathCallKey::isEmptyValue):
1290         (JSC::FTL::SlowPathCallKey::isDeletedValue):
1291         (JSC::FTL::SlowPathCallKey::operator==):
1292         (JSC::FTL::SlowPathCallKey::hash):
1293         (JSC::FTL::SlowPathCallKeyHash::hash):
1294         (JSC::FTL::SlowPathCallKeyHash::equal):
1295         * ftl/FTLStackMaps.cpp:
1296         (JSC::FTL::StackMaps::Location::directGPR):
1297         * ftl/FTLStackMaps.h:
1298         * ftl/FTLState.h:
1299         * ftl/FTLThunks.cpp:
1300         (JSC::FTL::slowPathCallThunkGenerator):
1301         * ftl/FTLThunks.h:
1302         (JSC::FTL::Thunks::getSlowPathCallThunk):
1303         * jit/CCallHelpers.h:
1304         (JSC::CCallHelpers::setupArguments):
1305         * jit/GPRInfo.h:
1306         * jit/JITInlineCacheGenerator.cpp:
1307         (JSC::garbageStubInfo):
1308         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
1309         (JSC::JITByIdGenerator::finalize):
1310         * jit/JITInlineCacheGenerator.h:
1311         (JSC::JITByIdGenerator::slowPathBegin):
1312         * jit/RegisterSet.cpp:
1313         (JSC::RegisterSet::stackRegisters):
1314         (JSC::RegisterSet::specialRegisters):
1315         (JSC::RegisterSet::calleeSaveRegisters):
1316         (JSC::RegisterSet::allGPRs):
1317         (JSC::RegisterSet::allFPRs):
1318         (JSC::RegisterSet::allRegisters):
1319         (JSC::RegisterSet::dump):
1320         * jit/RegisterSet.h:
1321         (JSC::RegisterSet::exclude):
1322         (JSC::RegisterSet::numberOfSetRegisters):
1323         (JSC::RegisterSet::RegisterSet):
1324         (JSC::RegisterSet::isEmptyValue):
1325         (JSC::RegisterSet::isDeletedValue):
1326         (JSC::RegisterSet::operator==):
1327         (JSC::RegisterSet::hash):
1328         (JSC::RegisterSetHash::hash):
1329         (JSC::RegisterSetHash::equal):
1330         * runtime/Options.h:
1331
1332 2013-10-22  Filip Pizlo  <fpizlo@apple.com>
1333
1334         jitCompileAndSetHeuristics should DeferGCForAWhile
1335         https://bugs.webkit.org/show_bug.cgi?id=123196
1336
1337         Reviewed by Mark Hahnenberg.
1338         
1339         This fixes random crashes in V8v7/raytrace. I only see those crashes on exactly one of
1340         my machines. I don't think this is testable; we just need to steadily converge towards
1341         getting our uses of DeferGC to be right and then be careful not to regress. We're not
1342         there yet, obviously.
1343         
1344         * llint/LLIntSlowPaths.cpp:
1345         (JSC::LLInt::jitCompileAndSetHeuristics):
1346
1347 2013-10-23  Daniel Bates  <dabates@apple.com>
1348
1349         [iOS] Upstream more JavaScriptCore build configuration changes
1350         https://bugs.webkit.org/show_bug.cgi?id=123169
1351
1352         Reviewed by David Kilzer.
1353
1354         * Configurations/Base.xcconfig:
1355         * Configurations/Version.xcconfig:
1356         * Configurations/iOS.xcconfig: Added.
1357         * JavaScriptCore.xcodeproj/project.pbxproj:
1358
1359 2013-10-23  Daniel Bates  <dabates@apple.com>
1360
1361         [iOS] Export DefaultGCActivityCallback member functions
1362         https://bugs.webkit.org/show_bug.cgi?id=123175
1363
1364         Reviewed by David Kilzer.
1365
1366         * runtime/GCActivityCallback.h:
1367
1368 2013-10-23  Daniel Bates  <dabates@apple.com>
1369
1370         [iOS] Upstream more ARMv7s bits
1371         https://bugs.webkit.org/show_bug.cgi?id=123052
1372
1373         Reviewed by Joseph Pecoraro.
1374
1375         * Configurations/JavaScriptCore.xcconfig:
1376
1377 2013-10-22  Andreas Kling  <akling@apple.com>
1378
1379         Minor VM* -> VM& cleanups in HashTable and Keywords.
1380         <https://webkit.org/b/123183>
1381
1382         Turn some VM* variables that will never be null into VM&.
1383
1384         Reviewed by Geoffrey Garen.
1385
1386 2013-10-22  Geoffrey Garen  <ggaren@apple.com>
1387
1388         REGRESSION: `if (false === (true && undefined)) console.log("wrong!");` logs "wrong!", shouldn't!
1389         https://bugs.webkit.org/show_bug.cgi?id=123179
1390
1391         Reviewed by Mark Hahnenberg.
1392
1393         * parser/NodeConstructors.h:
1394         (JSC::LogicalOpNode::LogicalOpNode):
1395         * parser/ResultType.h:
1396         (JSC::ResultType::forLogicalOp): Don't assume that && produces a boolean.
1397         This is JavaScript (aka Sparta).
1398
1399 2013-10-22  Commit Queue  <commit-queue@webkit.org>
1400
1401         Unreviewed, rolling out r157819.
1402         http://trac.webkit.org/changeset/157819
1403         https://bugs.webkit.org/show_bug.cgi?id=123180
1404
1405         Broke 32-bit builds (Requested by smfr on #webkit).
1406
1407         * Configurations/JavaScriptCore.xcconfig:
1408         * Configurations/ToolExecutable.xcconfig:
1409
1410 2013-10-22  Daniel Bates  <dabates@apple.com>
1411
1412         [iOS] Upstream more ARMv7s bits
1413         https://bugs.webkit.org/show_bug.cgi?id=123052
1414
1415         Reviewed by Joseph Pecoraro.
1416
1417         * Configurations/JavaScriptCore.xcconfig:
1418         * Configurations/ToolExecutable.xcconfig: Enable CLANG_ENABLE_OBJC_ARC for i386 as I'm
1419         modifying a file in JavaScriptCore/Configurations.
1420
1421 2013-10-22  Daniel Bates  <dabates@apple.com>
1422
1423         [iOS] Upstream JSLock changes
1424         https://bugs.webkit.org/show_bug.cgi?id=123107
1425
1426         Reviewed by Geoffrey Garen.
1427
1428         * runtime/JSLock.cpp:
1429         (JSC::JSLock::unlock):
1430         (JSC::JSLock::dropAllLocks): Modified to take a SpinLock, used only on iOS.
1431         (JSC::JSLock::dropAllLocksUnconditionally): Modified to take a SpinLock, used only on iOS. Also
1432         use pre-increment instead of post-increment when we're not using the return value of the instruction.
1433         (JSC::JSLock::grabAllLocks): Modified to take a SpinLock, used only on iOS. Also change
1434         places where we were using post-increment/post-decrement to use pre-increment/pre-decrement,
1435         since we don't use the return value of such instructions.
1436         (JSC::JSLock::DropAllLocks::DropAllLocks): Modified to support releasing all locks unconditionally.
1437         Take a spin lock before releasing all locks on iOS. Also, use nullptr instead of 0.
1438         (JSC::JSLock::DropAllLocks::~DropAllLocks): Take a spin lock before acquiring all locks on iOS.
1439         * runtime/JSLock.h: Remove extraneous argument name "exec" from DropAllLocks as the data type of
1440         the argument is sufficiently descriptive of its purpose.
1441
1442 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1443
1444         [arm] Add missing setupArgumentsWithExecState() prototypes to fix build.
1445         https://bugs.webkit.org/show_bug.cgi?id=123166
1446
1447         Reviewed by Michael Saboff.
1448
1449         * jit/CCallHelpers.h:
1450         (JSC::CCallHelpers::setupArgumentsWithExecState):
1451
1452 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1453
1454         [sh4][mips][arm] Fix crashes in JSC (32-bit only).
1455         https://bugs.webkit.org/show_bug.cgi?id=123165
1456
1457         Reviewed by Michael Saboff.
1458
1459         * jit/JITInlines.h:
1460         (JSC::JIT::callOperationNoExceptionCheck): Add missing EABI_32BIT_DUMMY_ARG.
1461         (JSC::JIT::callOperation): The last TrustedImm32(arg3) is a bit overkill for SH4 :)
1462         (JSC::JIT::callOperation): Add missing EABI_32BIT_DUMMY_ARG.
1463         (JSC::JIT::callOperation): Fix tag and payload order for V_JITOperation_EJJJ prototype.
1464
1465 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1466
1467         REGRESSION(r157690, r157699) Fix architectures using AssemblerBufferWithConstantPool.
1468         https://bugs.webkit.org/show_bug.cgi?id=123092
1469
1470         Reviewed by Michael Saboff.
1471
1472         Impacted architectures are SH4 and ARM_TRADITIONAL.
1473
1474         * assembler/ARMAssembler.h:
1475         (JSC::ARMAssembler::buffer):
1476         * assembler/AssemblerBufferWithConstantPool.h:
1477         (JSC::AssemblerBufferWithConstantPool::flushConstantPool):
1478         * assembler/LinkBuffer.cpp:
1479         (JSC::LinkBuffer::linkCode):
1480         * assembler/SH4Assembler.h:
1481         (JSC::SH4Assembler::buffer):
1482
1483 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1484
1485         Remove unused stuff in JIT stubs.
1486         https://bugs.webkit.org/show_bug.cgi?id=123155
1487
1488         Reviewed by Michael Saboff.
1489
1490         * jit/JITStubs.h:
1491         * jit/JITStubsARM.h:
1492         (JSC::ctiTrampoline):
1493         * jit/JITStubsARM64.h:
1494         * jit/JITStubsARMv7.h:
1495         * jit/JITStubsMIPS.h:
1496         * jit/JITStubsSH4.h:
1497         * jit/JITStubsX86.h:
1498         * jit/JITStubsX86_64.h:
1499
1500 2013-10-22  Daniel Bates  <dabates@apple.com>
1501
1502         [iOS] Upstream OS-version-specific install paths for JavaScriptCore.framework
1503         https://bugs.webkit.org/show_bug.cgi?id=123115
1504         <rdar://problem/13696872>
1505
1506         Reviewed by Andy Estes.
1507
1508         Based on a patch by Mark Hahnenberg.
1509
1510         Add support for running JavaScriptCore-based apps, built against the iOS 7 SDK, on older versions of iOS.
1511
1512         * API/JSBase.cpp:
1513
1514 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1515
        [sh4] Add missing lastRegister(), firstFPRegister() and lastFPRegister().
1517         https://bugs.webkit.org/show_bug.cgi?id=123157
1518
1519         Reviewed by Andreas Kling.
1520
1521         * assembler/SH4Assembler.h:
1522         (JSC::SH4Assembler::lastRegister):
1523         (JSC::SH4Assembler::firstFPRegister):
1524         (JSC::SH4Assembler::lastFPRegister):
1525
1526 2013-10-22  Brian Holt  <brian.holt@samsung.com>
1527
1528         Build break on ARMv7 after r157209
1529         https://bugs.webkit.org/show_bug.cgi?id=122890
1530
        Reviewed by Csaba Osztrogonác.
1532
1533         Add framePointerRegister and first/last register helpers for ARM_TRADITIONAL.
1534
1535         * assembler/ARMAssembler.h:
1536         * assembler/MacroAssemblerARM.h:
1537         (JSC::MacroAssemblerARM::firstRegister):
1538         (JSC::MacroAssemblerARM::lastRegister):
1539         (JSC::MacroAssemblerARM::firstFPRegister):
1540         (JSC::MacroAssemblerARM::lastFPRegister):
1541
1542 2013-10-21  Daniel Bates  <dabates@apple.com>
1543
1544         [iOS] Upstream JSGlobalObject::shouldInterruptScriptBeforeTimeout()
1545         https://bugs.webkit.org/show_bug.cgi?id=123045
1546
1547         Reviewed by Joseph Pecoraro.
1548
1549         * jsc.cpp: Add function pointer for shouldInterruptScriptBeforeTimeout
1550         to global method table.
1551         * runtime/JSGlobalObject.cpp: Ditto.
1552         * runtime/JSGlobalObject.h:
1553         (JSC::JSGlobalObject::shouldInterruptScriptBeforeTimeout): Added.
1554
1555 2013-10-21  Daniel Bates  <dabates@apple.com>
1556
1557         [iOS] Upstream JSC Objective-C API compiler warning fixes
1558         https://bugs.webkit.org/show_bug.cgi?id=123125
1559
1560         Reviewed by Mark Hahnenberg.
1561
1562         Based on a patch by Mark Hahnenberg.
1563
1564         * API/JSValue.mm:
1565         (-[JSValue toPoint]): Cast to CGFloat to fix some compiler warnings about double narrowing to float.
1566         (-[JSValue toSize]): Ditto.
1567         * API/tests/testapi.mm: Changed a test that was failing due to overflow of 32-bit NSUInteger on armv7.
1568
1569 2013-10-21  Daniel Bates  <dabates@apple.com>
1570
1571         [iOS] Mark classes JS{Context, ManagedValue, Value, VirtualMachine} as
1572         available since iOS 7.0
1573         https://bugs.webkit.org/show_bug.cgi?id=123122
1574
1575         Reviewed by Dan Bernstein.
1576
1577         * API/JSContext.h:
1578         * API/JSManagedValue.h:
1579         * API/JSValue.h:
1580         * API/JSVirtualMachine.h:
1581
1582 2013-10-20  Mark Lam  <mark.lam@apple.com>
1583
1584         Avoid JSC debugger overhead unless needed.
1585         https://bugs.webkit.org/show_bug.cgi?id=123084.
1586
1587         Reviewed by Geoffrey Garen.
1588
1589         - If no breakpoints are set, we now avoid calling the debug hook callbacks.
1590         - If no break on exception is set, we also avoid exception event debug callbacks.
1591         - When we return from the ScriptDebugServer to the JSC::Debugger, we may no
1592           longer call the debug hook callbacks if not needed. Hence, the m_currentCallFrame
1593           pointer in the ScriptDebugServer may become stale. To avoid this issue, before
1594           returning, the ScriptDebugServer will clear its m_currentCallFrame if
1595           needsOpDebugCallbacks() is false.
1596
1597         * debugger/Debugger.cpp:
1598         (JSC::Debugger::Debugger):
1599         (JSC::Debugger::setNeedsExceptionCallbacks):
1600         (JSC::Debugger::setShouldPause):
1601         (JSC::Debugger::updateNumberOfBreakpoints):
1602         (JSC::Debugger::updateNeedForOpDebugCallbacks):
1603         * debugger/Debugger.h:
1604         * interpreter/Interpreter.cpp:
1605         (JSC::Interpreter::unwind):
1606         (JSC::Interpreter::debug):
1607         * jit/JITOpcodes.cpp:
1608         (JSC::JIT::emit_op_debug):
1609         * jit/JITOpcodes32_64.cpp:
1610         (JSC::JIT::emit_op_debug):
1611         * llint/LLIntOffsetsExtractor.cpp:
1612         * llint/LowLevelInterpreter.asm:
1613
1614 2013-10-21  Brent Fulgham  <bfulgham@apple.com>
1615
1616         [WIN] Unreviewed build correction.
1617
1618         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Handle new JIT files as C++ implementation
1619           sources, not header files.
1620         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
1621
1622 2013-10-21  Oliver Hunt  <oliver@apple.com>
1623
1624         Support computed property names in object literals
1625         https://bugs.webkit.org/show_bug.cgi?id=123112
1626
1627         Reviewed by Michael Saboff.
1628
1629         Add support for computed property names to the parser.
1630
1631         * bytecompiler/NodesCodegen.cpp:
1632         (JSC::PropertyListNode::emitBytecode):
1633         * parser/ASTBuilder.h:
1634         (JSC::ASTBuilder::createProperty):
1635         (JSC::ASTBuilder::getName):
1636         * parser/NodeConstructors.h:
1637         (JSC::PropertyNode::PropertyNode):
1638         * parser/Nodes.h:
1639         (JSC::PropertyNode::expressionName):
1640         (JSC::PropertyNode::name):
1641         * parser/Parser.cpp:
1642         (JSC::::parseProperty):
1643         (JSC::::parseStrictObjectLiteral):
1644         * parser/SyntaxChecker.h:
1645         (JSC::SyntaxChecker::Property::Property):
1646         (JSC::SyntaxChecker::createProperty):
1647         (JSC::SyntaxChecker::operatorStackPop):
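
        Added example (not WebKit or JavaScriptCore code) showing what the
        computed-property-name syntax above evaluates to once the parser
        accepts it: keys and values are evaluated in source order, a computed
        key always defines an own property on the new object, and the one key
        where that matters is "__proto__", which the non-computed literal form
        treats as a prototype setter and indexed assignment routes through the
        Object.prototype.__proto__ accessor. The function names fromPairsLiteral,
        fromPairsAssign, protoForms and evaluationOrder are assumptions made
        for this example.

```javascript
// Added example, not JavaScriptCore or WebKit code: what computed property
// names in object literals evaluate to, and how they differ from indexed
// assignment for the one key where that matters, "__proto__".
'use strict';

// Build an object from key/value pairs using a computed property name in an
// object literal. A computed key always defines an own property on the new
// object, even when the key is "__proto__"; only the literal, non-computed
// `__proto__: value` form sets the prototype.
function fromPairsLiteral(pairs) {
  let obj = {};
  for (const [k, v] of pairs) obj = { ...obj, [k]: v };
  return obj;
}

// The same shape built with indexed assignment. obj[k] = v goes through
// [[Set]], so k === "__proto__" reaches Object.prototype.__proto__'s setter
// and replaces the prototype instead of adding a key (prototype pollution).
function fromPairsAssign(pairs) {
  const obj = {};
  for (const [k, v] of pairs) obj[k] = v;
  return obj;
}

// Side-by-side: the literal `__proto__:` form versus the computed form.
function protoForms(proto) {
  const literal = { __proto__: proto };       // sets [[Prototype]]
  const computed = { ['__proto__']: proto };  // defines an own "__proto__" key
  return {
    literalInherits: Object.getPrototypeOf(literal) === proto,
    computedInherits: Object.getPrototypeOf(computed) === proto,
    computedOwnKey: Object.prototype.hasOwnProperty.call(computed, '__proto__'),
  };
}

// Computed keys are evaluated left to right, in source order, interleaved
// with their values; this records that order.
function evaluationOrder() {
  const log = [];
  const key = (name) => { log.push('key:' + name); return name; };
  const val = (n) => { log.push('val:' + n); return n; };
  const o = { [key('a')]: val(1), [key('b')]: val(2) };
  return { log, keys: Object.keys(o) };
}

// Constructed input: the kind of attacker-controlled pair list that a JSON
// merge or query-string parser might feed into an object builder.
const untrustedPairs = [['name', 'x'], ['__proto__', { admin: true }]];
console.log('assign  :', 'admin' in fromPairsAssign(untrustedPairs));   // true
console.log('literal :', 'admin' in fromPairsLiteral(untrustedPairs));  // false
console.log('order   :', evaluationOrder().log.join(' '));
```

        The practical rule this illustrates: when a key comes from outside,
        build the object with a computed property name in a literal (or with
        Object.defineProperty), never with obj[key] = value.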
1648
1649 2013-10-21  Michael Saboff  <msaboff@apple.com>
1650
1651         Add option so that JSC will crash if it can't allocate executable memory for the JITs
1652         https://bugs.webkit.org/show_bug.cgi?id=123048
1653         <rdar://problem/12856193>
1654
1655         Reviewed by Geoffrey Garen.
1656
1657         Added new option, called crashIfCantAllocateJITMemory. If this option is true then we crash
1658         when checking the validity of the executable allocator. The default value for this option is
1659         false, but jsc sets it to true when built for iOS to make it straightforward to identify whether
1660         the app can obtain executable memory.
1661
1662         * jsc.cpp: Explicitly enable crashIfCantAllocateJITMemory on iOS.
1663         (main):
1664         * runtime/Options.h: Added option crashIfCantAllocateJITMemory.
1665         * runtime/VM.cpp:
1666         (JSC::enableAssembler): Modified to crash if option crashIfCantAllocateJITMemory
1667         is enabled.
1668
1669 2013-10-21  Nadav Rotem  <nrotem@apple.com>
1670
1671         Remove AllInOneFile.cpp
1672         https://bugs.webkit.org/show_bug.cgi?id=123055
1673
        Reviewed by Csaba Osztrogonác.
1675
1676         * AllInOneFile.cpp: Removed.
1677
1678 2013-10-20  Filip Pizlo  <fpizlo@apple.com>
1679
1680         Unreviewed, cleanup a FIXME comment.
1681
1682         * jit/Repatch.cpp:
1683
1684 2013-10-20  Filip Pizlo  <fpizlo@apple.com>
1685
1686         StructureStubInfo's usedRegisters set should be able to track all registers, not just the ones that our JIT's view as temporaries
1687         https://bugs.webkit.org/show_bug.cgi?id=123076
1688
1689         Reviewed by Sam Weinig.
1690         
1691         Start preparing for a world in which we are patching code generated by LLVM, which may have
1692         very different register usage conventions than our JITs. This requires us being more explicit
1693         about the registers we are using. For example, the repatching code shouldn't take for granted
1694         that tagMaskRegister holds the TagMask or that the register is even in use.
1695
1696         * CMakeLists.txt:
1697         * GNUmakefile.list.am:
1698         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1699         * JavaScriptCore.xcodeproj/project.pbxproj:
1700         * assembler/MacroAssembler.h:
1701         (JSC::MacroAssembler::numberOfRegisters):
1702         (JSC::MacroAssembler::registerIndex):
1703         (JSC::MacroAssembler::numberOfFPRegisters):
1704         (JSC::MacroAssembler::fpRegisterIndex):
1705         (JSC::MacroAssembler::totalNumberOfRegisters):
1706         * bytecode/StructureStubInfo.h:
1707         * dfg/DFGSpeculativeJIT.cpp:
1708         (JSC::DFG::SpeculativeJIT::usedRegisters):
1709         * dfg/DFGSpeculativeJIT.h:
1710         * ftl/FTLSaveRestore.cpp:
1711         (JSC::FTL::bytesForGPRs):
1712         (JSC::FTL::bytesForFPRs):
1713         (JSC::FTL::offsetOfGPR):
1714         (JSC::FTL::offsetOfFPR):
1715         * jit/JITInlineCacheGenerator.cpp:
1716         (JSC::JITByIdGenerator::JITByIdGenerator):
1717         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1718         * jit/JITInlineCacheGenerator.h:
1719         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1720         * jit/JITPropertyAccess.cpp:
1721         (JSC::JIT::emit_op_get_by_id):
1722         (JSC::JIT::emit_op_put_by_id):
1723         * jit/JITPropertyAccess32_64.cpp:
1724         (JSC::JIT::emit_op_get_by_id):
1725         (JSC::JIT::emit_op_put_by_id):
1726         * jit/RegisterSet.cpp: Added.
1727         (JSC::RegisterSet::specialRegisters):
1728         * jit/RegisterSet.h: Added.
1729         (JSC::RegisterSet::RegisterSet):
1730         (JSC::RegisterSet::set):
1731         (JSC::RegisterSet::clear):
1732         (JSC::RegisterSet::get):
1733         (JSC::RegisterSet::merge):
1734         * jit/Repatch.cpp:
1735         (JSC::generateProtoChainAccessStub):
1736         (JSC::tryCacheGetByID):
1737         (JSC::tryBuildGetByIDList):
1738         (JSC::emitPutReplaceStub):
1739         (JSC::tryRepatchIn):
1740         (JSC::linkClosureCall):
1741         * jit/TempRegisterSet.cpp: Added.
1742         (JSC::TempRegisterSet::TempRegisterSet):
1743         * jit/TempRegisterSet.h:
1744
1745 2013-10-20  Julien Brianceau  <jbriance@cisco.com>
1746
1747         [sh4] Fix build (broken since r157690).
1748         https://bugs.webkit.org/show_bug.cgi?id=123081
1749
1750         Reviewed by Andreas Kling.
1751
1752         * assembler/AssemblerBufferWithConstantPool.h:
1753         * assembler/SH4Assembler.h:
1754         (JSC::SH4Assembler::buffer):
1755         (JSC::SH4Assembler::readCallTarget):
1756
1757 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
1758
1759         Simplify TempRegisterSet - it no longer needs to be convertible to a POD since it's no longer going to be a member of a union
1760         https://bugs.webkit.org/show_bug.cgi?id=123079
1761
1762         Reviewed by Geoffrey Garen.
1763
1764         * jit/TempRegisterSet.h:
1765
1766 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
1767
1768         Rename RegisterSet to TempRegisterSet
1769         https://bugs.webkit.org/show_bug.cgi?id=123077
1770
1771         Reviewed by Dan Bernstein.
1772
1773         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1774         * JavaScriptCore.xcodeproj/project.pbxproj:
1775         * bytecode/StructureStubInfo.h:
1776         * dfg/DFGJITCompiler.h:
1777         * dfg/DFGSpeculativeJIT.h:
1778         (JSC::DFG::SpeculativeJIT::usedRegisters):
1779         * jit/JITInlineCacheGenerator.cpp:
1780         (JSC::JITByIdGenerator::JITByIdGenerator):
1781         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1782         * jit/JITInlineCacheGenerator.h:
1783         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1784         * jit/JITPropertyAccess.cpp:
1785         (JSC::JIT::emit_op_get_by_id):
1786         (JSC::JIT::emit_op_put_by_id):
1787         * jit/JITPropertyAccess32_64.cpp:
1788         (JSC::JIT::emit_op_get_by_id):
1789         (JSC::JIT::emit_op_put_by_id):
1790         * jit/RegisterSet.h: Removed.
1791         * jit/ScratchRegisterAllocator.h:
1792         (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
1793         * jit/TempRegisterSet.h: Copied from Source/JavaScriptCore/jit/RegisterSet.h.
1794         (JSC::TempRegisterSet::TempRegisterSet):
1795         (JSC::TempRegisterSet::asPOD):
1796         (JSC::TempRegisterSet::copyInfo):
1797
1798 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
1799
1800         Restructure LinkBuffer to allow for alternate allocation strategies
1801         https://bugs.webkit.org/show_bug.cgi?id=123071
1802
1803         Reviewed by Oliver Hunt.
1804         
1805         The idea is to eventually allow a LinkBuffer to place the code into an already
1806         allocated region of memory.  That region of memory could be the nop-slide left behind
1807         by a llvm.webkit.patchpoint.
1808
1809         * assembler/ARM64Assembler.h:
1810         (JSC::ARM64Assembler::buffer):
1811         * assembler/AssemblerBuffer.h:
1812         * assembler/LinkBuffer.cpp:
1813         (JSC::LinkBuffer::copyCompactAndLinkCode):
1814         (JSC::LinkBuffer::linkCode):
1815         (JSC::LinkBuffer::allocate):
1816         (JSC::LinkBuffer::shrink):
1817         * assembler/LinkBuffer.h:
1818         (JSC::LinkBuffer::LinkBuffer):
1819         (JSC::LinkBuffer::didFailToAllocate):
1820         * assembler/X86Assembler.h:
1821         (JSC::X86Assembler::buffer):
1822         (JSC::X86Assembler::X86InstructionFormatter::memoryModRM):
1823
1824 2013-10-19  Alexey Proskuryakov  <ap@apple.com>
1825
1826         Some includes in JSC seem to use an incorrect style
1827         https://bugs.webkit.org/show_bug.cgi?id=123057
1828
1829         Reviewed by Geoffrey Garen.
1830
1831         Changed pseudo-system includes to user ones.
1832
1833         * API/JSContextRef.cpp:
1834         * API/JSStringRefCF.cpp:
1835         * API/JSValueRef.cpp:
1836         * API/OpaqueJSString.cpp:
1837         * jit/JIT.h:
1838         * parser/SyntaxChecker.h:
1839         * runtime/WeakGCMap.h:
1840
1841 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
1842
1843         Baseline JIT and DFG IC code generation should be unified and rationalized
1844         https://bugs.webkit.org/show_bug.cgi?id=122939
1845
1846         Reviewed by Geoffrey Garen.
1847         
1848         Introduce the JITInlineCacheGenerator, which takes a CodeBlock and a CodeOrigin plus
        some register info and creates JIT inline caches for you. Used this to even further
1850         unify the baseline and DFG ICs. In the future we can use this for FTL ICs. And my hope
1851         is that we'll be able to use it for cascading ICs: an IC for some instruction may realize
1852         that it needs to do the equivalent of get_by_id, so with this generator it will be able
1853         to create an IC even though it wasn't associated with a get_by_id bytecode instruction.
1854
1855         * CMakeLists.txt:
1856         * GNUmakefile.list.am:
1857         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1858         * JavaScriptCore.xcodeproj/project.pbxproj:
1859         * assembler/AbstractMacroAssembler.h:
1860         (JSC::AbstractMacroAssembler::DataLabelCompact::label):
1861         * bytecode/CodeBlock.h:
1862         (JSC::CodeBlock::ecmaMode):
1863         * dfg/DFGInlineCacheWrapper.h: Added.
1864         (JSC::DFG::InlineCacheWrapper::InlineCacheWrapper):
1865         * dfg/DFGInlineCacheWrapperInlines.h: Added.
1866         (JSC::DFG::::finalize):
1867         * dfg/DFGJITCompiler.cpp:
1868         (JSC::DFG::JITCompiler::link):
1869         * dfg/DFGJITCompiler.h:
1870         (JSC::DFG::JITCompiler::addGetById):
1871         (JSC::DFG::JITCompiler::addPutById):
1872         * dfg/DFGSpeculativeJIT32_64.cpp:
1873         (JSC::DFG::SpeculativeJIT::cachedGetById):
1874         (JSC::DFG::SpeculativeJIT::cachedPutById):
1875         * dfg/DFGSpeculativeJIT64.cpp:
1876         (JSC::DFG::SpeculativeJIT::cachedGetById):
1877         (JSC::DFG::SpeculativeJIT::cachedPutById):
1878         (JSC::DFG::SpeculativeJIT::compile):
1879         * jit/AssemblyHelpers.h:
1880         (JSC::AssemblyHelpers::isStrictModeFor):
1881         (JSC::AssemblyHelpers::strictModeFor):
1882         * jit/GPRInfo.h:
1883         (JSC::JSValueRegs::tagGPR):
1884         * jit/JIT.cpp:
1885         (JSC::JIT::JIT):
1886         (JSC::JIT::privateCompileSlowCases):
1887         (JSC::JIT::privateCompile):
1888         * jit/JIT.h:
1889         * jit/JITInlineCacheGenerator.cpp: Added.
1890         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
1891         (JSC::JITByIdGenerator::JITByIdGenerator):
1892         (JSC::JITByIdGenerator::finalize):
1893         (JSC::JITByIdGenerator::generateFastPathChecks):
1894         (JSC::JITGetByIdGenerator::generateFastPath):
1895         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1896         (JSC::JITPutByIdGenerator::generateFastPath):
1897         (JSC::JITPutByIdGenerator::slowPathFunction):
1898         * jit/JITInlineCacheGenerator.h: Added.
1899         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
1900         (JSC::JITInlineCacheGenerator::stubInfo):
1901         (JSC::JITByIdGenerator::JITByIdGenerator):
1902         (JSC::JITByIdGenerator::reportSlowPathCall):
1903         (JSC::JITByIdGenerator::slowPathJump):
1904         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1905         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1906         * jit/JITPropertyAccess.cpp:
1907         (JSC::JIT::emit_op_get_by_id):
1908         (JSC::JIT::emitSlow_op_get_by_id):
1909         (JSC::JIT::emit_op_put_by_id):
1910         (JSC::JIT::emitSlow_op_put_by_id):
1911         * jit/JITPropertyAccess32_64.cpp:
1912         (JSC::JIT::emit_op_get_by_id):
1913         (JSC::JIT::emitSlow_op_get_by_id):
1914         (JSC::JIT::emit_op_put_by_id):
1915         (JSC::JIT::emitSlow_op_put_by_id):
1916         * jit/RegisterSet.h:
1917         (JSC::RegisterSet::set):
1918
1919 2013-10-19  Alexey Proskuryakov  <ap@apple.com>
1920
1921         APICast.h uses functions from JSCJSValueInlines.h, but doesn't include it
1922         https://bugs.webkit.org/show_bug.cgi?id=123067
1923
1924         Reviewed by Geoffrey Garen.
1925
1926         * API/APICast.h: Include it.
1927
1928 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
1929
1930         FTL::Location should treat the offset as an addend in the case of a Register location
1931         https://bugs.webkit.org/show_bug.cgi?id=123062
1932
1933         Reviewed by Sam Weinig.
1934
1935         * ftl/FTLLocation.cpp:
1936         (JSC::FTL::Location::forStackmaps):
1937         (JSC::FTL::Location::dump):
1938         (JSC::FTL::Location::restoreInto):
1939         * ftl/FTLLocation.h:
1940         (JSC::FTL::Location::forRegister):
1941         (JSC::FTL::Location::hasAddend):
1942         (JSC::FTL::Location::addend):
1943
1944 2013-10-19  Nadav Rotem  <nrotem@apple.com>
1945
1946         DFG dominators: document and rename stuff.
1947         https://bugs.webkit.org/show_bug.cgi?id=123056
1948
1949         Reviewed by Filip Pizlo.
1950
1951         Documented the code and renamed some variables.
1952
1953         * dfg/DFGDominators.cpp:
1954         (JSC::DFG::Dominators::compute):
1955         (JSC::DFG::Dominators::pruneDominators):
1956         * dfg/DFGDominators.h:
1957
1958 2013-10-19  Julien Brianceau  <jbriance@cisco.com>
1959
1960         Fix build failure for architectures with 4 argument registers.
1961         https://bugs.webkit.org/show_bug.cgi?id=123060
1962
1963         Reviewed by Michael Saboff.
1964
1965         Add missing setupArgumentsWithExecState() prototypes for architecture with 4 argument registers.
1966         Remove SH4 specific code no longer needed since callOperation prototype change in r157660.
1967
1968         * dfg/DFGSpeculativeJIT.h:
1969         (JSC::DFG::SpeculativeJIT::callOperation):
1970         * jit/CCallHelpers.h:
1971         (JSC::CCallHelpers::setupArgumentsWithExecState):
1972         * jit/JITInlines.h:
1973         (JSC::JIT::callOperation):
1974
1975 2013-10-18  Filip Pizlo  <fpizlo@apple.com>
1976
1977         Unreviewed, fix FTL build.
1978
1979         * ftl/FTLIntrinsicRepository.h:
1980         * ftl/FTLLowerDFGToLLVM.cpp:
1981         (JSC::FTL::LowerDFGToLLVM::compileGetById):
1982
1983 2013-10-18  Filip Pizlo  <fpizlo@apple.com>
1984
1985         A CodeBlock's StructureStubInfos shouldn't be in a Vector that we search using code origins and machine code PCs
1986         https://bugs.webkit.org/show_bug.cgi?id=122940
1987
1988         Reviewed by Oliver Hunt.
1989         
1990         This accomplishes a number of simplifications. StructureStubInfo is now non-moving,
1991         whereas previously it was in a Vector, so it moved. This allows you to use pointers to
1992         StructureStubInfo. This also eliminates the use of return PC as a way of finding the
1993         StructureStubInfo's. It removes some of the need for the compile-time property access
1994         records; for example the DFG no longer has to save information about registers in a
1995         property access record only to later save it to the stub info.
1996         
        The main thing it accomplishes is that it makes it easier to add StructureStubInfo's
1998         at any stage of compilation.
1999
2000         * bytecode/CodeBlock.cpp:
2001         (JSC::CodeBlock::printGetByIdCacheStatus):
2002         (JSC::CodeBlock::dumpBytecode):
2003         (JSC::CodeBlock::~CodeBlock):
2004         (JSC::CodeBlock::propagateTransitions):
2005         (JSC::CodeBlock::finalizeUnconditionally):
2006         (JSC::CodeBlock::addStubInfo):
2007         (JSC::CodeBlock::getStubInfoMap):
2008         (JSC::CodeBlock::shrinkToFit):
2009         * bytecode/CodeBlock.h:
2010         (JSC::CodeBlock::begin):
2011         (JSC::CodeBlock::end):
2012         (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
2013         * bytecode/CodeOrigin.h:
2014         (JSC::CodeOrigin::CodeOrigin):
2015         (JSC::CodeOrigin::isHashTableDeletedValue):
2016         (JSC::CodeOrigin::hash):
2017         (JSC::CodeOriginHash::hash):
2018         (JSC::CodeOriginHash::equal):
2019         * bytecode/GetByIdStatus.cpp:
2020         (JSC::GetByIdStatus::computeFor):
2021         * bytecode/GetByIdStatus.h:
2022         * bytecode/PutByIdStatus.cpp:
2023         (JSC::PutByIdStatus::computeFor):
2024         * bytecode/PutByIdStatus.h:
2025         * bytecode/StructureStubInfo.h:
2026         (JSC::getStructureStubInfoCodeOrigin):
2027         * dfg/DFGByteCodeParser.cpp:
2028         (JSC::DFG::ByteCodeParser::parseBlock):
2029         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2030         * dfg/DFGJITCompiler.cpp:
2031         (JSC::DFG::JITCompiler::link):
2032         * dfg/DFGJITCompiler.h:
2033         (JSC::DFG::PropertyAccessRecord::PropertyAccessRecord):
2034         (JSC::DFG::InRecord::InRecord):
2035         * dfg/DFGSpeculativeJIT.cpp:
2036         (JSC::DFG::SpeculativeJIT::compileIn):
2037         * dfg/DFGSpeculativeJIT.h:
2038         (JSC::DFG::SpeculativeJIT::callOperation):
2039         * dfg/DFGSpeculativeJIT32_64.cpp:
2040         (JSC::DFG::SpeculativeJIT::cachedGetById):
2041         (JSC::DFG::SpeculativeJIT::cachedPutById):
2042         * dfg/DFGSpeculativeJIT64.cpp:
2043         (JSC::DFG::SpeculativeJIT::cachedGetById):
2044         (JSC::DFG::SpeculativeJIT::cachedPutById):
2045         * jit/CCallHelpers.h:
2046         (JSC::CCallHelpers::setupArgumentsWithExecState):
2047         * jit/JIT.cpp:
2048         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
2049         (JSC::JIT::privateCompile):
2050         * jit/JIT.h:
2051         (JSC::PropertyStubCompilationInfo::slowCaseInfo):
2052         * jit/JITInlines.h:
2053         (JSC::JIT::callOperation):
2054         * jit/JITOperations.cpp:
2055         * jit/JITOperations.h:
2056         * jit/JITPropertyAccess.cpp:
2057         (JSC::JIT::emitSlow_op_get_by_id):
2058         (JSC::JIT::emitSlow_op_put_by_id):
2059         * jit/JITPropertyAccess32_64.cpp:
2060         (JSC::JIT::emitSlow_op_get_by_id):
2061         (JSC::JIT::emitSlow_op_put_by_id):
2062         * jit/Repatch.cpp:
2063         (JSC::appropriateGenericPutByIdFunction):
2064         (JSC::appropriateListBuildingPutByIdFunction):
2065         (JSC::resetPutByID):
2066
2067 2013-10-18  Oliver Hunt  <oliver@apple.com>
2068
2069         Spread operator should be performing direct "puts" and not triggering setters
2070         https://bugs.webkit.org/show_bug.cgi?id=123047
2071
2072         Reviewed by Geoffrey Garen.
2073
        Add a new opcode -- op_put_by_val_direct -- and make use of it in the spread
2075         to array construct.  This required a new PutByValDirect node to be introduced to
2076         the DFG.  The current implementation simply changes the slow path function that
2077         is called, but in future this could be made faster as it does not need to check
2078         the prototype chain.
2079
2080         * bytecode/CodeBlock.cpp:
2081         (JSC::CodeBlock::dumpBytecode):
2082         (JSC::CodeBlock::CodeBlock):
2083         * bytecode/Opcode.h:
2084         (JSC::padOpcodeName):
2085         * bytecompiler/BytecodeGenerator.cpp:
2086         (JSC::BytecodeGenerator::emitDirectPutByVal):
2087         * bytecompiler/BytecodeGenerator.h:
2088         * bytecompiler/NodesCodegen.cpp:
2089         (JSC::ArrayNode::emitBytecode):
2090         * dfg/DFGAbstractInterpreterInlines.h:
2091         (JSC::DFG::::executeEffects):
2092         * dfg/DFGBackwardsPropagationPhase.cpp:
2093         (JSC::DFG::BackwardsPropagationPhase::propagate):
2094         * dfg/DFGByteCodeParser.cpp:
2095         (JSC::DFG::ByteCodeParser::parseBlock):
2096         * dfg/DFGCSEPhase.cpp:
2097         (JSC::DFG::CSEPhase::getArrayLengthElimination):
2098         (JSC::DFG::CSEPhase::getByValLoadElimination):
2099         (JSC::DFG::CSEPhase::checkStructureElimination):
2100         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
2101         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
2102         (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
2103         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
2104         (JSC::DFG::CSEPhase::performNodeCSE):
2105         * dfg/DFGCapabilities.cpp:
2106         (JSC::DFG::capabilityLevel):
2107         * dfg/DFGClobberize.h:
2108         (JSC::DFG::clobberize):
2109         * dfg/DFGFixupPhase.cpp:
2110         (JSC::DFG::FixupPhase::fixupNode):
2111         * dfg/DFGGraph.h:
2112         (JSC::DFG::Graph::clobbersWorld):
2113         * dfg/DFGNode.h:
2114         (JSC::DFG::Node::hasArrayMode):
2115         * dfg/DFGNodeType.h:
2116         * dfg/DFGOperations.cpp:
2117         (JSC::DFG::putByVal):
2118         (JSC::DFG::operationPutByValInternal):
2119         * dfg/DFGOperations.h:
2120         * dfg/DFGPredictionPropagationPhase.cpp:
2121         (JSC::DFG::PredictionPropagationPhase::propagate):
2122         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
2123         * dfg/DFGSafeToExecute.h:
2124         (JSC::DFG::safeToExecute):
2125         * dfg/DFGSpeculativeJIT32_64.cpp:
2126         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
2127         (JSC::DFG::SpeculativeJIT::compile):
2128         * dfg/DFGSpeculativeJIT64.cpp:
2129         (JSC::DFG::SpeculativeJIT::compile):
2130         * dfg/DFGTypeCheckHoistingPhase.cpp:
2131         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2132         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
2133         * jit/JIT.cpp:
2134         (JSC::JIT::privateCompileMainPass):
2135         (JSC::JIT::privateCompileSlowCases):
2136         * jit/JIT.h:
2137         (JSC::JIT::compileDirectPutByVal):
2138         * jit/JITOperations.cpp:
2139         * jit/JITOperations.h:
2140         * jit/JITPropertyAccess.cpp:
2141         (JSC::JIT::emitSlow_op_put_by_val):
2142         (JSC::JIT::privateCompilePutByVal):
2143         * jit/JITPropertyAccess32_64.cpp:
2144         (JSC::JIT::emitSlow_op_put_by_val):
2145         * llint/LLIntSlowPaths.cpp:
2146         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2147         * llint/LLIntSlowPaths.h:
2148         * llint/LowLevelInterpreter32_64.asm:
2149         * llint/LowLevelInterpreter64.asm:
2150
2151 2013-10-18  Daniel Bates  <dabates@apple.com>
2152
2153         [iOS] Export symbol for VM::sharedInstanceExists()
2154         https://bugs.webkit.org/show_bug.cgi?id=123046
2155
2156         Reviewed by Mark Hahnenberg.
2157
2158         * runtime/VM.h:
2159
2160 2013-10-18  Daniel Bates  <dabates@apple.com>
2161
2162         [iOS] Upstream WebSafe{GCActivityCallback, IncrementalSweeper}IOS
2163         https://bugs.webkit.org/show_bug.cgi?id=123049
2164
2165         Reviewed by Mark Hahnenberg.
2166
2167         * heap/Heap.cpp:
2168         (JSC::Heap::setIncrementalSweeper):
2169         * heap/Heap.h:
2170         * heap/HeapTimer.h:
2171         * heap/IncrementalSweeper.h: Make protected and export CF-variant of constructor.
2172         Removed unused include of header RetainPtr.h. Also forward declare class MarkedBlock
2173         (we include its header in the .cpp file) and remove include for header wtf/HashSet.h
2174         (duplicates the include in the .cpp).
2175         * heap/MachineStackMarker.h: Export function makeUsableFromMultipleThreads(). We aren't
2176         making use of this now, but we'll make use of it in a subsequent patch.
2177
2178 2013-10-18  Anders Carlsson  <andersca@apple.com>
2179
2180         Remove spaces between template angle brackets
2181         https://bugs.webkit.org/show_bug.cgi?id=123040
2182
2183         Reviewed by Andreas Kling.
2184
2185         * API/JSCallbackObject.cpp:
2186         (JSC::::create):
2187         * API/JSObjectRef.cpp:
2188         * bytecode/CodeBlock.h:
2189         (JSC::CodeBlock::constants):
2190         (JSC::CodeBlock::setConstantRegisters):
2191         * bytecode/DFGExitProfile.h:
2192         * bytecode/EvalCodeCache.h:
2193         * bytecode/Operands.h:
2194         * bytecode/UnlinkedCodeBlock.h:
2195         (JSC::UnlinkedCodeBlock::constantRegisters):
2196         * bytecode/Watchpoint.h:
2197         * bytecompiler/BytecodeGenerator.h:
2198         * bytecompiler/StaticPropertyAnalysis.h:
2199         * bytecompiler/StaticPropertyAnalyzer.h:
2200         * dfg/DFGArgumentsSimplificationPhase.cpp:
2201         * dfg/DFGBlockInsertionSet.h:
2202         * dfg/DFGCSEPhase.cpp:
2203         (JSC::DFG::performCSE):
2204         (JSC::DFG::performStoreElimination):
2205         * dfg/DFGCommonData.h:
2206         * dfg/DFGDesiredStructureChains.h:
2207         * dfg/DFGDesiredWatchpoints.h:
2208         * dfg/DFGJITCompiler.h:
2209         * dfg/DFGOSRExitCompiler32_64.cpp:
2210         (JSC::DFG::OSRExitCompiler::compileExit):
2211         * dfg/DFGOSRExitCompiler64.cpp:
2212         (JSC::DFG::OSRExitCompiler::compileExit):
2213         * dfg/DFGWorklist.h:
2214         * heap/BlockAllocator.h:
2215         (JSC::CopiedBlock):
2216         (JSC::MarkedBlock):
2217         (JSC::WeakBlock):
2218         (JSC::MarkStackSegment):
2219         (JSC::CopyWorkListSegment):
2220         (JSC::HandleBlock):
2221         * heap/Heap.h:
2222         * heap/Local.h:
2223         * heap/MarkedBlock.h:
2224         * heap/Strong.h:
2225         * jit/AssemblyHelpers.cpp:
2226         (JSC::AssemblyHelpers::decodedCodeMapFor):
2227         * jit/AssemblyHelpers.h:
2228         * jit/SpecializedThunkJIT.h:
2229         * parser/Nodes.h:
2230         * parser/Parser.cpp:
2231         (JSC::::parseIfStatement):
2232         * parser/Parser.h:
2233         (JSC::Scope::copyCapturedVariablesToVector):
2234         (JSC::parse):
2235         * parser/ParserArena.h:
2236         * parser/SourceProviderCacheItem.h:
2237         * profiler/LegacyProfiler.cpp:
2238         (JSC::dispatchFunctionToProfiles):
2239         * profiler/LegacyProfiler.h:
2240         (JSC::LegacyProfiler::currentProfiles):
2241         * profiler/ProfileNode.h:
2242         (JSC::ProfileNode::children):
2243         * profiler/ProfilerDatabase.h:
2244         * runtime/Butterfly.h:
2245         (JSC::Butterfly::contiguousInt32):
2246         (JSC::Butterfly::contiguous):
2247         * runtime/GenericTypedArrayViewInlines.h:
2248         (JSC::::create):
2249         * runtime/Identifier.h:
2250         (JSC::Identifier::add):
2251         * runtime/JSPromise.h:
2252         * runtime/PropertyMapHashTable.h:
2253         * runtime/PropertyNameArray.h:
2254         * runtime/RegExpCache.h:
2255         * runtime/SparseArrayValueMap.h:
2256         * runtime/SymbolTable.h:
2257         * runtime/VM.h:
2258         * tools/CodeProfile.cpp:
2259         (JSC::truncateTrace):
2260         * tools/CodeProfile.h:
2261         * yarr/YarrInterpreter.cpp:
2262         * yarr/YarrInterpreter.h:
2263         (JSC::Yarr::BytecodePattern::BytecodePattern):
2264         * yarr/YarrJIT.cpp:
2265         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
2266         (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
2267         (JSC::Yarr::YarrGenerator::opCompileBody):
2268         * yarr/YarrPattern.cpp:
2269         (JSC::Yarr::YarrPatternConstructor::checkForTerminalParentheses):
2270         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
2271         * yarr/YarrPattern.h:
2272
2273 2013-10-18  Mark Lam  <mark.lam@apple.com>
2274
2275         Remove excess reserved space in ctiTrampoline frames for X86 and X86_64.
2276         https://bugs.webkit.org/show_bug.cgi?id=123037.
2277
2278         Reviewed by Geoffrey Garen.
2279
2280         * jit/JITStubsMSVC64.asm:
2281         * jit/JITStubsX86.h:
2282         * jit/JITStubsX86_64.h:
2283
2284 2013-10-18  Filip Pizlo  <fpizlo@apple.com>
2285
2286         Frequent RELEASE_ASSERT crashes in Structure::checkOffsetConsistency on WebGL swizzler tests
2287         https://bugs.webkit.org/show_bug.cgi?id=121661
2288
2289         Reviewed by Mark Hahnenberg.
2290         
2291         This method shouldn't have been called from the concurrent JIT thread. That's hard to prevent
2292         so I added a return-early check using isCompilationThread().
2293         
2294         Here's why this makes sense. Structure has two ways to tell you about the layout of the objects
2295         it is describing: m_offset and the property table. Most structures only have m_offset and report
2296         null for the property table. If the property table is there, it will tell you additional
2297         information and that information subsumes m_offset - but the m_offset is still there. So, when
2298         we have a property table, we have to keep it in sync with the m_offset. There is a bunch of
2299         machinery to do this.
2300         
2301         Changing the property table only happens on the main thread.
2302         
2303         Because the machinery to change the property table is so complex, especially with respect to
2304         keeping it in sync with m_offset, we have the checkOffsetConsistency method. It's meant to be
2305         called at key points before and after changes to the property table or the offset.
2306
2307         Most clients of Structure who care about object layout, including the concurrent thread, will
2308         want to know m_offset and not the property table. If they want the property table, they will
2309         already be super careful. The concurrent thread has special methods for this, like
2310         Structure::getConcurrently(), which uses fine-grained locking to ensure that it sees a coherent
2311         view of the property table.
2312         
2313         Adding locking to checkOffsetConsistency() is probably a bad idea since that method may be
2314         called when the relevant lock is already held. So, we'd have awkward recursive locking issues.
2315         
2316         But right now, the concurrent JIT thread may call a method, like Structure::outOfLineCapacity(),
2317         which has a call to checkOffsetConsistency(). The call to checkOffsetConsistency() is there
2318         because we have found that it helps quickly identify situations where the property table and
2319         m_offset get out of sync - mainly because code that changes either of those things will usually
2320         also want to know the outOfLineCapacity(). But Structure::outOfLineCapacity() doesn't *actually*
2321         need the property table; it uses the m_offset. The concurrent JIT is correct to call
2322         outOfLineCapacity(), and is right to do so without holding any locks (since in all cases where
2323         it calls outOfLineCapacity() it has already proven that m_offset is immutable). But because
2324         outOfLineCapacity() calls checkOffsetConsistency(), and checkOffsetConsistency() doesn't grab
2325         locks, and that same structure is having its property table modified by the main thread, we end
2326         up with these spurious assertion failures. FWIW, the structure isn't *actually* having *its*
2327         property table modified - instead what happens is that some downstream structure steals the
2328         property table and then starts adding things to it. The concurrent thread loads the property
2329         table before it's stolen, and hence the badness.
2330         
2331         I suspect there are other code paths that lead to the concurrent JIT calling some Structure
2332         method that it is fine and safe to call, but then that method calls checkOffsetConsistency(),
2333         and then you have a possible crash.
2334         
2335         The most sensible solution to this appears to be to make sure that checkOffsetConsistency() is
2336         aware of its uselessness to the concurrent JIT thread. This change makes it return early if
2337         it's in the concurrent JIT.
2338         
2339         * runtime/StructureInlines.h:
2340         (JSC::Structure::checkOffsetConsistency):
2341
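To make the design in this entry concrete, here is an added C++ illustration, not JavaScriptCore's own code: a toy Structure that carries m_offset plus an optional property table, a checkOffsetConsistency() that returns early on the compilation thread, and a single-threaded replay of the interleaving the entry describes (the concurrent thread loads the table pointer, then the main thread lets another structure steal and grow that table). isCompilationThread() as a thread-local flag, CompilationThreadScope, PropertyTable, loadTableUnlocked() and the slot arithmetic are assumptions of this example only.

```cpp
#include <cstddef>
#include <memory>
#include <string>
#include <unordered_map>
#include <utility>

namespace offset_check_example {

// Assumption: stand-in for JSC's isCompilationThread(), modelled as a
// thread-local flag that the concurrent JIT thread sets for itself.
thread_local bool tlsIsCompilationThread = false;
bool isCompilationThread() { return tlsIsCompilationThread; }

// RAII helper that marks the current thread as the compilation thread.
struct CompilationThreadScope {
    CompilationThreadScope() { tlsIsCompilationThread = true; }
    ~CompilationThreadScope() { tlsIsCompilationThread = false; }
};

// The optional, richer layout description. Only the main thread mutates it.
struct PropertyTable {
    std::unordered_map<std::string, unsigned> slots;
    unsigned nextSlot = 0;
};

class Structure {
public:
    // Main thread: add a property while keeping m_offset and the table in sync.
    void addProperty(const std::string& name) {
        if (!m_table)
            m_table = std::make_unique<PropertyTable>();
        m_table->slots.emplace(name, m_table->nextSlot++);
        m_offset = m_table->nextSlot;
    }

    // Main thread: a downstream structure takes over this structure's table and
    // keeps growing it. This structure's own m_offset stays as it was.
    void stealTableFrom(Structure& other) {
        m_table = std::move(other.m_table);
        m_offset = other.m_offset;
    }

    // What the concurrent JIT reads without holding any lock: the table pointer
    // as it is right now (possibly about to be stolen).
    const PropertyTable* loadTableUnlocked() const { return m_table.get(); }

    // Debug check: does m_offset agree with a table pointer loaded earlier?
    // Returns early on the compilation thread: that thread may already hold the
    // relevant lock (so locking here would recurse) and may have loaded a table
    // that has since been stolen and mutated, so its verdict would be spurious.
    bool checkOffsetConsistency(const PropertyTable* table) const {
        if (isCompilationThread())
            return true;
        if (!table)
            return true;                      // m_offset alone describes the layout
        return table->nextSlot == m_offset;
    }

    // Needs only m_offset, so the concurrent JIT is right to call it lock-free;
    // the embedded consistency check is the only hazard.
    size_t outOfLineCapacity() const {
        checkOffsetConsistency(loadTableUnlocked());
        return (m_offset + 7) / 8 * 8;        // assumed slot-rounding for the toy
    }

private:
    unsigned m_offset = 0;
    std::unique_ptr<PropertyTable> m_table;
};

// Sanity check for the main-thread path: a freshly built structure is consistent.
bool freshStructureIsConsistent() {
    Structure s;
    s.addProperty("a");
    return s.checkOffsetConsistency(s.loadTableUnlocked()) && s.outOfLineCapacity() == 8;
}

// Replays the interleaving from the entry in one thread. Returns
// {verdict without the early return, verdict with the early return}.
std::pair<bool, bool> replayRace() {
    Structure base;
    base.addProperty("x");                                      // m_offset == 1, table {x}
    const PropertyTable* seenByJIT = base.loadTableUnlocked();  // JIT loads the table

    Structure derived;
    derived.stealTableFrom(base);                               // main thread steals it
    derived.addProperty("y");                                   // ...and grows it: nextSlot == 2

    bool mainThreadVerdict = base.checkOffsetConsistency(seenByJIT);  // 2 != 1 -> false
    bool jitVerdict;
    {
        CompilationThreadScope scope;
        jitVerdict = base.checkOffsetConsistency(seenByJIT);    // skipped -> true
    }
    return {mainThreadVerdict, jitVerdict};
}

}  // namespace offset_check_example
```

replayRace() returns {false, true}: the same stale comparison that would fire a RELEASE_ASSERT is reported as a failure when the check runs unconditionally, and is skipped once the caller is known to be the compilation thread, which is the behaviour the entry adds to checkOffsetConsistency().
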
2342 2013-10-18  Daniel Bates  <dabates@apple.com>
2343
2344         Add SPI to disable the garbage collector timer
2345         https://bugs.webkit.org/show_bug.cgi?id=122921
2346
2347         Add null check to Heap::setGarbageCollectionTimerEnabled() that I inadvertently
2348         omitted.
2349
2350         * heap/Heap.cpp:
2351         (JSC::Heap::setGarbageCollectionTimerEnabled):
2352
2353 2013-10-18  Julien Brianceau  <jbriance@cisco.com>
2354
2355         Group 64-bit specific and 32-bit specific callOperation implementations.
2356         https://bugs.webkit.org/show_bug.cgi?id=123024
2357
2358         Reviewed by Michael Saboff.
2359
2360         This is not a big deal, but could be less confusing when reading the code.
2361
2362         * jit/JITInlines.h:
2363         (JSC::JIT::callOperation):
2364         (JSC::JIT::callOperationWithCallFrameRollbackOnException):
2365         (JSC::JIT::callOperationNoExceptionCheck):
2366
2367 2013-10-18  Nadav Rotem  <nrotem@apple.com>
2368
2369         Fix a FlushLiveness problem.
2370         https://bugs.webkit.org/show_bug.cgi?id=122984
2371
2372         Reviewed by Filip Pizlo.
2373
2374         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
2375         (JSC::DFG::FlushLivenessAnalysisPhase::process):
2376
2377 2013-10-18  Michael Saboff  <msaboff@apple.com>
2378
2379         Change native function call stubs to use JIT operations instead of ctiVMHandleException
2380         https://bugs.webkit.org/show_bug.cgi?id=122982
2381
2382         Reviewed by Geoffrey Garen.
2383
2384         Change ctiVMHandleException to operationVMHandleException.  Change all exception operations to
2385         return the catch callFrame and entryPC via vm.callFrameForThrow and vm.targetMachinePCForThrow.
2386         This removed calling convention headaches, fixing https://bugs.webkit.org/show_bug.cgi?id=122980
2387         in the process.
2388
2389         * dfg/DFGJITCompiler.cpp:
2390         (JSC::DFG::JITCompiler::compileExceptionHandlers):
2391         * jit/CCallHelpers.h:
2392         (JSC::CCallHelpers::jumpToExceptionHandler):
2393         * jit/JIT.cpp:
2394         (JSC::JIT::privateCompileExceptionHandlers):
2395         * jit/JIT.h:
2396         * jit/JITExceptions.cpp:
2397         (JSC::genericUnwind):
2398         * jit/JITExceptions.h:
2399         * jit/JITInlines.h:
2400         (JSC::JIT::callOperationNoExceptionCheck):
2401         * jit/JITOpcodes.cpp:
2402         (JSC::JIT::emit_op_throw):
2403         * jit/JITOpcodes32_64.cpp:
2404         (JSC::JIT::privateCompileCTINativeCall):
2405         (JSC::JIT::emit_op_throw):
2406         * jit/JITOperations.cpp:
2407         * jit/JITOperations.h:
2408         * jit/JITStubs.cpp:
2409         * jit/JITStubs.h:
2410         * jit/JITStubsARM.h:
2411         * jit/JITStubsARM64.h:
2412         * jit/JITStubsARMv7.h:
2413         * jit/JITStubsMIPS.h:
2414         * jit/JITStubsMSVC64.asm:
2415         * jit/JITStubsSH4.h:
2416         * jit/JITStubsX86.h:
2417         * jit/JITStubsX86_64.h:
2418         * jit/Repatch.cpp:
2419         (JSC::tryBuildGetByIDList):
2420         * jit/SlowPathCall.h:
2421         (JSC::JITSlowPathCall::call):
2422         * jit/ThunkGenerators.cpp:
2423         (JSC::throwExceptionFromCallSlowPathGenerator):
2424         (JSC::nativeForGenerator):
2425         * runtime/VM.h:
2426         (JSC::VM::callFrameForThrowOffset):
2427         (JSC::VM::targetMachinePCForThrowOffset):
2428
2429 2013-10-18  Julien Brianceau  <jbriance@cisco.com>
2430
2431         Fix J_JITOperation_EAapJ call for MIPS and ARM EABI.
2432         https://bugs.webkit.org/show_bug.cgi?id=123023
2433
2434         Reviewed by Michael Saboff.
2435
2436         * jit/JITInlines.h:
2437         (JSC::JIT::callOperation): EncodedJSValue parameter does not need alignment
2438         using EABI_32BIT_DUMMY_ARG here.
2439
2440 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
2441
2442         Unreviewed, another ARM64 build fix.
2443         
2444         Get rid of andPtr(TrustedImmPtr, blah), since it would take Effort to get it to work
2445         on ARM64 and none of its uses are legit - they should all be using
2446         andPtr(TrustedImm32, blah) anyway.
2447
2448         * assembler/MacroAssembler.h:
2449         * assembler/MacroAssemblerARM64.h:
2450         * dfg/DFGJITCompiler.cpp:
2451         (JSC::DFG::JITCompiler::compileExceptionHandlers):
2452         * jit/JIT.cpp:
2453         (JSC::JIT::privateCompileExceptionHandlers):
2454
2455 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
2456
2457         Unreviewed, speculative ARM64 build fix.
2458         
2459         move(ImmPtr, blah) is only available in MacroAssembler since that's where blinding is
2460         implemented. So, you have to use TrustedImmPtr in the superclasses.
2461
2462         * assembler/MacroAssemblerARM64.h:
2463         (JSC::MacroAssemblerARM64::store8):
2464         (JSC::MacroAssemblerARM64::branchTest8):
2465
2466 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
2467
2468         Unreviewed, speculative ARM build fix.
2469         https://bugs.webkit.org/show_bug.cgi?id=122890
2470         <rdar://problem/15258624>
2471
2472         * assembler/ARM64Assembler.h:
2473         (JSC::ARM64Assembler::firstRegister):
2474         (JSC::ARM64Assembler::lastRegister):
2475         (JSC::ARM64Assembler::firstFPRegister):
2476         (JSC::ARM64Assembler::lastFPRegister):
2477         * assembler/MacroAssemblerARM64.h:
2478         * assembler/MacroAssemblerARMv7.h:
2479
2480 2013-10-17  Andreas Kling  <akling@apple.com>
2481
2482         Pass VM instead of JSGlobalObject to JSONObject constructor.
2483         <https://webkit.org/b/122999>
2484
2485         JSONObject was only using the JSGlobalObject to grab at the VM.
2486         Dodge a few loads by passing the VM directly instead.
2487
2488         Reviewed by Geoffrey Garen.
2489
2490         * runtime/JSONObject.cpp:
2491         (JSC::JSONObject::JSONObject):
2492         (JSC::JSONObject::finishCreation):
2493         * runtime/JSONObject.h:
2494         (JSC::JSONObject::create):
2495
2496 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2497
2498         Removed the JITStackFrame struct
2499         https://bugs.webkit.org/show_bug.cgi?id=123001
2500
2501         Reviewed by Anders Carlsson.
2502
2503         * jit/JITStubs.h: JITStackFrame and JITStubArg are unused now, since all
2504         our helper functions obey the C function call ABI.
2505
2506 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2507
2508         Removed an unused #define
2509         https://bugs.webkit.org/show_bug.cgi?id=123000
2510
2511         Reviewed by Anders Carlsson.
2512
2513         * jit/JITStubs.h: Removed the concept of JITSTACKFRAME_ARGS_INDEX,
2514         since it is unused now. This is a step toward using the C stack.
2515
2516 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2517
2518         Eliminate uses of JITSTACKFRAME_ARGS_INDEX as scratch area for thunks
2519         https://bugs.webkit.org/show_bug.cgi?id=122973
2520
2521         Reviewed by Michael Saboff.
2522
2523         * jit/ThunkGenerators.cpp:
2524         (JSC::throwExceptionFromCallSlowPathGenerator): This was all dead code,
2525         so I removed it.
2526
2527         The code acted as if it needed to pass an argument to
2528         lookupExceptionHandler, and as if it passed that argument to itself
2529         through JITStackFrame. However, lookupExceptionHandler does not take
2530         an argument (other than the default ExecState argument), and the code
2531         did not initialize the thing that it thought it passed to itself!
2532
2533 2013-10-17  Alex Christensen  <achristensen@webkit.org>
2534
2535         Run JavaScriptCore tests again on Windows.
2536         https://bugs.webkit.org/show_bug.cgi?id=122787
2537
2538         Reviewed by Tim Horton.
2539
2540         * JavaScriptCore.vcxproj/JavaScriptCore.sln: Added.
2541         * jit/JITStubsMSVC64.asm: Removed reference to cti_vm_throw unused since r157581.
2542
2543 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2544
2545         Removed restoreArgumentReference (another use of JITStackFrame)
2546         https://bugs.webkit.org/show_bug.cgi?id=122997
2547
2548         Reviewed by Oliver Hunt.
2549
2550         * jit/JSInterfaceJIT.h: Removed an unused function. This is a step
2551         toward using the C stack.
2552
2553 2013-10-17  Oliver Hunt  <oliver@apple.com>
2554
2555         Remove JITStubCall.h
2556         https://bugs.webkit.org/show_bug.cgi?id=122991
2557
2558         Reviewed by Geoff Garen.
2559
2560         Happily this is no longer used.
2561
2562         * GNUmakefile.list.am:
2563         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2564         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2565         * JavaScriptCore.xcodeproj/project.pbxproj:
2566         * jit/JIT.cpp:
2567         * jit/JITArithmetic.cpp:
2568         * jit/JITArithmetic32_64.cpp:
2569         * jit/JITCall.cpp:
2570         * jit/JITCall32_64.cpp:
2571         * jit/JITOpcodes.cpp:
2572         * jit/JITOpcodes32_64.cpp:
2573         * jit/JITPropertyAccess.cpp:
2574         * jit/JITPropertyAccess32_64.cpp:
2575         * jit/JITStubCall.h: Removed.
2576
2577 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2578
2579         Removed a use of JITSTACKFRAME_ARGS_INDEX
2580         https://bugs.webkit.org/show_bug.cgi?id=122989
2581
2582         Reviewed by Oliver Hunt.
2583
2584         * jit/JITStubCall.h: Removed an unused function. This is one step closer
2585         to using the C stack.
2586
2587 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2588
2589         Change emit_op_catch to use another method to materialize VM
2590         https://bugs.webkit.org/show_bug.cgi?id=122977
2591
2592         Reviewed by Oliver Hunt.
2593
2594         * jit/JITOpcodes.cpp:
2595         (JSC::JIT::emit_op_catch):
2596         * jit/JITOpcodes32_64.cpp:
2597         (JSC::JIT::emit_op_catch): Use a constant. It removes our dependency
2598         on JITStackFrame. It is also faster and simpler.
2599
2600 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2601
2602         Eliminate emitGetJITStubArg() - dead code
2603         https://bugs.webkit.org/show_bug.cgi?id=122975
2604
2605         Reviewed by Anders Carlsson.
2606
2607         * jit/JIT.h:
2608         * jit/JITInlines.h: Removed unused, deprecated function.
2609
2610 2013-10-17  Mark Lam  <mark.lam@apple.com>
2611
2612         Eliminate all ASSERT references to OBJECT_OFFSETOF(struct JITStackFrame,...) in JITStubsXXX.h.
2613         https://bugs.webkit.org/show_bug.cgi?id=122979.
2614
2615         Reviewed by Michael Saboff.
2616
2617         * jit/JITStubs.cpp:
2618         * jit/JITStubs.h:
2619         * jit/JITStubsARM.h:
2620         * jit/JITStubsARM64.h:
2621         * jit/JITStubsARMv7.h:
2622         * jit/JITStubsMIPS.h:
2623         * jit/JITStubsSH4.h:
2624         * jit/JITStubsX86.h:
2625         * jit/JITStubsX86_64.h:
2626         * runtime/VM.cpp:
2627         (JSC::VM::VM):
2628
2629 2013-10-17  Michael Saboff  <msaboff@apple.com>
2630
2631         Remove saving callFrameRegister to JITStackFrame in JITCompiler::compileFunction()
2632         https://bugs.webkit.org/show_bug.cgi?id=122974
2633
2634         Reviewed by Geoffrey Garen.
2635
2636         Eliminated unneeded storing to JITStackFrame.
2637
2638         * dfg/DFGJITCompiler.cpp:
2639         (JSC::DFG::JITCompiler::compileFunction):
2640
2641 2013-10-17  Michael Saboff  <msaboff@apple.com>
2642
2643         Transition cti_op_throw and cti_vm_throw to a JIT operation
2644         https://bugs.webkit.org/show_bug.cgi?id=122931
2645
2646         Reviewed by Filip Pizlo.
2647
2648         Moved cti_op_throw to operationThrow.  Made the caller responsible for jumping to the
2649         catch handler.  Eliminated cti_op_throw_static_error, cti_vm_throw, ctiVMThrowTrampoline()
2650         and their callers as it is now dead code.  There is some work needed on the Microsoft X86
2651         callOperation to handle the need to provide space for a structure return value.
2652
2653         * jit/JIT.h:
2654         * jit/JITInlines.h:
2655         (JSC::JIT::callOperation):
2656         * jit/JITOpcodes.cpp:
2657         (JSC::JIT::emit_op_throw):
2658         * jit/JITOpcodes32_64.cpp:
2659         (JSC::JIT::emit_op_throw):
2660         (JSC::JIT::emit_op_catch):
2661         * jit/JITOperations.cpp:
2662         * jit/JITOperations.h:
2663         * jit/JITStubs.cpp:
2664         * jit/JITStubs.h:
2665         * jit/JITStubsARM.h:
2666         * jit/JITStubsARM64.h:
2667         * jit/JITStubsARMv7.h:
2668         * jit/JITStubsMIPS.h:
2669         * jit/JITStubsMSVC64.asm:
2670         * jit/JITStubsSH4.h:
2671         * jit/JITStubsX86.h:
2672         * jit/JITStubsX86_64.h:
2673         * jit/JSInterfaceJIT.h:
2674
2675 2013-10-17  Mark Lam  <mark.lam@apple.com>
2676
2677         Remove JITStackFrame references in the C Loop LLINT.
2678         https://bugs.webkit.org/show_bug.cgi?id=122950.
2679
2680         Reviewed by Michael Saboff.
2681
2682         * jit/JITStubs.h:
2683         * llint/LowLevelInterpreter.cpp:
2684         (JSC::CLoop::execute):
2685         * offlineasm/cloop.rb:
2686
2687 2013-10-17  Mark Lam  <mark.lam@apple.com>
2688
2689         Remove JITStackFrame references in JIT probes.
2690         https://bugs.webkit.org/show_bug.cgi?id=122947.
2691
2692         Reviewed by Michael Saboff.
2693
2694         * assembler/MacroAssemblerARM.cpp:
2695         (JSC::MacroAssemblerARM::ProbeContext::dump):
2696         * assembler/MacroAssemblerARM.h:
2697         * assembler/MacroAssemblerARMv7.cpp:
2698         (JSC::MacroAssemblerARMv7::ProbeContext::dump):
2699         * assembler/MacroAssemblerARMv7.h:
2700         * assembler/MacroAssemblerX86Common.cpp:
2701         (JSC::MacroAssemblerX86Common::ProbeContext::dump):
2702         * assembler/MacroAssemblerX86Common.h:
2703         * jit/JITStubsARM.h:
2704         * jit/JITStubsARMv7.h:
2705         * jit/JITStubsX86.h:
2706         * jit/JITStubsX86Common.h:
2707         * jit/JITStubsX86_64.h:
2708
2709 2013-10-17  Julien Brianceau  <jbriance@cisco.com>
2710
2711         Fix build when NUMBER_OF_ARGUMENT_REGISTERS == 4.
2712         https://bugs.webkit.org/show_bug.cgi?id=122949
2713
2714         Reviewed by Andreas Kling.
2715
2716         * jit/CCallHelpers.h:
2717         (JSC::CCallHelpers::setupArgumentsWithExecState):
2718
2719 2013-10-16  Mark Lam  <mark.lam@apple.com>
2720
2721         Transition remaining op_get* JITStubs to JIT operations.
2722         https://bugs.webkit.org/show_bug.cgi?id=122925.
2723
2724         Reviewed by Geoffrey Garen.
2725
2726         Transitioning:
2727             cti_op_get_by_id_generic
2728             cti_op_get_by_val
2729             cti_op_get_by_val_generic
2730             cti_op_get_by_val_string
2731
2732         * dfg/DFGOperations.cpp:
2733         * dfg/DFGOperations.h:
2734         * jit/JIT.h:
2735         * jit/JITInlines.h:
2736         (JSC::JIT::callOperation):
2737         * jit/JITOpcodes.cpp:
2738         (JSC::JIT::emitSlow_op_get_arguments_length):
2739         (JSC::JIT::emitSlow_op_get_argument_by_val):
2740         * jit/JITOpcodes32_64.cpp:
2741         (JSC::JIT::emitSlow_op_get_arguments_length):
2742         (JSC::JIT::emitSlow_op_get_argument_by_val):
2743         * jit/JITOperations.cpp:
2744         * jit/JITOperations.h:
2745         * jit/JITPropertyAccess.cpp:
2746         (JSC::JIT::emitSlow_op_get_by_val):
2747         (JSC::JIT::emitSlow_op_get_by_pname):
2748         (JSC::JIT::privateCompileGetByVal):
2749         * jit/JITPropertyAccess32_64.cpp:
2750         (JSC::JIT::emitSlow_op_get_by_val):
2751         (JSC::JIT::emitSlow_op_get_by_pname):
2752         * jit/JITStubs.cpp:
2753         * jit/JITStubs.h:
2754         * runtime/Executable.cpp:
2755         (JSC::setupLLInt): Added some UNUSED_PARAMs to fix the no LLINT build.
2756         * runtime/Options.cpp:
2757         (JSC::Options::initialize):
2758
2759 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2760
2761         Introduce WTF::Bag and start using it for InlineCallFrameSet
2762         https://bugs.webkit.org/show_bug.cgi?id=122941
2763
2764         Reviewed by Geoffrey Garen.
2765         
2766         Use Bag for InlineCallFrameSet. If this works out then I'll make other
2767         SegmentedVectors into Bags as well.
2768
2769         * bytecode/InlineCallFrameSet.cpp:
2770         (JSC::InlineCallFrameSet::add):
2771         * bytecode/InlineCallFrameSet.h:
2772         (JSC::InlineCallFrameSet::begin):
2773         (JSC::InlineCallFrameSet::end):
2774         * dfg/DFGArgumentsSimplificationPhase.cpp:
2775         (JSC::DFG::ArgumentsSimplificationPhase::run):
2776         * dfg/DFGJITCompiler.cpp:
2777         (JSC::DFG::JITCompiler::link):
2778         * dfg/DFGStackLayoutPhase.cpp:
2779         (JSC::DFG::StackLayoutPhase::run):
2780         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
2781         (JSC::DFG::VirtualRegisterAllocationPhase::run):
2782
2783 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2784
2785         libllvmForJSC shouldn't call exit(1) on report_fatal_error()
2786         https://bugs.webkit.org/show_bug.cgi?id=122905
2787         <rdar://problem/15237856>
2788
2789         Reviewed by Michael Saboff.
2790         
2791         Expose the new LLVMInstallFatalErrorHandler() API through the soft linking magic and
2792         then always call it to install something that calls CRASH().
2793
2794         * llvm/InitializeLLVM.cpp:
2795         (JSC::llvmCrash):
2796         (JSC::initializeLLVMOnce):
2797         (JSC::initializeLLVM):
2798         * llvm/LLVMAPIFunctions.h:
2799
2800 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2801
2802         Prototype chain repatching in the polymorphic case fails to check if the receiver is a dictionary
2803         https://bugs.webkit.org/show_bug.cgi?id=122938
2804
2805         Reviewed by Sam Weinig.
2806         
2807         This fixes jsc-layout-tests.yaml/js/script-tests/dictionary-prototype-caching.js.layout-no-llint.
2808
2809         * jit/Repatch.cpp:
2810         (JSC::tryBuildGetByIDList):
2811
2812 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2813
2814         JIT::appendCall() needs to killLastResultRegister() or equivalent since there's some really bad code that expects it
2815         https://bugs.webkit.org/show_bug.cgi?id=122937
2816
2817         Reviewed by Geoffrey Garen.
2818         
2819         JITStubCall used to do it.
2820         
2821         This makes mozilla-tests.yaml/ecma/Statements/12.10-1.js.mozilla-baseline pass.
2822
2823         * jit/JIT.h:
2824         (JSC::JIT::appendCall):
2825
2826 2013-10-16  Michael Saboff  <msaboff@apple.com>
2827
2828         transition void cti_op_put_by_val* stubs to JIT operations
2829         https://bugs.webkit.org/show_bug.cgi?id=122903
2830
2831         Reviewed by Geoffrey Garen.
2832
2833         Transitioned cti_op_put_by_val and cti_op_put_by_val_generic to operationPutByVal and
2834         operationPutByValGeneric.
2835
2836         * jit/CCallHelpers.h:
2837         (JSC::CCallHelpers::setupArgumentsWithExecState):
2838         * jit/JIT.h:
2839         * jit/JITInlines.h:
2840         (JSC::JIT::callOperation):
2841         * jit/JITOperations.cpp:
2842         * jit/JITOperations.h:
2843         * jit/JITPropertyAccess.cpp:
2844         (JSC::JIT::emitSlow_op_put_by_val):
2845         (JSC::JIT::privateCompilePutByVal):
2846         * jit/JITPropertyAccess32_64.cpp:
2847         (JSC::JIT::emitSlow_op_put_by_val):
2848         * jit/JITStubs.cpp:
2849         * jit/JITStubs.h:
2850         * jit/JSInterfaceJIT.h:
2851
2852 2013-10-16  Oliver Hunt  <oliver@apple.com>
2853
2854         Implement ES6 spread operator
2855         https://bugs.webkit.org/show_bug.cgi?id=122911
2856
2857         Reviewed by Michael Saboff.
2858
2859         Implement the ES6 spread operator
2860
2861         This has a little bit of refactoring to move the enumeration logic out of ForOfNode
2862         and into BytecodeGenerator, and then adds the logic to make it nicely callback
2863         driven.
2864
2865         The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
2866         and actually handling the spread.
2867
2868         * bytecompiler/BytecodeGenerator.cpp:
2869         (JSC::BytecodeGenerator::emitNewArray):
2870         (JSC::BytecodeGenerator::emitCall):
2871         (JSC::BytecodeGenerator::emitEnumeration):
2872         * bytecompiler/BytecodeGenerator.h:
2873         * bytecompiler/NodesCodegen.cpp:
2874         (JSC::ArrayNode::emitBytecode):
2875         (JSC::ForOfNode::emitBytecode):
2876         (JSC::SpreadExpressionNode::emitBytecode):
2877         * parser/ASTBuilder.h:
2878         (JSC::ASTBuilder::createSpreadExpression):
2879         * parser/Lexer.cpp:
2880         (JSC::::lex):
2881         * parser/NodeConstructors.h:
2882         (JSC::SpreadExpressionNode::SpreadExpressionNode):
2883         * parser/Nodes.h:
2884         (JSC::ExpressionNode::isSpreadExpression):
2885         (JSC::SpreadExpressionNode::expression):
2886         * parser/Parser.cpp:
2887         (JSC::::parseArrayLiteral):
2888         (JSC::::parseArguments):
2889         (JSC::::parseMemberExpression):
2890         * parser/Parser.h:
2891         (JSC::Parser::getTokenName):
2892         (JSC::Parser::updateErrorMessageSpecialCase):
2893         * parser/ParserTokens.h:
2894         * parser/SyntaxChecker.h:
2895         (JSC::SyntaxChecker::createSpreadExpression):
2896
2897 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2898
2899         Add a useLLInt option to jsc
2900         https://bugs.webkit.org/show_bug.cgi?id=122930
2901
2902         Reviewed by Geoffrey Garen.
2903
2904         * runtime/Executable.cpp:
2905         (JSC::setupLLInt):
2906         (JSC::setupJIT):
2907         (JSC::ScriptExecutable::prepareForExecutionImpl):
2908         * runtime/Options.h:
2909
2910 2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>
2911
2912         Build fix.
2913
2914         Forgot to svn add DeferGC.cpp
2915
2916         * heap/DeferGC.cpp: Added.
2917
2918 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
2919
2920         r157411 fails run-javascriptcore-tests when run with Baseline JIT
2921         https://bugs.webkit.org/show_bug.cgi?id=122902
2922
2923         Reviewed by Mark Hahnenberg.
2924         
2925         It turns out that this was a long-standing bug in the DFG PutById repatching logic. It's
2926         not legal to patch if the typeInfo tells you that you can't patch. The old JIT's patching
2927         logic did this right, and the DFG's GetById patching logic did it right; but DFG PutById
2928         didn't. Turns out that there's even a helpful method,
2929         Structure::propertyAccessesAreCacheable(), that will even do all of the checks for you!
2930
2931         * jit/Repatch.cpp:
2932         (JSC::tryCachePutByID):
2933
2934 2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>
2935
2936         llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
2937         https://bugs.webkit.org/show_bug.cgi?id=122667
2938
2939         Reviewed by Geoffrey Garen.
2940
2941         The issue this patch is attempting to fix is that there are places in our codebase
2942         where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
2943         operations that can initiate a garbage collection. Garbage collection then calls 
2944         some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
2945         always necessarily run during garbage collection). This causes a deadlock.
2946  
2947         To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores 
2948         into a thread-local field that indicates that it is unsafe to perform any operation 
2949         that could trigger garbage collection on the current thread. In debug builds, 
2950         ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly 
2951         detect deadlocks.
2952  
2953         This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
2954         which uses the DeferGC mechanism to prevent collections from occurring while the 
2955         lock is held.
2956
2957         * CMakeLists.txt:
2958         * GNUmakefile.list.am:
2959         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2960         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2961         * JavaScriptCore.xcodeproj/project.pbxproj:
2962         * heap/DeferGC.h:
2963         (JSC::DisallowGC::DisallowGC):
2964         (JSC::DisallowGC::~DisallowGC):
2965         (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
2966         (JSC::DisallowGC::initialize):
2967         * jit/Repatch.cpp:
2968         (JSC::repatchPutByID):
2969         (JSC::buildPutByIdList):
2970         * llint/LLIntSlowPaths.cpp:
2971         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2972         * runtime/ConcurrentJITLock.h:
2973         (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
2974         (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
2975         (JSC::ConcurrentJITLockerBase::unlockEarly):
2976         (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
2977         (JSC::GCSafeConcurrentJITLocker::~GCSafeConcurrentJITLocker):
2978         (JSC::GCSafeConcurrentJITLocker::NoDefer::NoDefer):
2979         (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
2980         * runtime/InitializeThreading.cpp:
2981         (JSC::initializeThreadingOnce):
2982         * runtime/JSCellInlines.h:
2983         (JSC::allocateCell):
2984         * runtime/JSSymbolTableObject.h:
2985         (JSC::symbolTablePut):
2986         * runtime/Structure.cpp: materializePropertyMapIfNecessary* now has a problem in that it
2987         can start a garbage collection when the GCSafeConcurrentJITLocker goes out of scope, but 
2988         before the caller has a chance to use the newly created PropertyTable. The garbage collection
2989         clears the PropertyTable, and then the caller uses it assuming it's valid. To avoid this,
2990         we must DeferGC until the caller is done getting the newly materialized PropertyTable from 
2991         the Structure.
2992         (JSC::Structure::materializePropertyMap):
2993         (JSC::Structure::despecifyDictionaryFunction):
2994         (JSC::Structure::changePrototypeTransition):
2995         (JSC::Structure::despecifyFunctionTransition):
2996         (JSC::Structure::attributeChangeTransition):
2997         (JSC::Structure::toDictionaryTransition):
2998         (JSC::Structure::preventExtensionsTransition):
2999         (JSC::Structure::takePropertyTableOrCloneIfPinned):
3000         (JSC::Structure::isSealed):
3001         (JSC::Structure::isFrozen):
3002         (JSC::Structure::addPropertyWithoutTransition):
3003         (JSC::Structure::removePropertyWithoutTransition):
3004         (JSC::Structure::get):
3005         (JSC::Structure::despecifyFunction):
3006         (JSC::Structure::despecifyAllFunctions):
3007         (JSC::Structure::putSpecificValue):
3008         (JSC::Structure::createPropertyMap):
3009         (JSC::Structure::getPropertyNamesFromStructure):
3010         * runtime/Structure.h:
3011         (JSC::Structure::materializePropertyMapIfNecessary):
3012         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
3013         * runtime/StructureInlines.h:
3014         (JSC::Structure::get):
3015         * runtime/SymbolTable.h:
3016         (JSC::SymbolTable::find):
3017         (JSC::SymbolTable::end):
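
The DisallowGC / DeferGC mechanism and the materializePropertyMap hazard described in this entry, as an added stand-alone model (not JavaScriptCore's code; the class names mirror the entry, while the heap, the property table and the lock are simplified stand-ins):

```cpp
// Stand-alone model of the DisallowGC / DeferGC mechanism and the
// materializePropertyMap hazard from the entry above. Added example, not
// JavaScriptCore's code (see heap/DeferGC.h, runtime/ConcurrentJITLock.h).
#include <mutex>
#include <vector>
namespace gcmodel {
// Per-thread guard depth. JSC stores the DisallowGC flag in a thread-local
// field; counters are used here so that guards nest.
thread_local unsigned disallowDepth = 0;
thread_local unsigned deferDepth = 0;
thread_local bool collectionPending = false;
enum class Collect { Ran, Deferred, WouldDeadlock };
// Stand-in for a PropertyTable the collector may discard: the bug in the entry
// is using such a table after a collection has cleared it.
struct PropertyTable { bool valid = true; };
std::vector<PropertyTable*> collectable;   // tables the next collection clears
unsigned collectionsRun = 0, deadlocksDetected = 0;
void collectNow() {
    ++collectionsRun;
    for (PropertyTable* t : collectable) t->valid = false;
    collectable.clear();
}
// RAII: while alive, collecting on this thread is a bug (JSC asserts in debug).
struct DisallowGC {
    DisallowGC() { ++disallowDepth; }
    ~DisallowGC() { --disallowDepth; }
    static bool isGCDisallowedOnCurrentThread() { return disallowDepth > 0; }
};

// RAII: while alive, collections are postponed; the outermost DeferGC runs the
// postponed collection when it goes out of scope.
struct DeferGC {
    DeferGC() { ++deferDepth; }
    ~DeferGC() {
        if (--deferDepth == 0 && collectionPending) { collectionPending = false; collectNow(); }
    }
};

// The heap's entry point for an allocation-triggered collection.
Collect requestCollection() {
    if (DisallowGC::isGCDisallowedOnCurrentThread()) {
        ++deadlocksDetected;               // reported eagerly instead of deadlocking
        return Collect::WouldDeadlock;
    }
    if (deferDepth > 0) { collectionPending = true; return Collect::Deferred; }
    collectNow();
    return Collect::Ran;
}

struct ConcurrentJITLock { std::mutex mutex; };
ConcurrentJITLock structureLock;

// Plain locker. In debug builds JSC embeds a DisallowGC, so any path that could
// collect while the lock is held (and would re-take it) trips the check.
struct ConcurrentJITLocker {
    DisallowGC noGC;
    std::lock_guard<std::mutex> guard;
    explicit ConcurrentJITLocker(ConcurrentJITLock& l) : guard(l.mutex) {}
};

// GC-safe locker: defers collections instead. The guard is declared after the
// DeferGC so it is released first and the deferred collection runs unlocked
// (JSC gets the same effect with unlockEarly()).
struct GCSafeConcurrentJITLocker {
    DeferGC defer;
    std::lock_guard<std::mutex> guard;
    explicit GCSafeConcurrentJITLocker(ConcurrentJITLock& l) : guard(l.mutex) {}
};

// Scenario 1: code under the plain locker allocates and tries to collect.
Collect allocateUnderPlainLock() {
    ConcurrentJITLocker locker(structureLock);
    return requestCollection();            // WouldDeadlock
}

// Scenario 2: a materializePropertyMap-style callee under the GC-safe locker.
// The deferred collection runs as soon as the locker goes out of scope.
void materializeUnderGCSafeLock(PropertyTable& table) {
    GCSafeConcurrentJITLocker locker(structureLock);
    collectable.push_back(&table);         // freshly materialized, collectable
    requestCollection();                   // Deferred while the locker lives
}

// Buggy caller: no DeferGC of its own, so the table is cleared before use.
bool useTableWithoutDefer() {
    PropertyTable table;
    materializeUnderGCSafeLock(table);
    return table.valid;                    // false
}

// Fixed caller: holds a DeferGC across both steps, as the entry prescribes. The
// collection runs when `defer` is destroyed, after the return value is read.
bool useTableWithDefer() {
    PropertyTable table;
    DeferGC defer;
    materializeUnderGCSafeLock(table);
    return table.valid;                    // true
}
}  // namespace gcmodel
```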
3018
3019 2013-10-16  Daniel Bates  <dabates@apple.com>
3020
3021         Add SPI to disable the garbage collector timer
3022         https://bugs.webkit.org/show_bug.cgi?id=122921
3023
3024         Reviewed by Geoffrey Garen.
3025
3026         Based on a patch by Mark Hahnenberg.
3027
3028         * API/JSBase.cpp:
3029         (JSDisableGCTimer): Added; SPI function.
3030         * API/JSBasePrivate.h:
3031         * heap/BlockAllocator.cpp:
3032         (JSC::createBlockFreeingThread): Added.
3033         (JSC::BlockAllocator::BlockAllocator): Modified to use JSC::createBlockFreeingThread()
3034         to conditionally create the "block freeing" thread depending on the value of
3035         GCActivityCallback::s_shouldCreateGCTimer.
3036         (JSC::BlockAllocator::~BlockAllocator):
3037         * heap/BlockAllocator.h:
3038         (JSC::BlockAllocator::deallocate):
3039         * heap/Heap.cpp:
3040         (JSC::Heap::didAbandon):
3041         (JSC::Heap::collect):
3042         (JSC::Heap::didAllocate):
3043         * heap/HeapTimer.cpp:
3044         (JSC::HeapTimer::timerDidFire):
3045         * runtime/GCActivityCallback.cpp:
3046         * runtime/GCActivityCallback.h:
3047         (JSC::DefaultGCActivityCallback::create): Only instantiate a DefaultGCActivityCallback object
3048         when GCActivityCallback::s_shouldCreateGCTimer is true so as to prevent allocating a HeapTimer
3049         object (since DefaultGCActivityCallback ultimately extends HeapTimer).
3050
3051 2013-10-16  Commit Queue  <commit-queue@webkit.org>
3052
3053         Unreviewed, rolling out r157529.
3054         http://trac.webkit.org/changeset/157529
3055         https://bugs.webkit.org/show_bug.cgi?id=122919
3056
3057         Caused score test failures and some build failures. (Requested
3058         by rfong on #webkit).
3059
3060         * bytecompiler/BytecodeGenerator.cpp:
3061         (JSC::BytecodeGenerator::emitNewArray):
3062         (JSC::BytecodeGenerator::emitCall):
3063         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
3064         * bytecompiler/BytecodeGenerator.h:
3065         * bytecompiler/NodesCodegen.cpp:
3066         (JSC::ArrayNode::emitBytecode):
3067         (JSC::CallArguments::CallArguments):
3068         (JSC::ForOfNode::emitBytecode):
3069         (JSC::BindingNode::collectBoundIdentifiers):
3070         * parser/ASTBuilder.h:
3071         * parser/Lexer.cpp:
3072         (JSC::::lex):
3073         * parser/NodeConstructors.h:
3074         (JSC::DotAccessorNode::DotAccessorNode):
3075         * parser/Nodes.h:
3076         * parser/Parser.cpp:
3077         (JSC::::parseArrayLiteral):
3078         (JSC::::parseArguments):
3079         (JSC::::parseMemberExpression):
3080         * parser/Parser.h:
3081         (JSC::Parser::getTokenName):
3082         (JSC::Parser::updateErrorMessageSpecialCase):
3083         * parser/ParserTokens.h:
3084         * parser/SyntaxChecker.h:
3085
3086 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
3087
3088         Remove useless architecture specific implementation in DFG.
3089         https://bugs.webkit.org/show_bug.cgi?id=122917.
3090
3091         Reviewed by Michael Saboff.
3092
3093         With CPU(ARM) && CPU(ARM_HARDFP) architecture, the fallback implementation is fine
3094         as FPRInfo::argumentFPR0 == FPRInfo::returnValueFPR in this case.
3095
3096         * dfg/DFGSpeculativeJIT.h:
3097
3098 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
3099
3100         Remove unused JIT::restoreArgumentReferenceForTrampoline function.
3101         https://bugs.webkit.org/show_bug.cgi?id=122916.
3102
3103         Reviewed by Michael Saboff.
3104
3105         This architecture specific function is not used anymore, so get rid of it.
3106
3107         * jit/JIT.h:
3108         * jit/JITInlines.h:
3109
3110 2013-10-16  Oliver Hunt  <oliver@apple.com>
3111
3112         Implement ES6 spread operator
3113         https://bugs.webkit.org/show_bug.cgi?id=122911
3114
3115         Reviewed by Michael Saboff.
3116
3117         Implement the ES6 spread operator
3118
3119         This has a little bit of refactoring to move the enumeration logic out of ForOfNode
3120         and into BytecodeGenerator, and then adds the logic to make it nicely callback
3121         driven.
3122
3123         The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
3124         and actually handling the spread.
3125
3126         * bytecompiler/BytecodeGenerator.cpp:
3127         (JSC::BytecodeGenerator::emitNewArray):
3128         (JSC::BytecodeGenerator::emitCall):
3129         (JSC::BytecodeGenerator::emitEnumeration):
3130         * bytecompiler/BytecodeGenerator.h:
3131         * bytecompiler/NodesCodegen.cpp:
3132         (JSC::ArrayNode::emitBytecode):
3133         (JSC::ForOfNode::emitBytecode):
3134         (JSC::SpreadExpressionNode::emitBytecode):
3135         * parser/ASTBuilder.h:
3136         (JSC::ASTBuilder::createSpreadExpression):
3137         * parser/Lexer.cpp:
3138         (JSC::::lex):
3139         * parser/NodeConstructors.h:
3140         (JSC::SpreadExpressionNode::SpreadExpressionNode):
3141         * parser/Nodes.h:
3142         (JSC::ExpressionNode::isSpreadExpression):
3143         (JSC::SpreadExpressionNode::expression):
3144         * parser/Parser.cpp:
3145         (JSC::::parseArrayLiteral):
3146         (JSC::::parseArguments):
3147         (JSC::::parseMemberExpression):
3148         * parser/Parser.h:
3149         (JSC::Parser::getTokenName):
3150         (JSC::Parser::updateErrorMessageSpecialCase):
3151         * parser/ParserTokens.h:
3152         * parser/SyntaxChecker.h:
3153         (JSC::SyntaxChecker::createSpreadExpression):
3154
3155 2013-10-16  Mark Lam  <mark.lam@apple.com>
3156
3157         Transition void cti_op_tear_off* methods to JIT operations for 32 bit.
3158         https://bugs.webkit.org/show_bug.cgi?id=122899.
3159
3160         Reviewed by Michael Saboff.
3161
3162         * jit/JITOpcodes32_64.cpp:
3163         (JSC::JIT::emit_op_tear_off_activation):
3164         (JSC::JIT::emit_op_tear_off_arguments):
3165         * jit/JITStubs.cpp:
3166         * jit/JITStubs.h:
3167
3168 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
3169
3170         Remove more of the UNINTERRUPTED_SEQUENCE thing
3171         https://bugs.webkit.org/show_bug.cgi?id=122885
3172
3173         Reviewed by Andreas Kling.
3174
3175         It was not completely removed by r157481, leading to build failure for sh4 architecture.
3176
3177         * jit/JIT.h:
3178         * jit/JITInlines.h:
3179
3180 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
3181
3182         Get rid of the StructureStubInfo::patch union
3183         https://bugs.webkit.org/show_bug.cgi?id=122877
3184
3185         Reviewed by Sam Weinig.
3186         
3187         Just simplifying code by getting rid of data structures that ain't used no more.
3188         
3189         Note that I replace the patch union with a patch struct. This means we say things like
3190         stubInfo.patch.valueGPR instead of stubInfo.valueGPR. I think that this extra
3191         encapsulation makes the code more readable: the patch struct contains just those things
3192         that you need to know to perform patching.
3193
3194         * bytecode/StructureStubInfo.h:
3195         * dfg/DFGJITCompiler.cpp:
3196         (JSC::DFG::JITCompiler::link):
3197         * jit/JIT.cpp:
3198         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
3199         * jit/Repatch.cpp:
3200         (JSC::repatchByIdSelfAccess):
3201         (JSC::replaceWithJump):
3202         (JSC::linkRestoreScratch):
3203         (JSC::generateProtoChainAccessStub):
3204         (JSC::tryCacheGetByID):
3205         (JSC::getPolymorphicStructureList):
3206         (JSC::patchJumpToGetByIdStub):
3207         (JSC::tryBuildGetByIDList):
3208         (JSC::emitPutReplaceStub):
3209         (JSC::emitPutTransitionStub):
3210         (JSC::tryCachePutByID):
3211         (JSC::tryBuildPutByIdList):
3212         (JSC::tryRepatchIn):
3213         (JSC::resetGetByID):
3214         (JSC::resetPutByID):
3215         (JSC::resetIn):
3216
3217 2013-10-15  Nadav Rotem  <nrotem@apple.com>
3218
3219         FTL: add support for Int52ToValue and fix putByVal of int52s.
3220         https://bugs.webkit.org/show_bug.cgi?id=122873
3221
3222         Reviewed by Filip Pizlo.
3223
3224         * ftl/FTLCapabilities.cpp:
3225         (JSC::FTL::canCompile):
3226         * ftl/FTLLowerDFGToLLVM.cpp:
3227         (JSC::FTL::LowerDFGToLLVM::compileNode):
3228         (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue):
3229         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
3230
3231 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
3232
3233         Get rid of the UNINTERRUPTED_SEQUENCE thing
3234         https://bugs.webkit.org/show_bug.cgi?id=122876
3235
3236         Reviewed by Mark Hahnenberg.
3237         
3238         It doesn't make sense anymore. We now use the DFG's IC logic, which never needed that.
3239         
3240         Moreover, we should resist the temptation to bring anything like this back. We don't
3241         want to have inline caches that only work if the assembler lays out code in a specific
3242         predetermined way.
3243
3244         * jit/JIT.h:
3245         * jit/JITCall.cpp:
3246         (JSC::JIT::compileOpCall):
3247         * jit/JITCall32_64.cpp:
3248         (JSC::JIT::compileOpCall):
3249
3250 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
3251
3252         Baseline JIT should use the DFG GetById IC
3253         https://bugs.webkit.org/show_bug.cgi?id=122861
3254
3255         Reviewed by Oliver Hunt.
3256         
3257         This mostly just kills a ton of code.
3258         
3259         Note that this doesn't yet do all of the simplifications that can be done, but it does
3260         kill dead code. I'll have another change to simplify StructureStubInfo's unions and such.
3261
3262         * bytecode/CodeBlock.cpp:
3263         (JSC::CodeBlock::resetStubInternal):
3264         * jit/JIT.cpp:
3265         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
3266         * jit/JIT.h:
3267         (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
3268         * jit/JITInlines.h:
3269         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
3270         (JSC::JIT::callOperation):
3271         * jit/JITPropertyAccess.cpp:
3272         (JSC::JIT::compileGetByIdHotPath):
3273         (JSC::JIT::emitSlow_op_get_by_id):
3274         (JSC::JIT::emitSlow_op_get_from_scope):
3275         * jit/JITPropertyAccess32_64.cpp:
3276         (JSC::JIT::compileGetByIdHotPath):
3277         (JSC::JIT::emitSlow_op_get_by_id):
3278         (JSC::JIT::emitSlow_op_get_from_scope):
3279         * jit/JITStubs.cpp:
3280         * jit/JITStubs.h:
3281         * jit/Repatch.cpp:
3282         (JSC::repatchGetByID):
3283         (JSC::buildGetByIDList):
3284         * jit/ThunkGenerators.cpp:
3285         * jit/ThunkGenerators.h:
3286
3287 2013-10-15  Dean Jackson  <dino@apple.com>
3288
3289         Add ENABLE_WEB_ANIMATIONS flag
3290         https://bugs.webkit.org/show_bug.cgi?id=122871
3291
3292         Reviewed by Tim Horton.
3293
3294         Eventually might be http://dev.w3.org/fxtf/web-animations/
3295         but this is just engine-internal work at the moment.
3296
3297         * Configurations/FeatureDefines.xcconfig:
3298
3299 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
3300
3301         [sh4] Some calls don't match sh4 ABI.
3302         https://bugs.webkit.org/show_bug.cgi?id=122863
3303
3304         Reviewed by Michael Saboff.
3305
3306         * dfg/DFGSpeculativeJIT.h:
3307         (JSC::DFG::SpeculativeJIT::callOperation):
3308         * jit/CCallHelpers.h:
3309         (JSC::CCallHelpers::setupArgumentsWithExecState):
3310         * jit/JITInlines.h:
3311         (JSC::JIT::callOperation):
3312
3313 2013-10-15  Daniel Bates  <dabates@apple.com>
3314
3315         [iOS] Upstream JavaScriptCore support for ARM64
3316         https://bugs.webkit.org/show_bug.cgi?id=122762
3317
3318         Reviewed by Oliver Hunt and Filip Pizlo.
3319
3320         * Configurations/Base.xcconfig:
3321         * Configurations/DebugRelease.xcconfig:
3322         * Configurations/JavaScriptCore.xcconfig:
3323         * Configurations/ToolExecutable.xcconfig:
3324         * JavaScriptCore.xcodeproj/project.pbxproj:
3325         * assembler/ARM64Assembler.h: Added.
3326         * assembler/AbstractMacroAssembler.h:
3327         (JSC::isARM64):
3328         (JSC::AbstractMacroAssembler::Label::Label):
3329         (JSC::AbstractMacroAssembler::Jump::Jump):
3330         (JSC::AbstractMacroAssembler::Jump::link):
3331         (JSC::AbstractMacroAssembler::Jump::linkTo):
3332         (JSC::AbstractMacroAssembler::CachedTempRegister::CachedTempRegister):
3333         (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDInvalidate):
3334         (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDNoInvalidate):
3335         (JSC::AbstractMacroAssembler::CachedTempRegister::value):
3336         (JSC::AbstractMacroAssembler::CachedTempRegister::setValue):
3337         (JSC::AbstractMacroAssembler::CachedTempRegister::invalidate):
3338         (JSC::AbstractMacroAssembler::invalidateAllTempRegisters):
3339         (JSC::AbstractMacroAssembler::isTempRegisterValid):
3340         (JSC::AbstractMacroAssembler::clearTempRegisterValid):
3341         (JSC::AbstractMacroAssembler::setTempRegisterValid):
3342         * assembler/LinkBuffer.cpp:
3343         (JSC::LinkBuffer::copyCompactAndLinkCode):
3344         (JSC::LinkBuffer::linkCode):
3345         * assembler/LinkBuffer.h:
3346         * assembler/MacroAssembler.h:
3347         (JSC::MacroAssembler::isPtrAlignedAddressOffset):
3348         (JSC::MacroAssembler::pushToSave):
3349         (JSC::MacroAssembler::popToRestore):
3350         (JSC::MacroAssembler::patchableBranchTest32):
3351         * assembler/MacroAssemblerARM64.h: Added.
3352         * assembler/MacroAssemblerARMv7.h:
3353         * dfg/DFGFixupPhase.cpp:
3354         (JSC::DFG::FixupPhase::fixupNode):
3355         * dfg/DFGOSRExitCompiler32_64.cpp:
3356         (JSC::DFG::OSRExitCompiler::compileExit):
3357         * dfg/DFGOSRExitCompiler64.cpp:
3358         (JSC::DFG::OSRExitCompiler::compileExit):
3359         * dfg/DFGSpeculativeJIT.cpp:
3360         (JSC::DFG::SpeculativeJIT::compileArithDiv):
3361         (JSC::DFG::SpeculativeJIT::compileArithMod):
3362         * disassembler/ARM64/A64DOpcode.cpp: Added.
3363         * disassembler/ARM64/A64DOpcode.h: Added.
3364         * disassembler/ARM64Disassembler.cpp: Added.
3365         * heap/MachineStackMarker.cpp:
3366         (JSC::getPlatformThreadRegisters):
3367         (JSC::otherThreadStackPointer):
3368         * heap/Region.h:
3369         * jit/AssemblyHelpers.h:
3370         (JSC::AssemblyHelpers::debugCall):
3371         * jit/CCallHelpers.h:
3372         * jit/ExecutableAllocator.h:
3373         * jit/FPRInfo.h:
3374         (JSC::FPRInfo::toRegister):
3375         (JSC::FPRInfo::toIndex):
3376         (JSC::FPRInfo::debugName):
3377         * jit/GPRInfo.h:
3378         (JSC::GPRInfo::toRegister):
3379         (JSC::GPRInfo::toIndex):
3380         (JSC::GPRInfo::debugName):
3381         * jit/JITInlines.h:
3382         (JSC::JIT::restoreArgumentReferenceForTrampoline):
3383         * jit/JITOperationWrappers.h:
3384         * jit/JITOperations.cpp:
3385         * jit/JITStubs.cpp:
3386         (JSC::performPlatformSpecificJITAssertions):
3387         (JSC::tryCachePutByID):
3388         * jit/JITStubs.h:
3389         (JSC::JITStackFrame::returnAddressSlot):
3390         * jit/JITStubsARM64.h: Added.
3391         * jit/JSInterfaceJIT.h:
3392         * jit/Repatch.cpp:
3393         (JSC::emitRestoreScratch):
3394         (JSC::generateProtoChainAccessStub):
3395         (JSC::tryCacheGetByID):
3396         (JSC::emitPutReplaceStub):
3397         (JSC::tryCachePutByID):
3398         (JSC::tryRepatchIn):
3399         * jit/ScratchRegisterAllocator.h:
3400         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
3401         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
3402         * jit/ThunkGenerators.cpp:
3403         (JSC::nativeForGenerator):
3404         (JSC::floorThunkGenerator):
3405         (JSC::ceilThunkGenerator):
3406         * jsc.cpp:
3407         (main):
3408         * llint/LLIntOfflineAsmConfig.h:
3409         * llint/LLIntSlowPaths.cpp:
3410         (JSC::LLInt::handleHostCall):
3411         * llint/LowLevelInterpreter.asm:
3412         * llint/LowLevelInterpreter64.asm:
3413         * offlineasm/arm.rb:
3414         * offlineasm/arm64.rb: Added.
3415         * offlineasm/backends.rb:
3416         * offlineasm/instructions.rb:
3417         * offlineasm/risc.rb:
3418         * offlineasm/transform.rb:
3419         * yarr/YarrJIT.cpp:
3420         (JSC::Yarr::YarrGenerator::alignCallFrameSizeInBytes):
3421         (JSC::Yarr::YarrGenerator::initCallFrame):
3422         (JSC::Yarr::YarrGenerator::removeCallFrame):
3423         (JSC::Yarr::YarrGenerator::generateEnter):
3424         * yarr/YarrJIT.h:
3425
3426 2013-10-15  Mark Lam  <mark.lam@apple.com>
3427
3428         Fix 3 operand sub operation in C loop LLINT.
3429         https://bugs.webkit.org/show_bug.cgi?id=122866.
3430
3431         Reviewed by Geoffrey Garen.
3432
3433         * offlineasm/cloop.rb:
3434
3435 2013-10-15  Mark Hahnenberg  <mhahnenberg@apple.com>
3436
3437         ObjCCallbackFunctionImpl shouldn't store a JSContext
3438         https://bugs.webkit.org/show_bug.cgi?id=122531
3439
3440         Reviewed by Geoffrey Garen.
3441
3442         The m_context field in ObjCCallbackFunctionImpl is vestigial and is only incidentally correct 
3443         in the common case. It's also no longer necessary in that we can look up the current JSContext 
3444         by using the globalObject of the callee when the function callback is invoked.
3445  
3446         Also added a new test that would cause us to crash previously. The test required making 
3447         JSContextGetGlobalContext public API so that clients can obtain a JSContext from the JSContextRef
3448         in C API callbacks.
3449
3450         * API/JSContextRef.h:
3451         * API/JSContextRefPrivate.h:
3452         * API/ObjCCallbackFunction.mm:
3453         (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
3454         (JSC::objCCallbackFunctionCallAsFunction):
3455         (objCCallbackFunctionForInvocation):
3456         * API/WebKitAvailability.h:
3457         * API/tests/CurrentThisInsideBlockGetterTest.h: Added.
3458         * API/tests/CurrentThisInsideBlockGetterTest.mm: Added.
3459         (CallAsConstructor):
3460         (ConstructorFinalize):
3461         (ConstructorClass):
3462         (+[JSValue valueWithConstructorDescriptor:inContext:]):
3463         (-[JSContext valueWithConstructorDescriptor:]):
3464         (currentThisInsideBlockGetterTest):
3465         * API/tests/testapi.mm:
3466         * JavaScriptCore.xcodeproj/project.pbxproj:
3467         * debugger/Debugger.cpp: Had to add some fully qualified names to avoid conflicts with Mac OS X headers.
3468
3469 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
3470
3471         Fix build after r157457 for architecture with 4 argument registers.
3472         https://bugs.webkit.org/show_bug.cgi?id=122860
3473
3474         Reviewed by Michael Saboff.
3475
3476         * jit/CCallHelpers.h:
3477         (JSC::CCallHelpers::setupStubArguments134):
3478
3479 2013-10-14  Michael Saboff  <msaboff@apple.com>
3480
3481         transition void cti_op_* methods to JIT operations.
3482         https://bugs.webkit.org/show_bug.cgi?id=122617
3483
3484         Reviewed by Geoffrey Garen.
3485
3486         Converted the following stubs to JIT operations:
3487             cti_handle_watchdog_timer
3488             cti_op_debug
3489             cti_op_pop_scope
3490             cti_op_profile_did_call
3491             cti_op_profile_will_call
3492             cti_op_put_by_index
3493             cti_op_put_getter_setter
3494             cti_op_tear_off_activation
3495             cti_op_tear_off_arguments
3496             cti_op_throw_static_error
3497             cti_optimize
3498
3499         * dfg/DFGOperations.cpp:
3500         * dfg/DFGOperations.h:
3501         * jit/CCallHelpers.h:
3502         (JSC::CCallHelpers::setupArgumentsWithExecState):
3503         (JSC::CCallHelpers::setupThreeStubArgsGPR):
3504         (JSC::CCallHelpers::setupStubArguments):
3505         (JSC::CCallHelpers::setupStubArguments134):
3506         * jit/JIT.cpp:
3507         (JSC::JIT::emitEnterOptimizationCheck):
3508         * jit/JIT.h:
3509         * jit/JITInlines.h:
3510         (JSC::JIT::callOperation):
3511         * jit/JITOpcodes.cpp:
3512         (JSC::JIT::emit_op_tear_off_activation):
3513         (JSC::JIT::emit_op_tear_off_arguments):
3514         (JSC::JIT::emit_op_push_with_scope):
3515         (JSC::JIT::emit_op_pop_scope):
3516         (JSC::JIT::emit_op_push_name_scope):
3517         (JSC::JIT::emit_op_throw_static_error):
3518         (JSC::JIT::emit_op_debug):
3519         (JSC::JIT::emit_op_profile_will_call):
3520         (JSC::JIT::emit_op_profile_did_call):
3521         (JSC::JIT::emitSlow_op_loop_hint):
3522         * jit/JITOpcodes32_64.cpp:
3523         (JSC::JIT::emit_op_push_with_scope):
3524         (JSC::JIT::emit_op_pop_scope):
3525         (JSC::JIT::emit_op_push_name_scope):
3526         (JSC::JIT::emit_op_throw_static_error):
3527         (JSC::JIT::emit_op_debug):
3528         (JSC::JIT::emit_op_profile_will_call):
3529         (JSC::JIT::emit_op_profile_did_call):
3530         * jit/JITOperations.cpp:
3531         * jit/JITOperations.h:
3532         * jit/JITPropertyAccess.cpp:
3533         (JSC::JIT::emit_op_put_by_index):
3534         (JSC::JIT::emit_op_put_getter_setter):
3535         * jit/JITPropertyAccess32_64.cpp:
3536         (JSC::JIT::emit_op_put_by_index):
3537         (JSC::JIT::emit_op_put_getter_setter):
3538         * jit/JITStubs.cpp:
3539         * jit/JITStubs.h:
3540
3541 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
3542
3543         [sh4] Introduce const pools in LLINT.
3544         https://bugs.webkit.org/show_bug.cgi?id=122746
3545
3546         Reviewed by Michael Saboff.
3547
3548         In the current implementation of LLINT for sh4, immediate values outside the range -128..127 are
3549         loaded this way:
3550
3551             mov.l .label, rx
3552             bra out
3553             nop
3554             .balign 4
3555             .label: .long immvalue
3556             out:
3557
3558         This change introduces const pools for sh4 implementation to avoid lots of useless branches
3559         and reduce code size. It also removes lines of dirty code, like jmpf and callf.
3560
3561         * offlineasm/instructions.rb: Remove jmpf and callf sh4 specific instructions.
3562         * offlineasm/sh4.rb:
3563
3564 2013-10-15  Mark Lam  <mark.lam@apple.com>
3565
3566         Fix broken C Loop LLINT build.
3567         https://bugs.webkit.org/show_bug.cgi?id=122839.
3568
3569         Reviewed by Michael Saboff.
3570
3571         * dfg/DFGFlushedAt.cpp:
3572         * jit/JITOperations.h:
3573
3574 2013-10-14  Mark Lam  <mark.lam@apple.com>
3575
3576         Transition *switch* and *scope* JITStubs to JIT operations.
3577         https://bugs.webkit.org/show_bug.cgi?id=122757.
3578
3579         Reviewed by Geoffrey Garen.
3580
3581         Transitioning:
3582             cti_op_switch_char
3583             cti_op_switch_imm
3584             cti_op_switch_string
3585             cti_op_resolve_scope
3586             cti_op_get_from_scope
3587             cti_op_put_to_scope
3588
3589         * jit/JIT.h:
3590         * jit/JITInlines.h:
3591         (JSC::JIT::callOperation):
3592         * jit/JITOpcodes.cpp:
3593         (JSC::JIT::emit_op_switch_imm):
3594         (JSC::JIT::emit_op_switch_char):
3595         (JSC::JIT::emit_op_switch_string):
3596         * jit/JITOpcodes32_64.cpp:
3597         (JSC::JIT::emit_op_switch_imm):
3598         (JSC::JIT::emit_op_switch_char):
3599         (JSC::JIT::emit_op_switch_string):
3600         * jit/JITOperations.cpp:
3601         * jit/JITOperations.h:
3602         * jit/JITPropertyAccess.cpp:
3603         (JSC::JIT::emitSlow_op_resolve_scope):
3604         (JSC::JIT::emitSlow_op_get_from_scope):
3605         (JSC::JIT::emitSlow_op_put_to_scope):
3606         * jit/JITPropertyAccess32_64.cpp:
3607         (JSC::JIT::emitSlow_op_resolve_scope):
3608         (JSC::JIT::emitSlow_op_get_from_scope):
3609         (JSC::JIT::emitSlow_op_put_to_scope):
3610         * jit/JITStubs.cpp:
3611         * jit/JITStubs.h:
3612
3613 2013-10-14  Filip Pizlo  <fpizlo@apple.com>
3614
3615         DFG PutById IC should use the ConcurrentJITLocker since it's now dealing with IC's that get read by the compiler thread
3616         https://bugs.webkit.org/show_bug.cgi?id=122786
3617
3618         Reviewed by Mark Hahnenberg.
3619
3620         * bytecode/CodeBlock.cpp:
3621         (JSC::CodeBlock::resetStub): Resetting a stub should acquire the lock since this is observable from the thread; but we should only acquire the lock if we're resetting outside of GC.
3622         * jit/Repatch.cpp:
3623         (JSC::repatchPutByID): Doing the PutById patching should hold the lock.
3624         (JSC::buildPutByIdList): Ditto.
3625
3626 2013-10-14  Nadav Rotem  <nrotem@apple.com>
3627
3628         Add FTL support for LogicalNot(string)
3629         https://bugs.webkit.org/show_bug.cgi?id=122765
3630
3631         Reviewed by Filip Pizlo.
3632
3633         This patch is tested by:
3634         regress/script-tests/emscripten-cube2hash.js.ftl-eager
3635
3636         * ftl/FTLCapabilities.cpp:
3637         (JSC::FTL::canCompile):
3638         * ftl/FTLLowerDFGToLLVM.cpp:
3639         (JSC::FTL::LowerDFGToLLVM::compileLogicalNot):
3640
3641 2013-10-14  Julien Brianceau  <jbriance@cisco.com>
3642
3643         [sh4] Fixes after r157404 and r157411.
3644         https://bugs.webkit.org/show_bug.cgi?id=122782
3645
3646         Reviewed by Michael Saboff.
3647
3648         * dfg/DFGSpeculativeJIT.h:
3649         (JSC::DFG::SpeculativeJIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG.
3650         * jit/CCallHelpers.h:
3651         (JSC::CCallHelpers::setupArgumentsWithExecState):
3652         * jit/JITInlines.h:
3653         (JSC::JIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG.
3654         * jit/JITPropertyAccess32_64.cpp:
3655         (JSC::JIT::emit_op_put_by_id): Remove unwanted BEGIN_UNINTERRUPTED_SEQUENCE.
3656
3657 2013-10-14  Commit Queue  <commit-queue@webkit.org>
3658
3659         Unreviewed, rolling out r157413.
3660         http://trac.webkit.org/changeset/157413
3661         https://bugs.webkit.org/show_bug.cgi?id=122779
3662
3663         Appears to have caused frequent crashes (Requested by ap on
3664         #webkit).
3665
3666         * CMakeLists.txt:
3667         * GNUmakefile.list.am:
3668         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3669         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3670         * JavaScriptCore.xcodeproj/project.pbxproj:
3671         * heap/DeferGC.cpp: Removed.
3672         * heap/DeferGC.h:
3673         * jit/JITStubs.cpp:
3674         (JSC::tryCacheGetByID):
3675         (JSC::DEFINE_STUB_FUNCTION):
3676         * llint/LLIntSlowPaths.cpp:
3677         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3678         * runtime/ConcurrentJITLock.h:
3679         * runtime/InitializeThreading.cpp:
3680         (JSC::initializeThreadingOnce):
3681         * runtime/JSCellInlines.h:
3682         (JSC::allocateCell):
3683         * runtime/Structure.cpp:
3684         (JSC::Structure::materializePropertyMap):
3685         (JSC::Structure::putSpecificValue):
3686         (JSC::Structure::createPropertyMap):
3687         * runtime/Structure.h:
3688
3689 2013-10-14  Mark Hahnenberg  <mhahnenberg@apple.com>
3690
3691         COLLECT_ON_EVERY_ALLOCATION causes assertion failures
3692         https://bugs.webkit.org/show_bug.cgi?id=122652
3693
3694         Reviewed by Filip Pizlo.
3695
3696         COLLECT_ON_EVERY_ALLOCATION wasn't accounting for the new GC deferral mechanism,
3697         so we would end up ASSERTing during garbage collection.
3698
3699         * heap/MarkedAllocator.cpp:
3700         (JSC::MarkedAllocator::allocateSlowCase):
3701
3702 2013-10-11  Oliver Hunt  <oliver@apple.com>
3703
3704         Separate out array iteration intrinsics
3705         https://bugs.webkit.org/show_bug.cgi?id=122656
3706
3707         Reviewed by Michael Saboff.
3708
3709         Separate out the intrinsics for key and values iteration
3710         of arrays.
3711
3712         This requires moving array iteration into the iterator
3713         instance, rather than the prototype, but this is essentially
3714         unobservable so we'll live with it for now.
3715
3716         * jit/ThunkGenerators.cpp:
3717         (JSC::arrayIteratorNextThunkGenerator):
3718         (JSC::arrayIteratorNextKeyThunkGenerator):
3719         (JSC::arrayIteratorNextValueThunkGenerator):
3720         * jit/ThunkGenerators.h:
3721         * runtime/ArrayIteratorPrototype.cpp:
3722         (JSC::ArrayIteratorPrototype::finishCreation):
3723         * runtime/Intrinsic.h:
3724         * runtime/JSArrayIterator.cpp:
3725         (JSC::JSArrayIterator::finishCreation):
3726         (JSC::createIteratorResult):
3727         (JSC::arrayIteratorNext):
3728         (JSC::arrayIteratorNextKey):
3729         (JSC::arrayIteratorNextValue):
3730         (JSC::arrayIteratorNextGeneric):
3731         * runtime/VM.cpp:
3732         (JSC::thunkGeneratorForIntrinsic):
3733
3734 2013-10-11  Mark Hahnenberg  <mhahnenberg@apple.com>
3735
3736         llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
3737         https://bugs.webkit.org/show_bug.cgi?id=122667
3738
3739         Reviewed by Filip Pizlo.
3740
3741         The issue this patch is attempting to fix is that there are places in our codebase
3742         where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
3743         operations that can initiate a garbage collection. Garbage collection then calls 
3744         some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
3745         always necessarily run during garbage collection). This causes a deadlock.
3746
3747         To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores 
3748         into a thread-local field that indicates that it is unsafe to perform any operation 
3749         that could trigger garbage collection on the current thread. In debug builds, 
3750         ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly 
3751         detect deadlocks.
3752
3753         This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
3754         which uses the DeferGC mechanism to prevent collections from occurring while the 
3755         lock is held.
3756
3757         * CMakeLists.txt:
3758         * GNUmakefile.list.am:
3759         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3760         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3761         * JavaScriptCore.xcodeproj/project.pbxproj:
3762         * heap/DeferGC.cpp: Added.
3763         * heap/DeferGC.h:
3764         (JSC::DisallowGC::DisallowGC):
3765         (JSC::DisallowGC::~DisallowGC):
3766         (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
3767         (JSC::DisallowGC::initialize):
3768         * jit/JITStubs.cpp:
3769         (JSC::tryCachePutByID):
3770         (JSC::tryCacheGetByID):
3771         (JSC::DEFINE_STUB_FUNCTION):
3772         * llint/LLIntSlowPaths.cpp:
3773         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3774         * runtime/ConcurrentJITLock.h:
3775         (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
3776         (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
3777         (JSC::ConcurrentJITLockerBase::unlockEarly):
3778         (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
3779         (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
3780         * runtime/InitializeThreading.cpp:
3781         (JSC::initializeThreadingOnce):
3782         * runtime/JSCellInlines.h:
3783         (JSC::allocateCell):
3784         * runtime/Structure.cpp:
3785         (JSC::Structure::materializePropertyMap):
3786         (JSC::Structure::putSpecificValue):
3787         (JSC::Structure::createPropertyMap):
3788         * runtime/Structure.h:
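
        The DisallowGC / GCSafeConcurrentJITLocker mechanism this entry describes, written out as a stand-alone added example. This is not WebKit's code: the Heap, CodeBlock, collectIfNecessary and runScenarios names, and the counters that stand in for the engine's ASSERT, are constructed for the illustration. A debug-style locker carries a thread-local DisallowGC guard so that a collection attempted while the lock is held is flagged instead of deadlocking; the GC-safe locker instead defers the collection until the lock is released.

```cpp
// Added example, not WebKit code: RAII guards that make "GC while holding a
// CodeBlock lock" detectable (DisallowGC) or harmless (DeferGC).
#include <atomic>
#include <cstdio>
#include <mutex>

namespace demo {

// Thread-local depth counter: > 0 means the current thread must not trigger a collection.
static thread_local unsigned gcDisallowDepth = 0;

struct DisallowGC {
    DisallowGC() { ++gcDisallowDepth; }
    ~DisallowGC() { --gcDisallowDepth; }
    DisallowGC(const DisallowGC&) = delete;
    DisallowGC& operator=(const DisallowGC&) = delete;
    static bool isGCDisallowedOnCurrentThread() { return gcDisallowDepth > 0; }
};

// Process-wide count of outstanding deferrals (the DeferGC idea).
static std::atomic<unsigned> gcDeferCount{0};

struct DeferGC {
    DeferGC() { ++gcDeferCount; }
    ~DeferGC() { --gcDeferCount; }
    DeferGC(const DeferGC&) = delete;
    DeferGC& operator=(const DeferGC&) = delete;
};

// Constructed stand-in for the heap; counters replace the engine's ASSERT so a test can observe them.
struct Heap {
    unsigned collections = 0;
    unsigned blockedCollections = 0;   // attempts made while GC was disallowed (would-be deadlocks)
    unsigned deferredCollections = 0;  // attempts made while a DeferGC was live

    // What the allocator would call on its slow path. Returns true if a collection ran.
    bool collectIfNecessary() {
        if (DisallowGC::isGCDisallowedOnCurrentThread()) {
            ++blockedCollections;  // real engine: ASSERT fails here, eagerly exposing the bug
            return false;
        }
        if (gcDeferCount.load() > 0) {
            ++deferredCollections;
            return false;
        }
        ++collections;
        return true;
    }
};

struct CodeBlock {
    std::mutex lock;  // stands in for ConcurrentJITLock
};

// Plain locker: holds the lock and, as in debug builds, a DisallowGC guard.
struct ConcurrentJITLocker {
    std::lock_guard<std::mutex> guard;
    DisallowGC disallow;
    explicit ConcurrentJITLocker(CodeBlock& cb) : guard(cb.lock) {}
};

// GC-safe locker: defers collection for as long as the lock is held.
struct GCSafeConcurrentJITLocker {
    DeferGC defer;
    std::lock_guard<std::mutex> guard;
    explicit GCSafeConcurrentJITLocker(CodeBlock& cb) : guard(cb.lock) {}
};

// The buggy pattern: an allocation that may collect while the plain lock is held.
// Returns how many would-be deadlocks were flagged.
unsigned allocateUnderPlainLock(Heap& heap, CodeBlock& cb) {
    ConcurrentJITLocker locker(cb);
    heap.collectIfNecessary();
    return heap.blockedCollections;
}

// The fixed pattern: the collection is deferred, then allowed once the locker is gone.
bool allocateUnderGCSafeLock(Heap& heap, CodeBlock& cb) {
    {
        GCSafeConcurrentJITLocker locker(cb);
        heap.collectIfNecessary();  // deferred, not run
    }
    return heap.collectIfNecessary();  // lock released, collection proceeds
}

// Runs both scenarios on a fresh heap and reports whether the guards behaved as described.
bool runScenarios() {
    Heap heap;
    CodeBlock cb;
    bool ok = allocateUnderPlainLock(heap, cb) == 1;  // one flagged attempt
    ok = ok && heap.collections == 0;                 // and no collection ran under the lock
    ok = ok && allocateUnderGCSafeLock(heap, cb);     // collection ran after release
    ok = ok && heap.deferredCollections == 1;
    ok = ok && heap.collections == 1;
    ok = ok && !DisallowGC::isGCDisallowedOnCurrentThread();  // guards fully unwound
    return ok;
}

}  // namespace demo

int main() {
    bool ok = demo::runScenarios();
    std::printf("guards behaved as expected: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

        The depth counter rather than a boolean is what lets nested guards unwind correctly; the deferral count is process-wide because a collection can be requested from any thread, while "disallowed" is a property of the thread that holds the lock.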
3789
3790 2013-10-14  Filip Pizlo  <fpizlo@apple.com>
3791
3792         Baseline JIT should use the DFG's PutById IC
3793         https://bugs.webkit.org/show_bug.cgi?id=122704
3794
3795         Reviewed by Mark Hahnenberg.
3796         
3797         Mostly no big deal, just removing the old Baseline JIT's put_by_id IC support and forcing
3798         that JIT to use the DFG's (i.e. JITOperations) PutById IC.
3799         
3800         The only complicated part was that the PutById operations assumed that we first did a
3801         cell speculation, which the baseline JIT obviously won't do. So I changed all of those
3802         slow paths to deal with EncodedJSValue's.
3803
3804         * bytecode/CodeBlock.cpp:
3805         (JSC::CodeBlock::resetStubInternal):
3806         * bytecode/PutByIdStatus.cpp:
3807         (JSC::PutByIdStatus::computeFor):
3808         * dfg/DFGSpeculativeJIT.h:
3809         (JSC::DFG::SpeculativeJIT::callOperation):
3810         * dfg/DFGSpeculativeJIT32_64.cpp:
3811         (JSC::DFG::SpeculativeJIT::cachedPutById):
3812         * dfg/DFGSpeculativeJIT64.cpp:
3813         (JSC::DFG::SpeculativeJIT::cachedPutById):
3814         * jit/CCallHelpers.h:
3815         (JSC::CCallHelpers::setupArgumentsWithExecState):
3816         * jit/JIT.cpp:
3817         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
3818         * jit/JIT.h:
3819         (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
3820         (JSC::PropertyStubCompilationInfo::slowCaseInfo):
3821         * jit/JITInlines.h:
3822         (JSC::JIT::callOperation):
3823         * jit/JITOperationWrappers.h:
3824         * jit/JITOperations.cpp:
3825         * jit/JITOperations.h:
3826         * jit/JITPropertyAccess.cpp:
3827         (JSC::JIT::compileGetByIdHotPath):
3828         (JSC::JIT::compileGetByIdSlowCase):
3829         (JSC::JIT::emit_op_put_by_id):
3830         (JSC::JIT::emitSlow_op_put_by_id):
3831         * jit/JITPropertyAccess32_64.cpp:
3832         (JSC::JIT::compileGetByIdSlowCase):
3833         (JSC::JIT::emit_op_put_by_id):
3834         (JSC::JIT::emitSlow_op_put_by_id):
3835         * jit/JITStubs.cpp:
3836         * jit/JITStubs.h:
3837         * jit/Repatch.cpp:
3838         (JSC::appropriateGenericPutByIdFunction):
3839         (JSC::appropriateListBuildingPutByIdFunction):
3840         (JSC::resetPutByID):
3841
3842 2013-10-13  Filip Pizlo  <fpizlo@apple.com>
3843
3844         FTL should have an inefficient but correct implementation of GetById
3845         https://bugs.webkit.org/show_bug.cgi?id=122740
3846
3847         Reviewed by Mark Hahnenberg.
3848         
3849         It took some effort to realize that the node->prediction() check in the DFG backends
3850         is completely unnecessary since the ByteCodeParser will always insert a ForceOSRExit
3851         if !prediction.
3852         
3853         But other than that this was an easy patch.
3854
3855         * dfg/DFGByteCodeParser.cpp:
3856         (JSC::DFG::ByteCodeParser::handleGetById):
3857         * dfg/DFGSpeculativeJIT32_64.cpp:
3858         (JSC::DFG::SpeculativeJIT::compile):
3859         * dfg/DFGSpeculativeJIT64.cpp:
3860         (JSC::DFG::SpeculativeJIT::compile):
3861         * ftl/FTLCapabilities.cpp:
3862         (JSC::FTL::canCompile):
3863         * ftl/FTLIntrinsicRepository.h:
3864         * ftl/FTLLowerDFGToLLVM.cpp:
3865         (JSC::FTL::LowerDFGToLLVM::compileNode):
3866         (JSC::FTL::LowerDFGToLLVM::compileGetById):
3867
3868 2013-10-13  Mark Lam  <mark.lam@apple.com>
3869
3870         Transition misc cti_op_* JITStubs to JIT operations.
3871         https://bugs.webkit.org/show_bug.cgi?id=122645.
3872
3873         Reviewed by Michael Saboff.
3874
3875         Stubs converted:
3876             cti_op_check_has_instance
3877             cti_op_create_arguments
3878             cti_op_del_by_id
3879             cti_op_instanceof
3880             cti_to_object
3881             cti_op_push_activation
3882             cti_op_get_pnames
3883             cti_op_load_varargs
3884
3885         * dfg/DFGOperations.cpp:
3886         * dfg/DFGOperations.h:
3887         * jit/CCallHelpers.h:
3888         (JSC::CCallHelpers::setupArgumentsWithExecState):
3889         * jit/JIT.h:
3890         (JSC::JIT::emitStoreCell):
3891         * jit/JITCall.cpp:
3892         (JSC::JIT::compileLoadVarargs):
3893         * jit/JITCall32_64.cpp:
3894         (JSC::JIT::compileLoadVarargs):
3895         * jit/JITInlines.h:
3896         (JSC::JIT::callOperation):
3897         * jit/JITOpcodes.cpp:
3898         (JSC::JIT::emit_op_get_pnames):
3899         (JSC::JIT::emit_op_create_activation):
3900         (JSC::JIT::emit_op_create_arguments):
3901         (JSC::JIT::emitSlow_op_check_has_instance):
3902         (JSC::JIT::emitSlow_op_instanceof):
3903         (JSC::JIT::emitSlow_op_get_argument_by_val):
3904         * jit/JITOpcodes32_64.cpp:
3905         (JSC::JIT::emitSlow_op_check_has_instance):
3906         (JSC::JIT::emitSlow_op_instanceof):
3907         (JSC::JIT::emit_op_get_pnames):
3908         (JSC::JIT::emit_op_create_activation):
3909         (JSC::JIT::emit_op_create_arguments):
3910         (JSC::JIT::emitSlow_op_get_argument_by_val):
3911         * jit/JITOperations.cpp:
3912         * jit/JITOperations.h:
3913         * jit/JITPropertyAccess.cpp:
3914         (JSC::JIT::emit_op_del_by_id):
3915         * jit/JITPropertyAccess32_64.cpp:
3916         (JSC::JIT::emit_op_del_by_id):
3917         * jit/JITStubs.cpp:
3918         * jit/JITStubs.h:
3919
3920 2013-10-13  Filip Pizlo  <fpizlo@apple.com>
3921
3922         FTL OSR exit should perform zero extension on values smaller than 64-bit
3923         https://bugs.webkit.org/show_bug.cgi?id=122688
3924
3925         Reviewed by Gavin Barraclough.
3926         
3927         In the DFG we usually make the simplistic assumption that a 32-bit value in a 64-bit
3928         register will have zeros on the high bits.  In the few cases where the high bits are
3929         non-zero, the DFG sort of tells us this explicitly.
3930
3931         But when working with llvm.webkit.stackmap, it doesn't work that way.  Consider that we might
3932         emit LLVM IR like:
3933
3934             %2 = trunc i64 %1 to i32
3935             stuff %2
3936             call @llvm.webkit.stackmap(...., %2)
3937
3938         LLVM may never actually emit a truncation instruction of any kind.  And that's great - in
3939         many cases it won't be needed, like if 'stuff %2' is a 32-bit op that ignores the high
3940         bits anyway.  Hence LLVM may tell us that %2 is in the register that still had the value
3941         from before truncation, and that register may have garbage in the high bits.
3942
3943         This means that on our end, if we want a 32-bit value and we want that value to be
3944         zero-extended, we should zero-extend it ourselves.  This is pretty easy and should be
3945         cheap, so we should just do it and not make it a requirement that LLVM does it on its
3946         end.
3947         
3948         This makes all tests pass with JSC_ftlOSRExitUsesStackmap=true.
3949
3950         * ftl/FTLOSRExitCompiler.cpp:
3951         (JSC::FTL::compileStubWithOSRExitStackmap):
3952         * ftl/FTLValueFormat.cpp:
3953         (JSC::FTL::reboxAccordingToFormat):
3954
3955 == Rolled over to ChangeLog-2013-10-13 ==