[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-03-03  Filip Pizlo  <fpizlo@apple.com>

        JIT debugging features that selectively disable the JITs for code blocks need to stay out of the way of the critical path of JIT management
        https://bugs.webkit.org/show_bug.cgi?id=142234

        Reviewed by Mark Lam and Benjamin Poulain.

        Long ago, we used to selectively disable compilation of CodeBlocks for debugging purposes by
        adding hacks to DFGDriver.cpp.  This was all well and good.  It used the existing
        CompilationFailed mode of the DFG driver to signal failure of CodeBlocks that we didn't want
        to compile.  That's great because CompilationFailed is a well-supported return value on the
        critical path, usually used for when we run out of JIT memory.

        Later, this was moved into DFGCapabilities. This was basically incorrect. It introduced a bug
        where disabling compiling of a CodeBlock meant that we stopped inlining it as well.  So if
        you had a compiler bug that arose if foo was inlined into bar, and you bisected down to bar,
        then foo would no longer get inlined and you wouldn't see the bug.  That's busted.

        So then we changed the code in DFGCapabilities to mark bar as CanCompile and foo as
        CanInline. Now, foo wouldn't get compiled alone but it would get inlined.

        But then we removed CanCompile because that capability mode only existed for the purpose of
        our old varargs hacks.  After that removal, "CanInline" became CannotCompile.  This means
        that if you bisect down on bar in the "foo inlined into bar" case, you'll crash in the DFG
        because the baseline JIT wouldn't have known to insert profiling on foo.

        We could fix this by bringing back CanInline.

        But this is all a pile of nonsense.  The debug support to selectively disable compilation of
        some CodeBlocks shouldn't cross-cut our entire engine and should most certainly never involve
        adding new capability modes.  This support is a hack at best and is for use by JSC hackers
        only.  It should be as unintrusive as possible.

        So, as in the ancient times, the only proper place to put this hack is in DFGDriver.cpp, and
        return CompilationFailed.  This is correct not just because it takes capability modes out of
        the picture (and obviates the need to introduce new ones), but also because it means that
        disabling compilation doesn't change the profiling mode of other CodeBlocks in the Baseline
        JIT.  Capability mode influences profiling mode which in turn influences code generation in
        the Baseline JIT, sometimes in very significant ways - like, we sometimes do additional
        double-to-int conversions in Baseline if we know that we might tier-up into the DFG, since
        this buys us more precise profiling.

        This change reduces the intrusiveness of debugging hacks by making them use the very simple
        CompilationFailed mechanism rather than trying to influence capability modes. Capability
        modes have very subtle effects on the whole engine, while CompilationFailed just makes the
        engine pretend like the DFG compilation will happen at timelike infinity. That makes these
        hacks much more likely to continue working as we make other changes to the system.

        This brings back the ability to bisect down onto a function bar when bar inlines foo. Prior
        to this change, we would crash in that case.

        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::isSupported):
        (JSC::DFG::mightCompileEval):
        (JSC::DFG::mightCompileProgram):
        (JSC::DFG::mightCompileFunctionForCall):
        (JSC::DFG::mightCompileFunctionForConstruct):
        * dfg/DFGCapabilities.h:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):

2015-03-03  peavo@outlook.com  <peavo@outlook.com>

        [Win64] JSC compile error.
        https://bugs.webkit.org/show_bug.cgi?id=142216

        Reviewed by Mark Lam.

        A version of setupArgumentsWithExecState is missing for NUMBER_OF_ARGUMENT_REGISTERS == 4.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):

2015-03-02  Filip Pizlo  <fpizlo@apple.com>

        DFG compile time measurements should really report milliseconds
        https://bugs.webkit.org/show_bug.cgi?id=142209

        Reviewed by Benjamin Poulain.

        Fix this to record milliseconds instead of seconds.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::compileInThreadImpl):

2015-03-02  Filip Pizlo  <fpizlo@apple.com>

        Remove op_get_callee, it's unused
        https://bugs.webkit.org/show_bug.cgi?id=142206

        Reviewed by Andreas Kling.

        It's a bit of a shame that we stopped using this opcode since it gives us same-callee
        profiling. But, if we were to add this functionality back in, we would almost certainly do
        it by adding a JSFunction allocation watchpoint on FunctionExecutable.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::finalizeUnconditionally):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_get_callee): Deleted.
        (JSC::JIT::emitSlow_op_get_callee): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_get_callee): Deleted.
        (JSC::JIT::emitSlow_op_get_callee): Deleted.
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL): Deleted.

2015-03-02  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Context Menu to Log a Particular Object
        https://bugs.webkit.org/show_bug.cgi?id=142198

        Reviewed by Timothy Hatcher.

        Add a protocol method to assign a $n index to a value. For an object
        use the injected script context for that object. For a value, use
        the execution context to know where to save the value.

        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::saveResult):
        * inspector/InjectedScript.h:
        * inspector/InjectedScriptSource.js:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::saveResult):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/protocol/Debugger.json:
        * inspector/protocol/Runtime.json:

2015-03-02  Filip Pizlo  <fpizlo@apple.com>

        SpeculativeJIT::emitAllocateArguments() should be a bit faster, and shouldn't do destructor initialization
        https://bugs.webkit.org/show_bug.cgi?id=142197

        Reviewed by Geoffrey Garen.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Use shift instead of mul, since mul doesn't automatically strength-reduce to shift. Also pass the structure as a TrustedImmPtr.
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateVariableSizedJSObject): Rationalize this a bit. The other emitAllocate... methods take a templated structure so that it can be either a TrustedImmPtr or a register. Also don't do destructor initialization, since its one client doesn't need it, and it's actually probably wrong.

2015-03-02  Mark Lam  <mark.lam@apple.com>

        Exception stack unwinding in JSC hangs while the Timeline Profiler is enabled.
        <https://webkit.org/b/142191>

        Reviewed by Geoffrey Garen.

        Imagine a scenario where the Inspector is paused / suspended at a breakpoint or
        while the user is stepping through JS code. The user then tries to evaluate an
        expression in the console, and that evaluation results in an exception being
        thrown. Currently, if the Timeline Profiler is enabled while this exception is
        being thrown, the WebProcess will hang while trying to handle that exception.

        The issue is that the Timeline Profiler's ProfileGenerator::didExecute() will
        return early and decline to process ProfileNodes if the Inspector is paused.
        This is proper because it does not want to count work done for injected scripts
        (e.g. from the console) towards the timeline profile of the webpage being run.
        However, this is in conflict with ProfileGenerator::exceptionUnwind()'s
        expectation that didExecute() will process ProfileNodes in order to do the stack
        unwinding for the exception handling. As a result,
        ProfileGenerator::exceptionUnwind() hangs.

        ProfileGenerator::exceptionUnwind() is in error. While the Inspector is paused,
        there will not be any ProfileNodes that it needs to "unwind". Hence, the fix is
        simply to return early also in ProfileGenerator::exceptionUnwind() if the
        Inspector is paused.

        * profiler/ProfileGenerator.cpp:
        (JSC::ProfileGenerator::exceptionUnwind):

2015-03-02  Filip Pizlo  <fpizlo@apple.com>

        FTL should correctly document where it puts the argument count for inlined varargs frames
        https://bugs.webkit.org/show_bug.cgi?id=142187

        Reviewed by Geoffrey Garen.

        After LLVM tells us where the captured variables alloca landed in the frame, we need to
        tell all of our meta-data about it. We were forgetting to do so for the argument count
        register, which is used by inlined varargs calls.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * tests/stress/inline-varargs-get-arguments.js: Added.
        (foo):
        (bar):
        (baz):

2015-03-02  Filip Pizlo  <fpizlo@apple.com>

        Deduplicate slow path calling code in JITOpcodes.cpp/JITOpcodes32_64.cpp
        https://bugs.webkit.org/show_bug.cgi?id=142184

        Reviewed by Michael Saboff.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_get_enumerable_length):
        (JSC::JIT::emitSlow_op_has_structure_property):
        (JSC::JIT::emit_op_has_generic_property):
        (JSC::JIT::emit_op_get_structure_property_enumerator):
        (JSC::JIT::emit_op_get_generic_property_enumerator):
        (JSC::JIT::emit_op_to_index_string):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_get_enumerable_length): Deleted.
        (JSC::JIT::emitSlow_op_has_structure_property): Deleted.
        (JSC::JIT::emit_op_has_generic_property): Deleted.
        (JSC::JIT::emit_op_get_structure_property_enumerator): Deleted.
        (JSC::JIT::emit_op_get_generic_property_enumerator): Deleted.
        (JSC::JIT::emit_op_to_index_string): Deleted.
        (JSC::JIT::emit_op_profile_control_flow): Deleted.

2015-03-02  Antti Koivisto  <antti@apple.com>

        Add way to dump cache meta data to file
        https://bugs.webkit.org/show_bug.cgi?id=142183

        Reviewed by Andreas Kling.

        Export appendQuotedJSONStringToBuilder.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ObjectPatternNode::toString):
        * runtime/JSONObject.cpp:
        (JSC::appendQuotedJSONStringToBuilder):
        (JSC::Stringifier::appendQuotedString):
        (JSC::escapeStringToBuilder): Deleted.
        * runtime/JSONObject.h:

2015-03-02  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Add Context Menus to Object Tree properties
        https://bugs.webkit.org/show_bug.cgi?id=142125

        Reviewed by Timothy Hatcher.

        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::functionDetails):
        Update to include columnNumber.

2015-03-01  Filip Pizlo  <fpizlo@apple.com>

        BytecodeGenerator shouldn't emit op_resolve_scope as a roundabout way of returning the scopeRegister
        https://bugs.webkit.org/show_bug.cgi?id=142153

        Reviewed by Michael Saboff.

        We don't need an op_resolve_scope if we know that it will simply return the scope register.
        This changes the BytecodeGenerator to use the scope register directly in those cases where
        we know statically that we would just have returned that from op_resolve_scope.

        This doesn't appear to have a significant impact on performance.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitResolveScope):
        (JSC::BytecodeGenerator::emitReturn):
        (JSC::BytecodeGenerator::emitGetOwnScope): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ResolveNode::emitBytecode):
        (JSC::EvalFunctionCallNode::emitBytecode):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::PostfixNode::emitResolve):
        (JSC::DeleteResolveNode::emitBytecode):
        (JSC::TypeOfResolveNode::emitBytecode):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::ConstDeclNode::emitCodeSingle):
        (JSC::EmptyVarExpression::emitBytecode):
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForOfNode::emitBytecode):
        (JSC::BindingNode::bindValue):

2015-02-27  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Use the way number constants are written to help type speculation
        https://bugs.webkit.org/show_bug.cgi?id=142072

        Reviewed by Filip Pizlo.

        This patch changes how we interpret numeric constants based on how they appear
        in the source.

        Constants that are integers but written with a decimal point now carry that information
        to the optimizing tiers. From there, we use that to be more aggressive about typing
        math operations toward double operations.

        For example, in:
            var a = x + 1.0;
            var b = y + 1;
        The Add for a would be biased toward doubles, the Add for b would speculate
        integer as usual.

        The gains are tiny but this is a prerequisite to make my next patch useful:
        -SunSpider's access-fannkuch: definitely 1.0661x faster
        -SunSpider's math-cordic: definitely 1.0266x slower
            overall: might be 1.0066x slower.
        -Kraken's imaging-darkroom: definitely 1.0333x faster.

        * parser/Lexer.cpp:
        (JSC::tokenTypeForIntegerLikeToken):
        (JSC::Lexer<T>::lex):
        The lexer now creates two types of tokens for numbers: INTEGER and DOUBLE.
        Those token types only carry information about how the values were
        entered; an INTEGER does not have to be an integer, it is only written like one.
        Large integers still end up represented as doubles in memory.

        One trap I fell into was typing numbers like 12e3 as double. This kind of literal
        is frequently used in integer-typed code, while 12.e3 would appear in double-typed
        code.
        Because of that, the only signals for double are: decimal point, negative zero,
        and ridiculously large values.

        * parser/NodeConstructors.h:
        (JSC::DoubleNode::DoubleNode):
        (JSC::IntegerNode::IntegerNode):
        * parser/Nodes.h:
        (JSC::NumberNode::value):
        (JSC::NumberNode::setValue): Deleted.
        Numbers get specialized into two new kinds of nodes in the AST: IntegerNode and DoubleNode.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::NumberNode::emitBytecode):

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createDoubleExpr):
        (JSC::ASTBuilder::createIntegerExpr):
        (JSC::ASTBuilder::createIntegerLikeNumber):
        (JSC::ASTBuilder::createDoubleLikeNumber):
        (JSC::ASTBuilder::createNumberFromBinaryOperation):
        (JSC::ASTBuilder::createNumberFromUnaryOperation):
        (JSC::ASTBuilder::makeNegateNode):
        (JSC::ASTBuilder::makeBitwiseNotNode):
        (JSC::ASTBuilder::makeMultNode):
        (JSC::ASTBuilder::makeDivNode):
        (JSC::ASTBuilder::makeModNode):
        (JSC::ASTBuilder::makeAddNode):
        (JSC::ASTBuilder::makeSubNode):
        (JSC::ASTBuilder::makeLeftShiftNode):
        (JSC::ASTBuilder::makeRightShiftNode):
        (JSC::ASTBuilder::makeURightShiftNode):
        (JSC::ASTBuilder::makeBitOrNode):
        (JSC::ASTBuilder::makeBitAndNode):
        (JSC::ASTBuilder::makeBitXOrNode):
        (JSC::ASTBuilder::createNumberExpr): Deleted.
        (JSC::ASTBuilder::createNumber): Deleted.
        The AST has some optimization to resolve constants before emitting bytecode.
        In the new code, the integer representation is kept if both operands were
        also represented as integers.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseDeconstructionPattern):
        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::parseGetterSetter):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        (JSC::Parser<LexerType>::printUnexpectedTokenText):
        * parser/ParserTokens.h:
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createDoubleExpr):
        (JSC::SyntaxChecker::createIntegerExpr):
        (JSC::SyntaxChecker::createNumberExpr): Deleted.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::registerName):
        (JSC::CodeBlock::constantName):
        Change constantName(r, getConstant(r)) -> constantName(r) to simplify
        the dump code.

        (JSC::CodeBlock::dumpBytecode):
        Dump the source representation information we have with each constant.

        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::shrinkToFit):
        (JSC::constantName): Deleted.
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::constantsSourceCodeRepresentation):
        (JSC::CodeBlock::addConstant):
        (JSC::CodeBlock::addConstantLazily):
        (JSC::CodeBlock::constantSourceCodeRepresentation):
        (JSC::CodeBlock::setConstantRegisters):

        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::addConstant):
        (JSC::UnlinkedCodeBlock::constantsSourceCodeRepresentation):
        (JSC::UnlinkedCodeBlock::shrinkToFit):

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addConstantValue):
        (JSC::BytecodeGenerator::emitLoad):
        * bytecompiler/BytecodeGenerator.h:
        We have to differentiate between constants that have the same values but are
        represented differently in the source. Values like 1.0 and 1 now end up
        as different constants.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::get):
        (JSC::DFG::ByteCodeParser::addConstantToGraph):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::registerFrozenValues):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addSpeculationMode):
        (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
        ArithAdd is very aggressive toward using Int52, which is quite useful
        in many benchmarks.

        Here we need to specialize to make sure we don't force our literals
        to Int52 if they were represented as double.

        There is one exception to that rule: when the other operand is guaranteed
        to come from a NodeResultInt32. This is because there is some weird code
        doing stuff like:
            var b = a|0;
            var c = b*2.0;

        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::setOpAndDefaultFlags):
        (JSC::DFG::Node::sourceCodeRepresentation):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * runtime/JSCJSValue.h:
        (JSC::EncodedJSValueWithRepresentationHashTraits::emptyValue):
        (JSC::EncodedJSValueWithRepresentationHashTraits::constructDeletedValue):
        (JSC::EncodedJSValueWithRepresentationHashTraits::isDeletedValue):
        (JSC::EncodedJSValueWithRepresentationHash::hash):
        (JSC::EncodedJSValueWithRepresentationHash::equal):
        * tests/stress/arith-add-with-constants.js: Added.
        * tests/stress/arith-mul-with-constants.js: Added.

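The rules the entry above describes (INTEGER vs DOUBLE tokens decided by how a literal is written, a constant pool that keeps 1 and 1.0 apart, folding that stays integer only for integer-written operands, and the Int32-operand exception to the Int52 bias), modelled as an added example that is not WebKit's code. Assumed, not stated by the entry: "ridiculously large" means not representable as int64, and a folded integer-written result stays integer only while its value is integral.

```cpp
// Added example, not WebKit's code: models the INTEGER/DOUBLE token split, the
// representation-aware constant pool and the Int52 speculation rule from the entry.
// Assumptions (mine): "ridiculously large" = not representable as int64; a folded
// result of two integer-written operands stays integer-like only if still integral.
#include <cmath>
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <map>
#include <string>
#include <utility>
#include <vector>

enum class SourceCodeRepresentation { Integer, Double };

struct NumberConstant {
    double value;
    SourceCodeRepresentation representation;
};

static bool isIntegerValue(double v)
{
    // Guard the int64 cast: converting an out-of-range double is undefined behaviour.
    if (!std::isfinite(v) || std::fabs(v) >= 9.2e18)
        return false;
    if (v == 0 && std::signbit(v))
        return false; // negative zero is one of the double-only signals
    return static_cast<double>(static_cast<int64_t>(v)) == v;
}

// Classifies a literal by how it is written, not by its value: a decimal point forces
// Double, an exponent alone ("12e3") stays Integer, and an oversized value is Double.
NumberConstant lexNumber(const std::string& literal)
{
    double value = std::strtod(literal.c_str(), nullptr);
    bool hasDecimalPoint = literal.find('.') != std::string::npos;
    if (hasDecimalPoint || !isIntegerValue(value))
        return { value, SourceCodeRepresentation::Double };
    return { value, SourceCodeRepresentation::Integer };
}

// Constant folding keeps the integer representation only when both operands were
// written as integers (and, by assumption, the folded value is still integral).
NumberConstant foldBinary(char op, NumberConstant a, NumberConstant b)
{
    double result = 0;
    switch (op) {
    case '+': result = a.value + b.value; break;
    case '-': result = a.value - b.value; break;
    case '*': result = a.value * b.value; break;
    case '/': result = a.value / b.value; break;
    }
    bool bothInteger = a.representation == SourceCodeRepresentation::Integer
        && b.representation == SourceCodeRepresentation::Integer;
    if (bothInteger && isIntegerValue(result))
        return { result, SourceCodeRepresentation::Integer };
    return { result, SourceCodeRepresentation::Double };
}

// Unary minus on integer 0 yields -0.0, which must become a Double constant.
NumberConstant negate(NumberConstant c)
{
    NumberConstant result { -c.value, c.representation };
    if (!isIntegerValue(result.value))
        result.representation = SourceCodeRepresentation::Double;
    return result;
}

// Constant pool keyed on (value bits, representation): 1 and 1.0 get distinct slots,
// and -0.0 does not collide with 0 because the key uses the raw bit pattern.
class ConstantPool {
public:
    size_t addConstant(NumberConstant c)
    {
        uint64_t bits;
        std::memcpy(&bits, &c.value, sizeof bits);
        Key key { bits, c.representation };
        auto it = m_index.find(key);
        if (it != m_index.end())
            return it->second;
        m_constants.push_back(c);
        m_index.emplace(key, m_constants.size() - 1);
        return m_constants.size() - 1;
    }
    size_t size() const { return m_constants.size(); }

private:
    using Key = std::pair<uint64_t, SourceCodeRepresentation>;
    std::map<Key, size_t> m_index;
    std::vector<NumberConstant> m_constants;
};

// Lexes each literal into one pool and reports how many distinct constants result.
size_t countDistinctConstants(const std::vector<std::string>& literals)
{
    ConstantPool pool;
    for (const std::string& literal : literals)
        pool.addConstant(lexNumber(literal));
    return pool.size();
}

enum class OperandType { KnownInt32, Unknown };
enum class Speculation { Integer, Double };

// "variable op literal": a double-written literal biases the node toward double,
// except when the other operand is known to produce an Int32 (e.g. `a|0`).
Speculation speculateArith(OperandType other, NumberConstant literal)
{
    if (literal.representation == SourceCodeRepresentation::Double && other != OperandType::KnownInt32)
        return Speculation::Double;
    return Speculation::Integer;
}
```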
2015-02-26  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out r180723. It broke a bunch of tests.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::constLocal):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ConstDeclNode::emitCodeSingle):
        * tests/stress/const-arguments.js: Removed.

2015-02-26  Mark Lam  <mark.lam@apple.com>

        Assertion fix for r180711: The bool returning form of BytecodeGenerator::addVar() can be removed.
        <https://webkit.org/b/142064>

        Reviewed by Joseph Pecoraro.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addVar):

2015-02-26  Mark Lam  <mark.lam@apple.com>

        MachineThreads::Thread clean up has a use after free race condition.
        <https://webkit.org/b/141990>

        Reviewed by Filip Pizlo.

        MachineThreads::Thread clean up relies on the clean up mechanism
        implemented in _pthread_tsd_cleanup_key(), which looks like this:

        void _pthread_tsd_cleanup_key(pthread_t self, pthread_key_t key)
        {
            void (*destructor)(void *);
            if (_pthread_key_get_destructor(key, &destructor)) {
                void **ptr = &self->tsd[key];
                void *value = *ptr;

            // === Start of window for the bug to manifest =================

                // At this point, this thread has cached "destructor" and "value"
                // (which is a MachineThreads*).  If the VM gets destructed (along
                // with its MachineThreads registry) by another thread, then this
                // thread will have no way of knowing that the MachineThreads* is
                // now pointing to freed memory.  Calling the destructor below will
                // therefore result in a use after free scenario when it tries to
                // access the MachineThreads' data members.

                if (value) {
                    *ptr = NULL;
                    if (destructor) {

            // === End of window for the bug to manifest ==================

                        destructor(value);
                    }
                }
            }
        }

        The fix is to add each active MachineThreads to an ActiveMachineThreadsManager,
        and always check if the manager still contains that MachineThreads object
        before we call removeCurrentThread() on it.  When MachineThreads is destructed,
        it will remove itself from the manager.  The add, remove, and checking
        operations are all synchronized on the manager's lock, thereby ensuring that
        the MachineThreads object, if found in the manager, will remain alive for the
        duration of time we call removeCurrentThread() on it.

        It's also possible for the MachineThreads object to already be destructed
        and another one to have been instantiated at the same address.
        Hence, we should only remove the exiting thread if it is found in the
        MachineThreads object.

        There is no test for this issue because this bug requires a race condition
        between 2 threads where:
        1. Thread B, which had previously used the VM, exiting and
           getting to the bug window shown in _pthread_tsd_cleanup_key() above.
        2. Thread A destructing the VM (and its MachineThreads object)
           within that window of time before Thread B calls the destructor.

        It is not possible to get a reliable test case without invasively
        instrumenting _pthread_tsd_cleanup_key() or MachineThreads::removeCurrentThread()
        to significantly increase that window of opportunity.

        * heap/MachineStackMarker.cpp:
        (JSC::ActiveMachineThreadsManager::Locker::Locker):
        (JSC::ActiveMachineThreadsManager::add):
        (JSC::ActiveMachineThreadsManager::remove):
        (JSC::ActiveMachineThreadsManager::contains):
        (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager):
        (JSC::activeMachineThreadsManager):
        (JSC::MachineThreads::MachineThreads):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::removeThread):
        (JSC::MachineThreads::removeThreadIfFound):
        (JSC::MachineThreads::removeCurrentThread): Deleted.
        * heap/MachineStackMarker.h:

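The registry-and-lock pattern the entry above describes (a lock-protected set of live MachineThreads objects that the TLS destructor consults before touching its cached pointer, plus the "only remove if found" rule for a reused address), as an added example that is not WebKit's code. The three scenario functions replay the interleavings sequentially instead of racing real threads; class and method names mirror the entry's file list but are my own simplified versions.

```cpp
// Added example, not WebKit's code: models the ActiveMachineThreadsManager fix from
// the entry above. A thread's TLS destructor runs with a cached MachineThreads* that
// may already be dangling if another thread destroyed the VM; the fix only touches the
// object if a lock-protected registry still lists it.
#include <cstdint>
#include <mutex>
#include <new>
#include <set>

class MachineThreads;

// Registry of live MachineThreads objects. Callers hold the manager's lock across
// contains() and the subsequent use of the object, so destruction (which needs the
// same lock to call remove()) cannot slip in between.
class ActiveMachineThreadsManager {
public:
    using Locker = std::lock_guard<std::mutex>;
    std::mutex& lock() { return m_lock; }
    void add(MachineThreads* t) { Locker l(m_lock); m_set.insert(t); }
    void remove(MachineThreads* t) { Locker l(m_lock); m_set.erase(t); }
    bool contains(MachineThreads* t) const { return m_set.count(t) != 0; } // lock held by caller
private:
    std::mutex m_lock;
    std::set<MachineThreads*> m_set;
};

static ActiveMachineThreadsManager& activeMachineThreadsManager()
{
    static ActiveMachineThreadsManager manager;
    return manager;
}

class MachineThreads {
public:
    using Locker = std::lock_guard<std::mutex>;
    MachineThreads() { activeMachineThreadsManager().add(this); }
    ~MachineThreads() { activeMachineThreadsManager().remove(this); }
    void addThread(uint64_t tid) { Locker l(m_lock); m_threads.insert(tid); }
    // Only removes a thread this object actually registered: the address may have been
    // reused by a different MachineThreads instance since the pointer was cached.
    bool removeThreadIfFound(uint64_t tid) { Locker l(m_lock); return m_threads.erase(tid) != 0; }
private:
    std::mutex m_lock;
    std::set<uint64_t> m_threads;
};

enum class CleanupResult { Removed, NotRegistered, Stale };

// What the TLS destructor does after the fix. `cached` is the pointer the exiting
// thread saw earlier; it is only compared, never dereferenced, until the registry
// confirms the object is still alive.
CleanupResult threadExitCleanup(MachineThreads* cached, uint64_t tid)
{
    ActiveMachineThreadsManager& manager = activeMachineThreadsManager();
    ActiveMachineThreadsManager::Locker locker(manager.lock());
    if (!manager.contains(cached))
        return CleanupResult::Stale;
    return cached->removeThreadIfFound(tid) ? CleanupResult::Removed : CleanupResult::NotRegistered;
}

// Scenario 1: the VM outlives the exiting thread; cleanup removes it normally.
CleanupResult scenarioNormal()
{
    MachineThreads vmThreads;
    vmThreads.addThread(7);
    return threadExitCleanup(&vmThreads, 7);
}

// Scenario 2: the bug window. Thread B cached the pointer, then thread A destroyed the
// VM. Before the fix this dereferenced freed memory; now the registry lookup fails.
CleanupResult scenarioVMDestroyedFirst()
{
    MachineThreads* vmThreads = new MachineThreads;
    vmThreads->addThread(7);
    MachineThreads* cachedByExitingThread = vmThreads; // TLS value held by thread B
    delete vmThreads;                                   // thread A tears down the VM
    return threadExitCleanup(cachedByExitingThread, 7); // pointer compared only
}

// Scenario 3: a new MachineThreads was constructed at the same address (forced here
// with placement new), so the registry does contain it, but thread 7 was never
// registered with the new object and must not be removed from it.
CleanupResult scenarioAddressReused()
{
    alignas(MachineThreads) unsigned char storage[sizeof(MachineThreads)];
    MachineThreads* first = new (storage) MachineThreads;
    first->addThread(7);
    MachineThreads* cached = first;
    first->~MachineThreads();
    MachineThreads* second = new (storage) MachineThreads; // same address as `first`
    second->addThread(9);
    CleanupResult result = threadExitCleanup(cached, 7);
    second->~MachineThreads();
    return result;
}

int main()
{
    return (scenarioNormal() == CleanupResult::Removed
        && scenarioVMDestroyedFirst() == CleanupResult::Stale
        && scenarioAddressReused() == CleanupResult::NotRegistered) ? 0 : 1;
}
```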
2015-02-26  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Save Console Evaluations into Command Line variables $1-$99 ($n)
        https://bugs.webkit.org/show_bug.cgi?id=142061

        Reviewed by Timothy Hatcher.

        * inspector/protocol/Debugger.json:
        * inspector/protocol/Runtime.json:
        Input flag "saveResult" on whether we should try to save a result.
        Output int "savedResultIndex" to tell the frontend the saved state.

        * inspector/InjectedScriptSource.js:
        Handle saving and clearing $1-$99 values.
        Include in BasicCommandLineAPI for JSContext inspection.

        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeEvalCall):
        * inspector/InjectedScriptBase.h:
        Allow an optional "savedResultIndex" out value on evals.

        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::evaluate):
        (Inspector::InjectedScript::evaluateOnCallFrame):
        * inspector/InjectedScript.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::evaluate):
        * inspector/agents/InspectorRuntimeAgent.h:
        Plumbing for new in and out parameters.

2015-02-26  Filip Pizlo  <fpizlo@apple.com>

        The bool returning form of BytecodeGenerator::addVar() can be removed
        https://bugs.webkit.org/show_bug.cgi?id=142064

        Reviewed by Mark Lam.

        It's easier to implement addVar() when you don't have to return whether it's a new
        variable or not.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addVar):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::addVar): Deleted.

2015-02-26  Filip Pizlo  <fpizlo@apple.com>

        Various array access corner cases should take OSR exit feedback
        https://bugs.webkit.org/show_bug.cgi?id=142056

        Reviewed by Geoffrey Garen.

        Two major changes here:

        - Don't keep converting GetById into GetArrayLength if we exited due to any kind of array
          type check.

        - Use a generic form of GetByVal/PutByVal if we exited due to any kind of exotic checks,
          like the Arguments safety checks. We use the "ExoticObjectMode" for out-of-bounds on
          arguments for now, since it's a convenient way of forcing out-of-bounds to be handled by
          the Generic array mode.

        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
        (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
        * tests/stress/array-length-array-storage-plain-object.js: Added.
        (foo):
        * tests/stress/array-length-plain-object.js: Added.
        (foo):

2015-02-25  Filip Pizlo  <fpizlo@apple.com>

        DFG SSA stack accesses shouldn't speak of VariableAccessDatas
        https://bugs.webkit.org/show_bug.cgi?id=142036

        Reviewed by Michael Saboff.

        VariableAccessData is a useful thing in LoadStore and ThreadedCPS, but it's purely harmful in
        SSA because you can't cook up new VariableAccessDatas. So, if you know that you want to load
        or store to the stack, and you know what format to use as well as the location, then prior to
        this patch you couldn't do it unless you found some existing VariableAccessData that matched
        your requirements. That can be a hard task.

        It's better if SSA doesn't speak of VariableAccessDatas but instead just has stack accesses
        that speak of the things that a stack access needs: local, machineLocal, and format. This
        patch changes the SSA way of accessing the stack to do just that.

        Also add more IR validation.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::isConcrete):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        * dfg/DFGMayExit.cpp:
        (JSC::DFG::mayExit):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::hasVariableAccessData):
        * dfg/DFGNode.h:
        (JSC::DFG::StackAccessData::StackAccessData):
        (JSC::DFG::StackAccessData::flushedAt):
        (JSC::DFG::Node::convertToPutStack):
        (JSC::DFG::Node::convertToGetStack):
        (JSC::DFG::Node::hasUnlinkedLocal):
        (JSC::DFG::Node::hasStackAccessData):
        (JSC::DFG::Node::stackAccessData):
        (JSC::DFG::Node::willHaveCodeGenOrOSR):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGPutLocalSinkingPhase.cpp: Removed.
        * dfg/DFGPutLocalSinkingPhase.h: Removed.
        * dfg/DFGPutStackSinkingPhase.cpp: Copied from Source/JavaScriptCore/dfg/DFGPutLocalSinkingPhase.cpp.
        (JSC::DFG::performPutStackSinking):
        (JSC::DFG::performPutLocalSinking): Deleted.
        * dfg/DFGPutStackSinkingPhase.h: Copied from Source/JavaScriptCore/dfg/DFGPutLocalSinkingPhase.h.
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
695         (JSC::DFG::SpeculativeJIT::compile):
696         * dfg/DFGSpeculativeJIT64.cpp:
697         (JSC::DFG::SpeculativeJIT::compile):
698         * dfg/DFGStackLayoutPhase.cpp:
699         (JSC::DFG::StackLayoutPhase::run):
700         * dfg/DFGValidate.cpp:
701         (JSC::DFG::Validate::validate):
702         (JSC::DFG::Validate::validateCPS):
703         (JSC::DFG::Validate::validateSSA):
704         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
705         (JSC::DFG::VirtualRegisterAllocationPhase::run):
706         * ftl/FTLCapabilities.cpp:
707         (JSC::FTL::canCompile):
708         * ftl/FTLLowerDFGToLLVM.cpp:
709         (JSC::FTL::LowerDFGToLLVM::lower):
710         (JSC::FTL::LowerDFGToLLVM::compileNode):
711         (JSC::FTL::LowerDFGToLLVM::compileGetStack):
712         (JSC::FTL::LowerDFGToLLVM::compilePutStack):
713         (JSC::FTL::LowerDFGToLLVM::compileGetLocal): Deleted.
714         (JSC::FTL::LowerDFGToLLVM::compilePutLocal): Deleted.
715         * ftl/FTLOSRExit.h:
716         * tests/stress/many-sunken-locals.js: Added. This failure mode was caught by some miscellaneous test, so I figured I should write an explicit test for it.
717         (foo):
718         (bar):
719         (baz):
720         (fuzz):
721         (buzz):
722
723 2015-02-26  Mark Lam  <mark.lam@apple.com>
724
725         Rolling out r180602, r180608, r180613, r180617, r180671.
726         <https://webkit.org/b/141990>
727
728         Not reviewed.
729
730         The r180602 solution does result in more work for GC when worker
731         threads are in use.  Filip is uncomfortable with that.
732         The EFL and GTK ports also seem to be unhappy with this change.
733         Rolling out while we investigate.
734
735         * heap/Heap.cpp:
736         (JSC::Heap::Heap):
737         (JSC::Heap::gatherStackRoots):
738         (JSC::Heap::machineThreads): Deleted.
739         * heap/Heap.h:
740         (JSC::Heap::machineThreads):
741         * heap/MachineStackMarker.cpp:
742         (JSC::MachineThreads::MachineThreads):
743         (JSC::MachineThreads::~MachineThreads):
744         (JSC::MachineThreads::addCurrentThread):
745         * heap/MachineStackMarker.h:
746         * runtime/JSLock.cpp:
747         (JSC::JSLock::didAcquireLock):
748
749 2015-02-26  Myles C. Maxfield  <mmaxfield@apple.com>
750
751         [Mac] [iOS] Parsing support for -apple-trailing-word
752         https://bugs.webkit.org/show_bug.cgi?id=141939
753
754         Reviewed by Andreas Kling.
755
756         * Configurations/FeatureDefines.xcconfig:
757
758 2015-02-26  Michael Saboff  <msaboff@apple.com>
759
760         [Win] Debug-only JavaScriptCore failures
761         https://bugs.webkit.org/show_bug.cgi?id=142045
762
763         Rubber stamped by Filip Pizlo.
764
765         Reduced loop count to a more reasonable value of 10,000.  This still gets us to tier up
766         to the FTL, but doesn't take too long to run.
767
768         * tests/stress/repeated-arity-check-fail.js:
769
770 2015-02-26  Brent Fulgham  <bfulgham@apple.com>
771
772         [Win] Make build logs more legible by reducing noise
773         https://bugs.webkit.org/show_bug.cgi?id=142034
774
775         Reviewed by Alexey Proskuryakov.
776
777         Modify batch files, makefiles, and DOS commands to remove
778         uninteresting/unhelpful output.
779
780         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
781         * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd:
782         * JavaScriptCore.vcxproj/copy-files.cmd:
783         * JavaScriptCore.vcxproj/jsc/jscLauncherPreBuild.cmd:
784         * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd:
785         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPreBuild.cmd:
786         * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd:
787         * JavaScriptCore.vcxproj/testapi/testapiLauncherPostBuild.cmd:
788         * JavaScriptCore.vcxproj/testapi/testapiLauncherPreBuild.cmd:
789         * JavaScriptCore.vcxproj/testapi/testapiPostBuild.cmd:
790         * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd:
791
792 2015-02-26  Csaba Osztrogonác  <ossy@webkit.org>
793
794         Add calleeSaveRegisters() implementation for ARM Traditional
795         https://bugs.webkit.org/show_bug.cgi?id=141903
796
797         Reviewed by Darin Adler.
798
799         * jit/RegisterSet.cpp:
800         (JSC::RegisterSet::calleeSaveRegisters):
801
802 2015-02-25  Michael Saboff  <msaboff@apple.com>
803
804         Web Inspector: CRASH when debugger pauses inside a Promise handler
805         https://bugs.webkit.org/show_bug.cgi?id=141396
806
807         Reviewed by Mark Lam.
808
809         For frames that don't have a scope, typically native frames, use the lexicalGlobalObject to
810         create the DebuggerScope for that frame.
811
812         * debugger/DebuggerCallFrame.cpp:
813         (JSC::DebuggerCallFrame::scope):
814
815 2015-02-25  Filip Pizlo  <fpizlo@apple.com>
816
817         DFG abstract heaps should respect the difference between heap and stack
818         https://bugs.webkit.org/show_bug.cgi?id=142022
819
820         Reviewed by Geoffrey Garen.
821         
822         We will soon (https://bugs.webkit.org/show_bug.cgi?id=141174) be in a world where a "world
823         clobbering" operation cannot write to our stack, but may be able to read from it. This
824         means that we need to change the DFG abstract heap hierarchy to have a notion of Heap that
825         subsumes all that World previously subsumed, and a new notion of Stack that is a subtype
826         of World and a sibling of Heap.
827
828         So, henceforth "clobbering the world" means reading World and writing Heap.
829         
830         This makes a bunch of changes to make this work, including changing the implementation of
831         disjointness in AbstractHeap to make it support a more general hierarchy. I was expecting
832         a slow-down, but I measured the heck out of this and found no perf difference.
833
834         * dfg/DFGAbstractHeap.cpp:
835         (JSC::DFG::AbstractHeap::dump):
836         * dfg/DFGAbstractHeap.h:
837         (JSC::DFG::AbstractHeap::supertype):
838         (JSC::DFG::AbstractHeap::isStrictSubtypeOf):
839         (JSC::DFG::AbstractHeap::isSubtypeOf):
840         (JSC::DFG::AbstractHeap::overlaps):
841         (JSC::DFG::AbstractHeap::isDisjoint):
842         * dfg/DFGClobberize.cpp:
843         (JSC::DFG::clobbersHeap):
844         (JSC::DFG::clobbersWorld): Deleted.
845         * dfg/DFGClobberize.h:
846         (JSC::DFG::clobberize):
847         * dfg/DFGDoesGC.cpp:
848         (JSC::DFG::doesGC):
849
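The hierarchy the entry above describes (World at the root, Heap and Stack as sibling subtypes, and "clobbering the world" meaning a read of World but a write of Heap only), as an added C++ example that is not WebKit's DFGAbstractHeap code: the leaf kinds NamedProperties, IndexedProperties, Arguments and Locals, and the function names, are assumptions made for illustration.

```cpp
#include <cassert>

// Added illustration, not JavaScriptCore's DFGAbstractHeap. World is the root;
// Heap and Stack are siblings under it. The leaf kinds are assumed names.
enum class HeapKind {
    World,
    Heap,              // everything a "world clobbering" operation may write
    NamedProperties,   // assumed child of Heap
    IndexedProperties, // assumed child of Heap
    Stack,             // the frame's stack slots; sibling of Heap, not under it
    Arguments,         // assumed child of Stack
    Locals,            // assumed child of Stack
    Invalid
};

// Parent of each kind in the hierarchy; World has no supertype.
HeapKind supertype(HeapKind kind)
{
    switch (kind) {
    case HeapKind::Heap:
    case HeapKind::Stack:
        return HeapKind::World;
    case HeapKind::NamedProperties:
    case HeapKind::IndexedProperties:
        return HeapKind::Heap;
    case HeapKind::Arguments:
    case HeapKind::Locals:
        return HeapKind::Stack;
    default:
        return HeapKind::Invalid;
    }
}

// Walk up the supertype chain looking for `other`.
bool isStrictSubtypeOf(HeapKind kind, HeapKind other)
{
    for (HeapKind current = supertype(kind); current != HeapKind::Invalid; current = supertype(current)) {
        if (current == other)
            return true;
    }
    return false;
}

bool isSubtypeOf(HeapKind kind, HeapKind other)
{
    return kind == other || isStrictSubtypeOf(kind, other);
}

// In a tree-shaped hierarchy two heaps overlap exactly when one contains the other.
bool overlaps(HeapKind a, HeapKind b)
{
    return isSubtypeOf(a, b) || isSubtypeOf(b, a);
}

bool isDisjoint(HeapKind a, HeapKind b)
{
    return !overlaps(a, b);
}

// The abstract read and write sets of one operation.
struct Effects {
    HeapKind reads;
    HeapKind writes;
};

// "Clobbering the world" after this change: reads World, writes only Heap.
Effects clobberWorld()
{
    return { HeapKind::World, HeapKind::Heap };
}

// A value previously read from `location` is invalidated by an effect only if
// the effect writes something that overlaps that location.
bool invalidatesRead(const Effects& effects, HeapKind location)
{
    return overlaps(effects.writes, location);
}

// A write to `location` that precedes an effect must stay before it if the
// effect may read that location.
bool writeMustPrecede(const Effects& effects, HeapKind location)
{
    return overlaps(effects.reads, location);
}

int main()
{
    // A stack read after a world-clobbering call keeps its value: Stack is disjoint from Heap.
    assert(!invalidatesRead(clobberWorld(), HeapKind::Stack));
    // A stack write before that call cannot be sunk past it: the call reads World, which contains Stack.
    assert(writeMustPrecede(clobberWorld(), HeapKind::Locals));
    // A heap read, by contrast, is killed by the call.
    assert(invalidatesRead(clobberWorld(), HeapKind::NamedProperties));
    return 0;
}
```

The two predicates at the bottom are the point of the split: with Stack no longer under Heap, a world-clobbering operation stops killing stack loads while still pinning stack stores, which is what the entry means by "reading World and writing Heap".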
850 2015-02-25  Ryosuke Niwa  <rniwa@webkit.org>
851
852         REGRESSION(r180595): construct varargs fails in FTL
853         https://bugs.webkit.org/show_bug.cgi?id=142030
854
855         Reviewed by Geoffrey Garen.
856
857         The bug was caused by IC size being too small for construct_varargs even though we've added a new argument.
858         Fixed the bug by increasing the IC size to match call_varargs.
859
860         * ftl/FTLInlineCacheSize.cpp:
861         (JSC::FTL::sizeOfConstructVarargs):
862
863 2015-02-25  Mark Lam  <mark.lam@apple.com>
864
865         ASan does not like JSC::MachineThreads::tryCopyOtherThreadStack.
866         <https://webkit.org/b/141672>
867
868         Reviewed by Alexey Proskuryakov.
869
870         ASan does not like the fact that we memcpy the stack for GC scans.  So,
871         we're working around this by using our own memcpy (asanUnsafeMemcpy)
872         implementation that we can tell ASan to ignore.
873
874         * heap/MachineStackMarker.cpp:
875         (JSC::asanUnsafeMemcpy):
876
877 2015-02-25  Benjamin Poulain  <bpoulain@apple.com>
878
879         CodeBlock crashes when dumping op_push_name_scope
880         https://bugs.webkit.org/show_bug.cgi?id=141953
881
882         Reviewed by Filip Pizlo and Csaba Osztrogonác.
883
884         * bytecode/CodeBlock.cpp:
885         (JSC::CodeBlock::dumpBytecode):
886         * tests/stress/op-push-name-scope-crashes-profiler.js: Added.
887
888 2015-02-25  Benjamin Poulain  <benjamin@webkit.org>
889
890         Make ParserError immutable by design
891         https://bugs.webkit.org/show_bug.cgi?id=141955
892
893         Reviewed by Geoffrey Garen.
894
895         This patch enforces that no field of ParserError can
896         be modified after the constructor.
897
898         * parser/ParserError.h:
899         Move the attributes to pack the integer + 2 bytes together.
900         This is irrelevant for memory impact, it is to remove a load-store
901         when copying by value.
902
903         Also move the attributes to be private.
904
905         (JSC::ParserError::isValid):
906         No client of the interface cared about the type of the error;
907         the only information needed was: is there an error.
908
909         (JSC::ParserError::ParserError):
910         (JSC::ParserError::syntaxErrorType):
911         (JSC::ParserError::token):
912         (JSC::ParserError::message):
913         (JSC::ParserError::line):
914         (JSC::ParserError::toErrorObject):
915         * API/JSScriptRef.cpp:
916         * builtins/BuiltinExecutables.cpp:
917         (JSC::BuiltinExecutables::createBuiltinExecutable):
918         * bytecode/UnlinkedCodeBlock.cpp:
919         (JSC::generateFunctionCodeBlock):
920         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
921         (JSC::UnlinkedFunctionExecutable::codeBlockFor):
922         * bytecode/UnlinkedCodeBlock.h:
923         * inspector/agents/InspectorRuntimeAgent.cpp:
924         (Inspector::InspectorRuntimeAgent::parse):
925         * jsc.cpp:
926         (runInteractive):
927         * parser/Parser.h:
928         (JSC::parse):
929         * runtime/CodeCache.cpp:
930         (JSC::CodeCache::getGlobalCodeBlock):
931         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
932         * runtime/CodeCache.h:
933         * runtime/Completion.h:
934         * runtime/Executable.cpp:
935         (JSC::ProgramExecutable::checkSyntax):
936         * runtime/JSGlobalObject.cpp:
937         (JSC::JSGlobalObject::createProgramCodeBlock):
938         (JSC::JSGlobalObject::createEvalCodeBlock):
939
940 2015-02-25  Filip Pizlo  <fpizlo@apple.com>
941
942         Need to pass RTLD_DEEPBIND to dlopen() to ensure that our LLVMOverrides take effect on Linux
943         https://bugs.webkit.org/show_bug.cgi?id=142006
944
945         Reviewed by Csaba Osztrogonác.
946
947         This fixes hard-to-reproduce concurrency-related crashes when running stress tests with FTL and
948         concurrent JIT enabled.
949
950         * llvm/InitializeLLVMPOSIX.cpp:
951         (JSC::initializeLLVMPOSIX):
952
953 2015-02-24  Filip Pizlo  <fpizlo@apple.com>
954
955         CMake build of libllvmForJSC.so should limit its export list like the Xcode build does
956         https://bugs.webkit.org/show_bug.cgi?id=141989
957
958         Reviewed by Gyuyoung Kim.
959
960         * CMakeLists.txt:
961         * llvm/library/libllvmForJSC.version: Added.
962
963 2015-02-24  Alexey Proskuryakov  <ap@apple.com>
964
965         More iOS build fix after r180602.
966
967         * heap/Heap.h: Export Heap::machineThreads().
968
969 2015-02-24  Brent Fulgham  <bfulgham@apple.com>
970
971         Unreviewed build fix after r180602.
972
973         * heap/MachineStackMarker.h: Add missing 'no return'
974         declaration for Windows.
975
976 2015-02-24  Commit Queue  <commit-queue@webkit.org>
977
978         Unreviewed, rolling out r180599.
979         https://bugs.webkit.org/show_bug.cgi?id=141998
980
981         Lots of new test failures (Requested by smfr on #webkit).
982
983         Reverted changeset:
984
985         "Parsing support for -webkit-trailing-word"
986         https://bugs.webkit.org/show_bug.cgi?id=141939
987         http://trac.webkit.org/changeset/180599
988
989 2015-02-24  Mark Lam  <mark.lam@apple.com>
990
991         MachineThreads::Thread clean up has a use after free race condition.
992         <https://webkit.org/b/141990>
993
994         Reviewed by Michael Saboff.
995
996         MachineThreads::Thread clean up relies on the clean up mechanism
997         implemented in _pthread_tsd_cleanup_key(), which looks like this:
998
999         void _pthread_tsd_cleanup_key(pthread_t self, pthread_key_t key)
1000         {
1001             void (*destructor)(void *);
1002             if (_pthread_key_get_destructor(key, &destructor)) {
1003                 void **ptr = &self->tsd[key];
1004                 void *value = *ptr;
1005
1006                 // At this point, this thread has cached "destructor" and "value"
1007                 // (which is a MachineThreads*).  If the VM gets destructed (along
1008                 // with its MachineThreads registry) by another thread, then this
1009                 // thread will have no way of knowing that the MachineThreads* is
1010                 // now pointing to freed memory.  Calling the destructor below will
1011                 // therefore result in a use after free scenario when it tries to
1012                 // access the MachineThreads' data members.
1013
1014                 if (value) {
1015                     *ptr = NULL;
1016                     if (destructor) {
1017                         destructor(value);
1018                     }
1019                 }
1020             }
1021         }
1022
1023         The solution is simply to change MachineThreads from a per-VM thread
1024         registry to a process-global singleton thread registry, i.e. the
1025         MachineThreads registry is now immortal and we cannot have a use after
1026         free scenario since we never free it.
1027
1028         The cost of this change is that all VM instances will have to scan
1029         stacks of all threads ever touched by a VM, and not just those that
1030         touched a specific VM.  However, stacks tend to be shallow.  Hence,
1031         those additional scans will tend to be cheap.
1032
1033         Secondly, it is not common for there to be multiple JSC VMs in use
1034         concurrently on multiple threads.  Hence, this cost should rarely
1035         manifest in real world applications.
1036
1037         * heap/Heap.cpp:
1038         (JSC::Heap::Heap):
1039         (JSC::Heap::machineThreads):
1040         (JSC::Heap::gatherStackRoots):
1041         * heap/Heap.h:
1042         (JSC::Heap::machineThreads): Deleted.
1043         * heap/MachineStackMarker.cpp:
1044         (JSC::MachineThreads::MachineThreads):
1045         (JSC::MachineThreads::~MachineThreads):
1046         (JSC::MachineThreads::addCurrentThread):
1047         * heap/MachineStackMarker.h:
1048         * runtime/JSLock.cpp:
1049         (JSC::JSLock::didAcquireLock):
1050
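The fix the entry above describes (a process-global, immortal thread registry, so that a thread's exit-time cleanup can never dereference a registry another thread has already freed), as an added C++ example that is not WebKit's MachineThreads implementation: it uses a thread_local object's destructor in place of the pthread TSD destructor quoted above, and the names ThreadRegistry, ThreadExitHook, VM and runWorkers are assumptions made for illustration.

```cpp
#include <cassert>
#include <cstddef>
#include <mutex>
#include <set>
#include <thread>
#include <vector>

// Added illustration, not WebKit's MachineThreads. The registry is a
// process-global singleton that is deliberately never freed, so the per-thread
// cleanup below always has a valid object to touch, whatever happened to the
// VMs that used the thread.
class ThreadRegistry {
public:
    // Leaked on purpose: the singleton outlives every VM and every thread.
    static ThreadRegistry& singleton()
    {
        static ThreadRegistry* registry = new ThreadRegistry;
        return *registry;
    }

    void addCurrentThread()
    {
        std::lock_guard<std::mutex> lock(m_lock);
        if (m_threads.insert(std::this_thread::get_id()).second)
            ++m_totalRegistrations;
    }

    void removeCurrentThread()
    {
        std::lock_guard<std::mutex> lock(m_lock);
        m_threads.erase(std::this_thread::get_id());
    }

    size_t liveThreadCount()
    {
        std::lock_guard<std::mutex> lock(m_lock);
        return m_threads.size();
    }

    size_t totalRegistrations()
    {
        std::lock_guard<std::mutex> lock(m_lock);
        return m_totalRegistrations;
    }

private:
    ThreadRegistry() = default;
    std::mutex m_lock;
    std::set<std::thread::id> m_threads;
    size_t m_totalRegistrations { 0 };
};

// Stand-in for the pthread TSD destructor in the entry above: runs at thread
// exit and touches only the immortal registry, never a per-VM object that
// another thread may have destroyed in the meantime.
struct ThreadExitHook {
    ~ThreadExitHook() { ThreadRegistry::singleton().removeCurrentThread(); }
};

// Models a VM: it records the calling thread in the shared registry but owns no
// registry of its own, so destroying it cannot invalidate any thread's cleanup.
class VM {
public:
    void didAcquireLock()
    {
        thread_local ThreadExitHook hook; // one per thread, created on first use
        (void)hook;
        ThreadRegistry::singleton().addCurrentThread();
    }
};

struct RunResult {
    size_t liveAfterJoin;   // threads still registered once all workers exited
    size_t totalRegistered; // threads that registered during this run
};

// Each worker touches a VM that is destroyed while the worker is still alive,
// the situation the entry describes; the worker's exit hook then unregisters it.
RunResult runWorkers(size_t workerCount)
{
    ThreadRegistry& registry = ThreadRegistry::singleton();
    size_t before = registry.totalRegistrations();
    std::vector<std::thread> workers;
    for (size_t i = 0; i < workerCount; ++i) {
        workers.emplace_back([] {
            VM* vm = new VM;
            vm->didAcquireLock();
            delete vm; // the VM dies first; the thread's cleanup still has a live registry
        });
    }
    for (auto& worker : workers)
        worker.join();
    return { registry.liveThreadCount(), registry.totalRegistrations() - before };
}

int main()
{
    RunResult result = runWorkers(4);
    assert(result.liveAfterJoin == 0);
    assert(result.totalRegistered == 4);
    return 0;
}
```

The cost the entry mentions is visible in the design: every VM shares one registry, so a scan walks every thread that ever touched any VM, not just the threads of the VM being collected.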
1051 2015-02-24  Myles C. Maxfield  <mmaxfield@apple.com>
1052
1053         [Mac] [iOS] Parsing support for -apple-trailing-word
1054         https://bugs.webkit.org/show_bug.cgi?id=141939
1055
1056         Reviewed by Andreas Kling.
1057
1058         * Configurations/FeatureDefines.xcconfig:
1059
1060 2015-02-24  Ryosuke Niwa  <rniwa@webkit.org>
1061
1062         Use "this" instead of "callee" to get the constructor
1063         https://bugs.webkit.org/show_bug.cgi?id=141019
1064
1065         Reviewed by Filip Pizlo.
1066
1067         This patch uses "this" register to pass the constructor (newTarget) to op_create_this from
1068         op_construct or op_construct_varargs. This will allow future patches that implement ES6 class
1069         to pass in the most derived class' constructor through "this" argument.
1070
1071         BytecodeGenerator's emitConstruct and emitConstructVarargs now pass thisRegister like
1072         regular calls, and emitCreateThis passes the this register to op_create_this as the constructor.
1073
1074         The rest of the code change removes the code for special-casing the "this" register not being used
1075         in calls to construct.
1076
1077         * bytecode/BytecodeUseDef.h:
1078         (JSC::computeUsesForBytecodeOffset):
1079         * bytecompiler/BytecodeGenerator.cpp:
1080         (JSC::BytecodeGenerator::emitCreateThis):
1081         (JSC::BytecodeGenerator::emitConstructVarargs):
1082         (JSC::BytecodeGenerator::emitConstruct):
1083         * bytecompiler/BytecodeGenerator.h:
1084         * bytecompiler/NodesCodegen.cpp:
1085         (JSC::NewExprNode::emitBytecode):
1086         * dfg/DFGByteCodeParser.cpp:
1087         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
1088         (JSC::DFG::ByteCodeParser::handleVarargsCall):
1089         (JSC::DFG::ByteCodeParser::emitArgumentPhantoms):
1090         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
1091         (JSC::DFG::ByteCodeParser::handleInlining):
1092         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1093         (JSC::DFG::ByteCodeParser::parseBlock):
1094         * dfg/DFGJITCode.cpp:
1095         (JSC::DFG::JITCode::reconstruct):
1096         * dfg/DFGSpeculativeJIT32_64.cpp:
1097         (JSC::DFG::SpeculativeJIT::emitCall):
1098         * dfg/DFGSpeculativeJIT64.cpp:
1099         (JSC::DFG::SpeculativeJIT::emitCall):
1100         * ftl/FTLJSCallVarargs.cpp:
1101         (JSC::FTL::JSCallVarargs::emit):
1102         * ftl/FTLLowerDFGToLLVM.cpp:
1103         (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
1104         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
1105         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
1106         * interpreter/Interpreter.cpp:
1107         (JSC::Interpreter::executeConstruct):
1108         * jit/JITOperations.cpp:
1109
1110 2015-02-24  Joseph Pecoraro  <pecoraro@apple.com>
1111
1112         Web Inspector: Make Getter/Setter RemoteObject property and ObjectPreview handling consistent
1113         https://bugs.webkit.org/show_bug.cgi?id=141587
1114
1115         Reviewed by Timothy Hatcher.
1116
1117         Convert getProperties(ownAndGetterProperties) to getDisplayableProperties().
1118         Mark PropertyDescriptors that are presumed to be native getters / bindings
1119         separately so that the frontend may display them differently.
1120
1121         * inspector/InjectedScript.cpp:
1122         (Inspector::InjectedScript::getProperties):
1123         (Inspector::InjectedScript::getDisplayableProperties):
1124         * inspector/InjectedScript.h:
1125         * inspector/InjectedScriptSource.js:
1126         * inspector/agents/InspectorRuntimeAgent.cpp:
1127         (Inspector::InspectorRuntimeAgent::getProperties):
1128         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
1129         * inspector/agents/InspectorRuntimeAgent.h:
1130         * inspector/protocol/Runtime.json:
1131
1132 2015-02-24  Mark Lam  <mark.lam@apple.com>
1133
1134         Rolling out r179753.  The fix was invalid.
1135         <https://webkit.org/b/141990>
1136
1137         Not reviewed.
1138
1139         * API/tests/testapi.mm:
1140         (threadMain):
1141         (useVMFromOtherThread): Deleted.
1142         (useVMFromOtherThreadAndOutliveVM): Deleted.
1143         * heap/Heap.cpp:
1144         (JSC::Heap::Heap):
1145         (JSC::Heap::~Heap):
1146         (JSC::Heap::gatherStackRoots):
1147         * heap/Heap.h:
1148         (JSC::Heap::machineThreads):
1149         * heap/MachineStackMarker.cpp:
1150         (JSC::MachineThreads::Thread::Thread):
1151         (JSC::MachineThreads::MachineThreads):
1152         (JSC::MachineThreads::~MachineThreads):
1153         (JSC::MachineThreads::addCurrentThread):
1154         (JSC::MachineThreads::removeThread):
1155         (JSC::MachineThreads::removeCurrentThread):
1156         * heap/MachineStackMarker.h:
1157
1158 2015-02-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1159
1160         Constructor returning null should construct an object instead of null
1161         https://bugs.webkit.org/show_bug.cgi?id=141640
1162
1163         Reviewed by Filip Pizlo.
1164
1165         When constructor code doesn't return an object, the constructor should return the `this` object instead.
1166         Since we used `op_is_object` for this check, and `op_is_object` is intended to be used for `typeof`,
1167         it allows `null` as an object.
1168         This patch fixes it by introducing a new bytecode, `op_is_object_or_null`, for the `typeof` use cases.
1169         Instead, the constructor uses the simplified `is_object`.
1170
1171         As a result, `op_is_object` becomes fairly simple. So we introduce an optimization for `op_is_object`.
1172
1173         1. LLInt and baseline JIT support `op_is_object` as a fast path.
1174         2. The DFG abstract interpreter supports `op_is_object`, and recognizes its speculated type and read-write effects.
1175         3. DFG introduces inlined asm for `op_is_object` rather than calling a C++ function.
1176         4. FTL lowers DFG's IsObject into LLVM IR.
1177
1178         And at the same time, this patch fixes the isString / isObject predicates used for `op_is_object` and others
1179         in LLInt, JIT, DFG and FTL.
1180         Before ES6 Symbol was introduced, JSCell was only used for objects and strings in the user-observable area.
1181         So in many places, when the cell is not an object, we recognize it as a string, and vice versa.
1182         However, now that ES6 Symbol is implemented as a JSCell, this assumption is broken.
1183         So this patch stops using !isString as isObject.
1184         To check whether a cell is an object, instead of checking that the structure ID of the cell is not stringStructure,
1185         we examine the typeInfo in JSCell.
1186
1187         * JavaScriptCore.order:
1188         * bytecode/BytecodeList.json:
1189         * bytecode/BytecodeUseDef.h:
1190         (JSC::computeUsesForBytecodeOffset):
1191         (JSC::computeDefsForBytecodeOffset):
1192         * bytecode/CodeBlock.cpp:
1193         (JSC::CodeBlock::dumpBytecode):
1194         * bytecode/PutByIdStatus.cpp:
1195         (JSC::PutByIdStatus::computeFor):
1196         * bytecompiler/BytecodeGenerator.cpp:
1197         (JSC::BytecodeGenerator::emitEqualityOp):
1198         (JSC::BytecodeGenerator::emitReturn):
1199         * dfg/DFGAbstractInterpreterInlines.h:
1200         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1201         * dfg/DFGByteCodeParser.cpp:
1202         (JSC::DFG::ByteCodeParser::parseBlock):
1203         * dfg/DFGCapabilities.cpp:
1204         (JSC::DFG::capabilityLevel):
1205         * dfg/DFGClobberize.h:
1206         (JSC::DFG::clobberize):
1207
1208         The IsObject operation only touches the JSCell typeInfoType,
1209         and this value would be changed through a structure transition.
1210         As a result, IsObject can report that it doesn't read any information.
1211
1212         * dfg/DFGConstantFoldingPhase.cpp:
1213         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1214         * dfg/DFGDoesGC.cpp:
1215         (JSC::DFG::doesGC):
1216         * dfg/DFGFixupPhase.cpp:
1217         (JSC::DFG::FixupPhase::fixupNode):
1218
1219         Just like IsString, IsObject is also fixed up.
1220
1221         * dfg/DFGHeapLocation.cpp:
1222         (WTF::printInternal):
1223         * dfg/DFGHeapLocation.h:
1224         * dfg/DFGNodeType.h:
1225         * dfg/DFGOperations.cpp:
1226         * dfg/DFGOperations.h:
1227         * dfg/DFGPredictionPropagationPhase.cpp:
1228         (JSC::DFG::PredictionPropagationPhase::propagate):
1229         * dfg/DFGSafeToExecute.h:
1230         (JSC::DFG::safeToExecute):
1231         * dfg/DFGSpeculativeJIT.cpp:
1232         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
1233         (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality):
1234         (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality):
1235         (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
1236         (JSC::DFG::SpeculativeJIT::speculateObject):
1237         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
1238         (JSC::DFG::SpeculativeJIT::speculateString):
1239         (JSC::DFG::SpeculativeJIT::speculateNotStringVar):
1240         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
1241         (JSC::DFG::SpeculativeJIT::emitSwitchString):
1242         (JSC::DFG::SpeculativeJIT::branchIsObject):
1243         (JSC::DFG::SpeculativeJIT::branchNotObject):
1244         (JSC::DFG::SpeculativeJIT::branchIsString):
1245         (JSC::DFG::SpeculativeJIT::branchNotString):
1246         * dfg/DFGSpeculativeJIT.h:
1247         * dfg/DFGSpeculativeJIT32_64.cpp:
1248         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1249         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1250         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1251         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1252         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1253         (JSC::DFG::SpeculativeJIT::compile):
1254         * dfg/DFGSpeculativeJIT64.cpp:
1255         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1256         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1257         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1258         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1259         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1260         (JSC::DFG::SpeculativeJIT::compile):
1261         * ftl/FTLCapabilities.cpp:
1262         (JSC::FTL::canCompile):
1263         * ftl/FTLLowerDFGToLLVM.cpp:
1264         (JSC::FTL::LowerDFGToLLVM::compileNode):
1265         (JSC::FTL::LowerDFGToLLVM::compileToString):
1266         (JSC::FTL::LowerDFGToLLVM::compileIsObject):
1267         (JSC::FTL::LowerDFGToLLVM::compileIsObjectOrNull):
1268         (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
1269         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
1270         (JSC::FTL::LowerDFGToLLVM::isObject):
1271         (JSC::FTL::LowerDFGToLLVM::isNotObject):
1272         (JSC::FTL::LowerDFGToLLVM::isNotString):
1273         (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
1274         * jit/JIT.cpp:
1275         (JSC::JIT::privateCompileMainPass):
1276         * jit/JIT.h:
1277         * jit/JITInlines.h:
1278         (JSC::JIT::emitJumpIfCellObject):
1279         * jit/JITOpcodes.cpp:
1280         (JSC::JIT::emit_op_is_object):
1281         (JSC::JIT::emit_op_to_primitive):
1282         * jit/JITOpcodes32_64.cpp:
1283         (JSC::JIT::emit_op_is_object):
1284         (JSC::JIT::emit_op_to_primitive):
1285         (JSC::JIT::compileOpStrictEq):
1286         * llint/LowLevelInterpreter.asm:
1287         * llint/LowLevelInterpreter32_64.asm:
1288         * llint/LowLevelInterpreter64.asm:
1289         * runtime/CommonSlowPaths.cpp:
1290         (JSC::SLOW_PATH_DECL):
1291         * runtime/CommonSlowPaths.h:
1292         * runtime/Operations.cpp:
1293         (JSC::jsIsObjectTypeOrNull):
1294         (JSC::jsIsObjectType): Deleted.
1295         * runtime/Operations.h:
1296         * tests/stress/constructor-with-return.js: Added.
1297         (Test):
1298
1299         When a constructor doesn't return an object, `this` should be returned instead.
1300         In this test, we check all primitives, and test objects, arrays and wrappers.
1301
1302         * tests/stress/dfg-to-primitive-pass-symbol.js: Added.
1303         (toPrimitiveTarget):
1304         (doToPrimitive):
1305
1306         The op_to_primitive operation passes Symbol in the fast path.
1307
1308 2015-02-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1309
1310         REGRESSION(r179429): Can't type comments in Facebook
1311         https://bugs.webkit.org/show_bug.cgi?id=141859
1312
1313         Reviewed by Brent Fulgham.
1314
1315         When window.Symbol is exposed to user-space pages,
1316         Facebook's JavaScript uses it (maybe for immutable-js and React.js's unique key).
1317         However, to work with Symbols completely, it also requires
1318         1) Object.getOwnPropertySymbols (for mixin including Symbols)
1319         2) the latest ES6 Iterator interface that uses Iterator.next and returns { done: boolean, value: value }.
1320         Since they have not landed yet, comments in Facebook don't work.
1321
1322         This patch introduces RuntimeFlags for JavaScriptCore.
1323         The SymbolEnabled flag is specified under the test runner and inspector so that they continue to work with Symbol,
1324         and the JavaScriptExperimentsEnabled flag is dropped
1325         because it is no longer used and its use case is duplicated by runtime flags.
1326
1327         * JavaScriptCore.order:
1328         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1329         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1330         * JavaScriptCore.xcodeproj/project.pbxproj:
1331         * jsc.cpp:
1332         (GlobalObject::javaScriptRuntimeFlags):
1333         (GlobalObject::javaScriptExperimentsEnabled): Deleted.
1334         * runtime/JSGlobalObject.cpp:
1335         (JSC::JSGlobalObject::JSGlobalObject):
1336         (JSC::JSGlobalObject::init):
1337         * runtime/JSGlobalObject.h:
1338         (JSC::JSGlobalObject::finishCreation):
1339         (JSC::JSGlobalObject::javaScriptRuntimeFlags):
1340         (JSC::JSGlobalObject::javaScriptExperimentsEnabled): Deleted.
1341         * runtime/RuntimeFlags.h: Added.
1342         (JSC::RuntimeFlags::RuntimeFlags):
1343         (JSC::RuntimeFlags::createAllEnabled):
1344
1345 2015-02-23  Filip Pizlo  <fpizlo@apple.com>
1346
1347         Our bizarre behavior on Arguments::defineOwnProperty should be deliberate rather than a spaghetti incident
1348         https://bugs.webkit.org/show_bug.cgi?id=141951
1349
1350         Reviewed by Benjamin Poulain.
1351         
1352         This patch has no behavioral change, but it simplifies a bunch of wrong code. The code is
1353         still wrong in exactly the same way, but at least it's obvious what's going on. The wrongness
1354         is covered by this bug: https://bugs.webkit.org/show_bug.cgi?id=141952.
1355
1356         * runtime/Arguments.cpp:
1357         (JSC::Arguments::copyBackingStore): We should only see the arguments token; assert otherwise. This works because if the GC sees the butterfly token it calls the JSObject::copyBackingStore method directly.
1358         (JSC::Arguments::defineOwnProperty): Make our bizarre behavior deliberate rather than an accident of a decade of patches.
1359         * tests/stress/arguments-bizarre-behavior.js: Added.
1360         (foo):
1361         * tests/stress/arguments-bizarre-behaviour-disable-enumerability.js: Added. My choice of spellings of the word "behavio[u]r" is almost as consistent as our implementation of arguments.
1362         (foo):
1363         * tests/stress/arguments-custom-properties-gc.js: Added. I added this test because at first I was unsure if we GCd arguments correctly.
1364         (makeBaseArguments):
1365         (makeArray):
1366         (cons):
1367
1368 2015-02-23  Commit Queue  <commit-queue@webkit.org>
1369
1370         Unreviewed, rolling out r180547 and r180550.
1371         https://bugs.webkit.org/show_bug.cgi?id=141957
1372
1373         Broke 10 Windows tests. (Requested by bfulgham_ on #webkit).
1374
1375         Reverted changesets:
1376
1377         "REGRESSION(r179429): Can't type comments in Facebook"
1378         https://bugs.webkit.org/show_bug.cgi?id=141859
1379         http://trac.webkit.org/changeset/180547
1380
1381         "Constructor returning null should construct an object instead
1382         of null"
1383         https://bugs.webkit.org/show_bug.cgi?id=141640
1384         http://trac.webkit.org/changeset/180550
1385
1386 2015-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1387
1388         Constructor returning null should construct an object instead of null
1389         https://bugs.webkit.org/show_bug.cgi?id=141640
1390
1391         Reviewed by Geoffrey Garen.
1392
1393         When constructor code doesn't return an object, the constructor should return the `this` object instead.
1394         Since we used `op_is_object` for this check and `op_is_object` is intended to be used for `typeof`,
1395         it allows `null` as an object.
1396         This patch fixes it by introducing a new bytecode `op_is_object_or_null` for `typeof` use cases.
1397         Instead, the constructor uses the simplified `is_object`.
1398
1399         As a result, `op_is_object` becomes fairly simple. So we introduce an optimization for `op_is_object`.
1400
1401         1. LLInt and baseline JIT support `op_is_object` as a fast path.
1402         2. The DFG abstract interpreter supports `op_is_object`, and recognizes its speculated type and read-write effects.
1403         3. DFG introduces inlined asm for `op_is_object` rather than calling a C++ function.
1404         4. FTL lowers DFG's IsObject into LLVM IR.
1405
1406         And at the same time, this patch fixes the isString / isObject predicates used for `op_is_object` and others
1407         in LLInt, JIT, DFG and FTL.
1408         Before introducing ES6 Symbol, JSCell was only used for objects and strings in the user-observable area.
1409         So in many places, when the cell is not an object, we recognize it as a string, and vice versa.
1410         However, now that ES6 Symbol is implemented as a JSCell, this assumption is broken.
1411         So this patch stops using !isString as isObject.
1412         To check whether a cell is an object, instead of seeing that the structure ID of a cell is not stringStructure,
1413         we examine the typeInfo in JSCell.
1414
1415         * JavaScriptCore.order:
1416         * bytecode/BytecodeList.json:
1417         * bytecode/BytecodeUseDef.h:
1418         (JSC::computeUsesForBytecodeOffset):
1419         (JSC::computeDefsForBytecodeOffset):
1420         * bytecode/CodeBlock.cpp:
1421         (JSC::CodeBlock::dumpBytecode):
1422         * bytecode/PutByIdStatus.cpp:
1423         (JSC::PutByIdStatus::computeFor):
1424         * bytecompiler/BytecodeGenerator.cpp:
1425         (JSC::BytecodeGenerator::emitEqualityOp):
1426         (JSC::BytecodeGenerator::emitReturn):
1427         * dfg/DFGAbstractInterpreterInlines.h:
1428         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1429         * dfg/DFGByteCodeParser.cpp:
1430         (JSC::DFG::ByteCodeParser::parseBlock):
1431         * dfg/DFGCapabilities.cpp:
1432         (JSC::DFG::capabilityLevel):
1433         * dfg/DFGClobberize.h:
1434         (JSC::DFG::clobberize):
1435
1436         The IsObject operation only touches JSCell's typeInfoType,
1437         and this value is not changed through structure transitions.
1438         As a result, IsObject can report that it doesn't read any information.
1439
1440         * dfg/DFGDoesGC.cpp:
1441         (JSC::DFG::doesGC):
1442         * dfg/DFGFixupPhase.cpp:
1443         (JSC::DFG::FixupPhase::fixupNode):
1444
1445         Just like IsString, IsObject is also fixed up.
1446
1447         * dfg/DFGHeapLocation.cpp:
1448         (WTF::printInternal):
1449         * dfg/DFGHeapLocation.h:
1450         * dfg/DFGNodeType.h:
1451         * dfg/DFGOperations.cpp:
1452         * dfg/DFGOperations.h:
1453         * dfg/DFGPredictionPropagationPhase.cpp:
1454         (JSC::DFG::PredictionPropagationPhase::propagate):
1455         * dfg/DFGSafeToExecute.h:
1456         (JSC::DFG::safeToExecute):
1457         * dfg/DFGSpeculativeJIT.cpp:
1458         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
1459         (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality):
1460         (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality):
1461         (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
1462         (JSC::DFG::SpeculativeJIT::speculateObject):
1463         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
1464         (JSC::DFG::SpeculativeJIT::speculateString):
1465         (JSC::DFG::SpeculativeJIT::speculateNotStringVar):
1466         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
1467         (JSC::DFG::SpeculativeJIT::emitSwitchString):
1468         (JSC::DFG::SpeculativeJIT::branchIsObject):
1469         (JSC::DFG::SpeculativeJIT::branchNotObject):
1470         (JSC::DFG::SpeculativeJIT::branchIsString):
1471         (JSC::DFG::SpeculativeJIT::branchNotString):
1472         * dfg/DFGSpeculativeJIT.h:
1473         * dfg/DFGSpeculativeJIT32_64.cpp:
1474         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1475         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1476         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1477         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1478         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1479         (JSC::DFG::SpeculativeJIT::compile):
1480         * dfg/DFGSpeculativeJIT64.cpp:
1481         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1482         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1483         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1484         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1485         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1486         (JSC::DFG::SpeculativeJIT::compile):
1487         * ftl/FTLCapabilities.cpp:
1488         (JSC::FTL::canCompile):
1489         * ftl/FTLLowerDFGToLLVM.cpp:
1490         (JSC::FTL::LowerDFGToLLVM::compileNode):
1491         (JSC::FTL::LowerDFGToLLVM::compileToString):
1492         (JSC::FTL::LowerDFGToLLVM::compileIsObject):
1493         (JSC::FTL::LowerDFGToLLVM::compileIsObjectOrNull):
1494         (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
1495         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
1496         (JSC::FTL::LowerDFGToLLVM::isObject):
1497         (JSC::FTL::LowerDFGToLLVM::isNotObject):
1498         (JSC::FTL::LowerDFGToLLVM::isNotString):
1499         (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
1500         * jit/JIT.cpp:
1501         (JSC::JIT::privateCompileMainPass):
1502         * jit/JIT.h:
1503         * jit/JITInlines.h:
1504         (JSC::JIT::emitJumpIfCellObject):
1505         * jit/JITOpcodes.cpp:
1506         (JSC::JIT::emit_op_is_object):
1507         (JSC::JIT::emit_op_to_primitive):
1508         * jit/JITOpcodes32_64.cpp:
1509         (JSC::JIT::emit_op_is_object):
1510         (JSC::JIT::emit_op_to_primitive):
1511         (JSC::JIT::compileOpStrictEq):
1512         * llint/LowLevelInterpreter.asm:
1513         * llint/LowLevelInterpreter32_64.asm:
1514         * llint/LowLevelInterpreter64.asm:
1515         * runtime/CommonSlowPaths.cpp:
1516         (JSC::SLOW_PATH_DECL):
1517         * runtime/CommonSlowPaths.h:
1518         * runtime/Operations.cpp:
1519         (JSC::jsIsObjectTypeOrNull):
1520         (JSC::jsIsObjectType): Deleted.
1521         * runtime/Operations.h:
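
        The two predicates the entry above separates can be observed from script. The following is an added example, not WebKit code: `typeof v === "object"` is the "object or null" test (null passes, symbols and functions do not), while the [[Construct]] return rule uses the strict "is object" test, so a constructor that returns null, a primitive or a symbol hands back `this`. The helper names (isObjectOrNull, isObject, constructAndClassify, constructorReturnTable) are this example's own.

```javascript
// Added example (not from the WebKit tree): observe the "object or null" versus
// "is object" distinction from JavaScript, and check that constructor return
// handling follows the strict predicate.

// "object or null": what a `typeof x === "object"` check observes.
// null passes; symbols ("symbol") and callables ("function") do not.
function isObjectOrNull(v) {
  return typeof v === "object";
}

// "is object" in the ECMAScript sense (Type(v) is Object): null and symbols
// are excluded, callables are included.
function isObject(v) {
  return v !== null && (typeof v === "object" || typeof v === "function");
}

// Construct with a constructor whose body ends in `return value`, and report
// whether `new` gave back the tagged `this` or the returned value.
function constructAndClassify(value) {
  function Ctor() {
    this.tag = "this";
    return value;
  }
  const result = new Ctor();
  return result instanceof Ctor && result.tag === "this" ? "this" : "returned";
}

// One row per sample value (constructed inline): both predicates plus the
// observed construct behaviour.
function constructorReturnTable() {
  const samples = {
    "null": null,
    "number": 42,
    "string": "str",
    "symbol": Symbol("s"),
    "object": { a: 1 },
    "array": [1, 2],
    "function": function () {},
  };
  const table = {};
  for (const [name, v] of Object.entries(samples)) {
    table[name] = {
      objectOrNull: isObjectOrNull(v),
      object: isObject(v),
      construct: constructAndClassify(v),
    };
  }
  return table;
}

// A conforming engine replaces `this` exactly when isObject(value) holds.
// Returns true when every row agrees with that rule.
function constructMatchesIsObject() {
  return Object.values(constructorReturnTable()).every(
    (row) => (row.construct === "returned") === row.object
  );
}
```

The `symbol` row is the case the entry is about: a symbol is a cell in the engine but not an object, so treating "not a string" as "object" would have let `return Symbol()` override `this`.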
1522
1523 2015-02-23  Ryosuke Niwa  <rniwa@webkit.org>
1524
1525         Disable font loading events until our implementation gets updated to match the latest spec
1526         https://bugs.webkit.org/show_bug.cgi?id=141938
1527
1528         Reviewed by Andreas Kling.
1529
1530         * Configurations/FeatureDefines.xcconfig:
1531
1532 2015-02-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1533
1534         REGRESSION(r179429): Can't type comments in Facebook
1535         https://bugs.webkit.org/show_bug.cgi?id=141859
1536
1537         Reviewed by Geoffrey Garen.
1538
1539         When window.Symbol is exposed to user-space pages,
1540         Facebook's JavaScript uses it (maybe, for immutable-js and React.js's unique key).
1541         However, to work with Symbols completely, it also requires
1542         1) Object.getOwnPropertySymbols (for mixin including Symbols)
1543         2) the latest ES6 Iterator interface that uses Iterator.next, which returns { done: boolean, value: value }.
1544         Since they have not landed yet, comments in Facebook don't work.
1545
1546         This patch introduces RuntimeFlags for JavaScriptCore.
1547         Specifying the SymbolEnabled flag under the test runner and inspector allows them to continue working with Symbol.
1548         It also drops the JavaScriptExperimentsEnabled flag
1549         because it is no longer used and its use case is duplicated by runtime flags.
1550
1551         * JavaScriptCore.order:
1552         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1553         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1554         * JavaScriptCore.xcodeproj/project.pbxproj:
1555         * jsc.cpp:
1556         (GlobalObject::javaScriptRuntimeFlags):
1557         (GlobalObject::javaScriptExperimentsEnabled): Deleted.
1558         * runtime/JSGlobalObject.cpp:
1559         (JSC::JSGlobalObject::JSGlobalObject):
1560         (JSC::JSGlobalObject::init):
1561         * runtime/JSGlobalObject.h:
1562         (JSC::JSGlobalObject::finishCreation):
1563         (JSC::JSGlobalObject::javaScriptRuntimeFlags):
1564         (JSC::JSGlobalObject::javaScriptExperimentsEnabled): Deleted.
1565         * runtime/RuntimeFlags.h: Added.
1566         (JSC::RuntimeFlags::RuntimeFlags):
1567         (JSC::RuntimeFlags::createAllEnabled):
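
        The entry above names two capabilities a page needs besides `window.Symbol` before Symbol-based code works end to end: Object.getOwnPropertySymbols for mixins that carry symbol-keyed members, and the iterator protocol whose next() returns { done, value } objects. The following is an added example, not WebKit code, showing both in the way a feature-detecting library would use them; the names mixin, drain and symbolSupportReport are this example's own.

```javascript
// Added example (not from the WebKit tree): the two Symbol-related capabilities
// the entry above describes, exercised the way page code would rely on them.

// 1) A mixin that must carry symbol-keyed members across. Object.keys only
//    sees string keys; Object.getOwnPropertySymbols supplies the rest.
function mixin(target, source) {
  for (const key of Object.keys(source)) {
    target[key] = source[key];
  }
  for (const sym of Object.getOwnPropertySymbols(source)) {
    target[sym] = source[sym];
  }
  return target;
}

// 2) The ES6 iterator protocol: obtain the iterator through Symbol.iterator and
//    consume it with next(), validating that each step is a { done, value } object.
function drain(iterable) {
  const it = iterable[Symbol.iterator]();
  const out = [];
  for (;;) {
    const step = it.next();
    if (step === null || typeof step !== "object" || typeof step.done !== "boolean") {
      throw new TypeError("iterator result must be an object with a boolean done");
    }
    if (step.done) {
      return out;
    }
    out.push(step.value);
  }
}

// Report which of the pieces are present in the running engine. `typeof` on an
// undeclared global is safe, so this works even where Symbol does not exist.
function symbolSupportReport() {
  const hasSymbol = typeof Symbol === "function";
  const hasGetOwnPropertySymbols = typeof Object.getOwnPropertySymbols === "function";
  let iteratorProtocolOk = false;
  if (hasSymbol && typeof Symbol.iterator === "symbol") {
    try {
      // Constructed sample input: an array and a Set, both iterable.
      iteratorProtocolOk =
        drain([1, 2, 3]).join(",") === "1,2,3" && drain(new Set(["a", "b"])).length === 2;
    } catch (e) {
      iteratorProtocolOk = false;
    }
  }
  return {
    hasSymbol,
    hasGetOwnPropertySymbols,
    iteratorProtocolOk,
    complete: hasSymbol && hasGetOwnPropertySymbols && iteratorProtocolOk,
  };
}
```

A library that only checks `typeof Symbol === "function"` and then assumes the rest is the situation the entry describes; checking each piece separately, as symbolSupportReport does, is what lets such code fall back cleanly on an engine that exposes Symbol ahead of the companion APIs.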
1568
1569 2015-02-23  Benjamin Poulain  <bpoulain@apple.com>
1570
1571         Set the semantic origin of delayed SetLocal to the Bytecode that originated it
1572         https://bugs.webkit.org/show_bug.cgi?id=141727
1573
1574         Reviewed by Filip Pizlo.
1575
1576         Previously, delayed SetLocals would have the NodeOrigin of the next
1577         bytecode. This was because delayed SetLocal are...delayed... and
1578         currentCodeOrigin() is the one where the node is emitted.
1579
1580         This made debugging a little awkward since the OSR exits on SetLocal
1581         were reported for the next bytecode. This patch changes the semantic
1582         origin to keep the original bytecode.
1583
1584         From benchmarks, this looks like it could be a tiny bit faster
1585         but it is likely just noise.
1586
1587         * dfg/DFGByteCodeParser.cpp:
1588         (JSC::DFG::ByteCodeParser::setDirect):
1589         (JSC::DFG::ByteCodeParser::setLocal):
1590         (JSC::DFG::ByteCodeParser::setArgument):
1591         (JSC::DFG::ByteCodeParser::currentNodeOrigin):
1592         (JSC::DFG::ByteCodeParser::addToGraph):
1593         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
1594         (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute):
1595
1596 2015-02-23  Benjamin Poulain  <bpoulain@apple.com>
1597
1598         Remove DFGNode::predictHeap()
1599         https://bugs.webkit.org/show_bug.cgi?id=141864
1600
1601         Reviewed by Geoffrey Garen.
1602
1603         * dfg/DFGNode.h:
1604         (JSC::DFG::Node::predictHeap): Deleted.
1605         Unused code.
1606
1607 2015-02-23  Filip Pizlo  <fpizlo@apple.com>
1608
1609         Get rid of JSLexicalEnvironment::argumentsGetter
1610         https://bugs.webkit.org/show_bug.cgi?id=141930
1611
1612         Reviewed by Mark Lam.
1613         
1614         This function is unused, and the way it's written is bizarre - it's a return statement that
1615         dominates a bunch of dead code.
1616
1617         * runtime/JSLexicalEnvironment.cpp:
1618         (JSC::JSLexicalEnvironment::argumentsGetter): Deleted.
1619         * runtime/JSLexicalEnvironment.h:
1620
1621 2015-02-23  Filip Pizlo  <fpizlo@apple.com>
1622
1623         Remove unused activationCount and allTheThingsCount variable declarations.
1624
1625         Rubber stamped by Mark Lam and Michael Saboff.
1626
1627         * runtime/JSLexicalEnvironment.h:
1628
1629 2015-02-23  Saam Barati  <saambarati1@gmail.com>
1630
1631         Adjust the ranges of basic block statements in JSC's control flow profiler to be mutually exclusive
1632         https://bugs.webkit.org/show_bug.cgi?id=141095
1633
1634         Reviewed by Mark Lam.
1635
1636         Suppose the control flow of a program forms basic block A with successor block
1637         B. A's end offset will be the *same* as B's start offset in the current architecture 
1638         of the control flow profiler. This makes reasoning about the text offsets of
1639         the control flow profiler unsound. To make reasoning about offsets sound, all 
1640         basic block ranges should be mutually exclusive.  All calls to emitProfileControlFlow 
1641         now pass in the *start* of a basic block as the text offset argument. This simplifies 
1642         all calls to emitProfileControlFlow because the previous implementation had a
1643         lot of edge cases for getting the desired basic block text boundaries.
1644
1645         This patch also ensures that the basic block boundary of a block statement 
1646         is exactly the block's open and close brace offsets (inclusive). For example,
1647         in if/for/while statements. This also has the consequence that for statements 
1648         like "if (cond) foo();", the whitespace preceding "foo()" is not part of 
1649         the "foo()" basic block, but instead is part of the "if (cond) " basic block. 
1650         This is okay because these text offsets aren't meant to be human readable.
1651         Instead, they reflect the text offsets of JSC's AST nodes. The Web Inspector 
1652         is the only client of this API and user of these text offsets and it is 
1653         not negatively affected by this new behavior.
1654
1655         * bytecode/CodeBlock.cpp:
1656         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
1657         When computing basic block boundaries in CodeBlock, we ensure that every
1658         block's end offset is one less than its successor's start offset to
1659         maintain that boundaries' ranges should be mutually exclusive.
1660
1661         * bytecompiler/BytecodeGenerator.cpp:
1662         (JSC::BytecodeGenerator::BytecodeGenerator):
1663         Because the control flow profiler needs to know which functions
1664         have executed, we can't lazily create functions. This was a bug 
1665         from before that was hidden because the Type Profiler was always 
1666         enabled when the control flow profiler was enabled when profiling 
1667         was turned on from the Web Inspector. But, JSC allows for Control 
1668         Flow profiling to be turned on without Type Profiling, so we need 
1669         to ensure the Control Flow profiler has all the data it needs.
1670
1671         * bytecompiler/NodesCodegen.cpp:
1672         (JSC::ConditionalNode::emitBytecode):
1673         (JSC::IfElseNode::emitBytecode):
1674         (JSC::WhileNode::emitBytecode):
1675         (JSC::ForNode::emitBytecode):
1676         (JSC::ForInNode::emitMultiLoopBytecode):
1677         (JSC::ForOfNode::emitBytecode):
1678         (JSC::TryNode::emitBytecode):
1679         * jsc.cpp:
1680         (functionHasBasicBlockExecuted):
1681         We now assert that the substring argument is indeed a substring
1682         of the function argument's text because subtle bugs could be
1683         introduced otherwise.
1684
1685         * parser/ASTBuilder.h:
1686         (JSC::ASTBuilder::setStartOffset):
1687         * parser/Nodes.h:
1688         (JSC::Node::setStartOffset):
1689         * parser/Parser.cpp:
1690         (JSC::Parser<LexerType>::parseBlockStatement):
1691         (JSC::Parser<LexerType>::parseStatement):
1692         (JSC::Parser<LexerType>::parseMemberExpression):
1693         For the various function call AST nodes, their m_position member 
1694         variable is now the start of the entire function call expression 
1695         and not at the start of the open paren of the arguments list.
1696
1697         * runtime/BasicBlockLocation.cpp:
1698         (JSC::BasicBlockLocation::getExecutedRanges):
1699         * runtime/ControlFlowProfiler.cpp:
1700         (JSC::ControlFlowProfiler::getBasicBlocksForSourceID):
1701         Function ranges inserted as gaps should follow the same criteria
1702         that the bytecode generator uses to ensure that basic blocks
1703         start and end offsets are mutually exclusive.
1704
1705         * tests/controlFlowProfiler/brace-location.js: Added.
1706         (foo):
1707         (bar):
1708         (baz):
1709         (testIf):
1710         (testForRegular):
1711         (testForIn):
1712         (testForOf):
1713         (testWhile):
1714         (testIfNoBraces):
1715         (testForRegularNoBraces):
1716         (testForInNoBraces):
1717         (testForOfNoBraces):
1718         (testWhileNoBraces):
1719         * tests/controlFlowProfiler/conditional-expression.js: Added.
1720         (foo):
1721         (bar):
1722         (baz):
1723         (testConditionalBasic):
1724         (testConditionalFunctionCall):
1725         * tests/controlFlowProfiler/driver/driver.js:
1726         (checkBasicBlock):
1727
1728 2015-02-23  Matthew Mirman  <mmirman@apple.com>
1729
1730         r9 is volatile on ARMv7 for iOS 3 and up. 
1731         https://bugs.webkit.org/show_bug.cgi?id=141489
1732         rdar://problem/19432916
1733
1734         Reviewed by Michael Saboff.
1735
1736         * jit/RegisterSet.cpp: 
1737         (JSC::RegisterSet::calleeSaveRegisters): removed r9 from the list of ARMv7 callee save registers.
1738         * tests/stress/regress-141489.js: Added.
1739         (foo):
1740
1741 2015-02-23  Csaba Osztrogonác  <ossy@webkit.org>
1742
1743         [ARM] Add the necessary setupArgumentsWithExecState after bug141915
1744         https://bugs.webkit.org/show_bug.cgi?id=141921
1745
1746         Reviewed by Michael Saboff.
1747
1748         * jit/CCallHelpers.h:
1749         (JSC::CCallHelpers::setupArgumentsWithExecState):
1750
1751 2015-02-23  Filip Pizlo  <fpizlo@apple.com>
1752
1753         Scopes should always be created with a previously-created symbol table rather than creating one on the fly
1754         https://bugs.webkit.org/show_bug.cgi?id=141915
1755
1756         Reviewed by Mark Lam.
1757         
1758         The main effect of this change is that pushing name scopes no longer requires creating symbol
1759         tables on the fly.
1760         
1761         This also makes it so that JSEnvironmentRecords must always have an a priori symbol table.
1762         
1763         JSSegmentedVariableObject still does a hack where it creates a blank symbol table on-demand.
1764         This is needed because that's what JSGlobalObject and all of its many subclasses want. That's
1765         harmless; I mainly needed a priori symbol tables for JSEnvironmentRecords anyway.
1766
1767         * bytecode/BytecodeList.json:
1768         * bytecompiler/BytecodeGenerator.cpp:
1769         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
1770         (JSC::BytecodeGenerator::emitPushCatchScope):
1771         * jit/CCallHelpers.h:
1772         (JSC::CCallHelpers::setupArgumentsWithExecState):
1773         * jit/JIT.h:
1774         * jit/JITInlines.h:
1775         (JSC::JIT::callOperation):
1776         * jit/JITOpcodes.cpp:
1777         (JSC::JIT::emit_op_push_name_scope):
1778         * jit/JITOpcodes32_64.cpp:
1779         (JSC::JIT::emit_op_push_name_scope):
1780         * jit/JITOperations.cpp:
1781         (JSC::pushNameScope):
1782         * jit/JITOperations.h:
1783         * llint/LLIntSlowPaths.cpp:
1784         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1785         * llint/LowLevelInterpreter.asm:
1786         * runtime/Executable.cpp:
1787         (JSC::ScriptExecutable::newCodeBlockFor):
1788         * runtime/JSCatchScope.h:
1789         (JSC::JSCatchScope::JSCatchScope):
1790         (JSC::JSCatchScope::create):
1791         * runtime/JSEnvironmentRecord.h:
1792         (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
1793         * runtime/JSFunctionNameScope.h:
1794         (JSC::JSFunctionNameScope::JSFunctionNameScope):
1795         (JSC::JSFunctionNameScope::create):
1796         * runtime/JSNameScope.cpp:
1797         (JSC::JSNameScope::create):
1798         * runtime/JSNameScope.h:
1799         (JSC::JSNameScope::create):
1800         (JSC::JSNameScope::finishCreation):
1801         (JSC::JSNameScope::JSNameScope):
1802         * runtime/JSSegmentedVariableObject.h:
1803         (JSC::JSSegmentedVariableObject::finishCreation):
1804         * runtime/JSSymbolTableObject.h:
1805         (JSC::JSSymbolTableObject::JSSymbolTableObject):
1806         (JSC::JSSymbolTableObject::finishCreation): Deleted.
1807         * runtime/SymbolTable.h:
1808         (JSC::SymbolTable::createNameScopeTable):
1809
1810 2015-02-23  Filip Pizlo  <fpizlo@apple.com>
1811
1812         Add a comment to clarify that the test was taken from the bug report, in response to
1813         feedback from Michael Saboff and Benjamin Poulain.
1814         
1815         * tests/stress/regress-141883.js:
1816
1817 2015-02-22  Filip Pizlo  <fpizlo@apple.com>
1818
1819         Function name scope is only created on the function instance that triggered parsing rather than on every function instance that needs it
1820         https://bugs.webkit.org/show_bug.cgi?id=141881
1821
1822         Reviewed by Michael Saboff.
1823         
1824         Previously we only created the function name scope in a way that made it visible to the
1825         function that triggered parsing/linking of the executable/codeBlock, and to the linker for
1826         that code block. This was sort of the bare minimum for the feature to appear to work right to
1827         synthetic tests.
1828
1829         There are two valid "times" to create the function name scope. Either it's created for each
1830         JSFunction instance that needs a name scope, or it's created for each execution of such a
1831         JSFunction. This change chooses the latter, because it happens to be the easiest to implement
1832         with what we have right now. I opened a bug for optimizing this if we ever need to:
1833         https://bugs.webkit.org/show_bug.cgi?id=141887.
1834         
1835         * bytecompiler/BytecodeGenerator.cpp:
1836         (JSC::BytecodeGenerator::BytecodeGenerator):
1837         * interpreter/Interpreter.cpp:
1838         (JSC::Interpreter::execute):
1839         (JSC::Interpreter::executeCall):
1840         (JSC::Interpreter::executeConstruct):
1841         (JSC::Interpreter::prepareForRepeatCall):
1842         * jit/JITOperations.cpp:
1843         * llint/LLIntSlowPaths.cpp:
1844         (JSC::LLInt::setUpCall):
1845         * runtime/ArrayPrototype.cpp:
1846         (JSC::isNumericCompareFunction):
1847         * runtime/Executable.cpp:
1848         (JSC::ScriptExecutable::newCodeBlockFor):
1849         (JSC::ScriptExecutable::prepareForExecutionImpl):
1850         (JSC::FunctionExecutable::FunctionExecutable):
1851         * runtime/Executable.h:
1852         (JSC::ScriptExecutable::prepareForExecution):
1853         * runtime/JSFunction.cpp:
1854         (JSC::JSFunction::addNameScopeIfNeeded): Deleted.
1855         * runtime/JSFunction.h:
1856         * tests/stress/function-name-scope.js: Added.
1857         (check.verify):
1858         (check):
1859
1860 2015-02-22  Filip Pizlo  <fpizlo@apple.com>
1861
1862         Crash in DFGFrozenValue
1863         https://bugs.webkit.org/show_bug.cgi?id=141883
1864
1865         Reviewed by Benjamin Poulain.
1866         
1867         If a value might be a cell, then we have to have Graph freeze it rather than trying to
1868         create the FrozenValue directly. Creating it directly is just an optimization for when you
1869         know for sure that it cannot be a cell.
1870
1871         * dfg/DFGAbstractInterpreterInlines.h:
1872         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1873         * tests/stress/regress-141883.js: Added. Hacked the original test to be faster while still crashing before this fix.
1874
1875 2015-02-21  Joseph Pecoraro  <pecoraro@apple.com>
1876
1877         Web Inspector: Generate Previews more often for RemoteObject interaction
1878         https://bugs.webkit.org/show_bug.cgi?id=141875
1879
1880         Reviewed by Timothy Hatcher.
1881
1882         * inspector/protocol/Runtime.json:
1883         Add generatePreview to getProperties.
1884
1885         * inspector/InjectedScript.cpp:
1886         (Inspector::InjectedScript::getProperties):
1887         (Inspector::InjectedScript::getInternalProperties):
1888         * inspector/InjectedScript.h:
1889         * inspector/agents/InspectorRuntimeAgent.cpp:
1890         (Inspector::InspectorRuntimeAgent::getProperties):
1891         * inspector/agents/InspectorRuntimeAgent.h:
1892         Plumb the generatePreview boolean through to the injected script.
1893
1894         * inspector/InjectedScriptSource.js:
1895         Add generatePreview for getProperties.
1896         Fix callFunctionOn to generatePreviews if asked.
1897
1898 2015-02-20  Mark Lam  <mark.lam@apple.com>
1899
1900         Refactor JSWrapperMap.mm to defer creation of the ObjC JSValue until the latest possible moment.
1901         <https://webkit.org/b/141856>
1902
1903         Reviewed by Geoffrey Garen.
1904
1905         1. Make JSObjCClassInfo's -constructor and -wrapperForObject return a
1906            JSC::JSObject* just like -prototype.
1907         2. Defer the creation of the ObjC JSValue from JSC::JSObject* until
1908            the latest moment when it is needed.  This allows us to not have to
1909            keep converting back to a JSC::JSObject* in intermediate code.
1910
1911         * API/JSWrapperMap.mm:
1912         (makeWrapper):
1913         (objectWithCustomBrand):
1914         (constructorWithCustomBrand):
1915         (allocateConstructorForCustomClass):
1916         (-[JSObjCClassInfo allocateConstructorAndPrototype]):
1917         (-[JSObjCClassInfo wrapperForObject:]):
1918         (-[JSObjCClassInfo constructor]):
1919         (-[JSWrapperMap jsWrapperForObject:]):
1920
1921 2015-02-20  Filip Pizlo  <fpizlo@apple.com>
1922
1923         Build fix for gcc.
1924
1925         * runtime/JSNameScope.cpp:
1926         (JSC::JSNameScope::create):
1927
1928 2015-02-20  Filip Pizlo  <fpizlo@apple.com>
1929
1930         Get rid of JSNameScope::m_type
1931         https://bugs.webkit.org/show_bug.cgi?id=141851
1932
1933         Reviewed by Geoffrey Garen.
1934         
1935         This is a big step towards getting rid of JSEnvironmentRecord::m_registers. To do it we need
1936         to ensure that subclasses of JSEnvironmentRecord never have additional C++ fields, so that
1937         JSEnvironmentRecord can always place "registers" right after the end of itself.
1938
1939         * CMakeLists.txt:
1940         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1941         * JavaScriptCore.xcodeproj/project.pbxproj:
1942         * debugger/DebuggerScope.cpp:
1943         (JSC::DebuggerScope::isCatchScope):
1944         (JSC::DebuggerScope::isFunctionNameScope):
1945         * interpreter/Interpreter.cpp:
1946         (JSC::Interpreter::execute):
1947         * jit/JITOperations.cpp:
1948         * llint/LLIntSlowPaths.cpp:
1949         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1950         * runtime/JSCatchScope.cpp: Added.
1951         * runtime/JSCatchScope.h: Added.
1952         (JSC::JSCatchScope::JSCatchScope):
1953         (JSC::JSCatchScope::create):
1954         (JSC::JSCatchScope::createStructure):
1955         * runtime/JSFunction.cpp:
1956         (JSC::JSFunction::addNameScopeIfNeeded):
1957         * runtime/JSFunctionNameScope.cpp: Added.
1958         * runtime/JSFunctionNameScope.h: Added.
1959         (JSC::JSFunctionNameScope::JSFunctionNameScope):
1960         (JSC::JSFunctionNameScope::create):
1961         (JSC::JSFunctionNameScope::createStructure):
1962         * runtime/JSGlobalObject.cpp:
1963         (JSC::JSGlobalObject::init):
1964         (JSC::JSGlobalObject::visitChildren):
1965         * runtime/JSGlobalObject.h:
1966         (JSC::JSGlobalObject::catchScopeStructure):
1967         (JSC::JSGlobalObject::functionNameScopeStructure):
1968         (JSC::JSGlobalObject::nameScopeStructure): Deleted.
1969         * runtime/JSNameScope.cpp:
1970         (JSC::JSNameScope::create):
1971         * runtime/JSNameScope.h:
1972         (JSC::JSNameScope::create):
1973         (JSC::JSNameScope::JSNameScope):
1974         (JSC::JSNameScope::createStructure): Deleted.
1975         (JSC::JSNameScope::isFunctionNameScope): Deleted.
1976         (JSC::JSNameScope::isCatchScope): Deleted.
1977         * runtime/JSObject.cpp:
1978         (JSC::JSObject::isCatchScopeObject):
1979         (JSC::JSObject::isFunctionNameScopeObject):
1980         * runtime/JSObject.h:
1981
1982 2015-02-20  Mark Lam  <mark.lam@apple.com>
1983
1984         [JSObjCClassInfo reallocateConstructorAndOrPrototype] should also reallocate super class prototype chain.
1985         <https://webkit.org/b/141809>
1986
1987         Reviewed by Geoffrey Garen.
1988
1989         An ObjC class that implements the JSExport protocol will have a JS prototype
1990         chain and constructor automatically synthesized for its JS wrapper object.
1991         However, if there are no more instances of that ObjC class reachable by a
1992         JS GC root scan, then its synthesized prototype chain and constructors may
1993         be released by the GC.  If a new instance of that ObjC class is subsequently
1994         instantiated, then [JSObjCClassInfo reallocateConstructorAndOrPrototype]
1995         should re-construct the prototype chain and constructor (if they were
1996         previously released).  However, the current implementation only
1997         re-constructs the immediate prototype, but not every other prototype
1998         object upstream in the prototype chain.
1999
2000         To fix this, we do the following:
2001         1. We no longer allocate the JSObjCClassInfo's prototype and constructor
2002            eagerly.  Hence, -initWithContext:forClass: will no longer call
2003            -allocateConstructorAndPrototypeWithSuperClassInfo:.
2004         2. Instead, we'll always access the prototype and constructor through
2005            accessor methods.  The accessor methods will call
2006            -allocateConstructorAndPrototype: if needed.
2007         3. -allocateConstructorAndPrototype: will fetch the needed superClassInfo
2008            from the JSWrapperMap itself.  This makes it so that we no longer
2009            need to pass the superClassInfo all over.
2010         4. -allocateConstructorAndPrototype: will get the super class prototype
2011            by invoking -prototype: on the superClassInfo, thereby allowing the
2012            super class to allocate its prototype and constructor if needed and
2013            fixing the issue in this bug.
2014
2015         5. Also removed the GC warning comments, and ensured that needed JS
2016            objects are kept alive by having a local var pointing to it from the
2017            stack (which makes a GC root).
2018
2019         * API/JSWrapperMap.mm:
2020         (-[JSObjCClassInfo initWithContext:forClass:]):
2021         (-[JSObjCClassInfo allocateConstructorAndPrototype]):
2022         (-[JSObjCClassInfo wrapperForObject:]):
2023         (-[JSObjCClassInfo constructor]):
2024         (-[JSObjCClassInfo prototype]):
2025         (-[JSWrapperMap classInfoForClass:]):
2026         (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]): Deleted.
2027         (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): Deleted.
2028         (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]): Deleted.
2029         * API/tests/Regress141809.h: Added.
2030         * API/tests/Regress141809.mm: Added.
2031         (-[TestClassB name]):
2032         (-[TestClassC name]):
2033         (runRegress141809):
2034         * API/tests/testapi.mm:
2035         * JavaScriptCore.xcodeproj/project.pbxproj:
2036
2037 2015-02-20  Alexey Proskuryakov  <ap@apple.com>
2038
2039         Remove svn:keywords property.
2040
2041         As far as I can tell, the property had no effect on any of these files, but also,
2042         when it has effect it's likely harmful.
2043
2044         * builtins/ArrayConstructor.js: Removed property svn:keywords.
2045
2046 2015-02-20  Michael Saboff  <msaboff@apple.com>
2047
2048         DFG JIT needs to check for stack overflow at the start of Program and Eval execution
2049         https://bugs.webkit.org/show_bug.cgi?id=141676
2050
2051         Reviewed by Filip Pizlo.
2052
2053         Added stack check to the beginning of the code the DFG compiler emits for Program and Eval nodes.
2054         To aid in testing the code, I replaced the EvalCodeCache::maxCacheableSourceLength const with
2055         an option in runtime/Options.h.  The test script, run-jsc-stress-tests, sets that option
2056         to a huge value when running with the "Eager" options.  This allows the updated test to
2057         reliably exercise the code in question.
2058
2059         * dfg/DFGJITCompiler.cpp:
2060         (JSC::DFG::JITCompiler::compile):
2061         Added stack check.
2062
2063         * bytecode/EvalCodeCache.h:
2064         (JSC::EvalCodeCache::tryGet):
2065         (JSC::EvalCodeCache::getSlow):
2066         * runtime/Options.h:
2067         Replaced EvalCodeCache::maxCacheableSourceLength with Options::maximumEvalCacheableSourceLength
2068         so that it can be configured when running the related test.
2069
2070 2015-02-20  Eric Carlson  <eric.carlson@apple.com>
2071
2072         [iOS] cleanup AirPlay code
2073         https://bugs.webkit.org/show_bug.cgi?id=141811
2074
2075         Reviewed by Jer Noble.
2076
2077         * Configurations/FeatureDefines.xcconfig: IOS_AIRPLAY -> WIRELESS_PLAYBACK_TARGET.
2078
2079 2015-02-19  Dean Jackson  <dino@apple.com>
2080
2081         ES6: Implement Array.from()
2082         https://bugs.webkit.org/show_bug.cgi?id=141054
2083         <rdar://problem/19654521>
2084
2085         Reviewed by Filip Pizlo.
2086
2087         Implement the Array.from() ES6 method
2088         as defined in Section 22.1.2.1 of the specification.
2089
2090         Given that we can't rely on the built-in
2091         global functions or objects to be untainted,
2092         I had to expose a few of them directly to
2093         the function via private names. In particular:
2094         - Math.floor -> @floor
2095         - Math.abs -> @abs
2096         - Number -> @Number
2097         - Array -> @Array
2098         - isFinite -> @isFinite
2099
2100         * builtins/ArrayConstructor.js: Added.
2101         (from): Implementation of Array.from in JavaScript.
2102         * runtime/ArrayConstructor.cpp: Add "from" to the lookup
2103         table for the constructor object.
2104         * runtime/CommonIdentifiers.h: Add the private versions
2105         of the identifiers listed above.
2106         * runtime/JSGlobalObject.cpp: Add the implementations of
2107         those identifiers to the global object (using their
2108         private names).
2109         (JSC::JSGlobalObject::init):
2110         * runtime/JSGlobalObjectFunctions.cpp:
2111         (JSC::globalPrivateFuncAbs): Implementation of the abs function.
2112         (JSC::globalPrivateFuncFloor): Implementation of the floor function.
2113         * runtime/JSGlobalObjectFunctions.h:
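
        The motivation in the entry above (a builtin must not depend on globals a page script can
        reassign) is easy to demonstrate outside the engine. The following is an added example, not
        WebKit code: a plain-JS Array.from-alike written twice, once resolving Math.floor and friends
        at call time and once against references captured at definition time, which is what the
        @floor/@abs/@Number/@Array/@isFinite private names give the real builtin. The helper names
        ($floor, toLength, arrayFromNaive, arrayFromHardened, withTamperedFloor) are made up for
        illustration.

```javascript
// Added example (not WebKit code): why a builtin captures the intrinsics it
// depends on instead of looking them up on the global object at call time.
// The $-prefixed constants stand in for JSC's private-name intrinsics
// (@floor, @abs, @isFinite, @Number, @Array); all helper names are invented.

// Captured once, before any page script runs and can tamper with the globals.
const $floor = Math.floor;
const $abs = Math.abs;
const $isFinite = isFinite;
const $Number = Number;
const $Array = Array;

// ToLength (ES6 7.1.15) parameterised over the intrinsics it uses, so the
// same logic can be run against live globals or captured references.
function toLength(value, floor, abs, isFin, Num) {
  const n = Num(value);
  if (n !== n || n <= 0) return 0;          // NaN or non-positive length -> 0
  if (!isFin(n)) return 9007199254740991;   // clamp to 2^53 - 1
  return floor(abs(n));
}

// Naive version: reads Math.floor etc. off the global object on every call,
// so a script that reassigns them silently changes the builtin's behaviour.
function arrayFromNaive(arrayLike) {
  const len = toLength(arrayLike.length, Math.floor, Math.abs, isFinite, Number);
  const out = new Array(len);
  for (let k = 0; k < len; k++) out[k] = arrayLike[k];
  return out;
}

// Hardened version: only ever touches the captured references.
function arrayFromHardened(arrayLike) {
  const len = toLength(arrayLike.length, $floor, $abs, $isFinite, $Number);
  const out = new $Array(len);
  for (let k = 0; k < len; k++) out[k] = arrayLike[k];
  return out;
}

// Simulates a page script clobbering a global after the builtins were set up,
// then restores it so the rest of the program is unaffected.
function withTamperedFloor(fn) {
  const saved = Math.floor;
  Math.floor = () => 0;                      // every computed length becomes 0
  try {
    return fn();
  } finally {
    Math.floor = saved;
  }
}

// Constructed array-like input with a fractional length, so floor() matters.
const sample = { length: 3.7, 0: "a", 1: "b", 2: "c" };

// Runs both implementations under the tampered global and returns the results.
function demo() {
  return {
    naive: withTamperedFloor(() => arrayFromNaive(sample)),       // []
    hardened: withTamperedFloor(() => arrayFromHardened(sample)), // ["a","b","c"]
  };
}

console.log(JSON.stringify(demo()));
```

        With the untampered global both functions agree; once Math.floor is replaced, only the
        version that captured its intrinsics still produces the three elements, which is the
        property the private names buy the engine's own builtins/ArrayConstructor.js.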
2114
2115 2015-02-19  Benjamin Poulain  <bpoulain@apple.com>
2116
2117         Refine the FTL part of ArithPow
2118         https://bugs.webkit.org/show_bug.cgi?id=141792
2119
2120         Reviewed by Filip Pizlo.
2121
2122         This patch refines the FTL lowering of ArithPow. This was left out
2123         of the original patch to keep it simpler.
2124
2125         * ftl/FTLLowerDFGToLLVM.cpp:
2126         (JSC::FTL::LowerDFGToLLVM::compileArithPow):
2127         Two improvements here:
2128         1) Do not generate the NaN check unless we know the exponent might be a NaN.
2129         2) Use one BasicBlock per check with the appropriate weight. Now that we have
2130            one branch per test, move the Infinity check before the check for 1 since
2131            it is the less common case.
2132
2133         * tests/stress/math-pow-becomes-custom-function.js: Added.
2134         Test for changing the Math.pow() function after it has been optimized.
2135
2136         * tests/stress/math-pow-nan-behaviors.js:
2137         The previous tests were only going as far as the DFGAbstractInterpreter
2138         where the operations were replaced by the equivalent constant.
2139
2140         I duplicated the test functions to also test the dynamic behavior of DFG
2141         and FTL.
2142
2143         * tests/stress/math-pow-with-constants.js:
2144         Add cases covering exponent constants. LLVM removes many value
2145         checks for those.
2146
2147         * tests/stress/math-pow-with-never-NaN-exponent.js: Added.
2148         Test for the new optimization removing the NaN check.
2149
2150 2015-02-19  Csaba Osztrogonác  <ossy@webkit.org>
2151
2152         REGRESSION(r180279): It broke 20 tests on ARM Linux
2153         https://bugs.webkit.org/show_bug.cgi?id=141771
2154
2155         Reviewed by Filip Pizlo.
2156
2157         * dfg/DFGSpeculativeJIT.h:
2158         (JSC::DFG::SpeculativeJIT::callOperation): Align 64-bit values to respect ARM EABI.
2159
2160 2015-02-18  Benjamin Poulain  <bpoulain@apple.com>
2161
2162         Remove BytecodeGenerator's numberMap, it is dead code
2163         https://bugs.webkit.org/show_bug.cgi?id=141779
2164
2165         Reviewed by Filip Pizlo.
2166
2167         * bytecompiler/BytecodeGenerator.cpp:
2168         (JSC::BytecodeGenerator::emitLoad): Deleted.
2169         * bytecompiler/BytecodeGenerator.h:
2170         The JSValueMap seems better in every way.
2171
2172         The emitLoad() taking a double was the only way to use numberMap
2173         and that code has no caller.
2174
2175 2015-02-18  Michael Saboff  <msaboff@apple.com>
2176
2177         Rollout r180247 & r180249 from trunk
2178         https://bugs.webkit.org/show_bug.cgi?id=141773
2179
2180         Reviewed by Filip Pizlo.
2181
2182         These changes make sense to fix the crash reported in https://bugs.webkit.org/show_bug.cgi?id=141730
2183         only for branches.  The change to fail the FTL compile but continue running is not comprehensive
2184         enough for general use on trunk.
2185
2186         * dfg/DFGPlan.cpp:
2187         (JSC::DFG::Plan::compileInThreadImpl):
2188         * ftl/FTLLowerDFGToLLVM.cpp:
2189         (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
2190         (JSC::FTL::LowerDFGToLLVM::lower):
2191         (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
2192         (JSC::FTL::LowerDFGToLLVM::compileNode):
2193         (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
2194         (JSC::FTL::LowerDFGToLLVM::compilePhi):
2195         (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
2196         (JSC::FTL::LowerDFGToLLVM::compileValueRep):
2197         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
2198         (JSC::FTL::LowerDFGToLLVM::compilePutLocal):
2199         (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
2200         (JSC::FTL::LowerDFGToLLVM::compileArithMul):
2201         (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
2202         (JSC::FTL::LowerDFGToLLVM::compileArithMod):
2203         (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
2204         (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
2205         (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
2206         (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
2207         (JSC::FTL::LowerDFGToLLVM::compileGetById):
2208         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
2209         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
2210         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2211         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2212         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
2213         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
2214         (JSC::FTL::LowerDFGToLLVM::compileNewArray):
2215         (JSC::FTL::LowerDFGToLLVM::compileToString):
2216         (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
2217         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
2218         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
2219         (JSC::FTL::LowerDFGToLLVM::compileSwitch):
2220         (JSC::FTL::LowerDFGToLLVM::compare):
2221         (JSC::FTL::LowerDFGToLLVM::boolify):
2222         (JSC::FTL::LowerDFGToLLVM::opposite):
2223         (JSC::FTL::LowerDFGToLLVM::lowJSValue):
2224         (JSC::FTL::LowerDFGToLLVM::speculate):
2225         (JSC::FTL::LowerDFGToLLVM::isArrayType):
2226         (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
2227         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
2228         (JSC::FTL::LowerDFGToLLVM::setInt52):
2229         (JSC::FTL::lowerDFGToLLVM):
2230         (JSC::FTL::LowerDFGToLLVM::loweringFailed): Deleted.
2231         * ftl/FTLLowerDFGToLLVM.h:
2232
2233 2015-02-18  Filip Pizlo  <fpizlo@apple.com>
2234
2235         DFG should really support varargs
2236         https://bugs.webkit.org/show_bug.cgi?id=141332
2237
2238         Reviewed by Oliver Hunt.
2239         
2240         This adds comprehensive vararg call support to the DFG and FTL compilers. Previously, if a
2241         function had a varargs call, then it could only be compiled if that varargs call was just
2242         forwarding arguments and we were inlining the function rather than compiling it directly. Also,
2243         only varargs calls were dealt with; varargs constructs were not.
2244         
2245         This lifts all of those restrictions. Every varargs call or construct can now be compiled by both
2246         the DFG and the FTL. Those calls can be inlined, too - provided that profiling gives us a
2247         sensible bound on arguments list length. When we inline a varargs call, the act of loading the
2248         varargs is now made explicit in IR. I believe that we have enough IR machinery in place that we
2249         would be able to do the arguments forwarding optimization as an IR transformation. This patch
2250         doesn't implement that yet, and keeps the old bytecode-based varargs argument forwarding
2251         optimization for now.
2252         
2253         There are three major IR features introduced in this patch:
2254         
2255         CallVarargs/ConstructVarargs: these are like Call/Construct except that they take an arguments
2256         array rather than a list of arguments. Currently, they splat this arguments array onto the stack
2257         using the same basic technique as the baseline JIT has always done. Except, these nodes indicate
2258         that we are not interested in doing the non-escaping "arguments" optimization.
2259         
2260         CallForwardVarargs: this is a form of CallVarargs that just does the non-escaping "arguments"
2261         optimization, aka forwarding arguments. It's somewhat lazy that this doesn't include
2262         ConstructForwardVarargs, but the reason is that once we eliminate the lazy tear-off for
2263         arguments, this whole thing will have to be tweaked - and for now forwarding on construct is just
2264         not important in benchmarks. ConstructVarargs will still do forwarding, just not inlined.
2265         
2266         LoadVarargs: loads all elements out of an array onto the stack in a manner suitable for a varargs
2267         call. This is used only when a varargs call (or construct) was inlined. The bytecode parser will
2268         make room on the stack for the arguments, and will use LoadVarargs to put those arguments into
2269         place.
2270         
2271         In the future, we can consider adding strength reductions like:
2272         
2273         - If CallVarargs/ConstructVarargs see an array of known size with known elements, turn them into
2274           Call/Construct.
2275         
2276         - If CallVarargs/ConstructVarargs are passed an unmodified, unescaped Arguments object, then
2277           turn them into CallForwardVarargs/ConstructForwardVarargs.
2278         
2279         - If LoadVarargs sees an array of known size, then turn it into a sequence of GetByVals and
2280           PutLocals.
2281         
2282         - If LoadVarargs sees an unmodified, unescaped Arguments object, then turn it into something like
2283           LoadForwardVarargs.
2284         
2285         - If CallVarargs/ConstructVarargs/LoadVarargs see the result of a splice (or other Array
2286           prototype function), then do the splice and varargs loading in one go (maybe via a new node
2287           type).
2288
2289         * CMakeLists.txt:
2290         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2291         * JavaScriptCore.xcodeproj/project.pbxproj:
2292         * assembler/MacroAssembler.h:
2293         (JSC::MacroAssembler::rshiftPtr):
2294         (JSC::MacroAssembler::urshiftPtr):
2295         * assembler/MacroAssemblerARM64.h:
2296         (JSC::MacroAssemblerARM64::urshift64):
2297         * assembler/MacroAssemblerX86_64.h:
2298         (JSC::MacroAssemblerX86_64::urshift64):
2299         * assembler/X86Assembler.h:
2300         (JSC::X86Assembler::shrq_i8r):
2301         * bytecode/CallLinkInfo.h:
2302         (JSC::CallLinkInfo::CallLinkInfo):
2303         * bytecode/CallLinkStatus.cpp:
2304         (JSC::CallLinkStatus::computeFor):
2305         (JSC::CallLinkStatus::setProvenConstantCallee):
2306         (JSC::CallLinkStatus::dump):
2307         * bytecode/CallLinkStatus.h:
2308         (JSC::CallLinkStatus::maxNumArguments):
2309         (JSC::CallLinkStatus::setIsProved): Deleted.
2310         * bytecode/CodeOrigin.cpp:
2311         (WTF::printInternal):
2312         * bytecode/CodeOrigin.h:
2313         (JSC::InlineCallFrame::varargsKindFor):
2314         (JSC::InlineCallFrame::specializationKindFor):
2315         (JSC::InlineCallFrame::isVarargs):
2316         (JSC::InlineCallFrame::isNormalCall): Deleted.
2317         * bytecode/ExitKind.cpp:
2318         (JSC::exitKindToString):
2319         * bytecode/ExitKind.h:
2320         * bytecode/ValueRecovery.cpp:
2321         (JSC::ValueRecovery::dumpInContext):
2322         * dfg/DFGAbstractInterpreterInlines.h:
2323         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2324         * dfg/DFGArgumentsSimplificationPhase.cpp:
2325         (JSC::DFG::ArgumentsSimplificationPhase::run):
2326         * dfg/DFGByteCodeParser.cpp:
2327         (JSC::DFG::ByteCodeParser::flush):
2328         (JSC::DFG::ByteCodeParser::addCall):
2329         (JSC::DFG::ByteCodeParser::handleCall):
2330         (JSC::DFG::ByteCodeParser::handleVarargsCall):
2331         (JSC::DFG::ByteCodeParser::emitFunctionChecks):
2332         (JSC::DFG::ByteCodeParser::inliningCost):
2333         (JSC::DFG::ByteCodeParser::inlineCall):
2334         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
2335         (JSC::DFG::ByteCodeParser::handleInlining):
2336         (JSC::DFG::ByteCodeParser::handleMinMax):
2337         (JSC::DFG::ByteCodeParser::handleIntrinsic):
2338         (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
2339         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2340         (JSC::DFG::ByteCodeParser::parseBlock):
2341         (JSC::DFG::ByteCodeParser::removeLastNodeFromGraph): Deleted.
2342         (JSC::DFG::ByteCodeParser::undoFunctionChecks): Deleted.
2343         * dfg/DFGCapabilities.cpp:
2344         (JSC::DFG::capabilityLevel):
2345         * dfg/DFGCapabilities.h:
2346         (JSC::DFG::functionCapabilityLevel):
2347         (JSC::DFG::mightCompileFunctionFor):
2348         * dfg/DFGClobberize.h:
2349         (JSC::DFG::clobberize):
2350         * dfg/DFGCommon.cpp:
2351         (WTF::printInternal):
2352         * dfg/DFGCommon.h:
2353         (JSC::DFG::canInline):
2354         (JSC::DFG::leastUpperBound):
2355         * dfg/DFGDoesGC.cpp:
2356         (JSC::DFG::doesGC):
2357         * dfg/DFGFixupPhase.cpp:
2358         (JSC::DFG::FixupPhase::fixupNode):
2359         * dfg/DFGGraph.cpp:
2360         (JSC::DFG::Graph::dump):
2361         (JSC::DFG::Graph::dumpBlockHeader):
2362         (JSC::DFG::Graph::isLiveInBytecode):
2363         (JSC::DFG::Graph::valueProfileFor):
2364         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2365         * dfg/DFGGraph.h:
2366         (JSC::DFG::Graph::valueProfileFor): Deleted.
2367         (JSC::DFG::Graph::methodOfGettingAValueProfileFor): Deleted.
2368         * dfg/DFGJITCompiler.cpp:
2369         (JSC::DFG::JITCompiler::compileExceptionHandlers):
2370         (JSC::DFG::JITCompiler::link):
2371         * dfg/DFGMayExit.cpp:
2372         (JSC::DFG::mayExit):
2373         * dfg/DFGNode.h:
2374         (JSC::DFG::Node::hasCallVarargsData):
2375         (JSC::DFG::Node::callVarargsData):
2376         (JSC::DFG::Node::hasLoadVarargsData):
2377         (JSC::DFG::Node::loadVarargsData):
2378         (JSC::DFG::Node::hasHeapPrediction):
2379         * dfg/DFGNodeType.h:
2380         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2381         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
2382         * dfg/DFGOSRExitCompilerCommon.cpp:
2383         (JSC::DFG::reifyInlinedCallFrames):
2384         * dfg/DFGOperations.cpp:
2385         * dfg/DFGOperations.h:
2386         * dfg/DFGPlan.cpp:
2387         (JSC::DFG::dumpAndVerifyGraph):
2388         (JSC::DFG::Plan::compileInThreadImpl):
2389         * dfg/DFGPreciseLocalClobberize.h:
2390         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
2391         (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop):
2392         * dfg/DFGPredictionPropagationPhase.cpp:
2393         (JSC::DFG::PredictionPropagationPhase::propagate):
2394         * dfg/DFGSSAConversionPhase.cpp:
2395         * dfg/DFGSafeToExecute.h:
2396         (JSC::DFG::safeToExecute):
2397         * dfg/DFGSpeculativeJIT.h:
2398         (JSC::DFG::SpeculativeJIT::isFlushed):
2399         (JSC::DFG::SpeculativeJIT::callOperation):
2400         * dfg/DFGSpeculativeJIT32_64.cpp:
2401         (JSC::DFG::SpeculativeJIT::emitCall):
2402         (JSC::DFG::SpeculativeJIT::compile):
2403         * dfg/DFGSpeculativeJIT64.cpp:
2404         (JSC::DFG::SpeculativeJIT::emitCall):
2405         (JSC::DFG::SpeculativeJIT::compile):
2406         * dfg/DFGStackLayoutPhase.cpp:
2407         (JSC::DFG::StackLayoutPhase::run):
2408         (JSC::DFG::StackLayoutPhase::assign):
2409         * dfg/DFGStrengthReductionPhase.cpp:
2410         (JSC::DFG::StrengthReductionPhase::handleNode):
2411         * dfg/DFGTypeCheckHoistingPhase.cpp:
2412         (JSC::DFG::TypeCheckHoistingPhase::run):
2413         * dfg/DFGValidate.cpp:
2414         (JSC::DFG::Validate::validateCPS):
2415         * ftl/FTLAbbreviations.h:
2416         (JSC::FTL::functionType):
2417         (JSC::FTL::buildCall):
2418         * ftl/FTLCapabilities.cpp:
2419         (JSC::FTL::canCompile):
2420         * ftl/FTLCompile.cpp:
2421         (JSC::FTL::mmAllocateDataSection):
2422         * ftl/FTLInlineCacheSize.cpp:
2423         (JSC::FTL::sizeOfCall):
2424         (JSC::FTL::sizeOfCallVarargs):
2425         (JSC::FTL::sizeOfCallForwardVarargs):
2426         (JSC::FTL::sizeOfConstructVarargs):
2427         (JSC::FTL::sizeOfIn):
2428         (JSC::FTL::sizeOfICFor):
2429         (JSC::FTL::sizeOfCheckIn): Deleted.
2430         * ftl/FTLInlineCacheSize.h:
2431         * ftl/FTLIntrinsicRepository.h:
2432         * ftl/FTLJSCall.cpp:
2433         (JSC::FTL::JSCall::JSCall):
2434         * ftl/FTLJSCallBase.cpp:
2435         * ftl/FTLJSCallBase.h:
2436         * ftl/FTLJSCallVarargs.cpp: Added.
2437         (JSC::FTL::JSCallVarargs::JSCallVarargs):
2438         (JSC::FTL::JSCallVarargs::numSpillSlotsNeeded):
2439         (JSC::FTL::JSCallVarargs::emit):
2440         (JSC::FTL::JSCallVarargs::link):
2441         * ftl/FTLJSCallVarargs.h: Added.
2442         (JSC::FTL::JSCallVarargs::node):
2443         (JSC::FTL::JSCallVarargs::stackmapID):
2444         (JSC::FTL::JSCallVarargs::operator<):
2445         * ftl/FTLLowerDFGToLLVM.cpp:
2446         (JSC::FTL::LowerDFGToLLVM::lower):
2447         (JSC::FTL::LowerDFGToLLVM::compileNode):
2448         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
2449         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
2450         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
2451         (JSC::FTL::LowerDFGToLLVM::compileLoadVarargs):
2452         (JSC::FTL::LowerDFGToLLVM::compileIn):
2453         (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
2454         (JSC::FTL::LowerDFGToLLVM::vmCall):
2455         (JSC::FTL::LowerDFGToLLVM::vmCallNoExceptions):
2456         (JSC::FTL::LowerDFGToLLVM::callCheck):
2457         * ftl/FTLOutput.h:
2458         (JSC::FTL::Output::call):
2459         * ftl/FTLState.cpp:
2460         (JSC::FTL::State::State):
2461         * ftl/FTLState.h:
2462         * interpreter/Interpreter.cpp:
2463         (JSC::sizeOfVarargs):
2464         (JSC::sizeFrameForVarargs):
2465         * interpreter/Interpreter.h:
2466         * interpreter/StackVisitor.cpp:
2467         (JSC::StackVisitor::readInlinedFrame):
2468         * jit/AssemblyHelpers.cpp:
2469         (JSC::AssemblyHelpers::emitExceptionCheck):
2470         * jit/AssemblyHelpers.h:
2471         (JSC::AssemblyHelpers::addressFor):
2472         (JSC::AssemblyHelpers::calleeFrameSlot):
2473         (JSC::AssemblyHelpers::calleeArgumentSlot):
2474         (JSC::AssemblyHelpers::calleeFrameTagSlot):
2475         (JSC::AssemblyHelpers::calleeFramePayloadSlot):
2476         (JSC::AssemblyHelpers::calleeArgumentTagSlot):
2477         (JSC::AssemblyHelpers::calleeArgumentPayloadSlot):
2478         (JSC::AssemblyHelpers::calleeFrameCallerFrame):
2479         (JSC::AssemblyHelpers::selectScratchGPR):
2480         * jit/CCallHelpers.h:
2481         (JSC::CCallHelpers::setupArgumentsWithExecState):
2482         * jit/GPRInfo.h:
2483         * jit/JIT.cpp:
2484         (JSC::JIT::privateCompile):
2485         * jit/JIT.h:
2486         * jit/JITCall.cpp:
2487         (JSC::JIT::compileSetupVarargsFrame):
2488         (JSC::JIT::compileOpCall):
2489         * jit/JITCall32_64.cpp:
2490         (JSC::JIT::compileSetupVarargsFrame):
2491         (JSC::JIT::compileOpCall):
2492         * jit/JITOperations.h:
2493         * jit/SetupVarargsFrame.cpp:
2494         (JSC::emitSetupVarargsFrameFastCase):
2495         * jit/SetupVarargsFrame.h:
2496         * runtime/Arguments.h:
2497         (JSC::Arguments::create):
2498         (JSC::Arguments::registerArraySizeInBytes):
2499         (JSC::Arguments::finishCreation):
2500         * runtime/Options.h:
2501         * tests/stress/construct-varargs-inline-smaller-Foo.js: Added.
2502         (Foo):
2503         (bar):
2504         (checkEqual):
2505         (test):
2506         * tests/stress/construct-varargs-inline.js: Added.
2507         (Foo):
2508         (bar):
2509         (checkEqual):
2510         (test):
2511         * tests/stress/construct-varargs-no-inline.js: Added.
2512         (Foo):
2513         (bar):
2514         (checkEqual):
2515         (test):
2516         * tests/stress/get-argument-by-val-in-inlined-varargs-call-out-of-bounds.js: Added.
2517         (foo):
2518         (bar):
2519         * tests/stress/get-argument-by-val-safe-in-inlined-varargs-call-out-of-bounds.js: Added.
2520         (foo):
2521         (bar):
2522         * tests/stress/get-my-argument-by-val-creates-arguments.js: Added.
2523         (blah):
2524         (foo):
2525         (bar):
2526         (checkEqual):
2527         (test):
2528         * tests/stress/load-varargs-then-inlined-call-exit-in-foo.js: Added.
2529         (foo):
2530         (bar):
2531         (checkEqual):
2532         * tests/stress/load-varargs-then-inlined-call-inlined.js: Added.
2533         (foo):
2534         (bar):
2535         (baz):
2536         (checkEqual):
2537         (test):
2538         * tests/stress/load-varargs-then-inlined-call.js: Added.
2539         (foo):
2540         (bar):
2541         (checkEqual):
2542         (test):
2543
2544 2015-02-17  Michael Saboff  <msaboff@apple.com>
2545
2546         Unreviewed, restoring the C LOOP insta-crash fix in r180184.
2547
2548         Fixed a typo that only affected the C Loop in the prologue() macro in LowLevelInterpreter.asm.
2549         After the stackHeightOKGetCodeBlock label, codeBlockSetter(t1) should be codeBlockGetter(t1).
2550
2551         * llint/LowLevelInterpreter.asm: Fixed a typo.
2552
2553 2015-02-18  Csaba Osztrogonác  <ossy@webkit.org>
2554
2555         URTBF after r180258 to fix Windows build.
2556
2557         * runtime/MathCommon.cpp:
2558         (JSC::mathPowInternal):
2559
2560 2015-02-18  Joseph Pecoraro  <pecoraro@apple.com>
2561
2562         REGRESSION(r180235): It broke the !ENABLE(PROMISES) build
2563         https://bugs.webkit.org/show_bug.cgi?id=141746
2564
2565         Unreviewed build fix.
2566
2567         * inspector/JSInjectedScriptHost.cpp:
2568         (Inspector::JSInjectedScriptHost::getInternalProperties):
2569         Wrap JSPromise related code in ENABLE(PROMISES) guard.
2570
2571 2015-02-18  Benjamin Poulain  <benjamin@webkit.org>
2572
2573         Fix the C-Loop LLInt build
2574         https://bugs.webkit.org/show_bug.cgi?id=141618
2575
2576         Reviewed by Filip Pizlo.
2577
2578         I broke C-Loop when moving the common code of pow()
2579         to JITOperations because that file is #ifdefed out
2580         when the JITs are disabled.
2581
2582         It would be weird to move it back to MathObject since
2583         the function needs to know about the calling conventions.
2584
2585         To avoid making a mess, I just gave the function its own file
2586         that is used by both the runtime and the JIT.
2587
2588         * CMakeLists.txt:
2589         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2590         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2591         * JavaScriptCore.xcodeproj/project.pbxproj:
2592         * dfg/DFGAbstractInterpreterInlines.h:
2593         * jit/JITOperations.cpp:
2594         * jit/JITOperations.h:
2595         * runtime/MathCommon.cpp: Added.
2596         (JSC::fdlibmScalbn):
2597         (JSC::fdlibmPow):
2598         (JSC::isDenormal):
2599         (JSC::isEdgeCase):
2600         (JSC::mathPowInternal):
2601         (JSC::operationMathPow):
2602         * runtime/MathCommon.h: Added.
2603         * runtime/MathObject.cpp:
2604
2605 2015-02-17  Benjamin Poulain  <bpoulain@apple.com>
2606
2607         Clean up OSRExit's considerAddingAsFrequentExitSite()
2608         https://bugs.webkit.org/show_bug.cgi?id=141690
2609
2610         Reviewed by Anders Carlsson.
2611
2612         Looks like some code was removed from CodeBlock::tallyFrequentExitSites()
2613         and the OSRExit were left untouched.
2614
2615         This patch cleans up the two loops and removes the boolean return
2616         on considerAddingAsFrequentExitSite().
2617
2618         * bytecode/CodeBlock.cpp:
2619         (JSC::CodeBlock::tallyFrequentExitSites):
2620         * dfg/DFGOSRExit.h:
2621         (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
2622         * dfg/DFGOSRExitBase.cpp:
2623         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
2624         * dfg/DFGOSRExitBase.h:
2625         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSite):
2626         * ftl/FTLOSRExit.h:
2627         (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
2628
2629 2015-02-17  Alexey Proskuryakov  <ap@apple.com>
2630
2631         Debug build fix after r180247.
2632
2633         * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::loweringFailed):
2634
2635 2015-02-17  Commit Queue  <commit-queue@webkit.org>
2636
2637         Unreviewed, rolling out r180184.
2638         https://bugs.webkit.org/show_bug.cgi?id=141733
2639
2640         Caused infinite recursion on js/function-apply-aliased.html
2641         (Requested by ap_ on #webkit).
2642
2643         Reverted changeset:
2644
2645         "REGRESSION(r180060): C Loop crashes"
2646         https://bugs.webkit.org/show_bug.cgi?id=141671
2647         http://trac.webkit.org/changeset/180184
2648
2649 2015-02-17  Michael Saboff  <msaboff@apple.com>
2650
2651         CrashTracer: DFG_CRASH beneath JSC::FTL::LowerDFGToLLVM::compileNode
2652         https://bugs.webkit.org/show_bug.cgi?id=141730
2653
2654         Reviewed by Geoffrey Garen.
2655
2656         Added a new failure handler, loweringFailed(), to LowerDFGToLLVM that reports failures
2657         while processing DFG lowering.  For debug builds, the failures are logged identically
2658         to the way the DFG_CRASH() reports them.  For release builds, the failures are reported
2659         and that FTL compilation is terminated, but the process is allowed to continue.
2660         Wrapped calls to loweringFailed() in a macro LOWERING_FAILED so the function and
2661         line number are reported at the point of the inconsistency.
2662
2663         Converted instances of DFG_CRASH to LOWERING_FAILED.
2664
2665         * dfg/DFGPlan.cpp:
2666         (JSC::DFG::Plan::compileInThreadImpl): Added lowerDFGToLLVM() failure check that
2667         will fail the FTL compile.
2668
2669         * ftl/FTLLowerDFGToLLVM.cpp:
2670         (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
2671         Added new member variable, m_loweringSucceeded, to stop compilation on the first
2672         reported failure.
2673
2674         * ftl/FTLLowerDFGToLLVM.cpp:
2675         (JSC::FTL::LowerDFGToLLVM::lower):
2676         * ftl/FTLLowerDFGToLLVM.h:
2677         Added check for compilation failures and now report those failures via a boolean
2678         return value.
2679
2680         * ftl/FTLLowerDFGToLLVM.cpp:
2681         (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
2682         (JSC::FTL::LowerDFGToLLVM::compileNode):
2683         (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
2684         (JSC::FTL::LowerDFGToLLVM::compilePhi):
2685         (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
2686         (JSC::FTL::LowerDFGToLLVM::compileValueRep):
2687         (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
2688         (JSC::FTL::LowerDFGToLLVM::compilePutLocal):
2689         (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
2690         (JSC::FTL::LowerDFGToLLVM::compileArithMul):
2691         (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
2692         (JSC::FTL::LowerDFGToLLVM::compileArithMod):
2693         (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
2694         (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
2695         (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
2696         (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
2697         (JSC::FTL::LowerDFGToLLVM::compileGetById):
2698         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
2699         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
2700         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2701         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2702         (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
2703         (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
2704         (JSC::FTL::LowerDFGToLLVM::compileNewArray):
2705         (JSC::FTL::LowerDFGToLLVM::compileToString):
2706         (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
2707         (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
2708         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
2709         (JSC::FTL::LowerDFGToLLVM::compileSwitch):
2710         (JSC::FTL::LowerDFGToLLVM::compare):
2711         (JSC::FTL::LowerDFGToLLVM::boolify):
2712         (JSC::FTL::LowerDFGToLLVM::opposite):
2713         (JSC::FTL::LowerDFGToLLVM::lowJSValue):
2714         (JSC::FTL::LowerDFGToLLVM::speculate):
2715         (JSC::FTL::LowerDFGToLLVM::isArrayType):
2716         (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
2717         (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
2718         (JSC::FTL::LowerDFGToLLVM::setInt52):
2719         Changed DFG_CRASH() to LOWERING_FAILED().  Updated related control flow as appropriate.
2720
2721         (JSC::FTL::LowerDFGToLLVM::loweringFailed): New error reporting member function.
2722
2723 2015-02-17  Filip Pizlo  <fpizlo@apple.com>
2724
2725         StackLayoutPhase should use CodeBlock::usesArguments rather than FunctionExecutable::usesArguments
2726         https://bugs.webkit.org/show_bug.cgi?id=141721
2727         rdar://problem/17198633
2728
2729         Reviewed by Michael Saboff.
2730         
2731         I've seen cases where the two are out of sync.  We know we can trust the CodeBlock::usesArguments because
2732         we use it everywhere else.
2733         
2734         No test because I could never reproduce the crash.
2735
2736         * dfg/DFGGraph.h:
2737         (JSC::DFG::Graph::usesArguments):
2738         * dfg/DFGStackLayoutPhase.cpp:
2739         (JSC::DFG::StackLayoutPhase::run):
2740
2741 2015-02-16  Joseph Pecoraro  <pecoraro@apple.com>
2742
2743         Web Inspector: Improved Console Support for Bound Functions
2744         https://bugs.webkit.org/show_bug.cgi?id=141635
2745
2746         Reviewed by Timothy Hatcher.
2747
2748         * inspector/JSInjectedScriptHost.cpp:
2749         (Inspector::JSInjectedScriptHost::getInternalProperties):
2750         Expose internal properties of a JSBoundFunction.
2751
2752 2015-02-16  Joseph Pecoraro  <pecoraro@apple.com>
2753
2754         Web Inspector: ES6: Improved Console Support for Promise Objects
2755         https://bugs.webkit.org/show_bug.cgi?id=141634
2756
2757         Reviewed by Timothy Hatcher.
2758
2759         * inspector/InjectedScript.cpp:
2760         (Inspector::InjectedScript::getInternalProperties):
2761         * inspector/InjectedScriptSource.js:
2762         Include internal properties in previews. Share code
2763         with normal internal property handling.
2764
2765         * inspector/JSInjectedScriptHost.cpp:
2766         (Inspector::constructInternalProperty):
2767         (Inspector::JSInjectedScriptHost::getInternalProperties):
2768         Provide internal state of Promises.
2769
2770         * inspector/protocol/Runtime.json:
2771         Provide an optional field to distinguish if a PropertyPreview
2772         is for an Internal property or not.
2773
2774 2015-02-17  Filip Pizlo  <fpizlo@apple.com>
2775
2776         Throwing from an FTL call IC slow path may result in tag registers being clobbered on 64-bit CPUs
2777         https://bugs.webkit.org/show_bug.cgi?id=141717
2778         rdar://problem/19863382
2779
2780         Reviewed by Geoffrey Garen.
2781         
2782         The best solution is to ensure that the engine catching an exception restores tag registers.
2783         
2784         Each of these new test cases reliably crashed prior to this patch and they don't crash at all now.
2785
2786         * jit/JITOpcodes.cpp:
2787         (JSC::JIT::emit_op_catch):
2788         * llint/LowLevelInterpreter.asm:
2789         * llint/LowLevelInterpreter64.asm:
2790         * tests/stress/throw-from-ftl-call-ic-slow-path-cells.js: Added.
2791         * tests/stress/throw-from-ftl-call-ic-slow-path-undefined.js: Added.
2792         * tests/stress/throw-from-ftl-call-ic-slow-path.js: Added.
2793
2794 2015-02-17  Csaba Osztrogonác  <ossy@webkit.org>
2795
2796         [ARM] Add the necessary setupArgumentsWithExecState after bug141332
2797         https://bugs.webkit.org/show_bug.cgi?id=141714
2798
2799         Reviewed by Michael Saboff.
2800
2801         * jit/CCallHelpers.h:
2802         (JSC::CCallHelpers::setupArgumentsWithExecState):
2803
2804 2015-02-15  Sam Weinig  <sam@webkit.org>
2805
2806         Add experimental <attachment> element support
2807         https://bugs.webkit.org/show_bug.cgi?id=141626
2808
2809         Reviewed by Tim Horton.
2810
2811         * Configurations/FeatureDefines.xcconfig:
2812
2813 2015-02-16  Michael Saboff  <msaboff@apple.com>
2814
2815         REGRESSION(r180060): C Loop crashes
2816         https://bugs.webkit.org/show_bug.cgi?id=141671
2817
2818         Reviewed by Geoffrey Garen.
2819
2820         Fixed a typo that only affected the C Loop in the prologue() macro in LowLevelInterpreter.asm.
2821         After the stackHeightOKGetCodeBlock label, codeBlockSetter(t1) should be codeBlockGetter(t1).
2822         Fixed the processing of an out of stack exception in llint_stack_check to not get the caller's
2823         frame.  This isn't needed, since this helper is only called to check the stack on entry.  Any
2824         exception will be handled by a call ancestor.
2825
2826         * llint/LLIntSlowPaths.cpp:
2827         (JSC::LLInt::llint_stack_check): Changed to use the current frame for processing an exception.
2828         * llint/LowLevelInterpreter.asm: Fixed a typo.
2829
2830 2015-02-16  Joseph Pecoraro  <pecoraro@apple.com>
2831
2832         Web Inspector: Scope details sidebar should label objects with constructor names
2833         https://bugs.webkit.org/show_bug.cgi?id=139449
2834
2835         Reviewed by Timothy Hatcher.
2836
2837         * inspector/JSInjectedScriptHost.cpp:
2838         (Inspector::JSInjectedScriptHost::internalConstructorName):
2839         * runtime/Structure.cpp:
2840         (JSC::Structure::toStructureShape):
2841         Share calculatedClassName.
2842
2843         * runtime/JSObject.h:
2844         * runtime/JSObject.cpp:
2845         (JSC::JSObject::calculatedClassName):
2846         Elaborate on a way to get an Object's class name.
2847
2848 2015-02-16  Filip Pizlo  <fpizlo@apple.com>
2849
2850         DFG SSA should use GetLocal for arguments, and the GetArgument node type should be removed
2851         https://bugs.webkit.org/show_bug.cgi?id=141623
2852
2853         Reviewed by Oliver Hunt.
2854         
2855         During development of https://bugs.webkit.org/show_bug.cgi?id=141332, I realized that I
2856         needed to use GetArgument for loading something that has magically already appeared on the
2857         stack, so currently trunk sort of allows this. But then I realized three things:
2858         
2859         - A GetArgument with a non-JSValue flush format means speculating that the value on the
2860           stack obeys that format, rather than just assuming that it already has that format.
2861           In bug 141332, I want it to assume rather than speculate. That also happens to be more
2862           intuitive; I don't think I was wrong to expect that.
2863         
2864         - The node I really want is GetLocal. I'm just getting the value of the local and I don't
2865           want to do anything else.
2866         
2867         - Maybe it would be easier if we just used GetLocal for all of the cases where we currently
2868           use GetArgument.
2869         
2870         This changes the FTL to do argument speculations in the prologue just like the DFG does.
2871         This brings some consistency to our system, and allows us to get rid of the GetArgument
2872         node. The speculations that the FTL must do are now made explicit in the m_argumentFormats
2873         vector in DFG::Graph. This has natural DCE behavior: even if all uses of the argument are
2874         dead we will still speculate. We already have safeguards to ensure we only speculate if
2875         there are uses that benefit from speculation (which is a much more conservative criterion
2876         than DCE).
2877         
2878         * dfg/DFGAbstractInterpreterInlines.h:
2879         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2880         * dfg/DFGClobberize.h:
2881         (JSC::DFG::clobberize):
2882         * dfg/DFGDCEPhase.cpp:
2883         (JSC::DFG::DCEPhase::run):
2884         * dfg/DFGDoesGC.cpp:
2885         (JSC::DFG::doesGC):
2886         * dfg/DFGFixupPhase.cpp:
2887         (JSC::DFG::FixupPhase::fixupNode):
2888         * dfg/DFGFlushFormat.h:
2889         (JSC::DFG::typeFilterFor):
2890         * dfg/DFGGraph.cpp:
2891         (JSC::DFG::Graph::dump):
2892         * dfg/DFGGraph.h:
2893         (JSC::DFG::Graph::valueProfileFor):
2894         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2895         * dfg/DFGInPlaceAbstractState.cpp:
2896         (JSC::DFG::InPlaceAbstractState::initialize):
2897         * dfg/DFGNode.cpp:
2898         (JSC::DFG::Node::hasVariableAccessData):
2899         * dfg/DFGNodeType.h:
2900         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2901         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
2902         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
2903         * dfg/DFGPredictionPropagationPhase.cpp:
2904         (JSC::DFG::PredictionPropagationPhase::propagate):
2905         * dfg/DFGPutLocalSinkingPhase.cpp:
2906         * dfg/DFGSSAConversionPhase.cpp:
2907         (JSC::DFG::SSAConversionPhase::run):
2908         * dfg/DFGSafeToExecute.h:
2909         (JSC::DFG::safeToExecute):
2910         * dfg/DFGSpeculativeJIT32_64.cpp:
2911         (JSC::DFG::SpeculativeJIT::compile):
2912         * dfg/DFGSpeculativeJIT64.cpp:
2913         (JSC::DFG::SpeculativeJIT::compile):
2914         * ftl/FTLCapabilities.cpp:
2915         (JSC::FTL::canCompile):
2916         * ftl/FTLLowerDFGToLLVM.cpp:
2917         (JSC::FTL::LowerDFGToLLVM::lower):
2918         (JSC::FTL::LowerDFGToLLVM::compileNode):
2919         (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
2920         (JSC::FTL::LowerDFGToLLVM::compileGetArgument): Deleted.
2921         * tests/stress/dead-speculating-argument-use.js: Added.
2922         (foo):
2923         (o.valueOf):
2924
2925 2015-02-15  Filip Pizlo  <fpizlo@apple.com>
2926
2927         Rare case profiling should actually work
2928         https://bugs.webkit.org/show_bug.cgi?id=141632
2929
2930         Reviewed by Michael Saboff.
2931         
2932         This simple adjustment appears to be a 2% speed-up on Octane. Over time, the slow case
2933         heuristic has essentially stopped working because the typical execution count threshold for a
2934         bytecode instruction is around 66 while the slow case threshold is 100: virtually
2935         guaranteeing that the DFG will never think that a bytecode instruction has taken the slow
2936         case even if it took it every single time. So, this changes the slow case threshold to 20.
2937         
2938         I checked if we could lower this down further, like to 10. That is worse than 20, and about
2939         as bad as 100.
2940
2941         * runtime/Options.h:
2942
2943 2015-02-15  Brian J. Burg  <burg@cs.washington.edu>
2944
2945         Web Inspector: remove unused XHR replay code
2946         https://bugs.webkit.org/show_bug.cgi?id=141622
2947
2948         Reviewed by Timothy Hatcher.
2949
2950         * inspector/protocol/Network.json: remove XHR replay methods.
2951
2952 2015-02-15  David Kilzer  <ddkilzer@apple.com>
2953
2954         REGRESSION (r180082): WebCore Debug builds fail on Mavericks due to weak export symbols
2955         <http://webkit.org/b/141607>
2956
2957         More work towards fixing the Mavericks Debug build.
2958
2959         * inspector/ScriptDebugServer.h:
2960         (Inspector::ScriptDebugServer::Task):
2961         * inspector/agents/InspectorDebuggerAgent.h:
2962         (Inspector::InspectorDebuggerAgent::Listener):
2963         - Remove subclass exports. They did not help.
2964
2965         * runtime/JSCJSValue.h:
2966         (JSC::JSValue::toFloat): Do not mark inline method for export.
2967
2968 2015-02-09  Brian J. Burg  <burg@cs.washington.edu>
2969
2970         Web Inspector: remove some unnecessary Inspector prefixes from class names in Inspector namespace
2971         https://bugs.webkit.org/show_bug.cgi?id=141372
2972
2973         Reviewed by Joseph Pecoraro.
2974
2975         * inspector/ConsoleMessage.cpp:
2976         (Inspector::ConsoleMessage::addToFrontend):
2977         (Inspector::ConsoleMessage::updateRepeatCountInConsole):
2978         * inspector/ConsoleMessage.h:
2979         * inspector/InspectorAgentBase.h:
2980         * inspector/InspectorAgentRegistry.cpp:
2981         (Inspector::AgentRegistry::AgentRegistry):
2982         (Inspector::AgentRegistry::append):
2983         (Inspector::AgentRegistry::appendExtraAgent):
2984         (Inspector::AgentRegistry::didCreateFrontendAndBackend):
2985         (Inspector::AgentRegistry::willDestroyFrontendAndBackend):
2986         (Inspector::AgentRegistry::discardAgents):
2987         (Inspector::InspectorAgentRegistry::InspectorAgentRegistry): Deleted.
2988         (Inspector::InspectorAgentRegistry::append): Deleted.
2989         (Inspector::InspectorAgentRegistry::appendExtraAgent): Deleted.
2990         (Inspector::InspectorAgentRegistry::didCreateFrontendAndBackend): Deleted.
2991         (Inspector::InspectorAgentRegistry::willDestroyFrontendAndBackend): Deleted.
2992         (Inspector::InspectorAgentRegistry::discardAgents): Deleted.
2993         * inspector/InspectorAgentRegistry.h:
2994         * inspector/InspectorBackendDispatcher.cpp:
2995         (Inspector::BackendDispatcher::CallbackBase::CallbackBase):
2996         (Inspector::BackendDispatcher::CallbackBase::isActive):
2997         (Inspector::BackendDispatcher::CallbackBase::sendFailure):
2998         (Inspector::BackendDispatcher::CallbackBase::sendIfActive):
2999         (Inspector::BackendDispatcher::create):
3000         (Inspector::BackendDispatcher::registerDispatcherForDomain):
3001         (Inspector::BackendDispatcher::dispatch):
3002         (Inspector::BackendDispatcher::sendResponse):
3003         (Inspector::BackendDispatcher::reportProtocolError):
3004         (Inspector::BackendDispatcher::getInteger):
3005         (Inspector::BackendDispatcher::getDouble):
3006         (Inspector::BackendDispatcher::getString):
3007         (Inspector::BackendDispatcher::getBoolean):
3008         (Inspector::BackendDispatcher::getObject):
3009         (Inspector::BackendDispatcher::getArray):
3010         (Inspector::BackendDispatcher::getValue):
3011         (Inspector::InspectorBackendDispatcher::CallbackBase::CallbackBase): Deleted.
3012         (Inspector::InspectorBackendDispatcher::CallbackBase::isActive): Deleted.
3013         (Inspector::InspectorBackendDispatcher::CallbackBase::sendFailure): Deleted.
3014         (Inspector::InspectorBackendDispatcher::CallbackBase::sendIfActive): Deleted.
3015         (Inspector::InspectorBackendDispatcher::create): Deleted.
3016         (Inspector::InspectorBackendDispatcher::registerDispatcherForDomain): Deleted.
3017         (Inspector::InspectorBackendDispatcher::dispatch): Deleted.
3018         (Inspector::InspectorBackendDispatcher::sendResponse): Deleted.
3019         (Inspector::InspectorBackendDispatcher::reportProtocolError): Deleted.
3020         (Inspector::InspectorBackendDispatcher::getInteger): Deleted.
3021         (Inspector::InspectorBackendDispatcher::getDouble): Deleted.
3022         (Inspector::InspectorBackendDispatcher::getString): Deleted.
3023         (Inspector::InspectorBackendDispatcher::getBoolean): Deleted.
3024         (Inspector::InspectorBackendDispatcher::getObject): Deleted.
3025         (Inspector::InspectorBackendDispatcher::getArray): Deleted.
3026         (Inspector::InspectorBackendDispatcher::getValue): Deleted.
3027         * inspector/InspectorBackendDispatcher.h:
3028         (Inspector::SupplementalBackendDispatcher::SupplementalBackendDispatcher):
3029         (Inspector::SupplementalBackendDispatcher::~SupplementalBackendDispatcher):
3030         (Inspector::InspectorSupplementalBackendDispatcher::InspectorSupplementalBackendDispatcher): Deleted.
3031         (Inspector::InspectorSupplementalBackendDispatcher::~InspectorSupplementalBackendDispatcher): Deleted.
3032         * inspector/InspectorFrontendChannel.h:
3033         (Inspector::FrontendChannel::~FrontendChannel):
3034         (Inspector::InspectorFrontendChannel::~InspectorFrontendChannel): Deleted.
3035         * inspector/JSGlobalObjectInspectorController.cpp:
3036         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3037         (Inspector::JSGlobalObjectInspectorController::globalObjectDestroyed):
3038         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
3039         (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
3040         (Inspector::JSGlobalObjectInspectorController::dispatchMessageFromFrontend):
3041         (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
3042         * inspector/JSGlobalObjectInspectorController.h:
3043         * inspector/agents/InspectorAgent.cpp:
3044         (Inspector::InspectorAgent::didCreateFrontendAndBackend):
3045         (Inspector::InspectorAgent::willDestroyFrontendAndBackend):
3046         * inspector/agents/InspectorAgent.h:
3047         * inspector/agents/InspectorConsoleAgent.cpp:
3048         (Inspector::InspectorConsoleAgent::didCreateFrontendAndBackend):
3049         (Inspector::InspectorConsoleAgent::willDestroyFrontendAndBackend):
3050         * inspector/agents/InspectorConsoleAgent.h:
3051         * inspector/agents/InspectorDebuggerAgent.cpp:
3052         (Inspector::InspectorDebuggerAgent::didCreateFrontendAndBackend):
3053         (Inspector::InspectorDebuggerAgent::willDestroyFrontendAndBackend):
3054         (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
3055         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
3056         (Inspector::InspectorDebuggerAgent::pause):
3057         (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
3058         (Inspector::InspectorDebuggerAgent::didPause):
3059         (Inspector::InspectorDebuggerAgent::breakProgram):
3060         (Inspector::InspectorDebuggerAgent::clearBreakDetails):
3061         * inspector/agents/InspectorDebuggerAgent.h:
3062         * inspector/agents/InspectorRuntimeAgent.cpp:
3063         (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
3064         * inspector/agents/InspectorRuntimeAgent.h:
3065         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
3066         (Inspector::JSGlobalObjectRuntimeAgent::didCreateFrontendAndBackend):
3067         (Inspector::JSGlobalObjectRuntimeAgent::willDestroyFrontendAndBackend):
3068         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
3069         * inspector/augmentable/AlternateDispatchableAgent.h:
3070         * inspector/augmentable/AugmentableInspectorController.h:
3071         * inspector/remote/RemoteInspectorDebuggable.h:
3072         * inspector/remote/RemoteInspectorDebuggableConnection.h:
3073         * inspector/scripts/codegen/cpp_generator.py:
3074         (CppGenerator.cpp_type_for_formal_out_parameter):
3075         (CppGenerator.cpp_type_for_stack_out_parameter):
3076         * inspector/scripts/codegen/cpp_generator_templates.py:
3077         (AlternateBackendDispatcher):
3078         (Alternate):
3079         (void):
3080         (AlternateInspectorBackendDispatcher): Deleted.
3081         (AlternateInspector): Deleted.
3082         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
3083         (CppBackendDispatcherHeaderGenerator._generate_alternate_handler_forward_declarations_for_domains.Alternate):
3084         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
3085         (CppBackendDispatcherHeaderGenerator._generate_alternate_handler_forward_declarations_for_domains.AlternateInspector): Deleted.
3086         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
3087         (CppBackendDispatcherImplementationGenerator._generate_handler_class_destructor_for_domain):
3088         (CppBackendDispatcherImplementationGenerator._generate_large_dispatcher_switch_implementation_for_domain):
3089         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
3090         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
3091         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
3092         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
3093         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
3094         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
3095         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
3096         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
3097         * inspector/scripts/tests/expected/enum-values.json-result:
3098         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
3099         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
3100         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
3101         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
3102         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
3103         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
3104         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
3105         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
3106         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
3107         * runtime/JSGlobalObjectDebuggable.cpp:
3108         (JSC::JSGlobalObjectDebuggable::connect):
3109         (JSC::JSGlobalObjectDebuggable::disconnect):
3110         * runtime/JSGlobalObjectDebuggable.h:
3111
3112 2015-02-14  David Kilzer  <ddkilzer@apple.com>
3113
3114         REGRESSION (r180082): WebCore Debug builds fail on Mavericks due to weak export symbols
3115         <http://webkit.org/b/141607>
3116
3117         Work towards fixing the Mavericks Debug build.
3118
3119         * inspector/ScriptDebugServer.h:
3120         (Inspector::ScriptDebugServer::Task): Export class.
3121         * inspector/agents/InspectorDebuggerAgent.h:
3122         (Inspector::InspectorDebuggerAgent::Listener): Export class.
3123         * runtime/JSGlobalObject.h:
3124         (JSC::JSGlobalObject::setConsoleClient): Do not mark inline
3125         method for export.
3126
3127 2015-02-14  Joseph Pecoraro  <pecoraro@apple.com>
3128
3129         Web Inspector: Symbol RemoteObject should not send sub-type
3130         https://bugs.webkit.org/show_bug.cgi?id=141604
3131
3132         Reviewed by Brian Burg.
3133
3134         * inspector/InjectedScriptSource.js:
3135
3136 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
3137
3138         Attempt to fix 32bits build after r180098
3139
3140         * jit/JITOperations.cpp:
3141         * jit/JITOperations.h:
3142         I copied the attribute from the MathObject version of that function when I moved
3143         it over. DFG has no version of a function call taking those attributes.
3144
3145 2015-02-13  Joseph Pecoraro  <pecoraro@apple.com>
3146
3147         JSContext Inspector: Do not stash console messages for non-debuggable JSContext
3148         https://bugs.webkit.org/show_bug.cgi?id=141589
3149
3150         Reviewed by Timothy Hatcher.
3151
3152         Consider developer extras disabled for JSContext inspection if the
3153         RemoteInspector server is not enabled (typically a non-debuggable
3154         process rejected by webinspectord) or if remote debugging on the
3155         JSContext was explicitly disabled via SPI.
3156
3157         When developer extras are disabled, console messages will not be stashed.
3158
3159         * inspector/JSGlobalObjectInspectorController.cpp:
3160         (Inspector::JSGlobalObjectInspectorController::developerExtrasEnabled):
3161         * inspector/JSGlobalObjectInspectorController.h:
3162
3163 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
3164
3165         Add a DFG node for the Pow Intrinsics
3166         https://bugs.webkit.org/show_bug.cgi?id=141540
3167
3168         Reviewed by Filip Pizlo.
3169
3170         Add a DFG Node for PowIntrinsic. This patch covers the basic cases
3171         needed to avoid massive regression. I will iterate over the node to cover
3172         the missing types.
3173
3174         With this patch I get the following progressions on benchmarks:
3175         -LongSpider's math-partial-sums: +5%.
3176         -Kraken's imaging-darkroom: +17%
3177         -AsmBench's cray.c: +6.6%
3178         -CompressionBench: +2.2% globally.
3179
3180         * dfg/DFGAbstractInterpreterInlines.h:
3181         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3182         Cover a couple of trivial cases:
3183         -If the exponent is zero, the result is always one, regardless of the base.
3184         -If both arguments are constants, compute the result at compile time.
3185
3186         * dfg/DFGByteCodeParser.cpp:
3187         (JSC::DFG::ByteCodeParser::handleIntrinsic):
3188         * dfg/DFGClobberize.h:
3189         (JSC::DFG::clobberize):
3190         * dfg/DFGDoesGC.cpp:
3191         (JSC::DFG::doesGC):
3192
3193         * dfg/DFGFixupPhase.cpp:
3194         (JSC::DFG::FixupPhase::fixupNode):
3195         We only support 2 basic cases at this time:
3196         -Math.pow(double, int)
3197         -Math.pow(double, double).
3198
3199         I'll cover Math.pow(int, int) in a follow up.
3200
3201         * dfg/DFGNode.h:
3202         (JSC::DFG::Node::convertToArithSqrt):
3203         (JSC::DFG::Node::arithNodeFlags):
3204         * dfg/DFGNodeType.h:
3205         * dfg/DFGPredictionPropagationPhase.cpp:
3206         (JSC::DFG::PredictionPropagationPhase::propagate):
3207         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
3208         * dfg/DFGSafeToExecute.h:
3209         (JSC::DFG::safeToExecute):
3210         * dfg/DFGSpeculativeJIT.cpp:
3211         (JSC::DFG::compileArithPowIntegerFastPath):
3212         (JSC::DFG::SpeculativeJIT::compileArithPow):
3213         * dfg/DFGSpeculativeJIT.h:
3214         * dfg/DFGSpeculativeJIT32_64.cpp:
3215         (JSC::DFG::SpeculativeJIT::compile):
3216         * dfg/DFGSpeculativeJIT64.cpp:
3217         (JSC::DFG::SpeculativeJIT::compile):
3218         * dfg/DFGStrengthReductionPhase.cpp:
3219         (JSC::DFG::StrengthReductionPhase::handleNode):
3220         * dfg/DFGValidate.cpp:
3221         (JSC::DFG::Validate::validate):
3222         * ftl/FTLCapabilities.cpp:
3223         (JSC::FTL::canCompile):
3224         * ftl/FTLIntrinsicRepository.h:
3225         * ftl/FTLLowerDFGToLLVM.cpp:
3226         (JSC::FTL::LowerDFGToLLVM::compileNode):
3227         (JSC::FTL::LowerDFGToLLVM::compileArithPow):
3228         * ftl/FTLOutput.h:
3229         (JSC::FTL::Output::doublePow):
3230         (JSC::FTL::Output::doublePowi):
3231         * jit/JITOperations.cpp:
3232         * jit/JITOperations.h:
3233         * runtime/MathObject.cpp:
3234         (JSC::mathProtoFuncPow):
3235         (JSC::isDenormal): Deleted.
3236         (JSC::isEdgeCase): Deleted.
3237         (JSC::mathPow): Deleted.
3238
3239         * tests/stress/math-pow-basics.js: Added.
3240         * tests/stress/math-pow-integer-exponent-fastpath.js: Added.
3241         * tests/stress/math-pow-nan-behaviors.js: Added.
3242         * tests/stress/math-pow-with-constants.js: Added.
3243         Start some basic testing of Math.pow().
3244         Due to the various transforms, the values change when the code tiers up;
3245         I covered this by checking for approximate values.
3246
3247 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
3248
3249         ArithSqrt should not be conditional on supportsFloatingPointSqrt
3250         https://bugs.webkit.org/show_bug.cgi?id=141546
3251
3252         Reviewed by Geoffrey Garen and Filip Pizlo.
3253
3254         Just fallback to the function call in the DFG codegen.
3255
3256         * dfg/DFGByteCodeParser.cpp:
3257         (JSC::DFG::ByteCodeParser::handleIntrinsic):
3258         * dfg/DFGSpeculativeJIT.cpp:
3259         (JSC::DFG::SpeculativeJIT::compileArithSqrt):
3260         * dfg/DFGSpeculativeJIT.h:
3261         * dfg/DFGSpeculativeJIT32_64.cpp:
3262         (JSC::DFG::SpeculativeJIT::compile):
3263         * dfg/DFGSpeculativeJIT64.cpp:
3264         (JSC::DFG::SpeculativeJIT::compile):
3265         * tests/stress/math-sqrt-basics.js: Added.
3266         Basic coverage.
3267
3268         * tests/stress/math-sqrt-basics-disable-architecture-specific-optimizations.js: Added.
3269         Same tests but forcing the function call.
3270
3271 2015-02-13  Michael Saboff  <msaboff@apple.com>
3272
3273         REGRESSION(r180060) New js/regress-141098 test crashes when LLInt is disabled.
3274         https://bugs.webkit.org/show_bug.cgi?id=141577
3275
3276         Reviewed by Benjamin Poulain.
3277
3278         Changed the prologue of the baseline JIT to check for stack space for all
3279         types of code blocks.  Previously, it was only checking Function.  Now
3280         it checks Program and Eval as well.
3281
3282         * jit/JIT.cpp:
3283         (JSC::JIT::privateCompile):
3284
3285 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
3286
3287         Generate incq instead of addq when the immediate value is one
3288         https://bugs.webkit.org/show_bug.cgi?id=141548
3289
3290         Reviewed by Gavin Barraclough.
3291
3292         JSC emits "addq #1 (rXX)" *a lot*.
3293         This patch replaces that by incq, which is one byte shorter
3294         and is the advised form.
3295
3296         Sunspider: +0.47%
3297         Octane: +0.28%
3298         Kraken: +0.44%
3299         AsmBench, CompressionBench: neutral.
3300
3301         * assembler/MacroAssemblerX86_64.h:
3302         (JSC::MacroAssemblerX86_64::add64):
3303         * assembler/X86Assembler.h:
3304         (JSC::X86Assembler::incq_m):
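
        Added illustration (not part of this ChangeLog and not the WebKit assembler's own code): a minimal x86-64 encoder showing why "incq offset(base)" is one byte shorter than "addq $1, offset(base)". The helper names and the add64_imm_mem selection rule are assumptions modelled on what the entry describes, not the real JSC::MacroAssemblerX86_64::add64 or X86Assembler::incq_m.

```python
# Constructed example: encode "addq $imm, offset(base)" and "incq offset(base)"
# for x86-64 and compare their lengths. Not the real JSC assembler code.

REGS = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
        "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]


def _rex_w(base):
    """REX.W prefix; REX.B is set when the base register is r8..r15."""
    return 0x48 | (0x01 if REGS.index(base) >= 8 else 0x00)


def _mem_operand(reg_field, base, offset):
    """ModRM (+SIB, +displacement) bytes for [base + offset] with digit /reg_field."""
    low = REGS.index(base) & 7
    if offset == 0 and low != 5:                    # rbp/r13 need an explicit disp8
        mod, disp = 0b00, b""
    elif -128 <= offset <= 127:
        mod, disp = 0b01, offset.to_bytes(1, "little", signed=True)
    else:
        mod, disp = 0b10, offset.to_bytes(4, "little", signed=True)
    out = bytearray([(mod << 6) | (reg_field << 3) | low])
    if low == 4:                                    # rsp/r12 need a SIB byte
        out.append(0x24)
    return bytes(out) + disp


def encode_addq_imm_mem(imm, base, offset=0):
    """addq $imm, offset(base): 83 /0 ib for an 8-bit immediate, else 81 /0 id."""
    if -128 <= imm <= 127:
        opcode, imm_bytes = 0x83, imm.to_bytes(1, "little", signed=True)
    else:
        opcode, imm_bytes = 0x81, imm.to_bytes(4, "little", signed=True)
    return bytes([_rex_w(base), opcode]) + _mem_operand(0, base, offset) + imm_bytes


def encode_incq_mem(base, offset=0):
    """incq offset(base): FF /0, no immediate byte at all."""
    return bytes([_rex_w(base), 0xFF]) + _mem_operand(0, base, offset)


def add64_imm_mem(imm, base, offset=0):
    """Assumed selection rule of the patch: emit incq when the immediate is one."""
    if imm == 1:
        return encode_incq_mem(base, offset)
    return encode_addq_imm_mem(imm, base, offset)


if __name__ == "__main__":
    for name, code in (("addq $1,(%rax)", encode_addq_imm_mem(1, "rax")),
                       ("incq (%rax)", encode_incq_mem("rax"))):
        print(f"{name:16} {code.hex(' ')}  ({len(code)} bytes)")
```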
3305
3306 2015-02-13  Benjamin Poulain  <benjamin@webkit.org>
3307
3308         Little clean up of Bytecode Generator's Label
3309         https://bugs.webkit.org/show_bug.cgi?id=141557
3310
3311         Reviewed by Michael Saboff.
3312
3313         * bytecompiler/BytecodeGenerator.h:
3314         * bytecompiler/BytecodeGenerator.cpp:
3315         Label was a friend of BytecodeGenerator in order to access
3316         m_instructions. There is no need for that; BytecodeGenerator
3317         has a public getter.
3318
3319         * bytecompiler/Label.h:
3320         (JSC::Label::Label):
3321         (JSC::Label::setLocation):
3322         (JSC::BytecodeGenerator::newLabel):
3323         Make it explicit that the generator must exist.
3324
3325 2015-02-13  Michael Saboff  <msaboff@apple.com>
3326
3327         Google doc spreadsheet reproducibly crashes when sorting
3328         https://bugs.webkit.org/show_bug.cgi?id=141098
3329
3330         Reviewed by Oliver Hunt.
3331
3332         Moved the stack check to before the callee registers are allocated in the
3333         prologue() by moving it from the functionInitialization() macro.  This
3334         way we can check the stack before moving the stack pointer, avoiding a
3335         crash during a "call" instruction.  Before this change, we weren't even
3336         checking the stack for program and eval execution.
3337
3338         Made a couple of supporting changes.
3339
3340         * llint/LLIntSlowPaths.cpp:
3341         (JSC::LLInt::llint_stack_check): We can't just go up one frame as we
3342         may be processing an exception to an entry frame.
3343
3344         * llint/LowLevelInterpreter.asm:
3345