JSArrayBufferViews of length 0 allocate 0 CopiedSpace bytes, which is invalid
2013-11-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSArrayBufferViews of length 0 allocate 0 CopiedSpace bytes, which is invalid
        https://bugs.webkit.org/show_bug.cgi?id=123746

        Reviewed by Geoffrey Garen.

        This patch disallows clients from allocating 0 bytes in CopiedSpace. We enforce this invariant
        with an ASSERT in C++ code and a breakpoint in JIT code. Clients who care about 0-byte
        allocations (like JSArrayBufferViews) must handle that case themselves, but we don't punish
        anybody else for the rare case that somebody decides to allocate a 0-length typed array.
        It also makes the allocation and copying cases consistent for CopiedSpace: no 0-byte allocations,
        no 0-byte copying.

        Also added a check so that JSArrayBufferViews don't try to copy their m_vector backing store when
        their length is 0. Also sprinkled several ASSERTs throughout the JSArrayBufferView code to make sure that
        when length is 0 m_vector is null.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
        * heap/CopiedSpaceInlines.h:
        (JSC::CopiedSpace::tryAllocate):
        * runtime/ArrayBuffer.h:
        (JSC::ArrayBuffer::create):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::::visitChildren):
        (JSC::::copyBackingStore):
        (JSC::::slowDownAndWasteMemory):

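The invariant described in the entry above, as an added example that is not JavaScriptCore code: a bump allocator standing in for CopiedSpace rejects 0-byte requests with an assertion, and a view type standing in for JSArrayBufferView handles length 0 itself by keeping its m_vector null and skipping the copy. The names CopiedSpaceModel and TypedArrayViewModel are hypothetical.

```cpp
// Added example, not JavaScriptCore code. CopiedSpaceModel and
// TypedArrayViewModel are hypothetical stand-ins for CopiedSpace and
// JSArrayBufferView.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Minimal bump allocator. After this change the allocator's contract is:
// callers never request 0 bytes.
class CopiedSpaceModel {
public:
    explicit CopiedSpaceModel(size_t capacity) : m_storage(capacity), m_offset(0) {}

    // Returns nullptr when the request does not fit. A 0-byte request is a
    // caller bug, so it is rejected with an ASSERT instead of "succeeding"
    // with a pointer that owns no bytes (the C++ path gets an ASSERT; the
    // entry says the JIT path gets a breakpoint).
    void* tryAllocate(size_t bytes) {
        assert(bytes && "0-byte allocations are not allowed in CopiedSpace");
        if (bytes > m_storage.size() - m_offset)
            return nullptr;
        void* result = m_storage.data() + m_offset;
        m_offset += bytes;
        return result;
    }

    size_t bytesAllocated() const { return m_offset; }

private:
    std::vector<uint8_t> m_storage;
    size_t m_offset;
};

// A length plus an m_vector backing store. The 0-length case is the client's
// responsibility: never call the allocator, keep m_vector null, never copy.
struct TypedArrayViewModel {
    uint8_t* m_vector = nullptr;
    size_t m_length = 0;

    static TypedArrayViewModel create(CopiedSpaceModel& space, size_t length, size_t elementSize) {
        TypedArrayViewModel view;
        view.m_length = length;
        if (!length) {
            assert(!view.m_vector); // length 0 <=> m_vector null
            return view;
        }
        view.m_vector = static_cast<uint8_t*>(space.tryAllocate(length * elementSize));
        return view;
    }

    // Mirrors the check added to copyBackingStore: a 0-length view has no
    // bytes to move, and asking the allocator for 0 bytes is now an error.
    bool copyBackingStore(CopiedSpaceModel& to, size_t elementSize) {
        if (!m_length) {
            assert(!m_vector);
            return false;
        }
        size_t bytes = m_length * elementSize;
        uint8_t* fresh = static_cast<uint8_t*>(to.tryAllocate(bytes));
        if (!fresh)
            return false;
        std::memcpy(fresh, m_vector, bytes);
        m_vector = fresh;
        return true;
    }
};

int main() {
    CopiedSpaceModel space(64);
    TypedArrayViewModel empty = TypedArrayViewModel::create(space, 0, 4);
    assert(!empty.m_vector && space.bytesAllocated() == 0);
    assert(!empty.copyBackingStore(space, 4));

    TypedArrayViewModel four = TypedArrayViewModel::create(space, 4, 4);
    assert(four.m_vector && space.bytesAllocated() == 16);
    return 0;
}
```

The point of pushing the 0-length case into the client is that the allocator can then treat a 0-byte request as a hard error, which is what makes the allocation and copying paths consistent: neither ever hands out or moves zero bytes.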
2013-11-04  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Refactor jumps in baseline JIT to return label after the jump.
        https://bugs.webkit.org/show_bug.cgi?id=123734

        Reviewed by Michael Saboff.

        Current implementation of jumps in sh4 baseline JIT returns a label on the jump itself
        and not after it. This is not correct and leads to issues like infinite loops in the DFG
        (https://bugs.webkit.org/show_bug.cgi?id=122597 for instance). This refactor fixes this
        and also simplifies the link and relink procedures for sh4 jumps.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::branchDouble):
        (JSC::MacroAssemblerSH4::branchTrue):
        (JSC::MacroAssemblerSH4::branchFalse):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::jmp):
        (JSC::SH4Assembler::extraInstrForBranch):
        (JSC::SH4Assembler::jne):
        (JSC::SH4Assembler::je):
        (JSC::SH4Assembler::bra):
        (JSC::SH4Assembler::linkJump):
        (JSC::SH4Assembler::relinkJump):

2013-11-03  Filip Pizlo  <fpizlo@apple.com>

        Generated color wheel displays incorrectly (regressed in r155567)
        https://bugs.webkit.org/show_bug.cgi?id=123664

        Reviewed by Andreas Kling.

        Interestingly, r155567 just "un-broke" the attempt to constant-fold ArithMod, but
        that constant folding was just wrong to begin with. There is no evidence that this
        constant folding rule is profitable. I'm removing it instead of trying to think
        about what it means for it to be correct.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):

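An added example, not JavaScriptCore code and not the folding rule this entry removes: it shows the edge cases any constant-folding rule for ArithMod has to reproduce bit-for-bit. JavaScript's % on Numbers follows C's fmod (the result takes the sign of the dividend, a zero divisor gives NaN), so a rule that folds operands as int32 can neither represent -0 nor safely divide by zero. The helper names jsArithMod, naiveInt32Mod and foldMatchesRuntime are hypothetical.

```cpp
// Added example, not JavaScriptCore code. jsArithMod, naiveInt32Mod and
// foldMatchesRuntime are hypothetical names.
#include <cmath>
#include <cstdint>

// What the runtime computes: JavaScript % on Numbers has fmod semantics.
inline double jsArithMod(double a, double b) { return std::fmod(a, b); }

struct Int32ModResult {
    bool ok;
    int32_t value;
};

// The tempting "fold it as int32" rule. It must refuse a zero divisor
// (undefined behaviour in C++) and INT32_MIN % -1 (overflow), and even when
// it produces a value it cannot represent a negative zero.
inline Int32ModResult naiveInt32Mod(int32_t a, int32_t b) {
    if (b == 0 || (a == INT32_MIN && b == -1))
        return {false, 0};
    return {true, a % b};
}

// A folded constant is only usable if it is indistinguishable from what the
// runtime would produce, including the sign of zero.
inline bool foldMatchesRuntime(int32_t a, int32_t b) {
    Int32ModResult folded = naiveInt32Mod(a, b);
    if (!folded.ok)
        return false;
    double runtime = jsArithMod(a, b);
    if (std::isnan(runtime))
        return false;
    // 0 == -0.0 compares equal, so the sign bit has to be checked separately.
    return folded.value == runtime
        && std::signbit(runtime) == std::signbit(static_cast<double>(folded.value));
}

int main() {
    // -1 % 1 is -0 in JavaScript; the int32 fold yields +0 and must not be used.
    return foldMatchesRuntime(-1, 1) ? 1 : 0;
}
```

Run over a few operand pairs, the int32 rule agrees with the runtime for 7 % 3 and -7 % 3 but diverges for -1 % 1 (sign of zero) and for any zero divisor, which is exactly the kind of case a folding rule silently gets wrong.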
2013-11-03  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, it is no longer necessary to call DisablePrettyStackTrace.

        * llvm/library/LLVMExports.cpp:
        (initializeAndGetJSCLLVMAPI):

2013-11-02  Mark Lam  <mark.lam@apple.com>

        Assertion failure in non-JIT'ed LLInt on ARM Thumb.
        https://bugs.webkit.org/show_bug.cgi?id=97569.

        Reviewed by Geoffrey Garen.

        * assembler/MacroAssemblerCodeRef.h:
        - Thumb2 alignment assertions do not apply to the C Loop LLINT because
          the arguments passed to those assertions are actually OpcodeIDs
          masquerading as addresses.
        * llint/LLIntOfflineAsmConfig.h:
        - Some of the #defines belong in the !ENABLE(LLINT_C_LOOP) section.
          Moving them there.
        * llint/LowLevelInterpreter.cpp:
        - Keep the compiler happy about some unreferenced C Loop labels.

2013-11-02  Filip Pizlo  <fpizlo@apple.com>

        FTL should use LLVM intrinsics for OSR exit, watchpoints, inline caches, and stack layout
        https://bugs.webkit.org/show_bug.cgi?id=122318

        Reviewed by Geoffrey Garen.

        This all now works. This patch just updates our implementation to work with LLVM trunk,
        and removes all of the old code that tried to do OSR exits and heap accesses without
        the benefit of those intrinsics.

        In particular:

        - StackMaps parsing now uses the new, less compact, but more future-proof, format.

        - Remove the ftlUsesStackmaps() option and hard-code ftlUsesStackmaps = true. Remove
          all code for ftlUsesStackmaps = false, since that was only there for back when we
          didn't have the intrinsics.

        - Remove the other experimental OSR options (useLLVMOSRExitIntrinsic,
          ftlTrapsOnOSRExit, and FTLOSRExitOmitsMarshalling).

        - Remove LowerDFGToLLVM's use of the ExitThunkGenerator since we don't need to generate
          the exit thunks until after we parse the stackmaps.

        - Remove all of the exit thunk and compiler code for the no-stackmaps case.

        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLExitThunkGenerator.cpp:
        (JSC::FTL::ExitThunkGenerator::emitThunk):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::forStackmaps):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::compileGetById):
        (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        (JSC::FTL::LowerDFGToLLVM::callStackmap):
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
        * ftl/FTLOSRExitCompilationInfo.h:
        (JSC::FTL::OSRExitCompilationInfo::OSRExitCompilationInfo):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        (JSC::FTL::compileFTLOSRExit):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Location::parse):
        (JSC::FTL::StackMaps::parse):
        (WTF::printInternal):
        * ftl/FTLStackMaps.h:
        * ftl/FTLThunks.cpp:
        (JSC::FTL::osrExitGenerationThunkGenerator):
        * ftl/FTLThunks.h:
        (JSC::FTL::Thunks::getOSRExitGenerationThunk):
        * runtime/Options.h:

2013-11-02  Patrick Gansterer  <paroga@webkit.org>

        Add missing getHostCallReturnValue() for MSVC ARM
        https://bugs.webkit.org/show_bug.cgi?id=123685

        Reviewed by Darin Adler.

        * jit/JITStubsARM.h:

2013-11-02  Patrick Gansterer  <paroga@webkit.org>

        Fix MSVC warning about unary minus operator
        https://bugs.webkit.org/show_bug.cgi?id=123674

        Reviewed by Darin Adler.

        Change some static_cast<> to silence the following warning of Microsoft compiler:
        warning C4146: unary minus operator applied to unsigned type, result still unsigned

        * jit/Repatch.cpp:
        (JSC::emitPutTransitionStub):

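An added example, not WebKit code, of the arithmetic behind warning C4146: negating an unsigned value leaves it unsigned, so the "negative" number wraps modulo 2^32 and, once widened to 64 bits, becomes a huge positive displacement. Converting to a signed type with static_cast before negating gives the intended result. The function names negateThenWiden, widenThenNegate and indexAfterStep are hypothetical, and the pattern is shown for a plain index rather than for the specific code in Repatch.cpp.

```cpp
// Added example, not WebKit code. negateThenWiden, widenThenNegate and
// indexAfterStep are hypothetical names.
#include <cstdint>

// Negating a uint32_t keeps it unsigned: for n == 1 the expression is
// 4294967295u, and widening it to int64_t preserves that value.
inline int64_t negateThenWiden(uint32_t n) {
    return -n; // the expression MSVC flags with C4146
}

// Converting to a signed type first yields an actual negative number.
inline int64_t widenThenNegate(uint32_t n) {
    return -static_cast<int64_t>(n);
}

// Where the difference bites: stepping an index backwards by `back`.
// With the unsigned form the index lands ~4 GiB past where it started.
inline uint64_t indexAfterStep(uint64_t index, uint32_t back, bool widenFirst) {
    int64_t offset = widenFirst ? widenThenNegate(back) : negateThenWiden(back);
    return index + static_cast<uint64_t>(offset);
}

int main() {
    // Stepping back by 1 from 100 should give 99; the unsigned form does not.
    return indexAfterStep(100, 1, true) == 99 ? 0 : 1;
}
```

The same hazard applies to any offset or length computed from an unsigned size: the wrapped value is a well-formed, very large number, so it is not caught by the type system, only by the compiler warning or by a bounds check at the point of use.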
2013-11-02  Filip Pizlo  <fpizlo@apple.com>

        Disable LLVM's pretty stack traces, which involve intercepting fatal signals
        https://bugs.webkit.org/show_bug.cgi?id=123681

        Reviewed by Geoffrey Garen.

        * llvm/library/LLVMExports.cpp:
        (initializeAndGetJSCLLVMAPI):

2013-11-02  Filip Pizlo  <fpizlo@apple.com>

        LLVM assertion failures should funnel into WTF's crash handling
        https://bugs.webkit.org/show_bug.cgi?id=123682

        Reviewed by Geoffrey Garen.

        Inside llvmForJSC, we override assertion-related functions and funnel them
        into g_llvmTrapCallback(). We also now register a fatal error handler inside
        the library and funnel that into g_llvmTrapCallback, and have
        initializeAndGetJSCLLVMAPI() take such a callback as an argument.

        Inside JSC, we no longer call LLVMInstallFatalErrorHandler() but instead we
        pass WTFLogAlwaysAndCrash() as the trap callback for llvmForJSC.

        * llvm/InitializeLLVM.cpp:
        (JSC::initializeLLVM):
        * llvm/InitializeLLVMPOSIX.cpp:
        (JSC::initializeLLVMPOSIX):
        * llvm/library/LLVMExports.cpp:
        (llvmCrash):
        (initializeAndGetJSCLLVMAPI):
        * llvm/library/LLVMOverrides.cpp:
        (raise):
        (__assert_rtn):
        (abort):
        * llvm/library/LLVMTrapCallback.h: Added.

2013-11-02  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock::jettison() shouldn't call baselineVersion()
        https://bugs.webkit.org/show_bug.cgi?id=123675

        Reviewed by Geoffrey Garen.

        Fix more uses of baselineVersion().

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * bytecode/CodeBlock.h:
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):

2013-11-02  Filip Pizlo  <fpizlo@apple.com>

        LLVM asserts in internal-js-tests.yaml/Octane/stress-tests/mandreel.js
        https://bugs.webkit.org/show_bug.cgi?id=123535

        Reviewed by Geoffrey Garen.

        Use double comparisons for doubles.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::doubleToInt32):

2013-11-02  Patrick Gansterer  <paroga@webkit.org>

        Various small WinCE build fixes

        * jsc.cpp:
        (main):

2013-11-02  Patrick Gansterer  <paroga@webkit.org>

        Fix MSVC ARM build after r157581.

        * jit/JITStubsARM.h:

2013-11-01  Filip Pizlo  <fpizlo@apple.com>

        FTL should use a simple optimization pipeline by default
        https://bugs.webkit.org/show_bug.cgi?id=123638

        Reviewed by Geoffrey Garen.

        20% speed-up on imagine-gaussian-blur, when combined with --ftlUsesStackmaps=true.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * runtime/Options.h:

2013-11-01  Andreas Kling  <akling@apple.com>

        Neuter WTF_MAKE_FAST_ALLOCATED in GLOBAL_FASTMALLOC_NEW builds.
        <https://webkit.org/b/123639>

        JSC::ParserArenaRefCounted really needed to have the new/delete
        operators overridden, in order for JSC::ScopeNode to be able to
        choose that "operator new" out of the two it inherits.

        Reviewed by Anders Carlsson.

2013-11-01  Filip Pizlo  <fpizlo@apple.com>

        OSR exit profiling should be robust against all code being cleared
        https://bugs.webkit.org/show_bug.cgi?id=123629
        <rdar://problem/15365476>

        Reviewed by Michael Saboff.

        The problem here is two-fold:

        1) A watchpoint (i.e. ProfiledCodeBlockJettisoningWatchpoint) may be fired after we
        have cleared the CodeBlock for all or some Executables.  This means that doing
        codeBlock->baselineVersion() would either crash or return a bogus CodeBlock, since
        there wasn't a baseline code block reachable from the Executable anymore.  The
        solution is that we shouldn't be asking for the baseline code block reachable from
        the owning executable (what baselineVersion did), but instead we should be asking
        for the baseline version reachable from the code block being watchpointed (basically
        what CodeBlock::alternative() did).

        2) If dealing with inlined code, baselineCodeBlockForOriginAndBaselineCodeBlock()
        may return null, for the same reason as above - we might have cleared the baseline
        codeblock for the executable that was inlined.  The solution is to just not do
        profiling if there isn't a baseline code block anymore.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::baselineAlternative):
        (JSC::CodeBlock::baselineVersion):
        (JSC::CodeBlock::jettison):
        * bytecode/CodeBlock.h:
        * bytecode/CodeBlockJettisoningWatchpoint.cpp:
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):
        * dfg/DFGOSRExitBase.cpp:
        (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::AssemblyHelpers):
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::baselineCodeBlockFor):

2013-10-31  Oliver Hunt  <oliver@apple.com>

        JavaScript parser bug
        https://bugs.webkit.org/show_bug.cgi?id=123506

        Reviewed by Mark Lam.

        Add ParserState as an abstraction and use that to save and restore
        the parser state around nested functions (We'll need to use this in
        more places in future).  Also fix a minor error typo these testcases
        hit.

        * parser/Parser.cpp:
        (JSC::::parseFunctionInfo):
        (JSC::::parseAssignmentExpression):
        * parser/Parser.h:
        (JSC::Parser::saveState):
        (JSC::Parser::restoreState):

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        FTL Int32ToDouble should handle the forward type check case where you need a recovery
        https://bugs.webkit.org/show_bug.cgi?id=123605

        Reviewed by Mark Hahnenberg.

        If you have an Int32ToDouble that needs to do a type check and it's required to do a
        forward exit, then it needs to manually pass in a value recovery for itself in the
        OSR exit - since this is one of those forward-exiting nodes that doesn't have a
        preceding MovHint.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble):
        (JSC::FTL::LowerDFGToLLVM::forwardTypeCheck):

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        FTL should implement InvalidationPoint in terms of llvm.stackmap
        https://bugs.webkit.org/show_bug.cgi?id=113647

        Reviewed by Mark Hahnenberg.

        This is pretty straightforward now that InvalidationPoint has exactly the semantics
        that agree with llvm.stackmap.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::LowerDFGToLLVM::callStackmap):
        * ftl/FTLOSRExitCompilationInfo.h:
        (JSC::FTL::OSRExitCompilationInfo::OSRExitCompilationInfo):

2013-10-30  Oliver Hunt  <oliver@apple.com>

        Implement basic ES6 Math functions
        https://bugs.webkit.org/show_bug.cgi?id=123536

        Reviewed by Michael Saboff.

        Fairly trivial patch to implement the core ES6 Math functions.

        This doesn't implement Math.hypot as it is not a trivial function.
        I've also skipped Math.sign as I am yet to be convinced the spec
        behaviour is good.  Everything else is trivial.

        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        (JSC::mathProtoFuncACosh):
        (JSC::mathProtoFuncASinh):
        (JSC::mathProtoFuncATanh):
        (JSC::mathProtoFuncCbrt):
        (JSC::mathProtoFuncCosh):
        (JSC::mathProtoFuncExpm1):
        (JSC::mathProtoFuncFround):
        (JSC::mathProtoFuncLog1p):
        (JSC::mathProtoFuncLog10):
        (JSC::mathProtoFuncLog2):
        (JSC::mathProtoFuncSinh):
        (JSC::mathProtoFuncTanh):
        (JSC::mathProtoFuncTrunc):

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        FTL::Location::restoreInto() doesn't handle stack-related registers correctly if you're using it after pushing a new stack frame
        https://bugs.webkit.org/show_bug.cgi?id=123591

        Reviewed by Mark Hahnenberg.

        This gets us to pass more tests with ftlUsesStackmaps.

        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::restoreInto):
        * ftl/FTLLocation.h:
        * ftl/FTLThunks.cpp:
        (JSC::FTL::osrExitGenerationWithStackMapThunkGenerator):

2013-10-31  Alexey Proskuryakov  <ap@apple.com>

        Enable WebCrypto on Mac
        https://bugs.webkit.org/show_bug.cgi?id=123587

        Reviewed by Anders Carlsson.

        * Configurations/FeatureDefines.xcconfig: Do it.

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, really remove CachedTranscendentalFunction.h.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        Remove CachedTranscendentalFunction because caching math functions is an ugly idea
        https://bugs.webkit.org/show_bug.cgi?id=123574

        Reviewed by Mark Hahnenberg.

        This is performance-neutral because I also make Math.cos/sin intrinsic. This means that
        we gain the "overhead" of actually computing sin and cos but we lose the overhead of
        going through the native call thunks.

        Caching transcendental functions is a really ugly idea. It works for SunSpider because
        that benchmark makes very predictable calls into Math.sin. But I don't believe that this
        is representative of any kind of reality, and so for sensible uses of Math.sin/cos all
        that this was doing was adding more call overhead and some hashing overhead.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOperations.h:
        * runtime/CachedTranscendentalFunction.h: Removed.
        * runtime/DateInstanceCache.h:
        * runtime/Intrinsic.h:
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        (JSC::mathProtoFuncCos):
        (JSC::mathProtoFuncSin):
        * runtime/VM.h:

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Assertion failure in js/dom/global-constructors-attributes-dedicated-worker.html
        https://bugs.webkit.org/show_bug.cgi?id=123551
        <rdar://problem/15356238>

        Reviewed by Mark Hahnenberg.

        WatchpointSets have always had this "fire everything on deletion" policy because it
        seemed like a good fail-safe at the time I first implemented WatchpointSets. But
        it's actually causing bugs rather than providing safety:

        - Everyone who registers Watchpoints with WatchpointSets have separate mechanisms
          for either keeping the WatchpointSets alive or noticing when they are collected.
          So this wasn't actually providing any safety.

          One example of this is Structures, where:

          - CodeBlocks that register Watchpoints on Structure's WatchpointSet will also
            register weak references to the Structure, and the GC will jettison a CodeBlock
            if the Structure(s) it cares about dies.

          - StructureStubInfos that register Watchpoints on Structure's WatchpointSet will
            also be cleared by GC if the Structures die.

        - The WatchpointSet destructor would get invoked from finalization/destruction.
          This would then cause CodeBlock::jettison() to be called on a CodeBlock, but that
          method requires doing things that access heap objects. This would usually cause
          problems on VM destruction, since then the CodeBlocks would still be alive but the
          whole heap would be destroyed.

        This also ensures that CodeBlock::jettison() cannot cause a GC. This is safe since
        that method doesn't really allocate objects, and it is likely necessary because
        jettison() may be called from deep in the stack.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * bytecode/Watchpoint.cpp:
        (JSC::WatchpointSet::~WatchpointSet):
        * bytecode/Watchpoint.h:

2013-10-30  Mark Lam  <mark.lam@apple.com>

        Unreviewed, fix C Loop LLINT build.

        * bytecode/CodeBlockJettisoningWatchpoint.cpp:
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix FTL build.

        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):

2013-10-30  Alexey Proskuryakov  <ap@apple.com>

        Add a way to fulfill promises from DOM code
        https://bugs.webkit.org/show_bug.cgi?id=123466

        Reviewed by Sam Weinig.

        * JavaScriptCore.xcodeproj/project.pbxproj: Make JSPromise.h and JSPromiseResolver.h
        private headers for WebCore to use.

        * runtime/JSPromise.h:
        * runtime/JSPromiseResolver.h:
        Export functions that JSDOMPromise will use.

2013-10-30  Mark Lam  <mark.lam@apple.com>

        Adjust CallFrameHeader's ReturnPC and CallFrame locations to match the native ABI.
        https://bugs.webkit.org/show_bug.cgi?id=123444.

        Reviewed by Geoffrey Garen.

        - Introduced an explicit CallerFrameAndPC struct.
        - A CallFrame is expected to start with a CallerFrameAndPC struct.
        - The Register class no longer supports CallFrame* and Instruction*.

          This hides the differences between JSVALUE32_64 and JSVALUE64 in
          terms of managing the callerFrame() and returnPC() values.

        - Convert all uses of JSStack::CallerFrame and JSStack::ReturnPC to
          go through CallFrame to access the appropriate values and offsets.
          CallFrame, in turn, will access the callerFrame and returnPC via
          the CallerFrameAndPC struct.

        - InlineCallFrame will provide offsets for its callerFrame and
          returnPC. It will make use of CallFrame::callerFrameOffset() and
          CallFrame::returnPCOffset() to compute these.

        * bytecode/CodeOrigin.h:
        (JSC::InlineCallFrame::callerFrameOffset):
        (JSC::InlineCallFrame::returnPCOffset):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::calleeFrameSlot):
        (JSC::DFG::SpeculativeJIT::calleeArgumentSlot):
        (JSC::DFG::SpeculativeJIT::calleeFrameTagSlot):
        (JSC::DFG::SpeculativeJIT::calleeFramePayloadSlot):
        (JSC::DFG::SpeculativeJIT::calleeArgumentTagSlot):
        (JSC::DFG::SpeculativeJIT::calleeArgumentPayloadSlot):
        - Prefixed all the above with callee since they apply to the callee frame.
        (JSC::DFG::SpeculativeJIT::calleeFrameCallerFrame):
        - Added to set the callerFrame pointer in the callee frame.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLink.cpp:
        (JSC::FTL::compileEntry):
        (JSC::FTL::link):
        * interpreter/CallFrame.h:
        (JSC::ExecState::callerFrame):
        (JSC::ExecState::callerFrameOffset):
        (JSC::ExecState::returnPC):
        (JSC::ExecState::hasReturnPC):
        (JSC::ExecState::clearReturnPC):
        (JSC::ExecState::returnPCOffset):
        (JSC::ExecState::setCallerFrame):
        (JSC::ExecState::setReturnPC):
        (JSC::ExecState::callerFrameAndPC):
        * interpreter/JSStack.h:
        * interpreter/Register.h:
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitPutToCallFrameHeader):
        - Convert to using storePtr() here and simplify the code.
        (JSC::AssemblyHelpers::emitGetCallerFrameFromCallFrameHeaderPtr):
        (JSC::AssemblyHelpers::emitPutCallerFrameToCallFrameHeader):
        (JSC::AssemblyHelpers::emitGetReturnPCFromCallFrameHeaderPtr):
        (JSC::AssemblyHelpers::emitPutReturnPCToCallFrameHeader):
        - Helpers to emit gets/puts of the callerFrame and returnPC.
        (JSC::AssemblyHelpers::addressForByteOffset):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompile):
        (JSC::JIT::privateCompileExceptionHandlers):
        * jit/JITCall.cpp:
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::emit_op_ret_object_or_this):
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileOpCall):
        * jit/JITInlines.h:
        (JSC::JIT::unmap):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_end):
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::emit_op_ret_object_or_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_end):
        * jit/JITOperations.cpp:
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::returnJSValue):
        (JSC::SpecializedThunkJIT::returnDouble):
        (JSC::SpecializedThunkJIT::returnInt32):
        (JSC::SpecializedThunkJIT::returnJSCell):
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::slowPathFor):
        (JSC::nativeForGenerator):

        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        - Updated offsets and asserts to match the new CallFrame layout.

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Mac.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::RegisterAllocationOffset::checkOffsets):
        (JSC::AbstractMacroAssembler::checkRegisterAllocationAgainstBranchRange):

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Windows.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Windows.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addFrequentExitSite):

2013-10-29  Filip Pizlo  <fpizlo@apple.com>

        Add InvalidationPoints to the DFG and use them for all watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=123472

        Reviewed by Mark Hahnenberg.

        This makes a fundamental change to how watchpoints work in the DFG.

        Previously, a watchpoint was an instruction whose execution semantics were something
        like:

            if (watchpoint->invalidated)
                exit

        We would implement this without any branch by using jump replacement.

        This is a very good optimization. But it's a bit awkward once you get a lot of
        watchpoints: semantically we will have lots of these branches in the code, which the
        compiler needs to reason about even though they don't actually result in any emitted
        code.

        Separately, we also had a mechanism for jettisoning a CodeBlock. This mechanism would
        be invoked if a CodeBlock exited a lot. It would ensure that a CodeBlock wouldn't be
        called into again, but it would do nothing for CodeBlocks that were already on the
        stack.

        This change flips jettisoning and watchpoint invalidation on their heads. Now, the jump
        replacement has nothing to do with watchpoints; instead it's something that happens if
        you ever jettison a CodeBlock. Jump replacement is now an all-or-nothing operation over
        all of the potential call-return safe-exit-points in a CodeBlock. We call these
        "InvalidationPoint"s. A watchpoint instruction is now "lowered" by having the DFG
        collect all of the watchpoint sets that the CodeBlock cares about, and then registering
        a CodeBlockJettisoningWatchpoint with all of them. That is, if the watchpoint fires, it
        jettisons the CodeBlock, which in turn ensures that the CodeBlock can't be called into
        (because the entrypoint now points to baseline code) and can't be returned into
        (because returning exits to baseline before the next bytecode instruction).

        This will allow for a sensible lowering of watchpoints to LLVM IR. It will also allow
        for jettison() to be used effectively for things like breakpointing and single-stepping
        in the debugger.

        Well, basically, this mechanism just takes us into the HotSpot-style world where anyone
        can, at any time and for any reason, request that an optimized CodeBlock is rendered
        immediately invalid. You can use this for many cool things, I'm sure.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * bytecode/CodeBlock.h:
        * bytecode/CodeBlockJettisoningWatchpoint.cpp: Added.
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/CodeBlockJettisoningWatchpoint.h: Added.
        (JSC::CodeBlockJettisoningWatchpoint::CodeBlockJettisoningWatchpoint):
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp: Added.
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.h: Added.
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::ProfiledCodeBlockJettisoningWatchpoint):
757         * dfg/DFGAbstractHeap.h:
758         * dfg/DFGAbstractInterpreterInlines.h:
759         (JSC::DFG::::executeEffects):
760         * dfg/DFGClobberize.cpp:
761         (JSC::DFG::writesOverlap):
762         * dfg/DFGClobberize.h:
763         (JSC::DFG::clobberize):
764         (JSC::DFG::AbstractHeapOverlaps::AbstractHeapOverlaps):
765         (JSC::DFG::AbstractHeapOverlaps::operator()):
766         (JSC::DFG::AbstractHeapOverlaps::result):
767         * dfg/DFGCommonData.cpp:
768         (JSC::DFG::CommonData::invalidate):
769         * dfg/DFGCommonData.h:
770         (JSC::DFG::CommonData::CommonData):
771         * dfg/DFGDesiredWatchpoints.cpp:
772         (JSC::DFG::DesiredWatchpoints::addLazily):
773         (JSC::DFG::DesiredWatchpoints::reallyAdd):
774         * dfg/DFGDesiredWatchpoints.h:
775         (JSC::DFG::WatchpointForGenericWatchpointSet::WatchpointForGenericWatchpointSet):
776         (JSC::DFG::GenericDesiredWatchpoints::addLazily):
777         (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
778         (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
779         * dfg/DFGFixupPhase.cpp:
780         (JSC::DFG::FixupPhase::fixupNode):
781         * dfg/DFGInvalidationPointInjectionPhase.cpp: Added.
782         (JSC::DFG::InvalidationPointInjectionPhase::InvalidationPointInjectionPhase):
783         (JSC::DFG::InvalidationPointInjectionPhase::run):
784         (JSC::DFG::InvalidationPointInjectionPhase::handle):
785         (JSC::DFG::InvalidationPointInjectionPhase::insertInvalidationCheck):
786         (JSC::DFG::performInvalidationPointInjection):
787         * dfg/DFGInvalidationPointInjectionPhase.h: Added.
788         * dfg/DFGJITCode.h:
789         * dfg/DFGJITCompiler.cpp:
790         (JSC::DFG::JITCompiler::linkOSRExits):
791         (JSC::DFG::JITCompiler::link):
792         * dfg/DFGJITCompiler.h:
793         * dfg/DFGJumpReplacement.cpp: Added.
794         (JSC::DFG::JumpReplacement::fire):
795         * dfg/DFGJumpReplacement.h: Added.
796         (JSC::DFG::JumpReplacement::JumpReplacement):
797         * dfg/DFGNodeType.h:
798         * dfg/DFGOSRExitCompilationInfo.h:
799         * dfg/DFGOperations.cpp:
800         * dfg/DFGPlan.cpp:
801         (JSC::DFG::Plan::compileInThreadImpl):
802         (JSC::DFG::Plan::reallyAdd):
803         * dfg/DFGPredictionPropagationPhase.cpp:
804         (JSC::DFG::PredictionPropagationPhase::propagate):
805         * dfg/DFGSafeToExecute.h:
806         (JSC::DFG::safeToExecute):
807         * dfg/DFGSpeculativeJIT.cpp:
808         (JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
809         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
810         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
811         * dfg/DFGSpeculativeJIT.h:
812         (JSC::DFG::SpeculativeJIT::masqueradesAsUndefinedWatchpointIsStillValid):
813         (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
814         * dfg/DFGSpeculativeJIT32_64.cpp:
815         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
816         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
817         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
818         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
819         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
820         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
821         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
822         (JSC::DFG::SpeculativeJIT::compile):
823         * dfg/DFGSpeculativeJIT64.cpp:
824         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
825         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
826         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
827         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
828         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
829         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
830         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
831         (JSC::DFG::SpeculativeJIT::compile):
832         * dfg/DFGWatchpointCollectionPhase.cpp: Added.
833         (JSC::DFG::WatchpointCollectionPhase::WatchpointCollectionPhase):
834         (JSC::DFG::WatchpointCollectionPhase::run):
835         (JSC::DFG::WatchpointCollectionPhase::handle):
836         (JSC::DFG::WatchpointCollectionPhase::handleEdge):
837         (JSC::DFG::WatchpointCollectionPhase::handleMasqueradesAsUndefined):
838         (JSC::DFG::WatchpointCollectionPhase::handleStringGetByVal):
839         (JSC::DFG::WatchpointCollectionPhase::addLazily):
840         (JSC::DFG::WatchpointCollectionPhase::globalObject):
841         (JSC::DFG::performWatchpointCollection):
842         * dfg/DFGWatchpointCollectionPhase.h: Added.
843         * ftl/FTLCapabilities.cpp:
844         (JSC::FTL::canCompile):
845         * ftl/FTLLowerDFGToLLVM.cpp:
846         (JSC::FTL::LowerDFGToLLVM::compileNode):
847         (JSC::FTL::LowerDFGToLLVM::compileStructureTransitionWatchpoint):
848         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
849         (JSC::FTL::LowerDFGToLLVM::compileGlobalVarWatchpoint):
850         (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
851         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
852         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
853         (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
854         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
855         (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
856         * jit/JITOperations.cpp:
857         * jit/JumpReplacementWatchpoint.cpp: Removed.
858         * jit/JumpReplacementWatchpoint.h: Removed.
859
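As an added illustration (not JavaScriptCore code; the class names follow the entry above but are simplified stand-ins, and the two-set scenario is constructed), this models the inversion the entry describes: a fired WatchpointSet jettisons the CodeBlock, which patches every InvalidationPoint at once, so both fresh calls and frames returning into the block land in baseline code.

```cpp
// Added example, not JavaScriptCore code: a simplified model of the
// InvalidationPoint scheme. Names mirror the ChangeLog entry (WatchpointSet,
// CodeBlockJettisoningWatchpoint, JumpReplacement, jettison) but the classes
// are stand-ins, not the real ones.
#include <iostream>
#include <memory>
#include <string>
#include <vector>

struct Watchpoint {
    virtual ~Watchpoint() {}
    virtual void fireInternal() = 0;
};

// A fact the optimized code relies on (e.g. "this global never changes").
// Firing it invalidates the set and notifies each registered watchpoint once.
class WatchpointSet {
public:
    bool isStillValid() const { return m_valid; }
    void add(Watchpoint* wp) { m_watchpoints.push_back(wp); }
    void fireAll() {
        if (!m_valid) return;
        m_valid = false;
        std::vector<Watchpoint*> fired;
        fired.swap(m_watchpoints);
        for (Watchpoint* wp : fired) wp->fireInternal();
    }
private:
    bool m_valid = true;
    std::vector<Watchpoint*> m_watchpoints;
};

// One call-return safe exit point. Until the block is jettisoned the patched
// instruction is a no-op; afterwards it is a jump to OSR exit.
struct JumpReplacement {
    bool fired = false;
    void fire() { fired = true; }
};

class CodeBlock {
public:
    explicit CodeBlock(unsigned invalidationPointCount) : m_points(invalidationPointCount) {}
    // All-or-nothing: the entrypoint flips to baseline and every invalidation
    // point is patched together, so a frame already on the stack cannot keep
    // running optimized code past its next safe point either.
    void jettison() {
        if (m_jettisoned) return;
        m_jettisoned = true;
        for (JumpReplacement& point : m_points) point.fire();
    }
    std::string callInto() const { return m_jettisoned ? "baseline" : "optimized"; }
    std::string returnInto(unsigned point) const {
        return m_points.at(point).fired ? "osr-exit-to-baseline" : "continue-optimized";
    }
private:
    bool m_jettisoned = false;
    std::vector<JumpReplacement> m_points;
};

// The only thing a DFG watchpoint does now: when its set fires, jettison the block.
struct CodeBlockJettisoningWatchpoint : Watchpoint {
    explicit CodeBlockJettisoningWatchpoint(CodeBlock& cb) : m_codeBlock(cb) {}
    void fireInternal() override { m_codeBlock.jettison(); }
    CodeBlock& m_codeBlock;
};

struct ScenarioResult { std::string callBefore, returnBefore, callAfter, returnAfter; bool otherSetStillValid; };

// Constructed scenario: an optimized block depends on two sets; firing just one of
// them must invalidate the whole block, for new calls and for a frame returning into it.
ScenarioResult runScenario() {
    WatchpointSet structureSet, globalVarSet;
    std::vector<WatchpointSet*> desired = { &structureSet, &globalVarSet }; // collected at compile time
    CodeBlock block(3); // three invalidation points were injected into this block
    std::vector<std::unique_ptr<Watchpoint>> owner;
    // Link time (stand-in for DesiredWatchpoints::reallyAdd): abandon the compile if a
    // set fired meanwhile, else register one jettisoning watchpoint with every set.
    for (WatchpointSet* set : desired)
        if (!set->isStillValid()) return ScenarioResult{ "abandoned", "", "", "", false };
    for (WatchpointSet* set : desired) {
        owner.emplace_back(new CodeBlockJettisoningWatchpoint(block));
        set->add(owner.back().get());
    }
    ScenarioResult r;
    r.callBefore = block.callInto();
    r.returnBefore = block.returnInto(1);
    structureSet.fireAll(); // e.g. the watched structure transitioned
    r.callAfter = block.callInto();
    r.returnAfter = block.returnInto(1);
    r.otherSetStillValid = globalVarSet.isStillValid();
    return r;
}

int main() {
    ScenarioResult r = runScenario();
    std::cout << r.callBefore << "/" << r.returnBefore << " -> " << r.callAfter << "/" << r.returnAfter << "\n";
}
```
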
860 2013-10-25  Mark Hahnenberg  <mhahnenberg@apple.com>
861
862         JSExport doesn't support constructors
863         https://bugs.webkit.org/show_bug.cgi?id=123380
864
865         Reviewed by Geoffrey Garen.
866
867         Support for constructor-style callbacks for the Objective-C API to JSC is currently limited to 
868         Objective-C blocks. Any clients who try to call the constructor of a JSExport-ed Objective-C class 
869         are met with a type error stating that it cannot be called as a constructor.
870
871         It would be nice to expand JSExport's functionality to support this idiom. It is a natural 
872         extension to JSExport and would increase the expressiveness and simplicity in both Objective-C and 
873         JavaScript client code.
874
875         The way we'll do this is to expand the capabilities of ObjCCallbackFunction and associated classes. 
876         Instead of constructing a normal C API object for the constructor, we'll instead allocate a full-blown 
877         ObjCCallbackFunction object which can already properly handle being invoked as a constructor.
878
879         * API/JSWrapperMap.mm:
880         (copyMethodsToObject):
881         (allocateConstructorForCustomClass):
882         (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
883         (tryUnwrapObjcObject):
884         * API/ObjCCallbackFunction.h:
885         (JSC::ObjCCallbackFunction::impl):
886         * API/ObjCCallbackFunction.mm:
887         (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
888         (JSC::ObjCCallbackFunctionImpl::wrappedConstructor):
889         (JSC::ObjCCallbackFunctionImpl::isConstructible):
890         (JSC::ObjCCallbackFunction::getConstructData):
891         (JSC::ObjCCallbackFunctionImpl::name):
892         (JSC::ObjCCallbackFunctionImpl::call):
893         (objCCallbackFunctionForInvocation):
894         (objCCallbackFunctionForInit):
895         (tryUnwrapConstructor):
896         * API/tests/testapi.mm:
897         (-[TextXYZ initWithString:]):
898         (-[ClassA initWithA:]):
899         (-[ClassB initWithA:b:]):
900         (-[ClassC initWithA:]):
901         (-[ClassC initWithA:b:]):
902
903 2013-10-30  peavo@outlook.com  <peavo@outlook.com>
904
905         [Win] Compile errors when enabling DFG JIT.
906         https://bugs.webkit.org/show_bug.cgi?id=120998
907
908         Reviewed by Brent Fulgham.
909
910         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added files.
911         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
912         * dfg/DFGAllocator.h: Removed scope.
913         * dfg/DFGWorklist.cpp: Use new ThreadingOnce class instead of pthread_once.
914         (JSC::DFG::globalWorklist):
915         * heap/DeferGC.h: Link fix, member needs to be public.
916         * jit/JITOperationWrappers.h: Added required assembler macros.
917
918 2013-10-30  Iago Toral Quiroga  <itoral@igalia.com>
919
920         Add result caching for Math.cos
921         https://bugs.webkit.org/show_bug.cgi?id=123255
922
923         Reviewed by Brent Fulgham.
924
925         * runtime/MathObject.cpp:
926         (JSC::mathProtoFuncCos):
927         * runtime/VM.h:
928
929 2013-10-30  Alex Christensen  <achristensen@webkit.org>
930
931         Disabled JIT on Win64.
932         https://bugs.webkit.org/show_bug.cgi?id=122472
933
934         Reviewed by Geoffrey Garen.
935
936         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
937         Disabled building JITStubsMSVC64.
938
939 2013-10-29  Michael Saboff  <msaboff@apple.com>
940
941         Change local variable register allocation to start at offset -1
942         https://bugs.webkit.org/show_bug.cgi?id=123182
943
944         Reviewed by Geoffrey Garen.
945
946         Adjusted the virtual register mapping down by one slot.  Reduced
947         the CallFrame header slots offsets by one.  They now start at 0.
948         Changed arity fixup to no longer skip passed register slot 0 as this
949         is now part of the CallFrame header.
950
951         * bytecode/VirtualRegister.h:
952         (JSC::operandIsLocal):
953         (JSC::operandIsArgument):
954         (JSC::VirtualRegister::localToOperand):
955         (JSC::VirtualRegister::operandToLocal):
956           Adjusted functions for shift in mapping from local to register offset.
957
958         * dfg/DFGByteCodeParser.cpp:
959         (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
960         (JSC::DFG::ByteCodeParser::addCall):
961         (JSC::DFG::ByteCodeParser::handleInlining):
962         (JSC::DFG::ByteCodeParser::parseBlock):
963         * dfg/DFGVariableEventStream.cpp:
964         (JSC::DFG::VariableEventStream::reconstruct):
965         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
966         (JSC::DFG::VirtualRegisterAllocationPhase::run):
967         * interpreter/CallFrame.h:
968         (JSC::ExecState::frameExtent):
969         (JSC::ExecState::offsetFor):
970         * interpreter/Interpreter.cpp:
971         (JSC::loadVarargs):
972         (JSC::Interpreter::dumpRegisters):
973         (JSC::Interpreter::executeCall):
974         * llint/LLIntData.cpp:
975         (JSC::LLInt::Data::performAssertions):
976         * llint/LowLevelInterpreter.asm:
977           Adjusted math to accommodate the shift in call frame slots.
978
979         * dfg/DFGJITCompiler.cpp:
980         (JSC::DFG::JITCompiler::compileFunction):
981         * dfg/DFGSpeculativeJIT.h:
982         (JSC::DFG::SpeculativeJIT::calleeFrameOffset):
983         * interpreter/CallFrame.cpp:
984         (JSC::CallFrame::frameExtentInternal):
985         * interpreter/JSStackInlines.h:
986         (JSC::JSStack::pushFrame):
987         * jit/JIT.cpp:
988         (JSC::JIT::privateCompile):
989         * jit/JITOperations.cpp:
990         * llint/LLIntSlowPaths.cpp:
991         (JSC::LLInt::llint_slow_path_stack_check):
992         * runtime/CommonSlowPaths.h:
993         (JSC::CommonSlowPaths::arityCheckFor):
994           Fixed offset calculation to use VirtualRegister and related calculation instead of
995           doing separate calculations.
996
997         * interpreter/JSStack.h:
998           Adjusted CallFrame slots down by one.  Did some miscellaneous fixing of dumpRegisters()
999           in the process of testing the fixes.
1000
1001         * jit/ThunkGenerators.cpp:
1002         (JSC::arityFixup):
1003           Changed arity fixup to no longer skip passed register slot 0 as this
1004           is now part of the CallFrame header.
1005
1006         * llint/LowLevelInterpreter32_64.asm:
1007         * llint/LowLevelInterpreter64.asm:
1008           Changed arity fixup to no longer skip passed register slot 0 as this
1009           is now part of the CallFrame header.  Updated op_enter processing for
1010           the change in local registers.
1011
1012         * runtime/JSGlobalObject.h:
1013           Removed the now unneeded extra slot in the global callframe.
1014
1015 2013-10-29  Julien Brianceau  <jbriance@cisco.com>
1016
1017         [arm] Fix lots of crashes because of 4th argument register trampling.
1018         https://bugs.webkit.org/show_bug.cgi?id=123421
1019
1020         Reviewed by Michael Saboff.
1021
1022         r3 register is the 4th argument register for ARM and also a scratch
1023         register in the baseline JIT for this architecture. We can use r6
1024         instead, as this used to be the timeoutCheckRegister and it is no
1025         longer used since r148119.
1026
1027         * assembler/ARMAssembler.h: Temp register is now r6 instead of r3 for ARM.
1028         * assembler/MacroAssemblerARMv7.h: Temp register is now r6 instead of r3 for ARMv7.
1029         * jit/GPRInfo.h: Add r3 properly in GPRInfo for ARM.
1030         (JSC::GPRInfo::toRegister):
1031         (JSC::GPRInfo::toIndex):
1032         * jit/JITStubsARM.h:
1033         (JSC::ctiTrampoline): Remove obsolete timeoutCheckRegister init.
1034         * jit/JITStubsARMv7.h:
1035         (JSC::ctiTrampoline): Remove obsolete timeoutCheckRegister init.
1036         * jit/JSInterfaceJIT.h: Remove useless stuff.
1037         * yarr/YarrJIT.cpp: Use r3 and not the new scratch register r6.
1038         (JSC::Yarr::YarrGenerator::generateEnter): r8 register doesn't need to be saved.
1039         (JSC::Yarr::YarrGenerator::generateReturn):
1040
1041 2013-10-29  Julien Brianceau  <jbriance@cisco.com>
1042
1043         Fix CPU(ARM_TRADITIONAL) build after r157690.
1044         https://bugs.webkit.org/show_bug.cgi?id=123247
1045
1046         Reviewed by Michael Saboff.
1047
1048         Since r157690, the executableCopy function has been removed from AssemblerBuffer.h
1049         and the copy of executable code occurs in the linkCode function (in LinkBuffer.cpp).
1050         As the constant pool for jumps is updated in the executableCopy function of ARM_TRADITIONAL,
1051         this part of code still needs to be called and absolute jumps must be corrected to anticipate
1052         the copy of the executable code through memcpy.
1053
1054         * assembler/ARMAssembler.cpp:
1055         (JSC::ARMAssembler::prepareExecutableCopy): Rename executableCopy to prepareExecutableCopy
1056         and correct absolute jump values using the delta between the source and destination buffers.
1057         * assembler/ARMAssembler.h:
1058         * assembler/LinkBuffer.cpp:
1059         (JSC::LinkBuffer::linkCode): Call prepareExecutableCopy just before the memcpy.
1060
1061 2013-10-28  Filip Pizlo  <fpizlo@apple.com>
1062
1063         OSRExit::m_watchpointIndex should be in OSRExitCompilationInfo
1064         https://bugs.webkit.org/show_bug.cgi?id=123423
1065
1066         Reviewed by Mark Hahnenberg.
1067         
1068         Also enable ExitKind to tell you if it's a watchpoint.
1069
1070         * bytecode/ExitKind.cpp:
1071         (JSC::exitKindToString):
1072         * bytecode/ExitKind.h:
1073         (JSC::isWatchpoint):
1074         * dfg/DFGByteCodeParser.cpp:
1075         (JSC::DFG::ByteCodeParser::setLocal):
1076         (JSC::DFG::ByteCodeParser::setArgument):
1077         (JSC::DFG::ByteCodeParser::handleCall):
1078         (JSC::DFG::ByteCodeParser::handleGetById):
1079         (JSC::DFG::ByteCodeParser::parseBlock):
1080         * dfg/DFGJITCompiler.cpp:
1081         (JSC::DFG::JITCompiler::linkOSRExits):
1082         (JSC::DFG::JITCompiler::link):
1083         * dfg/DFGJITCompiler.h:
1084         (JSC::DFG::JITCompiler::appendExitInfo):
1085         * dfg/DFGOSRExit.cpp:
1086         (JSC::DFG::OSRExit::OSRExit):
1087         * dfg/DFGOSRExit.h:
1088         * dfg/DFGOSRExitCompilationInfo.h:
1089         (JSC::DFG::OSRExitCompilationInfo::OSRExitCompilationInfo):
1090         * dfg/DFGOSRExitCompiler.cpp:
1091         * dfg/DFGSpeculativeJIT.cpp:
1092         (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
1093         * dfg/DFGSpeculativeJIT32_64.cpp:
1094         (JSC::DFG::SpeculativeJIT::compile):
1095         * dfg/DFGSpeculativeJIT64.cpp:
1096         (JSC::DFG::SpeculativeJIT::compile):
1097
1098 2013-10-28  Myles C. Maxfield  <mmaxfield@apple.com>
1099
1100         Parsing support for -webkit-text-decoration-skip: ink
1101         https://bugs.webkit.org/show_bug.cgi?id=123358
1102
1103         Reviewed by Dean Jackson.
1104
1105         Adding ENABLE(CSS3_TEXT_DECORATION)
1106
1107         * Configurations/FeatureDefines.xcconfig:
1108
1109 2013-10-24  Filip Pizlo  <fpizlo@apple.com>
1110
1111         Get rid of InlineStart so that I don't have to implement it in FTL
1112         https://bugs.webkit.org/show_bug.cgi?id=123302
1113
1114         Reviewed by Geoffrey Garen.
1115         
1116         InlineStart was a special instruction that we would insert at the top of inlined code,
1117         so that the backend could capture the OSR state of arguments to an inlined call. It used
1118         to be that only the backend had this information, so this instruction was sort of an ugly
1119         callback from the backend for filling in some data structures.
1120         
1121         But in the time since when that code was written (two years ago?), we rationalized how
1122         variables work. It's now the case that variables that the runtime must know about are
1123         treated specially in IR (they are "flushed") and we know how we will represent them even
1124         before we get to the backend. The last place that makes changes to their representation
1125         is the StackLayoutPhase.
1126         
1127         So, this patch gets rid of InlineStart, but keeps around the special meta-data that the
1128         instruction had. Instead of handling the bookkeeping in the backend, we handle it in
1129         StackLayoutPhase. This means that the DFG and FTL can share code for handling this
1130         bookkeeping. This also means that now the FTL can compile code blocks that had inlining.
1131         
1132         Of course, giving the FTL the ability to handle code blocks that had inlining means that
1133         we're going to have new bugs. Sure enough, the FTL's linker didn't handle inline call
1134         frames. This patch also fixes that.
1135
1136         * dfg/DFGAbstractInterpreterInlines.h:
1137         (JSC::DFG::::executeEffects):
1138         * dfg/DFGByteCodeParser.cpp:
1139         (JSC::DFG::ByteCodeParser::handleInlining):
1140         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1141         * dfg/DFGClobberize.h:
1142         (JSC::DFG::clobberize):
1143         * dfg/DFGFixupPhase.cpp:
1144         (JSC::DFG::FixupPhase::fixupNode):
1145         * dfg/DFGGraph.h:
1146         * dfg/DFGNode.h:
1147         * dfg/DFGNodeType.h:
1148         * dfg/DFGPredictionPropagationPhase.cpp:
1149         (JSC::DFG::PredictionPropagationPhase::propagate):
1150         * dfg/DFGSafeToExecute.h:
1151         (JSC::DFG::safeToExecute):
1152         * dfg/DFGSpeculativeJIT.cpp:
1153         * dfg/DFGSpeculativeJIT.h:
1154         * dfg/DFGSpeculativeJIT32_64.cpp:
1155         (JSC::DFG::SpeculativeJIT::compile):
1156         * dfg/DFGSpeculativeJIT64.cpp:
1157         (JSC::DFG::SpeculativeJIT::compile):
1158         * dfg/DFGStackLayoutPhase.cpp:
1159         (JSC::DFG::StackLayoutPhase::run):
1160         * ftl/FTLLink.cpp:
1161         (JSC::FTL::link):
1162
1163 2013-10-24  Filip Pizlo  <fpizlo@apple.com>
1164
1165         The GetById->GetByOffset AI-based optimization should actually do things
1166         https://bugs.webkit.org/show_bug.cgi?id=123299
1167
1168         Reviewed by Oliver Hunt.
1169         
1170         20% speed-up on Octane/gbemu.
1171
1172         * bytecode/GetByIdStatus.cpp:
1173         (JSC::GetByIdStatus::computeFor): Actually finish filling in the Status by setting the state. Previously it would remain set to NoInformation, meaning that this whole method was a no-op.
1174
1175 2013-10-28  Carlos Garcia Campos  <cgarcia@igalia.com>
1176
1177         Unreviewed. Fix make distcheck.
1178
1179         * GNUmakefile.list.am: Add missing files to compilation.
1180
1181 2013-10-25  Oliver Hunt  <oliver@apple.com>
1182
1183         Refactor parser rollback logic
1184         https://bugs.webkit.org/show_bug.cgi?id=123372
1185
1186         Reviewed by Brady Eidson.
1187
1188         Add a sane abstraction for rollbacks in the parser.
1189
1190         * parser/Parser.cpp:
1191         (JSC::::parseSourceElements):
1192         (JSC::::parseObjectLiteral):
1193         * parser/Parser.h:
1194         (JSC::Parser::createSavePoint):
1195         (JSC::Parser::restoreSavePoint):
1196
1197 2013-10-25  peavo@outlook.com  <peavo@outlook.com>
1198
1199         [Win] Javascript crash with DFG JIT enabled.
1200         https://bugs.webkit.org/show_bug.cgi?id=121001
1201
1202         Reviewed by Geoffrey Garen.
1203
1204         On Windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0),
1205         results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
1206         where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
1207         This causes the register to be written to address 0, hence the crash.
1208   
1209         * assembler/MacroAssemblerX86.h:
1210         (JSC::MacroAssemblerX86::storeDouble): Assert if we try to generate code which writes to a null pointer.
1211         * dfg/DFGOSRExitCompiler32_64.cpp:
1212         (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
1213         * dfg/DFGThunks.cpp:
1214         (JSC::DFG::osrExitGenerationThunkGenerator): Ditto.
1215
1216 2013-10-25  Oliver Hunt  <oliver@apple.com>
1217
1218         Fix a number of problems with destructuring of arguments
1219         https://bugs.webkit.org/show_bug.cgi?id=123357
1220
1221         Reviewed by Filip Pizlo.
1222
1223         This renames the destructuring node's emitBytecode to bindValue
1224         in order to remove the existing confusion over what was happening.
1225
1226         We then fix an incorrect fall through in the destructuring arguments
1227         logic, and fix the then exposed bug where we placed the index rather
1228         than value into the bound property.
1229
1230         * bytecompiler/BytecodeGenerator.cpp:
1231         (JSC::BytecodeGenerator::BytecodeGenerator):
1232         * bytecompiler/NodesCodegen.cpp:
1233         (JSC::ForInNode::emitBytecode):
1234         (JSC::ForOfNode::emitBytecode):
1235         (JSC::DeconstructingAssignmentNode::emitBytecode):
1236         (JSC::ArrayPatternNode::bindValue):
1237         (JSC::ArrayPatternNode::emitDirectBinding):
1238         (JSC::ObjectPatternNode::bindValue):
1239         (JSC::BindingNode::bindValue):
1240         * parser/Nodes.h:
1241
1242 2013-10-25  Joseph Pecoraro  <pecoraro@apple.com>
1243
1244         Upstream ENABLE(REMOTE_INSPECTOR) and enable on iOS and Mac
1245         https://bugs.webkit.org/show_bug.cgi?id=123111
1246
1247         Reviewed by Timothy Hatcher.
1248
1249         * Configurations/FeatureDefines.xcconfig:
1250
1251 2013-10-25  Oliver Hunt  <oliver@apple.com>
1252
1253         Fix MSVC again
1254
1255         * parser/Parser.cpp:
1256
1257 2013-10-25  Oliver Hunt  <oliver@apple.com>
1258
1259         Fix MSVC
1260
1261         * parser/Parser.cpp:
1262
1263 2013-10-25  Oliver Hunt  <oliver@apple.com>
1264
1265         Improve JSC Parser error messages
1266         https://bugs.webkit.org/show_bug.cgi?id=123341
1267
1268         Reviewed by Andreas Kling.
1269
1270         This patch moves away from the current kludgy mechanisms used to produce
1271         error messages and moves to something closer to case by case errors.
1272
1273         This results in a large change size as previously we may just have
1274         'failIfFalse(foo)', but now the logic becomes either
1275         'failIfFalseWithMessage(foo, "Cannot do blah with ", foo->thing())'
1276         Or alternatively
1277
1278         if (!foo)
1279             check for 'interesting' errors, before falling back to generic error
1280
1281         This means that this patch is large, but produces no semantic changes, and
1282         only hits slow (e.g. error) paths.
1283
1284         * parser/Parser.cpp:
1285         (JSC::::Parser):
1286         (JSC::::parseSourceElements):
1287         (JSC::::parseVarDeclaration):
1288         (JSC::::parseConstDeclaration):
1289         (JSC::::parseDoWhileStatement):
1290         (JSC::::parseWhileStatement):
1291         (JSC::::parseVarDeclarationList):
1292         (JSC::::createBindingPattern):
1293         (JSC::::parseDeconstructionPattern):
1294         (JSC::::parseConstDeclarationList):
1295         (JSC::::parseForStatement):
1296         (JSC::::parseBreakStatement):
1297         (JSC::::parseContinueStatement):
1298         (JSC::::parseReturnStatement):
1299         (JSC::::parseThrowStatement):
1300         (JSC::::parseWithStatement):
1301         (JSC::::parseSwitchStatement):
1302         (JSC::::parseSwitchClauses):
1303         (JSC::::parseSwitchDefaultClause):
1304         (JSC::::parseTryStatement):
1305         (JSC::::parseDebuggerStatement):
1306         (JSC::::parseBlockStatement):
1307         (JSC::::parseStatement):
1308         (JSC::::parseFormalParameters):
1309         (JSC::::parseFunctionBody):
1310         (JSC::stringForFunctionMode):
1311         (JSC::::parseFunctionInfo):
1312         (JSC::::parseFunctionDeclaration):
1313         (JSC::::parseExpressionOrLabelStatement):
1314         (JSC::::parseExpressionStatement):
1315         (JSC::::parseIfStatement):
1316         (JSC::::parseExpression):
1317         (JSC::::parseAssignmentExpression):
1318         (JSC::::parseConditionalExpression):
1319         (JSC::::parseBinaryExpression):
1320         (JSC::::parseProperty):
1321         (JSC::::parseObjectLiteral):
1322         (JSC::::parseStrictObjectLiteral):
1323         (JSC::::parseArrayLiteral):
1324         (JSC::::parsePrimaryExpression):
1325         (JSC::::parseArguments):
1326         (JSC::::parseMemberExpression):
1327         (JSC::operatorString):
1328         (JSC::::parseUnaryExpression):
1329         (JSC::::printUnexpectedTokenText):
1330         * parser/Parser.h:
1331         (JSC::Scope::hasDeclaredVariable):
1332         (JSC::Scope::hasDeclaredParameter):
1333         (JSC::Parser::hasDeclaredVariable):
1334         (JSC::Parser::hasDeclaredParameter):
1335         (JSC::Parser::setErrorMessage):
1336
1337 2013-10-24  Mark Rowe  <mrowe@apple.com>
1338
1339         Remove references to OS X 10.7 from Xcode configuration settings.
1340
1341         Now that we're not building for OS X 10.7 they're no longer needed.
1342
1343         Reviewed by Anders Carlsson.
1344
1345         * Configurations/Base.xcconfig:
1346         * Configurations/DebugRelease.xcconfig:
1347         * Configurations/FeatureDefines.xcconfig:
1348         * Configurations/Version.xcconfig:
1349
1350 2013-10-24  Mark Rowe  <mrowe@apple.com>
1351
1352         <rdar://problem/15312643> Prepare for the mysterious future.
1353
1354         Reviewed by David Kilzer.
1355
1356         * Configurations/Base.xcconfig:
1357         * Configurations/DebugRelease.xcconfig:
1358         * Configurations/FeatureDefines.xcconfig:
1359         * Configurations/Version.xcconfig:
1360
1361 2013-10-24  Mark Lam  <mark.lam@apple.com>
1362
1363         Better way to fix part of broken C Loop LLINT build.
1364         https://bugs.webkit.org/show_bug.cgi?id=123271.
1365
1366         Reviewed by Geoffrey Garen.
1367
1368         Undoing offline asm hackery.
1369
1370         * llint/LowLevelInterpreter.cpp:
1371         * llint/LowLevelInterpreter32_64.asm:
1372         * llint/LowLevelInterpreter64.asm:
1373         * offlineasm/cloop.rb:
1374         * offlineasm/instructions.rb:
1375
1376 2013-10-24  Mark Lam  <mark.lam@apple.com>
1377
1378         Fix broken C Loop LLINT build.
1379         https://bugs.webkit.org/show_bug.cgi?id=123271.
1380
1381         Reviewed by Michael Saboff.
1382
1383         * bytecode/CodeBlock.cpp:
1384         (JSC::CodeBlock::printGetByIdCacheStatus): Added an UNUSED_PARAM().
1385         (JSC::CodeBlock::dumpBytecode): Added #if ENABLE(JIT) to JIT only code.
1386         * bytecode/GetByIdStatus.cpp:
1387         (JSC::GetByIdStatus::computeFor): Added an UNUSED_PARAM().
1388         * bytecode/PutByIdStatus.cpp:
1389         (JSC::PutByIdStatus::computeFor): Added an UNUSED_PARAM().
1390         * bytecode/StructureStubInfo.h:
1391         - Added a stub StubInfoMap for non-JIT builds. StubInfoMap is still used
1392           in function prototypes even when !ENABLE(JIT). Rather than adding #if's
1393           in many places, we just provide a stub/placeholder implementation that
1394           is unused but keeps the compiler happy.
1395         * jit/JITOperations.h: Added #if ENABLE(JIT).
1396         * llint/LowLevelInterpreter32_64.asm:
1397         * llint/LowLevelInterpreter64.asm:
1398         - The putByVal() macro reifies a slow path which is never taken in one case.
1399           This translates into a label that is never used in the C Loop LLINT. The
1400           C++ compiler doesn't like unused labels. So, we fix this by adding a
1401           cloopUnusedLabel offline asm instruction that synthesizes the following:
1402
1403               if (false) goto unusedLabel;
1404
1405           This keeps the C++ compiler happy without changing code behavior.
1406         * offlineasm/cloop.rb: Implementing cloopUnusedLabel.
1407         * offlineasm/instructions.rb: Declaring cloopUnusedLabel.
1408         * runtime/Executable.cpp:
1409         (JSC::setupJIT): Added UNUSED_PARAM()s.
1410         (JSC::ScriptExecutable::prepareForExecutionImpl):
1411         - run-javascriptcore-tests has phases that force the LLINT to be off
1412           which in turn asserts that the JIT is enabled. With the C Loop LLINT,
1413           this combination is illegal. So, we override the setup code here to
1414           always use the LLINT if !ENABLE(JIT) regardless of what options are
1415           passed in.
1416
1417 2013-10-24  peavo@outlook.com  <peavo@outlook.com>
1418
1419         Uninitialized member causes crash when DFG JIT is not enabled.
1420         https://bugs.webkit.org/show_bug.cgi?id=123270
1421
1422         Reviewed by Brent Fulgham.
1423
1424         The data member sizeOfLastScratchBuffer in the VM class is only initialized if DFG JIT is enabled, even though it's defined regardless.
1425         This causes an early crash on Windows, which doesn't have DFG JIT enabled.
1426
1427         * runtime/VM.cpp:
1428         (JSC::VM::VM): Initialize sizeOfLastScratchBuffer member regardless of whether DFG JIT is enabled.
1429
1430 2013-10-24  Ryuan Choi  <ryuan.choi@samsung.com>
1431
1432         [EFL] Build break with latest EFL 1.8 libraries.
1433         https://bugs.webkit.org/show_bug.cgi?id=123245
1434
1435         Reviewed by Gyuyoung Kim.
1436
1437         After the build break on EFL 1.8 was fixed at r138326, the EFL libraries changed the
1438         Eo typedef and split the header files which contain the version macro.
1439
1440         * PlatformEfl.cmake: Added EO path to include directories.
1441         * heap/HeapTimer.h: Changed Ecore_Timer typedef when EO exists.
1442
1443 2013-10-23  Filip Pizlo  <fpizlo@apple.com>
1444
1445         Put all uses of LLVM intrinsics behind a single Option
1446         https://bugs.webkit.org/show_bug.cgi?id=123219
1447
1448         Reviewed by Mark Hahnenberg.
1449
1450         * ftl/FTLExitThunkGenerator.cpp:
1451         (JSC::FTL::ExitThunkGenerator::emitThunk):
1452         * ftl/FTLLowerDFGToLLVM.cpp:
1453         (JSC::FTL::generateExitThunks):
1454         (JSC::FTL::LowerDFGToLLVM::compileGetById):
1455         (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
1456         (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
1457         * ftl/FTLOSRExitCompiler.cpp:
1458         (JSC::FTL::compileFTLOSRExit):
1459         * runtime/Options.h:
1460
1461 2013-10-23  Daniel Bates  <dabates@apple.com>
1462
1463         Fix JavaScriptCore build targets following <http://trac.webkit.org/changeset/157864>
1464         (https://bugs.webkit.org/show_bug.cgi?id=123169)
1465
1466         Tell Xcode that the supported platforms for all JavaScriptCore targets are iOS and OS X.
1467
1468         * Configurations/Base.xcconfig:
1469
1470 2013-10-23  Michael Saboff  <msaboff@apple.com>
1471
1472         LLInt arity check exception processing should start unwinding from caller
1473         https://bugs.webkit.org/show_bug.cgi?id=123209
1474
1475         Reviewed by Oliver Hunt.
1476
1477         Use the caller frame returned from slow_path_call_arityCheck to process exceptions.
1478
1479         * llint/LowLevelInterpreter32_64.asm:
1480         * llint/LowLevelInterpreter64.asm:
1481
1482 2013-10-22  Filip Pizlo  <fpizlo@apple.com>
1483
1484         FTL should be able to do some simple inline caches using LLVM patchpoints
1485         https://bugs.webkit.org/show_bug.cgi?id=123164
1486
1487         Reviewed by Mark Hahnenberg.
1488         
1489         This implements GetById inline caches in the FTL using llvm.webkit.patchpoint.
1490         
1491         The idea is that we ask LLVM for a nop slide the size of a GetById inline
1492         cache and then fill in the code after LLVM compilation is complete. For now, we
1493         just use the system calling convention for the arguments and return. We also
1494         still make some assumptions about registers that aren't correct. But, most of
1495         the scaffolding is there and this will successfully patch an inline cache.
1496
1497         * JavaScriptCore.xcodeproj/project.pbxproj:
1498         * assembler/AbstractMacroAssembler.h:
1499         * assembler/LinkBuffer.cpp:
1500         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
1501         (JSC::LinkBuffer::linkCode):
1502         (JSC::LinkBuffer::allocate):
1503         * assembler/LinkBuffer.h:
1504         (JSC::LinkBuffer::LinkBuffer):
1505         (JSC::LinkBuffer::link):
1506         * ftl/FTLAbbreviations.h:
1507         (JSC::FTL::constNull):
1508         (JSC::FTL::buildCall):
1509         * ftl/FTLCapabilities.cpp:
1510         (JSC::FTL::canCompile):
1511         * ftl/FTLCompile.cpp:
1512         (JSC::FTL::fixFunctionBasedOnStackMaps):
1513         * ftl/FTLInlineCacheDescriptor.h: Added.
1514         (JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
1515         (JSC::FTL::GetByIdDescriptor::GetByIdDescriptor):
1516         (JSC::FTL::GetByIdDescriptor::stackmapID):
1517         (JSC::FTL::GetByIdDescriptor::codeOrigin):
1518         (JSC::FTL::GetByIdDescriptor::uid):
1519         * ftl/FTLInlineCacheSize.cpp: Added.
1520         (JSC::FTL::sizeOfGetById):
1521         (JSC::FTL::sizeOfPutById):
1522         * ftl/FTLInlineCacheSize.h: Added.
1523         * ftl/FTLIntrinsicRepository.h:
1524         * ftl/FTLJITFinalizer.cpp:
1525         (JSC::FTL::JITFinalizer::finalizeFunction):
1526         * ftl/FTLJITFinalizer.h:
1527         * ftl/FTLLocation.cpp:
1528         (JSC::FTL::Location::directGPR):
1529         * ftl/FTLLocation.h:
1530         * ftl/FTLLowerDFGToLLVM.cpp:
1531         (JSC::FTL::LowerDFGToLLVM::compileGetById):
1532         * ftl/FTLOutput.h:
1533         (JSC::FTL::Output::call):
1534         * ftl/FTLSlowPathCall.cpp: Added.
1535         (JSC::FTL::callOperation):
1536         * ftl/FTLSlowPathCall.h: Added.
1537         (JSC::FTL::SlowPathCall::SlowPathCall):
1538         (JSC::FTL::SlowPathCall::call):
1539         (JSC::FTL::SlowPathCall::key):
1540         * ftl/FTLSlowPathCallKey.cpp: Added.
1541         (JSC::FTL::SlowPathCallKey::dump):
1542         * ftl/FTLSlowPathCallKey.h: Added.
1543         (JSC::FTL::SlowPathCallKey::SlowPathCallKey):
1544         (JSC::FTL::SlowPathCallKey::usedRegisters):
1545         (JSC::FTL::SlowPathCallKey::callTarget):
1546         (JSC::FTL::SlowPathCallKey::offset):
1547         (JSC::FTL::SlowPathCallKey::isEmptyValue):
1548         (JSC::FTL::SlowPathCallKey::isDeletedValue):
1549         (JSC::FTL::SlowPathCallKey::operator==):
1550         (JSC::FTL::SlowPathCallKey::hash):
1551         (JSC::FTL::SlowPathCallKeyHash::hash):
1552         (JSC::FTL::SlowPathCallKeyHash::equal):
1553         * ftl/FTLStackMaps.cpp:
1554         (JSC::FTL::StackMaps::Location::directGPR):
1555         * ftl/FTLStackMaps.h:
1556         * ftl/FTLState.h:
1557         * ftl/FTLThunks.cpp:
1558         (JSC::FTL::slowPathCallThunkGenerator):
1559         * ftl/FTLThunks.h:
1560         (JSC::FTL::Thunks::getSlowPathCallThunk):
1561         * jit/CCallHelpers.h:
1562         (JSC::CCallHelpers::setupArguments):
1563         * jit/GPRInfo.h:
1564         * jit/JITInlineCacheGenerator.cpp:
1565         (JSC::garbageStubInfo):
1566         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
1567         (JSC::JITByIdGenerator::finalize):
1568         * jit/JITInlineCacheGenerator.h:
1569         (JSC::JITByIdGenerator::slowPathBegin):
1570         * jit/RegisterSet.cpp:
1571         (JSC::RegisterSet::stackRegisters):
1572         (JSC::RegisterSet::specialRegisters):
1573         (JSC::RegisterSet::calleeSaveRegisters):
1574         (JSC::RegisterSet::allGPRs):
1575         (JSC::RegisterSet::allFPRs):
1576         (JSC::RegisterSet::allRegisters):
1577         (JSC::RegisterSet::dump):
1578         * jit/RegisterSet.h:
1579         (JSC::RegisterSet::exclude):
1580         (JSC::RegisterSet::numberOfSetRegisters):
1581         (JSC::RegisterSet::RegisterSet):
1582         (JSC::RegisterSet::isEmptyValue):
1583         (JSC::RegisterSet::isDeletedValue):
1584         (JSC::RegisterSet::operator==):
1585         (JSC::RegisterSet::hash):
1586         (JSC::RegisterSetHash::hash):
1587         (JSC::RegisterSetHash::equal):
1588         * runtime/Options.h:
1589
1590 2013-10-22  Filip Pizlo  <fpizlo@apple.com>
1591
1592         jitCompileAndSetHeuristics should DeferGCForAWhile
1593         https://bugs.webkit.org/show_bug.cgi?id=123196
1594
1595         Reviewed by Mark Hahnenberg.
1596         
1597         This fixes random crashes in V8v7/raytrace. I only see those crashes on exactly one of
1598         my machines. I don't think this is testable; we just need to steadily converge towards
1599         getting our uses of DeferGC to be right and then be careful not to regress. We're not
1600         there yet, obviously.
1601         
1602         * llint/LLIntSlowPaths.cpp:
1603         (JSC::LLInt::jitCompileAndSetHeuristics):
1604
1605 2013-10-23  Daniel Bates  <dabates@apple.com>
1606
1607         [iOS] Upstream more JavaScriptCore build configuration changes
1608         https://bugs.webkit.org/show_bug.cgi?id=123169
1609
1610         Reviewed by David Kilzer.
1611
1612         * Configurations/Base.xcconfig:
1613         * Configurations/Version.xcconfig:
1614         * Configurations/iOS.xcconfig: Added.
1615         * JavaScriptCore.xcodeproj/project.pbxproj:
1616
1617 2013-10-23  Daniel Bates  <dabates@apple.com>
1618
1619         [iOS] Export DefaultGCActivityCallback member functions
1620         https://bugs.webkit.org/show_bug.cgi?id=123175
1621
1622         Reviewed by David Kilzer.
1623
1624         * runtime/GCActivityCallback.h:
1625
1626 2013-10-23  Daniel Bates  <dabates@apple.com>
1627
1628         [iOS] Upstream more ARMv7s bits
1629         https://bugs.webkit.org/show_bug.cgi?id=123052
1630
1631         Reviewed by Joseph Pecoraro.
1632
1633         * Configurations/JavaScriptCore.xcconfig:
1634
1635 2013-10-22  Andreas Kling  <akling@apple.com>
1636
1637         Minor VM* -> VM& cleanups in HashTable and Keywords.
1638         <https://webkit.org/b/123183>
1639
1640         Turn some VM* variables that will never be null into VM&.
1641
1642         Reviewed by Geoffrey Garen.
1643
1644 2013-10-22  Geoffrey Garen  <ggaren@apple.com>
1645
1646         REGRESSION: `if (false === (true && undefined)) console.log("wrong!");` logs "wrong!", shouldn't!
1647         https://bugs.webkit.org/show_bug.cgi?id=123179
1648
1649         Reviewed by Mark Hahnenberg.
1650
1651         * parser/NodeConstructors.h:
1652         (JSC::LogicalOpNode::LogicalOpNode):
1653         * parser/ResultType.h:
1654         (JSC::ResultType::forLogicalOp): Don't assume that && produces a boolean.
1655         This is JavaScript (aka Sparta).
1656
1657 2013-10-22  Commit Queue  <commit-queue@webkit.org>
1658
1659         Unreviewed, rolling out r157819.
1660         http://trac.webkit.org/changeset/157819
1661         https://bugs.webkit.org/show_bug.cgi?id=123180
1662
1663         Broke 32-bit builds (Requested by smfr on #webkit).
1664
1665         * Configurations/JavaScriptCore.xcconfig:
1666         * Configurations/ToolExecutable.xcconfig:
1667
1668 2013-10-22  Daniel Bates  <dabates@apple.com>
1669
1670         [iOS] Upstream more ARMv7s bits
1671         https://bugs.webkit.org/show_bug.cgi?id=123052
1672
1673         Reviewed by Joseph Pecoraro.
1674
1675         * Configurations/JavaScriptCore.xcconfig:
1676         * Configurations/ToolExecutable.xcconfig: Enable CLANG_ENABLE_OBJC_ARC for i386 as I'm
1677         modifying a file in JavaScriptCore/Configurations.
1678
1679 2013-10-22  Daniel Bates  <dabates@apple.com>
1680
1681         [iOS] Upstream JSLock changes
1682         https://bugs.webkit.org/show_bug.cgi?id=123107
1683
1684         Reviewed by Geoffrey Garen.
1685
1686         * runtime/JSLock.cpp:
1687         (JSC::JSLock::unlock):
1688         (JSC::JSLock::dropAllLocks): Modified to take a SpinLock, used only on iOS.
1689         (JSC::JSLock::dropAllLocksUnconditionally): Modified to take a SpinLock, used only on iOS. Also
1690         use pre-increment instead of post-increment when we're not using the return value of the instruction.
1691         (JSC::JSLock::grabAllLocks): Modified to take a SpinLock, used only on iOS. Also change
1692         places where we were using post-increment/post-decrement to use pre-increment/pre-decrement,
1693         since we don't use the return value of such instructions.
1694         (JSC::JSLock::DropAllLocks::DropAllLocks): Modified to support releasing all locks unconditionally.
1695         Take a spin lock before releasing all locks on iOS. Also, use nullptr instead of 0.
1696         (JSC::JSLock::DropAllLocks::~DropAllLocks): Take a spin lock before acquiring all locks on iOS.
1697         * runtime/JSLock.h: Remove extraneous argument name "exec" from DropAllLocks as the data type of
1698         the argument is sufficiently descriptive of its purpose.
1699
1700 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1701
1702         [arm] Add missing setupArgumentsWithExecState() prototypes to fix build.
1703         https://bugs.webkit.org/show_bug.cgi?id=123166
1704
1705         Reviewed by Michael Saboff.
1706
1707         * jit/CCallHelpers.h:
1708         (JSC::CCallHelpers::setupArgumentsWithExecState):
1709
1710 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1711
1712         [sh4][mips][arm] Fix crashes in JSC (32-bit only).
1713         https://bugs.webkit.org/show_bug.cgi?id=123165
1714
1715         Reviewed by Michael Saboff.
1716
1717         * jit/JITInlines.h:
1718         (JSC::JIT::callOperationNoExceptionCheck): Add missing EABI_32BIT_DUMMY_ARG.
1719         (JSC::JIT::callOperation): The last TrustedImm32(arg3) is a bit overkill for SH4 :)
1720         (JSC::JIT::callOperation): Add missing EABI_32BIT_DUMMY_ARG.
1721         (JSC::JIT::callOperation): Fix tag and payload order for V_JITOperation_EJJJ prototype.
1722
1723 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1724
1725         REGRESSION(r157690, r157699) Fix architectures using AssemblerBufferWithConstantPool.
1726         https://bugs.webkit.org/show_bug.cgi?id=123092
1727
1728         Reviewed by Michael Saboff.
1729
1730         Impacted architectures are SH4 and ARM_TRADITIONAL.
1731
1732         * assembler/ARMAssembler.h:
1733         (JSC::ARMAssembler::buffer):
1734         * assembler/AssemblerBufferWithConstantPool.h:
1735         (JSC::AssemblerBufferWithConstantPool::flushConstantPool):
1736         * assembler/LinkBuffer.cpp:
1737         (JSC::LinkBuffer::linkCode):
1738         * assembler/SH4Assembler.h:
1739         (JSC::SH4Assembler::buffer):
1740
1741 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1742
1743         Remove unused stuff in JIT stubs.
1744         https://bugs.webkit.org/show_bug.cgi?id=123155
1745
1746         Reviewed by Michael Saboff.
1747
1748         * jit/JITStubs.h:
1749         * jit/JITStubsARM.h:
1750         (JSC::ctiTrampoline):
1751         * jit/JITStubsARM64.h:
1752         * jit/JITStubsARMv7.h:
1753         * jit/JITStubsMIPS.h:
1754         * jit/JITStubsSH4.h:
1755         * jit/JITStubsX86.h:
1756         * jit/JITStubsX86_64.h:
1757
1758 2013-10-22  Daniel Bates  <dabates@apple.com>
1759
1760         [iOS] Upstream OS-version-specific install paths for JavaScriptCore.framework
1761         https://bugs.webkit.org/show_bug.cgi?id=123115
1762         <rdar://problem/13696872>
1763
1764         Reviewed by Andy Estes.
1765
1766         Based on a patch by Mark Hahnenberg.
1767
1768         Add support for running JavaScriptCore-based apps, built against the iOS 7 SDK, on older versions of iOS.
1769
1770         * API/JSBase.cpp:
1771
1772 2013-10-22  Julien Brianceau  <jbriance@cisco.com>
1773
1774         [sh4] Add missing lastRegister(), firstFPRegister() and lastFPRegister(). 
1775         https://bugs.webkit.org/show_bug.cgi?id=123157
1776
1777         Reviewed by Andreas Kling.
1778
1779         * assembler/SH4Assembler.h:
1780         (JSC::SH4Assembler::lastRegister):
1781         (JSC::SH4Assembler::firstFPRegister):
1782         (JSC::SH4Assembler::lastFPRegister):
1783
1784 2013-10-22  Brian Holt  <brian.holt@samsung.com>
1785
1786         Build break on ARMv7 after r157209
1787         https://bugs.webkit.org/show_bug.cgi?id=122890
1788
1789         Reviewed by Csaba Osztrogonác.
1790
1791         Add framePointerRegister and first/last register helpers for ARM_TRADITIONAL.
1792
1793         * assembler/ARMAssembler.h:
1794         * assembler/MacroAssemblerARM.h:
1795         (JSC::MacroAssemblerARM::firstRegister):
1796         (JSC::MacroAssemblerARM::lastRegister):
1797         (JSC::MacroAssemblerARM::firstFPRegister):
1798         (JSC::MacroAssemblerARM::lastFPRegister):
1799
1800 2013-10-21  Daniel Bates  <dabates@apple.com>
1801
1802         [iOS] Upstream JSGlobalObject::shouldInterruptScriptBeforeTimeout()
1803         https://bugs.webkit.org/show_bug.cgi?id=123045
1804
1805         Reviewed by Joseph Pecoraro.
1806
1807         * jsc.cpp: Add function pointer for shouldInterruptScriptBeforeTimeout
1808         to global method table.
1809         * runtime/JSGlobalObject.cpp: Ditto.
1810         * runtime/JSGlobalObject.h:
1811         (JSC::JSGlobalObject::shouldInterruptScriptBeforeTimeout): Added.
1812
1813 2013-10-21  Daniel Bates  <dabates@apple.com>
1814
1815         [iOS] Upstream JSC Objective-C API compiler warning fixes
1816         https://bugs.webkit.org/show_bug.cgi?id=123125
1817
1818         Reviewed by Mark Hahnenberg.
1819
1820         Based on a patch by Mark Hahnenberg.
1821
1822         * API/JSValue.mm:
1823         (-[JSValue toPoint]): Cast to CGFloat to fix some compiler warnings about double narrowing to float.
1824         (-[JSValue toSize]): Ditto.
1825         * API/tests/testapi.mm: Changed a test that was failing due to overflow of 32-bit NSUInteger on armv7.
1826
1827 2013-10-21  Daniel Bates  <dabates@apple.com>
1828
1829         [iOS] Mark classes JS{Context, ManagedValue, Value, VirtualMachine} as
1830         available since iOS 7.0
1831         https://bugs.webkit.org/show_bug.cgi?id=123122
1832
1833         Reviewed by Dan Bernstein.
1834
1835         * API/JSContext.h:
1836         * API/JSManagedValue.h:
1837         * API/JSValue.h:
1838         * API/JSVirtualMachine.h:
1839
1840 2013-10-20  Mark Lam  <mark.lam@apple.com>
1841
1842         Avoid JSC debugger overhead unless needed.
1843         https://bugs.webkit.org/show_bug.cgi?id=123084.
1844
1845         Reviewed by Geoffrey Garen.
1846
1847         - If no breakpoints are set, we now avoid calling the debug hook callbacks.
1848         - If no break on exception is set, we also avoid exception event debug callbacks.
1849         - When we return from the ScriptDebugServer to the JSC::Debugger, we may no
1850           longer call the debug hook callbacks if not needed. Hence, the m_currentCallFrame
1851           pointer in the ScriptDebugServer may become stale. To avoid this issue, before
1852           returning, the ScriptDebugServer will clear its m_currentCallFrame if
1853           needsOpDebugCallbacks() is false.
1854
1855         * debugger/Debugger.cpp:
1856         (JSC::Debugger::Debugger):
1857         (JSC::Debugger::setNeedsExceptionCallbacks):
1858         (JSC::Debugger::setShouldPause):
1859         (JSC::Debugger::updateNumberOfBreakpoints):
1860         (JSC::Debugger::updateNeedForOpDebugCallbacks):
1861         * debugger/Debugger.h:
1862         * interpreter/Interpreter.cpp:
1863         (JSC::Interpreter::unwind):
1864         (JSC::Interpreter::debug):
1865         * jit/JITOpcodes.cpp:
1866         (JSC::JIT::emit_op_debug):
1867         * jit/JITOpcodes32_64.cpp:
1868         (JSC::JIT::emit_op_debug):
1869         * llint/LLIntOffsetsExtractor.cpp:
1870         * llint/LowLevelInterpreter.asm:
1871
1872 2013-10-21  Brent Fulgham  <bfulgham@apple.com>
1873
1874         [WIN] Unreviewed build correction.
1875
1876         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Handle new JIT files as C++ implementation
1877           sources, not header files.
1878         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
1879
1880 2013-10-21  Oliver Hunt  <oliver@apple.com>
1881
1882         Support computed property names in object literals
1883         https://bugs.webkit.org/show_bug.cgi?id=123112
1884
1885         Reviewed by Michael Saboff.
1886
1887         Add support for computed property names to the parser.
1888
1889         * bytecompiler/NodesCodegen.cpp:
1890         (JSC::PropertyListNode::emitBytecode):
1891         * parser/ASTBuilder.h:
1892         (JSC::ASTBuilder::createProperty):
1893         (JSC::ASTBuilder::getName):
1894         * parser/NodeConstructors.h:
1895         (JSC::PropertyNode::PropertyNode):
1896         * parser/Nodes.h:
1897         (JSC::PropertyNode::expressionName):
1898         (JSC::PropertyNode::name):
1899         * parser/Parser.cpp:
1900         (JSC::::parseProperty):
1901         (JSC::::parseStrictObjectLiteral):
1902         * parser/SyntaxChecker.h:
1903         (JSC::SyntaxChecker::Property::Property):
1904         (JSC::SyntaxChecker::createProperty):
1905         (JSC::SyntaxChecker::operatorStackPop):
1906
1907 2013-10-21  Michael Saboff  <msaboff@apple.com>
1908
1909         Add option so that JSC will crash if it can't allocate executable memory for the JITs
1910         https://bugs.webkit.org/show_bug.cgi?id=123048
1911         <rdar://problem/12856193>
1912
1913         Reviewed by Geoffrey Garen.
1914
1915         Added new option, called crashIfCantAllocateJITMemory. If this option is true then we crash
1916         when checking the validity of the executable allocator. The default value for this option is
1917         false, but jsc sets it to true when built for iOS to make it straightforward to identify whether
1918         the app can obtain executable memory.
1919
1920         * jsc.cpp: Explicitly enable crashIfCantAllocateJITMemory on iOS.
1921         (main):
1922         * runtime/Options.h: Added option crashIfCantAllocateJITMemory.
1923         * runtime/VM.cpp:
1924         (JSC::enableAssembler): Modified to crash if option crashIfCantAllocateJITMemory
1925         is enabled.
1926
1927 2013-10-21  Nadav Rotem  <nrotem@apple.com>
1928
1929         Remove AllInOneFile.cpp
1930         https://bugs.webkit.org/show_bug.cgi?id=123055
1931
1932         Reviewed by Csaba Osztrogonác.
1933
1934         * AllInOneFile.cpp: Removed.
1935
1936 2013-10-20  Filip Pizlo  <fpizlo@apple.com>
1937
1938         Unreviewed, cleanup a FIXME comment.
1939
1940         * jit/Repatch.cpp:
1941
1942 2013-10-20  Filip Pizlo  <fpizlo@apple.com>
1943
1944         StructureStubInfo's usedRegisters set should be able to track all registers, not just the ones that our JIT's view as temporaries
1945         https://bugs.webkit.org/show_bug.cgi?id=123076
1946
1947         Reviewed by Sam Weinig.
1948         
1949         Start preparing for a world in which we are patching code generated by LLVM, which may have
1950         very different register usage conventions than our JITs. This requires us being more explicit
1951         about the registers we are using. For example, the repatching code shouldn't take for granted
1952         that tagMaskRegister holds the TagMask or that the register is even in use.
1953
1954         * CMakeLists.txt:
1955         * GNUmakefile.list.am:
1956         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1957         * JavaScriptCore.xcodeproj/project.pbxproj:
1958         * assembler/MacroAssembler.h:
1959         (JSC::MacroAssembler::numberOfRegisters):
1960         (JSC::MacroAssembler::registerIndex):
1961         (JSC::MacroAssembler::numberOfFPRegisters):
1962         (JSC::MacroAssembler::fpRegisterIndex):
1963         (JSC::MacroAssembler::totalNumberOfRegisters):
1964         * bytecode/StructureStubInfo.h:
1965         * dfg/DFGSpeculativeJIT.cpp:
1966         (JSC::DFG::SpeculativeJIT::usedRegisters):
1967         * dfg/DFGSpeculativeJIT.h:
1968         * ftl/FTLSaveRestore.cpp:
1969         (JSC::FTL::bytesForGPRs):
1970         (JSC::FTL::bytesForFPRs):
1971         (JSC::FTL::offsetOfGPR):
1972         (JSC::FTL::offsetOfFPR):
1973         * jit/JITInlineCacheGenerator.cpp:
1974         (JSC::JITByIdGenerator::JITByIdGenerator):
1975         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1976         * jit/JITInlineCacheGenerator.h:
1977         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1978         * jit/JITPropertyAccess.cpp:
1979         (JSC::JIT::emit_op_get_by_id):
1980         (JSC::JIT::emit_op_put_by_id):
1981         * jit/JITPropertyAccess32_64.cpp:
1982         (JSC::JIT::emit_op_get_by_id):
1983         (JSC::JIT::emit_op_put_by_id):
1984         * jit/RegisterSet.cpp: Added.
1985         (JSC::RegisterSet::specialRegisters):
1986         * jit/RegisterSet.h: Added.
1987         (JSC::RegisterSet::RegisterSet):
1988         (JSC::RegisterSet::set):
1989         (JSC::RegisterSet::clear):
1990         (JSC::RegisterSet::get):
1991         (JSC::RegisterSet::merge):
1992         * jit/Repatch.cpp:
1993         (JSC::generateProtoChainAccessStub):
1994         (JSC::tryCacheGetByID):
1995         (JSC::tryBuildGetByIDList):
1996         (JSC::emitPutReplaceStub):
1997         (JSC::tryRepatchIn):
1998         (JSC::linkClosureCall):
1999         * jit/TempRegisterSet.cpp: Added.
2000         (JSC::TempRegisterSet::TempRegisterSet):
2001         * jit/TempRegisterSet.h:
2002
2003 2013-10-20  Julien Brianceau  <jbriance@cisco.com>
2004
2005         [sh4] Fix build (broken since r157690).
2006         https://bugs.webkit.org/show_bug.cgi?id=123081
2007
2008         Reviewed by Andreas Kling.
2009
2010         * assembler/AssemblerBufferWithConstantPool.h:
2011         * assembler/SH4Assembler.h:
2012         (JSC::SH4Assembler::buffer):
2013         (JSC::SH4Assembler::readCallTarget):
2014
2015 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
2016
2017         Simplify TempRegisterSet - it no longer needs to be convertible to a POD since it's no longer going to be a member of a union
2018         https://bugs.webkit.org/show_bug.cgi?id=123079
2019
2020         Reviewed by Geoffrey Garen.
2021
2022         * jit/TempRegisterSet.h:
2023
2024 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
2025
2026         Rename RegisterSet to TempRegisterSet
2027         https://bugs.webkit.org/show_bug.cgi?id=123077
2028
2029         Reviewed by Dan Bernstein.
2030
2031         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2032         * JavaScriptCore.xcodeproj/project.pbxproj:
2033         * bytecode/StructureStubInfo.h:
2034         * dfg/DFGJITCompiler.h:
2035         * dfg/DFGSpeculativeJIT.h:
2036         (JSC::DFG::SpeculativeJIT::usedRegisters):
2037         * jit/JITInlineCacheGenerator.cpp:
2038         (JSC::JITByIdGenerator::JITByIdGenerator):
2039         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
2040         * jit/JITInlineCacheGenerator.h:
2041         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
2042         * jit/JITPropertyAccess.cpp:
2043         (JSC::JIT::emit_op_get_by_id):
2044         (JSC::JIT::emit_op_put_by_id):
2045         * jit/JITPropertyAccess32_64.cpp:
2046         (JSC::JIT::emit_op_get_by_id):
2047         (JSC::JIT::emit_op_put_by_id):
2048         * jit/RegisterSet.h: Removed.
2049         * jit/ScratchRegisterAllocator.h:
2050         (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
2051         * jit/TempRegisterSet.h: Copied from Source/JavaScriptCore/jit/RegisterSet.h.
2052         (JSC::TempRegisterSet::TempRegisterSet):
2053         (JSC::TempRegisterSet::asPOD):
2054         (JSC::TempRegisterSet::copyInfo):
2055
2056 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
2057
2058         Restructure LinkBuffer to allow for alternate allocation strategies
2059         https://bugs.webkit.org/show_bug.cgi?id=123071
2060
2061         Reviewed by Oliver Hunt.
2062         
2063         The idea is to eventually allow a LinkBuffer to place the code into an already
2064         allocated region of memory.  That region of memory could be the nop-slide left behind
2065         by a llvm.webkit.patchpoint.
2066
2067         * assembler/ARM64Assembler.h:
2068         (JSC::ARM64Assembler::buffer):
2069         * assembler/AssemblerBuffer.h:
2070         * assembler/LinkBuffer.cpp:
2071         (JSC::LinkBuffer::copyCompactAndLinkCode):
2072         (JSC::LinkBuffer::linkCode):
2073         (JSC::LinkBuffer::allocate):
2074         (JSC::LinkBuffer::shrink):
2075         * assembler/LinkBuffer.h:
2076         (JSC::LinkBuffer::LinkBuffer):
2077         (JSC::LinkBuffer::didFailToAllocate):
2078         * assembler/X86Assembler.h:
2079         (JSC::X86Assembler::buffer):
2080         (JSC::X86Assembler::X86InstructionFormatter::memoryModRM):
2081
2082 2013-10-19  Alexey Proskuryakov  <ap@apple.com>
2083
2084         Some includes in JSC seem to use an incorrect style
2085         https://bugs.webkit.org/show_bug.cgi?id=123057
2086
2087         Reviewed by Geoffrey Garen.
2088
2089         Changed pseudo-system includes to user ones.
2090
2091         * API/JSContextRef.cpp:
2092         * API/JSStringRefCF.cpp:
2093         * API/JSValueRef.cpp:
2094         * API/OpaqueJSString.cpp:
2095         * jit/JIT.h:
2096         * parser/SyntaxChecker.h:
2097         * runtime/WeakGCMap.h:
2098
2099 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
2100
2101         Baseline JIT and DFG IC code generation should be unified and rationalized
2102         https://bugs.webkit.org/show_bug.cgi?id=122939
2103
2104         Reviewed by Geoffrey Garen.
2105         
2106         Introduce the JITInlineCacheGenerator, which takes a CodeBlock and a CodeOrigin plus
2107         some register info and creates JIT inline caches for you. Used this to even further
2108         unify the baseline and DFG ICs. In the future we can use this for FTL ICs. And my hope
2109         is that we'll be able to use it for cascading ICs: an IC for some instruction may realize
2110         that it needs to do the equivalent of get_by_id, so with this generator it will be able
2111         to create an IC even though it wasn't associated with a get_by_id bytecode instruction.
2112
2113         * CMakeLists.txt:
2114         * GNUmakefile.list.am:
2115         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2116         * JavaScriptCore.xcodeproj/project.pbxproj:
2117         * assembler/AbstractMacroAssembler.h:
2118         (JSC::AbstractMacroAssembler::DataLabelCompact::label):
2119         * bytecode/CodeBlock.h:
2120         (JSC::CodeBlock::ecmaMode):
2121         * dfg/DFGInlineCacheWrapper.h: Added.
2122         (JSC::DFG::InlineCacheWrapper::InlineCacheWrapper):
2123         * dfg/DFGInlineCacheWrapperInlines.h: Added.
2124         (JSC::DFG::::finalize):
2125         * dfg/DFGJITCompiler.cpp:
2126         (JSC::DFG::JITCompiler::link):
2127         * dfg/DFGJITCompiler.h:
2128         (JSC::DFG::JITCompiler::addGetById):
2129         (JSC::DFG::JITCompiler::addPutById):
2130         * dfg/DFGSpeculativeJIT32_64.cpp:
2131         (JSC::DFG::SpeculativeJIT::cachedGetById):
2132         (JSC::DFG::SpeculativeJIT::cachedPutById):
2133         * dfg/DFGSpeculativeJIT64.cpp:
2134         (JSC::DFG::SpeculativeJIT::cachedGetById):
2135         (JSC::DFG::SpeculativeJIT::cachedPutById):
2136         (JSC::DFG::SpeculativeJIT::compile):
2137         * jit/AssemblyHelpers.h:
2138         (JSC::AssemblyHelpers::isStrictModeFor):
2139         (JSC::AssemblyHelpers::strictModeFor):
2140         * jit/GPRInfo.h:
2141         (JSC::JSValueRegs::tagGPR):
2142         * jit/JIT.cpp:
2143         (JSC::JIT::JIT):
2144         (JSC::JIT::privateCompileSlowCases):
2145         (JSC::JIT::privateCompile):
2146         * jit/JIT.h:
2147         * jit/JITInlineCacheGenerator.cpp: Added.
2148         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
2149         (JSC::JITByIdGenerator::JITByIdGenerator):
2150         (JSC::JITByIdGenerator::finalize):
2151         (JSC::JITByIdGenerator::generateFastPathChecks):
2152         (JSC::JITGetByIdGenerator::generateFastPath):
2153         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
2154         (JSC::JITPutByIdGenerator::generateFastPath):
2155         (JSC::JITPutByIdGenerator::slowPathFunction):
2156         * jit/JITInlineCacheGenerator.h: Added.
2157         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
2158         (JSC::JITInlineCacheGenerator::stubInfo):
2159         (JSC::JITByIdGenerator::JITByIdGenerator):
2160         (JSC::JITByIdGenerator::reportSlowPathCall):
2161         (JSC::JITByIdGenerator::slowPathJump):
2162         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
2163         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
2164         * jit/JITPropertyAccess.cpp:
2165         (JSC::JIT::emit_op_get_by_id):
2166         (JSC::JIT::emitSlow_op_get_by_id):
2167         (JSC::JIT::emit_op_put_by_id):
2168         (JSC::JIT::emitSlow_op_put_by_id):
2169         * jit/JITPropertyAccess32_64.cpp:
2170         (JSC::JIT::emit_op_get_by_id):
2171         (JSC::JIT::emitSlow_op_get_by_id):
2172         (JSC::JIT::emit_op_put_by_id):
2173         (JSC::JIT::emitSlow_op_put_by_id):
2174         * jit/RegisterSet.h:
2175         (JSC::RegisterSet::set):
2176
2177 2013-10-19  Alexey Proskuryakov  <ap@apple.com>
2178
2179         APICast.h uses functions from JSCJSValueInlines.h, but doesn't include it
2180         https://bugs.webkit.org/show_bug.cgi?id=123067
2181
2182         Reviewed by Geoffrey Garen.
2183
2184         * API/APICast.h: Include it.
2185
2186 2013-10-19  Filip Pizlo  <fpizlo@apple.com>
2187
2188         FTL::Location should treat the offset as an addend in the case of a Register location
2189         https://bugs.webkit.org/show_bug.cgi?id=123062
2190
2191         Reviewed by Sam Weinig.
2192
2193         * ftl/FTLLocation.cpp:
2194         (JSC::FTL::Location::forStackmaps):
2195         (JSC::FTL::Location::dump):
2196         (JSC::FTL::Location::restoreInto):
2197         * ftl/FTLLocation.h:
2198         (JSC::FTL::Location::forRegister):
2199         (JSC::FTL::Location::hasAddend):
2200         (JSC::FTL::Location::addend):
2201
2202 2013-10-19  Nadav Rotem  <nrotem@apple.com>
2203
2204         DFG dominators: document and rename stuff.
2205         https://bugs.webkit.org/show_bug.cgi?id=123056
2206
2207         Reviewed by Filip Pizlo.
2208
2209         Documented the code and renamed some variables.
2210
2211         * dfg/DFGDominators.cpp:
2212         (JSC::DFG::Dominators::compute):
2213         (JSC::DFG::Dominators::pruneDominators):
2214         * dfg/DFGDominators.h:
2215
2216 2013-10-19  Julien Brianceau  <jbriance@cisco.com>
2217
2218         Fix build failure for architectures with 4 argument registers.
2219         https://bugs.webkit.org/show_bug.cgi?id=123060
2220
2221         Reviewed by Michael Saboff.
2222
2223         Add missing setupArgumentsWithExecState() prototypes for architectures with 4 argument registers.
2224         Remove SH4 specific code no longer needed since callOperation prototype change in r157660.
2225
2226         * dfg/DFGSpeculativeJIT.h:
2227         (JSC::DFG::SpeculativeJIT::callOperation):
2228         * jit/CCallHelpers.h:
2229         (JSC::CCallHelpers::setupArgumentsWithExecState):
2230         * jit/JITInlines.h:
2231         (JSC::JIT::callOperation):
2232
2233 2013-10-18  Filip Pizlo  <fpizlo@apple.com>
2234
2235         Unreviewed, fix FTL build.
2236
2237         * ftl/FTLIntrinsicRepository.h:
2238         * ftl/FTLLowerDFGToLLVM.cpp:
2239         (JSC::FTL::LowerDFGToLLVM::compileGetById):
2240
2241 2013-10-18  Filip Pizlo  <fpizlo@apple.com>
2242
2243         A CodeBlock's StructureStubInfos shouldn't be in a Vector that we search using code origins and machine code PCs
2244         https://bugs.webkit.org/show_bug.cgi?id=122940
2245
2246         Reviewed by Oliver Hunt.
2247         
2248         This accomplishes a number of simplifications. StructureStubInfo is now non-moving,
2249         whereas previously it was in a Vector, so it moved. This allows you to use pointers to
2250         StructureStubInfo. This also eliminates the use of return PC as a way of finding the
2251         StructureStubInfo's. It removes some of the need for the compile-time property access
2252         records; for example the DFG no longer has to save information about registers in a
2253         property access record only to later save it to the stub info.
2254         
2255         The main thing it accomplishes is that it makes it easier to add StructureStubInfo's
2256         at any stage of compilation.
2257
2258         * bytecode/CodeBlock.cpp:
2259         (JSC::CodeBlock::printGetByIdCacheStatus):
2260         (JSC::CodeBlock::dumpBytecode):
2261         (JSC::CodeBlock::~CodeBlock):
2262         (JSC::CodeBlock::propagateTransitions):
2263         (JSC::CodeBlock::finalizeUnconditionally):
2264         (JSC::CodeBlock::addStubInfo):
2265         (JSC::CodeBlock::getStubInfoMap):
2266         (JSC::CodeBlock::shrinkToFit):
2267         * bytecode/CodeBlock.h:
2268         (JSC::CodeBlock::begin):
2269         (JSC::CodeBlock::end):
2270         (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
2271         * bytecode/CodeOrigin.h:
2272         (JSC::CodeOrigin::CodeOrigin):
2273         (JSC::CodeOrigin::isHashTableDeletedValue):
2274         (JSC::CodeOrigin::hash):
2275         (JSC::CodeOriginHash::hash):
2276         (JSC::CodeOriginHash::equal):
2277         * bytecode/GetByIdStatus.cpp:
2278         (JSC::GetByIdStatus::computeFor):
2279         * bytecode/GetByIdStatus.h:
2280         * bytecode/PutByIdStatus.cpp:
2281         (JSC::PutByIdStatus::computeFor):
2282         * bytecode/PutByIdStatus.h:
2283         * bytecode/StructureStubInfo.h:
2284         (JSC::getStructureStubInfoCodeOrigin):
2285         * dfg/DFGByteCodeParser.cpp:
2286         (JSC::DFG::ByteCodeParser::parseBlock):
2287         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2288         * dfg/DFGJITCompiler.cpp:
2289         (JSC::DFG::JITCompiler::link):
2290         * dfg/DFGJITCompiler.h:
2291         (JSC::DFG::PropertyAccessRecord::PropertyAccessRecord):
2292         (JSC::DFG::InRecord::InRecord):
2293         * dfg/DFGSpeculativeJIT.cpp:
2294         (JSC::DFG::SpeculativeJIT::compileIn):
2295         * dfg/DFGSpeculativeJIT.h:
2296         (JSC::DFG::SpeculativeJIT::callOperation):
2297         * dfg/DFGSpeculativeJIT32_64.cpp:
2298         (JSC::DFG::SpeculativeJIT::cachedGetById):
2299         (JSC::DFG::SpeculativeJIT::cachedPutById):
2300         * dfg/DFGSpeculativeJIT64.cpp:
2301         (JSC::DFG::SpeculativeJIT::cachedGetById):
2302         (JSC::DFG::SpeculativeJIT::cachedPutById):
2303         * jit/CCallHelpers.h:
2304         (JSC::CCallHelpers::setupArgumentsWithExecState):
2305         * jit/JIT.cpp:
2306         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
2307         (JSC::JIT::privateCompile):
2308         * jit/JIT.h:
2309         (JSC::PropertyStubCompilationInfo::slowCaseInfo):
2310         * jit/JITInlines.h:
2311         (JSC::JIT::callOperation):
2312         * jit/JITOperations.cpp:
2313         * jit/JITOperations.h:
2314         * jit/JITPropertyAccess.cpp:
2315         (JSC::JIT::emitSlow_op_get_by_id):
2316         (JSC::JIT::emitSlow_op_put_by_id):
2317         * jit/JITPropertyAccess32_64.cpp:
2318         (JSC::JIT::emitSlow_op_get_by_id):
2319         (JSC::JIT::emitSlow_op_put_by_id):
2320         * jit/Repatch.cpp:
2321         (JSC::appropriateGenericPutByIdFunction):
2322         (JSC::appropriateListBuildingPutByIdFunction):
2323         (JSC::resetPutByID):
2324
2325 2013-10-18  Oliver Hunt  <oliver@apple.com>
2326
2327         Spread operator should be performing direct "puts" and not triggering setters
2328         https://bugs.webkit.org/show_bug.cgi?id=123047
2329
2330         Reviewed by Geoffrey Garen.
2331
2332         Add a new opcode -- op_put_by_val_direct -- and make use of it in the spread
2333         to array construct.  This required a new PutByValDirect node to be introduced to
2334         the DFG.  The current implementation simply changes the slow path function that
2335         is called, but in future this could be made faster as it does not need to check
2336         the prototype chain.
2337
2338         * bytecode/CodeBlock.cpp:
2339         (JSC::CodeBlock::dumpBytecode):
2340         (JSC::CodeBlock::CodeBlock):
2341         * bytecode/Opcode.h:
2342         (JSC::padOpcodeName):
2343         * bytecompiler/BytecodeGenerator.cpp:
2344         (JSC::BytecodeGenerator::emitDirectPutByVal):
2345         * bytecompiler/BytecodeGenerator.h:
2346         * bytecompiler/NodesCodegen.cpp:
2347         (JSC::ArrayNode::emitBytecode):
2348         * dfg/DFGAbstractInterpreterInlines.h:
2349         (JSC::DFG::::executeEffects):
2350         * dfg/DFGBackwardsPropagationPhase.cpp:
2351         (JSC::DFG::BackwardsPropagationPhase::propagate):
2352         * dfg/DFGByteCodeParser.cpp:
2353         (JSC::DFG::ByteCodeParser::parseBlock):
2354         * dfg/DFGCSEPhase.cpp:
2355         (JSC::DFG::CSEPhase::getArrayLengthElimination):
2356         (JSC::DFG::CSEPhase::getByValLoadElimination):
2357         (JSC::DFG::CSEPhase::checkStructureElimination):
2358         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
2359         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
2360         (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
2361         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
2362         (JSC::DFG::CSEPhase::performNodeCSE):
2363         * dfg/DFGCapabilities.cpp:
2364         (JSC::DFG::capabilityLevel):
2365         * dfg/DFGClobberize.h:
2366         (JSC::DFG::clobberize):
2367         * dfg/DFGFixupPhase.cpp:
2368         (JSC::DFG::FixupPhase::fixupNode):
2369         * dfg/DFGGraph.h:
2370         (JSC::DFG::Graph::clobbersWorld):
2371         * dfg/DFGNode.h:
2372         (JSC::DFG::Node::hasArrayMode):
2373         * dfg/DFGNodeType.h:
2374         * dfg/DFGOperations.cpp:
2375         (JSC::DFG::putByVal):
2376         (JSC::DFG::operationPutByValInternal):
2377         * dfg/DFGOperations.h:
2378         * dfg/DFGPredictionPropagationPhase.cpp:
2379         (JSC::DFG::PredictionPropagationPhase::propagate):
2380         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
2381         * dfg/DFGSafeToExecute.h:
2382         (JSC::DFG::safeToExecute):
2383         * dfg/DFGSpeculativeJIT32_64.cpp:
2384         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
2385         (JSC::DFG::SpeculativeJIT::compile):
2386         * dfg/DFGSpeculativeJIT64.cpp:
2387         (JSC::DFG::SpeculativeJIT::compile):
2388         * dfg/DFGTypeCheckHoistingPhase.cpp:
2389         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2390         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
2391         * jit/JIT.cpp:
2392         (JSC::JIT::privateCompileMainPass):
2393         (JSC::JIT::privateCompileSlowCases):
2394         * jit/JIT.h:
2395         (JSC::JIT::compileDirectPutByVal):
2396         * jit/JITOperations.cpp:
2397         * jit/JITOperations.h:
2398         * jit/JITPropertyAccess.cpp:
2399         (JSC::JIT::emitSlow_op_put_by_val):
2400         (JSC::JIT::privateCompilePutByVal):
2401         * jit/JITPropertyAccess32_64.cpp:
2402         (JSC::JIT::emitSlow_op_put_by_val):
2403         * llint/LLIntSlowPaths.cpp:
2404         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2405         * llint/LLIntSlowPaths.h:
2406         * llint/LowLevelInterpreter32_64.asm:
2407         * llint/LowLevelInterpreter64.asm:
2408
2409 2013-10-18  Daniel Bates  <dabates@apple.com>
2410
2411         [iOS] Export symbol for VM::sharedInstanceExists()
2412         https://bugs.webkit.org/show_bug.cgi?id=123046
2413
2414         Reviewed by Mark Hahnenberg.
2415
2416         * runtime/VM.h:
2417
2418 2013-10-18  Daniel Bates  <dabates@apple.com>
2419
2420         [iOS] Upstream WebSafe{GCActivityCallback, IncrementalSweeper}IOS
2421         https://bugs.webkit.org/show_bug.cgi?id=123049
2422
2423         Reviewed by Mark Hahnenberg.
2424
2425         * heap/Heap.cpp:
2426         (JSC::Heap::setIncrementalSweeper):
2427         * heap/Heap.h:
2428         * heap/HeapTimer.h:
2429         * heap/IncrementalSweeper.h: Make protected and export CF-variant of constructor.
2430         Removed unused include of header RetainPtr.h. Also forward declare class MarkedBlock
2431         (we include its header in the .cpp file) and remove include for header wtf/HashSet.h
2432         (duplicates the include in the .cpp).
2433         * heap/MachineStackMarker.h: Export function makeUsableFromMultipleThreads(). We aren't
2434         making use of this now, but we'll make use of it in a subsequent patch.
2435
2436 2013-10-18  Anders Carlsson  <andersca@apple.com>
2437
2438         Remove spaces between template angle brackets
2439         https://bugs.webkit.org/show_bug.cgi?id=123040
2440
2441         Reviewed by Andreas Kling.
2442
2443         * API/JSCallbackObject.cpp:
2444         (JSC::::create):
2445         * API/JSObjectRef.cpp:
2446         * bytecode/CodeBlock.h:
2447         (JSC::CodeBlock::constants):
2448         (JSC::CodeBlock::setConstantRegisters):
2449         * bytecode/DFGExitProfile.h:
2450         * bytecode/EvalCodeCache.h:
2451         * bytecode/Operands.h:
2452         * bytecode/UnlinkedCodeBlock.h:
2453         (JSC::UnlinkedCodeBlock::constantRegisters):
2454         * bytecode/Watchpoint.h:
2455         * bytecompiler/BytecodeGenerator.h:
2456         * bytecompiler/StaticPropertyAnalysis.h:
2457         * bytecompiler/StaticPropertyAnalyzer.h:
2458         * dfg/DFGArgumentsSimplificationPhase.cpp:
2459         * dfg/DFGBlockInsertionSet.h:
2460         * dfg/DFGCSEPhase.cpp:
2461         (JSC::DFG::performCSE):
2462         (JSC::DFG::performStoreElimination):
2463         * dfg/DFGCommonData.h:
2464         * dfg/DFGDesiredStructureChains.h:
2465         * dfg/DFGDesiredWatchpoints.h:
2466         * dfg/DFGJITCompiler.h:
2467         * dfg/DFGOSRExitCompiler32_64.cpp:
2468         (JSC::DFG::OSRExitCompiler::compileExit):
2469         * dfg/DFGOSRExitCompiler64.cpp:
2470         (JSC::DFG::OSRExitCompiler::compileExit):
2471         * dfg/DFGWorklist.h:
2472         * heap/BlockAllocator.h:
2473         (JSC::CopiedBlock):
2474         (JSC::MarkedBlock):
2475         (JSC::WeakBlock):
2476         (JSC::MarkStackSegment):
2477         (JSC::CopyWorkListSegment):
2478         (JSC::HandleBlock):
2479         * heap/Heap.h:
2480         * heap/Local.h:
2481         * heap/MarkedBlock.h:
2482         * heap/Strong.h:
2483         * jit/AssemblyHelpers.cpp:
2484         (JSC::AssemblyHelpers::decodedCodeMapFor):
2485         * jit/AssemblyHelpers.h:
2486         * jit/SpecializedThunkJIT.h:
2487         * parser/Nodes.h:
2488         * parser/Parser.cpp:
2489         (JSC::::parseIfStatement):
2490         * parser/Parser.h:
2491         (JSC::Scope::copyCapturedVariablesToVector):
2492         (JSC::parse):
2493         * parser/ParserArena.h:
2494         * parser/SourceProviderCacheItem.h:
2495         * profiler/LegacyProfiler.cpp:
2496         (JSC::dispatchFunctionToProfiles):
2497         * profiler/LegacyProfiler.h:
2498         (JSC::LegacyProfiler::currentProfiles):
2499         * profiler/ProfileNode.h:
2500         (JSC::ProfileNode::children):
2501         * profiler/ProfilerDatabase.h:
2502         * runtime/Butterfly.h:
2503         (JSC::Butterfly::contiguousInt32):
2504         (JSC::Butterfly::contiguous):
2505         * runtime/GenericTypedArrayViewInlines.h:
2506         (JSC::::create):
2507         * runtime/Identifier.h:
2508         (JSC::Identifier::add):
2509         * runtime/JSPromise.h:
2510         * runtime/PropertyMapHashTable.h:
2511         * runtime/PropertyNameArray.h:
2512         * runtime/RegExpCache.h:
2513         * runtime/SparseArrayValueMap.h:
2514         * runtime/SymbolTable.h:
2515         * runtime/VM.h:
2516         * tools/CodeProfile.cpp:
2517         (JSC::truncateTrace):
2518         * tools/CodeProfile.h:
2519         * yarr/YarrInterpreter.cpp:
2520         * yarr/YarrInterpreter.h:
2521         (JSC::Yarr::BytecodePattern::BytecodePattern):
2522         * yarr/YarrJIT.cpp:
2523         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
2524         (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
2525         (JSC::Yarr::YarrGenerator::opCompileBody):
2526         * yarr/YarrPattern.cpp:
2527         (JSC::Yarr::YarrPatternConstructor::checkForTerminalParentheses):
2528         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
2529         * yarr/YarrPattern.h:
2530
2531 2013-10-18  Mark Lam  <mark.lam@apple.com>
2532
2533         Remove excess reserved space in ctiTrampoline frames for X86 and X86_64.
2534         https://bugs.webkit.org/show_bug.cgi?id=123037.
2535
2536         Reviewed by Geoffrey Garen.
2537
2538         * jit/JITStubsMSVC64.asm:
2539         * jit/JITStubsX86.h:
2540         * jit/JITStubsX86_64.h:
2541
2542 2013-10-18  Filip Pizlo  <fpizlo@apple.com>
2543
2544         Frequent RELEASE_ASSERT crashes in Structure::checkOffsetConsistency on WebGL swizzler tests
2545         https://bugs.webkit.org/show_bug.cgi?id=121661
2546
2547         Reviewed by Mark Hahnenberg.
2548         
2549         This method shouldn't have been called from the concurrent JIT thread. That's hard to prevent
2550         so I added a return-early check using isCompilationThread().
2551         
2552         Here's why this makes sense. Structure has two ways to tell you about the layout of the objects
2553         it is describing: m_offset and the property table. Most structures only have m_offset and report
2554         null for the property table. If the property table is there, it will tell you additional
2555         information and that information subsumes m_offset - but the m_offset is still there. So, when
2556         we have a property table, we have to keep it in sync with the m_offset. There is a bunch of
2557         machinery to do this.
2558         
2559         Changing the property table only happens on the main thread.
2560         
2561         Because the machinery to change the property table is so complex, especially with respect to
2562         keeping it in sync with m_offset, we have the checkOffsetConsistency method. It's meant to be
2563         called at key points before and after changes to the property table or the offset.
2564
2565         Most clients of Structure who care about object layout, including the concurrent thread, will
2566         want to know m_offset and not the property table. If they want the property table, they will
2567         already be super careful. The concurrent thread has special methods for this, like
2568         Structure::getConcurrently(), which uses fine-grained locking to ensure that it sees a coherent
2569         view of the property table.
2570         
2571         Adding locking to checkOffsetConsistency() is probably a bad idea since that method may be
2572         called when the relevant lock is already held. So, we'd have awkward recursive locking issues.
2573         
2574         But right now, the concurrent JIT thread may call a method, like Structure::outOfLineCapacity(),
2575         which has a call to checkOffsetConsistency(). The call to checkOffsetConsistency() is there
2576         because we have found that it helps quickly identify situations where the property table and
2577         m_offset get out of sync - mainly because code that changes either of those things will usually
2578         also want to know the outOfLineCapacity(). But Structure::outOfLineCapacity() doesn't *actually*
2579         need the property table; it uses the m_offset. The concurrent JIT is correct to call
2580         outOfLineCapacity(), and is right to do so without holding any locks (since in all cases where
2581         it calls outOfLineCapacity() it has already proven that m_offset is immutable). But because
2582         outOfLineCapacity() calls checkOffsetConsistency(), and checkOffsetConsistency() doesn't grab
2583         locks, and that same structure is having its property table modified by the main thread, we end
2584         up with these spurious assertion failures. FWIW, the structure isn't *actually* having *its*
2585         property table modified - instead what happens is that some downstream structure steals the
2586         property table and then starts adding things to it. The concurrent thread loads the property
2587         table before it's stolen, and hence the badness.
2588         
2589         I suspect there are other code paths that lead to the concurrent JIT calling some Structure
2590         method that it is fine and safe to call, but then that method calls checkOffsetConsistency(),
2591         and then you have a possible crash.
2592         
2593         The most sensible solution to this appears to be to make sure that checkOffsetConsistency() is
2594         aware of its uselessness to the concurrent JIT thread. This change makes it return early if
2595         it's in the concurrent JIT.
2596         
2597         * runtime/StructureInlines.h:
2598         (JSC::Structure::checkOffsetConsistency):
2599
2600 2013-10-18  Daniel Bates  <dabates@apple.com>
2601
2602         Add SPI to disable the garbage collector timer
2603         https://bugs.webkit.org/show_bug.cgi?id=122921
2604
2605         Add null check to Heap::setGarbageCollectionTimerEnabled() that I inadvertently
2606         omitted.
2607
2608         * heap/Heap.cpp:
2609         (JSC::Heap::setGarbageCollectionTimerEnabled):
2610
2611 2013-10-18  Julien Brianceau  <jbriance@cisco.com>
2612
2613         Group 64-bit specific and 32-bit specific callOperation implementations.
2614         https://bugs.webkit.org/show_bug.cgi?id=123024
2615
2616         Reviewed by Michael Saboff.
2617
2618         This is not a big deal, but could be less confusing when reading the code.
2619
2620         * jit/JITInlines.h:
2621         (JSC::JIT::callOperation):
2622         (JSC::JIT::callOperationWithCallFrameRollbackOnException):
2623         (JSC::JIT::callOperationNoExceptionCheck):
2624
2625 2013-10-18  Nadav Rotem  <nrotem@apple.com>
2626
2627         Fix a FlushLiveness problem.
2628         https://bugs.webkit.org/show_bug.cgi?id=122984
2629
2630         Reviewed by Filip Pizlo.
2631
2632         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
2633         (JSC::DFG::FlushLivenessAnalysisPhase::process):
2634
2635 2013-10-18  Michael Saboff  <msaboff@apple.com>
2636
2637         Change native function call stubs to use JIT operations instead of ctiVMHandleException
2638         https://bugs.webkit.org/show_bug.cgi?id=122982
2639
2640         Reviewed by Geoffrey Garen.
2641
2642         Change ctiVMHandleException to operationVMHandleException.  Change all exception operations to
2643         return the catch callFrame and entryPC via vm.callFrameForThrow and vm.targetMachinePCForThrow.
2644         This removed calling convention headaches, fixing https://bugs.webkit.org/show_bug.cgi?id=122980
2645         in the process.
2646
2647         * dfg/DFGJITCompiler.cpp:
2648         (JSC::DFG::JITCompiler::compileExceptionHandlers):
2649         * jit/CCallHelpers.h:
2650         (JSC::CCallHelpers::jumpToExceptionHandler):
2651         * jit/JIT.cpp:
2652         (JSC::JIT::privateCompileExceptionHandlers):
2653         * jit/JIT.h:
2654         * jit/JITExceptions.cpp:
2655         (JSC::genericUnwind):
2656         * jit/JITExceptions.h:
2657         * jit/JITInlines.h:
2658         (JSC::JIT::callOperationNoExceptionCheck):
2659         * jit/JITOpcodes.cpp:
2660         (JSC::JIT::emit_op_throw):
2661         * jit/JITOpcodes32_64.cpp:
2662         (JSC::JIT::privateCompileCTINativeCall):
2663         (JSC::JIT::emit_op_throw):
2664         * jit/JITOperations.cpp:
2665         * jit/JITOperations.h:
2666         * jit/JITStubs.cpp:
2667         * jit/JITStubs.h:
2668         * jit/JITStubsARM.h:
2669         * jit/JITStubsARM64.h:
2670         * jit/JITStubsARMv7.h:
2671         * jit/JITStubsMIPS.h:
2672         * jit/JITStubsMSVC64.asm:
2673         * jit/JITStubsSH4.h:
2674         * jit/JITStubsX86.h:
2675         * jit/JITStubsX86_64.h:
2676         * jit/Repatch.cpp:
2677         (JSC::tryBuildGetByIDList):
2678         * jit/SlowPathCall.h:
2679         (JSC::JITSlowPathCall::call):
2680         * jit/ThunkGenerators.cpp:
2681         (JSC::throwExceptionFromCallSlowPathGenerator):
2682         (JSC::nativeForGenerator):
2683         * runtime/VM.h:
2684         (JSC::VM::callFrameForThrowOffset):
2685         (JSC::VM::targetMachinePCForThrowOffset):
2686
2687 2013-10-18  Julien Brianceau  <jbriance@cisco.com>
2688
2689         Fix J_JITOperation_EAapJ call for MIPS and ARM EABI.
2690         https://bugs.webkit.org/show_bug.cgi?id=123023
2691
2692         Reviewed by Michael Saboff.
2693
2694         * jit/JITInlines.h:
2695         (JSC::JIT::callOperation): EncodedJSValue parameter does not need alignment
2696         using EABI_32BIT_DUMMY_ARG here.
2697
2698 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
2699
2700         Unreviewed, another ARM64 build fix.
2701         
2702         Get rid of andPtr(TrustedImmPtr, blah), since it would take Effort to get it to work
2703         on ARM64 and none of its uses are legit - they should all be using
2704         andPtr(TrustedImm32, blah) anyway.
2705
2706         * assembler/MacroAssembler.h:
2707         * assembler/MacroAssemblerARM64.h:
2708         * dfg/DFGJITCompiler.cpp:
2709         (JSC::DFG::JITCompiler::compileExceptionHandlers):
2710         * jit/JIT.cpp:
2711         (JSC::JIT::privateCompileExceptionHandlers):
2712
2713 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
2714
2715         Unreviewed, speculative ARM64 build fix.
2716         
2717         move(ImmPtr, blah) is only available in MacroAssembler since that's where blinding is
2718         implemented. So, you have to use TrustedImmPtr in the superclasses.
2719
2720         * assembler/MacroAssemblerARM64.h:
2721         (JSC::MacroAssemblerARM64::store8):
2722         (JSC::MacroAssemblerARM64::branchTest8):
2723
2724 2013-10-17  Filip Pizlo  <fpizlo@apple.com>
2725
2726         Unreviewed, speculative ARM build fix.
2727         https://bugs.webkit.org/show_bug.cgi?id=122890
2728         <rdar://problem/15258624>
2729
2730         * assembler/ARM64Assembler.h:
2731         (JSC::ARM64Assembler::firstRegister):
2732         (JSC::ARM64Assembler::lastRegister):
2733         (JSC::ARM64Assembler::firstFPRegister):
2734         (JSC::ARM64Assembler::lastFPRegister):
2735         * assembler/MacroAssemblerARM64.h:
2736         * assembler/MacroAssemblerARMv7.h:
2737
2738 2013-10-17  Andreas Kling  <akling@apple.com>
2739
2740         Pass VM instead of JSGlobalObject to JSONObject constructor.
2741         <https://webkit.org/b/122999>
2742
2743         JSONObject was only using the JSGlobalObject to grab at the VM.
2744         Dodge a few loads by passing the VM directly instead.
2745
2746         Reviewed by Geoffrey Garen.
2747
2748         * runtime/JSONObject.cpp:
2749         (JSC::JSONObject::JSONObject):
2750         (JSC::JSONObject::finishCreation):
2751         * runtime/JSONObject.h:
2752         (JSC::JSONObject::create):
2753
2754 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2755
2756         Removed the JITStackFrame struct
2757         https://bugs.webkit.org/show_bug.cgi?id=123001
2758
2759         Reviewed by Anders Carlsson.
2760
2761         * jit/JITStubs.h: JITStackFrame and JITStubArg are unused now, since all
2762         our helper functions obey the C function call ABI.
2763
2764 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2765
2766         Removed an unused #define
2767         https://bugs.webkit.org/show_bug.cgi?id=123000
2768
2769         Reviewed by Anders Carlsson.
2770
2771         * jit/JITStubs.h: Removed the concept of JITSTACKFRAME_ARGS_INDEX,
2772         since it is unused now. This is a step toward using the C stack.
2773
2774 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2775
2776         Eliminate uses of JITSTACKFRAME_ARGS_INDEX as scratch area for thunks
2777         https://bugs.webkit.org/show_bug.cgi?id=122973
2778
2779         Reviewed by Michael Saboff.
2780
2781         * jit/ThunkGenerators.cpp:
2782         (JSC::throwExceptionFromCallSlowPathGenerator): This was all dead code,
2783         so I removed it.
2784
2785         The code acted as if it needed to pass an argument to
2786         lookupExceptionHandler, and as if it passed that argument to itself
2787         through JITStackFrame. However, lookupExceptionHandler does not take
2788         an argument (other than the default ExecState argument), and the code
2789         did not initialize the thing that it thought it passed to itself!
2790
2791 2013-10-17  Alex Christensen  <achristensen@webkit.org>
2792
2793         Run JavaScriptCore tests again on Windows.
2794         https://bugs.webkit.org/show_bug.cgi?id=122787
2795
2796         Reviewed by Tim Horton.
2797
2798         * JavaScriptCore.vcxproj/JavaScriptCore.sln: Added.
2799         * jit/JITStubsMSVC64.asm: Removed reference to cti_vm_throw unused since r157581.
2800
2801 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2802
2803         Removed restoreArgumentReference (another use of JITStackFrame)
2804         https://bugs.webkit.org/show_bug.cgi?id=122997
2805
2806         Reviewed by Oliver Hunt.
2807
2808         * jit/JSInterfaceJIT.h: Removed an unused function. This is a step
2809         toward using the C stack.
2810
2811 2013-10-17  Oliver Hunt  <oliver@apple.com>
2812
2813         Remove JITStubCall.h
2814         https://bugs.webkit.org/show_bug.cgi?id=122991
2815
2816         Reviewed by Geoff Garen.
2817
2818         Happily this is no longer used.
2819
2820         * GNUmakefile.list.am:
2821         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2822         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2823         * JavaScriptCore.xcodeproj/project.pbxproj:
2824         * jit/JIT.cpp:
2825         * jit/JITArithmetic.cpp:
2826         * jit/JITArithmetic32_64.cpp:
2827         * jit/JITCall.cpp:
2828         * jit/JITCall32_64.cpp:
2829         * jit/JITOpcodes.cpp:
2830         * jit/JITOpcodes32_64.cpp:
2831         * jit/JITPropertyAccess.cpp:
2832         * jit/JITPropertyAccess32_64.cpp:
2833         * jit/JITStubCall.h: Removed.
2834
2835 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2836
2837         Removed a use of JITSTACKFRAME_ARGS_INDEX
2838         https://bugs.webkit.org/show_bug.cgi?id=122989
2839
2840         Reviewed by Oliver Hunt.
2841
2842         * jit/JITStubCall.h: Removed an unused function. This is one step closer
2843         to using the C stack.
2844
2845 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2846
2847         Change emit_op_catch to use another method to materialize VM
2848         https://bugs.webkit.org/show_bug.cgi?id=122977
2849
2850         Reviewed by Oliver Hunt.
2851
2852         * jit/JITOpcodes.cpp:
2853         (JSC::JIT::emit_op_catch):
2854         * jit/JITOpcodes32_64.cpp:
2855         (JSC::JIT::emit_op_catch): Use a constant. It removes our dependency
2856         on JITStackFrame. It is also faster and simpler.
2857
2858 2013-10-17  Geoffrey Garen  <ggaren@apple.com>
2859
2860         Eliminate emitGetJITStubArg() - dead code
2861         https://bugs.webkit.org/show_bug.cgi?id=122975
2862
2863         Reviewed by Anders Carlsson.
2864
2865         * jit/JIT.h:
2866         * jit/JITInlines.h: Removed unused, deprecated function.
2867
2868 2013-10-17  Mark Lam  <mark.lam@apple.com>
2869
2870         Eliminate all ASSERT references to OBJECT_OFFSETOF(struct JITStackFrame,...) in JITStubsXXX.h.
2871         https://bugs.webkit.org/show_bug.cgi?id=122979.
2872
2873         Reviewed by Michael Saboff.
2874
2875         * jit/JITStubs.cpp:
2876         * jit/JITStubs.h:
2877         * jit/JITStubsARM.h:
2878         * jit/JITStubsARM64.h:
2879         * jit/JITStubsARMv7.h:
2880         * jit/JITStubsMIPS.h:
2881         * jit/JITStubsSH4.h:
2882         * jit/JITStubsX86.h:
2883         * jit/JITStubsX86_64.h:
2884         * runtime/VM.cpp:
2885         (JSC::VM::VM):
2886
2887 2013-10-17  Michael Saboff  <msaboff@apple.com>
2888
2889         Remove saving callFrameRegister to JITStackFrame in JITCompiler::compileFunction()
2890         https://bugs.webkit.org/show_bug.cgi?id=122974
2891
2892         Reviewed by Geoffrey Garen.
2893
2894         Eliminated unneeded storing to JITStackFrame.
2895
2896         * dfg/DFGJITCompiler.cpp:
2897         (JSC::DFG::JITCompiler::compileFunction):
2898
2899 2013-10-17  Michael Saboff  <msaboff@apple.com>
2900
2901         Transition cti_op_throw and cti_vm_throw to a JIT operation
2902         https://bugs.webkit.org/show_bug.cgi?id=122931
2903
2904         Reviewed by Filip Pizlo.
2905
2906         Moved cti_op_throw to operationThrow.  Made the caller responsible for jumping to the
2907         catch handler.  Eliminated cti_op_throw_static_error, cti_vm_throw, ctiVMThrowTrampoline()
2908         and their callers as they are now dead code.  There is some work needed on the Microsoft X86
2909         callOperation to handle the need to provide space for a structure return value.
2910
2911         * jit/JIT.h:
2912         * jit/JITInlines.h:
2913         (JSC::JIT::callOperation):
2914         * jit/JITOpcodes.cpp:
2915         (JSC::JIT::emit_op_throw):
2916         * jit/JITOpcodes32_64.cpp:
2917         (JSC::JIT::emit_op_throw):
2918         (JSC::JIT::emit_op_catch):
2919         * jit/JITOperations.cpp:
2920         * jit/JITOperations.h:
2921         * jit/JITStubs.cpp:
2922         * jit/JITStubs.h:
2923         * jit/JITStubsARM.h:
2924         * jit/JITStubsARM64.h:
2925         * jit/JITStubsARMv7.h:
2926         * jit/JITStubsMIPS.h:
2927         * jit/JITStubsMSVC64.asm:
2928         * jit/JITStubsSH4.h:
2929         * jit/JITStubsX86.h:
2930         * jit/JITStubsX86_64.h:
2931         * jit/JSInterfaceJIT.h:
2932
2933 2013-10-17  Mark Lam  <mark.lam@apple.com>
2934
2935         Remove JITStackFrame references in the C Loop LLINT.
2936         https://bugs.webkit.org/show_bug.cgi?id=122950.
2937
2938         Reviewed by Michael Saboff.
2939
2940         * jit/JITStubs.h:
2941         * llint/LowLevelInterpreter.cpp:
2942         (JSC::CLoop::execute):
2943         * offlineasm/cloop.rb:
2944
2945 2013-10-17  Mark Lam  <mark.lam@apple.com>
2946
2947         Remove JITStackFrame references in JIT probes.
2948         https://bugs.webkit.org/show_bug.cgi?id=122947.
2949
2950         Reviewed by Michael Saboff.
2951
2952         * assembler/MacroAssemblerARM.cpp:
2953         (JSC::MacroAssemblerARM::ProbeContext::dump):
2954         * assembler/MacroAssemblerARM.h:
2955         * assembler/MacroAssemblerARMv7.cpp:
2956         (JSC::MacroAssemblerARMv7::ProbeContext::dump):
2957         * assembler/MacroAssemblerARMv7.h:
2958         * assembler/MacroAssemblerX86Common.cpp:
2959         (JSC::MacroAssemblerX86Common::ProbeContext::dump):
2960         * assembler/MacroAssemblerX86Common.h:
2961         * jit/JITStubsARM.h:
2962         * jit/JITStubsARMv7.h:
2963         * jit/JITStubsX86.h:
2964         * jit/JITStubsX86Common.h:
2965         * jit/JITStubsX86_64.h:
2966
2967 2013-10-17  Julien Brianceau  <jbriance@cisco.com>
2968
2969         Fix build when NUMBER_OF_ARGUMENT_REGISTERS == 4.
2970         https://bugs.webkit.org/show_bug.cgi?id=122949
2971
2972         Reviewed by Andreas Kling.
2973
2974         * jit/CCallHelpers.h:
2975         (JSC::CCallHelpers::setupArgumentsWithExecState):
2976
2977 2013-10-16  Mark Lam  <mark.lam@apple.com>
2978
2979         Transition remaining op_get* JITStubs to JIT operations.
2980         https://bugs.webkit.org/show_bug.cgi?id=122925.
2981
2982         Reviewed by Geoffrey Garen.
2983
2984         Transitioning:
2985             cti_op_get_by_id_generic
2986             cti_op_get_by_val
2987             cti_op_get_by_val_generic
2988             cti_op_get_by_val_string
2989
2990         * dfg/DFGOperations.cpp:
2991         * dfg/DFGOperations.h:
2992         * jit/JIT.h:
2993         * jit/JITInlines.h:
2994         (JSC::JIT::callOperation):
2995         * jit/JITOpcodes.cpp:
2996         (JSC::JIT::emitSlow_op_get_arguments_length):
2997         (JSC::JIT::emitSlow_op_get_argument_by_val):
2998         * jit/JITOpcodes32_64.cpp:
2999         (JSC::JIT::emitSlow_op_get_arguments_length):
3000         (JSC::JIT::emitSlow_op_get_argument_by_val):
3001         * jit/JITOperations.cpp:
3002         * jit/JITOperations.h:
3003         * jit/JITPropertyAccess.cpp:
3004         (JSC::JIT::emitSlow_op_get_by_val):
3005         (JSC::JIT::emitSlow_op_get_by_pname):
3006         (JSC::JIT::privateCompileGetByVal):
3007         * jit/JITPropertyAccess32_64.cpp:
3008         (JSC::JIT::emitSlow_op_get_by_val):
3009         (JSC::JIT::emitSlow_op_get_by_pname):
3010         * jit/JITStubs.cpp:
3011         * jit/JITStubs.h:
3012         * runtime/Executable.cpp:
3013         (JSC::setupLLInt): Added some UNUSED_PARAMs to fix the no LLINT build.
3014         * runtime/Options.cpp:
3015         (JSC::Options::initialize):
3016
3017 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
3018
3019         Introduce WTF::Bag and start using it for InlineCallFrameSet
3020         https://bugs.webkit.org/show_bug.cgi?id=122941
3021
3022         Reviewed by Geoffrey Garen.
3023         
3024         Use Bag for InlineCallFrameSet. If this works out then I'll make other
3025         SegmentedVectors into Bags as well.
3026
3027         * bytecode/InlineCallFrameSet.cpp:
3028         (JSC::InlineCallFrameSet::add):
3029         * bytecode/InlineCallFrameSet.h:
3030         (JSC::InlineCallFrameSet::begin):
3031         (JSC::InlineCallFrameSet::end):
3032         * dfg/DFGArgumentsSimplificationPhase.cpp:
3033         (JSC::DFG::ArgumentsSimplificationPhase::run):
3034         * dfg/DFGJITCompiler.cpp:
3035         (JSC::DFG::JITCompiler::link):
3036         * dfg/DFGStackLayoutPhase.cpp:
3037         (JSC::DFG::StackLayoutPhase::run):
3038         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
3039         (JSC::DFG::VirtualRegisterAllocationPhase::run):
3040
3041 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
3042
3043         libllvmForJSC shouldn't call exit(1) on report_fatal_error()
3044         https://bugs.webkit.org/show_bug.cgi?id=122905
3045         <rdar://problem/15237856>
3046
3047         Reviewed by Michael Saboff.
3048         
3049         Expose the new LLVMInstallFatalErrorHandler() API through the soft linking magic and
3050         then always call it to install something that calls CRASH().
3051
3052         * llvm/InitializeLLVM.cpp:
3053         (JSC::llvmCrash):
3054         (JSC::initializeLLVMOnce):
3055         (JSC::initializeLLVM):
3056         * llvm/LLVMAPIFunctions.h:
3057
3058 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
3059
3060         Prototype chain repatching in the polymorphic case fails to check if the receiver is a dictionary
3061         https://bugs.webkit.org/show_bug.cgi?id=122938
3062
3063         Reviewed by Sam Weinig.
3064         
3065         This fixes jsc-layout-tests.yaml/js/script-tests/dictionary-prototype-caching.js.layout-no-llint.
3066
3067         * jit/Repatch.cpp:
3068         (JSC::tryBuildGetByIDList):
3069
3070 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
3071
3072         JIT::appendCall() needs to killLastResultRegister() or equivalent since there's some really bad code that expects it
3073         https://bugs.webkit.org/show_bug.cgi?id=122937
3074
3075         Reviewed by Geoffrey Garen.
3076         
3077         JITStubCall used to do it.
3078         
3079         This makes mozilla-tests.yaml/ecma/Statements/12.10-1.js.mozilla-baseline pass.
3080
3081         * jit/JIT.h:
3082         (JSC::JIT::appendCall):
3083
3084 2013-10-16  Michael Saboff  <msaboff@apple.com>
3085
3086         transition void cti_op_put_by_val* stubs to JIT operations
3087         https://bugs.webkit.org/show_bug.cgi?id=122903
3088
3089         Reviewed by Geoffrey Garen.
3090
3091         Transitioned cti_op_put_by_val and cti_op_put_by_val_generic to operationPutByVal and
3092         operationPutByValGeneric.
3093
3094         * jit/CCallHelpers.h:
3095         (JSC::CCallHelpers::setupArgumentsWithExecState):
3096         * jit/JIT.h:
3097         * jit/JITInlines.h:
3098         (JSC::JIT::callOperation):
3099         * jit/JITOperations.cpp:
3100         * jit/JITOperations.h:
3101         * jit/JITPropertyAccess.cpp:
3102         (JSC::JIT::emitSlow_op_put_by_val):
3103         (JSC::JIT::privateCompilePutByVal):
3104         * jit/JITPropertyAccess32_64.cpp:
3105         (JSC::JIT::emitSlow_op_put_by_val):
3106         * jit/JITStubs.cpp:
3107         * jit/JITStubs.h:
3108         * jit/JSInterfaceJIT.h:
3109
3110 2013-10-16  Oliver Hunt  <oliver@apple.com>
3111
3112         Implement ES6 spread operator
3113         https://bugs.webkit.org/show_bug.cgi?id=122911
3114
3115         Reviewed by Michael Saboff.
3116
3117         Implement the ES6 spread operator
3118
3119         This has a little bit of refactoring to move the enumeration logic out of ForOfNode
3120         and into BytecodeGenerator, and then adds the logic to make it nicely callback
3121         driven.
3122
3123         The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
3124         and actually handling the spread.
3125
3126         * bytecompiler/BytecodeGenerator.cpp:
3127         (JSC::BytecodeGenerator::emitNewArray):
3128         (JSC::BytecodeGenerator::emitCall):
3129         (JSC::BytecodeGenerator::emitEnumeration):
3130         * bytecompiler/BytecodeGenerator.h:
3131         * bytecompiler/NodesCodegen.cpp:
3132         (JSC::ArrayNode::emitBytecode):
3133         (JSC::ForOfNode::emitBytecode):
3134         (JSC::SpreadExpressionNode::emitBytecode):
3135         * parser/ASTBuilder.h:
3136         (JSC::ASTBuilder::createSpreadExpression):
3137         * parser/Lexer.cpp:
3138         (JSC::::lex):
3139         * parser/NodeConstructors.h:
3140         (JSC::SpreadExpressionNode::SpreadExpressionNode):
3141         * parser/Nodes.h:
3142         (JSC::ExpressionNode::isSpreadExpression):
3143         (JSC::SpreadExpressionNode::expression):
3144         * parser/Parser.cpp:
3145         (JSC::::parseArrayLiteral):
3146         (JSC::::parseArguments):
3147         (JSC::::parseMemberExpression):
3148         * parser/Parser.h:
3149         (JSC::Parser::getTokenName):
3150         (JSC::Parser::updateErrorMessageSpecialCase):
3151         * parser/ParserTokens.h:
3152         * parser/SyntaxChecker.h:
3153         (JSC::SyntaxChecker::createSpreadExpression):
3154
3155 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
3156
3157         Add a useLLInt option to jsc
3158         https://bugs.webkit.org/show_bug.cgi?id=122930
3159
3160         Reviewed by Geoffrey Garen.
3161
3162         * runtime/Executable.cpp:
3163         (JSC::setupLLInt):
3164         (JSC::setupJIT):
3165         (JSC::ScriptExecutable::prepareForExecutionImpl):
3166         * runtime/Options.h:
3167
3168 2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>
3169
3170         Build fix.
3171
3172         Forgot to svn add DeferGC.cpp
3173
3174         * heap/DeferGC.cpp: Added.
3175
3176 2013-10-16  Filip Pizlo  <fpizlo@apple.com>
3177
3178         r157411 fails run-javascriptcore-tests when run with Baseline JIT
3179         https://bugs.webkit.org/show_bug.cgi?id=122902
3180
3181         Reviewed by Mark Hahnenberg.
3182         
3183         It turns out that this was a long-standing bug in the DFG PutById repatching logic. It's
3184         not legal to patch if the typeInfo tells you that you can't patch. The old JIT's patching
3185         logic did this right, and the DFG's GetById patching logic did it right; but DFG PutById
3186         didn't. Turns out that there's even a helpful method,
3187         Structure::propertyAccessesAreCacheable(), that will even do all of the checks for you!
3188
3189         * jit/Repatch.cpp:
3190         (JSC::tryCachePutByID):
3191
3192 2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>
3193
3194         llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
3195         https://bugs.webkit.org/show_bug.cgi?id=122667
3196
3197         Reviewed by Geoffrey Garen.
3198
3199         The issue this patch is attempting to fix is that there are places in our codebase
3200         where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
3201         operations that can initiate a garbage collection. Garbage collection then calls 
3202         some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
3203         always necessarily run during garbage collection). This causes a deadlock.
3204  
3205         To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores 
3206         into a thread-local field that indicates that it is unsafe to perform any operation 
3207         that could trigger garbage collection on the current thread. In debug builds, 
3208         ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly 
3209         detect deadlocks.
3210  
3211         This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
3212         which uses the DeferGC mechanism to prevent collections from occurring while the 
3213         lock is held.
3214
3215         * CMakeLists.txt:
3216         * GNUmakefile.list.am:
3217         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3218         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3219         * JavaScriptCore.xcodeproj/project.pbxproj:
3220         * heap/DeferGC.h:
3221         (JSC::DisallowGC::DisallowGC):
3222         (JSC::DisallowGC::~DisallowGC):
3223         (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
3224         (JSC::DisallowGC::initialize):
3225         * jit/Repatch.cpp:
3226         (JSC::repatchPutByID):
3227         (JSC::buildPutByIdList):
3228         * llint/LLIntSlowPaths.cpp:
3229         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3230         * runtime/ConcurrentJITLock.h:
3231         (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
3232         (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
3233         (JSC::ConcurrentJITLockerBase::unlockEarly):
3234         (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
3235         (JSC::GCSafeConcurrentJITLocker::~GCSafeConcurrentJITLocker):
3236         (JSC::GCSafeConcurrentJITLocker::NoDefer::NoDefer):
3237         (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
3238         * runtime/InitializeThreading.cpp:
3239         (JSC::initializeThreadingOnce):
3240         * runtime/JSCellInlines.h:
3241         (JSC::allocateCell):
3242         * runtime/JSSymbolTableObject.h:
3243         (JSC::symbolTablePut):
3244         * runtime/Structure.cpp: materializePropertyMapIfNecessary* now has a problem in that it
3245         can start a garbage collection when the GCSafeConcurrentJITLocker goes out of scope, but 
3246         before the caller has a chance to use the newly created PropertyTable. The garbage collection
3247         clears the PropertyTable, and then the caller uses it assuming it's valid. To avoid this,
3248         we must DeferGC until the caller is done getting the newly materialized PropertyTable from 
3249         the Structure.
3250         (JSC::Structure::materializePropertyMap):
3251         (JSC::Structure::despecifyDictionaryFunction):
3252         (JSC::Structure::changePrototypeTransition):
3253         (JSC::Structure::despecifyFunctionTransition):
3254         (JSC::Structure::attributeChangeTransition):
3255         (JSC::Structure::toDictionaryTransition):
3256         (JSC::Structure::preventExtensionsTransition):
3257         (JSC::Structure::takePropertyTableOrCloneIfPinned):
3258         (JSC::Structure::isSealed):
3259         (JSC::Structure::isFrozen):
3260         (JSC::Structure::addPropertyWithoutTransition):
3261         (JSC::Structure::removePropertyWithoutTransition):
3262         (JSC::Structure::get):
3263         (JSC::Structure::despecifyFunction):
3264         (JSC::Structure::despecifyAllFunctions):
3265         (JSC::Structure::putSpecificValue):
3266         (JSC::Structure::createPropertyMap):
3267         (JSC::Structure::getPropertyNamesFromStructure):
3268         * runtime/Structure.h:
3269         (JSC::Structure::materializePropertyMapIfNecessary):
3270         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
3271         * runtime/StructureInlines.h:
3272         (JSC::Structure::get):
3273         * runtime/SymbolTable.h:
3274         (JSC::SymbolTable::find):
3275         (JSC::SymbolTable::end):
3276
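The DisallowGC / DeferGC / GCSafeConcurrentJITLocker behaviour described in the entry above, as an added illustrative model that is not JavaScriptCore's own code: the Heap and Lock stand-ins, the status-returning collectIfNecessary(), and the two scenario functions are assumptions made for the illustration (the real heap ASSERTs on a disallowed collection rather than returning a value).

```cpp
// Added illustration (not JavaScriptCore's code) of the invariants described in the
// ChangeLog entry above: DisallowGC marks a thread as unable to collect, DeferGC
// postpones collection, and the two locker flavours differ in which one they carry.
#include <cassert>

namespace Model {

// Per-thread count of live DisallowGC scopes; the real code keeps a thread-local flag.
static thread_local unsigned s_gcDisallowDepth = 0;

// RAII guard: while alive, triggering a collection on this thread is a bug.
class DisallowGC {
public:
    DisallowGC() { ++s_gcDisallowDepth; }
    ~DisallowGC() { --s_gcDisallowDepth; }
    static bool isGCDisallowedOnCurrentThread() { return s_gcDisallowDepth > 0; }
};

enum class CollectResult { Collected, Deferred, Disallowed };

// Stand-in for Heap (assumption). A disallowed collection is reported as a value so the
// scenario can be checked; the real heap would ASSERT here to flag the deadlock early.
class Heap {
public:
    CollectResult collectIfNecessary()
    {
        if (DisallowGC::isGCDisallowedOnCurrentThread())
            return CollectResult::Disallowed;
        if (m_deferDepth > 0) {
            m_collectionPending = true;     // remembered, run when the outermost DeferGC ends
            return CollectResult::Deferred;
        }
        m_collectionPending = false;
        ++m_collections;
        return CollectResult::Collected;
    }
    unsigned collections() const { return m_collections; }
    bool collectionPending() const { return m_collectionPending; }

private:
    friend class DeferGC;
    unsigned m_deferDepth = 0;
    unsigned m_collections = 0;
    bool m_collectionPending = false;
};

// RAII guard: collections requested while alive run when the outermost DeferGC ends.
class DeferGC {
public:
    explicit DeferGC(Heap& heap) : m_heap(heap) { ++m_heap.m_deferDepth; }
    ~DeferGC()
    {
        if (--m_heap.m_deferDepth == 0 && m_heap.m_collectionPending)
            m_heap.collectIfNecessary();
    }
private:
    Heap& m_heap;
};

// Minimal stand-in for the per-CodeBlock ConcurrentJITLock (assumption; no real mutex).
struct Lock { bool held = false; };

// Plain locker: in debug builds it carries a DisallowGC, so a collection attempted while
// the lock is held is detected instead of deadlocking on the re-entrant lock.
class ConcurrentJITLocker {
public:
    explicit ConcurrentJITLocker(Lock& lock) : m_lock(lock) { m_lock.held = true; }
    ~ConcurrentJITLocker() { m_lock.held = false; }
private:
    Lock& m_lock;
    DisallowGC m_disallowGC;
};

// GC-safe locker: defers collection for the lock's lifetime instead of forbidding it.
// DeferGC is declared first so it is destroyed last: unlock happens before the GC runs.
class GCSafeConcurrentJITLocker {
public:
    GCSafeConcurrentJITLocker(Lock& lock, Heap& heap) : m_deferGC(heap), m_lock(lock) { m_lock.held = true; }
    ~GCSafeConcurrentJITLocker() { m_lock.held = false; }
private:
    DeferGC m_deferGC;
    Lock& m_lock;
};

} // namespace Model

// Scenario 1: an allocation that wants to collect while the plain locker is held.
inline Model::CollectResult allocateUnderPlainLock(Model::Heap& heap, Model::Lock& lock)
{
    Model::ConcurrentJITLocker locker(lock);
    return heap.collectIfNecessary();   // Disallowed: the deadlock-prone pattern, caught eagerly
}

// Scenario 2: the same allocation under the GC-safe locker; the collection is deferred
// and runs once the locker (and with it the lock) has been released.
inline Model::CollectResult allocateUnderGCSafeLock(Model::Heap& heap, Model::Lock& lock)
{
    Model::GCSafeConcurrentJITLocker locker(lock, heap);
    return heap.collectIfNecessary();   // Deferred; collected when locker goes out of scope
}
```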
3277 2013-10-16  Daniel Bates  <dabates@apple.com>
3278
3279         Add SPI to disable the garbage collector timer
3280         https://bugs.webkit.org/show_bug.cgi?id=122921
3281
3282         Reviewed by Geoffrey Garen.
3283
3284         Based on a patch by Mark Hahnenberg.
3285
3286         * API/JSBase.cpp:
3287         (JSDisableGCTimer): Added; SPI function.
3288         * API/JSBasePrivate.h:
3289         * heap/BlockAllocator.cpp:
3290         (JSC::createBlockFreeingThread): Added.
3291         (JSC::BlockAllocator::BlockAllocator): Modified to use JSC::createBlockFreeingThread()
3292         to conditionally create the "block freeing" thread depending on the value of
3293         GCActivityCallback::s_shouldCreateGCTimer.
3294         (JSC::BlockAllocator::~BlockAllocator):
3295         * heap/BlockAllocator.h:
3296         (JSC::BlockAllocator::deallocate):
3297         * heap/Heap.cpp:
3298         (JSC::Heap::didAbandon):
3299         (JSC::Heap::collect):
3300         (JSC::Heap::didAllocate):
3301         * heap/HeapTimer.cpp:
3302         (JSC::HeapTimer::timerDidFire):
3303         * runtime/GCActivityCallback.cpp:
3304         * runtime/GCActivityCallback.h:
3305         (JSC::DefaultGCActivityCallback::create): Only instantiate a DefaultGCActivityCallback object
3306         when GCActivityCallback::s_shouldCreateGCTimer is true so as to prevent allocating a HeapTimer
3307         object (since DefaultGCActivityCallback ultimately extends HeapTimer).
3308
3309 2013-10-16  Commit Queue  <commit-queue@webkit.org>
3310
3311         Unreviewed, rolling out r157529.
3312         http://trac.webkit.org/changeset/157529
3313         https://bugs.webkit.org/show_bug.cgi?id=122919
3314
3315         Caused score test failures and some build failures. (Requested
3316         by rfong on #webkit).
3317
3318         * bytecompiler/BytecodeGenerator.cpp:
3319         (JSC::BytecodeGenerator::emitNewArray):
3320         (JSC::BytecodeGenerator::emitCall):
3321         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
3322         * bytecompiler/BytecodeGenerator.h:
3323         * bytecompiler/NodesCodegen.cpp:
3324         (JSC::ArrayNode::emitBytecode):
3325         (JSC::CallArguments::CallArguments):
3326         (JSC::ForOfNode::emitBytecode):
3327         (JSC::BindingNode::collectBoundIdentifiers):
3328         * parser/ASTBuilder.h:
3329         * parser/Lexer.cpp:
3330         (JSC::::lex):
3331         * parser/NodeConstructors.h:
3332         (JSC::DotAccessorNode::DotAccessorNode):
3333         * parser/Nodes.h:
3334         * parser/Parser.cpp:
3335         (JSC::::parseArrayLiteral):
3336         (JSC::::parseArguments):
3337         (JSC::::parseMemberExpression):
3338         * parser/Parser.h:
3339         (JSC::Parser::getTokenName):
3340         (JSC::Parser::updateErrorMessageSpecialCase):
3341         * parser/ParserTokens.h:
3342         * parser/SyntaxChecker.h:
3343
3344 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
3345
3346         Remove useless architecture specific implementation in DFG.
3347         https://bugs.webkit.org/show_bug.cgi?id=122917.
3348
3349         Reviewed by Michael Saboff.
3350
3351         With CPU(ARM) && CPU(ARM_HARDFP) architecture, the fallback implementation is fine
3352         as FPRInfo::argumentFPR0 == FPRInfo::returnValueFPR in this case.
3353
3354         * dfg/DFGSpeculativeJIT.h:
3355
3356 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
3357
3358         Remove unused JIT::restoreArgumentReferenceForTrampoline function.
3359         https://bugs.webkit.org/show_bug.cgi?id=122916.
3360
3361         Reviewed by Michael Saboff.
3362
3363         This architecture specific function is not used anymore, so get rid of it.
3364
3365         * jit/JIT.h:
3366         * jit/JITInlines.h:
3367
3368 2013-10-16  Oliver Hunt  <oliver@apple.com>
3369
3370         Implement ES6 spread operator
3371         https://bugs.webkit.org/show_bug.cgi?id=122911
3372
3373         Reviewed by Michael Saboff.
3374
3375         Implement the ES6 spread operator
3376
3377         This has a little bit of refactoring to move the enumeration logic out of ForOfNode
3378         and into BytecodeGenerator, and then adds the logic to make it nicely callback
3379         driven.
3380
3381         The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
3382         and actually handling the spread.
3383
3384         * bytecompiler/BytecodeGenerator.cpp:
3385         (JSC::BytecodeGenerator::emitNewArray):
3386         (JSC::BytecodeGenerator::emitCall):
3387         (JSC::BytecodeGenerator::emitEnumeration):
3388         * bytecompiler/BytecodeGenerator.h:
3389         * bytecompiler/NodesCodegen.cpp:
3390         (JSC::ArrayNode::emitBytecode):
3391         (JSC::ForOfNode::emitBytecode):
3392         (JSC::SpreadExpressionNode::emitBytecode):
3393         * parser/ASTBuilder.h:
3394         (JSC::ASTBuilder::createSpreadExpression):
3395         * parser/Lexer.cpp:
3396         (JSC::::lex):
3397         * parser/NodeConstructors.h:
3398         (JSC::SpreadExpressionNode::SpreadExpressionNode):
3399         * parser/Nodes.h:
3400         (JSC::ExpressionNode::isSpreadExpression):
3401         (JSC::SpreadExpressionNode::expression):
3402         * parser/Parser.cpp:
3403         (JSC::::parseArrayLiteral):
3404         (JSC::::parseArguments):
3405         (JSC::::parseMemberExpression):
3406         * parser/Parser.h:
3407         (JSC::Parser::getTokenName):
3408         (JSC::Parser::updateErrorMessageSpecialCase):
3409         * parser/ParserTokens.h:
3410         * parser/SyntaxChecker.h:
3411         (JSC::SyntaxChecker::createSpreadExpression):
3412
3413 2013-10-16  Mark Lam  <mark.lam@apple.com>
3414
3415         Transition void cti_op_tear_off* methods to JIT operations for 32 bit.
3416         https://bugs.webkit.org/show_bug.cgi?id=122899.
3417
3418         Reviewed by Michael Saboff.
3419
3420         * jit/JITOpcodes32_64.cpp:
3421         (JSC::JIT::emit_op_tear_off_activation):
3422         (JSC::JIT::emit_op_tear_off_arguments):
3423         * jit/JITStubs.cpp:
3424         * jit/JITStubs.h:
3425
3426 2013-10-16  Julien Brianceau  <jbriance@cisco.com>
3427
3428         Remove more of the UNINTERRUPTED_SEQUENCE thing
3429         https://bugs.webkit.org/show_bug.cgi?id=122885
3430
3431         Reviewed by Andreas Kling.
3432
3433         It was not completely removed by r157481, leading to build failure for sh4 architecture.
3434
3435         * jit/JIT.h:
3436         * jit/JITInlines.h:
3437
3438 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
3439
3440         Get rid of the StructureStubInfo::patch union
3441         https://bugs.webkit.org/show_bug.cgi?id=122877
3442
3443         Reviewed by Sam Weinig.
3444         
3445         Just simplifying code by getting rid of data structures that ain't used no more.
3446         
3447         Note that I replace the patch union with a patch struct. This means we say things like
3448         stubInfo.patch.valueGPR instead of stubInfo.valueGPR. I think that this extra
3449         encapsulation makes the code more readable: the patch struct contains just those things
3450         that you need to know to perform patching.
3451
3452         * bytecode/StructureStubInfo.h:
3453         * dfg/DFGJITCompiler.cpp:
3454         (JSC::DFG::JITCompiler::link):
3455         * jit/JIT.cpp:
3456         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
3457         * jit/Repatch.cpp:
3458         (JSC::repatchByIdSelfAccess):
3459         (JSC::replaceWithJump):
3460         (JSC::linkRestoreScratch):
3461         (JSC::generateProtoChainAccessStub):
3462         (JSC::tryCacheGetByID):
3463         (JSC::getPolymorphicStructureList):
3464         (JSC::patchJumpToGetByIdStub):
3465         (JSC::tryBuildGetByIDList):
3466         (JSC::emitPutReplaceStub):
3467         (JSC::emitPutTransitionStub):
3468         (JSC::tryCachePutByID):
3469         (JSC::tryBuildPutByIdList):
3470         (JSC::tryRepatchIn):
3471         (JSC::resetGetByID):
3472         (JSC::resetPutByID):
3473         (JSC::resetIn):
3474
3475 2013-10-15  Nadav Rotem  <nrotem@apple.com>
3476
3477         FTL: add support for Int52ToValue and fix putByVal of int52s.
3478         https://bugs.webkit.org/show_bug.cgi?id=122873
3479
3480         Reviewed by Filip Pizlo.
3481
3482         * ftl/FTLCapabilities.cpp:
3483         (JSC::FTL::canCompile):
3484         * ftl/FTLLowerDFGToLLVM.cpp:
3485         (JSC::FTL::LowerDFGToLLVM::compileNode):
3486         (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue):
3487         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
3488
3489 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
3490
3491         Get rid of the UNINTERRUPTED_SEQUENCE thing
3492         https://bugs.webkit.org/show_bug.cgi?id=122876
3493
3494         Reviewed by Mark Hahnenberg.
3495         
3496         It doesn't make sense anymore. We now use the DFG's IC logic, which never needed that.
3497         
3498         Moreover, we should resist the temptation to bring anything like this back. We don't
3499         want to have inline caches that only work if the assembler lays out code in a specific
3500         predetermined way.
3501
3502         * jit/JIT.h:
3503         * jit/JITCall.cpp:
3504         (JSC::JIT::compileOpCall):
3505         * jit/JITCall32_64.cpp:
3506         (JSC::JIT::compileOpCall):
3507
3508 2013-10-15  Filip Pizlo  <fpizlo@apple.com>
3509
3510         Baseline JIT should use the DFG GetById IC
3511         https://bugs.webkit.org/show_bug.cgi?id=122861
3512
3513         Reviewed by Oliver Hunt.
3514         
3515         This mostly just kills a ton of code.
3516         
3517         Note that this doesn't yet do all of the simplifications that can be done, but it does
3518         kill dead code. I'll have another change to simplify StructureStubInfo's unions and such.
3519
3520         * bytecode/CodeBlock.cpp:
3521         (JSC::CodeBlock::resetStubInternal):
3522         * jit/JIT.cpp:
3523         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
3524         * jit/JIT.h:
3525         (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
3526         * jit/JITInlines.h:
3527         (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
3528         (JSC::JIT::callOperation):
3529         * jit/JITPropertyAccess.cpp:
3530         (JSC::JIT::compileGetByIdHotPath):
3531         (JSC::JIT::emitSlow_op_get_by_id):
3532         (JSC::JIT::emitSlow_op_get_from_scope):
3533         * jit/JITPropertyAccess32_64.cpp:
3534         (JSC::JIT::compileGetByIdHotPath):
3535         (JSC::JIT::emitSlow_op_get_by_id):
3536         (JSC::JIT::emitSlow_op_get_from_scope):
3537         * jit/JITStubs.cpp:
3538         * jit/JITStubs.h:
3539         * jit/Repatch.cpp:
3540         (JSC::repatchGetByID):
3541         (JSC::buildGetByIDList):
3542         * jit/ThunkGenerators.cpp:
3543         * jit/ThunkGenerators.h:
3544
3545 2013-10-15  Dean Jackson  <dino@apple.com>
3546
3547         Add ENABLE_WEB_ANIMATIONS flag
3548         https://bugs.webkit.org/show_bug.cgi?id=122871
3549
3550         Reviewed by Tim Horton.
3551
3552         Eventually might be http://dev.w3.org/fxtf/web-animations/
3553         but this is just engine-internal work at the moment.
3554
3555         * Configurations/FeatureDefines.xcconfig:
3556
3557 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
3558
3559         [sh4] Some calls don't match sh4 ABI.
3560         https://bugs.webkit.org/show_bug.cgi?id=122863
3561
3562         Reviewed by Michael Saboff.
3563
3564         * dfg/DFGSpeculativeJIT.h:
3565         (JSC::DFG::SpeculativeJIT::callOperation):
3566         * jit/CCallHelpers.h:
3567         (JSC::CCallHelpers::setupArgumentsWithExecState):
3568         * jit/JITInlines.h:
3569         (JSC::JIT::callOperation):
3570
3571 2013-10-15  Daniel Bates  <dabates@apple.com>
3572
3573         [iOS] Upstream JavaScriptCore support for ARM64
3574         https://bugs.webkit.org/show_bug.cgi?id=122762
3575
3576         Reviewed by Oliver Hunt and Filip Pizlo.
3577
3578         * Configurations/Base.xcconfig:
3579         * Configurations/DebugRelease.xcconfig:
3580         * Configurations/JavaScriptCore.xcconfig:
3581         * Configurations/ToolExecutable.xcconfig:
3582         * JavaScriptCore.xcodeproj/project.pbxproj:
3583         * assembler/ARM64Assembler.h: Added.
3584         * assembler/AbstractMacroAssembler.h:
3585         (JSC::isARM64):
3586         (JSC::AbstractMacroAssembler::Label::Label):
3587         (JSC::AbstractMacroAssembler::Jump::Jump):
3588         (JSC::AbstractMacroAssembler::Jump::link):
3589         (JSC::AbstractMacroAssembler::Jump::linkTo):
3590         (JSC::AbstractMacroAssembler::CachedTempRegister::CachedTempRegister):
3591         (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDInvalidate):
3592         (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDNoInvalidate):
3593         (JSC::AbstractMacroAssembler::CachedTempRegister::value):
3594         (JSC::AbstractMacroAssembler::CachedTempRegister::setValue):
3595         (JSC::AbstractMacroAssembler::CachedTempRegister::invalidate):
3596         (JSC::AbstractMacroAssembler::invalidateAllTempRegisters):
3597         (JSC::AbstractMacroAssembler::isTempRegisterValid):
3598         (JSC::AbstractMacroAssembler::clearTempRegisterValid):
3599         (JSC::AbstractMacroAssembler::setTempRegisterValid):
3600         * assembler/LinkBuffer.cpp:
3601         (JSC::LinkBuffer::copyCompactAndLinkCode):
3602         (JSC::LinkBuffer::linkCode):
3603         * assembler/LinkBuffer.h:
3604         * assembler/MacroAssembler.h:
3605         (JSC::MacroAssembler::isPtrAlignedAddressOffset):
3606         (JSC::MacroAssembler::pushToSave):
3607         (JSC::MacroAssembler::popToRestore):
3608         (JSC::MacroAssembler::patchableBranchTest32):
3609         * assembler/MacroAssemblerARM64.h: Added.
3610         * assembler/MacroAssemblerARMv7.h:
3611         * dfg/DFGFixupPhase.cpp:
3612         (JSC::DFG::FixupPhase::fixupNode):
3613         * dfg/DFGOSRExitCompiler32_64.cpp:
3614         (JSC::DFG::OSRExitCompiler::compileExit):
3615         * dfg/DFGOSRExitCompiler64.cpp:
3616         (JSC::DFG::OSRExitCompiler::compileExit):
3617         * dfg/DFGSpeculativeJIT.cpp:
3618         (JSC::DFG::SpeculativeJIT::compileArithDiv):
3619         (JSC::DFG::SpeculativeJIT::compileArithMod):
3620         * disassembler/ARM64/A64DOpcode.cpp: Added.
3621         * disassembler/ARM64/A64DOpcode.h: Added.
3622         * disassembler/ARM64Disassembler.cpp: Added.
3623         * heap/MachineStackMarker.cpp:
3624         (JSC::getPlatformThreadRegisters):
3625         (JSC::otherThreadStackPointer):
3626         * heap/Region.h:
3627         * jit/AssemblyHelpers.h:
3628         (JSC::AssemblyHelpers::debugCall):
3629         * jit/CCallHelpers.h:
3630         * jit/ExecutableAllocator.h:
3631         * jit/FPRInfo.h:
3632         (JSC::FPRInfo::toRegister):
3633         (JSC::FPRInfo::toIndex):
3634         (JSC::FPRInfo::debugName):
3635         * jit/GPRInfo.h:
3636         (JSC::GPRInfo::toRegister):
3637         (JSC::GPRInfo::toIndex):
3638         (JSC::GPRInfo::debugName):
3639         * jit/JITInlines.h:
3640         (JSC::JIT::restoreArgumentReferenceForTrampoline):
3641         * jit/JITOperationWrappers.h:
3642         * jit/JITOperations.cpp:
3643         * jit/JITStubs.cpp:
3644         (JSC::performPlatformSpecificJITAssertions):
3645         (JSC::tryCachePutByID):
3646         * jit/JITStubs.h:
3647         (JSC::JITStackFrame::returnAddressSlot):
3648         * jit/JITStubsARM64.h: Added.
3649         * jit/JSInterfaceJIT.h:
3650         * jit/Repatch.cpp:
3651         (JSC::emitRestoreScratch):
3652         (JSC::generateProtoChainAccessStub):
3653         (JSC::tryCacheGetByID):
3654         (JSC::emitPutReplaceStub):
3655         (JSC::tryCachePutByID):
3656         (JSC::tryRepatchIn):
3657         * jit/ScratchRegisterAllocator.h:
3658         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
3659         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
3660         * jit/ThunkGenerators.cpp:
3661         (JSC::nativeForGenerator):
3662         (JSC::floorThunkGenerator):
3663         (JSC::ceilThunkGenerator):
3664         * jsc.cpp:
3665         (main):
3666         * llint/LLIntOfflineAsmConfig.h:
3667         * llint/LLIntSlowPaths.cpp:
3668         (JSC::LLInt::handleHostCall):
3669         * llint/LowLevelInterpreter.asm:
3670         * llint/LowLevelInterpreter64.asm:
3671         * offlineasm/arm.rb:
3672         * offlineasm/arm64.rb: Added.
3673         * offlineasm/backends.rb:
3674         * offlineasm/instructions.rb:
3675         * offlineasm/risc.rb:
3676         * offlineasm/transform.rb:
3677         * yarr/YarrJIT.cpp:
3678         (JSC::Yarr::YarrGenerator::alignCallFrameSizeInBytes):
3679         (JSC::Yarr::YarrGenerator::initCallFrame):
3680         (JSC::Yarr::YarrGenerator::removeCallFrame):
3681         (JSC::Yarr::YarrGenerator::generateEnter):
3682         * yarr/YarrJIT.h:
3683
3684 2013-10-15  Mark Lam  <mark.lam@apple.com>
3685
3686         Fix 3 operand sub operation in C loop LLINT.
3687         https://bugs.webkit.org/show_bug.cgi?id=122866.
3688
3689         Reviewed by Geoffrey Garen.
3690
3691         * offlineasm/cloop.rb:
3692
3693 2013-10-15  Mark Hahnenberg  <mhahnenberg@apple.com>
3694
3695         ObjCCallbackFunctionImpl shouldn't store a JSContext
3696         https://bugs.webkit.org/show_bug.cgi?id=122531
3697
3698         Reviewed by Geoffrey Garen.
3699
3700         The m_context field in ObjCCallbackFunctionImpl is vestigial and is only incidentally correct 
3701         in the common case. It's also no longer necessary in that we can look up the current JSContext 
3702         by using the globalObject of the callee when the function callback is invoked.
3703  
3704         Also added a new test that would cause us to crash previously. The test required making 
3705         JSContextGetGlobalContext public API so that clients can obtain a JSContext from the JSContextRef
3706         in C API callbacks.
3707
3708         * API/JSContextRef.h:
3709         * API/JSContextRefPrivate.h:
3710         * API/ObjCCallbackFunction.mm:
3711         (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
3712         (JSC::objCCallbackFunctionCallAsFunction):
3713         (objCCallbackFunctionForInvocation):
3714         * API/WebKitAvailability.h:
3715         * API/tests/CurrentThisInsideBlockGetterTest.h: Added.
3716         * API/tests/CurrentThisInsideBlockGetterTest.mm: Added.
3717         (CallAsConstructor):
3718         (ConstructorFinalize):
3719         (ConstructorClass):
3720         (+[JSValue valueWithConstructorDescriptor:inContext:]):
3721         (-[JSContext valueWithConstructorDescriptor:]):
3722         (currentThisInsideBlockGetterTest):
3723         * API/tests/testapi.mm:
3724         * JavaScriptCore.xcodeproj/project.pbxproj:
3725         * debugger/Debugger.cpp: Had to add some fully qualified names to avoid conflicts with Mac OS X headers.
3726
3727 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
3728
3729         Fix build after r157457 for architecture with 4 argument registers.
3730         https://bugs.webkit.org/show_bug.cgi?id=122860
3731
3732         Reviewed by Michael Saboff.
3733
3734         * jit/CCallHelpers.h:
3735         (JSC::CCallHelpers::setupStubArguments134):
3736
3737 2013-10-14  Michael Saboff  <msaboff@apple.com>
3738
3739         transition void cti_op_* methods to JIT operations.
3740         https://bugs.webkit.org/show_bug.cgi?id=122617
3741
3742         Reviewed by Geoffrey Garen.
3743
3744         Converted the following stubs to JIT operations:
3745             cti_handle_watchdog_timer
3746             cti_op_debug
3747             cti_op_pop_scope
3748             cti_op_profile_did_call
3749             cti_op_profile_will_call
3750             cti_op_put_by_index
3751             cti_op_put_getter_setter
3752             cti_op_tear_off_activation
3753             cti_op_tear_off_arguments
3754             cti_op_throw_static_error
3755             cti_optimize
3756
3757         * dfg/DFGOperations.cpp:
3758         * dfg/DFGOperations.h:
3759         * jit/CCallHelpers.h:
3760         (JSC::CCallHelpers::setupArgumentsWithExecState):
3761         (JSC::CCallHelpers::setupThreeStubArgsGPR):
3762         (JSC::CCallHelpers::setupStubArguments):
3763         (JSC::CCallHelpers::setupStubArguments134):
3764         * jit/JIT.cpp:
3765         (JSC::JIT::emitEnterOptimizationCheck):
3766         * jit/JIT.h:
3767         * jit/JITInlines.h:
3768         (JSC::JIT::callOperation):
3769         * jit/JITOpcodes.cpp:
3770         (JSC::JIT::emit_op_tear_off_activation):
3771         (JSC::JIT::emit_op_tear_off_arguments):
3772         (JSC::JIT::emit_op_push_with_scope):
3773         (JSC::JIT::emit_op_pop_scope):
3774         (JSC::JIT::emit_op_push_name_scope):
3775         (JSC::JIT::emit_op_throw_static_error):
3776         (JSC::JIT::emit_op_debug):
3777         (JSC::JIT::emit_op_profile_will_call):
3778         (JSC::JIT::emit_op_profile_did_call):
3779         (JSC::JIT::emitSlow_op_loop_hint):
3780         * jit/JITOpcodes32_64.cpp:
3781         (JSC::JIT::emit_op_push_with_scope):
3782         (JSC::JIT::emit_op_pop_scope):
3783         (JSC::JIT::emit_op_push_name_scope):
3784         (JSC::JIT::emit_op_throw_static_error):
3785         (JSC::JIT::emit_op_debug):
3786         (JSC::JIT::emit_op_profile_will_call):
3787         (JSC::JIT::emit_op_profile_did_call):
3788         * jit/JITOperations.cpp:
3789         * jit/JITOperations.h:
3790         * jit/JITPropertyAccess.cpp:
3791         (JSC::JIT::emit_op_put_by_index):
3792         (JSC::JIT::emit_op_put_getter_setter):
3793         * jit/JITPropertyAccess32_64.cpp:
3794         (JSC::JIT::emit_op_put_by_index):
3795         (JSC::JIT::emit_op_put_getter_setter):
3796         * jit/JITStubs.cpp:
3797         * jit/JITStubs.h:
3798
3799 2013-10-15  Julien Brianceau  <jbriance@cisco.com>
3800
3801         [sh4] Introduce const pools in LLINT.
3802         https://bugs.webkit.org/show_bug.cgi?id=122746
3803
3804         Reviewed by Michael Saboff.
3805
3806         In the current implementation of LLINT for sh4, immediate values outside the range -128..127 are
3807         loaded this way:
3808
3809             mov.l .label, rx
3810             bra out
3811             nop
3812             .balign 4
3813             .label: .long immvalue
3814             out:
3815
3816         This change introduces const pools for sh4 implementation to avoid lots of useless branches
3817         and reduce code size. It also removes lines of dirty code, like jmpf and callf.
3818
3819         * offlineasm/instructions.rb: Remove jmpf and callf sh4 specific instructions.
3820         * offlineasm/sh4.rb:
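
        The inline sequence quoted in this entry and the const-pool scheme that replaces it, as an added illustration that is not WebKit's offlineasm code: a toy Ruby emitter (offlineasm itself is written in Ruby) that models both strategies for materialising sh4 immediates, so the branch and code-size difference can be measured on a sample instruction stream. The label names, the fixed 2-byte instruction size, the 1020-byte reach assumed for the PC-relative mov.l, and the sample immediates are all assumptions made for the example.

```ruby
# Toy model of two ways to load immediates on sh4, contrasting the entry's
# per-immediate "literal plus branch around it" sequence with a const pool.
# Added illustration only; it is not offlineasm's sh4 backend.  Mnemonics follow
# the entry's snippet; labels, instruction size and pool reach are assumptions.

SMALL_IMM = (-128..127)   # fits the sign-extended 8-bit "mov #imm, rn" form

# Existing scheme from the entry: every out-of-range immediate gets its own
# literal word and an unconditional branch to skip over it.
def emit_inline(ops)
  lines = []
  ops.each_with_index do |(reg, imm), i|
    if SMALL_IMM.cover?(imm)
      lines << "mov ##{imm}, #{reg}"
    else
      lines.concat(["mov.l .Lc#{i}, #{reg}", "bra .Lout#{i}", "nop",
                    ".balign 4", ".Lc#{i}: .long #{imm}", ".Lout#{i}:"])
    end
  end
  lines
end

# Const-pool scheme: out-of-range immediates are collected (deduplicated) and
# emitted once per pool.  A pool is flushed before the oldest reference would
# fall out of the PC-relative reach of mov.l, and once more at the end, where
# no branch around it is needed.
class ConstPoolEmitter
  INSN_BYTES = 2      # sh4 instructions are a fixed 16 bits
  POOL_REACH = 1020   # assumed: 8-bit displacement scaled by 4

  attr_reader :flushes

  def initialize
    @lines = []
    @pool = {}          # immediate => label
    @distance = 0       # bytes emitted since the oldest unresolved reference
    @pools = 0
    @flushes = 0
  end

  def load(reg, imm)
    large = !SMALL_IMM.cover?(imm)
    ensure_pool_in_reach(large && !@pool.key?(imm) ? 1 : 0)
    if large
      label = (@pool[imm] ||= ".Lpool#{@pools}_#{@pool.size}")
      emit("mov.l #{label}, #{reg}")
    else
      emit("mov ##{imm}, #{reg}")
    end
  end

  # Emit the final pool (no branch needed: nothing falls through into it).
  def finish
    flush(branch_over: false)
    @lines
  end

  private

  def emit(line)
    @lines << line
    @distance += INSN_BYTES unless @pool.empty?
  end

  # Bytes from the oldest reference to the last pool word if the pool were
  # placed right after the instruction about to be emitted: that instruction,
  # bra + nop, at most 2 bytes of alignment padding, then 4 bytes per entry.
  def ensure_pool_in_reach(new_entries)
    return if @pool.empty?
    worst = @distance + 3 * INSN_BYTES + 2 + 4 * (@pool.size + new_entries)
    flush(branch_over: true) if worst > POOL_REACH
  end

  def flush(branch_over:)
    return if @pool.empty?
    @flushes += 1
    @lines.concat(["bra .Lpoolend#{@pools}", "nop"]) if branch_over
    @lines << ".balign 4"
    @pool.each { |imm, label| @lines << "#{label}: .long #{imm}" }
    @lines << ".Lpoolend#{@pools}:" if branch_over
    @pool.clear
    @distance = 0
    @pools += 1
  end
end

def branch_count(lines)
  lines.count { |l| l.start_with?("bra ") }
end

if __FILE__ == $0
  # Constructed sample: one small immediate, two large ones, one repeated.
  ops = [["r0", 5], ["r1", 0x12345678], ["r2", -1000], ["r3", 0x12345678]]
  puts "inline branches: #{branch_count(emit_inline(ops))}"
  e = ConstPoolEmitter.new
  ops.each { |r, i| e.load(r, i) }
  puts "pooled branches: #{branch_count(e.finish)} (flushes: #{e.flushes})"
end
```

With the four sample loads the inline scheme emits three branches and three literal words, while the pool scheme emits no branch and two literal words because the repeated immediate is shared. The reach check is what keeps the scheme correct on long functions: once enough code has been emitted since the first reference, the pool is flushed in the middle of the stream with a single branch around it rather than one per immediate.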
3821
3822 2013-10-15  Mark Lam  <mark.lam@apple.com>
3823
3824         Fix broken C Loop LLINT build.
3825         https://bugs.webkit.org/show_bug.cgi?id=122839.
3826
3827         Reviewed by Michael Saboff.
3828
3829         * dfg/DFGFlushedAt.cpp:
3830         * jit/JITOperations.h:
3831
3832 2013-10-14  Mark Lam  <mark.lam@apple.com>
3833
3834         Transition *switch* and *scope* JITStubs to JIT operations.
3835         https://bugs.webkit.org/show_bug.cgi?id=122757.
3836
3837         Reviewed by Geoffrey Garen.
3838
3839         Transitioning:
3840             cti_op_switch_char
3841             cti_op_switch_imm
3842             cti_op_switch_string
3843             cti_op_resolve_scope
3844             cti_op_get_from_scope
3845             cti_op_put_to_scope
3846
3847         * jit/JIT.h:
3848         * jit/JITInlines.h:
3849         (JSC::JIT::callOperation):
3850         * jit/JITOpcodes.cpp:
3851         (JSC::JIT::emit_op_switch_imm):
3852         (JSC::JIT::emit_op_switch_char):
3853         (JSC::JIT::emit_op_switch_string):
3854         * jit/JITOpcodes32_64.cpp:
3855         (JSC::JIT::emit_op_switch_imm):
3856         (JSC::JIT::emit_op_switch_char):
3857         (JSC::JIT::emit_op_switch_string):
3858         * jit/JITOperations.cpp:
3859         * jit/JITOperations.h:
3860         * jit/JITPropertyAccess.cpp:
3861         (JSC::JIT::emitSlow_op_resolve_scope):
3862         (JSC::JIT::emitSlow_op_get_from_scope):
3863         (JSC::JIT::emitSlow_op_put_to_scope):
3864         * jit/JITPropertyAccess32_64.cpp:
3865         (JSC::JIT::emitSlow_op_resolve_scope):
3866         (JSC::JIT::emitSlow_op_get_from_scope):
3867         (JSC::JIT::emitSlow_op_put_to_scope):
3868         * jit/JITStubs.cpp:
3869         * jit/JITStubs.h:
3870
3871 2013-10-14  Filip Pizlo  <fpizlo@apple.com>
3872
3873         DFG PutById IC should use the ConcurrentJITLocker since it's now dealing with IC's that get read by the compiler thread
3874         https://bugs.webkit.org/show_bug.cgi?id=122786
3875
3876         Reviewed by Mark Hahnenberg.
3877
3878         * bytecode/CodeBlock.cpp:
3879         (JSC::CodeBlock::resetStub): Resetting a stub should acquire the lock since this is observable from the thread; but we should only acquire the lock if we're resetting outside of GC.
3880         * jit/Repatch.cpp:
3881         (JSC::repatchPutByID): Doing the PutById patching should hold the lock.
3882         (JSC::buildPutByIdList): Ditto.
3883
3884 2013-10-14  Nadav Rotem  <nrotem@apple.com>
3885
3886         Add FTL support for LogicalNot(string)
3887         https://bugs.webkit.org/show_bug.cgi?id=122765
3888
3889         Reviewed by Filip Pizlo.
3890
3891         This patch is tested by:
3892         regress/script-tests/emscripten-cube2hash.js.ftl-eager
3893
3894         * ftl/FTLCapabilities.cpp:
3895         (JSC::FTL::canCompile):
3896         * ftl/FTLLowerDFGToLLVM.cpp:
3897         (JSC::FTL::LowerDFGToLLVM::compileLogicalNot):
3898
3899 2013-10-14  Julien Brianceau  <jbriance@cisco.com>
3900
3901         [sh4] Fixes after r157404 and r157411.
3902         https://bugs.webkit.org/show_bug.cgi?id=122782
3903
3904         Reviewed by Michael Saboff.
3905
3906         * dfg/DFGSpeculativeJIT.h:
3907         (JSC::DFG::SpeculativeJIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG.
3908         * jit/CCallHelpers.h:
3909         (JSC::CCallHelpers::setupArgumentsWithExecState):
3910         * jit/JITInlines.h:
3911         (JSC::JIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG.
3912         * jit/JITPropertyAccess32_64.cpp:
3913         (JSC::JIT::emit_op_put_by_id): Remove unwanted BEGIN_UNINTERRUPTED_SEQUENCE.
3914
3915 2013-10-14  Commit Queue  <commit-queue@webkit.org>
3916
3917         Unreviewed, rolling out r157413.
3918         http://trac.webkit.org/changeset/157413
3919         https://bugs.webkit.org/show_bug.cgi?id=122779
3920
3921         Appears to have caused frequent crashes (Requested by ap on
3922         #webkit).
3923
3924         * CMakeLists.txt:
3925         * GNUmakefile.list.am:
3926         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3927         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3928         * JavaScriptCore.xcodeproj/project.pbxproj:
3929         * heap/DeferGC.cpp: Removed.
3930         * heap/DeferGC.h:
3931         * jit/JITStubs.cpp:
3932         (JSC::tryCacheGetByID):
3933         (JSC::DEFINE_STUB_FUNCTION):
3934         * llint/LLIntSlowPaths.cpp:
3935         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3936         * runtime/ConcurrentJITLock.h:
3937         * runtime/InitializeThreading.cpp:
3938         (JSC::initializeThreadingOnce):
3939         * runtime/JSCellInlines.h:
3940         (JSC::allocateCell):
3941         * runtime/Structure.cpp:
3942         (JSC::Structure::materializePropertyMap):
3943         (JSC::Structure::putSpecificValue):
3944         (JSC::Structure::createPropertyMap):
3945         * runtime/Structure.h:
3946
3947 2013-10-14  Mark Hahnenberg  <mhahnenberg@apple.com>
3948
3949         COLLECT_ON_EVERY_ALLOCATION causes assertion failures
3950         https://bugs.webkit.org/show_bug.cgi?id=122652
3951
3952         Reviewed by Filip Pizlo.
3953
3954         COLLECT_ON_EVERY_ALLOCATION wasn't accounting for the new GC deferral mechanism,
3955         so we would end up ASSERTing during garbage collection.
3956
3957         * heap/MarkedAllocator.cpp:
3958         (JSC::MarkedAllocator::allocateSlowCase):
3959
3960 2013-10-11  Oliver Hunt  <oliver@apple.com>
3961
3962         Separate out array iteration intrinsics
3963         https://bugs.webkit.org/show_bug.cgi?id=122656
3964
3965         Reviewed by Michael Saboff.
3966
3967         Separate out the intrinsics for key and values iteration
3968         of arrays.
3969
3970         This requires moving array iteration into the iterator
3971         instance, rather than the prototype, but this is essentially
3972         unobservable so we'll live with it for now.
3973
3974         * jit/ThunkGenerators.cpp:
3975         (JSC::arrayIteratorNextThunkGenerator):
3976         (JSC::arrayIteratorNextKeyThunkGenerator):
3977         (JSC::arrayIteratorNextValueThunkGenerator):
3978         * jit/ThunkGenerators.h:
3979         * runtime/ArrayIteratorPrototype.cpp:
3980         (JSC::ArrayIteratorPrototype::finishCreation):
3981         * runtime/Intrinsic.h:
3982         * runtime/JSArrayIterator.cpp:
3983         (JSC::JSArrayIterator::finishCreation):
3984         (JSC::createIteratorResult):
3985         (JSC::arrayIteratorNext):
3986         (JSC::arrayIteratorNextKey):
3987         (JSC::arrayIteratorNextValue):
3988         (JSC::arrayIteratorNextGeneric):
3989         * runtime/VM.cpp:
3990         (JSC::thunkGeneratorForIntrinsic):
3991
3992 2013-10-11  Mark Hahnenberg  <mhahnenberg@apple.com>
3993
3994         llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
3995         https://bugs.webkit.org/show_bug.cgi?id=122667
3996