StackLayoutPhase should use CodeBlock::usesArguments rather than FunctionExecutable...
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2015-02-17  Filip Pizlo  <fpizlo@apple.com>
2
3         StackLayoutPhase should use CodeBlock::usesArguments rather than FunctionExecutable::usesArguments
4         https://bugs.webkit.org/show_bug.cgi?id=141721
5         rdar://problem/17198633
6
7         Reviewed by Michael Saboff.
8         
9         I've seen cases where the two are out of sync.  We know we can trust the CodeBlock::usesArguments because
10         we use it everywhere else.
11         
12         No test because I could never reproduce the crash.
13
14         * dfg/DFGGraph.h:
15         (JSC::DFG::Graph::usesArguments):
16         * dfg/DFGStackLayoutPhase.cpp:
17         (JSC::DFG::StackLayoutPhase::run):
18
19 2015-02-16  Joseph Pecoraro  <pecoraro@apple.com>
20
21         Web Inspector: Improved Console Support for Bound Functions
22         https://bugs.webkit.org/show_bug.cgi?id=141635
23
24         Reviewed by Timothy Hatcher.
25
26         * inspector/JSInjectedScriptHost.cpp:
27         (Inspector::JSInjectedScriptHost::getInternalProperties):
28         Expose internal properties of a JSBoundFunction.
29
30 2015-02-16  Joseph Pecoraro  <pecoraro@apple.com>
31
32         Web Inspector: ES6: Improved Console Support for Promise Objects
33         https://bugs.webkit.org/show_bug.cgi?id=141634
34
35         Reviewed by Timothy Hatcher.
36
37         * inspector/InjectedScript.cpp:
38         (Inspector::InjectedScript::getInternalProperties):
39         * inspector/InjectedScriptSource.js:
40         Include internal properties in previews. Share code
41         with normal internal property handling.
42
43         * inspector/JSInjectedScriptHost.cpp:
44         (Inspector::constructInternalProperty):
45         (Inspector::JSInjectedScriptHost::getInternalProperties):
46         Provide internal state of Promises.
47
48         * inspector/protocol/Runtime.json:
49         Provide an optional field to distinguish if a PropertyPreview
50         is for an Internal property or not.
51
52 2015-02-17  Filip Pizlo  <fpizlo@apple.com>
53
54         Throwing from an FTL call IC slow path may result in tag registers being clobbered on 64-bit CPUs
55         https://bugs.webkit.org/show_bug.cgi?id=141717
56         rdar://problem/19863382
57
58         Reviewed by Geoffrey Garen.
59         
60         The best solution is to ensure that the engine catching an exception restores tag registers.
61         
62         Each of these new test cases reliably crashed prior to this patch and they don't crash at all now.
63
64         * jit/JITOpcodes.cpp:
65         (JSC::JIT::emit_op_catch):
66         * llint/LowLevelInterpreter.asm:
67         * llint/LowLevelInterpreter64.asm:
68         * tests/stress/throw-from-ftl-call-ic-slow-path-cells.js: Added.
69         * tests/stress/throw-from-ftl-call-ic-slow-path-undefined.js: Added.
70         * tests/stress/throw-from-ftl-call-ic-slow-path.js: Added.
71
72 2015-02-17  Csaba Osztrogonác  <ossy@webkit.org>
73
74         [ARM] Add the necessary setupArgumentsWithExecState after bug141332
75         https://bugs.webkit.org/show_bug.cgi?id=141714
76
77         Reviewed by Michael Saboff.
78
79         * jit/CCallHelpers.h:
80         (JSC::CCallHelpers::setupArgumentsWithExecState):
81
82 2015-02-15  Sam Weinig  <sam@webkit.org>
83
84         Add experimental <attachment> element support
85         https://bugs.webkit.org/show_bug.cgi?id=141626
86
87         Reviewed by Tim Horton.
88
89         * Configurations/FeatureDefines.xcconfig:
90
91 2015-02-16  Michael Saboff  <msaboff@apple.com>
92
93         REGRESSION(r180060): C Loop crashes
94         https://bugs.webkit.org/show_bug.cgi?id=141671
95
96         Reviewed by Geoffrey Garen.
97
98         Fixed a typo that only affected the C Loop in the prologue() macro in LowLevelInterpreter.asm.
99         After the stackHeightOKGetCodeBlock label, codeBlockSetter(t1) should be codeBlockGetter(t1).
100         Fixed the processing of an out of stack exception in llint_stack_check to not get the caller's
101         frame.  This isn't needed, since this helper is only called to check the stack on entry.  Any
102         exception will be handled by a call ancestor.
103
104         * llint/LLIntSlowPaths.cpp:
105         (JSC::LLInt::llint_stack_check): Changed to use the current frame for processing an exception.
106         * llint/LowLevelInterpreter.asm: Fixed a typo.
107
108 2015-02-16  Joseph Pecoraro  <pecoraro@apple.com>
109
110         Web Inspector: Scope details sidebar should label objects with constructor names
111         https://bugs.webkit.org/show_bug.cgi?id=139449
112
113         Reviewed by Timothy Hatcher.
114
115         * inspector/JSInjectedScriptHost.cpp:
116         (Inspector::JSInjectedScriptHost::internalConstructorName):
117         * runtime/Structure.cpp:
118         (JSC::Structure::toStructureShape):
119         Share calculatedClassName.
120
121         * runtime/JSObject.h:        
122         * runtime/JSObject.cpp:
123         (JSC::JSObject::calculatedClassName):
124         Elaborate on a way to get an Object's class name.
125
126 2015-02-16  Filip Pizlo  <fpizlo@apple.com>
127
128         DFG SSA should use GetLocal for arguments, and the GetArgument node type should be removed
129         https://bugs.webkit.org/show_bug.cgi?id=141623
130
131         Reviewed by Oliver Hunt.
132         
133         During development of https://bugs.webkit.org/show_bug.cgi?id=141332, I realized that I
134         needed to use GetArgument for loading something that has magically already appeared on the
135         stack, so currently trunk sort of allows this. But then I realized three things:
136         
137         - A GetArgument with a non-JSValue flush format means speculating that the value on the
138           stack obeys that format, rather than just assuming that it already has that format.
139           In bug 141332, I want it to assume rather than speculate. That also happens to be more
140           intuitive; I don't think I was wrong to expect that.
141         
142         - The node I really want is GetLocal. I'm just getting the value of the local and I don't
143           want to do anything else.
144         
145         - Maybe it would be easier if we just used GetLocal for all of the cases where we currently
146           use GetArgument.
147         
148         This changes the FTL to do argument speculations in the prologue just like the DFG does.
149         This brings some consistency to our system, and allows us to get rid of the GetArgument
150         node. The speculations that the FTL must do are now made explicit in the m_argumentFormats
151         vector in DFG::Graph. This has natural DCE behavior: even if all uses of the argument are
152         dead we will still speculate. We already have safeguards to ensure we only speculate if
153         there are uses that benefit from speculation (which is a much more conservative criterion
154         than DCE).
155         
156         * dfg/DFGAbstractInterpreterInlines.h:
157         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
158         * dfg/DFGClobberize.h:
159         (JSC::DFG::clobberize):
160         * dfg/DFGDCEPhase.cpp:
161         (JSC::DFG::DCEPhase::run):
162         * dfg/DFGDoesGC.cpp:
163         (JSC::DFG::doesGC):
164         * dfg/DFGFixupPhase.cpp:
165         (JSC::DFG::FixupPhase::fixupNode):
166         * dfg/DFGFlushFormat.h:
167         (JSC::DFG::typeFilterFor):
168         * dfg/DFGGraph.cpp:
169         (JSC::DFG::Graph::dump):
170         * dfg/DFGGraph.h:
171         (JSC::DFG::Graph::valueProfileFor):
172         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
173         * dfg/DFGInPlaceAbstractState.cpp:
174         (JSC::DFG::InPlaceAbstractState::initialize):
175         * dfg/DFGNode.cpp:
176         (JSC::DFG::Node::hasVariableAccessData):
177         * dfg/DFGNodeType.h:
178         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
179         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
180         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
181         * dfg/DFGPredictionPropagationPhase.cpp:
182         (JSC::DFG::PredictionPropagationPhase::propagate):
183         * dfg/DFGPutLocalSinkingPhase.cpp:
184         * dfg/DFGSSAConversionPhase.cpp:
185         (JSC::DFG::SSAConversionPhase::run):
186         * dfg/DFGSafeToExecute.h:
187         (JSC::DFG::safeToExecute):
188         * dfg/DFGSpeculativeJIT32_64.cpp:
189         (JSC::DFG::SpeculativeJIT::compile):
190         * dfg/DFGSpeculativeJIT64.cpp:
191         (JSC::DFG::SpeculativeJIT::compile):
192         * ftl/FTLCapabilities.cpp:
193         (JSC::FTL::canCompile):
194         * ftl/FTLLowerDFGToLLVM.cpp:
195         (JSC::FTL::LowerDFGToLLVM::lower):
196         (JSC::FTL::LowerDFGToLLVM::compileNode):
197         (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
198         (JSC::FTL::LowerDFGToLLVM::compileGetArgument): Deleted.
199         * tests/stress/dead-speculating-argument-use.js: Added.
200         (foo):
201         (o.valueOf):
202
203 2015-02-15  Filip Pizlo  <fpizlo@apple.com>
204
205         Rare case profiling should actually work
206         https://bugs.webkit.org/show_bug.cgi?id=141632
207
208         Reviewed by Michael Saboff.
209         
210         This simple adjustment appears to be a 2% speed-up on Octane. Over time, the slow case
211         heuristic has essentially stopped working because the typical execution count threshold for a
212         bytecode instruction is around 66 while the slow case threshold is 100: virtually
213         guaranteeing that the DFG will never think that a bytecode instruction has taken the slow
214         case even if it took it every single time. So, this changes the slow case threshold to 20.
215         
216         I checked if we could lower this down further, like to 10. That is worse than 20, and about
217         as bad as 100.
218
219         * runtime/Options.h:
220
221 2015-02-15  Brian J. Burg  <burg@cs.washington.edu>
222
223         Web Inspector: remove unused XHR replay code
224         https://bugs.webkit.org/show_bug.cgi?id=141622
225
226         Reviewed by Timothy Hatcher.
227
228         * inspector/protocol/Network.json: remove XHR replay methods.
229
230 2015-02-15  David Kilzer  <ddkilzer@apple.com>
231
232         REGRESSION (r180082): WebCore Debug builds fail on Mavericks due to weak export symbols
233         <http://webkit.org/b/141607>
234
235         More work towards fixing the Mavericks Debug build.
236
237         * inspector/ScriptDebugServer.h:
238         (Inspector::ScriptDebugServer::Task):
239         * inspector/agents/InspectorDebuggerAgent.h:
240         (Inspector::InspectorDebuggerAgent::Listener):
241         - Remove subclass exports. They did not help.
242
243         * runtime/JSCJSValue.h:
244         (JSC::JSValue::toFloat): Do not mark inline method for export.
245
246 2015-02-09  Brian J. Burg  <burg@cs.washington.edu>
247
248         Web Inspector: remove some unnecessary Inspector prefixes from class names in Inspector namespace
249         https://bugs.webkit.org/show_bug.cgi?id=141372
250
251         Reviewed by Joseph Pecoraro.
252
253         * inspector/ConsoleMessage.cpp:
254         (Inspector::ConsoleMessage::addToFrontend):
255         (Inspector::ConsoleMessage::updateRepeatCountInConsole):
256         * inspector/ConsoleMessage.h:
257         * inspector/InspectorAgentBase.h:
258         * inspector/InspectorAgentRegistry.cpp:
259         (Inspector::AgentRegistry::AgentRegistry):
260         (Inspector::AgentRegistry::append):
261         (Inspector::AgentRegistry::appendExtraAgent):
262         (Inspector::AgentRegistry::didCreateFrontendAndBackend):
263         (Inspector::AgentRegistry::willDestroyFrontendAndBackend):
264         (Inspector::AgentRegistry::discardAgents):
265         (Inspector::InspectorAgentRegistry::InspectorAgentRegistry): Deleted.
266         (Inspector::InspectorAgentRegistry::append): Deleted.
267         (Inspector::InspectorAgentRegistry::appendExtraAgent): Deleted.
268         (Inspector::InspectorAgentRegistry::didCreateFrontendAndBackend): Deleted.
269         (Inspector::InspectorAgentRegistry::willDestroyFrontendAndBackend): Deleted.
270         (Inspector::InspectorAgentRegistry::discardAgents): Deleted.
271         * inspector/InspectorAgentRegistry.h:
272         * inspector/InspectorBackendDispatcher.cpp:
273         (Inspector::BackendDispatcher::CallbackBase::CallbackBase):
274         (Inspector::BackendDispatcher::CallbackBase::isActive):
275         (Inspector::BackendDispatcher::CallbackBase::sendFailure):
276         (Inspector::BackendDispatcher::CallbackBase::sendIfActive):
277         (Inspector::BackendDispatcher::create):
278         (Inspector::BackendDispatcher::registerDispatcherForDomain):
279         (Inspector::BackendDispatcher::dispatch):
280         (Inspector::BackendDispatcher::sendResponse):
281         (Inspector::BackendDispatcher::reportProtocolError):
282         (Inspector::BackendDispatcher::getInteger):
283         (Inspector::BackendDispatcher::getDouble):
284         (Inspector::BackendDispatcher::getString):
285         (Inspector::BackendDispatcher::getBoolean):
286         (Inspector::BackendDispatcher::getObject):
287         (Inspector::BackendDispatcher::getArray):
288         (Inspector::BackendDispatcher::getValue):
289         (Inspector::InspectorBackendDispatcher::CallbackBase::CallbackBase): Deleted.
290         (Inspector::InspectorBackendDispatcher::CallbackBase::isActive): Deleted.
291         (Inspector::InspectorBackendDispatcher::CallbackBase::sendFailure): Deleted.
292         (Inspector::InspectorBackendDispatcher::CallbackBase::sendIfActive): Deleted.
293         (Inspector::InspectorBackendDispatcher::create): Deleted.
294         (Inspector::InspectorBackendDispatcher::registerDispatcherForDomain): Deleted.
295         (Inspector::InspectorBackendDispatcher::dispatch): Deleted.
296         (Inspector::InspectorBackendDispatcher::sendResponse): Deleted.
297         (Inspector::InspectorBackendDispatcher::reportProtocolError): Deleted.
298         (Inspector::InspectorBackendDispatcher::getInteger): Deleted.
299         (Inspector::InspectorBackendDispatcher::getDouble): Deleted.
300         (Inspector::InspectorBackendDispatcher::getString): Deleted.
301         (Inspector::InspectorBackendDispatcher::getBoolean): Deleted.
302         (Inspector::InspectorBackendDispatcher::getObject): Deleted.
303         (Inspector::InspectorBackendDispatcher::getArray): Deleted.
304         (Inspector::InspectorBackendDispatcher::getValue): Deleted.
305         * inspector/InspectorBackendDispatcher.h:
306         (Inspector::SupplementalBackendDispatcher::SupplementalBackendDispatcher):
307         (Inspector::SupplementalBackendDispatcher::~SupplementalBackendDispatcher):
308         (Inspector::InspectorSupplementalBackendDispatcher::InspectorSupplementalBackendDispatcher): Deleted.
309         (Inspector::InspectorSupplementalBackendDispatcher::~InspectorSupplementalBackendDispatcher): Deleted.
310         * inspector/InspectorFrontendChannel.h:
311         (Inspector::FrontendChannel::~FrontendChannel):
312         (Inspector::InspectorFrontendChannel::~InspectorFrontendChannel): Deleted.
313         * inspector/JSGlobalObjectInspectorController.cpp:
314         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
315         (Inspector::JSGlobalObjectInspectorController::globalObjectDestroyed):
316         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
317         (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
318         (Inspector::JSGlobalObjectInspectorController::dispatchMessageFromFrontend):
319         (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
320         * inspector/JSGlobalObjectInspectorController.h:
321         * inspector/agents/InspectorAgent.cpp:
322         (Inspector::InspectorAgent::didCreateFrontendAndBackend):
323         (Inspector::InspectorAgent::willDestroyFrontendAndBackend):
324         * inspector/agents/InspectorAgent.h:
325         * inspector/agents/InspectorConsoleAgent.cpp:
326         (Inspector::InspectorConsoleAgent::didCreateFrontendAndBackend):
327         (Inspector::InspectorConsoleAgent::willDestroyFrontendAndBackend):
328         * inspector/agents/InspectorConsoleAgent.h:
329         * inspector/agents/InspectorDebuggerAgent.cpp:
330         (Inspector::InspectorDebuggerAgent::didCreateFrontendAndBackend):
331         (Inspector::InspectorDebuggerAgent::willDestroyFrontendAndBackend):
332         (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
333         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
334         (Inspector::InspectorDebuggerAgent::pause):
335         (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
336         (Inspector::InspectorDebuggerAgent::didPause):
337         (Inspector::InspectorDebuggerAgent::breakProgram):
338         (Inspector::InspectorDebuggerAgent::clearBreakDetails):
339         * inspector/agents/InspectorDebuggerAgent.h:
340         * inspector/agents/InspectorRuntimeAgent.cpp:
341         (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
342         * inspector/agents/InspectorRuntimeAgent.h:
343         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
344         (Inspector::JSGlobalObjectRuntimeAgent::didCreateFrontendAndBackend):
345         (Inspector::JSGlobalObjectRuntimeAgent::willDestroyFrontendAndBackend):
346         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
347         * inspector/augmentable/AlternateDispatchableAgent.h:
348         * inspector/augmentable/AugmentableInspectorController.h:
349         * inspector/remote/RemoteInspectorDebuggable.h:
350         * inspector/remote/RemoteInspectorDebuggableConnection.h:
351         * inspector/scripts/codegen/cpp_generator.py:
352         (CppGenerator.cpp_type_for_formal_out_parameter):
353         (CppGenerator.cpp_type_for_stack_out_parameter):
354         * inspector/scripts/codegen/cpp_generator_templates.py:
355         (AlternateBackendDispatcher):
356         (Alternate):
357         (void):
358         (AlternateInspectorBackendDispatcher): Deleted.
359         (AlternateInspector): Deleted.
360         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
361         (CppBackendDispatcherHeaderGenerator._generate_alternate_handler_forward_declarations_for_domains.Alternate):
362         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
363         (CppBackendDispatcherHeaderGenerator._generate_alternate_handler_forward_declarations_for_domains.AlternateInspector): Deleted.
364         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
365         (CppBackendDispatcherImplementationGenerator._generate_handler_class_destructor_for_domain):
366         (CppBackendDispatcherImplementationGenerator._generate_large_dispatcher_switch_implementation_for_domain):
367         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
368         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
369         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
370         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
371         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
372         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
373         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
374         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
375         * inspector/scripts/tests/expected/enum-values.json-result:
376         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
377         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
378         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
379         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
380         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
381         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
382         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
383         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
384         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
385         * runtime/JSGlobalObjectDebuggable.cpp:
386         (JSC::JSGlobalObjectDebuggable::connect):
387         (JSC::JSGlobalObjectDebuggable::disconnect):
388         * runtime/JSGlobalObjectDebuggable.h:
389
390 2015-02-14  David Kilzer  <ddkilzer@apple.com>
391
392         REGRESSION (r180082): WebCore Debug builds fail on Mavericks due to weak export symbols
393         <http://webkit.org/b/141607>
394
395         Work towards fixing the Mavericks Debug build.
396
397         * inspector/ScriptDebugServer.h:
398         (Inspector::ScriptDebugServer::Task): Export class.
399         * inspector/agents/InspectorDebuggerAgent.h:
400         (Inspector::InspectorDebuggerAgent::Listener): Export class.
401         * runtime/JSGlobalObject.h:
402         (JSC::JSGlobalObject::setConsoleClient): Do not mark inline
403         method for export.
404
405 2015-02-14  Joseph Pecoraro  <pecoraro@apple.com>
406
407         Web Inspector: Symbol RemoteObject should not send sub-type
408         https://bugs.webkit.org/show_bug.cgi?id=141604
409
410         Reviewed by Brian Burg.
411
412         * inspector/InjectedScriptSource.js:
413
414 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
415
416         Attempt to fix 32bits build after r180098
417
418         * jit/JITOperations.cpp:
419         * jit/JITOperations.h:
420         I copied the attribute from the MathObject version of that function when I moved
421         it over. DFG has no version of a function call taking those attributes.
422
423 2015-02-13  Joseph Pecoraro  <pecoraro@apple.com>
424
425         JSContext Inspector: Do not stash console messages for non-debuggable JSContext
426         https://bugs.webkit.org/show_bug.cgi?id=141589
427
428         Reviewed by Timothy Hatcher.
429
430         Consider developer extras disabled for JSContext inspection if the
431         RemoteInspector server is not enabled (typically a non-debuggable
432         process rejected by webinspectord) or if remote debugging on the
433         JSContext was explicitly disabled via SPI.
434
435         When developer extras are disabled, console messages will not be stashed.
436
437         * inspector/JSGlobalObjectInspectorController.cpp:
438         (Inspector::JSGlobalObjectInspectorController::developerExtrasEnabled):
439         * inspector/JSGlobalObjectInspectorController.h:
440
441 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
442
443         Add a DFG node for the Pow Intrinsics
444         https://bugs.webkit.org/show_bug.cgi?id=141540
445
446         Reviewed by Filip Pizlo.
447
448         Add a DFG Node for PowIntrinsic. This patch covers the basic cases
449         needed to avoid massive regressions. I will iterate over the node to cover
450         the missing types.
451
452         With this patch I get the following progressions on benchmarks:
453         -LongSpider's math-partial-sums: +5%.
454         -Kraken's imaging-darkroom: +17%
455         -AsmBench's cray.c: +6.6%
456         -CompressionBench: +2.2% globally.
457
458         * dfg/DFGAbstractInterpreterInlines.h:
459         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
460         Cover a couple of trivial cases:
461         -If the exponent is zero, the result is always one, regardless of the base.
462         -If both arguments are constants, compute the result at compile time.
463
464         * dfg/DFGByteCodeParser.cpp:
465         (JSC::DFG::ByteCodeParser::handleIntrinsic):
466         * dfg/DFGClobberize.h:
467         (JSC::DFG::clobberize):
468         * dfg/DFGDoesGC.cpp:
469         (JSC::DFG::doesGC):
470
471         * dfg/DFGFixupPhase.cpp:
472         (JSC::DFG::FixupPhase::fixupNode):
473         We only support 2 basic cases at this time:
474         -Math.pow(double, int)
475         -Math.pow(double, double).
476
477         I'll cover Math.pow(int, int) in a follow up.
478
479         * dfg/DFGNode.h:
480         (JSC::DFG::Node::convertToArithSqrt):
481         (JSC::DFG::Node::arithNodeFlags):
482         * dfg/DFGNodeType.h:
483         * dfg/DFGPredictionPropagationPhase.cpp:
484         (JSC::DFG::PredictionPropagationPhase::propagate):
485         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
486         * dfg/DFGSafeToExecute.h:
487         (JSC::DFG::safeToExecute):
488         * dfg/DFGSpeculativeJIT.cpp:
489         (JSC::DFG::compileArithPowIntegerFastPath):
490         (JSC::DFG::SpeculativeJIT::compileArithPow):
491         * dfg/DFGSpeculativeJIT.h:
492         * dfg/DFGSpeculativeJIT32_64.cpp:
493         (JSC::DFG::SpeculativeJIT::compile):
494         * dfg/DFGSpeculativeJIT64.cpp:
495         (JSC::DFG::SpeculativeJIT::compile):
496         * dfg/DFGStrengthReductionPhase.cpp:
497         (JSC::DFG::StrengthReductionPhase::handleNode):
498         * dfg/DFGValidate.cpp:
499         (JSC::DFG::Validate::validate):
500         * ftl/FTLCapabilities.cpp:
501         (JSC::FTL::canCompile):
502         * ftl/FTLIntrinsicRepository.h:
503         * ftl/FTLLowerDFGToLLVM.cpp:
504         (JSC::FTL::LowerDFGToLLVM::compileNode):
505         (JSC::FTL::LowerDFGToLLVM::compileArithPow):
506         * ftl/FTLOutput.h:
507         (JSC::FTL::Output::doublePow):
508         (JSC::FTL::Output::doublePowi):
509         * jit/JITOperations.cpp:
510         * jit/JITOperations.h:
511         * runtime/MathObject.cpp:
512         (JSC::mathProtoFuncPow):
513         (JSC::isDenormal): Deleted.
514         (JSC::isEdgeCase): Deleted.
515         (JSC::mathPow): Deleted.
516
517         * tests/stress/math-pow-basics.js: Added.
518         * tests/stress/math-pow-integer-exponent-fastpath.js: Added.
519         * tests/stress/math-pow-nan-behaviors.js: Added.
520         * tests/stress/math-pow-with-constants.js: Added.
521         Start some basic testing of Math.pow().
522         Due to the various transforms, the values change when the code tiers up,
523         so I covered this by checking for approximate values.
524
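The following is an added example, not code from the WebKit ChangeLog or from the math-pow-*.js stress tests it lists. It exercises the two points the entry makes: the JS-specific Math.pow results an optimizing tier must preserve (exponent 0 always yields 1, constants fold), and the approximate comparison across tiers its tests rely on. The function and constant names are this example's own.

```javascript
'use strict';
// Added example (not from the WebKit ChangeLog). Checks ECMAScript Math.pow
// semantics and the "approximate values across tiers" testing approach.

// Results the ECMAScript spec fixes for Math.pow. Several differ from C's
// pow(): pow(1, NaN) is 1 in C but NaN in JS, so a JIT that lowers Math.pow
// straight to libm must special-case it. An exponent of 0 yields 1 even for a
// NaN base, which is the constant-folding rule the entry mentions.
function powEdgeCases() {
  return {
    zeroExponentNanBase: Math.pow(NaN, 0),                     // 1
    nanExponentOneBase: Number.isNaN(Math.pow(1, NaN)),        // true (C gives 1)
    infExponentUnitBase: Number.isNaN(Math.pow(-1, Infinity)), // true
    negZeroBaseOddNegExp: Math.pow(-0, -3),                    // -Infinity
    negZeroBaseEvenNegExp: Math.pow(-0, -2),                   // Infinity
    negBaseFractionalExp: Number.isNaN(Math.pow(-8, 1 / 3)),   // true
    integerFastPath: Math.pow(2, 10),                          // 1024
  };
}

// Runs Math.pow in a hot loop so the engine tiers the code up, and reports the
// largest relative deviation from the values observed on the first (cold) pass.
// An integer-exponent fast path (repeated squaring) may round differently from
// a libm pow() call, which is why the entry's tests compare approximately.
// Returns { maxRelError, stable }; stable means every later result stayed
// within `tolerance` of its cold-pass value.
function powStableAcrossTiers(base, exponents, rounds, tolerance) {
  const coldPass = exponents.map((e) => Math.pow(base, e));
  let maxRelError = 0;
  for (let r = 0; r < rounds; r++) {
    for (let i = 0; i < exponents.length; i++) {
      const v = Math.pow(base, exponents[i]);
      const ref = coldPass[i];
      const err = ref === 0 ? Math.abs(v) : Math.abs((v - ref) / ref);
      if (err > maxRelError) maxRelError = err;
    }
  }
  return { maxRelError, stable: maxRelError <= tolerance };
}

// Constructed inputs: integer exponents (the Math.pow(double, int) case) and
// fractional ones (the Math.pow(double, double) case).
const INTEGER_EXPONENTS = Array.from({ length: 65 }, (_, i) => i - 32);
const DOUBLE_EXPONENTS = [0.5, 1.5, 2.25, -0.5, 3.75];

console.log(powEdgeCases());
console.log(powStableAcrossTiers(1.1, INTEGER_EXPONENTS, 20000, 1e-12));
console.log(powStableAcrossTiers(1.1, DOUBLE_EXPONENTS, 20000, 1e-12));
```

Run it under any engine with tiered compilation; a result that is not stable points at an optimized path whose rounding disagrees with the interpreter's.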
525 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
526
527         ArithSqrt should not be conditional on supportsFloatingPointSqrt
528         https://bugs.webkit.org/show_bug.cgi?id=141546
529
530         Reviewed by Geoffrey Garen and Filip Pizlo.
531
532         Just fall back to the function call in the DFG codegen.
533
534         * dfg/DFGByteCodeParser.cpp:
535         (JSC::DFG::ByteCodeParser::handleIntrinsic):
536         * dfg/DFGSpeculativeJIT.cpp:
537         (JSC::DFG::SpeculativeJIT::compileArithSqrt):
538         * dfg/DFGSpeculativeJIT.h:
539         * dfg/DFGSpeculativeJIT32_64.cpp:
540         (JSC::DFG::SpeculativeJIT::compile):
541         * dfg/DFGSpeculativeJIT64.cpp:
542         (JSC::DFG::SpeculativeJIT::compile):
543         * tests/stress/math-sqrt-basics.js: Added.
544         Basic coverage.
545
546         * tests/stress/math-sqrt-basics-disable-architecture-specific-optimizations.js: Added.
547         Same tests but forcing the function call.
548
549 2015-02-13  Michael Saboff  <msaboff@apple.com>
550
551         REGRESSION(r180060) New js/regress-141098 test crashes when LLInt is disabled.
552         https://bugs.webkit.org/show_bug.cgi?id=141577
553
554         Reviewed by Benjamin Poulain.
555
556         Changed the prologue of the baseline JIT to check for stack space for all
557         types of code blocks.  Previously, it was only checking Function.  Now
558         it checks Program and Eval as well.
559
560         * jit/JIT.cpp:
561         (JSC::JIT::privateCompile):
562
563 2015-02-13  Benjamin Poulain  <bpoulain@apple.com>
564
565         Generate incq instead of addq when the immediate value is one
566         https://bugs.webkit.org/show_bug.cgi?id=141548
567
568         Reviewed by Gavin Barraclough.
569
570         JSC emits "addq #1 (rXX)" *a lot*.
571         This patch replaces that with incq, which is one byte shorter
572         and is the advised form.
573
574         Sunspider: +0.47%
575         Octane: +0.28%
576         Kraken: +0.44%
577         AsmBench, CompressionBench: neutral.
578
579         * assembler/MacroAssemblerX86_64.h:
580         (JSC::MacroAssemblerX86_64::add64):
581         * assembler/X86Assembler.h:
582         (JSC::X86Assembler::incq_m):
583
584 2015-02-13  Benjamin Poulain  <benjamin@webkit.org>
585
586         Little clean up of Bytecode Generator's Label
587         https://bugs.webkit.org/show_bug.cgi?id=141557
588
589         Reviewed by Michael Saboff.
590
591         * bytecompiler/BytecodeGenerator.h:
592         * bytecompiler/BytecodeGenerator.cpp:
593         Label was a friend of BytecodeGenerator in order to access
594         m_instructions. There is no need for that; BytecodeGenerator
595         has a public getter.
596
597         * bytecompiler/Label.h:
598         (JSC::Label::Label):
599         (JSC::Label::setLocation):
600         (JSC::BytecodeGenerator::newLabel):
601         Make it explicit that the generator must exist.
602
603 2015-02-13  Michael Saboff  <msaboff@apple.com>
604
605         Google doc spreadsheet reproducibly crashes when sorting
606         https://bugs.webkit.org/show_bug.cgi?id=141098
607
608         Reviewed by Oliver Hunt.
609
610         Moved the stack check to before the callee registers are allocated in the
611         prologue() by moving it from the functionInitialization() macro.  This
612         way we can check the stack before moving the stack pointer, avoiding a
613         crash during a "call" instruction.  Before this change, we weren't even
614         checking the stack for program and eval execution.
615
616         Made a couple of supporting changes.
617
618         * llint/LLIntSlowPaths.cpp:
619         (JSC::LLInt::llint_stack_check): We can't just go up one frame as we
620         may be processing an exception to an entry frame.
621
622         * llint/LowLevelInterpreter.asm:
623
624         * llint/LowLevelInterpreter32_64.asm:
625         * llint/LowLevelInterpreter64.asm:
626         (llint_throw_from_slow_path_trampoline): Changed method to get the vm
627         from the code block to not use the codeBlock, since we may need to
628         continue from an exception in a native function.
629
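The following is an added example, not code from the WebKit ChangeLog or from the js/regress-141098 test. The entries for bugs 141098 and 141577 above move the stack check to the entry prologue and extend it from Function code to Program and Eval code as well; this harness drives each entry path a script can reach into unbounded recursion and reports whether the engine surfaced a catchable RangeError, which is what a correct entry stack check yields instead of a crash. The names exhaustStack and stackCheckReport are this example's own.

```javascript
'use strict';
// Added example (not from the WebKit ChangeLog). Each path below recurses until
// the engine's stack check fires; a healthy engine reports 'RangeError' for all.

function exhaustStack(kind) {
  // Validate outside the try so a bad argument is not reported as a result.
  if (!['function', 'eval', 'newFunction'].includes(kind)) {
    throw new TypeError('unknown kind: ' + kind);
  }
  try {
    if (kind === 'function') {
      // Ordinary function code: the case the prologue already checked.
      const f = (n) => f(n + 1) + 1;
      f(0);
    } else if (kind === 'eval') {
      // Direct eval: every level re-enters the engine through eval code.
      const viaEval = (n) => eval('viaEval(n + 1) + 1');
      viaEval(0);
    } else {
      // Function constructor: a separately compiled code block built from
      // source text, entered afresh on each level.
      const viaCtor = new Function('self', 'n', 'return self(self, n + 1) + 1');
      viaCtor(viaCtor, 0);
    }
    return 'returned';
  } catch (e) {
    return e instanceof RangeError ? 'RangeError' : String(e && e.name);
  }
}

// Runs all three paths and collects what each one produced.
function stackCheckReport() {
  return {
    functionCode: exhaustStack('function'),
    evalCode: exhaustStack('eval'),
    newFunctionCode: exhaustStack('newFunction'),
  };
}

console.log(stackCheckReport());
```

Program code proper (a top-level script) cannot recurse into itself from plain JavaScript without a host API, so it is exercised here only indirectly through the Function constructor.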
630 2015-02-12  Benjamin Poulain  <benjamin@webkit.org>
631
632         Simplify the initialization of BytecodeGenerator a bit
633         https://bugs.webkit.org/show_bug.cgi?id=141505
634
635         Reviewed by Anders Carlsson.
636
637         * bytecompiler/BytecodeGenerator.cpp:
638         (JSC::BytecodeGenerator::BytecodeGenerator):
639         * bytecompiler/BytecodeGenerator.h:
640         Set up the default initialization at the declaration level
641         instead of in the constructor.
642
643         Also made m_scopeNode and m_codeType const to make it explicit
644         that they are invariant after construction.
645
646         * parser/Nodes.cpp:
647         * runtime/Executable.cpp:
648         Remove 2 useless #includes.
649
650 2015-02-12  Benjamin Poulain  <benjamin@webkit.org>
651
652         Move the generators for GetScope and SkipScope to the common core in DFGSpeculativeJIT
653         https://bugs.webkit.org/show_bug.cgi?id=141506
654
655         Reviewed by Michael Saboff.
656
657         The generators for the nodes GetScope and SkipScope were
658         completely identical between 32 and 64 bits.
659
660         This patch moves the duplicated code to DFGSpeculativeJIT.
661
662         * dfg/DFGSpeculativeJIT.cpp:
663         (JSC::DFG::SpeculativeJIT::compileGetScope):
664         (JSC::DFG::SpeculativeJIT::compileSkipScope):
665         * dfg/DFGSpeculativeJIT.h:
666         * dfg/DFGSpeculativeJIT32_64.cpp:
667         (JSC::DFG::SpeculativeJIT::compile):
668         * dfg/DFGSpeculativeJIT64.cpp:
669         (JSC::DFG::SpeculativeJIT::compile):
670
671 2015-02-11  Brent Fulgham  <bfulgham@apple.com>
672
673         [Win] [64-bit] Work around MSVC2013 Runtime Bug
674         https://bugs.webkit.org/show_bug.cgi?id=141498
675         <rdar://problem/19803642>
676
677         Reviewed by Anders Carlsson.
678
679         Disable FMA3 instruction use in the MSVC math library to
680         work around a VS2013 runtime crash. We can remove this
681         workaround when we switch to VS2015.
682
683         * API/tests/testapi.c: Call _set_FMA3_enable(0) to disable
684         FMA3 support.
685         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add new files.
686         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
687         * JavaScriptCore.vcxproj/JavaScriptCoreDLL.cpp: Added.
688         * JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp: Call _set_FMA3_enable(0)
689         to disable FMA3 support.
690         * jsc.cpp: Ditto.
691         * testRegExp.cpp: Ditto.
692
693 2015-02-11  Filip Pizlo  <fpizlo@apple.com>
694
695         The callee frame helpers in DFG::SpeculativeJIT should be available to other JITs
696         https://bugs.webkit.org/show_bug.cgi?id=141493
697
698         Reviewed by Michael Saboff.
699
700         * dfg/DFGSpeculativeJIT.h:
701         (JSC::DFG::SpeculativeJIT::calleeFrameSlot): Deleted.
702         (JSC::DFG::SpeculativeJIT::calleeArgumentSlot): Deleted.
703         (JSC::DFG::SpeculativeJIT::calleeFrameTagSlot): Deleted.
704         (JSC::DFG::SpeculativeJIT::calleeFramePayloadSlot): Deleted.
705         (JSC::DFG::SpeculativeJIT::calleeArgumentTagSlot): Deleted.
706         (JSC::DFG::SpeculativeJIT::calleeArgumentPayloadSlot): Deleted.
707         (JSC::DFG::SpeculativeJIT::calleeFrameCallerFrame): Deleted.
708         * dfg/DFGSpeculativeJIT32_64.cpp:
709         (JSC::DFG::SpeculativeJIT::emitCall):
710         * dfg/DFGSpeculativeJIT64.cpp:
711         (JSC::DFG::SpeculativeJIT::emitCall):
712         * jit/AssemblyHelpers.h:
713         (JSC::AssemblyHelpers::calleeFrameSlot):
714         (JSC::AssemblyHelpers::calleeArgumentSlot):
715         (JSC::AssemblyHelpers::calleeFrameTagSlot):
716         (JSC::AssemblyHelpers::calleeFramePayloadSlot):
717         (JSC::AssemblyHelpers::calleeArgumentTagSlot):
718         (JSC::AssemblyHelpers::calleeArgumentPayloadSlot):
719         (JSC::AssemblyHelpers::calleeFrameCallerFrame):
720
721 2015-02-11  Filip Pizlo  <fpizlo@apple.com>
722
723         SetupVarargsFrame should not assume that an inline stack frame would have identical layout to a normal stack frame
724         https://bugs.webkit.org/show_bug.cgi?id=141485
725
726         Reviewed by Oliver Hunt.
727         
728         The inlineStackOffset argument was meant to make it easy for the DFG to use this helper for
729         vararg calls from inlined code, but that doesn't work since the DFG inline call frame
730         doesn't actually put the argument count at the JSStack::ArgumentCount offset. In fact there
731         is really no such thing as an inlineStackOffset except when we OSR exit; while the code is
732         running the stack layout is compacted so that the stackOffset is not meaningful.
733
734         * jit/JITCall.cpp:
735         (JSC::JIT::compileSetupVarargsFrame):
736         * jit/JITCall32_64.cpp:
737         (JSC::JIT::compileSetupVarargsFrame):
738         * jit/SetupVarargsFrame.cpp:
739         (JSC::emitSetupVarargsFrameFastCase):
740         * jit/SetupVarargsFrame.h:
741
742 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
743
744         Split FTL::JSCall into the part that knows about call inline caching and the part that interacts with LLVM patchpoints
745         https://bugs.webkit.org/show_bug.cgi?id=141455
746
747         Reviewed by Mark Lam.
748         
749         The newly introduced FTL::JSCallBase can be used to build other things, like the FTL portion
750         of https://bugs.webkit.org/show_bug.cgi?id=141332.
751
752         * CMakeLists.txt:
753         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
754         * JavaScriptCore.xcodeproj/project.pbxproj:
755         * bytecode/CallLinkInfo.h:
756         (JSC::CallLinkInfo::specializationKindFor):
757         (JSC::CallLinkInfo::specializationKind):
758         * ftl/FTLJSCall.cpp:
759         (JSC::FTL::JSCall::JSCall):
760         (JSC::FTL::JSCall::emit): Deleted.
761         (JSC::FTL::JSCall::link): Deleted.
762         * ftl/FTLJSCall.h:
763         * ftl/FTLJSCallBase.cpp: Added.
764         (JSC::FTL::JSCallBase::JSCallBase):
765         (JSC::FTL::JSCallBase::emit):
766         (JSC::FTL::JSCallBase::link):
767         * ftl/FTLJSCallBase.h: Added.
768
769 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
770
771         Unreviewed, fix build.
772
773         * jit/CCallHelpers.h:
774         (JSC::CCallHelpers::setupArgumentsWithExecState):
775
776 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
777
778         op_call_varargs should only load the length once
779         https://bugs.webkit.org/show_bug.cgi?id=141440
780         rdar://problem/19761683
781
782         Reviewed by Michael Saboff.
783         
784         Refactors the pair of calls that set up the varargs frame so that the first call returns the
785         length, and the second call uses the length returned by the first one. It turns out that this
786         gave me an opportunity to shorten a lot of the code.
787
788         * interpreter/Interpreter.cpp:
789         (JSC::sizeFrameForVarargs):
790         (JSC::loadVarargs):
791         (JSC::setupVarargsFrame):
792         (JSC::setupVarargsFrameAndSetThis):
793         * interpreter/Interpreter.h:
794         (JSC::calleeFrameForVarargs):
795         * jit/CCallHelpers.h:
796         (JSC::CCallHelpers::setupArgumentsWithExecState):
797         * jit/JIT.h:
798         * jit/JITCall.cpp:
799         (JSC::JIT::compileSetupVarargsFrame):
800         * jit/JITCall32_64.cpp:
801         (JSC::JIT::compileSetupVarargsFrame):
802         * jit/JITInlines.h:
803         (JSC::JIT::callOperation):
804         * jit/JITOperations.cpp:
805         * jit/JITOperations.h:
806         * jit/SetupVarargsFrame.cpp:
807         (JSC::emitSetVarargsFrame):
808         (JSC::emitSetupVarargsFrameFastCase):
809         * jit/SetupVarargsFrame.h:
810         * llint/LLIntSlowPaths.cpp:
811         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
812         * runtime/Arguments.cpp:
813         (JSC::Arguments::copyToArguments):
814         * runtime/Arguments.h:
815         * runtime/JSArray.cpp:
816         (JSC::JSArray::copyToArguments):
817         * runtime/JSArray.h:
818         * runtime/VM.h:
819         * tests/stress/call-varargs-length-effects.js: Added.
820         (foo):
821         (bar):
822
823 2015-02-10  Michael Saboff  <msaboff@apple.com>
824
825         Crash in JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq
826         https://bugs.webkit.org/show_bug.cgi?id=139398
827
828         Reviewed by Filip Pizlo.
829
830         Due to CFA analysis, the CompareStrictEq node was determined to be unreachable, but later
831         was determined to be reachable.  When we go to lower to LLVM, the edges for the CompareStrictEq
832         node are UntypedUse which we can't compile.  Fixed this by checking that the IR before
833         lowering can still be handled by the FTL.
834
835         Had to add GetArgument as a node that the FTL can compile as the SSA conversion phase converts
836         a SetArgument to a GetArgument.  Before this change FTL::canCompile() would never see a GetArgument
837         node.  With the check right before lowering, we see this node.
838
839         * dfg/DFGPlan.cpp:
840         (JSC::DFG::Plan::compileInThreadImpl): Added a final FTL::canCompile() check before lowering
841         to verify that after all the transformations we still have valid IR for the FTL.
842         * ftl/FTLCapabilities.cpp:
843         (JSC::FTL::canCompile): Added GetArgument as a node the FTL can compile.
844
845 2015-02-10  Filip Pizlo  <fpizlo@apple.com>
846
847         Remove unused DFG::SpeculativeJIT::calleeFrameOffset().
848
849         Rubber stamped by Michael Saboff.
850         
851         Not only was this not used, I believe that the math was wrong. The callee frame doesn't
852         actually land past m_nextMachineLocal; instead it lands just below wherever we put SP and
853         that decision is made elsewhere. Also, it makes no sense to subtract 1 from
854         m_nextMachineLocal when trying to deduce the number of in-use stack slots.
855
856         * dfg/DFGSpeculativeJIT.h:
857         (JSC::DFG::SpeculativeJIT::calleeFrameOffset): Deleted.
858
859 2015-02-10  Saam Barati  <saambarati1@gmail.com>
860
861         Parser::parseVarDeclarationList gets the wrong JSToken for the last identifier
862         https://bugs.webkit.org/show_bug.cgi?id=141272
863
864         Reviewed by Oliver Hunt.
865
866         This patch fixes a bug where the wrong text location would be 
867         assigned to a variable declaration inside a ForIn/ForOf loop. 
868         It also fixes a bug in the type profiler where the type profiler 
869         emits the wrong text offset for a ForIn loop's variable declarator 
870         when it's not a pattern node.
871
872         * bytecompiler/NodesCodegen.cpp:
873         (JSC::ForInNode::emitLoopHeader):
874         * parser/Parser.cpp:
875         (JSC::Parser<LexerType>::parseVarDeclarationList):
876         * tests/typeProfiler/loop.js:
877         (testForIn):
878         (testForOf):
879
880 2015-02-09  Saam Barati  <saambarati1@gmail.com>
881
882         JSC's Type Profiler doesn't profile the type of the looping variable in ForOf/ForIn loops
883         https://bugs.webkit.org/show_bug.cgi?id=141241
884
885         Reviewed by Filip Pizlo.
886
887         Type information is now recorded for ForIn and ForOf statements. 
888         It was an oversight to not have these statements profiled before.
889
890         * bytecompiler/NodesCodegen.cpp:
891         (JSC::ForInNode::emitLoopHeader):
892         (JSC::ForOfNode::emitBytecode):
893         * tests/typeProfiler/loop.js: Added.
894         (testForIn):
895         (testForOf):
896
897 2015-02-09  Filip Pizlo  <fpizlo@apple.com>
898
899         DFG::StackLayoutPhase should always set the scopeRegister to VirtualRegister() because the DFG doesn't do anything to make its value valid
900         https://bugs.webkit.org/show_bug.cgi?id=141412
901
902         Reviewed by Michael Saboff.
903         
904         StackLayoutPhase was attempting to ensure that the register that
905         CodeBlock::scopeRegister() points to is the right one for the DFG. But the DFG did nothing
906         else to maintain the validity of the scopeRegister(). It wasn't captured as far as I can
907         tell. StackLayoutPhase didn't explicitly mark it live. PreciseLocalClobberize didn't mark
908         it as being live. So, by the time we got here the register referred to by
909         CodeBlock::scopeRegister() would have been junk. Moreover, CodeBlock::scopeRegister() was
910         not used for DFG code blocks, and was hardly ever used outside of bytecode generation.
911         
912         So, this patch just removes the code to manipulate this field and replaces it with an
913         unconditional setScopeRegister(VirtualRegister()). Setting it to the invalid register
914         ensures that any attempts to read the scopeRegister in a DFG or FTL frame immediately
915         punts.
916
917         * dfg/DFGStackLayoutPhase.cpp:
918         (JSC::DFG::StackLayoutPhase::run):
919
920 2015-02-09  Filip Pizlo  <fpizlo@apple.com>
921
922         Varargs frame set-up should be factored out for use by other JITs
923         https://bugs.webkit.org/show_bug.cgi?id=141388
924
925         Reviewed by Michael Saboff.
926         
927         Previously the code that dealt with varargs always assumed that we were setting up a varargs call
928         frame by literally following the execution semantics of op_call_varargs. This isn't how it'll
929         happen once the DFG and FTL do varargs calls, or when varargs calls get inlined. The DFG and FTL
930         don't literally execute bytecode; for example their stack frame layout has absolutely nothing in
931         common with what the bytecode says, and that will never change.
932         
933         This patch makes two changes:
934         
935         Setting up the varargs callee frame can be done in smaller steps: particularly in the case of a
936         varargs call that gets inlined, we aren't going to actually want to set up a callee frame in
937         full - we just want to put the arguments somewhere, and that place will not have much (if
938         anything) in common with the call frame format. This patch factors that out into something called
939         a loadVarargs. The thing we used to call loadVarargs is now called setupVarargsFrame. This patch
940         also separates loading varargs from setting this, since the fact that those two things are done
941         together is a detail made explicit in bytecode but it's not at all required in the higher-tier
942         engines. In the process of factoring this code out, I found a bunch of off-by-one errors in the
943         various calculations. I fixed them. The distance from the caller's frame pointer to the callee
944         frame pointer is always:
945         
946             numUsedCallerSlots + argCount + 1 + CallFrameSize
947         
948         where numUsedCallerSlots is toLocal(firstFreeRegister) - 1, which simplifies down to just
949         -firstFreeRegister. The code now speaks of numUsedCallerSlots rather than firstFreeRegister,
950         since the latter is a bytecode peculiarity that doesn't apply in the DFG or FTL. In the DFG, the
951         internally-computed frame size, minus the parameter slots, will be used for numUsedCallerSlots.
952         In the FTL, we will essentially compute numUsedCallerSlots dynamically by subtracting SP from FP.
953         Eventually, LLVM might give us some cleaner way of doing this, but it probably doesn't matter
954         very much.
955         
956         The arguments forwarding optimization is factored out of the Baseline JIT: the DFG and FTL will
957         want to do this optimization as well, but it involves quite a bit of code. So, this code is now
958         factored out into SetupVarargsFrame.h|cpp, so that other JITs can use it. In the process of factoring
959         this code out I noticed that the 32-bit and 64-bit code is nearly identical, so I combined them.
960
961         * CMakeLists.txt:
962         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
963         * JavaScriptCore.xcodeproj/project.pbxproj:
964         * bytecode/CodeBlock.h:
965         (JSC::ExecState::r):
966         (JSC::ExecState::uncheckedR):
967         * bytecode/VirtualRegister.h:
968         (JSC::VirtualRegister::operator+):
969         (JSC::VirtualRegister::operator-):
970         (JSC::VirtualRegister::operator+=):
971         (JSC::VirtualRegister::operator-=):
972         * interpreter/CallFrame.h:
973         * interpreter/Interpreter.cpp:
974         (JSC::sizeFrameForVarargs):
975         (JSC::loadVarargs):
976         (JSC::setupVarargsFrame):
977         (JSC::setupVarargsFrameAndSetThis):
978         * interpreter/Interpreter.h:
979         * jit/AssemblyHelpers.h:
980         (JSC::AssemblyHelpers::emitGetFromCallFrameHeaderPtr):
981         (JSC::AssemblyHelpers::emitGetFromCallFrameHeader32):
982         (JSC::AssemblyHelpers::emitGetFromCallFrameHeader64):
983         * jit/JIT.h:
984         * jit/JITCall.cpp:
985         (JSC::JIT::compileSetupVarargsFrame):
986         * jit/JITCall32_64.cpp:
987         (JSC::JIT::compileSetupVarargsFrame):
988         * jit/JITInlines.h:
989         (JSC::JIT::callOperation):
990         (JSC::JIT::emitGetFromCallFrameHeaderPtr): Deleted.
991         (JSC::JIT::emitGetFromCallFrameHeader32): Deleted.
992         (JSC::JIT::emitGetFromCallFrameHeader64): Deleted.
993         * jit/JITOperations.cpp:
994         * jit/JITOperations.h:
995         * jit/SetupVarargsFrame.cpp: Added.
996         (JSC::emitSetupVarargsFrameFastCase):
997         * jit/SetupVarargsFrame.h: Added.
998         * llint/LLIntSlowPaths.cpp:
999         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1000         * runtime/Arguments.cpp:
1001         (JSC::Arguments::copyToArguments):
1002         * runtime/Arguments.h:
1003         * runtime/JSArray.cpp:
1004         (JSC::JSArray::copyToArguments):
1005         * runtime/JSArray.h:
1006
1007 2015-02-09  Filip Pizlo  <fpizlo@apple.com>
1008
1009         DFG call codegen should resolve the callee operand as late as possible
1010         https://bugs.webkit.org/show_bug.cgi?id=141398
1011
1012         Reviewed by Mark Lam.
1013         
1014         This is mostly a benign restructuring to help with the implementation of
1015         https://bugs.webkit.org/show_bug.cgi?id=141332.
1016
1017         * dfg/DFGSpeculativeJIT32_64.cpp:
1018         (JSC::DFG::SpeculativeJIT::emitCall):
1019         * dfg/DFGSpeculativeJIT64.cpp:
1020         (JSC::DFG::SpeculativeJIT::emitCall):
1021
1022 2015-02-08  Filip Pizlo  <fpizlo@apple.com>
1023
1024         DFG should only have two mechanisms for describing effectfulness of nodes; previously there were three
1025         https://bugs.webkit.org/show_bug.cgi?id=141369
1026
1027         Reviewed by Michael Saboff.
1028
1029         We previously used the NodeMightClobber and NodeClobbersWorld NodeFlags to describe
1030         effectfulness.  Starting over a year ago, we introduced a more powerful mechanism - the
1031         DFG::clobberize() function.  Now we only have one remaining client of the old NodeFlags,
1032         and everyone else uses DFG::clobberize().  We should get rid of those NodeFlags and
1033         finally switch everyone over to DFG::clobberize().
1034         
1035         Unfortunately there is still another place where effectfulness of nodes is described: the
1036         AbstractInterpreter. This is because the AbstractInterpreter has special tuning both for
1037         compile time performance and there are places where the AI is more precise than
1038         clobberize() because of its flow-sensitivity.
1039         
1040         This means that after this change there will be only two places, rather than three, where
1041         the effectfulness of a node has to be described:
1042
1043         - DFG::clobberize()
1044         - DFG::AbstractInterpreter
1045
1046         * dfg/DFGClobberize.cpp:
1047         (JSC::DFG::clobbersWorld):
1048         * dfg/DFGClobberize.h:
1049         * dfg/DFGDoesGC.cpp:
1050         (JSC::DFG::doesGC):
1051         * dfg/DFGFixupPhase.cpp:
1052         (JSC::DFG::FixupPhase::fixupNode):
1053         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
1054         (JSC::DFG::FixupPhase::convertToGetArrayLength):
1055         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
1056         * dfg/DFGGraph.h:
1057         (JSC::DFG::Graph::isPredictedNumerical): Deleted.
1058         (JSC::DFG::Graph::byValIsPure): Deleted.
1059         (JSC::DFG::Graph::clobbersWorld): Deleted.
1060         * dfg/DFGNode.h:
1061         (JSC::DFG::Node::convertToConstant):
1062         (JSC::DFG::Node::convertToGetLocalUnlinked):
1063         (JSC::DFG::Node::convertToGetByOffset):
1064         (JSC::DFG::Node::convertToMultiGetByOffset):
1065         (JSC::DFG::Node::convertToPutByOffset):
1066         (JSC::DFG::Node::convertToMultiPutByOffset):
1067         * dfg/DFGNodeFlags.cpp:
1068         (JSC::DFG::dumpNodeFlags):
1069         * dfg/DFGNodeFlags.h:
1070         * dfg/DFGNodeType.h:
1071
1072 2015-02-09  Csaba Osztrogonác  <ossy@webkit.org>
1073
1074         Fix the !ENABLE(DFG_JIT) build
1075         https://bugs.webkit.org/show_bug.cgi?id=141387
1076
1077         Reviewed by Darin Adler.
1078
1079         * jit/Repatch.cpp:
1080
1081 2015-02-08  Benjamin Poulain  <benjamin@webkit.org>
1082
1083         Remove a few duplicate propagation steps from the DFG's PredictionPropagation phase
1084         https://bugs.webkit.org/show_bug.cgi?id=141363
1085
1086         Reviewed by Darin Adler.
1087
1088         * dfg/DFGPredictionPropagationPhase.cpp:
1089         (JSC::DFG::PredictionPropagationPhase::propagate):
1090         Some blocks were duplicated; they probably evolved separately
1091         to the same state.
1092
1093 2015-02-08  Benjamin Poulain  <benjamin@webkit.org>
1094
1095         Remove useless declarations and a stale comment from DFGByteCodeParser.h
1096         https://bugs.webkit.org/show_bug.cgi?id=141361
1097
1098         Reviewed by Darin Adler.
1099
1100         The comment refers to the original form of the ByteCodeParser:
1101             parse(Graph&, JSGlobalData*, CodeBlock*, unsigned startIndex);
1102
1103         That form is long dead; the comment is more misleading than anything.
1104
1105         * dfg/DFGByteCodeParser.cpp:
1106         * dfg/DFGByteCodeParser.h:
1107
1108 2015-02-08  Benjamin Poulain  <benjamin@webkit.org>
1109
1110         Encapsulate DFG::Plan's beforeFTL timestamp
1111         https://bugs.webkit.org/show_bug.cgi?id=141360
1112
1113         Reviewed by Darin Adler.
1114
1115         Make the attribute private; it is internal state.
1116
1117         Rename beforeFTL->timeBeforeFTL for readability.
1118
1119         * dfg/DFGPlan.cpp:
1120         (JSC::DFG::Plan::compileInThread):
1121         (JSC::DFG::Plan::compileInThreadImpl):
1122         * dfg/DFGPlan.h:
1123
1124 2015-02-08  Benjamin Poulain  <bpoulain@apple.com>
1125
1126         Remove DFGNode::hasArithNodeFlags()
1127         https://bugs.webkit.org/show_bug.cgi?id=141319
1128
1129         Reviewed by Michael Saboff.
1130
1131         * dfg/DFGNode.h:
1132         (JSC::DFG::Node::hasArithNodeFlags): Deleted.
1133         Unused code is unused.
1134
1135 2015-02-07  Chris Dumez  <cdumez@apple.com>
1136
1137         Add Vector::removeFirstMatching() / removeAllMatching() methods taking lambda functions
1138         https://bugs.webkit.org/show_bug.cgi?id=141321
1139
1140         Reviewed by Darin Adler.
1141
1142         Use new Vector::removeFirstMatching() / removeAllMatching() methods.
1143
1144 2015-02-06  Filip Pizlo  <fpizlo@apple.com>
1145
1146         DFG SSA shouldn't have SetArgument nodes
1147         https://bugs.webkit.org/show_bug.cgi?id=141342
1148
1149         Reviewed by Mark Lam.
1150
1151         I was wondering why we kept the SetArgument around for captured
1152         variables. It turns out we did so because we thought we had to, even
1153         though we didn't have to. The node is meaningless in SSA.
1154
1155         * dfg/DFGSSAConversionPhase.cpp:
1156         (JSC::DFG::SSAConversionPhase::run):
1157         * ftl/FTLLowerDFGToLLVM.cpp:
1158         (JSC::FTL::LowerDFGToLLVM::compileNode):
1159
1160 2015-02-06  Filip Pizlo  <fpizlo@apple.com>
1161
1162         It should be possible to use the DFG SetArgument node to indicate that someone set the value of a local out-of-band
1163         https://bugs.webkit.org/show_bug.cgi?id=141337
1164
1165         Reviewed by Mark Lam.
1166
1167         This mainly involved ensuring that SetArgument behaves just like SetLocal from a CPS standpoint, but with a special case for those SetArguments that
1168         are associated with the prologue.
1169
1170         * dfg/DFGCPSRethreadingPhase.cpp:
1171         (JSC::DFG::CPSRethreadingPhase::run):
1172         (JSC::DFG::CPSRethreadingPhase::canonicalizeSet):
1173         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
1174         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
1175         (JSC::DFG::CPSRethreadingPhase::canonicalizeSetLocal): Deleted.
1176         (JSC::DFG::CPSRethreadingPhase::canonicalizeSetArgument): Deleted.
1177
1178 2015-02-06  Mark Lam  <mark.lam@apple.com>
1179
1180         MachineThreads should be ref counted.
1181         <https://webkit.org/b/141317>
1182
1183         Reviewed by Filip Pizlo.
1184
1185         The VM's MachineThreads registry object is being referenced from other
1186         threads as a raw pointer.  In a scenario where the VM is destructed on
1187         the main thread, there is no guarantee that another thread isn't still
1188         holding a reference to the registry and will eventually invoke
1189         removeThread() on it on thread exit.  Hence, there's a possible use
1190         after free scenario here.
1191
1192         The fix is to make MachineThreads ThreadSafeRefCounted, and have all
1193         threads that reference it keep a RefPtr to it to ensure that it stays
1194         alive until the very last thread is done with it.
1195
1196         * API/tests/testapi.mm:
1197         (useVMFromOtherThread): - Renamed to be more descriptive.
1198         (useVMFromOtherThreadAndOutliveVM):
1199         - Added a test that has another thread which uses the VM outlive the
1200           VM to confirm that there is no crash.
1201
1202           However, I was not actually able to get the VM to crash without this
1203         patch because I wasn't always able to get the thread destructor to be
1204           called.  With this patch applied, I did verify with some logging that
1205           the MachineThreads registry is only destructed after all threads
1206           have removed themselves from it.
1207
1208         (threadMain): Deleted.
1209
1210         * heap/Heap.cpp:
1211         (JSC::Heap::Heap):
1212         (JSC::Heap::~Heap):
1213         (JSC::Heap::gatherStackRoots):
1214         * heap/Heap.h:
1215         (JSC::Heap::machineThreads):
1216         * heap/MachineStackMarker.cpp:
1217         (JSC::MachineThreads::Thread::Thread):
1218         (JSC::MachineThreads::addCurrentThread):
1219         (JSC::MachineThreads::removeCurrentThread):
1220         * heap/MachineStackMarker.h:
1221
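The lifetime fix in the entry above, as an added example that is not JavaScriptCore's code: WTF::ThreadSafeRefCounted and RefPtr are modeled with std::shared_ptr, the per-thread destructor that calls removeThread() is modeled by a handle object, and thread lifetimes are simulated with explicit handles so the run is deterministic (all of these are assumptions of the example).

```cpp
// Added example modelling the MachineThreads ref-counting fix; not JSC code.
// ThreadSafeRefCounted/RefPtr -> std::shared_ptr (assumption).
// Thread-exit destructor       -> ThreadHandle destructor (assumption).
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <mutex>
#include <set>

// Observable side effect so a caller can confirm *when* the registry dies.
static int g_registriesDestroyed = 0;

// Hypothetical stand-in for JSC::MachineThreads: a registry of live threads.
class ThreadRegistry {
public:
    ~ThreadRegistry() { ++g_registriesDestroyed; }

    void addThread(uintptr_t id) {
        std::lock_guard<std::mutex> lock(m_lock);
        m_threads.insert(id);
    }
    void removeThread(uintptr_t id) {
        std::lock_guard<std::mutex> lock(m_lock);
        m_threads.erase(id);
    }
    size_t count() {
        std::lock_guard<std::mutex> lock(m_lock);
        return m_threads.size();
    }

private:
    std::mutex m_lock;
    std::set<uintptr_t> m_threads;
};

// What each registered thread owns. The buggy shape described in the entry
// kept a raw ThreadRegistry*; here the handle keeps a strong reference, so
// the registry cannot be freed while any thread still points at it.
class ThreadHandle {
public:
    ThreadHandle(std::shared_ptr<ThreadRegistry> registry, uintptr_t id)
        : m_registry(std::move(registry)), m_id(id) {
        m_registry->addThread(m_id);
    }
    // Runs "on thread exit": safe even if the VM that created the registry
    // has already been destructed, because m_registry is still a live object.
    ~ThreadHandle() { m_registry->removeThread(m_id); }

private:
    std::shared_ptr<ThreadRegistry> m_registry;
    uintptr_t m_id;
};

// Hypothetical stand-in for the VM/Heap that owns the registry.
struct VM {
    std::shared_ptr<ThreadRegistry> machineThreads =
        std::make_shared<ThreadRegistry>();
};

// The scenario from the entry: a worker thread registers, the VM is destructed
// on the main thread, and the worker exits afterwards. Returns true only if the
// registry stayed alive until the last thread removed itself and was destroyed
// exactly then.
bool threadOutlivesVMSafely() {
    const int before = g_registriesDestroyed;
    std::unique_ptr<ThreadHandle> worker;
    {
        VM vm;
        worker.reset(new ThreadHandle(vm.machineThreads, 0x1001)); // constructed id
        if (vm.machineThreads->count() != 1)
            return false;
    } // VM gone. With a raw pointer, this is where the worker's pointer dangled.
    if (g_registriesDestroyed != before)
        return false; // worker's strong ref keeps the registry alive
    worker.reset(); // thread exit: removeThread() on a live registry
    return g_registriesDestroyed == before + 1; // last ref dropped, freed now
}

int main() {
    std::printf("registry outlived VM safely: %s\n",
                threadOutlivesVMSafely() ? "yes" : "no");
    return 0;
}
```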
1222 2015-02-06  Commit Queue  <commit-queue@webkit.org>
1223
1224         Unreviewed, rolling out r179743.
1225         https://bugs.webkit.org/show_bug.cgi?id=141335
1226
1227         caused missing symbols in non-WebKit clients of WTF::Vector
1228         (Requested by kling on #webkit).
1229
1230         Reverted changeset:
1231
1232         "Remove WTF::fastMallocGoodSize()."
1233         https://bugs.webkit.org/show_bug.cgi?id=141020
1234         http://trac.webkit.org/changeset/179743
1235
1236 2015-02-04  Filip Pizlo  <fpizlo@apple.com>
1237
1238         Remove BytecodeGenerator::preserveLastVar() and replace it with a more robust mechanism for preserving non-temporary registers
1239         https://bugs.webkit.org/show_bug.cgi?id=141211
1240
1241         Reviewed by Mark Lam.
1242
1243         Previously, the way non-temporary registers were preserved (i.e. not reclaimed anytime
1244         we did newTemporary()) by calling preserveLastVar() after all non-temps are created. It
1245         would raise the refcount on the last (highest-numbered) variable created, and rely on
1246         the fact that register reclamation started at higher-numbered registers and worked its
1247         way down. So any retained register would block any lower-numbered registers from being
1248         reclaimed.
1249         
1250         Also, preserveLastVar() sets a thing called m_firstConstantIndex. It's unused.
1251         
1252         This removes preserveLastVar() and makes addVar() retain each register it creates. This
1253         is more explicit, since addVar() is the mechanism for creating non-temporary registers.
1254         
1255         To make this work I had to remove an assertion that Register::setIndex() can only be
1256         called when the refcount is zero. This method might be called after a var is created to
1257         change its index. This previously worked because preserveLastVar() would be called after
1258         we had already made all index changes, so the vars would still have refcount zero. Now
1259         they have refcount 1. I think it's OK to lose this assertion; I can't remember this
1260         assertion ever firing in a way that alerted me to a serious issue.
1261         
1262         * bytecompiler/BytecodeGenerator.cpp:
1263         (JSC::BytecodeGenerator::BytecodeGenerator):
1264         (JSC::BytecodeGenerator::preserveLastVar): Deleted.
1265         * bytecompiler/BytecodeGenerator.h:
1266         (JSC::BytecodeGenerator::addVar):
1267         * bytecompiler/RegisterID.h:
1268         (JSC::RegisterID::setIndex):
1269
1270 2015-02-06  Andreas Kling  <akling@apple.com>
1271
1272         Remove WTF::fastMallocGoodSize().
1273         <https://webkit.org/b/141020>
1274
1275         Reviewed by Anders Carlsson.
1276
1277         * assembler/AssemblerBuffer.h:
1278         (JSC::AssemblerData::AssemblerData):
1279         (JSC::AssemblerData::grow):
1280
1281 2015-02-05  Michael Saboff  <msaboff@apple.com>
1282
1283         CodeCache is not thread safe when adding the same source from two different threads
1284         https://bugs.webkit.org/show_bug.cgi?id=141275
1285
1286         Reviewed by Mark Lam.
1287
1288         The issue for this bug is that one thread takes a cache miss in CodeCache::getGlobalCodeBlock,
1289         but in the process creates a cache entry with a nullptr UnlinkedCodeBlockType* which it
1290         will fill in later in the function.  During the body of that function, it allocates
1291         objects that may garbage collect.  During that garbage collection, we drop all the locks.
1292         While the locks are released by the first thread, another thread can enter the VM and might
1293         have exactly the same source and enter CodeCache::getGlobalCodeBlock() itself.  When it
1294         looks up the code block, it sees it as a cache hit and uses the nullptr UnlinkedCodeBlockType*
1295         and crashes.  This fixes the problem by not dropping the locks during garbage collection.
1296         There are other likely scenarios where we have a data structure like this code cache in an
1297         unsafe state for arbitrary reentrance.
1298
1299         Moved the functionality of DelayedReleaseScope directly into Heap.  Changed it into
1300         a simple list that is cleared with the new function Heap::releaseDelayedReleasedObjects.
1301         Now we accumulate objects to be released and release them when all locks are dropped or
1302         when destroying the Heap.  This eliminated the dropping and reacquiring of locks associated
1303         with the old scope form of this list.
1304
1305         Given that all functionality of DelayedReleaseScope is now used and referenced by Heap
1306         and the lock management no longer needs to be done, just made the list a member of Heap.
1307         We do need to guard against the case that releasing an object can create more objects
1308         by calling into JS.  That is why releaseDelayedReleasedObjects() is written to remove
1309         an object to release so that we aren't recursively in Vector code.  The other thing we
1310         do in releaseDelayedReleasedObjects() is to guard against recursive calls to itself using
1311         the m_delayedReleaseRecursionCount.  We only release at the first entry into the function.
1312         This case is already tested by testapi.mm.
1313
1314         * heap/DelayedReleaseScope.h: Removed file
1315
1316         * API/JSAPIWrapperObject.mm:
1317         * API/ObjCCallbackFunction.mm:
1318         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1319         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1320         * JavaScriptCore.xcodeproj/project.pbxproj:
1321         * heap/IncrementalSweeper.cpp:
1322         (JSC::IncrementalSweeper::doSweep):
1323         * heap/MarkedAllocator.cpp:
1324         (JSC::MarkedAllocator::tryAllocateHelper):
1325         (JSC::MarkedAllocator::tryAllocate):
1326         * heap/MarkedBlock.cpp:
1327         (JSC::MarkedBlock::sweep):
1328         * heap/MarkedSpace.cpp:
1329         (JSC::MarkedSpace::MarkedSpace):
1330         (JSC::MarkedSpace::lastChanceToFinalize):
1331         (JSC::MarkedSpace::didFinishIterating):
1332         * heap/MarkedSpace.h:
1333         * heap/Heap.cpp:
1334         (JSC::Heap::collectAllGarbage):
1335         (JSC::Heap::zombifyDeadObjects):
1336         Removed references to DelayedReleaseScope and DelayedReleaseScope.h.
1337
1338         * heap/Heap.cpp:
1339         (JSC::Heap::Heap): Initialized m_delayedReleaseRecursionCount.
1340         (JSC::Heap::lastChanceToFinalize): Call releaseDelayedObjectsNow() as the VM is going away.
1341         (JSC::Heap::releaseDelayedReleasedObjects): New function that releases the accumulated
1342         delayed release objects.
1343
1344         * heap/Heap.h:
1345         (JSC::Heap::m_delayedReleaseObjects): List of objects to be released later.
1346         (JSC::Heap::m_delayedReleaseRecursionCount): Counter to indicate that
1347         releaseDelayedReleasedObjects is being called recursively.
1348         * heap/HeapInlines.h:
1349         (JSC::Heap::releaseSoon): Changed location of list to add delayed release objects.
1350         
1351         * runtime/JSLock.cpp:
1352         (JSC::JSLock::willReleaseLock):
1353         Call Heap::releaseDelayedObjectsNow() when releasing the lock.
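
        Added illustration (not JavaScriptCore's code) of the deferred-release scheme this entry describes: releaseSoon() only queues an object, the outermost releaseDelayedReleasedObjects() call drains the queue one object at a time under a recursion counter, and a destructor that queues further objects or re-enters the drain is handled. The Heap and DelayedObject classes, the counts and the fan-out below are constructed for the demonstration.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <utility>
#include <vector>

struct Heap;

// Stand-in for an object whose release can run arbitrary code (e.g. an Objective-C
// dealloc that calls back into JS and thereby queues more releases). Constructed model.
struct DelayedObject {
    Heap* heap;
    int spawnOnRelease;   // how many further objects this one's release queues
    DelayedObject(Heap* h, int spawn) : heap(h), spawnOnRelease(spawn) {}
    ~DelayedObject();
};

struct Heap {
    std::vector<std::unique_ptr<DelayedObject>> m_delayedReleaseObjects;
    unsigned m_delayedReleaseRecursionCount = 0;
    std::size_t releasedCount = 0;   // bookkeeping for the demonstration only

    // Cheap and safe to call while locks are held: just remember the object.
    void releaseSoon(std::unique_ptr<DelayedObject> object)
    {
        m_delayedReleaseObjects.push_back(std::move(object));
    }

    // Called once all locks are dropped (JSLock::willReleaseLock in the entry above)
    // and when the heap is torn down (lastChanceToFinalize).
    void releaseDelayedReleasedObjects()
    {
        // A recursive entry (a destructor called into JS, which dropped its locks and
        // landed here again) does nothing; only the outermost call drains the list.
        if (m_delayedReleaseRecursionCount++ == 0) {
            while (!m_delayedReleaseObjects.empty()) {
                // Take the object out of the Vector *before* destroying it, so a
                // destructor that calls releaseSoon() (and grows the Vector) never
                // runs while we are inside Vector code.
                std::unique_ptr<DelayedObject> object = std::move(m_delayedReleaseObjects.back());
                m_delayedReleaseObjects.pop_back();
                object.reset();   // may call releaseSoon() and re-enter this function
                ++releasedCount;
            }
        }
        --m_delayedReleaseRecursionCount;
    }

    ~Heap() { releaseDelayedReleasedObjects(); }
};

DelayedObject::~DelayedObject()
{
    // "Releasing an object can create more objects by calling into JS".
    for (int i = 0; i < spawnOnRelease; ++i)
        heap->releaseSoon(std::make_unique<DelayedObject>(heap, 0));
    // The callee drops its locks on the way out, which re-enters the drain.
    heap->releaseDelayedReleasedObjects();
}

// Queues `count` objects whose releases each queue `fanOut` more, drains, and returns
// the total number of objects released: count * (1 + fanOut).
std::size_t runDelayedReleaseScenario(int count, int fanOut)
{
    Heap heap;
    for (int i = 0; i < count; ++i)
        heap.releaseSoon(std::make_unique<DelayedObject>(&heap, fanOut));
    heap.releaseDelayedReleasedObjects();
    std::size_t released = heap.releasedCount;
    return released;
}

int main()
{
    std::printf("released %zu objects (3 queued, each queuing 2 more)\n",
                runDelayedReleaseScenario(3, 2));
    return 0;
}
```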
1354
1355 2015-02-05  Youenn Fablet  <youenn.fablet@crf.canon.fr> and Xabier Rodriguez Calvar <calvaris@igalia.com>
1356
1357         [Streams API] Implement a barebone ReadableStream interface
1358         https://bugs.webkit.org/show_bug.cgi?id=141045
1359
1360         Reviewed by Benjamin Poulain.
1361
1362         * Configurations/FeatureDefines.xcconfig:
1363
1364 2015-02-05  Saam Barati  <saambarati1@gmail.com>
1365
1366         Crash in uninitialized deconstructing variable.
1367         https://bugs.webkit.org/show_bug.cgi?id=141070
1368
1369         Reviewed by Michael Saboff.
1370
1371         According to the ES6 spec, when a destructuring pattern occurs
1372         as the left hand side of an assignment inside a var declaration 
1373         statement, the assignment must also have a right hand side value.
1374         "var {x} = {};" is a legal syntactic statement, but
1375         "var {x};" is a syntactic error.
1376
1377         Section 13.2.2 of the latest draft ES6 spec specifies this requirement:
1378         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-variable-statement
1379
1380         * parser/Parser.cpp:
1381         (JSC::Parser<LexerType>::parseVarDeclaration):
1382         (JSC::Parser<LexerType>::parseVarDeclarationList):
1383         (JSC::Parser<LexerType>::parseForStatement):
1384         * parser/Parser.h:
1385
1386 2015-02-04  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
1387
1388         Unreviewed, fix a build break on EFL port since r179648.
1389
1390         * heap/MachineStackMarker.cpp: EFL port doesn't use previousThread variable. 
1391         (JSC::MachineThreads::tryCopyOtherThreadStacks):
1392
1393 2015-02-04  Joseph Pecoraro  <pecoraro@apple.com>
1394
1395         Web Inspector: ES6: Improved Console Support for Symbol Objects
1396         https://bugs.webkit.org/show_bug.cgi?id=141173
1397
1398         Reviewed by Timothy Hatcher.
1399
1400         * inspector/protocol/Runtime.json:
1401         New type, "symbol".
1402
1403         * inspector/InjectedScriptSource.js:
1404         Handle Symbol objects in a few places. They don't have properties
1405         and they cannot be implicitly converted to strings.
1406
1407 2015-02-04  Mark Lam  <mark.lam@apple.com>
1408
1409         Undo gardening: Restoring the expected ERROR message since that is not the cause of the bot unhappiness.
1410
1411         Not reviewed.
1412
1413         * heap/MachineStackMarker.cpp:
1414         (JSC::MachineThreads::tryCopyOtherThreadStacks):
1415
1416 2015-02-04  Mark Lam  <mark.lam@apple.com>
1417
1418         Gardening: Changed expected ERROR message to WARNING to make test bots happy.
1419
1420         Rubber stamped by Simon Fraser.
1421
1422         * heap/MachineStackMarker.cpp:
1423         (JSC::MachineThreads::tryCopyOtherThreadStacks):
1424
1425 2015-02-04  Mark Lam  <mark.lam@apple.com>
1426
1427         r179576 introduced a deadlock potential during GC thread suspension.
1428         <https://webkit.org/b/141268>
1429
1430         Reviewed by Michael Saboff.
1431
1432         http://trac.webkit.org/r179576 introduced a potential for deadlocking.
1433         In the GC thread suspension loop, we currently delete
1434         MachineThreads::Thread that we detect to be invalid.  This is unsafe
1435         because we may have already suspended some threads, and one of those
1436         suspended threads may still be holding the C heap lock which we need
1437         for deleting the invalid thread.
1438
1439         The fix is to put the invalid threads in a separate toBeDeleted list,
1440         and delete them only after GC has resumed all threads.
1441
1442         * heap/MachineStackMarker.cpp:
1443         (JSC::MachineThreads::removeCurrentThread):
1444         - Undo refactoring removeThreadWithLockAlreadyAcquired() out of
1445           removeCurrentThread() since it is no longer needed.
1446
1447         (JSC::MachineThreads::tryCopyOtherThreadStacks):
1448         - Put invalid Threads on a threadsToBeDeleted list, and delete those
1449           Threads only after all threads have been resumed.
1450
1451         (JSC::MachineThreads::removeThreadWithLockAlreadyAcquired): Deleted.
1452         * heap/MachineStackMarker.h:
1453
1454 2015-02-04  Joseph Pecoraro  <pecoraro@apple.com>
1455
1456         Web Inspector: Clean up Object Property Descriptor Collection
1457         https://bugs.webkit.org/show_bug.cgi?id=141222
1458
1459         Reviewed by Timothy Hatcher.
1460
1461         * inspector/InjectedScriptSource.js:
1462         Use a list of options when determining which properties to collect
1463         instead of a few booleans with overlapping responsibilities.
1464
1465 2015-02-04  Joseph Pecoraro  <pecoraro@apple.com>
1466
1467         Web Inspector: console.table with columnName filter for non-existent property should still show column
1468         https://bugs.webkit.org/show_bug.cgi?id=141066
1469
1470         Reviewed by Timothy Hatcher.
1471
1472         * inspector/ConsoleMessage.cpp:
1473         (Inspector::ConsoleMessage::addToFrontend):
1474         When a user provides a second argument, e.g. console.table(..., columnNames),
1475         then pass that second argument to the frontend.
1476
1477         * inspector/InjectedScriptSource.js:
1478         Add a FIXME about the old, unused path now.
1479
1480 2015-02-04  Saam Barati  <saambarati1@gmail.com>
1481
1482         TypeSet can use 1 byte instead of 4 bytes for its m_seenTypes member variable
1483         https://bugs.webkit.org/show_bug.cgi?id=141204
1484
1485         Reviewed by Darin Adler.
1486
1487         There is no need to use 32 bits to store a TypeSet::RuntimeType set 
1488         bit-vector when the largest value for a single TypeSet::RuntimeType 
1489         is 0x80. 8 bits is enough to represent the set of seen types.
1490
1491         * dfg/DFGFixupPhase.cpp:
1492         (JSC::DFG::FixupPhase::fixupNode):
1493         * runtime/TypeSet.cpp:
1494         (JSC::TypeSet::doesTypeConformTo):
1495         * runtime/TypeSet.h:
1496         (JSC::TypeSet::seenTypes):
1497
1498 2015-02-04  Mark Lam  <mark.lam@apple.com>
1499
1500         Remove concept of makeUsableFromMultipleThreads().
1501         <https://webkit.org/b/141221>
1502
1503         Reviewed by Mark Hahnenberg.
1504
1505         Currently, we rely on VM::makeUsableFromMultipleThreads() being called before we
1506         start acquiring the JSLock and entering the VM from different threads.
1507         Acquisition of the JSLock will register the acquiring thread with the VM's thread
1508         registry if not already registered.  However, it will only do this if the VM's
1509         thread specific key has been initialized by makeUsableFromMultipleThreads().
1510
1511         This is fragile, and also does not read intuitively because one would expect to
1512         acquire the JSLock before calling any methods on the VM.  This is exactly what
1513         JSGlobalContextCreateInGroup() did (i.e. acquire the lock before calling
1514         makeUsableFromMultipleThreads()), but is wrong.  The result is that the invoking
1515         thread will not have been registered with the VM during that first entry into
1516         the VM.
1517
1518         The fix is to make it so that we initialize the VM's thread specific key on
1519         construction of the VM's MachineThreads registry instead of relying on
1520         makeUsableFromMultipleThreads() being called.  With this, we can eliminate
1521         makeUsableFromMultipleThreads() altogether.
1522
1523         Performance results are neutral in aggregate.
1524
1525         * API/JSContextRef.cpp:
1526         (JSGlobalContextCreateInGroup):
1527         * heap/MachineStackMarker.cpp:
1528         (JSC::MachineThreads::MachineThreads):
1529         (JSC::MachineThreads::~MachineThreads):
1530         (JSC::MachineThreads::addCurrentThread):
1531         (JSC::MachineThreads::removeThread):
1532         (JSC::MachineThreads::gatherConservativeRoots):
1533         (JSC::MachineThreads::makeUsableFromMultipleThreads): Deleted.
1534         * heap/MachineStackMarker.h:
1535         * runtime/VM.cpp:
1536         (JSC::VM::sharedInstance):
1537         * runtime/VM.h:
1538         (JSC::VM::makeUsableFromMultipleThreads): Deleted.
1539
1540 2015-02-04  Chris Dumez  <cdumez@apple.com>
1541
1542         Add removeFirst(value) / removeAll(value) methods to WTF::Vector
1543         https://bugs.webkit.org/show_bug.cgi?id=141192
1544
1545         Reviewed by Benjamin Poulain.
1546
1547         Use new Vector::removeFirst(value) / removeAll(value) API to simplify the
1548         code a bit.
1549
1550         * inspector/InspectorValues.cpp:
1551         (Inspector::InspectorObjectBase::remove):
1552
1553 2015-02-03  Mark Lam  <mark.lam@apple.com>
1554
1555         Work around a thread library bug where thread destructors may not get called.
1556         <https://webkit.org/b/141209>
1557
1558         Reviewed by Michael Saboff.
1559
1560         There's a bug where thread destructors may not get called.  As far as
1561         we know, this only manifests on darwin ports.  We will work around this
1562         by checking at GC time if the platform thread is still valid.  If not,
1563         we'll purge it from the VM's registeredThreads list before proceeding
1564         with thread scanning activity.
1565
1566         Note: it is important that we do this invalid thread detection during
1567         suspension, because the validity (and liveness) of the other thread is
1568         only guaranteed while it is suspended.
1569
1570         * API/tests/testapi.mm:
1571         (threadMain):
1572         - Added a test to enter the VM from another thread before we GC on
1573           the main thread.
1574
1575         * heap/MachineStackMarker.cpp:
1576         (JSC::MachineThreads::removeThreadWithLockAlreadyAcquired):
1577         (JSC::MachineThreads::removeCurrentThread):
1578         - refactored removeThreadWithLockAlreadyAcquired() out from
1579           removeCurrentThread() so that we can also call it for purging invalid
1580           threads.
1581         (JSC::suspendThread):
1582         - Added a return status to tell if the suspension succeeded or not.
1583         (JSC::MachineThreads::tryCopyOtherThreadStacks):
1584         - Check if the suspension failed, and purge the thread if we can't
1585           suspend it.  Failure to suspend implies that the thread has
1586           terminated without calling its destructor.
1587         * heap/MachineStackMarker.h:
1588
1589 2015-02-03  Joseph Pecoraro  <pecoraro@apple.com>
1590
1591         Web Inspector: ASSERT mainThreadPthread launching remote debuggable JSContext app with Debug JavaScriptCore
1592         https://bugs.webkit.org/show_bug.cgi?id=141189
1593
1594         Reviewed by Michael Saboff.
1595
1596         * inspector/remote/RemoteInspector.mm:
1597         (Inspector::RemoteInspector::singleton):
1598         Ensure we call WTF::initializeMainThread() on the main thread so that
1599         we can perform automatic String <-> NSString conversions.
1600
1601 2015-02-03  Brent Fulgham  <bfulgham@apple.com>
1602
1603         [Win] Project file cleanups after r179429.
1604
1605         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1606         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1607
1608 2015-02-02  Filip Pizlo  <fpizlo@apple.com>
1609
1610         arguments[-1] should have well-defined behavior
1611         https://bugs.webkit.org/show_bug.cgi?id=141183
1612
1613         Reviewed by Mark Lam.
1614         
1615         According to JSC's internal argument numbering, 0 is "this" and 1 is the first argument.
1616         In the "arguments[i]" expression, "this" is not accessible and i = 0 refers to the first
1617         argument. Previously we handled the bounds check in "arguments[i]" - where "arguments" is
1618         statically known to be the current function's arguments object - as follows:
1619         
1620             add 1, i
1621             branchAboveOrEqual i, callFrame.ArgumentCount, slowPath
1622         
1623         The problem with this is that if i = -1, this passes the test, and we end up accessing
1624         what would be the "this" argument slot. That's wrong, since we should really be bottoming
1625         out in arguments["-1"], which is usually undefined but could be anything. It's even worse
1626         if the function is inlined or if we're in a constructor - in that case the "this" slot
1627         could be garbage.
1628         
1629         It turns out that we had this bug in all of our engines.
1630         
1631         This fixes the issue by changing the algorithm to:
1632         
1633             load32 callFrame.ArgumentCount, tmp
1634             sub 1, tmp
1635             branchAboveOrEqual i, tmp, slowPath
1636         
1637         In some engines, we would have used the modified "i" (the one that had 1 added to it) for
1638         the subsequent argument load; since we don't do this anymore I also had to change some of
1639         the offsets on the BaseIndex arguments load.
1640         
1641         This also includes tests that are written in such a way as to get coverage on LLInt and
1642         Baseline JIT (get-my-argument-by-val-wrap-around-no-warm-up), DFG and FTL
1643         (get-my-argument-by-val-wrap-around), and DFG when we're being paranoid about the user
1644         overwriting the "arguments" variable (get-my-argument-by-val-safe-wrap-around). This also
1645         includes off-by-1 out-of-bounds tests for each of these cases, since in the process of
1646         writing the patch I broke the arguments[arguments.length] case in the DFG and didn't see
1647         any test failures.
1648
1649         * dfg/DFGSpeculativeJIT32_64.cpp:
1650         (JSC::DFG::SpeculativeJIT::compile):
1651         * dfg/DFGSpeculativeJIT64.cpp:
1652         (JSC::DFG::SpeculativeJIT::compile):
1653         * ftl/FTLLowerDFGToLLVM.cpp:
1654         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
1655         * jit/AssemblyHelpers.h:
1656         (JSC::AssemblyHelpers::offsetOfArguments):
1657         (JSC::AssemblyHelpers::offsetOfArgumentsIncludingThis): Deleted.
1658         * jit/JITOpcodes.cpp:
1659         (JSC::JIT::emit_op_get_argument_by_val):
1660         * jit/JITOpcodes32_64.cpp:
1661         (JSC::JIT::emit_op_get_argument_by_val):
1662         * llint/LowLevelInterpreter.asm:
1663         * llint/LowLevelInterpreter32_64.asm:
1664         * llint/LowLevelInterpreter64.asm:
1665         * tests/stress/get-my-argument-by-val-out-of-bounds-no-warm-up.js: Added.
1666         (foo):
1667         * tests/stress/get-my-argument-by-val-out-of-bounds.js: Added.
1668         (foo):
1669         * tests/stress/get-my-argument-by-val-safe-out-of-bounds.js: Added.
1670         (foo):
1671         * tests/stress/get-my-argument-by-val-safe-wrap-around.js: Added.
1672         (foo):
1673         * tests/stress/get-my-argument-by-val-wrap-around-no-warm-up.js: Added.
1674         (foo):
1675         * tests/stress/get-my-argument-by-val-wrap-around.js: Added.
1676         (foo):
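
        Added model (not JSC's JIT code) of the two bounds-check sequences in this entry, written out with explicit unsigned comparisons because branchAboveOrEqual is an unsigned branch; callFrame.ArgumentCount is modelled as 1 + the number of passed arguments, since slot 0 is "this", and the frame with no arguments (ArgumentCount == 1) is included as the edge case.

```cpp
#include <cstdint>
#include <cstdio>

// Constructed model of the bounds check in "arguments[i]" when "arguments" is
// statically known to be the current frame's arguments object.
// A negative i becomes a huge unsigned value under the cast, which is exactly
// what the JIT's unsigned branch sees.

// Old sequence:  add 1, i ; branchAboveOrEqual i, callFrame.ArgumentCount, slowPath
// Returns true when the fast path is taken (a slot is loaded), false for the slow path.
bool oldCheckTakesFastPath(int32_t i, uint32_t argumentCount)
{
    uint32_t biased = static_cast<uint32_t>(i) + 1u;   // i = -1 wraps to 0 and slips through
    return biased < argumentCount;
}

// New sequence:  load32 callFrame.ArgumentCount, tmp ; sub 1, tmp ; branchAboveOrEqual i, tmp, slowPath
bool newCheckTakesFastPath(int32_t i, uint32_t argumentCount)
{
    uint32_t tmp = argumentCount - 1u;                 // number of real arguments
    return static_cast<uint32_t>(i) < tmp;             // -1 is 0xFFFFFFFF, never below tmp
}

// Internal slot the old fast path would read: 0 is "this", 1 is the first argument.
// Only meaningful when oldCheckTakesFastPath() returned true.
uint32_t oldFastPathSlot(int32_t i)
{
    return static_cast<uint32_t>(i) + 1u;
}

int main()
{
    const uint32_t argumentCount = 3;   // constructed: f(a, b), i.e. "this" + 2 arguments
    std::printf("ArgumentCount = %u (this + 2 arguments)\n", argumentCount);
    for (int32_t i = -1; i <= 3; ++i) {
        std::printf("arguments[%2d]: old fast path = %d (slot %u), new fast path = %d\n",
                    i, oldCheckTakesFastPath(i, argumentCount), oldFastPathSlot(i),
                    newCheckTakesFastPath(i, argumentCount));
    }
    // Inlined frame with no arguments: tmp becomes 0, so every index takes the slow path.
    std::printf("no-argument frame, arguments[0]: new fast path = %d\n",
                newCheckTakesFastPath(0, 1));
    return 0;
}
```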
1677
1678 2015-02-02  Filip Pizlo  <fpizlo@apple.com>
1679
1680         MultiGetByOffset should be marked NodeMustGenerate
1681         https://bugs.webkit.org/show_bug.cgi?id=140137
1682
1683         Reviewed by Michael Saboff.
1684
1685         * dfg/DFGNode.h:
1686         (JSC::DFG::Node::convertToGetByOffset): We were sloppy - we should also clear NodeMustGenerate once it's a GetByOffset.
1687         (JSC::DFG::Node::convertToMultiGetByOffset): Assert that we converted from something that already had NodeMustGenerate.
1688         * dfg/DFGNodeType.h: We shouldn't DCE a node that does checks and could be effectful in baseline. Making MultiGetByOffset as NodeMustGenerate prevents DCE. FTL could still DCE the actual loads, but the checks will stay.
1689         * tests/stress/multi-get-by-offset-dce.js: Added. This previously failed because the getter wasn't called.
1690         (foo):
1691
1692 2015-02-02  Filip Pizlo  <fpizlo@apple.com>
1693
1694         [FTL] inlined GetMyArgumentByVal with no arguments passed causes instant crash
1695         https://bugs.webkit.org/show_bug.cgi?id=141180
1696         rdar://problem/19677552
1697
1698         Reviewed by Benjamin Poulain.
1699         
1700         If we do a GetMyArgumentByVal on an inlined call frame that has no arguments, then the
1701         bounds check already terminates execution. This means we can skip the part where we
1702         previously did an out-of-bounds array access on the inlined call frame arguments vector.
1703
1704         * ftl/FTLLowerDFGToLLVM.cpp:
1705         (JSC::FTL::LowerDFGToLLVM::safelyInvalidateAfterTermination):
1706         (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
1707         (JSC::FTL::LowerDFGToLLVM::terminate):
1708         (JSC::FTL::LowerDFGToLLVM::didAlreadyTerminate):
1709         (JSC::FTL::LowerDFGToLLVM::crash):
1710         * tests/stress/get-my-argument-by-val-inlined-no-formal-parameters.js: Added.
1711         (foo):
1712         (bar):
1713
1714 2015-02-02  Filip Pizlo  <fpizlo@apple.com>
1715
1716         REGRESSION(r179477): arguments simplification no longer works
1717         https://bugs.webkit.org/show_bug.cgi?id=141169
1718
1719         Reviewed by Mark Lam.
1720         
1721         The operations involved in callee/scope access don't exit and shouldn't get in the way
1722         of strength-reducing a Flush to a PhantomLocal. Then the PhantomLocal shouldn't get in
1723         the way of further such strength-reduction. We also need to canonicalize PhantomLocal
1724         before running arguments simplification.
1725
1726         * dfg/DFGMayExit.cpp:
1727         (JSC::DFG::mayExit):
1728         * dfg/DFGPlan.cpp:
1729         (JSC::DFG::Plan::compileInThreadImpl):
1730         * dfg/DFGStrengthReductionPhase.cpp:
1731         (JSC::DFG::StrengthReductionPhase::handleNode):
1732
1733 2015-02-02  Filip Pizlo  <fpizlo@apple.com>
1734
1735         VirtualRegister should really know how to dump itself
1736         https://bugs.webkit.org/show_bug.cgi?id=141171
1737
1738         Reviewed by Geoffrey Garen.
1739         
1740         Gives VirtualRegister a dump() method that pretty-prints the virtual register. The rest of
1741         the patch is all about using this new power.
1742
1743         * CMakeLists.txt:
1744         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1745         * JavaScriptCore.xcodeproj/project.pbxproj:
1746         * bytecode/CodeBlock.cpp:
1747         (JSC::constantName):
1748         (JSC::CodeBlock::registerName):
1749         * bytecode/CodeBlock.h:
1750         (JSC::missingThisObjectMarker): Deleted.
1751         * bytecode/VirtualRegister.cpp: Added.
1752         (JSC::VirtualRegister::dump):
1753         * bytecode/VirtualRegister.h:
1754         (WTF::printInternal): Deleted.
1755         * dfg/DFGArgumentPosition.h:
1756         (JSC::DFG::ArgumentPosition::dump):
1757         * dfg/DFGFlushedAt.cpp:
1758         (JSC::DFG::FlushedAt::dump):
1759         * dfg/DFGGraph.cpp:
1760         (JSC::DFG::Graph::dump):
1761         * dfg/DFGPutLocalSinkingPhase.cpp:
1762         * dfg/DFGSSAConversionPhase.cpp:
1763         (JSC::DFG::SSAConversionPhase::run):
1764         * dfg/DFGValidate.cpp:
1765         (JSC::DFG::Validate::reportValidationContext):
1766         * dfg/DFGValueSource.cpp:
1767         (JSC::DFG::ValueSource::dump):
1768         * dfg/DFGVariableEvent.cpp:
1769         (JSC::DFG::VariableEvent::dump):
1770         (JSC::DFG::VariableEvent::dumpSpillInfo):
1771         * ftl/FTLExitArgumentForOperand.cpp:
1772         (JSC::FTL::ExitArgumentForOperand::dump):
1773         * ftl/FTLExitValue.cpp:
1774         (JSC::FTL::ExitValue::dumpInContext):
1775         * profiler/ProfilerBytecodeSequence.cpp:
1776         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
1777
1778 2015-02-02  Geoffrey Garen  <ggaren@apple.com>
1779
1780         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
1781         https://bugs.webkit.org/show_bug.cgi?id=140900
1782
1783         Reviewed by Mark Hahnenberg.
1784
1785         Re-landing just the HandleBlock piece of this patch.
1786
1787         * heap/HandleBlock.h:
1788         * heap/HandleBlockInlines.h:
1789         (JSC::HandleBlock::create):
1790         (JSC::HandleBlock::destroy):
1791         (JSC::HandleBlock::HandleBlock):
1792         (JSC::HandleBlock::payloadEnd):
1793         * heap/HandleSet.cpp:
1794         (JSC::HandleSet::~HandleSet):
1795         (JSC::HandleSet::grow):
1796
1797 2015-02-02  Joseph Pecoraro  <pecoraro@apple.com>
1798
1799         Web Inspector: Support console.table
1800         https://bugs.webkit.org/show_bug.cgi?id=141058
1801
1802         Reviewed by Timothy Hatcher.
1803
1804         * inspector/InjectedScriptSource.js:
1805         Include the firstLevelKeys filter when generating previews.
1806
1807         * runtime/ConsoleClient.cpp:
1808         (JSC::appendMessagePrefix):
1809         Differentiate console.table logs to system log.
1810
1811 2015-01-31  Filip Pizlo  <fpizlo@apple.com>
1812
1813         BinarySwitch should be faster on average
1814         https://bugs.webkit.org/show_bug.cgi?id=141046
1815
1816         Reviewed by Anders Carlsson.
1817         
1818         This optimizes our binary switch using math. It's strictly better than what we had before
1819         assuming we bottom out in some case (rather than fall through), assuming all cases get
1820         hit with equal probability. The difference is particularly large for large switch
1821         statements. For example, a switch statement with 1000 cases would previously require on
1822         average 13.207 branches to get to some case, while now it just requires 10.464.
1823         
1824         This is also a progression for the fall-through case, though we could shave off another
1825         1/6 branch on average if we wanted to - though it would regress taking a case (not falling
1826         through) by 1/6 branch. I believe it's better to bias the BinarySwitch for not falling
1827         through.
1828         
1829         This also adds some randomness to the algorithm to minimize the likelihood of us
1830         generating a switch statement that is always particularly bad for some input. Note that
1831         the randomness has no effect on average-case performance assuming all cases are equally
1832         likely.
1833         
1834         This ought to have no actual performance change because we don't rely on binary switches
1835         that much. The main reason why this change is interesting is that I'm finding myself
1836         increasingly relying on BinarySwitch, and I'd like to know that it's optimal.
1837
1838         * jit/BinarySwitch.cpp:
1839         (JSC::BinarySwitch::BinarySwitch):
1840         (JSC::BinarySwitch::~BinarySwitch):
1841         (JSC::BinarySwitch::build):
1842         * jit/BinarySwitch.h:
1843
1844 2015-02-02  Joseph Pecoraro  <pecoraro@apple.com>
1845
1846         Web Inspector: Extend CSS.getSupportedCSSProperties to provide values for properties for CSS Augmented JSContext
1847         https://bugs.webkit.org/show_bug.cgi?id=141064
1848
1849         Reviewed by Timothy Hatcher.
1850
1851         * inspector/protocol/CSS.json:
1852
1853 2015-02-02  Daniel Bates  <dabates@apple.com>
1854
1855         [iOS] ASSERTION FAILED: m_scriptExecutionContext->isContextThread() in ContextDestructionObserver::observeContext
1856         https://bugs.webkit.org/show_bug.cgi?id=141057
1857         <rdar://problem/19068790>
1858
1859         Reviewed by Alexey Proskuryakov.
1860
1861         * inspector/remote/RemoteInspector.mm:
1862         (Inspector::RemoteInspector::receivedIndicateMessage): Modified to call WTF::callOnWebThreadOrDispatchAsyncOnMainThread().
1863         (Inspector::dispatchAsyncOnQueueSafeForAnyDebuggable): Deleted; moved logic to common helper function,
1864         WTF::callOnWebThreadOrDispatchAsyncOnMainThread() so that it can be called from both RemoteInspector::receivedIndicateMessage()
1865         and CryptoKeyRSA::generatePair().
1866
1867 2015-02-02  Saam Barati  <saambarati1@gmail.com>
1868
1869         Create tests for JSC's Control Flow Profiler
1870         https://bugs.webkit.org/show_bug.cgi?id=141123
1871
1872         Reviewed by Filip Pizlo.
1873
1874         This patch creates a control flow profiler testing API in jsc.cpp 
1875         that accepts a function and a string as arguments. The string must 
1876         be a substring of the text of the function argument. The API returns 
1877         a boolean indicating whether or not the basic block that encloses the 
1878         substring has executed.
1879
1880         This patch uses this API to test that the control flow profiler
1881         behaves as expected on basic block boundaries. These tests do not
1882         provide full coverage for all JavaScript statements that can create
1883         basic block boundaries. Full coverage will come in a later patch.
1884
1885         * jsc.cpp:
1886         (GlobalObject::finishCreation):
1887         (functionHasBasicBlockExecuted):
1888         * runtime/ControlFlowProfiler.cpp:
1889         (JSC::ControlFlowProfiler::hasBasicBlockAtTextOffsetBeenExecuted):
1890         * runtime/ControlFlowProfiler.h:
1891         * tests/controlFlowProfiler: Added.
1892         * tests/controlFlowProfiler.yaml: Added.
1893         * tests/controlFlowProfiler/driver: Added.
1894         * tests/controlFlowProfiler/driver/driver.js: Added.
1895         (assert):
1896         * tests/controlFlowProfiler/if-statement.js: Added.
1897         (testIf):
1898         (noMatches):
1899         * tests/controlFlowProfiler/loop-statements.js: Added.
1900         (forRegular):
1901         (forIn):
1902         (forOf):
1903         (whileLoop):
1904         * tests/controlFlowProfiler/switch-statements.js: Added.
1905         (testSwitch):
1906         * tests/controlFlowProfiler/test-jit.js: Added.
1907         (tierUpToBaseline):
1908         (tierUpToDFG):
1909         (baselineTest):
1910         (dfgTest):
1911
1912 2015-01-28  Filip Pizlo  <fpizlo@apple.com>
1913
1914         Polymorphic call inlining should be based on polymorphic call inline caching rather than logging
1915         https://bugs.webkit.org/show_bug.cgi?id=140660
1916
1917         Reviewed by Geoffrey Garen.
1918         
1919         When we first implemented polymorphic call inlining, we did the profiling based on a call
1920         edge log. The idea was to store each call edge (a tuple of call site and callee) into a
1921         global log that was processed lazily. Processing the log would give precise counts of call
1922         edges, and could be used to drive well-informed inlining decisions - polymorphic or not.
1923         This was a speed-up on throughput tests but a slow-down for latency tests. It was a net win
1924         nonetheless.
1925         
1926         Experience with this code shows three things. First, the call edge profiler is buggy and
1927         complex. It would take work to fix the bugs. Second, the call edge profiler incurs lots of
1928         overhead for latency code that we care deeply about. Third, it's not at all clear that
1929         having call edge counts for every possible callee is any better than just having call edge
1930         counts for the limited number of callees that an inline cache would catch.
1931         
1932         So, this patch removes the call edge profiler and replaces it with a polymorphic call inline
1933         cache. If we miss the basic call inline cache, we inflate the cache to be a jump to an
1934         out-of-line stub that cases on the previously known callees. If that misses again, then we
1935         rewrite that stub to include the new callee. We do this up to some number of callees. If we
1936         hit the limit then we switch to using a plain virtual call.
1937         
1938         Substantial speed-up on V8Spider; undoes the slow-down that the original call edge profiler
1939         caused. Might be a SunSpider speed-up (below 1%), depending on hardware.
1940         
1941         Rolling this back in after fixing https://bugs.webkit.org/show_bug.cgi?id=141107.
1942
1943         * CMakeLists.txt:
1944         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1945         * JavaScriptCore.xcodeproj/project.pbxproj:
1946         * bytecode/CallEdge.h:
1947         (JSC::CallEdge::count):
1948         (JSC::CallEdge::CallEdge):
1949         * bytecode/CallEdgeProfile.cpp: Removed.
1950         * bytecode/CallEdgeProfile.h: Removed.
1951         * bytecode/CallEdgeProfileInlines.h: Removed.
1952         * bytecode/CallLinkInfo.cpp:
1953         (JSC::CallLinkInfo::unlink):
1954         (JSC::CallLinkInfo::visitWeak):
1955         * bytecode/CallLinkInfo.h:
1956         * bytecode/CallLinkStatus.cpp:
1957         (JSC::CallLinkStatus::CallLinkStatus):
1958         (JSC::CallLinkStatus::computeFor):
1959         (JSC::CallLinkStatus::computeFromCallLinkInfo):
1960         (JSC::CallLinkStatus::isClosureCall):
1961         (JSC::CallLinkStatus::makeClosureCall):
1962         (JSC::CallLinkStatus::dump):
1963         (JSC::CallLinkStatus::computeFromCallEdgeProfile): Deleted.
1964         * bytecode/CallLinkStatus.h:
1965         (JSC::CallLinkStatus::CallLinkStatus):
1966         (JSC::CallLinkStatus::isSet):
1967         (JSC::CallLinkStatus::variants):
1968         (JSC::CallLinkStatus::size):
1969         (JSC::CallLinkStatus::at):
1970         (JSC::CallLinkStatus::operator[]):
1971         (JSC::CallLinkStatus::canOptimize):
1972         (JSC::CallLinkStatus::edges): Deleted.
1973         (JSC::CallLinkStatus::canTrustCounts): Deleted.
1974         * bytecode/CallVariant.cpp:
1975         (JSC::variantListWithVariant):
1976         (JSC::despecifiedVariantList):
1977         * bytecode/CallVariant.h:
1978         * bytecode/CodeBlock.cpp:
1979         (JSC::CodeBlock::~CodeBlock):
1980         (JSC::CodeBlock::linkIncomingPolymorphicCall):
1981         (JSC::CodeBlock::unlinkIncomingCalls):
1982         (JSC::CodeBlock::noticeIncomingCall):
1983         * bytecode/CodeBlock.h:
1984         (JSC::CodeBlock::isIncomingCallAlreadyLinked): Deleted.
1985         * dfg/DFGAbstractInterpreterInlines.h:
1986         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1987         * dfg/DFGByteCodeParser.cpp:
1988         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
1989         (JSC::DFG::ByteCodeParser::handleCall):
1990         (JSC::DFG::ByteCodeParser::handleInlining):
1991         * dfg/DFGClobberize.h:
1992         (JSC::DFG::clobberize):
1993         * dfg/DFGConstantFoldingPhase.cpp:
1994         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1995         * dfg/DFGDoesGC.cpp:
1996         (JSC::DFG::doesGC):
1997         * dfg/DFGDriver.cpp:
1998         (JSC::DFG::compileImpl):
1999         * dfg/DFGFixupPhase.cpp:
2000         (JSC::DFG::FixupPhase::fixupNode):
2001         * dfg/DFGNode.h:
2002         (JSC::DFG::Node::hasHeapPrediction):
2003         * dfg/DFGNodeType.h:
2004         * dfg/DFGOperations.cpp:
2005         * dfg/DFGPredictionPropagationPhase.cpp:
2006         (JSC::DFG::PredictionPropagationPhase::propagate):
2007         * dfg/DFGSafeToExecute.h:
2008         (JSC::DFG::safeToExecute):
2009         * dfg/DFGSpeculativeJIT32_64.cpp:
2010         (JSC::DFG::SpeculativeJIT::emitCall):
2011         (JSC::DFG::SpeculativeJIT::compile):
2012         * dfg/DFGSpeculativeJIT64.cpp:
2013         (JSC::DFG::SpeculativeJIT::emitCall):
2014         (JSC::DFG::SpeculativeJIT::compile):
2015         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2016         (JSC::DFG::TierUpCheckInjectionPhase::run):
2017         (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling): Deleted.
2018         * ftl/FTLCapabilities.cpp:
2019         (JSC::FTL::canCompile):
2020         * heap/Heap.cpp:
2021         (JSC::Heap::collect):
2022         * jit/BinarySwitch.h:
2023         * jit/ClosureCallStubRoutine.cpp: Removed.
2024         * jit/ClosureCallStubRoutine.h: Removed.
2025         * jit/JITCall.cpp:
2026         (JSC::JIT::compileOpCall):
2027         * jit/JITCall32_64.cpp:
2028         (JSC::JIT::compileOpCall):
2029         * jit/JITOperations.cpp:
2030         * jit/JITOperations.h:
2031         (JSC::operationLinkPolymorphicCallFor):
2032         (JSC::operationLinkClosureCallFor): Deleted.
2033         * jit/JITStubRoutine.h:
2034         * jit/JITWriteBarrier.h:
2035         * jit/PolymorphicCallStubRoutine.cpp: Added.
2036         (JSC::PolymorphicCallNode::~PolymorphicCallNode):
2037         (JSC::PolymorphicCallNode::unlink):
2038         (JSC::PolymorphicCallCase::dump):
2039         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
2040         (JSC::PolymorphicCallStubRoutine::~PolymorphicCallStubRoutine):
2041         (JSC::PolymorphicCallStubRoutine::variants):
2042         (JSC::PolymorphicCallStubRoutine::edges):
2043         (JSC::PolymorphicCallStubRoutine::visitWeak):
2044         (JSC::PolymorphicCallStubRoutine::markRequiredObjectsInternal):
2045         * jit/PolymorphicCallStubRoutine.h: Added.
2046         (JSC::PolymorphicCallNode::PolymorphicCallNode):
2047         (JSC::PolymorphicCallCase::PolymorphicCallCase):
2048         (JSC::PolymorphicCallCase::variant):
2049         (JSC::PolymorphicCallCase::codeBlock):
2050         * jit/Repatch.cpp:
2051         (JSC::linkSlowFor):
2052         (JSC::linkFor):
2053         (JSC::revertCall):
2054         (JSC::unlinkFor):
2055         (JSC::linkVirtualFor):
2056         (JSC::linkPolymorphicCall):
2057         (JSC::linkClosureCall): Deleted.
2058         * jit/Repatch.h:
2059         * jit/ThunkGenerators.cpp:
2060         (JSC::linkPolymorphicCallForThunkGenerator):
2061         (JSC::linkPolymorphicCallThunkGenerator):
2062         (JSC::linkPolymorphicCallThatPreservesRegsThunkGenerator):
2063         (JSC::linkClosureCallForThunkGenerator): Deleted.
2064         (JSC::linkClosureCallThunkGenerator): Deleted.
2065         (JSC::linkClosureCallThatPreservesRegsThunkGenerator): Deleted.
2066         * jit/ThunkGenerators.h:
2067         (JSC::linkPolymorphicCallThunkGeneratorFor):
2068         (JSC::linkClosureCallThunkGeneratorFor): Deleted.
2069         * llint/LLIntSlowPaths.cpp:
2070         (JSC::LLInt::jitCompileAndSetHeuristics):
2071         * runtime/Options.h:
2072         * runtime/VM.cpp:
2073         (JSC::VM::prepareToDiscardCode):
2074         (JSC::VM::ensureCallEdgeLog): Deleted.
2075         * runtime/VM.h:
2076
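The cache policy the entry above describes (link one callee, inflate to an out-of-line stub that cases on the known callees, rewrite the stub per new callee, fall back to a virtual call past a limit) is easier to see as a small state machine. The following is an added example, not JavaScriptCore code: `CallSiteCache`, `maxPolymorphism`, `runWorkload` and the state names are assumed for the model, and the cap is a parameter here because the entry does not state its value.

```javascript
// Added example, not JavaScriptCore code: a model of the polymorphic call
// inline-cache policy described in the ChangeLog entry. CallSiteCache,
// maxPolymorphism and the state names are assumptions of this model.

const maxPolymorphism = 4; // assumed cap; the real value is not stated in the entry

class CallSiteCache {
  constructor(limit = maxPolymorphism) {
    this.limit = limit;
    this.state = 'unlinked';   // unlinked -> monomorphic -> polymorphic -> virtual
    this.callees = [];         // callees the out-of-line stub currently cases on
    this.stubRewrites = 0;     // times the stub was regenerated to add a callee
    this.hits = 0;
    this.misses = 0;
  }

  // One call through the cache. A virtual-call site never misses again; a
  // linked site hits when the callee is one the stub already cases on.
  call(callee, thisValue, ...args) {
    if (this.state === 'virtual' || this.callees.includes(callee)) this.hits++;
    else this.miss(callee);
    return callee.apply(thisValue, args);
  }

  // Miss handling: link the first callee, inflate to a stub that cases on the
  // known callees, rewrite it per new callee, and give up at the limit.
  miss(callee) {
    this.misses++;
    if (this.state === 'unlinked') {
      this.state = 'monomorphic';
      this.callees.push(callee);
    } else if (this.callees.length < this.limit) {
      this.state = 'polymorphic';
      this.callees.push(callee);
      this.stubRewrites++;
    } else {
      this.state = 'virtual';
      this.callees = [];
    }
  }

  // What an optimizing tier could read off the cache (cf. CallLinkStatus in
  // the file list): the known variants, and whether they can drive inlining.
  status() {
    return {
      state: this.state,
      variants: this.callees.slice(),
      canOptimize: this.state === 'monomorphic' || this.state === 'polymorphic',
    };
  }
}

// A single syntactic call site that sees three callees: method calls on
// mixed receivers (constructed sample workload).
function runWorkload(cache) {
  const circle = { r: 2, area() { return Math.PI * this.r * this.r; } };
  const square = { s: 3, area() { return this.s * this.s; } };
  const triangle = { b: 4, h: 5, area() { return this.b * this.h / 2; } };
  let total = 0;
  for (const shape of [circle, square, circle, triangle, square]) {
    total += cache.call(shape.area, shape);
  }
  return total;
}
```

With a cap of 4 the workload leaves the site polymorphic over three callees after three misses and two hits; with a cap of 2 the third callee pushes it to a virtual call, after which the optimizing tier sees no variants to inline.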
2077 2015-01-30  Filip Pizlo  <fpizlo@apple.com>
2078
2079         Converting Flushes and PhantomLocals to Phantoms requires an OSR availability analysis rather than just using the SetLocal's child
2080         https://bugs.webkit.org/show_bug.cgi?id=141107
2081
2082         Reviewed by Michael Saboff.
2083         
2084         See the bugzilla for a discussion of the problem. This addresses the problem by ensuring
2085         that Flushes are always strength-reduced to PhantomLocals, and CPS rethreading does a mini
2086         OSR availability analysis to determine the right MovHint value to use for the Phantom.
2087
2088         * dfg/DFGCPSRethreadingPhase.cpp:
2089         (JSC::DFG::CPSRethreadingPhase::CPSRethreadingPhase):
2090         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
2091         (JSC::DFG::CPSRethreadingPhase::clearVariables):
2092         (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
2093         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
2094         (JSC::DFG::CPSRethreadingPhase::clearVariablesAtHeadAndTail): Deleted.
2095         * dfg/DFGNode.h:
2096         (JSC::DFG::Node::convertPhantomToPhantomLocal):
2097         (JSC::DFG::Node::convertFlushToPhantomLocal):
2098         (JSC::DFG::Node::convertToPhantomLocal): Deleted.
2099         * dfg/DFGStrengthReductionPhase.cpp:
2100         (JSC::DFG::StrengthReductionPhase::handleNode):
2101         * tests/stress/inline-call-that-doesnt-use-all-args.js: Added.
2102         (foo):
2103         (bar):
2104         (baz):
2105
2106 2015-01-31  Michael Saboff  <msaboff@apple.com>
2107
2108         Crash (DFG assertion) beneath AbstractInterpreter::verifyEdge() @ http://experilous.com/1/planet-generator/2014-09-28/version-1
2109         https://bugs.webkit.org/show_bug.cgi?id=141111
2110
2111         Reviewed by Filip Pizlo.
2112
2113         In LowerDFGToLLVM::compileNode(), if we determine while compiling a node that we would have
2114         exited, we don't need to process the OSR availability or abstract interpreter.
2115
2116         * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::safelyInvalidateAfterTermination): Broke this out as a separate
        method since we need to call it at the top and near the bottom of compileNode().
2119         (JSC::FTL::LowerDFGToLLVM::compileNode):
2120
2121 2015-01-31  Sam Weinig  <sam@webkit.org>
2122
2123         Remove even more Mountain Lion support
2124         https://bugs.webkit.org/show_bug.cgi?id=141124
2125
2126         Reviewed by Alexey Proskuryakov.
2127
2128         * API/tests/DateTests.mm:
2129         * Configurations/Base.xcconfig:
2130         * Configurations/DebugRelease.xcconfig:
2131         * Configurations/FeatureDefines.xcconfig:
2132         * Configurations/Version.xcconfig:
2133         * jit/ExecutableAllocatorFixedVMPool.cpp:
2134
2135 2015-01-31  Commit Queue  <commit-queue@webkit.org>
2136
2137         Unreviewed, rolling out r179426.
2138         https://bugs.webkit.org/show_bug.cgi?id=141119
2139
2140         "caused a memory use regression" (Requested by Guest45 on
2141         #webkit).
2142
2143         Reverted changeset:
2144
2145         "Use FastMalloc (bmalloc) instead of BlockAllocator for GC
2146         pages"
2147         https://bugs.webkit.org/show_bug.cgi?id=140900
2148         http://trac.webkit.org/changeset/179426
2149
2150 2015-01-30  Daniel Bates  <dabates@apple.com>
2151
2152         Clean up: Remove unnecessary <dispatch/dispatch.h> header from RemoteInspectorDebuggableConnection.h
2153         https://bugs.webkit.org/show_bug.cgi?id=141067
2154
2155         Reviewed by Timothy Hatcher.
2156
2157         Remove the header <dispatch/dispatch.h> from RemoteInspectorDebuggableConnection.h as we
2158         do not make use of its functionality. Instead, include this header in RemoteInspectorDebuggableConnection.mm
2159         and RemoteInspector.mm. The latter depended on <dispatch/dispatch.h> being included via
2160         header RemoteInspectorDebuggableConnection.h.
2161
2162         * inspector/remote/RemoteInspector.mm: Include header <dispatch/dispatch.h>.
2163         * inspector/remote/RemoteInspectorDebuggableConnection.h: Remove header <dispatch/dispatch.h>.
2164         * inspector/remote/RemoteInspectorDebuggableConnection.mm: Include header <dispatch/dispatch.h>.
2165
2166 2015-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2167
2168         Implement ES6 Symbol
2169         https://bugs.webkit.org/show_bug.cgi?id=140435
2170
2171         Reviewed by Geoffrey Garen.
2172
2173         This patch implements ES6 Symbol. In this patch, we don't support
2174         Symbol.keyFor, Symbol.for, Object.getOwnPropertySymbols. They will be
2175         supported in the subsequent patches.
2176
        Since ES6 Symbol is introduced as a new primitive value, we implement
        Symbol as a class derived from JSCell. And now JSValue accepts Symbol*
        as a new primitive value.
2180
        Symbol has a *unique* flagged StringImpl* as a `uid`, whose pointer
        value represents the Symbol's identity. So don't use the Symbol's
        JSCell pointer value for comparison.
        This enables re-producing a Symbol primitive value from a StringImpl* uid
        by executing `Symbol::create(vm, uid)`. This is needed to produce
        Symbol primitive values from stored StringImpl* in `Object.getOwnPropertySymbols`.
2187
2188         And Symbol.[[Description]] is folded into the string value of Symbol's uid.
2189         By doing so, we can represent ES6 Symbol without extending current PropertyTable key; StringImpl*.
2190
2191         * CMakeLists.txt:
2192         * DerivedSources.make:
2193         * JavaScriptCore.order:
2194         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2195         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2196         * JavaScriptCore.xcodeproj/project.pbxproj:
2197         * builtins/BuiltinExecutables.cpp:
2198         (JSC::BuiltinExecutables::createBuiltinExecutable):
2199         * builtins/BuiltinNames.h:
2200         * dfg/DFGOperations.cpp:
2201         (JSC::DFG::operationPutByValInternal):
2202         * inspector/JSInjectedScriptHost.cpp:
2203         (Inspector::JSInjectedScriptHost::subtype):
2204         * interpreter/Interpreter.cpp:
2205         * jit/JITOperations.cpp:
2206         (JSC::getByVal):
2207         * llint/LLIntData.cpp:
2208         (JSC::LLInt::Data::performAssertions):
2209         * llint/LLIntSlowPaths.cpp:
2210         (JSC::LLInt::getByVal):
2211         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2212         * llint/LowLevelInterpreter.asm:
2213         * runtime/CommonIdentifiers.h:
2214         * runtime/CommonSlowPaths.cpp:
2215         (JSC::SLOW_PATH_DECL):
2216         * runtime/CommonSlowPaths.h:
2217         (JSC::CommonSlowPaths::opIn):
2218         * runtime/ExceptionHelpers.cpp:
2219         (JSC::createUndefinedVariableError):
2220         * runtime/JSCJSValue.cpp:
2221         (JSC::JSValue::synthesizePrototype):
2222         (JSC::JSValue::dumpInContextAssumingStructure):
2223         (JSC::JSValue::toStringSlowCase):
2224         * runtime/JSCJSValue.h:
2225         * runtime/JSCJSValueInlines.h:
2226         (JSC::JSValue::isSymbol):
2227         (JSC::JSValue::isPrimitive):
2228         (JSC::JSValue::toPropertyKey):
2229
2230         It represents ToPropertyKey abstract operation in the ES6 spec.
2231         It cleans up the old implementation's `isName` checks.
2232         And to prevent performance regressions in
2233             js/regress/fold-get-by-id-to-multi-get-by-offset-rare-int.html
2234             js/regress/fold-get-by-id-to-multi-get-by-offset.html
        we annotate this function as ALWAYS_INLINE.
2236
2237         (JSC::JSValue::getPropertySlot):
2238         (JSC::JSValue::get):
2239         (JSC::JSValue::equalSlowCaseInline):
2240         (JSC::JSValue::strictEqualSlowCaseInline):
2241         * runtime/JSCell.cpp:
2242         (JSC::JSCell::put):
2243         (JSC::JSCell::putByIndex):
2244         (JSC::JSCell::toPrimitive):
2245         (JSC::JSCell::getPrimitiveNumber):
2246         (JSC::JSCell::toNumber):
2247         (JSC::JSCell::toObject):
2248         * runtime/JSCell.h:
2249         * runtime/JSCellInlines.h:
2250         (JSC::JSCell::isSymbol):
2251         (JSC::JSCell::toBoolean):
2252         (JSC::JSCell::pureToBoolean):
2253         * runtime/JSGlobalObject.cpp:
2254         (JSC::JSGlobalObject::init):
2255         (JSC::JSGlobalObject::visitChildren):
2256         * runtime/JSGlobalObject.h:
2257         (JSC::JSGlobalObject::symbolPrototype):
2258         (JSC::JSGlobalObject::symbolObjectStructure):
2259         * runtime/JSONObject.cpp:
2260         (JSC::Stringifier::Stringifier):
2261         * runtime/JSSymbolTableObject.cpp:
2262         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
2263         * runtime/JSType.h:
2264         * runtime/JSTypeInfo.h:
2265         (JSC::TypeInfo::isName): Deleted.
2266         * runtime/MapData.cpp:
2267         (JSC::MapData::find):
2268         (JSC::MapData::add):
2269         (JSC::MapData::remove):
2270         (JSC::MapData::replaceAndPackBackingStore):
2271         * runtime/MapData.h:
2272         (JSC::MapData::clear):
2273         * runtime/NameInstance.h: Removed.
2274         * runtime/NamePrototype.cpp: Removed.
2275         * runtime/ObjectConstructor.cpp:
2276         (JSC::objectConstructorGetOwnPropertyDescriptor):
2277         (JSC::objectConstructorDefineProperty):
2278         * runtime/ObjectPrototype.cpp:
2279         (JSC::objectProtoFuncHasOwnProperty):
2280         (JSC::objectProtoFuncDefineGetter):
2281         (JSC::objectProtoFuncDefineSetter):
2282         (JSC::objectProtoFuncLookupGetter):
2283         (JSC::objectProtoFuncLookupSetter):
2284         (JSC::objectProtoFuncPropertyIsEnumerable):
2285         * runtime/Operations.cpp:
2286         (JSC::jsTypeStringForValue):
2287         (JSC::jsIsObjectType):
2288         * runtime/PrivateName.h:
2289         (JSC::PrivateName::PrivateName):
2290         (JSC::PrivateName::operator==):
2291         (JSC::PrivateName::operator!=):
2292         * runtime/PropertyMapHashTable.h:
2293         (JSC::PropertyTable::find):
2294         (JSC::PropertyTable::get):
2295         * runtime/PropertyName.h:
2296         (JSC::PropertyName::PropertyName):
2297         (JSC::PropertyName::publicName):
2298         * runtime/SmallStrings.h:
2299         * runtime/StringConstructor.cpp:
2300         (JSC::callStringConstructor):
2301
2302         In ES6, String constructor accepts Symbol to execute `String(symbol)`.
2303
2304         * runtime/Structure.cpp:
2305         (JSC::Structure::getPropertyNamesFromStructure):
2306         * runtime/StructureInlines.h:
2307         (JSC::Structure::prototypeForLookup):
2308         * runtime/Symbol.cpp: Added.
2309         (JSC::Symbol::Symbol):
2310         (JSC::SymbolObject::create):
2311         (JSC::Symbol::toPrimitive):
2312         (JSC::Symbol::toBoolean):
2313         (JSC::Symbol::getPrimitiveNumber):
2314         (JSC::Symbol::toObject):
2315         (JSC::Symbol::toNumber):
2316         (JSC::Symbol::destroy):
2317         (JSC::Symbol::descriptiveString):
2318         * runtime/Symbol.h: Added.
2319         (JSC::Symbol::createStructure):
2320         (JSC::Symbol::create):
2321         (JSC::Symbol::privateName):
2322         (JSC::Symbol::finishCreation):
2323         (JSC::asSymbol):
2324         * runtime/SymbolConstructor.cpp: Renamed from Source/JavaScriptCore/runtime/NameConstructor.cpp.
2325         (JSC::SymbolConstructor::SymbolConstructor):
2326         (JSC::SymbolConstructor::finishCreation):
2327         (JSC::callSymbol):
2328         (JSC::SymbolConstructor::getConstructData):
2329         (JSC::SymbolConstructor::getCallData):
2330         * runtime/SymbolConstructor.h: Renamed from Source/JavaScriptCore/runtime/NameConstructor.h.
2331         (JSC::SymbolConstructor::create):
2332         (JSC::SymbolConstructor::createStructure):
2333         * runtime/SymbolObject.cpp: Renamed from Source/JavaScriptCore/runtime/NameInstance.cpp.
2334         (JSC::SymbolObject::SymbolObject):
2335         (JSC::SymbolObject::finishCreation):
2336         (JSC::SymbolObject::defaultValue):
2337
2338         Now JSC doesn't support @@toPrimitive. So instead of it, we implement
2339         Symbol.prototype[@@toPrimitive] as ES5 Symbol.[[DefaultValue]].
2340
2341         * runtime/SymbolObject.h: Added.
2342         (JSC::SymbolObject::create):
2343         (JSC::SymbolObject::internalValue):
2344         (JSC::SymbolObject::createStructure):
2345         * runtime/SymbolPrototype.cpp: Added.
2346         (JSC::SymbolPrototype::SymbolPrototype):
2347         (JSC::SymbolPrototype::finishCreation):
2348         (JSC::SymbolPrototype::getOwnPropertySlot):
2349         (JSC::symbolProtoFuncToString):
2350         (JSC::symbolProtoFuncValueOf):
2351         * runtime/SymbolPrototype.h: Renamed from Source/JavaScriptCore/runtime/NamePrototype.h.
2352         (JSC::SymbolPrototype::create):
2353         (JSC::SymbolPrototype::createStructure):
2354
        The SymbolPrototype object is an ordinary JS object, not a wrapper object of Symbol.
        It is tested in js/symbol-prototype-is-ordinary-object.html.
2357
2358         * runtime/VM.cpp:
2359         (JSC::VM::VM):
2360         * runtime/VM.h:
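
The identity and conversion rules the entry above sets out (identity lives in the uid rather than in any particular cell, SymbolObject is a wrapper over that primitive, `String(symbol)` is allowed) can be observed from JS. The following is an added example, not JavaScriptCore code: `probeSymbol`, `hiddenField`, `makeRecord` and `inspectRecord` are assumed names, the record values are constructed sample data, and `Object.getOwnPropertySymbols` is used even though the entry defers it to a subsequent patch.

```javascript
// Added example, not JavaScriptCore code: the Symbol semantics the entry
// describes, as observable from JS. probeSymbol, hiddenField, makeRecord and
// inspectRecord are assumed names; Object.getOwnPropertySymbols postdates
// the patch the entry describes.

// Identity: two Symbols with the same description are different values, and
// wrapper objects (SymbolObject) are distinct per boxing but unwrap to the
// same primitive, which is why identity lives in the uid, not in a cell.
function probeSymbol(description) {
  const a = Symbol(description);
  const b = Symbol(description);
  const boxed1 = Object(a);
  const boxed2 = Object(a);
  let implicitConversionThrows = false;
  try {
    void `${a}`; // ToString on a Symbol throws; String(sym) is the explicit path
  } catch (e) {
    implicitConversionThrows = e instanceof TypeError;
  }
  return {
    isPrimitive: typeof a === 'symbol',
    distinctDespiteSameDescription: a !== b,
    wrappersAreDistinctObjects: boxed1 !== boxed2,
    wrappersUnwrapToSameSymbol: boxed1.valueOf() === a && boxed2.valueOf() === a,
    stringForm: String(a),
    implicitConversionThrows,
  };
}

// Property keys: a symbol-keyed property is skipped by string-key enumeration
// and by JSON, but it is not private: getOwnPropertySymbols recovers it, so
// symbols hide data from casual enumeration, not from an attacker.
const hiddenField = Symbol('secret');

function makeRecord(visibleValue, hiddenValue) {
  return { visible: visibleValue, [hiddenField]: hiddenValue };
}

function inspectRecord(record) {
  const symbolKeys = Object.getOwnPropertySymbols(record);
  return {
    stringKeys: Object.keys(record),
    json: JSON.stringify(record),
    symbolDescriptions: symbolKeys.map((s) => s.description),
    recoveredHiddenValue: symbolKeys.length ? record[symbolKeys[0]] : undefined,
  };
}
```

The second half is the practitioner caveat: a symbol-keyed property stays out of `Object.keys` and `JSON.stringify`, but any code with a reference to the object can enumerate its symbol keys and read the value, so symbols are not a confidentiality boundary.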
2361
2362 2015-01-30  Geoffrey Garen  <ggaren@apple.com>
2363
2364         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
2365         https://bugs.webkit.org/show_bug.cgi?id=140900
2366
2367         Reviewed by Mark Hahnenberg.
2368
2369         Re-landing just the HandleBlock piece of this patch.
2370
2371         * heap/HandleBlock.h:
2372         * heap/HandleBlockInlines.h:
2373         (JSC::HandleBlock::create):
2374         (JSC::HandleBlock::destroy):
2375         (JSC::HandleBlock::HandleBlock):
2376         (JSC::HandleBlock::payloadEnd):
2377         * heap/HandleSet.cpp:
2378         (JSC::HandleSet::~HandleSet):
2379         (JSC::HandleSet::grow):
2380
2381 2015-01-30  Geoffrey Garen  <ggaren@apple.com>
2382
2383         GC marking threads should clear malloc caches
2384         https://bugs.webkit.org/show_bug.cgi?id=141097
2385
2386         Reviewed by Sam Weinig.
2387
2388         Follow-up based on Mark Hahnenberg's review: Release after the copy
2389         phase, rather than after any phase, since we'd rather not release
2390         between marking and copying.
2391
2392         * heap/GCThread.cpp:
2393         (JSC::GCThread::waitForNextPhase):
2394         (JSC::GCThread::gcThreadMain):
2395
2396 2015-01-30  Geoffrey Garen  <ggaren@apple.com>
2397
2398         GC marking threads should clear malloc caches
2399         https://bugs.webkit.org/show_bug.cgi?id=141097
2400
2401         Reviewed by Andreas Kling.
2402
2403         This is an attempt to ameliorate a potential memory use regression
2404         caused by https://bugs.webkit.org/show_bug.cgi?id=140900
2405         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages.
2406
2407         FastMalloc may accumulate a per-thread cache on each of the 8-ish
2408         GC marking threads, which can be expensive.
2409
2410         * heap/GCThread.cpp:
2411         (JSC::GCThread::waitForNextPhase): Scavenge the current thread before
2412         going to sleep. There's probably not too much value to keeping our
2413         per-thread cache between GCs, and it has some memory footprint.
2414
2415 2015-01-30  Chris Dumez  <cdumez@apple.com>
2416
2417         Rename shared() static member functions to singleton() for singleton classes.
2418         https://bugs.webkit.org/show_bug.cgi?id=141088
2419
2420         Reviewed by Ryosuke Niwa and Benjamin Poulain.
2421
2422         Rename shared() static member functions to singleton() for singleton
2423         classes as per the recent coding style change.
2424
2425         * inspector/remote/RemoteInspector.h:
2426         * inspector/remote/RemoteInspector.mm:
2427         (Inspector::RemoteInspector::singleton):
2428         (Inspector::RemoteInspector::start):
2429         (Inspector::RemoteInspector::shared): Deleted.
2430         * inspector/remote/RemoteInspectorDebuggable.cpp:
2431         (Inspector::RemoteInspectorDebuggable::~RemoteInspectorDebuggable):
2432         (Inspector::RemoteInspectorDebuggable::init):
2433         (Inspector::RemoteInspectorDebuggable::update):
2434         (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
2435         (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection):
2436         (Inspector::RemoteInspectorDebuggable::unpauseForInitializedInspector):
2437         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
2438         (Inspector::RemoteInspectorDebuggableConnection::setup):
2439         (Inspector::RemoteInspectorDebuggableConnection::sendMessageToFrontend):
2440
2441 2015-01-30  Geoffrey Garen  <ggaren@apple.com>
2442
2443         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
2444         https://bugs.webkit.org/show_bug.cgi?id=140900
2445
2446         Reviewed by Mark Hahnenberg.
2447
2448         Re-landing just the CopyWorkListSegment piece of this patch.
2449
2450         * heap/CopiedBlockInlines.h:
2451         (JSC::CopiedBlock::reportLiveBytes):
2452         * heap/CopyWorkList.h:
2453         (JSC::CopyWorkListSegment::create):
2454         (JSC::CopyWorkListSegment::destroy):
2455         (JSC::CopyWorkListSegment::CopyWorkListSegment):
2456         (JSC::CopyWorkList::CopyWorkList):
2457         (JSC::CopyWorkList::~CopyWorkList):
2458         (JSC::CopyWorkList::append):
2459
2460 2015-01-29  Commit Queue  <commit-queue@webkit.org>
2461
2462         Unreviewed, rolling out r179357 and r179358.
2463         https://bugs.webkit.org/show_bug.cgi?id=141062
2464
2465         Suspect this caused WebGL tests to start flaking (Requested by
2466         kling on #webkit).
2467
2468         Reverted changesets:
2469
2470         "Polymorphic call inlining should be based on polymorphic call
2471         inline caching rather than logging"
2472         https://bugs.webkit.org/show_bug.cgi?id=140660
2473         http://trac.webkit.org/changeset/179357
2474
2475         "Unreviewed, fix no-JIT build."
2476         http://trac.webkit.org/changeset/179358
2477
2478 2015-01-29  Geoffrey Garen  <ggaren@apple.com>
2479
2480         Removed op_ret_object_or_this
2481         https://bugs.webkit.org/show_bug.cgi?id=141048
2482
2483         Reviewed by Michael Saboff.
2484
2485         op_ret_object_or_this was one opcode that would keep us out of the
2486         optimizing compilers.
2487
2488         We don't need a special-purpose opcode; we can just use a branch.
2489
2490         * bytecode/BytecodeBasicBlock.cpp:
2491         (JSC::isTerminal): Removed.
2492         * bytecode/BytecodeList.json:
2493         * bytecode/BytecodeUseDef.h:
2494         (JSC::computeUsesForBytecodeOffset):
2495         (JSC::computeDefsForBytecodeOffset): Removed.
2496
2497         * bytecode/CodeBlock.cpp:
2498         (JSC::CodeBlock::dumpBytecode): Removed.
2499
2500         * bytecompiler/BytecodeGenerator.cpp:
2501         (JSC::BytecodeGenerator::emitReturn): Use an explicit branch to determine
2502         if we need to substitute 'this' for the return value. Our engine no longer
2503         benefits from fused opcodes that dispatch less in the interpreter.
2504
2505         * jit/JIT.cpp:
2506         (JSC::JIT::privateCompileMainPass):
2507         * jit/JIT.h:
2508         * jit/JITCall32_64.cpp:
2509         (JSC::JIT::emit_op_ret_object_or_this): Deleted.
2510         * jit/JITOpcodes.cpp:
2511         (JSC::JIT::emit_op_ret_object_or_this): Deleted.
2512         * llint/LowLevelInterpreter32_64.asm:
2513         * llint/LowLevelInterpreter64.asm: Removed.
2514
2515 2015-01-29  Ryosuke Niwa  <rniwa@webkit.org>
2516
2517         Implement ES6 class syntax without inheritance support
2518         https://bugs.webkit.org/show_bug.cgi?id=140918
2519
2520         Reviewed by Geoffrey Garen.
2521
2522         Added the most basic support for ES6 class syntax. After this patch, we support basic class definition like:
2523         class A {
2524             constructor() { }
2525             someMethod() { }
2526         }
2527
2528         We'll add the support for "extends" keyword and automatically generating a constructor in follow up patches.
2529         We also don't support block scoping of a class declaration.
2530
2531         We support both class declaration and class expression. A class expression is implemented by the newly added
2532         ClassExprNode AST node. A class declaration is implemented by ClassDeclNode, which is a thin wrapper around
2533         AssignResolveNode.
2534
2535         Tests: js/class-syntax-declaration.html
2536                js/class-syntax-expression.html
2537
2538         * bytecompiler/NodesCodegen.cpp:
2539         (JSC::ObjectLiteralNode::emitBytecode): Create a new object instead of delegating the work to PropertyListNode.
2540         Also fixed the 5-space indentation.
2541         (JSC::PropertyListNode::emitBytecode): Don't create a new object now that ObjectLiteralNode does this.
2542         (JSC::ClassDeclNode::emitBytecode): Added. Just let the AssignResolveNode node emit the byte code.
2543         (JSC::ClassExprNode::emitBytecode): Create the class constructor and add static methods to the constructor by
2544         emitting the byte code for PropertyListNode. Add instance methods to the class's prototype object the same way.
2545
2546         * parser/ASTBuilder.h:
2547         (JSC::ASTBuilder::createClassExpr): Added. Creates a ClassExprNode.
        (JSC::ASTBuilder::createClassDeclStatement): Added. Creates an AssignResolveNode and wraps it by a ClassDeclNode.
2549
2550         * parser/NodeConstructors.h:
2551         (JSC::ClassDeclNode::ClassDeclNode): Added.
2552         (JSC::ClassExprNode::ClassExprNode): Added.
2553
2554         * parser/Nodes.h:
2555         (JSC::ClassExprNode): Added.
2556         (JSC::ClassDeclNode): Added.
2557
2558         * parser/Parser.cpp:
2559         (JSC::Parser<LexerType>::parseStatement): Added the support for class declaration.
2560         (JSC::stringForFunctionMode): Return "method" for MethodMode.
2561         (JSC::Parser<LexerType>::parseClassDeclaration): Added. Uses parseClass to create a class expression and wraps
2562         it with ClassDeclNode as described above.
2563         (JSC::Parser<LexerType>::parseClass): Parses a class expression.
2564         (JSC::Parser<LexerType>::parseProperty):
2565         (JSC::Parser<LexerType>::parseGetterSetter): Extracted from parseProperty to share the code between parseProperty
2566         and parseClass.
2567         (JSC::Parser<LexerType>::parsePrimaryExpression): Added the support for class expression.
2568
2569         * parser/Parser.h:
2570         (FunctionParseMode): Added MethodMode.
2571
2572         * parser/SyntaxChecker.h:
2573         (JSC::SyntaxChecker::createClassExpr): Added.
2574         (JSC::SyntaxChecker::createClassDeclStatement): Added.
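
The lowering the class entry describes (a constructor function, static methods placed on the constructor, instance methods placed on its prototype) and the explicit branch the earlier op_ret_object_or_this entry describes (a constructor's return value replaces `this` only when it is an object) can both be written out in plain JS. The following is an added example, not JavaScriptCore code: `makeClass`, `construct`, `methodNames`, `Native` and `Manual` are assumed names, and the method attributes follow the ES6 specification (non-enumerable); the entry does not say which attributes the patch used.

```javascript
// Added example, not JavaScriptCore code: the class lowering described in the
// ChangeLog entry, written out in JS, plus the "object or this" branch that
// emitReturn now emits in place of op_ret_object_or_this. makeClass, construct,
// methodNames, Native and Manual are assumed names. Method attributes here are
// the ES6 ones (non-enumerable); the entry does not state the patch's choice.

function makeClass(ctor, instanceMethods = {}, staticMethods = {}) {
  const attrs = { writable: true, configurable: true, enumerable: false };
  // Static methods go on the constructor itself ...
  for (const [name, fn] of Object.entries(staticMethods)) {
    Object.defineProperty(ctor, name, { value: fn, ...attrs });
  }
  // ... instance methods on the constructor's prototype object.
  for (const [name, fn] of Object.entries(instanceMethods)) {
    Object.defineProperty(ctor.prototype, name, { value: fn, ...attrs });
  }
  return ctor;
}

// [[Construct]] with the branch spelled out: substitute `this` for the return
// value unless the constructor returned an object.
function construct(ctor, args) {
  const thisValue = Object.create(ctor.prototype);
  const result = ctor.apply(thisValue, args);
  const returnedObject =
    result !== null && (typeof result === 'object' || typeof result === 'function');
  return returnedObject ? result : thisValue;
}

// Own method names of a class, split by where they were installed.
function methodNames(ctor) {
  const builtin = new Set(['length', 'name', 'prototype', 'arguments', 'caller']);
  return {
    static: Object.getOwnPropertyNames(ctor).filter((n) => !builtin.has(n)).sort(),
    instance: Object.getOwnPropertyNames(ctor.prototype)
      .filter((n) => n !== 'constructor')
      .sort(),
  };
}

// The same class twice: native syntax, and the hand-lowered form.
class Native {
  constructor(x) { this.x = x; }
  double() { return this.x * 2; }
  static origin() { return new Native(0); }
}

const Manual = makeClass(
  function Manual(x) { this.x = x; },
  { double() { return this.x * 2; } },
  { origin() { return new Manual(0); } },
);
```

`methodNames` reports the same layout for both forms, and `construct` shows the two outcomes of the branch: a constructor returning a primitive yields the freshly created `this`, one returning an object yields that object.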
2575
2576 2015-01-29  Geoffrey Garen  <ggaren@apple.com>
2577
2578         Try to fix the Windows build.
2579
2580         Not reviewed.
2581
2582         * heap/WeakBlock.h: Use the fully qualified name when declaring our friend.
2583
2584 2015-01-29  Geoffrey Garen  <ggaren@apple.com>
2585
2586         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
2587         https://bugs.webkit.org/show_bug.cgi?id=140900
2588
2589         Reviewed by Mark Hahnenberg.
2590
2591         Re-landing just the WeakBlock piece of this patch.
2592
2593         * heap/WeakBlock.cpp:
2594         (JSC::WeakBlock::create):
2595         (JSC::WeakBlock::destroy):
2596         (JSC::WeakBlock::WeakBlock):
2597         * heap/WeakBlock.h:
2598         * heap/WeakSet.cpp:
2599         (JSC::WeakSet::~WeakSet):
2600         (JSC::WeakSet::addAllocator):
2601         (JSC::WeakSet::removeAllocator):
2602
2603 2015-01-29  Geoffrey Garen  <ggaren@apple.com>
2604
2605         Use Vector instead of GCSegmentedArray in CodeBlockSet
2606         https://bugs.webkit.org/show_bug.cgi?id=141044
2607
2608         Reviewed by Ryosuke Niwa.
2609
2610         This is allowed now that we've gotten rid of fastMallocForbid.
2611
2612         4kB was a bit overkill for just storing a few pointers.
2613
2614         * heap/CodeBlockSet.cpp:
2615         (JSC::CodeBlockSet::CodeBlockSet):
2616         * heap/CodeBlockSet.h:
2617         * heap/Heap.cpp:
2618         (JSC::Heap::Heap):
2619
2620 2015-01-29  Filip Pizlo  <fpizlo@apple.com>
2621
2622         Unreviewed, fix no-JIT build.
2623
2624         * jit/PolymorphicCallStubRoutine.cpp:
2625
2626 2015-01-28  Filip Pizlo  <fpizlo@apple.com>
2627
2628         Polymorphic call inlining should be based on polymorphic call inline caching rather than logging
2629         https://bugs.webkit.org/show_bug.cgi?id=140660
2630
2631         Reviewed by Geoffrey Garen.
2632         
2633         When we first implemented polymorphic call inlining, we did the profiling based on a call
2634         edge log. The idea was to store each call edge (a tuple of call site and callee) into a
2635         global log that was processed lazily. Processing the log would give precise counts of call
2636         edges, and could be used to drive well-informed inlining decisions - polymorphic or not.
2637         This was a speed-up on throughput tests but a slow-down for latency tests. It was a net win
2638         nonetheless.
2639         
2640         Experience with this code shows three things. First, the call edge profiler is buggy and
2641         complex. It would take work to fix the bugs. Second, the call edge profiler incurs lots of
2642         overhead for latency code that we care deeply about. Third, it's not at all clear that
2643         having call edge counts for every possible callee is any better than just having call edge
2644         counts for the limited number of callees that an inline cache would catch.
2645         
2646         So, this patch removes the call edge profiler and replaces it with a polymorphic call inline
2647         cache. If we miss the basic call inline cache, we inflate the cache to be a jump to an
2648         out-of-line stub that cases on the previously known callees. If that misses again, then we
2649         rewrite that stub to include the new callee. We do this up to some number of callees. If we
2650         hit the limit then we switch to using a plain virtual call.
2651         
2652         Substantial speed-up on V8Spider; undoes the slow-down that the original call edge profiler
2653         caused. Might be a SunSpider speed-up (below 1%), depending on hardware.
2654
2655         * CMakeLists.txt:
2656         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2657         * JavaScriptCore.xcodeproj/project.pbxproj:
2658         * bytecode/CallEdge.h:
2659         (JSC::CallEdge::count):
2660         (JSC::CallEdge::CallEdge):
2661         * bytecode/CallEdgeProfile.cpp: Removed.
2662         * bytecode/CallEdgeProfile.h: Removed.
2663         * bytecode/CallEdgeProfileInlines.h: Removed.
2664         * bytecode/CallLinkInfo.cpp:
2665         (JSC::CallLinkInfo::unlink):
2666         (JSC::CallLinkInfo::visitWeak):
2667         * bytecode/CallLinkInfo.h:
2668         * bytecode/CallLinkStatus.cpp:
2669         (JSC::CallLinkStatus::CallLinkStatus):
2670         (JSC::CallLinkStatus::computeFor):
2671         (JSC::CallLinkStatus::computeFromCallLinkInfo):
2672         (JSC::CallLinkStatus::isClosureCall):
2673         (JSC::CallLinkStatus::makeClosureCall):
2674         (JSC::CallLinkStatus::dump):
2675         (JSC::CallLinkStatus::computeFromCallEdgeProfile): Deleted.
2676         * bytecode/CallLinkStatus.h:
2677         (JSC::CallLinkStatus::CallLinkStatus):
2678         (JSC::CallLinkStatus::isSet):
2679         (JSC::CallLinkStatus::variants):
2680         (JSC::CallLinkStatus::size):
2681         (JSC::CallLinkStatus::at):
2682         (JSC::CallLinkStatus::operator[]):
2683         (JSC::CallLinkStatus::canOptimize):
2684         (JSC::CallLinkStatus::edges): Deleted.
2685         (JSC::CallLinkStatus::canTrustCounts): Deleted.
2686         * bytecode/CallVariant.cpp:
2687         (JSC::variantListWithVariant):
2688         (JSC::despecifiedVariantList):
2689         * bytecode/CallVariant.h:
2690         * bytecode/CodeBlock.cpp:
2691         (JSC::CodeBlock::~CodeBlock):
2692         (JSC::CodeBlock::linkIncomingPolymorphicCall):
2693         (JSC::CodeBlock::unlinkIncomingCalls):
2694         (JSC::CodeBlock::noticeIncomingCall):
2695         * bytecode/CodeBlock.h:
2696         (JSC::CodeBlock::isIncomingCallAlreadyLinked): Deleted.
2697         * dfg/DFGAbstractInterpreterInlines.h:
2698         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2699         * dfg/DFGByteCodeParser.cpp:
2700         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
2701         (JSC::DFG::ByteCodeParser::handleCall):
2702         (JSC::DFG::ByteCodeParser::handleInlining):
2703         * dfg/DFGClobberize.h:
2704         (JSC::DFG::clobberize):
2705         * dfg/DFGConstantFoldingPhase.cpp:
2706         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2707         * dfg/DFGDoesGC.cpp:
2708         (JSC::DFG::doesGC):
2709         * dfg/DFGDriver.cpp:
2710         (JSC::DFG::compileImpl):
2711         * dfg/DFGFixupPhase.cpp:
2712         (JSC::DFG::FixupPhase::fixupNode):
2713         * dfg/DFGNode.h:
2714         (JSC::DFG::Node::hasHeapPrediction):
2715         * dfg/DFGNodeType.h:
2716         * dfg/DFGOperations.cpp:
2717         * dfg/DFGPredictionPropagationPhase.cpp:
2718         (JSC::DFG::PredictionPropagationPhase::propagate):
2719         * dfg/DFGSafeToExecute.h:
2720         (JSC::DFG::safeToExecute):
2721         * dfg/DFGSpeculativeJIT32_64.cpp:
2722         (JSC::DFG::SpeculativeJIT::emitCall):
2723         (JSC::DFG::SpeculativeJIT::compile):
2724         * dfg/DFGSpeculativeJIT64.cpp:
2725         (JSC::DFG::SpeculativeJIT::emitCall):
2726         (JSC::DFG::SpeculativeJIT::compile):
2727         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2728         (JSC::DFG::TierUpCheckInjectionPhase::run):
2729         (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling): Deleted.
2730         * ftl/FTLCapabilities.cpp:
2731         (JSC::FTL::canCompile):
2732         * heap/Heap.cpp:
2733         (JSC::Heap::collect):
2734         * jit/BinarySwitch.h:
2735         * jit/ClosureCallStubRoutine.cpp: Removed.
2736         * jit/ClosureCallStubRoutine.h: Removed.
2737         * jit/JITCall.cpp:
2738         (JSC::JIT::compileOpCall):
2739         * jit/JITCall32_64.cpp:
2740         (JSC::JIT::compileOpCall):
2741         * jit/JITOperations.cpp:
2742         * jit/JITOperations.h:
2743         (JSC::operationLinkPolymorphicCallFor):
2744         (JSC::operationLinkClosureCallFor): Deleted.
2745         * jit/JITStubRoutine.h:
2746         * jit/JITWriteBarrier.h:
2747         * jit/PolymorphicCallStubRoutine.cpp: Added.
2748         (JSC::PolymorphicCallNode::~PolymorphicCallNode):
2749         (JSC::PolymorphicCallNode::unlink):
2750         (JSC::PolymorphicCallCase::dump):
2751         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
2752         (JSC::PolymorphicCallStubRoutine::~PolymorphicCallStubRoutine):
2753         (JSC::PolymorphicCallStubRoutine::variants):
2754         (JSC::PolymorphicCallStubRoutine::edges):
2755         (JSC::PolymorphicCallStubRoutine::visitWeak):
2756         (JSC::PolymorphicCallStubRoutine::markRequiredObjectsInternal):
2757         * jit/PolymorphicCallStubRoutine.h: Added.
2758         (JSC::PolymorphicCallNode::PolymorphicCallNode):
2759         (JSC::PolymorphicCallCase::PolymorphicCallCase):
2760         (JSC::PolymorphicCallCase::variant):
2761         (JSC::PolymorphicCallCase::codeBlock):
2762         * jit/Repatch.cpp:
2763         (JSC::linkSlowFor):
2764         (JSC::linkFor):
2765         (JSC::revertCall):
2766         (JSC::unlinkFor):
2767         (JSC::linkVirtualFor):
2768         (JSC::linkPolymorphicCall):
2769         (JSC::linkClosureCall): Deleted.
2770         * jit/Repatch.h:
2771         * jit/ThunkGenerators.cpp:
2772         (JSC::linkPolymorphicCallForThunkGenerator):
2773         (JSC::linkPolymorphicCallThunkGenerator):
2774         (JSC::linkPolymorphicCallThatPreservesRegsThunkGenerator):
2775         (JSC::linkClosureCallForThunkGenerator): Deleted.
2776         (JSC::linkClosureCallThunkGenerator): Deleted.
2777         (JSC::linkClosureCallThatPreservesRegsThunkGenerator): Deleted.
2778         * jit/ThunkGenerators.h:
2779         (JSC::linkPolymorphicCallThunkGeneratorFor):
2780         (JSC::linkClosureCallThunkGeneratorFor): Deleted.
2781         * llint/LLIntSlowPaths.cpp:
2782         (JSC::LLInt::jitCompileAndSetHeuristics):
2783         * runtime/Options.h:
2784         * runtime/VM.cpp:
2785         (JSC::VM::prepareToDiscardCode):
2786         (JSC::VM::ensureCallEdgeLog): Deleted.
2787         * runtime/VM.h:
2788
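The call-site life cycle described in the entry above (basic inline cache, inflated out-of-line stub that cases on known callees, rewrite on each new callee up to a limit, then a plain virtual call) is modelled here as an added example. It is not JavaScriptCore code: the names CallSite, CalleeTable, CallSiteState and the maxCases limit are assumptions for the illustration, and callees are identified by an index into a constructed table rather than by a JSCell or CodeBlock.

```cpp
#include <cstddef>
#include <cstdio>
#include <functional>
#include <vector>

// Added example, not JavaScriptCore code. The four states a call site can be in.
enum class CallSiteState { Unlinked, Monomorphic, Polymorphic, Virtual };

using CalleeId = unsigned;
using Target = std::function<int(int)>;

// Stand-in for the callees' machine code: what a virtual call dispatches through.
struct CalleeTable {
    std::vector<Target> targets;
};

class CallSite {
public:
    // maxCases is the (assumed) limit on callees a polymorphic stub may hold.
    CallSite(const CalleeTable& table, std::size_t maxCases)
        : m_table(table), m_maxCases(maxCases) {}

    int call(CalleeId callee, int arg)
    {
        // Inline-cache fast path: one case when monomorphic, several once the
        // stub has been inflated. A hit never consults the table.
        for (const Case& c : m_cases) {
            if (c.callee == callee) {
                ++m_hits;
                return c.target(arg);
            }
        }
        ++m_misses;
        if (m_state != CallSiteState::Virtual) {
            if (m_cases.size() < m_maxCases) {
                // Rewrite the stub to include the new callee.
                m_cases.push_back({ callee, m_table.targets.at(callee) });
                m_state = m_cases.size() == 1 ? CallSiteState::Monomorphic : CallSiteState::Polymorphic;
            } else {
                // Limit reached: drop the cases and fall back to a plain virtual call.
                m_cases.clear();
                m_state = CallSiteState::Virtual;
            }
        }
        // Slow path (a miss, or a virtual call): dispatch through the table.
        return m_table.targets.at(callee)(arg);
    }

    // The callees the cache has observed: the list an inliner would consult.
    // It is empty once the site has gone virtual.
    std::vector<CalleeId> variants() const
    {
        std::vector<CalleeId> v;
        for (const Case& c : m_cases)
            v.push_back(c.callee);
        return v;
    }

    CallSiteState state() const { return m_state; }
    unsigned hits() const { return m_hits; }
    unsigned misses() const { return m_misses; }

private:
    struct Case {
        CalleeId callee;
        Target target;
    };
    const CalleeTable& m_table;
    std::size_t m_maxCases;
    std::vector<Case> m_cases;
    CallSiteState m_state = CallSiteState::Unlinked;
    unsigned m_hits = 0;
    unsigned m_misses = 0;
};

// Constructed callee table for the demonstration: callee k multiplies by k + 1.
CalleeTable makeCalleeTable(std::size_t count)
{
    CalleeTable table;
    for (std::size_t k = 0; k < count; ++k)
        table.targets.push_back([k](int x) { return x * static_cast<int>(k + 1); });
    return table;
}

int main()
{
    CalleeTable table = makeCalleeTable(6);
    CallSite site(table, 3);
    for (CalleeId callee = 0; callee < 5; ++callee)
        std::printf("callee %u -> %d, state %d, cases %zu\n", callee, site.call(callee, 5),
            static_cast<int>(site.state()), site.variants().size());
    return 0;
}
```

The point the entry makes about profiling is visible in variants(): the cache only ever records the handful of callees the stub caught, and a site that overflowed the limit reports none, so an inliner driven by it cannot speculate on a megamorphic site.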
2789 2015-01-29  Joseph Pecoraro  <pecoraro@apple.com>
2790
2791         Web Inspector: ES6: Improved Console Format for Set and Map Objects (like Arrays)
2792         https://bugs.webkit.org/show_bug.cgi?id=122867
2793
2794         Reviewed by Timothy Hatcher.
2795
2796         Add new Runtime.RemoteObject object subtypes for "map", "set", and "weakmap".
2797
2798         Upgrade Runtime.ObjectPreview to include type/subtype information. Now,
2799         an ObjectPreview can be used for any value, in place of a RemoteObject,
2800         and not capture / hold a reference to the value. The value will be in
2801         the string description.
2802
2803         Adding this information to ObjectPreview can duplicate some information
2804         in the protocol messages if a preview is provided, but simplifies
2805         previews, so that all the information you need for any RemoteObject
2806         preview is available. To slim messages further, make "overflow" and
2807         "properties" only available on previews that may contain properties.
2808         So, not primitives or null.
2809
2810         Finally, for "Map/Set/WeakMap" add an "entries" list to the preview
2811         that will return previews with "key" and "value" properties depending
2812         on the collection type. To get live, non-preview objects from a
2813         collection, use Runtime.getCollectionEntries.
2814
2815         In order to keep the WeakMap's values Weak the frontend may provide
2816         a unique object group name when getting collection entries. It may
2817         then release that object group, e.g. when not showing the WeakMap's
2818         values to the user, and thus remove the strong reference to the keys
2819         so they may be garbage collected.
2820
2821         * runtime/WeakMapData.h:
2822         (JSC::WeakMapData::begin):
2823         (JSC::WeakMapData::end):
2824         Expose iterators so the Inspector may access WeakMap keys/values.
2825
2826         * inspector/JSInjectedScriptHostPrototype.cpp:
2827         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
2828         (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapEntries):
2829         * inspector/JSInjectedScriptHost.h:
2830         * inspector/JSInjectedScriptHost.cpp:
2831         (Inspector::JSInjectedScriptHost::subtype):
2832         Discern "map", "set", and "weakmap" object subtypes.
2833
2834         (Inspector::JSInjectedScriptHost::weakMapEntries):
2835         Return a list of WeakMap entries. These are strong references
2836         that the Inspector code is responsible for releasing.
2837
2838         * inspector/protocol/Runtime.json:
2839         Update types and expose the new getCollectionEntries command.
2840
2841         * inspector/agents/InspectorRuntimeAgent.h:
2842         * inspector/agents/InspectorRuntimeAgent.cpp:
2843         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
2844         * inspector/InjectedScript.h:
2845         * inspector/InjectedScript.cpp:
2846         (Inspector::InjectedScript::getInternalProperties):
2847         (Inspector::InjectedScript::getCollectionEntries):
2848         Pass through to the InjectedScript and call getCollectionEntries.
2849
2850         * inspector/scripts/codegen/generator.py:
2851         Add another type with runtime casting.
2852
2853         * inspector/InjectedScriptSource.js:
2854         - Implement getCollectionEntries to get a range of values from a
2855         collection. The non-Weak collections have an order to their keys (in
2856         order of added) so range'd gets are okay. WeakMap does not have an
2857         order, so only allow fetching a number of values.
2858         - Update preview generation to address the Runtime.ObjectPreview
2859         type changes.
2860
2861 2015-01-28  Geoffrey Garen  <ggaren@apple.com>
2862
2863         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
2864         https://bugs.webkit.org/show_bug.cgi?id=140900
2865
2866         Reviewed by Mark Hahnenberg.
2867
2868         Re-landing just the GCArraySegment piece of this patch.
2869
2870         * heap/CodeBlockSet.cpp:
2871         (JSC::CodeBlockSet::CodeBlockSet):
2872         * heap/CodeBlockSet.h:
2873         * heap/GCSegmentedArray.h:
2874         (JSC::GCArraySegment::GCArraySegment):
2875         * heap/GCSegmentedArrayInlines.h:
2876         (JSC::GCSegmentedArray<T>::GCSegmentedArray):
2877         (JSC::GCSegmentedArray<T>::~GCSegmentedArray):
2878         (JSC::GCSegmentedArray<T>::clear):
2879         (JSC::GCSegmentedArray<T>::expand):
2880         (JSC::GCSegmentedArray<T>::refill):
2881         (JSC::GCArraySegment<T>::create):
2882         (JSC::GCArraySegment<T>::destroy):
2883         * heap/GCThreadSharedData.cpp:
2884         (JSC::GCThreadSharedData::GCThreadSharedData):
2885         * heap/Heap.cpp:
2886         (JSC::Heap::Heap):
2887         * heap/MarkStack.cpp:
2888         (JSC::MarkStackArray::MarkStackArray):
2889         * heap/MarkStack.h:
2890         * heap/SlotVisitor.cpp:
2891         (JSC::SlotVisitor::SlotVisitor):
2892
2893 2015-01-29  Csaba Osztrogonác  <ossy@webkit.org>
2894
2895         Move HAVE_DTRACE definition back to Platform.h
2896         https://bugs.webkit.org/show_bug.cgi?id=141033
2897
2898         Reviewed by Dan Bernstein.
2899
2900         * Configurations/Base.xcconfig:
2901         * JavaScriptCore.xcodeproj/project.pbxproj:
2902
2903 2015-01-28  Geoffrey Garen  <ggaren@apple.com>
2904
2905         Removed fastMallocForbid / fastMallocAllow
2906         https://bugs.webkit.org/show_bug.cgi?id=141012
2907
2908         Reviewed by Mark Hahnenberg.
2909
2910         Copy non-current thread stacks before scanning them instead of scanning
2911         them in-place.
2912
2913         This operation is uncommon (i.e., never in the web content process),
2914         and even in a stress test with 4 threads it only copies about 27kB,
2915         so I think the performance cost is OK.
2916
2917         Scanning in-place requires a complex dance where we constrain our GC
2918         data structures not to use malloc, free, or any other interesting functions
2919         that might acquire locks. We've gotten this wrong many times in the past,
2920         and I just got it wrong again yesterday. Since this code path is rarely
2921         tested, I want it to just make sense, and not depend on or constrain the
2922         details of the rest of the GC heap's design.
2923
2924         * heap/MachineStackMarker.cpp:
2925         (JSC::otherThreadStack): Factored out a helper function for dealing with
2926         unaligned and/or backwards pointers.
2927
2928         (JSC::MachineThreads::tryCopyOtherThreadStack): This is now the only
2929         constrained function, and it only calls memcpy and low-level thread APIs.
2930
2931         (JSC::MachineThreads::tryCopyOtherThreadStacks): The design here is that
2932         you do one pass over all the threads to compute their combined size,
2933         and then a second pass to do all the copying. In theory, the threads may
2934         grow in between passes, in which case you'll continue until the threads
2935         stop growing. In practice, you never continue.
2936
2937         (JSC::growBuffer): Helper function for growing.
2938
2939         (JSC::MachineThreads::gatherConservativeRoots):
2940         (JSC::MachineThreads::gatherFromOtherThread): Deleted.
2941         * heap/MachineStackMarker.h: Updated for interface changes.
2942
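The two-pass design described in the entry above (one pass to size all the other threads' stacks, one pass to copy them, repeated only if a stack grew in between, with the copying routine reduced to a memcpy) is modelled here as an added example. It is not WebKit code: FakeThread, StackRange, CopiedStacks and the betweenPasses hook that stands in for the race are assumptions for the illustration, and the otherThreadStack, tryCopyOtherThreadStack, tryCopyOtherThreadStacks and growBuffer names are reused only to mirror the entry's structure.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <functional>
#include <utility>
#include <vector>

// Added example, not WebKit code. A suspended thread is a stack region plus a
// saved stack pointer given as an index into that region; on a downward-growing
// stack only [sp, base) is live.
struct FakeThread {
    std::vector<uint8_t> memory;
    std::size_t sp;
    std::size_t base() const { return memory.size(); }
};

struct StackRange {
    std::size_t begin;
    std::size_t end;
};

// Counterpart of the otherThreadStack helper (assumed behaviour): accept the two
// ends in either order and align the low end down to a word boundary.
StackRange otherThreadStack(std::size_t a, std::size_t b)
{
    std::size_t low = std::min(a, b);
    std::size_t high = std::max(a, b);
    low &= ~(sizeof(void*) - 1);
    return { low, high };
}

std::size_t stackSize(const FakeThread& thread)
{
    StackRange range = otherThreadStack(thread.sp, thread.base());
    return range.end - range.begin;
}

// The only constrained routine: nothing but a memcpy into a buffer allocated
// beforehand, so it cannot take a lock a suspended thread might hold. It
// reports failure if the stack no longer fits.
bool tryCopyOtherThreadStack(const FakeThread& thread, uint8_t* dst, std::size_t capacity)
{
    StackRange range = otherThreadStack(thread.sp, thread.base());
    std::size_t size = range.end - range.begin;
    if (size > capacity)
        return false;
    if (size)
        std::memcpy(dst, thread.memory.data() + range.begin, size);
    return true;
}

void growBuffer(std::vector<uint8_t>& buffer, std::size_t needed)
{
    buffer.resize(std::max(needed, buffer.size() * 2));
}

struct CopiedStacks {
    std::vector<uint8_t> buffer;
    std::vector<std::pair<std::size_t, std::size_t>> ranges; // (offset, length) per thread
    unsigned copyPasses = 0;
};

// Pass 1 computes the combined size; pass 2 copies. If a stack grew in between,
// the buffer is grown and the copy pass repeats until everything fits.
// betweenPasses is a test hook (an assumption of this example) for the race.
CopiedStacks tryCopyOtherThreadStacks(const std::vector<FakeThread>& threads,
    const std::function<void()>& betweenPasses = nullptr)
{
    CopiedStacks result;
    std::size_t total = 0;
    for (const FakeThread& t : threads)
        total += stackSize(t);
    result.buffer.resize(total);
    if (betweenPasses)
        betweenPasses();

    for (;;) {
        ++result.copyPasses;
        result.ranges.clear();
        std::size_t offset = 0;
        std::size_t needed = 0;
        bool fits = true;
        for (const FakeThread& t : threads) {
            std::size_t size = stackSize(t);
            needed += size;
            if (fits && tryCopyOtherThreadStack(t, result.buffer.data() + offset, result.buffer.size() - offset)) {
                result.ranges.push_back({ offset, size });
                offset += size;
            } else
                fits = false;
        }
        if (fits)
            return result;
        growBuffer(result.buffer, needed);
    }
}

int main()
{
    // Constructed threads: 48 live bytes of 0xAA and 24 live bytes of 0xBB.
    std::vector<FakeThread> threads {
        { std::vector<uint8_t>(64, uint8_t(0xAA)), 16 },
        { std::vector<uint8_t>(32, uint8_t(0xBB)), 8 },
    };
    CopiedStacks copied = tryCopyOtherThreadStacks(threads, [&threads] { threads[1].sp = 0; });
    std::printf("%u copy pass(es), %zu bytes buffered\n", copied.copyPasses, copied.buffer.size());
    return 0;
}
```

Everything that allocates (the sizing pass and growBuffer) runs outside the constrained routine, which is the property the entry wants: the copy loop converges as soon as the stacks stop growing, and in the common case it finishes in a single pass.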
2943 2015-01-28  Brian J. Burg  <burg@cs.washington.edu>
2944
2945         Web Inspector: remove CSS.setPropertyText, CSS.toggleProperty and related dead code
2946         https://bugs.webkit.org/show_bug.cgi?id=140961
2947
2948         Reviewed by Timothy Hatcher.
2949
2950         * inspector/protocol/CSS.json: Remove unused protocol methods.
2951
2952 2015-01-28  Dana Burkart  <dburkart@apple.com>
2953
2954         Move ASan flag settings from DebugRelease.xcconfig to Base.xcconfig
2955         https://bugs.webkit.org/show_bug.cgi?id=136765
2956
2957         Reviewed by Alexey Proskuryakov.
2958
2959         * Configurations/Base.xcconfig:
2960         * Configurations/DebugRelease.xcconfig:
2961
2962 2015-01-27  Filip Pizlo  <fpizlo@apple.com>
2963
2964         ExitSiteData saying m_takesSlowPath shouldn't mean early returning takesSlowPath() since for the non-LLInt case we later set m_couldTakeSlowPath, which is more precise
2965         https://bugs.webkit.org/show_bug.cgi?id=140980
2966
2967         Reviewed by Oliver Hunt.
2968
2969         * bytecode/CallLinkStatus.cpp:
2970         (JSC::CallLinkStatus::computeFor):
2971
2972 2015-01-27  Filip Pizlo  <fpizlo@apple.com>
2973
2974         Move DFGBinarySwitch out of the DFG so that all of the JITs can use it
2975         https://bugs.webkit.org/show_bug.cgi?id=140959
2976
2977         Rubber stamped by Geoffrey Garen.
2978         
2979         I want to use this for polymorphic stubs for https://bugs.webkit.org/show_bug.cgi?id=140660.
2980         This code no longer has DFG dependencies so this is a very clean move.
2981
2982         * CMakeLists.txt:
2983         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2984         * JavaScriptCore.xcodeproj/project.pbxproj:
2985         * dfg/DFGBinarySwitch.cpp: Removed.
2986         * dfg/DFGBinarySwitch.h: Removed.
2987         * dfg/DFGSpeculativeJIT.cpp:
2988         * jit/BinarySwitch.cpp: Copied from Source/JavaScriptCore/dfg/DFGBinarySwitch.cpp.
2989         * jit/BinarySwitch.h: Copied from Source/JavaScriptCore/dfg/DFGBinarySwitch.h.
2990
2991 2015-01-27  Commit Queue  <commit-queue@webkit.org>
2992
2993         Unreviewed, rolling out r179192.
2994         https://bugs.webkit.org/show_bug.cgi?id=140953
2995
2996         Caused numerous layout test failures (Requested by mattbaker_
2997         on #webkit).
2998
2999         Reverted changeset:
3000
3001         "Use FastMalloc (bmalloc) instead of BlockAllocator for GC
3002         pages"
3003         https://bugs.webkit.org/show_bug.cgi?id=140900
3004         http://trac.webkit.org/changeset/179192
3005
3006 2015-01-27  Michael Saboff  <msaboff@apple.com>
3007
3008         REGRESSION(r178591): 20% regression in Octane box2d
3009         https://bugs.webkit.org/show_bug.cgi?id=140948
3010
3011         Reviewed by Geoffrey Garen.
3012
3013         Added check that we have a lexical environment to the arguments is captured check.
3014         It doesn't make sense to resolve "arguments" when it really isn't captured.
3015
3016         * bytecompiler/BytecodeGenerator.cpp:
3017         (JSC::BytecodeGenerator::willResolveToArgumentsRegister):
3018
3019 2015-01-26  Geoffrey Garen  <ggaren@apple.com>
3020
3021         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
3022         https://bugs.webkit.org/show_bug.cgi?id=140900
3023
3024         Reviewed by Mark Hahnenberg.
3025
3026         Removes some more custom allocation code.
3027
3028         Looks like a speedup. (See results attached to bugzilla.)
3029
3030         Will hopefully reduce memory use by improving sharing between the GC and
3031         malloc heaps.
3032
3033         * API/JSBase.cpp:
3034         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3035         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3036         * JavaScriptCore.xcodeproj/project.pbxproj: Feed the compiler.
3037
3038         * heap/BlockAllocator.cpp: Removed.
3039         * heap/BlockAllocator.h: Removed. No need for a custom allocator anymore.
3040
3041         * heap/CodeBlockSet.cpp:
3042         (JSC::CodeBlockSet::CodeBlockSet):
3043         * heap/CodeBlockSet.h: Feed the compiler.
3044
3045         * heap/CopiedBlock.h:
3046         (JSC::CopiedBlock::createNoZeroFill):
3047         (JSC::CopiedBlock::create):
3048         (JSC::CopiedBlock::CopiedBlock):
3049         (JSC::CopiedBlock::isOversize):
3050         (JSC::CopiedBlock::payloadEnd):
3051         (JSC::CopiedBlock::capacity):
3052         * heap/CopiedBlockInlines.h:
3053         (JSC::CopiedBlock::reportLiveBytes): Each copied block now tracks its
3054         own size, since we can't rely on Region to tell us our size anymore.
3055
3056         * heap/CopiedSpace.cpp:
3057         (JSC::CopiedSpace::~CopiedSpace):
3058         (JSC::CopiedSpace::tryAllocateOversize):
3059         (JSC::CopiedSpace::tryReallocateOversize):
3060         * heap/CopiedSpaceInlines.h:
3061         (JSC::CopiedSpace::recycleEvacuatedBlock):
3062         (JSC::CopiedSpace::recycleBorrowedBlock):
3063         (JSC::CopiedSpace::allocateBlockForCopyingPhase):
3064         (JSC::CopiedSpace::allocateBlock):
3065         (JSC::CopiedSpace::startedCopying): Deallocate blocks directly, rather
3066         than pushing them onto the block allocator's free list; the block
3067         allocator doesn't exist anymore.
3068
3069         * heap/CopyWorkList.h:
3070         (JSC::CopyWorkListSegment::create):
3071         (JSC::CopyWorkListSegment::CopyWorkListSegment):
3072         (JSC::CopyWorkList::~CopyWorkList):
3073         (JSC::CopyWorkList::append):
3074         (JSC::CopyWorkList::CopyWorkList): Deleted.
3075         * heap/GCSegmentedArray.h:
3076         (JSC::GCArraySegment::GCArraySegment):
3077         * heap/GCSegmentedArrayInlines.h:
3078         (JSC::GCSegmentedArray<T>::GCSegmentedArray):
3079         (JSC::GCSegmentedArray<T>::~GCSegmentedArray):
3080         (JSC::GCSegmentedArray<T>::clear):
3081         (JSC::GCSegmentedArray<T>::expand):
3082         (JSC::GCSegmentedArray<T>::refill):
3083         (JSC::GCArraySegment<T>::create):
3084         * heap/GCThreadSharedData.cpp:
3085         (JSC::GCThreadSharedData::GCThreadSharedData):
3086         * heap/GCThreadSharedData.h: Feed the compiler.
3087
3088         * heap/HandleBlock.h:
3089         * heap/HandleBlockInlines.h:
3090         (JSC::HandleBlock::create):
3091         (JSC::HandleBlock::HandleBlock):
3092         (JSC::HandleBlock::payloadEnd):
3093         * heap/HandleSet.cpp:
3094         (JSC::HandleSet::~HandleSet):
3095         (JSC::HandleSet::grow): Same as above.
3096
3097         * heap/Heap.cpp:
3098         (JSC::Heap::Heap):
3099         * heap/Heap.h: Removed the block allocator since it is unused now.
3100
3101         * heap/HeapBlock.h:
3102         (JSC::HeapBlock::destroy):
3103         (JSC::HeapBlock::HeapBlock):
3104         (JSC::HeapBlock::region): Deleted. Removed the Region pointer from each
3105         HeapBlock since a HeapBlock is just a normal allocation now.
3106
3107         * heap/HeapInlines.h:
3108         (JSC::Heap::blockAllocator): Deleted.
3109
3110         * heap/HeapTimer.cpp:
3111         * heap/MarkStack.cpp:
3112         (JSC::MarkStackArray::MarkStackArray):
3113         * heap/MarkStack.h: Feed the compiler.
3114
3115         * heap/MarkedAllocator.cpp:
3116         (JSC::MarkedAllocator::allocateBlock): No need to use a custom code path
3117         based on size, since we use a general purpose allocator now.
3118
3119         * heap/MarkedBlock.cpp:
3120         (JSC::MarkedBlock::create):
3121         (JSC::MarkedBlock::destroy):
3122         (JSC::MarkedBlock::MarkedBlock):
3123         * heap/MarkedBlock.h:
3124         (JSC::MarkedBlock::capacity): Track block size explicitly, like CopiedBlock.
3125
3126         * heap/MarkedSpace.cpp:
3127         (JSC::MarkedSpace::freeBlock):
3128         * heap/MarkedSpace.h:
3129
3130         * heap/Region.h: Removed.
3131
3132         * heap/SlotVisitor.cpp:
3133         (JSC::SlotVisitor::SlotVisitor): Removed reference to block allocator.
3134
3135         * heap/SuperRegion.cpp: Removed.
3136         * heap/SuperRegion.h: Removed.
3137
3138         * heap/WeakBlock.cpp:
3139         (JSC::WeakBlock::create):
3140         (JSC::WeakBlock::WeakBlock):
3141         * heap/WeakBlock.h:
3142         * heap/WeakSet.cpp:
3143         (JSC::WeakSet::~WeakSet):
3144         (JSC::WeakSet::addAllocator):
3145         (JSC::WeakSet::removeAllocator): Removed reference to block allocator.
3146
3147 2015-01-27  Csaba Osztrogonác  <ossy@webkit.org>
3148
3149         [ARM] Typo fix after r176083
3150         https://bugs.webkit.org/show_bug.cgi?id=140937
3151
3152         Reviewed by Anders Carlsson.
3153
3154         * assembler/ARMv7Assembler.h:
3155         (JSC::ARMv7Assembler::ldrh):
3156
3157 2015-01-27  Csaba Osztrogonác  <ossy@webkit.org>
3158
3159         [Win] Unreviewed gardening, skip failing tests.
3160
3161         * tests/exceptionFuzz.yaml: Skip exception fuzz tests due to bug140928.
3162         * tests/mozilla/mozilla-tests.yaml: Skip ecma/Date/15.9.5.28-1.js due to bug140927.
3163
3164 2015-01-26  Csaba Osztrogonác  <ossy@webkit.org>
3165
3166         [Win] Enable JSC stress tests by default
3167         https://bugs.webkit.org/show_bug.cgi?id=128307
3168
3169         Unreviewed typo fix after r179165.
3170
3171         * tests/mozilla/mozilla-tests.yaml:
3172
3173 2015-01-26  Csaba Osztrogonác  <ossy@webkit.org>
3174
3175         [Win] Enable JSC stress tests by default
3176         https://bugs.webkit.org/show_bug.cgi?id=128307
3177
3178         Reviewed by Brent Fulgham.
3179
3180         * tests/mozilla/mozilla-tests.yaml: Skipped on Windows.
3181         * tests/stress/ftl-arithcos.js: Skipped on Windows.
3182
3183 2015-01-26  Ryosuke Niwa  <rniwa@webkit.org>
3184
3185         Parse a function expression as a primary expression
3186         https://bugs.webkit.org/show_bug.cgi?id=140908
3187
3188         Reviewed by Mark Lam.
3189
3190         Moved the code to generate an AST node for a function expression from parseMemberExpression
3191         to parsePrimaryExpression to match the ES6 specification terminology:
3192         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-primary-expression
3193
3194         There should be no behavior change from this change since parsePrimaryExpression is only
3195         called in parseMemberExpression other than the fact that failIfStackOverflow() is called.
3196
3197         * parser/Parser.cpp:
3198         (JSC::Parser<LexerType>::parsePrimaryExpression):
3199         (JSC::Parser<LexerType>::parseMemberExpression):
3200
3201 2015-01-26  Myles C. Maxfield  <mmaxfield@apple.com>
3202
3203         [iOS] [SVG -> OTF Converter] Flip the switch off on iOS
3204         https://bugs.webkit.org/show_bug.cgi?id=140860
3205
3206         Reviewed by Darin Adler.
3207
3208         The fonts it makes are grotesque. (See what I did there? Typographic
3209         humor is the best humor.)
3210
3211         * Configurations/FeatureDefines.xcconfig:
3212
3213 2015-01-23  Joseph Pecoraro  <pecoraro@apple.com>
3214
3215         Web Inspector: Rename InjectedScriptHost::type to subtype
3216         https://bugs.webkit.org/show_bug.cgi?id=140841
3217
3218         Reviewed by Timothy Hatcher.
3219
3220         We were using this to set the subtype of an "object" type RemoteObject
3221         so we should clean up the name and call it subtype.
3222
3223         * inspector/InjectedScriptHost.h:
3224         * inspector/InjectedScriptSource.js:
3225         * inspector/JSInjectedScriptHost.cpp:
3226         (Inspector::JSInjectedScriptHost::subtype):
3227         (Inspector::JSInjectedScriptHost::type): Deleted.
3228         * inspector/JSInjectedScriptHost.h:
3229         * inspector/JSInjectedScriptHostPrototype.cpp:
3230         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
3231         (Inspector::jsInjectedScriptHostPrototypeFunctionSubtype):
3232         (Inspector::jsInjectedScriptHostPrototypeFunctionType): Deleted.
3233
3234 2015-01-23  Michael Saboff  <msaboff@apple.com>
3235
3236         LayoutTests/js/script-tests/reentrant-caching.js crashing on 32 bit builds
3237         https://bugs.webkit.org/show_bug.cgi?id=140843
3238
3239         Reviewed by Oliver Hunt.
3240
3241         When we are in vmEntryToJavaScript, we keep the stack pointer at an
3242         alignment suitable for pointing to a call frame header, which is the
3243         alignment post making a call.  We adjust the sp when calling to JS code,
3244         but don't adjust it before calling the out of stack handler.
3245
3246         * llint/LowLevelInterpreter32_64.asm:
3247         Moved stack pointer down 8 bytes to get it aligned.
3248
3249 2015-01-23  Joseph Pecoraro  <pecoraro@apple.com>
3250
3251         Web Inspector: Object Previews in the Console
3252         https://bugs.webkit.org/show_bug.cgi?id=129204
3253
3254         Reviewed by Timothy Hatcher.
3255
3256         Update the very old, unused object preview code. Part of this comes from
3257         the earlier WebKit legacy implementation, and the Blink implementation.
3258
3259         A RemoteObject may include a preview, if it is asked for, and if the
3260         RemoteObject is an object. Previews are a shallow (single level) list
3261         of a limited number of properties on the object. The previewed
3262         properties are always stringified (even if primitives). Previews are
3263         limited to just 5 properties or 100 indices. Previews are marked
3264         as lossless if they are a complete snapshot of the object.
3265
3266         There is a path to make previews two levels deep, that is currently
3267         unused but should soon be used for tables (e.g. IndexedDB).
3268
3269         * inspector/InjectedScriptSource.js:
3270         - Move some code off of InjectedScript to be generic functions
3271         usable by RemoteObject as well.
3272         - Update preview generation to use 
3273
3274         * inspector/protocol/Runtime.json:
3275         - Add a new type, "accessor" for preview objects. This represents
3276         a getter / setter. We currently don't get the value.
3277
3278 2015-01-23  Michael Saboff  <msaboff@apple.com>
3279
3280         Immediate crash when setting JS breakpoint
3281         https://bugs.webkit.org/show_bug.cgi?id=140811
3282
3283         Reviewed by Mark Lam.
3284
3285         When the DFG stack layout phase doesn't allocate a register for the scope register,
3286         it incorrectly sets the scope register in the code block to a bad value, one with
3287         an offset of 0.  Changed it so that we set the code block's scope register to the 
3288         invalid VirtualRegister instead.
3289
3290         No tests needed as adding the ASSERT in setScopeRegister() was used to find the bug.
3291         We crash with that ASSERT in testapi and likely many other tests as well.
3292
3293         * bytecode/CodeBlock.cpp:
3294         (JSC::CodeBlock::CodeBlock):
3295         * bytecode/CodeBlock.h:
3296         (JSC::CodeBlock::setScopeRegister):
3297         (JSC::CodeBlock::scopeRegister):
3298         Added ASSERTs to catch any future improper setting of the code block's scope register.
3299
3300         * dfg/DFGStackLayoutPhase.cpp:
3301         (JSC::DFG::StackLayoutPhase::run):
3302
3303 2015-01-22  Mark Hahnenberg  <mhahnenb@gmail.com>
3304
3305         EdenCollections unnecessarily visit SmallStrings
3306         https://bugs.webkit.org/show_bug.cgi?id=140762
3307
3308         Reviewed by Geoffrey Garen.
3309
3310         * heap/Heap.cpp:
3311         (JSC::Heap::copyBackingStores): Also added a GCPhase for copying
3312         backing stores, which is a significant portion of garbage collection.
3313         (JSC::Heap::visitSmallStrings): Check to see if we need to visit
3314         SmallStrings based on the collection type.
3315         * runtime/SmallStrings.cpp:
3316         (JSC::SmallStrings::SmallStrings):
3317         (JSC::SmallStrings::visitStrongReferences): Set the fact that we have
3318         visited the SmallStrings since the last modification.
3319         * runtime/SmallStrings.h:
3320         (JSC::SmallStrings::needsToBeVisited): If we're doing a
3321         FullCollection, we need to visit. Otherwise, it depends on whether
3322         we've been visited since the last modification/allocation.
3323
3324 2015-01-22  Ryosuke Niwa  <rniwa@webkit.org>
3325
3326         Add a build flag for ES6 class syntax
3327         https://bugs.webkit.org/show_bug.cgi?id=140760
3328
3329         Reviewed by Michael Saboff.
3330
3331         Added ES6_CLASS_SYNTAX build flag and used it in tokenizer to recognize
3332         "class", "extends", "static" and "super" keywords.
3333
3334         * Configurations/FeatureDefines.xcconfig:
3335         * parser/Keywords.table:
3336         * parser/ParserTokens.h:
3337
3338 2015-01-22  Commit Queue  <commit-queue@webkit.org>
3339
3340         Unreviewed, rolling out r178894.
3341         https://bugs.webkit.org/show_bug.cgi?id=140775
3342
3343         Broke JSC and bindings tests (Requested by ap_ on #webkit).
3344
3345         Reverted changeset:
3346
3347         "put_by_val_direct need to check the property is index or not
3348         for using putDirect / putDirectIndex"
3349         https://bugs.webkit.org/show_bug.cgi?id=140426
3350         http://trac.webkit.org/changeset/178894
3351
3352 2015-01-22  Mark Lam  <mark.lam@apple.com>
3353
3354         BytecodeGenerator::initializeCapturedVariable() sets a misleading value for the 5th operand of op_put_to_scope.
3355         <https://webkit.org/b/140743>
3356
3357         Reviewed by Oliver Hunt.
3358
3359         BytecodeGenerator::initializeCapturedVariable() was setting the 5th operand to
3360         op_put_to_scope to an inappropriate value (i.e. 0).  As a result, the execution