Unreviewed, roll out http://trac.webkit.org/changeset/169159.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-05-21  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/169159.

        This was a unilateral change and wasn't properly reviewed.

        * tests/mozilla/mozilla-tests.yaml:

2014-05-21  Antoine Quint  <graouts@webkit.org>

        Array.prototype.find and findIndex should skip holes
        https://bugs.webkit.org/show_bug.cgi?id=132658

        Reviewed by Geoffrey Garen.

        Skip holes in the array when iterating so that the callback isn't called.

        * builtins/Array.prototype.js:
        (find):
        (findIndex):

2014-05-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        REGRESSION(r169092 and r169102): Skip failing JSC tests on ARM64 properly
        https://bugs.webkit.org/show_bug.cgi?id=133149

        Reviewed by Csaba Osztrogonác.

        * tests/mozilla/mozilla-tests.yaml:

2014-05-20  Geoffrey Garen  <ggaren@apple.com>

        Rolled out <http://trac.webkit.org/changeset/166184>
        https://bugs.webkit.org/show_bug.cgi?id=133144

        Reviewed by Gavin Barraclough.

        It caused a performance regression.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::blockFreeingThreadStartFunc):

2014-05-20  Filip Pizlo  <fpizlo@apple.com>

        DFG prediction propagation should agree with fixup phase over the return type of GetByVal
        https://bugs.webkit.org/show_bug.cgi?id=133134

        Reviewed by Mark Hahnenberg.

        Make prediction propagator use ArrayMode refinement to decide the return type.

        Also introduce a heap prediction intrinsic that allows us to test weird corner cases
        like this. The only way we'll see a mismatch like this in the real world is probably
        through a gnarly race condition.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::setHeapPrediction):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionFalse1):
        (functionFalse2):
        (functionUndefined1):
        (functionUndefined2):
        (functionFalse): Deleted.
        (functionOtherFalse): Deleted.
        (functionUndefined): Deleted.
        * runtime/Intrinsic.h:
        * tests/stress/get-by-val-double-predicted-int.js: Added.
        (foo):

2014-05-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Watchdog timer should be lazily allocated
        https://bugs.webkit.org/show_bug.cgi?id=133135

        Reviewed by Geoffrey Garen.

        We incur a noticeable amount of overhead on some benchmarks due to checking if the Watchdog ever fired.
        There is no reason to do this checking if we never activated the Watchdog, which can only be done through
        JSContextGroupSetExecutionTimeLimit or JSContextGroupClearExecutionTimeLimit.

        By allocating the Watchdog lazily on the VM we can avoid all of the associated overhead when we don't use
        these two API functions (which is true of most clients).

        * API/JSContextRef.cpp:
        (JSContextGroupSetExecutionTimeLimit):
        (JSContextGroupClearExecutionTimeLimit):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_loop_hint):
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/VM.h:
        * runtime/Watchdog.cpp:
        (JSC::Watchdog::Scope::Scope): Deleted.
        (JSC::Watchdog::Scope::~Scope): Deleted.
        * runtime/Watchdog.h:
        (JSC::Watchdog::Scope::Scope):
        (JSC::Watchdog::Scope::~Scope):

2014-05-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSArray::shiftCountWith* could be more efficient
        https://bugs.webkit.org/show_bug.cgi?id=133011

        Reviewed by Geoffrey Garen.

        Our current implementations of shiftCountWithAnyIndexingType and shiftCountWithArrayStorage
        are scared of the presence of any holes in the array. We can mitigate this somewhat by enabling
        them to correctly handle holes, thus avoiding the slowest of slow paths in most cases.

        * runtime/ArrayStorage.h:
        (JSC::ArrayStorage::indexingHeader):
        (JSC::ArrayStorage::length):
        (JSC::ArrayStorage::hasHoles):
        * runtime/IndexingHeader.h:
        (JSC::IndexingHeader::publicLength):
        (JSC::IndexingHeader::from):
        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        * runtime/JSArray.h:
        (JSC::JSArray::shiftCountForShift):
        (JSC::JSArray::shiftCountForSplice):
        (JSC::JSArray::shiftCount):
        * runtime/Structure.cpp:
        (JSC::Structure::holesRequireSpecialBehavior):
        * runtime/Structure.h:

2014-05-19  Filip Pizlo  <fpizlo@apple.com>

        Test gardening: skip some failing tests on not-X86.

        * tests/mozilla/mozilla-tests.yaml:

2014-05-19  Mark Lam  <mark.lam@apple.com>

        operationOptimize() should defer the GC for a while.
        <https://webkit.org/b/133103>

        Reviewed by Filip Pizlo.

        Currently, operationOptimize() only defers the GC until its end.  As a result,
        a GC may be triggered just before we return from operationOptimize(), and it may
        jettison the optimized codeBlock that we're planning to OSR enter into when we
        return from this function.  This is because the OSR entry on-ramp code hasn't
        been executed yet, and hence, there is not yet a reference to this new codeBlock
        from the stack, and there won't be until we've had a chance to return out of
        operationOptimize() to run the OSR entry on-ramp code.

        This issue is now fixed by using DeferGCForAWhile instead of DeferGC.  This
        ensures that the GC will be deferred until after the OSR entry on-ramp can be
        executed.

        * jit/JITOperations.cpp:

2014-05-19  Filip Pizlo  <fpizlo@apple.com>

        Take care of some ARM64 test failures
        https://bugs.webkit.org/show_bug.cgi?id=133090

        Reviewed by Geoffrey Garen.

        Constant blinding on ARM64 cannot use the scratch register.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::convertInt32ToDouble):
        (JSC::MacroAssembler::branchPtr):
        (JSC::MacroAssembler::storePtr):
        (JSC::MacroAssembler::store64):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::scratchRegisterForBlinding):

2014-05-19  Tanay C  <tanay.c@samsung.com>

        Removing some check-webkit-style warnings from ./dfg
        https://bugs.webkit.org/show_bug.cgi?id=132854

        Reviewed by Darin Adler.

        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAbstractValue.h:
        * dfg/DFGBlockInsertionSet.h:
        * dfg/DFGCommonData.h:
        * dfg/DFGDominators.h:
        * dfg/DFGGraph.h:
        * dfg/DFGInPlaceAbstractState.h:
        * dfg/DFGPredictionPropagationPhase.h:

2014-05-18  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, remove bogus comment. We already made the FTL use our calling convention.
        That was a long time ago.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileReturn):

2014-05-18  Rik Cabanier  <cabanier@adobe.com>

        support for navigator.hardwareConcurrency
        https://bugs.webkit.org/show_bug.cgi?id=132588

        Reviewed by Filip Pizlo.

        * Configurations/FeatureDefines.xcconfig:

2014-05-16  Michael Saboff  <msaboff@apple.com>

        Crash in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed() due to WTF::CrashOnOverflow::overflowed + 9
        https://bugs.webkit.org/show_bug.cgi?id=133009

        Reviewed by Oliver Hunt.

        If we determine that any alternative requires a minimum match size greater than
        INT_MAX, we handle the match in the interpreter.

        Check to see if the pattern has unsigned lengths before invoking YARR JIT.
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):

        * tests/stress/large-regexp.js: New test added.

        Set m_containsUnsignedLengthPattern flag if any alternative's minimum length
        doesn't fit in an int.
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):

        Clear new m_containsUnsignedLengthPattern flag.
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPattern::YarrPattern):
        * yarr/YarrPattern.h:
        (JSC::Yarr::YarrPattern::reset):
        (JSC::Yarr::YarrPattern::containsUnsignedLengthPattern):

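The minimum-length check described in the entry above, as an added illustration that is not part of this ChangeLog or of JavaScriptCore's own Yarr code: a toy model of a disjunction whose alternatives are built from quantified terms, with the minimum match length accumulated using overflow-checked arithmetic, so that any alternative whose length does not fit in an int marks the whole pattern as one to leave to the interpreter instead of the JIT. The Term/Alternative structs, the function names and the sample patterns are assumptions; the overflow builtins require GCC or Clang.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical model (not Yarr's real data structures): one quantified term
 * in an alternative is a sub-pattern with a fixed minimum length, repeated
 * at least minCount times. */
typedef struct {
    unsigned minCount;
    unsigned subMinLength;
} Term;

typedef struct {
    const Term* terms;
    size_t termCount;
} Alternative;

/* Sums minCount * subMinLength over the terms of one alternative.
 * Returns false as soon as the running total no longer fits in an int,
 * which is the condition the ChangeLog records in
 * m_containsUnsignedLengthPattern. The GCC/Clang checked-arithmetic
 * builtins make the test exact instead of relying on wrapped values. */
static bool alternativeMinLength(const Alternative* alt, int* outLength)
{
    int total = 0;
    for (size_t i = 0; i < alt->termCount; i++) {
        int termLength;
        if (__builtin_mul_overflow(alt->terms[i].minCount, alt->terms[i].subMinLength, &termLength))
            return false;
        if (__builtin_add_overflow(total, termLength, &total))
            return false;
    }
    *outLength = total;
    return true;
}

/* The JIT/interpreter decision: every alternative must have an int-sized
 * minimum length, otherwise the pattern is matched by the interpreter. */
bool patternSafeForJIT(const Alternative* alts, size_t altCount)
{
    for (size_t i = 0; i < altCount; i++) {
        int length;
        if (!alternativeMinLength(&alts[i], &length))
            return false;
    }
    return true;
}

/* Constructed samples: /a{5}b{3}/ and /a{5}b{3}|c{2147483647}c{2147483647}/.
 * In the second pattern the alternative made of two INT_MAX-length terms
 * overflows an int, so the pattern must go to the interpreter. */
static const Term kSmallTerms[] = { { 5, 1 }, { 3, 1 } };
static const Term kHugeTerms[] = { { (unsigned)INT_MAX, 1 }, { (unsigned)INT_MAX, 1 } };
static const Alternative kSmallAlt = { kSmallTerms, 2 };
static const Alternative kHugeAlt = { kHugeTerms, 2 };

/* Minimum length of /a{5}b{3}/, or -1 if it could not be computed. */
int sampleSmallMinLength(void)
{
    int n = -1;
    return alternativeMinLength(&kSmallAlt, &n) ? n : -1;
}

bool sampleSmallPatternSafe(void)
{
    return patternSafeForJIT(&kSmallAlt, 1);
}

bool sampleHugePatternSafe(void)
{
    const Alternative alts[2] = { kSmallAlt, kHugeAlt };
    return patternSafeForJIT(alts, 2);
}
```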
252 2014-05-15  Mark Hahnenberg  <mhahnenberg@apple.com>
253
254         JSDOMWindow should not claim HasImpureGetOwnPropertySlot
255         https://bugs.webkit.org/show_bug.cgi?id=132918
256
257         Reviewed by Geoffrey Garen.
258
259         * jit/Repatch.cpp:
260         (JSC::tryRepatchIn): We forgot to check for watchpoints when repatching "in".
261
262 2014-05-15  Alex Christensen  <achristensen@webkit.org>
263
264         Add pointer lock to features without enabling it.
265         https://bugs.webkit.org/show_bug.cgi?id=132961
266
267         Reviewed by Sam Weinig.
268
269         * Configurations/FeatureDefines.xcconfig:
270         Added ENABLE_POINTER_LOCK to list of features.
271
272 2014-05-14  Mark Hahnenberg  <mhahnenberg@apple.com>
273
274         Inline caching for proxies clobbers baseGPR too early
275         https://bugs.webkit.org/show_bug.cgi?id=132916
276
277         Reviewed by Filip Pizlo.
278
279         We clobber baseGPR prior to the Structure checks, so if any of the checks fail then the slow path 
280         gets the target of the proxy rather than the proxy itself. We need to delay the clobbering of baseGPR 
281         until we know the inline cache is going to succeed.
282
283         * jit/Repatch.cpp:
284         (JSC::generateByIdStub):
285
286 2014-05-14  Brent Fulgham  <bfulgham@apple.com>
287
288         [Win] Unreviewed build fix.
289
290         * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: This solution
291         was missing commands to build LLInt portions of JSC.
292         * llint/LLIntData.cpp: 64-bit build fix.
293
294 2014-05-14  Martin Hodovan <mhodovan.u-szeged@partner.samsung.com>
295
296         ARM Traditional buildfix after r168776.
297         https://bugs.webkit.org/show_bug.cgi?id=132903
298
299         Reviewed by Darin Adler.
300
301         * assembler/MacroAssemblerARM.h:
302         (JSC::MacroAssemblerARM::abortWithReason): Added.
303
304 2014-05-14  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>
305
306         Remove CSS_STICKY_POSITION guards
307         https://bugs.webkit.org/show_bug.cgi?id=132676
308
309         Reviewed by Simon Fraser.
310
311         * Configurations/FeatureDefines.xcconfig:
312
313 2014-05-13  Filip Pizlo  <fpizlo@apple.com>
314
315         JIT breakpoints should be more informative
316         https://bugs.webkit.org/show_bug.cgi?id=132882
317
318         Reviewed by Oliver Hunt.
319         
320         Introduce the notion of an AbortReason, which is a nice enumeration of coded assertion
321         failure names. This means that all you need to figure out why the JIT SIGTRAP'd is to look
322         at that platform's abort reason register (r11 on X86-64 for example).
323
324         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
325         * JavaScriptCore.xcodeproj/project.pbxproj:
326         * assembler/AbortReason.h: Added.
327         * assembler/AbstractMacroAssembler.h:
328         * assembler/MacroAssemblerARM64.h:
329         (JSC::MacroAssemblerARM64::abortWithReason):
330         * assembler/MacroAssemblerARMv7.h:
331         (JSC::MacroAssemblerARMv7::abortWithReason):
332         * assembler/MacroAssemblerX86.h:
333         (JSC::MacroAssemblerX86::abortWithReason):
334         * assembler/MacroAssemblerX86_64.h:
335         (JSC::MacroAssemblerX86_64::abortWithReason):
336         * dfg/DFGSlowPathGenerator.h:
337         (JSC::DFG::SlowPathGenerator::generate):
338         * dfg/DFGSpeculativeJIT.cpp:
339         (JSC::DFG::SpeculativeJIT::bail):
340         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
341         (JSC::DFG::SpeculativeJIT::compileMakeRope):
342         * dfg/DFGSpeculativeJIT.h:
343         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
344         * dfg/DFGSpeculativeJIT32_64.cpp:
345         (JSC::DFG::SpeculativeJIT::compile):
346         * dfg/DFGSpeculativeJIT64.cpp:
347         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
348         (JSC::DFG::SpeculativeJIT::compile):
349         * dfg/DFGThunks.cpp:
350         (JSC::DFG::osrEntryThunkGenerator):
351         * jit/AssemblyHelpers.cpp:
352         (JSC::AssemblyHelpers::jitAssertIsInt32):
353         (JSC::AssemblyHelpers::jitAssertIsJSInt32):
354         (JSC::AssemblyHelpers::jitAssertIsJSNumber):
355         (JSC::AssemblyHelpers::jitAssertIsJSDouble):
356         (JSC::AssemblyHelpers::jitAssertIsCell):
357         (JSC::AssemblyHelpers::jitAssertTagsInPlace):
358         (JSC::AssemblyHelpers::jitAssertHasValidCallFrame):
359         (JSC::AssemblyHelpers::jitAssertIsNull):
360         (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
361         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
362         * jit/AssemblyHelpers.h:
363         (JSC::AssemblyHelpers::checkStackPointerAlignment):
364         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): Deleted.
365         * jit/JIT.h:
366         * jit/JITArithmetic.cpp:
367         (JSC::JIT::emitSlow_op_div):
368         * jit/JITOpcodes.cpp:
369         (JSC::JIT::emitSlow_op_loop_hint):
370         * jit/JITOpcodes32_64.cpp:
371         (JSC::JIT::privateCompileCTINativeCall):
372         * jit/JITPropertyAccess.cpp:
373         (JSC::JIT::emit_op_get_by_val):
374         (JSC::JIT::compileGetDirectOffset):
375         (JSC::JIT::addStructureTransitionCheck): Deleted.
376         (JSC::JIT::testPrototype): Deleted.
377         * jit/JITPropertyAccess32_64.cpp:
378         (JSC::JIT::emit_op_get_by_val):
379         (JSC::JIT::compileGetDirectOffset):
380         * jit/RegisterPreservationWrapperGenerator.cpp:
381         (JSC::generateRegisterRestoration):
382         * jit/Repatch.cpp:
383         (JSC::addStructureTransitionCheck):
384         (JSC::linkClosureCall):
385         * jit/ThunkGenerators.cpp:
386         (JSC::emitPointerValidation):
387         (JSC::nativeForGenerator):
388         * yarr/YarrJIT.cpp:
389         (JSC::Yarr::YarrGenerator::generate):
390
391 2014-05-13  peavo@outlook.com  <peavo@outlook.com>
392
393         [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
394         https://bugs.webkit.org/show_bug.cgi?id=132772
395
396         Reviewed by Geoffrey Garen.
397
398         Using the MSVC compiler, an instance of an enum type with value zero, is compatible with void* (see bug 132683 for a code example).
399         This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
400         This patch tries to prevent these type of crashes by using a type with explicit constructors instead of void*.
401         The void* parameter in the loadDouble and storeDouble methods are replaced with TrustedImmPtr.
402
403         * assembler/MacroAssemblerARM.h:
404         (JSC::MacroAssemblerARM::loadDouble):
405         (JSC::MacroAssemblerARM::storeDouble):
406         * assembler/MacroAssemblerARM64.h:
407         (JSC::MacroAssemblerARM64::loadDouble):
408         (JSC::MacroAssemblerARM64::storeDouble):
409         * assembler/MacroAssemblerARMv7.h:
410         (JSC::MacroAssemblerARMv7::loadDouble):
411         (JSC::MacroAssemblerARMv7::storeDouble):
412         * assembler/MacroAssemblerMIPS.h:
413         (JSC::MacroAssemblerMIPS::loadDouble):
414         (JSC::MacroAssemblerMIPS::storeDouble):
415         * assembler/MacroAssemblerSH4.h:
416         (JSC::MacroAssemblerSH4::loadDouble):
417         (JSC::MacroAssemblerSH4::storeDouble):
418         * assembler/MacroAssemblerX86.h:
419         (JSC::MacroAssemblerX86::storeDouble):
420         * assembler/MacroAssemblerX86Common.h:
421         (JSC::MacroAssemblerX86Common::absDouble):
422         (JSC::MacroAssemblerX86Common::negateDouble):
423         (JSC::MacroAssemblerX86Common::loadDouble):
424         * dfg/DFGSpeculativeJIT.cpp:
425         (JSC::DFG::SpeculativeJIT::silentFill):
426         (JSC::DFG::compileClampDoubleToByte):
427         * dfg/DFGSpeculativeJIT32_64.cpp:
428         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
429         (JSC::DFG::SpeculativeJIT::compile):
430         * jit/AssemblyHelpers.cpp:
431         (JSC::AssemblyHelpers::purifyNaN):
432         * jit/JITInlines.h:
433         (JSC::JIT::emitLoadDouble):
434         * jit/JITPropertyAccess.cpp:
435         (JSC::JIT::emitFloatTypedArrayGetByVal):
436         * jit/ThunkGenerators.cpp:
437         (JSC::floorThunkGenerator):
438         (JSC::roundThunkGenerator):
439         (JSC::powThunkGenerator):
440
441 2014-05-12  Commit Queue  <commit-queue@webkit.org>
442
443         Unreviewed, rolling out r168642.
444         https://bugs.webkit.org/show_bug.cgi?id=132839
445
446         Broke ARM build (Requested by jpfau on #webkit).
447
448         Reverted changeset:
449
450         "[Win] Enum type with value zero is compatible with void*,
451         potential cause of crashes."
452         https://bugs.webkit.org/show_bug.cgi?id=132772
453         http://trac.webkit.org/changeset/168642
454
455 2014-05-12  peavo@outlook.com  <peavo@outlook.com>
456
457         [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
458         https://bugs.webkit.org/show_bug.cgi?id=132772
459
460         Reviewed by Geoffrey Garen.
461
462         Using the MSVC compiler, an instance of an enum type with value zero, is compatible with void* (see bug 132683 for a code example).
463         This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
464         This patch tries to prevent these type of crashes by using a type with explicit constructors instead of void*.
465         The void* parameter in the loadDouble and storeDouble methods are replaced with TrustedImmPtr.
466
467         * assembler/MacroAssemblerARM.h:
468         (JSC::MacroAssemblerARM::loadDouble):
469         (JSC::MacroAssemblerARM::storeDouble):
470         * assembler/MacroAssemblerARM64.h:
471         (JSC::MacroAssemblerARM64::loadDouble):
472         (JSC::MacroAssemblerARM64::storeDouble):
473         * assembler/MacroAssemblerARMv7.h:
474         (JSC::MacroAssemblerARMv7::loadDouble):
475         (JSC::MacroAssemblerARMv7::storeDouble):
476         * assembler/MacroAssemblerMIPS.h:
477         (JSC::MacroAssemblerMIPS::loadDouble):
478         (JSC::MacroAssemblerMIPS::storeDouble):
479         * assembler/MacroAssemblerSH4.h:
480         (JSC::MacroAssemblerSH4::loadDouble):
481         (JSC::MacroAssemblerSH4::storeDouble):
482         * assembler/MacroAssemblerX86.h:
483         (JSC::MacroAssemblerX86::storeDouble):
484         * assembler/MacroAssemblerX86Common.h:
485         (JSC::MacroAssemblerX86Common::absDouble):
486         (JSC::MacroAssemblerX86Common::negateDouble):
487         (JSC::MacroAssemblerX86Common::loadDouble):
488         * dfg/DFGSpeculativeJIT.cpp:
489         (JSC::DFG::SpeculativeJIT::silentFill):
490         (JSC::DFG::compileClampDoubleToByte):
491         * dfg/DFGSpeculativeJIT32_64.cpp:
492         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
493         (JSC::DFG::SpeculativeJIT::compile):
494         * jit/AssemblyHelpers.cpp:
495         (JSC::AssemblyHelpers::purifyNaN):
496         * jit/JITInlines.h:
497         (JSC::JIT::emitLoadDouble):
498         * jit/JITPropertyAccess.cpp:
499         (JSC::JIT::emitFloatTypedArrayGetByVal):
500         * jit/ThunkGenerators.cpp:
501         (JSC::floorThunkGenerator):
502         (JSC::roundThunkGenerator):
503         (JSC::powThunkGenerator):
504
505 2014-05-12  Andreas Kling  <akling@apple.com>
506
507         0.4% of PLT3 in JSCell::structure() below JSObject::visitChildren().
508         <https://webkit.org/b/132828>
509         <rdar://problem/16886285>
510
511         Reviewed by Michael Saboff.
512
513         * runtime/JSObject.cpp:
514         (JSC::JSObject::visitButterfly):
515         (JSC::JSObject::visitChildren):
516
517             Use JSCell::structure(VM&) to reduce the number of hoops we jump
518             through to find Structures during marking.
519
520 2014-05-12  László Langó  <llango.u-szeged@partner.samsung.com>
521
522         [cmake] Add missing FTL source files to the build system.
523
524         Reviewed by Csaba Osztrogonác.
525
526         * CMakeLists.txt:
527
528 2014-05-09  Joseph Pecoraro  <pecoraro@apple.com>
529
530         Web Inspector: Allow Remote Inspector to entitlement check UIProcess through WebProcess
531         https://bugs.webkit.org/show_bug.cgi?id=132409
532
533         Reviewed by Timothy Hatcher.
534
535         Proxy applications are applications which hold WebViews for other
536         applications. The WebProcess (Web Content Service) is a proxy application.
537         For legacy reasons we were supporting a scenario where proxy applications
538         could potentially host WebViews for more then one other application. That
539         was never the case for WebProcess and it is now a scenario we don't need
540         to worry about supporting.
541
542         With this change, a proxy application more naturally only holds WebViews
543         for a single parent / host application. The proxy process can set the
544         parent pid / audit_token data on the RemoteInspector singleton, and
545         that data will be sent on to webinspectord later on to be validated.
546         In the WebProcess<->UIProcess relationship that information is known
547         and set immediately. In the Legacy iOS case that information is set
548         soon after, but not immediately known at the point the WebView is created.
549
550         This allows us to simplify the RemoteInspectorDebuggable interface.
551         We no longer need a pid per-Debuggable.
552
553         * inspector/remote/RemoteInspector.h:
554         * inspector/remote/RemoteInspector.mm:
555         (Inspector::RemoteInspector::RemoteInspector):
556         (Inspector::RemoteInspector::setParentProcessInformation):
557         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
558         (Inspector::RemoteInspector::listingForDebuggable):
559         (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
560         Handle new proxy application setup message, and provide an API
561         for a proxy application to set the parent process information.
562
563         * inspector/remote/RemoteInspectorConstants.h:
564         New setup and response message for proxy applications to pass
565         their parent / host application information to webinspectord.
566
567         * inspector/remote/RemoteInspectorDebuggable.cpp:
568         (Inspector::RemoteInspectorDebuggable::info):
569         * inspector/remote/RemoteInspectorDebuggable.h:
570         (Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo):
571         (Inspector::RemoteInspectorDebuggableInfo::hasParentProcess): Deleted.
572         pid per debuggable is no longer needed.
573
574 2014-05-09  Mark Hahnenberg  <mhahnenberg@apple.com>
575
576         JSDOMWindow should disable property caching after a certain point
577         https://bugs.webkit.org/show_bug.cgi?id=132751
578
579         Reviewed by Filip Pizlo.
580
581         This is part of removing HasImpureGetOwnPropertySlot from JSDOMWindow. After the lookup in the static 
582         hash table for JSDOMWindow fails we want to disable property caching even if the code that follows thinks 
583         that it has provided a cacheable value.
584
585         * runtime/PropertySlot.h:
586         (JSC::PropertySlot::PropertySlot):
587         (JSC::PropertySlot::isCacheable):
588         (JSC::PropertySlot::disableCaching):
589
590 2014-05-09  Andreas Kling  <akling@apple.com>
591
592         8.8% spent in Object.prototype.hasOwnProperty() on sbperftest.
593         <https://webkit.org/b/132749>
594
595         Leverage the fast-resolve-to-AtomicString optimization for JSRopeString
596         in Object.prototype.* by using JSString::toIdentifier() in the cases where
597         we are converting JSString -> String -> Identifier.
598
599         This brings time spent in hasOwnProperty() from 8.8% to 1.3% on
600         "The Great HTML5 Gaming Performance Test: 2014 edition"
601         <http://www.scirra.com/demos/c2/sbperftest/>
602
603         Reviewed by Oliver Hunt.
604
605         * runtime/ObjectPrototype.cpp:
606         (JSC::objectProtoFuncHasOwnProperty):
607         (JSC::objectProtoFuncDefineGetter):
608         (JSC::objectProtoFuncDefineSetter):
609         (JSC::objectProtoFuncLookupGetter):
610         (JSC::objectProtoFuncLookupSetter):
611
612 2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>
613
614         JSDOMWindow should have a WatchpointSet to fire on window close
615         https://bugs.webkit.org/show_bug.cgi?id=132721
616
617         Reviewed by Filip Pizlo.
618
619         This patch allows us to reset the inline caches that assumed they could skip 
620         the first part of JSDOMWindow::getOwnPropertySlot that checks if the window has 
621         been closed. This is part of getting rid of HasImpureGetOwnPropertySlot on JSDOMWindow.
622
623         PropertySlot now accepts a WatchpointSet which the inline cache code can look for
624         to see if it should create a new Watchpoint for that particular inline cache site.
625
626         * bytecode/Watchpoint.h:
627         * jit/Repatch.cpp:
628         (JSC::generateByIdStub):
629         (JSC::tryBuildGetByIDList):
630         (JSC::tryCachePutByID):
631         (JSC::tryBuildPutByIdList):
632         * runtime/PropertySlot.h:
633         (JSC::PropertySlot::PropertySlot):
634         (JSC::PropertySlot::watchpointSet):
635         (JSC::PropertySlot::setWatchpointSet):
636
637 2014-05-09  Tanay C  <tanay.c@samsung.com>
638
639         Fix build warning (uninitialized variable) in DFGFixupPhase.cpp 
640         https://bugs.webkit.org/show_bug.cgi?id=132331
641
642         Reviewed by Darin Adler.
643
644         * dfg/DFGFixupPhase.cpp:
645         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
646
647 2014-05-09  peavo@outlook.com  <peavo@outlook.com>
648
649         [Win] Crash when enabling DFG JIT.
650         https://bugs.webkit.org/show_bug.cgi?id=132683
651
652         Reviewed by Geoffrey Garen.
653
654         On windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0)),
655         results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
656         where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
657         This causes the register to be written to address 0, hence the crash.
658
659         * dfg/DFGOSRExitCompiler32_64.cpp:
660         (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
661         * dfg/DFGOSRExitCompiler64.cpp:
662         (JSC::DFG::OSRExitCompiler::compileExit): Ditto.
663
664 2014-05-09  Martin Hodovan <mhodovan.u-szeged@partner.samsung.com>
665
666         REGRESSION(r167094): JSC crashes on ARM Traditional
667         https://bugs.webkit.org/show_bug.cgi?id=132738
668
669         Reviewed by Zoltan Herczeg.
670
671         PC is two instructions ahead of the current instruction
672         on ARM Traditional, so the distance is 8 bytes not 2.
673
674         * llint/LowLevelInterpreter.asm:
675
676 2014-05-09  Alberto Garcia  <berto@igalia.com>
677
678         jsmin.py license header confusing, mentions non-free license
679         https://bugs.webkit.org/show_bug.cgi?id=123665
680
681         Reviewed by Darin Adler.
682
683         Pull the most recent version from upstream, which has a clear
684         license.
685
686         * inspector/scripts/jsmin.py:
687
688 2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>
689
690         Base case for get-by-id inline cache doesn't check for HasImpureGetOwnPropertySlot
691         https://bugs.webkit.org/show_bug.cgi?id=132695
692
693         Reviewed by Filip Pizlo.
694
695         We check in the case where we're accessing something other than the base object (e.g. the prototype), 
696         but we fail to do so for the base object.
697
698         * jit/Repatch.cpp:
699         (JSC::tryCacheGetByID):
700         (JSC::tryBuildGetByIDList):
701         * jsc.cpp: Added some infrastructure to support this test. We don't currently trigger this bug anywhere in WebKit
702         because all of the values that are returned that could be impure are set to uncacheable anyways.
703         (WTF::ImpureGetter::ImpureGetter):
704         (WTF::ImpureGetter::createStructure):
705         (WTF::ImpureGetter::create):
706         (WTF::ImpureGetter::finishCreation):
707         (WTF::ImpureGetter::getOwnPropertySlot):
708         (WTF::ImpureGetter::visitChildren):
709         (WTF::ImpureGetter::setDelegate):
710         (GlobalObject::finishCreation):
711         (functionCreateImpureGetter):
712         (functionSetImpureGetterDelegate):
713         * tests/stress/impure-get-own-property-slot-inline-cache.js: Added.
714         (foo):
715
716 2014-05-08  Filip Pizlo  <fpizlo@apple.com>
717
718         deleteAllCompiledCode() shouldn't use the suspension worklist
719         https://bugs.webkit.org/show_bug.cgi?id=132708
720
721         Reviewed by Mark Hahnenberg.
722
723         * bytecode/CodeBlock.cpp:
724         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
725         * dfg/DFGPlan.cpp:
726         (JSC::DFG::Plan::isStillValid):
727         * heap/Heap.cpp:
728         (JSC::Heap::deleteAllCompiledCode):
729
730 2014-05-08  Filip Pizlo  <fpizlo@apple.com>
731
732         SSA conversion should delete PhantomLocals for captured variables
733         https://bugs.webkit.org/show_bug.cgi?id=132693
734
735         Reviewed by Mark Hahnenberg.
736
737         * dfg/DFGCommon.cpp:
738         (JSC::DFG::startCrashing): Parallel JIT and a JIT bug means that we may dump IR in parallel. This is the workaround. This patch uses it in all of the places where we dump IR and crash.
739         * dfg/DFGCommon.h:
740         * dfg/DFGFixupPhase.cpp:
741         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): Use the workaround.
742         * dfg/DFGLivenessAnalysisPhase.cpp:
743         (JSC::DFG::LivenessAnalysisPhase::run): Use the workaround.
744         * dfg/DFGSSAConversionPhase.cpp:
745         (JSC::DFG::SSAConversionPhase::run): Fix the bug - it's true that PhantomLocal for captured variables doesn't need anything done to it, but it's wrong that we didn't delete it outright.
746         * dfg/DFGValidate.cpp: Use the workaround.
747         * tests/stress/phantom-local-captured-but-not-flushed-to-ssa.js: Added.
748         (foo):
749         (bar):
750
751 2014-05-07  Commit Queue  <commit-queue@webkit.org>
752
753         Unreviewed, rolling out r168451.
754         https://bugs.webkit.org/show_bug.cgi?id=132670
755
756         Not a speed-up, just do what other compilers do. (Requested by
757         kling on #webkit).
758
759         Reverted changeset:
760
761         "[X86] Emit BT instruction for single-bit tests."
762         https://bugs.webkit.org/show_bug.cgi?id=132650
763         http://trac.webkit.org/changeset/168451
764
765 2014-05-07  Filip Pizlo  <fpizlo@apple.com>
766
767         Make Executable::clearCode() actually clear all of the entrypoints, and
768         clean up some other FTL-related calling convention stuff.
769         <rdar://problem/16720172>
770
771         Rubber stamped by Mark Hahnenberg.
772
773         * dfg/DFGOperations.cpp:
774         * dfg/DFGOperations.h:
775         * dfg/DFGWorklist.cpp:
776         (JSC::DFG::Worklist::Worklist):
777         (JSC::DFG::Worklist::finishCreation):
778         (JSC::DFG::Worklist::create):
779         (JSC::DFG::ensureGlobalDFGWorklist):
780         (JSC::DFG::ensureGlobalFTLWorklist):
781         * dfg/DFGWorklist.h:
782         * heap/CodeBlockSet.cpp:
783         (JSC::CodeBlockSet::dump):
784         * heap/CodeBlockSet.h:
785         * runtime/Executable.cpp:
786         (JSC::ExecutableBase::clearCode):
787
788 2014-05-07  Andreas Kling  <akling@apple.com>
789
790         [X86] Emit BT instruction for single-bit tests.
791         <https://webkit.org/b/132650>
792
793         Implement test-bit-and-branch slightly more efficiently by using
794         BT + JC/JNC instead of TEST + JZ/JNZ when we're only testing for
795         a single bit.
796
797         Reviewed by Michael Saboff.
798
799         * assembler/MacroAssemblerX86Common.h:
800         (JSC::MacroAssemblerX86Common::singleBitIndex):
801         (JSC::MacroAssemblerX86Common::branchTest32):
802         * assembler/X86Assembler.h:
803         (JSC::X86Assembler::bt_i8r):
804         (JSC::X86Assembler::bt_i8m):
805
806 2014-05-07  Mark Lam  <mark.lam@apple.com>
807
808         REGRESSION(r166678): Dromaeo/cssquery-dojo.html crashes regularly.
809         <https://webkit.org/b/131356>
810
811         Reviewed by Geoffrey Garen.
812
813         The issue is that GC needs to be made aware of writes to m_inferredValue
814         in the VariableWatchpointSet, but was not.  As a result, if a JSCell*
815         is written to a VariableWatchpointSet m_inferredValue, and that JSCell
816         does not survive an eden GC shortly after, we will end up with a stale
817         JSCell pointer left in the m_inferredValue.
818
819         This issue can be detected more easily by running Dromaeo/cssquery-dojo.html
820         using DumpRenderTree with the VM heap in zombie mode.
821
822         The fix is to change VariableWatchpointSet m_inferredValue to type
823         WriteBarrier<Unknown> and ensure that VariableWatchpointSet::notifyWrite()
824         is executed by all the execution engines so that the WriteBarrier semantics
825         are honored.
826
827         We still check if the value to be written is the same as the one in the
828         inferredValue.  We'll by-pass calling the slow path notifyWrite() if the
829         values are the same.
830
831         * JavaScriptCore.xcodeproj/project.pbxproj:
832         * bytecode/CodeBlock.cpp:
833         (JSC::CodeBlock::CodeBlock):
834         - need to pass the symbolTable to prepareToWatch() because it will be needed
835           for instantiating the VariableWatchpointSet in prepareToWatch().
836
837         * bytecode/VariableWatchpointSet.h:
838         (JSC::VariableWatchpointSet::VariableWatchpointSet):
839         - VariableWatchpointSet now tracks its owner symbol table for its m_inferredValue
840           write barrier, and yes, m_inferredValue is now of type WriteBarrier<Unknown>.
841         (JSC::VariableWatchpointSet::inferredValue):
842         (JSC::VariableWatchpointSet::invalidate):
843         (JSC::VariableWatchpointSet::finalizeUnconditionally):
844         (JSC::VariableWatchpointSet::addressOfInferredValue):
845         (JSC::VariableWatchpointSet::notifyWrite): Deleted.
846         * bytecode/VariableWatchpointSetInlines.h: Added.
847         (JSC::VariableWatchpointSet::notifyWrite):
848
849         * dfg/DFGByteCodeParser.cpp:
850         (JSC::DFG::ByteCodeParser::cellConstant):
851         - Added an assert in case we try to make constants of zombified JSCells again.
852
853         * dfg/DFGOperations.cpp:
854         * dfg/DFGOperations.h:
855         * dfg/DFGSpeculativeJIT.h:
856         (JSC::DFG::SpeculativeJIT::callOperation):
857         * dfg/DFGSpeculativeJIT32_64.cpp:
858         (JSC::DFG::SpeculativeJIT::compile):
859         * dfg/DFGSpeculativeJIT64.cpp:
860         (JSC::DFG::SpeculativeJIT::compile):
861         - We now let the slow path handle the cases when the VariableWatchpointSet is
862           in state ClearWatchpoint and IsWatched, and the slow path will ensure that
863           we handle the needed write barrier semantics correctly.
864           We will by-pass the slow path if the value being written is the same as the
865           inferred value.
866
867         * ftl/FTLIntrinsicRepository.h:
868         * ftl/FTLLowerDFGToLLVM.cpp:
869         (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
870         - Let the slow path handle the cases when the VariableWatchpointSet is
871           in state ClearWatchpoint and IsWatched.
872           We will by-pass the slow path if the value being written is the same as the
873           inferred value.
874
875         * heap/Heap.cpp:
876         (JSC::Zombify::operator()):
877         - Use a different value for the zombified bits (to distinguish it from 0xbbadbeef
878           which is used everywhere else).
879         * heap/Heap.h:
880         (JSC::Heap::isZombified):
881         - Provide a convenience test function to check if JSCells are zombified.  This is
882           currently only used in an assertion in the DFG bytecode parser, but the intent
883           is that we'll apply this test in other strategic places later to help with early
884           detection of usage of GC'ed objects when we run in zombie mode.
885
886         * jit/JITOpcodes.cpp:
887         (JSC::JIT::emitSlow_op_captured_mov):
888         * jit/JITOperations.h:
889         * jit/JITPropertyAccess.cpp:
890         (JSC::JIT::emitNotifyWrite):
891         * jit/JITPropertyAccess32_64.cpp:
892         (JSC::JIT::emitNotifyWrite):
893         (JSC::JIT::emitSlow_op_put_to_scope):
894         - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
895           is in state ClearWatchpoint and IsWatched.
896           We will by-pass the slow path if the value being written is the same as the
897           inferred value.
898         
899         * llint/LowLevelInterpreter32_64.asm:
900         * llint/LowLevelInterpreter64.asm:
901         - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
902           is in state ClearWatchpoint and IsWatched.
903           We will by-pass the slow path if the value being written is the same as the
904           inferred value.
905         
906         * runtime/CommonSlowPaths.cpp:
907
908         * runtime/JSCJSValue.h: Fixed some typos in the comments.
909         * runtime/JSGlobalObject.cpp:
910         (JSC::JSGlobalObject::addGlobalVar):
911         (JSC::JSGlobalObject::addFunction):
912         * runtime/JSSymbolTableObject.h:
913         (JSC::symbolTablePut):
914         (JSC::symbolTablePutWithAttributes):
915         * runtime/SymbolTable.cpp:
916         (JSC::SymbolTableEntry::prepareToWatch):
917         (JSC::SymbolTableEntry::notifyWriteSlow):
918         * runtime/SymbolTable.h:
919         (JSC::SymbolTableEntry::notifyWrite):
920
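Added illustration (not JavaScriptCore's own code) of the failure mode the r166678 regression entry above describes: a toy generational heap in which an old-generation owner's inferred-value slot receives a pointer to a young cell, once without and once with a write barrier, followed by an eden collection; the slot then either dangles at a zombified cell or keeps a live, promoted one. Cell, EdenHeap and WatchpointSlot are names assumed here.

```cpp
// Toy generational heap reproducing the bug described in the entry above:
// a write into a slot the GC is not told about (no write barrier) leaves a
// stale pointer once the next eden GC reclaims the young cell it referenced.
// Illustrative code written for this ChangeLog, not JavaScriptCore's heap;
// Cell, EdenHeap and WatchpointSlot are names invented here.
#include <cstdint>
#include <cstdio>
#include <memory>
#include <set>
#include <vector>

struct Cell {
    bool isOld = false;      // promoted out of the eden (young) generation
    bool marked = false;
    bool zombified = false;  // reclaimed by the GC; payload overwritten
    uint32_t payload = 0;
    Cell* field = nullptr;   // the only outgoing pointer in this toy
};

// Stand-in for VariableWatchpointSet::m_inferredValue: a raw slot inside an
// old-generation owner (the symbol table) that the JITs store into directly.
struct WatchpointSlot {
    Cell* owner;
    Cell* inferredValue = nullptr;
};

class EdenHeap {
public:
    Cell* allocate(uint32_t payload) {
        cells_.push_back(std::make_unique<Cell>());
        cells_.back()->payload = payload;
        return cells_.back().get();
    }
    void addRoot(Cell* c) { roots_.push_back(c); }

    // The bug: plain store, so the collector never learns that an old object
    // now points at a young one.
    void storeUnbarriered(WatchpointSlot& slot, Cell* value) {
        slot.inferredValue = value;
    }

    // The fix: WriteBarrier semantics. Same-value stores skip the slow path
    // (as the entry describes); an old owner storing a young pointer is
    // remembered so the next eden GC scans the slot.
    void storeBarriered(WatchpointSlot& slot, Cell* value) {
        if (slot.inferredValue == value) return;
        slot.inferredValue = value;
        if (slot.owner->isOld && value && !value->isOld)
            remembered_.insert(&slot);
    }

    // Eden GC: only young cells are traced and reclaimed. Old cells are not
    // scanned, so young cells referenced only from old objects survive only
    // if the remembered set points the collector at them.
    void edenCollect() {
        for (auto& c : cells_) c->marked = false;
        for (Cell* r : roots_) mark(r);
        for (WatchpointSlot* s : remembered_) mark(s->inferredValue);
        remembered_.clear();
        for (auto& c : cells_) {
            if (c->isOld) continue;
            if (c->marked) { c->isOld = true; continue; }
            c->zombified = true;
            c->payload = 0xbbadbeef; // constructed zombie fill, like JSC's zombie mode
            c->field = nullptr;
        }
    }
    static bool isZombified(const Cell* c) { return c && c->zombified; }

private:
    void mark(Cell* c) {
        while (c && !c->marked && !c->isOld) { c->marked = true; c = c->field; }
    }
    std::vector<std::unique_ptr<Cell>> cells_;
    std::vector<Cell*> roots_;
    std::set<WatchpointSlot*> remembered_;
};

// The scenario from the entry: an old owner's inferred-value slot receives a
// young cell, then an eden GC runs. Returns true if the slot now points at a
// reclaimed (zombified) cell, i.e. the stale-pointer bug reproduced.
bool slotDanglesAfterEdenGC(bool useBarrier) {
    EdenHeap heap;
    Cell* owner = heap.allocate(1);
    heap.addRoot(owner);
    heap.edenCollect();               // promotes owner to the old generation
    WatchpointSlot slot{owner};
    Cell* young = heap.allocate(42);  // reachable only through the slot
    if (useBarrier) heap.storeBarriered(slot, young);
    else heap.storeUnbarriered(slot, young);
    heap.edenCollect();
    return EdenHeap::isZombified(slot.inferredValue);
}

int main() {
    std::printf("unbarriered store dangles: %d\n", slotDanglesAfterEdenGC(false)); // 1
    std::printf("barriered store dangles:   %d\n", slotDanglesAfterEdenGC(true));  // 0
    return 0;
}
```

Running with the zombie-style fill makes the stale pointer detectable by a flag check, which is the same idea as the isZombified() assertion the entry adds to the DFG bytecode parser.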
921 2014-05-06  Michael Saboff  <msaboff@apple.com>
922
923         Unreviewed build fix for C-LOOP after r168396.
924
925         * runtime/TestRunnerUtils.cpp:
926         (JSC::optimizeNextInvocation): Wrapped actual call inside #if ENABLE(JIT)
927
928 2014-05-06  Michael Saboff  <msaboff@apple.com>
929
930         Add test for deleteAllCompiledCode
931         https://bugs.webkit.org/show_bug.cgi?id=132632
932
933         Reviewed by Phil Pizlo.
934
935         Added two new hooks to jsc, one to call Heap::deleteAllCompiledCode() and
936         the other to call CodeBlock::optimizeNextInvocation().  Used these two hooks
937         to write a test that will queue up loads of DFG compiles and then call
938         Heap::deleteAllCompiledCode() to make sure that it can handle compiled
939         code as well as code being compiled.
940
941         * jsc.cpp:
942         (GlobalObject::finishCreation):
943         (functionDeleteAllCompiledCode):
944         (functionOptimizeNextInvocation):
945         * runtime/TestRunnerUtils.cpp:
946         (JSC::optimizeNextInvocation):
947         * runtime/TestRunnerUtils.h:
948         * tests/stress/deleteAllCompiledCode.js: Added.
949         (functionList):
950         (runTest):
951
952 2014-05-06  Andreas Kling  <akling@apple.com>
953
954         JSString::toAtomicString() should return AtomicString.
955         <https://webkit.org/b/132627>
956
957         Remove premature optimization where I was trying to avoid refcount
958         churn when returning an already atomicized String.
959
960         Instead of using reinterpret_cast to mangle the String member into
961         a const AtomicString& return value, just return AtomicString.
962
963         Reviewed by Geoff Garen.
964
965         * runtime/JSString.h:
966         (JSC::JSString::toAtomicString):
967
968 2014-05-06  Mark Hahnenberg  <mhahnenberg@apple.com>
969
970         Roll out r167889
971
972         Rubber stamped by Geoff Garen.
973
974         It broke some websites.
975
976         * runtime/JSPropertyNameIterator.cpp:
977         (JSC::JSPropertyNameIterator::create):
978         * runtime/PropertyMapHashTable.h:
979         (JSC::PropertyTable::hasDeletedOffset):
980         (JSC::PropertyTable::hadDeletedOffset): Deleted.
981         * runtime/Structure.cpp:
982         (JSC::Structure::Structure):
983         (JSC::Structure::materializePropertyMap):
984         (JSC::Structure::removePropertyTransition):
985         (JSC::Structure::changePrototypeTransition):
986         (JSC::Structure::despecifyFunctionTransition):
987         (JSC::Structure::attributeChangeTransition):
988         (JSC::Structure::toDictionaryTransition):
989         (JSC::Structure::preventExtensionsTransition):
990         (JSC::Structure::addPropertyWithoutTransition):
991         (JSC::Structure::removePropertyWithoutTransition):
992         (JSC::Structure::pin):
993         (JSC::Structure::pinAndPreventTransitions): Deleted.
994         * runtime/Structure.h:
995         * runtime/StructureInlines.h:
996         (JSC::Structure::setEnumerationCache):
997         (JSC::Structure::propertyTable):
998         (JSC::Structure::checkOffsetConsistency):
999         (JSC::Structure::hadDeletedOffsets): Deleted.
1000         * tests/stress/for-in-after-delete.js:
1001         (foo): Deleted.
1002
1003 2014-05-05  Andreas Kling  <akling@apple.com>
1004
1005         Fix debug build.
1006
1007         * runtime/JSCellInlines.h:
1008         (JSC::JSCell::fastGetOwnProperty):
1009
1010 2014-05-05  Andreas Kling  <akling@apple.com>
1011
1012         Optimize GetByVal when subscript is a rope string.
1013         <https://webkit.org/b/132590>
1014
1015         Use JSString::toIdentifier() in the various GetByVal implementations
1016         to try and avoid allocating extra strings.
1017
1018         Added canUseFastGetOwnProperty() and wrap calls to fastGetOwnProperty()
1019         in that, to avoid calling JSString::value() which always resolves ropes
1020         into new strings and de-optimizes subsequent toIdentifier() calls.
1021
1022         My iMac says ~9% progression on Dromaeo/dom-attr.html
1023
1024         Reviewed by Phil Pizlo.
1025
1026         * dfg/DFGOperations.cpp:
1027         * jit/JITOperations.cpp:
1028         (JSC::getByVal):
1029         * llint/LLIntSlowPaths.cpp:
1030         (JSC::LLInt::getByVal):
1031         * runtime/JSCell.h:
1032         * runtime/JSCellInlines.h:
1033         (JSC::JSCell::fastGetOwnProperty):
1034         (JSC::JSCell::canUseFastGetOwnProperty):
1035
1036 2014-05-05  Andreas Kling  <akling@apple.com>
1037
1038         REGRESSION (r168256): ASSERTION FAILED: (buffer + m_length) == position loading vanityfair.com article.
1039         <https://webkit.org/b/168256>
1040         <rdar://problem/16816316>
1041
1042         Make resolveRopeSlowCase8() behave like its 16-bit counterpart and not
1043         clear the fibers. The caller takes care of this.
1044
1045         Test: fast/dom/getElementById-with-rope-string-arg.html
1046
1047         Reviewed by Geoffrey Garen.
1048
1049         * runtime/JSString.cpp:
1050         (JSC::JSRopeString::resolveRopeSlowCase8):
1051
1052 2014-05-05  Michael Saboff  <msaboff@apple.com>
1053
1054         REGRESSION: RELEASE_ASSERT in CodeBlock::baselineVersion @ cnn.com
1055         https://bugs.webkit.org/show_bug.cgi?id=132581
1056
1057         Reviewed by Filip Pizlo.
1058
1059         * dfg/DFGPlan.cpp:
1060         (JSC::DFG::Plan::isStillValid): Check that the alternative codeBlock we
1061         started compiling for is still the same at the end of compilation.
1062         Also did some minor restructuring.
1063
1064 2014-05-05  Andreas Kling  <akling@apple.com>
1065
1066         Optimize PutByVal when subscript is a rope string.
1067         <https://webkit.org/b/132572>
1068
1069         Add a JSString::toIdentifier() that is smarter when the JSString is
1070         really a rope string. Use this in baseline & DFG's PutByVal to avoid
1071         allocating new StringImpls that we immediately deduplicate anyway.
1072
1073         Reviewed by Antti Koivisto.
1074
1075         * dfg/DFGOperations.cpp:
1076         (JSC::DFG::operationPutByValInternal):
1077         * jit/JITOperations.cpp:
1078         * runtime/JSString.h:
1079         (JSC::JSString::toIdentifier):
1080
1081 2014-05-05  Andreas Kling  <akling@apple.com>
1082
1083         Remove two now-incorrect assertions after r168256.
1084
1085         * runtime/JSString.cpp:
1086         (JSC::JSRopeString::resolveRopeSlowCase8):
1087         (JSC::JSRopeString::resolveRopeSlowCase):
1088
1089 2014-05-04  Andreas Kling  <akling@apple.com>
1090
1091         Optimize JSRopeString for resolving directly to AtomicString.
1092         <https://webkit.org/b/132548>
1093
1094         If we know that the JSRopeString we are resolving is going to be used
1095         as an AtomicString, we can try to avoid creating a new string.
1096
1097         We do this by first resolving the rope into a stack buffer, and using
1098         that buffer as a key into the AtomicString table. If there is already
1099         an AtomicString with the same characters, we reuse that instead of
1100         constructing a new StringImpl.
1101
1102         JSString gains these two public functions:
1103
1104         - AtomicString toAtomicString()
1105
1106             Returns an AtomicString, tries to avoid allocating a new string
1107             if possible.
1108
1109         - AtomicStringImpl* toExistingAtomicString()
1110
1111             Returns a non-null AtomicStringImpl* if one already exists in the
1112             AtomicString table. If none is found, the rope is left unresolved.
1113
1114         Reviewed by Filip Pizlo.
1115
1116         * runtime/JSString.cpp:
1117         (JSC::JSRopeString::resolveRopeInternal8):
1118         (JSC::JSRopeString::resolveRopeInternal16):
1119         (JSC::JSRopeString::resolveRopeToAtomicString):
1120         (JSC::JSRopeString::clearFibers):
1121         (JSC::JSRopeString::resolveRopeToExistingAtomicString):
1122         (JSC::JSRopeString::resolveRope):
1123         (JSC::JSRopeString::outOfMemory):
1124         * runtime/JSString.h:
1125         (JSC::JSString::toAtomicString):
1126         (JSC::JSString::toExistingAtomicString):
1127
1128 2014-05-04  Andreas Kling  <akling@apple.com>
1129
1130         Unreviewed, rolling out r168254.
1131
1132         Very crashy on debug JSC tests.
1133
1134         Reverted changeset:
1135
1136         "jsSubstring() should be lazy"
1137         https://bugs.webkit.org/show_bug.cgi?id=132556
1138         http://trac.webkit.org/changeset/168254
1139
1140 2014-05-04  Filip Pizlo  <fpizlo@apple.com>
1141
1142         jsSubstring() should be lazy
1143         https://bugs.webkit.org/show_bug.cgi?id=132556
1144
1145         Reviewed by Andreas Kling.
1146         
1147         jsSubstring() is now lazy by using a special rope that is a substring instead of a
1148         concatenation. To make this patch super simple, we require that a substring's base is
1149         never a rope. Hence, when resolving a rope, we either go down a non-recursive substring
1150         path, or we go down a concatenation path which may see exactly one level of substrings in
1151         its fibers.
1152         
1153         This is up to a 50% speed-up on microbenchmarks and a 10% speed-up on Octane/regexp.
1154
1155         * heap/MarkedBlock.cpp:
1156         (JSC::MarkedBlock::specializedSweep):
1157         * runtime/JSString.cpp:
1158         (JSC::JSRopeString::visitFibers):
1159         (JSC::JSRopeString::resolveRope):
1160         (JSC::JSRopeString::resolveRopeSlowCase8):
1161         (JSC::JSRopeString::resolveRopeSlowCase):
1162         (JSC::JSRopeString::outOfMemory):
1163         * runtime/JSString.h:
1164         (JSC::JSRopeString::finishCreation):
1165         (JSC::JSRopeString::append):
1166         (JSC::JSRopeString::create):
1167         (JSC::JSRopeString::offsetOfFibers):
1168         (JSC::JSRopeString::fiber):
1169         (JSC::JSRopeString::substringBase):
1170         (JSC::JSRopeString::substringOffset):
1171         (JSC::JSRopeString::substringSentinel):
1172         (JSC::JSRopeString::isSubstring):
1173         (JSC::jsSubstring):
1174         * runtime/RegExpMatchesArray.cpp:
1175         (JSC::RegExpMatchesArray::reifyAllProperties):
1176         * runtime/StringPrototype.cpp:
1177         (JSC::stringProtoFuncSubstring):
1178
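Added example, written for this entry and not JSC's JSRopeString: a toy rope with Flat, Substring and Concat nodes that enforces the invariant stated above (a substring's base is never a rope), so resolving a substring is a single non-recursive copy and a concatenation sees at most one level of substrings among its fibers. Rope, makeFlat, makeSubstring, makeConcat and value are names assumed here.

```cpp
// Toy rope illustrating the laziness scheme in the jsSubstring() entry above.
// Illustrative code written for this ChangeLog, not JSC's JSRopeString; the
// names Rope, makeFlat, makeSubstring, makeConcat and value are invented here.
#include <cstdio>
#include <memory>
#include <stdexcept>
#include <string>
#include <vector>

struct Rope {
    enum class Kind { Flat, Substring, Concat };
    Kind kind = Kind::Flat;
    std::string flat;                           // the characters, once resolved
    std::shared_ptr<Rope> base;                 // Substring: always a Flat node
    size_t offset = 0;                          // Substring: start within base
    size_t length = 0;                          // logical length of this node
    std::vector<std::shared_ptr<Rope>> fibers;  // Concat: pieces, left to right
    bool isResolved() const { return kind == Kind::Flat; }
};

std::shared_ptr<Rope> makeFlat(std::string s) {
    auto r = std::make_shared<Rope>();
    r->length = s.size();
    r->flat = std::move(s);
    return r;
}

// Resolving is where the work happens. A Substring copies once from its flat
// base (no recursion possible, by construction). A Concat copies each fiber,
// peeling at most one Substring layer; the toy recurses into nested Concats,
// which JSC's resolveRope handles iteratively instead.
void resolve(Rope& r) {
    if (r.isResolved()) return;
    if (r.kind == Rope::Kind::Substring) {
        r.flat = r.base->flat.substr(r.offset, r.length);
    } else {
        r.flat.reserve(r.length);
        for (auto& f : r.fibers) {
            if (f->kind == Rope::Kind::Concat) resolve(*f);
            if (f->kind == Rope::Kind::Substring)
                r.flat.append(f->base->flat, f->offset, f->length);
            else
                r.flat += f->flat;
        }
    }
    r.kind = Rope::Kind::Flat;
    r.base.reset();
    r.fibers.clear();  // like clearFibers(): drop the pieces once resolved
}

// jsSubstring-style constructor: lazy, but the entry's invariant holds that a
// substring's base is never a rope, so a rope base is resolved first.
std::shared_ptr<Rope> makeSubstring(std::shared_ptr<Rope> base, size_t offset, size_t length) {
    if (offset > base->length || length > base->length - offset)
        throw std::out_of_range("substring range exceeds base");
    if (!base->isResolved()) resolve(*base);
    auto r = std::make_shared<Rope>();
    r->kind = Rope::Kind::Substring;
    r->base = std::move(base);
    r->offset = offset;
    r->length = length;
    return r;
}

std::shared_ptr<Rope> makeConcat(std::shared_ptr<Rope> a, std::shared_ptr<Rope> b) {
    auto r = std::make_shared<Rope>();
    r->kind = Rope::Kind::Concat;
    r->length = a->length + b->length;
    r->fibers = {std::move(a), std::move(b)};
    return r;
}

const std::string& value(Rope& r) { resolve(r); return r.flat; }

int main() {
    auto hello = makeFlat("hello, world");
    auto world = makeSubstring(hello, 7, 5);                // lazy: no copy yet
    auto greeting = makeConcat(makeFlat("say "), makeSubstring(hello, 0, 5));
    auto fromRope = makeSubstring(greeting, 4, 5);          // base resolved eagerly
    std::printf("%s | %s | %d\n", value(*world).c_str(), value(*fromRope).c_str(),
                greeting->isResolved());                    // world | hello | 1
    return 0;
}
```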
1179 2014-05-02  Michael Saboff  <msaboff@apple.com>
1180
1181         "arm64 function not 4-byte aligned" warnings when building JSC
1182         https://bugs.webkit.org/show_bug.cgi?id=132495
1183
1184         Reviewed by Geoffrey Garen.
1185
1186         Added ".align 4" for both ARM Thumb2 and ARM 64 to silence the linker.
1187
1188         * llint/LowLevelInterpreter.cpp:
1189
1190 2014-05-02  Mark Hahnenberg  <mhahnenberg@apple.com>
1191
1192         Fix cloop build after r168178
1193
1194         * bytecode/CodeBlock.cpp:
1195
1196 2014-05-01  Mark Hahnenberg  <mhahnenberg@apple.com>
1197
1198         Add a DFG function whitelist
1199         https://bugs.webkit.org/show_bug.cgi?id=132437
1200
1201         Reviewed by Geoffrey Garen.
1202
1203         Oftentimes when debugging, using bytecode ranges isn't enough to narrow down to the
1204         particular DFG block that's causing issues. This patch adds the ability to whitelist
1205         specific functions specified in a file to enable further filtering without having to recompile.
1206
1207         * CMakeLists.txt:
1208         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1209         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1210         * JavaScriptCore.xcodeproj/project.pbxproj:
1211         * dfg/DFGCapabilities.cpp:
1212         (JSC::DFG::isSupported):
1213         (JSC::DFG::mightInlineFunctionForCall):
1214         (JSC::DFG::mightInlineFunctionForClosureCall):
1215         (JSC::DFG::mightInlineFunctionForConstruct):
1216         * dfg/DFGFunctionWhitelist.cpp: Added.
1217         (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
1218         (JSC::DFG::FunctionWhitelist::FunctionWhitelist):
1219         (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
1220         (JSC::DFG::FunctionWhitelist::contains):
1221         * dfg/DFGFunctionWhitelist.h: Added.
1222         * runtime/Options.cpp:
1223         (JSC::parse):
1224         (JSC::Options::dumpOption):
1225         * runtime/Options.h:
1226
1227 2014-05-02  Filip Pizlo  <fpizlo@apple.com>
1228
1229         DFGAbstractInterpreter should not claim Int52 arithmetic creates Int52s
1230         https://bugs.webkit.org/show_bug.cgi?id=132446
1231
1232         Reviewed by Mark Hahnenberg.
1233         
1234         Basically any arithmetic operation can turn an Int52 into an Int32 or vice-versa, and
1235         our modeling of Int52Rep nodes is such that they can have either Int32 or Int52 type
1236         to indicate a bound on the value. This is useful for knowing, for example, that
1237         Int52Rep(Int32:) returns a value that cannot be outside the Int32 range. Also,
1238         ValueRep(Int52Rep:) uses this to determine whether it may return a double or an int.
1239         But this means that all arithmetic operations must be careful to note that they may
1240         turn Int32 inputs into an Int52 output or vice-versa, as these new tests show.
1241
1242         * dfg/DFGAbstractInterpreterInlines.h:
1243         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1244         * dfg/DFGByteCodeParser.cpp:
1245         (JSC::DFG::ByteCodeParser::makeSafe):
1246         * tests/stress/int52-ai-add-then-filter-int32.js: Added.
1247         (foo):
1248         * tests/stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js: Added.
1249         (foo):
1250         * tests/stress/int52-ai-mul-then-filter-int32-directly.js: Added.
1251         (foo):
1252         * tests/stress/int52-ai-mul-then-filter-int32.js: Added.
1253         (foo):
1254         * tests/stress/int52-ai-neg-then-filter-int32.js: Added.
1255         (foo):
1256         * tests/stress/int52-ai-sub-then-filter-int32.js: Added.
1257         (foo):
1258
1259 2014-05-01  Geoffrey Garen  <ggaren@apple.com>
1260
1261         JavaScriptCore fails to build with some versions of clang
1262         https://bugs.webkit.org/show_bug.cgi?id=132436
1263
1264         Reviewed by Anders Carlsson.
1265
1266         * runtime/ArgumentsIteratorConstructor.cpp: Since we call
1267         putDirectWithoutTransition, and it calls putWillGrowOutOfLineStorage,
1268         and both are marked inline, it's valid for the compiler to decide
1269         to inline both and emit neither in the binary. Therefore, we need
1270         both inline definitions to be available in the translation unit at
1271         compile time, or we'll try to link against a function that doesn't exist.
1272
1273 2014-05-01  Commit Queue  <commit-queue@webkit.org>
1274
1275         Unreviewed, rolling out r167964.
1276         https://bugs.webkit.org/show_bug.cgi?id=132431
1277
1278         Memory improvements should not regress memory usage (Requested
1279         by olliej on #webkit).
1280
1281         Reverted changeset:
1282
1283         "Don't hold on to parameter BindingNodes forever"
1284         https://bugs.webkit.org/show_bug.cgi?id=132360
1285         http://trac.webkit.org/changeset/167964
1286
1287 2014-05-01  Filip Pizlo  <fpizlo@apple.com>
1288
1289         Fix trivial debug-only race-that-crashes in CallLinkStatus and explain why the remaining races are totally awesome
1290         https://bugs.webkit.org/show_bug.cgi?id=132427
1291
1292         Reviewed by Mark Hahnenberg.
1293
1294         * bytecode/CallLinkStatus.cpp:
1295         (JSC::CallLinkStatus::computeFor):
1296
1297 2014-04-30  Simon Fraser  <simon.fraser@apple.com>
1298
1299         Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO
1300         https://bugs.webkit.org/show_bug.cgi?id=132396
1301
1302         Reviewed by Eric Carlson.
1303
1304         Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO and related code.
1305
1306         * Configurations/FeatureDefines.xcconfig:
1307
1308 2014-04-30  Filip Pizlo  <fpizlo@apple.com>
1309
1310         Argument flush formats should not be presumed to be JSValue since 'this' is weird
1311         https://bugs.webkit.org/show_bug.cgi?id=132404
1312
1313         Reviewed by Michael Saboff.
1314
1315         * dfg/DFGSpeculativeJIT.cpp:
1316         (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Don't assume that arguments are flushed as JSValue. Use the logic for locals instead.
1317         * dfg/DFGSpeculativeJIT32_64.cpp:
1318         (JSC::DFG::SpeculativeJIT::compile): SetArgument "changes" the format because before this we wouldn't know we had arguments.
1319         * dfg/DFGSpeculativeJIT64.cpp:
1320         (JSC::DFG::SpeculativeJIT::compile): Ditto.
1321         * dfg/DFGValueSource.cpp:
1322         (JSC::DFG::ValueSource::dumpInContext): Make this easier to dump.
1323         * dfg/DFGValueSource.h:
1324         (JSC::DFG::ValueSource::operator!): Make this easier to dump because Operands<T> uses T::operator!().
1325         * ftl/FTLOSREntry.cpp:
1326         (JSC::FTL::prepareOSREntry): This had a useful assertion for everything except 'this'.
1327         * tests/stress/strict-to-this-int.js: Added.
1328         (foo):
1329         (Number.prototype.valueOf):
1330         (test):
1331
1332 2014-04-29  Oliver Hunt  <oliver@apple.com>
1333
1334         Don't hold on to parameterBindingNodes forever
1335         https://bugs.webkit.org/show_bug.cgi?id=132360
1336
1337         Reviewed by Geoffrey Garen.
1338
1339         Don't keep the parameter nodes anymore. Instead we store the
1340         original parameter string and reparse whenever we actually
1341         need them. Because we only actually need them for compilation
1342         this only results in a single extra parse.
1343
1344         * bytecode/UnlinkedCodeBlock.cpp:
1345         (JSC::generateFunctionCodeBlock):
1346         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1347         (JSC::UnlinkedFunctionExecutable::visitChildren):
1348         (JSC::UnlinkedFunctionExecutable::finishCreation):
1349         (JSC::UnlinkedFunctionExecutable::paramString):
1350         (JSC::UnlinkedFunctionExecutable::parameters):
1351         (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
1352         * bytecode/UnlinkedCodeBlock.h:
1353         (JSC::UnlinkedFunctionExecutable::create):
1354         (JSC::UnlinkedFunctionExecutable::parameterCount):
1355         (JSC::UnlinkedFunctionExecutable::parameters): Deleted.
1356         (JSC::UnlinkedFunctionExecutable::finishCreation): Deleted.
1357         * parser/ASTBuilder.h:
1358         (JSC::ASTBuilder::ASTBuilder):
1359         (JSC::ASTBuilder::setFunctionBodyParameters):
1360         * parser/Nodes.h:
1361         (JSC::FunctionBodyNode::parametersStartOffset):
1362         (JSC::FunctionBodyNode::parametersEndOffset):
1363         (JSC::FunctionBodyNode::setParameterLocation):
1364         * parser/Parser.cpp:
1365         (JSC::Parser<LexerType>::parseFunctionInfo):
1366         (JSC::parseParameters):
1367         * parser/Parser.h:
1368         (JSC::parse):
1369         * parser/SourceCode.h:
1370         (JSC::SourceCode::subExpression):
1371         * parser/SyntaxChecker.h:
1372         (JSC::SyntaxChecker::setFunctionBodyParameters):
1373
1374 2014-04-29  Mark Hahnenberg  <mhahnenberg@apple.com>
1375
1376         JSProxies should be cacheable
1377         https://bugs.webkit.org/show_bug.cgi?id=132351
1378
1379         Reviewed by Geoffrey Garen.
1380
1381         Whenever we encounter a proxy in an inline cache we should try to cache on the
1382         proxy's target instead of giving up.
1383
1384         This patch adds support for a simple "recursive" inline cache if the base object
1385         we're accessing is a pure forwarding proxy. JSGlobalObject and its subclasses
1386         are the only ones to benefit from this right now.
1387
1388         This is performance neutral on the benchmarks we track. Currently we won't
1389         cache on JSDOMWindow due to HasImpureGetOwnPropertySlot, but this issue will be fixed soon.
1390
1391         * jit/Repatch.cpp:
1392         (JSC::generateByIdStub):
1393         (JSC::tryBuildGetByIDList):
1394         (JSC::tryCachePutByID):
1395         (JSC::tryBuildPutByIdList):
1396         * jsc.cpp:
1397         (GlobalObject::finishCreation):
1398         (functionCreateProxy):
1399         * runtime/IntendedStructureChain.cpp:
1400         (JSC::IntendedStructureChain::isNormalized):
1401         * runtime/JSCellInlines.h:
1402         (JSC::JSCell::isProxy):
1403         * runtime/JSGlobalObject.h:
1404         (JSC::JSGlobalObject::finishCreation):
1405         * runtime/JSProxy.h:
1406         (JSC::JSProxy::createStructure):
1407         (JSC::JSProxy::targetOffset):
1408         * runtime/JSType.h:
1409         * runtime/Operations.h:
1410         (JSC::isPrototypeChainNormalized):
1411         * runtime/Structure.h:
1412         (JSC::Structure::isProxy):
1413         * tests/stress/proxy-inline-cache.js: Added.
1414         (cacheOnTarget.getX):
1415         (cacheOnTarget):
1416         (cacheOnPrototypeOfTarget.getX):
1417         (cacheOnPrototypeOfTarget):
1418         (dontCacheOnProxyInPrototypeChain.getX):
1419         (dontCacheOnProxyInPrototypeChain):
1420         (dontCacheOnTargetOfProxyInPrototypeChainOfTarget.getX):
1421         (dontCacheOnTargetOfProxyInPrototypeChainOfTarget):
1422
1423 2014-04-29  Filip Pizlo  <fpizlo@apple.com>
1424
1425         Use LLVM as a backend for the fourth-tier DFG JIT (a.k.a. the FTL JIT)
1426         https://bugs.webkit.org/show_bug.cgi?id=112840
1427
1428         Rubber stamped by Geoffrey Garen.
1429
1430         * Configurations/FeatureDefines.xcconfig:
1431
1432 2014-04-29  Geoffrey Garen  <ggaren@apple.com>
1433
1434         String.prototype.trim removes U+200B from strings.
1435         https://bugs.webkit.org/show_bug.cgi?id=130184
1436
1437         Reviewed by Michael Saboff.
1438
1439         * runtime/StringPrototype.cpp:
1440         (JSC::trimString):
1441         (JSC::isTrimWhitespace): Deleted.
1442
1443 2014-04-29  Mark Lam  <mark.lam@apple.com>
1444
1445         Zombifying sweep should ignore retired blocks.
1446         <https://webkit.org/b/132344>
1447
1448         Reviewed by Mark Hahnenberg.
1449
1450         By definition, retired blocks do not have "dead" objects, or at least
1451         none that we know of yet until the next marking phase has been run
1452         over it.  So, we should not be sweeping them (even for zombie mode).
1453
1454         * heap/Heap.cpp:
1455         (JSC::Heap::zombifyDeadObjects):
1456         * heap/MarkedSpace.cpp:
1457         (JSC::MarkedSpace::zombifySweep):
1458         * heap/MarkedSpace.h:
1459         (JSC::ZombifySweep::operator()):
1460
1461 2014-04-29  Mark Lam  <mark.lam@apple.com>
1462
1463         Fix bit rot in zombie mode heap code.
1464         <https://webkit.org/b/132342>
1465
1466         Reviewed by Mark Hahnenberg.
1467
1468         Need to enter a DelayedReleaseScope before doing a sweep.
1469
1470         * heap/Heap.cpp:
1471         (JSC::Heap::zombifyDeadObjects):
1472
1473 2014-04-29  Tomas Popela  <tpopela@redhat.com>
1474
1475         LLINT loadisFromInstruction doesn't need special case for big endians
1476         https://bugs.webkit.org/show_bug.cgi?id=132330
1477
1478         Reviewed by Mark Lam.
1479
1480         The change introduced in r167076 was wrong. We should not apply the offset
1481         adjustment on loadisFromInstruction usage as the instruction
1482         (UnlinkedInstruction) is declared as a union (i.e. with the int32_t
1483         operand variable). The offset of the other union members will be the
1484         same as the offset of the first one, that is 0. The behavior here is the
1485         same on little and big endian architectures. Thus we don't need a
1486         special case for big endians.
1487
1488         * llint/LowLevelInterpreter.asm:
1489
1490 2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>
1491
1492         Simplify tryCacheGetById
1493         https://bugs.webkit.org/show_bug.cgi?id=132314
1494
1495         Reviewed by Oliver Hunt and Filip Pizlo.
1496
1497         This is neutral across all benchmarks we track, although it looks like a wee 0.5% progression on sunspider.
1498
1499         * jit/Repatch.cpp:
1500         (JSC::tryCacheGetByID): If we fail to cache on self, we just repatch to call tryBuildGetByIDList next time.
1501
1502 2014-04-28  Michael Saboff  <msaboff@apple.com>
1503
1504         REGRESSION(r153142) ASSERT from CodeBlock::dumpBytecode dumping String Switch Jump Tables
1505         https://bugs.webkit.org/show_bug.cgi?id=132315
1506
1507         Reviewed by Mark Hahnenberg.
1508
1509         Used the StringImpl version of utf8() instead of creating a String first.
1510
1511         * bytecode/CodeBlock.cpp:
1512         (JSC::CodeBlock::dumpBytecode):
1513
1514 2014-04-28  Filip Pizlo  <fpizlo@apple.com>
1515
1516         The LLInt is awesome and it should get more of the action.
1517
1518         Rubber stamped by Geoffrey Garen.
1519         
1520         5% speed-up on JSBench and no meaningful regressions.  Should be a PLT/DYE speed-up also.
1521
1522         * runtime/Options.h:
1523
1524 2014-04-27  Filip Pizlo  <fpizlo@apple.com>
1525
1526         GC should be able to remove things from the DFG worklist and cancel on-going compilations if it knows that the compilation would already be invalidated
1527         https://bugs.webkit.org/show_bug.cgi?id=132166
1528
1529         Reviewed by Oliver Hunt and Mark Hahnenberg.
1530         
1531         The GC can aid type inference by removing structures that are dead and jettisoning
1532         code that relies on those structures. This can dramatically accelerate type inference
1533         for some tricky programs.
1534         
1535         Unfortunately, we previously pinned any structures that enqueued compilations depended
1536         on. This means that if you're on a machine that only runs a single compilation thread
1537         and where compilations are relatively slow, you have a high chance of large numbers of
1538         structures being pinned during any GC since the compilation queue is likely to be full
1539         of random stuff.
1540         
1541         This comprehensively fixes this issue by allowing the GC to remove compilation plans
1542         if the things they depend on are dead, and to even cancel safepointed compilations.
1543         
1544         * bytecode/CodeBlock.cpp:
1545         (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
1546         (JSC::CodeBlock::isKnownToBeLiveDuringGC):
1547         (JSC::CodeBlock::finalizeUnconditionally):
1548         * bytecode/CodeBlock.h:
1549         (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan): Deleted.
1550         * dfg/DFGDesiredIdentifiers.cpp:
1551         (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
1552         * dfg/DFGDesiredIdentifiers.h:
1553         * dfg/DFGDesiredWatchpoints.h:
1554         * dfg/DFGDesiredWeakReferences.cpp:
1555         (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
1556         * dfg/DFGDesiredWeakReferences.h:
1557         * dfg/DFGGraphSafepoint.cpp:
1558         (JSC::DFG::GraphSafepoint::GraphSafepoint):
1559         * dfg/DFGGraphSafepoint.h:
1560         * dfg/DFGPlan.cpp:
1561         (JSC::DFG::Plan::Plan):
1562         (JSC::DFG::Plan::compileInThread):
1563         (JSC::DFG::Plan::compileInThreadImpl):
1564         (JSC::DFG::Plan::notifyCompiling):
1565         (JSC::DFG::Plan::notifyCompiled):
1566         (JSC::DFG::Plan::notifyReady):
1567         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
1568         (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
1569         (JSC::DFG::Plan::cancel):
1570         (JSC::DFG::Plan::visitChildren): Deleted.
1571         * dfg/DFGPlan.h:
1572         * dfg/DFGSafepoint.cpp:
1573         (JSC::DFG::Safepoint::Result::~Result):
1574         (JSC::DFG::Safepoint::Result::didGetCancelled):
1575         (JSC::DFG::Safepoint::Safepoint):
1576         (JSC::DFG::Safepoint::~Safepoint):
1577         (JSC::DFG::Safepoint::checkLivenessAndVisitChildren):
1578         (JSC::DFG::Safepoint::isKnownToBeLiveDuringGC):
1579         (JSC::DFG::Safepoint::cancel):
1580         (JSC::DFG::Safepoint::visitChildren): Deleted.
1581         * dfg/DFGSafepoint.h:
1582         (JSC::DFG::Safepoint::Result::Result):
1583         * dfg/DFGWorklist.cpp:
1584         (JSC::DFG::Worklist::compilationState):
1585         (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
1586         (JSC::DFG::Worklist::removeAllReadyPlansForVM):
1587         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
1588         (JSC::DFG::Worklist::visitWeakReferences):
1589         (JSC::DFG::Worklist::removeDeadPlans):
1590         (JSC::DFG::Worklist::runThread):
1591         (JSC::DFG::Worklist::visitChildren): Deleted.
1592         * dfg/DFGWorklist.h:
1593         * ftl/FTLCompile.cpp:
1594         (JSC::FTL::compile):
1595         * ftl/FTLCompile.h:
1596         * heap/CodeBlockSet.cpp:
1597         (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
1598         * heap/Heap.cpp:
1599         (JSC::Heap::markRoots):
1600         (JSC::Heap::visitCompilerWorklistWeakReferences):
1601         (JSC::Heap::removeDeadCompilerWorklistEntries):
1602         (JSC::Heap::visitWeakHandles):
1603         (JSC::Heap::collect):
1604         (JSC::Heap::visitCompilerWorklists): Deleted.
1605         * heap/Heap.h:
1606
1607 2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>
1608
1609         Deleting properties poisons objects
1610         https://bugs.webkit.org/show_bug.cgi?id=131551
1611
1612         Reviewed by Oliver Hunt.
1613
1614         This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.
1615
1616         * runtime/JSPropertyNameIterator.cpp:
1617         (JSC::JSPropertyNameIterator::create):
1618         * runtime/PropertyMapHashTable.h:
1619         (JSC::PropertyTable::hasDeletedOffset):
1620         (JSC::PropertyTable::hadDeletedOffset): If we ever had deleted properties we can no longer cache offsets when 
1621         iterating properties because we're required to iterate properties in insertion order.
1622         * runtime/Structure.cpp:
1623         (JSC::Structure::Structure):
1624         (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
1625         (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of 
1626         Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache 
1627         delete transitions, but we allow transitioning from them.
1628         (JSC::Structure::changePrototypeTransition):
1629         (JSC::Structure::despecifyFunctionTransition):
1630         (JSC::Structure::attributeChangeTransition):
1631         (JSC::Structure::toDictionaryTransition):
1632         (JSC::Structure::preventExtensionsTransition):
1633         (JSC::Structure::addPropertyWithoutTransition):
1634         (JSC::Structure::removePropertyWithoutTransition):
1635         (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
1636         (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
1637         * runtime/Structure.h:
1638         * runtime/StructureInlines.h:
1639         (JSC::Structure::setEnumerationCache):
1640         (JSC::Structure::hadDeletedOffsets):
1641         (JSC::Structure::propertyTable):
1642         (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
1643         * tests/stress/for-in-after-delete.js: Added.
1644         (foo):
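
As an added illustration of the enumeration-order requirement mentioned above (example code written for this page, not WebKit's for-in-after-delete.js test), the functions below delete and re-add own properties and return the order in which for-in reports them. The function names are this example's own; the only assumption is the for-in order of own properties that all major engines share: array-index keys first in ascending numeric order, then string keys in insertion order, with a deleted-and-re-added key moving to the end.

```javascript
// Added example (not WebKit code): observe the property enumeration order that the
// delete-transition change above has to preserve.
function enumerationOrder(obj) {
  const keys = [];
  for (const k in obj) {
    if (Object.prototype.hasOwnProperty.call(obj, k)) keys.push(k);
  }
  return keys;
}

// Build an object from `initialKeys`, delete `victim`, optionally re-add it, and
// return the resulting for-in order. Values are irrelevant; key order is the point.
function orderAfterDelete(initialKeys, victim, readd) {
  const o = {};
  for (const k of initialKeys) o[k] = k.length;
  delete o[victim];
  if (readd) o[victim] = -1;
  return enumerationOrder(o);
}

// Repeatedly delete and re-add one key. The entry above says the engine tolerates a
// bounded number of deletes on a structure path before falling back to a dictionary;
// that threshold is invisible from JS, so this only checks that the order stays
// correct however many times the property churns.
function churn(obj, key, rounds) {
  for (let i = 0; i < rounds; i++) {
    delete obj[key];
    obj[key] = i;
  }
  return enumerationOrder(obj);
}
```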
1645
1646 2014-04-25  Andreas Kling  <akling@apple.com>
1647
1648         Inline (C++) GetByVal with numeric indices more aggressively.
1649         <https://webkit.org/b/132218>
1650
1651         We were already inlining the string indexed GetByVal path pretty well,
1652         while the path for numeric indices got neglected. No more!
1653
1654         ~9.5% improvement on Dromaeo/dom-traverse.html on my MBP:
1655
1656             Before: 199.50 runs/s
1657              After: 218.58 runs/s
1658
1659         Reviewed by Phil Pizlo.
1660
1661         * dfg/DFGOperations.cpp:
1662         * runtime/JSCJSValueInlines.h:
1663         (JSC::JSValue::get):
1664
1665             ALWAYS_INLINE all the things.
1666
1667         * runtime/JSObject.h:
1668         (JSC::JSObject::getPropertySlot):
1669
1670             Avoid fetching the Structure more than once. We have the same
1671             optimization in the string-indexed code path.
1672
1673 2014-04-25  Oliver Hunt  <oliver@apple.com>
1674
1675         Need earlier cell test
1676         https://bugs.webkit.org/show_bug.cgi?id=132211
1677
1678         Reviewed by Mark Lam.
1679
1680         Move cell test to before the function call repatch
1681         location, as the repatch logic for 32bit assumes that the
1682         caller will already have performed a cell check.
1683
1684         * jit/JITCall32_64.cpp:
1685         (JSC::JIT::compileOpCall):
1686
1687 2014-04-25  Andreas Kling  <akling@apple.com>
1688
1689         Un-fast-allocate JSGlobalObjectRareData because Windows doesn't build and I'm not in the mood.
1690
1691         * runtime/JSGlobalObject.h:
1692         (JSC::JSGlobalObject::JSGlobalObjectRareData::JSGlobalObjectRareData):
1693         (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData): Deleted.
1694
1695 2014-04-25  Andreas Kling  <akling@apple.com>
1696
1697         Windows build fix attempt.
1698
1699         * runtime/JSGlobalObject.h:
1700         (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData):
1701
1702 2014-04-25  Mark Lam  <mark.lam@apple.com>
1703
1704         Refactor debugging code to use BreakpointActions instead of Vector<ScriptBreakpointAction>.
1705         <https://webkit.org/b/132201>
1706
1707         Reviewed by Joseph Pecoraro.
1708
1709         BreakpointActions is Vector<ScriptBreakpointAction>.  Let's just consistently use
1710         BreakpointActions everywhere.
1711
1712         * inspector/ScriptBreakpoint.h:
1713         (Inspector::ScriptBreakpoint::ScriptBreakpoint):
1714         * inspector/ScriptDebugServer.cpp:
1715         (Inspector::ScriptDebugServer::setBreakpoint):
1716         (Inspector::ScriptDebugServer::getActionsForBreakpoint):
1717         * inspector/ScriptDebugServer.h:
1718         * inspector/agents/InspectorDebuggerAgent.cpp:
1719         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
1720         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1721         (Inspector::InspectorDebuggerAgent::setBreakpoint):
1722         (Inspector::InspectorDebuggerAgent::removeBreakpoint):
1723         * inspector/agents/InspectorDebuggerAgent.h:
1724
1725 2014-04-24  Filip Pizlo  <fpizlo@apple.com>
1726
1727         DFG worklist scanning should not treat the key as a separate entity
1728         https://bugs.webkit.org/show_bug.cgi?id=132167
1729
1730         Reviewed by Mark Hahnenberg.
1731         
1732         This simplifies the interface to the GC and will enable more optimizations.
1733
1734         * dfg/DFGCompilationKey.cpp:
1735         (JSC::DFG::CompilationKey::visitChildren): Deleted.
1736         * dfg/DFGCompilationKey.h:
1737         * dfg/DFGPlan.cpp:
1738         (JSC::DFG::Plan::visitChildren):
1739         * dfg/DFGWorklist.cpp:
1740         (JSC::DFG::Worklist::visitChildren):
1741
1742 2014-04-25  Oliver Hunt  <oliver@apple.com>
1743
1744         Remove unused parameter from codeblock linking function
1745         https://bugs.webkit.org/show_bug.cgi?id=132199
1746
1747         Reviewed by Anders Carlsson.
1748
1749         No change in behaviour. This is just a small change to make it
1750         slightly easier to reason about what the offsets in UnlinkedFunctionExecutable
1751         actually mean.
1752
1753         * bytecode/UnlinkedCodeBlock.cpp:
1754         (JSC::UnlinkedFunctionExecutable::link):
1755         * bytecode/UnlinkedCodeBlock.h:
1756         * runtime/Executable.cpp:
1757         (JSC::ProgramExecutable::initializeGlobalProperties):
1758
1759 2014-04-25  Andreas Kling  <akling@apple.com>
1760
1761         Mark some things with WTF_MAKE_FAST_ALLOCATED.
1762         <https://webkit.org/b/132198>
1763
1764         Use FastMalloc for more things.
1765
1766         Reviewed by Anders Carlsson.
1767
1768         * builtins/BuiltinExecutables.h:
1769         * heap/GCThreadSharedData.h:
1770         * inspector/JSConsoleClient.h:
1771         * inspector/agents/InspectorAgent.h:
1772         * runtime/CodeCache.h:
1773         * runtime/JSGlobalObject.h:
1774         * runtime/Lookup.cpp:
1775         (JSC::HashTable::createTable):
1776         (JSC::HashTable::deleteTable):
1777         * runtime/WeakGCMap.h:
1778
1779 2014-04-25  Antoine Quint  <graouts@webkit.org>
1780
1781         Implement Array.prototype.find()
1782         https://bugs.webkit.org/show_bug.cgi?id=130966
1783
1784         Reviewed by Oliver Hunt.
1785
1786         Implement Array.prototype.find() and Array.prototype.findIndex() as proposed in the Harmony spec.
1787
1788         * builtins/Array.prototype.js:
1789         (find):
1790         (findIndex):
1791         * runtime/ArrayPrototype.cpp:
1792
1793 2014-04-24  Brady Eidson  <beidson@apple.com>
1794
1795         Rename "IMAGE_CONTROLS" feature to "SERVICE_CONTROLS"
1796         https://bugs.webkit.org/show_bug.cgi?id=132155
1797
1798         Reviewed by Tim Horton.
1799
1800         * Configurations/FeatureDefines.xcconfig:
1801
1802 2014-04-24  Michael Saboff  <msaboff@apple.com>
1803
1804         REGRESSION: Apparent hang of PCE.js Mac OS System 7.0.1 on ARM64 devices
1805         https://bugs.webkit.org/show_bug.cgi?id=132147
1806
1807         Reviewed by Mark Lam.
1808
1809         Fixed or64(), eor32() and eor64() to use the "src" register when we have a valid logicalImm.
1810
1811         * assembler/MacroAssemblerARM64.h:
1812         (JSC::MacroAssemblerARM64::or64):
1813         (JSC::MacroAssemblerARM64::xor32):
1814         (JSC::MacroAssemblerARM64::xor64):
1815         * tests/stress/regress-132147.js: Added test.
1816
1817 2014-04-24  Mark Lam  <mark.lam@apple.com>
1818
1819         Make slowPathAllocsBetweenGCs a runtime option.
1820         <https://webkit.org/b/132137>
1821
1822         Reviewed by Mark Hahnenberg.
1823
1824         This will make it easier to more casually run tests with this configuration
1825         as well as to reproduce issues (instead of requiring a code mod and rebuild).
1826         We will now take --slowPathAllocsBetweenGCs=N where N is the number of
1827         slow path allocations before we trigger a collection.
1828
1829         The option defaults to 0, which is reserved to mean that we will not trigger
1830         any collections there.
1831
1832         * heap/Heap.h:
1833         * heap/MarkedAllocator.cpp:
1834         (JSC::MarkedAllocator::doTestCollectionsIfNeeded):
1835         (JSC::MarkedAllocator::allocateSlowCase):
1836         * heap/MarkedAllocator.h:
1837         * runtime/Options.h:
1838
1839 2014-04-23  Mark Lam  <mark.lam@apple.com>
1840
1841         The GC should only resume compiler threads that it suspended in the same GC pass.
1842         <https://webkit.org/b/132088>
1843
1844         Reviewed by Mark Hahnenberg.
1845
1846         Previously, this scenario could occur:
1847         1. Thread 1 starts a GC and tries to suspend DFG worklist threads.  However,
1848            no worklists were created yet at that time.
1849         2. Thread 2 starts to compile some functions and creates a DFG worklist, and
1850            acquires the worklist thread's lock.
1851         3. Thread 1's GC completes and tries to resume suspended DFG worklist thread.
1852            This time, it sees the worklist created by Thread 2 and ends up unlocking
1853            the worklist thread's lock that is supposedly held by Thread 2.
1854         Thereafter, chaos ensues.
1855
1856         The fix is to cache the worklists that were actually suspended by each GC pass,
1857         and only resume those when the GC is done.
1858
1859         This issue was discovered by enabling COLLECT_ON_EVERY_ALLOCATION and running
1860         the fast/workers layout tests.
1861
1862         * heap/Heap.cpp:
1863         (JSC::Heap::visitCompilerWorklists):
1864         (JSC::Heap::deleteAllCompiledCode):
1865         (JSC::Heap::suspendCompilerThreads):
1866         (JSC::Heap::resumeCompilerThreads):
1867         * heap/Heap.h:
1868
1869 2014-04-23  Mark Hahnenberg  <mhahnenberg@apple.com>
1870
1871         Arguments::copyBackingStore needs to update m_registers in tandem with m_registerArray
1872         https://bugs.webkit.org/show_bug.cgi?id=132079
1873
1874         Reviewed by Michael Saboff.
1875
1876         Since we're moving the register backing store, we don't want to leave a dangling pointer into a random CopiedBlock.
1877
1878         Also added a test that previously triggered this bug.
1879
1880         * runtime/Arguments.cpp:
1881         (JSC::Arguments::copyBackingStore): D'oh!
1882         * tests/stress/arguments-copy-register-array-backing-store.js: Added.
1883         (foo):
1884         (bar):
1885
1886 2014-04-23  Mark Rowe  <mrowe@apple.com>
1887
1888         [Mac] REGRESSION (r164823): Building JavaScriptCore creates files under /tmp/JavaScriptCore.dst
1889         <https://webkit.org/b/132053>
1890
1891         Reviewed by Dan Bernstein.
1892
1893         * JavaScriptCore.xcodeproj/project.pbxproj: Don't try to create a symlink at /usr/local/bin/jsc inside
1894         the DSTROOT unless we're building to the deployment location. Also remove the unnecessary -x argument
1895         from /bin/sh since that generates unnecessary output.
1896
1897 2014-04-22  Mark Lam  <mark.lam@apple.com>
1898
1899         DFG::Worklist should acquire the m_lock before iterating DFG plans.
1900         <https://webkit.org/b/132032>
1901
1902         Reviewed by Filip Pizlo.
1903
1904         Currently, there's a rightToRun mechanism that ensures that no compilation
1905         threads are running when the GC is iterating through the DFG worklists.
1906         However, this does not prevent a Worker thread from doing a DFG compilation
1907         and modifying the plans in the worklists thereby invalidating the plan
1908         iterator that the GC is using.  This patch fixes the issue by acquiring
1909         the worklist m_lock before iterating the worklist plans.
1910
1911         This issue was uncovered by running the fast/workers layout tests with
1912         COLLECT_ON_EVERY_ALLOCATION enabled.
1913
1914         * dfg/DFGWorklist.cpp:
1915         (JSC::DFG::Worklist::isActiveForVM):
1916         (JSC::DFG::Worklist::visitChildren):
1917
1918 2014-04-22  Brent Fulgham  <bfulgham@apple.com>
1919
1920         [Win] Support Python 2.7 in Cygwin
1921         https://bugs.webkit.org/show_bug.cgi?id=132023
1922
1923         Reviewed by Michael Saboff.
1924
1925         * DerivedSources.make: Use a conditional variable to define
1926         the path to Python/Perl.
1927
1928 2014-04-22  Filip Pizlo  <fpizlo@apple.com>
1929
1930         Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS
1931         https://bugs.webkit.org/show_bug.cgi?id=130867
1932         <rdar://problem/16432456> 
1933
1934         Reviewed by Mark Hahnenberg.
1935
1936         * Configurations/Base.xcconfig:
1937         * Configurations/LLVMForJSC.xcconfig:
1938
1939 2014-04-22  Alex Christensen  <achristensen@webkit.org>
1940
1941         [Win] Unreviewed build fix after my r167666.
1942
1943         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
1944         Added ../../../ again to include headers in Source/JavaScriptCore.
1945
1946 2014-04-22  Alex Christensen  <achristensen@webkit.org>
1947
1948         Removed old stdbool and inttypes headers.
1949         https://bugs.webkit.org/show_bug.cgi?id=131966
1950
1951         Reviewed by Brent Fulgham.
1952
1953         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
1954         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
1955         Removed references to os-win32 directory.
1956         * os-win32: Removed.
1957         * os-win32/inttypes.h: Removed.
1958         * os-win32/stdbool.h: Removed.
1959
1960 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
1961
1962         DFG::clobberize() should honestly admit that profiler and debugger nodes are effectful
1963         https://bugs.webkit.org/show_bug.cgi?id=131971
1964         <rdar://problem/16676511>
1965
1966         Reviewed by Mark Lam.
1967
1968         * dfg/DFGClobberize.h:
1969         (JSC::DFG::clobberize):
1970
1971 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
1972
1973         Switch statements that skip the baseline JIT should work
1974         https://bugs.webkit.org/show_bug.cgi?id=131965
1975
1976         Reviewed by Mark Hahnenberg.
1977
1978         * bytecode/JumpTable.h:
1979         (JSC::SimpleJumpTable::ensureCTITable):
1980         * dfg/DFGSpeculativeJIT.cpp:
1981         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1982         * jit/JITOpcodes.cpp:
1983         (JSC::JIT::emit_op_switch_imm):
1984         (JSC::JIT::emit_op_switch_char):
1985         * jit/JITOpcodes32_64.cpp:
1986         (JSC::JIT::emit_op_switch_imm):
1987         (JSC::JIT::emit_op_switch_char):
1988         * tests/stress/inline-llint-with-switch.js: Added.
1989         (foo):
1990         (bar):
1991         (test):
1992
1993 2014-04-21  Mark Hahnenberg  <mhahnenberg@apple.com>
1994
1995         Arguments objects shouldn't need a destructor
1996         https://bugs.webkit.org/show_bug.cgi?id=131899
1997
1998         Reviewed by Oliver Hunt.
1999
2000         This patch rids Arguments objects of their destructors. It does this by 
2001         switching their backing stores to use CopiedSpace rather than malloc memory.
2002
2003         * dfg/DFGSpeculativeJIT.cpp:
2004         (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Fix the code emitted for inline
2005         Arguments allocation so that it only emits an extra write for strict mode code rather
2006         than unconditionally.
2007         * heap/CopyToken.h: New CopyTokens for the two different types of Arguments backing stores.
2008         * runtime/Arguments.cpp:
2009         (JSC::Arguments::visitChildren): We need to tell the collector to copy the backing stores now.
2010         (JSC::Arguments::copyBackingStore): Do the actual copying of the backing stores.
2011         (JSC::Arguments::deletePropertyByIndex): Update all the accesses to SlowArgumentData and m_registerArray.
2012         (JSC::Arguments::deleteProperty):
2013         (JSC::Arguments::defineOwnProperty):
2014         (JSC::Arguments::allocateRegisterArray):
2015         (JSC::Arguments::tearOff):
2016         (JSC::Arguments::destroy): Deleted. We don't need the destructor any more.
2017         * runtime/Arguments.h:
2018         (JSC::Arguments::registerArraySizeInBytes):
2019         (JSC::Arguments::SlowArgumentData::SlowArgumentData): Switch SlowArgumentData to being allocated
2020         in CopiedSpace. Now the SlowArgumentData and its backing store are a single contiguous CopiedSpace
2021         allocation.
2022         (JSC::Arguments::SlowArgumentData::slowArguments):
2023         (JSC::Arguments::SlowArgumentData::bytecodeToMachineCaptureOffset):
2024         (JSC::Arguments::SlowArgumentData::setBytecodeToMachineCaptureOffset):
2025         (JSC::Arguments::SlowArgumentData::sizeForNumArguments):
2026         (JSC::Arguments::Arguments):
2027         (JSC::Arguments::allocateSlowArguments):
2028         (JSC::Arguments::tryDeleteArgument):
2029         (JSC::Arguments::isDeletedArgument):
2030         (JSC::Arguments::isArgument):
2031         (JSC::Arguments::argument):
2032         (JSC::Arguments::finishCreation):
2033         * runtime/SymbolTable.h:
2034
2035 2014-04-21  Eric Carlson  <eric.carlson@apple.com>
2036
2037         [Mac] implement WebKitDataCue
2038         https://bugs.webkit.org/show_bug.cgi?id=131799
2039
2040         Reviewed by Dean Jackson.
2041
2042         * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.
2043
2044 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
2045
2046         Unreviewed test gardening, run the repeat-out-of-bounds tests again.
2047
2048         * tests/stress/float32-repeat-out-of-bounds.js:
2049         * tests/stress/int8-repeat-out-of-bounds.js:
2050
2051 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
2052
2053         OSR exit should know about Int52 and Double constants
2054         https://bugs.webkit.org/show_bug.cgi?id=131945
2055
2056         Reviewed by Oliver Hunt.
2057         
2058         The DFG OSR exit machinery's ignorance would lead to some constants becoming
2059         jsUndefined() after OSR exit.
2060         
2061         The FTL OSR exit machinery's ignorance just meant that we would sometimes use a
2062         stackmap constant rather than baking the constant into the OSRExit data structure.
2063         So, not a big deal, but worth fixing.
2064         
2065         Also added some helpful hacks to jsc.cpp for testing such OSR exit pathologies.
2066
2067         * dfg/DFGByteCodeParser.cpp:
2068         (JSC::DFG::ByteCodeParser::handleIntrinsic):
2069         * dfg/DFGMinifiedNode.h:
2070         (JSC::DFG::belongsInMinifiedGraph):
2071         (JSC::DFG::MinifiedNode::hasConstantNumber):
2072         * ftl/FTLLowerDFGToLLVM.cpp:
2073         (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
2074         * jsc.cpp:
2075         (GlobalObject::finishCreation):
2076         (functionOtherFalse):
2077         (functionUndefined):
2078         * runtime/Intrinsic.h:
2079         * tests/stress/fold-to-double-constant-then-exit.js: Added.
2080         (foo):
2081         * tests/stress/fold-to-int52-constant-then-exit.js: Added.
2082         (foo):
2083
2084 2014-04-21  Filip Pizlo  <fpizlo@apple.com>
2085
2086         Provide feedback when we encounter an unrecognized node in the FTL backend.
2087
2088         Rubber stamped by Alexey Proskuryakov.
2089
2090         * ftl/FTLLowerDFGToLLVM.cpp:
2091         (JSC::FTL::LowerDFGToLLVM::compileNode):
2092
2093 2014-04-21  Andreas Kling  <akling@apple.com>
2094
2095         Move the JSString cache from DOMWrapperWorld to VM.
2096         <https://webkit.org/b/131940>
2097
2098         Reviewed by Geoff Garen.
2099
2100         * runtime/VM.h:
2101
2102 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
2103
2104         Take block execution count estimates into account when voting double
2105         https://bugs.webkit.org/show_bug.cgi?id=131906
2106
2107         Reviewed by Geoffrey Garen.
2108         
2109         This was a drama in three acts.
2110         
2111         Act I: Slurp in BasicBlock::executionCount and use it as a weight when counting the
2112             number of uses of a variable that want double or non-double. Easy as pie. This
2113             gave me a huge speed-up on FloatMM and a huge slow-down on basically everything
2114             else.
2115         
2116         Act II: Realize that there were some programs where our previous double voting was
2117             just on the edge of disaster and making it more precise tipped it over. In
2118             particular, if you had an integer variable that would infrequently be used in a
2119             computation that resulted in a variable that was frequently used as an array index,
2120             the outer infrequentness would be the thing we'd use in the vote. So, an array
2121             index would become double. We fix this by reviving global backwards propagation
2122             and introducing the concept of ReallyWantsInt, which is used just for array
2123             indices. Any variable transitively flagged as ReallyWantsInt will never be forced
2124             double. We need that flag to be separate from UsedAsInt, since UsedAsInt needs to
2125             be set in bitops for RageConversion but using it for double forcing is too much.
2126             Basically, it's cheaper to have to convert a double to an int for a bitop than it
2127             is to convert a double to an int for an array index; also a variable being used as
2128             an array index is a much stronger hint that it ought to be an int. This recovered
2129             performance on everything except programs that used FTL OSR entry.
2130         
2131         Act III: Realize that OSR entrypoint creation creates blocks that have NaN execution
2132             count, which then completely pollutes the weighting - essentially all votes go
2133             NaN. Fix this with some surgical defenses. Basically, any client of execution
2134             counts should allow for them to be NaN and shouldn't completely fall off a cliff
2135             when it happens.
2136         
2137         This is awesome. 75% speed-up on FloatMM. 11% speed-up on audio-dft. This leads to
2138         7% speed-up on AsmBench and 2% speed-up on Kraken.
2139
2140         * CMakeLists.txt:
2141         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2142         * JavaScriptCore.xcodeproj/project.pbxproj:
2143         * dfg/DFGBackwardsPropagationPhase.cpp:
2144         (JSC::DFG::BackwardsPropagationPhase::run):
2145         (JSC::DFG::BackwardsPropagationPhase::propagate):
2146         * dfg/DFGGraph.cpp:
2147         (JSC::DFG::Graph::dumpBlockHeader):
2148         * dfg/DFGGraph.h:
2149         (JSC::DFG::Graph::voteNode):
2150         (JSC::DFG::Graph::voteChildren):
2151         * dfg/DFGNodeFlags.cpp:
2152         (JSC::DFG::dumpNodeFlags):
2153         * dfg/DFGNodeFlags.h:
2154         * dfg/DFGOSREntrypointCreationPhase.cpp:
2155         (JSC::DFG::OSREntrypointCreationPhase::run):
2156         * dfg/DFGPlan.cpp:
2157         (JSC::DFG::Plan::compileInThreadImpl):
2158         * dfg/DFGPredictionPropagationPhase.cpp:
2159         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
2160         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
2161         * dfg/DFGVariableAccessData.cpp: Added.
2162         (JSC::DFG::VariableAccessData::VariableAccessData):
2163         (JSC::DFG::VariableAccessData::mergeIsCaptured):
2164         (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox):
2165         (JSC::DFG::VariableAccessData::predict):
2166         (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction):
2167         (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
2168         (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
2169         (JSC::DFG::VariableAccessData::mergeDoubleFormatState):
2170         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
2171         (JSC::DFG::VariableAccessData::flushFormat):
2172         * dfg/DFGVariableAccessData.h:
2173         (JSC::DFG::VariableAccessData::vote):
2174         (JSC::DFG::VariableAccessData::VariableAccessData): Deleted.
2175         (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
2176         (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox): Deleted.
2177         (JSC::DFG::VariableAccessData::predict): Deleted.
2178         (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction): Deleted.
2179         (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote): Deleted.
2180         (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat): Deleted.
2181         (JSC::DFG::VariableAccessData::mergeDoubleFormatState): Deleted.
2182         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat): Deleted.
2183         (JSC::DFG::VariableAccessData::flushFormat): Deleted.
2184
2185 2014-04-21  Michael Saboff  <msaboff@apple.com>
2186
2187         REGRESSION(r167591): ARM64 and ARM traditional builds broken
2188         https://bugs.webkit.org/show_bug.cgi?id=131935
2189
2190         Reviewed by Mark Hahnenberg.
2191
2192         Added store8(TrustedImm32, MacroAssembler::Address) to the ARM traditional and ARM64
2193         macro assemblers.  Added a new test for the original patch.
2194
2195         * assembler/MacroAssemblerARM.h:
2196         (JSC::MacroAssemblerARM::store8):
2197         * assembler/MacroAssemblerARM64.h:
2198         (JSC::MacroAssemblerARM64::store8):
2199         * tests/stress/dfg-create-arguments-inline-alloc.js: New test.
2200
2201 2014-04-21  Mark Hahnenberg  <mhahnenberg@apple.com>
2202
2203         Inline allocate Arguments objects in the DFG
2204         https://bugs.webkit.org/show_bug.cgi?id=131897
2205
2206         Reviewed by Geoffrey Garen.
2207
2208         Many libraries/frameworks depend on the arguments object for overloaded API entry points. 
2209         This is the first step to making Arguments fast(er). We'll duplicate the logic in Arguments::create 
2210         for now and take the slow path for complicated cases like slow arguments, tearing off for strict mode, etc.
2211
2212         * dfg/DFGSpeculativeJIT.cpp:
2213         (JSC::DFG::SpeculativeJIT::emitAllocateArguments):
2214         * dfg/DFGSpeculativeJIT.h:
2215         (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
2216         * dfg/DFGSpeculativeJIT32_64.cpp:
2217         (JSC::DFG::SpeculativeJIT::compile):
2218         * dfg/DFGSpeculativeJIT64.cpp:
2219         (JSC::DFG::SpeculativeJIT::compile):
2220         * runtime/Arguments.h:
2221         (JSC::Arguments::offsetOfActivation):
2222         (JSC::Arguments::offsetOfOverrodeLength):
2223         (JSC::Arguments::offsetOfIsStrictMode):
2224         (JSC::Arguments::offsetOfRegisterArray):
2225         (JSC::Arguments::offsetOfCallee):
2226         (JSC::Arguments::allocationSize):
2227
2228 2014-04-20  Andreas Kling  <akling@apple.com>
2229
2230         Speed up jsStringWithCache() through WeakGCMap inlining.
2231         <https://webkit.org/b/131923>
2232
2233         Always inline WeakGCMap::add() but move the slow garbage collecting
2234         path out-of-line.
2235
2236         Reviewed by Darin Adler.
2237
2238         * runtime/WeakGCMap.h:
2239         (JSC::WeakGCMap::add):
2240         (JSC::WeakGCMap::gcMap):
2241
2242 2014-04-20  László Langó  <llango.u-szeged@partner.samsung.com>
2243
2244         JavaScriptCore: ARM build fix after r167094.
2245         https://bugs.webkit.org/show_bug.cgi?id=131612
2246
2247         Reviewed by Michael Saboff.
2248
2249         After r167094 there are many build errors on ARM like these:
2250
2251             /tmp/ccgtHRno.s:370: Error: invalid constant (425a) after fixup
2252             /tmp/ccgtHRno.s:374: Error: invalid constant (426e) after fixup
2253             /tmp/ccgtHRno.s:378: Error: invalid constant (4282) after fixup
2254             /tmp/ccgtHRno.s:382: Error: invalid constant (4296) after fixup
2255
2256         Problem is caused by the wrong generated assembly like:
2257             "\tmov r2, (" LOCAL_LABEL_STRING(llint_op_strcat) " - " LOCAL_LABEL_STRING(relativePCBase) ")\n" // /home/webkit/WebKit/Source/JavaScriptCore/llint/LowLevelInterpreter.asm:741
2258
2259         `mov` can only move an 8-bit immediate, but not every constant fits into 8 bits. Clang converts
2260         the mov to a single movw or a movw and a movt, depending on the immediate, but binutils doesn't.
2261         Add a new ARM-specific offline assembler instruction (`mvlbl`) for the following llint_entry
2262         use case: move rn, (label1-label2) which is translated to movw and movt.
2263
2264         * llint/LowLevelInterpreter.asm:
2265         * offlineasm/arm.rb:
2266         * offlineasm/instructions.rb:
2267
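The constraint the entry above describes, as an added example that is not part of the ChangeLog or of WebKit's offlineasm: an A32 `mov rd, #imm` can only encode an 8-bit value rotated right by an even amount, so a constant such as 0x425a has to be materialised with `movw` (and `movt` when the upper half is non-zero). The function names below are the example's own; the four constants are the ones quoted in the binutils errors.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not WebKit code: decide whether a 32-bit constant fits an
 * A32 "mov rd, #imm" and otherwise expand it to movw/movt, the way the
 * ChangeLog entry says clang does. Function names are this example's own. */

static uint32_t rotl32(uint32_t v, unsigned n)
{
    n &= 31;
    return n ? (v << n) | (v >> (32 - n)) : v;
}

/* An A32 data-processing immediate is an 8-bit value rotated right by an even
 * amount (0, 2, ..., 30). imm is encodable iff rotating it left by one of
 * those amounts leaves a value that fits in 8 bits. */
bool arm_mov_encodable(uint32_t imm)
{
    for (unsigned rot = 0; rot < 16; rot++) {
        if (rotl32(imm, 2 * rot) <= 0xFFu)
            return true;
    }
    return false;
}

/* Number of instructions needed to put imm in a register: 1 for an encodable
 * mov or for a movw alone (upper half zero), 2 for movw + movt. */
int arm_mov_imm_count(uint32_t imm)
{
    if (arm_mov_encodable(imm))
        return 1;
    return (imm >> 16) ? 2 : 1;
}

/* Render the instruction sequence as text, ';'-separated. Returns a static
 * buffer, so copy the result out if it must survive the next call. */
const char *arm_mov_imm_text(const char *reg, uint32_t imm)
{
    static char buf[96];
    if (arm_mov_encodable(imm)) {
        snprintf(buf, sizeof buf, "mov %s, #0x%x", reg, (unsigned)imm);
    } else if ((imm >> 16) == 0) {
        /* movw zero-extends into the upper half, so no movt is required. */
        snprintf(buf, sizeof buf, "movw %s, #0x%x", reg, (unsigned)(imm & 0xFFFFu));
    } else {
        snprintf(buf, sizeof buf, "movw %s, #0x%x; movt %s, #0x%x",
                 reg, (unsigned)(imm & 0xFFFFu), reg, (unsigned)(imm >> 16));
    }
    return buf;
}

int main(void)
{
    /* The four constants from the binutils errors quoted in the entry. */
    uint32_t failing[] = { 0x425a, 0x426e, 0x4282, 0x4296 };
    for (size_t i = 0; i < sizeof failing / sizeof failing[0]; i++)
        printf("0x%04x: %s\n", (unsigned)failing[i], arm_mov_imm_text("r2", failing[i]));
    printf("0xff00: %s\n", arm_mov_imm_text("r2", 0xff00));
    return 0;
}
```

For a label difference such as `llint_op_strcat - relativePCBase` the value is not known when the offline assembler runs, so the encodability test cannot be applied at all; that is why `mvlbl` always emits the movw/movt pair and leaves the split to the assembler's `:lower16:`/`:upper16:` relocations.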
2268 2014-04-20  Csaba Osztrogonác  <ossy@webkit.org>
2269
2270         [ARM] Unreviewed build fix after r167336.
2271
2272         * assembler/MacroAssemblerARM.h:
2273         (JSC::MacroAssemblerARM::branchAdd32):
2274
2275 2014-04-20  Commit Queue  <commit-queue@webkit.org>
2276
2277         Unreviewed, rolling out r167501.
2278         https://bugs.webkit.org/show_bug.cgi?id=131913
2279
2280         It broke DYEBench (Requested by mhahnenberg on #webkit).
2281
2282         Reverted changeset:
2283
2284         "Deleting properties poisons objects"
2285         https://bugs.webkit.org/show_bug.cgi?id=131551
2286         http://trac.webkit.org/changeset/167501
2287
2288 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
2289
2290         It should be OK to store new fields into objects that have no prototypes
2291         https://bugs.webkit.org/show_bug.cgi?id=131905
2292
2293         Reviewed by Mark Hahnenberg.
2294
2295         * dfg/DFGByteCodeParser.cpp:
2296         (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
2297         * tests/stress/put-by-id-transition-null-prototype.js: Added.
2298         (foo):
2299
2300 2014-04-19  Benjamin Poulain  <bpoulain@apple.com>
2301
2302         Make the CSS JIT compile for ARM64
2303         https://bugs.webkit.org/show_bug.cgi?id=131834
2304
2305         Reviewed by Gavin Barraclough.
2306
2307         Extend the ARM64 MacroAssembler to support the code generation required by
2308         the CSS JIT.
2309
2310         * assembler/MacroAssembler.h:
2311         * assembler/MacroAssemblerARM64.h:
2312         (JSC::MacroAssemblerARM64::addPtrNoFlags):
2313         (JSC::MacroAssemblerARM64::or32):
2314         (JSC::MacroAssemblerARM64::branchPtr):
2315         (JSC::MacroAssemblerARM64::test32):
2316         (JSC::MacroAssemblerARM64::branch):
2317         * assembler/MacroAssemblerX86Common.h:
2318         (JSC::MacroAssemblerX86Common::test32):
2319
2320 2014-04-19  Andreas Kling  <akling@apple.com>
2321
2322         Two little shortcuts to the JSType.
2323         <https://webkit.org/b/131896>
2324
2325         Tweak two sites that take the long road through JSCell::structure()->typeInfo()
2326         to look at data that's already in JSCell::type().
2327
2328         Reviewed by Darin Adler.
2329
2330         * runtime/NameInstance.h:
2331         (JSC::isName):
2332         * runtime/NumberPrototype.cpp:
2333         (JSC::toThisNumber):
2334
2335 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
2336
2337         Make it easier to check if an integer sum would overflow
2338         https://bugs.webkit.org/show_bug.cgi?id=131900
2339
2340         Reviewed by Darin Adler.
2341
2342         * dfg/DFGOperations.cpp:
2343         * runtime/Operations.h:
2344         (JSC::jsString):
2345
2346 2014-04-19  Filip Pizlo  <fpizlo@apple.com>
2347
2348         Address some feedback on https://bugs.webkit.org/show_bug.cgi?id=130684.
2349
2350         * dfg/DFGOperations.cpp:
2351         * runtime/JSString.h:
2352         (JSC::JSRopeString::RopeBuilder::append):
2353
2354 2014-04-18  Mark Lam  <mark.lam@apple.com>
2355
2356         REGRESSION(r164205): WebKit crash @StructureIDTable::get.
2357         <https://webkit.org/b/130539>
2358
2359         Reviewed by Geoffrey Garen.
2360
2361         prepareOSREntry() prepares for OSR entry by first copying the local var
2362         values from the baseline frame to a scratch buffer, which is then used
2363         to fill in the locals in their new position in the DFG frame.  Unfortunately,
2364         prepareOSREntry() was using the DFG frame's frameRegisterCount as the frame
2365         size of the baseline frame.  As a result, some values of locals in the
2366         baseline frame were not saved off, and the DFG frame may get initialized
2367         with random content that happened to be in the uninitialized (and possibly
2368         unallocated) portions of the scratch buffer.
2369
2370         The fix is to use OSREntryData::m_expectedValues.numberOfLocals() as the
2371         number of locals in the baseline frame that we want to copy to the scratch
2372         buffer.
2373
2374         Note: osrEntryThunkGenerator() is expecting the DFG frameRegisterCount
2375         at offset 0 in the scratch buffer.  So, we continue to write that value
2376         there, not the baseline frame size.
2377
2378         * dfg/DFGOSREntry.cpp:
2379         (JSC::DFG::prepareOSREntry):
2380
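The sizing rule behind the fix above, as an added example that is not JavaScriptCore code: the number of locals copied out of the baseline frame must come from the baseline side (here a count the caller supplies, standing in for OSREntryData::m_expectedValues.numberOfLocals()), never from the DFG frame's frameRegisterCount, and the copy must be bounds-checked against both the source frame and the scratch buffer. The struct names, the sentinel value and the constructed frame are this example's own; the only layout detail taken from the entry is that slot 0 of the scratch buffer holds the DFG frameRegisterCount.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not JavaScriptCore code: a model of the copy that
 * prepareOSREntry() performs, with the sizing rule the fix applies. */

typedef struct {
    const uint64_t *locals;   /* the baseline frame's local slots */
    size_t num_locals;        /* how many of them actually exist */
} BaselineFrame;

typedef struct {
    uint64_t *slots;
    size_t capacity;          /* number of uint64_t slots */
} ScratchBuffer;

#define SCRATCH_UNWRITTEN 0xDEADBEEFDEADBEEFULL  /* sentinel for "never written" */

/* Copies locals_to_copy locals into scratch->slots[1..]. Returns 0 on success,
 * -1 if the request would read past the baseline frame or write past the
 * scratch buffer. */
int prepare_osr_entry(const BaselineFrame *baseline, size_t dfg_frame_register_count,
                      size_t locals_to_copy, ScratchBuffer *scratch)
{
    if (locals_to_copy > baseline->num_locals)
        return -1;   /* would read memory beyond the baseline frame */
    if (scratch->capacity == 0 || locals_to_copy > scratch->capacity - 1)
        return -1;   /* would overflow the scratch buffer */

    scratch->slots[0] = dfg_frame_register_count;   /* what the entry thunk reads at offset 0 */
    memcpy(&scratch->slots[1], baseline->locals, locals_to_copy * sizeof(uint64_t));
    return 0;
}

/* Pre-fill the scratch buffer so that anything the copy skipped is visible. */
void reset_scratch(ScratchBuffer *scratch)
{
    for (size_t i = 0; i < scratch->capacity; i++)
        scratch->slots[i] = SCRATCH_UNWRITTEN;
}

/* How many of the baseline's locals were never copied: these are the slots the
 * DFG frame would have been initialised from stale scratch-buffer content. */
size_t unsaved_locals(const ScratchBuffer *scratch, const BaselineFrame *baseline)
{
    size_t missing = 0;
    for (size_t i = 0; i < baseline->num_locals; i++) {
        if (1 + i >= scratch->capacity || scratch->slots[1 + i] == SCRATCH_UNWRITTEN)
            missing++;
    }
    return missing;
}

/* Constructed scenario: a baseline frame with four locals entering a DFG
 * frame whose frameRegisterCount is 2. */
static const uint64_t kBaselineLocals[4] = { 10, 20, 30, 40 };
const BaselineFrame kBaseline = { kBaselineLocals, 4 };

/* Runs the copy with the given count into a fresh scratch buffer and reports
 * how many locals went missing; SIZE_MAX means the request was refused. */
size_t run_scenario(size_t locals_to_copy)
{
    uint64_t storage[8];
    ScratchBuffer scratch = { storage, 8 };
    reset_scratch(&scratch);
    if (prepare_osr_entry(&kBaseline, 2, locals_to_copy, &scratch) != 0)
        return SIZE_MAX;
    return unsaved_locals(&scratch, &kBaseline);
}
```

Passing the DFG count (2) reproduces the symptom the entry describes, two locals never saved; passing the baseline's own count saves all four; a count larger than the frame is refused rather than over-read.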
2381 2014-04-18  Timothy Hatcher  <timothy@apple.com>
2382
2383         Web Inspector: Move InspectorProfilerAgent to JavaScriptCore
2384         https://bugs.webkit.org/show_bug.cgi?id=131673
2385
2386         Passes existing profiler and inspector tests.
2387
2388         Reviewed by Joseph Pecoraro.
2389
2390         * CMakeLists.txt:
2391         * DerivedSources.make:
2392         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2393         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2394         * JavaScriptCore.xcodeproj/project.pbxproj:
2395         * inspector/JSConsoleClient.cpp:
2396         (Inspector::JSConsoleClient::JSConsoleClient):
2397         (Inspector::JSConsoleClient::profile):
2398         (Inspector::JSConsoleClient::profileEnd):
2399         (Inspector::JSConsoleClient::count): Deleted.
2400         * inspector/JSConsoleClient.h:
2401         * inspector/JSGlobalObjectInspectorController.cpp:
2402         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2403         * inspector/agents/InspectorProfilerAgent.cpp: Added.
2404         (Inspector::InspectorProfilerAgent::InspectorProfilerAgent):
2405         (Inspector::InspectorProfilerAgent::~InspectorProfilerAgent):
2406         (Inspector::InspectorProfilerAgent::addProfile):
2407         (Inspector::InspectorProfilerAgent::createProfileHeader):
2408         (Inspector::InspectorProfilerAgent::enable):
2409         (Inspector::InspectorProfilerAgent::disable):
2410         (Inspector::InspectorProfilerAgent::getUserInitiatedProfileName):
2411         (Inspector::InspectorProfilerAgent::getProfileHeaders):
2412         (Inspector::buildInspectorObject):
2413         (Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
2414         (Inspector::InspectorProfilerAgent::getCPUProfile):
2415         (Inspector::InspectorProfilerAgent::removeProfile):
2416         (Inspector::InspectorProfilerAgent::reset):
2417         (Inspector::InspectorProfilerAgent::didCreateFrontendAndBackend):
2418         (Inspector::InspectorProfilerAgent::willDestroyFrontendAndBackend):
2419         (Inspector::InspectorProfilerAgent::start):
2420         (Inspector::InspectorProfilerAgent::stop):
2421         (Inspector::InspectorProfilerAgent::setRecordingProfile):
2422         (Inspector::InspectorProfilerAgent::startProfiling):
2423         (Inspector::InspectorProfilerAgent::stopProfiling):
2424         * inspector/agents/InspectorProfilerAgent.h: Added.
2425         * inspector/agents/JSGlobalObjectProfilerAgent.cpp: Copied from Source/WebCore/inspector/ScriptProfile.idl.
2426         (Inspector::JSGlobalObjectProfilerAgent::JSGlobalObjectProfilerAgent):
2427         (Inspector::JSGlobalObjectProfilerAgent::profilingGlobalExecState):
2428         * inspector/agents/JSGlobalObjectProfilerAgent.h: Copied from Source/WebCore/inspector/ScriptProfile.idl.
2429         * inspector/protocol/Profiler.json: Renamed from Source/WebCore/inspector/protocol/Profiler.json.
2430         * profiler/Profile.h:
2431         * runtime/ConsoleClient.h:
2432
2433 2014-04-18  Commit Queue  <commit-queue@webkit.org>
2434
2435         Unreviewed, rolling out r167527.
2436         https://bugs.webkit.org/show_bug.cgi?id=131883
2437
2438         Broke 32-bit build (Requested by ap on #webkit).
2439
2440         Reverted changeset:
2441
2442         "[Mac] implement WebKitDataCue"
2443         https://bugs.webkit.org/show_bug.cgi?id=131799
2444         http://trac.webkit.org/changeset/167527
2445
2446 2014-04-18  Eric Carlson  <eric.carlson@apple.com>
2447
2448         [Mac] implement WebKitDataCue
2449         https://bugs.webkit.org/show_bug.cgi?id=131799
2450
2451         Reviewed by Dean Jackson.
2452
2453         * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.
2454
2455 2014-04-18  Filip Pizlo  <fpizlo@apple.com>
2456
2457         Actually address Mark's review feedback.
2458
2459         * dfg/DFGOSRExitCompilerCommon.cpp:
2460         (JSC::DFG::handleExitCounts):
2461
2462 2014-04-18  Filip Pizlo  <fpizlo@apple.com>
2463
2464         Options::maximumExecutionCountsBetweenCheckpoints() should be higher for DFG->FTL tier-up but the same for other tier-ups
2465         https://bugs.webkit.org/show_bug.cgi?id=131850
2466
2467         Reviewed by Mark Hahnenberg.
2468         
2469         Templatize ExecutionCounter to allow for two different styles of calculating the
2470         checkpoint threshold.
2471         
2472         Appears to be a slight speed-up on DYEBench.
2473
2474         * bytecode/CodeBlock.h:
2475         (JSC::CodeBlock::llintExecuteCounter):
2476         (JSC::CodeBlock::offsetOfJITExecuteCounter):
2477         (JSC::CodeBlock::offsetOfJITExecutionActiveThreshold):
2478         (JSC::CodeBlock::offsetOfJITExecutionTotalCount):
2479         (JSC::CodeBlock::jitExecuteCounter):
2480         * bytecode/ExecutionCounter.cpp:
2481         (JSC::ExecutionCounter<countingVariant>::ExecutionCounter):
2482         (JSC::ExecutionCounter<countingVariant>::forceSlowPathConcurrently):
2483         (JSC::ExecutionCounter<countingVariant>::checkIfThresholdCrossedAndSet):
2484         (JSC::ExecutionCounter<countingVariant>::setNewThreshold):
2485         (JSC::ExecutionCounter<countingVariant>::deferIndefinitely):
2486         (JSC::applyMemoryUsageHeuristics):
2487         (JSC::applyMemoryUsageHeuristicsAndConvertToInt):
2488         (JSC::ExecutionCounter<countingVariant>::hasCrossedThreshold):
2489         (JSC::ExecutionCounter<countingVariant>::setThreshold):
2490         (JSC::ExecutionCounter<countingVariant>::reset):
2491         (JSC::ExecutionCounter<countingVariant>::dump):
2492         (JSC::ExecutionCounter::ExecutionCounter): Deleted.
2493         (JSC::ExecutionCounter::forceSlowPathConcurrently): Deleted.
2494         (JSC::ExecutionCounter::checkIfThresholdCrossedAndSet): Deleted.
2495         (JSC::ExecutionCounter::setNewThreshold): Deleted.
2496         (JSC::ExecutionCounter::deferIndefinitely): Deleted.
2497         (JSC::ExecutionCounter::applyMemoryUsageHeuristics): Deleted.
2498         (JSC::ExecutionCounter::applyMemoryUsageHeuristicsAndConvertToInt): Deleted.
2499         (JSC::ExecutionCounter::hasCrossedThreshold): Deleted.
2500         (JSC::ExecutionCounter::setThreshold): Deleted.
2501         (JSC::ExecutionCounter::reset): Deleted.
2502         (JSC::ExecutionCounter::dump): Deleted.
2503         * bytecode/ExecutionCounter.h:
2504         (JSC::formattedTotalExecutionCount):
2505         (JSC::ExecutionCounter::maximumExecutionCountsBetweenCheckpoints):
2506         (JSC::ExecutionCounter::clippedThreshold):
2507         (JSC::ExecutionCounter::formattedTotalCount): Deleted.
2508         * dfg/DFGJITCode.h:
2509         * dfg/DFGOSRExitCompilerCommon.cpp:
2510         (JSC::DFG::handleExitCounts):
2511         * llint/LowLevelInterpreter.asm:
2512         * runtime/Options.h:
2513
2514 2014-04-17  Mark Hahnenberg  <mhahnenberg@apple.com>
2515
2516         Deleting properties poisons objects
2517         https://bugs.webkit.org/show_bug.cgi?id=131551
2518
2519         Reviewed by Geoffrey Garen.
2520
2521         This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.
2522
2523         * runtime/Structure.cpp:
2524         (JSC::Structure::Structure):
2525         (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
2526         (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of 
2527         Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache 
2528         delete transitions, but we allow transitioning from them.
2529         (JSC::Structure::changePrototypeTransition):
2530         (JSC::Structure::despecifyFunctionTransition):
2531         (JSC::Structure::attributeChangeTransition):
2532         (JSC::Structure::toDictionaryTransition):
2533         (JSC::Structure::preventExtensionsTransition):
2534         (JSC::Structure::addPropertyWithoutTransition):
2535         (JSC::Structure::removePropertyWithoutTransition):
2536         (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
2537         (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
2538         * runtime/Structure.h:
2539         * runtime/StructureInlines.h:
2540         (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
2541
2542 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
2543
2544         InlineCallFrameSet should be refcounted
2545         https://bugs.webkit.org/show_bug.cgi?id=131829
2546
2547         Reviewed by Geoffrey Garen.
2548         
2549         And DFG::Plan should hold a ref to it. Previously it was owned by Graph until it
2550         became owned by JITCode. Except that if we're "failing" to compile, JITCode may die.
2551         Even as it dies, the GC may still want to scan the DFG::Plan, which leads to scanning
2552         the DesiredWriteBarriers, which leads to scanning the InlineCallFrameSet.
2553         
2554         So, just make the darn thing refcounted.
2555
2556         * bytecode/InlineCallFrameSet.h:
2557         * dfg/DFGArgumentsSimplificationPhase.cpp:
2558         (JSC::DFG::ArgumentsSimplificationPhase::run):
2559         * dfg/DFGByteCodeParser.cpp:
2560         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2561         * dfg/DFGCommonData.h:
2562         * dfg/DFGGraph.cpp:
2563         (JSC::DFG::Graph::Graph):
2564         (JSC::DFG::Graph::requiredRegisterCountForExit):
2565         * dfg/DFGGraph.h:
2566         * dfg/DFGJITCompiler.cpp:
2567         (JSC::DFG::JITCompiler::link):
2568         * dfg/DFGPlan.cpp:
2569         (JSC::DFG::Plan::Plan):
2570         * dfg/DFGPlan.h:
2571         * dfg/DFGStackLayoutPhase.cpp:
2572         (JSC::DFG::StackLayoutPhase::run):
2573         * ftl/FTLFail.cpp:
2574         (JSC::FTL::fail):
2575         * ftl/FTLLink.cpp:
2576         (JSC::FTL::link):
2577
2578 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
2579
2580         FTL::fail() should manage memory "correctly"
2581         https://bugs.webkit.org/show_bug.cgi?id=131823
2582         <rdar://problem/16384297>
2583
2584         Reviewed by Oliver Hunt.
2585
2586         * ftl/FTLFail.cpp:
2587         (JSC::FTL::fail):
2588
2589 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
2590
2591         Prediction propagator should correctly model Int52s flowing through arguments
2592         https://bugs.webkit.org/show_bug.cgi?id=131822
2593         <rdar://problem/16641408>
2594
2595         Reviewed by Oliver Hunt.
2596
2597         * dfg/DFGPredictionPropagationPhase.cpp:
2598         (JSC::DFG::PredictionPropagationPhase::propagate):
2599         * tests/stress/int52-argument.js: Added.
2600         (foo):
2601         * tests/stress/int52-variable.js: Added.
2602         (foo):
2603
2604 2014-04-17  Filip Pizlo  <fpizlo@apple.com>
2605
2606         REGRESSION: ASSERT(!typeInfo().hasImpureGetOwnPropertySlot() || typeInfo().newImpurePropertyFiresWatchpoints()) on jquery tests
2607         https://bugs.webkit.org/show_bug.cgi?id=131798
2608
2609         Reviewed by Alexey Proskuryakov.
2610         
2611         Some day, we will fix https://bugs.webkit.org/show_bug.cgi?id=131810 and some version
2612         of this assertion can return. For now, it's not clear that the assertion is guarding
2613         any truly undesirable behavior - so it should just go away and be replaced with a
2614         FIXME.
2615
2616         * bytecode/GetByIdStatus.cpp:
2617         (JSC::GetByIdStatus::computeForStubInfo):
2618         * runtime/Structure.h:
2619         (JSC::Structure::takesSlowPathInDFGForImpureProperty):
2620
2621 2014-04-17  David Kilzer  <ddkilzer@apple.com>
2622
2623         Blind attempt to fix Windows build after r166837
2624         <http://webkit.org/b/131246>
2625
2626         Hoping to fix this build error:
2627
2628             warning MSB8027: Two or more files with the name of GCLogging.cpp will produce outputs to the same location. This can lead to an incorrect build result.  The files involved are ..\heap\GCLogging.cpp, ..\heap\GCLogging.cpp.
2629
2630         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Fix copy-paste
2631         boo-boo by changing the GCLogging.cpp ClCompile entry to a
2632         GCLogging.h ClInclude entry.
2633
2634 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
2635
2636         AI for GetLocal should match the DFG backend, and in this case, the best way to do that is to get rid of the "exit if empty prediction" thing since it's a vestige of a time long gone
2637         https://bugs.webkit.org/show_bug.cgi?id=131764
2638
2639         Reviewed by Geoffrey Garen.
2640         
2641         The attached test case can be made to not crash by deleting old code. It used to be
2642         the case that the DFG needed empty prediction guards, for shady reasons. We fixed that
2643         long ago. At this point, these guards just make life difficult. So get rid of them.
2644
2645         * dfg/DFGAbstractInterpreterInlines.h:
2646         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2647         * dfg/DFGSpeculativeJIT32_64.cpp:
2648         (JSC::DFG::SpeculativeJIT::compile):
2649         * dfg/DFGSpeculativeJIT64.cpp:
2650         (JSC::DFG::SpeculativeJIT::compile):
2651         * tests/stress/bug-131764.js: Added.
2652         (test1):
2653         (test2):
2654
2655 2014-04-17  Darin Adler  <darin@apple.com>
2656
2657         Add separate flag for IndexedDatabase in workers since the current implementation is not threadsafe
2658         https://bugs.webkit.org/show_bug.cgi?id=131785
2659         rdar://problem/16003108
2660
2661         Reviewed by Brady Eidson.
2662
2663         * Configurations/FeatureDefines.xcconfig: Added INDEXED_DATABASE_IN_WORKERS.
2664
2665 2014-04-16  Alexey Proskuryakov  <ap@apple.com>
2666
2667         Build fix after http://trac.webkit.org/changeset/167416 (Sink NaN sanitization)
2668
2669         * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::speculate):
2670
2671 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
2672
2673         Extra error reporting for invalid value conversions
2674         https://bugs.webkit.org/show_bug.cgi?id=131786
2675
2676         Rubber stamped by Ryosuke Niwa.
2677
2678         * dfg/DFGFixupPhase.cpp:
2679         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2680
2681 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
2682
2683         Sink NaN sanitization to uses and remove it when it's unnecessary
2684         https://bugs.webkit.org/show_bug.cgi?id=131419
2685
2686         Reviewed by Oliver Hunt.
2687         
2688         This moves NaN purification to stores that could see an impure NaN.
2689         
2690         5% speed-up on AsmBench, 50% speed-up on AsmBench/n-body. It is a regression on FloatMM
2691         though, because of the other bug that causes that benchmark to box doubles in a loop.
2692
2693         * bytecode/SpeculatedType.h:
2694         (JSC::isInt32SpeculationForArithmetic):
2695         (JSC::isMachineIntSpeculationForArithmetic):
2696         (JSC::isDoubleSpeculation):
2697         (JSC::isDoubleSpeculationForArithmetic):
2698         * dfg/DFGAbstractInterpreterInlines.h:
2699         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2700         * dfg/DFGAbstractValue.cpp:
2701         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
2702         * dfg/DFGFixupPhase.cpp:
2703         (JSC::DFG::FixupPhase::fixupNode):
2704         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2705         * dfg/DFGInPlaceAbstractState.cpp:
2706         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
2707         * dfg/DFGPredictionPropagationPhase.cpp:
2708         (JSC::DFG::PredictionPropagationPhase::propagate):
2709         * dfg/DFGSpeculativeJIT.cpp:
2710         (JSC::DFG::SpeculativeJIT::compileValueRep):
2711         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
2712         * dfg/DFGUseKind.h:
2713         (JSC::DFG::typeFilterFor):
2714         * ftl/FTLLowerDFGToLLVM.cpp:
2715         (JSC::FTL::LowerDFGToLLVM::compileValueRep):
2716         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2717         * runtime/PureNaN.h:
2718         * tests/stress/float32-array-nan-inlined.js: Added.
2719         (foo):
2720         (test):
2721         * tests/stress/float32-array-nan.js: Added.
2722         (foo):
2723         (test):
2724         * tests/stress/float64-array-nan-inlined.js: Added.
2725         (foo):
2726         (isBigEndian):
2727         (test):
2728         * tests/stress/float64-array-nan.js: Added.
2729         (foo):
2730         (isBigEndian):
2731         (test):
2732
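Why a store "that could see an impure NaN" has to purify first (this entry, r167416, and the "Discern between NaNs ..." entry below that introduces pureNaN() and purifyNaN()), as an added example that is not JavaScriptCore code. It models a 64-bit NaN-boxed value encoding in the style of JSValue, where doubles are offset by 2^48 so that a top half of 0x0000 means "pointer" and 0xFFFF means "int32"; the constants, the Kind enum and the function names are this example's own simplification, and the two eight-byte inputs are constructed to show the collision.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Added example, not JavaScriptCore code: a simplified NaN-boxing scheme and
 * the purification step that keeps script-controlled NaN payloads out of it. */

#define TAG_TYPE_NUMBER      0xffff000000000000ULL
#define DOUBLE_ENCODE_OFFSET 0x0001000000000000ULL
#define PURE_NAN_BITS        0x7ff8000000000000ULL   /* the only NaN allowed in a boxed value */

typedef uint64_t EncodedValue;
enum Kind { KIND_POINTER = 0, KIND_DOUBLE = 1, KIND_INT32 = 2 };

static uint64_t double_to_bits(double d) { uint64_t b; memcpy(&b, &d, sizeof b); return b; }
static double bits_to_double(uint64_t b) { double d; memcpy(&d, &b, sizeof d); return d; }

double pure_nan(void) { return bits_to_double(PURE_NAN_BITS); }

/* True for any NaN whose bit pattern is not the canonical one. */
bool is_impure_nan(double d) { return d != d && double_to_bits(d) != PURE_NAN_BITS; }

/* purifyNaN(): collapse every NaN onto the canonical pattern, leave other values alone. */
double purify_nan(double d) { return d != d ? pure_nan() : d; }

/* The raw boxing step. Only safe if d is known not to be an impure NaN. */
EncodedValue encode_double_unchecked(double d) { return double_to_bits(d) + DOUBLE_ENCODE_OFFSET; }

/* What a store that could see an impure NaN must do instead. */
EncodedValue encode_double(double d) { return encode_double_unchecked(purify_nan(d)); }

EncodedValue encode_int32(int32_t i) { return TAG_TYPE_NUMBER | (uint32_t)i; }

/* Decode the tag the way a consumer of the boxed value would. */
enum Kind classify(EncodedValue v)
{
    if ((v & TAG_TYPE_NUMBER) == TAG_TYPE_NUMBER) return KIND_INT32;
    if ((v & TAG_TYPE_NUMBER) == 0)               return KIND_POINTER;
    return KIND_DOUBLE;
}

/* Constructed input: eight bytes a script could write into an ArrayBuffer and
 * read back through a Float64Array. As a double it is a quiet NaN; the payload
 * is chosen so that the unchecked encoding collides with the int32 tag. */
double float64_from_constructed_bytes(void)
{
    return bits_to_double(0xfffe000000000007ULL);
}

/* Same idea with a payload that, after the offset wraps, lands in pointer space. */
double float64_from_constructed_pointer_bytes(void)
{
    return bits_to_double(0xffff00001234abc0ULL);
}
```

Without purification the first input boxes to something a consumer reads as the integer 7 and the second to what looks like a cell pointer at 0x1234abc0, which is exactly the type confusion the purification at float typed-array loads (emitFloatTypedArrayGetByVal, compileGetByValOnFloatTypedArray), JSValueMakeNumber and the Date paths listed in the entry below is there to prevent. Sinking the purification to those stores, rather than applying it on every double, is what lets the arithmetic-heavy paths skip it.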
2733 2014-04-16  Brent Fulgham  <bfulgham@apple.com>
2734
2735         [Win] Unreviewed Windows gardening. Restrict our new 'isinf' check
2736         to 32-bit builds, and revise the comment to explain what we are
2737         doing.
2738
2739         * runtime/JSCJSValueInlines.h:
2740         (JSC::JSValue::isMachineInt): Provide motivation for the new
2741         'isinf' check for our 32-bit code path.
2742
2743 2014-04-16  Juergen Ributzka  <juergen@apple.com>
2744
2745         Allocate the data section on the heap again for FTL on ARM64
2746         https://bugs.webkit.org/show_bug.cgi?id=130156
2747
2748         Reviewed by Geoffrey Garen and Filip Pizlo.
2749
2750         * ftl/FTLCompile.cpp:
2751         (JSC::FTL::mmAllocateDataSection):
2752         * ftl/FTLDataSection.cpp:
2753         (JSC::FTL::DataSection::DataSection):
2754         (JSC::FTL::DataSection::~DataSection):
2755         * ftl/FTLDataSection.h:
2756
2757 2014-04-16  Mark Lam  <mark.lam@apple.com>
2758
2759         Crash in CodeBlock::setOptimizationThresholdBasedOnCompilationResult() when the debugger activates.
2760         <https://webkit.org/b/131747>
2761
2762         Reviewed by Filip Pizlo.
2763
2764         When the debugger is about to activate (e.g. enter stepping mode), it first
2765         waits for all DFG compilations to complete.  However, when the DFG completes,
2766         if compilation is successful, it will install a new DFG codeBlock.  The
2767         CodeBlock installation process is required to register codeBlocks with the
2768         debugger.  Debugger::registerCodeBlock() will eventually call
2769         CodeBlock::setSteppingMode() which may jettison the DFG codeBlock that we're
2770         trying to install.  Thereafter, chaos ensues.
2771
2772         This jettisoning only happens because the debugger currently sets its
2773         m_steppingMode flag before waiting for compilation to complete.  The fix is
2774         simply to set that flag only after compilation is complete.
2775
2776         * debugger/Debugger.cpp:
2777         (JSC::Debugger::setSteppingMode):
2778         (JSC::Debugger::registerCodeBlock):
2779
2780 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
2781
2782         Discern between NaNs that would be safe to tag and NaNs that need some purification before tagging
2783         https://bugs.webkit.org/show_bug.cgi?id=131420
2784
2785         Reviewed by Oliver Hunt.
2786         
2787         Rationalizes our handling of NaNs. We now have the notion of pureNaN(), or PNaN, which
2788         replaces QNaN and represents a "safe" NaN for our tagging purposes. NaN purification now
2789         goes through the purifyNaN() API.
2790         
2791         SpeculatedType and its clients can now distinguish between a PureNaN and an ImpureNaN.
2792         
2793         Prediction propagator is made slightly more cautious when dealing with NaNs. It doesn't
2794         have to be too cautious since most prediction-based logic only cares about whether or not
2795         a value could be an integer.
2796         
2797         AI is made much more cautious when dealing with NaNs. We don't yet introduce ImpureNaN
2798         anywhere in the compiler, but when we do, we ought to be able to trust AI to propagate it
2799         soundly and precisely.
2800         
2801         No performance change because this just unblocks
2802         https://bugs.webkit.org/show_bug.cgi?id=131419.
2803
2804         * API/JSValueRef.cpp:
2805         (JSValueMakeNumber):
2806         (JSValueToNumber):
2807         * JavaScriptCore.xcodeproj/project.pbxproj:
2808         * bytecode/SpeculatedType.cpp:
2809         (JSC::dumpSpeculation):
2810         (JSC::speculationFromValue):
2811         (JSC::typeOfDoubleSum):
2812         (JSC::typeOfDoubleDifference):
2813         (JSC::typeOfDoubleProduct):
2814         (JSC::polluteDouble):
2815         (JSC::typeOfDoubleQuotient):
2816         (JSC::typeOfDoubleMinMax):
2817         (JSC::typeOfDoubleNegation):
2818         (JSC::typeOfDoubleAbs):
2819         (JSC::typeOfDoubleFRound):
2820         (JSC::typeOfDoubleBinaryOp):
2821         (JSC::typeOfDoubleUnaryOp):
2822         * bytecode/SpeculatedType.h:
2823         * dfg/DFGAbstractInterpreterInlines.h:
2824         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2825         * dfg/DFGByteCodeParser.cpp:
2826         (JSC::DFG::ByteCodeParser::handleInlining):
2827         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2828         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
2829         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
2830         * dfg/DFGInPlaceAbstractState.cpp:
2831         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
2832         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
2833         (JSC::DFG::createPreHeader):
2834         * dfg/DFGNode.h:
2835         (JSC::DFG::BranchTarget::BranchTarget):
2836         * dfg/DFGOSREntrypointCreationPhase.cpp:
2837         (JSC::DFG::OSREntrypointCreationPhase::run):
2838         * dfg/DFGOSRExitCompiler32_64.cpp:
2839         (JSC::DFG::OSRExitCompiler::compileExit):
2840         * dfg/DFGOSRExitCompiler64.cpp:
2841         (JSC::DFG::OSRExitCompiler::compileExit):
2842         * dfg/DFGPredictionPropagationPhase.cpp:
2843         (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
2844         (JSC::DFG::PredictionPropagationPhase::propagate):
2845         * dfg/DFGSpeculativeJIT.cpp:
2846         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
2847         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
2848         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
2849         * dfg/DFGSpeculativeJIT32_64.cpp:
2850         (JSC::DFG::SpeculativeJIT::compile):
2851         * dfg/DFGSpeculativeJIT64.cpp:
2852         (JSC::DFG::SpeculativeJIT::compile):
2853         * dfg/DFGVariableAccessData.h:
2854         (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
2855         * ftl/FTLLowerDFGToLLVM.cpp:
2856         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2857         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2858         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
2859         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
2860         (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
2861         (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
2862         (JSC::FTL::LowerDFGToLLVM::allocateJSArray):
2863         * ftl/FTLValueFormat.cpp:
2864         (JSC::FTL::reboxAccordingToFormat):
2865         * jit/AssemblyHelpers.cpp:
2866         (JSC::AssemblyHelpers::purifyNaN):
2867         (JSC::AssemblyHelpers::sanitizeDouble): Deleted.
2868         * jit/AssemblyHelpers.h:
2869         * jit/JITPropertyAccess.cpp:
2870         (JSC::JIT::emitFloatTypedArrayGetByVal):
2871         * runtime/DateConstructor.cpp:
2872         (JSC::constructDate):
2873         * runtime/DateInstanceCache.h:
2874         (JSC::DateInstanceData::DateInstanceData):
2875         (JSC::DateInstanceCache::reset):
2876         * runtime/ExceptionHelpers.cpp:
2877         (JSC::TerminatedExecutionError::defaultValue):
2878         * runtime/JSArray.cpp:
2879         (JSC::JSArray::setLength):
2880         (JSC::JSArray::pop):
2881         (JSC::JSArray::shiftCountWithAnyIndexingType):
2882         (JSC::JSArray::sortVector):
2883         (JSC::JSArray::compactForSorting):
2884         * runtime/JSArray.h:
2885         (JSC::JSArray::create):
2886         (JSC::JSArray::tryCreateUninitialized):
2887         * runtime/JSCJSValue.cpp:
2888         (JSC::JSValue::toNumberSlowCase):
2889         * runtime/JSCJSValue.h:
2890         * runtime/JSCJSValueInlines.h:
2891         (JSC::jsNaN):
2892         (JSC::JSValue::JSValue):
2893         (JSC::JSValue::getPrimitiveNumber):
2894         * runtime/JSGlobalObjectFunctions.cpp:
2895         (JSC::parseInt):
2896         (JSC::jsStrDecimalLiteral):
2897         (JSC::toDouble):
2898         (JSC::jsToNumber):
2899         (JSC::parseFloat):
2900         * runtime/JSObject.cpp:
2901         (JSC::JSObject::createInitialDouble):
2902         (JSC::JSObject::convertUndecidedToDouble):
2903         (JSC::JSObject::convertInt32ToDouble):
2904         (JSC::JSObject::deletePropertyByIndex):
2905         (JSC::JSObject::ensureLengthSlow):
2906         * runtime/MathObject.cpp:
2907         (JSC::mathProtoFuncMax):
2908         (JSC::mathProtoFuncMin):
2909         * runtime/PureNaN.h: Added.
2910         (JSC::pureNaN):
2911         (JSC::isImpureNaN):
2912         (JSC::purifyNaN):
2913         * runtime/TypedArrayAdaptors.h:
2914         (JSC::FloatTypedArrayAdaptor::toJSValue):
2915
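The entry above adds runtime/PureNaN.h with pureNaN, isImpureNaN and purifyNaN. The example below is an added illustration, not JSC's own code, of what those three functions do and why they matter: JSC's 64-bit JSValue encoding stores every value in the bit pattern of an IEEE-754 double and uses NaN payload bits to tag non-double values, so a NaN with arbitrary payload bits arriving from hardware, a typed array read or the C API could be misread as a tagged value. Collapsing every NaN to one canonical pattern removes that ambiguity. The function names follow the entry; the canonical pattern used here (0x7ff8000000000000, the quiet NaN with zero payload) and the helper names bitsOfDouble/doubleOfBits are this example's own choices.

```cpp
#include <cmath>
#include <cstdint>
#include <cstring>

// Added illustration (not JSC's own code) of NaN purification.
// The canonical NaN bit pattern is an assumption chosen for this example:
// quiet NaN, sign bit clear, zero payload.
static const uint64_t kPureNaNBits = 0x7ff8000000000000ULL;

// Type-pun a double to its raw bits without undefined behaviour.
uint64_t bitsOfDouble(double d)
{
    uint64_t bits;
    std::memcpy(&bits, &d, sizeof bits);
    return bits;
}

// Build a double from raw bits; lets a test construct NaNs with payloads.
double doubleOfBits(uint64_t bits)
{
    double d;
    std::memcpy(&d, &bits, sizeof d);
    return d;
}

// The single NaN the engine is willing to carry around.
double pureNaN()
{
    return doubleOfBits(kPureNaNBits);
}

// A NaN whose bit pattern differs from the canonical one. Such a value must
// never be boxed as-is, because its payload bits could collide with the
// tagging scheme used for non-double values.
bool isImpureNaN(double value)
{
    return std::isnan(value) && bitsOfDouble(value) != kPureNaNBits;
}

// Non-NaN values (including -0.0 and infinities) pass through untouched;
// every NaN, whatever its payload or sign, collapses to pureNaN().
double purifyNaN(double value)
{
    if (std::isnan(value))
        return pureNaN();
    return value;
}
```

purifyNaN is the operation to apply at every boundary where a double of unknown provenance enters the value representation; isImpureNaN is the corresponding assertion that such a boundary was not missed.
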
2916 2014-04-16  Juergen Ributzka  <juergen@apple.com>
2917
2918         Enable system library calls in FTL for ARM64
2919         https://bugs.webkit.org/show_bug.cgi?id=130154
2920
2921         Reviewed by Geoffrey Garen and Filip Pizlo.
2922
2923         * ftl/FTLIntrinsicRepository.h:
2924         * ftl/FTLOutput.h:
2925         (JSC::FTL::Output::doubleRem):
2926         (JSC::FTL::Output::doubleSin):
2927         (JSC::FTL::Output::doubleCos):
2928
2929 2014-04-16  peavo@outlook.com  <peavo@outlook.com>
2930
2931         Fix JSC Debug Regressions on Windows
2932         https://bugs.webkit.org/show_bug.cgi?id=131182
2933
2934         Reviewed by Brent Fulgham.
2935
2936         The cast static_cast<int64_t>(number) in JSValue::isMachineInt() can generate a floating point error,
2937         and set the st floating point register tags, if the value of the number parameter is infinite.
2938         If the st floating point register tags are not cleared, this can cause strange floating point behavior later on.
2939         This can be avoided by checking for infinity first.
2940
2941         * runtime/JSCJSValueInlines.h:
2942         (JSC::JSValue::isMachineInt): Avoid floating point error by checking for infinity first.
2943         * runtime/Options.cpp:
2944         (JSC::recomputeDependentOptions): Re-enable jit for Windows.
2945
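The entry above describes the ordering hazard in JSValue::isMachineInt: converting a non-finite double to int64_t is undefined behaviour in C++, and on x87 hardware it raises the invalid-operation exception flag, which is the lingering floating point register state the entry mentions. The function below is an added illustration, not JSC's own code, of a machine-int check that classifies NaN and infinity before any conversion is attempted and range-checks as a double so that out-of-range integral values (which are just as undefined to cast) never reach the cast either. The Int52 range assumed here, [-2^51, 2^51), is this example's assumption; the page does not state it.

```cpp
#include <cmath>
#include <cstdint>

// Added illustration (not JSC's own code) of checking finiteness before
// casting a double to int64_t. The range limit is an assumption for the
// example: 52-bit signed integers, i.e. [-2^51, 2^51).
static const int64_t kInt52Limit = static_cast<int64_t>(1) << 51;

bool isMachineInt(double number)
{
    // NaN and +/-infinity can never be machine ints, and they must be
    // rejected before any conversion to int64_t is attempted: the cast of a
    // non-finite value is undefined behaviour and, on x87, raises the
    // invalid-operation exception.
    if (std::isnan(number) || std::isinf(number))
        return false;

    // Integral check done entirely in floating point: if truncation changes
    // the value, it had a fractional part.
    if (std::trunc(number) != number)
        return false;

    // Negative zero is a double-only value with no integer representation.
    if (number == 0 && std::signbit(number))
        return false;

    // Range check as a double, so that integral values far outside int64_t
    // (1e300, say) are rejected without ever being cast.
    if (number >= static_cast<double>(kInt52Limit))
        return false;
    if (number < -static_cast<double>(kInt52Limit))
        return false;

    // Only now is the conversion well defined; it round-trips exactly.
    int64_t asInt64 = static_cast<int64_t>(number);
    return static_cast<double>(asInt64) == number;
}
```

The order of the tests is the whole point: every check that precedes the cast is a floating point classification, and the cast happens only on a value already known to be finite, integral and inside the target range.
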
2946 2014-04-16  Oliver Hunt  <oliver@apple.com>
2947
2948         Simple ES6 feature: Array.prototype.fill
2949         https://bugs.webkit.org/show_bug.cgi?id=131703
2950
2951         Reviewed by David Hyatt.
2952
2953         Add support for Array.prototype.fill
2954
2955         * builtins/Array.prototype.js:
2956         (fill):
2957         * runtime/ArrayPrototype.cpp:
2958
2959 2014-04-16  Mark Hahnenberg  <mhahnenberg@apple.com>
2960
2961         [WebKit] Cleanup the build from uninitialized variable in JavaScriptCore
2962         https://bugs.webkit.org/show_bug.cgi?id=131728
2963
2964         Reviewed by Darin Adler.
2965
2966         * runtime/JSObject.cpp:
2967         (JSC::JSObject::genericConvertDoubleToContiguous): Add a RELEASE_ASSERT on the 
2968         path we expect to never take. Also shut up confused compilers about uninitialized things.
2969
2970 2014-04-16  Filip Pizlo  <fpizlo@apple.com>
2971
2972         Unreviewed, ARMv7 build fix after r167336.
2973
2974         * assembler/MacroAssemblerARMv7.h:
2975         (JSC::MacroAssemblerARMv7::branchAdd32):
2976
2977 2014-04-16  Gabor Rapcsanyi  <rgabor@webkit.org>
2978
2979         Unreviewed, ARM64 buildfix after r167336.
2980
2981         * assembler/MacroAssemblerARM64.h:
2982         (JSC::MacroAssemblerARM64::branchAdd32): Add missing function.
2983
2984 2014-04-15  Filip Pizlo  <fpizlo@apple.com>
2985
2986         Unreviewed, add the obvious thing that marks MakeRope as exiting since it can exit.
2987
2988         * dfg/DFGAbstractInterpreterInlines.h:
2989         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2990
2991 2014-04-15  Filip Pizlo  <fpizlo@apple.com>
2992
2993         compileMakeRope does not emit necessary bounds checks
2994         https://bugs.webkit.org/show_bug.cgi?id=130684
2995         <rdar://problem/16398388>
2996
2997         Reviewed by Oliver Hunt.
2998         
2999         Add string length bounds checks in a bunch of places. We should never allow a string
3000         to have a length greater than 2^31-1 because it's not clear that the language has
3001         semantics for it and because there is code that assumes that this cannot happen.
3002         
3003         Also add a bunch of tests to that effect to cover the various ways in which this was
3004         previously allowed to happen.
3005
3006         * dfg/DFGOperations.cpp:
3007         * dfg/DFGSpeculativeJIT.cpp:
3008         (JSC::DFG::SpeculativeJIT::compileMakeRope):
3009         * ftl/FTLLowerDFGToLLVM.cpp:
3010         (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
3011         * runtime/JSString.cpp:
3012         (JSC::JSRopeString::RopeBuilder::expand):
3013         * runtime/JSString.h:
3014         (JSC::JSString::create):
3015         (JSC::JSRopeString::RopeBuilder::append):
3016         (JSC::JSRopeString::RopeBuilder::release):
3017         (JSC::JSRopeString::append):
3018         * runtime/Operations.h:
3019         (JSC::jsString):
3020         (JSC::jsStringFromRegisterArray):
3021         (JSC::jsStringFromArguments):
3022         * runtime/StringPrototype.cpp:
3023         (JSC::stringProtoFuncIndexOf):
3024         (JSC::stringProtoFuncSlice):
3025         (JSC::stringProtoFuncSubstring):
3026         (JSC::stringProtoFuncToLowerCase):
3027         * tests/stress/make-large-string-jit-strcat.js: Added.
3028         (foo):
3029         * tests/stress/make-large-string-jit.js: Added.
3030         (foo):
3031         * tests/stress/make-large-string-strcat.js: Added.
3032         * tests/stress/make-large-string.js: Added.
3033
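The entry above states the invariant that a string length must never exceed 2^31-1 and adds bounds checks at every place that combines lengths (rope building, concatenation, slicing). The code below is an added illustration, not JSC's own code, of the check itself: the sum of two individually valid lengths can exceed the limit, and when lengths live in a 32-bit field the sum can wrap to a small value, so the combination must be computed in a wider type and rejected before it is committed. The RopeBuilder shape and its boolean return value are this example's own; the real class listed above has a different interface.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Added illustration (not JSC's own code) of string-length bounds checking.
// The limit itself comes from the entry above: 2^31 - 1.
static const uint32_t kMaxStringLength = 0x7fffffff;

// Returns true and stores a + b in *out only if the sum stays within the
// limit. Computing in uint64_t means the check itself cannot overflow, which
// a naive "uint32_t sum = a + b; if (sum > limit)" test would not guarantee.
bool checkedLengthSum(uint32_t a, uint32_t b, uint32_t* out)
{
    uint64_t sum = static_cast<uint64_t>(a) + static_cast<uint64_t>(b);
    if (sum > kMaxStringLength)
        return false;
    *out = static_cast<uint32_t>(sum);
    return true;
}

// Minimal rope builder: records fibers and their combined length, and refuses
// to grow past the limit instead of producing an out-of-range length that
// later code (which assumes the invariant) would trust.
class RopeBuilder {
public:
    // Returns false when appending would push the rope over the limit; the
    // builder is left unchanged in that case.
    bool append(const std::string& fiber)
    {
        if (fiber.size() > kMaxStringLength)
            return false;
        uint32_t newLength = 0;
        if (!checkedLengthSum(m_length, static_cast<uint32_t>(fiber.size()), &newLength))
            return false;
        m_fibers.push_back(fiber);
        m_length = newLength;
        return true;
    }

    uint32_t length() const { return m_length; }
    size_t fiberCount() const { return m_fibers.size(); }

private:
    std::vector<std::string> m_fibers;
    uint32_t m_length = 0;
};

// Shows the failure mode without allocating 2 GB of text: a length already at
// the limit plus one more unit must be rejected, not wrapped or accepted.
bool overflowIsRejected()
{
    uint32_t out = 0;
    return !checkedLengthSum(kMaxStringLength, 1, &out);
}
```

Every site the entry lists (jsString, RopeBuilder::append, slice, substring, toLowerCase) is a place where a length is derived from other lengths; the same widened-arithmetic check applies at each.
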
3034 2014-04-15  Julien Brianceau  <jbriance@cisco.com>
3035
3036         Remove invalid sh4 specific code in JITInlines header.
3037         https://bugs.webkit.org/show_bug.cgi?id=131692
3038
3039         Reviewed by Geoffrey Garen.
3040
3041         * jit/JITInlines.h:
3042         (JSC::JIT::callOperation): Prototype is not F_JITOperation_EJJZ
3043         anymore since r160244, so the sh4 specific code is invalid now
3044         and has to be removed.
3045
3046 2014-04-15  Mark Hahnenberg  <mhahnenberg@apple.com>
3047
3048         Fix precedence issue in JSCell:setRemembered
3049
3050         Rubber stamped by Filip Pizlo.
3051
3052         * runtime/JSCell.h:
3053         (JSC::JSCell::setRemembered):
3054
3055 2014-04-15  Mark Hahnenberg  <mhahnenberg@apple.com>
3056
3057         Objective-C API external object graphs don't handle generational collection properly
3058         https://bugs.webkit.org/show_bug.cgi?id=131634
3059
3060         Reviewed by Geoffrey Garen.
3061
3062         If the set of Objective-C objects transitively reachable through an object changes, we 
3063         need to update the set of opaque roots accordingly. If we don't, the next EdenCollection 
3064         won't rescan the external object graph, which would lead us to consider a newly allocated 
3065         JSManagedValue to be dead.
3066
3067         * API/JSBase.cpp:
3068         (JSSynchronousEdenCollectForDebugging):
3069         * API/JSVirtualMachine.mm:
3070         (-[JSVirtualMachine initWithContextGroupRef:]):
3071         (-[JSVirtualMachine dealloc]):
3072         (-[JSVirtualMachine isOldExternalObject:]):
3073         (-[JSVirtualMachine addExternalRememberedObject:]):
3074         (-[JSVirtualMachine addManagedReference:withOwner:]):
3075         (-[JSVirtualMachine removeManagedReference:withOwner:]):
3076         (-[JSVirtualMachine externalRememberedSet]):
3077         (scanExternalObjectGraph):
3078         (scanExternalRememberedSet):
3079         * API/JSVirtualMachineInternal.h:
3080         * API/tests/testapi.mm:
3081         * heap/Heap.cpp:
3082         (JSC::Heap::markRoots):
3083         * heap/Heap.h:
3084         (JSC::Heap::slotVisitor):
3085         * heap/SlotVisitor.h:
3086         * heap/SlotVisitorInlines.h:
3087         (JSC::SlotVisitor::containsOpaqueRoot):
3088         (JSC::SlotVisitor::containsOpaqueRootTriState):
3089
3090 2014-04-15  Filip Pizlo  <fpizlo@apple.com>
3091
3092         DFG IR should keep the data flow of doubles and int52's separate from the data flow of JSValue's
3093         https://bugs.webkit.org/show_bug.cgi?id=131423
3094
3095         Reviewed by Geoffrey Garen.
3096         
3097         This introduces more static typing into DFG IR. Previously we just had the notion of
3098         JSValues and Storage. This was weird because doubles weren't always convertible to
3099         JSValues, and Int52s weren't always convertible to either doubles or JSValues. We would
3100         sort of insert explicit conversion nodes just for the places where we knew that an
3101         implicit conversion wouldn't have been possible -- but there was no hard and fast rule so
3102         we'd get bugs from forgetting to do the right conversion.
3103         
3104         This patch introduces a hard and fast rule: doubles can never be implicitly converted to
3105         anything but doubles, and likewise Int52's can never be implicitly converted. Conversion
3106         nodes are used for all of the conversions. Int52Rep, DoubleRep, and ValueRep are the
3107         conversions. They are like Identity but return the same value using a different
3108         representation. Likewise, constants may now be represented using either JSConstant,
3109         Int52Constant, or DoubleConstant. UseKinds have been adjusted accordingly, as well.
3110         Int52RepUse and DoubleRepUse are node uses that mean "the node must be of Int52 (or
3111         Double) type". They don't imply checks. There is also DoubleRepRealUse, which means that
3112         we speculate DoubleReal and expect Double representation.
3113         
3114         In addition to simplifying a bunch of rules in the IR and making the IR more verifiable,
3115         this also makes it easier to introduce optimizations in the future. It's now possible for
3116         AI to model when/how conversions take place. For example if doing a conversion results in
3117         NaN sanitization, then AI can model this and can allow us to sink sanitizations. That's
3118         what https://bugs.webkit.org/show_bug.cgi?id=131419 will be all about.
3119         
3120         This was a big change, so I had to do some interesting things, like finally get rid of
3121         the DFG's weird variadic template macro hacks and use real C++11 variadic templates. Also
3122         the ByteCodeParser no longer emits Identity nodes since that was always pointless.
3123         
3124         No performance change because this mostly just rationalizes preexisting behavior.
3125
3126         * JavaScriptCore.xcodeproj/project.pbxproj:
3127         * assembler/MacroAssemblerX86.h:
3128         * bytecode/CodeBlock.cpp:
3129         * bytecode/CodeBlock.h:
3130         * dfg/DFGAbstractInterpreter.h:
3131         (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
3132         (JSC::DFG::AbstractInterpreter::setConstant):
3133         * dfg/DFGAbstractInterpreterInlines.h:
3134         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3135         * dfg/DFGAbstractValue.cpp:
3136         (JSC::DFG::AbstractValue::set):
3137         (JSC::DFG::AbstractValue::fixTypeForRepresentation):
3138         (JSC::DFG::AbstractValue::checkConsistency):
3139         * dfg/DFGAbstractValue.h:
3140         * dfg/DFGBackwardsPropagationPhase.cpp:
3141         (JSC::DFG::BackwardsPropagationPhase::propagate):
3142         * dfg/DFGBasicBlock.h:
3143         * dfg/DFGBasicBlockInlines.h:
3144         (JSC::DFG::BasicBlock::appendNode):
3145         (JSC::DFG::BasicBlock::appendNonTerminal):
3146         * dfg/DFGByteCodeParser.cpp:
3147         (JSC::DFG::ByteCodeParser::parseBlock):
3148         * dfg/DFGCSEPhase.cpp:
3149         (JSC::DFG::CSEPhase::constantCSE):
3150         (JSC::DFG::CSEPhase::performNodeCSE):
3151         (JSC::DFG::CSEPhase::int32ToDoubleCSE): Deleted.
3152         * dfg/DFGCapabilities.h:
3153         * dfg/DFGClobberize.h:
3154         (JSC::DFG::clobberize):
3155         * dfg/DFGConstantFoldingPhase.cpp:
3156         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3157         * dfg/DFGDCEPhase.cpp:
3158         (JSC::DFG::DCEPhase::fixupBlock):
3159         * dfg/DFGEdge.h:
3160         (JSC::DFG::Edge::willNotHaveCheck):
3161         * dfg/DFGFixupPhase.cpp:
3162         (JSC::DFG::FixupPhase::run):
3163         (JSC::DFG::FixupPhase::fixupNode):
3164         (JSC::DFG::FixupPhase::fixupGetAndSetLocalsInBlock):
3165         (JSC::DFG::FixupPhase::observeUseKindOnNode):
3166         (JSC::DFG::FixupPhase::fixIntEdge):
3167         (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
3168         (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
3169         (JSC::DFG::FixupPhase::tryToRelaxRepresentation):
3170         (JSC::DFG::FixupPhase::fixEdgeRepresentation):
3171         (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
3172         (JSC::DFG::FixupPhase::addRequiredPhantom):
3173         (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
3174         (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
3175         (JSC::DFG::FixupPhase::fixupSetLocalsInBlock): Deleted.
3176         * dfg/DFGFlushFormat.h:
3177         (JSC::DFG::resultFor):
3178         (JSC::DFG::useKindFor):
3179         * dfg/DFGGraph.cpp:
3180         (JSC::DFG::Graph::dump):
3181         * dfg/DFGGraph.h:
3182         (JSC::DFG::Graph::addNode):
3183         * dfg/DFGInPlaceAbstractState.cpp:
3184         (JSC::DFG::InPlaceAbstractState::initialize):
3185         * dfg/DFGInsertionSet.h:
3186         (JSC::DFG::InsertionSet::insertNode):
3187         (JSC::DFG::InsertionSet::insertConstant):
3188         (JSC::DFG::InsertionSet::insertConstantForUse):
3189         * dfg/DFGIntegerCheckCombiningPhase.cpp:
3190         (JSC::DFG::IntegerCheckCombiningPhase::insertAdd):
3191         (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd):
3192         * dfg/DFGNode.cpp:
3193         (JSC::DFG::Node::convertToIdentity):
3194         (WTF::printInternal):
3195         * dfg/DFGNode.h:
3196         (JSC::DFG::Node::Node):
3197         (JSC::DFG::Node::setResult):
3198         (JSC::DFG::Node::result):
3199         (JSC::DFG::Node::isConstant):
3200         (JSC::DFG::Node::hasConstant):
3201         (JSC::DFG::Node::convertToConstant):
3202         (JSC::DFG::Node::valueOfJSConstant):
3203         (JSC::DFG::Node::hasResult):
3204         (JSC::DFG::Node::hasInt32Result):
3205         (JSC::DFG::Node::hasInt52Result):
3206         (JSC::DFG::Node::hasNumberResult):
3207         (JSC::DFG::Node::hasDoubleResult):
3208         (JSC::DFG::Node::hasJSResult):
3209         (JSC::DFG::Node::hasBooleanResult):
3210         (JSC::DFG::Node::hasStorageResult):
3211         (JSC::DFG::Node::defaultUseKind):
3212         (JSC::DFG::Node::defaultEdge):
3213         (JSC::DFG::Node::convertToIdentity): Deleted.
3214         * dfg/DFGNodeFlags.cpp:
3215         (JSC::DFG::dumpNodeFlags):
3216         * dfg/DFGNodeFlags.h:
3217         (JSC::DFG::canonicalResultRepresentation):
3218         * dfg/DFGNodeType.h:
3219         * dfg/DFGOSRExitCompiler32_64.cpp:
3220         (JSC::DFG::OSRExitCompiler::compileExit):
3221         * dfg/DFGOSRExitCompiler64.cpp:
3222         (JSC::DFG::OSRExitCompiler::compileExit):
3223         * dfg/DFGPredictionPropagationPhase.cpp:
3224         (JSC::DFG::PredictionPropagationPhase::propagate):
3225         * dfg/DFGResurrectionForValidationPhase.cpp:
3226         (JSC::DFG::ResurrectionForValidationPhase::run):
3227         * dfg/DFGSSAConversionPhase.cpp:
3228         (JSC::DFG::SSAConversionPhase::run):
3229         * dfg/DFGSafeToExecute.h:
3230         (JSC::DFG::SafeToExecuteEdge::operator()):
3231         (JSC::DFG::safeToExecute):
3232         * dfg/DFGSpeculativeJIT.cpp:
3233         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
3234         (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
3235         (JSC::DFG::SpeculativeJIT::silentFill):
3236         (JSC::DFG::JSValueRegsTemporary::JSValueRegsTemporary):
3237         (JSC::DFG::JSValueRegsTemporary::~JSValueRegsTemporary):
3238         (JSC::DFG::JSValueRegsTemporary::regs):
3239         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
3240         (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
3241         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
3242         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
3243         (JSC::DFG::SpeculativeJIT::compileValueRep):
3244         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
3245         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
3246         (JSC::DFG::SpeculativeJIT::compileAdd):
3247         (JSC::DFG::SpeculativeJIT::compileArithSub):
3248         (JSC::DFG::SpeculativeJIT::compileArithNegate):
3249         (JSC::DFG::SpeculativeJIT::compileArithMul):
3250         (JSC::DFG::SpeculativeJIT::compileArithDiv):
3251         (JSC::DFG::SpeculativeJIT::compileArithMod):
3252         (JSC::DFG::SpeculativeJIT::compare):
3253         (JSC::DFG::SpeculativeJIT::compileStrictEq):
3254         (JSC::DFG::SpeculativeJIT::speculateNumber):
3255         (JSC::DFG::SpeculativeJIT::speculateDoubleReal):
3256         (JSC::DFG::SpeculativeJIT::speculate):
3257         (JSC::DFG::SpeculativeJIT::compileInt32ToDouble): Deleted.
3258         (JSC::DFG::SpeculativeJIT::speculateMachineInt): Deleted.
3259         (JSC::DFG::SpeculativeJIT::speculateRealNumber): Deleted.
3260         * dfg/DFGSpeculativeJIT.h:
3261         (JSC::DFG::SpeculativeJIT::allocate):
3262         (JSC::DFG::SpeculativeJIT::use):
3263         (JSC::DFG::SpeculativeJIT::boxDouble):
3264         (JSC::DFG::SpeculativeJIT::spill):
3265         (JSC::DFG::SpeculativeJIT::jsValueResult):
3266         (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand):
3267         (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand):
3268         (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand):
3269         (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
3270         * dfg/DFGSpeculativeJIT32_64.cpp:
3271         (JSC::DFG::SpeculativeJIT::fillJSValue):
3272         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
3273         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3274         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3275         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3276         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
3277         (JSC::DFG::SpeculativeJIT::emitBranch):
3278         (JSC::DFG::SpeculativeJIT::compile):
3279         (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
3280         * dfg/DFGSpeculativeJIT64.cpp:
3281         (JSC::DFG::SpeculativeJIT::fillJSValue):
3282         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
3283         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
3284         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3285         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3286         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3287         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
3288         (JSC::DFG::SpeculativeJIT::emitBranch):
3289         (JSC::DFG::SpeculativeJIT::compile):
3290         (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
3291         * dfg/DFGStrengthReductionPhase.cpp:
3292         (JSC::DFG::StrengthReductionPhase::handleNode):
3293         * dfg/DFGUseKind.cpp:
3294         (WTF::printInternal):
3295         * dfg/DFGUseKind.h:
3296         (JSC::DFG::typeFilterFor):
3297         (JSC::DFG::shouldNotHaveTypeCheck):
3298         (JSC::DFG::mayHaveTypeCheck):
3299         (JSC::DFG::isNumerical):
3300         (JSC::DFG::isDouble):
3301         (JSC::DFG::isCell):
3302         (JSC::DFG::usesStructure):
3303         (JSC::DFG::useKindForResult):
3304         * dfg/DFGValidate.cpp:
3305         (JSC::DFG::Validate::validate):
3306         * dfg/DFGVariadicFunction.h: Removed.
3307         * ftl/FTLCapabilities.cpp:
3308         (JSC::FTL::canCompile):
3309         * ftl/FTLLowerDFGToLLVM.cpp:
3310         (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
3311         (JSC::FTL::LowerDFGToLLVM::compileNode):
3312         (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
3313         (JSC::FTL::LowerDFGToLLVM::compilePhi):
3314         (JSC::FTL::LowerDFGToLLVM::compileDoubleConstant):
3315         (JSC::FTL::LowerDFGToLLVM::compileInt52Constant):
3316         (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant):
3317         (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
3318         (JSC::FTL::LowerDFGToLLVM::compileValueRep):
3319         (JSC::FTL::LowerDFGToLLVM::compileInt52Rep):
3320         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
3321         (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
3322         (JSC::FTL::LowerDFGToLLVM::compileArithMul):
3323         (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
3324         (JSC::FTL::LowerDFGToLLVM::compileArithMod):
3325         (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
3326         (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
3327         (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
3328         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
3329         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
3330         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
3331         (JSC::FTL::LowerDFGToLLVM::compare):
3332         (JSC::FTL::LowerDFGToLLVM::boolify):
3333         (JSC::FTL::LowerDFGToLLVM::lowInt52):
3334         (JSC::FTL::LowerDFGToLLVM::lowStrictInt52):
3335         (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52):
3336         (JSC::FTL::LowerDFGToLLVM::lowDouble):
3337         (JSC::FTL::LowerDFGToLLVM::lowJSValue):
3338         (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble):
3339         (JSC::FTL::LowerDFGToLLVM::jsValueToDouble):
3340         (JSC::FTL::LowerDFGToLLVM::speculate):
3341         (JSC::FTL::LowerDFGToLLVM::speculateNumber):
3342         (JSC::FTL::LowerDFGToLLVM::speculateDoubleReal):
3343         (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue): Deleted.
3344         (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble): Deleted.
3345         (JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue): Deleted.
3346         (JSC::FTL::LowerDFGToLLVM::speculateRealNumber): Deleted.
3347         (JSC::FTL::LowerDFGToLLVM::speculateMachineInt): Deleted.
3348         * ftl/FTLValueFormat.cpp:
3349         (JSC::FTL::reboxAccordingToFormat):
3350         * jit/AssemblyHelpers.cpp:
3351         (JSC::AssemblyHelpers::sanitizeDouble):
3352         * jit/AssemblyHelpers.h:
3353         (JSC::AssemblyHelpers::boxDouble):
3354
3355 2014-04-15  Commit Queue  <commit-queue@webkit.org>
3356
3357         Unreviewed, rolling out r167199 and r167251.
3358         https://bugs.webkit.org/show_bug.cgi?id=131678
3359
3360         Caused a DYEBench regression and does not seem to improve perf
3361         on relevant websites (Requested by rniwa on #webkit).
3362
3363         Reverted changesets:
3364
3365         "Rewrite Function.bind as a builtin"
3366         https://bugs.webkit.org/show_bug.cgi?id=131083
3367         http://trac.webkit.org/changeset/167199
3368
3369         "Update test result"
3370         http://trac.webkit.org/changeset/167251
3371
3372 2014-04-14  Commit Queue  <commit-queue@webkit.org>
3373
3374         Unreviewed, rolling out r167272.
3375         https://bugs.webkit.org/show_bug.cgi?id=131666
3376
3377         Broke multiple tests (Requested by ap on #webkit).
3378
3379         Reverted changeset:
3380
3381         "Function.bind itself is too slow"
3382         https://bugs.webkit.org/show_bug.cgi?id=131636
3383         http://trac.webkit.org/changeset/167272
3384
3385 2014-04-14  Geoffrey Garen  <ggaren@apple.com>
3386
3387         ASSERT when firing low memory warning
3388         https://bugs.webkit.org/show_bug.cgi?id=131659
3389
3390         Reviewed by Mark Hahnenberg.
3391
3392         * heap/Heap.cpp:
3393         (JSC::Heap::deleteAllCompiledCode): Allow deleteAllCompiledCode to be
3394         called when no GC is happening because that is what we do when a low
3395         memory warning fires, and it is harmless.
3396
3397 2014-04-14  Mark Hahnenberg  <mhahnenberg@apple.com>
3398
3399         emit_op_put_by_id should not emit a write barrier that filters on value
3400         https://bugs.webkit.org/show_bug.cgi?id=131654
3401
3402         Reviewed by Filip Pizlo.
3403
3404         The 32-bit implementation does this, and it can cause crashes if we later repatch the 
3405         code to allocate and store new Butterflies.
3406
3407         * jit/JITPropertyAccess.cpp:
3408         (JSC::JIT::emitWriteBarrier): We also weren't verifying that the base was a cell on 
3409         32-bit if we were passed ShouldFilterBase. I also took the liberty of sinking the tag 
3410         load down into the if st