[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2014-03-15  David Kilzer  <ddkilzer@apple.com>

        Fix build: using integer absolute value function 'abs' when argument is of floating point type
        <http://webkit.org/b/130286>

        Reviewed by Filip Pizlo.

        Fixes the following build failure using trunk clang:

            JavaScriptCore/assembler/MacroAssembler.h:992:17: error: using integer absolute value function 'abs' when argument is of floating point type [-Werror,-Wabsolute-value]
                    value = abs(value);
                            ^
            JavaScriptCore/assembler/MacroAssembler.h:992:17: note: use function 'fabs' instead
                    value = abs(value);
                            ^~~
                            fabs

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::shouldBlindDouble): Switch from abs() to
        fabs().

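As an added illustration (not code from WebKit or from this commit) of why the warning above was worth a build break: the integer `abs` silently converts a double argument to `int`, so a magnitude check such as the one in `shouldBlindDouble` (whose actual decision logic is not shown here and is not assumed) would operate on a truncated value, and for doubles outside the `int` range the conversion is undefined behaviour. The function names and sample values below are constructed for the example.

```cpp
#include <climits>
#include <cmath>
#include <cstdio>
#include <cstdlib>

// True when truncating `value` to int and then taking abs() of the result is
// well defined: the value must fit in int and must not truncate to INT_MIN,
// because abs(INT_MIN) overflows.
inline bool truncationIsDefined(double value)
{
    return value > static_cast<double>(INT_MIN)
        && value < static_cast<double>(INT_MAX) + 1.0;
}

// What `value = abs(value)` computed before the fix: the integer abs() forces
// an implicit double -> int conversion, which drops the fractional part. The
// explicit cast here only makes that implicit conversion visible. Returns NaN
// instead of invoking undefined behaviour for out-of-range inputs.
inline double integerAbsOfDouble(double value)
{
    if (!truncationIsDefined(value))
        return NAN;
    return static_cast<double>(std::abs(static_cast<int>(value)));
}

// What the fixed code computes: fabs() keeps the fractional part and works
// over the whole double range, including values far outside int.
inline double floatingAbsOfDouble(double value)
{
    return std::fabs(value);
}

// True when a magnitude-based decision would see different inputs from the
// two versions (including the case where the integer version is undefined).
inline bool absResultsDiffer(double value)
{
    double truncated = integerAbsOfDouble(value);
    return std::isnan(truncated) || truncated != floatingAbsOfDouble(value);
}

int main()
{
    // Constructed sample inputs, not values taken from the JIT.
    const double samples[] = { -0.75, -2.5, 3.0, -3.0, 1e10, -1e300 };
    for (double v : samples) {
        std::printf("value=%g integer-abs=%g fabs=%g differ=%s\n",
            v, integerAbsOfDouble(v), floatingAbsOfDouble(v),
            absResultsDiffer(v) ? "yes" : "no");
    }
    return 0;
}
```

Every input with a fractional part, and every input beyond the `int` range, gives a different answer from the two versions; only integral values within range agree, which is why the bug can hide in tests that only use small whole numbers.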
2014-03-14  Oliver Hunt  <oliver@apple.com>

        Reinstate initialiser syntax in for-in loops
        https://bugs.webkit.org/show_bug.cgi?id=130269

        Reviewed by Michael Saboff.

        Disallowing the initialiser broke some sites so this patch re-allows
        the syntax.  We still disallow the syntax in 'of' and pattern based
        enumeration.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::isBindingNode):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseVarDeclarationList):
        (JSC::Parser<LexerType>::parseForStatement):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::operatorStackPop):

2014-03-14  Mark Lam  <mark.lam@apple.com>

        Accessing __lookupGetter__ and __lookupSetter__ should not crash the VM when undefined.
        <https://webkit.org/b/130279>

        Reviewed by Filip Pizlo.

        If neither the getter nor setter are defined, accessing __lookupGetter__
        and __lookupSetter__ will return undefined as expected.  However, if the
        getter is defined but the setter is not, accessing __lookupSetter__ will
        crash the VM.  Similarly, accessing __lookupGetter__ when only the setter
        is defined will crash the VM.

        The reason is because objectProtoFuncLookupGetter() and
        objectProtoFuncLookupSetter() did not check if the getter and setter
        value is non-null before returning it as an EncodedJSValue.  The fix is
        to add the appropriate null checks.

        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):

2014-03-14  Mark Rowe  <mrowe@apple.com>

        Fix the production build.

        Don't rely on USE_INTERNAL_SDK being set for the Production configuration since UseInternalSDK.xcconfig won't
        be at the expected relative path when working from installed source.

        * Configurations/Base.xcconfig:

2014-03-14  Maciej Stachowiak  <mjs@apple.com>

        Replace "Apple Computer, Inc." with "Apple Inc." in copyright headers
        https://bugs.webkit.org/show_bug.cgi?id=130276
        <rdar://problem/16266927>

        Reviewed by Simon Fraser.

        * API/APICast.h:
        * API/JSBase.cpp:
        * API/JSBase.h:
        * API/JSBasePrivate.h:
        * API/JSCallbackConstructor.cpp:
        * API/JSCallbackConstructor.h:
        * API/JSCallbackFunction.cpp:
        * API/JSCallbackFunction.h:
        * API/JSCallbackObject.cpp:
        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        * API/JSClassRef.cpp:
        * API/JSClassRef.h:
        * API/JSContextRef.cpp:
        * API/JSContextRef.h:
        * API/JSContextRefPrivate.h:
        * API/JSObjectRef.cpp:
        * API/JSObjectRef.h:
        * API/JSProfilerPrivate.cpp:
        * API/JSProfilerPrivate.h:
        * API/JSRetainPtr.h:
        * API/JSStringRef.cpp:
        * API/JSStringRef.h:
        * API/JSStringRefBSTR.cpp:
        * API/JSStringRefBSTR.h:
        * API/JSStringRefCF.cpp:
        * API/JSStringRefCF.h:
        * API/JSValueRef.cpp:
        * API/JSValueRef.h:
        * API/JavaScript.h:
        * API/JavaScriptCore.h:
        * API/OpaqueJSString.cpp:
        * API/OpaqueJSString.h:
        * API/tests/JSNode.c:
        * API/tests/JSNode.h:
        * API/tests/JSNodeList.c:
        * API/tests/JSNodeList.h:
        * API/tests/Node.c:
        * API/tests/Node.h:
        * API/tests/NodeList.c:
        * API/tests/NodeList.h:
        * API/tests/minidom.c:
        * API/tests/minidom.js:
        * API/tests/testapi.c:
        * API/tests/testapi.js:
        * DerivedSources.make:
        * bindings/ScriptValue.cpp:
        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        * bytecode/EvalCodeCache.h:
        * bytecode/Instruction.h:
        * bytecode/JumpTable.cpp:
        * bytecode/JumpTable.h:
        * bytecode/Opcode.cpp:
        * bytecode/Opcode.h:
        * bytecode/SamplingTool.cpp:
        * bytecode/SamplingTool.h:
        * bytecode/SpeculatedType.cpp:
        * bytecode/SpeculatedType.h:
        * bytecode/ValueProfile.h:
        * bytecompiler/BytecodeGenerator.cpp:
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/Label.h:
        * bytecompiler/LabelScope.h:
        * bytecompiler/RegisterID.h:
        * debugger/DebuggerCallFrame.cpp:
        * debugger/DebuggerCallFrame.h:
        * dfg/DFGDesiredStructureChains.cpp:
        * dfg/DFGDesiredStructureChains.h:
        * heap/GCActivityCallback.cpp:
        * heap/GCActivityCallback.h:
        * inspector/ConsoleMessage.cpp:
        * inspector/ConsoleMessage.h:
        * inspector/IdentifiersFactory.cpp:
        * inspector/IdentifiersFactory.h:
        * inspector/InjectedScriptManager.cpp:
        * inspector/InjectedScriptManager.h:
        * inspector/InjectedScriptSource.js:
        * inspector/ScriptBreakpoint.h:
        * inspector/ScriptDebugListener.h:
        * inspector/ScriptDebugServer.cpp:
        * inspector/ScriptDebugServer.h:
        * inspector/agents/InspectorAgent.cpp:
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        * inspector/agents/InspectorDebuggerAgent.h:
        * interpreter/Interpreter.cpp:
        * interpreter/Interpreter.h:
        * interpreter/JSStack.cpp:
        * interpreter/JSStack.h:
        * interpreter/Register.h:
        * jit/CompactJITCodeMap.h:
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/JITStubsARM.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:
        * os-win32/stdbool.h:
        * parser/SourceCode.h:
        * parser/SourceProvider.h:
        * profiler/LegacyProfiler.cpp:
        * profiler/LegacyProfiler.h:
        * profiler/ProfileNode.cpp:
        * profiler/ProfileNode.h:
        * runtime/ArrayBufferView.cpp:
        * runtime/ArrayBufferView.h:
        * runtime/BatchedTransitionOptimizer.h:
        * runtime/CallData.h:
        * runtime/ConstructData.h:
        * runtime/DumpContext.cpp:
        * runtime/DumpContext.h:
        * runtime/ExceptionHelpers.cpp:
        * runtime/ExceptionHelpers.h:
        * runtime/InitializeThreading.cpp:
        * runtime/InitializeThreading.h:
        * runtime/IntegralTypedArrayBase.h:
        * runtime/IntendedStructureChain.cpp:
        * runtime/IntendedStructureChain.h:
        * runtime/JSActivation.cpp:
        * runtime/JSActivation.h:
        * runtime/JSExportMacros.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSNotAnObject.h:
        * runtime/JSPropertyNameIterator.cpp:
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSSegmentedVariableObject.cpp:
        * runtime/JSSegmentedVariableObject.h:
        * runtime/JSSymbolTableObject.cpp:
        * runtime/JSSymbolTableObject.h:
        * runtime/JSTypeInfo.h:
        * runtime/JSVariableObject.cpp:
        * runtime/JSVariableObject.h:
        * runtime/PropertyTable.cpp:
        * runtime/PutPropertySlot.h:
        * runtime/SamplingCounter.cpp:
        * runtime/SamplingCounter.h:
        * runtime/Structure.cpp:
        * runtime/Structure.h:
        * runtime/StructureChain.cpp:
        * runtime/StructureChain.h:
        * runtime/StructureInlines.h:
        * runtime/StructureTransitionTable.h:
        * runtime/SymbolTable.cpp:
        * runtime/SymbolTable.h:
        * runtime/TypedArrayBase.h:
        * runtime/TypedArrayType.cpp:
        * runtime/TypedArrayType.h:
        * runtime/VM.cpp:
        * runtime/VM.h:
        * yarr/RegularExpression.cpp:
        * yarr/RegularExpression.h:

2014-03-14  Filip Pizlo  <fpizlo@apple.com>

        Final FTL iOS build magic
        https://bugs.webkit.org/show_bug.cgi?id=130281

        Reviewed by Michael Saboff.

        * Configurations/Base.xcconfig: For now our LLVM headers are in /usr/local/LLVMForJavaScriptCore/include, which is the same as OS X.
        * Configurations/LLVMForJSC.xcconfig: We need to be more careful about how we specify library paths if we want to get the prioritization right. Also we need protobuf because things. :-/

2014-03-14  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Gracefully handle nil name -[JSContext setName:]
        https://bugs.webkit.org/show_bug.cgi?id=130262

        Reviewed by Mark Hahnenberg.

        * API/JSContext.mm:
        (-[JSContext setName:]):
        Gracefully handle nil input.

        * API/tests/testapi.c:
        (globalContextNameTest):
        * API/tests/testapi.mm:
        Test for nil / NULL names in the ObjC and C APIs.

2014-03-11  Oliver Hunt  <oliver@apple.com>

        Improve dom error messages
        https://bugs.webkit.org/show_bug.cgi?id=130103

        Reviewed by Andreas Kling.

        Add new helper function.

        * runtime/Error.h:
        (JSC::throwVMTypeError):

2014-03-14  László Langó  <llango.u-szeged@partner.samsung.com>

        Remove unused method declaration.
        https://bugs.webkit.org/show_bug.cgi?id=130238

        Reviewed by Filip Pizlo.

        The implementation of CallFrame::dumpCaller was removed in
        http://trac.webkit.org/changeset/153183, but the declaration of it was not.

        * interpreter/CallFrame.h:
        Remove CallFrame::dumpCaller() method declaration.

2014-03-12  Sergio Villar Senin  <svillar@igalia.com>

        Rename DEFINE_STATIC_LOCAL to DEPRECATED_DEFINE_STATIC_LOCAL
        https://bugs.webkit.org/show_bug.cgi?id=129612

        Reviewed by Darin Adler.

        For new code use static NeverDestroyed<T> instead.

        * API/JSAPIWrapperObject.mm:
        (jsAPIWrapperObjectHandleOwner):
        * API/JSManagedValue.mm:
        (managedValueHandleOwner):
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::objectGroupForBreakpointAction):
        * inspector/scripts/CodeGeneratorInspectorStrings.py:
        * interpreter/JSStack.cpp:
        (JSC::stackStatisticsMutex):
        * jit/ExecutableAllocator.cpp:
        (JSC::DemandExecutableAllocator::allocators):

2014-03-12  Gavin Barraclough  <barraclough@apple.com>

        Reduce memory use for static property maps
        https://bugs.webkit.org/show_bug.cgi?id=129986

        Reviewed by Andreas Kling.

        Static property tables are currently duplicated on first use from read-only memory into dirty memory
        in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse
        (we use a custom hash table without a rehash) a lot of memory may be wasted.

        First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps
        from string hashes to indices into a densely packed array of values. Compute the index table at
        compile time as a part of the derived sources step, such that this may be read-only data.

        Second, don't copy all data from the HashTableValue array into a HashEntry objects. Instead refer
        directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the
        keys, which are Identifiers.

        * create_hash_table:
            - emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep).
        * parser/Lexer.cpp:
        (JSC::Lexer<LChar>::parseIdentifier):
        (JSC::Lexer<UChar>::parseIdentifier):
        (JSC::Lexer<T>::parseIdentifierSlowCase):
            - HashEntry -> HashTableValue.
        * parser/Lexer.h:
        (JSC::Keywords::getKeyword):
            - HashEntry -> HashTableValue.
        * runtime/ClassInfo.h:
            - removed HashEntry.
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
            - use HashTable::ConstIterator.
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::findPropertyHashEntry):
            - HashEntry -> HashTableValue.
        (JSC::JSObject::reifyStaticFunctionsForDelete):
            - changed HashTable::ConstIterator interface.
        * runtime/JSObject.h:
            - HashEntry -> HashTableValue.
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):
            - table -> keys, keys array is now densely packed.
        (JSC::HashTable::deleteTable):
            - table -> keys.
        (JSC::setUpStaticFunctionSlot):
            - HashEntry -> HashTableValue.
        * runtime/Lookup.h:
        (JSC::HashTableValue::builtinGenerator):
        (JSC::HashTableValue::function):
        (JSC::HashTableValue::functionLength):
        (JSC::HashTableValue::propertyGetter):
        (JSC::HashTableValue::propertyPutter):
        (JSC::HashTableValue::lexerValue):
            - added accessor methods from HashEntry.
        (JSC::HashTable::copy):
            - fields changed.
        (JSC::HashTable::initializeIfNeeded):
            - table -> keys.
        (JSC::HashTable::entry):
            - HashEntry -> HashTableValue.
        (JSC::HashTable::ConstIterator::ConstIterator):
            - iterate packed value array, so no need to skipInvalidKeys().
        (JSC::HashTable::ConstIterator::value):
        (JSC::HashTable::ConstIterator::key):
        (JSC::HashTable::ConstIterator::operator->):
            - accessors now get HashTableValue/StringImpl* separately.
        (JSC::HashTable::ConstIterator::operator++):
            - iterate packed value array, so no need to skipInvalidKeys().
        (JSC::HashTable::end):
            - end is now size of dense not sparse array.
        (JSC::getStaticPropertySlot):
        (JSC::getStaticFunctionSlot):
        (JSC::getStaticValueSlot):
        (JSC::putEntry):
        (JSC::lookupPut):
            - HashEntry -> HashTableValue.

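An added, self-contained sketch of the table layout this change describes (it is not the output of WebKit's `create_hash_table` nor code from JSC's `Lookup.h`; the hash function, the `int16_t` slot layout and the sample keys are constructed for the example): the sparse part becomes a compact index of (value index, next) pairs, the values stay in one densely packed array, and because neither array is modified after generation both can be emitted as const data and shared read-only between processes instead of being copied into dirty memory on first use.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// One static property as the generated value array stores it. An int stands
// in for the function pointer, attributes and length JSC keeps per entry.
struct HashTableValue {
    const char* key;
    int value;
};

// One slot of the compact index: which packed value lives here and the next
// slot of the same collision chain (-1 terminates). Four bytes per slot,
// against the 48-byte entries the ChangeLog mentions.
struct IndexEntry {
    int16_t valueIndex;
    int16_t next;
};

// Generator and lookup must hash identically; this djb2-style hash is a
// constructed stand-in, not JSC's string hash.
inline uint32_t hashKey(const char* key)
{
    uint32_t h = 5381;
    for (; *key; ++key)
        h = h * 33 + static_cast<unsigned char>(*key);
    return h;
}

// The generator step. In JSC this runs in create_hash_table at build time and
// the result is emitted as const data; here it is a plain function so the
// example runs on its own. compactSize must be a power of two.
inline std::vector<IndexEntry> buildIndex(const HashTableValue* values, size_t count, size_t compactSize)
{
    std::vector<IndexEntry> index(compactSize, IndexEntry { -1, -1 });
    for (size_t i = 0; i < count; ++i) {
        size_t slot = hashKey(values[i].key) & (compactSize - 1);
        if (index[slot].valueIndex == -1) {
            index[slot].valueIndex = static_cast<int16_t>(i);
            continue;
        }
        // Collision: walk to the end of the chain, then append an overflow slot.
        while (index[slot].next != -1)
            slot = index[slot].next;
        index.push_back(IndexEntry { static_cast<int16_t>(i), -1 });
        index[slot].next = static_cast<int16_t>(index.size() - 1);
    }
    return index;
}

// Lookup over the two immutable arrays: follow the chain, compare keys and
// return a pointer into the packed values rather than copying into a HashEntry.
inline const HashTableValue* lookup(const HashTableValue* values, const std::vector<IndexEntry>& index,
    size_t compactSize, const char* key)
{
    int slot = static_cast<int>(hashKey(key) & (compactSize - 1));
    while (slot != -1) {
        const IndexEntry& entry = index[slot];
        if (entry.valueIndex == -1)
            return nullptr;
        if (std::strcmp(values[entry.valueIndex].key, key) == 0)
            return &values[entry.valueIndex];
        slot = entry.next;
    }
    return nullptr;
}

// Longest chain in the index, the quantity the generator checks so that
// chaining does not get too deep.
inline size_t maxChainDepth(const std::vector<IndexEntry>& index, size_t compactSize)
{
    size_t worst = 0;
    for (size_t s = 0; s < compactSize; ++s) {
        size_t depth = 0;
        for (int slot = static_cast<int>(s); slot != -1 && index[slot].valueIndex != -1; slot = index[slot].next)
            ++depth;
        if (depth > worst)
            worst = depth;
    }
    return worst;
}

// Constructed sample table in the style of a prototype's static methods.
static const HashTableValue kSampleValues[] = {
    { "toString", 1 }, { "valueOf", 2 }, { "hasOwnProperty", 3 },
    { "isPrototypeOf", 4 }, { "propertyIsEnumerable", 5 }, { "constructor", 6 },
};
static const size_t kSampleCount = sizeof(kSampleValues) / sizeof(kSampleValues[0]);
static const size_t kCompactSize = 8;

// Look a key up in the sample table; returns its value or -1 when absent.
inline int sampleLookup(const char* key)
{
    static const std::vector<IndexEntry> index = buildIndex(kSampleValues, kSampleCount, kCompactSize);
    const HashTableValue* v = lookup(kSampleValues, index, kCompactSize, key);
    return v ? v->value : -1;
}
```

The runtime-allocated part the ChangeLog keeps (the `Identifier` keys) is not modelled; everything shown here is data that never changes after generation, which is the property that lets it stay in read-only pages.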
2014-03-13  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Mac no-FTL build.

        * llvm/library/LLVMExports.cpp:
        (initializeAndGetJSCLLVMAPI):

2014-03-13  Juergen Ributzka  <juergen@apple.com>

        Only export initializeAndGetJSCLLVMAPI from libllvmForJSC.dylib
        https://bugs.webkit.org/show_bug.cgi?id=130224

        Reviewed by Filip Pizlo.

        This limits the exported symbols to only initializeAndGetJSCLLVMAPI from
        the LLVM dylib. This allows the dylib to be safely used with other LLVM
        dylibs on the same system. It also reduces the dynamic linking overhead
        and also reduces the size by 6MB, because the linker can now dead strip
        many unused functions.

        * Configurations/LLVMForJSC.xcconfig:

2014-03-13  Andreas Kling  <akling@apple.com>

        VM::discardAllCode() should clear the RegExp cache.
        <https://webkit.org/b/130144>

        Reviewed by Michael Saboff.

        * runtime/VM.cpp:
        (JSC::VM::discardAllCode):

2014-03-13  Andreas Kling  <akling@apple.com>

        Revert "Short-circuit JSGlobalObjectInspectorController when not inspecting."
        <https://webkit.org/b/129995>

        This code path is not taken anymore on DYEB, and I can't explain why
        it was showing up in my profiles. Backing it out per JoePeck's suggestion.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):

2014-03-13  Filip Pizlo  <fpizlo@apple.com>

        FTL should support IsBlah
        https://bugs.webkit.org/show_bug.cgi?id=130202

        Reviewed by Geoffrey Garen.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileIsUndefined):
        (JSC::FTL::LowerDFGToLLVM::compileIsBoolean):
        (JSC::FTL::LowerDFGToLLVM::compileIsNumber):
        (JSC::FTL::LowerDFGToLLVM::compileIsString):
        (JSC::FTL::LowerDFGToLLVM::compileIsObject):
        (JSC::FTL::LowerDFGToLLVM::compileIsFunction):
        (JSC::FTL::LowerDFGToLLVM::compileStoreBarrier):
        (JSC::FTL::LowerDFGToLLVM::compileStoreBarrierWithNullCheck):
        (JSC::FTL::LowerDFGToLLVM::isNotCellOrMisc):
        (JSC::FTL::LowerDFGToLLVM::isNumber):
        (JSC::FTL::LowerDFGToLLVM::isNotNumber):
        (JSC::FTL::LowerDFGToLLVM::isBoolean):
        * ftl/FTLOSRExitCompiler.cpp:
        * tests/stress/is-undefined-exit-on-masquerader.js: Added.
        (bar):
        (foo):
        (test):
        * tests/stress/is-undefined-jettison-on-masquerader.js: Added.
        (foo):
        (test):
        * tests/stress/is-undefined-masquerader.js: Added.
        (foo):
        (test):

2014-03-13  Mark Lam  <mark.lam@apple.com>

        JS benchmarks crash with a bus error on 32-bit x86.
        <https://webkit.org/b/130203>

        Reviewed by Geoffrey Garen.

        The issue is that generateGetByIdStub() can potentially use the same register
        for the JSValue base register and the target tag register.  After loading the
        tag value into the target tag register, the JSValue base address is lost.
        The code then proceeds to load the payload value using the base register, and
        this results in a crash.

        The fix is to check if the base register is the same as the target tag register.
        If so, we should make a copy of the base register first before loading the tag
        value, and use the copy to load the payload value instead.

        * jit/Repatch.cpp:
        (JSC::generateGetByIdStub):

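The register-aliasing bug described above, reproduced in a toy machine model added here (this is not JSC's `generateGetByIdStub`, which emits real machine code through the MacroAssembler). The register numbers, the cell address 0x1000 and the tag/payload words are constructed for the example, and a load from an unmapped address stands in for the bus error.

```cpp
#include <array>
#include <cstdint>
#include <cstdio>
#include <map>
#include <stdexcept>

// Toy 32-bit JSValue cell: on 32-bit x86 JSC keeps the tag and the payload in
// two separate machine words, so reading a value takes two loads.
struct JSValue32 {
    uint32_t tag;
    uint32_t payload;
};

// Tiny machine model: eight 32-bit registers and a sparse memory map. A load
// from an unmapped address throws, modelling the bus error.
struct Machine {
    std::array<uint32_t, 8> regs {};
    std::map<uint32_t, JSValue32> memory;

    const JSValue32& cellAt(uint32_t address) const
    {
        auto it = memory.find(address);
        if (it == memory.end())
            throw std::runtime_error("bus error: load from unmapped address");
        return it->second;
    }
};

// Pre-fix emission order: load the tag into tagReg, then load the payload
// through baseReg. When tagReg == baseReg the first load destroys the base
// address and the second load dereferences the tag bits instead.
inline void loadValueNaive(Machine& m, int baseReg, int tagReg, int payloadReg)
{
    m.regs[tagReg] = m.cellAt(m.regs[baseReg]).tag;
    m.regs[payloadReg] = m.cellAt(m.regs[baseReg]).payload;
}

// Fixed emission order: if the base register is also the tag target, copy the
// base address into a scratch register first and load the payload through the
// copy. Non-aliasing register choices keep the two-load sequence unchanged.
inline void loadValueFixed(Machine& m, int baseReg, int tagReg, int payloadReg, int scratchReg)
{
    int payloadBase = baseReg;
    if (baseReg == tagReg) {
        m.regs[scratchReg] = m.regs[baseReg];
        payloadBase = scratchReg;
    }
    m.regs[tagReg] = m.cellAt(m.regs[baseReg]).tag;
    m.regs[payloadReg] = m.cellAt(m.regs[payloadBase]).payload;
}

// Constructed scenario: one cell at 0x1000 whose tag word is not a mapped
// address, with the base address held in register 0.
inline Machine makeScenario()
{
    Machine m;
    m.memory[0x1000] = JSValue32 { 0xFFFFFFFBu, 42u };
    m.regs[0] = 0x1000;
    return m;
}

// True if the pre-fix sequence faults when base and tag registers alias.
inline bool naiveFaultsWhenAliased()
{
    Machine m = makeScenario();
    try {
        loadValueNaive(m, /*base*/ 0, /*tag*/ 0, /*payload*/ 1);
    } catch (const std::runtime_error&) {
        return true;
    }
    return false;
}

// Payload produced by the fixed sequence when base and tag registers alias.
inline uint32_t fixedPayloadWhenAliased()
{
    Machine m = makeScenario();
    loadValueFixed(m, /*base*/ 0, /*tag*/ 0, /*payload*/ 1, /*scratch*/ 2);
    return m.regs[1];
}

// Payload produced by the pre-fix sequence with distinct registers, showing
// that the bug only appears under aliasing.
inline uint32_t naivePayloadWhenDistinct()
{
    Machine m = makeScenario();
    loadValueNaive(m, /*base*/ 0, /*tag*/ 1, /*payload*/ 2);
    return m.regs[2];
}

int main()
{
    std::printf("naive, aliased: %s\n", naiveFaultsWhenAliased() ? "fault" : "ok");
    std::printf("fixed, aliased: payload=%u\n", static_cast<unsigned>(fixedPayloadWhenAliased()));
    std::printf("naive, distinct: payload=%u\n", static_cast<unsigned>(naivePayloadWhenDistinct()));
    return 0;
}
```

The model makes the failure deterministic; on real hardware the dereferenced tag bits are whatever the type tag happens to be, which is why the crash showed up as a bus error on 32-bit builds only.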
2014-03-12  Filip Pizlo  <fpizlo@apple.com>

        WebKit shouldn't crash on uniprocessor machines
        https://bugs.webkit.org/show_bug.cgi?id=130176

        Reviewed by Michael Saboff.

        Previously the math for computing the number of JIT compiler threads would come up with
        zero threads on uniprocessor machines, and then the Worklist code would assert.

        * runtime/Options.cpp:
        (JSC::computeNumberOfWorkerThreads):
        * runtime/Options.h:

2014-03-13  Radu Stavila  <stavila@adobe.com>

        Webkit not building on XCode 5.1 due to garbage collection no longer being supported
        https://bugs.webkit.org/show_bug.cgi?id=130087

        Reviewed by Mark Rowe.

        Disable garbage collection on macosx when not using internal SDK.

        * Configurations/Base.xcconfig:

2014-03-10  Darin Adler  <darin@apple.com>

        Avoid copy-prone idiom "for (auto item : collection)"
        https://bugs.webkit.org/show_bug.cgi?id=129990

        Reviewed by Geoffrey Garen.

        * heap/CodeBlockSet.h:
        (JSC::CodeBlockSet::iterate): Use auto& to be sure we don't copy by accident.
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::dispatchBreakpointActionLog): Use auto* to
        make explicit that we are iterating through pointers.
        (Inspector::ScriptDebugServer::dispatchBreakpointActionSound): Ditto.
        (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe): Ditto.
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::removeBreakpoint): Use auto&, and also
        get rid of an unneeded local variable.

2014-03-13  Brian Burg  <bburg@apple.com>

        Web Inspector: Remove unused callId parameter from evaluateInWebInspector
        https://bugs.webkit.org/show_bug.cgi?id=129744

        Reviewed by Timothy Hatcher.

        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::enable):
        (Inspector::InspectorAgent::evaluateForTestInFrontend):
        * inspector/agents/InspectorAgent.h:
        * inspector/protocol/InspectorDomain.json:

2014-03-11  Filip Pizlo  <fpizlo@apple.com>

        ASSERTION FAILED: node->op() == Phi || node->op() == SetArgument
        https://bugs.webkit.org/show_bug.cgi?id=130069

        Reviewed by Geoffrey Garen.

        This was a great assertion, and it represents our strictest interpretation of the rules of
        our intermediate representation. However, fixing DCE to actually preserve the relevant
        property would be hard, and it wouldn't have an observable effect right now because nobody
        actually uses the property of CPS that this assertion is checking for.

        In particular, we do always require, and rely on, the fact that non-captured variables
        have variablesAtTail refer to the last interesting use of the variable: a SetLocal if the
        block assigns to the variable, a GetLocal if it only reads from it, and a Flush,
        PhantomLocal, or Phi otherwise. We do preserve this property successfully and DCE was not
        broken in this regard. But, in the strictest sense, CPS also means that for captured
        variables, variablesAtTail also continues to point to the last relevant use of the
        variable. In particular, if there are multiple GetLocals, then it should point to the last
        one. This is hard for DCE to preserve. Also, nobody relies on variablesAtTail for captured
        variables, except to check the VariableAccessData; but in that case, we don't really need
        the *last* relevant use of the variable - any node that mentions the same variable will do
        just fine.

        So, this change loosens the assertion and adds a detailed FIXME describing what we would
        have to do if we wanted to preserve the more strict property.

        This also makes changes to various debug printing paths so that validation doesn't crash
        during graph dump. This also adds tests for the interesting cases of DCE failing to
        preserve CPS in the strictest sense. This also attempts to win the record for longest test
        name.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::hashAsStringIfPossible):
        (JSC::CodeBlock::dumpAssumingJITType):
        * bytecode/CodeBlock.h:
        * bytecode/CodeOrigin.cpp:
        (JSC::InlineCallFrame::hashAsStringIfPossible):
        (JSC::InlineCallFrame::dumpBriefFunctionInformation):
        * bytecode/CodeOrigin.h:
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::run):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::cleanVariables):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
        * runtime/FunctionExecutableDump.cpp:
        (JSC::FunctionExecutableDump::dump):
        * tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store-in-function-with-multiple-basic-blocks.js: Added.
        (foo):
        * tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store.js: Added.
        (foo):

2014-03-12  Brian Burg  <bburg@apple.com>

        Web Replay: add infrastructure for memoizing nondeterministic DOM APIs
        https://bugs.webkit.org/show_bug.cgi?id=129445

        Reviewed by Timothy Hatcher.

        There was a bug in the replay inputs code generator that would include
        headers for definitions of enum classes, even though they can be safely
        forward-declared.

        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Generator.generate_includes): Only include for copy constructor if the
        type is a heavy scalar (i.e., String, URL), not a normal scalar
        (i.e., int, double, enum classes).

        (Generator.generate_type_forward_declarations): Forward-declare scalars
        that are enums or enum classes.

2014-03-12  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Disable REMOTE_INSPECTOR in earlier OS X releases
        https://bugs.webkit.org/show_bug.cgi?id=130118

        Reviewed by Timothy Hatcher.

        * Configurations/FeatureDefines.xcconfig:

2014-03-12  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Hang in Remote Inspection triggering breakpoint from console
        https://bugs.webkit.org/show_bug.cgi?id=130032

        Reviewed by Timothy Hatcher.

        * inspector/EventLoop.h:
        * inspector/EventLoop.cpp:
        (Inspector::EventLoop::remoteInspectorRunLoopMode):
        (Inspector::EventLoop::cycle):
        Expose the run loop mode name so it can be used if needed by others.

        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorBlock::RemoteInspectorBlock):
        (Inspector::RemoteInspectorBlock::~RemoteInspectorBlock):
        (Inspector::RemoteInspectorBlock::operator=):
        (Inspector::RemoteInspectorBlock::operator()):
        (Inspector::RemoteInspectorQueueTask):
        Instead of a dispatch_queue, have our own static Vector of debugger tasks.

        (Inspector::RemoteInspectorHandleRunSource):
        (Inspector::RemoteInspectorInitializeQueue):
        Initialize the static queue and run loop source. When the run loop source
        fires, it will exhaust the queue of debugger messages.

        (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
        (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
        When we get a debuggable connection add a run loop source for inspector commands.

        (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
        (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
        Enqueue blocks on our Vector instead of our dispatch_queue.

2014-03-12  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r165482.
        https://bugs.webkit.org/show_bug.cgi?id=130157

        Broke the windows build; "error C2466: cannot allocate an
        array of constant size 0" (Requested by jernoble on #webkit).

        Reverted changeset:

        "Reduce memory use for static property maps"
        https://bugs.webkit.org/show_bug.cgi?id=129986
        http://trac.webkit.org/changeset/165482

2014-03-12  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove HandleSet::m_nextToFinalize
        https://bugs.webkit.org/show_bug.cgi?id=130109

        Reviewed by Mark Lam.

        This is a remnant of when HandleSet contained things that needed to be finalized.

        * heap/HandleSet.cpp:
        (JSC::HandleSet::HandleSet):
        (JSC::HandleSet::writeBarrier):
        * heap/HandleSet.h:
        (JSC::HandleSet::allocate):
        (JSC::HandleSet::deallocate):

2014-03-12  Mark Hahnenberg  <mhahnenberg@apple.com>

        Layout Test fast/workers/worker-gc.html is failing
        https://bugs.webkit.org/show_bug.cgi?id=130135

        Reviewed by Geoffrey Garen.

        When removing MarkedBlocks, we always expect them to be in the MarkedAllocator's
        main list of blocks, i.e. not in the retired list. When shutting down the VM this
        wasn't always the case which was causing ASSERTs to fire. We should rearrange things
        so that allocators are notified with lastChanceToFinalize. This will give them
        the chance to move their retired blocks back into the main list before removing them all.

        * heap/MarkedAllocator.cpp:
        (JSC::LastChanceToFinalize::operator()):
        (JSC::MarkedAllocator::lastChanceToFinalize):
        * heap/MarkedAllocator.h:
        * heap/MarkedSpace.cpp:
        (JSC::LastChanceToFinalize::operator()):
        (JSC::MarkedSpace::lastChanceToFinalize):

2014-03-12  Gavin Barraclough  <barraclough@apple.com>

        Reduce memory use for static property maps
        https://bugs.webkit.org/show_bug.cgi?id=129986

        Reviewed by Andreas Kling.

        Static property tables are currently duplicated on first use from read-only memory into dirty memory
        in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse
        (we use a custom hash table without a rehash) a lot of memory may be wasted.

        First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps
        from string hashes to indices into a densely packed array of values. Compute the index table at
        compile time as a part of the derived sources step, such that this may be read-only data.

        Second, don't copy all data from the HashTableValue array into a HashEntry objects. Instead refer
        directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the
        keys, which are Identifiers.

        * create_hash_table:
            - emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep).
        * parser/Lexer.cpp:
        (JSC::Lexer<LChar>::parseIdentifier):
        (JSC::Lexer<UChar>::parseIdentifier):
        (JSC::Lexer<T>::parseIdentifierSlowCase):
            - HashEntry -> HashTableValue.
        * parser/Lexer.h:
        (JSC::Keywords::getKeyword):
            - HashEntry -> HashTableValue.
        * runtime/ClassInfo.h:
            - removed HashEntry.
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
            - use HashTable::ConstIterator.
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::findPropertyHashEntry):
            - HashEntry -> HashTableValue.
        (JSC::JSObject::reifyStaticFunctionsForDelete):
            - changed HashTable::ConstIterator interface.
        * runtime/JSObject.h:
            - HashEntry -> HashTableValue.
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):
            - table -> keys, keys array is now densely packed.
        (JSC::HashTable::deleteTable):
            - table -> keys.
        (JSC::setUpStaticFunctionSlot):
            - HashEntry -> HashTableValue.
        * runtime/Lookup.h:
        (JSC::HashTableValue::builtinGenerator):
        (JSC::HashTableValue::function):
        (JSC::HashTableValue::functionLength):
        (JSC::HashTableValue::propertyGetter):
        (JSC::HashTableValue::propertyPutter):
        (JSC::HashTableValue::lexerValue):
            - added accessor methods from HashEntry.
        (JSC::HashTable::copy):
            - fields changed.
767         (JSC::HashTable::initializeIfNeeded):
768             - table -> keys.
769         (JSC::HashTable::entry):
770             - HashEntry -> HashTableValue.
771         (JSC::HashTable::ConstIterator::ConstIterator):
772             - iterate packed value array, so no need to skipInvalidKeys().
773         (JSC::HashTable::ConstIterator::value):
774         (JSC::HashTable::ConstIterator::key):
775         (JSC::HashTable::ConstIterator::operator->):
776             - accessors now get HashTableValue/StringImpl* separately.
777         (JSC::HashTable::ConstIterator::operator++):
778             - iterate packed value array, so no need to skipInvalidKeys().
779         (JSC::HashTable::end):
780             - end is now size of dense not sparse array.
781         (JSC::getStaticPropertySlot):
782         (JSC::getStaticFunctionSlot):
783         (JSC::getStaticValueSlot):
784         (JSC::putEntry):
785         (JSC::lookupPut):
786             - HashEntry -> HashTableValue.
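
        The two-level layout the entry above describes, as an added illustration that is not JSC's Lookup.h or the output of create_hash_table: values stay in a dense array, and a separate hash index (slot -> value position, plus a chain link) is computed at build time, here with constexpr standing in for the derived-sources step, so that it is constant data a linker can place in a read-only section. The key set, the FNV-1a hash, the slot geometry and the chain-depth bound of 6 are constructed assumptions; the runtime keys that JSC allocates as Identifiers are plain C strings here.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>

namespace statictable {

// One dense value row (JSC's HashTableValue plays this role). "attributes"
// and "payload" are constructed stand-ins for the real per-property data.
struct Value { const char* key; unsigned attributes; int payload; };

constexpr Value kValues[] = {  // constructed sample table
    { "length", 1, 10 }, { "push", 2, 11 }, { "pop", 2, 12 }, { "slice", 2, 13 },
    { "splice", 2, 14 }, { "indexOf", 2, 15 }, { "join", 2, 16 }, { "reverse", 2, 17 },
    { "sort", 2, 18 }, { "concat", 2, 19 },
};
constexpr int kNumValues = sizeof(kValues) / sizeof(kValues[0]);

// Index geometry: the primary region is a power of two so "hash & mask" picks a
// slot; collisions spill into an overflow region of the same size. There is no
// rehash: the capacity is fixed when the table is generated.
constexpr int kPrimary = 16;
constexpr int kMask = kPrimary - 1;
constexpr int kCapacity = 2 * kPrimary;
static_assert(kNumValues <= kPrimary, "primary region must hold every value");

// FNV-1a as a stand-in for WTF's string hasher; generator and runtime lookup
// only have to agree on the function.
constexpr uint32_t hashKey(const char* s) {
    uint32_t h = 2166136261u;
    for (; *s; ++s) h = (h ^ static_cast<unsigned char>(*s)) * 16777619u;
    return h;
}

constexpr bool sameKey(const char* a, const char* b) {
    for (; *a && *a == *b; ++a, ++b) {}
    return *a == *b;
}

// Index slot: position of the value in kValues (-1 = empty) and the next slot
// in this chain (-1 = end of chain).
struct Slot { int16_t value; int16_t next; };
struct IndexTable { Slot slots[kCapacity]; int maxChain; };

// The generator step. Each value is hashed into the primary region; on a
// collision it is appended to that slot's chain using a fresh overflow slot.
// maxChain is recorded so the build can refuse a table whose chains got too deep.
constexpr IndexTable buildIndex() {
    IndexTable t{};
    for (int i = 0; i < kCapacity; ++i) t.slots[i] = Slot{ -1, -1 };
    int nextFree = kPrimary;
    t.maxChain = 0;
    for (int v = 0; v < kNumValues; ++v) {
        int slot = static_cast<int>(hashKey(kValues[v].key) & kMask);
        int depth = 1;
        if (t.slots[slot].value != -1) {
            while (t.slots[slot].next != -1) { slot = t.slots[slot].next; ++depth; }
            t.slots[slot].next = static_cast<int16_t>(nextFree);
            slot = nextFree++;
            ++depth;
        }
        t.slots[slot].value = static_cast<int16_t>(v);
        if (depth > t.maxChain) t.maxChain = depth;
    }
    return t;
}

// Evaluated at compile time: immutable data shared by every process instead of
// a per-process copy in dirty memory. The depth bound of 6 is a constructed
// quality bar for the generator.
constexpr IndexTable kIndex = buildIndex();
static_assert(kIndex.maxChain <= 6, "regenerate with a larger table: chains too deep");

// Runtime lookup: walk the chain from hash & mask, comparing against the dense
// array's key only at each visited slot.
inline const Value* lookup(const char* key) {
    uint32_t h = hashKey(key);
    for (int slot = static_cast<int>(h & kMask); slot != -1; slot = kIndex.slots[slot].next) {
        int v = kIndex.slots[slot].value;
        if (v == -1) return nullptr;  // empty primary slot: key cannot be present
        if (sameKey(kValues[v].key, key)) return &kValues[v];
    }
    return nullptr;
}

// Payload of a key, or -1 when the key is not in the table.
inline int payloadOf(const char* key) { const Value* v = lookup(key); return v ? v->payload : -1; }

}  // namespace statictable

int main() {
    const statictable::Value* v = statictable::lookup("push");
    std::printf("push -> payload %d, longest chain %d\n", v ? v->payload : -1, statictable::kIndex.maxChain);
    return 0;
}
```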
787
788 2014-03-11  Filip Pizlo  <fpizlo@apple.com>
789
790         It should be possible to build WebKit with FTL on iOS
791         https://bugs.webkit.org/show_bug.cgi?id=130116
792
793         Reviewed by Dan Bernstein.
794
795         * Configurations/Base.xcconfig:
796
797 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
798
799         GetById list caching should use something object-oriented rather than PolymorphicAccessStructureList
800         https://bugs.webkit.org/show_bug.cgi?id=129778
801
802         Reviewed by Geoffrey Garen.
803         
804         Also deduplicate the GetById getter call caching. Also add some small tests for
805         get stubs.
806         
807         This change reduces the amount of code involved in GetById access caching and it
808         creates data structures that can serve as an elegant scaffold for introducing other
809         kinds of caches or improving current caching styles. It will definitely make getter
810         performance improvements easier to implement.
811
812         * CMakeLists.txt:
813         * GNUmakefile.list.am:
814         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
815         * JavaScriptCore.xcodeproj/project.pbxproj:
816         * bytecode/CodeBlock.cpp:
817         (JSC::CodeBlock::printGetByIdCacheStatus):
818         * bytecode/GetByIdStatus.cpp:
819         (JSC::GetByIdStatus::computeForStubInfo):
820         * bytecode/PolymorphicGetByIdList.cpp: Added.
821         (JSC::GetByIdAccess::GetByIdAccess):
822         (JSC::GetByIdAccess::~GetByIdAccess):
823         (JSC::GetByIdAccess::fromStructureStubInfo):
824         (JSC::GetByIdAccess::visitWeak):
825         (JSC::PolymorphicGetByIdList::PolymorphicGetByIdList):
826         (JSC::PolymorphicGetByIdList::from):
827         (JSC::PolymorphicGetByIdList::~PolymorphicGetByIdList):
828         (JSC::PolymorphicGetByIdList::currentSlowPathTarget):
829         (JSC::PolymorphicGetByIdList::addAccess):
830         (JSC::PolymorphicGetByIdList::isFull):
831         (JSC::PolymorphicGetByIdList::isAlmostFull):
832         (JSC::PolymorphicGetByIdList::didSelfPatching):
833         (JSC::PolymorphicGetByIdList::visitWeak):
834         * bytecode/PolymorphicGetByIdList.h: Added.
835         (JSC::GetByIdAccess::GetByIdAccess):
836         (JSC::GetByIdAccess::isSet):
837         (JSC::GetByIdAccess::operator!):
838         (JSC::GetByIdAccess::type):
839         (JSC::GetByIdAccess::structure):
840         (JSC::GetByIdAccess::chain):
841         (JSC::GetByIdAccess::chainCount):
842         (JSC::GetByIdAccess::stubRoutine):
843         (JSC::GetByIdAccess::doesCalls):
844         (JSC::PolymorphicGetByIdList::isEmpty):
845         (JSC::PolymorphicGetByIdList::size):
846         (JSC::PolymorphicGetByIdList::at):
847         (JSC::PolymorphicGetByIdList::operator[]):
848         * bytecode/StructureStubInfo.cpp:
849         (JSC::StructureStubInfo::deref):
850         (JSC::StructureStubInfo::visitWeakReferences):
851         * bytecode/StructureStubInfo.h:
852         (JSC::isGetByIdAccess):
853         (JSC::StructureStubInfo::initGetByIdList):
854         * jit/Repatch.cpp:
855         (JSC::generateGetByIdStub):
856         (JSC::tryCacheGetByID):
857         (JSC::patchJumpToGetByIdStub):
858         (JSC::tryBuildGetByIDList):
859         (JSC::tryBuildPutByIdList):
860         * tests/stress/getter.js: Added.
861         (foo):
862         (.o):
863         * tests/stress/polymorphic-prototype-accesses.js: Added.
864         (Foo):
865         (Bar):
866         (foo):
867         * tests/stress/prototype-getter.js: Added.
868         (Foo):
869         (foo):
870         * tests/stress/simple-prototype-accesses.js: Added.
871         (Foo):
872         (foo):
873
874 2014-03-11  Mark Hahnenberg  <mhahnenberg@apple.com>
875
876         MarkedBlocks that are "full enough" shouldn't be swept after EdenCollections
877         https://bugs.webkit.org/show_bug.cgi?id=129920
878
879         Reviewed by Geoffrey Garen.
880
881         This patch introduces the notion of "retiring" MarkedBlocks. We retire a MarkedBlock
882         when the amount of free space in a MarkedBlock drops below a certain threshold.
883         Retired blocks are not considered for sweeping.
884
885         This is profitable because it reduces churn during sweeping. To build a free list, 
886         we have to scan through each cell in a block. After a collection, all objects that 
887         are live in the block will remain live until the next FullCollection, at which time
888         we un-retire all previously retired blocks. Thus, a small number of objects in a block
889         that die during each EdenCollection could cause us to do a disproportionate amount of
890         sweeping for how much free memory we get back.
891
892         This patch looks like a consistent ~2% progression on boyer and is neutral everywhere else.
893
894         * heap/Heap.h:
895         (JSC::Heap::didRetireBlockWithFreeListSize):
896         * heap/MarkedAllocator.cpp:
897         (JSC::MarkedAllocator::tryAllocateHelper):
898         (JSC::MarkedAllocator::removeBlock):
899         (JSC::MarkedAllocator::reset):
900         * heap/MarkedAllocator.h:
901         (JSC::MarkedAllocator::MarkedAllocator):
902         (JSC::MarkedAllocator::forEachBlock):
903         * heap/MarkedBlock.cpp:
904         (JSC::MarkedBlock::sweepHelper):
905         (JSC::MarkedBlock::clearMarksWithCollectionType):
906         (JSC::MarkedBlock::didRetireBlock):
907         * heap/MarkedBlock.h:
908         (JSC::MarkedBlock::willRemoveBlock):
909         (JSC::MarkedBlock::isLive):
910         * heap/MarkedSpace.cpp:
911         (JSC::MarkedSpace::clearNewlyAllocated):
912         (JSC::MarkedSpace::clearMarks):
913         * runtime/Options.h:
914
915 2014-03-11  Andreas Kling  <akling@apple.com>
916
917         Streamline PropertyTable for lookup-only access.
918         <https://webkit.org/b/130060>
919
920         The PropertyTable lookup algorithm was written to support both read
921         and write access. This wasn't actually needed in most places.
922
923         This change adds a PropertyTable::get() that just returns the value
924         type (instead of an insertion iterator.) It also adds an early return
925         for empty tables.
926
927         Finally, up the minimum table capacity from 8 to 16. It was lowered
928         to 8 in order to save memory, but that was before PropertyTables were
929         GC allocated. Nowadays we don't have nearly as many tables, since all
930         the unpinned transitions die off.
931
932         Reviewed by Darin Adler.
933
934         * runtime/PropertyMapHashTable.h:
935         (JSC::PropertyTable::get):
936         * runtime/Structure.cpp:
937         (JSC::Structure::despecifyDictionaryFunction):
938         (JSC::Structure::attributeChangeTransition):
939         (JSC::Structure::get):
940         (JSC::Structure::despecifyFunction):
941         * runtime/StructureInlines.h:
942         (JSC::Structure::get):
943
944 2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>
945
946         REGRESSION(r165407): DoYouEvenBench crashes in DRT
947         https://bugs.webkit.org/show_bug.cgi?id=130066
948
949         Reviewed by Geoffrey Garen.
950
951         The baseline JIT does a conditional store barrier for the put_by_id, but we need 
952         an unconditional store barrier so that we cover the butterfly case as well in emitPutTransitionStub.
953
954         * jit/JIT.h:
955         * jit/JITPropertyAccess.cpp:
956         (JSC::JIT::emit_op_put_by_id):
957         (JSC::JIT::emitWriteBarrier):
958
959 2014-03-10  Mark Lam  <mark.lam@apple.com>
960
961         Resurrect bit-rotted JIT::probe() mechanism.
962         <https://webkit.org/b/130067>
963
964         Reviewed by Geoffrey Garen.
965
966         * jit/JITStubs.cpp:
967         - Added the needed #include <wtf/InlineASM.h>.
968
969 2014-03-10  Joseph Pecoraro  <pecoraro@apple.com>
970
971         Fix typo in EXCLUDED_SOURCE_FILE_NAMES_iphoneos.
972
973         Rubber-stamped by Dan Bernstein.
974
975         * Configurations/JavaScriptCore.xcconfig:
976
977 2014-03-10  Mark Lam  <mark.lam@apple.com>
978
979         r165414 broke the 32-bit x86 tests: ASSERTION FAILED: result != InvalidIndex @ GPRInfo.h:330.
980         <https://webkit.org/b/130065>
981
982         Reviewed by Michael Saboff.
983
984         There is code in ScratchRegisterAllocator.cpp that is relying on GPRInfo::toIndex()
985         being able to return InvalidIndex.  Hence, the assertion is invalid.  Ditto for
986         FPRInfo::toIndex().
987
988         The fix is to remove the "result != InvalidIndex" assertions.
989
990         * jit/FPRInfo.h:
991         (JSC::FPRInfo::toIndex):
992         * jit/GPRInfo.h:
993         (JSC::GPRInfo::toIndex):
994
995 2014-03-10  Mark Lam  <mark.lam@apple.com>
996
997         Crash on a stack overflow on 32-bit x86 in http/tests/websocket/tests/hybi/workers/no-onmessage-in-sync-op.html.
998         <https://webkit.org/b/129955>
999
1000         Reviewed by Geoffrey Garen.
1001
1002         The 32-bit x86 version of getHostCallReturnValue() was leaking 16 bytes of
1003         stack memory every time it was called.  This is now fixed.
1004
1005         * jit/JITOperations.cpp:
1006
1007 2014-03-10  Joseph Pecoraro  <pecoraro@apple.com>
1008
1009         Better JSContext API for named evaluations (other than //# sourceURL)
1010         https://bugs.webkit.org/show_bug.cgi?id=129911
1011
1012         Reviewed by Geoffrey Garen.
1013
1014         * API/JSBase.h:
1015         * API/JSContext.h:
1016         * API/JSContext.mm:
1017         (-[JSContext evaluateScript:]):
1018         (-[JSContext evaluateScript:withSourceURL:]):
1019         Add new evaluateScript:withSourceURL:.
1020
1021         * API/tests/testapi.c:
1022         (main):
1023         * API/tests/testapi.mm:
1024         (testObjectiveCAPI):
1025         Add tests for sourceURL in evaluate APIs. It should
1026         affect the exception objects.
1027
1028 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
1029
1030         Repatch should save and restore all used registers - not just temp ones - when making a call
1031         https://bugs.webkit.org/show_bug.cgi?id=130041
1032
1033         Reviewed by Geoffrey Garen and Mark Hahnenberg.
1034         
1035         The save/restore code was written back when the only client was the DFG, which only uses a
1036         subset of hardware registers: the "temp" registers in our lingo. But the FTL may use many
1037         other registers, especially on ARM64. The fact that Repatch doesn't know to save those can
1038         lead to data corruption on ARM64. 
1039
1040         * jit/RegisterSet.cpp:
1041         (JSC::RegisterSet::calleeSaveRegisters):
1042         (JSC::RegisterSet::numberOfSetGPRs):
1043         (JSC::RegisterSet::numberOfSetFPRs):
1044         * jit/RegisterSet.h:
1045         * jit/Repatch.cpp:
1046         (JSC::storeToWriteBarrierBuffer):
1047         (JSC::emitPutTransitionStub):
1048         * jit/ScratchRegisterAllocator.cpp:
1049         (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
1050         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
1051         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
1052         (JSC::ScratchRegisterAllocator::usedRegistersForCall):
1053         (JSC::ScratchRegisterAllocator::desiredScratchBufferSizeForCall):
1054         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
1055         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
1056         * jit/ScratchRegisterAllocator.h:
1057
1058 2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>
1059
1060         Remove ConditionalStore barrier
1061         https://bugs.webkit.org/show_bug.cgi?id=130040
1062
1063         Reviewed by Geoffrey Garen.
1064
1065         ConditionalStoreBarrier was created when barriers were much more expensive. Now that 
1066         they're cheap(er), we can get rid of them. This also allows us to get rid of the write 
1067         barrier logic in emitPutTransitionStub because we always will have executed a write barrier 
1068         on the base object in the case where we are allocating and storing a new Butterfly into it. 
1069         Previously, a ConditionalStoreBarrier might or might not have barrier-ed the base object, 
1070         so we'd have to emit a write barrier in the transition case.
1071
1072         This is performance neutral on the benchmarks we track.
1073
1074         * dfg/DFGAbstractInterpreterInlines.h:
1075         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1076         * dfg/DFGClobberize.h:
1077         (JSC::DFG::clobberize):
1078         * dfg/DFGConstantFoldingPhase.cpp:
1079         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1080         (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
1081         * dfg/DFGFixupPhase.cpp:
1082         (JSC::DFG::FixupPhase::fixupNode):
1083         (JSC::DFG::FixupPhase::insertStoreBarrier):
1084         * dfg/DFGNode.h:
1085         (JSC::DFG::Node::isStoreBarrier):
1086         * dfg/DFGNodeType.h:
1087         * dfg/DFGPredictionPropagationPhase.cpp:
1088         (JSC::DFG::PredictionPropagationPhase::propagate):
1089         * dfg/DFGSafeToExecute.h:
1090         (JSC::DFG::safeToExecute):
1091         * dfg/DFGSpeculativeJIT.cpp:
1092         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
1093         * dfg/DFGSpeculativeJIT32_64.cpp:
1094         (JSC::DFG::SpeculativeJIT::compile):
1095         * dfg/DFGSpeculativeJIT64.cpp:
1096         (JSC::DFG::SpeculativeJIT::compile):
1097         * ftl/FTLCapabilities.cpp:
1098         (JSC::FTL::canCompile):
1099         * ftl/FTLLowerDFGToLLVM.cpp:
1100         (JSC::FTL::LowerDFGToLLVM::compileNode):
1101         * jit/Repatch.cpp:
1102         (JSC::emitPutTransitionStub):
1103
1104 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
1105
1106         DFG and FTL should know that comparing anything to Misc is cheap and easy
1107         https://bugs.webkit.org/show_bug.cgi?id=130001
1108
1109         Reviewed by Geoffrey Garen.
1110         
1111         - Expand CompareStrictEq(Misc:, Misc:) to work for cases where either side of the
1112           comparison is just Untyped:.
1113         
1114         - This obviates the need for CompareStrictEqConstant, so remove it.
1115         
1116         - FTL had a thing called "Nully" which is really "Other". Rename it and add
1117           OtherUse.
1118         
1119         9% speed-up on box2d.
1120
1121         * dfg/DFGAbstractInterpreterInlines.h:
1122         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1123         * dfg/DFGByteCodeParser.cpp:
1124         (JSC::DFG::ByteCodeParser::parseBlock):
1125         * dfg/DFGClobberize.h:
1126         (JSC::DFG::clobberize):
1127         * dfg/DFGFixupPhase.cpp:
1128         (JSC::DFG::FixupPhase::fixupNode):
1129         * dfg/DFGNode.h:
1130         (JSC::DFG::Node::isBinaryUseKind):
1131         (JSC::DFG::Node::shouldSpeculateOther):
1132         * dfg/DFGNodeType.h:
1133         * dfg/DFGPredictionPropagationPhase.cpp:
1134         (JSC::DFG::PredictionPropagationPhase::propagate):
1135         * dfg/DFGSafeToExecute.h:
1136         (JSC::DFG::safeToExecute):
1137         * dfg/DFGSpeculativeJIT.cpp:
1138         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
1139         (JSC::DFG::SpeculativeJIT::compare):
1140         (JSC::DFG::SpeculativeJIT::compileStrictEq):
1141         * dfg/DFGSpeculativeJIT.h:
1142         * dfg/DFGSpeculativeJIT32_64.cpp:
1143         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
1144         (JSC::DFG::SpeculativeJIT::compile):
1145         * dfg/DFGSpeculativeJIT64.cpp:
1146         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
1147         (JSC::DFG::SpeculativeJIT::compile):
1148         * ftl/FTLCapabilities.cpp:
1149         (JSC::FTL::canCompile):
1150         * ftl/FTLLowerDFGToLLVM.cpp:
1151         (JSC::FTL::LowerDFGToLLVM::compileNode):
1152         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
1153         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
1154         (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
1155         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
1156         (JSC::FTL::LowerDFGToLLVM::isNotOther):
1157         (JSC::FTL::LowerDFGToLLVM::isOther):
1158         (JSC::FTL::LowerDFGToLLVM::speculate):
1159         (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
1160         (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
1161         (JSC::FTL::LowerDFGToLLVM::speculateOther):
1162         (JSC::FTL::LowerDFGToLLVM::speculateMisc):
1163         * tests/stress/compare-strict-eq-integer-to-misc.js: Added.
1164
1165 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
1166
1167         Unreviewed, remove unintended change.
1168
1169         * dfg/DFGDriver.cpp:
1170         (JSC::DFG::compileImpl):
1171
1172 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
1173
1174         jsc commandline shouldn't have a "console" because that confuses some tests into thinking
1175         that they're running in the browser.
1176
1177         Rubber stamped by Mark Hahnenberg.
1178
1179         * jsc.cpp:
1180         (GlobalObject::finishCreation):
1181
1182 2014-03-10  Filip Pizlo  <fpizlo@apple.com>
1183
1184         Out-line ScratchRegisterAllocator
1185
1186         Rubber stamped by Mark Hahnenberg.
1187
1188         * CMakeLists.txt:
1189         * GNUmakefile.list.am:
1190         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1191         * JavaScriptCore.xcodeproj/project.pbxproj:
1192         * dfg/DFGDriver.cpp:
1193         (JSC::DFG::compileImpl):
1194         * jit/ScratchRegisterAllocator.cpp: Added.
1195         (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
1196         (JSC::ScratchRegisterAllocator::~ScratchRegisterAllocator):
1197         (JSC::ScratchRegisterAllocator::lock):
1198         (JSC::ScratchRegisterAllocator::allocateScratch):
1199         (JSC::ScratchRegisterAllocator::allocateScratchGPR):
1200         (JSC::ScratchRegisterAllocator::allocateScratchFPR):
1201         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
1202         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
1203         (JSC::ScratchRegisterAllocator::desiredScratchBufferSize):
1204         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
1205         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
1206         * jit/ScratchRegisterAllocator.h:
1207
1208 2014-03-10  Brent Fulgham  <bfulgham@apple.com>
1209
1210         [Win] Pass environment to Pre-Build, Pre-link, and Post-Build Stages.
1211         https://bugs.webkit.org/show_bug.cgi?id=130023
1212
1213         Reviewed by Dean Jackson.
1214
1215         * JavaScriptCore.vcxproj/JavaScriptCore.proj: Avoid trailing backslashes in
1216         path names to avoid accidental escaping of later string substitutions.
1217
1218 2014-03-10  Andreas Kling  <akling@apple.com>
1219
1220         [X86_64] Smaller code for testb_i8r when register is accumulator.
1221         <https://webkit.org/b/130026>
1222
1223         Generate the shorthand version of "test al, imm" when possible.
1224
1225         Reviewed by Michael Saboff.
1226
1227         * assembler/X86Assembler.h:
1228         (JSC::X86Assembler::testb_i8r):
1229
1230 2014-03-10  Andreas Kling  <akling@apple.com>
1231
1232         [X86_64] Smaller code for sub_ir when register is accumulator.
1233         <https://webkit.org/b/130025>
1234
1235         Generate the shorthand version of "sub eax, imm" when possible.
1236
1237         Reviewed by Michael Saboff.
1238
1239         * assembler/X86Assembler.h:
1240         (JSC::X86Assembler::subl_ir):
1241         (JSC::X86Assembler::subq_ir):
1242
1243 2014-03-10  Andreas Kling  <akling@apple.com>
1244
1245         [X86_64] Smaller code for add_ir when register is accumulator.
1246         <https://webkit.org/b/130024>
1247
1248         Generate the shorthand version of "add eax, imm" when possible.
1249
1250         Reviewed by Michael Saboff.
1251
1252         * assembler/X86Assembler.h:
1253         (JSC::X86Assembler::addl_ir):
1254         (JSC::X86Assembler::addq_ir):
1255
1256 2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>
1257
1258         writeBarrier in emitPutReplaceStub is unnecessary
1259         https://bugs.webkit.org/show_bug.cgi?id=130030
1260
1261         Reviewed by Filip Pizlo.
1262
1263         We already emit write barriers for each put-by-id when they're first compiled, so it's 
1264         redundant to emit a write barrier as part of the repatched code.
1265
1266         * jit/Repatch.cpp:
1267         (JSC::emitPutReplaceStub):
1268
1269 2014-03-10  Andreas Kling  <akling@apple.com>
1270
1271         [X86_64] Smaller code for xor_ir when register is accumulator.
1272         <https://webkit.org/b/130008>
1273
1274         Generate the shorthand version of "xor eax, imm" when possible.
1275
1276         Reviewed by Benjamin Poulain.
1277
1278         * assembler/X86Assembler.h:
1279         (JSC::X86Assembler::xorl_ir):
1280         (JSC::X86Assembler::xorq_ir):
1281
1282 2014-03-10  Andreas Kling  <akling@apple.com>
1283
1284         [X86_64] Smaller code for or_ir when register is accumulator.
1285         <https://webkit.org/b/130007>
1286
1287         Generate the shorthand version of "or eax, imm" when possible.
1288
1289         Reviewed by Benjamin Poulain.
1290
1291         * assembler/X86Assembler.h:
1292         (JSC::X86Assembler::orl_ir):
1293         (JSC::X86Assembler::orq_ir):
1294
1295 2014-03-10  Andreas Kling  <akling@apple.com>
1296
1297         [X86_64] Smaller code for test_ir when register is accumulator.
1298         <https://webkit.org/b/130006>
1299
1300         Generate the shorthand version of "test eax, imm" when possible.
1301
1302         Reviewed by Benjamin Poulain.
1303
1304         * assembler/X86Assembler.h:
1305         (JSC::X86Assembler::testl_i32r):
1306         (JSC::X86Assembler::testq_i32r):
1307
1308 2014-03-10  Andreas Kling  <akling@apple.com>
1309
1310         [X86_64] Smaller code for cmp_ir when register is accumulator.
1311         <https://webkit.org/b/130005>
1312
1313         Generate the shorthand version of "cmp eax, imm" when possible.
1314
1315         Reviewed by Benjamin Poulain.
1316
1317         * assembler/X86Assembler.h:
1318         (JSC::X86Assembler::cmpl_ir):
1319         (JSC::X86Assembler::cmpq_ir):
1320
1321 2014-03-10  Andreas Kling  <akling@apple.com>
1322
1323         [X86_64] Smaller code for store64(imm, address) when imm fits in 32 bits.
1324         <https://webkit.org/b/130002>
1325
1326         Generate this:
1327
1328             mov [address], imm32
1329
1330         Instead of this:
1331
1332             mov scratchRegister, imm32
1333             mov [address], scratchRegister
1334
1335         For store64(imm, address) where the 64-bit immediate can be passed as
1336         a sign-extended 32-bit value.
1337
1338         Reviewed by Benjamin Poulain.
1339
1340         * assembler/MacroAssemblerX86_64.h:
1341         (CAN_SIGN_EXTEND_32_64):
1342         (JSC::MacroAssemblerX86_64::store64):
1343
1344 2014-03-10  Andreas Kling  <akling@apple.com>
1345
1346         [X86_64] Smaller code for xchg_rr when one register is accumulator.
1347         <https://webkit.org/b/130004>
1348
1349         Generate the 1-byte version of "xchg eax, reg" when possible.
1350
1351         Reviewed by Benjamin Poulain.
1352
1353         * assembler/X86Assembler.h:
1354         (JSC::X86Assembler::xchgl_rr):
1355         (JSC::X86Assembler::xchgq_rr):
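
        The encoding choices behind the X86Assembler entries above (the accumulator short forms for add/sub/cmp/or/xor/test, the 1-byte xchg, and the sign-extension check that lets store64 use an imm32), as an added illustration that is not JSC's X86Assembler: a minimal encoder that returns the bytes it would emit, so the size of each form can be checked. The `Encoder` type, the register enum and the scratch-register fallback for store64 are constructed for this example; it covers only eax..edi (no REX.B) and 32-bit operands except for the qword store.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

namespace x86demo {

// Low eight GPRs only; r8-r15 would need a REX.B prefix and are out of scope.
enum Reg : uint8_t { eax = 0, ecx, edx, ebx, esp, ebp, esi, edi };

// Group-1 ALU opcode digits: the /digit in "81 /digit id" and "83 /digit ib".
enum AluOp : uint8_t { ADD = 0, OR = 1, AND = 4, SUB = 5, XOR = 6, CMP = 7 };

// The two range checks that decide which form is legal.
inline bool canSignExtend8To32(int32_t v) { return v == static_cast<int8_t>(v); }
inline bool canSignExtend32To64(int64_t v) { return v == static_cast<int32_t>(v); }

struct Encoder {
    std::vector<uint8_t> bytes;

    void emit(uint8_t b) { bytes.push_back(b); }
    void imm8(int8_t v) { emit(static_cast<uint8_t>(v)); }
    void imm32(int32_t v) { for (int i = 0; i < 4; ++i) emit(static_cast<uint8_t>(v >> (8 * i))); }
    void imm64(int64_t v) { for (int i = 0; i < 8; ++i) emit(static_cast<uint8_t>(v >> (8 * i))); }
    // ModRM, mod=11 (register direct); "reg" carries the opcode digit or the source register.
    void modrmReg(uint8_t reg, uint8_t rm) { emit(static_cast<uint8_t>(0xC0 | (reg << 3) | rm)); }
    // ModRM, mod=10 ([base + disp32]); rsp as a base register needs an SIB byte.
    void modrmMem(uint8_t reg, Reg base, int32_t disp) {
        emit(static_cast<uint8_t>(0x80 | (reg << 3) | base));
        if (base == esp) emit(0x24);
        imm32(disp);
    }

    // op r32, imm32. Preference order: 83 /digit ib (3 bytes) when the immediate
    // sign-extends from 8 bits; else the accumulator form (digit << 3 | 5) id
    // (5 bytes) when dst is eax; else the general 81 /digit id (6 bytes).
    void aluImm32(AluOp op, Reg dst, int32_t imm) {
        if (canSignExtend8To32(imm)) { emit(0x83); modrmReg(op, dst); imm8(static_cast<int8_t>(imm)); return; }
        if (dst == eax) { emit(static_cast<uint8_t>((op << 3) | 0x05)); imm32(imm); return; }
        emit(0x81); modrmReg(op, dst); imm32(imm);
    }

    // test r32, imm32: A9 id for eax (5 bytes), otherwise F7 /0 id (6 bytes).
    void testImm32(Reg dst, int32_t imm) {
        if (dst == eax) { emit(0xA9); imm32(imm); return; }
        emit(0xF7); modrmReg(0, dst); imm32(imm);
    }

    // test r8, imm8: A8 ib for al (2 bytes), otherwise F6 /0 ib (3 bytes).
    void testImm8(Reg dst, int8_t imm) {
        if (dst == eax) { emit(0xA8); imm8(imm); return; }
        emit(0xF6); modrmReg(0, dst); imm8(imm);
    }

    // xchg r32, r32: 90+rd (1 byte) when either side is eax, otherwise 87 /r (2 bytes).
    void xchg32(Reg a, Reg b) {
        if (a == eax || b == eax) { emit(static_cast<uint8_t>(0x90 | (a == eax ? b : a))); return; }
        emit(0x87); modrmReg(a, b);
    }

    // mov qword [base + disp32], imm64. Only an immediate that survives the
    // 32-bit sign-extension round trip may use REX.W C7 /0 id; anything else
    // (0x80000000, for instance) must go through a scratch register:
    // REX.W B8+rd io, then REX.W 89 /r.
    void storeImm64(Reg base, int32_t disp, int64_t imm, Reg scratch) {
        if (canSignExtend32To64(imm)) {
            emit(0x48); emit(0xC7); modrmMem(0, base, disp); imm32(static_cast<int32_t>(imm));
            return;
        }
        emit(0x48); emit(static_cast<uint8_t>(0xB8 | scratch)); imm64(imm);
        emit(0x48); emit(0x89); modrmMem(scratch, base, disp);
    }
};

// Encode one instruction in isolation.
inline std::vector<uint8_t> encodeAlu(AluOp op, Reg dst, int32_t imm) { Encoder e; e.aluImm32(op, dst, imm); return e.bytes; }
inline std::vector<uint8_t> encodeTest32(Reg dst, int32_t imm) { Encoder e; e.testImm32(dst, imm); return e.bytes; }
inline std::vector<uint8_t> encodeTest8(Reg dst, int8_t imm) { Encoder e; e.testImm8(dst, imm); return e.bytes; }
inline std::vector<uint8_t> encodeXchg(Reg a, Reg b) { Encoder e; e.xchg32(a, b); return e.bytes; }
inline std::vector<uint8_t> encodeStore64(Reg base, int32_t disp, int64_t imm) { Encoder e; e.storeImm64(base, disp, imm, eax); return e.bytes; }

}  // namespace x86demo

int main() {
    using namespace x86demo;
    std::printf("cmp eax, 0x1000: %zu bytes; cmp ecx, 0x1000: %zu bytes\n",
                encodeAlu(CMP, eax, 0x1000).size(), encodeAlu(CMP, ecx, 0x1000).size());
    std::printf("store64 42: %zu bytes; store64 0x80000000: %zu bytes\n",
                encodeStore64(ebx, 16, 42).size(), encodeStore64(ebx, 16, 0x80000000LL).size());
    return 0;
}
```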
1356
1357 2014-03-09  Filip Pizlo  <fpizlo@apple.com>
1358
1359         GPRInfo::toIndex should return InvalidIndex for non-temp registers on ARM64
1360         https://bugs.webkit.org/show_bug.cgi?id=129998
1361
1362         Reviewed by Geoffrey Garen.
1363         
1364         Not only is that the established contract, but this is used to signal to
1365         ScratchRegisterAllocator that the register doesn't need locking since it isn't a register
1366         that this allocator would use. In the FTL, we may have an inline cache where LLVM had used
1367         some non-temp register (i.e. a register that JSC itself wouldn't have used). This is totally
1368         fine but previously it would have led to either an assertion failure, or data corruption, in
1369         the ScratchRegisterAllocator.
1370
1371         * jit/GPRInfo.h:
1372         (JSC::GPRInfo::toIndex):
1373
1374 2014-03-09  Filip Pizlo  <fpizlo@apple.com>
1375
1376         FTL fails the new equals-masquerader strictEqualConstant test
1377         https://bugs.webkit.org/show_bug.cgi?id=129996
1378
1379         Reviewed by Mark Lam.
1380         
1381         It turns out that the FTL was trying to do the masquerading stuff for ===null. But
1382         that's wrong since none of the other engines do it. The DFG even had an ancient
1383         FIXME about doing it - but that doesn't make sense since the LLInt and baseline JIT
1384         don't do it and JSValue::strictEqual() doesn't do it.
1385         
1386         Remove the FIXME and remove the extra checks in the FTL.
1387         
1388         This is a glorious patch: nothing but red and it fixes a test failure.
1389
1390         * dfg/DFGSpeculativeJIT.cpp:
1391         (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
1392         * ftl/FTLLowerDFGToLLVM.cpp:
1393         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
1394
1395 2014-03-09  Andreas Kling  <akling@apple.com>
1396
1397         Short-circuit JSGlobalObjectInspectorController when not inspecting.
1398         <https://webkit.org/b/129995>
1399
1400         Add an early return in reportAPIException() when the console agent
1401         is disabled. This avoids expensive symbolication during exceptions
1402         if there's nobody expecting the fancy backtrace anyway.
1403
1404         ~2% progression on DYEB on my MBP.
1405
1406         Reviewed by Geoff Garen.
1407
1408         * inspector/JSGlobalObjectInspectorController.cpp:
1409         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
1410
1411 2014-03-09  Andreas Kling  <akling@apple.com>
1412
1413         Inline the trivial parts of GC deferral.
1414         <https://webkit.org/b/129984>
1415
1416         Made most of the functions called by the DeferGC RAII object inline
1417         to avoid function call overhead.
1418
1419         Looks like ~1% progression on DYEB.
1420
1421         Reviewed by Geoffrey Garen.
1422
1423         * heap/Heap.cpp:
1424         * heap/Heap.h:
1425         (JSC::Heap::incrementDeferralDepth):
1426         (JSC::Heap::decrementDeferralDepth):
1427         (JSC::Heap::collectIfNecessaryOrDefer):
1428         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
1429
1430 2014-03-08  Mark Lam  <mark.lam@apple.com>
1431
1432         32-bit x86 handleUncaughtException returns to wrong location after a stack overflow.
1433         <https://webkit.org/b/129969>
1434
1435         Reviewed by Geoffrey Garen.
1436
1437         The 32-bit version of handleUncaughtException was missing the handling of an
1438         edge case for stack overflows where the current frame may already be the
1439         sentinel frame.  This edge case was handled in the 64-bit version.  The fix
1440         is to bring the 32-bit version up to parity.
1441
1442         * jit/JIT.cpp:
1443         (JSC::JIT::privateCompile):
1444         * llint/LowLevelInterpreter32_64.asm:
1445
1446 2014-03-07  Mark Lam  <mark.lam@apple.com>
1447
1448         Fix bugs in 32-bit Structure implementation.
1449         <https://webkit.org/b/129947>
1450
1451         Reviewed by Mark Hahnenberg.
1452
1453         Added the loading of the Structure (from the JSCell) before use that was
1454         missing in a few places.  Also added more test cases to equals-masquerader.js.
1455
1456         * dfg/DFGSpeculativeJIT32_64.cpp:
1457         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
1458         (JSC::DFG::SpeculativeJIT::compile):
1459         * dfg/DFGSpeculativeJIT64.cpp:
1460         (JSC::DFG::SpeculativeJIT::compile):
1461         * llint/LowLevelInterpreter32_64.asm:
1462         * tests/stress/equals-masquerader.js:
1463         (equalsNull):
1464         (notEqualsNull):
1465         (strictEqualsNull):
1466         (strictNotEqualsNull):
1467         (equalsUndefined):
1468         (notEqualsUndefined):
1469         (strictEqualsUndefined):
1470         (strictNotEqualsUndefined):
1471         (isFalsey):
1472         (test):
1473
1474 2014-03-07  Andrew Trick  <atrick@apple.com>
1475
1476         Temporarily disable repeat-out-of-bounds stress tests pending fix for 129953.
1477         https://bugs.webkit.org/show_bug.cgi?id=129954
1478
1479         Reviewed by Filip Pizlo.
1480
1481         * tests/stress/float32-repeat-out-of-bounds.js:
1482         * tests/stress/int8-repeat-out-of-bounds.js:
1483
1484 2014-03-07  Michael Saboff  <msaboff@apple.com>
1485
1486         .cfi directives in LowLevelInterpreter.cpp are providing no benefit
1487         https://bugs.webkit.org/show_bug.cgi?id=129945
1488
1489         Reviewed by Mark Lam.
1490
1491         Removed .cfi directive.  Verified that stack traces didn't regress in crash reporter
1492         or in lldb.
1493
1494         * llint/LowLevelInterpreter.cpp:
1495
1496 2014-03-07  Oliver Hunt  <oliver@apple.com>
1497
1498         Continue hangs when performing for-of over arguments
1499         https://bugs.webkit.org/show_bug.cgi?id=129915
1500
1501         Reviewed by Geoffrey Garen.
1502
1503         Put the continue label in the right place
1504
1505         * bytecompiler/BytecodeGenerator.cpp:
1506         (JSC::BytecodeGenerator::emitEnumeration):
1507
1508 2014-03-07  peavo@outlook.com  <peavo@outlook.com>
1509
1510         [Win64] Compile error after r165128.
1511         https://bugs.webkit.org/show_bug.cgi?id=129807
1512
1513         Reviewed by Mark Lam.
1514
1515         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: 
1516         Check platform environment variable to determine if an assembler file should be generated.
1517
1518 2014-03-07  Michael Saboff  <msaboff@apple.com>
1519
1520         Clarify how we deal with "special" registers
1521         https://bugs.webkit.org/show_bug.cgi?id=129806
1522
1523         Already reviewed change being relanded.
1524
1525         Reviewed by Michael Saboff.
1526
1527         Relanding change set r165196 as it wasn't responsible for the breakage reported in
1528         https://bugs.webkit.org/show_bug.cgi?id=129822.  That appears to be a build or
1529         configuration issue.
1530
1531         * assembler/ARM64Assembler.h:
1532         (JSC::ARM64Assembler::lastRegister):
1533         * assembler/MacroAssembler.h:
1534         (JSC::MacroAssembler::nextRegister):
1535         * ftl/FTLLocation.cpp:
1536         (JSC::FTL::Location::restoreInto):
1537         * ftl/FTLSaveRestore.cpp:
1538         (JSC::FTL::saveAllRegisters):
1539         (JSC::FTL::restoreAllRegisters):
1540         * ftl/FTLSlowPathCall.cpp:
1541         * jit/RegisterSet.cpp:
1542         (JSC::RegisterSet::reservedHardwareRegisters):
1543         (JSC::RegisterSet::runtimeRegisters):
1544         (JSC::RegisterSet::specialRegisters):
1545         (JSC::RegisterSet::calleeSaveRegisters):
1546         * jit/RegisterSet.h:
1547
1548 2014-03-07  Mark Hahnenberg  <mhahnenberg@apple.com>
1549
1550         Move GCActivityCallback to heap
1551         https://bugs.webkit.org/show_bug.cgi?id=129457
1552
1553         Reviewed by Geoffrey Garen.
1554
1555         All the other GC timer related stuff is there already.
1556
1557         * CMakeLists.txt:
1558         * GNUmakefile.list.am:
1559         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1560         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1561         * JavaScriptCore.xcodeproj/project.pbxproj:
1562         * heap/GCActivityCallback.cpp: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.cpp.
1563         * heap/GCActivityCallback.h: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.h.
1564         * runtime/GCActivityCallback.cpp: Removed.
1565         * runtime/GCActivityCallback.h: Removed.
1566
1567 2014-03-07  Andrew Trick  <atrick@apple.com>
1568
1569         Correct a comment typo from:
1570         FTL should call fmod directly on platforms where LLVM cannot relocate the libcall
1571         https://bugs.webkit.org/show_bug.cgi?id=129865
1572
1573         Reviewed by Mark Lam.
1574
1575         * ftl/FTLOutput.h:
1576         (JSC::FTL::Output::doubleRem):
1577
1578 2014-03-07  Mark Hahnenberg  <mhahnenberg@apple.com>
1579
1580         Use OwnPtr in StructureIDTable
1581         https://bugs.webkit.org/show_bug.cgi?id=129828
1582
1583         Reviewed by Geoffrey Garen.
1584
1585         This reduces the amount of boilerplate and fixes a memory leak.
1586
1587         * runtime/StructureIDTable.cpp:
1588         (JSC::StructureIDTable::StructureIDTable):
1589         (JSC::StructureIDTable::resize):
1590         (JSC::StructureIDTable::flushOldTables):
1591         (JSC::StructureIDTable::allocateID):
1592         (JSC::StructureIDTable::deallocateID):
1593         * runtime/StructureIDTable.h:
1594         (JSC::StructureIDTable::table):
1595         (JSC::StructureIDTable::get):
1596
1597 2014-03-07  Andrew Trick  <atrick@apple.com>
1598
1599         FTL should call fmod directly on platforms where LLVM cannot relocate the libcall
1600         https://bugs.webkit.org/show_bug.cgi?id=129865
1601
1602         Reviewed by Filip Pizlo.
1603
1604         * ftl/FTLIntrinsicRepository.h:
1605         * ftl/FTLOutput.h:
1606         (JSC::FTL::Output::doubleRem):
1607
1608 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
1609
1610         If the FTL is build-time enabled then it should be run-time enabled.
1611
1612         Rubber stamped by Geoffrey Garen.
1613
1614         * runtime/Options.cpp:
1615         (JSC::recomputeDependentOptions):
1616         * runtime/Options.h:
1617
1618 2014-03-06  Joseph Pecoraro  <pecoraro@apple.com>
1619
1620         [OS X] Web Inspector: Allow Apps using JavaScriptCore to access "com.apple.webinspector" mach port
1621         https://bugs.webkit.org/show_bug.cgi?id=129852
1622
1623         Reviewed by Geoffrey Garen.
1624
1625         * framework.sb: Added.
1626         Sandbox extension to allow access to "com.apple.webinspector".
1627
1628         * JavaScriptCore.xcodeproj/project.pbxproj:
1629         Add a Copy Resources build phase and include framework.sb.
1630
1631         * Configurations/JavaScriptCore.xcconfig:
1632         Do not copy framework.sb on iOS.
1633
1634 2014-03-06  Mark Hahnenberg  <mhahnenberg@apple.com>
1635
1636         JSGlobalContextRelease incorrectly handles saving/restoring IdentifierTable
1637         https://bugs.webkit.org/show_bug.cgi?id=129858
1638
1639         Reviewed by Mark Lam.
1640
1641         It was correct (but really ugly) prior to the combining of APIEntryShim and JSLock, 
1642         but now it ends up overwriting the IdentifierTable that JSLock just restored.
1643
1644         * API/JSContextRef.cpp:
1645         (JSGlobalContextRelease):
1646
1647 2014-03-06  Oliver Hunt  <oliver@apple.com>
1648
1649         Fix FTL build.
1650
1651         * dfg/DFGConstantFoldingPhase.cpp:
1652         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1653
1654 2014-03-06  Brent Fulgham  <bfulgham@apple.com>
1655
1656         Unreviewed build fix after r165128.
1657
1658         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: The SEH flag was not getting set when
1659         performing 'Production' and 'DebugSuffix' type builds.
1660
1661 2014-03-06  Julien Brianceau  <jbriance@cisco.com>
1662
1663         Unreviewed, fix style in my previous commit.
1664         https://bugs.webkit.org/show_bug.cgi?id=129833
1665
1666         * runtime/JSConsole.cpp:
1667
1668 2014-03-06  Julien Brianceau  <jbriance@cisco.com>
1669
1670         Build fix: add missing include in JSConsole.cpp.
1671         https://bugs.webkit.org/show_bug.cgi?id=129833
1672
1673         Reviewed by Oliver Hunt.
1674
1675         * runtime/JSConsole.cpp:
1676
1677 2014-03-06  Oliver Hunt  <oliver@apple.com>
1678
1679         Fix ARMv7
1680
1681         * jit/CCallHelpers.h:
1682         (JSC::CCallHelpers::setupArgumentsWithExecState):
1683
1684 2014-03-06  Commit Queue  <commit-queue@webkit.org>
1685
1686         Unreviewed, rolling out r165196.
1687         http://trac.webkit.org/changeset/165196
1688         https://bugs.webkit.org/show_bug.cgi?id=129822
1689
1690         broke arm64 on hardware (Requested by bfulgham on #webkit).
1691
1692         * assembler/ARM64Assembler.h:
1693         (JSC::ARM64Assembler::lastRegister):
1694         * assembler/MacroAssembler.h:
1695         (JSC::MacroAssembler::isStackRelated):
1696         (JSC::MacroAssembler::firstRealRegister):
1697         (JSC::MacroAssembler::nextRegister):
1698         (JSC::MacroAssembler::secondRealRegister):
1699         * ftl/FTLLocation.cpp:
1700         (JSC::FTL::Location::restoreInto):
1701         * ftl/FTLSaveRestore.cpp:
1702         (JSC::FTL::saveAllRegisters):
1703         (JSC::FTL::restoreAllRegisters):
1704         * ftl/FTLSlowPathCall.cpp:
1705         * jit/RegisterSet.cpp:
1706         (JSC::RegisterSet::specialRegisters):
1707         (JSC::RegisterSet::calleeSaveRegisters):
1708         * jit/RegisterSet.h:
1709
1710 2014-03-06  Mark Lam  <mark.lam@apple.com>
1711
1712         REGRESSION(r165205): broke the CLOOP build (Requested by smfr on #webkit).
1713         <https://webkit.org/b/129813>
1714
1715         Reviewed by Michael Saboff.
1716
1717         Fixed broken C loop LLINT build.
1718
1719         * llint/LowLevelInterpreter.cpp:
1720         (JSC::CLoop::execute):
1721         * offlineasm/cloop.rb:
1722
1723 2014-03-03  Oliver Hunt  <oliver@apple.com>
1724
1725         Support caching of custom setters
1726         https://bugs.webkit.org/show_bug.cgi?id=129519
1727
1728         Reviewed by Filip Pizlo.
1729
1730         This patch adds caching of assignment to properties that
1731         are backed by C functions. This provides most of the leg
1732         work required to start supporting setters, and resolves
1733         the remaining regressions from moving DOM properties up
1734         the prototype chain.
1735
1736         * JavaScriptCore.xcodeproj/project.pbxproj:
1737         * bytecode/PolymorphicPutByIdList.cpp:
1738         (JSC::PutByIdAccess::visitWeak):
1739         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
1740         (JSC::PolymorphicPutByIdList::from):
1741         * bytecode/PolymorphicPutByIdList.h:
1742         (JSC::PutByIdAccess::transition):
1743         (JSC::PutByIdAccess::replace):
1744         (JSC::PutByIdAccess::customSetter):
1745         (JSC::PutByIdAccess::isCustom):
1746         (JSC::PutByIdAccess::oldStructure):
1747         (JSC::PutByIdAccess::chain):
1748         (JSC::PutByIdAccess::stubRoutine):
1749         * bytecode/PutByIdStatus.cpp:
1750         (JSC::PutByIdStatus::computeForStubInfo):
1751         (JSC::PutByIdStatus::computeFor):
1752         (JSC::PutByIdStatus::dump):
1753         * bytecode/PutByIdStatus.h:
1754         (JSC::PutByIdStatus::PutByIdStatus):
1755         (JSC::PutByIdStatus::takesSlowPath):
1756         (JSC::PutByIdStatus::makesCalls):
1757         * bytecode/StructureStubInfo.h:
1758         * dfg/DFGAbstractInterpreterInlines.h:
1759         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1760         * dfg/DFGByteCodeParser.cpp:
1761         (JSC::DFG::ByteCodeParser::emitPutById):
1762         (JSC::DFG::ByteCodeParser::handlePutById):
1763         * dfg/DFGClobberize.h:
1764         (JSC::DFG::clobberize):
1765         * dfg/DFGCommon.h:
1766         * dfg/DFGConstantFoldingPhase.cpp:
1767         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1768         * dfg/DFGFixupPhase.cpp:
1769         (JSC::DFG::FixupPhase::fixupNode):
1770         * dfg/DFGNode.h:
1771         (JSC::DFG::Node::hasIdentifier):
1772         * dfg/DFGNodeType.h:
1773         * dfg/DFGPredictionPropagationPhase.cpp:
1774         (JSC::DFG::PredictionPropagationPhase::propagate):
1775         * dfg/DFGSafeToExecute.h:
1776         (JSC::DFG::safeToExecute):
1777         * dfg/DFGSpeculativeJIT.cpp:
1778         (JSC::DFG::SpeculativeJIT::compileIn):
1779         * dfg/DFGSpeculativeJIT.h:
1780         * dfg/DFGSpeculativeJIT32_64.cpp:
1781         (JSC::DFG::SpeculativeJIT::cachedGetById):
1782         (JSC::DFG::SpeculativeJIT::cachedPutById):
1783         (JSC::DFG::SpeculativeJIT::compile):
1784         * dfg/DFGSpeculativeJIT64.cpp:
1785         (JSC::DFG::SpeculativeJIT::cachedGetById):
1786         (JSC::DFG::SpeculativeJIT::cachedPutById):
1787         (JSC::DFG::SpeculativeJIT::compile):
1788         * jit/CCallHelpers.h:
1789         (JSC::CCallHelpers::setupArgumentsWithExecState):
1790         * jit/JITInlineCacheGenerator.cpp:
1791         (JSC::JITByIdGenerator::JITByIdGenerator):
1792         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1793         * jit/JITInlineCacheGenerator.h:
1794         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1795         * jit/JITOperations.cpp:
1796         * jit/JITOperations.h:
1797         * jit/JITPropertyAccess.cpp:
1798         (JSC::JIT::emit_op_get_by_id):
1799         (JSC::JIT::emit_op_put_by_id):
1800         * jit/JITPropertyAccess32_64.cpp:
1801         (JSC::JIT::emit_op_get_by_id):
1802         (JSC::JIT::emit_op_put_by_id):
1803         * jit/Repatch.cpp:
1804         (JSC::tryCacheGetByID):
1805         (JSC::tryBuildGetByIDList):
1806         (JSC::emitCustomSetterStub):
1807         (JSC::tryCachePutByID):
1808         (JSC::tryBuildPutByIdList):
1809         * jit/SpillRegistersMode.h: Added.
1810         * llint/LLIntSlowPaths.cpp:
1811         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1812         * runtime/Lookup.h:
1813         (JSC::putEntry):
1814         * runtime/PutPropertySlot.h:
1815         (JSC::PutPropertySlot::setCacheableCustomProperty):
1816         (JSC::PutPropertySlot::customSetter):
1817         (JSC::PutPropertySlot::isCacheablePut):
1818         (JSC::PutPropertySlot::isCacheableCustomProperty):
1819         (JSC::PutPropertySlot::cachedOffset):
1820
1821 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
1822
1823         FTL arity fixup should work on ARM64
1824         https://bugs.webkit.org/show_bug.cgi?id=129810
1825
1826         Reviewed by Michael Saboff.
1827         
1828         - Using regT5 to pass the thunk return address to arityFixup is shady since that's a
1829           callee-save.
1830         
1831         - The FTL path was assuming X86 conventions for where SP points at the top of the prologue.
1832         
1833         This makes some more tests pass.
1834
1835         * dfg/DFGJITCompiler.cpp:
1836         (JSC::DFG::JITCompiler::compileFunction):
1837         * ftl/FTLLink.cpp:
1838         (JSC::FTL::link):
1839         * jit/AssemblyHelpers.h:
1840         (JSC::AssemblyHelpers::prologueStackPointerDelta):
1841         * jit/JIT.cpp:
1842         (JSC::JIT::privateCompile):
1843         * jit/ThunkGenerators.cpp:
1844         (JSC::arityFixup):
1845         * llint/LowLevelInterpreter64.asm:
1846         * offlineasm/arm64.rb:
1847         * offlineasm/x86.rb: In addition to the t7 change, make t6 agree with GPRInfo.h.
1848
1849 2014-03-06  Mark Hahnenberg  <mhahnenberg@apple.com>
1850
1851         Fix write barriers in Repatch.cpp for !ENABLE(DFG_JIT) platforms after r165128
1852         https://bugs.webkit.org/show_bug.cgi?id=129760
1853
1854         Reviewed by Geoffrey Garen.
1855
1856         r165128 disabled the write barrier fast path for inline caches on !ENABLE(DFG_JIT) platforms. 
1857         The fix is to refactor the write barrier code into AssemblyHelpers and use that everywhere.
1858
1859         * dfg/DFGSpeculativeJIT.cpp:
1860         (JSC::DFG::SpeculativeJIT::writeBarrier):
1861         * dfg/DFGSpeculativeJIT.h:
1862         * dfg/DFGSpeculativeJIT32_64.cpp:
1863         (JSC::DFG::SpeculativeJIT::writeBarrier):
1864         * dfg/DFGSpeculativeJIT64.cpp:
1865         (JSC::DFG::SpeculativeJIT::writeBarrier):
1866         * jit/AssemblyHelpers.h:
1867         (JSC::AssemblyHelpers::checkMarkByte):
1868         * jit/JIT.h:
1869         * jit/JITPropertyAccess.cpp:
1870         * jit/Repatch.cpp:
1871         (JSC::writeBarrier):
1872
1873 2014-03-06  Joseph Pecoraro  <pecoraro@apple.com>
1874
1875         Web Inspector: Expose the console object in JSContexts to interact with Web Inspector
1876         https://bugs.webkit.org/show_bug.cgi?id=127944
1877
1878         Reviewed by Geoffrey Garen.
1879
1880         Always expose the Console object in JSContexts, just like we
1881         do for web pages. The default behavior will route to an
1882         attached JSContext inspector. This can be overridden by
1883         setting the ConsoleClient on the JSGlobalObject, which WebCore
1884         does to get slightly different behavior.
1885
1886         * CMakeLists.txt:
1887         * GNUmakefile.list.am:
1888         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1889         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1890         * JavaScriptCore.xcodeproj/project.pbxproj:
1891         Update build systems.
1892
1893         * API/tests/testapi.js:
1894         * API/tests/testapi.mm:
1895         Test that "console" exists in C and ObjC contexts.
1896
1897         * runtime/ConsoleClient.cpp: Added.
1898         (JSC::ConsoleClient::printURLAndPosition):
1899         (JSC::ConsoleClient::printMessagePrefix):
1900         (JSC::ConsoleClient::printConsoleMessage):
1901         (JSC::ConsoleClient::printConsoleMessageWithArguments):
1902         (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
1903         (JSC::ConsoleClient::logWithLevel):
1904         (JSC::ConsoleClient::clear):
1905         (JSC::ConsoleClient::dir):
1906         (JSC::ConsoleClient::dirXML):
1907         (JSC::ConsoleClient::table):
1908         (JSC::ConsoleClient::trace):
1909         (JSC::ConsoleClient::assertCondition):
1910         (JSC::ConsoleClient::group):
1911         (JSC::ConsoleClient::groupCollapsed):
1912         (JSC::ConsoleClient::groupEnd):
1913         * runtime/ConsoleClient.h: Added.
1914         (JSC::ConsoleClient::~ConsoleClient):
1915         New private interface for handling the console object's methods.
1916         A lot of the methods funnel through messageWithTypeAndLevel.
1917
1918         * runtime/ConsoleTypes.h: Renamed from Source/JavaScriptCore/inspector/ConsoleTypes.h.
1919         Moved to JSC namespace.
1920
1921         * runtime/JSGlobalObject.cpp:
1922         (JSC::JSGlobalObject::JSGlobalObject):
1923         (JSC::JSGlobalObject::init):
1924         (JSC::JSGlobalObject::reset):
1925         (JSC::JSGlobalObject::visitChildren):
1926         Create the "console" object when initializing the environment.
1927         Also set the default console client to be the JS context inspector.
1928
1929         * runtime/JSGlobalObject.h:
1930         (JSC::JSGlobalObject::setConsoleClient):
1931         (JSC::JSGlobalObject::consoleClient):
1932         Ability to change the console client, so WebCore can set a custom client.
1933
1934         * runtime/ConsolePrototype.cpp: Added.
1935         (JSC::ConsolePrototype::finishCreation):
1936         (JSC::valueToStringWithUndefinedOrNullCheck):
1937         (JSC::consoleLogWithLevel):
1938         (JSC::consoleProtoFuncDebug):
1939         (JSC::consoleProtoFuncError):
1940         (JSC::consoleProtoFuncLog):
1941         (JSC::consoleProtoFuncWarn):
1942         (JSC::consoleProtoFuncClear):
1943         (JSC::consoleProtoFuncDir):
1944         (JSC::consoleProtoFuncDirXML):
1945         (JSC::consoleProtoFuncTable):
1946         (JSC::consoleProtoFuncTrace):
1947         (JSC::consoleProtoFuncAssert):
1948         (JSC::consoleProtoFuncCount):
1949         (JSC::consoleProtoFuncProfile):
1950         (JSC::consoleProtoFuncProfileEnd):
1951         (JSC::consoleProtoFuncTime):
1952         (JSC::consoleProtoFuncTimeEnd):
1953         (JSC::consoleProtoFuncTimeStamp):
1954         (JSC::consoleProtoFuncGroup):
1955         (JSC::consoleProtoFuncGroupCollapsed):
1956         (JSC::consoleProtoFuncGroupEnd):
1957         * runtime/ConsolePrototype.h: Added.
1958         (JSC::ConsolePrototype::create):
1959         (JSC::ConsolePrototype::createStructure):
1960         (JSC::ConsolePrototype::ConsolePrototype):
1961         Define the console object interface. Parse out required / expected
1962         arguments and throw exceptions when methods are misused.
1963
1964         * runtime/JSConsole.cpp: Added.
1965         * runtime/JSConsole.h: Added.
1966         (JSC::JSConsole::createStructure):
1967         (JSC::JSConsole::create):
1968         (JSC::JSConsole::JSConsole):
1969         Empty "console" object. Everything is in the prototype.
1970
1971         * inspector/JSConsoleClient.cpp: Added.
1972         (Inspector::JSConsoleClient::JSGlobalObjectConsole):
1973         (Inspector::JSConsoleClient::count):
1974         (Inspector::JSConsoleClient::profile):
1975         (Inspector::JSConsoleClient::profileEnd):
1976         (Inspector::JSConsoleClient::time):
1977         (Inspector::JSConsoleClient::timeEnd):
1978         (Inspector::JSConsoleClient::timeStamp):
1979         (Inspector::JSConsoleClient::warnUnimplemented):
1980         (Inspector::JSConsoleClient::internalAddMessage):
1981         * inspector/JSConsoleClient.h: Added.
1982         * inspector/JSGlobalObjectInspectorController.cpp:
1983         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1984         (Inspector::JSGlobalObjectInspectorController::consoleClient):
1985         * inspector/JSGlobalObjectInspectorController.h:
1986         Default JSContext ConsoleClient implementation. Handle nearly
1987         everything except profile/profileEnd and timeStamp.
1988
1989 2014-03-06  Andreas Kling  <akling@apple.com>
1990
1991         Drop unlinked function code on memory pressure.
1992         <https://webkit.org/b/129789>
1993
1994         Make VM::discardAllCode() also drop UnlinkedFunctionCodeBlocks that
1995         are not currently being compiled.
1996
1997         4.5 MB progression on Membuster.
1998
1999         Reviewed by Geoffrey Garen.
2000
2001         * heap/Heap.cpp:
2002         (JSC::Heap::deleteAllUnlinkedFunctionCode):
2003         * heap/Heap.h:
2004         * runtime/VM.cpp:
2005         (JSC::VM::discardAllCode):
2006
2007 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
2008
2009         Clarify how we deal with "special" registers
2010         https://bugs.webkit.org/show_bug.cgi?id=129806
2011
2012         Reviewed by Michael Saboff.
2013         
2014         Previously we had two different places that defined what "stack" registers are, a thing
2015         called "specialRegisters" that had unclear meaning, and a really weird "firstRealRegister"/
2016         "secondRealRegister"/"nextRegister" idiom in MacroAssembler that appeared to only be used by
2017         one place and had a baked-in notion of what it meant for a register to be "real" or not.
2018         
2019         It's not cool to use words like "real" and "special" to describe registers, especially if you
2020         fail to qualify what that means. This originally made sense on X86 - "real" registers were
2021         the ones that weren't "stack related" (so "real" was the opposite of "stack"). But on ARM64,
2022         you also have to worry about the LR register, which we'd want to say is "not real" but it's
2023         also not a "stack" register. This got super confusing.
2024         
2025         So, this patch removes any mention of "real" registers, consolidates the knowledge of what is
2026         a "stack" register, and uses the word special only in places where it's clearly defined and
2027         where no better word comes to mind.
2028         
2029         This cleans up the code and fixes what seems like it was probably a harmless ARM64 bug: the
2030         Reg and RegisterSet data structures would sometimes think that FP was Q0. Somehow this
2031         magically didn't break anything because you never need to save/restore either FP or Q0, but
2032         it was still super weird.
2033
2034         * assembler/ARM64Assembler.h:
2035         (JSC::ARM64Assembler::lastRegister):
2036         * assembler/MacroAssembler.h:
2037         (JSC::MacroAssembler::nextRegister):
2038         * ftl/FTLLocation.cpp:
2039         (JSC::FTL::Location::restoreInto):
2040         * ftl/FTLSaveRestore.cpp:
2041         (JSC::FTL::saveAllRegisters):
2042         (JSC::FTL::restoreAllRegisters):
2043         * ftl/FTLSlowPathCall.cpp:
2044         * jit/RegisterSet.cpp:
2045         (JSC::RegisterSet::reservedHardwareRegisters):
2046         (JSC::RegisterSet::runtimeRegisters):
2047         (JSC::RegisterSet::specialRegisters):
2048         (JSC::RegisterSet::calleeSaveRegisters):
2049         * jit/RegisterSet.h:
2050
2051 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
2052
2053         Unreviewed, fix build.
2054
2055         * disassembler/ARM64Disassembler.cpp:
2056
2057 2014-03-06  Filip Pizlo  <fpizlo@apple.com>
2058
2059         Use the LLVM disassembler on ARM64 if we are enabling the FTL
2060         https://bugs.webkit.org/show_bug.cgi?id=129785
2061
2062         Reviewed by Geoffrey Garen.
2063         
2064         Our disassembler can't handle some of the code sequences that LLVM emits. LLVM's disassembler
2065         is strictly more capable at this point. Use it if it's available.
2066
2067         * disassembler/ARM64Disassembler.cpp:
2068         (JSC::tryToDisassemble):
2069
2070 2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>
2071
2072         Web Inspector: Reduce RWI message frequency
2073         https://bugs.webkit.org/show_bug.cgi?id=129767
2074
2075         Reviewed by Timothy Hatcher.
2076
2077         This used to be 0.2s and changed by accident to 0.02s.
2078
2079         * inspector/remote/RemoteInspector.mm:
2080         (Inspector::RemoteInspector::pushListingSoon):
2081
2082 2014-03-05  Commit Queue  <commit-queue@webkit.org>
2083
2084         Unreviewed, rolling out r165141, r165157, and r165158.
2085         http://trac.webkit.org/changeset/165141
2086         http://trac.webkit.org/changeset/165157
2087         http://trac.webkit.org/changeset/165158
2088         https://bugs.webkit.org/show_bug.cgi?id=129772
2089
2090         "broke ftl" (Requested by olliej_ on #webkit).
2091
2092         * JavaScriptCore.xcodeproj/project.pbxproj:
2093         * bytecode/PolymorphicPutByIdList.cpp:
2094         (JSC::PutByIdAccess::visitWeak):
2095         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
2096         (JSC::PolymorphicPutByIdList::from):
2097         * bytecode/PolymorphicPutByIdList.h:
2098         (JSC::PutByIdAccess::transition):
2099         (JSC::PutByIdAccess::replace):
2100         (JSC::PutByIdAccess::oldStructure):
2101         (JSC::PutByIdAccess::chain):
2102         (JSC::PutByIdAccess::stubRoutine):
2103         * bytecode/PutByIdStatus.cpp:
2104         (JSC::PutByIdStatus::computeForStubInfo):
2105         (JSC::PutByIdStatus::computeFor):
2106         (JSC::PutByIdStatus::dump):
2107         * bytecode/PutByIdStatus.h:
2108         (JSC::PutByIdStatus::PutByIdStatus):
2109         (JSC::PutByIdStatus::takesSlowPath):
2110         * bytecode/StructureStubInfo.h:
2111         * dfg/DFGAbstractInterpreterInlines.h:
2112         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2113         * dfg/DFGByteCodeParser.cpp:
2114         (JSC::DFG::ByteCodeParser::emitPutById):
2115         (JSC::DFG::ByteCodeParser::handlePutById):
2116         * dfg/DFGClobberize.h:
2117         (JSC::DFG::clobberize):
2118         * dfg/DFGCommon.h:
2119         * dfg/DFGConstantFoldingPhase.cpp:
2120         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2121         * dfg/DFGFixupPhase.cpp:
2122         (JSC::DFG::FixupPhase::fixupNode):
2123         * dfg/DFGNode.h:
2124         (JSC::DFG::Node::hasIdentifier):
2125         * dfg/DFGNodeType.h:
2126         * dfg/DFGPredictionPropagationPhase.cpp:
2127         (JSC::DFG::PredictionPropagationPhase::propagate):
2128         * dfg/DFGSafeToExecute.h:
2129         (JSC::DFG::safeToExecute):
2130         * dfg/DFGSpeculativeJIT.cpp:
2131         (JSC::DFG::SpeculativeJIT::compileIn):
2132         * dfg/DFGSpeculativeJIT.h:
2133         * dfg/DFGSpeculativeJIT32_64.cpp:
2134         (JSC::DFG::SpeculativeJIT::cachedGetById):
2135         (JSC::DFG::SpeculativeJIT::cachedPutById):
2136         (JSC::DFG::SpeculativeJIT::compile):
2137         * dfg/DFGSpeculativeJIT64.cpp:
2138         (JSC::DFG::SpeculativeJIT::cachedGetById):
2139         (JSC::DFG::SpeculativeJIT::cachedPutById):
2140         (JSC::DFG::SpeculativeJIT::compile):
2141         * ftl/FTLCompile.cpp:
2142         (JSC::FTL::fixFunctionBasedOnStackMaps):
2143         * jit/CCallHelpers.h:
2144         (JSC::CCallHelpers::setupArgumentsWithExecState):
2145         * jit/JITInlineCacheGenerator.cpp:
2146         (JSC::JITByIdGenerator::JITByIdGenerator):
2147         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
2148         * jit/JITInlineCacheGenerator.h:
2149         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
2150         * jit/JITOperations.cpp:
2151         * jit/JITOperations.h:
2152         * jit/JITPropertyAccess.cpp:
2153         (JSC::JIT::emit_op_get_by_id):
2154         (JSC::JIT::emit_op_put_by_id):
2155         * jit/JITPropertyAccess32_64.cpp:
2156         (JSC::JIT::emit_op_get_by_id):
2157         (JSC::JIT::emit_op_put_by_id):
2158         * jit/Repatch.cpp:
2159         (JSC::tryCacheGetByID):
2160         (JSC::tryBuildGetByIDList):
2161         (JSC::tryCachePutByID):
2162         (JSC::tryBuildPutByIdList):
2163         * jit/SpillRegistersMode.h: Removed.
2164         * llint/LLIntSlowPaths.cpp:
2165         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2166         * runtime/Lookup.h:
2167         (JSC::putEntry):
2168         * runtime/PutPropertySlot.h:
2169         (JSC::PutPropertySlot::isCacheable):
2170         (JSC::PutPropertySlot::cachedOffset):
2171
2172 2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>
2173
2174         Web Inspector: Prevent possible deadlock in view indication
2175         https://bugs.webkit.org/show_bug.cgi?id=129766
2176
2177         Reviewed by Geoffrey Garen.
2178
2179         * inspector/remote/RemoteInspector.mm:
2180         (Inspector::RemoteInspector::receivedIndicateMessage):
2181
2182 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
2183
2184         JSObject::fastGetOwnPropertySlot does a slow check for OverridesGetOwnPropertySlot
2185         https://bugs.webkit.org/show_bug.cgi?id=129754
2186
2187         Reviewed by Geoffrey Garen.
2188
2189         InlineTypeFlags are stored in JSCell, so we can just load those instead of going through the TypeInfo.
2190
2191         * runtime/JSCell.h:
2192         (JSC::JSCell::inlineTypeFlags):
2193         * runtime/JSObject.h:
2194         (JSC::JSObject::fastGetOwnPropertySlot):
2195         * runtime/JSTypeInfo.h:
2196         (JSC::TypeInfo::TypeInfo):
2197         (JSC::TypeInfo::overridesGetOwnPropertySlot):
2198
2199 2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>
2200
2201         Web Inspector: ASSERTION FAILED: m_javaScriptBreakpoints.isEmpty()
2202         https://bugs.webkit.org/show_bug.cgi?id=129763
2203
2204         Reviewed by Geoffrey Garen.
2205
2206         Clear the list of all breakpoints, including unresolved breakpoints.
2207
2208         * inspector/agents/InspectorDebuggerAgent.cpp:
2209         (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
2210
2211 2014-03-05  Mark Lam  <mark.lam@apple.com>
2212
2213         llint_slow_path_check_has_instance() should not adjust PC before accessing operands.
2214         <https://webkit.org/b/129768>
2215
2216         Reviewed by Mark Hahnenberg.
2217
2218         When evaluating "a instanceof b" where b is an object that ImplementsHasInstance
2219         and OverridesHasInstance (e.g. a bound function), the LLINT will take the slow
2220         path llint_slow_path_check_has_instance(), and execute a code path that does the
2221         following:
2222         1. Adjusts the byte code PC to the jump target PC.
2223         2. For the purpose of storing the result, get the result registerIndex from the
2224            1st operand using the PC as if the PC is still pointing to op_check_has_instance
2225            bytecode.
2226
2227         The result is that whatever value resides after where the jump target PC is will
2228         be used as a result register value.  Depending on what that value is, the result
2229         can be:
2230         1. the code coincidentally works correctly
2231         2. memory corruption
2232         3. crashes
2233
2234         The fix is to only adjust the byte code PC after we have stored the result.
2235         
2236         * llint/LLIntSlowPaths.cpp:
2237         (llint_slow_path_check_has_instance):
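
To make the ordering bug in this entry concrete, here is an added C++ model of the slow path; it is not JSC's code, and the instruction layout, register file, handler names and sample program are all constructed for the illustration. The buggy handler advances the PC to the jump target before reading the destination operand, so it picks up whatever integer follows the target; the fixed handler stores the result first and adjusts the PC afterwards.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <vector>

// Constructed, simplified instruction layout for this illustration only (not
// JSC's real encoding): [opcode, dst, value, hasInstanceValue, jumpOffset].
// The jump offset is relative to the start of the instruction.
enum Opcode : int32_t { op_check_has_instance = 1, op_ret = 2 };

struct SlowPathOutcome {
    bool wrote;       // a register was written
    size_t dstIndex;  // register index that was (or would have been) written
    size_t newPc;     // where execution continues
};

// Writes result into the register file only if the index is valid. The real
// interpreter has no such check, which is why the bug described above could
// corrupt memory; returning false here stands in for that corruption.
static bool storeResult(std::vector<int32_t>& registers, size_t dst, int32_t result)
{
    if (dst >= registers.size())
        return false;
    registers[dst] = result;
    return true;
}

// Buggy ordering: the PC is moved to the jump target first, so the "dst"
// operand is read from whatever integer happens to follow the target.
SlowPathOutcome buggyCheckHasInstance(const std::vector<int32_t>& code, size_t pc,
                                      std::vector<int32_t>& registers, int32_t result)
{
    pc += static_cast<size_t>(code[pc + 4]);        // 1. adjust PC to the jump target
    size_t dst = static_cast<size_t>(code[pc + 1]); // 2. read dst as if PC were unchanged
    bool wrote = storeResult(registers, dst, result);
    return { wrote, dst, pc };
}

// Fixed ordering: read the operand and store the result while the PC still
// points at op_check_has_instance, then take the jump.
SlowPathOutcome fixedCheckHasInstance(const std::vector<int32_t>& code, size_t pc,
                                      std::vector<int32_t>& registers, int32_t result)
{
    size_t dst = static_cast<size_t>(code[pc + 1]); // operand read from the right instruction
    bool wrote = storeResult(registers, dst, result);
    pc += static_cast<size_t>(code[pc + 4]);        // only now adjust the PC
    return { wrote, dst, pc };
}

// Runs one handler over a constructed sample program. *reg1After receives the
// value of register 1 afterwards so callers can see whether the result landed.
SlowPathOutcome runSample(bool useFixedHandler, int32_t* reg1After)
{
    const std::vector<int32_t> code = {
        op_check_has_instance, 1, 2, 3, 5,  // offset 0: dst = r1, slow path jumps to offset 5
        op_ret, 9999,                       // offset 5: jump target; 9999 is an unrelated operand
    };
    std::vector<int32_t> registers(4, 0);   // r0..r3
    SlowPathOutcome out = useFixedHandler
        ? fixedCheckHasInstance(code, 0, registers, 1)
        : buggyCheckHasInstance(code, 0, registers, 1);
    if (reg1After)
        *reg1After = registers[1];
    return out;
}

int main()
{
    int32_t r1 = 0;
    SlowPathOutcome bad = runSample(false, &r1);
    std::cout << "buggy: dst=" << bad.dstIndex << " wrote=" << bad.wrote << "\n";
    SlowPathOutcome good = runSample(true, &r1);
    std::cout << "fixed: dst=" << good.dstIndex << " r1=" << r1 << "\n";
    return 0;
}
```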
2238
2239 2014-03-05  Ryosuke Niwa  <rniwa@webkit.org>
2240
2241         Another build fix attempt after r165141.
2242
2243         * ftl/FTLCompile.cpp:
2244         (JSC::FTL::fixFunctionBasedOnStackMaps):
2245
2246 2014-03-05  Ryosuke Niwa  <rniwa@webkit.org>
2247
2248         FTL build fix attempt after r165141.
2249
2250         * ftl/FTLCompile.cpp:
2251         (JSC::FTL::fixFunctionBasedOnStackMaps):
2252
2253 2014-03-05  Gavin Barraclough  <barraclough@apple.com>
2254
2255         https://bugs.webkit.org/show_bug.cgi?id=128625
2256         Add fast mapping from StringImpl to JSString
2257
2258         Unreviewed roll-out.
2259
2260         Reverting r164347, r165054, r165066 - not clear the performance tradeoff was right.
2261
2262         * runtime/JSString.cpp:
2263         * runtime/JSString.h:
2264         * runtime/VM.cpp:
2265         (JSC::VM::createLeaked):
2266         * runtime/VM.h:
2267
2268 2014-03-03  Oliver Hunt  <oliver@apple.com>
2269
2270         Support caching of custom setters
2271         https://bugs.webkit.org/show_bug.cgi?id=129519
2272
2273         Reviewed by Filip Pizlo.
2274
2275         This patch adds caching of assignment to properties that
2276         are backed by C functions. This provides most of the leg
2277         work required to start supporting setters, and resolves
2278         the remaining regressions from moving DOM properties up
2279         the prototype chain.
2280
2281         * JavaScriptCore.xcodeproj/project.pbxproj:
2282         * bytecode/PolymorphicPutByIdList.cpp:
2283         (JSC::PutByIdAccess::visitWeak):
2284         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
2285         (JSC::PolymorphicPutByIdList::from):
2286         * bytecode/PolymorphicPutByIdList.h:
2287         (JSC::PutByIdAccess::transition):
2288         (JSC::PutByIdAccess::replace):
2289         (JSC::PutByIdAccess::customSetter):
2290         (JSC::PutByIdAccess::isCustom):
2291         (JSC::PutByIdAccess::oldStructure):
2292         (JSC::PutByIdAccess::chain):
2293         (JSC::PutByIdAccess::stubRoutine):
2294         * bytecode/PutByIdStatus.cpp:
2295         (JSC::PutByIdStatus::computeForStubInfo):
2296         (JSC::PutByIdStatus::computeFor):
2297         (JSC::PutByIdStatus::dump):
2298         * bytecode/PutByIdStatus.h:
2299         (JSC::PutByIdStatus::PutByIdStatus):
2300         (JSC::PutByIdStatus::takesSlowPath):
2301         (JSC::PutByIdStatus::makesCalls):
2302         * bytecode/StructureStubInfo.h:
2303         * dfg/DFGAbstractInterpreterInlines.h:
2304         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2305         * dfg/DFGByteCodeParser.cpp:
2306         (JSC::DFG::ByteCodeParser::emitPutById):
2307         (JSC::DFG::ByteCodeParser::handlePutById):
2308         * dfg/DFGClobberize.h:
2309         (JSC::DFG::clobberize):
2310         * dfg/DFGCommon.h:
2311         * dfg/DFGConstantFoldingPhase.cpp:
2312         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2313         * dfg/DFGFixupPhase.cpp:
2314         (JSC::DFG::FixupPhase::fixupNode):
2315         * dfg/DFGNode.h:
2316         (JSC::DFG::Node::hasIdentifier):
2317         * dfg/DFGNodeType.h:
2318         * dfg/DFGPredictionPropagationPhase.cpp:
2319         (JSC::DFG::PredictionPropagationPhase::propagate):
2320         * dfg/DFGSafeToExecute.h:
2321         (JSC::DFG::safeToExecute):
2322         * dfg/DFGSpeculativeJIT.cpp:
2323         (JSC::DFG::SpeculativeJIT::compileIn):
2324         * dfg/DFGSpeculativeJIT.h:
2325         * dfg/DFGSpeculativeJIT32_64.cpp:
2326         (JSC::DFG::SpeculativeJIT::cachedGetById):
2327         (JSC::DFG::SpeculativeJIT::cachedPutById):
2328         (JSC::DFG::SpeculativeJIT::compile):
2329         * dfg/DFGSpeculativeJIT64.cpp:
2330         (JSC::DFG::SpeculativeJIT::cachedGetById):
2331         (JSC::DFG::SpeculativeJIT::cachedPutById):
2332         (JSC::DFG::SpeculativeJIT::compile):
2333         * jit/CCallHelpers.h:
2334         (JSC::CCallHelpers::setupArgumentsWithExecState):
2335         * jit/JITInlineCacheGenerator.cpp:
2336         (JSC::JITByIdGenerator::JITByIdGenerator):
2337         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
2338         * jit/JITInlineCacheGenerator.h:
2339         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
2340         * jit/JITOperations.cpp:
2341         * jit/JITOperations.h:
2342         * jit/JITPropertyAccess.cpp:
2343         (JSC::JIT::emit_op_get_by_id):
2344         (JSC::JIT::emit_op_put_by_id):
2345         * jit/JITPropertyAccess32_64.cpp:
2346         (JSC::JIT::emit_op_get_by_id):
2347         (JSC::JIT::emit_op_put_by_id):
2348         * jit/Repatch.cpp:
2349         (JSC::tryCacheGetByID):
2350         (JSC::tryBuildGetByIDList):
2351         (JSC::emitCustomSetterStub):
2352         (JSC::tryCachePutByID):
2353         (JSC::tryBuildPutByIdList):
2354         * jit/SpillRegistersMode.h: Added.
2355         * llint/LLIntSlowPaths.cpp:
2356         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2357         * runtime/Lookup.h:
2358         (JSC::putEntry):
2359         * runtime/PutPropertySlot.h:
2360         (JSC::PutPropertySlot::setCacheableCustomProperty):
2361         (JSC::PutPropertySlot::customSetter):
2362         (JSC::PutPropertySlot::isCacheablePut):
2363         (JSC::PutPropertySlot::isCacheableCustomProperty):
2364         (JSC::PutPropertySlot::cachedOffset):
2365
2366 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
2367
2368         JSCell::m_gcData should encode its information differently
2369         https://bugs.webkit.org/show_bug.cgi?id=129741
2370
2371         Reviewed by Geoffrey Garen.
2372
2373         We want to keep track of three GC states for an object:
2374
2375         1. Not marked (which implies not in the remembered set)
2376         2. Marked but not in the remembered set
2377         3. Marked and in the remembered set
2378         
2379         Currently we only indicate marked vs. not marked in JSCell::m_gcData. During a write 
2380         barrier, we only want to take the slow path if the object being stored to is in state #2. 
2381         We'd like to make the test for state #2 as fast as possible, which means making it a 
2382         compare against 0.
2383
2384         * dfg/DFGOSRExitCompilerCommon.cpp:
2385         (JSC::DFG::osrWriteBarrier):
2386         * dfg/DFGSpeculativeJIT.cpp:
2387         (JSC::DFG::SpeculativeJIT::checkMarkByte):
2388         (JSC::DFG::SpeculativeJIT::writeBarrier):
2389         * dfg/DFGSpeculativeJIT.h:
2390         * dfg/DFGSpeculativeJIT32_64.cpp:
2391         (JSC::DFG::SpeculativeJIT::writeBarrier):
2392         * dfg/DFGSpeculativeJIT64.cpp:
2393         (JSC::DFG::SpeculativeJIT::writeBarrier):
2394         * ftl/FTLLowerDFGToLLVM.cpp:
2395         (JSC::FTL::LowerDFGToLLVM::allocateCell):
2396         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
2397         * heap/Heap.cpp:
2398         (JSC::Heap::clearRememberedSet):
2399         (JSC::Heap::addToRememberedSet):
2400         * jit/AssemblyHelpers.h:
2401         (JSC::AssemblyHelpers::checkMarkByte):
2402         * jit/JIT.h:
2403         * jit/JITPropertyAccess.cpp:
2404         (JSC::JIT::checkMarkByte):
2405         (JSC::JIT::emitWriteBarrier):
2406         * jit/Repatch.cpp:
2407         (JSC::writeBarrier):
2408         * llint/LowLevelInterpreter.asm:
2409         * llint/LowLevelInterpreter32_64.asm:
2410         * llint/LowLevelInterpreter64.asm:
2411         * runtime/JSCell.h:
2412         (JSC::JSCell::mark):
2413         (JSC::JSCell::remember):
2414         (JSC::JSCell::forget):
2415         (JSC::JSCell::isMarked):
2416         (JSC::JSCell::isRemembered):
2417         * runtime/JSCellInlines.h:
2418         (JSC::JSCell::JSCell):
2419         * runtime/StructureIDBlob.h:
2420         (JSC::StructureIDBlob::StructureIDBlob):
2421
2422 2014-03-05  Filip Pizlo  <fpizlo@apple.com>
2423
2424         More FTL ARM fixes
2425         https://bugs.webkit.org/show_bug.cgi?id=129755
2426
2427         Reviewed by Geoffrey Garen.
2428         
2429         - Be more defensive about inline caches that have degenerate chains.
2430         
2431         - Temporarily switch to allocating all MCJIT memory in the executable pool on non-x86
2432           platforms. The bug tracking the real fix is: https://bugs.webkit.org/show_bug.cgi?id=129756
2433         
2434         - Don't even emit intrinsic declarations on non-x86 platforms.
2435         
2436         - More debug printing support.
2437         
2438         - Don't use vmCall() in the prologue. This should have crashed on all platforms all the time
2439           but somehow it gets lucky on x86.
2440
2441         * bytecode/GetByIdStatus.cpp:
2442         (JSC::GetByIdStatus::appendVariant):
2443         (JSC::GetByIdStatus::computeForChain):
2444         (JSC::GetByIdStatus::computeForStubInfo):
2445         * bytecode/GetByIdStatus.h:
2446         * bytecode/PutByIdStatus.cpp:
2447         (JSC::PutByIdStatus::appendVariant):
2448         (JSC::PutByIdStatus::computeForStubInfo):
2449         * bytecode/PutByIdStatus.h:
2450         * bytecode/StructureSet.h:
2451         (JSC::StructureSet::overlaps):
2452         * ftl/FTLCompile.cpp:
2453         (JSC::FTL::mmAllocateDataSection):
2454         * ftl/FTLDataSection.cpp:
2455         (JSC::FTL::DataSection::DataSection):
2456         (JSC::FTL::DataSection::~DataSection):
2457         * ftl/FTLDataSection.h:
2458         * ftl/FTLLowerDFGToLLVM.cpp:
2459         (JSC::FTL::LowerDFGToLLVM::lower):
2460         * ftl/FTLOutput.h:
2461         (JSC::FTL::Output::doubleSin):
2462         (JSC::FTL::Output::doubleCos):
2463         * runtime/JSCJSValue.cpp:
2464         (JSC::JSValue::dumpInContext):
2465         * runtime/JSCell.h:
2466         (JSC::JSCell::structureID):
2467
2468 2014-03-05  peavo@outlook.com  <peavo@outlook.com>
2469
2470         [Win32][LLINT] Crash when running JSC stress tests.
2471         https://bugs.webkit.org/show_bug.cgi?id=129429
2472
2473         On Windows the reserved stack space consists of committed memory, a guard page, and uncommitted memory,
2474         where the guard page is a barrier between committed and uncommitted memory.
2475         When data from the guard page is read or written, the guard page is moved, and memory is committed.
2476         This is how the system grows the stack.
2477         When using the C stack on Windows we need to precommit the needed stack space.
2478         Otherwise we might crash later if we access uncommitted stack memory.
2479         This can happen if we allocate stack space larger than the page guard size (4K).
2480         The system does not get the chance to move the guard page, and commit more memory,
2481         and we crash if uncommitted memory is accessed.
2482         The MSVC compiler fixes this by inserting a call to the _chkstk() function,
2483         when needed, see http://support.microsoft.com/kb/100775.
2484
2485         Reviewed by Geoffrey Garen.
2486
2487         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Enable LLINT.
2488         * jit/Repatch.cpp:
2489         (JSC::writeBarrier): Compile fix when DFG_JIT is not enabled.
2490         * offlineasm/x86.rb: Compile fix, and small simplification.
2491         * runtime/VM.cpp:
2492         (JSC::preCommitStackMemory): Added function to precommit stack memory.
2493         (JSC::VM::updateStackLimit): Call function to precommit stack memory when stack limit is updated.
2494
2495 2014-03-05  Michael Saboff  <msaboff@apple.com>
2496
2497         JSDataViewPrototype::getData() and setData() crash on platforms that don't allow unaligned accesses
2498         https://bugs.webkit.org/show_bug.cgi?id=129746
2499
2500         Reviewed by Filip Pizlo.
2501
2502         Changed to use a union to manually assemble or disassemble the various types
2503         from / to the corresponding bytes.  All memory access is now done using
2504         byte accesses.
2505
2506         * runtime/JSDataViewPrototype.cpp:
2507         (JSC::getData):
2508         (JSC::setData):
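
As an added example (not the code from the WebKit patch), a byte-wise DataView-style accessor in C++ along the lines this entry describes: a union assembles or disassembles the value, every touch of the backing buffer is a single-byte access, so a misaligned offset is safe on any platform, and the bounds check is a named helper. The names getData, setData, inBounds and hostIsLittleEndian are chosen here, and the sample buffer is constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <stdexcept>
#include <vector>

// Union used to assemble a multi-byte value from single bytes, or take one
// apart. Reading the inactive member is accepted by GCC, Clang and MSVC, which
// is what the union approach in the entry above relies on.
template <typename T>
union ByteView {
    T value;
    uint8_t bytes[sizeof(T)];
};

// Host byte order, detected at run time so the same code works everywhere.
inline bool hostIsLittleEndian()
{
    const uint16_t probe = 0x0001;
    uint8_t firstByte = 0;
    std::memcpy(&firstByte, &probe, 1);
    return firstByte == 0x01;
}

// Bounds check written to be overflow-safe: byteOffset + width is never
// computed, so a huge byteOffset cannot wrap around and pass the check.
inline bool inBounds(size_t bufferSize, size_t byteOffset, size_t width)
{
    return byteOffset <= bufferSize && bufferSize - byteOffset >= width;
}

// Read a T stored at byteOffset in the requested byte order. byteOffset may be
// odd or otherwise misaligned for T: only single-byte loads touch the buffer.
template <typename T>
T getData(const std::vector<uint8_t>& buffer, size_t byteOffset, bool littleEndian)
{
    if (!inBounds(buffer.size(), byteOffset, sizeof(T)))
        throw std::out_of_range("DataView read past end of buffer");
    ByteView<T> view;
    const bool reverse = littleEndian != hostIsLittleEndian();
    for (size_t i = 0; i < sizeof(T); ++i)
        view.bytes[reverse ? sizeof(T) - 1 - i : i] = buffer[byteOffset + i];
    return view.value;
}

// Write a T at byteOffset in the requested byte order, again byte by byte.
template <typename T>
void setData(std::vector<uint8_t>& buffer, size_t byteOffset, T value, bool littleEndian)
{
    if (!inBounds(buffer.size(), byteOffset, sizeof(T)))
        throw std::out_of_range("DataView write past end of buffer");
    ByteView<T> view;
    view.value = value;
    const bool reverse = littleEndian != hostIsLittleEndian();
    for (size_t i = 0; i < sizeof(T); ++i)
        buffer[byteOffset + i] = view.bytes[reverse ? sizeof(T) - 1 - i : i];
}

int main()
{
    // Constructed sample buffer; offset 1 is misaligned for every type wider than a byte.
    std::vector<uint8_t> buffer = { 0x00, 0x12, 0x34, 0x56, 0x78, 0x00, 0x00, 0x00, 0x00, 0x00 };
    std::cout << std::hex << getData<uint32_t>(buffer, 1, false) << "\n"; // 12345678
    std::cout << std::hex << getData<uint32_t>(buffer, 1, true) << "\n";  // 78563412
    setData<double>(buffer, 1, 1.5, false);
    std::cout << getData<double>(buffer, 1, false) << "\n";               // 1.5
    return 0;
}
```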
2509
2510 2014-03-05  Filip Pizlo  <fpizlo@apple.com>
2511
2512         FTL loadStructure always generates invalid IR
2513         https://bugs.webkit.org/show_bug.cgi?id=129747
2514
2515         Reviewed by Mark Hahnenberg.
2516
2517         As the comment at the top of FTL::Output states, the FTL doesn't use LLVM's notion
2518         of pointers. LLVM's notion of pointers tries to model C, in the sense that you have
2519         to have a pointer to a type, and you can only load things of that type from that
2520         pointer. Pointer arithmetic is basically not possible except through the bizarre
2521         getelementptr operator. This doesn't fit with how the JS object model works since
2522         the JS object model doesn't consist of nice and tidy C types placed in C arrays.
2523         Also, it would be impossible to use getelementptr and LLVM pointers for accessing
2524         any of JSC's C or C++ objects unless we went through the exercise of redeclaring
2525         all of our fundamental data structures in LLVM IR as LLVM types. Clang could do
2526         this for us, but that would require that to use the FTL, JSC itself would have to
2527         be compiled with clang. Worse, it would have to be compiled with a clang that uses
2528         a version of LLVM that is compatible with the one against which the FTL is linked.
2529         Yuck!
2530
2531         The solution is to NEVER use LLVM pointers. This has always been the case in the
2532         FTL. But it causes some confusion.
2533         
2534         Not using LLVM pointers means that if the FTL has a "pointer", it's actually a
2535         pointer-wide integer (m_out.intPtr in FTL-speak). The act of "loading" and
2536         "storing" from or to a pointer involves first bitcasting the intPtr to a real LLVM
2537         pointer that has the type that we want. The load and store operations over pointers
2538         are called Output::load* and Output::store*, where * is one of "8", "16", "32",
2539         "64", "Ptr", "Float", or "Double".
2540         
2541         There is unavoidable confusion here. It would be bizarre for the FTL to call its
2542         "pointer-wide integers" anything other than "pointers", since they are, in all
2543         respects that we care about, simply pointers. But they are *not* LLVM pointers and
2544         they never will be that.
2545         
2546         There is one exception to this "no pointers" rule. The FTL does use actual LLVM
2547         pointers for referring to LLVM allocas - i.e. local variables. To try to reduce
2548         confusion, we call these "references". So an "FTL reference" is actually an "LLVM
2549         pointer", while an "FTL pointer" is actually an "LLVM integer". FTL references have
2550         methods for access called Output::get and Output::set. These lower to LLVM load
2551         and store, since FTL references are just LLVM pointers.
2552         
2553         This confusion appears to have led to incorrect code in loadStructure().
2554         loadStructure() was using get() and set() to access FTL pointers. But those methods
2555         don't work on FTL pointers and never will, since they are for FTL references.
2556         
2557         The worst part of this is that it was previously impossible to have test coverage
2558         for the relevant path (MasqueradesAsUndefined) without writing a DRT test. This
2559         patch fixes this by introducing a Masquerader object to jsc.cpp.
2560         
2561         * ftl/FTLAbstractHeapRepository.h: Add an abstract heap for the structure table.
2562         * ftl/FTLLowerDFGToLLVM.cpp:
2563         (JSC::FTL::LowerDFGToLLVM::loadStructure): This was wrong.
2564         * ftl/FTLOutput.h: Add a comment to dissuade people from using get() and set().
2565         * jsc.cpp: Give us the power to test for MasqueradesAsUndefined.
2566         (WTF::Masquerader::Masquerader):
2567         (WTF::Masquerader::create):
2568         (WTF::Masquerader::createStructure):
2569         (GlobalObject::finishCreation):
2570         (functionMakeMasquerader):
2571         * tests/stress/equals-masquerader.js: Added.
2572         (foo):
2573         (test):
2574
2575 2014-03-05  Anders Carlsson  <andersca@apple.com>
2576
2577         Tweak after r165109 to avoid extra copies
2578         https://bugs.webkit.org/show_bug.cgi?id=129745
2579
2580         Reviewed by Geoffrey Garen.
2581
2582         * heap/Heap.cpp:
2583         (JSC::Heap::visitProtectedObjects):
2584         (JSC::Heap::visitTempSortVectors):
2585         (JSC::Heap::clearRememberedSet):
2586         * heap/Heap.h:
2587         (JSC::Heap::forEachProtectedCell):
2588
2589 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
2590
2591         DFGStoreBarrierElisionPhase should use GCState directly instead of m_gcClobberSet when calling writesOverlap()
2592         https://bugs.webkit.org/show_bug.cgi?id=129717
2593
2594         Reviewed by Filip Pizlo.
2595
2596         * dfg/DFGStoreBarrierElisionPhase.cpp:
2597         (JSC::DFG::StoreBarrierElisionPhase::StoreBarrierElisionPhase):
2598         (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC):
2599
2600 2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>
2601
2602         Use range-based loops where possible in Heap methods
2603         https://bugs.webkit.org/show_bug.cgi?id=129513
2604
2605         Reviewed by Mark Lam.
2606
2607         Replace old school iterator based loops with the new range-based loop hotness
2608         for a better tomorrow.
2609
2610         * heap/CodeBlockSet.cpp:
2611         (JSC::CodeBlockSet::~CodeBlockSet):
2612         (JSC::CodeBlockSet::clearMarks):
2613         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
2614         (JSC::CodeBlockSet::traceMarked):
2615         * heap/Heap.cpp:
2616         (JSC::Heap::visitProtectedObjects):
2617         (JSC::Heap::visitTempSortVectors):
2618         (JSC::Heap::clearRememberedSet):
2619         * heap/Heap.h:
2620         (JSC::Heap::forEachProtectedCell):
2621
2622 2014-03-04  Filip Pizlo  <fpizlo@apple.com>
2623
2624         DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
2625         https://bugs.webkit.org/show_bug.cgi?id=129563
2626
2627         Reviewed by Geoffrey Garen.
2628         
2629         Rolling this back in after fixing an assertion failure. speculateMisc() should have
2630         said DFG_TYPE_CHECK instead of typeCheck.
2631         
2632         This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
2633         when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
2634         user of this was EarleyBoyer, and in that benchmark what it was really doing was
2635         comparing undefined, null, and booleans to each other.
2636         
2637         This also adds support for miscellaneous things that I needed to make my various test
2638         cases work. This includes comparison over booleans and the various Throw-related node
2639         types.
2640         
2641         This also improves constant folding of CompareStrictEq and CompareEq.
2642         
2643         Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
2644         based on profiling, which caused some downstream badness. We don't actually support
2645         compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
2646         emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
2647         shouldn't factor out the bounds check since the access is not InBounds but then the
2648         backend would ignore the flag and assume that the bounds check was already emitted.
2649         This showed up on an existing test but I added a test for this explicitly to have more
2650         certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
2651         that we'll have a bounds check anyway.
2652         
2653         This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
2654         general progressions across the board. No speed-up yet on EarleyBoyer, since there is
2655         still a lot more coverage work to be done there.
2656
2657         * bytecode/SpeculatedType.cpp:
2658         (JSC::speculationToAbbreviatedString):
2659         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
2660         (JSC::valuesCouldBeEqual):
2661         * bytecode/SpeculatedType.h:
2662         (JSC::isMiscSpeculation):
2663         * dfg/DFGAbstractInterpreterInlines.h:
2664         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2665         * dfg/DFGArrayMode.cpp:
2666         (JSC::DFG::ArrayMode::refine):
2667         * dfg/DFGArrayMode.h:
2668         * dfg/DFGFixupPhase.cpp:
2669         (JSC::DFG::FixupPhase::fixupNode):
2670         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
2671         * dfg/DFGNode.h:
2672         (JSC::DFG::Node::shouldSpeculateMisc):
2673         * dfg/DFGSafeToExecute.h:
2674         (JSC::DFG::SafeToExecuteEdge::operator()):
2675         * dfg/DFGSpeculativeJIT.cpp:
2676         (JSC::DFG::SpeculativeJIT::compileStrictEq):
2677         (JSC::DFG::SpeculativeJIT::speculateMisc):
2678         (JSC::DFG::SpeculativeJIT::speculate):
2679         * dfg/DFGSpeculativeJIT.h:
2680         * dfg/DFGSpeculativeJIT32_64.cpp:
2681         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
2682         * dfg/DFGSpeculativeJIT64.cpp:
2683         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
2684         * dfg/DFGUseKind.cpp:
2685         (WTF::printInternal):
2686         * dfg/DFGUseKind.h:
2687         (JSC::DFG::typeFilterFor):
2688         * ftl/FTLCapabilities.cpp:
2689         (JSC::FTL::canCompile):
2690         * ftl/FTLLowerDFGToLLVM.cpp:
2691         (JSC::FTL::LowerDFGToLLVM::compileNode):
2692         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
2693         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
2694         (JSC::FTL::LowerDFGToLLVM::compileThrow):
2695         (JSC::FTL::LowerDFGToLLVM::isNotMisc):
2696         (JSC::FTL::LowerDFGToLLVM::isMisc):
2697         (JSC::FTL::LowerDFGToLLVM::speculate):
2698         (JSC::FTL::LowerDFGToLLVM::speculateMisc):
2699         * tests/stress/float32-array-out-of-bounds.js: Added.
2700         * tests/stress/weird-equality-folding-cases.js: Added.
2701
2702 2014-03-04  Commit Queue  <commit-queue@webkit.org>
2703
2704         Unreviewed, rolling out r165085.
2705         http://trac.webkit.org/changeset/165085
2706         https://bugs.webkit.org/show_bug.cgi?id=129729
2707
2708         Broke imported/w3c/html-templates/template-element/template-
2709         content.html (Requested by ap on #webkit).
2710
2711         * bytecode/SpeculatedType.cpp:
2712         (JSC::speculationToAbbreviatedString):
2713         * bytecode/SpeculatedType.h:
2714         * dfg/DFGAbstractInterpreterInlines.h:
2715         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2716         * dfg/DFGArrayMode.cpp:
2717         (JSC::DFG::ArrayMode::refine):
2718         * dfg/DFGArrayMode.h:
2719         * dfg/DFGFixupPhase.cpp:
2720         (JSC::DFG::FixupPhase::fixupNode):
2721         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
2722         * dfg/DFGNode.h:
2723         (JSC::DFG::Node::shouldSpeculateBoolean):
2724         * dfg/DFGSafeToExecute.h:
2725         (JSC::DFG::SafeToExecuteEdge::operator()):
2726         * dfg/DFGSpeculativeJIT.cpp:
2727         (JSC::DFG::SpeculativeJIT::compileStrictEq):
2728         (JSC::DFG::SpeculativeJIT::speculate):
2729         * dfg/DFGSpeculativeJIT.h:
2730         * dfg/DFGSpeculativeJIT32_64.cpp:
2731         * dfg/DFGSpeculativeJIT64.cpp:
2732         * dfg/DFGUseKind.cpp:
2733         (WTF::printInternal):
2734         * dfg/DFGUseKind.h:
2735         (JSC::DFG::typeFilterFor):
2736         * ftl/FTLCapabilities.cpp:
2737         (JSC::FTL::canCompile):
2738         * ftl/FTLLowerDFGToLLVM.cpp:
2739         (JSC::FTL::LowerDFGToLLVM::compileNode):
2740         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
2741         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
2742         (JSC::FTL::LowerDFGToLLVM::speculate):
2743         * tests/stress/float32-array-out-of-bounds.js: Removed.
2744         * tests/stress/weird-equality-folding-cases.js: Removed.
2745
2746 2014-03-04  Brian Burg  <bburg@apple.com>
2747
2748         Inspector does not restore breakpoints after a page reload
2749         https://bugs.webkit.org/show_bug.cgi?id=129655
2750
2751         Reviewed by Joseph Pecoraro.
2752
2753         Fix a regression introduced by r162096 that erroneously removed
2754         the inspector backend's mapping of files to breakpoints whenever the
2755         global object was cleared.
2756
2757         The inspector's breakpoint mappings should only be cleared when the
2758         debugger agent is disabled or destroyed. We should only clear the
2759         debugger's breakpoint state when the global object is cleared.
2760
2761         To make it clearer what state is being cleared, the two cases have
2762         been split into separate methods.
2763
2764         * inspector/agents/InspectorDebuggerAgent.cpp:
2765         (Inspector::InspectorDebuggerAgent::disable):
2766         (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
2767         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
2768         (Inspector::InspectorDebuggerAgent::didClearGlobalObject):
2769         * inspector/agents/InspectorDebuggerAgent.h:
2770
2771 2014-03-04  Andreas Kling  <akling@apple.com>
2772
2773         Streamline JSValue::get().
2774         <https://webkit.org/b/129720>
2775
2776         Fetch each Structure and VM only once when walking the prototype chain
2777         in JSObject::getPropertySlot(), then pass it along to the functions
2778         we call from there, so they don't have to re-fetch it.
2779
2780         Reviewed by Geoff Garen.
2781
2782         * runtime/JSObject.h:
2783         (JSC::JSObject::inlineGetOwnPropertySlot):
2784         (JSC::JSObject::fastGetOwnPropertySlot):
2785         (JSC::JSObject::getPropertySlot):
2786
2787 2014-03-01  Filip Pizlo  <fpizlo@apple.com>
2788
2789         DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
2790         https://bugs.webkit.org/show_bug.cgi?id=129563
2791
2792         Reviewed by Geoffrey Garen.
2793         
2794         This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
2795         when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
2796         user of this was EarleyBoyer, and in that benchmark what it was really doing was
2797         comparing undefined, null, and booleans to each other.
2798         
2799         This also adds support for miscellaneous things that I needed to make my various test
2800         cases work. This includes comparison over booleans and the various Throw-related node
2801         types.
2802         
2803         This also improves constant folding of CompareStrictEq and CompareEq.
2804         
2805         Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
2806         based on profiling, which caused some downstream badness. We don't actually support
2807         compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
2808         emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
2809         shouldn't factor out the bounds check since the access is not InBounds but then the
2810         backend would ignore the flag and assume that the bounds check was already emitted.
2811         This showed up on an existing test but I added a test for this explicitly to have more
2812         certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
2813         that we'll have a bounds check anyway.
2814         
2815         This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
2816         general progressions across the board. No speed-up yet on EarleyBoyer, since there is
2817         still a lot more coverage work to be done there.
2818
2819         * bytecode/SpeculatedType.cpp:
2820         (JSC::speculationToAbbreviatedString):
2821         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
2822         (JSC::valuesCouldBeEqual):
2823         * bytecode/SpeculatedType.h:
2824         (JSC::isMiscSpeculation):
2825         * dfg/DFGAbstractInterpreterInlines.h:
2826         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2827         * dfg/DFGFixupPhase.cpp:
2828         (JSC::DFG::FixupPhase::fixupNode):
2829         * dfg/DFGNode.h:
2830         (JSC::DFG::Node::shouldSpeculateMisc):
2831         * dfg/DFGSafeToExecute.h:
2832         (JSC::DFG::SafeToExecuteEdge::operator()):
2833         * dfg/DFGSpeculativeJIT.cpp:
2834         (JSC::DFG::SpeculativeJIT::compileStrictEq):
2835         (JSC::DFG::SpeculativeJIT::speculateMisc):
2836         (JSC::DFG::SpeculativeJIT::speculate):
2837         * dfg/DFGSpeculativeJIT.h:
2838         * dfg/DFGSpeculativeJIT32_64.cpp:
2839         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
2840         * dfg/DFGSpeculativeJIT64.cpp:
2841         (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
2842         * dfg/DFGUseKind.cpp:
2843         (WTF::printInternal):
2844         * dfg/DFGUseKind.h:
2845         (JSC::DFG::typeFilterFor):
2846         * ftl/FTLCapabilities.cpp:
2847         (JSC::FTL::canCompile):
2848         * ftl/FTLLowerDFGToLLVM.cpp:
2849         (JSC::FTL::LowerDFGToLLVM::compileNode):
2850         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
2851         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
2852         (JSC::FTL::LowerDFGToLLVM::compileThrow):
2853         (JSC::FTL::LowerDFGToLLVM::isNotMisc):
2854         (JSC::FTL::LowerDFGToLLVM::isMisc):
2855         (JSC::FTL::LowerDFGToLLVM::speculate):
2856         (JSC::FTL::LowerDFGToLLVM::speculateMisc):
2857         * tests/stress/float32-array-out-of-bounds.js: Added.
2858         * tests/stress/weird-equality-folding-cases.js: Added.
2859
2860 2014-03-04  Andreas Kling  <akling@apple.com>
2861
2862         Spam static branch prediction hints on JS bindings.
2863         <https://webkit.org/b/129703>
2864
2865         Add LIKELY hint to jsDynamicCast since it's always used in a context
2866         where we expect it to succeed and takes an error path when it doesn't.
2867
2868         Reviewed by Geoff Garen.
2869
2870         * runtime/JSCell.h:
2871         (JSC::jsDynamicCast):
2872
2873 2014-03-04  Andreas Kling  <akling@apple.com>
2874
2875         Get to Structures more efficiently in JSCell::methodTable().
2876         <https://webkit.org/b/129702>
2877
2878         In JSCell::methodTable(), get the VM once and pass that along to
2879         structure(VM&) instead of using the heavier structure().
2880
2881         In JSCell::methodTable(VM&), replace calls to structure() with
2882         calls to structure(VM&).
2883
2884         Reviewed by Mark Hahnenberg.
2885
2886         * runtime/JSCellInlines.h:
2887         (JSC::JSCell::methodTable):
2888
2889 2014-03-04  Joseph Pecoraro  <pecoraro@apple.com>
2890
2891         Web Inspector: Listen for the XPC_ERROR_CONNECTION_INVALID event to deref
2892         https://bugs.webkit.org/show_bug.cgi?id=129697
2893
2894         Reviewed by Timothy Hatcher.
2895
2896         * inspector/remote/RemoteInspectorXPCConnection.mm:
2897         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
2898         (Inspector::RemoteInspectorXPCConnection::handleEvent):
2899
2900 2014-03-04  Mark Hahnenberg  <mhahnenberg@apple.com>
2901
2902         Merge API shims and JSLock
2903         https://bugs.webkit.org/show_bug.cgi?id=129650
2904
2905         Reviewed by Mark Lam.
2906
2907         JSLock is now taking on all of APIEntryShim's responsibilities since there is never a reason 
2908         to take just the JSLock. Ditto for DropAllLocks and APICallbackShim.
2909
2910         * API/APICallbackFunction.h:
2911         (JSC::APICallbackFunction::call):
2912         (JSC::APICallbackFunction::construct):
2913         * API/APIShims.h: Removed.
2914         * API/JSBase.cpp:
2915         (JSEvaluateScript):
2916         (JSCheckScriptSyntax):
2917         (JSGarbageCollect):
2918         (JSReportExtraMemoryCost):
2919         (JSSynchronousGarbageCollectForDebugging):
2920         * API/JSCallbackConstructor.cpp:
2921         * API/JSCallbackFunction.cpp:
2922         * API/JSCallbackObjectFunctions.h:
2923         (JSC::JSCallbackObject<Parent>::init):
2924         (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
2925         (JSC::JSCallbackObject<Parent>::put):
2926         (JSC::JSCallbackObject<Parent>::putByIndex):
2927         (JSC::JSCallbackObject<Parent>::deleteProperty):
2928         (JSC::JSCallbackObject<Parent>::construct):
2929         (JSC::JSCallbackObject<Parent>::customHasInstance):
2930         (JSC::JSCallbackObject<Parent>::call):
2931         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
2932         (JSC::JSCallbackObject<Parent>::getStaticValue):
2933         (JSC::JSCallbackObject<Parent>::callbackGetter):
2934         * API/JSContext.mm:
2935         (-[JSContext setException:]):
2936         (-[JSContext wrapperForObjCObject:]):
2937         (-[JSContext wrapperForJSObject:]):
2938         * API/JSContextRef.cpp:
2939         (JSContextGroupRelease):
2940         (JSContextGroupSetExecutionTimeLimit):
2941         (JSContextGroupClearExecutionTimeLimit):
2942         (JSGlobalContextCreateInGroup):
2943         (JSGlobalContextRetain):
2944         (JSGlobalContextRelease):
2945         (JSContextGetGlobalObject):
2946         (JSContextGetGlobalContext):
2947         (JSGlobalContextCopyName):
2948         (JSGlobalContextSetName):
2949         * API/JSManagedValue.mm:
2950         (-[JSManagedValue value]):
2951         * API/JSObjectRef.cpp:
2952         (JSObjectMake):
2953         (JSObjectMakeFunctionWithCallback):
2954         (JSObjectMakeConstructor):
2955         (JSObjectMakeFunction):
2956         (JSObjectMakeArray):
2957         (JSObjectMakeDate):
2958         (JSObjectMakeError):
2959         (JSObjectMakeRegExp):
2960         (JSObjectGetPrototype):
2961         (JSObjectSetPrototype):
2962         (JSObjectHasProperty):
2963         (JSObjectGetProperty):
2964         (JSObjectSetProperty):
2965         (JSObjectGetPropertyAtIndex):
2966         (JSObjectSetPropertyAtIndex):
2967         (JSObjectDeleteProperty):
2968         (JSObjectGetPrivateProperty):
2969         (JSObjectSetPrivateProperty):
2970         (JSObjectDeletePrivateProperty):
2971         (JSObjectIsFunction):
2972         (JSObjectCallAsFunction):
2973         (JSObjectCallAsConstructor):
2974         (JSObjectCopyPropertyNames):
2975         (JSPropertyNameArrayRelease):
2976         (JSPropertyNameAccumulatorAddName):
2977         * API/JSScriptRef.cpp:
2978         * API/JSValue.mm:
2979         (isDate):
2980         (isArray):
2981         (containerValueToObject):
2982         (valueToArray):
2983         (valueToDictionary):
2984         (objectToValue):
2985         * API/JSValueRef.cpp:
2986         (JSValueGetType):
2987         (JSValueIsUndefined):
2988         (JSValueIsNull):
2989         (JSValueIsBoolean):
2990         (JSValueIsNumber):
2991         (JSValueIsString):
2992         (JSValueIsObject):
2993         (JSValueIsObjectOfClass):
2994         (JSValueIsEqual):
2995         (JSValueIsStrictEqual):
2996         (JSValueIsInstanceOfConstructor):
2997         (JSValueMakeUndefined):
2998         (JSValueMakeNull):
2999         (JSValueMakeBoolean):
3000         (JSValueMakeNumber):
3001         (JSValueMakeString):
3002         (JSValueMakeFromJSONString):
3003         (JSValueCreateJSONString):
3004         (JSValueToBoolean):
3005         (JSValueToNumber):
3006         (JSValueToStringCopy):
3007         (JSValueToObject):
3008         (JSValueProtect):
3009         (JSValueUnprotect):
3010         * API/JSVirtualMachine.mm:
3011         (-[JSVirtualMachine addManagedReference:withOwner:]):
3012         (-[JSVirtualMachine removeManagedReference:withOwner:]):
3013         * API/JSWeakObjectMapRefPrivate.cpp:
3014         * API/JSWrapperMap.mm:
3015         (constructorHasInstance):
3016         (makeWrapper):
3017         (tryUnwrapObjcObject):
3018         * API/ObjCCallbackFunction.mm:
3019         (JSC::objCCallbackFunctionCallAsFunction):
3020         (JSC::objCCallbackFunctionCallAsConstructor):
3021         (objCCallbackFunctionForInvocation):
3022         * CMakeLists.txt:
3023         * ForwardingHeaders/JavaScriptCore/APIShims.h: Removed.
3024         * GNUmakefile.list.am:
3025         * JavaScriptCore.xcodeproj/project.pbxproj:
3026         * dfg/DFGWorklist.cpp:
3027         * heap/DelayedReleaseScope.h:
3028         (JSC::DelayedReleaseScope::~DelayedReleaseScope):
3029         * heap/HeapTimer.cpp:
3030         (JSC::HeapTimer::timerDidFire):
3031         (JSC::HeapTimer::timerEvent):
3032         * heap/IncrementalSweeper.cpp:
3033         * inspector/InjectedScriptModule.cpp:
3034         (Inspector::InjectedScriptModule::ensureInjected):
3035         * jsc.cpp:
3036         (jscmain):
3037         * runtime/GCActivityCallback.cpp:
3038         (JSC::DefaultGCActivityCallback::doWork):
3039         * runtime/JSGlobalObjectDebuggable.cpp:
3040         (JSC::JSGlobalObjectDebuggable::connect):
3041         (JSC::JSGlobalObjectDebuggable::disconnect):
3042         (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
3043         * runtime/JSLock.cpp:
3044         (JSC::JSLock::lock):
3045         (JSC::JSLock::didAcquireLock):
3046         (JSC::JSLock::unlock):
3047         (JSC::JSLock::willReleaseLock):
3048         (JSC::JSLock::DropAllLocks::DropAllLocks):
3049         (JSC::JSLock::DropAllLocks::~DropAllLocks):
3050         * runtime/JSLock.h:
3051         * testRegExp.cpp:
3052         (realMain):
3053
3054 2014-03-04  Commit Queue  <commit-queue@webkit.org>
3055
3056         Unreviewed, rolling out r164812.
3057         http://trac.webkit.org/changeset/164812
3058         https://bugs.webkit.org/show_bug.cgi?id=129699
3059
3060         it made things run slower (Requested by pizlo on #webkit).
3061
3062         * interpreter/Interpreter.cpp:
3063         (JSC::Interpreter::execute):
3064         * jsc.cpp:
3065         (GlobalObject::finishCreation):
3066         * runtime/BatchedTransitionOptimizer.h:
3067         (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
3068         (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
3069
3070 2014-03-02  Filip Pizlo  <fpizlo@apple.com>
3071
3072         GetMyArgumentByVal in FTL
3073         https://bugs.webkit.org/show_bug.cgi?id=128850
3074
3075         Reviewed by Oliver Hunt.
3076         
3077         This would have been easy if the OSR exit compiler's arity checks hadn't been wrong.
3078         They checked arity by doing "exec->argumentCount == codeBlock->numParameters", which
3079         caused it to think that the arity check had failed if the caller had passed more
3080         arguments than needed. This would cause the call frame copying to sort of go into
3081         reverse (because the amount-by-which-we-failed-arity would have opposite sign,
3082         throwing off a bunch of math) and the stack would end up being corrupted.
3083         
3084         The bug was revealed by two existing tests although as far as I could tell, neither
3085         test was intending to cover this case directly. So, I added a new test.
3086
3087         * ftl/FTLCapabilities.cpp:
3088         (JSC::FTL::canCompile):
3089         * ftl/FTLLowerDFGToLLVM.cpp:
3090         (JSC::FTL::LowerDFGToLLVM::compileNode):
3091         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
3092         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
3093         (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated):
3094         (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated):
3095         * ftl/FTLOSRExitCompiler.cpp:
3096         (JSC::FTL::compileStub):
3097         * ftl/FTLState.h:
3098         * tests/stress/exit-from-ftl-when-caller-passed-extra-args-then-use-function-dot-arguments.js: Added.
3099         * tests/stress/ftl-get-my-argument-by-val-inlined-and-not-inlined.js: Added.
3100         * tests/stress/ftl-get-my-argument-by-val-inlined.js: Added.
3101         * tests/stress/ftl-get-my-argument-by-val.js: Added.
3102
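The arity-check sign flip this entry describes, as an added example that is not WebKit code: ExecState, CodeBlock and the fixup routine are simplified stand-ins constructed here, and the "fewer than" comparison in the fixed check is an assumption, since the entry only says that the "==" check was wrong.

```cpp
#include <cstdint>
#include <iostream>
#include <vector>

// Stand-ins for the JSC structures the entry names (constructed for this example,
// not the real types): ExecState carries the caller's arguments, CodeBlock the
// callee's declared parameter count.
struct CodeBlock { int numParameters; };
struct ExecState { int argumentCount; std::vector<int64_t> args; };

constexpr int64_t kUndefined = INT64_MIN; // marker for a padded 'undefined' slot

// The check as the entry describes the bug: arity "fails" whenever the counts
// differ, so a caller passing *extra* arguments is treated as passing too few.
bool arityCheckFailedBuggy(const ExecState& exec, const CodeBlock& cb) {
    return exec.argumentCount != cb.numParameters;
}

// Arity only fails when fewer arguments than parameters were supplied; extra
// arguments need no fixup. (Assumption: the entry states only that the '=='
// comparison was wrong, not the exact replacement.)
bool arityCheckFailedFixed(const ExecState& exec, const CodeBlock& cb) {
    return exec.argumentCount < cb.numParameters;
}

enum class Outcome { NoFixupNeeded, FixedUp, WouldCorruptStack };
struct FixupResult { Outcome outcome; std::vector<int64_t> params; };

// Simulated OSR-exit entry: decide whether arity fixup is needed and, if so,
// compute the amount by which arity failed and pad the parameter area with
// undefined. A negative delta is the sign flip the entry describes: a frame
// copy driven by it would run backwards over the stack, so it is reported
// here instead of performed.
FixupResult osrExitEntry(const ExecState& exec, const CodeBlock& cb, bool useBuggyCheck) {
    bool failed = useBuggyCheck ? arityCheckFailedBuggy(exec, cb)
                                : arityCheckFailedFixed(exec, cb);
    if (!failed)
        return {Outcome::NoFixupNeeded, exec.args};

    int delta = cb.numParameters - exec.argumentCount; // amount-by-which-we-failed-arity
    if (delta < 0)
        return {Outcome::WouldCorruptStack, {}};

    std::vector<int64_t> params = exec.args;
    params.resize(static_cast<size_t>(cb.numParameters), kUndefined);
    return {Outcome::FixedUp, params};
}

int main() {
    CodeBlock twoParams{2};
    ExecState extraArgs{3, {10, 20, 30}}; // caller passed one argument too many
    ExecState fewArgs{1, {10}};           // caller passed one argument too few

    FixupResult buggy = osrExitEntry(extraArgs, twoParams, /*useBuggyCheck=*/true);
    FixupResult fixed = osrExitEntry(extraArgs, twoParams, /*useBuggyCheck=*/false);
    std::cout << "extra args, buggy check: "
              << (buggy.outcome == Outcome::WouldCorruptStack ? "negative delta, would corrupt stack" : "ok")
              << "\n";
    std::cout << "extra args, fixed check: "
              << (fixed.outcome == Outcome::NoFixupNeeded ? "no fixup needed" : "unexpected") << "\n";

    FixupResult padded = osrExitEntry(fewArgs, twoParams, false);
    std::cout << "few args: padded to " << padded.params.size() << " slots\n";
    return 0;
}
```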
3103 2014-03-04  Zan Dobersek  <zdobersek@igalia.com>
3104
3105         [GTK] Build the Udis86 disassembler
3106         https://bugs.webkit.org/show_bug.cgi?id=129679
3107
3108         Reviewed by Michael Saboff.
3109
3110         * GNUmakefile.am: Generate the Udis86-related derived sources. Distribute the required files.
3111         * GNUmakefile.list.am: Add the Udis86 disassembler files to the build.
3112
3113 2014-03-04  Andreas Kling  <akling@apple.com>
3114
3115         Fix too-narrow assertion I added in r165054.
3116
3117         It's okay for a 1-character string to come in here. This will happen
3118         if the VM small string optimization doesn't apply (ch > 0xFF).
3119
3120         * runtime/JSString.h:
3121         (JSC::jsStringWithWeakOwner):
3122
3123 2014-03-04  Andreas Kling  <akling@apple.com>
3124
3125         Micro-optimize Strings in JS bindings.
3126         <https://webkit.org/b/129673>
3127
3128         Make jsStringWithWeakOwner() take a StringImpl& instead of a String.
3129         This avoids branches in length() and operator[].
3130
3131         Also call JSString::create() directly instead of jsString() and just
3132         assert that the string length is >1. This way we don't duplicate the
3133         optimizations for empty and single-character strings.
3134
3135         Reviewed by Ryosuke Niwa.
3136
3137         * runtime/JSString.h:
3138         (JSC::jsStringWithWeakOwner):
3139
3140 2014-03-04  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>
3141
3142         Implement Number.prototype.clz()
3143         https://bugs.webkit.org/show_bug.cgi?id=129479
3144
3145         Reviewed by Oliver Hunt.
3146
3147         Implemented Number.prototype.clz() as specified in the ES6 standard.
3148
3149         * runtime/NumberPrototype.cpp:
3150         (JSC::numberProtoFuncClz):
3151
3152 2014-03-03  Joseph Pecoraro  <pecoraro@apple.com>
3153
3154         Web Inspector: Avoid too early deref caused by RemoteInspectorXPCConnection::close
3155         https://bugs.webkit.org/show_bug.cgi?id=129631
3156
3157         Reviewed by Timothy Hatcher.
3158
3159         Avoid deref() too early if a client calls close(). The xpc_connection_close
3160         will cause another XPC_ERROR event to come in from the queue, deref then.
3161         Likewise, protect multithreaded access to m_client. If a client calls
3162         close() we want to immediately clear the pointer to prevent calls to it.
3163
3164         Overall the multi-threading aspects of RemoteInspectorXPCConnection are
3165         growing too complicated for probably little benefit. We may want to
3166         clean this up later.
3167
3168         * inspector/remote/RemoteInspector.mm:
3169         (Inspector::RemoteInspector::xpcConnectionFailed):
3170         * inspector/remote/RemoteInspectorXPCConnection.h:
3171         * inspector/remote/RemoteInspectorXPCConnection.mm:
3172         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
3173         (Inspector::RemoteInspectorXPCConnection::close):
3174         (Inspector::RemoteInspectorXPCConnection::closeOnQueue):
3175         (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
3176         (Inspector::RemoteInspectorXPCConnection::handleEvent):
3177         (Inspector::RemoteInspectorXPCConnection::sendMessage):
3178
3179 2014-03-03  Michael Saboff  <msaboff@apple.com>
3180
3181         AbstractMacroAssembler::CachedTempRegister should start out invalid
3182         https://bugs.webkit.org/show_bug.cgi?id=129657
3183
3184         Reviewed by Filip Pizlo.
3185
3186         * assembler/AbstractMacroAssembler.h:
3187         (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
3188         - Invalidate all cached registers in constructor as we don't know the
3189           contents of any register at the entry to the code we are going to
3190           generate.
3191
3192 2014-03-03  Andreas Kling  <akling@apple.com>
3193
3194         StructureOrOffset should be fastmalloced.
3195         <https://webkit.org/b/129640>
3196
3197         Reviewed by Geoffrey Garen.
3198
3199         * runtime/StructureIDTable.h:
3200
3201 2014-03-03  Michael Saboff  <msaboff@apple.com>
3202
3203         Crash in JIT code while watching a video @ storyboard.tumblr.com
3204         https://bugs.webkit.org/show_bug.cgi?id=129635
3205
3206         Reviewed by Filip Pizlo.
3207
3208         Clear m_set before we set bits in the TempRegisterSet(const RegisterSet& other)
3209         constructor.
3210
3211         * jit/TempRegisterSet.cpp:
3212         (JSC::TempRegisterSet::TempRegisterSet): Clear map before setting it.
3213         * jit/TempRegisterSet.h:
3214         (JSC::TempRegisterSet::TempRegisterSet): Use new clearAll() helper.
3215         (JSC::TempRegisterSet::clearAll): New private helper.
3216
3217 2014-03-03  Benjamin Poulain  <benjamin@webkit.org>
3218
3219         [x86] Improve code generation of byte test
3220         https://bugs.webkit.org/show_bug.cgi?id=129597
3221
3222         Reviewed by Geoffrey Garen.
3223
3224         When possible, test the 8 bit register to itself instead of comparing it
3225         to a literal.
3226
3227         * assembler/MacroAssemblerX86Common.h:
3228         (JSC::MacroAssemblerX86Common::test32):
3229
3230 2014-03-03  Mark Lam  <mark.lam@apple.com>
3231
3232         Web Inspector: debugger statements do not break.
3233         <https://webkit.org/b/129524>
3234
3235         Reviewed by Geoff Garen.
3236
3237         Since we no longer call op_debug hooks unless there is a debugger request
3238         made on the CodeBlock, the op_debug for the debugger statement never gets
3239         serviced.
3240
3241         With this fix, we check in the CodeBlock constructor if any debugger
3242         statements are present.  If so, we set a m_hasDebuggerStatement flag that
3243         causes the CodeBlock to show as having debugger requests.  Hence,
3244         breaking at debugger statements is now restored.
3245
3246         * bytecode/CodeBlock.cpp:
3247         (JSC::CodeBlock::CodeBlock):
3248         * bytecode/CodeBlock.h:
3249         (JSC::CodeBlock::hasDebuggerRequests):
3250         (JSC::CodeBlock::clearDebuggerRequests):
3251
3252 2014-03-03  Mark Lam  <mark.lam@apple.com>
3253
3254         ASSERTION FAILED: m_numBreakpoints >= numBreakpoints when deleting breakpoints.
3255         <https://webkit.org/b/129393>
3256
3257         Reviewed by Geoffrey Garen.
3258
3259         The issue manifests because the debugger will iterate all CodeBlocks in
3260         the heap when setting / clearing breakpoints, but it is possible for a
3261         CodeBlock to have been instantiated but not yet registered with the
3262         debugger.  This can happen because of the following:
3263
3264         1. DFG worklist compilation is still in progress, and the target
3265            codeBlock is not ready for installation in its executable yet.
3266
3267         2. DFG compilation failed and we have a codeBlock that will never be
3268            installed in its executable, and the codeBlock has not been cleaned
3269            up by the GC yet.
3270
3271         The code for installing the codeBlock in its executable is the same code
3272         that registers it with the debugger.  Hence, these codeBlocks are not
3273         registered with the debugger, and any pending breakpoints that would map
3274         to that CodeBlock are as yet unset or will never be set.  As such, an
3275         attempt to remove a breakpoint in that CodeBlock will fail that assertion.
3276
3277         To fix this, we do the following:
3278
3279         1. We'll eagerly clean up any zombie CodeBlocks due to failed DFG / FTL
3280            compilation.  This is achieved by providing a
3281            DeferredCompilationCallback::compilationDidComplete() that does this
3282            clean up, and have all subclasses call it at the end of their
3283            compilationDidComplete() methods.
3284
3285         2. Before the debugger or profiler iterates CodeBlocks in the heap, they
3286            will wait for all compilations to complete before proceeding.  This
3287            ensures that:
3288            1. any zombie CodeBlocks would have been cleaned up, and won't be
3289               seen by the debugger or profiler.
3290            2. all CodeBlocks that the debugger and profiler needs to operate on
3291               will be "ready" for whatever needs to be done to them e.g.
3292               jettisoning of DFG codeBlocks.
3293
3294         * bytecode/DeferredCompilationCallback.cpp:
3295         (JSC::DeferredCompilationCallback::compilationDidComplete):
3296         * bytecode/DeferredCompilationCallback.h:
3297         - Provide default implementation method to clean up zombie CodeBlocks.
3298
3299         * debugger/Debugger.cpp:
3300         (JSC::Debugger::forEachCodeBlock):
3301         - Utility function to iterate CodeBlocks.  It ensures that all compilations
3302           are complete before proceeding.
3303         (JSC::Debugger::setSteppingMode):
3304         (JSC::Debugger::toggleBreakpoint):
3305         (JSC::Debugger::recompileAllJSFunctions):
3306         (JSC::Debugger::clearBreakpoints):
3307         (JSC::Debugger::clearDebuggerRequests):
3308         - Use the utility iterator function.
3309
3310         * debugger/Debugger.h:
3311         * dfg/DFGOperations.cpp:
3312         - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.
3313
3314         * dfg/DFGPlan.cpp:
3315         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
3316         - Remove unneeded code (that was not the best solution anyway) for ensuring
3317           that we don't generate new DFG codeBlocks after enabling the debugger or
3318           profiler.  Now that we wait for compilations to complete before proceeding
3319           with debugger and profiler work, this scenario will never happen.
3320
3321         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
3322         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
3323         - Call the superclass method to clean up zombie codeBlocks.
3324
3325         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
3326         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
3327         - Call the superclass method to clean up zombie codeBlocks.
3328
3329         * heap/CodeBlockSet.cpp:
3330         (JSC::CodeBlockSet::remove):
3331         * heap/CodeBlockSet.h:
3332         * heap/Heap.h:
3333         (JSC::Heap::removeCodeBlock):
3334         - New method to remove a codeBlock from the codeBlock set.
3335
3336         * jit/JITOperations.cpp:
3337         - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.
3338
3339         * jit/JITToDFGDeferredCompilationCallback.cpp:
3340         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
3341         - Call the superclass method to clean up zombie codeBlocks.
3342
3343         * runtime/VM.cpp:
3344         (JSC::VM::waitForCompilationsToComplete):
3345         - Renamed from prepareToDiscardCode() to be clearer about what it does.
3346
3347         (JSC::VM::discardAllCode):
3348         (JSC::VM::releaseExecutableMemory):
3349         (JSC::VM::setEnabledProfiler):
3350         - Wait for compilation to complete before enabling the profiler.
3351
3352         * runtime/VM.h:
3353
3354 2014-03-03  Brian Burg  <bburg@apple.com>
3355
3356         Another unreviewed build fix attempt for Windows after r164986.
3357
3358         We never told Visual Studio to copy over the web replay code generator scripts
3359         and the generated headers for JavaScriptCore replay inputs as if they were
3360         private headers.
3361
3362         * JavaScriptCore.vcxproj/copy-files.cmd:
3363
3364 2014-03-03  Brian Burg  <bburg@apple.com>
3365
3366         Web Replay: upstream input storage, capture/replay machinery, and inspector domain
3367         https://bugs.webkit.org/show_bug.cgi?id=128782
3368
3369         Reviewed by Timothy Hatcher.
3370
3371         Alter the replay inputs code generator so that it knows when it is necessary
3372         to include headers for HEAVY_SCALAR types such as WTF::String and WebCore::URL.
3373
3374         * JavaScriptCore.xcodeproj/project.pbxproj:
3375         * replay/scripts/CodeGeneratorReplayInputs.py:
3376         (Framework.fromString):
3377         (Frameworks): Add WTF as an allowed framework for code generation.
3378         (Generator.generate_includes): Include headers for HEAVY_SCALAR types in the header file.
3379         (Generator.generate_includes.declaration):
3380         (Generator.generate_includes.or):
3381         (Generator.generate_type_forward_declarations): Skip HEAVY_SCALAR types.
3382
3383 2014-03-02  Filip Pizlo  <fpizlo@apple.com>
3384
3385         PolymorphicPutByIdList should have a simpler construction API with basically a single entrypoint
3386         https://bugs.webkit.org/show_bug.cgi?id=129591
3387
3388         Reviewed by Michael Saboff.
3389
3390         * bytecode/PolymorphicPutByIdList.cpp:
3391         (JSC::PutByIdAccess::fromStructureStubInfo): This function can figure out the slow path target for itself.
3392         (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList): This constructor should be private, only from() should call it.
3393         (JSC::PolymorphicPutByIdList::from):
3394         * bytecode/PolymorphicPutByIdList.h:
3395         (JSC::PutByIdAccess::stubRoutine):
3396         * jit/Repatch.cpp:
3397         (JSC::tryBuildPutByIdList): Don't pass the slow path target since it can be derived from the stubInfo.
3398
3399 2014-03-02  Filip Pizlo  <fpizlo@apple.com>
3400
3401         Debugging improvements from my gbemu investigation session
3402         https://bugs.webkit.org/show_bug.cgi?id=129599
3403
3404         Reviewed by Mark Lam.
3405         
3406         Various improvements from when I was investigating bug 129411.
3407
3408   &